General profiles update.

This commit is contained in:
Alexandre Pujol 2022-03-26 20:43:47 +00:00
parent d7be27411b
commit 20c3b0575c
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
22 changed files with 101 additions and 155 deletions

View File

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -61,6 +62,8 @@ profile apt-methods-http @{exec_path} {
owner /tmp/apt-changelog-*/*.changelog rw, owner /tmp/apt-changelog-*/*.changelog rw,
@{run}/resolvconf/resolv.conf r,
@{PROC}/1/cgroup r, @{PROC}/1/cgroup r,
@{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cgroup r,

View File

@ -9,20 +9,52 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/unattended-upgrade @{exec_path} = /{usr/,}bin/unattended-upgrade
profile unattended-upgrade @{exec_path} { profile unattended-upgrade @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/python> include <abstractions/python>
capability chown,
capability dac_override,
capability dac_read_search,
capability kill,
capability setgid,
capability setuid,
capability sys_nice,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/python3.[0-9]* rix, /{usr/,}bin/ r,
/{usr/,}bin/uname rix,
/{usr/,}bin/dpkg rPx, /{usr/,}bin/dpkg rPx,
/{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}bin/uname rix,
/{usr/,}lib/apt/methods/http{,s} rPx,
/usr/share/dpkg/*table r,
/etc/apt/*.list r,
/etc/apt/apt.conf.d/{,**} r,
/etc/apt/preferences.d/{,**} r,
/etc/apt/sources.list.d/{,**} r,
/etc/machine-id r,
/var/log/unattended-upgrades/*.log rw, /var/log/unattended-upgrades/*.log rw,
/var/lib/apt/extended_states r,
/var/lib/apt/lists/{,**} r,
/var/lib/dpkg/lock rwk,
/var/lib/dpkg/lock-frontend rwk,
/var/lib/dpkg/status r,
/var/cache/apt/archives/{,**} rw,
/var/cache/apt/pkgcache.bin r,
owner @{run}/unattended-upgrades.pid rw, owner @{run}/unattended-upgrades.pid rw,
owner @{run}/unattended-upgrades.lock rwk, owner @{run}/unattended-upgrades.lock rwk,
owner /tmp/#[0-9]* rw,
owner @{PROC}/@{pids}/fd/ r, owner @{PROC}/@{pids}/fd/ r,
include if exists <local/unattended-upgrade> include if exists <local/unattended-upgrade>

View File

@ -64,6 +64,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/xdg-settings rPx, /{usr/,}bin/xdg-settings rPx,
/usr/share/chromium/{,**} r, /usr/share/chromium/{,**} r,
/usr/share/egl/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/mozilla/extensions/{,**} r, /usr/share/mozilla/extensions/{,**} r,
/usr/share/webext/{,**} r, /usr/share/webext/{,**} r,
@ -74,6 +75,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
/etc/fstab r, /etc/fstab r,
/etc/libva.conf r, /etc/libva.conf r,
/etc/opensc.conf r, /etc/opensc.conf r,
/etc/igfx_user_feature{,_next}.txt w,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/etc/machine-id r, /etc/machine-id r,
@ -147,6 +149,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/virtual/**/report_descriptor r, @{sys}/devices/virtual/**/report_descriptor r,
@{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/pci[0-9]*/**/boot_vga r,
deny @{sys}/devices/virtual/tty/tty[0-9]/active r, deny @{sys}/devices/virtual/tty/tty[0-9]/active r,

View File

@ -177,6 +177,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
deny owner @{PROC}/@{pids}/environ r, deny owner @{PROC}/@{pids}/environ r,
/dev/ r, /dev/ r,
/dev/video[0-9]* rw,
/dev/hidraw[0-9]* rw, /dev/hidraw[0-9]* rw,
owner /dev/dri/card[0-9]* rw, # File Inherit owner /dev/dri/card[0-9]* rw, # File Inherit
owner /dev/shm/org.chromium.* rw, owner /dev/shm/org.chromium.* rw,

