mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 00:48:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

refactor(profiles): use @{bin} and @{lib} in profiles (7)

Browse source
This commit is contained in:
Alexandre Pujol 2023-07-09 14:59:53 +01:00
parent 7c2c806ffa
commit 2b2c42d23c
Failed to generate hash of commit
155 changed files with 938 additions and 938 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
apparmor.d/profiles-s-z/s3fs
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/s3fs @{exec_path} = @{bin}/s3fs
profile s3fs @{exec_path} { profile s3fs @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -24,7 +24,7 @@ profile s3fs @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/fusermount{,3} rCx -> fusermount, @{bin}/fusermount{,3} rCx -> fusermount,
/etc/mime.types r, /etc/mime.types r,
/etc/passwd-s3fs r, /etc/passwd-s3fs r,
@ -53,7 +53,7 @@ profile s3fs @{exec_path} {
umount @{MOUNTS}/, umount @{MOUNTS}/,
umount @{MOUNTS}/*/, umount @{MOUNTS}/*/,
/{usr/,}bin/fusermount{,3} mr, @{bin}/fusermount{,3} mr,
/etc/fuse.conf r, /etc/fuse.conf r,

6
apparmor.d/profiles-s-z/sanoid
View file

@ -12,9 +12,9 @@ profile sanoid @{exec_path} flags=(complain) {
include <abstractions/perl> include <abstractions/perl>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/perl rix, @{bin}/perl rix,
/{usr/,}bin/ps rPx, @{bin}/ps rPx,
/{usr/,}{local/,}{s,}bin/zfs rPx, /{usr/,}{local/,}{s,}bin/zfs rPx,
/etc/sanoid/{*,} r, /etc/sanoid/{*,} r,

6
apparmor.d/profiles-s-z/sbctl
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/sbctl @{exec_path} = @{bin}/sbctl
profile sbctl @{exec_path} { profile sbctl @{exec_path} {
include <abstractions/base> include <abstractions/base>
@ -15,14 +15,14 @@ profile sbctl @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/lsblk rPx, @{bin}/lsblk rPx,
/usr/share/secureboot/{,**} rw, /usr/share/secureboot/{,**} rw,
/{boot,efi}/{,**} r, /{boot,efi}/{,**} r,
/{boot,efi}/EFI/{,**} rw, /{boot,efi}/EFI/{,**} rw,
/{boot,efi}/vmlinuz-linux* rw, /{boot,efi}/vmlinuz-linux* rw,
/{usr/,}lib/fwupd/efi/{,**} rw, @{lib}/fwupd/efi/{,**} rw,
@{sys}/firmware/efi/efivars/db-@{uuid} rw, @{sys}/firmware/efi/efivars/db-@{uuid} rw,
@{sys}/firmware/efi/efivars/KEK-@{uuid} rw, @{sys}/firmware/efi/efivars/KEK-@{uuid} rw,

4
apparmor.d/profiles-s-z/scrcpy
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/scrcpy @{exec_path} = @{bin}/scrcpy
profile scrcpy @{exec_path} { profile scrcpy @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-common> include <abstractions/dri-common>
@ -22,7 +22,7 @@ profile scrcpy @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/adb rPx, @{bin}/adb rPx,
/usr/share/scrcpy/{,*} r, /usr/share/scrcpy/{,*} r,
/usr/share/icons/{,**} r, /usr/share/icons/{,**} r,

6
apparmor.d/profiles-s-z/scrot
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/scrot @{exec_path} = @{bin}/scrot
profile scrot @{exec_path} { profile scrot @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
@ -14,8 +14,8 @@ profile scrot @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# "mv" is needed to change the image dir # "mv" is needed to change the image dir
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/mv rix, @{bin}/mv rix,
# The image dir # The image dir
owner @{HOME}/*.png rw, owner @{HOME}/*.png rw,

2
apparmor.d/profiles-s-z/sdcv
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/sdcv @{exec_path} = @{bin}/sdcv
profile sdcv @{exec_path} { profile sdcv @{exec_path} {
include <abstractions/base> include <abstractions/base>

2
apparmor.d/profiles-s-z/sensors
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/sensors @{exec_path} = @{bin}/sensors
profile sensors @{exec_path} { profile sensors @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>

12
apparmor.d/profiles-s-z/sensors-detect
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/sensors-detect @{exec_path} = @{bin}/sensors-detect
profile sensors-detect @{exec_path} { profile sensors-detect @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/perl> include <abstractions/perl>
@ -15,7 +15,7 @@ profile sensors-detect @{exec_path} {
capability syslog, capability syslog,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, @{bin}/perl r,
/usr/bin/uname rix, /usr/bin/uname rix,
@ -48,7 +48,7 @@ profile sensors-detect @{exec_path} {
ptrace (read), ptrace (read),
/{usr/,}bin/udevadm mr, @{bin}/udevadm mr,
/etc/udev/udev.conf r, /etc/udev/udev.conf r,
@ -62,12 +62,12 @@ profile sensors-detect @{exec_path} {
profile kmod { profile kmod {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/kmod mr, @{bin}/kmod mr,
@{PROC}/cmdline r, @{PROC}/cmdline r,
/{usr/,}lib/modprobe.d/ r, @{lib}/modprobe.d/ r,
/{usr/,}lib/modprobe.d/*.conf r, @{lib}/modprobe.d/*.conf r,
/etc/modprobe.d/ r, /etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r, /etc/modprobe.d/*.conf r,

2
apparmor.d/profiles-s-z/setpci
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/setpci @{exec_path} = @{bin}/setpci
profile setpci @{exec_path} flags=(complain) { profile setpci @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>

2
apparmor.d/profiles-s-z/sfdisk
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/sfdisk @{exec_path} = @{bin}/sfdisk
profile sfdisk @{exec_path} { profile sfdisk @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/disks-write> include <abstractions/disks-write>

2
apparmor.d/profiles-s-z/sgdisk
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/sgdisk @{exec_path} = @{bin}/sgdisk
profile sgdisk @{exec_path} { profile sgdisk @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/disks-write> include <abstractions/disks-write>

2
apparmor.d/profiles-s-z/slirp4netns
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/slirp4netns @{exec_path} = @{bin}/slirp4netns
profile slirp4netns @{exec_path} flags=(attach_disconnected) { profile slirp4netns @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>

2
apparmor.d/profiles-s-z/smartctl
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/smartctl @{exec_path} = @{bin}/smartctl
profile smartctl @{exec_path} { profile smartctl @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>

14
apparmor.d/profiles-s-z/smartd
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/smartd @{exec_path} = @{bin}/smartd
profile smartd @{exec_path} { profile smartd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/disks-read> include <abstractions/disks-read>
@ -25,12 +25,12 @@ profile smartd @{exec_path} {
deny capability net_admin, deny capability net_admin,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/cat rix, @{bin}/cat rix,
/{usr/,}bin/hostname rix, @{bin}/hostname rix,
/{usr/,}bin/mail rix, @{bin}/mail rix,
/{usr/,}bin/mktemp rix, @{bin}/mktemp rix,
/{usr/,}bin/run-parts rix, @{bin}/run-parts rix,
/usr/share/smartmontools/{smartd-runner,smartd_warning.sh} rix, /usr/share/smartmontools/{smartd-runner,smartd_warning.sh} rix,
/etc/smartmontools/run.d/* rix, /etc/smartmontools/run.d/* rix,

12
apparmor.d/profiles-s-z/smplayer
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/smplayer @{exec_path} = @{bin}/smplayer
profile smplayer @{exec_path} { profile smplayer @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio> include <abstractions/audio>
@ -40,11 +40,11 @@ profile smplayer @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/mpv rPx, @{bin}/mpv rPx,
/{usr/,}bin/pacmd rPx, @{bin}/pacmd rPx,
/{usr/,}bin/smtube rPx, @{bin}/smtube rPx,
/{usr/,}bin/youtube-dl rPx, @{bin}/youtube-dl rPx,
/{usr/,}bin/yt-dlp rPx, @{bin}/yt-dlp rPx,
/usr/share/qt5ct/** r, /usr/share/qt5ct/** r,
/usr/share/hwdata/pnp.ids r, /usr/share/hwdata/pnp.ids r,

30
apparmor.d/profiles-s-z/smtube
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/smtube @{exec_path} = @{bin}/smtube
profile smtube @{exec_path} { profile smtube @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -64,17 +64,17 @@ profile smtube @{exec_path} {
deny @{PROC}/sys/kernel/random/boot_id r, deny @{PROC}/sys/kernel/random/boot_id r,
# Players # Players
/{usr/,}bin/mpv rPUx, @{bin}/mpv rPUx,
/{usr/,}bin/smplayer rPUx, @{bin}/smplayer rPUx,
/{usr/,}bin/vlc rPUx, @{bin}/vlc rPUx,
/{usr/,}bin/cvlc rPUx, @{bin}/cvlc rPUx,
/{usr/,}bin/youtube-dl rPUx, @{bin}/youtube-dl rPUx,
/{usr/,}bin/yt-dlp rPUx, @{bin}/yt-dlp rPUx,
/{usr/,}bin/xdg-open rCx -> open, @{bin}/xdg-open rCx -> open,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, @{lib}/firefox/firefox rPUx,
# file_inherit # file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
@ -84,19 +84,19 @@ profile smtube @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr, @{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, @{lib}/firefox/firefox rPUx,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,

14
apparmor.d/profiles-s-z/snap
View file

@ -37,10 +37,10 @@ profile snap @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/mount rix, @{bin}/mount rix,
/{usr/,}bin/gpg{,2} rCx -> gpg, @{bin}/gpg{,2} rCx -> gpg,
/{usr/,}bin/systemctl rPx -> child-systemctl, @{bin}/systemctl rPx -> child-systemctl,
/snap/{,**} rw, /snap/{,**} rw,
/{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-confine rPx, /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-confine rPx,
@ -85,11 +85,11 @@ profile snap @{exec_path} {
profile gpg { profile gpg {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/gpg{,2} mr, @{bin}/gpg{,2} mr,
/{usr/,}bin/dirmngr rix, @{bin}/dirmngr rix,
/{usr/,}bin/gpg-agent rix, @{bin}/gpg-agent rix,
/{usr/,}bin/gpg-connect-agent rix, @{bin}/gpg-connect-agent rix,
owner @{HOME}/.snap/gnupg/ rw, owner @{HOME}/.snap/gnupg/ rw,
owner @{HOME}/.snap/gnupg/** rwkl, owner @{HOME}/.snap/gnupg/** rwkl,

2
apparmor.d/profiles-s-z/snap-device-helper
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/snapd/snap-device-helper @{exec_path} = @{lib}/snapd/snap-device-helper
profile snap-device-helper @{exec_path} { profile snap-device-helper @{exec_path} {
include <abstractions/base> include <abstractions/base>

44
apparmor.d/profiles-s-z/snapd
View file

@ -60,29 +60,29 @@ profile snapd @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}{s,}bin/adduser rPx, @{bin}/adduser rPx,
/{usr/,}{s,}bin/groupadd rPx, @{bin}/cloud-init rPUx, # TODO: rPx ? limited to ubtuntu core, otherwise out of scope
/{usr/,}{s,}bin/useradd rPx, @{bin}/groupadd rPx,
/{usr/,}bin/cloud-init rPUx, # TODO: rPx ? limited to ubtuntu core, otherwise out of scope @{bin}/hostnamectl rPx,
/{usr/,}bin/hostnamectl rPx, @{bin}/ssh-keygen rPx,
/{usr/,}bin/ssh-keygen rPx, @{bin}/useradd rPx,
/{usr/,}{s,}bin/apparmor_parser rPx, @{bin}/{,ba,da}sh rix,
/{usr/,}{s,}bin/runuser rCx -> runuser, @{bin}/apparmor_parser rPx,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/cp rix,
/{usr/,}bin/cp rix, @{bin}/gzip rix,
/{usr/,}bin/gzip rix, @{bin}/journalctl rPx,
/{usr/,}bin/journalctl rPx, @{bin}/mount rix,
/{usr/,}bin/mount rix, @{bin}/runuser rCx -> runuser,
/{usr/,}bin/snap rPx, @{bin}/snap rPx,
/{usr/,}bin/sync rix, @{bin}/sync rix,
/{usr/,}bin/systemctl rix, @{bin}/systemctl rix,
/{usr/,}bin/systemd-detect-virt rPx, @{bin}/systemd-detect-virt rPx,
/{usr/,}bin/tar rix, @{bin}/tar rix,
/{usr/,}bin/udevadm rPx, @{bin}/udevadm rPx,
/{usr/,}bin/umount rix, @{bin}/umount rix,
/{usr/,}bin/unsquashfs rix, @{bin}/unsquashfs rix,
/{usr/,}bin/update-desktop-database rPx, @{bin}/update-desktop-database rPx,
/{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache-* mr, /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache-* mr,
/{snap/snapd/[0-9]*/,}{usr/,}bin/snap rPx, /{snap/snapd/[0-9]*/,}{usr/,}bin/snap rPx,

2
apparmor.d/profiles-s-z/spacefm
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/spacefm @{exec_path} = @{bin}/spacefm
profile spacefm @{exec_path} { profile spacefm @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>

4
apparmor.d/profiles-s-z/spacefm-auth
View file

@ -6,12 +6,12 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/spacefm-auth @{exec_path} = @{bin}/spacefm-auth
profile spacefm-auth @{exec_path} { profile spacefm-auth @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
include if exists <local/spacefm-auth> include if exists <local/spacefm-auth>
} }

111
apparmor.d/profiles-s-z/spectre-meltdown-checker
View file

@ -22,57 +22,56 @@ profile spectre-meltdown-checker @{exec_path} {
ptrace (read), ptrace (read),
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/dirname rix, @{bin}/{,@{multiarch}-}objdump rix,
/{usr/,}bin/uname rix, @{bin}/{,@{multiarch}-}readelf rix,
/{usr/,}bin/cut rix, @{bin}/{,@{multiarch}-}strings rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/head rix, @{bin}/{,e}grep rix,
/{usr/,}bin/{,g,m}awk rix, @{bin}/{,g,m}awk rix,
/{usr/,}bin/sed rix, @{bin}/base64 rix,
/{usr/,}bin/od rix, @{bin}/basename rix,
/{usr/,}bin/dd rix, @{bin}/bunzip2 rix,
/{usr/,}bin/id rix, @{bin}/cat rix,
/{usr/,}bin/gunzip rix, @{bin}/ccache rCx -> ccache,
/{usr/,}bin/gzip rix, @{bin}/cut rix,
/{usr/,}bin/zstd rix, @{bin}/date rix,
/{usr/,}bin/bunzip2 rix, @{bin}/dd rix,
/{usr/,}bin/lzop rix, @{bin}/dirname rix,
/{usr/,}bin/mktemp rix, @{bin}/dmesg rix,
/{usr/,}bin/tr rix, @{bin}/find rix,
/{usr/,}bin/stat rix, @{bin}/gunzip rix,
/{usr/,}bin/tail rix, @{bin}/gzip rix,
/{usr/,}bin/xz rix, @{bin}/head rix,
/{usr/,}bin/seq rix, @{bin}/id rix,
/{usr/,}bin/rm rix, @{bin}/iucode_tool rix,
/{usr/,}bin/sort rix, @{bin}/kmod rCx -> kmod,
/{usr/,}bin/cat rix, @{bin}/lzop rix,
/{usr/,}bin/basename rix, @{bin}/mktemp rix,
/{usr/,}bin/perl rix, @{bin}/mount rix,
/{usr/,}bin/base64 rix, @{bin}/nproc rix,
/{usr/,}bin/unzip rix, @{bin}/od rix,
/{usr/,}bin/{,@{multiarch}-}readelf rix, @{bin}/perl rix,
/{usr/,}bin/{,@{multiarch}-}strings rix, @{bin}/pgrep rCx -> pgrep,
/{usr/,}bin/{,@{multiarch}-}objdump rix, @{bin}/rdmsr rix,
/{usr/,}{s,}bin/iucode_tool rix, @{bin}/readlink rix,
/{usr/,}{s,}bin/rdmsr rix, @{bin}/rm rix,
/{usr/,}bin/dmesg rix, @{bin}/sed rix,
/{usr/,}{s,}bin/mount rix, @{bin}/seq rix,
/{usr/,}bin/find rix, @{bin}/sort rix,
/{usr/,}bin/xargs rix, @{bin}/stat rix,
/{usr/,}bin/readlink rix, @{bin}/tail rix,
/{usr/,}bin/nproc rix, @{bin}/tr rix,
/{usr/,}bin/date rix, @{bin}/uname rix,
@{bin}/unzip rix,
/{usr/,}bin/pgrep rCx -> pgrep, @{bin}/xargs rix,
/{usr/,}bin/ccache rCx -> ccache, @{bin}/xz rix,
/{usr/,}bin/kmod rCx -> kmod, @{bin}/zstd rix,
# To fetch MCE.db from the MCExtractor project # To fetch MCE.db from the MCExtractor project
/{usr/,}bin/wget rCx -> mcedb, @{bin}/wget rCx -> mcedb,
/{usr/,}bin/sqlite3 rCx -> mcedb, @{bin}/sqlite3 rCx -> mcedb,
owner /tmp/mcedb-* rw, owner /tmp/mcedb-* rw,
owner /tmp/smc-* rw, owner /tmp/smc-* rw,
owner /tmp/{,smc-}intelfw-*/ rw, owner /tmp/{,smc-}intelfw-*/ rw,
@ -116,11 +115,11 @@ profile spectre-meltdown-checker @{exec_path} {
profile ccache { profile ccache {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/ccache mr, @{bin}/ccache mr,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix, @{lib}/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix, @{bin}/{,@{multiarch}-}g++-[0-9]* rix,
/media/ccache/*/** rw, /media/ccache/*/** rw,
@ -133,7 +132,7 @@ profile spectre-meltdown-checker @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
/{usr/,}bin/pgrep mr, @{bin}/pgrep mr,
# The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault. # The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.
@{PROC}/ r, @{PROC}/ r,
@ -159,8 +158,8 @@ profile spectre-meltdown-checker @{exec_path} {
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
/{usr/,}bin/wget mr, @{bin}/wget mr,
/{usr/,}bin/sqlite3 mr, @{bin}/sqlite3 mr,
/etc/wgetrc r, /etc/wgetrc r,
owner @{HOME}/.wget-hsts rwk, owner @{HOME}/.wget-hsts rwk,
@ -184,7 +183,7 @@ profile spectre-meltdown-checker @{exec_path} {
owner @{sys}/module/cpuid/** r, owner @{sys}/module/cpuid/** r,
owner @{sys}/module/msr/** r, owner @{sys}/module/msr/** r,
/{usr/,}bin/kmod mr, @{bin}/kmod mr,
/etc/modprobe.d/ r, /etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r, /etc/modprobe.d/*.conf r,

