update

nobody43 · Nov 22, 2021 · 541b804 · 541b804
1 parent 49b2696
commit 541b804
Show file tree

Hide file tree

Showing 4 changed files with 124 additions and 27 deletions.
diff --git a/usr.lib.systemd.systemd-timesyncd b/usr.lib.systemd.systemd-timesyncd
@@ -0,0 +1,50 @@
+# vim:syntax=apparmor
+
+#include <tunables/global>
+
+# adjust in local
+@{ETC_DIRS} = /etc /var/local/etc
+#include if exists <local/tunables/3rd/usr.lib.systemd.systemd-timesyncd>
+
+#profile systemd_timesyncd /{,usr/}lib/systemd/systemd-timesyncd {                            # Debian
+profile systemd_timesyncd /{,usr/}lib/systemd/systemd-timesyncd flags=(attach_disconnected) { # Ubuntu
+  #include <abstractions/base>
+  #include <abstractions/3rd/nameservice-strict>
+
+  capability sys_time,
+
+  @{ETC_DIRS}/adjtime         r,
+  /etc/systemd/timesyncd.conf r,
+
+  owner @{PROC}/@{pid}/stat               r,
+        @{PROC}/@{pid}/sched              r,
+        @{PROC}/cmdline                   r,
+        @{PROC}/sys/kernel/random/boot_id r,
+        @{PROC}/sys/kernel/osrelease      r,
+
+  owner /var/lib/systemd/timesync/clock           rw,
+  owner /{,var/}run/systemd/timesync/synchronized rw,
+
+  # Ubuntu
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+
+  /{,var/}run/systemd/journal/socket rw,
+  /{,var/}run/systemd/notify         rw,
+  /{,var/}run/dbus/system_bus_socket rw,
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={Hello,RequestName}
+       peer=(name=org.freedesktop.DBus),
+
+  dbus bind
+       bus=system
+       name=org.freedesktop.timesync1,
+
+  #include if exists <local/usr.lib.systemd.systemd-timesyncd>
+}
diff --git a/usr.local.bin.gallery-dl b/usr.local.bin.gallery-dl
@@ -0,0 +1,40 @@
+# vim:syntax=apparmor
+
+#include <tunables/global>
+
+# adjust in local
+@{GLDL_DIRS} = @{HOME}/Downloads/gallery-dl @{HOME}/gallery-dl /tmp/gallery-dl
+#include if exists <local/tunables/3rd/usr.local.bin.gallery-dl>
+
+profile gallery_dl /usr/{,local/}bin/gallery-dl {
+  /usr/{,local/}bin/gallery-dl rix,
+  #include <abstractions/base>
+  #include <abstractions/openssl>
+  #include <abstractions/ssl_certs>
+  #include <abstractions/python>
+  #include <abstractions/3rd/nameservice-strict>
+
+  owner @{GLDL_DIRS}/{,**}       rwk,
+
+  /etc/gallery-dl.conf r,
+
+  owner @{HOME}/.config/gallery-dl/config.json r,
+  owner @{HOME}/.gallery-dl.conf               r,
+  owner @{HOME}/.cache/gallery-dl/{,**}        rwk,
+
+  owner @{HOME}/.netrc r,
+
+  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-9],3.[0-9][0-9]}/{site,dist}-packages/gallery_dl/{,**} r,
+  /usr/lib/python3/dist-packages/idna/__pycache__/{,**} rw,
+
+  deny /usr/local/bin/ r,  # ??
+
+  # Ubuntu
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  #include if exists <local/usr.local.bin.gallery-dl>
+}
diff --git a/usr.local.bin.youtube-dl b/usr.local.bin.youtube-dl
@@ -2,19 +2,20 @@
 
 #include <tunables/global>
 
-# changeme
-@{DOWNLOAD_FOLDERS}=@{HOME}/Downloads /tmp/ytdl
-@{YTDL_PATH}=/usr/{,local/}bin/{youtube-dl,yt-dlp}*
+# adjust in local
+@{YTDL_DIRS} = @{HOME}/Downloads /tmp/ytdl
+@{YTDL_BINS} = /usr/{,local/}bin/{youtube-dl,yt-dlp}*
+#include if exists <local/tunables/3rd/usr.local.bin.youtube-dl>
 
-profile youtube_dl @{YTDL_PATH} {
-  @{YTDL_PATH} r,
+profile youtube_dl @{YTDL_BINS} {
+  @{YTDL_BINS} r,
   #include <abstractions/base>
   #include <abstractions/openssl>
   #include <abstractions/ssl_certs>
 #  #include <abstractions/nameservice>
   #include <abstractions/3rd/nameservice-strict>
 
-  @{DOWNLOAD_FOLDERS}/** rwk,
+  @{YTDL_DIRS}/** rwk,
 
   /etc/youtube-dl.conf   r,
   /etc/mime.types        r,
@@ -24,7 +25,7 @@ profile youtube_dl @{YTDL_PATH} {
 
   owner @{HOME}/.cache/youtube-dl/{,**}   rwk,
   owner @{HOME}/.config/youtube-dl/{,**}  r,
-#  owner @{HOME}/.netrc                    r,
+  owner @{HOME}/.netrc                    r,
 
   owner /tmp/ytdl_prg    rw,
   owner /tmp/ytdl_stderr rw,
@@ -36,6 +37,9 @@ profile youtube_dl @{YTDL_PATH} {
   /{,usr/}bin/stty                               rix,
   /{,usr/}sbin/ldconfig{,.real}                  rix,
   /{,usr/}bin/uname                              rix,
+  /{,usr/}bin/file                               rix,
+
+  /etc/magic r,
 
