mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-14 23:43:56 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

chore: enforce indentation consistency across profile.

Browse Source
This commit is contained in:
Alexandre Pujol 2024-10-16 23:36:13 +01:00
parent 6e2d817805
commit 37bafddc80
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
30 changed files with 181 additions and 182 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apparmor.d/groups/avahi/avahi-browse
View File

@ -15,7 +15,7 @@ profile avahi-browse @{exec_path} {
include <abstractions/consoles>
dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int}
interface=org.freedesktop.Avahi.ServiceTypeBrowser
interface=org.freedesktop.Avahi.ServiceTypeBrowser
member={ItemNew,AllForNow,CacheExhausted}
peer=(name=:*, label=avahi-daemon),

2
apparmor.d/groups/browsers/msedge
View File

@ -26,7 +26,7 @@ profile msedge @{exec_path} {
@{lib_dirs}/xdg-mime rix, #-> xdg-mime,
@{lib_dirs}/xdg-settings rix, #-> xdg-settings,
@{lib_dirs}/microsoft-edge{,beta,-dev} rPx,
@{lib_dirs}/chrome_crashpad_handler rPx -> msedge//&msedge-crashpad-handler,

8
apparmor.d/groups/bus/ibus-memconf
View File

@ -16,10 +16,10 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) {
signal (receive) set=(term) peer=ibus-daemon,
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=:*, label=gnome-shell),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=:*, label=gnome-shell),
@{exec_path} mr,

2
apparmor.d/groups/cron/cron
View File

@ -74,7 +74,7 @@ profile cron @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/#@{int} rw,
include if exists <local/cron_run-parts>
include if exists <local/cron_run-parts>
}
include if exists <local/cron>

2
apparmor.d/groups/gnome/gnome-software
View File

@ -128,7 +128,7 @@ profile gnome-software @{exec_path} {
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/dev/fuse rw,
deny owner @{user_share_dirs}/gvfs-metadata/* r,
profile gpg {

2
apparmor.d/groups/hyprland/hyprland
View File

@ -39,7 +39,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) {
owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
@{run}/systemd/sessions/@{int} r,
@{run}/udev/data/+acpi:* r, # for acpi
@{run}/udev/data/+dmi:id r, # for motherboard info
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs

2
apparmor.d/groups/network/iwd
View File

@ -22,7 +22,7 @@ profile iwd @{exec_path} {
network netlink dgram,
network alg seqpacket,
@{exec_path} mr,
@{exec_path} mr,
/etc/iwd/{,**} r,
/var/lib/iwd/{,**} rw,

4
apparmor.d/groups/network/mullvad-daemon
View File

@ -48,9 +48,9 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
owner /var/cache/mullvad-vpn/{,*} rw,
owner /var/log/mullvad-vpn/{,*} rw,
owner /var/log/private/mullvad-vpn/*.log rw,
@{run}/NetworkManager/resolv.conf r,
owner @{run}/mullvad-vpn rw,
@{run}/NetworkManager/resolv.conf r,
@{sys}/fs/cgroup/net_cls/ w,
@{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w,

12
apparmor.d/groups/ssh/ssh-agent-launch
View File

@ -25,14 +25,14 @@ profile ssh-agent-launch @{exec_path} {
include <abstractions/bus-session>
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=UpdateActivationEnvironment
peer=(name=org.freedesktop.DBus, label=dbus-session),
interface=org.freedesktop.DBus
member=UpdateActivationEnvironment
peer=(name=org.freedesktop.DBus, label=dbus-session),
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=SetEnvironment
peer=(name=org.freedesktop.systemd1),
interface=org.freedesktop.systemd1.Manager
member=SetEnvironment
peer=(name=org.freedesktop.systemd1),
@{bin}/dbus-update-activation-environment mr,

4
apparmor.d/groups/systemd/bootctl
View File

@ -67,8 +67,8 @@ profile bootctl @{exec_path} {
@{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,
@{sys}/firmware/efi/fw_platform_size r,
@{PROC}/sys/kernel/random/poolsize r,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/sys/kernel/random/poolsize r,
owner @{PROC}/@{pid}/cgroup r,
# Inherit silencer
deny network inet6 stream,