View File

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov # Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -10,23 +11,18 @@ include <tunables/global>
@{exec_path} += @{libexec}/accounts-daemon @{exec_path} += @{libexec}/accounts-daemon
profile accounts-daemon @{exec_path} { profile accounts-daemon @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/wutmp>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/wutmp>
# Needed?
capability dac_read_search, capability dac_read_search,
capability sys_nice,
capability sys_ptrace, capability sys_ptrace,
deny capability sys_nice,
ptrace (read) peer=unconfined, ptrace (read) peer=unconfined,
@{exec_path} mr, @{exec_path} mr,
owner /var/lib/AccountsService/ r,
owner /var/lib/AccountsService/** rw,
/usr/share/accountsservice/{,**} r, /usr/share/accountsservice/{,**} r,
/usr/share/dbus-1/interfaces/org.freedesktop.DisplayManager.AccountsService.xml r, /usr/share/dbus-1/interfaces/org.freedesktop.DisplayManager.AccountsService.xml r,
/etc/gdm/custom.conf r, /etc/gdm/custom.conf r,
@ -34,9 +30,15 @@ profile accounts-daemon @{exec_path} {
/etc/shadow r, /etc/shadow r,
/etc/shells r, /etc/shells r,
@{PROC}/sys/kernel/osrelease r, /etc/gdm/custom.conf.* rw,
owner /var/lib/AccountsService/ r,
owner /var/lib/AccountsService/** rw,
owner @{PROC}/@{pid}/cmdline r,
@{PROC}/1/environ r, @{PROC}/1/environ r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
include if exists <local/accounts-daemon> include if exists <local/accounts-daemon>
} }

View File

@ -33,6 +33,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/.Xauthority r, owner @{HOME}/.Xauthority r,
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
owner @{run}/user/@{uid}/at-spi/ w,
owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,

View File

@ -15,15 +15,15 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
capability mknod, capability mknod,
capability net_admin, capability net_admin,
deny capability sys_nice, capability sys_nice,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
@{exec_path} r, @{exec_path} mr,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/python3.[0-9]* r,
@{libexec}/ r, @{libexec}/ r,
/var/lib/blueman/network.state rw, /var/lib/blueman/network.state rw,

View File

@ -51,6 +51,10 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
/usr/share/zoneinfo/{,**} r, /usr/share/zoneinfo/{,**} r,
/etc/pipewire/client.conf.d/ r,
/etc/security/pwquality.conf r,
/etc/security/pwquality.conf.d/{,**} r,
/etc/machine-id r, /etc/machine-id r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,

View File

@ -108,6 +108,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
owner /dev/shm/.org.chromium.Chromium.* rw,
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
/var/lib/flatpak/app/**/gnome-shell/{,**} r, /var/lib/flatpak/app/**/gnome-shell/{,**} r,
/var/lib/flatpak/exports/share/gnome-shell/{,**} r, /var/lib/flatpak/exports/share/gnome-shell/{,**} r,
@ -176,7 +179,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
# file_inherit # file_inherit
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
include if exists <local/gnome-shell> include if exists <local/gnome-shell>
} }

View File

@ -15,7 +15,7 @@ profile gpgconf @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/gpg-connect-agent rPx, /{usr/,}bin/gpg-connect-agent rPx,
/{usr/,}bin/gpg rPx, /{usr/,}bin/gpg rPUx,
/{usr/,}bin/gpg-agent rPx, /{usr/,}bin/gpg-agent rPx,
/{usr/,}bin/dirmngr rPx, /{usr/,}bin/dirmngr rPx,
/{usr/,}bin/gpgsm rPx, /{usr/,}bin/gpgsm rPx,

View File

@ -29,8 +29,8 @@ profile arch-audit @{exec_path} {
/var/lib/pacman/local/{,**} r, /var/lib/pacman/local/{,**} r,
@{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
@{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,

