mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-18 08:58:15 +01:00
feat(profile): general update.
parent
a1d6d318cc
commit
01dd9ebb0c
10 changed files with 31 additions and 10 deletions
|
@ -17,7 +17,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/nameservice-strict>
|
||||
|
||||
signal (receive) set=(term hup kill) peer=dbus-session,
|
||||
signal (receive) set=(term hup kill) peer=gdm,
|
||||
signal (receive) set=(term hup kill) peer=gdm{,-session-worker},
|
||||
|
||||
dbus bus=accessibility,
|
||||
|
||||
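Review bot: The widened rule `signal (receive) set=(term hup kill) peer=gdm{,-session-worker},` accepts `term` and `kill` from gdm-session-worker, but the send rules listed in the gdm-session-worker hunk of this commit use only `set=hup` for `dbus-accessibility` and `dconf-service`. AppArmor checks a signal against both the sender's and the receiver's profile, so the extra signals are probably unreachable today, yet the receive side would start honouring them as soon as the worker's send set is widened. Keeping the original `peer=gdm` rule and adding `signal (receive) set=hup peer=gdm-session-worker,` would match what the sender is granted; the same applies to the `set=(term hup)` rule in the dconf-service hunk. Other send rules in gdm-session-worker may exist outside the visible hunk, so confirm against the full profile.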
|
|
|
@ -14,7 +14,7 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/dconf-write>
|
||||
|
||||
signal (receive) set=(term kill hup) peer=dbus-session,
|
||||
signal (receive) set=(term hup) peer=gdm,
|
||||
signal (receive) set=(term hup) peer=gdm{,-session-worker},
|
||||
|
||||
#aa:dbus own bus=session name=ca.desrt.dconf
|
||||
|
||||
|
|
|
@ -12,7 +12,6 @@ include <tunables/global>
|
|||
@{exec_path} += @{lib}/polkit-gnome/polkit-gnome-authentication-agent-1
|
||||
profile polkit-gnome-authentication-agent @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/gnome-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
@ -34,10 +34,10 @@ profile epiphany-search-provider @{exec_path} {
|
|||
owner /tmp/ContentRuleList@{rand6} rw,
|
||||
owner /tmp/Serialized* rw,
|
||||
|
||||
@{sys}/devices/virtual/dmi/id/chassis_type r,
|
||||
@{sys}/firmware/acpi/pm_profile r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.Epiphany.SearchProvider.slice/*/memory.* r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
|
||||
@{sys}/devices/virtual/dmi/id/chassis_type r,
|
||||
@{sys}/firmware/acpi/pm_profile r,
|
||||
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.Epiphany.SearchProvider.slice/*/memory.* r,
|
||||
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
|
||||
|
||||
@{PROC}/driver/nvidia/params r,
|
||||
@{PROC}/modules r,
|
||||
|
|
|
@ -33,11 +33,14 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
|||
signal (receive) set=term peer=gdm,
|
||||
signal (send) set=(hup term) peer=gdm-session,
|
||||
signal (send) set=hup peer=at-spi*,
|
||||
signal (send) set=hup peer=dbus-accessibility,
|
||||
signal (send) set=hup peer=dbus-session,
|
||||
signal (send) set=hup peer=dconf-service,
|
||||
signal (send) set=hup peer=gjs-console,
|
||||
signal (send) set=hup peer=gnome-*,
|
||||
signal (send) set=hup peer=gsd-*,
|
||||
signal (send) set=hup peer=ibus-*,
|
||||
signal (send) set=hup peer=mutter-x11-frames,
|
||||
signal (send) set=hup peer=tracker-miner,
|
||||
signal (send) set=hup peer=xdg-*,
|
||||
signal (send) set=hup peer=xorg,
|
||||
|
|
|
@ -23,7 +23,7 @@ profile gnome-calendar @{exec_path} {
|
|||
|
||||
network netlink raw,
|
||||
|
||||
#aa:dbus own bus=session name=org.gnome.Calendar interface={org.freedesktop.Application,org.gtk.Actions}
|
||||
#aa:dbus own bus=session name=org.gnome.Calendar
|
||||
|
||||
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory
|
||||
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory
|
||||
|
|
|
@ -27,6 +27,8 @@ profile yelp @{exec_path} {
|
|||
@{sys}/devices/virtual/dmi/id/chassis_type r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r,
|
||||
|
||||
owner @{sys}/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/*.slice/*/memory.* r,
|
||||
|
||||
@{PROC}/zoneinfo r,
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
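Review bot: The added cgroup rule hard-codes UID 1000 (`user-1000.slice/user@1000.service`), while the rule directly above it and the rules in the epiphany-search-provider hunk use `@{uid}`. For a session running under any other UID the path does not match and the read is denied, so the profile only works for the first regular user. The line should read `owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r,`. The `*.slice/*` glob also covers every application slice of that user rather than only yelp's, so narrowing it to the slice name seen in the denial would keep it as tight as its neighbour.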
|
|
|
@ -100,6 +100,7 @@ profile pacman @{exec_path} {
|
|||
@{bin}/xmlcatalog rix,
|
||||
@{lib}/systemd/systemd-* rPx,
|
||||
@{lib}/vlc/vlc-cache-gen rPx,
|
||||
/opt/Mullvad*/resources/mullvad-setup rPx,
|
||||
/usr/share/code-features/patch.py rPx,
|
||||
/usr/share/code-marketplace/patch.py rPx,
|
||||
/usr/share/libalpm/scripts/* rPUx,
|
||||
|
@ -189,6 +190,19 @@ profile pacman @{exec_path} {
|
|||
include <abstractions/app/systemctl>
|
||||
|
||||
capability net_admin,
|
||||
capability dac_read_search,
|
||||
capability sys_resource,
|
||||
|
||||
@{bin}/pager rPx -> child-pager,
|
||||
@{bin}/less rPx -> child-pager,
|
||||
@{bin}/more rPx -> child-pager,
|
||||
@{bin}/diff rPx -> child-pager,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
/{run,var}/log/journal/ r,
|
||||
/{run,var}/log/journal/@{hex32}/ r,
|
||||
/{run,var}/log/journal/@{hex32}/*.journal* r,
|
||||
|
||||
include if exists <local/pacman_systemctl>
|
||||
}
|
||||
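Review bot: The second hunk adds `capability dac_read_search,` and `capability sys_resource,` with no comment saying which operation needs them; the block they sit in appears to be pacman's systemctl subprofile, whose header is outside the hunk. `dac_read_search` lets the confined process bypass file read and directory search permission checks, so it deserves a one-line comment above it naming the denial it resolves, and the same goes for `sys_resource`. In the same hunk `@{bin}/diff rPx -> child-pager,` routes diff into the pager child profile; diff is not a pager, so confirm that profile grants the read access diff needs or give it its own transition.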
|
|
|
@ -29,6 +29,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/mime/mime.cache r,
|
||||
/usr/share/xdg-desktop-portal/portals/{,*.portal} r,
|
||||
|
||||
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
||||
|
||||
/ r,
|
||||
/.flatpak-info r,
|
||||
|
||||
|
|
|
@ -85,10 +85,11 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
|
||||
@{sys}/devices/virtual/drm/ttm/uevent r,
|
||||
|
||||
@{PROC}/@{pids}/net/route r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pids}/net/route r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
|
||||
/dev/media@{int} r,
|
||||
/dev/video@{int} rw,
|
||||
|
|