felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): cleanup usage of mime abs.

Browse source
This commit is contained in:
Alexandre Pujol 2025-08-30 19:47:07 +02:00
parent f5e2572457
commit ac6eac1333
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
18 changed files with 12 additions and 40 deletions
Download patch file Download diff file Expand all files Collapse all files

5
apparmor.d/groups/flatpak/flatpak-portal
View file

@ -11,6 +11,7 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/mime>
include <abstractions/nameservice-strict>
capability sys_ptrace,
@ -32,11 +33,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
@{bin}/flatpak rPx,
/usr/share/mime/mime.cache r,
/usr/share/xdg-desktop-portal/portals/{,*.portal} r,
/var/lib/flatpak/exports/share/mime/mime.cache r,
owner /att/**/ r,
owner @{att}/.flatpak-info r,
@ -44,7 +42,6 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw,
owner @{user_config_dirs}/user-dirs.dirs r,
owner @{user_share_dirs}/mime/mime.cache r,
owner @{run}/user/@{uid}/.flatpak/@{int}/* r,
owner @{run}/user/@{uid}/.flatpak/@{int}-private/* r,

2
apparmor.d/groups/flatpak/flatpak-system-helper
View file

@ -11,6 +11,7 @@ profile flatpak-system-helper @{exec_path} {
include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.PolicyKit1>
include <abstractions/mime>
include <abstractions/nameservice-strict>
include <abstractions/p11-kit>
include <abstractions/ssl_certs>
@ -42,7 +43,6 @@ profile flatpak-system-helper @{exec_path} {
/usr/share/flatpak/remotes.d/{,**} r,
/usr/share/flatpak/triggers/ r,
/usr/share/mime/mime.cache r,
/var/lib/flatpak/{,**} rwkl,
/var/tmp/flatpak-cache-*/{,**} rw,

4
apparmor.d/groups/freedesktop/colord
View file

@ -14,6 +14,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus/org.freedesktop.Avahi>
include <abstractions/bus/org.freedesktop.PolicyKit1>
include <abstractions/devices-usb>
include <abstractions/mime>
include <abstractions/nameservice-strict>
network inet dgram,
@ -31,11 +32,8 @@ profile colord @{exec_path} flags=(attach_disconnected) {
/etc/udev/hwdb.bin r,
/usr/share/color/icc/{,**} r,
/usr/share/mime/mime.cache r,
/usr/share/snmp/mibs/{,*} r,
@{system_share_dirs}/mime/mime.cache r,
owner /var/lib/colord/.cache/ rw,
owner /var/lib/colord/.cache/** rw,
owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk,

3
apparmor.d/groups/gnome/gnome-photos-thumbnailer
View file

@ -9,12 +9,11 @@ include <tunables/global>
@{exec_path} = @{lib}/gnome-photos-thumbnailer
profile gnome-photos-thumbnailer @{exec_path} {
include <abstractions/base>
include <abstractions/mime>
include <abstractions/user-download-strict>
@{exec_path} mr,
/usr/share/mime/mime.cache r,
owner @{user_pictures_dirs}/{,**} r,
owner @{user_cache_dirs}/babl/{,**} r,

3
apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
View file

@ -10,11 +10,10 @@ include <tunables/global>
profile gnome-shell-hotplug-sniffer @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/mime>
@{exec_path} mr,
/usr/share/mime/mime.cache r,
@{MOUNTS}/**/ r,
@{MOUNTS}/** r,

3
apparmor.d/groups/gvfs/gvfsd-admin
View file

@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,gvfs/}gvfsd-admin
profile gvfsd-admin @{exec_path} {
include <abstractions/base>
include <abstractions/mime>
include <abstractions/nameservice-strict>
capability chown,
@ -20,8 +21,6 @@ profile gvfsd-admin @{exec_path} {
@{exec_path} mr,
/usr/share/mime/mime.cache r,
#aa:lint ignore=too-wide
# Full access to system's data, but no write access to sensitive system directories
/ r,

2
apparmor.d/groups/kde/kaccess
View file

@ -29,8 +29,6 @@ profile kaccess @{exec_path} {
owner @{user_config_dirs}/breezerc r,
owner @{user_config_dirs}/kaccessrc r,
owner @{user_share_dirs}/mime/generic-icons r,
/dev/tty r,
include if exists <local/kaccess>

2
apparmor.d/groups/kde/kiod
View file

@ -20,8 +20,6 @@ profile kiod @{exec_path} {
@{exec_path} mr,
/usr/share/mime/{,**} r,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/ksslcertificatemanager.lock rwk,

