# apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov # SPDX-License-Identifier: GPL-2.0-only abi , include @{exec_path} = @{bin}/gpodder profile gpodder @{exec_path} { include include include include include include include include include include network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, @{exec_path} r, @{bin}/python3.@{int} r, @{bin}/ r, @{bin}/{,ba,da}sh rix, @{bin}/uname rix, owner @{HOME}/ r, owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, /usr/share/gpodder/{,**} r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, /etc/fstab r, owner /var/tmp/etilqs_@{hex} rw, /etc/mime.types r, /usr/share/*/*.desktop r, @{bin}/xdg-settings rPUx, @{bin}/xdg-open rCx -> open, @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, # A/V players @{bin}/smplayer rPUx, @{bin}/vlc rPUx, @{bin}/mpv rPUx, # Open in a web browser @{lib}/firefox/firefox rPUx, # file_inherit owner /dev/tty@{int} rw, profile open { include include @{bin}/xdg-open mr, @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, @{bin}/{,ba,da}sh rix, @{bin}/{m,g,}awk rix, @{bin}/readlink rix, @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, } include if exists }