mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-14 23:43:56 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

update apparmor profiles

Browse Source
This commit is contained in:
Mikhail Morfikov 2021-02-13 15:00:16 +01:00
parent 8e075d25fa
commit 0f64093e46
No known key found for this signature in database
GPG Key ID: 32D9CB634796CCA1
96 changed files with 645 additions and 240 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
apparmor.d/abstractions/devices-usb Normal file
View File

@ -0,0 +1,30 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/dev/ r,
/dev/bus/usb/ r,
/dev/bus/usb/[0-9]*/ r,
/dev/bus/usb/[0-9]*/[0-9]* rw,
@{sys}/class/ r,
@{sys}/bus/ r,
@{sys}/bus/usb/ r,
@{sys}/bus/usb/devices/{,**} r,
@{sys}/devices/**/usb[0-9]/{,**} rw,
# Udev data about usb devices (~equal to content of lsusb -v)
@{run}/udev/data/+usb:* r,
@{run}/udev/data/c16[6,7]* r,
@{run}/udev/data/c18[0,8,9]* r,

2
apparmor.d/abstractions/disks-read
View File

@ -20,7 +20,7 @@
/dev/sd[a-z][0-9]* rk,
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/ r,
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/** r,
@{sys}/devices/pci[0-9]*/**/{usb,ata}[1-9]/** r,
@{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r,
# SD card devices
/dev/mmcblk[0-9]* rk,

2
apparmor.d/abstractions/disks-write
View File

@ -20,7 +20,7 @@
/dev/sd[a-z][0-9]* rwk,
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/ r,
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/** r,
@{sys}/devices/pci[0-9]*/**/{usb,ata}[1-9]/** r,
@{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r,
# SD card devices
/dev/mmcblk[0-9]* rwk,

9
apparmor.d/abstractions/libvirt-lxc
View File

@ -1,4 +1,8 @@
include <abstractions/base>
#include <abstractions/base>
# Allow receiving signals from libvirtd
signal (receive) peer=libvirtd,
signal (receive) peer=/usr/sbin/libvirtd,
umount,
@ -112,3 +116,6 @@
deny /sys/fs/cgrou[^p]*{,/**} wklx,
deny /sys/fs/cgroup?*{,/**} wklx,
deny /sys/fs?*{,/**} wklx,
# Site-specific additions and overrides. See local/README for details.
#include <local/abstractions/libvirt-lxc>

10
apparmor.d/abstractions/libvirt-qemu
View File

@ -1,6 +1,6 @@
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice>
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
# required for reading disk images
capability dac_override,
@ -102,6 +102,7 @@
# the various binaries
/usr/bin/kvm rmix,
/usr/bin/kvm-spice rmix,
/usr/bin/qemu rmix,
/usr/bin/qemu-aarch64 rmix,
/usr/bin/qemu-alpha rmix,
@ -242,3 +243,6 @@
# /sys/bus/nd/devices
/ r, # harmless on any lsb compliant system
/sys/bus/nd/devices/{,**/} r,
# Site-specific additions and overrides. See local/README for details.
#include <local/abstractions/libvirt-qemu>

6
apparmor.d/adequate
View File

@ -36,7 +36,11 @@ profile adequate @{exec_path} flags=(complain) {
/{usr/,}bin/pkg-config rCx -> pkg-config,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/dpkg-query rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
#
/{usr/,}bin/update-alternatives rPx,
/var/lib/adequate/pending rwk,

2
apparmor.d/amarok
View File

@ -52,6 +52,7 @@ profile amarok @{exec_path} {
include <abstractions/wutmp>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/devices-usb>
include <abstractions/deny-root-dir-access>
ptrace (trace) peer=@{profile_name},
@ -160,7 +161,6 @@ profile amarok @{exec_path} {
deny @{sys}/devices/ r,
deny @{sys}/devices/virtual/net/**/{uevent,type} r,
deny @{sys}/devices/virtual/sound/seq/uevent r,
deny @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{manufacturer,product,uevent,type} r,
deny @{sys}/devices/system/node/ r,
deny @{run}/udev/data/* r,

11
apparmor.d/android-studio
View File

@ -33,6 +33,7 @@ profile android-studio @{exec_path} {
include <abstractions/mesa>
include <abstractions/audio>
include <abstractions/python>
include <abstractions/devices-usb>
include <abstractions/deny-root-dir-access>
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
@ -230,11 +231,6 @@ profile android-studio @{exec_path} {
/dev/kvm rw,
/dev/bus/usb/ r,
/dev/bus/usb/[0-9]*/ r,
/dev/bus/usb/[0-9]*/[0-9]* rw,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/serial r,
@{sys}/devices/virtual/block/**/rotational r,
@ -282,7 +278,10 @@ profile android-studio @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,

5
apparmor.d/anki
View File

@ -185,6 +185,11 @@ profile anki @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

6
apparmor.d/apt-key
View File

@ -43,7 +43,11 @@ profile apt-key @{exec_path} {
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/dpkg-query rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
#
/{usr/,}bin/apt-config rPx,
# For shell pwd

5
apparmor.d/apt-listbugs
View File

@ -36,7 +36,10 @@ profile apt-listbugs @{exec_path} {
/{usr/,}bin/logname rix,
/{usr/,}bin/apt-config rPx,
/{usr/,}bin/dpkg-query rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
/usr/local/lib/site_ruby/[0-9].[0-9].[0-9]/**.rb r,

