mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-14 23:43:56 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add @{MOUNTS} for all common mountpoints.

Browse Source
This commit is contained in:
Alexandre Pujol 2021-04-19 15:20:32 +01:00
parent a5ec3e559c
commit 1f11e6398b
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
127 changed files with 286 additions and 306 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
apparmor.d/abstractions/user-download-strict
View File

@ -7,11 +7,8 @@
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/** rwkl,
owner /media/*/@{XDG_DOWNLOAD_DIR}/ r,
owner /media/*/@{XDG_DOWNLOAD_DIR}/** rwkl,
owner /mnt/*/@{XDG_DOWNLOAD_DIR}/ r,
owner /mnt/*/@{XDG_DOWNLOAD_DIR}/** rwkl,
owner @{MOUNTS}/*/@{XDG_DOWNLOAD_DIR}/ r,
owner @{MOUNTS}/*/@{XDG_DOWNLOAD_DIR}/** rwkl,
owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl,

8
apparmor.d/groups/apps/android-studio
View File

@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{AS_LIBDIR} = /media/*/android-studio
@{AS_SDKDIR} = /media/*/SDK
@{AS_LIBDIR} = @{MOUNTS}/*/android-studio
@{AS_SDKDIR} = @{MOUNTS}/*/SDK
@{AS_HOMEDIR} = @{HOME}/.AndroidStudio*
@{AS_PROJECTDIR} = @{HOME}/AndroidStudioProjects
@ -90,8 +90,8 @@ profile android-studio @{exec_path} {
/ r,
/home/ r,
/media/ r,
/media/*/ r,
@{MOUNTS}/ r,
@{MOUNTS}/*/ r,
/usr/ r,
/{usr/,}lib/ r,
/{usr/,}lib{x32,32,64}/ r,

8
apparmor.d/groups/apps/atom
View File

@ -86,10 +86,10 @@ profile atom @{exec_path} {
# Git dirs
/ r,
/media/ r,
owner /media/*/ r,
owner /media/*/atom/ r,
owner /media/*/atom/** rwkl -> /media/*/atom/**,
@{MOUNTS}/ r,
owner @{MOUNTS}/*/ r,
owner @{MOUNTS}/*/atom/ r,
owner @{MOUNTS}/*/atom/** rwkl -> @{MOUNTS}/*/atom/**,
owner @{user_config_dirs}/git/config r,

10
apparmor.d/groups/apps/calibre
View File

@ -76,8 +76,8 @@ profile calibre @{exec_path} {
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
/media/ r,
owner /media/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
owner /{home,media}/**.@{calibre_ext} rw,
/usr/share/calibre/{,**} r,
@ -85,9 +85,9 @@ profile calibre @{exec_path} {
owner @{HOME}/@{XDG_BOOKS_DIR} rw,
owner @{HOME}/@{XDG_BOOKS_DIR}/** rwkl,
owner /media/*/@{XDG_BOOKS_DIR}/ r,
owner /media/*/@{XDG_BOOKS_DIR}*/ rw,
owner /media/*/@{XDG_BOOKS_DIR}*/** rwkl -> /media/*/@{XDG_BOOKS_DIR}*/**,
owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}/ r,
owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/ rw,
owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/** rwkl -> @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/**,
owner @{user_config_dirs}/calibre/ rw,
owner @{user_config_dirs}/calibre/** rwk,

8
apparmor.d/groups/apps/code
View File

@ -65,10 +65,10 @@ profile code @{exec_path} {
# Git dirs
/ r,
/media/ r,
owner /media/*/ r,
owner /media/*/code/ r,
owner /media/*/code/** rwkl -> /media/*/code/**,
@{MOUNTS}/ r,
owner @{MOUNTS}/*/ r,
owner @{MOUNTS}/*/code/ r,
owner @{MOUNTS}/*/code/** rwkl -> @{MOUNTS}/*/code/**,
# To remove the following error:
# Error initializing NSS with a persistent database

4
apparmor.d/groups/apps/filezilla
View File

@ -57,8 +57,8 @@ profile filezilla @{exec_path} {
/{usr/,}lib/firefox/firefox rPUx,
# FTP share folder
owner /media/*/ftp/ r,
owner /media/*/ftp/** rw,
owner @{MOUNTS}/*/ftp/ r,
owner @{MOUNTS}/*/ftp/** rw,
# Silencer
/ r,

6
apparmor.d/groups/apps/geany
View File

@ -72,9 +72,9 @@ profile geany @{exec_path} {
/lost+found/ r,
/lost+found/** r,
owner /lost+found/** rw,
/media/ r,
/media/** r,
owner /media/** rw,
@{MOUNTS}/ r,
@{MOUNTS}/** r,
owner @{MOUNTS}/** rw,
/mnt/ r,
/mnt/** r,
owner /mnt/** rw,

