mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-30 06:45:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

update apparmor profiles

Browse source 
Adpated to the apparmor.d structure.

Signed-off-by: Mikhail Morfikov <mmorfikov@gmail.com>
This commit is contained in:
Mikhail Morfikov 2021-04-10 08:11:07 +02:00 committed by Alexandre Pujol
parent c1e2b1d15e
commit 0573b2d996
Failed to generate hash of commit
29 changed files with 534 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
apparmor.d/abstractions/trash
View file

@ -49,3 +49,28 @@
owner /{media,mnt}/*/.Trash-[0-9]*/expunged/[0-9]* rw,
owner /{media,mnt}/*/.Trash-[0-9]*/expunged/[0-9]*/ rw,
owner /{media,mnt}/*/.Trash-[0-9]*/expunged/[0-9]*/** rw,
# Removable media's trash location when the admin creates the .Trash/ folder in the top lvl dir
owner /{media,mnt}/*/*/.Trash/ rw,
owner /{media,mnt}/*/*/.Trash/[0-9]*/ rw,
owner /{media,mnt}/*/*/.Trash/[0-9]*/#[0-9]*[0-9] rw,
owner /{media,mnt}/*/*/.Trash/[0-9]*/directorysizes{,.*} rwl -> /{media,mnt}/*/.Trash/[0-9]*/#[0-9]*[0-9],
owner /{media,mnt}/*/*/.Trash/[0-9]*/files/{,**} rw,
owner /{media,mnt}/*/*/.Trash/[0-9]*/info/ rw,
owner /{media,mnt}/*/*/.Trash/[0-9]*/info/*.trashinfo{,.*} rw,
owner /{media,mnt}/*/*/.Trash/[0-9]*/expunged/ rw,
owner /{media,mnt}/*/*/.Trash/[0-9]*/expunged/[0-9]* rw,
owner /{media,mnt}/*/*/.Trash/[0-9]*/expunged/[0-9]*/ rw,
owner /{media,mnt}/*/*/.Trash/[0-9]*/expunged/[0-9]*/** rw,
# Removable media's trash location when the admin doesn't create the .Trash/ folder in the top lvl dir
owner /{media,mnt}/*/*/.Trash-[0-9]*/ rw,
owner /{media,mnt}/*/*/.Trash-[0-9]*/#[0-9]*[0-9] rw,
owner /{media,mnt}/*/*/.Trash-[0-9]*/directorysizes{,.*} rwl -> /{media,mnt}/*/.Trash-[0-9]*/#[0-9]*[0-9],
owner /{media,mnt}/*/*/.Trash-[0-9]*/files/{,**} rw,
owner /{media,mnt}/*/*/.Trash-[0-9]*/info/ rw,
owner /{media,mnt}/*/*/.Trash-[0-9]*/info/*.trashinfo{,.*} rw,
owner /{media,mnt}/*/*/.Trash-[0-9]*/expunged/ rw,
owner /{media,mnt}/*/*/.Trash-[0-9]*/expunged/[0-9]* rw,
owner /{media,mnt}/*/*/.Trash-[0-9]*/expunged/[0-9]*/ rw,
owner /{media,mnt}/*/*/.Trash-[0-9]*/expunged/[0-9]*/** rw,

8
apparmor.d/abstractions/user-download-strict
View file

@ -5,16 +5,16 @@
abi <abi/3.0>,
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/** rwl,
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/** rwkl,
owner /media/*/@{XDG_DOWNLOAD_DIR}/ r,
owner /media/*/@{XDG_DOWNLOAD_DIR}/** rwl,
owner /media/*/@{XDG_DOWNLOAD_DIR}/** rwkl,
owner /mnt/*/@{XDG_DOWNLOAD_DIR}/ r,
owner /mnt/*/@{XDG_DOWNLOAD_DIR}/** rwl,
owner /mnt/*/@{XDG_DOWNLOAD_DIR}/** rwkl,
owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwl,
owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl,
# For SSHFS mounts (without owner as files in such mounts can be owned by different users)
@{HOME}/mount-sshfs/ r,

2
apparmor.d/groups/apps/atom
View file

@ -120,7 +120,7 @@ profile atom @{exec_path} {
# Failed to adjust OOM score of renderer with pid : Permission denied
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pids}/task/ r,
deny owner @{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny owner @{PROC}/@{pid}/loginuid r,

