mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-02-12 21:25:07 +01:00
feat(profile): general update.
This commit is contained in:
Alexandre Pujol
parent
48751f75b2
commit
185dc96d45
48 changed files with 165 additions and 120 deletions
|
|
@ -47,6 +47,7 @@
|
|||
owner @{user_config_dirs}/pipewire/client.conf r,
|
||||
|
||||
owner @{user_share_dirs}/openal/hrtf/{,**} r,
|
||||
owner @{user_share_dirs}/sounds/ r,
|
||||
owner @{user_share_dirs}/sounds/__custom/index.theme r,
|
||||
|
||||
owner @{run}/user/@{uid}/pipewire-@{int} rw,
|
||||
|
|
|
|||
|
|
@ -28,6 +28,7 @@
|
|||
capability sys_chroot,
|
||||
capability sys_ptrace,
|
||||
|
||||
@{bin}/electron rix,
|
||||
@{bin}/electron@{int} rix,
|
||||
@{lib}/electron@{int}/{,**} r,
|
||||
@{lib}/electron@{int}/electron rix,
|
||||
|
|
|
|||
|
|
@ -33,6 +33,8 @@
|
|||
|
||||
/var/cache/gio-@{version}/gnome-mimeapps.list r,
|
||||
|
||||
/ r, # deny?
|
||||
|
||||
owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
|
||||
|
||||
# else if @{DE} == kde
|
||||
|
|
|
|||
|
|
@ -90,7 +90,7 @@
|
|||
@{run}/udev/data/b230:@{int} r, # for /dev/zvol*
|
||||
@{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254
|
||||
@{run}/udev/data/b25[0-4]:@{int} r,
|
||||
@{run}/udev/data/b259:@{int} r,
|
||||
@{run}/udev/data/b259:@{int} r, # Block Extended Major
|
||||
|
||||
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
|
||||
|
||||
|
|
|
|||
|
|
@ -90,7 +90,7 @@
|
|||
@{run}/udev/data/b230:@{int} r, # for /dev/zvol*
|
||||
@{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254
|
||||
@{run}/udev/data/b25[0-4]:@{int} r,
|
||||
@{run}/udev/data/b259:@{int} r,
|
||||
@{run}/udev/data/b259:@{int} r, # Block Extended Major
|
||||
|
||||
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
|
||||
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
include <abstractions/nvidia-strict>
|
||||
include <abstractions/vulkan-strict>
|
||||
|
||||
/etc/igfx_user_feature{,_next}.txt w,
|
||||
/etc/igfx_user_feature{,_next,_report}.txt w,
|
||||
/etc/libva.conf r,
|
||||
|
||||
@{sys}/bus/pci/devices/ r,
|
||||
|
|
|
|||
|
|
@ -14,6 +14,8 @@
|
|||
@{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rix,
|
||||
@{lib}/gstreamer-1.0/gst-plugin-scanner rix,
|
||||
|
||||
/usr/share/gstreamer-1.0/presets/Gst*Enc.prs r,
|
||||
|
||||
/etc/openni2/OpenNI.ini r,
|
||||
|
||||
/tmp/ r,
|
||||
|
|
|
|||
|
|
@ -34,7 +34,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
network netlink dgram,
|
||||
network netlink raw,
|
||||
|
||||
signal (receive) set=(hup),
|
||||
signal receive set=hup,
|
||||
|
||||
@{bin}/bwrap rPx -> bwrap,
|
||||
@{bin}/pipewire-pulse rPx -> systemd//&pipewire-pulse,
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ include <tunables/global>
|
|||
@{cache_dirs} = @{user_cache_dirs}/google-@{name}
|
||||
|
||||
@{exec_path} = @{lib_dirs}/@{name}
|
||||
profile chrome @{exec_path} {
|
||||
profile chrome @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app/chromium>
|
||||
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ include <tunables/global>
|
|||
@{cache_dirs} = @{user_cache_dirs}/@{name}
|
||||
|
||||
@{exec_path} = @{lib_dirs}/@{name}
|
||||
profile chromium @{exec_path} {
|
||||
profile chromium @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app/chromium>
|
||||
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/chromium
|
||||
