feat(profile): general update.
This commit is contained in:
parent
bf973760fd
commit
319b976beb
@ -39,6 +39,7 @@ profile dpkg-preconfigure @{exec_path} {
|
||||
owner /var/cache/debconf/ rw,
|
||||
owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk,
|
||||
owner /var/cache/debconf/tmp.ci/ r,
|
||||
owner /var/cache/debconf/tmp.ci/* rix,
|
||||
owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
|
||||
|
||||
@{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
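Review bot: The new `@{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,` line carries neither an `owner` qualifier nor a comment, so dpkg-preconfigure, which is normally run as root by the package tools, may read the Xwayland authority cookie of every user on the host. The same path is granted as `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,` in gsd-xsettings later in this commit; if the debconf frontend is always started from the owning user's session the `owner` form is the narrower choice, and if cross-user access is genuinely required a one-line comment such as `# debconf GUI frontend, may run outside the user's session — confirm` stops the next reader from "fixing" it. The enclosing profile starts and ends outside the hunk.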
|
||||
|
@ -39,6 +39,8 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
|
||||
/var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
|
||||
|
||||
owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw,
|
||||
|
||||
owner @{user_config_dirs}/ibus/bus/ r,
|
||||
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
|
||||
|
||||
|
@ -30,7 +30,7 @@ profile xdg-icon-resource @{exec_path} flags=(complain) {
|
||||
/usr/share/**/icons/**.png r,
|
||||
/usr/share/icons/**.png rw,
|
||||
/usr/share/icons/*/.xdg-icon-resource-dummy rw,
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
owner /tmp/.com.google.Chrome.*/chrome-*.png r,
|
||||
|
||||
|
@ -33,7 +33,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
|
||||
@{bin}/xprop rPx,
|
||||
@{bin}/ktraderclient5 rPx,
|
||||
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
owner @{user_config_dirs}/mimeapps.list{,.new} rw,
|
||||
|
@ -34,7 +34,7 @@ profile xdg-settings @{exec_path} {
|
||||
@{bin}/xdg-mime rPx,
|
||||
@{bin}/xprop rPx,
|
||||
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
/etc/xdg/xfce4/helpers.rc r,
|
||||
/etc/machine-id r,
|
||||
|
@ -29,6 +29,8 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
||||
capability sys_resource,
|
||||
capability sys_tty_config,
|
||||
|
||||
network netlink raw,
|
||||
|
||||
signal (receive) set=term peer=gdm,
|
||||
signal (receive) set=hup peer=@{systemd},
|
||||
signal (send) set=hup peer=at-spi*,
|
||||
@ -45,8 +47,6 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
||||
signal (send) set=hup peer=xwayland,
|
||||
signal (send) set=term peer=gdm-*-session,
|
||||
|
||||
network netlink raw,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.Manager
|
||||
member=*Session
|
||||
|
@ -30,7 +30,7 @@ profile gnome-extensions-app @{exec_path} {
|
||||
|
||||
/usr/share/gnome-shell/org.gnome.Extensions* r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
@ -73,6 +73,9 @@ profile gnome-terminal-server @{exec_path} {
|
||||
/etc/pulse/client.conf.d/{,**} r,
|
||||
/etc/shells r,
|
||||
|
||||
/var/lib/flatpak/exports/share/icons/{,**} r,
|
||||
/var/lib/snapd/desktop/icons/{,**} r,
|
||||
|
||||
owner @{user_cache_dirs}/event-sound-cache.tdb.@{md5}.@{multiarch} rwk,
|
||||
|
||||
owner @{user_config_dirs}/*xdg-terminals.list* rw,
|
||||
@ -81,6 +84,8 @@ profile gnome-terminal-server @{exec_path} {
|
||||
owner @{run}/user/@{uid}/pulse/ r,
|
||||
owner @{run}/user/@{uid}/pulse/native rw,
|
||||
|
||||
owner /tmp/#@{int} rw,
|
||||
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
@{PROC}/@{pids}/cgroup r,
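Review bot: `@{PROC}/@{pids}/cgroup r,` is unqualified, so gnome-terminal-server can read the cgroup membership of every process on the system, not only the shells it spawns. The existing `@{PROC}/@{pids}/cmdline r,` directly above has the same shape, so this may be deliberate, but if the lookup concerns its own children `owner @{PROC}/@{pids}/cgroup r,` is sufficient and matches the `owner` form this commit uses for other per-process reads. The enclosing profile starts and ends outside the hunk.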
|
||||
|
||||
|
@ -91,10 +91,10 @@ profile gsd-xsettings @{exec_path} {
|
||||
|
||||
owner @{user_cache_dirs}/mesa_shader_cache/index rw,
|
||||
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
@{run}/systemd/sessions/* r,
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
@ -108,6 +108,7 @@ profile gsd-xsettings @{exec_path} {
|
||||
|
||||
/etc/X11/Xresources/ r,
|
||||
|
||||
include if exists <local/gsd-xsettings_run-parts>
|
||||
}
|
||||
|
||||
include if exists <local/gsd-xsettings>
|
||||
|
@ -114,13 +114,13 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
||||
/usr/share/nautilus/{,**} r,
|
||||
/usr/share/poppler/{,**} r,
|
||||
/usr/share/sounds/freedesktop/stereo/*.oga r,
|
||||
/usr/share/terminfo/ r,
|
||||
/usr/share/terminfo/** r,
|
||||
/usr/share/thumbnailers/{,**} r,
|
||||
/usr/share/tracker*/{,**} r,
|
||||
|
||||
/etc/fstab r,
|
||||
|
||||
/var/cache/fontconfig/ r,
|
||||
/var/cache/fontconfig/ rw,
|
||||
/var/lib/snapd/desktop/icons/{,**} r,
|
||||
|
||||
# Full access to user's data
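Review bot: `/var/cache/fontconfig/ rw,` widens nautilus from read to write on the system-wide, root-owned fontconfig cache directory without saying why, which is exactly the kind of rule a later cleanup will narrow back unless the reason is recorded. If it is the fontconfig library probing the directory for writability before falling back to the per-user cache, a comment such as `# fontconfig opens the system cache dir rw before using the user cache — confirm` would make the grant reviewable; if nautilus really writes there, that deserves a sentence of its own. The enclosing profile starts and ends outside the hunk.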
|
||||
|
@ -72,7 +72,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
|
||||
/etc/default/grub.d/{*,} r,
|
||||
|
||||
/usr/share/grub/{**,} r,
|
||||
/usr/share/terminfo/{,x/xterm-256color} r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
/.zfs/snapshot/*/boot/ r,
|
||||
/.zfs/snapshot/*/etc/{machine-id,} r,
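Review bot: Replacing `/usr/share/terminfo/{,x/xterm-256color} r,` with `/usr/share/terminfo/** r,` drops read access to the `/usr/share/terminfo/` directory itself: in AppArmor globbing a `**` that follows a `/` has to match at least one character (that is why the `{,**}` idiom exists), so a directory open or listing on `/usr/share/terminfo/` that was allowed before would now be denied, if my reading of the glob rules is right. The same change appears in aa-enforce (`/usr/share/terminfo/{,**} r,` → `/usr/share/terminfo/** r,`) and dmesg; nautilus in this commit keeps a separate `/usr/share/terminfo/ r,` beside the `**` rule, which is the pattern to follow, or simply write `/usr/share/terminfo/{,**} r,`. The enclosing profile starts and ends outside the hunk.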
|
||||
|
@ -12,7 +12,7 @@ profile iwctl @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
/etc/inputrc r,
|
||||
|
||||
|
@ -28,7 +28,7 @@ profile wg-quick @{exec_path} {
|
||||
@{bin}/wg rPx,
|
||||
@{bin}/xtables-nft-multi rix,
|
||||
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
/etc/iproute2/group r,
|
||||
/etc/iproute2/rt_realms r,
|
||||
|
@ -25,7 +25,7 @@ profile arch-audit @{exec_path} {
|
||||
|
||||
/etc/arch-audit/settings.toml r,
|
||||
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
/var/lib/pacman/local/{,**} r,
|
||||
|
||||
|
@ -43,7 +43,7 @@ profile aurpublish @{exec_path} {
|
||||
@{bin}/wc rix,
|
||||
|
||||
/usr/share/makepkg/{,**} r,
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
/etc/makepkg.conf r,
|
||||
|
||||
|
@ -85,7 +85,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
|
||||
/usr/share/plymouth/*.png r,
|
||||
/usr/share/plymouth/plymouthd.defaults r,
|
||||
/usr/share/plymouth/themes/{,**} r,
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
# Can copy any program to the initframs
|
||||
/{usr/,}{local/,}{s,}bin/ r,
|
||||
|
@ -29,7 +29,7 @@ profile paccache @{exec_path} {
|
||||
@{bin}/xargs rix,
|
||||
|
||||
/usr/share/makepkg/util/*.sh r,
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
/var/cache/pacman/pkg/{,*} rw,
|
||||
|
||||
|
@ -31,7 +31,7 @@ profile pacman-key @{exec_path} {
|
||||
|
||||
/usr/share/makepkg/{,**} r,
|
||||
/usr/share/pacman/keyrings/{,*} r,
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
/etc/pacman.d/gnupg/gpg.conf r,
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021 Mikhail Morfikov
|
||||
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
@ -30,7 +30,10 @@ profile ssh @{exec_path} {
|
||||
@{etc_ro}/ssh/ssh_config r,
|
||||
@{etc_ro}/ssh/sshd_config r,
|
||||
@{etc_ro}/ssh/sshd_config.d/{,*} r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/ssh/ssh_config r,
|
||||
/etc/ssh/ssh_config.d/{,*} r,
|
||||
|
||||
owner @{HOME}/@{XDG_SSH_DIR}/ r,
|
||||
owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r,
|
||||
owner @{HOME}/@{XDG_SSH_DIR}/config r,
|
||||
@ -40,17 +43,12 @@ profile ssh @{exec_path} {
|
||||
owner @{user_projects_dirs}/**/ssh/{,*} r,
|
||||
owner @{user_projects_dirs}/**/config r,
|
||||
|
||||
/etc/ssh/ssh_config r,
|
||||
/etc/ssh/ssh_config.d/{,*} r,
|
||||
# Needed to work for systemd-homed users
|
||||
/etc/machine-id r,
|
||||
@{run}/systemd/userdb/ r,
|
||||
|
||||
owner /tmp/ssh-*/{,agent.[0-9]*} rwkl,
|
||||
|
||||
owner @{run}/user/@{uid}/keyring/ssh rw,
|
||||
|
||||
owner @{PROC}/@{pid}/loginuid r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
owner /tmp/ssh-*/{,agent.[0-9]*} rwkl,
|
||||
|
||||
include if exists <local/ssh>
|
||||
}
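Review bot: The `# Needed to work for systemd-homed users` comment and, if I read the hunk's line counts correctly, the `@{run}/systemd/userdb/ r,` rule it explained are removed, while `/etc/machine-id r,` is kept and moved up into the first hunk; the reason the machine-id read exists is thereby lost and systemd-homed users may regress. If the userdb read is still needed it should stay, and the comment should travel with the `/etc/machine-id r,` line. Separately, the re-added `/etc/ssh/ssh_config r,` and `/etc/ssh/ssh_config.d/{,*} r,` appear to duplicate the `@{etc_ro}/ssh/ssh_config r,` rules two lines above them, assuming `@{etc_ro}` expands to a set that includes `/etc/` as it does elsewhere in this project; one of the two forms should go. The ssh profile header is outside the hunk.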
|
||||
|
@ -61,7 +61,7 @@ profile coredumpctl @{exec_path} flags=(complain) {
|
||||
/usr/share/gcc/** r,
|
||||
/usr/share/gdb/{,**} r,
|
||||
/usr/share/glib-2.0/gdb/{,**} r,
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
/etc/inputrc r,
|
||||
/etc/gdb/** r,
|
||||
|
@ -25,7 +25,6 @@ profile systemd-shutdown @{exec_path} {
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
@{PROC}/1/cgroup r,
|
||||
owner @{PROC}/@{pid}/comm r,
|
||||
owner @{PROC}/sys/kernel/core_pattern w,
|
||||
owner @{PROC}/sys/kernel/printk rw,
|
||||
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /usr/share/apport/apport
|
||||
profile apport @{exec_path} {
|
||||
profile apport @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/apt-common>
|
||||
include <abstractions/nameservice-strict>
|
||||
@ -15,7 +15,11 @@ profile apport @{exec_path} {
|
||||
include <abstractions/python>
|
||||
|
||||
capability fsetid,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
capability sys_ptrace,
|
||||
|
||||
ptrace (read) peer=gnome-shell,
|
||||
ptrace (read) peer=snap.cups.cupsd,
|
||||
|
||||
@{exec_path} mr,
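Review bot: The capability and ptrace rules between `include <abstractions/python>` and `@{exec_path} mr,` gain four lines (the rendering lost the markers, so I cannot tell exactly which of `capability setuid,`, `capability sys_ptrace,`, `ptrace (read) peer=gnome-shell,` and `ptrace (read) peer=snap.cups.cupsd,` are new), and none of them carries a comment; a crash handler that may inspect the shell and the print daemon is a meaningful widening and should record why, e.g. `# reads /proc/<pid> of the crashing process; gnome-shell and cupsd are the peers seen in practice`. In the next hunk `owner @{PROC}/@{pid}/stat r,` appears to be replaced by the unqualified `@{PROC}/@{pid}/stat r,`; since `@{pid}` is a numeric wildcard rather than the process's own pid, that allows stat reads on every process, so keeping `owner` (or a comment on why it cannot be kept) is preferable. The apport profile header and closing brace are outside this hunk.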
|
||||
@ -27,11 +31,11 @@ profile apport @{exec_path} {
|
||||
|
||||
@{run}/apport.lock rwk,
|
||||
|
||||
@{PROC}/sys/fs/suid_dumpable w,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/core_pattern w,
|
||||
@{PROC}/sys/kernel/core_pipe_limit w,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
@{PROC}/@{pid}/stat r,
|
||||
@{PROC}/sys/fs/suid_dumpable w,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/core_pattern w,
|
||||
@{PROC}/sys/kernel/core_pipe_limit w,
|
||||
|
||||
include if exists <local/apport>
|
||||
}
|
@ -14,23 +14,25 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) {
|
||||
capability sys_ptrace,
|
||||
capability syslog,
|
||||
|
||||
ptrace (read),
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
|
||||
# mqueue type=posix /,
|
||||
|
||||
ptrace (read),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/fuser rix,
|
||||
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/net/unix r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pids}/fd/ r,
|
||||
@{PROC}/@{pids}/maps r,
|
||||
@{PROC}/swaps r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/net/unix r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
|
||||
include if exists <local/package-system-locked>
|
||||
}
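Review bot: `@{PROC}/@{pids}/maps r,` and `@{PROC}/@{pids}/fd/ r,` are unqualified reads of the memory layout and open-file table of every process, on top of the unrestricted `ptrace (read),` and `capability sys_ptrace,` above them; presumably this is what `@{bin}/fuser rix,` needs to find who holds the package lock, but nothing says so, and a comment such as `# fuser walks /proc/*/fd and /proc/*/maps to find lock holders` next to them would make the scope reviewable. The commented-out `# mqueue type=posix /,` is parked policy text with no explanation; either drop it or say why it is disabled. The profile header is outside the hunk.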
|
@ -19,7 +19,7 @@ profile aa-enforce @{exec_path} {
|
||||
@{bin}/ r,
|
||||
@{bin}/apparmor_parser rPx,
|
||||
|
||||
/usr/share/terminfo/{,**} r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
/etc/apparmor/logprof.conf r,
|
||||
/etc/apparmor.d/{,**} rw,
|
||||
|
@ -25,18 +25,15 @@ profile aa-notify @{exec_path} {
|
||||
|
||||
/etc/apparmor/*.conf r,
|
||||
/etc/inputrc r,
|
||||
|
||||
/usr/etc/inputrc.keys r,
|
||||
/usr/share/terminfo/d/dumb r,
|
||||
/usr/share/terminfo/x/xterm r,
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
/var/log/audit/audit.log r,
|
||||
|
||||
owner @{HOME}/.inputrc r,
|
||||
owner @{HOME}/.terminfo/@{int}/dumb r,
|
||||
|
||||
owner /tmp/*@{rand6} rw,
|
||||
owner /tmp/@{rand8} rw,
|
||||
owner /tmp/apparmor-bugreport-*.txt rw,
|
||||
|
||||
@{PROC}/ r,
|
||||
|
@ -18,7 +18,7 @@ profile aa-teardown @{exec_path} {
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{lib}/apparmor/apparmor.systemd rPx,
|
||||
|
||||
/usr/share/terminfo/x/* r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
/dev/tty rw,
|
||||
|
||||
|
@ -40,8 +40,8 @@ profile atril @{exec_path} {
|
||||
|
||||
@{bin}/atril-previewer rPx,
|
||||
|
||||
@{lib}/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix,
|
||||
@{lib}/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix,
|
||||
@{lib}/{,@{multiarch}/}webkit2gtk-*/WebKitNetworkProcess rix,
|
||||
@{lib}/{,@{multiarch}/}webkit2gtk-*/WebKitWebProcess rix,
|
||||
|
||||
/usr/share/atril/{,**} r,
|
||||
/usr/share/poppler/{,**} r,
|
||||
|
@ -21,7 +21,7 @@ profile code-extension-git-askpass @{exec_path} {
|
||||
@{bin}/rm rix,
|
||||
@{lib}/electron@{int}/electron rix,
|
||||
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
owner /tmp/tmp.* rw,
|
||||
|
||||
|
@ -21,7 +21,7 @@ profile dmesg @{exec_path} {
|
||||
@{bin}/less rPx -> child-pager,
|
||||
|
||||
/dev/kmsg r,
|
||||
/usr/share/terminfo/{,**} r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
deny /{usr/,}local/bin/ r,
|
||||
deny @{bin}/{,*/} r,
|
||||
|
@ -9,6 +9,7 @@ include <tunables/global>
|
||||
@{exec_path} = @{bin}/gdk-pixbuf-query-loaders
|
||||
profile gdk-pixbuf-query-loaders @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
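Review bot: One of `network inet stream,` / `network inet6 stream,` is new here (the rendering lost which), and the same pair is added to glib-compile-schemas in this commit; both are build-time cache generators with no obvious reason to open TCP sockets, and no comment records the denial that prompted the grant. If it is a resolver path pulled in by a library, `include <abstractions/nameservice-strict>`, which other profiles in this commit use, may be the narrower fix; otherwise a comment such as `# TODO: which code path opens an inet socket?` at least documents the assumption. The enclosing profile's body continues outside the hunk.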
|
||||
|
@ -78,7 +78,7 @@ profile git @{exec_path} {
|
||||
@{bin}/vim.* rCx -> editor,
|
||||
|
||||
/usr/share/git{,-core}/{,**} r,
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
/etc/gitconfig r,
|
||||
/etc/mailname r,
|
||||
@ -175,7 +175,7 @@ profile git @{exec_path} {
|
||||
@{bin}/which{,.debianutils} rix,
|
||||
|
||||
/usr/share/vim/{,**} r,
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
/etc/vimrc r,
|
||||
/etc/vim/{,**} r,
|
||||
|
@ -9,6 +9,7 @@ include <tunables/global>
|
||||
@{exec_path} = @{bin}/glib-compile-schemas
|
||||
profile glib-compile-schemas @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
@ -18,16 +18,18 @@ profile htop @{exec_path} {
|
||||
capability sys_nice,
|
||||
capability sys_ptrace,
|
||||
|
||||
signal (send),
|
||||
ptrace (read),
|
||||
|
||||
network netlink raw,
|
||||
|
||||
signal (send),
|
||||
signal (receive) set=(hup) peer=gnome-terminal-server,
|
||||
|
||||
ptrace (read),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/lsof rix,
|
||||
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
/etc/sensors.d/ r,
|
||||
/etc/sensors3.conf r,
|
||||
|
@ -28,7 +28,7 @@ profile hugo @{exec_path} {
|
||||
|
||||
/usr/share/git{,-core}/{,**} r,
|
||||
/usr/share/mime/{,**} r,
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
/etc/mime.types r,
|
||||
|
||||
|
@ -1,5 +1,6 @@
|
||||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021 Mikhail Morfikov
|
||||
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
@ -10,12 +11,12 @@ include <tunables/global>
|
||||
profile jami-gnome @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/user-download-strict>
|
||||
@ -24,6 +25,12 @@ profile jami-gnome @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{lib}/{,@{multiarch}/}webkit2gtk-*/WebKitNetworkProcess rix,
|
||||
@{lib}/{,@{multiarch}/}webkit2gtk-*/WebKitWebProcess rix,
|
||||
|
||||
/usr/share/ring/{,**} r,
|
||||
/usr/share/sounds/jami-gnome/{,**} r,
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/jami-gnome/ rw,
|
||||
owner @{user_cache_dirs}/jami-gnome/** rw,
|
||||
@ -38,11 +45,9 @@ profile jami-gnome @{exec_path} {
|
||||
owner @{user_share_dirs}/webkitgtk/databases/indexeddb/v0 w,
|
||||
owner @{user_share_dirs}/webkitgtk/databases/indexeddb/v1/ w,
|
||||
|
||||
@{lib}/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix,
|
||||
@{lib}/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix,
|
||||
|
||||
/usr/share/ring/{,**} r,
|
||||
/usr/share/sounds/jami-gnome/{,**} r,
|
||||
@{sys}/firmware/acpi/pm_profile r,
|
||||
@{sys}/devices/virtual/dmi/id/chassis_type r,
|
||||
@{sys}/fs/cgroup/** r,
|
||||
|
||||
owner @{PROC}/@{pid}/statm r,
|
||||
owner @{PROC}/@{pid}/smaps r,
|
||||
@ -50,9 +55,5 @@ profile jami-gnome @{exec_path} {
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
@{PROC}/zoneinfo r,
|
||||
|
||||
@{sys}/firmware/acpi/pm_profile r,
|
||||
@{sys}/devices/virtual/dmi/id/chassis_type r,
|
||||
@{sys}/fs/cgroup/** r,
|
||||
|
||||
include if exists <local/jami-gnome>
|
||||
}
|
||||
|
@ -1,6 +1,6 @@
|
||||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2020-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2021-203 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
@ -28,7 +28,7 @@ profile modprobed-db @{exec_path} {
|
||||
@{bin}/uniq rix,
|
||||
@{bin}/wc rix,
|
||||
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
owner @{user_config_dirs}/modprobed-db.conf r,
|
||||
owner @{user_config_dirs}/modprobed.db rw,
|
||||
|
@ -22,7 +22,7 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
owner @{user_config_dirs}/nvtop/{,**} rw,
|
||||
|
||||
|
@ -51,7 +51,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
|
||||
@{lib}/os-probes/{,**} rix,
|
||||
|
||||
/usr/share/os-prober/common.sh r,
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
/var/lib/os-prober/{,**} rw,
|
||||
|
||||
|
@ -55,7 +55,7 @@ profile pass @{exec_path} {
|
||||
@{bin}/qrencode rPUx, # pass-otp
|
||||
@{bin}/tomb rPUx, # pass-tomb
|
||||
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
owner @{user_password_store_dirs}/{,**} rw,
|
||||
owner /dev/shm/pass.*/{,*} rw,
|
||||
@ -75,7 +75,7 @@ profile pass @{exec_path} {
|
||||
|
||||
/etc/vim/{,**} r,
|
||||
/etc/vimrc r,
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
/usr/share/vim/{,**} r,
|
||||
/tmp/ r,
|
||||
|
||||
|
@ -15,7 +15,7 @@ profile pinentry-curses @{exec_path} {
|
||||
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
include if exists <local/pinentry-curses>
|
||||
}
|
@ -103,7 +103,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
|
||||
|
||||
/usr/lib/os-release rk,
|
||||
/usr/share/fonts/**.{ttf,otf} rk,
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
/usr/share/themes/{,**} r,
|
||||
/usr/share/X11/{,**} r,
|
||||
/usr/share/zenity/* r,
|
||||
|
@ -55,8 +55,8 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
|
||||
mount -> /tmp/newroot/,
|
||||
umount /{,oldroot/},
|
||||
|
||||
pivot_root /newroot/,
|
||||
pivot_root oldroot=/tmp/oldroot/ /tmp/,
|
||||
pivot_root oldroot=/newroot/ -> /newroot/,
|
||||
pivot_root oldroot=/tmp/oldroot/ -> /tmp/,
|
||||
|
||||
signal (receive) peer=steam,
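Review bot: `pivot_root oldroot=/newroot/ -> /newroot/,` and `pivot_root oldroot=/tmp/oldroot/ -> /tmp/,` look wrong as written: in the apparmor.d(5) rule grammar the new root is a bare path after the optional `oldroot=`, and `-> NAME` designates the profile to transition to after the pivot, so as far as I can tell these rules leave the new root unconstrained and name a transition target that is not a profile. The previous forms `pivot_root /newroot/,` and `pivot_root oldroot=/tmp/oldroot/ /tmp/,` followed the documented syntax; unless a profile transition is really intended, the new root should be given as a path again, e.g. `pivot_root oldroot=/tmp/oldroot/ /tmp/,`, and the rule checked with the parser before merging. The enclosing profile starts and ends outside the hunk.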
|
||||
|
||||
@ -122,7 +122,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
/usr/share/egl/{,**} r,
|
||||
/usr/share/icons/{,**} r,
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/udev/udev.conf r,
|
||||
|
@ -16,7 +16,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
capability sys_boot,
|
||||
|
||||
dbus (bind) bus=system name=org.freedesktop.thermald,
|
||||
dbus bind bus=system name=org.freedesktop.thermald,
|
||||
|
||||
dbus send bus=system path=/net/hadess/PowerProfiles
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
@ -25,8 +25,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/thermald/thermal-conf.xml r,
|
||||
/etc/thermald/thermal-cpu-cdev-order.xml r,
|
||||
/etc/thermald/{,*} r,
|
||||
|
||||
owner @{run}/thermald/ rw,
|
||||
owner @{run}/thermald/thd_preference.conf rw,
|
||||
|
@ -31,7 +31,7 @@ profile top @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/loadavg r,
|
||||
|
@ -1,6 +1,6 @@
|
||||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2018-2022 Mikhail Morfikov
|
||||
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
@ -23,6 +23,8 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
|
||||
capability net_raw,
|
||||
capability sys_module,
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network netlink raw,
|
||||
network packet dgram,
|
||||
network packet raw,
|
||||
@ -30,7 +32,8 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
|
||||
dbus bind bus=system name=fi.w1.wpa_supplicant1,
|
||||
dbus receive bus=system path=/fi/w1/wpa_supplicant1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
member=GetAll
|
||||
peer=(name=:*),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
@ -12,13 +12,13 @@ profile xinit @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
signal (receive) set=(usr1) peer=xorg,
|
||||
|
||||
signal (send) set=(term, kill) peer=xorg,
|
||||
signal (send) set=(hup),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/ r,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/{,e}grep rix,
|
||||
@ -86,6 +86,7 @@ profile xinit @{exec_path} {
|
||||
owner /dev/tty@{int} rw,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
include if exists <local/xinit_run-parts>
|
||||
}
|
||||
|
||||
profile udevadm {
|
||||
@ -95,25 +96,26 @@ profile xinit @{exec_path} {
|
||||
|
||||
/etc/udev/udev.conf r,
|
||||
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/1/sched r,
|
||||
@{PROC}/1/environ r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
|
||||
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
|
||||
|
||||
@{run}/udev/data/* r,
|
||||
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/bus/*/devices/ r,
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/*/ r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{run}/udev/data/* r,
|
||||
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
|
||||
|
||||
@{PROC}/1/environ r,
|
||||
@{PROC}/1/sched r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty@{int} rw,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
include if exists <local/xinit_udevadm>
|
||||
}
|
||||
|
||||
include if exists <local/xinit>
|
||||
|