chore(profile): remove trailing whitespace in profiles.

This commit is contained in:
Alexandre Pujol 2024-10-22 20:03:24 +01:00
parent 88b362f7fb
commit 38b973c596
143 changed files with 184 additions and 181 deletions


@ -46,7 +46,7 @@
/etc/machine-id r,
/var/db/sudo/lectured/ r,
owner /var/lib/sudo/ts/ rw,
owner /var/lib/sudo/ts/ rw,
owner /var/lib/sudo/ts/@{uid} rwk,
owner /var/log/sudo.log wk,


@ -18,7 +18,7 @@
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=geoclue),
dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
interface=org.freedesktop.DBus.Properties
member=GetAll


@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# A minimal set of rules for sandboxed programs using bwrap.
# A minimal set of rules for sandboxed programs using bwrap.
# A profile using this abstraction still needs to set:
# - the flag: attach_disconnected
# - bwrap execution: '@{bin}/bwrap rix,'


@ -2,8 +2,8 @@
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Minimal set of rules for all electron based UI application. It works as a
# *function* and requires some variables to be provided as *arguments* and set
# Minimal set of rules for all electron based UI application. It works as a
# *function* and requires some variables to be provided as *arguments* and set
# in the header of the calling profile. Example:
#
# @{name} = spotify


@ -23,7 +23,7 @@
owner @{share_dirs}/logs/* rwk,
owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw,
owner @{share_dirs}/steamapps/ r,
owner @{share_dirs}/steamapps/appmanifest_* rw,
owner @{share_dirs}/steamapps/appmanifest_* rw,
owner @{share_dirs}/steamapps/shadercache/{,**} rwk,
owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw,


@ -21,7 +21,7 @@
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
member=Introspect
peer=(name=:*, label=gnome-shell),
/usr/{local/,}share/ r,


@ -3,7 +3,7 @@
# SPDX-License-Identifier: GPL-2.0-only
# The Direct Rendering Infrastructure (DRI) is the framework comprising the modern
# Linux graphics stack which allows unprivileged user-space programs to issue
# Linux graphics stack which allows unprivileged user-space programs to issue
# commands to graphics hardware without conflicting with other programs.
abi <abi/4.0>,


@ -13,7 +13,7 @@
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
member=Introspect
peer=(name=:*, label=gnome-shell),
/usr/share/desktop-base/{,**} r,


@ -9,7 +9,6 @@
@{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,
@{lib}/frei0r-@{int}/*.so mr,
# FIXME: not compatible with FSP mode due conflicting x modifiers
@{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rix,
@{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rix,
@{lib}/gstreamer-1.0/gst-plugin-scanner rix,
@ -40,7 +39,7 @@
@{run}/udev/data/+usb:* r, # For /dev/bus/usb/**
@{run}/udev/data/c81:@{int} r, # For video4linux
@{run}/udev/data/c189:@{int} r, # For USB serial converters
@{run}/udev/data/c189:@{int} r, # For USB serial converters
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
@{sys}/bus/ r,
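Review bot: The first hunk of this section, `@ -9,7 +9,6 @@`, records one line removed with nothing added, yet the rendered view shows no rule dropped, so the deleted line is most likely a blank one; please confirm, because the hunk sits among the `gst-plugin-scanner rix,` rules and losing one of those would silently narrow what the abstraction permits under a commit titled as whitespace-only. The same net deletion appears in the btrfs section at `@ -59,7 +59,6 @@`. If either hunk removes anything other than whitespace, say so in the commit description.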


@ -18,7 +18,7 @@
/usr/share/hwdata/pnp.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/lxqt/** r,
owner @{HOME}/.Xdefaults r,
owner @{user_cache_dirs}/lxqt-notificationd/* r,


@ -6,12 +6,12 @@
abi <abi/4.0>,
/usr/share/uim/* r,
/var/lib/uim/* r,
owner @{HOME}/.uim.d/customs/* r,
owner @{HOME}/.XCompose r,
owner @{run}/user/@{uid}/uim/socket/uim-helper rw,
include if exists <abstractions/uim.d>


@ -22,7 +22,7 @@ profile akonadi_followupreminder_agent @{exec_path} {
owner @{user_config_dirs}/akonadi_followupreminder_agentrc r,
owner @{user_config_dirs}/akonadi/ rw,
owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
/dev/tty r,
include if exists <local/akonadi_followupreminder_agent>


@ -22,7 +22,7 @@ profile akonadi_ical_resource @{exec_path} {
owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
owner @{user_share_dirs}/apps/korganizer/{,**} rw,
/dev/tty r,
include if exists <local/akonadi_ical_resource>


@ -34,7 +34,7 @@ profile akonadi_mailfilter_agent @{exec_path} {
owner @{user_config_dirs}/emailidentities* rwl,
owner @{user_config_dirs}/kmail2rc r,
owner @{tmp}/#@{int} rw,
owner @{tmp}/akonadi_mailfilter_agent.* rwl,


@ -20,7 +20,7 @@ profile akonadi_migration_agent @{exec_path} {
owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
owner @{user_share_dirs}/akonadi_migration_agent/{,**} rw,
/dev/tty r,
include if exists <local/akonadi_migration_agent>


@ -22,7 +22,7 @@ profile apt-helper @{exec_path} {
profile systemctl {
include <abstractions/base>
include <abstractions/app/systemctl>
capability net_admin,
include if exists <local/apt-helper_systemctl>


@ -78,7 +78,7 @@ profile apt-key @{exec_path} {
@{bin}/gpg-connect-agent rix,
/usr/share/gnupg/sks-keyservers.netCA.pem r,
/etc/hosts r,
/etc/inputrc r,
@ -96,7 +96,7 @@ profile apt-key @{exec_path} {
owner @{tmp}/apt-key-gpghome.*/ rw,
owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
owner @{tmp}/apt-key-gpghome.*/gpgoutput.{log,err} w,
owner @{run}/user/@{uid}/gnupg/d.*/ rw,
owner @{PROC}/@{pid}/fd/ r,


@ -34,7 +34,7 @@ profile debsign @{exec_path} {
@{bin}/stty rix,
@{bin}/gpg{,2} rCx -> gpg,
/etc/devscripts.conf r,
owner @{HOME}/.devscripts r,


@ -108,7 +108,7 @@ profile reportbug @{exec_path} {
profile systemctl {
include <abstractions/base>
include <abstractions/app/systemctl>
include if exists <local/reportbug_systemctl>
}


@ -37,7 +37,7 @@ profile torbrowser-launcher @{exec_path} flags=(attach_disconnected) {
@{bin}/tail ix,
@{lib_dirs}/execdesktop ix,
@{lib_dirs}/start-tor-browser Px, # torbrowser-start
@{lib_dirs}/start-tor-browser Px, # torbrowser-start
@{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop ix,
/usr/share/file/** r,


@ -9,7 +9,7 @@ include <tunables/global>
@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
@{exec_path} = @{lib_dirs}/TorBrowser/Tor/tor
@{exec_path} = @{lib_dirs}/TorBrowser/Tor/tor
profile torbrowser-tor @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>


@ -4,7 +4,7 @@
# Profile for system dbus, regardless of the dbus implementation used.
# It does not specify an attachment path as it would be the same than
# "dbus-session". It is intended to be used only via "Px ->" or via
# "dbus-session". It is intended to be used only via "Px ->" or via
# systemd drop-in AppArmorProfile= setting.
abi <abi/4.0>,


@ -18,7 +18,7 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) {
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
member=Introspect
peer=(name=:*, label=gnome-shell),
@{exec_path} mr,


@ -9,7 +9,7 @@
# and load the the nvidia kernel module.
# Note: This profile does not specify an attachment path because it is
# intended to be used only via "Px -> child-modprobe-nvidia" exec transitions
# intended to be used only via "Px -> child-modprobe-nvidia" exec transitions
# from other profiles.
abi <abi/4.0>,


@ -31,7 +31,7 @@ profile child-open-any flags=(attach_disconnected) {
/ r,
/usr/ r,
/usr/local/bin/ r,
/dev/tty rw,
include if exists <usr/child-open-any.d>


@ -12,7 +12,7 @@ profile cron-cracklib @{exec_path} {
include <abstractions/consoles>
@{exec_path} r,
@{sh_path} rix,
@{bin}/logger rix,
@{bin}/update-cracklib rPx,


@ -12,7 +12,7 @@ profile cron-etckeeper @{exec_path} {
include <abstractions/consoles>
@{exec_path} r,
@{sh_path} rix,
@{bin}/rm rix,
@{bin}/find rix,


@ -12,7 +12,7 @@ profile cron-sysstat @{exec_path} {
include <abstractions/consoles>
@{exec_path} r,
@{sh_path} rix,
@{lib}/sysstat/sa2 rPx,


@ -32,7 +32,7 @@ profile lightdm-xsession @{exec_path} {
profile systemctl {
include <abstractions/base>
include <abstractions/app/systemctl>
owner @{HOME}/.xsession-errors w,
include if exists <local/lightdm-xsession_systemctl>


@ -68,7 +68,7 @@ profile x11-xsession @{exec_path} {
profile ssh-agent {
include <abstractions/base>
@{bin}/ssh-agent mr,
@{sh_path} rix,


@ -106,7 +106,7 @@ profile xdm-xsession @{exec_path} {
profile systemctl {
include <abstractions/base>
include <abstractions/app/systemctl>
include if exists <local/xdm-xsession_systemctl>
}


@ -41,7 +41,7 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,
owner @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/** rwk,
owner link @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/** -> @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/**,
owner @{user_cache_dirs}/qtshadercache-*/* r,
owner @{tmp}/#@{int} rw,
owner @{tmp}/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int},
# owner /tmp/xauth_@{rand6} r,


@ -84,7 +84,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
/dev/fuse rw,
@{att}/dev/tty@{int} rw,
include if exists <local/xdg-document-portal_fusermount>
}


@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/deja-dup/deja-dup-monitor
@{exec_path} = @{lib}/deja-dup/deja-dup-monitor
profile deja-dup-monitor @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>


@ -51,7 +51,7 @@ profile evolution-addressbook-factory @{exec_path} {
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
member=Introspect
peer=(name=:*, label=gnome-shell),
@{exec_path} mr,


@ -73,7 +73,7 @@ profile gdm-xsession @{exec_path} {
peer=(name=org.freedesktop.systemd1),
@{bin}/dbus-update-activation-environment mr,
owner @{HOME}/.xsession-errors w,
/dev/tty rw,


@ -78,7 +78,7 @@ profile gnome-boxes @{exec_path} {
@{bin}/virsh mr,
@{bin}/pkttyagent r,
owner @{run}/user/@{uid}/libvirt/ r,
owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk,


@ -23,7 +23,7 @@ profile gnome-calendar @{exec_path} {
#aa:dbus own bus=session name=org.gnome.Calendar
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarView label=evolution-calendar-factory
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source label=evolution-source-registry


@ -186,7 +186,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
include <abstractions/common/bwrap>
@{bin}/bwrap mr,
include if exists <local/gnome-control-center_bwrap>
}


@ -70,7 +70,7 @@ profile gnome-control-center-goa-helper @{exec_path} {
include <abstractions/common/bwrap>
@{bin}/bwrap mr,
include if exists <local/gnome-control-center-goa-helper_bwrap>
}


@ -37,7 +37,7 @@ profile gnome-extension-ding @{exec_path} {
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus.Introspectable
member=Introspect
member=Introspect
peer=(name=org.freedesktop.DBus, label=dbus-session),
dbus send bus=session path=/org/freedesktop/DBus


@ -66,7 +66,7 @@ profile gnome-session @{exec_path} {
include <abstractions/consoles>
@{bin}/flatpak mr,
/dev/tty@{int} rw,
include if exists <local/gnome-session_flatpak>


@ -315,7 +315,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
@{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
@{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
@{run}/udev/data/n@{int} r,
@{sys}/**/uevent r,
@ -374,13 +374,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
profile shell flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base>
capability sys_ptrace,
ptrace (read),
@{sh_path} mr,
@{bin}/pmap rix,
@{bin}/grep rix,
@ -414,7 +414,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
deny @{user_share_dirs}/gvfs-metadata/* r,


@ -30,7 +30,7 @@ profile gnome-shell-calendar-server @{exec_path} {
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
member=Introspect
peer=(name=:*, label=gnome-shell),
@{exec_path} mr,


@ -154,10 +154,10 @@ profile gnome-software @{exec_path} {
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw,
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw,
owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
include if exists <local/gnome-software_gpg>
}


@ -17,7 +17,7 @@ profile gsd-disk-utility-notify @{exec_path} {
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
member=Introspect
peer=(name=:*, label=gnome-shell),
@{exec_path} mr,


@ -79,7 +79,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
/dev/media@{int} r,
/dev/video@{int} rw,
# file_inherit
owner /dev/tty@{int} rw,


@ -34,7 +34,7 @@ profile yelp @{exec_path} {
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.current r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.high r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.max r,
@{PROC}/zoneinfo r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r,


@ -16,7 +16,7 @@ profile gvfs-afc-volume-monitor @{exec_path} {
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
member=Introspect
peer=(name=:*, label=gnome-shell),
@{exec_path} mr,


@ -16,7 +16,7 @@ profile gvfs-goa-volume-monitor @{exec_path} {
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
member=Introspect
peer=(name=:*, label=gnome-shell),
dbus send bus=session path=/org/gnome/OnlineAccounts


@ -20,7 +20,7 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} {
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
member=Introspect
peer=(name=:*, label=gnome-shell),
@{exec_path} mr,


@ -21,7 +21,7 @@ profile gvfsd-metadata @{exec_path} {
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
member=Introspect
peer=(name=:*, label=gnome-shell),
@{exec_path} mr,


@ -46,7 +46,7 @@ profile gvfsd-recent @{exec_path} {
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
@{run}/mount/utab r,
owner @{PROC}/@{pid}/mountinfo r,
include if exists <local/gvfsd-recent>


@ -51,7 +51,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+usb* r, # for USB mouse and keyboard
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
@{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
@{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
@{sys}/bus/ r,
@{sys}/class/input/ r,


@ -17,7 +17,7 @@ profile hyprpicker @{exec_path} {
owner @{run}/user/@{uid}/.hyprpicker* rw,
owner /dev/shm/wlroots-@{rand6} r,
owner /dev/tty@{int} rw,
include if exists <local/hyprpicker>


@ -12,7 +12,7 @@ profile baloo @{exec_path} {
include <abstractions/base>
include <abstractions/deny-sensitive-home>
include <abstractions/disks-read>
include <abstractions/fontconfig-cache-write>
include <abstractions/fontconfig-cache-write>
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>


@ -94,7 +94,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
owner @{user_config_dirs}/kxkbrc r,
owner @{user_config_dirs}/menus/{,applications-merged/} r,
owner @{user_config_dirs}/plasmarc r,
owner @{user_config_dirs}/session/* r,
owner @{user_config_dirs}/session/* r,
owner @{user_share_dirs}/kscreen/* r,
owner @{user_share_dirs}/kwin/scripts/{,**} r,


@ -81,7 +81,7 @@ profile okular @{exec_path} {
owner @{tmp}/#@{int} rw,
owner @{tmp}/okular.@{rand6} rwl -> /tmp/#@{int},
owner @{tmp}/okular_@{rand6}.ps rwl -> /tmp/#@{int},
owner @{tmp}/messageviewer_attachment_@{rand6}/{,*} r, # files opened from KMail as mail attachment,
owner @{tmp}/messageviewer_attachment_@{rand6}/{,*} r, # files opened from KMail as mail attachment,
owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/okular@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},


@ -199,7 +199,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
profile systemctl {
include <abstractions/base>
include <abstractions/app/systemctl>
include if exists <local/sddm_systemctl>
}


@ -27,7 +27,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) {
network inet6 raw,
network netlink raw,
network packet raw,
@{exec_path} mr,
@{sh_path} rix,


@ -13,7 +13,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
include <abstractions/nameservice-strict>
capability dac_override,
capability net_admin,
capability fowner,
capability fsetid,


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{name} = Mullvad?VPN
@{lib_dirs} = /opt/@{name}
@{lib_dirs} = /opt/@{name}
@{config_dirs} = @{user_config_dirs}/@{name}
@{cache_dirs} = @{user_cache_dirs}/@{name}


@ -16,7 +16,7 @@ profile nm-online @{exec_path} {
interface=org.freedesktop.NetworkManager.Connection.Active
member=StateChanged
peer=(name=:*, label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int}
interface=org.freedesktop.NetworkManager.Settings.Connection
member=GetSettings


@ -79,7 +79,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
capability mknod,
capability net_admin,
network netlink raw,
/dev/net/tun rw,


@ -21,7 +21,7 @@ profile arch-audit @{exec_path} {
network netlink raw,
@{exec_path} mr,
/etc/arch-audit/settings.toml r,
/usr/share/terminfo/** r,


@ -80,7 +80,7 @@ profile makepkg @{exec_path} {
ptrace read,
signal send set=winch peer=pacman,
signal send set=winch peer=pacman,
signal send set=winch peer=pacman//systemctl,
@{bin}/pacman Px,


@ -16,7 +16,7 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) {
/etc/pacman.conf r,
/etc/pacman.d/mirrorlist r,
/etc/pacman.d/*-mirrorlist r,
/dev/tty@{int} rw,
# Inherit Silencer


@ -55,11 +55,11 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
capability dac_read_search,
@{bin}/pacman mr,
@{bin}/gpg rix,
@{bin}/gpgconf rix,
@{bin}/gpgsm rix,
/etc/pacman.conf r,
/etc/pacman.d/{,**} r,
/etc/pacman.d/gnupg/** rwkl,


@ -35,7 +35,7 @@ profile pacman-key @{exec_path} {
/usr/share/terminfo/** r,
/etc/pacman.d/gnupg/* rw,
/dev/tty rw,
profile gpg {


@ -26,12 +26,12 @@ profile ssh-agent-launch @{exec_path} {
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=UpdateActivationEnvironment
member=UpdateActivationEnvironment
peer=(name=org.freedesktop.DBus, label=dbus-session),
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=SetEnvironment
member=SetEnvironment
peer=(name=org.freedesktop.systemd1),
@{bin}/dbus-update-activation-environment mr,


@ -62,7 +62,7 @@ profile coredumpctl @{exec_path} flags=(complain) {
/etc/inputrc r,
/etc/gdb/** r,
owner /var/tmp/coredump-* rw,
@{PROC}/@{pids}/fd/ r,


@ -27,7 +27,7 @@ profile systemd-cryptsetup @{exec_path} {
@{run}/cryptsetup/ r,
@{run}/cryptsetup/* rwk,
@{run}/systemd/ask-password/* rw,
@{sys}/devices/virtual/bdi/*/read_ahead_kb r,
@{sys}/fs/ r,


@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/systemd/system-generators/ostree-system-generator
@{exec_path} = @{lib}/systemd/system-generators/ostree-system-generator
profile systemd-generator-ostree @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>


@ -19,7 +19,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) {
ptrace (read),
mount options=(rw rshared) -> /,
mount options=(rw rshared) -> /,
mount options=(rw rslave) -> /,
umount /etc/machine-id,


@ -27,7 +27,7 @@ profile systemd-tty-ask-password-agent @{exec_path} {
@{run}/utmp rk,
@{PROC}/@{pids}/stat r,
@{sys}/devices/virtual/tty/console/active r,
@{sys}/devices/virtual/tty/tty@{int}/active r,


@ -18,7 +18,7 @@ profile userdbctl @{exec_path} {
signal send set=cont peer=child-pager,
@{exec_path} mr,
@{pager_path} rPx -> child-pager,
/etc/shadow r,


@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = /usr/share/apport/apport
@{exec_path} = /usr/share/apport/apport
profile apport @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/common/apt>


@ -102,7 +102,7 @@ profile apport-gtk @{exec_path} {
include <abstractions/python>
@{bin}/gdb mr,
@{bin}/iconv rix,
@{bin}/* r,


@ -13,7 +13,7 @@ profile ubuntu-advantage @{exec_path} {
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/python>
include <abstractions/ssl_certs>
include <abstractions/ssl_certs>
capability dac_read_search,
capability setgid,


@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/cni/bandwidth /opt/cni/bin/bandwidth
profile cni-bandwidth @{exec_path} {
include <abstractions/base>
network inet dgram,
network inet6 dgram,
network inet stream,
@ -17,7 +17,7 @@ profile cni-bandwidth @{exec_path} {
network netlink raw,
@{exec_path} mr,
include if exists <local/cni-bandwidth>
}


@ -25,15 +25,15 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
@{exec_path}-ipam rix,
/ r,
/etc/cni/net.d/{,**} r,
/var/lib/calico/{,**} r,
/var/log/calico/cni/ r,
/var/log/calico/cni/*.log rw,
/usr/share/mime/globs2 r,
@{run}/calico/ rw,
@{run}/calico/ipam.lock rwk,
@{run}/netns/cni-@{uuid} r,


@ -21,7 +21,7 @@ profile cni-loopback @{exec_path} flags=(attach_disconnected) {
@{run}/netns/ r,
@{run}/netns/cni-@{uuid} rw,
include if exists <local/cni-loopback>
}


@ -18,7 +18,7 @@ profile cni-portmap @{exec_path} {
@{bin}/xtables-nft-multi rPx -> cni-xtables-nft,
@{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw,
include if exists <local/cni-portmap>
}


@ -76,7 +76,7 @@ profile cockpit-bridge @{exec_path} {
/etc/shadow r,
/etc/shells r,
/ r,
/ r,
@{HOME}/ r,
owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw,


@ -26,7 +26,7 @@ profile cockpit-update-motd @{exec_path} {
profile systemctl {
include <abstractions/base>
include <abstractions/app/systemctl>
capability net_admin,
capability sys_ptrace,


@ -25,7 +25,7 @@ profile virt-aa-helper @{exec_path} {
@{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw,
/etc/libnl{,-3}/classid r, # Allow reading libnl's classid file
# System VM images
/var/lib/libvirt/images/{,**} r,
/var/lib/nova/instances/_base/* r,


@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/msgcollector/msgdispatcher_dispatch_x
@{exec_path} = @{lib}/msgcollector/msgdispatcher_dispatch_x
profile msgdispatcher-dispatch @{exec_path} {
include <abstractions/base>
include <abstractions/python>


@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/helper-scripts/tor_bootstrap_check.py
@{exec_path} = @{lib}/helper-scripts/tor_bootstrap_check.py
profile tor-bootstrap-check @{exec_path} {
include <abstractions/base>
include <abstractions/python>


@ -32,7 +32,7 @@ profile torbrowser-wrapper @{exec_path} {
@{bin}/tty ix,
@{bin}/whoami ix,
@{lib_dirs}/start-tor-browser Px, # torbrowser-start
@{lib_dirs}/start-tor-browser Px, # torbrowser-start
@{lib}/msgcollector/msgcollector Px,
@{lib}/open-link-confirmation/open-link-confirmation Px,
@ -44,11 +44,11 @@ profile torbrowser-wrapper @{exec_path} {
owner @{HOME}/.tb/{,**} rw,
owner @{HOME}/.xsession-errors rw,
owner @{tmp}/tmp.@{rand10} rw,
owner @{run}/mount/utab r,
owner @{PROC}/@{pid}/mountinfo r,
profile sudo {


@ -30,7 +30,7 @@ profile startxfce @{exec_path} {
profile systemctl flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/app/systemctl>
include if exists <local/startxfce_systemctl>
}


@ -57,7 +57,7 @@ profile acpi-powerbtn flags=(attach_disconnected) {
profile systemctl {
include <abstractions/base>
include <abstractions/app/systemctl>
include if exists <local/acpi-powerbtn_systemctl>
}


@ -80,10 +80,10 @@ profile anyremote @{exec_path} {
@{bin}/convert-im6.q16 mr,
/usr/share/anyremote/cfg-data/Icons/common/*.png r,
/usr/share/ImageMagick-[0-9]/*.xml rw,
/etc/ImageMagick-[0-9]/*.xml r,
owner @{HOME}/.anyRemote/*.png rw,
owner @{HOME}/.kde/share/apps/amarok/albumcovers/cache/* r,


@ -47,7 +47,7 @@ profile appstreamcli @{exec_path} flags=(complain) {
/var/log/cron-apt/temp w,
owner /var/cache/app-info/{,**} rw,
owner /var/cache/swcatalog/{,**} rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/appstream-cache-*.mdb rw,
owner @{user_cache_dirs}/appstream/ rw,


@ -111,7 +111,7 @@ profile borg @{exec_path} {
/etc/fuse.conf r,
@{MOUNTS}/ r,
@{MOUNTS}/*/ r,
@{MOUNTS}/*/ r,
@{PROC}/@{pids}/mounts r,


@ -14,7 +14,7 @@ profile briar-desktop-tor {
network netlink raw,
signal send set=term peer=briar-desktop-tor//obfs4proxy,
signal send set=term peer=briar-desktop-tor//snowflake,
signal send set=term peer=briar-desktop-tor//snowflake,
owner @{HOME}/.briar/desktop/tor/.tor/{,**} rw,
owner @{HOME}/.briar/desktop/tor/.tor/lock k,


@ -59,7 +59,6 @@ profile btrfs @{exec_path} flags=(attach_disconnected) {
/dev/btrfs-control rw,
/dev/pts/@{int} rw,
/dev/tty@{int} rw,
include if exists <local/btrfs>
}


@ -21,7 +21,7 @@ profile cups-notifier-dbus @{exec_path} {
owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw,
owner @{tmp}/cups-dbus-notifier-lockfile rwk,
include if exists <local/cups-notifier-dbus>
}


@ -95,7 +95,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pids}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
owner @{tmp}/*_latest_print_info w,
/dev/tty rw,


@ -27,9 +27,9 @@ profile dig @{exec_path} {
owner @{HOME}/.digrc r,
owner @{HOME}/batch_mode.dig r,
owner @{HOME}/tsig.key r,
/tmp/batch_mode.dig r,
owner @{PROC}/@{pids}/task/@{tid}/comm rw,
include if exists <local/dig>


@ -12,7 +12,7 @@ include <tunables/global>
@{config_dirs} = @{user_config_dirs}/@{name} @{user_config_dirs}/discordptb
@{cache_dirs} = @{user_cache_dirs}/@{name}
@{exec_path} = @{bin}/discord{,-ptb} @{lib_dirs}/Discord{,PTB}
@{exec_path} = @{bin}/discord{,-ptb} @{lib_dirs}/Discord{,PTB}
profile discord @{exec_path} {
include <abstractions/base>
include <abstractions/audio-client>
