mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 00:48:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profiles): a the XDG_IMG_DIR and user_img_dirs variables

Browse source
This commit is contained in:
Alexandre Pujol 2023-02-07 23:15:18 +00:00
parent 11cc454fe2
commit 37dd97a875
Failed to generate hash of commit
29 changed files with 126 additions and 188 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/groups/gvfs/gvfsd-archive
View file

@ -19,9 +19,7 @@ profile gvfsd-archive @{exec_path} {
owner @{MOUNTS}/**.{TAR,TAR.GZ,ZIP} r, owner @{MOUNTS}/**.{TAR,TAR.GZ,ZIP} r,
owner @{HOME}/**.{tar,tar.gz,zip} r, owner @{HOME}/**.{tar,tar.gz,zip} r,
owner @{HOME}/**.{iso,img,bin,mdf,nrg} r, owner @{user_img_dirs}/{,**} r,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
include if exists <local/gvfsd-archive> include if exists <local/gvfsd-archive>
} }

16
apparmor.d/profiles-a-f/blkid
View file

@ -19,23 +19,21 @@ profile blkid @{exec_path} {
/etc/blkid.conf r, /etc/blkid.conf r,
# When the system doesn't have the /run/ dir, the cache file is placed under /etc/
@{etc_rw}/blkid.tab{,-*} rw,
@{etc_rw}/blkid.tab.old rwl -> /etc/blkid.tab,
# Image files
@{user_img_dirs}/{,**} r,
# The standard location of the cache file # The standard location of the cache file
# Without owner here if this tool should be used as a regular user # Without owner here if this tool should be used as a regular user
@{run}/blkid/ rw, @{run}/blkid/ rw,
@{run}/blkid/blkid.tab{,-*} rw, @{run}/blkid/blkid.tab{,-*} rw,
@{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
# When the system doesn't have the /run/ dir, the cache file is placed under /etc/
@{etc_rw}/blkid.tab{,-*} rw,
@{etc_rw}/blkid.tab.old rwl -> /etc/blkid.tab,
# For the EVALUATE=scan method # For the EVALUATE=scan method
@{PROC}/partitions r, @{PROC}/partitions r,
# Image files
@{HOME}/**.{iso,img,bin,mdf,nrg} r,
@{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
@{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
@{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r,
include if exists <local/blkid> include if exists <local/blkid>
} }

5
apparmor.d/profiles-a-f/btrfs
View file

@ -33,10 +33,7 @@ profile btrfs @{exec_path} {
@{MOUNTS}/*/ext2_saved/image rw, @{MOUNTS}/*/ext2_saved/image rw,
# To be able to manage btrfs volumes # To be able to manage btrfs volumes
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, owner @{user_img_dirs}/{,**} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# For fsck of the btrfs filesystem directly from gparted # For fsck of the btrfs filesystem directly from gparted
owner /tmp/gparted-*/ rw, owner /tmp/gparted-*/ rw,

6
apparmor.d/profiles-a-f/btrfs-find-root
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -14,10 +15,7 @@ profile btrfs-find-root @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# A place for file images # A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, owner @{user_img_dirs}/{,**} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/btrfs-find-root> include if exists <local/btrfs-find-root>
} }

10
apparmor.d/profiles-a-f/btrfs-image
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -13,13 +14,10 @@ profile btrfs-image @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
# Image files # Image files
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, owner @{user_img_dirs}/{,**} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner @{PROC}/@{pid}/mounts r,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/btrfs-image> include if exists <local/btrfs-image>
} }

6
apparmor.d/profiles-a-f/btrfs-map-logical
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -14,10 +15,7 @@ profile btrfs-map-logical @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# A place for file images # A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, owner @{user_img_dirs}/{,**} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/btrfs-map-logical> include if exists <local/btrfs-map-logical>
} }

