Resolves #1 and #7.

nobody43 · Nov 22, 2021 · 3565292 · 3565292
1 parent e576d54
commit 3565292
Show file tree

Hide file tree

Showing 4 changed files with 258 additions and 25 deletions.
diff --git a/abstractions/3rd/network-allow b/abstractions/3rd/network-allow
@@ -0,0 +1,4 @@
+# vim:syntax=apparmor
+
+  network tcp,
+  network udp,
diff --git a/tunables/3rd/exts-image b/tunables/3rd/exts-image
@@ -0,0 +1,136 @@
+# vim:syntax=apparmor
+
+@{IMAGE_EXTS}  = [wW][bB][mM][pP]
+@{IMAGE_EXTS} += 3[dD][sS]
+@{IMAGE_EXTS} += [qQ][iI][fF]
+@{IMAGE_EXTS} += [wW][mM][fF]
+@{IMAGE_EXTS} += [eE][rR][fF]
+@{IMAGE_EXTS} += [pP][bB][mM]
+@{IMAGE_EXTS} += [eE][pP][sS][iI]
+@{IMAGE_EXTS} += [dD][nN][gG]
+@{IMAGE_EXTS} += [kK][tT][xX]2
+@{IMAGE_EXTS} += [gG][iI][fF]
+@{IMAGE_EXTS} += [cC][uU][rR]
+@{IMAGE_EXTS} += [xX][cC][fF].[gG][zZ]
+@{IMAGE_EXTS} += [pP][sS][dD]
+@{IMAGE_EXTS} += [dD][dD][sS]
+@{IMAGE_EXTS} += [rR][aA][wW]
+@{IMAGE_EXTS} += [xX][cC][fF]
+@{IMAGE_EXTS} += [jJ][nN][gG]
+@{IMAGE_EXTS} += [aA][gG]
+@{IMAGE_EXTS} += [pP][iI][cC][tT]2
+@{IMAGE_EXTS} += [lL][bB][mM]
+@{IMAGE_EXTS} += [iI][cC][nN][sS]
+@{IMAGE_EXTS} += [cC][rR][wW]
+@{IMAGE_EXTS} += [hH][eE][iI][cC]
+@{IMAGE_EXTS} += [sS][kK]
+@{IMAGE_EXTS} += [jJ][pP][eE]
+@{IMAGE_EXTS} += [sS][vV][gG]
+@{IMAGE_EXTS} += [pP][nN][tT][gG]
+@{IMAGE_EXTS} += [lL][wW][oO]
+@{IMAGE_EXTS} += [eE][mM][fF]
+@{IMAGE_EXTS} += [pP][iI][cC]
+@{IMAGE_EXTS} += [mM][oO][sS]
+@{IMAGE_EXTS} += [xX][cC][fF].[bB][zZ]2
+@{IMAGE_EXTS} += [fF][iI][tT][sS]
+@{IMAGE_EXTS} += [eE][pP][sS][iI].[gG][zZ]
+@{IMAGE_EXTS} += [fF][iI][gG]
+@{IMAGE_EXTS} += [jJ][pP][mM]
+@{IMAGE_EXTS} += [pP][aA][tT]
+@{IMAGE_EXTS} += [kK][tT][xX]
+@{IMAGE_EXTS} += [eE][pP][sS]
+@{IMAGE_EXTS} += [gG]3
+@{IMAGE_EXTS} += [rR][lL][eE]
+@{IMAGE_EXTS} += [lL][wW][sS]
+@{IMAGE_EXTS} += [vV][dD][aA]
+@{IMAGE_EXTS} += [aA][vV][iI][fF][sS]
+@{IMAGE_EXTS} += [bB][mM][qQ]
+@{IMAGE_EXTS} += [lL][wW][oO][bB]
+@{IMAGE_EXTS} += [dD][jJ][vV]
+@{IMAGE_EXTS} += [sS][rR]2
+@{IMAGE_EXTS} += [sS][gG][iI]
+@{IMAGE_EXTS} += [jJ]2[cC]
+@{IMAGE_EXTS} += [jJ][pP][fF]
+@{IMAGE_EXTS} += [iI][cC][oO]
+@{IMAGE_EXTS} += [eE][pP][sS][fF].[gG][zZ]
+@{IMAGE_EXTS} += [eE][xX][rR]
+@{IMAGE_EXTS} += [rR][aA][fF]
+@{IMAGE_EXTS} += [sS][rR][fF]
+@{IMAGE_EXTS} += [xX][bB][mM]
+@{IMAGE_EXTS} += [rR][gG][bB]
+@{IMAGE_EXTS} += [gG][bB][rR]
