parent
6fd05f26af
commit
02d8aaee7f
@ -61,19 +61,24 @@
|
||||
owner @{user_share_dirs}/** rwkl,
|
||||
owner @{user_games_dirs}/{,**} rm,
|
||||
|
||||
owner /var/cache/tmp/** rwk,
|
||||
owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**,
|
||||
owner @{tmp}/** rmwk,
|
||||
owner /dev/shm/** rwlk -> /dev/shm/**,
|
||||
|
||||
@{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.
|
||||
@{run}/host/{,**} r,
|
||||
@{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket.
|
||||
@{run}/systemd/inhibit/@{int}.ref rw,
|
||||
@{run}/utmp rk,
|
||||
|
||||
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
|
||||
|
||||
@{sys}/ r,
|
||||
@{sys}/block/ r,
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/bus/*/devices/ r,
|
||||
@{sys}/bus/pci/slots/ r,
|
||||
@{sys}/bus/pci/slots/@{int}/address r,
|
||||
@{sys}/class/*/ r,
|
||||
@{sys}/devices/** r,
|
||||
|
||||
|
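Review bot: `@{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.` names a path that nothing creates; the avahi socket lives at `@{run}/avahi-daemon/socket`, so as written the rule is dead and only its comment points at the intended target. Whether this line is new or pre-existing context cannot be read from the rendered hunk, but either way it should read `@{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket.`. The enclosing profile or abstraction header is outside the hunk.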
@ -36,10 +36,13 @@
|
||||
@{lib}/kde{,3,4}/plugins/*/ r,
|
||||
@{lib}/kde{,3,4}/plugins/*/*.so mr,
|
||||
|
||||
/etc/xdg/kcminputrc r,
|
||||
/etc/xdg/kdeglobals r,
|
||||
/etc/xdg/kwinrc r,
|
||||
|
||||
owner @{user_config_dirs}/kcminputrc r,
|
||||
owner @{user_config_dirs}/kdedefaults/ r,
|
||||
owner @{user_config_dirs}/kdedefaults/kcminputrc r,
|
||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
||||
owner @{user_config_dirs}/kdedefaults/kwinrc r,
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
|
@ -31,6 +31,7 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,
|
||||
@{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/xdg/plasmarc r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
owner @{user_config_dirs}/breezerc r,
|
||||
|
@ -31,6 +31,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{HOME}/.var/app/*/.local/share/*/logs/* rw,
|
||||
owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw,
|
||||
|
||||
@{run}/systemd/inhibit/@{int}.ref rw,
|
||||
owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw,
|
||||
owner @{run}/flatpak/doc/** r,
|
||||
owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw,
|
||||
|
@ -25,9 +25,11 @@ profile kgx @{exec_path} {
|
||||
@{bin}/@{shells} rUx,
|
||||
|
||||
# Some CLI program can be launched directly from Gnome Shell
|
||||
@{bin}/btop rPUx,
|
||||
@{bin}/htop rPx,
|
||||
@{bin}/micro rPUx,
|
||||
@{bin}/nvtop rPx,
|
||||
@{bin}/nvtop rPx,
|
||||
@{bin}/vim rUx,
|
||||
|
||||
@{open_path} rPx -> child-open-help,
|
||||
|
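Review bot: `@{bin}/nvtop rPx,` appears twice in a row in this hunk, and again twice in the konsole hunk (`@ -30,6 +30,14`), where the counts (6 context, 8 added) place both copies on the new side; one copy should be dropped unless the duplication is a rendering artifact. The duplicate is harmless to the parser but makes the `# Some CLI program can be launched directly from ...` block look unmaintained. Since the same btop/htop/micro/nvtop/vim block is now copied verbatim into both kgx and konsole, it may be worth moving into a shared abstraction so the two lists do not diverge. The profile body continues outside the hunk.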
@ -16,6 +16,7 @@ profile dolphin @{exec_path} {
|
||||
include <abstractions/deny-sensitive-home>
|
||||
include <abstractions/devices-usb>
|
||||
include <abstractions/disks-read>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/kde-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
@ -28,13 +29,17 @@ profile dolphin @{exec_path} {
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/ldd rix,
|
||||
@{bin}/lsb_release rPx -> lsb_release,
|
||||
@{lib}/{,@{multiarch}/}utempter/utempter rPx,
|
||||
@{thunderbird_path} rPx,
|
||||
|
||||
#aa:exec kioworker
|
||||
|
||||
/usr/share/kf5/kmoretools/{,**} r,
|
||||
/usr/share/kio/{,**} r,
|
||||
/usr/share/kservices{5,6}/{,**} r,
|
||||
/usr/share/kservicetypes5/{,**} r,
|
||||
/usr/share/misc/termcap r,
|
||||
|
||||
/etc/fstab r,
|
||||
/etc/machine-id r,
|
||||
@ -84,9 +89,10 @@ profile dolphin @{exec_path} {
|
||||
|
||||
owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int},
|
||||
|
||||
@{run}/issue r,
|
||||
@{run}/mount/utab r,
|
||||
owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
|
||||
owner @{run}/user/@{uid}/#@{int} rw,
|
||||
owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
|
||||
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/bus/*/devices/ r,
|
||||
|
@ -10,6 +10,7 @@ include <tunables/global>
|
||||
@{exec_path} += @{lib}/@{multiarch}/{,libexec/}drkonqi
|
||||
profile drkonqi @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/kde-strict>
|
||||
|
||||
network inet stream,
|
||||
@ -22,11 +23,17 @@ profile drkonqi @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/lsb_release rPx -> lsb_release,
|
||||
|
||||
/usr/share/drkonqi/{,**} r,
|
||||
/usr/share/knotifications{5,6}/*.notifyrc r,
|
||||
|
||||
owner @{user_cache_dirs}/drkonqi/ rw,
|
||||
owner @{user_cache_dirs}/drkonqi/** rwlk -> @{user_cache_dirs}/drkonqi/**,
|
||||
owner @{user_cache_dirs}/kcrash-metadata/* w,
|
||||
|
||||
owner @{user_config_dirs}/drkonqirc r,
|
||||
|
||||
/dev/tty r,
|
||||
|
||||
include if exists <local/drkonqi>
|
||||
|
@ -10,6 +10,7 @@ include <tunables/global>
|
||||
@{exec_path} += @{lib}/@{multiarch}/{,libexec/}org_kde_powerdevil
|
||||
profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/kde-strict>
|
||||
|
@ -91,6 +91,7 @@ profile kioworker @{exec_path} {
|
||||
@{run}/mount/utab r,
|
||||
owner @{run}/user/@{uid}/#@{int} rw,
|
||||
owner @{run}/user/@{uid}/kio_*.socket rwl -> @{run}/user/@{uid}/#@{int},
|
||||
owner @{run}/user/@{uid}/kioworker*.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
|
||||
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
@ -30,6 +30,14 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
@{lib}/libheif/** mr,
|
||||
@{lib}/{,@{multiarch}/}utempter/utempter rPx,
|
||||
|
||||
# Some CLI program can be launched directly from KDE
|
||||
@{bin}/btop rPUx,
|
||||
@{bin}/htop rPx,
|
||||
@{bin}/micro rPUx,
|
||||
@{bin}/nvtop rPx,
|
||||
@{bin}/nvtop rPx,
|
||||
@{bin}/vim rUx,
|
||||
|
||||
/usr/share/color-schemes/{,**} r,
|
||||
/usr/share/kf6/{,**} r,
|
||||
/usr/share/knotifications{5,6}/konsole.notifyrc r,
|
||||
|
@ -85,6 +85,7 @@ profile kscreenlocker_greet @{exec_path} {
|
||||
owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r,
|
||||
owner @{user_config_dirs}/kdedefaults/plasmarc r,
|
||||
owner @{user_config_dirs}/kscreenlockerrc r,
|
||||
owner @{user_config_dirs}/kscreenlockerrc.lock rwk,
|
||||
owner @{user_config_dirs}/ksmserverrc r,
|
||||
owner @{user_config_dirs}/plasmarc r,
|
||||
owner @{user_config_dirs}/plasmashellrc r,
|
||||
|
@ -22,6 +22,7 @@ profile ksplashqml @{exec_path} {
|
||||
/usr/share/plasma/** r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/xdg/plasmarc r,
|
||||
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_cache_dirs}/ksplash/ rw,
|
||||
|
@ -104,6 +104,8 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
||||
owner @{user_share_dirs}/kscreen/* r,
|
||||
owner @{user_share_dirs}/kwin/scripts/{,**} r,
|
||||
|
||||
owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
|
||||
|
||||
@{run}/systemd/inhibit/@{int}.ref rw,
|
||||
|
||||
@{sys}/bus/ r,
|
||||
|
@ -59,6 +59,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
||||
/opt/**/share/icons/{,**} r,
|
||||
/opt/*/**/*.desktop r,
|
||||
/opt/*/**/*.png r,
|
||||
/usr/share/*/icons/{,**} r,
|
||||
/usr/share/akonadi/{,**} r,
|
||||
/usr/share/desktop-base/{,**} r,
|
||||
/usr/share/desktop-directories/kf5-*.directory r,
|
||||
@ -93,6 +94,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
||||
@{MOUNTS}/ r,
|
||||
|
||||
@{HOME}/ r,
|
||||
owner @{HOME}/.var/app/**.{png,jpg,svg} r,
|
||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
|
||||
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
||||
owner @{user_pictures_dirs}/{,**} r,
|
||||
@ -186,6 +188,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
||||
@{run}/mount/utab r,
|
||||
@{run}/user/@{uid}/gvfs/ r,
|
||||
owner @{run}/user/@{uid}/#@{int} rw,
|
||||
owner @{run}/user/@{uid}/app/*/*.@{rand6} r,
|
||||
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
|
||||
owner @{run}/user/@{uid}/kdesud_:@{int} w,
|
||||
owner @{run}/user/@{uid}/plasmashell@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
|
||||
@ -205,6 +208,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
||||
@{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pid}/cmdline r,
|
||||
@{PROC}/@{pid}/stat r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/diskstats r,
|
||||
|
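Review bot: `@{PROC}/@{pid}/cmdline r,` and `@{PROC}/@{pid}/stat r,` in the last plasmashell hunk carry no `owner` qualifier, so the shell may read the command line and state of every process on the system rather than only its own; if the denial that motivated the addition came from plasmashell's own children, `owner @{PROC}/@{pid}/cmdline r,` is the tighter rule. Which of the two lines is the one addition cannot be read from the rendered hunk, but the same consideration applies to both. The profile body continues outside the hunk.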
@ -9,7 +9,10 @@ include <tunables/global>
|
||||
@{exec_path} = @{bin}/systemsettings
|
||||
profile systemsettings @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/cups-client>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/kde-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
@ -22,7 +25,9 @@ profile systemsettings @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{sh_path} rix,
|
||||
@{bin}/cat rix,
|
||||
@{bin}/eglinfo rPUx,
|
||||
@{bin}/kcminit rPx,
|
||||
@{bin}/lspci rPx,
|
||||
@{bin}/openssl rix,
|
||||
@ -38,7 +43,8 @@ profile systemsettings @{exec_path} {
|
||||
/usr/share/kcmkeys/{,*.kksrc} r,
|
||||
/usr/share/kglobalaccel/* r,
|
||||
/usr/share/kinfocenter/{,**} r,
|
||||
/usr/share/kinfocenter/{,**} r,
|
||||
/usr/share/knotifications{5,6}/{,**} r,
|
||||
/usr/share/solid/{,**} r,
|
||||
/usr/share/kpackage/{,**} r,
|
||||
/usr/share/kservices{5,6}/{,**} r,
|
||||
/usr/share/kservicetypes5/{,**} r,
|
||||
@ -46,9 +52,9 @@ profile systemsettings @{exec_path} {
|
||||
/usr/share/kxmlgui5/systemsettings/systemsettingsui.rc r,
|
||||
/usr/share/plasma/{,**} r,
|
||||
/usr/share/sddm/themes/{,**} r,
|
||||
/usr/share/sddm/themes/{,**} r,
|
||||
/usr/share/systemsettings/{,**} r,
|
||||
/usr/share/wallpapers/{,**} r,
|
||||
/usr/share/thumbnailers/{,**} r,
|
||||
|
||||
/etc/fstab r,
|
||||
/etc/machine-id r,
|
||||
@ -56,10 +62,19 @@ profile systemsettings @{exec_path} {
|
||||
/etc/xdg/plasmanotifyrc r,
|
||||
/etc/xdg/ui/ui_standards.rc r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
/etc/xdg/* r,
|
||||
|
||||
/var/cache/cracklib/cracklib_dict.* r,
|
||||
/var/cache/samba/ rw,
|
||||
/var/lib/AccountsService/icons/* r,
|
||||
/var/lib/flatpak/repo/{,**} r,
|
||||
|
||||
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
||||
|
||||
owner @{user_cache_dirs}/#@{int} rw,
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_cache_dirs}/kinfocenter/{,**} rwl,
|
||||
owner @{user_cache_dirs}/kcrash-metadata/*.ini rw,
|
||||
owner @{user_cache_dirs}/kinfocenter/{,**} rwlk,
|
||||
owner @{user_cache_dirs}/ksvg-elements rw,
|
||||
owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int},
|
||||
owner @{user_cache_dirs}/ksvg-elements.lock rwlk,
|
||||
@ -69,22 +84,24 @@ profile systemsettings @{exec_path} {
|
||||
owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**,
|
||||
|
||||
owner @{user_config_dirs}/{P,p}lasma* r,
|
||||
owner @{user_config_dirs}/*rc r,
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/device_automounter_kcmrc.lock rwk,
|
||||
owner @{user_config_dirs}/emaildefaults r,
|
||||
owner @{user_config_dirs}/kactivitymanagerdrc r,
|
||||
owner @{user_config_dirs}/kde.org/{,**} rwlk,
|
||||
owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r,
|
||||
owner @{user_config_dirs}/kdedefaults/plasmarc r,
|
||||
owner @{user_config_dirs}/khotkeysrc r,
|
||||
owner @{user_config_dirs}/kinfocenterrc* rwlk,
|
||||
owner @{user_config_dirs}/kscreenlockerrc r,
|
||||
owner @{user_config_dirs}/kxkbrc r,
|
||||
owner @{user_config_dirs}/libaccounts-glib/ rw,
|
||||
owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
|
||||
owner @{user_config_dirs}/menus/ r,
|
||||
owner @{user_config_dirs}/menus/applications-merged/ r,
|
||||
owner @{user_config_dirs}/plasmarc r,
|
||||
owner @{user_config_dirs}/session/ rw,
|
||||
owner @{user_config_dirs}/session/** rwlk,
|
||||
owner @{user_config_dirs}/systemsettingsrc.lock rwk,
|
||||
owner @{user_config_dirs}/systemsettingsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_share_dirs}/baloo/index r,
|
||||
|
||||
owner @{user_share_dirs}/kactivitymanagerd/resources/database rwk,
|
||||
owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk,
|
||||
@ -98,12 +115,25 @@ profile systemsettings @{exec_path} {
|
||||
owner @{user_share_dirs}/systemsettings/** rwlk,
|
||||
owner @{user_share_dirs}/wallpapers/{,**} r,
|
||||
|
||||
owner @{run}/user/@{uid}/#@{int} rw,
|
||||
|
||||
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
|
||||
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/bus/acpi/devices/ r,
|
||||
@{sys}/bus/cpu/devices/ r,
|
||||
@{sys}/class/ r,
|
||||
@{sys}/firmware/acpi/pm_profile r,
|
||||
|
||||
@{PROC}/interrupts r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
/dev/ r,
|
||||
/dev/bus/usb/ r,
|
||||
/dev/input/ r,
|
||||
/dev/rfkill r,
|
||||
/dev/tty r,
|
||||
|
||||
include if exists <local/systemsettings>
|
||||
|
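Review bot: `owner @{user_config_dirs}/*rc r,` and `owner @{user_config_dirs}/{P,p}lasma* r,` in the `@ -69,22 +84,24` hunk already cover `kactivitymanagerdrc`, `khotkeysrc`, `kscreenlockerrc`, `kxkbrc` and `plasmarc`, so if those two wildcard rules are on the new side the specific read rules in the same hunk are redundant, and if they are the removed lines the remaining specific rules should be checked against what the wildcards used to allow; the rendered hunk does not show which side they are on. Separately, `/etc/xdg/* r,` in the `@ -56,10 +62,19` hunk sits after `/var/lib/dbus/machine-id r,`, breaking the `/etc` before `/var` ordering the rest of the profile follows. The profile header and closing brace are outside these hunks.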
@ -20,6 +20,8 @@ profile xwaylandvideobridge @{exec_path} {
|
||||
owner @{user_cache_dirs}/xwaylandvideobridge/ rw,
|
||||
owner @{user_cache_dirs}/xwaylandvideobridge/** rwk,
|
||||
|
||||
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
|
||||
|
||||
include if exists <local/xwaylandvideobridge>
|
||||
}
|
||||
|
||||
|
@ -20,7 +20,7 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{bin}/dnsmasq rPx,
|
||||
|
||||
/etc/libvirt/libvirt.conf r,
|
||||
/etc/libvirt/*.conf r,
|
||||
|
||||
owner /var/lib/libvirt/dnsmasq/*.macs* rw,
|
||||
|
||||
|
@ -29,8 +29,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/pci.ids r,
|
||||
|
||||
/etc/libvirt/libvirt.conf r,
|
||||
/etc/libvirt/virtnodedevd.conf r,
|
||||
/etc/libvirt/*.conf r,
|
||||
/etc/mdevctl.d/{,**} r,
|
||||
|
||||
@{run}/systemd/inhibit/@{int}.ref rw,
|
||||
@ -64,6 +63,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
|
||||
@{run}/udev/data/c81:@{int} r, # For video4linux
|
||||
@{run}/udev/data/c89:@{int} r, # For I2C bus interface
|
||||
@{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash
|
||||
@{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport*
|
||||
@{run}/udev/data/c116:@{int} r, # For ALSA
|
||||
@{run}/udev/data/c202:@{int} r, # CPU model-specific registers
|
||||
@{run}/udev/data/c203:@{int} r, # CPU CPUID information
|
||||
@ -90,6 +90,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
owner @{PROC}/mtrr w,
|
||||
owner @{PROC}/uptime r,
|
||||
|
||||
include if exists <local/virtnodedevd>
|
||||
}
|
||||
|
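Review bot: `owner @{PROC}/mtrr w,` grants write access to the kernel's MTRR control file, a privileged interface for changing memory caching attributes that has no obvious connection to enumerating node devices; if this came from a single audit denial, confirm the daemon actually opens it for writing rather than reading before keeping `w`. The `owner` qualifier presumably adds little here since the file is root-owned and the daemon likely runs as root, so the permission bit is what matters. Which of `owner @{PROC}/mtrr w,` and `owner @{PROC}/uptime r,` is the added line cannot be recovered from the rendered hunk.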
@ -25,8 +25,7 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) {
|
||||
@{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper
|
||||
@{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper
|
||||
|
||||
/etc/libvirt/**/ r,
|
||||
/etc/libvirt/libvirt.conf r,
|
||||
/etc/libvirt/{,**} r,
|
||||
|
||||
# For disk images
|
||||
@{MOUNTS}/ r,
|
||||
|
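Review bot: `/etc/libvirt/{,**} r,` replaces two specific rules with read access to the whole libvirt configuration tree, which also takes in `/etc/libvirt/secrets/`, where the secret driver keeps its stored values, and the per-domain XML under `/etc/libvirt/qemu/`; for a storage daemon the narrower `/etc/libvirt/*.conf r,` plus `/etc/libvirt/storage/{,**} r,` would cover the configuration it owns without exposing those. The virtnetworkd and virtnodedevd hunks in this commit take the `*.conf` form, so this one is the outlier. Whether virtstoraged needs further subdirectories is not visible here, so treat the narrower pair as the starting point to verify against the audit log.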
@ -25,6 +25,7 @@ profile aa-enforce @{exec_path} {
|
||||
/etc/apparmor.d/{,**} rw,
|
||||
|
||||
@{etc_ro}/inputrc r,
|
||||
@{etc_ro}/inputrc.keys r,
|
||||
|
||||
owner /snap/core@{int}/@{int}/etc/apparmor.d/{,**} rw,
|
||||
owner /var/lib/snapd/apparmor/{,**} rw,
|
||||
|
@ -57,6 +57,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
|
||||
/var/lib/flatpak/app/*/**/@{bin}/** rmix,
|
||||
/var/lib/flatpak/app/*/**/@{lib}/** rmix,
|
||||
|
||||
@{run}/flatpak/app/*/**so* rm,
|
||||
@{run}/parent/@{bin}/** rmix,
|
||||
@{run}/parent/@{lib}/** rmix,
|
||||
@{run}/parent/app/** rmix,
|
||||
|
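Review bot: the glob in `@{run}/flatpak/app/*/**so* rm,` matches any file under the app runtime directory whose name contains `so` anywhere (a file named `sounds.dat`, for a constructed example), not only shared objects, and grants it `m` (map as executable). If the intent is shared libraries, `@{run}/flatpak/app/*/**.so* rm,` or `@{run}/flatpak/app/*/**/*.so{,.*} rm,` expresses that. Whether this line is the hunk's one addition cannot be read from the rendered page; the rule is worth tightening either way. The profile body continues outside the hunk.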
@ -58,7 +58,7 @@ profile keepassxc @{exec_path} {
|
||||
owner @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
|
||||
owner @{user_config_dirs}/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
|
||||
owner @{user_config_dirs}/google-chrome{,-beta,-unstable}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
|
||||
owner @{user_config_dirs}/{,kdedefaults/}kdeglobals r,
|
||||
owner @{user_config_dirs}/keepassxcrc r,
|
||||
|
||||
# Database locations
|
||||
owner @{user_cache_dirs}/keepassxc/ rw,
|
||||
|
@ -12,12 +12,14 @@ profile libreoffice @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/cups-client>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/enchant>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/qt5-settings-write>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/user-read-strict>
|
||||
include <abstractions/user-write-strict>
|
||||
@ -59,21 +61,28 @@ profile libreoffice @{exec_path} {
|
||||
@{lib}/libreoffice/share/extensions/{,**/}__pycache__/ w,
|
||||
|
||||
/usr/share/hyphen/{,**} r,
|
||||
/usr/share/knotifications{5,6}/plasma_workspace.notifyrc r,
|
||||
/usr/share/libexttextcat/{,**} r,
|
||||
/usr/share/liblangtag/{,**} r,
|
||||
/usr/share/libreoffice/{,**} r,
|
||||
/usr/share/mythes/{,**} r,
|
||||
/usr/share/thumbnailers/{,**} r,
|
||||
|
||||
/etc/java-openjdk/{,**} r,
|
||||
/etc/libreoffice/{,**} r,
|
||||
/etc/paperspecs r,
|
||||
/etc/xdg/* r,
|
||||
|
||||
owner @{user_cache_dirs}/libreoffice/{,**} rw,
|
||||
owner @{user_config_dirs}/libreoffice/ rw,
|
||||
owner @{user_config_dirs}/libreoffice/** rwk,
|
||||
owner @{user_config_dirs}/soffice.*.lock rwk,
|
||||
owner @{user_config_dirs}/trashrc r,
|
||||
owner @{user_config_dirs}/plasma_workspace.notifyrc r,
|
||||
owner @{user_config_dirs}/kservicemenurc r,
|
||||
|
||||
owner @{user_config_dirs}/kcminputrc r,
|
||||
owner @{user_config_dirs}/kdedefaults/kcminputrc r,
|
||||
owner @{user_share_dirs}/#@{int} rw,
|
||||
owner @{user_share_dirs}/user-places.xbel r,
|
||||
|
||||
owner @{tmp}/ r,
|
||||
owner @{tmp}/@{rand6} rwk,
|
||||
@ -83,6 +92,8 @@ profile libreoffice @{exec_path} {
|
||||
owner @{tmp}/hsperfdata_@{user}/ rw,
|
||||
owner @{tmp}/hsperfdata_@{user}/@{int} rwk,
|
||||
|
||||
owner @{run}/user/@{uid}/#@{int} rw,
|
||||
|
||||
@{sys}/devices/system/cpu/cpu@{int}/microcode/version r,
|
||||
@{sys}/devices/virtual/block/**/queue/rotational r,
|
||||
@{sys}/kernel/mm/hugepages/ r,
|
||||
@ -95,6 +106,7 @@ profile libreoffice @{exec_path} {
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
owner @{PROC}/@{pid}/coredump_filter rw,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
/dev/tty rw,
|
||||
|
||||
|
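Review bot: the `owner @{user_config_dirs}/...` rules in the `@ -59,21 +61,28` hunk are no longer in alphabetical order — `trashrc`, `plasma_workspace.notifyrc` and `kservicemenurc` follow `soffice.*.lock`, and the two `kcminputrc` rules sit in their own block after a blank line — which suggests they were appended rather than merged; sorting them into the existing block (`kcminputrc`, `kdedefaults/kcminputrc`, `kservicemenurc`, `libreoffice/`, `libreoffice/**`, `plasma_workspace.notifyrc`, `soffice.*.lock`, `trashrc`) matches the rest of the profile. Which of these lines are new cannot be read from the rendered hunk. The profile continues outside the hunk.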
@ -46,6 +46,7 @@ profile sudo @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{run}/ r,
|
||||
@{run}/systemd/sessions/* r,
|
||||
@{run}/systemd/sessions/?@{int}.ref rw,
|
||||
|
||||
include if exists <local/sudo>
|
||||
}
|
||||
|
@ -36,6 +36,7 @@ profile xauth @{exec_path} {
|
||||
owner @{tmp}/xauth_@{rand6} r,
|
||||
owner @{tmp}/xauth_@{rand6}-c w,
|
||||
owner @{tmp}/xauth_@{rand6}-l wl,
|
||||
owner @{tmp}/xauth.@{rand10}-c w,
|
||||
|
||||
owner @{run}/user/@{uid}/xauth_@{rand6} rw,
|
||||
owner @{run}/user/@{uid}/xauth_@{rand6}-c w,
|
||||
|