mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-14 00:07:13 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

chore: enforce indentation consistency across profile.

Browse source
This commit is contained in:
Alexandre Pujol 2024-10-16 23:36:13 +01:00
parent 6e2d817805
commit 37bafddc80
Failed to generate hash of commit
30 changed files with 181 additions and 182 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/groups/avahi/avahi-browse
View file

@ -15,7 +15,7 @@ profile avahi-browse @{exec_path} {
include <abstractions/consoles> include <abstractions/consoles>
dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int}
interface=org.freedesktop.Avahi.ServiceTypeBrowser interface=org.freedesktop.Avahi.ServiceTypeBrowser
member={ItemNew,AllForNow,CacheExhausted} member={ItemNew,AllForNow,CacheExhausted}
peer=(name=:*, label=avahi-daemon), peer=(name=:*, label=avahi-daemon),

2
apparmor.d/groups/browsers/msedge
View file

@ -26,7 +26,7 @@ profile msedge @{exec_path} {
@{lib_dirs}/xdg-mime rix, #-> xdg-mime, @{lib_dirs}/xdg-mime rix, #-> xdg-mime,
@{lib_dirs}/xdg-settings rix, #-> xdg-settings, @{lib_dirs}/xdg-settings rix, #-> xdg-settings,
@{lib_dirs}/microsoft-edge{,beta,-dev} rPx, @{lib_dirs}/microsoft-edge{,beta,-dev} rPx,
@{lib_dirs}/chrome_crashpad_handler rPx -> msedge//&msedge-crashpad-handler, @{lib_dirs}/chrome_crashpad_handler rPx -> msedge//&msedge-crashpad-handler,

8
apparmor.d/groups/bus/ibus-memconf
View file

@ -16,10 +16,10 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) {
signal (receive) set=(term) peer=ibus-daemon, signal (receive) set=(term) peer=ibus-daemon,
dbus receive bus=session dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable
member=Introspect member=Introspect
peer=(name=:*, label=gnome-shell), peer=(name=:*, label=gnome-shell),
@{exec_path} mr, @{exec_path} mr,

2
apparmor.d/groups/cron/cron
View file

@ -74,7 +74,7 @@ profile cron @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/#@{int} rw, owner @{tmp}/#@{int} rw,
include if exists <local/cron_run-parts> include if exists <local/cron_run-parts>
} }
include if exists <local/cron> include if exists <local/cron>

2
apparmor.d/groups/gnome/gnome-software
View file

@ -128,7 +128,7 @@ profile gnome-software @{exec_path} {
owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/dev/fuse rw, /dev/fuse rw,
deny owner @{user_share_dirs}/gvfs-metadata/* r, deny owner @{user_share_dirs}/gvfs-metadata/* r,
profile gpg { profile gpg {

2
apparmor.d/groups/hyprland/hyprland
View file

@ -39,7 +39,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) {
owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
@{run}/systemd/sessions/@{int} r, @{run}/systemd/sessions/@{int} r,
@{run}/udev/data/+acpi:* r, # for acpi @{run}/udev/data/+acpi:* r, # for acpi
@{run}/udev/data/+dmi:id r, # for motherboard info @{run}/udev/data/+dmi:id r, # for motherboard info
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs

2
apparmor.d/groups/network/iwd
View file

@ -22,7 +22,7 @@ profile iwd @{exec_path} {
network netlink dgram, network netlink dgram,
network alg seqpacket, network alg seqpacket,
@{exec_path} mr, @{exec_path} mr,
/etc/iwd/{,**} r, /etc/iwd/{,**} r,
/var/lib/iwd/{,**} rw, /var/lib/iwd/{,**} rw,

4
apparmor.d/groups/network/mullvad-daemon
View file

@ -48,9 +48,9 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
owner /var/cache/mullvad-vpn/{,*} rw, owner /var/cache/mullvad-vpn/{,*} rw,
owner /var/log/mullvad-vpn/{,*} rw, owner /var/log/mullvad-vpn/{,*} rw,
owner /var/log/private/mullvad-vpn/*.log rw, owner /var/log/private/mullvad-vpn/*.log rw,
@{run}/NetworkManager/resolv.conf r,
owner @{run}/mullvad-vpn rw, owner @{run}/mullvad-vpn rw,
@{run}/NetworkManager/resolv.conf r,
@{sys}/fs/cgroup/net_cls/ w, @{sys}/fs/cgroup/net_cls/ w,
@{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w,

