# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# This profile is designed to be used in a child profile to limit what
# confined application can invoke via open helper.

# This version of child-open allows to open any programs.

abi <abi/4.0>,

include <tunables/global>

profile child-open-any flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
  include <abstractions/app/open>

  @{bin}/**                     PUx,
  @{lib}/**                     PUx,
  @{user_bin_dirs}/**           PUx,
  /opt/*/**                     PUx,
  /usr/local/bin/**             PUx,
  /usr/share/**                 PUx,

  @{bin}/                       r,
  @{user_bin_dirs}/             r,
  /                             r,
  /usr/                         r,
  /usr/local/bin/               r,

  include if exists <usr/child-open-any.d>
  include if exists <local/child-open-any>
}

# vim:syntax=apparmor