2
apparmor.d/groups/whonix/systemcheck-canary
View File

@ -12,7 +12,7 @@ profile systemcheck-canary @{exec_path} {
include <abstractions/nameservice-strict>
@{exec_path} mr,
@{bin}/sleep rix,
@{bin}/grep rix,
@{bin}/whoami rix,

2
apparmor.d/profiles-a-f/cups-backend-pdf
View File

@ -21,7 +21,7 @@ profile cups-backend-pdf @{exec_path} {
unix peer=(label=cupsd),
@{exec_path} mr,
@{sh_path} rix,
@{bin}/cp rix,
@{bin}/gs rix,

2
apparmor.d/profiles-a-f/cups-backend-snmp
View File

@ -16,7 +16,7 @@ profile cups-backend-snmp @{exec_path} {
network netlink raw,
@{exec_path} mr,
/etc/cups/snmp.conf r,
/etc/papersize r,

2
apparmor.d/profiles-a-f/cups-notifier-dbus
View File

@ -17,7 +17,7 @@ profile cups-notifier-dbus @{exec_path} {
signal (receive) set=(term) peer=cupsd,
@{exec_path} mr,
owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw,
owner @{tmp}/cups-dbus-notifier-lockfile rwk,

2
apparmor.d/profiles-a-f/cups-notifier-mailto
View File

@ -11,7 +11,7 @@ profile cups-notifier-mailto @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/cups-notifier-mailto>
}

2
apparmor.d/profiles-a-f/cups-notifier-rss
View File

@ -11,7 +11,7 @@ profile cups-notifier-rss @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/cups-notifier-rss>
}

18
apparmor.d/profiles-g-l/gamemoded
View File

@ -40,23 +40,23 @@ profile gamemoded @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/authentication>
include <abstractions/nameservice-strict>
capability audit_write,
capability mknod,
capability setgid,
capability sys_ptrace,
ptrace read peer=gamemoded,
network netlink raw,
@{bin}/pkexec mr,
@{lib}/gamemode/{,**} r,
@{lib}/gamemode/cpugovctl ix,
@{lib}/gamemode/gpuclockctl ix,
@{lib}/gamemode/procsysctl ix,
/etc/security/limits.d/ r,
/etc/security/limits.d/@{int}-gamemode.conf r,
/etc/shells r,
@ -66,15 +66,15 @@ profile gamemoded @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/cpu@{int}/cpufreq r,
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw,
@{PROC}/@{pid}/fdinfo/@{int} r,
@{PROC}/@{pid}/loginuid r,
@{PROC}/@{pid}/stat r,
@{PROC}/sys/kernel/split_lock_mitigate rw,
include if exists <local/gamemoded_pkexec>
}
include if exists <local/gamemoded>
}

2
apparmor.d/profiles-g-l/ifup
View File

@ -85,7 +85,7 @@ profile ifup @{exec_path} {
/etc/network/if-up.d/ r,
/etc/network/if-up.d/*resolvconf rPUx,
/etc/network/if-up.d/resolved rPUx,
/etc/network/if-up.d/resolved rPUx,
/etc/network/if-up.d/chrony rPUx,
/etc/network/if-up.d/ethtool rPUx,
/etc/network/if-up.d/ifenslave rPUx,

48
apparmor.d/profiles-g-l/linuxqq
View File

@ -13,38 +13,38 @@ include <tunables/global>
@{exec_path} = @{bin}/linuxqq @{lib_dirs}/qq
profile linuxqq @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/audio-client>
include <abstractions/common/electron>
include <abstractions/fontconfig-cache-read>
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/audio-client>
include <abstractions/common/electron>
include <abstractions/fontconfig-cache-read>
network netlink raw,
network netlink dgram,
network inet stream,
network inet dgram,
network inet6 dgram,
network inet6 stream,
network netlink raw,
network netlink dgram,
network inet stream,
network inet dgram,
network inet6 dgram,
network inet6 stream,
@{exec_path} mrix,
@{exec_path} mrix,
@{sh_path} r,
@{bin}/grep rix,
@{lib_dirs}/chrome_crashpad_handler ix,
@{lib_dirs}/resources/app/{,**} m,
@{open_path} rPx -> child-open-strict,
@{sh_path} r,
@{bin}/grep rix,
@{lib_dirs}/chrome_crashpad_handler ix,
@{lib_dirs}/resources/app/{,**} m,
@{open_path} rPx -> child-open-strict,
/etc/machine-id r,
/etc/machine-id r,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/utmp r,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/utmp r,
owner @{PROC}/@{pid}/loginuid r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/loginuid r,
owner @{PROC}/@{pid}/mounts r,
/dev/tty rw,
/dev/tty rw,
include if exists <local/linuxqq>
include if exists <local/linuxqq>
}
# vim:syntax=apparmor

4
apparmor.d/profiles-m-r/mutt
View File

@ -27,14 +27,14 @@ profile mutt @{exec_path} {
# There are countless programs that can be executed from the mailcap.
# This profile includes only the most basic.
@{sh_path} rix,
@{lib}/{,sendmail/}sendmail rPUx,
@{bin}/ispell rPUx,
@{bin}/abook rPUx,
@{bin}/mutt_dotlock rix,
# Misc mutt scripts
@{lib}/mutt/* rix,
@{bin}/w3m rCx -> html-renderer,
@{bin}/lynx rCx -> html-renderer,
@{editor_path} rCx -> editor,

2
apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
View File

@ -26,7 +26,7 @@ profile needrestart-iucode-scan-versions @{exec_path} {
/boot/intel-ucode.img r,
/boot/early_ucode.cpio r,
@{sys}/devices/system/cpu/cpu@{int}/microcode/processor_flags r,
/dev/tty rw,

6
apparmor.d/profiles-m-r/qbittorrent
View File

@ -42,7 +42,7 @@ profile qbittorrent @{exec_path} {
interface=org.kde.StatusNotifierItem
member={NewToolTip,NewIcon}
peer=(name=org.freedesktop.DBus),
dbus receive bus=session path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member=Activate
@ -52,12 +52,12 @@ profile qbittorrent @{exec_path} {
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus send bus=session path=/MenuBar
interface=com.canonical.dbusmenu
member=ItemsPropertiesUpdated
peer=(name=org.freedesktop.DBus),
dbus receive bus=session path=/MenuBar
interface=com.canonical.dbusmenu
member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}

2
apparmor.d/profiles-m-r/qbittorrent-nox
View File

@ -51,7 +51,7 @@ profile qbittorrent-nox @{exec_path} {
/dev/disk/by-label/ r,
/dev/shm/#@{int} rw,
deny owner @{user_share_dirs}/data/qBittorrent/ rw, # Old dir, not recommended to use
include if exists <local/qbittorrent-nox>

2
apparmor.d/profiles-s-z/sensors-detect
View File

@ -15,7 +15,7 @@ profile sensors-detect @{exec_path} {
capability syslog,
@{exec_path} rm,
@{bin}/kmod rCx -> kmod,
@{bin}/perl r,
@{bin}/systemctl rCx -> systemctl,

2
apparmor.d/profiles-s-z/session-desktop
View File

@ -28,7 +28,7 @@ profile session-desktop @{exec_path} {
network netlink raw,
@{exec_path} mrix,
@{lib_dirs}/resources/app.asar.unpacked/ts/webworker/workers/node/**.node mr,
@{open_path} rPx -> child-open-strict,

2
apparmor.d/profiles-s-z/totem
View File

@ -83,7 +83,7 @@ profile totem @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/task/@{tid}/comm w,
/dev/ r,
include if exists <local/totem_bwrap>
}

