From bb772167f02eeabbad4aa6d820ac145fa4833f19 Mon Sep 17 00:00:00 2001
From: valoq <valoq@mailbox.org>
Date: Fri, 31 May 2024 12:47:01 +0200
Subject: [PATCH] add multiple profiles (#341)

* add multiple profiles
---
 apparmor.d/profiles-a-f/atool                 | 50 +++++++++++++++++++
 apparmor.d/profiles-a-f/exiftool              | 18 +++++++
 apparmor.d/profiles-g-l/highlight             | 22 ++++++++
 .../{groups/apps => profiles-g-l}/imv-wayland |  2 +-
 apparmor.d/profiles-m-r/mediainfo             |  5 +-
 apparmor.d/profiles-m-r/mediainfo-gui         |  4 +-
 .../{groups/apps => profiles-s-z}/zathura     |  2 +-
 7 files changed, 94 insertions(+), 9 deletions(-)
 create mode 100644 apparmor.d/profiles-a-f/atool
 create mode 100644 apparmor.d/profiles-a-f/exiftool
 create mode 100644 apparmor.d/profiles-g-l/highlight
 rename apparmor.d/{groups/apps => profiles-g-l}/imv-wayland (90%)
 rename apparmor.d/{groups/apps => profiles-s-z}/zathura (91%)

diff --git a/apparmor.d/profiles-a-f/atool b/apparmor.d/profiles-a-f/atool
new file mode 100644
index 000000000..3a1177081
--- /dev/null
+++ b/apparmor.d/profiles-a-f/atool
@@ -0,0 +1,50 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 valoq <valoq@mailbox.org>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/atool
+profile atool @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/perl>
+  include <abstractions/user-write-strict>
+
+  @{exec_path} mr,
+
+  @{bin}/7z rix,
+  @{bin}/arc rix,
+  @{bin}/arj rix,
+  @{bin}/bzip2 rix,
+  @{bin}/bzip2 rix,
+  @{bin}/bzip rix,
+  @{bin}/compress rix,
+  @{bin}/cpio rix,
+  @{bin}/gunzip rix,
+  @{bin}/gzip rix,
+  @{bin}/gzip rix,
+  @{bin}/jar rix,
+  @{bin}/lha rix,
+  @{bin}/lrunzip rix,
+  @{bin}/lrzcat rix,
+  @{bin}/lrzip rix,
+  @{bin}/lrz rix,
+  @{bin}/lrztar rix,
+  @{bin}/lrzuntar rix,
+  @{bin}/lzip rix,
+  @{bin}/lzma rix,
+  @{bin}/lzop rix,
+  @{bin}/lzop rix,
+  @{bin}/rar rix,
+  @{bin}/tar rix,
+  @{bin}/unace rix,
+  @{bin}/unrar rix,
+  @{bin}/unxz rix,
+  @{bin}/unzip rix,
+  @{bin}/xz rix,
+  @{bin}/zip rix,
+
+  include if exists <local/atool>
+}
diff --git a/apparmor.d/profiles-a-f/exiftool b/apparmor.d/profiles-a-f/exiftool
new file mode 100644
index 000000000..c21f991c8
--- /dev/null
+++ b/apparmor.d/profiles-a-f/exiftool
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 valoq <valoq@mailbox.org>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/vendor_perl/exiftool
+profile exiftool @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/perl>
+  include <abstractions/user-read-strict>
+
+  @{exec_path} mr,
+
+  include if exists <local/exiftool>
+}
diff --git a/apparmor.d/profiles-g-l/highlight b/apparmor.d/profiles-g-l/highlight
new file mode 100644
index 000000000..4a5ef1402
--- /dev/null
+++ b/apparmor.d/profiles-g-l/highlight
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 valoq <valoq@mailbox.org>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/highlight
+profile highlight @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+  include <abstractions/user-read-strict>
+
+  @{exec_path} mr,
+
+  /etc/machine-id r,
+  /etc/highlight/{,**} r,
+  /usr/share/highlight/{,**} r,
+
+  include if exists <local/highlight>
+}
diff --git a/apparmor.d/groups/apps/imv-wayland b/apparmor.d/profiles-g-l/imv-wayland
similarity index 90%
rename from apparmor.d/groups/apps/imv-wayland
rename to apparmor.d/profiles-g-l/imv-wayland
index 2479e8bfa..6bac7898b 100644
--- a/apparmor.d/groups/apps/imv-wayland
+++ b/apparmor.d/profiles-g-l/imv-wayland
@@ -1,5 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2024 valoq <valoq@mailbox.org>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
diff --git a/apparmor.d/profiles-m-r/mediainfo b/apparmor.d/profiles-m-r/mediainfo
index 788b12455..bd1d1e41a 100644
--- a/apparmor.d/profiles-m-r/mediainfo
+++ b/apparmor.d/profiles-m-r/mediainfo
@@ -10,12 +10,9 @@ include <tunables/global>
 @{exec_path} = @{bin}/mediainfo
 profile mediainfo @{exec_path} {
   include <abstractions/base>
-  include <abstractions/user-download-strict>
+  include <abstractions/user-read-strict>
 
   @{exec_path} mr,
 
-  owner @{user_music_dirs}/** r,
-  owner @{user_videos_dirs}/** r,
-
   include if exists <local/mediainfo>
 }
diff --git a/apparmor.d/profiles-m-r/mediainfo-gui b/apparmor.d/profiles-m-r/mediainfo-gui
index 72dc273a9..4315a8157 100644
--- a/apparmor.d/profiles-m-r/mediainfo-gui
+++ b/apparmor.d/profiles-m-r/mediainfo-gui
@@ -15,14 +15,12 @@ profile mediainfo-gui @{exec_path} {
   include <abstractions/fonts>
   include <abstractions/freedesktop.org>
   include <abstractions/gtk>
-  include <abstractions/user-download-strict>
+  include <abstractions/user-read-strict>
 
   @{exec_path} mr,
 
   @{bin}/xdg-open    rCx -> open,
 
-  owner @{user_music_dirs}/** r,
-  owner @{user_videos_dirs}/** r,
 
   profile open {
     include <abstractions/base>
diff --git a/apparmor.d/groups/apps/zathura b/apparmor.d/profiles-s-z/zathura
similarity index 91%
rename from apparmor.d/groups/apps/zathura
rename to apparmor.d/profiles-s-z/zathura
index 0c86abdee..98f218e13 100644
--- a/apparmor.d/groups/apps/zathura
+++ b/apparmor.d/profiles-s-z/zathura
@@ -1,5 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2024 valoq <valoq@mailbox.org>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,