2
apparmor.d/groups/apps/code
View file

@ -99,7 +99,7 @@ profile code @{exec_path} {
# Failed to adjust OOM score of renderer with pid : Permission denied
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pids}/task/ r,
deny owner @{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny owner @{PROC}/@{pid}/net/dev r,

2
apparmor.d/groups/apps/discord
View file

@ -82,7 +82,7 @@ profile discord @{exec_path} {
deny @{PROC}/vmstat r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pids}/task/ r,
deny owner @{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/task/@{tid}/status r,
deny @{PROC}/@{pids}/stat r,
deny owner @{PROC}/@{pids}/statm r,
deny @{PROC}/@{pids}/cmdline r,

3
apparmor.d/groups/apps/freetube
View file

@ -73,8 +73,7 @@ profile freetube @{exec_path} {
owner @{PROC}/@{pid}/fd/ r,
# @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/task/ r,
deny owner @{PROC}/@{pids}/task/@{tid}/status r,
# @{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/task/@{tid}/status r,
deny @{PROC}/@{pids}/stat r,
deny owner @{PROC}/@{pids}/statm r,
deny owner @{PROC}/@{pid}/cmdline r,

2
apparmor.d/groups/apps/spotify
View file

@ -46,7 +46,7 @@ profile spotify @{exec_path} {
owner @{PROC}/@{pid}/fd/ r,
deny owner @{PROC}/@{pids}/task/ r,
deny owner @{PROC}/@{pids}/task/@{tid}/stat r,
deny owner @{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pids}/task/@{tid}/status r,
deny @{PROC}/@{pids}/stat r,
deny owner @{PROC}/@{pid}/cmdline r,
deny owner @{PROC}/@{pids}/oom_score_adj w,

4
apparmor.d/groups/apt/apt-show-versions
View file

@ -6,6 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/apt-show-versions
profile apt-show-versions @{exec_path} {
include <abstractions/base>
@ -29,6 +31,8 @@ profile apt-show-versions @{exec_path} {
/var/lib/dbus/machine-id r,
/etc/machine-id r,
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
owner /var/log/cron-apt/temp w,

2
apparmor.d/groups/browsers/brave
View file

@ -140,7 +140,7 @@ profile brave @{exec_path} {
#
deny @{PROC}/@{pids}/cmdline r,
owner @{PROC}/@{pids}/task/ r,
deny @{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/task/@{tid}/status r,
deny owner @{PROC}/@{pid}/limits r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,

2
apparmor.d/groups/browsers/chromium-chromium
View file

@ -136,7 +136,7 @@ profile chromium-chromium @{exec_path} {
deny owner @{PROC}/@{pids}/environ r,
owner @{PROC}/@{pids}/task/ r,
deny @{PROC}/@{pids}/task/@{tid}/stat r,
deny @{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/task/@{tid}/status r,
deny owner @{PROC}/@{pid}/limits r,
deny owner @{PROC}/@{pid}/mem r,
owner @{PROC}/@{pid}/mountinfo r,

2
apparmor.d/groups/browsers/google-chrome-chrome
View file

@ -134,7 +134,7 @@ profile google-chrome-chrome @{exec_path} {
deny owner @{PROC}/@{pids}/environ r,
owner @{PROC}/@{pid}/task/ r,
deny @{PROC}/@{pids}/task/@{tid}/stat r,
deny @{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/task/@{tid}/status r,
deny owner @{PROC}/@{pid}/limits r,
deny owner @{PROC}/@{pid}/mem r,
owner @{PROC}/@{pid}/mountinfo r,

2
apparmor.d/groups/browsers/opera
View file

@ -126,7 +126,7 @@ profile opera @{exec_path} {
deny owner @{PROC}/@{pids}/environ r,
owner @{PROC}/@{pid}/task/ r,
deny @{PROC}/@{pids}/task/@{tid}/stat r,
deny @{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/task/@{tid}/status r,
deny owner @{PROC}/@{pid}/limits r,
deny owner @{PROC}/@{pid}/mem r,
owner @{PROC}/@{pid}/mountinfo r,

