36 lines
1,014 B
Text
36 lines
1,014 B
Text
# apparmor.d - Full set of apparmor profiles
|
|
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
# This profile is designed to be used in a child profile to limit what
|
|
# confined application can invoke via open helper.
|
|
|
|
# This version of child-open allows to open any programs.
|
|
|
|
abi <abi/4.0>,
|
|
|
|
include <tunables/global>
|
|
|
|
profile child-open-any flags=(attach_disconnected,mediate_deleted) {
|
|
include <abstractions/base>
|
|
include <abstractions/app/open>
|
|
|
|
@{bin}/** PUx,
|
|
@{lib}/** PUx,
|
|
@{user_bin_dirs}/** PUx,
|
|
/opt/*/** PUx,
|
|
/usr/local/bin/** PUx,
|
|
/usr/share/** PUx,
|
|
|
|
@{bin}/ r,
|
|
@{user_bin_dirs}/ r,
|
|
/ r,
|
|
/usr/ r,
|
|
/usr/local/bin/ r,
|
|
|
|
include if exists <usr/child-open-any.d>
|
|
include if exists <local/child-open-any>
|
|
}
|
|
|
|
# vim:syntax=apparmor
|
|
|