feat(profile): cleanup usage of mime abs.

2025-08-30 19:47:07 +02:00 · 2025-08-30 19:47:07 +02:00 · ac6eac1333
commit ac6eac1333
parent f5e2572457
18 changed files with 12 additions and 40 deletions
--- a/apparmor.d/groups/flatpak/flatpak-portal
+++ b/apparmor.d/groups/flatpak/flatpak-portal
@ -11,6 +11,7 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/mime>
  include <abstractions/nameservice-strict>
  capability sys_ptrace,
@ -32,11 +33,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
  @{bin}/flatpak rPx,
  /usr/share/mime/mime.cache r,
  /usr/share/xdg-desktop-portal/portals/{,*.portal} r,
  /var/lib/flatpak/exports/share/mime/mime.cache r,
  owner /att/**/ r,
  owner @{att}/.flatpak-info r,
@ -44,7 +42,6 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
  owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw,
  owner @{user_config_dirs}/user-dirs.dirs r,
  owner @{user_share_dirs}/mime/mime.cache r,
  owner @{run}/user/@{uid}/.flatpak/@{int}/* r,
  owner @{run}/user/@{uid}/.flatpak/@{int}-private/* r,
--- a/apparmor.d/groups/flatpak/flatpak-system-helper
+++ b/apparmor.d/groups/flatpak/flatpak-system-helper
@ -11,6 +11,7 @@ profile flatpak-system-helper @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.PolicyKit1>
  include <abstractions/mime>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
@ -42,7 +43,6 @@ profile flatpak-system-helper @{exec_path} {
  /usr/share/flatpak/remotes.d/{,**} r,
  /usr/share/flatpak/triggers/ r,
  /usr/share/mime/mime.cache r,
  /var/lib/flatpak/{,**} rwkl,
  /var/tmp/flatpak-cache-*/{,**} rw,
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@ -14,6 +14,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.freedesktop.PolicyKit1>
  include <abstractions/devices-usb>
  include <abstractions/mime>
  include <abstractions/nameservice-strict>
  network inet dgram,
@ -31,11 +32,8 @@ profile colord @{exec_path} flags=(attach_disconnected) {
  /etc/udev/hwdb.bin r,
  /usr/share/color/icc/{,**} r,
  /usr/share/mime/mime.cache r,
  /usr/share/snmp/mibs/{,*} r,
  @{system_share_dirs}/mime/mime.cache r,
  owner /var/lib/colord/.cache/ rw,
  owner /var/lib/colord/.cache/** rw,
  owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk,
--- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer
+++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer
@ -9,12 +9,11 @@ include <tunables/global>
@{exec_path} = @{lib}/gnome-photos-thumbnailer
 profile gnome-photos-thumbnailer @{exec_path} {
  include <abstractions/base>
  include <abstractions/mime>
  include <abstractions/user-download-strict>
  @{exec_path} mr,
  /usr/share/mime/mime.cache r,
  owner @{user_pictures_dirs}/{,**} r,
  owner @{user_cache_dirs}/babl/{,**} r,
--- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
+++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
@ -10,11 +10,10 @@ include <tunables/global>
 profile gnome-shell-hotplug-sniffer @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/mime>
  @{exec_path} mr,
  /usr/share/mime/mime.cache r,
  @{MOUNTS}/**/ r,
  @{MOUNTS}/** r,
--- a/apparmor.d/groups/gvfs/gvfsd-admin
+++ b/apparmor.d/groups/gvfs/gvfsd-admin
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,gvfs/}gvfsd-admin
 profile gvfsd-admin @{exec_path} {
  include <abstractions/base>
  include <abstractions/mime>
  include <abstractions/nameservice-strict>
  capability chown,
@ -20,8 +21,6 @@ profile gvfsd-admin @{exec_path} {
  @{exec_path} mr,
  /usr/share/mime/mime.cache r,
  #aa:lint ignore=too-wide
  # Full access to system's data, but no write access to sensitive system directories
  / r,
--- a/apparmor.d/groups/kde/kaccess
+++ b/apparmor.d/groups/kde/kaccess
@ -29,8 +29,6 @@ profile kaccess @{exec_path} {
  owner @{user_config_dirs}/breezerc r,
  owner @{user_config_dirs}/kaccessrc r,
  owner @{user_share_dirs}/mime/generic-icons r,
  /dev/tty r,
  include if exists <local/kaccess>
--- a/apparmor.d/groups/kde/kiod
+++ b/apparmor.d/groups/kde/kiod
@ -20,8 +20,6 @@ profile kiod @{exec_path} {
  @{exec_path} mr,
  /usr/share/mime/{,**} r,
  owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/ksslcertificatemanager.lock rwk,
--- a/apparmor.d/groups/kde/startplasma
+++ b/apparmor.d/groups/kde/startplasma
@ -48,8 +48,6 @@ profile startplasma @{exec_path} {
  /etc/xdg/plasma-workspace/env/{,*} r,
  /etc/xdg/plasmarc r,
  /var/lib/flatpak/exports/share/mime/ r,
        @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int},
  owner @{user_cache_dirs}/#@{int} rwk,
