You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
105 lines
3.6 KiB
Plaintext
105 lines
3.6 KiB
Plaintext
2 years ago
|
# vim:syntax=apparmor
|
||
|
|
||
|
# This abstraction is designed to be used in a child profile to limit what
|
||
|
# confined application can invoke via kde-open5 helper.
|
||
|
#
|
||
|
# NOTE: most likely you want to use xdg-open abstraction instead for better
|
||
|
# portability across desktop environments, unless you are sure that confined
|
||
|
# application only uses /usr/bin/kde-open5 directly.
|
||
|
#
|
||
|
# Usage example:
|
||
|
#
|
||
|
# ```
|
||
|
# profile foo /usr/bin/foo {
|
||
|
# ...
|
||
|
# /usr/bin/kde-open5 rPx -> foo//kde-open5,
|
||
|
# ...
|
||
|
# } # end of main profile
|
||
|
#
|
||
|
# # out-of-line child profile
|
||
|
# profile foo//kde-open5 {
|
||
|
# #include <abstractions/kde-open5>
|
||
|
#
|
||
|
# # needed for ubuntu-* abstractions
|
||
|
# #include <abstractions/ubuntu-helpers>
|
||
|
#
|
||
|
# # Only allow to handle http[s]: and mailto: links
|
||
|
# #include <abstractions/ubuntu-browsers>
|
||
|
# #include <abstractions/ubuntu-email>
|
||
|
#
|
||
|
# # Add if accesibility access is considered as required
|
||
|
# # (for message boxe in case exo-open fails)
|
||
|
# #include <abstractions/dbus-accessibility>
|
||
|
#
|
||
|
# # Add if audio support for message box is
|
||
|
# # considered as required.
|
||
|
# #include if exists <abstractions/gstreamer>
|
||
|
#
|
||
|
# # < add additional allowed applications here >
|
||
|
# }
|
||
|
# ```
|
||
|
|
||
|
#include <abstractions/audio> # for alert messages
|
||
|
#include <abstractions/base>
|
||
|
#include <abstractions/dbus-accessibility-strict>
|
||
|
#include <abstractions/dbus-network-manager-strict>
|
||
|
#include <abstractions/dbus-session-strict>
|
||
|
#include <abstractions/dbus-strict>
|
||
|
#include <abstractions/kde-icon-cache-write>
|
||
|
#include <abstractions/kde>
|
||
|
#include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
|
||
|
#include <abstractions/openssl>
|
||
|
#include <abstractions/qt5>
|
||
|
#include <abstractions/recent-documents-write>
|
||
|
#include <abstractions/X>
|
||
|
|
||
|
# Main executables
|
||
|
|
||
|
/usr/bin/kde-open5 rix,
|
||
|
/usr/lib/@{multiarch}/libexec/kf5/kioslave{,5} ix,
|
||
|
|
||
|
# DBus
|
||
|
|
||
|
dbus
|
||
|
bus=session
|
||
|
interface=org.kde.KLauncher
|
||
|
member=start_service_by_desktop_path
|
||
|
peer=(name=org.kde.klauncher5),
|
||
|
|
||
|
# Denied system files
|
||
|
|
||
|
deny /usr/lib/vlc/plugins/* w, # VLC backed tries to create plugins.dat.16109
|
||
|
|
||
|
# libpcre2 on openSUSE tries to mmap() shared memory on directory.
|
||
|
# see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
|
||
|
# AppArmor does not allow to distinguish "real" file vs shared memory one,
|
||
|
# so we deny this path to protect from loading exploits from /tmp.
|
||
|
deny /tmp/#[0-9]*[0-9] m,
|
||
|
|
||
|
# System files
|
||
|
|
||
|
/dev/tty r,
|
||
|
/etc/xdg/accept-languages.codes r,
|
||
|
/etc/xdg/menus/{,*/} r,
|
||
|
/usr/share/*fonts*/conf.avail/*.conf r, # for openSUSE, when showing error message box
|
||
|
/usr/share/ghostscript/fonts/ r, # for openSUSE, when showing error message box
|
||
|
/usr/share/hwdata/pnp.ids r, # for openSUSE, when showing error message box, for QXcbConnection::initializeScreens() from libQt5XcbQpa.so
|
||
|
/usr/share/icu/[0-9]*.[0-9]*/*.dat r, # for openSUSE
|
||
|
/usr/share/kservices5/{,**} r, # for KProtocolManager::defaultUserAgent() from libKF5KIOCore.so
|
||
|
/usr/share/mime/ r,
|
||
|
/usr/share/mime/generic-icons r,
|
||
|
/usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
|
||
|
/usr/share/sounds/ r,
|
||
|
@{PROC}/sys/kernel/core_pattern r,
|
||
|
@{PROC}/sys/kernel/random/boot_id r,
|
||
|
|
||
|
# User files
|
||
|
|
||
|
owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so
|
||
|
owner /{,var/}run/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13
|
||
|
owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
|
||
|
owner @{HOME}/.cache/kio_http/ rw,
|
||
|
|
||
|
# Include additions to the abstraction
|
||
|
#include if exists <abstractions/kde-open5.d>
|