5
apparmor.d/groups/cron/crontab
View file

@ -23,6 +23,8 @@ profile crontab @{exec_path} {
/{usr/,}bin/sensible-editor rCx -> editor,
/{usr/,}bin/vim.* rCx -> editor,
/etc/cron.{allow,deny} r,
/var/spool/cron/ r,
/var/spool/cron/crontabs/ rw,
owner /var/spool/cron/crontabs/* rw,
@ -53,6 +55,9 @@ profile crontab @{exec_path} {
/tmp/ r,
owner /tmp/crontab.*/crontab rw,
# file_inherit
/etc/cron.{allow,deny} r,
}
include if exists <local/crontab>

81
apparmor.d/groups/systemd/coredumpctl Normal file
View file

@ -0,0 +1,81 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/coredumpctl
profile coredumpctl @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
signal (send) peer=child-pager,
@{exec_path} mr,
/{usr/,}bin/gdb rCx -> gdb,
/{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
owner /tmp/*.coredump w,
owner /tmp/core.* w,
owner /var/tmp/coredump-* rw,
/var/lib/systemd/coredump/core.*.[0-9]*.[0-9a-f]*.[0-9]*.[0-9]*.zst r,
/{run,var}/log/journal/ r,
/{run,var}/log/journal/[0-9a-f]*/ r,
/{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* r,
/{run,var}/log/journal/[0-9a-f]*/system.journal* r,
/{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/1/cgroup r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
profile gdb {
include <abstractions/base>
include <abstractions/python>
ptrace (trace),
/{usr/,}bin/gdb mr,
/{usr/,}bin/iconv rix,
/{usr/,}bin/* r,
/{usr/,}sbin/* r,
@{PROC}/@{pids}/fd/ r,
/etc/inputrc r,
/etc/gdb/** r,
/usr/share/gdb/{,**} r,
/usr/share/glib-2.0/gdb/{,**} r,
/usr/share/gcc-[0-9]*/python/{,**} r,
/usr/share/gcc/** r,
owner /var/tmp/coredump-* rw,
# Silencer
deny /usr/share/** w,
}
include if exists <local/coredumpctl>
}

52
apparmor.d/groups/systemd/systemd-coredump Normal file
View file

@ -0,0 +1,52 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-coredump
profile systemd-coredump @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/systemd-common>
capability setpcap,
capability setuid,
capability setgid,
capability dac_read_search,
capability sys_ptrace,
# Needed?
deny capability net_admin,
@{exec_path} mr,
/{usr/,}bin/* r,
/{usr/,}sbin/* r,
/usr/libexec/** r,
/etc/systemd/coredump.conf r,
/var/lib/systemd/coredump/ r,
owner /var/lib/systemd/coredump/#[0-9]* rw,
owner /var/lib/systemd/coredump/core.*.[0-9]*.[0-9a-f]*.[0-9]*.[0-9]*.zst rwl -> /var/lib/systemd/coredump/#[0-9]*,
owner @{PROC}/@{pid}/setgroups r,
@{PROC}/@{pids}/comm r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/limits r,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/fd/ r,
@{PROC}/@{pids}/fdinfo/[0-9]* r,
include if exists <local/systemd-coredump>
}

8
apparmor.d/groups/systemd/systemd-journald
View file

@ -17,6 +17,14 @@ profile systemd-journald @{exec_path} {
capability sys_ptrace,
capability dac_read_search,
capability kill,
capability sys_admin,
capability setuid,
capability setgid,
# For audit logs
capability audit_control,
network netlink raw,
@{exec_path} mr,

1
apparmor.d/groups/systemd/systemd-sysctl
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-sysctl
profile systemd-sysctl @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/systemd-common>
# Are these needed?

2
apparmor.d/profiles-a-l/anki
View file

@ -80,7 +80,7 @@ profile anki @{exec_path} {
owner @{PROC}/@{pid}/fd/ r,
deny owner @{PROC}/@{pid}/mem r,
owner @{PROC}/@{pid}/task/ r,
deny owner @{PROC}/@{pid}/task/@{tid}/status r,
owner @{PROC}/@{pid}/task/@{tid}/status r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
deny owner @{PROC}/@{pid}/cmdline r,

4
apparmor.d/profiles-a-l/debtags
View file

@ -6,6 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/debtags
profile debtags @{exec_path} {
include <abstractions/base>
@ -34,6 +36,8 @@ profile debtags @{exec_path} {
/var/lib/dbus/machine-id r,
/etc/machine-id r,
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
/var/log/cron-apt/temp w ,