+@{IMAGE_EXTS} += [hH][dD][rR]
+@{IMAGE_EXTS} += [hH][rR][dD]
+@{IMAGE_EXTS} += [bB][mM][pP]
+@{IMAGE_EXTS} += [jJ][pP][gG]2
+@{IMAGE_EXTS} += [vV][sS][tT]
+@{IMAGE_EXTS} += [jJ][pP][cC]
+@{IMAGE_EXTS} += [kK]25
+@{IMAGE_EXTS} += [xX]3[fF]
+@{IMAGE_EXTS} += [iI][fF][fF]
+@{IMAGE_EXTS} += [sS][kK]1
+@{IMAGE_EXTS} += [sS][vV][gG][zZ]
+@{IMAGE_EXTS} += [iI][lL][bB][mM]
+@{IMAGE_EXTS} += [mM][dD][cC]
+@{IMAGE_EXTS} += [dD][iI][bB]
+@{IMAGE_EXTS} += [pP][eE][fF]
+@{IMAGE_EXTS} += [rR][aA][sS]
+@{IMAGE_EXTS} += [bB][aA][yY]
+@{IMAGE_EXTS} += [mM][dD][iI]
+@{IMAGE_EXTS} += [eE][pP][sS][fF].[bB][zZ]2
+@{IMAGE_EXTS} += [wW][eE][bB][pP]
+@{IMAGE_EXTS} += [aA][vV][iI][fF]
+@{IMAGE_EXTS} += [rR][pP]
+@{IMAGE_EXTS} += [cC][sS]2
+@{IMAGE_EXTS} += [eE][pP][sS][fF]
+@{IMAGE_EXTS} += [iI][eE][fF]
+@{IMAGE_EXTS} += [pP][iI][cC][tT]1
+@{IMAGE_EXTS} += [kK][dD][cC]
+@{IMAGE_EXTS} += [pP][cC][dD]
+@{IMAGE_EXTS} += [pP][nN][mM]
+@{IMAGE_EXTS} += [pP][iI][cC][tT]
+@{IMAGE_EXTS} += [pP][nN][gG]
+@{IMAGE_EXTS} += [nN][eE][fF]
+@{IMAGE_EXTS} += [dD][cC][rR]
+@{IMAGE_EXTS} += [tT][pP][iI][cC]
+@{IMAGE_EXTS} += [tT][gG][aA]
+@{IMAGE_EXTS} += [eE][pP][sS][iI].[bB][zZ]2
+@{IMAGE_EXTS} += [pP][cC][xX]
+@{IMAGE_EXTS} += [cC][sS]1
+@{IMAGE_EXTS} += [rR][dD][cC]
+@{IMAGE_EXTS} += [dD][xX][fF]
+@{IMAGE_EXTS} += [gG][iI][hH]
+@{IMAGE_EXTS} += [jJ][pP][gG]
+@{IMAGE_EXTS} += [pP][gG][mM]
+@{IMAGE_EXTS} += [jJ][pP][xX]
+@{IMAGE_EXTS} += [pP][pP][mM]
+@{IMAGE_EXTS} += [pP][cC][tT]
+@{IMAGE_EXTS} += [jJ]2[kK]
+@{IMAGE_EXTS} += [dD][jJ][vV][uU]
+@{IMAGE_EXTS} += [sS][uU][nN]
+@{IMAGE_EXTS} += [eE][pP][sS].[bB][zZ]2
+@{IMAGE_EXTS} += [cC][gG][mM]
+@{IMAGE_EXTS} += [iI][cC][bB]
+@{IMAGE_EXTS} += [dD][wW][gG]
+@{IMAGE_EXTS} += [eE][pP][sS].[gG][zZ]
+@{IMAGE_EXTS} += [mM][sS][oO][dD]
+@{IMAGE_EXTS} += [oO][rR][aA]
+@{IMAGE_EXTS} += [tT][iI][fF][fF]
+@{IMAGE_EXTS} += [aA][rR][wW]
+@{IMAGE_EXTS} += [mM][rR][wW]
+@{IMAGE_EXTS} += [aA][sS][tT][cC]
+@{IMAGE_EXTS} += [qQ][tT][iI][fF]
+@{IMAGE_EXTS} += [tT][iI][fF]
+@{IMAGE_EXTS} += [fF][fF][fF]
+@{IMAGE_EXTS} += [xX][pP][mM]
+@{IMAGE_EXTS} += [jJ][pP][gG][mM]
+@{IMAGE_EXTS} += [hH][eE][iI][fF]
+@{IMAGE_EXTS} += [cC][rR]2
+@{IMAGE_EXTS} += [oO][rR][fF]
+@{IMAGE_EXTS} += [xX][wW][dD]
+@{IMAGE_EXTS} += [rR][wW]2
+@{IMAGE_EXTS} += [pP][nN][xX]
+@{IMAGE_EXTS} += [jJ][pP][eE][gG]
+@{IMAGE_EXTS} += [jJ][pP]2
+
