feat(abs): general improvment.
This commit is contained in:
parent
63888f07a7
commit
21e8456383
@ -11,8 +11,8 @@
|
|||||||
# Sandbox managers
|
# Sandbox managers
|
||||||
@{bin}/bwrap rPUx,
|
@{bin}/bwrap rPUx,
|
||||||
@{bin}/firejail rPUx,
|
@{bin}/firejail rPUx,
|
||||||
@{bin}/flatpak rPUx,
|
@{bin}/flatpak rPx,
|
||||||
@{bin}/snap rPUx,
|
@{bin}/snap rPx,
|
||||||
|
|
||||||
# Labeled programs
|
# Labeled programs
|
||||||
@{archive_viewers_path} rPUx,
|
@{archive_viewers_path} rPUx,
|
||||||
|
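Review bot: Moving `@{bin}/flatpak` and `@{bin}/snap` from `rPUx` to `rPx` drops the unconfined fallback, so on a host where the flatpak or snap profile is not loaded the exec is now denied instead of running unconfined, while `bwrap` and `firejail` on the lines above keep `rPUx`; the commit message does not say why the two pairs are treated differently. If the intent is that flatpak and snap profiles are always shipped with this abstraction, a one-line comment above the pair would spare the next reader the question, e.g. `# flatpak and snap ship their own profiles; bwrap and firejail may still be unconfined`. The hunk shows only the sandbox-manager block; the rest of the abstraction is outside it.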
@ -4,7 +4,13 @@
|
|||||||
|
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
|
|
||||||
@{bin}/kmod mr,
|
@{bin}/depmod mr,
|
||||||
|
@{bin}/insmod mr,
|
||||||
|
@{bin}/kmod mr,
|
||||||
|
@{bin}/lsmod mr,
|
||||||
|
@{bin}/modinfo mr,
|
||||||
|
@{bin}/modprobe mr,
|
||||||
|
@{bin}/rmmod mr,
|
||||||
|
|
||||||
@{lib}/modprobe.d/ r,
|
@{lib}/modprobe.d/ r,
|
||||||
@{lib}/modprobe.d/*.conf r,
|
@{lib}/modprobe.d/*.conf r,
|
||||||
|
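Review bot: The expanded list (`depmod`, `insmod`, `lsmod`, `modinfo`, `modprobe`, `rmmod`) next to `@{bin}/kmod mr,` carries no comment explaining why six names need `mr`; on most distributions these are symlinks to the `kmod` multi-call binary, and without a note a reader may take the block for six separate programs. A short comment above the block such as `# kmod multi-call names; usually symlinks to @{bin}/kmod` would document it.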
@ -57,7 +57,6 @@
|
|||||||
@{PROC}/@{pid}/limits r,
|
@{PROC}/@{pid}/limits r,
|
||||||
@{PROC}/@{pid}/loginuid r,
|
@{PROC}/@{pid}/loginuid r,
|
||||||
@{PROC}/@{pid}/stat r,
|
@{PROC}/@{pid}/stat r,
|
||||||
@{PROC}/sys/kernel/ngroups_max r,
|
|
||||||
@{PROC}/sys/kernel/seccomp/actions_avail r,
|
@{PROC}/sys/kernel/seccomp/actions_avail r,
|
||||||
|
|
||||||
/dev/ r,
|
/dev/ r,
|
||||||
|
@ -20,8 +20,6 @@
|
|||||||
|
|
||||||
ptrace (readby) peer=systemd-coredump,
|
ptrace (readby) peer=systemd-coredump,
|
||||||
|
|
||||||
/usr/share/locale/ r,
|
|
||||||
|
|
||||||
@{etc_rw}/localtime r,
|
@{etc_rw}/localtime r,
|
||||||
/etc/locale.conf r,
|
/etc/locale.conf r,
|
||||||
|
|
||||||
|
@ -50,6 +50,7 @@
|
|||||||
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
|
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
|
||||||
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
|
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
|
||||||
|
|
||||||
|
owner @{user_config_dirs}/electron-flags.conf r,
|
||||||
owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw,
|
owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw,
|
||||||
|
|
||||||
owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
|
owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
|
||||||
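Review bot: The new `owner @{user_config_dirs}/electron-flags.conf r,` covers only the unversioned flags file; on distributions whose launcher also reads a versioned variant (an `electron@{int}-flags.conf`-style name), that read would still be logged as a denial. If that applies to the packages this abstraction targets, `owner @{user_config_dirs}/electron{,@{int}}-flags.conf r,` covers both with one rule. Read-only access is the right choice here, since the file injects command-line flags into every Electron app that reads it, and nothing in the profile should be able to write it.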
@ -87,6 +88,8 @@
|
|||||||
owner @{PROC}/@{pid}/task/@{tid}/status r,
|
owner @{PROC}/@{pid}/task/@{tid}/status r,
|
||||||
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
|
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
|
||||||
|
|
||||||
|
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||||
|
|
||||||
include if exists <abstractions/common/electron.d>
|
include if exists <abstractions/common/electron.d>
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
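Review bot: `deny @{user_share_dirs}/gvfs-metadata/* r,` silences reads of the entries but not of the directory itself, so a listing of `gvfs-metadata/` would still appear in the audit log; if the aim is to quiet the log, `deny @{user_share_dirs}/gvfs-metadata/{,*} r,` covers both. The rule also gives no reason for the deny; a trailing comment such as `# gvfs metadata is not needed, silence the noise` would make the intent clear to whoever meets the denial later.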
@ -5,6 +5,7 @@
|
|||||||
# Minimal set of rules for all gnome based UI application.
|
# Minimal set of rules for all gnome based UI application.
|
||||||
|
|
||||||
include <abstractions/bus-session>
|
include <abstractions/bus-session>
|
||||||
|
include <abstractions/bus/org.a11y>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/gnome-strict>
|
include <abstractions/gnome-strict>
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
|
@ -11,42 +11,56 @@
|
|||||||
|
|
||||||
# The only legitimate use in this project is for file browser and search engine.
|
# The only legitimate use in this project is for file browser and search engine.
|
||||||
|
|
||||||
deny @{HOME}/.*.bak mrwkl,
|
# User defined private directories
|
||||||
deny @{HOME}/.*.swp mrwkl,
|
deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk,
|
||||||
deny @{HOME}/.*~ mrwkl,
|
deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk,
|
||||||
deny @{HOME}/.*~1~ mrwkl,
|
deny @{user_private_dirs}/{,**} mrxwlk,
|
||||||
|
|
||||||
|
# Files with secret paswords and tokens
|
||||||
deny @{HOME}/.*age*{,/{,**}} mrwkl,
|
deny @{HOME}/.*age*{,/{,**}} mrwkl,
|
||||||
deny @{HOME}/.*aws*{,/{,**}} mrwkl,
|
deny @{HOME}/.*aws*{,/{,**}} mrwkl,
|
||||||
deny @{HOME}/.*cert*{,/{,**}} mrwkl,
|
deny @{HOME}/.*cert*{,/{,**}} mrwkl,
|
||||||
deny @{HOME}/.*history mrwkl,
|
|
||||||
deny @{HOME}/.*key*{,/{,**}} mrwkl,
|
deny @{HOME}/.*key*{,/{,**}} mrwkl,
|
||||||
deny @{HOME}/.*pass*{,/{,**}} mrwkl,
|
deny @{HOME}/.*pass*{,/{,**}} mrwkl,
|
||||||
deny @{HOME}/.*pki*{,/{,**}} mrwkl,
|
deny @{HOME}/.*pki*{,/{,**}} mrwkl,
|
||||||
deny @{HOME}/.*private*{,/{,**}} mrwkl,
|
deny @{HOME}/.*private*{,/{,**}} mrwkl,
|
||||||
deny @{HOME}/.*secret*{,/{,**}} mrwkl,
|
deny @{HOME}/.*secret*{,/{,**}} mrwkl,
|
||||||
deny @{HOME}/.*yubi*{,/{,**}} mrwkl,
|
deny @{HOME}/.*yubi*{,/{,**}} mrwkl,
|
||||||
deny @{HOME}/.fetchmail* mrwkl,
|
deny @{HOME}/.aws/{,**} mrwkl,
|
||||||
deny @{HOME}/.lesshst* mrwkl,
|
deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
|
||||||
deny @{HOME}/.mozilla/{,**} mrwkl,
|
|
||||||
deny @{HOME}/.mutt* mrwkl,
|
|
||||||
deny @{HOME}/.thunderbird/{,**} mrwkl,
|
|
||||||
deny @{HOME}/.viminfo* mrwkl,
|
|
||||||
deny @{HOME}/.wget-hsts mrwkl,
|
|
||||||
deny @{HOME}/@{XDG_GPG_DIR}/{,**} mrwkl,
|
deny @{HOME}/@{XDG_GPG_DIR}/{,**} mrwkl,
|
||||||
deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl,
|
deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl,
|
||||||
|
deny @{run}/user/@{uid}/keyring** mrwkl,
|
||||||
deny @{user_config_dirs}/*-store/{,**} mrwkl,
|
deny @{user_config_dirs}/*-store/{,**} mrwkl,
|
||||||
deny @{user_config_dirs}/chromium/{,**} mrwkl,
|
|
||||||
deny @{user_password_store_dirs}/{,**} mrwkl,
|
deny @{user_password_store_dirs}/{,**} mrwkl,
|
||||||
deny @{user_share_dirs}/kwalletd/{,**} mrwkl,
|
deny @{user_share_dirs}/kwalletd/{,**} mrwkl,
|
||||||
|
|
||||||
# User defined private directories
|
# Privacy violations
|
||||||
deny @{user_private_dirs}/{,**} mrxwlk,
|
deny @{HOME}/.*.bak mrwkl,
|
||||||
deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk,
|
deny @{HOME}/.*.swp mrwkl,
|
||||||
deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk,
|
deny @{HOME}/.*~ mrwkl,
|
||||||
|
deny @{HOME}/.*~1~ mrwkl,
|
||||||
|
deny @{HOME}/.*history mrwkl,
|
||||||
|
deny @{HOME}/.evolution/{,**} mrwkl,
|
||||||
|
deny @{HOME}/.fetchmail* mrwkl,
|
||||||
|
deny @{HOME}/.gnome2_private/{,**} mrwkl,
|
||||||
|
deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
|
||||||
|
deny @{HOME}/.lesshst* mrwkl,
|
||||||
|
deny @{HOME}/.mozilla/{,**} mrwkl,
|
||||||
|
deny @{HOME}/.mutt** mrwkl,
|
||||||
|
deny @{HOME}/.thunderbird/{,**} mrwkl,
|
||||||
|
deny @{HOME}/.viminfo* mrwkl,
|
||||||
|
deny @{HOME}/.wget-hsts mrwkl,
|
||||||
|
deny @{user_config_dirs}/chromium/{,**} mrwkl,
|
||||||
|
deny @{user_config_dirs}/evolution/{,**} mrwkl,
|
||||||
|
|
||||||
# Deny executable mapping in writable space as allowed in abstractions/fonts
|
# Deny executable mapping in writable space as allowed in abstractions/fonts
|
||||||
deny @{HOME}/.{,cache/}fontconfig/ rw,
|
deny @{HOME}/.{,cache/}fontconfig/ rw,
|
||||||
deny @{HOME}/.{,cache/}fontconfig/** mrwl,
|
deny @{HOME}/.{,cache/}fontconfig/** mrwl,
|
||||||
|
|
||||||
|
# special attention to (potentially) executable files
|
||||||
|
deny @{HOME}/bin wl,
|
||||||
|
deny @{HOME}/bin/{,**} wl,
|
||||||
|
|
||||||
include if exists <abstractions/deny-sensitive-home.d>
|
include if exists <abstractions/deny-sensitive-home.d>
|
||||||
|
|
||||||
|
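Review bot: The new `deny @{HOME}/.aws/{,**} mrwkl,` duplicates the existing `deny @{HOME}/.*aws*{,/{,**}} mrwkl,` a few lines above, which already matches `.aws` and everything under it; dropping one keeps the list minimal. The change from `.mutt*` to `.mutt**` widens the deny to everything under `~/.mutt/` (a single `*` does not cross `/`), which looks intended but is not mentioned in the commit message. The new section header has a typo: `# Files with secret paswords and tokens` should read `# Files with secret passwords and tokens`. The added `deny @{HOME}/bin/{,**} wl,` guards one common user PATH entry; if `~/.local/bin` is meant to get the same treatment it needs its own rule, as nothing in the hunk covers it.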
@ -5,7 +5,11 @@
|
|||||||
# Extra Mesa rules for desktop environments
|
# Extra Mesa rules for desktop environments
|
||||||
owner @{desktop_cache_dirs}/ w,
|
owner @{desktop_cache_dirs}/ w,
|
||||||
owner @{desktop_cache_dirs}/mesa_shader_cache_db/ rw,
|
owner @{desktop_cache_dirs}/mesa_shader_cache_db/ rw,
|
||||||
|
owner @{desktop_cache_dirs}/mesa_shader_cache_db/index rw,
|
||||||
|
owner @{desktop_cache_dirs}/mesa_shader_cache_db/marker rw,
|
||||||
owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/ rw,
|
owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/ rw,
|
||||||
|
owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk,
|
||||||
|
owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk,
|
||||||
owner @{desktop_cache_dirs}/mesa_shader_cache/ rw,
|
owner @{desktop_cache_dirs}/mesa_shader_cache/ rw,
|
||||||
owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/ rw,
|
owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/ rw,
|
||||||
owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38} rw,
|
owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38} rw,
|
||||||
|
@ -4,11 +4,12 @@
|
|||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
@{bin}/ r,
|
@{bin}/ r,
|
||||||
@{bin}/python{2.[4-7],3,3.[0-9],3.1[0-9]} r,
|
@{python_path} r,
|
||||||
|
|
||||||
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so} mr,
|
owner @{user_lib_dirs}/@{python_name}/ r,
|
||||||
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r,
|
owner @{user_lib_dirs}/@{python_name}/**.{egg,py,pyi,pth} r,
|
||||||
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r,
|
owner @{user_lib_dirs}/@{python_name}/**.{pyc,so} mr,
|
||||||
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/**/ r,
|
owner @{user_lib_dirs}/@{python_name}/{site,dist}-packages/ r,
|
||||||
|
owner @{user_lib_dirs}/@{python_name}/{site,dist}-packages/**/ r,
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
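Review bot: `@{python_path}` and `@{python_name}` replace the inline version globs, but nothing in this hunk defines them, so the abstraction now depends on a tunable that must be loaded first; if they are introduced in this same commit that is fine, otherwise the profile fails to parse. The rewritten `owner @{user_lib_dirs}/@{python_name}/**.{pyc,so} mr,` keeps `m` on user-writable site-packages, so any shared object the user can place there is mapped executable by every confined Python program; that is inherited from the old rule, but a comment stating the trade-off would help, e.g. `# m on user-writable site-packages is needed for user-installed extensions`.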