Create child-gedit

Create a strict skeleton-abstraction for system applications that have wide access (text editors) and then only grant broader file access (in the child profile) based on the application that executed said child profile.
2023-11-01 07:45:58 +00:00 · 2023-11-01 07:45:58 +00:00 · 9a658d6ccb
commit 9a658d6ccb
parent 4df3f2e52f
1 changed files with 31 additions and 0 deletions
--- a/31
+++ b/31
@ -0,0 +1,31 @@
+#vim:syntax=apparmor
+#AppArmor policy abstraction for child profiles of gedit
+#Copyright (C) 2023 Andy Ramos
+#SPDX-License-Identifier: GPL-2.0-only
+
+    include <abstractions/base>
+    include <abstractions/dconf-write>
+    include <abstractions/gnome>
+    include <abstractions/nameservice-strict>
+    include <abstractions/gtk>
+    include <abstractions/enchant>
+
+    @{bin}/gedit mrix,
+
+    /usr/share/terminfo/x/xterm-256color r,
+
+    owner @{user_config_dirs}/ibus/bus/{,**}     r,
+    owner @{user_config_dirs}/gedit/{,**}        r,
+    owner @{user_config_dirs}/gedit/accels       rw,
+
+    owner @{PROC}/@{pid}/mountinfo       r,
+
+    # needed?
+    deny network inet stream,
+
+    deny unix (send, receive, connect)
+       type=stream
+       peer=(addr="@@{user_cache_dirs}/ibus/dbus-*"),
+
+    deny /etc/{fstab,group,machine-id,passwd} r,
+    deny /run/user/@{uid}/bus                 rw,