mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-18 17:08:09 +01:00
feat(profile): cleanup some rules already included in abs.
parent
b15aaae553
commit
0c5e71f971
36 changed files with 20 additions and 72 deletions
|
@ -19,8 +19,6 @@
|
|||
|
||||
@{lib}/sudo/** mr,
|
||||
|
||||
@{bin}/unix_chkpwd rPx,
|
||||
|
||||
@{etc_ro}/environment r,
|
||||
@{etc_ro}/security/limits.d/{,*} r,
|
||||
/etc/sudo.conf r,
|
||||
|
@ -34,7 +32,6 @@
|
|||
@{PROC}/@{pid}/stat r,
|
||||
@{PROC}/sys/kernel/cap_last_cap r,
|
||||
@{PROC}/sys/kernel/ngroups_max r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
@{PROC}/sys/kernel/seccomp/actions_avail r,
|
||||
|
||||
/dev/ r, # interactive login
|
||||
|
|
|
@ -60,11 +60,8 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
|
|||
@{bin}/wireplumber rPx -> systemd-user//&wireplumber,
|
||||
|
||||
/usr/ r,
|
||||
/usr/share/dbus-1/{,**} r,
|
||||
/usr/share/defaults/**.conf r,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
/etc/systemd/user.conf r,
|
||||
/etc/systemd/user.conf.d/{,**} r,
|
||||
/etc/systemd/user/{,**} r,
|
||||
|
|
|
@ -43,7 +43,6 @@ profile akonadi_archivemail_agent @{exec_path} {
|
|||
owner @{user_share_dirs}/akonadi/file_db_data/{,**} r,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
/dev/tty r,
|
||||
|
||||
|
|
|
@ -46,7 +46,6 @@ profile akonadi_indexing_agent @{exec_path} {
|
|||
owner @{user_share_dirs}/akonadi/** rwlk -> @{user_share_dirs}/akonadi/**,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
/dev/tty r,
|
||||
|
||||
|
|
|
@ -57,7 +57,6 @@ profile akonadi_mailfilter_agent @{exec_path} {
|
|||
owner @{user_share_dirs}/akonadi/file_db_data/{,**} rw,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
/dev/tty r,
|
||||
|
||||
|
|
|
@ -9,23 +9,16 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/akonadi_newmailnotifier_agent
|
||||
profile akonadi_newmailnotifier_agent @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/kde-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/akonadi/plugins/serializer/{,*.desktop} r,
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/knotifications{5,6}/akonadi_newmailnotifier_agent.notifyrc r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/xdg/kdeglobals r,
|
||||
/etc/xdg/kwinrc r,
|
||||
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
|
||||
|
@ -36,15 +29,11 @@ profile akonadi_newmailnotifier_agent @{exec_path} {
|
|||
owner @{user_config_dirs}/emaildefaults r,
|
||||
owner @{user_config_dirs}/emailidentities.lock rwk,
|
||||
owner @{user_config_dirs}/emailidentities* rwl,
|
||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
||||
owner @{user_config_dirs}/kdedefaults/kwinrc r,
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/kmail2rc r,
|
||||
owner @{user_config_dirs}/kwinrc r,
|
||||
owner @{user_config_dirs}/specialmailcollectionsrc r,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
/dev/tty r,
|
||||
|
||||
|
|
|
@ -42,8 +42,6 @@ profile polkit-agent-helper @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/unix_chkpwd rPx,
|
||||
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
@{run}/faillock/[a-zA-z0-9]* rwk,
|
||||
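Review bot: The faillock rule kept at the end of this hunk, `@{run}/faillock/[a-zA-z0-9]* rwk,`, has a typo in its character class. The range `A-z` also matches the ASCII punctuation between `Z` and `a` (`[`, `\`, `]`, `^`, `_` and the backtick), so the rule covers more file names than the alphanumeric user names it was presumably meant for. The line looks like unchanged context rather than something this commit introduced, but since the profile is being tidied it should become `@{run}/faillock/[a-zA-Z0-9]* rwk,`. The profile body starts and ends outside the hunk.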
|
|
|
@ -60,7 +60,6 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
|||
@{exec_path} mrix,
|
||||
|
||||
@{bin}/gnome-keyring-daemon rPx,
|
||||
@{bin}/unix_chkpwd rPx,
|
||||
@{etc_ro}/X11/xdm/Xstartup rPUx,
|
||||
@{lib}/{,gdm/}gdm-{x,wayland}-session rPx -> gdm-session,
|
||||
/etc/gdm{3,}/{Pre,Post}Session/Default rix,
|
||||
|
|
|
@ -10,23 +10,18 @@ include <tunables/global>
|
|||
profile gnome-disk-image-mounter @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/X-strict>
|
||||
include <abstractions/gnome-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
|
||||
# Allow to mount user files
|
||||
owner @{HOME}/{,**} r,
|
||||
owner @{MOUNTS}/{,**} r,
|
||||
owner /tmp/*/{,**} r,
|
||||
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
include if exists <local/gnome-disk-image-mounter>
|
||||
}
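Review bot: `owner @{HOME}/{,**} r,` under the "Allow to mount user files" comment lets the image mounter read every file the user owns in the home directory, including SSH and GPG key material, and this cleanup leaves it as is. If the project's policy permits deny rules, adding `include <abstractions/private-files-strict>` (the upstream AppArmor abstraction) would keep disk images readable while excluding the well-known secret stores. Otherwise, extend the comment to say the breadth is deliberate, e.g. `# Disk images can live anywhere under HOME, so the whole tree is readable`. The contents of `<abstractions/gnome-strict>`, which appears to replace five includes here, are not visible on this page, so its coverage of the dropped rules should be checked against the abstraction itself.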
|
|
@ -101,7 +101,6 @@ profile gnome-software @{exec_path} {
|
|||
|
||||
@{PROC}/@{pids}/mounts r,
|
||||
@{PROC}/sys/fs/pipe-max-size r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/fdinfo/@{int} r,
|
||||
|
|
|
@ -41,7 +41,6 @@ profile baloo @{exec_path} {
|
|||
owner @{user_share_dirs}/baloo/{,**} rwk,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
|
|
|
@ -87,7 +87,6 @@ profile dolphin @{exec_path} {
|
|||
owner @{run}/user/@{uid}/#@{int} rw,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
|
|
|
@ -24,7 +24,5 @@ profile gmenudbusmenuproxy @{exec_path} {
|
|||
owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.@{rand6}} rwl,
|
||||
owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock rwk,
|
||||
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
include if exists <local/gmenudbusmenuproxy>
|
||||
}
|
|
@ -38,7 +38,6 @@ profile kactivitymanagerd @{exec_path} {
|
|||
owner @{user_share_dirs}/recently-used.xbel r,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
/dev/tty r,
|
||||
|
||||
|
|
|
@ -65,7 +65,6 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
|
|||
@{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pid}/mounts r,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
/dev/tty rw,
|
||||
/dev/rfkill r,
|
||||
|
|
|
@ -154,7 +154,6 @@ profile kded @{exec_path} {
|
|||
@{PROC}/@{pids}/fd/info/@{int} r,
|
||||
@{PROC}/sys/fs/inotify/max_user_{instances,watches} r,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
|
|
|
@ -17,7 +17,6 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/mesa>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/qt5-shader-cache>
|
||||
include <abstractions/qt5>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
@ -60,7 +59,6 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
include if exists <local/ksmserver-logout-greeter>
|
||||
}
|
||||
|
|
|
@ -46,7 +46,6 @@ profile kwalletmanager @{exec_path} {
|
|||
@{PROC}/@{pid}/mountinfo r,
|
||||
@{PROC}/@{pid}/mounts r,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
|
||||
/dev/shm/ r,
|
||||
|
|
|
@ -73,7 +73,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
|||
owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc rw,
|
||||
owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/kwin/qmlcache/#@{int},
|
||||
owner @{user_cache_dirs}/kwin/qmlcache/#@{int} rw,
|
||||
owner @{user_cache_dirs}/plasma_theme_default_v*.kcache rw,
|
||||
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},
|
||||
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
|
||||
|
@ -118,7 +118,6 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
|||
|
||||
@{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
/dev/input/event@{int} rw,
|
||||
/dev/tty r,
|
||||
|
|
|
@ -41,8 +41,9 @@ profile kwin_x11 @{exec_path} {
|
|||
owner @{user_cache_dirs}/kwin/{,**} rwl,
|
||||
owner @{user_cache_dirs}/plasmarc r,
|
||||
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},
|
||||
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
|
||||
owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwl,
|
||||
owner @{user_cache_dirs}/session/#@{int} rw,
|
||||
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
|
|
|
@ -99,7 +99,6 @@ profile plasma-discover @{exec_path} {
|
|||
owner @{run}/user/@{uid}/discover@{rand6}.* rwl -> @{run}/user/@{uid}/#@{int},
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
/dev/tty r,
|
||||
|
|
|
@ -108,12 +108,15 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
owner @{user_cache_dirs}/bookmarksrunner/** rwkl -> @{user_cache_dirs}/bookmarksrunner/#@{int},
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_cache_dirs}/kcrash-metadata/plasmashell.*.ini w,
|
||||
owner @{user_cache_dirs}/ksvg-elements* rwlk -> @{user_cache_dirs}/#@{int},
|
||||
owner @{user_cache_dirs}/ksvg-elements rw,
|
||||
owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int},
|
||||
owner @{user_cache_dirs}/ksvg-elements.lock rwlk,
|
||||
owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int},
|
||||
owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw,
|
||||
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},
|
||||
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
|
||||
owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwlk -> @{user_cache_dirs}/#@{int},
|
||||
owner @{user_cache_dirs}/plasmashell/ rw,
|
||||
owner @{user_cache_dirs}/plasmashell/** rwkl -> @{user_cache_dirs}/plasmashell/**,
|
||||
owner @{user_cache_dirs}/org.kde.*/ rw,
|
||||
|
@ -191,7 +194,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
@{PROC}/diskstats r,
|
||||
@{PROC}/loadavg r,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
@{PROC}/uptime r,
|
||||
@{PROC}/vmstat r,
|
||||
owner @{PROC}/@{pid}/{cgroup,cmdline,stat,statm} r,
|
||||
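Review bot: In the first hunk of this section the split-out lock rule `owner @{user_cache_dirs}/ksvg-elements.lock rwlk,` still carries the `l` permission with no link target. The parallel `plasma-svgelements.lock` rule a few lines below, and the same rule in the kwin_wayland, kwin_x11 and sddm-greeter sections, is `rwk`. The `l` looks like a leftover from the old `ksvg-elements* rwlk -> …` glob; only the `.@{rand6}` temp file should need to be linked into place. Unless a denial log shows hard links onto the lock path, `owner @{user_cache_dirs}/ksvg-elements.lock rwk,` is the tighter rule.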
|
|
|
@ -38,7 +38,6 @@ profile sddm-greeter @{exec_path} {
|
|||
/usr/share/hunspell/** r,
|
||||
|
||||
/etc/fstab r,
|
||||
/etc/machine-id r,
|
||||
/etc/sddm.conf r,
|
||||
/etc/sddm.conf.d/{,*} r,
|
||||
/etc/xdg/plasmarc r,
|
||||
|
@ -53,7 +52,9 @@ profile sddm-greeter @{exec_path} {
|
|||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements-* rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
|
||||
owner @{user_cache_dirs}/sddm-greeter/{,**} rwl,
|
||||
|
||||
owner @{user_config_dirs}/plasmarc r,
|
||||
|
@ -68,9 +69,9 @@ profile sddm-greeter @{exec_path} {
|
|||
|
||||
owner @{run}/sddm/{,*} rw,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
||||
include if exists <local/sddm-greeter>
|
||||
}
|
||||
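Review bot: In the second hunk the temp-file rule `owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rw,` has no `l` permission, whereas the same path in the kwin_wayland, kwin_x11 and plasmashell sections is `rwl -> @{user_cache_dirs}/#@{int}`. If the greeter saves the cache the same way (an anonymous `#@{int}` file linked to its final name, which is inferred from the other profiles and not visible here), the link would be denied and the cache never written. Either mirror the other profiles with `owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},` or add a comment saying why the greeter differs. The old glob `plasma-svgelements-*`, which the three new rules appear to replace, matched hyphen-suffixed names that none of them cover, so confirm such files are no longer produced.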
|
|
|
@ -66,7 +66,6 @@ profile startplasma @{exec_path} {
|
|||
owner @{run}/user/@{uid}/ r,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
/dev/tty r,
|
||||
/dev/tty@{int} rw,
|
||||
|
|
|
@ -16,7 +16,5 @@ profile systemd-homework @{exec_path} {
|
|||
|
||||
/etc/machine-id r,
|
||||
|
||||
@{run}/systemd/userdb/ r,
|
||||
|
||||
include if exists <local/systemd-homework>
|
||||
}
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile systemd-machined @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/systemd-common>
|
||||
|
||||
capability chown,
|
||||
|
@ -40,7 +41,6 @@ profile systemd-machined @{exec_path} {
|
|||
/etc/machine-id r,
|
||||
|
||||
@{run}/systemd/machines/{,**} rw,
|
||||
@{run}/systemd/userdb/io.systemd.Machine rw,
|
||||
@{run}/systemd/notify w,
|
||||
|
||||
@{PROC}/@{pid}/cgroup r,
|
||||
|
|
|
@ -21,7 +21,5 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/machine-id r,
|
||||
/etc/shadow r,
|
||||
|
||||
@{run}/systemd/userdb/ r,
|
||||
|
||||
include if exists <local/systemd-userwork>
|
||||
}
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile aa-log @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability dac_read_search,
|
||||
|
||||
|
@ -18,8 +19,6 @@ profile aa-log @{exec_path} {
|
|||
@{bin}/journalctl rix,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/nsswitch.conf r,
|
||||
/etc/passwd r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
/var/log/audit/* r,
|
||||
|
@ -30,7 +29,6 @@ profile aa-log @{exec_path} {
|
|||
|
||||
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
@{PROC}/sys/kernel/cap_last_cap r,
|
||||
|
||||
/dev/tty@{int} rw,
|
||||
|
|
|
@ -109,7 +109,6 @@ profile qbittorrent @{exec_path} {
|
|||
owner /tmp/qtsingleapp-qBitto-*-lockfile rwk,
|
||||
owner /tmp/tmp* rw,
|
||||
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
owner @{PROC}/@{pids}/cmdline r,
|
||||
owner @{PROC}/@{pids}/comm r,
|
||||
owner @{PROC}/@{pids}/fd/ r,
|
||||
|
|
|
@ -43,7 +43,6 @@ profile YACReader @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
|
||||
/dev/shm/ r,
|
||||
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
|
|
|
@ -43,7 +43,6 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted
|
|||
|
||||
owner /tmp/@{uuid} w,
|
||||
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
|
||||
include if exists <local/YACReaderLibrary>
|
||||
|
|
|
@ -80,7 +80,6 @@ profile snap @{exec_path} {
|
|||
@{PROC}/@{pids}/mountinfo r,
|
||||
@{PROC}/cgroups r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
@{PROC}/sys/kernel/random/uuid r,
|
||||
@{PROC}/sys/kernel/seccomp/actions_avail r,
|
||||
@{PROC}/version r,
|
||||
|
|
|
@ -169,7 +169,6 @@ profile snapd @{exec_path} {
|
|||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/cgroups r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
@{PROC}/sys/kernel/seccomp/actions_avail r,
|
||||
@{PROC}/version r,
|
||||
owner @{PROC}/@{pids}/cmdline r,
|
||||
|
|
|
@ -16,12 +16,12 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{run}/spice-vdagentd/spice-vdagent-sock r,
|
||||
owner @{run}/spice-vdagentd/spice-vdagentd.pid rw,
|
||||
@{run}/systemd/journal/dev-log w,
|
||||
@{run}/systemd/seats/seat@{int} r,
|
||||
@{run}/systemd/sessions/* r,
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
owner @{run}/spice-vdagentd/spice-vdagent-sock r,
|
||||
owner @{run}/spice-vdagentd/spice-vdagentd.pid rw,
|
||||
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
|
||||
|
|
|
@ -25,7 +25,5 @@ profile swtpm_setup @{exec_path} {
|
|||
owner /tmp/swtpm_setup.certs.*/*.cert rw,
|
||||
owner /tmp/.swtpm_setup.pidfile* rw,
|
||||
|
||||
@{run}/systemd/userdb/ r,
|
||||
|
||||
include if exists <local/swtpm_setup>
|
||||
}
|
|
@ -111,7 +111,6 @@ profile vlc @{exec_path} {
|
|||
owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r,
|
||||
|
||||
@{PROC}/@{pids}/net/if_inet6 r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
|