mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-15 07:54:17 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat(opensuse): desktop integration.

Browse Source
This commit is contained in:
Alexandre Pujol 2023-02-04 23:43:18 +00:00
parent ff76602843
commit 35fcb6fc71
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
16 changed files with 75 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apparmor.d/abstractions/gnome.d/complete
View File

@ -3,3 +3,5 @@
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
include <abstractions/gtk> include <abstractions/gtk>
/var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,

4
apparmor.d/abstractions/nameservice-strict
View File

@ -16,6 +16,10 @@
@{etc_ro}/resolv.conf r, @{etc_ro}/resolv.conf r,
@{etc_ro}/services r, @{etc_ro}/services r,
/var/lib/nscd/group r,
/var/lib/nscd/passwd r,
@{run}/nscd/db* r,
@{run}/systemd/resolve/stub-resolv.conf r, @{run}/systemd/resolve/stub-resolv.conf r,
# NSS records from systemd-userdbd.service # NSS records from systemd-userdbd.service

3
apparmor.d/groups/freedesktop/accounts-daemon
View File

@ -57,11 +57,12 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
/etc/default/locale r, /etc/default/locale r,
/etc/gdm{3,}/ r, /etc/gdm{3,}/ r,
/etc/gdm{3,}/daemon.conf{,.??????} rw,
/etc/gdm{3,}/custom.conf{,.??????} rw, /etc/gdm{3,}/custom.conf{,.??????} rw,
/etc/gdm{3,}/daemon.conf{,.??????} rw,
/etc/machine-id r, /etc/machine-id r,
/etc/shadow r, /etc/shadow r,
/etc/shells r, /etc/shells r,
/etc/sysconfig/displaymanager r,
owner /var/lib/AccountsService/ r, owner /var/lib/AccountsService/ r,
owner /var/lib/AccountsService/** rw, owner /var/lib/AccountsService/** rw,

5
apparmor.d/groups/freedesktop/at-spi-bus-launcher
View File

@ -21,8 +21,11 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
unix (send, receive, connect) type=stream peer=(addr=@/tmp/.X11-unix/*, label=xorg), unix (send, receive, connect) type=stream peer=(addr=@/tmp/.X11-unix/*, label=xorg),
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network inet dgram,
network inet6 dgram,
network netlink raw,
@{exec_path} mr, @{exec_path} mr,

3
apparmor.d/groups/freedesktop/colord
View File

@ -7,8 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/colord/colord @{exec_path} = @{libexec}/{,colord/}colord
@{exec_path} += @{libexec}/colord
profile colord @{exec_path} flags=(attach_disconnected) { profile colord @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>

4
apparmor.d/groups/freedesktop/colord-session
View File

@ -1,13 +1,13 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov # Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/colord/colord-session @{exec_path} = @{libexec}/{,colord/}colord-session
@{exec_path} += @{libexec}/colord-session
profile colord-session @{exec_path} flags=(complain) { profile colord-session @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>

9
apparmor.d/groups/freedesktop/plymouthd
View File

@ -20,12 +20,15 @@ profile plymouthd @{exec_path} {
signal (send) peer=unconfined, signal (send) peer=unconfined,
ptrace (read) peer=plymouth,
unix type=stream addr="@/org/freedesktop/plymouthd", unix type=stream addr="@/org/freedesktop/plymouthd",
unix type=stream peer=(addr="@/org/freedesktop/plymouthd"), unix type=stream peer=(addr="@/org/freedesktop/plymouthd"),
@{exec_path} mr, @{exec_path} mr,
/usr/share/plymouth/{,**} r, /usr/share/plymouth/{,**} r,
/usr/share/pixmaps/distribution-logos/* r,
/etc/default/keyboard r, /etc/default/keyboard r,
/etc/plymouth/plymouthd.conf r, /etc/plymouth/plymouthd.conf r,
@ -43,13 +46,17 @@ profile plymouthd @{exec_path} {
@{sys}/class/ r, @{sys}/class/ r,
@{sys}/class/drm/ r, @{sys}/class/drm/ r,
@{sys}/class/graphics/ r, @{sys}/class/graphics/ r,
@{sys}/devices/pci[0-9]*/**/{,uevent,vendor.device} r,
@{sys}/devices/pci[0-9]*/**/{,uevent} r, @{sys}/devices/pci[0-9]*/**/{,uevent} r,
@{sys}/devices/virtual/graphics/fbcon/uevent r, @{sys}/devices/virtual/graphics/fbcon/uevent r,
@{sys}/devices/virtual/tty/console/active r, @{sys}/devices/virtual/tty/console/active r,
@{sys}/firmware/acpi/bgrt/{,*} r, @{sys}/firmware/acpi/bgrt/{,*} r,
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/1/cmdline r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/stat r,
/dev/ptmx rw, /dev/ptmx rw,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,

