felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(abs): common/gnome: remove open_path from the abs, add bus accessibility.

Browse source
This commit is contained in:
Alexandre Pujol 2024-10-04 14:31:54 +01:00
parent 2ef038e8d9
commit 7b73adceeb
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
23 changed files with 44 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/profiles-a-f/baobab
View file

@ -17,6 +17,8 @@ profile baobab @{exec_path} {
@{exec_path} mr,
@{open_path} rPx -> child-open-help,
# As a directory tree analyzer it needs full access to the filesystem
/ r,
/** r,

6
apparmor.d/profiles-a-f/file-roller
View file

@ -9,8 +9,6 @@ include <tunables/global>
@{exec_path} = @{bin}/file-roller
profile file-roller @{exec_path} {
include <abstractions/base>
include <abstractions/bus-accessibility>
include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/common/gnome>
include <abstractions/nameservice-strict>
@ -23,6 +21,8 @@ profile file-roller @{exec_path} {
@{exec_path} mr,
@{open_path} rPx -> child-open-help,
# Archivers
@{bin}/7z rix,
@{bin}/7zz rix,
@ -38,8 +38,6 @@ profile file-roller @{exec_path} {
@{bin}/zstd rix,
@{lib}/p7zip/7z rix,
/ r,
@{run}/mount/utab r,
owner @{PROC}/@{pid}/mountinfo r,

2
apparmor.d/profiles-a-f/foliate
View file

@ -32,6 +32,7 @@ profile foliate @{exec_path} flags=(attach_disconnected) {
@{bin}/gjs-console rix,
@{bin}/xdg-dbus-proxy rix,
@{bin}/speech-dispatcher rPx,
@{open_path} rPx -> child-open-help,
@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
@ -65,7 +66,6 @@ profile foliate @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/smaps r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/statm r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
deny @{user_share_dirs}/gvfs-metadata/* r,

10
apparmor.d/profiles-a-f/fractal
View file

@ -23,23 +23,17 @@ profile fractal @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/usr/share/xml/iso-codes/{,**} r,
@{open_path} rPx -> child-open-help,
/ r,
/usr/share/xml/iso-codes/{,**} r,
owner @{tmp}/.@{rand6} rw,
owner @{tmp}/.goutputstream-@{rand6} rw,
owner @{tmp}/@{rand6} rw,
@{sys}/fs/cgroup/user.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/dev/ r,