[LibreOffice.git] / sysui / desktop / apparmor / program.soffice.bin
blob42053db2abefdc89af59a04a00aadf30c270f5dd
1 # ------------------------------------------------------------------
3 #    Copyright (C) 2016 Canonical Ltd.
4 #    Copyright (C) 2018 Software in the Public Interest, Inc.
6 #    This Source Code Form is subject to the terms of the Mozilla Public
7 #    License, v. 2.0. If a copy of the MPL was not distributed with this
8 #    file, You can obtain one at http://mozilla.org/MPL/2.0/.
10 #    Authors: Jonathan Davies <jonathan.davies@canonical.com>
11 #             Bryan Quigley <bryan.quigley@canonical.com>
12 #             Rene Engelhard <rene@debian.org>
14 # ------------------------------------------------------------------
16 # This profile should enable the average LibreOffice user to get their
17 # work done while blocking some advanced usage.
18 # Namely, not tested and likely not working: embedded plugins,
19 # using the LibreOffice SDK, and other development tasks.
20 # Everything else should work.
22 #Defines all common supported file formats
23 #Some obscure ones were excluded (mostly input)
#These patterns are matched against file names only, by the owner rule in the
#profile that ends in .@{libreoffice_ext}; file contents are not inspected.
25 #Generic
26 #.txt
27 @{libreoffice_ext} = [tT][xX][tT]
28 #All the open document format
29 @{libreoffice_ext} += {,f,F}[oO][dDtT][tTsSpPbBgGfF]
30 #.xml and xsl
31 @{libreoffice_ext} += [xX][mMsS][lL]
32 #.pdf
33 @{libreoffice_ext} += [pP][dD][fF]
34 #Unified office format
35 @{libreoffice_ext} += [uU][oO][fFtTsSpP]
36 #(x)htm(l)
37 @{libreoffice_ext} += {,x,X}[hH][tT][mM]{,l,L}
38 #.epub
39 @{libreoffice_ext} += [eE][pP][uU][bB]
40 #.ps (printing to file)
41 @{libreoffice_ext} += [pP][sS]
43 #Images
44 @{libreoffice_ext} += [jJ][pP][gG]
45 @{libreoffice_ext} += [jJ][pP][eE][gG]
46 @{libreoffice_ext} += [pP][nN][gG]
47 @{libreoffice_ext} += [sS][vV][gG]
#NOTE(review): the digits after [zZ] on the next line do not fit the pattern of
#every other entry and look like a copy/extraction artifact - confirm against
#the upstream file before using this listing.
48 @{libreoffice_ext} += [sS][vV][gG][zZ]99251
49 @{libreoffice_ext} += [tT][iI][fF]
50 @{libreoffice_ext} += [tT][iI][fF][fF]
52 #Writer
53 @{libreoffice_ext} += [dD][oO][cCtT]{,x,X}
54 @{libreoffice_ext} += [rR][tT][fF]
56 #Calc
57 @{libreoffice_ext} += [xX][lL][sStT]{,x,X,m,M}
58 @{libreoffice_ext} += [xX][lL][wW]
59 #.dif dbf
60 @{libreoffice_ext} += [dD][iIbB][fF]
61 #.tsv .csv
62 @{libreoffice_ext} += [cCtT][sS][vV]
63 @{libreoffice_ext} += [sS][lL][kK]
65 #Impress/Draw
66 @{libreoffice_ext} += [pP][pP][tTsS]{,x,X}
67 @{libreoffice_ext} += [pP][oO][tT]{,m,M}
68 #Photoshop
69 @{libreoffice_ext} += [pP][sS][dD]
71 #Math
72 @{libreoffice_ext} += [mM][mM][lL]
#Directory roots under which the profile's "owner @{libo_user_dirs}/..." rules
#grant access to the user's own documents, lock files and temporary files.
74 @{libo_user_dirs} = @{HOME} /mnt /media
76 #include <tunables/global>
78 profile libreoffice-soffice INSTDIR-program/soffice.bin {
79   #include <abstractions/private-files>
81   #include <abstractions/audio>
82   #include <abstractions/bash>
83   #include <abstractions/cups-client>
84   #include <abstractions/dbus>
85   #include <abstractions/dbus-session>
86   #include <abstractions/dbus-accessibility>
87   #include <abstractions/ibus>
88   #include <abstractions/nameservice>
89   #include <abstractions/gnome>
90 # GnuPG1 only...
91 # #include <abstractions/gnupg>
92   #include <abstractions/python>
93   #include <abstractions/p11-kit>
95   #include <abstractions/user-tmp>
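97   #List directories for the file browser: the two trailing-slash rules below match directories only, so directories anywhere can be listed but no file content is readable through them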
98   /                                     r,
99   /**/                                  r,
101   owner @{libo_user_dirs}/**/           rw,  #allow creating directories that we own
102   owner @{libo_user_dirs}/**~lock.*     rw,  #lock file support
103   owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk,  #Open files rw with the right exts
104   owner @{libo_user_dirs}/{,**/}lu??????????{,?}.tmp rwk, #Temporary file used when saving
105   owner @{libo_user_dirs}/{,**/}.directory r, #Read directory settings on KDE
107   # Settings
108   /etc/libreoffice/                     r,
109   /etc/libreoffice/**                   r,
111   /etc/cups/ppd/*.ppd                   r,
112   /etc/xml/catalog                      r, #exporting to .xhtml, for libxml2
113   /proc/*/status                        r,
115   owner @{HOME}/.config/libreoffice{,dev}/** rwk,
116   owner @{HOME}/.config/soffice.binrc rwl -> @{HOME}/.config/#[0-9]*,
117   owner @{HOME}/.config/soffice.binrc.* rwl -> @{HOME}/.config/#[0-9]*,
118   owner @{HOME}/.config/soffice.binrc.lock rwk,
119   owner @{HOME}/.cache/fontconfig/**    rw,
120   owner @{HOME}/.config/gtk-???/bookmarks r,  #Make bookmarks work
122   owner /{,var/}run/user/*/dconf/user   rw,
123   owner @{HOME}/.config/dconf/user      r,
125   # allow schema to be read
126   /usr/share/glib-*/schemas/            r,
127   /usr/share/glib-*/schemas/**          r,
129   # bluetooth send to
130   network bluetooth,
132   /{usr/,}bin/sh                        rmix, # ix: the shell runs under this same profile
133   /{usr/,}bin/bash                      rmix,
134   /{usr/,}bin/dash                      rmix,
135   /{usr/,}bin/rm                        rmix, #deleting /tmp/psp1534203998 (printing to file)
136   /usr/bin/bluetooth-sendto             rmPUx, # PUx: runs under the helper's own profile if one is loaded, otherwise unconfined (environment scrubbed)
137   /usr/bin/lpr                          rmPUx, # PUx: same fallback to unconfined as bluetooth-sendto
138   /usr/bin/paperconf                    rmix,
139   /usr/bin/gpgconf                      rmix,
140   /usr/bin/gpg                          rmCx -> gpg, # Cx: runs under the "gpg" child profile declared inside this profile
141   /usr/bin/gpgsm                        rmCx -> gpg,
142   /usr/bin/gpa                          rix, # ix: the key-manager GUIs on these four lines stay inside this profile
143   /usr/bin/seahorse                     rix,
144   /usr/bin/kgpg                         rix,
145   /usr/bin/kleopatra                    rix,
147   /dev/tty                              rw,
149   /usr/lib{,32,64}/@{multiarch}/gstreamer???/gstreamer-???/gst-plugin-scanner   rmPUx,
150   owner @{HOME}/.cache/gstreamer-???/**                                 rw,
151   unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined),  #Gstreamer doesn't work without this
153   /usr/lib{,32,64}/jvm/                         r,
154   /usr/lib{,32,64}/jvm/**                       r,
155   /usr/lib{,32,64}/jvm/**/jre/bin/java          mix, # ix: the JVM runs under this same profile
156   /usr/lib{,32,64}/jvm/**/bin/java              mix,
157   INSTDIR-**                        rw, # NOTE(review): write access to the whole install tree, while the next two rules let .so files there be mapped executable and soffice.bin be executed; presumably file ownership keeps the tree read-only for ordinary users - confirm for per-user installs
158   INSTDIR-**.so                     m,
159   INSTDIR-program/soffice.bin       mix,
160   INSTDIR-program/xpdfimport        px, # px: the helper must have its own loaded profile; the environment is not scrubbed
161   INSTDIR-program/senddoc           px,
162   /usr/bin/xdg-open                 rPUx, # PUx: runs unconfined when no xdg-open profile is loaded, so anything it launches is then outside this profile
164   /usr/share/java/**.jar                r,
165   /usr/share/hunspell/                  r,
166   /usr/share/hunspell/**                r,
167   /usr/share/hyphen/                    r,
168   /usr/share/hyphen/**                  r,
169   /usr/share/mythes/                    r,
170   /usr/share/mythes/**                  r,
171   /usr/share/liblangtag/                r,
172   /usr/share/liblangtag/**              r,
173   /usr/share/libreoffice/               r,
174   /usr/share/libreoffice/**             r,
175   /usr/share/yelp-xsl/xslt/mallard/**   r,
176   /usr/share/libexttextcat/*            r,
177   /usr/share/icu/**                     r,
178   /usr/share/locale-bundle/*            r,
180   /var/spool/libreoffice/               r,
181   /var/spool/libreoffice/**             rw,
182   /var/cache/fontconfig/                rw,
184   #Likely moving to abstractions in the future
185   owner @{HOME}/.icons/*/cursors/*      r,
186   /etc/fstab r, # Solid::DeviceNotifier::instance() TODO: deny?
187   /sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r, # for libdrm
188   /usr/share/*-fonts/conf.avail/*.conf  r,
189   /usr/share/fonts-config/conf.avail/*.conf r,
190   /{,var/}run/udev/data/+usb:* r, # Solid::Device::listFromQuery()
191   /{,var/}run/udev/data/{c,b}*:* r, # Solid::Device::description(), Solid::Device::listFromQuery()
192   @{PROC}/sys/kernel/random/boot_id r, # KRecentDocument::add() -> QSysInfo::bootUniqueId()
194   #To avoid "Unable to create io-slave." for file dialog
195   owner /{,var/}run/user/[0-9]*/#[0-9]* rw,
196   #For KIO IO::Slave::createSlave()
197   owner /{,var/}run/user/[0-9]*/soffice.bin*.slave-socket wl ->  /{,var/}run/user/[0-9]*/#[0-9]*,
199   owner @{HOME}/.mozilla/firefox/profiles.ini r,
200   owner @{HOME}/.mozilla/firefox/*/secmod.db r,
201   # firefox < 58
202   owner @{HOME}/.mozilla/firefox/*/cert8.db r,
203   # firefox >= 58
204   owner @{HOME}/.mozilla/firefox/*/cert9.db r,
206   owner @{HOME}/.local/share/user-places.xbel r,
208   # There is abstractions/gnupg, but that is only for GnuPG 1, so gpg gets a child
  # profile here. It is entered through the "Cx -> gpg" rules for /usr/bin/gpg and
  # /usr/bin/gpgsm in the enclosing profile.
209   profile gpg {
210     #include <abstractions/base>
212    /usr/bin/gpgconf rm,
213    /usr/bin/gpg rm,
214    /usr/bin/gpgsm rm,
216     owner @{HOME}/.gnupg/* r, # read-only; a single * does not descend into subdirectories of ~/.gnupg
217     owner @{HOME}/.gnupg/random_seed rk, # read plus file locking
    # NOTE(review): no write rule for ~/.gnupg is visible in this child profile, so
    # operations that update a keyring or trust database would presumably be
    # denied unless an included abstraction allows them - confirm.
218   }
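220   # This probably should become a subprofile like gpg above, but then it doesn't
221   # work either, as it tries to access things that are only allowed above.
  # As written, lo_kde5filepicker below is started with PUx: it runs under its own
  # profile if one is loaded and unconfined otherwise.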
222   owner @{HOME}/.config/kdeglobals r,
223   /usr/lib/libreoffice/program/lo_kde5filepicker rPUx,
224   /usr/share/qt5/translations/* r,
225   /usr/lib/*/qt5/plugins/** rm,
226   /usr/share/plasma/look-and-feel/**/contents/defaults r,
228   # TODO: remove when rules are available in abstractions/kde
229   owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
230   owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
231   owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
232   owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
233   owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
234   owner @{HOME}/.config/trashrc r, # used by KFileWidget
235   /usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent
237   # TODO: remove when rules are available in abstractions/kde-write-icon-cache or similar
238   owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
240   # TODO: remove when rules are available in abstractions/kdeframeworks5 or similar
241   /usr/share/kservices5/*.protocol r,
243   # TODO: use qt5-settings-write abstraction when it is available
244   owner @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] rw,
245   owner @{HOME}/.config/QtProject.conf rw,
246   owner @{HOME}/.config/QtProject.conf.?????? l -> @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],
247   owner @{HOME}/.config/QtProject.conf.?????? rw, # for temporary files like QtProject.conf.Aqrgeb
248   owner @{HOME}/.config/QtProject.conf.lock rwk,
250   # TODO: use qt5-compose-cache-write abstraction when it is available
251   owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r,
253   # TODO: use recent-documents-write abstraction when it is available
254   owner @{HOME}/.local/share/RecentDocuments/** r,
255   owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*,
256   owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
257   owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
259   # TODO: use kde-globals-write abstraction when it is available
260   owner @{HOME}/.config/kdeglobals rw,
261   owner @{HOME}/.config/kdeglobals.* rwl -> @{HOME}/.config/#[0-9]*,
262   owner @{HOME}/.config/kdeglobals.lock rwk,