update apparmor profiles

parent f8e78a98
......@@ -151,22 +151,41 @@ profile firefox @{exec_path} {
# file_inherit
/dev/tty[0-9]* rw,
# Launch external apps
/{usr/,}bin/exo-open rPUx,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPUx,
/{usr/,}bin/vlc rPUx,
/{usr/,}bin/qbittorrent rPUx,
/{usr/,}bin/smplayer rPUx,
/{usr/,}bin/geany rPUx,
/{usr/,}bin/okular rPUx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/xarchiver rPUx,
/{usr/,}bin/thunderbird rPUx,
/{usr/,}bin/telegram-desktop rPUx,
/{usr/,}bin/spacefm rPUx,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/gpa rPUx,
/{usr/,}bin/keepassxc-proxy rPUx, # For storing passwords externally
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/exo-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
profile open {
#include <abstractions/base>
#include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
# Allowed apps to open
/{usr/,}bin/vlc rPUx,
/{usr/,}bin/qbittorrent rPUx,
/{usr/,}bin/smplayer rPUx,
/{usr/,}bin/geany rPUx,
/{usr/,}bin/okular rPUx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/xarchiver rPUx,
/{usr/,}bin/engrampa rPUx,
/{usr/,}bin/thunderbird rPUx,
/{usr/,}bin/telegram-desktop rPUx,
/{usr/,}bin/spacefm rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
#include if exists <local/firefox_open>
}
#include if exists <local/firefox>
}
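Review bot: The new `open` child profile grants `/{usr/,}bin/xdg-open mr,` but nothing for the other two executables that now transition into it via `rCx -> open` at the top of the hunk (`exo-open` and `gio-launch-desktop`); once inside the child those binaries still need their own read/map permission, so the exec will likely be denied unless `abstractions/xdg-open` (not visible here) already supplies it — please confirm. If it does not, add `/{usr/,}bin/exo-open mr,` and `/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,` next to the xdg-open rule. The same child profile is introduced for orage and thunderbird later in this commit and has the same gap. The enclosing `profile firefox` block starts before this hunk.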
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# file_inherit
owner /dev/log-xsession w,
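Review bot: The single rule `owner /dev/log-xsession w,` is commented only as `# file_inherit`, which explains how the fd arrives but not what `/dev/log-xsession` is; a one-line comment naming the component that creates that node (presumably the display manager or a session script) would let a maintainer judge whether the rule is still needed. Since `owner` on a fixed `/dev` path only matches when the node's uid equals the confined process's uid, the rule is dead and the write still denied if that node is created root-owned — worth confirming against the session setup. The two identical snippets below carry the same rule and the same question.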
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# file_inherit
owner /dev/log-xsession w,
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# file_inherit
owner /dev/log-xsession w,
......@@ -103,7 +103,7 @@ profile mkinitramfs @{exec_path} {
owner /var/tmp/mkinitramfs_*/{usr/,}lib{,32,x32}/ r,
owner /var/tmp/mkinitramfs_*/{usr/,}lib/@{multiarch}/ r,
owner /var/tmp/mkinitramfs_*/{usr/,}lib/@{multiarch}/*.so* rw,
owner /var/tmp/mkinitramfs_*/{usr/,}lib/*.so* r,
owner /var/tmp/mkinitramfs_*/{usr/,}lib{,32,x32}/*.so* rw,
owner /var/tmp/mkinitramfs_*/etc/ld.so.cache{,~} rw,
......@@ -25,9 +25,9 @@ profile orage @{exec_path} {
/{usr/,}bin/globaltime rPx,
# For the Help menu
/{usr/,}bin/exo-open rPUx,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPUx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/exo-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
owner @{HOME}/.config/orage/ rw,
owner @{HOME}/.config/orage/* rw,
......@@ -35,9 +35,9 @@ profile orage @{exec_path} {
owner @{HOME}/.local/share/orage/ rw,
owner @{HOME}/.local/share/orage/* rwk,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
......@@ -46,5 +46,21 @@ profile orage @{exec_path} {
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
profile open {
#include <abstractions/base>
#include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
#include if exists <local/orage_open>
}
#include if exists <local/orage>
}
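Review bot: Inside the new `open` child profile the only launch target is `/{usr/,}lib/firefox/firefox rPUx,`, and `PUx` falls back to running the browser unconfined whenever no firefox profile is loaded, which is the weakest outcome for the one program here that handles untrusted content. Since this commit also ships a firefox profile, `rPx` would make that transition fail closed instead of silently dropping confinement; if the fallback is deliberate, a comment such as `# PUx: runs unconfined when the firefox profile is not loaded` would record it. The enclosing `profile orage` block starts before this hunk.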
......@@ -153,10 +153,9 @@ profile thunderbird @{exec_path} {
# Silencer
deny /{usr/,}lib/thunderbird/** w,
# Launch external apps
/{usr/,}bin/exo-open rPUx,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPUx,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
# Needed for enigmail
/usr/share/xul-ext/enigmail/{,**} r,
......@@ -164,6 +163,10 @@ profile thunderbird @{exec_path} {
/{usr/,}bin/gpg-connect-agent rCx -> gpg,
/{usr/,}bin/gpg rCx -> gpg,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
profile gpg {
#include <abstractions/base>
......@@ -207,9 +210,21 @@ profile thunderbird @{exec_path} {
#include if exists <local/thunderbird_gpg>
}
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
profile open {
#include <abstractions/base>
#include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
#include if exists <local/thunderbird_open>
}
#include if exists <local/thunderbird>
}
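Review bot: Unlike the firefox and orage hunks in this commit, the thunderbird `# Launch external apps` block routes only `xdg-open` and `gio-launch-desktop` into the `open` child profile; `exo-open`, which sits next to them with `rPUx`, has no `rCx -> open` counterpart, so if that line is the removed one and thunderbird still invokes exo-open the exec will be denied rather than confined. If dropping it is intentional that is fine; otherwise `/{usr/,}bin/exo-open rCx -> open,` keeps the three profiles consistent. Which of those lines are old and which new is not marked on this rendered page, so this is inferred from the other two profiles; the enclosing `profile thunderbird` block starts before the hunk.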