#1007804 amfora: AppArmor policy

Package:
amfora
Source:
amfora
Description:
Fancy terminal browser for the Gemini protocol
Submitter:
Jo Coscia
Date:
2025-07-03 11:55:02 UTC
Severity:
wishlist
Tags:
#1007804#5
Date:
2022-03-17 04:46:05 UTC
From:
To:
I would like to contribute an AppArmor policy for amfora. I asked the
folks in #apparmor about this, and they recommended going to the Debian
bug tracker.

I tested amfora with the following policy, and all features appear to
work correctly.
----------------------------------------
#include <tunables/global>

# vim:syntax=apparmor
# AppArmor policy for amfora

/usr/bin/amfora {
   #include <abstractions/base>
   #include <abstractions/consoles>
   #include <abstractions/user-tmp>

   /etc/mime.types r,
   /etc/hosts r,
   /etc/resolv.conf r,
   /etc/nsswitch.conf r,
   /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
   network tcp,

   # Allow opening/saving geminitext files; amfora only opens files with
   # these extensions
   /**.[gG][mM][iI] rw,
   /**.[gG][eE][mM][iI][nN][iI] rw,

   # Allow amfora to make these dirs, if they don't exist
   owner @{HOME}/.cache/ w,
   owner @{HOME}/.config/ w,
   owner @{HOME}/.local/ w,
   owner @{HOME}/.local/share/ w,

   owner @{HOME}/.cache/amfora/ rw,
   owner @{HOME}/.cache/amfora/** rw,
   owner @{HOME}/.config/amfora/ rw,
   owner @{HOME}/.config/amfora/** rw,
   owner @{HOME}/.local/share/amfora/ rw,
   owner @{HOME}/.local/share/amfora/** rw,

   owner @{HOME}/.config/user-dirs.dirs r,

   # Allows browsing/saving to a user-owned directory other than the
   # default Downloads directory. Supports removable media, etc. Restricting
   # it to only @{HOME}/Downloads/ would be more secure, but could cause
   # breakage.
   owner /**/ rw,

   # Allow amfora to open non-gemini URLs in other applications
   /usr/bin/xdg-open Ux,

}
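
Added example, not part of the original report or of amfora: a simplified Python matcher for the path globs in the policy above, showing which rules grant access to a few constructed paths. The `HOME` value and the sample paths are assumptions, only the glob subset the profile uses is modelled, and rules pulled in through abstractions are ignored.

```python
import re

HOME = "/home/alice"  # assumed value for the @{HOME} tunable

# Path rules copied from the profile above: (owner_only, glob, permissions).
# The rules pulled in through abstractions are not modelled.
RULES = [
    (False, "/etc/mime.types", "r"),
    (False, "/**.[gG][mM][iI]", "rw"),
    (False, "/**.[gG][eE][mM][iI][nN][iI]", "rw"),
    (True, "@{HOME}/.cache/amfora/**", "rw"),
    (True, "@{HOME}/.config/amfora/**", "rw"),
    (True, "@{HOME}/.local/share/amfora/**", "rw"),
    (True, "@{HOME}/.config/user-dirs.dirs", "r"),
    (True, "/**/", "rw"),
]

def glob_to_regex(glob):
    """Simplified translation of the glob subset used above: **, *, ?, [...]."""
    glob = glob.replace("@{HOME}", HOME)
    out, i = [], 0
    while i < len(glob):
        after_slash = i > 0 and glob[i - 1] == "/"
        if glob.startswith("**", i):
            # ** may cross '/'; right after a '/' it needs at least one character
            out.append("[^/].*" if after_slash else ".*")
            i += 2
        elif glob[i] == "*":
            # * stays inside a single path component
            out.append("[^/]+" if after_slash else "[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        elif glob[i] == "[":
            end = glob.index("]", i)
            out.append(glob[i:end + 1])  # character class passes through
            i = end + 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out))

def matching_rules(path, perm, owned_by_user):
    """Globs granting `perm` on `path`; directory paths end in '/'."""
    return [glob for owner_only, glob, perms in RULES
            if perm in perms and (owned_by_user or not owner_only)
            and glob_to_regex(glob).fullmatch(path)]
```

The two extension rules carry no `owner` qualifier, so they match regardless of who owns the file; ordinary Unix permissions still apply on top of the profile.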

#1007804#10
Date:
2022-03-29 15:11:46 UTC
From:
To:
Hi,

Thanks for your patch. Admittedly I do not know much about AppArmor profiles
myself, but I suppose it'd be good if you could submit your patch upstream[1].
I even saw this in our wiki too[2], that the better place to do this is upstream itself.

[1]: https://github.com/makeworld-the-better-one/amfora
[2]: https://wiki.debian.org/AppArmor/Contribute#Debian_.2F_Upstream_relationship

Regards,
Nilesh

#1007804#17
Date:
2025-07-03 11:53:52 UTC
From:
To:
Hi Jo Coscia,

Upstream has in the meantime requested that a PR be made against
the upstream repository, see https://github.com/makew0rld/amfora/issues/359

Can you do that?

Chris