
# This AppArmor profile is part of the etherpad-lite package
# Georg Pfuetzenreuter <mail+apparmor@georg-pfuetzenreuter.net>

abi <abi/3.0>,

include <tunables/global>

# Installation root of Etherpad; the application path rules in the profile below
# are all anchored on this variable.
@{EP_BASE}=/srv/www/etherpad-lite
# Path of the esbuild binary inside the pnpm store. The version directory is
# globbed (0.*.*), so both the exec rule in the parent profile and the esbuild
# child profile keep matching across 0.x package updates.
@{ESBUILD}=@{EP_BASE}/node_modules/.pnpm/@esbuild+linux-x64@0.*.*/node_modules/@esbuild/linux-x64/bin/esbuild

# Confinement for the Etherpad service process (node running the Etherpad code).
# Everything under @{EP_BASE} is granted read-only except the minified cache
# files; the only other writable locations are under /tmp. The two helper
# binaries (abiword, esbuild) run in their own child profiles defined below.
#
# attach_disconnected: paths that are disconnected from the process's mount
# namespace are attached to the root and mediated, rather than being rejected.
# NOTE(review): presumably needed because the service runs in a namespaced
# unit - confirm it is still required.
profile etherpad flags=(attach_disconnected) {
  include <abstractions/base>
  # NOTE(review): in upstream AppArmor this abstraction also carries the
  # network rules; this profile has no explicit "network" rule of its own, so
  # the service's network access appears to come from here - confirm.
  include <abstractions/nameservice>
  include <abstractions/openssl>

  # Explicit denials: listing the system directories /lib/, /usr/, /usr/bin/,
  # /usr/sbin/ and /usr/lib/, and executing ldd and getconf. Deny rules take
  # precedence over allow rules and are not logged unless audited.
  # NOTE(review): presumably these are harmless probes made by the runtime that
  # would otherwise fill the audit log - confirm.
  deny /{lib,usr}/ r,
  deny /usr/bin/ldd x,
  deny /usr/lib/getconf/getconf x,
  deny /usr/{{,s}bin,lib}/ r,

  /dev/null r,

  # Helper binaries: Cx switches to the named child profile below and scrubs
  # the environment on exec, so a helper never inherits this profile's rights.
  /usr/bin/abiword Cx -> abiword,
  @{ESBUILD} Cx -> esbuild,
  # ix = inherit: node and the pnpm entry script keep running under this same
  # profile instead of transitioning to another one.
  /usr/bin/node{,20} mrix,
  /usr/lib/node_modules/pnpm/bin/pnpm.cjs mrix,
  # Read-only, no execute permission on the launcher itself.
  /usr/bin/pnpm r,

  # ICU data and the system CA bundle, read-only.
  /usr/share/icu/[0-9][0-9].[0-9]/icudt[0-9][0-9]l.dat r,
  /var/lib/ca-certificates/ca-bundle.pem r,

  # Limited /proc visibility; the per-process entries are restricted to
  # processes owned by the same user.
  /proc/sys/crypto/fips_enabled r,
  /proc/version r,
  owner /proc/@{pid}/{cgroup,stat} r,

  # Configuration is read-only: the confined service cannot rewrite its own
  # settings file.
  /etc/etherpad-lite/settings.json r,

