feat(profiles) add initial support for ubuntu 22.04
This commit is contained in:
parent
3ac7d41bf5
commit
0dbe0d2790
33 changed files with 253 additions and 121 deletions
@ -1,6 +1,6 @@
|
||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Copyright (C) 2020-2021 Mikhail Morfikov
|
# Copyright (C) 2020-2022 Mikhail Morfikov
|
||||||
# 2021 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
@ -13,6 +13,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
|
capability audit_write,
|
||||||
capability setgid,
|
capability setgid,
|
||||||
capability setuid,
|
capability setuid,
|
||||||
capability sys_resource,
|
capability sys_resource,
|
||||||
|
@ -45,26 +46,6 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
|
||||||
/usr/share/dbus-1/{,**} r,
|
/usr/share/dbus-1/{,**} r,
|
||||||
/usr/share/defaults/**.conf r,
|
/usr/share/defaults/**.conf r,
|
||||||
|
|
||||||
owner @{user_share_dirs}/dbus-1/{,**} r,
|
|
||||||
@{user_share_dirs}/icc/{,edid-*} r,
|
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
|
||||||
@{PROC}/@{pid}/oom_score_adj rw,
|
|
||||||
@{PROC}/@{pids}/cmdline r,
|
|
||||||
@{PROC}/1/environ r,
|
|
||||||
@{PROC}/cmdline r,
|
|
||||||
@{PROC}/sys/kernel/osrelease r,
|
|
||||||
|
|
||||||
@{sys}/module/apparmor/parameters/enabled r,
|
|
||||||
|
|
||||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
|
||||||
@{run}/systemd/sessions/[0-9]*.ref rw,
|
|
||||||
@{run}/systemd/users/@{uid} r,
|
|
||||||
owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
|
|
||||||
owner @{run}/user/@{uid}/dbus-1/ rw,
|
|
||||||
owner @{run}/user/@{uid}/dbus-1/services/ rw,
|
|
||||||
|
|
||||||
# Extra rules for GDM
|
# Extra rules for GDM
|
||||||
/var/lib/gdm/.local/share/icc/ r,
|
/var/lib/gdm/.local/share/icc/ r,
|
||||||
/var/lib/gdm/.local/share/icc/edid-*.icc r,
|
/var/lib/gdm/.local/share/icc/edid-*.icc r,
|
||||||
|
@ -73,12 +54,39 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
|
||||||
/var/lib/flatpak/exports/share/dbus-1/{,**} r,
|
/var/lib/flatpak/exports/share/dbus-1/{,**} r,
|
||||||
/var/lib/flatpak/app/**/export/share/dbus-1/services/{,**} r,
|
/var/lib/flatpak/app/**/export/share/dbus-1/services/{,**} r,
|
||||||
|
|
||||||
/dev/dri/card[0-9]* rw,
|
# Extra rules for Snap
|
||||||
/dev/input/event[0-9]* rw,
|
/var/lib/snapd/dbus-1/services/ r,
|
||||||
|
/var/lib/snapd/dbus-1/system-services/ r,
|
||||||
|
|
||||||
|
owner @{user_share_dirs}/dbus-1/{,**} r,
|
||||||
|
@{user_share_dirs}/icc/{,edid-*} r,
|
||||||
|
|
||||||
owner /tmp/dbus-[0-9a-zA-Z]* rw,
|
owner /tmp/dbus-[0-9a-zA-Z]* rw,
|
||||||
|
|
||||||
# file_inherit
|
owner @{run}/user/@{uid}/bus w,
|
||||||
|
owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
|
||||||
|
owner @{run}/user/@{uid}/dbus-1/ rw,
|
||||||
|
owner @{run}/user/@{uid}/dbus-1/services/ rw,
|
||||||
|
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||||
|
@{run}/systemd/sessions/[0-9]*.ref rw,
|
||||||
|
@{run}/systemd/userdb/io.systemd.DynamicUser w,
|
||||||
|
@{run}/systemd/users/@{uid} r,
|
||||||
|
|
||||||
|
@{sys}/kernel/security/apparmor/.access rw,
|
||||||
|
@{sys}/kernel/security/apparmor/features/dbus/mask r,
|
||||||
|
@{sys}/module/apparmor/parameters/enabled r,
|
||||||
|
|
||||||
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
|
@{PROC}/@{pids}/attr/apparmor/current r,
|
||||||
|
@{PROC}/@{pids}/oom_score_adj rw,
|
||||||
|
@{PROC}/@{pids}/cmdline r,
|
||||||
|
@{PROC}/1/environ r,
|
||||||
|
@{PROC}/cmdline r,
|
||||||
|
@{PROC}/sys/kernel/osrelease r,
|
||||||
|
|
||||||
|
/dev/dri/card[0-9]* rw,
|
||||||
|
/dev/input/event[0-9]* rw,
|
||||||
/dev/tty[0-9]* rw,
|
/dev/tty[0-9]* rw,
|
||||||
|
|
||||||
include if exists <local/dbus-daemon>
|
include if exists <local/dbus-daemon>
|
||||||
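Review bot: The rewritten `@{PROC}/@{pids}/oom_score_adj rw,` in the third hunk is not `owner`-qualified, and the move from `@{pid}` to `@{pids}` makes explicit that the bus daemon may rewrite the OOM score of arbitrary processes (with the usual tunables both variables expand to the same numeric pattern, so the reach was already there; the rename just names it). Nothing in the hunk says why a system bus needs that, so either `owner @{PROC}/@{pids}/oom_score_adj rw,` or a comment such as `# adjusts oom_score_adj of bus-activated services` should accompany it. The new `@{sys}/kernel/security/apparmor/.access rw,` and `@{sys}/kernel/security/apparmor/features/dbus/mask r,` lines are presumably the kernel query interface used for D-Bus mediation and would also benefit from a one-line comment, since `.access` is a write into the policy query path. The profile body continues outside the hunks.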
|
|
|
@ -18,6 +18,7 @@ profile dbus-run-session @{exec_path} {
|
||||||
|
|
||||||
/{usr/,}bin/dbus-daemon rPx,
|
/{usr/,}bin/dbus-daemon rPx,
|
||||||
/{usr/,}bin/gnome-session rix,
|
/{usr/,}bin/gnome-session rix,
|
||||||
|
/{usr/,}bin/gnome-shell rPx,
|
||||||
/{usr/,}bin/gsettings rix,
|
/{usr/,}bin/gsettings rix,
|
||||||
@{libexec}/gnome-session-binary rPx,
|
@{libexec}/gnome-session-binary rPx,
|
||||||
|
|
||||||
|
|
|
@ -17,14 +17,19 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/{usr/,}lib/ibus/ibus-* rPx,
|
/{usr/,}lib/ibus/ibus-* rPx,
|
||||||
|
@{libexec}/ibus-* rPx,
|
||||||
|
|
||||||
/usr/share/ibus/{,**} r,
|
/usr/share/ibus/{,**} r,
|
||||||
|
/usr/share/ibus-table/tables/ r,
|
||||||
|
|
||||||
|
/etc/machine-id r,
|
||||||
/var/lib/dbus/machine-id r,
|
/var/lib/dbus/machine-id r,
|
||||||
|
|
||||||
owner @{user_config_dirs}/ibus/{,**} rw,
|
owner @{user_config_dirs}/ibus/{,**} rw,
|
||||||
owner @{user_cache_dirs}/ibus/{,**} rw,
|
owner @{user_cache_dirs}/ibus/{,**} rw,
|
||||||
/var/lib/gdm/.config/ibus/{,**} rw,
|
/var/lib/gdm{3,}/.config/ibus/{,**} rw,
|
||||||
/var/lib/gdm/.cache/ibus/{,**} rw,
|
/var/lib/gdm{3,}/.cache/ibus/{,**} rw,
|
||||||
|
/var/lib/gdm{3,}/.config/ibus/bus/ r,
|
||||||
|
|
||||||
owner @{PROC}/@{pids}/fd/ r,
|
owner @{PROC}/@{pids}/fd/ r,
|
||||||
|
|
||||||
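Review bot: The added `/var/lib/gdm{3,}/.config/ibus/bus/ r,` is already covered by the widened `/var/lib/gdm{3,}/.config/ibus/{,**} rw,` two rows above it, because `**` matches the `bus/` component, so the new line grants nothing and can be dropped. The same hunk widens the gdm paths to `gdm{3,}` for Ubuntu, which is correct; only the redundant directory rule is worth removing. The profile body continues outside the hunk.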
|
|
|
@ -30,6 +30,8 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
|
||||||
/usr/share/pipewire/client.conf r,
|
/usr/share/pipewire/client.conf r,
|
||||||
/usr/share/pipewire/pipewire-pulse.conf r,
|
/usr/share/pipewire/pipewire-pulse.conf r,
|
||||||
|
|
||||||
|
/var/lib/gdm/.config/pulse/cookie rwk,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/pulse/pid w,
|
owner @{run}/user/@{uid}/pulse/pid w,
|
||||||
|
|
||||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||||
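Review bot: The added `/var/lib/gdm/.config/pulse/cookie rwk,` uses the plain `gdm` path while every other gdm rule in this commit is widened to `gdm{3,}` for Ubuntu's `/var/lib/gdm3` layout, so the greeter's PulseAudio cookie would presumably still be denied on the target distribution; write it as `/var/lib/gdm{3,}/.config/pulse/cookie rwk,`. It also grants write and lock access to the gdm account's cookie from the user's pipewire-pulse; if only the greeter session needs this, a short comment saying so would make the intent clear. The profile body continues outside the hunk.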
|
|
|
@ -35,6 +35,7 @@ profile polkit-agent-helper @{exec_path} {
|
||||||
owner @{HOME}/.xsession-errors w,
|
owner @{HOME}/.xsession-errors w,
|
||||||
|
|
||||||
@{run}/faillock/[a-zA-z0-9]* rwk,
|
@{run}/faillock/[a-zA-z0-9]* rwk,
|
||||||
|
@{run}/systemd/userdb/io.systemd.DynamicUser w,
|
||||||
|
|
||||||
include if exists <local/polkit-agent-helper>
|
include if exists <local/polkit-agent-helper>
|
||||||
}
|
}
|
||||||
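Review bot: The added `@{run}/systemd/userdb/io.systemd.DynamicUser w,` is the same rule this commit also adds to the dbus-daemon, polkitd and gdm-session-worker profiles, which suggests it belongs in a shared abstraction (next to the nameservice abstraction these profiles already include) rather than being repeated per profile. A comment on the first occurrence such as `# systemd-userdb varlink socket, presumably for DynamicUser= account lookups` would also record why this helper needs a write grant to a socket under @{run}/systemd. The profile body continues outside the hunk.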
|
|
|
@ -35,6 +35,8 @@ profile polkitd @{exec_path} {
|
||||||
# System rules
|
# System rules
|
||||||
/etc/polkit-1/rules.d/ r,
|
/etc/polkit-1/rules.d/ r,
|
||||||
/etc/polkit-1/rules.d/[0-9][0-9]-*.rules r,
|
/etc/polkit-1/rules.d/[0-9][0-9]-*.rules r,
|
||||||
|
/etc/polkit-1/localauthority/{,**} r,
|
||||||
|
/etc/polkit-1/localauthority.conf.d/{,**} r,
|
||||||
|
|
||||||
# Vendor rules
|
# Vendor rules
|
||||||
/usr/share/polkit-1/rules.d/ r,
|
/usr/share/polkit-1/rules.d/ r,
|
||||||
|
@ -46,9 +48,11 @@ profile polkitd @{exec_path} {
|
||||||
/usr/share/polkit-1/actions/*.policy.choice r,
|
/usr/share/polkit-1/actions/*.policy.choice r,
|
||||||
|
|
||||||
owner /var/lib/polkit-1/.cache/ rw,
|
owner /var/lib/polkit-1/.cache/ rw,
|
||||||
|
/var/lib/polkit-1/localauthority/{,**} r,
|
||||||
|
|
||||||
@{run}/systemd/sessions/* r,
|
@{run}/systemd/sessions/* r,
|
||||||
@{run}/systemd/users/@{uid} r,
|
@{run}/systemd/users/@{uid} r,
|
||||||
|
@{run}/systemd/userdb/io.systemd.DynamicUser w,
|
||||||
|
|
||||||
# Silencer
|
# Silencer
|
||||||
deny /.cache/ rw,
|
deny /.cache/ rw,
|
||||||
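Review bot: The three new `localauthority` rules (`/etc/polkit-1/localauthority/{,**} r,`, `/etc/polkit-1/localauthority.conf.d/{,**} r,` and `/var/lib/polkit-1/localauthority/{,**} r,`) carry no comment, unlike the `# System rules` / `# Vendor rules` headers around them; they are presumably for the legacy `.pkla` local-authority backend still shipped by Ubuntu's polkit, and a line such as `# Legacy local authority (.pkla) rules, Ubuntu` above the first would keep the section self-documenting. Being read-only on configuration, the grants themselves are low risk. The profile body continues outside the hunks.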
|
|
|
@ -45,6 +45,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
||||||
owner @{run}/user/@{uid}/dconf/user rw,
|
owner @{run}/user/@{uid}/dconf/user rw,
|
||||||
|
|
||||||
owner @{PROC}/@{pids}/cgroup r,
|
owner @{PROC}/@{pids}/cgroup r,
|
||||||
|
@{PROC}/ r,
|
||||||
@{PROC}/1/cgroup r,
|
@{PROC}/1/cgroup r,
|
||||||
@{PROC}/cmdline r,
|
@{PROC}/cmdline r,
|
||||||
@{PROC}/sys/kernel/osrelease r,
|
@{PROC}/sys/kernel/osrelease r,
|
||||||
|
|
|
@ -14,12 +14,20 @@ profile xdg-desktop-portal-gnome @{exec_path} {
|
||||||
include <abstractions/freedesktop.org>
|
include <abstractions/freedesktop.org>
|
||||||
include <abstractions/gtk>
|
include <abstractions/gtk>
|
||||||
include <abstractions/user-download>
|
include <abstractions/user-download>
|
||||||
|
include <abstractions/user-read>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
|
/usr/share/ubuntu/applications/ r,
|
||||||
/usr/share/X11/xkb/{,**} r,
|
/usr/share/X11/xkb/{,**} r,
|
||||||
|
|
||||||
|
/etc/gnome/defaults.list r,
|
||||||
|
|
||||||
|
/var/lib/snapd/desktop/icons/{,**} r,
|
||||||
|
|
||||||
|
owner @{user_share_dirs}/ r,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/dconf/user rw,
|
owner @{run}/user/@{uid}/dconf/user rw,
|
||||||
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
||||||
|
|
||||||
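Review bot: The new `include <abstractions/user-read>` in the first hunk is presumably a considerably broader grant than the `user-download` abstraction it is placed next to, and nothing in the hunk says which portal feature needs read access across the user's files; a comment naming it (file-chooser previews, wallpaper picker, or similar) would let a reviewer judge whether a narrower rule suffices. The `owner @{user_share_dirs}/ r,` and `/var/lib/snapd/desktop/icons/{,**} r,` additions are read-only and uncontroversial. The profile body continues outside the hunk.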
|
|
|
@ -20,6 +20,8 @@ profile xdg-document-portal @{exec_path} {
|
||||||
/ r,
|
/ r,
|
||||||
|
|
||||||
owner @{user_share_dirs}/flatpak/db/documents r,
|
owner @{user_share_dirs}/flatpak/db/documents r,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/bus rw,
|
||||||
owner @{run}/user/@{uid}/doc/ rw,
|
owner @{run}/user/@{uid}/doc/ rw,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
|
|
@ -20,6 +20,8 @@ profile evolution-alarm-notify @{exec_path} {
|
||||||
|
|
||||||
/usr/share/evolution-data-server/{,**} r,
|
/usr/share/evolution-data-server/{,**} r,
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
|
/usr/share/ubuntu/applications/ r,
|
||||||
|
/usr/share/zoneinfo-icu/{,**} r,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/dconf/ rw,
|
owner @{run}/user/@{uid}/dconf/ rw,
|
||||||
owner @{run}/user/@{uid}/dconf/user rw,
|
owner @{run}/user/@{uid}/dconf/user rw,
|
||||||
|
|
|
@ -44,10 +44,11 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
||||||
/{usr/,}bin/gnome-keyring-daemon rPx,
|
/{usr/,}bin/gnome-keyring-daemon rPx,
|
||||||
@{libexec}/gdm-wayland-session rPx,
|
@{libexec}/gdm-wayland-session rPx,
|
||||||
@{libexec}/gdm-x-session rPx,
|
@{libexec}/gdm-x-session rPx,
|
||||||
/etc/gdm/{Pre,Post}Session/Default rix,
|
/etc/gdm{3,}/{Pre,Post}Session/Default rix,
|
||||||
|
|
||||||
|
/etc/default/locale r,
|
||||||
/etc/environment r,
|
/etc/environment r,
|
||||||
/etc/gdm/custom.conf r,
|
/etc/gdm{3,}/custom.conf r,
|
||||||
/etc/locale.conf r,
|
/etc/locale.conf r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/motd r,
|
/etc/motd r,
|
||||||
|
@ -64,9 +65,14 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
||||||
@{run}/systemd/users/@{uid} r,
|
@{run}/systemd/users/@{uid} r,
|
||||||
@{run}/utmp rwk,
|
@{run}/utmp rwk,
|
||||||
|
|
||||||
|
@{run}/systemd/userdb/io.systemd.DynamicUser w,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
owner @{PROC}/@{pid}/loginuid rw,
|
owner @{PROC}/@{pid}/loginuid rw,
|
||||||
|
owner @{PROC}/@{pid}/task/@{tid}/attr/exec rw,
|
||||||
owner @{PROC}/@{pid}/uid_map r,
|
owner @{PROC}/@{pid}/uid_map r,
|
||||||
|
@{PROC}/1/limits r,
|
||||||
|
@{PROC}/keys r,
|
||||||
|
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
/dev/tty[0-9]* rw,
|
/dev/tty[0-9]* rw,
|
||||||
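Review bot: The added `owner @{PROC}/@{pid}/task/@{tid}/attr/exec rw,` in the second hunk is a profile-transition control — writing attr/exec requests an AppArmor profile change at the next exec — which is security-relevant enough to deserve a comment, for example `# request the session's AppArmor profile for the next exec (change_onexec)`; the hunk does not show which component performs the write, so the comment should name it once confirmed. `@{PROC}/keys r,` is likewise unexplained and exposes the kernel keyring listing; a one-line reason would help. The profile body continues outside the hunks.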
|
|
|
@ -22,27 +22,38 @@ profile gdm-wayland-session @{exec_path} {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
# It can run hooks, how to handle them nicely? rCx? them mostly include if exist
|
||||||
|
|
||||||
/{usr/,}bin/{,ba,da}sh rix,
|
/{usr/,}bin/{,ba,da}sh rix,
|
||||||
|
/{usr/,}bin/env rix,
|
||||||
/{usr/,}bin/gnome-session rix,
|
/{usr/,}bin/gnome-session rix,
|
||||||
/{usr/,}bin/grep rix,
|
/{usr/,}bin/grep rix,
|
||||||
/{usr/,}bin/gsettings rix,
|
/{usr/,}bin/gsettings rix,
|
||||||
|
/{usr/,}bin/locale rix,
|
||||||
|
/{usr/,}bin/locale-check rix,
|
||||||
|
/{usr/,}bin/sed rix,
|
||||||
/{usr/,}bin/tty rix,
|
/{usr/,}bin/tty rix,
|
||||||
|
/{usr/,}bin/gettext rix,
|
||||||
/{usr/,}bin/zsh rix,
|
/{usr/,}bin/zsh rix,
|
||||||
|
|
||||||
/{usr/,}bin/dbus-daemon rPx,
|
/{usr/,}bin/dbus-daemon rPx,
|
||||||
/{usr/,}bin/dbus-run-session rPx,
|
/{usr/,}bin/dbus-run-session rPx,
|
||||||
|
/{usr/,}bin/dpkg-query rpx,
|
||||||
/{usr/,}bin/flatpak rPUx,
|
/{usr/,}bin/flatpak rPUx,
|
||||||
@{libexec}/gnome-session-binary rPx,
|
@{libexec}/gnome-session-binary rPx,
|
||||||
|
|
||||||
/etc/gdm/custom.conf r,
|
/usr/share/im-config/{,**} r,
|
||||||
|
|
||||||
|
/etc/default/im-config r,
|
||||||
|
/etc/gdm{3,}/custom.conf r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/shells r,
|
/etc/shells r,
|
||||||
|
/etc/X11/Xsession.d/*im-config_launch r,
|
||||||
|
|
||||||
/usr/share/gdm/gdm.schemas r,
|
/usr/share/gdm/gdm.schemas r,
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
|
|
||||||
@{run}/gdm/custom.conf r,
|
owner @{run}/user/@{uid}/bus rw,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/dconf/ rw,
|
owner @{run}/user/@{uid}/dconf/ rw,
|
||||||
owner @{run}/user/@{uid}/dconf/user rw,
|
owner @{run}/user/@{uid}/dconf/user rw,
|
||||||
@{run}/gdm/custom.conf r,
|
@{run}/gdm/custom.conf r,
|
||||||
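Review bot: `/{usr/,}bin/dpkg-query rpx,` in the first hunk uses the lowercase `px` transition, which unlike the `rPx` used for every other transition in this profile does not scrub the environment on exec; this looks like a typo and should read `/{usr/,}bin/dpkg-query rPx,`. The new comment `# It can run hooks, how to handle them nicely? rCx? them mostly include if exist` reads as an open question left in the policy; marking it `# TODO:` and stating which hook directories are meant would make the intent clear to the next maintainer. The profile body continues outside the hunk.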
|
|
|
@ -33,6 +33,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
||||||
/{usr/,}bin/mkdir rix,
|
/{usr/,}bin/mkdir rix,
|
||||||
/{usr/,}bin/touch rix,
|
/{usr/,}bin/touch rix,
|
||||||
/{usr/,}bin/gsettings rix,
|
/{usr/,}bin/gsettings rix,
|
||||||
|
/{usr/,}bin/session-migration rix,
|
||||||
/{usr/,}bin/xdg-user-dirs-gtk-update rix,
|
/{usr/,}bin/xdg-user-dirs-gtk-update rix,
|
||||||
@{libexec}/gnome-session-check-accelerated rix,
|
@{libexec}/gnome-session-check-accelerated rix,
|
||||||
@{libexec}/gnome-session-check-accelerated-gl-helper rix,
|
@{libexec}/gnome-session-check-accelerated-gl-helper rix,
|
||||||
|
@ -42,16 +43,21 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
/{usr/,}bin/aa-notify rPx,
|
/{usr/,}bin/aa-notify rPx,
|
||||||
/{usr/,}bin/blueman-applet rPx,
|
/{usr/,}bin/blueman-applet rPx,
|
||||||
|
/{usr/,}bin/xdg-user-dirs-update rPx,
|
||||||
/{usr/,}bin/firewall-applet rPUx,
|
/{usr/,}bin/firewall-applet rPUx,
|
||||||
/{usr/,}bin/gnome-keyring-daemon rPx,
|
/{usr/,}bin/gnome-keyring-daemon rPx,
|
||||||
/{usr/,}bin/gnome-shell rPx,
|
/{usr/,}bin/gnome-shell rPx,
|
||||||
|
/{usr/,}bin/im-launch rPx,
|
||||||
/{usr/,}bin/pkcs11-register rPx,
|
/{usr/,}bin/pkcs11-register rPx,
|
||||||
|
/{usr/,}bin/snap rPUx,
|
||||||
/{usr/,}bin/start-pulseaudio-x11 rPx,
|
/{usr/,}bin/start-pulseaudio-x11 rPx,
|
||||||
/{usr/,}bin/xbrlapi rPx,
|
/{usr/,}bin/xbrlapi rPx,
|
||||||
|
@{libexec}/at-spi-bus-launcher rPx,
|
||||||
@{libexec}/evolution-data-server/evolution-alarm-notify rPx,
|
@{libexec}/evolution-data-server/evolution-alarm-notify rPx,
|
||||||
@{libexec}/gsd-* rPx,
|
@{libexec}/gsd-* rPx,
|
||||||
|
|
||||||
/usr/share/applications//{,**} r,
|
/usr/share/applications/{,**} r,
|
||||||
|
/usr/share/dconf/profile/gdm r,
|
||||||
/usr/share/gdm/greeter-dconf-defaults r,
|
/usr/share/gdm/greeter-dconf-defaults r,
|
||||||
/usr/share/gdm/greeter/applications/{,**} r,
|
/usr/share/gdm/greeter/applications/{,**} r,
|
||||||
/usr/share/gdm/greeter/autostart/{,*.desktop} r,
|
/usr/share/gdm/greeter/autostart/{,*.desktop} r,
|
||||||
|
@ -59,19 +65,23 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
||||||
/usr/share/glvnd/egl_vendor.d/ r,
|
/usr/share/glvnd/egl_vendor.d/ r,
|
||||||
/usr/share/gnome-session/hardware-compatibility r,
|
/usr/share/gnome-session/hardware-compatibility r,
|
||||||
/usr/share/gnome-session/sessions/*.session r,
|
/usr/share/gnome-session/sessions/*.session r,
|
||||||
|
/usr/share/gnome/autostart/{,*.desktop} r,
|
||||||
/usr/share/icons/{,**} r,
|
/usr/share/icons/{,**} r,
|
||||||
/usr/share/dconf/profile/gdm r,
|
|
||||||
/usr/share/mime/mime.cache r,
|
/usr/share/mime/mime.cache r,
|
||||||
|
/usr/share/ubuntu/applications/{,*.desktop} r,
|
||||||
/usr/share/X11/xkb/{,**} r,
|
/usr/share/X11/xkb/{,**} r,
|
||||||
|
|
||||||
|
/etc/gnome/defaults.list r,
|
||||||
/etc/xdg/autostart/{,*.desktop} r,
|
/etc/xdg/autostart/{,*.desktop} r,
|
||||||
|
|
||||||
/var/lib/gdm/.config/dconf/user r,
|
/var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
|
||||||
/var/lib/gdm/.cache/mesa_shader_cache/index rw,
|
/var/lib/gdm{3,}/.config/dconf/user r,
|
||||||
/var/lib/gdm/.config/gnome-session/ rw,
|
/var/lib/gdm{3,}/.config/gnome-session/ rw,
|
||||||
/var/lib/gdm/.config/gnome-session/saved-session/ rw,
|
/var/lib/gdm{3,}/.config/gnome-session/saved-session/ rw,
|
||||||
/var/lib/gdm/.local/share/applications/{,**} r,
|
/var/lib/gdm{3,}/.local/share/applications/{,**} r,
|
||||||
|
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||||
|
|
||||||
|
/var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,
|
||||||
/var/lib/flatpak/exports/share/applications/{,**} r,
|
/var/lib/flatpak/exports/share/applications/{,**} r,
|
||||||
|
|
||||||
owner @{user_config_dirs}/autostart/{,*.desktop} r,
|
owner @{user_config_dirs}/autostart/{,*.desktop} r,
|
||||||
|
@ -83,6 +93,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
||||||
owner @{user_config_dirs}/user-dirs.dirs r,
|
owner @{user_config_dirs}/user-dirs.dirs r,
|
||||||
owner @{user_config_dirs}/user-dirs.locale r,
|
owner @{user_config_dirs}/user-dirs.locale r,
|
||||||
owner @{user_share_dirs}/applications/ r,
|
owner @{user_share_dirs}/applications/ r,
|
||||||
|
owner @{user_share_dirs}/applications/mimeinfo.cache r,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/dconf/ rw,
|
owner @{run}/user/@{uid}/dconf/ rw,
|
||||||
owner @{run}/user/@{uid}/dconf/user rw,
|
owner @{run}/user/@{uid}/dconf/user rw,
|
||||||
|
@ -108,5 +119,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
/dev/tty[0-9]* rw,
|
/dev/tty[0-9]* rw,
|
||||||
|
|
||||||
|
include if exists <usr/gnome-session-binary.d>
|
||||||
include if exists <local/gnome-session-binary>
|
include if exists <local/gnome-session-binary>
|
||||||
}
|
}
|
||||||
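Review bot: `/{usr/,}bin/snap rPUx,` in the second hunk falls back to unconfined execution when no `snap` profile is loaded, so anything the session autostarts through snap leaves this profile's confinement entirely; if the reasoning is that snapd applies its own confinement to the launched snap, a comment saying so would make the `PUx` deliberate rather than a silent escape hatch. The `/usr/share/applications//{,**}` to `/usr/share/applications/{,**}` fix and the new `include if exists <usr/gnome-session-binary.d>` look correct. The profile body continues outside the hunks.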
|
|
|
@ -12,7 +12,9 @@ profile gnome-session-ctl @{exec_path} {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/bus rw,
|
||||||
owner @{run}/user/@{uid}/gnome-session-leader-fifo r,
|
owner @{run}/user/@{uid}/gnome-session-leader-fifo r,
|
||||||
|
@{run}/user/@{uid}/systemd/notify rw,
|
||||||
|
|
||||||
include if exists <local/gnome-session-ctl>
|
include if exists <local/gnome-session-ctl>
|
||||||
}
|
}
|
||||||
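Review bot: The added `@{run}/user/@{uid}/systemd/notify rw,` lacks the `owner` qualifier that the neighbouring `owner @{run}/user/@{uid}/bus rw,` and `owner @{run}/user/@{uid}/gnome-session-leader-fifo r,` carry; since @{uid} is presumably a numeric pattern rather than the caller's literal uid, `owner @{run}/user/@{uid}/systemd/notify rw,` keeps the three rules consistent and avoids a write grant to another user's notify socket. The profile body continues outside the hunk.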
|
|
|
@ -44,6 +44,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||||
@{libexec}/polkit-1/polkit* rPx,
|
@{libexec}/polkit-1/polkit* rPx,
|
||||||
@{libexec}/* rPUx,
|
@{libexec}/* rPUx,
|
||||||
|
|
||||||
|
/opt/*/**/*.png r,
|
||||||
/usr/share/backgrounds/{,**} r,
|
/usr/share/backgrounds/{,**} r,
|
||||||
/usr/share/dconf/profile/gdm r,
|
/usr/share/dconf/profile/gdm r,
|
||||||
/usr/share/desktop-directories/{,*.directory} r,
|
/usr/share/desktop-directories/{,*.directory} r,
|
||||||
|
@ -57,29 +58,40 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||||
/usr/share/libinput/ r,
|
/usr/share/libinput/ r,
|
||||||
/usr/share/libinput/[0-9][0-9]-*.quirks r,
|
/usr/share/libinput/[0-9][0-9]-*.quirks r,
|
||||||
/usr/share/libwacom/{,*.stylus,*.tablet} r,
|
/usr/share/libwacom/{,*.stylus,*.tablet} r,
|
||||||
|
/usr/share/plymouth/*.png r,
|
||||||
|
/usr/share/ubuntu/applications/{,*.desktop} r,
|
||||||
/usr/share/wayland-sessions/{,*.desktop} r,
|
/usr/share/wayland-sessions/{,*.desktop} r,
|
||||||
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
|
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
|
||||||
/usr/share/xsessions/{,*.desktop} r,
|
/usr/share/xsessions/{,*.desktop} r,
|
||||||
/opt/*/**/*.png r,
|
|
||||||
|
|
||||||
/.flatpak-info r,
|
/.flatpak-info r,
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
/etc/xdg/menus/gnome-applications.menu r,
|
||||||
/var/lib/dbus/machine-id r,
|
/var/lib/dbus/machine-id r,
|
||||||
|
|
||||||
/var/lib/gdm/.config/dconf/user r,
|
/var/lib/gdm{3,}/.cache/ w,
|
||||||
/var/lib/gdm/.config/ibus/ rw,
|
/var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw,
|
||||||
/var/lib/gdm/.config/ibus/bus/ rw,
|
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
|
||||||
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
|
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
|
||||||
/var/lib/gdm/.config/pulse/ r,
|
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
|
||||||
/var/lib/gdm/.config/pulse/client.conf r,
|
/var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
|
||||||
/var/lib/gdm/.config/pulse/cookie rwk,
|
/var/lib/gdm{3,}/.config/dconf/user r,
|
||||||
/var/lib/gdm/.local/share/applications/{,**} r,
|
/var/lib/gdm{3,}/.config/ibus/ rw,
|
||||||
/var/lib/gdm/.local/share/gnome-shell/ rw,
|
/var/lib/gdm{3,}/.config/ibus/bus/ rw,
|
||||||
|
/var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
|
||||||
|
/var/lib/gdm{3,}/.config/pulse/ r,
|
||||||
|
/var/lib/gdm{3,}/.config/pulse/client.conf r,
|
||||||
|
/var/lib/gdm{3,}/.config/pulse/cookie rwk,
|
||||||
|
/var/lib/gdm{3,}/.local/share/applications/{,**} r,
|
||||||
|
/var/lib/gdm{3,}/.local/share/gnome-shell/ rw,
|
||||||
|
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||||
|
|
||||||
/var/lib/flatpak/app/**/gnome-shell/{,**} r,
|
/var/lib/flatpak/app/**/gnome-shell/{,**} r,
|
||||||
/var/lib/flatpak/exports/share/gnome-shell/{,**} r,
|
/var/lib/flatpak/exports/share/gnome-shell/{,**} r,
|
||||||
|
|
||||||
|
/var/lib/snapd/desktop/icons/{,**} r,
|
||||||
|
|
||||||
owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
|
owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
|
||||||
owner @{HOME}/@{XDG_MUSIC_DIR}/**/*.jpg r,
|
owner @{HOME}/@{XDG_MUSIC_DIR}/**/*.jpg r,
|
||||||
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
||||||
|
@ -91,6 +103,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||||
owner @{user_config_dirs}/monitors.xml{,~} rwl,
|
owner @{user_config_dirs}/monitors.xml{,~} rwl,
|
||||||
|
|
||||||
owner @{user_share_dirs}/backgrounds/{,**} rw,
|
owner @{user_share_dirs}/backgrounds/{,**} rw,
|
||||||
|
owner @{user_share_dirs}/desktop-directories/{,**} r,
|
||||||
owner @{user_share_dirs}/gnome-shell/{,**} rw,
|
owner @{user_share_dirs}/gnome-shell/{,**} rw,
|
||||||
owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
|
owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
|
||||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||||
|
@ -103,13 +116,14 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||||
owner @{user_cache_dirs}/media-art/{,**} r,
|
owner @{user_cache_dirs}/media-art/{,**} r,
|
||||||
owner @{user_cache_dirs}/vlc/**/*.jpg r,
|
owner @{user_cache_dirs}/vlc/**/*.jpg r,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
|
||||||
owner @{run}/user/@{uid}/dconf/ rw,
|
owner @{run}/user/@{uid}/dconf/ rw,
|
||||||
owner @{run}/user/@{uid}/dconf/user rw,
|
owner @{run}/user/@{uid}/dconf/user rw,
|
||||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||||
owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
|
owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
|
||||||
owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
|
owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
|
||||||
|
owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
|
||||||
owner @{run}/user/@{uid}/wayland-[0-9].lock rwk,
|
owner @{run}/user/@{uid}/wayland-[0-9].lock rwk,
|
||||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
|
|
||||||
|
|
||||||
owner /dev/shm/.org.chromium.Chromium.* rw,
|
owner /dev/shm/.org.chromium.Chromium.* rw,
|
||||||
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
|
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
|
||||||
|
@ -144,30 +158,34 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
@{sys}/bus/ r,
|
@{sys}/bus/ r,
|
||||||
@{sys}/class/ r,
|
@{sys}/class/ r,
|
||||||
@{sys}/class/net/ r,
|
|
||||||
@{sys}/class/input/ r,
|
|
||||||
@{sys}/class/hwmon/ r,
|
@{sys}/class/hwmon/ r,
|
||||||
|
@{sys}/class/input/ r,
|
||||||
|
@{sys}/class/net/ r,
|
||||||
@{sys}/class/power_supply/ r,
|
@{sys}/class/power_supply/ r,
|
||||||
@{sys}/**/uevent r,
|
@{sys}/**/uevent r,
|
||||||
@{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,
|
|
||||||
@{sys}/devices/**/power_supply/**/{type,online} r,
|
|
||||||
@{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
|
|
||||||
@{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
|
|
||||||
@{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r,
|
@{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r,
|
||||||
@{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
|
@{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
|
||||||
|
@{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
|
||||||
|
@{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
|
||||||
|
@{sys}/devices/**/power_supply/**/{type,online} r,
|
||||||
@{sys}/devices/pci[0-9]*/**/boot_vga r,
|
@{sys}/devices/pci[0-9]*/**/boot_vga r,
|
||||||
|
@{sys}/devices/pci[0-9]*/**/drm/ r,
|
||||||
@{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
|
@{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
|
||||||
@{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
|
@{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
|
||||||
|
@{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/comm r,
|
owner @{PROC}/@{pid}/comm r,
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
owner @{PROC}/@{pid}/mountinfo r,
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
|
owner @{PROC}/@{pid}/task/@{pid}/cmdline r,
|
||||||
|
@{PROC}/ r,
|
||||||
@{PROC}/@{pid}/attr/current r,
|
@{PROC}/@{pid}/attr/current r,
|
||||||
@{PROC}/@{pid}/cgroup r,
|
@{PROC}/@{pid}/cgroup r,
|
||||||
@{PROC}/@{pid}/net/* r,
|
@{PROC}/@{pid}/net/* r,
|
||||||
@{PROC}/@{pid}/stat r,
|
@{PROC}/@{pid}/stat r,
|
||||||
@{PROC}/@{pid}/task/@{tid}/stat r,
|
@{PROC}/@{pid}/task/@{tid}/stat r,
|
||||||
|
@{PROC}/@{pids}/cmdline r,
|
||||||
@{PROC}/1/cgroup r,
|
@{PROC}/1/cgroup r,
|
||||||
@{PROC}/cmdline r,
|
@{PROC}/cmdline r,
|
||||||
@{PROC}/sys/kernel/osrelease r,
|
@{PROC}/sys/kernel/osrelease r,
|
||||||
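Review bot: `owner @{PROC}/@{pid}/task/@{pid}/cmdline r,` in the last hunk uses `@{pid}` for the task component, whereas the existing `@{PROC}/@{pid}/task/@{tid}/stat r,` a few rows below uses `@{tid}`; with the usual tunables the two expand alike, so this is a consistency point, but `owner @{PROC}/@{pid}/task/@{tid}/cmdline r,` is the form the rest of the profile uses. The same hunk adds `@{PROC}/@{pids}/cmdline r,` and `@{PROC}/ r,` without `owner`, letting the shell read the command line of every process on the system (arguments can carry secrets); if this serves window/app matching, a comment saying so, or an `owner` qualifier, would be worth adding. The profile body continues outside the hunks.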
|
|
|
@ -15,6 +15,7 @@ profile gnome-shell-calendar-server @{exec_path} {
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
|
/usr/share/zoneinfo-icu/{,**} r,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/dconf/ rw,
|
owner @{run}/user/@{uid}/dconf/ rw,
|
||||||
owner @{run}/user/@{uid}/dconf/user rw,
|
owner @{run}/user/@{uid}/dconf/user rw,
|
||||||
|
|
|
@ -37,6 +37,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/dconf/ rw,
|
owner @{run}/user/@{uid}/dconf/ rw,
|
||||||
owner @{run}/user/@{uid}/dconf/user rw,
|
owner @{run}/user/@{uid}/dconf/user rw,
|
||||||
|
owner @{run}/user/@{uid}/doc/ rw,
|
||||||
|
|
||||||
@{run}/systemd/sessions/[0-9]*{,.ref} r,
|
@{run}/systemd/sessions/[0-9]*{,.ref} r,
|
||||||
|
|
||||||
|
|
|
@ -26,12 +26,16 @@ profile gnome-terminal-server @{exec_path} {
|
||||||
/usr/share/X11/xkb/{,**} r,
|
/usr/share/X11/xkb/{,**} r,
|
||||||
|
|
||||||
/var/lib/flatpak/exports/share/icons/{,**} r,
|
/var/lib/flatpak/exports/share/icons/{,**} r,
|
||||||
|
/var/lib/snapd/desktop/icons/{,**} r,
|
||||||
|
|
||||||
/etc/shells r,
|
/etc/shells r,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||||
|
owner @{run}/user/@{uid}/bus rw,
|
||||||
owner @{run}/user/@{uid}/dconf/ rw,
|
owner @{run}/user/@{uid}/dconf/ rw,
|
||||||
owner @{run}/user/@{uid}/dconf/user rw,
|
owner @{run}/user/@{uid}/dconf/user rw,
|
||||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||||
|
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||||
|
|
||||||
owner /tmp/#[0-9]* rw,
|
owner /tmp/#[0-9]* rw,
|
||||||
|
|
||||||
|
|
|
@ -26,9 +26,10 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
|
||||||
/usr/share/X11/xkb/** r,
|
/usr/share/X11/xkb/** r,
|
||||||
|
|
||||||
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
||||||
/var/lib/gdm/.config/dconf/user r,
|
/var/lib/gdm{3,}/.config/dconf/user r,
|
||||||
/var/lib/gdm/.local/share/icc/ rw,
|
/var/lib/gdm{3,}/.local/share/icc/ rw,
|
||||||
/var/lib/gdm/.local/share/icc/edid-*.icc rw,
|
/var/lib/gdm{3,}/.local/share/icc/edid-*.icc rw,
|
||||||
|
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||||
|
|
||||||
owner @{user_share_dirs}/icc/ r,
|
owner @{user_share_dirs}/icc/ r,
|
||||||
owner @{user_share_dirs}/icc/edid-*.icc rw,
|
owner @{user_share_dirs}/icc/edid-*.icc rw,
|
||||||
|
|
|
@ -22,7 +22,8 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
|
||||||
owner @{run}/user/@{uid}/dconf/ rw,
|
owner @{run}/user/@{uid}/dconf/ rw,
|
||||||
owner @{run}/user/@{uid}/dconf/user rw,
|
owner @{run}/user/@{uid}/dconf/user rw,
|
||||||
|
|
||||||
/var/lib/gdm/.config/dconf/user r,
|
/var/lib/gdm{3,}/.config/dconf/user r,
|
||||||
|
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||||
|
|
||||||
owner /dev/tty[0-9]* rw,
|
owner /dev/tty[0-9]* rw,
|
||||||
|
|
||||||
|
|
|
@ -24,8 +24,8 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
|
||||||
/usr/share/icons/{,**} r,
|
/usr/share/icons/{,**} r,
|
||||||
/usr/share/X11/xkb/** r,
|
/usr/share/X11/xkb/** r,
|
||||||
|
|
||||||
/var/lib/gdm/.config/dconf/user r,
|
/var/lib/gdm{3,}/.config/dconf/user r,
|
||||||
/var/lib/gdm/.config/.gsd-keyboard.settings-ported* rw,
|
/var/lib/gdm{3,}/.config/.gsd-keyboard.settings-ported* rw,
|
||||||
|
|
||||||
owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw,
|
owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw,
|
||||||
owner @{user_share_dirs}/gnome-settings-daemon/ rw,
|
owner @{user_share_dirs}/gnome-settings-daemon/ rw,
|
||||||
|
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
||||||
profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
|
profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/dconf>
|
include <abstractions/dconf>
|
||||||
|
include <abstractions/p11-kit>
|
||||||
|
|
||||||
signal (receive) set=(term, hup) peer=gdm*,
|
signal (receive) set=(term, hup) peer=gdm*,
|
||||||
|
|
||||||
|
@ -23,6 +24,7 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
|
||||||
owner @{run}/user/@{uid}/dconf/user rw,
|
owner @{run}/user/@{uid}/dconf/user rw,
|
||||||
|
|
||||||
/var/lib/gdm/.config/dconf/user r,
|
/var/lib/gdm/.config/dconf/user r,
|
||||||
|
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||||
|
|
||||||
owner /dev/tty[0-9]* rw,
|
owner /dev/tty[0-9]* rw,
|
||||||
|
|
||||||
|
|
|
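Review bot: `/var/lib/gdm/.config/dconf/user r,` in the second hunk is left as `gdm` while the line added directly below it, `/var/lib/gdm{3,}/greeter-dconf-defaults r,`, and the same dconf rule in gsd-datetime, gsd-keyboard and gsd-sound were changed to `gdm{3,}`. On a system whose gdm state directory is `/var/lib/gdm3` the greeter's dconf user database read would be denied for this profile only. Change it to `/var/lib/gdm{3,}/.config/dconf/user r,` to match the others.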
@ -22,8 +22,9 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
|
||||||
/var/lib/gdm/.local/share/sounds/ rw,
|
/var/lib/gdm{3,}/.local/share/sounds/ rw,
|
||||||
/var/lib/gdm/.config/dconf/user r,
|
/var/lib/gdm{3,}/.config/dconf/user r,
|
||||||
|
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||||
|
|
||||||
owner @{user_share_dirs}/sounds/ rw,
|
owner @{user_share_dirs}/sounds/ rw,
|
||||||
|
|
||||||
|
|
|
@ -26,15 +26,21 @@ profile gsd-xsettings @{exec_path} {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
/{usr/,}bin/cat rix,
|
||||||
|
/{usr/,}bin/which{,.debianutils} rix,
|
||||||
|
|
||||||
|
/{usr/,}bin/run-parts rCx -> run-parts,
|
||||||
/{usr/,}bin/busctl rPx,
|
/{usr/,}bin/busctl rPx,
|
||||||
/{usr/,}bin/pactl rPx,
|
/{usr/,}bin/pactl rPx,
|
||||||
/{usr/,}bin/xrdb rPx,
|
/{usr/,}bin/xrdb rPx,
|
||||||
/{usr/,}lib/ibus/ibus-x11 rPx,
|
/{usr/,}lib/ibus/ibus-x11 rPx,
|
||||||
|
@{libexec}/ibus-x11 rPx,
|
||||||
|
|
||||||
/usr/share/dconf/profile/gdm r,
|
/usr/share/dconf/profile/gdm r,
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
/usr/share/gdm/greeter-dconf-defaults r,
|
/usr/share/gdm/greeter-dconf-defaults r,
|
||||||
|
|
||||||
|
/etc/X11/Xsession.options r,
|
||||||
/etc/xdg/Xwayland-session.d/ r,
|
/etc/xdg/Xwayland-session.d/ r,
|
||||||
/etc/xdg/Xwayland-session.d/* rix,
|
/etc/xdg/Xwayland-session.d/* rix,
|
||||||
|
|
||||||
|
@ -47,10 +53,22 @@ profile gsd-xsettings @{exec_path} {
|
||||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
|
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
|
||||||
|
|
||||||
|
owner @{run}/systemd/users/@{uid}/ r,
|
||||||
|
@{run}/systemd/sessions/[0-9]* r,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
/dev/tty[0-9]* rw,
|
/dev/tty[0-9]* rw,
|
||||||
|
|
||||||
|
profile run-parts {
|
||||||
|
include <abstractions/base>
|
||||||
|
|
||||||
|
/{usr/,}bin/run-parts mr,
|
||||||
|
|
||||||
|
/etc/X11/Xresources/ r,
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
include if exists <local/gsd-xsettings>
|
include if exists <local/gsd-xsettings>
|
||||||
}
|
}
|
||||||
|
|
|
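Review bot: `owner @{run}/systemd/users/@{uid}/ r,` in the second hunk carries a trailing slash, so it only matches a directory, whereas the systemd-logind section on this page writes the same object as `@{run}/systemd/users/@{uid} rw,` with no slash, i.e. a file. AppArmor path rules are exact about that slash, so one of the two forms cannot match at runtime; check the denial that prompted the rule and align both profiles. The new `run-parts` child profile would also benefit from a one-line comment on why `/etc/X11/Xresources/ r,` is all it needs — presumably run-parts is invoked to list the directory rather than execute its contents, but the hunk does not say so.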
@ -22,17 +22,22 @@ profile tracker-extract @{exec_path} {
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/usr/share/applications/*.desktop r,
|
/usr/share/applications/*.desktop r,
|
||||||
|
/usr/share/dconf/profile/gdm r,
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
|
/usr/share/hwdata/*.ids r,
|
||||||
/usr/share/ladspa/rdf/{,**} r,
|
/usr/share/ladspa/rdf/{,**} r,
|
||||||
/usr/share/mime/mime.cache r,
|
/usr/share/mime/mime.cache r,
|
||||||
/usr/share/osinfo/{,**} r,
|
/usr/share/osinfo/{,**} r,
|
||||||
/usr/share/poppler/{,**} r,
|
/usr/share/poppler/{,**} r,
|
||||||
/usr/share/tracker3-miners/{,**} r,
|
/usr/share/tracker3-miners/{,**} r,
|
||||||
/usr/share/tracker3/{,**} r,
|
/usr/share/tracker3/{,**} r,
|
||||||
/usr/share/hwdata/*.ids r,
|
|
||||||
|
|
||||||
/etc/libva.conf r,
|
/etc/libva.conf r,
|
||||||
|
|
||||||
|
/var/lib/gdm{3,}/.cache/ rw,
|
||||||
|
/var/lib/gdm{3,}/.cache/tracker3/{,**} rw,
|
||||||
|
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||||
|
|
||||||
# Allow to search user files
|
# Allow to search user files
|
||||||
owner @{HOME}/{,**} r,
|
owner @{HOME}/{,**} r,
|
||||||
owner @{MOUNTS}/*/{,**} r,
|
owner @{MOUNTS}/*/{,**} r,
|
||||||
|
@ -42,6 +47,7 @@ profile tracker-extract @{exec_path} {
|
||||||
owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
|
owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
|
||||||
owner @{user_share_dirs}/gvfs-metadata/** r,
|
owner @{user_share_dirs}/gvfs-metadata/** r,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/bus rw,
|
||||||
owner @{run}/user/@{uid}/dconf/ rw,
|
owner @{run}/user/@{uid}/dconf/ rw,
|
||||||
owner @{run}/user/@{uid}/dconf/user rw,
|
owner @{run}/user/@{uid}/dconf/user rw,
|
||||||
@{run}/blkid/blkid.tab r,
|
@{run}/blkid/blkid.tab r,
|
||||||
|
|
|
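Review bot: `/var/lib/gdm{3,}/.cache/ rw,` and `/var/lib/gdm{3,}/.cache/tracker3/{,**} rw,` carry no `owner` qualifier, while the equivalent user-cache rule in the second hunk is `owner @{user_cache_dirs}/tracker3/files/{,**} rwk,`. The tracker-miner section on this page confines the same greeter cache differently, `/var/lib/gdm{3,}/.cache/tracker3/tracker3/files/{,**} rwk,`, so the two profiles disagree on both the breadth of the subtree and the lock permission. Unless the extractor really needs write access to everything under the greeter's `tracker3/` cache, narrow the rule to the subtree it actually writes and add `owner`, confirming the path against the denial log rather than this note.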
@ -9,20 +9,33 @@ include <tunables/global>
|
||||||
@{exec_path} = @{libexec}/tracker-miner-fs-{,control-}3
|
@{exec_path} = @{libexec}/tracker-miner-fs-{,control-}3
|
||||||
profile tracker-miner @{exec_path} {
|
profile tracker-miner @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/dbus-session-strict> # TODO: FIXME: See if we keep them like this.
|
||||||
include <abstractions/dconf>
|
include <abstractions/dconf>
|
||||||
include <abstractions/disks-read>
|
include <abstractions/disks-read>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/private-files-strict>
|
include <abstractions/private-files-strict>
|
||||||
include <abstractions/private-files>
|
include <abstractions/private-files>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/usr/share/tracker3/{,**} r,
|
/usr/share/applications/{,mimeinfo.cache,*.list} r,
|
||||||
/usr/share/tracker3-miners/{,**} r,
|
/usr/share/dconf/profile/gdm r,
|
||||||
|
/usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r,
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
/usr/share/applications/{,mimeinfo.cache} r,
|
|
||||||
/usr/share/mime/mime.cache r,
|
/usr/share/mime/mime.cache r,
|
||||||
|
/usr/share/tracker3-miners/{,**} r,
|
||||||
|
/usr/share/tracker3/{,**} r,
|
||||||
|
/usr/share/ubuntu/applications/ r,
|
||||||
|
|
||||||
|
/etc/fstab r,
|
||||||
|
|
||||||
/var/lib/flatpak/exports/share/applications/{,mimeinfo.cache} r,
|
/var/lib/flatpak/exports/share/applications/{,mimeinfo.cache} r,
|
||||||
|
/var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,
|
||||||
|
|
||||||
|
/var/lib/gdm{3,}/ r,
|
||||||
|
/var/lib/gdm{3,}/.cache/tracker3/tracker3/files/{,**} rwk,
|
||||||
|
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||||
|
|
||||||
owner /var/tmp/etilqs_[0-9a-f]* rw,
|
owner /var/tmp/etilqs_[0-9a-f]* rw,
|
||||||
|
|
||||||
# Allow to search user files
|
# Allow to search user files
|
||||||
|
|
|
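Review bot: The comment on the new include, `include <abstractions/dbus-session-strict> # TODO: FIXME: See if we keep them like this.`, does not say what "them" refers to or what the alternative is, so the next maintainer cannot act on it. State what is being trialled and what would replace it, e.g. `# TODO: temporary; replace with the specific dbus rules this miner needs (see <tracking issue placeholder>)`, or drop the marker if the include is meant to stay. The new `/var/lib/gdm{3,}/.cache/tracker3/tracker3/files/{,**} rwk,` rule likewise has no comment explaining why the miner writes into the greeter user's cache when confined in a regular session.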
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
||||||
|
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = /{usr/,}bin/NetworkManager
|
@{exec_path} = /{usr/,}{,s}bin/NetworkManager
|
||||||
profile NetworkManager @{exec_path} flags=(attach_disconnected) {
|
profile NetworkManager @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
|
@ -8,7 +8,7 @@ abi <abi/3.0>,
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = /{usr/,}lib/systemd/systemd-hostnamed
|
@{exec_path} = /{usr/,}lib/systemd/systemd-hostnamed
|
||||||
profile systemd-hostnamed @{exec_path} {
|
profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/systemd-common>
|
include <abstractions/systemd-common>
|
||||||
|
|
||||||
|
|
|
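Review bot: `flags=(attach_disconnected)` is added to systemd-hostnamed here, and likewise to systemd-localed, systemd-timedated and systemd-logind further down this page, with nothing recording which disconnected-path denial motivated it. attach_disconnected makes paths that are disconnected from the profile's namespace root match as if they were rooted at `/`, so every existing path rule in these profiles now also covers such paths. A short comment on the profile line naming the trigger, e.g. `flags=(attach_disconnected) # <denied path placeholder> from the service's private mount namespace — confirm against the audit log`, keeps that widening reviewable.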
@ -8,7 +8,7 @@ abi <abi/3.0>,
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = /{usr/,}lib/systemd/systemd-localed
|
@{exec_path} = /{usr/,}lib/systemd/systemd-localed
|
||||||
profile systemd-localed @{exec_path} {
|
profile systemd-localed @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/systemd-common>
|
include <abstractions/systemd-common>
|
||||||
|
|
|
@ -7,14 +7,16 @@ abi <abi/3.0>,
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = /{usr/,}lib/systemd/systemd-logind
|
@{exec_path} = /{usr/,}lib/systemd/systemd-logind
|
||||||
profile systemd-logind @{exec_path} flags=(complain) {
|
profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/dbus-strict>
|
||||||
include <abstractions/disks-write>
|
include <abstractions/disks-write>
|
||||||
include <abstractions/devices-usb>
|
include <abstractions/devices-usb>
|
||||||
include <abstractions/systemd-common>
|
include <abstractions/systemd-common>
|
||||||
|
|
||||||
capability chown,
|
capability chown,
|
||||||
capability dac_override,
|
capability dac_override,
|
||||||
|
capability dac_read_search,
|
||||||
capability fowner,
|
capability fowner,
|
||||||
capability sys_admin,
|
capability sys_admin,
|
||||||
capability sys_tty_config,
|
capability sys_tty_config,
|
||||||
|
@ -42,6 +44,10 @@ profile systemd-logind @{exec_path} flags=(complain) {
|
||||||
@{run}/udev/tags/uaccess/ r,
|
@{run}/udev/tags/uaccess/ r,
|
||||||
@{run}/udev/static_node-tags/uaccess/ r,
|
@{run}/udev/static_node-tags/uaccess/ r,
|
||||||
|
|
||||||
|
@{run}/udev/data/+backlight:intel_backlight r,
|
||||||
|
@{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs
|
||||||
|
@{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
|
||||||
|
@{run}/udev/data/+pci* r,
|
||||||
@{run}/udev/data/c10:[0-9]* r,
|
@{run}/udev/data/c10:[0-9]* r,
|
||||||
@{run}/udev/data/c116:[0-9]* r, # for ALSA
|
@{run}/udev/data/c116:[0-9]* r, # for ALSA
|
||||||
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
|
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
|
||||||
|
@ -52,46 +58,35 @@ profile systemd-logind @{exec_path} flags=(complain) {
|
||||||
@{run}/udev/data/c50[0-9]:[0-9]* r,
|
@{run}/udev/data/c50[0-9]:[0-9]* r,
|
||||||
@{run}/udev/data/c51[0-9]:[0-9]* r,
|
@{run}/udev/data/c51[0-9]:[0-9]* r,
|
||||||
|
|
||||||
@{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
|
@{run}/systemd/inhibit/ rw,
|
||||||
@{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs
|
@{run}/systemd/inhibit/.#* rw,
|
||||||
@{run}/udev/data/+backlight:intel_backlight r,
|
@{run}/systemd/inhibit/[0-9]*{,.ref} rw,
|
||||||
@{run}/udev/data/+pci* r,
|
|
||||||
|
|
||||||
@{run}/systemd/seats/ rw,
|
@{run}/systemd/seats/ rw,
|
||||||
@{run}/systemd/seats/.#seat* rw,
|
@{run}/systemd/seats/.#seat* rw,
|
||||||
@{run}/systemd/seats/seat[0-9]* rw,
|
@{run}/systemd/seats/seat[0-9]* rw,
|
||||||
@{run}/systemd/inhibit/ rw,
|
|
||||||
@{run}/systemd/inhibit/[0-9]*{,.ref} rw,
|
|
||||||
@{run}/systemd/inhibit/.#* rw,
|
|
||||||
@{run}/systemd/sessions/ rw,
|
@{run}/systemd/sessions/ rw,
|
||||||
@{run}/systemd/sessions/[0-9]*{,.ref} rw,
|
|
||||||
@{run}/systemd/sessions/.#* rw,
|
@{run}/systemd/sessions/.#* rw,
|
||||||
@{run}/systemd/users/ rw,
|
@{run}/systemd/sessions/[0-9]*{,.ref} rw,
|
||||||
@{run}/systemd/users/@{uid} rw,
|
|
||||||
@{run}/systemd/users/.#* rw,
|
|
||||||
@{run}/systemd/userdb/ r,
|
@{run}/systemd/userdb/ r,
|
||||||
|
@{run}/systemd/users/ rw,
|
||||||
|
@{run}/systemd/users/.#* rw,
|
||||||
|
@{run}/systemd/users/@{uid} rw,
|
||||||
|
|
||||||
/dev/input/event[0-9]* rw, # Input devices (keyboard, mouse, etc)
|
@{run}/systemd/journal/socket rw,
|
||||||
/dev/dri/card[0-9]* rw,
|
@{run}/systemd/notify rw,
|
||||||
/dev/tty[0-9]* rw,
|
|
||||||
/dev/nvme* r,
|
|
||||||
/dev/shm/{,**/} r,
|
|
||||||
/dev/mqueue/ r,
|
|
||||||
|
|
||||||
@{sys}/module/vt/parameters/default_utf8 r,
|
|
||||||
@{sys}/fs/cgroup/memory/memory.limit_in_bytes r,
|
|
||||||
@{sys}/fs/cgroup/memory.max r,
|
|
||||||
@{sys}/devices/virtual/tty/tty[0-9]*/active r,
|
|
||||||
@{sys}/devices/**/{uevent,enabled,status} r,
|
|
||||||
@{sys}/devices/**/brightness rw,
|
|
||||||
|
|
||||||
@{sys}/class/drm/ r,
|
@{sys}/class/drm/ r,
|
||||||
@{sys}/power/{state,resume_offset,resume,disk} r,
|
@{sys}/devices/**/{uevent,enabled,status} r,
|
||||||
|
@{sys}/devices/**/brightness rw,
|
||||||
@{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
|
@{sys}/devices/virtual/tty/tty[0-9]*/active r,
|
||||||
@{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
|
|
||||||
@{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
|
@{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
|
||||||
@{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r,
|
@{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r,
|
||||||
|
@{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
|
||||||
|
@{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
|
||||||
|
@{sys}/fs/cgroup/memory.max r,
|
||||||
|
@{sys}/fs/cgroup/memory/memory.limit_in_bytes r,
|
||||||
|
@{sys}/module/vt/parameters/default_utf8 r,
|
||||||
|
@{sys}/power/{state,resume_offset,resume,disk} r,
|
||||||
|
|
||||||
@{PROC}/@{pid}/cgroup r,
|
@{PROC}/@{pid}/cgroup r,
|
||||||
@{PROC}/@{pid}/comm r,
|
@{PROC}/@{pid}/comm r,
|
||||||
|
@ -103,5 +98,12 @@ profile systemd-logind @{exec_path} flags=(complain) {
|
||||||
@{PROC}/swaps r,
|
@{PROC}/swaps r,
|
||||||
@{PROC}/sysvipc/{shm,sem,msg} r,
|
@{PROC}/sysvipc/{shm,sem,msg} r,
|
||||||
|
|
||||||
|
/dev/dri/card[0-9]* rw,
|
||||||
|
/dev/input/event[0-9]* rw, # Input devices (keyboard, mouse, etc)
|
||||||
|
/dev/mqueue/ r,
|
||||||
|
/dev/nvme* r,
|
||||||
|
/dev/shm/{,**/} rw,
|
||||||
|
/dev/tty[0-9]* rw,
|
||||||
|
|
||||||
include if exists <local/systemd-logind>
|
include if exists <local/systemd-logind>
|
||||||
}
|
}
|
||||||
|
|
|
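Review bot: `capability dac_read_search,` is added in the first hunk without a comment, and it lets logind bypass read and search permission checks on every file and directory, so it deserves a note on which access needs it — it is the broadest of the additions in this section. The last hunk also widens `/dev/shm/{,**/} r,` to `rw,`; because the pattern ends in `/` this is write on directory paths under `/dev/shm`, which is again undocumented. The new `@{run}/systemd/journal/socket rw,` differs from the systemd-timesyncd rule on this page, `owner @{run}/systemd/journal/socket w,`; if the socket is only written to, `w` is the tighter form. Since the profile stays in `complain` mode (`flags=(attach_disconnected,complain)`), none of these widenings are enforced yet and a wrong one would only show up as a logged denial, which is the moment to verify them.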
@ -7,8 +7,9 @@ abi <abi/3.0>,
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = /{usr/,}lib/systemd/systemd-timedated
|
@{exec_path} = /{usr/,}lib/systemd/systemd-timedated
|
||||||
profile systemd-timedated @{exec_path} {
|
profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/dbus-strict>
|
||||||
include <abstractions/systemd-common>
|
include <abstractions/systemd-common>
|
||||||
|
|
||||||
capability sys_time,
|
capability sys_time,
|
||||||
|
|
|
@ -28,10 +28,10 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
|
||||||
owner /var/lib/systemd/timesync/clock rw,
|
owner /var/lib/systemd/timesync/clock rw,
|
||||||
|
|
||||||
owner @{run}/systemd/journal/socket w,
|
owner @{run}/systemd/journal/socket w,
|
||||||
owner @{run}/systemd/notify rw,
|
|
||||||
owner @{run}/systemd/timesync/synchronized rw,
|
owner @{run}/systemd/timesync/synchronized rw,
|
||||||
@{run}/systemd/netif/state r,
|
|
||||||
@{run}/resolvconf/*.conf r,
|
@{run}/resolvconf/*.conf r,
|
||||||
|
@{run}/systemd/netif/state r,
|
||||||
|
@{run}/systemd/notify rw,
|
||||||
|
|
||||||
include if exists <local/systemd-timesyncd>
|
include if exists <local/systemd-timesyncd>
|
||||||
}
|
}
|
||||||
|
|
|
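Review bot: `@{run}/systemd/notify rw,` on the new side drops the `owner` qualifier that the removed line `owner @{run}/systemd/notify rw,` had, and nothing in the hunk says why. If the reason is that the notify socket is root-owned while timesyncd runs under its own service user, so `owner` could never match, write it down, e.g. `@{run}/systemd/notify rw, # root-owned socket, service runs unprivileged: owner cannot match`; I cannot verify the ownership from this page. The sibling `owner @{run}/systemd/journal/socket w,` keeps `owner`, so the two rules now read as inconsistent.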
@ -11,8 +11,8 @@ include <tunables/global>
|
||||||
@{exec_path} += /{usr/,}lib/systemd/systemd-udevd
|
@{exec_path} += /{usr/,}lib/systemd/systemd-udevd
|
||||||
profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
|
profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/nameservice-strict>
|
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/systemd-common>
|
include <abstractions/systemd-common>
|
||||||
|
|
||||||
capability chown,
|
capability chown,
|
||||||
|
@ -49,12 +49,12 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
|
||||||
|
|
||||||
/{usr/,}{s,}bin/* rPUx,
|
/{usr/,}{s,}bin/* rPUx,
|
||||||
|
|
||||||
/{usr/,}lib/udev/* rPUx,
|
/{usr,/}lib/pm-utils/power.d/* rPUx,
|
||||||
/{usr/,}lib/systemd/systemd-* rPx,
|
/{usr,/}lib/snapd/snap-device-helper rPx, # TODO: but later
|
||||||
/{usr/,}lib/crda/* rPUx,
|
/{usr/,}lib/crda/* rPUx,
|
||||||
/{usr/,}lib/gdm-runtime-config rPx,
|
/{usr/,}lib/gdm-runtime-config rPx,
|
||||||
/{usr,/}lib/pm-utils/power.d/* PUx,
|
/{usr/,}lib/systemd/systemd-* rPx,
|
||||||
|
/{usr/,}lib/udev/* rPUx,
|
||||||
/usr/share/hplip/config_usb_printer.py rPUx,
|
/usr/share/hplip/config_usb_printer.py rPUx,
|
||||||
|
|
||||||
/etc/console-setup/*.sh rPUx,
|
/etc/console-setup/*.sh rPUx,
|
||||||
|
@ -83,20 +83,18 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
|
||||||
@{run}/udev/** rw,
|
@{run}/udev/** rw,
|
||||||
|
|
||||||
@{run}/systemd/seats/seat[0-9]* r,
|
@{run}/systemd/seats/seat[0-9]* r,
|
||||||
|
@{run}/systemd/notify rw,
|
||||||
|
|
||||||
@{sys}/** rw,
|
@{sys}/** rw,
|
||||||
|
|
||||||
/dev/ rw,
|
|
||||||
/dev/** rwk,
|
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/loginuid r,
|
owner @{PROC}/@{pid}/loginuid r,
|
||||||
owner @{PROC}/@{pid}/oom_score_adj rw,
|
owner @{PROC}/@{pid}/oom_score_adj rw,
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
@{PROC}/@{pids}/cgroup r,
|
@{PROC}/@{pids}/cgroup r,
|
||||||
@{PROC}/devices r,
|
@{PROC}/devices r,
|
||||||
|
|
||||||
# file_inherit
|
/dev/ rw,
|
||||||
owner @{HOME}/.xsession-errors w,
|
/dev/** rwk,
|
||||||
|
|
||||||
deny /apparmor/.null rw,
|
deny /apparmor/.null rw,
|
||||||
|
|
||||||
|
|
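Review bot: `/{usr,/}lib/snapd/snap-device-helper rPx,` (new) and `/{usr,/}lib/pm-utils/power.d/* rPUx,` (changed from `PUx`) both use the alternation `{usr,/}`, which expands to `/usrlib/...` and `//lib/...`; every other rule on this page uses `{usr/,}`, which expands to `/usr/lib/...` and `/lib/...`. As written neither rule matches the real binaries, so those executions are not covered by the intended transition — only logged here, because the profile carries `complain`. Change both to `/{usr/,}lib/...`. The `rPx` transition also needs a `snap-device-helper` profile to exist (none is visible in this commit), and `# TODO: but later` does not say what is deferred; name the missing profile in the comment.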