profile chromium-wrapper @{exec_path} {
|
||||
profile chromium-wrapper @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
|
|
|
|||
|
|
@ -38,12 +38,15 @@ profile epiphany @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/xdg-dbus-proxy rix,
|
||||
@{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix,
|
||||
|
||||
/usr/share/enchant*/{,**} r,
|
||||
|
||||
owner /bindfile@{rand6} rw,
|
||||
owner @{att}/.flatpak-info r,
|
||||
|
||||
owner @{user_config_dirs}/glib-2.0/ w,
|
||||
owner @{user_config_dirs}/glib-2.0/settings/ w,
|
||||
|
||||
owner @{tmp}/ContentRuleList@{rand6} rw,
|
||||
owner @{tmp}/epiphany-*-@{rand6}/{,**} rw,
|
||||
owner @{tmp}/Serialized@{rand9} rw,
|
||||
owner @{tmp}/WebKit-Media-@{rand6} rw,
|
||||
|
|
|
|||
|
|
@ -19,6 +19,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/nvidia-modprobe
|
||||
profile child-modprobe-nvidia flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/attached/consoles>
|
||||
include <abstractions/consoles>
|
||||
|
||||
capability chown,
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/update-desktop-database
|
||||
profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/attached/consoles>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/freedesktop.org>
|
||||
|
||||
|
|
|
|||
|
|
@ -48,6 +48,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner @{desktop_cache_dirs}/dconf/user r,
|
||||
owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
|
||||
owner @{desktop_config_dirs}/dconf/user r,
|
||||
owner @{DESKTOP_HOME}/greeter-dconf-defaults r,
|
||||
|
||||
owner @{HOME}/ r,
|
||||
|
|
|
|||
|
|
@ -57,7 +57,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{PROC}/@{pid}/cgroup r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
/dev/fuse rw,
|
||||
/dev/fuse rw,
|
||||
|
||||
profile fusermount flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
|
|
|
|||
|
|
@ -35,6 +35,8 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/xdg-mime Px,
|
||||
@{open_path} Px -> child-open-any,
|
||||
|
||||
@{PROC}/version r,
|
||||
|
||||
profile bus {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app/bus>
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ include <tunables/global>
|
|||
profile xkbcomp @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/attached/consoles>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
|
|
@ -29,6 +30,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_share_dirs}/xorg/Xorg.@{int}.log w,
|
||||
|
||||
/var/lib/{gdm{3,},sddm}/.local/share/xorg/Xorg.@{int}.log w,
|
||||
/var/log/Xorg.@{int}.log w,
|
||||
owner /var/log/lightdm/x-@{int}.log w,
|
||||
|
||||
owner @{run}/user/@{uid}/server-@{int}.xkm rwk,
|
||||
|
|
@ -38,9 +40,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) {
|
|||
/dev/dri/card@{int} rw,
|
||||
/dev/fb@{int} rw,
|
||||
/dev/tty rw,
|
||||
|
||||
deny /dev/input/event@{int} rw,
|
||||
deny /var/log/Xorg.@{int}.log w,
|
||||
/dev/input/event@{int} rw,
|
||||
|
||||
include if exists <local/xkbcomp>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -134,6 +134,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
|
|||
/dev/shm/shmfd-* rw,
|
||||
/dev/tty rw,
|
||||
/dev/tty@{int} rw,
|
||||
/dev/udmabuf rw,
|
||||
/dev/vga_arbiter rw, # Graphic card modules
|
||||
|
||||
profile pkexec {
|
||||
|
|
|
|||
|
|
@ -10,6 +10,12 @@ include <tunables/global>
|
|||
profile makepkg @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/perl>