22
apparmor.d/profiles-a-f/cfdisk
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -15,23 +16,20 @@ profile cfdisk @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
owner @{PROC}/@{pid}/mountinfo r,
@{PROC}/partitions r,
/etc/fstab r, /etc/fstab r,
owner @{run}/blkid/blkid.tab{,-*} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# A place for backups # A place for backups
owner @{HOME}/**.{bak,back} rwk, owner @{HOME}/**.{bak,back} rwk,
owner @{MOUNTS}/**.{bak,back} rwk, owner @{MOUNTS}/**.{bak,back} rwk,
# A place for file images
owner @{user_img_dirs}/{,**} rwk,
owner @{run}/blkid/blkid.tab{,-*} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
@{PROC}/partitions r,
owner @{PROC}/@{pid}/mountinfo r,
include if exists <local/cfdisk> include if exists <local/cfdisk>
} }

6
apparmor.d/profiles-a-f/cgdisk
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -16,10 +17,7 @@ profile cgdisk @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# A place for file images # A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, owner @{user_img_dirs}/{,**} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# A place for backups # A place for backups
owner @{HOME}/**.{bak,back} rwk, owner @{HOME}/**.{bak,back} rwk,

10
apparmor.d/profiles-a-f/dumpe2fs
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov # Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -14,14 +15,11 @@ profile dumpe2fs @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# Image files
owner @{user_img_dirs}/{,**} r,
owner @{run}/blkid/blkid.tab{,-*} rw, owner @{run}/blkid/blkid.tab{,-*} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
# Image files
@{HOME}/**.{iso,img,bin,mdf,nrg} r,
@{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
@{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
@{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r,
include if exists <local/dumpe2fs> include if exists <local/dumpe2fs>
} }

5
apparmor.d/profiles-a-f/e2fsck
View file

@ -25,10 +25,7 @@ profile e2fsck @{exec_path} {
/usr/share/file/misc/magic.mgc r, /usr/share/file/misc/magic.mgc r,
# A place for file images # A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, owner @{user_img_dirs}/{,**} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
@{run}/blkid/ rw, @{run}/blkid/ rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,

10
apparmor.d/profiles-a-f/e2image
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -14,14 +15,11 @@ profile e2image @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# A place for the metadata image file
owner @{user_img_dirs}/{,**} rwk,
@{PROC}/swaps r, @{PROC}/swaps r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
# A place for the metadata image file
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/e2image> include if exists <local/e2image>
} }

14
apparmor.d/profiles-a-f/fdisk
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -21,19 +22,16 @@ profile fdisk @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{PROC}/partitions r,
/etc/terminal-colors.d/fdisk.disable r, /etc/terminal-colors.d/fdisk.disable r,
# For disk images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# For backups # For backups
owner @{HOME}/**.{bak,back} rwk, owner @{HOME}/**.{bak,back} rwk,
owner @{MOUNTS}/**.{bak,back} rwk, owner @{MOUNTS}/**.{bak,back} rwk,
# For disk images
owner @{user_img_dirs}/{,**} rwk,
@{PROC}/partitions r,
include if exists <local/fdisk> include if exists <local/fdisk>
} }

6
apparmor.d/profiles-a-f/fsck-fat
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -15,10 +16,7 @@ profile fsck-fat @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# A place for file images # A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, owner @{user_img_dirs}/{,**} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{run}/systemd/fsck.progress rw, owner @{run}/systemd/fsck.progress rw,

34
apparmor.d/profiles-a-f/fuseiso
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov # Copyright (C) 2017-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -11,6 +12,11 @@ profile fuseiso @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
# Be able to mount ISO images
mount fstype=fuse.fuseiso -> @{HOME}/*/,
mount fstype=fuse.fuseiso -> @{HOME}/*/*/,
mount fstype=fuse.fuseiso -> @{HOME}/.cache/**/,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/fusermount{,3} rCx -> fusermount, /{usr/,}bin/fusermount{,3} rCx -> fusermount,
@ -20,22 +26,13 @@ profile fuseiso @{exec_path} {
owner @{HOME}/*/*/ rw, owner @{HOME}/*/*/ rw,
owner @{HOME}/.cache/**/ r, owner @{HOME}/.cache/**/ r,
# Be able to mount ISO images
mount fstype=fuse.fuseiso -> @{HOME}/*/,
mount fstype=fuse.fuseiso -> @{HOME}/*/*/,
mount fstype=fuse.fuseiso -> @{HOME}/.cache/**/,
# Image files to be mounted
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{HOME}/.mtab.fuseiso rwk, owner @{HOME}/.mtab.fuseiso rwk,
owner @{HOME}/.mtab.fuseiso.new rw, owner @{HOME}/.mtab.fuseiso.new rw,
/dev/fuse rw, # Image files to be mounted
owner @{user_img_dirs}/{,**} rwk,
/dev/fuse rw,
profile fusermount { profile fusermount {
include <abstractions/base> include <abstractions/base>
@ -46,23 +43,20 @@ profile fuseiso @{exec_path} {
capability dac_read_search, capability dac_read_search,
/{usr/,}bin/fusermount{,3} mr,
mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/, mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/,
mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/*/, mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/*/,
mount fstype={fuse,fuse.fuseiso} -> @{HOME}/.cache/**/, mount fstype={fuse,fuse.fuseiso} -> @{HOME}/.cache/**/,
/dev/fuse rw, /{usr/,}bin/fusermount{,3} mr,
/etc/fuse.conf r, /etc/fuse.conf r,
# Image files to be mounted
owner @{user_img_dirs}/{,**} r,
@{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/mounts r,
# Image files to be mounted /dev/fuse rw,
owner @{HOME}/**.{iso,img,bin,mdf,nrg} r,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r,
} }

10
apparmor.d/profiles-g-l/gdisk
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -22,15 +23,12 @@ profile gdisk @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# For disk images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# For backups # For backups
owner @{HOME}/**.{bak,back} rwk, owner @{HOME}/**.{bak,back} rwk,
owner @{MOUNTS}/**.{bak,back} rwk, owner @{MOUNTS}/**.{bak,back} rwk,
# For disk images
owner @{user_img_dirs}/{,**} rwk,
include if exists <local/gdisk> include if exists <local/gdisk>
} }

10
apparmor.d/profiles-g-l/hdparm
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov # Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -25,14 +26,11 @@ profile hdparm @{exec_path} flags=(complain) {
/etc/hdparm.conf r, /etc/hdparm.conf r,
# Image files
owner @{user_img_dirs}/{,**} r,
# for hdparm --fibmap # for hdparm --fibmap
@{PROC}/devices r, @{PROC}/devices r,
# Image files
@{HOME}/**.{iso,img,bin,mdf,nrg} r,
@{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
@{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
@{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r,
include if exists <local/hdparm> include if exists <local/hdparm>
} }

18
apparmor.d/profiles-m-r/mke2fs
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -24,20 +25,17 @@ profile mke2fs @{exec_path} {
/etc/mke2fs.conf r, /etc/mke2fs.conf r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/swaps r,
owner @{run}/blkid/blkid.tab{,-*} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
# A place for file images # A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, owner @{user_img_dirs}/{,**} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# For virt-resize # For virt-resize
owner /var/tmp/.guestfs-[0-9]*/** rwk, owner /var/tmp/.guestfs-[0-9]*/** rwk,
owner @{run}/blkid/blkid.tab{,-*} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
@{PROC}/swaps r,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/mke2fs> include if exists <local/mke2fs>
} }

12
apparmor.d/profiles-m-r/mkfs-btrfs
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -17,16 +18,13 @@ profile mkfs-btrfs @{exec_path} {
/dev/btrfs-control rw, /dev/btrfs-control rw,
# A place for file images
owner @{user_img_dirs}/{,**} rwk,
@{run}/blkid/blkid.* rw, @{run}/blkid/blkid.* rw,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/swaps r, @{PROC}/swaps r,
owner @{PROC}/@{pid}/mounts r,
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/mkfs-btrfs> include if exists <local/mkfs-btrfs>
} }

10
apparmor.d/profiles-m-r/mkfs-fat
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -14,13 +15,10 @@ profile mkfs-fat @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
# A place for file images # A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, owner @{user_img_dirs}/{,**} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner @{PROC}/@{pid}/mounts r,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/mkfs-fat> include if exists <local/mkfs-fat>
} }

5
apparmor.d/profiles-m-r/mount
View file

@ -52,10 +52,7 @@ profile mount @{exec_path} flags=(complain) {
/media/cdrom[0-9]/ r, /media/cdrom[0-9]/ r,
# Mount iso/img files # Mount iso/img files
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, owner @{user_img_dirs}/{,**} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{run}/mount/ rw, owner @{run}/mount/ rw,
owner @{run}/mount/utab{,.*} rw, owner @{run}/mount/utab{,.*} rw,

6
apparmor.d/profiles-m-r/mtools
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -24,10 +25,7 @@ profile mtools @{exec_path} {
owner @{HOME}/.mtoolsrc r, owner @{HOME}/.mtoolsrc r,
# A place for file images # A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, owner @{user_img_dirs}/{,**} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
/dev/shm/*/**.{iso,img,bin,mdf,nrg} rwk, /dev/shm/*/**.{iso,img,bin,mdf,nrg} rwk,
/dev/shm/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, /dev/shm/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,

34
apparmor.d/profiles-m-r/parted
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -33,21 +34,17 @@ profile parted @{exec_path} {
/{usr/,}{s,}bin/dmidecode rPx, /{usr/,}{s,}bin/dmidecode rPx,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/swaps r,
@{PROC}/devices r,
/dev/mapper/ r,
/dev/mapper/control rw,
/etc/inputrc r, /etc/inputrc r,
# Image files # Image files
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, owner @{user_img_dirs}/{,**} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
@{PROC}/devices r,
@{PROC}/swaps r,
owner @{PROC}/@{pid}/mounts r,
/dev/mapper/ r,
/dev/mapper/control rw,
profile udevadm { profile udevadm {
include <abstractions/base> include <abstractions/base>
@ -58,21 +55,18 @@ profile parted @{exec_path} {
/etc/udev/udev.conf r, /etc/udev/udev.conf r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/cmdline r,
@{PROC}/1/sched r,
@{PROC}/1/environ r,
@{PROC}/1/cgroup r, @{PROC}/1/cgroup r,
@{PROC}/1/environ r,
@{PROC}/1/sched r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/stat r,
# file_inherit # file_inherit
include <abstractions/disks-write> # lots of files in this abstraction get inherited include <abstractions/disks-write> # lots of files in this abstraction get inherited
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, owner @{user_img_dirs}/{,**} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
} }

10
apparmor.d/profiles-m-r/resize2fs
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -19,14 +20,11 @@ profile resize2fs @{exec_path} {
/ r, / r,
/.ismount-test-file rw, /.ismount-test-file rw,
# A place for file images
owner @{user_img_dirs}/{,**} rwk,
@{PROC}/swaps r, @{PROC}/swaps r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/resize2fs> include if exists <local/resize2fs>
} }

10
apparmor.d/profiles-s-z/sfdisk
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -22,15 +23,12 @@ profile sfdisk @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# For disk images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# For backups # For backups
owner @{HOME}/**.{bak,back} rwk, owner @{HOME}/**.{bak,back} rwk,
owner @{MOUNTS}/*/**.{bak,back} rwk, owner @{MOUNTS}/*/**.{bak,back} rwk,
# For disk images
owner @{user_img_dirs}/{,**} rwk,
include if exists <local/sfdisk> include if exists <local/sfdisk>
} }

10
apparmor.d/profiles-s-z/sgdisk
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -22,15 +23,12 @@ profile sgdisk @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# For disk images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# For backups # For backups
owner @{HOME}/**.{bak,back} rwk, owner @{HOME}/**.{bak,back} rwk,
owner @{MOUNTS}/**.{bak,back} rwk, owner @{MOUNTS}/**.{bak,back} rwk,
# For disk images
owner @{user_img_dirs}/{,**} rwk,
include if exists <local/sgdisk> include if exists <local/sgdisk>
} }

16
apparmor.d/profiles-s-z/tune2fs
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -11,27 +12,24 @@ profile tune2fs @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/disks-write> include <abstractions/disks-write>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
include <abstractions/private-files-strict> include <abstractions/private-files-strict>
include <abstractions/user-download-strict>
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
@{exec_path} mr, @{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/swaps r,
/.ismount-test-file rw, /.ismount-test-file rw,
# Image files
owner @{user_img_dirs}/{,**} rw,
owner @{run}/blkid/blkid.tab{,-*} rw, owner @{run}/blkid/blkid.tab{,-*} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
# Image files @{PROC}/swaps r,
@{HOME}/**.{iso,img,bin,mdf,nrg} rw, owner @{PROC}/@{pid}/mounts r,
@{MOUNTS}/**.{iso,img,bin,mdf,nrg} rw,
@{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rw,
@{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rw,
include if exists <local/tune2fs> include if exists <local/tune2fs>
} }

5
apparmor.d/profiles-s-z/virt-manager
View file

@ -72,10 +72,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
# For disk images # For disk images
@{MOUNTS}/ r, @{MOUNTS}/ r,
@{HOME}/**.{iso,img,bin,mdf,nrg} r, @{user_img_dirs}/{,**} r,
@{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
@{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
@{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r,
# System VM images # System VM images
/var/lib/libvirt/images/{,**} rw, /var/lib/libvirt/images/{,**} rw,

2
apparmor.d/tunables/xdg-user-dirs
View file

@ -30,6 +30,7 @@
@{XDG_GAMES_DIR}=".games" @{XDG_GAMES_DIR}=".games"
@{XDG_VM_DIR}=".vm" @{XDG_VM_DIR}=".vm"
@{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers" @{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers"
@{XDG_IMG_DIR}="images"
# User personal keyrings # User personal keyrings
@{XDG_SSH_DIR}=".ssh" @{XDG_SSH_DIR}=".ssh"
@ -55,6 +56,7 @@
@{user_build_dirs}="/tmp/" @{user_build_dirs}="/tmp/"
@{user_pkg_dirs}="/tmp/pkg/" @{user_pkg_dirs}="/tmp/pkg/"
@{user_tmp_dirs}=@{run}/user/@{uid} /tmp/ @{user_tmp_dirs}=@{run}/user/@{uid} /tmp/
@{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}
# Other user directories # Other user directories
@{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR} @{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}

2
docs/variables.md
View file

@ -23,6 +23,7 @@ title: Variables References
| Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` | | Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` |
| Vm | `@{XDG_VM_DIR}` | `.vm` | Vm | `@{XDG_VM_DIR}` | `.vm`
| Wallpapers | `@{XDG_WALLPAPERS_DIR}` | `@{XDG_PICTURES_DIR}/Wallpapers` | | Wallpapers | `@{XDG_WALLPAPERS_DIR}` | `@{XDG_PICTURES_DIR}/Wallpapers` |
| Disk images | `@{XDG_IMG_DIR}` | `images` |
### Dotfiles ### Dotfiles
@ -67,6 +68,7 @@ title: Variables References
| Videos | `@{user_videos_dirs}` | `@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}` | | Videos | `@{user_videos_dirs}` | `@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}` |
| Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` | Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}`
| Password | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | | Password | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` |
| Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` |
## System variables ## System variables