4
apparmor.d/groups/apps/okular
View File

@ -33,8 +33,8 @@ profile okular @{exec_path} {
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
/media/ r,
owner /media/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
/tmp/ r,
/tmp/mozilla_*/ r,
owner /{home,media,tmp/mozilla_*}/**.@{okular_ext} rw,

2
apparmor.d/groups/apps/telegram-desktop
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{TELEGRAM_WORK_DIR} = /media/Kabi/telegram
@{TELEGRAM_WORK_DIR} = @{MOUNTS}/Kabi/telegram
@{exec_path} = /{usr/,}bin/telegram-desktop
profile telegram-desktop @{exec_path} {

4
apparmor.d/groups/apps/vlc
View File

@ -86,8 +86,8 @@ profile vlc @{exec_path} {
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
/media/ r,
owner /media/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
owner /{home,media}/**.@{vlc_ext} rw,
/var/lib/dbus/machine-id r,

2
apparmor.d/groups/apt/apt
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}bin/apt
profile apt @{exec_path} flags=(complain) {

10
apparmor.d/groups/apt/apt-cdrom
View File

@ -39,11 +39,11 @@ profile apt-cdrom @{exec_path} flags=(complain) {
/media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r,
# For pendrives
/media/*/*/ r,
/media/*/*/**/ r,
/media/*/*/.disk/info r,
/media/*/*/dists/**/binary-*/Packages{,.gz} r,
/media/*/*/dists/**/i18n/Translation-en{,.gz} r,
@{MOUNTS}/*/*/ r,
@{MOUNTS}/*/*/**/ r,
@{MOUNTS}/*/*/.disk/info r,
@{MOUNTS}/*/*/dists/**/binary-*/Packages{,.gz} r,
@{MOUNTS}/*/*/dists/**/i18n/Translation-en{,.gz} r,
/var/lib/apt/lists/** rw,

2
apparmor.d/groups/apt/apt-extracttemplates
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}bin/apt-extracttemplates
profile apt-extracttemplates @{exec_path} {

2
apparmor.d/groups/apt/apt-ftparchive
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}bin/apt-ftparchive
profile apt-ftparchive @{exec_path} {

2
apparmor.d/groups/apt/apt-get
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}bin/apt-get
profile apt-get @{exec_path} flags=(complain) {

2
apparmor.d/groups/apt/apt-methods-cdrom
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/cdrom
profile apt-methods-cdrom @{exec_path} {

2
apparmor.d/groups/apt/apt-methods-copy
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/copy
profile apt-methods-copy @{exec_path} {

2
apparmor.d/groups/apt/apt-methods-file
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/file
profile apt-methods-file @{exec_path} {

2
apparmor.d/groups/apt/apt-methods-ftp
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/ftp
profile apt-methods-ftp @{exec_path} {

2
apparmor.d/groups/apt/apt-methods-gpgv
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/gpgv
profile apt-methods-gpgv @{exec_path} {

2
apparmor.d/groups/apt/apt-methods-http
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/http{,s}
profile apt-methods-http @{exec_path} {

2
apparmor.d/groups/apt/apt-methods-mirror
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/mirror{,+*}
profile apt-methods-mirror @{exec_path} {

2
apparmor.d/groups/apt/apt-methods-rred
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/rred
profile apt-methods-rred @{exec_path} {

2
apparmor.d/groups/apt/apt-methods-rsh
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/{r,s}sh
profile apt-methods-rsh @{exec_path} {

2
apparmor.d/groups/apt/apt-methods-store
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/store
profile apt-methods-store @{exec_path} {

2
apparmor.d/groups/apt/apt-show-versions
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}bin/apt-show-versions
profile apt-show-versions @{exec_path} {

2
apparmor.d/groups/apt/aptitude
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}bin/aptitude{,-curses}
profile aptitude @{exec_path} flags=(complain) {

2
apparmor.d/groups/apt/dpkg-checkbuilddeps
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}bin/dpkg-checkbuilddeps
profile dpkg-checkbuilddeps @{exec_path} flags=(complain) {

2
apparmor.d/groups/apt/dpkg-deb
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}bin/dpkg-deb
profile dpkg-deb @{exec_path} {

2
apparmor.d/groups/apt/dpkg-genbuildinfo
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}bin/dpkg-genbuildinfo
profile dpkg-genbuildinfo @{exec_path} flags=(complain) {

2
apparmor.d/groups/apt/dpkg-genchanges
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}bin/dpkg-genchanges
profile dpkg-genchanges @{exec_path} flags=(complain) {

2
apparmor.d/groups/apt/dpkg-split
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}bin/dpkg-split
profile dpkg-split @{exec_path} {

2
apparmor.d/groups/apt/synaptic
View File

@ -4,7 +4,7 @@
abi <abi/3.0>,
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
include <tunables/global>

4
apparmor.d/groups/desktop/obex-folder-listing
View File

@ -14,8 +14,8 @@ profile obex-folder-listing @{exec_path} {
owner @{HOME}/ r,
owner @{HOME}/**/ r,
owner /media/*/ r,
owner /media/*/**/ r,
owner @{MOUNTS}/*/ r,
owner @{MOUNTS}/*/**/ r,
include if exists <local/obex-folder-listing>
}

