feat(profile): various improvements and update.
This commit is contained in:
parent
57ddfd29ce
commit
2560e9645f
20 changed files with 22 additions and 16 deletions
|
@ -58,6 +58,8 @@ profile gnome-session @{exec_path} {
|
|||
/etc/X11/xinit/xinputrc r,
|
||||
/etc/X11/Xsession.d/*im-config_launch r,
|
||||
|
||||
owner @{HOME}/ r,
|
||||
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/loginuid r,
|
||||
|
|
|
@ -39,6 +39,7 @@ profile gnome-software @{exec_path} {
|
|||
|
||||
/usr/share/app-info/{,**} r,
|
||||
/usr/share/appdata/{,**} r,
|
||||
/usr/share/flatpak/remotes.d/ r,
|
||||
/usr/share/metainfo/{,**} r,
|
||||
/usr/share/swcatalog/{,**} r,
|
||||
/usr/share/xml/iso-codes/{,**} r,
|
||||
|
|
|
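Review bot: `/usr/share/flatpak/remotes.d/ r,` with its trailing slash permits only listing the directory; reading the remote definition files inside it would still be denied, so if a file read is what the denial showed, the rule should be `/usr/share/flatpak/remotes.d/{,*} r,` — if only the listing is needed, it is fine as written. Which of the six lines is this hunk's single addition is not recoverable from the rendered page, but this rule is the likely candidate. The identical rule appears in the flatpak-system-helper hunk further down and the same question applies there. The profile body continues outside the hunk.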
@ -59,6 +59,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{tmp}/@{uuid} rw,
|
||||
owner @{tmp}/talpid-openvpn-@{uuid} rw,
|
||||
|
||||
@{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw,
|
||||
@{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
|
||||
|
|
|
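Review bot: The write rules on `arp_ignore` and `src_valid_mark` are unqualified while `disable_ipv6` three lines below is `owner`-qualified; whichever of the first two is this hunk's addition, the two forms should not be mixed for sysctls in the same block — either drop `owner` from the `disable_ipv6` line or add it to the two above, consistently. These are system-wide network sysctls granted `rw`, so a short why-comment would help the next reader, e.g. `@{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw, # TODO(review): note which daemon feature sets this`. The profile body continues outside the hunk.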
@ -44,6 +44,7 @@ profile pacman-hook-systemd @{exec_path} {
|
|||
include <abstractions/app/systemctl>
|
||||
|
||||
capability net_admin,
|
||||
capability sys_resource,
|
||||
|
||||
signal send set=term peer=systemd-tty-ask-password-agent,
|
||||
|
||||
|
|
|
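Review bot: `capability net_admin,` and `capability sys_resource,` carry no explanation, and one of them is this hunk's single addition; a capability grant broadens a pacman hook profile well beyond its file rules, so the line should record which systemctl action in the hook needed it, e.g. `capability sys_resource, # TODO(review): record the systemctl call that triggered the denial`. If the capability is only exercised after the transition provided by the `abstractions/app/systemctl` include, it is worth checking whether it belongs in the hook profile at all. The profile body continues outside the hunk.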
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/bootctl
|
||||
profile bootctl @{exec_path} {
|
||||
profile bootctl @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/disks-read>
|
||||
|
|
|
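Review bot: The `flags=(attach_disconnected)` header (the variant that reads as the new side given the 7/7 hunk counts, though the page does not mark it) widens matching without a comment saying why: with this flag, a path disconnected from the namespace root — after pivot_root, unmount or unlink — is matched as if it hung from `/`, so every `/...` file rule in the profile also reaches such objects. That is commonly needed for systemd units that use mount namespacing, but the trigger should be recorded so a later cleanup can judge it; suggested line above the header: `# attach_disconnected: TODO(review) record the denied disconnected path that required it`. The same header change is made to busctl, systemd-backlight, systemd-cryptsetup, systemd-generator-user-autostart, systemd-generator-user-environment, systemd-journald, systemd-machined, systemd-random-seed, systemd-update-done, systemd-update-utmp, systemd-user-runtime-dir and systemd-user-sessions below, and the same comment applies to each. The profile body continues outside the hunk.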
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/busctl
|
||||
profile busctl @{exec_path} {
|
||||
profile busctl @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-accessibility>
|
||||
include <abstractions/bus-session>
|
||||
|
|
|
@ -8,7 +8,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/systemd/systemd-backlight
|
||||
profile systemd-backlight @{exec_path} {
|
||||
profile systemd-backlight @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/common/systemd>
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/systemd-cryptsetup @{lib}/systemd/systemd-cryptsetup
|
||||
profile systemd-cryptsetup @{exec_path} {
|
||||
profile systemd-cryptsetup @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/common/systemd>
|
||||
include <abstractions/disks-write>
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/systemd/user-generators/systemd-xdg-autostart-generator
|
||||
profile systemd-generator-user-autostart @{exec_path} {
|
||||
profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/common/systemd>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/systemd/user-environment-generators/*
|
||||
profile systemd-generator-user-environment @{exec_path} {
|
||||
profile systemd-generator-user-environment @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/common/systemd>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
@ -8,7 +8,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/systemd/systemd-journald
|
||||
profile systemd-journald @{exec_path} {
|
||||
profile systemd-journald @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/common/systemd>
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/systemd/systemd-machined
|
||||
profile systemd-machined @{exec_path} {
|
||||
profile systemd-machined @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/systemd/systemd-random-seed
|
||||
profile systemd-random-seed @{exec_path} {
|
||||
profile systemd-random-seed @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/common/systemd>
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/systemd/systemd-update-done
|
||||
profile systemd-update-done @{exec_path} {
|
||||
profile systemd-update-done @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
|
||||
capability net_admin,
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/systemd/systemd-update-utmp
|
||||
profile systemd-update-utmp @{exec_path} {
|
||||
profile systemd-update-utmp @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/common/systemd>
|
||||
include <abstractions/wutmp>
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/systemd/systemd-user-runtime-dir
|
||||
profile systemd-user-runtime-dir @{exec_path} {
|
||||
profile systemd-user-runtime-dir @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.freedesktop.login1>
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/systemd/systemd-user-sessions
|
||||
profile systemd-user-sessions @{exec_path} {
|
||||
profile systemd-user-sessions @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/common/systemd>
|
||||
|
||||
|
|
|
@ -171,6 +171,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/udev/data/+leds:* r,
|
||||
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
|
||||
@{run}/udev/data/+platform:* r,
|
||||
@{run}/udev/data/+power_supply:* r,
|
||||
@{run}/udev/data/+rfkill:* r,
|
||||
@{run}/udev/data/+sound:card@{int} r, # For sound card
|
||||
@{run}/udev/data/+thunderbolt:* r,
|
||||
|
|
|
@ -37,8 +37,9 @@ profile flatpak-system-helper @{exec_path} {
|
|||
/etc/flatpak/{,**} r,
|
||||
/etc/machine-id r,
|
||||
|
||||
/usr/share/mime/mime.cache r,
|
||||
/usr/share/flatpak/remotes.d/ r,
|
||||
/usr/share/flatpak/triggers/ r,
|
||||
/usr/share/mime/mime.cache r,
|
||||
|
||||
/var/lib/flatpak/{,**} rwkl,
|
||||
/var/tmp/flatpak-cache-*/{,**} rw,
|
||||
|
|
|
@ -17,7 +17,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
|
|||
include <abstractions/bus/org.freedesktop.UDisks2>
|
||||
include <abstractions/bus/org.freedesktop.UPower>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/disks-read>
|
||||
include <abstractions/disks-write>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
|
@ -129,7 +129,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
|
|||
/dev/mei@{int} rw,
|
||||
/dev/mem r,
|
||||
/dev/mtd@{int} rw,
|
||||
/dev/sd[a-z]* r,
|
||||
/dev/tpm@{int} rw,
|
||||
/dev/tpmrm@{int} rw,
|
||||
/dev/wmi/* r,
|
||||
|
|