feat(profiles): general update.
This commit is contained in:
parent
58b96a7ba9
commit
177d27d94c
@ -18,7 +18,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
|
||||
network netlink raw,
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/ColorManager{,/**}
|
||||
interface=org.freedesktop.{DBus.Properties,ColorManager},
|
||||
interface=org.freedesktop.{DBus.Properties,ColorManager*},
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
|
@ -53,6 +53,10 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
|
||||
interface=org.freedesktop.NetworkManager
|
||||
member={CheckPermissions,StateChanged,PropertiesChanged},
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged,
|
||||
|
||||
dbus bind bus=system
|
||||
name=org.freedesktop.GeoClue2,
|
||||
|
||||
|
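Review bot: The added `dbus receive` rule for `member=PropertiesChanged` on `/org/freedesktop/NetworkManager` is not bound to NetworkManager by a `peer=` constraint, so any system-bus client can deliver that signal to geoclue on the NetworkManager object path. The `dbus send` rule above it in the same hunk is equally open, so this follows the file's existing style rather than introducing a new pattern. If that is intentional, fine; otherwise `peer=(name=org.freedesktop.NetworkManager)` on the receive rule is a one-line tightening and matches the `peer=(name=...)` form the xorg and gnome-keyring-daemon hunks in this commit already use.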
@ -32,13 +32,13 @@ profile plymouthd @{exec_path} {
|
||||
|
||||
@{run}/udev/data/+drm:* r,
|
||||
@{run}/udev/data/c226:* r,
|
||||
@{run}/udev/data/c29:* r,
|
||||
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/drm/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/uevent r,
|
||||
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]/uevent r,
|
||||
@{sys}/devices/pci[0-9]*/**/drm/renderD128/uevent r,
|
||||
@{sys}/class/graphics/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/{,uevent} r,
|
||||
@{sys}/devices/virtual/tty/console/active r,
|
||||
@{sys}/firmware/acpi/bgrt/{,*} r,
|
||||
|
||||
|
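Review bot: `@{sys}/devices/pci[0-9]*/**/{,uevent} r,` grants read on every directory and every `uevent` file under any PCI device, which subsumes the three drm-specific `uevent` rules a few lines above it (`card[0-9]-*`, `card[0-9]` and `renderD128`); which of these lines is the added one cannot be told from this rendering (13 → 13 lines), so please confirm. If the broad rule is the addition, narrowing it to the drm subtree, e.g. (constructed) `@{sys}/devices/pci[0-9]*/**/drm/**/{,uevent} r,`, keeps the widening to what plymouthd actually enumerates. If instead the specific rules are the old ones that survived, they are now dead and can be dropped so the profile does not carry two overlapping rule sets.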
@ -13,6 +13,7 @@ include <tunables/global>
|
||||
@{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap}
|
||||
profile xorg @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
@ -40,6 +41,15 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
network netlink raw,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login[0-9]{,/session/*}
|
||||
interface=org.freedesktop.{DBus.Properties,login1.Session}
|
||||
member={ReleaseControl,TakeControl,TakeDevice,ReleaseDevice,GetSessionByPID}
|
||||
peer=(name=org.freedesktop.login[0-9]),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/login[0-9]/session/*
|
||||
interface=org.freedesktop.login1.Session
|
||||
member=PauseDevice,
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
|
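Review bot: The new `dbus receive` rule for `member=PauseDevice` carries no `peer=` constraint, while the `dbus send` rule just above it in the same hunk is pinned with `peer=(name=org.freedesktop.login[0-9])`; as written, any bus client may deliver a `PauseDevice` message to Xorg on the session object path. Adding `peer=(name=org.freedesktop.login[0-9])` to the receive rule keeps the pair symmetric. Separately, both rules spell the interface as `login1.Session` while the path and peer use `login[0-9]`; `org.freedesktop.login[0-9].Session` would match the convention used in the gdm-session-worker hunk below (`org.freedesktop.login[0-9].Manager`).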
@ -47,7 +47,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login[0-9]
|
||||
interface=org.freedesktop.login[0-9].Manager
|
||||
member=CreateSession,
|
||||
member={CreateSession,ReleaseSession},
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
|
@ -10,9 +10,8 @@ include <tunables/global>
|
||||
profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/dbus-network-manager-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dbus-session>
|
||||
include <abstractions/dbus>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
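Review bot: Replacing the `-strict` D-Bus abstractions (`dbus-network-manager-strict`, `dbus-session-strict`, `dbus-strict`) with `abstractions/dbus-session` and `abstractions/dbus` removes the fine-grained D-Bus mediation for gnome-control-center; the old/new sides here are inferred from the hunk counts (9 → 8 lines, three removed and two added), so please confirm. Together with the deletion of the per-interface `dbus send` rules in the following hunk (`@ -35,54 +34,6 @@`), which is unambiguous, the profile now allows essentially any message on both buses, including the PolicyKit `CheckAuthorization` and Accounts calls that were previously enumerated one by one. If the unrestricted abstractions are a deliberate trade-off, a comment on the include lines such as `# TODO: dbus rules are too permissive, restore the strict abstractions once the interface list is complete` would record the regression so it is not mistaken for the intended end state.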
@ -35,54 +34,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
||||
signal (send) set=(kill) peer=unconfined,
|
||||
signal (send) set=(kill) peer=passwd,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop{,ModemManager[0-9],UDisks2}
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
member=GetManagedObjects,
|
||||
|
||||
dbus send bus=system path=/net/reactivated/Fprint/Manager
|
||||
interface=net.reactivated.Fprint.Manager
|
||||
member=GetDevices,
|
||||
|
||||
dbus send bus=system path=/net/reactivated/Fprint/Manager
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
|
||||
interface=org.freedesktop.PolicyKit[0-9].Authority
|
||||
member=CheckAuthorization,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]*
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/Accounts
|
||||
interface=org.freedesktop.Accounts
|
||||
member={ListCachedUsers,FindUserById},
|
||||
|
||||
dbus send bus=system path=/net/hadess/SwitcherooControl
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/hostname[0-9]
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.NetworkManager
|
||||
member=GetPermissions,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]*
|
||||
interface=org.freedesktop.NetworkManager.Settings.Connection
|
||||
member=GetSettings,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/systemd[0-9]
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={GetAll,Get},
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{,b,d,rb}ash rUx,
|
||||
@ -101,7 +52,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
||||
/{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
|
||||
/usr/share/language-tools/language2locale rix,
|
||||
|
||||
/snap/*/[0-9]*/*.png r,
|
||||
/snap/*/[0-9]*/**.png r,
|
||||
/usr/share/backgrounds/{,**} r,
|
||||
/usr/share/cups/data/testprint r,
|
||||
/usr/share/egl/{,**} r,
|
||||
@ -109,12 +60,13 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
||||
/usr/share/gnome-background-properties/{,**} r,
|
||||
/usr/share/gnome-bluetooth{-*,}/{,**} r,
|
||||
/usr/share/gnome-color-manager/{,**} r,
|
||||
/usr/share/gnome-control-center/{,**} r,
|
||||
/usr/share/gnome-shell/search-providers/{,**} r,
|
||||
/usr/share/gnome/gnome-version.xml r,
|
||||
/usr/share/mime/{,**} r,
|
||||
/usr/share/pipewire/client.conf r,
|
||||
/usr/share/thumbnailers/{,*} r,
|
||||
/usr/share/ubuntu/applications/ r,
|
||||
/usr/share/ubuntu/applications/{,*} r,
|
||||
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
|
||||
/usr/share/zoneinfo/{,**} r,
|
||||
|
||||
@ -135,9 +87,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{user_cache_dirs}/thumbnails/{,**} rw,
|
||||
owner @{user_config_dirs}/gnome-control-center/{,**} rw,
|
||||
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
|
||||
owner @{user_config_dirs}/mimeapps.list.* rw,
|
||||
owner @{user_share_dirs}/backgrounds/{,**} rw,
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
owner @{user_share_dirs}/icc/{,edid-*} r,
|
||||
owner @{user_share_dirs}/sounds/__custom/{,*} rw,
|
||||
owner @{user_share_dirs}/webkitgtk/{,**} r,
|
||||
owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw,
|
||||
owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,
|
||||
@ -145,10 +99,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
|
||||
owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
|
||||
owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
@{run}/cups/cups.sock rw,
|
||||
@{run}/samba/ rw,
|
||||
@{run}/systemd/sessions/ r,
|
||||
@{run}/systemd/sessions/* r,
|
||||
@{run}/cups/cups.sock rw,
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
|
||||
@{run}/udev/data/+dmi:* r,
|
||||
@{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
|
||||
|
@ -19,6 +19,11 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
|
||||
signal (receive) set=(term) peer=gdm,
|
||||
signal (send) set=(term) peer=ssh-agent,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login[0-9]/session/*
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get
|
||||
peer=(name=org.freedesktop.login[0-9]),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login[0-9]
|
||||
interface=org.freedesktop.login[0-9].Manager
|
||||
member=GetSession
|
||||
|
@ -18,10 +18,10 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
|
||||
dbus (send, receive) bus=system path=/org/freedesktop/ColorManager
|
||||
interface=org.freedesktop.ColorManager,
|
||||
dbus (send, receive) bus=system path=/org/freedesktop/ColorManager{,/devices/*}
|
||||
interface=org.freedesktop.ColorManager*,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/ColorManager{,/devices/xrandr_*}
|
||||
dbus send bus=system path=/org/freedesktop/ColorManager{,/devices/*,/profiles/*}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
|
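Review bot: Widening the first rule to `interface=org.freedesktop.ColorManager*` with `(send, receive)` and no `member=` lets gsd-color call every method on `ColorManager` and any sub-interface matched by the wildcard, and receive anything on them, on the widened `{,/devices/*}` path set; the rule also lacks `peer=(name=org.freedesktop.ColorManager)`, so the send half is not tied to colord. If the set of calls is known, enumerating `member=` keeps the rule at the granularity of the `GetAll` rule that follows it; if colord is the only expected peer, adding the peer name is the cheaper tightening. A short comment naming which colord interfaces required the wildcard would also help the next reader.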
@ -92,8 +92,9 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
|
||||
@{sys}/devices/platform/**/leds/*backlight*/max_brightness r,
|
||||
@{sys}/devices/platform/**/leds/*backlight*/brightness rw,
|
||||
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
||||
|
@ -31,6 +31,9 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member={GetAPIVersion,GetState,ServiceBrowserNew},
|
||||
|
||||
dbus receive bus=system path=/org/cups/cupsd/Notifier
|
||||
interface=org.cups.cupsd.Notifier,
|
||||
|
||||
dbus receive bus=system path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member=StateChanged,
|
||||
|
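Review bot: The added `dbus receive bus=system path=/org/cups/cupsd/Notifier interface=org.cups.cupsd.Notifier,` has neither `member=` nor `peer=`, unlike the Avahi receive rule beside it which pins `member=StateChanged`. If the signal names gsd-print-notifications subscribes to are known, listing them in `member=` keeps this rule at the same granularity as its neighbour; if they are not yet known, a `# TODO: enumerate the cupsd.Notifier members` comment on the rule would mark it as provisional rather than final.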
@ -27,6 +27,7 @@ profile tracker-miner @{exec_path} {
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
|
||||
/usr/share/tracker3-miners/{,**} r,
|
||||
/usr/share/tracker3/{,**} r,
|
||||
/usr/share/ubuntu/applications/ r,
|
||||
|
@ -18,6 +18,11 @@ profile gvfsd-dnssd @{exec_path} {
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member={Ping,GetAPIVersion,GetState,ServiceBrowserNew},
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.DBus.Peer
|
||||
member=Ping
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
||||
dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]
|
||||
interface=org.freedesktop.Avahi.ServiceBrowser
|
||||
member={CacheExhausted,AllForNow},
|
||||
|
@ -10,9 +10,23 @@ include <tunables/global>
|
||||
profile software-properties-dbus @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/apt-common>
|
||||
include <abstractions/python>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/python>
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=RequestName
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus receive bus=system path=/
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect,
|
||||
|
||||
dbus receive bus=system path=/
|
||||
interface=com.ubuntu.SoftwareProperties
|
||||
member=Reload,
|
||||
|
||||
dbus bind bus=system
|
||||
name=com.ubuntu.SoftwareProperties,
|
||||
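Review bot: `dbus receive bus=system path=/ interface=com.ubuntu.SoftwareProperties member=Reload,` accepts the call from any bus client, and the `Introspect` receive rule above it is likewise unconstrained; since the profile also `bind`s `com.ubuntu.SoftwareProperties` in this hunk, any process on the system bus can trigger a reload of the apt sources configuration unless the daemon gates the method itself. If the GTK frontend confined by `software-properties-gtk` (the profile patched later in this commit) is the only expected caller, `peer=(label=software-properties-gtk)` pins the rule to it; otherwise a comment stating that authorization is left to the daemon's own check would document why the rule is deliberately open. I cannot see from this page whether the daemon performs such a check, so please confirm before choosing.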
@ -31,6 +45,7 @@ profile software-properties-dbus @{exec_path} {
|
||||
owner /tmp/tmp*/{,apt.conf} rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
include if exists <local/software-properties-dbus>
|
||||
}
|
@ -16,8 +16,22 @@ profile software-properties-gtk @{exec_path} {
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/openssl>
|
||||
|
||||
dbus send bus=system path=/{,com/canonical/UbuntuAdvantage/Manager}
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect,
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=com.ubuntu.SoftwareProperties
|
||||
member=Reload,
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
member=GetManagedObjects,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/ r,
|
||||
|
||||
/{usr/,}bin/aplay rPx,
|
||||
/{usr/,}bin/apt-key rPx,
|
||||
/{usr/,}bin/dpkg rPx -> child-dpkg,
|
||||
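Review bot: None of the three new `dbus send` rules carries a `peer=` constraint; `dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects,` in particular lets the frontend call `GetManagedObjects` on the root object of any system-bus service, not only the one it talks to. The `Reload` rule targets the `com.ubuntu.SoftwareProperties` name bound in the software-properties-dbus hunk above, so `peer=(name=com.ubuntu.SoftwareProperties)` scopes it; the `Introspect` rule's path set `/{,com/canonical/UbuntuAdvantage/Manager}` presumably points at a `com.canonical.UbuntuAdvantage` service, which I can only infer from the path. Please confirm which service each of the three calls is aimed at and add the peer name to each, or note in a comment why it must stay open.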
@ -25,25 +39,36 @@ profile software-properties-gtk @{exec_path} {
|
||||
/{usr/,}bin/lsb_release rPx -> lsb_release,
|
||||
/{usr/,}bin/ubuntu-advantage rPx,
|
||||
|
||||
/usr/share/distro-info/*.csv r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/icons/{,**} r,
|
||||
/usr/share/mime/mime.cache r,
|
||||
/usr/share/pixmaps/ r,
|
||||
/usr/share/python-apt/{,**} r,
|
||||
/usr/share/software-properties/{,**} r,
|
||||
/usr/share/themes/{,**} r,
|
||||
/usr/share/ubuntu-drivers-common/detect/{,**} r,
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
/usr/share/xml/iso-codes/{,**} r,
|
||||
|
||||
/etc/gtk-3.0/settings.ini r,
|
||||
/etc/machine-id r,
|
||||
/etc/update-manager/release-upgrades r,
|
||||
|
||||
/var/lib/snapd/desktop/icons/ r,
|
||||
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
|
||||
owner /tmp/[a-z0-9]* rw,
|
||||
owner /tmp/tmp*/{,apt.conf} rw,
|
||||
|
||||
@{sys}/devices/ r,
|
||||
@{sys}/devices/**/ r,
|
||||
@{sys}/devices/**/modalias r,
|
||||
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
include if exists <local/software-properties-gtk>
|
||||
}
|
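Review bot: `@{PROC}/@{pids}/mountinfo r,` and `owner @{PROC}/@{pid}/mountinfo r,` now both appear a few lines apart; the unowned `@{pids}` form subsumes the owner one and allows reading the mount table of every process on the system, and which of the two was added is not recoverable from this rendering (25 → 36 lines), so please confirm. If the broad form is new, the owner line already covers the frontend's own process and the `@{pids}` line should go, unless a helper it runs genuinely inspects other processes, in which case a comment naming that helper belongs next to it. `owner /tmp/[a-z0-9]* rw,` is also wide for a temp-file rule; a comment naming the component that creates those files would justify keeping it.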
@ -7,8 +7,9 @@ abi <abi/3.0>,
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/boltd
|
||||
profile boltd @{exec_path} {
|
||||
profile boltd @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability net_admin,
|
||||
@ -21,6 +22,7 @@ profile boltd @{exec_path} {
|
||||
|
||||
owner @{run}/boltd/{,**} rw,
|
||||
|
||||
@{run}/systemd/journal/socket w,
|
||||
@{run}/udev/data/+thunderbolt:* r,
|
||||
|
||||
@{sys}/bus/ r,
|
||||
|
@ -32,7 +32,7 @@ profile hugo @{exec_path} {
|
||||
owner @{user_projects_dirs}/**/.hugo_build.lock rwk,
|
||||
owner @{user_projects_dirs}/**/go.{mod,sum} rwk,
|
||||
|
||||
owner /tmp/hugo_cache/{,**} rwk,
|
||||
owner /tmp/hugo_cache/{,**} rwkl,
|
||||
owner /tmp/go-codehost-[0-9]* rw,
|
||||
|
||||
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||
|
@ -28,6 +28,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
|
||||
/{usr/,}bin/fail2ban-server rPx,
|
||||
/{usr/,}bin/locale rix,
|
||||
/{usr/,}bin/python3.[0-9]* rix,
|
||||
/{usr/,}bin/sed rix,
|
||||
/{usr/,}bin/stty rix,
|
||||
/{usr/,}bin/systemctl rPx,
|
||||
/{usr/,}bin/systemd-detect-virt rPx,
|
||||
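Review bot: `/{usr/,}bin/python3.[0-9]* rix,` runs a whole interpreter inherited under the needrestart profile, which in the `@ -48,8 +50,8 @@` hunk below includes reading `@{PROC}/@{pids}/environ` and `maps` of every process, so any Python helper needrestart invokes gets that access too. Whether that line is the addition in this hunk is not provable from the counts (6 → 7 lines), but it is the candidate. If it is, a comment naming the helper script that needs it, or a dedicated child profile in the style of the `rPx` transitions used for `systemctl` and `fail2ban-server`, would bound what the interpreter can do.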
@ -37,6 +38,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
|
||||
/{usr/,}lib/needrestart/iucode-scan-versions rPx,
|
||||
/usr/share/debconf/frontend rix,
|
||||
|
||||
/{usr/,}bin/gettext.sh r,
|
||||
/usr/share/needrestart/{,**} r,
|
||||
/usr/share/unattended-upgrades/unattended-upgrade-shutdown r,
|
||||
|
||||
@ -48,8 +50,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
|
||||
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
@{PROC}/@{pids}/environ r,
|
||||
@{PROC}/@{pids}/maps r,
|
||||
|
@ -25,9 +25,13 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
|
||||
interface=org.freedesktop.DBus
|
||||
member=RequestName,
|
||||
|
||||
dbus send bus=system path=/net/hadess/PowerProfiles
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged,
|
||||
|
||||
dbus receive bus=system path=/net/hadess/PowerProfiles
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
member={GetAll,Set},
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
|
||||
interface=org.freedesktop.PolicyKit[0-9].Authority
|
||||
|
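Review bot: Extending the `DBus.Properties` receive rule to `member={GetAll,Set}` lets any system-bus client attempt to write properties on `/net/hadess/PowerProfiles`, since the rule has no `peer=`; the only thing stopping an unprivileged user from switching the active profile is then the daemon's own authorization check. The PolicyKit receive rule that follows suggests the daemon does consult polkit, but the commit does not say so, so a comment on the rule such as `# Set is authorized by the daemon's polkit check` would make the intent explicit. The new `PropertiesChanged` send rule is a broadcast signal, so leaving its `peer=` empty is appropriate.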
@ -60,7 +60,8 @@ profile system-config-printer @{exec_path} flags=(complain) {
|
||||
owner @{HOME}/.cups/ rw,
|
||||
owner @{HOME}/.cups/lpoptions rw,
|
||||
|
||||
owner @{run}/@{uid}/gvfsd/socket-* rw,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
owner @{run}/user/@{uid}/gvfsd/socket-* rw,
|
||||
@{run}/cups/cups.sock rw,
|
||||
|
||||
owner /tmp/* rw,
|
||||
|