This file is indexed.

/etc/apparmor.d/usr.bin.surf is in surf 2.0-5.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

#include <tunables/global>

# AppArmor profile for the surf web browser, attached by path to /usr/bin/surf.
# When the profile is enforced, access that is not granted below (or by one of
# the pulled-in abstractions) is denied.
# NOTE(review): none of the @{HOME} rules carry the `owner` qualifier, so the
# policy itself does not limit them to files owned by the running user; only
# ordinary file permissions do. Consider prefixing them with `owner`.
/usr/bin/surf {
  # Rule sets defined outside this file (shipped abstractions). What each one
  # grants cannot be seen from here; review them together with this profile.
  #include <abstractions/X>
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/enchant>
  #include <abstractions/dconf>
  #include <abstractions/fonts>
  #include <abstractions/freedesktop.org>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>

  # surf's own state directory: create the directory, then read/write/lock/link
  # anything beneath it.
  @{HOME}/.surf/ w,
  @{HOME}/.surf/** rwkl,
  # Read (list) the cache directory itself; only the dconf entries below are
  # writable here.
  @{HOME}/.cache/ r,
  @{HOME}/.cache/dconf/ w,
  @{HOME}/.cache/dconf/user rw,

  # The process may read its own command line and list its own open file
  # descriptors (@{pid} is the tunable used for the /proc/<pid> component).
  @{PROC}/@{pid}/cmdline r,
  @{PROC}/@{pid}/fd/ r,

  # Directory listing of /dev/dri only (trailing slash = the directory itself);
  # no rule here opens the device nodes inside it.
  /dev/dri/ r,
  # Read-only view of PCI device attributes in sysfs.
  # presumably for GPU detection by the rendering stack; confirm.
  /sys/devices/pci[0-9]*/** r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  # Read-only access to installed package documentation.
  /usr/share/doc/** r,

  # GStreamer (media playback)
  #include <abstractions/gstreamer>
  # Pix -> gst_plugin_scanner: run the plugin scanner under the profile named
  # gst_plugin_scanner when one is loaded, otherwise fall back to inheriting
  # this profile. That profile is not defined in this file.
  /usr/lib/@{multiarch}/gstreamer[0-9].[0-9]/gstreamer-[0-9].[0-9]/gst-plugin-scanner Pix -> gst_plugin_scanner,
  @{HOME}/.cache/gstreamer-[0-9].[0-9]/registry.*.bin* rw,
  # Write-only: files matching orcexec.* directly in the home directory.
  # presumably ORC's temporary code files; note there is no `m` permission,
  # so they cannot be mapped executable under this rule. TODO confirm intent.
  @{HOME}/orcexec.* w,


  # WebKit
  # ix: the WebKit helper processes stay inside this same profile.
  /usr/lib/@{multiarch}/webkit2gtk-4.0/WebKit*Process ix,
  /{dev,run}/shm/WK2SharedMemory.* rw,
  /var/tmp/WebKit-Media-* rw,
  @{HOME}/.local/share/webkitgtk/ w,
  @{HOME}/.local/share/webkitgtk/** rw,
  @{HOME}/.cache/webkitgtk/ w,
  @{HOME}/.cache/webkitgtk/** rwk,


  # Helper programs, all executed with ix (inherit): they run under this same
  # profile and gain nothing beyond what is listed here.
  # presumably the shell pipelines surf uses for its prompts and X properties;
  # confirm against the packaged surf configuration.
  /usr/bin/surf ix,
  /bin/dash ix,
  /bin/sed ix,
  /usr/bin/dmenu ix,
  /usr/bin/printf ix,
  /usr/bin/xargs ix,
  /usr/bin/xprop ix,

  # for downloading files
  # Pseudo-terminal access for the terminal (stterm) that hosts the download.
  # NOTE(review): /dev/pts/* matches every pty slave, not just the one opened
  # for the download; file ownership is the only remaining restriction.
  /dev/ptmx rw,
  /dev/pts/* rw,
  /bin/sleep ix,
  /usr/bin/stterm ix,
  # unconfined because it is called in (and downloading to) the cwd
  # Ux = run curl with NO AppArmor confinement (uppercase U scrubs the
  # environment first). NOTE(review): this is the weakest point of the
  # profile. Every process confined here, including the inherited shell and
  # the WebKit helpers, may start curl, and curl is then not bound by any file
  # rule above. A dedicated child profile (Cx) or separate profile (Px) that
  # allows only network access and writes to the intended download location
  # would keep downloads working while preserving the confinement boundary.
  /usr/bin/curl Ux,
}