mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-08-22 01:57:43 +00:00
f1773f4083
Arch Linux qt6-webengine has `/usr/lib/qt6/QtWebEngineProcess` and qt5-webengine has `/usr/lib/qt/libexec/QtWebEngineProcess`. Fedora has `/usr/lib64/qt6/libexec/QtWebEngineProcess`. openSUSE Tumbleweed has `/usr/libexec/qt5/QtWebEngineProcess` and `/usr/libexec/qt6/QtWebEngineProcess`. Co-authored-by: Maxime Bélair <maxime.belair@canonical.com>
48 lines
947 B
Plaintext
48 lines
947 B
Plaintext
abi <abi/4.0>,
|
|
|
|
include <tunables/global>
|
|
|
|
profile plasmashell /usr/bin/plasmashell {
|
|
include <abstractions/dbus-session>
|
|
|
|
capability,
|
|
userns,
|
|
network,
|
|
dbus,
|
|
mount,
|
|
umount,
|
|
remount,
|
|
signal,
|
|
mqueue,
|
|
unix,
|
|
ptrace,
|
|
|
|
# allow executing QtWebEngineProcess with full permissions including userns (using profile stacking to avoid no_new_privs issues)
|
|
priority=1 /usr/lib{,64,exec}/{,@{multiarch}/}qt{,5,6}/{,libexec/}QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
|
|
|
|
# allow to execute all other programs under their own profile, or to run unconfined
|
|
/** pux,
|
|
|
|
/{,**} mrwlk,
|
|
@{exec_path} mr,
|
|
|
|
profile QtWebEngineProcess {
|
|
capability,
|
|
userns,
|
|
network,
|
|
dbus,
|
|
mount,
|
|
umount,
|
|
remount,
|
|
signal,
|
|
mqueue,
|
|
unix,
|
|
ptrace,
|
|
/** pux,
|
|
/{,**} mrwlk,
|
|
}
|
|
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
include if exists <local/plasmashell>
|
|
}
|