+#include if exists <local/tunables/3rd/exts-image>
diff --git a/tunables/3rd/exts-video b/tunables/3rd/exts-video
@@ -0,0 +1,69 @@
+# vim:syntax=apparmor
+
+@{VIDEO_EXTS}  = [aA][xX][vV]
+@{VIDEO_EXTS} += [mM][jJ]2
+@{VIDEO_EXTS} += [wW][mM][pP]
+@{VIDEO_EXTS} += [mM]2[tT][sS]
+@{VIDEO_EXTS} += [mM][oO][vV][iI][eE]
+@{VIDEO_EXTS} += [mM][xX][uU]
+@{VIDEO_EXTS} += [mM][pP][gG]
+@{VIDEO_EXTS} += [mM][lL][tT]
+@{VIDEO_EXTS} += [oO][gG][mM]
+@{VIDEO_EXTS} += [mM][pP]2
+@{VIDEO_EXTS} += [bB][dD][mM]
+@{VIDEO_EXTS} += [mM][pP][lL][sS]
+@{VIDEO_EXTS} += [aA][nN][iI][mM][1-9][jJ]
+@{VIDEO_EXTS} += [vV][iI][vV]
+@{VIDEO_EXTS} += [vV][iI][vV][oO]
+@{VIDEO_EXTS} += [rR][vV][xX]
+@{VIDEO_EXTS} += [fF][lL][iI]
+@{VIDEO_EXTS} += [dD][iI][fF]
+@{VIDEO_EXTS} += [fF][lL][vV]
+@{VIDEO_EXTS} += [mM][pP][lL]
+@{VIDEO_EXTS} += 3[gG][pP]
+@{VIDEO_EXTS} += [cC][pP][iI]
+@{VIDEO_EXTS} += [mM][jJ][pP][gG]
+@{VIDEO_EXTS} += [mM][oO][oO][vV]
+@{VIDEO_EXTS} += [mM][pP][eE][gG]
+@{VIDEO_EXTS} += [fF]4[vV]
+@{VIDEO_EXTS} += [mM]1[uU]
+@{VIDEO_EXTS} += [qQ][tT]
+@{VIDEO_EXTS} += [mM][jJ][pP]2
+@{VIDEO_EXTS} += [aA][vV][iI]
+@{VIDEO_EXTS} += [cC][lL][pP][iI]
+@{VIDEO_EXTS} += [bB][dD][mM][vV]
+@{VIDEO_EXTS} += [wW][eE][sS][tT][lL][eE][yY]
+@{VIDEO_EXTS} += [oO][gG][gG]
+@{VIDEO_EXTS} += [wW][eE][bB][mM]
+@{VIDEO_EXTS} += [mM][nN][gG]
+@{VIDEO_EXTS} += [wW][mM][vV]
+@{VIDEO_EXTS} += [0-9][0-9][0-9].[vV][dD][rR]
+@{VIDEO_EXTS} += [fF][xX][mM]
+@{VIDEO_EXTS} += [mM][jJ][pP][eE][gG]
+@{VIDEO_EXTS} += [mM]4[vV]
+@{VIDEO_EXTS} += [mM]4[uU]
+@{VIDEO_EXTS} += [mM][pP]4
+@{VIDEO_EXTS} += [mM]2[tT]
+@{VIDEO_EXTS} += [oO][gG][vV]
+@{VIDEO_EXTS} += [dD][iI][vV][xX]
+@{VIDEO_EXTS} += [qQ][tT][vV][rR]
+@{VIDEO_EXTS} += 3[gG][pP][pP]
+@{VIDEO_EXTS} += [tT][sS]
+@{VIDEO_EXTS} += [fF][lL][cC]
+@{VIDEO_EXTS} += [vV][oO][bB]
+@{VIDEO_EXTS} += [lL][rR][vV]
+@{VIDEO_EXTS} += [mM][kK]3[dD]
+@{VIDEO_EXTS} += [rR][vV]
+@{VIDEO_EXTS} += 3[gG][pP][pP]2
+@{VIDEO_EXTS} += [mM][tT][sS]
+@{VIDEO_EXTS} += 3[gG][pP]2
+@{VIDEO_EXTS} += 3[gG]2
+@{VIDEO_EXTS} += [mM][oO][vV]
+@{VIDEO_EXTS} += [mM][kK][vV]
+@{VIDEO_EXTS} += [dD][vV]
+@{VIDEO_EXTS} += [nN][sS][vV]
+@{VIDEO_EXTS} += [aA][vV][fF]
+@{VIDEO_EXTS} += [mM][pP][eE]
+@{VIDEO_EXTS} += 3[gG][aA]
+
+#include if exists <local/tunables/3rd/exts-video>
diff --git a/usr.bin.ristretto b/usr.bin.ristretto
@@ -1,11 +1,17 @@
 # vim:syntax=apparmor
 
