
Abstractions should not generally include deny rules, as this can unduly constrain profiles which include them: deny rules take precedence over allow rules, so a deny placed in an abstraction cannot be overridden by the including profile. Also, as per the comment, this is not required for exo-open to work, so simply omit it from the abstraction for now. Finally, in Ubuntu, the evince profile includes the exo-open abstraction and this deny rule causes evince to fail to initialise correctly as it then assumes it cannot use gvfs. Signed-off-by: Alex Murray <alex.murray@canonical.com>
# vim:syntax=apparmor

abi <abi/3.0>,

# This abstraction is designed to be used in a child profile to limit what a
# confined application can invoke via the exo-open helper.
#
# NOTE: most likely you want to use the xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that the
# confined application only uses /usr/bin/exo-open directly.
#
# Security notes for profile authors:
#
#  - This abstraction only grants what exo-open itself needs: executing the
#    exo binaries and reading its helper configuration (see the rules below).
#    It deliberately contains NO exec rules for the applications exo-open may
#    launch. The including child profile must add those explicitly (e.g. via
#    the ubuntu-browsers / ubuntu-email abstractions in the example), so the
#    set of launchable programs stays a decision of the profile author.
#
#  - It contains no deny rules on purpose. Deny rules take precedence over
#    allow rules, so a deny placed in an abstraction would constrain every
#    profile that includes it with no way to override it there; restrictions
#    belong in the including profile instead.
#
#  - Everything here is "ix" (inherit the current profile). When included from
#    a child profile as shown below, exo-open, exo-helper-* and which all run
#    under that child profile, so the allow rules for launch targets should
#    live in the child profile rather than the main profile; the confined
#    application itself then gains nothing from them.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
#   ...
#   # Px: transition into the named child profile (with a scrubbed
#   # environment) instead of inheriting foo's permissions.
#   /usr/bin/exo-open rPx -> foo//exo-open,
#   ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//exo-open {
#   include <abstractions/exo-open>
#
#   # needed for ubuntu-* abstractions
#   include <abstractions/ubuntu-helpers>
#
#   # Only allow to handle http[s]: and mailto: links
#   include <abstractions/ubuntu-browsers>
#   include <abstractions/ubuntu-email>
#
#   # Add if accessibility access is considered as required
#   # (for message box in case exo-open fails)
#   include <abstractions/dbus-accessibility>
#
#   # < add additional allowed applications here >
# }
# ```

# Desktop plumbing exo-open needs: display, session bus and GNOME/GTK
# bits, plus audio for the failure message box. Note these are fairly
# broad; the child profile should hold nothing else beyond the launch
# targets it intends to allow.
include <abstractions/X>
include <abstractions/audio> # for alert messages
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/gnome>

# Main executables
# Both stay confined by the including profile (ix); no profile transition.
/usr/bin/exo-open rix,
/usr/lib{32,64,/@{multiarch}}/xfce4/exo-[0-9]/exo-helper-[0-9] ix,

# Other executables
# which(1) also runs under the including profile (ix).
/{,usr/}bin/which rix,

# System files
# Read-only access to the system-wide helper configuration; no write
# access is granted anywhere in this abstraction.
/etc/xdg/{,xdg-*/}xfce4/helpers.rc r,
/etc/xfce4/defaults.list r, # TODO: move into xfce4 abstraction?
/usr/share/sounds/freedesktop/** r, # for message box alert sound
/usr/share/xfce4/helpers/*.desktop r,
/usr/share/{xfce{,4},xubuntu}/applications/{,*.list} r,

# User files
# "owner" restricts these to files owned by the same uid as the process.
# Only the fd/ directory listing of the process's own pid is granted; the
# individual fd entries are not.
owner @{PROC}/@{pid}/fd/ r,
owner @{HOME}/.config/xfce4/helpers.rc r,
owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,

# Include additions to the abstraction
# Local additions go under exo-open.d so this file can be updated without
# merging site changes; silently skipped when the directory does not exist.
include if exists <abstractions/exo-open.d>