|
||||
include <abstractions/python>
|
||||
include <abstractions/shells>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/wutmp>
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
|
|
|||
|
|
@ -15,13 +15,14 @@ profile pacman-hook-systemd @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/bash rix,
|
||||
@{sh_path} rix,
|
||||
@{bin}/touch rix,
|
||||
|
||||
@{bin}/journalctl rPx,
|
||||
@{bin}/systemctl rCx -> systemctl,
|
||||
@{bin}/systemd-detect-virt rPx,
|
||||
@{bin}/systemd-hwdb rPx,
|
||||
@{bin}/systemd-notify rPx,
|
||||
@{bin}/systemd-sysusers rPx,
|
||||
@{bin}/systemd-tmpfiles rPx,
|
||||
@{bin}/udevadm rPx,
|
||||
|
|
|
|||
|
|
@ -55,6 +55,10 @@ profile yay @{exec_path} {
|
|||
|
||||
/usr/share/git{,-core}/{,**} r,
|
||||
|
||||
owner @{user_build_dirs}/**/.git/** r,
|
||||
owner @{user_pkg_dirs}/**/.git/** r,
|
||||
owner @{user_projects_dirs}/**/.git/** r,
|
||||
|
||||
owner @{HOME}/.gitconfig r,
|
||||
owner @{user_cache_dirs}/yay/ rw,
|
||||
owner @{user_cache_dirs}/yay/** rwlk -> @{user_cache_dirs}/yay/**,
|
||||
|
|
|
|||
|
|
@ -61,7 +61,7 @@ profile systemd-journald @{exec_path} {
|
|||
@{run}/udev/data/+usb:* r,
|
||||
@{run}/udev/data/+virtio:* r,
|
||||
@{run}/udev/data/b254:@{int} r, # for /dev/zram*
|
||||
@{run}/udev/data/b259:@{int} r,
|
||||
@{run}/udev/data/b259:@{int} r, # Block Extended Major
|
||||
@{run}/udev/data/c1:@{int} r, # For RAM disk
|
||||
@{run}/udev/data/c4:@{int} r, # For TTY devices
|
||||
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-3.0-only
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
|
|
|
|||
|
|
@ -45,15 +45,12 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
|
|||
mount options=(rw rslave) -> /,
|
||||
|
||||
remount /tmp/containerd-mount@{int10}/,
|
||||
remount /var/lib/docker/tmp/buildkit-mount@{int10}/,
|
||||
remount /var/lib/docker/**/,
|
||||
|
||||
umount /.pivot_root@{int}/,
|
||||
umount /run/docker/netns/*,
|
||||
umount /tmp/containerd-mount@{int}/,
|
||||
umount /var/lib/docker/buildkit/**/,
|
||||
umount /var/lib/docker/rootfs/**/,
|
||||
umount /var/lib/docker/overlay*/**/,
|
||||
umount /var/lib/docker/tmp/buildkit-mount@{int}/,
|
||||
umount /var/lib/docker/**/,
|
||||
|
||||
pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/ /var/lib/docker/overlay2/**/,
|
||||
pivot_root oldroot=/var/lib/docker/rootfs/overlayfs/@{hex64}/.pivot_root@{int}/ /var/lib/docker/rootfs/overlayfs/@{hex64}/,
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
|
|
|||
|
|
@ -11,10 +11,8 @@ profile file-roller @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
||||
include <abstractions/common/gnome>
|
||||
include <abstractions/deny-sensitive-home>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/user-download-strict>
|
||||
include <abstractions/user-read-strict>
|
||||
include <abstractions/user-write-strict>
|
||||
|
||||
#aa:dbus own bus=session name=org.gnome.ArchiveManager1
|
||||
#aa:dbus own bus=session name=org.gnome.FileRoller
|
||||
|
|
@ -23,6 +21,9 @@ profile file-roller @{exec_path} {
|
|||
|
||||
@{open_path} rPx -> child-open-help,
|
||||
|
||||
@{bin}/mv rix,
|
||||
@{bin}/rm rix,
|
||||
|
||||
# Archivers
|
||||
@{bin}/7z rix,
|
||||
@{bin}/7zz rix,
|
||||
|
|
@ -38,6 +39,11 @@ profile file-roller @{exec_path} {
|
|||
@{bin}/zstd rix,
|
||||
@{lib}/p7zip/7z rix,
|
||||
|
||||
# Full access to user's data
|
