General profiles update.
This commit is contained in:
parent
d7be27411b
commit
20c3b0575c
@ -1,5 +1,6 @@
|
|||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
# Copyright (C) 2019-2022 Mikhail Morfikov
|
||||||
|
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
@ -61,6 +62,8 @@ profile apt-methods-http @{exec_path} {
|
|||||||
|
|
||||||
owner /tmp/apt-changelog-*/*.changelog rw,
|
owner /tmp/apt-changelog-*/*.changelog rw,
|
||||||
|
|
||||||
|
@{run}/resolvconf/resolv.conf r,
|
||||||
|
|
||||||
@{PROC}/1/cgroup r,
|
@{PROC}/1/cgroup r,
|
||||||
@{PROC}/@{pid}/cgroup r,
|
@{PROC}/@{pid}/cgroup r,
|
||||||
|
|
||||||
|
@ -9,20 +9,52 @@ include <tunables/global>
|
|||||||
@{exec_path} = /{usr/,}bin/unattended-upgrade
|
@{exec_path} = /{usr/,}bin/unattended-upgrade
|
||||||
profile unattended-upgrade @{exec_path} {
|
profile unattended-upgrade @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/python>
|
include <abstractions/python>
|
||||||
|
|
||||||
|
capability chown,
|
||||||
|
capability dac_override,
|
||||||
|
capability dac_read_search,
|
||||||
|
capability kill,
|
||||||
|
capability setgid,
|
||||||
|
capability setuid,
|
||||||
|
capability sys_nice,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/{usr/,}bin/python3.[0-9]* rix,
|
/{usr/,}bin/ r,
|
||||||
/{usr/,}bin/uname rix,
|
|
||||||
/{usr/,}bin/dpkg rPx,
|
/{usr/,}bin/dpkg rPx,
|
||||||
/{usr/,}bin/lsb_release rPx -> lsb_release,
|
/{usr/,}bin/lsb_release rPx -> lsb_release,
|
||||||
|
/{usr/,}bin/python3.[0-9]* rix,
|
||||||
|
/{usr/,}bin/uname rix,
|
||||||
|
/{usr/,}lib/apt/methods/http{,s} rPx,
|
||||||
|
|
||||||
|
/usr/share/dpkg/*table r,
|
||||||
|
|
||||||
|
/etc/apt/*.list r,
|
||||||
|
/etc/apt/apt.conf.d/{,**} r,
|
||||||
|
/etc/apt/preferences.d/{,**} r,
|
||||||
|
/etc/apt/sources.list.d/{,**} r,
|
||||||
|
|
||||||
|
/etc/machine-id r,
|
||||||
|
|
||||||
/var/log/unattended-upgrades/*.log rw,
|
/var/log/unattended-upgrades/*.log rw,
|
||||||
|
|
||||||
|
/var/lib/apt/extended_states r,
|
||||||
|
/var/lib/apt/lists/{,**} r,
|
||||||
|
/var/lib/dpkg/lock rwk,
|
||||||
|
/var/lib/dpkg/lock-frontend rwk,
|
||||||
|
/var/lib/dpkg/status r,
|
||||||
|
|
||||||
|
/var/cache/apt/archives/{,**} rw,
|
||||||
|
/var/cache/apt/pkgcache.bin r,
|
||||||
|
|
||||||
owner @{run}/unattended-upgrades.pid rw,
|
owner @{run}/unattended-upgrades.pid rw,
|
||||||
owner @{run}/unattended-upgrades.lock rwk,
|
owner @{run}/unattended-upgrades.lock rwk,
|
||||||
|
|
||||||
|
owner /tmp/#[0-9]* rw,
|
||||||
|
|
||||||
owner @{PROC}/@{pids}/fd/ r,
|
owner @{PROC}/@{pids}/fd/ r,
|
||||||
|
|
||||||
include if exists <local/unattended-upgrade>
|
include if exists <local/unattended-upgrade>
|
||||||
|
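Review bot: The seven capability lines added after the includes (chown, dac_override, dac_read_search, kill, setgid, setuid, sys_nice) carry no comment recording which operation needs each, and dac_override together with setuid/setgid leaves little of root's file authority outside the profile. Elsewhere this tree annotates doubtful grants (the accounts-daemon profile carried a `# Needed?` marker), so a why-comment per group would help the next audit, e.g. `# setuid/setgid: presumably to drop privileges before exec of the apt methods — confirm` and `# dac_override: confirm from audit log; dac_read_search may already be enough`. The unattended-upgrade profile block continues outside the hunk.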
@ -64,6 +64,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
|
|||||||
/{usr/,}bin/xdg-settings rPx,
|
/{usr/,}bin/xdg-settings rPx,
|
||||||
|
|
||||||
/usr/share/chromium/{,**} r,
|
/usr/share/chromium/{,**} r,
|
||||||
|
/usr/share/egl/{,**} r,
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
/usr/share/mozilla/extensions/{,**} r,
|
/usr/share/mozilla/extensions/{,**} r,
|
||||||
/usr/share/webext/{,**} r,
|
/usr/share/webext/{,**} r,
|
||||||
@ -74,6 +75,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
|
|||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
/etc/libva.conf r,
|
/etc/libva.conf r,
|
||||||
/etc/opensc.conf r,
|
/etc/opensc.conf r,
|
||||||
|
/etc/igfx_user_feature{,_next}.txt w,
|
||||||
|
|
||||||
/var/lib/dbus/machine-id r,
|
/var/lib/dbus/machine-id r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
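Review bot: The added `/etc/igfx_user_feature{,_next}.txt w,` gives the browser write access to two files under /etc with neither an `owner` qualifier nor a comment, which is unusual for an application profile. If this only silences the Intel media driver probing for an optional user-feature file (it appears to keep working without it — confirm), a `deny /etc/igfx_user_feature{,_next}.txt w,` would quiet the log without granting the write. Either way a short comment naming the component that touches these files belongs on the line. The chromium-chromium profile block continues outside the hunk.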
@ -147,6 +149,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{sys}/devices/virtual/**/report_descriptor r,
|
@{sys}/devices/virtual/**/report_descriptor r,
|
||||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||||
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||||
|
@{sys}/devices/pci[0-9]*/**/boot_vga r,
|
||||||
|
|
||||||
deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
|
deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
|
||||||
|
|
||||||
|
@ -177,6 +177,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||||||
deny owner @{PROC}/@{pids}/environ r,
|
deny owner @{PROC}/@{pids}/environ r,
|
||||||
|
|
||||||
/dev/ r,
|
/dev/ r,
|
||||||
|
/dev/video[0-9]* rw,
|
||||||
/dev/hidraw[0-9]* rw,
|
/dev/hidraw[0-9]* rw,
|
||||||
owner /dev/dri/card[0-9]* rw, # File Inherit
|
owner /dev/dri/card[0-9]* rw, # File Inherit
|
||||||
owner /dev/shm/org.chromium.* rw,
|
owner /dev/shm/org.chromium.* rw,
|
||||||
|
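Review bot: The added `/dev/video[0-9]* rw,` grants access to every V4L device node with no comment, while the sibling `owner /dev/dri/card[0-9]* rw, # File Inherit` shows this file annotates its device rules. A trailing comment such as `# webcam for WebRTC — confirm` would record the intent; whether `owner` is applicable depends on how the video nodes are owned on the target systems, which the hunk does not show. The firefox profile block continues outside the hunk.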
@ -1,5 +1,6 @@
|
|||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Copyright (C) 2020-2021 Mikhail Morfikov
|
# Copyright (C) 2020-2022 Mikhail Morfikov
|
||||||
|
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
@ -10,23 +11,18 @@ include <tunables/global>
|
|||||||
@{exec_path} += @{libexec}/accounts-daemon
|
@{exec_path} += @{libexec}/accounts-daemon
|
||||||
profile accounts-daemon @{exec_path} {
|
profile accounts-daemon @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/wutmp>
|
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/wutmp>
|
||||||
|
|
||||||
# Needed?
|
|
||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
|
capability sys_nice,
|
||||||
capability sys_ptrace,
|
capability sys_ptrace,
|
||||||
deny capability sys_nice,
|
|
||||||
|
|
||||||
ptrace (read) peer=unconfined,
|
ptrace (read) peer=unconfined,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
owner /var/lib/AccountsService/ r,
|
|
||||||
owner /var/lib/AccountsService/** rw,
|
|
||||||
|
|
||||||
/usr/share/accountsservice/{,**} r,
|
/usr/share/accountsservice/{,**} r,
|
||||||
|
|
||||||
/usr/share/dbus-1/interfaces/org.freedesktop.DisplayManager.AccountsService.xml r,
|
/usr/share/dbus-1/interfaces/org.freedesktop.DisplayManager.AccountsService.xml r,
|
||||||
|
|
||||||
/etc/gdm/custom.conf r,
|
/etc/gdm/custom.conf r,
|
||||||
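Review bot: `deny capability sys_nice,` is turned into a plain `capability sys_nice,` and the `# Needed?` marker above the capability block is dropped, so the open question is resolved in the permissive direction without the answer being recorded; the blueman-mechanism hunk further down makes the same deny-to-allow flip for sys_nice. If the audit log showed the daemon actually failing on sys_nice, a trailing comment such as `capability sys_nice, # <reason observed in audit log>` keeps that evidence next to the grant; if it was only log noise, keeping the deny with a silencer comment was the quieter option. The accounts-daemon profile block continues outside the hunk.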
@ -34,9 +30,15 @@ profile accounts-daemon @{exec_path} {
|
|||||||
/etc/shadow r,
|
/etc/shadow r,
|
||||||
/etc/shells r,
|
/etc/shells r,
|
||||||
|
|
||||||
@{PROC}/sys/kernel/osrelease r,
|
/etc/gdm/custom.conf.* rw,
|
||||||
|
|
||||||
|
owner /var/lib/AccountsService/ r,
|
||||||
|
owner /var/lib/AccountsService/** rw,
|
||||||
|
|
||||||
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
@{PROC}/1/environ r,
|
@{PROC}/1/environ r,
|
||||||
@{PROC}/cmdline r,
|
@{PROC}/cmdline r,
|
||||||
|
@{PROC}/sys/kernel/osrelease r,
|
||||||
|
|
||||||
include if exists <local/accounts-daemon>
|
include if exists <local/accounts-daemon>
|
||||||
}
|
}
|
||||||
|
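Review bot: The added `/etc/gdm/custom.conf.* rw,` sits next to the existing `/etc/gdm/custom.conf r,` (visible in the previous hunk), so the daemon may create files in /etc/gdm but not replace custom.conf itself. If the `.*` suffix is a write-then-rename temporary, the final rename onto custom.conf will be denied because the target only has `r`; check the audit log and, if so, change the existing line to `/etc/gdm/custom.conf rw,`. A comment on why the daemon rewrites gdm's configuration (presumably autologin settings — confirm) would also help. The profile block closes in this hunk but starts outside it.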
@ -33,6 +33,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
|
|||||||
owner @{HOME}/.Xauthority r,
|
owner @{HOME}/.Xauthority r,
|
||||||
owner @{HOME}/.xsession-errors w,
|
owner @{HOME}/.xsession-errors w,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/at-spi/ w,
|
||||||
owner @{run}/user/@{uid}/dconf/ rw,
|
owner @{run}/user/@{uid}/dconf/ rw,
|
||||||
owner @{run}/user/@{uid}/dconf/user rw,
|
owner @{run}/user/@{uid}/dconf/user rw,
|
||||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||||
|
@ -15,15 +15,15 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
capability mknod,
|
capability mknod,
|
||||||
capability net_admin,
|
capability net_admin,
|
||||||
deny capability sys_nice,
|
capability sys_nice,
|
||||||
|
|
||||||
network inet stream,
|
network inet stream,
|
||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
@{exec_path} r,
|
@{exec_path} mr,
|
||||||
/{usr/,}bin/python3.[0-9]* r,
|
|
||||||
|
|
||||||
|
/{usr/,}bin/python3.[0-9]* r,
|
||||||
@{libexec}/ r,
|
@{libexec}/ r,
|
||||||
|
|
||||||
/var/lib/blueman/network.state rw,
|
/var/lib/blueman/network.state rw,
|
||||||
|
@ -51,6 +51,10 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||||||
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
|
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
|
||||||
/usr/share/zoneinfo/{,**} r,
|
/usr/share/zoneinfo/{,**} r,
|
||||||
|
|
||||||
|
/etc/pipewire/client.conf.d/ r,
|
||||||
|
/etc/security/pwquality.conf r,
|
||||||
|
/etc/security/pwquality.conf.d/{,**} r,
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/var/lib/dbus/machine-id r,
|
/var/lib/dbus/machine-id r,
|
||||||
|
|
||||||
|
@ -108,6 +108,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
|
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
|
||||||
|
|
||||||
|
owner /dev/shm/.org.chromium.Chromium.* rw,
|
||||||
|
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
|
||||||
|
|
||||||
/var/lib/flatpak/app/**/gnome-shell/{,**} r,
|
/var/lib/flatpak/app/**/gnome-shell/{,**} r,
|
||||||
/var/lib/flatpak/exports/share/gnome-shell/{,**} r,
|
/var/lib/flatpak/exports/share/gnome-shell/{,**} r,
|
||||||
|
|
||||||
@ -176,7 +179,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
# file_inherit
|
# file_inherit
|
||||||
/dev/tty[0-9]* rw,
|
/dev/tty[0-9]* rw,
|
||||||
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
|
|
||||||
|
|
||||||
include if exists <local/gnome-shell>
|
include if exists <local/gnome-shell>
|
||||||
}
|
}
|
||||||
|
@ -15,7 +15,7 @@ profile gpgconf @{exec_path} {
|
|||||||
@{exec_path} mrix,
|
@{exec_path} mrix,
|
||||||
|
|
||||||
/{usr/,}bin/gpg-connect-agent rPx,
|
/{usr/,}bin/gpg-connect-agent rPx,
|
||||||
/{usr/,}bin/gpg rPx,
|
/{usr/,}bin/gpg rPUx,
|
||||||
/{usr/,}bin/gpg-agent rPx,
|
/{usr/,}bin/gpg-agent rPx,
|
||||||
/{usr/,}bin/dirmngr rPx,
|
/{usr/,}bin/dirmngr rPx,
|
||||||
/{usr/,}bin/gpgsm rPx,
|
/{usr/,}bin/gpgsm rPx,
|
||||||
|
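Review bot: `/{usr/,}bin/gpg rPx,` becomes `rPUx` while gpg-agent, dirmngr and gpgsm on the neighbouring lines stay `rPx`, so when the gpg profile is not loaded, gpg spawned from gpgconf now runs unconfined instead of being refused. That fallback is a deliberate weakening and deserves a comment naming the reason (presumably so gpgconf works where only part of the profile set is installed — confirm), e.g. `/{usr/,}bin/gpg rPUx, # falls back to unconfined when the gpg profile is absent`. The gpgconf profile block continues outside the hunk.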
@ -29,8 +29,8 @@ profile arch-audit @{exec_path} {
|
|||||||
|
|
||||||
/var/lib/pacman/local/{,**} r,
|
/var/lib/pacman/local/{,**} r,
|
||||||
|
|
||||||
@{PROC}/@{pid}/cgroup r,
|
owner @{PROC}/@{pid}/cgroup r,
|
||||||
@{PROC}/@{pid}/mountinfo r,
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
|
|
||||||
@{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
|
@{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
|
||||||
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
|
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
|
||||||
|
@ -12,10 +12,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
|
|||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
capability mknod,
|
|
||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
capability sys_chroot,
|
capability mknod,
|
||||||
capability sys_admin,
|
capability sys_admin,
|
||||||
|
capability sys_chroot,
|
||||||
|
|
||||||
unix (receive) type=stream,
|
unix (receive) type=stream,
|
||||||
|
|
||||||
@ -59,12 +59,12 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
|
|||||||
/{usr/,}lib{,32,64}/ld-*.so* rix,
|
/{usr/,}lib{,32,64}/ld-*.so* rix,
|
||||||
|
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
/etc/lvm/lvm.conf r,
|
|
||||||
/etc/vconsole.conf r,
|
|
||||||
/etc/locale.conf r,
|
/etc/locale.conf r,
|
||||||
|
/etc/lvm/lvm.conf r,
|
||||||
/etc/mkinitcpio.conf r,
|
/etc/mkinitcpio.conf r,
|
||||||
/etc/mkinitcpio.d/{,**} r,
|
/etc/mkinitcpio.d/{,**} r,
|
||||||
/etc/modprobe.d/{,*} r,
|
/etc/modprobe.d/{,*} r,
|
||||||
|
/etc/vconsole.conf r,
|
||||||
|
|
||||||
/usr/share/kbd/keymaps/{,**} r,
|
/usr/share/kbd/keymaps/{,**} r,
|
||||||
/usr/share/terminfo/x/xterm-256color r,
|
/usr/share/terminfo/x/xterm-256color r,
|
||||||
@ -88,7 +88,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
|
|||||||
owner @{run}/mkinitcpio.*/{,**} rw,
|
owner @{run}/mkinitcpio.*/{,**} rw,
|
||||||
owner /tmp/mkinitcpio.*/{,**} rw,
|
owner /tmp/mkinitcpio.*/{,**} rw,
|
||||||
|
|
||||||
owner @{PROC}/[0-9]*/mountinfo r,
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
|
|
||||||
# Inherit silencer
|
# Inherit silencer
|
||||||
deny @{HOME}/** r,
|
deny @{HOME}/** r,
|
||||||
|
@ -57,9 +57,12 @@ profile pacman @{exec_path} {
|
|||||||
/{usr/,}bin/gettext rix,
|
/{usr/,}bin/gettext rix,
|
||||||
/{usr/,}bin/ghc-pkg-* rix,
|
/{usr/,}bin/ghc-pkg-* rix,
|
||||||
/{usr/,}bin/grep rix,
|
/{usr/,}bin/grep rix,
|
||||||
|
/{usr/,}bin/head rix,
|
||||||
/{usr/,}bin/iscsi-iname rix,
|
/{usr/,}bin/iscsi-iname rix,
|
||||||
/{usr/,}bin/killall rix,
|
/{usr/,}bin/killall rix,
|
||||||
|
/{usr/,}bin/ln rix,
|
||||||
/{usr/,}bin/rm rix,
|
/{usr/,}bin/rm rix,
|
||||||
|
/{usr/,}bin/sed rix,
|
||||||
/{usr/,}bin/setcap rix,
|
/{usr/,}bin/setcap rix,
|
||||||
/{usr/,}bin/vercmp rix,
|
/{usr/,}bin/vercmp rix,
|
||||||
/{usr/,}bin/xmlcatalog rix,
|
/{usr/,}bin/xmlcatalog rix,
|
||||||
@ -77,6 +80,7 @@ profile pacman @{exec_path} {
|
|||||||
/{usr/,}bin/install-info rPx,
|
/{usr/,}bin/install-info rPx,
|
||||||
/{usr/,}bin/journalctl rPx,
|
/{usr/,}bin/journalctl rPx,
|
||||||
/{usr/,}bin/locale-gen rPx,
|
/{usr/,}bin/locale-gen rPx,
|
||||||
|
/{usr/,}bin/mkinitcpio rPx,
|
||||||
/{usr/,}bin/pacdiff rPx,
|
/{usr/,}bin/pacdiff rPx,
|
||||||
/{usr/,}bin/pacman-key rPx,
|
/{usr/,}bin/pacman-key rPx,
|
||||||
/{usr/,}bin/sysctl rPx,
|
/{usr/,}bin/sysctl rPx,
|
||||||
|
@ -51,11 +51,7 @@ profile systemd-journald @{exec_path} {
|
|||||||
@{run}/udev/data/+scsi:* r,
|
@{run}/udev/data/+scsi:* r,
|
||||||
@{run}/udev/data/+bluetooth:* r,
|
@{run}/udev/data/+bluetooth:* r,
|
||||||
@{run}/udev/data/+usb-serial:* r,
|
@{run}/udev/data/+usb-serial:* r,
|
||||||
@{run}/udev/data/+platform:intel_pmc_core.[0-9]* r,
|
@{run}/udev/data/+platform* r,
|
||||||
@{run}/udev/data/+platform:iTCO_wdt r,
|
|
||||||
@{run}/udev/data/+platform:regulatory.[0-9]* r,
|
|
||||||
@{run}/udev/data/+platform:rtsx_pci_sdmmc.[0-9]* r,
|
|
||||||
@{run}/udev/data/+platform:simple-framebuffer.[0-9]* r,
|
|
||||||
|
|
||||||
@{sys}/devices/**/uevent r,
|
@{sys}/devices/**/uevent r,
|
||||||
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
|
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
|
||||||
|
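Review bot: The replacement `@{run}/udev/data/+platform* r,` is wider than the five `+platform:…` entries it collapses and, because `*` matches any characters except `/`, also wider than the `+scsi:*`, `+bluetooth:*` and `+usb-serial:*` rules around it, which all keep the subsystem separator. `@{run}/udev/data/+platform:* r,` would keep the same coverage for every platform device while matching the style of its neighbours. The systemd-journald profile block continues outside the hunk.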
@ -9,25 +9,17 @@ include <tunables/global>
|
|||||||
@{exec_path} = /{usr/,}lib/systemd/systemd-update-utmp
|
@{exec_path} = /{usr/,}lib/systemd/systemd-update-utmp
|
||||||
profile systemd-update-utmp @{exec_path} {
|
profile systemd-update-utmp @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/systemd-common>
|
||||||
|
include <abstractions/wutmp>
|
||||||
|
|
||||||
capability audit_write,
|
capability audit_write,
|
||||||
capability net_admin,
|
capability net_admin,
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
ptrace (read) peer=unconfined,
|
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
owner /var/log/wtmp rwk,
|
|
||||||
owner @{run}/utmp rwk,
|
|
||||||
|
|
||||||
@{run}/host/container-manager r,
|
@{run}/host/container-manager r,
|
||||||
|
|
||||||
@{PROC}/1/cmdline r,
|
|
||||||
@{PROC}/1/environ r,
|
|
||||||
@{PROC}/cmdline r,
|
|
||||||
@{PROC}/sys/kernel/osrelease r,
|
|
||||||
|
|
||||||
include if exists <local/systemd-update-utmp>
|
include if exists <local/systemd-update-utmp>
|
||||||
}
|
}
|
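Review bot: The rules removed here — `ptrace (read) peer=unconfined,`, the `owner` wtmp/utmp lock rules and the four @{PROC} reads — are replaced by `include <abstractions/systemd-common>` and `include <abstractions/wutmp>`, whose contents are not in the diff, so a reader cannot tell whether each removed rule is still granted or intentionally dropped; the systemd-user-runtime-dir and systemd-user-sessions hunks below make the same substitution and likewise lose their `ptrace (read) peer=unconfined,` rule. A trailing comment on the include listing which of the dropped rules it is relied on for (e.g. `include <abstractions/systemd-common> # <rules moved from this profile>`) would make the change reviewable. Whether the `owner` qualifier on the old utmp/wtmp rules survives in the wutmp abstraction should also be checked. The profile block starts outside the hunk.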
@ -10,6 +10,7 @@ include <tunables/global>
|
|||||||
profile systemd-user-runtime-dir @{exec_path} {
|
profile systemd-user-runtime-dir @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/systemd-common>
|
||||||
|
|
||||||
capability dac_override,
|
capability dac_override,
|
||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
@ -17,8 +18,6 @@ profile systemd-user-runtime-dir @{exec_path} {
|
|||||||
capability net_admin,
|
capability net_admin,
|
||||||
capability sys_admin,
|
capability sys_admin,
|
||||||
|
|
||||||
ptrace (read) peer=unconfined,
|
|
||||||
|
|
||||||
mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/,
|
mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/,
|
||||||
umount @{run}/user/@{uid}/,
|
umount @{run}/user/@{uid}/,
|
||||||
|
|
||||||
@ -28,9 +27,5 @@ profile systemd-user-runtime-dir @{exec_path} {
|
|||||||
|
|
||||||
@{run}/user/@{uid}/{,**} rw,
|
@{run}/user/@{uid}/{,**} rw,
|
||||||
|
|
||||||
@{PROC}/1/environ r,
|
|
||||||
@{PROC}/cmdline r,
|
|
||||||
@{PROC}/sys/kernel/osrelease r,
|
|
||||||
|
|
||||||
include if exists <local/systemd-user-runtime-dir>
|
include if exists <local/systemd-user-runtime-dir>
|
||||||
}
|
}
|
@ -9,11 +9,10 @@ include <tunables/global>
|
|||||||
@{exec_path} = /{usr/,}lib/systemd/systemd-user-sessions
|
@{exec_path} = /{usr/,}lib/systemd/systemd-user-sessions
|
||||||
profile systemd-user-sessions @{exec_path} {
|
profile systemd-user-sessions @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/systemd-common>
|
||||||
|
|
||||||
capability net_admin,
|
capability net_admin,
|
||||||
|
|
||||||
ptrace (read) peer=unconfined,
|
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
owner @{run}/.#nologin* rw,
|
owner @{run}/.#nologin* rw,
|
||||||
@ -22,10 +21,5 @@ profile systemd-user-sessions @{exec_path} {
|
|||||||
|
|
||||||
@{run}/host/container-manager r,
|
@{run}/host/container-manager r,
|
||||||
|
|
||||||
@{PROC}/1/cmdline r,
|
|
||||||
@{PROC}/1/environ r,
|
|
||||||
@{PROC}/cmdline r,
|
|
||||||
@{PROC}/sys/kernel/osrelease r,
|
|
||||||
|
|
||||||
include if exists <local/systemd-user-sessions>
|
include if exists <local/systemd-user-sessions>
|
||||||
}
|
}
|
@ -7,12 +7,13 @@ abi <abi/3.0>,
|
|||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = /{usr/,}bin/virtlogd
|
@{exec_path} = /{usr/,}bin/virtlogd
|
||||||
profile virtlogd @{exec_path} {
|
profile virtlogd @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
ptrace (read) peer=libvirtd,
|
ptrace (read) peer=libvirtd,
|
||||||
|
ptrace (read) peer=virtqemud,
|
||||||
ptrace (read) peer=unconfined,
|
ptrace (read) peer=unconfined,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
@ -21,8 +22,15 @@ profile virtlogd @{exec_path} {
|
|||||||
|
|
||||||
/var/log/libvirt/qemu/*.log rw,
|
/var/log/libvirt/qemu/*.log rw,
|
||||||
|
|
||||||
@{run}/virtlogd.pid rwk,
|
owner @{user_cache_dirs}/libvirt/qemu/log/{,**} rw,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/common/system.token rw,
|
||||||
|
owner @{run}/user/@{uid}/libvirt/virtlogd.pid rwk,
|
||||||
|
owner @{run}/user/@{uid}/libvirt/virtlogd* w,
|
||||||
|
|
||||||
@{run}/libvirt/common/system.token rwk,
|
@{run}/libvirt/common/system.token rwk,
|
||||||
|
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||||
|
@{run}/virtlogd.pid rwk,
|
||||||
|
|
||||||
@{sys}/devices/system/node/ r,
|
@{sys}/devices/system/node/ r,
|
||||||
@{sys}/devices/system/node/node[0-9]*/meminfo r,
|
@{sys}/devices/system/node/node[0-9]*/meminfo r,
|
||||||
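Review bot: The added `owner @{run}/user/@{uid}/libvirt/virtlogd* w,` also matches the `virtlogd.pid` named one line above it with `rwk`, so the two rules overlap and the bare-`w` glob reads like a catch-all rather than a rule for a specific file. If it is meant for the session-mode socket files, naming them, or at least a trailing comment such as `# session sockets — confirm names`, documents the intent and keeps the pattern from silently covering new files later. The non-owner `@{run}/systemd/inhibit/[0-9]*.ref rw,` would also benefit from a comment on why a log daemon holds an inhibitor reference (presumably an fd handed over by libvirtd — confirm). The virtlogd profile block continues outside the hunk.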
@ -32,5 +40,7 @@ profile virtlogd @{exec_path} {
|
|||||||
@{PROC}/cmdline r,
|
@{PROC}/cmdline r,
|
||||||
@{PROC}/sys/kernel/osrelease r,
|
@{PROC}/sys/kernel/osrelease r,
|
||||||
|
|
||||||
|
/dev/dri/ r,
|
||||||
|
|
||||||
include if exists <local/virtlogd>
|
include if exists <local/virtlogd>
|
||||||
}
|
}
|
@ -48,17 +48,20 @@ profile mount-nfs @{exec_path} flags=(complain) {
|
|||||||
@{MOUNTS}/*/ r,
|
@{MOUNTS}/*/ r,
|
||||||
@{MOUNTS}/*/*/ r,
|
@{MOUNTS}/*/*/ r,
|
||||||
|
|
||||||
|
|
||||||
# Allow to mount smb/cifs disks only under the /media/ dirs
|
# Allow to mount smb/cifs disks only under the /media/ dirs
|
||||||
mount fstype=nfs -> @{MOUNTS}/*/,
|
mount fstype=nfs -> @{MOUNTS}/*/,
|
||||||
mount fstype=nfs -> @{MOUNTS}/*/*/,
|
mount fstype=nfs -> @{MOUNTS}/*/*/,
|
||||||
mount fstype=nfs -> /mnt/,
|
mount fstype=nfs -> /mnt/,
|
||||||
mount fstype=nfs -> /mnt/*/,
|
mount fstype=nfs -> /mnt/*/,
|
||||||
|
mount fstype=nfs -> /,
|
||||||
|
mount fstype=nfs -> /*/,
|
||||||
|
|
||||||
umount @{MOUNTS}/*/,
|
umount @{MOUNTS}/*/,
|
||||||
umount @{MOUNTS}/*/*/,
|
umount @{MOUNTS}/*/*/,
|
||||||
umount /mnt/,
|
umount /mnt/,
|
||||||
umount /mnt/*/,
|
umount /mnt/*/,
|
||||||
|
umount /,
|
||||||
|
umount /*/,
|
||||||
|
|
||||||
include if exists <local/mount-nfs>
|
include if exists <local/mount-nfs>
|
||||||
}
|
}
|
||||||
|
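Review bot: The added `mount fstype=nfs -> /,` and `mount fstype=nfs -> /*/,` (with the matching `umount /,` and `umount /*/,`) allow an NFS export to be mounted over the root directory and over any top-level directory such as `/etc/` or `/usr/`, which contradicts the comment above them that mounts are only allowed under the /media/ dirs and removes the mount-point restriction the profile exists for. If a specific target outside /media is required, name it (for example `mount fstype=nfs -> /srv/*/,`, a constructed example) and drop the root and `/*/` forms; because the profile runs in complain mode, the broad rules would otherwise never surface as denials. The pre-existing comment still says smb/cifs although every rule here is nfs, which is worth correcting in the same place. The profile block starts outside the hunk.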
@ -82,5 +82,7 @@ profile sudo @{exec_path} {
|
|||||||
/dev/ r, # interactive login
|
/dev/ r, # interactive login
|
||||||
/dev/ptmx rw,
|
/dev/ptmx rw,
|
||||||
|
|
||||||
|
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||||
|
|
||||||
include if exists <local/sudo>
|
include if exists <local/sudo>
|
||||||
}
|
}
|
||||||
|
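Review bot: The added `deny @{user_share_dirs}/gvfs-metadata/* r,` has no comment, whereas comparable silencers in this tree are labelled (mkinitcpio puts `# Inherit silencer` above its deny). A trailing comment such as `# silence gvfs-metadata reads inherited from the desktop session — confirm` makes clear the deny is deliberate log quieting rather than a security boundary. The sudo profile block starts outside the hunk.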
@ -1,58 +0,0 @@
|
|||||||
# apparmor.d - Full set of apparmor profiles
|
|
||||||
# Copyright (C) Jamie Strandboge <jamie@canonical.com>
|
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
|
||||||
|
|
||||||
#include <tunables/global>
|
|
||||||
|
|
||||||
/usr/bin/totem {
|
|
||||||
#include <abstractions/audio>
|
|
||||||
#include <abstractions/dconf>
|
|
||||||
#include <abstractions/ibus>
|
|
||||||
#include <abstractions/mesa>
|
|
||||||
#include <abstractions/nvidia>
|
|
||||||
#include <abstractions/python>
|
|
||||||
#include <abstractions/totem>
|
|
||||||
#include <abstractions/ubuntu-helpers>
|
|
||||||
|
|
||||||
signal (send) set=("kill") peer=unconfined,
|
|
||||||
|
|
||||||
# Maybe in an abstraction?
|
|
||||||
/usr/include/**/pyconfig.h r,
|
|
||||||
|
|
||||||
/usr/bin/totem r,
|
|
||||||
/usr/bin/totem-video-thumbnailer Pix,
|
|
||||||
/usr/bin/bwrap PUx,
|
|
||||||
/usr/lib/@{multiarch}/libtotem-plparser[0-9]*/totem-pl-parser/* ix,
|
|
||||||
/usr/{lib/@{multiarch},libexec}/totem-gallery-thumbnailer Pix,
|
|
||||||
/dev/sr* r,
|
|
||||||
|
|
||||||
# Help browser
|
|
||||||
/usr/bin/yelp Cx -> sanitized_helper,
|
|
||||||
# GDesktopAppInfo in GLib 2.64.x uses a very small shell script
|
|
||||||
# to launch .desktop files, instead of gio-launch-desktop
|
|
||||||
/{usr/,}bin/{dash,bash} ixr,
|
|
||||||
# With older GLib we might still be on the fallback code path
|
|
||||||
# (remove this after Debian 11 and Ubuntu 20.04)
|
|
||||||
/usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rmix,
|
|
||||||
|
|
||||||
# Quiet logs
|
|
||||||
deny /{usr/,}lib/@{multiarch}/totem/plugins/*/__pycache__/ w,
|
|
||||||
|
|
||||||
# Allow read and write on almost anything in @{HOME}. Lenient, but
|
|
||||||
# private-files-strict is in effect.
|
|
||||||
#include <abstractions/private-files-strict>
|
|
||||||
owner @{HOME}/[^.]* rw,
|
|
||||||
owner @{HOME}/[^.]*/** rw,
|
|
||||||
|
|
||||||
# Allow usage of openat with O_TMPFILE
|
|
||||||
owner @{HOME}/#[0-9]*[0-9] m,
|
|
||||||
|
|
||||||
owner /{,var/}run/user/@{uid}/dconf/user w,
|
|
||||||
owner /{,var/}run/user/@{uid}/at-spi2-*/ rw,
|
|
||||||
owner /{,var/}run/user/@{uid}/at-spi2-*/** rw,
|
|
||||||
|
|
||||||
/sys/devices/pci[0-9]*/**/config r,
|
|
||||||
/sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r,
|
|
||||||
|
|
||||||
include if exists <local/usr.bin.totem>
|
|
||||||
}
|
|
@ -1,40 +0,0 @@
|
|||||||
# apparmor.d - Full set of apparmor profiles
|
|
||||||
# Copyright (C) Jamie Strandboge <jamie@canonical.com>
|
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
|
||||||
|
|
||||||
include <tunables/global>
|
|
||||||
|
|
||||||
/usr/bin/totem-video-thumbnailer flags=(attach_disconnected) {
|
|
||||||
include <abstractions/totem>
|
|
||||||
|
|
||||||
# Probably needed due to this program being run with bwrap
|
|
||||||
@{HOMEDIRS} w,
|
|
||||||
owner @{HOME}/ w,
|
|
||||||
|
|
||||||
# Allow read on almost anything in @{HOME}. Lenient, but private-files-strict is in
|
|
||||||
# effect.
|
|
||||||
include <abstractions/private-files-strict>
|
|
||||||
owner @{HOME}/[^.]* rw,
|
|
||||||
owner @{HOME}/[^.]*/** rw,
|
|
||||||
|
|
||||||
# Not needed by nautilus, but maybe other applications
|
|
||||||
owner /**.[pP][nN][gG] w,
|
|
||||||
owner /**.[jJ][pP]{,[eE]}[gG] w,
|
|
||||||
|
|
||||||
/usr/bin/totem-video-thumbnailer rm,
|
|
||||||
|
|
||||||
include if exists <local/usr.bin.totem-previewers>
|
|
||||||
}
|
|
||||||
|
|
||||||
/usr/bin/totem-audio-preview flags=(attach_disconnected) {
|
|
||||||
include <abstractions/totem>
|
|
||||||
include <abstractions/audio>
|
|
||||||
|
|
||||||
# Allow read on anything in @{HOME}. Lenient, but private-files-strict is in
|
|
||||||
# effect.
|
|
||||||
include <abstractions/private-files-strict>
|
|
||||||
owner @{HOME}/[^.]* rw,
|
|
||||||
owner @{HOME}/[^.]*/** rw,
|
|
||||||
|
|
||||||
include if exists <local/usr.bin.totem-previewers>
|
|
||||||
}
|
|