-abi <abi/3.0>,
-
 #include <tunables/global>
+#include <tunables/3rd/exts-image>
+
+#@{more_exts}                = [xX][xX][xX]
 
-# changeme; /home already included except dotfiles
-@{PIC_DIRS}=/usr/share /var/local /media /mnt /tmp
+# adjust in local; /home already included except dotfiles
+@{RISTRETTO_DIRS_RO}        = /usr/share
+@{RISTRETTO_DIRS_RW}        = /var/local /media /mnt /tmp
+@{RISTRETTO_EXTS}           = @{IMAGE_EXTS}
+@{RISTRETTO_EXTS_SILENCED}  = [hH][tT][mM]
+@{RISTRETTO_EXTS_SILENCED} += [hH][tT][mM][lL]
+#include if exists <local/tunables/3rd/usr.bin.ristretto>
 
 profile ristretto /usr/bin/ristretto {
   /usr/bin/ristretto r,
@@ -17,40 +23,62 @@ profile ristretto /usr/bin/ristretto {
   #include <abstractions/freedesktop.org>
   #include <abstractions/private-files>
   #include <abstractions/private-files-strict>
-#  #include <abstractions/3rd/file-chooser>
+#  #include <abstractions/gnome>                                # relaxed with large footprint
+  #include if exists <abstractions/3rd/file-chooser_ristretto>
+  #include if exists <abstractions/3rd/network-allow_ristretto> # pictures on smb shares, etc
+
+        @{RISTRETTO_DIRS_RO}/{,**/}                        r,   # read dirs
+        @{RISTRETTO_DIRS_RO}/**.@{RISTRETTO_EXTS}          r,   # read files
+        @{RISTRETTO_DIRS_RW}/{,**/}                        r,
+        @{RISTRETTO_DIRS_RW}/**.@{RISTRETTO_EXTS}          rwk, # write files (=delete)
+
+  owner @{HOME}/{,[^.]*,**/}                               r,   # dirs,  but not dotdirs
+  owner @{HOME}/[^.]{,**/}*.@{RISTRETTO_EXTS}              rwk, # files, but not dotfiles
+  owner /{,var/}run/user/[0-9]*/gvfs/{,**/}                r,   # USB storage
+  owner /{,var/}run/user/[0-9]*/gvfs/**.@{RISTRETTO_EXTS}  rwk,
+
+  owner @{HOME}/.cache/.fr-*/{,**/}                        r,   # file roller
+  owner @{HOME}/.cache/.fr-*/**.@{RISTRETTO_EXTS}          r,
+  owner @{HOME}/.cache/thumbnails/{,**}                    r,
+
+  deny  /**.@{RISTRETTO_EXTS_SILENCED}                     r,
 
