mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-18 08:58:15 +01:00
feat(profile): general update.
This commit is contained in:
Alexandre Pujol
parent
55ae6d2b75
commit
1a1daeae07
23 changed files with 118 additions and 100 deletions
|
|
@ -93,6 +93,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
|
||||||
# Ubuntu specificities
|
# Ubuntu specificities
|
||||||
@{lib}/ubuntu-advantage/apt-esm-hook rPx,
|
@{lib}/ubuntu-advantage/apt-esm-hook rPx,
|
||||||
@{lib}/ubuntu-advantage/apt-esm-json-hook rPx,
|
@{lib}/ubuntu-advantage/apt-esm-json-hook rPx,
|
||||||
|
@{lib}/ubuntu-release-upgrader/do-partial-upgrade rPx,
|
||||||
@{lib}/update-notifier/update-motd-updates-available rPx,
|
@{lib}/update-notifier/update-motd-updates-available rPx,
|
||||||
/usr/share/command-not-found/cnf-update-db rPx,
|
/usr/share/command-not-found/cnf-update-db rPx,
|
||||||
/usr/share/language-tools/language-options rPx,
|
/usr/share/language-tools/language-options rPx,
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,5 @@
|
||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = @{bin}/dbus-broker-launch
|
@{exec_path} = @{bin}/dbus-broker-launch
|
||||||
profile dbus-broker-launch @{exec_path} {
|
profile dbus-broker-launch @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
|
|
@ -19,13 +19,16 @@ profile dbus-broker-launch @{exec_path} {
|
||||||
|
|
||||||
@{bin}/dbus-broker rPUx,
|
@{bin}/dbus-broker rPUx,
|
||||||
|
|
||||||
@{system_share_dirs}/dbus-1/{,**} r,
|
|
||||||
@{system_share_dirs}/dbus-1/services/{,**} r,
|
|
||||||
/usr/share/dbus-1/{,**} r,
|
/usr/share/dbus-1/{,**} r,
|
||||||
/usr/share/defaults/**.conf r,
|
/usr/share/defaults/**.conf r,
|
||||||
|
|
||||||
|
# Extra rules for Flatpak
|
||||||
|
@{system_share_dirs}/dbus-1/{,**} r,
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
|
||||||
|
@{run}/user/@{uid}/dbus-1/{,**} r,
|
||||||
|
|
||||||
@{PROC}/sys/kernel/random/boot_id r,
|
@{PROC}/sys/kernel/random/boot_id r,
|
||||||
|
|
||||||
include if exists <local/dbus-broker-launch>
|
include if exists <local/dbus-broker-launch>
|
||||||
|
|
|
||||||
|
|
@ -91,10 +91,11 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
|
||||||
/var/lib/snapd/dbus-1/services/{,**} r,
|
/var/lib/snapd/dbus-1/services/{,**} r,
|
||||||
/var/lib/snapd/dbus-1/system-services/{,**} r,
|
/var/lib/snapd/dbus-1/system-services/{,**} r,
|
||||||
|
|
||||||
@{user_share_dirs}/icc/{,edid-*} r,
|
@{user_share_dirs}/icc/ r,
|
||||||
|
@{user_share_dirs}/icc/edid-*.icc r,
|
||||||
owner @{user_share_dirs}/dbus-1/{,**} r,
|
owner @{user_share_dirs}/dbus-1/{,**} r,
|
||||||
|
|
||||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
@{run}/systemd/inhibit/*.ref rw,
|
||||||
@{run}/systemd/notify w,
|
@{run}/systemd/notify w,
|
||||||
@{run}/systemd/sessions/*.ref rw,
|
@{run}/systemd/sessions/*.ref rw,
|
||||||
@{run}/systemd/users/@{uid} r,
|
@{run}/systemd/users/@{uid} r,
|
||||||
|
|
|
||||||
|
|
@ -63,12 +63,15 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
||||||
/ r,
|
/ r,
|
||||||
/.flatpak-info r,
|
/.flatpak-info r,
|
||||||
|
|
||||||
|
/usr/share/dconf/profile/gdm r,
|
||||||
/usr/share/pipewire/client.conf r,
|
/usr/share/pipewire/client.conf r,
|
||||||
/usr/share/xdg-desktop-portal/** r,
|
/usr/share/xdg-desktop-portal/** r,
|
||||||
|
|
||||||
