refractor(abs): move common and app abstraction to their own abstractions subfolder.

As the number of abstraction is increasing, it is valuable to separate "base" abstractions to programs specific ones.

apparmor.d/abstractions/app/chromium

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 
 # For chromium based browser. If your application requires chromium to run
-# (like electron) use abstractions/chromium-common instead.
+# (like electron) use abstractions/common/chromium instead.
 
 # This abstraction requires the following variables definied in the profile header:
 # @{name} = chromium
@@ -209,4 +209,4 @@
   deny @{lib_dirs}/** w,
   deny @{user_share_dirs}/gvfs-metadata/* r,
 
-  include if exists <abstractions/chromium.d>
+  include if exists <abstractions/app/chromium.d>

apparmor.d/abstractions/app/sudo

@@ -64,4 +64,4 @@
 
   deny @{user_share_dirs}/gvfs-metadata/* r,
 
-  include if exists <abstractions/sudo.d>
+  include if exists <abstractions/app/sudo.d>

apparmor.d/abstractions/app/systemctl

@@ -2,6 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+  include <abstractions/bus-system>
   include <abstractions/consoles>
 
   ptrace (read) peer=@{systemd},
@@ -24,4 +25,4 @@
     owner @{PROC}/@{pid}/fd/ r,
     owner @{PROC}/@{pid}/stat r,
 
-  include if exists <abstractions/systemctl.d>
+  include if exists <abstractions/app/systemctl.d>

apparmor.d/abstractions/common/app

@@ -13,9 +13,6 @@
   include <abstractions/bus-session>
   include <abstractions/bus-system>
   include <abstractions/bus/org.a11y>
-  include <abstractions/bus/org.freedesktop.Avahi>
-  include <abstractions/bus/org.freedesktop.NetworkManager>
-  include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/consoles>
   include <abstractions/deny-sensitive-home>
   include <abstractions/desktop>
@@ -55,8 +52,7 @@
   owner @{run}/user/@{uid}/{,**} rw,
   owner @{user_config_dirs}/** rwkl,
   owner @{user_share_dirs}/** rwkl,
-
-  @{user_games_dirs}/{,**} rm,
+  owner @{user_games_dirs}/{,**} rm,
 
   owner /tmp/** rmwk,
   owner /dev/shm/** rwlk -> /dev/shm/**,
@@ -114,4 +110,4 @@
   /dev/pts/ptmx rw,
   /dev/tty rw,
 
-  include if exists <abstractions/bwrap-app.d>
+  include if exists <abstractions/common/app.d>

apparmor.d/abstractions/common/apt

@@ -25,7 +25,7 @@
   /var/lib/dpkg/status r,
   /var/lib/ubuntu-advantage/apt-esm/{,**} r,
 
-  owner /tmp/clearsigned.message.* rw,
   owner /tmp/#@{int} rw,
+  owner /tmp/clearsigned.message.* rw,
 
-  include if exists <abstractions/apt-common.d>
+  include if exists <abstractions/common/apt.d>

apparmor.d/abstractions/common/bwrap

@@ -51,4 +51,4 @@
   owner @{PROC}/@{pid}/setgroups rw,
   owner @{PROC}/@{pid}/uid_map rw,
 
-  include if exists <abstractions/bwrap.d>
+  include if exists <abstractions/common/bwrap.d>

apparmor.d/abstractions/common/chromium

@@ -0,0 +1,40 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Mikhail Morfikov
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# This abstraction is for chromium based application. Chromium based browsers
+# need to use abstractions/chromium instead.
+
+  # userns,
+
+  # Only needed when kernel.unprivileged_userns_clone is set to "1"
+  capability sys_admin,
+  capability sys_chroot,
+  capability setuid,
+  capability setgid,
+  owner @{PROC}/@{pid}/setgroups w,
+  owner @{PROC}/@{pid}/gid_map w,
+  owner @{PROC}/@{pid}/uid_map w,
+
+  owner @{HOME}/.pki/ rw,
+  owner @{HOME}/.pki/nssdb/ rw,
+  owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
+  owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
+  owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
+
+  owner @{user_share_dirs}/.org.chromium.Chromium.* rw,
+
+        /tmp/ r,
+        /var/tmp/ r,
+  owner /tmp/.org.chromium.Chromium.* rw,
+  owner /tmp/.org.chromium.Chromium.*/{,**} rw,
+  owner /tmp/scoped_dir*/ rw,
+  owner /tmp/scoped_dir*/SingletonCookie w,
+  owner /tmp/scoped_dir*/SingletonSocket w,
+  owner /tmp/scoped_dir*/SS w,
+
+        /dev/shm/ r,
+  owner /dev/shm/.org.chromium.Chromium.* rw,
+
+  include if exists <abstractions/common/chromium.d>

apparmor.d/abstractions/common/systemd

@@ -18,4 +18,4 @@
 
   /dev/kmsg w,
 
-  include if exists <abstractions/systemd-common.d>
+  include if exists <abstractions/common/systemd.d>