Created
September 7, 2018 19:39
-
-
Save nemanjan00/0285cfddc57e72018ae5648872267882 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Last Modified: Fri Sep 7 21:20:10 2018 | |
| #include <tunables/global> | |
| /usr/bin/qutebrowser { | |
| #include <abstractions/audio> | |
| #include <abstractions/base> | |
| #include <abstractions/bash> | |
| #include <abstractions/dbus-session-strict> | |
| #include <abstractions/dri-common> | |
| #include <abstractions/dri-enumerate> | |
| #include <abstractions/fonts> | |
| #include <abstractions/freedesktop.org> | |
| #include <abstractions/nameservice> | |
| #include <abstractions/openssl> | |
| #include <abstractions/python> | |
| #include <abstractions/ubuntu-browsers.d/plugins-common> | |
| /etc/mime.types r, | |
| /etc/httpd/conf/mime.types r, | |
| /dev/dri/ r, | |
| /etc/ca-certificates/trust-source/ r, | |
| /etc/ca-certificates/trust-source/anchors/ r, | |
| /etc/ca-certificates/trust-source/blacklist/ r, | |
| /proc/ r, | |
| /proc/sys/kernel/yama/ptrace_scope r, | |
| /proc/vmstat r, | |
| /sys/bus/pci/devices/ r, | |
| /sys/devices/** r, | |
| /usr/bin/ r, | |
| /usr/bin/ldconfig mrix, | |
| /usr/bin/python3.7 ix, | |
| /usr/bin/python3.7 r, | |
| /usr/bin/qutebrowser r, | |
| /usr/lib/qt/libexec/QtWebEngineProcess ix, | |
| /usr/share/gtk-2.0/gtkrc r, | |
| /usr/share/qt/resources/qtwebengine_devtools_resources.pak r, | |
| /usr/share/qt/resources/qtwebengine_resources.pak r, | |
| /usr/share/qt/resources/qtwebengine_resources_100p.pak r, | |
| /usr/share/qt/resources/qtwebengine_resources_200p.pak r, | |
| /usr/share/qt/translations/qtwebengine_locales/en-US.pak r, | |
| owner "/run/user/1000/nemanjan00-qutebrowser/**" rwk, | |
| owner /dev/shm/** rw, | |
| owner /home/*/.Xauthority r, | |
| owner /home/*/.cache/fontconfig/** r, | |
| owner /home/*/.cache/mesa_shader_cache/** r, | |
| owner /home/*/.cache/mesa_shader_cache/index rw, | |
| owner /home/*/.cache/qt_compose_cache_little_endian_76ae5806f6df4c95ae56f30baaeb085d r, | |
| owner /home/*/.cache/** r, | |
| owner /home/*/.cache/qutebrowser/webengine/Cache/** rw, | |
| owner /home/*/.config/pulse/cookie rk, | |
| owner /home/*/.config/qutebrowser/** rw, | |
| owner /home/*/.drirc r, | |
| owner /home/*/.gtkrc-2.0 r, | |
| owner /home/*/.icons/default/index.theme r, | |
| owner /home/*/.local/lib/python3.7/site-packages/ r, | |
| owner /home/*/.local/lib/python3.7/site-packages/selenium-3.14.0.dist-info/ r, | |
| owner /home/*/.pki/nssdb/cert9.db rwk, | |
| owner /home/*/.pki/nssdb/key4.db rwk, | |
| owner /home/*/.pki/nssdb/pkcs11.txt r, | |
| owner /home/*/.themes/joker/gtk-2.0/apps.rc r, | |
| owner /home/*/.themes/joker/gtk-2.0/assets/trough-progressbar.png r, | |
| owner /home/*/.themes/joker/gtk-2.0/gtkrc r, | |
| owner /home/*/.themes/joker/gtk-2.0/main.rc r, | |
| owner /home/*/.themes/joker/gtk-2.0/panel.rc r, | |
| owner /home/*/.themes/joker/gtk-2.0/xfce-notify.rc r, | |
| owner /proc/*/cmdline r, | |
| owner /proc/*/fd/ r, | |
| owner /proc/*/mem r, | |
| owner /proc/*/mounts r, | |
| owner /proc/*/oom_score_adj w, | |
| owner /proc/*/task/ r, | |
| owner /proc/*/task/*/status r, | |
| owner /run/user/1000/nemanjan00-qutebrowser/** rwkl, | |
| owner /run/user/1000/qutebrowser/** w, | |
| owner /usr/lib/** mrw, | |
| } | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Nice start; I suggest converting the /proc/ rules to @{PROC}, the /home// rules to @{HOME}, /run/user/1000/ to /run/user//
I'm a bit surprised you needed /dev/dri and /sys/bus/pci/devices/ and similar rules, perhaps double-check they are missing from your dri abstractions, and file a bug report if those are missing and needed.
It might make sense to change the joker theme rules to owner @{HOME}/.themes/** r, -- if someone changes their GTK 2 themes, they'd probably want whatever here to change with it.
owner /home/*/.cache/** r, is probably too wide. Loads of applications can cache contents that might not be desirable to expose to a web browser.
owner /dev/shm/** rw, may be similarly too wide. Are the names used in this directory really not any more specific than this?
Thanks