feat(abs): rewrite user-read/user-write.

See #307
2024-03-28 16:47:40 +00:00 · 2024-03-28 16:47:40 +00:00 · 2fc2394bad
commit 2fc2394bad
parent b089a4d2c5
18 changed files with 96 additions and 48 deletions
--- a/apparmor.d/groups/apps/imv-wayland
+++ b/apparmor.d/groups/apps/imv-wayland
@ -13,7 +13,7 @@ profile imv @{exec_path} {
  include <abstractions/fontconfig-cache-read>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
-  include <abstractions/user-read>
+  include <abstractions/user-read-strict>

  @{exec_path} mr,

--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@ -34,7 +34,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/user-download-strict>
-  include <abstractions/user-read>
+  include <abstractions/user-read-strict>

  # userns,

--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -26,7 +26,7 @@ profile xdg-desktop-portal-gtk @{exec_path} {
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/thumbnails-cache-read>
-  include <abstractions/user-download>
+  include <abstractions/user-download-strict>
  include <abstractions/user-write>

  unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
--- a/apparmor.d/groups/gnome/loupe
+++ b/apparmor.d/groups/gnome/loupe
@ -14,6 +14,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/trash-strict>
+  include <abstractions/user-read-strict>
+  include <abstractions/user-write-strict>

  signal (send) set=(kill) peer=loupe//bwrap,

--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@ -13,7 +13,7 @@ profile gpg @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/user-download-strict>
-  include <abstractions/user-read>
+  include <abstractions/user-read-strict>

  capability dac_read_search,

--- a/apparmor.d/groups/gvfs/gvfsd-dav
+++ b/apparmor.d/groups/gvfs/gvfsd-dav
@ -14,8 +14,8 @@ profile gvfsd-dav @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  include <abstractions/p11-kit>
-  include <abstractions/user-read>
  include <abstractions/user-download-strict>
+  include <abstractions/user-read-strict>

  network inet stream,
  network inet6 stream,
--- a/apparmor.d/groups/kde/kactivitymanagerd
+++ b/apparmor.d/groups/kde/kactivitymanagerd
@ -14,7 +14,7 @@ profile kactivitymanagerd @{exec_path} {
  include <abstractions/kde-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/recent-documents-write>
-  include <abstractions/user-read>
+  include <abstractions/user-read-strict>

  @{exec_path} mr,

--- a/apparmor.d/groups/kde/okular
+++ b/apparmor.d/groups/kde/okular
@ -15,8 +15,8 @@ profile okular @{exec_path} {
  include <abstractions/kde-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/user-download-strict>
-  include <abstractions/user-read>
-  include <abstractions/user-write>
+  include <abstractions/user-read-strict>
+  include <abstractions/user-write-strict>

  @{exec_path} mr,

--- a/apparmor.d/groups/whonix/torbrowser
+++ b/apparmor.d/groups/whonix/torbrowser
@ -33,7 +33,7 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/user-download-strict>
-  include <abstractions/user-read>
+  include <abstractions/user-read-strict>

  # userns,