feat(abs): rewrite the app/open abstraction to accomodate kde require…

…ments. See #630 #605 #647
roddhjav · Jan 20, 2025 · ef99c81 · ef99c81
1 parent f15cbdf
commit ef99c81
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 13 deletions.
diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open
@@ -3,19 +3,42 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
 
-# Full set of rules for child-open-* profiles.
+# Full set of rules for desktop generic open-* used in child-open-* profiles.
 
   abi <abi/4.0>,
 
   include <abstractions/desktop>
 
-  @{open_path} mrix,
+  # We cannot use `@{open_path} mrix,` here because it includes:
+  #     @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop
+  # And `@{multiarch}` as a wildcard that cannot be merged and that will generate 
+  # "has merged rule with conflicting x modifiers" error when used with other
+  # wilcard over PUx transition.
+  @{bin}/exo-open mrix,
+  @{bin}/xdg-open mrix,
+  @{bin}/gio mrix,
+  @{bin}/kde-open mrix,
+  @{bin}/gio-launch-desktop mrix,
+  @{lib}/gio-launch-desktop mrix,
 
-  @{sh_path} r,
   @{bin}/env rix,
-
+  @{sh_path} r,
+
   /dev/tty rw,
 
+  # if @{DE} == kde
+
+    include <abstractions/audio-client>
+    include <abstractions/bus-accessibility>
+    include <abstractions/bus-session>
+    include <abstractions/bus/org.a11y>
+    include <abstractions/graphics>
+
+    owner @{run}/user//@{uid}/#@{int} rw, 
+    owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
+
+  # fi
+
   include if exists <abstractions/app/open.d>
 
 # vim:syntax=apparmor
diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any
@@ -13,11 +13,7 @@ include <tunables/global>
 
 profile child-open-any flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/base>
-  include <abstractions/desktop>
-
-  @{open_path} mrix,
-
-  @{sh_path} r,
+  include <abstractions/app/open>
 
   @{bin}/**                     PUx,
   @{lib}/**                     PUx,
@@ -32,10 +28,6 @@ profile child-open-any flags=(attach_disconnected,mediate_deleted) {
   /usr/                         r,
   /usr/local/bin/               r,
 
-  owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
-
-  /dev/tty rw,
-
   include if exists <usr/child-open-any.d>
   include if exists <local/child-open-any>
 }