felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

@{HOME}/.config -> @{user_config_dirs}

Browse source
This commit is contained in:
Alexandre Pujol 2021-04-01 17:21:33 +01:00
parent 1c9fc00c13
commit 7f6ea8d44d
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
138 changed files with 378 additions and 378 deletions
Download patch file Download diff file Expand all files Collapse all files

8
apparmor.d/groups/apps/android-studio
View file

@ -127,11 +127,11 @@ profile android-studio @{exec_path} {
owner @{HOME}/Android/ rw,
owner @{HOME}/Android/** mrwkix,
owner "@{HOME}/.config/Android Open Source Project/" rw,
owner "@{HOME}/.config/Android Open Source Project/**" rwk,
owner "@{user_config_dirs}/Android Open Source Project/" rw,
owner "@{user_config_dirs}/Android Open Source Project/**" rwk,
owner @{HOME}/.config/Google/ rw,
owner @{HOME}/.config/Google/** rwk,
owner @{user_config_dirs}/Google/ rw,
owner @{user_config_dirs}/Google/** rwk,
owner @{user_cache_dirs}/ rw,
owner "@{user_cache_dirs}/Android Open Source Project/" rw,

6
apparmor.d/groups/apps/atom
View file

@ -81,8 +81,8 @@ profile atom @{exec_path} {
#owner @{HOME}/ r,
owner @{HOME}/.atom/ rw,
owner @{HOME}/.atom/** rwkl -> @{HOME}/.atom/**,
owner @{HOME}/.config/Atom/ rw,
owner @{HOME}/.config/Atom/** rwkl -> @{HOME}/.config/Atom/**,
owner @{user_config_dirs}/Atom/ rw,
owner @{user_config_dirs}/Atom/** rwkl -> @{user_config_dirs}/Atom/**,
# Git dirs
/ r,
@ -91,7 +91,7 @@ profile atom @{exec_path} {
owner /media/*/atom/ r,
owner /media/*/atom/** rwkl -> /media/*/atom/**,
owner @{HOME}/.config/git/config r,
owner @{user_config_dirs}/git/config r,
# To remove the following error:
# Error initializing NSS with a persistent database

6
apparmor.d/groups/apps/calibre
View file

@ -86,8 +86,8 @@ profile calibre @{exec_path} {
owner /media/*/Calibre_Library*/ rw,
owner /media/*/Calibre_Library*/** rwkl -> /media/*/Calibre_Library*/**,
owner @{HOME}/.config/calibre/ rw,
owner @{HOME}/.config/calibre/** rwk,
owner @{user_config_dirs}/calibre/ rw,
owner @{user_config_dirs}/calibre/** rwk,
owner @{HOME}/.local/share/calibre-ebook.com/ rw,
owner @{HOME}/.local/share/calibre-ebook.com/calibre/ rw,
@ -129,7 +129,7 @@ profile calibre @{exec_path} {
/etc/fstab r,
owner @{HOME}/.config/qt5ct/{,**} r,
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
# no new privs

4
apparmor.d/groups/apps/code
View file

@ -58,8 +58,8 @@ profile code @{exec_path} {
# Reading of the user home dir is required or the following error will be printed:
# Unexpected end of JSON input:
#owner @{HOME}/ r,
owner @{HOME}/.config/Code/ rw,
owner @{HOME}/.config/Code/** rwkl -> {HOME}/.config/Code/**,
owner @{user_config_dirs}/Code/ rw,
owner @{user_config_dirs}/Code/** rwkl -> {HOME}/.config/Code/**,
owner @{HOME}/.vscode/ rw,
owner @{HOME}/.vscode/** rwlk -> @{HOME}/.vscode/**,