10
apparmor.d/profiles-s-z/speedtest
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/speedtest{,-cli} @{exec_path} = @{bin}/speedtest{,-cli}
profile speedtest @{exec_path} { profile speedtest @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -20,11 +20,11 @@ profile speedtest @{exec_path} {
network netlink raw, network netlink raw,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/file rix, @{bin}/file rix,
/{usr/,}bin/uname rix, @{bin}/uname rix,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,

4
apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/spice-client-glib-usb-acl-helper @{exec_path} = @{lib}/spice-client-glib-usb-acl-helper
profile spice-client-glib-usb-acl-helper @{exec_path} { profile spice-client-glib-usb-acl-helper @{exec_path} {
include <abstractions/base> include <abstractions/base>
@ -17,7 +17,7 @@ profile spice-client-glib-usb-acl-helper @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}lib/gconv/gconv-modules r, @{lib}/gconv/gconv-modules r,
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,
@{PROC}/sys/kernel/cap_last_cap r, @{PROC}/sys/kernel/cap_last_cap r,

2
apparmor.d/profiles-s-z/spice-vdagent
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/spice-vdagent @{exec_path} = @{bin}/spice-vdagent
profile spice-vdagent @{exec_path} { profile spice-vdagent @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio> include <abstractions/audio>

2
apparmor.d/profiles-s-z/spice-vdagentd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/spice-vdagentd @{exec_path} = @{bin}/spice-vdagentd
profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>

6
apparmor.d/profiles-s-z/start-pulseaudio-x11
View file

@ -6,14 +6,14 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/start-pulseaudio-x11 @{exec_path} = @{bin}/start-pulseaudio-x11
profile start-pulseaudio-x11 @{exec_path} { profile start-pulseaudio-x11 @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/pactl rPx, @{bin}/pactl rPx,
/dev/tty rw, /dev/tty rw,

28
apparmor.d/profiles-s-z/startx
View file

@ -7,28 +7,28 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/startx @{exec_path} = @{bin}/startx
profile startx @{exec_path} flags=(attach_disconnected) { profile startx @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
/{usr/,}bin/deallocvt rix, @{bin}/deallocvt rix,
/{usr/,}bin/expr rix, @{bin}/expr rix,
/{usr/,}bin/hostname rix, @{bin}/hostname rix,
/{usr/,}bin/mcookie rix, @{bin}/mcookie rix,
/{usr/,}bin/mktemp rix, @{bin}/mktemp rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
/{usr/,}bin/tty rix, @{bin}/tty rix,
/{usr/,}bin/uname rix, @{bin}/uname rix,
/{usr/,}bin/xauth rPx, @{bin}/xauth rPx,
/{usr/,}bin/xinit rPx, @{bin}/xinit rPx,
/usr/share/terminfo/** r, /usr/share/terminfo/** r,

84
apparmor.d/profiles-s-z/steam
View file

@ -43,46 +43,46 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/*sum rix, @{bin}/*sum rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
/{usr/,}bin/cat rix, @{bin}/cat rix,
/{usr/,}bin/cmp rix, @{bin}/cmp rix,
/{usr/,}bin/cp rix, @{bin}/cp rix,
/{usr/,}bin/cut rix, @{bin}/cut rix,
/{usr/,}bin/dirname rix, @{bin}/dirname rix,
/{usr/,}bin/file rix, @{bin}/file rix,
/{usr/,}bin/find rix, @{bin}/find rix,
/{usr/,}bin/getopt rix, @{bin}/getopt rix,
/{usr/,}bin/grep rix, @{bin}/grep rix,
/{usr/,}bin/head rix, @{bin}/head rix,
/{usr/,}bin/ldconfig rix, @{bin}/ldconfig rix,
/{usr/,}bin/ldd rix, @{bin}/ldd rix,
/{usr/,}bin/ln rix, @{bin}/ln rix,
/{usr/,}bin/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
/{usr/,}bin/lsof rix, @{bin}/lsof rix,
/{usr/,}bin/lspci rCx -> lspci, @{bin}/lspci rCx -> lspci,
/{usr/,}bin/mkdir rix, @{bin}/mkdir rix,
/{usr/,}bin/mv rix, @{bin}/mv rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/realpath rix, @{bin}/realpath rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/rmdir rix, @{bin}/rmdir rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
/{usr/,}bin/steam-runtime-urlopen rix, @{bin}/steam-runtime-urlopen rix,
/{usr/,}bin/tail rix, @{bin}/tail rix,
/{usr/,}bin/tar rix, @{bin}/tar rix,
/{usr/,}bin/timeout rix, @{bin}/timeout rix,
/{usr/,}bin/touch rix, @{bin}/touch rix,
/{usr/,}bin/tr rix, @{bin}/tr rix,
/{usr/,}bin/uname rix, @{bin}/uname rix,
/{usr/,}bin/which rix, @{bin}/which rix,
/{usr/,}bin/xdg-icon-resource rPx, @{bin}/xdg-icon-resource rPx,
/{usr/,}bin/xdg-user-dir rix, @{bin}/xdg-user-dir rix,
/{usr/,}bin/xz rix, @{bin}/xz rix,
/{usr/,}bin/zenity rix, @{bin}/zenity rix,
/{usr/,}lib{32,64}/ld-linux.so* rix, @{lib}/ld-linux.so* rix,
@{steam_lib_dirs}/*.so* mr, @{steam_lib_dirs}/*.so* mr,
@{steam_lib_dirs}/*driverquery rix, @{steam_lib_dirs}/*driverquery rix,
@ -116,7 +116,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
/ r, / r,
/{usr/,}{local/,} r, /{usr/,}{local/,} r,
/{usr/,}{local/,}share/ r, /{usr/,}{local/,}share/ r,
/{usr/,}lib{,32,64}/ r, @{lib}/ r,
/etc/ r, /etc/ r,
/home/ r, /home/ r,
/run/ r, /run/ r,
@ -238,7 +238,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
/{usr/,}bin/lspci mr, @{bin}/lspci mr,
owner @{HOME}/.steam/steam.pipe r, owner @{HOME}/.steam/steam.pipe r,

38
apparmor.d/profiles-s-z/steam-game
View file

@ -64,26 +64,26 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/bwrap rix, @{bin}/bwrap rix,
/{usr/,}bin/env rix, @{bin}/env rix,
/{usr/,}bin/getopt rix, @{bin}/getopt rix,
/{usr/,}bin/gzip rix, @{bin}/gzip rix,
/{usr/,}bin/localedef rix, @{bin}/localedef rix,
/{usr/,}bin/python3.[0-9]* rix, @{bin}/python3.[0-9]* rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/steam-runtime-launcher-interface-* rix, @{bin}/steam-runtime-launcher-interface-* rix,
/{usr/,}bin/steam-runtime-system-info rix, @{bin}/steam-runtime-system-info rix,
/{usr/,}bin/timeout rix, @{bin}/timeout rix,
/{usr/,}bin/true rix, @{bin}/true rix,
/{usr/,}bin/uname rix, @{bin}/uname rix,
/{usr/,}bin/xdg-open rPx, @{bin}/xdg-open rPx,
/{usr/,}lib/pressure-vessel/from-host/bin/pressure-vessel-adverb rix, @{lib}/pressure-vessel/from-host/bin/pressure-vessel-adverb rix,
/{usr/,}lib/pressure-vessel/from-host/bin/pressure-vessel-locale-gen rix, @{lib}/pressure-vessel/from-host/bin/pressure-vessel-locale-gen rix,
/{usr/,}lib/pressure-vessel/from-host/bin/pressure-vessel-try-setlocale rix, @{lib}/pressure-vessel/from-host/bin/pressure-vessel-try-setlocale rix,
/{usr/,}lib/pressure-vessel/from-host/libexec/steam-runtime-tools-*/*-detect-platform rix, @{lib}/pressure-vessel/from-host/libexec/steam-runtime-tools-*/*-detect-platform rix,
/{usr/,}libexec/steam-runtime-tools*/* mrix, @{lib}exec/steam-runtime-tools*/* mrix,
@{runtime}/pressure-vessel/bin/pressure-vessel-unruntime rix, @{runtime}/pressure-vessel/bin/pressure-vessel-unruntime rix,
@{runtime}/pressure-vessel/bin/pressure-vessel-wrap rix, @{runtime}/pressure-vessel/bin/pressure-vessel-wrap rix,

20
apparmor.d/profiles-s-z/strawberry
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/strawberry @{exec_path} = @{bin}/strawberry
profile strawberry @{exec_path} { profile strawberry @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -39,9 +39,9 @@ profile strawberry @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/strawberry-tagreader rPx, @{bin}/strawberry-tagreader rPx,
/{usr/,}bin/xdg-open rCx -> open, @{bin}/xdg-open rCx -> open,
# Media library # Media library
owner @{user_music_dirs}/ r, owner @{user_music_dirs}/ r,
@ -97,7 +97,7 @@ profile strawberry @{exec_path} {
/usr/share/hwdata/pnp.ids r, /usr/share/hwdata/pnp.ids r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, @{lib}/firefox/firefox rPUx,
# file_inherit # file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
@ -108,19 +108,19 @@ profile strawberry @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr, @{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, @{lib}/firefox/firefox rPUx,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,

2
apparmor.d/profiles-s-z/strawberry-tagreader
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/strawberry-tagreader @{exec_path} = @{bin}/strawberry-tagreader
profile strawberry-tagreader @{exec_path} { profile strawberry-tagreader @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>

8
apparmor.d/profiles-s-z/su
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/su @{exec_path} = @{bin}/su
profile su @{exec_path} { profile su @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/app-launcher-root> include <abstractions/app-launcher-root>
@ -43,9 +43,9 @@ profile su @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,b,d,rb}ash rUx, @{bin}/{,b,d,rb}ash rUx,
/{usr/,}bin/{c,k,tc,z}sh rUx, @{bin}/{c,k,tc,z}sh rUx,
/{usr/,}{s,}bin/nologin rPx, @{bin}/nologin rPx,
@{etc_ro}/default/su r, @{etc_ro}/default/su r,
@{etc_ro}/environment r, @{etc_ro}/environment r,

14
apparmor.d/profiles-s-z/sudo
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/sudo @{exec_path} = @{bin}/sudo
profile sudo @{exec_path} { profile sudo @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/app-launcher-root> include <abstractions/app-launcher-root>
@ -51,13 +51,13 @@ profile sudo @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{libexec}/sudo/** mr, @{lib}/sudo/** mr,
/snap/snapd/[0-9]*/usr/bin/snap rPx, @{bin}/{,b,d,rb}ash rUx,
/{usr/,}bin/{,b,d,rb}ash rUx, @{bin}/{c,k,tc,z}sh rUx,
/{usr/,}bin/{c,k,tc,z}sh rUx, @{lib}/cockpit/cockpit-askpass rPx,
/{usr/,}lib/cockpit/cockpit-askpass rPx, @{lib}/molly-guard/molly-guard rPx,
/{usr/,}lib/molly-guard/molly-guard rPx, /snap/snapd/[0-9]*/usr/bin/snap rPx,
@{etc_ro}/environment r, @{etc_ro}/environment r,
@{etc_ro}/security/limits.d/{,*} r, @{etc_ro}/security/limits.d/{,*} r,

8
apparmor.d/profiles-s-z/suid3num
View file

@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/suid3num @{exec_path} = @{bin}/suid3num
@{exec_path} += /{usr/,}bin/suid3num.py @{exec_path} += @{bin}/suid3num.py
profile suid3num @{exec_path} { profile suid3num @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/python> include <abstractions/python>
@ -18,9 +18,9 @@ profile suid3num @{exec_path} {
ptrace (read), ptrace (read),
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/usr/bin/find rix, /usr/bin/find rix,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,

4
apparmor.d/profiles-s-z/sulogin
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/sulogin @{exec_path} = @{bin}/sulogin
profile sulogin @{exec_path} { profile sulogin @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -15,7 +15,7 @@ profile sulogin @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rux, @{bin}/{,ba,da}sh rux,
/etc/shadow r, /etc/shadow r,

2
apparmor.d/profiles-s-z/swaplabel
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/swaplabel @{exec_path} = @{bin}/swaplabel
profile swaplabel @{exec_path} { profile swaplabel @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/disks-write> include <abstractions/disks-write>

2
apparmor.d/profiles-s-z/swapoff
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/swapoff @{exec_path} = @{bin}/swapoff
profile swapoff @{exec_path} { profile swapoff @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/disks-write> include <abstractions/disks-write>

2
apparmor.d/profiles-s-z/swapon
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/swapon @{exec_path} = @{bin}/swapon
profile swapon @{exec_path} { profile swapon @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/disks-write> include <abstractions/disks-write>

2
apparmor.d/profiles-s-z/switcheroo-control
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{libexec}/switcheroo-control @{exec_path} = @{lib}/switcheroo-control
profile switcheroo-control @{exec_path} flags=(attach_disconnected) { profile switcheroo-control @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>

2
apparmor.d/profiles-s-z/swtpm
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/swtpm @{exec_path} = @{bin}/swtpm
profile swtpm @{exec_path} { profile swtpm @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/openssl> include <abstractions/openssl>

2
apparmor.d/profiles-s-z/swtpm_ioctl
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/swtpm_ioctl @{exec_path} = @{bin}/swtpm_ioctl
profile swtpm_ioctl @{exec_path} { profile swtpm_ioctl @{exec_path} {
include <abstractions/base> include <abstractions/base>

6
apparmor.d/profiles-s-z/swtpm_localca
View file

@ -6,15 +6,15 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/swtpm_localca @{exec_path} = @{bin}/swtpm_localca
profile swtpm_localca @{exec_path} { profile swtpm_localca @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/certtool rix, @{bin}/certtool rix,
/{usr/,}bin/swtpm_cert rix, @{bin}/swtpm_cert rix,
/etc/swtpm-localca.conf r, /etc/swtpm-localca.conf r,
/etc/swtpm-localca.options r, /etc/swtpm-localca.options r,

6
apparmor.d/profiles-s-z/swtpm_setup
View file

@ -6,15 +6,15 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/swtpm_setup @{exec_path} = @{bin}/swtpm_setup
profile swtpm_setup @{exec_path} { profile swtpm_setup @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/swtpm rPx, @{bin}/swtpm rPx,
/{usr/,}bin/swtpm_localca rPx, @{bin}/swtpm_localca rPx,
/etc/swtpm_setup.conf r, /etc/swtpm_setup.conf r,

12
apparmor.d/profiles-s-z/syncoid
View file

@ -13,12 +13,12 @@ profile syncoid @{exec_path} flags=(complain) {
include <abstractions/perl> include <abstractions/perl>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/grep rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/mbuffer rix, @{bin}/grep rix,
/{usr/,}bin/perl rix, @{bin}/mbuffer rix,
/{usr/,}bin/ps rPx, @{bin}/perl rix,
/{usr/,}bin/pv rix, @{bin}/ps rPx,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/pv rix,
/{usr/,}{local/,}{s,}bin/zfs rPx, /{usr/,}{local/,}{s,}bin/zfs rPx,
/{usr/,}{local/,}{s,}bin/zpool rPx, /{usr/,}{local/,}{s,}bin/zpool rPx,

20
apparmor.d/profiles-s-z/syncthing
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/syncthing @{exec_path} = @{bin}/syncthing
profile syncthing @{exec_path} { profile syncthing @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -21,8 +21,8 @@ profile syncthing @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/xdg-open rCx -> open, @{bin}/xdg-open rCx -> open,
/{usr/,}bin/ip rix, @{bin}/ip rix,
/usr/share/mime/{,*} r, /usr/share/mime/{,*} r,
@ -45,19 +45,19 @@ profile syncthing @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr, @{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}bin/firefox rPx, @{bin}/firefox rPx,
/{usr/,}lib/firefox/firefox rPx, @{lib}/firefox/firefox rPx,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,

2
apparmor.d/profiles-s-z/sysctl
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/sysctl @{exec_path} = @{bin}/sysctl
profile sysctl @{exec_path} { profile sysctl @{exec_path} {
include <abstractions/base> include <abstractions/base>

8
apparmor.d/profiles-s-z/system-config-printer
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/system-config-printer @{exec_path} = @{bin}/system-config-printer
@{exec_path} += /usr/share/system-config-printer/system-config-printer.py @{exec_path} += /usr/share/system-config-printer/system-config-printer.py
profile system-config-printer @{exec_path} flags=(complain) { profile system-config-printer @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
@ -41,9 +41,9 @@ profile system-config-printer @{exec_path} flags=(complain) {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/{usr/,}lib/cups/*/* rPUx, @{lib}/cups/*/* rPUx,
/usr/share/hplip/query.py rPUx, /usr/share/hplip/query.py rPUx,
/usr/share/cups/data/testprint r, /usr/share/cups/data/testprint r,

6
apparmor.d/profiles-s-z/system-config-printer-applet
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/system-config-printer-applet /usr/share/system-config-printer/applet.py @{exec_path} = @{bin}/system-config-printer-applet /usr/share/system-config-printer/applet.py
profile system-config-printer-applet @{exec_path} { profile system-config-printer-applet @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/python> include <abstractions/python>
@ -18,8 +18,8 @@ profile system-config-printer-applet @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/usr/share/system-config-printer/{,**} r, /usr/share/system-config-printer/{,**} r,

34
apparmor.d/profiles-s-z/tasksel
View file

@ -6,19 +6,19 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/tasksel @{exec_path} = @{bin}/tasksel
profile tasksel @{exec_path} flags=(complain) { profile tasksel @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/perl> include <abstractions/perl>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, @{bin}/perl r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/tempfile rix, @{bin}/tempfile rix,
/{usr/,}lib/tasksel/tasksel-debconf rix, @{lib}/tasksel/tasksel-debconf rix,
/{usr/,}lib/tasksel/tests/* rCx -> tasksel-tests, @{lib}/tasksel/tests/* rCx -> tasksel-tests,
# Think what to do about this (#FIXME#) # Think what to do about this (#FIXME#)
/usr/share/debconf/frontend rPx, /usr/share/debconf/frontend rPx,
@ -27,11 +27,11 @@ profile tasksel @{exec_path} flags=(complain) {
# Do not strip env to avoid errors like the following: # Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored. # shared object file): ignored.
/{usr/,}bin/dpkg-query rpx, @{bin}/dpkg-query rpx,
# #
/{usr/,}bin/apt-cache rPx, @{bin}/apt-cache rPx,
/{usr/,}bin/debconf-apt-progress rPx, @{bin}/debconf-apt-progress rPx,
/usr/share/tasksel/** r, /usr/share/tasksel/** r,
@ -43,8 +43,8 @@ profile tasksel @{exec_path} flags=(complain) {
profile tasksel-tests flags=(complain) { profile tasksel-tests flags=(complain) {
include <abstractions/base> include <abstractions/base>
/{usr/,}lib/tasksel/tests/* r, @{lib}/tasksel/tests/* r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
} }
@ -55,16 +55,16 @@ profile tasksel @{exec_path} flags=(complain) {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r, /usr/share/debconf/frontend r,
/{usr/,}bin/perl r, @{bin}/perl r,
/{usr/,}bin/tasksel rPx, @{bin}/tasksel rPx,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/stty rix, @{bin}/stty rix,
/{usr/,}bin/locale rix, @{bin}/locale rix,
# The following is needed when debconf uses dialog/whiptail frontend. # The following is needed when debconf uses dialog/whiptail frontend.
/{usr/,}bin/whiptail rPx, @{bin}/whiptail rPx,
owner /tmp/file* w, owner /tmp/file* w,
/usr/share/debconf/confmodule r, /usr/share/debconf/confmodule r,

2
apparmor.d/profiles-s-z/tftp
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/tftp @{exec_path} = @{bin}/tftp
profile tftp @{exec_path} { profile tftp @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice> include <abstractions/nameservice>

2
apparmor.d/profiles-s-z/thermald
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}sbin/thermald @{exec_path} = @{bin}/thermald
profile thermald @{exec_path} flags=(attach_disconnected) { profile thermald @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>

2
apparmor.d/profiles-s-z/thinkfan
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/thinkfan @{exec_path} = @{bin}/thinkfan
profile thinkfan @{exec_path} { profile thinkfan @{exec_path} {
include <abstractions/base> include <abstractions/base>

4
apparmor.d/profiles-s-z/tint2
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/tint2 @{exec_path} = @{bin}/tint2
profile tint2 @{exec_path} { profile tint2 @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
@ -35,7 +35,7 @@ profile tint2 @{exec_path} {
owner @{user_config_dirs}/launchers/{,*.desktop} r, owner @{user_config_dirs}/launchers/{,*.desktop} r,
owner @{user_config_dirs}/launchers/icons/{,*.png} r, owner @{user_config_dirs}/launchers/icons/{,*.png} r,
/{usr/,}lib/@{multiarch}/imlib2/loaders/*.so mr, @{lib}/@{multiarch}/imlib2/loaders/*.so mr,
# Some missing icons # Some missing icons
/usr/share/**.png r, /usr/share/**.png r,

6
apparmor.d/profiles-s-z/tint2conf
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/tint2conf @{exec_path} = @{bin}/tint2conf
profile tint2conf @{exec_path} { profile tint2conf @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>
@ -16,9 +16,9 @@ profile tint2conf @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/tint2 rPx, @{bin}/tint2 rPx,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/usr/share/tint2/{,*} r, /usr/share/tint2/{,*} r,

2
apparmor.d/profiles-s-z/top
View file

@ -8,7 +8,7 @@ include <tunables/global>
# When any of the "ns*" fields is displayed, the following error will be printed: # When any of the "ns*" fields is displayed, the following error will be printed:
# "Failed name lookup - disconnected path" error=-13 profile="top" name="". # "Failed name lookup - disconnected path" error=-13 profile="top" name="".
@{exec_path} = /{usr/,}bin/top @{exec_path} = @{bin}/top
profile top @{exec_path} flags=(attach_disconnected) { profile top @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>

4
apparmor.d/profiles-s-z/torify
View file

@ -6,12 +6,12 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/torify @{exec_path} = @{bin}/torify
profile torify @{exec_path} { profile torify @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
include if exists <local/torify> include if exists <local/torify>
} }

4
apparmor.d/profiles-s-z/torsocks
View file

@ -6,12 +6,12 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/torsocks @{exec_path} = @{bin}/torsocks
profile torsocks @{exec_path} { profile torsocks @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
include if exists <local/torsocks> include if exists <local/torsocks>
} }

10
apparmor.d/profiles-s-z/tpacpi-bat
View file

@ -6,19 +6,19 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/tpacpi-bat @{exec_path} = @{bin}/tpacpi-bat
profile tpacpi-bat @{exec_path} { profile tpacpi-bat @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/perl> include <abstractions/perl>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/perl r, @{bin}/perl r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/cat rix, @{bin}/cat rix,
# To load the acpi_call module # To load the acpi_call module
/{usr/,}bin/kmod rPx, @{bin}/kmod rPx,
@{PROC}/acpi/call rw, @{PROC}/acpi/call rw,

2
apparmor.d/profiles-s-z/transmission-qt
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/transmission-qt @{exec_path} = @{bin}/transmission-qt
profile transmission-qt @{exec_path} { profile transmission-qt @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>

2
apparmor.d/profiles-s-z/tune2fs
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/{tune2fs,e2label} @{exec_path} = @{bin}/{tune2fs,e2label}
profile tune2fs @{exec_path} { profile tune2fs @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/disks-write> include <abstractions/disks-write>

66
apparmor.d/profiles-s-z/ucf
View file

@ -7,42 +7,42 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/ucf @{exec_path} = @{bin}/ucf
profile ucf @{exec_path} flags=(complain) { profile ucf @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
/{usr/,}bin/cat rix, @{bin}/cat rix,
/{usr/,}bin/cp rix, @{bin}/cp rix,
/{usr/,}bin/dirname rix, @{bin}/dirname rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/getopt rix, @{bin}/getopt rix,
/{usr/,}bin/id rix, @{bin}/id rix,
/{usr/,}bin/md5sum rix, @{bin}/md5sum rix,
/{usr/,}bin/mkdir rix, @{bin}/mkdir rix,
/{usr/,}bin/mv rix, @{bin}/mv rix,
/{usr/,}bin/perl rix, @{bin}/perl rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
/{usr/,}bin/seq rix, @{bin}/seq rix,
/{usr/,}bin/stat rix, @{bin}/stat rix,
/{usr/,}bin/tr rix, @{bin}/tr rix,
/{usr/,}bin/which{,.debianutils} rix, @{bin}/which{,.debianutils} rix,
# Do not strip env to avoid errors like the following: # Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored. # shared object file): ignored.
/{usr/,}bin/dpkg-query rpx, @{bin}/dpkg-query rpx,
# #
/{usr/,}bin/dpkg-divert rPx, @{bin}/dpkg-divert rPx,
/{usr/,}bin/sensible-pager rCx -> pager, @{bin}/sensible-pager rCx -> pager,
# Think what to do about this (#FIXME#) # Think what to do about this (#FIXME#)
/usr/share/debconf/frontend rPx, /usr/share/debconf/frontend rPx,
@ -73,8 +73,8 @@ profile ucf @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/sensible-pager mr, @{bin}/sensible-pager mr,
# For shell pwd # For shell pwd
/root/ r, /root/ r,
@ -88,13 +88,13 @@ profile ucf @{exec_path} flags=(complain) {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r, /usr/share/debconf/frontend r,
/{usr/,}bin/perl r, @{bin}/perl r,
/{usr/,}bin/ucf rPx, @{bin}/ucf rPx,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/stty rix, @{bin}/stty rix,
/{usr/,}bin/locale rix, @{bin}/locale rix,
/etc/debconf.conf r, /etc/debconf.conf r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
@ -105,8 +105,8 @@ profile ucf @{exec_path} flags=(complain) {
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
capability dac_read_search, capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix, @{bin}/hostname rix,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r, @{HOME}/.Xauthority r,

24
apparmor.d/profiles-s-z/udiskie
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/udiskie @{exec_path} = @{bin}/udiskie
profile udiskie @{exec_path} { profile udiskie @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/dconf-write>
@ -22,10 +22,10 @@ profile udiskie @{exec_path} {
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/xdg-open rCx -> open, @{bin}/xdg-open rCx -> open,
owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/ r,
owner @{user_config_dirs}/udiskie/config.yml r, owner @{user_config_dirs}/udiskie/config.yml r,
@ -37,28 +37,28 @@ profile udiskie @{exec_path} {
/etc/fstab r, /etc/fstab r,
# Allowed apps to open # Allowed apps to open
/{usr/,}bin/spacefm rPx, @{bin}/spacefm rPx,
# Silencer # Silencer
deny /{usr/,}lib/** w, deny @{lib}/** w,
profile open { profile open {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr, @{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}bin/spacefm rPx, @{bin}/spacefm rPx,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,

4
apparmor.d/profiles-s-z/udiskie-info
View file

@ -6,13 +6,13 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/udiskie-info @{exec_path} = @{bin}/udiskie-info
profile udiskie-info @{exec_path} { profile udiskie-info @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/python> include <abstractions/python>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/usr/bin/ r, /usr/bin/ r,

4
apparmor.d/profiles-s-z/udiskie-mount
View file

@ -6,13 +6,13 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/udiskie-mount @{exec_path} = @{bin}/udiskie-mount
profile udiskie-mount @{exec_path} { profile udiskie-mount @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/python> include <abstractions/python>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/usr/bin/ r, /usr/bin/ r,

4
apparmor.d/profiles-s-z/udiskie-umount
View file

@ -6,13 +6,13 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/udiskie-umount @{exec_path} = @{bin}/udiskie-umount
profile udiskie-umount @{exec_path} { profile udiskie-umount @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/python> include <abstractions/python>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/usr/bin/ r, /usr/bin/ r,

