Create child-gedit
Create a strict skeleton abstraction for system applications that have wide access (e.g. text editors), and then grant broader file access only in the child profile, based on the application that executed that child profile.
This commit is contained in:
parent
4df3f2e52f
commit
9a658d6ccb
1 changed files with 31 additions and 0 deletions
31
child-gedit
Normal file
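--- /dev/null
+++ b/child-gedit
@@ -0,0 +1,31 @@
+#vim:syntax=apparmor
+#AppArmor policy abstraction for child profiles of gedit
+#Copyright (C) 2023 Andy Ramos
+#SPDX-License-Identifier: GPL-2.0-only
+
+include <abstractions/base>
+include <abstractions/dconf-write>
+include <abstractions/gnome>
+include <abstractions/nameservice-strict>
+include <abstractions/gtk>
+include <abstractions/enchant>
+
+@{bin}/gedit mrix,
+
+/usr/share/terminfo/x/xterm-256color r,
+
+owner @{user_config_dirs}/ibus/bus/{,**} r,
+owner @{user_config_dirs}/gedit/{,**} r,
+owner @{user_config_dirs}/gedit/accels rw,
+
+owner @{PROC}/@{pid}/mountinfo r,
+
+# needed?
+deny network inet stream,
+
+deny unix (send, receive, connect)
+type=stream
+peer=(addr="@@{user_cache_dirs}/ibus/dbus-*"),
+
+deny /etc/{fstab,group,machine-id,passwd} r,
+deny /run/user/@{uid}/bus rw,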
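Review bot: The `# needed?` question above `deny network inet stream,` cannot be answered from the audit log, because AppArmor `deny` rules are quiet by default and produce no denial messages; while this is still being evaluated the line should read `audit deny network inet stream,` (or be dropped until a need is shown), and the comment should say why the rule is there. The same applies to the `deny /etc/{fstab,group,machine-id,passwd} r,` and `deny /run/user/@{uid}/bus rw,` rules at the end: in AppArmor an explicit deny takes precedence over every allow, including rules the including child profile adds and, as far as I recall its contents, the `/etc/passwd` and `/etc/group` reads granted by the included `abstractions/nameservice-strict`, so a child profile cannot re-grant these even when it needs them. If the overriding deny is intentional, a short comment such as `# deny wins over allow: child profiles cannot re-grant these` would save the next reader from debugging a silent failure; if it is not, the lines could simply be left out, since an abstraction that omits a rule already withholds the access.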