refactor(profiles): use @{bin} and @{lib} in profiles (2)
parent
bb71f49598
commit
2eed3b725f
101 changed files with 538 additions and 538 deletions
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/dbus-daemon
|
||||
@{exec_path} = @{bin}/dbus-daemon
|
||||
profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
@ -38,21 +38,21 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/ r,
|
||||
@{bin}/ r,
|
||||
|
||||
@{libexec}/{,at-spi2{,-core}/}at-spi2-registryd rPx,
|
||||
@{libexec}/* rPUx,
|
||||
@{libexec}/gnome-shell/gnome-shell-calendar-server rPx,
|
||||
@{libexec}/kauth/* rPx,
|
||||
@{libexec}/kf5/kiod5 rPUx,
|
||||
@{libexec}/xfce[0-9]/xfconf/xfconfd rPx,
|
||||
/{usr/,}bin/[a-z0-9]* rPUx,
|
||||
/{usr/,}lib{,exec}/dbus-1*/dbus-daemon-launch-helper rPx,
|
||||
/{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx,
|
||||
/{usr/,}lib/@{multiarch}/xfce[0-9]/xfconf/xfconfd rPx,
|
||||
/{usr/,}lib/atril/atrild rPx,
|
||||
/{usr/,}lib/ibus/ibus-* rPx,
|
||||
/{usr/,}lib/telepathy/mission-control-5 rPx,
|
||||
@{bin}/[a-z0-9]* rPUx,
|
||||
@{lib}/{,at-spi2{,-core}/}at-spi2-registryd rPx,
|
||||
@{lib}/@{multiarch}/tumbler-1/tumblerd rPUx,
|
||||
@{lib}/@{multiarch}/xfce[0-9]/xfconf/xfconfd rPx,
|
||||
@{lib}/* rPUx,
|
||||
@{lib}/atril/atrild rPx,
|
||||
@{lib}/dbus-1*/dbus-daemon-launch-helper rPx,
|
||||
@{lib}/gnome-shell/gnome-shell-calendar-server rPx,
|
||||
@{lib}/ibus/ibus-* rPx,
|
||||
@{lib}/kauth/* rPx,
|
||||
@{lib}/kf5/kiod5 rPUx,
|
||||
@{lib}/telepathy/mission-control-5 rPx,
|
||||
@{lib}/xfce[0-9]/xfconf/xfconfd rPx,
|
||||
/usr/share/gnome-documents/org.gnome.Documents rPx,
|
||||
/usr/share/org.gnome.Characters/org.gnome.Characters rPx,
|
||||
/usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
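Review bot: The wildcard exec rules `@{bin}/[a-z0-9]* rPUx,` and `@{lib}/* rPUx,` in the second dbus-daemon hunk probably match more paths than the rules they replace, and both fall back to unconfined execution when the target has no profile. The tunable definitions are not shown on this page, but elsewhere this commit substitutes `@{bin}` for `/{usr/,}sbin/...` paths and `@{lib}` for `/{usr/,}lib{,exec}` and `/{usr/,}lib{,32,64}` paths, which suggests `@{bin}` also covers sbin and `@{lib}` covers lib, libexec, lib32 and lib64. If the widening is intended, a comment such as `# @{bin} includes sbin: unprofiled binaries there run unconfined via PUx` above the rule would record it; otherwise the literal `/{usr/,}bin/[a-z0-9]* rPUx,` should stay. The same widening applies to the directory rules `@{bin}/ r,` in the child-pager and cron-apt-xapian-index hunks. The profile body continues outside the hunk.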
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}lib{,exec}/dbus-1*/dbus-daemon-launch-helper
|
||||
@{exec_path} = @{lib}/dbus-1*/dbus-daemon-launch-helper
|
||||
profile dbus-daemon-launch-helper @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app-launcher-root>
|
||||
|
@ -18,11 +18,11 @@ profile dbus-daemon-launch-helper @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{libexec}/{,cups-pk-helper/}cups-pk-helper-mechanism rPx,
|
||||
@{libexec}/kauth/* rPx,
|
||||
@{libexec}/language-selector/ls-dbus-backend rPx,
|
||||
/{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism rPx,
|
||||
/{usr/,}lib/software-properties/software-properties-dbus rPx,
|
||||
@{lib}/{,cups-pk-helper/}cups-pk-helper-mechanism rPx,
|
||||
@{lib}/@{multiarch}/cups-pk-helper-mechanism rPx,
|
||||
@{lib}/kauth/* rPx,
|
||||
@{lib}/language-selector/ls-dbus-backend rPx,
|
||||
@{lib}/software-properties/software-properties-dbus rPx,
|
||||
|
||||
/usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
|
||||
/usr/share/usb-creator/usb-creator-helper rPx,
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/dbus-run-session
|
||||
@{exec_path} = @{bin}/dbus-run-session
|
||||
profile dbus-run-session @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf-write>
|
||||
|
@ -16,11 +16,11 @@ profile dbus-run-session @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/dbus-daemon rPx,
|
||||
/{usr/,}bin/gnome-session rix,
|
||||
/{usr/,}bin/gnome-shell rPx,
|
||||
/{usr/,}bin/gsettings rPx,
|
||||
@{libexec}/gnome-session-binary rPx,
|
||||
@{bin}/dbus-daemon rPx,
|
||||
@{bin}/gnome-session rix,
|
||||
@{bin}/gnome-shell rPx,
|
||||
@{bin}/gsettings rPx,
|
||||
@{lib}/gnome-session-binary rPx,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/ibus-daemon
|
||||
@{exec_path} = @{bin}/ibus-daemon
|
||||
profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
@ -45,9 +45,9 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mrix,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}lib/ibus/ibus-* rPx,
|
||||
@{libexec}/ibus-* rPx,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{lib}/ibus/ibus-* rPx,
|
||||
@{lib}/ibus-* rPx,
|
||||
|
||||
/usr/share/ibus/{,**} r,
|
||||
/usr/share/ibus-table/tables/ r,
|
||||
|
|
|
@ -6,8 +6,8 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}lib/ibus/ibus-dconf
|
||||
@{exec_path} += @{libexec}/ibus-dconf
|
||||
@{exec_path} = @{lib}/ibus/ibus-dconf
|
||||
@{exec_path} += @{lib}/ibus-dconf
|
||||
profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf-write>
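Review bot: The two `@{exec_path}` assignments now differ only by the `ibus/` directory, so they can be written as one line, `@{exec_path} = @{lib}/{,ibus/}ibus-dconf`, in the alternation style this commit already uses for `@{lib}/{,accountsservice/}accounts-daemon`. The same applies to the ibus-engine-simple, ibus-extension-gtk3, ibus-portal and ibus-x11 sections. This is a readability point only; the set of matched paths stays the same.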
|
||||
|
|
|
@ -6,8 +6,8 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}lib/ibus/ibus-engine-simple
|
||||
@{exec_path} += @{libexec}/ibus-engine-simple
|
||||
@{exec_path} = @{lib}/ibus/ibus-engine-simple
|
||||
@{exec_path} += @{lib}/ibus-engine-simple
|
||||
profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/ibus>
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/ibus-engine-table
|
||||
@{exec_path} = @{lib}/ibus-engine-table
|
||||
profile ibus-engine-table @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/python>
|
||||
|
|
|
@ -6,8 +6,8 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}lib/ibus/ibus-extension-gtk3
|
||||
@{exec_path} += @{libexec}/ibus-extension-gtk3
|
||||
@{exec_path} = @{lib}/ibus/ibus-extension-gtk3
|
||||
@{exec_path} += @{lib}/ibus-extension-gtk3
|
||||
profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/ibus-memconf
|
||||
@{exec_path} = @{lib}/ibus-memconf
|
||||
profile ibus-memconf @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/ibus>
|
||||
|
|
|
@ -6,8 +6,8 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}lib/ibus/ibus-portal
|
||||
@{exec_path} += @{libexec}/ibus-portal
|
||||
@{exec_path} = @{lib}/ibus/ibus-portal
|
||||
@{exec_path} += @{lib}/ibus-portal
|
||||
profile ibus-portal @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
@ -29,8 +29,8 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}lib/gio/modules/{,*} r,
|
||||
/{usr/,}lib/locale/locale-archive r,
|
||||
@{lib}/gio/modules/{,*} r,
|
||||
@{lib}/locale/locale-archive r,
|
||||
|
||||
/usr/share/locale/locale.alias r,
|
||||
|
||||
|
|
|
@ -6,8 +6,8 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}lib/ibus/ibus-x11
|
||||
@{exec_path} += @{libexec}/ibus-x11
|
||||
@{exec_path} = @{lib}/ibus/ibus-x11
|
||||
@{exec_path} += @{lib}/ibus-x11
|
||||
profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
|
|
@ -12,7 +12,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
# Do not attach to /{usr/,}bin/dpkg by default
|
||||
# Do not attach to @{bin}/dpkg by default
|
||||
profile child-dpkg {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
@ -21,14 +21,14 @@ profile child-dpkg {
|
|||
capability dac_read_search,
|
||||
capability setgid,
|
||||
|
||||
/{usr/,}bin/dpkg mr,
|
||||
@{bin}/dpkg mr,
|
||||
|
||||
# Do not strip env to avoid errors like the following:
|
||||
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
|
||||
# shared object file): ignored.
|
||||
/{usr/,}bin/dpkg-query rpx,
|
||||
/{usr/,}bin/dpkg-deb rPx,
|
||||
/{usr/,}bin/dpkg-split rPx,
|
||||
@{bin}/dpkg-query rpx,
|
||||
@{bin}/dpkg-deb rPx,
|
||||
@{bin}/dpkg-split rPx,
|
||||
|
||||
/etc/dpkg/dpkg.cfg.d/{,*} r,
|
||||
/etc/dpkg/dpkg.cfg r,
|
||||
|
|
|
@ -12,11 +12,11 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
# Do not attach to /{usr/,}bin/dpkg-divert by default
|
||||
# Do not attach to @{bin}/dpkg-divert by default
|
||||
profile child-dpkg-divert {
|
||||
include <abstractions/base>
|
||||
|
||||
/{usr/,}bin/dpkg-divert mr,
|
||||
@{bin}/dpkg-divert mr,
|
||||
|
||||
/var/lib/dpkg/arch r,
|
||||
/var/lib/dpkg/status r,
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
# intended to be used only via "Px -> child-open" exec transitions
|
||||
# from other profiles.
|
||||
|
||||
# Instead of allowing the run of all software in /{usr/,}bin/, the purpose of
|
||||
# Instead of allowing the run of all software in @{bin}/, the purpose of
|
||||
# this profile is to list all GUI program that can open resources.
|
||||
|
||||
# Ultimatelly, only sandbox manager program like bwrap, snap, flatpak, firejail
|
||||
|
@ -21,71 +21,71 @@ profile child-open {
|
|||
include <abstractions/base>
|
||||
include <abstractions/xdg-open>
|
||||
|
||||
/{usr/,}bin/exo-open mr,
|
||||
/{usr/,}bin/xdg-open mr,
|
||||
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mrix,
|
||||
/{usr/,}lib/gio-launch-desktop mrix,
|
||||
@{bin}/exo-open mr,
|
||||
@{bin}/xdg-open mr,
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mrix,
|
||||
@{lib}/gio-launch-desktop mrix,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/{,m,g}awk rix,
|
||||
/{usr/,}bin/basename rix,
|
||||
/{usr/,}bin/readlink rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/{,m,g}awk rix,
|
||||
@{bin}/basename rix,
|
||||
@{bin}/readlink rix,
|
||||
|
||||
# Sandbox managers
|
||||
/{usr/,}bin/bwrap rPUx,
|
||||
/{usr/,}bin/firejail rPUx,
|
||||
/{usr/,}bin/flatpak rPUx,
|
||||
/{usr/,}bin/snap rPUx,
|
||||
@{bin}/bwrap rPUx,
|
||||
@{bin}/firejail rPUx,
|
||||
@{bin}/flatpak rPUx,
|
||||
@{bin}/snap rPUx,
|
||||
|
||||
# Files explorer
|
||||
/{usr/,}bin/nautilus rPx,
|
||||
@{bin}/nautilus rPx,
|
||||
|
||||
# Firefox
|
||||
/{usr/,}bin/firefox{,.sh,-esr,-bin} rPx,
|
||||
/{usr/,}lib{,32,64}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx,
|
||||
@{bin}/firefox{,.sh,-esr,-bin} rPx,
|
||||
@{lib}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx,
|
||||
/opt/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx,
|
||||
# Brave
|
||||
/opt/brave{-bin,.com}/brave{,-beta,-dev,-bin}/brave{,-beta,-dev,-bin} rPx,
|
||||
# Chromium
|
||||
/{usr/,}lib/chromium/chromium rPx,
|
||||
@{lib}/chromium/chromium rPx,
|
||||
# Chrome
|
||||
/opt/google/chrome{,-beta,-stable,-unstable}/chrome{,-beta,-stable,-unstable} rPx,
|
||||
# Opera
|
||||
/{usr/,}lib/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer} rPx,
|
||||
@{lib}/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer} rPx,
|
||||
|
||||
# Text editors
|
||||
/{usr/,}bin/code rPx,
|
||||
/{usr/,}bin/gedit rPUx,
|
||||
@{bin}/code rPx,
|
||||
@{bin}/gedit rPUx,
|
||||
/usr/share/code/{bin/,}code rPx,
|
||||
|
||||
# Others
|
||||
/{usr/,}bin/*Foliate rPUx,
|
||||
/{usr/,}bin/discord{,-ptb} rPx,
|
||||
/{usr/,}bin/draw.io rPUx,
|
||||
/{usr/,}bin/dropbox rPx,
|
||||
/{usr/,}bin/engrampa rPx,
|
||||
/{usr/,}bin/eog rPUx,
|
||||
/{usr/,}bin/evince rPx,
|
||||
/{usr/,}bin/filezilla rPx,
|
||||
/{usr/,}bin/file-roller rPUx,
|
||||
/{usr/,}bin/flameshot rPx,
|
||||
/{usr/,}bin/geany rPx,
|
||||
/{usr/,}bin/gnome-calculator rPUx,
|
||||
/{usr/,}bin/gnome-disk-image-mounter rPx,
|
||||
/{usr/,}bin/gnome-disks rPx,
|
||||
/{usr/,}bin/kgx rPx,
|
||||
/{usr/,}bin/okular rPx,
|
||||
/{usr/,}bin/qbittorrent rPx,
|
||||
/{usr/,}bin/qpdfview rPx,
|
||||
/{usr/,}bin/smplayer rPx,
|
||||
/{usr/,}bin/spacefm rPx,
|
||||
/{usr/,}bin/teams rPUx,
|
||||
/{usr/,}bin/telegram-desktop rPx,
|
||||
/{usr/,}bin/thunderbird rPx,
|
||||
/{usr/,}bin/transmission-gtk rPx,
|
||||
/{usr/,}bin/viewnior rPUx,
|
||||
/{usr/,}bin/vlc rPx,
|
||||
/{usr/,}bin/xarchiver rPx,
|
||||
@{bin}/*Foliate rPUx,
|
||||
@{bin}/discord{,-ptb} rPx,
|
||||
@{bin}/draw.io rPUx,
|
||||
@{bin}/dropbox rPx,
|
||||
@{bin}/engrampa rPx,
|
||||
@{bin}/eog rPUx,
|
||||
@{bin}/evince rPx,
|
||||
@{bin}/file-roller rPUx,
|
||||
@{bin}/filezilla rPx,
|
||||
@{bin}/flameshot rPx,
|
||||
@{bin}/geany rPx,
|
||||
@{bin}/gnome-calculator rPUx,
|
||||
@{bin}/gnome-disk-image-mounter rPx,
|
||||
@{bin}/gnome-disks rPx,
|
||||
@{bin}/kgx rPx,
|
||||
@{bin}/okular rPx,
|
||||
@{bin}/qbittorrent rPx,
|
||||
@{bin}/qpdfview rPx,
|
||||
@{bin}/smplayer rPx,
|
||||
@{bin}/spacefm rPx,
|
||||
@{bin}/teams rPUx,
|
||||
@{bin}/telegram-desktop rPx,
|
||||
@{bin}/thunderbird rPx,
|
||||
@{bin}/transmission-gtk rPx,
|
||||
@{bin}/viewnior rPUx,
|
||||
@{bin}/vlc rPx,
|
||||
@{bin}/xarchiver rPx,
|
||||
|
||||
include if exists <usr/child-open.d>
|
||||
include if exists <local/child-open>
|
||||
|
|
|
@ -13,7 +13,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
# Do not attach to /{usr/,}bin/pager by default
|
||||
# Do not attach to @{bin}/pager by default
|
||||
profile child-pager {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
@ -23,10 +23,10 @@ profile child-pager {
|
|||
|
||||
signal (receive) set=(stop, cont, term, kill),
|
||||
|
||||
/{usr/,}bin/ r,
|
||||
/{usr/,}bin/pager mr,
|
||||
/{usr/,}bin/less mr,
|
||||
/{usr/,}bin/more mr,
|
||||
@{bin}/ r,
|
||||
@{bin}/pager mr,
|
||||
@{bin}/less mr,
|
||||
@{bin}/more mr,
|
||||
|
||||
@{system_share_dirs}/terminfo/{,**} r,
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
# Do not attach to /{usr/,}bin/systemctl by default
|
||||
# Do not attach to @{bin}/systemctl by default
|
||||
profile child-systemctl flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
@ -33,7 +33,7 @@ profile child-systemctl flags=(attach_disconnected) {
|
|||
interface=org.freedesktop.systemd[0-9].Manager
|
||||
member=GetUnitFileState,
|
||||
|
||||
/{usr/,}bin/systemctl mr,
|
||||
@{bin}/systemctl mr,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/systemd/user/{,**} rwl,
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}{s,}bin/cron
|
||||
@{exec_path} = @{bin}/cron
|
||||
profile cron @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app-launcher-root>
|
||||
|
@ -28,13 +28,13 @@ profile cron @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/nice rix,
|
||||
/{usr/,}bin/ionice rix,
|
||||
/{usr/,}bin/run-parts rPx,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/nice rix,
|
||||
@{bin}/ionice rix,
|
||||
@{bin}/run-parts rPx,
|
||||
|
||||
/{usr/,}lib/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx,
|
||||
/{usr/,}lib/sysstat/debian-sa1 rPUx,
|
||||
@{lib}/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx,
|
||||
@{lib}/sysstat/debian-sa1 rPUx,
|
||||
/usr/share/rsync/scripts/rrsync rPUx,
|
||||
|
||||
/etc/cron.d/{,*} r,
|
||||
|
|
|
@ -12,10 +12,10 @@ profile cron-anacron @{exec_path} {
|
|||
|
||||
@{exec_path} r,
|
||||
|
||||
/{usr/,}{s,}bin/anacron rPx,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/cat rix,
|
||||
/{usr/,}bin/date rix,
|
||||
@{bin}/anacron rPx,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/cat rix,
|
||||
@{bin}/date rix,
|
||||
|
||||
@{sys}/class/power_supply/ r,
|
||||
@{sys}/devices/**/power_supply/{,**} r,
|
||||
|
|
|
@ -12,9 +12,9 @@ profile cron-apport @{exec_path} {
|
|||
|
||||
@{exec_path} r,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/find rix,
|
||||
/{usr/,}bin/rm rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/find rix,
|
||||
@{bin}/rm rix,
|
||||
|
||||
/ r,
|
||||
/var/crash/ r,
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}sbin/cron-apt
|
||||
@{exec_path} = @{bin}/cron-apt
|
||||
profile cron-apt @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
@ -16,36 +16,36 @@ profile cron-apt @{exec_path} {
|
|||
|
||||
@{exec_path} r,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/dotlockfile rix,
|
||||
/{usr/,}bin/sed rix,
|
||||
/{usr/,}bin/mktemp rix,
|
||||
/{usr/,}bin/diff rix,
|
||||
/{usr/,}bin/mkdir rix,
|
||||
/{usr/,}bin/rmdir rix,
|
||||
/{usr/,}bin/rm rix,
|
||||
/{usr/,}bin/{,e}grep rix,
|
||||
/{usr/,}bin/md5sum rix,
|
||||
/{usr/,}bin/stat rix,
|
||||
/{usr/,}bin/date rix,
|
||||
/{usr/,}bin/cat rix,
|
||||
/{usr/,}bin/expr rix,
|
||||
/{usr/,}bin/cp rix,
|
||||
/{usr/,}bin/dd rix,
|
||||
/{usr/,}bin/cksum rix,
|
||||
/{usr/,}bin/{m,g,}awk rix,
|
||||
/{usr/,}bin/sleep rix,
|
||||
/{usr/,}bin/mv rix,
|
||||
/{usr/,}bin/logger rix,
|
||||
/{usr/,}bin/ls rix,
|
||||
/{usr/,}bin/touch rix,
|
||||
/{usr/,}bin/uname rix,
|
||||
/{usr/,}bin/fold rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/dotlockfile rix,
|
||||
@{bin}/sed rix,
|
||||
@{bin}/mktemp rix,
|
||||
@{bin}/diff rix,
|
||||
@{bin}/mkdir rix,
|
||||
@{bin}/rmdir rix,
|
||||
@{bin}/rm rix,
|
||||
@{bin}/{,e}grep rix,
|
||||
@{bin}/md5sum rix,
|
||||
@{bin}/stat rix,
|
||||
@{bin}/date rix,
|
||||
@{bin}/cat rix,
|
||||
@{bin}/expr rix,
|
||||
@{bin}/cp rix,
|
||||
@{bin}/dd rix,
|
||||
@{bin}/cksum rix,
|
||||
@{bin}/{m,g,}awk rix,
|
||||
@{bin}/sleep rix,
|
||||
@{bin}/mv rix,
|
||||
@{bin}/logger rix,
|
||||
@{bin}/ls rix,
|
||||
@{bin}/touch rix,
|
||||
@{bin}/uname rix,
|
||||
@{bin}/fold rix,
|
||||
|
||||
/{usr/,}bin/apt-get rPx,
|
||||
/{usr/,}bin/apt-file rPx,
|
||||
/{usr/,}bin/aptitude{,-curses} rPx,
|
||||
/{usr/,}sbin/exim4 rPx,
|
||||
@{bin}/apt-get rPx,
|
||||
@{bin}/apt-file rPx,
|
||||
@{bin}/aptitude{,-curses} rPx,
|
||||
@{bin}/exim4 rPx,
|
||||
|
||||
/usr/share/cron-apt/{,*} r,
|
||||
|
||||
|
@ -70,7 +70,7 @@ profile cron-apt @{exec_path} {
|
|||
/var/log/cron-apt/lastfullmessage rw,
|
||||
|
||||
# For the "ls" command
|
||||
/{usr/,}lib/locale/locale-archive r,
|
||||
@{lib}/locale/locale-archive r,
|
||||
|
||||
# TMP
|
||||
/tmp/ r,
|
||||
|
|
|
@ -11,18 +11,18 @@ profile cron-apt-compat @{exec_path} {
|
|||
include <abstractions/base>
|
||||
|
||||
@{exec_path} r,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
||||
/{usr/,}sbin/on_ac_power rPx,
|
||||
@{bin}/on_ac_power rPx,
|
||||
|
||||
/{usr/,}bin/apt-config rPx,
|
||||
/{usr/,}lib/apt/apt.systemd.daily rPx,
|
||||
@{bin}/apt-config rPx,
|
||||
@{lib}/apt/apt.systemd.daily rPx,
|
||||
|
||||
/{usr/,}bin/dd rix,
|
||||
/{usr/,}bin/cksum rix,
|
||||
/{usr/,}bin/cut rix,
|
||||
/{usr/,}bin/which{,.debianutils} rix,
|
||||
/{usr/,}bin/sleep rix,
|
||||
@{bin}/dd rix,
|
||||
@{bin}/cksum rix,
|
||||
@{bin}/cut rix,
|
||||
@{bin}/which{,.debianutils} rix,
|
||||
@{bin}/sleep rix,
|
||||
|
||||
include if exists <local/cron-apt-compat>
|
||||
}
|
||||
|
|
|
@ -11,9 +11,9 @@ profile cron-apt-listbugs @{exec_path} {
|
|||
include <abstractions/base>
|
||||
|
||||
@{exec_path} r,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
||||
/{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean rCx -> prefclean,
|
||||
@{lib}/ruby/vendor_ruby/aptlistbugs/prefclean rCx -> prefclean,
|
||||
|
||||
@{run}/systemd/system r,
|
||||
|
||||
|
@ -21,14 +21,14 @@ profile cron-apt-listbugs @{exec_path} {
|
|||
profile prefclean {
|
||||
include <abstractions/base>
|
||||
|
||||
/{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean mr,
|
||||
@{lib}/ruby/vendor_ruby/aptlistbugs/prefclean mr,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/mktemp rix,
|
||||
/{usr/,}bin/rm rix,
|
||||
/{usr/,}bin/cp rix,
|
||||
/{usr/,}bin/date rix,
|
||||
/{usr/,}bin/cat rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/mktemp rix,
|
||||
@{bin}/rm rix,
|
||||
@{bin}/cp rix,
|
||||
@{bin}/date rix,
|
||||
@{bin}/cat rix,
|
||||
|
||||
/var/spool/apt-listbugs/lastprefclean rw,
|
||||
|
||||
|
|
|
@ -11,9 +11,9 @@ profile cron-apt-show-versions @{exec_path} {
|
|||
include <abstractions/base>
|
||||
|
||||
@{exec_path} r,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
||||
/{usr/,}bin/apt-show-versions rPx,
|
||||
@{bin}/apt-show-versions rPx,
|
||||
|
||||
# For shell pwd
|
||||
/ r,
|
||||
|
|
|
@ -11,17 +11,17 @@ profile cron-apt-xapian-index @{exec_path} {
|
|||
include <abstractions/base>
|
||||
|
||||
@{exec_path} r,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
||||
/{usr/,}bin/which{,.debianutils} rix,
|
||||
/{usr/,}bin/{,e}grep rix,
|
||||
@{bin}/which{,.debianutils} rix,
|
||||
@{bin}/{,e}grep rix,
|
||||
|
||||
/{usr/,}bin/nice rix,
|
||||
/{usr/,}bin/ionice rix,
|
||||
@{bin}/nice rix,
|
||||
@{bin}/ionice rix,
|
||||
|
||||
/{usr/,}sbin/ r,
|
||||
/{usr/,}sbin/update-apt-xapian-index rPx,
|
||||
/{usr/,}sbin/on_ac_power rPx,
|
||||
@{bin}/ r,
|
||||
@{bin}/update-apt-xapian-index rPx,
|
||||
@{bin}/on_ac_power rPx,
|
||||
|
||||
# For shell pwd
|
||||
/ r,
|
||||
|
|
|
@ -11,20 +11,20 @@ profile cron-aptitude @{exec_path} {
|
|||
include <abstractions/base>
|
||||
|
||||
@{exec_path} r,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
||||
/{usr/,}bin/cp rix,
|
||||
/{usr/,}bin/date rix,
|
||||
/{usr/,}bin/basename rix,
|
||||
/{usr/,}bin/which{,.debianutils} rix,
|
||||
/{usr/,}bin/dirname rix,
|
||||
/{usr/,}bin/rm rix,
|
||||
/{usr/,}bin/mv rix,
|
||||
@{bin}/cp rix,
|
||||
@{bin}/date rix,
|
||||
@{bin}/basename rix,
|
||||
@{bin}/which{,.debianutils} rix,
|
||||
@{bin}/dirname rix,
|
||||
@{bin}/rm rix,
|
||||
@{bin}/mv rix,
|
||||
|
||||
/{usr/,}bin/savelog rix,
|
||||
/{usr/,}bin/cmp rix,
|
||||
@{bin}/savelog rix,
|
||||
@{bin}/cmp rix,
|
||||
|
||||
/{usr/,}bin/gzip rix,
|
||||
@{bin}/gzip rix,
|
||||
|
||||
/var/lib/aptitude/pkgstates r,
|
||||
|
||||
|
|
|
@ -13,9 +13,9 @@ profile cron-cracklib @{exec_path} {
|
|||
|
||||
@{exec_path} r,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/logger rix,
|
||||
/{usr/,}sbin/update-cracklib rPx,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/logger rix,
|
||||
@{bin}/update-cracklib rPx,
|
||||
|
||||
/etc/cracklib/cracklib.conf r,
|
||||
|
||||
|
|
|
@ -12,16 +12,16 @@ profile cron-debsums @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/true rix,
|
||||
/{usr/,}bin/logger rix,
|
||||
/{usr/,}bin/sed rix,
|
||||
/{usr/,}bin/{,e}grep rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/true rix,
|
||||
@{bin}/logger rix,
|
||||
@{bin}/sed rix,
|
||||
@{bin}/{,e}grep rix,
|
||||
|
||||
/{usr/,}bin/ionice rix,
|
||||
@{bin}/ionice rix,
|
||||
|
||||
/{usr/,}bin/debsums rPx,
|
||||
/{usr/,}bin/tee rCx -> tee,
|
||||
@{bin}/debsums rPx,
|
||||
@{bin}/tee rCx -> tee,
|
||||
|
||||
/etc/ r,
|
||||
/etc/default/debsums r,
|
||||
|
@ -38,7 +38,7 @@ profile cron-debsums @{exec_path} {
|
|||
# Needed to write to /proc/self/fd/3
|
||||
capability dac_override,
|
||||
|
||||
/{usr/,}bin/tee mr,
|
||||
@{bin}/tee mr,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/3 rw,
|
||||
|
||||
|
|
|
@ -11,7 +11,7 @@ profile cron-debtags @{exec_path} {
|
|||
include <abstractions/base>
|
||||
|
||||
@{exec_path} r,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
||||
/usr/bin/debtags rPx,
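Review bot: The rule `/usr/bin/debtags rPx,` directly below the converted shell rule is still a hard-coded path, so this profile ends up mixing both styles; `@{bin}/debtags rPx,` would match the rest of the commit. That form would also match every other directory `@{bin}` expands to, so it is worth confirming the wider match is wanted before changing it. The profile body continues outside the hunk.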
|
||||
|
||||
|
|
|
@ -11,9 +11,9 @@ profile cron-dlocate @{exec_path} {
|
|||
include <abstractions/base>
|
||||
|
||||
@{exec_path} mr,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
||||
/{usr/,}sbin/update-dlocatedb rPx,
|
||||
@{bin}/update-dlocatedb rPx,
|
||||
|
||||
include if exists <local/cron-dlocate>
|
||||
}
|
||||
|
|
|
@ -13,10 +13,10 @@ profile cron-etckeeper @{exec_path} {
|
|||
|
||||
@{exec_path} r,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/rm rix,
|
||||
/{usr/,}bin/find rix,
|
||||
/{usr/,}bin/etckeeper rPx,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/rm rix,
|
||||
@{bin}/find rix,
|
||||
@{bin}/etckeeper rPx,
|
||||
|
||||
/etc/etckeeper/daily rix,
|
||||
/etc/etckeeper/etckeeper.conf r,
|
||||
|
|
|
@ -24,22 +24,22 @@ profile cron-exim4-base @{exec_path} {
|
|||
network netlink raw,
|
||||
|
||||
@{exec_path} r,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
||||
/{usr/,}bin/sed rix,
|
||||
/{usr/,}bin/{,e}grep rix,
|
||||
/{usr/,}bin/logger rix,
|
||||
/{usr/,}bin/mail rix,
|
||||
/{usr/,}bin/hostname rix,
|
||||
/{usr/,}bin/xargs rix,
|
||||
/{usr/,}bin/find rix,
|
||||
/{usr/,}sbin/eximstats rix,
|
||||
@{bin}/sed rix,
|
||||
@{bin}/{,e}grep rix,
|
||||
@{bin}/logger rix,
|
||||
@{bin}/mail rix,
|
||||
@{bin}/hostname rix,
|
||||
@{bin}/xargs rix,
|
||||
@{bin}/find rix,
|
||||
@{bin}/eximstats rix,
|
||||
|
||||
/{usr/,}sbin/exim4 rPx,
|
||||
/{usr/,}sbin/exim_tidydb rix,
|
||||
@{bin}/exim4 rPx,
|
||||
@{bin}/exim_tidydb rix,
|
||||
|
||||
/{usr/,}sbin/start-stop-daemon rix,
|
||||
/{usr/,}sbin/runuser rix,
|
||||
@{bin}/start-stop-daemon rix,
|
||||
@{bin}/runuser rix,
|
||||
|
||||
/etc/default/exim4 r,
|
||||
|
||||
|
|
|
@ -12,9 +12,9 @@ profile cron-ipset-autoban-save @{exec_path} {
|
|||
include <abstractions/consoles>
|
||||
|
||||
@{exec_path} r,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
||||
/{usr/,}sbin/ipset rix,
|
||||
@{bin}/ipset rix,
|
||||
|
||||
/etc/peerblock/autoban rw,
|
||||
|
||||
|
|
|
@ -11,11 +11,11 @@ profile cron-logrotate @{exec_path} {
|
|||
include <abstractions/base>
|
||||
|
||||
@{exec_path} r,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
||||
/{usr/,}sbin/logrotate rPx,
|
||||
@{bin}/logrotate rPx,
|
||||
|
||||
/{usr/,}bin/logger rix,
|
||||
@{bin}/logger rix,
|
||||
|
||||
# For shell pwd
|
||||
/ r,
|
||||
|
|
|
@ -16,14 +16,14 @@ profile cron-man-db @{exec_path} {
|
|||
capability setuid,
|
||||
|
||||
@{exec_path} r,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
||||
/{usr/,}bin/{,e}grep rix,
|
||||
/{usr/,}sbin/start-stop-daemon rix,
|
||||
/{usr/,}bin/xargs rix,
|
||||
/{usr/,}bin/find rix,
|
||||
@{bin}/{,e}grep rix,
|
||||
@{bin}/start-stop-daemon rix,
|
||||
@{bin}/xargs rix,
|
||||
@{bin}/find rix,
|
||||
|
||||
/{usr/,}bin/mandb rPx,
|
||||
@{bin}/mandb rPx,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
|
|
|
@ -12,17 +12,17 @@ profile cron-mlocate @{exec_path} {
|
|||
include <abstractions/consoles>
|
||||
|
||||
@{exec_path} r,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
||||
/{usr/,}bin/which{,.debianutils} rix,
|
||||
/{usr/,}bin/true rix,
|
||||
/{usr/,}bin/flock rix,
|
||||
/{usr/,}bin/nocache rix,
|
||||
/{usr/,}bin/ionice rix,
|
||||
/{usr/,}bin/nice rix,
|
||||
@{bin}/which{,.debianutils} rix,
|
||||
@{bin}/true rix,
|
||||
@{bin}/flock rix,
|
||||
@{bin}/nocache rix,
|
||||
@{bin}/ionice rix,
|
||||
@{bin}/nice rix,
|
||||
|
||||
/{usr/,}bin/updatedb.mlocate rPx,
|
||||
/{usr/,}sbin/on_ac_power rPx,
|
||||
@{bin}/updatedb.mlocate rPx,
|
||||
@{bin}/on_ac_power rPx,
|
||||
|
||||
@{run}/mlocate.daily.lock rwk,
|
||||
|
||||
|
|
|
@ -12,17 +12,17 @@ profile cron-plocate @{exec_path} {
|
|||
include <abstractions/consoles>
|
||||
|
||||
@{exec_path} r,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
||||
/{usr/,}bin/which{,.debianutils} rix,
|
||||
/{usr/,}bin/true rix,
|
||||
/{usr/,}bin/flock rix,
|
||||
/{usr/,}bin/nocache rix,
|
||||
/{usr/,}bin/ionice rix,
|
||||
/{usr/,}bin/nice rix,
|
||||
@{bin}/which{,.debianutils} rix,
|
||||
@{bin}/true rix,
|
||||
@{bin}/flock rix,
|
||||
@{bin}/nocache rix,
|
||||
@{bin}/ionice rix,
|
||||
@{bin}/nice rix,
|
||||
|
||||
/{usr/,}sbin/updatedb.plocate rPx,
|
||||
/{usr/,}sbin/on_ac_power rPx,
|
||||
@{bin}/updatedb.plocate rPx,
|
||||
@{bin}/on_ac_power rPx,
|
||||
|
||||
@{run}/plocate.daily.lock rwk,
|
||||
|
||||
|
|
|
@ -11,28 +11,28 @@ profile cron-popularity-contest @{exec_path} {
|
|||
include <abstractions/base>
|
||||
|
||||
@{exec_path} r,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
||||
/{usr/,}sbin/popularity-contest rPx,
|
||||
@{bin}/popularity-contest rPx,
|
||||
|
||||
/{usr/,}bin/logger rix,
|
||||
/{usr/,}bin/date rix,
|
||||
/{usr/,}bin/mktemp rix,
|
||||
/{usr/,}bin/mkdir rix,
|
||||
/{usr/,}bin/rm rix,
|
||||
/{usr/,}bin/mv rix,
|
||||
/{usr/,}bin/cat rix,
|
||||
/{usr/,}bin/setsid rix,
|
||||
@{bin}/logger rix,
|
||||
@{bin}/date rix,
|
||||
@{bin}/mktemp rix,
|
||||
@{bin}/mkdir rix,
|
||||
@{bin}/rm rix,
|
||||
@{bin}/mv rix,
|
||||
@{bin}/cat rix,
|
||||
@{bin}/setsid rix,
|
||||
|
||||
# To send reports via TOR
|
||||
/{usr/,}bin/torify rix,
|
||||
/{usr/,}bin/torsocks rix,
|
||||
/{usr/,}sbin/getcap rix,
|
||||
@{bin}/torify rix,
|
||||
@{bin}/torsocks rix,
|
||||
@{bin}/getcap rix,
|
||||
|
||||
/usr/share/popularity-contest/popcon-upload rCx -> popcon-upload,
|
||||
/{usr/,}bin/gpg{,2} rCx -> gpg,
|
||||
/{usr/,}sbin/runuser rCx -> runuser,
|
||||
/{usr/,}bin/savelog rCx -> savelog,
|
||||
@{bin}/gpg{,2} rCx -> gpg,
|
||||
@{bin}/runuser rCx -> runuser,
|
||||
@{bin}/savelog rCx -> savelog,
|
||||
|
||||
/usr/share/popularity-contest/ r,
|
||||
/usr/share/popularity-contest/default.conf r,
|
||||
|
@ -62,18 +62,18 @@ profile cron-popularity-contest @{exec_path} {
|
|||
profile savelog {
|
||||
include <abstractions/base>
|
||||
|
||||
/{usr/,}bin/savelog mr,
|
||||
@{bin}/savelog mr,
|
||||
|
||||
/{usr/,}bin/date rix,
|
||||
/{usr/,}bin/basename rix,
|
||||
/{usr/,}bin/which{,.debianutils} rix,
|
||||
/{usr/,}bin/dirname rix,
|
||||
/{usr/,}bin/rm rix,
|
||||
/{usr/,}bin/mv rix,
|
||||
/{usr/,}bin/touch rix,
|
||||
/{usr/,}bin/gzip rix,
|
||||
@{bin}/date rix,
|
||||
@{bin}/basename rix,
|
||||
@{bin}/which{,.debianutils} rix,
|
||||
@{bin}/dirname rix,
|
||||
@{bin}/rm rix,
|
||||
@{bin}/mv rix,
|
||||
@{bin}/touch rix,
|
||||
@{bin}/gzip rix,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
||||
/var/log/ r,
|
||||
/var/log/popularity-contest.[0-9]*.gz rw,
|
||||
|
@ -91,11 +91,11 @@ profile cron-popularity-contest @{exec_path} {
|
|||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/authentication>
|
||||
|
||||
/{usr/,}sbin/runuser mr,
|
||||
@{bin}/runuser mr,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
||||
/{usr/,}sbin/popularity-contest rPx,
|
||||
@{bin}/popularity-contest rPx,
|
||||
|
||||
owner @{PROC}/@{pids}/loginuid r,
|
||||
@{PROC}/1/limits r,
|
||||
|
@ -113,7 +113,7 @@ profile cron-popularity-contest @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
/{usr/,}bin/gpg{,2} mr,
|
||||
@{bin}/gpg{,2} mr,
|
||||
|
||||
/usr/share/popularity-contest/debian-popcon.gpg r,
|
||||
|
||||
|
@ -141,9 +141,9 @@ profile cron-popularity-contest @{exec_path} {
|
|||
network netlink raw,
|
||||
|
||||
/usr/share/popularity-contest/popcon-upload r,
|
||||
/{usr/,}bin/perl r,
|
||||
@{bin}/perl r,
|
||||
|
||||
/{usr/,}bin/gzip rix,
|
||||
@{bin}/gzip rix,
|
||||
|
||||
/var/log/ r,
|
||||
/var/log/popularity-contest.new.gpg r,
|
||||
|
|
|
@ -13,8 +13,8 @@ profile cron-sysstat @{exec_path} {
|
|||
|
||||
@{exec_path} r,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}lib/sysstat/sa2 rPx,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{lib}/sysstat/sa2 rPx,
|
||||
|
||||
/etc/default/sysstat r,
|
||||
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/crontab
|
||||
@{exec_path} = @{bin}/crontab
|
||||
profile crontab @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
@ -17,11 +17,11 @@ profile crontab @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
||||
# When editing the crontab file
|
||||
/{usr/,}bin/sensible-editor rCx -> editor,
|
||||
/{usr/,}bin/vim.* rCx -> editor,
|
||||
@{bin}/sensible-editor rCx -> editor,
|
||||
@{bin}/vim.* rCx -> editor,
|
||||
|
||||
/etc/cron.{allow,deny} r,
|
||||
|
||||
|
@ -38,10 +38,10 @@ profile crontab @{exec_path} {
|
|||
|
||||
capability fsetid,
|
||||
|
||||
/{usr/,}bin/sensible-editor mr,
|
||||
/{usr/,}bin/vim.* mrix,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/which{,.debianutils} rix,
|
||||
@{bin}/sensible-editor mr,
|
||||
@{bin}/vim.* mrix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/which{,.debianutils} rix,
|
||||
|
||||
owner @{HOME}/.selected_editor r,
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/{,accountsservice/}accounts-daemon
|
||||
@{exec_path} = @{lib}/{,accountsservice/}accounts-daemon
|
||||
profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
|
@ -43,13 +43,13 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/cat rix,
|
||||
@{bin}/adduser rPx,
|
||||
@{bin}/cat rix,
|
||||
@{bin}/chage rPx,
|
||||
@{bin}/passwd rPx,
|
||||
@{bin}/userdel rPx,
|
||||
@{bin}/usermod rPx,
|
||||
|
||||
/{usr/,}{s,}bin/adduser rPx,
|
||||
/{usr/,}{s,}bin/usermod rPx,
|
||||
/{usr/,}{s,}bin/userdel rPx,
|
||||
/{usr/,}bin/passwd rPx,
|
||||
/{usr/,}bin/chage rPx,
|
||||
/usr/share/language-tools/language-validate rPx,
|
||||
/usr/share/language-tools/set-language-helper rPUx,
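Review bot: The rewritten exec rules in the second hunk are not a pure rename. `/{usr/,}bin/passwd`, `/{usr/,}bin/chage` and `/{usr/,}bin/cat` become `@{bin}/…`, while the same hunk maps `/{usr/,}{s,}bin/adduser` to `@{bin}/adduser`, so `@{bin}` presumably matches the sbin directories as well (its definition is not shown here). The three bin-only rules would then also permit the same names under sbin, which is probably harmless but is a policy change behind a "refactor" title. I would record it next to the rules, e.g. `# @{bin} also covers sbin; passwd, chage and cat were bin-only before`. The profile body continues outside both hunks.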
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/{,at-spi2{,-core}/}at-spi-bus-launcher
|
||||
@{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher
|
||||
profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session>
|
||||
|
@ -29,8 +29,8 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/dbus-daemon rPx,
|
||||
/{usr/,}bin/dbus-broker-launch rPUx,
|
||||
@{bin}/dbus-daemon rPx,
|
||||
@{bin}/dbus-broker-launch rPUx,
|
||||
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/{,at-spi2{,-core}/}at-spi2-registryd
|
||||
@{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi2-registryd
|
||||
profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/{,colord/}colord
|
||||
@{exec_path} = @{lib}/{,colord/}colord
|
||||
profile colord @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
|
@ -57,8 +57,8 @@ profile colord @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}lib/colord/colord-sane rPx,
|
||||
@{libexec}/colord-sane rPx,
|
||||
@{lib}/colord/colord-sane rPx,
|
||||
@{lib}/colord-sane rPx,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/udev/hwdb.bin r,
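Review bot: The two new `colord-sane` rules in the second hunk can be a single rule, and the colord-sane profile in this same commit already writes its attachment that way (`@{exec_path} = @{lib}/{,colord/}colord-sane`). Using `@{lib}/{,colord/}colord-sane rPx,` here keeps the transition rule and the target profile's attachment path visibly in step, so a later path change is less likely to update one and miss the other. The profile body continues outside the hunk.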
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/{,colord/}colord-sane
|
||||
@{exec_path} = @{lib}/{,colord/}colord-sane
|
||||
profile colord-sane @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/{,colord/}colord-session
|
||||
@{exec_path} = @{lib}/{,colord/}colord-session
|
||||
profile colord-session @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/cpupower
|
||||
@{exec_path} = @{bin}/cpupower
|
||||
profile cpupower @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
|
@ -19,9 +19,9 @@ profile cpupower @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/kmod rCx -> kmod,
|
||||
/{usr/,}bin/man rPx,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/kmod rCx -> kmod,
|
||||
@{bin}/man rPx,
|
||||
|
||||
@{sys}/devices/system/cpu/{cpufreq,cpuidle}/ r,
|
||||
@{sys}/devices/system/cpu/{cpufreq,cpuidle}/** r,
|
||||
|
@ -43,7 +43,7 @@ profile cpupower @{exec_path} {
|
|||
profile kmod {
|
||||
include <abstractions/base>
|
||||
|
||||
/{usr/,}bin/kmod mr,
|
||||
@{bin}/kmod mr,
|
||||
|
||||
@{PROC}/cmdline r,
|
||||
#@{PROC}/modules r,
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/dconf
|
||||
@{exec_path} = @{bin}/dconf
|
||||
profile dconf @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf-write>
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/dconf-editor
|
||||
@{exec_path} = @{bin}/dconf-editor
|
||||
profile dconf-editor @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf-write>
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/{,dconf/}dconf-service
|
||||
@{exec_path} = @{lib}/{,dconf/}dconf-service
|
||||
profile dconf-service @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/desktop-file-install
|
||||
@{exec_path} = @{bin}/desktop-file-install
|
||||
profile desktop-file-install @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/fc-list
|
||||
@{exec_path} = @{bin}/fc-list
|
||||
profile fc-list @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/fonts>
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/geoclue @{libexec}/geoclue-2.0/demos/agent
|
||||
@{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent
|
||||
profile geoclue @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/pipewire
|
||||
@{exec_path} = @{bin}/pipewire
|
||||
profile pipewire @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio>
|
||||
|
@ -44,8 +44,8 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/pactl rix,
|
||||
/{usr/,}bin/pipewire-media-session rPx,
|
||||
@{bin}/pactl rix,
|
||||
@{bin}/pipewire-media-session rPx,
|
||||
|
||||
/usr/share/pipewire/pipewire*.conf r,
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/pipewire-media-session
|
||||
@{exec_path} = @{bin}/pipewire-media-session
|
||||
profile pipewire-media-session @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio>
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/pipewire-pulse
|
||||
@{exec_path} = @{bin}/pipewire-pulse
|
||||
profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio>
|
||||
|
@ -19,7 +19,7 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/pactl rix,
|
||||
@{bin}/pactl rix,
|
||||
|
||||
/var/lib/dbus/machine-id r,
|
||||
/etc/machine-id r,
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/plymouth
|
||||
@{exec_path} = @{bin}/plymouth
|
||||
profile plymouth @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
|
|
@ -6,16 +6,16 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/plymouth-set-default-theme
|
||||
@{exec_path} = @{bin}/plymouth-set-default-theme
|
||||
profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{m,g,}awk rix,
|
||||
/{usr/,}bin/grep rix,
|
||||
/{usr/,}bin/plymouth rPx,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
@{bin}/{m,g,}awk rix,
|
||||
@{bin}/grep rix,
|
||||
@{bin}/plymouth rPx,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
||||
/etc/plymouth/{,*} r,
|
||||
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}{s,}bin/plymouthd
|
||||
@{exec_path} = @{bin}/plymouthd
|
||||
profile plymouthd @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
|
|
@ -7,8 +7,8 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9]
|
||||
@{exec_path} += @{libexec}/polkit-agent-helper-[0-9]
|
||||
@{exec_path} = @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9]
|
||||
@{exec_path} += @{lib}/polkit-agent-helper-[0-9]
|
||||
profile polkit-agent-helper @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/authentication>
|
||||
|
|
|
@ -7,8 +7,8 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}lib{,exec}/@{multiarch}/polkit-kde-authentication-agent-[0-9]
|
||||
@{exec_path} += /{usr/,}lib{,exec}/polkit-kde-authentication-agent-[0-9]
|
||||
@{exec_path} = @{lib}/@{multiarch}/polkit-kde-authentication-agent-[0-9]
|
||||
@{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9]
|
||||
profile polkit-kde-authentication-agent @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
@ -29,7 +29,7 @@ profile polkit-kde-authentication-agent @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
|
||||
@{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
|
||||
|
||||
/usr/share/hwdata/pnp.ids r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}lib/@{multiarch}/polkit-mate/polkit-mate-authentication-agent-[0-9]
|
||||
@{exec_path} = @{lib}/@{multiarch}/polkit-mate/polkit-mate-authentication-agent-[0-9]
|
||||
profile polkit-mate-authentication-agent @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf-write>
|
||||
|
@ -24,7 +24,7 @@ profile polkit-mate-authentication-agent @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
|
||||
@{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
|
||||
|
||||
/usr/share/X11/xkb/** r,
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/{,polkit-1/}polkitd
|
||||
@{exec_path} = @{lib}/{,polkit-1/}polkitd
|
||||
profile polkitd @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
|
|
|
@ -8,7 +8,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/pulseaudio
|
||||
@{exec_path} = @{bin}/pulseaudio
|
||||
profile pulseaudio @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio>
|
||||
|
@ -132,9 +132,9 @@ profile pulseaudio @{exec_path} {
|
|||
|
||||
@{exec_path} mrix,
|
||||
|
||||
@{libexec}/pulse/gsettings-helper mrix,
|
||||
/{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
|
||||
/{usr/,}lib/pulse-*/modules/*.so mr,
|
||||
@{lib}/pulse/gsettings-helper mrix,
|
||||
@{lib}/@{multiarch}/pulse/gconf-helper mrix,
|
||||
@{lib}/pulse-*/modules/*.so mr,
|
||||
|
||||
/usr/share/pulseaudio/{,**} r,
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/update-desktop-database
|
||||
@{exec_path} = @{bin}/update-desktop-database
|
||||
profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/update-mime-database
|
||||
@{exec_path} = @{bin}/update-mime-database
|
||||
profile update-mime-database @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/upower
|
||||
@{exec_path} = @{bin}/upower
|
||||
profile upower @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/{,upower/}upowerd
|
||||
@{exec_path} = @{lib}/{,upower/}upowerd
|
||||
profile upowerd @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/xdg-dbus-proxy
|
||||
@{exec_path} = @{bin}/xdg-dbus-proxy
|
||||
profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/xdg-desktop-icon
|
||||
@{exec_path} = @{bin}/xdg-desktop-icon
|
||||
profile xdg-desktop-icon @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/xdg-desktop-menu
|
||||
@{exec_path} = @{bin}/xdg-desktop-menu
|
||||
profile xdg-desktop-menu @{exec_path} flags=(complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
@ -14,22 +14,22 @@ profile xdg-desktop-menu @{exec_path} flags=(complain) {
|
|||
|
||||
@{exec_path} r,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/mkdir rix,
|
||||
/{usr/,}bin/sed rix,
|
||||
/{usr/,}bin/cut rix,
|
||||
/{usr/,}bin/basename rix,
|
||||
/{usr/,}bin/rm rix,
|
||||
/{usr/,}bin/cp rix,
|
||||
/{usr/,}bin/cat rix,
|
||||
/{usr/,}bin/touch rix,
|
||||
/{usr/,}bin/{m,g,}awk rix,
|
||||
/{usr/,}bin/whoami rix,
|
||||
/{usr/,}bin/mv rix,
|
||||
/{usr/,}bin/{,e}grep rix,
|
||||
/{usr/,}bin/readlink rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/mkdir rix,
|
||||
@{bin}/sed rix,
|
||||
@{bin}/cut rix,
|
||||
@{bin}/basename rix,
|
||||
@{bin}/rm rix,
|
||||
@{bin}/cp rix,
|
||||
@{bin}/cat rix,
|
||||
@{bin}/touch rix,
|
||||
@{bin}/{m,g,}awk rix,
|
||||
@{bin}/whoami rix,
|
||||
@{bin}/mv rix,
|
||||
@{bin}/{,e}grep rix,
|
||||
@{bin}/readlink rix,
|
||||
|
||||
/{usr/,}bin/update-desktop-database rPx,
|
||||
@{bin}/update-desktop-database rPx,
|
||||
|
||||
owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu rw,
|
||||
owner @{user_share_dirs}/applications/chrome-*.desktop rw,
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/xdg-desktop-portal
|
||||
@{exec_path} = @{lib}/xdg-desktop-portal
|
||||
profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-network-manager-strict>
|
||||
|
@ -107,14 +107,14 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/nautilus rPx,
|
||||
/{usr/,}bin/snap rPx,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/nautilus rPx,
|
||||
@{bin}/snap rPx,
|
||||
|
||||
/{usr/,}bin/kreadconfig5 rPx,
|
||||
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
/{usr/,}lib/gio-launch-desktop rPx -> child-open,
|
||||
/{usr/,}lib/xdg-desktop-portal-validate-icon rPUx,
|
||||
@{bin}/kreadconfig5 rPx,
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/xdg-desktop-portal-validate-icon rPUx,
|
||||
|
||||
/ r,
|
||||
/.flatpak-info r,
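Review bot: `@{lib}/xdg-desktop-portal-validate-icon rPUx,` in the second hunk keeps the unconfined fallback while the path it matches appears to grow. Elsewhere in this commit `@{lib}` replaces both `@{libexec}` and `/{usr/,}lib{,exec}/`, so it presumably covers the libexec directories too (the tunable is not shown). With `PUx` the helper runs unconfined whenever no profile for it is loaded. If a profile for the helper exists, `rPx` would make a missing profile fail closed; otherwise a comment such as `# PUx: unconfined when no xdg-desktop-portal-validate-icon profile is loaded` documents the gap. The same applies to `@{bin}/dbus-broker-launch rPUx,` in the at-spi-bus-launcher hunk.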
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/xdg-desktop-portal-gnome
|
||||
@{exec_path} = @{lib}/xdg-desktop-portal-gnome
|
||||
profile xdg-desktop-portal-gnome @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/xdg-desktop-portal-gtk
|
||||
@{exec_path} = @{lib}/xdg-desktop-portal-gtk
|
||||
profile xdg-desktop-portal-gtk @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/xdg-desktop-portal-kde
|
||||
@{exec_path} = @{lib}/xdg-desktop-portal-kde
|
||||
profile xdg-desktop-portal-kde @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/xdg-document-portal
|
||||
@{exec_path} = @{lib}/xdg-document-portal
|
||||
profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
@ -51,8 +51,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/flatpak rCx -> flatpak,
|
||||
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
|
||||
@{bin}/flatpak rCx -> flatpak,
|
||||
@{bin}/fusermount{,3} rCx -> fusermount,
|
||||
|
||||
/ r,
|
||||
|
||||
|
@ -73,7 +73,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
|
|||
profile flatpak {
|
||||
include <abstractions/base>
|
||||
|
||||
/{usr/,}bin/flatpak mr,
|
||||
@{bin}/flatpak mr,
|
||||
|
||||
/ r,
|
||||
/etc/flatpak/remotes.d/{,*} r,
|
||||
|
@ -103,7 +103,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
|
|||
# network inet stream,
|
||||
# network inet6 stream,
|
||||
|
||||
/{usr/,}bin/fusermount{,3} mr,
|
||||
@{bin}/fusermount{,3} mr,
|
||||
|
||||
/etc/fuse{,3}.conf r,
|
||||
|
||||
|
|
|
@ -7,20 +7,20 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/xdg-email
|
||||
@{exec_path} = @{bin}/xdg-email
|
||||
profile xdg-email @{exec_path} flags=(complain) {
|
||||
include <abstractions/base>
|
||||
|
||||
@{exec_path} r,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/{,e}grep rix,
|
||||
/{usr/,}bin/basename rix,
|
||||
/{usr/,}bin/gio rPx,
|
||||
/{usr/,}bin/readlink rix,
|
||||
/{usr/,}bin/sed rix,
|
||||
/{usr/,}bin/which rix,
|
||||
/{usr/,}bin/xdg-mime rPx,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/{,e}grep rix,
|
||||
@{bin}/basename rix,
|
||||
@{bin}/gio rPx,
|
||||
@{bin}/readlink rix,
|
||||
@{bin}/sed rix,
|
||||
@{bin}/which rix,
|
||||
@{bin}/xdg-mime rPx,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/xdg-icon-resource
|
||||
@{exec_path} = @{bin}/xdg-icon-resource
|
||||
profile xdg-icon-resource @{exec_path} flags=(complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
@ -14,18 +14,18 @@ profile xdg-icon-resource @{exec_path} flags=(complain) {
|
|||
|
||||
@{exec_path} r,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/{,e}grep rix,
|
||||
/{usr/,}bin/whoami rix,
|
||||
/{usr/,}bin/sed rix,
|
||||
/{usr/,}bin/basename rix,
|
||||
/{usr/,}bin/mkdir rix,
|
||||
/{usr/,}bin/cp rix,
|
||||
/{usr/,}bin/rm rix,
|
||||
/{usr/,}bin/readlink rix,
|
||||
/{usr/,}bin/touch rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/{,e}grep rix,
|
||||
@{bin}/whoami rix,
|
||||
@{bin}/sed rix,
|
||||
@{bin}/basename rix,
|
||||
@{bin}/mkdir rix,
|
||||
@{bin}/cp rix,
|
||||
@{bin}/rm rix,
|
||||
@{bin}/readlink rix,
|
||||
@{bin}/touch rix,
|
||||
|
||||
/{usr/,}bin/gtk{,4}-update-icon-cache rPx,
|
||||
@{bin}/gtk{,4}-update-icon-cache rPx,
|
||||
|
||||
/usr/share/**/icons/**.png r,
|
||||
/usr/share/icons/**.png rw,
|
||||
|
|
|
@ -7,30 +7,30 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/xdg-mime
|
||||
@{exec_path} = @{bin}/xdg-mime
|
||||
profile xdg-mime @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/freedesktop.org>
|
||||
|
||||
@{exec_path} r,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/{,e}grep rix,
|
||||
/{usr/,}bin/{m,g,}awk rix,
|
||||
/{usr/,}bin/basename rix,
|
||||
/{usr/,}bin/cut rix,
|
||||
/{usr/,}bin/file rix,
|
||||
/{usr/,}bin/head rix,
|
||||
/{usr/,}bin/mv rix,
|
||||
/{usr/,}bin/readlink rix,
|
||||
/{usr/,}bin/sed rix,
|
||||
/{usr/,}bin/tr rix,
|
||||
/{usr/,}bin/uname rix,
|
||||
/{usr/,}bin/which{,.debianutils} rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/{,e}grep rix,
|
||||
@{bin}/{m,g,}awk rix,
|
||||
@{bin}/basename rix,
|
||||
@{bin}/cut rix,
|
||||
@{bin}/file rix,
|
||||
@{bin}/head rix,
|
||||
@{bin}/mv rix,
|
||||
@{bin}/readlink rix,
|
||||
@{bin}/sed rix,
|
||||
@{bin}/tr rix,
|
||||
@{bin}/uname rix,
|
||||
@{bin}/which{,.debianutils} rix,
|
||||
|
||||
/{usr/,}bin/gio rPx,
|
||||
/{usr/,}bin/mimetype rPx,
|
||||
/{usr/,}bin/xprop rPx,
|
||||
@{bin}/gio rPx,
|
||||
@{bin}/mimetype rPx,
|
||||
@{bin}/xprop rPx,
|
||||
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
|
||||
|
@ -51,10 +51,10 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
|
|||
# /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
|
||||
#
|
||||
# Should this be allowed? Xdg-mime works fine without this.
|
||||
#/{usr/,}bin/dbus-launch rCx -> dbus,
|
||||
#/{usr/,}bin/dbus-send rCx -> dbus,
|
||||
deny /{usr/,}bin/dbus-launch rx,
|
||||
deny /{usr/,}bin/dbus-send rx,
|
||||
#@{bin}/dbus-launch rCx -> dbus,
|
||||
#@{bin}/dbus-send rCx -> dbus,
|
||||
deny @{bin}/dbus-launch rx,
|
||||
deny @{bin}/dbus-send rx,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
|
@ -62,9 +62,9 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
/{usr/,}bin/dbus-launch mr,
|
||||
/{usr/,}bin/dbus-send mr,
|
||||
/{usr/,}bin/dbus-daemon rPx,
|
||||
@{bin}/dbus-launch mr,
|
||||
@{bin}/dbus-send mr,
|
||||
@{bin}/dbus-daemon rPx,
|
||||
|
||||
@{HOME}/.Xauthority r,
|
||||
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
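Review bot: The third hunk still maintains `@{bin}/dbus-launch mr,`, `@{bin}/dbus-send mr,` and `@{bin}/dbus-daemon rPx,`, which look like the body of a `dbus` child profile (its header is outside the hunk). The second hunk, however, leaves both `rCx -> dbus` transitions commented out and denies the executables. If that reading is right, the child profile is unreachable and could be removed or commented out together with the transitions rather than kept in sync by hand. Separately, plain `deny` rules are not logged; `audit deny @{bin}/dbus-launch rx,` (and the same for dbus-send) would keep attempts visible while the question in the comment above them stays open.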
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/xdg-open
|
||||
@{exec_path} = @{bin}/xdg-open
|
||||
profile xdg-open @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app-launcher-user>
|
||||
|
@ -15,23 +15,23 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} r,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/{,e}grep rix,
|
||||
/{usr/,}bin/sed rix,
|
||||
/{usr/,}bin/cut rix,
|
||||
/{usr/,}bin/which{,.debianutils} rix,
|
||||
/{usr/,}bin/cat rix,
|
||||
/{usr/,}bin/uname rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/{,e}grep rix,
|
||||
@{bin}/sed rix,
|
||||
@{bin}/cut rix,
|
||||
@{bin}/which{,.debianutils} rix,
|
||||
@{bin}/cat rix,
|
||||
@{bin}/uname rix,
|
||||
|
||||
/{usr/,}bin/xprop rPx,
|
||||
/{usr/,}bin/xdg-mime rPx,
|
||||
@{bin}/xprop rPx,
|
||||
@{bin}/xdg-mime rPx,
|
||||
|
||||
/{usr/,}bin/exo-open rPx,
|
||||
/{usr/,}bin/gio rPx,
|
||||
#/{usr/,}bin/kde-open5 rPUx,
|
||||
@{bin}/exo-open rPx,
|
||||
@{bin}/gio rPx,
|
||||
#@{bin}/kde-open5 rPUx,
|
||||
|
||||
/{usr/,}bin/dbus-launch rCx -> dbus,
|
||||
/{usr/,}bin/dbus-send rCx -> dbus,
|
||||
@{bin}/dbus-launch rCx -> dbus,
|
||||
@{bin}/dbus-send rCx -> dbus,
|
||||
|
||||
/** r,
|
||||
owner /** rw,
|
||||
|
@ -46,9 +46,9 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
/{usr/,}bin/dbus-launch mr,
|
||||
/{usr/,}bin/dbus-send mr,
|
||||
/{usr/,}bin/dbus-daemon rPx,
|
||||
@{bin}/dbus-launch mr,
|
||||
@{bin}/dbus-send mr,
|
||||
@{bin}/dbus-daemon rPx,
|
||||
|
||||
# for dbus-launch
|
||||
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/xdg-permission-store
|
||||
@{exec_path} = @{lib}/xdg-permission-store
|
||||
profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
|
|
@ -6,30 +6,30 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/xdg-screensaver
|
||||
@{exec_path} = @{bin}/xdg-screensaver
|
||||
profile xdg-screensaver @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
@{exec_path} r,
|
||||
|
||||
/{usr/,}bin/ r,
|
||||
@{bin}/ r,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/mv rix,
|
||||
/{usr/,}bin/{,e}grep rix,
|
||||
/{usr/,}bin/sed rix,
|
||||
/{usr/,}bin/which{,.debianutils} rix,
|
||||
/{usr/,}bin/cat rix,
|
||||
/{usr/,}bin/uname rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/mv rix,
|
||||
@{bin}/{,e}grep rix,
|
||||
@{bin}/sed rix,
|
||||
@{bin}/which{,.debianutils} rix,
|
||||
@{bin}/cat rix,
|
||||
@{bin}/uname rix,
|
||||
|
||||
/{usr/,}bin/xautolock rix,
|
||||
/{usr/,}bin/dbus-send rix,
|
||||
@{bin}/xautolock rix,
|
||||
@{bin}/dbus-send rix,
|
||||
|
||||
/{usr/,}bin/xprop rPx,
|
||||
/{usr/,}bin/xdg-mime rPx,
|
||||
/{usr/,}bin/xset rPx,
|
||||
/{usr/,}bin/hostname rix,
|
||||
@{bin}/xprop rPx,
|
||||
@{bin}/xdg-mime rPx,
|
||||
@{bin}/xset rPx,
|
||||
@{bin}/hostname rix,
|
||||
|
||||
/dev/dri/card[0-9] rw,
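Review bot: `@{bin}/dbus-send rix,` lets dbus-send inherit the whole xdg-screensaver profile, including `/dev/dri/card[0-9] rw,` at the end of this hunk. The xdg-open and xdg-settings sections of this commit instead run it through `rCx -> dbus`, and xdg-mime denies it. If the difference is intentional, a one-line comment on the rule stating the reason would help the next reviewer. Otherwise `@{bin}/dbus-send rCx -> dbus,` with a matching child profile would bring this wrapper in line with the others. The profile body appears to continue past the hunk.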
|
||||
|
||||
|
|
|
@ -7,31 +7,31 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/xdg-settings
|
||||
@{exec_path} = @{bin}/xdg-settings
|
||||
profile xdg-settings @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
@{exec_path} r,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/{,e}grep rix,
|
||||
/{usr/,}bin/basename rix,
|
||||
/{usr/,}bin/cat rix,
|
||||
/{usr/,}bin/cut rix,
|
||||
/{usr/,}bin/mktemp rix,
|
||||
/{usr/,}bin/mv rix,
|
||||
/{usr/,}bin/readlink rix,
|
||||
/{usr/,}bin/sed rix,
|
||||
/{usr/,}bin/sort rix,
|
||||
/{usr/,}bin/uname rix,
|
||||
/{usr/,}bin/wc rix,
|
||||
/{usr/,}bin/which{,.debianutils} rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/{,e}grep rix,
|
||||
@{bin}/basename rix,
|
||||
@{bin}/cat rix,
|
||||
@{bin}/cut rix,
|
||||
@{bin}/mktemp rix,
|
||||
@{bin}/mv rix,
|
||||
@{bin}/readlink rix,
|
||||
@{bin}/sed rix,
|
||||
@{bin}/sort rix,
|
||||
@{bin}/uname rix,
|
||||
@{bin}/wc rix,
|
||||
@{bin}/which{,.debianutils} rix,
|
||||
|
||||
/{usr/,}bin/dbus-launch rCx -> dbus,
|
||||
/{usr/,}bin/dbus-send rCx -> dbus,
|
||||
/{usr/,}bin/xdg-mime rPx,
|
||||
/{usr/,}bin/xprop rPx,
|
||||
@{bin}/dbus-launch rCx -> dbus,
|
||||
@{bin}/dbus-send rCx -> dbus,
|
||||
@{bin}/xdg-mime rPx,
|
||||
@{bin}/xprop rPx,
|
||||
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
|
||||
|
@ -61,9 +61,9 @@ profile xdg-settings @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
/{usr/,}bin/dbus-launch mr,
|
||||
/{usr/,}bin/dbus-send mr,
|
||||
/{usr/,}bin/dbus-daemon rPx,
|
||||
@{bin}/dbus-launch mr,
|
||||
@{bin}/dbus-send mr,
|
||||
@{bin}/dbus-daemon rPx,
|
||||
|
||||
# for dbus-launch
|
||||
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
|
||||
|
|
|
@ -6,14 +6,14 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/xdg-user-dir
|
||||
@{exec_path} = @{bin}/xdg-user-dir
|
||||
profile xdg-user-dir @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/env rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/env rix,
|
||||
|
||||
owner @{user_config_dirs}/user-dirs.dirs r,
|
||||
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/xdg-user-dirs-gtk-update
|
||||
@{exec_path} = @{bin}/xdg-user-dirs-gtk-update
|
||||
profile xdg-user-dirs-gtk-update @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/gtk>
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/xdg-user-dirs-update
|
||||
@{exec_path} = @{bin}/xdg-user-dirs-update
|
||||
profile xdg-user-dirs-update @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/xhost
|
||||
@{exec_path} = @{bin}/xhost
|
||||
profile xhost @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/xkbcomp
|
||||
@{exec_path} = @{bin}/xkbcomp
|
||||
profile xkbcomp @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
|
||||
|
|
|
@ -7,10 +7,10 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/X
|
||||
@{exec_path} += /{usr/,}bin/Xorg{,.bin}
|
||||
@{exec_path} += /{usr/,}lib/Xorg{,.wrap}
|
||||
@{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap}
|
||||
@{exec_path} = @{bin}/X
|
||||
@{exec_path} += @{bin}/Xorg{,.bin}
|
||||
@{exec_path} += @{lib}/Xorg{,.wrap}
|
||||
@{exec_path} += @{lib}/xorg/Xorg{,.wrap}
|
||||
profile xorg @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
|
@ -58,13 +58,13 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mrix,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/xkbcomp rPx,
|
||||
/{usr/,}bin/pkexec rPx,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/xkbcomp rPx,
|
||||
@{bin}/pkexec rPx,
|
||||
|
||||
/{usr/,}lib/xorg/ r,
|
||||
/{usr/,}lib/xorg/modules/ r,
|
||||
/{usr/,}lib/xorg/modules/** mr,
|
||||
@{lib}/xorg/ r,
|
||||
@{lib}/xorg/modules/ r,
|
||||
@{lib}/xorg/modules/** mr,
|
||||
|
||||
/var/lib/xkb/server-[0-9]*.xkm rw,
|
||||
/var/lib/xkb/compiled/server-[0-9]*.xkm rw,
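Review bot: The `@{exec_path} += @{lib}/Xorg{,.wrap}` lines and the `@{lib}/xorg/modules/** mr,` rule now depend on how `@{lib}` is defined in the tunables, which this diff does not show. If it expands to more than `/{usr/,}lib`, the profile attaches to additional binaries and permits mmap-exec of modules from additional directories, which is a policy change rather than a rename. Since this profile also carries `@{bin}/pkexec rPx,`, I would make that visible with a comment above the module rules, e.g. `# module path follows @{lib} (tunables), not only /{usr/,}lib`. The same question applies to the `@{lib}/gnupg/scdaemon rPx,` rules in the gpg, gpg-agent and gpgconf sections. Both hunks show only part of the xorg profile, so rules outside them may already constrain this.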
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/xprop
|
||||
@{exec_path} = @{bin}/xprop
|
||||
profile xprop @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/xrandr
|
||||
@{exec_path} = @{bin}/xrandr
|
||||
profile xrandr @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
|
|
|
@ -7,18 +7,18 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/xrdb
|
||||
@{exec_path} = @{bin}/xrdb
|
||||
profile xrdb @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{,*-}cpp-[0-9]* rix,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/cpp rix,
|
||||
/{usr/,}lib{,32,64}/gcc/*/[0-9]*/cc1 rix,
|
||||
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
|
||||
@{bin}/{,*-}cpp-[0-9]* rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/cpp rix,
|
||||
@{lib}/gcc/*/[0-9]*/cc1 rix,
|
||||
@{lib}/llvm-[0-9]*/bin/clang rix,
|
||||
|
||||
/usr/include/stdc-predef.h r,
|
||||
/usr/etc/X11/xdm/Xresources r,
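Review bot: The old rule `/{usr/,}lib{,32,64}/gcc/*/[0-9]*/cc1 rix,` listed the `lib32`/`lib64` variants explicitly, and the replacement `@{lib}/gcc/*/[0-9]*/cc1 rix,` keeps them only if `@{lib}` includes those suffixes, which cannot be confirmed from this diff. If it does not, xrdb's preprocessor exec would be denied on systems that install gcc under `lib64`. If it does, the neighbouring `@{lib}/llvm-[0-9]*/bin/clang rix,` rule gains variants it did not have before. These are `ix` transitions that run a compiler front end inside xrdb's own profile, so I would record the intended coverage next to the rule, e.g. `# cc1 may live under lib, lib32 or lib64 depending on the distribution`.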
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/xset
|
||||
@{exec_path} = @{bin}/xset
|
||||
profile xset @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/xsetroot
|
||||
@{exec_path} = @{bin}/xsetroot
|
||||
profile xsetroot @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/Xwayland
|
||||
@{exec_path} = @{bin}/Xwayland
|
||||
profile xwayland @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
|
@ -25,8 +25,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mrix,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/xkbcomp rPx,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/xkbcomp rPx,
|
||||
|
||||
/usr/share/egl/{,**} r,
|
||||
/usr/share/fonts/{,**} r,
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/dirmngr
|
||||
@{exec_path} = @{bin}/dirmngr
|
||||
profile dirmngr @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/gpg
|
||||
@{exec_path} = @{bin}/gpg
|
||||
profile gpg @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
@ -21,12 +21,12 @@ profile gpg @{exec_path} {
|
|||
|
||||
@{exec_path} mrix,
|
||||
|
||||
/{usr/,}bin/dirmngr rPx,
|
||||
/{usr/,}bin/gpg-agent rPx,
|
||||
/{usr/,}bin/gpg-connect-agent rPx,
|
||||
/{usr/,}bin/gpgconf rPx,
|
||||
/{usr/,}bin/gpgsm rPx,
|
||||
/{usr/,}lib/gnupg/scdaemon rPx,
|
||||
@{bin}/dirmngr rPx,
|
||||
@{bin}/gpg-agent rPx,
|
||||
@{bin}/gpg-connect-agent rPx,
|
||||
@{bin}/gpgconf rPx,
|
||||
@{bin}/gpgsm rPx,
|
||||
@{lib}/gnupg/scdaemon rPx,
|
||||
|
||||
/etc/inputrc r,
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/gpg-agent
|
||||
@{exec_path} = @{bin}/gpg-agent
|
||||
profile gpg-agent @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
@ -17,9 +17,9 @@ profile gpg-agent @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/pinentry{,-*} rPx,
|
||||
/{usr/,}bin/scdaemon rPx,
|
||||
/{usr/,}lib/gnupg/scdaemon rPx,
|
||||
@{bin}/pinentry{,-*} rPx,
|
||||
@{bin}/scdaemon rPx,
|
||||
@{lib}/gnupg/scdaemon rPx,
|
||||
|
||||
/usr/share/gnupg/* r,
|
||||
|
||||
|
@ -84,7 +84,7 @@ profile gpg-agent @{exec_path} {
|
|||
@{PROC}/@{pid}/fd/ r,
|
||||
|
||||
# Silencer
|
||||
deny /{usr/,}bin/.gnupg/ w,
|
||||
deny @{bin}/.gnupg/ w,
|
||||
|
||||
# file inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
|
|
@ -6,14 +6,14 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/gpg-connect-agent
|
||||
@{exec_path} = @{bin}/gpg-connect-agent
|
||||
profile gpg-connect-agent @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/gpg-agent rPx,
|
||||
@{bin}/gpg-agent rPx,
|
||||
|
||||
/etc/inputrc r,
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/gpgconf
|
||||
@{exec_path} = @{bin}/gpgconf
|
||||
profile gpgconf @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
@ -17,14 +17,14 @@ profile gpgconf @{exec_path} {
|
|||
|
||||
@{exec_path} mrix,
|
||||
|
||||
/{usr/,}bin/gpg-connect-agent rPx,
|
||||
/{usr/,}bin/gpg{,2} rPx,
|
||||
/{usr/,}bin/gpg-agent rPx,
|
||||
/{usr/,}bin/dirmngr rPx,
|
||||
/{usr/,}bin/gpgsm rPx,
|
||||
/{usr/,}lib/gnupg/scdaemon rPx,
|
||||
@{bin}/gpg-connect-agent rPx,
|
||||
@{bin}/gpg{,2} rPx,
|
||||
@{bin}/gpg-agent rPx,
|
||||
@{bin}/dirmngr rPx,
|
||||
@{bin}/gpgsm rPx,
|
||||
@{lib}/gnupg/scdaemon rPx,
|
||||
|
||||
/{usr/,}bin/pinentry-* rPx,
|
||||
@{bin}/pinentry-* rPx,
|
||||
|
||||
/etc/gcrypt/hwf.deny r,
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/gpgsm
|
||||
@{exec_path} = @{bin}/gpgsm
|
||||
profile gpgsm @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show more