feat(profiles): general update.
This commit is contained in:
parent
6756ca8138
commit
360230b2a5
@ -127,7 +127,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
|
|||||||
/var/crash/{,*.@{uid}.crash} rw,
|
/var/crash/{,*.@{uid}.crash} rw,
|
||||||
|
|
||||||
/var/lib/apt/extended_states{,.*} rw,
|
/var/lib/apt/extended_states{,.*} rw,
|
||||||
/var/lib/apt/lists/** rw,
|
/var/lib/apt/lists/{,**} rw,
|
||||||
/var/lib/apt/lists/lock rwk,
|
/var/lib/apt/lists/lock rwk,
|
||||||
/var/lib/apt/periodic/update-success-stamp rw,
|
/var/lib/apt/periodic/update-success-stamp rw,
|
||||||
/var/lib/dpkg/** r,
|
/var/lib/dpkg/** r,
|
||||||
|
@ -25,6 +25,8 @@ profile evolution-source-registry @{exec_path} {
|
|||||||
interface=org.freedesktop.DBus.Introspectable
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
peer=(name=:*, label=gnome-shell),
|
peer=(name=:*, label=gnome-shell),
|
||||||
|
|
||||||
|
dbus bind bus=session name=org.gnome.evolution.dataserver.Sources[0-9],
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
|
@ -31,14 +31,15 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
|||||||
signal (send) set=hup peer=at-spi*,
|
signal (send) set=hup peer=at-spi*,
|
||||||
signal (send) set=hup peer=dbus-daemon,
|
signal (send) set=hup peer=dbus-daemon,
|
||||||
signal (send) set=hup peer=dbus-run-session,
|
signal (send) set=hup peer=dbus-run-session,
|
||||||
|
signal (send) set=hup peer=dconf-service,
|
||||||
signal (send) set=hup peer=gjs-console,
|
signal (send) set=hup peer=gjs-console,
|
||||||
signal (send) set=hup peer=gnome-*,
|
signal (send) set=hup peer=gnome-*,
|
||||||
signal (send) set=hup peer=gsd-*,
|
signal (send) set=hup peer=gsd-*,
|
||||||
signal (send) set=hup peer=ibus-*,
|
signal (send) set=hup peer=ibus-*,
|
||||||
|
signal (send) set=hup peer=tracker-miner,
|
||||||
|
signal (send) set=hup peer=xdg-permission-store,
|
||||||
signal (send) set=hup peer=xorg,
|
signal (send) set=hup peer=xorg,
|
||||||
signal (send) set=hup peer=xwayland,
|
signal (send) set=hup peer=xwayland,
|
||||||
signal (send) set=hup peer=xdg-permission-store,
|
|
||||||
signal (send) set=hup peer=tracker-miner,
|
|
||||||
signal (send) set=term peer=gdm-*-session,
|
signal (send) set=term peer=gdm-*-session,
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
@ -39,6 +39,8 @@ profile gnome-extension-manager @{exec_path} {
|
|||||||
/usr/share/themes/{,**} r,
|
/usr/share/themes/{,**} r,
|
||||||
/usr/share/X11/xkb/{,**} r,
|
/usr/share/X11/xkb/{,**} r,
|
||||||
|
|
||||||
|
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
|
||||||
|
|
||||||
# Silencer
|
# Silencer
|
||||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||||
|
|
||||||
|
@ -143,6 +143,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{bin}/gsettings-data-convert rix,
|
@{bin}/gsettings-data-convert rix,
|
||||||
@{bin}/mkdir rix,
|
@{bin}/mkdir rix,
|
||||||
@{bin}/session-migration rix,
|
@{bin}/session-migration rix,
|
||||||
|
@{bin}/touch rix,
|
||||||
@{bin}/xdg-user-dirs-gtk-update rix,
|
@{bin}/xdg-user-dirs-gtk-update rix,
|
||||||
@{lib}/{,gnome-shell/}gnome-shell-overrides-migration.sh rix,
|
@{lib}/{,gnome-shell/}gnome-shell-overrides-migration.sh rix,
|
||||||
@{lib}/at-spi-bus-launcher rPx,
|
@{lib}/at-spi-bus-launcher rPx,
|
||||||
|
@ -11,14 +11,15 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
|
|||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/dbus-session-strict>
|
include <abstractions/dbus-session-strict>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
|
include <abstractions/deny-sensitive-home>
|
||||||
include <abstractions/disks-read>
|
include <abstractions/disks-read>
|
||||||
include <abstractions/fonts>
|
include <abstractions/fonts>
|
||||||
|
include <abstractions/freedesktop.org>
|
||||||
include <abstractions/gstreamer>
|
include <abstractions/gstreamer>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/opencl-nvidia>
|
include <abstractions/opencl-nvidia>
|
||||||
include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
include <abstractions/X-strict>
|
include <abstractions/X-strict>
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
@ -42,6 +42,9 @@ profile gvfsd-metadata @{exec_path} {
|
|||||||
|
|
||||||
/var/lib/gdm{3,}/.local/share/gvfs-metadata/{,*} rw,
|
/var/lib/gdm{3,}/.local/share/gvfs-metadata/{,*} rw,
|
||||||
|
|
||||||
|
owner @{HOME}/.local/ w,
|
||||||
|
|
||||||
|
owner @{user_share_dirs}/ w,
|
||||||
owner @{user_share_dirs}/gvfs-metadata/{,*} rw,
|
owner @{user_share_dirs}/gvfs-metadata/{,*} rw,
|
||||||
owner @{HOME}/.var/app/*/data/gvfs-metadata/{,*} rw,
|
owner @{HOME}/.var/app/*/data/gvfs-metadata/{,*} rw,
|
||||||
|
|
||||||
|
@ -17,10 +17,19 @@ profile drkonqi @{exec_path} {
|
|||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
signal send set=(cont, stop) peer=/usr/bin/akonadiserver,
|
||||||
|
|
||||||
|
ptrace read peer=/usr/bin/akonadiserver,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/usr/share/drkonqi/{,**} r,
|
/usr/share/drkonqi/{,**} r,
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||||
|
/usr/share/knotifications5/*.notifyrc r,
|
||||||
|
|
||||||
|
owner @{user_cache_dirs}/kcrash-metadata/* w,
|
||||||
|
|
||||||
|
owner /tmp/xauth_@{rand6} r,
|
||||||
|
|
||||||
@{run}/user/@{uid}/xauth_@{rand6} rl,
|
@{run}/user/@{uid}/xauth_@{rand6} rl,
|
||||||
|
|
||||||
|
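Review bot: The new `signal send set=(cont, stop) peer=/usr/bin/akonadiserver,` and `ptrace read peer=/usr/bin/akonadiserver,` rules name the peer by path, while every other peer condition in this commit uses a profile label (`peer=pinentry-qt`, `peer=virtqemud`, `peer=unconfined`). A peer condition matches the label of the confining profile, so if akonadiserver is confined by a named profile in this set the label is that profile name, and if it runs unconfined the label is `unconfined`; the path form only matches a profile whose name is literally that path. Worth confirming which case applies, and adding a one-line comment on why drkonqi must stop/continue and read akonadiserver (presumably crash handling). The profile body starts and ends outside the hunk.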
@ -16,18 +16,29 @@ profile kactivitymanagerd @{exec_path} {
|
|||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
/etc/xdg/menus/{,*/} r,
|
||||||
/usr/share/hwdata/*.ids r,
|
/usr/share/hwdata/*.ids r,
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||||
|
/usr/share/kservices5/{,**} r,
|
||||||
|
|
||||||
/etc/xdg/kdeglobals r,
|
/etc/xdg/kdeglobals r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
|
||||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
|
||||||
|
|
||||||
|
owner @{user_cache_dirs}/ksycoca5_* r,
|
||||||
|
|
||||||
owner @{user_config_dirs}/kactivitymanagerdrc r,
|
owner @{user_config_dirs}/kactivitymanagerdrc r,
|
||||||
owner @{user_config_dirs}/kactivitymanagerdrc.lock rwk,
|
owner @{user_config_dirs}/kactivitymanagerdrc.lock rwk,
|
||||||
|
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
||||||
|
owner @{user_config_dirs}/kdeglobals r,
|
||||||
|
owner @{user_config_dirs}/menus/ r,
|
||||||
|
owner @{user_config_dirs}/menus/applications-merged/ r,
|
||||||
|
|
||||||
owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk,
|
owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk,
|
||||||
|
owner @{user_share_dirs}/kservices5/{,**} r,
|
||||||
|
owner @{user_share_dirs}/RecentDocuments/ r,
|
||||||
owner @{user_share_dirs}/RecentDocuments/*.desktop w,
|
owner @{user_share_dirs}/RecentDocuments/*.desktop w,
|
||||||
|
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
|
@ -45,6 +45,9 @@ profile kcminit @{exec_path} {
|
|||||||
owner /tmp/kcminit.@{rand6} rwl,
|
owner /tmp/kcminit.@{rand6} rwl,
|
||||||
owner /tmp/#@{int} rw,
|
owner /tmp/#@{int} rw,
|
||||||
|
|
||||||
|
owner /tmp/.touchpaddefaults wl,
|
||||||
|
owner /tmp/.touchpaddefaults.lock rwk,
|
||||||
|
|
||||||
@{run}/user/@{uid}/xauth_@{rand6} rl,
|
@{run}/user/@{uid}/xauth_@{rand6} rl,
|
||||||
|
|
||||||
@{PROC}/sys/kernel/random/boot_id r,
|
@{PROC}/sys/kernel/random/boot_id r,
|
||||||
|
@ -104,6 +104,7 @@ profile kded5 @{exec_path} {
|
|||||||
owner @{user_share_dirs}/kcookiejar/cookies.@{rand6} rwlk,
|
owner @{user_share_dirs}/kcookiejar/cookies.@{rand6} rwlk,
|
||||||
owner @{user_share_dirs}/kded5/{,**} rw,
|
owner @{user_share_dirs}/kded5/{,**} rw,
|
||||||
owner @{user_share_dirs}/kscreen/{,**} rwl,
|
owner @{user_share_dirs}/kscreen/{,**} rwl,
|
||||||
|
owner @{user_share_dirs}/kservices5/{,**} r,
|
||||||
owner @{user_share_dirs}/ktp/cache.db rwk,
|
owner @{user_share_dirs}/ktp/cache.db rwk,
|
||||||
owner @{user_share_dirs}/remoteview/ r,
|
owner @{user_share_dirs}/remoteview/ r,
|
||||||
owner @{user_share_dirs}/services5/{,**} r,
|
owner @{user_share_dirs}/services5/{,**} r,
|
||||||
|
@ -46,12 +46,15 @@ profile kioslave5 @{exec_path} {
|
|||||||
/etc/xdg/kwinrc r,
|
/etc/xdg/kwinrc r,
|
||||||
/etc/xdg/menus/{,**} r,
|
/etc/xdg/menus/{,**} r,
|
||||||
|
|
||||||
|
owner @{MOUNTDIRS}/** r,
|
||||||
|
|
||||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
|
owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
|
||||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/.directory r,
|
owner @{HOME}/@{XDG_DESKTOP_DIR}/.directory r,
|
||||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
|
owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/ksycoca5_* r,
|
owner @{user_cache_dirs}/ksycoca5_* r,
|
||||||
owner @{user_cache_dirs}/thumbnails/*/ r,
|
owner @{user_cache_dirs}/thumbnails/*/ r,
|
||||||
|
owner @{user_cache_dirs}/kio_http/* rwl,
|
||||||
|
|
||||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
||||||
owner @{user_config_dirs}/kdedefaults/kwinrc r,
|
owner @{user_config_dirs}/kdedefaults/kwinrc r,
|
||||||
@ -61,6 +64,7 @@ profile kioslave5 @{exec_path} {
|
|||||||
owner @{user_share_dirs}/baloo/index-lock rwk,
|
owner @{user_share_dirs}/baloo/index-lock rwk,
|
||||||
owner @{user_share_dirs}/baloo/index rw,
|
owner @{user_share_dirs}/baloo/index rw,
|
||||||
|
|
||||||
|
@{run}/mount/utab r,
|
||||||
owner @{run}/user/@{uid}/#@{int} rw,
|
owner @{run}/user/@{uid}/#@{int} rw,
|
||||||
owner @{run}/user/@{uid}/kio_desktop*kioworker.socket rwl,
|
owner @{run}/user/@{uid}/kio_desktop*kioworker.socket rwl,
|
||||||
owner @{run}/user/@{uid}/xauth_@{rand6} rl,
|
owner @{run}/user/@{uid}/xauth_@{rand6} rl,
|
||||||
|
@ -29,10 +29,14 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||||||
include <abstractions/vulkan>
|
include <abstractions/vulkan>
|
||||||
include <abstractions/X-strict>
|
include <abstractions/X-strict>
|
||||||
|
|
||||||
|
network inet dgram,
|
||||||
|
network inet6 dgram,
|
||||||
network inet stream,
|
network inet stream,
|
||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
ptrace read peer=pinentry-qt,
|
||||||
|
|
||||||
signal (send),
|
signal (send),
|
||||||
|
|
||||||
dbus (send,receive) bus=system path=/org/freedesktop/UPower/devices/{,DisplayDevice,battery_BAT[0-9]*,mouse_hidpp_battery_[0-9]*}
|
dbus (send,receive) bus=system path=/org/freedesktop/UPower/devices/{,DisplayDevice,battery_BAT[0-9]*,mouse_hidpp_battery_[0-9]*}
|
||||||
@ -145,6 +149,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||||||
owner @{user_share_dirs}/plasma/plasmoids/{,**} r,
|
owner @{user_share_dirs}/plasma/plasmoids/{,**} r,
|
||||||
owner @{user_share_dirs}/user-places.xbel r,
|
owner @{user_share_dirs}/user-places.xbel r,
|
||||||
|
|
||||||
|
@{run}/mount/utab r,
|
||||||
@{run}/user/@{uid}/gvfs/ r,
|
@{run}/user/@{uid}/gvfs/ r,
|
||||||
owner @{run}/user/@{uid}/#@{int} rw,
|
owner @{run}/user/@{uid}/#@{int} rw,
|
||||||
owner @{run}/user/@{uid}/kdesud_:1 w,
|
owner @{run}/user/@{uid}/kdesud_:1 w,
|
||||||
|
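Review bot: `ptrace read peer=pinentry-qt,` gives plasmashell read-level access to the passphrase prompt's process information (its /proc/<pid> entries such as cmdline, environ and status) and the hunk records no reason; a why-comment such as `# window-to-process mapping of the pinentry dialog — TODO confirm` would keep it reviewable. As far as I recall `read` does not cover attach or /proc/<pid>/mem, so the exposure is process metadata rather than the passphrase itself, but pinentry-qt is sensitive enough that the rationale belongs in the profile. The new `network inet dgram,` and `network inet6 dgram,` lines likewise widen plasmashell's network access without a comment. The profile body continues outside the hunk.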
@ -87,6 +87,8 @@ profile xdm-xsession @{exec_path} {
|
|||||||
owner /tmp/ssh-*/ rw,
|
owner /tmp/ssh-*/ rw,
|
||||||
owner /tmp/ssh-*/agent.* rw,
|
owner /tmp/ssh-*/agent.* rw,
|
||||||
|
|
||||||
|
@{PROC}/@{pids}/stat r,
|
||||||
|
@{PROC}/@{pids}/statm r,
|
||||||
owner @{PROC}/@{pid}/cmdline r,
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
|
||||||
|
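Review bot: `@{PROC}/@{pids}/stat r,` and `@{PROC}/@{pids}/statm r,` allow reading those entries for every process on the system, whereas the adjacent `owner @{PROC}/@{pid}/cmdline r,` and `owner @{PROC}/@{pid}/fd/ r,` rules are owner-scoped. If the session script only inspects processes it started (plausibly the ssh-agent covered by the `/tmp/ssh-*/agent.*` rules above), `owner @{PROC}/@{pid}/stat r,` and `owner @{PROC}/@{pid}/statm r,` would follow the existing pattern; if system-wide pids are genuinely needed, a short comment saying why would help. The enclosing profile starts and ends outside the hunk.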
@ -118,7 +118,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
|
|||||||
/etc/iproute2/group r,
|
/etc/iproute2/group r,
|
||||||
/etc/iproute2/rt_tables.d/ r,
|
/etc/iproute2/rt_tables.d/ r,
|
||||||
/etc/iproute2/rt_tables rw,
|
/etc/iproute2/rt_tables rw,
|
||||||
/etc/iproute2/sed* rw,
|
/etc/iproute2/sed@{rand6} rw,
|
||||||
|
|
||||||
owner @{PROC}/sys/net/ipv{4,}/route/flush w,
|
owner @{PROC}/sys/net/ipv{4,}/route/flush w,
|
||||||
|
|
||||||
|
@ -35,5 +35,7 @@ profile arch-audit @{exec_path} {
|
|||||||
@{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
|
@{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
|
||||||
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
|
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
|
||||||
|
|
||||||
|
/dev/pts/@{int} rw,
|
||||||
|
|
||||||
include if exists <local/arch-audit>
|
include if exists <local/arch-audit>
|
||||||
}
|
}
|
||||||
|
@ -42,6 +42,7 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) {
|
|||||||
/var/{,**} r,
|
/var/{,**} r,
|
||||||
|
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
|
/dev/pts/@{int} rw,
|
||||||
|
|
||||||
# Inherit Silencer
|
# Inherit Silencer
|
||||||
deny /apparmor/.null rw,
|
deny /apparmor/.null rw,
|
||||||
|
@ -7,8 +7,7 @@ abi <abi/3.0>,
|
|||||||
|
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = @{bin}/udevadm
|
@{exec_path} = @{bin}/udevadm @{lib}/systemd/systemd-udevd
|
||||||
@{exec_path} += @{lib}/systemd/systemd-udevd
|
|
||||||
profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
|
profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
|
@ -15,6 +15,11 @@ profile livepatch-notification @{exec_path} {
|
|||||||
include <abstractions/gtk>
|
include <abstractions/gtk>
|
||||||
include <abstractions/wayland>
|
include <abstractions/wayland>
|
||||||
|
|
||||||
|
dbus send bus=session path=/org/a11y/bus
|
||||||
|
interface=org.a11y.Bus
|
||||||
|
member=GetAddress
|
||||||
|
peer=(name=org.a11y.Bus, label=at-spi-bus-launcher),
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
|
@ -32,11 +32,13 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
|
|||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
mount fstype=overlayfs overlay -> /var/lib/docker/overlay2/*/merged/,
|
||||||
mount options=(rw, bind) -> /run/docker/netns/*,
|
mount options=(rw, bind) -> /run/docker/netns/*,
|
||||||
mount options=(rw, rbind) -> /var/lib/docker/overlay*/**/,
|
mount options=(rw, rbind) -> /var/lib/docker/overlay*/**/,
|
||||||
mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder[0-9]*/,
|
mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder[0-9]*/,
|
||||||
mount options=(rw, rprivate) -> /.pivot_root[0-9]*/,
|
mount options=(rw, rprivate) -> /.pivot_root[0-9]*/,
|
||||||
mount options=(rw, rslave) -> /,
|
mount options=(rw, rslave) -> /,
|
||||||
|
|
||||||
umount /.pivot_root[0-9]*/,
|
umount /.pivot_root[0-9]*/,
|
||||||
umount /run/docker/netns/*,
|
umount /run/docker/netns/*,
|
||||||
umount /var/lib/docker/overlay*/**/,
|
umount /var/lib/docker/overlay*/**/,
|
||||||
|
@ -15,16 +15,25 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) {
|
|||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
ptrace (read) peer=virtqemud,
|
ptrace (read) peer=virtqemud,
|
||||||
|
ptrace (read) peer=unconfined,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{bin}/dnsmasq rPx,
|
@{bin}/dnsmasq rPx,
|
||||||
|
|
||||||
@{run}/utmp rk,
|
/etc/libvirt/libvirt.conf r,
|
||||||
|
|
||||||
|
owner /var/lib/libvirt/dnsmasq/*.macs* rw,
|
||||||
|
|
||||||
|
@{run}/libvirt/network/default.pid r,
|
||||||
@{run}/systemd/inhibit/*.ref rw,
|
@{run}/systemd/inhibit/*.ref rw,
|
||||||
|
@{run}/utmp rk,
|
||||||
|
owner @{run}/libvirt/common/system.token rwk,
|
||||||
|
owner @{run}/libvirt/network/{,**} rwk,
|
||||||
owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
|
owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
|
||||||
owner @{run}/user/@{uid}/libvirt/network/{,**} rwk,
|
owner @{run}/user/@{uid}/libvirt/network/{,**} rwk,
|
||||||
owner @{run}/user/@{uid}/libvirt/virtnetworkd* rwk,
|
owner @{run}/user/@{uid}/libvirt/virtnetworkd* rwk,
|
||||||
|
owner @{run}/virtnetworkd.pid w,
|
||||||
|
|
||||||
@{sys}/devices/system/node/ r,
|
@{sys}/devices/system/node/ r,
|
||||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||||
|
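Review bot: `ptrace (read) peer=unconfined,` is added here and in the virtnodedevd and virtstoraged sections without a comment; `unconfined` matches every process that has no profile, so this is considerably broader than the existing `ptrace (read) peer=virtqemud,` it sits next to. If the reason is a libvirt peer (daemon or client) that is not yet profiled on some systems, a comment like `# libvirt peers that run without a profile — TODO confirm` would record the intent and let the rule be narrowed once those peers are confined. The hunk also moves `@{run}/utmp rk,` among the new run/pid rules; the profile body starts and ends outside the hunk.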
@ -15,22 +15,33 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
|
|||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
|
|
||||||
|
capability net_admin,
|
||||||
|
capability sys_admin,
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
ptrace (read) peer=virtqemud,
|
ptrace (read) peer=virtqemud,
|
||||||
|
ptrace (read) peer=unconfined,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{bin}/mdevctl rPx,
|
@{bin}/mdevctl rPx,
|
||||||
|
|
||||||
/usr/share/hwdata/*.ids r,
|
/usr/share/hwdata/*.ids r,
|
||||||
|
/usr/share/pci.ids r,
|
||||||
|
|
||||||
|
/etc/libvirt/libvirt.conf r,
|
||||||
|
/etc/libvirt/virtnodedevd.conf r,
|
||||||
/etc/mdevctl.d/{,**} r,
|
/etc/mdevctl.d/{,**} r,
|
||||||
|
|
||||||
@{run}/systemd/inhibit/*.ref rw,
|
@{run}/systemd/inhibit/*.ref rw,
|
||||||
|
owner @{run}/libvirt/common/system.token rwk,
|
||||||
|
owner @{run}/libvirt/nodedev/ rw,
|
||||||
|
owner @{run}/libvirt/nodedev/driver.pid wk,
|
||||||
owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
|
owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
|
||||||
owner @{run}/user/@{uid}/libvirt/nodedev/{,**} rwk,
|
owner @{run}/user/@{uid}/libvirt/nodedev/{,**} rwk,
|
||||||
owner @{run}/user/@{uid}/libvirt/virtnodedevd* rwk,
|
owner @{run}/user/@{uid}/libvirt/virtnodedevd* rwk,
|
||||||
|
owner @{run}/virtnodedevd.pid wk,
|
||||||
|
|
||||||
@{run}/utmp rk,
|
@{run}/utmp rk,
|
||||||
|
|
||||||
@ -49,9 +60,11 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{run}/udev/data/c1:[0-9]* r, # For RAM disk
|
@{run}/udev/data/c1:[0-9]* r, # For RAM disk
|
||||||
@{run}/udev/data/c10:[0-9]* r, # For non-serial mice, misc features
|
@{run}/udev/data/c10:[0-9]* r, # For non-serial mice, misc features
|
||||||
@{run}/udev/data/c13:[0-9]* r, # For /dev/input/*
|
@{run}/udev/data/c13:[0-9]* r, # For /dev/input/*
|
||||||
|
@{run}/udev/data/c21:[0-9]* r, # Generic SCSI access
|
||||||
@{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]*
|
@{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]*
|
||||||
@{run}/udev/data/c90:[0-9]* r, # For RAM, ROM, Flash
|
@{run}/udev/data/c90:[0-9]* r, # For RAM, ROM, Flash
|
||||||
@{run}/udev/data/c116:[0-9]* r, # For ALSA
|
@{run}/udev/data/c116:[0-9]* r, # For ALSA
|
||||||
|
@{run}/udev/data/c202:[0-9]* r, # CPU model-specific registers
|
||||||
@{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card[0-9]*
|
@{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card[0-9]*
|
||||||
@{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254
|
@{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254
|
||||||
@{run}/udev/data/c24[0-9]:[0-9]* r,
|
@{run}/udev/data/c24[0-9]:[0-9]* r,
|
||||||
@ -62,6 +75,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{run}/udev/data/n[0-9]* r,
|
@{run}/udev/data/n[0-9]* r,
|
||||||
|
|
||||||
@{sys}/**/ r,
|
@{sys}/**/ r,
|
||||||
|
@{sys}/devices/@{pci}/vpd r,
|
||||||
@{sys}/devices/**/{class,revision,subsystem_vendor,subsystem_device} r,
|
@{sys}/devices/**/{class,revision,subsystem_vendor,subsystem_device} r,
|
||||||
@{sys}/devices/**/{config,device,vendor} r,
|
@{sys}/devices/**/{config,device,vendor} r,
|
||||||
@{sys}/devices/**/uevent r,
|
@{sys}/devices/**/uevent r,
|
||||||
@ -71,13 +85,14 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{sys}/devices/pci[0-9]*/**/sriov_totalvfs r,
|
@{sys}/devices/pci[0-9]*/**/sriov_totalvfs r,
|
||||||
@{sys}/devices/system/node/ r,
|
@{sys}/devices/system/node/ r,
|
||||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||||
@{sys}/devices/virtual/dmi/id/{product_name,sys_vendor,board_vendor,bios_vendor,bios_date,bios_version,product_version} r,
|
@{sys}/devices/virtual/dmi/id/{product_name,product_serial,product_uuid,sys_vendor,board_vendor,bios_vendor,bios_date,bios_version,product_version} r,
|
||||||
@{sys}/devices/virtual/net/{,**} r,
|
@{sys}/devices/virtual/net/{,**} r,
|
||||||
@{sys}/kernel/iommu_groups/ r,
|
@{sys}/kernel/iommu_groups/ r,
|
||||||
@{sys}/kernel/iommu_groups/@{int}/devices/ r,
|
@{sys}/kernel/iommu_groups/@{int}/devices/ r,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
owner @{PROC}/@{pid}/stat r,
|
owner @{PROC}/@{pid}/stat r,
|
||||||
|
owner @{PROC}/mtrr w,
|
||||||
|
|
||||||
include if exists <local/virtnodedevd>
|
include if exists <local/virtnodedevd>
|
||||||
}
|
}
|
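Review bot: `capability net_admin,` and `capability sys_admin,` (first hunk) are the broadest grants in this commit and carry no comment; `sys_admin` in particular covers mount and a large set of namespace and device operations, so a later reviewer cannot tell from the profile whether a narrower rule would do. Recording the triggering operation, e.g. `capability sys_admin, # TODO: confirm — needed for <operation>`, would make that check possible. In the last hunk `owner @{PROC}/mtrr w,` is a system-wide write (MTRR changes affect all CPUs) that deserves the same treatment, and the DMI rule now also exposes `product_serial` and `product_uuid`, hardware identifiers worth marking as intentional. All four hunks are inside the same profile, whose start lies outside the view.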
@ -14,15 +14,32 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) {
|
|||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
|
|
||||||
|
capability dac_read_search,
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
ptrace (read) peer=virtqemud,
|
ptrace (read) peer=virtqemud,
|
||||||
|
ptrace (read) peer=unconfined,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper
|
@{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper
|
||||||
@{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper
|
@{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper
|
||||||
|
|
||||||
|
/etc/libvirt/libvirt.conf r,
|
||||||
|
|
||||||
|
# For disk images
|
||||||
|
@{MOUNTS}/ r,
|
||||||
|
@{user_img_dirs}/{,**} r,
|
||||||
|
|
||||||
|
# System VM images
|
||||||
|
/var/lib/libvirt/images/{,**} rw,
|
||||||
|
|
||||||
|
# User VM images
|
||||||
|
owner @{user_share_dirs}/ r,
|
||||||
|
owner @{user_share_dirs}/libvirt/{,**} rw,
|
||||||
|
owner @{user_vm_dirs}/{,**} rw,
|
||||||
|
|
||||||
owner @{user_config_dirs}/libvirt/storage/{,**} rw,
|
owner @{user_config_dirs}/libvirt/storage/{,**} rw,
|
||||||
|
|
||||||
owner @{user_share_dirs}/gnome-boxes/images/{,*} rw,
|
owner @{user_share_dirs}/gnome-boxes/images/{,*} rw,
|
||||||
@ -34,6 +51,10 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) {
|
|||||||
owner @{run}/user/@{uid}/libvirt/virtstoraged.pid rwk,
|
owner @{run}/user/@{uid}/libvirt/virtstoraged.pid rwk,
|
||||||
owner @{run}/user/@{uid}/libvirt/storage/{,**} rwk,
|
owner @{run}/user/@{uid}/libvirt/storage/{,**} rwk,
|
||||||
|
|
||||||
|
owner @{run}/libvirt/common/system.token rwk,
|
||||||
|
owner @{run}/libvirt/storage/{,**} rwk,
|
||||||
|
owner @{run}/virtstoraged.pid rwk,
|
||||||
|
|
||||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||||
@{run}/utmp rwk,
|
@{run}/utmp rwk,
|
||||||
|
|
||||||
|
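Review bot: `capability dac_read_search,` (first hunk) lets virtstoraged bypass read and search permission checks on any file, which goes beyond what the accompanying path rules (`/var/lib/libvirt/images/{,**} rw,`, `@{user_img_dirs}/{,**} r,`, `owner @{user_vm_dirs}/{,**} rw,`) already grant; without a comment it is unclear whether it is needed for pools on directories owned by other users or was taken straight from a denial log. A line like `capability dac_read_search, # TODO: confirm — pool directories not owned by the daemon` would record the intent. `ptrace (read) peer=unconfined,` is the same widening raised on the virtnetworkd section. The profile starts and ends outside the hunks.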
@ -24,8 +24,6 @@ profile multipath @{exec_path} {
|
|||||||
|
|
||||||
@{sys}/bus/ r,
|
@{sys}/bus/ r,
|
||||||
@{sys}/class/ r,
|
@{sys}/class/ r,
|
||||||
@{sys}/devices/pci[0-9]*/**/ata[0-9]*/host[0-9]*/ r,
|
|
||||||
@{sys}/devices/pci[0-9]*/**/ata[0-9]*/host[0-9]*/** r,
|
|
||||||
|
|
||||||
@{PROC}/devices r,
|
@{PROC}/devices r,
|
||||||
@{PROC}/sys/fs/nr_open r,
|
@{PROC}/sys/fs/nr_open r,
|
||||||
|
@ -99,12 +99,12 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{bin}/touch rix,
|
@{bin}/touch rix,
|
||||||
|
|
||||||
@{bin}/appstreamcli rPx,
|
@{bin}/appstreamcli rPx,
|
||||||
@{bin}/arch-audit rPx,
|
@{bin}/arch-audit rPx, # only: arch
|
||||||
@{bin}/dpkg rPx -> child-dpkg,
|
@{bin}/dpkg rPx -> child-dpkg, # only: dpkg
|
||||||
@{bin}/glib-compile-schemas rPx,
|
@{bin}/glib-compile-schemas rPx,
|
||||||
@{bin}/systemd-inhibit rPx,
|
@{bin}/systemd-inhibit rPx,
|
||||||
@{bin}/update-desktop-database rPx,
|
@{bin}/update-desktop-database rPx,
|
||||||
@{lib}/apt/methods/* rPx,
|
@{lib}/apt/methods/* rPx, # only: dpkg
|
||||||
@{lib}/cnf-update-db rPx,
|
@{lib}/cnf-update-db rPx,
|
||||||
@{lib}/update-notifier/update-motd-updates-available rPx,
|
@{lib}/update-notifier/update-motd-updates-available rPx,
|
||||||
@{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile
|
@{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile
|
||||||
@ -126,6 +126,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{run}/zypp.pid rwk, # only: opensuse
|
@{run}/zypp.pid rwk, # only: opensuse
|
||||||
owner @{run}/systemd/users/@{uid} r,
|
owner @{run}/systemd/users/@{uid} r,
|
||||||
owner @{run}/zypp-rpm.pid rwk, # only: opensuse
|
owner @{run}/zypp-rpm.pid rwk, # only: opensuse
|
||||||
|
owner @{run}/zypp/packages/ r, # only: opensuse
|
||||||
|
|
||||||
owner /dev/shm/AP_0x@{rand6}/{,**} rw,
|
owner /dev/shm/AP_0x@{rand6}/{,**} rw,
|
||||||
owner /dev/shm/ r,
|
owner /dev/shm/ r,
|
||||||
|
@ -1,5 +1,6 @@
|
|||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Copyright (C) 2018-2021 Mikhail Morfikov
|
# Copyright (C) 2018-2021 Mikhail Morfikov
|
||||||
|
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
@ -9,32 +10,43 @@ include <tunables/global>
|
|||||||
@{exec_path} = @{bin}/pinentry-qt
|
@{exec_path} = @{bin}/pinentry-qt
|
||||||
profile pinentry-qt @{exec_path} {
|
profile pinentry-qt @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/X>
|
|
||||||
include <abstractions/gtk>
|
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/fontconfig-cache-read>
|
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/dri-enumerate>
|
include <abstractions/dri-enumerate>
|
||||||
|
include <abstractions/fontconfig-cache-read>
|
||||||
|
include <abstractions/fonts>
|
||||||
|
include <abstractions/freedesktop.org>
|
||||||
|
include <abstractions/gtk>
|
||||||
include <abstractions/mesa>
|
include <abstractions/mesa>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5-compose-cache-write>
|
include <abstractions/qt5-compose-cache-write>
|
||||||
|
include <abstractions/qt5>
|
||||||
|
include <abstractions/vulkan>
|
||||||
|
include <abstractions/X>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/cmdline r,
|
/usr/share/hwdata/pnp.ids r,
|
||||||
|
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||||
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
|
|
||||||
owner @{user_config_dirs}/qt5ct/{,**} r,
|
|
||||||
/usr/share/qt5ct/** r,
|
/usr/share/qt5ct/** r,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/#@{int} rw,
|
|
||||||
|
|
||||||
/var/lib/dbus/machine-id r,
|
/var/lib/dbus/machine-id r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
/etc/xdg/kdeglobals r,
|
||||||
|
/etc/xdg/kwinrc r,
|
||||||
|
|
||||||
/dev/shm/#@{int} rw,
|
owner @{user_cache_dirs}/#@{int} rw,
|
||||||
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
|
|
||||||
/usr/share/hwdata/pnp.ids r,
|
owner @{user_config_dirs}/kdeglobals r,
|
||||||
|
owner @{user_config_dirs}/kwinrc r,
|
||||||
|
owner @{user_config_dirs}/qt5ct/{,**} r,
|
||||||
|
|
||||||
|
owner /tmp/xauth_@{rand6} r,
|
||||||
|
owner /dev/shm/#@{int} rw,
|
||||||
|
|
||||||
|
@{sys}/devices/system/node/ r,
|
||||||
|
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||||
|
|
||||||
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
|
|
||||||
include if exists <local/pinentry-qt>
|
include if exists <local/pinentry-qt>
|
||||||
}
|
}
|
||||||
|
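Review bot: The comment `# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration` (second hunk) is dropped while the rules it explained, `/usr/share/qt5ct/** r,` and `owner @{user_config_dirs}/qt5ct/{,**} r,`, are kept; please keep that comment next to the moved qt5ct rules so the reason for them survives. Replacing `/dev/shm/#@{int} rw,` with the `owner` form is a sound tightening for a passphrase dialog, and for the same reason `include <abstractions/vulkan>` and the new `@{sys}/devices/system/node/...` reads would benefit from a one-line note on why a pinentry needs them (presumably pulled in by the Qt stack). The hunk closes the profile at `}`.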
@ -32,6 +32,8 @@ profile sbctl @{exec_path} {
|
|||||||
|
|
||||||
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||||
|
|
||||||
|
/dev/pts/@{int} rw,
|
||||||
|
|
||||||
# File Inherit
|
# File Inherit
|
||||||
deny network inet stream,
|
deny network inet stream,
|
||||||
deny network inet6 stream,
|
deny network inet6 stream,
|
||||||
|
@ -30,5 +30,7 @@ profile sfdisk @{exec_path} {
|
|||||||
# For disk images
|
# For disk images
|
||||||
owner @{user_img_dirs}/{,**} rwk,
|
owner @{user_img_dirs}/{,**} rwk,
|
||||||
|
|
||||||
|
owner @{sys}/devices/pci[0-9]*/**/model r,
|
||||||
|
|
||||||
include if exists <local/sfdisk>
|
include if exists <local/sfdisk>
|
||||||
}
|
}
|
||||||
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||||||
|
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = /{snap/snapd/@{int}/,}{usr/,}lib/snapd/snapd
|
@{exec_path} = @{lib}/snapd/snapd /snap/snapd@{lib}/snapd/snapd
|
||||||
profile snapd @{exec_path} {
|
profile snapd @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/authentication>
|
include <abstractions/authentication>
|
||||||
|
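Review bot: The new `@{exec_path} = @{lib}/snapd/snapd /snap/snapd@{lib}/snapd/snapd` appears to drop the snap revision directory that the old `/{snap/snapd/@{int}/,}{usr/,}lib/snapd/snapd` matched: the snap-mounted binary lives under a per-revision directory (the sudo hunk in this same commit still uses `/snap/snapd/@{int}/usr/bin/snap`), and unless `@{lib}` is defined to absorb that component the second attachment will not match, leaving a snapd started from the snap with no profile attached. If that is intended it deserves a comment; otherwise something like `/snap/snapd/@{int}@{lib}/snapd/snapd` (depending on how `@{lib}` expands, which is not visible here) restores the old coverage. The profile body continues outside the hunk.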
@ -33,6 +33,11 @@ profile spice-vdagent @{exec_path} {
|
|||||||
member=EventListenerDeregistered
|
member=EventListenerDeregistered
|
||||||
peer=(name=:*, label=at-spi2-registryd),
|
peer=(name=:*, label=at-spi2-registryd),
|
||||||
|
|
||||||
|
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||||
|
interface=org.freedesktop.DBus.Properties
|
||||||
|
member=Set
|
||||||
|
peer=(name=:*, label=at-spi2-registryd),
|
||||||
|
|
||||||
dbus send bus=accessibility path=/org/a11y/atspi/registry
|
dbus send bus=accessibility path=/org/a11y/atspi/registry
|
||||||
interface=org.a11y.atspi.Registry
|
interface=org.a11y.atspi.Registry
|
||||||
member=GetRegisteredEvents
|
member=GetRegisteredEvents
|
||||||
|
@ -45,6 +45,7 @@ profile su @{exec_path} {
|
|||||||
|
|
||||||
@{bin}/{,b,d,rb}ash rUx,
|
@{bin}/{,b,d,rb}ash rUx,
|
||||||
@{bin}/{c,k,tc,z}sh rUx,
|
@{bin}/{c,k,tc,z}sh rUx,
|
||||||
|
|
||||||
@{bin}/nologin rPx,
|
@{bin}/nologin rPx,
|
||||||
|
|
||||||
@{etc_ro}/default/su r,
|
@{etc_ro}/default/su r,
|
||||||
|
@ -51,12 +51,11 @@ profile sudo @{exec_path} {
|
|||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{lib}/sudo/** mr,
|
|
||||||
|
|
||||||
@{bin}/{,b,d,rb}ash rUx,
|
@{bin}/{,b,d,rb}ash rUx,
|
||||||
@{bin}/{c,k,tc,z}sh rUx,
|
@{bin}/{c,k,tc,z}sh rUx,
|
||||||
@{lib}/cockpit/cockpit-askpass rPx,
|
|
||||||
@{lib}/molly-guard/molly-guard rPx,
|
@{lib}/** rPUx,
|
||||||
|
@{lib}/sudo/** mr,
|
||||||
/snap/snapd/@{int}/usr/bin/snap rPx,
|
/snap/snapd/@{int}/usr/bin/snap rPx,
|
||||||
|
|
||||||
@{etc_ro}/environment r,
|
@{etc_ro}/environment r,
|
||||||
|
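Review bot: `@{lib}/** rPUx,` replaces the two targeted entries `@{lib}/cockpit/cockpit-askpass rPx,` and `@{lib}/molly-guard/molly-guard rPx,`; with `PUx`, any program under `@{lib}` that has no profile of its own is now executed unconfined from sudo, whereas previously an unprofiled helper there was denied. Since sudo is a privilege boundary (and the shells are already `rUx`) this may be an accepted trade-off, but it changes what any unprofiled helper under lib can do once sudo runs it, so the catch-all should carry a comment naming the helpers that motivated it so it can be narrowed later. Note that re-adding the specific `rPx` lines alongside the `rPUx` catch-all would overlap with a different exec modifier, so the fix is the comment (or a narrower glob), not both rules. The profile starts and ends outside the hunk.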
@ -58,6 +58,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
|
|||||||
/usr/share/ladspa/rdf/{,ladspa.rdfs} r,
|
/usr/share/ladspa/rdf/{,ladspa.rdfs} r,
|
||||||
/usr/share/misc/*.ids r,
|
/usr/share/misc/*.ids r,
|
||||||
/usr/share/osinfo/{,**} r,
|
/usr/share/osinfo/{,**} r,
|
||||||
|
/usr/share/pci.ids r,
|
||||||
/usr/share/virt-manager/{,**} r,
|
/usr/share/virt-manager/{,**} r,
|
||||||
/usr/share/virtio/{,*} r,
|
/usr/share/virtio/{,*} r,
|
||||||
/var/lib/usbutils/*.ids r,
|
/var/lib/usbutils/*.ids r,
|
||||||
|
@ -16,8 +16,8 @@ profile xclip @{exec_path} {
|
|||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
# Mutt
|
|
||||||
owner /tmp/mutt-* rw,
|
owner /tmp/mutt-* rw,
|
||||||
|
owner /tmp/xauth_@{rand6} r,
|
||||||
|
|
||||||
owner @{HOME}/.Xauthority r,
|
owner @{HOME}/.Xauthority r,
|
||||||
|
|
||||||
|