6
apparmor.d/apt-listchanges
View File

@ -30,7 +30,11 @@ profile apt-listchanges @{exec_path} {
/{usr/,}bin/tar rix,
/{usr/,}bin/hostname rPx,
/{usr/,}bin/dpkg-deb rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-deb rpx,
#
/{usr/,}bin/sensible-pager rCx -> pager,
# Send results using email
/{usr/,}sbin/exim4 rPx,

3
apparmor.d/apt-systemd-daily
View File

@ -14,7 +14,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/apt.systemd.daily
profile apt-systemd-daily @{exec_path} {
profile apt-systemd-daily @{exec_path} flags=(complain) {
include <abstractions/base>
# Needed to remove the following error:
@ -55,6 +55,7 @@ profile apt-systemd-daily @{exec_path} {
/var/lib/apt/daily_lock wk,
/var/lib/apt/extended_states r,
/var/lib/apt/periodic/autoclean-stamp w,
/var/backups/ r,
/var/backups/apt.extended_states rw,

83
apparmor.d/arduino
View File

@ -22,7 +22,7 @@ profile arduino @{exec_path} {
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/deny-dconf>
include <abstractions/devices-usb>
network inet dgram,
network inet6 dgram,
@ -30,69 +30,63 @@ profile arduino @{exec_path} {
network inet6 stream,
network netlink raw,
ptrace (read) peer=arduino//open,
ptrace (read) peer=arduino-builder,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/id rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/groups rix,
/{usr/,}bin/avr-g++ rix,
/{usr/,}bin/avr-gcc rix,
/{usr/,}bin/avr-size rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/avrdude rix,
/{usr/,}lib/gcc/avr/*/cc1plus rix,
/{usr/,}lib/gcc/avr/*/cc1 rix,
/{usr/,}lib/gcc/avr/*/collect2 rix,
/{usr/,}lib/avr/bin/as rix,
/{usr/,}lib/avr/bin/ar rix,
/{usr/,}lib/avr/bin/ld rix,
/{usr/,}lib/avr/bin/objcopy rix,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/dpkg-architecture rPx,
/{usr/,}bin/arduino-builder rPx,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/bin/java rix,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/lib/server/classes.jsa mr,
/usr/share/java/*.jar r,
/etc/java-[0-9]*-openjdk/** r,
/etc/ssl/certs/java/cacerts r,
owner @{HOME}/.java/fonts/*/ rw,
owner @{HOME}/.java/fonts/*/fcinfo[0-9]*.tmp rw,
owner @{HOME}/.java/fonts/*/fcinfo-*.properties rw,
/usr/share/arduino/ r,
/usr/share/arduino/** r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/user rw,
/usr/share/doc/arduino-core/ r,
/usr/share/doc/arduino-core/** r,
/usr/share/arduino/{,**} r,
/usr/share/arduino-builder/{,**} r,
/usr/share/doc/arduino/{,**} r,
/usr/share/doc/arduino-core/{,**} r,
owner @{HOME}/ r,
owner @{HOME}/.arduino/ rw,
owner @{HOME}/.arduino/preferences.txt rw,
owner @{HOME}/sketchbook/ rw,
owner @{HOME}/sketchbook/** rw,
owner @{HOME}/.arduino{,15}/{,**} rw,
owner @{HOME}/Arduino/{,**} rw,
owner @{HOME}/sketchbook/{,**} rw,
owner @{HOME}/.Xauthority r,
/tmp/ r,
owner /tmp/cc*.s rw,
owner /tmp/cc*.res rw,
owner /tmp/cc*.c rw,
owner /tmp/cc*.o rw,
owner /tmp/cc*.ld rw,
owner /tmp/cc*.le rw,
owner /tmp/cc*.{s,res,c,o,ld,le} rw,
owner /tmp/hsperfdata_*/ rw,
owner /tmp/hsperfdata_*/@{pid} rw,
owner /tmp/untitled[0-9]*.tmp rw,
owner /tmp/untitled[0-9]*.tmp/ rw,
owner /tmp/untitled[0-9]*.tmp/sketch_*/ rw,
owner /tmp/untitled[0-9]*.tmp/sketch_*/sketch_*.ino rw,
owner /tmp/untitled[0-9]*.tmp/sketch_*/sketch_*.ino[0-9]*.tmp rw,
owner /tmp/untitled[0-9]*.tmp/{,**} rw,
owner /tmp/console[0-9]*.tmp rw,
owner /tmp/console[0-9]*.tmp/ rw,
owner /tmp/console[0-9]*.tmp/stdout.txt rw,
owner /tmp/console[0-9]*.tmp/stderr.txt rw,
owner /tmp/console[0-9]*.tmp/{,**} rw,
owner /tmp/build[0-9]*.tmp rw,
owner /tmp/build[0-9]*.tmp/ rw,
owner /tmp/build[0-9]*.tmp/* rw,
owner /tmp/build[0-9]*.tmp/{,**} rw,
owner /tmp/arduino_{build,cache}_[0-9]*/{,**} rw,
owner /tmp/{library,package}_index.json*.tmp* rw,
owner /tmp/arduino_modified_sketch_[0-9]*/{,**} rw,
owner @{run}/lock/tmp* rw,
owner @{run}/lock/LCK..ttyS[0-9]* rw,
@ -104,6 +98,9 @@ profile arduino @{exec_path} {
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/stat r,
# For java
@{PROC}/@{pids}/stat r,
#
owner @{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/net/if_inet6 r,
@{PROC}/@{pid}/net/ipv6_route r,
@ -113,12 +110,11 @@ profile arduino @{exec_path} {
/etc/avrdude.conf r,
@{sys}/fs/cgroup/** r,
@{sys}/class/tty/ r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,manufacturer,serial,product} r,
/dev/ r,
/dev/ttyS[0-9]* rw,
/dev/bus/usb/ r,
/dev/bus/usb/[0-9]*/ r,
/dev/bus/usb/[0-9]*/[0-9]* rw,
/dev/ttyACM[0-9]* rw,
# Silencer
deny /usr/share/arduino/** w,
@ -130,9 +126,10 @@ profile arduino @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,

