feat(profile): general update.
This commit is contained in:
parent
cd09dc7688
commit
06abeac2ee
33 changed files with 154 additions and 47 deletions
|
@ -34,6 +34,7 @@ profile child-open {
|
|||
@{sh_path} rix,
|
||||
@{bin}/{,m,g}awk rix,
|
||||
@{bin}/basename rix,
|
||||
@{bin}/env rix,
|
||||
@{bin}/readlink rix,
|
||||
|
||||
include if exists <usr/child-open.d>
|
||||
|
|
|
@ -25,6 +25,11 @@ profile pipewire-media-session @{exec_path} {
|
|||
|
||||
signal (receive) set=(cont term) peer=@{systemd_user},
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=GetConnectionUnixProcessID
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
|
|
|
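Review bot: The new `dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect` rule at the end of the second hunk has no `peer=` shown, so as printed any session-bus client may introspect pipewire-media-session. The rule ends without a terminating comma, so it very likely continues outside the hunk; if a `peer=(name=:*, label=...)` line follows, disregard this. Otherwise add one, as the gnome-keyring-daemon hunk in this same commit does with `peer=(name=:*, label=gnome-shell),`.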
@ -30,15 +30,15 @@ profile polkit-agent-helper @{exec_path} {
|
|||
signal (receive) set=(term, kill) peer=pkttyagent,
|
||||
signal (receive) set=(term, kill) peer=polkit-*-authentication-agent,
|
||||
|
||||
dbus (send) bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*),
|
||||
peer=(name=:*, label=polkitd),
|
||||
|
||||
dbus (send) bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
interface=org.freedesktop.PolicyKit1.Authority
|
||||
member=AuthenticationAgentResponse2
|
||||
peer=(name=:*),
|
||||
peer=(name=:*, label=polkitd),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
@ -51,7 +51,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
dbus send bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.Manager
|
||||
member=*Session
|
||||
member={*Session,CreateSessionWithPIDFD}
|
||||
peer=(name=org.freedesktop.login1, label=systemd-logind),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/Accounts/User@{uid}
|
||||
|
|
|
@ -45,6 +45,15 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
|||
member=GetActive
|
||||
peer=(name=org.gnome.Shell.ScreenShield, label=gnome-shell),
|
||||
|
||||
dbus send bus=session path=/org/gnome/Shell
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
dbus send bus=session path=/org/gnome/Shell
|
||||
interface=org.gnome.Shell.Extensions
|
||||
member=ListExtensions
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/ r,
|
||||
|
|
|
@ -11,9 +11,9 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/base>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/bus-accessibility>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/dbus-session>
|
||||
include <abstractions/dbus>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/graphics>
|
||||
|
@ -32,6 +32,10 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon),
|
||||
|
||||
dbus bus=accessibility,
|
||||
dbus bus=session,
|
||||
dbus bus=system,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/@{shells} rUx,
|
||||
|
|
|
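Review bot: The three bare rules `dbus bus=accessibility,`, `dbus bus=session,` and `dbus bus=system,` in the second hunk grant every D-Bus permission (send, receive, bind, eavesdrop) to every path, interface and peer on each bus; the system-bus one in particular lets the settings panel call any method of any privileged service. The rendered hunk does not say which of its 4 additions these are, but they sit where the first hunk drops `<abstractions/dbus-session>` and `<abstractions/dbus>`, so they read as the replacement. If scoping them per interface is not feasible yet, a `# TODO: scope dbus rules` comment above the three lines would record that the width is provisional rather than intended.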
@ -16,6 +16,7 @@ profile gnome-extension-ding @{exec_path} {
|
|||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/bus/org.freedesktop.FileManager1>
|
||||
include <abstractions/bus/org.freedesktop.Notifications>
|
||||
include <abstractions/bus/org.gnome.ArchiveManager1>
|
||||
include <abstractions/bus/org.gnome.Nautilus.FileOperations2>
|
||||
include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
|
||||
include <abstractions/bus/org.gtk.vfs.Daemon>
|
||||
|
@ -29,17 +30,13 @@ profile gnome-extension-ding @{exec_path} {
|
|||
|
||||
unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
|
||||
|
||||
# dbus: own bus=session name=com.rastersoft.ding
|
||||
# dbus: own bus=session name=com.rastersoft.ding interface={org.freedesktop.DBus.Properties,org.gtk.Actions}
|
||||
# dbus: talk bus=session name=com.rastersoft.dingextension label=gnome-shell
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
dbus send bus=session path=/org/gnome/Nautilus/FileOperations2
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=nautilus),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus*
|
||||
|
@ -48,6 +45,11 @@ profile gnome-extension-ding @{exec_path} {
|
|||
interface=org.freedesktop.DBus*
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=session path=/org/gtk/vfs/metadata
|
||||
interface=org.gtk.vfs.Metadata
|
||||
member=Set
|
||||
peer=(name=:*, label=gvfsd-metadata),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{sh_path} rix,
|
||||
|
|
|
@ -9,15 +9,20 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/gnome-initial-setup
|
||||
profile gnome-initial-setup @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus-accessibility>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
# dbus: own bus=session name=org.gnome.InitialSetup
|
||||
# dbus: own bus=session name=org.gnome.InitialSetup interface={org.freedesktop.DBus.Properties,org.gtk.Actions}
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
@ -35,6 +40,9 @@ profile gnome-initial-setup @{exec_path} {
|
|||
|
||||
/var/lib/gdm{,3}/greeter-dconf-defaults r,
|
||||
|
||||
@{run}/systemd/sessions/@{int} r,
|
||||
owner @{run}/systemd/users/@{uid} r,
|
||||
|
||||
owner @{user_config_dirs}/ibus/bus/ r,
|
||||
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
|
||||
|
||||
|
|
|
@ -14,7 +14,6 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.freedesktop.login1.Session>
|
||||
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
||||
include <abstractions/bus/org.freedesktop.secrets>
|
||||
include <abstractions/bus/org.gnome.SessionManager>
|
||||
include <abstractions/openssl>
|
||||
|
||||
|
@ -25,13 +24,18 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
signal (send) set=(term) peer=ssh-agent,
|
||||
|
||||
# dbus: own bus=session name=org.gnome.keyring
|
||||
# dbus: own bus=session name=org.freedesktop.secrets
|
||||
# dbus: own bus=session name=org.freedesktop.{S,s}ecret{,s}
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.Manager
|
||||
member=GetSession
|
||||
peer=(name=org.freedesktop.login1, label=systemd-logind),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/ssh-add rix,
|
||||
|
|
|
@ -49,7 +49,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
dbus send bus=session path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd1.Manager
|
||||
peer=(name=org.freedesktop.systemd1, label=@{systemd}),
|
||||
peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
@ -12,6 +12,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/bus-session>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability sys_ptrace,
|
||||
|
@ -24,9 +25,14 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
signal (send) set=(kill term cont stop),
|
||||
|
||||
# dbus: own bus=session name=org.gnome.SystemMonitor
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/lsblk rPx,
|
||||
@{bin}/pkexec rPx,
|
||||
@{bin}/sed rix,
|
||||
@{sh_path} rix,
|
||||
|
||||
/usr/share/gnome-system-monitor/{,**} r,
|
||||
/usr/share/firefox-esr/browser/chrome/icons/default/*.png r,
|
||||
|
@ -64,6 +70,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
|
|||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/@{pids}/statm r,
|
||||
@{PROC}/@{pids}/wchan r,
|
||||
@{PROC}/diskstats r,
|
||||
@{PROC}/vmstat r,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
|
|
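Review bot: `@{sh_path} rix,` and `@{bin}/sed rix,` in the second hunk run the shell and sed under the gnome-system-monitor profile, which also holds `capability sys_ptrace` (first hunk) and an unscoped `signal (send) set=(kill term cont stop),`, so anything the shell launches inherits both. If the shell is only needed for one helper, transitioning it to a dedicated child profile — the `rPx -> child-pager` pattern used in the busctl hunk of this commit — would keep the ptrace and signal rights out of it. `@{bin}/pkexec rPx,` crosses a privilege boundary and would benefit from a comment naming the action it performs; I am inferring from the tool that it is the kill-as-root path, so verify.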
@ -34,7 +34,7 @@ profile gnome-terminal-server @{exec_path} {
|
|||
dbus send bus=session path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd1.Manager
|
||||
member=StartTransientUnit
|
||||
peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
|
||||
peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
@ -13,7 +13,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/bus/org.freedesktop.ColorManager>
|
||||
include <abstractions/bus/org.gnome.Mutter.DisplayConfig>
|
||||
include <abstractions/bus/org.gnome.SessionManager>
|
||||
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
||||
|
@ -27,6 +26,8 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
# dbus: own bus=session name=org.gnome.SettingsDaemon.Color
|
||||
|
||||
# dbus: talk bus=system name=org.freedesktop.ColorManager label=colord
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
|
|
|
@ -39,6 +39,11 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/gdm{3,}/.config/dconf/user r,
|
||||
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||
|
||||
@{run}/systemd/sessions/@{int} r,
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
|
||||
@{PROC}/@{pid}/cgroup r,
|
||||
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/gsd-sharing>
|
||||
|
|
|
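Review bot: `owner /dev/tty@{int} rw,` gives the sharing daemon read and write access to virtual-console devices, which is unusual for a D-Bus settings daemon and broader than the read-only logind lookups (`@{run}/systemd/sessions/@{int} r,`, `@{run}/systemd/users/@{uid} r,`) added next to it. The rendered hunk does not show which of its 5 additions this is, so it may predate the commit; if it is new, a comment saying what writes to the tty, or a downgrade to `r`, is warranted. Separately, `@{run}/systemd/users/@{uid} r,` lacks `owner` while the gnome-initial-setup hunk in this commit has `owner @{run}/systemd/users/@{uid} r,`; aligning the two would be consistent.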
@ -26,6 +26,9 @@ profile mutter-x11-frames @{exec_path} {
|
|||
|
||||
/var/lib/gdm{3,}/.config/dconf/user r,
|
||||
/var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
|
||||
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||
|
||||
@{sys}/devices/@{pci}/boot_vga r,
|
||||
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
|
||||
|
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/{,gvfs/}gvfsd-http
|
||||
profile gvfsd-http @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
@ -22,6 +23,21 @@ profile gvfsd-http @{exec_path} {
|
|||
network inet6 dgram,
|
||||
network netlink raw,
|
||||
|
||||
# dbus: own bus=session name=org.gtk.vfs.mountpoint_http
|
||||
|
||||
dbus receive bus=session path=/org/gtk/vfs/mountable
|
||||
interface=org.gtk.vfs.Mountable
|
||||
member=Mount
|
||||
peer=(name=:*, label=gvfsd),
|
||||
dbus send bus=session path=/org/gtk/gvfs/exec_spaw/0
|
||||
interface=org.gtk.vfs.Spawner
|
||||
member=Spawned
|
||||
peer=(name=:*, label=gvfsd),
|
||||
dbus send bus=session path=/org/gtk/vfs/mounttracker
|
||||
interface=org.gtk.vfs.MountTracker
|
||||
member=RegisterMount
|
||||
peer=(name=:*, label=gvfsd),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
|
||||
|
|
|
@ -14,6 +14,7 @@ profile ssh-agent-launch @{exec_path} {
|
|||
|
||||
@{bin}/{,z,ba,da}sh rix,
|
||||
@{bin}/dbus-update-activation-environment rCx -> dbus,
|
||||
@{bin}/getopt rix,
|
||||
@{bin}/grep rix,
|
||||
@{bin}/ssh-agent rPx,
|
||||
|
||||
|
|
|
@ -9,6 +9,9 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/busctl
|
||||
profile busctl @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/systemd-common>
|
||||
|
||||
|
@ -19,15 +22,25 @@ profile busctl @{exec_path} {
|
|||
|
||||
unix (bind) type=stream addr=@@{hex}/bus/busctl/busctl,
|
||||
|
||||
dbus eavesdrop bus=session,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus.Monitoring
|
||||
member=BecomeMonitor
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/less rPx -> child-pager,
|
||||
@{bin}/more rPx -> child-pager,
|
||||
@{bin}/pager rPx -> child-pager,
|
||||
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/@{pids}/comm r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/comm r,
|
||||
owner @{PROC}/@{pid}/loginuid r,
|
||||
owner @{PROC}/@{pid}/sessionid r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
|
||||
include if exists <local/busctl>
|
||||
}
|
|
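Review bot: `include <abstractions/bus-session>` appears twice in the first hunk; the header (6 old, 9 new, 9 lines shown) implies no deletions, so both copies are on the new side and one is redundant — drop the second. In the second hunk, `dbus eavesdrop bus=session,` together with the `BecomeMonitor` send on the system bus lets the tool observe all traffic on both buses; that is what the monitor subcommand needs, but a comment such as `# busctl monitor` above the eavesdrop rule would record that the width is deliberate.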
@ -19,6 +19,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{run}/cloud-init/ds-identify.log w,
|
||||
@{run}/host/container-manager r,
|
||||
@{run}/systemd/notify w,
|
||||
|
||||
|
|
|
@ -19,7 +19,8 @@ profile systemd-generator-cloud-init @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/systemd-detect-virt rPx,
|
||||
@{lib}/cloud-init/ds-identify rPUx,
|
||||
|
||||
@{run}/cloud-init/cloud-init-generator.log rw,
|
||||
@{run}/cloud-init/ w,
|
||||
@{run}/cloud-init/cloud-init-generator.* rw,
|
||||
@{run}/cloud-init/disabled w,
|
||||
|
||||
@{PROC}/cmdline r,
|
||||
|
|
|
@ -20,7 +20,10 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/tr rix,
|
||||
@{bin}/uname rix,
|
||||
|
||||
@{run}/cloud-init/.ds-identify.result r,
|
||||
@{run}/cloud-init/{,.}ds-identify.* rw,
|
||||
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/uptime r,
|
||||
|
||||
include if exists <local/systemd-generator-ds-identify>
|
||||
}
|
||||
|
|
|
@ -19,6 +19,7 @@ profile systemd-journald @{exec_path} {
|
|||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
capability fowner,
|
||||
capability kill,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
capability sys_admin,
|
||||
|
|
|
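Review bot: One of the seven `capability` lines in this hunk is new (the header shows 1 addition and 0 deletions) and none of them carries a comment, so a later audit cannot tell which journald operation each capability serves. A one-line comment of the form `# <operation that needs it>` above the new line would help, especially if the new one is `capability sys_admin,`, which is the broadest of the set. The rendered page does not reveal which line was added.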
@ -59,6 +59,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
|
|||
/ r,
|
||||
/boot/{,**} r,
|
||||
/efi/{,**} r,
|
||||
/swap.img r,
|
||||
/swap/swapfile r,
|
||||
/swapfile r,
|
||||
|
||||
|
|
|
@ -10,10 +10,13 @@ include <tunables/global>
|
|||
profile apport @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/apt-common>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus/org.gnome.SessionManager>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/python>
|
||||
|
||||
capability dac_read_search,
|
||||
capability fsetid,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
|
@ -21,21 +24,32 @@ profile apport @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
ptrace (read) peer=gnome-shell,
|
||||
ptrace (read) peer=snap.cups.cupsd,
|
||||
ptrace (read) peer=tracker-extract,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/apport/ r,
|
||||
@{bin}/dpkg rPx,
|
||||
@{bin}/gdbus rix,
|
||||
|
||||
/usr/share/apport/{,**} r,
|
||||
|
||||
/etc/apport/report-ignore/{,**} r,
|
||||
|
||||
/var/crash/ rw,
|
||||
/var/crash/*.@{uid}.crash rw,
|
||||
owner /var/log/apport.log rw,
|
||||
|
||||
@{run}/apport.lock rwk,
|
||||
|
||||
@{PROC}/@{pid}/stat r,
|
||||
@{PROC}/sys/fs/suid_dumpable w,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/core_pattern w,
|
||||
@{PROC}/sys/kernel/core_pipe_limit w,
|
||||
@{PROC}/@{pid}/environ r,
|
||||
@{PROC}/@{pid}/stat r,
|
||||
@{PROC}/sys/fs/suid_dumpable w,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/core_pattern w,
|
||||
@{PROC}/sys/kernel/core_pipe_limit w,
|
||||
owner @{PROC}/@{pid}/attr/current r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
include if exists <local/apport>
|
||||
}
|
|
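Review bot: `@{PROC}/@{pid}/environ r,` in the second hunk has no `owner` qualifier, so apport may read the environment of any process on the system; environments routinely carry tokens and credentials, and the same hunk guards `attr/current`, `cmdline` and `fd/` with `owner`. apport runs as root from the core_pattern pipe and the crashing process is usually another user's, so `owner` may not be workable here — if that is the reason, a comment above the rule saying so would stop the next reader from tightening it. Which of the hunk's 11 additions are new cannot be read from the rendered page, so this rule may predate the commit.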
@ -14,13 +14,11 @@ profile apport-gtk @{exec_path} {
|
|||
include <abstractions/bus-session>
|
||||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/python>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/wayland>
|
||||
|
||||
capability fowner,
|
||||
capability sys_ptrace,
|
||||
|
|
|
@ -22,17 +22,24 @@ profile update-notifier @{exec_path} {
|
|||
include <abstractions/openssl>
|
||||
include <abstractions/python>
|
||||
|
||||
# dbus: talk bus=system name=org.debian.apt label=apt
|
||||
unix (bind) type=stream addr=@@{hex}/bus/systemd/bus-api-user,
|
||||
|
||||
# dbus receive bus=session path=/org/ayatana/NotificationItem{,/**}
|
||||
# interface={com.canonical.dbusmenu,org.freedesktop.DBus.Properties}
|
||||
# peer=(name=:*, label=gnome-shell),
|
||||
# dbus: talk bus=system name=org.debian.apt label=apt
|
||||
|
||||
dbus receive bus=session path=/org/ayatana/NotificationItem/software_update_available
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={Get,GetAll}
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus receive bus=session path=/org/ayatana/NotificationItem/livepatch{,/Menu}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
dbus receive bus=session path=/org/ayatana/NotificationItem/livepatch/Menu
|
||||
interface=com.canonical.dbusmenu
|
||||
member={AboutToShow,GetGroupProperties,GetLayout}
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{sh_path} rix,
|
||||
|
|
|
@ -11,6 +11,8 @@ profile anacron @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
signal (receive) set=(usr1) peer=@{systemd},
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{sh_path} rix,
|
||||
|
|
|
@ -12,6 +12,7 @@ profile file-roller @{exec_path} {
|
|||
include <abstractions/bus-accessibility>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
@ -17,13 +17,12 @@ profile obexd @{exec_path} {
|
|||
network bluetooth stream,
|
||||
network bluetooth seqpacket,
|
||||
|
||||
# dbus: own bus=system name=org.bluez.obex
|
||||
# dbus: own bus=session name=org.bluez.obex
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/obexd/ rw,
|
||||
owner @{user_cache_dirs}/obexd/* rw,
|
||||
owner @{user_cache_dirs}/obexd/{,**} rw,
|
||||
|
||||
owner @{HOME}/bluetooth/* rw,
|
||||
|
||||
|
|
|
@ -19,6 +19,7 @@ profile snap @{exec_path} {
|
|||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability dac_read_search,
|
||||
capability setuid,
|
||||
capability sys_admin,
|
||||
|
||||
unix (send, receive) type=stream peer=(label=apt),
|
||||
|
@ -28,12 +29,12 @@ profile snap @{exec_path} {
|
|||
dbus send bus=session path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd1.Manager
|
||||
member=StartTransientUnit
|
||||
peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
|
||||
peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd1.Manager
|
||||
member=JobRemoved
|
||||
peer=(name=:*, label="@{systemd}"),
|
||||
peer=(name=:*, label="@{systemd_user}"),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/portal/documents
|
||||
interface=org.freedesktop.portal.Documents
|
||||
|
@ -47,9 +48,6 @@ profile snap @{exec_path} {
|
|||
@{bin}/gpg{,2} rCx -> gpg,
|
||||
@{bin}/systemctl rPx -> child-systemctl,
|
||||
|
||||
/snap/{,**} rw,
|
||||
@{lib}/snapd/snap-confine rPx -> /usr/lib/snapd/snap-confine,
|
||||
|
||||
@{lib_dirs}/snapd/snap-confine rPx,
|
||||
@{lib_dirs}/snapd/snap-seccomp rPx,
|
||||
@{lib_dirs}/snapd/snapd rPx,
|
||||
|
@ -60,6 +58,7 @@ profile snap @{exec_path} {
|
|||
/var/cache/snapd/commands.db rwk,
|
||||
/var/cache/snapd/names r,
|
||||
|
||||
/snap/{,**} rw,
|
||||
@{HOME}/snap/{,**} rw,
|
||||
|
||||
owner /tmp/snapd-auto-import-mount-@{int}/ rw,
|
||||
|
|
|
@ -17,6 +17,7 @@ profile snapd-apparmor @{exec_path} {
|
|||
@{bin}/systemd-detect-virt rPx,
|
||||
@{bin}/apparmor_parser rPx,
|
||||
|
||||
@{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser,
|
||||
@{lib_dirs}/snapd/info r,
|
||||
|
||||
/var/lib/snapd/apparmor/profiles/ r,
|
||||
|
|
|
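Review bot: `@{bin}/apparmor_parser rPx,` is placed after `@{bin}/systemd-detect-virt rPx,`, breaking the alphabetical order the other exec blocks in this commit keep (busctl, gnome-system-monitor); move it above. It also reads differently from `@{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser,` two lines below: that rule names its target because the snapd-bundled path is presumably not the apparmor_parser profile's attachment, so the plain `rPx` on `@{bin}/apparmor_parser` is probably correct, but spelling it `rPx -> apparmor_parser` as well would make the two rules self-evidently consistent.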
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{name} = thunderbird{,-bin}
|
||||
@{name} = thunderbird{,.sh,-bin}
|
||||
@{lib_dirs} = @{lib}/@{name}
|
||||
@{config_dirs} = @{HOME}/.@{name}/
|
||||
@{cache_dirs} = @{user_cache_dirs}/@{name}/
|
||||
|
@ -59,7 +59,8 @@ profile thunderbird @{exec_path} {
|
|||
|
||||
@{exec_path} mrix,
|
||||
|
||||
@{sh_path} rix,
|
||||
@{sh_path} rix,
|
||||
@{bin}/which.debianutils rix,
|
||||
|
||||
@{lib_dirs}/{,**} r,
|
||||
@{lib_dirs}/*.so mr,
|
||||
|
|
|
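Review bot: `@{sh_path} rix,` appears twice in the second hunk; the header (7 old, 8 new, 9 lines shown) means nothing was removed, so the new side carries the rule twice — drop one. In the first hunk, widening `@{name}` to `thunderbird{,.sh,-bin}` also widens every variable derived from it: `@{lib_dirs} = @{lib}/@{name}`, `@{config_dirs} = @{HOME}/.@{name}/` and `@{cache_dirs}` now match `thunderbird.sh` paths too, which is harmless but worth knowing if the change was only meant for the exec path.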
@ -15,7 +15,6 @@ man
|
|||
|
||||
# Work in progress profiles
|
||||
plasma-discover
|
||||
snap
|
||||
steam
|
||||
steam-fossilize
|
||||
steam-game
|
||||
|
|