# vim:syntax=apparmor # This abstraction is designed to be used in a child profile to limit what # confined application can invoke via xdg-open helper. xdg-open abstraction # will allow to use gio-open, kde-open5 and other helpers of the different # desktop environments. # # Usage example: # # ``` # profile foo /usr/bin/foo { # ... # /usr/bin/xdg-open rPx -> foo//xdg-open, # ... # } # end of main profile # # # out-of-line child profile # profile foo//xdg-open { # #include # # # Enable a11y support if considered required by # # profile author for (rare) error message boxes. # #include # # # Enable gstreamer support if considered required by # # profile author for (rare) error message boxes. # #include if exists # # # needed for ubuntu-* abstractions # #include # # # Only allow to handle http[s]: and mailto: links # #include # #include # # # < add additional allowed applications here > # } # ``` #include # for openin with `exo-open` #include # for opening with `gio open ` #include # for opening with gvfs-open (deprecated) #include # for opening with kde-open5 #include # Main executables /{,usr/}bin/{b,d}ash mr, /usr/bin/xdg-open r, # Additional executables /usr/bin/xdg-mime rix, /{,usr/}bin/cut rix, # for xdg-mime /{,usr/}bin/head rix, # for xdg-mime /{,usr/}bin/sed rix, # for xdg-open /{,usr/}bin/tr rix, # for xdg-mime /{,usr/}bin/which rix, # for xdg-open /{,usr/}bin/{grep,egrep} rix, # for xdg-open # System files /dev/pts/[0-9]* rw, /dev/tty w, /etc/gnome/defaults.list r, # for grep /usr/share/applications/mimeinfo.cache r, # for grep /usr/share/terminfo/s/screen r, # for bash on openSUSE /usr/share/{,*/}applications/{,*.desktop} r, # for xdg-mime /var/lib/menu-xdg/applications/ r, # for xdg-mime # Usr files owner @{HOME}/.local/share/applications/{,*.desktop} r, # Include additions to the abstraction #include if exists