/etc/pipewire/client.conf.d/ r,
|
/etc/pipewire/client.conf.d/ r,
|
||||||
/etc/sysconfig/proxy r,
|
/etc/sysconfig/proxy r,
|
||||||
|
|
||||||
|
/var/lib/gdm{,3}/greeter-dconf-defaults r,
|
||||||
|
|
||||||
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
||||||
/var/lib/flatpak/exports/share/applications/{**,} r,
|
/var/lib/flatpak/exports/share/applications/{**,} r,
|
||||||
|
|
||||||
|
|
@ -87,6 +90,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
||||||
owner @{PROC}/@{pid}/mountinfo r,
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
owner @{PROC}/@{pid}/task/ r,
|
owner @{PROC}/@{pid}/task/ r,
|
||||||
owner @{PROC}/@{pid}/task/@{tid}/ r,
|
owner @{PROC}/@{pid}/task/@{tid}/ r,
|
||||||
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||||
owner @{PROC}/@{pid}/task/@{tid}/status r,
|
owner @{PROC}/@{pid}/task/@{tid}/status r,
|
||||||
owner @{PROC}/@{pids}/cgroup r,
|
owner @{PROC}/@{pids}/cgroup r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -11,7 +11,10 @@ profile gdm-generate-config @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
|
capability chown,
|
||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
|
capability fowner,
|
||||||
|
capability fsetid,
|
||||||
capability setgid,
|
capability setgid,
|
||||||
capability setuid,
|
capability setuid,
|
||||||
|
|
||||||
|
|
@ -29,8 +32,8 @@ profile gdm-generate-config @{exec_path} {
|
||||||
/usr/share/gdm/{,**} r,
|
/usr/share/gdm/{,**} r,
|
||||||
|
|
||||||
/var/lib/ r,
|
/var/lib/ r,
|
||||||
|
/var/lib/gdm{3,}/ rw,
|
||||||
/var/lib/gdm{3,}/{,**} r,
|
/var/lib/gdm{3,}/{,**} r,
|
||||||
|
|
||||||
/var/lib/gdm{3,}/greeter-dconf-defaults rw,
|
/var/lib/gdm{3,}/greeter-dconf-defaults rw,
|
||||||
/var/lib/gdm{3,}/greeter-dconf-defaults.@{rand6} w,
|
/var/lib/gdm{3,}/greeter-dconf-defaults.@{rand6} w,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -20,7 +20,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{lib}/gio-launch-desktop rix,
|
@{bin}/gnome-terminal rPUx,
|
||||||
|
@{lib}/gio-launch-desktop rix,
|
||||||
|
|
||||||
owner @{HOME}/{,**} rw,
|
owner @{HOME}/{,**} rw,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -19,6 +19,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
||||||
include <abstractions/bus/org.gnome.Shell.Introspect>
|
include <abstractions/bus/org.gnome.Shell.Introspect>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
|
include <abstractions/fontconfig-cache-write>
|
||||||
include <abstractions/gnome-strict>
|
include <abstractions/gnome-strict>
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
@ -59,7 +60,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
||||||
/usr/share/gnome-shell/{,**} r,
|
/usr/share/gnome-shell/{,**} r,
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||||
|
|
||||||
/var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
|
/var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
|
||||||
/var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
|
/var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
|
||||||
/var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
|
/var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
|
||||||
/var/lib/gdm{3,}/.config/dconf/user r,
|
/var/lib/gdm{3,}/.config/dconf/user r,
|
||||||
|
|
|
||||||
|
|
@ -13,6 +13,7 @@ profile gnome-calculator-search-provider @{exec_path} {