View File

@ -12,10 +12,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability mknod,
capability dac_read_search, capability dac_read_search,
capability sys_chroot, capability mknod,
capability sys_admin, capability sys_admin,
capability sys_chroot,
unix (receive) type=stream, unix (receive) type=stream,
@ -59,12 +59,12 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
/{usr/,}lib{,32,64}/ld-*.so* rix, /{usr/,}lib{,32,64}/ld-*.so* rix,
/etc/fstab r, /etc/fstab r,
/etc/lvm/lvm.conf r,
/etc/vconsole.conf r,
/etc/locale.conf r, /etc/locale.conf r,
/etc/lvm/lvm.conf r,
/etc/mkinitcpio.conf r, /etc/mkinitcpio.conf r,
/etc/mkinitcpio.d/{,**} r, /etc/mkinitcpio.d/{,**} r,
/etc/modprobe.d/{,*} r, /etc/modprobe.d/{,*} r,
/etc/vconsole.conf r,
/usr/share/kbd/keymaps/{,**} r, /usr/share/kbd/keymaps/{,**} r,
/usr/share/terminfo/x/xterm-256color r, /usr/share/terminfo/x/xterm-256color r,
@ -88,7 +88,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
owner @{run}/mkinitcpio.*/{,**} rw, owner @{run}/mkinitcpio.*/{,**} rw,
owner /tmp/mkinitcpio.*/{,**} rw, owner /tmp/mkinitcpio.*/{,**} rw,
owner @{PROC}/[0-9]*/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
# Inherit silencer # Inherit silencer
deny @{HOME}/** r, deny @{HOME}/** r,

View File

@ -57,9 +57,12 @@ profile pacman @{exec_path} {
/{usr/,}bin/gettext rix, /{usr/,}bin/gettext rix,
/{usr/,}bin/ghc-pkg-* rix, /{usr/,}bin/ghc-pkg-* rix,
/{usr/,}bin/grep rix, /{usr/,}bin/grep rix,
/{usr/,}bin/head rix,
/{usr/,}bin/iscsi-iname rix, /{usr/,}bin/iscsi-iname rix,
/{usr/,}bin/killall rix, /{usr/,}bin/killall rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/setcap rix, /{usr/,}bin/setcap rix,
/{usr/,}bin/vercmp rix, /{usr/,}bin/vercmp rix,
/{usr/,}bin/xmlcatalog rix, /{usr/,}bin/xmlcatalog rix,
@ -77,6 +80,7 @@ profile pacman @{exec_path} {
/{usr/,}bin/install-info rPx, /{usr/,}bin/install-info rPx,
/{usr/,}bin/journalctl rPx, /{usr/,}bin/journalctl rPx,
/{usr/,}bin/locale-gen rPx, /{usr/,}bin/locale-gen rPx,
/{usr/,}bin/mkinitcpio rPx,
/{usr/,}bin/pacdiff rPx, /{usr/,}bin/pacdiff rPx,
/{usr/,}bin/pacman-key rPx, /{usr/,}bin/pacman-key rPx,
/{usr/,}bin/sysctl rPx, /{usr/,}bin/sysctl rPx,

View File

@ -51,11 +51,7 @@ profile systemd-journald @{exec_path} {
@{run}/udev/data/+scsi:* r, @{run}/udev/data/+scsi:* r,
@{run}/udev/data/+bluetooth:* r, @{run}/udev/data/+bluetooth:* r,
@{run}/udev/data/+usb-serial:* r, @{run}/udev/data/+usb-serial:* r,
@{run}/udev/data/+platform:intel_pmc_core.[0-9]* r, @{run}/udev/data/+platform* r,
@{run}/udev/data/+platform:iTCO_wdt r,
@{run}/udev/data/+platform:regulatory.[0-9]* r,
@{run}/udev/data/+platform:rtsx_pci_sdmmc.[0-9]* r,
@{run}/udev/data/+platform:simple-framebuffer.[0-9]* r,
@{sys}/devices/**/uevent r, @{sys}/devices/**/uevent r,
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,

View File

@ -9,25 +9,17 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-update-utmp @{exec_path} = /{usr/,}lib/systemd/systemd-update-utmp
profile systemd-update-utmp @{exec_path} { profile systemd-update-utmp @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/systemd-common>
include <abstractions/wutmp>
capability audit_write, capability audit_write,
capability net_admin, capability net_admin,
network netlink raw, network netlink raw,
ptrace (read) peer=unconfined,
@{exec_path} mr, @{exec_path} mr,
owner /var/log/wtmp rwk,
owner @{run}/utmp rwk,
@{run}/host/container-manager r, @{run}/host/container-manager r,
@{PROC}/1/cmdline r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
include if exists <local/systemd-update-utmp> include if exists <local/systemd-update-utmp>
} }