5
apparmor.d/groups/freedesktop/polkitd
View File

@ -41,6 +41,7 @@ profile polkitd @{exec_path} {
/etc/polkit-1/rules.d/[0-9][0-9]-*.rules r, /etc/polkit-1/rules.d/[0-9][0-9]-*.rules r,
/etc/polkit-1/localauthority/{,**} r, /etc/polkit-1/localauthority/{,**} r,
/etc/polkit-1/localauthority.conf.d/{,**} r, /etc/polkit-1/localauthority.conf.d/{,**} r,
/etc/polkit-1/actions/{,*.policy} r,
# Vendor rules # Vendor rules
/usr/share/polkit-1/rules.d/ r, /usr/share/polkit-1/rules.d/ r,
@ -51,8 +52,8 @@ profile polkitd @{exec_path} {
/usr/share/polkit-1/actions/*.policy r, /usr/share/polkit-1/actions/*.policy r,
/usr/share/polkit-1/actions/*.policy.choice r, /usr/share/polkit-1/actions/*.policy.choice r,
owner /var/lib/polkit-1/.cache/ rw, owner /var/lib/polkit{,-1}/.cache/ rw,
/var/lib/polkit-1/localauthority/{,**} r, /var/lib/polkit{,-1}/localauthority/{,**} r,
@{run}/systemd/sessions/* r, @{run}/systemd/sessions/* r,
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,

1
apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
View File

@ -121,6 +121,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
/etc/gnome/defaults.list r, /etc/gnome/defaults.list r,
/var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
/var/lib/snapd/desktop/icons/{,**} r, /var/lib/snapd/desktop/icons/{,**} r,
owner @{HOME}/*/{,**} rw, owner @{HOME}/*/{,**} rw,

2
apparmor.d/groups/freedesktop/xdg-icon-resource
View File

@ -25,7 +25,7 @@ profile xdg-icon-resource @{exec_path} flags=(complain) {
/{usr/,}bin/readlink rix, /{usr/,}bin/readlink rix,
/{usr/,}bin/touch rix, /{usr/,}bin/touch rix,
/{usr/,}bin/gtk-update-icon-cache rPx, /{usr/,}bin/gtk{,4}-update-icon-cache rPx,
/usr/share/**/icons/**.png r, /usr/share/**/icons/**.png r,
/usr/share/icons/**.png rw, /usr/share/icons/**.png rw,

5
apparmor.d/groups/freedesktop/xorg
View File

@ -66,8 +66,9 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
/var/lib/xkb/server-[0-9]*.xkm rw, /var/lib/xkb/server-[0-9]*.xkm rw,
/usr/share/egl/{,**} rw, /usr/share/egl/{,**} rw,
/usr/share/libinput/ r, /usr/share/libinput*/ r,
/usr/share/libinput/[0-9][0-9]-*.quirks r, /usr/share/libinput*/{,**/}[0-9][0-9]-*.quirks r,
/usr/share/libinput*/libinput/ r,
/etc/X11/{,**} r, /etc/X11/{,**} r,

