Merge branch 'roddhjav:main' into main
2bee0206fc
230 changed files with 1440 additions and 708 deletions
40
.github/workflows/main.yml
vendored
40
.github/workflows/main.yml
vendored
|
@ -3,8 +3,19 @@ name: Ubuntu
|
|||
on: [push, pull_request, workflow_dispatch]
|
||||
|
||||
jobs:
|
||||
check:
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Check out repository code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run basic profile linter check
|
||||
run: |
|
||||
make check
|
||||
|
||||
build:
|
||||
runs-on: ${{ matrix.os }}
|
||||
needs: check
|
||||
strategy:
|
||||
matrix:
|
||||
os:
|
||||
|
@ -89,6 +100,30 @@ jobs:
|
|||
sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true
|
||||
sudo systemctl restart apparmor.service
|
||||
|
||||
- name: Restart some services to ensure they are confined
|
||||
run: |
|
||||
services=(
|
||||
containerd cron
|
||||
dbus docker
|
||||
ModemManager multipathd
|
||||
networkd-dispatcher
|
||||
packagekit polkit
|
||||
snapd
|
||||
systemd-journald systemd-hostnamed systemd-logind systemd-networkd
|
||||
systemd-resolved systemd-udevd
|
||||
udisks2
|
||||
)
|
||||
sudo systemctl daemon-reload
|
||||
for service in "${services[@]}"; do
|
||||
sudo systemctl restart "$service" || systemctl status "$service.service" || true
|
||||
done
|
||||
sudo ps auxZ | grep -v '\[.*\]'
|
||||
sudo aa-log -s --raw
|
||||
|
||||
- name: Install integration dependencies
|
||||
run: |
|
||||
bash tests/requirements.sh
|
||||
|
||||
- name: Run the bats integration tests
|
||||
run: |
|
||||
make bats
|
||||
|
@ -97,3 +132,8 @@ jobs:
|
|||
if: always()
|
||||
run: |
|
||||
sudo aa-log -s --raw
|
||||
|
||||
- name: Show final processes security context
|
||||
if: always()
|
||||
run: |
|
||||
sudo ps auxZ | grep -v '\[.*\]'
|
||||
|
|
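Review bot: `uses: actions/checkout@v4` in the new `check` job references the action by a moving tag; pinning to the release's full commit SHA, `uses: actions/checkout@<full-commit-sha>  # v4`, keeps the workflow's dependency reproducible and is the usual hardening for third-party actions. In the "Restart some services to ensure they are confined" step the loop body ends in `|| true` and the step only prints `ps auxZ` and `aa-log` output, so it cannot fail; the name overstates what it checks, and either renaming it to say it is diagnostic or adding an explicit assertion on the services that matter would make the job honest about what it guarantees. The `build` job's remaining steps are outside the hunks shown.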
2
Makefile
2
Makefile
|
@ -113,7 +113,7 @@ check:
|
|||
|
||||
.PHONY: bats
|
||||
bats:
|
||||
@bats --print-output-on-failure tests/bats/
|
||||
@bats --timing --print-output-on-failure tests/bats/
|
||||
|
||||
.PHONY: manual
|
||||
manual:
|
||||
|
|
|
@ -186,6 +186,7 @@
|
|||
@{PROC}/ r,
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pid}/stat r,
|
||||
@{PROC}/@{pid}/statm r,
|
||||
@{PROC}/@{pid}/task/@{tid}/status r,
|
||||
@{PROC}/pressure/{memory,cpu,io} r,
|
||||
@{PROC}/sys/fs/inotify/max_user_watches r,
|
||||
|
@ -201,7 +202,6 @@
|
|||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
|
||||
owner @{PROC}/@{pid}/setgroups w,
|
||||
owner @{PROC}/@{pid}/statm r,
|
||||
owner @{PROC}/@{pid}/task/ r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||
|
|
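Review bot: If the line added in the first hunk is `@{PROC}/@{pid}/statm r,` and the line dropped in the second is `owner @{PROC}/@{pid}/statm r,` (the hunk counts admit that pairing, but the page does not mark sides), the `owner` restriction has been removed, so every profile including this abstraction can read the memory statistics of any process instead of only its own. A one-line comment above the rule naming the consumer that needs cross-process `statm` would record why the owner scoping was relaxed. The file header for this section is not shown.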
|
@ -101,7 +101,7 @@
|
|||
owner @{tmp}/Temp-@{uuid}/ rw,
|
||||
owner @{tmp}/Temp-@{uuid}/* rwk,
|
||||
owner @{tmp}/tmp-*.xpi rw,
|
||||
owner @{tmp}/tmpaddon r,
|
||||
owner @{tmp}/tmpaddon rw,
|
||||
owner @{tmp}/tmpaddon-@{int} r,
|
||||
|
||||
owner /dev/shm/org.chromium.@{rand6} rw,
|
||||
|
|
|
@ -24,10 +24,10 @@
|
|||
|
||||
network netlink raw, # PAM
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.logi1.Manager
|
||||
member=CreateSession
|
||||
peer=(name=org.freedesktop.login1, label=systemd-logind),
|
||||
unix bind type=stream addr=@@{udbus}/bus/sudo/system,
|
||||
|
||||
#aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed
|
||||
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
|
||||
|
||||
dbus (send receive) bus=session path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd.Manager
|
||||
|
|
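Review bot: The context line `interface=org.freedesktop.logi1.Manager` in the `CreateSession` rule looks like a typo for `org.freedesktop.login1.Manager` (the peer on the next lines is `name=org.freedesktop.login1`); as written the rule cannot match the real interface, so the call is either denied or allowed by a broader rule elsewhere, and the narrow rule gives a false sense of precision. The commit only touches the `unix bind` line below it, but since this hunk is already being edited the fix is one word: `interface=org.freedesktop.login1.Manager`. The enclosing profile starts outside the hunk.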
|
@ -10,7 +10,7 @@
|
|||
|
||||
ptrace read peer=@{p_systemd},
|
||||
|
||||
unix bind type=stream addr=@@{hex16}/bus/systemctl/,
|
||||
unix bind type=stream addr=@@{udbus}/bus/systemctl/,
|
||||
|
||||
@{bin}/systemctl mr,
|
||||
|
||||
|
|
|
@ -7,6 +7,10 @@
|
|||
|
||||
abi <abi/4.0>,
|
||||
|
||||
@{att}/@{run}/systemd/journal/dev-log w,
|
||||
@{att}/@{run}/systemd/journal/socket w,
|
||||
|
||||
deny /apparmor/.null rw,
|
||||
deny @{att}/apparmor/.null rw,
|
||||
|
||||
include if exists <abstractions/attached/base.d>
|
||||
|
|
|
@ -33,6 +33,4 @@
|
|||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
||||
deny /apparmor/.null rw,
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
|
@ -7,12 +7,12 @@
|
|||
dbus send bus=accessibility path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-accessibility),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
|
||||
|
||||
dbus send bus=accessibility path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-accessibility),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
|
||||
|
||||
owner @{run}/user/@{uid}/at-spi/ rw,
|
||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||
|
|
|
@ -11,12 +11,12 @@
|
|||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-session),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-session),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
|
||||
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
|
|
@ -7,12 +7,12 @@
|
|||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-system),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-system),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
||||
|
||||
@{run}/dbus/system_bus_socket rw,
|
||||
|
||||
|
|
|
@ -36,7 +36,7 @@
|
|||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.a11y.Bus
|
||||
member=GetAddress
|
||||
peer=(name=org.a11y.Bus, label=dbus-accessibility),
|
||||
peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.a11y.Bus
|
||||
|
|
|
@ -14,6 +14,11 @@
|
|||
member={Get,GetAll}
|
||||
peer=(name=org.freedesktop.hostname1),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/hostname1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged
|
||||
peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed),
|
||||
|
||||
include if exists <abstractions/bus/org.freedesktop.hostname1.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/systemd1
|
||||
dbus send bus=system path=/org/freedesktop/systemd1{,/**}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={Get,GetAll}
|
||||
peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
|
||||
|
|
|
@ -61,7 +61,7 @@
|
|||
owner @{HOME}/** rwlk -> @{HOME}/**,
|
||||
owner @{run}/user/@{uid}/ r,
|
||||
owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**,
|
||||
owner @{user_games_dirs}/** rm,
|
||||
owner @{user_games_dirs}/** rmix,
|
||||
|
||||
owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**,
|
||||
owner @{tmp}/** rmwk,
|
||||
|
|
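Review bot: `owner @{user_games_dirs}/** rmix,` replaces `rm` with inherit-execute over a user-writable tree, so any file the user writes under the games directories now runs under this same profile with all of its permissions (including the `owner @{HOME}/** rwlk` grant visible in the same hunk). If that is the intended trade-off for a launcher that runs user-installed games, a comment such as `# Game binaries are user-installed; ix keeps them under this profile` above the rule would record it; otherwise a `Cx`/`Px` transition to a dedicated child profile would keep the executed content from inheriting the launcher's access. The enclosing profile starts outside the hunk.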
|
@ -44,8 +44,11 @@
|
|||
owner /tmp/newroot/ w,
|
||||
owner /tmp/oldroot/ w,
|
||||
|
||||
@{PROC}/sys/kernel/overflowgid r,
|
||||
@{PROC}/sys/kernel/overflowuid r,
|
||||
@{PROC}/sys/kernel/overflowgid r,
|
||||
@{PROC}/sys/kernel/overflowuid r,
|
||||
@{PROC}/sys/user/max_user_namespaces r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
@{att}/@{PROC}/sys/user/max_user_namespaces rw,
|
||||
owner @{att}/@{PROC}/@{pid}/cgroup r,
|
||||
owner @{att}/@{PROC}/@{pid}/fd/ r,
|
||||
|
|
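Review bot: `@{att}/@{PROC}/sys/user/max_user_namespaces rw,` grants write on a kernel sysctl, while the existing non-attached rule for the same file in this hunk only allows `r`; if the process merely opens the file read-only the `w` is an unneeded widening, and if it genuinely writes it (raising the namespace limit) that deserves a comment. Suggest `@{att}/@{PROC}/sys/user/max_user_namespaces r,` unless a denial log shows an actual write. The enclosing profile starts outside the hunk.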
|
@ -34,7 +34,7 @@
|
|||
deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl,
|
||||
deny @{run}/user/@{uid}/keyring** mrwkl,
|
||||
deny @{user_config_dirs}/*-store/{,**} mrwkl,
|
||||
deny @{user_password_store_dirs}/{,**} mrwkl,
|
||||
deny @{user_passwordstore_dirs}/{,**} mrwkl,
|
||||
deny @{user_share_dirs}/kwalletd/{,**} mrwkl,
|
||||
|
||||
# Privacy violations
|
||||
|
|
|
@ -5,24 +5,11 @@
|
|||
|
||||
abi <abi/4.0>,
|
||||
|
||||
/dev/ r,
|
||||
/dev/bus/usb/ r,
|
||||
/dev/bus/usb/@{int}/ r,
|
||||
/dev/bus/usb/@{int}/@{int} rwk,
|
||||
include <abstractions/devices-usb-read>
|
||||
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/usbmisc/ r,
|
||||
/dev/bus/usb/@{int}/@{int} wk,
|
||||
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/bus/usb/ r,
|
||||
@{sys}/bus/usb/devices/{,**} r,
|
||||
|
||||
@{sys}/devices/**/usb@{int}/{,**} rw,
|
||||
|
||||
# Udev data about usb devices (~equal to content of lsusb -v)
|
||||
@{run}/udev/data/+usb:* r,
|
||||
@{run}/udev/data/c16[6,7]:@{int} r, # USB modems
|
||||
@{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
|
||||
@{sys}/devices/**/usb@{int}/{,**} w,
|
||||
|
||||
include if exists <abstractions/devices-usb.d>
|
||||
|
||||
|
|
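--- /dev/null
+++ b/apparmor.d/abstractions/devices-usb-read
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+/dev/ r,
+/dev/bus/usb/ r,
+/dev/bus/usb/@{int}/ r,
+/dev/bus/usb/@{int}/@{int} r,
+
+@{sys}/class/ r,
+@{sys}/class/usbmisc/ r,
+
+@{sys}/bus/ r,
+@{sys}/bus/usb/ r,
+@{sys}/bus/usb/devices/{,**} r,
+
+@{sys}/devices/**/usb@{int}/{,**} r,
+
+# Udev data about usb devices (~equal to content of lsusb -v)
+@{run}/udev/data/+usb:* r,
+@{run}/udev/data/c16[6,7]:@{int} r, # USB modems
+@{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
+
+include if exists <abstractions/devices-usb-read.d>
+
+# vim:syntax=apparmor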
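Review bot: The new abstraction has no purpose comment, unlike the `webkit` and `wine` abstractions added in the same commit; add one after the license header, e.g. `# Read-only access to USB device nodes and their sysfs/udev metadata; include <abstractions/devices-usb> when write access is needed.` Saying that `@{sys}/devices/**/usb@{int}/{,**} r,` is the read half of the rule that `devices-usb` now keeps as `w` would also help readers understand the split between the two files.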
|
@ -26,4 +26,6 @@
|
|||
owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk,
|
||||
owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk,
|
||||
|
||||
@{PROC}/sys/dev/xe/observation_paranoid r,
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
|
@ -19,6 +19,7 @@
|
|||
owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/.goutputstream-@{rand6} rw,
|
||||
owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/@{uuid}.@{int} rw,
|
||||
owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache
|
||||
owner @{user_cache_dirs}/radv_builtin_shaders{32,64}@{rand6} w,
|
||||
|
||||
owner @{user_share_dirs}/vulkan/ rw,
|
||||
owner @{user_share_dirs}/vulkan/implicit_layer.d/ rw,
|
||||
|
|
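--- /dev/null
+++ b/apparmor.d/abstractions/webkit
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Minimal set of rules for webkit UI.
+
+abi <abi/4.0>,
+
+mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info,
+
+@{bin}/xdg-dbus-proxy rix,
+
+@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
+@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
+
+owner /bindfile@{rand6} rw,
+owner @{att}/.flatpak-info r,
+
+owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw,
+
+owner @{run}/user/@{uid}/.flatpak/ w,
+owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw,
+
+owner @{run}/user/@{uid}/webkitgtk/ w,
+owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw,
+owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw,
+owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw,
+
+include if exists <abstractions/webkit.d>
+
+# vim:syntax=apparmor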
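Review bot: `WebKitNetworkProcess` and `WebKitWebProcess` are given `rix`, so every profile that includes this abstraction runs its renderer and network helper under the including application's own profile rather than a narrower child, and the `mount … -> /newroot/.flatpak-info` rule only makes sense for an includer that also runs `bwrap` (the epiphany profile keeps `@{bin}/bwrap rix` outside the abstraction). The header comment should state both assumptions, e.g. `# WebKit subprocesses inherit the including profile (ix); the includer must also allow bwrap for the sandbox mount.`, rather than only "Minimal set of rules for webkit UI."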
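--- /dev/null
+++ b/apparmor.d/abstractions/wine
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Basic set of resources for wine regardless of the installation method (system or through a game launcher).
+
+abi <abi/4.0>,
+
+owner @{user_share_dirs}/applications/wine/ rw,
+owner @{user_share_dirs}/applications/wine/**/ rw,
+
+owner @{tmp}/.wine-@{uid}/ rw,
+owner @{tmp}/.wine-@{uid}/** rwk,
+
+owner /dev/shm/wine-@{hex6}-fsync rw,
+owner /dev/shm/wine-@{hex6}@{h}-fsync rw,
+
+include if exists <abstractions/wine.d>
+
+# vim:syntax=apparmor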
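Review bot: The two `/dev/shm/wine-…-fsync` rules differ only by one trailing hex digit and read more clearly as the single pattern they are, `owner /dev/shm/wine-@{hex6}{,@{h}}-fsync rw,`. A short comment above it saying why both six- and seven-digit names occur would save the next reader from wondering whether one of them is a typo.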
|
@ -138,7 +138,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
|
|||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=GetConnectionUnixUser
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-system),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
||||
|
||||
@{bin}/** Px,
|
||||
@{lib}/** Px,
|
||||
|
|
|
@ -32,8 +32,8 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
|
|||
|
||||
ptrace read peer=@{p_systemd},
|
||||
|
||||
unix bind type=stream addr=@@{hex16}/bus/systemd/bus-system,
|
||||
unix bind type=stream addr=@@{hex16}/bus/systemd/bus-api-user,
|
||||
unix bind type=stream addr=@@{udbus}/bus/systemd/bus-system,
|
||||
unix bind type=stream addr=@@{udbus}/bus/systemd/bus-api-user,
|
||||
|
||||
#aa:dbus own bus=session name=org.freedesktop.systemd1
|
||||
|
||||
|
|
|
@ -34,7 +34,9 @@ profile apt @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
signal (send) peer=apt-methods-*,
|
||||
|
||||
unix (bind) type=stream addr=@@{hex16}/bus/apt/system,
|
||||
unix bind type=stream addr=@@{udbus}/bus/apt-get/system,
|
||||
unix bind type=stream addr=@@{udbus}/bus/apt/system,
|
||||
|
||||
unix (send, receive) type=stream peer=(label=apt-esm-json-hook),
|
||||
unix (send, receive) type=stream peer=(label=snapd),
|
||||
|
||||
|
@ -43,7 +45,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
|
|||
dbus send bus=system path=/org/freedesktop/DBus/Bus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionUnixProcessID,GetConnectionUnixUser}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-system),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
||||
|
||||
dbus send bus=system
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
|
|
|
@ -30,8 +30,9 @@ profile apt-methods-file @{exec_path} {
|
|||
|
||||
@{lib}/apt/apt-helper rix,
|
||||
|
||||
/etc/apt/apt.conf.d/{,*} r,
|
||||
/etc/apt/apt-mirrors.txt r,
|
||||
/etc/apt/apt.conf r,
|
||||
/etc/apt/apt.conf.d/{,*} r,
|
||||
/etc/apt/mirrors/* r,
|
||||
|
||||
/usr/share/dpkg/cputable r,
|
||||
|
|
|
@ -28,6 +28,7 @@ profile apt-methods-mirror @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/apt/apt-mirrors.txt r,
|
||||
/etc/apt/mirrors/* r,
|
||||
|
||||
# For shell pwd
|
||||
|
|
|
@ -33,7 +33,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
signal (send) peer=apt-methods-http,
|
||||
|
||||
unix type=stream addr=@@{hex16}/bus/unattended-upgr/system,
|
||||
unix type=stream addr=@@{udbus}/bus/unattended-upgr/system,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
@ -8,7 +8,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/chromium/chrome-sandbox
|
||||
profile chromium-sandbox @{exec_path} {
|
||||
profile chromium-sandbox @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
|
||||
capability dac_override,
|
||||
|
|
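Review bot: Adding `flags=(attach_disconnected)` to a setuid helper that also holds `capability dac_override` makes paths in the sandbox's detached mount namespace match the profile's absolute-path rules as if they were rooted at `/`; elsewhere in this commit such access is scoped explicitly with the `@{att}/` prefix, and doing the same here would keep the extra reach visible in the rules rather than implicit in a flag. A comment above the profile line naming the disconnected paths the sandbox actually needs would also help. The same point applies to the `polkit-agent-helper` hunk further down, which adds the flag to another setuid helper. The profile body continues outside the hunk.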
|
@ -19,6 +19,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/p11-kit>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/user-download-strict>
|
||||
include <abstractions/webkit>
|
||||
|
||||
capability dac_override,
|
||||
|
||||
|
@ -28,21 +29,14 @@ profile epiphany @{exec_path} flags=(attach_disconnected) {
|
|||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
@{bin}/bwrap rix,
|
||||
@{bin}/xdg-dbus-proxy rix,
|
||||
@{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix,
|
||||
|
||||
/usr/share/enchant*/{,**} r,
|
||||
|
||||
owner /bindfile@{rand6} rw,
|
||||
owner @{att}/.flatpak-info r,
|
||||
|
||||
owner @{user_config_dirs}/glib-2.0/ w,
|
||||
owner @{user_config_dirs}/glib-2.0/settings/ w,
|
||||
|
||||
|
@ -51,14 +45,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{tmp}/Serialized@{rand9} rw,
|
||||
owner @{tmp}/WebKit-Media-@{rand6} rw,
|
||||
|
||||
owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw,
|
||||
owner @{run}/user/@{uid}/.flatpak/ w,
|
||||
owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw,
|
||||
owner @{run}/user/@{uid}/webkitgtk/ w,
|
||||
owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw,
|
||||
owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw,
|
||||
owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw,
|
||||
|
||||
@{sys}/devices/virtual/dmi/id/chassis_type r,
|
||||
@{sys}/firmware/acpi/pm_profile r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Epiphany-@{int}.scope/memory.* r,
|
||||
|
|
|
@ -16,10 +16,11 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/bus/org.gnome.SessionManager>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
signal (receive) set=(term) peer=gdm,
|
||||
signal receive set=term peer=gdm,
|
||||
signal receive set=hup peer=gdm-session-worker,
|
||||
|
||||
#aa:dbus own bus=accessibility name=org.a11y.atspi
|
||||
#aa:dbus talk bus=session name=org.a11y.{B,b}us label=dbus-accessibility
|
||||
#aa:dbus talk bus=session name=org.a11y.{B,b}us label="@{p_dbus_accessibility}"
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
|
|
|
@ -28,6 +28,10 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
#aa:dbus own bus=accessibility name=org.freedesktop.DBus
|
||||
#aa:dbus own bus=session name=org.a11y.{B,b}us
|
||||
dbus receive bus=accessibility path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=Hello
|
||||
peer=(name=@{busname}),
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
|
|
|
@ -31,6 +31,10 @@ profile dbus-session flags=(attach_disconnected) {
|
|||
signal (send) set=(term hup kill) peer=xdg-*,
|
||||
|
||||
#aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{d,D}Bus}
|
||||
dbus receive bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=Hello
|
||||
peer=(name=@{busname}),
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
|
|
|
@ -33,7 +33,11 @@ profile dbus-system flags=(attach_disconnected) {
|
|||
|
||||
ptrace (read) peer=@{p_systemd},
|
||||
|
||||
#aa:dbus own bus=system name=org.freedesktop.DBus
|
||||
#aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus}
|
||||
dbus receive bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=Hello
|
||||
peer=(name=@{busname}),
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
|
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/{,ibus/}ibus-engine-simple
|
||||
profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/attached/consoles>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
||||
include <abstractions/ibus>
|
||||
|
@ -28,8 +29,6 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{desktop_config_dirs}/ibus/bus/ r,
|
||||
owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
|
||||
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/ibus-engine-simple>
|
||||
}
|
||||
|
||||
|
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/{,ibus/}ibus-x11
|
||||
profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/attached/consoles>
|
||||
include <abstractions/bus-accessibility>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus/org.a11y>
|
||||
|
@ -42,8 +43,6 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_config_dirs}/ibus/bus/ r,
|
||||
owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
|
||||
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/ibus-x11>
|
||||
}
|
||||
|
||||
|
|
|
@ -18,7 +18,7 @@ profile cron-apport @{exec_path} {
|
|||
|
||||
/ r,
|
||||
/var/crash/ r,
|
||||
/var/crash/*.crash w,
|
||||
/var/crash/* w,
|
||||
|
||||
include if exists <local/cron-apport>
|
||||
}
|
||||
|
|
|
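Review bot: `/var/crash/* w,` replaces `/var/crash/*.crash w,`, so the profile may now create or truncate any file name in `/var/crash/`, not only crash reports. If the need is a small set of additional suffixes, listing them in the glob (`/var/crash/*.{crash,<other-suffix>} w,`) keeps the previous restriction while covering them; otherwise a comment saying why the whole directory is needed would help. The profile starts outside the hunk.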
@ -28,7 +28,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-system),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
@ -25,7 +25,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
|
|||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-system),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
|
|
|
@ -28,15 +28,10 @@ profile cpupower @{exec_path} {
|
|||
@{sys}/devices/system/cpu/{cpufreq,cpuidle}/** r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/{cpufreq,cpuidle}/ r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/{cpufreq,cpuidle}/** r,
|
||||
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{min,max}_freq rw,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_setspeed rw,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/cpuidle/state@{int}/disable rw,
|
||||
|
||||
@{sys}/devices/system/cpu/cpu@{int}/topology/{physical_package_id,core_id} r,
|
||||
|
||||
@{sys}/devices/system/cpu/cpu@{int}/online r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/topology/{physical_package_id,core_id} r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw,
|
||||
|
||||
/dev/cpu/@{int}/msr r,
|
||||
|
||||
|
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/{,dconf/}dconf-service
|
||||
profile dconf-service @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/attached/consoles>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/dconf-write>
|
||||
|
||||
|
@ -38,8 +39,6 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{PROC}/cmdline r,
|
||||
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/dconf-service>
|
||||
}
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/fc-list
|
||||
@{exec_path} = @{bin}/fc-list @{bin}/fc-match @{bin}/fc-pattern
|
||||
profile fc-list @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent
|
||||
profile geoclue @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/attached/consoles>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/fi.w1.wpa_supplicant1>
|
||||
include <abstractions/bus/org.freedesktop.Avahi>
|
||||
|
@ -29,7 +30,7 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
|
|||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-system),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
|
|||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-session),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
|
|
|
@ -26,7 +26,7 @@ profile pipewire-media-session @{exec_path} {
|
|||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=GetConnectionUnixProcessID
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-session),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
|
|
|
@ -9,7 +9,7 @@ include <tunables/global>
|
|||
|
||||
@{exec_path} = @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9]
|
||||
@{exec_path} += @{lib}/polkit-agent-helper-[0-9]
|
||||
profile polkit-agent-helper @{exec_path} {
|
||||
profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/bus-system>
|
||||
|
|
|
@ -26,7 +26,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
|
|||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-system),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
@ -53,6 +53,9 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/polkit{,-1}/localauthority/{,**} r,
|
||||
owner /var/lib/polkit{,-1}/.cache/ rw,
|
||||
|
||||
@{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
|
||||
@{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,
|
||||
|
||||
@{run}/systemd/sessions/* r,
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
|
||||
|
|
|
@ -10,9 +10,10 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/upower
|
||||
profile upower @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/consoles>
|
||||
|
||||
# Needed?
|
||||
audit capability sys_nice,
|
||||
#aa:dbus own bus=system name=org.freedesktop.UPower label=upowerd
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
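Review bot: `# Needed?` above `audit capability sys_nice,` leaves a question in the profile instead of the information the next maintainer needs; since `audit` is what will answer it, say how, e.g. `# TODO: audit only; drop sys_nice if no AUDIT entries appear in aa-log` (the workflow in this commit already prints `aa-log -s --raw`). The page does not mark which lines in this hunk are new, so if only the `audit` qualifier was added this is purely about the comment. The profile body continues outside the hunk.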
|
@ -32,6 +32,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||
ptrace read,
|
||||
|
||||
signal receive set=term peer=gdm,
|
||||
signal receive set=hup peer=gdm-session-worker,
|
||||
|
||||
#aa:dbus own bus=session name=org.freedesktop.portal.Desktop path=/org/freedesktop/portal/desktop interface={org.freedesktop.DBus.Properties,org.freedesktop{,.impl}.portal.{Settings,Background}}
|
||||
dbus receive bus=session path=/org/freedesktop/portal/desktop
|
||||
|
@ -46,7 +47,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-session),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
|
@ -62,8 +63,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||
@{lib}/xdg-desktop-portal-validate-icon rPx,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
/ r,
|
||||
@{att}/.flatpak-info r,
|
||||
/ r,
|
||||
@{att}/.flatpak-info r,
|
||||
owner @{att}/ r,
|
||||
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/xdg-desktop-portal/** r,
|
||||
|
|
|
@ -30,6 +30,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/user-download-strict>
|
||||
|
||||
signal receive set=term peer=gdm,
|
||||
signal receive set=hup peer=gdm-session-worker,
|
||||
|
||||
unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
|
||||
|
||||
|
|
|
@ -22,7 +22,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
mount fstype=fuse.portal -> @{run}/user/@{uid}/doc/,
|
||||
|
||||
signal (receive) set=(term) peer=gdm,
|
||||
signal receive set=term peer=gdm,
|
||||
signal receive set=hup peer=gdm-session-worker,
|
||||
|
||||
ptrace (read),
|
||||
|
||||
|
@ -40,6 +41,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/flatpak rPUx,
|
||||
@{bin}/fusermount{,3} rCx -> fusermount,
|
||||
|
||||
/ r,
|
||||
owner @{att}/ r,
|
||||
owner @{att}/.flatpak-info r,
|
||||
|
||||
|
|
|
@ -15,8 +15,9 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
capability sys_nice,
|
||||
|
||||
signal (receive) set=(term hup kill) peer=dbus-session,
|
||||
signal (receive) set=(term hup kill) peer=gdm,
|
||||
signal receive set=(term hup kill) peer=dbus-session,
|
||||
signal receive set=(term hup kill) peer=gdm,
|
||||
signal receive set=(term hup kill) peer=gdm-session-worker,
|
||||
|
||||
#aa:dbus own bus=session name=org.freedesktop.impl.portal.PermissionStore
|
||||
|
||||
|
@ -42,6 +43,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_share_dirs}/flatpak/db/ rw,
|
||||
owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
|
||||
owner @{user_share_dirs}/flatpak/db/background rw,
|
||||
owner @{user_share_dirs}/flatpak/db/desktop-used-apps r,
|
||||
owner @{user_share_dirs}/flatpak/db/devices rw,
|
||||
owner @{user_share_dirs}/flatpak/db/documents rw,
|
||||
owner @{user_share_dirs}/flatpak/db/notifications rw,
|
||||
|
|
|
@ -40,7 +40,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
|
|||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionUnixProcessID,GetConnectionUnixUser}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-system),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
@ -47,7 +47,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
|||
signal (send) set=hup peer=xorg,
|
||||
signal (send) set=hup peer=xwayland,
|
||||
|
||||
unix (bind) type=stream addr=@@{hex16}/bus/gdm-session-wor/system,
|
||||
unix (bind) type=stream addr=@@{udbus}/bus/gdm-session-wor/system,
|
||||
|
||||
#aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
|
||||
|
||||
|
|
|
@ -55,7 +55,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/grep rix,
|
||||
@{bin}/locale rix,
|
||||
@{bin}/sed rix,
|
||||
@{bin}/tecla rix,
|
||||
@{bin}/tecla rPx,
|
||||
|
||||
@{bin}/bwrap rCx -> bwrap,
|
||||
@{bin}/gkbd-keyboard-display rPx,
|
||||
|
|
|
@ -38,14 +38,14 @@ profile gnome-extension-ding @{exec_path} {
|
|||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-session),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus*
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-session),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus*
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-system),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
||||
|
||||
dbus send bus=session path=/org/gtk/vfs/metadata
|
||||
interface=org.gtk.vfs.Metadata
|
||||
|
|
|
@ -17,6 +17,7 @@ profile gnome-session @{exec_path} {
|
|||
|
||||
@{shells_path} rix,
|
||||
@{bin}/cat rix,
|
||||
@{bin}/find rix,
|
||||
@{bin}/gettext rix,
|
||||
@{bin}/gettext.sh r,
|
||||
@{bin}/grep rix,
|
||||
|
@ -32,6 +33,7 @@ profile gnome-session @{exec_path} {
|
|||
@{bin}/tr rix,
|
||||
@{bin}/tty rix,
|
||||
@{bin}/uname rPx,
|
||||
@{bin}/xargs rix,
|
||||
|
||||
@{bin}/dpkg-query rpx,
|
||||
@{bin}/flatpak rCx -> flatpak,
|
||||
|
@ -57,6 +59,7 @@ profile gnome-session @{exec_path} {
|
|||
/etc/X11/Xsession.d/*im-config_launch r,
|
||||
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/loginuid r,
|
||||
|
||||
/dev/tty@{int} rw,
|
||||
|
|
|
@ -37,7 +37,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment}
|
||||
peer=(name=org.freedesktop.DBus label=dbus-session),
|
||||
peer=(name=org.freedesktop.DBus label="@{p_dbus_session}"),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd1.Manager
|
||||
|
|
|
@ -17,7 +17,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
include <abstractions/bus/net.hadess.SwitcherooControl>
|
||||
include <abstractions/bus/net.reactivated.Fprint>
|
||||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/bus/org.freedesktop.Accounts>
|
||||
include <abstractions/bus/org.freedesktop.background.Monitor>
|
||||
include <abstractions/bus/org.freedesktop.FileManager1>
|
||||
include <abstractions/bus/org.freedesktop.GeoClue2>
|
||||
|
@ -83,6 +82,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
|
||||
# Talk with gnome-shell
|
||||
|
||||
#aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
|
||||
#aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
|
||||
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
|
||||
#aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
|
||||
|
@ -112,22 +112,22 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-system),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
||||
|
||||
# Session bus
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-session),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-session),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
|
||||
dbus send bus=session path=/
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionUnixProcessID,GetNameOwner,ListNames}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-session),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||
interface=org.a11y.atspi.Socket
|
||||
|
@ -161,7 +161,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
dbus send bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-session),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
|
||||
|
||||
dbus send bus=session path=/org/gnome/*/SearchProvider
|
||||
interface=org.gnome.Shell.SearchProvider2
|
||||
|
@ -175,6 +175,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
@{bin}/glib-compile-schemas rPx,
|
||||
@{bin}/ibus-daemon rPx,
|
||||
@{bin}/Xwayland rPx,
|
||||
@{bin}/tecla rPx,
|
||||
@{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx,
|
||||
@{lib}/mutter-x11-frames rPx,
|
||||
#aa:exec polkit-agent-helper
|
||||
|
@ -198,10 +199,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/gdm/greeter/applications/{,**} r,
|
||||
/usr/share/libgweather/Locations.xml r,
|
||||
/usr/share/libinput*/ r,
|
||||
/usr/share/libinput*/{,**/}@{int2}-*.quirks r,
|
||||
/usr/share/libinput*/libinput/ r,
|
||||
/usr/share/libinput*/{,**} r,
|
||||
/usr/share/libwacom/{,*.stylus,*.tablet} r,
|
||||
/usr/share/poppler/{,**} r,
|
||||
/usr/share/wallpapers/** r,
|
||||
/usr/share/wayland-sessions/{,*.desktop} r,
|
||||
/usr/share/xml/iso-codes/{,**} r,
|
||||
|
|
|
@ -43,7 +43,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
|
|||
dbus send bus=session path=/
|
||||
interface=org.freedesktop.DBus
|
||||
member=ListNames
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-session),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
|
||||
|
||||
dbus send bus=session path=/org/gnome/SettingsDaemon/Power
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
|
|
|
@ -41,7 +41,7 @@ profile gsd-xsettings @{exec_path} {
|
|||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=GetId
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-session),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
@ -17,7 +17,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/user-read-strict>
|
||||
include <abstractions/user-write-strict>
|
||||
|
||||
signal (send) set=(kill) peer=loupe//bwrap,
|
||||
signal send set=kill peer=loupe//bwrap,
|
||||
|
||||
#aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
|
||||
|
||||
|
@ -30,6 +30,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/ r,
|
||||
|
||||
owner @{user_cache_dirs}/glycin/{,**} rw,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
|
||||
@{sys}/fs/cgroup/user.slice/cpu.max r,
|
||||
|
@ -51,7 +53,9 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
|
|||
signal (receive) set=(kill) peer=loupe,
|
||||
|
||||
@{bin}/bwrap mr,
|
||||
@{lib}/glycin-loaders/*/glycin-image-rs rix,
|
||||
@{lib}/glycin-loaders/*/glycin-* rix,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||
|
||||
|
|
|
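Review bot: `@{lib}/glycin-loaders/*/glycin-* rix,` subsumes the `@{lib}/glycin-loaders/*/glycin-image-rs rix,` rule on the line above it, so the narrower line is now dead and one of the two should go. Per the 7 → 9 hunk counts both lines sit on the new side and nothing is removed, although the rendered hunk does not mark which one is the addition. Because `glycin-*` runs every binary in that loader directory under the sandbox child's own rules (`ix`), a short comment such as `# any loader installed here inherits this child's permissions` would make the widening deliberate for the next reader. The sandbox child profile these rules belong to opens outside the hunk.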
@ -43,12 +43,12 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
|||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=ListActivatableNames
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-session),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/dbus
|
||||
interface=org.freedesktop.DBus
|
||||
member=NameHasOwner
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-session),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/org.gnome.NautilusPreviewer
|
||||
profile org.gnome.NautilusPreviewer @{exec_path} {
|
||||
profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/dconf-write>
|
||||
|
|
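Review bot: `flags=(attach_disconnected)` is added to the profile header without a comment or an accompanying `@{att}/` rule, so it is not clear which disconnected path the previewer hits; the flag makes such paths match as if they were rooted at `/`, which widens what the existing path rules cover. A one-line comment above the header naming the path from the denial, e.g. `# attach_disconnected: <path from aa-log>`, or the matching `@{att}/` rule, would document why the flag is needed. The profile body continues outside the hunk.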
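--- a/apparmor.d/groups/gnome/tecla
+++ b/apparmor.d/groups/gnome/tecla
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/tecla
+profile tecla @{exec_path} {
+include <abstractions/base>
+include <abstractions/common/gnome>
+
+@{exec_path} mr,
+
+include if exists <local/tecla>
+}
+
+# vim:syntax=apparmor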
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/dirmngr
|
||||
profile dirmngr @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/p11-kit>
|
||||
include <abstractions/ssl_certs>
|
||||
|
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/gnupg/keyboxd
|
||||
profile keyboxd @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
@ -37,7 +37,6 @@ profile startplasma @{exec_path} {
|
|||
/usr/share/kservicetypes5/{,**} r,
|
||||
/usr/share/plasma/{,**} r,
|
||||
|
||||
/etc/locale.alias r,
|
||||
/etc/machine-id r,
|
||||
/etc/xdg/menus/{,**} r,
|
||||
/etc/xdg/plasma-workspace/env/{,*} r,
|
||||
|
|
|
@ -25,9 +25,13 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{run}/udev/data/+acpi:* r, # for acpi
|
||||
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
|
||||
@{run}/udev/data/+platform:* r,
|
||||
@{run}/udev/data/+pnp:* r,
|
||||
@{run}/udev/data/+serial*:* r,
|
||||
@{run}/udev/data/+usb:* r,
|
||||
@{run}/udev/data/+vmbus:* r,
|
||||
@{run}/udev/data/c16[6,7]:@{int} r, # USB modems
|
||||
@{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
|
||||
@{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]*
|
||||
|
@ -43,9 +47,9 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/class/tty/ r,
|
||||
@{sys}/class/wwan/ r,
|
||||
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/@{pci}/revision r,
|
||||
@{sys}/devices/virtual/net/*/ r,
|
||||
@{sys}/devices/**/net/*/ r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/virtual/tty/*/ r,
|
||||
|
||||
include if exists <local/ModemManager>
|
||||
|
|
|
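Review bot: `@{run}/udev/data/c16[6,7]:@{int} r,` and `@{run}/udev/data/c18[0,8,9]:@{int} r,` use AppArmor character classes, in which the comma is an ordinary member, so these also match a major of `16,` and `18,`; `c16[67]:@{int}` and `c18[089]:@{int}` express the intent without the stray character. The rendered hunk does not mark which of the thirteen lines are the four additions, so these two may be pre-existing, but the fix is the same either way. The `+pci:*` line carries a scope comment; the other `+...:*` udev-data lines would benefit from the same one-phrase justification style as `# for acpi`.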
@ -47,6 +47,10 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
|
|||
#aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher
|
||||
#aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/nm_dispatcher
|
||||
interface=org.freedesktop.nm_dispatcher
|
||||
peer=(name=org.freedesktop.nm_dispatcher),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
member=GetManagedObjects
|
||||
|
@ -70,7 +74,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
|
|||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-system),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
@ -128,10 +132,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/udev/data/+rfkill:* r,
|
||||
@{run}/udev/data/n@{int} r,
|
||||
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/virtual/net/{,**} r,
|
||||
@{sys}/devices/@{pci}/net/*/{,**} r,
|
||||
@{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r,
|
||||
@{sys}/devices/**/@{uuid}/net/*/{,**} r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/virtual/net/{,**} r,
|
||||
|
||||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/1/environ r,
|
||||
|
|
|
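Review bot: The `dbus send bus=system path=/org/freedesktop/nm_dispatcher` rule in the first hunk names its peer without a `label=`, so any process that acquires the `org.freedesktop.nm_dispatcher` name is an accepted receiver, whereas the `#aa:dbus talk ... label=nm-dispatcher` directive above it pins the name to the nm-dispatcher profile. If the directive does not already generate this send rule, the explicit rule should carry the same label, `peer=(name=org.freedesktop.nm_dispatcher, label=nm-dispatcher),`; if it does, the explicit rule is redundant and can go. The rendered hunk does not mark additions; the 6 → 10 counts suggest the three-line send rule is among them.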
@ -35,6 +35,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/chmod rix,
|
||||
@{bin}/cmp rix,
|
||||
@{bin}/mkdir rix,
|
||||
@{bin}/resolvconf rPx,
|
||||
@{bin}/rm rix,
|
||||
@{bin}/sed rix,
|
||||
@{lib}/dhcpcd/dhcpcd-run-hooks rix,
|
||||
|
|
|
@ -12,6 +12,8 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/python>
|
||||
|
||||
network netlink raw,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{lib}/netplan/generate rix,
|
||||
|
@ -22,21 +24,34 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/etc/netplan/{,*} r,
|
||||
|
||||
@{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} rw,
|
||||
@{run}/netplan/ r,
|
||||
|
||||
@{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf{,.@{rand6}} rw,
|
||||
@{run}/NetworkManager/system-connections/ rw,
|
||||
@{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw,
|
||||
|
||||
@{run}/systemd/network/ r,
|
||||
@{run}/systemd/network/@{int}-netplan{,-*}.{network,link}{,.@{rand6}} rw,
|
||||
@{run}/systemd/system/ r,
|
||||
@{run}/systemd/system/netplan-* rw,
|
||||
@{run}/systemd/system/systemd-networkd-wait-online.service.d/ r,
|
||||
@{run}/systemd/system/systemd-networkd-wait-online.service.d/@{int}-netplan.conf{,.@{rand6}} rw,
|
||||
@{run}/systemd/system/systemd-networkd.service.wants/ rw,
|
||||
@{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw,
|
||||
|
||||
@{run}/udev/rules.d/ r,
|
||||
@{run}/udev/rules.d/90-netplan.rules{,.@{rand6}} rw,
|
||||
@{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw,
|
||||
|
||||
@{sys}/devices/**/net/*/address r,
|
||||
|
||||
profile udevadm {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app/udevadm>
|
||||
|
||||
@{run}/udev/control rw,
|
||||
capability net_admin,
|
||||
|
||||
@{att}/@{run}/udev/control rw,
|
||||
|
||||
@{run}/udev/rules.d/90-netplan.rules rw,
|
||||
@{run}/udev/rules.d/90-netplan.rules.@{rand6} rw,
|
||||
|
||||
|
@ -49,6 +64,8 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
capability net_admin,
|
||||
|
||||
@{att}/@{run}/systemd/private rw,
|
||||
|
||||
include if exists <local/netplan.script_systemctl>
|
||||
}
|
||||
|
||||
|
|
|
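Review bot: `@{run}/systemd/system/netplan-* rw,` matches anything in the runtime unit directory whose name starts with `netplan-`, directories included; the companion rule `@{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw,` suggests the generated units are `.service` files, so `@{run}/systemd/system/netplan-*.service rw,` (plus the `{,.@{rand6}}` suffix if netplan writes them through a temporary file, as the other rules in this hunk assume) would be the tighter match if that holds for all of them. In the `udevadm` child profile, `capability net_admin,` arrives without a comment stating which operation needs it; recording the denied operation next to it keeps the grant reviewable. `profile udevadm {` is visible in the hunk, but its closing brace and the `systemctl` child touched by the second hunk lie outside the visible lines.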
@ -26,6 +26,7 @@ profile networkd-dispatcher @{exec_path} {
|
|||
@{bin}/sed rix,
|
||||
|
||||
@{lib}/networkd-dispatcher/routable.d/postfix rix,
|
||||
@{lib}/NetworkManager/dispatcher.d/@{int}-chrony-onoffline rix,
|
||||
|
||||
/etc/networkd-dispatcher/{,**} r,
|
||||
|
||||
|
|
|
@ -11,6 +11,7 @@ profile nm-online @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.freedesktop.NetworkManager>
|
||||
include <abstractions/consoles>
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int}
|
||||
interface=org.freedesktop.NetworkManager.Connection.Active
|
||||
|
|
|
@ -9,10 +9,14 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/nmcli
|
||||
profile nmcli @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/consoles>
|
||||
|
||||
capability dac_read_search,
|
||||
capability sys_nice,
|
||||
|
||||
#aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{pager_path} rPx -> child-pager,
|
||||
|
|
|
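Review bot: `capability dac_read_search,` lets nmcli bypass directory-search and file-read permission checks, a broad grant for a D-Bus client whose privileged work is done by NetworkManager, and the hunk does not say which access triggered it. If it stems from a single denied path (aa-log would show it), a targeted path rule or an explicit `deny` for that path is preferable; otherwise a comment recording the reason, e.g. `capability dac_read_search, # <path from the denial>`, keeps the grant reviewable, and the same goes for `capability sys_nice,` on the next line. The rendered hunk does not mark additions; the 10 → 14 counts suggest both capability lines are among them.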
@ -84,6 +84,7 @@ profile yay @{exec_path} {
|
|||
|
||||
@{bin}/gpg{,2} mr,
|
||||
@{bin}/gpg-agent rPx,
|
||||
@{bin}/dirmngr rPx,
|
||||
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
|
||||
|
|
|
@ -27,7 +27,7 @@ profile ssh-agent-launch @{exec_path} {
|
|||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=UpdateActivationEnvironment
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-session),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd1.Manager
|
||||
|
|
|
@ -22,6 +22,7 @@ profile ssh-keygen @{exec_path} {
|
|||
owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw,
|
||||
|
||||
/tmp/snapd@{int}/*_*{,.pub} w,
|
||||
/tmp/snapd@{int}/*.key{,.pub} w,
|
||||
|
||||
/dev/tty@{int} rw,
|
||||
/dev/ttyS@{int} rw,
|
||||
|
|
|
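Review bot: `/tmp/snapd@{int}/*.key{,.pub} w,` and the line above it lack the `owner` qualifier that the `owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw,` rule in the same hunk uses, so the profile permits writing key files into a `/tmp/snapd*` directory regardless of who owns it. Since the key material is written by the invoking user, `owner /tmp/snapd@{int}/*.key{,.pub} w,` is the tighter form; if that directory is created by a different uid, that is worth a comment on the rule. Only one of the two `/tmp/snapd@{int}` lines is new according to the 6 → 7 counts, but the qualifier applies to both.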
@ -53,7 +53,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
ptrace (read,trace) peer=@{p_systemd},
|
||||
|
||||
unix (bind) type=stream addr=@@{hex16}/bus/sshd/system,
|
||||
unix (bind) type=stream addr=@@{udbus}/bus/sshd/system,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.Manager
|
||||
|
|
|
@ -22,7 +22,7 @@ profile busctl @{exec_path} {
|
|||
|
||||
ptrace (read),
|
||||
|
||||
unix (bind) type=stream addr=@@{hex16}/bus/busctl/busctl,
|
||||
unix (bind) type=stream addr=@@{udbus}/bus/busctl/busctl,
|
||||
|
||||
signal (send) set=(cont) peer=child-pager,
|
||||
|
||||
|
@ -33,7 +33,7 @@ profile busctl @{exec_path} {
|
|||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus.Monitoring
|
||||
member=BecomeMonitor
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-system),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
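--- a/apparmor.d/groups/systemd/homectl
+++ b/apparmor.d/groups/systemd/homectl
@@ -0,0 +1,39 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/homectl
+profile homectl @{exec_path} {
+include <abstractions/base>
+include <abstractions/bus-system>
+include <abstractions/common/systemd>
+include <abstractions/consoles>
+include <abstractions/nameservice-strict>
+
+capability net_admin,
+capability sys_resource,
+
+signal send peer=child-pager,
+
+#aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed
+
+@{exec_path} mr,
+
+@{bin}/pkttyagent rpx,
+
+@{pager_path} rPx -> child-pager,
+
+/etc/machine-id r,
+
+owner @{PROC}/@{pids}/cgroup r,
+
+/dev/tty rw,
+
+include if exists <local/homectl>
+}
+
+# vim:syntax=apparmor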
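Review bot: `@{bin}/pkttyagent rpx,` uses the lower-case `p`, which transitions to the pkttyagent profile without scrubbing the environment, while the neighbouring `@{pager_path} rPx -> child-pager,` uses the scrubbing form. A polkit text agent is a privilege-mediating helper, so unless it is known to need homectl's environment, `@{bin}/pkttyagent rPx,` is the safer default and matches how this commit confines tecla and dirmngr from other profiles. `capability net_admin,` and `capability sys_resource,` carry no comment stating which operation needs them; one line each, e.g. `capability net_admin, # <reason from the denial>`, would help the next reviewer.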
@ -10,10 +10,13 @@ include <tunables/global>
|
|||
profile hostnamectl @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.freedesktop.systemd1>
|
||||
include <abstractions/consoles>
|
||||
|
||||
capability net_admin,
|
||||
|
||||
unix bind type=stream addr=@@{udbus}/bus/hostnamectl/system,
|
||||
|
||||
#aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
@ -24,7 +24,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
ptrace (read) peer=@{p_systemd},
|
||||
|
||||
unix (bind) type=stream addr=@@{hex16}/bus/networkctl/system,
|
||||
unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system,
|
||||
|
||||
#aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd
|
||||
# No label available
|
||||
|
|
|
@ -22,6 +22,8 @@ profile systemd-analyze @{exec_path} {
|
|||
|
||||
signal (send) peer=child-pager,
|
||||
|
||||
unix bind type=stream addr=@@{udbus}/bus/systemd-analyze/system,
|
||||
|
||||
#aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
@ -9,14 +9,13 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/systemd-cat
|
||||
profile systemd-cat @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app-launcher-root>
|
||||
include <abstractions/consoles>
|
||||
|
||||
capability net_admin,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/cat rix,
|
||||
@{bin}/echo rix,
|
||||
|
||||
include if exists <local/systemd-cat>
|
||||
}
|
||||
|
||||
|
|
|
@ -9,8 +9,17 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/systemd-cgls
|
||||
profile systemd-cgls @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.freedesktop.systemd1>
|
||||
include <abstractions/consoles>
|
||||
|
||||
ptrace (read),
|
||||
capability sys_ptrace,
|
||||
|
||||
ptrace read,
|
||||
|
||||
signal send set=cont peer=child-pager,
|
||||
|
||||
unix bind type=stream addr=@@{udbus}/bus/systemd-cgls/system,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
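Review bot: The new side keeps `ptrace (read),` and also gains `ptrace read,`, which is the same rule in the parenthesised and the bare syntax; per the hunk counts (8 → 17 with 17 lines shown) nothing is removed, so both remain. One of them should go — elsewhere in this commit the signal and unix rules are being rewritten to the bare form (loupe, xdg-document-portal, hostnamectl), so keep `ptrace read,` and drop the parenthesised line. `capability sys_ptrace,` sits between the two ptrace lines; placing it with the other capability rules above them would match the layout of the other systemd profiles in this commit.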
@ -10,7 +10,6 @@ include <tunables/global>
|
|||
profile systemd-escape @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/common/systemd>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
@ -35,6 +35,8 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
|
|||
mount options=(rw, rslave) -> @{run}/,
|
||||
mount /dev/dm-@{int} -> @{run}/systemd/user-home-mount/,
|
||||
|
||||
unix bind type=stream addr=@@{udbus}/bus/systemd-homed/system,
|
||||
|
||||
#aa:dbus own bus=system name=org.freedesktop.home1
|
||||
|
||||
@{exec_path} mr,
|
||||
|
@ -61,6 +63,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/systemd/home/{,**} rw,
|
||||
@{run}/systemd/userdb/io.systemd.home r,
|
||||
@{run}/systemd/user-home-mount/{,**} rw,
|
||||
@{run}/systemd/notify w,
|
||||
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/fs/ r,
|
||||
|
|
|
@ -18,14 +18,14 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
network unix stream,
|
||||
|
||||
unix (bind) type=stream addr=@@{hex16}/bus/systemd-hostnam/system,
|
||||
unix (bind) type=stream addr=@@{udbus}/bus/systemd-hostnam/system,
|
||||
|
||||
#aa:dbus own bus=system name=org.freedesktop.hostname1
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=GetConnectionUnixUser
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-system),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
@ -37,8 +37,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/machine-info rw,
|
||||
/etc/os-release r,
|
||||
|
||||
@{att}/@{run}/systemd/notify rw,
|
||||
|
||||
@{run}/systemd/default-hostname rw,
|
||||
@{run}/systemd/notify rw,
|
||||
@{run}/udev/data/+dmi:* r, # for motherboard info
|
||||
|
||||
@{sys}/devices/virtual/dmi/id/ r,
|
||||
|
|
|
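Review bot: `@{att}/@{run}/systemd/notify rw,` grants read as well as write, while the same commit gives systemd-logind, systemd-oomd and systemd-resolved only `@{att}/@{run}/systemd/notify w,`; sd_notify only sends on that socket, so `w` is sufficient here too. The same `rw` appears in the systemd-localed, systemd-timedated and systemd-timesyncd sections of this commit, which probably just mirror the older `@{run}/systemd/notify rw,` line next to them; aligning all of them on `w` keeps the least-privilege form consistent across the systemd profiles.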
@ -14,7 +14,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/consoles>
|
||||
include <abstractions/common/systemd>
|
||||
|
||||
unix (bind) type=stream addr=@@{hex16}/bus/systemd-localed/system,
|
||||
unix (bind) type=stream addr=@@{udbus}/bus/systemd-localed/system,
|
||||
|
||||
#aa:dbus own bus=system name=org.freedesktop.locale1
|
||||
|
||||
|
@ -35,7 +35,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/X11/xorg.conf.d/.#*.confd* rw,
|
||||
/etc/X11/xorg.conf.d/*.conf rw,
|
||||
|
||||
@{run}/systemd/notify rw,
|
||||
@{att}/@{run}/systemd/notify rw,
|
||||
|
||||
include if exists <local/systemd-localed>
|
||||
}
|
||||
|
|
|
@ -29,7 +29,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
mqueue r type=posix /,
|
||||
|
||||
unix (bind) type=stream addr=@@{hex16}/bus/systemd-logind/system,
|
||||
unix (bind) type=stream addr=@@{udbus}/bus/systemd-logind/system,
|
||||
|
||||
#aa:dbus own bus=system name=org.freedesktop.login1
|
||||
|
||||
|
@ -43,7 +43,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
|
|||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetConnectionCredentials}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-system),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
@ -94,10 +94,12 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card*
|
||||
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
|
||||
|
||||
@{att}/@{run}/systemd/notify w,
|
||||
@{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,
|
||||
|
||||
@{run}/systemd/inhibit/ rw,
|
||||
@{run}/systemd/inhibit/.#* rw,
|
||||
@{run}/systemd/inhibit/@{int}{,.ref} rw,
|
||||
@{run}/systemd/notify rw,
|
||||
@{run}/systemd/seats/ rw,
|
||||
@{run}/systemd/seats/.#seat* rw,
|
||||
@{run}/systemd/seats/seat@{int} rw,
|
||||
|
|
|
@ -13,6 +13,7 @@ profile systemd-modules-load @{exec_path} {
|
|||
include <abstractions/common/systemd>
|
||||
|
||||
capability net_admin,
|
||||
capability perfmon,
|
||||
capability sys_module,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
@ -27,7 +27,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
|
|||
network packet dgram,
|
||||
network packet raw,
|
||||
|
||||
unix (bind) type=stream addr=@@{hex16}/bus/systemd-network/bus-api-network,
|
||||
unix (bind) type=stream addr=@@{udbus}/bus/systemd-network/bus-api-network,
|
||||
|
||||
#aa:dbus own bus=system name=org.freedesktop.network1
|
||||
|
||||
|
|
|
@ -15,7 +15,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
|
|||
capability dac_override,
|
||||
capability kill,
|
||||
|
||||
unix (bind) type=stream addr=@@{hex16}/bus/systemd-oomd/bus-api-oom,
|
||||
unix (bind) type=stream addr=@@{udbus}/bus/systemd-oomd/bus-api-oom,
|
||||
|
||||
#aa:dbus own bus=system name=org.freedesktop.oom1
|
||||
|
||||
|
@ -24,9 +24,11 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/systemd/oomd.conf r,
|
||||
/etc/systemd/oomd.conf.d/{,**} r,
|
||||
|
||||
@{att}/@{run}/systemd/notify w,
|
||||
@{att}/@{run}/systemd/io.systemd.ManagedOOM rw,
|
||||
|
||||
@{run}/systemd/io.system.ManagedOOM rw,
|
||||
@{run}/systemd/io.systemd.ManagedOOM rw,
|
||||
@{run}/systemd/notify rw,
|
||||
|
||||
@{sys}/fs/cgroup/cgroup.controllers r,
|
||||
@{sys}/fs/cgroup/memory.* r,
|
||||
|
|
|
@ -34,15 +34,16 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
|
|||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-system),
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/systemd/resolved.conf r,
|
||||
/etc/systemd/resolved.conf.d/{,*} r,
|
||||
|
||||
@{att}/@{run}/systemd/notify w,
|
||||
|
||||
@{run}/systemd/netif/links/* r,
|
||||
@{run}/systemd/notify rw,
|
||||
@{run}/systemd/resolve/{,**} rw,
|
||||
|
||||
@{PROC}/@{pid}/cgroup r,
|
||||
|
|
|
@ -11,6 +11,7 @@ profile systemd-sleep-nvidia @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability perfmon,
|
||||
capability sys_admin,
|
||||
capability sys_tty_config,
|
||||
|
||||
|
|
|
@ -16,8 +16,12 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
|
|||
capability fsetid,
|
||||
capability net_admin,
|
||||
|
||||
signal send set=cont peer=child-pager,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{pager_path} rPx -> child-pager,
|
||||
|
||||
# Config file locations
|
||||
/etc/sysusers.d/{,*.conf} r,
|
||||
@{run}/sysusers.d/{,*.conf} r,
|
||||
|
@ -40,6 +44,8 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/.#{group,gshadow}@{hex} rw,
|
||||
/etc/.pwd.lock rwk,
|
||||
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
|
||||
/dev/tty@{int} rw,
|
||||
owner /dev/pts/@{int} rw,
|
||||
|
||||
|
|
|
@ -15,7 +15,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
capability sys_time,
|
||||
|
||||
unix (bind) type=stream addr=@@{hex16}/bus/systemd-timedat/system,
|
||||
unix (bind) type=stream addr=@@{udbus}/bus/systemd-timedat/system,
|
||||
|
||||
#aa:dbus own bus=system name=org.freedesktop.timedate1
|
||||
|
||||
|
@ -35,7 +35,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/.#timezone* rw,
|
||||
/etc/timezone rw,
|
||||
|
||||
@{run}/systemd/notify rw,
|
||||
@{att}/@{run}/systemd/notify rw,
|
||||
|
||||
/dev/rtc@{int} r,
|
||||
|
||||
|
|
|
@ -21,7 +21,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
|
|||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
||||
unix (bind) type=stream addr=@@{hex16}/bus/systemd-timesyn/bus-api-timesync,
|
||||
unix (bind) type=stream addr=@@{udbus}/bus/systemd-timesyn/bus-api-timesync,
|
||||
unix (send, receive) type=dgram addr=none peer=(label=@{p_systemd}, addr=none),
|
||||
|
||||
#aa:dbus own bus=system name=org.freedesktop.timesync1
|
||||
|
@ -34,9 +34,10 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner /var/lib/systemd/timesync/clock rw,
|
||||
|
||||
@{att}/@{run}/systemd/notify rw,
|
||||
|
||||
@{run}/resolvconf/*.conf r,
|
||||
@{run}/systemd/netif/state r,
|
||||
@{run}/systemd/notify rw,
|
||||
@{run}/systemd/timesyncd.conf.d/{,**} r,
|
||||
owner @{run}/systemd/timesync/synchronized rw,
|
||||
|
||||
|
|