10
apparmor.d/profiles-s-z/udisksctl
View file

@ -7,17 +7,17 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/udisksctl @{exec_path} = @{bin}/udisksctl
profile udisksctl @{exec_path} { profile udisksctl @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/pager rPx -> child-pager, @{bin}/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager, @{bin}/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager, @{bin}/more rPx -> child-pager,
/dev/tty rw, /dev/tty rw,

38
apparmor.d/profiles-s-z/udisksd
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{libexec}/{,udisks2/}udisksd @{exec_path} = @{lib}/{,udisks2/}udisksd
profile udisksd @{exec_path} flags=(attach_disconnected) { profile udisksd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
@ -95,25 +95,25 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/umount rix, @{bin}/umount rix,
/{usr/,}{s,}bin/dmidecode rPx, @{bin}/dmidecode rPx,
/{usr/,}{s,}bin/dumpe2fs rPx, @{bin}/dumpe2fs rPx,
/{usr/,}{s,}bin/fsck.fat rPx, @{bin}/eject rPx,
/{usr/,}{s,}bin/lvm rPUx, @{bin}/fsck.fat rPx,
/{usr/,}{s,}bin/mke2fs rPx, @{bin}/lvm rPUx,
/{usr/,}{s,}bin/mkfs.btrfs rPx, @{bin}/mke2fs rPx,
/{usr/,}{s,}bin/mkfs.ext{2,3,4} rPx, @{bin}/mkfs.btrfs rPx,
/{usr/,}{s,}bin/mkfs.fat rPx, @{bin}/mkfs.ext{2,3,4} rPx,
/{usr/,}{s,}bin/sfdisk rPx, @{bin}/mkfs.fat rPx,
/{usr/,}{s,}bin/sgdisk rPx, @{bin}/mount.exfat-fuse rPUx,
/{usr/,}bin/eject rPx, @{bin}/ntfs-3g rPx,
/{usr/,}bin/mount.exfat-fuse rPUx, @{bin}/ntfsfix rPx,
/{usr/,}bin/ntfs-3g rPx, @{bin}/sfdisk rPx,
/{usr/,}bin/ntfsfix rPx, @{bin}/sgdisk rPx,
/{usr/,}bin/systemctl rPx -> child-systemctl, @{bin}/systemctl rPx -> child-systemctl,
/{usr/,}bin/systemd-escape rPx, @{bin}/systemd-escape rPx,
/etc/udisks2/{,**} r, /etc/udisks2/{,**} r,
/etc/libblockdev/{,**} r, /etc/libblockdev/{,**} r,

6
apparmor.d/profiles-s-z/umount
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/umount @{exec_path} = @{bin}/umount
profile umount @{exec_path} { profile umount @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -27,8 +27,8 @@ profile umount @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}{s,}bin/umount.* rPx, @{bin}/umount.* rPx,
/{usr/,}{s,}bin/mount.* rPx, @{bin}/mount.* rPx,
# Mount points # Mount points
@{HOME}/ r, @{HOME}/ r,

2
apparmor.d/profiles-s-z/umount.udisks2
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/umount.udisks2 @{exec_path} = @{bin}/umount.udisks2
profile umount.udisks2 @{exec_path} flags=(complain) { profile umount.udisks2 @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>

2
apparmor.d/profiles-s-z/uname
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/uname @{exec_path} = @{bin}/uname
profile uname @{exec_path} { profile uname @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>

6
apparmor.d/profiles-s-z/unhide-linux
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/unhide{,-linux} @{exec_path} = @{bin}/unhide{,-linux}
profile unhide-linux @{exec_path} { profile unhide-linux @{exec_path} {
include <abstractions/base> include <abstractions/base>
@ -17,8 +17,8 @@ profile unhide-linux @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/ps rix, @{bin}/ps rix,
@{PROC}/ r, @{PROC}/ r,
@{PROC}/uptime r, @{PROC}/uptime r,

10
apparmor.d/profiles-s-z/unhide-posix
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/unhide-posix @{exec_path} = @{bin}/unhide-posix
profile unhide-posix @{exec_path} { profile unhide-posix @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -17,10 +17,10 @@ profile unhide-posix @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/ps rix, @{bin}/{,e}grep rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/{,e}grep rix, @{bin}/ps rix,
@{PROC}/ r, @{PROC}/ r,
@{PROC}/uptime r, @{PROC}/uptime r,

2
apparmor.d/profiles-s-z/unhide-rb
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/unhide_rb @{exec_path} = @{bin}/unhide_rb
profile unhide-rb @{exec_path} { profile unhide-rb @{exec_path} {
include <abstractions/base> include <abstractions/base>

12
apparmor.d/profiles-s-z/unhide-tcp
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/unhide-tcp @{exec_path} = @{bin}/unhide-tcp
profile unhide-tcp @{exec_path} { profile unhide-tcp @{exec_path} {
include <abstractions/base> include <abstractions/base>
@ -17,11 +17,11 @@ profile unhide-tcp @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/sed rix, @{bin}/fuser rix,
/{usr/,}bin/ss rix, @{bin}/netstat rix,
/{usr/,}bin/netstat rix, @{bin}/sed rix,
/{usr/,}bin/fuser rix, @{bin}/ss rix,
@{PROC}/@{pids}/net/tcp{,6} r, @{PROC}/@{pids}/net/tcp{,6} r,
@{PROC}/@{pids}/net/udp{,6} r, @{PROC}/@{pids}/net/udp{,6} r,

2
apparmor.d/profiles-s-z/unix-chkpwd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/unix_chkpwd @{exec_path} = @{bin}/unix_chkpwd
profile unix-chkpwd @{exec_path} { profile unix-chkpwd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>

37
apparmor.d/profiles-s-z/unmkinitramfs
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/unmkinitramfs @{exec_path} = @{bin}/unmkinitramfs
profile unmkinitramfs @{exec_path} { profile unmkinitramfs @{exec_path} {
include <abstractions/base> include <abstractions/base>
@ -15,25 +15,24 @@ profile unmkinitramfs @{exec_path} {
capability mknod, capability mknod,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/xzcat rix, @{bin}/{,e}grep rix,
/{usr/,}bin/lz4cat rix, @{bin}/bzip2 rix,
/{usr/,}bin/mkdir rix, @{bin}/cat rix,
/{usr/,}bin/mktemp rix, @{bin}/cpio rix,
/{usr/,}bin/rm rix, @{bin}/dd rix,
/{usr/,}bin/dd rix, @{bin}/getopt rix,
/{usr/,}bin/{,e}grep rix, @{bin}/gzip rix,
/{usr/,}bin/getopt rix, @{bin}/lz4cat rix,
@{bin}/lzma rix,
/{usr/,}bin/cpio rix, @{bin}/lzop rix,
/{usr/,}bin/gzip rix, @{bin}/mkdir rix,
/{usr/,}bin/bzip2 rix, @{bin}/mktemp rix,
/{usr/,}bin/lzma rix, @{bin}/rm rix,
/{usr/,}bin/lzop rix, @{bin}/xz rix,
/{usr/,}bin/xz rix, @{bin}/xzcat rix,
/{usr/,}bin/zstd rix, @{bin}/zstd rix,
/boot/ r, /boot/ r,
owner /boot/initrd.img-* r, owner /boot/initrd.img-* r,

10
apparmor.d/profiles-s-z/update-alternatives
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/update-alternatives @{exec_path} = @{bin}/update-alternatives
profile update-alternatives @{exec_path} { profile update-alternatives @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -20,11 +20,11 @@ profile update-alternatives @{exec_path} {
/var/lib/dpkg/alternatives/ r, /var/lib/dpkg/alternatives/ r,
/var/lib/dpkg/alternatives/* rw, /var/lib/dpkg/alternatives/* rw,
/{usr/,}bin/* w, @{bin}/* w,
/{usr/,}bin/*.dpkg-tmp rw, @{bin}/*.dpkg-tmp rw,
/{usr/,}sbin/* w, @{bin}/* w,
/{usr/,}sbin/*.dpkg-tmp rw, @{bin}/*.dpkg-tmp rw,
/usr/** rw, /usr/** rw,

