mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-14 23:43:56 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat(profile): remove some unused profiles.

Browse Source
This commit is contained in:
Alexandre Pujol 2024-01-21 11:51:00 +00:00
parent b4a8733f39
commit 05b47adb13
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
2 changed files with 0 additions and 406 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

287
apparmor.d/groups/apps/android-studio
View File

@ -1,287 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{AS_LIBDIR} = @{MOUNTS}/android-studio
@{AS_SDKDIR} = @{MOUNTS}/SDK
@{AS_HOMEDIR} = @{HOME}/.AndroidStudio*
@{AS_PROJECTDIR} = @{HOME}/AndroidStudioProjects
@{exec_path} = @{AS_LIBDIR}/bin/studio.sh
profile android-studio @{exec_path} {
include <abstractions/base>
#icnlude <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/ssl_certs>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/audio>
include <abstractions/python>
include <abstractions/devices-usb>
include <abstractions/chromium-common>
capability sys_ptrace,
signal (send) set=(term, kill) peer=android-studio//lsb-release,
ptrace (read) peer=android-studio//*,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network inet raw,
network inet6 raw,
network netlink raw,
@{exec_path} r,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/cat rix,
@{bin}/chattr rix,
@{bin}/chmod rix,
@{bin}/cut rix,
@{bin}/dirname rix,
@{bin}/kill rix,
@{bin}/ldconfig rix,
@{bin}/mktemp rix,
@{bin}/nice rix,
@{bin}/python3.[0-9]* rix,
@{bin}/readlink rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/setsid rix,
@{bin}/uname rix,
@{bin}/which{,.debianutils} rix,
@{bin}/xargs rix,
@{bin}/git rPx,
@{bin}/lsusb rPx,
@{bin}/ps rPx,
@{bin}/xdg-mime rPx,
@{bin}/xprop rPx,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/lsb_release rCx -> lsb-release,
@{bin}/xdg-open rCx -> open,
@{lib}/jvm/java-[0-9]*-openjdk-*/jre/bin/* rix,
/etc/java-[0-9]*-openjdk/** r,
/usr/share/java/java-atk-wrapper.jar r,
/etc/ssl/certs/java/cacerts r,
/ r,
/home/ r,
@{MOUNTS}/ r,
@{MOUNTS}/*/ r,
/usr/ r,
@{lib}/ r,
@{AS_LIBDIR}/ rw,
@{AS_LIBDIR}/** mrwkix,
# A standard system android SDK location.
# Currently there is only the target platform of API Level 23 packaged, so only apps targeted at
# android-23 can be built with only Debian packages. Only Build-Tools 24.0.0 is available, so in
# order to use the SDK, build scripts need to be modified.
@{lib}/android-sdk/ r,
@{lib}/android-sdk/** mrkix,
/usr/share/android-sdk-platform-*/{,**} r,
deny @{lib}/android-sdk/build-tools/*/package.xml w,
deny @{lib}/android-sdk/platforms/android-*/package.xml w,
deny @{lib}/android-sdk/.knownPackages w,
# This one is used if the standard android SDK location is missing
@{AS_SDKDIR}/ rw,
@{AS_SDKDIR}/** mrwkix,
owner @{AS_HOMEDIR}/ rw,
owner @{AS_HOMEDIR}/** mrwkix,
owner @{AS_PROJECTDIR}/ rw,
owner @{AS_PROJECTDIR}/** rwk,
owner @{HOME}/AndroidStudio/ rw,
owner @{HOME}/AndroidStudio/DeviceExplorer/ rw,
owner @{HOME}/AndroidStudio/DeviceExplorer/** rw,
owner @{HOME}/Android/ rw,
owner @{HOME}/Android/** mrwkix,
owner "@{user_config_dirs}/Android Open Source Project/" rw,
owner "@{user_config_dirs}/Android Open Source Project/**" rwk,
owner @{user_config_dirs}/Google/ rw,
owner @{user_config_dirs}/Google/** rwk,
owner @{user_cache_dirs}/ rw,
owner "@{user_cache_dirs}/Android Open Source Project/" rw,
owner "@{user_cache_dirs}/Android Open Source Project/**" rw,
owner @{user_cache_dirs}/main.kts.compiled.cache/ rw,
owner @{user_cache_dirs}/main.kts.compiled.cache/** rw,
owner @{user_cache_dirs}/Google/ rw,
owner @{user_cache_dirs}/Google/** rwk,
# To remove the following error:
# Location: /home/morfik/.cache/Google/AndroidStudio4.1/tmp
# java.io.IOException: Cannot run program
# "/home/morfik/.cache/Google/AndroidStudio4.1/tmp/ij659840309.tmp": error=13, Permission denied
owner @{user_cache_dirs}/Google/AndroidStudio*/tmp/ij[0-9]*.tmp rwkix,
#
owner @{user_cache_dirs}/Google/AndroidStudio*/tmp/jna[0-9]*.tmp mrwk,
owner @{user_cache_dirs}/JNA/ rw,
owner @{user_cache_dirs}/JNA/** rw,
owner @{HOME}/.gradle/ rw,
owner @{HOME}/.gradle/** mrwkix,
owner @{HOME}/ r,
owner @{HOME}/.android/ rw,
owner @{HOME}/.android/** rwkl -> @{HOME}/.android/**,
owner @{user_share_dirs}/Google/ rw,
owner @{user_share_dirs}/Google/** rw,
owner @{user_share_dirs}/kotlin/ rw,
owner @{user_share_dirs}/kotlin/** rw,
owner "@{user_share_dirs}/Android Open Source Project/" rw,
owner "@{user_share_dirs}/Android Open Source Project/**" rwk,
owner @{HOME}/.java/ rw,
owner @{HOME}/.java/fonts/ rw,
owner @{HOME}/.java/fonts/*/ rw,
owner @{HOME}/.java/fonts/*/fcinfo*.tmp rw,
owner @{HOME}/.java/fonts/*/fcinfo*.properties rw,
owner @{HOME}/.java/.userPrefs/ rw,
owner @{HOME}/.java/.userPrefs/** rwk,
owner @{HOME}/.emulator_console_auth_token rw,
deny owner @{HOME}/Desktop/* rw,
@{PROC}/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/net/if_inet6 r,
@{PROC}/@{pid}/net/ipv6_route r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/coredump_filter rw,
owner @{PROC}/@{pid}/mem r,
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/stat r,
@{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/partitions r,
@{PROC}/vmstat r,
@{PROC}/loadavg r,
@{sys}/fs/cgroup/{,**} r,
owner /tmp/** rwk,
owner /tmp/native-platform[0-9]*dir/*.so rwm,
owner @{run}/user/@{uid}/avd/ rw,
owner @{run}/user/@{uid}/avd/running/ rw,
owner @{run}/user/@{uid}/avd/running/pid_@{pid}.ini rw,
/usr/share/hwdata/pnp.ids r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/dev/kvm rw,
@{sys}/devices/virtual/block/**/rotational r,
profile gpg {
include <abstractions/base>
@{bin}/gpg{,2} mr,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
}
profile lsb-release {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/python>
signal (receive) set=(term, kill) peer=android-studio,
@{bin}/lsb_release r,
@{bin}/python3.[0-9]* r,
@{bin}/ r,
@{bin}/apt-cache rPx,
owner @{PROC}/@{pid}/fd/ r,
/etc/dpkg/origins/** r,
/etc/debian_version r,
/usr/share/distro-info/*.csv r,
owner /tmp/android-*/emulator-* w,
owner /tmp/android-*/@{uuid}/opengl_* w,
# file_inherit
owner @{HOME}/.android/avd/** r,
/dev/dri/card@{int} rw,
}
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
@{bin}/xdg-open mr,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
@{bin}/spacefm rPx,
@{bin}/smplayer rPx,
@{bin}/vlc rPx,
@{bin}/mpv rPx,
@{bin}/geany rPx,
@{bin}/viewnior rPUx,
@{bin}/qpdfview rPx,
@{bin}/ebook-viewer rPx,
@{lib}/firefox/firefox rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/android-studio>
}

