diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse
index f04637ae..47c22d72 100644
--- a/apparmor.d/groups/avahi/avahi-browse
+++ b/apparmor.d/groups/avahi/avahi-browse
@@ -15,7 +15,7 @@ profile avahi-browse @{exec_path} { include dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} - interface=org.freedesktop.Avahi.ServiceTypeBrowser + interface=org.freedesktop.Avahi.ServiceTypeBrowser member={ItemNew,AllForNow,CacheExhausted} peer=(name=:*, label=avahi-daemon),
diff --git a/apparmor.d/groups/browsers/msedge b/apparmor.d/groups/browsers/msedge
index fbe4288a..f616df6c 100644
--- a/apparmor.d/groups/browsers/msedge
+++ b/apparmor.d/groups/browsers/msedge
@@ -26,7 +26,7 @@ profile msedge @{exec_path} { @{lib_dirs}/xdg-mime rix, #-> xdg-mime, @{lib_dirs}/xdg-settings rix, #-> xdg-settings, - + @{lib_dirs}/microsoft-edge{,beta,-dev} rPx, @{lib_dirs}/chrome_crashpad_handler rPx -> msedge//&msedge-crashpad-handler,
diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf
index 7e7299bc..0a8d7bda 100644
--- a/apparmor.d/groups/bus/ibus-memconf
+++ b/apparmor.d/groups/bus/ibus-memconf
@@ -16,10 +16,10 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term) peer=ibus-daemon, - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), @{exec_path} mr,
diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron
index 7db10924..7c57f946 100644
--- a/apparmor.d/groups/cron/cron
+++ b/apparmor.d/groups/cron/cron
@@ -74,7 +74,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { owner @{tmp}/#@{int} rw, - include if exists + include if exists } include if exists
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index 5ebedca6..f462894b 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -128,7 +128,7 @@ profile gnome-software @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/fuse rw, - + deny owner @{user_share_dirs}/gvfs-metadata/* r, profile gpg {
diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland
index 136ebabb..9c6107f6 100644
--- a/apparmor.d/groups/hyprland/hyprland
+++ b/apparmor.d/groups/hyprland/hyprland
@@ -39,7 +39,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, @{run}/systemd/sessions/@{int} r, - + @{run}/udev/data/+acpi:* r, # for acpi @{run}/udev/data/+dmi:id r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
diff --git a/apparmor.d/groups/network/iwd b/apparmor.d/groups/network/iwd
index c6dda71a..50827e77 100644
--- a/apparmor.d/groups/network/iwd
+++ b/apparmor.d/groups/network/iwd
@@ -22,7 +22,7 @@ profile iwd @{exec_path} { network netlink dgram, network alg seqpacket, - @{exec_path} mr, + @{exec_path} mr, /etc/iwd/{,**} r, /var/lib/iwd/{,**} rw,
diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon
index fd43bc33..8dc29f56 100644
--- a/apparmor.d/groups/network/mullvad-daemon
+++ b/apparmor.d/groups/network/mullvad-daemon
@@ -48,9 +48,9 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { owner /var/cache/mullvad-vpn/{,*} rw, owner /var/log/mullvad-vpn/{,*} rw, owner /var/log/private/mullvad-vpn/*.log rw, - + + @{run}/NetworkManager/resolv.conf r, owner @{run}/mullvad-vpn rw, - @{run}/NetworkManager/resolv.conf r, @{sys}/fs/cgroup/net_cls/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w,
diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch
index 34b1ea1d..237a5ff7 100644
--- a/apparmor.d/groups/ssh/ssh-agent-launch
+++ b/apparmor.d/groups/ssh/ssh-agent-launch
@@ -25,14 +25,14 @@ profile ssh-agent-launch @{exec_path} { include dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=UpdateActivationEnvironment - peer=(name=org.freedesktop.DBus, label=dbus-session), + interface=org.freedesktop.DBus + member=UpdateActivationEnvironment + peer=(name=org.freedesktop.DBus, label=dbus-session), dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=SetEnvironment - peer=(name=org.freedesktop.systemd1), + interface=org.freedesktop.systemd1.Manager + member=SetEnvironment + peer=(name=org.freedesktop.systemd1), @{bin}/dbus-update-activation-environment mr,
diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl
index c59284e7..05655d30 100644
--- a/apparmor.d/groups/systemd/bootctl
+++ b/apparmor.d/groups/systemd/bootctl
@@ -67,8 +67,8 @@ profile bootctl @{exec_path} { @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, @{sys}/firmware/efi/fw_platform_size r, - @{PROC}/sys/kernel/random/poolsize r, - owner @{PROC}/@{pid}/cgroup r, + @{PROC}/sys/kernel/random/poolsize r, + owner @{PROC}/@{pid}/cgroup r, # Inherit silencer deny network inet6 stream,
diff --git a/apparmor.d/groups/whonix/systemcheck-canary b/apparmor.d/groups/whonix/systemcheck-canary
index 2a38680b..4130d9cd 100644
--- a/apparmor.d/groups/whonix/systemcheck-canary
+++ b/apparmor.d/groups/whonix/systemcheck-canary
@@ -12,7 +12,7 @@ profile systemcheck-canary @{exec_path} { include @{exec_path} mr, - + @{bin}/sleep rix, @{bin}/grep rix, @{bin}/whoami rix,
diff --git a/apparmor.d/profiles-a-f/cups-backend-pdf b/apparmor.d/profiles-a-f/cups-backend-pdf
index b6e6d59a..7782ecb1 100644
--- a/apparmor.d/profiles-a-f/cups-backend-pdf
+++ b/apparmor.d/profiles-a-f/cups-backend-pdf
@@ -21,7 +21,7 @@ profile cups-backend-pdf @{exec_path} { unix peer=(label=cupsd), @{exec_path} mr, - + @{sh_path} rix, @{bin}/cp rix, @{bin}/gs rix,
diff --git a/apparmor.d/profiles-a-f/cups-backend-snmp b/apparmor.d/profiles-a-f/cups-backend-snmp
index 35f0392d..5badd529 100644
--- a/apparmor.d/profiles-a-f/cups-backend-snmp
+++ b/apparmor.d/profiles-a-f/cups-backend-snmp
@@ -16,7 +16,7 @@ profile cups-backend-snmp @{exec_path} { network netlink raw, @{exec_path} mr, - + /etc/cups/snmp.conf r, /etc/papersize r,
diff --git a/apparmor.d/profiles-a-f/cups-notifier-dbus b/apparmor.d/profiles-a-f/cups-notifier-dbus
index e22b2f6a..3f9b15dc 100644
--- a/apparmor.d/profiles-a-f/cups-notifier-dbus
+++ b/apparmor.d/profiles-a-f/cups-notifier-dbus
@@ -17,7 +17,7 @@ profile cups-notifier-dbus @{exec_path} { signal (receive) set=(term) peer=cupsd, @{exec_path} mr, - + owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw, owner @{tmp}/cups-dbus-notifier-lockfile rwk,
diff --git a/apparmor.d/profiles-a-f/cups-notifier-mailto b/apparmor.d/profiles-a-f/cups-notifier-mailto
index 0df4984d..e69afb07 100644
--- a/apparmor.d/profiles-a-f/cups-notifier-mailto
+++ b/apparmor.d/profiles-a-f/cups-notifier-mailto
@@ -11,7 +11,7 @@ profile cups-notifier-mailto @{exec_path} { include @{exec_path} mr, - + include if exists }
diff --git a/apparmor.d/profiles-a-f/cups-notifier-rss b/apparmor.d/profiles-a-f/cups-notifier-rss
index 129cb8d6..99339291 100644
--- a/apparmor.d/profiles-a-f/cups-notifier-rss
+++ b/apparmor.d/profiles-a-f/cups-notifier-rss
@@ -11,7 +11,7 @@ profile cups-notifier-rss @{exec_path} { include @{exec_path} mr, - + include if exists }
diff --git a/apparmor.d/profiles-g-l/gamemoded b/apparmor.d/profiles-g-l/gamemoded
index af1f3400..8f5067b7 100644
--- a/apparmor.d/profiles-g-l/gamemoded
+++ b/apparmor.d/profiles-g-l/gamemoded
@@ -40,23 +40,23 @@ profile gamemoded @{exec_path} flags=(attach_disconnected) { include include include - + capability audit_write, capability mknod, capability setgid, capability sys_ptrace, - + ptrace read peer=gamemoded, - + network netlink raw, - + @{bin}/pkexec mr, - + @{lib}/gamemode/{,**} r, @{lib}/gamemode/cpugovctl ix, @{lib}/gamemode/gpuclockctl ix, @{lib}/gamemode/procsysctl ix, - + /etc/security/limits.d/ r, /etc/security/limits.d/@{int}-gamemode.conf r, /etc/shells r,
@@ -66,15 +66,15 @@ profile gamemoded @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/cpu/ r, @{sys}/devices/system/cpu/cpu@{int}/cpufreq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw, - + @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pid}/loginuid r, @{PROC}/@{pid}/stat r, @{PROC}/sys/kernel/split_lock_mitigate rw, - + include if exists } - + include if exists }
diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup
index c800267c..aac25b81 100644
--- a/apparmor.d/profiles-g-l/ifup
+++ b/apparmor.d/profiles-g-l/ifup
@@ -85,7 +85,7 @@ profile ifup @{exec_path} { /etc/network/if-up.d/ r, /etc/network/if-up.d/*resolvconf rPUx, - /etc/network/if-up.d/resolved rPUx, + /etc/network/if-up.d/resolved rPUx, /etc/network/if-up.d/chrony rPUx, /etc/network/if-up.d/ethtool rPUx, /etc/network/if-up.d/ifenslave rPUx,
diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq
index 4d579764..0e18eab1 100644
--- a/apparmor.d/profiles-g-l/linuxqq
+++ b/apparmor.d/profiles-g-l/linuxqq
@@ -13,38 +13,38 @@ include @{exec_path} = @{bin}/linuxqq @{lib_dirs}/qq profile linuxqq @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include + include + include + include + include + include - network netlink raw, - network netlink dgram, - network inet stream, - network inet dgram, - network inet6 dgram, - network inet6 stream, + network netlink raw, + network netlink dgram, + network inet stream, + network inet dgram, + network inet6 dgram, + network inet6 stream, - @{exec_path} mrix, + @{exec_path} mrix, - @{sh_path} r, - @{bin}/grep rix, - @{lib_dirs}/chrome_crashpad_handler ix, - @{lib_dirs}/resources/app/{,**} m, - @{open_path} rPx -> child-open-strict, + @{sh_path} r, + @{bin}/grep rix, + @{lib_dirs}/chrome_crashpad_handler ix, + @{lib_dirs}/resources/app/{,**} m, + @{open_path} rPx -> child-open-strict, - /etc/machine-id r, + /etc/machine-id r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/utmp r, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/utmp r, - owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/loginuid r, + owner @{PROC}/@{pid}/mounts r, - /dev/tty rw, + /dev/tty rw, - include if exists + include if exists } # vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt
index 4e218a8a..6a96796a 100644
--- a/apparmor.d/profiles-m-r/mutt
+++ b/apparmor.d/profiles-m-r/mutt
@@ -27,14 +27,14 @@ profile mutt @{exec_path} { # There are countless programs that can be executed from the mailcap. # This profile includes only the most basic. @{sh_path} rix, - + @{lib}/{,sendmail/}sendmail rPUx, @{bin}/ispell rPUx, @{bin}/abook rPUx, @{bin}/mutt_dotlock rix, # Misc mutt scripts @{lib}/mutt/* rix, - + @{bin}/w3m rCx -> html-renderer, @{bin}/lynx rCx -> html-renderer, @{editor_path} rCx -> editor,
diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
index b60b5f48..75b15004 100644
--- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
+++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
@@ -26,7 +26,7 @@ profile needrestart-iucode-scan-versions @{exec_path} { /boot/intel-ucode.img r, /boot/early_ucode.cpio r, - + @{sys}/devices/system/cpu/cpu@{int}/microcode/processor_flags r, /dev/tty rw,
diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent
index 97c81ebd..a5fcbb91 100644
--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
@@ -42,7 +42,7 @@ profile qbittorrent @{exec_path} { interface=org.kde.StatusNotifierItem member={NewToolTip,NewIcon} peer=(name=org.freedesktop.DBus), - + dbus receive bus=session path=/StatusNotifierItem interface=org.kde.StatusNotifierItem member=Activate
@@ -52,12 +52,12 @@ profile qbittorrent @{exec_path} { interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*), - + dbus send bus=session path=/MenuBar interface=com.canonical.dbusmenu member=ItemsPropertiesUpdated peer=(name=org.freedesktop.DBus), - + dbus receive bus=session path=/MenuBar interface=com.canonical.dbusmenu member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}
diff --git a/apparmor.d/profiles-m-r/qbittorrent-nox b/apparmor.d/profiles-m-r/qbittorrent-nox
