feat(profiles): ensure child-open is available.

2023-09-10 12:10:14 +01:00 · 2023-09-10 12:10:14 +01:00 · e381aace56
commit e381aace56
parent 3147f7d59a
7 changed files with 17 additions and 43 deletions
--- a/apparmor.d/profiles-a-f/blueman
+++ b/apparmor.d/profiles-a-f/blueman
@ -32,10 +32,11 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mrix,

  @{bin}/{b,d}ash            rix,
-  @{lib}/gio-launch-desktop  rix,
+
+  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
+  @{lib}/gio-launch-desktop                           rPx -> child-open,

  @{bin}/blueman-tray  rPx,
-  @{bin}/xdg-open      rCx -> open,

  /usr/share/blueman/{,**} r,
  /usr/share/X11/xkb/{,**} r,
@ -71,37 +72,5 @@ profile blueman @{exec_path} flags=(attach_disconnected) {

  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,

-  profile open {
-    include <abstractions/base>
-    include <abstractions/xdg-open>
-
-    @{bin}/xdg-open mr,
-
-    @{bin}/{,ba,da}sh      rix,
-    @{bin}/basename        rix,
-    @{bin}/dbus-send       rix,
-    @{bin}/file            rix,
-    @{bin}/{m,g,}awk       rix,
-    @{bin}/mimetype        rix,
-    @{bin}/readlink        rix,
-    @{bin}/uname           rix,
-    @{bin}/xprop           rix,
-
-    # Allowed apps to open
-    @{lib}/firefox/firefox rPx,
-    @{bin}/spacefm         rPx,
-
-    /usr/share/perl5/** r,
-
-    /etc/magic r,
-
-    owner @{HOME}/ r,
-    owner @{HOME}/bluetooth*/* r,
-    owner @{HOME}/.xsession-errors w,
-
-    owner @{run}/user/@{uid}/ r,
-
-  }
-
  include if exists <local/blueman>
 }
--- a/apparmor.d/profiles-a-f/code
+++ b/apparmor.d/profiles-a-f/code
@ -40,13 +40,14 @@ profile code flags=(attach_disconnected) {
  @{lib}/code/node_modules.asar.unpacked/**.node rm,

  # Core tools
+  @{bin}/gio                    rPx -> child-open,
  @{bin}/git                    rPx,
-  @{bin}/rg                     rix,
  @{bin}/gpg{,2}                rPx,
  @{bin}/lsb_release            rPx -> lsb_release,
-  @{bin}/gio                    rPx -> child-open,
-  @{lib}/gio-launch-desktop     rPx -> child-open,
+  @{bin}/rg                     rix,
  @{bin}/xdg-open               rPx -> child-open,
+  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
+  @{lib}/gio-launch-desktop                           rPx -> child-open,

  # The shell is not confined on purpose.
  @{bin}/{,b,d,rb}ash         rUx,