3
apparmor.d/groups/gnome/nautilus
View File

@ -25,9 +25,8 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
# Full access to user's data
/ r,
owner @{HOME}/{,**} rw,
owner @{MOUNTS}/*/{,**} rw,
owner @{run}/user/@{uid}/{,**} rw,
owner /media/*/{,**} rw,
owner /mnt/*/{,**} rw,
owner /tmp/{,**} rw,
# Silencer for non user's data

2
apparmor.d/groups/gnome/tracker-miner
View File

@ -24,7 +24,7 @@ profile tracker-miner @{exec_path} {
# Allow to search user files
owner @{HOME}/{,**} r,
owner /media/*/{,**} r,
owner @{MOUNTS}/*/{,**} r,
owner /tmp/*/{,**} r,
owner @{user_share_dirs}/{applications/,mime/mime.cache} r,

3
apparmor.d/groups/gpg/gpg
View File

@ -64,8 +64,7 @@ profile gpg @{exec_path} {
# Verify files
owner @{HOME}/** r,
owner /mnt/*/** r,
owner /media/*/** r,
owner @{MOUNTS}/*/** r,
owner @{PROC}/@{pid}/task/@{tid}/stat rw,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,

4
apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
View File

@ -35,8 +35,8 @@ profile gvfs-udisks2-volume-monitor @{exec_path} {
/etc/fstab r,
# Mount points
/media/*/ r,
/media/*/*/ r,
@{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r,
@{HOME}/*/*/ r,
@{HOME}/*/*/**/ r,
@{HOME}/bluetooth/ r,

6
apparmor.d/groups/gvfs/gvfsd-archive
View File

@ -16,14 +16,12 @@ profile gvfsd-archive @{exec_path} {
@{exec_path} mr,
owner @{HOME}/**.{tar,tar.gz,zip} r,
owner /media/**.{TAR,TAR.GZ,ZIP} r,
owner @{MOUNTS}/**.{TAR,TAR.GZ,ZIP} r,
owner @{HOME}/**.{tar,tar.gz,zip} r,
owner /mnt/**.{TAR,TAR.GZ,ZIP} r,
owner @{HOME}/**.{iso,img,bin,mdf,nrg} r,
owner /media/*/**.{iso,img,bin,mdf,nrg} r,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
owner /mnt/*/**.{ISO,IMG,BIN,MDF,NRG} r,
include if exists <local/gvfsd-archive>
}

3
apparmor.d/groups/gvfs/gvfsd-recent
View File

@ -19,8 +19,7 @@ profile gvfsd-recent @{exec_path} {
# Full access to user's data
owner @{HOME}/{,**} rw,
owner /media/*/{,**} rw,
owner /mnt/*/{,**} rw,
owner @{MOUNTS}/*/{,**} rw,
owner @{HOME}/.zshenv r,
owner @{user_config_dirs}/user-dirs.dirs r,

3
apparmor.d/groups/gvfs/gvfsd-trash
View File

@ -31,8 +31,7 @@ profile gvfsd-trash @{exec_path} {
# Can restore all user files
owner @{HOME}/{,**} rw,
owner /media/*/{,**} rw,
owner /mnt/*/{,**} rw,
owner @{MOUNTS}/*/{,**} rw,
include if exists <local/gvfsd-trash>
}

4
apparmor.d/profiles-a-l/amarok
View File

@ -75,8 +75,8 @@ profile amarok @{exec_path} {
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
/media/ r,
owner /media/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
owner /{home,media}/**.@{amarok_ext} rw,
# Amarok home files

2
apparmor.d/profiles-a-l/appimage-beyond-all-reason
View File

@ -125,7 +125,7 @@ profile appimage-beyond-all-reason @{exec_path} {
/etc/fuse.conf r,
owner @{HOME}/**.AppImage r,
owner /media/*/**.AppImage r,
owner @{MOUNTS}/*/**.AppImage r,
@{PROC}/@{pid}/mounts r,

2
apparmor.d/profiles-a-l/badblocks
View File

@ -19,7 +19,7 @@ profile badblocks @{exec_path} {
# A place for a list of already existing known bad blocks
@{HOME}/** rwk,
/media/*/** rwk,
@{MOUNTS}/*/** rwk,
include if exists <local/badblocks>
}

3
apparmor.d/profiles-a-l/blkid
View File

@ -29,8 +29,7 @@ profile blkid @{exec_path} {
# Image files
@{HOME}/** r,
/media/*/** r,
/mnt/*/** r,
@{MOUNTS}/*/** r,
include if exists <local/blkid>
}