||||
@{MOUNTS}/** rw,
|
||||
owner @{HOME}/** rw,
|
||||
owner @{tmp}/** rw,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
|
|
|||
|
|
@ -62,6 +62,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
|
|||
owner @{HOME}/.var/ w,
|
||||
owner @{HOME}/.var/app/{,**} rw,
|
||||
|
||||
owner @{user_documents_dirs}/ rw,
|
||||
|
||||
owner @{user_cache_dirs}/flatpak/{,**} rw,
|
||||
owner @{user_config_dirs}/pulse/client.conf r,
|
||||
owner @{user_config_dirs}/user-dirs.dirs r,
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
# Copyright (C) 2011-2014 Jérémy Bobbio <lunar@debian.org>;
|
||||
# Copyright (C) 2020 krathalan https://git.sr.ht/~krathalan/apparmor-profiles/
|
||||
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-3.0-only
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
|
|
|
|||
|
|
@ -1,11 +1,12 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{,usr/}{,local/}bin/hbbr
|
||||
@{exec_path} = @{bin}/hbbr
|
||||
profile hbbr @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
|
|
|
|||
|
|
@ -1,11 +1,12 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{,usr/}{,local/}bin/hbbs
|
||||
@{exec_path} = @{bin}/hbbs
|
||||
profile hbbs @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
|
|
|
|||
|
|
@ -16,14 +16,17 @@ profile issue-generator @{exec_path} {
|
|||
@{sh_path} r,
|
||||
@{bin}/basename rix,
|
||||
@{bin}/cat rix,
|
||||
@{bin}/chmod rix,
|
||||
@{bin}/cmp rix,
|
||||
@{bin}/mktemp rix,
|
||||
@{bin}/mv rix,
|
||||
@{bin}/rm rix,
|
||||
@{bin}/sort rix,
|
||||
|
||||
/etc/issue.d/{,**} r,
|
||||
/etc/sysconfig/issue-generator r,
|
||||
|
||||
@{run}/agetty.reload w,
|
||||
@{run}/issue r,
|
||||
@{run}/issue.@{rand10} rw,
|
||||
@{run}/issue.d/{,**} r,
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
|
@ -34,9 +35,9 @@ profile rustdesk @{exec_path} {
|
|||
@{bin}/curl rix,
|
||||
@{bin}/ls rix,
|
||||
|
||||
@{bin}/sudo rCx -> sudo,
|
||||
@{bin}/python3.@{int} rPx -> rustdesk_python,
|
||||
@{sh_path} rPx -> rustdesk_shell,
|
||||
@{bin}/sudo rCx -> sudo,
|
||||
@{bin}/python3.@{int} rCx -> python,
|
||||
@{sh_path} rCx -> shell,
|
||||
|
||||
/etc/gdm{,3}/custom.conf r,
|
||||
|
||||
|
|
@ -59,80 +60,72 @@ profile rustdesk @{exec_path} {
|
|||
|
||||
profile sudo {
|
||||
include <abstractions/base>
|
||||
include <abstractions/python>
|
||||
include <abstractions/app/sudo>
|
||||
include <abstractions/python>
|
||||
|
||||
@{bin}/rustdesk rPx,
|
||||
@{bin}/python3.@{int} rPx -> rustdesk_python,
|
||||
@{bin}/python3.@{int} rPx -> rustdesk//python,
|
||||
|
||||
include if exists <local/rustdesk_sudo>
|
||||
}
|
||||
|
||||
profile python {
|
||||
include <abstractions/base>
|
||||
include <abstractions/python>
|
||||
|
||||
capability dac_read_search,
|
||||
capability dac_override,
|
||||
|
||||
@{bin}/python3.@{int} r,
|
||||
|
||||
@{sh_path} rix,
|
||||
@{bin}/chmod rix,
|
||||
@{bin}/uname rPx,
|
||||
/usr/share/rustdesk/files/pynput_service.py rix,
|
||||
|
||||
/usr/share/[rR]ust[dD]esk/files/{,**} r,
|
||||
/tmp/[rR]ust[dD]esk/ w,
|
||||
/tmp/[rR]ust[dD]esk/pynput_service rw,
|
||||
|
||||
@{run}/user/@{uid}/gdm{,3}/Xauthority r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
# X-tiny
|
||||
/tmp/.X11-unix/* rw,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
owner @{HOME}/.Xauthority r,
|
||||
|
||||
include if exists <local/rustdesk_python>
|
||||
}
|
||||
|
||||
