diff --git a/apparmor.d/groups/browsers/ephy-profile-migrator b/apparmor.d/groups/browsers/ephy-profile-migrator
new file mode 100644
index 000000000..1ec92c1b0
--- /dev/null
+++ b/apparmor.d/groups/browsers/ephy-profile-migrator
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/epiphany/ephy-profile-migrator
+profile ephy-profile-migrator @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ owner @{user_cache_dirs}/epiphany/** rw,
+ owner @{user_config_dirs}/epiphany/{,**} rw,
+ owner @{user_share_dirs}/epiphany/.migrated{,.@{rand6}} rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany
new file mode 100644
index 000000000..8809be131
--- /dev/null
+++ b/apparmor.d/groups/browsers/epiphany
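Review bot: The cache rule `owner @{user_cache_dirs}/epiphany/** rw,` covers the tree below epiphany/ but not the directory entry itself, whereas the config rule right after it uses `{,**}`; if the migrator ever has to create the cache directory, that mkdir would be denied. For consistency with the neighbouring rule, `owner @{user_cache_dirs}/epiphany/{,**} rw,` seems to be the intended form. The targets of the `abi` and `include` directives show up empty in this rendering, presumably because the angle-bracketed paths were dropped by extraction rather than missing from the committed file; worth a quick check that the file on disk carries them.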
@@ -0,0 +1,74 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/epiphany
+profile epiphany @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability dac_override,
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+ network netlink raw,
+
+ mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info,
+
+ @{exec_path} mr,
+
+ @{bin}/bwrap rix,
+ @{bin}/xdg-dbus-proxy rix,
+ @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix,
+
+ owner /bindfile@{rand6} rw,
+ owner /.flatpak-info r,
+
+ owner @{user_config_dirs}/glib-2.0/ w,
+ owner @{user_config_dirs}/glib-2.0/settings/ w,
+
+ owner @{tmp}/epiphany-*-@{rand6}/{,**} rw,
+ owner @{tmp}/Serialized@{rand9} rw,
+ owner @{tmp}/WebKit-Media-@{rand6} rw,
+
+ owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw,
+ owner @{run}/user/@{uid}/.flatpak/ w,
+ owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw,
+ owner @{run}/user/@{uid}/webkitgtk/ w,
+ owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw,
+ owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw,
+ owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw,
+
+ @{sys}/devices/virtual/dmi/id/chassis_type r,
+ @{sys}/firmware/acpi/pm_profile r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Epiphany-@{int}.scope/memory.* r,
+
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
+ @{PROC}/zoneinfo r,
+ owner @{PROC}/@{pid}/smaps r,
+ owner @{PROC}/@{pid}/statm r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ deny @{user_share_dirs}/gvfs-metadata/* r,
+
+ /dev/video@{int} rw,
+
+ include if exists
+}
\ No newline at end of file
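Review bot: `capability dac_override,` is granted with no comment recording which access needs it; in a browser profile this lets the process ignore file permission bits on every path the other rules already allow, so the denial it resolves should be named next to the rule, e.g. `# dac_override: needed for <ACCESS — fill in from the audit log>`. The same goes for `@{bin}/bwrap rix,` and `@{bin}/xdg-dbus-proxy rix,`: with `ix` the sandbox helpers and the mount/bindfile rules above run under the epiphany profile itself, and if the repository already ships dedicated profiles for those helpers a profile transition would keep the sandbox setup confined on its own — worth confirming against the project's convention for other WebKitGTK consumers. The profile is new, so there is no prior behaviour to regress; these are the two rules I would want justified before the profile leaves complain mode.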
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 976dcad5b..6d69b629f 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -98,6 +98,8 @@ dpkg-genbuildinfo complain
 drkonqi complain
 drkonqi-coredump-cleanup complain
 drkonqi-coredump-processor complain
+ephy-profile-migrator complain
+epiphany attach_disconnected,complain
 epiphany-search-provider complain
 epiphany-webapp-provider complain
 evolution-user-prompter complain
@@ -396,4 +398,3 @@ xsettingsd complain
 xwaylandvideobridge complain
 YACReader attach_disconnected,mediate_deleted,complain
 YACReaderLibrary attach_disconnected,mediate_deleted,complain
-