# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only

# Profile for aa-notify, the AppArmor desktop notification helper.
# NOTE(review): the source as captured here has lost the angle-bracketed
# targets of every `abi` and `include` statement (e.g. `abi ,` and bare
# `include` lines below). As written they do not parse; restore the targets
# from the upstream file before loading this policy.

# abi target lost in extraction — see note above.
abi ,

# include target lost in extraction (global tunables are normally pulled in here).
include

@{exec_path} = @{bin}/aa-notify
profile aa-notify @{exec_path} {
  # Seven abstraction includes; their targets were lost in extraction.
  include
  include
  include
  include
  include
  include
  include

  # Privilege-changing capabilities plus ptrace: together with the
  # non-`owner` @{PROC}/@{pid}/{stat,cmdline} reads further down, this lets
  # the program inspect processes it does not own. Presumably needed to map
  # pids from the audit log to command names — verify against the tool.
  capability setgid,
  capability setuid,
  capability sys_ptrace,

  ptrace read,

  @{exec_path} mr,

  # Child transitions. `Cx -> pkexec` and `Cx -> open` confine the helpers
  # in the subprofiles defined below; xdg-mime gets its own system profile.
  @{bin}/gtk-launch ix,
  @{bin}/pkexec Cx -> pkexec,
  @{bin}/xdg-mime Px,
  @{open_path} Cx -> open,

  @{bin}/ r,
  /usr/share/apparmor/** r,
  /usr/share/terminfo/** r,

  @{etc_ro}/inputrc r,
  @{etc_ro}/inputrc.keys r,
  # Read-only view of the installed policy (write access is only granted in
  # the pkexec subprofile).
  /etc/apparmor.d/{,**} r,
  /etc/apparmor/*.conf r,

  # The audit log is the data source for the notifications.
  /var/log/audit/audit.log r,

  owner @{HOME}/.inputrc r,
  owner @{HOME}/.terminfo/@{int}/dumb r,

  # NOTE(review): `@{tmp}/@{word8} rw` is a broad pattern — it matches any
  # user-owned eight-character name under @{tmp}, not just this tool's files.
  # If the actual temp-file name is known, a tighter pattern is preferable.
  owner @{tmp}/@{word8} rw,
  owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,

  # Not `owner`-restricted: covers processes of other users (see ptrace above).
  @{PROC}/ r,
  @{PROC}/@{pid}/stat r,
  @{PROC}/@{pid}/cmdline r,

  # Subprofile for opening the offending profile in a UI editor.
  profile open {
    # include targets lost in extraction.
    include
    include

    # Transition into the editor subprofile below.
    @{editor_ui_path} rPx -> aa-notify//editor,

    # Local-override include; target lost in extraction.
    include if exists
  }

  # Subprofile for the text editor launched on a profile file.
  profile editor {
    # include targets lost in extraction.
    include
    include
    include
    include
    include

    @{editor_ui_path} rix,
    @{open_path} rPx -> child-open-help,

    # Editor may only read policy; saving changes is not granted here.
    /etc/apparmor.d/{,**} r,

    owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw,

    owner @{PROC}/@{pid}/mountinfo r,
    owner @{PROC}/@{pid}/stat r,

    # Explicit deny takes precedence over any allow rule and is not logged.
    deny @{user_share_dirs}/gvfs-metadata/* r,

    # Local-override include; target lost in extraction.
    include if exists
  }

  # Privileged subprofile: this is the only place that may modify and reload
  # policy (`/etc/apparmor.d/** rw` plus apparmor_parser). Any change here
  # widens what a compromised aa-notify could do as root via pkexec.
  profile pkexec {
    # include targets lost in extraction.
    include
    include
    include

    # Only the parent aa-notify process may be ptrace-read from here.
    ptrace read peer=aa-notify,

    @{bin}/apparmor_parser Px,
    @{lib}/@{python_name}/site-packages/apparmor/update_profile.py ix,

    /usr/share/apparmor/** r,
    /usr/share/terminfo/** r,

    @{etc_ro}/inputrc r,
    @{etc_ro}/inputrc.keys r,
    /etc/apparmor.d/ r,
    # Write access to the whole policy tree — the security-critical grant.
    /etc/apparmor.d/** rw,
    /etc/apparmor/* r,

    # Local-override include; target lost in extraction.
    include if exists
  }

  # Local-override include; target lost in extraction.
  include if exists
}

# vim:syntax=apparmor