From 5093d41de12c26b38bb94395721f86f0191f25d2 Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Sat, 24 Jul 2021 18:56:20 +0300
Subject: [PATCH] youtube-dl
---
 abstractions/3rd/file-chooser | 13 +++-
 usr.local.bin.youtube-dl | 78 +++++++++++++++++++++
 usr.local.bin.youtubedl-gui | 127 ++++++++++++++++++++++++++++++++++
 3 files changed, 215 insertions(+), 3 deletions(-)
 create mode 100644 usr.local.bin.youtube-dl
 create mode 100644 usr.local.bin.youtubedl-gui
diff --git a/abstractions/3rd/file-chooser b/abstractions/3rd/file-chooser
index 968c654..b1ea457 100644
--- a/abstractions/3rd/file-chooser
+++ b/abstractions/3rd/file-chooser
@@ -5,12 +5,19 @@
 #include
 # list directory contents
- / r,
+ / r, /**/ r,
+ @{HOME}/.cache/thumbnails/** r,
+
+ @{PROC}/@{pid}/mountinfo r,
+
+ # initialization only?
+ /usr/share/uim/{,**/}*.scm r,
+ /var/lib/uim/*.scm r,
+
 # noisy
- /etc/fstab r,
- deny @{HOME}/.cache/thumbnails/** r,
+ deny /etc/fstab r,
 dbus send bus="session"
diff --git a/usr.local.bin.youtube-dl b/usr.local.bin.youtube-dl
new file mode 100644
index 0000000..4ef1a67
--- /dev/null
+++ b/usr.local.bin.youtube-dl
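Review bot: The new `@{PROC}/@{pid}/mountinfo r,` rule carries no `owner` qualifier, so on parsers where `@{pid}` is still expanded as a plain numeric glob it permits reading every process's mount table rather than only the confined process's own; the youtube-dl profile in this same patch writes the equivalent rule as `owner @{PROC}/@{pid}/{fd/,mounts} r,`, and `owner @{PROC}/@{pid}/mountinfo r,` would match that convention. Separately, `/**/ r,` grants directory listing of the entire tree to every profile that includes this abstraction, and the thumbnails cache moves from `deny` to allowed, both of which widen far more than one program; a one-line comment above each naming the chooser operation that needs it would keep the widening reviewable later. The surrounding lines of the abstraction lie outside the hunk.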
@@ -0,0 +1,78 @@
+# vim:syntax=apparmor
+
+#include
+
+# changeme
+@{DOWNLOAD_FOLDERS}=@{HOME}/Downloads /tmp/ytdl
+@{YTDL_PATH}=/usr/{,local/}bin/youtube-dl
+
+profile youtube_dl @{YTDL_PATH} {
+ @{YTDL_PATH} r,
+ #include
+ #include
+ #include
+# #include
+ #include
+
+ @{DOWNLOAD_FOLDERS}/** rw,
+
+ /etc/youtube-dl.conf r,
+ /etc/mime.types r,
+ /etc/python{2.[4-7],3.[0-9],3.[0-9][0-9]}/** r,
+
+ owner @{PROC}/@{pid}/{fd/,mounts} r,
+
+ owner @{HOME}/.cache/youtube-dl/{,**} rwk,
+ owner @{HOME}/.config/youtube-dl/{,**} rwk,
+
+ owner /tmp/ytdl_prg w,
+ owner /tmp/ytdl_stderr w,
+ owner /tmp/?????? w,
+ owner /var/tmp/?????? w,
+
+ /usr/bin/python{2.[4-7],3.[0-9],3.[0-9][0-9]} rix,
+ /usr/bin/env rix,
+ /{,usr/}bin/stty rix,
+ /{,usr/}sbin/ldconfig{,.real} rix,
+ /{,usr/}bin/uname rix,
+
+ /usr/local/lib{,32,64}/python{2.[4-7],3.[0-9],3.[0-9][0-9]}/{site,dist}-packages/{,youtube_dl/**} r,
+ deny /usr/bin/ r, # ?; noisy
+
+ /usr/bin/ffmpeg Cx,
+ profile ffmpeg /usr/bin/ffmpeg {
+ /usr/bin/ffmpeg r,
+ #include
+
+ @{DOWNLOAD_FOLDERS}/** rw,
+
+ /sys/devices/system/node/{,node[0-9]*/meminfo} r,
+ }
+
+ /usr/bin/ffprobe Cx,
+ profile ffprobe /usr/bin/ffprobe {
+ /usr/bin/ffprobe r,
+ #include
+
+ @{DOWNLOAD_FOLDERS}/** r,
+
+ /sys/devices/system/node/{,node[0-9]*/meminfo} r,
+ }
+
+ /{,usr/}bin/dash Cx,
+ profile dash /{,usr/}bin/dash {
+ /{,usr/}bin/dash r,
+ #include
+
+ @{DOWNLOAD_FOLDERS}/** rw,
+
+ # --exec commands goes here
+# /bin/mv rix,
+# /bin/cp Ux, # Unrestricted, DANGEROUS
+ }
+
+ # Ubuntu
+ network tcp,
+ network udp,
+ network netlink raw,
+}
diff --git a/usr.local.bin.youtubedl-gui b/usr.local.bin.youtubedl-gui
new file mode 100644
index 0000000..ce74d3b
--- /dev/null
+++ b/usr.local.bin.youtubedl-gui
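Review bot: `@{DOWNLOAD_FOLDERS}/** rw,` near the top of the profile (and again in the ffmpeg and dash children) has no `owner` qualifier, while every other writable path in this profile does; because `@{DOWNLOAD_FOLDERS}` includes `/tmp/ytdl`, a directory under the world-writable `/tmp`, the confined process may also write files that another local user placed there. `owner @{DOWNLOAD_FOLDERS}/** rw,` keeps the intended use and is consistent with the `owner /tmp/ytdl_prg w,` rules a few lines below; the ffprobe child would correspondingly take `owner @{DOWNLOAD_FOLDERS}/** r,`. The `owner /tmp/?????? w,` and `owner /var/tmp/?????? w,` rules match any six-character name, which is wider than a temp-file prefix; if the component that creates those files is known, anchoring the prefix would narrow the rule, and a comment naming that component would help the next maintainer either way.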
@@ -0,0 +1,127 @@
+# vim:syntax=apparmor
+
+#include
+
+# changeme
+@{DOWNLOAD_FOLDERS}=@{HOME}/Downloads /tmp/ytdl
+@{YTDL_PATH}=/usr/{,local/}bin/youtube-dl
+
+profile youtubedl_gui /usr/{,local/}bin/youtubedl-gui {
+ /usr/{,local/}bin/youtubedl-gui r,
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+# #include
+ #include
+# #include
+# #include
+
+ @{DOWNLOAD_FOLDERS}/** rw,
+
+ # qt5-settings-write-deny (modification)
+ deny owner @{HOME}/.config/QtProject.conf* wkl,
+ deny owner @{HOME}/.config/#[0-9]*[0-9] wkl,
+ # or allow write access
+# #include
+
+ deny @{PROC}/sys/kernel/random/boot_id r,
+ deny /usr/share/nvidia/nvidia-application-profiles-* r,
+ /usr/libexec/coreutils/libstdbuf.so mr,
+
+ owner @{PROC}/@{pid}/{cmdline,comm} r,
+
+ /dev/tty rw,
+
+ owner /tmp/ytdl_prg w,
+ owner /tmp/ytdl_stderr w,
+
+ owner /{,var/}run/user/*/dconf/user w,
+
+ /usr/share/hwdata/pnp.ids r,
+
+ /usr/bin/stdbuf rix,
+ /{,usr/}bin/grep rix,
+ /{,usr/}bin/bash rix,
+
+ @{YTDL_PATH} rPx -> youtube_dl,
+
+ dbus send
+ bus="session"
+ path="/org/a11y/bus"
+ interface="org.freedesktop.DBus.Properties"
+ member="Get"
+ peer=(name="org.a11y.Bus"),
+
+ dbus send
+ bus="accessibility"
+ path="/org/a11y/atspi/accessible/root"
+ interface="org.a11y.atspi.Socket"
+ member="Embed"
+ peer=(name="org.a11y.atspi.Registry"),
+
+ dbus receive
+ bus="accessibility"
+ path="/org/a11y/atspi/accessible/root"
+ interface="org.freedesktop.DBus.Properties"
+ member="Set"
+ peer=(name=":*"),
+
+ dbus send
+ bus="accessibility"
+ path="/org/a11y/atspi/registry/deviceeventcontroller"
+ interface="org.a11y.atspi.DeviceEventController"
+ member="{GetKeystrokeListeners,GetDeviceEventListeners}"
+ peer=(name="org.a11y.atspi.Registry"),
+
+ dbus send
+ bus="accessibility"
+ path="/org/a11y/atspi/registry"
+ interface="org.a11y.atspi.Registry"
+ member="GetRegisteredEvents"
+ peer=(name="org.a11y.atspi.Registry"),
+
+ dbus receive
+ bus="accessibility"
+ path="/org/a11y/atspi/registry"
+ interface="org.a11y.atspi.Registry"
+ member="EventListenerDeregistered"
+ peer=(name=":*"),
+
+ dbus send
+ bus="session"
+ path="/org/gtk/vfs/mounttracker"
+ interface="org.gtk.vfs.MountTracker"
+ member="ListMountableInfo"
+ peer=(name=":*"),
+
+ # Ubuntu
+ owner @{HOME}/.cache/mesa_shader_cache/index rw,
+
+ dbus send
+ bus="session"
+ path="/org/a11y/bus"
+ interface="org.a11y.Bus"
+ member="GetAddress"
+ peer=(name="org.a11y.Bus"),
+
+ dbus send
+ bus="session"
+ path="/org/gtk/Settings"
+ interface="org.freedesktop.DBus.Properties"
+ member="GetAll"
+ peer=(name=":*"),
+
+ # save to smb shares, etc
+# network tcp,
+# network udp,
+
+ # or deny network access by itself
+ deny network tcp,
+ deny network udp,
+}
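Review bot: `@{DOWNLOAD_FOLDERS}` and `@{YTDL_PATH}` are redefined here with the same `# changeme` values as in usr.local.bin.youtube-dl, and the `@{YTDL_PATH} rPx -> youtube_dl,` transition means the two lists must stay identical, otherwise a folder the GUI may write to is denied in the child youtube_dl profile with no hint on the GUI side; defining both variables once in a shared tunables file included by both profiles (for example `#include <tunables/ytdl>`, name to be chosen) removes the duplication. The `owner /tmp/ytdl_prg w,` and `owner /tmp/ytdl_stderr w,` rules are likewise duplicated from the youtube_dl profile, so a comment here stating which side creates the files and which side only appends would document the shared-file contract. Fixed names under `/tmp` are also visible to every local user, so a per-user location such as `/run/user/*`, which this profile already references for dconf, would be the safer home if the program can be changed.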