Rethink the configure process.

dists/flags/arch.flags

@@ -0,0 +1,16 @@
+arch-audit complain
+archlinux-java complain
+aurpublish complain
+pacman complain
+pacman-conf attach_disconnected,complain
+pacman-hook-dconf complain
+pacman-hook-depmod complain
+pacman-hook-dkms complain
+pacman-hook-fontconfig complain
+pacman-hook-gio complain
+pacman-hook-gtk complain
+pacman-hook-mkinitcpio-install attach_disconnected,complain
+pacman-hook-mkinitcpio-remove complain
+pacman-hook-perl complain
+pacman-hook-systemd complain
+pacman-key complain

dists/flags/debian.flags

@@ -0,0 +1,22 @@
+dhclient complain
+dhclient-script complain
+dpkg complain
+dpkg-architecture complain
+dpkg-buildflags complain
+dpkg-checkbuilddeps complain
+dpkg-deb complain
+dpkg-divert complain
+dpkg-genbuildinfo complain
+dpkg-genchanges complain
+dpkg-preconfigure complain
+dpkg-query complain
+dpkg-split complain
+dpkg-status complain
+dpkg-trigger complain
+dpkg-vendor complain
+ifup complain
+macchanger complain
+resolvconf complain
+run-parts complain
+unattended-upgrade complain
+unattended-upgrade-shutdown attach_disconnected,complain

dists/flags/main.flags

@@ -0,0 +1,199 @@
+# Common profile flags definition for all distributions
+# One profile by line using the format: '<profile> <flags>'
+
+acpid attach_disconnected,complain
+adb complain
+agetty complain
+at-spi-bus-launcher attach_disconnected
+auditd complain
+badblocks complain
+biosdecode complain
+blkid complain
+blockdev complain
+bootctl complain
+borg complain
+cert-sync complain
+cfdisk complain
+cgdisk complain
+cockpit-askpass complain
+cockpit-bridge complain
+cockpit-certificate-ensure complain
+cockpit-certificate-helper complain
+cockpit-desktop complain
+cockpit-session attach_disconnected,complain
+cockpit-ssh complain
+cockpit-tls complain
+cockpit-ws complain
+cockpit-wsinstance-factory complain
+dbus-daemon-launch-helper complain
+dbus-run-session complain
+dconf complain
+dkms attach_disconnected,complain
+dmesg complain
+e2fsck complain
+e2image complain
+fatlabel complain
+fdisk complain
+fsck-ext4 complain
+fuse-overlayfs complain
+fusermount complain
+gdisk complain
+gdm-x-session attach_disconnected,complain
+gdm-xsession complain
+git complain
+glib-compile-resources complain
+glib-genmarshal complain
+glib-gettextize complain
+glib-mkenums complain
+gnome-contacts complain
+gnome-control-center attach_disconnected,complain
+gnome-control-center-print-renderer complain
+gnome-control-center-search-provider complain
+gnome-disk-image-mounter complain
+gnome-disks complain
+gnome-keyring-daemon complain
+gnome-music complain
+gnome-shell attach_disconnected,complain
+gnome-shell-hotplug-sniffer complain
+gnome-system-monitor attach_disconnected,complain
+gnome-tweak-tool-lid-inhibitor complain
+gnome-tweak-tool-lid-inhibitor complain
+gnome-tweaks complain
+gpg complain
+groups complain
+gsd-disk-utility-notify complain
+gsd-media-keys attach_disconnected,complain
+gsd-print-notifications attach_disconnected,complain
+gsd-printer attach_disconnected,complain
+gsd-rfkill attach_disconnected,complain
+gssproxy complain
+gvfsd-dav complain
+hostnamectl complain
+install-info complain
+kernel-install complain
+kmod attach_disconnected,complain
+last complain
+lastlog complain
+libvirt-dbus complain
+libvirtd attach_disconnected,complain
+localectl complain
+man complain
+mission-control complain
+mke2fs complain
+mkinitcpio attach_disconnected,complain
+mono-sgen complain
+mount complain
+newgidmap complain
+newuidmap complain
+nft complain
+nmap complain
+ntfs-3g complain
+ntfs-3g-probe complain
+obex-folder-listing complain
+obexautofs complain
+obexctl complain
+obexfs complain
+obexpush-atd complain
+obexpushd complain
+oomctl complain
+pass complain
+pass-import complain
+pinentry-gtk-2 complain
+podman attach_disconnected,complain
+run-parts complain
+runuser complain
+seahorse complain
+slirp4netns attach_disconnected,complain
+spice-client-glib-usb-acl-helper complain
+ssh complain
+start-pulseaudio-x11 complain
+su complain
+sudo complain
+swaplabel complain
+swapoff complain
+swapon complain
+systemd-analyze complain
+systemd-ask-password complain
+systemd-binfmt complain
+systemd-bless-boot complain
+systemd-boot-check-no-failures complain
+systemd-cat complain
+systemd-cgls complain
+systemd-cgroups-agent
+systemd-cgtop complain
+systemd-coredump attach_disconnected,complain
+systemd-dissect complain
+systemd-environment-d-generator complain
+systemd-escape complain
+systemd-export complain
+systemd-growfs complain
+systemd-hibernate-resume complain
+systemd-homed complain
+systemd-homework complain
+systemd-hwdb attach_disconnected,complain
+systemd-id128 complain
+systemd-import complain
+systemd-import-fs complain
+systemd-importd complain
+systemd-inhibit
+systemd-journal-gatewayd complain
+systemd-journal-remote complain
+systemd-journal-upload complain
+systemd-logind complain
+systemd-machine-id-setup complain
+systemd-machined complain
+systemd-makefs complain
+systemd-modules-load complain
+systemd-mount complain
+systemd-network-generator complain
+systemd-notify complain
+systemd-oomd complain
+systemd-path complain
+systemd-portabled complain
+systemd-quotacheck complain
+systemd-random-seed complain
+systemd-remount-fs complain
+systemd-repart complain
+systemd-reply-password complain
+systemd-resolve complain
+systemd-resolved complain
+systemd-run complain
+systemd-sleep complain
+systemd-socket-activate complain
+systemd-socket-proxyd complain
+systemd-stdio-bridge complain
+systemd-sulogin-shell complain
+systemd-sysctl attach_disconnected,complain
+systemd-sysext complain
+systemd-sysusers attach_disconnected,complain
+systemd-time-wait-sync complain
+systemd-tmpfiles attach_disconnected,complain
+systemd-tty-ask-password-agent complain
+systemd-update-done complain
+systemd-update-utmp complain
+systemd-user-runtime-dir complain
+systemd-user-sessions complain
+systemd-userdbd complain
+systemd-userwork complain
+systemd-vconsole-setup complain
+systemd-xdg-autostart-condition complain
+systemd-xdg-autostart-generator complain
+timedatectl complain
+tracker-extract complain
+udisksctl complain
+udisksd attach_disconnected,complain
+umount complain
+umount.udisks2 complain
+userdbctl complain
+virt-manager attach_disconnected,complain
+virtlockd complain
+xbrlapi attach_disconnected,complain
+xdg-dbus-proxy attach_disconnected,complain
+xdg-desktop-icon complain
+xdg-desktop-portal complain
+xdg-desktop-portal-gtk complain
+xdg-document-portal complain
+xdg-permission-store attach_disconnected,complain
+xdg-user-dirs-gtk-update complain
+xhost complain
+xset complain

dists/flags/ubuntu.flags

@@ -0,0 +1 @@
+aa-status complain

dists/ignore/arch.ignore

@@ -0,0 +1,3 @@
+apparmor.d/abstractions/apt-common
+apparmor.d/groups/apt
+apparmor.d/groups/cron

dists/ignore/debian.ignore

@@ -0,0 +1,2 @@
+apparmor.d/groups/pacman
+root/usr/share/libalpm/hooks/apparmor.hook

dists/ignore/main.ignore

@@ -0,0 +1,13 @@
+# Common ignore file for all distributions
+# One ignore by line. Can be a profile name or a directory to ignore
+
+# Contains profile for full system confinement, only included when ./configure
+# is given the --full option
+apparmor.d/groups/_full
+
+apparmor.d/groups/apps
+
+anki
+torbrowser.Browser.firefox
+torbrowser.Browser.plugin-container
+torbrowser.Tor.tor

dists/ignore/ubuntu.ignore

@@ -0,0 +1,3 @@
+apparmor.d/groups/pacman
+apparmor.systemd
+root/usr/share/libalpm/hooks/apparmor.hook

dists/ubuntu/abstractions/dbus-network-manager-strict

@@ -0,0 +1,45 @@
+# vim:syntax=apparmor
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=org.freedesktop.NetworkManager),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.NetworkManager
+       member=GetDevices
+       peer=(name=org.freedesktop.NetworkManager),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=org.freedesktop.NetworkManager),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager/Devices/[0-9]*
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=org.freedesktop.NetworkManager),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager/Settings
+       interface=org.freedesktop.NetworkManager.Settings
+       member={GetDevices,ListConnections}
+       peer=(name=org.freedesktop.NetworkManager),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager/Settings/[0-9]*
+       interface=org.freedesktop.NetworkManager.Settings.Connection
+       member=GetSettings
+       peer=(name=org.freedesktop.NetworkManager),
+
+  include if exists <abstractions/dbus-network-manager-strict.d>

dists/ubuntu/abstractions/exo-open

@@ -0,0 +1,74 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via exo-open helper.
+#
+# NOTE: most likely you want to use xdg-open abstraction instead for better
+# portability across desktop environments, unless you are sure that confined
+# application only uses /usr/bin/exo-open directly.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/exo-open rPx -> foo//exo-open,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//exo-open {
+#   include <abstractions/exo-open>
+#
+#   # needed for ubuntu-* abstractions
+#   include <abstractions/ubuntu-helpers>
+#
+#   # Only allow to handle http[s]: and mailto: links
+#   include <abstractions/ubuntu-browsers>
+#   include <abstractions/ubuntu-email>
+#
+#   # Add if accesibility access is considered as required
+#   # (for message boxe in case exo-open fails)
+#   include <abstractions/dbus-accessibility>
+#
+#   # < add additional allowed applications here >
+# }
+
+  include <abstractions/X>
+  include <abstractions/audio> # for alert messages
+  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/gnome>
+
+  # Main executables
+
+  /usr/bin/exo-open rix,
+  /usr/lib{32,64,/@{multiarch}}/xfce4/exo-[0-9]/exo-helper-[0-9] ix,
+
+  # Other executables
+
+  /{,usr/}bin/which rix,
+
+  # Deny DBus
+
+  # for GTK error message dialog, not required exo-open to work.
+  deny dbus send
+    bus=session
+    path=/org/gtk/vfs/mounttracker,
+
+  # System files
+
+  /etc/xdg/{,xdg-*/}xfce4/helpers.rc r,
+  /etc/xfce4/defaults.list r, # TODO: move into xfce4 abstraction?
+  /usr/share/sounds/freedesktop/** r, # for message box alert sound
+  /usr/share/xfce4/helpers/*.desktop r,
+  /usr/share/{xfce{,4},xubuntu}/applications/{,*.list} r,
+
+  # User files
+
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{HOME}/.config/xfce4/helpers.rc r,
+  owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
+
+  # Include additions to the abstraction
+  include if exists <abstractions/exo-open.d>

