Rethink the configure process.

2021-12-04 22:09:20 +00:00 · 2021-12-04 22:09:20 +00:00 · 1644b70d6d
commit 1644b70d6d
parent 0fc9c8b5b0
19 changed files with 156 additions and 125 deletions
--- a/dists/ubuntu/abstractions/gio-open
+++ b/dists/ubuntu/abstractions/gio-open
@ -0,0 +1,57 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via gio helper.
+#
+# NOTE: most likely you want to use xdg-open abstraction instead for better
+# portability across desktop environments, unless you are sure that confined
+# application only uses /usr/bin/gio directly.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/gio rPx -> foo//gio-open,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//gio-open {
+#   include <abstractions/gio-open>
+#
+#   # needed for ubuntu-* abstractions
+#   include <abstractions/ubuntu-helpers>
+#
+#   # Only allow to handle http[s]: and mailto: links
+#   include <abstractions/ubuntu-browsers>
+#   include <abstractions/ubuntu-email>
+#
+#   # < add additional allowed applications here >
+# }
+
+  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
+
+  # Main executables
+
+  /usr/bin/gio rix,
+  /usr/bin/gio-launch-desktop ix, # for OpenSUSE
+  /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix,
+
+  # System files
+
+  /etc/gnome/defaults.list r,
+  /usr/share/mime/* r,
+  /usr/share/{,*/}applications/{,**} r,
+  /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
+  /var/lib/snapd/desktop/applications/{,**} r,
+
+  # User files
+
+  owner @{HOME}/.config/mimeapps.list r,
+  owner @{HOME}/.local/share/applications/{,*.desktop} r,
+  owner @{PROC}/@{pid}/fd/ r,
+
+  # Include additions to the abstraction
+  include if exists <abstractions/gio-open.d>