5
apparmor.d/groups/freedesktop/xwayland
View File

@ -13,7 +13,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/opencl-nvidia> include <abstractions/opencl>
include <abstractions/vulkan> include <abstractions/vulkan>
signal (receive) set=(term hup) peer=gdm*, signal (receive) set=(term hup) peer=gdm*,
@ -28,7 +28,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/xkbcomp rPx, /{usr/,}bin/xkbcomp rPx,
/usr/share/egl/{,**} r, /usr/share/egl/{,**} r,
/usr/share/fonts/X11/{,**} r, /usr/share/fonts/{,**} r,
/usr/share/ghostscript/fonts/{,**} r,
/usr/share/libdrm/*.ids r, /usr/share/libdrm/*.ids r,
/usr/share/X11/xkb/rules/evdev r, /usr/share/X11/xkb/rules/evdev r,

1
apparmor.d/groups/network/ModemManager
View File

@ -12,6 +12,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
network qipcrtr dgram,
network netlink raw, network netlink raw,
dbus send bus=system path=/org/freedesktop/DBus dbus send bus=system path=/org/freedesktop/DBus

9
apparmor.d/groups/network/NetworkManager
View File

@ -119,18 +119,19 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
@{sys}/bus/ r, @{sys}/bus/ r,
@{sys}/class/ r, @{sys}/class/ r,
@{sys}/class/rfkill/ r,
@{sys}/class/net/ r, @{sys}/class/net/ r,
@{sys}/class/net/rfkill/ r, @{sys}/class/net/rfkill/ r,
@{sys}/class/rfkill/ r,
@{run}/network/ifstate r, @{run}/network/ifstate r,
@{run}/NetworkManager/{,**} rw, @{run}/NetworkManager/{,**} rw,
@{run}/nscd/db* rwl,
@{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,
@{run}/udev/data/n[0-9]* r,
@{run}/udev/data/+rfkill:* r,
@{run}/udev/data/+platform* r,
@{run}/udev/data/+pci* r, @{run}/udev/data/+pci* r,
@{run}/udev/data/+platform* r,
@{run}/udev/data/+rfkill:* r,
@{run}/udev/data/n[0-9]* r,
@{sys}/devices/**/uevent r, @{sys}/devices/**/uevent r,
@{sys}/devices/virtual/net/{,**} r, @{sys}/devices/virtual/net/{,**} r,

20
apparmor.d/groups/network/nm-daemon-helper Normal file
View File

@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/nm-daemon-helper
profile nm-daemon-helper @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
network inet dgram,
network inet6 dgram,
@{exec_path} mr,
include if exists <local/nm-daemon-helper>
}

17
apparmor.d/groups/network/nm-dispatcher
View File

@ -27,24 +27,37 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/chronyc rPUx,
/{usr/,}bin/date rix, /{usr/,}bin/date rix,
/{usr/,}bin/gawk rix, /{usr/,}bin/gawk rix,
/{usr/,}bin/grep rix, /{usr/,}bin/grep rix,
/{usr/,}bin/id rix, /{usr/,}bin/id rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mktemp rix, /{usr/,}bin/mktemp rix,
/{usr/,}bin/nmcli rix, /{usr/,}bin/nmcli rix,
/{usr/,}bin/readlink rix, /{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/run-parts rPx, /{usr/,}bin/run-parts rPx,
/{usr/,}bin/sed rix,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/systemd-cat rPx,
/{usr/,}bin/tr rix,
/usr/share/tlp/tlp-readconfs rPUx, /usr/share/tlp/tlp-readconfs rPUx,
/usr/share/tlp/{,**} rw, /{usr/,}lib/NetworkManager/dispatcher.d/ r,
/{usr/,}lib/NetworkManager/dispatcher.d/* rix,
/etc/NetworkManager/dispatcher.d/ r, /etc/NetworkManager/dispatcher.d/ r,
/etc/NetworkManager/dispatcher.d/** rix, /etc/NetworkManager/dispatcher.d/** rix,
/usr/share/tlp/{,**} rw,
/etc/sysconfig/network/config r,
/etc/fstab r,
@{run}/systemd/notify rw, @{run}/systemd/notify rw,
@{run}/tlp/{,*} rw, @{run}/tlp/{,*} rw,
@{run}/chrony-dhcp/ rw,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,