56
apparmor.d/arduino-builder Normal file
View File

@ -0,0 +1,56 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/arduino-builder
profile arduino-builder @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/ r,
/{usr/,}bin/avr-g++ rix,
/{usr/,}bin/avr-gcc rix,
/{usr/,}bin/avr-gcc-ar rix,
/{usr/,}bin/avr-size rix,
/{usr/,}bin/avrdude rix,
/{usr/,}lib/gcc/avr/[0-9]*/cc1plus rix,
/{usr/,}lib/gcc/avr/[0-9]*/cc1 rix,
/{usr/,}lib/gcc/avr/[0-9]*/collect2 rix,
/{usr/,}lib/gcc/avr/[0-9]*/lto-wrapper rix,
/{usr/,}lib/gcc/avr/[0-9]*/lto1 rix,
/{usr/,}lib/avr/bin/as rix,
/{usr/,}lib/avr/bin/ar rix,
/{usr/,}lib/avr/bin/ld rix,
/{usr/,}lib/avr/bin/objcopy rix,
/{usr/,}bin/arduino-ctags rPx,
/usr/share/arduino/{,**} r,
/usr/share/arduino-builder/{,**} r,
/usr/share/doc/arduino/{,**} r,
owner @{HOME}/Arduino/{,**} r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
/tmp/ r,
owner /tmp/cc* rw,
owner /tmp/untitled[0-9]*.tmp/{,**} rw,
owner /tmp/arduino_{build,cache}_[0-9]*/{,**} rw,
owner /tmp/arduino_modified_sketch_[0-9]*/{,**} rw,
include if exists <local/arduino-builder>
}

27
apparmor.d/arduino-ctags Normal file
View File

@ -0,0 +1,27 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/arduino-ctags
profile arduino-ctags @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
owner /tmp/tags.* rw,
owner /tmp/arduino_build_[0-9]*/** r,
include if exists <local/arduino-ctags>
}

5
apparmor.d/at-spi-bus-launcher
View File

@ -18,7 +18,6 @@ include <tunables/global>
profile at-spi-bus-launcher @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/deny-dconf>
include <abstractions/deny-root-dir-access>
# Needed?
@ -40,6 +39,10 @@ profile at-spi-bus-launcher @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,

5
apparmor.d/atom
View File

@ -191,6 +191,11 @@ profile atom @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

5
apparmor.d/birdtray
View File

@ -87,6 +87,11 @@ profile birdtray @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

5
apparmor.d/brave
View File

@ -209,6 +209,11 @@ profile brave @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

23
apparmor.d/calibre
View File

@ -46,6 +46,7 @@ profile calibre @{exec_path} {
include <abstractions/python>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/devices-usb>
include <abstractions/deny-root-dir-access>
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
@ -142,25 +143,8 @@ profile calibre @{exec_path} {
/{usr/,}lib/@{multiarch}/qt5/libexec/QtWebEngineProcess rix,
/usr/share/qt5/**.pak r,
# For sending books to a phone
/dev/bus/usb/ r,
/dev/bus/usb/** rw,
@{sys}/class/ r,
@{sys}/bus/ r,
@{sys}/bus/usb/devices/ r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{bDeviceClass,bcdDevice,manufacturer,product} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{idVendor,idProduct} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}serial r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{speed,descriptors,bConfigurationValue,interface} r,
@{sys}/devices/pci[0-9]*/**/irq r,
@{run}/udev/data/+usb* r, #
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
/dev/shm/ r,
/dev/shm/#[0-9]*[0-9] rw,
owner /dev/shm/.org.chromium.Chromium.* rw,
@ -185,7 +169,10 @@ profile calibre @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,

8
apparmor.d/cawbird
View File

@ -50,7 +50,8 @@ profile cawbird @{exec_path} {
# This is needed as cawbird stores its settings in the dconf database.
include <abstractions/dconf>
@{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
@ -76,6 +77,11 @@ profile cawbird @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

2
apparmor.d/chage
View File

@ -22,6 +22,8 @@ profile chage @{exec_path} {
# To write records to the kernel auditing log.
capability audit_write,
network netlink raw,
@{exec_path} mr,
/etc/login.defs r,

6
apparmor.d/check-support-status
View File

@ -46,7 +46,11 @@ profile check-support-status @{exec_path} {
/{usr/,}bin/envsubst rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/dpkg-query rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/debconf-escape rCx -> debconf-escape,

5
apparmor.d/child-dpkg
View File

@ -29,7 +29,10 @@ profile child-dpkg {
/{usr/,}bin/dpkg mr,
/{usr/,}bin/dpkg-query rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
/etc/dpkg/dpkg.cfg.d/{,*} r,
/etc/dpkg/dpkg.cfg r,

6
apparmor.d/child-lsb_release
View File

@ -45,7 +45,11 @@ profile child-lsb_release {
# /{usr/,}bin/sed ixr,
# /{usr/,}bin/tr ixr,
/{usr/,}bin/dpkg-query rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
/{usr/,}bin/apt-cache rPx,
/{usr/,}bin/ r,

