Profiles update.

This commit is contained in:
Alexandre Pujol 2021-05-06 16:44:49 +01:00
parent ae5f781175
commit 0d566a43b9
18 changed files with 77 additions and 22 deletions


@ -125,7 +125,7 @@ profile firefox @{exec_path} {
/etc/mailcap r, /etc/mailcap r,
# Set default browser # Set default browser
/{usr/,}bin/update-mime-database rPUx, /{usr/,}bin/update-mime-database rPx,
owner @{user_config_dirs}/mimeapps.list{,.*} rw, owner @{user_config_dirs}/mimeapps.list{,.*} rw,
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,
@ -197,13 +197,19 @@ profile firefox @{exec_path} {
@{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
@{user_share_dirs}/gvfs-metadata/home r, owner @{user_share_dirs}/ r,
@{user_share_dirs}/gvfs-metadata/home-*.log r, owner @{user_share_dirs}/gvfs-metadata/home r,
owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
owner @{user_share_dirs}/gvfs-metadata/root r,
owner @{user_share_dirs}/gvfs-metadata/root-*.log r,
include <abstractions/dconf> include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,
# Silencer
deny owner @{HOME}/.* r,
profile open { profile open {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
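Review bot: `deny owner @{HOME}/.* r,` at the end of the hunk overrides any allow rule for a top-level dotfile in the home directory, because AppArmor deny rules take precedence over allow rules; if this profile or one of its abstractions grants, say, `owner @{HOME}/.Xauthority r,`, that read now fails silently (the rest of the profile is outside the hunk, so this is hedged). If the goal is only to stop log noise from probing, consider listing the dotfiles actually probed, or document the trade-off with `# deny overrides allow: no top-level dotfile of @{HOME} is readable here, including those granted by abstractions`. Separately, `update-mime-database` moves from `rPUx` to `rPx`, so its exec is denied rather than run unconfined when no update-mime-database profile is loaded; confirm that profile ships alongside this change.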


@ -33,6 +33,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
/{usr/,}lib/ibus/ibus-* rPx, /{usr/,}lib/ibus/ibus-* rPx,
/{usr/,}bin/ r, /{usr/,}bin/ r,
/{usr/,}bin/[a-z0-9]* rPUx, /{usr/,}bin/[a-z0-9]* rPUx,
/{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper rPx,
/etc/dbus-1/{,**} r, /etc/dbus-1/{,**} r,
/usr/share/dbus-1/{,**} r, /usr/share/dbus-1/{,**} r,
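Review bot: The added `/{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper rPx,` makes system-bus service activation depend on the new dbus-daemon-launch-helper profile loading; with `Px` (unlike the `PUx` used for `/{usr/,}bin/[a-z0-9]*` two lines above) a missing or unparsable child profile denies the exec instead of falling back to unconfined. That is the stricter and preferable choice for a helper that upstream installs setuid root (inferred, not visible on this page), but the deliberate asymmetry deserves a comment, e.g. `# Px on purpose: the helper is setuid root and must never run unconfined`.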


@ -0,0 +1,17 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper
profile dbus-daemon-launch-helper @{exec_path} {
include <abstractions/base>
include <abstractions/app-launcher-root>
@{exec_path} mr,
include if exists <local/dbus-daemon-launch-helper>
}
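Review bot: The new profile grants no `capability` rules and no read on the D-Bus system service files, so it will probably deny the helper's core job: upstream's dbus-daemon-launch-helper is installed setuid root, reads the activated service's `.service` file to find its user and executable, and changes uid/gid before exec'ing (inferred from upstream dbus behaviour, not from this page). Unless `abstractions/app-launcher-root` already covers them, I would expect at least `capability setuid,`, `capability setgid,` and `/usr/share/dbus-1/system-services/*.service r,`, and possibly reads under `/etc/dbus-1/`. Since this profile is not in complain mode and gates system service activation through the `rPx` transition added in the dbus-daemon profile, a shakedown with `flags=(complain)` before enforcing would be prudent.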


@ -17,7 +17,7 @@ profile at-spi-bus-launcher @{exec_path} {
# Needed? # Needed?
deny capability sys_nice, deny capability sys_nice,
signal (receive) set=term peer=gdm, signal (receive) set=(term hup) peer=gdm*,
signal (send) set=(term, kill) peer=dbus-daemon, signal (send) set=(term, kill) peer=dbus-daemon,
network inet stream, network inet stream,
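Review bot: `peer=gdm*` on the changed signal rule widens the accepted sender from the `gdm` profile to every profile whose name begins with `gdm`; the same widening is made in the xwayland profile below. The only sender visible on this page is `gdm-session-worker` (`signal (send) set=hup peer=at-spi-bus-launcher,` in its hunk), so `peer=gdm{,-session-worker}` would express the intent without also matching profiles added later under the same prefix. If other gdm-* profiles do send these signals, a comment naming them would make the glob self-explaining.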


@ -14,7 +14,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
signal (receive) set=term peer=gdm, signal (receive) set=(term hup) peer=gdm*,
@{exec_path} mrix, @{exec_path} mrix,


@ -25,6 +25,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
capability sys_tty_config, capability sys_tty_config,
signal (receive) set=term peer=gdm, signal (receive) set=term peer=gdm,
signal (send) set=hup peer=at-spi-bus-launcher,
signal (send) set=hup peer=dbus-daemon, signal (send) set=hup peer=dbus-daemon,
signal (send) set=hup peer=gjs-console, signal (send) set=hup peer=gjs-console,
signal (send) set=hup peer=gnome-*, signal (send) set=hup peer=gnome-*,


@ -21,6 +21,7 @@ profile gnome-contacts @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/applications/{,*.desktop} r,
owner @{user_cache_dirs}/evolution/addressbook/{,**} r, owner @{user_cache_dirs}/evolution/addressbook/{,**} r,
owner @{user_cache_dirs}/gstreamer*/{,**} r, owner @{user_cache_dirs}/gstreamer*/{,**} r,


@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gnome-control-center-search-provider
profile gnome-control-center-search-provider @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
@{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/X11/xkb/{,**} r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
include if exists <local/gnome-control-center-search-provider>
}
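Review bot: The new profile includes the gtk, freedesktop.org and dconf abstractions but nothing for the session bus, and a GNOME search provider is a D-Bus service that is activated and queried over the session bus (inferred from the program's role, not from this page); unless one of the included abstractions already grants it, expect denials on `owner @{run}/user/@{uid}/bus rw,`, best covered by the repository's session-bus abstraction rather than an ad-hoc rule. It also has no read rule for the control-center panel data the provider searches (presumably under `/usr/share/gnome-control-center/`, to be confirmed from the logs). As with any profile that has not yet been exercised, enforcing it directly rather than starting with `flags=(complain)` risks breaking GNOME Shell search silently.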


@ -76,6 +76,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/libgweather/{,**} r, owner @{user_cache_dirs}/libgweather/{,**} r,
owner @{user_cache_dirs}/media-art/{,**} r, owner @{user_cache_dirs}/media-art/{,**} r,
owner @{user_cache_dirs}/gnome-screenshot/{,**} rw, owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r,
include <abstractions/dconf> include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/ rw,


@ -30,6 +30,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
owner /tmp/{,**} rw, owner /tmp/{,**} rw,
# Silencer for non user's data # Silencer for non user's data
deny owner @{HOME}/@{XDG_VM_DIR}/{,**} rw,
deny /boot rw, deny /boot rw,
deny /opt rw, deny /opt rw,
deny /root rw, deny /root rw,
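Review bot: `deny owner @{HOME}/@{XDG_VM_DIR}/{,**} rw,` references `@{XDG_VM_DIR}`, which as far as I know is not among the variables upstream AppArmor defines in `tunables/xdg-user-dirs`; if this repository does not define it in its own tunables, the profile fails to parse and nautilus runs unconfined. Also, deny beats allow, so a user browsing that directory in their file manager gets an empty view with no log entry; that may be the intent for a silencer, but it differs from the other silencers in this block, which target system paths, and a comment such as `# VM images are large non-user data; listing them is deliberately denied` would make it explicit.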


@ -59,11 +59,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r, /etc/machine-id r,
/var/lib/NetworkManager/{,**} rw, /var/lib/NetworkManager/{,**} rw,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/sys/net/** rw,
@{PROC}/sys/kernel/random/boot_id r,
@{sys}/bus/ r, @{sys}/bus/ r,
@{sys}/class/ r, @{sys}/class/ r,
@{sys}/class/rfkill/ r, @{sys}/class/rfkill/ r,
@ -82,9 +77,13 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/pci[0-9]*/**/net/*/{,**} r, @{sys}/devices/pci[0-9]*/**/net/*/{,**} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/net/{,**} r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/net/{,**} r,
@{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r,
@{PROC}/1/environ r, @{PROC}/@{pids}/stat r,
@{PROC}/cmdline r, @{PROC}/1/environ r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sys/net/** rw,
include if exists <local/NetworkManager> include if exists <local/NetworkManager>
} }
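Review bot: `@{PROC}/@{pids}/stat r,` (replacing `@{PROC}/@{pid}/stat r,`) lets NetworkManager read the stat entry of every process on the system, while the neighbouring fd rule went the other way and gained `owner`; the reason for the wider read is not visible and is worth a comment, e.g. `# reads /proc/<pid>/stat of <which processes> — TODO confirm from logs`. The other moved rules are unchanged, though `@{PROC}/sys/net/** rw,` remains a very broad sysctl write grant that predates this commit.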


@ -12,6 +12,7 @@ profile ssh-agent @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/openssl> include <abstractions/openssl>
signal (receive) set=term peer=cockpit-bridge,
signal (receive) set=term peer=gnome-keyring-daemon, signal (receive) set=term peer=gnome-keyring-daemon,
@{exec_path} mr, @{exec_path} mr,


@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-coredump @{exec_path} = /{usr/,}lib/systemd/systemd-coredump
profile systemd-coredump @{exec_path} flags=(complain) { profile systemd-coredump @{exec_path} flags=(attach_disconnected complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/systemd-common> include <abstractions/systemd-common>
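Review bot: The profile gains `attach_disconnected` while staying in `complain` mode, so for now the flag changes which paths are logged rather than what is allowed. The denial that motivated it (likely a path reported as disconnected in the log) is not visible, and a comment such as `# attach_disconnected: <disconnected path seen in log, TODO>` would help whoever later moves this profile to enforce mode, since with the flag disconnected paths are matched against the profile's `/`-rooted rules.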


@ -18,7 +18,7 @@ profile aa-notify @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}/bin/ r, /{usr/,}bin/ r,
/etc/apparmor/*.conf r, /etc/apparmor/*.conf r,
/etc/inputrc r, /etc/inputrc r,


@ -11,8 +11,6 @@ profile browserpass @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
deny network inet6 stream,
deny network inet stream,
network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,
@ -27,10 +25,13 @@ profile browserpass @{exec_path} {
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@{user_share_dirs}/gvfs-metadata/home r,
@{user_share_dirs}/gvfs-metadata/home-*.log r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
# Silencer
deny network inet6 stream,
deny network inet stream,
deny owner @{user_share_dirs}/gvfs-metadata/{,**} r,
deny owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} r,
include if exists <local/browserpass> include if exists <local/browserpass>
} }
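Review bot: The new `deny owner @{user_share_dirs}/gvfs-metadata/{,**} r,` replaces the two explicit allow rules for `gvfs-metadata/home` and `home-*.log` removed in the same hunk, so this is a behaviour change (the read is now refused) rather than a reorganisation, and because deny wins over allow it also overrides any gvfs-metadata access granted by an included abstraction. If browserpass genuinely never needs that metadata the change is fine, but it should say so; a comment `# gvfs-metadata reads were only probing; denied to keep the log quiet` next to the silencer would do.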


@ -28,7 +28,7 @@ profile child-pager {
/{usr/,}bin/less mr, /{usr/,}bin/less mr,
/{usr/,}bin/more mr, /{usr/,}bin/more mr,
owner @{user_cache_dirs}/lesshs* rw, @{user_cache_dirs}/lesshs* rw,
owner /root/.lesshs* rw, owner /root/.lesshs* rw,
# Display properly on different host terminals # Display properly on different host terminals
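Review bot: Dropping `owner` from `@{user_cache_dirs}/lesshs* rw,` lets the pager write to any user's less history file, which only matters when the pager runs with elevated privileges — presumably the `sudo … | less` case where the euid is root but the cache directory still resolves to the invoking user's (inferred; the motivation is not on the page). Since `owner /root/.lesshs* rw,` on the next line keeps the owner check, the asymmetry deserves a comment, e.g. `# no owner: under sudo, less runs as root but writes the invoking user's lesshst`. If that is the only case, an alternative that keeps `owner` is to leave the denial in the log, as the history file is not needed for paging.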


@ -62,7 +62,7 @@ profile dkms @{exec_path} {
/{usr/,}lib/modules/*/updates/ rw, /{usr/,}lib/modules/*/updates/ rw,
/{usr/,}lib/modules/*/updates/dkms/ rw, /{usr/,}lib/modules/*/updates/dkms/ rw,
/{usr/,}lib/modules/*/updates/dkms/*.ko rw, /{usr/,}lib/modules/*/updates/dkms/*.ko rw,
/{usr/,}lib/modules/*/kernel/drivers/{,**.ko.xz} rw, /{usr/,}lib/modules/*/kernel/drivers/{,*.**.ko.xz} rw,
/var/lib/dkms/ r, /var/lib/dkms/ r,
/var/lib/dkms/** rw, /var/lib/dkms/** rw,
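Review bot: The new glob `{,*.**.ko.xz}` looks narrower than intended: `*` does not cross `/`, so `*.**.ko.xz` only matches when a `.` appears in the first path component after `drivers/` — a module at `drivers/net/wireless/example.ko.xz` (constructed path) matched the old `**.ko.xz` but does not match the new pattern, unless I am misreading the glob. If the aim was to stop the rule from matching directories, `{,**/*.ko.xz}` keeps module files at any depth while excluding directory entries. Either way a comment stating what the pattern is meant to exclude would keep the next edit from reintroducing the ambiguity.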


@ -56,6 +56,7 @@ profile sudo @{exec_path} {
/{usr/,}bin/[a-z0-9]* rPUx, /{usr/,}bin/[a-z0-9]* rPUx,
/{usr/,}{s,}bin/[a-z0-9]* rPUx, /{usr/,}{s,}bin/[a-z0-9]* rPUx,
/{usr/,}lib/cockpit/cockpit-askpass rPx,
/dev/ r, /dev/ r,
/dev/ptmx rw, /dev/ptmx rw,