feat(tunable): add the new version variable.
This commit is contained in:
parent
a93400280e
commit
35dcde9d90
13 changed files with 25 additions and 19 deletions
|
@ -14,7 +14,7 @@ include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = @{bin}/gio
|
@{exec_path} = @{bin}/gio
|
||||||
@{exec_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop
|
@{exec_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop
|
||||||
@{exec_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop
|
@{exec_path} += @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop
|
||||||
profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
|
profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/app-launcher-user>
|
include <abstractions/app-launcher-user>
|
||||||
|
|
|
@ -59,8 +59,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
||||||
@{lib}/gnome-session-check-accelerated-gles-helper rix,
|
@{lib}/gnome-session-check-accelerated-gles-helper rix,
|
||||||
@{lib}/gnome-session-failed rix,
|
@{lib}/gnome-session-failed rix,
|
||||||
|
|
||||||
@{lib}/gio-launch-desktop rCx -> open,
|
@{lib}/gio-launch-desktop rCx -> open,
|
||||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
|
@{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open,
|
||||||
|
|
||||||
/usr/share/dconf/profile/gdm r,
|
/usr/share/dconf/profile/gdm r,
|
||||||
/usr/share/gdm/greeter-dconf-defaults r,
|
/usr/share/gdm/greeter-dconf-defaults r,
|
||||||
|
@ -112,7 +112,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
@{bin}/env rix,
|
@{bin}/env rix,
|
||||||
@{sh_path} r,
|
@{sh_path} r,
|
||||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
|
@{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr,
|
||||||
@{lib}/gio-launch-desktop mr,
|
@{lib}/gio-launch-desktop mr,
|
||||||
|
|
||||||
@{lib}/** PUx,
|
@{lib}/** PUx,
|
||||||
|
|
|
@ -184,9 +184,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
@{lib}/mutter-x11-frames rPx,
|
@{lib}/mutter-x11-frames rPx,
|
||||||
#aa:exec polkit-agent-helper
|
#aa:exec polkit-agent-helper
|
||||||
|
|
||||||
@{sh_path} rCx -> shell,
|
@{sh_path} rCx -> shell,
|
||||||
@{lib}/gio-launch-desktop rCx -> open,
|
@{lib}/gio-launch-desktop rCx -> open,
|
||||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
|
@{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open,
|
||||||
|
|
||||||
# nm-openvpn-auth-dialog
|
# nm-openvpn-auth-dialog
|
||||||
@{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx,
|
@{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx,
|
||||||
|
@ -409,7 +409,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
network inet stream,
|
network inet stream,
|
||||||
network unix stream,
|
network unix stream,
|
||||||
|
|
||||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
|
@{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr,
|
||||||
@{lib}/gio-launch-desktop mr,
|
@{lib}/gio-launch-desktop mr,
|
||||||
|
|
||||||
@{lib}/** PUx,
|
@{lib}/** PUx,
|
||||||
|
|
|
@ -20,7 +20,7 @@ profile xfce-panel @{exec_path} {
|
||||||
@{bin}/exo-open rix,
|
@{bin}/exo-open rix,
|
||||||
@{bin}/xfce4-mime-helper rix,
|
@{bin}/xfce4-mime-helper rix,
|
||||||
@{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 rix,
|
@{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 rix,
|
||||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rix,
|
@{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rix,
|
||||||
@{lib}/gio-launch-desktop rix,
|
@{lib}/gio-launch-desktop rix,
|
||||||
|
|
||||||
@{bin}/sudo rCx -> root,
|
@{bin}/sudo rCx -> root,
|
||||||
|
|
|
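Review bot: `@{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rix,` keeps the launcher running inside xfce-panel's own profile by inheritance, while the same binary gets a dedicated gio-launch-desktop profile in this commit and is reached through `rCx -> open` or `rPx` from the other profiles touched here. The path narrowing itself is fine; if inheritance is not actually needed, `rPx` on this line and on `@{lib}/gio-launch-desktop` would apply the dedicated profile and stop launched applications from inheriting the panel's rules. That may require transitions the panel profile does not yet have, so it is a follow-up rather than a blocker. profile xfce-panel continues outside the hunk.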
@ -19,10 +19,10 @@ profile exo-open @{exec_path} {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{lib}/@{multiarch}/xfce4/exo-[0-9]/exo-helper-[0-9] rPx,
|
@{lib}/@{multiarch}/xfce4/exo-@{version}/exo-helper-@{version} rPx,
|
||||||
|
|
||||||
# It looks like gio-launch-desktop decides what app should be opened
|
# It looks like gio-launch-desktop decides what app should be opened
|
||||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx,
|
@{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rPx,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
|
||||||
|
|
|
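Review bot: The `exo-@{version}/exo-helper-@{version} rPx` rule widens the match instead of narrowing it, unlike the glib rules in this commit: `[0-9]` admitted exactly one digit, while `@{version}` admits up to ten digits, two further dotted components and an alphanumeric `-` suffix on both the directory and the helper name. For a `Px` transition into a confined helper that is probably harmless, but if the intent is only to follow exo's numeric API suffix (a single digit, as far as the old rule shows), `@{lib}/@{multiarch}/xfce4/exo-@{int}/exo-helper-@{int} rPx,` is the closer replacement. The `gio-launch-desktop rPx` change below it is the usual `[0-9]*` narrowing. profile exo-open continues outside the hunk.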
@ -63,7 +63,7 @@ profile gsmartcontrol @{exec_path} {
|
||||||
# The Help menu (and links in it) requires access to a web browser. Since gsmartcontrol is run as
|
# The Help menu (and links in it) requires access to a web browser. Since gsmartcontrol is run as
|
||||||
# root (even when used sudo or gsmartcontrol-root), the web browser will also be run as root and
|
# root (even when used sudo or gsmartcontrol-root), the web browser will also be run as root and
|
||||||
# hence this behavior should be blocked.
|
# hence this behavior should be blocked.
|
||||||
deny @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rx,
|
deny @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rx,
|
||||||
|
|
||||||
|
|
||||||
profile dbus {
|
profile dbus {
|
||||||
|
|
|
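Review bot: Narrowing a `deny` rule loosens the profile, the opposite of what the same edit does to the allow rules elsewhere in this commit: `deny @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rx,` no longer covers names the old `glib-[0-9]*` glob caught, such as a fourth version component or a non-version suffix. Whether that matters depends on whether a broader allow, for example an `@{lib}/**` exec rule, exists in this profile outside the hunk; the comment above the rule says the launcher must be blocked because it would start a browser as root, so the deny should cover at least every path such an allow could reach. If no overlapping allow exists, the change is a matter of consistency only. The rest of profile gsmartcontrol is outside the hunk.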
@ -40,8 +40,8 @@ profile gtk-youtube-viewer @{exec_path} {
|
||||||
|
|
||||||
@{lib}/firefox/firefox rPx,
|
@{lib}/firefox/firefox rPx,
|
||||||
|
|
||||||
@{bin}/xdg-open rCx -> open,
|
@{bin}/xdg-open rCx -> open,
|
||||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
|
@{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open,
|
||||||
|
|
||||||
owner @{user_config_dirs}/youtube-viewer/{,*} rw,
|
owner @{user_config_dirs}/youtube-viewer/{,*} rw,
|
||||||
|
|
||||||
|
|
|
@ -95,7 +95,7 @@ profile jdownloader @{exec_path} {
|
||||||
|
|
||||||
# To open a web browser for CAPTCHA
|
# To open a web browser for CAPTCHA
|
||||||
@{bin}/xdg-open rCx -> open,
|
@{bin}/xdg-open rCx -> open,
|
||||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
|
@{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open,
|
||||||
|
|
||||||
|
|
||||||
profile open {
|
profile open {
|
||||||
|
@ -103,7 +103,7 @@ profile jdownloader @{exec_path} {
|
||||||
include <abstractions/xdg-open>
|
include <abstractions/xdg-open>
|
||||||
|
|
||||||
@{bin}/xdg-open mr,
|
@{bin}/xdg-open mr,
|
||||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
|
@{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr,
|
||||||
|
|
||||||
@{sh_path} rix,
|
@{sh_path} rix,
|
||||||
@{bin}/{m,g,}awk rix,
|
@{bin}/{m,g,}awk rix,
|
||||||
|
|
|
@ -23,7 +23,7 @@ profile orage @{exec_path} {
|
||||||
|
|
||||||
@{bin}/xdg-open rCx -> open,
|
@{bin}/xdg-open rCx -> open,
|
||||||
@{bin}/exo-open rCx -> open,
|
@{bin}/exo-open rCx -> open,
|
||||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
|
@{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open,
|
||||||
|
|
||||||
owner @{user_config_dirs}/orage/ rw,
|
owner @{user_config_dirs}/orage/ rw,
|
||||||
owner @{user_config_dirs}/orage/* rw,
|
owner @{user_config_dirs}/orage/* rw,
|
||||||
|
|
|
@ -33,7 +33,7 @@
|
||||||
# Open
|
# Open
|
||||||
@{open_path} = @{bin}/exo-open @{bin}/xdg-open @{bin}/gio @{bin}/kde-open
|
@{open_path} = @{bin}/exo-open @{bin}/xdg-open @{bin}/gio @{bin}/kde-open
|
||||||
@{open_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop
|
@{open_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop
|
||||||
@{open_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop
|
@{open_path} += @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop
|
||||||
|
|
||||||
# File explorers
|
# File explorers
|
||||||
@{file_explorers_path} = @{bin}/@{file_explorers_names}
|
@{file_explorers_path} = @{bin}/@{file_explorers_names}
|
||||||
|
|
|
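Review bot: The Variables References row for `@{open_path}` that this commit also edits does not match the definition here: as far as the hunk shows, the tunable is `@{bin}/exo-open @{bin}/xdg-open @{bin}/gio @{bin}/kde-open` plus `@{bin}/gio-launch-desktop @{lib}/gio-launch-desktop` plus the `glib-@{version}` path, while the docs row lists only exo-open, xdg-open and the two gio-launch-desktop paths. Either update the row to the full list or, as the neighbouring `@{coreutils}` and `@{*_path}` rows do, point it at tunables/multiarch.d/paths so it cannot drift again.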
@ -61,6 +61,9 @@
|
||||||
@{user}=[a-zA-Z_]{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}
|
@{user}=[a-zA-Z_]{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}
|
||||||
@{group}=@{user}
|
@{group}=@{user}
|
||||||
|
|
||||||
|
# Semantic version
|
||||||
|
@{version}=@{int}{.@{int},}{.@{int},}{-@{rand},}
|
||||||
|
|
||||||
# Shortcut for PCI device
|
# Shortcut for PCI device
|
||||||
@{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h}
|
@{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h}
|
||||||
@{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h}
|
@{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h}
|
||||||
|
|
|
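Review bot: `@{version}=@{int}{.@{int},}{.@{int},}{-@{rand},}` relies on `@{int}` and `@{rand}` being declared earlier in this file, which the hunk does not show; the Go side adds both `c` and `rand` to DefaultTunables in the same commit, so confirm the tunables file already declares them, since the parser rejects a reference to an undeclared variable at load time. The `# Semantic version` comment could say what the pattern accepts, e.g. `# Semantic version: one to three dotted numeric components, optional -<alnum> suffix (2.0, 2.78.1, 1.0-rc1)`. If the Variables References table does not get a `@{version}` row elsewhere in this commit, it needs one.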
@ -135,5 +135,5 @@ title: Variables References
|
||||||
| Shells path | `@{shells_path}` | `@{bin}/@{shells}` |
|
| Shells path | `@{shells_path}` | `@{bin}/@{shells}` |
|
||||||
| Coreutils programs that should not have dedicated profile | `@{coreutils}` | See [tunables/multiarch.d/paths](https://github.com/roddhjav/apparmor.d/blob/c2d88c9bffc626fcf7d9b15b42b50706afb29562/apparmor.d/tunables/multiarch.d/paths#L46) |
|
| Coreutils programs that should not have dedicated profile | `@{coreutils}` | See [tunables/multiarch.d/paths](https://github.com/roddhjav/apparmor.d/blob/c2d88c9bffc626fcf7d9b15b42b50706afb29562/apparmor.d/tunables/multiarch.d/paths#L46) |
|
||||||
| Coreutils paths | `@{coreutils_path}` | `@{bin}/@{coreutils}` |
|
| Coreutils paths | `@{coreutils_path}` | `@{bin}/@{coreutils}` |
|
||||||
| Launcher paths | `@{open_path}` | `@{bin}/exo-open @{bin}/xdg-open @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop @{lib}/gio-launch-desktop`
|
| Launcher paths | `@{open_path}` | `@{bin}/exo-open @{bin}/xdg-open @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop @{lib}/gio-launch-desktop`
|
||||||
| All browser paths | `@{*_path}` | See [tunables/multiarch.d/paths](https://github.com/roddhjav/apparmor.d/blob/c2d88c9bffc626fcf7d9b15b42b50706afb29562/apparmor.d/tunables/multiarch.d/paths#L11)
|
| All browser paths | `@{*_path}` | See [tunables/multiarch.d/paths](https://github.com/roddhjav/apparmor.d/blob/c2d88c9bffc626fcf7d9b15b42b50706afb29562/apparmor.d/tunables/multiarch.d/paths#L11)
|
||||||
|
|
|
@ -33,6 +33,7 @@ func DefaultTunables() *AppArmorProfileFile {
|
||||||
return &AppArmorProfileFile{
|
return &AppArmorProfileFile{
|
||||||
Preamble: Rules{
|
Preamble: Rules{
|
||||||
&Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true},
|
&Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true},
|
||||||
|
&Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true},
|
||||||
&Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true},
|
&Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true},
|
||||||
&Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true},
|
&Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true},
|
||||||
&Variable{Name: "int", Values: []string{"[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"}, Define: true},
|
&Variable{Name: "int", Values: []string{"[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"}, Define: true},
|
||||||
|
@ -40,11 +41,13 @@ func DefaultTunables() *AppArmorProfileFile {
|
||||||
&Variable{Name: "lib", Values: []string{"/{,usr/}lib{,exec,32,64}"}, Define: true},
|
&Variable{Name: "lib", Values: []string{"/{,usr/}lib{,exec,32,64}"}, Define: true},
|
||||||
&Variable{Name: "MOUNTS", Values: []string{"/media/*/", "/run/media/*/*/", "/mnt/*/"}, Define: true},
|
&Variable{Name: "MOUNTS", Values: []string{"/media/*/", "/run/media/*/*/", "/mnt/*/"}, Define: true},
|
||||||
&Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true},
|
&Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true},
|
||||||
|
&Variable{Name: "rand", Values: []string{"@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}"}, Define: true}, // Up to 10 characters
|
||||||
&Variable{Name: "run", Values: []string{"/run/", "/var/run/"}, Define: true},
|
&Variable{Name: "run", Values: []string{"/run/", "/var/run/"}, Define: true},
|
||||||
&Variable{Name: "uid", Values: []string{"{[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}"}, Define: true},
|
&Variable{Name: "uid", Values: []string{"{[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}"}, Define: true},
|
||||||
&Variable{Name: "user_cache_dirs", Values: []string{"/home/*/.cache"}, Define: true},
|
&Variable{Name: "user_cache_dirs", Values: []string{"/home/*/.cache"}, Define: true},
|
||||||
&Variable{Name: "user_config_dirs", Values: []string{"/home/*/.config"}, Define: true},
|
&Variable{Name: "user_config_dirs", Values: []string{"/home/*/.config"}, Define: true},
|
||||||
&Variable{Name: "user_share_dirs", Values: []string{"/home/*/.local/share"}, Define: true},
|
&Variable{Name: "user_share_dirs", Values: []string{"/home/*/.local/share"}, Define: true},
|
||||||
|
&Variable{Name: "version", Values: []string{"@{int}{.@{int},}{.@{int},}{-@{rand},}"}, Define: true},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
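Review bot: The new `version` entry has no comment while `rand` beside it explains its pattern; `&Variable{Name: "version", Values: []string{"@{int}{.@{int},}{.@{int},}{-@{rand},}"}, Define: true}, // Semantic version: 1-3 dotted @{int} components, optional -@{rand} suffix` would keep the two readable side by side and match the `# Semantic version` comment in the tunables hunk. `version` references `@{int}` and `@{rand}`, and `rand` references `@{c}`; the list is kept alphabetical, which here happens to coincide with dependency order, so if anything consumes these in slice order a one-line comment saying the order matters would keep a future alphabetical insertion from breaking it — I cannot tell from the hunk how DefaultTunables is resolved. The opening lines of DefaultTunables are above the hunk.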