5
apparmor.d/chromium-chromium
View File

@ -197,7 +197,10 @@ profile chromium-chromium @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,

8
apparmor.d/colord
View File

@ -17,6 +17,7 @@ include <tunables/global>
profile colord @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/devices-usb>
network netlink raw,
@ -32,18 +33,11 @@ profile colord @{exec_path} {
/usr/share/color/icc/{,**} r,
@{sys}/bus/ r,
@{sys}/bus/usb/devices/ r,
@{sys}/class/ r,
@{sys}/class/drm/ r,
@{sys}/class/video4linux/ r,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP}-*/{enabled,edid} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{uevent,bDeviceClass,removable} r,
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
@{run}/udev/data/+usb:* r, #
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,

11
apparmor.d/colord-sane
View File

@ -17,6 +17,7 @@ include <tunables/global>
@{exec_path} += /usr/libexec/colord-sane
profile colord-sane @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/devices-usb>
network netlink raw,
@ -31,17 +32,9 @@ profile colord-sane @{exec_path} flags=(complain) {
/var/lib/snmp/{mib,cert}_indexes/ rw,
/usr/share/snmp/mibs/{,*} r,
/dev/bus/usb/ r,
@{sys}/bus/ r,
@{sys}/bus/usb/devices/ r,
@{sys}/bus/scsi/devices/ r,
@{sys}/class/ r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{uevent,busnum,devnum,speed,descriptors} r,
@{sys}/devices/pci[0-9]*/**/{vendor,model,type} r,
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
@{run}/udev/data/+usb:* r, #
@{sys}/devices/pci[0-9]*/**/{vendor,model,type} r,
@{PROC}/sys/dev/parport/ r,

1
apparmor.d/dbus-daemon
View File

@ -16,6 +16,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/dbus-daemon
profile dbus-daemon @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability setgid,

6
apparmor.d/debsums
View File

@ -33,7 +33,11 @@ profile debsums @{exec_path} {
/etc/locale.nopurge r,
/{usr/,}bin/dpkg-query rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
#
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/dpkg-divert rPx -> child-dpkg-divert,

5
apparmor.d/discord
View File

@ -199,6 +199,11 @@ profile discord @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

3
apparmor.d/dpkg
View File

@ -37,11 +37,12 @@ profile dpkg @{exec_path} {
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/dpkg-query rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
/{usr/,}bin/dpkg-deb rpx,
#
/{usr/,}bin/dpkg-split rPx,
/usr/share/debian-security-support/check-support-status.hook rPx,

5
apparmor.d/dpkg-split
View File

@ -22,7 +22,10 @@ profile dpkg-split @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dpkg-deb rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-deb rpx,
/var/lib/dpkg/parts/ r,
/var/lib/dpkg/parts/* r,

5
apparmor.d/dropbox
View File

@ -135,6 +135,11 @@ profile dropbox @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

5
apparmor.d/engrampa
View File

@ -101,6 +101,11 @@ profile engrampa @{exec_path} {
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

5
apparmor.d/firefox
View File

@ -201,6 +201,11 @@ profile firefox @{exec_path} {
/{usr/,}bin/exo-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

13
apparmor.d/firejail-default
View File

@ -4,7 +4,7 @@
# AppArmor 3.0 uses the @{run} variable in <abstractions/dbus-strict>
# and <abstractions/dbus-session-strict>.
include <tunables/global>
#include <tunables/global>
##########
# A simple PID declaration based on Ubuntu's @{pid}
@ -14,14 +14,14 @@ include <tunables/global>
##########
@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}
profile firejail-default flags=(attach_disconnected, complain, mediate_deleted) {
profile firejail-default flags=(attach_disconnected,mediate_deleted) {
##########
# Allow D-Bus access. It may negatively affect security. Comment those lines or
# use 'nodbus' option in profile if you don't need D-Bus functionality.
##########
include <abstractions/dbus-strict>
include <abstractions/dbus-session-strict>
#include <abstractions/dbus-strict>
#include <abstractions/dbus-session-strict>
dbus,
# Add rule in order to avoid dbus-*=filter breakage (#3432)
owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w,
@ -112,7 +112,8 @@ network inet6,
network unix,
network netlink,
network raw,
# needed for wireshark
# needed for wireshark, tcpdump etc
network bluetooth,
network packet,
##########
@ -161,5 +162,5 @@ capability setfcap,
#capability mac_admin,
# Site-specific additions and overrides. See local/README for details.
include <local/firejail-default>
#include <local/firejail-default>
}

5
apparmor.d/flameshot
View File

@ -84,6 +84,11 @@ profile flameshot @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

5
apparmor.d/freetube
View File

@ -132,6 +132,11 @@ profile freetube @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

2
apparmor.d/frontend
View File

@ -123,7 +123,7 @@ profile frontend @{exec_path} flags=(complain) {
@{sys}/ r,
@{sys}/**/ r,
@{run}/ r,
@{run}/** r,
@{run}/** rw,
/tmp/ r,
owner /tmp/** rw,

4
apparmor.d/geany
View File

@ -34,8 +34,10 @@ profile geany @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
# For the sorting feature
/{usr/,}bin/sort rix,
/{usr/,}bin/sort rix,
# When geany is run as root, it wants to exec dbus-launch, and hence it creates the two following
# root processes:

5
apparmor.d/google-chrome-chrome
View File

@ -192,6 +192,11 @@ profile google-chrome-chrome @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

5
apparmor.d/gpartedbin
View File

@ -217,6 +217,11 @@ profile gpartedbin @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