dists/ubuntu/abstractions/gio-open

@@ -0,0 +1,57 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via gio helper.
+#
+# NOTE: most likely you want to use xdg-open abstraction instead for better
+# portability across desktop environments, unless you are sure that confined
+# application only uses /usr/bin/gio directly.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/gio rPx -> foo//gio-open,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//gio-open {
+#   include <abstractions/gio-open>
+#
+#   # needed for ubuntu-* abstractions
+#   include <abstractions/ubuntu-helpers>
+#
+#   # Only allow to handle http[s]: and mailto: links
+#   include <abstractions/ubuntu-browsers>
+#   include <abstractions/ubuntu-email>
+#
+#   # < add additional allowed applications here >
+# }
+
+  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
+
+  # Main executables
+
+  /usr/bin/gio rix,
+  /usr/bin/gio-launch-desktop ix, # for OpenSUSE
+  /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix,
+
+  # System files
+
+  /etc/gnome/defaults.list r,
+  /usr/share/mime/* r,
+  /usr/share/{,*/}applications/{,**} r,
+  /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
+  /var/lib/snapd/desktop/applications/{,**} r,
+
+  # User files
+
+  owner @{HOME}/.config/mimeapps.list r,
+  owner @{HOME}/.local/share/applications/{,*.desktop} r,
+  owner @{PROC}/@{pid}/fd/ r,
+
+  # Include additions to the abstraction
+  include if exists <abstractions/gio-open.d>

dists/ubuntu/abstractions/gvfs-open

@@ -0,0 +1,46 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via gvfs-open helper.
+#
+# NOTE: most likely you want to use xdg-open abstraction instead for better
+# portability across desktop environments, unless you are sure that confined
+# application only uses /usr/bin/gvfs-open directly.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/gvfs-open rPx -> foo//gvfs-open,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//gvfs-open {
+#   include <abstractions/gvfs-open>
+#
+#   # needed for ubuntu-* abstractions
+#   include <abstractions/ubuntu-helpers>
+#
+#   # Only allow to handle http[s]: and mailto: links
+#   include <abstractions/ubuntu-browsers>
+#   include <abstractions/ubuntu-email>
+#
+#   # < add additional allowed applications here >
+# }
+# ```
+
+  include <abstractions/base>
+
+  # gvfs-open is deprecated, it launches gio open <uri>
+  include <abstractions/gio-open>
+
+  # Main executables
+
+  /usr/bin/gvfs-open r,
+  /{,usr/}bin/dash mr,
+
+  # Include additions to the abstraction
+  include if exists <abstractions/gvfs-open.d>
+

dists/ubuntu/abstractions/kde-open5

@@ -0,0 +1,104 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via kde-open5 helper.
+#
+# NOTE: most likely you want to use xdg-open abstraction instead for better
+# portability across desktop environments, unless you are sure that confined
+# application only uses /usr/bin/kde-open5 directly.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/kde-open5 rPx -> foo//kde-open5,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//kde-open5 {
+#   include <abstractions/kde-open5>
+#
+#   # needed for ubuntu-* abstractions
+#   include <abstractions/ubuntu-helpers>
+#
+#   # Only allow to handle http[s]: and mailto: links
+#   include <abstractions/ubuntu-browsers>
+#   include <abstractions/ubuntu-email>
+#
+#   # Add if accesibility access is considered as required
+#   # (for message boxe in case exo-open fails)
+#   include <abstractions/dbus-accessibility>
+#
+#   # Add if audio support for message box is
+#   # considered as required.
+#   include if exists <abstractions/gstreamer>
+#
+#   # < add additional allowed applications here >
+# }
+# ```
+
+  include <abstractions/audio> # for alert messages
+  include <abstractions/base>
+  include <abstractions/dbus-accessibility-strict>
+  include <abstractions/dbus-network-manager-strict>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/dbus-strict>
+  include <abstractions/kde-icon-cache-write>
+  include <abstractions/kde>
+  include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
+  include <abstractions/openssl>
+  include <abstractions/qt5>
+  include <abstractions/recent-documents-write>
+  include <abstractions/X>
+
+  # Main executables
+
+  /usr/bin/kde-open5 rix,
+  /usr/lib/@{multiarch}/libexec/kf5/kioslave{,5} ix,
+
+  # DBus
+
+  dbus
+      bus=session
+      interface=org.kde.KLauncher
+      member=start_service_by_desktop_path
+      peer=(name=org.kde.klauncher5),
+
+  # Denied system files
+
+  deny /usr/lib/vlc/plugins/* w, # VLC backed tries to create plugins.dat.16109
+
+  # libpcre2 on openSUSE tries to mmap() shared memory on directory.
+  # see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
+  # AppArmor does not allow to distinguish "real" file vs shared memory one,
+  # so we deny this path to protect from loading exploits from /tmp.
+  deny /tmp/#[0-9]*[0-9] m,
+
+  # System files
+
+  /dev/tty r,
+  /etc/xdg/accept-languages.codes r,
+  /etc/xdg/menus/{,*/} r,
+  /usr/share/*fonts*/conf.avail/*.conf r, # for openSUSE, when showing error message box
+  /usr/share/ghostscript/fonts/ r, # for openSUSE, when showing error message box
+  /usr/share/hwdata/pnp.ids r, # for openSUSE, when showing error message box, for QXcbConnection::initializeScreens() from libQt5XcbQpa.so
+  /usr/share/icu/[0-9]*.[0-9]*/*.dat r, # for openSUSE
+  /usr/share/kservices5/{,**} r, # for KProtocolManager::defaultUserAgent() from libKF5KIOCore.so
+  /usr/share/mime/ r,
+  /usr/share/mime/generic-icons r,
+  /usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
+  /usr/share/sounds/ r,
+  @{PROC}/sys/kernel/core_pattern r,
+  @{PROC}/sys/kernel/random/boot_id r,
+
+  # User files
+
+  owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so
+  owner @{run}/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13
+  owner @{run}/user/[0-9]*/kioclient*slave-socket lrw -> @{run}/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
+  owner @{HOME}/.cache/kio_http/ rw,
+
+  # Include additions to the abstraction
+  include if exists <abstractions/kde-open5.d>