View File

@ -10,6 +10,7 @@ include <tunables/global>
profile systemd-user-runtime-dir @{exec_path} { profile systemd-user-runtime-dir @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/systemd-common>
capability dac_override, capability dac_override,
capability dac_read_search, capability dac_read_search,
@ -17,8 +18,6 @@ profile systemd-user-runtime-dir @{exec_path} {
capability net_admin, capability net_admin,
capability sys_admin, capability sys_admin,
ptrace (read) peer=unconfined,
mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/, mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/,
umount @{run}/user/@{uid}/, umount @{run}/user/@{uid}/,
@ -28,9 +27,5 @@ profile systemd-user-runtime-dir @{exec_path} {
@{run}/user/@{uid}/{,**} rw, @{run}/user/@{uid}/{,**} rw,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
include if exists <local/systemd-user-runtime-dir> include if exists <local/systemd-user-runtime-dir>
} }

View File

@ -9,11 +9,10 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-user-sessions @{exec_path} = /{usr/,}lib/systemd/systemd-user-sessions
profile systemd-user-sessions @{exec_path} { profile systemd-user-sessions @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/systemd-common>
capability net_admin, capability net_admin,
ptrace (read) peer=unconfined,
@{exec_path} mr, @{exec_path} mr,
owner @{run}/.#nologin* rw, owner @{run}/.#nologin* rw,
@ -22,10 +21,5 @@ profile systemd-user-sessions @{exec_path} {
@{run}/host/container-manager r, @{run}/host/container-manager r,
@{PROC}/1/cmdline r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
include if exists <local/systemd-user-sessions> include if exists <local/systemd-user-sessions>
} }

View File

@ -7,12 +7,13 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/virtlogd @{exec_path} = /{usr/,}bin/virtlogd
profile virtlogd @{exec_path} { profile virtlogd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
ptrace (read) peer=libvirtd, ptrace (read) peer=libvirtd,
ptrace (read) peer=virtqemud,
ptrace (read) peer=unconfined, ptrace (read) peer=unconfined,
@{exec_path} mr, @{exec_path} mr,
@ -21,8 +22,15 @@ profile virtlogd @{exec_path} {
/var/log/libvirt/qemu/*.log rw, /var/log/libvirt/qemu/*.log rw,
@{run}/virtlogd.pid rwk, owner @{user_cache_dirs}/libvirt/qemu/log/{,**} rw,
owner @{run}/user/@{uid}/common/system.token rw,
owner @{run}/user/@{uid}/libvirt/virtlogd.pid rwk,
owner @{run}/user/@{uid}/libvirt/virtlogd* w,
@{run}/libvirt/common/system.token rwk, @{run}/libvirt/common/system.token rwk,
@{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/virtlogd.pid rwk,
@{sys}/devices/system/node/ r, @{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r, @{sys}/devices/system/node/node[0-9]*/meminfo r,
@ -32,5 +40,7 @@ profile virtlogd @{exec_path} {
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
/dev/dri/ r,
include if exists <local/virtlogd> include if exists <local/virtlogd>
} }

View File

@ -48,17 +48,20 @@ profile mount-nfs @{exec_path} flags=(complain) {
@{MOUNTS}/*/ r, @{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r, @{MOUNTS}/*/*/ r,
# Allow to mount smb/cifs disks only under the /media/ dirs # Allow to mount smb/cifs disks only under the /media/ dirs
mount fstype=nfs -> @{MOUNTS}/*/, mount fstype=nfs -> @{MOUNTS}/*/,
mount fstype=nfs -> @{MOUNTS}/*/*/, mount fstype=nfs -> @{MOUNTS}/*/*/,
mount fstype=nfs -> /mnt/, mount fstype=nfs -> /mnt/,
mount fstype=nfs -> /mnt/*/, mount fstype=nfs -> /mnt/*/,
mount fstype=nfs -> /,
mount fstype=nfs -> /*/,
umount @{MOUNTS}/*/, umount @{MOUNTS}/*/,
umount @{MOUNTS}/*/*/, umount @{MOUNTS}/*/*/,
umount /mnt/, umount /mnt/,
umount /mnt/*/, umount /mnt/*/,
umount /,
umount /*/,
include if exists <local/mount-nfs> include if exists <local/mount-nfs>
} }