-  owner @{HOME}/{,[^.]*}{,/**}  rw, # home itself, not dotfiles, nested files
-        @{PIC_DIRS}/{,**}       r,  # read
-        @{PIC_DIRS}/{,**}        w, # write (=delete)
+  # Trashing; dirs must exist
+  owner @{HOME}/.local/share/Trash/**.@{RISTRETTO_EXTS}{,.trashinfo}{,.??????} rwk,
+  owner @{HOME}/.local/share/gvfs-metadata/**              r,
 
-  deny /var/log/{,**} mrwkl,  # protect the logs
+  owner @{HOME}/.config/ristretto/{,**}                    rwk,
+  owner @{HOME}/.local/share/ristretto/{,**}               rwk,
 
-  owner @{HOME}/.config/ristretto/{,**}      rwk,
-  owner @{HOME}/.local/share/ristretto/{,**} rwk,
-  owner @{HOME}/.local/share/                r,
-  owner @{HOME}/.cache/thumbnails/{,**}      r,
+  deny  @{HOME}/.local/share/                              r,
+  deny  @{HOME}/.xsession-errors                           r,
+  deny  @{HOME}/.xfce4-session.verbose-log{,.last}         r,
 
+  owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/{mountinfo,mounts} r,
   /{,var/}run/mount/utab r,
 
-  /etc/xfce[0-9]/defaults.list r,
   /etc/magic r,
+  /usr/share/xfce[3-5]/applications/mimeinfo.cache r,
+  /etc/xfce[0-9]/defaults.list r,
+  /usr/share/*ubuntu/applications/defaults.list r,
+  /usr/share/themes/** r,
   /var/lib/snapd/desktop/icons/ r,
-  owner /tmp/dbus-* w,
+  owner /tmp/dbus-* rw,
 
   # gnome-tiny
   /etc/gnome/defaults.list r,
   /etc/gtk-[0-9].[0-9]*/settings.ini r,
 
   # edit button; comment out for significantly less footprint
-  /{,usr/}bin/dash rPx -> ristretto//dash,
-  owner @{PROC}/@{pid}/fd/ r,
+  /{,usr/}bin/dash                                           rPx -> ristretto_opener, # Ubuntu
+  /usr/lib/@{multiarch}/glib-[0-9].[0-9]*/gio-launch-desktop rPx -> ristretto_opener, # Debian
 
   dbus (send, receive)
        bus="session"
        path="/org/freedesktop/thumbnails/Thumbnailer1"
        interface="org.freedesktop.thumbnails.Thumbnailer1"
-       member="{Started,Ready,Finished,Queue,Dequeue}"
+       member="{Started,Ready,Finished,Queue,Dequeue,Error}"
        peer=(name=:*),
 
   dbus send
@@ -137,14 +165,10 @@ profile ristretto /usr/bin/ristretto {
        member="ListMountableInfo"
        peer=(name=:*),
 
-  # pictures on smb shares, etc
-  network tcp,
-  network udp,
-
-  include if exists <local/usr.bin.ristretto>
+  #include if exists <local/usr.bin.ristretto>
 }
 
-profile ristretto//dash {
+profile ristretto_opener {
   /{,usr/}bin/dash r,
   #include <abstractions/base>
   #include <abstractions/ubuntu-helpers>
@@ -154,5 +178,5 @@ profile ristretto//dash {
   # sanitized, slightly less bad than Ux; "Use at your own risk."
   /usr/bin/gimp-[2-3].[0-9]{,[0-9]} Cx -> sanitized_helper,
 
-  include if exists <local/usr.bin.ristretto_dash>
+  #include if exists <local/usr.bin.ristretto_dash>
 }