From 9a658d6ccbd9a690cc93d8d0b77f59e8f544378a Mon Sep 17 00:00:00 2001
From: maplemanuka <149565728+maplemanuka@users.noreply.github.com>
Date: Wed, 1 Nov 2023 07:45:58 +0000
Subject: [PATCH] Create child-gedit

Create a strict skeleton-abstraction for system applications that have wide access (text editors) and then only grant broader file access (in the child profile) based on the application that executed said child profile.
---
 child-gedit | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 child-gedit

diff --git a/child-gedit b/child-gedit
new file mode 100644
index 000000000..c7e56c91a
--- /dev/null
+++ b/child-gedit
@@ -0,0 +1,31 @@
+#vim:syntax=apparmor
+#AppArmor policy abstraction for child profiles of gedit
+#Copyright (C) 2023 Andy Ramos
+#SPDX-License-Identifier: GPL-2.0-only
+
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{bin}/gedit mrix,
+
+ /usr/share/terminfo/x/xterm-256color r,
+
+ owner @{user_config_dirs}/ibus/bus/{,**} r,
+ owner @{user_config_dirs}/gedit/{,**} r,
+ owner @{user_config_dirs}/gedit/accels rw,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ # needed?
+ deny network inet stream,
+
+ deny unix (send, receive, connect)
+ type=stream
+ peer=(addr="@@{user_cache_dirs}/ibus/dbus-*"),
+
+ deny /etc/{fstab,group,machine-id,passwd} r,
+ deny /run/user/@{uid}/bus rw,
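Review bot: The `# needed?` question left over `deny network inet stream,` cannot be answered by running the profile, because a plain `deny` rule is silent and overrides any allow coming from the included abstractions; writing it as `audit deny network inet stream,` while the question is open would log every hit and let the rule be confirmed or dropped before the comment is removed. The same applies to `deny /etc/{fstab,group,machine-id,passwd} r,`: it overrides whatever the included abstractions grant, and a child profile that can no longer read `passwd`/`group` may fail name-service lookups, so an `audit` marker there until confirmed seems prudent. The six `include` lines appear with no target in this rendering; if the abstraction names were lost in transit rather than in the commit, disregard, but as shown they would not parse. A one-line usage comment under the header, stating that this abstraction is meant to be included from the child profile of an application that executes gedit and that `@{bin}/gedit mrix,` keeps gedit inside that child's confinement, would document in the file the design the commit message describes.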