dists/ubuntu/abstractions/xdg-open

@@ -0,0 +1,84 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via xdg-open helper. xdg-open abstraction
+# will allow to use gio-open, kde-open5 and other helpers of the different
+# desktop environments.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/xdg-open rPx -> foo//xdg-open,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//xdg-open {
+#   include <abstractions/xdg-open>
+#
+#   # Enable a11y support if considered required by
+#   # profile author for (rare) error message boxes.
+#   include <abstractions/dbus-accessibility>
+#
+#   # Enable gstreamer support if considered required by
+#   # profile author for (rare) error message boxes.
+#   include if exists <abstractions/gstreamer>
+#
+#   # needed for ubuntu-* abstractions
+#   include <abstractions/ubuntu-helpers>
+#
+#   # Only allow to handle http[s]: and mailto: links
+#   include <abstractions/ubuntu-browsers>
+#   include <abstractions/ubuntu-email>
+#
+#   # < add additional allowed applications here >
+# }
+# ```
+
+  include <abstractions/base>
+
+  # for openin with `exo-open`
+  include <abstractions/exo-open>
+
+  # for opening with `gio open <uri>`
+  include <abstractions/gio-open>
+
+  # for opening with gvfs-open (deprecated)
+  include <abstractions/gvfs-open>
+
+  # for opening with kde-open5
+  include <abstractions/kde-open5>
+
+  # Main executables
+
+  /{,usr/}bin/{b,d}ash mr,
+  /usr/bin/xdg-open r,
+
+  # Additional executables
+
+  /usr/bin/xdg-mime rix,
+  /{,usr/}bin/cut rix, # for xdg-mime
+  /{,usr/}bin/head rix, # for xdg-mime
+  /{,usr/}bin/sed rix, # for xdg-open
+  /{,usr/}bin/tr rix, # for xdg-mime
+  /{,usr/}bin/which rix, # for xdg-open
+  /{,usr/}bin/{grep,egrep} rix, # for xdg-open
+
+  # System files
+
+  /dev/pts/[0-9]* rw,
+  /dev/tty w,
+  /etc/gnome/defaults.list r, # for grep
+  /usr/share/applications/mimeinfo.cache r, # for grep
+  /usr/share/terminfo/s/screen r, # for bash on openSUSE
+  /usr/share/{,*/}applications/{,*.desktop} r, # for xdg-mime
+  /var/lib/menu-xdg/applications/ r, # for xdg-mime
+
+  # Usr files
+
+  owner @{HOME}/.local/share/applications/{,*.desktop} r,
+
+  # Include additions to the abstraction
+  include if exists <abstractions/xdg-open.d>