12
apparmor.d/groups/ssh/ssh-agent-launch
View file

@ -25,14 +25,14 @@ profile ssh-agent-launch @{exec_path} {
include <abstractions/bus-session> include <abstractions/bus-session>
dbus send bus=session path=/org/freedesktop/DBus dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member=UpdateActivationEnvironment member=UpdateActivationEnvironment
peer=(name=org.freedesktop.DBus, label=dbus-session), peer=(name=org.freedesktop.DBus, label=dbus-session),
dbus send bus=session path=/org/freedesktop/systemd1 dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager interface=org.freedesktop.systemd1.Manager
member=SetEnvironment member=SetEnvironment
peer=(name=org.freedesktop.systemd1), peer=(name=org.freedesktop.systemd1),
@{bin}/dbus-update-activation-environment mr, @{bin}/dbus-update-activation-environment mr,

4
apparmor.d/groups/systemd/bootctl
View file

@ -67,8 +67,8 @@ profile bootctl @{exec_path} {
@{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,
@{sys}/firmware/efi/fw_platform_size r, @{sys}/firmware/efi/fw_platform_size r,
@{PROC}/sys/kernel/random/poolsize r, @{PROC}/sys/kernel/random/poolsize r,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
# Inherit silencer # Inherit silencer
deny network inet6 stream, deny network inet6 stream,

2
apparmor.d/groups/whonix/systemcheck-canary
View file

@ -12,7 +12,7 @@ profile systemcheck-canary @{exec_path} {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{exec_path} mr, @{exec_path} mr,
@{bin}/sleep rix, @{bin}/sleep rix,
@{bin}/grep rix, @{bin}/grep rix,
@{bin}/whoami rix, @{bin}/whoami rix,

2
apparmor.d/profiles-a-f/cups-backend-pdf
View file

@ -21,7 +21,7 @@ profile cups-backend-pdf @{exec_path} {
unix peer=(label=cupsd), unix peer=(label=cupsd),
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix, @{sh_path} rix,
@{bin}/cp rix, @{bin}/cp rix,
@{bin}/gs rix, @{bin}/gs rix,

2
apparmor.d/profiles-a-f/cups-backend-snmp
View file

@ -16,7 +16,7 @@ profile cups-backend-snmp @{exec_path} {
network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,
/etc/cups/snmp.conf r, /etc/cups/snmp.conf r,
/etc/papersize r, /etc/papersize r,

2
apparmor.d/profiles-a-f/cups-notifier-dbus
View file

@ -17,7 +17,7 @@ profile cups-notifier-dbus @{exec_path} {
signal (receive) set=(term) peer=cupsd, signal (receive) set=(term) peer=cupsd,
@{exec_path} mr, @{exec_path} mr,
owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw, owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw,
owner @{tmp}/cups-dbus-notifier-lockfile rwk, owner @{tmp}/cups-dbus-notifier-lockfile rwk,

2
apparmor.d/profiles-a-f/cups-notifier-mailto
View file

@ -11,7 +11,7 @@ profile cups-notifier-mailto @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} mr, @{exec_path} mr,
include if exists <local/cups-notifier-mailto> include if exists <local/cups-notifier-mailto>
} }

2
apparmor.d/profiles-a-f/cups-notifier-rss
View file

@ -11,7 +11,7 @@ profile cups-notifier-rss @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} mr, @{exec_path} mr,
include if exists <local/cups-notifier-rss> include if exists <local/cups-notifier-rss>
} }