14
apparmor.d/groups/apps/discord
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{DISCORD_LIBDIR} = /usr/share/discord
@{DISCORD_HOMEDIR} = @{HOME}/.config/discord
@{DISCORD_HOMEDIR} = @{user_config_dirs}/discord
@{DISCORD_CACHEDIR} = @{user_cache_dirs}/discord
@{exec_path} = @{DISCORD_LIBDIR}/Discord /{usr/,}bin/discord
@ -152,9 +152,9 @@ profile discord @{exec_path} {
# file_inherit
/usr/share/discord/** r,
owner /dev/shm/.org.chromium.Chromium.* rw,
owner @{HOME}/.config/discord/GPUCache/data_[0-9] rw,
owner @{HOME}/.config/discord/*/modules/discord_desktop_core/core.asar r,
owner @{HOME}/.config/discord/GPUCache/index rw,
owner @{user_config_dirs}/discord/GPUCache/data_[0-9] rw,
owner @{user_config_dirs}/discord/*/modules/discord_desktop_core/core.asar r,
owner @{user_config_dirs}/discord/GPUCache/index rw,
}
@ -180,9 +180,9 @@ profile discord @{exec_path} {
# file_inherit
deny /usr/share/discord/** r,
deny owner /dev/shm/.org.chromium.Chromium.* rw,
deny owner @{HOME}/.config/discord/GPUCache/data_[0-9] rw,
deny owner @{HOME}/.config/discord/*/modules/discord_desktop_core/core.asar r,
deny owner @{HOME}/.config/discord/GPUCache/index rw,
deny owner @{user_config_dirs}/discord/GPUCache/data_[0-9] rw,
deny owner @{user_config_dirs}/discord/*/modules/discord_desktop_core/core.asar r,
deny owner @{user_config_dirs}/discord/GPUCache/index rw,
}

2
apparmor.d/groups/apps/discord-chrome-sandbox
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{DISCORD_LIBDIR} = /usr/share/discord
@{DISCORD_HOMEDIR} = @{HOME}/.config/discord
@{DISCORD_HOMEDIR} = @{user_config_dirs}/discord
@{DISCORD_CACHEDIR} = @{user_cache_dirs}/discord
@{exec_path} = @{DISCORD_LIBDIR}/chrome-sandbox

2
apparmor.d/groups/apps/dropbox
View file

@ -69,7 +69,7 @@ profile dropbox @{exec_path} {
owner @{HOME}/.dropbox-dist-tmp-*/{,**} rw,
# For autostart
deny owner @{HOME}/.config/autostart/dropbox.desktop rw,
deny owner @{user_config_dirs}/autostart/dropbox.desktop rw,
# What's this for?
/{usr/,}bin/mount mrix,

4
apparmor.d/groups/apps/filezilla
View file

@ -30,8 +30,8 @@ profile filezilla @{exec_path} {
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
owner @{HOME}/ r,
owner @{HOME}/.config/filezilla/ rw,
owner @{HOME}/.config/filezilla/* rwk,
owner @{user_config_dirs}/filezilla/ rw,
owner @{user_config_dirs}/filezilla/* rwk,
owner @{user_cache_dirs}/filezilla/ rw,
owner @{user_cache_dirs}/filezilla/default_*.png rw,

12
apparmor.d/groups/apps/flameshot
View file

@ -39,13 +39,13 @@ profile flameshot @{exec_path} {
/{usr/,}bin/xdg-open rCx -> open,
# Flameshot home files
owner @{HOME}/.config/flameshot/ rw,
owner @{HOME}/.config/flameshot/flameshot.ini rw,
owner @{HOME}/.config/flameshot/#[0-9]*[0-9] rw,
owner @{HOME}/.config/flameshot/flameshot.ini* rwl -> @{HOME}/.config/flameshot/#[0-9]*[0-9],
owner @{HOME}/.config/flameshot/flameshot.ini.lock rwk,
owner @{user_config_dirs}/flameshot/ rw,
owner @{user_config_dirs}/flameshot/flameshot.ini rw,
owner @{user_config_dirs}/flameshot/#[0-9]*[0-9] rw,
owner @{user_config_dirs}/flameshot/flameshot.ini* rwl -> @{user_config_dirs}/flameshot/#[0-9]*[0-9],
owner @{user_config_dirs}/flameshot/flameshot.ini.lock rwk,
owner @{HOME}/.config/qt5ct/{,**} r,
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
/var/lib/dbus/machine-id r,

