From 2af1d06f183302037a10f62641b90ee644a65eaf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 8 Sep 2024 13:25:49 +0100 Subject: [PATCH] feat(tunable): add @{editor_path} & @{pager_path}. --- apparmor.d/groups/_full/default | 4 +--- apparmor.d/groups/apt/apt | 8 +++----- apparmor.d/groups/apt/apt-listchanges | 6 +++--- apparmor.d/groups/apt/aptitude | 11 +++++------ apparmor.d/groups/apt/dpkg | 5 +---- apparmor.d/groups/apt/dpkg-query | 4 +--- apparmor.d/groups/apt/reportbug | 4 +--- apparmor.d/groups/cron/crontab | 6 +----- apparmor.d/groups/network/nmcli | 4 +--- apparmor.d/groups/pacman/pacman | 5 +---- apparmor.d/groups/systemd/bootctl | 4 +--- apparmor.d/groups/systemd/busctl | 4 +--- apparmor.d/groups/systemd/coredumpctl | 4 +--- apparmor.d/groups/systemd/journalctl | 4 +--- apparmor.d/groups/systemd/localectl | 4 +--- apparmor.d/groups/systemd/loginctl | 4 +--- apparmor.d/groups/systemd/networkctl | 4 +--- apparmor.d/groups/systemd/systemd-analyze | 4 +--- apparmor.d/groups/systemd/systemd-cgls | 4 +--- apparmor.d/groups/systemd/systemd-cgtop | 4 +--- apparmor.d/groups/systemd/systemd-dissect | 4 +--- apparmor.d/groups/systemd/systemd-mount | 4 +--- apparmor.d/groups/systemd/systemd-udevd | 4 +--- apparmor.d/groups/systemd/userdbctl | 4 +--- apparmor.d/profiles-a-f/dmesg | 4 +--- apparmor.d/profiles-g-l/git | 10 +++------- apparmor.d/profiles-g-l/gpo | 4 +--- apparmor.d/profiles-m-r/mutt | 13 +++---------- apparmor.d/profiles-m-r/pass | 7 ++----- apparmor.d/profiles-s-z/task | 5 +---- apparmor.d/profiles-s-z/udisksctl | 4 +--- apparmor.d/profiles-s-z/vipw-vigr | 4 +--- apparmor.d/tunables/multiarch.d/paths | 10 ++++++++-- apparmor.d/tunables/multiarch.d/programs | 9 +++++++++ docs/install.md | 4 +--- 35 files changed, 63 insertions(+), 124 deletions(-) diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default index 733d227cb..b6689cb1d 100644 --- a/apparmor.d/groups/_full/default +++ b/apparmor.d/groups/_full/default 
@@ -45,9 +45,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{coreutils_path} rix, @{shells_path} rix, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, # @{open_path} rPx -> child-open, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 38bd8f3eb..9907ae02f 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -99,11 +99,10 @@ profile apt @{exec_path} flags=(attach_disconnected) { /usr/share/language-tools/language-options rPx, # For editing the sources.list file - @{bin}/sensible-editor rCx -> editor, - @{bin}/vim.* rCx -> editor, + @{editor_path} rCx -> editor, # For changelogs - @{bin}/sensible-pager rCx -> pager, + @{pager_path} rCx -> pager, #aa:only whonix @{lib}/uwt/uwtwrapper rix, @@ -168,8 +167,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{sh_path} rix, - @{bin}/less rix, - @{bin}/sensible-pager mr, + @{pager_path} rmix, @{bin}/which{,.debianutils} rix, /root/ r, # For shell pwd diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 8613f2280..fbabcd983 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -28,7 +28,7 @@ profile apt-listchanges @{exec_path} { # shared object file): ignored. @{bin}/dpkg-deb rpx, # - @{bin}/sensible-pager rCx -> pager, + @{pager_path} rCx -> pager, # Send results using email @{bin}/exim4 rPx, @@ -83,12 +83,11 @@ profile apt-listchanges @{exec_path} { capability dac_read_search, #capability sys_tty_config, - @{bin}/sensible-pager mr, + @{pager_path} mrix, @{bin}/ r, @{sh_path} rix, @{bin}/which{,.debianutils} rix, - @{bin}/less rix, owner @{HOME}/.less* rw, @@ -98,6 +97,7 @@ profile apt-listchanges @{exec_path} { /tmp/ r, owner @{tmp}/apt-listchanges-tmp*.txt r, + include if exists } include if exists 
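Review bot: In the first apt hunk (`@@ -99,11 +99,10 @@`), `@{editor_path} rCx -> editor,` now also sends `vim`, `nvim` and `nano` into the local `editor` child profile, where before only `sensible-editor` and `vim.*` transitioned, yet no apt hunk touches that child profile. The pager child profile is updated in the next hunk (`@{pager_path} rmix,`), so the editor one presumably needs a matching `@{editor_path} mr,` unless an include outside this diff already provides it. The same check applies to the `editor` transitions in crontab, git, mutt, pass, task and vipw-vigr, none of which show a change to their `editor` child profile. The apt profile body starts and ends outside the hunk.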
diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index 12bd0efb1..7b36e4abe 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -105,7 +105,7 @@ profile aptitude @{exec_path} flags=(complain) { owner @{user_cache_dirs}/aptitude/ rw, owner @{user_cache_dirs}/aptitude/metadata-download{,-journal} rw, owner @{user_cache_dirs}/aptitude/metadata-download rwk, - @{bin}/sensible-pager rCx -> pager, + @{pager_path} rCx -> pager, # For aptitude-run-state-bundle owner @{tmp}/aptitudebug.*/ r, @@ -171,20 +171,19 @@ profile aptitude @{exec_path} flags=(complain) { include include - @{bin}/ r, - @{bin}/sensible-pager mr, - @{sh_path} rix, + @{bin}/ r, + @{editor_path} mrix, + @{sh_path} rix, @{bin}/which{,.debianutils} rix, - @{bin}/less rix, owner @{HOME}/.less* rw, - owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, # For shell pwd /root/ r, + include if exists } include if exists diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index b8e577833..c22ba0ae5 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -34,10 +34,7 @@ profile dpkg @{exec_path} { @{lib}/needrestart/dpkg-status rPx, /usr/share/debian-security-support/check-support-status.hook rPx, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/diff rPx -> child-pager, + @{pager_path} rPx -> child-pager, # Package maintainer's scripts # Move it to a child profile once more transitions will be available diff --git a/apparmor.d/groups/apt/dpkg-query b/apparmor.d/groups/apt/dpkg-query index f8150cc37..9a5512c2c 100644 --- a/apparmor.d/groups/apt/dpkg-query +++ b/apparmor.d/groups/apt/dpkg-query @@ -16,9 +16,7 @@ profile dpkg-query @{exec_path} { @{sh_path} rix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, + @{pager_path} rPx -> child-pager, /var/lib/dpkg/** r, 
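Review bot: `@{editor_path} mrix,` in the second aptitude hunk (`@@ -171,20 +171,19 @@`) looks like a typo for `@{pager_path} mrix,`. The lines it replaces are `@{bin}/sensible-pager mr,` and `@{bin}/less rix,`, and the first hunk transitions with `@{pager_path} rCx -> pager,`, so this appears to be the pager child profile (its header is outside the hunk). As written, the pager binaries lose their `mr`/`ix` access inside that profile while `vim`, `nvim` and `nano` gain inherit-exec there. That would break paging and grant a wider rule than the profile needs.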
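Review bot: The dpkg hunk drops `@{bin}/diff rPx -> child-pager,` without a replacement, because `@{pager_names}` in `tunables/multiarch.d/programs` is `sensible-pager pager less more` and does not cover `diff`. If dpkg still executes `diff` (for example to show conffile differences), that exec will be denied unless a rule outside this hunk allows it. Keeping the explicit `@{bin}/diff rPx -> child-pager,` next to `@{pager_path} rPx -> child-pager,` preserves the old behaviour without adding `diff` to every profile that uses the tunable. The pacman hunk (`@@ -196,10 +196,7 @@`) removes the same rule and needs the same treatment.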
diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index e7b8e1d29..1571298af 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -47,10 +47,8 @@ profile reportbug @{exec_path} { @{bin}/dlocate rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg-query rpx, - @{bin}/less rPx -> child-pager, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{bin}/systemctl rCx -> systemctl, @{lib}/firefox/firefox rPUx, # App allowed to open /usr/share/bug/* rPUx, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index c5aaf5546..2743173f8 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -22,11 +22,7 @@ profile crontab @{exec_path} { @{exec_path} mr, @{sh_path} rix, - - # When editing the crontab file - @{bin}/sensible-editor rCx -> editor, - @{bin}/vim.* rCx -> editor, - @{bin}/nvim rCx -> editor, + @{editor_path} rCx -> editor, /etc/cron.{allow,deny} r, /etc/environment r, diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index 2345d9d2c..6c9a13203 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli @@ -15,9 +15,7 @@ profile nmcli @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, owner @{HOME}/.nm-vpngate/*.ovpn r, owner @{HOME}/.cert/nm-openvpn/*.pem rw, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index ab08d1f18..6ab0802ba 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman 
@@ -196,10 +196,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/diff rPx -> child-pager, + @{pager_path} rPx -> child-pager, /etc/machine-id r, diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 2bd8c4c78..4a5d4d832 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -22,9 +22,7 @@ profile bootctl @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /{boot,efi}/ r, /{boot,efi}/EFI/{,**} r, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index baf89561d..64396608f 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -37,9 +37,7 @@ profile busctl @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/comm r, diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index 7c4149bee..b291c0493 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -22,9 +22,7 @@ profile coredumpctl @{exec_path} flags=(complain) { @{bin}/gdb rCx -> gdb, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /var/lib/dbus/machine-id r, /etc/machine-id r, diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index 4b5f11810..79af65679 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl 
@@ -25,9 +25,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /var/lib/dbus/machine-id r, /etc/machine-id r, diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index 46f67b325..3ab09cfca 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -15,9 +15,7 @@ profile localectl @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /usr/share/kbd/keymaps/{,**} r, diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index 345957e3f..b5228f222 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl @@ -19,9 +19,7 @@ profile loginctl @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, include if exists } diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 4c841e97d..ae188df5f 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -35,9 +35,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /etc/udev/hwdb.bin r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index deb22cbc1..0c3b38d64 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze 
@@ -28,9 +28,7 @@ profile systemd-analyze @{exec_path} { @{lib}/systemd/system-environment-generators/* rix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{bin}/man rPx, /usr/ r, diff --git a/apparmor.d/groups/systemd/systemd-cgls b/apparmor.d/groups/systemd/systemd-cgls index ed7254339..e58fec015 100644 --- a/apparmor.d/groups/systemd/systemd-cgls +++ b/apparmor.d/groups/systemd/systemd-cgls @@ -14,9 +14,7 @@ profile systemd-cgls @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{sys}/fs/cgroup/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-cgtop b/apparmor.d/groups/systemd/systemd-cgtop index 9ae69cd69..cd0f1e416 100644 --- a/apparmor.d/groups/systemd/systemd-cgtop +++ b/apparmor.d/groups/systemd/systemd-cgtop @@ -14,9 +14,7 @@ profile systemd-cgtop @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{sys}/fs/cgroup/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index 991a787d2..cd3ba97ca 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect @@ -25,9 +25,7 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/fsck rPx, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, # Location of file system OS images @{user_build_dirs}/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-mount b/apparmor.d/groups/systemd/systemd-mount index 4db3dcacf..a86bf152d 100644 --- a/apparmor.d/groups/systemd/systemd-mount +++ b/apparmor.d/groups/systemd/systemd-mount 
@@ -13,9 +13,7 @@ profile systemd-mount @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index fa096a35d..5c1709201 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -37,6 +37,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{sh_path} rix, @{coreutils_path} rix, + @{pager_path} rPx -> child-pager, @{bin}/*-print-pci-ids rix, @{bin}/alsactl rPUx, @{bin}/ddcutil rPx, @@ -44,16 +45,13 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{bin}/ethtool rix, @{bin}/issue-generator rPx, @{bin}/kmod rPx, - @{bin}/less rPx -> child-pager, @{bin}/logger rix, @{bin}/ls rix, @{bin}/lvm rPx, @{bin}/mknod rix, - @{bin}/more rPx -> child-pager, @{bin}/multipath rPx, @{bin}/nfsrahead rix, @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, - @{bin}/pager rPx -> child-pager, @{bin}/perl rix, @{bin}/setfacl rix, @{bin}/sg_inq rix, diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl index 159d1442a..279560e99 100644 --- a/apparmor.d/groups/systemd/userdbctl +++ b/apparmor.d/groups/systemd/userdbctl @@ -16,9 +16,7 @@ profile userdbctl @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /etc/shadow r, /etc/gshadow r, diff --git a/apparmor.d/profiles-a-f/dmesg b/apparmor.d/profiles-a-f/dmesg index 819cd234e..f2d0c7665 100644 --- a/apparmor.d/profiles-a-f/dmesg +++ b/apparmor.d/profiles-a-f/dmesg 
@@ -18,9 +18,7 @@ profile dmesg @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /usr/share/terminfo/** r, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 47450b8e6..8a2ffb797 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -62,9 +62,7 @@ profile git @{exec_path} flags=(attach_disconnected) { @{bin}/wc rix, @{bin}/whoami rix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{bin}/man rPx, @{bin}/meld rPUx, @@ -74,10 +72,8 @@ profile git @{exec_path} flags=(attach_disconnected) { @{bin}/gpg{,2} rCx -> gpg, @{bin}/ssh rCx -> ssh, - @{bin}/sensible-editor rCx -> editor, - @{bin}/vim rCx -> editor, - @{bin}/vim.* rCx -> editor, - + @{editor_path} rCx -> editor, + /usr/share/git{,-core}/{,**} r, /usr/share/libalternatives/{,**} r, /usr/share/terminfo/** r, diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index 97c89a433..411d078bd 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -27,9 +27,7 @@ profile gpo @{exec_path} { @{bin}/ r, @{sh_path} rix, @{bin}/uname rix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, + @{pager_path} rPx -> child-pager, /etc/inputrc r, diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt index 1ed63e68e..9d01e2269 100644 --- a/apparmor.d/profiles-m-r/mutt +++ b/apparmor.d/profiles-m-r/mutt 
@@ -37,13 +37,8 @@ profile mutt @{exec_path} { @{bin}/w3m rCx -> html-renderer, @{bin}/lynx rCx -> html-renderer, - @{bin}/vim rCx -> editor, - @{bin}/vim.* rCx -> editor, - @{bin}/sensible-editor rCx -> editor, - - @{bin}/less rCx -> pager, - @{bin}/more rCx -> pager, - @{bin}/pager rCx -> pager, + @{editor_path} rCx -> editor, + @{pager_path} rCx -> pager, @{bin}/gpg{2,} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @@ -118,9 +113,7 @@ profile mutt @{exec_path} { include include - @{bin}/less mr, - @{bin}/more mr, - @{bin}/pager mr, + @{pager_path} mr, /usr/share/terminfo/** r, /usr/share/file/misc/magic.mgc r, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 5bd851921..3796dfbc4 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -46,7 +46,7 @@ profile pass @{exec_path} { @{bin}/gpg{2,} rCx -> gpg, @{bin}/pkill rCx -> pkill, @{bin}/qdbus rCx -> qdbus, - @{bin}/vim{,.*} rCx -> editor, + @{editor_path} rCx -> editor, @{lib}/git{,-core}/git rCx -> git, @{bin}/wl-{copy,paste} rPx, @{bin}/xclip rPx, @@ -112,10 +112,7 @@ profile pass @{exec_path} { @{bin}/git* mrix, @{lib}/git{,-core}/git* mrix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - + @{pager_path} rPx -> child-pager, @{bin}/gpg{2,} rPx -> pass//gpg, /usr/share/git{,-core}/{,**} r, diff --git a/apparmor.d/profiles-s-z/task b/apparmor.d/profiles-s-z/task index bd7f276a8..87b9be2df 100644 --- a/apparmor.d/profiles-s-z/task +++ b/apparmor.d/profiles-s-z/task @@ -23,10 +23,7 @@ profile task @{exec_path} { @{exec_path} mr, @{sh_path} rix, - - @{bin}/vim rCx -> editor, - @{bin}/vim.* rCx -> editor, - @{bin}/sensible-editor rCx -> editor, + @{editor_path} rCx -> editor, /usr/share/{doc/,}task{warrior,}/** r, diff --git a/apparmor.d/profiles-s-z/udisksctl b/apparmor.d/profiles-s-z/udisksctl index a05cede9c..63e8b7c79 100644 --- a/apparmor.d/profiles-s-z/udisksctl +++ b/apparmor.d/profiles-s-z/udisksctl 
@@ -15,9 +15,7 @@ profile udisksctl @{exec_path} { @{sh_path} rix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, + @{pager_path} rPx -> child-pager, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/vipw-vigr b/apparmor.d/profiles-s-z/vipw-vigr index 835267c2d..5b42ab828 100644 --- a/apparmor.d/profiles-s-z/vipw-vigr +++ b/apparmor.d/profiles-s-z/vipw-vigr @@ -16,9 +16,7 @@ profile vipw-vigr @{exec_path} { @{exec_path} mr, @{sh_path} rix, - - @{bin}/sensible-editor rCx -> editor, - @{bin}/vim.* rCx -> editor, + @{editor_path} rCx -> editor, /etc/login.defs r, diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index 35bf0c58f..83aec3ce3 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -34,10 +34,16 @@ @{emails_path} = @{thunderbird_path} @{bin}/@{emails_names} # Open -@{open_path} = @{bin}/exo-open @{bin}/xdg-open @{bin}/gio @{bin}/kde-open -@{open_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop +@{open_path} = @{bin}/@{open_names} +@{open_path} += @{lib}/gio-launch-desktop @{open_path} += @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop +# Editor +@{editor_path} = @{bin}/@{editor_names} + +# Pager +@{pager_path} = @{bin}/@{pager_names} + # File explorers @{file_explorers_path} = @{bin}/@{file_explorers_names} diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 9c0c4d305..8dd2f237c 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -28,6 +28,15 @@ # Python interpreters @{python_name} = python{,3,3.[0-9],3.1[0-9]} +# Open +@{open_names} = exo-open xdg-open gio kde-open gio-launch-desktop + +# Editor +@{editor_names} = sensible-editor vim{,.*} nvim nano + +# Pager +@{pager_names} = sensible-pager pager less more + # Browsers @{brave_name} = brave{,-beta,-dev,-bin} 
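Review bot: The new `@{editor_names}` and `@{pager_names}` definitions in `tunables/multiarch.d/programs` carry only the labels `# Editor` and `# Pager`, with nothing saying they are expanded into exec-transition rules. After this patch a single edit to either list changes what every profile referencing `@{editor_path}` or `@{pager_path}` may execute. The patch itself already shows the effect, since profiles that listed only `sensible-editor` and `vim.*` now also allow `nvim` and `nano`. I would add a comment above both definitions such as `# Expanded into rPx/rCx/ix rules through @{editor_path} and @{pager_path}; each name added here becomes executable from every profile that uses them.`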
diff --git a/docs/install.md b/docs/install.md index 5afac9c77..5d84331ce 100644 --- a/docs/install.md +++ b/docs/install.md @@ -148,9 +148,7 @@ The following desktop environments are supported: @{bin}/wl-{copy,paste} rPx, @{bin}/xclip rPx, @{bin}/python3.@{int} rPx -> pass-import, # pass-import - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, + @{pager_path} rPx -> child-pager, '.build/apparmor.d/pass' -> '/etc/apparmor.d/pass' ``` So, you can install the additional profiles `wl-copy`, `xclip`, `pass-import`, and `child-pager` if desired.