feat(profile): rewrite profile for vscode (wip).
This commit is contained in:
parent
73ff7efe60
commit
7c24dde028
3 changed files with 73 additions and 23 deletions
@ -1,14 +1,16 @@
|
||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||||
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = @{bin}/code /usr/share/code/{bin/,}code
|
@{code_config_dirs} = @{user_config_dirs}/Code* @{HOME}/.vscode{,-oss}
|
||||||
profile code @{exec_path} {
|
|
||||||
|
@{exec_path} = @{lib}/electron@{int}/electron
|
||||||
|
profile code flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/chromium-common>
|
include <abstractions/chromium-common>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
|
|
@ -17,36 +19,58 @@ profile code @{exec_path} {
|
||||||
include <abstractions/freedesktop.org>
|
include <abstractions/freedesktop.org>
|
||||||
include <abstractions/gtk>
|
include <abstractions/gtk>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/opencl>
|
include <abstractions/opencl-intel>
|
||||||
|
include <abstractions/opencl-mesa>
|
||||||
|
include <abstractions/opencl-nvidia>
|
||||||
include <abstractions/ssl_certs>
|
include <abstractions/ssl_certs>
|
||||||
|
include <abstractions/vulkan>
|
||||||
|
|
||||||
# ptrace (read) peer=lsb_release,
|
capability sys_ptrace,
|
||||||
|
|
||||||
|
network inet stream,
|
||||||
|
network inet6 stream,
|
||||||
|
network inet dgram,
|
||||||
|
network inet6 dgram,
|
||||||
|
network netlink raw,
|
||||||
|
|
||||||
|
signal (send),
|
||||||
|
|
||||||
@{exec_path} mrix,
|
@{exec_path} mrix,
|
||||||
|
|
||||||
@{lib}/code/extensions/git/dist/askpass.sh rPx,
|
@{lib}/code/node_modules.asar.unpacked/**.node rm,
|
||||||
@{lib}/code/extensions/git/dist/git-editor.sh rPx,
|
|
||||||
|
# Core tools
|
||||||
|
@{bin}/git rPx,
|
||||||
|
@{bin}/rg rix,
|
||||||
|
@{bin}/gpg{,2} rPx,
|
||||||
|
@{bin}/lsb_release rPx -> lsb_release,
|
||||||
|
@{bin}/gio rPx -> child-open,
|
||||||
|
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||||
|
@{bin}/xdg-open rPx -> child-open,
|
||||||
|
|
||||||
# The shell is not confined on purpose.
|
# The shell is not confined on purpose.
|
||||||
@{bin}/{,b,d,rb}ash rUx,
|
@{bin}/{,b,d,rb}ash rUx,
|
||||||
@{bin}/{c,k,tc,z}sh rUx,
|
@{bin}/{c,k,tc,z}sh rUx,
|
||||||
|
|
||||||
@{bin}/git rPx,
|
# Confine some common tools
|
||||||
@{bin}/gpg{,2} rPUx,
|
@{lib}/code/extensions/git/dist/askpass.sh rPx,
|
||||||
@{bin}/lsb_release rPx -> lsb_release,
|
@{lib}/code/extensions/git/dist/git-editor.sh rPx,
|
||||||
|
|
||||||
# /usr/share/code/** r,
|
# Do NOT confine most of the extensions
|
||||||
# /usr/share/code/libffmpeg.so mr,
|
@{bin}/[a-z0-9]* rPUx,
|
||||||
# /usr/share/code/resources/**/bin/* rix,
|
@{code_config_dirs}/extensions/** rPUx,
|
||||||
# /usr/share/code/resources/**.node mr,
|
@{HOME}/.go/bin/* rPUx,
|
||||||
|
@{lib}/go/bin/* rPUx,
|
||||||
|
@{bin}/python[0-9]* rUx
|
||||||
|
|
||||||
/var/lib/dbus/machine-id r,
|
/etc/libva.conf r,
|
||||||
/etc/machine-id r,
|
/etc/shells r,
|
||||||
|
/etc/lsb-release r,
|
||||||
|
|
||||||
owner @{user_config_dirs}/Code/ rw,
|
owner @{HOME}/@{XDG_SSH_DIR}/config r,
|
||||||
owner @{user_config_dirs}/Code/** rwkl -> {HOME}/.config/Code/**,
|
|
||||||
owner @{HOME}/.vscode/ rw,
|
owner @{code_config_dirs}/ rw,
|
||||||
owner @{HOME}/.vscode/** rwlk -> @{HOME}/.vscode/**,
|
owner @{code_config_dirs}/** rwkl -> @{code_config_dirs}/**,
|
||||||
|
|
||||||
owner @{user_projects_dirs}/ r,
|
owner @{user_projects_dirs}/ r,
|
||||||
owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
|
owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
|
||||||
|
|
@ -56,14 +80,35 @@ profile code @{exec_path} {
|
||||||
owner /tmp/vscode-ipc-@{uuid}.sock rw,
|
owner /tmp/vscode-ipc-@{uuid}.sock rw,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/vscode-@{hex}-*-{shared,main}.sock rw,
|
owner @{run}/user/@{uid}/vscode-@{hex}-*-{shared,main}.sock rw,
|
||||||
owner @{run}/user/@{uid}/vscode-git-askpass-@{hex}.sock rw,
|
owner @{run}/user/@{uid}/vscode-git-@{hex}.sock rw,
|
||||||
|
owner @{run}/user/@{uid}/git-graph-askpass-[a-zA-Z0-9]*.sock rw,
|
||||||
|
|
||||||
|
@{run}/systemd/inhibit/*.ref rw,
|
||||||
|
|
||||||
|
@{sys}/devices/system/cpu/present r,
|
||||||
|
@{sys}/devices/system/cpu/kernel_max r,
|
||||||
|
@{sys}/devices/virtual/tty/tty[0-9]*/active r,
|
||||||
|
@{sys}/devices/pci[0-9]*/**/irq r,
|
||||||
|
|
||||||
@{PROC}/ r,
|
@{PROC}/ r,
|
||||||
@{PROC}/@{pid}/fd/ r,
|
@{PROC}/@{pid}/fd/ r,
|
||||||
owner @{PROC}/@{pids}/task/ r,
|
@{PROC}/@{pid}/stat r,
|
||||||
owner @{PROC}/@{pids}/task/@{tid}/status r,
|
@{PROC}/loadavg r,
|
||||||
|
@{PROC}/sys/fs/inotify/max_user_watches r,
|
||||||
|
@{PROC}/sys/kernel/yama/ptrace_scope r,
|
||||||
|
@{PROC}/version r,
|
||||||
|
owner @{PROC}/@{pid}/cgroup r,
|
||||||
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
|
owner @{PROC}/@{pid}/comm w,
|
||||||
owner @{PROC}/@{pid}/mountinfo r,
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
|
owner @{PROC}/@{pid}/oom_score_adj rw,
|
||||||
|
owner @{PROC}/@{pid}/statm r,
|
||||||
|
owner @{PROC}/@{pids}/clear_refs w,
|
||||||
|
owner @{PROC}/@{pids}/task/ r,
|
||||||
|
owner @{PROC}/@{pids}/task/@{tid}/status r,
|
||||||
|
|
||||||
|
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||||
|
|
||||||
include if exists <local/code>
|
include if exists <local/code>
|
||||||
}
|
}
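Review bot: `@{bin}/python[0-9]* rUx` in the second hunk is the only rule without a terminating comma, so apparmor_parser will reject the whole profile; it should read `@{bin}/python[0-9]* rUx,`. The same hunk pairs `owner @{code_config_dirs}/** rwkl` with `@{code_config_dirs}/extensions/** rPUx`, so anything the editor can write under its config directories it can also execute without confinement; that matches the "Do NOT confine most of the extensions" comment, but the rPUx line should say so explicitly, e.g. `# Extensions are user-writable and run unconfined when no profile exists for them.` The wildcard `@{bin}/[a-z0-9]* rPUx` also overlaps the specific `rPx`/`rix` rules for git, rg, gpg, lsb_release, gio and xdg-open listed just above it; if apparmor_parser treats Px and PUx on the same path as conflicting x modifiers the profile fails to load, and if it does not, the overlap is worth a comment so the precise rules are not mistaken for dead entries. The profile block closed by this `}` opens in the first hunk of the file.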
@ -7,6 +7,8 @@ abi <abi/3.0>,
|
||||||
|
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
|
@{code_config_dirs} = @{user_config_dirs}/Code* @{HOME}/.vscode{,-oss}
|
||||||
|
|
||||||
@{exec_path} = @{bin}/git
|
@{exec_path} = @{bin}/git
|
||||||
@{exec_path} += @{bin}/git-*
|
@{exec_path} += @{bin}/git-*
|
||||||
@{exec_path} += @{lib}/git-core/git
|
@{exec_path} += @{lib}/git-core/git
|
||||||
|
|
@ -104,6 +106,8 @@ profile git @{exec_path} {
|
||||||
owner /tmp/git-commit-msg-.txt rw, # For android studio
|
owner /tmp/git-commit-msg-.txt rw, # For android studio
|
||||||
|
|
||||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||||
|
deny /dev/shm/.org.chromium.Chromium* rw,
|
||||||
|
deny owner @{code_config_dirs}/** rw,
|
||||||
|
|
||||||
profile gpg {
|
profile gpg {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
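Review bot: `@{code_config_dirs}` is now defined in this file with the same value the code profile declares, and nothing ties the two definitions together, so the next edit to one will silently leave the other behind; a comment on the definition such as `# Keep in sync with the code profile` or a single definition in a shared tunable would prevent the drift. The new `deny owner @{code_config_dirs}/** rw,` is consistent with the owner-qualified rules the code profile uses for the same directories, which is presumably why it is owner-only. The `profile git` block enclosing the second hunk opens outside the hunk.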
@ -48,6 +48,7 @@ cockpit-ssh complain
|
||||||
cockpit-tls complain
|
cockpit-tls complain
|
||||||
cockpit-ws complain
|
cockpit-ws complain
|
||||||
cockpit-wsinstance-factory complain
|
cockpit-wsinstance-factory complain
|
||||||
|
code complain
|
||||||
containerd-shim-runc-v2 attach_disconnected,complain
|
containerd-shim-runc-v2 attach_disconnected,complain
|
||||||
ctop complain
|
ctop complain
|
||||||
cups-backend-beh complain
|
cups-backend-beh complain
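Review bot: The new `code complain` entry lists only the complain flag, while the code profile source in this commit declares `flags=(attach_disconnected)`; entries in this file such as `containerd-shim-runc-v2 attach_disconnected,complain` suggest the build tool writes this file's flags into the profile header, and if it replaces rather than merges, `attach_disconnected` would be lost from the built profile. `code attach_disconnected,complain` keeps both under either behaviour; if the tool is known to merge, the line is fine as is.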