From e38f2ac72157efe5e7d70450dbba26fc7a5c61f0 Mon Sep 17 00:00:00 2001
From: doublez13
Date: Sat, 11 May 2024 14:52:59 -0600
Subject: [PATCH 1/6] Create editor abstraction

I'm counting seven profiles that have a child profile named "editor" that all include roughly the same boiler plate policies. Let's abstract it out.
---
 apparmor.d/abstractions/editor | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 apparmor.d/abstractions/editor

diff --git a/apparmor.d/abstractions/editor b/apparmor.d/abstractions/editor
new file mode 100644
index 000000000..a7086eedc
--- /dev/null
+++ b/apparmor.d/abstractions/editor
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Zane Zakraisek
+# SPDX-License-Identifier: GPL-2.0-only
+
+ include
+ include
+
+ @{bin}/sensible-editor mr,
+ @{bin}/vim mrix,
+ @{bin}/vim.* mrix,
+ @{sh_path} rix,
+ @{bin}/which{,.debianutils} rix,
+
+ /usr/share/vim/{,**} r,
+ /usr/share/terminfo/** r,
+
+ /etc/vimrc r,
+ /etc/vim/{,**} r,
+
+ owner @{HOME}/.selected_editor r,
+ owner @{HOME}/.viminfo{,.tmp} rw,
+ owner @{HOME}/.vimrc r,
+
+ # Vim swap file
+ owner @{HOME}/ r,
+ owner @{user_cache_dirs}/ r,
+ owner @{user_cache_dirs}/vim/** wr,
+
+ include if exists

From 769b4a7cecaad5c13ede26e086fc51c3923159f1 Mon Sep 17 00:00:00 2001
From: doublez13
Date: Sat, 11 May 2024 14:56:27 -0600
Subject: [PATCH 2/6] Mutt: Use editor abstraction

---
 apparmor.d/profiles-m-r/mutt | 24 +-----------------------
 1 file changed, 1 insertion(+), 23 deletions(-)

diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt
index 9ff28b44b..d33cb83ba 100644
--- a/apparmor.d/profiles-m-r/mutt
+++ b/apparmor.d/profiles-m-r/mutt
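Review bot: The new abstraction carries no purpose comment, so a maintainer replacing the seven `editor` child profiles cannot tell from the file itself that it only covers sensible-editor dispatching to vim (every rule below the includes is a vim path: `@{bin}/vim`, `/usr/share/vim/`, `/etc/vimrc`, `.viminfo`, `.vimrc`, the swap directory). A header line under the SPDX line such as `# Rules for a child profile that runs the user's editor via sensible-editor; vim only for now.` makes that scope explicit for profiles whose users run other editors. The permission order on `owner @{user_cache_dirs}/vim/** wr,` also differs from the `rw` used a few rules earlier on `.viminfo{,.tmp}`; `owner @{user_cache_dirs}/vim/** rw,` keeps the file self-consistent. The include targets are not legible on this page, so which base abstractions the file pulls in cannot be checked here.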
@@ -104,30 +104,8 @@ profile mutt @{exec_path} {
 }
 
 profile editor {
- include
- include
+ include
 
- @{bin}/sensible-editor mr,
- @{bin}/vim mrix,
- @{bin}/vim.* mrix,
- @{bin}/{,ba,da}sh rix,
- @{bin}/which{,.debianutils} rix,
-
- /usr/share/vim/{,**} r,
- /usr/share/terminfo/** r,
-
- /etc/vimrc r,
- /etc/vim/{,**} r,
-
- owner @{HOME}/.selected_editor r,
- owner @{HOME}/.viminfo{,.tmp} rw,
- owner @{HOME}/.vimrc r,
-
- # Vim swap file
- owner @{HOME}/ r,
- owner @{user_cache_dirs}/ r,
- owner @{user_cache_dirs}/vim/** wr,
-
 # This is the file that holds the message
 owner /{var/,}tmp/{.,}mutt* rw,
 

From eb32db16c6307b77db24b4427bd662e01ccf93eb Mon Sep 17 00:00:00 2001
From: doublez13
Date: Sat, 11 May 2024 14:59:11 -0600
Subject: [PATCH 3/6] Task: Use editor abstraction

---
 apparmor.d/profiles-s-z/task | 24 +-----------------------
 1 file changed, 1 insertion(+), 23 deletions(-)

diff --git a/apparmor.d/profiles-s-z/task b/apparmor.d/profiles-s-z/task
index 3c161081d..ed6cfe0f2 100644
--- a/apparmor.d/profiles-s-z/task
+++ b/apparmor.d/profiles-s-z/task
@@ -35,29 +35,7 @@ profile task @{exec_path} {
 owner @{HOME}/.task/{,**} rwk,
 
 profile editor {
- include
- include
-
- @{bin}/sensible-editor mr,
- @{bin}/vim mrix,
- @{bin}/vim.* mrix,
- @{sh_path} rix,
- @{bin}/which{,.debianutils} rix,
-
- /usr/share/vim/{,**} r,
- /usr/share/terminfo/** r,
-
- /etc/vimrc r,
- /etc/vim/{,**} r,
-
- owner @{HOME}/.selected_editor r,
- owner @{HOME}/.viminfo{,.tmp} rw,
- owner @{HOME}/.vimrc r,
-
- # Vim swap file
- owner @{HOME}/ r,
- owner @{user_cache_dirs}/ r,
- owner @{user_cache_dirs}/vim/** wr,
+ include
 
 # Taskwarrior related files
 owner @{HOME}/.task/ r,

From 479d04abac26944ccd505b2f06fb6a7787288b35 Mon Sep 17 00:00:00 2001
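Review bot: The rule removed from mutt as `- @{bin}/{,ba,da}sh rix,` is replaced, via the abstraction, by `@{sh_path} rix,` (the form used in the abstraction and in the task profile's removed lines), so mutt's editor child profile may now execute whatever `@{sh_path}` expands to rather than only sh, bash and dash. Consolidation should be a superset by design, but a widening of the executable set in a confined child deserves a sentence in the commit message, or the abstraction could keep the narrower list if that was not intended. The enclosing `profile editor {` block ends outside the hunk.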
From: doublez13
Date: Sun, 12 May 2024 08:20:36 -0600
Subject: [PATCH 4/6] Update and move abstractions/editor to abstractions/app/editor

---
 apparmor.d/abstractions/{ => app}/editor | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
 rename apparmor.d/abstractions/{ => app}/editor (90%)

diff --git a/apparmor.d/abstractions/editor b/apparmor.d/abstractions/app/editor
similarity index 90%
rename from apparmor.d/abstractions/editor
rename to apparmor.d/abstractions/app/editor
index a7086eedc..b4cb1e7d8 100644
--- a/apparmor.d/abstractions/editor
+++ b/apparmor.d/abstractions/app/editor
@@ -2,7 +2,6 @@
 # Copyright (C) 2024 Zane Zakraisek
 # SPDX-License-Identifier: GPL-2.0-only
 
- include
 include
 
 @{bin}/sensible-editor mr,
@@ -26,4 +25,4 @@
 owner @{user_cache_dirs}/ r,
 owner @{user_cache_dirs}/vim/** wr,
 
- include if exists
+ include if exists

From 533bff85832d67240752989bd95ca770536e6a38 Mon Sep 17 00:00:00 2001
From: doublez13
Date: Sun, 12 May 2024 08:25:10 -0600
Subject: [PATCH 5/6] Mutt: Update abstraction path

---
 apparmor.d/profiles-m-r/mutt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt
index d33cb83ba..dd5a85ee2 100644
--- a/apparmor.d/profiles-m-r/mutt
+++ b/apparmor.d/profiles-m-r/mutt
@@ -104,7 +104,8 @@ profile mutt @{exec_path} {
 }
 
 profile editor {
- include
+ include
+ include
 
 # This is the file that holds the message
 owner /{var/,}tmp/{.,}mutt* rw,

From 8594700f9ac9ec473d4488bd604de1413ebedc7e Mon Sep 17 00:00:00 2001
From: doublez13
Date: Sun, 12 May 2024 08:26:20 -0600
Subject: [PATCH 6/6] Task: Update abstraction path

---
 apparmor.d/profiles-s-z/task | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apparmor.d/profiles-s-z/task b/apparmor.d/profiles-s-z/task
index ed6cfe0f2..3c0ea26b5 100644
--- a/apparmor.d/profiles-s-z/task
+++ b/apparmor.d/profiles-s-z/task
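Review bot: At this commit the mutt and task profiles still carry the include added in patches 2 and 3, which pointed at `abstractions/editor`, while this patch renames that file to `abstractions/app/editor`; the two consumers are only repointed in patches 5 and 6, so a tree checked out between them would fail to load those profiles unless the include were `if exists`. Squashing patches 4 through 6, or folding the rename into patch 1 and the path updates into patches 2 and 3, keeps every commit in the series loadable for bisecting. The first hunk also drops one of the two includes at the top of the abstraction; its target is not legible on this page, but if it is the base abstraction then the second include that patches 5 and 6 add to each `profile editor {` is what compensates, and that expectation is worth a one-line comment in the abstraction header, e.g. `# Callers must include the base abstraction themselves.`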
@@ -35,7 +35,8 @@ profile task @{exec_path} {
 owner @{HOME}/.task/{,**} rwk,
 
 profile editor {
- include
+ include
+ include
 
 # Taskwarrior related files
 owner @{HOME}/.task/ r,