17
apparmor.d/profiles-a-l/borg
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BACKUP_DIR} = /media/Arti/backup-*
@{BACKUP_DIR} = @{MOUNTS}/Arti/backup-*
@{exec_path} = /{usr/,}bin/borg
profile borg @{exec_path} {
@ -38,10 +38,10 @@ profile borg @{exec_path} {
/{usr/,}bin/ccache rCx -> ccache,
/usr/bin/fusermount{,3} rCx -> fusermount,
mount fstype=fuse -> /media/*/,
mount fstype=fuse -> /media/*/*/,
umount /media/*/,
umount /media/*/*/,
mount fstype=fuse -> @{MOUNTS}/*/,
mount fstype=fuse -> @{MOUNTS}/*/*/,
umount @{MOUNTS}/*/,
umount @{MOUNTS}/*/*/,
/dev/fuse rw,
@ -71,8 +71,7 @@ profile borg @{exec_path} {
/efi/{,**} r,
/etc/{,**} r,
/home/{,**} r,
/media/{,**} r,
/mnt/{,**} r,
@{MOUNTS}/{,**} r,
/opt/{,**} r,
/root/{,**} r,
/srv/{,**} r,
@ -107,8 +106,8 @@ profile borg @{exec_path} {
/{usr/,}bin/fusermount{,3} mr,
umount /media/*/,
umount /media/*/*/,
umount @{MOUNTS}/*/,
umount @{MOUNTS}/*/*/,
}

16
apparmor.d/profiles-a-l/btrfs
View File

@ -33,18 +33,18 @@ profile btrfs @{exec_path} {
/var/lib/btrfs/scrub.status.[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*{,_tmp} rwk,
# Saved metadata
/media/*/ r,
/media/*/ext2_saved/ rw,
/media/*/ext2_saved/image rw,
/media/*/*/ r,
/media/*/*/ext2_saved/ rw,
/media/*/*/ext2_saved/image rw,
@{MOUNTS}/*/ r,
@{MOUNTS}/*/ext2_saved/ rw,
@{MOUNTS}/*/ext2_saved/image rw,
@{MOUNTS}/*/*/ r,
@{MOUNTS}/*/*/ext2_saved/ rw,
@{MOUNTS}/*/*/ext2_saved/image rw,
# To be able to manage btrfs volumes
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/btrfs>
}

4
apparmor.d/profiles-a-l/btrfs-find-root
View File

@ -15,9 +15,9 @@ profile btrfs-find-root @{exec_path} {
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/btrfs-find-root>
}

4
apparmor.d/profiles-a-l/btrfs-image
View File

@ -17,9 +17,9 @@ profile btrfs-image @{exec_path} {
# Image files
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/btrfs-image>
}

4
apparmor.d/profiles-a-l/btrfs-map-logical
View File

@ -15,9 +15,9 @@ profile btrfs-map-logical @{exec_path} {
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/btrfs-map-logical>
}

6
apparmor.d/profiles-a-l/cfdisk
View File

@ -25,13 +25,13 @@ profile cfdisk @{exec_path} {
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# A place for backups
owner @{HOME}/**.{bak,back} rwk,
owner /media/*/**.{bak,back} rwk,
owner @{MOUNTS}/*/**.{bak,back} rwk,
include if exists <local/cfdisk>
}

6
apparmor.d/profiles-a-l/cgdisk
View File

@ -17,13 +17,13 @@ profile cgdisk @{exec_path} {
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# A place for backups
owner @{HOME}/**.{bak,back} rwk,
owner /media/*/**.{bak,back} rwk,
owner @{MOUNTS}/*/**.{bak,back} rwk,
include if exists <local/cgdisk>
}

2
apparmor.d/profiles-a-l/changestool
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}bin/changestool
profile changestool @{exec_path} {

2
apparmor.d/profiles-a-l/czkawka-cli
View File

@ -14,7 +14,7 @@ profile czkawka-cli @{exec_path} {
# Dirs to scan for duplicates
#owner @{HOME}/** rw,
owner /media/** rw,
owner @{MOUNTS}/** rw,
owner @{user_config_dirs}/czkawka/ rw,
owner @{user_config_dirs}/czkawka/** rw,

2
apparmor.d/profiles-a-l/czkawka-gui
View File

@ -20,7 +20,7 @@ profile czkawka-gui @{exec_path} {
# Dirs to scan for duplicates
#owner @{HOME}/** rw,
owner /media/** rw,
owner @{MOUNTS}/** rw,
owner @{user_config_dirs}/czkawka/ rw,
owner @{user_config_dirs}/czkawka/** rw,

2
apparmor.d/profiles-a-l/debsign
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}bin/debsign
profile debsign @{exec_path} {

2
apparmor.d/profiles-a-l/debtags
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}bin/debtags
profile debtags @{exec_path} {

2
apparmor.d/profiles-a-l/dumpe2fs
View File

@ -19,7 +19,7 @@ profile dumpe2fs @{exec_path} {
# Image files
@{HOME}/** r,
/media/*/** r,
@{MOUNTS}/** r,
include if exists <local/dumpe2fs>
}