profile shell {
|
||||
include <abstractions/base>
|
||||
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
capability sys_ptrace,
|
||||
|
||||
ptrace read,
|
||||
|
||||
@{sh_path} r,
|
||||
|
||||
@{bin}/tr rix,
|
||||
@{bin}/{,e}grep rix,
|
||||
@{bin}/tail rix,
|
||||
@{bin}/xargs rix,
|
||||
@{bin}/sed rix,
|
||||
@{bin}/cat rix,
|
||||
|
||||
@{bin}/ps rPx,
|
||||
|
||||
@{PROC}/@{pid}/environ r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
include if exists <local/rustdesk_shell>
|
||||
}
|
||||
|
||||
include if exists <local/rustdesk>
|
||||
}
|
||||
|
||||
profile rustdesk_pynput_service /usr/share/rustdesk/files/pynput_service.py {
|
||||
include <abstractions/base>
|
||||
|
||||
@{exec_path} r,
|
||||
|
||||
include if exists <local/rustdesk_pynput_service>
|
||||
}
|
||||
|
||||
profile rustdesk_python {
|
||||
include <abstractions/base>
|
||||
include <abstractions/python>
|
||||
|
||||
capability dac_read_search,
|
||||
capability dac_override,
|
||||
|
||||
@{bin}/python3.@{int} r,
|
||||
|
||||
@{sh_path} rix,
|
||||
@{bin}/chmod rix,
|
||||
@{bin}/uname rPx,
|
||||
/usr/share/rustdesk/files/pynput_service.py rPx,
|
||||
|
||||
/usr/share/[rR]ust[dD]esk/files/{,**} r,
|
||||
/tmp/[rR]ust[dD]esk/ w,
|
||||
/tmp/[rR]ust[dD]esk/pynput_service rw,
|
||||
|
||||
@{run}/user/@{uid}/gdm{,3}/Xauthority r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
# X-tiny
|
||||
/tmp/.X11-unix/* rw,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
owner @{HOME}/.Xauthority r,
|
||||
|
||||
include if exists <local/rustdesk_python>
|
||||
}
|
||||
|
||||
profile rustdesk_shell {
|
||||
include <abstractions/base>
|
||||
|
||||
capability sys_ptrace,
|
||||
capability dac_read_search,
|
||||
deny capability dac_override,
|
||||
|
||||
ptrace (read),
|
||||
|
||||
@{sh_path} r,
|
||||
|
||||
@{bin}/tr rix,
|
||||
@{bin}/{,e}grep rix,
|
||||
@{bin}/tail rix,
|
||||
@{bin}/xargs rix,
|
||||
@{bin}/sed rix,
|
||||
@{bin}/cat rix,
|
||||
|
||||
@{bin}/ps rPx,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pid}/environ r,
|
||||
|
||||
include if exists <local/rustdesk_shell>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
|
|||
|
|
@ -1,11 +1,12 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{,usr/}{,local/}bin/rustdesk-utils
|
||||
@{exec_path} = @{bin}/rustdesk-utils
|
||||
profile rustdesk-utils @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
|||
|
|
@ -6,26 +6,25 @@ abi <abi/4.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}{local/,}{s,}bin/sanoid
|
||||
@{exec_path} = @{bin}/sanoid
|
||||
profile sanoid @{exec_path} flags=(complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/perl>
|
||||
|
||||
@{exec_path} mr,
|
||||
@{exec_path} mr,
|
||||
@{sh_path} rix,
|
||||
@{bin}/perl rix,
|
||||
@{bin}/ps rPx,
|
||||
/{usr/,}{local/,}{s,}bin/zfs rPx,
|
||||
@{bin}/zfs rPx,
|
||||
|
||||
/etc/sanoid/{*,} r,
|
||||
/usr/share/sanoid/{,**} r,
|
||||
|
||||
/var/cache/sanoid/snapshots.txt rw,
|
||||
/etc/sanoid/{,*} r,
|
||||
|
||||
/usr/share/sanoid/{**,} r,
|
||||
/var/cache/sanoid/{,**} rw,
|
||||
|
||||
@{run}/sanoid/ rw,
|
||||
@{run}/sanoid/sanoid_cacheupdate.lock rwk,
|
||||
@{run}/sanoid/sanoid_pruning.lock rwk,
|
||||
@{run}/sanoid/** rwk,
|
||||
|
||||
include if exists <local/sanoid>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -8,12 +8,13 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/snapshot
