tty and pts are part of abstractions/consoles

Jeroen Rijken 2022-08-01 18:30:03 +02:00 committed by Alex
parent 7ee9644325
commit 005dec1a53
59 changed files with 58 additions and 65 deletions


@ -81,6 +81,7 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
#include <abstractions/audio> #include <abstractions/audio>
#include <abstractions/bash> #include <abstractions/bash>
#include <abstractions/consoles>
#include <abstractions/cups-client> #include <abstractions/cups-client>
#include <abstractions/dbus> #include <abstractions/dbus>
#include <abstractions/dbus-session> #include <abstractions/dbus-session>
@ -151,8 +152,6 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
/usr/bin/kgpg rix, /usr/bin/kgpg rix,
/usr/bin/kleopatra rix, /usr/bin/kleopatra rix,
/dev/tty rw,
/usr/lib{,32,64}/@{multiarch}/gstreamer???/gstreamer-???/gst-plugin-scanner rmPUx, /usr/lib{,32,64}/@{multiarch}/gstreamer???/gstreamer-???/gst-plugin-scanner rmPUx,
owner @{user_cache_dirs}/gstreamer-???/** rw, owner @{user_cache_dirs}/gstreamer-???/** rw,
unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined), #Gstreamer doesn't work without this unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined), #Gstreamer doesn't work without this


@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-mark @{exec_path} = /{usr/,}bin/apt-mark
profile apt-mark @{exec_path} { profile apt-mark @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/apt-common> include <abstractions/apt-common>
@{exec_path} mr, @{exec_path} mr,
@ -25,7 +26,5 @@ profile apt-mark @{exec_path} {
/var/cache/apt/ r, /var/cache/apt/ r,
/var/cache/apt/** rwk, /var/cache/apt/** rwk,
/dev/pts/[0-9]* rw,
include if exists <local/apt-mark> include if exists <local/apt-mark>
} }
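Review bot: The removed `/dev/pts/[0-9]* rw,` was the only console access apt-mark had, and `abstractions/consoles` presumably grants more than that (the upstream abstraction also covers `/dev/tty`, `/dev/tty[0-9]*`, `/dev/console` and `/dev/ptmx`), so for this non-interactive CLI the hunk is a small widening rather than a pure refactor. That is a defensible trade for consistency, but it should be deliberate; if the pty rule was only inherited-fd noise, a `# file_inherit` comment above the include (the convention used elsewhere in these profiles) would record that. The abstraction itself is not in this diff, so confirm what it grants before treating the include as equivalent.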


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/dbus-run-session @{exec_path} = /{usr/,}bin/dbus-run-session
profile dbus-run-session @{exec_path} { profile dbus-run-session @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dconf-write> include <abstractions/dconf-write>
signal (receive) set=(term, kill, hup) peer=gdm*, signal (receive) set=(term, kill, hup) peer=gdm*,
@ -31,9 +32,6 @@ profile dbus-run-session @{exec_path} {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
# file_inherit
/dev/tty rw,
/dev/tty[0-9]* rw,
include if exists <local/dbus-run-session> include if exists <local/dbus-run-session>
} }


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache{,-32,-v*} @{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache{,-32,-v*}
profile fc-cache @{exec_path} { profile fc-cache @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/fontconfig-cache-write> include <abstractions/fontconfig-cache-write>
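Review bot: This section shows only the added `include <abstractions/consoles>` with no matching `/dev/tty` or `/dev/pts` removal, so for fc-cache the include reads as a net grant of console device access rather than the move the commit title describes. fc-cache has no interactive use, so if the profile previously had no tty rule at all the widening is probably unintended; if a removal hunk is merely collapsed in this view, disregard this. Otherwise either drop the include or mark it with a `# file_inherit` comment, as the other profiles in this commit do for inherited descriptors.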


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/plymouth @{exec_path} = /{usr/,}bin/plymouth
profile plymouth @{exec_path} { profile plymouth @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
unix (send, receive, connect) type=stream peer=(addr="@/org/freedesktop/plymouthd"), unix (send, receive, connect) type=stream peer=(addr="@/org/freedesktop/plymouthd"),


@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-mime @{exec_path} = /{usr/,}bin/xdg-mime
profile xdg-mime @{exec_path} flags=(attach_disconnected) { profile xdg-mime @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
@{exec_path} r, @{exec_path} r,
@ -47,7 +48,6 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/platform/**/hwmon/hwmon[0-9]*/fan* r, @{sys}/devices/platform/**/hwmon/hwmon[0-9]*/fan* r,
/dev/dri/card[0-9]* rw, /dev/dri/card[0-9]* rw,
/dev/tty rw,
# When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two # When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two
# following root processes: # following root processes:


@ -10,6 +10,7 @@ include <tunables/global>
profile xdg-open @{exec_path} flags=(attach_disconnected) { profile xdg-open @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/consoles>
include <abstractions/app-launcher-user> include <abstractions/app-launcher-user>
@{exec_path} r, @{exec_path} r,
@ -50,7 +51,6 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) {
# file_inherit # file_inherit
/dev/dri/card[0-9]* rw, /dev/dri/card[0-9]* rw,
/dev/tty rw,
profile dbus { profile dbus {
include <abstractions/base> include <abstractions/base>
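Review bot: `include <abstractions/consoles>` is now listed twice in the xdg-open profile: the existing line at the top of the first hunk is a context line, and the newly added line sits directly beneath it. AppArmor tolerates a repeated include, but the duplicate is noise and suggests the edit was applied mechanically; drop the added line and keep the existing one. The profile body, including the nested `dbus` child profile, continues outside the hunk.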


@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/xkbcomp @{exec_path} = /{usr/,}bin/xkbcomp
profile xkbcomp @{exec_path} flags=(attach_disconnected) { profile xkbcomp @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
unix (send,receive) type=stream addr=none peer=(label=gnome-shell), unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
@ -32,7 +33,6 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) {
owner /tmp/server-[0-9]*.xkm rwk, owner /tmp/server-[0-9]*.xkm rwk,
/dev/dri/card[0-9]* rw, /dev/dri/card[0-9]* rw,
/dev/tty rw,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,
deny /dev/input/event[0-9]* rw, deny /dev/input/event[0-9]* rw,
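Review bot: `/dev/tty[0-9]* rw,` is kept right below the removed `/dev/tty rw,`, yet the commit says tty devices now come from `abstractions/consoles`; if that abstraction grants `/dev/tty[0-9]*` (as the upstream one does) the kept line is redundant and should go for the same reason, and if it does not, the commit message overstates what moved. The same leftover appears in the xorg, xwayland, gdm-session-worker, gjs-console, gnome-session-binary and gsd-xsettings sections. The abstraction is not part of this diff, so check its contents before deleting the rule.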


@ -13,6 +13,7 @@ include <tunables/global>
@{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap} @{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap}
profile xorg @{exec_path} flags=(attach_disconnected) { profile xorg @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts> include <abstractions/fonts>
@ -131,7 +132,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
/dev/input/event[0-9]* rw, /dev/input/event[0-9]* rw,
/dev/shm/#[0-9]*[0-9] rw, /dev/shm/#[0-9]*[0-9] rw,
/dev/shm/shmfd-* rw, /dev/shm/shmfd-* rw,
/dev/tty rw,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,
/dev/vga_arbiter rw, # Graphic card modules /dev/vga_arbiter rw, # Graphic card modules


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/Xwayland @{exec_path} = /{usr/,}bin/Xwayland
profile xwayland @{exec_path} flags=(attach_disconnected) { profile xwayland @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/mesa> include <abstractions/mesa>
@ -41,7 +42,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pids}/comm r, owner @{PROC}/@{pids}/comm r,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,
/dev/tty rw,
include if exists <local/xwayland> include if exists <local/xwayland>
} }


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gdm-session-worker @{exec_path} = @{libexec}/gdm-session-worker
profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/authentication> include <abstractions/authentication>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
@ -87,7 +88,6 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
@{PROC}/1/limits r, @{PROC}/1/limits r,
@{PROC}/keys r, @{PROC}/keys r,
/dev/tty rw,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,
include if exists <local/gdm-session-worker> include if exists <local/gdm-session-worker>


@ -43,7 +43,6 @@ profile gdm-xsession @{exec_path} {
/{usr/,}bin/dbus-update-activation-environment mr, /{usr/,}bin/dbus-update-activation-environment mr,
# file_inherit # file_inherit
/dev/tty rw,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
} }


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/gjs-console @{exec_path} = /{usr/,}bin/gjs-console
profile gjs-console @{exec_path} flags=(attach_disconnected) { profile gjs-console @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/dri-common> include <abstractions/dri-common>
@ -58,7 +59,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,
/dev/ r, /dev/ r,
/dev/tty rw,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,
include if exists <local/gjs-console> include if exists <local/gjs-console>


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/gnome-extensions-app @{exec_path} = /{usr/,}bin/gnome-extensions-app
profile gnome-extensions-app @{exec_path} { profile gnome-extensions-app @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr, @{exec_path} mr,
@ -17,7 +18,6 @@ profile gnome-extensions-app @{exec_path} {
/usr/share/terminfo/x/xterm-256color r, /usr/share/terminfo/x/xterm-256color r,
/dev/tty rw,
include if exists <local/gnome-extensions-app> include if exists <local/gnome-extensions-app>
} }


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gnome-session-binary @{exec_path} = @{libexec}/gnome-session-binary
profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
@ -141,7 +142,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cgroup r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
/dev/tty rw,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,
include if exists <usr/gnome-session-binary.d> include if exists <usr/gnome-session-binary.d>


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-xsettings @{exec_path} = @{libexec}/gsd-xsettings
profile gsd-xsettings @{exec_path} { profile gsd-xsettings @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
@ -70,7 +71,6 @@ profile gsd-xsettings @{exec_path} {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
/dev/tty rw,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,
profile run-parts { profile run-parts {


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/nautilus @{exec_path} = /{usr/,}bin/nautilus
profile nautilus @{exec_path} flags=(attach_disconnected) { profile nautilus @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/app-launcher-user> include <abstractions/app-launcher-user>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
@ -61,7 +62,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pids}/net/wireless r, @{PROC}/@{pids}/net/wireless r,
/dev/tty rw,
/dev/dri/card[0-9]* rw, /dev/dri/card[0-9]* rw,
include if exists <local/nautilus> include if exists <local/nautilus>


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = "/opt/Mullvad VPN/mullvad-gui" @{exec_path} = "/opt/Mullvad VPN/mullvad-gui"
profile mullvad-gui @{exec_path} { profile mullvad-gui @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/chromium-common> include <abstractions/chromium-common>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/dri-common> include <abstractions/dri-common>
@ -69,7 +70,6 @@ profile mullvad-gui @{exec_path} {
owner @{PROC}/@{pid}/task/@{tid}/status r, owner @{PROC}/@{pid}/task/@{tid}/status r,
owner @{PROC}/@{pid}/uid_map w, owner @{PROC}/@{pid}/uid_map w,
/dev/tty rw,
include if exists <local/mullvad-gui> include if exists <local/mullvad-gui>
} }


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/nm-openvpn-service @{exec_path} = /{usr/,}lib/nm-openvpn-service
profile nm-openvpn-service @{exec_path} { profile nm-openvpn-service @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability kill, capability kill,
@ -27,7 +28,6 @@ profile nm-openvpn-service @{exec_path} {
@{run}/NetworkManager/nm-openvpn-@{uuid} rw, @{run}/NetworkManager/nm-openvpn-@{uuid} rw,
/dev/net/tun rw, /dev/net/tun rw,
/dev/tty rw,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
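Review bot: Replacing the single `/dev/tty rw,` with `abstractions/consoles` widens a root-level VPN helper that already holds `capability kill` from one device to the whole console set (presumably `/dev/tty[0-9]*`, `/dev/pts/*`, `/dev/console` and `/dev/ptmx`, depending on what this repo's abstraction defines). nm-openvpn-service is not interactive, so the old rule was most likely an inherited descriptor from a manual start; `deny /dev/tty rw,` or keeping the original single line would be the least-privilege choice. The same consideration applies to the acpid, apparmor.systemd and systemd-sleep sections.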


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/wg-quick @{exec_path} = /{usr/,}bin/wg-quick
profile wg-quick @{exec_path} { profile wg-quick @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability net_admin, capability net_admin,
@ -39,7 +40,6 @@ profile wg-quick @{exec_path} {
@{PROC}/sys/net/ipv4/conf/all/src_valid_mark w, @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w,
/dev/tty rw,
# Force the use as root # Force the use as root
deny /{usr/,}bin/sudo x, deny /{usr/,}bin/sudo x,


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/archlinux-java @{exec_path} = /{usr/,}bin/archlinux-java
profile archlinux-java @{exec_path} { profile archlinux-java @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
@ -25,7 +26,6 @@ profile archlinux-java @{exec_path} {
/{usr/,}lib/jvm/default w, /{usr/,}lib/jvm/default w,
/{usr/,}lib/jvm/default-runtime w, /{usr/,}lib/jvm/default-runtime w,
/dev/tty rw,
# Inherit Silencer # Inherit Silencer
deny network inet6 stream, deny network inet6 stream,


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/paccache @{exec_path} = /{usr/,}bin/paccache
profile paccache @{exec_path} { profile paccache @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability dac_read_search, capability dac_read_search,
@ -35,7 +36,6 @@ profile paccache @{exec_path} {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
/dev/tty rw,
include if exists <local/paccache> include if exists <local/paccache>
} }


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/pacdiff @{exec_path} = /{usr/,}bin/pacdiff
profile pacdiff @{exec_path} flags=(attach_disconnected) { profile pacdiff @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
capability mknod, capability mknod,
@ -36,7 +37,6 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) {
/usr/{,**} r, /usr/{,**} r,
/var/{,**} r, /var/{,**} r,
/dev/tty rw,
# Inherit Silencer # Inherit Silencer
deny /apparmor/.null rw, deny /apparmor/.null rw,


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/dconf-update @{exec_path} = /usr/share/libalpm/scripts/dconf-update
profile pacman-hook-dconf @{exec_path} { profile pacman-hook-dconf @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
@ -20,7 +21,6 @@ profile pacman-hook-dconf @{exec_path} {
/etc/dconf/db/{,**} rw, /etc/dconf/db/{,**} rw,
/dev/tty rw,
# Inherit Silencer # Inherit Silencer
deny network inet6 stream, deny network inet6 stream,


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/depmod @{exec_path} = /usr/share/libalpm/scripts/depmod
profile pacman-hook-depmod @{exec_path} { profile pacman-hook-depmod @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
@ -23,7 +24,6 @@ profile pacman-hook-depmod @{exec_path} {
/usr/lib/modules/*/{,**} rw, /usr/lib/modules/*/{,**} rw,
/dev/tty rw,
# Inherit Silencer # Inherit Silencer
deny network inet6 stream, deny network inet6 stream,


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/dkms @{exec_path} = /usr/share/libalpm/scripts/dkms
profile pacman-hook-dkms @{exec_path} { profile pacman-hook-dkms @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
capability mknod, capability mknod,
@ -27,7 +28,6 @@ profile pacman-hook-dkms @{exec_path} {
/etc/dkms/{,*} r, /etc/dkms/{,*} r,
/dev/tty rw,
# Inherit Silencer # Inherit Silencer
deny network inet6 stream, deny network inet6 stream,


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/40-fontconfig-config @{exec_path} = /usr/share/libalpm/scripts/40-fontconfig-config
profile pacman-hook-fontconfig @{exec_path} { profile pacman-hook-fontconfig @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
@ -21,7 +22,6 @@ profile pacman-hook-fontconfig @{exec_path} {
/etc/fonts/conf.d/* rwl, /etc/fonts/conf.d/* rwl,
/usr/share/fontconfig/conf.default/* r, /usr/share/fontconfig/conf.default/* r,
/dev/tty rw,
# Inherit Silencer # Inherit Silencer
deny network inet6 stream, deny network inet6 stream,


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/gio-querymodules @{exec_path} = /usr/share/libalpm/scripts/gio-querymodules
profile pacman-hook-gio @{exec_path} { profile pacman-hook-gio @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
@ -23,7 +24,6 @@ profile pacman-hook-gio @{exec_path} {
/usr/lib/gio/modules/ rw, /usr/lib/gio/modules/ rw,
/dev/tty rw,
# Inherit Silencer # Inherit Silencer
deny network inet6 stream, deny network inet6 stream,


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/gtk-update-icon-cache @{exec_path} = /usr/share/libalpm/scripts/gtk-update-icon-cache
profile pacman-hook-gtk @{exec_path} { profile pacman-hook-gtk @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
@ -23,7 +24,6 @@ profile pacman-hook-gtk @{exec_path} {
/usr/share/icons/{,**} rw, /usr/share/icons/{,**} rw,
/dev/tty rw,
# Inherit Silencer # Inherit Silencer
deny network inet6 stream, deny network inet6 stream,


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/mkinitcpio-install @{exec_path} = /usr/share/libalpm/scripts/mkinitcpio-install
profile pacman-hook-mkinitcpio-install @{exec_path} flags=(attach_disconnected) { profile pacman-hook-mkinitcpio-install @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
capability mknod, capability mknod,
@ -32,7 +33,6 @@ profile pacman-hook-mkinitcpio-install @{exec_path} flags=(attach_disconnected)
/ r, / r,
owner /boot/vmlinuz-* rw, owner /boot/vmlinuz-* rw,
/dev/tty rw,
# Inherit Silencer # Inherit Silencer
deny network inet6 stream, deny network inet6 stream,


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/mkinitcpio-remove @{exec_path} = /usr/share/libalpm/scripts/mkinitcpio-remove
profile pacman-hook-mkinitcpio-remove @{exec_path} { profile pacman-hook-mkinitcpio-remove @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
capability mknod, capability mknod,
@ -28,7 +29,6 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} {
/boot/initramfs-*.img rw, /boot/initramfs-*.img rw,
/boot/initramfs-*-fallback.img rw, /boot/initramfs-*-fallback.img rw,
/dev/tty rw,
# Inherit Silencer # Inherit Silencer
deny network inet6 stream, deny network inet6 stream,


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/detect-old-perl-modules.sh @{exec_path} = /usr/share/libalpm/scripts/detect-old-perl-modules.sh
profile pacman-hook-perl @{exec_path} { profile pacman-hook-perl @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
capability mknod, capability mknod,
@ -23,7 +24,6 @@ profile pacman-hook-perl @{exec_path} {
/{usr/,}lib/perl[0-9]*/{,**} r, /{usr/,}lib/perl[0-9]*/{,**} r,
/dev/tty rw,
# Inherit silencer # Inherit silencer
deny network inet6 stream, deny network inet6 stream,


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/systemd-hook @{exec_path} = /usr/share/libalpm/scripts/systemd-hook
profile pacman-hook-systemd @{exec_path} { profile pacman-hook-systemd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
@ -29,7 +30,6 @@ profile pacman-hook-systemd @{exec_path} {
/usr/ rw, /usr/ rw,
/dev/tty rw,
# Inherit silencer # Inherit silencer
deny network inet6 stream, deny network inet6 stream,


@ -10,6 +10,7 @@ include <tunables/global>
profile pacman-key @{exec_path} { profile pacman-key @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
capability mknod, capability mknod,
@ -35,7 +36,6 @@ profile pacman-key @{exec_path} {
/etc/pacman.d/gnupg/gpg.conf r, /etc/pacman.d/gnupg/gpg.conf r,
/dev/tty rw,
profile gpg { profile gpg {
include <abstractions/base> include <abstractions/base>
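Review bot: `include <abstractions/consoles>` is now present twice in pacman-key: the existing include is a context line in the first hunk and the added line directly follows it. A repeated include is accepted by the parser but it is noise in a profile that guards the package signing keyring; drop the added line and keep the existing one. The nested `gpg` child profile that starts at the end of the second hunk continues outside it.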


@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-analyze @{exec_path} = /{usr/,}bin/systemd-analyze
profile systemd-analyze @{exec_path} { profile systemd-analyze @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/systemd-common> include <abstractions/systemd-common>
capability sys_resource, capability sys_resource,
@ -57,8 +58,5 @@ profile systemd-analyze @{exec_path} {
owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/comm r,
@{PROC}/swaps r, @{PROC}/swaps r,
/dev/tty rw,
/dev/pts/1 rw,
include if exists <local/systemd-analyze> include if exists <local/systemd-analyze>
} }


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/user-environment-generators/* @{exec_path} = /{usr/,}lib/systemd/user-environment-generators/*
profile systemd-environment-d-generator @{exec_path} { profile systemd-environment-d-generator @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/systemd-common> include <abstractions/systemd-common>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -24,7 +25,6 @@ profile systemd-environment-d-generator @{exec_path} {
owner @{user_config_dirs}/environment.d/{,*.conf} r, owner @{user_config_dirs}/environment.d/{,*.conf} r,
/dev/tty rw,
include if exists <local/systemd-environment-d-generator> include if exists <local/systemd-environment-d-generator>
} }


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-sleep @{exec_path} = /{usr/,}lib/systemd/systemd-sleep
profile systemd-sleep @{exec_path} { profile systemd-sleep @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/systemd-common> include <abstractions/systemd-common>
@ -29,7 +30,6 @@ profile systemd-sleep @{exec_path} {
@{PROC}/driver/nvidia/suspend w, @{PROC}/driver/nvidia/suspend w,
/dev/tty rw,
include if exists <local/systemd-sleep> include if exists <local/systemd-sleep>
} }


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}{local/,}bin/k3s @{exec_path} = /{usr/,}{local/,}bin/k3s
profile k3s @{exec_path} { profile k3s @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-read> include <abstractions/disks-read>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
@ -166,7 +167,6 @@ profile k3s @{exec_path} {
@{sys}/module/apparmor/parameters/enabled r, @{sys}/module/apparmor/parameters/enabled r,
/dev/kmsg r, /dev/kmsg r,
/dev/pts/[0-9]* rw,
include if exists <local/k3s> include if exists <local/k3s>
} }
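Review bot: k3s previously had only `/dev/pts/[0-9]* rw,`, plausibly for exec/attach sessions with a pty (not verifiable from this hunk); the include now also grants the virtual-console and tty devices that a container runtime has no reason to touch. Since the profile already enumerates devices explicitly (`/dev/kmsg r` just above), keeping the narrow pts rule rather than the blanket include would match its style and keep the root-level runtime at least privilege. Confirm what `abstractions/consoles` grants in this repo before deciding; it is not part of this diff.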


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/acpid @{exec_path} = /{usr/,}{s,}bin/acpid
profile acpid @{exec_path} flags=(attach_disconnected) { profile acpid @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability dac_read_search, capability dac_read_search,
@ -33,7 +34,6 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pids}/loginuid r, owner @{PROC}/@{pids}/loginuid r,
/dev/input/{,**} r, /dev/input/{,**} r,
/dev/tty rw,
include if exists <local/acpid> include if exists <local/acpid>
} }


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/apparmor/apparmor.systemd @{exec_path} = /{usr/,}lib/apparmor/apparmor.systemd
profile apparmor.systemd @{exec_path} flags=(complain) { profile apparmor.systemd @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability mac_admin, capability mac_admin,
@ -41,7 +42,6 @@ profile apparmor.systemd @{exec_path} flags=(complain) {
@{PROC}/filesystems r, @{PROC}/filesystems r,
@{PROC}/mounts r, @{PROC}/mounts r,
/dev/tty rw,
include if exists <local/apparmor.systemd> include if exists <local/apparmor.systemd>
} }


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/code/extensions/git/dist/askpass.sh @{exec_path} = /{usr/,}lib/code/extensions/git/dist/askpass.sh
profile askpass @{exec_path} { profile askpass @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
@ -25,7 +26,6 @@ profile askpass @{exec_path} {
owner /tmp/tmp.* rw, owner /tmp/tmp.* rw,
/dev/tty rw,
include if exists <local/askpass> include if exists <local/askpass>
} }


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/augenrules @{exec_path} = /{usr/,}bin/augenrules
profile augenrules @{exec_path} { profile augenrules @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{exec_path} mr, @{exec_path} mr,
@ -19,7 +20,6 @@ profile augenrules @{exec_path} {
owner /tmp/aurules.* rw, owner /tmp/aurules.* rw,
/dev/tty rw,
include if exists <local/augenrules> include if exists <local/augenrules>
} }


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/aurpublish/*.hook @{exec_path} = /usr/share/aurpublish/*.hook
profile aurpublish @{exec_path} { profile aurpublish @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
signal (receive) peer=git, signal (receive) peer=git,
@ -25,7 +26,6 @@ profile aurpublish @{exec_path} {
owner @{user_projects_dirs}/**/.SRCINFO rw, owner @{user_projects_dirs}/**/.SRCINFO rw,
owner @{user_projects_dirs}/**/PKGBUILD r, owner @{user_projects_dirs}/**/PKGBUILD r,
/dev/tty rw,
include if exists <local/aurpublish> include if exists <local/aurpublish>
} }


@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/blueman-* @{exec_path} = /{usr/,}bin/blueman-*
profile blueman @{exec_path} flags=(attach_disconnected) { profile blueman @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/audio> include <abstractions/audio>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
@ -67,7 +68,6 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
/dev/dri/card[0-9]* rw, /dev/dri/card[0-9]* rw,
/dev/rfkill r, /dev/rfkill r,
/dev/shm/ r, /dev/shm/ r,
/dev/tty rw,
profile open { profile open {
include <abstractions/base> include <abstractions/base>


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/evince /{usr/,}lib/evinced @{exec_path} = /{usr/,}bin/evince /{usr/,}lib/evinced
profile evince @{exec_path} { profile evince @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gnome> include <abstractions/gnome>
include <abstractions/openssl> include <abstractions/openssl>
@ -40,7 +41,6 @@ profile evince @{exec_path} {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
/dev/tty rw,
include if exists <local/evince> include if exists <local/evince>
} }


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/firecfg @{exec_path} = /{usr/,}bin/firecfg
profile firecfg @{exec_path} flags=(attach_disconnected) { profile firecfg @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability dac_read_search, capability dac_read_search,
@ -34,7 +35,6 @@ profile firecfg @{exec_path} flags=(attach_disconnected) {
@{user_share_dirs}/applications/ r, @{user_share_dirs}/applications/ r,
@{user_share_dirs}/applications/*.desktop rw, @{user_share_dirs}/applications/*.desktop rw,
/dev/tty rw,
deny /apparmor/.null rw, deny /apparmor/.null rw,


@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/fwupdmgr @{exec_path} = /{usr/,}bin/fwupdmgr
profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -42,7 +43,6 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
/dev/tty rw,
profile dbus { profile dbus {
include <abstractions/base> include <abstractions/base>


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/install-info @{exec_path} = /{usr/,}bin/install-info
profile install-info @{exec_path} { profile install-info @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
@ -20,8 +21,6 @@ profile install-info @{exec_path} {
/usr/share/info/{,**} r, /usr/share/info/{,**} r,
/usr/share/info/dir rw, /usr/share/info/dir rw,
/dev/tty rw,
# Inherit silencer # Inherit silencer
deny network inet6 stream, deny network inet6 stream,
deny network inet stream, deny network inet stream,


@ -9,14 +9,13 @@ include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/mount.zfs @{exec_path} = /{usr/,}{s,}bin/mount.zfs
profile mount-zfs @{exec_path} flags=(complain) { profile mount-zfs @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability sys_admin, # To mount anything. capability sys_admin, # To mount anything.
@{exec_path} mr, @{exec_path} mr,
/dev/pts/[0-9]* rw,
@{MOUNTDIRS}/ r, @{MOUNTDIRS}/ r,
@{MOUNTS}/ r, @{MOUNTS}/ r,
@{MOUNTS}/*/ r, @{MOUNTS}/*/ r,


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/needrestart/iucode-scan-versions @{exec_path} = /{usr/,}lib/needrestart/iucode-scan-versions
profile needrestart-iucode-scan-versions @{exec_path} { profile needrestart-iucode-scan-versions @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr, @{exec_path} mr,
@ -29,7 +30,6 @@ profile needrestart-iucode-scan-versions @{exec_path} {
@{sys}/devices/system/cpu/cpu[0-9]*/microcode/processor_flags r, @{sys}/devices/system/cpu/cpu[0-9]*/microcode/processor_flags r,
/dev/tty rw,
include if exists <local/needrestart-iucode-scan-versions> include if exists <local/needrestart-iucode-scan-versions>
} }


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/pass @{exec_path} = /{usr/,}bin/pass
profile pass @{exec_path} { profile pass @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{exec_path} mr, @{exec_path} mr,
@ -65,7 +66,6 @@ profile pass @{exec_path} {
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
@{PROC}/uptime r, @{PROC}/uptime r,
/dev/tty rw,
profile editor { profile editor {
include <abstractions/base> include <abstractions/base>


@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/pkttyagent @{exec_path} = /{usr/,}bin/pkttyagent
profile pkttyagent @{exec_path} { profile pkttyagent @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -39,7 +40,6 @@ profile pkttyagent @{exec_path} {
owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/stat r,
/dev/tty rw,
include if exists <local/pkttyagent> include if exists <local/pkttyagent>
} }


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}sbin/resolvconf @{exec_path} = /{usr/,}sbin/resolvconf
profile resolvconf @{exec_path} { profile resolvconf @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{exec_path} mr, @{exec_path} mr,
@ -33,7 +34,6 @@ profile resolvconf @{exec_path} {
owner @{run}/resolvconf/{,**} rw, owner @{run}/resolvconf/{,**} rw,
owner @{run}/resolvconf/run-lock wk, owner @{run}/resolvconf/run-lock wk,
/dev/tty rw,
include if exists <local/resolvconf> include if exists <local/resolvconf>
} }


@ -9,13 +9,13 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/start-pulseaudio-x11 @{exec_path} = /{usr/,}bin/start-pulseaudio-x11
profile start-pulseaudio-x11 @{exec_path} { profile start-pulseaudio-x11 @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/pactl rPx, /{usr/,}bin/pactl rPx,
/dev/tty rw,
include if exists <local/start-pulseaudio-x11> include if exists <local/start-pulseaudio-x11>
} }


@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/udisksctl @{exec_path} = /{usr/,}bin/udisksctl
profile udisksctl @{exec_path} { profile udisksctl @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr, @{exec_path} mr,
@ -19,7 +20,6 @@ profile udisksctl @{exec_path} {
/{usr/,}bin/less rPx -> child-pager, /{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager, /{usr/,}bin/more rPx -> child-pager,
/dev/tty rw,
include if exists <local/udisksctl> include if exists <local/udisksctl>
} }


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/update-ca-trust @{exec_path} = /{usr/,}bin/update-ca-trust
profile update-ca-trust @{exec_path} { profile update-ca-trust @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
capability dac_read_search, capability dac_read_search,
@ -30,7 +31,6 @@ profile update-ca-trust @{exec_path} {
/etc/ssl/certs/{,*} rw, /etc/ssl/certs/{,*} rw,
/etc/ssl/certs/java/cacerts{,.*} w, /etc/ssl/certs/java/cacerts{,.*} w,
/dev/tty rw,
# Inherit silencer # Inherit silencer
deny network inet6 stream, deny network inet6 stream,


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/wl-{copy,paste} @{exec_path} = /{usr/,}bin/wl-{copy,paste}
profile wl-copy @{exec_path} { profile wl-copy @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr, @{exec_path} mr,
@ -19,7 +20,6 @@ profile wl-copy @{exec_path} {
owner /tmp/wl-copy-buffer-*/{,**} rw, owner /tmp/wl-copy-buffer-*/{,**} rw,
/dev/tty rw,
include if exists <local/wl-copy> include if exists <local/wl-copy>
} }


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}{local/,}{s,}bin/zpool @{exec_path} = /{usr/,}{local/,}{s,}bin/zpool
profile zpool @{exec_path} { profile zpool @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-read> include <abstractions/disks-read>
capability sys_admin, capability sys_admin,
@ -31,7 +32,6 @@ profile zpool @{exec_path} {
@{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/mounts r,
@{PROC}/sys/kernel/spl/hostid r, @{PROC}/sys/kernel/spl/hostid r,
/dev/pts/[0-9]* rw,
/dev/zfs rw, /dev/zfs rw,
include if exists <local/zpool> include if exists <local/zpool>


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/zsysd /{usr/,}{s,}bin/zsysctl @{exec_path} = /{usr/,}{s,}bin/zsysd /{usr/,}{s,}bin/zsysctl
profile zsysd @{exec_path} flags=(complain) { profile zsysd @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -41,7 +42,6 @@ profile zsysd @{exec_path} flags=(complain) {
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
/dev/pts/[0-9]* rw,
/dev/zfs rw, /dev/zfs rw,
include if exists <local/zsysd> include if exists <local/zsysd>