feat(profiles): replace old [0-9]* glob by @{int}
Beware: some `[0-9]*` globs are not actually proper `@{int}` patterns.
This commit is contained in:
parent
8ea4491a56
commit
275d6b6e62
@ -181,7 +181,7 @@
|
||||
@{sys}/devices/pci[0-9]*/**/boot_vga r,
|
||||
@{sys}/devices/pci[0-9]*/**/{resource,irq} r,
|
||||
@{sys}/devices/pci[0-9]*/**/report_descriptor r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r,
|
||||
@{sys}/devices/system/cpu/kernel_max r,
|
||||
@{sys}/devices/system/cpu/present r,
|
||||
@{sys}/devices/virtual/**/report_descriptor r,
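Review bot: The `pci[0-9]*` rules on the context lines are left alone while `policy[0-9]*` becomes `policy@{int}`, and nothing in the file records why; sysfs PCI root directories are named `pci<domain>:<bus>` (e.g. `pci0000:00`), so a digits-only `@{int}` cannot replace that glob, and the next mechanical sweep is likely to "fix" it and silently break every rule under it. A one-line comment above the first `pci[0-9]*` rule would protect it: `# pci[0-9]* is intentional: sysfs PCI roots are pci<domain>:<bus> (pci0000:00), which @{int} does not match.` The narrowing itself is welcome, since `[0-9]*` accepted any non-slash suffix after the first digit and `@{int}` only digits. The enclosing abstraction starts and ends outside the hunk.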
|
||||
|
@ -8,6 +8,7 @@
|
||||
unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-????????"),
|
||||
|
||||
owner @{run}/user/@{uid}/at-spi/ rw,
|
||||
owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
|
||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||
owner @{run}/user/@{uid}/at-spi/bus_@{int} rw,
|
||||
|
||||
owner /tmp/dbus-@{rand8} rw,
|
||||
|
@ -6,4 +6,4 @@
|
||||
|
||||
owner @{user_config_dirs}/menus/{,**} r,
|
||||
|
||||
owner @{run}/user/@{uid}/kioclient*.[0-9]*.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
|
||||
owner @{run}/user/@{uid}/kioclient*.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
|
||||
|
@ -8,4 +8,4 @@
|
||||
|
||||
/etc/nvidia/nvidia-application-profiles* r,
|
||||
|
||||
/dev/char/195:[0-9]* rw,
|
||||
/dev/char/195:@{int} rw,
|
||||
|
@ -22,7 +22,7 @@ profile akonadi_birthdays_resource @{exec_path} {
|
||||
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/qt{5,}/translations/*.qm r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
|
||||
/etc/xdg/kdeglobals r,
|
||||
/etc/xdg/kwinrc r,
|
||||
|
@ -22,7 +22,7 @@ profile akonadi_contacts_resource @{exec_path} {
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
|
||||
/etc/xdg/kdeglobals r,
|
||||
/etc/xdg/kwinrc r,
|
||||
|
@ -26,7 +26,7 @@ profile akonadi_control @{exec_path} {
|
||||
|
||||
/usr/share/akonadi/{,**} r,
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
|
||||
/etc/xdg/kdeglobals r,
|
||||
/etc/xdg/kwinrc r,
|
||||
|
@ -26,7 +26,7 @@ profile akonadi_followupreminder_agent @{exec_path} {
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
|
||||
/etc/xdg/kdeglobals r,
|
||||
/etc/xdg/kwinrc r,
|
||||
|
@ -24,7 +24,7 @@ profile akonadi_indexing_agent @{exec_path} {
|
||||
/usr/share/akonadi/plugins/serializer/ r,
|
||||
/usr/share/akonadi/plugins/serializer/*.desktop r,
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/mime/{,**} r,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
@ -24,7 +24,7 @@ profile akonadi_maildir_resource @{exec_path} {
|
||||
/usr/share/akonadi/plugins/serializer/{,*.desktop} r,
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/mime/{,**} r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
|
||||
/etc/xdg/kdeglobals r,
|
||||
/etc/xdg/kwinrc r,
|
||||
|
@ -29,7 +29,7 @@ profile akonadi_maildispatcher_agent @{exec_path} {
|
||||
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/mime/{,**} r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
|
||||
/etc/xdg/kdeglobals r,
|
||||
/etc/xdg/kwinrc r,
|
||||
|
@ -27,7 +27,7 @@ profile akonadi_mailfilter_agent @{exec_path} {
|
||||
/usr/share/akonadi/plugins/serializer/*.desktop r,
|
||||
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/mime/{,**} r,
|
||||
|
||||
/etc/machine-id r,
|
||||
@ -62,7 +62,7 @@ profile akonadi_mailfilter_agent @{exec_path} {
|
||||
owner @{user_share_dirs}/akonadi/file_db_data/{,**} rw,
|
||||
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node[0-9]*/meminfo r,
|
||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
@ -26,7 +26,7 @@ profile akonadi_mailmerge_agent @{exec_path} {
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/qt{5,}/translations/*.qm r,
|
||||
/usr/share/qt5/qtlogging.ini r,
|
||||
|
||||
|
@ -22,7 +22,7 @@ profile akonadi_migration_agent @{exec_path} {
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
|
||||
/etc/xdg/kdeglobals r,
|
||||
/etc/xdg/kwinrc r,
|
||||
|
@ -24,7 +24,7 @@ profile akonadi_newmailnotifier_agent @{exec_path} {
|
||||
/usr/share/akonadi/plugins/serializer/{,*.desktop} r,
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/mime/{,**} r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/knotifications5/akonadi_newmailnotifier_agent.notifyrc r,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
@ -27,7 +27,7 @@ profile akonadi_notes_agent @{exec_path} {
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/mime/{,**} r,
|
||||
|
||||
/etc/xdg/kdeglobals r,
|
||||
|
@ -27,7 +27,7 @@ profile akonadi_sendlater_agent @{exec_path} {
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/mime/{,**} r,
|
||||
|
||||
/etc/xdg/kdeglobals r,
|
||||
@ -45,7 +45,7 @@ profile akonadi_sendlater_agent @{exec_path} {
|
||||
owner @{user_config_dirs}/kwinrc r,
|
||||
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node[0-9]*/meminfo r,
|
||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
||||
|
@ -23,7 +23,7 @@ profile akonadi_unifiedmailbox_agent @{exec_path} {
|
||||
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/mime/{,**} r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
|
||||
/etc/xdg/kdeglobals r,
|
||||
/etc/xdg/kwinrc r,
|
||||
@ -40,7 +40,7 @@ profile akonadi_unifiedmailbox_agent @{exec_path} {
|
||||
owner @{user_config_dirs}/kwinrc r,
|
||||
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node[0-9]*/meminfo r,
|
||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
||||
|
@ -248,7 +248,7 @@ profile android-studio @{exec_path} {
|
||||
|
||||
# file_inherit
|
||||
owner @{HOME}/.android/avd/** r,
|
||||
/dev/dri/card[0-9]* rw,
|
||||
/dev/dri/card@{int} rw,
|
||||
|
||||
}
|
||||
|
||||
|
@ -134,16 +134,16 @@ profile calibre @{exec_path} {
|
||||
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},
|
||||
owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
|
||||
|
||||
owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw,
|
||||
owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp@{rand6}} rw,
|
||||
owner @{user_cache_dirs}/gstreamer-@{int}/ rw,
|
||||
owner @{user_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw,
|
||||
|
||||
owner @{user_config_dirs}/qt5ct/{,**} r,
|
||||
|
||||
owner /tmp/calibre_*_tmp_*/{,**} rw,
|
||||
owner /tmp/calibre-*/{,**} rw,
|
||||
owner /tmp/[0-9]*-*/ rw,
|
||||
owner /tmp/[0-9]*-*/** rwl,
|
||||
# owner /tmp/[0-9]*-*/** rwl -> /tmp/[0-9]*-*/**, # newer AA version
|
||||
owner /tmp/@{int}-*/ rw,
|
||||
owner /tmp/@{int}-*/** rwl,
|
||||
# owner /tmp/@{int}-*/** rwl -> /tmp/@{int}-*/**, # newer AA version
|
||||
owner /tmp/* rw,
|
||||
|
||||
owner /dev/shm/#@{int} rw,
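Review bot: The two `gstreamer-@{int}/` rules replacing `gstreamer-[0-9]*/` will stop matching GStreamer's cache directory, which is named after the API version with a dot (`gstreamer-1.0`); `[0-9]*` matched it because `*` accepts any non-`/` character, while `@{int}` expands to digits only, as the commit message itself warns. The result is a denial on registry writes rather than a tighter policy. The lines should read `owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/ rw,` and `owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/registry.*.bin{,.tmp@{rand6}} rw,`. The calibre profile continues outside the hunk.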
|
||||
@ -167,7 +167,7 @@ profile calibre @{exec_path} {
|
||||
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
|
||||
deny @{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/calibre>
|
||||
}
|
||||
|
@ -62,8 +62,8 @@ profile discord @{exec_path} {
|
||||
|
||||
owner @{DISCORD_HOMEDIR}/ rw,
|
||||
owner @{DISCORD_HOMEDIR}/** rwk,
|
||||
owner @{DISCORD_HOMEDIR}/[0-9]*/modules/discord_[a-z]*/*.node mrwk,
|
||||
owner @{DISCORD_HOMEDIR}/[0-9]*/modules/discord_[a-z]*/lib*.so.[0-9] mrw,
|
||||
owner @{DISCORD_HOMEDIR}/@{int}/modules/discord_[a-z]*/*.node mrwk,
|
||||
owner @{DISCORD_HOMEDIR}/@{int}/modules/discord_[a-z]*/lib*.so.[0-9] mrw,
|
||||
|
||||
# Reading of the /proc/ dir is needed to start discord.
|
||||
# Otherwise it returns the following error:
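Review bot: `@{DISCORD_HOMEDIR}/@{int}/modules/...` on the two new lines no longer matches Discord's per-version directory, which on the installs I know is a dotted version such as `0.0.27`; `[0-9]*` covered it, a digits-only `@{int}` does not. Because the context rule `owner @{DISCORD_HOMEDIR}/** rwk` already grants read/write, the only thing these two rules contribute is the `m` (mmap) permission on the native `.node` and `lib*.so.[0-9]` files, which would now be denied and break loading of those modules. I would write them as `owner @{DISCORD_HOMEDIR}/@{int}.@{int}.@{int}/modules/discord_[a-z]*/*.node mrwk,` and `owner @{DISCORD_HOMEDIR}/@{int}.@{int}.@{int}/modules/discord_[a-z]*/lib*.so.[0-9] mrw,`. The discord profile continues outside the hunk.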
|
||||
@ -110,7 +110,7 @@ profile discord @{exec_path} {
|
||||
@{lib}/firefox/firefox rPx,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
|
||||
profile xdg-mime {
|
||||
|
@ -65,7 +65,7 @@ profile filezilla @{exec_path} {
|
||||
/*/*/ r,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/filezilla>
|
||||
}
|
||||
|
@ -66,7 +66,7 @@ profile flameshot @{exec_path} {
|
||||
/dev/shm/#@{int} rw,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
|
||||
profile open {
|
||||
|
@ -93,7 +93,7 @@ profile freetube @{exec_path} {
|
||||
@{bin}/vlc rPx,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
|
||||
profile open {
|
||||
|
@ -70,7 +70,7 @@ profile spotify @{exec_path} {
|
||||
owner /tmp/@{hex}-@{hex}-@{hex}-@{hex} rw,
|
||||
|
||||
# What's this for?
|
||||
#owner /tmp/[0-9]*.[0-9]*.[0-9]*.[0-9]*-linux-*.zip rw,
|
||||
#owner /tmp/@{int}.@{int}.@{int}.[0-9]*-linux-*.zip rw,
|
||||
|
||||
include if exists <local/spotify>
|
||||
}
|
||||
|
@ -88,7 +88,7 @@ profile telegram-desktop @{exec_path} {
|
||||
@{bin}/geany rPx,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
|
||||
profile open {
|
||||
|
@ -194,7 +194,7 @@ profile vlc @{exec_path} {
|
||||
audit owner @{PROC}/@{pid}/cmdline r,
|
||||
|
||||
/dev/shm/#@{int} rw,
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
# Silencer
|
||||
deny @{lib}/@{multiarch}/vlc/{,**} w,
|
||||
@ -217,7 +217,7 @@ profile vlc @{exec_path} {
|
||||
owner @{HOME}/.Xauthority r,
|
||||
|
||||
# file_inherit
|
||||
/dev/dri/card[0-9]* rw,
|
||||
/dev/dri/card@{int} rw,
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
||||
|
@ -144,7 +144,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
|
||||
/tmp/apt-changelog-*/*.changelog w,
|
||||
owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw,
|
||||
owner /tmp/apt-dpkg-install-*/ rw,
|
||||
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
|
||||
owner /tmp/apt-dpkg-install-*/@{int}-*.deb w,
|
||||
owner /tmp/apt.conf.* rw,
|
||||
owner /tmp/apt.data.* rw,
|
||||
|
||||
|
@ -23,7 +23,7 @@ profile apt-listbugs @{exec_path} {
|
||||
network netlink raw,
|
||||
|
||||
@{exec_path} r,
|
||||
@{bin}/ruby[0-9].[0-9]* rix,
|
||||
@{bin}/ruby[0-9].@{int} rix,
|
||||
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/logname rix,
|
||||
|
@ -13,7 +13,7 @@ profile apt-listbugs-migratepins @{exec_path} {
|
||||
include <abstractions/ruby>
|
||||
|
||||
@{exec_path} r,
|
||||
@{bin}/ruby[0-9].[0-9]* rix,
|
||||
@{bin}/ruby[0-9].@{int} rix,
|
||||
|
||||
/usr/share/rubygems-integration/*/specifications/ r,
|
||||
/usr/share/rubygems-integration/*/specifications/*.gemspec rwk,
|
||||
|
@ -13,7 +13,7 @@ profile apt-listbugs-prefclean @{exec_path} {
|
||||
include <abstractions/ruby>
|
||||
|
||||
@{exec_path} r,
|
||||
@{bin}/ruby[0-9].[0-9]* rix,
|
||||
@{bin}/ruby[0-9].@{int} rix,
|
||||
|
||||
@{bin}/date rix,
|
||||
@{bin}/cat rix,
|
||||
|
@ -25,7 +25,7 @@ profile apt-mark @{exec_path} {
|
||||
/var/cache/apt/ r,
|
||||
/var/cache/apt/** rwk,
|
||||
|
||||
/dev/pts/[0-9]* rw,
|
||||
/dev/pts/@{int} rw,
|
||||
|
||||
include if exists <local/apt-mark>
|
||||
}
|
||||
|
@ -38,7 +38,7 @@ profile apt-methods-cdrom @{exec_path} {
|
||||
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/apt-methods-cdrom>
|
||||
}
|
||||
|
@ -48,7 +48,7 @@ profile apt-methods-copy @{exec_path} {
|
||||
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
/var/log/cron-apt/temp w,
|
||||
|
||||
include if exists <local/apt-methods-copy>
|
||||
|
@ -48,7 +48,7 @@ profile apt-methods-file @{exec_path} {
|
||||
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
/var/log/cron-apt/temp w,
|
||||
|
||||
include if exists <local/apt-methods-file>
|
||||
|
@ -38,7 +38,7 @@ profile apt-methods-ftp @{exec_path} {
|
||||
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/apt-methods-ftp>
|
||||
}
|
||||
|
@ -89,7 +89,7 @@ profile apt-methods-gpgv @{exec_path} {
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
/var/log/cron-apt/temp w,
|
||||
|
||||
include if exists <local/apt-methods-gpgv>
|
||||
|
@ -75,7 +75,7 @@ profile apt-methods-http @{exec_path} {
|
||||
@{PROC}/1/cgroup r,
|
||||
@{PROC}/@{pid}/cgroup r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/apt-methods-http>
|
||||
}
|
||||
|
@ -38,7 +38,7 @@ profile apt-methods-mirror @{exec_path} {
|
||||
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/apt-methods-mirror>
|
||||
}
|
||||
|
@ -48,7 +48,7 @@ profile apt-methods-rred @{exec_path} {
|
||||
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
/var/log/cron-apt/temp w,
|
||||
|
||||
include if exists <local/apt-methods-rred>
|
||||
|
@ -38,7 +38,7 @@ profile apt-methods-rsh @{exec_path} {
|
||||
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/apt-methods-rsh>
|
||||
}
|
||||
|
@ -54,7 +54,7 @@ profile apt-methods-store @{exec_path} {
|
||||
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
owner /var/log/cron-apt/temp w,
|
||||
|
||||
include if exists <local/apt-methods-store>
|
||||
|
@ -37,7 +37,7 @@ profile apt-show-versions @{exec_path} {
|
||||
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
owner /var/log/cron-apt/temp w,
|
||||
|
||||
include if exists <local/apt-show-versions>
|
||||
|
@ -124,7 +124,7 @@ profile aptitude @{exec_path} flags=(complain) {
|
||||
owner /tmp/aptitude-*.@{pid}:*/{pkgstates,control}* rw,
|
||||
/tmp/aptitude-*.@{pid}:*/pkgstates* r,
|
||||
owner /tmp/apt-dpkg-install-*/ rw,
|
||||
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
|
||||
owner /tmp/apt-dpkg-install-*/@{int}-*.deb w,
|
||||
|
||||
/var/cache/apt/ r,
|
||||
/var/cache/apt/** rwk,
|
||||
@ -152,7 +152,7 @@ profile aptitude @{exec_path} flags=(complain) {
|
||||
# aptitude[]: /dev/tty2: Permission denied
|
||||
# aptitude[]: *** err
|
||||
# aptitude[]: Oh, oh, it's an error! possibly I die!
|
||||
/dev/tty[0-9]* rw,
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
/dev/ptmx rw,
|
||||
|
||||
|
@ -29,7 +29,7 @@ profile command-not-found @{exec_path} {
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
/dev/tty[0-9]* rw,
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
# Silencer
|
||||
deny /usr/lib/ r,
|
||||
|
@ -17,7 +17,7 @@ profile deborphan @{exec_path} {
|
||||
/var/lib/dpkg/status r,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
owner @{HOME}/.synaptic/selections.{update,proceed} w,
|
||||
|
||||
include if exists <local/deborphan>
|
||||
|
@ -110,7 +110,7 @@ profile dpkg @{exec_path} {
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
profile diff {
|
||||
include <abstractions/base>
|
||||
|
@ -23,7 +23,7 @@ profile dpkg-query @{exec_path} {
|
||||
|
||||
# file_inherit
|
||||
/tmp/#@{int} rw,
|
||||
/dev/tty[0-9]* rw,
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/dpkg-query>
|
||||
}
|
||||
|
@ -129,7 +129,7 @@ profile synaptic @{exec_path} {
|
||||
|
||||
/tmp/ r,
|
||||
owner /tmp/apt-dpkg-install-*/ rw,
|
||||
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
|
||||
owner /tmp/apt-dpkg-install-*/@{int}-*.deb w,
|
||||
|
||||
/var/cache/apt/ r,
|
||||
/var/cache/apt/** rwk,
|
||||
@ -156,7 +156,7 @@ profile synaptic @{exec_path} {
|
||||
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
|
||||
profile dbus {
|
||||
|
@ -37,7 +37,7 @@ profile update-apt-xapian-index @{exec_path} {
|
||||
/etc/machine-id r,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/update-apt-xapian-index>
|
||||
}
|
||||
|
@ -29,8 +29,8 @@ profile chrome-crashpad-handler @{exec_path} {
|
||||
owner @{PROC}/@{pids}/stat r,
|
||||
owner @{PROC}/@{pids}/task/ r,
|
||||
|
||||
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_max_freq r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r,
|
||||
|
||||
include if exists <local/chrome-crashpad-handler>
|
||||
}
|
||||
|
@ -28,8 +28,8 @@ profile chromium-crashpad-handler @{exec_path} {
|
||||
owner @{PROC}/@{pids}/stat r,
|
||||
owner @{PROC}/@{pids}/task/ r,
|
||||
|
||||
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_max_freq r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r,
|
||||
|
||||
include if exists <local/chromium-crashpad-handler>
|
||||
}
|
||||
|
@ -42,7 +42,7 @@ profile chromium-wrapper @{exec_path} {
|
||||
owner /tmp/tmp.*/ rw,
|
||||
owner /tmp/tmp.*/** rwk,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
/dev/dri/card[0-9] rw,
|
||||
|
||||
# Silencer
|
||||
|
@ -185,8 +185,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{HOME}/ r,
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw,
|
||||
owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
|
||||
owner @{user_cache_dirs}/gstreamer-@{int}/ rw,
|
||||
owner @{user_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp*} rw,
|
||||
|
||||
owner @{user_config_dirs}/ r,
|
||||
owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r,
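Review bot: `gstreamer-@{int}/` on the two new lines does not match the actual cache directory name `gstreamer-1.0` (API version with a dot), which the old `gstreamer-[0-9]*/` did match since `*` takes any non-slash characters; with a digits-only `@{int}` these rules become dead and firefox's registry cache writes are denied. Use `owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/ rw,` and `owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/registry.*.bin{,.tmp*} rw,`. The firefox profile starts and ends outside the hunk.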
|
||||
@ -237,7 +237,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
||||
@{sys}/class/**/ r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/pci[0-9]*/**/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/drm/card@{int}/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/drm/renderD[0-9]*/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/irq r,
|
||||
@{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
|
||||
@ -269,15 +269,15 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{PROC}/@{pids}/environ r,
|
||||
|
||||
/dev/ r,
|
||||
/dev/hidraw[0-9]* rw,
|
||||
/dev/hidraw@{int} rw,
|
||||
/dev/shm/ r,
|
||||
/dev/tty rw,
|
||||
/dev/video[0-9]* rw,
|
||||
owner /dev/dri/card[0-9]* rw, # File Inherit
|
||||
/dev/video@{int} rw,
|
||||
owner /dev/dri/card@{int} rw, # File Inherit
|
||||
owner /dev/shm/org.chromium.* rw,
|
||||
owner /dev/shm/org.mozilla.ipc.@{pid}.[0-9]* rw,
|
||||
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
|
||||
owner /dev/tty[0-9]* rw, # File Inherit
|
||||
owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
|
||||
owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
|
||||
owner /dev/tty@{int} rw, # File Inherit
|
||||
|
||||
# X-tiny
|
||||
/tmp/.X0-lock r,
|
||||
|
@ -54,9 +54,9 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
|
||||
owner /tmp/@{hex}.{dmp,extra} rw,
|
||||
owner /tmp/firefox/.parentlock w,
|
||||
|
||||
owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r,
|
||||
owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r,
|
||||
|
||||
/dev/dri/card[0-9]* rw,
|
||||
/dev/dri/card@{int} rw,
|
||||
/dev/dri/renderD128 rw,
|
||||
|
||||
# Silencer
|
||||
|
@ -22,7 +22,7 @@ profile firefox-kmozillahelper @{exec_path} {
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/kservices5/{,**} r,
|
||||
/usr/share/mime/ r,
|
||||
|
||||
|
@ -37,7 +37,7 @@ profile firefox-minidump-analyzer @{exec_path} {
|
||||
owner /tmp/@{hex}.{dmp,extra} rw,
|
||||
owner /tmp/firefox/.parentlock w,
|
||||
|
||||
owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r,
|
||||
owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r,
|
||||
|
||||
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
|
@ -27,7 +27,7 @@ profile firefox-pingsender @{exec_path} {
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/firefox-pingsender>
|
||||
}
|
||||
|
@ -96,9 +96,9 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
|
||||
/dev/dri/card[0-9]* rw,
|
||||
/dev/input/event[0-9]* rw,
|
||||
/dev/tty[0-9]* rw,
|
||||
/dev/dri/card@{int} rw,
|
||||
/dev/input/event@{int} rw,
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/dbus-daemon>
|
||||
}
|
||||
|
@ -34,7 +34,7 @@ profile dbus-run-session @{exec_path} {
|
||||
|
||||
# file_inherit
|
||||
/dev/tty rw,
|
||||
/dev/tty[0-9]* rw,
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/dbus-run-session>
|
||||
}
|
||||
|
@ -62,7 +62,7 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
owner @{PROC}/@{pids}/fd/ r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/ibus-daemon>
|
||||
}
|
||||
|
@ -43,7 +43,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{user_config_dirs}/ibus/bus/ r,
|
||||
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/ibus-dconf>
|
||||
}
|
||||
|
@ -23,7 +23,7 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/ r,
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/ibus-engine-simple>
|
||||
}
|
||||
|
@ -80,7 +80,7 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) {
|
||||
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||
|
||||
# file inherit
|
||||
/dev/tty[0-9]* rw,
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/ibus-extension-gtk3>
|
||||
}
|
||||
|
@ -39,7 +39,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/ r,
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/ibus-portal>
|
||||
}
|
||||
|
@ -53,7 +53,7 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/ibus-x11>
|
||||
}
|
||||
|
@ -32,7 +32,7 @@ profile child-pager {
|
||||
|
||||
owner @{HOME}/ r,
|
||||
owner @{HOME}/.lesshs* rw,
|
||||
owner @{HOME}/.terminfo/[0-9]*/* r,
|
||||
owner @{HOME}/.terminfo/@{int}/* r,
|
||||
owner @{user_cache_dirs}/lesshs* rw,
|
||||
owner @{user_state_dirs}/ r,
|
||||
owner @{user_state_dirs}/lesshs* rw,
|
||||
|
@ -54,7 +54,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/1/cgroup r,
|
||||
|
||||
owner /dev/tty[0-9]* rw, # file_inherit
|
||||
owner /dev/tty@{int} rw, # file_inherit
|
||||
|
||||
include if exists <local/at-spi-bus-launcher>
|
||||
}
|
||||
|
@ -95,7 +95,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/xauth_@{rand6} r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/at-spi2-registryd>
|
||||
}
|
||||
|
@ -10,7 +10,7 @@ include <tunables/global>
|
||||
profile cpupower @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
# Needed to read the /dev/cpu/[0-9]*/msr device, and hence remove the following error:
|
||||
# Needed to read the /dev/cpu/@{int}/msr device, and hence remove the following error:
|
||||
# Could not read perf-bias value[-1]
|
||||
capability sys_rawio,
|
||||
|
||||
@ -25,19 +25,19 @@ profile cpupower @{exec_path} {
|
||||
|
||||
@{sys}/devices/system/cpu/{cpufreq,cpuidle}/ r,
|
||||
@{sys}/devices/system/cpu/{cpufreq,cpuidle}/** r,
|
||||
@{sys}/devices/system/cpu/cpu[0-9]*/{cpufreq,cpuidle}/ r,
|
||||
@{sys}/devices/system/cpu/cpu[0-9]*/{cpufreq,cpuidle}/** r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/{cpufreq,cpuidle}/ r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/{cpufreq,cpuidle}/** r,
|
||||
|
||||
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_{min,max}_freq rw,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_governor rw,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_setspeed rw,
|
||||
@{sys}/devices/system/cpu/cpu[0-9]*/cpuidle/state[0-9]/disable rw,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{min,max}_freq rw,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_setspeed rw,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/cpuidle/state[0-9]/disable rw,
|
||||
|
||||
@{sys}/devices/system/cpu/cpu[0-9]*/topology/{physical_package_id,core_id} r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/topology/{physical_package_id,core_id} r,
|
||||
|
||||
@{sys}/devices/system/cpu/cpu[0-9]*/online r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/online r,
|
||||
|
||||
/dev/cpu/[0-9]*/msr r,
|
||||
/dev/cpu/@{int}/msr r,
|
||||
|
||||
|
||||
profile kmod {
|
||||
|
@ -27,7 +27,7 @@ profile dconf-editor @{exec_path} {
|
||||
owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-@{rand6} rw,
|
||||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/dconf-editor>
|
||||
}
|
||||
|
@ -52,7 +52,7 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{PROC}/cmdline r,
|
||||
|
||||
/dev/tty[0-9]* rw,
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/dconf-service>
|
||||
}
|
||||
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache{,-32,-v*}
|
||||
@{exec_path} = /{snap/snapd/@{int}/,}{usr/,}bin/fc-cache{,-32,-v*}
|
||||
profile fc-cache @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
@ -82,7 +82,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
|
||||
/dev/media[0-9]* rw,
|
||||
/dev/media@{int} rw,
|
||||
|
||||
include if exists <local/pipewire>
|
||||
}
|
||||
|
@ -70,11 +70,11 @@ profile pipewire-media-session @{exec_path} {
|
||||
@{sys}/devices/pci[0-9]*/**/sound/**/pcm_class r,
|
||||
@{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node[0-9]*/meminfo r,
|
||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
|
||||
/dev/video[0-9]* rw,
|
||||
/dev/video@{int} rw,
|
||||
/dev/snd/ r,
|
||||
|
||||
include if exists <local/pipewire-media-session>
|
||||
|
@ -59,7 +59,7 @@ profile plymouthd @{exec_path} {
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
|
||||
/dev/ptmx rw,
|
||||
/dev/tty[0-9]* rw,
|
||||
/dev/tty@{int} rw,
|
||||
/dev/ttyS[0-9]* rw,
|
||||
|
||||
include if exists <local/plymouthd>
|
||||
|
@ -49,7 +49,7 @@ profile polkit-agent-helper @{exec_path} {
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
owner @{PROC}/@{pid}/loginuid r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/polkit-agent-helper>
|
||||
}
|
||||
|
@ -32,7 +32,7 @@ profile polkit-kde-authentication-agent @{exec_path} {
|
||||
@{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
|
||||
|
||||
/usr/share/hwdata/pnp.ids r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/qt5ct/** r,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
@ -33,7 +33,7 @@ profile polkit-mate-authentication-agent @{exec_path} {
|
||||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
@{PROC}/1/cgroup r,
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
|
@ -190,11 +190,11 @@ profile pulseaudio @{exec_path} {
|
||||
owner @{PROC}/@{pids}/stat r,
|
||||
owner @{PROC}/@{pids}/cmdline r,
|
||||
|
||||
/dev/media[0-9]* r,
|
||||
/dev/video[0-9]* rw,
|
||||
/dev/media@{int} r,
|
||||
/dev/video@{int} rw,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
include if exists <local/pulseaudio>
|
||||
|
@ -19,8 +19,8 @@ profile update-mime-database @{exec_path} {
|
||||
|
||||
/usr/share/mime/{,**} rw,
|
||||
|
||||
/dev/tty[0-9]* rw,
|
||||
owner /dev/pts/[0-9]* rw,
|
||||
/dev/tty@{int} rw,
|
||||
owner /dev/pts/@{int} rw,
|
||||
|
||||
# Inherit silencer
|
||||
deny network inet6 stream,
|
||||
|
@ -44,7 +44,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
|
||||
member=GetSettings
|
||||
peer=(label=NetworkManager),
|
||||
|
||||
owner @{run}/firejail/dbus/[0-9]*/[0-9]*-{system,user} rw,
|
||||
owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw,
|
||||
owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw,
|
||||
owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-[0-9A-Z]* rw,
|
||||
owner @{run}/user/@{uid}/webkitgtk/bus-proxy-[0-9A-Z]* rw,
|
||||
@ -52,7 +52,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r,
|
||||
|
||||
/dev/dri/card[0-9]* rw,
|
||||
/dev/dri/card@{int} rw,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
|
@ -129,7 +129,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
|
||||
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
|
||||
/var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
|
||||
/var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
|
||||
/var/lib/snapd/desktop/icons/{,**} r,
|
||||
|
||||
owner @{HOME}/*/{,**} rw,
|
||||
|
@ -157,7 +157,7 @@ profile xdg-desktop-portal-gtk @{exec_path} {
|
||||
|
||||
/ r,
|
||||
|
||||
owner /var/lib/xkb/server-[0-9]*.xkm rw,
|
||||
owner /var/lib/xkb/server-@{int}.xkm rw,
|
||||
|
||||
owner @{HOME}/ r,
|
||||
owner @{HOME}/.* r,
|
||||
|
@ -26,7 +26,7 @@ profile xdg-desktop-portal-kde @{exec_path} {
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/hwdata/pnp.ids r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/mime/{,**} r,
|
||||
/usr/share/qt5/qtlogging.ini r,
|
||||
|
||||
|
@ -68,7 +68,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
|
||||
/dev/fuse rw,
|
||||
|
||||
# file inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
profile flatpak {
|
||||
include <abstractions/base>
|
||||
|
@ -23,7 +23,7 @@ profile xdg-email @{exec_path} flags=(complain) {
|
||||
@{bin}/which rix,
|
||||
@{bin}/xdg-mime rPx,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/xdg-email>
|
||||
}
|
||||
|
@ -39,10 +39,10 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
owner @{run}/user/@{uid}/ r,
|
||||
|
||||
@{sys}/devices/platform/**/hwmon/hwmon[0-9]*/temp* r,
|
||||
@{sys}/devices/platform/**/hwmon/hwmon[0-9]*/fan* r,
|
||||
@{sys}/devices/platform/**/hwmon/hwmon@{int}/temp* r,
|
||||
@{sys}/devices/platform/**/hwmon/hwmon@{int}/fan* r,
|
||||
|
||||
/dev/dri/card[0-9]* rw,
|
||||
/dev/dri/card@{int} rw,
|
||||
/dev/tty rw,
|
||||
|
||||
# When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two
|
||||
|
@ -54,7 +54,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{user_share_dirs}/flatpak/db/background rw,
|
||||
owner @{user_share_dirs}/flatpak/db/notifications rw,
|
||||
|
||||
/dev/tty[0-9]* rw,
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/xdg-permission-store>
|
||||
}
|
||||
|
@ -35,7 +35,7 @@ profile xdg-screensaver @{exec_path} {
|
||||
|
||||
owner @{HOME}/ r,
|
||||
owner @{HOME}/.Xauthority r,
|
||||
owner /tmp/xauth-[0-9]*-_[0-9] r,
|
||||
owner /tmp/xauth-@{int}-_[0-9] r,
|
||||
|
||||
owner @{run}/user/@{uid}/ r,
|
||||
|
||||
|
@ -21,7 +21,7 @@ profile xhost @{exec_path} {
|
||||
/tmp/.X11-unix/* rw,
|
||||
|
||||
# file_inherit
|
||||
/dev/tty[0-9]* rw,
|
||||
/dev/tty@{int} rw,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
# Silencer
|
||||
|
@ -20,25 +20,25 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
/usr/share/X11/xkb/** r,
|
||||
|
||||
/var/lib/xkb/server-[0-9]*.xkm w,
|
||||
/var/lib/xkb/compiled/server-[0-9]*.xkm rw,
|
||||
/var/lib/xkb/server-@{int}.xkm w,
|
||||
/var/lib/xkb/compiled/server-@{int}.xkm rw,
|
||||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
owner @{HOME}/*.{xkb,xkm} rw,
|
||||
|
||||
owner @{user_share_dirs}/xorg/Xorg.[0-9].log w,
|
||||
owner @{user_share_dirs}/xorg/Xorg.@{int}.log w,
|
||||
|
||||
/var/lib/gdm{3,}/.local/share/xorg/Xorg.[0-9].log w,
|
||||
owner /var/log/lightdm/x-[0-9]*.log w,
|
||||
/var/lib/gdm{3,}/.local/share/xorg/Xorg.@{int}.log w,
|
||||
owner /var/log/lightdm/x-@{int}.log w,
|
||||
|
||||
owner /tmp/server-[0-9]*.xkm rwk,
|
||||
owner /tmp/server-@{int}.xkm rwk,
|
||||
|
||||
/dev/dri/card[0-9]* rw,
|
||||
/dev/dri/card@{int} rw,
|
||||
/dev/tty rw,
|
||||
/dev/tty[0-9]* rw,
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
deny /dev/input/event[0-9]* rw,
|
||||
deny /var/log/Xorg.[0-9]*.log w,
|
||||
deny /dev/input/event@{int} rw,
|
||||
deny /var/log/Xorg.@{int}.log w,
|
||||
|
||||
include if exists <local/xkbcomp>
|
||||
}
|
||||
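Review bot: `owner @{user_share_dirs}/xorg/Xorg.@{int}.log w,` and `/var/lib/gdm{3,}/.local/share/xorg/Xorg.@{int}.log w,` replace `[0-9]` (exactly one digit), not the `[0-9]*` glob named in the commit title, so these two lines widen the rule rather than tighten it (assuming `@{int}` accepts more than one digit, as its use in place of `[0-9]*` elsewhere implies). Allowing display numbers above 9 is plausibly wanted, but it falls outside the stated scope of the change and the commit message does not mention it; a comment such as `# X display number may exceed one digit` above those lines, or a sentence in the commit message, would make the intent explicit. The rest of the hunk, including `deny /var/log/Xorg.@{int}.log w,`, follows the announced `[0-9]*` → `@{int}` pattern.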
|
@ -66,8 +66,8 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
|
||||
@{lib}/xorg/modules/ r,
|
||||
@{lib}/xorg/modules/** mr,
|
||||
|
||||
/var/lib/xkb/server-[0-9]*.xkm rw,
|
||||
/var/lib/xkb/compiled/server-[0-9]*.xkm rw,
|
||||
/var/lib/xkb/server-@{int}.xkm rw,
|
||||
/var/lib/xkb/compiled/server-@{int}.xkm rw,
|
||||
|
||||
/usr/share/egl/{,**} rw,
|
||||
/usr/share/libinput*/ r,
|
||||
@ -140,11 +140,11 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
|
||||
@{PROC}/mtrr rw,
|
||||
|
||||
/dev/fb[0-9] rw,
|
||||
/dev/input/event[0-9]* rw,
|
||||
/dev/input/event@{int} rw,
|
||||
/dev/shm/#@{int} rw,
|
||||
/dev/shm/shmfd-* rw,
|
||||
/dev/tty rw,
|
||||
/dev/tty[0-9]* rw,
|
||||
/dev/tty@{int} rw,
|
||||
/dev/vga_arbiter rw, # Graphic card modules
|
||||
|
||||
include if exists <local/xorg>
|
||||
|
@ -25,7 +25,7 @@ profile xprop @{exec_path} {
|
||||
owner @{run}/user/@{uid}/xauth_@{rand6} rl,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
include if exists <local/xprop>
|
||||
|
@ -17,7 +17,7 @@ profile xrandr @{exec_path} {
|
||||
/usr/share/X11/XErrorDB r,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/xrandr>
|
||||
}
|
||||
|
@ -17,7 +17,7 @@ profile xrdb @{exec_path} {
|
||||
@{bin}/{,*-}cpp-[0-9]* rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/cpp rix,
|
||||
@{lib}/gcc/*/[0-9]*/cc1 rix,
|
||||
@{lib}/gcc/*/@{int}/cc1 rix,
|
||||
@{lib}/llvm-[0-9]*/bin/clang rix,
|
||||
|
||||
/usr/include/stdc-predef.h r,
|
||||
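Review bot: `@{bin}/{,*-}cpp-[0-9]* rix,` and `@{lib}/llvm-[0-9]*/bin/clang rix,` keep the `[0-9]*` glob on an exec path while `@{lib}/gcc/*/@{int}/cc1 rix,` in the same hunk was tightened. Since `*` matches any run of non-`/` characters, those rules let any file named `cpp-<digit>…` in `@{bin}`, or `clang` under any `llvm-<digit>…` directory, execute with xrdb's confinement inherited; if the suffix is always a plain version number, `@{bin}/{,*-}cpp-@{int} rix,` and `@{lib}/llvm-@{int}/bin/clang rix,` would be the consistent choice, and if it can contain a dot or other characters a short comment saying so would explain why the glob stays. The second xrdb hunk likewise leaves `owner /tmp/xauth-[0-9]*-_[0-9] r,` untouched although the identical line in xdg-screensaver is converted to `/tmp/xauth-@{int}-_[0-9]` in this same commit. The xrdb profile body continues outside this hunk.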
@ -40,10 +40,10 @@ profile xrdb @{exec_path} {
|
||||
owner /tmp/xauth-[0-9]*-_[0-9] r,
|
||||
|
||||
@{run}/sddm/\{@{uuid}\} r,
|
||||
@{run}/sddm/xauth_?????? r,
|
||||
@{run}/sddm/xauth_@{rand6} r,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
/dev/tty rw,
|
||||
|
@ -16,12 +16,12 @@ profile xset @{exec_path} {
|
||||
owner @{HOME}/.Xauthority r,
|
||||
|
||||
@{run}/sddm/\{@{uuid}\} r,
|
||||
@{run}/sddm/xauth_?????? r,
|
||||
@{run}/sddm/xauth_@{rand6} r,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
deny /dev/dri/card[0-9]* rw,
|
||||
deny /dev/dri/card@{int} rw,
|
||||
|
||||
include if exists <local/xset>
|
||||
}
|
||||
|
@ -36,7 +36,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
|
||||
|
||||
owner /tmp/server-[0-9]*.xkm rwk,
|
||||
owner /tmp/server-@{int}.xkm rwk,
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
|
||||
owner @{run}/user/@{uid}/xwayland-shared-@{rand6} rw,
|
||||
|
||||
@ -45,7 +45,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
owner @{PROC}/@{pids}/comm r,
|
||||
|
||||
/dev/tty[0-9]* rw,
|
||||
/dev/tty@{int} rw,
|
||||
/dev/tty rw,
|
||||
|
||||
include if exists <local/xwayland>
|
||||
|
@ -40,7 +40,7 @@ profile evolution-addressbook-factory @{exec_path} {
|
||||
@{exec_path}-subprocess rix,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
|
||||
owner @{user_share_dirs}/evolution/{,**} rwk,
|
||||
owner @{user_cache_dirs}/evolution/addressbook/{,**} rwk,
|
||||
|
@ -92,7 +92,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
|
||||
@{run}/gdm{3,}/custom.conf r,
|
||||
@{run}/gdm{3,}/gdm.pid rw,
|
||||
@{run}/gdm{3,}/greeter/ rw,
|
||||
@{run}/systemd/seats/seat[0-9]* r,
|
||||
@{run}/systemd/seats/seat@{int} r,
|
||||
@{run}/systemd/sessions/* r,
|
||||
@{run}/systemd/sessions/*.ref r,
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
|