apparmor.d/apparmor.d/groups/children/child-open

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# Note: This profile does not specify an attachment path because it is
# intended to be used only via "Px -> child-open" exec transitions
# from other profiles. 

# Instead of allowing the run of all software in @{bin}/, the purpose of
# this profile is to list all GUI program that can open resources.

# Ultimatelly, only sandbox manager program like bwrap, snap, flatpak, firejail
# should be present here. Until this day, this profile will be a controlled mess.

abi <abi/3.0>,

include <tunables/global>

# App allowed to open
profile child-open {
  include <abstractions/base>
  include <abstractions/dri-enumerate>
  include <abstractions/mesa>
  include <abstractions/vulkan>
  include <abstractions/xdg-open>

  @{bin}/exo-open                                     mr,
  @{bin}/xdg-open                                     mr,
  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop  mrix,
  @{lib}/gio-launch-desktop                           mrix,

  @{bin}/{,ba,da}sh        rix,
  @{bin}/{,m,g}awk         rix,
  @{bin}/basename          rix,
  @{bin}/readlink          rix,

  # Sandbox managers
  @{bin}/bwrap            rPUx,
  @{bin}/firejail         rPUx,
  @{bin}/flatpak          rPUx,
  @{bin}/snap             rPUx,

  # Files explorer
  @{bin}/nautilus          rPx,

  # Firefox
  @{bin}/firefox{,.sh,-esr,-bin}                                                 rPx,
  @{lib}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin}                         rPx,
  /opt/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin}                           rPx,
  # Brave
  /opt/brave{-bin,.com}/brave{,-beta,-dev,-bin}/brave{,-beta,-dev,-bin}          rPx,
  # Chromium
  @{lib}/chromium/chromium                                                       rPx,
  # Chrome
  /opt/google/chrome{,-beta,-stable,-unstable}/chrome{,-beta,-stable,-unstable}  rPx,
  # Opera
  @{lib}/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer}          rPx,

  # Text editors
  @{bin}/code                   rPx,
  @{bin}/gedit                 rPUx,
  /usr/share/code/{bin/,}code   rPx,

  # Others
  @{bin}/*Foliate         rPUx,
  @{bin}/blueman-tray      rPx,
  @{bin}/discord{,-ptb}    rPx,
  @{bin}/draw.io          rPUx,
  @{bin}/dropbox           rPx,
  @{bin}/engrampa          rPx,
  @{bin}/eog              rPUx,
  @{bin}/evince            rPx,
  @{bin}/file-roller      rPUx,
  @{bin}/filezilla         rPx,
  @{bin}/flameshot         rPx,
  @{bin}/geany             rPx,
  @{bin}/gnome-calculator rPUx,
  @{bin}/gnome-disk-image-mounter rPx,
  @{bin}/gnome-disks       rPx,
  @{bin}/gwenview         rPUx,
  @{bin}/kgx               rPx,
  @{bin}/okular            rPx,
  @{bin}/qbittorrent       rPx,
  @{bin}/qpdfview          rPx,
  @{bin}/smplayer          rPx,
  @{bin}/spacefm           rPx,
  @{bin}/teams            rPUx,
  @{bin}/telegram-desktop  rPx,
  @{bin}/thunderbird       rPx,
  @{bin}/transmission-gtk  rPx,
  @{bin}/viewnior         rPUx,
  @{bin}/vlc              rPUx,
  @{bin}/xarchiver         rPx,
  @{bin}/xbrlapi 	         rPx,
  @{lib}/libreoffice/program/{soffice,soffice.bin,oosplash} rPUx,

  include if exists <usr/child-open.d>
  include if exists <local/child-open>
}