88
apparmor.d/profiles-m-z/mediainfo-gui Normal file
View file

@ -0,0 +1,88 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
# Video/audio extensions:
# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t
@{mediainfo_ext} = [aA]{52,[aA][cC],[cC]3}
@{mediainfo_ext} += [mM][kK][aA]
@{mediainfo_ext} += [fF][lL][aA][cC]
@{mediainfo_ext} += [mM][pP][123cC]
@{mediainfo_ext} += [oO][gGmM][aA]
@{mediainfo_ext} += [wW]{,[aA]}[vV]
@{mediainfo_ext} += [wW][mM]{,[aA]}
@{mediainfo_ext} += 3[gG]{[2pP],[pP][2pP]}
@{mediainfo_ext} += [aA][sS][fF]
@{mediainfo_ext} += [aA][vV][iI]
@{mediainfo_ext} += [dD][iI][vV][xX]
@{mediainfo_ext} += [mM][124][vV]
@{mediainfo_ext} += [mM][kKoO][vV]
@{mediainfo_ext} += [mM][pP][4aAeEgG]
@{mediainfo_ext} += [mM][pP][eE][gG]{,[124]}
@{mediainfo_ext} += [oO][gG][gGmMxXvV]
@{mediainfo_ext} += [rR][mM]{,[vV][bB]}
@{mediainfo_ext} += [wW][eE][bB][mM]
@{mediainfo_ext} += [wW][mMtT][vV]
@{mediainfo_ext} += [mM][pP]2[tT]
@{exec_path} = /{usr/,}bin/mediainfo-gui
profile mediainfo-gui @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/user-download-strict>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
/{usr/,}bin/xdg-open rCx -> open,
# Which media files mediainfo-gui should be able to open
/ r,
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
/media/ r,
owner /media/**/ r,
owner /{home,media}/**.@{mediainfo_ext} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/mediainfo-gui>
}

3
apparmor.d/profiles-m-z/mkvtoolnix-gui
View file

@ -59,7 +59,8 @@ profile mkvtoolnix-gui @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/mkvmerge rPx,
/{usr/,}bin/mkvmerge rPx,
/{usr/,}bin/mediainfo-gui rPx,
# Which files mkvtoolnix should be able to open
/ r,

1
apparmor.d/profiles-m-z/mpv
View file

@ -163,6 +163,7 @@ profile mpv @{exec_path} {
/{usr/,}bin/xset rix,
/{usr/,}bin/xautolock rix,
/{usr/,}bin/dbus-send rix,
/{usr/,}bin/xscreensaver-command rix,
owner @{HOME}/.Xauthority r,

14
apparmor.d/profiles-m-z/openbox
View file

@ -22,9 +22,11 @@ profile openbox @{exec_path} {
/{usr/,}lib/@{multiarch}/openbox-autostart rCx -> autostart,
# Apps allowed to run
/{usr/,}{s,}bin/* rPUx,
/{usr/,}bin/* rPUx,
/usr/{lib,libexec}/* rPUx,
/{usr/,}sbin/* rPUx,
/{usr/,}bin/* rPUx,
/usr/local/bin/* rPUx,
/usr/{lib,libexec}/* rPUx,
/{usr/,}lib/@{multiarch}/*/** rPUx,
/usr/share/themes/*/openbox-3/themerc r,
@ -60,8 +62,14 @@ profile openbox @{exec_path} {
/{usr/,}bin/which rix,
# Apps allowed to run
/{usr/,}sbin/* rPUx,
/{usr/,}bin/* rPUx,
<<<<<<< HEAD:apparmor.d/profiles-m-z/openbox
/usr/{lib,libexec}/* rPUx,
=======
/usr/local/bin/* rPUx,
/usr/libexec/* rPUx,
>>>>>>> ff78b17 (update apparmor profiles):apparmor.d/openbox
/{usr/,}lib/@{multiarch}/*/** rPUx,
/usr/local/lib/python*/dist-packages/ r,

