mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-15 07:54:17 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Profiles update.

Browse Source
This commit is contained in:
Alexandre Pujol 2021-04-12 13:33:24 +01:00
parent b435bc7821
commit 2175a86979
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
15 changed files with 49 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apparmor.d/abstractions/app-launcher-user
View File

@ -8,7 +8,7 @@
/ r, / r,
/usr/ r, /usr/ r,
/{usr/,}bin/ r, /{usr/,}bin/ r,
/{usr/,}bin/[a-z0-9]* rPUx, /{usr/,}bin/[a-zA-Z0-9]* rPUx,
# Firefox # Firefox
/{usr/,}lib/ r, /{usr/,}lib/ r,

1
apparmor.d/groups/desktop/blueman
View File

@ -24,6 +24,7 @@ profile blueman @{exec_path} {
network bluetooth raw, network bluetooth raw,
ptrace (read) peer=gjs-console, ptrace (read) peer=gjs-console,
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/blueman-tray rPx, /{usr/,}bin/blueman-tray rPx,

4
apparmor.d/groups/desktop/dbus-run-session
View File

@ -25,6 +25,10 @@ profile dbus-run-session @{exec_path} {
include <abstractions/dconf> include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw, owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw, owner @{run}/user/[0-9]*/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,
/dev/tty rw,
include if exists <local/dbus-run-session> include if exists <local/dbus-run-session>
} }

3
apparmor.d/groups/gnome/gdm-wayland-session
View File

@ -9,10 +9,10 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/gdm-wayland-session @{exec_path} = /{usr/,}lib/gdm-wayland-session
profile gdm-wayland-session @{exec_path} { profile gdm-wayland-session @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bash>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/zsh> include <abstractions/zsh>
include <abstractions/bash>
signal (send) set=(term) peer=dbus-run-session, signal (send) set=(term) peer=dbus-run-session,
signal (send) set=(term) peer=gnome-session-binary, signal (send) set=(term) peer=gnome-session-binary,
@ -30,6 +30,7 @@ profile gdm-wayland-session @{exec_path} {
/{usr/,}bin/dbus-daemon rPx, /{usr/,}bin/dbus-daemon rPx,
/{usr/,}lib/gnome-session-binary rPx, /{usr/,}lib/gnome-session-binary rPx,
/etc/shells r,
/etc/gdm/custom.conf r, /etc/gdm/custom.conf r,
/usr/share/gdm/gdm.schemas r, /usr/share/gdm/gdm.schemas r,

2
apparmor.d/groups/gnome/gdm-x-session
View File

@ -20,7 +20,7 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/gdm.schemas r, /usr/share/gdm/gdm.schemas r,
/var/lib/gdm/.cache/gdm/Xauthority rw, /var/lib/gdm/.cache/gdm/Xauthority rw,
owner /proc/9503/fd/ r, owner @{PROC}/@{pid}/fd/ r,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,

6
apparmor.d/groups/gnome/gdm-xsession
View File

@ -7,11 +7,11 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /etc/gdm/Xsession @{exec_path} = /etc/gdm/Xsession
profile sddm-xsession @{exec_path} { profile gdm-xsession @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bash>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/bash>
@{exec_path} r, @{exec_path} r,
@ -39,5 +39,5 @@ profile sddm-xsession @{exec_path} {
} }
include if exists <local/sddm-xsession> include if exists <local/gdm-xsession>
} }

