refactor(profiles): use @{bin} and @{lib} in profiles (7)

This commit is contained in:
Alexandre Pujol 2023-07-09 14:59:53 +01:00
parent 7c2c806ffa
commit 2b2c42d23c
155 changed files with 938 additions and 938 deletions


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/s3fs
@{exec_path} = @{bin}/s3fs
profile s3fs @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -24,7 +24,7 @@ profile s3fs @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
@{bin}/fusermount{,3} rCx -> fusermount,
/etc/mime.types r,
/etc/passwd-s3fs r,
@ -53,7 +53,7 @@ profile s3fs @{exec_path} {
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
/{usr/,}bin/fusermount{,3} mr,
@{bin}/fusermount{,3} mr,
/etc/fuse.conf r,


@ -12,9 +12,9 @@ profile sanoid @{exec_path} flags=(complain) {
include <abstractions/perl>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/perl rix,
/{usr/,}bin/ps rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/perl rix,
@{bin}/ps rPx,
/{usr/,}{local/,}{s,}bin/zfs rPx,
/etc/sanoid/{*,} r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/sbctl
@{exec_path} = @{bin}/sbctl
profile sbctl @{exec_path} {
include <abstractions/base>
@ -15,14 +15,14 @@ profile sbctl @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/lsblk rPx,
@{bin}/lsblk rPx,
/usr/share/secureboot/{,**} rw,
/{boot,efi}/{,**} r,
/{boot,efi}/EFI/{,**} rw,
/{boot,efi}/vmlinuz-linux* rw,
/{usr/,}lib/fwupd/efi/{,**} rw,
@{lib}/fwupd/efi/{,**} rw,
@{sys}/firmware/efi/efivars/db-@{uuid} rw,
@{sys}/firmware/efi/efivars/KEK-@{uuid} rw,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/scrcpy
@{exec_path} = @{bin}/scrcpy
profile scrcpy @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>
@ -22,7 +22,7 @@ profile scrcpy @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/adb rPx,
@{bin}/adb rPx,
/usr/share/scrcpy/{,*} r,
/usr/share/icons/{,**} r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/scrot
@{exec_path} = @{bin}/scrot
profile scrot @{exec_path} {
include <abstractions/base>
include <abstractions/user-download-strict>
@ -14,8 +14,8 @@ profile scrot @{exec_path} {
@{exec_path} mr,
# "mv" is needed to change the image dir
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mv rix,
@{bin}/{,ba,da}sh rix,
@{bin}/mv rix,
# The image dir
owner @{HOME}/*.png rw,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/sdcv
@{exec_path} = @{bin}/sdcv
profile sdcv @{exec_path} {
include <abstractions/base>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/sensors
@{exec_path} = @{bin}/sensors
profile sensors @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/sensors-detect
@{exec_path} = @{bin}/sensors-detect
profile sensors-detect @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
@ -15,7 +15,7 @@ profile sensors-detect @{exec_path} {
capability syslog,
@{exec_path} r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/usr/bin/uname rix,
@ -48,7 +48,7 @@ profile sensors-detect @{exec_path} {
ptrace (read),
/{usr/,}bin/udevadm mr,
@{bin}/udevadm mr,
/etc/udev/udev.conf r,
@ -62,12 +62,12 @@ profile sensors-detect @{exec_path} {
profile kmod {
include <abstractions/base>
/{usr/,}bin/kmod mr,
@{bin}/kmod mr,
@{PROC}/cmdline r,
/{usr/,}lib/modprobe.d/ r,
/{usr/,}lib/modprobe.d/*.conf r,
@{lib}/modprobe.d/ r,
@{lib}/modprobe.d/*.conf r,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
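Review bot: `/usr/bin/uname rix,` directly below the converted `@{bin}/perl r,` line in the first hunk is still a hard-coded absolute path with neither the old `/{usr/,}` alternation nor the new `@{bin}` variable, which looks like an oversight of this refactor rather than a deliberate exception; on a system where uname resolves under `/bin` the rule would not match. For consistency with the rest of the commit the line should read `@{bin}/uname rix,`. It is an untouched context line here, and the sensors-detect profile, including the kmod child profile whose closing brace is not shown, extends beyond these hunks.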


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/setpci
@{exec_path} = @{bin}/setpci
profile setpci @{exec_path} flags=(complain) {
include <abstractions/base>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/sfdisk
@{exec_path} = @{bin}/sfdisk
profile sfdisk @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/sgdisk
@{exec_path} = @{bin}/sgdisk
profile sgdisk @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/slirp4netns
@{exec_path} = @{bin}/slirp4netns
profile slirp4netns @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/smartctl
@{exec_path} = @{bin}/smartctl
profile smartctl @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/smartd
@{exec_path} = @{bin}/smartd
profile smartd @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
@ -25,12 +25,12 @@ profile smartd @{exec_path} {
deny capability net_admin,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/hostname rix,
/{usr/,}bin/mail rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/run-parts rix,
@{bin}/{,ba,da}sh rix,
@{bin}/cat rix,
@{bin}/hostname rix,
@{bin}/mail rix,
@{bin}/mktemp rix,
@{bin}/run-parts rix,
/usr/share/smartmontools/{smartd-runner,smartd_warning.sh} rix,
/etc/smartmontools/run.d/* rix,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/smplayer
@{exec_path} = @{bin}/smplayer
profile smplayer @{exec_path} {
include <abstractions/base>
include <abstractions/audio>
@ -40,11 +40,11 @@ profile smplayer @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/mpv rPx,
/{usr/,}bin/pacmd rPx,
/{usr/,}bin/smtube rPx,
/{usr/,}bin/youtube-dl rPx,
/{usr/,}bin/yt-dlp rPx,
@{bin}/mpv rPx,
@{bin}/pacmd rPx,
@{bin}/smtube rPx,
@{bin}/youtube-dl rPx,
@{bin}/yt-dlp rPx,
/usr/share/qt5ct/** r,
/usr/share/hwdata/pnp.ids r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/smtube
@{exec_path} = @{bin}/smtube
profile smtube @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -64,17 +64,17 @@ profile smtube @{exec_path} {
deny @{PROC}/sys/kernel/random/boot_id r,
# Players
/{usr/,}bin/mpv rPUx,
/{usr/,}bin/smplayer rPUx,
/{usr/,}bin/vlc rPUx,
/{usr/,}bin/cvlc rPUx,
/{usr/,}bin/youtube-dl rPUx,
/{usr/,}bin/yt-dlp rPUx,
@{bin}/mpv rPUx,
@{bin}/smplayer rPUx,
@{bin}/vlc rPUx,
@{bin}/cvlc rPUx,
@{bin}/youtube-dl rPUx,
@{bin}/yt-dlp rPUx,
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/xdg-open rCx -> open,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner /dev/tty[0-9]* rw,
@ -84,19 +84,19 @@ profile smtube @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -37,10 +37,10 @@ profile snap @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/mount rix,
@{bin}/mount rix,
/{usr/,}bin/gpg{,2} rCx -> gpg,
/{usr/,}bin/systemctl rPx -> child-systemctl,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/systemctl rPx -> child-systemctl,
/snap/{,**} rw,
/{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-confine rPx,
@ -85,11 +85,11 @@ profile snap @{exec_path} {
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpg{,2} mr,
@{bin}/gpg{,2} mr,
/{usr/,}bin/dirmngr rix,
/{usr/,}bin/gpg-agent rix,
/{usr/,}bin/gpg-connect-agent rix,
@{bin}/dirmngr rix,
@{bin}/gpg-agent rix,
@{bin}/gpg-connect-agent rix,
owner @{HOME}/.snap/gnupg/ rw,
owner @{HOME}/.snap/gnupg/** rwkl,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/snapd/snap-device-helper
@{exec_path} = @{lib}/snapd/snap-device-helper
profile snap-device-helper @{exec_path} {
include <abstractions/base>


@ -60,29 +60,29 @@ profile snapd @{exec_path} {
@{exec_path} mr,
/{usr/,}{s,}bin/adduser rPx,
/{usr/,}{s,}bin/groupadd rPx,
/{usr/,}{s,}bin/useradd rPx,
/{usr/,}bin/cloud-init rPUx, # TODO: rPx ? limited to ubtuntu core, otherwise out of scope
/{usr/,}bin/hostnamectl rPx,
/{usr/,}bin/ssh-keygen rPx,
@{bin}/adduser rPx,
@{bin}/cloud-init rPUx, # TODO: rPx ? limited to ubtuntu core, otherwise out of scope
@{bin}/groupadd rPx,
@{bin}/hostnamectl rPx,
@{bin}/ssh-keygen rPx,
@{bin}/useradd rPx,
/{usr/,}{s,}bin/apparmor_parser rPx,
/{usr/,}{s,}bin/runuser rCx -> runuser,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/journalctl rPx,
/{usr/,}bin/mount rix,
/{usr/,}bin/snap rPx,
/{usr/,}bin/sync rix,
/{usr/,}bin/systemctl rix,
/{usr/,}bin/systemd-detect-virt rPx,
/{usr/,}bin/tar rix,
/{usr/,}bin/udevadm rPx,
/{usr/,}bin/umount rix,
/{usr/,}bin/unsquashfs rix,
/{usr/,}bin/update-desktop-database rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/apparmor_parser rPx,
@{bin}/cp rix,
@{bin}/gzip rix,
@{bin}/journalctl rPx,
@{bin}/mount rix,
@{bin}/runuser rCx -> runuser,
@{bin}/snap rPx,
@{bin}/sync rix,
@{bin}/systemctl rix,
@{bin}/systemd-detect-virt rPx,
@{bin}/tar rix,
@{bin}/udevadm rPx,
@{bin}/umount rix,
@{bin}/unsquashfs rix,
@{bin}/update-desktop-database rPx,
/{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache-* mr,
/{snap/snapd/[0-9]*/,}{usr/,}bin/snap rPx,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/spacefm
@{exec_path} = @{bin}/spacefm
profile spacefm @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>


@ -6,12 +6,12 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/spacefm-auth
@{exec_path} = @{bin}/spacefm-auth
profile spacefm-auth @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
include if exists <local/spacefm-auth>
}


@ -22,57 +22,56 @@ profile spectre-meltdown-checker @{exec_path} {
ptrace (read),
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/ r,
/{usr/,}bin/dirname rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/head rix,
/{usr/,}bin/{,g,m}awk rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/od rix,
/{usr/,}bin/dd rix,
/{usr/,}bin/id rix,
/{usr/,}bin/gunzip rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/zstd rix,
/{usr/,}bin/bunzip2 rix,
/{usr/,}bin/lzop rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/stat rix,
/{usr/,}bin/tail rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/seq rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/perl rix,
/{usr/,}bin/base64 rix,
/{usr/,}bin/unzip rix,
/{usr/,}bin/{,@{multiarch}-}readelf rix,
/{usr/,}bin/{,@{multiarch}-}strings rix,
/{usr/,}bin/{,@{multiarch}-}objdump rix,
/{usr/,}{s,}bin/iucode_tool rix,
/{usr/,}{s,}bin/rdmsr rix,
/{usr/,}bin/dmesg rix,
/{usr/,}{s,}bin/mount rix,
/{usr/,}bin/find rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/nproc rix,
/{usr/,}bin/date rix,
/{usr/,}bin/pgrep rCx -> pgrep,
/{usr/,}bin/ccache rCx -> ccache,
/{usr/,}bin/kmod rCx -> kmod,
@{bin}/ r,
@{bin}/{,@{multiarch}-}objdump rix,
@{bin}/{,@{multiarch}-}readelf rix,
@{bin}/{,@{multiarch}-}strings rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/{,g,m}awk rix,
@{bin}/base64 rix,
@{bin}/basename rix,
@{bin}/bunzip2 rix,
@{bin}/cat rix,
@{bin}/ccache rCx -> ccache,
@{bin}/cut rix,
@{bin}/date rix,
@{bin}/dd rix,
@{bin}/dirname rix,
@{bin}/dmesg rix,
@{bin}/find rix,
@{bin}/gunzip rix,
@{bin}/gzip rix,
@{bin}/head rix,
@{bin}/id rix,
@{bin}/iucode_tool rix,
@{bin}/kmod rCx -> kmod,
@{bin}/lzop rix,
@{bin}/mktemp rix,
@{bin}/mount rix,
@{bin}/nproc rix,
@{bin}/od rix,
@{bin}/perl rix,
@{bin}/pgrep rCx -> pgrep,
@{bin}/rdmsr rix,
@{bin}/readlink rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/seq rix,
@{bin}/sort rix,
@{bin}/stat rix,
@{bin}/tail rix,
@{bin}/tr rix,
@{bin}/uname rix,
@{bin}/unzip rix,
@{bin}/xargs rix,
@{bin}/xz rix,
@{bin}/zstd rix,
# To fetch MCE.db from the MCExtractor project
/{usr/,}bin/wget rCx -> mcedb,
/{usr/,}bin/sqlite3 rCx -> mcedb,
@{bin}/wget rCx -> mcedb,
@{bin}/sqlite3 rCx -> mcedb,
owner /tmp/mcedb-* rw,
owner /tmp/smc-* rw,
owner /tmp/{,smc-}intelfw-*/ rw,
@ -116,11 +115,11 @@ profile spectre-meltdown-checker @{exec_path} {
profile ccache {
include <abstractions/base>
/{usr/,}bin/ccache mr,
@{bin}/ccache mr,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix,
@{lib}/llvm-[0-9]*/bin/clang rix,
@{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
@{bin}/{,@{multiarch}-}g++-[0-9]* rix,
/media/ccache/*/** rw,
@ -133,7 +132,7 @@ profile spectre-meltdown-checker @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/pgrep mr,
@{bin}/pgrep mr,
# The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.
@{PROC}/ r,
@ -159,8 +158,8 @@ profile spectre-meltdown-checker @{exec_path} {
network inet6 stream,
network netlink raw,
/{usr/,}bin/wget mr,
/{usr/,}bin/sqlite3 mr,
@{bin}/wget mr,
@{bin}/sqlite3 mr,
/etc/wgetrc r,
owner @{HOME}/.wget-hsts rwk,
@ -184,7 +183,7 @@ profile spectre-meltdown-checker @{exec_path} {
owner @{sys}/module/cpuid/** r,
owner @{sys}/module/msr/** r,
/{usr/,}bin/kmod mr,
@{bin}/kmod mr,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/speedtest{,-cli}
@{exec_path} = @{bin}/speedtest{,-cli}
profile speedtest @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -20,11 +20,11 @@ profile speedtest @{exec_path} {
network netlink raw,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/file rix,
/{usr/,}bin/uname rix,
@{bin}/ r,
@{bin}/file rix,
@{bin}/uname rix,
owner @{PROC}/@{pid}/fd/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/spice-client-glib-usb-acl-helper
@{exec_path} = @{lib}/spice-client-glib-usb-acl-helper
profile spice-client-glib-usb-acl-helper @{exec_path} {
include <abstractions/base>
@ -17,7 +17,7 @@ profile spice-client-glib-usb-acl-helper @{exec_path} {
@{exec_path} mr,
/{usr/,}lib/gconv/gconv-modules r,
@{lib}/gconv/gconv-modules r,
owner @{PROC}/@{pid}/stat r,
@{PROC}/sys/kernel/cap_last_cap r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/spice-vdagent
@{exec_path} = @{bin}/spice-vdagent
profile spice-vdagent @{exec_path} {
include <abstractions/base>
include <abstractions/audio>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/spice-vdagentd
@{exec_path} = @{bin}/spice-vdagentd
profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>


@ -6,14 +6,14 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/start-pulseaudio-x11
@{exec_path} = @{bin}/start-pulseaudio-x11
profile start-pulseaudio-x11 @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/pactl rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/pactl rPx,
/dev/tty rw,


@ -7,28 +7,28 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/startx
@{exec_path} = @{bin}/startx
profile startx @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/deallocvt rix,
/{usr/,}bin/expr rix,
/{usr/,}bin/hostname rix,
/{usr/,}bin/mcookie rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/tty rix,
/{usr/,}bin/uname rix,
@{bin}/{,e}grep rix,
@{bin}/deallocvt rix,
@{bin}/expr rix,
@{bin}/hostname rix,
@{bin}/mcookie rix,
@{bin}/mktemp rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/tty rix,
@{bin}/uname rix,
/{usr/,}bin/xauth rPx,
/{usr/,}bin/xinit rPx,
@{bin}/xauth rPx,
@{bin}/xinit rPx,
/usr/share/terminfo/** r,


@ -43,46 +43,46 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/*sum rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/file rix,
/{usr/,}bin/find rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/head rix,
/{usr/,}bin/ldconfig rix,
/{usr/,}bin/ldd rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/lsof rix,
/{usr/,}bin/lspci rCx -> lspci,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/realpath rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/rmdir rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/steam-runtime-urlopen rix,
/{usr/,}bin/tail rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/timeout rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/which rix,
/{usr/,}bin/xdg-icon-resource rPx,
/{usr/,}bin/xdg-user-dir rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/zenity rix,
/{usr/,}lib{32,64}/ld-linux.so* rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/*sum rix,
@{bin}/basename rix,
@{bin}/cat rix,
@{bin}/cmp rix,
@{bin}/cp rix,
@{bin}/cut rix,
@{bin}/dirname rix,
@{bin}/file rix,
@{bin}/find rix,
@{bin}/getopt rix,
@{bin}/grep rix,
@{bin}/head rix,
@{bin}/ldconfig rix,
@{bin}/ldd rix,
@{bin}/ln rix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsof rix,
@{bin}/lspci rCx -> lspci,
@{bin}/mkdir rix,
@{bin}/mv rix,
@{bin}/readlink rix,
@{bin}/realpath rix,
@{bin}/rm rix,
@{bin}/rmdir rix,
@{bin}/sed rix,
@{bin}/steam-runtime-urlopen rix,
@{bin}/tail rix,
@{bin}/tar rix,
@{bin}/timeout rix,
@{bin}/touch rix,
@{bin}/tr rix,
@{bin}/uname rix,
@{bin}/which rix,
@{bin}/xdg-icon-resource rPx,
@{bin}/xdg-user-dir rix,
@{bin}/xz rix,
@{bin}/zenity rix,
@{lib}/ld-linux.so* rix,
@{steam_lib_dirs}/*.so* mr,
@{steam_lib_dirs}/*driverquery rix,
@ -116,7 +116,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
/ r,
/{usr/,}{local/,} r,
/{usr/,}{local/,}share/ r,
/{usr/,}lib{,32,64}/ r,
@{lib}/ r,
/etc/ r,
/home/ r,
/run/ r,
@ -238,7 +238,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
include <abstractions/consoles>
include <abstractions/nameservice-strict>
/{usr/,}bin/lspci mr,
@{bin}/lspci mr,
owner @{HOME}/.steam/steam.pipe r,
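Review bot: `@{lib}/ld-linux.so* rix,` in the first hunk widens the rule it replaces, `/{usr/,}lib{32,64}/ld-linux.so*`, which deliberately or not excluded the plain `lib` directory; if `@{lib}` expands to `lib` as well (which the `@{lib}/ r` replacement for `/{usr/,}lib{,32,64}/ r` in the next hunk suggests), the profile now also permits inherit-executing a loader found under `/usr/lib/` and any other directory `@{lib}` enumerates. If the narrower set was intentional, keep `/{usr/,}lib{32,64}/ld-linux.so* rix,`; otherwise a one-line comment such as `# Loader may live under any @{lib} dir (32-bit runtime)` would record that the broader match is deliberate. The steam profile starts before and continues after these hunks.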


@ -64,26 +64,26 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/bwrap rix,
/{usr/,}bin/env rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/localedef rix,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/steam-runtime-launcher-interface-* rix,
/{usr/,}bin/steam-runtime-system-info rix,
/{usr/,}bin/timeout rix,
/{usr/,}bin/true rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/xdg-open rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/bwrap rix,
@{bin}/env rix,
@{bin}/getopt rix,
@{bin}/gzip rix,
@{bin}/localedef rix,
@{bin}/python3.[0-9]* rix,
@{bin}/readlink rix,
@{bin}/steam-runtime-launcher-interface-* rix,
@{bin}/steam-runtime-system-info rix,
@{bin}/timeout rix,
@{bin}/true rix,
@{bin}/uname rix,
@{bin}/xdg-open rPx,
/{usr/,}lib/pressure-vessel/from-host/bin/pressure-vessel-adverb rix,
/{usr/,}lib/pressure-vessel/from-host/bin/pressure-vessel-locale-gen rix,
/{usr/,}lib/pressure-vessel/from-host/bin/pressure-vessel-try-setlocale rix,
/{usr/,}lib/pressure-vessel/from-host/libexec/steam-runtime-tools-*/*-detect-platform rix,
/{usr/,}libexec/steam-runtime-tools*/* mrix,
@{lib}/pressure-vessel/from-host/bin/pressure-vessel-adverb rix,
@{lib}/pressure-vessel/from-host/bin/pressure-vessel-locale-gen rix,
@{lib}/pressure-vessel/from-host/bin/pressure-vessel-try-setlocale rix,
@{lib}/pressure-vessel/from-host/libexec/steam-runtime-tools-*/*-detect-platform rix,
@{lib}exec/steam-runtime-tools*/* mrix,
@{runtime}/pressure-vessel/bin/pressure-vessel-unruntime rix,
@{runtime}/pressure-vessel/bin/pressure-vessel-wrap rix,
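Review bot: `@{lib}exec/steam-runtime-tools*/* mrix,` glues `exec` onto the expansion of `@{lib}`, unlike every other libexec conversion in this commit (`@{libexec}/sudo/**` and `@{libexec}/switcheroo-control` both became plain `@{lib}/...`), so if `@{lib}` already enumerates `libexec` this rule expands to paths such as `/usr/libexecexec/...` and `/usr/lib32exec/...` and silently stops matching `/usr/libexec/steam-runtime-tools*/*`. The line should read `@{lib}/steam-runtime-tools*/* mrix,`; confirm against the `@{lib}` definition in tunables, which is not visible here. The steam-game profile body starts before and continues after this hunk.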


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/strawberry
@{exec_path} = @{bin}/strawberry
profile strawberry @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -39,9 +39,9 @@ profile strawberry @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/strawberry-tagreader rPx,
@{bin}/strawberry-tagreader rPx,
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/xdg-open rCx -> open,
# Media library
owner @{user_music_dirs}/ r,
@ -97,7 +97,7 @@ profile strawberry @{exec_path} {
/usr/share/hwdata/pnp.ids r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner /dev/tty[0-9]* rw,
@ -108,19 +108,19 @@ profile strawberry @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/strawberry-tagreader
@{exec_path} = @{bin}/strawberry-tagreader
profile strawberry-tagreader @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/su
@{exec_path} = @{bin}/su
profile su @{exec_path} {
include <abstractions/base>
include <abstractions/app-launcher-root>
@ -43,9 +43,9 @@ profile su @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,b,d,rb}ash rUx,
/{usr/,}bin/{c,k,tc,z}sh rUx,
/{usr/,}{s,}bin/nologin rPx,
@{bin}/{,b,d,rb}ash rUx,
@{bin}/{c,k,tc,z}sh rUx,
@{bin}/nologin rPx,
@{etc_ro}/default/su r,
@{etc_ro}/environment r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/sudo
@{exec_path} = @{bin}/sudo
profile sudo @{exec_path} {
include <abstractions/base>
include <abstractions/app-launcher-root>
@ -51,13 +51,13 @@ profile sudo @{exec_path} {
@{exec_path} mr,
@{libexec}/sudo/** mr,
@{lib}/sudo/** mr,
@{bin}/{,b,d,rb}ash rUx,
@{bin}/{c,k,tc,z}sh rUx,
@{lib}/cockpit/cockpit-askpass rPx,
@{lib}/molly-guard/molly-guard rPx,
/snap/snapd/[0-9]*/usr/bin/snap rPx,
/{usr/,}bin/{,b,d,rb}ash rUx,
/{usr/,}bin/{c,k,tc,z}sh rUx,
/{usr/,}lib/cockpit/cockpit-askpass rPx,
/{usr/,}lib/molly-guard/molly-guard rPx,
@{etc_ro}/environment r,
@{etc_ro}/security/limits.d/{,*} r,


@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/suid3num
@{exec_path} += /{usr/,}bin/suid3num.py
@{exec_path} = @{bin}/suid3num
@{exec_path} += @{bin}/suid3num.py
profile suid3num @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@ -18,9 +18,9 @@ profile suid3num @{exec_path} {
ptrace (read),
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/usr/bin/find rix,
owner @{PROC}/@{pid}/fd/ r,
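Review bot: `/usr/bin/find rix,` two lines below the converted `@{bin}/{,ba,da}sh rix,` is still a hard-coded absolute path with neither the old `/{usr/,}` alternation nor the new `@{bin}` variable, so it is the one exec rule in this profile that the refactor leaves behind and it will not match a `find` resolved under `/bin`. Suggest `@{bin}/find rix,` for consistency with the rest of the commit; it is an untouched context line here. The suid3num profile continues past this hunk.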


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/sulogin
@{exec_path} = @{bin}/sulogin
profile sulogin @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -15,7 +15,7 @@ profile sulogin @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rux,
@{bin}/{,ba,da}sh rux,
/etc/shadow r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/swaplabel
@{exec_path} = @{bin}/swaplabel
profile swaplabel @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/swapoff
@{exec_path} = @{bin}/swapoff
profile swapoff @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/swapon
@{exec_path} = @{bin}/swapon
profile swapon @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/switcheroo-control
@{exec_path} = @{lib}/switcheroo-control
profile switcheroo-control @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/swtpm
@{exec_path} = @{bin}/swtpm
profile swtpm @{exec_path} {
include <abstractions/base>
include <abstractions/openssl>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/swtpm_ioctl
@{exec_path} = @{bin}/swtpm_ioctl
profile swtpm_ioctl @{exec_path} {
include <abstractions/base>


@ -6,15 +6,15 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/swtpm_localca
@{exec_path} = @{bin}/swtpm_localca
profile swtpm_localca @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@{exec_path} mr,
/{usr/,}bin/certtool rix,
/{usr/,}bin/swtpm_cert rix,
@{bin}/certtool rix,
@{bin}/swtpm_cert rix,
/etc/swtpm-localca.conf r,
/etc/swtpm-localca.options r,


@ -6,15 +6,15 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/swtpm_setup
@{exec_path} = @{bin}/swtpm_setup
profile swtpm_setup @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@{exec_path} mr,
/{usr/,}bin/swtpm rPx,
/{usr/,}bin/swtpm_localca rPx,
@{bin}/swtpm rPx,
@{bin}/swtpm_localca rPx,
/etc/swtpm_setup.conf r,


@ -13,12 +13,12 @@ profile syncoid @{exec_path} flags=(complain) {
include <abstractions/perl>
@{exec_path} mr,
/{usr/,}bin/grep rix,
/{usr/,}bin/mbuffer rix,
/{usr/,}bin/perl rix,
/{usr/,}bin/ps rPx,
/{usr/,}bin/pv rix,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
@{bin}/grep rix,
@{bin}/mbuffer rix,
@{bin}/perl rix,
@{bin}/ps rPx,
@{bin}/pv rix,
/{usr/,}{local/,}{s,}bin/zfs rPx,
/{usr/,}{local/,}{s,}bin/zpool rPx,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/syncthing
@{exec_path} = @{bin}/syncthing
profile syncthing @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -21,8 +21,8 @@ profile syncthing @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/ip rix,
@{bin}/xdg-open rCx -> open,
@{bin}/ip rix,
/usr/share/mime/{,*} r,
@ -45,19 +45,19 @@ profile syncthing @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}bin/firefox rPx,
/{usr/,}lib/firefox/firefox rPx,
@{bin}/firefox rPx,
@{lib}/firefox/firefox rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/sysctl
@{exec_path} = @{bin}/sysctl
profile sysctl @{exec_path} {
include <abstractions/base>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/system-config-printer
@{exec_path} = @{bin}/system-config-printer
@{exec_path} += /usr/share/system-config-printer/system-config-printer.py
profile system-config-printer @{exec_path} flags=(complain) {
include <abstractions/base>
@ -41,9 +41,9 @@ profile system-config-printer @{exec_path} flags=(complain) {
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}lib/cups/*/* rPUx,
@{bin}/{,ba,da}sh rix,
@{bin}/python3.[0-9]* r,
@{lib}/cups/*/* rPUx,
/usr/share/hplip/query.py rPUx,
/usr/share/cups/data/testprint r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/system-config-printer-applet /usr/share/system-config-printer/applet.py
@{exec_path} = @{bin}/system-config-printer-applet /usr/share/system-config-printer/applet.py
profile system-config-printer-applet @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@ -18,8 +18,8 @@ profile system-config-printer-applet @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/{,ba,da}sh rix,
@{bin}/python3.[0-9]* r,
/usr/share/system-config-printer/{,**} r,


@ -6,19 +6,19 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/tasksel
@{exec_path} = @{bin}/tasksel
profile tasksel @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/tempfile rix,
/{usr/,}lib/tasksel/tasksel-debconf rix,
@{bin}/{,ba,da}sh rix,
@{bin}/tempfile rix,
@{lib}/tasksel/tasksel-debconf rix,
/{usr/,}lib/tasksel/tests/* rCx -> tasksel-tests,
@{lib}/tasksel/tests/* rCx -> tasksel-tests,
# Think what to do about this (#FIXME#)
/usr/share/debconf/frontend rPx,
@ -27,11 +27,11 @@ profile tasksel @{exec_path} flags=(complain) {
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
@{bin}/dpkg-query rpx,
#
/{usr/,}bin/apt-cache rPx,
@{bin}/apt-cache rPx,
/{usr/,}bin/debconf-apt-progress rPx,
@{bin}/debconf-apt-progress rPx,
/usr/share/tasksel/** r,
@ -43,8 +43,8 @@ profile tasksel @{exec_path} flags=(complain) {
profile tasksel-tests flags=(complain) {
include <abstractions/base>
/{usr/,}lib/tasksel/tests/* r,
/{usr/,}bin/{,ba,da}sh rix,
@{lib}/tasksel/tests/* r,
@{bin}/{,ba,da}sh rix,
}
@ -55,16 +55,16 @@ profile tasksel @{exec_path} flags=(complain) {
include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}bin/tasksel rPx,
@{bin}/tasksel rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/locale rix,
@{bin}/{,ba,da}sh rix,
@{bin}/stty rix,
@{bin}/locale rix,
# The following is needed when debconf uses dialog/whiptail frontend.
/{usr/,}bin/whiptail rPx,
@{bin}/whiptail rPx,
owner /tmp/file* w,
/usr/share/debconf/confmodule r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/tftp
@{exec_path} = @{bin}/tftp
profile tftp @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/thermald
@{exec_path} = @{bin}/thermald
profile thermald @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/thinkfan
@{exec_path} = @{bin}/thinkfan
profile thinkfan @{exec_path} {
include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/tint2
@{exec_path} = @{bin}/tint2
profile tint2 @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
@ -35,7 +35,7 @@ profile tint2 @{exec_path} {
owner @{user_config_dirs}/launchers/{,*.desktop} r,
owner @{user_config_dirs}/launchers/icons/{,*.png} r,
/{usr/,}lib/@{multiarch}/imlib2/loaders/*.so mr,
@{lib}/@{multiarch}/imlib2/loaders/*.so mr,
# Some missing icons
/usr/share/**.png r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/tint2conf
@{exec_path} = @{bin}/tint2conf
profile tint2conf @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
@ -16,9 +16,9 @@ profile tint2conf @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/tint2 rPx,
@{bin}/tint2 rPx,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/usr/share/tint2/{,*} r,


@ -8,7 +8,7 @@ include <tunables/global>
# When any of the "ns*" fields is displayed, the following error will be printed:
# "Failed name lookup - disconnected path" error=-13 profile="top" name="".
@{exec_path} = /{usr/,}bin/top
@{exec_path} = @{bin}/top
profile top @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>


@ -6,12 +6,12 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/torify
@{exec_path} = @{bin}/torify
profile torify @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
include if exists <local/torify>
}


@ -6,12 +6,12 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/torsocks
@{exec_path} = @{bin}/torsocks
profile torsocks @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
include if exists <local/torsocks>
}


@ -6,19 +6,19 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/tpacpi-bat
@{exec_path} = @{bin}/tpacpi-bat
profile tpacpi-bat @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} mr,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
@{bin}/{,ba,da}sh rix,
@{bin}/cat rix,
# To load the acpi_call module
/{usr/,}bin/kmod rPx,
@{bin}/kmod rPx,
@{PROC}/acpi/call rw,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/transmission-qt
@{exec_path} = @{bin}/transmission-qt
profile transmission-qt @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/{tune2fs,e2label}
@{exec_path} = @{bin}/{tune2fs,e2label}
profile tune2fs @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -7,42 +7,42 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ucf
@{exec_path} = @{bin}/ucf
profile ucf @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/id rix,
/{usr/,}bin/md5sum rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/perl rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/seq rix,
/{usr/,}bin/stat rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/which{,.debianutils} rix,
@{bin}/{,e}grep rix,
@{bin}/basename rix,
@{bin}/cat rix,
@{bin}/cp rix,
@{bin}/dirname rix,
@{bin}/{m,g,}awk rix,
@{bin}/getopt rix,
@{bin}/id rix,
@{bin}/md5sum rix,
@{bin}/mkdir rix,
@{bin}/mv rix,
@{bin}/perl rix,
@{bin}/readlink rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/seq rix,
@{bin}/stat rix,
@{bin}/tr rix,
@{bin}/which{,.debianutils} rix,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
@{bin}/dpkg-query rpx,
#
/{usr/,}bin/dpkg-divert rPx,
@{bin}/dpkg-divert rPx,
/{usr/,}bin/sensible-pager rCx -> pager,
@{bin}/sensible-pager rCx -> pager,
# Think what to do about this (#FIXME#)
/usr/share/debconf/frontend rPx,
@ -73,8 +73,8 @@ profile ucf @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/ r,
/{usr/,}bin/sensible-pager mr,
@{bin}/ r,
@{bin}/sensible-pager mr,
# For shell pwd
/root/ r,
@ -88,13 +88,13 @@ profile ucf @{exec_path} flags=(complain) {
include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}bin/ucf rPx,
@{bin}/ucf rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/locale rix,
@{bin}/{,ba,da}sh rix,
@{bin}/stty rix,
@{bin}/locale rix,
/etc/debconf.conf r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
@ -105,8 +105,8 @@ profile ucf @{exec_path} flags=(complain) {
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/udiskie
@{exec_path} = @{bin}/udiskie
profile udiskie @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
@ -22,10 +22,10 @@ profile udiskie @{exec_path} {
include <abstractions/dri-enumerate>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/ r,
@{bin}/xdg-open rCx -> open,
owner @{user_config_dirs}/udiskie/ r,
owner @{user_config_dirs}/udiskie/config.yml r,
@ -37,28 +37,28 @@ profile udiskie @{exec_path} {
/etc/fstab r,
# Allowed apps to open
/{usr/,}bin/spacefm rPx,
@{bin}/spacefm rPx,
# Silencer
deny /{usr/,}lib/** w,
deny @{lib}/** w,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}bin/spacefm rPx,
@{bin}/spacefm rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -6,13 +6,13 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/udiskie-info
@{exec_path} = @{bin}/udiskie-info
profile udiskie-info @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/usr/bin/ r,
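Review bot: The `/usr/bin/ r,` directory rule right after the converted `@{bin}/python3.[0-9]* r,` line is left in hard-coded form, so the file now mixes both spellings; for consistency with the rest of the commit it should read `@{bin}/ r,`. The same leftover appears in the udiskie-mount and udiskie-umount sections. Be aware that `@{bin}/ r,` presumably also grants listing of the sbin directories, which `/usr/bin/ r,` did not; if that is deliberately avoided, keep the narrower rule and say so in a comment. The profile continues outside the hunk.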


@ -6,13 +6,13 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/udiskie-mount
@{exec_path} = @{bin}/udiskie-mount
profile udiskie-mount @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/usr/bin/ r,


@ -6,13 +6,13 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/udiskie-umount
@{exec_path} = @{bin}/udiskie-umount
profile udiskie-umount @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/usr/bin/ r,


@ -7,17 +7,17 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/udisksctl
@{exec_path} = @{bin}/udisksctl
profile udisksctl @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
/dev/tty rw,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/{,udisks2/}udisksd
@{exec_path} = @{lib}/{,udisks2/}udisksd
profile udisksd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
@ -95,25 +95,25 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/umount rix,
@{bin}/{,ba,da}sh rix,
@{bin}/umount rix,
/{usr/,}{s,}bin/dmidecode rPx,
/{usr/,}{s,}bin/dumpe2fs rPx,
/{usr/,}{s,}bin/fsck.fat rPx,
/{usr/,}{s,}bin/lvm rPUx,
/{usr/,}{s,}bin/mke2fs rPx,
/{usr/,}{s,}bin/mkfs.btrfs rPx,
/{usr/,}{s,}bin/mkfs.ext{2,3,4} rPx,
/{usr/,}{s,}bin/mkfs.fat rPx,
/{usr/,}{s,}bin/sfdisk rPx,
/{usr/,}{s,}bin/sgdisk rPx,
/{usr/,}bin/eject rPx,
/{usr/,}bin/mount.exfat-fuse rPUx,
/{usr/,}bin/ntfs-3g rPx,
/{usr/,}bin/ntfsfix rPx,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/systemd-escape rPx,
@{bin}/dmidecode rPx,
@{bin}/dumpe2fs rPx,
@{bin}/eject rPx,
@{bin}/fsck.fat rPx,
@{bin}/lvm rPUx,
@{bin}/mke2fs rPx,
@{bin}/mkfs.btrfs rPx,
@{bin}/mkfs.ext{2,3,4} rPx,
@{bin}/mkfs.fat rPx,
@{bin}/mount.exfat-fuse rPUx,
@{bin}/ntfs-3g rPx,
@{bin}/ntfsfix rPx,
@{bin}/sfdisk rPx,
@{bin}/sgdisk rPx,
@{bin}/systemctl rPx -> child-systemctl,
@{bin}/systemd-escape rPx,
/etc/udisks2/{,**} r,
/etc/libblockdev/{,**} r,
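Review bot: The attach path changes from `@{libexec}/{,udisks2/}udisksd` to `@{lib}/{,udisks2/}udisksd`, which is a different substitution from the mechanical `/{usr/,}bin` → `@{bin}` rewrites elsewhere in this commit and alters which binaries the profile attaches to. Neither variable's expansion is on this page; unless `@{lib}` also matches the libexec directory, a udisksd installed under libexec would no longer be confined, so please confirm the tunable or keep `@{libexec}` for the attach path. A short comment such as `# udisksd is shipped under lib/ or libexec/ depending on the distribution` would make the intent explicit. The profile body continues outside the hunk.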


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/umount
@{exec_path} = @{bin}/umount
profile umount @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -27,8 +27,8 @@ profile umount @{exec_path} {
@{exec_path} mr,
/{usr/,}{s,}bin/umount.* rPx,
/{usr/,}{s,}bin/mount.* rPx,
@{bin}/umount.* rPx,
@{bin}/mount.* rPx,
# Mount points
@{HOME}/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/umount.udisks2
@{exec_path} = @{bin}/umount.udisks2
profile umount.udisks2 @{exec_path} flags=(complain) {
include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/uname
@{exec_path} = @{bin}/uname
profile uname @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/unhide{,-linux}
@{exec_path} = @{bin}/unhide{,-linux}
profile unhide-linux @{exec_path} {
include <abstractions/base>
@ -17,8 +17,8 @@ profile unhide-linux @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/ps rix,
@{bin}/{,ba,da}sh rix,
@{bin}/ps rix,
@{PROC}/ r,
@{PROC}/uptime r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/unhide-posix
@{exec_path} = @{bin}/unhide-posix
profile unhide-posix @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -17,10 +17,10 @@ profile unhide-posix @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/ps rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/{,e}grep rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/{m,g,}awk rix,
@{bin}/ps rix,
@{PROC}/ r,
@{PROC}/uptime r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/unhide_rb
@{exec_path} = @{bin}/unhide_rb
profile unhide-rb @{exec_path} {
include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/unhide-tcp
@{exec_path} = @{bin}/unhide-tcp
profile unhide-tcp @{exec_path} {
include <abstractions/base>
@ -17,11 +17,11 @@ profile unhide-tcp @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/ss rix,
/{usr/,}bin/netstat rix,
/{usr/,}bin/fuser rix,
@{bin}/{,ba,da}sh rix,
@{bin}/fuser rix,
@{bin}/netstat rix,
@{bin}/sed rix,
@{bin}/ss rix,
@{PROC}/@{pids}/net/tcp{,6} r,
@{PROC}/@{pids}/net/udp{,6} r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/unix_chkpwd
@{exec_path} = @{bin}/unix_chkpwd
profile unix-chkpwd @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/unmkinitramfs
@{exec_path} = @{bin}/unmkinitramfs
profile unmkinitramfs @{exec_path} {
include <abstractions/base>
@ -15,25 +15,24 @@ profile unmkinitramfs @{exec_path} {
capability mknod,
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/xzcat rix,
/{usr/,}bin/lz4cat rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/dd rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/cpio rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/lzma rix,
/{usr/,}bin/lzop rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/zstd rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/bzip2 rix,
@{bin}/cat rix,
@{bin}/cpio rix,
@{bin}/dd rix,
@{bin}/getopt rix,
@{bin}/gzip rix,
@{bin}/lz4cat rix,
@{bin}/lzma rix,
@{bin}/lzop rix,
@{bin}/mkdir rix,
@{bin}/mktemp rix,
@{bin}/rm rix,
@{bin}/xz rix,
@{bin}/xzcat rix,
@{bin}/zstd rix,
/boot/ r,
owner /boot/initrd.img-* r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/update-alternatives
@{exec_path} = @{bin}/update-alternatives
profile update-alternatives @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -20,11 +20,11 @@ profile update-alternatives @{exec_path} {
/var/lib/dpkg/alternatives/ r,
/var/lib/dpkg/alternatives/* rw,
/{usr/,}bin/* w,
/{usr/,}bin/*.dpkg-tmp rw,
@{bin}/* w,
@{bin}/*.dpkg-tmp rw,
/{usr/,}sbin/* w,
/{usr/,}sbin/*.dpkg-tmp rw,
@{bin}/* w,
@{bin}/*.dpkg-tmp rw,
/usr/** rw,
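Review bot: `@{bin}/* w,` and `@{bin}/*.dpkg-tmp rw,` now appear twice in this hunk, because the former `/{usr/,}bin/*` and `/{usr/,}sbin/*` pairs both collapsed onto the same variable; the second pair is redundant and should be dropped so the profile has one `@{bin}/* w,` and one `@{bin}/*.dpkg-tmp rw,`. This relies on `@{bin}` expanding to both bin and sbin (its definition is not on this page); if it does not, write access to sbin is lost here rather than preserved, so worth confirming. The enclosing profile continues outside the hunk.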


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/update-ca-certificates
@{exec_path} = @{bin}/update-ca-certificates
profile update-ca-certificates @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -15,28 +15,28 @@ profile update-ca-certificates @{exec_path} {
include <abstractions/ssl_certs>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/find rix,
/{usr/,}bin/flock rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/test rix,
/{usr/,}bin/wc rix,
@{bin}/basename rix,
@{bin}/cat rix,
@{bin}/chmod rix,
@{bin}/find rix,
@{bin}/flock rix,
@{bin}/ln rix,
@{bin}/mktemp rix,
@{bin}/mv rix,
@{bin}/readlink rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/sort rix,
@{bin}/test rix,
@{bin}/wc rix,
/{usr/,}bin/openssl rix,
@{bin}/openssl rix,
/etc/ca-certificates/update.d/ r,
/etc/ca-certificates/update.d/jks-keystore rCx -> jks-keystore,
/{usr/,}bin/run-parts rCx -> run-parts,
@{bin}/run-parts rCx -> run-parts,
/etc/ r,
/etc/ca-certificates.conf r,
@ -44,7 +44,7 @@ profile update-ca-certificates @{exec_path} {
/etc/ssl/certs/*.pem rw,
/etc/ssl/certs/@{hex}.[0-9] rw,
/{usr/,}lib/locale/locale-archive r,
@{lib}/locale/locale-archive r,
/tmp/ r,
owner /tmp/ca-certificates{,.crt}.tmp.* rw,
@ -57,7 +57,7 @@ profile update-ca-certificates @{exec_path} {
profile run-parts {
include <abstractions/base>
/{usr/,}bin/run-parts mr,
@{bin}/run-parts mr,
/etc/ca-certificates/update.d/ r,
@ -74,21 +74,21 @@ profile update-ca-certificates @{exec_path} {
/etc/ca-certificates/update.d/jks-keystore mr,
/{usr/,}lib/ r,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/jre/bin/java rix,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/bin/java rix,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/lib/server/classes.jsa mr,
@{lib}/ r,
@{lib}/jvm/java-[0-9]*-openjdk-*/jre/bin/java rix,
@{lib}/jvm/java-[0-9]*-openjdk-*/bin/java rix,
@{lib}/jvm/java-[0-9]*-openjdk-*/lib/server/classes.jsa mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/head rix,
/{usr/,}bin/mountpoint rix,
@{bin}/{,ba,da}sh rix,
@{bin}/sed rix,
@{bin}/head rix,
@{bin}/mountpoint rix,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
@{bin}/dpkg-query rpx,
#
/{usr/,}bin/dpkg rPx -> child-dpkg,
@{bin}/dpkg rPx -> child-dpkg,
/usr/share/ca-certificates-java/ca-certificates-java.jar r,
/usr/share/java/java-atk-wrapper.jar r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/update-ca-trust
@{exec_path} = @{bin}/update-ca-trust
profile update-ca-trust @{exec_path} {
include <abstractions/base>
include <abstractions/ssl_certs>
@ -15,10 +15,10 @@ profile update-ca-trust @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/bash rix,
/{usr/,}bin/find rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/trust rix,
@{bin}/bash rix,
@{bin}/find rix,
@{bin}/ln rix,
@{bin}/trust rix,
/ r,
/usr/share/p11-kit/modules/{,*} r,


@ -8,8 +8,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/share/command-not-found/cnf-update-db
@{exec_path} += /{usr/,}{s,}bin/update-command-not-found
@{exec_path} += /{usr/,}lib/cnf-update-db
@{exec_path} += @{bin}/update-command-not-found
@{exec_path} += @{lib}/cnf-update-db
profile update-command-not-found @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -20,11 +20,11 @@ profile update-command-not-found @{exec_path} {
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}lib/ r,
@{bin}/python3.[0-9]* r,
@{lib}/ r,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}lib/apt/apt-helper rix,
@{bin}/dpkg rPx -> child-dpkg,
@{lib}/apt/apt-helper rix,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,


@ -6,23 +6,23 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/update-cracklib
@{exec_path} = @{bin}/update-cracklib
profile update-cracklib @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}{s,}bin/cracklib-format rix,
/{usr/,}{s,}bin/cracklib-packer rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/env rix,
/{usr/,}bin/file rix,
/{usr/,}bin/find rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/tr rix,
@{bin}/{,ba,da}sh rix,
@{bin}/cracklib-format rix,
@{bin}/cracklib-packer rPx,
@{bin}/env rix,
@{bin}/file rix,
@{bin}/find rix,
@{bin}/grep rix,
@{bin}/gzip rix,
@{bin}/sort rix,
@{bin}/tr rix,
/ r,
/usr/share/dict/{,*} r,


@ -6,24 +6,24 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/update-dlocatedb
@{exec_path} = @{bin}/update-dlocatedb
profile update-dlocatedb @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/uniq rix,
@{bin}/cat rix,
@{bin}/uname rix,
@{bin}/sed rix,
@{bin}/sort rix,
@{bin}/uniq rix,
/{usr/,}bin/ionice rix,
@{bin}/ionice rix,
/usr/share/dlocate/updatedb rCx -> updatedb,
/{usr/,}bin/dpkg rPx -> child-dpkg,
@{bin}/dpkg rPx -> child-dpkg,
owner @{PROC}/@{pid}/fd/2 w,
@ -38,7 +38,7 @@ profile update-dlocatedb @{exec_path} {
include <abstractions/perl>
/usr/share/dlocate/updatedb r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/etc/default/dlocate r,
@ -54,7 +54,7 @@ profile update-dlocatedb @{exec_path} {
/var/lib/dpkg/info/*.list r,
# For compression
/{usr/,}bin/gzip rix,
@{bin}/gzip rix,
/var/lib/dlocate/dlocatedb.gz rw,
}


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/update-initramfs
@{exec_path} = @{bin}/update-initramfs
profile update-initramfs @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -15,24 +15,24 @@ profile update-initramfs @{exec_path} {
ptrace (read) peer=unconfined,
@{exec_path} rix,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}sbin/ r,
@{bin}/ r,
/{usr/,}bin/cat rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/ischroot rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sha1sum rix,
/{usr/,}bin/sync rix,
/{usr/,}bin/uname rix,
@{bin}/cat rix,
@{bin}/{m,g,}awk rix,
@{bin}/getopt rix,
@{bin}/ischroot rix,
@{bin}/ln rix,
@{bin}/mv rix,
@{bin}/rm rix,
@{bin}/sha1sum rix,
@{bin}/sync rix,
@{bin}/uname rix,
/{usr/,}bin/dpkg-trigger rPx,
/{usr/,}bin/linux-version rPx,
/{usr/,}sbin/mkinitramfs rPx,
@{bin}/dpkg-trigger rPx,
@{bin}/linux-version rPx,
@{bin}/mkinitramfs rPx,
/var/lib/initramfs-tools/* w,


@ -6,33 +6,33 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/update-pciids
@{exec_path} = @{bin}/update-pciids
profile update-pciids @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/chown rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/echo rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/bunzip2 rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/zgrep rix,
@{bin}/touch rix,
@{bin}/rm rix,
@{bin}/mv rix,
@{bin}/{,e}grep rix,
@{bin}/sed rix,
@{bin}/chown rix,
@{bin}/chmod rix,
@{bin}/echo rix,
@{bin}/cat rix,
@{bin}/which{,.debianutils} rix,
@{bin}/bunzip2 rix,
@{bin}/bzip2 rix,
@{bin}/gzip rix,
@{bin}/ln rix,
@{bin}/zgrep rix,
/{usr/,}bin/wget rCx -> browse,
/{usr/,}bin/curl rCx -> browse,
/{usr/,}bin/lynx rCx -> browse,
@{bin}/wget rCx -> browse,
@{bin}/curl rCx -> browse,
@{bin}/lynx rCx -> browse,
/usr/share/misc/ r,
/usr/share/misc/* rwl -> /usr/share/misc/*,
@ -52,9 +52,9 @@ profile update-pciids @{exec_path} {
network inet stream,
network inet6 stream,
/{usr/,}bin/wget mr,
/{usr/,}bin/curl mr,
/{usr/,}bin/lynx mr,
@{bin}/wget mr,
@{bin}/curl mr,
@{bin}/lynx mr,
/etc/wgetrc r,
owner @{HOME}/.wget-hsts rwk,


@ -7,22 +7,22 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{,s}bin/update-secureboot-policy
@{exec_path} = @{bin}/update-secureboot-policy
profile update-secureboot-policy @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} rm,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,m,g}awk rix,
/{usr/,}bin/dpkg-trigger rPx,
/{usr/,}bin/find rix,
/{usr/,}bin/id rix,
/{usr/,}bin/od rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/wc rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,m,g}awk rix,
@{bin}/dpkg-trigger rPx,
@{bin}/find rix,
@{bin}/id rix,
@{bin}/od rix,
@{bin}/sort rix,
@{bin}/touch rix,
@{bin}/wc rix,
/usr/share/debconf/frontend rPx,
/usr/share/debconf/confmodule r,


@ -6,33 +6,33 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/update-smart-drivedb
@{exec_path} = @{bin}/update-smart-drivedb
profile update-smart-drivedb @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/dd rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/cmp rix,
@{bin}/cat rix,
@{bin}/dirname rix,
@{bin}/sed rix,
@{bin}/rm rix,
@{bin}/dd rix,
@{bin}/wc rix,
@{bin}/touch rix,
@{bin}/mkdir rix,
@{bin}/chmod rix,
@{bin}/mv rix,
@{bin}/cmp rix,
/{usr/,}{s,}bin/ r,
/{usr/,}{s,}bin/smartctl rPx,
@{bin}/ r,
@{bin}/smartctl rPx,
/{usr/,}bin/gpg{,2} rCx -> gpg,
/{usr/,}bin/wget rCx -> browse,
/{usr/,}bin/curl rCx -> browse,
/{usr/,}bin/lynx rCx -> browse,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/wget rCx -> browse,
@{bin}/curl rCx -> browse,
@{bin}/lynx rCx -> browse,
/var/lib/smartmontools/drivedb/drivedb.h{,.*} rw,
@ -46,9 +46,9 @@ profile update-smart-drivedb @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/gpg{,2} mr,
@{bin}/gpg{,2} mr,
/{usr/,}bin/gpg-agent rix,
@{bin}/gpg-agent rix,
owner @{PROC}/@{pid}/fd/ r,
@ -71,11 +71,11 @@ profile update-smart-drivedb @{exec_path} {
network inet stream,
network inet6 stream,
/{usr/,}bin/wget mr,
/{usr/,}bin/curl mr,
/{usr/,}bin/lynx mr,
@{bin}/wget mr,
@{bin}/curl mr,
@{bin}/lynx mr,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/etc/mime.types r,
/etc/mailcap r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/updatedb.mlocate
@{exec_path} = @{bin}/updatedb.mlocate
profile updatedb-mlocate @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -18,7 +18,7 @@ profile updatedb-mlocate @{exec_path} {
@{exec_path} mr,
/{usr/,}{s,}bin/on_ac_power rPx,
@{bin}/on_ac_power rPx,
# For shell pwd
/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/updatedb.plocate
@{exec_path} = @{bin}/updatedb.plocate
profile updatedb.plocate @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/uptime
@{exec_path} = @{bin}/uptime
profile uptime @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/uptimed
@{exec_path} = @{bin}/uptimed
profile uptimed @{exec_path} {
include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/usb-devices
@{exec_path} = @{bin}/usb-devices
profile usb-devices @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -16,13 +16,13 @@ profile usb-devices @{exec_path} {
deny capability dac_override,
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/readlink rix,
@{bin}/cat rix,
@{bin}/cut rix,
@{bin}/{,e}grep rix,
@{bin}/basename rix,
@{bin}/readlink rix,
# For shell pwd
/root/ r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/usbguard
@{exec_path} = @{bin}/usbguard
profile usbguard @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/usbguard-applet-qt
@{exec_path} = @{bin}/usbguard-applet-qt
profile usbguard-applet-qt @{exec_path} {
include <abstractions/base>
include <abstractions/X>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/usbguard-daemon
@{exec_path} = @{bin}/usbguard-daemon
profile usbguard-daemon @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/usbguard-dbus
@{exec_path} = @{bin}/usbguard-dbus
profile usbguard-dbus @{exec_path} {
include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/usbguard-notifier
@{exec_path} = @{bin}/usbguard-notifier
profile usbguard-notifier @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/uscan
@{exec_path} = @{bin}/uscan
profile uscan @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -22,21 +22,21 @@ profile uscan @{exec_path} {
network netlink raw,
@{exec_path} r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/pwd rix,
/{usr/,}bin/find rix,
/{usr/,}bin/file rix,
/{usr/,}bin/getconf rix,
@{bin}/{,ba,da}sh rix,
@{bin}/pwd rix,
@{bin}/find rix,
@{bin}/file rix,
@{bin}/getconf rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/gunzip rix,
/{usr/,}bin/xz rix,
@{bin}/tar rix,
@{bin}/gzip rix,
@{bin}/bzip2 rix,
@{bin}/gunzip rix,
@{bin}/xz rix,
/{usr/,}bin/uupdate rPUx,
@{bin}/uupdate rPUx,
# To run custom maintainer scripts
owner @{user_build_dirs}/**/debian/* rPUx,
@ -44,8 +44,8 @@ profile uscan @{exec_path} {
/usr/share/*/debian/ r,
/usr/share/*/debian/changelog r,
/{usr/,}bin/gpg{,2} rCx -> gpg,
/{usr/,}bin/gpgv rCx -> gpg,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/gpgv rCx -> gpg,
/etc/dpkg/origins/debian r,
@ -62,8 +62,8 @@ profile uscan @{exec_path} {
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpg{,2} mr,
/{usr/,}bin/gpgv mr,
@{bin}/gpg{,2} mr,
@{bin}/gpgv mr,
owner @{HOME}/@{XDG_GPG_DIR}/gpg.conf r,
owner @{HOME}/@{XDG_GPG_DIR}/pubring.{gpg,kbx} r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/useradd
@{exec_path} = @{bin}/useradd
profile useradd @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -24,9 +24,9 @@ profile useradd @{exec_path} {
@{exec_path} mr,
/{usr/,}{s,}bin/usermod rPx,
@{bin}/usermod rPx,
/{usr/,}{s,}bin/pam_tally2 rCx -> pam_tally2,
@{bin}/pam_tally2 rCx -> pam_tally2,
/etc/default/useradd r,
/etc/login.defs r,
@ -63,7 +63,7 @@ profile useradd @{exec_path} {
capability audit_write,
/{usr/,}{s,}bin/pam_tally2 mr,
@{bin}/pam_tally2 mr,
/var/log/tallylog rw,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/userdel
@{exec_path} = @{bin}/userdel
profile userdel @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