18
apparmor.d/profiles-g-l/gamemoded
View file

@ -40,23 +40,23 @@ profile gamemoded @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/authentication> include <abstractions/authentication>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability audit_write, capability audit_write,
capability mknod, capability mknod,
capability setgid, capability setgid,
capability sys_ptrace, capability sys_ptrace,
ptrace read peer=gamemoded, ptrace read peer=gamemoded,
network netlink raw, network netlink raw,
@{bin}/pkexec mr, @{bin}/pkexec mr,
@{lib}/gamemode/{,**} r, @{lib}/gamemode/{,**} r,
@{lib}/gamemode/cpugovctl ix, @{lib}/gamemode/cpugovctl ix,
@{lib}/gamemode/gpuclockctl ix, @{lib}/gamemode/gpuclockctl ix,
@{lib}/gamemode/procsysctl ix, @{lib}/gamemode/procsysctl ix,
/etc/security/limits.d/ r, /etc/security/limits.d/ r,
/etc/security/limits.d/@{int}-gamemode.conf r, /etc/security/limits.d/@{int}-gamemode.conf r,
/etc/shells r, /etc/shells r,
@ -66,15 +66,15 @@ profile gamemoded @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/system/cpu/ r, @{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/cpu@{int}/cpufreq r, @{sys}/devices/system/cpu/cpu@{int}/cpufreq r,
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw,
@{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pid}/fdinfo/@{int} r,
@{PROC}/@{pid}/loginuid r, @{PROC}/@{pid}/loginuid r,
@{PROC}/@{pid}/stat r, @{PROC}/@{pid}/stat r,
@{PROC}/sys/kernel/split_lock_mitigate rw, @{PROC}/sys/kernel/split_lock_mitigate rw,
include if exists <local/gamemoded_pkexec> include if exists <local/gamemoded_pkexec>
} }
include if exists <local/gamemoded> include if exists <local/gamemoded>
} }

2
apparmor.d/profiles-g-l/ifup
View file

@ -85,7 +85,7 @@ profile ifup @{exec_path} {
/etc/network/if-up.d/ r, /etc/network/if-up.d/ r,
/etc/network/if-up.d/*resolvconf rPUx, /etc/network/if-up.d/*resolvconf rPUx,
/etc/network/if-up.d/resolved rPUx, /etc/network/if-up.d/resolved rPUx,
/etc/network/if-up.d/chrony rPUx, /etc/network/if-up.d/chrony rPUx,
/etc/network/if-up.d/ethtool rPUx, /etc/network/if-up.d/ethtool rPUx,
/etc/network/if-up.d/ifenslave rPUx, /etc/network/if-up.d/ifenslave rPUx,

48
apparmor.d/profiles-g-l/linuxqq
View file

@ -13,38 +13,38 @@ include <tunables/global>
@{exec_path} = @{bin}/linuxqq @{lib_dirs}/qq @{exec_path} = @{bin}/linuxqq @{lib_dirs}/qq
profile linuxqq @{exec_path} flags=(attach_disconnected) { profile linuxqq @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/attached/consoles> include <abstractions/attached/consoles>
include <abstractions/audio-client> include <abstractions/audio-client>
include <abstractions/common/electron> include <abstractions/common/electron>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
network netlink raw, network netlink raw,
network netlink dgram, network netlink dgram,
network inet stream, network inet stream,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
network inet6 stream, network inet6 stream,
@{exec_path} mrix, @{exec_path} mrix,
@{sh_path} r, @{sh_path} r,
@{bin}/grep rix, @{bin}/grep rix,
@{lib_dirs}/chrome_crashpad_handler ix, @{lib_dirs}/chrome_crashpad_handler ix,
@{lib_dirs}/resources/app/{,**} m, @{lib_dirs}/resources/app/{,**} m,
@{open_path} rPx -> child-open-strict, @{open_path} rPx -> child-open-strict,
/etc/machine-id r, /etc/machine-id r,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/utmp r, @{run}/utmp r,
owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/loginuid r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
/dev/tty rw, /dev/tty rw,
include if exists <local/linuxqq> include if exists <local/linuxqq>
} }
# vim:syntax=apparmor # vim:syntax=apparmor

