From 03275ff5c75cafa2cbd1c98b6be6e4940a523793 Mon Sep 17 00:00:00 2001
From: Besanon
Date: Fri, 15 Aug 2025 09:44:56 +0200
Subject: [PATCH] Update pcmanfm-qt

---
 apparmor.d/groups/lxqt/pcmanfm-qt | 82 ++++++++++--------------------
 1 file changed, 26 insertions(+), 56 deletions(-)

diff --git a/apparmor.d/groups/lxqt/pcmanfm-qt b/apparmor.d/groups/lxqt/pcmanfm-qt
index 5b0c02c52..1e5e78f7d 100644
--- a/apparmor.d/groups/lxqt/pcmanfm-qt
+++ b/apparmor.d/groups/lxqt/pcmanfm-qt
@@ -10,13 +10,11 @@ include
 @{exec_path} = @{bin}/pcmanfm-qt
 profile pcmanfm-qt @{exec_path} {
   include
-  include
   include
   include
   include
   include
   include
   include
-  include
   include
   include
   include
   include
@@ -29,26 +27,32 @@ profile pcmanfm-qt @{exec_path} {
   network netlink raw,
-  #aa:dbus own bus=session name=org.pcmanfm.PCManFM
   #aa:exec kioworker
   @{exec_path} mr,
-  @{lib}/menu-cache/menu-cached rPx,
+  @{lib}/menu-cache/menu-cached rix,
   @{lib}/exec/menu-cache/menu-cache-gen rix,
-  owner @{user_cache_dirs}/pcmanfm-qt/** r,
-  owner @{user_config_dirs}/pcmanfm-qt/lxqt/ r,
-  owner @{user_config_dirs}/pcmanfm-qt/lxqt/recent-files.conf.lock rwk,
-  owner @{user_config_dirs}/pcmanfm-qt/lxqt/desktop-items-0.conf.@{rand6} l -> @{user_config_dirs}/pcmanfm-qt/lxqt/#@{int},
-  owner @{user_config_dirs}/pcmanfm-qt/lxqt/dir-settings.conf~ l -> @{user_config_dirs}/pcmanfm-qt/lxqt/dir-settings.conf,
-  owner @{user_config_dirs}/pcmanfm-qt/lxqt/desktop-items-eDP-@{int}.conf.lock rwk,
-  owner @{user_config_dirs}/pcmanfm-qt/lxqt/settings.conf.lock rwk,
-  owner @{user_config_dirs}/pcmanfm-qt/lxqt/settings.conf.@{rand6} l -> @{user_config_dirs}/pcmanfm-qt/lxqt/#@{int},
-  owner @{user_config_dirs}/pcmanfm-qt/lxqt/desktop-items-0.conf.lock rwk,
-  owner @{user_config_dirs}/pcmanfm-qt/lxqt/desktop-items-eDP-@{int}.conf l -> @{user_config_dirs}/pcmanfm-qt/lxqt/#@{int},
-  owner @{user_config_dirs}/pcmanfm-qt/lxqt/recent-files.conf.@{rand6} l -> @{user_config_dirs}/pcmanfm-qt/lxqt/#@{int},
-  owner @{user_config_dirs}/pcmanfm-qt/lxqt/settings.conf.lock.* rwk,
+  #aa:lint ignore=too-wide
+  # Full access to user's data
+  / r,
+  /*/ r,
+  @{bin}/ r,
+  @{lib}/ r,
+  @{MOUNTDIRS}/ r,
+  @{MOUNTS}/ r,
+  @{MOUNTS}/** rw,
+  owner @{HOME}/ r,
+  owner @{HOME}/** rw,
+  owner @{run}/user/@{uid}/ r,
+  owner @{run}/user/@{uid}/** rw,
+  owner @{tmp}/ r,
+  owner @{tmp}/** rw,
+
+  owner @{user_cache_dirs}/pcmanfm-qt/{,**} rw,
+  owner @{user_config_dirs}/pcmanfm-qt/ rw,
+  owner @{user_config_dirs}/pcmanfm-qt/** rwlk -> @{user_config_dirs}/pcmanfm-qt/**,
   @{sys}/bus/ r,
   @{sys}/class/ r,
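Review bot: Switching `@{lib}/menu-cache/menu-cached` from `rPx` to `rix` makes menu-cached inherit this profile instead of transitioning to its own, and this profile now grants `owner @{HOME}/** rw`, `@{MOUNTS}/** rw` and `owner @{run}/user/@{uid}/** rw`, so the daemon receives that whole surface; if a dedicated menu-cached profile exists (the former Px suggests one did), `@{lib}/menu-cache/menu-cached rPx,` should be kept. `@{MOUNTS}/** rw,` also drops the `owner` qualifier that the rule removed in the third hunk carried (`owner @{MOUNTS}/** rw,`), so writes to any file on mounted media are now allowed regardless of ownership; unless non-owned writes on removable media are really needed, `@{MOUNTS}/** r,` followed by `owner @{MOUNTS}/** rw,` preserves the earlier restriction. The `#aa:lint ignore=too-wide` marker silences the linter, so the comment above the block should state the justification rather than only the scope, e.g. `# File manager: must browse and edit any user-owned file and mounted media`. The profile block itself opens and closes outside this hunk.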
@@ -61,46 +65,12 @@ profile pcmanfm-qt @{exec_path} {
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/cgroup r,
-  # To read/write files in the system. The read permission is granted for all files, the write
-  # permission only for the owner. Also, dirs like /dev/, /efi/, /proc/, /sys/ are not included in
-  # the list.
-  / r,
-  @{efi}/ r,
-  @{efi}/** r,
-  owner @{efi}/** rw,
-  /etc/ r,
-  /etc/** r,
-  owner /etc/** rw,
-  /home/ r,
-  /home/** r,
-  /home/** rw,
-  /lost+found/ r,
-  /lost+found/** r,
-  owner /lost+found/** rw,
-  @{MOUNTS}/ r,
-  @{MOUNTS}/** r,
-  owner @{MOUNTS}/** rw,
-  /opt/ r,
-  /opt/** r,
-  owner /opt/** rw,
-  /root/ r,
-  /root/** r,
-  owner /root/** rw,
-  @{run}/ r,
-  @{run}/** r,
-  owner @{run}/** rw,
-  /srv/ r,
-  /srv/** r,
-  owner /srv/** rw,
-  /tmp/ r,
-  /tmp/** r,
-  owner /tmp/** rw,
-  /usr/ r,
-  /usr/** r,
-  owner /usr/** rw,
-  /var/ r,
-  /var/** r,
-  owner /var/** rw,
+  # Silence non user's data
+  deny @{efi}/{,**} r,
+  deny /opt/{,**} r,
+  deny /root/{,**} r,
+  deny /tmp/.* rw,
+  deny /tmp/.*/{,**} rw,
   /dev/tty r,
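Review bot: The new `deny /tmp/.* rw,` and `deny /tmp/.*/{,**} rw,` hard-code `/tmp` while the allow rule added in the previous hunk is written as `owner @{tmp}/** rw,`; if `@{tmp}` expands to anything beyond `/tmp/`, hidden entries in those other locations are neither denied nor silenced. Writing them as `deny @{tmp}/.* rw,` and `deny @{tmp}/.*/{,**} rw,` keeps the allow and deny sides in step. Because an explicit deny overrides allow rules in AppArmor, these lines block access to dotfiles under tmp rather than merely quieting the log, which `# Silence non user's data` does not convey; `# Deny and silence hidden tmp entries and non-user system dirs` describes both effects. The enclosing profile block opens and closes outside this hunk.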