4
apparmor.d/profiles-a-l/e2fsck
View File

@ -28,9 +28,9 @@ profile e2fsck @{exec_path} {
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/e2fsck>
}

4
apparmor.d/profiles-a-l/e2image
View File

@ -19,9 +19,9 @@ profile e2image @{exec_path} {
# A place for the metadata image file
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/e2image>
}

4
apparmor.d/profiles-a-l/engrampa
View File

@ -54,8 +54,8 @@ profile engrampa @{exec_path} {
/home/ r,
#owner @{HOME}/ r,
#owner @{HOME}/** rw,
/media/ r,
/media/** rw,
@{MOUNTS}/ r,
@{MOUNTS}/** rw,
/tmp/ r,
owner /tmp/** rw,

2
apparmor.d/profiles-a-l/execute-dput
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}bin/dput /usr/share/dput/execute-dput
profile execute-dput @{exec_path} flags=(complain) {

8
apparmor.d/profiles-a-l/f3read
View File

@ -13,13 +13,13 @@ profile f3read @{exec_path} {
@{exec_path} mr,
# USB drive mount locations
/media/*/ r,
/media/*/*/ r,
@{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r,
/mnt/ r,
# To be able to read h2w files
owner /media/*/[0-9]*.h2w r,
owner /media/*/*/[0-9]*.h2w r,
owner @{MOUNTS}/*/[0-9]*.h2w r,
owner @{MOUNTS}/*/*/[0-9]*.h2w r,
owner /mnt/[0-9]*.h2w r,
include if exists <local/f3read>

8
apparmor.d/profiles-a-l/f3write
View File

@ -17,13 +17,13 @@ profile f3write @{exec_path} {
@{exec_path} mr,
# USB drive mount locations
/media/*/ r,
/media/*/*/ r,
@{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r,
/mnt/ r,
# To be able to write h2w files
owner /media/*/[0-9]*.h2w w,
owner /media/*/*/[0-9]*.h2w w,
owner @{MOUNTS}/*/[0-9]*.h2w w,
owner @{MOUNTS}/*/*/[0-9]*.h2w w,
owner /mnt/[0-9]*.h2w w,
include if exists <local/f3write>

6
apparmor.d/profiles-a-l/fdisk
View File

@ -27,13 +27,13 @@ profile fdisk @{exec_path} {
# For disk images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# For backups
owner @{HOME}/**.{bak,back} rwk,
owner /media/*/**.{bak,back} rwk,
owner @{MOUNTS}/*/**.{bak,back} rwk,
include if exists <local/fdisk>
}

4
apparmor.d/profiles-a-l/ffmpeg
View File

@ -64,8 +64,8 @@ profile ffmpeg @{exec_path} {
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
/media/ r,
owner /media/**/ r,
@{MOUNTS} r,
owner @{MOUNTS}/**/ r,
owner /{home,media}/**.@{ffmpeg_ext}{,.[0-9]*} rw,
@{sys}/devices/system/node/ r,

4
apparmor.d/profiles-a-l/ffplay
View File

@ -52,8 +52,8 @@ profile ffplay @{exec_path} {
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
/media/ r,
owner /media/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
owner /{home,media}/**.@{ffplay_ext} rw,
/etc/machine-id r,

4
apparmor.d/profiles-a-l/ffprobe
View File

@ -50,8 +50,8 @@ profile ffprobe @{exec_path} {
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
/media/ r,
owner /media/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
owner /{home,media}/**.@{ffprobe_ext} rw,
@{sys}/devices/system/node/ r,

2
apparmor.d/profiles-a-l/fsck
View File

@ -25,7 +25,7 @@ profile fsck @{exec_path} {
owner @{run}/fsck/*.lock rwk,
# When a mount dir is passed to fsck as an argument.
/media/*/ r,
@{MOUNTS}/*/ r,
/boot/ r,
/home/ r,

4
apparmor.d/profiles-a-l/fsck-fat
View File

@ -16,9 +16,9 @@ profile fsck-fat @{exec_path} {
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/fsck-fat>
}

8
apparmor.d/profiles-a-l/fuseiso
View File

@ -27,9 +27,9 @@ profile fuseiso @{exec_path} {
# Image files to be mounted
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{HOME}/.mtab.fuseiso rwk,
owner @{HOME}/.mtab.fuseiso.new rw,
@ -60,9 +60,9 @@ profile fuseiso @{exec_path} {
# Image files to be mounted
owner @{HOME}/**.{iso,img,bin,mdf,nrg} r,
owner /media/*/**.{iso,img,bin,mdf,nrg} r,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} r,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r,
}

