Update profiles.
This commit is contained in:
parent
86215013d3
commit
33f99711a2
@ -11,7 +11,7 @@ include <tunables/global>
|
||||
@{MOZ_CACHEDIR} = @{user_cache_dirs}/mozilla
|
||||
|
||||
@{exec_path} = @{MOZ_LIBDIR}/crashreporter
|
||||
profile firefox-crashreporter @{exec_path} {
|
||||
profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/wayland>
|
||||
include <abstractions/nameservice>
|
||||
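Review bot: The new `flags=(attach_disconnected)` on the `profile firefox-crashreporter` line carries no comment saying which disconnected path triggered it, and because the flag relaxes path matching for every rule in the profile a later reader cannot tell whether it is still needed. The fwupd hunk further down in this diff documents the same flag inline ("In order to get to this file, the attach_disconnected flag has to be set"); the same style here would be a line such as `# attach_disconnected: needed for <path seen in the denial>` above the profile header, with the placeholder filled in from the recorded denial. The `/dev/dri/card[0-9]* rw,` added in the next hunk is likewise uncommented.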
@ -65,6 +65,7 @@ profile firefox-crashreporter @{exec_path} {
|
||||
owner @{MOZ_HOMEDIR}/firefox/*.*/.parentlock rw,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
/dev/dri/renderD128 rw,
|
||||
/dev/dri/card[0-9]* rw,
|
||||
|
||||
include if exists <local/firefox-crashreporter>
|
||||
}
|
||||
|
@ -16,7 +16,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
|
||||
# Needed?
|
||||
deny capability sys_nice,
|
||||
|
||||
signal (receive) set=term peer=gdm,
|
||||
signal (receive) set=(term hup) peer=gdm*,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
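Review bot: `signal (receive) set=(term hup) peer=gdm*,` replaces an exact peer name with a glob, so the rule now accepts these signals from any profile whose name begins with `gdm` (a gdm-session-worker or gdm-x-session profile, if such exist in this set), not only from `gdm`. If the sender observed was one specific profile, naming it in its own rule keeps the peer constraint meaningful; if several senders really are needed, a one-line comment listing which ones were observed lets the glob be re-checked later. The same widening appears in the gjs-console hunk (`peer=gdm*`) and the gdm-session-worker hunk (`peer=at-spi*`, `peer=gnome-*`) and deserves the same treatment.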
@ -27,6 +27,7 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{user_cache_dirs}/dconf/ rw,
|
||||
owner @{user_cache_dirs}/dconf/user rw,
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
/var/lib/gdm/.config/dconf/user.* rw,
|
||||
|
||||
@{PROC}/cmdline r,
|
||||
|
||||
|
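Review bot: `/var/lib/gdm/.config/dconf/user.* rw,` is added without the `owner` qualifier that the two `@{user_cache_dirs}/dconf/` rules above it carry, so any process confined by this profile, whatever its uid, may create and write files matching `user.*` in the gdm user's dconf directory. If the intent is the gdm-user instance of dconf-service rewriting its own database, `owner /var/lib/gdm/.config/dconf/user.* rw,` expresses exactly that and matches the existing rule style. The `user.*` wildcard is presumably for the temporary file written before the rename (I cannot confirm that from the diff); a short comment such as `# temp file for atomic rewrite of the user db — confirm` would record it.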
@ -25,7 +25,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
||||
capability sys_tty_config,
|
||||
|
||||
signal (receive) set=term peer=gdm,
|
||||
signal (send) set=hup peer=at-spi-bus-launcher,
|
||||
signal (send) set=hup peer=at-spi*,
|
||||
signal (send) set=hup peer=dbus-daemon,
|
||||
signal (send) set=hup peer=gjs-console,
|
||||
signal (send) set=hup peer=gnome-*,
|
||||
|
@ -19,7 +19,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
network netlink raw,
|
||||
|
||||
signal (receive) set=term peer=gdm,
|
||||
signal (receive) set=(term hup) peer=gdm*,
|
||||
|
||||
@{exec_path} mr,
|
||||
/{usr/,}bin/ r,
|
||||
|
@ -52,6 +52,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
owner @{HOME}/.cat_installer/ca.pem r,
|
||||
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
||||
owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
|
||||
owner @{user_cache_dirs}/mesa_shader_cache/index rw,
|
||||
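Review bot: `owner @{HOME}/.cat_installer/ca.pem r,` is a very specific path with no comment explaining which gnome-control-center feature reads it, so nobody will know when the rule can be dropped. A one-line comment above it, for example `# CA file dropped by a third-party network installer, read by the network panel — confirm`, would match the annotated udev rules later in this file. The new `@{run}/udev/data/c235:[0-9]* r,` in the hunk starting `@ -77,6 +79,7 @@` has the same gap, while its sibling `c13:` line already carries a `# for /dev/input/*` note.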
@ -69,6 +70,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
|
||||
owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
@{run}/systemd/sessions/ r,
|
||||
@ -77,6 +79,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
||||
@{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
|
||||
@{run}/udev/data/+pci* r,
|
||||
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
|
||||
@{run}/udev/data/c235:[0-9]* r,
|
||||
@{run}/udev/data/n[0-9]* r,
|
||||
|
||||
@{sys}/bus/ r,
|
||||
|
@ -70,7 +70,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{user_config_dirs}/.goutputstream{,*} rw,
|
||||
owner @{user_config_dirs}/ibus/* r,
|
||||
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-wayland-[0-9] r,
|
||||
owner @{user_config_dirs}/monitors.xml rw,
|
||||
owner @{user_config_dirs}/monitors.xml{,~} rwl,
|
||||
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-wayland-[0-9] r,
|
||||
|
||||
owner @{user_share_dirs}/backgrounds/{,**} rw,
|
||||
|
@ -23,12 +23,14 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
/usr/share/sounds/freedesktop/stereo/*.oga r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/icons/{,**} r,
|
||||
/usr/share/mime/mime.cache r,
|
||||
/usr/share/sounds/freedesktop/stereo/*.oga r,
|
||||
/usr/share/X11/xkb/** r,
|
||||
|
||||
owner @{user_share_dirs}/ r,
|
||||
owner @{user_share_dirs}/event-sound-cache.tdb.* rwk,
|
||||
owner @{user_share_dirs}/recently-used.xbel{,.*} rw,
|
||||
|
||||
|
@ -24,6 +24,7 @@ profile gsd-xsettings @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
/{usr/,}bin/xrdb rPx,
|
||||
/{usr/,}bin/pactl rPx,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
|
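Review bot: `/{usr/,}bin/pactl rPx,` transitions to a separate profile selected by the target's path, so an executable `pactl` profile must exist in the same profile set; if it is absent the exec is denied rather than falling back to inheritance, and in an enforcing profile that silently breaks whatever gsd-xsettings calls pactl for. I cannot see from this diff whether a pactl profile is shipped, so that is worth confirming before merge. A short comment on why the daemon shells out to pactl would also help: `# pactl: <reason> — confirm`.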
@ -16,11 +16,12 @@ profile tracker-extract @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/tracker3/{,**} r,
|
||||
/usr/share/tracker3-miners/{,**} r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/applications/*.desktop r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/mime/mime.cache r,
|
||||
/usr/share/osinfo/{,**} r,
|
||||
/usr/share/tracker3-miners/{,**} r,
|
||||
/usr/share/tracker3/{,**} r,
|
||||
|
||||
owner /tmp/tracker-extract-3-files.*/{,*} rw,
|
||||
owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
|
||||
@ -37,7 +38,10 @@ profile tracker-extract @{exec_path} {
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
@{run}/udev/data/c235:* r,
|
||||
@{run}/udev/data/c236:* r,
|
||||
|
||||
/dev/video[0-9]* rw,
|
||||
|
||||
include if exists <local/tracker-extract>
|
||||
}
|
||||
|
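Review bot: `/dev/video[0-9]* rw,` gives tracker-extract, the component that parses untrusted files, read/write access to every V4L2 `/dev/video*` node, and the hunk does not say what the extractor needs from those devices. If the access comes from a media library probing capture devices at startup (hedged — I cannot tell from the diff), consider whether a `deny` silencer or read-only access is enough, and record the decision with a comment such as `# video devices probed by <library> — confirm whether rw is needed`. The companion `@{run}/udev/data/c236:* r,` is uncommented too. Since this profile fences the process that handles attacker-controlled input, minimal device access is the right default.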
@ -8,7 +8,7 @@ abi <abi/3.0>,
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/systemd-detect-virt
|
||||
profile systemd-detect-virt @{exec_path} {
|
||||
profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/systemd-common>
|
||||
|
@ -51,9 +51,10 @@ profile systemd-journald @{exec_path} {
|
||||
@{run}/udev/data/+scsi:* r,
|
||||
@{run}/udev/data/+bluetooth:* r,
|
||||
@{run}/udev/data/+usb-serial:* r,
|
||||
@{run}/udev/data/+platform:regulatory.[0-9]* r,
|
||||
@{run}/udev/data/+platform:simple-framebuffer.[0-9]* r,
|
||||
@{run}/udev/data/+platform:iTCO_wdt r,
|
||||
@{run}/udev/data/+platform:regulatory.[0-9]* r,
|
||||
@{run}/udev/data/+platform:rtsx_pci_sdmmc.[0-9]* r,
|
||||
@{run}/udev/data/+platform:simple-framebuffer.[0-9]* r,
|
||||
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
|
||||
|
@ -20,6 +20,7 @@ profile systemd-timesyncd @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/adjtime r,
|
||||
/etc/systemd/timesyncd.conf r,
|
||||
|
||||
owner /var/lib/systemd/timesync/clock rw,
|
||||
|
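Review bot: `/etc/systemd/timesyncd.conf r,` covers only the main file, while systemd-timesyncd also reads drop-in fragments from `timesyncd.conf.d/` directories, so hosts that configure their NTP servers that way will see the reads denied once the profile enforces. Add the drop-in locations next to it: `/etc/systemd/timesyncd.conf.d/{,*.conf} r,`, `/{usr/,}lib/systemd/timesyncd.conf.d/{,*.conf} r,` and `@{run}/systemd/timesyncd.conf.d/{,*.conf} r,`.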
@ -12,17 +12,23 @@ profile auditd @{exec_path} {
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability audit_control,
|
||||
capability fsetid,
|
||||
capability chown,
|
||||
capability fsetid,
|
||||
capability sys_resource,
|
||||
|
||||
network netlink raw,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/var/log/audit/audit.log rw,
|
||||
/var/log/audit/audit.log.[0-9] rw,
|
||||
/etc/audit/{,**} r,
|
||||
|
||||
/var/log/audit/{,**} rw,
|
||||
|
||||
@{run}/systemd/userdb/ r,
|
||||
|
||||
owner @{PROC}/@{pid}/attr/current r,
|
||||
owner @{PROC}/@{pid}/loginuid r,
|
||||
owner @{PROC}/@{pid}/oom_score_adj r,
|
||||
|
||||
include if exists <local/auditd>
|
||||
}
|
||||
|
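Review bot: The added `capability chown,` and `capability sys_resource,` carry no comment naming the operation that needs them, unlike the style used elsewhere in this commit (the fwupd hunk explains its `dac_override`). If chown is for applying the configured log group to newly created audit logs and sys_resource for the disk-limit handling (my guess, not visible here), saying so with `# chown: set log group on new audit logs — confirm` lets the next reviewer re-check instead of keeping the capability by inertia. `/var/log/audit/{,**} rw,` replacing the two explicit log names also grants write on the directory itself, which is what rotation needs but is worth a word in a comment.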
@ -1,5 +1,6 @@
|
||||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2020-2021 Mikhail Morfikov
|
||||
# 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
@ -9,26 +10,38 @@ include <tunables/global>
|
||||
@{exec_path} = /{usr/,}bin/fwupd /{usr/,}lib/fwupd/fwupd
|
||||
profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/disks-read>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
|
||||
# This is needed in order to read/write from/to the /dev/tpm0 , device which is owned by tss:tss
|
||||
capability dac_override,
|
||||
|
||||
capability dac_read_search,
|
||||
capability linux_immutable,
|
||||
capability mknod,
|
||||
capability sys_admin,
|
||||
capability sys_nice,
|
||||
capability sys_rawio,
|
||||
capability syslog,
|
||||
|
||||
network netlink raw,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/gpg rCx -> gpg,
|
||||
/{usr/,}bin/gpgconf rCx -> gpg,
|
||||
/{usr/,}bin/gpgsm rCx -> gpg,
|
||||
|
||||
/usr/share/fwupd/** r,
|
||||
owner /var/cache/fwupd/** rw,
|
||||
owner /var/lib/fwupd/** r,
|
||||
owner /var/lib/fwupd/pending.db rwk,
|
||||
|
||||
/etc/pki/fwupd/** r,
|
||||
/etc/fwupd/** r,
|
||||
/usr/share/fwupd/** r,
|
||||
|
||||
/var/cache/fwupd/** rw,
|
||||
/var/lib/fwupd/{,**} rw,
|
||||
/var/lib/fwupd/pending.db rwk,
|
||||
|
||||
/boot/{,**} r,
|
||||
/boot/EFI/arch/fwupdx[0-9]*.efi rw,
|
||||
/boot/EFI/arch/fw/fwupd-*.cap{,.*} rw,
|
||||
|
||||
# In order to get to this file, the attach_disconnected flag has to be set
|
||||
owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r,
|
||||
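Review bot: `/boot/EFI/arch/fwupdx[0-9]*.efi rw,` and `/boot/EFI/arch/fw/fwupd-*.cap{,.*} rw,` hard-code one distribution's ESP mount point and vendor directory, so on systems where the ESP is mounted at `/boot/efi` or the directory is not `arch` the capsule staging writes are denied (and, with the profile in complain mode, only logged). fwupd lets the ESP location be configured, so either parameterise the path with a tunable or at least comment the assumption: `# ESP layout assumed: /boot with EFI/arch — adjust for other distros`. The new `capability linux_immutable,`, `sys_rawio,` and `mknod,` lines are uncommented; linux_immutable is presumably for clearing the immutable attribute on efivars entries before the `BootNext-*` and `fwupd-ux-capsule-*` writes in the next hunk, and a note to that effect would help future tightening. Dropping `owner` from `/var/cache/fwupd/**` and `/var/lib/fwupd/{,**}` also widens those rules to files of any uid; worth stating why.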
@ -36,37 +49,51 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
|
||||
/usr/share/mime/mime.cache r,
|
||||
|
||||
@{PROC}/modules r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/swaps r,
|
||||
@{PROC}/sys/kernel/tainted r,
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
@{PROC}/@{pids}/mounts r,
|
||||
@{PROC}/@{pids}/fd/ r,
|
||||
|
||||
/dev/mem r,
|
||||
/dev/mei[0-9]* rw,
|
||||
/dev/tpm[0-9] rw,
|
||||
/dev/drm_dp_aux[0-9]* rw,
|
||||
/dev/sd[a-z] r,
|
||||
/dev/bus/usb/ r,
|
||||
/dev/bus/usb/[0-9]*/[0-9]* rw,
|
||||
/dev/wmi/* r,
|
||||
|
||||
@{sys}/**/ r,
|
||||
@{sys}/devices/** r,
|
||||
|
||||
@{sys}/firmware/dmi/tables/smbios_entry_point r,
|
||||
@{sys}/firmware/acpi/** r,
|
||||
@{sys}/firmware/dmi/tables/DMI r,
|
||||
@{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r,
|
||||
@{sys}/firmware/dmi/tables/smbios_entry_point r,
|
||||
@{sys}/firmware/efi/** r,
|
||||
@{sys}/firmware/efi/efivars/BootNext-* rw,
|
||||
@{sys}/firmware/efi/efivars/fwupd-ux-capsule-* rw,
|
||||
@{sys}/kernel/security/lockdown r,
|
||||
@{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r,
|
||||
@{sys}/power/mem_sleep r,
|
||||
|
||||
/{var,}run/udev/data/* r,
|
||||
/{var,}run/motd.d/fwupd/{,**} rw,
|
||||
|
||||
/{var,}run/motd.d/fwupd/85-fwupd w,
|
||||
/{var,}run/motd.d/fwupd/.goutputstream-* rw,
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
|
||||
profile gpg {
|
||||
profile gpg flags=(complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
/{usr/,}bin/gpg mr,
|
||||
/{usr/,}bin/gpgconf mr,
|
||||
/{usr/,}bin/gpgsm mr,
|
||||
/{usr/,}bin/gpg-agent mr,
|
||||
|
||||
owner /var/lib/fwupd/gnupg/ rw,
|
||||
owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**,
|
||||
|
@ -1,5 +1,6 @@
|
||||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2020-2021 Mikhail Morfikov
|
||||
# 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
@ -11,11 +12,20 @@ profile fwupdmgr @{exec_path} flags=(complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/deny-dconf>
|
||||
include <abstractions/openssl>
|
||||
|
||||
signal (send),
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network netlink raw,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/dbus-launch rCx -> dbus,
|
||||
/{usr/,}bin/pkttyagent rux, # TODO: Work in progress
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/fwupd/ rw,
|
||||
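Review bot: `include <abstractions/deny-dconf>` is present in the new profile while the hunk starting `@ -31,6 +41,11 @@` adds `include <abstractions/dconf>` together with `owner @{run}/user/@{uid}/dconf/ rw,` and `owner @{run}/user/@{uid}/dconf/user rw,`; AppArmor deny rules take precedence over allow rules, so if deny-dconf covers those same paths (I cannot see the abstraction from here) the new allow rules are dead, and with the profile in complain mode nothing at runtime will reveal it. One of the two includes should go. Separately, `/{usr/,}bin/pkttyagent rux, # TODO: Work in progress` runs the polkit agent unconfined with the caller's environment passed through; until a profile exists, `rUx` (environment scrubbed) is the safer interim form. `signal (send),` with no `set=` or `peer=` qualifier permits any signal to any peer, subject only to the peer's own rules; narrow it to the observed peer once known.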
@ -31,6 +41,11 @@ profile fwupdmgr @{exec_path} flags=(complain) {
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
/dev/tty rw,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
profile dbus {
|
||||
include <abstractions/base>
|
||||
|
@ -19,6 +19,8 @@ profile gitstatusd @{exec_path} {
|
||||
owner @{user_config_dirs}/git/{,*} r,
|
||||
|
||||
# Silencer
|
||||
deny capability dac_read_search,
|
||||
deny capability dac_override,
|
||||
deny owner @{HOME}/.*-store/{,**} r,
|
||||
|
||||
include if exists <local/gitstatusd>
|
||||
|
@ -1,12 +1,13 @@
|
||||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2018-2021 Mikhail Morfikov
|
||||
# 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/gtk-update-icon-cache
|
||||
@{exec_path} = /{usr/,}bin/gtk-update-icon-cache /{usr/,}bin/gtk4-update-icon-cache
|
||||
profile gtk-update-icon-cache @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
@ -32,6 +32,8 @@ profile htop @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/loadavg r,
|
||||
@{PROC}/uptime r,
|
||||
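Review bot: `/usr/share/terminfo/x/xterm-256color r,` admits exactly one terminfo entry, so running htop under any other TERM (screen, tmux-256color, linux, …) gets a denial on the terminfo lookup once the profile enforces. A glob over the terminfo tree, `/usr/share/terminfo/** r,`, is the usual rule and adds no meaningful exposure since the database is world-readable static data. The `top` hunk at `@ -30,6 +30,8 @@` adds the identical single-entry line and has the same issue.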
@ -43,6 +45,7 @@ profile htop @{exec_path} {
|
||||
@{PROC}/pressure/memory r,
|
||||
@{PROC}/diskstats r,
|
||||
|
||||
@{PROC}/@{pids}/attr/current r,
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/@{pids}/statm r,
|
||||
@ -55,6 +58,7 @@ profile htop @{exec_path} {
|
||||
@{PROC}/@{pids}/comm r,
|
||||
|
||||
@{PROC}/@{pids}/task/ r,
|
||||
@{PROC}/@{pids}/task/@{tid}/attr/current r,
|
||||
@{PROC}/@{pids}/task/@{tid}/cmdline r,
|
||||
@{PROC}/@{pids}/task/@{tid}/stat r,
|
||||
@{PROC}/@{pids}/task/@{tid}/statm r,
|
||||
|
@ -43,6 +43,7 @@ profile pulseaudio @{exec_path} {
|
||||
|
||||
# Needed when PulseAudio is started via gdm
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r,
|
||||
owner @{HOME}/.ICEauthority r,
|
||||
|
||||
# TCP wrap
|
||||
|
@ -30,6 +30,8 @@ profile top @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/loadavg r,
|
||||
@{PROC}/uptime r,
|
||||
|