2
apparmor.d/groups/kde/startplasma
View file

@ -48,8 +48,6 @@ profile startplasma @{exec_path} {
/etc/xdg/plasma-workspace/env/{,*} r,
/etc/xdg/plasmarc r,
/var/lib/flatpak/exports/share/mime/ r,
@{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/#@{int} rwk,
owner @{user_cache_dirs}/kcrash-metadata/ rw,

1
apparmor.d/groups/lxqt/lxqt-session
View file

@ -47,7 +47,6 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) {
@{bin}/xdg-user-dirs-update rPx,
/usr/share/ r,
/usr/share/mime/ r,
/usr/share/cursors/ r,
/usr/share/backintime/common/* r,
/usr/share/desktop-directories/* r,

1
apparmor.d/groups/lxqt/startlxqt
View file

@ -31,7 +31,6 @@ profile startlxqt @{exec_path} {
/usr/share/color-schemes/{,**} r,
/usr/share/desktop-directories/{,**} r,
/usr/share/kservices5/{,**} r,
/usr/share/mime/{,**} r,
/etc/machine-id r,
/etc/xdg/menus/{,**} r,

3
apparmor.d/groups/virt/cni-calico
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/cni/calico /opt/cni/bin/calico
profile cni-calico @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/mime>
capability sys_admin,
capability net_admin,
@ -32,8 +33,6 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
/var/log/calico/cni/ r,
/var/log/calico/cni/*.log rw,
/usr/share/mime/globs2 r,
@{run}/calico/ rw,
@{run}/calico/ipam.lock rwk,
@{run}/netns/cni-@{uuid} r,

1
apparmor.d/groups/virt/k3s
View file

@ -68,7 +68,6 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
/var/lib/rancher/k3s/data/@{hex}/bin/* rix,
@{lib}/kubernetes/kubelet-plugins/volume/exec/{,**} r,
/usr/share/mime/globs2 r,
/etc/machine-id r,
/etc/rancher/{,**} rw,

2
apparmor.d/groups/virt/libvirtd
View file

@ -23,6 +23,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
include <abstractions/consoles>
include <abstractions/devices-usb>
include <abstractions/disks-write>
include <abstractions/mime>
include <abstractions/nameservice-strict>
capability audit_write,
@ -141,7 +142,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
/usr/share/hwdata/* r,
/usr/share/iproute2/{,**} r,
/usr/share/libvirt/{,**} r,
/usr/share/mime/mime.cache r,
/usr/share/misc/pci.ids r,
/usr/share/qemu/{,**} r,

2
apparmor.d/profiles-a-f/evince-thumbnailer
View file

@ -9,10 +9,10 @@ include <tunables/global>
@{exec_path} = @{bin}/evince-thumbnailer
profile evince-thumbnailer @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/mime>
@{exec_path} mr,
/usr/share/mime/mime.cache r,
/usr/share/poppler/{,**} r,
owner @{tmp}/gnome-desktop-file-to-thumbnail.pdf r,

3
apparmor.d/profiles-a-f/fwupd
View file

@ -17,6 +17,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/consoles>
include <abstractions/disks-write>
include <abstractions/fonts>
include <abstractions/mime>
include <abstractions/nameservice-strict>
include <abstractions/sqlite>
@ -57,7 +58,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
/usr/share/fwupd/{,**} r,
/usr/share/hwdata/* r,
/usr/share/libdrm/*.ids r,
/usr/share/mime/mime.cache r,
/usr/share/misc/*.ids r,
/etc/fwupd/{,**} rw,
@ -77,7 +77,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
@{MOUNTDIRS}/*/{,@{efi}/} r,
@{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r,
/var/lib/flatpak/exports/share/mime/mime.cache r,
owner /var/cache/fwupd/ rw,
owner /var/cache/fwupd/** rwk,
owner /var/lib/fwupd/ rw,

2
apparmor.d/profiles-g-l/hugo
View file

@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/hugo
profile hugo @{exec_path} {
include <abstractions/base>
include <abstractions/mime>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
@ -26,7 +27,6 @@ profile hugo @{exec_path} {
@{lib}/go/bin/go rix,
/usr/share/git{,-core}/{,**} r,
/usr/share/mime/{,**} r,
/usr/share/terminfo/** r,
/etc/mime.types r,

11
apparmor.d/profiles-m-r/mimetype
View file

@ -11,22 +11,13 @@ include <tunables/global>
profile mimetype @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
include <abstractions/perl>
@{exec_path} r,
/usr/share/mime/**.xml r,
/usr/share/mime/globs r,
/usr/share/mime/aliases r,
/usr/share/mime/magic r,
# To read files
owner /** r, #aa:lint ignore=too-wide
owner @{user_share_dirs}/mime/**.xml r,
owner @{user_share_dirs}/mime/globs r,
owner @{user_share_dirs}/mime/aliases r,
owner @{user_share_dirs}/mime/magic r,
include if exists <local/mimetype>
}