diff --git a/apparmor.d/groups/apps/android-studio b/apparmor.d/groups/apps/android-studio deleted file mode 100644 index d5d9c5af0..000000000 --- a/apparmor.d/groups/apps/android-studio +++ /dev/null @@ -1,287 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{AS_LIBDIR} = @{MOUNTS}/android-studio -@{AS_SDKDIR} = @{MOUNTS}/SDK -@{AS_HOMEDIR} = @{HOME}/.AndroidStudio* -@{AS_PROJECTDIR} = @{HOME}/AndroidStudioProjects - -@{exec_path} = @{AS_LIBDIR}/bin/studio.sh -profile android-studio @{exec_path} { - include - #icnlude - include - include - include - include - include - include - include - include - include - include - include - include - include - - capability sys_ptrace, - - signal (send) set=(term, kill) peer=android-studio//lsb-release, - - ptrace (read) peer=android-studio//*, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network inet raw, - network inet6 raw, - network netlink raw, - - @{exec_path} r, - - @{bin}/{,ba,da}sh rix, - @{bin}/{,e}grep rix, - @{bin}/cat rix, - @{bin}/chattr rix, - @{bin}/chmod rix, - @{bin}/cut rix, - @{bin}/dirname rix, - @{bin}/kill rix, - @{bin}/ldconfig rix, - @{bin}/mktemp rix, - @{bin}/nice rix, - @{bin}/python3.[0-9]* rix, - @{bin}/readlink rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/setsid rix, - @{bin}/uname rix, - @{bin}/which{,.debianutils} rix, - @{bin}/xargs rix, - - @{bin}/git rPx, - @{bin}/lsusb rPx, - @{bin}/ps rPx, - @{bin}/xdg-mime rPx, - @{bin}/xprop rPx, - - @{bin}/gpg{,2} rCx -> gpg, - @{bin}/lsb_release rCx -> lsb-release, - @{bin}/xdg-open rCx -> open, - - @{lib}/jvm/java-[0-9]*-openjdk-*/jre/bin/* rix, - - /etc/java-[0-9]*-openjdk/** r, - /usr/share/java/java-atk-wrapper.jar r, - - /etc/ssl/certs/java/cacerts r, - - / r, - /home/ r, - @{MOUNTS}/ r, - @{MOUNTS}/*/ r, - /usr/ r, - @{lib}/ r, - - @{AS_LIBDIR}/ rw, - @{AS_LIBDIR}/** mrwkix, - - # A standard system android SDK location. - # Currently there is only the target platform of API Level 23 packaged, so only apps targeted at - # android-23 can be built with only Debian packages. Only Build-Tools 24.0.0 is available, so in - # order to use the SDK, build scripts need to be modified. - @{lib}/android-sdk/ r, - @{lib}/android-sdk/** mrkix, - /usr/share/android-sdk-platform-*/{,**} r, - deny @{lib}/android-sdk/build-tools/*/package.xml w, - deny @{lib}/android-sdk/platforms/android-*/package.xml w, - deny @{lib}/android-sdk/.knownPackages w, - - # This one is used if the standard android SDK location is missing - @{AS_SDKDIR}/ rw, - @{AS_SDKDIR}/** mrwkix, - - owner @{AS_HOMEDIR}/ rw, - owner @{AS_HOMEDIR}/** mrwkix, - - owner @{AS_PROJECTDIR}/ rw, - owner @{AS_PROJECTDIR}/** rwk, - - owner @{HOME}/AndroidStudio/ rw, - owner @{HOME}/AndroidStudio/DeviceExplorer/ rw, - owner @{HOME}/AndroidStudio/DeviceExplorer/** rw, - - owner @{HOME}/Android/ rw, - owner @{HOME}/Android/** mrwkix, - - owner "@{user_config_dirs}/Android Open Source Project/" rw, - owner "@{user_config_dirs}/Android Open Source Project/**" rwk, - - owner @{user_config_dirs}/Google/ rw, - owner @{user_config_dirs}/Google/** rwk, - - owner @{user_cache_dirs}/ rw, - owner "@{user_cache_dirs}/Android Open Source Project/" rw, - owner "@{user_cache_dirs}/Android Open Source Project/**" rw, - - owner @{user_cache_dirs}/main.kts.compiled.cache/ rw, - owner @{user_cache_dirs}/main.kts.compiled.cache/** rw, - - owner @{user_cache_dirs}/Google/ rw, - owner @{user_cache_dirs}/Google/** rwk, - # To remove the following error: - # Location: /home/morfik/.cache/Google/AndroidStudio4.1/tmp - # java.io.IOException: Cannot run program - # "/home/morfik/.cache/Google/AndroidStudio4.1/tmp/ij659840309.tmp": error=13, Permission denied - owner @{user_cache_dirs}/Google/AndroidStudio*/tmp/ij[0-9]*.tmp rwkix, - # - owner @{user_cache_dirs}/Google/AndroidStudio*/tmp/jna[0-9]*.tmp mrwk, - - owner @{user_cache_dirs}/JNA/ rw, - owner @{user_cache_dirs}/JNA/** rw, - - owner @{HOME}/.gradle/ rw, - owner @{HOME}/.gradle/** mrwkix, - - owner @{HOME}/ r, - owner @{HOME}/.android/ rw, - owner @{HOME}/.android/** rwkl -> @{HOME}/.android/**, - - owner @{user_share_dirs}/Google/ rw, - owner @{user_share_dirs}/Google/** rw, - - owner @{user_share_dirs}/kotlin/ rw, - owner @{user_share_dirs}/kotlin/** rw, - - owner "@{user_share_dirs}/Android Open Source Project/" rw, - owner "@{user_share_dirs}/Android Open Source Project/**" rwk, - - owner @{HOME}/.java/ rw, - owner @{HOME}/.java/fonts/ rw, - owner @{HOME}/.java/fonts/*/ rw, - owner @{HOME}/.java/fonts/*/fcinfo*.tmp rw, - owner @{HOME}/.java/fonts/*/fcinfo*.properties rw, - owner @{HOME}/.java/.userPrefs/ rw, - owner @{HOME}/.java/.userPrefs/** rwk, - - owner @{HOME}/.emulator_console_auth_token rw, - - deny owner @{HOME}/Desktop/* rw, - - @{PROC}/ r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/net/if_inet6 r, - @{PROC}/@{pid}/net/ipv6_route r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/coredump_filter rw, - owner @{PROC}/@{pid}/mem r, - owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pids}/task/ r, - owner @{PROC}/@{pids}/task/@{tid}/status r, - @{PROC}/@{pids}/stat r, - @{PROC}/sys/net/core/somaxconn r, - @{PROC}/sys/fs/inotify/max_user_watches r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/partitions r, - @{PROC}/vmstat r, - @{PROC}/loadavg r, - - @{sys}/fs/cgroup/{,**} r, - - owner /tmp/** rwk, - owner /tmp/native-platform[0-9]*dir/*.so rwm, - - owner @{run}/user/@{uid}/avd/ rw, - owner @{run}/user/@{uid}/avd/running/ rw, - owner @{run}/user/@{uid}/avd/running/pid_@{pid}.ini rw, - - /usr/share/hwdata/pnp.ids r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - /dev/kvm rw, - - @{sys}/devices/virtual/block/**/rotational r, - - - profile gpg { - include - - @{bin}/gpg{,2} mr, - - owner @{HOME}/@{XDG_GPG_DIR}/ rw, - owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - - } - - profile lsb-release { - include - include - include - - signal (receive) set=(term, kill) peer=android-studio, - - @{bin}/lsb_release r, - @{bin}/python3.[0-9]* r, - - @{bin}/ r, - @{bin}/apt-cache rPx, - - owner @{PROC}/@{pid}/fd/ r, - - /etc/dpkg/origins/** r, - /etc/debian_version r, - /usr/share/distro-info/*.csv r, - - owner /tmp/android-*/emulator-* w, - owner /tmp/android-*/@{uuid}/opengl_* w, - - # file_inherit - owner @{HOME}/.android/avd/** r, - /dev/dri/card@{int} rw, - - } - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{bin}/{,ba,da}sh rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{bin}/spacefm rPx, - @{bin}/smplayer rPx, - @{bin}/vlc rPx, - @{bin}/mpv rPx, - @{bin}/geany rPx, - @{bin}/viewnior rPUx, - @{bin}/qpdfview rPx, - @{bin}/ebook-viewer rPx, - @{lib}/firefox/firefox rPx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - - include if exists -} diff --git a/apparmor.d/groups/apps/geany b/apparmor.d/groups/apps/geany deleted file mode 100644 index c97891654..000000000 --- a/apparmor.d/groups/apps/geany +++ /dev/null @@ -1,119 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/geany -profile geany @{exec_path} { - include - include - include - include - include - include - include - - # To edit system files as root. - capability dac_read_search, - capability dac_override, - - deny capability sys_nice, - - network inet stream, - network inet6 stream, - - @{exec_path} mr, - - @{bin}/{,ba,da}sh rix, - - # For the sorting feature - @{bin}/sort rix, - - # When geany is run as root, it wants to exec dbus-launch, and hence it creates the two following - # root processes: - # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr - # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session - # - # Should this be allowed? Geany works fine without this. - #@{bin}/dbus-launch rCx -> dbus, - #@{bin}/dbus-send rCx -> dbus, - deny @{bin}/dbus-launch rx, - deny @{bin}/dbus-send rx, - - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - - /usr/share/geany/{,**} r, - - owner @{user_config_dirs}/geany/{,**} rw, - - owner /{run/,}user/@{uid}/geany/geany_socket.@{hex} rw, - - # To read/write files in the system. The read permission is granted for all files, the write - # permission only for the owner. Also, dirs like /dev/, /proc/, /sys/ are not included in - # the list. - / r, - /boot/ r, - /boot/** r, - owner /boot/** rw, - /etc/ r, - /etc/** r, - owner /etc/** rw, - /efi/ r, - /efi/** r, - owner /efi/** rw, - /home/ r, - /home/** r, - owner /home/** rw, - /lost+found/ r, - /lost+found/** r, - owner /lost+found/** rw, - @{MOUNTS}/ r, - @{MOUNTS}/** r, - owner @{MOUNTS}/** rw, - /mnt/ r, - /mnt/** r, - owner /mnt/** rw, - /opt/ r, - /opt/** r, - owner /opt/** rw, - /root/ r, - /root/** r, - owner /root/** rw, - @{run}/ r, - @{run}/** r, - owner @{run}/** rw, - /srv/ r, - /srv/** r, - owner /srv/** rw, - /tmp/ r, - /tmp/** r, - owner /tmp/** rw, - /usr/ r, - /usr/** r, - owner /usr/** rw, - /var/ r, - /var/** r, - owner /var/** rw, - - - profile dbus { - include - include - - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPUx, - - # for dbus-launch - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - - @{HOME}/.Xauthority r, - } - - include if exists -}