5
apparmor.d/gpodder
View File

@ -84,6 +84,11 @@ profile gpodder @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

5
apparmor.d/gtk-youtube-viewer
View File

@ -108,6 +108,11 @@ profile gtk-youtube-viewer @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

5
apparmor.d/hardinfo
View File

@ -168,6 +168,11 @@ profile hardinfo @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

5
apparmor.d/inxi
View File

@ -45,7 +45,10 @@ profile inxi @{exec_path} {
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/dpkg-query rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
/{usr/,}bin/compton rPx,
/{usr/,}bin/xrandr rPx,

5
apparmor.d/jdownloader
View File

@ -112,6 +112,11 @@ profile jdownloader @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

16
apparmor.d/keepassxc
View File

@ -31,6 +31,7 @@ profile keepassxc @{exec_path} {
include <abstractions/qt5-settings-write>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/devices-usb>
include <abstractions/deny-root-dir-access>
network inet dgram,
@ -90,16 +91,6 @@ profile keepassxc @{exec_path} {
/etc/fstab r,
@{sys}/bus/ r,
@{sys}/bus/usb/devices/ r,
@{sys}/class/ r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{uevent,speed,descriptors} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
@{run}/udev/data/+usb:* r, #
/dev/bus/usb/ r,
/dev/shm/#[0-9]*[0-9] rw,
# For browser integration
@ -133,6 +124,11 @@ profile keepassxc @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

2
apparmor.d/kodi
View File

@ -79,8 +79,8 @@ profile kodi @{exec_path} {
@{sys}/devices/**/uevent r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{bDeviceClass,idProduct,idVendor} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{bDeviceClass,idProduct,idVendor} r,
@{sys}/devices/system/node/node0/meminfo r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/temp r,

5
apparmor.d/labwc
View File

@ -26,6 +26,7 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/devices-usb>
include <abstractions/deny-root-dir-access>
network netlink raw,
@ -49,8 +50,6 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/drm/ r,
@{sys}/class/input/ r,
@{sys}/devices/pci[0-9]*/**/boot_vga r,
@ -62,11 +61,9 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+acpi* r, # for ?
@{run}/udev/data/+hid* r, # for HID-Compliant Keyboard
@{run}/udev/data/+pci* r, # for VGA compatible controller
@{run}/udev/data/+usb* r, # for USB mouse and keyboard
@{run}/udev/data/+sound:card* r, # for sound
@{run}/udev/data/+serio* r, # for touchpad?
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
@{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
@{run}/systemd/sessions/[0-9]* r,

5
apparmor.d/lsb_release
View File

@ -24,7 +24,10 @@ profile lsb_release @{exec_path} {
/{usr/,}bin/ r,
/{usr/,}bin/apt-cache rPx,
/{usr/,}bin/dpkg-query rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
/etc/lsb-release r,
/etc/debian_version r,

14
apparmor.d/lsusb
View File

@ -16,23 +16,13 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/lsusb
profile lsusb @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/devices-usb>
network netlink raw,
@{exec_path} mr,
/dev/bus/usb/ r,
/dev/bus/usb/** rw,
@{sys}/class/ r,
@{sys}/bus/ r,
@{sys}/bus/usb/devices/ r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**} r,
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
@{run}/udev/data/+usb:* r, #
/etc/udev/hwdb.bin r,
include if exists <local/lsusb>

5
apparmor.d/megasync
View File

@ -102,6 +102,11 @@ profile megasync @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner "@{HOME}/.local/share/data/Mega Limited/MEGAsync/" r,

5
apparmor.d/minitube
View File

@ -112,6 +112,11 @@ profile minitube @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

5
apparmor.d/mumble
View File

@ -91,6 +91,11 @@ profile mumble @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

5
apparmor.d/okular
View File

@ -109,6 +109,11 @@ profile okular @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

5
apparmor.d/opera
View File

@ -189,6 +189,11 @@ profile opera @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

5
apparmor.d/orage
View File

@ -58,6 +58,11 @@ profile orage @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

51
apparmor.d/pcb-gtk Normal file
View File

@ -0,0 +1,51 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pcb-gtk
profile pcb-gtk @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
@{exec_path} mr,
/usr/share/pcb/ListLibraryContents.sh rix,
/{usr/,}bin/dash rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/tr rix,
/usr/share/pcb/ r,
/usr/share/pcb/** r,
owner @{HOME}/.pcb/ rw,
owner @{HOME}/.pcb/preferences rw,
owner @{HOME}/PCB.[0-9]*.backup rw,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
include if exists <local/pcb-gtk>
}

6
apparmor.d/popularity-contest
View File

@ -34,7 +34,11 @@ profile popularity-contest @{exec_path} {
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/env rix,
/{usr/,}bin/dpkg-query rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
#
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/dpkg-divert rPx -> child-dpkg-divert,

5
apparmor.d/psi-plus
View File

@ -147,6 +147,11 @@ profile psi-plus @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

3
apparmor.d/qbittorrent
View File

@ -159,6 +159,9 @@ profile qbittorrent @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,

5
apparmor.d/qnapi
View File

@ -136,6 +136,11 @@ profile qnapi @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

7
apparmor.d/qpdfview
View File

@ -54,7 +54,7 @@ profile qpdfview @{exec_path} {
owner /media/**/ r,
/tmp/ r,
/tmp/mozilla_*/ r,
owner /{home,media,tmp/mozilla_*}/**.@{qpdfview_ext} rw,
owner /{home,media,tmp,tmp/mozilla_*}/**.@{qpdfview_ext} rw,
owner @{HOME}/.config/qpdfview/ rw,
owner @{HOME}/.config/qpdfview/* rwkl -> @{HOME}/.config/qpdfview/#[0-9]*[0-9],
@ -109,6 +109,11 @@ profile qpdfview @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