76
apparmor.d/profiles-s-z/ufw
View File

@ -9,54 +9,54 @@ include <tunables/global>
@{exec_path} = @{bin}/ufw
profile ufw @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/nameservice-strict>
include <abstractions/python>
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/nameservice-strict>
include <abstractions/python>
capability dac_read_search,
capability net_admin,
capability net_raw,
capability sys_ptrace,
capability dac_read_search,
capability net_admin,
capability net_raw,
capability sys_ptrace,
network inet dgram,
network inet raw,
network inet6 dgram,
network inet6 raw,
network netlink raw,
network inet dgram,
network inet raw,
network inet6 dgram,
network inet6 raw,
network netlink raw,
ptrace read,
ptrace read,
@{exec_path} mr,
@{exec_path} mr,
@{bin}/ r,
@{bin}/cat ix,
@{bin}/env r,
@{bin}/python3.@{int} ix,
@{bin}/sysctl ix,
@{bin}/xtables-legacy-multi ix,
@{bin}/xtables-nft-multi ix,
@{lib}/ufw/ufw-init ix,
@{bin}/ r,
@{bin}/cat ix,
@{bin}/env r,
@{bin}/python3.@{int} ix,
@{bin}/sysctl ix,
@{bin}/xtables-legacy-multi ix,
@{bin}/xtables-nft-multi ix,
@{lib}/ufw/ufw-init ix,
/etc/default/ufw rw,
/etc/ufw/ rw,
/etc/ufw/** rwk,
/etc/default/ufw rw,
/etc/ufw/ rw,
/etc/ufw/** rwk,
@{run}/xtables.lock rwk,
owner @{run}/ufw.lock rwk,
@{run}/xtables.lock rwk,
owner @{run}/ufw.lock rwk,
owner @{tmp}/@{word8} rw,
owner @{tmp}/tmp@{word8} rw,
owner /var/tmp/@{word8} rw,
owner /var/tmp/tmp@{word8} rw,
owner @{tmp}/@{word8} rw,
owner @{tmp}/tmp@{word8} rw,
owner /var/tmp/@{word8} rw,
owner /var/tmp/tmp@{word8} rw,
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/net/ip_tables_names r,
@{PROC}/@{pid}/stat r,
@{PROC}/sys/net/ipv{4,6}/** rw,
@{PROC}/sys/kernel/modprobe r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/net/ip_tables_names r,
@{PROC}/@{pid}/stat r,
@{PROC}/sys/net/ipv{4,6}/** rw,
@{PROC}/sys/kernel/modprobe r,
include if exists <local/ufw>
include if exists <local/ufw>
}
# vim:syntax=apparmor

2
apparmor.d/profiles-s-z/update-pciids
View File

@ -38,7 +38,7 @@ profile update-pciids @{exec_path} {
/usr/share/misc/ r,
/usr/share/misc/* rwl -> /usr/share/misc/*,
# For shell pwd
# For shell pwd
/root/ r,

66
apparmor.d/profiles-s-z/wechat-universal
View File

@ -13,48 +13,48 @@ include <tunables/global>
@{exec_path} = @{bin}/wechat-universal @{lib_dirs}/wechat
profile wechat-universal @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/audio-client>
include <abstractions/common/electron>
include <abstractions/common/bwrap>
include <abstractions/fontconfig-cache-read>
include <abstractions/app/bus>
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/audio-client>
include <abstractions/common/electron>
include <abstractions/common/bwrap>
include <abstractions/fontconfig-cache-read>
include <abstractions/app/bus>
network netlink raw,
network netlink dgram,
network inet stream,
network inet dgram,
network inet6 dgram,
network inet6 stream,
network netlink raw,
network netlink dgram,
network inet stream,
network inet dgram,
network inet6 dgram,
network inet6 stream,
@{exec_path} mrix,
@{exec_path} mrix,
@{sh_path} rix,
@{lib}/wechat-universal/common.sh ix,
@{bin}/sed ix,
@{bin}/ln ix,
@{bin}/mkdir ix,
@{bin}/lsblk Px,
@{bin}/bwrap rix,
@{bin}/xdg-user-dir rix,
@{lib_dirs}/crashpad_handler ix,
@{open_path} rPx -> child-open-strict,
@{sh_path} rix,
@{lib}/wechat-universal/common.sh ix,
@{bin}/sed ix,
@{bin}/ln ix,
@{bin}/mkdir ix,
@{bin}/lsblk Px,
@{bin}/bwrap rix,
@{bin}/xdg-user-dir rix,
@{lib_dirs}/crashpad_handler ix,
@{open_path} rPx -> child-open-strict,
/etc/lsb-release r,
/etc/lsb-release r,
owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk,
owner @{HOME}/.xwechat/{,**} rwk,
owner @{HOME}/.sys1og.conf rw,
owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk,
owner @{HOME}/.xwechat/{,**} rwk,
owner @{HOME}/.sys1og.conf rw,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/utmp r,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/utmp r,
@{PROC}/@{pid}/net/route r,
@{PROC}/@{pid}/net/route r,
/dev/tty rw,
/dev/tty rw,
include if exists <local/wechat-universal>
include if exists <local/wechat-universal>
}
# vim:syntax=apparmor

79
apparmor.d/profiles-s-z/wemeet
View File

@ -10,54 +10,53 @@ include <tunables/global>
@{exec_path} += /opt/wemeet/bin/wemeetapp
@{exec_path} += /opt/wemeet/bin/QtWebEngineProcess
profile wemeet @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/nameservice-strict>
include <abstractions/common/bwrap>
include <abstractions/common/chromium>
include <abstractions/graphics>
include <abstractions/desktop>
include <abstractions/ssl_certs>
include <abstractions/fontconfig-cache-read>
include <abstractions/audio-client>
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/audio-client>
include <abstractions/common/bwrap>
include <abstractions/common/chromium>
include <abstractions/desktop>
include <abstractions/fontconfig-cache-read>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
network netlink raw,
network netlink dgram,
network inet stream,
network inet dgram,
network inet6 dgram,
network inet6 stream,
network netlink raw,
network netlink dgram,
network inet stream,
network inet dgram,
network inet6 dgram,
network inet6 stream,
@{exec_path} mr,
@{exec_path} mr,
@{sh_path} r,
@{bin}/basename rix,
@{bin}/bwrap rix,
@{bin}/id rix,
@{bin}/mkdir rix,
/opt/wemeet/bin/** rix,
@{sh_path} r,
@{bin}/basename rix,
@{bin}/bwrap rix,
@{bin}/id rix,
@{bin}/mkdir rix,
/opt/wemeet/bin/** rix,
/etc/machine-id r,
/var/cache/ w,
/etc/machine-id r,
/var/cache/ w,
owner @{user_share_dirs}/wemeetapp/ rw,
owner @{user_share_dirs}/wemeetapp/** rwlk -> @{user_share_dirs}/wemeetapp/**,
owner @{user_share_dirs}/wemeetapp/ rw,
owner @{user_share_dirs}/wemeetapp/** rwlk -> @{user_share_dirs}/wemeetapp/**,
@{PROC}/ r,
@{PROC}/asound/ r,
@{PROC}/@{pid}/net/route r,
@{PROC}/@{pid}/net/wireless r,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/statm r,
@{PROC}/sys/fs/inotify/max_user_watches r,
owner @{PROC}/@{pid}/cmdline r,
@{PROC}/ r,
@{PROC}/asound/ r,
@{PROC}/@{pid}/net/route r,
@{PROC}/@{pid}/net/wireless r,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/statm r,
@{PROC}/sys/fs/inotify/max_user_watches r,
owner @{PROC}/@{pid}/cmdline r,
/dev/ r,
/dev/tty rw,
/dev/shm/ r,
include if exists <local/wemeet>
/dev/ r,
/dev/tty rw,
/dev/shm/ r,
include if exists <local/wemeet>
}
# vim:syntax=apparmor