# vim:syntax=apparmor
abi <abi/3.0>,
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via kde-open5 helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/kde-open5 directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/kde-open5 rPx -> foo//kde-open5,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//kde-open5 {
# include <abstractions/kde-open5>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # Add if accesibility access is considered as required
# # (for message boxe in case exo-open fails)
# include <abstractions/dbus-accessibility>
#
# # Add if audio support for message box is
# # considered as required.
# include if exists <abstractions/gstreamer>
#
# # < add additional allowed applications here >
# }
# ```
include <abstractions/audio> # for alert messages
include <abstractions/base>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-network-manager-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/kde-icon-cache-write>
include <abstractions/kde>
include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
include <abstractions/openssl>
include <abstractions/qt5>
include <abstractions/recent-documents-write>
include <abstractions/X>
# Main executables
/usr/bin/kde-open5 rix,
/usr/lib/@{multiarch}/libexec/kf5/kioslave{,5} ix,
# DBus
dbus
bus=session
interface=org.kde.KLauncher
member=start_service_by_desktop_path
peer=(name=org.kde.klauncher5),
# Denied system files
deny /usr/lib/vlc/plugins/* w, # VLC backed tries to create plugins.dat.16109
# libpcre2 on openSUSE tries to mmap() shared memory on directory.
# see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
# AppArmor does not allow to distinguish "real" file vs shared memory one,
# so we deny this path to protect from loading exploits from /tmp.
deny /tmp/#[0-9]*[0-9] m,
# System files
/dev/tty r,
/etc/xdg/accept-languages.codes r,
/etc/xdg/menus/{,*/} r,
/usr/share/*fonts*/conf.avail/*.conf r, # for openSUSE, when showing error message box
/usr/share/ghostscript/fonts/ r, # for openSUSE, when showing error message box
/usr/share/hwdata/pnp.ids r, # for openSUSE, when showing error message box, for QXcbConnection::initializeScreens() from libQt5XcbQpa.so
/usr/share/icu/[0-9]*.[0-9]*/*.dat r, # for openSUSE
/usr/share/kservices5/{,**} r, # for KProtocolManager::defaultUserAgent() from libKF5KIOCore.so
/usr/share/mime/ r,
/usr/share/mime/generic-icons r,
/usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
/usr/share/sounds/ r,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/random/boot_id r,
# User files
owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so
owner @{run}/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13
owner @{run}/user/[0-9]*/kioclient*slave-socket lrw -> @{run}/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
owner @{HOME}/.cache/kio_http/ rw,
# Include additions to the abstraction
include if exists <abstractions/kde-open5.d>
| Name | Type | Size | Permission | Actions |
|---|---|---|---|---|
| apparmor_api | Folder | 0755 |
|
|
| ubuntu-browsers.d | Folder | 0755 |
|
|
| X | File | 1.94 KB | 0644 |
|
| apache2-common | File | 978 B | 0644 |
|
| aspell | File | 412 B | 0644 |
|
| audio | File | 1.94 KB | 0644 |
|
| authentication | File | 1.81 KB | 0644 |
|
| base | File | 6.77 KB | 0644 |
|
| bash | File | 1.58 KB | 0644 |
|
| consoles | File | 903 B | 0644 |
|
| crypto | File | 809 B | 0644 |
|
| cups-client | File | 820 B | 0644 |
|
| dbus | File | 694 B | 0644 |
|
| dbus-accessibility | File | 745 B | 0644 |
|
| dbus-accessibility-strict | File | 760 B | 0644 |
|
| dbus-network-manager-strict | File | 1.37 KB | 0644 |
|
| dbus-session | File | 747 B | 0644 |
|
| dbus-session-strict | File | 1010 B | 0644 |
