From 6b159fe9181cc52c246f7cb88a4492f25ad7dcc8 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 7 Sep 2023 17:58:47 +0100
Subject: [PATCH] feat: cleanup ignored profile list.
---
 apparmor.d/profiles-a-f/code-wrapper | 25 +++++++++++++++++++++++++
 dists/ignore/main.ignore | 11 ++++++-----
 2 files changed, 31 insertions(+), 5 deletions(-)
 create mode 100644 apparmor.d/profiles-a-f/code-wrapper
diff --git a/apparmor.d/profiles-a-f/code-wrapper b/apparmor.d/profiles-a-f/code-wrapper
new file mode 100644
index 000000000..55db5be54
--- /dev/null
+++ b/apparmor.d/profiles-a-f/code-wrapper
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/code{,-oss}
+profile code-wrapper @{exec_path} {
+ include
+ include
+
+ @{exec_path} r,
+
+ @{bin}/{,ba,da}sh rix,
+ @{lib}/electron@{int}/electron rPx -> code,
+
+ owner @{user_config_dirs}/code-flags.conf r,
+ owner @{user_config_dirs}/electron@{int}-flags.conf r,
+
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
+ include if exists
+}
diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore
index 053554cc2..3cd68aeaa 100644
--- a/dists/ignore/main.ignore
+++ b/dists/ignore/main.ignore
@@ -2,21 +2,22 @@
# One ignore by line. Can be a profile name or a directory to ignore # Contains profiles and configuration for full system confinement, only included -# when ./configure is given the --full option +# when built with 'make full' apparmor.d/groups/_full -root/etc/initramfs-tools root/usr/lib/initcpio root/usr/lib/systemd/ +root/usr/share/initramfs-tools +# Apps that should be sandboxed apparmor.d/groups/apps code code-wrapper + +# Work in progress profiles plasma-discover +snap steam steam-fossilize steam-game steam-gameoverlayui steam-reaper - -anki -man
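Review bot: The profile reads `owner @{user_config_dirs}/electron@{int}-flags.conf r,` but grants no execute rule for a launcher that would consume that file: only `@{bin}/{,ba,da}sh rix,` and `@{lib}/electron@{int}/electron rPx -> code,` are allowed, so if the `@{bin}/code` wrapper hands off to a distribution `@{bin}/electron@{int}` shell script (which the flags-file rule suggests, but the hunk does not show) that exec would be denied under this profile; if that is the chain, add `@{bin}/electron@{int} rix,` next to the sh rule, otherwise the flags rule is dead and can go. The `abi`, `include` and `include if exists` lines have lost their angle-bracketed arguments in this rendering, so which abstractions and local override the profile pulls in cannot be checked from this view. A one-line comment above `profile code-wrapper @{exec_path} {` saying that this confines only the shell wrapper and that the editor process itself transitions to the `code` profile would make the `rix` / `rPx -> code` split easier to follow for the next maintainer.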
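Review bot: Dropping `anki` and `man` at the end of the hunk un-ignores those two profiles, which, if this list gates what is built and installed, means they become active by default; that is a behaviour change the title "cleanup ignored profile list" does not convey, and one sentence in the description such as `anki and man are no longer ignored and are now installed by default` would save packagers a surprise. The new section header `# Apps that should be sandboxed` does not say why being a sandbox candidate leads to the profile being ignored; a short clause stating the reason for exclusion would make the grouping self-explanatory, and the same applies to `snap` now sitting under `# Work in progress profiles` with no hint of what is missing. Whether any blank context lines were lost in this rendering of the hunk cannot be told from here.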