5
apparmor.d/querybts
View File

@ -70,6 +70,11 @@ profile querybts @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

5
apparmor.d/quiterss
View File

@ -102,6 +102,11 @@ profile quiterss @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

11
apparmor.d/reportbug
View File

@ -54,7 +54,11 @@ profile reportbug @{exec_path} {
/{usr/,}bin/debsums rPx,
/{usr/,}bin/dlocate rPx,
/{usr/,}bin/apt-cache rPx,
/{usr/,}bin/dpkg-query rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
#
/{usr/,}sbin/exim4 rPx,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
@ -127,6 +131,11 @@ profile reportbug @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

10
apparmor.d/scdaemon
View File

@ -16,6 +16,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/gnupg/scdaemon
profile scdaemon @{exec_path} {
include <abstractions/base>
include <abstractions/devices-usb>
network netlink raw,
@ -27,14 +28,7 @@ profile scdaemon @{exec_path} {
@{PROC}/@{pid}/task/@{tid}/comm rw,
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
@{run}/udev/data/+usb:* r, #
/dev/bus/usb/ r,
@{sys}/bus/ r,
@{sys}/bus/usb/devices/ r,
@{sys}/class/ r,
@{sys}/devices/pci[0-9]*/**/{busnum,devnum,descriptors,speed,uevent,bConfigurationValue} r,
@{sys}/devices/pci[0-9]*/**/bConfigurationValue r,
include if exists <local/scdaemon>
}

5
apparmor.d/smtube
View File

@ -98,6 +98,11 @@ profile smtube @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

5
apparmor.d/strawberry
View File

@ -129,6 +129,11 @@ profile strawberry @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

5
apparmor.d/syncthing
View File

@ -55,6 +55,11 @@ profile syncthing @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

52
apparmor.d/system-config-printer
View File

@ -13,8 +13,9 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/system-config-printer /usr/share/system-config-printer/system-config-printer.py
profile system-config-printer @{exec_path} {
@{exec_path} = /{usr/,}bin/system-config-printer
@{exec_path} += /usr/share/system-config-printer/system-config-printer.py
profile system-config-printer @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/python>
include <abstractions/nameservice-strict>
@ -23,7 +24,6 @@ profile system-config-printer @{exec_path} {
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/openssl>
include <abstractions/deny-dconf>
include <abstractions/deny-root-dir-access>
network inet stream,
@ -34,23 +34,55 @@ profile system-config-printer @{exec_path} {
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}lib/cups/*/* rCx -> cups,
# For HP printers
/usr/share/hplip/query.py rPUx,
/usr/share/system-config-printer/{,**} r,
/usr/share/cups/data/testprint r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/fstab r,
/etc/cups/cupsd.conf r,
/etc/cupshelpers/preferreddrivers.xml r,
/etc/papersize r,
# To set the default printer
owner @{HOME}/.cups/ rw,
owner @{HOME}/.cups/lpoptions rw,
owner /tmp/* rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
/etc/fstab r,
/etc/cups/cupsd.conf r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner /tmp/* rw,
include <abstractions/dconf>
@{run}/user/[0-9]*/dconf/ rw,
@{run}/user/[0-9]*/dconf/user rw,
# file_inherit
owner /dev/tty[0-9]* rw,
profile cups flags=(complain) {
include <abstractions/base>
network inet dgram,
network inet6 dgram,
/{usr/,}lib/cups/*/* mr,
/etc/cups/snmp.conf r,
}
include if exists <local/system-config-printer>
}

6
apparmor.d/tasksel
View File

@ -31,7 +31,11 @@ profile tasksel @{exec_path} flags=(complain) {
/usr/share/debconf/frontend rPx,
#/usr/share/debconf/frontend rCx -> frontend,
/{usr/,}bin/dpkg-query rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
#
/{usr/,}bin/apt-cache rPx,
/{usr/,}bin/debconf-apt-progress rPx,

8
apparmor.d/telegram-desktop
View File

@ -45,6 +45,8 @@ profile telegram-desktop @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
# Launch external apps
/{usr/,}bin/xdg-open rCx -> open,
@ -66,6 +68,7 @@ profile telegram-desktop @{exec_path} {
/dev/shm/#[0-9]*[0-9] rw,
owner @{PROC}/@{pid}/fd/ r,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
@ -97,7 +100,10 @@ profile telegram-desktop @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{TELEGRAM_WORK_DIR}/ r,

1
apparmor.d/thinkfan
View File

@ -20,6 +20,7 @@ profile thinkfan @{exec_path} {
@{exec_path} mr,
/etc/thinkfan.conf r,
/etc/thinkfan.yaml r,
@{sys}/devices/platform/**/hwmon/**/pwm[0-9]* rw,
@{sys}/devices/platform/**/hwmon/**/pwm[0-9]*_enable rw,

5
apparmor.d/thunderbird
View File

@ -254,6 +254,11 @@ profile thunderbird @{exec_path} {
/{usr/,}bin/exo-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

6
apparmor.d/ucf
View File

@ -41,7 +41,11 @@ profile ucf @{exec_path} flags=(complain) {
/{usr/,}bin/dirname rix,
/{usr/,}bin/stat rix,
/{usr/,}bin/dpkg-query rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
#
/{usr/,}bin/dpkg-divert rPx,
/{usr/,}bin/sensible-pager rCx -> pager,