|
||||
profile snapshot @{exec_path} {
|
||||
profile snapshot @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/common/gnome>
|
||||
include <abstractions/gstreamer>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/video>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
@ -22,6 +23,8 @@ profile snapshot @{exec_path} {
|
|||
owner @{user_pictures_dirs}/Camera/{,**} rw,
|
||||
owner @{user_videos_dirs}/Camera/{,**} rw,
|
||||
|
||||
@{sys}/devices/virtual/dmi/id/bios_vendor r,
|
||||
|
||||
include if exists <local/snapshot>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ include <tunables/global>
|
|||
@{cache_dirs} = @{user_cache_dirs}/@{name}
|
||||
|
||||
@{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name}
|
||||
profile spotify @{exec_path} {
|
||||
profile spotify @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/common/electron>
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# shadowsocks-rust only:
|
||||
|
|
@ -8,7 +9,7 @@ abi <abi/4.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{,usr/}{,local/}bin/sslocal
|
||||
@{exec_path} = @{bin}/sslocal
|
||||
profile sslocal @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# shadowsocks-rust only:
|
||||
|
|
@ -8,7 +9,7 @@ abi <abi/4.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{,usr/}{,local/}bin/ssmanager
|
||||
@{exec_path} = @{bin}/ssmanager
|
||||
profile ssmanager @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# shadowsocks-rust only:
|
||||
|
|
@ -8,7 +9,7 @@ abi <abi/4.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{,usr/}{,local/}bin/ssserver
|
||||
@{exec_path} = @{bin}/ssserver
|
||||
profile ssserver @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# shadowsocks-rust only:
|
||||
|
|
@ -8,7 +9,7 @@ abi <abi/4.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{,usr/}{,local/}bin/ssservice
|
||||
@{exec_path} = @{bin}/ssservice
|
||||
profile ssservice @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# shadowsocks-rust only:
|
||||
|
|
@ -8,7 +9,7 @@ abi <abi/4.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{,usr/}{,local/}bin/ssurl
|
||||
@{exec_path} = @{bin}/ssurl
|
||||
profile ssurl @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
|
|
|||
|
|
@ -107,6 +107,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info rix,
|
||||
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-urlopen rix,
|
||||
@{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
|
||||
@{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix,
|
||||
@{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix,
|
||||
@{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
|
||||
@{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web,
|
||||
|
|
@ -182,6 +183,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
|
||||
|
||||
owner @{run}/user/@{uid}/ r,
|
||||
owner @{run}/user/@{uid}/srt-fifo.@{rand6}/{,*} rw,
|
||||
|
||||
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
|
||||
|
||||
|
|
@ -366,6 +368,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
include <abstractions/common/bwrap>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
|
||||
unix receive type=stream,
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ include <tunables/global>
|
|||
@{app_dirs} = @{share_dirs}/steamapps/common/
|
||||
|
||||
@{exec_path} = @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap
|