  # Application code, dependencies and static assets. None of the rules in this
  # group grants write access, so a compromised service process cannot modify
  # the code it runs from @{EP_BASE}.
  @{EP_BASE}/node_modules/.pnpm/**/package.json r,
  @{EP_BASE}/node_modules/.pnpm/*@*.*.*/node_modules/*/{,**/}*.js{,.map} r,
  @{EP_BASE}/node_modules/.pnpm/*@*.*.[0-9]/node_modules/**/*.json r,
  @{EP_BASE}/node_modules/.pnpm/*@[0-9].*.[0-9]/node_modules/*/**/*.{,c}js{,.map} r,
  # Native addon: the only file in the pnpm store that is allowed to be mapped
  # executable (m) by the service itself.
  @{EP_BASE}/node_modules/.pnpm/lightningcss-linux-x64-gnu@[0-9].*.[0-9]/node_modules/lightningcss-linux-x64-gnu/lightningcss.linux-x64-gnu.node rm,
  @{EP_BASE}/node_modules/.pnpm/underscore@[0-9].*.[0-9]/node_modules/underscore/underscore-*.cjs{,.map} r,
  @{EP_BASE}/src/ep.json r,
  @{EP_BASE}/src/locales/{,*.json} r,
  @{EP_BASE}/src/node/*/*.ts r,
  @{EP_BASE}/src/node/hooks/express/*.ts r,
  @{EP_BASE}/src/node/utils/Minify{,Worker}.js r,
  @{EP_BASE}/src/node/utils/tar.json r,
  @{EP_BASE}/src/node/{,utils/}*.ts r,
  @{EP_BASE}/src/package.json r,
  @{EP_BASE}/src/static/css/{,**/}*.css r,
  @{EP_BASE}/src/static/font/*.{otf,ttf,woff{,2}} r,
  @{EP_BASE}/src/static/img/brand.svg r,
  @{EP_BASE}/src/static/js/*.js r,
  @{EP_BASE}/src/static/js/pluginfw/*.{js,ts} r,
  @{EP_BASE}/src/static/js/vendors/*.js r,
  @{EP_BASE}/src/static/skins/**/*.{css,jpg,js} r,
  @{EP_BASE}/src/{static,templates}/*.html r,
  @{EP_BASE}/var/installed_plugins.json r,

  # The only writable location under @{EP_BASE}: minified output files, and
  # only when they are owned by the service user.
  owner @{EP_BASE}/var/minified_* rw,

  # Scratch directories and files created under /tmp/tsx-*/.
  owner /tmp/tsx-*/ rw,
  owner /tmp/tsx-*/*-* rw,
  # the "Import" feature puts user uploaded files there :-(
  # This rule is the widest grant in the profile: read/write on every entry
  # directly in /tmp ("*" does not cross "/") that the service user owns. The
  # owner check is what keeps other users' temp files out of reach.
  # NOTE(review): if the upload location can be moved to a dedicated directory,
  # or the service is given a private /tmp, this rule could be narrowed - confirm.
  owner /tmp/* rw,


  # Child profile for AbiWord, entered through the Cx rule above. AbiWord
  # converts documents for import and export, so it parses user-uploaded files;
  # its file access is limited to its own binary, plugins, settings and the
  # document files in /tmp listed at the end.
  profile abiword flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/fonts>
    # NOTE(review): upstream's nameservice abstraction also allows network
    # access; confirm whether a converter that handles untrusted uploads needs
    # it, or whether a narrower set of rules would do.
    include <abstractions/nameservice>

    /usr/bin/abiword mr,

    owner @{HOME}/.cache/ rw,
    owner @{HOME}/.config/abiword/profile rw,

    /etc/inputrc{,.keys} r,

    /usr/lib64/abiword-[0-9].[0-9]/plugins/*.so r,

    /usr/share/abiword-[0-9].[0-9]/system.profile* r,
    /usr/share/glib-[0-9].[0-9]/schemas/gschemas.compiled r,
    /usr/share/mime/mime.cache r,
    /usr/share/terminfo/** r,

    # for export
    owner /tmp/.gsf-save-* rw,
    owner /tmp/etherpad_export_*.{doc,html,odt,pdf} rw,
    # for import
    # Narrower than the parent's /tmp rule: only files directly in /tmp with
    # one of these four extensions, and only when owned by the same user.
    owner /tmp/*.{doc,html,odt,pdf} rw,

  }


  # Child profile for esbuild, entered through the Cx rule above. Apart from
  # what abstractions/base provides, it may only read and map its own binary
  # and read the transparent-hugepage size; no write rule is granted here.
  profile esbuild flags=(attach_disconnected) {
    include <abstractions/base>

    @{ESBUILD} mr,
    /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,

  }
}