119
apparmor.d/groups/apps/geany
View File

@ -1,119 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/geany
profile geany @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/enchant>
include <abstractions/nameservice-strict>
# To edit system files as root.
capability dac_read_search,
capability dac_override,
deny capability sys_nice,
network inet stream,
network inet6 stream,
@{exec_path} mr,
@{bin}/{,ba,da}sh rix,
# For the sorting feature
@{bin}/sort rix,
# When geany is run as root, it wants to exec dbus-launch, and hence it creates the two following
# root processes:
# dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr
# /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
#
# Should this be allowed? Geany works fine without this.
#@{bin}/dbus-launch rCx -> dbus,
#@{bin}/dbus-send rCx -> dbus,
deny @{bin}/dbus-launch rx,
deny @{bin}/dbus-send rx,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/usr/share/geany/{,**} r,
owner @{user_config_dirs}/geany/{,**} rw,
owner /{run/,}user/@{uid}/geany/geany_socket.@{hex} rw,
# To read/write files in the system. The read permission is granted for all files, the write
# permission only for the owner. Also, dirs like /dev/, /proc/, /sys/ are not included in
# the list.
/ r,
/boot/ r,
/boot/** r,
owner /boot/** rw,
/etc/ r,
/etc/** r,
owner /etc/** rw,
/efi/ r,
/efi/** r,
owner /efi/** rw,
/home/ r,
/home/** r,
owner /home/** rw,
/lost+found/ r,
/lost+found/** r,
owner /lost+found/** rw,
@{MOUNTS}/ r,
@{MOUNTS}/** r,
owner @{MOUNTS}/** rw,
/mnt/ r,
/mnt/** r,
owner /mnt/** rw,
/opt/ r,
/opt/** r,
owner /opt/** rw,
/root/ r,
/root/** r,
owner /root/** rw,
@{run}/ r,
@{run}/** r,
owner @{run}/** rw,
/srv/ r,
/srv/** r,
owner /srv/** rw,
/tmp/ r,
/tmp/** r,
owner /tmp/** rw,
/usr/ r,
/usr/** r,
owner /usr/** rw,
/var/ r,
/var/** r,
owner /var/** rw,
profile dbus {
include <abstractions/base>
include <abstractions/nameservice-strict>
@{bin}/dbus-launch mr,
@{bin}/dbus-send mr,
@{bin}/dbus-daemon rPUx,
# for dbus-launch
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
@{HOME}/.Xauthority r,
}
include if exists <local/geany>
}