felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

readers

Browse source
This commit is contained in:
nobody43 2023-04-03 01:41:31 +00:00 committed by Alex
parent 9b51f26500
commit 2a20b69c65
5 changed files with 204 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

50
apparmor.d/profiles-a-f/atril
View file

@ -17,9 +17,51 @@ profile atril @{exec_path} {
include <abstractions/gtk>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
include <abstractions/X-strict>
include <abstractions/ibus>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-accessibility-strict>
network netlink raw,
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
interface=org.a11y.atspi.DeviceEventController
member={GetKeystrokeListeners,GetDeviceEventListeners}
peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name=:*, label=at-spi2-registryd),
dbus send bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=GetRegisteredEvents
peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
dbus receive bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=EventListenerDeregistered
peer=(name=:*, label=at-spi2-registryd),
dbus send bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=ListMountableInfo
peer=(name=:*),
dbus send bus=session path=/org/mate/atril/{,**}
peer=(name=org.freedesktop.DBus, label=atrild), # all interfaces and members
dbus send bus=session path=/org/mate/atril/Daemon
interface=org.mate.atril.Daemon
member={RegisterDocument,UnregisterDocument}
peer=(name=org.mate.atril.Daemon), # no peer's labels
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
@ -44,6 +86,8 @@ profile atril @{exec_path} {
owner @{user_cache_dirs}/atril/{,**} rw,
owner @{user_share_dirs}/ r,
owner /tmp/gtkprint_* rw,
owner /tmp/settings*.ini rw,
owner /tmp/settings*.ini.* rw,
@ -65,3 +109,9 @@ profile atril @{exec_path} {
include if exists <local/atril>
}
profile /{usr/,}bin/atril-previewer {
include <abstractions/base>
include if exists <local/atril-previewer>
}

12
apparmor.d/profiles-a-f/atrild
View file

@ -9,6 +9,18 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/atril/atrild
profile atrild @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-session-strict>
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus (send, receive) bus=session path=/org/mate/atril/**
peer=(name="{:*,org.freedesktop.DBus}", label=atril), # all interfaces and members
dbus bind bus=session
name=org.mate.atril.Daemon,
@{exec_path} mr,

83
apparmor.d/profiles-a-f/evince
View file

@ -15,10 +15,70 @@ profile evince @{exec_path} {
include <abstractions/user-download-strict>
include <abstractions/user-read>
include <abstractions/user-write>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-accessibility-strict>
include <abstractions/ibus>
# also denies network mounts
deny network inet,
deny network inet6,
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus),
dbus send bus=session path=/org/gtk/vfs/metadata
interface=org.gtk.vfs.Metadata
member={Set,GetTreeFromDevice}
peer=(name=:*),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Settings
member=Read
peer=(name=:*),
dbus send bus=session path=/org/gnome/evince/Daemon
interface=org.gnome.evince.Daemon
member=RegisterDocument
peer=(name=org.gnome.evince.Daemon), # no peer's labels
dbus (send, receive) bus=session path=/org/gnome/evince/{,**}
peer=(name="{org.gnome.evince.Daemon,org.freedesktop.DBus,:*}", label=@{profile_name}), # all interfaces and members
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
interface=org.a11y.atspi.DeviceEventController
member={GetKeystrokeListeners,GetDeviceEventListeners}
peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name=:*, label=at-spi2-registryd),
dbus send bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=GetRegisteredEvents
peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
dbus receive bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=EventListenerDeregistered
peer=(name=:*, label=at-spi2-registryd),
dbus bind bus=session
name=org.gnome.evince.Daemon,
@{exec_path} rix,
/{usr/,}bin/{,ba,da}sh rix,
@ -51,3 +111,26 @@ profile evince @{exec_path} {
include if exists <local/evince>
}
profile evince-previewer /{,usr/}bin/evince-previewer {
include <abstractions/base>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict>
unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*", label=xorg),
/{,usr/}bin/evince-previewer mr,
# X-tiny
owner @{HOME}/.Xauthority r,
include if exists <local/evince-previewer>
}
profile evince-thumbnailer /{,usr/}bin/evince-thumbnailer {
include <abstractions/base>
/{,usr/}bin/evince-thumbnailer mr,
include if exists <local/evince-thumbnailer>
}