General profiles update.

2022-03-26 20:43:47 +00:00 · 2022-03-26 20:43:47 +00:00 · 20c3b0575c
commit 20c3b0575c
parent d7be27411b
22 changed files with 101 additions and 155 deletions
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -82,5 +82,7 @@ profile sudo @{exec_path} {
  /dev/ r,    # interactive login
  /dev/ptmx rw,

+  deny @{user_share_dirs}/gvfs-metadata/* r,
+
  include if exists <local/sudo>
 }
--- a/apparmor.d/profiles-s-z/usr.bin.totem
+++ b/apparmor.d/profiles-s-z/usr.bin.totem
@ -1,58 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) Jamie Strandboge <jamie@canonical.com>
-# SPDX-License-Identifier: GPL-2.0-only
-
-#include <tunables/global>
-
-/usr/bin/totem {
-  #include <abstractions/audio>
-  #include <abstractions/dconf>
-  #include <abstractions/ibus>
-  #include <abstractions/mesa>
-  #include <abstractions/nvidia>
-  #include <abstractions/python>
-  #include <abstractions/totem>
-  #include <abstractions/ubuntu-helpers>
-
-  signal (send) set=("kill") peer=unconfined,
-
-  # Maybe in an abstraction?
-  /usr/include/**/pyconfig.h r,
-
-  /usr/bin/totem r,
-  /usr/bin/totem-video-thumbnailer Pix,
-  /usr/bin/bwrap PUx,
-  /usr/lib/@{multiarch}/libtotem-plparser[0-9]*/totem-pl-parser/* ix,
-  /usr/{lib/@{multiarch},libexec}/totem-gallery-thumbnailer Pix,
-  /dev/sr* r,
-
-  # Help browser
-  /usr/bin/yelp Cx -> sanitized_helper,
-  # GDesktopAppInfo in GLib 2.64.x uses a very small shell script
-  # to launch .desktop files, instead of gio-launch-desktop
-  /{usr/,}bin/{dash,bash} ixr,
-  # With older GLib we might still be on the fallback code path
-  # (remove this after Debian 11 and Ubuntu 20.04)
-  /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rmix,
-
-  # Quiet logs
-  deny /{usr/,}lib/@{multiarch}/totem/plugins/*/__pycache__/ w,
-
-  # Allow read and write on almost anything in @{HOME}. Lenient, but
-  # private-files-strict is in effect.
-  #include <abstractions/private-files-strict>
-  owner @{HOME}/[^.]*    rw,
-  owner @{HOME}/[^.]*/** rw,
-
-  # Allow usage of openat with O_TMPFILE
-  owner @{HOME}/#[0-9]*[0-9] m,
-
-  owner /{,var/}run/user/@{uid}/dconf/user w,
-  owner /{,var/}run/user/@{uid}/at-spi2-*/   rw,
-  owner /{,var/}run/user/@{uid}/at-spi2-*/** rw,
-
-  /sys/devices/pci[0-9]*/**/config r,
-  /sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r,
-
-  include if exists <local/usr.bin.totem>
-}
--- a/apparmor.d/profiles-s-z/usr.bin.totem-previewers
+++ b/apparmor.d/profiles-s-z/usr.bin.totem-previewers
@ -1,40 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) Jamie Strandboge <jamie@canonical.com>
-# SPDX-License-Identifier: GPL-2.0-only
-
-include <tunables/global>
-
-/usr/bin/totem-video-thumbnailer flags=(attach_disconnected) {
-  include <abstractions/totem>
-
-  # Probably needed due to this program being run with bwrap
-  @{HOMEDIRS} w,
-  owner @{HOME}/ w,
-
-  # Allow read on almost anything in @{HOME}. Lenient, but private-files-strict is in
-  # effect.
-  include <abstractions/private-files-strict>
-  owner @{HOME}/[^.]*    rw,
-  owner @{HOME}/[^.]*/** rw,
-
-  # Not needed by nautilus, but maybe other applications
-  owner /**.[pP][nN][gG] w,
-  owner /**.[jJ][pP]{,[eE]}[gG] w,
-
-  /usr/bin/totem-video-thumbnailer rm,
-
-  include if exists <local/usr.bin.totem-previewers>
-}
-
-/usr/bin/totem-audio-preview flags=(attach_disconnected) {
-  include <abstractions/totem>
-  include <abstractions/audio>
-
-  # Allow read on anything in @{HOME}. Lenient, but private-files-strict is in
-  # effect.
-  include <abstractions/private-files-strict>
-  owner @{HOME}/[^.]*    rw,
-  owner @{HOME}/[^.]*/** rw,
-
-  include if exists <local/usr.bin.totem-previewers>
-}