mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
f1b4da2f64
Begin preparing policy for the 4.0 release. This may result in new denials. This is expected and needed to make sure policy is ready for the 4.0 release. Signed-off-by: John Johansen <john.johansen@canonical.com>
86 lines
2.2 KiB
Text
86 lines
2.2 KiB
Text
# vim:syntax=apparmor
|
|
|
|
abi <abi/4.0>,
|
|
|
|
# This abstraction is designed to be used in a child profile to limit what
|
|
# confined application can invoke via xdg-open helper. xdg-open abstraction
|
|
# will allow to use gio-open, kde-open5 and other helpers of the different
|
|
# desktop environments.
|
|
#
|
|
# Usage example:
|
|
#
|
|
# ```
|
|
# profile foo /usr/bin/foo {
|
|
# ...
|
|
# /usr/bin/xdg-open rPx -> foo//xdg-open,
|
|
# ...
|
|
# } # end of main profile
|
|
#
|
|
# # out-of-line child profile
|
|
# profile foo//xdg-open {
|
|
# include <abstractions/xdg-open>
|
|
#
|
|
# # Enable a11y support if considered required by
|
|
# # profile author for (rare) error message boxes.
|
|
# include <abstractions/dbus-accessibility>
|
|
#
|
|
# # Enable gstreamer support if considered required by
|
|
# # profile author for (rare) error message boxes.
|
|
# include if exists <abstractions/gstreamer>
|
|
#
|
|
# # needed for ubuntu-* abstractions
|
|
# include <abstractions/ubuntu-helpers>
|
|
#
|
|
# # Only allow to handle http[s]: and mailto: links
|
|
# include <abstractions/ubuntu-browsers>
|
|
# include <abstractions/ubuntu-email>
|
|
#
|
|
# # < add additional allowed applications here >
|
|
# }
|
|
# ```
|
|
|
|
include <abstractions/base>
|
|
|
|
# for opening with `exo-open`
|
|
include <abstractions/exo-open>
|
|
|
|
# for opening with `gio open <uri>`
|
|
include <abstractions/gio-open>
|
|
|
|
# for opening with gvfs-open (deprecated)
|
|
include <abstractions/gvfs-open>
|
|
|
|
# for opening with kde-open5
|
|
include <abstractions/kde-open5>
|
|
|
|
# Main executables
|
|
|
|
/{,usr/}bin/{b,d}ash mr,
|
|
/usr/bin/xdg-open r,
|
|
|
|
# Additional executables
|
|
|
|
/usr/bin/xdg-mime rix,
|
|
/{,usr/}bin/cut rix, # for xdg-mime
|
|
/{,usr/}bin/head rix, # for xdg-mime
|
|
/{,usr/}bin/sed rix, # for xdg-open
|
|
/{,usr/}bin/tr rix, # for xdg-mime
|
|
/{,usr/}bin/which rix, # for xdg-open
|
|
/{,usr/}bin/{grep,egrep} rix, # for xdg-open
|
|
|
|
# System files
|
|
|
|
/dev/pts/[0-9]* rw,
|
|
/dev/tty w,
|
|
/etc/gnome/defaults.list r, # for grep
|
|
/usr/share/applications/mimeinfo.cache r, # for grep
|
|
/usr/share/terminfo/s/screen r, # for bash on openSUSE
|
|
/usr/share/{,*/}applications/{,*.desktop} r, # for xdg-mime
|
|
/var/lib/menu-xdg/applications/ r, # for xdg-mime
|
|
|
|
# Usr files
|
|
|
|
owner @{HOME}/.local/share/applications/{,*.desktop} r,
|
|
|
|
# Include additions to the abstraction
|
|
include if exists <abstractions/xdg-open.d>
|