8
apparmor.d/groups/gnome/gnome-session-binary
View File

@ -9,8 +9,8 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/gnome-session-binary @{exec_path} = /{usr/,}lib/gnome-session-binary
profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/nameservice-strict>
signal (send) set=(term) peer=gsd-*, signal (send) set=(term) peer=gsd-*,
signal (receive) set=(term) peer=gdm-wayland-session, signal (receive) set=(term) peer=gdm-wayland-session,
@ -67,10 +67,10 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/[0-9]*/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/[0-9]*/.mutter-Xwaylandauth.[0-9A-Z]* r,
owner @{run}/user/[0-9]*/gnome-session-leader-fifo rw, owner @{run}/user/[0-9]*/gnome-session-leader-fifo rw,
owner @{run}/user/[0-9]*/ICEauthority{,-[a-z]} rwl, owner @{run}/user/[0-9]*/ICEauthority{,-[a-z]} rwl,
@{run}/systemd/users/[0-9]* r,
@{run}/systemd/sessions/[0-9].ref rw,
@{run}/systemd/sessions/[0-9] r,
@{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/systemd/sessions/[0-9] r,
@{run}/systemd/sessions/[0-9].ref rw,
@{run}/systemd/users/[0-9]* r,
@{sys}/devices/**/{vendor,device} r, @{sys}/devices/**/{vendor,device} r,

18
apparmor.d/groups/gnome/gnome-shell
View File

@ -69,6 +69,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/libgweather/{,**} r, owner @{user_cache_dirs}/libgweather/{,**} r,
owner @{user_cache_dirs}/media-art/{,**} r, owner @{user_cache_dirs}/media-art/{,**} r,
owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
include <abstractions/dconf> include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw, owner @{run}/user/[0-9]*/dconf/ rw,
@ -83,6 +84,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/[0-9]*/.mutter-Xwaylandauth.[0-9A-Z]* rw, owner @{run}/user/[0-9]*/.mutter-Xwaylandauth.[0-9A-Z]* rw,
@{run}/systemd/users/[0-9]* r, @{run}/systemd/users/[0-9]* r,
@{run}/systemd/sessions/ r,
@{run}/systemd/sessions/[0-9] r, @{run}/systemd/sessions/[0-9] r,
@{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/inhibit/[0-9]*.ref rw,
@ -120,14 +122,14 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r, @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
@{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r, @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
owner @{PROC}/[0-9]*/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/[0-9]*/cgroup r, owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/[0-9]*/mounts r, owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/[0-9]*/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/[0-9]*/attr/current r, owner @{PROC}/@{pid}/attr/current r,
@{PROC}/[0-9]*/stat r, @{PROC}/@{pid}/stat r,
@{PROC}/[0-9]*/task/[0-9]*/stat r, @{PROC}/@{pid}/task/@{tid}/stat r,
@{PROC}/[0-9]*/net/* r, @{PROC}/@{pid}/net/* r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
@{PROC}/1/cgroup r, @{PROC}/1/cgroup r,
@{PROC}/cmdline r, @{PROC}/cmdline r,

3
apparmor.d/groups/gnome/gsd-power
View File

@ -27,8 +27,9 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/etc/pulse/client.conf r, /etc/pulse/client.conf r,
owner @{user_config_dirs}/pulse/cookie rk,
owner @{user_cache_dirs}/event-sound-cache.tdb.* rwk, owner @{user_cache_dirs}/event-sound-cache.tdb.* rwk,
owner @{user_config_dirs}/pulse//client.conf r,
owner @{user_config_dirs}/pulse/cookie rk,
include <abstractions/dconf> include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw, owner @{run}/user/[0-9]*/dconf/ rw,

13
apparmor.d/groups/gnome/gsd-xsettings
View File

@ -9,15 +9,16 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/gsd-xsettings @{exec_path} = /{usr/,}lib/gsd-xsettings
profile gsd-xsettings @{exec_path} { profile gsd-xsettings @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/dri-common>
include <abstractions/fonts> include <abstractions/dri-enumerate>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/gtk>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/xrdb rPx, /{usr/,}bin/xrdb rPx,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/drirc.d/{,*} r,
/etc/xdg/Xwayland-session.d/ r, /etc/xdg/Xwayland-session.d/ r,
/etc/xdg/Xwayland-session.d/00-xrdb rix, /etc/xdg/Xwayland-session.d/00-xrdb rix,
@ -30,16 +31,10 @@ profile gsd-xsettings @{exec_path} {
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r, /var/lib/gdm/.config/dconf/user r,
@{sys}/devices/pci[0-9]*/**/{device,vendor,uevent} r,
@{sys}/devices/pci[0-9]*/**/{subsystem_device,subsystem_vendor} r,
owner @{run}/user/@{pid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, owner @{run}/user/@{pid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
/dev/dri/ r,
/dev/dri/renderD[0-9]* rw,
/dev/tty rw, /dev/tty rw,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,

