feat(profile): general update.
This commit is contained in:
parent
fade97486d
commit
209688fe86
16 changed files with 37 additions and 30 deletions
@ -109,6 +109,7 @@
|
||||||
|
|
||||||
/dev/hidraw@{int} rw,
|
/dev/hidraw@{int} rw,
|
||||||
/dev/input/ r,
|
/dev/input/ r,
|
||||||
|
/dev/ptmx rw,
|
||||||
/dev/pts/ptmx rw,
|
/dev/pts/ptmx rw,
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
dbus (send) bus=session path=/org/gtk/vfs/mounttracker
|
dbus (send) bus=session path=/org/gtk/vfs/mounttracker
|
||||||
interface=org.gtk.vfs.MountTracker
|
interface=org.gtk.vfs.MountTracker
|
||||||
member=ListMountableInfo
|
member=ListMountableInfo
|
||||||
|
|
|
@ -43,6 +43,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
|
||||||
capability dac_override,
|
capability dac_override,
|
||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
capability fowner,
|
capability fowner,
|
||||||
|
capability fsetid,
|
||||||
capability kill,
|
capability kill,
|
||||||
capability mknod,
|
capability mknod,
|
||||||
capability perfmon,
|
capability perfmon,
|
||||||
|
|
|
@ -40,7 +40,7 @@ profile gdm-xsession @{exec_path} {
|
||||||
|
|
||||||
@{bin}/dbus-update-activation-environment rCx -> dbus,
|
@{bin}/dbus-update-activation-environment rCx -> dbus,
|
||||||
@{bin}/dpkg-query rpx,
|
@{bin}/dpkg-query rpx,
|
||||||
@{bin}/flatpak rPUx,
|
@{bin}/flatpak rPx,
|
||||||
@{bin}/gpgconf rPx,
|
@{bin}/gpgconf rPx,
|
||||||
@{bin}/gsettings rPx,
|
@{bin}/gsettings rPx,
|
||||||
@{bin}/im-launch rPx,
|
@{bin}/im-launch rPx,
|
||||||
|
|
|
@ -27,11 +27,13 @@ profile gnome-control-center-goa-helper @{exec_path} {
|
||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
signal (send) set=(kill) peer=bwrap,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{bin}/bwrap rPUx,
|
@{bin}/bwrap rPUx,
|
||||||
|
|
||||||
@{lib}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
|
@{lib}/webkit2gtk-*/WebKitNetworkProcess rix,
|
||||||
|
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
/usr/share/themes/{,**} r,
|
/usr/share/themes/{,**} r,
|
||||||
|
@ -43,6 +45,7 @@ profile gnome-control-center-goa-helper @{exec_path} {
|
||||||
|
|
||||||
owner @{user_cache_dirs}/gnome-control-center-goa-helper/{,**} rwl,
|
owner @{user_cache_dirs}/gnome-control-center-goa-helper/{,**} rwl,
|
||||||
|
|
||||||
|
owner @{user_share_dirs}/gnome-control-center-goa-helper/{,**} rwk,
|
||||||
owner @{user_share_dirs}/webkitgtk/{,**} rw,
|
owner @{user_share_dirs}/webkitgtk/{,**} rw,
|
||||||
owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,
|
owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,
|
||||||
|
|
||||||
|
|
|
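Review bot: Replacing `webkit2gtk-{3,4}.0` with `webkit2gtk-*` on the `WebKitNetworkProcess rix,` line widens the match from two known ABI directories to any `@{lib}/webkit2gtk-*` path, and because the transition is `ix`, whatever binary is matched runs with this profile's full permission set. If the goal is only to follow newer API versions (e.g. a 4.1 directory), `@{lib}/webkit2gtk-@{int}.@{int}/WebKitNetworkProcess rix,` keeps the version-directory shape while remaining forward-compatible; `@{int}` is already used elsewhere in this changeset, so it should be in scope. The enclosing profile block begins and ends outside the hunk.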
@ -69,7 +69,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
@{bin}/Xorg rPx,
|
@{bin}/Xorg rPx,
|
||||||
/etc/sddm/Xsession rPx,
|
/etc/sddm/Xsession rPx,
|
||||||
|
|
||||||
@{bin}/flatpak rPUx,
|
@{bin}/flatpak rPx,
|
||||||
@{bin}/sway rPUx,
|
@{bin}/sway rPUx,
|
||||||
@{bin}/xauth rCx -> xauth,
|
@{bin}/xauth rCx -> xauth,
|
||||||
@{bin}/xsetroot rPx,
|
@{bin}/xsetroot rPx,
|
||||||
|
|
|
@ -36,7 +36,7 @@ profile sddm-xsession @{exec_path} {
|
||||||
@{bin}/zsh rix,
|
@{bin}/zsh rix,
|
||||||
|
|
||||||
@{bin}/dbus-update-activation-environment rCx -> dbus,
|
@{bin}/dbus-update-activation-environment rCx -> dbus,
|
||||||
@{bin}/flatpak rPUx,
|
@{bin}/flatpak rPx,
|
||||||
@{bin}/numlockx rPx,
|
@{bin}/numlockx rPx,
|
||||||
@{bin}/xhost rPx,
|
@{bin}/xhost rPx,
|
||||||
@{bin}/xrdb rPx,
|
@{bin}/xrdb rPx,
|
||||||
|
|
|
@ -36,7 +36,7 @@ profile xdm-xsession @{exec_path} {
|
||||||
@{bin}/whoami rix,
|
@{bin}/whoami rix,
|
||||||
|
|
||||||
@{bin}/dbus-update-activation-environment rCx -> dbus,
|
@{bin}/dbus-update-activation-environment rCx -> dbus,
|
||||||
@{bin}/flatpak rPUx,
|
@{bin}/flatpak rPx,
|
||||||
@{bin}/pidof rPx,
|
@{bin}/pidof rPx,
|
||||||
@{bin}/startplasma-x11 rPx,
|
@{bin}/startplasma-x11 rPx,
|
||||||
@{bin}/systemctl rPx -> child-systemctl,
|
@{bin}/systemctl rPx -> child-systemctl,
|
||||||
|
@ -77,13 +77,7 @@ profile xdm-xsession @{exec_path} {
|
||||||
|
|
||||||
owner @{user_share_dirs}/sddm/xorg-session.log rw,
|
owner @{user_share_dirs}/sddm/xorg-session.log rw,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/gnupg/ rw,
|
@{run}/user/@{uid}/xauth_@{rand6} rl,
|
||||||
owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r,
|
|
||||||
owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw,
|
|
||||||
owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key rw,
|
|
||||||
owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
|
||||||
owner @{run}/user/@{uid}/gnupg/sshcontrol r,
|
|
||||||
@{run}/user/@{uid}/xauth_@{rand6} rl,
|
|
||||||
|
|
||||||
owner /tmp/ssh-*/ rw,
|
owner /tmp/ssh-*/ rw,
|
||||||
owner /tmp/ssh-*/agent.* rw,
|
owner /tmp/ssh-*/agent.* rw,
|
||||||
|
|
|
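Review bot: The surviving rule `@{run}/user/@{uid}/xauth_@{rand6} rl,` is the only entry in this run of the profile without an `owner` qualifier, while the neighbouring `@{user_share_dirs}/sddm/...` and `/tmp/ssh-*` rules all carry one. If the display manager creates the xauth cookie as the session user, which the per-`@{uid}` runtime directory suggests, `owner @{run}/user/@{uid}/xauth_@{rand6} rl,` would limit the read and link permissions to files the user owns; if it is deliberately created as root, a one-line comment stating why `owner` is omitted would save the next maintainer the same question. This rule predates the commit, so it is a tightening opportunity rather than a regression.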
@ -54,10 +54,10 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
ptrace (read,trace) peer=@{systemd},
|
ptrace (read,trace) peer=@{systemd},
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/login[0-9]
|
dbus send bus=system path=/org/freedesktop/login1
|
||||||
interface=org.freedesktop.login[0-9].Manager
|
interface=org.freedesktop.login1.Manager
|
||||||
member={CreateSession,ReleaseSession}
|
member={CreateSession,ReleaseSession}
|
||||||
peer=(name=org.freedesktop.login[0-9]),
|
peer=(name=org.freedesktop.login1),
|
||||||
|
|
||||||
@{exec_path} mrix,
|
@{exec_path} mrix,
|
||||||
|
|
||||||
|
|
|
@ -29,22 +29,21 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
|
||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
dbus bind bus=system name=org.freedesktop.resolve1,
|
||||||
|
|
||||||
|
dbus receive bus=system path=/org/freedesktop/resolve1
|
||||||
|
interface=org.freedesktop.{resolve1.Manager,DBus.Peer,DBus.Properties},
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/DBus
|
dbus send bus=system path=/org/freedesktop/DBus
|
||||||
interface=org.freedesktop.DBus
|
interface=org.freedesktop.DBus
|
||||||
member={RequestName,GetConnectionUnixUser}
|
member={RequestName,GetConnectionUnixUser}
|
||||||
peer=(name=org.freedesktop.DBus),
|
peer=(name=org.freedesktop.DBus),
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/resolve[0-9]
|
dbus receive bus=system path=/org/freedesktop/login1
|
||||||
interface=org.freedesktop.{resolve[0-9].Manager,DBus.Peer,DBus.Properties},
|
interface=org.freedesktop.login1.Manager
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/login[0-9]*
|
|
||||||
interface=org.freedesktop.login[0-9]*.Manager
|
|
||||||
member={PrepareForSleep,PrepareForShutdown}
|
member={PrepareForSleep,PrepareForShutdown}
|
||||||
peer=(name=:*, label=systemd-logind),
|
peer=(name=:*, label=systemd-logind),
|
||||||
|
|
||||||
dbus bind bus=system
|
|
||||||
name=org.freedesktop.resolve[0-9],
|
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/etc/systemd/resolved.conf r,
|
/etc/systemd/resolved.conf r,
|
||||||
|
|
|
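Review bot: The new receive rule is pinned to the single object path `/org/freedesktop/resolve1`, yet systemd-resolved also publishes per-link objects under `/org/freedesktop/resolve1/link/` with the `org.freedesktop.resolve1.Link` interface; if clients in this deployment call into those objects, the profile as written would deny them. If audit logs confirm that, a second rule such as `dbus receive bus=system path=/org/freedesktop/resolve1/link/* interface=org.freedesktop.resolve1.Link,` is the minimal addition. The replaced `resolve[0-9]` form had the same exact-path limitation, so this is a pre-existing gap made more visible by the cleanup rather than something the commit introduces; confirm against the upstream resolved D-Bus documentation before widening.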
@ -137,6 +137,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
@{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} r,
|
@{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} r,
|
||||||
@{etc_rw}/libvirt/{,**} rw,
|
@{etc_rw}/libvirt/{,**} rw,
|
||||||
|
/etc/gnutls/config r,
|
||||||
/etc/mdevctl.d/{,**} r,
|
/etc/mdevctl.d/{,**} r,
|
||||||
/etc/sasl2/qemu.conf r,
|
/etc/sasl2/qemu.conf r,
|
||||||
/etc/xml/catalog r,
|
/etc/xml/catalog r,
|
||||||
|
|
|
@ -50,7 +50,9 @@ profile snap @{exec_path} {
|
||||||
@{bin}/systemctl rPx -> child-systemctl,
|
@{bin}/systemctl rPx -> child-systemctl,
|
||||||
|
|
||||||
/snap/{,**} rw,
|
/snap/{,**} rw,
|
||||||
# @{lib_dirs}/snap-confine rPx -> /usr/lib/snapd/snap-confine,
|
/snap/snapd/@{int}/usr/lib/snapd/snap-confine rPx,
|
||||||
|
@{lib}/snapd/snap-confine rPx,
|
||||||
|
|
||||||
@{lib_dirs}/snapd/snap-seccomp rPx,
|
@{lib_dirs}/snapd/snap-seccomp rPx,
|
||||||
@{lib_dirs}/snapd/snapd rPx,
|
@{lib_dirs}/snapd/snapd rPx,
|
||||||
|
|
||||||
|
|
|
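Review bot: The new exec rule `/snap/snapd/@{int}/usr/lib/snapd/snap-confine rPx,` points into a tree that the same profile can write through the context rule `/snap/{,**} rw,` two lines above, so a single profile is permitted both to modify and to execute that binary. In practice `/snap/*` is normally a read-only squashfs mount, so this is a hygiene point rather than an immediate hole, but either narrowing the write rule to the paths snap actually needs or documenting the overlap with a comment such as `# /snap/** is squashfs-mounted read-only at runtime; rw is for mountpoint management` would make the trust relationship explicit. Separately, `rPx` with no `-> target` relies on a profile being attached to that exact `/snap/snapd/@{int}/...` path; snapd normally ships one for its re-exec path, but if it is absent on a given system the exec is denied outright, so it is worth verifying that the previously commented `-> /usr/lib/snapd/snap-confine` fallback is not still needed.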
@ -1,6 +1,6 @@
|
||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Copyright (C) 2019-2022 Mikhail Morfikov
|
# Copyright (C) 2019-2022 Mikhail Morfikov
|
||||||
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
@ -8,6 +8,7 @@ abi <abi/3.0>,
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = @{bin}/sudo
|
@{exec_path} = @{bin}/sudo
|
||||||
|
#@{bin}/su
|
||||||
profile sudo @{exec_path} {
|
profile sudo @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/app-launcher-root>
|
include <abstractions/app-launcher-root>
|
||||||
|
@ -40,10 +41,10 @@ profile sudo @{exec_path} {
|
||||||
signal (send) set=(cont,hup) peer=su,
|
signal (send) set=(cont,hup) peer=su,
|
||||||
signal (send) set=(winch),
|
signal (send) set=(winch),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/login[0-9]
|
dbus send bus=system path=/org/freedesktop/login1
|
||||||
interface=org.freedesktop.login[0-9].Manager
|
interface=org.freedesktop.logi1.Manager
|
||||||
member=CreateSession
|
member=CreateSession
|
||||||
peer=(name=org.freedesktop.login[0-9]),
|
peer=(name=org.freedesktop.login1),
|
||||||
|
|
||||||
dbus (send receive) bus=session path=/org/freedesktop/systemd1
|
dbus (send receive) bus=session path=/org/freedesktop/systemd1
|
||||||
interface=org.freedesktop.systemd.Manager
|
interface=org.freedesktop.systemd.Manager
|
||||||
|
|
|
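Review bot: The new interface name on the CreateSession rule, `interface=org.freedesktop.logi1.Manager`, is misspelled; the logind interface is `org.freedesktop.login1.Manager`, matching the `login1` path and peer name on the adjacent lines, so as written this rule never matches and sudo's CreateSession call to logind is denied in enforce mode. The line should read `interface=org.freedesktop.login1.Manager`. The unchanged context rule a few lines below, `interface=org.freedesktop.systemd.Manager` on the session bus, looks like the same class of slip (the systemd manager interface is `org.freedesktop.systemd1.Manager`) and is worth checking in the same pass, though it is not part of this change.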
@ -33,6 +33,9 @@ profile transmission-gtk @{exec_path} {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
@{bin}/xdg-open rPx -> child-open,
|
||||||
|
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||||
|
|
||||||
/usr/share/X11/xkb/{,**} r,
|
/usr/share/X11/xkb/{,**} r,
|
||||||
|
|
||||||
owner @{user_torrents_dirs}/ r,
|
owner @{user_torrents_dirs}/ r,
|
||||||
|
|
|
@ -36,7 +36,7 @@ profile x11-xsession @{exec_path} {
|
||||||
@{bin}/run-parts rCx -> run-parts,
|
@{bin}/run-parts rCx -> run-parts,
|
||||||
@{bin}/udevadm rCx -> udevadm,
|
@{bin}/udevadm rCx -> udevadm,
|
||||||
|
|
||||||
@{bin}/flatpak rPUx,
|
@{bin}/flatpak rPx,
|
||||||
@{bin}/xrdb rPx,
|
@{bin}/xrdb rPx,
|
||||||
@{bin}/numlockx rPx,
|
@{bin}/numlockx rPx,
|
||||||
@{bin}/xhost rPx,
|
@{bin}/xhost rPx,
|
||||||
|
|
|
@ -44,7 +44,7 @@ profile xinit @{exec_path} {
|
||||||
@{bin}/run-parts rCx -> run-parts,
|
@{bin}/run-parts rCx -> run-parts,
|
||||||
@{bin}/udevadm rCx -> udevadm,
|
@{bin}/udevadm rCx -> udevadm,
|
||||||
|
|
||||||
@{bin}/flatpak rPUx,
|
@{bin}/flatpak rPx,
|
||||||
@{bin}/glxinfo rPx,
|
@{bin}/glxinfo rPx,
|
||||||
@{bin}/numlockx rPx,
|
@{bin}/numlockx rPx,
|
||||||
@{bin}/X rPx,
|
@{bin}/X rPx,
|
||||||
|
|