mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-14 23:43:56 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat(profile): general update.

Browse Source
This commit is contained in:
Alexandre Pujol 2024-04-03 21:04:18 +01:00
parent 4490db45c9
commit 095254864f
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
26 changed files with 52 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
apparmor.d/abstractions/app/chromium
View File

@ -2,15 +2,19 @@
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# For chromium based browser. If your application requires chromium to run
# (like electron) use abstractions/common/chromium instead.
# This abstraction requires the following variables definied in the profile header:
# Full set of rules for all chromium based browsers. It works as a *function*
# and requires some variables to be provided as *arguments* and set in the
# header of the calling profile. Example:
#
# @{name} = chromium
# @{domain} = org.chromium.Chromium
# @{lib_dirs} = @{lib}/chromium
# @{config_dirs} = @{user_config_dirs}/chromium
# @{cache_dirs} = @{user_cache_dirs}/chromium
#
# If your application requires chromium to run use abstractions/common/chromium
# or abstractions/common/electron instead.
#
include <abstractions/audio-client>
include <abstractions/bus-session>
@ -98,7 +102,6 @@
/usr/share/@{name}/{,**} r,
/usr/share/chromium/extensions/{,**} r,
/usr/share/egl/{,**} r,
/usr/share/hwdata/pnp.ids r,
/usr/share/mozilla/extensions/{,**} r,
/usr/share/qt{5,}/translations/*.qm r,

2
apparmor.d/abstractions/base.d/complete
View File

@ -25,4 +25,6 @@
@{sys}/devices/system/cpu/possible r,
@{PROC}/sys/kernel/core_pattern r,
deny /apparmor/.null rw,

5
apparmor.d/abstractions/common/bwrap
View File

@ -17,8 +17,8 @@
network netlink raw,
mount options=(rw rbind) -> /newroot/{,**},
mount options=(rw rbind) /tmp/newroot/ -> /tmp/newroot/,
mount options=(rw rbind) /oldroot/{,**} -> /newroot/{,**},
mount options=(rw silent rprivate) -> /oldroot/,
mount options=(rw silent rslave) -> /,
mount fstype=devpts options=(rw nosuid noexec) devpts -> /newroot/dev/pts/,
@ -40,10 +40,9 @@
owner /tmp/newroot/ w,
owner /tmp/oldroot/ w,
@{PROC}/sys/kernel/overflowgid r,
@{PROC}/sys/kernel/overflowuid r,
@{PROC}/sys/user/max_user_namespaces r,
@{PROC}/sys/user/max_user_namespaces rw,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/gid_map rw,

1
apparmor.d/abstractions/common/electron
View File

@ -74,6 +74,7 @@
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/oom_score_adj rw,
owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1
owner @{PROC}/@{pid}/stat r,

2
apparmor.d/groups/_full/systemd-user
View File

@ -26,7 +26,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
network netlink raw,
signal (send) set=(term, cont, kill),
signal (receive) set=(hup) peer=@{systemd},
signal (receive) set=(hup) peer=@{p_systemd},
ptrace (read),@{p_systemd}

2
apparmor.d/groups/children/child-systemctl
View File

@ -31,7 +31,7 @@ profile child-systemctl flags=(attach_disconnected) {
dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=GetUnitFileState
peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
@{exec_path} mr,

8
apparmor.d/groups/freedesktop/xdg-document-portal
View File

@ -12,15 +12,16 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus-session>
include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
capability sys_nice,
capability sys_resource,
capability sys_admin,
capability sys_nice,
capability sys_ptrace,
capability sys_resource,
mount fstype=fuse.portal -> @{run}/user/@{uid}/doc/,
signal (receive) set=(term) peer=gdm,
ptrace (read) peer=xdg-desktop-portal,
ptrace (read),
unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount),
@ -37,6 +38,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
@{bin}/fusermount{,3} rCx -> fusermount,
/ r,
owner /.flatpak-info r,
owner @{user_share_dirs}/flatpak/db/documents r,
owner @{user_share_dirs}/Trash/files/** r,

1
apparmor.d/groups/freedesktop/xorg
View File

@ -56,7 +56,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
/var/lib/xkb/server-@{int}.xkm rw,
/var/lib/xkb/compiled/server-@{int}.xkm rw,
/usr/share/egl/{,**} rw,
/usr/share/libinput*/ r,
/usr/share/libinput*/{,**/}[0-9][0-9]-*.quirks r,
/usr/share/libinput*/libinput/ r,