101
apparmor.d/profiles-m-z/qtox Normal file
View file

@ -0,0 +1,101 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/qtox
profile qtox @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/enchant>
include <abstractions/user-download-strict>
include <abstractions/qt5-settings-write>
include <abstractions/mesa>
include <abstractions/dri-enumerate>
include <abstractions/nameservice-strict>
include <abstractions/audio>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
/{usr/,}bin/xdg-open rCx -> open,
# For importing old profile
owner @{HOME}/**.tox r,
owner /media/*/**.tox r,
owner @{HOME}/ r,
owner @{user_cache_dirs}/qTox/ rw,
owner @{user_cache_dirs}/qTox/qtox.log rw,
owner @{user_config_dirs}/tox/ rw,
owner @{user_config_dirs}/tox/** rwkl -> @{HOME}/.config/tox/**,
owner @{user_config_dirs}/autostart/qTox*.desktop rw,
owner @{user_share_dirs}/qTox/ rw,
owner @{user_share_dirs}/qTox/** rw,
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
owner @{PROC}/@{pid}/cmdline r,
@{PROC}/sys/kernel/core_pattern r, # for KCrash::initialize()
@{PROC}/sys/kernel/random/boot_id r, # for QSysInfo::bootUniqueId(), mvoe to qt5 abstraction?
/usr/share/hwdata/pnp.ids r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner /tmp/qipc_{systemsem,sharedmemory}_*[0-9a-f]* rw,
@{sys}/devices/system/node/ r, # for ld-linux-x86-64.so -> libnuma1.so
@{sys}/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so
/dev/ r,
/dev/video[0-9]* rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
/{usr/,}bin/viewnior rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{user_cache_dirs}/qTox/qtox.log w,
deny /dev/video[0-9]* rw,
}
include if exists <local/qtox>
}

1
apparmor.d/profiles-m-z/spectre-meltdown-checker
View file

@ -119,6 +119,7 @@ profile spectre-meltdown-checker @{exec_path} {
@{PROC}/ r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/uptime r,
}

1
apparmor.d/profiles-m-z/unhide-tcp
View file

@ -26,7 +26,6 @@ profile unhide-tcp @{exec_path} {
@{PROC}/@{pids}/net/tcp{,6} r,
@{PROC}/@{pids}/net/udp{,6} r,
@{PROC}/@{pids}/fd/ r,
@{PROC}/@{pids}/maps r,
# For logs
/**/unhide-tcp_[0-9]*-[0-9]*-[0-9]*.log w,

84
apparmor.d/profiles-m-z/utox Normal file
View file

@ -0,0 +1,84 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/utox
profile utox @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/user-download-strict>
include <abstractions/nameservice-strict>
include <abstractions/audio>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
/{usr/,}bin/xdg-open rCx -> open,
owner @{HOME}/ r,
owner @{user_config_dirs}/tox/ rw,
owner @{user_config_dirs}/tox/** rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
deny owner @{PROC}/@{pid}/cmdline r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
# For video support
owner /dev/shm/libv4l-* rw,
/dev/video[0-9]* rw,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/video4linux/video[0-9]*/dev r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{modalias,speed} r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/dmi/id/product_{name,version} r,
@{sys}/devices/virtual/dmi/id/board_{vendor,name,version} r,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
/{usr/,}bin/viewnior rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{user_config_dirs}/tox/[0-9A-F].ftinfo w,
owner @{user_config_dirs}/tox/[0-9A-F].ftoutfo w,
deny /dev/video[0-9]* rw,
}
include if exists <local/utox>
}

6
apparmor.d/profiles-m-z/vidcutter
View file

@ -58,9 +58,9 @@ profile vidcutter @{exec_path} {
/{usr/,}bin/ r,
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/ffmpeg rPUx,
/{usr/,}bin/ffprobe rPUx,
/{usr/,}bin/mediainfo rPUx,
/{usr/,}bin/ffmpeg rPx,
/{usr/,}bin/ffprobe rPx,
/{usr/,}bin/mediainfo rPx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,

49
apparmor.d/profiles-m-z/warzone2100 Normal file
View file

@ -0,0 +1,49 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/warzone2100
profile warzone2100 @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/freedesktop.org>
include <abstractions/vulkan>
include <abstractions/mesa>
include <abstractions/dri-enumerate>
include <abstractions/nameservice-strict>
include <abstractions/audio>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
deny ptrace (read),
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
owner @{user_share_dirs}/warzone2100-*/ rw,
owner @{user_share_dirs}/warzone2100-*/** rw,
# What's this for?
deny owner @{user_share_dirs}/applications/*.desktop w,
/usr/share/warzone2100/{,**} r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
deny @{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/stat r,
include if exists <local/warzone2100>
}