8
apparmor.d/profiles-a-l/fusermount
View File

@ -28,14 +28,14 @@ profile fusermount @{exec_path} {
mount fstype={fuse,fuse.*} -> @{HOME}/*/,
mount fstype={fuse,fuse.*} -> @{HOME}/*/*/,
mount fstype={fuse,fuse.*} -> @{HOME}/.cache/**/,
mount fstype={fuse,fuse.*} -> /media/*/,
mount fstype={fuse,fuse.*} -> /media/*/*/,
mount fstype={fuse,fuse.*} -> @{MOUNTS}/*/,
mount fstype={fuse,fuse.*} -> @{MOUNTS}/*/*/,
umount @{HOME}/*/,
umount @{HOME}/*/*/,
umount @{HOME}/.cache/**/,
umount /media/*/,
umount /media/*/*/,
umount @{MOUNTS}/*/,
umount @{MOUNTS}/*/*/,
umount /tmp/.mount_*/,
/etc/fuse.conf r,

6
apparmor.d/profiles-a-l/gdisk
View File

@ -24,13 +24,13 @@ profile gdisk @{exec_path} {
# For disk images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# For backups
owner @{HOME}/**.{bak,back} rwk,
owner /media/*/**.{bak,back} rwk,
owner @{MOUNTS}/*/**.{bak,back} rwk,
include if exists <local/gdisk>
}

8
apparmor.d/profiles-a-l/gpartedbin
View File

@ -146,8 +146,8 @@ profile gpartedbin @{exec_path} {
mount /dev/sd[a-z][0-9]* -> /tmp/gparted-*/,
mount /dev/sd[a-z][0-9]* -> /boot/,
mount /dev/sd[a-z][0-9]* -> /media/*/,
mount /dev/sd[a-z][0-9]* -> /media/*/*/,
mount /dev/sd[a-z][0-9]* -> @{MOUNTS}/*/,
mount /dev/sd[a-z][0-9]* -> @{MOUNTS}/*/*/,
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/ r,
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/dev r,
@ -169,8 +169,8 @@ profile gpartedbin @{exec_path} {
umount /tmp/gparted-*/,
umount /boot/,
umount /media/*/,
umount /media/*/*/,
umount @{MOUNTS}/*/,
umount @{MOUNTS}/*/*/,
owner @{PROC}/@{pid}/mountinfo r,

2
apparmor.d/profiles-a-l/hdparm
View File

@ -28,7 +28,7 @@ profile hdparm @{exec_path} flags=(complain) {
# Image files
@{HOME}/** r,
/media/*/** r,
@{MOUNTS}/*/** r,
include if exists <local/hdparm>
}

2
apparmor.d/profiles-a-l/hugo
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{HUGO_DIR} = /media/debuilder/hugo
@{HUGO_DIR} = @{MOUNTS}/debuilder/hugo
@{exec_path} = /{usr/,}bin/hugo
profile hugo @{exec_path} {

4
apparmor.d/profiles-a-l/hypnotix
View File

@ -55,8 +55,8 @@ profile hypnotix @{exec_path} {
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
/media/ r,
owner /media/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
owner /{home,media}/**.@{hypnotix_ext} r,
# To be able to store settings

2
apparmor.d/profiles-a-l/ioping
View File

@ -37,7 +37,7 @@ profile ioping @{exec_path} {
/boot/** r,
/opt/** r,
/var/** r,
/media/** r,
@{MOUNTS}/** r,
/tmp/** r,
/home/** r,

2
apparmor.d/profiles-a-l/keepassxc-proxy
View File

@ -30,7 +30,7 @@ profile keepassxc-proxy @{exec_path} {
#
deny owner @{HOME}/.mozilla/** rw,
deny owner @{user_cache_dirs}/mozilla/** rw,
deny owner /media/*/.mozilla/** rw,
deny owner @{MOUNTS}/*/.mozilla/** rw,
deny owner /tmp/firefox*/.parentlock rw,
deny owner /tmp/tmp-*.xpi rw,
deny owner /tmp/tmpaddon r,

2
apparmor.d/profiles-a-l/kmod
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{BUILD_DIR} = @{MOUNTS}/debuilder/
@{exec_path} = /{usr/,}bin/{kmod,lsmod}
@{exec_path} += /{usr/,}{s,}bin/{depmod,insmod,lsmod,rmmod,modinfo,modprobe}

4
apparmor.d/profiles-m-z/mediainfo
View File

@ -43,8 +43,8 @@ profile mediainfo @{exec_path} {
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
/media/ r,
owner /media/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
owner /{home,media}/**.@{mediainfo_ext} r,
include if exists <local/mediainfo>

4
apparmor.d/profiles-m-z/mediainfo-gui
View File

@ -50,8 +50,8 @@ profile mediainfo-gui @{exec_path} {
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
/media/ r,
owner /media/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
owner /{home,media}/**.@{mediainfo_ext} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,

6
apparmor.d/profiles-m-z/megasync
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{SYNC_FOLDER}=/media/*/cloud_storage
@{SYNC_FOLDER}=@{MOUNTS}/*/cloud_storage
@{exec_path} = /{usr/,}bin/megasync
profile megasync @{exec_path} {
@ -57,8 +57,8 @@ profile megasync @{exec_path} {
# Sync folder
#/ r,
#/media/ r,
#/media/*/ r,
#@{MOUNTS}/ r,
#@{MOUNTS}/*/ r,
owner @{SYNC_FOLDER}/ r,
owner @{SYNC_FOLDER}/** rwl -> @{SYNC_FOLDER}/**,

