feat(profile): cleanup and remove open subprofile when it is useless.

2024-10-06 15:46:07 +01:00 · 2024-10-06 15:46:07 +01:00 · 105a9b4def
commit 105a9b4def
parent 36f620dab1
14 changed files with 111 additions and 482 deletions
--- a/apparmor.d/profiles-a-f/arduino
+++ b/apparmor.d/profiles-a-f/arduino
@ -39,7 +39,7 @@ profile arduino @{exec_path} {
  @{bin}/chmod              rix,
  @{bin}/avrdude            rix,

-  @{bin}/xdg-open           rCx -> open,
+  @{open_path}             rCx -> child-open,

  @{bin}/dpkg-architecture  rPx,
  @{bin}/arduino-builder    rPx,
@ -109,31 +109,6 @@ profile arduino @{exec_path} {
  # Silencer
  deny /usr/share/arduino/** w,

-
-  profile open {
-    include <abstractions/base>
-    include <abstractions/xdg-open>
-
-    @{bin}/xdg-open mr,
-
-    @{sh_path}             rix,
-    @{bin}/{m,g,}awk       rix,
-    @{bin}/readlink        rix,
-    @{bin}/basename        rix,
-
-    owner @{HOME}/ r,
-
-    owner @{run}/user/@{uid}/ r,
-
-    # Allowed apps to open
-    @{lib}/firefox/firefox rPUx,
-    @{bin}/spacefm         rPUx,
-
-    # file_inherit
-    owner @{HOME}/.xsession-errors w,
-
-  }
-
  include if exists <local/arduino>
 }

--- a/apparmor.d/profiles-a-f/cawbird
+++ b/apparmor.d/profiles-a-f/cawbird
@ -31,8 +31,12 @@ profile cawbird @{exec_path} {

  @{sh_path}         rix,

-  @{bin}/xdg-open    rCx -> open,
-  @{bin}/exo-open    rCx -> open,
+  @{open_path}       rPx -> child-open,
+
+  /usr/share/xml/iso-codes/{,**} r,
+
+  /var/lib/dbus/machine-id r,
+  /etc/machine-id r,

  owner @{user_config_dirs}/cawbird/ rw,
  owner @{user_config_dirs}/cawbird/** rwk,
@ -40,36 +44,8 @@ profile cawbird @{exec_path} {
  owner @{user_cache_dirs}/ rw,
  owner @{user_cache_dirs}/cawbird-* rw,

-  /usr/share/xml/iso-codes/{,**} r,
-
-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
-
  owner @{PROC}/@{pid}/fd/ r,

-  profile open {
-    include <abstractions/base>
-    include <abstractions/xdg-open>
-
-    @{bin}/xdg-open mr,
-
-    @{sh_path}             rix,
-    @{bin}/{m,g,}awk       rix,
-    @{bin}/readlink        rix,
-    @{bin}/basename        rix,
-
-    owner @{HOME}/ r,
-
-    owner @{run}/user/@{uid}/ r,
-
-    # Allowed apps to open
-    @{lib}/firefox/firefox rPUx,
-
-    # file_inherit
-    owner @{HOME}/.xsession-errors w,
-
-  }
-
  include if exists <local/cawbird>
 }

--- a/apparmor.d/profiles-a-f/czkawka-gui
+++ b/apparmor.d/profiles-a-f/czkawka-gui
@ -18,7 +18,7 @@ profile czkawka-gui @{exec_path} {

  @{exec_path} mr,

-  @{bin}/xdg-open   rCx -> open,
+  @{open_path} rPx -> child-open,

  # Dirs to scan for duplicates
  #owner @{HOME}/** rw,
@ -38,32 +38,6 @@ profile czkawka-gui @{exec_path} {

  @{sys}/fs/cgroup/{,**} r,

-  profile open {
-    include <abstractions/base>
-    include <abstractions/xdg-open>
-
-    @{bin}/xdg-open mr,
-
-    @{sh_path}             rix,
-    @{bin}/{m,g,}awk       rix,
-    @{bin}/readlink        rix,
-    @{bin}/basename        rix,
-
-    owner @{HOME}/ r,
-
-    owner @{run}/user/@{uid}/ r,
-
-    # Allowed apps to open
-    #@{lib}/firefox/firefox  rPx,
-    @{bin}/smplayer          rPx,
-    @{bin}/geany             rPx,
-    @{bin}/viewnior         rPUx,
-
-    # file_inherit
-    owner @{HOME}/.xsession-errors w,
-
-  }
-
  include if exists <local/czkawka-gui>
 }

--- a/apparmor.d/profiles-a-f/deltachat-desktop
+++ b/apparmor.d/profiles-a-f/deltachat-desktop
@ -7,13 +7,9 @@ abi <abi/4.0>,

 include <tunables/global>

-@{DCD_LIBDIR} =  @{lib}/deltachat-desktop
-@{DCD_LIBDIR} += @{lib}/deltachat
-@{DCD_LIBDIR} += /opt/DeltaChat/
+@{lib_dirs} = @{lib}/deltachat-desktop @{lib}/deltachat /opt/DeltaChat/

