# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only

# Profile for the Totem video player. The main profile confines the player
# itself; a nested child profile (`bwrap`) confines the bubblewrap sandbox it
# spawns for thumbnailing. Rules are grouped by kind: includes, network,
# signals, D-Bus, executables, data paths, then the child profile.
#
# NOTE(review): the angle-bracketed argument of every `abi`, `include` and
# `include if exists` line below was stripped during extraction (rendered as a
# tag). The bare keywords as shown do not parse; restore each target from the
# upstream file before use (e.g. `abi <ABI_PLACEHOLDER>,`,
# `include <ABSTRACTION_PLACEHOLDER>`).

abi ,

include

@{exec_path} = @{bin}/totem
profile totem @{exec_path} flags=(attach_disconnected) {
  # Abstractions pulled in by the main profile (targets lost, see note above).
  include
  include
  include
  include
  include
  include
  include

  network netlink raw,

  # The player may SIGKILL its own sandbox child (peer label totem//bwrap),
  # but nothing else.
  signal (send) set=(kill) peer=totem//bwrap,

  # apparmor.d build-time D-Bus directives: kept byte-identical, the build
  # tooling expands them into dbus rules. The player owns its MPRIS name and
  # talks to Nautilus, GNOME Online Accounts and gvfs on the session bus.
  #aa:dbus own bus=session name=org.mpris.MediaPlayer2.totem
  #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus
  #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon
  #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"

  @{exec_path} mr,

  # bwrap transitions into the local child profile defined at the end of this
  # profile (Cx); the open helper transitions to the separately defined
  # child-open-help profile (Px).
  @{bin}/bwrap rCx -> bwrap,
  @{open_path} rPx -> child-open-help,

  /usr/share/xml/iso-codes/{,**} r,
  /usr/share/grilo-plugins/{,**} r,
  /usr/share/thumbnailers/{,**} r,

  # Media directories are writable only when owned by the user running totem.
  owner @{HOME}/ r,
  owner @{MOUNTS}/ r,
  owner @{user_music_dirs}/{,**} rw,
  owner @{user_pictures_dirs}/{,**} rw,
  owner @{user_torrents_dirs}/{,**} rw,
  owner @{user_videos_dirs}/{,**} rw,

  # Read-only here; the thumbnailer cache is written from the bwrap child.
  owner @{user_cache_dirs}/gnome-desktop-thumbnailer/gstreamer-1.0/{,**} r,

  # Grilo plugin state: directory create/write plus file write, link and lock.
  owner @{user_share_dirs}/grilo-plugins/ rw,
  owner @{user_share_dirs}/grilo-plugins/** rwlk,

  # The seccomp file is also granted to the bwrap child below; presumably it
  # is handed to the sandbox at launch — confirm against the totem sources.
  owner @{tmp}/flatpak-seccomp-@{rand6} rw,
  owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw,

  # gvfs SMB mounts: read-only access to the mounted share contents.
  owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r,
  owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r,

  @{run}/mount/utab r,

  owner @{PROC}/@{pid}/mountinfo r,

  # Explicit deny: gvfs metadata is not needed by the player; presumably this
  # silences audit noise rather than blocking a real access path — verify.
  deny @{user_share_dirs}/gvfs-metadata/* r,

  # Sandbox child: runs bwrap and, inside it, the video thumbnailer.
  profile bwrap flags=(attach_disconnected) {
    # Abstractions for the child profile (targets lost, see note above).
    include
    include
    include
    include
    include

    # NOTE(review): dac_override bypasses DAC permission checks for every file
    # rule in this child profile; confirm bwrap genuinely needs it here and
    # keep the file rules below as tight as they are.
    capability dac_override,

    @{bin}/bwrap mr,
    @{bin}/totem-video-thumbnailer rix,

    owner @{tmp}/flatpak-seccomp-@{rand6} rw,
    owner @{tmp}/gnome-desktop-file-to-thumbnail.* rw,

    # Generated thumbnails land in the user-owned thumbnailer cache.
    owner @{user_cache_dirs}/gnome-desktop-thumbnailer/{,**} rw,

    @{PROC}/sys/vm/mmap_min_addr r,
    # Thread naming only; no other /proc writes are permitted.
    owner @{PROC}/@{pid}/task/@{tid}/comm w,

    /dev/ r,

    # Local override hook for the child profile (target lost in extraction).
    include if exists
  }

  # Local override hook for the main profile (target lost in extraction).
  include if exists
}

# vim:syntax=apparmor