4
apparmor.d/profiles-m-r/mutt
View file

@ -27,14 +27,14 @@ profile mutt @{exec_path} {
# There are countless programs that can be executed from the mailcap. # There are countless programs that can be executed from the mailcap.
# This profile includes only the most basic. # This profile includes only the most basic.
@{sh_path} rix, @{sh_path} rix,
@{lib}/{,sendmail/}sendmail rPUx, @{lib}/{,sendmail/}sendmail rPUx,
@{bin}/ispell rPUx, @{bin}/ispell rPUx,
@{bin}/abook rPUx, @{bin}/abook rPUx,
@{bin}/mutt_dotlock rix, @{bin}/mutt_dotlock rix,
# Misc mutt scripts # Misc mutt scripts
@{lib}/mutt/* rix, @{lib}/mutt/* rix,
@{bin}/w3m rCx -> html-renderer, @{bin}/w3m rCx -> html-renderer,
@{bin}/lynx rCx -> html-renderer, @{bin}/lynx rCx -> html-renderer,
@{editor_path} rCx -> editor, @{editor_path} rCx -> editor,

2
apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
View file

@ -26,7 +26,7 @@ profile needrestart-iucode-scan-versions @{exec_path} {
/boot/intel-ucode.img r, /boot/intel-ucode.img r,
/boot/early_ucode.cpio r, /boot/early_ucode.cpio r,
@{sys}/devices/system/cpu/cpu@{int}/microcode/processor_flags r, @{sys}/devices/system/cpu/cpu@{int}/microcode/processor_flags r,
/dev/tty rw, /dev/tty rw,

6
apparmor.d/profiles-m-r/qbittorrent
View file

@ -42,7 +42,7 @@ profile qbittorrent @{exec_path} {
interface=org.kde.StatusNotifierItem interface=org.kde.StatusNotifierItem
member={NewToolTip,NewIcon} member={NewToolTip,NewIcon}
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
dbus receive bus=session path=/StatusNotifierItem dbus receive bus=session path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem interface=org.kde.StatusNotifierItem
member=Activate member=Activate
@ -52,12 +52,12 @@ profile qbittorrent @{exec_path} {
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll member=GetAll
peer=(name=:*), peer=(name=:*),
dbus send bus=session path=/MenuBar dbus send bus=session path=/MenuBar
interface=com.canonical.dbusmenu interface=com.canonical.dbusmenu
member=ItemsPropertiesUpdated member=ItemsPropertiesUpdated
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
dbus receive bus=session path=/MenuBar dbus receive bus=session path=/MenuBar
interface=com.canonical.dbusmenu interface=com.canonical.dbusmenu
member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event} member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}

2
apparmor.d/profiles-m-r/qbittorrent-nox
View file

@ -51,7 +51,7 @@ profile qbittorrent-nox @{exec_path} {
/dev/disk/by-label/ r, /dev/disk/by-label/ r,
/dev/shm/#@{int} rw, /dev/shm/#@{int} rw,
deny owner @{user_share_dirs}/data/qBittorrent/ rw, # Old dir, not recommended to use deny owner @{user_share_dirs}/data/qBittorrent/ rw, # Old dir, not recommended to use
include if exists <local/qbittorrent-nox> include if exists <local/qbittorrent-nox>

2
apparmor.d/profiles-s-z/sensors-detect
View file

@ -15,7 +15,7 @@ profile sensors-detect @{exec_path} {
capability syslog, capability syslog,
@{exec_path} rm, @{exec_path} rm,
@{bin}/kmod rCx -> kmod, @{bin}/kmod rCx -> kmod,
@{bin}/perl r, @{bin}/perl r,
@{bin}/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,

2
apparmor.d/profiles-s-z/session-desktop
View file

@ -28,7 +28,7 @@ profile session-desktop @{exec_path} {
network netlink raw, network netlink raw,
@{exec_path} mrix, @{exec_path} mrix,
@{lib_dirs}/resources/app.asar.unpacked/ts/webworker/workers/node/**.node mr, @{lib_dirs}/resources/app.asar.unpacked/ts/webworker/workers/node/**.node mr,
@{open_path} rPx -> child-open-strict, @{open_path} rPx -> child-open-strict,

2
apparmor.d/profiles-s-z/totem
View file

@ -83,7 +83,7 @@ profile totem @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/task/@{tid}/comm w, owner @{PROC}/@{pid}/task/@{tid}/comm w,
/dev/ r, /dev/ r,
include if exists <local/totem_bwrap> include if exists <local/totem_bwrap>
} }