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/gnome-strict>
|
include <abstractions/gnome-strict>
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
signal (send) set=kill peer=unconfined,
|
signal (send) set=kill peer=unconfined,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -12,7 +12,8 @@ profile gnome-initial-setup @{exec_path} {
|
||||||
include <abstractions/bus-session>
|
include <abstractions/bus-session>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/gnome-strict>
|
include <abstractions/gnome-strict>
|
||||||
include <abstractions/mesa>
|
include <abstractions/graphics>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
|
@ -22,11 +23,19 @@ profile gnome-initial-setup @{exec_path} {
|
||||||
|
|
||||||
@{bin}/df rPx,
|
@{bin}/df rPx,
|
||||||
@{bin}/dpkg rPx -> child-dpkg,
|
@{bin}/dpkg rPx -> child-dpkg,
|
||||||
|
@{bin}/locale rix,
|
||||||
@{bin}/lscpu rPx,
|
@{bin}/lscpu rPx,
|
||||||
@{bin}/lspci rPx,
|
@{bin}/lspci rPx,
|
||||||
@{bin}/xrandr rPx,
|
@{bin}/xrandr rPx,
|
||||||
|
|
||||||
@{lib}/gnome-initial-setup-goa-helper rix,
|
@{lib}/gnome-initial-setup-goa-helper rix,
|
||||||
|
|
||||||
|
/usr/share/dconf/profile/gdm r,
|
||||||
|
|
||||||
|
/var/lib/gdm{,3}/greeter-dconf-defaults r,
|
||||||
|
|
||||||
|
owner @{user_config_dirs}/ibus/bus/ r,
|
||||||
|
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
|
||||||
|
|
||||||
include if exists <local/gnome-initial-setup>
|
include if exists <local/gnome-initial-setup>
|
||||||
}
|
}
|
||||||
|
|
@ -28,6 +28,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
@{bin}/ r,
|
@{bin}/ r,
|
||||||
|
@{bin}/env r,
|
||||||
@{bin}/python3.@{int} rix,
|
@{bin}/python3.@{int} rix,
|
||||||
@{lib}/python3.@{int}/site-packages//gnomemusic/__pycache__/{,**} rw,
|
@{lib}/python3.@{int}/site-packages//gnomemusic/__pycache__/{,**} rw,
|
||||||
|
|
||||||
|
|
@ -44,8 +45,8 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
|
||||||
owner @{user_share_dirs}/grilo-plugins/ rwk,
|
owner @{user_share_dirs}/grilo-plugins/ rwk,
|
||||||
owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
|
owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw,
|
|
||||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||||
|
owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw,
|
||||||
|
|
||||||
owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,
|
owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,
|
||||||
owner /var/tmp/etilqs_@{hex} rw,
|
owner /var/tmp/etilqs_@{hex} rw,
|
||||||
|
|
|
||||||
|
|
@ -377,6 +377,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||||
owner @{PROC}/@{pid}/mountinfo r,
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
owner @{PROC}/@{pid}/task/@{pid}/cmdline r,
|
owner @{PROC}/@{pid}/task/@{pid}/cmdline r,
|
||||||
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||||
|
|
||||||
/dev/input/event@{int} rw,
|
/dev/input/event@{int} rw,
|
||||||
/dev/media@{int} rw,
|
/dev/media@{int} rw,
|
||||||
|
|
|
||||||
|
|
@ -104,6 +104,7 @@ profile gnome-software @{exec_path} {
|
||||||
@{PROC}/sys/kernel/random/boot_id r,
|
@{PROC}/sys/kernel/random/boot_id r,
|
||||||
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
|
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
|
||||||
owner @{PROC}/@{pid}/cmdline r,
