feat(profiles): continue replacing [0-9]* by @{int}.
This commit is contained in:
parent
99e4c4622d
commit
00051bd2f0
100 changed files with 222 additions and 229 deletions
|
@ -74,7 +74,7 @@ profile dropbox @{exec_path} {
|
|||
|
||||
# What's this for?
|
||||
@{bin}/mount mrix,
|
||||
@{sys}/devices/virtual/block/dm-[0-9]*/dm/name r,
|
||||
@{sys}/devices/virtual/block/dm-@{int}/dm/name r,
|
||||
@{sys}/devices/virtual/block/loop[0-9]/ r,
|
||||
@{sys}/devices/virtual/block/loop[0-9]/loop/{autoclear,backing_file} r,
|
||||
@{run}/mount/utab r,
|
||||
|
|
|
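Review bot: The two `loop[0-9]/` rules directly below the replaced `dm-@{int}` line in the dropbox hunk still match only loop0 through loop9, so `/sys/devices/virtual/block/loop10/loop/backing_file` and higher loop devices remain uncovered, while the systemd-dissect hunk on this page already uses `loop@{int}` for the same sysfs path. Since this commit is the sweep replacing `[0-9]*` with `@{int}`, these two lines look like a miss: `@{sys}/devices/virtual/block/loop@{int}/ r,` and `@{sys}/devices/virtual/block/loop@{int}/loop/{autoclear,backing_file} r,`. The dropbox profile body continues outside the hunk.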
@ -49,9 +49,9 @@ profile filezilla @{exec_path} {
|
|||
|
||||
# Creating new files on FTP
|
||||
/tmp/ r,
|
||||
owner /tmp/fz[0-9]temp-[0-9]*/ rw,
|
||||
owner /tmp/fz[0-9]temp-[0-9]*/fz*-lockfile rwk,
|
||||
owner /tmp/fz[0-9]temp-[0-9]*/empty_file_* rw,
|
||||
owner /tmp/fz[0-9]temp-@{int}/ rw,
|
||||
owner /tmp/fz[0-9]temp-@{int}/fz*-lockfile rwk,
|
||||
owner /tmp/fz[0-9]temp-@{int}/empty_file_* rw,
|
||||
|
||||
# External apps
|
||||
@{lib}/firefox/firefox rPUx,
|
||||
|
|
|
@ -49,7 +49,7 @@ profile signal-desktop @{exec_path} {
|
|||
@{lib_dirs}/libnode.so mr,
|
||||
@{lib_dirs}/resources/app.asar.unpacked/node_modules/**.node mr,
|
||||
@{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so mr,
|
||||
@{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr,
|
||||
@{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so.@{int} mr,
|
||||
|
||||
/var/lib/dbus/machine-id r,
|
||||
/etc/machine-id r,
|
||||
|
|
|
@ -14,7 +14,7 @@ profile apt-listbugs-aptcleanup @{exec_path} {
|
|||
include <abstractions/ruby>
|
||||
|
||||
@{exec_path} r,
|
||||
@{bin}/ruby2.[0-9]* rix,
|
||||
@{bin}/ruby2.@{int} rix,
|
||||
|
||||
include if exists <local/apt-listbugs-aptcleanup>
|
||||
}
|
||||
|
|
|
@ -58,8 +58,8 @@ profile apt-systemd-daily @{exec_path} {
|
|||
|
||||
/var/backups/ r,
|
||||
/var/backups/apt.extended_states rw,
|
||||
/var/backups/apt.extended_states.[0-9]* rw,
|
||||
/var/backups/apt.extended_states.[0-9]*.gz w,
|
||||
/var/backups/apt.extended_states.@{int} rw,
|
||||
/var/backups/apt.extended_states.@{int}.gz w,
|
||||
|
||||
/var/cache/apt/ r,
|
||||
/var/cache/apt/archives/ r,
|
||||
|
|
|
@ -82,7 +82,7 @@ profile reportbug @{exec_path} {
|
|||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
owner /tmp/* rw,
|
||||
owner /tmp/reportbug-*-[0-9]*-@{pid}-* rw,
|
||||
owner /tmp/reportbug-*-@{int}-@{pid}-* rw,
|
||||
owner /var/tmp/*.bug{,~} rw,
|
||||
|
||||
@{sys}/module/apparmor/parameters/enabled r,
|
||||
|
|
|
@ -48,7 +48,7 @@ profile cron-popularity-contest @{exec_path} {
|
|||
/var/log/ r,
|
||||
/var/log/popularity-contest{,.new} rw,
|
||||
/var/log/popularity-contest{,.new}.gpg rw,
|
||||
/var/log/popularity-contest.[0-9]* rw,
|
||||
/var/log/popularity-contest.@{int} rw,
|
||||
|
||||
# Store last successful http submission timestamp
|
||||
/var/lib/popularity-contest/ rw,
|
||||
|
@ -78,8 +78,8 @@ profile cron-popularity-contest @{exec_path} {
|
|||
@{sh_path} rix,
|
||||
|
||||
/var/log/ r,
|
||||
/var/log/popularity-contest.[0-9]*.gz rw,
|
||||
/var/log/popularity-contest.[0-9]* rw,
|
||||
/var/log/popularity-contest.@{int}.gz rw,
|
||||
/var/log/popularity-contest.@{int} rw,
|
||||
/var/log/popularity-contest rw,
|
||||
|
||||
# file_inherit
|
||||
|
@ -121,8 +121,8 @@ profile cron-popularity-contest @{exec_path} {
|
|||
|
||||
/var/log/popularity-contest.new r,
|
||||
/var/log/popularity-contest.new.gpg rw,
|
||||
/var/log/popularity-contest.[0-9]* r,
|
||||
/var/log/popularity-contest.[0-9]*.gpg rw,
|
||||
/var/log/popularity-contest.@{int} r,
|
||||
/var/log/popularity-contest.@{int}.gpg rw,
|
||||
|
||||
owner /tmp/tmp.*/** rwkl -> /tmp/tmp.*/**,
|
||||
|
||||
|
@ -149,7 +149,7 @@ profile cron-popularity-contest @{exec_path} {
|
|||
|
||||
/var/log/ r,
|
||||
/var/log/popularity-contest.new.gpg r,
|
||||
/var/log/popularity-contest.[0-9]*.gpg r,
|
||||
/var/log/popularity-contest.@{int}.gpg r,
|
||||
|
||||
# file_inherit
|
||||
owner /tmp/#@{int} rw,
|
||||
|
|
|
@ -43,7 +43,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/gdm{3,}/.config/dconf/user r,
|
||||
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||
/var/lib/lightdm/.Xauthority r,
|
||||
/var/log/lightdm/seat[0-9]*-greeter.log w,
|
||||
/var/log/lightdm/seat@{int}-greeter.log w,
|
||||
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
owner @{run}/user/@{uid}/at-spi/ rw,
|
||||
|
|
|
@ -37,11 +37,11 @@ profile colord-sane @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/bus/scsi/devices/ r,
|
||||
@{sys}/devices/@{pci}/{vendor,model,type} r,
|
||||
|
||||
@{PROC}/sys/dev/parport/parport[0-9]*/base-addr r,
|
||||
@{PROC}/sys/dev/parport/parport[0-9]*/irq r,
|
||||
@{PROC}/sys/dev/parport/ r,
|
||||
@{PROC}/sys/dev/parport/parport@{int}/base-addr r,
|
||||
@{PROC}/sys/dev/parport/parport@{int}/irq r,
|
||||
|
||||
/dev/parport[0-9]* r,
|
||||
/dev/parport@{int} r,
|
||||
|
||||
include if exists <local/colord-sane>
|
||||
}
|
||||
|
|
|
@ -19,8 +19,8 @@ profile fc-cache @{exec_path} {
|
|||
@{exec_path} mr,
|
||||
|
||||
/var/cache/fontconfig/{,**} rw,
|
||||
/var/cache/fontconfig/*.cache-[0-9]* rwk,
|
||||
/var/cache/fontconfig/*.cache-[0-9]*.LCK rwl,
|
||||
/var/cache/fontconfig/*.cache-@{int} rwk,
|
||||
/var/cache/fontconfig/*.cache-@{int}.LCK rwl,
|
||||
/var/cache/fontconfig/CACHEDIR.TAG.LCK rwl,
|
||||
|
||||
/var/tmp/mkinitramfs_*/{**,} rwl,
|
||||
|
|
|
@ -54,7 +54,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_config_dirs}/pipewire/pipewire-pulse.conf r,
|
||||
owner @{user_config_dirs}/pipewire/pipewire.conf r,
|
||||
|
||||
owner /tmp/librnnoise-[0-9]*.so rm,
|
||||
owner /tmp/librnnoise-@{int}.so rm,
|
||||
owner @{run}/user/@{uid}/pipewire-@{int} rw,
|
||||
owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk,
|
||||
owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk,
|
||||
|
|
|
@ -33,7 +33,7 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/gdm{3,}/.config/pulse/cookie rwk,
|
||||
|
||||
owner @{run}/user/@{uid}/pulse/pid w,
|
||||
owner /tmp/librnnoise-[0-9]*.so rm,
|
||||
owner /tmp/librnnoise-@{int}.so rm,
|
||||
|
||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||
|
|
|
@ -59,7 +59,7 @@ profile gnome-control-center-goa-helper @{exec_path} {
|
|||
|
||||
owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
|
||||
|
||||
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Settings-[0-9]*.scope/memory.* r,
|
||||
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Settings-@{int}.scope/memory.* r,
|
||||
|
||||
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
|
||||
@{PROC}/zoneinfo r,
|
||||
|
|
|
@ -22,7 +22,7 @@ profile gnome-photos-thumbnailer @{exec_path} {
|
|||
owner @{user_cache_dirs}/gnome-photos/thumbnails/{,**} rw,
|
||||
owner @{user_share_dirs}/gegl-*/{,**} r,
|
||||
|
||||
owner /dev/shm/DzlCounters-[0-9]* rw,
|
||||
owner /dev/shm/DzlCounters-@{int} rw,
|
||||
|
||||
include if exists <local/gnome-photos-thumbnailer>
|
||||
}
|
|
@ -43,7 +43,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/collisions r,
|
||||
@{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/rx_{bytes,errors,packets} r,
|
||||
@{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/tx_{bytes,errors,packets} r,
|
||||
@{sys}/devices/@{pci}/virtio[0-9]*/**/stat r,
|
||||
@{sys}/devices/@{pci}/virtio@{int}/**/stat r,
|
||||
@{sys}/devices/virtual/net/*/statistics/collisions r,
|
||||
@{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r,
|
||||
@{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r,
|
||||
|
|
|
@ -25,7 +25,7 @@ profile grub-mkrelpath @{exec_path} {
|
|||
|
||||
/tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r,
|
||||
/tmp/grub-btrfs.*/@/.snapshots/@{int}/snapshot/boot/ r,
|
||||
/tmp/grub-btrfs.*/@_backup_[0-9]*/boot/ r,
|
||||
/tmp/grub-btrfs.*/@_backup_@{int}/boot/ r,
|
||||
/tmp/grub-btrfs.*/ r,
|
||||
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
|
|
|
@ -44,20 +44,22 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
|
|||
|
||||
@{run}/systemd/inhibit/*.ref rw,
|
||||
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
|
||||
owner @{run}/user/@{uid}kcrash_[0-9]* rw,
|
||||
owner @{run}/user/@{uid}kcrash_@{int} rw,
|
||||
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/bus/i2c/devices/ r,
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/drm/ r,
|
||||
@{sys}/class/i2c-dev/ r,
|
||||
@{sys}/class/usbmisc/ r,
|
||||
@{sys}/devices/ r,
|
||||
@{sys}/devices/@{pci}/drm/card@{int}/*/edid r,
|
||||
@{sys}/devices/@{pci}/drm/card@{int}/*/enabled r,
|
||||
@{sys}/devices/@{pci}/drm/card@{int}/*/status r,
|
||||
@{sys}/devices/@{pci}/i2c-[0-9]*/name r,
|
||||
@{sys}/devices/@{pci}/i2c-@{int}/name r,
|
||||
@{sys}/devices/**/ r,
|
||||
@{sys}/devices/i2c-[0-9]*/name r,
|
||||
@{sys}/devices/platform/*/i2c-[0-9]*/name r,
|
||||
@{sys}/devices/i2c-@{int}/name r,
|
||||
@{sys}/devices/platform/*/i2c-@{int}/name r,
|
||||
|
||||
@{PROC}/@{pid}/mounts r,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
|
|
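Review bot: The rewritten rule `owner @{run}/user/@{uid}kcrash_@{int} rw,` in kde-powerdevil is missing the `/` between `@{uid}` and `kcrash_`, so it expands to a path of the shape `/run/user/<uid>kcrash_<n>` (constructed example) that never exists, and the write to the KCrash file stays denied; the kwin_x11 hunk on this page has the correct form. Suggested line: `owner @{run}/user/@{uid}/kcrash_@{int} rw,`. The defect predates this commit, but the line is being rewritten here, so this is the natural place to fix it. The profile body continues outside the hunk.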
@ -57,7 +57,7 @@ profile kwin_x11 @{exec_path} {
|
|||
owner /tmp/#@{int} rw,
|
||||
owner /tmp/kwin.@{rand6} rwl,
|
||||
|
||||
owner @{run}/user/@{uid}/kcrash_[0-9]* rw,
|
||||
owner @{run}/user/@{uid}/kcrash_@{int} rw,
|
||||
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
|
|
|
@ -28,8 +28,8 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/udev/data/+pci:* r,
|
||||
@{run}/udev/data/+platform:* r,
|
||||
@{run}/udev/data/+usb:* r,
|
||||
@{run}/udev/data/c16[6,7]:[0-9]* r, # USB modems
|
||||
@{run}/udev/data/c18[0,8,9]:[0-9]* r, # USB devices & USB serial converters
|
||||
@{run}/udev/data/c16[6,7]:@{int} r, # USB modems
|
||||
@{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
|
||||
@{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]*
|
||||
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
|
||||
@{run}/udev/data/n@{int} r,
|
||||
|
|
|
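Review bot: The rewritten udev rules in ModemManager keep the character classes `c16[6,7]` and `c18[0,8,9]`, where the comma is a literal member of the class rather than a separator, so each class also matches a `,` character; the intended sets are `[67]` and `[089]` (compare `c18[8-9]` in the systemd-journald hunk on this page). No udev data path has a comma in the major number, so this is harmless in practice, but it misreads and is worth cleaning up while the lines are touched: `@{run}/udev/data/c16[67]:@{int} r, # USB modems` and `@{run}/udev/data/c18[089]:@{int} r, # USB devices & USB serial converters`. The profile body continues outside the hunk.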
@ -144,8 +144,8 @@ profile pacman @{exec_path} {
|
|||
|
||||
owner /var/lib/pacman/{,**} rwl,
|
||||
owner /tmp/alpm_*/{,**} rw,
|
||||
owner /tmp/checkup-db-[0-9]*/sync/{,*.db*} rw,
|
||||
owner /tmp/checkup-db-[0-9]*/db.lck rw,
|
||||
owner /tmp/checkup-db-@{int}/sync/{,*.db*} rw,
|
||||
owner /tmp/checkup-db-@{int}/db.lck rw,
|
||||
|
||||
@{PROC}/@{pids}/ r,
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
|
|
|
@ -21,7 +21,7 @@ profile pacman-hook-perl @{exec_path} {
|
|||
@{bin}/pacman rPx,
|
||||
@{bin}/sed rix,
|
||||
|
||||
@{lib}/perl[0-9]*/{,**} r,
|
||||
@{lib}/perl@{int}/{,**} r,
|
||||
|
||||
/dev/tty rw,
|
||||
/dev/tty@{int} rw,
|
||||
|
|
|
@ -43,7 +43,7 @@ profile ssh @{exec_path} {
|
|||
owner @{user_projects_dirs}/**/ssh/{,*} r,
|
||||
owner @{user_projects_dirs}/**/config r,
|
||||
|
||||
owner /tmp/ssh-*/{,agent.[0-9]*} rwkl,
|
||||
owner /tmp/ssh-*/{,agent.@{int}} rwkl,
|
||||
|
||||
owner @{run}/user/@{uid}/keyring/ssh rw,
|
||||
|
||||
|
|
|
@ -17,8 +17,8 @@ profile systemd-ac-power @{exec_path} {
|
|||
|
||||
@{sys}/class/power_supply/ r,
|
||||
|
||||
@{sys}/devices/**/power_supply/{AC,BAT[0-9]*}/ r,
|
||||
@{sys}/devices/**/power_supply/{AC,BAT[0-9]*}/{type,online} r,
|
||||
@{sys}/devices/**/power_supply/{AC,BAT@{int}}/ r,
|
||||
@{sys}/devices/**/power_supply/{AC,BAT@{int}}/{type,online} r,
|
||||
|
||||
include if exists <local/systemd-ac-power>
|
||||
}
|
||||
|
|
|
@ -32,7 +32,7 @@ profile systemd-dissect @{exec_path} {
|
|||
|
||||
owner /tmp/dissect-*/{,**} rw,
|
||||
|
||||
@{sys}/devices/virtual/block/loop[0-9]*/{,**} r,
|
||||
@{sys}/devices/virtual/block/loop@{int}/{,**} r,
|
||||
@{sys}/kernel/uevent_seqnum r,
|
||||
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
|
|
|
@ -34,7 +34,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
|
|||
network netlink raw,
|
||||
|
||||
mount options=(rw, rslave) -> @{run}/,
|
||||
mount /dev/dm-[0-9]* -> @{run}/systemd/user-home-mount/,
|
||||
mount /dev/dm-@{int} -> @{run}/systemd/user-home-mount/,
|
||||
|
||||
# dbus: own bus=system name=org.freedesktop.home1
|
||||
|
||||
|
@ -77,7 +77,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{PROC}/@{pid}/uid_map w,
|
||||
|
||||
/dev/loop-control rwk,
|
||||
/dev/loop[0-9]* rw,
|
||||
/dev/loop@{int} rw,
|
||||
/dev/mapper/control rw,
|
||||
/dev/mqueue/ r,
|
||||
/dev/shm/ r,
|
||||
|
|
|
@ -46,7 +46,7 @@ profile systemd-journald @{exec_path} {
|
|||
|
||||
@{run}/udev/data/+acpi:* r,
|
||||
@{run}/udev/data/+bluetooth:* r,
|
||||
@{run}/udev/data/+hid:* r,
|
||||
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
|
||||
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
|
||||
@{run}/udev/data/+pci:* r,
|
||||
@{run}/udev/data/+platform:* r,
|
||||
|
@ -61,8 +61,8 @@ profile systemd-journald @{exec_path} {
|
|||
@{run}/udev/data/c4:@{int} r, # For TTY devices
|
||||
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
|
||||
@{run}/udev/data/c108:@{int} r, # For /dev/ppp
|
||||
@{run}/udev/data/c18[8-9]:[0-9]* r, # USB devices & USB serial converters
|
||||
@{run}/udev/data/c29:[0-9]* r, # For CD-ROM
|
||||
@{run}/udev/data/c18[8-9]:@{int} r, # USB devices & USB serial converters
|
||||
@{run}/udev/data/c29:@{int} r, # For CD-ROM
|
||||
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
|
||||
|
||||
@{sys}/devices/**/uevent r,
|
||||
|
|
|
@ -78,9 +78,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
|
|||
@{run}/udev/data/c13:@{int} r, # For /dev/input/*
|
||||
@{run}/udev/data/c14:@{int} r, # Open Sound System (OSS)
|
||||
@{run}/udev/data/c21:@{int} r, # Generic SCSI access
|
||||
@{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]*
|
||||
@{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*
|
||||
@{run}/udev/data/c81:@{int} r, # For video4linux
|
||||
@{run}/udev/data/c89:[0-9]* r, # For I2C bus interface
|
||||
@{run}/udev/data/c89:@{int} r, # For I2C bus interface
|
||||
@{run}/udev/data/c116:@{int} r, # For ALSA
|
||||
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card*
|
||||
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
|
||||
|
|
|
@ -24,7 +24,7 @@ profile systemd-rfkill @{exec_path} {
|
|||
@{run}/systemd/notify rw,
|
||||
@{run}/udev/data/+rfkill:* r,
|
||||
|
||||
@{sys}/devices/**/rfkill[0-9]*/{uevent,name} r,
|
||||
@{sys}/devices/**/rfkill@{int}/{uevent,name} r,
|
||||
|
||||
/dev/rfkill rw,
|
||||
|
||||
|
|
|
@ -19,13 +19,13 @@ profile zram-generator @{exec_path} {
|
|||
|
||||
/etc/systemd/zram-generator.conf r,
|
||||
|
||||
@{sys}/devices/virtual/block/zram[0-9]*/{disksize,reset,comp_algorithm} rw,
|
||||
@{sys}/block/zram[0-9]*/{disksize,reset} rw,
|
||||
|
||||
owner @{run}/systemd/generator/{,*/}var-cache-makepkg.mount rw,
|
||||
owner @{run}/systemd/generator/dev-zram[0-9]*.swap rw,
|
||||
owner @{run}/systemd/generator/swap.target.wants/{,dev-zram[0-9]*.swap} rw,
|
||||
owner @{run}/systemd/generator/systemd-zram-setup@zram[0-9]*.service.d/{,*.conf} rw,
|
||||
owner @{run}/systemd/generator/dev-zram@{int}.swap rw,
|
||||
owner @{run}/systemd/generator/swap.target.wants/{,dev-zram@{int}.swap} rw,
|
||||
owner @{run}/systemd/generator/systemd-zram-setup@zram@{int}.service.d/{,*.conf} rw,
|
||||
|
||||
@{sys}/devices/virtual/block/zram@{int}/{disksize,reset,comp_algorithm} rw,
|
||||
@{sys}/block/zram@{int}/{disksize,reset} rw,
|
||||
|
||||
@{PROC}/crypto r,
|
||||
|
||||
|
|
|
@ -66,11 +66,11 @@ profile subiquity-console-conf @{exec_path} {
|
|||
@{run}/udev/data/c1:@{int} r, # For RAM disk
|
||||
@{run}/udev/data/c4:@{int} r, # For TTY devices
|
||||
@{run}/udev/data/c5:@{int} r, # For /dev/tty, /dev/console, /dev/ptmx
|
||||
@{run}/udev/data/c7:[0-9]* r, # For Virtual console capture devices
|
||||
@{run}/udev/data/c7:@{int} r, # For Virtual console capture devices
|
||||
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
|
||||
@{run}/udev/data/c13:@{int} r, # For /dev/input/*
|
||||
@{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]*
|
||||
@{run}/udev/data/c89:[0-9]* r, # For I2C bus interface
|
||||
@{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*
|
||||
@{run}/udev/data/c89:@{int} r, # For I2C bus interface
|
||||
@{run}/udev/data/c108:@{int} r, # For /dev/ppp
|
||||
@{run}/udev/data/c116:@{int} r, # For ALSA
|
||||
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card*
|
||||
|
|
|
@ -31,7 +31,7 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/calico/{,**} r,
|
||||
/var/log/calico/cni/ r,
|
||||
/var/log/calico/cni/cni.log rw,
|
||||
/var/log/calico/cni/cni-@{date}T@{time}.[0-9]*.log rw,
|
||||
/var/log/calico/cni/cni-@{date}T@{time}.@{int}.log rw,
|
||||
|
||||
/usr/share/mime/globs2 r,
|
||||
|
||||
|
|
|
@ -32,13 +32,13 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
|
|||
network netlink raw,
|
||||
|
||||
mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/@{hex}/shm/,
|
||||
mount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
|
||||
mount -> /tmp/ctd-volume[0-9]*/,
|
||||
mount -> /var/lib/containerd/tmpmounts/containerd-mount@{int}/,
|
||||
mount -> /tmp/ctd-volume@{int}/,
|
||||
mount options in (rw, bind, nosuid, nodev, noexec) -> @{run}/netns/cni-@{uuid},
|
||||
|
||||
umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/@{hex}/shm/,
|
||||
umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
|
||||
umount /tmp/ctd-volume[0-9]*/,
|
||||
umount /var/lib/containerd/tmpmounts/containerd-mount@{int}/,
|
||||
umount /tmp/ctd-volume@{int}/,
|
||||
umount @{run}/netns/cni-@{uuid},
|
||||
|
||||
signal (receive) set=term peer={dockerd,k3s},
|
||||
|
@ -72,7 +72,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/cni/results/cni-loopback-[0-9a-z]*-lo wl,
|
||||
/var/lib/cni/results/k8s-pod-network-[0-9a-z]*-eth0 wl,
|
||||
/var/lib/containerd/{,**} rwk,
|
||||
/var/lib/containerd/tmpmounts/containerd-mount[0-9]*/** l,
|
||||
/var/lib/containerd/tmpmounts/containerd-mount@{int}/** l,
|
||||
/var/lib/docker/containerd/{,**} rwk,
|
||||
/var/lib/kubelet/seccomp/{,**} r,
|
||||
/var/lib/security-profiles-operator/{,**} r,
|
||||
|
@ -86,10 +86,10 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/netns/cni-@{uuid} rw,
|
||||
@{run}/systemd/notify w,
|
||||
|
||||
owner /var/tmp/** rwkl,
|
||||
/tmp/cri-containerd.apparmor.d@{int} rwl,
|
||||
/tmp/ctd-volume@{int}/{,**} rw,
|
||||
owner /tmp/** rwkl,
|
||||
/tmp/cri-containerd.apparmor.d[0-9]* rwl,
|
||||
/tmp/ctd-volume[0-9]*/{,**} rw,
|
||||
owner /var/tmp/** rwkl,
|
||||
|
||||
@{sys}/fs/cgroup/kubepods/** r,
|
||||
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||
|
@ -97,11 +97,11 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/module/apparmor/parameters/enabled r,
|
||||
|
||||
@{PROC}/@{pid}/task/@{tid}/ns/net rw,
|
||||
@{PROC}/sys/net/core/somaxconn r,
|
||||
owner @{PROC}/@{pids}/attr/current r,
|
||||
owner @{PROC}/@{pids}/cgroup r,
|
||||
owner @{PROC}/@{pids}/uid_map r,
|
||||
owner @{PROC}/@{pids}/mountinfo r,
|
||||
@{PROC}/sys/net/core/somaxconn r,
|
||||
owner @{PROC}/@{pids}/uid_map r,
|
||||
|
||||
/dev/bsg/ r,
|
||||
/dev/bus/ r,
|
||||
|
|
|
@ -32,9 +32,9 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{bin}/runc rPUx,
|
||||
|
||||
/tmp/runc-process[0-9]* rw,
|
||||
/tmp/pty[0-9]*/ rw,
|
||||
/tmp/pty[0-9]*/pty.sock rw,
|
||||
/tmp/runc-process@{int} rw,
|
||||
/tmp/pty@{int}/ rw,
|
||||
/tmp/pty@{int}/pty.sock rw,
|
||||
|
||||
@{run}/containerd/{,containerd.sock.ttrpc} rw,
|
||||
@{run}/containerd/io.containerd.grpc.v1.cri/containers/@{hex}/io/@{int}/@{hex}-{stdin,stdout,stderr} rw,
|
||||
|
|
|
@ -34,16 +34,16 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
mount /var/lib/docker/overlay2/**/,
|
||||
mount options=(rw, bind) -> /run/docker/netns/*,
|
||||
mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder[0-9]*/,
|
||||
mount options=(rw, rprivate) -> /.pivot_root[0-9]*/,
|
||||
mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder@{int}/,
|
||||
mount options=(rw, rprivate) -> /.pivot_root@{int}/,
|
||||
mount options=(rw, rslave) -> /,
|
||||
|
||||
umount /.pivot_root[0-9]*/,
|
||||
umount /.pivot_root@{int}/,
|
||||
umount /run/docker/netns/*,
|
||||
umount /var/lib/docker/overlay*/**/,
|
||||
|
||||
pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root[0-9]*/ /var/lib/docker/overlay2/**/,
|
||||
pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root[0-9]*/ /var/lib/docker/tmp/**/,
|
||||
pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/ /var/lib/docker/overlay2/**/,
|
||||
pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/ /var/lib/docker/tmp/**/,
|
||||
|
||||
ptrace (read) peer=docker-*,
|
||||
ptrace (read) peer=unconfined,
|
||||
|
@ -70,7 +70,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner @{lib}/docker/overlay2/*/work/{,**} rw,
|
||||
owner /var/lib/docker/{,**} rwk,
|
||||
owner /var/lib/docker/tmp/qemu-check[0-9]*/check rix,
|
||||
owner /var/lib/docker/tmp/qemu-check@{int}/check rix,
|
||||
|
||||
@{sys}/fs/cgroup/cgroup.controllers r,
|
||||
@{sys}/fs/cgroup/cpuset.cpus.effective r,
|
||||
|
@ -88,7 +88,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
|
|||
@{PROC}/sys/net/bridge/bridge-nf-call-ip*tables r,
|
||||
@{PROC}/sys/net/core/somaxconn r,
|
||||
@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} rw,
|
||||
@{PROC}/sys/net/ipv{4,6}/conf/docker[0-9]*/accept_ra rw,
|
||||
@{PROC}/sys/net/ipv{4,6}/conf/docker@{int}/accept_ra rw,
|
||||
@{PROC}/sys/net/ipv{4,6}/ip_forward rw,
|
||||
@{PROC}/sys/net/ipv{4,6}/ip_local_port_range r,
|
||||
owner @{PROC}/@{pids}/attr/current r,
|
||||
|
|
|
@ -160,7 +160,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/ r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user-runtime-dir@@{uid}.service/ r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**/} r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-[0-9]*.scope/{,**/} r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{,**/} r,
|
||||
|
||||
@{sys}/kernel/mm/hugepages/ r,
|
||||
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||
|
|
|
@ -154,7 +154,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/libvirt/ rw,
|
||||
@{run}/libvirt/** rwk,
|
||||
@{run}/libvirtd.pid wk,
|
||||
@{run}/lock/LCK.._pts_[0-9]* rw,
|
||||
@{run}/lock/LCK.._pts_@{int} rw,
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
@{run}/systemd/notify w,
|
||||
@{run}/utmp rk,
|
||||
|
|
|
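Review bot: The libvirtd hunk converts `LCK.._pts_[0-9]*` but leaves `@{run}/systemd/inhibit/[0-9]*.ref rw,` two lines below it untouched, so the sweep this commit performs is incomplete within the hunk itself. Either `@{run}/systemd/inhibit/@{int}.ref rw,` or the `@{run}/systemd/inhibit/*.ref rw,` form used in the kde-powerdevil hunk on this page would be consistent with the rest of the change. The profile body continues outside the hunk.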
@ -46,7 +46,7 @@ profile virtiofsd @{exec_path} {
|
|||
@{exec_path} mr,
|
||||
|
||||
/ r,
|
||||
/var/lib/libvirt/qemu/*/fs[0-9]*-fs.sock rw,
|
||||
/var/lib/libvirt/qemu/*/fs@{int}-fs.sock rw,
|
||||
|
||||
@{user_publicshare_dirs}/{,**} r,
|
||||
@{user_vm_dirs}/{,**} r,
|
||||
|
|
|
@ -61,7 +61,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
|
||||
@{run}/udev/data/c13:@{int} r, # For /dev/input/*
|
||||
@{run}/udev/data/c21:@{int} r, # Generic SCSI access
|
||||
@{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]*
|
||||
@{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*
|
||||
@{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash
|
||||
@{run}/udev/data/c116:@{int} r, # For ALSA
|
||||
@{run}/udev/data/c202:@{int} r, # CPU model-specific registers
|
||||
|
|
|
@ -24,10 +24,10 @@ profile adb @{exec_path} {
|
|||
|
||||
/usr/share/scrcpy/scrcpy-server r,
|
||||
|
||||
owner /tmp/adb.[0-9]*.log rw,
|
||||
owner /tmp/adb.@{int}.log rw,
|
||||
|
||||
owner @{HOME}/.android/ rw,
|
||||
owner @{HOME}/.android/adb.[0-9]* rw,
|
||||
owner @{HOME}/.android/adb.@{int} rw,
|
||||
owner @{HOME}/.android/adbkey rw,
|
||||
|
||||
include if exists <local/adb>
|
||||
|
|
|
@ -29,14 +29,14 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/apparmor-features/{,**} r,
|
||||
/usr/share/apparmor/{,**} r,
|
||||
|
||||
owner /snap/core[0-9]*/@{int}/etc/apparmor.d/{,**} r,
|
||||
owner /snap/core[0-9]*/@{int}/etc/apparmor/* r,
|
||||
owner /snap/core@{int}/@{int}/etc/apparmor.d/{,**} r,
|
||||
owner /snap/core@{int}/@{int}/etc/apparmor/* r,
|
||||
owner /var/cache/apparmor/{,**} rw,
|
||||
owner /var/lib/docker/tmp/docker-default[0-9]* r,
|
||||
owner /var/lib/docker/tmp/docker-default@{int} r,
|
||||
owner /var/lib/snapd/apparmor/{,**} r,
|
||||
owner /var/snap/lxd/common/lxd/security/apparmor/{,**} rw,
|
||||
|
||||
owner /tmp/cri-containerd.apparmor.d[0-9]* r,
|
||||
owner /tmp/cri-containerd.apparmor.d@{int} r,
|
||||
|
||||
@{sys}/kernel/security/apparmor/{,**} r,
|
||||
owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,
|
||||
|
|
|
@ -15,7 +15,7 @@ profile arduino-ctags @{exec_path} {
|
|||
|
||||
owner /tmp/tags.* rw,
|
||||
|
||||
owner /tmp/arduino_build_[0-9]*/** r,
|
||||
owner /tmp/arduino_build_@{int}/** r,
|
||||
|
||||
include if exists <local/arduino-ctags>
|
||||
}
|
||||
|
|
|
@ -48,11 +48,11 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{HOME}/bluetooth*/ r,
|
||||
owner @{HOME}/bluetooth*/* rw,
|
||||
|
||||
owner @{user_cache_dirs}/blueman-tray-[0-9]* rw,
|
||||
owner @{user_cache_dirs}/blueman-services-[0-9]* rw,
|
||||
owner @{user_cache_dirs}/blueman-adapters-[0-9]* rw,
|
||||
owner @{user_cache_dirs}/blueman-manager-[0-9]* rw,
|
||||
owner @{user_cache_dirs}/blueman-applet-[0-9]* rw,
|
||||
owner @{user_cache_dirs}/blueman-tray-@{int} rw,
|
||||
owner @{user_cache_dirs}/blueman-services-@{int} rw,
|
||||
owner @{user_cache_dirs}/blueman-adapters-@{int} rw,
|
||||
owner @{user_cache_dirs}/blueman-manager-@{int} rw,
|
||||
owner @{user_cache_dirs}/blueman-applet-@{int} rw,
|
||||
|
||||
owner @{user_cache_dirs}/obexd/ rw,
|
||||
owner @{user_cache_dirs}/obexd/* rw,
|
||||
|
|
|
@ -35,7 +35,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/sdp rw,
|
||||
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
|
||||
|
||||
@{sys}/devices/@{pci}/rfkill[0-9]*/name r,
|
||||
@{sys}/devices/@{pci}/rfkill@{int}/name r,
|
||||
@{sys}/devices/@{pci}/bluetooth/**/{uevent,name} r,
|
||||
@{sys}/devices/platform/**/rfkill/**/name r,
|
||||
@{sys}/devices/virtual/dmi/id/chassis_type r,
|
||||
|
|
|
@ -34,12 +34,12 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/bus/wmi/devices/ r,
|
||||
@{sys}/class/ r,
|
||||
@{sys}/devices/@{pci}/device r,
|
||||
@{sys}/devices/@{pci}/domain[0-9]*/{security,uevent} r,
|
||||
@{sys}/devices/@{pci}/domain[0-9]*/**/ r,
|
||||
@{sys}/devices/@{pci}/domain[0-9]*/**/{authorized,generation} r,
|
||||
@{sys}/devices/@{pci}/domain[0-9]*/**/{uevent,unique_id} r,
|
||||
@{sys}/devices/@{pci}/domain[0-9]*/**/{vendor,device}_name r,
|
||||
@{sys}/devices/@{pci}/domain[0-9]*/iommu_dma_protection r,
|
||||
@{sys}/devices/@{pci}/domain@{int}/{security,uevent} r,
|
||||
@{sys}/devices/@{pci}/domain@{int}/**/ r,
|
||||
@{sys}/devices/@{pci}/domain@{int}/**/{authorized,generation} r,
|
||||
@{sys}/devices/@{pci}/domain@{int}/**/{uevent,unique_id} r,
|
||||
@{sys}/devices/@{pci}/domain@{int}/**/{vendor,device}_name r,
|
||||
@{sys}/devices/@{pci}/domain@{int}/iommu_dma_protection r,
|
||||
@{sys}/devices/platform/**/uevent r,
|
||||
@{sys}/devices/platform/*/wmi_bus/wmi_bus-*/@{uuid}/force_power rw,
|
||||
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
|
||||
|
|
|
@ -22,8 +22,8 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/extensions/* r,
|
||||
owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/startupCache/scriptCache-*.bin r,
|
||||
owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/startupCache/startupCache.*.little r,
|
||||
owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/safebrowsing-updating/google[0-9]/goog-phish-proto-[0-9]*.vlpset rw,
|
||||
owner /tmp/mozilla-temp-[0-9]* r,
|
||||
owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/safebrowsing-updating/google[0-9]/goog-phish-proto-@{int}.vlpset rw,
|
||||
owner /tmp/mozilla-temp-@{int} r,
|
||||
|
||||
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||
|
||||
|
|
|
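Review bot: The browserpass rewrite keeps `google[0-9]/goog-phish-proto-@{int}.vlpset`, while the identical Firefox safebrowsing rule in the downloadhelper hunk on this page becomes `google@{int}/goog-phish-proto-@{int}.vlpset`, so the two profiles now diverge on the same path for no visible reason. `google[0-9]` matches a single digit and `google@{int}` a multi-digit number; whichever is intended, the two should agree. Suggested line here: `owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/safebrowsing-updating/google@{int}/goog-phish-proto-@{int}.vlpset rw,`. The profile body continues outside the hunk.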
@ -40,7 +40,7 @@ profile cawbird @{exec_path} {
|
|||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/cawbird-* rw,
|
||||
|
||||
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
|
||||
/usr/share/xml/iso-codes/{,**} r,
|
||||
|
||||
/var/lib/dbus/machine-id r,
|
||||
/etc/machine-id r,
|
||||
|
|
|
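Review bot: The cawbird hunk appears to replace `/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,` with `/usr/share/xml/iso-codes/{,**} r,` rather than with the literal translation, which widens the rule from a few iso_*-*.xml files to read access on the whole iso-codes tree; the gajim hunk on this page makes the same substitution. The widening is low risk (read-only package data), but it is a scope change hidden inside a commit described as a mechanical `[0-9]*` to `@{int}` replacement, so it deserves either a mention in the commit message or the direct equivalent `/usr/share/xml/iso-codes/iso_@{int}-@{int}.xml r,`. The profile body continues outside the hunk.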
@ -49,9 +49,9 @@ profile claws-mail @{exec_path} flags=(complain) {
|
|||
owner @{user_mail_dirs}/ rw,
|
||||
owner @{user_mail_dirs}/** rwl -> @{user_mail_dirs}/**,
|
||||
|
||||
owner /tmp/claws-mail-[0-9]*/ rw,
|
||||
owner /tmp/claws-mail-[0-9]*/@{hex} rw,
|
||||
owner /tmp/claws-mail-[0-9]*/@{hex}.lock rwk,
|
||||
owner /tmp/claws-mail-@{int}/ rw,
|
||||
owner /tmp/claws-mail-@{int}/@{hex} rw,
|
||||
owner /tmp/claws-mail-@{int}/@{hex}.lock rwk,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
|
|
@ -53,7 +53,7 @@ profile code flags=(attach_disconnected) {
|
|||
@{code_config_dirs}/extensions/** rPUx,
|
||||
@{HOME}/.go/bin/* rPUx,
|
||||
@{lib}/go/bin/* rPUx,
|
||||
@{bin}/python[0-9]* rUx
|
||||
@{bin}/python3.@{int} rUx,
|
||||
|
||||
/etc/shells r,
|
||||
/etc/lsb-release r,
|
||||
|
|
|
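Review bot: The new `@{bin}/python3.@{int} rUx,` in the code profile is narrower than the `python[0-9]*` it replaces: `python3.@{int}` requires a minor-version suffix, so a plain `@{bin}/python3` no longer matches, whereas the old glob accepted `python3` as well as `python3.11`. If dropping the unversioned interpreter is not intended, `@{bin}/python3{,.@{int}} rUx,` keeps both forms using the same brace alternation this page already uses (`{AC,BAT@{int}}`). The trailing comma the removed line lacked is restored by the new line, which is worth keeping. The profile body continues outside the hunk.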
@ -129,8 +129,8 @@ profile conky @{exec_path} {
|
|||
|
||||
# Temperatures and Fans
|
||||
@{bin}/sensors rPUx,
|
||||
@{sys}/devices/**/hwmon@{int}/temp[0-9]*_input r,
|
||||
@{sys}/devices/**/hwmon/hwmon@{int}/temp[0-9]*_input r,
|
||||
@{sys}/devices/**/hwmon@{int}/temp@{int}_input r,
|
||||
@{sys}/devices/**/hwmon/hwmon@{int}/temp@{int}_input r,
|
||||
@{sys}/class/hwmon/ r,
|
||||
@{PROC}/acpi/ibm/fan r,
|
||||
|
||||
|
@ -142,7 +142,7 @@ profile conky @{exec_path} {
|
|||
|
||||
@{PROC}/@{pid}/net/route r,
|
||||
|
||||
owner /tmp/xauth-[0-9]*-_[0-9] r,
|
||||
owner /tmp/xauth-@{int}-_[0-9] r,
|
||||
|
||||
/usr/share/X11/XErrorDB r,
|
||||
|
||||
|
|
|
@ -32,7 +32,7 @@ profile downloadhelper @{exec_path} {
|
|||
owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/extensions/* r,
|
||||
owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/startupCache/scriptCache-*.bin r,
|
||||
owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/startupCache/startupCache.*.little r,
|
||||
owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/safebrowsing-updating/google[0-9]/goog-phish-proto-[0-9]*.vlpset rw,
|
||||
owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/safebrowsing-updating/google@{int}/goog-phish-proto-@{int}.vlpset rw,
|
||||
|
||||
owner /tmp/vdh-*.tmp rw,
|
||||
|
||||
|
|
|
@ -26,7 +26,7 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/flatpak/app/*/**/@{lib}/** rPx -> flatpak-app,
|
||||
|
||||
owner @{run}/user/@{uid}/.flatpak-helper/{,**} rw,
|
||||
owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-[0-9]* rw,
|
||||
owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-@{int} rw,
|
||||
|
||||
owner @{PROC}/@{pids}/fd/ r,
|
||||
|
||||
|
|
|
@ -32,8 +32,8 @@ profile fprintd @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
|
||||
|
||||
@{sys}/class/hidraw/ r,
|
||||
@{sys}/devices/@{pci}/hidraw/hidraw[0-9]*/uevent r,
|
||||
@{sys}/devices/virtual/**/hidraw/hidraw[0-9]*/uevent r,
|
||||
@{sys}/devices/@{pci}/hidraw/hidraw@{int}/uevent r,
|
||||
@{sys}/devices/virtual/**/hidraw/hidraw@{int}/uevent r,
|
||||
|
||||
include if exists <local/fprintd>
|
||||
}
|
||||
@ -62,7 +62,7 @@ profile fritzing @{exec_path} {
|
|||
|
||||
@{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]*
|
||||
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
|
||||
@{run}/udev/data/c166:[0-9]* r, # for /dev/ttyACM[0-9]*
|
||||
@{run}/udev/data/c166:@{int} r, # for /dev/ttyACM[0-9]*
|
||||
|
||||
/dev/ttyS@{int} rw,
|
||||
/dev/ttyACM@{int} rw,
|
||||
@ -85,7 +85,7 @@ profile gajim @{exec_path} {
|
|||
|
||||
/etc/fstab r,
|
||||
|
||||
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
|
||||
/usr/share/xml/iso-codes/{,**} r,
|
||||
|
||||
# TMP files locations (first in /tmp/ , /var/tmp/ and @{HOME}/)
|
||||
/var/tmp/ r,
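Review bot: `/usr/share/xml/iso-codes/{,**} r,` is wider than the `@{int}` substitution this commit performs elsewhere: the old rule admitted only `iso_N-N.xml` files, the new one reads every file and subdirectory under iso-codes. That is harmless for this public data set, but if the intent was only to modernise the glob, `/usr/share/xml/iso-codes/iso_@{int}-@{int}.xml r,` keeps the original scope. The enclosing profile starts before this hunk.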
|
||||
@ -147,7 +147,7 @@ profile git @{exec_path} {
|
|||
owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw,
|
||||
owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl,
|
||||
|
||||
owner /tmp/git@*:[0-9]* rwl -> /tmp/git@*:[0-9]*.*,
|
||||
owner /tmp/git@*:@{int} rwl -> /tmp/git@*:@{int}.*,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
|
@ -182,7 +182,7 @@ profile git @{exec_path} {
|
|||
/etc/vim/{,**} r,
|
||||
|
||||
owner @{user_projects_dirs}/**/ r,
|
||||
owner @{user_projects_dirs}/**/.git/[0-9]* rw,
|
||||
owner @{user_projects_dirs}/**/.git/@{int} rw,
|
||||
owner @{user_projects_dirs}/**/.git/*MSG rw,
|
||||
|
||||
owner @{HOME}/.selected_editor r,
|
||||
@ -43,7 +43,7 @@ profile gpa @{exec_path} {
|
|||
# Files to verify
|
||||
owner /**.tar.gz r,
|
||||
|
||||
owner /tmp/xauth-[0-9]*-_[0-9] r,
|
||||
owner /tmp/xauth-@{int}-_[0-9] r,
|
||||
|
||||
# External apps
|
||||
@{lib}/firefox/firefox rPUx,
|
||||
@ -40,7 +40,6 @@ profile hardinfo @{exec_path} {
|
|||
@{bin}/locale rix,
|
||||
@{bin}/make rix,
|
||||
@{bin}/perl rix,
|
||||
@{bin}/python2.[0-9]* rix,
|
||||
@{bin}/python3.@{int} rix,
|
||||
@{bin}/route rix,
|
||||
@{bin}/ruby[0-9].@{int} rix,
|
||||
|
@ -71,8 +70,8 @@ profile hardinfo @{exec_path} {
|
|||
|
||||
@{sys}/devices/system/cpu/** r,
|
||||
@{sys}/devices/virtual/dmi/id/* r,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]/temp* r,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/temp* r,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone@{int}/temp* r,
|
||||
@{sys}/devices/platform/**/hwmon/hwmon@{int}/temp* r,
|
||||
@{sys}/devices/platform/**/hwmon/hwmon@{int}/fan* r,
|
||||
@{sys}/devices/@{pci}/eeprom r,
|
||||
@ -97,14 +97,14 @@ profile htop @{exec_path} {
|
|||
@{sys}/devices/**/hwmon/**/{name,temp*} r,
|
||||
@{sys}/devices/**/power_supply/**/{uevent,type,online} r,
|
||||
@{sys}/devices/*/name r,
|
||||
@{sys}/devices/i2c-[0-9]*/name r,
|
||||
@{sys}/devices/@{pci}/i2c-[0-9]*/name r,
|
||||
@{sys}/devices/platform/*/i2c-[0-9]*/name r,
|
||||
@{sys}/devices/i2c-@{int}/name r,
|
||||
@{sys}/devices/@{pci}/i2c-@{int}/name r,
|
||||
@{sys}/devices/platform/*/i2c-@{int}/name r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/online r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_{cur,min,max}_freq r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r,
|
||||
@{sys}/devices/virtual/block/zram[0-9]*/{disksize,mm_stat} r,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/temp r,
|
||||
@{sys}/devices/virtual/block/zram@{int}/{disksize,mm_stat} r,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r,
|
||||
@{sys}/kernel/mm/hugepages/ r,
|
||||
@{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r,
|
||||
|
||||
@ -39,7 +39,7 @@ profile hugo @{exec_path} {
|
|||
owner @{user_cache_dirs}/hugo_cache/{,**} rwkl,
|
||||
|
||||
owner /tmp/hugo_cache/{,**} rwkl,
|
||||
owner /tmp/go-codehost-[0-9]* rw,
|
||||
owner /tmp/go-codehost-@{int} rw,
|
||||
|
||||
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||
|
||||
@ -60,7 +60,7 @@ profile hwinfo @{exec_path} {
|
|||
|
||||
@{sys}/bus/{,**/} r,
|
||||
@{sys}/class/*/ r,
|
||||
@{sys}/devices/pci[0-9]*/** r,
|
||||
@{sys}/devices/@{pci_bus}/** r,
|
||||
@{sys}/devices/**/input/**/dev r,
|
||||
@{sys}/devices/**/{modalias,uevent} r,
|
||||
@{sys}/devices/virtual/net/*/{type,carrier,address} r,
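Review bot: `@{sys}/devices/@{pci_bus}/** r,` swaps a plain glob for a tunable variable, so this profile now depends on `@{pci_bus}` being defined in the loaded tunables; if it is not, the profile fails to parse rather than merely losing one rule. Presumably it is defined next to `@{pci}`, but that is worth confirming, and a comment such as `# PCI root buses, @{pci_bus} comes from the tunables` tells the next reader where to look. The profile starts before this hunk.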
|
||||
@ -21,14 +21,14 @@ profile irqbalance @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/ r,
|
||||
|
||||
@{run}/irqbalance/irqbalance[0-9]*.sock w,
|
||||
@{run}/irqbalance/irqbalance@{int}.sock w,
|
||||
|
||||
@{sys}/bus/pci/devices/ r,
|
||||
@{sys}/devices/@{pci}/{class,numa_node,local_cpus,irq} r,
|
||||
@{sys}/devices/@{pci}/{vendor,device,subsystem_vendor,subsystem_device} r,
|
||||
@{sys}/devices/@{pci}/msi_irqs/ r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/ r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/cache/index[0-9]*/shared_cpu_map r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/shared_cpu_map r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/topology/{,**} r,
|
||||
@{sys}/devices/system/cpu/isolated r,
|
||||
@{sys}/devices/system/node/ r,
|
||||
@ -49,7 +49,7 @@ profile jdownloader @{exec_path} {
|
|||
owner @{JD_INSTALLDIR}/jre/lib/*/jli/libjli.so mrw,
|
||||
owner @{JD_INSTALLDIR}/jre/lib/*/server/libjvm.so mrw,
|
||||
owner @{JD_INSTALLDIR}/jre/lib/*/*.so mrw,
|
||||
owner @{JD_INSTALLDIR}/tmp/jna/jna[0-9]*.tmp mrw,
|
||||
owner @{JD_INSTALLDIR}/tmp/jna/jna@{int}.tmp mrw,
|
||||
owner @{JD_INSTALLDIR}/tmp/7zip/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw,
|
||||
|
||||
owner @{HOME}/.oracle_jre_usage/@{hex}.timestamp rw,
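Review bot: `owner @{JD_INSTALLDIR}/tmp/jna/jna@{int}.tmp mrw,` grants write and mmap-exec on the same path, which lets the confined process load whatever it has just written; that looks intrinsic to how JNA unpacks its native helper, but it removes most of the value of mediating exec in this directory and deserves a comment, e.g. `# JNA extracts its native library here and dlopens it, hence w+m on one file`. The `SevenZipJBinding` rule two lines below has the same shape. The profile starts before this hunk.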
|
||||
|
@ -67,10 +67,10 @@ profile jdownloader @{exec_path} {
|
|||
owner /tmp/SevenZipJBinding-*/ rw,
|
||||
owner /tmp/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw,
|
||||
# For auto updates
|
||||
owner /tmp/lastChanceSrc[0-9]*lch rw,
|
||||
owner /tmp/lastChanceDst[0-9]*.jar rw,
|
||||
owner /tmp/i4j_log_jd2_[0-9]*.log rw,
|
||||
owner /tmp/install4jError[0-9]*.log rw,
|
||||
owner /tmp/lastChanceSrc@{int}lch rw,
|
||||
owner /tmp/lastChanceDst@{int}.jar rw,
|
||||
owner /tmp/i4j_log_jd2_@{int}.log rw,
|
||||
owner /tmp/install4jError@{int}.log rw,
|
||||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
|
||||
@ -25,7 +25,7 @@ profile jmtpfs @{exec_path} {
|
|||
owner @{HOME}/*/ r,
|
||||
owner @{HOME}/*/*/ r,
|
||||
|
||||
owner @{user_cache_dirs}/*/mtp{,-[0-9]*}/ rw,
|
||||
owner @{user_cache_dirs}/*/mtp{,-@{int}}/ rw,
|
||||
|
||||
mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/,
|
||||
mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/,
|
||||
@ -44,7 +44,7 @@ profile kodi @{exec_path} {
|
|||
owner @{HOME}/.kodi/** rwk,
|
||||
|
||||
owner @{HOME}/core w,
|
||||
owner @{HOME}/kodi_crashlog-[0-9]*_[0-9]*.log w,
|
||||
owner @{HOME}/kodi_crashlog-@{int}_@{int}.log w,
|
||||
|
||||
owner @{HOME}/.icons/default/index.theme r,
|
||||
|
||||
|
@ -68,7 +68,7 @@ profile kodi @{exec_path} {
|
|||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/temp r,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r,
|
||||
|
||||
@{run}/udev/data/* r,
|
||||
|
||||
|
@ -84,7 +84,7 @@ profile kodi @{exec_path} {
|
|||
|
||||
# file_inherit
|
||||
/usr/share/kodi/** r,
|
||||
/sys/devices/virtual/thermal/thermal_zone[0-9]*/temp r,
|
||||
/sys/devices/virtual/thermal/thermal_zone@{int}/temp r,
|
||||
/sys/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
|
||||
/home/morfik/.kodi/temp/kodi.log w,
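Review bot: `/home/morfik/.kodi/temp/kodi.log w,` hard-codes one developer's home directory, so on any other machine it is dead weight and on that machine it is an unowned write grant; it should read `owner @{HOME}/.kodi/temp/kodi.log w,`, which is also the form the rest of this profile uses for the kodi state directory. The two `/sys/devices/...` lines in the same `# file_inherit` group likewise spell `/sys` literally where the profile otherwise uses `@{sys}`. The enclosing block starts before this hunk.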
|
||||
|
||||
@ -24,7 +24,7 @@ profile last @{exec_path} {
|
|||
@{PROC}/@{pids}/loginuid r,
|
||||
|
||||
/var/log/wtmp r,
|
||||
/var/log/btmp{,.[0-9]*} r,
|
||||
/var/log/btmp{,.@{int}} r,
|
||||
|
||||
include if exists <local/last>
|
||||
}
|
||||
@ -42,8 +42,8 @@ profile localepurge @{exec_path} {
|
|||
/usr/share/cups/{templates,locale,doc-root}/{,**/} r,
|
||||
/usr/share/cups/{templates,locale,doc-root}/**/** w,
|
||||
/usr/share/vim/ r,
|
||||
/usr/share/vim/vim[0-9]*/lang/{,**/} r,
|
||||
/usr/share/vim/vim[0-9]*/lang/**/** w,
|
||||
/usr/share/vim/vim@{int}/lang/{,**/} r,
|
||||
/usr/share/vim/vim@{int}/lang/**/** w,
|
||||
/usr/share/X11/locale/**/** w,
|
||||
|
||||
/etc/locale.nopurge r,
|
||||
@ -52,7 +52,7 @@ profile login @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/security/pam_env.conf r,
|
||||
/etc/shells r,
|
||||
|
||||
/var/log/btmp{,.[0-9]*} r,
|
||||
/var/log/btmp{,.@{int}} r,
|
||||
|
||||
owner @{user_cache_dirs}/motd.legal-displayed rw,
|
||||
|
||||
@ -30,7 +30,7 @@ profile mandb @{exec_path} flags=(complain) {
|
|||
/usr/{,share/}man/{,**} r,
|
||||
/usr/local/{,share/}man/{,**} r,
|
||||
|
||||
/usr/share/**/man/man[0-9]*/*.[0-9]*.gz r,
|
||||
/usr/share/**/man/man@{int}/*.@{int}.gz r,
|
||||
|
||||
owner @{user_share_dirs}/man/** rwk,
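Review bot: `/usr/share/**/man/man@{int}/*.@{int}.gz r,` is stricter than the old `[0-9]*` glob in a way that matters for man pages: section directories and suffixes are often digit-plus-letters (`man3p`, `man1p`, `Foo.3pm.gz`, `openssl.1ssl.gz`), which `@{int}` does not match, so mandb will start hitting denials on perl, POSIX and openssl manuals under those trees. `/usr/share/**/man/man@{int}*/*.@{int}*.gz r,` keeps the digit anchor while admitting the letter suffixes. The profile starts before this hunk.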
|
||||
|
||||
@ -29,7 +29,7 @@ profile mke2fs @{exec_path} {
|
|||
owner @{user_img_dirs}/{,**} rwk,
|
||||
|
||||
# For virt-resize
|
||||
owner /var/tmp/.guestfs-[0-9]*/** rwk,
|
||||
owner /var/tmp/.guestfs-@{int}/** rwk,
|
||||
|
||||
owner @{run}/blkid/blkid.tab{,-@{rand6}} rw,
|
||||
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
|
||||
@ -95,7 +95,7 @@ profile monitorix @{exec_path} {
|
|||
@{PROC}/@{pids}/io r,
|
||||
|
||||
@{sys}/class/i2c-adapter/ r,
|
||||
@{sys}/devices/@{pci}/i2c-[0-9]*/name r,
|
||||
@{sys}/devices/@{pci}/i2c-@{int}/name r,
|
||||
@{sys}/class/hwmon/ r,
|
||||
@{sys}/devices/**/thermal*/{,**} r,
|
||||
@{sys}/devices/**/hwmon*/{,**} r,
|
||||
@ -59,8 +59,8 @@ profile mount @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/mount/utab{,.*} rw,
|
||||
owner @{run}/mount/utab.lock wk,
|
||||
|
||||
/tmp/sanity-squashfs-[0-9]* rw,
|
||||
/tmp/syscheck-squashfs-[0-9]* rw,
|
||||
/tmp/sanity-squashfs-@{int} rw,
|
||||
/tmp/syscheck-squashfs-@{int} rw,
|
||||
|
||||
@{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
@ -10,12 +10,16 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/obexautofs
|
||||
profile obexautofs @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/devices-usb>
|
||||
|
||||
network bluetooth seqpacket,
|
||||
network bluetooth stream,
|
||||
network bluetooth raw,
|
||||
network netlink raw,
|
||||
|
||||
mount fstype=fuse.obexautofs -> @{HOME}/*/,
|
||||
mount fstype=fuse.obexautofs -> @{HOME}/*/*/,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/fusermount{,3} rCx -> fusermount,
|
||||
|
@ -23,42 +27,31 @@ profile obexautofs @{exec_path} {
|
|||
owner @{HOME}/*/ r,
|
||||
owner @{HOME}/*/*/ r,
|
||||
|
||||
mount fstype=fuse.obexautofs -> @{HOME}/*/,
|
||||
mount fstype=fuse.obexautofs -> @{HOME}/*/*/,
|
||||
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/class/ r,
|
||||
@{sys}/bus/usb/devices/ r,
|
||||
@{sys}/devices/@{pci}/usb@{int}/bConfigurationValue r,
|
||||
@{sys}/devices/@{pci}/usb@{int}/**/bConfigurationValue r,
|
||||
@{sys}/devices/@{pci}/usb@{int}/{uevent,busnum,devnum,speed,descriptors} r,
|
||||
@{sys}/devices/@{pci}/usb@{int}/**/{uevent,busnum,devnum,speed,descriptors} r,
|
||||
|
||||
@{run}/udev/data/+usb:* r,
|
||||
@{run}/udev/data/c18[0,8,9]:[0-9]* r, # USB devices & USB serial converters
|
||||
|
||||
/dev/bus/usb/ r,
|
||||
/dev/fuse rw,
|
||||
|
||||
|
||||
profile fusermount {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
# To mount anything:
|
||||
capability sys_admin,
|
||||
|
||||
mount fstype={fuse,fuse.obexautofs} -> @{HOME}/*/,
|
||||
mount fstype={fuse,fuse.obexautofs} -> @{HOME}/*/*/,
|
||||
|
||||
@{bin}/fusermount{,3} mr,
|
||||
|
||||
/etc/fuse.conf r,
|
||||
|
||||
/dev/fuse rw,
|
||||
|
||||
mount fstype={fuse,fuse.obexautofs} -> @{HOME}/*/,
|
||||
mount fstype={fuse,fuse.obexautofs} -> @{HOME}/*/*/,
|
||||
|
||||
@{PROC}/@{pid}/mounts r,
|
||||
|
||||
/dev/fuse rw,
|
||||
|
||||
include if exists <local/obexautofs_fusermount>
|
||||
}
|
||||
|
||||
include if exists <local/obexautofs>
|
||||
@ -39,7 +39,7 @@ profile qemu-ga @{exec_path} {
|
|||
|
||||
owner @{PROC}/@{pid}/net/dev r,
|
||||
|
||||
/dev/vport[0-9]*p[0-9]* rw,
|
||||
/dev/vport@{int}p@{int} rw,
|
||||
|
||||
include if exists <local/qemu-ga>
|
||||
}
|
|
@ -69,9 +69,9 @@ profile qnapi @{exec_path} {
|
|||
owner /tmp/#@{int} rw,
|
||||
owner /tmp/QNapi-*-rc wl -> /tmp/#@{int},
|
||||
owner /tmp/QNapi-*-rc.lock rwk,
|
||||
owner /tmp/QNapi.[0-9]*.tmp rw,
|
||||
owner /tmp/QNapi.[0-9]*.tmp.* rw,
|
||||
owner /tmp/QNapi.[0-9]*.tmp.* rwl -> /tmp/#@{int},
|
||||
owner /tmp/QNapi.@{int}.tmp rw,
|
||||
owner /tmp/QNapi.@{int}.tmp.* rw,
|
||||
owner /tmp/QNapi.@{int}.tmp.* rwl -> /tmp/#@{int},
|
||||
owner /tmp/QNapi.@{int} rw,
|
||||
|
||||
owner /dev/shm/#@{int} rw,
|
||||
@ -66,8 +66,8 @@ profile quiterss @{exec_path} {
|
|||
|
||||
/dev/shm/#@{int} rw,
|
||||
|
||||
owner /tmp/qtsingleapp-quiter-[0-9]*-[0-9]* rw,
|
||||
owner /tmp/qtsingleapp-quiter-[0-9]*-[0-9]*-lockfile rwk,
|
||||
owner /tmp/qtsingleapp-quiter-@{int}-@{int} rw,
|
||||
owner /tmp/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk,
|
||||
owner /var/tmp/etilqs_@{hex} rw,
|
||||
|
||||
# Allowed apps to open
|
||||
@ -24,11 +24,10 @@ profile sensors @{exec_path} {
|
|||
@{sys}/devices/**/hwmon*/{in[0-9]_label,in[0-9]_min,in[0-9]_max} r,
|
||||
@{sys}/devices/**/hwmon*/{name,temp*,*_input} r,
|
||||
@{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r,
|
||||
@{sys}/devices/**/hwmon/hwmon@{int}/power[0-9]*_crit r,
|
||||
@{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-[0-9]*/name r,
|
||||
@{sys}/devices/**/hwmon/hwmon@{int}/power@{int}_crit r,
|
||||
@{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-@{int}/name r,
|
||||
@{sys}/devices/@{pci}/name r,
|
||||
@{sys}/devices/platform/**/power_supply/**/hwmon@{int}/curr1_max r,
|
||||
@{sys}/devices/virtual/hwmon/hwmon[0-9]* r,
|
||||
@{sys}/devices/virtual/hwmon/hwmon@{int}/ r,
|
||||
@{sys}/devices/virtual/hwmon/hwmon@{int}/{name,temp*} r,
|
||||
@{sys}/devices/virtual/hwmon/hwmon@{int}/fan[0-9]_label r,
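Review bot: Two lines in this hunk still use a single-digit class where the rest of the hunk now uses `@{int}`: `{in[0-9]_label,in[0-9]_min,in[0-9]_max}` on the first line and `fan[0-9]_label` on the last. hwmon drivers routinely expose more than ten voltage inputs (`in10_label` and up), so those reads will be denied; `{in@{int}_label,in@{int}_min,in@{int}_max}` and `fan@{int}_label` match the conversion done for `power@{int}_crit` in this same hunk. The profile starts before this hunk.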
|
||||
@ -122,9 +122,9 @@ profile snapd @{exec_path} {
|
|||
/var/cache/apparmor/*/snap* rw,
|
||||
|
||||
/tmp/ r,
|
||||
/tmp/syscheck-mountpoint-[0-9]*/{,**} rw,
|
||||
/tmp/syscheck-squashfs-[0-9]* rw,
|
||||
/tmp/read-file[0-9]*/{,**} rw,
|
||||
/tmp/syscheck-mountpoint-@{int}/{,**} rw,
|
||||
/tmp/syscheck-squashfs-@{int} rw,
|
||||
/tmp/read-file@{int}/{,**} rw,
|
||||
|
||||
/boot/ r,
|
||||
/boot/grub/grubenv r,
|
||||
@ -26,7 +26,7 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
|
|||
@{PROC}/@{pids}/cgroup r,
|
||||
|
||||
/dev/uinput rw,
|
||||
/dev/vport[0-9]*p[0-9]* rw,
|
||||
/dev/vport@{int}p@{int} rw,
|
||||
|
||||
include if exists <local/spice-vdagentd>
|
||||
}
|
||||
@ -166,7 +166,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
|
|||
@{sys}/devices/**/input/input@{int}/ r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/@{pci}/class r,
|
||||
@{sys}/devices/@{pci}/i2c-[0-9]*/report_descriptor r,
|
||||
@{sys}/devices/@{pci}/i2c-@{int}/report_descriptor r,
|
||||
@{sys}/devices/@{pci}/sound/card[0-9]*/** r,
|
||||
@{sys}/devices/@{pci}/usb@{int}/{manufacturer,product,bcdDevice,bInterfaceNumber} r,
|
||||
@{sys}/devices/system/cpu/** r,
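Review bot: `@{sys}/devices/@{pci}/sound/card[0-9]*/** r,` keeps the old glob here while the identical rule in steam-game is converted to `card@{int}` in this same commit; the two profiles should agree, `@{sys}/devices/@{pci}/sound/card@{int}/** r,`. The profile starts before this hunk.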
|
||||
@ -18,10 +18,10 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner @{HOME}/.steam/steam.pipe r,
|
||||
|
||||
owner @{user_share_dirs}/Steam/steamapps/shadercache/@{int}/fozpipelinesv[0-9]*/{,**} rw,
|
||||
owner @{user_share_dirs}/Steam/steamapps/shadercache/@{int}/fozpipelinesv@{int}/{,**} rw,
|
||||
owner @{user_share_dirs}/Steam/steamapps/shadercache/@{int}/mesa_shader_cache_sf/{,**} rwk,
|
||||
owner @{user_share_dirs}/Steam/steamapps/shadercache/@{int}/nvidiav[0-9]*/GLCache/ rw,
|
||||
owner @{user_share_dirs}/Steam/steamapps/shadercache/@{int}/nvidiav[0-9]*/GLCache/** rwk,
|
||||
owner @{user_share_dirs}/Steam/steamapps/shadercache/@{int}/nvidiav@{int}/GLCache/ rw,
|
||||
owner @{user_share_dirs}/Steam/steamapps/shadercache/@{int}/nvidiav@{int}/GLCache/** rwk,
|
||||
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
|
||||
|
||||
|
@ -31,7 +31,7 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
|
|||
@{PROC}/pressure/io r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
|
||||
owner /dev/shm/fossilize-*-[0-9]*-[0-9]* rw,
|
||||
owner /dev/shm/fossilize-*-@{int}-@{int} rw,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
@ -101,7 +101,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
|
|||
@{user_share_dirs}/Steam/legacycompat/** mr,
|
||||
@{user_share_dirs}/Steam/linux{32,64}/ r,
|
||||
@{user_share_dirs}/Steam/linux{32,64}/**.so* mr,
|
||||
@{user_share_dirs}/Steam/standalone_installscript_progress_[0-9]*.vdf rw,
|
||||
@{user_share_dirs}/Steam/standalone_installscript_progress_@{int}.vdf rw,
|
||||
@{user_share_dirs}/Steam/steamapps/common/*/* mr,
|
||||
@{user_share_dirs}/Steam/steamapps/common/Proton*/ r,
|
||||
@{user_share_dirs}/Steam/steamapps/common/Proton*/files/bin/* mrix,
|
||||
|
@ -195,9 +195,9 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/devices/**/input@{int}/capabilities/* r,
|
||||
@{sys}/devices/**/input/input@{int}/ r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/@{pci}/sound/card[0-9]*/** r,
|
||||
@{sys}/devices/@{pci}/sound/card@{int}/** r,
|
||||
@{sys}/devices/@{pci}/usb@{int}/{manufacturer,product,bcdDevice,bInterfaceNumber} r,
|
||||
@{sys}/devices/system/clocksource/clocksource[0-9]*/current_clocksource r,
|
||||
@{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r,
|
||||
@{sys}/devices/system/cpu/** r,
|
||||
@{sys}/devices/system/node/node[0-9]/cpumap r,
|
||||
@{sys}/devices/system/node/online r,
|
||||
@ -46,7 +46,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{sys}/devices/**/hwmon@{int}/ r,
|
||||
@{sys}/devices/**/hwmon@{int}/name r,
|
||||
@{sys}/devices/**/hwmon@{int}/temp[0-9]*_{max,crit} r,
|
||||
@{sys}/devices/**/hwmon@{int}/temp@{int}_{max,crit} r,
|
||||
@{sys}/devices/**/path r,
|
||||
|
||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
|
@ -57,10 +57,10 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/devices/virtual/thermal/thermal_zone@{int}/ r,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone@{int}/mode rw,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone@{int}/policy rw,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone@{int}/trip_point_[0-9]*_temp rw,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone@{int}/trip_point_[0-9]*_type r,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone@{int}/trip_point_[0-9]*_hyst r,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone@{int}/cdev[0-9]*_trip_point r,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone@{int}/trip_point_@{int}_temp rw,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone@{int}/trip_point_@{int}_type r,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone@{int}/trip_point_@{int}_hyst r,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone@{int}/cdev@{int}_trip_point r,
|
||||
|
||||
@{sys}/devices/virtual/thermal/cooling_device[@{int}/ r,
|
||||
@{sys}/devices/virtual/thermal/cooling_device@{int}/cur_state rw,
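Review bot: `@{sys}/devices/virtual/thermal/cooling_device[@{int}/ r,` contains a stray `[` with no closing `]`, so it is either rejected by apparmor_parser as an unterminated character class or, at best, matched literally and never hits a real sysfs path; the line directly below shows the intended form, `@{sys}/devices/virtual/thermal/cooling_device@{int}/ r,`. This line is only context in the hunk, but it is the most consequential defect here since a parse error keeps the whole profile from loading. The profile starts before this hunk.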
|
||||
|
@ -72,7 +72,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/* r,
|
||||
@{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/constraint_* w,
|
||||
@{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/enabled w,
|
||||
@{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/intel-rapl:[0-9]*:[0-9]*/{,*} r,
|
||||
@{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/intel-rapl:@{int}/{,*} r,
|
||||
|
||||
/dev/acpi_thermal_rel rw,
|
||||
/dev/input/ r,
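Review bot: The new `intel-rapl{,-mmio}:@{int}/intel-rapl:@{int}/{,*} r,` drops one component compared with the old `intel-rapl:[0-9]*:[0-9]*/`: RAPL sub-zones are named `intel-rapl:0:0`, `intel-rapl:0:1`, and `@{int}` matches digits only, so the sub-zone directories become unreadable. The faithful replacement is `@{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/intel-rapl:@{int}:@{int}/{,*} r,`. The profile starts before this hunk.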
|
||||
@ -16,9 +16,9 @@ profile thinkfan @{exec_path} {
|
|||
/etc/thinkfan.conf r,
|
||||
/etc/thinkfan.yaml r,
|
||||
|
||||
@{sys}/devices/**/hwmon/**/pwm[0-9]* rw,
|
||||
@{sys}/devices/**/hwmon/**/pwm[0-9]*_enable rw,
|
||||
@{sys}/devices/**/hwmon/**/temp[0-9]*_input r,
|
||||
@{sys}/devices/**/hwmon/**/pwm@{int} rw,
|
||||
@{sys}/devices/**/hwmon/**/pwm@{int}_enable rw,
|
||||
@{sys}/devices/**/hwmon/**/temp@{int}_input r,
|
||||
|
||||
@{PROC}/acpi/ibm/thermal r,
|
||||
@{PROC}/acpi/ibm/fan rw,
|
||||
@ -43,7 +43,7 @@ profile tint2 @{exec_path} {
|
|||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
|
||||
owner /tmp/tint2-@{pid}-[0-9]*.png rw,
|
||||
owner /tmp/tint2-@{pid}-@{int}.png rw,
|
||||
|
||||
# Battery applet
|
||||
@{sys}/class/power_supply/ r,
|
||||
@ -126,7 +126,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/devices/@{pci}/{ata,usb,mmc}[0-9]/{,**/}remove rw,
|
||||
@{sys}/devices/virtual/bdi/**/read_ahead_kb r,
|
||||
@{sys}/devices/virtual/block/*/{,**} rw,
|
||||
@{sys}/devices/virtual/block/loop[0-9]*/uevent rw,
|
||||
@{sys}/devices/virtual/block/loop@{int}/uevent rw,
|
||||
@{sys}/devices/virtual/dmi/id/product_uuid r,
|
||||
@{sys}/devices/virtual/nvme-subsystem/{,**} r,
|
||||
@{sys}/fs/ r,
|
||||
|
@ -139,7 +139,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
/dev/loop-control rw,
|
||||
/dev/null.[0-9]* rw,
|
||||
/dev/null.@{int} rw,
|
||||
|
||||
include if exists <local/udisksd>
|
||||
}
|
||||
@ -29,7 +29,7 @@ profile unhide-tcp @{exec_path} {
|
|||
@{PROC}/@{pids}/fd/ r,
|
||||
|
||||
# For logs
|
||||
/**/unhide-tcp_[0-9]*-[0-9]*-[0-9]*.log w,
|
||||
/**/unhide-tcp_@{int}-@{int}-@{int}.log w,
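Review bot: `/**/unhide-tcp_@{int}-@{int}-@{int}.log w,` lets the tool create and write its log in any directory on the system, `/etc/` or `/usr/bin/` included, because `/**/` is unanchored; the `@{int}` conversion narrows the file name but not the location. If the log only ever lands in the directory unhide-tcp is launched from, anchoring it to the places an operator would realistically run it from, e.g. `owner @{HOME}/**/unhide-tcp_@{int}-@{int}-@{int}.log w,` plus the `/root/**/` and `/var/log/` variants, is a much smaller grant; otherwise a comment explaining why the unanchored write is accepted would help. The profile starts before this hunk.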
|
||||
|
||||
include if exists <local/unhide-tcp>
|
||||
}
|
||||
@ -37,7 +37,7 @@ profile update-smart-drivedb @{exec_path} {
|
|||
|
||||
/var/lib/smartmontools/drivedb/drivedb.h{,.*} rw,
|
||||
|
||||
owner /var/lib/smartmontools/drivedb/.gnupg.[0-9]*.tmp/{,**} rw,
|
||||
owner /var/lib/smartmontools/drivedb/.gnupg.@{int}.tmp/{,**} rw,
|
||||
|
||||
# For shell pwd
|
||||
/root/ r,
|
||||
|
@ -55,8 +55,8 @@ profile update-smart-drivedb @{exec_path} {
|
|||
|
||||
/var/lib/smartmontools/drivedb/drivedb.h.new.raw{,.asc} r,
|
||||
|
||||
owner /var/lib/smartmontools/drivedb/.gnupg.[0-9]*.tmp/ rw,
|
||||
owner /var/lib/smartmontools/drivedb/.gnupg.[0-9]*.tmp/** rwkl -> /var/lib/smartmontools/drivedb/.gnupg.[0-9]*.tmp/**,
|
||||
owner /var/lib/smartmontools/drivedb/.gnupg.@{int}.tmp/ rw,
|
||||
owner /var/lib/smartmontools/drivedb/.gnupg.@{int}.tmp/** rwkl -> /var/lib/smartmontools/drivedb/.gnupg.@{int}.tmp/**,
|
||||
|
||||
}
|
||||
|
||||
@ -25,8 +25,8 @@ profile usbguard @{exec_path} {
|
|||
/etc/usbguard/*.conf rw,
|
||||
/etc/usbguard/IPCAccessControl.d/{,*} rw,
|
||||
|
||||
/dev/shm/qb-usbguard-{request,response,event}-[0-9]*-[0-9]*-[0-9]*-{header,data} rw,
|
||||
/dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw,
|
||||
/dev/shm/qb-usbguard-{request,response,event}-@{int}-@{int}-@{int}-{header,data} rw,
|
||||
/dev/shm/qb-@{int}-@{int}-@{int}-*/qb-{request,response,event}-usbguard-{header,data} rw,
|
||||
|
||||
# For "usbguard generate-policy"
|
||||
@{sys}/devices/@{pci}/uevent r,
|
||||
@ -29,10 +29,10 @@ profile usbguard-applet-qt @{exec_path} {
|
|||
owner @{user_config_dirs}/USBGuard/* rwkl -> @{user_config_dirs}/USBGuard/#@{int},
|
||||
|
||||
/dev/shm/#@{int} rw,
|
||||
/dev/shm/qb-usbguard-{request,response,event}-[0-9]*-[0-9]*-[0-9]*-{header,data} rw,
|
||||
/dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw,
|
||||
/dev/shm/qb-usbguard-{request,response,event}-@{int}-@{int}-@{int}-{header,data} rw,
|
||||
/dev/shm/qb-@{int}-@{int}-@{int}-*/qb-{request,response,event}-usbguard-{header,data} rw,
|
||||
|
||||
owner @{run}/user/@{uid}/sni-qt_usbguard-applet-qt_[0-9]*-[a-zA-Z0-9]*/{,**} rw,
|
||||
owner @{run}/user/@{uid}/sni-qt_usbguard-applet-qt_@{int}-[a-zA-Z0-9]*/{,**} rw,
|
||||
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@ -29,9 +29,9 @@ profile usbguard-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
/var/log/usbguard/usbguard-audit.log rw,
|
||||
|
||||
/dev/shm/ r,
|
||||
/dev/shm/qb-usbguard-{request,response,event}-[0-9]*-[0-9]*-[0-9]*-{header,data} rw,
|
||||
/dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/ rw,
|
||||
/dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw,
|
||||
/dev/shm/qb-usbguard-{request,response,event}-@{int}-@{int}-@{int}-{header,data} rw,
|
||||
/dev/shm/qb-@{int}-@{int}-*/ rw,
|
||||
/dev/shm/qb-@{int}-@{int}-@{int}-*/qb-{request,response,event}-usbguard-{header,data} rw,
|
||||
|
||||
@{sys}/devices/@{pci}/uevent r,
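Review bot: The directory rule `/dev/shm/qb-@{int}-@{int}-*/ rw,` has two numeric components while the file rule right below it, `/dev/shm/qb-@{int}-@{int}-@{int}-*/qb-...`, and the same pair in usbguard, usbguard-dbus and usbguard-notifier have three. The trailing `*` means the shorter form still matches, but it is looser than needed; `/dev/shm/qb-@{int}-@{int}-@{int}-*/ rw,` keeps the four profiles consistent. The profile starts before this hunk.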
|
||||
|
||||
@ -15,8 +15,8 @@ profile usbguard-dbus @{exec_path} {
|
|||
deny capability sys_nice,
|
||||
|
||||
@{exec_path} mr,
|
||||
/dev/shm/qb-usbguard-{request,response,event}-[0-9]*-[0-9]*-[0-9]*-{header,data} rw,
|
||||
/dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw,
|
||||
/dev/shm/qb-usbguard-{request,response,event}-@{int}-@{int}-@{int}-{header,data} rw,
|
||||
/dev/shm/qb-@{int}-@{int}-@{int}-*/qb-{request,response,event}-usbguard-{header,data} rw,
|
||||
|
||||
include if exists <local/usbguard-dbus>
|
||||
}
|
||||
@ -13,8 +13,8 @@ profile usbguard-notifier @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/dev/shm/qb-usbguard-{request,response,event}-[0-9]*-[0-9]*-[0-9]*-{header,data} rw,
|
||||
/dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw,
|
||||
/dev/shm/qb-usbguard-{request,response,event}-@{int}-@{int}-@{int}-{header,data} rw,
|
||||
/dev/shm/qb-@{int}-@{int}-@{int}-*/qb-{request,response,event}-usbguard-{header,data} rw,
|
||||
|
||||
owner @{PROC}/@{pid}/loginuid r,
|
||||
|
||||
@ -13,8 +13,8 @@ profile utmpdump @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/var/log/wtmp{,.[0-9]*} r,
|
||||
/var/log/btmp{,.[0-9]*} r,
|
||||
/var/log/wtmp{,.@{int}} r,
|
||||
/var/log/btmp{,.@{int}} r,
|
||||
|
||||
include if exists <local/utmpdump>
|
||||
}
|
||||
@ -33,7 +33,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{sh_path} rix,
|
||||
@{bin}/python3.@{int} r,
|
||||
@{lib}/python3.@{int}/site-packages/__pycache__/guestfs.cpython-[0-9]*.pyc.[0-9]* w,
|
||||
@{lib}/python3.@{int}/site-packages/__pycache__/guestfs.cpython-@{int}.pyc.@{int} w,
|
||||
|
||||
@{bin}/ r,
|
||||
@{bin}/env rix,
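Review bot: `@{lib}/python3.@{int}/site-packages/__pycache__/guestfs.cpython-@{int}.pyc.@{int} w,` lets a user-facing GUI write into the system site-packages tree; CPython writes bytecode to `<name>.pyc.<pid>` and then renames it onto `<name>.pyc`, and that final name has no `w` here, so presumably the rule only silences the temp-file denial and the rename still fails. That is probably the desired outcome (the app must never plant bytecode that root's python would later import), but as written it reads like an accident; a comment such as `# tmp .pyc only: the rename onto guestfs.cpython-*.pyc is deliberately not allowed` makes it explicit. The profile starts before this hunk.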
|
||||
@ -65,7 +65,7 @@ profile wireplumber @{exec_path} {
|
|||
@{sys}/devices/**/device:*/**/path r,
|
||||
@{sys}/devices/**/sound/**/pcm_class r,
|
||||
@{sys}/devices/**/sound/**/uevent r,
|
||||
@{sys}/devices/@{pci}/video4linux/video[0-9]*/uevent r,
|
||||
@{sys}/devices/@{pci}/video4linux/video@{int}/uevent r,
|
||||
@{sys}/devices/virtual/dmi/id/bios_vendor r,
|
||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||
@ -79,7 +79,7 @@ profile wireshark @{exec_path} {
|
|||
|
||||
/dev/shm/#@{int} rw,
|
||||
|
||||
owner /tmp/wireshark_extcap_ciscodump_[0-9]*_* rw,
|
||||
owner /tmp/wireshark_extcap_ciscodump_@{int}_* rw,
|
||||
|
||||
# Allowed apps to open
|
||||
@{lib}/firefox/firefox rPUx,
|
||||
@ -33,10 +33,10 @@ profile wpa-action @{exec_path} {
|
|||
/etc/network/interfaces r,
|
||||
/etc/network/interfaces.d/{,*} r,
|
||||
|
||||
owner @{run}/wpa_action.wlan[0-9]*.ifupdown rw,
|
||||
owner @{run}/wpa_action.wlan[0-9]*.timestamp rw,
|
||||
owner @{run}/network/ifstate.wlan[0-9]* rwk,
|
||||
owner @{run}/sendsigs.omit.d/wpasupplicant.wpa_supplicant.wlan[0-9]*.pid rw,
|
||||
owner @{run}/wpa_action.wlan@{int}.ifupdown rw,
|
||||
owner @{run}/wpa_action.wlan@{int}.timestamp rw,
|
||||
owner @{run}/network/ifstate.wlan@{int} rwk,
|
||||
owner @{run}/sendsigs.omit.d/wpasupplicant.wpa_supplicant.wlan@{int}.pid rw,
|
||||
|
||||
include if exists <local/wpa-action>
|
||||
}
|
||||
@ -18,7 +18,7 @@ profile wpa-cli @{exec_path} {
|
|||
/etc/inputrc r,
|
||||
|
||||
owner @{HOME}/.wpa_cli_history rw,
|
||||
owner @{HOME}/.wpa_cli_history-[0-9]*.tmp rw,
|
||||
owner @{HOME}/.wpa_cli_history-@{int}.tmp rw,
|
||||
|
||||
owner @{run}/wpa_supplicant/ r,
|
||||
owner /tmp/wpa_ctrl_@{pid}-[0-9] rw,
|
||||
@ -19,7 +19,7 @@ profile xsel @{exec_path} {
|
|||
owner @{user_cache_dirs}/xsel.log rw,
|
||||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
owner /tmp/xauth-[0-9]*-_[0-9] r,
|
||||
owner /tmp/xauth-@{int}-_[0-9] r,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty@{int} rw,
|
||||
@ -61,7 +61,7 @@ profile youtube-viewer @{exec_path} {
|
|||
/etc/wgetrc r,
|
||||
|
||||
owner @{HOME}/.wget-hsts r,
|
||||
owner @{HOME}/wget-log{,.[0-9]*} rw,
|
||||
owner @{HOME}/wget-log{,.@{int}} rw,
|
||||
|
||||
}
|
||||
|
||||