4
apparmor.d/groups/apps/freetube
View file

@ -52,8 +52,8 @@ profile freetube @{exec_path} {
@{FT_LIBDIR}/chrome-sandbox rPx,
owner @{HOME}/ r,
owner @{HOME}/.config/FreeTube/ rw,
owner @{HOME}/.config/FreeTube/** rwk,
owner @{user_config_dirs}/FreeTube/ rw,
owner @{user_config_dirs}/FreeTube/** rwk,
/var/tmp/ r,
/tmp/ r,

2
apparmor.d/groups/apps/geany
View file

@ -49,7 +49,7 @@ profile geany @{exec_path} {
/usr/share/geany/{,**} r,
owner @{HOME}/.config/geany/{,**} rw,
owner @{user_config_dirs}/geany/{,**} rw,
owner /{run/,}user/[0-9]*/geany/geany_socket.[0-9a-f]* rw,

20
apparmor.d/groups/apps/okular
View file

@ -39,22 +39,22 @@ profile okular @{exec_path} {
/tmp/mozilla_*/ r,
owner /{home,media,tmp/mozilla_*}/**.@{okular_ext} rw,
owner @{HOME}/.config/#[0-9]*[0-9] rw,
owner @{user_config_dirs}/#[0-9]*[0-9] rw,
owner @{HOME}/.config/okularrc rw,
owner @{HOME}/.config/okularrc.lock rwk,
owner @{HOME}/.config/okularrc.* rwl -> @{HOME}/.config/#[0-9]*[0-9],
owner @{user_config_dirs}/okularrc rw,
owner @{user_config_dirs}/okularrc.lock rwk,
owner @{user_config_dirs}/okularrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
owner @{HOME}/.config/okularpartrc rw,
owner @{HOME}/.config/okularpartrc.lock rwk,
owner @{HOME}/.config/okularpartrc.* rwl -> @{HOME}/.config/#[0-9]*[0-9],
owner @{user_config_dirs}/okularpartrc rw,
owner @{user_config_dirs}/okularpartrc.lock rwk,
owner @{user_config_dirs}/okularpartrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
owner @{HOME}/.config/kdeglobals r,
owner @{HOME}/.config/kwalletrc r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwalletrc r,
owner @{HOME}/.local/share/okular/{,**} rw,
owner @{HOME}/.config/qt5ct/{,**} r,
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
owner @{user_cache_dirs}/ rw,

2
apparmor.d/groups/apps/signal-desktop
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{SIGNAL_INSTALLDIR} = "/opt/Signal{, Beta}"
@{SIGNAL_HOMEDIR} = "@{HOME}/.config/Signal{, Beta}"
@{SIGNAL_HOMEDIR} = "@{user_config_dirs}/Signal{, Beta}"
@{exec_path} = @{SIGNAL_INSTALLDIR}/signal-desktop{,-beta}
profile signal-desktop @{exec_path} {

2
apparmor.d/groups/apps/signal-desktop-chrome-sandbox
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{SIGNAL_INSTALLDIR} = "/opt/Signal{, Beta}"
@{SIGNAL_HOMEDIR} = "@{HOME}/.config/Signal{, Beta}"
@{SIGNAL_HOMEDIR} = "@{user_config_dirs}/Signal{, Beta}"
@{exec_path} = @{SIGNAL_INSTALLDIR}/signal-desktop{,-beta}
profile signal-desktop-chrome-sandbox @{exec_path} {

4
apparmor.d/groups/apps/spotify
View file

@ -30,8 +30,8 @@ profile spotify @{exec_path} {
/usr/share/spotify/swiftshader/libGLESv2.so mr,
/usr/share/spotify/swiftshader/libEGL.so mr,
owner @{HOME}/.config/spotify/ rw,
owner @{HOME}/.config/spotify/** rw,
owner @{user_config_dirs}/spotify/ rw,
owner @{user_config_dirs}/spotify/** rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/spotify/ rw,

2
apparmor.d/groups/apps/telegram-desktop
View file

@ -57,7 +57,7 @@ profile telegram-desktop @{exec_path} {
#owner @{TELEGRAM_WORK_DIR}/{,**} rw,
# Autostart
owner @{HOME}/.config/autostart/telegramdesktop.desktop rw,
owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw,
/dev/shm/#[0-9]*[0-9] rw,