   /usr/local/lib{,32,64}/python{2.[4-7],3.[0-9],3.[0-9][0-9]}/{site,dist}-packages/{,youtube_dl/**} r,
   deny /usr/bin/ r,  # ?; noisy
@@ -45,43 +49,47 @@ profile youtube_dl @{YTDL_PATH} {
     /usr/bin/ffmpeg r,
     #include <abstractions/base>
 
-    @{DOWNLOAD_FOLDERS}/** rw,
+    @{YTDL_DIRS}/** rw,
 
     /sys/devices/system/node/{,node[0-9]*/meminfo} r,
 
-    include if exists <local/usr.local.bin.youtube-dl_ffmpeg>
-#    #include <local/usr.local.bin.youtube-dl_ffmpeg>
+    # livestreams
+#    #include <abstractions/3rd/nameservice-strict>
+#    #include <abstractions/ssl_certs>
+#    network tcp,
+#    network udp,
+#    network netlink raw,
+
+    #include if exists <local/usr.local.bin.youtube-dl_ffmpeg>
   }
 
   /usr/bin/ffprobe Cx,
   profile ffprobe /usr/bin/ffprobe {
     /usr/bin/ffprobe r,
     #include <abstractions/base>
 
-    @{DOWNLOAD_FOLDERS}/** r,
+    @{YTDL_DIRS}/** r,
 
     /sys/devices/system/node/{,node[0-9]*/meminfo} r,
 
     # some media-providers require network
     network tcp,
 
-    include if exists <local/usr.local.bin.youtube-dl_ffprobe>
-#    #include <local/usr.local.bin.youtube-dl_ffprobe>
+    #include if exists <local/usr.local.bin.youtube-dl_ffprobe>
   }
 
   /{,usr/}bin/dash Cx,
   profile dash /{,usr/}bin/dash {
     /{,usr/}bin/dash r,
     #include <abstractions/base>
 
-    @{DOWNLOAD_FOLDERS}/** rw,
+    @{YTDL_DIRS}/** rw,
 
     # --exec commands goes here
 #    /bin/mv         rix,
 #    /bin/cp          Ux,   # Unrestricted, DANGEROUS
 
-    include if exists <local/usr.local.bin.youtube-dl_dash>
-#    #include <local/usr.local.bin.youtube-dl_dash>
+    #include if exists <local/usr.local.bin.youtube-dl_dash>
   }
 
   # yt-dlp
@@ -101,6 +109,5 @@ profile youtube_dl @{YTDL_PATH} {
   network udp,
   network netlink raw,
 
-  include if exists <local/usr.local.bin.youtube-dl>
-#  #include <local/usr.local.bin.youtube-dl>
+  #include if exists <local/usr.local.bin.youtube-dl>
 }
diff --git a/usr.local.bin.youtubedl-gui b/usr.local.bin.youtubedl-gui
@@ -2,9 +2,10 @@
 
 #include <tunables/global>
 
-# changeme
-@{DOWNLOAD_FOLDERS}=@{HOME}/Downloads /tmp/ytdl
-@{YTDL_PATH}=/usr/{,local/}bin/{youtube-dl,yt-dlp}*
+# adjust in local
+@{YTDL_DIRS} = @{HOME}/Downloads /tmp/ytdl
+@{YTDL_BINS} = /usr/{,local/}bin/{youtube-dl,yt-dlp}*
+#include if exists <local/tunables/3rd/usr.local.bin.youtubedl-gui>
 
 profile youtubedl_gui /usr/{,local/}bin/youtubedl-gui {
   /usr/{,local/}bin/youtubedl-gui r,
@@ -19,10 +20,10 @@ profile youtubedl_gui /usr/{,local/}bin/youtubedl-gui {
   #include <abstractions/private-files-strict>
 #  #include <abstractions/nameservice>
   #include <abstractions/3rd/nameservice-strict>
-#  #include <abstractions/3rd/file-chooser>
-#  #include <abstractions/3rd/dbus-overwrite>
+  #include if exists <abstractions/3rd/file-chooser_ytdlgui>
+  #include if exists <abstractions/3rd/dbus-overwrite_ytdlgui>
 
-  @{DOWNLOAD_FOLDERS}/** rw,
+  @{YTDL_DIRS}/** rwk,
 
   # qt5-settings-write-deny (modification)
   deny owner @{HOME}/.config/QtProject.conf* wkl,
@@ -51,7 +52,7 @@ profile youtubedl_gui /usr/{,local/}bin/youtubedl-gui {
   /{,usr/}bin/grep   rix,
   /{,usr/}bin/bash   rix,
 
-  @{YTDL_PATH}       rPx -> youtube_dl,
+  @{YTDL_BINS}       rPx -> youtube_dl,
 
   dbus send
        bus="session"
@@ -127,6 +128,5 @@ profile youtubedl_gui /usr/{,local/}bin/youtubedl-gui {
   deny network tcp,
   deny network udp,
 
-  include if exists <local/usr.local.bin.youtubedl-gui>
-#  #include <local/usr.local.bin.youtubedl-gui>
+  #include if exists <local/usr.local.bin.youtubedl-gui>
 }