  owner @{user_cache_dirs}/kcrash-metadata/ rw,
--- a/apparmor.d/groups/lxqt/lxqt-session
+++ b/apparmor.d/groups/lxqt/lxqt-session
@ -47,7 +47,6 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) {
  @{bin}/xdg-user-dirs-update         rPx,
  /usr/share/                         r,
  /usr/share/mime/                    r,
  /usr/share/cursors/                 r,
  /usr/share/backintime/common/*      r,
  /usr/share/desktop-directories/*    r,
--- a/apparmor.d/groups/lxqt/startlxqt
+++ b/apparmor.d/groups/lxqt/startlxqt
@ -31,7 +31,6 @@ profile startlxqt @{exec_path} {
  /usr/share/color-schemes/{,**} r,
  /usr/share/desktop-directories/{,**} r,
  /usr/share/kservices5/{,**} r,
  /usr/share/mime/{,**} r,
  /etc/machine-id r,
  /etc/xdg/menus/{,**} r,
--- a/apparmor.d/groups/virt/cni-calico
+++ b/apparmor.d/groups/virt/cni-calico
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/cni/calico /opt/cni/bin/calico
 profile cni-calico @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/mime>
  capability sys_admin,
  capability net_admin,
@ -32,8 +33,6 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
  /var/log/calico/cni/ r,
  /var/log/calico/cni/*.log rw,
  /usr/share/mime/globs2 r,
  @{run}/calico/ rw,
  @{run}/calico/ipam.lock rwk,
  @{run}/netns/cni-@{uuid} r,
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@ -68,7 +68,6 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
  /var/lib/rancher/k3s/data/@{hex}/bin/* rix,
  @{lib}/kubernetes/kubelet-plugins/volume/exec/{,**} r,
  /usr/share/mime/globs2 r,
  /etc/machine-id r,
  /etc/rancher/{,**} rw,
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -23,6 +23,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/consoles>
  include <abstractions/devices-usb>
  include <abstractions/disks-write>
  include <abstractions/mime>
  include <abstractions/nameservice-strict>
  capability audit_write,
@ -141,7 +142,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  /usr/share/hwdata/* r,
  /usr/share/iproute2/{,**} r,
  /usr/share/libvirt/{,**} r,
  /usr/share/mime/mime.cache r,
  /usr/share/misc/pci.ids r,
  /usr/share/qemu/{,**} r,
--- a/apparmor.d/profiles-a-f/evince-thumbnailer
+++ b/apparmor.d/profiles-a-f/evince-thumbnailer
@ -9,10 +9,10 @@ include <tunables/global>
@{exec_path} = @{bin}/evince-thumbnailer
 profile evince-thumbnailer @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/mime>
  @{exec_path} mr,
  /usr/share/mime/mime.cache r,
  /usr/share/poppler/{,**} r,
  owner @{tmp}/gnome-desktop-file-to-thumbnail.pdf r,
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@ -17,6 +17,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
  include <abstractions/consoles>
  include <abstractions/disks-write>
  include <abstractions/fonts>
  include <abstractions/mime>
  include <abstractions/nameservice-strict>
  include <abstractions/sqlite>
@ -57,7 +58,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
  /usr/share/fwupd/{,**} r,
  /usr/share/hwdata/* r,
  /usr/share/libdrm/*.ids r,
  /usr/share/mime/mime.cache r,
  /usr/share/misc/*.ids r,
  /etc/fwupd/{,**} rw,
@ -77,7 +77,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
  @{MOUNTDIRS}/*/{,@{efi}/} r,
  @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r,
        /var/lib/flatpak/exports/share/mime/mime.cache r,
  owner /var/cache/fwupd/ rw,
  owner /var/cache/fwupd/** rwk,
  owner /var/lib/fwupd/ rw,
--- a/apparmor.d/profiles-g-l/hugo
+++ b/apparmor.d/profiles-g-l/hugo
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/hugo
 profile hugo @{exec_path} {
  include <abstractions/base>
  include <abstractions/mime>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
@ -26,7 +27,6 @@ profile hugo @{exec_path} {
  @{lib}/go/bin/go                    rix,
  /usr/share/git{,-core}/{,**} r,
  /usr/share/mime/{,**} r,
  /usr/share/terminfo/** r,
  /etc/mime.types r,
--- a/apparmor.d/profiles-m-r/mimetype
+++ b/apparmor.d/profiles-m-r/mimetype
@ -11,22 +11,13 @@ include <tunables/global>
 profile mimetype @{exec_path} {
  include <abstractions/base>
  include <abstractions/perl>
  include <abstractions/perl>
  @{exec_path} r,
  /usr/share/mime/**.xml r,
  /usr/share/mime/globs r,
  /usr/share/mime/aliases r,
  /usr/share/mime/magic r,
  # To read files
  owner /** r,  #aa:lint ignore=too-wide
  owner @{user_share_dirs}/mime/**.xml r,
  owner @{user_share_dirs}/mime/globs r,
  owner @{user_share_dirs}/mime/aliases r,
  owner @{user_share_dirs}/mime/magic r,
  include if exists <local/mimetype>
 }