diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default
index 48c98fbbc..386b4f7fb 100644
--- a/apparmor.d/groups/_full/default
+++ b/apparmor.d/groups/_full/default
@@ -55,9 +55,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{bin}/more rPx -> child-pager,
 @{bin}/pager rPx -> child-pager,
- @{bin}/exo-open rPx -> child-open,
- @{bin}/xdg-open rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
+ @{open_path} rPx -> child-open,
 audit @{bin}/** Pix,
 audit @{lib}/** Pix,
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 75da1e051..bad8a4373 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -106,15 +106,12 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 @{lib}/mozilla/plugins/libvlcplugin.so mr,
 # Desktop integration
- @{bin}/exo-open rPx -> child-open,
 @{bin}/gnome-software rPx,
 @{bin}/kreadconfig5 rix,
 @{bin}/lsb_release rPx -> lsb_release,
 @{bin}/update-mime-database rPx,
- @{bin}/xdg-open rPx -> child-open,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
 @{lib}/gvfsd-metadata rPx,
+ @{open_path} rPx -> child-open,
 # Common extensions
 /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index 683bfdd4e..9804a7988 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -71,9 +71,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 @{bin}/snap rPUx,
 @{bin}/kreadconfig5 rPx,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
 @{lib}/xdg-desktop-portal-validate-icon rPUx,
+ @{open_path} rPx -> child-open,
 / r,
 /.flatpak-info r,
diff --git a/apparmor.d/groups/gnome/gnome-disks b/apparmor.d/groups/gnome/gnome-disks
index 9afb3f4bd..348c47b35 100644
--- a/apparmor.d/groups/gnome/gnome-disks
+++ b/apparmor.d/groups/gnome/gnome-disks
@@ -19,8 +19,7 @@ profile gnome-disks @{exec_path} {
 @{exec_path} mr,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
+ @{open_path} rPx -> child-open,
 owner @{user_cache_dirs}/gnome-disks/{,**} rw,
diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect
index 600a928a0..7340b4e25 100644
--- a/apparmor.d/groups/gnome/gnome-extension-gsconnect
+++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect
@@ -44,8 +44,7 @@ profile gnome-extension-gsconnect @{exec_path} {
 @{lib}/gio/modules/*.so* rm,
 @{lib}/girepository-1.0/* r,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
+ @{open_path} rPx -> child-open,
 @{share_dirs}/{,**} r,
 @{share_dirs}/gsconnect-preferences rix,
diff --git a/apparmor.d/groups/gnome/gnome-extension-manager b/apparmor.d/groups/gnome/gnome-extension-manager
index 102a8e37f..115fab059 100644
--- a/apparmor.d/groups/gnome/gnome-extension-manager
+++ b/apparmor.d/groups/gnome/gnome-extension-manager
@@ -32,12 +32,9 @@ profile gnome-extension-manager @{exec_path} {
 @{bin}/gjs-console rix,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
+ @{open_path} rPx -> child-open,
 /usr/share/gnome-shell/org.gnome.Shell.Extensions r,
- /usr/share/themes/{,**} r,
- /usr/share/X11/xkb/{,**} r,
 @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
 owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app
index a6631d7ba..9934ec74e 100644
--- a/apparmor.d/groups/gnome/gnome-extensions-app
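Review bot: The gnome-extension-manager hunk also drops `/usr/share/themes/{,**} r,` and `/usr/share/X11/xkb/{,**} r,`, which has nothing to do with replacing the gio-launch-desktop rules with `@{open_path}`. If those reads are now provided by an abstraction included elsewhere in the profile, that is not visible in this hunk; otherwise the change reintroduces denials for theme and keymap lookups. Either keep the two lines here or move their removal to a separate commit that states why they are no longer needed.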
+++ b/apparmor.d/groups/gnome/gnome-extensions-app
@@ -25,8 +25,7 @@ profile gnome-extensions-app @{exec_path} {
 @{bin}/{,ba,da}sh rix,
 @{bin}/gjs-console rix,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
+ @{open_path} rPx -> child-open,
 /usr/share/gnome-shell/org.gnome.Extensions* r,
 /usr/share/icu/@{int}.@{int}/*.dat r,
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index bc31827ad..580e2fd39 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -38,9 +38,8 @@ profile gnome-software @{exec_path} {
 @{bin}/gpg{,2} rCx -> gpg,
 @{bin}/gpgconf rCx -> gpg,
 @{bin}/gpgsm rCx -> gpg,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
 @{lib}/revokefs-fuse rix,
+ @{open_path} rPx -> child-open,
 /usr/share/app-info/{,**} r,
 /usr/share/appdata/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server
index 3be34aeef..e8d3aa4e0 100644
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@@ -46,8 +46,7 @@ profile gnome-terminal-server @{exec_path} {
 @{bin}/micro rPUx,
 @{bin}/nvtop rPx,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
+ @{open_path} rPx -> child-open,
 /usr/share/icu/@{int}.@{int}/*.dat r,
 /usr/share/sounds/{,**} r,
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
index 5a5fc4732..5fb5ff59b 100644
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@@ -88,8 +88,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
+ @{open_path} rPx -> child-open,
 /usr/share/dconf/profile/gdm r,
 /usr/share/gdm/greeter-dconf-defaults r,
diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx
index 9256d197c..e38a029db 100644
--- a/apparmor.d/groups/gnome/kgx
+++ b/apparmor.d/groups/gnome/kgx
@@ -34,8 +34,7 @@ profile kgx @{exec_path} {
 @{bin}/micro rPUx,
 @{bin}/nvtop rPx,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
+ @{open_path} rPx -> child-open,
 owner /tmp/#@{int} rw,
diff --git a/apparmor.d/groups/whonix/torbrowser b/apparmor.d/groups/whonix/torbrowser
index e941fb927..1c8755fbb 100644
--- a/apparmor.d/groups/whonix/torbrowser
+++ b/apparmor.d/groups/whonix/torbrowser
@@ -54,11 +54,8 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
 @{lib_dirs}/vaapitest rPx -> torbrowser-vaapitest,
 # Desktop integration
- @{bin}/exo-open rPx -> child-open,
- @{bin}/lsb_release rPx -> lsb_release,
- @{bin}/xdg-open rPx -> child-open,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
+ @{bin}/lsb_release rPx -> lsb_release,
+ @{open_path} rPx -> child-open,
 /usr/share/@{name}/{,**} r,
 /usr/share/doc/{,**} r,
diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman
index 30e3323cf..35b01763a 100644
--- a/apparmor.d/profiles-a-f/blueman
+++ b/apparmor.d/profiles-a-f/blueman
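Review bot: In the torbrowser hunk `@{bin}/lsb_release rPx -> lsb_release,` is removed and re-added byte-identical, so the diff records a no-op for that rule; the thunderbird hunk later in this patch does the same. Leaving that line untouched and inserting `@{open_path} rPx -> child-open,` after it yields the same file with a smaller diff and keeps the history of the lsb_release rule intact.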
@@ -33,10 +33,8 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
 @{bin}/{b,d}ash rix,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
- @{bin}/blueman-tray rPx,
+ @{open_path} rPx -> child-open,
 /usr/share/blueman/{,**} r,
 /usr/share/X11/xkb/{,**} r,
diff --git a/apparmor.d/profiles-a-f/code b/apparmor.d/profiles-a-f/code
index f9ea28a46..250c6777f 100644
--- a/apparmor.d/profiles-a-f/code
+++ b/apparmor.d/profiles-a-f/code
@@ -40,14 +40,11 @@ profile code flags=(attach_disconnected) {
 @{lib}/code/node_modules.asar.unpacked/**.node rm,
 # Core tools
- @{bin}/gio rPx -> child-open,
 @{bin}/git rPx,
 @{bin}/gpg{,2} rPx,
 @{bin}/lsb_release rPx -> lsb_release,
 @{bin}/rg rix,
- @{bin}/xdg-open rPx -> child-open,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
+ @{open_path} rPx -> child-open,
 # The shell is not confined on purpose.
 @{bin}/{,b,d,rb}ash rUx,
diff --git a/apparmor.d/profiles-a-f/element b/apparmor.d/profiles-a-f/element
index 871b33fec..1620402e2 100644
--- a/apparmor.d/profiles-a-f/element
+++ b/apparmor.d/profiles-a-f/element
@@ -42,9 +42,7 @@ profile element @{exec_path} {
 @{lib}/element/{,**} r,
 @{lib}/element/app.asar.unpacked/node_modules/**.node mr,
- @{bin}/xdg-open rPx -> child-open,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
+ @{open_path} rPx -> child-open,
 /opt/intel/oneapi/{compiler,lib,mkl}/**/ r,
 /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr,
diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa
index 1a68da439..be9d5f37e 100644
--- a/apparmor.d/profiles-a-f/engrampa
+++ b/apparmor.d/profiles-a-f/engrampa
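Review bot: The blueman hunk removes `@{bin}/blueman-tray rPx,` together with the gio-launch-desktop rules, but blueman-tray is not one of the helpers folded into `@{open_path}` (the tunable added at the end of this patch lists only exo-open, xdg-open and the two gio-launch-desktop paths), so the exec transition to blueman-tray is silently lost. The code hunk has the same gap: `@{bin}/gio rPx -> child-open,` is removed and `@{bin}/gio` is not covered by the new tunable either, so unless another rule in that profile matches it, launching via gio will be denied. Keep both lines next to the new `@{open_path}` rule, or, if the removals are intended, make them a separate commit with a rationale.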
@@ -64,8 +64,7 @@ profile engrampa @{exec_path} {
 # For deb packages
 @{bin}/dpkg-deb rix,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- @{bin}/xdg-open rPx -> child-open,
+ @{open_path} rPx -> child-open,
 # Allowed apps to open
 @{bin}/engrampa rPx,
diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince
index d21bbed9e..a060505ec 100644
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@@ -37,8 +37,7 @@ profile evince @{exec_path} {
 @{bin}/{,ba,da}sh rix,
 @{bin}/gio-launch-desktop rPx,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
+ @{open_path} rPx -> child-open,
 /usr/share/djvu/{,**} r,
 /usr/share/evince/{,**} r,
diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller
index 8e03473a4..70db0a2fb 100644
--- a/apparmor.d/profiles-a-f/file-roller
+++ b/apparmor.d/profiles-a-f/file-roller
@@ -41,8 +41,7 @@ profile file-roller @{exec_path} {
 @{bin}/zstd rix,
 @{lib}/p7zip/7z rix,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
+ @{open_path} rPx -> child-open,
 /usr/share/themes/{,**} r,
 /usr/share/X11/xkb/{,**} r,
diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin
index b274aea93..3f8f00ea0 100644
--- a/apparmor.d/profiles-g-l/gpartedbin
+++ b/apparmor.d/profiles-g-l/gpartedbin
@@ -67,10 +67,7 @@ profile gpartedbin @{exec_path} {
 @{bin}/tune2fs rPx,
 @{bin}/xfs_io rPUx,
- @{bin}/xdg-open rPx -> child-open,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
-
+ @{open_path} rPx -> child-open,
 @{HOME}/.Xauthority r,
 owner @{HOME}/*.htm w,
diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc
index e4ce3217f..6794e7a0d 100644
--- a/apparmor.d/profiles-g-l/keepassxc
+++ b/apparmor.d/profiles-g-l/keepassxc
@@ -42,8 +42,8 @@ profile keepassxc @{exec_path} {
 # Allowed apps to open
 @{bin}/geany rPUx,
- @{bin}/xdg-open rCx -> child-open,
 @{lib}/firefox/firefox rPx,
+ @{open_path} rPx -> child-open,
 /usr/share/hwdata/pnp.ids r,
 /usr/share/keepassxc/{,**} r,
diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent
index 25409ce01..cd562f2cc 100644
--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
@@ -92,7 +92,7 @@ profile qbittorrent @{exec_path} {
 @{exec_path} mr,
- @{bin}/xdg-{open,mime} rPx -> child-open,
+ @{open_path} rPx -> child-open,
 @{bin}/python3.[0-9]* rCx -> python, # For "search engine"
 # Allowed apps to open
diff --git a/apparmor.d/profiles-m-r/qpdfview b/apparmor.d/profiles-m-r/qpdfview
index 627763e9c..dddba4ab1 100644
--- a/apparmor.d/profiles-m-r/qpdfview
+++ b/apparmor.d/profiles-m-r/qpdfview
@@ -30,8 +30,8 @@ profile qpdfview @{exec_path} {
 @{bin}/bzip2 rix,
 @{bin}/xz rix,
- @{bin}/xdg-open rPx -> child-open,
 @{lib}/firefox/firefox rPUx,
+ @{open_path} rPx -> child-open,
 /usr/share/hwdata/pnp.ids r,
 /usr/share/poppler/** r,
diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify
index c6fb08efd..31b1d08a2 100644
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@@ -38,9 +38,7 @@ profile spotify @{exec_path} {
 @{lib_dirs}/{,**} r,
 @{lib_dirs}/*.so* mr,
- @{bin}/xdg-open rPx -> child-open,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
+ @{open_path} rPx -> child-open,
 /etc/libva.conf r,
 /etc/machine-id r,
diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing
index 28d4e6b62..e58584a55 100644
--- a/apparmor.d/profiles-s-z/syncthing
+++ b/apparmor.d/profiles-s-z/syncthing
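Review bot: The keepassxc hunk changes the transition mode, not just the path: `@{bin}/xdg-open rCx -> child-open,` (a child profile local to keepassxc) becomes `@{open_path} rPx -> child-open,` (the global child-open profile). A `Cx` target has to be defined inside the keepassxc profile, so if that local `profile child-open` block still exists outside this hunk it is now unreferenced and should be removed, or the new rule should stay `rCx`; and if the local child was tighter than the global one, the switch also widens what an opened handler may do. Either outcome deserves a sentence in the commit message.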
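Review bot: The qbittorrent hunk replaces `@{bin}/xdg-{open,mime} rPx -> child-open,` with `@{open_path} rPx -> child-open,`, but `@{open_path}` as defined in tunables/multiarch.d/paths does not contain xdg-mime, so qbittorrent loses its exec transition for xdg-mime and, unless another rule in the profile matches it, that call will be denied. Keep `@{bin}/xdg-mime rPx -> child-open,` alongside the new rule, or add xdg-mime to the tunable if every consumer is meant to get it.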
@@ -21,7 +21,7 @@ profile syncthing @{exec_path} {
 @{exec_path} mrix,
- @{bin}/xdg-open rPx -> child-open,
+ @{open_path} rPx -> child-open,
 @{bin}/ip rix,
 /usr/share/mime/{,*} r,
diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird
index 60394bbcb..f2ee64729 100644
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@@ -80,11 +80,8 @@ profile thunderbird @{exec_path} {
 @{bin}/gpgsm rPx,
 # Desktop integration
- @{bin}/exo-open rPx -> child-open,
- @{bin}/lsb_release rPx -> lsb_release,
- @{bin}/xdg-open rPx -> child-open,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
+ @{bin}/lsb_release rPx -> lsb_release,
+ @{open_path} rPx -> child-open,
 # Allowed apps to open
 @{bin}/engrampa rPx,
diff --git a/apparmor.d/profiles-s-z/transmission-gtk b/apparmor.d/profiles-s-z/transmission-gtk
index e28ce51d9..b4562c1d8 100644
--- a/apparmor.d/profiles-s-z/transmission-gtk
+++ b/apparmor.d/profiles-s-z/transmission-gtk
@@ -33,8 +33,7 @@ profile transmission-gtk @{exec_path} {
 @{exec_path} mr,
- @{bin}/xdg-open rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
+ @{open_path} rPx -> child-open,
 /usr/share/X11/xkb/{,**} r,
diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter
index 48e805897..c7edccdde 100644
--- a/apparmor.d/profiles-s-z/vidcutter
+++ b/apparmor.d/profiles-s-z/vidcutter
@@ -38,8 +38,7 @@ profile vidcutter @{exec_path} {
 @{bin}/ffprobe rPx,
 @{bin}/mediainfo rPx,
- @{bin}/xdg-open rPx -> child-open,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+ @{open_path} rPx -> child-open,
 /usr/share/hwdata/pnp.ids r,
 /usr/share/qt5ct/** r,
diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager
index 3c2d2cd31..715e4e5e8 100644
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@@ -49,8 +49,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
 @{bin}/ssh rPx,
 @{lib}/spice-client-glib-usb-acl-helper rPx,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
+ @{open_path} rPx -> child-open,
 /usr/share/egl/{,**} r,
 /usr/share/gtksourceview-4/{,**} r,
diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths
index f93b11c3f..1266956f2 100644
--- a/apparmor.d/tunables/multiarch.d/paths
+++ b/apparmor.d/tunables/multiarch.d/paths
@@ -31,3 +31,9 @@
 @{thunderbird_name} = thunderbird{,-bin}
 @{thunderbird_lib_dirs} = @{lib}/@{thunderbird_name}
 @{thunderbird_path} = @{bin}/@{thunderbird_name} @{thunderbird_lib_dirs}/@{thunderbird_name}
+
+ # Open
+
+ @{open_path} = @{bin}/exo-open @{bin}/xdg-open
+ @{open_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop @{lib}/gio-launch-desktop
+
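Review bot: The new `# Open` header in tunables/multiarch.d/paths says nothing about what `@{open_path}` is for or how it must be used, even though every consumer in this patch now grants all four helpers regardless of which subset it allowed before, and that widening is only acceptable because each rule transitions into the confined `child-open` profile. Suggest `# Open: helpers that open a file or URL with its default handler. Always pair with: @{open_path} rPx -> child-open,` so future profiles do not combine the tunable with rix or rPUx. The final added line is empty and, if this hunk ends the file, leaves a trailing blank line behind.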