11
apparmor.d/udevadm
View File

@ -40,8 +40,12 @@ profile udevadm @{exec_path} flags=(complain,attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/chgrp rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/chgrp rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/setfacl rix,
/{usr/,}bin/logger rix,
/{usr/,}bin/nohup rix,
/{usr/,}sbin/* rPUx,
@ -49,6 +53,8 @@ profile udevadm @{exec_path} flags=(complain,attach_disconnected) {
/{usr/,}lib/systemd/systemd-* rPUx,
/{usr/,}lib/crda/* rPUx,
/usr/share/hplip/config_usb_printer.py rPUx,
/etc/console-setup/*.sh rPUx,
/etc/default/* r,
@ -79,6 +85,7 @@ profile udevadm @{exec_path} flags=(complain,attach_disconnected) {
/dev/ rw,
/dev/** rwk,
owner @{PROC}/@{pid}/loginuid r,
owner @{PROC}/@{pid}/oom_score_adj rw,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/cgroup r,

5
apparmor.d/udiskie
View File

@ -59,6 +59,11 @@ profile udiskie @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

2
apparmor.d/uname
View File

@ -20,6 +20,8 @@ profile uname @{exec_path} {
@{exec_path} mr,
owner /tmp/mktexlsr.* rw,
# file_inherit
owner @{HOME}/.xsession-errors w,

6
apparmor.d/update-ca-certificates
View File

@ -90,7 +90,11 @@ profile update-ca-certificates @{exec_path} {
/{usr/,}bin/sed rix,
/{usr/,}bin/head rix,
/{usr/,}bin/mountpoint rix,
/{usr/,}bin/dpkg-query rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
#
/{usr/,}bin/dpkg rPx -> child-dpkg,
/usr/share/ca-certificates-java/ca-certificates-java.jar r,

8
apparmor.d/upowerd
View File

@ -16,6 +16,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/upower/upowerd /usr/libexec/upowerd
profile upowerd @{exec_path} {
include <abstractions/base>
include <abstractions/devices-usb>
network netlink raw,
@ -30,12 +31,8 @@ profile upowerd @{exec_path} {
/var/lib/upower/history-*.dat{,.*} rw,
# Are all of these needed? (#FIXME#)
/dev/bus/usb/ r,
/dev/input/event* r,
@{sys}/bus/ r,
@{sys}/bus/usb/devices/ r,
@{sys}/bus/hid/devices/ r,
@{sys}/class/ r,
@{sys}/class/leds/ r,
@{sys}/class/power_supply/ r,
@{sys}/class/input/ r,
@ -43,7 +40,6 @@ profile upowerd @{exec_path} {
@{sys}/devices/**/power_supply/**/* r,
@{sys}/devices/**/uevent r,
@{sys}/devices/**/capabilities/* r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum,speed,descriptors} r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/platform/**/leds/**/max_brightness r,
@ -53,10 +49,8 @@ profile upowerd @{exec_path} {
@{run}/udev/data/ r,
@{run}/udev/data/+power_supply* r,
@{run}/udev/data/+input* r,
@{run}/udev/data/+usb* r,
@{run}/udev/data/+hid* r,
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
@{run}/systemd/inhibit/[0-9]*.ref rw,

6
apparmor.d/usb-devices
View File

@ -16,6 +16,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/usb-devices
profile usb-devices @{exec_path} {
include <abstractions/base>
include <abstractions/devices-usb>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@ -26,11 +27,6 @@ profile usb-devices @{exec_path} {
/{usr/,}bin/basename rix,
/{usr/,}bin/readlink rix,
@{sys}/bus/ r,
@{sys}/bus/usb/devices/ r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**} r,
# For shell pwd
/root/ r,

10
apparmor.d/usbguard
View File

@ -17,6 +17,10 @@ include <tunables/global>
profile usbguard @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/devices-usb>
# Needed to create policy (usbguard generate-policy)
network netlink dgram,
@{exec_path} mr,
@ -27,11 +31,7 @@ profile usbguard @{exec_path} {
/dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw,
# For "usbguard generate-policy"
@{sys}/bus/usb/devices/{,**} r,
@{sys}/devices/pci[0-9]*/**/uevent rw,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{authorized_default,authorized,remove} rw,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,product,idProduct,idVendor,serial} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/connect_type r,
@{sys}/devices/pci[0-9]*/**/uevent r,
include if exists <local/usbguard>
}

7
apparmor.d/usbguard-daemon
View File

@ -17,6 +17,7 @@ include <tunables/global>
profile usbguard-daemon @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/devices-usb>
# Needed? (##FIXME##)
#capability chown,
@ -38,11 +39,7 @@ profile usbguard-daemon @{exec_path} {
/dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/ rw,
/dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw,
@{sys}/bus/usb/devices/{,**} r,
@{sys}/devices/pci[0-9]*/**/uevent rw,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{authorized_default,authorized,remove} rw,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,product,idProduct,idVendor,serial} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/connect_type r,
@{sys}/devices/pci[0-9]*/**/uevent r,
include if exists <local/usbguard-daemon>
}

2
apparmor.d/usermod
View File

@ -37,6 +37,8 @@ profile usermod @{exec_path} flags=(attach_disconnected) {
capability sys_ptrace,
ptrace (read),
network netlink raw,
@{exec_path} mr,
/etc/login.defs r,