-@{exec_path}   = /usr/bin/deltachat-desktop
-@{exec_path}  += /opt/DeltaChat/deltachat-desktop
-#@{exec_path} += @{DCD_LIBDIR}/deltachat-desktop
+@{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop
 profile deltachat-desktop @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
@ -35,15 +31,18 @@ profile deltachat-desktop @{exec_path} {

  @{exec_path} mrix,

-  @{DCD_LIBDIR}/ r,
-  @{DCD_LIBDIR}/** r,
-  @{DCD_LIBDIR}/libffmpeg.so mr,
-  @{DCD_LIBDIR}/{swiftshader/,}libGLESv2.so mr,
-  @{DCD_LIBDIR}/{swiftshader/,}libEGL.so mr,
-  @{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.node mr,
-  @{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.so mr,
-  @{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr,
-  @{DCD_LIBDIR}/chrome-sandbox rPx,
+  @{lib_dirs}/ r,
+  @{lib_dirs}/** r,
+  @{lib_dirs}/libffmpeg.so mr,
+  @{lib_dirs}/{swiftshader/,}libGLESv2.so mr,
+  @{lib_dirs}/{swiftshader/,}libEGL.so mr,
+  @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.node mr,
+  @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so mr,
+  @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr,
+  @{lib_dirs}/chrome-sandbox rPx,
+
+  @{bin}/xdg-settings    rPx,
+  @{open_path} rPx -> child-open-browsers,

  owner @{user_config_dirs}/DeltaChat/ rw,
  owner @{user_config_dirs}/DeltaChat/** rwk,
@ -53,58 +52,24 @@ profile deltachat-desktop @{exec_path} {
  owner @{tmp}/@{hex}/db.sqlite rwk,
  owner @{tmp}/@{hex}/db.sqlite-journal rw,

-             @{PROC}/ r,
-       owner @{PROC}/@{pid}/fd/ r,
-             @{PROC}/@{pids}/task/ r,
-             @{PROC}/@{pids}/task/@{tid}/status r,
-             @{PROC}/@{pids}/stat r,
-       owner @{PROC}/@{pids}/statm r,
-  deny owner @{PROC}/@{pid}/cmdline r,
-       owner @{PROC}/@{pids}/oom_{,score_}adj r,
-  deny owner @{PROC}/@{pids}/oom_{,score_}adj w,
-       owner @{PROC}/@{pid}/cgroup r,
-             @{PROC}/sys/kernel/yama/ptrace_scope r,
-             @{PROC}/sys/fs/inotify/max_user_watches r,
+        @{PROC}/ r,
+        @{PROC}/@{pid}/stat r,
+        @{PROC}/@{pid}/task/ r,
+        @{PROC}/@{pid}/task/@{tid}/status r,
+        @{PROC}/sys/fs/inotify/max_user_watches r,
+        @{PROC}/sys/kernel/yama/ptrace_scope r,
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+  owner @{PROC}/@{pid}/statm r,

-        /dev/ r,
+  /dev/ r,

  # (#FIXME#)
  deny @{sys}/bus/pci/devices/ r,
-
  deny @{sys}/devices/virtual/tty/tty@{int}/active r,

-  # no new privs
-  @{bin}/xdg-settings    rPx,
-
-  @{bin}/xdg-open        rCx -> open,
-
-  # Allowed apps to open
-  @{lib}/firefox/firefox rPx,
-
-
-  profile open {
-    include <abstractions/base>
-    include <abstractions/xdg-open>
-
-    @{bin}/xdg-open mr,
-
-    @{sh_path}             rix,
-    @{bin}/{m,g,}awk       rix,
-    @{bin}/readlink        rix,
-    @{bin}/basename        rix,
-
-    owner @{HOME}/ r,
-
-    owner @{run}/user/@{uid}/ r,
-
-    # Allowed apps to open
-    @{lib}/firefox/firefox rPx,
-
-    # file_inherit
-    owner @{HOME}/.xsession-errors w,
-
-  }
-
  include if exists <local/deltachat-desktop>
 }

--- a/apparmor.d/profiles-a-f/deluser
+++ b/apparmor.d/profiles-a-f/deluser
@ -14,24 +14,18 @@ profile deluser @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

-  # The deluser command is issued as root and its task is to delete regular user accounts. It
-  # optionally can remove user files (via --remove-home or --remove-all-files) or create a backup.
-  # Because of that, the deluser command needs the following CAPs to be able to do so.
  capability dac_read_search,
  capability dac_override,

  @{exec_path} r,
  @{bin}/perl r,

-  @{sh_path}        rix,
-
-  @{bin}/userdel   rPx,
+  @{sh_path}       rix,
+  @{bin}/crontab   rPx,
+  @{bin}/gpasswd   rPx,
  @{bin}/groupdel  rPx,
-  @{bin}/gpasswd    rPx,
-
-  @{bin}/crontab    rPx,
-
-  @{bin}/mount      rCx -> mount,
+  @{bin}/mount     rCx -> mount,
+  @{bin}/userdel   rPx,

  /etc/adduser.conf r,
  /etc/deluser.conf r,
@ -45,7 +39,6 @@ profile deluser @{exec_path} {
  /   r,
  /** rw,

-
  profile mount {
    include <abstractions/base>