|
| dbus-strict | File | 781 B | 0644 |
|
| dconf | File | 344 B | 0644 |
|
| dovecot-common | File | 675 B | 0644 |
|
| dri-common | File | 542 B | 0644 |
|
| dri-enumerate | File | 392 B | 0644 |
|
| enchant | File | 2.17 KB | 0644 |
|
| exo-open | File | 1.88 KB | 0644 |
|
| fcitx | File | 558 B | 0644 |
|
| fcitx-strict | File | 821 B | 0644 |
|
| fonts | File | 2.22 KB | 0644 |
|
| freedesktop.org | File | 1.37 KB | 0644 |
|
| gio-open | File | 1.51 KB | 0644 |
|
| gnome | File | 3.73 KB | 0644 |
|
| gnupg | File | 459 B | 0644 |
|
| gtk | File | 1.42 KB | 0644 |
|
| gvfs-open | File | 1.15 KB | 0644 |
|
| hosts_access | File | 511 B | 0644 |
|
| ibus | File | 992 B | 0644 |
|
| kde | File | 2.8 KB | 0644 |
|
| kde-globals-write | File | 413 B | 0644 |
|
| kde-icon-cache-write | File | 256 B | 0644 |
|
| kde-language-write | File | 575 B | 0644 |
|
| kde-open5 | File | 3.61 KB | 0644 |
|
| kerberosclient | File | 1.25 KB | 0644 |
|
| ldapclient | File | 856 B | 0644 |
|
| libpam-systemd | File | 770 B | 0644 |
|
| likewise | File | 595 B | 0644 |
|
| mdns | File | 554 B | 0644 |
|
| mesa | File | 1.16 KB | 0644 |
|
| mir | File | 694 B | 0644 |
|
| mozc | File | 573 B | 0644 |
|
| mysql | File | 739 B | 0644 |
|
| nameservice | File | 4.29 KB | 0644 |
|
| nis | File | 625 B | 0644 |
|
| nss-systemd | File | 1.22 KB | 0644 |
|
| nvidia | File | 751 B | 0644 |
|
| opencl | File | 370 B | 0644 |
|
| opencl-common | File | 516 B | 0644 |
|
| opencl-intel | File | 672 B | 0644 |
|
| opencl-mesa | File | 636 B | 0644 |
|
| opencl-nvidia | File | 895 B | 0644 |
|
| opencl-pocl | File | 2.84 KB | 0644 |
|
| openssl | File | 648 B | 0644 |
|
| orbit2 | File | 197 B | 0644 |
|
| p11-kit | File | 999 B | 0644 |
|
| perl | File | 974 B | 0644 |
|
| php | File | 1.13 KB | 0644 |
|
| php-worker | File | 558 B | 0644 |
|
| php5 | File | 208 B | 0644 |
|
| postfix-common | File | 1.32 KB | 0644 |
|
| private-files | File | 1.62 KB | 0644 |
|
| private-files-strict | File | 1.18 KB | 0644 |
|
| python | File | 1.82 KB | 0644 |
|
| qt5 | File | 863 B | 0644 |
|
| qt5-compose-cache-write | File | 399 B | 0644 |
|
| qt5-settings-write | File | 514 B | 0644 |
|
| recent-documents-write | File | 466 B | 0644 |
|
| ruby | File | 1008 B | 0644 |
|
| samba | File | 1.13 KB | 0644 |
|
| smbpass | File | 581 B | 0644 |
|
| snap_browsers | File | 1.63 KB | 0644 |
|
| ssl_certs | File | 1.52 KB | 0644 |
|
| ssl_keys | File | 938 B | 0644 |
|
| svn-repositories | File | 1.72 KB | 0644 |
|
| ubuntu-bittorrent-clients | File | 821 B | 0644 |
|
| ubuntu-browsers | File | 1.58 KB | 0644 |
|
| ubuntu-console-browsers | File | 731 B | 0644 |
|
| ubuntu-console-email | File | 718 B | 0644 |
|
| ubuntu-email | File | 1.06 KB | 0644 |
|
| ubuntu-feed-readers | File | 456 B | 0644 |
|
| ubuntu-gnome-terminal | File | 300 B | 0644 |
|
| ubuntu-helpers | File | 3.7 KB | 0644 |
|
| ubuntu-konsole | File | 453 B | 0644 |
|
| ubuntu-media-players | File | 2.3 KB | 0644 |
|
| ubuntu-unity7-base | File | 2.5 KB | 0644 |
|
| ubuntu-unity7-launcher | File | 311 B | 0644 |
|
| ubuntu-unity7-messaging | File | 313 B | 0644 |
|
| ubuntu-xterm | File | 346 B | 0644 |
|
| user-download | File | 987 B | 0644 |
|
| user-mail | File | 944 B | 0644 |
|
| user-manpages | File | 1000 B | 0644 |
|
| user-tmp | File | 760 B | 0644 |
|
| user-write | File | 972 B | 0644 |
|
| video | File | 231 B | 0644 |
|
| vulkan | File | 1.06 KB | 0644 |
|
| wayland | File | 645 B | 0644 |
|
| web-data | File | 811 B | 0644 |
|
| winbind | File | 882 B | 0644 |
|
| wutmp | File | 711 B | 0644 |
|
| xad | File | 984 B | 0644 |
|
| xdg-desktop | File | 782 B | 0644 |
|
| xdg-open | File | 2.23 KB | 0644 |
|