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
|
owner @{PROC}/@{pid}/fdinfo/@{int} r,
|
||||||
owner @{PROC}/@{pid}/stat r,
|
owner @{PROC}/@{pid}/stat r,
|
||||||
|
|
||||||
/dev/fuse rw,
|
/dev/fuse rw,
|
||||||
|
|
|
||||||
|
|
@ -60,6 +60,8 @@ profile gnome-terminal-server @{exec_path} {
|
||||||
owner @{user_cache_dirs}/event-sound-cache.tdb.@{md5}.@{multiarch} rwk,
|
owner @{user_cache_dirs}/event-sound-cache.tdb.@{md5}.@{multiarch} rwk,
|
||||||
|
|
||||||
owner @{user_config_dirs}/*xdg-terminals.list* rw,
|
owner @{user_config_dirs}/*xdg-terminals.list* rw,
|
||||||
|
owner @{user_config_dirs}/ibus/bus/ r,
|
||||||
|
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
|
||||||
owner @{user_config_dirs}/pulse/cookie rk,
|
owner @{user_config_dirs}/pulse/cookie rk,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/pulse/ r,
|
owner @{run}/user/@{uid}/pulse/ r,
|
||||||
|
|
|
||||||
|
|
@ -40,6 +40,9 @@ profile goa-daemon @{exec_path} {
|
||||||
|
|
||||||
/var/lib/gdm{3,}/.config/dconf/user r,
|
/var/lib/gdm{3,}/.config/dconf/user r,
|
||||||
|
|
||||||
|
owner /var/lib/gdm{3,}/.config/ w,
|
||||||
|
owner /var/lib/gdm{3,}/.config/goa-1.0/ w,
|
||||||
|
|
||||||
owner @{user_config_dirs}/goa-1.0/ rw,
|
owner @{user_config_dirs}/goa-1.0/ rw,
|
||||||
owner @{user_config_dirs}/goa-1.0/accounts.conf* rw,
|
owner @{user_config_dirs}/goa-1.0/accounts.conf* rw,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -16,6 +16,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/deny-sensitive-home>
|
include <abstractions/deny-sensitive-home>
|
||||||
include <abstractions/disks-read>
|
include <abstractions/disks-read>
|
||||||
|
include <abstractions/fontconfig-cache-write>
|
||||||
include <abstractions/gnome-strict>
|
include <abstractions/gnome-strict>
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
include <abstractions/gstreamer>
|
include <abstractions/gstreamer>
|
||||||
|
|
|
||||||
|
|
@ -21,9 +21,11 @@ profile ksplashqml @{exec_path} {
|
||||||
/usr/share/qt/translations/*.qm r,
|
/usr/share/qt/translations/*.qm r,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
|
owner @{user_cache_dirs}/ksplash/ rw,
|
||||||
|
owner @{user_cache_dirs}/ksplash/qmlcache/ rw,
|
||||||
owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc rwl -> @{user_cache_dirs}/ksplash/qmlcache/#@{int},
|
owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc rwl -> @{user_cache_dirs}/ksplash/qmlcache/#@{int},
|
||||||
owner @{user_cache_dirs}/ksplash/qmlcache/#@{int} rw,
|
|
||||||
owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/ksplash/qmlcache/#@{int},
|
owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/ksplash/qmlcache/#@{int},
|
||||||
|
owner @{user_cache_dirs}/ksplash/qmlcache/#@{int} rw,
|
||||||
owner @{user_config_dirs}/kdedefaults/* r,
|
owner @{user_config_dirs}/kdedefaults/* r,
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
owner @{user_config_dirs}/kdeglobals r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1,33 +0,0 @@
|
||||||
# apparmor.d - Full set of apparmor profiles
|
|
||||||
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
|
||||||
|
|
||||||
# Profile for a systemd service, it does not specify an attachment path because
|
|
||||||
# it is intended to be used only via "Px -> *.service" exec transitions from systemd.service
|
|