6
apparmor.d/groups/apps/thunderbird
View file

@ -101,16 +101,16 @@ profile thunderbird @{exec_path} {
# System integration
/etc/mime.types r,
owner @{HOME}/.config/mimeapps.list.* rw,
owner @{user_config_dirs}/mimeapps.list.* rw,
# KDE system keyring
/{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
/usr/share/xul-ext/kwallet5/* r,
/etc/xul-ext/kwallet5.js r,
owner @{HOME}/.config/kwalletrc r,
owner @{user_config_dirs}/kwalletrc r,
# QT5
owner @{HOME}/.config/qt5ct/{,**} r,
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
deny @{sys}/devices/system/cpu/present r,

2
apparmor.d/groups/apps/usr.lib.libreoffice.program.oosplash
View file

@ -30,7 +30,7 @@ profile libreoffice-oopslash /usr/lib/libreoffice/program/oosplash flags=(compla
/usr/lib/libreoffice/program/soffice.bin rmpx,
/usr/lib/libreoffice/program/javaldx rmpux,
owner @{HOME}/.Xauthority r,
owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
owner @{user_config_dirs}/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined),
unix peer=(addr=@/tmp/.X11-unix/* label=unconfined),
}

2
apparmor.d/groups/apps/usr.lib.libreoffice.program.senddoc
View file

@ -32,6 +32,6 @@ profile libreoffice-senddoc /usr/lib/libreoffice/program/senddoc flags=(complain
/dev/null rw,
/usr/lib/libreoffice/program/uri-encode rmpux,
/usr/share/libreoffice/share/config/* r,
owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
owner @{user_config_dirs}/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
}

40
apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin
View file

@ -118,15 +118,15 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
/etc/xml/catalog r, #exporting to .xhtml, for libxml2
/proc/*/status r,
owner @{HOME}/.config/libreoffice{,dev}/** rwk,
owner @{HOME}/.config/soffice.binrc rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/soffice.binrc.* rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/soffice.binrc.lock rwk,
owner @{user_config_dirs}/libreoffice{,dev}/** rwk,
owner @{user_config_dirs}/soffice.binrc rwl -> @{user_config_dirs}/#[0-9]*,
owner @{user_config_dirs}/soffice.binrc.* rwl -> @{user_config_dirs}/#[0-9]*,
owner @{user_config_dirs}/soffice.binrc.lock rwk,
owner @{user_cache_dirs}/fontconfig/** rw,
owner @{HOME}/.config/gtk-???/bookmarks r, #Make bookmarks work
owner @{user_config_dirs}/gtk-???/bookmarks r, #Make bookmarks work
owner /{,var/}run/user/*/dconf/user rw,
owner @{HOME}/.config/dconf/user r,
owner @{user_config_dirs}/dconf/user r,
# allow schema to be read
/usr/share/glib-*/schemas/ r,
@ -227,7 +227,7 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
# probably should become a subprofile like gpg above, but then it doesn't
# work either as it tries to access stuff only allowed above...
owner @{HOME}/.config/kdeglobals r,
owner @{user_config_dirs}/kdeglobals r,
/usr/lib/libreoffice/program/lo_kde5filepicker rPUx,
/usr/share/qt5/translations/* r,
/usr/lib/*/qt5/plugins/** rm,
@ -235,11 +235,11 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
# TODO: remove when rules are available in abstractions/kde
owner @{user_cache_dirs}/ksycoca5_??_* r, # KDE System Configuration Cache
owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
owner @{HOME}/.config/trashrc r, # user by KFileWidget
owner @{user_config_dirs}/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
owner @{user_config_dirs}/dolphinrc r, # settings used by KFileWidget
owner @{user_config_dirs}/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
owner @{user_config_dirs}/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
owner @{user_config_dirs}/trashrc r, # user by KFileWidget
/usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent
# TODO: remove when rules are available in abstractions/kde-write-icon-cache or similar
@ -249,11 +249,11 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
/usr/share/kservices5/*.protocol r,
# TODO: use qt5-settings-write abstraction when it is available
owner @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] rw,
owner @{HOME}/.config/QtProject.conf rw,
owner @{HOME}/.config/QtProject.conf.?????? l -> @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],
owner @{HOME}/.config/QtProject.conf.?????? rw, # for temporary files like QtProject.conf.Aqrgeb
owner @{HOME}/.config/QtProject.conf.lock rwk,
owner @{user_config_dirs}/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] rw,
owner @{user_config_dirs}/QtProject.conf rw,
owner @{user_config_dirs}/QtProject.conf.?????? l -> @{user_config_dirs}/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],
owner @{user_config_dirs}/QtProject.conf.?????? rw, # for temporary files like QtProject.conf.Aqrgeb
owner @{user_config_dirs}/QtProject.conf.lock rwk,
# TODO: use qt5-compose-cache-write abstraction when it is available
owner @{user_cache_dirs}/qt_compose_cache_{little,big}_endian_* r,
@ -265,7 +265,7 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
# TODO: use kde-globals-write abstraction when it is available
owner @{HOME}/.config/kdeglobals rw,
owner @{HOME}/.config/kdeglobals.* rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/kdeglobals.lock rwk,
owner @{user_config_dirs}/kdeglobals rw,
owner @{user_config_dirs}/kdeglobals.* rwl -> @{user_config_dirs}/#[0-9]*,
owner @{user_config_dirs}/kdeglobals.lock rwk,
}