View File

@ -82,5 +82,7 @@ profile sudo @{exec_path} {
/dev/ r, # interactive login /dev/ r, # interactive login
/dev/ptmx rw, /dev/ptmx rw,
deny @{user_share_dirs}/gvfs-metadata/* r,
include if exists <local/sudo> include if exists <local/sudo>
} }

View File

@ -1,58 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) Jamie Strandboge <jamie@canonical.com>
# SPDX-License-Identifier: GPL-2.0-only
#include <tunables/global>
/usr/bin/totem {
#include <abstractions/audio>
#include <abstractions/dconf>
#include <abstractions/ibus>
#include <abstractions/mesa>
#include <abstractions/nvidia>
#include <abstractions/python>
#include <abstractions/totem>
#include <abstractions/ubuntu-helpers>
signal (send) set=("kill") peer=unconfined,
# Maybe in an abstraction?
/usr/include/**/pyconfig.h r,
/usr/bin/totem r,
/usr/bin/totem-video-thumbnailer Pix,
/usr/bin/bwrap PUx,
/usr/lib/@{multiarch}/libtotem-plparser[0-9]*/totem-pl-parser/* ix,
/usr/{lib/@{multiarch},libexec}/totem-gallery-thumbnailer Pix,
/dev/sr* r,
# Help browser
/usr/bin/yelp Cx -> sanitized_helper,
# GDesktopAppInfo in GLib 2.64.x uses a very small shell script
# to launch .desktop files, instead of gio-launch-desktop
/{usr/,}bin/{dash,bash} ixr,
# With older GLib we might still be on the fallback code path
# (remove this after Debian 11 and Ubuntu 20.04)
/usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rmix,
# Quiet logs
deny /{usr/,}lib/@{multiarch}/totem/plugins/*/__pycache__/ w,
# Allow read and write on almost anything in @{HOME}. Lenient, but
# private-files-strict is in effect.
#include <abstractions/private-files-strict>
owner @{HOME}/[^.]* rw,
owner @{HOME}/[^.]*/** rw,
# Allow usage of openat with O_TMPFILE
owner @{HOME}/#[0-9]*[0-9] m,
owner /{,var/}run/user/@{uid}/dconf/user w,
owner /{,var/}run/user/@{uid}/at-spi2-*/ rw,
owner /{,var/}run/user/@{uid}/at-spi2-*/** rw,
/sys/devices/pci[0-9]*/**/config r,
/sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r,
include if exists <local/usr.bin.totem>
}

View File

@ -1,40 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) Jamie Strandboge <jamie@canonical.com>
# SPDX-License-Identifier: GPL-2.0-only
include <tunables/global>
/usr/bin/totem-video-thumbnailer flags=(attach_disconnected) {
include <abstractions/totem>
# Probably needed due to this program being run with bwrap
@{HOMEDIRS} w,
owner @{HOME}/ w,
# Allow read on almost anything in @{HOME}. Lenient, but private-files-strict is in
# effect.
include <abstractions/private-files-strict>
owner @{HOME}/[^.]* rw,
owner @{HOME}/[^.]*/** rw,
# Not needed by nautilus, but maybe other applications
owner /**.[pP][nN][gG] w,
owner /**.[jJ][pP]{,[eE]}[gG] w,
/usr/bin/totem-video-thumbnailer rm,
include if exists <local/usr.bin.totem-previewers>
}
/usr/bin/totem-audio-preview flags=(attach_disconnected) {
include <abstractions/totem>
include <abstractions/audio>
# Allow read on anything in @{HOME}. Lenient, but private-files-strict is in
# effect.
include <abstractions/private-files-strict>
owner @{HOME}/[^.]* rw,
owner @{HOME}/[^.]*/** rw,
include if exists <local/usr.bin.totem-previewers>
}