Merge pull request #3 from nobodysu/youtube-dl

youtube-dl

abstractions/3rd/file-chooser

@@ -5,12 +5,19 @@
   #include <abstractions/3rd/nameservice-strict>
 
   # list directory contents
-  / r,
+  /    r,
   /**/ r,
 
+  @{HOME}/.cache/thumbnails/** r,
+
+  @{PROC}/@{pid}/mountinfo r,
+
+  # initialization only?
+  /usr/share/uim/{,**/}*.scm  r,
+  /var/lib/uim/*.scm          r,
+
   # noisy
-  /etc/fstab r,
-  deny @{HOME}/.cache/thumbnails/** r,
+  deny /etc/fstab r,
 
   dbus send
        bus="session"

usr.local.bin.youtube-dl

@@ -0,0 +1,78 @@
+# vim:syntax=apparmor
+
+#include <tunables/global>
+
+# changeme
+@{DOWNLOAD_FOLDERS}=@{HOME}/Downloads /tmp/ytdl
+@{YTDL_PATH}=/usr/{,local/}bin/youtube-dl
+
+profile youtube_dl @{YTDL_PATH} {
+  @{YTDL_PATH} r,
+  #include <abstractions/base>
+  #include <abstractions/openssl>
+  #include <abstractions/ssl_certs>
+#  #include <abstractions/nameservice>
+  #include <abstractions/3rd/nameservice-strict>
+
+  @{DOWNLOAD_FOLDERS}/** rw,
+
+  /etc/youtube-dl.conf   r,
+  /etc/mime.types        r,
+  /etc/python{2.[4-7],3.[0-9],3.[0-9][0-9]}/** r,
+
+  owner @{PROC}/@{pid}/{fd/,mounts} r,
+
+  owner @{HOME}/.cache/youtube-dl/{,**}  rwk,
+  owner @{HOME}/.config/youtube-dl/{,**} rwk,
+
+  owner /tmp/ytdl_prg    w,
+  owner /tmp/ytdl_stderr w,
+  owner /tmp/??????      w,
+  owner /var/tmp/??????  w,
+
+  /usr/bin/python{2.[4-7],3.[0-9],3.[0-9][0-9]}  rix,
+  /usr/bin/env                                   rix,
+  /{,usr/}bin/stty                               rix,
+  /{,usr/}sbin/ldconfig{,.real}                  rix,
+  /{,usr/}bin/uname                              rix,
+
+  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-9],3.[0-9][0-9]}/{site,dist}-packages/{,youtube_dl/**} r,
+  deny /usr/bin/ r,  # ?; noisy
+
+  /usr/bin/ffmpeg Cx,
+  profile ffmpeg /usr/bin/ffmpeg {
+    /usr/bin/ffmpeg r,
+    #include <abstractions/base>
+
+    @{DOWNLOAD_FOLDERS}/** rw,
+
+    /sys/devices/system/node/{,node[0-9]*/meminfo} r,
+  }
+
+  /usr/bin/ffprobe Cx,
+  profile ffprobe /usr/bin/ffprobe {
+    /usr/bin/ffprobe r,
+    #include <abstractions/base>
+
+    @{DOWNLOAD_FOLDERS}/** r,
+
+    /sys/devices/system/node/{,node[0-9]*/meminfo} r,
+  }
+
+  /{,usr/}bin/dash Cx,
+  profile dash /{,usr/}bin/dash {
+    /{,usr/}bin/dash r,
+    #include <abstractions/base>
+
+    @{DOWNLOAD_FOLDERS}/** rw,
+
+    # --exec commands goes here
+#    /bin/mv         rix,
+#    /bin/cp          Ux,   # Unrestricted, DANGEROUS
+  }
+
+  # Ubuntu
+  network tcp,
+  network udp,
+  network netlink raw,
+}

