From c391bdefc18aaf093bce4ae2ecd55cf54d417a5f Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 6 Apr 2025 15:49:15 +0200
Subject: [PATCH] feat(tunable): add editor_ui variables.

---
 apparmor.d/groups/children/child-open-editor | 28 ++++++++++++++++++++
 apparmor.d/tunables/multiarch.d/paths        |  3 ++-
 apparmor.d/tunables/multiarch.d/programs     |  3 ++-
 3 files changed, 32 insertions(+), 2 deletions(-)
 create mode 100644 apparmor.d/groups/children/child-open-editor

diff --git a/apparmor.d/groups/children/child-open-editor b/apparmor.d/groups/children/child-open-editor
new file mode 100644
index 000000000..16d3dc868
--- /dev/null
+++ b/apparmor.d/groups/children/child-open-editor
@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# This profile is designed to be used in a child profile to limit what
+# confined application can invoke via open helper.
+
+# This version of child-open only allow to open text editor.
+
+# Note: This profile does not specify an attachment path because it is
+# intended to be used only via "Px -> child-open-browsers" exec transitions
+# from other profiles.
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile child-open-editor flags=(attach_disconnected,mediate_deleted) {
+  include <abstractions/base>
+  include <abstractions/app/open>
+
+  @{editor_ui_path}              PUx,
+
+  include if exists <usr/child-open-editor.d>
+  include if exists <local/child-open-editor>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths
index eedf07033..733f8925c 100644
--- a/apparmor.d/tunables/multiarch.d/paths
+++ b/apparmor.d/tunables/multiarch.d/paths
@@ -38,8 +38,9 @@
 @{open_path} += @{lib}/gio-launch-desktop
 @{open_path} += @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop
 
-# Editor
+# Editors
 @{editor_path} = @{bin}/@{editor_names}
+@{editor_ui_path} = @{bin}/@{editor_ui_names}
 
 # Pager
 @{pager_path} = @{bin}/@{pager_names}
diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs
index 8d2c5eff8..3611178a2 100644
--- a/apparmor.d/tunables/multiarch.d/programs
+++ b/apparmor.d/tunables/multiarch.d/programs
@@ -32,8 +32,9 @@
 # Open
 @{open_names} = exo-open xdg-open gio kde-open gio-launch-desktop
 
-# Editor
+# Editors
 @{editor_names} = sensible-editor vim{,.*} vimtutor vim-nox11 nvim nano
+@{editor_ui_names} = gnome-text-editor gedit mousepad
 
 # Pager
 @{pager_names} = sensible-pager pager less more nvimpager