4
apparmor.d/profiles-m-z/mke2fs
View File

@ -28,9 +28,9 @@ profile mke2fs @{exec_path} {
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# For virt-resize
owner /var/tmp/.guestfs-[0-9]*/** rwk,

4
apparmor.d/profiles-m-z/mkfs-btrfs
View File

@ -22,9 +22,9 @@ profile mkfs-btrfs @{exec_path} {
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/mkfs-btrfs>
}

4
apparmor.d/profiles-m-z/mkfs-fat
View File

@ -18,9 +18,9 @@ profile mkfs-fat @{exec_path} {
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/mkfs-fat>
}

4
apparmor.d/profiles-m-z/mkvmerge
View File

@ -52,8 +52,8 @@ profile mkvmerge @{exec_path} {
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
/media/ r,
owner /media/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
owner /{home,media}/**.@{mkvmerge_ext} rw,
owner /tmp/MKVToolNix-process-*.json r,

4
apparmor.d/profiles-m-z/mkvtoolnix-gui
View File

@ -67,8 +67,8 @@ profile mkvtoolnix-gui @{exec_path} {
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
/media/ r,
owner /media/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
owner /{home,media}/**.@{mkvtoolnix_ext} rw,
owner @{user_config_dirs}/bunkus.org/ rw,

10
apparmor.d/profiles-m-z/mount
View File

@ -41,17 +41,15 @@ profile mount @{exec_path} flags=(complain) {
/{usr/,}{s,}bin/mount.* rPx,
# Mount points
/media/*/ r,
/media/*/*/ r,
/mnt/ r,
/mnt/*/ r,
@{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r,
/media/cdrom[0-9]/ r,
# Mount iso/img files
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# The special /dev/loop-control file can be used to create and destroy loop devices or to find
# the first available loop device.

14
apparmor.d/profiles-m-z/mount-cifs
View File

@ -30,19 +30,17 @@ profile mount-cifs @{exec_path} flags=(complain) {
owner @{HOME}/.smbcredentials r,
# Mount points
/media/*/ r,
/media/*/*/ r,
/mnt/ r,
/mnt/*/ r,
@{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r,
# Allow to mount smb/cifs disks only under the /media/ dirs
mount fstype=cifs -> /media/*/,
mount fstype=cifs -> /media/*/*/,
mount fstype=cifs -> @{MOUNTS}/*/,
mount fstype=cifs -> @{MOUNTS}/*/*/,
mount fstype=cifs -> /mnt/,
mount fstype=cifs -> /mnt/*/,
umount /media/*/,
umount /media/*/*/,
umount @{MOUNTS}/*/,
umount @{MOUNTS}/*/*/,
umount /mnt/,
umount /mnt/*/,

15
apparmor.d/profiles-m-z/mount-nfs
View File

@ -45,19 +45,18 @@ profile mount-nfs @{exec_path} flags=(complain) {
owner @{run}/rpc.statd.lock wk,
# Mount points
/media/*/ r,
/media/*/*/ r,
/mnt/ r,
/mnt/*/ r,
@{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r,
# Allow to mount smb/cifs disks only under the /media/ dirs
mount fstype=nfs -> /media/*/,
mount fstype=nfs -> /media/*/*/,
mount fstype=nfs -> @{MOUNTS}/*/,
mount fstype=nfs -> @{MOUNTS}/*/*/,
mount fstype=nfs -> /mnt/,
mount fstype=nfs -> /mnt/*/,
umount /media/*/,
umount /media/*/*/,
umount @{MOUNTS}/*/,
umount @{MOUNTS}/*/*/,
umount /mnt/,
umount /mnt/*/,

4
apparmor.d/profiles-m-z/mpv
View File

@ -92,8 +92,8 @@ profile mpv @{exec_path} {
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
/media/ r,
owner /media/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
/tmp/ r,
owner /tmp/mpsyt-input* rw,
owner /tmp/mpsyt-mpv*.sock rw,

4
apparmor.d/profiles-m-z/mtools
View File

@ -25,9 +25,9 @@ profile mtools @{exec_path} {
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/mtools>
}

9
apparmor.d/profiles-m-z/nemo
View File

@ -56,12 +56,9 @@ profile nemo @{exec_path} {
/lost+found/ r,
/lost+found/** r,
owner /lost+found/** rw,
/media/ r,
/media/** r,
owner /media/** rw,
/mnt/ r,
/mnt/** r,
owner /mnt/** rw,
@{MOUNTS}/ r,
@{MOUNTS}/** r,
owner @{MOUNTS}/** rw,
/opt/ r,
/opt/** r,
owner /opt/** rw,