35
apparmor.d/usr.sbin.cupsd
View File

@ -2,17 +2,17 @@
# Last Modified: Thu Aug 2 12:54:46 2007
# Author: Martin Pitt <martin.pitt@ubuntu.com>
include <tunables/global>
#include <tunables/global>
/usr/sbin/cupsd flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bash>
include <abstractions/authentication>
include <abstractions/dbus>
include <abstractions/fonts>
include <abstractions/nameservice>
include <abstractions/perl>
include <abstractions/user-tmp>
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/authentication>
#include <abstractions/dbus>
#include <abstractions/fonts>
#include <abstractions/nameservice>
#include <abstractions/perl>
#include <abstractions/user-tmp>
capability chown,
capability fowner,
@ -47,6 +47,11 @@ include <tunables/global>
network econet dgram,
network ash dgram,
# CUPS is of systemd service type "notify" now, meaning that cupsd notifies
# systemd when it is up and running, give CUPS access to systemd's
# notification socket
/run/systemd/notify w,
/{usr/,}bin/bash ixr,
/{usr/,}bin/dash ixr,
/{usr/,}bin/hostname ixr,
@ -169,15 +174,15 @@ include <tunables/global>
}
# Site-specific additions and overrides. See local/README for details.
include <local/usr.sbin.cupsd>
#include <local/usr.sbin.cupsd>
}
# separate profile since this needs to write into /home
/usr/lib/cups/backend/cups-pdf {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/nameservice>
include <abstractions/user-tmp>
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
capability chown,
capability fowner,
@ -211,7 +216,7 @@ include <tunables/global>
# allow read and write on almost anything in @{HOME} (lenient, but
# private-files-strict is in effect), to support customized "Out"
# setting in cups-pdf.conf (Debian#940578)
include <abstractions/private-files-strict>
#include <abstractions/private-files-strict>
@{HOME}/[^.]*/{,**/} rw,
@{HOME}/[^.]*/** rw,
}

10
apparmor.d/usr.sbin.libvirtd
View File

@ -1,9 +1,9 @@
include <tunables/global>
#include <tunables/global>
@{LIBVIRT}="libvirt"
profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus>
#include <abstractions/base>
#include <abstractions/dbus>
capability kill,
capability net_admin,
@ -115,7 +115,7 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
# child profile for bridge helper process
profile qemu_bridge_helper {
include <abstractions/base>
#include <abstractions/base>
capability setuid,
capability setgid,
@ -137,5 +137,5 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
}
# Site-specific additions and overrides. See local/README for details.
include <local/usr.sbin.libvirtd>
#include <local/usr.sbin.libvirtd>
}

16
apparmor.d/usr.sbin.ntpd
View File

@ -11,13 +11,13 @@
#
# ------------------------------------------------------------------
include <tunables/global>
include <tunables/ntpd>
#include <tunables/global>
#include <tunables/ntpd>
/usr/sbin/ntpd flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/user-tmp>
include <abstractions/openssl>
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/openssl>
#include <abstractions/user-tmp>
capability ipc_lock,
capability net_admin,
@ -70,7 +70,7 @@ include <tunables/ntpd>
/var/log/ntpsec/protostats* rwl,
/var/log/ntpsec/rawstats* rwl,
/var/log/ntpsec/sysstats* rwl,
/var/log/ntpsec/usestats.* rwl,
/var/log/ntpsec/usestats* rwl,
/{,var/}run/ntpd.pid w,
@ -87,5 +87,5 @@ include <tunables/ntpd>
# capability ipc_owner,
# Site-specific additions and overrides. See local/README for details.
include <local/usr.sbin.ntpd>
#include <local/usr.sbin.ntpd>
}

5
apparmor.d/vidcutter
View File

@ -145,6 +145,11 @@ profile vidcutter @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

15
apparmor.d/virt-manager
View File

@ -32,6 +32,7 @@ profile virt-manager @{exec_path} {
include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict>
include <abstractions/python>
include <abstractions/devices-usb>
include <abstractions/deny-dconf>
network inet stream,
@ -91,20 +92,6 @@ profile virt-manager @{exec_path} {
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/net/route r,
/dev/ r,
# For USB devices
/dev/bus/usb/ r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/bus/usb/devices/ r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/uevent r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{busnum,devnum,speed,descriptors} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/uevent r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{busnum,devnum,speed,descriptors} r,
@{run}/udev/data/+usb:* r,
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** r,
@{sys}/devices/pci[0-9]*/**/drm/ r,
/etc/fstab r,

8
apparmor.d/vlc
View File

@ -75,6 +75,7 @@ profile vlc @{exec_path} {
include <abstractions/vulkan>
include <abstractions/user-download-strict>
include <abstractions/ssl_certs>
include <abstractions/devices-usb>
include <abstractions/deny-root-dir-access>
signal (receive) set=(term, kill) peer=anyremote//*,
@ -130,17 +131,10 @@ profile vlc @{exec_path} {
@{sys}/devices/**/uevent r,
@{sys}/class/ r,
@{sys}/class/**/ r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,speed} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
@{run}/udev/data/b254:[0-9]* r, # for /dev/zram*
@{run}/udev/data/b253:[0-9]* r, # for /dev/dm*
@{run}/udev/data/b8:[0-9]* r, # for /dev/sd*
@{run}/udev/data/b7:[0-9]* r, # for /dev/loop*
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
@{run}/udev/data/+usb:* r, # for ?
/dev/ r,
/dev/bus/usb/ r,
/etc/fstab r,

5
apparmor.d/wireshark
View File

@ -100,6 +100,11 @@ profile wireshark @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,

5
apparmor.d/xarchiver
View File

@ -86,7 +86,10 @@ profile xarchiver @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,