mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-08-22 01:57:43 +00:00
fae582b66b
Implement set of abstractions to handle opening uris via xdg-open and similar helpers used on different desktop environments. Abstractions are intended to be included into child profile, together with bundle abstractions such as ubuntu-browsers, ubuntu-email and others, for fine-grained control on what confined application can actually open via xdg-open and similar helpers. PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/404 Acked-by: John Johansen <john.johansen@canonical.com> (cherry picked from commit d257afd3096b25f5d76e2575478c13d4f6930f9a) 622fc44b Add xdg-open (and friends) abstraction af278ca6 exo-open: Fix denials on OpenSUSE f07f0771 exo-open: Allow playing alert sounds 80514906 kde-open5: use dbus-network-manager-strict abstraction ac08dc66 kde-open5: fix denies Ubuntu Eoan 501aada8 gio-open: fix denies Ubuntu Eoan 0a55babe exo-open: do not enable a11y by default e77abfa5 exo-open: update comment about DBUS denial d35faafd kde-open5: do not enable a11y by default 8b481d46 kde-open5: do not enable gstreamer support by default 162e5086 xdg-open: update usage example
56 lines
1.4 KiB
Plaintext
56 lines
1.4 KiB
Plaintext
# vim:syntax=apparmor
|
|
|
|
# This abstraction is designed to be used in a child profile to limit what
|
|
# confined application can invoke via gio helper.
|
|
#
|
|
# NOTE: most likely you want to use xdg-open abstraction instead for better
|
|
# portability across desktop environments, unless you are sure that confined
|
|
# application only uses /usr/bin/gio directly.
|
|
#
|
|
# Usage example:
|
|
#
|
|
# ```
|
|
# profile foo /usr/bin/foo {
|
|
# ...
|
|
# /usr/bin/gio rPx -> foo//gio-open,
|
|
# ...
|
|
# } # end of main profile
|
|
#
|
|
# # out-of-line child profile
|
|
# profile foo//gio-open {
|
|
# #include <abstractions/gio-open>
|
|
#
|
|
# # needed for ubuntu-* abstractions
|
|
# #include <abstractions/ubuntu-helpers>
|
|
#
|
|
# # Only allow to handle http[s]: and mailto: links
|
|
# #include <abstractions/ubuntu-browsers>
|
|
# #include <abstractions/ubuntu-email>
|
|
#
|
|
# # < add additional allowed applications here >
|
|
# }
|
|
|
|
#include <abstractions/base>
|
|
#include <abstractions/dbus-session-strict>
|
|
|
|
# Main executables
|
|
|
|
/usr/bin/gio rix,
|
|
/usr/bin/gio-launch-desktop ix, # for OpenSUSE
|
|
/usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix,
|
|
|
|
# System files
|
|
|
|
/etc/gnome/defaults.list r,
|
|
/usr/share/mime/* r,
|
|
/usr/share/{,*/}applications/{,**} r,
|
|
/var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
|
|
/var/lib/snapd/desktop/applications/{,**} r,
|
|
|
|
# User files
|
|
|
|
owner @{HOME}/.config/mimeapps.list r,
|
|
owner @{HOME}/.local/share/applications/{,*.desktop} r,
|
|
owner @{PROC}/@{pid}/fd/ r,
|
|
|