feat(profiles): general update.

Alexandre Pujol 2022-11-29 12:02:38 +00:00
parent d52a7bd52a
commit 1e5d90afe8
19 changed files with 78 additions and 37 deletions


@ -14,13 +14,10 @@
owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w, owner @{PROC}/@{pid}/uid_map w,
/var/tmp/ r,
/tmp/ r, /tmp/ r,
owner /tmp/.org.chromium.Chromium.*/ rw, /var/tmp/ r,
owner /tmp/.org.chromium.Chromium.*/SingletonCookie w,
owner /tmp/.org.chromium.Chromium.*/SingletonSocket w,
owner /tmp/.org.chromium.Chromium.*/SS w,
owner /tmp/.org.chromium.Chromium.* rw, owner /tmp/.org.chromium.Chromium.* rw,
owner /tmp/.org.chromium.Chromium.*/{,**} rw,
owner /tmp/scoped_dir*/ rw, owner /tmp/scoped_dir*/ rw,
owner /tmp/scoped_dir*/SingletonCookie w, owner /tmp/scoped_dir*/SingletonCookie w,
owner /tmp/scoped_dir*/SingletonSocket w, owner /tmp/scoped_dir*/SingletonSocket w,
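Review bot: The new `owner /tmp/.org.chromium.Chromium.*/{,**} rw` widens the grant from three named files with `w` to read-write on everything under the per-instance temp directory, and it overlaps with the `owner /tmp/.org.chromium.Chromium.* rw` line kept directly above it, since the `{,**}` form already covers the directory itself. That is probably acceptable because `owner` still applies and the directory name is instance-scoped, but the reason the enumerated files were not enough is lost; a comment such as `# Chromium creates several socket/lock files here (SingletonCookie, SingletonSocket, SS, ...); glob rather than chase new names` would keep it. The `scoped_dir*` rules that follow keep the per-file style, so the abstraction is now inconsistent with itself; the rule list continues past the end of the hunk.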


@ -7,7 +7,7 @@
/dev/ r, /dev/ r,
/dev/bus/usb/ r, /dev/bus/usb/ r,
/dev/bus/usb/[0-9]*/ r, /dev/bus/usb/[0-9]*/ r,
/dev/bus/usb/[0-9]*/[0-9]* rw, /dev/bus/usb/[0-9]*/[0-9]* rwk,
@{sys}/class/ r, @{sys}/class/ r,
@{sys}/class/usbmisc/ r, @{sys}/class/usbmisc/ r,


@ -15,6 +15,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
include <abstractions/audio> include <abstractions/audio>
include <abstractions/chromium-common> include <abstractions/chromium-common>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/devices-usb>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
@ -111,9 +112,10 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
owner /tmp/scoped_dir*/{,**} rw,
owner /tmp/tmp.* rw,
owner /tmp/tmp.*/ rw, owner /tmp/tmp.*/ rw,
owner /tmp/tmp.*/** rwk, owner /tmp/tmp.*/** rwk,
owner /tmp/scoped_dir*/{,**} rw,
@{PROC}/ r, @{PROC}/ r,
@{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/fd/ r,
@ -142,12 +144,10 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
@{sys}/class/ r, @{sys}/class/ r,
@{sys}/class/**/ r, @{sys}/class/**/ r,
@{sys}/devices/**/uevent r, @{sys}/devices/**/uevent r,
@{sys}/devices/pci[0-9]*/**/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r,
@{sys}/devices/pci[0-9]*/**/boot_vga r, @{sys}/devices/pci[0-9]*/**/boot_vga r,
@{sys}/devices/pci[0-9]*/**/irq r, @{sys}/devices/pci[0-9]*/**/irq r,
@{sys}/devices/pci[0-9]*/**/report_descriptor r, @{sys}/devices/pci[0-9]*/**/report_descriptor r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idProduct,idVendor,interface} r,
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r, @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
@{sys}/devices/virtual/**/report_descriptor r, @{sys}/devices/virtual/**/report_descriptor r,
@{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_name r,
@ -155,8 +155,9 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/virtual/tty/tty[0-9]/active r, @{sys}/devices/virtual/tty/tty[0-9]/active r,
/dev/ r, /dev/ r,
/dev/video[0-9]* rw,
/dev/hidraw[0-9]* rw, /dev/hidraw[0-9]* rw,
/dev/tty rw,
/dev/video[0-9]* rw,
# file_inherit # file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
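Review bot: `include <abstractions/devices-usb>` gives the browser that abstraction's `/dev/bus/usb/[0-9]*/[0-9]* rwk` on every USB device node, which is far broader than the sysfs attribute reads (`idVendor`, `idProduct`, `serial`, `descriptors`, ...) this section removes. AppArmor only narrows DAC, so udev ACLs still decide whether a given node can be opened, but the profile itself no longer limits which devices a compromised renderer-host process may reach, and `/dev/hidraw[0-9]* rw` is already present. If this is for WebUSB-style device access, say so next to the include, `# WebUSB: direct access to USB device nodes via abstractions/devices-usb`; if only enumeration was needed, the sysfs rules that were dropped were the tighter option. The profile body continues outside the visible hunks.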


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# Note: This profile does not specify an attachment path because it is # Note: This profile does not specify an attachment path because it is
@ -19,6 +20,7 @@ profile child-systemctl flags=(attach_disconnected) {
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/wutmp> include <abstractions/wutmp>
capability mknod,
capability net_admin, capability net_admin,
capability sys_ptrace, capability sys_ptrace,
@ -33,17 +35,25 @@ profile child-systemctl flags=(attach_disconnected) {
/{usr/,}bin/systemctl mr, /{usr/,}bin/systemctl mr,
/etc/machine-id r,
/etc/systemd/user/{,**} rwl, /etc/systemd/user/{,**} rwl,
/{run,var}/log/journal/ r,
/{run,var}/log/journal/@{hex}/ r,
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* r,
/{run,var}/log/journal/@{hex}/system.journal* r,
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* r,
@{run}/systemd/private rw, @{run}/systemd/private rw,
owner @{PROC}/@{pid}/stat r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/1/environ r, @{PROC}/1/environ r,
@{PROC}/1/sched r, @{PROC}/1/sched r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/stat r,
/dev/kmsg w, /dev/kmsg w,
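Review bot: The new journal reads, in particular `/{run,var}/log/journal/@{hex}/system.journal* r`, expose the whole system log to every program that runs `systemctl` under this child profile, and `capability mknod` is added with nothing indicating which operation needs it; neither addition is explained. Both deserve a comment naming the triggering command, e.g. `# systemctl status prints recent journal lines` on the journal rules, and the `mknod` line should be confirmed against the actual denial rather than kept speculatively. Separately, if `@{hex}` expands only to hex digits, `system@@{hex}.journal*` will not match archived journals, whose names contain dashes (`system@<hex>-<hex>-<hex>.journal`), so that rule may be dead; worth checking against the tunable. The profile continues on both sides of the hunk.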


@ -125,11 +125,16 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/.flatpak/{,*/*} r, owner @{run}/user/@{uid}/.flatpak/{,*/*} r,
owner @{run}/user/@{uid}/pipewire-[0-9]* rw, owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
owner @{PROC}/@{pids}/cgroup r,
@{PROC}/ r, @{PROC}/ r,
@{PROC}/1/cgroup r, @{PROC}/1/cgroup r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
@{PROC}/@{pid}/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/ r,
owner @{PROC}/@{pid}/task/@{tid}/status r,
owner @{PROC}/@{pids}/cgroup r,
include if exists <local/xdg-desktop-portal> include if exists <local/xdg-desktop-portal>
} }
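Review bot: The new `@{PROC}/@{pid}/ r` is the only proc rule in this section without `owner`, so it permits listing `/proc/<pid>/` for every process, whereas the `task/`, `task/@{tid}/status` and `mountinfo` rules added beside it are owner-scoped. If the portal needs it to inspect the calling application's pid (a process it does not own), state that, `# caller pid lookup: the portal resolves the requesting app from /proc/<pid>`; if the denial only involved its own pid, add `owner` for consistency with the adjacent rules.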


@ -12,6 +12,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/deny-sensitive-home>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/fontconfig-cache-write> include <abstractions/fontconfig-cache-write>
@ -20,7 +21,6 @@ profile xdg-desktop-portal-gnome @{exec_path} {
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/user-download> include <abstractions/user-download>
include <abstractions/user-read>
include <abstractions/vulkan> include <abstractions/vulkan>
dbus send bus=session path=/org/freedesktop/DBus dbus send bus=session path=/org/freedesktop/DBus
@ -123,6 +123,8 @@ profile xdg-desktop-portal-gnome @{exec_path} {
/var/lib/snapd/desktop/icons/{,**} r, /var/lib/snapd/desktop/icons/{,**} r,
owner @{HOME}/*/{,**} rw,
owner @{user_share_dirs}/ r, owner @{user_share_dirs}/ r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{run}/user/@{uid}/wayland-[0-9]* rw,
@ -130,7 +132,10 @@ profile xdg-desktop-portal-gnome @{exec_path} {
@{run}/mount/utab r, @{run}/mount/utab r,
owner @{PROC}/@{pid}/ r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/task/@{tid}/ r,
owner @{PROC}/@{pid}/task/@{tid}/status r,
include if exists <local/xdg-desktop-portal-gnome> include if exists <local/xdg-desktop-portal-gnome>
} }
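Review bot: `owner @{HOME}/*/{,**} rw` replaces the read-only `abstractions/user-read` include with read-write on every subtree one level below the home directory, i.e. most of the user's data; `abstractions/deny-sensitive-home` trims the known-sensitive locations, but write access to everything else is a large step up for a portal whose role is mediated file access. A comment should record why read was not enough, e.g. `# file chooser portal: Save-as writes to user-chosen locations`, and if the write case is only the save dialog, consider keeping `r` here and limiting `w` to the paths the backend actually writes. The profile continues outside the visible hunks.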


@ -20,6 +20,7 @@ profile gnome-contacts-search-provider @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/mime/mime.cache r, /usr/share/mime/mime.cache r,
owner @{user_share_dirs}/mime/mime.cache r,
owner @{user_share_dirs}/folks/relationships.ini r, owner @{user_share_dirs}/folks/relationships.ini r,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,


@ -10,6 +10,7 @@ include <tunables/global>
profile gnome-disks @{exec_path} { profile gnome-disks @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/disks-write>
include <abstractions/gnome> include <abstractions/gnome>
@{exec_path} mr, @{exec_path} mr,
@ -17,6 +18,8 @@ profile gnome-disks @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/X11/xkb/{,**} r, /usr/share/X11/xkb/{,**} r,
owner @{user_cache_dirs}/gnome-disks/{,**} rw,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
@{PROC}/1/cgroup r, @{PROC}/1/cgroup r,
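Review bot: `include <abstractions/disks-write>` presumably grants direct write access to block devices, while gnome-disks normally delegates privileged disk operations to udisksd over D-Bus and runs as the desktop user; DAC on `/dev/sd*` will usually block it anyway, so the include mostly widens the profile on systems where the user is in the `disk` group. The operation that produced the denial should be named next to the include, `# <operation>: opens the block device directly`, so the grant can be revisited later.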


@ -66,26 +66,31 @@ profile gnome-software @{exec_path} {
/var/lib/PackageKit/offline-update-competed r, /var/lib/PackageKit/offline-update-competed r,
/var/lib/PackageKit/prepared-update r, /var/lib/PackageKit/prepared-update r,
owner @{HOME}/.var/app/{,**/} r,
owner @{user_cache_dirs}/flatpak/system-cache/{,**} rw,
owner @{user_cache_dirs}/gnome-software/{,**} rw,
owner @{user_share_dirs}/ r,
owner @{user_share_dirs}/flatpak/repo/{,**} rw,
/var/tmp/flatpak-cache-*/ rw, /var/tmp/flatpak-cache-*/ rw,
/var/tmp/flatpak-cache-*/** rwkl, /var/tmp/flatpak-cache-*/** rwkl,
/var/tmp/#[0-9]* rw, /var/tmp/#[0-9]* rw,
owner @{HOME}/.var/app/{,**} rw,
owner @{user_cache_dirs}/flatpak/system-cache/{,**} rw,
owner @{user_cache_dirs}/gnome-software/{,**} rw,
owner @{user_config_dirs}/pulse/*.conf r,
owner @{user_share_dirs}/ r,
owner @{user_share_dirs}/flatpak/repo/{,**} rw,
owner @{user_share_dirs}/gnome-software/{,**} rw,
owner /tmp/ostree-gpg-*/ rw, owner /tmp/ostree-gpg-*/ rw,
owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
owner /tmp/#[0-9]* rw, owner /tmp/#[0-9]* rw,
@{run}/systemd/inhibit/*.ref rw, owner @{run}/user/@{uid}/.dbus-proxy/ rw,
owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-[0-9A-Z]* rw, owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-[0-9A-Z]* rw,
owner @{run}/user/@{uid}/.dbus-proxy/session-bus-proxy-[0-9A-Z]* rw, owner @{run}/user/@{uid}/.dbus-proxy/session-bus-proxy-[0-9A-Z]* rw,
owner @{run}/user/@{uid}/.flatpak-cache rw, owner @{run}/user/@{uid}/.flatpak-cache rw,
owner @{run}/user/@{uid}/.flatpak/{,**} rw, owner @{run}/user/@{uid}/.flatpak/{,**} rw,
owner @{run}/user/@{uid}/.flatpak/**/*.ref rwk, owner @{run}/user/@{uid}/.flatpak/**/*.ref rwk,
owner @{run}/user/@{uid}/app/{,*/} rw,
@{run}/systemd/inhibit/*.ref rw,
@{sys}/module/nvidia/version r, @{sys}/module/nvidia/version r,
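Review bot: `owner @{HOME}/.var/app/{,**} rw` turns the previous directory-only read (`{,**/} r`) into read-write on every flatpak application's private config, cache and data, which is more than install and update need. Removing an app's data on uninstall is the obvious reason and should be written down, `# flatpak uninstall --delete-data removes ~/.var/app/<app-id>`; if that is the only write case, the rule could be limited to `owner @{HOME}/.var/app/*/{,**} rw` so the top-level directory itself stays read-only. The profile continues outside the hunk.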


@ -175,6 +175,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm{3,}/.config/pulse/client.conf r, /var/lib/gdm{3,}/.config/pulse/client.conf r,
/var/lib/gdm{3,}/.config/pulse/cookie rk, /var/lib/gdm{3,}/.config/pulse/cookie rk,
@{run}/systemd/inhibit/[0-9]*.ref rw,
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,


@ -63,8 +63,8 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
@{libexec}/ r, @{libexec}/ r,
@{MOUNTDIRS}/ r, @{MOUNTDIRS}/ r,
@{MOUNTS}/ r, @{MOUNTS}/ r,
@{MOUNTS}/** rw,
owner @{HOME}/{,**} rw, owner @{HOME}/{,**} rw,
owner @{MOUNTS}/** rw,
owner @{run}/user/@{uid}/{,**} rw, owner @{run}/user/@{uid}/{,**} rw,
owner /tmp/{,**} rw, owner /tmp/{,**} rw,
@ -83,11 +83,12 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r, @{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
@{sys}/devices/**/hwmon/{,name,temp*,fan*} r, @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
@{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r, @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
@{sys}/devices/system/cpu/possible r, @{sys}/devices/pci[0-9]*/**/revision r,
@{PROC}/@{pids}/net/wireless r,
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pids}/net/wireless r,
/dev/tty rw, /dev/tty rw,
/dev/dri/card[0-9]* rw, /dev/dri/card[0-9]* rw,


@ -11,6 +11,7 @@ include <tunables/global>
profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
capability sys_nice, capability sys_nice,
@ -36,5 +37,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
/dev/tty rw,
include if exists <local/nm-dispatcher> include if exists <local/nm-dispatcher>
} }


@ -35,6 +35,7 @@ profile aurpublish @{exec_path} {
/etc/makepkg.conf r, /etc/makepkg.conf r,
owner @{user_build_dirs}/**/ w, owner @{user_build_dirs}/**/ w,
owner @{user_projects_dirs}/**/ r,
owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw, owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw,
owner @{user_projects_dirs}/**/.SRCINFO rw, owner @{user_projects_dirs}/**/.SRCINFO rw,
owner @{user_projects_dirs}/**/PKGBUILD r, owner @{user_projects_dirs}/**/PKGBUILD r,


@ -22,6 +22,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
@{exec_path} rmix, @{exec_path} rmix,
/{usr/,}bin/{,ba}sh rix, /{usr/,}bin/{,ba}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/bsdtar rix, /{usr/,}bin/bsdtar rix,
/{usr/,}bin/cat rix, /{usr/,}bin/cat rix,
/{usr/,}bin/cp rix, /{usr/,}bin/cp rix,
@ -29,22 +30,22 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/find rix, /{usr/,}bin/find rix,
/{usr/,}bin/findmnt rPx, /{usr/,}bin/findmnt rPx,
/{usr/,}bin/fsck rix, /{usr/,}bin/fsck rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/grep rix, /{usr/,}bin/grep rix,
/{usr/,}bin/hexdump rix, /{usr/,}bin/hexdump rix,
/{usr/,}bin/install rix, /{usr/,}bin/install rix,
/{usr/,}bin/ldconfig rix, /{usr/,}bin/ldconfig rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/sync rix,
/{usr/,}bin/ldd rix, /{usr/,}bin/ldd rix,
/{usr/,}bin/ln rix, /{usr/,}bin/ln rix,
/{usr/,}bin/loadkeys rix, /{usr/,}bin/loadkeys rix,
/{usr/,}bin/mktemp rix, /{usr/,}bin/mktemp rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/readlink rix, /{usr/,}bin/readlink rix,
/{usr/,}bin/realpath rix,
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/sed rix, /{usr/,}bin/sed rix,
/{usr/,}bin/sort rix, /{usr/,}bin/sort rix,
/{usr/,}bin/stat rix, /{usr/,}bin/stat rix,
/{usr/,}bin/sync rix,
/{usr/,}bin/tee rix, /{usr/,}bin/tee rix,
/{usr/,}bin/touch rix, /{usr/,}bin/touch rix,
/{usr/,}bin/tput rix, /{usr/,}bin/tput rix,


@ -65,6 +65,7 @@ profile bootctl @{exec_path} {
@{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
@{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,
@{sys}/firmware/efi/fw_platform_size r,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
@{PROC}/sys/kernel/random/poolsize r, @{PROC}/sys/kernel/random/poolsize r,


@ -37,7 +37,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
# Where the tmpfiles can be created, # Where the tmpfiles can be created,
/{,*} rw, /{,*} rw,
/dev/{,**} rw, /dev/{,**} rw,
/etc/{,**} r, /etc/{,**} rw,
/home/ rw, /home/ rw,
/opt/{,**} rw, /opt/{,**} rw,
/run/{,**} rw, /run/{,**} rw,
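Review bot: Changing `/etc/{,**}` from `r` to `rw` lets the root-running tmpfiles binary create or truncate any file under `/etc`; that is presumably driven by shipped `tmpfiles.d` entries (`C`/`L` lines that populate files such as `/etc/mtab` or `/etc/os-release`), so the grant is likely correct, but the line now sits in the "where tmpfiles can be created" list with no hint that it is config-driven. A short note would let the next reader decide whether it is still needed, `# tmpfiles.d C/L entries populate /etc on first boot`. The profile continues outside the hunk.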


@ -21,6 +21,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
capability kill, capability kill,
capability mknod, capability mknod,
capability net_admin, capability net_admin,
capability setfcap,
capability sys_admin, capability sys_admin,
capability sys_chroot, capability sys_chroot,
capability sys_ptrace, capability sys_ptrace,
@ -60,12 +61,12 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/ps rPx, /{usr/,}bin/ps rPx,
/{usr/,}bin/unpigz rix, /{usr/,}bin/unpigz rix,
# Docker needs full access of its containers. # Docker needs full access of the containers it manage.
# TODO: should be in a sub profile started with pivot_root, not supported yet. # TODO: should be in a sub profile started with pivot_root, not supported yet.
/{,**} rw, /{,**} rwl,
deny /boot/{,**} rw, deny /boot/{,**} rwl,
deny /media/{,**} rw, deny /media/{,**} rwl,
deny /mnt/{,**} rw, deny /mnt/{,**} rwl,
owner /{usr/,}lib/docker/overlay2/*/work/{,**} rw, owner /{usr/,}lib/docker/overlay2/*/work/{,**} rw,
owner /var/lib/docker/{,**} rwk, owner /var/lib/docker/{,**} rwk,
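Review bot: `capability setfcap` combined with the unrestricted `/{,**} rwl` a few lines below lets dockerd set file capabilities on any binary on the host, not only inside image layers; the likely reason is restoring the `security.capability` xattr when unpacking layers (e.g. a `ping` built with `cap_net_raw`), and that belongs in a comment next to the capability, `# restore file capabilities (security.capability xattr) when extracting image layers`. The deny lines now carry `rwl` to mirror the allow, but `owner /{usr/,}lib/docker/overlay2/*/work/{,**} rw` and `owner /var/lib/docker/{,**} rwk` are then subsumed by the catch-all apart from the `k` bit, so either the catch-all should be `rwkl` or those lines should be dropped, whichever the pivot_root TODO intends. The profile continues outside the hunk.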


@ -126,7 +126,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
/etc/xen/scripts/** rmix, /etc/xen/scripts/** rmix,
/var/lib/libvirt/virtd* rix, /var/lib/libvirt/virtd* rix,
/usr/share/edk2-ovmf/{,**} r, /usr/share/edk2*/{,**} rk,
/usr/share/hwdata/* r, /usr/share/hwdata/* r,
/usr/share/libvirt/{,**} r, /usr/share/libvirt/{,**} r,
/usr/share/mime/mime.cache r, /usr/share/mime/mime.cache r,
@ -135,6 +135,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
@{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} r, @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} r,
@{etc_rw}/libvirt/{,**} rw, @{etc_rw}/libvirt/{,**} rw,
/etc/mdevctl.d/{,**} r, /etc/mdevctl.d/{,**} r,
/etc/sasl2/qemu.conf r,
/etc/xml/catalog r, /etc/xml/catalog r,
/var/cache/libvirt/{,**} rw, /var/cache/libvirt/{,**} rw,
@ -206,6 +207,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
@{sys}/kernel/security/apparmor/profiles r, @{sys}/kernel/security/apparmor/profiles r,
@{sys}/module/kvm_intel/parameters/nested r, @{sys}/module/kvm_intel/parameters/nested r,
@{sys}/module/vhost/parameters/max_mem_regions r,
@{sys}/fs/cgroup/ r, @{sys}/fs/cgroup/ r,
@{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/cgroup.controllers r,
@ -229,6 +231,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/net/ip_tables_names r, owner @{PROC}/@{pid}/net/ip_tables_names r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/dev/dri/ r, /dev/dri/ r,
/dev/hugepages/{,**} w, /dev/hugepages/{,**} w,
@ -239,6 +242,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
/dev/shm/libvirt/{,**} rw, /dev/shm/libvirt/{,**} rw,
/dev/vfio/[0-9]* rwk, /dev/vfio/[0-9]* rwk,
/dev/vhost-net rw, /dev/vhost-net rw,
/dev/ptmx rw,
# Force the use of virt-aa-helper # Force the use of virt-aa-helper
audit deny /{usr/,}{s,}bin/apparmor_parser rwxl, audit deny /{usr/,}{s,}bin/apparmor_parser rwxl,


@ -30,6 +30,7 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
/.flatpak-info r, /.flatpak-info r,
owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.dirs r,
owner @{user_share_dirs}/mime/mime.cache r,
owner @{run}/user/@{uid}/.flatpak/[0-9]*/bwrapinfo.json r, owner @{run}/user/@{uid}/.flatpak/[0-9]*/bwrapinfo.json r,
owner @{run}/user/@{uid}/.flatpak/[0-9]*/info r, owner @{run}/user/@{uid}/.flatpak/[0-9]*/info r,