76
apparmor.d/profiles-s-z/ufw
View file

@ -9,54 +9,54 @@ include <tunables/global>
@{exec_path} = @{bin}/ufw @{exec_path} = @{bin}/ufw
profile ufw @{exec_path} flags=(attach_disconnected) { profile ufw @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/attached/consoles> include <abstractions/attached/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/python> include <abstractions/python>
capability dac_read_search, capability dac_read_search,
capability net_admin, capability net_admin,
capability net_raw, capability net_raw,
capability sys_ptrace, capability sys_ptrace,
network inet dgram, network inet dgram,
network inet raw, network inet raw,
network inet6 dgram, network inet6 dgram,
network inet6 raw, network inet6 raw,
network netlink raw, network netlink raw,
ptrace read, ptrace read,
@{exec_path} mr, @{exec_path} mr,
@{bin}/ r, @{bin}/ r,
@{bin}/cat ix, @{bin}/cat ix,
@{bin}/env r, @{bin}/env r,
@{bin}/python3.@{int} ix, @{bin}/python3.@{int} ix,
@{bin}/sysctl ix, @{bin}/sysctl ix,
@{bin}/xtables-legacy-multi ix, @{bin}/xtables-legacy-multi ix,
@{bin}/xtables-nft-multi ix, @{bin}/xtables-nft-multi ix,
@{lib}/ufw/ufw-init ix, @{lib}/ufw/ufw-init ix,
/etc/default/ufw rw, /etc/default/ufw rw,
/etc/ufw/ rw, /etc/ufw/ rw,
/etc/ufw/** rwk, /etc/ufw/** rwk,
@{run}/xtables.lock rwk, @{run}/xtables.lock rwk,
owner @{run}/ufw.lock rwk, owner @{run}/ufw.lock rwk,
owner @{tmp}/@{word8} rw, owner @{tmp}/@{word8} rw,
owner @{tmp}/tmp@{word8} rw, owner @{tmp}/tmp@{word8} rw,
owner /var/tmp/@{word8} rw, owner /var/tmp/@{word8} rw,
owner /var/tmp/tmp@{word8} rw, owner /var/tmp/tmp@{word8} rw,
@{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/net/ip_tables_names r, @{PROC}/@{pid}/net/ip_tables_names r,
@{PROC}/@{pid}/stat r, @{PROC}/@{pid}/stat r,
@{PROC}/sys/net/ipv{4,6}/** rw, @{PROC}/sys/net/ipv{4,6}/** rw,
@{PROC}/sys/kernel/modprobe r, @{PROC}/sys/kernel/modprobe r,
include if exists <local/ufw> include if exists <local/ufw>
} }
# vim:syntax=apparmor # vim:syntax=apparmor

2
apparmor.d/profiles-s-z/update-pciids
View file

@ -38,7 +38,7 @@ profile update-pciids @{exec_path} {
/usr/share/misc/ r, /usr/share/misc/ r,
/usr/share/misc/* rwl -> /usr/share/misc/*, /usr/share/misc/* rwl -> /usr/share/misc/*,
# For shell pwd # For shell pwd
/root/ r, /root/ r,

