mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-18 00:48:10 +01:00
feat(profiles): general update.
This commit is contained in:
Alexandre Pujol
parent
dec5a29e19
commit
11617131ce
14 changed files with 57 additions and 23 deletions
|
|
@ -2,8 +2,10 @@
|
|||
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
unix (send, receive) type=dgram peer=(addr="@var/run/nvidia-xdriver-*"),
|
||||
|
||||
owner @{HOME}/.nv/nvidia-application-profiles* r,
|
||||
|
||||
/etc/nvidia/nvidia-application-profiles* r,
|
||||
|
||||
unix (send, receive) type=dgram peer=(addr="@var/run/nvidia-xdriver-*"),
|
||||
/dev/char/195:[0-9]* rw,
|
||||
|
|
|
|||
|
|
@ -46,8 +46,9 @@ profile cron @{exec_path} flags=(attach_disconnected) {
|
|||
/var/spool/cron/crontabs/{,*} r,
|
||||
/var/spool/cron/tabs/{,*} r,
|
||||
|
||||
@{run}/crond.pid rwk,
|
||||
@{run}/crond.reboot rw,
|
||||
owner @{run}/cron.pid rwk,
|
||||
owner @{run}/cron.reboot rw,
|
||||
|
||||
@{run}/systemd/sessions/*.ref rw,
|
||||
|
||||
owner /tmp/#[0-9]*[0-9] rw,
|
||||
|
|
|
|||
|
|
@ -28,10 +28,10 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
|
|||
capability setgid,
|
||||
capability setuid,
|
||||
capability sys_admin,
|
||||
capability sys_rawio,
|
||||
|
||||
# These can be denied?
|
||||
#audit capability dac_override,
|
||||
#audit capability sys_rawio,
|
||||
#audit capability sys_nice,
|
||||
#capability sys_tty_config,
|
||||
|
||||
|
|
@ -139,6 +139,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
|
|||
@{PROC}/ioports r,
|
||||
@{PROC}/mtrr rw,
|
||||
|
||||
/dev/fb[0-9] rw,
|
||||
/dev/input/event[0-9]* rw,
|
||||
/dev/shm/#[0-9]*[0-9] rw,
|
||||
/dev/shm/shmfd-* rw,
|
||||
|
|
|
|||
|
|
@ -590,6 +590,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
|
||||
owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
|
||||
owner @{run}/user/@{uid}/systemd/notify rw,
|
||||
owner @{run}/user//@{uid}/wayland-[0-9]* rwk,
|
||||
|
||||
owner /dev/shm/.org.chromium.Chromium.* rw,
|
||||
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
|
||||
|
|
|
|||
|
|
@ -9,8 +9,9 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/drkonqi
|
||||
profile drkonqi @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/qt5>
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
|
@ -18,6 +19,7 @@ profile drkonqi @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/drkonqi/{,**} r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
|
||||
@{run}/user/@{uid}/xauth_* rl,
|
||||
|
|
|
|||
|
|
@ -25,6 +25,8 @@ profile kcminit @{exec_path} {
|
|||
/etc/xdg/kcminputrc r,
|
||||
/etc/xdg/kdeglobals r,
|
||||
|
||||
owner @{HOME}/.Xdefaults r,
|
||||
|
||||
owner @{user_config_dirs}/#[0-9]* rw,
|
||||
owner @{user_config_dirs}/gtkrc-2.0{,.??????} rwl,
|
||||
owner @{user_config_dirs}/gtkrc{,.??????} rwl,
|
||||
|
|
@ -33,6 +35,7 @@ profile kcminit @{exec_path} {
|
|||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/kgammarc r,
|
||||
owner @{user_config_dirs}/touchpadrc r,
|
||||
owner @{user_config_dirs}/Trolltech.conf.lock rwk,
|
||||
owner @{user_config_dirs}/Trolltech.conf{,.??????} rwl,
|
||||
|
||||
|
|
|
|||
|
|
@ -14,9 +14,14 @@ profile kioslave5 @{exec_path} {
|
|||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/trash>
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
signal (receive) set=term peer=plasmashell,
|
||||
|
|
@ -25,6 +30,7 @@ profile kioslave5 @{exec_path} {
|
|||
|
||||
@{libexec}/libheif/ r,
|
||||
@{libexec}/libheif/*.so* rm,
|
||||
@{libexec}/kf5/kio_http_cache_cleaner rPx,
|
||||
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
|
|
|
|||
|
|
@ -24,8 +24,9 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
|
||||
/{usr/,}bin/rm rix,
|
||||
|
||||
@{libexec}/kscreenlocker_greet rPx,
|
||||
@{libexec}/DiscoverNotifier rPUx, # TODO: rPx,
|
||||
@{libexec}/drkonqi rPx,
|
||||
@{libexec}/kscreenlocker_greet rPx,
|
||||
|
||||
/usr/share/color-schemes/{,**} r,
|
||||
/usr/share/hwdata/pnp.ids r,
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ profile plasma-discover @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/ssl_certs>
|
||||
|
||||
network inet dgram,
|
||||
|
|
@ -21,9 +22,14 @@ profile plasma-discover @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/kreadconfig5 rPx,
|
||||
|
||||
@{libexec}/kf5/kioslave5 rPx,
|
||||
@{libexec}/kf5/kio_http_cache_cleaner rPx,
|
||||
|
||||
/usr/share/kservices5/{,*} r,
|
||||
|
||||
/etc/appstream.conf r,
|