2
apparmor.d/groups/gnome/gnome-control-center
View File

@ -20,6 +20,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
include <abstractions/gstreamer>
include <abstractions/nameservice-strict>
include <abstractions/p11-kit>
include <abstractions/thumbnails-cache-write>
network inet dgram,
network inet6 dgram,
@ -99,7 +100,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
owner @{user_cache_dirs}/thumbnails/{,**} rw,
owner @{user_config_dirs}/background rw,
owner @{user_config_dirs}/gnome-control-center/{,**} rw,

1
apparmor.d/groups/gnome/gnome-shell
View File

@ -211,7 +211,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/usr/share/dconf/profile/gdm r,
/usr/share/desktop-base/** r,
/usr/share/desktop-directories/{,*.directory} r,
/usr/share/egl/{,**} r,
/usr/share/gdm/BuiltInSessions/{,*.desktop} r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/gdm/greeter/applications/{,**} r,

4
apparmor.d/groups/gnome/gnome-software
View File

@ -71,6 +71,8 @@ profile gnome-software @{exec_path} {
/var/tmp/flatpak-cache-*/** rwkl,
/var/tmp/#@{int} rw,
/ r,
owner @{HOME}/.var/app/{,**} rw,
owner @{user_cache_dirs}/flatpak/{,**} rwl,
@ -92,7 +94,7 @@ profile gnome-software @{exec_path} {
owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-@{rand6} rw,
owner @{run}/user/@{uid}/.dbus-proxy/session-bus-proxy-@{rand6} rw,
owner @{run}/user/@{uid}/.flatpak-cache rw,
owner @{run}/user/@{uid}/.flatpak/{,**} rw,
owner @{run}/user/@{uid}/.flatpak/{,**} rwl,
owner @{run}/user/@{uid}/.flatpak/**/*.ref rwk,
owner @{run}/user/@{uid}/app/{,*/} rw,

2
apparmor.d/groups/gnome/gnome-tweaks
View File

@ -13,6 +13,7 @@ profile gnome-tweaks @{exec_path} {
include <abstractions/dconf-write>
include <abstractions/gnome-strict>
include <abstractions/python>
include <abstractions/thumbnails-cache-read>
@{exec_path} mr,
@ -28,7 +29,6 @@ profile gnome-tweaks @{exec_path} {
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
owner @{user_cache_dirs}/thumbnails/{,**} r,
owner @{user_config_dirs}/autostart/ rw,
owner @{user_config_dirs}/autostart/*.desktop r,
owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini* rw,

3
apparmor.d/groups/gnome/gsd-housekeeping
View File

@ -14,7 +14,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/dconf-write>
include <abstractions/thumbnails-cache-read>
include <abstractions/thumbnails-cache-write>
signal (receive) set=(term, hup) peer=gdm*,
signal (receive) set=(term, hup) peer=gnome*,
@ -38,7 +38,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
owner @{gdm_config_dirs}/dconf/user r,
owner @{gdm_share_dirs}/applications/ w,
owner @{user_cache_dirs}/thumbnails/{,**} rw,
owner @{user_share_dirs}/applications/ rw,
@{run}/mount/utab r,

1
apparmor.d/groups/gnome/tracker-miner
View File

@ -48,6 +48,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r,
/usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
/usr/share/ladspa/rdf/{,**} r,
/usr/share/poppler/{,**} r,
/usr/share/tracker3-miners/{,**} r,
/usr/share/tracker3/{,**} r,

1
apparmor.d/groups/ssh/sshd
View File

@ -77,6 +77,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
/etc/issue.net r,
/etc/legal r,
/etc/machine-id r,
/etc/motd r,
/etc/shells r,
@{etc_ro}/ssh/sshd_config r,

4
apparmor.d/groups/systemd/systemd-oomd
View File

@ -33,7 +33,9 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
@{sys}/fs/cgroup/memory.pressure r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r,
@{PROC}/pressure/{cpu,io,memory} r,
@{PROC}/pressure/cpu r,
@{PROC}/pressure/io r,
@{PROC}/pressure/memory r,
include if exists <local/systemd-oomd>
}

4
apparmor.d/groups/systemd/systemd-userdbd
View File

@ -31,7 +31,9 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted)
@{run}/systemd/userdb/{,**} rw,
@{PROC}/@{pid}/cgroup r,
@{PROC}/pressure/* r,
@{PROC}/pressure/cpu r,
@{PROC}/pressure/io r,
@{PROC}/pressure/memory r,
include if exists <local/systemd-userdbd>
}

4
apparmor.d/profiles-a-f/cups-notifier-dbus
View File

@ -17,7 +17,9 @@ profile cups-notifier-dbus @{exec_path} {
@{exec_path} mr,
/tmp/cups-dbus-notifier-lockfile rwk,
/etc/cups/client.conf r,
owner /tmp/cups-dbus-notifier-lockfile rwk,
include if exists <local/cups-notifier-dbus>
}

2
apparmor.d/profiles-a-f/evince
View File

@ -17,6 +17,7 @@ profile evince @{exec_path} {
include <abstractions/gnome-strict>
include <abstractions/ibus>
include <abstractions/nameservice-strict>
include <abstractions/thumbnails-cache-write>
include <abstractions/user-download-strict>
include <abstractions/user-read-strict>
include <abstractions/user-write-strict>
@ -46,7 +47,6 @@ profile evince @{exec_path} {
owner @{user_share_dirs}/ r,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{user_cache_dirs}/thumbnails/{,**} rw,
owner @{user_config_dirs}/evince/{,*} rw,
owner /tmp/*.pdf r,

3
apparmor.d/profiles-a-f/flatpak
View File

@ -14,7 +14,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
include <abstractions/bus/org.freedesktop.Accounts>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/gnome-strict>
include <abstractions/desktop>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
@ -86,6 +86,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
@{sys}/module/nvidia/version r,
@{PROC}/sys/fs/pipe-max-size r,
owner @{PROC}/@{pid}/fdinfo/@{int} r,
owner @{PROC}/@{pid}/stat r,
/dev/fuse rw,

6
apparmor.d/profiles-a-f/flatpak-app
View File

@ -24,7 +24,6 @@ include <tunables/global>
profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/common/app>
include <abstractions/common/bwrap>
@ -76,11 +75,12 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
/var/tmp/etilqs_@{hex} rw,
@{run}/.userns r,
owner @{run}/user/@{uid}/*.kioworker.socket r,
owner @{run}/user/@{uid}/#@{int} rwl,
owner @{run}/flatpak/{,**} rk,
owner @{run}/flatpak/app/*/*ipc* rw,
owner @{run}/flatpak/doc/** rw,
owner @{run}/ld-so-cache-dir/* rw,
owner @{run}/user/@{uid}/*.kioworker.socket r,
owner @{run}/user/@{uid}/#@{int} rwl,
include if exists <usr/flatpak-app.d>
include if exists <local/flatpak-app>

3
apparmor.d/profiles-a-f/flatpak-system-helper
View File

@ -48,7 +48,8 @@ profile flatpak-system-helper @{exec_path} {
@{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/fdinfo/@{int} r,
profile gpg {
include <abstractions/base>
include <abstractions/nameservice-strict>

5
apparmor.d/profiles-m-r/mate-notification-daemon
View File

@ -9,13 +9,10 @@ include <tunables/global>
@{exec_path} = @{lib}/mate-notification-daemon/mate-notification-daemon
profile mate-notification-daemon @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/dconf-write>
include <abstractions/freedesktop.org>
include <abstractions/desktop>
@{exec_path} mr,
owner @{HOME}/.Xauthority r,
include if exists <local/mate-notification-daemon>
}

4
apparmor.d/profiles-m-r/mpv
View File

@ -12,9 +12,8 @@ profile mpv @{exec_path} {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/consoles>
include <abstractions/desktop>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
@ -38,7 +37,6 @@ profile mpv @{exec_path} {
@{bin}/youtube-dl rPx,
@{bin}/yt-dlp rPx,
/etc/libva.conf r,
/etc/mpv/* r,
/etc/samba/smb.conf r,

1
apparmor.d/profiles-s-z/start-pulseaudio-x11
View File

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/start-pulseaudio-x11
profile start-pulseaudio-x11 @{exec_path} {
include <abstractions/base>
include <abstractions/X-strict>
@{exec_path} mr,

5
apparmor.d/profiles-s-z/wireplumber
View File

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/wireplumber
profile wireplumber @{exec_path} {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/audio-server>
include <abstractions/bus-session>
include <abstractions/bus-system>
@ -58,10 +59,12 @@ profile wireplumber @{exec_path} {
@{sys}/bus/ r,
@{sys}/bus/media/devices/ r,
@{sys}/devices/@{pci}/video4linux/video@{int}/uevent r,
@{sys}/devices/**/device:*/**/path r,
@{sys}/devices/**/sound/**/pcm_class r,
@{sys}/devices/**/sound/**/uevent r,
@{sys}/devices/@{pci}/video4linux/video@{int}/uevent r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/meminfo r,
@{sys}/devices/virtual/dmi/id/bios_vendor r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,