10
apparmor.d/groups/gvfs/gvfsd-recent
View File

@ -17,14 +17,20 @@ profile gvfsd-recent @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/usr/share/mime/mime.cache r, /usr/share/mime/mime.cache r,
# Full access to user's data
owner @{HOME}/{,**} rw,
owner /media/*/{,**} rw,
owner /mnt/*/{,**} rw,
owner @{HOME}/.zshenv r, owner @{HOME}/.zshenv r,
owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.dirs r,
owner @{HOME}/.local/share/recently-used.xbel r, owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{user_share_dirs}/recently-used.xbel r,
owner @{run}/user/[0-9]*/gvfsd/ rw, owner @{run}/user/[0-9]*/gvfsd/ rw,
owner @{run}/user/[0-9]*/gvfsd/socket-[a-zA-z0-9]* rw, owner @{run}/user/[0-9]*/gvfsd/socket-[a-zA-z0-9]* rw,
owner @{PROC}/81380/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
@{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/boot_id r,
@{run}/systemd/userdb/ r, @{run}/systemd/userdb/ r,

2
apparmor.d/profiles-a-l/git
View File

@ -66,6 +66,7 @@ profile git @{exec_path} {
/{usr/,}bin/meld rPUx, /{usr/,}bin/meld rPUx,
/{usr/,}bin/sensible-editor rCx -> editor, /{usr/,}bin/sensible-editor rCx -> editor,
/{usr/,}bin/vim rCx -> editor,
/{usr/,}bin/vim.* rCx -> editor, /{usr/,}bin/vim.* rCx -> editor,
owner @{HOME}/.gitconfig rw, owner @{HOME}/.gitconfig rw,
@ -144,6 +145,7 @@ profile git @{exec_path} {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
/{usr/,}bin/sensible-editor mr, /{usr/,}bin/sensible-editor mr,
/{usr/,}bin/vim mrix,
/{usr/,}bin/vim.* mrix, /{usr/,}bin/vim.* mrix,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix, /{usr/,}bin/which rix,

2
apparmor.d/profiles-m-z/sensors
View File

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2020 Mikhail Morfikov # Copyright (C) 2015-2020 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -27,6 +28,7 @@ profile sensors @{exec_path} {
@{sys}/devices/virtual/hwmon/hwmon[0-9]*/fan[0-9]_label r, @{sys}/devices/virtual/hwmon/hwmon[0-9]*/fan[0-9]_label r,
@{sys}/devices/**/hwmon*/{,**/} r, @{sys}/devices/**/hwmon*/{,**/} r,
@{sys}/devices/**/hwmon*/{name,temp*,*_input} r, @{sys}/devices/**/hwmon*/{name,temp*,*_input} r,
@{sys}/devices/**/hwmon*/{in[0-9]_label,in[0-9]_min,in[0-9]_max} r,
@{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r, @{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r,
# file_inherit # file_inherit

1
apparmor.d/profiles-m-z/xclip
View File

@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/xclip @{exec_path} = /{usr/,}bin/xclip
profile xclip @{exec_path} { profile xclip @{exec_path} {
include <abstractions/base> include <abstractions/base>
network unix stream, network unix stream,
@{exec_path} mr, @{exec_path} mr,

5
apparmor.d/profiles-m-z/xdg-dbus-proxy
View File

@ -10,9 +10,12 @@ include <tunables/global>
profile xdg-dbus-proxy @{exec_path} flags=(complain) { profile xdg-dbus-proxy @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
@{exec_path} r, @{exec_path} mr,
owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw, owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw,
owner @{run}/user/@{pid}/webkitgtk/dbus-proxy-[0-9A-Z]* rw,
/dev/dri/card[0-9]* rw,
include if exists <local/xdg-dbus-proxy> include if exists <local/xdg-dbus-proxy>
} }