||||
/etc/machine-id r,
|
||||
/etc/flatpak/remotes.d/{,**} r,
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@ profile plasmashell @{exec_path} {
|
|||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/qt5-shader-cache>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/user-tmp>
|
||||
# include <abstractions/user-tmp>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
|
|
@ -47,20 +47,21 @@ profile plasmashell @{exec_path} {
|
|||
/{usr/,}bin/dolphin rPUx, # TODO: rPx,
|
||||
/{usr/,}bin/plasma-discover rPUx,
|
||||
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/akonadi/firstrun/{,*} r,
|
||||
/usr/share/akonadi/plugins/serializer/{,*.desktop} r,
|
||||
/usr/share/desktop-directories/kf5-*.directory r,
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/knotifications5/*.notifyrc r,
|
||||
/usr/share/konsole/ r,
|
||||
/usr/share/krunner/{,**} r,
|
||||
/usr/share/kservices5/{,**} r,
|
||||
/usr/share/kservicetypes5/{,**} r,
|
||||
/usr/share/lshw/artwork/logo.svg r,
|
||||
/usr/share/mime/{,**} r,
|
||||
/usr/share/plasma/{,**} r,
|
||||
/usr/share/solid/actions/{,**} r,
|
||||
/usr/share/wallpapers/{,**} r,
|
||||
/usr/share/krunner/{,**} r,
|
||||
/usr/share/konsole/ r,
|
||||
/usr/share/akonadi/firstrun/{,*} r,
|
||||
/usr/share/lshw/artwork/logo.svg r,
|
||||
/usr/share/knotifications5/*.notifyrc r,
|
||||
/usr/share/desktop-directories/kf5-*.directory r,
|
||||
|
||||
/etc/appstream.conf r,
|
||||
/etc/cups/client.conf r,
|
||||
|
|
@ -74,14 +75,14 @@ profile plasmashell @{exec_path} {
|
|||
/etc/xdg/kdeglobals r,
|
||||
/etc/xdg/kioslaverc r,
|
||||
/etc/xdg/krunnerrc r,
|
||||
/etc/xdg/kshorturifilterrc r,
|
||||
/etc/xdg/kwinrc r,
|
||||
/etc/xdg/menus/ r,
|
||||
/etc/xdg/menus/applications.menu r,
|
||||
/etc/xdg/menus/applications-merged/ r,
|
||||
/etc/xdg/menus/applications.menu r,
|
||||
/etc/xdg/plasmanotifyrc r,
|
||||
/etc/xdg/plasmarc r,
|
||||
/etc/xdg/taskmanagerrulesrc r,
|
||||
/etc/xdg/kshorturifilterrc r,
|
||||
|
||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
|
||||
|
||||
|
|
@ -121,8 +122,8 @@ profile plasmashell @{exec_path} {
|
|||
owner @{user_config_dirs}/plasma-pk-updates r,
|
||||
owner @{user_config_dirs}/plasma*desktop* rwlk,
|
||||
owner @{user_config_dirs}/plasmanotifyrc rw,
|
||||
owner @{user_config_dirs}/plasmanotifyrc.lock rwk,
|
||||
owner @{user_config_dirs}/plasmanotifyrc.* rwl,
|
||||
owner @{user_config_dirs}/plasmanotifyrc.lock rwk,
|
||||
owner @{user_config_dirs}/plasmaparc r,
|
||||
owner @{user_config_dirs}/plasmashellrc r,
|
||||
owner @{user_config_dirs}/pulse/cookie rwk,
|
||||
|
|
@ -157,14 +158,15 @@ profile plasmashell @{exec_path} {
|
|||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
owner @{PROC}/@{pid}/{cgroup,cmdline,stat,statm} r,
|
||||
owner @{PROC}/@{pid}/attr/current r,
|
||||
owner @{PROC}/@{pid}/environ r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/{cgroup,cmdline,stat,statm} r,
|
||||
owner @{PROC}/@{pid}/attr/current r,
|
||||
|
||||
/dev/shm/ r,
|
||||
|
||||
/dev/ptmx rw,
|
||||
|
||||
/dev/rfkill r,
|
||||
/dev/shm/ r,
|
||||
|
||||
include if exists <local/plasmashell>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -60,6 +60,8 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/tlp/{,*} rw,
|
||||
@{run}/chrony-dhcp/ rw,
|
||||
|
||||
@{sys}/class/net/ r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
/dev/tty rw,
|
||||
|
|
|
|||
|
|
@ -18,6 +18,8 @@ profile aa-log @{exec_path} {
|
|||
/{usr/,}bin/journalctl rix,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/nsswitch.conf r,
|
||||
/etc/passwd r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
/var/log/audit/* r,
|
||||
|
|
|
|||
|
|
@ -37,6 +37,8 @@ profile bluetoothd @{exec_path} {
|
|||
@{sys}/devices/platform/**/rfkill/**/name r,
|
||||
@{sys}/devices/virtual/dmi/id/chassis_type r,
|
||||
|
||||
@{PROC}/sys/kernel/hostname r,
|
||||
|
||||
/dev/uhid rw,
|
||||
/dev/uinput rw,
|
||||
/dev/rfkill rw,
|
||||
|
|
|
|||
|
|
@ -32,7 +32,10 @@ profile xauth @{exec_path} {
|
|||
owner /tmp/serverauth.* rwl -> /tmp/serverauth.*-n,
|
||||
|
||||
owner /tmp/runtime-*/xauth_?????? r,
|
||||
@{run}/user/@{uid}/xauth_?????? rw,
|
||||
|
||||
owner @{run}/user/@{uid}/xauth_?????? rw,
|
||||
owner @{run}/user/@{uid}/xauth_??????-c w,
|
||||
owner @{run}/user/@{uid}/xauth_??????-l wl,
|
||||
|
||||
include if exists <local/xauth>
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue