mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-08-22 01:57:43 +00:00
fae582b66b
Implement set of abstractions to handle opening uris via xdg-open and similar helpers used on different desktop environments. Abstractions are intended to be included into child profile, together with bundle abstractions such as ubuntu-browsers, ubuntu-email and others, for fine-grained control on what confined application can actually open via xdg-open and similar helpers. PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/404 Acked-by: John Johansen <john.johansen@canonical.com> (cherry picked from commit d257afd3096b25f5d76e2575478c13d4f6930f9a) 622fc44b Add xdg-open (and friends) abstraction af278ca6 exo-open: Fix denials on OpenSUSE f07f0771 exo-open: Allow playing alert sounds 80514906 kde-open5: use dbus-network-manager-strict abstraction ac08dc66 kde-open5: fix denies Ubuntu Eoan 501aada8 gio-open: fix denies Ubuntu Eoan 0a55babe exo-open: do not enable a11y by default e77abfa5 exo-open: update comment about DBUS denial d35faafd kde-open5: do not enable a11y by default 8b481d46 kde-open5: do not enable gstreamer support by default 162e5086 xdg-open: update usage example
44 lines
1.1 KiB
Plaintext
44 lines
1.1 KiB
Plaintext
# vim:syntax=apparmor
|
|
|
|
# This abstraction is designed to be used in a child profile to limit what
|
|
# confined application can invoke via gvfs-open helper.
|
|
#
|
|
# NOTE: most likely you want to use xdg-open abstraction instead for better
|
|
# portability across desktop environments, unless you are sure that confined
|
|
# application only uses /usr/bin/gvfs-open directly.
|
|
#
|
|
# Usage example:
|
|
#
|
|
# ```
|
|
# profile foo /usr/bin/foo {
|
|
# ...
|
|
# /usr/bin/gvfs-open rPx -> foo//gvfs-open,
|
|
# ...
|
|
# } # end of main profile
|
|
#
|
|
# # out-of-line child profile
|
|
# profile foo//gvfs-open {
|
|
# #include <abstractions/gvfs-open>
|
|
#
|
|
# # needed for ubuntu-* abstractions
|
|
# #include <abstractions/ubuntu-helpers>
|
|
#
|
|
# # Only allow to handle http[s]: and mailto: links
|
|
# #include <abstractions/ubuntu-browsers>
|
|
# #include <abstractions/ubuntu-email>
|
|
#
|
|
# # < add additional allowed applications here >
|
|
# }
|
|
# ```
|
|
|
|
#include <abstractions/base>
|
|
|
|
# gvfs-open is deprecated, it launches gio open <uri>
|
|
#include <abstractions/gio-open>
|
|
|
|
# Main executables
|
|
|
|
/usr/bin/gvfs-open r,
|
|
/{,usr/}bin/dash mr,
|
|
|