||||||
|
|
||||||
abi <abi/3.0>,
|
|
||||||
|
|
||||||
include <tunables/global>
|
|
||||||
|
|
||||||
profile dmesg.service {
|
|
||||||
include <abstractions/base>
|
|
||||||
|
|
||||||
@{bin}/savelog mr,
|
|
||||||
|
|
||||||
@{bin}/basename rix,
|
|
||||||
@{bin}/chmod rix,
|
|
||||||
@{bin}/date rix,
|
|
||||||
@{bin}/dirname rix,
|
|
||||||
@{bin}/gzip rix,
|
|
||||||
@{bin}/ln rix,
|
|
||||||
@{bin}/mv rix,
|
|
||||||
@{bin}/rm rix,
|
|
||||||
@{bin}/touch rix,
|
|
||||||
|
|
||||||
/var/log/ r,
|
|
||||||
/var/log/dmesg rw,
|
|
||||||
/var/log/dmesg.* rwl -> /var/log/dmesg,
|
|
||||||
|
|
||||||
include if exists <usr/dmesg.service.d>
|
|
||||||
include if exists <local/dmesg.service>
|
|
||||||
}
|
|
||||||
|
|
@ -9,6 +9,13 @@ include <tunables/global>
|
||||||
@{exec_path} = /etc/init.d/exim4
|
@{exec_path} = /etc/init.d/exim4
|
||||||
profile init-exim4 @{exec_path} {
|
profile init-exim4 @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
|
capability chown,
|
||||||
|
capability dac_read_search,
|
||||||
|
capability fowner,
|
||||||
|
capability fsetid,
|
||||||
|
capability net_admin,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
|
@ -23,6 +30,7 @@ profile init-exim4 @{exec_path} {
|
||||||
@{bin}/install rix,
|
@{bin}/install rix,
|
||||||
@{bin}/mv rix,
|
@{bin}/mv rix,
|
||||||
@{bin}/plymouth rPx,
|
@{bin}/plymouth rPx,
|
||||||
|
@{bin}/rm rix,
|
||||||
@{bin}/run-parts rix,
|
@{bin}/run-parts rix,
|
||||||
@{bin}/sed rix,
|
@{bin}/sed rix,
|
||||||
@{bin}/start-stop-daemon rix,
|
@{bin}/start-stop-daemon rix,
|
||||||
|
|
@ -31,7 +39,13 @@ profile init-exim4 @{exec_path} {
|
||||||
@{bin}/tr rix,
|
@{bin}/tr rix,
|
||||||
@{bin}/update-exim4.conf rix,
|
@{bin}/update-exim4.conf rix,
|
||||||
|
|
||||||
/var/lib/exim4/config.autogenerated.tmp rw,
|
/etc/default/exim4 r,
|
||||||
|
/etc/exim4/* r,
|
||||||
|
/etc/mailname r,
|
||||||
|
|
||||||
|
/var/lib/exim4/* rw,
|
||||||
|
|
||||||
|
owner @{run}/exim4/{,**} rw,
|
||||||
|
|
||||||
include if exists <local/init-exim4>
|
include if exists <local/init-exim4>
|
||||||
}
|
}
|
||||||
|
|
@ -15,24 +15,20 @@ profile systemd.service @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
capability sys_admin,
|
capability sys_admin,
|
||||||
|
|
||||||
@{bin}/{,ba,da}sh rm,
|
# TODO:
|
||||||
|
mount -> @{sys}/fs/fuse/connections/,
|
||||||
|
mount -> @{sys}/kernel/*/,
|
||||||
|
mount -> /dev/*/,
|
||||||
|
mount -> /efi/,
|
||||||
|
mount -> /tmp/,
|
||||||
|
|
||||||
@{bin}/cp rix,
|
@{bin}/mount rix, # TODO: maybe, keep it in systemed
|
||||||
@{bin}/find rix,
|
|
||||||
@{bin}/grep rix,
|
|
||||||
@{bin}/install rix,
|
|
||||||
@{bin}/mkdir rix,
|
|
||||||
@{bin}/mount rix,
|
|
||||||
@{bin}/rm rix,
|
|
||||||
@{bin}/systemctl rix,
|
@{bin}/systemctl rix,
|
||||||
|
@{coreutils_path} rix,
|
||||||
|
@{shells_path} rmix,
|
||||||
|
|
||||||
@{bin}/grub-editenv rPx,
|
@{bin}/grub-editenv rPx,
|
||||||
@{bin}/ibus-daemon rPx,
|
@{bin}/ibus-daemon rPx,
|
||||||
|
|
||||||
@{bin}/chgrp rPx -> dmesg.service,
|
|
||||||
@{bin}/chmod rPx -> dmesg.service,
|
|
||||||
@{bin}/savelog rPx -> dmesg.service,
|
|
||||||
|
|
||||||
@{bin}/ldconfig rPx -> ldconfig.service,
|
@{bin}/ldconfig rPx -> ldconfig.service,
|
||||||
|
|
||||||
@{lib}/ r,
|
@{lib}/ r,
|
||||||
|
|