2
apparmor.d/groups/apps/usr.lib.libreoffice.program.xpdfimport
View file

@ -21,7 +21,7 @@ profile libreoffice-xpdfimport /usr/lib/libreoffice/program/xpdfimport flags=(co
/usr/share/poppler/** r,
/usr/share/libreoffice/share/config/* r,
owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
owner @{user_config_dirs}/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
/usr/lib/libreoffice/program/xpdfimport pxm,

6
apparmor.d/groups/apps/vlc
View file

@ -98,8 +98,8 @@ profile vlc @{exec_path} {
# VLC config files
owner @{HOME}/ r,
owner @{HOME}/.config/vlc/ rw,
owner @{HOME}/.config/vlc/* rwkl -> @{HOME}/.config/vlc/#[0-9]*[0-9],
owner @{user_config_dirs}/vlc/ rw,
owner @{user_config_dirs}/vlc/* rwkl -> @{user_config_dirs}/vlc/#[0-9]*[0-9],
owner @{HOME}/.local/share/vlc/{,*} rw,
owner @{user_cache_dirs}/ rw,
@ -107,7 +107,7 @@ profile vlc @{exec_path} {
owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{HOME}/.config/qt5ct/{,**} r,
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
/dev/shm/#[0-9]*[0-9] rw,

2
apparmor.d/groups/apt/dpkg-buildflags
View file

@ -19,7 +19,7 @@ profile dpkg-buildflags @{exec_path} flags=(complain) {
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
owner @{HOME}/.config/dpkg/buildflags.conf r,
owner @{user_config_dirs}/dpkg/buildflags.conf r,
include if exists <local/dpkg-buildflags>
}

2
apparmor.d/groups/apt/dpkg-genbuildinfo
View file

@ -26,7 +26,7 @@ profile dpkg-genbuildinfo @{exec_path} flags=(complain) {
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
owner @{HOME}/.config/dpkg/buildflags.conf r,
owner @{user_config_dirs}/dpkg/buildflags.conf r,
/usr/local/bin/ r,
/usr/local/sbin/ r,

18
apparmor.d/groups/browsers/brave
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BRAVE_INSTALLDIR} = /opt/brave.com/brave{,-beta,-dev}
@{BRAVE_HOMEDIR} = @{HOME}/.config/BraveSoftware/Brave-Browser{,-Beta,-Dev}
@{BRAVE_HOMEDIR} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
@{BRAVE_CACHEDIR} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
@{exec_path} = @{BRAVE_INSTALLDIR}/brave{,-beta,-dev}
@ -87,7 +87,7 @@ profile brave @{exec_path} {
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
owner @{HOME}/ r,
owner @{HOME}/.config/BraveSoftware/ w,
owner @{user_config_dirs}/BraveSoftware/ w,
owner @{BRAVE_HOMEDIR}/ rw,
owner @{BRAVE_HOMEDIR}/** rwk,
# For Widevine plugin
@ -111,14 +111,14 @@ profile brave @{exec_path} {
owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
owner @{HOME}/.mozilla/firefox/*/logins.json r,
# For importing data from Chromium
owner "@{HOME}/.config/chromium/Local State" r,
owner @{HOME}/.config/chromium/Singleton{Lock,Socket,Cookie} w,
owner "@{HOME}/.config/chromium/*/Login Data{,-journal}" rwk,
owner @{HOME}/.config/chromium/*/ r,
owner @{HOME}/.config/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
owner "@{user_config_dirs}/chromium/Local State" r,
owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w,
owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk,
owner @{user_config_dirs}/chromium/*/ r,
owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
owner @{HOME}/.config/menus/applications-merged/ r,
owner @{HOME}/.config/menus/applications-merged/xdg-desktop-menu-dummy.menu r,
owner @{user_config_dirs}/menus/applications-merged/ r,
owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r,
/etc/fstab r,

2
apparmor.d/groups/browsers/brave-browser
View file

@ -3,7 +3,7 @@
# SPDX-License-Identifier: GPL-2.0-only
@{BRAVE_INSTALLDIR} = /opt/brave.com/brave{,-beta,-dev}
@{BRAVE_HOMEDIR} = @{HOME}/.config/BraveSoftware/Brave-Browser{,-Beta,-Dev}
@{BRAVE_HOMEDIR} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
@{BRAVE_CACHEDIR} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
abi <abi/3.0>,

2
apparmor.d/groups/browsers/brave-sandbox
View file

@ -3,7 +3,7 @@
# SPDX-License-Identifier: GPL-2.0-only
@{BRAVE_INSTALLDIR} = /opt/brave.com/brave{,-beta,-dev}
@{BRAVE_HOMEDIR} = @{HOME}/.config/BraveSoftware/Brave-Browser{,-Beta,-Dev}
@{BRAVE_HOMEDIR} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
@{BRAVE_CACHEDIR} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
abi <abi/3.0>,

2
apparmor.d/groups/browsers/chromium
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{CHROMIUM_INSTALLDIR} = /{usr/,}lib/chromium
@{CHROMIUM_HOMEDIR} = @{HOME}/.config/chromium
@{CHROMIUM_HOMEDIR} = @{user_config_dirs}/chromium
@{CHROMIUM_CACHEDIR} = @{user_cache_dirs}/chromium
@{exec_path} = /{usr/,}bin/chromium

2
apparmor.d/groups/browsers/chromium-chrome-sandbox
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{CHROMIUM_INSTALLDIR} = /{usr/,}lib/chromium
@{CHROMIUM_HOMEDIR} = @{HOME}/.config/chromium
@{CHROMIUM_HOMEDIR} = @{user_config_dirs}/chromium
@{CHROMIUM_CACHEDIR} = @{user_cache_dirs}/chromium
@{exec_path} = @{CHROMIUM_INSTALLDIR}/chrome-sandbox

4
apparmor.d/groups/browsers/chromium-chromium
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{CHROMIUM_INSTALLDIR} = /{usr/,}lib/chromium
@{CHROMIUM_HOMEDIR} = @{HOME}/.config/chromium
@{CHROMIUM_HOMEDIR} = @{user_config_dirs}/chromium
@{CHROMIUM_CACHEDIR} = @{user_cache_dirs}/chromium
@{exec_path} = @{CHROMIUM_INSTALLDIR}/chromium
@ -83,7 +83,7 @@ profile chromium-chromium @{exec_path} {
# Chromium home files
owner @{HOME}/ r,
owner @{HOME}/.config/ r,
owner @{user_config_dirs}/ r,
owner @{CHROMIUM_HOMEDIR}/ rw,
owner @{CHROMIUM_HOMEDIR}/** rwk,
owner @{CHROMIUM_HOMEDIR}/WidevineCdm/*/_platform_specific/linux_*/libwidevinecdm.so mrw,

2
apparmor.d/groups/browsers/firefox
View file

@ -121,7 +121,7 @@ profile firefox @{exec_path} {
# Set default browser
/{usr/,}bin/update-mime-database rPUx,
owner @{HOME}/.config/mimeapps.list{,.*} rw,
owner @{user_config_dirs}/mimeapps.list{,.*} rw,
owner @{HOME}/.local/share/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
owner @{HOME}/.local/share/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,

12
apparmor.d/groups/browsers/google-chrome-chrome
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{CHROME_INSTALLDIR} = /opt/google/chrome{,-beta,-unstable}
@{CHROME_HOMEDIR} = @{HOME}/.config/google-chrome{,-beta,-unstable}
@{CHROME_HOMEDIR} = @{user_config_dirs}/google-chrome{,-beta,-unstable}
@{CHROME_CACHEDIR} = @{user_cache_dirs}/google-chrome{,-beta,-unstable}
@{exec_path} = @{CHROME_INSTALLDIR}/chrome{,-beta,-unstable}
@ -107,11 +107,11 @@ profile google-chrome-chrome @{exec_path} {
owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
owner @{HOME}/.mozilla/firefox/*/logins.json r,
# For importing data from Chromium
owner "@{HOME}/.config/chromium/Local State" r,
owner @{HOME}/.config/chromium/Singleton{Lock,Socket,Cookie} w,
owner "@{HOME}/.config/chromium/*/Login Data{,-journal}" rwk,
owner @{HOME}/.config/chromium/*/ r,
owner @{HOME}/.config/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
owner "@{user_config_dirs}/chromium/Local State" r,
owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w,
owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk,
owner @{user_config_dirs}/chromium/*/ r,
owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
/etc/fstab r,

2
apparmor.d/groups/browsers/google-chrome-chrome-sandbox
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{CHROME_INSTALLDIR} = /opt/google/chrome{,-beta,-unstable}
@{CHROME_HOMEDIR} = @{HOME}/.config/google-chrome{,-beta,-unstable}
@{CHROME_HOMEDIR} = @{user_config_dirs}/google-chrome{,-beta,-unstable}
@{CHROME_CACHEDIR} = @{user_cache_dirs}/google-chrome{,-beta,-unstable}
@{exec_path} = @{CHROME_INSTALLDIR}/chrome-sandbox

2
apparmor.d/groups/browsers/google-chrome-google-chrome
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{CHROME_INSTALLDIR} = /opt/google/chrome{,-beta,-unstable}
@{CHROME_HOMEDIR} = @{HOME}/.config/google-chrome{,-beta,-unstable}
@{CHROME_HOMEDIR} = @{user_config_dirs}/google-chrome{,-beta,-unstable}
@{CHROME_CACHEDIR} = @{user_cache_dirs}/google-chrome{,-beta,-unstable}
@{exec_path} = @{CHROME_INSTALLDIR}/google-chrome{,-beta,-unstable}

18
apparmor.d/groups/browsers/opera
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{OPERA_INSTALLDIR} = /{usr/,}lib/@{multiarch}/opera{,-beta,-developer}
@{OPERA_HOMEDIR} = @{HOME}/.config/opera{,-beta,-developer}
@{OPERA_HOMEDIR} = @{user_config_dirs}/opera{,-beta,-developer}
@{OPERA_CACHEDIR} = @{user_cache_dirs}/opera{,-beta,-developer}
@{exec_path} = @{OPERA_INSTALLDIR}/opera{,-beta,-developer}
@ -94,16 +94,16 @@ profile opera @{exec_path} {
owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
owner @{HOME}/.mozilla/firefox/*/logins.json r,
# For importing data from Chromium
owner "@{HOME}/.config/chromium/Local State" r,
owner @{HOME}/.config/chromium/Singleton{Lock,Socket,Cookie} w,
owner "@{HOME}/.config/chromium/*/Login Data{,-journal}" rwk,
owner @{HOME}/.config/chromium/*/ r,
owner @{HOME}/.config/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
owner "@{user_config_dirs}/chromium/Local State" r,
owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w,
owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk,
owner @{user_config_dirs}/chromium/*/ r,
owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
# Flashplayer
owner @{HOME}/.config/google-chrome{,-beta,-unstable}/PepperFlash/**/manifest.json r,
owner @{HOME}/.config/google-chrome{,-beta,-unstable}/PepperFlash/latest-component-updated-flash r,
owner @{HOME}/.config/google-chrome{,-beta,-unstable}/PepperFlash/**/libpepflashplayer.so mr,
owner @{user_config_dirs}/google-chrome{,-beta,-unstable}/PepperFlash/**/manifest.json r,
owner @{user_config_dirs}/google-chrome{,-beta,-unstable}/PepperFlash/latest-component-updated-flash r,
owner @{user_config_dirs}/google-chrome{,-beta,-unstable}/PepperFlash/**/libpepflashplayer.so mr,
/etc/fstab r,

2
apparmor.d/groups/browsers/opera-crashreporter
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{OPERA_INSTALLDIR} = /{usr/,}lib/@{multiarch}/opera{,-beta,-developer}
@{OPERA_HOMEDIR} = @{HOME}/.config/opera{,-beta,-developer}
@{OPERA_HOMEDIR} = @{user_config_dirs}/opera{,-beta,-developer}
@{OPERA_CACHEDIR} = @{user_cache_dirs}/opera{,-beta,-developer}
@{exec_path} = @{OPERA_INSTALLDIR}/opera_crashreporter

2
apparmor.d/groups/browsers/opera-sandbox
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{OPERA_INSTALLDIR} = /{usr/,}lib/@{multiarch}/opera{,-beta,-developer}
@{OPERA_HOMEDIR} = @{HOME}/.config/opera{,-beta,-developer}
@{OPERA_HOMEDIR} = @{user_config_dirs}/opera{,-beta,-developer}
@{OPERA_CACHEDIR} = @{user_cache_dirs}/opera{,-beta,-developer}
@{exec_path} = @{OPERA_INSTALLDIR}/opera_sandbox

4
apparmor.d/groups/browsers/torbrowser.Browser.firefox
View file

@ -119,8 +119,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
deny /dev/dri/ rwklx,
deny @{user_cache_dirs}/fontconfig/ rw,
deny @{user_cache_dirs}/fontconfig/** rw,
deny @{HOME}/.config/gtk-2.0/ rw,
deny @{HOME}/.config/gtk-2.0/** rw,
deny @{user_config_dirs}/gtk-2.0/ rw,
deny @{user_config_dirs}/gtk-2.0/** rw,
deny @{PROC}/@{pid}/net/route r,
deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,

8
apparmor.d/groups/desktop/dconf-editor
View file

@ -22,10 +22,10 @@ profile dconf-editor @{exec_path} {
owner @{run}/user/[0-9]*/dconf/user rw,
# When GSETTINGS_BACKEND=keyfile
owner @{HOME}/.config/glib-2.0/ rw,
owner @{HOME}/.config/glib-2.0/settings/ rw,
owner @{HOME}/.config/glib-2.0/settings/keyfile rw,
owner @{HOME}/.config/glib-2.0/settings/.goutputstream-* rw,
owner @{user_config_dirs}/glib-2.0/ rw,
owner @{user_config_dirs}/glib-2.0/settings/ rw,
owner @{user_config_dirs}/glib-2.0/settings/keyfile rw,
owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-* rw,
/usr/share/glib-2.0/schemas/{,*} r,

4
apparmor.d/groups/desktop/dconf-service
View file

@ -18,8 +18,8 @@ profile dconf-service @{exec_path} {
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{HOME}/.config/dconf/ rw,
owner @{HOME}/.config/dconf/user{,.*} rw,
owner @{user_config_dirs}/dconf/ rw,
owner @{user_config_dirs}/dconf/user{,.*} rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/dconf/ rw,

2
apparmor.d/groups/gnome/gio-launch-desktop
View file

@ -23,7 +23,7 @@ profile gio-launch-desktop @{exec_path} {
/var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
# User files
owner @{HOME}/.config/mimeapps.list r,
owner @{user_config_dirs}/mimeapps.list r,
owner @{HOME}/.local/share/applications/{,*.desktop} r,
owner @{PROC}/@{pid}/fd/ r,