feat(profiles): general update.

Alexandre Pujol 2023-04-15 11:55:41 +01:00
parent c039fe6c99
commit 0e21955b0e
10 changed files with 48 additions and 44 deletions


@ -30,5 +30,7 @@ profile gvfsd-dav @{exec_path} {
owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/ rw,
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
include if exists <local/gvfsd-dav> include if exists <local/gvfsd-dav>
} }
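Review bot: The socket rule kept as context just before the new `disable_ipv6` entry, `socket-[a-zA-z0-9]*`, has a lowercase `z` in the `A-z` range; in ASCII order that range also matches `[`, `\`, `]`, `^`, `_` and the backtick, so the rule is slightly wider than the intended `[a-zA-Z0-9]`. The commit does not touch that line, but since it sits next to the new rule it is cheap to correct here: `owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-Z0-9]* rw,`. The new read-only rule for `@{PROC}/sys/net/ipv6/conf/all/disable_ipv6` itself looks fine.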


@ -18,6 +18,8 @@ profile gvfsd-sftp @{exec_path} {
/{usr/,}bin/ssh rPx, /{usr/,}bin/ssh rPx,
owner @{run}/user/@{uid}/gvfsd-sftp/ rw,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
/dev/ptmx rw, /dev/ptmx rw,


@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/udevadm @{exec_path} = /{usr/,}bin/udevadm
@{exec_path} += /{usr/,}lib/systemd/systemd-udevd @{exec_path} += /{usr/,}lib/systemd/systemd-udevd
profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) { profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -60,6 +60,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
/{usr/,}lib/crda/* rPUx, /{usr/,}lib/crda/* rPUx,
/{usr/,}lib/gdm-runtime-config rPx, /{usr/,}lib/gdm-runtime-config rPx,
/{usr/,}lib/systemd/systemd-* rPx, /{usr/,}lib/systemd/systemd-* rPx,
@{libexec}/nfsrahead rPUx,
/{usr/,}lib/udev/* rPUx, /{usr/,}lib/udev/* rPUx,
/{usr/,}lib/open-iscsi/net-interface-handler rPUx, /{usr/,}lib/open-iscsi/net-interface-handler rPUx,
/usr/share/hplip/config_usb_printer.py rPUx, /usr/share/hplip/config_usb_printer.py rPUx,
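Review bot: The new `@{libexec}/nfsrahead rPUx,` rule lets udevd fall back to running nfsrahead unconfined whenever no profile for it is loaded, which for a helper spawned by a root daemon is the broadest of the exec transitions. If the fallback is deliberate because no nfsrahead profile exists yet, a one-line comment next to the rule saying so would make that explicit; otherwise `rPx` together with a dedicated profile is the tighter choice. Note that the first hunk keeps this profile in complain mode, so the corrected `flags=(attach_disconnected,complain)` still means none of these rules are enforced yet.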


@ -10,6 +10,7 @@ include <tunables/global>
profile cockpit-tls @{exec_path} { profile cockpit-tls @{exec_path} {
include <abstractions/base> include <abstractions/base>
network inet stream,
network inet6 stream, network inet6 stream,
@{exec_path} mr, @{exec_path} mr,


@ -13,10 +13,8 @@ profile nmap @{exec_path} {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
capability net_raw,
capability net_bind_service, capability net_bind_service,
capability net_raw,
signal (receive) set=(term, kill) peer=zenmap,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
@ -27,12 +25,19 @@ profile nmap @{exec_path} {
network netlink raw, network netlink raw,
network packet raw, network packet raw,
signal (receive) set=(term, kill) peer=zenmap,
@{exec_path} mr, @{exec_path} mr,
/usr/share/nmap/** r,
owner /tmp/zenmap-stdout-* rw,
owner /tmp/zenmap-*.xml rw,
owner @{PROC}/@{pid}/net/dev r, owner @{PROC}/@{pid}/net/dev r,
owner @{PROC}/@{pid}/net/if_inet6 r, owner @{PROC}/@{pid}/net/if_inet6 r,
owner @{PROC}/@{pid}/net/route r,
owner @{PROC}/@{pid}/net/ipv6_route r, owner @{PROC}/@{pid}/net/ipv6_route r,
owner @{PROC}/@{pid}/net/route r,
# unprivileged # unprivileged
# @{PROC}/@{pid}/net/dev r, # @{PROC}/@{pid}/net/dev r,
@ -40,10 +45,5 @@ profile nmap @{exec_path} {
# @{PROC}/@{pid}/net/route r, # @{PROC}/@{pid}/net/route r,
# @{PROC}/@{pid}/net/ipv6_route r, # @{PROC}/@{pid}/net/ipv6_route r,
/usr/share/nmap/** r,
owner /tmp/zenmap-stdout-* rw,
owner /tmp/zenmap-*.xml rw,
include if exists <local/nmap> include if exists <local/nmap>
} }


@ -25,7 +25,9 @@ profile scrcpy @{exec_path} {
/{usr/,}bin/adb rPx, /{usr/,}bin/adb rPx,
/usr/share/scrcpy/{,*} r, /usr/share/scrcpy/{,*} r,
/usr/share/icons/**/scrcpy.png r, /usr/share/icons/{,**} r,
/etc/machine-id r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
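Review bot: The icon rule is widened from the single `/usr/share/icons/**/scrcpy.png` to the whole `/usr/share/icons/{,**}` tree without a comment explaining why, presumably because the tool looks up other theme icons. Read access to that tree is low risk, but a short `# Icon theme lookup` comment above the rule would document the intent, and if the profile already includes an abstraction that grants icon-theme reads the rule may be redundant — worth checking against the includes outside this hunk. The added `/etc/machine-id r,` pairs naturally with the existing `/var/lib/dbus/machine-id` read.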


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/which{.debianutils,} @{exec_path} = /{usr/,}bin/which{.debianutils,}
profile which @{exec_path} flags=(complain) { profile which @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}sbin/wpa_action @{exec_path} = /{usr/,}{s,}bin/wpa_action
profile wpa-action @{exec_path} { profile wpa-action @{exec_path} {
include <abstractions/base> include <abstractions/base>
@ -16,27 +16,26 @@ profile wpa-action @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}sbin/wpa_cli rPx, /{usr/,}{s,}bin/wpa_cli rPx,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/logger rix,
/{usr/,}bin/ln rix,
/{usr/,}sbin/ifup rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/ip rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cat rix, /{usr/,}bin/cat rix,
/{usr/,}bin/date rix, /{usr/,}bin/date rix,
/{usr/,}bin/ip rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/logger rix,
/{usr/,}bin/rm rix,
/{usr/,}sbin/ifup rix,
/etc/wpa_supplicant/{,**} r, /etc/wpa_supplicant/{,**} r,
/etc/network/interfaces r,
/etc/network/interfaces.d/{,*} r,
owner @{run}/wpa_action.wlan[0-9]*.ifupdown rw, owner @{run}/wpa_action.wlan[0-9]*.ifupdown rw,
owner @{run}/wpa_action.wlan[0-9]*.timestamp rw, owner @{run}/wpa_action.wlan[0-9]*.timestamp rw,
owner @{run}/network/ifstate.wlan[0-9]* rwk, owner @{run}/network/ifstate.wlan[0-9]* rwk,
owner @{run}/sendsigs.omit.d/wpasupplicant.wpa_supplicant.wlan[0-9]*.pid rw, owner @{run}/sendsigs.omit.d/wpasupplicant.wpa_supplicant.wlan[0-9]*.pid rw,
/etc/network/interfaces r,
/etc/network/interfaces.d/{,*} r,
include if exists <local/wpa-action> include if exists <local/wpa-action>
} }


@ -6,21 +6,21 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}sbin/wpa_cli @{exec_path} = /{usr/,}{s,}bin/wpa_cli
profile wpa-cli @{exec_path} { profile wpa-cli @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}sbin/wpa_action rPx, /{usr/,}{s,}/wpa_action rPx,
/etc/inputrc r,
owner @{HOME}/.wpa_cli_history rw,
owner @{HOME}/.wpa_cli_history-[0-9]*.tmp rw,
owner @{run}/wpa_supplicant/ r, owner @{run}/wpa_supplicant/ r,
owner /tmp/wpa_ctrl_@{pid}-[0-9] rw, owner /tmp/wpa_ctrl_@{pid}-[0-9] rw,
# for interactive mode
/etc/inputrc r,
owner @{HOME}/.wpa_cli_history rw,
owner @{HOME}/.wpa_cli_history-[0-9]*.tmp rw,
include if exists <local/wpa-cli> include if exists <local/wpa-cli>
} }
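Review bot: The rewritten exec rule on the first hunk's changed line reads `/{usr/,}{s,}/wpa_action rPx,` and is missing `bin` — it expands to paths such as `/s/wpa_action` and `/usr//wpa_action`, none of which is where wpa_action lives, so once enforced wpa_cli loses its transition into the wpa-action profile. It should match the exec path the wpa-action profile itself now declares in this same commit: `/{usr/,}{s,}bin/wpa_action rPx,`. The reordering of the `# for interactive mode` rules below it is fine.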


@ -9,32 +9,29 @@ include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/wpa_gui @{exec_path} = /{usr/,}{s,}bin/wpa_gui
profile wpa-gui @{exec_path} { profile wpa-gui @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/X>
@{exec_path} mr, @{exec_path} mr,
/usr/share/hwdata/pnp.ids r,
/usr/share/qt5ct/** r,
owner @{user_config_dirs}/qt5ct/{,**} r,
owner /tmp/wpa_ctrl_@{pid}-[0-9] w, owner /tmp/wpa_ctrl_@{pid}-[0-9] w,
owner /dev/shm/#[0-9]*[0-9] rw,
@{run}/wpa_supplicant/ r, @{run}/wpa_supplicant/ r,
/dev/shm/#[0-9]*[0-9] rw,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
/usr/share/hwdata/pnp.ids r,
# file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
include if exists <local/wpa-gui> include if exists <local/wpa-gui>