@ -43,6 +39,10 @@ profile systemd.service @{exec_path} flags=(attach_disconnected) {
|
||||||
/boot/grub/grubenv rw,
|
/boot/grub/grubenv rw,
|
||||||
/boot/grub/ w,
|
/boot/grub/ w,
|
||||||
|
|
||||||
|
/var/log/ r,
|
||||||
|
/var/log/dmesg rw,
|
||||||
|
/var/log/dmesg.* rwl -> /var/log/dmesg,
|
||||||
|
|
||||||
# snapd.system-shutdown.service
|
# snapd.system-shutdown.service
|
||||||
@{run}/initramfs/shutdown rw,
|
@{run}/initramfs/shutdown rw,
|
||||||
@{run}/initramfs/ rw,
|
@{run}/initramfs/ rw,
|
||||||
|
|
@ -50,5 +50,6 @@ profile systemd.service @{exec_path} flags=(attach_disconnected) {
|
||||||
@{PROC}/cmdline r,
|
@{PROC}/cmdline r,
|
||||||
@{PROC}/sys/kernel/osrelease r,
|
@{PROC}/sys/kernel/osrelease r,
|
||||||
|
|
||||||
|
include if exists <usr/systemd.service.d>
|
||||||
include if exists <local/systemd.service>
|
include if exists <local/systemd.service>
|
||||||
}
|
}
|
||||||
|
|
@ -42,6 +42,7 @@ profile systemd-journald @{exec_path} {
|
||||||
owner @{run}/systemd/notify rw,
|
owner @{run}/systemd/notify rw,
|
||||||
|
|
||||||
@{run}/host/container-manager r,
|
@{run}/host/container-manager r,
|
||||||
|
@{run}/utmp rk,
|
||||||
|
|
||||||
@{run}/udev/data/+acpi:* r,
|
@{run}/udev/data/+acpi:* r,
|
||||||
@{run}/udev/data/+bluetooth:* r,
|
@{run}/udev/data/+bluetooth:* r,
|
||||||
|
|
|
||||||
|
|
@ -19,7 +19,10 @@ profile dleyna-server-service @{exec_path} {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{user_config_dirs}/dleyna-server-service.conf r,
|
/etc/dleyna-server-service.conf r,
|
||||||
|
|
||||||
|
@{user_config_dirs}/dleyna-server-service.conf r,
|
||||||
|
owner @{user_config_dirs}/dleyna-server-service.conf w,
|
||||||
|
|
||||||
include if exists <local/dleyna-server-service>
|
include if exists <local/dleyna-server-service>
|
||||||
}
|
}
|
||||||
|
|
@ -1,13 +1,12 @@
|
||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||||
|
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
# When any of the "ns*" fields is displayed, the following error will be printed:
|
|
||||||
# "Failed name lookup - disconnected path" error=-13 profile="top" name="".
|
|
||||||
@{exec_path} = @{bin}/top
|
@{exec_path} = @{bin}/top
|
||||||
profile top @{exec_path} flags=(attach_disconnected) {
|
profile top @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
|
@ -15,62 +14,57 @@ profile top @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/wutmp>
|
include <abstractions/wutmp>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
# To be able to read the /proc/ files of all processes in the system.
|
|
||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
|
|
||||||
# To manage priorities.
|
|
||||||
capability sys_nice,
|
|
||||||
|
|
||||||
# To terminate other users' processes when top is started as root.
|
|
||||||
capability kill,
|
capability kill,
|
||||||
|
capability sys_nice,
|
||||||
capability sys_ptrace,
|
capability sys_ptrace,
|
||||||
|
|
||||||
signal (send),
|
signal (send),
|
||||||
|
|
||||||
ptrace (read),
|
ptrace (read),
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/usr/share/terminfo/** r,
|
/usr/share/terminfo/** r,
|
||||||
|
|
||||||
@{PROC}/ r,
|
|
||||||
@{PROC}/loadavg r,
|
|
||||||
@{PROC}/uptime r,
|
|
||||||
@{PROC}/tty/drivers r,
|
|
||||||
@{PROC}/sys/kernel/osrelease r,
|
|
||||||
@{PROC}/sys/kernel/pid_max r,
|
|
||||||
