From 35a281d0454846e0985dd76ba8b8049e0fe2149e Mon Sep 17 00:00:00 2001 From: Mikhail Morfikov Date: Sun, 24 Apr 2022 11:52:42 +0200 Subject: [PATCH] update apparmor profiles Signed-off-by: Alexandre Pujol --- apparmor.d/abstractions/libvirt-qemu | 11 +++++--- apparmor.d/groups/apps/android-studio | 12 ++++++++- apparmor.d/groups/apt/apt-forktracer | 19 ++++++-------- apparmor.d/groups/apt/apt-methods-gpgv | 5 ++-- apparmor.d/groups/apt/debsums | 1 + apparmor.d/groups/apt/dpkg | 3 +++ apparmor.d/groups/apt/querybts | 3 +++ apparmor.d/groups/apt/reportbug | 2 ++ apparmor.d/groups/bus/dbus-daemon | 2 +- apparmor.d/groups/gpg/gpg | 2 +- apparmor.d/profiles-a-f/appstreamcli | 5 ++++ apparmor.d/profiles-a-f/atftpd | 5 ++-- apparmor.d/profiles-a-f/atril | 26 +++++++++++------- apparmor.d/profiles-a-f/conky | 1 + apparmor.d/profiles-a-f/ffplay | 6 +++++ apparmor.d/profiles-g-l/gajim | 4 ++- apparmor.d/profiles-g-l/gparted | 1 + apparmor.d/profiles-g-l/gpartedbin | 1 + apparmor.d/profiles-g-l/i3lock | 4 ++- apparmor.d/profiles-m-r/mkinitramfs | 1 + apparmor.d/profiles-m-r/mkvmerge | 1 + apparmor.d/profiles-m-r/mkvtoolnix-gui | 1 + apparmor.d/profiles-m-r/mtr | 29 +++++++++++++++++++++ apparmor.d/profiles-m-r/mtr-packet | 27 +++++++++++++++++++ apparmor.d/profiles-s-z/update-alternatives | 2 ++ apparmor.d/profiles-s-z/uscan | 3 +++ apparmor.d/profiles-s-z/vsftpd | 6 ++--- apparmor.d/profiles-s-z/yt-dlp | 2 +- 28 files changed, 147 insertions(+), 38 deletions(-) create mode 100644 apparmor.d/profiles-m-r/mtr create mode 100644 apparmor.d/profiles-m-r/mtr-packet diff --git a/apparmor.d/abstractions/libvirt-qemu b/apparmor.d/abstractions/libvirt-qemu index 104bc073..d238fc24 100644 --- a/apparmor.d/abstractions/libvirt-qemu +++ b/apparmor.d/abstractions/libvirt-qemu 
@@ -79,13 +79,13 @@
 # access to firmware's etc
 /usr/share/AAVMF/** r,
 /usr/share/bochs/** r,
- /usr/share/edk2-ovmf/** r,
+ /usr/share/edk2-ovmf/** rk,
 /usr/share/kvm/** r,
 /usr/share/misc/sgabios.bin r,
 /usr/share/openbios/** r,
 /usr/share/openhackware/** r,
- /usr/share/OVMF/** r,
- /usr/share/ovmf/** r,
+ /usr/share/OVMF/** rk,
+ /usr/share/ovmf/** rk,
 /usr/share/proll/** r,
 /usr/share/qemu-efi/** r,
 /usr/share/qemu-kvm/** r,
@@ -247,4 +247,9 @@
 / r, # harmless on any lsb compliant system
 /sys/bus/nd/devices/{,**/} r,
+ # required for QEMU accessing UEFI nvram variables
+ owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
+ owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk,
+
+ # Site-specific additions and overrides. See local/README for details.
 include if exists
diff --git a/apparmor.d/groups/apps/android-studio b/apparmor.d/groups/apps/android-studio
index 1c246fcd..f4c7913d 100644
--- a/apparmor.d/groups/apps/android-studio
+++ b/apparmor.d/groups/apps/android-studio
@@ -33,10 +33,14 @@ profile android-studio @{exec_path} {
 signal (send) set=(term, kill) peer=android-studio//lsb-release,
+ ptrace (read) peer=android-studio//*,
+
 network inet dgram,
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
+ network inet raw,
+ network inet6 raw,
 network netlink raw,
 @{exec_path} r,
@@ -129,6 +133,9 @@ profile android-studio @{exec_path} {
 owner "@{user_cache_dirs}/Android Open Source Project/" rw,
 owner "@{user_cache_dirs}/Android Open Source Project/**" rw,
+ owner @{user_cache_dirs}/main.kts.compiled.cache/ rw,
+ owner @{user_cache_dirs}/main.kts.compiled.cache/** rw,
+
 owner @{user_cache_dirs}/Google/ rw,
 owner @{user_cache_dirs}/Google/** rwk,
 # To remove the following error:
@@ -178,11 +185,12 @@ profile android-studio @{exec_path} {
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/coredump_filter rw,
 owner @{PROC}/@{pid}/mem r,
 owner @{PROC}/@{pid}/oom_{,score_}adj rw,
 owner @{PROC}/@{pids}/task/ r,
 owner @{PROC}/@{pids}/task/@{tid}/status r,
- owner @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pids}/stat r,
 @{PROC}/sys/net/core/somaxconn r,
 @{PROC}/sys/fs/inotify/max_user_watches r,
 @{PROC}/sys/kernel/yama/ptrace_scope r,
@@ -201,6 +209,8 @@ profile android-studio @{exec_path} {
 /usr/share/hwdata/pnp.ids r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
diff --git a/apparmor.d/groups/apt/apt-forktracer b/apparmor.d/groups/apt/apt-forktracer
index 8983c93d..0641c9bc 100644
--- a/apparmor.d/groups/apt/apt-forktracer
+++ b/apparmor.d/groups/apt/apt-forktracer
@@ -1,13 +1,6 @@
-# vim:syntax=apparmor
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2021 Mikhail Morfikov
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -22,7 +15,8 @@ profile apt-forktracer @{exec_path} {
 @{exec_path} mr,
 /{usr/,}bin/ r,
- /{usr/,}bin/dpkg rPx -> child-dpkg,
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
+ /{usr/,}bin/apt-cache rPx,
 /usr/share/apt-forktracer/{,**} r,
@@ -38,5 +32,8 @@ profile apt-forktracer @{exec_path} {
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
+ /etc/dpkg/origins/debian r,
+ /etc/debian_version r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv
index c638f261..aa8b7ad1 100644
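Review bot: `@{PROC}/@{pids}/stat r,` replaces the `owner`-qualified rule, so android-studio may now read the stat file of every process on the host rather than only its own, and nothing in the hunk says which feature needs that; if the wider read is deliberate, a why-comment such as `# stat of foreign pids needed for <feature — TODO confirm>` above the rule would record it, otherwise keeping `owner` is the tighter choice. The @@ -33 hunk of this file also adds `network inet raw,` and `network inet6 raw,` while no `capability net_raw,` appears anywhere in the diff, so unless the profile already grants that capability elsewhere these rules do not enable raw sockets for an unprivileged session — worth confirming which is intended. The profile body continues outside the hunk.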
--- a/apparmor.d/groups/apt/apt-methods-gpgv
+++ b/apparmor.d/groups/apt/apt-methods-gpgv
@@ -35,6 +35,7 @@ profile apt-methods-gpgv @{exec_path} {
 /{usr/,}bin/find rix,
 /{usr/,}bin/gpgv rix,
+ /{usr/,}bin/head rix,
 /{usr/,}bin/cat rix,
 /{usr/,}bin/chmod rix,
 /{usr/,}bin/cmp rix,
@@ -79,8 +80,8 @@ profile apt-methods-gpgv @{exec_path} {
 @{PROC}/@{pid}/fd/ r,
 # Local keyring storage
- /etc/keyrings/ r,
- /etc/keyrings/*.{gpg,asc} r,
+ /etc/apt/keyrings/ r,
+ /etc/apt/keyrings/*.{gpg,asc} r,
 # Extrepo keyring storage
 /var/lib/extrepo/keys/*.{gpg,asc} r,
diff --git a/apparmor.d/groups/apt/debsums b/apparmor.d/groups/apt/debsums
index 5b1f6531..d8d01fcd 100644
--- a/apparmor.d/groups/apt/debsums
+++ b/apparmor.d/groups/apt/debsums
@@ -46,6 +46,7 @@ profile debsums @{exec_path} {
 /var/lib/{,**} r,
 /opt/{,**} r,
 /boot/{,**} r,
+ /lib*/{,**} r,
 include if exists
 }
diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg
index c2c0ac72..77aa271b 100644
--- a/apparmor.d/groups/apt/dpkg
+++ b/apparmor.d/groups/apt/dpkg
@@ -89,6 +89,9 @@ profile dpkg @{exec_path} {
 /usr/** rwl -> /usr/**,
 /lib/ r,
 /lib/** rwl -> /lib/** ,
+ # Fixme when more transitions will be available (#FIXME#)
+ /lib{,32,64,x64}/ r,
+ /lib{,32,64,x64}/** rwl,
 /bin/ r,
 /bin/* rwl -> /bin/*,
 /sbin/ r,
diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts
index 8d73a320..6dfc4f34 100644
--- a/apparmor.d/groups/apt/querybts
+++ b/apparmor.d/groups/apt/querybts
@@ -52,6 +52,9 @@ profile querybts @{exec_path} {
 /etc/fstab r,
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
 # Allowed apps to open
 /{usr/,}lib/firefox/firefox rPUx,
diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug
index 1a9b4e37..ac196d38 100644
--- a/apparmor.d/groups/apt/reportbug
+++ b/apparmor.d/groups/apt/reportbug
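Review bot: In the dpkg hunk, `/lib{,32,64,x64}/** rwl,` carries a bare `l` permission with no `-> target` clause, unlike the `/lib/** rwl -> /lib/** ,` context line directly above it, so the explicit link-target pinning used by the neighbouring rules is dropped for these directories; `/lib{,32,64,x64}/** rwl -> /lib{,32,64,x64}/**,` would keep the existing pattern. Because `{,32,64,x64}` also expands to `/lib/`, the two `/lib/` rules above it become redundant once this one is in place. The `#FIXME#` comment would be more useful if it named the transition being waited for, so the broader rule can be reverted when it arrives. The dpkg profile body continues outside the hunk.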
@@ -93,6 +93,8 @@ profile reportbug @{exec_path} {
 @{sys}/module/apparmor/parameters/enabled r,
+ /dev/ptmx rw,
+
 owner /tmp/reportbug-*-[0-9]*-@{pid}-* rw,
 owner /tmp/* rw,
 owner /var/tmp/*.bug{,~} rw,
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index 03583e58..b67f4c8a 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@@ -61,7 +61,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 @{run}/systemd/inhibit/[0-9]*.ref rw,
 @{run}/systemd/sessions/[0-9]*.ref rw,
 @{run}/systemd/users/@{uid} r,
- owner @{run}/user/@{uid}/at-spi/bus rw,
+ owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
 owner @{run}/user/@{uid}/dbus-1/ rw,
 owner @{run}/user/@{uid}/dbus-1/services/ rw,
diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg
index 4032e4db..40bfaea5 100644
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@@ -70,7 +70,7 @@ profile gpg @{exec_path} {
 # APT upstream/user keyrings
 /usr/share/keyrings/*.{gpg,asc} r,
- /etc/keyrings/*.{gpg,asc} r,
+ /etc/apt/keyrings/*.{gpg,asc} r,
 # APT repositories
 /var/lib/apt/lists/*_InRelease r,
diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli
index fd13cfc8..9197e59b 100644
--- a/apparmor.d/profiles-a-f/appstreamcli
+++ b/apparmor.d/profiles-a-f/appstreamcli
@@ -35,12 +35,17 @@ profile appstreamcli @{exec_path} flags=(complain) {
 /var/lib/app-info/yaml/ r,
 /var/lib/app-info/yaml/*_Components-*.yml.gz w,
+ /var/lib/app-info/ w,
 /var/lib/apt/lists/ r,
 /var/lib/apt/lists/*_Components-*.gz r,
+ /var/lib/swcatalog/ rw,
+ /var/lib/swcatalog/yaml/ rw,
+ /var/lib/swcatalog/yaml/*_Components-*.yml.gz w,
 /var/lib/flatpak/appstream/{,**} r,
 /var/cache/swcatalog/cache/{,**} rw,
 owner /var/cache/app-info/{,**} rw,
+ owner /var/cache/swcatalog/{,**} rw,
 owner /tmp/appstream-cache-*.mdb rw,
 owner /tmp/appstream/ rw,
 owner /tmp/appstream/appcache-*.mdb rw,
diff --git a/apparmor.d/profiles-a-f/atftpd b/apparmor.d/profiles-a-f/atftpd
index 309d2d6a..d6e5ca5e 100644
--- a/apparmor.d/profiles-a-f/atftpd
+++ b/apparmor.d/profiles-a-f/atftpd
@@ -10,6 +10,8 @@ include
 profile atftpd @{exec_path} {
 include
 include
+ # For libwrap (TCP Wrapper) support
+ include
 # to run atftpd daemon as nobody/nogroup
 capability setgid,
@@ -21,8 +23,5 @@ profile atftpd @{exec_path} {
 /tftpboot/{,**} r,
 /srv/tftp/{,**} r,
- # for libwrap (TCP Wrapper) support
- /etc/hosts.{,allow,deny} r,
-
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril
index a40ef1c3..3eb4b452 100644
--- a/apparmor.d/profiles-a-f/atril
+++ b/apparmor.d/profiles-a-f/atril
@@ -30,8 +30,12 @@ profile atril @{exec_path} {
 @{exec_path} mr,
- /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitNetworkProcess rix,
- /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitWebProcess rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+
+ /{usr/,}bin/atril-previewer rPx,
+
+ /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix,
+ /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix,
 # Which media files atril should be able to open
 / r,
@@ -52,6 +56,7 @@ profile atril @{exec_path} {
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
+ owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/statm r,
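Review bot: In the atril @@ -30 hunk, `/{usr/,}bin/{,ba,da}sh rix,` lets atril run a shell that inherits the full document-viewer profile, which is a wide grant for a PDF reader, and nothing in the hunk records what script or helper triggers it; a why-comment such as `# shell needed for <helper — TODO confirm>` above the rule would help, and if the shell only launches one known helper, an `rPx` transition to that helper's profile would be tighter. `/{usr/,}bin/atril-previewer rPx,` relies on an atril-previewer profile existing (a missing profile makes the exec fail), which this diff does not show. The atril profile body continues outside the hunk.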
@@ -59,24 +64,25 @@ profile atril @{exec_path} {
 owner @{PROC}/@{pid}/cgroup r,
 @{PROC}/zoneinfo r,
- /sys/firmware/acpi/pm_profile r,
- /sys/devices/virtual/dmi/id/chassis_type r,
- /sys/fs/cgroup/** r,
+ @{sys}/firmware/acpi/pm_profile r,
+ @{sys}/devices/virtual/dmi/id/chassis_type r,
+ @{sys}/fs/cgroup/** r,
 /etc/fstab r,
- /usr/share/poppler/** r,
+ /usr/share/poppler/{,**} r,
- owner @{user_config_dirs}/atril/ rw,
- owner @{user_config_dirs}/atril/* rw,
+ owner @{user_config_dirs}/atril/{,*} rw,
- owner @{user_cache_dirs}/atril/ rw,
- owner @{user_cache_dirs}/atril/** rw,
+ owner @{user_cache_dirs}/atril/{,**} rw,
 owner @{user_share_dirs}/gvfs-metadata/home r,
 owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
 owner /tmp/gtkprint_* rw,
+ owner /tmp/settings*.ini rw,
+ owner /tmp/settings*.ini.* rw,
+
 owner /tmp/atril-@{pid}/ rw,
 owner /tmp/atril-@{pid}/*/ rw,
 owner /tmp/atril-@{pid}/*/mimetype rw,
diff --git a/apparmor.d/profiles-a-f/conky b/apparmor.d/profiles-a-f/conky
index eae5f2a6..c412fb54 100644
--- a/apparmor.d/profiles-a-f/conky
+++ b/apparmor.d/profiles-a-f/conky
@@ -46,6 +46,7 @@ profile conky @{exec_path} {
 /{usr/,}bin/cat rix,
 /{usr/,}bin/wc rix,
 /{usr/,}bin/sed rix,
+ /{usr/,}bin/sleep rix,
 # For external IP address
 #/{usr/,}bin/dig rix,
diff --git a/apparmor.d/profiles-a-f/ffplay b/apparmor.d/profiles-a-f/ffplay
index 9305b255..1f51d4f7 100644
--- a/apparmor.d/profiles-a-f/ffplay
+++ b/apparmor.d/profiles-a-f/ffplay
@@ -43,9 +43,15 @@ profile ffplay @{exec_path} {
 include
 include
 include
+ include
 include
 include
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+
 @{exec_path} mr,
 # Which media files ffplay should be able to open
diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim
index 1bca6d89..8fe3789b 100644
--- a/apparmor.d/profiles-g-l/gajim
+++ b/apparmor.d/profiles-g-l/gajim
@@ -98,7 +98,7 @@ profile gajim @{exec_path} {
 # Silencer
 deny /usr/share/gajim/** w,
-
+ deny /usr/lib/python3/dist-packages/** w,
 profile ccache {
 include
@@ -117,6 +117,8 @@ profile gajim @{exec_path} {
 /media/ccache/*/** rw,
+ owner @{run}/user/@{uid}/ccache-tmp/ rw,
+
 /etc/debian_version r,
 }
diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted
index c90ef474..9201def6 100644
--- a/apparmor.d/profiles-g-l/gparted
+++ b/apparmor.d/profiles-g-l/gparted
@@ -15,6 +15,7 @@ profile gparted @{exec_path} {
 /{usr/,}{s,}bin/ r,
 /{usr/,}{s,}bin/gpartedbin rPx,
+ @{libexec}/gpartedbin rPx,
 /{usr/,}bin/ r,
 /{usr/,}bin/{,e}grep rix,
diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin
index 2a83e894..6db45327 100644
--- a/apparmor.d/profiles-g-l/gpartedbin
+++ b/apparmor.d/profiles-g-l/gpartedbin
@@ -7,6 +7,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}{s,}bin/gpartedbin
+@{exec_path} += @{libexec}/gpartedbin
 profile gpartedbin @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-g-l/i3lock b/apparmor.d/profiles-g-l/i3lock
index 7e67b755..be43f574 100644
--- a/apparmor.d/profiles-g-l/i3lock
+++ b/apparmor.d/profiles-g-l/i3lock
@@ -19,10 +19,12 @@ profile i3lock @{exec_path} {
 @{exec_path} mr,
- /usr/sbin/unix_chkpwd rPx,
+ /{usr/,}sbin/unix_chkpwd rPx,
 owner @{HOME}/.Xauthority r,
+ owner @{PROC}/@{pid}/fd/ r,
+
 # For background image.
 owner @{HOME}/*.png r,
 owner @{HOME}/*/*.png r,
diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs
index 164d445f..fc03477e 100644
--- a/apparmor.d/profiles-m-r/mkinitramfs
+++ b/apparmor.d/profiles-m-r/mkinitramfs
@@ -79,6 +79,7 @@ profile mkinitramfs @{exec_path} {
 /boot/ r,
 owner /boot/initrd.img-*.new rw,
+ owner /boot/config-* r,
 /var/tmp/ r,
 owner /var/tmp/mkinitramfs_*/ rw,
diff --git a/apparmor.d/profiles-m-r/mkvmerge b/apparmor.d/profiles-m-r/mkvmerge
index 6516468c..253e7b01 100644
--- a/apparmor.d/profiles-m-r/mkvmerge
+++ b/apparmor.d/profiles-m-r/mkvmerge
@@ -36,6 +36,7 @@ include
 @{mkvmerge_ext} += [sS][rR][tT]
 @{mkvmerge_ext} += [tT][xX][tT]
 @{mkvmerge_ext} += [sS][uU][bB]
+@{mkvmerge_ext} += [mM][kK][sS]
 @{exec_path} = /{usr/,}bin/mkvmerge
 profile mkvmerge @{exec_path} {
diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui
index faae0775..48d55c09 100644
--- a/apparmor.d/profiles-m-r/mkvtoolnix-gui
+++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui
@@ -36,6 +36,7 @@ include
 @{mkvtoolnix_ext} += [sS][rR][tT]
 @{mkvtoolnix_ext} += [tT][xX][tT]
 @{mkvtoolnix_ext} += [sS][uU][bB]
+@{mkvtoolnix_ext} += [mM][kK][sS]
 @{exec_path} = /{usr/,}bin/mkvtoolnix-gui
 profile mkvtoolnix-gui @{exec_path} {
diff --git a/apparmor.d/profiles-m-r/mtr b/apparmor.d/profiles-m-r/mtr
new file mode 100644
index 00000000..1cfbfa6e
--- /dev/null
+++ b/apparmor.d/profiles-m-r/mtr
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/mtr
+profile mtr @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+
+ signal (send) set=(term, kill) peer=mtr-packet,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/mtr-packet rPx,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-m-r/mtr-packet b/apparmor.d/profiles-m-r/mtr-packet
new file mode 100644
index 00000000..9c1ccb38
--- /dev/null
+++ b/apparmor.d/profiles-m-r/mtr-packet
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/mtr-packet
+profile mtr-packet @{exec_path} {
+ include
+
+ capability net_raw,
+
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+ network inet raw,
+ network inet6 raw,
+
+ signal (receive) set=(kill, term) peer=mtr,
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives
index f72127ef..ef7a31f1 100644
--- a/apparmor.d/profiles-s-z/update-alternatives
+++ b/apparmor.d/profiles-s-z/update-alternatives
@@ -28,5 +28,7 @@ profile update-alternatives @{exec_path} {
 /usr/** rw,
+ /lib/firmware/* rw,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/uscan b/apparmor.d/profiles-s-z/uscan
index 6d5e26f5..78e3ef26 100644
--- a/apparmor.d/profiles-s-z/uscan
+++ b/apparmor.d/profiles-s-z/uscan
@@ -28,10 +28,13 @@ profile uscan @{exec_path} {
 /{usr/,}bin/pwd rix,
 /{usr/,}bin/find rix,
 /{usr/,}bin/file rix,
+ /{usr/,}bin/getconf rix,
 /{usr/,}bin/tar rix,
 /{usr/,}bin/gzip rix,
 /{usr/,}bin/bzip2 rix,
+ /{usr/,}bin/gunzip rix,
+ /{usr/,}bin/xz rix,
 /{usr/,}bin/uupdate rPUx,
diff --git a/apparmor.d/profiles-s-z/vsftpd b/apparmor.d/profiles-s-z/vsftpd
index d549f7bf..06c40fdd 100644
--- a/apparmor.d/profiles-s-z/vsftpd
+++ b/apparmor.d/profiles-s-z/vsftpd
@@ -15,6 +15,9 @@ profile vsftpd @{exec_path} {
 # Only for local users authentication
 include
+ # For libwrap (TCP Wrapper) support (tcp_wrappers=YES)
+ include
+
 # To be able to listen on ports < 1024
 capability net_bind_service,
@@ -48,9 +51,6 @@ profile vsftpd @{exec_path} {
 # List of users disallowed FTP access
 /etc/ftpusers r,
- # For libwrap (TCP Wrapper) support (tcp_wrappers=YES)
- /etc/hosts.{allow,deny} r,
-
 # vsftpd config files
 /etc/vsftpd.conf r,
 /etc/vsftpd/**/ r,
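Review bot: The new mtr-packet profile grants `capability net_raw,` together with `network inet raw,` and `network inet6 raw,` but carries no comment explaining that mtr-packet is the privileged probe helper, which is presumably why the raw-socket rights live here rather than in the mtr profile of the preceding hunk; a comment above `capability net_raw,` such as `# mtr-packet is the privileged helper that sends the probe packets; net_raw is required for its raw sockets` would record that split for later readers. `network inet stream,` and `network inet6 stream,` are also granted; if they serve mtr's TCP probe mode (inferred, not shown here), a short comment next to them would stop a later cleanup from removing them. The `signal (receive) set=(kill, term) peer=mtr,` rule pairs consistently with `signal (send) set=(term, kill) peer=mtr-packet,` in the mtr profile.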
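Review bot: In the update-alternatives hunk, `/lib/firmware/* rw,` gives update-alternatives write access to every top-level file under /lib/firmware without saying which alternative needs it; a why-comment such as `# For alternatives that point into /lib/firmware (e.g. regulatory.db — TODO confirm)` above the rule, and a glob narrowed to that file if it is the only case, would keep the grant reviewable. On merged-/usr systems this path should already resolve under the `/usr/** rw,` context line above it, so the new rule only matters where /lib is a separate directory. The update-alternatives profile starts before the hunk.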
diff --git a/apparmor.d/profiles-s-z/yt-dlp b/apparmor.d/profiles-s-z/yt-dlp
index 43e6294a..a1e34ac7 100644
--- a/apparmor.d/profiles-s-z/yt-dlp
+++ b/apparmor.d/profiles-s-z/yt-dlp
@@ -65,7 +65,7 @@ profile yt-dlp @{exec_path} {
 # Which files yt-dlp should be able to open
 owner /media/**/ r,
- owner /media/**.@{ytdlp_ext} rw,
+ owner /media/**.@{ytdlp_ext} rwk,
 owner @{HOME}/.cache/ rw,
 owner @{HOME}/.cache/yt-dlp/ rw,