Update apparmor profiles

Adapted to the apparmor.d structure.

Signed-off-by: Mikhail Morfikov <mmorfikov@gmail.com>
This commit is contained in:
Mikhail Morfikov 2021-04-03 12:03:57 +02:00 committed by Alexandre Pujol
parent 19521569ce
commit 046443a702
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
35 changed files with 798 additions and 185 deletions


@ -1,45 +1,53 @@
# vim:syntax=apparmor
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
include <abstractions/base>
include <abstractions/p11-kit>
include <abstractions/X>
abi <abi/3.0>,
##include <abstractions/p11-kit>
##include <abstractions/X>
# TODO: adjust when support finer-grained netlink rules
network netlink raw,
#network netlink raw,
/etc/udev/udev.conf r,
/etc/wildmidi/wildmidi.cfg r,
#/etc/udev/udev.conf r,
#/etc/wildmidi/wildmidi.cfg r,
/dev/ r,
/dev/bus/usb/ r,
/dev/dri/ r,
# /dev/shm is a symlink to /run/shm on ubuntu
owner /{dev,run}/shm/shmfd-* rw,
#owner /{dev,run}/shm/shmfd-* rw,
/run/udev/data/c* r,
/run/udev/data/+pci:* r,
/run/udev/data/+usb* r,
#
@{run}/udev/data/c81:* r, # For video4linux
@{run}/udev/data/c226:* r, # For /dev/dri/card[0-9]*
@{run}/udev/data/+drm:* r, # For screen outputs
#@{run}/udev/data/+pci:* r,
@{run}/udev/data/+usb:* r,
/sys/bus/ r,
/sys/bus/usb/devices/ r,
/sys/class/ r,
/sys/class/drm/ r,
/sys/devices/pci[0-9]*/**/{busnum,config,devnum,descriptors,speed,uevent} r,
/sys/devices/system/node/ r,
/sys/devices/system/node/*/meminfo r,
@{sys}/bus/ r,
@{sys}/bus/usb/devices/ r,
@{sys}/class/ r,
@{sys}/class/drm/ r,
@{sys}/devices/pci[0-9]*/**/{busnum,config,devnum,descriptors,speed,uevent} r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
owner /tmp/orcexec.* mrw,
owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
# needed if /tmp is mounted noexec:
owner @{HOME}/orcexec.* mr,
# The orcexec.* file is JIT compiled code for various GStreamer elements.
# If one is blocked the next is used instead.
# The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec
# flag.
owner @{run}/user/[0-9]*/orcexec.* mrw,
#owner /tmp/orcexec.* mrw,
#owner @{HOME}/orcexec.* mrw,
/usr/lib/frei0r-[0-9]/*.so m,
# /usr/lib/@{multiarch}/dri/** mr,
/usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
/usr/lib/@{multiarch}/libproxy/*/modules/*.so mr,
/usr/lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so m,
/{usr/,}lib/frei0r-[0-9]/*.so mr,
/{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
/{usr/,}lib/@{multiarch}/libproxy/*/modules/*.so mr,
/{usr/,}lib/@{multiarch}/libproxy/*/pxgsettings ixr,
/{usr/,}lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,
owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/ rw,
owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/registry.*.bin rw,
owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/registry.*.bin.tmp* rw,
owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/ rw,
owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
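Review bot: `/{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,` in a shared abstraction means every profile that includes `<abstractions/gstreamer>` runs the plugin scanner with its own full rule set, while the per-profile scanner rules that appear to be dropped in cawbird, font-manager, quiterss, smtube, strawberry and virt-manager used `rPx`/`rPUx`. If a dedicated gst-plugin-scanner profile exists, `rPx` here would keep the scanner separately confined instead of inheriting each caller's permissions; if not, a comment stating that `ix` is the intended fallback would stop the next reader from re-raising it. The commented-out rules (`##include <abstractions/p11-kit>`, `#network netlink raw,`, `#/etc/udev/udev.conf r,`, `#owner /tmp/orcexec.* mrw,`) say nothing about why they are disabled; a one-line note such as `# Disabled here on purpose; enable in the including profile when needed` would make the intent explicit. Whether the abstraction continues past line 53 is not visible on this page.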


@ -20,7 +20,10 @@
owner @{user_share_dirs}/Trash/files/{,**} rw,
owner @{user_share_dirs}/Trash/info/ rw,
owner @{user_share_dirs}/Trash/info/*.trashinfo{,.*} rw,
owner @{user_share_dirs}/Trash/expunged/{,**} rw,
owner @{user_share_dirs}/Trash/expunged/ rw,
owner @{user_share_dirs}/Trash/expunged/[0-9]* rw,
owner @{user_share_dirs}/Trash/expunged/[0-9]*/ rw,
owner @{user_share_dirs}/Trash/expunged/[0-9]*/** rw,
# Partitions' trash location when the admin creates the .Trash/ folder in the top lvl dir
owner /{media,mnt}/*/.Trash/ rw,
@ -30,7 +33,10 @@
owner /{media,mnt}/*/.Trash/[0-9]*/files/{,**} rw,
owner /{media,mnt}/*/.Trash/[0-9]*/info/ rw,
owner /{media,mnt}/*/.Trash/[0-9]*/info/*.trashinfo{,.*} rw,
owner /{media,mnt}/*/.Trash/[0-9]*/expunged/{,**} rw,
owner /{media,mnt}/*/.Trash/[0-9]*/expunged/ rw,
owner /{media,mnt}/*/.Trash/[0-9]*/expunged/[0-9]* rw,
owner /{media,mnt}/*/.Trash/[0-9]*/expunged/[0-9]*/ rw,
owner /{media,mnt}/*/.Trash/[0-9]*/expunged/[0-9]*/** rw,
# Partitions' trash location when the admin doesn't create the .Trash/ folder in the top lvl dir
owner /{media,mnt}/*/.Trash-[0-9]*/ rw,
@ -39,4 +45,7 @@
owner /{media,mnt}/*/.Trash-[0-9]*/files/{,**} rw,
owner /{media,mnt}/*/.Trash-[0-9]*/info/ rw,
owner /{media,mnt}/*/.Trash-[0-9]*/info/*.trashinfo{,.*} rw,
owner /{media,mnt}/*/.Trash-[0-9]*/expunged/{,**} rw,
owner /{media,mnt}/*/.Trash-[0-9]*/expunged/ rw,
owner /{media,mnt}/*/.Trash-[0-9]*/expunged/[0-9]* rw,
owner /{media,mnt}/*/.Trash-[0-9]*/expunged/[0-9]*/ rw,
owner /{media,mnt}/*/.Trash-[0-9]*/expunged/[0-9]*/** rw,


@ -32,6 +32,10 @@ profile apt-cacher-ng /usr/sbin/apt-cacher-ng flags=(complain) {
/usr/lib/apt-cacher-ng/acngtool ixr,
# Allow serving local documentation
/etc/mime.types r,
/usr/share/doc/apt-cacher-ng/html/** r,
# used by libevent
@{PROC}/sys/kernel/random/uuid r,


@ -17,10 +17,13 @@ profile obexautofs @{exec_path} {
@{exec_path} mr,
/usr/bin/fusermount{,3} rPx,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
owner @{HOME}/bluetooth/ r,
mount fstype=fuse.obexautofs -> @{HOME}/bluetooth/,
owner @{HOME}/*/ r,
owner @{HOME}/*/*/ r,
mount fstype=fuse.obexautofs -> @{HOME}/*/,
mount fstype=fuse.obexautofs -> @{HOME}/*/*/,
@{sys}/bus/ r,
@{sys}/class/ r,
@ -31,10 +34,31 @@ profile obexautofs @{exec_path} {
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{uevent,busnum,devnum,speed,descriptors} r,
@{run}/udev/data/+usb:* r,
@{run}/udev/data/c189:* r,
@{run}/udev/data/c189:* r, # for /dev/bus/usb/**
/dev/bus/usb/ r,
/dev/fuse rw,
profile fusermount {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To mount anything:
capability sys_admin,
/{usr/,}bin/fusermount{,3} mr,
/etc/fuse.conf r,
/dev/fuse rw,
mount fstype={fuse,fuse.obexautofs} -> @{HOME}/*/,
mount fstype={fuse,fuse.obexautofs} -> @{HOME}/*/*/,
@{PROC}/@{pid}/mounts r,
}
include if exists <local/obexautofs>
}
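Review bot: The new `fusermount` child profile carries `mount fstype={fuse,fuse.obexautofs}` rules but no `umount` rule, so a `fusermount -u` issued from obexautofs would presumably be denied; the obexfs, sshfs, archivemount, jmtpfs and fuseiso child profiles in this commit have the same gap, whereas gvfsd-fuse, borg and appimage-beyond-all-reason do pair their mounts with `umount`. Adding `umount @{HOME}/*/,` and `umount @{HOME}/*/*/,` beside the mount rules would mirror the targets already pinned there. The parent profile's header and the rules before line 17 are outside the hunk.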


@ -16,12 +16,38 @@ profile obexfs @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/fusermount{,3} rPx,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
owner @{HOME}/bluetooth/ r,
mount fstype=fuse.obexfs -> @{HOME}/bluetooth/,
owner @{HOME}/*/ r,
owner @{HOME}/*/*/ r,
mount fstype=fuse.obexfs -> @{HOME}/*/,
mount fstype=fuse.obexfs -> @{HOME}/*/*/,
/dev/fuse rw,
profile fusermount {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To mount anything:
capability sys_admin,
network bluetooth stream,
/{usr/,}bin/fusermount{,3} mr,
/etc/fuse.conf r,
/dev/fuse rw,
mount fstype={fuse,fuse.obexfs} -> @{HOME}/*/,
mount fstype={fuse,fuse.obexfs} -> @{HOME}/*/*/,
@{PROC}/@{pid}/mounts r,
}
include if exists <local/obexfs>
}
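Review bot: `network bluetooth stream,` inside the `fusermount` child profile has no comment, and nothing in the child suggests fusermount itself speaks Bluetooth; the rule it replaces in the standalone fusermount profile was annotated `# For obexfs`, which points to a socket inherited from the obexfs parent. A `# file_inherit` comment above it, the convention used in the other profiles of this commit, would record that, and if the inherited socket is never used by fusermount a `deny network bluetooth stream,` silencer is the stricter equivalent. The child also lacks an `umount` rule, as noted for obexautofs.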


@ -16,8 +16,8 @@ profile gvfsd @{exec_path} {
/{usr/,}bin/{,ba,da}sh rix,
# Don't strip env here.
/{usr/,}lib/gvfs/gvfsd-* rPx,
/usr/{lib,libexec}/gvfsd-* rPx,
/{usr/,}lib/gvfs/gvfsd-* rpx,
/usr/{lib,libexec}/gvfsd-* rpx,
/usr/share/gvfs/{,**} r,
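Review bot: The `rpx` transitions for `/{usr/,}lib/gvfs/gvfsd-*` and `/usr/{lib,libexec}/gvfsd-*` pass the caller's environment through unscrubbed (lowercase `p`), and the existing `# Don't strip env here.` comment records the decision but not the reason. Which of the `rPx`/`rpx` pairs is the new side is not marked on this page, but the comment only makes sense alongside `rpx`. Naming the variable the gvfsd-* backends depend on, e.g. `# Don't strip env here: gvfsd-* backends need the session environment (rpx = no scrubbing) — TODO name the variable`, would let a later reviewer re-check whether scrubbing can be restored.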


@ -15,9 +15,15 @@ profile gvfsd-archive @{exec_path} {
@{exec_path} mr,
owner /**.tar r,
owner /**.tar.gz r,
owner /**.zip r,
owner @{HOME}/**.{tar,tar.gz,zip} r,
owner /media/**.{TAR,TAR.GZ,ZIP} r,
owner @{HOME}/**.{tar,tar.gz,zip} r,
owner /media/**.{TAR,TAR.GZ,ZIP} r,
owner @{HOME}/**.{iso,img,bin,mdf,nrg} r,
owner /media/*/**.{iso,img,bin,mdf,nrg} r,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} r,
include if exists <local/gvfsd-archive>
}


@ -13,13 +13,34 @@ profile gvfsd-fuse @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/fusermount{,3} rPx,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/,
@{PROC}/sys/fs/pipe-max-size r,
/dev/fuse rw,
profile fusermount {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To mount anything:
capability sys_admin,
capability dac_read_search,
/{usr/,}bin/fusermount{,3} mr,
mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/,
umount @{run}/user/[0-9]*/**/,
/etc/fuse.conf r,
/dev/fuse rw,
@{PROC}/@{pid}/mounts r,
}
include if exists <local/gvfsd-fuse>
}
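Review bot: `umount @{run}/user/[0-9]*/**/,` in the child is wider than the child's own mount rule, which pins the target to `@{run}/user/[0-9]*/gvfs/`; unless gvfsd-fuse also unmounts other directories under the user runtime dir, `umount @{run}/user/[0-9]*/gvfs/,` keeps mount and unmount symmetric. `capability dac_read_search,` is granted without a comment, while the standalone fusermount profile this replaces documented the failure it fixes (`fusermount: mount failed: Permission denied`); carrying that comment over would keep the reason with the rule.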


@ -12,6 +12,7 @@ profile gvfsd-mtp @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/devices-usb>
include <abstractions/user-download-strict>
network netlink raw,


@ -17,5 +17,11 @@ profile gvfsd-network @{exec_path} {
owner @{run}/user/[0-9]*/gvfsd/ rw,
owner @{run}/user/[0-9]*/gvfsd/socket-[a-zA-z0-9]* rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
include if exists <local/gvfsd-network>
}


@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} += /usr/{lib,libexec}/gvfsd-smb-browse
profile gvfsd-smb-browse @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
network netlink raw,
network inet stream,
@ -27,5 +28,7 @@ profile gvfsd-smb-browse @{exec_path} {
/etc/samba/smb.conf r,
owner @{run}samba/ rw,
include if exists <local/gvfsd-smb-browse>
}
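Review bot: `owner @{run}samba/ rw,` has no separator after the tunable; it resolves to `/run/samba/` only if `@{run}` is defined with a trailing slash, and it is inconsistent with the `@{run}/...` form used throughout this commit, so `owner @{run}/samba/ rw,` is the safer spelling. Whether this line is new or carried over is not marked on the page, but it is on the new side either way. The profile's rules between the two hunks are not shown.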


@ -13,14 +13,35 @@ profile sshfs @{exec_path} flags=(complain) {
@{exec_path} mr,
/{usr/,}bin/ssh rPx,
/{usr/,}bin/fusermount{,3} rPx,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
/dev/fuse rw,
mount fstype=fuse.sshfs -> @{HOME}/*/,
mount fstype=fuse.sshfs -> @{HOME}/*/*/,
mount fstype=fuse.sshfs -> /media/*/,
mount fstype=fuse.sshfs -> /media/*/*/,
@{PROC}/sys/fs/pipe-max-size r,
profile fusermount {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To mount anything:
capability sys_admin,
/{usr/,}bin/fusermount{,3} mr,
mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/,
mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/,
/etc/fuse.conf r,
/dev/fuse rw,
@{PROC}/@{pid}/mounts r,
}
include if exists <local/sshfs>
}
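Review bot: The parent profile lists `mount fstype=fuse.sshfs -> /media/*/` and `-> /media/*/*/` targets, but the `fusermount` child, which is the profile that actually performs the mount after the `rCx -> fusermount` transition, only allows `@{HOME}/*/` and `@{HOME}/*/*/`; mounting an sshfs share under /media would presumably be denied in the child. Either add `mount fstype={fuse,fuse.sshfs} -> /media/*/,` and `mount fstype={fuse,fuse.sshfs} -> /media/*/*/,` to the child or drop the /media targets from the parent so the two lists agree. Whether the /media lines are new or carried over is not visible on this page, and the child has no `umount` rule either (see the obexautofs note).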


@ -47,7 +47,7 @@ profile appimage-beyond-all-reason @{exec_path} {
/{usr/,}bin/x86_64-linux-gnu-addr2line rix,
/{usr/,}bin/fusermount{,3} rPx,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
mount fstype={fuse,fuse.*} -> /tmp/.mount_Beyond*/,
@ -105,5 +105,31 @@ profile appimage-beyond-all-reason @{exec_path} {
/var/lib/dbus/machine-id r,
/etc/machine-id r,
profile fusermount {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To mount anything:
capability sys_admin,
capability dac_read_search,
/{usr/,}bin/fusermount{,3} mr,
mount fstype={fuse,fuse.*.AppImage} -> /tmp/.mount_*/,
umount /tmp/.mount_*/,
/dev/fuse rw,
/etc/fuse.conf r,
owner @{HOME}/**.AppImage r,
owner /media/*/**.AppImage r,
@{PROC}/@{pid}/mounts r,
}
include if exists <local/appimage-beyond-all-reason>
}
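Review bot: The child `fusermount` profile's mount target `/tmp/.mount_*/` (and the matching `umount /tmp/.mount_*/,`) is wider than the parent's `mount fstype={fuse,fuse.*} -> /tmp/.mount_Beyond*/`, so the child may mount over any AppImage mount point in /tmp rather than only this application's; `mount fstype={fuse,fuse.*.AppImage} -> /tmp/.mount_Beyond*/,` and `umount /tmp/.mount_Beyond*/,` would keep it as narrow as the parent. The `owner @{HOME}/**.AppImage r,` and `owner /media/*/**.AppImage r,` rules in the child look like coverage for a descriptor inherited from the parent; a `# file_inherit` comment, as used elsewhere in this commit, would say so. The parent's rules between the two hunks are not shown.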


@ -0,0 +1,57 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/archivemount
profile archivemount @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
/**.{tar,tar.gz,zip} r,
/**.{TAR,TAR.GZ,ZIP} r,
owner /**.{tar,tar.gz,zip} w,
owner /**.{TAR,TAR.GZ,ZIP} w,
owner @{HOME}/ r,
owner @{HOME}/*/ r,
owner @{HOME}/*/*/ r,
mount fstype=fuse.archivemount -> @{HOME}/*/,
mount fstype=fuse.archivemount -> @{HOME}/*/*/,
/dev/fuse rw,
profile fusermount {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To mount anything:
capability sys_admin,
/{usr/,}bin/fusermount{,3} mr,
mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/,
mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/*/,
/dev/fuse rw,
/etc/fuse.conf r,
owner @{HOME}/ r,
/**.{tar,tar.gz,zip} r,
/**.{TAR,TAR.GZ,ZIP} r,
@{PROC}/@{pid}/mounts r,
}
include if exists <local/archivemount>
}
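Review bot: `/**.{tar,tar.gz,zip} r,` without `owner` lets the profile read any matching archive anywhere on the filesystem that DAC permits, and `owner /**.{tar,tar.gz,zip} w,` allows rewriting every owned archive; gvfsd-archive in this same commit scopes the equivalent rules to `@{HOME}/**` and `/media/**`, and the same scoping would fit here unless archivemount is meant to be used on arbitrary system paths. The child `fusermount` repeats the archive read rules, which fusermount itself has no reason to open; if they cover a descriptor inherited from the parent, a `# file_inherit` comment would say so. The child also lacks an `umount` rule, as noted for obexautofs.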


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aspell
profile aspell @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/usr/share/aspell/{,*} r,
/usr/lib/aspell/{,*} r,
/var/lib/aspell/{,*} r,
/var/lib/aspell/*.rws rw,
include if exists <local/aspell>
}
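Review bot: `/var/lib/aspell/*.rws rw,` gives the interactive `aspell` profile write access to the system-wide hash dictionaries, which in this same commit are produced by aspell-autobuildhash (`/var/lib/aspell/* rw,` there); unless aspell itself regenerates them, read access is already covered by `/var/lib/aspell/{,*} r,` and the `rw` line can be dropped or reduced to `r`. `/usr/lib/aspell/{,*} r,` is written as a fixed path while the rest of the commit uses the `/{usr/,}lib/...` form; `/{usr/,}lib/aspell/{,*} r,` would match the house style if that is intended.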


@ -0,0 +1,74 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/aspell-autobuildhash
profile aspell-autobuildhash @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
/{usr/,}bin/precat rix,
/{usr/,}bin/zcat rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/prezip-bin rix,
/{usr/,}bin/dpkg-trigger rPx,
/{usr/,}bin/aspell rPx,
# Think what to do about this (#FIXME#)
/usr/share/debconf/frontend rPx,
#/usr/share/debconf/frontend rCx -> frontend,
/usr/share/aspell/{,*} r,
/usr/lib/aspell/{,*} r,
/usr/lib/aspell/*.rws rw,
/var/lib/aspell/ r,
/var/lib/aspell/* rw,
profile frontend {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r,
/{usr/,}bin/perl r,
/{usr/,}sbin/aspell-autobuildhash rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/locale rix,
/etc/debconf.conf r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
# The following is needed when debconf uses GUI frontends.
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
}
include if exists <local/aspell-autobuildhash>
}
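Review bot: The `profile frontend` child is unreachable: the only transition to it, `/usr/share/debconf/frontend rCx -> frontend,`, is commented out and the active rule under the `#FIXME#` line is `/usr/share/debconf/frontend rPx,`, so the child's rules — including `capability dac_read_search,` and the `rPx` back into aspell-autobuildhash — are loaded but never exercised. Either switch the transition to the `rCx` form or remove the child until the FIXME is resolved, and record the decision in the comment, e.g. `# FIXME: debconf frontend currently runs under its own profile (rPx); the frontend child below is kept for a future rCx transition`. `/usr/lib/aspell/*.rws rw,` also writes under /usr/lib from a package hook; a comment noting that this runs from the dpkg trigger as root would explain why the write is expected.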


@ -33,11 +33,12 @@ profile borg @{exec_path} {
/{usr/,}bin/{,@{multiarch}-}ld.bfd rix,
/{usr/,}bin/ccache rCx -> ccache,
/usr/bin/fusermount{,3} rPx,
/usr/bin/fusermount{,3} rCx -> fusermount,
mount fstype=fuse -> /media/*/,
mount fstype=fuse -> /media/*/*/,
umount /media/*/,
umount /media/*/*/,
/dev/fuse rw,
@ -91,5 +92,19 @@ profile borg @{exec_path} {
}
profile fusermount {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To mount anything:
capability sys_admin,
/{usr/,}bin/fusermount{,3} mr,
umount /media/*/,
umount /media/*/*/,
}
include if exists <local/borg>
}
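Review bot: The `fusermount` child in the second hunk has only `umount` rules — no `mount fstype=fuse -> /media/*/` counterpart and none of the `/dev/fuse rw,`, `/etc/fuse.conf r,` or `@{PROC}/@{pid}/mounts r,` lines every other fusermount child in this commit carries; since the mount itself is performed by fusermount after the `rCx -> fusermount` transition, `borg mount` would presumably be denied while the parent's `mount fstype=fuse -> /media/*/` rules never apply. Adding `mount fstype=fuse -> /media/*/,`, `mount fstype=fuse -> /media/*/*/,` and `/dev/fuse rw,` to the child, and a `capability sys_admin` comment explaining the umount-only intent if that is deliberate, would settle it. The parent's rules between the two hunks are not shown.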


@ -17,6 +17,7 @@ profile cawbird @{exec_path} {
include <abstractions/ssl_certs>
include <abstractions/enchant>
include <abstractions/audio>
include <abstractions/gstreamer>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
@ -26,17 +27,12 @@ profile cawbird @{exec_path} {
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/exo-open rCx -> open,
/{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner rPx,
owner @{user_config_dirs}/cawbird/ rw,
owner @{user_config_dirs}/cawbird/** rwk,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/cawbird-* rw,
owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw,
owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
@ -49,18 +45,6 @@ profile cawbird @{exec_path} {
/var/lib/dbus/machine-id r,
/etc/machine-id r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node0/meminfo r,
# The orcexec.* file is JIT compiled code for various GStreamer elements.
# If one is blocked the next is used instead.
owner @{run}/user/[0-9]*/orcexec.* mrw,
#owner @{HOME}/orcexec.* mrw,
#owner /tmp/orcexec.* mrw,
/dev/ r,
/dev/dri/ r,
owner @{PROC}/@{pid}/fd/ r,


@ -0,0 +1,33 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/czkawka_cli
profile czkawka-cli @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
# Dirs to scan for duplicates
#owner @{HOME}/** rw,
owner /media/** rw,
owner @{user_config_dirs}/czkawka/ rw,
owner @{user_config_dirs}/czkawka/** rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/czkawka/ rw,
owner @{user_cache_dirs}/czkawka/** rw,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
@{sys}/fs/cgroup/{,**} r,
include if exists <local/czkawka-cli>
}


@ -0,0 +1,73 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/czkawka_gui
profile czkawka-gui @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
@{exec_path} mr,
/{usr/,}bin/xdg-open rCx -> open,
# Dirs to scan for duplicates
#owner @{HOME}/** rw,
owner /media/** rw,
owner @{user_config_dirs}/czkawka/ rw,
owner @{user_config_dirs}/czkawka/** rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/czkawka/ rw,
owner @{user_cache_dirs}/czkawka/** rw,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
@{sys}/fs/cgroup/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
#/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/geany rPx,
/{usr/,}bin/viewnior rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/czkawka-gui>
}
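Review bot: `owner /media/** rw,` under `# Dirs to scan for duplicates` grants write (and therefore delete) access to every owned file under /media, but scanning only needs `r`; if the `w` is there for czkawka's delete/move actions, saying so in the comment (`# Dirs to scan for duplicates; w is needed for the delete/move actions`) makes the breadth deliberate rather than accidental, and the same applies to the `#owner @{HOME}/** rw,` line left commented without a reason (czkawka-cli has the identical pair). In the `open` child, `/{usr/,}bin/viewnior rPUx,` falls back to running viewnior unconfined when no viewnior profile is loaded, while smplayer and geany use `rPx` and fail closed; if the fallback is intentional, a comment saying so keeps it from reading as a typo, otherwise `rPx` is the consistent form.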


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/exo-open
profile exo-open @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>


@ -14,6 +14,7 @@ profile font-manager @{exec_path} {
include <abstractions/fontconfig-cache-write>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/gstreamer>
include <abstractions/ssl_certs>
network inet dgram,
@ -27,15 +28,10 @@ profile font-manager @{exec_path} {
/{usr/,}lib/@{multiarch}/webkit*gtk-*/WebKitWebProcess rix,
/{usr/,}lib/@{multiarch}/webkit*gtk-*/WebKitNetworkProcess rix,
/{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner rPUx,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/font-manager/ rw,
owner @{user_cache_dirs}/font-manager/* rwk,
owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw,
owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
owner @{user_config_dirs}/font-manager/ rw,
owner @{user_config_dirs}/font-manager/* rw,
@ -61,12 +57,8 @@ profile font-manager @{exec_path} {
@{sys}/devices/virtual/dmi/id/chassis_type r,
@{sys}/firmware/acpi/pm_profile r,
@{sys}/devices/system/node/ r,
@{sys}/fs/cgroup/{,**} r,
/dev/ r,
/dev/dri/ r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,


@ -29,6 +29,7 @@ profile frontend @{exec_path} flags=(complain) {
/{usr/,}bin/linux-check-removal rPx,
/{usr/,}bin/ucf rPx,
/{usr/,}sbin/pam-auth-update rPx,
/{usr/,}sbin/aspell-autobuildhash rPx,
/usr/share/debian-security-support/check-support-status.hook rPx,
# Run the package maintainer's scripts


@ -13,15 +13,17 @@ profile fuseiso @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/fusermount{,3} rPx,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
# Where to mount ISO files
owner @{HOME}/*/ rw,
owner @{HOME}/*/*/ rw,
owner @{HOME}/.cache/**/ r,
# Be able to mount ISO images
mount fstype=fuse.fuseiso -> @{HOME}/*/,
mount fstype=fuse.fuseiso -> @{HOME}/*/*/,
mount fstype=fuse.fuseiso -> @{HOME}/.cache/**/,
# Image files to be mounted
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
@ -34,5 +36,35 @@ profile fuseiso @{exec_path} {
/dev/fuse rw,
profile fusermount {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To mount anything:
capability sys_admin,
capability dac_read_search,
/{usr/,}bin/fusermount{,3} mr,
mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/,
mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/*/,
mount fstype={fuse,fuse.fuseiso} -> @{HOME}/.cache/**/,
/dev/fuse rw,
/etc/fuse.conf r,
@{PROC}/@{pid}/mounts r,
# Image files to be mounted
owner @{HOME}/**.{iso,img,bin,mdf,nrg} r,
owner /media/*/**.{iso,img,bin,mdf,nrg} r,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} r,
}
include if exists <local/fuseiso>
}


@ -15,12 +15,7 @@ profile fusermount @{exec_path} {
# fusermount: mount failed: Operation not permitted
capability sys_admin,
# This is needed when mounting MTP devices via some file manager:
# fusermount: mount failed: Permission denied
capability dac_read_search,
# For obexfs
network bluetooth stream,
#capability dac_read_search,
@{exec_path} mr,
@ -35,32 +30,13 @@ profile fusermount @{exec_path} {
mount fstype={fuse,fuse.*} -> @{HOME}/.cache/**/,
mount fstype={fuse,fuse.*} -> /media/*/,
mount fstype={fuse,fuse.*} -> /media/*/*/,
# For MTP
mount -> /,
# For AppImage
mount fstype={fuse,fuse.*} -> /tmp/.mount_*/,
# For GVFS
mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/,
# Be able to unmount the ISO images
umount @{HOME}/*/,
umount @{HOME}/*/*/,
umount @{HOME}/.cache/**/,
umount /media/*/,
umount /media/*/*/,
umount /tmp/.mount_*/,
umount @{run}/user/[0-9]*/**/,
# Image files to be mounted
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# AppImage files
owner @{HOME}/**.AppImage r,
owner /media/*/**.AppImage r,
/etc/fuse.conf r,
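Review bot: `mount -> /,` under `# For MTP` is the only mount rule in this profile that pins neither a filesystem type nor a target below `/`, and the MTP case now has its own `fusermount` child in the new jmtpfs profile; if the line survives on the new side (the page does not mark which of the hunk's lines are removed) it looks droppable, and otherwise at least an `fstype=` restriction would bring it in line with the other rules. If the `umount` block is among the removed lines, `fusermount -u` run from an unconfined shell, which enters this profile on exec, loses its unmount path — worth confirming against the new file. `#capability dac_read_search,` is kept as a commented line without the explanatory comment that accompanied it before; either drop the line or keep the reason with it.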


@ -9,11 +9,12 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/gajim
profile gajim @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/dri-common>
include <abstractions/audio>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
@ -21,7 +22,8 @@ profile gajim @{exec_path} {
include <abstractions/python>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-dconf>
include <abstractions/gstreamer>
include <abstractions/enchant>
include <abstractions/deny-root-dir-access>
network inet dgram,
@ -38,22 +40,26 @@ profile gajim @{exec_path} {
/{usr/,}{s,}bin/ldconfig rix,
# To play sounds
/{usr/,}bin/aplay rCx -> audio,
/{usr/,}bin/pacat rCx -> audio,
/{usr/,}bin/aplay rix,
/{usr/,}bin/pacat rix,
# Needed for GPG/PGP support
/{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg,
# External apps
/{usr/,}bin/xdg-settings rPUx,
/{usr/,}lib/firefox/firefox rPUx,
/{usr/,}bin/xdg-settings rPx,
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/spacefm rPx,
# Gajim plugins
/usr/share/gajim/plugins/{,**} r,
# Gajim home files
owner @{HOME}/ r,
owner @{user_config_dirs}/gajim/{,**} rw,
owner @{user_config_dirs}/gajim/ rw,
owner @{user_config_dirs}/gajim/** rwk,
owner @{user_share_dirs}/gajim/ rw,
owner @{user_share_dirs}/gajim/** rwk,
@ -62,45 +68,62 @@ profile gajim @{exec_path} {
owner @{user_cache_dirs}/gajim/ rw,
owner @{user_cache_dirs}/gajim/** rwk,
owner @{HOME}/.cache/farstream/ rw,
owner @{HOME}/.cache/farstream/codecs.audio.x86_64.cache{,.tmp*} rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/etc/fstab r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
# For video streaming
@{sys}/class/video4linux/ r,
/dev/video[0-9]* rw,
# TMP files locations (first in /tmp/ , /var/tmp/ and @{HOME}/)
/var/tmp/ r,
/tmp/ r,
owner /tmp/* rw,
# owner /var/tmp/* rw,
# owner @{HOME}/* rw,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
# Silencer
deny /usr/share/gajim/** w,
profile audio {
include <abstractions/base>
include <abstractions/audio>
/{usr/,}bin/aplay mr,
/{usr/,}bin/pacat mr,
owner @{HOME}/.Xauthority r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
}
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpg mr,
/{usr/,}bin/gpg mr,
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpgsm mr,
/{usr/,}bin/gpg-agent rix,
/{usr/,}lib/gnupg/scdaemon rix,
# without owner
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{run}/user/[0-9]*/gnupg/d.*/ rw,
owner @{run}/user/[0-9]*/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
owner @{HOME}/.local/share/gajim/openpgp/ rw,
owner @{HOME}/.local/share/gajim/openpgp/** rwkl -> @{HOME}/.local/share/gajim/openpgp/**,
}
include if exists <local/gajim>
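Review bot: In the `gpg` child, `@{PROC}/@{pid}/task/@{tid}/comm rw,` is granted for any pid (the `@{pid}` tunable is a numeric pattern, not the caller's own pid) and the `# without owner` comment states the omission but not the reason; if it is gpg-agent renaming its own threads, `owner @{PROC}/@{pid}/task/@{tid}/comm rw,` should suffice, otherwise the comment should name the process that needs to touch another user's threads. `gpg-agent` and `scdaemon` also run `rix` inside the child, so an agent launched this way keeps gajim's gpg rules for its lifetime; if a gpg-agent profile exists, `/{usr/,}bin/gpg-agent rPx,` would hand it its own confinement. Which of the printed pairs (`rCx -> audio` vs `rix`, `rPUx` vs `rPx`) is the new side is not recoverable from this page, so those are not reviewed here, and the profile's closing brace is outside the hunk.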


@ -0,0 +1,53 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/jmtpfs
profile jmtpfs @{exec_path} {
include <abstractions/base>
include <abstractions/devices-usb>
network netlink raw,
@{exec_path} mr,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
# Mount points
owner @{HOME}/*/ r,
owner @{HOME}/*/*/ r,
mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/,
mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/,
/etc/magic r,
/dev/fuse rw,
profile fusermount {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To mount anything:
capability sys_admin,
/{usr/,}bin/fusermount{,3} mr,
mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/,
mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/,
/etc/fuse.conf r,
/dev/fuse rw,
@{PROC}/@{pid}/mounts r,
}
include if exists <local/jmtpfs>
}

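--- /dev/null
+++ b/apparmor.d/profiles-m-z/psi
@@ -0,0 +1,161 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}bin/psi
+profile psi @{exec_path} {
+include <abstractions/base>
+include <abstractions/consoles>
+include <abstractions/X>
+include <abstractions/gtk>
+include <abstractions/fonts>
+include <abstractions/fontconfig-cache-read>
+include <abstractions/freedesktop.org>
+include <abstractions/enchant>
+include <abstractions/user-download-strict>
+include <abstractions/qt5-compose-cache-write>
+include <abstractions/qt5-settings-write>
+include <abstractions/mesa>
+include <abstractions/dri-enumerate>
+include <abstractions/nameservice-strict>
+include <abstractions/openssl>
+include <abstractions/ssl_certs>
+include <abstractions/thumbnails-cache-read>
+include <abstractions/deny-root-dir-access>
+signal (send) set=(term, kill) peer=child-lsb_release,
+network inet dgram,
+network inet6 dgram,
+network inet stream,
+network inet6 stream,
+network netlink dgram,
+@{exec_path} mr,
+/{usr/,}bin/lsb_release rPx -> child-lsb_release,
+/{usr/,}bin/xdg-open rCx -> open,
+# Needed for GPG/PGP support
+/{usr/,}bin/gpg rCx -> gpg,
+# Needed for playing sound events
+/{usr/,}bin/aplay rCx -> aplay,
+# PSI files
+/usr/share/psi/{,**} r,
+# PSI config files
+owner @{HOME}/ r,
+owner @{user_config_dirs}/psi/ rw,
+owner @{user_config_dirs}/psi/** rwkl -> @{user_config_dirs}/psi/#[0-9]*[0-9],
+owner @{user_share_dirs}/psi/ rw,
+owner @{user_share_dirs}/psi/** rwk,
+# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
+owner @{user_config_dirs}/qt5ct/{,**} r,
+/usr/share/qt5ct/** r,
+# Cache files
+owner @{user_cache_dirs}/ rw,
+owner @{user_cache_dirs}/psi/{,**} rw,
+owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
+/var/lib/dbus/machine-id r,
+/etc/machine-id r,
+# Autostart
+owner @{user_config_dirs}/autostart/psi.desktop rw,
+/etc/debian_version r,
+/dev/shm/#[0-9]*[0-9] rw,
+deny owner @{PROC}/@{pid}/cmdline r,
+deny @{PROC}/sys/kernel/random/boot_id r,
+owner @{PROC}/@{pid}/mountinfo r,
+owner @{PROC}/@{pid}/mounts r,
+/etc/fstab r,
+owner /var/tmp/etilqs_[0-9a-f]* rw,
+owner /tmp/#[0-9]*[0-9] rw,
+owner /tmp/Psi.* rwl -> /tmp/#[0-9]*[0-9],
+@{run}/systemd/inhibit/[0-9]*.ref rw,
+/usr/share/hwdata/pnp.ids r,
+# file_inherit
+owner @{HOME}/.xsession-errors w,
+# Allowed apps to open
+/{usr/,}lib/firefox/firefox rPUx,
+# file_inherit
+owner /dev/tty[0-9]* rw,
+profile aplay {
+include <abstractions/base>
+include <abstractions/audio>
+/{usr/,}bin/aplay mr,
+#/{usr/,}bin/pulseaudio rPUx,
+/var/lib/dbus/machine-id r,
+/etc/machine-id r,
+/usr/share/psi/sound/** r,
+owner @{HOME}/.Xauthority r,
+# file_inherit
+/dev/dri/card[0-9]* rw,
+}
+profile gpg {
+include <abstractions/base>
+/{usr/,}bin/gpg mr,
+owner @{HOME}/.gnupg/ rw,
+owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
+# file_inherit
+/dev/dri/card[0-9]* rw,
+}
+profile open {
+include <abstractions/base>
+include <abstractions/xdg-open>
+/{usr/,}bin/xdg-open mr,
+/{usr/,}bin/{,ba,da}sh rix,
+/{usr/,}bin/gawk rix,
+/{usr/,}bin/readlink rix,
+/{usr/,}bin/basename rix,
+owner @{HOME}/ r,
+owner @{run}/user/[0-9]*/ r,
+# Allowed apps to open
+/{usr/,}lib/firefox/firefox rPUx,
+# file_inherit
+owner @{HOME}/.xsession-errors w,
+}
+include if exists <local/psi>
+}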
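Review bot: The `gpg` child hardcodes `owner @{HOME}/.gnupg/ rw,` and the matching `**` rule while the gajim `gpg` child in this same commit uses `@{HOME}/@{XDG_GPG_DIR}/`; `owner @{HOME}/@{XDG_GPG_DIR}/ rw,` and `owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,` would keep the two consistent and honour a relocated keyring. `/dev/shm/#[0-9]*[0-9] rw,` in the parent is granted without `owner`, unlike the `owner /tmp/#[0-9]*[0-9] rw,` rule a few lines below; unless psi needs other users' shared-memory files, `owner /dev/shm/#[0-9]*[0-9] rw,` is the tighter form. The two `deny` rules on `cmdline` and `boot_id` are silencers with no comment; a `# Silencer` tag as in the gajim profile would say so. `/{usr/,}lib/firefox/firefox rPUx,` appears both in the parent and in the `open` child; if the parent never execs firefox directly, the parent copy is dead.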


@ -31,7 +31,7 @@ profile pulseaudio @{exec_path} {
/{usr/,}lib/pulse/gsettings-helper mrix,
# PulseAudio files
/usr/share/pulseaudio/** r,
/usr/share/pulseaudio/{,**} r,
/{usr/,}lib/pulse-*/modules/*.so mr,
# PulseAudio home config files


@ -23,8 +23,8 @@ profile quiterss @{exec_path} {
include <abstractions/wayland>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/gstreamer>
include <abstractions/deny-root-dir-access>
# This one is needed when you want to receive sound notifications
include <abstractions/audio>
@ -39,8 +39,6 @@ profile quiterss @{exec_path} {
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner rPUx,
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
@ -53,9 +51,6 @@ profile quiterss @{exec_path} {
owner @{user_cache_dirs}/QuiteRss/ rw,
owner @{user_cache_dirs}/QuiteRss/** rwl -> @{user_cache_dirs}/QuiteRss/**,
owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw,
owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
owner @{PROC}/@{pid}/fd/ r,
deny @{PROC}/sys/kernel/random/boot_id r,
deny owner @{PROC}/@{pid}/cmdline r,
@ -69,14 +64,7 @@ profile quiterss @{exec_path} {
/usr/share/hwdata/pnp.ids r,
# The orcexec.* file is JIT compiled code for various GStreamer elements.
# If one is blocked the next is used instead.
owner @{run}/user/[0-9]*/orcexec.* mrw,
#owner @{HOME}/orcexec.* mrw,
#owner /tmp/orcexec.* mrw,
deny /dev/ r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#[0-9]*[0-9] rw,
owner /tmp/qtsingleapp-quiter-[0-9]*-[0-9]* rw,
owner /tmp/qtsingleapp-quiter-[0-9]*-[0-9]*-lockfile rwk,


@ -20,6 +20,7 @@ profile smtube @{exec_path} {
include <abstractions/qt5-compose-cache-write>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/gstreamer>
include <abstractions/deny-root-dir-access>
network inet dgram,
@ -31,8 +32,6 @@ profile smtube @{exec_path} {
@{exec_path} mr,
/{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner rPUx,
# SMTube config files
owner @{user_config_dirs}/smtube/ rw,
owner @{user_config_dirs}/smtube/* rwkl -> @{user_config_dirs}/smtube/#[0-9]*[0-9],
@ -54,16 +53,12 @@ profile smtube @{exec_path} {
owner @{user_cache_dirs}/smtube/ rw,
owner @{user_cache_dirs}/smtube/* rwk,
owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw,
owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/usr/share/hwdata/pnp.ids r,
deny /dev/ r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#[0-9]*[0-9] rw,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,


@ -26,6 +26,7 @@ profile strawberry @{exec_path} {
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/devices-usb>
include <abstractions/gstreamer>
include <abstractions/deny-root-dir-access>
signal (send) set=(term, kill) peer=strawberry-tagreader,
@ -42,7 +43,6 @@ profile strawberry @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/strawberry-tagreader rPx,
/{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner rPUx,
/{usr/,}bin/xdg-open rCx -> open,
@ -68,9 +68,6 @@ profile strawberry @{exec_path} {
owner @{user_cache_dirs}/strawberry/ rw,
owner @{user_cache_dirs}/strawberry/** rwl -> @{user_cache_dirs}/strawberry/networkcache/prepared/#[0-9]*[0-9],
owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw,
owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
owner @{user_cache_dirs}/xine-lib/ rw,
owner @{user_cache_dirs}/xine-lib/plugins.cache{,.new} rw,
@ -87,18 +84,8 @@ profile strawberry @{exec_path} {
/etc/fstab r,
deny /dev/ r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/sr[0-9]* r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]/meminfo r,
# The orcexec.* file is JIT compiled code for various GStreamer elements.
# If one is blocked the next is used instead.
owner @{run}/user/[0-9]*/orcexec.* mrw,
#owner @{HOME}/orcexec.* mrw,
#owner /tmp/orcexec.* mrw,
/dev/shm/#[0-9]*[0-9] rw,
/dev/sr[0-9]* r,
owner /tmp/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw,
owner /tmp/.*/ rw,


@ -30,7 +30,8 @@ profile umount @{exec_path} flags=(complain) {
@{exec_path} mr,
/{usr/,}{s,}bin/umount.* rPx,
/{usr/,}sbin/umount.* rPx,
/{usr/,}sbin/mount.* rPx,
# Mount points
@{HOME}/ r,
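Review bot: `/{usr/,}sbin/mount.* rPx,` is added next to the `umount.*` helper rule without a comment, and it is not obvious why an unmount needs to execute mount helpers; a short comment naming the helper that triggers the exec would let the rule be re-checked later. The old `/{usr/,}{s,}bin/umount.*` form appears to have covered `/bin` as well, while the new pair covers only `sbin`; if that narrowing is deliberate it is worth a word in the comment. The profile body continues outside the hunk.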


@ -26,6 +26,7 @@ profile virt-manager @{exec_path} {
include <abstractions/user-download-strict>
include <abstractions/python>
include <abstractions/devices-usb>
include <abstractions/gstreamer>
include <abstractions/deny-dconf>
network inet stream,
@ -42,8 +43,6 @@ profile virt-manager @{exec_path} {
/{usr/,}{s,}bin/libvirtd rPx,
/{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner rPUx,
/usr/share/virt-manager/{,**} r,
owner @{HOME}/ r,
@ -51,9 +50,6 @@ profile virt-manager @{exec_path} {
owner @{user_cache_dirs}/virt-manager/ rw,
owner @{user_cache_dirs}/virt-manager/** rw,
owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw,
owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
# For disk images
/media/ r,
/media/*/ r,
@ -88,22 +84,13 @@ profile virt-manager @{exec_path} {
/etc/fstab r,
@{run}/mount/utab r,
@{run}/mount/utab r,
owner @{run}/user/[0-9]*/libvirt/libvirtd.lock rwk,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# The orcexec.* file is JIT compiled code for various GStreamer elements.
# If one is blocked the next is used instead.
owner @{run}/user/[0-9]*/orcexec.* mrw,
#owner @{HOME}/orcexec.* mrw,
#owner /tmp/orcexec.* mrw,
# Silecne the noise
deny /usr/share/virt-manager/{,**} w,


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-open
profile xdg-open @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/app-launcher-user>
@{exec_path} r,