|
|
||||||
@{PROC}/@{pids}/cmdline r,
|
|
||||||
@{PROC}/@{pids}/stat r,
|
|
||||||
@{PROC}/@{pids}/statm r,
|
|
||||||
@{PROC}/@{pids}/environ r,
|
|
||||||
@{PROC}/@{pids}/oom_{,score_}adj r,
|
|
||||||
@{PROC}/@{pids}/oom_score r,
|
|
||||||
@{PROC}/@{pids}/cgroup r,
|
|
||||||
@{PROC}/@{pids}/wchan r,
|
|
||||||
|
|
||||||
@{PROC}/@{pids}/task/ r,
|
|
||||||
@{PROC}/@{pids}/task/@{tid}/cmdline r,
|
|
||||||
@{PROC}/@{pids}/task/@{tid}/stat r,
|
|
||||||
@{PROC}/@{pids}/task/@{tid}/statm r,
|
|
||||||
@{PROC}/@{pids}/task/@{tid}/environ r,
|
|
||||||
@{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r,
|
|
||||||
@{PROC}/@{pids}/task/@{tid}/oom_score r,
|
|
||||||
@{PROC}/@{pids}/oom_{,score_}adj r,
|
|
||||||
@{PROC}/@{pids}/oom_score r,
|
|
||||||
@{PROC}/@{pids}/task/@{tid}/cgroup r,
|
|
||||||
@{PROC}/@{pids}/task/@{tid}/wchan r,
|
|
||||||
@{PROC}/@{pids}/task/@{tid}/status r,
|
|
||||||
|
|
||||||
/etc/topdefaultrc r,
|
/etc/topdefaultrc r,
|
||||||
/etc/toprc r,
|
/etc/toprc r,
|
||||||
|
|
||||||
|
owner @{user_config_dirs}/procps/ rw,
|
||||||
|
owner @{user_config_dirs}/procps/toprc rw,
|
||||||
|
|
||||||
|
@{run}/systemd/sessions/ r,
|
||||||
|
|
||||||
@{sys}/devices/system/node/ r,
|
@{sys}/devices/system/node/ r,
|
||||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||||
@{sys}/devices/system/node/node@{int}/cpumap r,
|
@{sys}/devices/system/node/node@{int}/cpumap r,
|
||||||
|
|
||||||
owner @{user_config_dirs}/procps/ rw,
|
@{PROC}/ r,
|
||||||
owner @{user_config_dirs}/procps/toprc rw,
|
@{PROC}/@{pids}/cgroup r,
|
||||||
|
@{PROC}/@{pids}/cmdline r,
|
||||||
|
@{PROC}/@{pids}/environ r,
|
||||||
|
@{PROC}/@{pids}/oom_{,score_}adj r,
|
||||||
|
@{PROC}/@{pids}/oom_{,score_}adj r,
|
||||||
|
@{PROC}/@{pids}/oom_score r,
|
||||||
|
@{PROC}/@{pids}/oom_score r,
|
||||||
|
@{PROC}/@{pids}/stat r,
|
||||||
|
@{PROC}/@{pids}/statm r,
|
||||||
|
@{PROC}/@{pids}/task/ r,
|
||||||
|
@{PROC}/@{pids}/task/@{tid}/cgroup r,
|
||||||
|
@{PROC}/@{pids}/task/@{tid}/cmdline r,
|
||||||
|
@{PROC}/@{pids}/task/@{tid}/environ r,
|
||||||
|
@{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r,
|
||||||
|
@{PROC}/@{pids}/task/@{tid}/oom_score r,
|
||||||
|
@{PROC}/@{pids}/task/@{tid}/stat r,
|
||||||
|
@{PROC}/@{pids}/task/@{tid}/statm r,
|
||||||
|
@{PROC}/@{pids}/task/@{tid}/status r,
|
||||||
|
@{PROC}/@{pids}/task/@{tid}/wchan r,
|
||||||
|
@{PROC}/@{pids}/wchan r,
|
||||||
|
@{PROC}/loadavg r,
|
||||||
|
@{PROC}/sys/kernel/osrelease r,
|
||||||
|
@{PROC}/sys/kernel/pid_max r,
|
||||||
|
@{PROC}/tty/drivers r,
|
||||||
|
@{PROC}/uptime r,
|
||||||
|
|
||||||
include if exists <local/top>
|
include if exists <local/top>
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -41,8 +41,11 @@ profile wireplumber @{exec_path} {
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
|
||||||
|
/var/lib/gdm{3,}/.local/state/ w,
|
||||||
|
/var/lib/gdm{3,}/.local/ w,
|
||||||
/var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,
|
/var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,
|
||||||
|
|
||||||
|
owner @{HOME}/.local/ w,
|
||||||
owner @{user_state_dirs}/ w,
|
owner @{user_state_dirs}/ w,
|
||||||
owner @{user_state_dirs}/wireplumber/{,**} rw,
|
owner @{user_state_dirs}/wireplumber/{,**} rw,
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue