mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 08:58:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

refactor(profiles): use @{bin} and @{lib} in profiles (2)

Browse source
This commit is contained in:
Alexandre Pujol 2023-07-09 13:30:27 +01:00
parent bb71f49598
commit 2eed3b725f
Failed to generate hash of commit
101 changed files with 538 additions and 538 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
apparmor.d/groups/bus/dbus-daemon
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dbus-daemon
@{exec_path} = @{bin}/dbus-daemon
profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
@ -38,21 +38,21 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/ r,
@{bin}/ r,
@{libexec}/{,at-spi2{,-core}/}at-spi2-registryd rPx,
@{libexec}/* rPUx,
@{libexec}/gnome-shell/gnome-shell-calendar-server rPx,
@{libexec}/kauth/* rPx,
@{libexec}/kf5/kiod5 rPUx,
@{libexec}/xfce[0-9]/xfconf/xfconfd rPx,
/{usr/,}bin/[a-z0-9]* rPUx,
/{usr/,}lib{,exec}/dbus-1*/dbus-daemon-launch-helper rPx,
/{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx,
/{usr/,}lib/@{multiarch}/xfce[0-9]/xfconf/xfconfd rPx,
/{usr/,}lib/atril/atrild rPx,
/{usr/,}lib/ibus/ibus-* rPx,
/{usr/,}lib/telepathy/mission-control-5 rPx,
@{bin}/[a-z0-9]* rPUx,
@{lib}/{,at-spi2{,-core}/}at-spi2-registryd rPx,
@{lib}/@{multiarch}/tumbler-1/tumblerd rPUx,
@{lib}/@{multiarch}/xfce[0-9]/xfconf/xfconfd rPx,
@{lib}/* rPUx,
@{lib}/atril/atrild rPx,
@{lib}/dbus-1*/dbus-daemon-launch-helper rPx,
@{lib}/gnome-shell/gnome-shell-calendar-server rPx,
@{lib}/ibus/ibus-* rPx,
@{lib}/kauth/* rPx,
@{lib}/kf5/kiod5 rPUx,
@{lib}/telepathy/mission-control-5 rPx,
@{lib}/xfce[0-9]/xfconf/xfconfd rPx,
/usr/share/gnome-documents/org.gnome.Documents rPx,
/usr/share/org.gnome.Characters/org.gnome.Characters rPx,
/usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,

12
apparmor.d/groups/bus/dbus-daemon-launch-helper
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib{,exec}/dbus-1*/dbus-daemon-launch-helper
@{exec_path} = @{lib}/dbus-1*/dbus-daemon-launch-helper
profile dbus-daemon-launch-helper @{exec_path} {
include <abstractions/base>
include <abstractions/app-launcher-root>
@ -18,11 +18,11 @@ profile dbus-daemon-launch-helper @{exec_path} {
@{exec_path} mr,
@{libexec}/{,cups-pk-helper/}cups-pk-helper-mechanism rPx,
@{libexec}/kauth/* rPx,
@{libexec}/language-selector/ls-dbus-backend rPx,
/{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism rPx,
/{usr/,}lib/software-properties/software-properties-dbus rPx,
@{lib}/{,cups-pk-helper/}cups-pk-helper-mechanism rPx,
@{lib}/@{multiarch}/cups-pk-helper-mechanism rPx,
@{lib}/kauth/* rPx,
@{lib}/language-selector/ls-dbus-backend rPx,
@{lib}/software-properties/software-properties-dbus rPx,
/usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
/usr/share/usb-creator/usb-creator-helper rPx,

12
apparmor.d/groups/bus/dbus-run-session
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dbus-run-session
@{exec_path} = @{bin}/dbus-run-session
profile dbus-run-session @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
@ -16,11 +16,11 @@ profile dbus-run-session @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dbus-daemon rPx,
/{usr/,}bin/gnome-session rix,
/{usr/,}bin/gnome-shell rPx,
/{usr/,}bin/gsettings rPx,
@{libexec}/gnome-session-binary rPx,
@{bin}/dbus-daemon rPx,
@{bin}/gnome-session rix,
@{bin}/gnome-shell rPx,
@{bin}/gsettings rPx,
@{lib}/gnome-session-binary rPx,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/gdm/greeter-dconf-defaults r,

8
apparmor.d/groups/bus/ibus-daemon
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ibus-daemon
@{exec_path} = @{bin}/ibus-daemon
profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
@ -45,9 +45,9 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}lib/ibus/ibus-* rPx,
@{libexec}/ibus-* rPx,
@{bin}/{,ba,da}sh rix,
@{lib}/ibus/ibus-* rPx,
@{lib}/ibus-* rPx,
/usr/share/ibus/{,**} r,
/usr/share/ibus-table/tables/ r,

4
apparmor.d/groups/bus/ibus-dconf
View file

@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/ibus/ibus-dconf
@{exec_path} += @{libexec}/ibus-dconf
@{exec_path} = @{lib}/ibus/ibus-dconf
@{exec_path} += @{lib}/ibus-dconf
profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf-write>

4
apparmor.d/groups/bus/ibus-engine-simple
View file

@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/ibus/ibus-engine-simple
@{exec_path} += @{libexec}/ibus-engine-simple
@{exec_path} = @{lib}/ibus/ibus-engine-simple
@{exec_path} += @{lib}/ibus-engine-simple
profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/ibus>

2
apparmor.d/groups/bus/ibus-engine-table
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/ibus-engine-table
@{exec_path} = @{lib}/ibus-engine-table
profile ibus-engine-table @{exec_path} {
include <abstractions/base>
include <abstractions/python>

4
apparmor.d/groups/bus/ibus-extension-gtk3
View file

@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/ibus/ibus-extension-gtk3
@{exec_path} += @{libexec}/ibus-extension-gtk3
@{exec_path} = @{lib}/ibus/ibus-extension-gtk3
@{exec_path} += @{lib}/ibus-extension-gtk3
profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-accessibility-strict>

2
apparmor.d/groups/bus/ibus-memconf
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/ibus-memconf
@{exec_path} = @{lib}/ibus-memconf
profile ibus-memconf @{exec_path} {
include <abstractions/base>
include <abstractions/ibus>

8
apparmor.d/groups/bus/ibus-portal
View file

@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/ibus/ibus-portal
@{exec_path} += @{libexec}/ibus-portal
@{exec_path} = @{lib}/ibus/ibus-portal
@{exec_path} += @{lib}/ibus-portal
profile ibus-portal @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
@ -29,8 +29,8 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}lib/gio/modules/{,*} r,
/{usr/,}lib/locale/locale-archive r,
@{lib}/gio/modules/{,*} r,
@{lib}/locale/locale-archive r,
/usr/share/locale/locale.alias r,

4
apparmor.d/groups/bus/ibus-x11
View file

@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/ibus/ibus-x11
@{exec_path} += @{libexec}/ibus-x11
@{exec_path} = @{lib}/ibus/ibus-x11
@{exec_path} += @{lib}/ibus-x11
profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>

