mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-14 23:43:56 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update profiles.

Browse Source
This commit is contained in:
Alexandre Pujol 2022-01-09 20:23:18 +01:00
parent accf5538bd
commit 2e7b6f8ba8
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
13 changed files with 28 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
apparmor.d/abstractions/fontconfig-cache-write
View File

@ -26,6 +26,11 @@
/usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} r,
deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w,
owner /var/cache/fontconfig/{,**} rw,
owner /var/cache/fontconfig/*.cache-[0-9]* rwk,
owner /var/cache/fontconfig/*.cache-[0-9]*.LCK rwl,
owner /var/cache/fontconfig/CACHEDIR.TAG.LCK rwl,
# For fonts downloaded via font-manager (###FIXME### when they fix resolving of vars)
owner @{user_share_dirs}/fonts/ rw,
owner @{user_share_dirs}/fonts/**/.uuid{,.NEW,.LCK,.TMP-*} rw,

12
apparmor.d/abstractions/python.d/complete
View File

@ -3,11 +3,11 @@
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
/usr/bin/python{2.[4-7],3,3.[0-9]} r,
/{usr/,}bin/python{2.[4-7],3,3.[0-9]*} r,
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/**/ r,
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]*}/{site,dist}-packages/**/ r,
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]}/**.{pyc,so} mr,
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]}/**.{egg,py,pth} r,
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/ r,
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/**/ r,
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]*}/**.{pyc,so} mr,
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]*}/**.{egg,py,pth} r,
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]*}/{site,dist}-packages/ r,
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]*}/{site,dist}-packages/**/ r,

3
apparmor.d/groups/browsers/firefox
View File

@ -86,10 +86,11 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
/{usr/,}lib/mozilla/plugins/ r,
/{usr/,}lib/mozilla/plugins/libvlcplugin.so mr,
/usr/share/doc/{,**} r,
/usr/share/egl/{,**} r,
/usr/share/firefox/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/mozilla/extensions/{,**} r,
/usr/share/webext/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/firefox/{,**} r,
/etc/fstab r,

1
apparmor.d/groups/bus/ibus-extension-gtk3
View File

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/ibus/ibus-extension-gtk3
profile ibus-extension-gtk3 @{exec_path} {
include <abstractions/base>
include <abstractions/fontconfig-cache-write>
include <abstractions/fonts>
include <abstractions/gtk>
include <abstractions/nameservice-strict>

1
apparmor.d/groups/gnome/gnome-shell
View File

@ -13,6 +13,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
include <abstractions/audio>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fontconfig-cache-write>
include <abstractions/gnome>
include <abstractions/mesa>
include <abstractions/nameservice-strict>

2
apparmor.d/groups/pacman/pacman-hook-dconf
View File

@ -10,6 +10,8 @@ include <tunables/global>
profile pacman-hook-dconf @{exec_path} {
include <abstractions/base>
capability dac_read_search,
@{exec_path} mr,
/{usr/,}bin/bash rix,

1
apparmor.d/groups/systemd/systemd-sleep
View File

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-sleep
profile systemd-sleep @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/systemd-common>
capability net_admin,

1
apparmor.d/profiles-a-f/browserpass
View File

@ -36,6 +36,7 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
deny network inet stream,
deny owner @{user_share_dirs}/gvfs-metadata/{,**} r,
deny owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw,
deny owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
deny /dev/dri/card[0-9]* rw,
deny /dev/dri/renderD128 rw,

7
apparmor.d/profiles-g-l/gtk-query-immodules
View File

@ -10,10 +10,13 @@ include <tunables/global>
profile gtk-query-immodules @{exec_path} {
include <abstractions/base>
capability dac_override,
capability dac_override,
@{exec_path} mr,
/{usr/,}lib/gtk-{3,4}.0/**/immodules.cache w,
/{usr/,}lib/gtk-{3,4}.0/**/immodules.cache.[0-9A-Z]* w,
/{usr/,}lib/gtk-{2,3,4}.0/**/immodules.cache w,
/{usr/,}lib/gtk-{2,3,4}.0/**/immodules.cache.[0-9A-Z]* w,
# Inherit silencer
deny network inet6 stream,

2
apparmor.d/profiles-s-z/udiskie
View File

@ -23,7 +23,7 @@ profile udiskie @{exec_path} {
include <abstractions/deny-root-dir-access>
@{exec_path} r,
/{usr/,}bin/python3.[0-9] r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/xdg-open rCx -> open,

2
apparmor.d/profiles-s-z/udiskie-info
View File

@ -12,7 +12,7 @@ profile udiskie-info @{exec_path} {
include <abstractions/python>
@{exec_path} r,
/{usr/,}bin/python3.[0-9] r,
/{usr/,}bin/python3.[0-9]* r,
/usr/bin/ r,

2
apparmor.d/profiles-s-z/udiskie-mount
View File

@ -12,7 +12,7 @@ profile udiskie-mount @{exec_path} {
include <abstractions/python>
@{exec_path} r,
/{usr/,}bin/python3.[0-9] r,
/{usr/,}bin/python3.[0-9]* r,
/usr/bin/ r,

2
apparmor.d/profiles-s-z/udiskie-umount
View File

@ -12,7 +12,7 @@ profile udiskie-umount @{exec_path} {
include <abstractions/python>
@{exec_path} r,
/{usr/,}bin/python3.[0-9] r,
/{usr/,}bin/python3.[0-9]* r,
/usr/bin/ r,