66
apparmor.d/profiles-s-z/wechat-universal
View file

@ -13,48 +13,48 @@ include <tunables/global>
@{exec_path} = @{bin}/wechat-universal @{lib_dirs}/wechat @{exec_path} = @{bin}/wechat-universal @{lib_dirs}/wechat
profile wechat-universal @{exec_path} flags=(attach_disconnected) { profile wechat-universal @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/attached/consoles> include <abstractions/attached/consoles>
include <abstractions/audio-client> include <abstractions/audio-client>
include <abstractions/common/electron> include <abstractions/common/electron>
include <abstractions/common/bwrap> include <abstractions/common/bwrap>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/app/bus> include <abstractions/app/bus>
network netlink raw, network netlink raw,
network netlink dgram, network netlink dgram,
network inet stream, network inet stream,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
network inet6 stream, network inet6 stream,
@{exec_path} mrix, @{exec_path} mrix,
@{sh_path} rix, @{sh_path} rix,
@{lib}/wechat-universal/common.sh ix, @{lib}/wechat-universal/common.sh ix,
@{bin}/sed ix, @{bin}/sed ix,
@{bin}/ln ix, @{bin}/ln ix,
@{bin}/mkdir ix, @{bin}/mkdir ix,
@{bin}/lsblk Px, @{bin}/lsblk Px,
@{bin}/bwrap rix, @{bin}/bwrap rix,
@{bin}/xdg-user-dir rix, @{bin}/xdg-user-dir rix,
@{lib_dirs}/crashpad_handler ix, @{lib_dirs}/crashpad_handler ix,
@{open_path} rPx -> child-open-strict, @{open_path} rPx -> child-open-strict,
/etc/lsb-release r, /etc/lsb-release r,
owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk,
owner @{HOME}/.xwechat/{,**} rwk, owner @{HOME}/.xwechat/{,**} rwk,
owner @{HOME}/.sys1og.conf rw, owner @{HOME}/.sys1og.conf rw,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/utmp r, @{run}/utmp r,
@{PROC}/@{pid}/net/route r, @{PROC}/@{pid}/net/route r,
/dev/tty rw, /dev/tty rw,
include if exists <local/wechat-universal> include if exists <local/wechat-universal>
} }
# vim:syntax=apparmor # vim:syntax=apparmor

79
apparmor.d/profiles-s-z/wemeet
View file

@ -10,54 +10,53 @@ include <tunables/global>
@{exec_path} += /opt/wemeet/bin/wemeetapp @{exec_path} += /opt/wemeet/bin/wemeetapp
@{exec_path} += /opt/wemeet/bin/QtWebEngineProcess @{exec_path} += /opt/wemeet/bin/QtWebEngineProcess
profile wemeet @{exec_path} flags=(attach_disconnected) { profile wemeet @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/attached/consoles> include <abstractions/attached/consoles>
include <abstractions/nameservice-strict> include <abstractions/audio-client>
include <abstractions/common/bwrap> include <abstractions/common/bwrap>
include <abstractions/common/chromium> include <abstractions/common/chromium>
include <abstractions/graphics> include <abstractions/desktop>
include <abstractions/desktop> include <abstractions/fontconfig-cache-read>
include <abstractions/ssl_certs> include <abstractions/graphics>
include <abstractions/fontconfig-cache-read> include <abstractions/nameservice-strict>
include <abstractions/audio-client> include <abstractions/ssl_certs>
network netlink raw, network netlink raw,
network netlink dgram, network netlink dgram,
network inet stream, network inet stream,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
network inet6 stream, network inet6 stream,
@{exec_path} mr, @{exec_path} mr,
@{sh_path} r, @{sh_path} r,
@{bin}/basename rix, @{bin}/basename rix,
@{bin}/bwrap rix, @{bin}/bwrap rix,
@{bin}/id rix, @{bin}/id rix,
@{bin}/mkdir rix, @{bin}/mkdir rix,
/opt/wemeet/bin/** rix, /opt/wemeet/bin/** rix,
/etc/machine-id r, /etc/machine-id r,
/var/cache/ w, /var/cache/ w,
owner @{user_share_dirs}/wemeetapp/ rw, owner @{user_share_dirs}/wemeetapp/ rw,
owner @{user_share_dirs}/wemeetapp/** rwlk -> @{user_share_dirs}/wemeetapp/**, owner @{user_share_dirs}/wemeetapp/** rwlk -> @{user_share_dirs}/wemeetapp/**,
@{PROC}/ r, @{PROC}/ r,
@{PROC}/asound/ r, @{PROC}/asound/ r,
@{PROC}/@{pid}/net/route r, @{PROC}/@{pid}/net/route r,
@{PROC}/@{pid}/net/wireless r, @{PROC}/@{pid}/net/wireless r,
@{PROC}/@{pid}/stat r, @{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/statm r, @{PROC}/@{pid}/statm r,
@{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/fs/inotify/max_user_watches r,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
/dev/ r, /dev/ r,
/dev/tty rw, /dev/tty rw,
/dev/shm/ r, /dev/shm/ r,
include if exists <local/wemeet>
include if exists <local/wemeet>
} }
# vim:syntax=apparmor # vim:syntax=apparmor