10
apparmor.d/groups/children/child-dpkg
View file

@ -12,7 +12,7 @@ abi <abi/3.0>,
include <tunables/global>
# Do not attach to /{usr/,}bin/dpkg by default
# Do not attach to @{bin}/dpkg by default
profile child-dpkg {
include <abstractions/base>
include <abstractions/consoles>
@ -21,14 +21,14 @@ profile child-dpkg {
capability dac_read_search,
capability setgid,
/{usr/,}bin/dpkg mr,
@{bin}/dpkg mr,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
/{usr/,}bin/dpkg-deb rPx,
/{usr/,}bin/dpkg-split rPx,
@{bin}/dpkg-query rpx,
@{bin}/dpkg-deb rPx,
@{bin}/dpkg-split rPx,
/etc/dpkg/dpkg.cfg.d/{,*} r,
/etc/dpkg/dpkg.cfg r,

4
apparmor.d/groups/children/child-dpkg-divert
View file

@ -12,11 +12,11 @@ abi <abi/3.0>,
include <tunables/global>
# Do not attach to /{usr/,}bin/dpkg-divert by default
# Do not attach to @{bin}/dpkg-divert by default
profile child-dpkg-divert {
include <abstractions/base>
/{usr/,}bin/dpkg-divert mr,
@{bin}/dpkg-divert mr,
/var/lib/dpkg/arch r,
/var/lib/dpkg/status r,

94
apparmor.d/groups/children/child-open
View file

@ -6,7 +6,7 @@
# intended to be used only via "Px -> child-open" exec transitions
# from other profiles.
# Instead of allowing the run of all software in /{usr/,}bin/, the purpose of
# Instead of allowing the run of all software in @{bin}/, the purpose of
# this profile is to list all GUI program that can open resources.
# Ultimatelly, only sandbox manager program like bwrap, snap, flatpak, firejail
@ -21,71 +21,71 @@ profile child-open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/exo-open mr,
/{usr/,}bin/xdg-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mrix,
/{usr/,}lib/gio-launch-desktop mrix,
@{bin}/exo-open mr,
@{bin}/xdg-open mr,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mrix,
@{lib}/gio-launch-desktop mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,m,g}awk rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/readlink rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,m,g}awk rix,
@{bin}/basename rix,
@{bin}/readlink rix,
# Sandbox managers
/{usr/,}bin/bwrap rPUx,
/{usr/,}bin/firejail rPUx,
/{usr/,}bin/flatpak rPUx,
/{usr/,}bin/snap rPUx,
@{bin}/bwrap rPUx,
@{bin}/firejail rPUx,
@{bin}/flatpak rPUx,
@{bin}/snap rPUx,
# Files explorer
/{usr/,}bin/nautilus rPx,
@{bin}/nautilus rPx,
# Firefox
/{usr/,}bin/firefox{,.sh,-esr,-bin} rPx,
/{usr/,}lib{,32,64}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx,
@{bin}/firefox{,.sh,-esr,-bin} rPx,
@{lib}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx,
/opt/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx,
# Brave
/opt/brave{-bin,.com}/brave{,-beta,-dev,-bin}/brave{,-beta,-dev,-bin} rPx,
# Chromium
/{usr/,}lib/chromium/chromium rPx,
@{lib}/chromium/chromium rPx,
# Chrome
/opt/google/chrome{,-beta,-stable,-unstable}/chrome{,-beta,-stable,-unstable} rPx,
# Opera
/{usr/,}lib/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer} rPx,
@{lib}/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer} rPx,
# Text editors
/{usr/,}bin/code rPx,
/{usr/,}bin/gedit rPUx,
@{bin}/code rPx,
@{bin}/gedit rPUx,
/usr/share/code/{bin/,}code rPx,
# Others
/{usr/,}bin/*Foliate rPUx,
/{usr/,}bin/discord{,-ptb} rPx,
/{usr/,}bin/draw.io rPUx,
/{usr/,}bin/dropbox rPx,
/{usr/,}bin/engrampa rPx,
/{usr/,}bin/eog rPUx,
/{usr/,}bin/evince rPx,
/{usr/,}bin/filezilla rPx,
/{usr/,}bin/file-roller rPUx,
/{usr/,}bin/flameshot rPx,
/{usr/,}bin/geany rPx,
/{usr/,}bin/gnome-calculator rPUx,
/{usr/,}bin/gnome-disk-image-mounter rPx,
/{usr/,}bin/gnome-disks rPx,
/{usr/,}bin/kgx rPx,
/{usr/,}bin/okular rPx,
/{usr/,}bin/qbittorrent rPx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/spacefm rPx,
/{usr/,}bin/teams rPUx,
/{usr/,}bin/telegram-desktop rPx,
/{usr/,}bin/thunderbird rPx,
/{usr/,}bin/transmission-gtk rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/vlc rPx,
/{usr/,}bin/xarchiver rPx,
@{bin}/*Foliate rPUx,
@{bin}/discord{,-ptb} rPx,
@{bin}/draw.io rPUx,
@{bin}/dropbox rPx,
@{bin}/engrampa rPx,
@{bin}/eog rPUx,
@{bin}/evince rPx,
@{bin}/file-roller rPUx,
@{bin}/filezilla rPx,
@{bin}/flameshot rPx,
@{bin}/geany rPx,
@{bin}/gnome-calculator rPUx,
@{bin}/gnome-disk-image-mounter rPx,
@{bin}/gnome-disks rPx,
@{bin}/kgx rPx,
@{bin}/okular rPx,
@{bin}/qbittorrent rPx,
@{bin}/qpdfview rPx,
@{bin}/smplayer rPx,
@{bin}/spacefm rPx,
@{bin}/teams rPUx,
@{bin}/telegram-desktop rPx,
@{bin}/thunderbird rPx,
@{bin}/transmission-gtk rPx,
@{bin}/viewnior rPUx,
@{bin}/vlc rPx,
@{bin}/xarchiver rPx,
include if exists <usr/child-open.d>
include if exists <local/child-open>

10
apparmor.d/groups/children/child-pager
View file

@ -13,7 +13,7 @@ abi <abi/3.0>,
include <tunables/global>
# Do not attach to /{usr/,}bin/pager by default
# Do not attach to @{bin}/pager by default
profile child-pager {
include <abstractions/base>
include <abstractions/consoles>
@ -23,10 +23,10 @@ profile child-pager {
signal (receive) set=(stop, cont, term, kill),
/{usr/,}bin/ r,
/{usr/,}bin/pager mr,
/{usr/,}bin/less mr,
/{usr/,}bin/more mr,
@{bin}/ r,
@{bin}/pager mr,
@{bin}/less mr,
@{bin}/more mr,
@{system_share_dirs}/terminfo/{,**} r,

4
apparmor.d/groups/children/child-systemctl
View file

@ -13,7 +13,7 @@ abi <abi/3.0>,
include <tunables/global>
# Do not attach to /{usr/,}bin/systemctl by default
# Do not attach to @{bin}/systemctl by default
profile child-systemctl flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
@ -33,7 +33,7 @@ profile child-systemctl flags=(attach_disconnected) {
interface=org.freedesktop.systemd[0-9].Manager
member=GetUnitFileState,
/{usr/,}bin/systemctl mr,
@{bin}/systemctl mr,
/etc/machine-id r,
/etc/systemd/user/{,**} rwl,

14
apparmor.d/groups/cron/cron
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/cron
@{exec_path} = @{bin}/cron
profile cron @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/app-launcher-root>
@ -28,13 +28,13 @@ profile cron @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/nice rix,
/{usr/,}bin/ionice rix,
/{usr/,}bin/run-parts rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/nice rix,
@{bin}/ionice rix,
@{bin}/run-parts rPx,
/{usr/,}lib/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx,
/{usr/,}lib/sysstat/debian-sa1 rPUx,
@{lib}/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx,
@{lib}/sysstat/debian-sa1 rPUx,
/usr/share/rsync/scripts/rrsync rPUx,
/etc/cron.d/{,*} r,

8
apparmor.d/groups/cron/cron-anacron
View file

@ -12,10 +12,10 @@ profile cron-anacron @{exec_path} {
@{exec_path} r,
/{usr/,}{s,}bin/anacron rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/date rix,
@{bin}/anacron rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/cat rix,
@{bin}/date rix,
@{sys}/class/power_supply/ r,
@{sys}/devices/**/power_supply/{,**} r,

6
apparmor.d/groups/cron/cron-apport
View file

@ -12,9 +12,9 @@ profile cron-apport @{exec_path} {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/find rix,
/{usr/,}bin/rm rix,
@{bin}/{,ba,da}sh rix,
@{bin}/find rix,
@{bin}/rm rix,
/ r,
/var/crash/ r,

62
apparmor.d/groups/cron/cron-apt
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/cron-apt
@{exec_path} = @{bin}/cron-apt
profile cron-apt @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -16,36 +16,36 @@ profile cron-apt @{exec_path} {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/dotlockfile rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/diff rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/rmdir rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/md5sum rix,
/{usr/,}bin/stat rix,
/{usr/,}bin/date rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/expr rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/dd rix,
/{usr/,}bin/cksum rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/sleep rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/logger rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/fold rix,
@{bin}/{,ba,da}sh rix,
@{bin}/dotlockfile rix,
@{bin}/sed rix,
@{bin}/mktemp rix,
@{bin}/diff rix,
@{bin}/mkdir rix,
@{bin}/rmdir rix,
@{bin}/rm rix,
@{bin}/{,e}grep rix,
@{bin}/md5sum rix,
@{bin}/stat rix,
@{bin}/date rix,
@{bin}/cat rix,
@{bin}/expr rix,
@{bin}/cp rix,
@{bin}/dd rix,
@{bin}/cksum rix,
@{bin}/{m,g,}awk rix,
@{bin}/sleep rix,
@{bin}/mv rix,
@{bin}/logger rix,
@{bin}/ls rix,
@{bin}/touch rix,
@{bin}/uname rix,
@{bin}/fold rix,
/{usr/,}bin/apt-get rPx,
/{usr/,}bin/apt-file rPx,
/{usr/,}bin/aptitude{,-curses} rPx,
/{usr/,}sbin/exim4 rPx,
@{bin}/apt-get rPx,
@{bin}/apt-file rPx,
@{bin}/aptitude{,-curses} rPx,
@{bin}/exim4 rPx,
/usr/share/cron-apt/{,*} r,
@ -70,7 +70,7 @@ profile cron-apt @{exec_path} {
/var/log/cron-apt/lastfullmessage rw,
# For the "ls" command
/{usr/,}lib/locale/locale-archive r,
@{lib}/locale/locale-archive r,
# TMP
/tmp/ r,

18
apparmor.d/groups/cron/cron-apt-compat
View file

@ -11,18 +11,18 @@ profile cron-apt-compat @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}sbin/on_ac_power rPx,
@{bin}/on_ac_power rPx,
/{usr/,}bin/apt-config rPx,
/{usr/,}lib/apt/apt.systemd.daily rPx,
@{bin}/apt-config rPx,
@{lib}/apt/apt.systemd.daily rPx,
/{usr/,}bin/dd rix,
/{usr/,}bin/cksum rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/sleep rix,
@{bin}/dd rix,
@{bin}/cksum rix,
@{bin}/cut rix,
@{bin}/which{,.debianutils} rix,
@{bin}/sleep rix,
include if exists <local/cron-apt-compat>
}

18
apparmor.d/groups/cron/cron-apt-listbugs
View file

@ -11,9 +11,9 @@ profile cron-apt-listbugs @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean rCx -> prefclean,
@{lib}/ruby/vendor_ruby/aptlistbugs/prefclean rCx -> prefclean,
@{run}/systemd/system r,
@ -21,14 +21,14 @@ profile cron-apt-listbugs @{exec_path} {
profile prefclean {
include <abstractions/base>
/{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean mr,
@{lib}/ruby/vendor_ruby/aptlistbugs/prefclean mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/date rix,
/{usr/,}bin/cat rix,
@{bin}/{,ba,da}sh rix,
@{bin}/mktemp rix,
@{bin}/rm rix,
@{bin}/cp rix,
@{bin}/date rix,
@{bin}/cat rix,
/var/spool/apt-listbugs/lastprefclean rw,

4
apparmor.d/groups/cron/cron-apt-show-versions
View file

@ -11,9 +11,9 @@ profile cron-apt-show-versions @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/apt-show-versions rPx,
@{bin}/apt-show-versions rPx,
# For shell pwd
/ r,

16
apparmor.d/groups/cron/cron-apt-xapian-index
View file

@ -11,17 +11,17 @@ profile cron-apt-xapian-index @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/{,e}grep rix,
@{bin}/which{,.debianutils} rix,
@{bin}/{,e}grep rix,
/{usr/,}bin/nice rix,
/{usr/,}bin/ionice rix,
@{bin}/nice rix,
@{bin}/ionice rix,
/{usr/,}sbin/ r,
/{usr/,}sbin/update-apt-xapian-index rPx,
/{usr/,}sbin/on_ac_power rPx,
@{bin}/ r,
@{bin}/update-apt-xapian-index rPx,
@{bin}/on_ac_power rPx,
# For shell pwd
/ r,

22
apparmor.d/groups/cron/cron-aptitude
View file

@ -11,20 +11,20 @@ profile cron-aptitude @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/date rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mv rix,
@{bin}/cp rix,
@{bin}/date rix,
@{bin}/basename rix,
@{bin}/which{,.debianutils} rix,
@{bin}/dirname rix,
@{bin}/rm rix,
@{bin}/mv rix,
/{usr/,}bin/savelog rix,
/{usr/,}bin/cmp rix,
@{bin}/savelog rix,
@{bin}/cmp rix,
/{usr/,}bin/gzip rix,
@{bin}/gzip rix,
/var/lib/aptitude/pkgstates r,

6
apparmor.d/groups/cron/cron-cracklib
View file

@ -13,9 +13,9 @@ profile cron-cracklib @{exec_path} {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/logger rix,
/{usr/,}sbin/update-cracklib rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/logger rix,
@{bin}/update-cracklib rPx,
/etc/cracklib/cracklib.conf r,

18
apparmor.d/groups/cron/cron-debsums
View file

@ -12,16 +12,16 @@ profile cron-debsums @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/true rix,
/{usr/,}bin/logger rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/{,e}grep rix,
@{bin}/{,ba,da}sh rix,
@{bin}/true rix,
@{bin}/logger rix,
@{bin}/sed rix,
@{bin}/{,e}grep rix,
/{usr/,}bin/ionice rix,
@{bin}/ionice rix,
/{usr/,}bin/debsums rPx,
/{usr/,}bin/tee rCx -> tee,
@{bin}/debsums rPx,
@{bin}/tee rCx -> tee,
/etc/ r,
/etc/default/debsums r,
@ -38,7 +38,7 @@ profile cron-debsums @{exec_path} {
# Needed to write to /proc/self/fd/3
capability dac_override,
/{usr/,}bin/tee mr,
@{bin}/tee mr,
owner @{PROC}/@{pid}/fd/3 rw,

2
apparmor.d/groups/cron/cron-debtags
View file

@ -11,7 +11,7 @@ profile cron-debtags @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/usr/bin/debtags rPx,

4
apparmor.d/groups/cron/cron-dlocate
View file

@ -11,9 +11,9 @@ profile cron-dlocate @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}sbin/update-dlocatedb rPx,
@{bin}/update-dlocatedb rPx,
include if exists <local/cron-dlocate>
}

8
apparmor.d/groups/cron/cron-etckeeper
View file

@ -13,10 +13,10 @@ profile cron-etckeeper @{exec_path} {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/find rix,
/{usr/,}bin/etckeeper rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/rm rix,
@{bin}/find rix,
@{bin}/etckeeper rPx,
/etc/etckeeper/daily rix,
/etc/etckeeper/etckeeper.conf r,

26
apparmor.d/groups/cron/cron-exim4-base
View file

@ -24,22 +24,22 @@ profile cron-exim4-base @{exec_path} {
network netlink raw,
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/logger rix,
/{usr/,}bin/mail rix,
/{usr/,}bin/hostname rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/find rix,
/{usr/,}sbin/eximstats rix,
@{bin}/sed rix,
@{bin}/{,e}grep rix,
@{bin}/logger rix,
@{bin}/mail rix,
@{bin}/hostname rix,
@{bin}/xargs rix,
@{bin}/find rix,
@{bin}/eximstats rix,
/{usr/,}sbin/exim4 rPx,
/{usr/,}sbin/exim_tidydb rix,
@{bin}/exim4 rPx,
@{bin}/exim_tidydb rix,
/{usr/,}sbin/start-stop-daemon rix,
/{usr/,}sbin/runuser rix,
@{bin}/start-stop-daemon rix,
@{bin}/runuser rix,
/etc/default/exim4 r,

4
apparmor.d/groups/cron/cron-ipset-autoban-save
View file

@ -12,9 +12,9 @@ profile cron-ipset-autoban-save @{exec_path} {
include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}sbin/ipset rix,
@{bin}/ipset rix,
/etc/peerblock/autoban rw,

6
apparmor.d/groups/cron/cron-logrotate
View file

@ -11,11 +11,11 @@ profile cron-logrotate @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}sbin/logrotate rPx,
@{bin}/logrotate rPx,
/{usr/,}bin/logger rix,
@{bin}/logger rix,
# For shell pwd
/ r,

12
apparmor.d/groups/cron/cron-man-db
View file

@ -16,14 +16,14 @@ profile cron-man-db @{exec_path} {
capability setuid,
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}sbin/start-stop-daemon rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/find rix,
@{bin}/{,e}grep rix,
@{bin}/start-stop-daemon rix,
@{bin}/xargs rix,
@{bin}/find rix,
/{usr/,}bin/mandb rPx,
@{bin}/mandb rPx,
owner @{PROC}/@{pid}/fd/ r,

18
apparmor.d/groups/cron/cron-mlocate
View file

@ -12,17 +12,17 @@ profile cron-mlocate @{exec_path} {
include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/true rix,
/{usr/,}bin/flock rix,
/{usr/,}bin/nocache rix,
/{usr/,}bin/ionice rix,
/{usr/,}bin/nice rix,
@{bin}/which{,.debianutils} rix,
@{bin}/true rix,
@{bin}/flock rix,
@{bin}/nocache rix,
@{bin}/ionice rix,
@{bin}/nice rix,
/{usr/,}bin/updatedb.mlocate rPx,
/{usr/,}sbin/on_ac_power rPx,
@{bin}/updatedb.mlocate rPx,
@{bin}/on_ac_power rPx,
@{run}/mlocate.daily.lock rwk,

18
apparmor.d/groups/cron/cron-plocate
View file

@ -12,17 +12,17 @@ profile cron-plocate @{exec_path} {
include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/true rix,
/{usr/,}bin/flock rix,
/{usr/,}bin/nocache rix,
/{usr/,}bin/ionice rix,
/{usr/,}bin/nice rix,
@{bin}/which{,.debianutils} rix,
@{bin}/true rix,
@{bin}/flock rix,
@{bin}/nocache rix,
@{bin}/ionice rix,
@{bin}/nice rix,
/{usr/,}sbin/updatedb.plocate rPx,
/{usr/,}sbin/on_ac_power rPx,
@{bin}/updatedb.plocate rPx,
@{bin}/on_ac_power rPx,
@{run}/plocate.daily.lock rwk,

64
apparmor.d/groups/cron/cron-popularity-contest
View file

@ -11,28 +11,28 @@ profile cron-popularity-contest @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}sbin/popularity-contest rPx,
@{bin}/popularity-contest rPx,
/{usr/,}bin/logger rix,
/{usr/,}bin/date rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/setsid rix,
@{bin}/logger rix,
@{bin}/date rix,
@{bin}/mktemp rix,
@{bin}/mkdir rix,
@{bin}/rm rix,
@{bin}/mv rix,
@{bin}/cat rix,
@{bin}/setsid rix,
# To send reports via TOR
/{usr/,}bin/torify rix,
/{usr/,}bin/torsocks rix,
/{usr/,}sbin/getcap rix,
@{bin}/torify rix,
@{bin}/torsocks rix,
@{bin}/getcap rix,
/usr/share/popularity-contest/popcon-upload rCx -> popcon-upload,
/{usr/,}bin/gpg{,2} rCx -> gpg,
/{usr/,}sbin/runuser rCx -> runuser,
/{usr/,}bin/savelog rCx -> savelog,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/runuser rCx -> runuser,
@{bin}/savelog rCx -> savelog,
/usr/share/popularity-contest/ r,
/usr/share/popularity-contest/default.conf r,
@ -62,18 +62,18 @@ profile cron-popularity-contest @{exec_path} {
profile savelog {
include <abstractions/base>
/{usr/,}bin/savelog mr,
@{bin}/savelog mr,
/{usr/,}bin/date rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/gzip rix,
@{bin}/date rix,
@{bin}/basename rix,
@{bin}/which{,.debianutils} rix,
@{bin}/dirname rix,
@{bin}/rm rix,
@{bin}/mv rix,
@{bin}/touch rix,
@{bin}/gzip rix,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/var/log/ r,
/var/log/popularity-contest.[0-9]*.gz rw,
@ -91,11 +91,11 @@ profile cron-popularity-contest @{exec_path} {
include <abstractions/nameservice-strict>
include <abstractions/authentication>
/{usr/,}sbin/runuser mr,
@{bin}/runuser mr,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}sbin/popularity-contest rPx,
@{bin}/popularity-contest rPx,
owner @{PROC}/@{pids}/loginuid r,
@{PROC}/1/limits r,
@ -113,7 +113,7 @@ profile cron-popularity-contest @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/gpg{,2} mr,
@{bin}/gpg{,2} mr,
/usr/share/popularity-contest/debian-popcon.gpg r,
@ -141,9 +141,9 @@ profile cron-popularity-contest @{exec_path} {
network netlink raw,
/usr/share/popularity-contest/popcon-upload r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}bin/gzip rix,
@{bin}/gzip rix,
/var/log/ r,
/var/log/popularity-contest.new.gpg r,

4
apparmor.d/groups/cron/cron-sysstat
View file

@ -13,8 +13,8 @@ profile cron-sysstat @{exec_path} {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}lib/sysstat/sa2 rPx,
@{bin}/{,ba,da}sh rix,
@{lib}/sysstat/sa2 rPx,
/etc/default/sysstat r,

16
apparmor.d/groups/cron/crontab
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/crontab
@{exec_path} = @{bin}/crontab
profile crontab @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -17,11 +17,11 @@ profile crontab @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
# When editing the crontab file
/{usr/,}bin/sensible-editor rCx -> editor,
/{usr/,}bin/vim.* rCx -> editor,
@{bin}/sensible-editor rCx -> editor,
@{bin}/vim.* rCx -> editor,
/etc/cron.{allow,deny} r,
@ -38,10 +38,10 @@ profile crontab @{exec_path} {
capability fsetid,
/{usr/,}bin/sensible-editor mr,
/{usr/,}bin/vim.* mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
@{bin}/sensible-editor mr,
@{bin}/vim.* mrix,
@{bin}/{,ba,da}sh rix,
@{bin}/which{,.debianutils} rix,
owner @{HOME}/.selected_editor r,

14
apparmor.d/groups/freedesktop/accounts-daemon
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/{,accountsservice/}accounts-daemon
@{exec_path} = @{lib}/{,accountsservice/}accounts-daemon
profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
@ -43,13 +43,13 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/cat rix,
@{bin}/adduser rPx,
@{bin}/cat rix,
@{bin}/chage rPx,
@{bin}/passwd rPx,
@{bin}/userdel rPx,
@{bin}/usermod rPx,
/{usr/,}{s,}bin/adduser rPx,
/{usr/,}{s,}bin/usermod rPx,
/{usr/,}{s,}bin/userdel rPx,
/{usr/,}bin/passwd rPx,
/{usr/,}bin/chage rPx,
/usr/share/language-tools/language-validate rPx,
/usr/share/language-tools/set-language-helper rPUx,

6
apparmor.d/groups/freedesktop/at-spi-bus-launcher
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/{,at-spi2{,-core}/}at-spi-bus-launcher
@{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher
profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session>
@ -29,8 +29,8 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/dbus-daemon rPx,
/{usr/,}bin/dbus-broker-launch rPUx,
@{bin}/dbus-daemon rPx,
@{bin}/dbus-broker-launch rPUx,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/dconf/profile/gdm r,

2
apparmor.d/groups/freedesktop/at-spi2-registryd
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/{,at-spi2{,-core}/}at-spi2-registryd
@{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi2-registryd
profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>

6
apparmor.d/groups/freedesktop/colord
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/{,colord/}colord
@{exec_path} = @{lib}/{,colord/}colord
profile colord @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
@ -57,8 +57,8 @@ profile colord @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}lib/colord/colord-sane rPx,
@{libexec}/colord-sane rPx,
@{lib}/colord/colord-sane rPx,
@{lib}/colord-sane rPx,
/etc/machine-id r,
/etc/udev/hwdb.bin r,

2
apparmor.d/groups/freedesktop/colord-sane
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/{,colord/}colord-sane
@{exec_path} = @{lib}/{,colord/}colord-sane
profile colord-sane @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>

2
apparmor.d/groups/freedesktop/colord-session
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/{,colord/}colord-session
@{exec_path} = @{lib}/{,colord/}colord-session
profile colord-session @{exec_path} {
include <abstractions/base>

10
apparmor.d/groups/freedesktop/cpupower
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/cpupower
@{exec_path} = @{bin}/cpupower
profile cpupower @{exec_path} {
include <abstractions/base>
@ -19,9 +19,9 @@ profile cpupower @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/kmod rCx -> kmod,
/{usr/,}bin/man rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/kmod rCx -> kmod,
@{bin}/man rPx,
@{sys}/devices/system/cpu/{cpufreq,cpuidle}/ r,
@{sys}/devices/system/cpu/{cpufreq,cpuidle}/** r,
@ -43,7 +43,7 @@ profile cpupower @{exec_path} {
profile kmod {
include <abstractions/base>
/{usr/,}bin/kmod mr,
@{bin}/kmod mr,
@{PROC}/cmdline r,
#@{PROC}/modules r,

2
apparmor.d/groups/freedesktop/dconf
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dconf
@{exec_path} = @{bin}/dconf
profile dconf @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf-write>

2
apparmor.d/groups/freedesktop/dconf-editor
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dconf-editor
@{exec_path} = @{bin}/dconf-editor
profile dconf-editor @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>

2
apparmor.d/groups/freedesktop/dconf-service
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/{,dconf/}dconf-service
@{exec_path} = @{lib}/{,dconf/}dconf-service
profile dconf-service @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>

2
apparmor.d/groups/freedesktop/desktop-file-install
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/desktop-file-install
@{exec_path} = @{bin}/desktop-file-install
profile desktop-file-install @{exec_path} {
include <abstractions/base>

2
apparmor.d/groups/freedesktop/fc-list
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/fc-list
@{exec_path} = @{bin}/fc-list
profile fc-list @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>

2
apparmor.d/groups/freedesktop/geoclue
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/geoclue @{libexec}/geoclue-2.0/demos/agent
@{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent
profile geoclue @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>

6
apparmor.d/groups/freedesktop/pipewire
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pipewire
@{exec_path} = @{bin}/pipewire
profile pipewire @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio>
@ -44,8 +44,8 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/pactl rix,
/{usr/,}bin/pipewire-media-session rPx,
@{bin}/pactl rix,
@{bin}/pipewire-media-session rPx,
/usr/share/pipewire/pipewire*.conf r,

2
apparmor.d/groups/freedesktop/pipewire-media-session
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pipewire-media-session
@{exec_path} = @{bin}/pipewire-media-session
profile pipewire-media-session @{exec_path} {
include <abstractions/base>
include <abstractions/audio>

4
apparmor.d/groups/freedesktop/pipewire-pulse
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pipewire-pulse
@{exec_path} = @{bin}/pipewire-pulse
profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio>
@ -19,7 +19,7 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/pactl rix,
@{bin}/pactl rix,
/var/lib/dbus/machine-id r,
/etc/machine-id r,

2
apparmor.d/groups/freedesktop/plymouth
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/plymouth
@{exec_path} = @{bin}/plymouth
profile plymouth @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

10
apparmor.d/groups/freedesktop/plymouth-set-default-theme
View file

@ -6,16 +6,16 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/plymouth-set-default-theme
@{exec_path} = @{bin}/plymouth-set-default-theme
profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/plymouth rPx,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/grep rix,
@{bin}/plymouth rPx,
@{bin}/{,ba,da}sh rix,
/etc/plymouth/{,*} r,

2
apparmor.d/groups/freedesktop/plymouthd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/plymouthd
@{exec_path} = @{bin}/plymouthd
profile plymouthd @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

4
apparmor.d/groups/freedesktop/polkit-agent-helper
View file

@ -7,8 +7,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9]
@{exec_path} += @{libexec}/polkit-agent-helper-[0-9]
@{exec_path} = @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9]
@{exec_path} += @{lib}/polkit-agent-helper-[0-9]
profile polkit-agent-helper @{exec_path} {
include <abstractions/base>
include <abstractions/authentication>

6
apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
View file

@ -7,8 +7,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib{,exec}/@{multiarch}/polkit-kde-authentication-agent-[0-9]
@{exec_path} += /{usr/,}lib{,exec}/polkit-kde-authentication-agent-[0-9]
@{exec_path} = @{lib}/@{multiarch}/polkit-kde-authentication-agent-[0-9]
@{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9]
profile polkit-kde-authentication-agent @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -29,7 +29,7 @@ profile polkit-kde-authentication-agent @{exec_path} {
@{exec_path} mr,
/{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
@{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
/usr/share/hwdata/pnp.ids r,
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,

4
apparmor.d/groups/freedesktop/polkit-mate-authentication-agent
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/polkit-mate/polkit-mate-authentication-agent-[0-9]
@{exec_path} = @{lib}/@{multiarch}/polkit-mate/polkit-mate-authentication-agent-[0-9]
profile polkit-mate-authentication-agent @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
@ -24,7 +24,7 @@ profile polkit-mate-authentication-agent @{exec_path} {
@{exec_path} mr,
/{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
@{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
/usr/share/X11/xkb/** r,

2
apparmor.d/groups/freedesktop/polkitd
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/{,polkit-1/}polkitd
@{exec_path} = @{lib}/{,polkit-1/}polkitd
profile polkitd @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-strict>

8
apparmor.d/groups/freedesktop/pulseaudio
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pulseaudio
@{exec_path} = @{bin}/pulseaudio
profile pulseaudio @{exec_path} {
include <abstractions/base>
include <abstractions/audio>
@ -132,9 +132,9 @@ profile pulseaudio @{exec_path} {
@{exec_path} mrix,
@{libexec}/pulse/gsettings-helper mrix,
/{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
/{usr/,}lib/pulse-*/modules/*.so mr,
@{lib}/pulse/gsettings-helper mrix,
@{lib}/@{multiarch}/pulse/gconf-helper mrix,
@{lib}/pulse-*/modules/*.so mr,
/usr/share/pulseaudio/{,**} r,

2
apparmor.d/groups/freedesktop/update-desktop-database
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/update-desktop-database
@{exec_path} = @{bin}/update-desktop-database
profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/freedesktop/update-mime-database
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/update-mime-database
@{exec_path} = @{bin}/update-mime-database
profile update-mime-database @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>

2
apparmor.d/groups/freedesktop/upower
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/upower
@{exec_path} = @{bin}/upower
profile upower @{exec_path} {
include <abstractions/base>

2
apparmor.d/groups/freedesktop/upowerd
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/{,upower/}upowerd
@{exec_path} = @{lib}/{,upower/}upowerd
profile upowerd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>

2
apparmor.d/groups/freedesktop/xdg-dbus-proxy
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-dbus-proxy
@{exec_path} = @{bin}/xdg-dbus-proxy
profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>

2
apparmor.d/groups/freedesktop/xdg-desktop-icon
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-desktop-icon
@{exec_path} = @{bin}/xdg-desktop-icon
profile xdg-desktop-icon @{exec_path} {
include <abstractions/base>

32
apparmor.d/groups/freedesktop/xdg-desktop-menu
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-desktop-menu
@{exec_path} = @{bin}/xdg-desktop-menu
profile xdg-desktop-menu @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -14,22 +14,22 @@ profile xdg-desktop-menu @{exec_path} flags=(complain) {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/whoami rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/readlink rix,
@{bin}/{,ba,da}sh rix,
@{bin}/mkdir rix,
@{bin}/sed rix,
@{bin}/cut rix,
@{bin}/basename rix,
@{bin}/rm rix,
@{bin}/cp rix,
@{bin}/cat rix,
@{bin}/touch rix,
@{bin}/{m,g,}awk rix,
@{bin}/whoami rix,
@{bin}/mv rix,
@{bin}/{,e}grep rix,
@{bin}/readlink rix,
/{usr/,}bin/update-desktop-database rPx,
@{bin}/update-desktop-database rPx,
owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu rw,
owner @{user_share_dirs}/applications/chrome-*.desktop rw,

16
apparmor.d/groups/freedesktop/xdg-desktop-portal
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal
@{exec_path} = @{lib}/xdg-desktop-portal
profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-network-manager-strict>
@ -107,14 +107,14 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/nautilus rPx,
/{usr/,}bin/snap rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/nautilus rPx,
@{bin}/snap rPx,
/{usr/,}bin/kreadconfig5 rPx,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
/{usr/,}lib/gio-launch-desktop rPx -> child-open,
/{usr/,}lib/xdg-desktop-portal-validate-icon rPUx,
@{bin}/kreadconfig5 rPx,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
@{lib}/gio-launch-desktop rPx -> child-open,
@{lib}/xdg-desktop-portal-validate-icon rPUx,
/ r,
/.flatpak-info r,

2
apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal-gnome
@{exec_path} = @{lib}/xdg-desktop-portal-gnome
profile xdg-desktop-portal-gnome @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-session-strict>

2
apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal-gtk
@{exec_path} = @{lib}/xdg-desktop-portal-gtk
profile xdg-desktop-portal-gtk @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-accessibility-strict>

2
apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal-kde
@{exec_path} = @{lib}/xdg-desktop-portal-kde
profile xdg-desktop-portal-kde @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>

10
apparmor.d/groups/freedesktop/xdg-document-portal
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/xdg-document-portal
@{exec_path} = @{lib}/xdg-document-portal
profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
@ -51,8 +51,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/flatpak rCx -> flatpak,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
@{bin}/flatpak rCx -> flatpak,
@{bin}/fusermount{,3} rCx -> fusermount,
/ r,
@ -73,7 +73,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
profile flatpak {
include <abstractions/base>
/{usr/,}bin/flatpak mr,
@{bin}/flatpak mr,
/ r,
/etc/flatpak/remotes.d/{,*} r,
@ -103,7 +103,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
# network inet stream,
# network inet6 stream,
/{usr/,}bin/fusermount{,3} mr,
@{bin}/fusermount{,3} mr,
/etc/fuse{,3}.conf r,

18
apparmor.d/groups/freedesktop/xdg-email
View file

@ -7,20 +7,20 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-email
@{exec_path} = @{bin}/xdg-email
profile xdg-email @{exec_path} flags=(complain) {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/gio rPx,
/{usr/,}bin/readlink rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/which rix,
/{usr/,}bin/xdg-mime rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/basename rix,
@{bin}/gio rPx,
@{bin}/readlink rix,
@{bin}/sed rix,
@{bin}/which rix,
@{bin}/xdg-mime rPx,
owner /dev/tty[0-9]* rw,

24
apparmor.d/groups/freedesktop/xdg-icon-resource
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-icon-resource
@{exec_path} = @{bin}/xdg-icon-resource
profile xdg-icon-resource @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@ -14,18 +14,18 @@ profile xdg-icon-resource @{exec_path} flags=(complain) {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/whoami rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/touch rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/whoami rix,
@{bin}/sed rix,
@{bin}/basename rix,
@{bin}/mkdir rix,
@{bin}/cp rix,
@{bin}/rm rix,
@{bin}/readlink rix,
@{bin}/touch rix,
/{usr/,}bin/gtk{,4}-update-icon-cache rPx,
@{bin}/gtk{,4}-update-icon-cache rPx,
/usr/share/**/icons/**.png r,
/usr/share/icons/**.png rw,

48
apparmor.d/groups/freedesktop/xdg-mime
View file

@ -7,30 +7,30 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-mime
@{exec_path} = @{bin}/xdg-mime
profile xdg-mime @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/freedesktop.org>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/file rix,
/{usr/,}bin/head rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/which{,.debianutils} rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/{m,g,}awk rix,
@{bin}/basename rix,
@{bin}/cut rix,
@{bin}/file rix,
@{bin}/head rix,
@{bin}/mv rix,
@{bin}/readlink rix,
@{bin}/sed rix,
@{bin}/tr rix,
@{bin}/uname rix,
@{bin}/which{,.debianutils} rix,
/{usr/,}bin/gio rPx,
/{usr/,}bin/mimetype rPx,
/{usr/,}bin/xprop rPx,
@{bin}/gio rPx,
@{bin}/mimetype rPx,
@{bin}/xprop rPx,
/usr/share/terminfo/x/xterm-256color r,
@ -51,10 +51,10 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
# /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
#
# Should this be allowed? Xdg-mime works fine without this.
#/{usr/,}bin/dbus-launch rCx -> dbus,
#/{usr/,}bin/dbus-send rCx -> dbus,
deny /{usr/,}bin/dbus-launch rx,
deny /{usr/,}bin/dbus-send rx,
#@{bin}/dbus-launch rCx -> dbus,
#@{bin}/dbus-send rCx -> dbus,
deny @{bin}/dbus-launch rx,
deny @{bin}/dbus-send rx,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
@ -62,9 +62,9 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/dbus-launch mr,
/{usr/,}bin/dbus-send mr,
/{usr/,}bin/dbus-daemon rPx,
@{bin}/dbus-launch mr,
@{bin}/dbus-send mr,
@{bin}/dbus-daemon rPx,
@{HOME}/.Xauthority r,
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,

36
apparmor.d/groups/freedesktop/xdg-open
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-open
@{exec_path} = @{bin}/xdg-open
profile xdg-open @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/app-launcher-user>
@ -15,23 +15,23 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/uname rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/sed rix,
@{bin}/cut rix,
@{bin}/which{,.debianutils} rix,
@{bin}/cat rix,
@{bin}/uname rix,
/{usr/,}bin/xprop rPx,
/{usr/,}bin/xdg-mime rPx,
@{bin}/xprop rPx,
@{bin}/xdg-mime rPx,
/{usr/,}bin/exo-open rPx,
/{usr/,}bin/gio rPx,
#/{usr/,}bin/kde-open5 rPUx,
@{bin}/exo-open rPx,
@{bin}/gio rPx,
#@{bin}/kde-open5 rPUx,
/{usr/,}bin/dbus-launch rCx -> dbus,
/{usr/,}bin/dbus-send rCx -> dbus,
@{bin}/dbus-launch rCx -> dbus,
@{bin}/dbus-send rCx -> dbus,
/** r,
owner /** rw,
@ -46,9 +46,9 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/dbus-launch mr,
/{usr/,}bin/dbus-send mr,
/{usr/,}bin/dbus-daemon rPx,
@{bin}/dbus-launch mr,
@{bin}/dbus-send mr,
@{bin}/dbus-daemon rPx,
# for dbus-launch
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,

2
apparmor.d/groups/freedesktop/xdg-permission-store
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/xdg-permission-store
@{exec_path} = @{lib}/xdg-permission-store
profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>

30
apparmor.d/groups/freedesktop/xdg-screensaver
View file

@ -6,30 +6,30 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-screensaver
@{exec_path} = @{bin}/xdg-screensaver
profile xdg-screensaver @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/ r,
@{bin}/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/uname rix,
@{bin}/{,ba,da}sh rix,
@{bin}/mv rix,
@{bin}/{,e}grep rix,
@{bin}/sed rix,
@{bin}/which{,.debianutils} rix,
@{bin}/cat rix,
@{bin}/uname rix,
/{usr/,}bin/xautolock rix,
/{usr/,}bin/dbus-send rix,
@{bin}/xautolock rix,
@{bin}/dbus-send rix,
/{usr/,}bin/xprop rPx,
/{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/xset rPx,
/{usr/,}bin/hostname rix,
@{bin}/xprop rPx,
@{bin}/xdg-mime rPx,
@{bin}/xset rPx,
@{bin}/hostname rix,
/dev/dri/card[0-9] rw,

42
apparmor.d/groups/freedesktop/xdg-settings
View file

@ -7,31 +7,31 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-settings
@{exec_path} = @{bin}/xdg-settings
profile xdg-settings @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/which{,.debianutils} rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/basename rix,
@{bin}/cat rix,
@{bin}/cut rix,
@{bin}/mktemp rix,
@{bin}/mv rix,
@{bin}/readlink rix,
@{bin}/sed rix,
@{bin}/sort rix,
@{bin}/uname rix,
@{bin}/wc rix,
@{bin}/which{,.debianutils} rix,
/{usr/,}bin/dbus-launch rCx -> dbus,
/{usr/,}bin/dbus-send rCx -> dbus,
/{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/xprop rPx,
@{bin}/dbus-launch rCx -> dbus,
@{bin}/dbus-send rCx -> dbus,
@{bin}/xdg-mime rPx,
@{bin}/xprop rPx,
/usr/share/terminfo/x/xterm-256color r,
@ -61,9 +61,9 @@ profile xdg-settings @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/dbus-launch mr,
/{usr/,}bin/dbus-send mr,
/{usr/,}bin/dbus-daemon rPx,
@{bin}/dbus-launch mr,
@{bin}/dbus-send mr,
@{bin}/dbus-daemon rPx,
# for dbus-launch
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,

6
apparmor.d/groups/freedesktop/xdg-user-dir
View file

@ -6,14 +6,14 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-user-dir
@{exec_path} = @{bin}/xdg-user-dir
profile xdg-user-dir @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/env rix,
@{bin}/{,ba,da}sh rix,
@{bin}/env rix,
owner @{user_config_dirs}/user-dirs.dirs r,

2
apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-user-dirs-gtk-update
@{exec_path} = @{bin}/xdg-user-dirs-gtk-update
profile xdg-user-dirs-gtk-update @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>

2
apparmor.d/groups/freedesktop/xdg-user-dirs-update
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-user-dirs-update
@{exec_path} = @{bin}/xdg-user-dirs-update
profile xdg-user-dirs-update @{exec_path} {
include <abstractions/base>

2
apparmor.d/groups/freedesktop/xhost
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xhost
@{exec_path} = @{bin}/xhost
profile xhost @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>

2
apparmor.d/groups/freedesktop/xkbcomp
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xkbcomp
@{exec_path} = @{bin}/xkbcomp
profile xkbcomp @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>

20
apparmor.d/groups/freedesktop/xorg
View file

@ -7,10 +7,10 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/X
@{exec_path} += /{usr/,}bin/Xorg{,.bin}
@{exec_path} += /{usr/,}lib/Xorg{,.wrap}
@{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap}
@{exec_path} = @{bin}/X
@{exec_path} += @{bin}/Xorg{,.bin}
@{exec_path} += @{lib}/Xorg{,.wrap}
@{exec_path} += @{lib}/xorg/Xorg{,.wrap}
profile xorg @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
@ -58,13 +58,13 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/xkbcomp rPx,
/{usr/,}bin/pkexec rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/xkbcomp rPx,
@{bin}/pkexec rPx,
/{usr/,}lib/xorg/ r,
/{usr/,}lib/xorg/modules/ r,
/{usr/,}lib/xorg/modules/** mr,
@{lib}/xorg/ r,
@{lib}/xorg/modules/ r,
@{lib}/xorg/modules/** mr,
/var/lib/xkb/server-[0-9]*.xkm rw,
/var/lib/xkb/compiled/server-[0-9]*.xkm rw,

2
apparmor.d/groups/freedesktop/xprop
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xprop
@{exec_path} = @{bin}/xprop
profile xprop @{exec_path} {
include <abstractions/base>

2
apparmor.d/groups/freedesktop/xrandr
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xrandr
@{exec_path} = @{bin}/xrandr
profile xrandr @{exec_path} {
include <abstractions/base>

12
apparmor.d/groups/freedesktop/xrdb
View file

@ -7,18 +7,18 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xrdb
@{exec_path} = @{bin}/xrdb
profile xrdb @{exec_path} {
include <abstractions/base>
include <abstractions/X-strict>
@{exec_path} mr,
/{usr/,}bin/{,*-}cpp-[0-9]* rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cpp rix,
/{usr/,}lib{,32,64}/gcc/*/[0-9]*/cc1 rix,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
@{bin}/{,*-}cpp-[0-9]* rix,
@{bin}/{,ba,da}sh rix,
@{bin}/cpp rix,
@{lib}/gcc/*/[0-9]*/cc1 rix,
@{lib}/llvm-[0-9]*/bin/clang rix,
/usr/include/stdc-predef.h r,
/usr/etc/X11/xdm/Xresources r,

2
apparmor.d/groups/freedesktop/xset
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xset
@{exec_path} = @{bin}/xset
profile xset @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/freedesktop/xsetroot
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xsetroot
@{exec_path} = @{bin}/xsetroot
profile xsetroot @{exec_path} {
include <abstractions/base>

6
apparmor.d/groups/freedesktop/xwayland
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/Xwayland
@{exec_path} = @{bin}/Xwayland
profile xwayland @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dri-common>
@ -25,8 +25,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/xkbcomp rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/xkbcomp rPx,
/usr/share/egl/{,**} r,
/usr/share/fonts/{,**} r,

2
apparmor.d/groups/gpg/dirmngr
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dirmngr
@{exec_path} = @{bin}/dirmngr
profile dirmngr @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>

14
apparmor.d/groups/gpg/gpg
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gpg
@{exec_path} = @{bin}/gpg
profile gpg @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -21,12 +21,12 @@ profile gpg @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/dirmngr rPx,
/{usr/,}bin/gpg-agent rPx,
/{usr/,}bin/gpg-connect-agent rPx,
/{usr/,}bin/gpgconf rPx,
/{usr/,}bin/gpgsm rPx,
/{usr/,}lib/gnupg/scdaemon rPx,
@{bin}/dirmngr rPx,
@{bin}/gpg-agent rPx,
@{bin}/gpg-connect-agent rPx,
@{bin}/gpgconf rPx,
@{bin}/gpgsm rPx,
@{lib}/gnupg/scdaemon rPx,
/etc/inputrc r,

10
apparmor.d/groups/gpg/gpg-agent
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gpg-agent
@{exec_path} = @{bin}/gpg-agent
profile gpg-agent @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -17,9 +17,9 @@ profile gpg-agent @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/pinentry{,-*} rPx,
/{usr/,}bin/scdaemon rPx,
/{usr/,}lib/gnupg/scdaemon rPx,
@{bin}/pinentry{,-*} rPx,
@{bin}/scdaemon rPx,
@{lib}/gnupg/scdaemon rPx,
/usr/share/gnupg/* r,
@ -84,7 +84,7 @@ profile gpg-agent @{exec_path} {
@{PROC}/@{pid}/fd/ r,
# Silencer
deny /{usr/,}bin/.gnupg/ w,
deny @{bin}/.gnupg/ w,
# file inherit
owner /dev/tty[0-9]* rw,

4
apparmor.d/groups/gpg/gpg-connect-agent
View file

@ -6,14 +6,14 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gpg-connect-agent
@{exec_path} = @{bin}/gpg-connect-agent
profile gpg-connect-agent @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}bin/gpg-agent rPx,
@{bin}/gpg-agent rPx,
/etc/inputrc r,

16
apparmor.d/groups/gpg/gpgconf
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gpgconf
@{exec_path} = @{bin}/gpgconf
profile gpgconf @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -17,14 +17,14 @@ profile gpgconf @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/gpg-connect-agent rPx,
/{usr/,}bin/gpg{,2} rPx,
/{usr/,}bin/gpg-agent rPx,
/{usr/,}bin/dirmngr rPx,
/{usr/,}bin/gpgsm rPx,
/{usr/,}lib/gnupg/scdaemon rPx,
@{bin}/gpg-connect-agent rPx,
@{bin}/gpg{,2} rPx,
@{bin}/gpg-agent rPx,
@{bin}/dirmngr rPx,
@{bin}/gpgsm rPx,
@{lib}/gnupg/scdaemon rPx,
/{usr/,}bin/pinentry-* rPx,
@{bin}/pinentry-* rPx,
/etc/gcrypt/hwf.deny r,

2
apparmor.d/groups/gpg/gpgsm
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gpgsm
@{exec_path} = @{bin}/gpgsm
profile gpgsm @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>

Some files were not shown because too many files have changed in this diff Show more