From ca381c4f0724ad72f726d3b68fbbd5425fd5c595 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 7 Apr 2025 22:20:18 +0200
Subject: [PATCH] feat(profile): update aa-notify for apparmor 4.1

---
 apparmor.d/groups/apparmor/aa-notify | 62 ++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)

diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify
index 53c64daf9..1112af4b1 100644
--- a/apparmor.d/groups/apparmor/aa-notify
+++ b/apparmor.d/groups/apparmor/aa-notify
@@ -11,6 +11,8 @@ profile aa-notify @{exec_path} {
   include
   include
   include
+  include
+  include
   include
   include
 
@@ -22,8 +24,14 @@ profile aa-notify @{exec_path} {
   @{exec_path} mr,
 
+  @{bin}/gtk-launch ix,
+  @{bin}/pkexec Cx -> pkexec,
+  @{bin}/xdg-mime Px,
+  @{open_path} Cx -> open,
+
   @{bin}/ r,
+
   /usr/share/apparmor/** r,
   /usr/share/terminfo/** r,
   @{etc_ro}/inputrc r,
@@ -43,6 +51,60 @@ profile aa-notify @{exec_path} {
   @{PROC}/@{pid}/stat r,
   @{PROC}/@{pid}/cmdline r,
 
+  profile open {
+    include
+    include
+
+    @{editor_ui_path} rPx -> aa-notify//editor,
+
+    include if exists
+  }
+
+  profile editor {
+    include
+    include
+    include
+    include
+    include
+
+    @{editor_ui_path} rix,
+    @{open_path} rPx -> child-open-help,
+
+    /etc/apparmor.d/{,**} r,
+
+    owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw,
+
+    owner @{PROC}/@{pid}/mountinfo r,
+    owner @{PROC}/@{pid}/stat r,
+
+    deny @{user_share_dirs}/gvfs-metadata/* r,
+
+    include if exists
+  }
+
+  profile pkexec {
+    include
+    include
+    include
+
+    ptrace read peer=aa-notify,
+
+    @{bin}/apparmor_parser Px,
+    @{lib}/@{python_name}/site-packages/apparmor/update_profile.py ix,
+
+    /usr/share/apparmor/** r,
+    /usr/share/terminfo/** r,
+
+    @{etc_ro}/inputrc r,
+    @{etc_ro}/inputrc.keys r,
+
+    /etc/apparmor.d/ r,
+    /etc/apparmor.d/** rw,
+    /etc/apparmor/* r,
+
+    include if exists
+  }
+
   include if exists
 }
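Review bot: `@{bin}/gtk-launch ix,` in the second hunk keeps whatever gtk-launch starts inside the aa-notify profile, because `ix` carries the caller's confinement across the exec, while the other new launch paths in the same hunk (`xdg-mime Px`, `@{open_path} Cx -> open`, `pkexec Cx -> pkexec`) each get their own transition. If gtk-launch is only used to open the editor or a file, `@{bin}/gtk-launch Cx -> open,` would route it through the `open` child this commit already defines; if inheritance is intended, a comment above the rule saying what gtk-launch launches here would keep the next reviewer from "fixing" it. The enclosing `profile aa-notify` block starts and ends outside this hunk.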
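Review bot: `/etc/apparmor.d/** rw,` in the new `pkexec` child grants write access to the whole policy tree (abstractions and tunables included), and since `update_profile.py` is run with `ix` the interpreter and anything it spawns keep that access. If the helper only rewrites individual profile files, narrowing the write rule to the paths it actually touches while keeping `/etc/apparmor.d/** r,` for reads would limit what a bug in the helper could change; either way a short comment such as `# update_profile.py rewrites profiles for the notification's "Allow" action (root via pkexec)` would document why this child is the only writable one, and the read-only `/etc/apparmor.d/{,**} r,` in the `editor` child deserves a matching comment so the split is not undone later. `ptrace read peer=aa-notify,` is presumably pkexec inspecting its parent's /proc state; confirm that read is all it needs. The hunk's trailing `include if exists` and closing brace belong to the enclosing `profile aa-notify`, whose header is outside the hunk.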