usr.local.bin.youtubedl-gui

@@ -0,0 +1,127 @@
+# vim:syntax=apparmor
+
+#include <tunables/global>
+
+# changeme
+@{DOWNLOAD_FOLDERS}=@{HOME}/Downloads /tmp/ytdl
+@{YTDL_PATH}=/usr/{,local/}bin/youtube-dl
+
+profile youtubedl_gui /usr/{,local/}bin/youtubedl-gui {
+  /usr/{,local/}bin/youtubedl-gui r,
+  #include <abstractions/base>
+  #include <abstractions/gnome>
+  #include <abstractions/ibus>
+  #include <abstractions/dconf>
+  #include <abstractions/dbus-accessibility-strict>
+  #include <abstractions/dbus-session-strict>
+  #include <abstractions/qt5>
+  #include <abstractions/private-files>
+  #include <abstractions/private-files-strict>
+#  #include <abstractions/nameservice>
+  #include <abstractions/3rd/nameservice-strict>
+#  #include <abstractions/3rd/file-chooser>
+#  #include <abstractions/3rd/dbus-overwrite>
+
+  @{DOWNLOAD_FOLDERS}/** rw,
+
+  # qt5-settings-write-deny (modification)
+  deny owner @{HOME}/.config/QtProject.conf* wkl,
+  deny owner @{HOME}/.config/#[0-9]*[0-9]    wkl,
+  # or allow write access
+#  #include <abstractions/qt5-settings-write>
+
+  deny @{PROC}/sys/kernel/random/boot_id r,
+  deny /usr/share/nvidia/nvidia-application-profiles-* r,
+       /usr/libexec/coreutils/libstdbuf.so mr,
+
+  owner @{PROC}/@{pid}/{cmdline,comm}  r,
+
+  /dev/tty rw,
+
+  owner /tmp/ytdl_prg    w,
+  owner /tmp/ytdl_stderr w,
+
+  owner /{,var/}run/user/*/dconf/user w,
+
+  /usr/share/hwdata/pnp.ids r,
+
+  /usr/bin/stdbuf    rix,
+  /{,usr/}bin/grep   rix,
+  /{,usr/}bin/bash   rix,
+
+  @{YTDL_PATH}       rPx -> youtube_dl,
+
+  dbus send
+       bus="session"
+       path="/org/a11y/bus"
+       interface="org.freedesktop.DBus.Properties"
+       member="Get"
+       peer=(name="org.a11y.Bus"),
+
+  dbus send
+       bus="accessibility"
+       path="/org/a11y/atspi/accessible/root"
+       interface="org.a11y.atspi.Socket"
+       member="Embed"
+       peer=(name="org.a11y.atspi.Registry"),
+
+  dbus receive
+       bus="accessibility"
+       path="/org/a11y/atspi/accessible/root"
+       interface="org.freedesktop.DBus.Properties"
+       member="Set"
+       peer=(name=":*"),
+
+  dbus send
+       bus="accessibility"
+       path="/org/a11y/atspi/registry/deviceeventcontroller"
+       interface="org.a11y.atspi.DeviceEventController"
+       member="{GetKeystrokeListeners,GetDeviceEventListeners}"
+       peer=(name="org.a11y.atspi.Registry"),
+
+  dbus send
+       bus="accessibility"
+       path="/org/a11y/atspi/registry"
+       interface="org.a11y.atspi.Registry"
+       member="GetRegisteredEvents"
+       peer=(name="org.a11y.atspi.Registry"),
+
+  dbus receive
+       bus="accessibility"
+       path="/org/a11y/atspi/registry"
+       interface="org.a11y.atspi.Registry"
+       member="EventListenerDeregistered"
+       peer=(name=":*"),
+
+  dbus send
+       bus="session"
+       path="/org/gtk/vfs/mounttracker"
+       interface="org.gtk.vfs.MountTracker"
+       member="ListMountableInfo"
+       peer=(name=":*"),
+
+  # Ubuntu
+  owner @{HOME}/.cache/mesa_shader_cache/index rw,
+
+  dbus send
+       bus="session"
+       path="/org/a11y/bus"
+       interface="org.a11y.Bus"
+       member="GetAddress"
+       peer=(name="org.a11y.Bus"),
+
+  dbus send
+       bus="session"
+       path="/org/gtk/Settings"
+       interface="org.freedesktop.DBus.Properties"
+       member="GetAll"
+       peer=(name=":*"),
+
+  # save to smb shares, etc
+#  network tcp,
+#  network udp,
+
+  # or deny network access by itself
+  deny network tcp,
+  deny network udp,
+}