feat(profiles): general update.
This commit is contained in:
parent
fd88162c55
commit
26f838b73f
23 changed files with 121 additions and 78 deletions
|
@ -113,25 +113,25 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
|
|||
owner /tmp/tmp.*/** rwk,
|
||||
owner /tmp/scoped_dir*/{,**} rw,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/vmstat r,
|
||||
@{PROC}/sys/kernel/yama/ptrace_scope r,
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/@{pids}/statm r,
|
||||
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
|
||||
deny @{PROC}/@{pids}/cmdline r,
|
||||
owner @{PROC}/@{pids}/environ r,
|
||||
owner @{PROC}/@{pids}/task/ r,
|
||||
@{PROC}/@{pids}/task/@{tid}/stat r,
|
||||
@{PROC}/@{pids}/task/@{tid}/status r,
|
||||
owner @{PROC}/@{pid}/limits r,
|
||||
owner @{PROC}/@{pid}/mem r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
@{PROC}/sys/fs/inotify/max_user_watches r,
|
||||
owner @{PROC}/@{pids}/clear_refs w,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/@{pids}/statm r,
|
||||
@{PROC}/@{pids}/task/@{tid}/stat r,
|
||||
@{PROC}/@{pids}/task/@{tid}/status r,
|
||||
@{PROC}/sys/fs/inotify/max_user_watches r,
|
||||
@{PROC}/sys/kernel/yama/ptrace_scope r,
|
||||
@{PROC}/vmstat r,
|
||||
owner @{PROC}/@{pid}/limits r,
|
||||
owner @{PROC}/@{pid}/mem r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
owner @{PROC}/@{pids}/clear_refs w,
|
||||
owner @{PROC}/@{pids}/cmdline r,
|
||||
owner @{PROC}/@{pids}/environ r,
|
||||
owner @{PROC}/@{pids}/task/ r,
|
||||
|
||||
@{run}/udev/data/* r,
|
||||
|
||||
|
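Review bot: `deny @{PROC}/@{pids}/cmdline r,` appears to be replaced by `owner @{PROC}/@{pids}/cmdline r,` in this hunk (the page strips the +/- markers, so old and new sides are inferred from print order and the 25/25 counts), which turns an explicit deny into read access to the command lines of every same-user process; argv frequently carries tokens, passwords and URLs, and because AppArmor deny rules override allows, lifting the deny matters even if an included abstraction already granted the path. The same pattern is wider in the google-chrome-chrome hunk at -99,23 +99,25, where `deny` is dropped from `@{PROC}/@{pids}/stat`, `statm`, `task/@{tid}/stat`, `cmdline`, `environ`, `limits` and `@{pid}/mem`. If the browser only needs its own process tree, a one-line comment above the rules such as `# cmdline/environ of same-user processes: needed for <reason to be filled in by the author>` would record why the silencer was lifted, and anything not actually needed could keep the deny.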
@ -140,6 +140,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/class/ r,
|
||||
@{sys}/class/**/ r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/pci[0-9]*/**/boot_vga r,
|
||||
@{sys}/devices/pci[0-9]*/**/irq r,
|
||||
@{sys}/devices/pci[0-9]*/**/report_descriptor r,
|
||||
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
|
||||
|
@ -149,9 +150,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/devices/virtual/**/report_descriptor r,
|
||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||
@{sys}/devices/pci[0-9]*/**/boot_vga r,
|
||||
|
||||
deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
|
||||
@{sys}/devices/virtual/tty/tty[0-9]/active r,
|
||||
|
||||
/dev/ r,
|
||||
/dev/video[0-9]* rw,
|
||||
|
|
|
@ -22,7 +22,7 @@ profile google-chrome-chrome @{exec_path} {
|
|||
include <abstractions/gtk>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl-intel>
|
||||
include <abstractions/opencl>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/thumbnails-cache-read>
|
||||
include <abstractions/user-download-strict>
|
||||
|
@ -99,23 +99,25 @@ profile google-chrome-chrome @{exec_path} {
|
|||
# owner @{user_config_dirs}/chromium/*/ r,
|
||||
# owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
|
||||
|
||||
@{PROC}/ r,
|
||||
deny @{PROC}/vmstat r,
|
||||
@{PROC}/sys/kernel/yama/ptrace_scope r,
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
deny @{PROC}/@{pids}/stat r,
|
||||
deny @{PROC}/@{pids}/statm r,
|
||||
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
|
||||
deny @{PROC}/@{pids}/cmdline r,
|
||||
deny owner @{PROC}/@{pids}/environ r,
|
||||
owner @{PROC}/@{pid}/task/ r,
|
||||
deny @{PROC}/@{pids}/task/@{tid}/stat r,
|
||||
@{PROC}/@{pids}/task/@{tid}/status r,
|
||||
deny owner @{PROC}/@{pid}/limits r,
|
||||
deny owner @{PROC}/@{pid}/mem r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
deny @{PROC}/diskstats r,
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/@{pids}/statm r,
|
||||
@{PROC}/@{pids}/task/@{tid}/stat r,
|
||||
@{PROC}/@{pids}/task/@{tid}/status r,
|
||||
@{PROC}/sys/fs/inotify/max_user_watches r,
|
||||
@{PROC}/sys/kernel/yama/ptrace_scope r,
|
||||
@{PROC}/vmstat r,
|
||||
owner @{PROC}/@{pid}/limits r,
|
||||
owner @{PROC}/@{pid}/mem r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
owner @{PROC}/@{pids}/clear_refs w,
|
||||
owner @{PROC}/@{pids}/cmdline r,
|
||||
owner @{PROC}/@{pids}/environ r,
|
||||
owner @{PROC}/@{pids}/task/ r,
|
||||
|
||||
@{run}/udev/data/* r,
|
||||
|
||||
|
@ -124,14 +126,21 @@ profile google-chrome-chrome @{exec_path} {
|
|||
@{sys}/class/ r,
|
||||
@{sys}/class/**/ r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/pci[0-9]*/**/boot_vga r,
|
||||
@{sys}/devices/pci[0-9]*/**/irq r,
|
||||
@{sys}/devices/pci[0-9]*/**/report_descriptor r,
|
||||
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
|
||||
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
|
||||
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idProduct,idVendor,interface} r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
|
||||
@{sys}/devices/virtual/**/report_descriptor r,
|
||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||
@{sys}/devices/virtual/tty/tty[0-9]/active r,
|
||||
|
||||
# Silencer
|
||||
deny @{CHROME_INSTALLDIR}/** w,
|
||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||
|
||||
include if exists <local/google-chrome-chrome>
|
||||
}
|
||||
|
|
|
@ -23,8 +23,8 @@ profile child-open {
|
|||
|
||||
/{usr/,}bin/exo-open mr,
|
||||
/{usr/,}bin/xdg-open mr,
|
||||
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
|
||||
/{usr/,}lib/gio-launch-desktop mr,
|
||||
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mrix,
|
||||
/{usr/,}lib/gio-launch-desktop mrix,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/{,m,g}awk rix,
|
||||
|
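Review bot: Changing both `gio-launch-desktop` lines from `mr` to `mrix` grants execute permission with profile inheritance, so gio-launch-desktop and whatever it spawns without a more specific exec rule keeps running under child-open; with `mr` only loading and reading the binary was permitted. That is presumably intended for a launcher helper (the nautilus hunk on this page hands execution to this profile with `/{usr/,}lib/gio-launch-desktop rPx -> child-open,`), but it is the difference between "may be loaded" and "may run with our rules", and the commit message does not say what prompted it. A comment above the two lines, e.g. `# gio-launch-desktop runs inherited (ix) so the apps it launches stay confined by child-open`, would make the intent explicit.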
|
|
@ -66,6 +66,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/bus/media/devices/ r,
|
||||
@{sys}/class/ r,
|
||||
@{sys}/devices/**/device:*/**/path r,
|
||||
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,removable,uevent} r,
|
||||
@{sys}/devices/virtual/dmi/id/bios_vendor r,
|
||||
|
|
|
@ -12,10 +12,13 @@ profile xdg-desktop-portal-gnome @{exec_path} {
|
|||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/user-download>
|
||||
include <abstractions/user-read>
|
||||
include <abstractions/vulkan>
|
||||
|
@ -125,5 +128,9 @@ profile xdg-desktop-portal-gnome @{exec_path} {
|
|||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
include if exists <local/xdg-desktop-portal-gnome>
|
||||
}
|
||||
|
|
|
@ -30,6 +30,8 @@ profile gnome-terminal-server @{exec_path} {
|
|||
|
||||
# Some CLI program can be launched directly from Gnome Shell
|
||||
/{usr/,}bin/htop rPx,
|
||||
/{usr/,}bin/micro rPUx,
|
||||
/{usr/,}bin/nvtop rPx,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
|
|
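Review bot: `/{usr/,}bin/micro rPUx,` uses the unconfined fallback (`PUx`) while the neighbouring `htop` and `nvtop` lines use `rPx`, so if no `micro` profile is loaded the editor runs unconfined from a terminal server that is itself confined; which two of these lines the hunk adds cannot be read off the page (markers are stripped, the 6/8 counts say two are new). If the fallback is deliberate because no micro profile ships yet, a comment next to it such as `# micro: no profile yet, falls back to unconfined` records that; otherwise `rPx` matches the rest of the list.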
|
@ -9,13 +9,14 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/gsd-color
|
||||
profile gsd-color @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
|
||||
|
|
|
@ -9,13 +9,14 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/gsd-keyboard
|
||||
profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
|
||||
|
|
|
@ -12,8 +12,11 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/deny-sensitive-home>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl-nvidia>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/trash>
|
||||
include <abstractions/vulkan>
|
||||
|
@ -42,20 +45,22 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
|||
/{usr/,}bin/firejail rPUx,
|
||||
/{usr/,}lib/gio-launch-desktop rPx -> child-open,
|
||||
|
||||
/usr/share/*ubuntu/applications/{,**} r,
|
||||
/usr/share/nautilus/{,**} r,
|
||||
/usr/share/poppler/{,**} r,
|
||||
/usr/share/sounds/freedesktop/stereo/*.oga r,
|
||||
/usr/share/terminfo/ r,
|
||||
/usr/share/thumbnailers/{,**} r,
|
||||
/usr/share/tracker3/{,**} r,
|
||||
/usr/share/*ubuntu/applications/{,**} r,
|
||||
/usr/share/tracker/domain-ontologies/*.rule r,
|
||||
/usr/share/tracker3/{,**} r,
|
||||
|
||||
/var/lib/snapd/desktop/icons/{,**} r,
|
||||
|
||||
# Full access to user's data
|
||||
include <abstractions/deny-sensitive-home>
|
||||
/ r,
|
||||
/home/ r,
|
||||
/*/ r,
|
||||
/{usr/,}bin/ r,
|
||||
@{libexec}/ r,
|
||||
@{MOUNTDIRS}/ r,
|
||||
@{MOUNTS}/ r,
|
||||
owner @{HOME}/{,**} rw,
|
||||
|
@ -74,10 +79,11 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{run}/mount/utab r,
|
||||
|
||||
@{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
|
||||
@{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
|
||||
@{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r,
|
||||
@{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
|
||||
@{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
|
||||
@{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
|
||||
@{sys}/devices/system/cpu/possible r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
|
|
@ -68,6 +68,7 @@ profile pacman @{exec_path} {
|
|||
/{usr/,}bin/iscsi-iname rix,
|
||||
/{usr/,}bin/killall rix,
|
||||
/{usr/,}bin/ln rix,
|
||||
/{usr/,}bin/perl rix,
|
||||
/{usr/,}bin/pkill rix,
|
||||
/{usr/,}bin/rm rix,
|
||||
/{usr/,}bin/sed rix,
|
||||
|
@ -140,7 +141,7 @@ profile pacman @{exec_path} {
|
|||
|
||||
# Silencer,
|
||||
deny /tmp/ r,
|
||||
deny @{HOME}/{,**} r,
|
||||
deny @{HOME}/ r,
|
||||
|
||||
profile gpg {
|
||||
include <abstractions/base>
|
||||
|
|
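Review bot: The silencer narrows from `deny @{HOME}/{,**} r,` to `deny @{HOME}/ r,`, so reads below the home directory are no longer explicitly denied; if nothing else in the profile or its abstractions allows them they stay denied by default but now surface in the audit log, and if an abstraction does allow them, this change quietly converts a silencer into real access because deny rules override allows. A comment stating what under `@{HOME}` pacman (or the hooks it runs) needs, or an explicit narrow allow rule next to the deny, would make the intent checkable. The `profile gpg {` child profile opens in this hunk but its body lies outside it.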
|
@ -7,6 +7,7 @@ abi <abi/3.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}lib/openssh/sftp-server
|
||||
@{exec_path} += /{usr/,}lib/ssh/sftp-server
|
||||
profile sftp-server @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/openssl>
|
||||
|
|
|
@ -30,6 +30,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
|
|||
capability audit_write,
|
||||
capability chown,
|
||||
capability dac_read_search,
|
||||
capability dac_override,
|
||||
capability fowner,
|
||||
capability kill,
|
||||
capability net_bind_service,
|
||||
|
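Review bot: `capability dac_read_search,` sits before `capability dac_override,` while the rest of the capability list is alphabetical; whichever of the two this hunk adds (the 6/7 counts say one line is new, markers are stripped), the pair should read `capability dac_override,` then `capability dac_read_search,`. On the security side sshd now holds both DAC-bypass capabilities; dac_override already overlaps heavily with what dac_read_search grants, so the extra line mostly silences a denial rather than widening file access, but a comment such as `# dac_read_search: <path/operation that triggered the denial>` would show the grant was reviewed rather than copied from a log.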
@ -65,6 +66,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
|
|||
/{usr/,}bin/passwd rPx,
|
||||
/{usr/,}lib/openssh/sftp-server rPx,
|
||||
|
||||
/etc/shells r,
|
||||
/etc/default/locale r,
|
||||
/etc/environment r,
|
||||
/etc/gss/mech.d/{,*} r,
|
||||
|
|
|
@ -68,7 +68,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
|
|||
/etc/udev/ r,
|
||||
/etc/udev/udev.conf r,
|
||||
/etc/udev/rules.d/ r,
|
||||
/etc/udev/rules.d/[0-9][0-9]-*.rules r,
|
||||
/etc/udev/rules.d/*.rules r,
|
||||
|
||||
/etc/udev/hwdb.d/ r,
|
||||
/etc/udev/hwdb.d/[0-9][0-9]-*.hwdb r,
|
||||
|
@ -84,8 +84,9 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
|
|||
@{run}/udev/ rw,
|
||||
@{run}/udev/** rw,
|
||||
|
||||
@{run}/systemd/seats/seat[0-9]* r,
|
||||
@{run}/systemd/network/ r,
|
||||
@{run}/systemd/notify rw,
|
||||
@{run}/systemd/seats/seat[0-9]* r,
|
||||
|
||||
@{sys}/** rw,
|
||||
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
@ -10,17 +11,23 @@ include <tunables/global>
|
|||
profile frontend @{exec_path} flags=(complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/perl>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/perl>
|
||||
|
||||
#capability sys_tty_config,
|
||||
capability dac_read_search,
|
||||
|
||||
@{exec_path} r,
|
||||
/{usr/,}bin/perl r,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/stty rix,
|
||||
/{usr/,}bin/locale rix,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/hostname rix,
|
||||
/{usr/,}bin/locale rix,
|
||||
/{usr/,}bin/lsb_release rPx -> lsb_release,
|
||||
/{usr/,}bin/stty rix,
|
||||
|
||||
# debconf apps
|
||||
/{usr/,}{s,}bin/aspell-autobuildhash rPx,
|
||||
|
@ -69,24 +76,16 @@ profile frontend @{exec_path} flags=(complain) {
|
|||
owner /tmp/file* w,
|
||||
owner /var/cache/debconf/* rwk,
|
||||
|
||||
@{HOME}/.Xauthority r,
|
||||
|
||||
@{run}/user/@{uid}/pk-debconf-socket rw,
|
||||
|
||||
# The following is needed when debconf uses GUI frontends.
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/freedesktop.org>
|
||||
capability dac_read_search,
|
||||
/{usr/,}bin/lsb_release rPx -> lsb_release,
|
||||
/{usr/,}bin/hostname rix,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
@{HOME}/.Xauthority r,
|
||||
|
||||
profile scripts flags=(complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
# What's this for? (#FIXME#)
|
||||
capability dac_read_search,
|
||||
|
||||
/var/lib/dpkg/info/*.config r,
|
||||
|
|
|
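Review bot: `owner @{PROC}/@{pid}/mounts r,` is removed from the former GUI section here but does not reappear in the reorganised header hunk at -10,17 +11,23, so unless it is re-added outside the hunks shown, the debconf frontend profile loses that rule (markers are stripped; the 24/16 counts and print order are what indicate the line is deleted). The move also drops the explanatory comment `# The following is needed when debconf uses GUI frontends.` while gtk, fonts, fontconfig-cache-read and freedesktop.org now sit unexplained among the includes; a one-line comment there, e.g. `# GUI frontends: gtk, fonts, freedesktop.org`, preserves the reasoning. The `profile scripts` child profile begins in this hunk and continues beyond it.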
@ -76,8 +76,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
|
|||
|
||||
/etc/pki/fwupd/{,**} r,
|
||||
/etc/pki/fwupd-metadata/{,**} r,
|
||||
/etc/fwupd/{,**} r,
|
||||
/etc/fwupd/remotes.d/* rw,
|
||||
/etc/fwupd/{,**} rw,
|
||||
|
||||
/var/cache/fwupd/{,**} rw,
|
||||
/var/lib/fwupd/{,**} rw,
|
||||
|
|
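Review bot: `/etc/fwupd/{,**} rw,` replaces `/etc/fwupd/{,**} r,` plus `/etc/fwupd/remotes.d/* rw,`, so the daemon may now rewrite every file under /etc/fwupd, including its own daemon configuration, rather than only the remote definitions; for a root daemon that fetches and applies firmware, write access to its own policy files is a widening that deserves a stated reason. If newer fwupd persists settings outside remotes.d, a comment such as `# fwupd rewrites its own configuration under /etc/fwupd, not only remotes.d` above the line records that; otherwise the two-line form with `rw` limited to `remotes.d/*` is the tighter choice.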
|
@ -7,12 +7,13 @@ abi <abi/3.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/login
|
||||
profile login @{exec_path} {
|
||||
profile login @{exec_path} flags=(complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/wutmp>
|
||||
include <abstractions/dbus-strict>
|
||||
|
||||
capability chown,
|
||||
capability fsetid,
|
||||
|
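Review bot: `profile login @{exec_path} {` becomes `profile login @{exec_path} flags=(complain) {`, which puts the privileged login binary into complain mode so every rule violation is only logged, not enforced; the commit message ("general update") gives no reason and nothing on the page marks it as temporary. If this is a stop-gap while the new `dbus-strict` include and the login1 `dbus send` rule (hunks -25,6 +26,10 and -51,11 +56,7) are validated, a comment on the profile line, e.g. `# complain: dbus rules under validation, return to enforce`, keeps it from being forgotten. The removed `member="Hello"` rule to org.freedesktop.DBus is presumably covered by `abstractions/dbus-strict`; worth confirming, since without it the bus connection itself fails.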
@ -25,6 +26,10 @@ profile login @{exec_path} {
|
|||
|
||||
# network netlink raw,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.*
|
||||
peer=(name=org.freedesktop.login1),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{,z,ba,da}sh rUx,
|
||||
|
@ -51,11 +56,7 @@ profile login @{exec_path} {
|
|||
|
||||
owner @{user_cache_dirs}/motd.legal-displayed rw,
|
||||
|
||||
dbus send
|
||||
bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" peer=(name="org.freedesktop.DBus"),
|
||||
|
||||
dbus send
|
||||
bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.*" peer=(name="org.freedesktop.login1"),
|
||||
/dev/tty[0-9]* rw,
|
||||
|
||||
include if exists <local/login>
|
||||
}
|
||||
|
|
|
@ -23,8 +23,11 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
|
||||
owner @{user_config_dirs}/nvtop/{,**} rw,
|
||||
|
||||
@{run}/systemd/inhibit/*.ref r,
|
||||
@{run}/udev/data/+drm:* r,
|
||||
@{run}/udev/data/+pci* r,
|
||||
@{run}/udev/data/c226:[0-9]* r,
|
||||
@{run}/udev/data/c236:[0-9]* r,
|
||||
|
||||
|
|
|
@ -15,6 +15,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/ssl_certs>
|
||||
include if exists <abstractions/apt-common>
|
||||
|
||||
capability net_admin,
|
||||
capability sys_nice,
|
||||
|
||||
network inet stream,
|
||||
|
|
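Review bot: This hunk adds one of `capability net_admin,` / `capability sys_nice,` (markers are stripped; the 6/7 counts say one line is new), and CAP_NET_ADMIN in particular is a broad grant for a package daemon: interface, routing and firewall configuration, not just sockets. If it was added only to silence a denial from a socket option call, `deny capability net_admin,` would quiet the log without granting it; either way a comment naming the operation that needs it, e.g. `# net_admin: <operation that triggered the denial>`, should sit next to the line.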
|
@ -24,7 +24,11 @@ profile pacmd @{exec_path} {
|
|||
|
||||
/app/lib/libzypak*.so* mr,
|
||||
|
||||
owner @{run}/user/@{uid}/pulse rw,
|
||||
|
||||
owner @{PROC}/@{pids}/stat r,
|
||||
|
||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||
|
||||
include if exists <local/pacmd>
|
||||
}
|
||||
|
|
|
@ -31,5 +31,7 @@ profile pactl @{exec_path} {
|
|||
owner @{HOME}/.xsession-errors w,
|
||||
owner @{HOME}/.anyRemote/anyremote.stdout w,
|
||||
|
||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||
|
||||
include if exists <local/pactl>
|
||||
}
|
||||
|
|
|
@ -12,6 +12,7 @@ profile rngd @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/devices-usb>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}bin/swtpm
|
||||
profile swtpm @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/openssl>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
@ -40,14 +40,15 @@ profile wireplumber @{exec_path} {
|
|||
@{run}/udev/data/c81:[0-9]* r, # For video4linux
|
||||
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/bus/media/devices/ r,
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/sound/ r,
|
||||
@{sys}/devices/**/device:*/**/path r,
|
||||
@{sys}/devices/**/sound/**/pcm_class r,
|
||||
@{sys}/devices/**/sound/**/uevent r,
|
||||
@{sys}/devices/pci[0-9]*/**/modalias r,
|
||||
@{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
|
||||
@{sys}/devices/system/cpu/possible r,
|
||||
@{sys}/devices/**/device:*/**/path r,
|
||||
|
||||
/dev/media[0-9]* rw,
|
||||
/dev/snd/ r,
|
||||
|
|