15
apparmor.d/profiles-m-z/ntfs-3g
View File

@ -32,20 +32,19 @@ profile ntfs-3g @{exec_path} {
/dev/fuse rw,
# Mount points
/media/*/ r,
/media/*/*/ r,
/mnt/ r,
/mnt/*/ r,
@{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r,
# Allow to mount ntfs disks only under the /media/ and /mnt/ dirs
mount fstype=fuseblk /dev/sd[a-z][0-9]* -> /media/*/,
mount fstype=fuseblk /dev/sd[a-z][0-9]* -> /media/*/*/,
mount fstype=fuseblk /dev/sd[a-z][0-9]* -> @{MOUNTS}/*/,
mount fstype=fuseblk /dev/sd[a-z][0-9]* -> @{MOUNTS}/*/*/,
mount fstype=fuseblk /dev/sd[a-z][0-9]* -> /mnt/,
mount fstype=fuseblk /dev/sd[a-z][0-9]* -> /mnt/*/,
# Allow to mount encrypted partition
mount fstype=fuseblk /dev/dm-[0-9]* -> /media/*/,
mount fstype=fuseblk /dev/dm-[0-9]* -> /media/*/*/,
mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/,
mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/*/,
mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/,
mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/*/,

2
apparmor.d/profiles-m-z/ntfsclone
View File

@ -19,7 +19,7 @@ profile ntfsclone @{exec_path} {
# A place for backups
@{HOME}/** rwk,
/media/*/** rwk,
@{MOUNTS}/*/** rwk,
include if exists <local/ntfsclone>
}

8
apparmor.d/profiles-m-z/parted
View File

@ -44,9 +44,9 @@ profile parted @{exec_path} {
# Image files
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
profile udevadm {
@ -70,9 +70,9 @@ profile parted @{exec_path} {
# file_inherit
include <abstractions/disks-write> # lots of files in this abstraction get inherited
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
}

14
apparmor.d/profiles-m-z/qbittorrent
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{TORRENT_DIR} = /media/*/torrent
@{TORRENT_DIR} = @{MOUNTS}/*/torrent
@{exec_path} = /{usr/,}bin/qbittorrent
profile qbittorrent @{exec_path} {
@ -58,8 +58,8 @@ profile qbittorrent @{exec_path} {
/usr/share/qt5ct/** r,
# Torrent files
/media/ r,
owner /media/*/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/*/ r,
owner @{TORRENT_DIR}/ r,
owner @{TORRENT_DIR}/** rw,
@ -140,7 +140,7 @@ profile qbittorrent @{exec_path} {
owner /tmp/tmp* rw,
# file_inherit
owner /media/*/torrent/** r,
owner @{MOUNTS}/*/torrent/** r,
deny /dev/dri/card[0-9]* rw,
}
@ -172,9 +172,9 @@ profile qbittorrent @{exec_path} {
/{usr/,}lib/firefox/firefox rPx,
# file_inherit
owner /media/*/torrent/** r,
owner /media/*/torrent/**.[0-9a-f]*.parts rw,
owner "/media/*/torrent/**.!qB" rw,
owner @{MOUNTS}/*/torrent/** r,
owner @{MOUNTS}/*/torrent/**.[0-9a-f]*.parts rw,
owner "@{MOUNTS}/*/torrent/**.!qB" rw,
owner @{HOME}/.xsession-errors w,

6
apparmor.d/profiles-m-z/qbittorrent-nox
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{TORRENT_DIR} = /media/*/torrent
@{TORRENT_DIR} = @{MOUNTS}/*/torrent
@{exec_path} = /{usr/,}bin/qbittorrent-nox
profile qbittorrent-nox @{exec_path} {
@ -37,8 +37,8 @@ profile qbittorrent-nox @{exec_path} {
owner @{user_cache_dirs}/qBittorrent/{,**} rw,
# Torrent files
/media/ r,
owner /media/*/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/*/ r,
owner @{TORRENT_DIR}/ r,
owner @{TORRENT_DIR}/** rw,

12
apparmor.d/profiles-m-z/qnapi
View File

@ -73,12 +73,12 @@ profile qnapi @{exec_path} {
/{usr/,}bin/xdg-open rCx -> open,
# Movie dirs
/media/ r,
owner /media/*/ r,
owner /media/*/** r,
owner /media/*/**#[0-9]*[0-9] rw,
owner /media/*/**.@{qnapi_vid_ext} r,
owner /media/*/**.@{qnapi_txt_ext} rwl -> /media/*/**/#[0-9]*[0-9],
@{MOUNTS}/ r,
owner @{MOUNTS}/*/ r,
owner @{MOUNTS}/*/** r,
owner @{MOUNTS}/*/**#[0-9]*[0-9] rw,
owner @{MOUNTS}/*/**.@{qnapi_vid_ext} r,
owner @{MOUNTS}/*/**.@{qnapi_txt_ext} rwl -> @{MOUNTS}/*/**/#[0-9]*[0-9],
owner @{HOME}/ r,
owner @{user_config_dirs}/qnapi.ini rw,

Some files were not shown because too many files have changed in this diff Show More