||||
profile steam-game-proton @{exec_path} flags=(attach_disconnected) {
|
||||
profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/common/bwrap>
|
||||
include <abstractions/common/steam-game>
|
||||
|
|
@ -34,6 +34,8 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) {
|
|||
@{exec_path} mr,
|
||||
@{bin}/bwrap mrix,
|
||||
|
||||
@{bin}/chmod rix,
|
||||
@{bin}/fc-match rix,
|
||||
@{bin}/getopt rix,
|
||||
@{bin}/gzip rix,
|
||||
@{bin}/ldconfig rix,
|
||||
|
|
@ -44,7 +46,6 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/steam-runtime-system-info rix,
|
||||
@{bin}/steam-runtime-urlopen rix,
|
||||
@{bin}/true rix,
|
||||
@{bin}/chmod rix,
|
||||
@{open_path} rix,
|
||||
|
||||
@{lib_dirs}/** mr,
|
||||
|
|
@ -52,12 +53,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) {
|
|||
@{lib}/pressure-vessel/from-host/@{lib}/** rix,
|
||||
@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
|
||||
|
||||
@{app_dirs}/** mr,
|
||||
@{app_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix,
|
||||
@{app_dirs}/Proton*/files/@{bin}/* rix,
|
||||
@{app_dirs}/Proton*/files/@{lib}/** rix,
|
||||
@{app_dirs}/Proton*/proton rix,
|
||||
@{app_dirs}/@{runtime}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix,
|
||||
@{app_dirs}/** mrix,
|
||||
|
||||
@{run}/host/@{bin}/ldconfig rix,
|
||||
@{run}/host/@{bin}/localedef rix,
|
||||
|
|
@ -73,6 +69,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) {
|
|||
owner /var/pressure-vessel/** rw,
|
||||
owner /var/cache/ldconfig/aux-cache* rw,
|
||||
|
||||
owner "@{app_dirs}/Steamworks Shared/runasadmin.vdf" rw,
|
||||
owner @{app_dirs}/@{runtime}/var/tmp-@{rand6}/usr/.ref rwk,
|
||||
owner @{app_dirs}/Proton*/** rwkl,
|
||||
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ include <tunables/global>
|
|||
@{app_dirs} = @{share_dirs}/steamapps/common/
|
||||
|
||||
@{exec_path} = @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote
|
||||
profile steam-runtime-steam-remote @{exec_path} flags=(complain) {
|
||||
profile steam-runtime-steam-remote @{exec_path} flags=(attach_disconnected,complain) {
|
||||
include <abstractions/base>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/bus/org.freedesktop.UPower>
|
||||
|
||||
capability sys_boot,
|
||||
|
||||
|
||||
#aa:dbus own bus=system name=org.freedesktop.thermald
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
|||
|
|
@ -56,6 +56,8 @@ profile thunderbird @{exec_path} {
|
|||
owner @{tmp}/nsma rw,
|
||||
owner @{tmp}/pid-@{pid}/{,**} w,
|
||||
|
||||
/dev/urandom w,
|
||||
|
||||
# Silencer
|
||||
deny capability sys_ptrace,
|
||||
deny @{lib_dirs}/** w,
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2024 odomingao
|
||||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
|
@ -15,6 +16,7 @@ profile vesktop @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/base>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/common/electron>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/p11-kit>
|
||||
include <abstractions/user-download-strict>
|
||||
include <abstractions/video>
|
||||
|
|
@ -27,6 +29,9 @@ profile vesktop @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/speech-dispatcher rPx,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
owner /tmp/.org.chromium.Chromium.@{rand6} mr,
|
||||
owner @{run}/user/@{uid}/discord-ipc-@{int} rw,
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue