feat(abs): minor improvements over some abstractions.

Alexandre Pujol 2024-03-13 16:18:54 +00:00
parent c33cd740c9
commit 30656bdc48
10 changed files with 42 additions and 13 deletions


@ -32,8 +32,17 @@
@{bin}/gnome-text-editor rPUx,
/usr/share/code/{bin/,}code rPUx,
# Others
# Emails
@{thunderbird_path} rPx,
@{bin}/geany rPUx,
# Documents viewers
@{bin}/evince rPx,
@{bin}/okular rPx,
@{bin}/*{F,f}oliate rPUx,
@{bin}/YACReader rPx,
# Others
@{bin}/blueman-tray rPx,
@{bin}/discord{,-ptb} rPx,
@{bin}/draw.io rPUx,
@ -41,13 +50,11 @@
@{bin}/element-desktop rPx,
@{bin}/engrampa rPx,
@{bin}/eog rPUx,
@{bin}/evince rPx,
@{bin}/extension-manager rPx,
@{bin}/file-roller rPUx,
@{bin}/filezilla rPx,
@{bin}/flameshot rPx,
@{bin}/flatpak rPUx,
@{bin}/geany rPx,
@{bin}/gimp* rPUx,
@{bin}/gnome-calculator rPUx,
@{bin}/gnome-disk-image-mounter rPx,
@ -62,7 +69,6 @@
@{bin}/steam-runtime rPUx,
@{bin}/teams rPUx,
@{bin}/telegram-desktop rPx,
@{bin}/thunderbird rPx,
@{bin}/transmission-gtk rPx,
@{bin}/viewnior rPUx,
@{bin}/vlc rPUx,
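Review bot: The re-grouped geany entry reads `@{bin}/geany rPUx,` while the entry leaving the alphabetical list was `@{bin}/geany rPx,`, so when no geany profile is loaded the editor now runs unconfined instead of the exec being refused. If that fallback is intended, the commit message should say so, since the title only mentions minor improvements. The new `@{bin}/*{F,f}oliate rPUx,` pairs a leading wildcard with the same unconfined fallback, so any file in @{bin} whose name ends in "foliate" is covered. Spelling out the expected binaries would be tighter, for example `@{bin}/{com.github.johnfactotum.Foliate,foliate} rPUx,` (names to be checked against the packages).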


@ -27,7 +27,7 @@
owner @{HOME}/.libao r,
owner @{HOME}/.esd_auth r,
owner @{user_cache_dirs}/event-sound-cache.@{md5}.@{multiarch} rwk, # libcanberra
@{user_cache_dirs}/event-sound-cache.@{md5}.@{multiarch} rwk, # libcanberra
owner @{user_config_dirs}/pulse/ rw,
owner @{user_config_dirs}/pulse/client.conf r,
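Review bot: The libcanberra cache rule is printed once with `owner` and once without; if the second line is the new side, the abstraction now grants `rwk` on `event-sound-cache.*` files regardless of which user owns them, while every neighbouring rule in the hunk keeps `owner`. Nothing in the commit explains why the ownership check had to go. Either keep `owner @{user_cache_dirs}/event-sound-cache.@{md5}.@{multiarch} rwk,` or add a comment naming the case that needs the unowned form, because every profile that includes this abstraction inherits the wider write and lock access.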


@ -7,7 +7,7 @@
@{lib}/ladspa/ r,
@{lib}/ladspa/*.so mr,
@{run}/udev/data/+sound:card@{int} r,
@{run}/udev/data/+sound:card@{int} r, # for sound card
@{sys}/class/ r,
@{sys}/class/sound/ r,


@ -6,7 +6,7 @@
include <abstractions/audio-client>
@{run}/udev/data/+sound:card@{int} r,
@{run}/udev/data/+sound:card@{int} r, # for sound card
@{sys}/class/ r,
@{sys}/class/sound/ r,


@ -4,17 +4,17 @@
dbus send bus=system path=/net/reactivated/Fprint/Manager
interface=net.reactivated.Fprint.Manager
member=GetDefaultDevice
member={GetDevices,GetDefaultDevice}
peer=(name=:*, label=fprintd),
dbus send bus=system path=/net/reactivated/Fprint/Manager
interface=net.reactivated.Fprint.Manager
member=GetDefaultDevice
member={GetDevices,GetDefaultDevice}
peer=(name=net.reactivated.Fprint),
dbus send bus=system path=/net/reactivated/Fprint/Manager
interface=net.reactivated.Fprint.Manager
member=GetDefaultDevice
member={GetDevices,GetDefaultDevice}
peer=(name=net.reactivated.Fprint, label=fprintd),
include if exists <abstractions/bus/net.reactivated.Fprint.d>
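Review bot: The middle rule, `peer=(name=net.reactivated.Fprint)`, carries no `label=`, so it matches whatever confinement the owner of that bus name runs under, and the following rule with `label=fprintd` then adds nothing. With this change `GetDevices` is sent under that unlabelled match as well. The PackageKit section has the same shape, where an Introspect rule with `peer=(name=org.freedesktop.PackageKit)` sits beside the `label=packagekitd` one. If the unlabelled variants exist for systems where the service runs unconfined, a comment such as `# unlabelled peer: service may run without a profile` above them would record that; otherwise they could be dropped in favour of the labelled rules.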


@ -11,6 +11,10 @@
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=org.freedesktop.PackageKit, label=packagekitd),
dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=org.freedesktop.PackageKit),
dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.PackageKit


@ -37,6 +37,7 @@
deny @{user_config_dirs}/*-store/{,**} mrwkl,
deny @{user_config_dirs}/chromium/{,**} mrwkl,
deny @{user_password_store_dirs}/{,**} mrwkl,
deny @{user_share_dirs}/kwalletd/{,**} mrwkl,
# Deny executable mapping in writable space as allowed in abstractions/fonts
deny @{HOME}/.{,cache/}fontconfig/ rw,


@ -5,7 +5,7 @@
@{lib}/@{multiarch}/libproxy/*/modules/*.so mr,
@{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,
@{lib}/frei0r-[0-9]/*.so mr,
@{lib}/frei0r-@{int}/*.so mr,
# FIXME: not compatible with FSP mode due conflicting x modifiers
@{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner mrix,


@ -3,6 +3,9 @@
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Many programs wish to perform nameservice-like operations, such as looking up
# users by name or id, groups by name or id, hosts by name or IP, etc.
@{etc_ro}/default/nss r,
@{etc_ro}/gai.conf r,
@{etc_ro}/group r,
@ -14,11 +17,14 @@
@{etc_ro}/resolv.conf r,
@{etc_ro}/services r,
/var/lib/nscd/group r,
/var/lib/nscd/passwd r,
# On systems with authselect installed, /etc/nsswitch.conf is a symlink to /etc/authselect/nsswitch.conf
@{etc_ro}/authselect/nsswitch.conf r,
# Alternative location for group & passwd files
/var/lib/extrausers/group r,
/var/lib/extrausers/passwd r,
/var/lib/nscd/group r,
/var/lib/nscd/passwd r,
@{run}/nscd/db* r,
@{run}/resolvconf/resolv.conf r,
@ -26,6 +32,14 @@
@{run}/systemd/resolve/stub-resolv.conf r,
# NSS records from systemd-userdbd.service
#
# Allow User/Group lookups via common VarLink socket APIs. Applications need
# to either consult all of them or the io.systemd.Multiplexer frontend.
#
# https://systemd.io/USER_GROUP_API/
# https://systemd.io/USER_RECORD/
# https://www.freedesktop.org/software/systemd/man/nss-systemd.html
#
@{run}/systemd/userdb/ r,
@{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users
@{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs


@ -12,10 +12,14 @@
owner @{run}/systemd/private rw,
@{PROC}/1/cgroup r,
@{PROC}/1/environ r,
@{PROC}/1/sched r,
@{PROC}/cmdline r,
@{PROC}/sys/fs/nr_open r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/comm r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/stat r,