60
apparmor.d/profiles-s-z/update-ca-certificates
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/update-ca-certificates @{exec_path} = @{bin}/update-ca-certificates
profile update-ca-certificates @{exec_path} { profile update-ca-certificates @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -15,28 +15,28 @@ profile update-ca-certificates @{exec_path} {
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
/{usr/,}bin/cat rix, @{bin}/cat rix,
/{usr/,}bin/chmod rix, @{bin}/chmod rix,
/{usr/,}bin/find rix, @{bin}/find rix,
/{usr/,}bin/flock rix, @{bin}/flock rix,
/{usr/,}bin/ln rix, @{bin}/ln rix,
/{usr/,}bin/mktemp rix, @{bin}/mktemp rix,
/{usr/,}bin/mv rix, @{bin}/mv rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
/{usr/,}bin/sort rix, @{bin}/sort rix,
/{usr/,}bin/test rix, @{bin}/test rix,
/{usr/,}bin/wc rix, @{bin}/wc rix,
/{usr/,}bin/openssl rix, @{bin}/openssl rix,
/etc/ca-certificates/update.d/ r, /etc/ca-certificates/update.d/ r,
/etc/ca-certificates/update.d/jks-keystore rCx -> jks-keystore, /etc/ca-certificates/update.d/jks-keystore rCx -> jks-keystore,
/{usr/,}bin/run-parts rCx -> run-parts, @{bin}/run-parts rCx -> run-parts,
/etc/ r, /etc/ r,
/etc/ca-certificates.conf r, /etc/ca-certificates.conf r,
@ -44,7 +44,7 @@ profile update-ca-certificates @{exec_path} {
/etc/ssl/certs/*.pem rw, /etc/ssl/certs/*.pem rw,
/etc/ssl/certs/@{hex}.[0-9] rw, /etc/ssl/certs/@{hex}.[0-9] rw,
/{usr/,}lib/locale/locale-archive r, @{lib}/locale/locale-archive r,
/tmp/ r, /tmp/ r,
owner /tmp/ca-certificates{,.crt}.tmp.* rw, owner /tmp/ca-certificates{,.crt}.tmp.* rw,
@ -57,7 +57,7 @@ profile update-ca-certificates @{exec_path} {
profile run-parts { profile run-parts {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/run-parts mr, @{bin}/run-parts mr,
/etc/ca-certificates/update.d/ r, /etc/ca-certificates/update.d/ r,
@ -74,21 +74,21 @@ profile update-ca-certificates @{exec_path} {
/etc/ca-certificates/update.d/jks-keystore mr, /etc/ca-certificates/update.d/jks-keystore mr,
/{usr/,}lib/ r, @{lib}/ r,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/jre/bin/java rix, @{lib}/jvm/java-[0-9]*-openjdk-*/jre/bin/java rix,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/bin/java rix, @{lib}/jvm/java-[0-9]*-openjdk-*/bin/java rix,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/lib/server/classes.jsa mr, @{lib}/jvm/java-[0-9]*-openjdk-*/lib/server/classes.jsa mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
/{usr/,}bin/head rix, @{bin}/head rix,
/{usr/,}bin/mountpoint rix, @{bin}/mountpoint rix,
# Do not strip env to avoid errors like the following: # Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored. # shared object file): ignored.
/{usr/,}bin/dpkg-query rpx, @{bin}/dpkg-query rpx,
# #
/{usr/,}bin/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
/usr/share/ca-certificates-java/ca-certificates-java.jar r, /usr/share/ca-certificates-java/ca-certificates-java.jar r,
/usr/share/java/java-atk-wrapper.jar r, /usr/share/java/java-atk-wrapper.jar r,

10
apparmor.d/profiles-s-z/update-ca-trust
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/update-ca-trust @{exec_path} = @{bin}/update-ca-trust
profile update-ca-trust @{exec_path} { profile update-ca-trust @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
@ -15,10 +15,10 @@ profile update-ca-trust @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/bash rix, @{bin}/bash rix,
/{usr/,}bin/find rix, @{bin}/find rix,
/{usr/,}bin/ln rix, @{bin}/ln rix,
/{usr/,}bin/trust rix, @{bin}/trust rix,
/ r, / r,
/usr/share/p11-kit/modules/{,*} r, /usr/share/p11-kit/modules/{,*} r,

12
apparmor.d/profiles-s-z/update-command-not-found
View file

@ -8,8 +8,8 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /usr/share/command-not-found/cnf-update-db @{exec_path} = /usr/share/command-not-found/cnf-update-db
@{exec_path} += /{usr/,}{s,}bin/update-command-not-found @{exec_path} += @{bin}/update-command-not-found
@{exec_path} += /{usr/,}lib/cnf-update-db @{exec_path} += @{lib}/cnf-update-db
profile update-command-not-found @{exec_path} { profile update-command-not-found @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -20,11 +20,11 @@ profile update-command-not-found @{exec_path} {
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/{usr/,}lib/ r, @{lib}/ r,
/{usr/,}bin/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
/{usr/,}lib/apt/apt-helper rix, @{lib}/apt/apt-helper rix,
/usr/share/dpkg/cputable r, /usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r, /usr/share/dpkg/tupletable r,

22
apparmor.d/profiles-s-z/update-cracklib
View file

@ -6,23 +6,23 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/update-cracklib @{exec_path} = @{bin}/update-cracklib
profile update-cracklib @{exec_path} { profile update-cracklib @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}{s,}bin/cracklib-format rix, @{bin}/{,ba,da}sh rix,
/{usr/,}{s,}bin/cracklib-packer rPx, @{bin}/cracklib-format rix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/cracklib-packer rPx,
/{usr/,}bin/env rix, @{bin}/env rix,
/{usr/,}bin/file rix, @{bin}/file rix,
/{usr/,}bin/find rix, @{bin}/find rix,
/{usr/,}bin/grep rix, @{bin}/grep rix,
/{usr/,}bin/gzip rix, @{bin}/gzip rix,
/{usr/,}bin/sort rix, @{bin}/sort rix,
/{usr/,}bin/tr rix, @{bin}/tr rix,
/ r, / r,
/usr/share/dict/{,*} r, /usr/share/dict/{,*} r,

22
apparmor.d/profiles-s-z/update-dlocatedb
View file

@ -6,24 +6,24 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/update-dlocatedb @{exec_path} = @{bin}/update-dlocatedb
profile update-dlocatedb @{exec_path} { profile update-dlocatedb @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/cat rix, @{bin}/cat rix,
/{usr/,}bin/uname rix, @{bin}/uname rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
/{usr/,}bin/sort rix, @{bin}/sort rix,
/{usr/,}bin/uniq rix, @{bin}/uniq rix,
/{usr/,}bin/ionice rix, @{bin}/ionice rix,
/usr/share/dlocate/updatedb rCx -> updatedb, /usr/share/dlocate/updatedb rCx -> updatedb,
/{usr/,}bin/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
owner @{PROC}/@{pid}/fd/2 w, owner @{PROC}/@{pid}/fd/2 w,
@ -38,7 +38,7 @@ profile update-dlocatedb @{exec_path} {
include <abstractions/perl> include <abstractions/perl>
/usr/share/dlocate/updatedb r, /usr/share/dlocate/updatedb r,
/{usr/,}bin/perl r, @{bin}/perl r,
/etc/default/dlocate r, /etc/default/dlocate r,
@ -54,7 +54,7 @@ profile update-dlocatedb @{exec_path} {
/var/lib/dpkg/info/*.list r, /var/lib/dpkg/info/*.list r,
# For compression # For compression
/{usr/,}bin/gzip rix, @{bin}/gzip rix,
/var/lib/dlocate/dlocatedb.gz rw, /var/lib/dlocate/dlocatedb.gz rw,
} }

32
apparmor.d/profiles-s-z/update-initramfs
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}sbin/update-initramfs @{exec_path} = @{bin}/update-initramfs
profile update-initramfs @{exec_path} { profile update-initramfs @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -15,24 +15,24 @@ profile update-initramfs @{exec_path} {
ptrace (read) peer=unconfined, ptrace (read) peer=unconfined,
@{exec_path} rix, @{exec_path} rix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}sbin/ r, @{bin}/ r,
/{usr/,}bin/cat rix, @{bin}/cat rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/getopt rix, @{bin}/getopt rix,
/{usr/,}bin/ischroot rix, @{bin}/ischroot rix,
/{usr/,}bin/ln rix, @{bin}/ln rix,
/{usr/,}bin/mv rix, @{bin}/mv rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/sha1sum rix, @{bin}/sha1sum rix,
/{usr/,}bin/sync rix, @{bin}/sync rix,
/{usr/,}bin/uname rix, @{bin}/uname rix,
/{usr/,}bin/dpkg-trigger rPx, @{bin}/dpkg-trigger rPx,
/{usr/,}bin/linux-version rPx, @{bin}/linux-version rPx,
/{usr/,}sbin/mkinitramfs rPx, @{bin}/mkinitramfs rPx,
/var/lib/initramfs-tools/* w, /var/lib/initramfs-tools/* w,

46
apparmor.d/profiles-s-z/update-pciids
View file

@ -6,33 +6,33 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/update-pciids @{exec_path} = @{bin}/update-pciids
profile update-pciids @{exec_path} { profile update-pciids @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/touch rix, @{bin}/touch rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/mv rix, @{bin}/mv rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
/{usr/,}bin/chown rix, @{bin}/chown rix,
/{usr/,}bin/chmod rix, @{bin}/chmod rix,
/{usr/,}bin/echo rix, @{bin}/echo rix,
/{usr/,}bin/cat rix, @{bin}/cat rix,
/{usr/,}bin/which{,.debianutils} rix, @{bin}/which{,.debianutils} rix,
/{usr/,}bin/bunzip2 rix, @{bin}/bunzip2 rix,
/{usr/,}bin/bzip2 rix, @{bin}/bzip2 rix,
/{usr/,}bin/gzip rix, @{bin}/gzip rix,
/{usr/,}bin/ln rix, @{bin}/ln rix,
/{usr/,}bin/zgrep rix, @{bin}/zgrep rix,
/{usr/,}bin/wget rCx -> browse, @{bin}/wget rCx -> browse,
/{usr/,}bin/curl rCx -> browse, @{bin}/curl rCx -> browse,
/{usr/,}bin/lynx rCx -> browse, @{bin}/lynx rCx -> browse,
/usr/share/misc/ r, /usr/share/misc/ r,
/usr/share/misc/* rwl -> /usr/share/misc/*, /usr/share/misc/* rwl -> /usr/share/misc/*,
@ -52,9 +52,9 @@ profile update-pciids @{exec_path} {
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
/{usr/,}bin/wget mr, @{bin}/wget mr,
/{usr/,}bin/curl mr, @{bin}/curl mr,
/{usr/,}bin/lynx mr, @{bin}/lynx mr,
/etc/wgetrc r, /etc/wgetrc r,
owner @{HOME}/.wget-hsts rwk, owner @{HOME}/.wget-hsts rwk,