index 81cf4301..5129f203 100644
--- a/apparmor.d/profiles-m-r/qbittorrent-nox
+++ b/apparmor.d/profiles-m-r/qbittorrent-nox
@@ -51,7 +51,7 @@ profile qbittorrent-nox @{exec_path} { /dev/disk/by-label/ r, /dev/shm/#@{int} rw, - + deny owner @{user_share_dirs}/data/qBittorrent/ rw, # Old dir, not recommended to use include if exists
diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect
index b781ae1d..e3eca4e2 100644
--- a/apparmor.d/profiles-s-z/sensors-detect
+++ b/apparmor.d/profiles-s-z/sensors-detect
@@ -15,7 +15,7 @@ profile sensors-detect @{exec_path} { capability syslog, @{exec_path} rm, - + @{bin}/kmod rCx -> kmod, @{bin}/perl r, @{bin}/systemctl rCx -> systemctl,
diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop
index d088bb0b..98b194fb 100644
--- a/apparmor.d/profiles-s-z/session-desktop
+++ b/apparmor.d/profiles-s-z/session-desktop
@@ -28,7 +28,7 @@ profile session-desktop @{exec_path} { network netlink raw, @{exec_path} mrix, - + @{lib_dirs}/resources/app.asar.unpacked/ts/webworker/workers/node/**.node mr, @{open_path} rPx -> child-open-strict,
diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem
index 6883e48f..64ab228b 100644
--- a/apparmor.d/profiles-s-z/totem
+++ b/apparmor.d/profiles-s-z/totem
@@ -83,7 +83,7 @@ profile totem @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/@{tid}/comm w, /dev/ r, - + include if exists }
diff --git a/apparmor.d/profiles-s-z/ufw b/apparmor.d/profiles-s-z/ufw
index 2c0f5352..b7e5f0c7 100644
--- a/apparmor.d/profiles-s-z/ufw
+++ b/apparmor.d/profiles-s-z/ufw
@@ -9,54 +9,54 @@ include @{exec_path} = @{bin}/ufw profile ufw @{exec_path} flags=(attach_disconnected) { - include - include - include - include + include + include + include + include - capability dac_read_search, - capability net_admin, - capability net_raw, - capability sys_ptrace, + capability dac_read_search, + capability net_admin, + capability net_raw, + capability sys_ptrace, - network inet dgram, - network inet raw, - network inet6 dgram, - network inet6 raw, - network netlink raw, + network inet dgram, + network inet raw, + network inet6 dgram, + network inet6 raw, + network netlink raw, - ptrace read, + ptrace read, - @{exec_path} mr, + @{exec_path} mr, - @{bin}/ r, - @{bin}/cat ix, - @{bin}/env r, - @{bin}/python3.@{int} ix, - @{bin}/sysctl ix, - @{bin}/xtables-legacy-multi ix, - @{bin}/xtables-nft-multi ix, - @{lib}/ufw/ufw-init ix, + @{bin}/ r, + @{bin}/cat ix, + @{bin}/env r, + @{bin}/python3.@{int} ix, + @{bin}/sysctl ix, + @{bin}/xtables-legacy-multi ix, + @{bin}/xtables-nft-multi ix, + @{lib}/ufw/ufw-init ix, - /etc/default/ufw rw, - /etc/ufw/ rw, - /etc/ufw/** rwk, + /etc/default/ufw rw, + /etc/ufw/ rw, + /etc/ufw/** rwk, - @{run}/xtables.lock rwk, - owner @{run}/ufw.lock rwk, + @{run}/xtables.lock rwk, + owner @{run}/ufw.lock rwk, - owner @{tmp}/@{word8} rw, - owner @{tmp}/tmp@{word8} rw, - owner /var/tmp/@{word8} rw, - owner /var/tmp/tmp@{word8} rw, + owner @{tmp}/@{word8} rw, + owner @{tmp}/tmp@{word8} rw, + owner /var/tmp/@{word8} rw, + owner /var/tmp/tmp@{word8} rw, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/net/ip_tables_names r, - @{PROC}/@{pid}/stat r, - @{PROC}/sys/net/ipv{4,6}/** rw, - @{PROC}/sys/kernel/modprobe r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/net/ip_tables_names r, + @{PROC}/@{pid}/stat r, + @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/sys/kernel/modprobe r, - include if exists + include if exists } # vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/update-pciids b/apparmor.d/profiles-s-z/update-pciids
index 3d07f75d..d2e36ead 100644
--- a/apparmor.d/profiles-s-z/update-pciids
+++ b/apparmor.d/profiles-s-z/update-pciids
@@ -38,7 +38,7 @@ profile update-pciids @{exec_path} { /usr/share/misc/ r, /usr/share/misc/* rwl -> /usr/share/misc/*, - # For shell pwd + # For shell pwd /root/ r,
diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal
index 31a7f7cd..9d563111 100644
--- a/apparmor.d/profiles-s-z/wechat-universal
+++ b/apparmor.d/profiles-s-z/wechat-universal
@@ -13,48 +13,48 @@ include @{exec_path} = @{bin}/wechat-universal @{lib_dirs}/wechat profile wechat-universal @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include + include + include + include + include + include + include + include - network netlink raw, - network netlink dgram, - network inet stream, - network inet dgram, - network inet6 dgram, - network inet6 stream, + network netlink raw, + network netlink dgram, + network inet stream, + network inet dgram, + network inet6 dgram, + network inet6 stream, - @{exec_path} mrix, + @{exec_path} mrix, - @{sh_path} rix, - @{lib}/wechat-universal/common.sh ix, - @{bin}/sed ix, - @{bin}/ln ix, - @{bin}/mkdir ix, - @{bin}/lsblk Px, - @{bin}/bwrap rix, - @{bin}/xdg-user-dir rix, - @{lib_dirs}/crashpad_handler ix, - @{open_path} rPx -> child-open-strict, + @{sh_path} rix, + @{lib}/wechat-universal/common.sh ix, + @{bin}/sed ix, + @{bin}/ln ix, + @{bin}/mkdir ix, + @{bin}/lsblk Px, + @{bin}/bwrap rix, + @{bin}/xdg-user-dir rix, + @{lib_dirs}/crashpad_handler ix, + @{open_path} rPx -> child-open-strict, - /etc/lsb-release r, + /etc/lsb-release r, - owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk, - owner @{HOME}/.xwechat/{,**} rwk, - owner @{HOME}/.sys1og.conf rw, + owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk, + owner @{HOME}/.xwechat/{,**} rwk, + owner @{HOME}/.sys1og.conf rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/utmp r, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/utmp r, - @{PROC}/@{pid}/net/route r, + @{PROC}/@{pid}/net/route r, - /dev/tty rw, + /dev/tty rw, - include if exists + include if exists } # vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet
index bbc871f6..861908a6 100644
--- a/apparmor.d/profiles-s-z/wemeet
+++ b/apparmor.d/profiles-s-z/wemeet
@@ -10,54 +10,53 @@ include @{exec_path} += /opt/wemeet/bin/wemeetapp @{exec_path} += /opt/wemeet/bin/QtWebEngineProcess profile wemeet @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - include - include - include + include + include + include + include + include + include + include + include + include + include - network netlink raw, - network netlink dgram, - network inet stream, - network inet dgram, - network inet6 dgram, - network inet6 stream, + network netlink raw, + network netlink dgram, + network inet stream, + network inet dgram, + network inet6 dgram, + network inet6 stream, - @{exec_path} mr, + @{exec_path} mr, - @{sh_path} r, - @{bin}/basename rix, - @{bin}/bwrap rix, - @{bin}/id rix, - @{bin}/mkdir rix, - /opt/wemeet/bin/** rix, + @{sh_path} r, + @{bin}/basename rix, + @{bin}/bwrap rix, + @{bin}/id rix, + @{bin}/mkdir rix, + /opt/wemeet/bin/** rix, - /etc/machine-id r, - /var/cache/ w, + /etc/machine-id r, + /var/cache/ w, - owner @{user_share_dirs}/wemeetapp/ rw, - owner @{user_share_dirs}/wemeetapp/** rwlk -> @{user_share_dirs}/wemeetapp/**, + owner @{user_share_dirs}/wemeetapp/ rw, + owner @{user_share_dirs}/wemeetapp/** rwlk -> @{user_share_dirs}/wemeetapp/**, - @{PROC}/ r, - @{PROC}/asound/ r, - @{PROC}/@{pid}/net/route r, - @{PROC}/@{pid}/net/wireless r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/statm r, - @{PROC}/sys/fs/inotify/max_user_watches r, - owner @{PROC}/@{pid}/cmdline r, + @{PROC}/ r, + @{PROC}/asound/ r, + @{PROC}/@{pid}/net/route r, + @{PROC}/@{pid}/net/wireless r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/statm r, + @{PROC}/sys/fs/inotify/max_user_watches r, + owner @{PROC}/@{pid}/cmdline r, - /dev/ r, - /dev/tty rw, - /dev/shm/ r, - - include if exists + /dev/ r, + /dev/tty rw, + /dev/shm/ r, + include if exists } # vim:syntax=apparmor