From 20c3b0575c149cef983225f98bfe8487600f0f87 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Mar 2022 20:43:47 +0000 Subject: [PATCH] General profiles update. --- apparmor.d/groups/apt/apt-methods-http | 5 +- apparmor.d/groups/apt/unattended-upgrade | 36 +++++++++++- apparmor.d/groups/browsers/chromium-chromium | 3 + apparmor.d/groups/browsers/firefox | 1 + apparmor.d/groups/desktop/accounts-daemon | 24 ++++---- apparmor.d/groups/desktop/at-spi-bus-launcher | 1 + apparmor.d/groups/desktop/blueman-mechanism | 6 +- apparmor.d/groups/gnome/gnome-control-center | 4 ++ apparmor.d/groups/gnome/gnome-shell | 4 +- apparmor.d/groups/gpg/gpgconf | 2 +- apparmor.d/groups/pacman/arch-audit | 4 +- apparmor.d/groups/pacman/mkinitcpio | 10 ++-- apparmor.d/groups/pacman/pacman | 4 ++ apparmor.d/groups/systemd/systemd-journald | 6 +- apparmor.d/groups/systemd/systemd-update-utmp | 12 +--- .../groups/systemd/systemd-user-runtime-dir | 7 +-- .../groups/systemd/systemd-user-sessions | 8 +-- apparmor.d/groups/virt/virtlogd | 14 ++++- apparmor.d/profiles-m-r/mount-nfs | 5 +- apparmor.d/profiles-s-z/sudo | 2 + apparmor.d/profiles-s-z/usr.bin.totem | 58 ------------------- .../profiles-s-z/usr.bin.totem-previewers | 40 ------------- 22 files changed, 101 insertions(+), 155 deletions(-) delete mode 100644 apparmor.d/profiles-s-z/usr.bin.totem delete mode 100644 apparmor.d/profiles-s-z/usr.bin.totem-previewers diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index c3e56edf..7f27b7d8 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -61,6 +62,8 @@ profile apt-methods-http @{exec_path} { owner /tmp/apt-changelog-*/*.changelog rw, + @{run}/resolvconf/resolv.conf r, + @{PROC}/1/cgroup r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 0e7b5426..f716620c 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -9,20 +9,52 @@ include @{exec_path} = /{usr/,}bin/unattended-upgrade profile unattended-upgrade @{exec_path} { include + include include + capability chown, + capability dac_override, + capability dac_read_search, + capability kill, + capability setgid, + capability setuid, + capability sys_nice, + @{exec_path} mr, - /{usr/,}bin/python3.[0-9]* rix, - /{usr/,}bin/uname rix, + /{usr/,}bin/ r, + /{usr/,}bin/dpkg rPx, /{usr/,}bin/lsb_release rPx -> lsb_release, + /{usr/,}bin/python3.[0-9]* rix, + /{usr/,}bin/uname rix, + /{usr/,}lib/apt/methods/http{,s} rPx, + + /usr/share/dpkg/*table r, + + /etc/apt/*.list r, + /etc/apt/apt.conf.d/{,**} r, + /etc/apt/preferences.d/{,**} r, + /etc/apt/sources.list.d/{,**} r, + + /etc/machine-id r, /var/log/unattended-upgrades/*.log rw, + /var/lib/apt/extended_states r, + /var/lib/apt/lists/{,**} r, + /var/lib/dpkg/lock rwk, + /var/lib/dpkg/lock-frontend rwk, + /var/lib/dpkg/status r, + + /var/cache/apt/archives/{,**} rw, + /var/cache/apt/pkgcache.bin r, + owner @{run}/unattended-upgrades.pid rw, owner @{run}/unattended-upgrades.lock rwk, + owner /tmp/#[0-9]* rw, + owner @{PROC}/@{pids}/fd/ r, include if exists diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium index 75962664..d4c4e6bf 100644 --- a/apparmor.d/groups/browsers/chromium-chromium +++ b/apparmor.d/groups/browsers/chromium-chromium 
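Review bot: The seven new `capability` lines in the unattended-upgrade hunk (chown, dac_override, dac_read_search, kill, setgid, setuid, sys_nice) arrive without a why-comment, so a later reader cannot tell which operation each one serves; the accounts-daemon file in this same patch shows the `# Needed?` convention the project uses for capabilities whose purpose is unclear. dac_override together with the non-`owner` `/var/cache/apt/archives/{,**} rw` rule lets the process write any file under the archive cache regardless of mode bits, and setuid/setgid/kill extend the grant to process identity and signalling, so a short comment per capability would make the widening reviewable, e.g. `# Needed by the dpkg/apt_pkg lock and unpack path (confirm from denial log)` on the ones that path needs. It is also worth confirming whether the archive cache needs `w` in this profile at all, given that downloads are transitioned to `/{usr/,}lib/apt/methods/http{,s} rPx`, which runs under its own profile; if the `rw` is for cleaning downloaded .deb files, a comment saying so is enough.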
@@ -64,6 +64,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/xdg-settings rPx, /usr/share/chromium/{,**} r, + /usr/share/egl/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mozilla/extensions/{,**} r, /usr/share/webext/{,**} r, @@ -74,6 +75,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { /etc/fstab r, /etc/libva.conf r, /etc/opensc.conf r, + /etc/igfx_user_feature{,_next}.txt w, /var/lib/dbus/machine-id r, /etc/machine-id r, @@ -147,6 +149,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/**/report_descriptor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/pci[0-9]*/**/boot_vga r, deny @{sys}/devices/virtual/tty/tty[0-9]/active r, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 9a1209eb..4785cd93 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -177,6 +177,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { deny owner @{PROC}/@{pids}/environ r, /dev/ r, + /dev/video[0-9]* rw, /dev/hidraw[0-9]* rw, owner /dev/dri/card[0-9]* rw, # File Inherit owner /dev/shm/org.chromium.* rw, diff --git a/apparmor.d/groups/desktop/accounts-daemon b/apparmor.d/groups/desktop/accounts-daemon index 2d633ff0..073ddccb 100644 --- a/apparmor.d/groups/desktop/accounts-daemon +++ b/apparmor.d/groups/desktop/accounts-daemon @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
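Review bot: `/etc/igfx_user_feature{,_next}.txt w` in the second chromium hunk gives the browser, which renders untrusted content, unconditional write access to two files under `/etc`, and it is the only write rule in that block of `/etc` reads. The request presumably comes from the Intel graphics driver looking for a user-feature override file, but a write grant is broader than that use would require; if the driver only probes for the file, a `deny /etc/igfx_user_feature{,_next}.txt w,` rule silences the log without granting the write (the profile already uses `deny` for `@{sys}/devices/virtual/tty/tty[0-9]/active r` in the third hunk), and otherwise a comment such as `# Intel graphics driver feature override file - write actually needed? confirm` should record why. The other two chromium hunks are read-only `/usr/share/egl` and `boot_vga` rules and raise nothing.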
@@ -10,23 +11,18 @@ include @{exec_path} += @{libexec}/accounts-daemon profile accounts-daemon @{exec_path} { include - include include + include - # Needed? capability dac_read_search, + capability sys_nice, capability sys_ptrace, - deny capability sys_nice, ptrace (read) peer=unconfined, @{exec_path} mr, - owner /var/lib/AccountsService/ r, - owner /var/lib/AccountsService/** rw, - /usr/share/accountsservice/{,**} r, - /usr/share/dbus-1/interfaces/org.freedesktop.DisplayManager.AccountsService.xml r, /etc/gdm/custom.conf r, @@ -34,9 +30,15 @@ profile accounts-daemon @{exec_path} { /etc/shadow r, /etc/shells r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, + /etc/gdm/custom.conf.* rw, + + owner /var/lib/AccountsService/ r, + owner /var/lib/AccountsService/** rw, + + owner @{PROC}/@{pid}/cmdline r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, include if exists } diff --git a/apparmor.d/groups/desktop/at-spi-bus-launcher b/apparmor.d/groups/desktop/at-spi-bus-launcher index 345906ae..da34e0d5 100644 --- a/apparmor.d/groups/desktop/at-spi-bus-launcher +++ b/apparmor.d/groups/desktop/at-spi-bus-launcher @@ -33,6 +33,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.Xauthority r, owner @{HOME}/.xsession-errors w, + owner @{run}/user/@{uid}/at-spi/ w, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, diff --git a/apparmor.d/groups/desktop/blueman-mechanism b/apparmor.d/groups/desktop/blueman-mechanism index 3827cf5d..3bcfb527 100644 --- a/apparmor.d/groups/desktop/blueman-mechanism +++ b/apparmor.d/groups/desktop/blueman-mechanism 
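Review bot: `/etc/gdm/custom.conf.* rw` in the second accounts-daemon hunk is a non-`owner` write rule over a glob under `/etc/gdm/`, while `/etc/gdm/custom.conf` itself, visible as context at the end of the first hunk, stays `r` only. If the daemon writes the new configuration to a temporary `custom.conf.*` file and renames it into place, which the rule shape suggests but the hunk does not show, the rename destination also needs write permission, so either the `r` on `custom.conf` is incomplete or the glob should be narrowed to the temp-file pattern actually produced; please confirm against the denial log. A comment like `# GDM autologin settings are written via temp file + rename` would document the intent. The first hunk also drops the `# Needed?` note on `capability dac_read_search` and turns `deny capability sys_nice` into an allow without replacing the explanation.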
@@ -15,15 +15,15 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { capability mknod, capability net_admin, - deny capability sys_nice, + capability sys_nice, network inet stream, network inet6 stream, network netlink raw, - @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{exec_path} mr, + /{usr/,}bin/python3.[0-9]* r, @{libexec}/ r, /var/lib/blueman/network.state rw, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 193fc4e9..b5307a03 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -51,6 +51,10 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, /usr/share/zoneinfo/{,**} r, + /etc/pipewire/client.conf.d/ r, + /etc/security/pwquality.conf r, + /etc/security/pwquality.conf.d/{,**} r, + /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 9b87772f..812f8738 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -108,6 +108,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, + owner /dev/shm/.org.chromium.Chromium.* rw, + owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw, + /var/lib/flatpak/app/**/gnome-shell/{,**} r, /var/lib/flatpak/exports/share/gnome-shell/{,**} r, @@ -176,7 +179,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { # file_inherit /dev/tty[0-9]* rw, - owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw, include if exists } diff --git a/apparmor.d/groups/gpg/gpgconf b/apparmor.d/groups/gpg/gpgconf index 11c5dfd4..d943273b 100644 --- a/apparmor.d/groups/gpg/gpgconf +++ b/apparmor.d/groups/gpg/gpgconf 
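Review bot: The switch from `deny capability sys_nice` to `capability sys_nice` in the blueman-mechanism hunk reverses an explicit denial without saying why; a deny rule is usually there to silence a known, unneeded request, so the flip means either that the daemon now genuinely needs to change scheduling priority or that the denial was merely noisy, and the reader cannot tell which. A one-line comment on the new rule, e.g. `# sys_nice: <reason, confirm from denial log>`, would settle that. The `@{exec_path} r` to `mr` change on the launcher looks fine and raises nothing.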
@@ -15,7 +15,7 @@ profile gpgconf @{exec_path} { @{exec_path} mrix, /{usr/,}bin/gpg-connect-agent rPx, - /{usr/,}bin/gpg rPx, + /{usr/,}bin/gpg rPUx, /{usr/,}bin/gpg-agent rPx, /{usr/,}bin/dirmngr rPx, /{usr/,}bin/gpgsm rPx, diff --git a/apparmor.d/groups/pacman/arch-audit b/apparmor.d/groups/pacman/arch-audit index 3e23bb05..6b1a12d5 100644 --- a/apparmor.d/groups/pacman/arch-audit +++ b/apparmor.d/groups/pacman/arch-audit @@ -29,8 +29,8 @@ profile arch-audit @{exec_path} { /var/lib/pacman/local/{,**} r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 205b633d..fcb8da5f 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -12,10 +12,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { include include - capability mknod, capability dac_read_search, - capability sys_chroot, + capability mknod, capability sys_admin, + capability sys_chroot, unix (receive) type=stream, @@ -59,12 +59,12 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /{usr/,}lib{,32,64}/ld-*.so* rix, /etc/fstab r, - /etc/lvm/lvm.conf r, - /etc/vconsole.conf r, /etc/locale.conf r, + /etc/lvm/lvm.conf r, /etc/mkinitcpio.conf r, /etc/mkinitcpio.d/{,**} r, /etc/modprobe.d/{,*} r, + /etc/vconsole.conf r, /usr/share/kbd/keymaps/{,**} r, /usr/share/terminfo/x/xterm-256color r, @@ -88,7 +88,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { owner @{run}/mkinitcpio.*/{,**} rw, owner /tmp/mkinitcpio.*/{,**} rw, - owner @{PROC}/[0-9]*/mountinfo r, + owner @{PROC}/@{pid}/mountinfo r, # Inherit silencer deny @{HOME}/** r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index a4841a29..facdc583 100644 
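Review bot: `/{usr/,}bin/gpg rPUx` in the gpgconf hunk makes gpg fall back to unconfined execution when no matching profile is loaded, while the sibling tools in the same block (gpg-connect-agent, gpg-agent, dirmngr, gpgsm) keep `rPx` and therefore fail closed. Since gpg is the one of these that processes keys and untrusted input, the fallback deserves a comment stating on which systems the gpg profile may be absent, e.g. `/{usr/,}bin/gpg rPUx, # falls back to unconfined where no gpg profile is shipped - confirm`, or the other four lines should be made consistent once the reason is known.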
--- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -57,9 +57,12 @@ profile pacman @{exec_path} { /{usr/,}bin/gettext rix, /{usr/,}bin/ghc-pkg-* rix, /{usr/,}bin/grep rix, + /{usr/,}bin/head rix, /{usr/,}bin/iscsi-iname rix, /{usr/,}bin/killall rix, + /{usr/,}bin/ln rix, /{usr/,}bin/rm rix, + /{usr/,}bin/sed rix, /{usr/,}bin/setcap rix, /{usr/,}bin/vercmp rix, /{usr/,}bin/xmlcatalog rix, @@ -77,6 +80,7 @@ profile pacman @{exec_path} { /{usr/,}bin/install-info rPx, /{usr/,}bin/journalctl rPx, /{usr/,}bin/locale-gen rPx, + /{usr/,}bin/mkinitcpio rPx, /{usr/,}bin/pacdiff rPx, /{usr/,}bin/pacman-key rPx, /{usr/,}bin/sysctl rPx, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 2f5a5d19..6566ad3b 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -51,11 +51,7 @@ profile systemd-journald @{exec_path} { @{run}/udev/data/+scsi:* r, @{run}/udev/data/+bluetooth:* r, @{run}/udev/data/+usb-serial:* r, - @{run}/udev/data/+platform:intel_pmc_core.[0-9]* r, - @{run}/udev/data/+platform:iTCO_wdt r, - @{run}/udev/data/+platform:regulatory.[0-9]* r, - @{run}/udev/data/+platform:rtsx_pci_sdmmc.[0-9]* r, - @{run}/udev/data/+platform:simple-framebuffer.[0-9]* r, + @{run}/udev/data/+platform* r, @{sys}/devices/**/uevent r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp index e2c7fd60..4463dde8 100644 --- a/apparmor.d/groups/systemd/systemd-update-utmp +++ b/apparmor.d/groups/systemd/systemd-update-utmp 
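Review bot: The three new `rix` entries in the first pacman hunk (`head`, `ln`, `sed`) run under pacman's own profile, which as the package manager presumably has broad write access; `ln` and `sed` are the tools install scriptlets typically use to create links and edit configuration in place, so they inherit that access. That matches the existing `rm`/`grep`/`setcap` lines, so the choice is consistent, but a grouping comment such as `# Coreutils run by install scriptlets/hooks (inherit pacman's profile)` above the block would tell a reader why these are not `rPx`. `/{usr/,}bin/mkinitcpio rPx` in the second hunk transitions to the mkinitcpio profile updated elsewhere in this patch and raises nothing.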
@@ -9,25 +9,17 @@ include @{exec_path} = /{usr/,}lib/systemd/systemd-update-utmp profile systemd-update-utmp @{exec_path} { include + include + include capability audit_write, capability net_admin, network netlink raw, - ptrace (read) peer=unconfined, - @{exec_path} mr, - owner /var/log/wtmp rwk, - owner @{run}/utmp rwk, - @{run}/host/container-manager r, - @{PROC}/1/cmdline r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index ed4f35c5..0c61f1eb 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -10,6 +10,7 @@ include profile systemd-user-runtime-dir @{exec_path} { include include + include capability dac_override, capability dac_read_search, @@ -17,8 +18,6 @@ profile systemd-user-runtime-dir @{exec_path} { capability net_admin, capability sys_admin, - ptrace (read) peer=unconfined, - mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/, umount @{run}/user/@{uid}/, @@ -28,9 +27,5 @@ profile systemd-user-runtime-dir @{exec_path} { @{run}/user/@{uid}/{,**} rw, - @{PROC}/1/environ r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/systemd/systemd-user-sessions b/apparmor.d/groups/systemd/systemd-user-sessions index 89ea4af7..57a84b16 100644 --- a/apparmor.d/groups/systemd/systemd-user-sessions +++ b/apparmor.d/groups/systemd/systemd-user-sessions @@ -9,11 +9,10 @@ include @{exec_path} = /{usr/,}lib/systemd/systemd-user-sessions profile systemd-user-sessions @{exec_path} { include + include capability net_admin, - ptrace (read) peer=unconfined, - @{exec_path} mr, owner @{run}/.#nologin* rw, 
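Review bot: The two `include` lines added at the top of the systemd-update-utmp hunk have lost their targets in this rendering, so it cannot be checked here that they cover the rules the same hunk removes (`ptrace (read) peer=unconfined`, `@{PROC}/1/cmdline`, `@{PROC}/1/environ`, `@{PROC}/cmdline`, `@{PROC}/sys/kernel/osrelease`); the same move appears in the systemd-user-runtime-dir hunks on this line and the systemd-user-sessions hunks on this and the next line. If those rules now live in a shared abstraction, `ptrace (read) peer=unconfined` and the PID 1 reads are then granted to every profile that pulls in that abstraction, not only these three, and the commit message ("General profiles update.") does not name the new include, so a line naming it would help the next reviewer. The `-` markers on `owner /var/log/wtmp rwk` and `owner @{run}/utmp rwk` look, from the hunk's 25-to-17 line count, like removed blank lines next to retained context rather than dropped rules, but please confirm the utmp/wtmp write rules survive. The `\ No newline at end of file` marker on these three files is also still present after the change.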
@@ -22,10 +21,5 @@ profile systemd-user-sessions @{exec_path} { @{run}/host/container-manager r, - @{PROC}/1/cmdline r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/virt/virtlogd b/apparmor.d/groups/virt/virtlogd index e9321700..900cfbd3 100644 --- a/apparmor.d/groups/virt/virtlogd +++ b/apparmor.d/groups/virt/virtlogd @@ -7,12 +7,13 @@ abi , include @{exec_path} = /{usr/,}bin/virtlogd -profile virtlogd @{exec_path} { +profile virtlogd @{exec_path} flags=(attach_disconnected) { include include include ptrace (read) peer=libvirtd, + ptrace (read) peer=virtqemud, ptrace (read) peer=unconfined, @{exec_path} mr, @@ -21,8 +22,15 @@ profile virtlogd @{exec_path} { /var/log/libvirt/qemu/*.log rw, - @{run}/virtlogd.pid rwk, + owner @{user_cache_dirs}/libvirt/qemu/log/{,**} rw, + + owner @{run}/user/@{uid}/common/system.token rw, + owner @{run}/user/@{uid}/libvirt/virtlogd.pid rwk, + owner @{run}/user/@{uid}/libvirt/virtlogd* w, + @{run}/libvirt/common/system.token rwk, + @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/virtlogd.pid rwk, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]*/meminfo r, @@ -32,5 +40,7 @@ profile virtlogd @{exec_path} { @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, + /dev/dri/ r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-m-r/mount-nfs b/apparmor.d/profiles-m-r/mount-nfs index b9d67a1e..69c86061 100644 --- a/apparmor.d/profiles-m-r/mount-nfs +++ b/apparmor.d/profiles-m-r/mount-nfs 
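Review bot: `owner @{run}/user/@{uid}/libvirt/virtlogd* w` in the second virtlogd hunk is a write-only glob that overlaps the more specific `virtlogd.pid rwk` rule on the line above and also matches any future `virtlogd*` name in the user's libvirt runtime directory. If the intent is the session-mode sockets, naming them (libvirt uses `virtlogd-sock` and `virtlogd-admin-sock`) keeps the rule reviewable; otherwise a comment listing which files are created there should be added. The new `flags=(attach_disconnected)` on the profile header and `/dev/dri/ r` in the last hunk are likewise unexplained, and `ptrace (read) peer=virtqemud` in the first hunk presumably covers the modular daemon split; a short `# needed for <reason>` on each would match the rest of the file.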
@@ -48,17 +48,20 @@ profile mount-nfs @{exec_path} flags=(complain) { @{MOUNTS}/*/ r, @{MOUNTS}/*/*/ r, - # Allow to mount smb/cifs disks only under the /media/ dirs mount fstype=nfs -> @{MOUNTS}/*/, mount fstype=nfs -> @{MOUNTS}/*/*/, mount fstype=nfs -> /mnt/, mount fstype=nfs -> /mnt/*/, + mount fstype=nfs -> /, + mount fstype=nfs -> /*/, umount @{MOUNTS}/*/, umount @{MOUNTS}/*/*/, umount /mnt/, umount /mnt/*/, + umount /, + umount /*/, include if exists } diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index f090d4a6..0ef984ee 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -82,5 +82,7 @@ profile sudo @{exec_path} { /dev/ r, # interactive login /dev/ptmx rw, + deny @{user_share_dirs}/gvfs-metadata/* r, + include if exists } diff --git a/apparmor.d/profiles-s-z/usr.bin.totem b/apparmor.d/profiles-s-z/usr.bin.totem deleted file mode 100644 index 53e4ee27..00000000 --- a/apparmor.d/profiles-s-z/usr.bin.totem +++ /dev/null 
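Review bot: `mount fstype=nfs -> /` and `mount fstype=nfs -> /*/` (with the matching `umount /` and `umount /*/`) in the mount-nfs hunk let this profile mount an NFS export over the root directory and over any top-level directory, since `/*/` matches `/etc/`, `/usr/`, `/bin/` and so on, which is a very different scope from the `@{MOUNTS}` and `/mnt` rules above them; the removed `# Allow to mount smb/cifs disks only under the /media/ dirs` line was the only statement of intent and is not replaced. Because the profile is `flags=(complain)`, the new rules only change what is logged today, but they become the enforced policy once complain is dropped. If the need is a specific mount point (a `/home` or root-on-NFS case, say), list that path explicitly instead of `/*/`, and in either case restore a comment stating the new scope, e.g. `# NFS mounts allowed on / and any top-level directory - needed for <case>`.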
@@ -1,58 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) Jamie Strandboge -# SPDX-License-Identifier: GPL-2.0-only - -#include - -/usr/bin/totem { - #include - #include - #include - #include - #include - #include - #include - #include - - signal (send) set=("kill") peer=unconfined, - - # Maybe in an abstraction? - /usr/include/**/pyconfig.h r, - - /usr/bin/totem r, - /usr/bin/totem-video-thumbnailer Pix, - /usr/bin/bwrap PUx, - /usr/lib/@{multiarch}/libtotem-plparser[0-9]*/totem-pl-parser/* ix, - /usr/{lib/@{multiarch},libexec}/totem-gallery-thumbnailer Pix, - /dev/sr* r, - - # Help browser - /usr/bin/yelp Cx -> sanitized_helper, - # GDesktopAppInfo in GLib 2.64.x uses a very small shell script - # to launch .desktop files, instead of gio-launch-desktop - /{usr/,}bin/{dash,bash} ixr, - # With older GLib we might still be on the fallback code path - # (remove this after Debian 11 and Ubuntu 20.04) - /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rmix, - - # Quiet logs - deny /{usr/,}lib/@{multiarch}/totem/plugins/*/__pycache__/ w, - - # Allow read and write on almost anything in @{HOME}. Lenient, but - # private-files-strict is in effect. - #include - owner @{HOME}/[^.]* rw, - owner @{HOME}/[^.]*/** rw, - - # Allow usage of openat with O_TMPFILE - owner @{HOME}/#[0-9]*[0-9] m, - - owner /{,var/}run/user/@{uid}/dconf/user w, - owner /{,var/}run/user/@{uid}/at-spi2-*/ rw, - owner /{,var/}run/user/@{uid}/at-spi2-*/** rw, - - /sys/devices/pci[0-9]*/**/config r, - /sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r, - - include if exists -} diff --git a/apparmor.d/profiles-s-z/usr.bin.totem-previewers b/apparmor.d/profiles-s-z/usr.bin.totem-previewers deleted file mode 100644 index 2b23de55..00000000 --- a/apparmor.d/profiles-s-z/usr.bin.totem-previewers +++ /dev/null 
@@ -1,40 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) Jamie Strandboge -# SPDX-License-Identifier: GPL-2.0-only - -include - -/usr/bin/totem-video-thumbnailer flags=(attach_disconnected) { - include - - # Probably needed due to this program being run with bwrap - @{HOMEDIRS} w, - owner @{HOME}/ w, - - # Allow read on almost anything in @{HOME}. Lenient, but private-files-strict is in - # effect. - include - owner @{HOME}/[^.]* rw, - owner @{HOME}/[^.]*/** rw, - - # Not needed by nautilus, but maybe other applications - owner /**.[pP][nN][gG] w, - owner /**.[jJ][pP]{,[eE]}[gG] w, - - /usr/bin/totem-video-thumbnailer rm, - - include if exists -} - -/usr/bin/totem-audio-preview flags=(attach_disconnected) { - include - include - - # Allow read on anything in @{HOME}. Lenient, but private-files-strict is in - # effect. - include - owner @{HOME}/[^.]* rw, - owner @{HOME}/[^.]*/** rw, - - include if exists -}