20
apparmor.d/profiles-s-z/update-secureboot-policy
View file

@ -7,22 +7,22 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{,s}bin/update-secureboot-policy @{exec_path} = @{bin}/update-secureboot-policy
profile update-secureboot-policy @{exec_path} { profile update-secureboot-policy @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@{exec_path} rm, @{exec_path} rm,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{,m,g}awk rix, @{bin}/{,m,g}awk rix,
/{usr/,}bin/dpkg-trigger rPx, @{bin}/dpkg-trigger rPx,
/{usr/,}bin/find rix, @{bin}/find rix,
/{usr/,}bin/id rix, @{bin}/id rix,
/{usr/,}bin/od rix, @{bin}/od rix,
/{usr/,}bin/sort rix, @{bin}/sort rix,
/{usr/,}bin/touch rix, @{bin}/touch rix,
/{usr/,}bin/wc rix, @{bin}/wc rix,
/usr/share/debconf/frontend rPx, /usr/share/debconf/frontend rPx,
/usr/share/debconf/confmodule r, /usr/share/debconf/confmodule r,

50
apparmor.d/profiles-s-z/update-smart-drivedb
View file

@ -6,33 +6,33 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/update-smart-drivedb @{exec_path} = @{bin}/update-smart-drivedb
profile update-smart-drivedb @{exec_path} { profile update-smart-drivedb @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/cat rix, @{bin}/cat rix,
/{usr/,}bin/dirname rix, @{bin}/dirname rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/dd rix, @{bin}/dd rix,
/{usr/,}bin/wc rix, @{bin}/wc rix,
/{usr/,}bin/touch rix, @{bin}/touch rix,
/{usr/,}bin/mkdir rix, @{bin}/mkdir rix,
/{usr/,}bin/chmod rix, @{bin}/chmod rix,
/{usr/,}bin/mv rix, @{bin}/mv rix,
/{usr/,}bin/cmp rix, @{bin}/cmp rix,
/{usr/,}{s,}bin/ r, @{bin}/ r,
/{usr/,}{s,}bin/smartctl rPx, @{bin}/smartctl rPx,
/{usr/,}bin/gpg{,2} rCx -> gpg, @{bin}/gpg{,2} rCx -> gpg,
/{usr/,}bin/wget rCx -> browse, @{bin}/wget rCx -> browse,
/{usr/,}bin/curl rCx -> browse, @{bin}/curl rCx -> browse,
/{usr/,}bin/lynx rCx -> browse, @{bin}/lynx rCx -> browse,
/var/lib/smartmontools/drivedb/drivedb.h{,.*} rw, /var/lib/smartmontools/drivedb/drivedb.h{,.*} rw,
@ -46,9 +46,9 @@ profile update-smart-drivedb @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
/{usr/,}bin/gpg{,2} mr, @{bin}/gpg{,2} mr,
/{usr/,}bin/gpg-agent rix, @{bin}/gpg-agent rix,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
@ -71,11 +71,11 @@ profile update-smart-drivedb @{exec_path} {
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
/{usr/,}bin/wget mr, @{bin}/wget mr,
/{usr/,}bin/curl mr, @{bin}/curl mr,
/{usr/,}bin/lynx mr, @{bin}/lynx mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/etc/mime.types r, /etc/mime.types r,
/etc/mailcap r, /etc/mailcap r,

4
apparmor.d/profiles-s-z/updatedb-mlocate
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/updatedb.mlocate @{exec_path} = @{bin}/updatedb.mlocate
profile updatedb-mlocate @{exec_path} { profile updatedb-mlocate @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -18,7 +18,7 @@ profile updatedb-mlocate @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}{s,}bin/on_ac_power rPx, @{bin}/on_ac_power rPx,
# For shell pwd # For shell pwd
/ r, / r,

2
apparmor.d/profiles-s-z/updatedb.plocate
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}sbin/updatedb.plocate @{exec_path} = @{bin}/updatedb.plocate
profile updatedb.plocate @{exec_path} { profile updatedb.plocate @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>

2
apparmor.d/profiles-s-z/uptime
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/uptime @{exec_path} = @{bin}/uptime
profile uptime @{exec_path} { profile uptime @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>

2
apparmor.d/profiles-s-z/uptimed
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/uptimed @{exec_path} = @{bin}/uptimed
profile uptimed @{exec_path} { profile uptimed @{exec_path} {
include <abstractions/base> include <abstractions/base>

14
apparmor.d/profiles-s-z/usb-devices
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/usb-devices @{exec_path} = @{bin}/usb-devices
profile usb-devices @{exec_path} { profile usb-devices @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -16,13 +16,13 @@ profile usb-devices @{exec_path} {
deny capability dac_override, deny capability dac_override,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/cat rix, @{bin}/cat rix,
/{usr/,}bin/cut rix, @{bin}/cut rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
# For shell pwd # For shell pwd
/root/ r, /root/ r,

2
apparmor.d/profiles-s-z/usbguard
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/usbguard @{exec_path} = @{bin}/usbguard
profile usbguard @{exec_path} { profile usbguard @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>

2
apparmor.d/profiles-s-z/usbguard-applet-qt
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/usbguard-applet-qt @{exec_path} = @{bin}/usbguard-applet-qt
profile usbguard-applet-qt @{exec_path} { profile usbguard-applet-qt @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/X> include <abstractions/X>

2
apparmor.d/profiles-s-z/usbguard-daemon
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/usbguard-daemon @{exec_path} = @{bin}/usbguard-daemon
profile usbguard-daemon @{exec_path} { profile usbguard-daemon @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>

2
apparmor.d/profiles-s-z/usbguard-dbus
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/usbguard-dbus @{exec_path} = @{bin}/usbguard-dbus
profile usbguard-dbus @{exec_path} { profile usbguard-dbus @{exec_path} {
include <abstractions/base> include <abstractions/base>

2
apparmor.d/profiles-s-z/usbguard-notifier
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/usbguard-notifier @{exec_path} = @{bin}/usbguard-notifier
profile usbguard-notifier @{exec_path} { profile usbguard-notifier @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>

34
apparmor.d/profiles-s-z/uscan
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/uscan @{exec_path} = @{bin}/uscan
profile uscan @{exec_path} { profile uscan @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -22,21 +22,21 @@ profile uscan @{exec_path} {
network netlink raw, network netlink raw,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, @{bin}/perl r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/pwd rix, @{bin}/pwd rix,
/{usr/,}bin/find rix, @{bin}/find rix,
/{usr/,}bin/file rix, @{bin}/file rix,
/{usr/,}bin/getconf rix, @{bin}/getconf rix,
/{usr/,}bin/tar rix, @{bin}/tar rix,
/{usr/,}bin/gzip rix, @{bin}/gzip rix,
/{usr/,}bin/bzip2 rix, @{bin}/bzip2 rix,
/{usr/,}bin/gunzip rix, @{bin}/gunzip rix,
/{usr/,}bin/xz rix, @{bin}/xz rix,
/{usr/,}bin/uupdate rPUx, @{bin}/uupdate rPUx,
# To run custom maintainer scripts # To run custom maintainer scripts
owner @{user_build_dirs}/**/debian/* rPUx, owner @{user_build_dirs}/**/debian/* rPUx,
@ -44,8 +44,8 @@ profile uscan @{exec_path} {
/usr/share/*/debian/ r, /usr/share/*/debian/ r,
/usr/share/*/debian/changelog r, /usr/share/*/debian/changelog r,
/{usr/,}bin/gpg{,2} rCx -> gpg, @{bin}/gpg{,2} rCx -> gpg,
/{usr/,}bin/gpgv rCx -> gpg, @{bin}/gpgv rCx -> gpg,
/etc/dpkg/origins/debian r, /etc/dpkg/origins/debian r,
@ -62,8 +62,8 @@ profile uscan @{exec_path} {
profile gpg { profile gpg {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/gpg{,2} mr, @{bin}/gpg{,2} mr,
/{usr/,}bin/gpgv mr, @{bin}/gpgv mr,
owner @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, owner @{HOME}/@{XDG_GPG_DIR}/gpg.conf r,
owner @{HOME}/@{XDG_GPG_DIR}/pubring.{gpg,kbx} r, owner @{HOME}/@{XDG_GPG_DIR}/pubring.{gpg,kbx} r,

8
apparmor.d/profiles-s-z/useradd
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/useradd @{exec_path} = @{bin}/useradd
profile useradd @{exec_path} { profile useradd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -24,9 +24,9 @@ profile useradd @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}{s,}bin/usermod rPx, @{bin}/usermod rPx,
/{usr/,}{s,}bin/pam_tally2 rCx -> pam_tally2, @{bin}/pam_tally2 rCx -> pam_tally2,
/etc/default/useradd r, /etc/default/useradd r,
/etc/login.defs r, /etc/login.defs r,
@ -63,7 +63,7 @@ profile useradd @{exec_path} {
capability audit_write, capability audit_write,
/{usr/,}{s,}bin/pam_tally2 mr, @{bin}/pam_tally2 mr,
/var/log/tallylog rw, /var/log/tallylog rw,

2
apparmor.d/profiles-s-z/userdel
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/userdel @{exec_path} = @{bin}/userdel
profile userdel @{exec_path} flags=(attach_disconnected) { profile userdel @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>

Some files were not shown because too many files have changed in this diff Show more