apparmor.d/apparmor.d/abstractions/app-open

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# Instead of allowing the run of all software in @{bin}/, @{lib} the purpose of
# this abstraction is to list all GUI program that can open resources.

# Ultimately, only sandbox manager such as like bwrap, snap, flatpak, firejail
# should be present here. Until this day, this profile will be a controlled mess.

  abi <abi/4.0>,

  # Sandbox managers
  @{bin}/bwrap                  PUx,
  @{bin}/firejail               PUx,
  @{bin}/flatpak                Px,
  @{bin}/snap                   Px,

  # Labeled programs
  @{archive_viewers_path}       PUx,
  @{backup_path}                PUx,
  @{browsers_path}              Px,
  @{document_viewers_path}      PUx,
  @{emails_path}                PUx,
  @{file_explorers_path}        Px,
  @{help_path}                  Px,
  @{image_viewers_path}         PUx,
  @{offices_path}               PUx,
  @{terminal_path}              Px,
  @{text_editors_path}          PUx,

  # Others
  @{bin}/amule                  Px,
  @{bin}/blueman-tray           Px,
  @{bin}/discord{,-ptb}         Px,
  @{bin}/draw.io                PUx,
  @{bin}/dropbox                Px,
  @{bin}/element-desktop        Px,
  @{bin}/extension-manager      Px,
  @{bin}/filezilla              Px,
  @{bin}/flameshot              Px,
  @{bin}/gimp{,3}               Px,
  @{bin}/gnome-calculator       Px,
  @{bin}/gnome-disk-image-mounter Px,
  @{bin}/gnome-disks            Px,
  @{bin}/gnome-session-quit     Px,
  @{bin}/gnome-software         Px,
  @{bin}/gwenview               PUx,
  @{bin}/qbittorrent            Px,
  @{bin}/qpdfview               Px,
  @{bin}/smplayer               Px,
  @{bin}/steam-runtime          PUx,
  @{bin}/telegram-desktop       Px,
  @{bin}/transmission-gtk       Px,
  @{bin}/viewnior               PUx,
  @{bin}/vlc                    Px,
  @{bin}/xbrlapi                Px,

  #aa:only opensuse
  @{lib}/YaST2/**               PUx,

  include if exists <abstractions/app-open.d>

# vim:syntax=apparmor