feat(profiles): use the new hex variable.
This commit is contained in:
parent
5d0c521e44
commit
3b56d3ff0f
@ -7,8 +7,8 @@
|
||||
/var/lib/gdm/.cache/mesa_shader_cache/ rw,
|
||||
/var/lib/gdm/.cache/mesa_shader_cache/index rw,
|
||||
/var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
|
||||
/var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
|
||||
/var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
|
||||
/var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw,
|
||||
/var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk,
|
||||
|
||||
@{sys}/devices/pci[0-9]*/**/revision r,
|
||||
@{sys}/devices/pci[0-9]*/**/config r,
|
||||
|
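Review bot: The two-character shard directory `[a-f0-9][a-f0-9]/` stays a hand-written class while the entries beneath it switch to `@{hex}`, here and again in the gnome-shell hunk (`/var/lib/gdm{3,}/.cache/mesa_shader_cache/...`). Whether the substitution narrows anything depends on the variable's definition, which is not part of this diff: the old `[0-9a-f]*` is one hex digit followed by any non-`/` run, so a definition like `[0-9a-fA-F]*` is equivalent, whereas a bounded form would finally exclude non-hex names. A one-line comment above the block stating the intended shape, e.g. `# mesa shader cache: two-hex-digit shard directory, hex-named entries`, would let a reader check that the literal class and the variable agree.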
@ -6,7 +6,7 @@
|
||||
|
||||
owner @{HOME}/.cache/qtshadercache/ rw,
|
||||
owner @{HOME}/.cache/qtshadercache/#[0-9]*[0-9] rw,
|
||||
owner @{HOME}/.cache/qtshadercache/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9],
|
||||
owner @{HOME}/.cache/qtshadercache/@{hex} rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9],
|
||||
owner @{HOME}/.cache/qtshadercache-*-little_endian-*/ rw,
|
||||
owner @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
|
||||
owner @{HOME}/.cache/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
|
||||
owner @{HOME}/.cache/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
|
||||
|
@ -129,7 +129,7 @@ profile atom @{exec_path} {
|
||||
# The irq file is needed to render pages.
|
||||
deny @{sys}/devices/pci[0-9]*/**/irq r,
|
||||
|
||||
owner /tmp/atom-[0-9a-f]*.sock rw,
|
||||
owner /tmp/atom-@{hex}.sock rw,
|
||||
owner "/tmp/Atom Crashes/" rw,
|
||||
owner /tmp/github-[0-9]*-[0-9]*-*.*/ rw,
|
||||
owner /tmp/github-[0-9]*-[0-9]*-*.*/** rw,
|
||||
|
@ -91,9 +91,9 @@ profile calibre @{exec_path} {
|
||||
|
||||
owner @{user_cache_dirs}/qtshadercache/ rw,
|
||||
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
|
||||
owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
|
||||
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
|
||||
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
|
||||
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
|
||||
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
|
||||
|
||||
owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw,
|
||||
owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
|
||||
|
@ -109,8 +109,8 @@ profile code @{exec_path} {
|
||||
owner "/tmp/VSCode Crashes/" rw,
|
||||
owner /tmp/vscode-typescript[0-9]*/ rw,
|
||||
|
||||
owner @{run}/user/@{uid}/vscode-[0-9a-f]*-*-{shared,main}.sock rw,
|
||||
owner @{run}/user/@{uid}/vscode-git-askpass-[0-9a-f]*.sock rw,
|
||||
owner @{run}/user/@{uid}/vscode-@{hex}-*-{shared,main}.sock rw,
|
||||
owner @{run}/user/@{uid}/vscode-git-askpass-@{hex}.sock rw,
|
||||
|
||||
owner /tmp/vscode-ipc-@{uuid}.sock rw,
|
||||
# For installing extensions
|
||||
|
@ -54,7 +54,7 @@ profile flameshot @{exec_path} {
|
||||
|
||||
owner /tmp/.*/{,s} rw,
|
||||
owner /tmp/*= rw,
|
||||
owner /tmp/qipc_{systemsem,sharedmemory}_*[0-9a-f]* rw,
|
||||
owner /tmp/qipc_{systemsem,sharedmemory}_*@{hex} rw,
|
||||
|
||||
deny owner @{PROC}/@{pid}/cmdline r,
|
||||
deny @{PROC}/sys/kernel/random/boot_id r,
|
||||
|
@ -51,7 +51,7 @@ profile geany @{exec_path} {
|
||||
|
||||
owner @{user_config_dirs}/geany/{,**} rw,
|
||||
|
||||
owner /{run/,}user/@{uid}/geany/geany_socket.[0-9a-f]* rw,
|
||||
owner /{run/,}user/@{uid}/geany/geany_socket.@{hex} rw,
|
||||
|
||||
# To read/write files in the system. The read permission is granted for all files, the write
|
||||
# permission only for the owner. Also, dirs like /dev/, /proc/, /sys/ are not included in
|
||||
@ -110,7 +110,7 @@ profile geany @{exec_path} {
|
||||
/{usr/,}bin/dbus-daemon rPUx,
|
||||
|
||||
# for dbus-launch
|
||||
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
|
||||
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
|
||||
|
||||
@{HOME}/.Xauthority r,
|
||||
}
|
||||
|
@ -85,7 +85,7 @@ profile okular @{exec_path} {
|
||||
|
||||
# Print to pdf
|
||||
/{usr/,}bin/ps2pdf rPUx,
|
||||
owner /tmp/[0-9a-f]* rw,
|
||||
owner /tmp/@{hex} rw,
|
||||
owner /tmp/#[0-9]*[0-9] rw,
|
||||
owner /tmp/okular_*.ps rwl -> /tmp/#[0-9]*[0-9],
|
||||
|
||||
|
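Review bot: `owner /tmp/@{hex} rw,` remains very wide: if `@{hex}` expands to a `*`-terminated glob it covers every user-owned entry directly under `/tmp/` whose name begins with a hex digit, not only the print-to-pdf temporaries the surrounding comment describes; the telegram-desktop hunk's `owner /tmp/@{hex}-* rwk,` has the same shape. If the file names have a fixed length, a bounded form would be preferable; otherwise a comment recording why the rule must be this broad, e.g. `# ps2pdf temporary files, hex name only`, would stop the next reader from tightening it blindly.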
@ -67,7 +67,7 @@ profile spotify @{exec_path} {
|
||||
|
||||
/usr/share/X11/XErrorDB r,
|
||||
|
||||
owner /tmp/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
|
||||
owner /tmp/@{hex}-@{hex}-@{hex}-@{hex} rw,
|
||||
|
||||
# What's this for?
|
||||
#owner /tmp/[0-9]*.[0-9]*.[0-9]*.[0-9]*-linux-*.zip rw,
|
||||
|
@ -59,8 +59,8 @@ profile telegram-desktop @{exec_path} {
|
||||
# Autostart
|
||||
owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw,
|
||||
|
||||
owner /tmp/[0-9a-f]*-* rwk,
|
||||
owner @{run}/user/@{uid}/[0-9a-f]*-* rwk,
|
||||
owner /tmp/@{hex}-* rwk,
|
||||
owner @{run}/user/@{uid}/@{hex}-* rwk,
|
||||
|
||||
/dev/shm/#[0-9]*[0-9] rw,
|
||||
|
||||
|
@ -34,7 +34,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
unix (receive, send) type=stream peer=(label=apt-esm-json-hook),
|
||||
|
||||
dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/[0-9a-f]*}
|
||||
dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/@{hex}}
|
||||
interface=org.{debian.apt*,freedesktop.DBus.{Properties,Introspectable}},
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PackageKit
|
||||
|
@ -170,7 +170,7 @@ profile synaptic @{exec_path} {
|
||||
/{usr/,}bin/dbus-daemon rPUx,
|
||||
|
||||
# for dbus-launch
|
||||
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
|
||||
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
|
||||
|
||||
@{HOME}/.Xauthority r,
|
||||
}
|
||||
|
@ -118,7 +118,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{MOZ_HOMEDIR}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r,
|
||||
|
||||
owner @{user_config_dirs}/ r,
|
||||
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
|
||||
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r,
|
||||
owner @{user_config_dirs}/mimeapps.list{,.*} rw,
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
|
@ -39,8 +39,8 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/{,**}" rw,
|
||||
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/crashreporter.ini" rw,
|
||||
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/events/[0-9a-f]*" rw,
|
||||
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/[0-9a-f]*.{dmp,extra}" rw,
|
||||
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/events/@{hex}" rw,
|
||||
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw,
|
||||
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/submit.log" rw,
|
||||
|
||||
owner @{MOZ_HOMEDIR}/firefox/*.*/crashes/{,**} rw,
|
||||
@ -53,7 +53,7 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
/tmp/ r,
|
||||
/var/tmp/ r,
|
||||
owner /tmp/[0-9a-f]*.{dmp,extra} rw,
|
||||
owner /tmp/@{hex}.{dmp,extra} rw,
|
||||
owner /tmp/firefox/.parentlock w,
|
||||
|
||||
owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r,
|
||||
|
@ -22,14 +22,14 @@ profile firefox-minidump-analyzer @{exec_path} {
|
||||
|
||||
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/" rw,
|
||||
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/" rw,
|
||||
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/[0-9a-f]*.{dmp,extra}" rw,
|
||||
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw,
|
||||
|
||||
owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/ rw,
|
||||
owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/@{uuid}.{dmp,extra} rw,
|
||||
|
||||
owner @{user_cache_dirs}/mozilla/firefox/*.*/startupCache/*Cache* r,
|
||||
|
||||
owner /tmp/[0-9a-f]*.{dmp,extra} rw,
|
||||
owner /tmp/@{hex}.{dmp,extra} rw,
|
||||
owner /tmp/firefox/.parentlock w,
|
||||
|
||||
owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r,
|
||||
|
@ -24,10 +24,10 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
|
||||
/etc/dconf/db/ibus r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
|
||||
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
|
||||
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
|
||||
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
|
||||
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r,
|
||||
owner @{user_config_dirs}/ibus/bus/@{hex}-unix-[0-9]* r,
|
||||
/var/lib/gdm/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r,
|
||||
/var/lib/gdm/.config/ibus/bus/@{hex}-unix-[0-9]* r,
|
||||
|
||||
/var/lib/gdm/.cache/dconf/ w,
|
||||
/var/lib/gdm/.cache/dconf/user rw,
|
||||
|
@ -19,8 +19,8 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
|
||||
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r,
|
||||
/var/lib/gdm/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
|
||||
/var/lib/gdm/.config/ibus/bus/@{hex}-unix-[0-9] r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
||||
|
@ -17,7 +17,7 @@ profile ibus-memconf @{exec_path} {
|
||||
/etc/machine-id r,
|
||||
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/ r,
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9]* r,
|
||||
|
||||
include if exists <local/ibus-memconf>
|
||||
}
|
@ -26,7 +26,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
/var/lib/dbus/machine-id r,
|
||||
/var/lib/gdm/.config/ibus/bus/ r,
|
||||
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
|
||||
/var/lib/gdm/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
/dev/null rw,
|
||||
|
@ -23,10 +23,10 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
|
||||
/var/lib/gdm/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
|
||||
|
||||
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
|
||||
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
|
||||
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
|
||||
owner @{user_config_dirs}/ibus/bus/@{hex}-unix-[0-9] r,
|
||||
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
@ -69,7 +69,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
|
||||
/{usr/,}bin/dbus-daemon rPx,
|
||||
|
||||
@{HOME}/.Xauthority r,
|
||||
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
|
||||
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
|
||||
|
||||
}
|
||||
|
||||
|
@ -61,7 +61,7 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) {
|
||||
/{usr/,}bin/dbus-daemon rPx,
|
||||
|
||||
# for dbus-launch
|
||||
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
|
||||
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
|
||||
|
||||
@{HOME}/.Xauthority r,
|
||||
}
|
||||
|
@ -64,7 +64,7 @@ profile xdg-settings @{exec_path} {
|
||||
/{usr/,}bin/dbus-daemon rPx,
|
||||
|
||||
# for dbus-launch
|
||||
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
|
||||
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
|
||||
|
||||
@{HOME}/.Xauthority r,
|
||||
}
|
||||
|
@ -150,13 +150,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||
/var/lib/gdm{3,}/.cache/ w,
|
||||
/var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw,
|
||||
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
|
||||
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
|
||||
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
|
||||
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw,
|
||||
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk,
|
||||
/var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
|
||||
/var/lib/gdm{3,}/.config/dconf/user r,
|
||||
/var/lib/gdm{3,}/.config/ibus/ rw,
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/ rw,
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r,
|
||||
/var/lib/gdm{3,}/.config/pulse/ r,
|
||||
/var/lib/gdm{3,}/.config/pulse/client.conf r,
|
||||
/var/lib/gdm{3,}/.config/pulse/cookie rwk,
|
||||
|
@ -41,7 +41,7 @@ profile tracker-miner @{exec_path} {
|
||||
/var/lib/gdm{3,}/.cache/tracker3/tracker3/files/{,**} rwk,
|
||||
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||
|
||||
owner /var/tmp/etilqs_[0-9a-f]* rw,
|
||||
owner /var/tmp/etilqs_@{hex} rw,
|
||||
|
||||
# Allow to search user files
|
||||
owner @{HOME}/{,**} r,
|
||||
|
@ -25,53 +25,53 @@ profile gpg-agent @{exec_path} {
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/gpg-agent.conf r,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key rw,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r,
|
||||
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key rw,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/sshcontrol r,
|
||||
|
||||
owner @{user_projects_dirs}/**/{.,}gnupg/ rw,
|
||||
owner @{user_projects_dirs}/**/{.,}gnupg/gpg-agent.conf r,
|
||||
owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,
|
||||
owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key rw,
|
||||
owner @{user_projects_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{user_projects_dirs}/**/{.,}gnupg/sshcontrol r,
|
||||
|
||||
owner @{run}/user/@{uid}/gnupg/ rw,
|
||||
owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r,
|
||||
owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw,
|
||||
owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key rw,
|
||||
owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{run}/user/@{uid}/gnupg/sshcontrol r,
|
||||
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/ rw,
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/gpg-agent.conf r,
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key rw,
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/sshcontrol r,
|
||||
|
||||
owner /var/lib/*/.gnupg/ rw,
|
||||
owner /var/lib/*/.gnupg/private-keys-v1.d/ rw,
|
||||
owner /var/lib/*/.gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner /var/lib/*/.gnupg/private-keys-v1.d/@{hex}.key rw,
|
||||
owner /var/lib/*/.gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner /var/lib/*/.gnupg/sshcontrol r,
|
||||
|
||||
owner /var/lib/*/gnupg/ rw,
|
||||
owner /var/lib/*/gnupg/private-keys-v1.d/ rw,
|
||||
owner /var/lib/*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner /var/lib/*/gnupg/private-keys-v1.d/@{hex}.key rw,
|
||||
owner /var/lib/*/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner /var/lib/*/gnupg/sshcontrol r,
|
||||
|
||||
owner /tmp/tmp.*/gnupg/ rw,
|
||||
owner /tmp/tmp.*/gnupg/private-keys-v1.d/ rw,
|
||||
owner /tmp/tmp.*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner /tmp/tmp.*/gnupg/private-keys-v1.d/@{hex}.key rw,
|
||||
owner /tmp/tmp.*/gnupg/{,d.*/}S.gpg-agent rw,
|
||||
owner /tmp/tmp.*/gnupg/sshcontrol r,
|
||||
|
||||
|
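Review bot: Every `.key` rule in this hunk replaces the uppercase class `[0-9A-F]*` with `@{hex}`; keygrip file names in `private-keys-v1.d/` are uppercase hex and AppArmor path matching is case-sensitive, so if the variable is defined with lowercase digits only these rules stop matching and gpg-agent loses access to its private keys. The bootctl hunk makes the same substitution for `Boot[0-9A-F]*-@{uuid}`, whose variable names are uppercase hex as well. Please confirm the tunable's definition covers `A-F` (it is not part of this diff), or keep the explicit class, e.g. `owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw,`.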
@ -21,9 +21,9 @@ profile gpg-connect-agent @{exec_path} {
|
||||
|
||||
owner @{run}/user/@{uid}/gnupg/d.*/ rw,
|
||||
|
||||
owner /tmp/tmp.*/.#lk0x[0-9a-f]*.*.@{pid} rw,
|
||||
owner /tmp/tmp.*/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
|
||||
owner /tmp/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
|
||||
owner /tmp/tmp.*/.#lk0x@{hex}.*.@{pid} rw,
|
||||
owner /tmp/tmp.*/.#lk0x@{hex}.*.@{pid}x rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid},
|
||||
owner /tmp/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid},
|
||||
|
||||
include if exists <local/gpg-connect-agent>
|
||||
}
|
||||
|
@ -24,11 +24,11 @@ profile bootctl @{exec_path} {
|
||||
|
||||
/{boot,efi}/ r,
|
||||
/{boot,efi}/EFI/{,**} r,
|
||||
/{boot,efi}/EFI/BOOT/.#BOOT*.EFI[0-9a-f]* rw,
|
||||
/{boot,efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw,
|
||||
/{boot,efi}/EFI/BOOT/BOOTX64.EFI w,
|
||||
/{boot,efi}/EFI/systemd/.#systemd-boot*.efi[0-9a-f]* rw,
|
||||
/{boot,efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw,
|
||||
/{boot,efi}/EFI/systemd/systemd-boot*.efi w,
|
||||
/{boot,efi}/loader/.#bootctlrandom-seed[0-9a-f]* rw,
|
||||
/{boot,efi}/loader/.#bootctlrandom-seed@{hex} rw,
|
||||
/{boot,efi}/loader/.#entries.srel* w,
|
||||
/{boot,efi}/loader/{,**} r,
|
||||
/{boot,efi}/loader/entries.srel w,
|
||||
@ -47,7 +47,7 @@ profile bootctl @{exec_path} {
|
||||
@{sys}/firmware/dmi/entries/*/raw r,
|
||||
@{sys}/firmware/efi/efivars/ r,
|
||||
@{sys}/firmware/efi/efivars/AuditMode-@{uuid} r,
|
||||
@{sys}/firmware/efi/efivars/Boot[0-9A-F]*-@{uuid} r,
|
||||
@{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r,
|
||||
@{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
|
||||
@{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r,
|
||||
@{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r,
|
||||
|
@ -26,13 +26,13 @@ profile coredumpctl @{exec_path} flags=(complain) {
|
||||
|
||||
owner /var/tmp/coredump-* rw,
|
||||
|
||||
/var/lib/systemd/coredump/core.*.[0-9]*.[0-9a-f]*.[0-9]*.[0-9]*.zst r,
|
||||
/var/lib/systemd/coredump/core.*.[0-9]*.@{hex}.[0-9]*.[0-9]*.zst r,
|
||||
|
||||
/{run,var}/log/journal/ r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/ r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/system.journal* r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r,
|
||||
/{run,var}/log/journal/@{hex}/ r,
|
||||
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* r,
|
||||
/{run,var}/log/journal/@{hex}/system.journal* r,
|
||||
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* r,
|
||||
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
@{PROC}/1/cgroup r,
|
||||
|
@ -34,12 +34,12 @@ profile journalctl @{exec_path} {
|
||||
/var/lib/systemd/catalog/.#database* rw,
|
||||
|
||||
/{run,var}/log/journal/ r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/ r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/system.journal* r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
|
||||
/{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
|
||||
owner /{run,var}/log/journal/[0-9a-f]*/fss wl -> /var/log/journal/[0-9a-f]*/fss.tmp.*,
|
||||
owner /{run,var}/log/journal/[0-9a-f]*/fss.tmp.* rw,
|
||||
/{run,var}/log/journal/@{hex}/ r,
|
||||
/{run,var}/log/journal/@{hex}/system.journal* r,
|
||||
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw,
|
||||
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw,
|
||||
owner /{run,var}/log/journal/@{hex}/fss wl -> /var/log/journal/@{hex}/fss.tmp.*,
|
||||
owner /{run,var}/log/journal/@{hex}/fss.tmp.* rw,
|
||||
owner /var/tmp/#[0-9]* rw,
|
||||
|
||||
@{run}/host/container-manager r,
|
||||
|
@ -42,10 +42,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected,complain) {
|
||||
# To be able to read logs
|
||||
@{run}/log/ r,
|
||||
/{run,var}/log/journal/ r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/ r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/system.journal* r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r,
|
||||
/{run,var}/log/journal/@{hex}/ r,
|
||||
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* r,
|
||||
/{run,var}/log/journal/@{hex}/system.journal* r,
|
||||
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* r,
|
||||
|
||||
@{run}/systemd/netif/links/[0-9]* r,
|
||||
@{run}/systemd/netif/state r,
|
||||
|
@ -30,11 +30,11 @@ profile systemd-journald @{exec_path} {
|
||||
|
||||
@{run}/log/ rw,
|
||||
/{run,var}/log/journal/ rw,
|
||||
/{run,var}/log/journal/[0-9a-f]*/ rw,
|
||||
/{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
|
||||
/{run,var}/log/journal/[0-9a-f]*/system.journal* rw,
|
||||
/{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
|
||||
/{run,var}/log/journal/[0-9a-f]*/fss rw,
|
||||
/{run,var}/log/journal/@{hex}/ rw,
|
||||
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw,
|
||||
/{run,var}/log/journal/@{hex}/system.journal* rw,
|
||||
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw,
|
||||
/{run,var}/log/journal/@{hex}/fss rw,
|
||||
|
||||
owner @{run}/systemd/journal/{,**} rw,
|
||||
owner @{run}/systemd/notify rw,
|
||||
|
@ -31,12 +31,12 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
|
||||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
|
||||
mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/@{hex}/shm/,
|
||||
mount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
|
||||
mount -> /tmp/ctd-volume[0-9]*/,
|
||||
mount options in (rw, bind, nosuid, nodev, noexec) -> @{run}/netns/cni-@{uuid},
|
||||
|
||||
umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
|
||||
umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/@{hex}/shm/,
|
||||
umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
|
||||
umount /tmp/ctd-volume[0-9]*/,
|
||||
umount @{run}/netns/cni-@{uuid},
|
||||
|
@ -22,8 +22,8 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
|
||||
ptrace (read) peer=containerd,
|
||||
ptrace (read) peer=unconfined,
|
||||
|
||||
mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/rootfs/,
|
||||
umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/rootfs/,
|
||||
mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
|
||||
umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
@ -34,12 +34,12 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
|
||||
/tmp/pty[0-9]*/pty.sock rw,
|
||||
|
||||
@{run}/containerd/{,containerd.sock.ttrpc} rw,
|
||||
@{run}/containerd/io.containerd.grpc.v1.cri/containers/[0-9a-f]*/io/[0-9]*/[0-9a-f]*-{stdin,stdout,stderr} rw,
|
||||
@{run}/containerd/io.containerd.runtime.v2.task/{moby,k8s.io}/[0-9a-f]*/{,*} rw,
|
||||
@{run}/containerd/s/{,[0-9a-f]*} rw,
|
||||
@{run}/containerd/io.containerd.grpc.v1.cri/containers/@{hex}/io/[0-9]*/@{hex}-{stdin,stdout,stderr} rw,
|
||||
@{run}/containerd/io.containerd.runtime.v2.task/{moby,k8s.io}/@{hex}/{,*} rw,
|
||||
@{run}/containerd/s/{,@{hex}} rw,
|
||||
|
||||
@{run}/docker/containerd/[0-9a-f]*/[0-9a-f]*-{stdin,stdout,stderr} rw,
|
||||
@{run}/docker/containerd/[0-9a-f]*/init-{stdin,stdout,stderr} rw,
|
||||
@{run}/docker/containerd/@{hex}/@{hex}-{stdin,stdout,stderr} rw,
|
||||
@{run}/docker/containerd/@{hex}/init-{stdin,stdout,stderr} rw,
|
||||
@{run}/docker/containerd/daemon/io.containerd.*/{,**} rw,
|
||||
@{run}/secrets/kubernetes.io/serviceaccount/*/token w,
|
||||
|
||||
|
@ -61,7 +61,7 @@ profile k3s @{exec_path} {
|
||||
/{usr/,}{s,}bin/xtables-nft-multi rPx -> cni-xtables-nft,
|
||||
|
||||
@{libexec}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
|
||||
/var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix,
|
||||
/var/lib/rancher/k3s/data/@{hex}/bin/* rix,
|
||||
|
||||
@{libexec}/kubernetes/kubelet-plugins/volume/exec/{,**} r,
|
||||
/usr/share/mime/globs2 r,
|
||||
@ -145,7 +145,7 @@ profile k3s @{exec_path} {
|
||||
|
||||
@{sys}/devices/virtual/block/*/** r,
|
||||
@{sys}/devices/virtual/dmi/id/* r,
|
||||
@{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r,
|
||||
@{sys}/devices/virtual/net/cali@{hex}/{address,mtu,speed} r,
|
||||
@{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r,
|
||||
|
||||
@{sys}/fs/cgroup/{,*,*/} r,
|
||||
|
@ -29,9 +29,9 @@ profile aa-log @{exec_path} {
|
||||
/etc/machine-id r,
|
||||
|
||||
/{run,var}/log/journal/ r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/ r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/user-@{uid}*.journal* r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/user-@{uid}.journal r,
|
||||
/{run,var}/log/journal/@{hex}/ r,
|
||||
/{run,var}/log/journal/@{hex}/user-@{uid}*.journal* r,
|
||||
/{run,var}/log/journal/@{hex}/user-@{uid}.journal r,
|
||||
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
@{PROC}/sys/kernel/cap_last_cap r,
|
||||
|
@ -55,9 +55,9 @@ profile anki @{exec_path} {
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/qtshadercache/ rw,
|
||||
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
|
||||
owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
|
||||
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
|
||||
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
|
||||
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
|
||||
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
|
||||
|
||||
/usr/share/anki/{,**} r,
|
||||
|
||||
|
@ -43,8 +43,8 @@ profile claws-mail @{exec_path} flags=(complain) {
|
||||
owner @{HOME}/.claws-mail/** rwl -> @{HOME}/.claws-mail/**,
|
||||
|
||||
owner /tmp/claws-mail-[0-9]*/ rw,
|
||||
owner /tmp/claws-mail-[0-9]*/[0-9a-f]* rw,
|
||||
owner /tmp/claws-mail-[0-9]*/[0-9a-f]*.lock rwk,
|
||||
owner /tmp/claws-mail-[0-9]*/@{hex} rw,
|
||||
owner /tmp/claws-mail-[0-9]*/@{hex}.lock rwk,
|
||||
|
||||
owner /var/mail/* rwk,
|
||||
|
||||
|
@ -49,10 +49,10 @@ profile deltachat-desktop @{exec_path} {
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
owner /tmp/[0-9a-f]*/ rw,
|
||||
owner /tmp/[0-9a-f]*/db.sqlite-blobs/ rw,
|
||||
owner /tmp/[0-9a-f]*/db.sqlite rwk,
|
||||
owner /tmp/[0-9a-f]*/db.sqlite-journal rw,
|
||||
owner /tmp/@{hex}/ rw,
|
||||
owner /tmp/@{hex}/db.sqlite-blobs/ rw,
|
||||
owner /tmp/@{hex}/db.sqlite rwk,
|
||||
owner /tmp/@{hex}/db.sqlite-journal rw,
|
||||
|
||||
@{PROC}/ r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
@ -40,7 +40,7 @@ profile gpo @{exec_path} {
|
||||
|
||||
/etc/inputrc r,
|
||||
|
||||
owner /var/tmp/etilqs_[0-9a-f]* rw,
|
||||
owner /var/tmp/etilqs_@{hex} rw,
|
||||
|
||||
include if exists <local/gpo>
|
||||
}
|
||||
|
@ -46,7 +46,7 @@ profile gpodder @{exec_path} {
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
owner /var/tmp/etilqs_[0-9a-f]* rw,
|
||||
owner /var/tmp/etilqs_@{hex} rw,
|
||||
|
||||
/etc/mime.types r,
|
||||
|
||||
|
@ -76,7 +76,7 @@ profile gsmartcontrol @{exec_path} {
|
||||
/{usr/,}bin/dbus-daemon rPUx,
|
||||
|
||||
# for dbus-launch
|
||||
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
|
||||
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
|
||||
|
||||
@{HOME}/.Xauthority r,
|
||||
}
|
||||
|
@ -132,10 +132,10 @@ profile hw-probe @{exec_path} {
|
||||
|
||||
@{run}/log/ rw,
|
||||
/{run,var}/log/journal/ rw,
|
||||
/{run,var}/log/journal/[0-9a-f]*/ rw,
|
||||
/{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
|
||||
/{run,var}/log/journal/[0-9a-f]*/system.journal* rw,
|
||||
/{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
|
||||
/{run,var}/log/journal/@{hex}/ rw,
|
||||
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw,
|
||||
/{run,var}/log/journal/@{hex}/system.journal* rw,
|
||||
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw,
|
||||
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
|
||||
|
@ -51,7 +51,7 @@ profile jdownloader @{exec_path} {
|
||||
owner @{JD_INSTALLDIR}/tmp/jna/jna[0-9]*.tmp mrw,
|
||||
owner @{JD_INSTALLDIR}/tmp/7zip/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw,
|
||||
|
||||
owner @{HOME}/.oracle_jre_usage/[0-9a-f]*.timestamp rw,
|
||||
owner @{HOME}/.oracle_jre_usage/@{hex}.timestamp rw,
|
||||
owner @{HOME}/.java/.userPrefs/.user.lock.* rwk,
|
||||
owner @{HOME}/.java/.userPrefs/com/install4j/installations/prefs.xml rw,
|
||||
owner @{HOME}/.java/fonts/[0-9]*/ rw,
|
||||
|
@ -48,7 +48,7 @@ profile jdownloader-install @{exec_path} {
|
||||
owner @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh.[0-9]*.dir/jre/lib/*/*.so mrw,
|
||||
owner @{JD_SH_PATH}/install4jError[0-9]*.log rw,
|
||||
|
||||
owner @{HOME}/.oracle_jre_usage/[0-9a-f]*.timestamp rw,
|
||||
owner @{HOME}/.oracle_jre_usage/@{hex}.timestamp rw,
|
||||
owner @{HOME}/.java/.userPrefs/.user.lock.* rwk,
|
||||
owner @{HOME}/.java/fonts/[0-9]*/fcinfo*.tmp rw,
|
||||
owner @{HOME}/.java/fonts/[0-9]*/fcinfo-*.properties rw,
|
||||
|
@ -43,9 +43,9 @@ profile kscreenlocker-greet @{exec_path} {
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/qtshadercache/ rw,
|
||||
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
|
||||
owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
|
||||
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
|
||||
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
|
||||
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
|
||||
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
|
||||
|
||||
owner @{user_cache_dirs}/plasma-svgelements-default_v* r,
|
||||
|
||||
|
@ -103,7 +103,7 @@ profile linssid @{exec_path} {
|
||||
/{usr/,}bin/dbus-daemon rPUx,
|
||||
|
||||
# for dbus-launch
|
||||
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
|
||||
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
|
||||
|
||||
@{HOME}/.Xauthority r,
|
||||
}
|
||||
|
@ -59,7 +59,7 @@ profile lxappearance @{exec_path} {
|
||||
/{usr/,}bin/dbus-daemon rPUx,
|
||||
|
||||
# for dbus-launch
|
||||
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
|
||||
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
|
||||
|
||||
@{HOME}/.Xauthority r,
|
||||
}
|
||||
|
@ -60,9 +60,9 @@ profile minitube @{exec_path} {
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
@ -80,7 +80,7 @@ profile mkvtoolnix-gui @{exec_path} {
owner @{user_cache_dirs}/bunkus.org/ rw,
owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/ rw,
owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/ rw,
owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/[0-9a-f]* rw,
owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/@{hex} rw,
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
@ -35,7 +35,7 @@ profile openbox @{exec_path} {
owner @{user_config_dirs}/openbox/ r,
owner @{user_config_dirs}/openbox/* r,
owner @{user_config_dirs}/obmenu-generator/icons/[0-9a-f]*.png r,
owner @{user_config_dirs}/obmenu-generator/icons/@{hex}.png r,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/openbox/ rw,
@ -82,7 +82,7 @@ profile psi @{exec_path} {
/etc/fstab r,
owner /var/tmp/etilqs_[0-9a-f]* rw,
owner /var/tmp/etilqs_@{hex} rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/Psi.* rwl -> /tmp/#[0-9]*[0-9],
@ -82,7 +82,7 @@ profile psi-plus @{exec_path} {
/etc/fstab r,
owner /var/tmp/etilqs_[0-9a-f]* rw,
owner /var/tmp/etilqs_@{hex} rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/Psi+.* rwl -> /tmp/#[0-9]*[0-9],
@ -225,7 +225,7 @@ profile qbittorrent @{exec_path} {
# file_inherit
owner @{MOUNTS}/torrent/** r,
owner @{MOUNTS}/torrent/**.[0-9a-f]*.parts rw,
owner @{MOUNTS}/torrent/**.@{hex}.parts rw,
owner "@{MOUNTS}/torrent/**.!qB" rw,
owner @{HOME}/.xsession-errors w,
@ -109,7 +109,7 @@ profile qnapi @{exec_path} {
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/QNapi.[0-9]*.tmp.@{qnapi_txt_ext} rw,
owner /tmp/QNapi.[0-9]*.tmp.@{qnapi_txt_ext} rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/[0-9a-f]*.@{qnapi_txt_ext} rw,
owner /tmp/@{hex}.@{qnapi_txt_ext} rw,
owner /tmp/*.@{qnapi_txt_ext} rw,
/var/lib/dbus/machine-id r,
@ -75,7 +75,7 @@ profile qpdfview @{exec_path} {
/usr/share/hwdata/pnp.ids r,
# Print
owner /tmp/[0-9a-f]* rw,
owner /tmp/@{hex} rw,
# Save as
owner /tmp/#[0-9]*[0-9] rw,
@ -60,7 +60,7 @@ profile qtox @{exec_path} {
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner /tmp/qipc_{systemsem,sharedmemory}_*[0-9a-f]* rw,
owner /tmp/qipc_{systemsem,sharedmemory}_*@{hex} rw,
@{sys}/devices/system/node/ r, # for ld-linux-x86-64.so -> libnuma1.so
@{sys}/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so
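Review bot: In `owner /tmp/qipc_{systemsem,sharedmemory}_*@{hex} rw,` the `@{hex}` after the `*` adds no restriction: `*` already matches any run of non-`/` characters and `@{hex}` expands to `[0-9a-fA-F]*`, so the rule is equivalent to `owner /tmp/qipc_{systemsem,sharedmemory}_* rw,`. If the suffix is meant to document that Qt appends a hex digest to the IPC key, a comment such as `# key text followed by a hex digest; the '*' already covers both` preserves that intent without making the rule look narrower than it is.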
@ -58,9 +58,9 @@ profile rpi-imager @{exec_path} {
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
@ -29,7 +29,7 @@ profile scrcpy @{exec_path} {
/var/lib/dbus/machine-id r,
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
include if exists <local/scrcpy>
}
@ -193,10 +193,10 @@ profile sddm @{exec_path} {
owner @{HOME}/.Xauthority-n rw,
owner @{HOME}/.Xauthority rwl -> @{HOME}/.Xauthority-n,
owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c w,
owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-l wl -> @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c,
owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n rw,
owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\} rwl -> @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n,
owner @{run}/sddm/\{@{uuid}\}-c w,
owner @{run}/sddm/\{@{uuid}\}-l wl -> @{run}/sddm/\{@{uuid}\}-c,
owner @{run}/sddm/\{@{uuid}\}-n rw,
owner @{run}/sddm/\{@{uuid}\} rwl -> @{run}/sddm/\{@{uuid}\}-n,
}
@ -131,7 +131,7 @@ profile steam @{exec_path} {
owner /dev/shm/#[0-9]* rw,
owner /dev/shm/fossilize-*-[0-9]*-[0-9]* rw,
owner /dev/shm/u@{uid}-Shm_[0-9a-f]* rw,
owner /dev/shm/u@{uid}-Shm_@{hex} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
owner /dev/shm/ValveIPCSHM_@{uid} rw,
@ -162,7 +162,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
owner /dev/shm/#[0-9]* rw,
owner /dev/shm/mono.* rw,
owner /dev/shm/u@{uid}-Shm_[0-9a-f]* rw,
owner /dev/shm/u@{uid}-Shm_@{hex} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
owner /dev/shm/ValveIPCSHM_@{uid} rw,
owner /dev/shm/wine-*-fsync rw,
@ -41,7 +41,7 @@ profile steam-gameoverlayui @{exec_path} {
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
owner /dev/shm/u@{uid}-Shm_[0-9a-f]* rw,
owner /dev/shm/u@{uid}-Shm_@{hex} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-* rwk,
owner /dev/shm/ValveIPCSHM_@{uid} rw,
@ -26,7 +26,7 @@ profile steam-reaper @{exec_path} {
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{user_share_dirs}/Steam/userdata/**/remotecache.vdf rw,
owner /dev/shm/u@{uid}-Shm_[0-9a-f]* rw,
owner /dev/shm/u@{uid}-Shm_@{hex} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
include if exists <local/steam-reaper>
@ -89,7 +89,7 @@ profile strawberry @{exec_path} {
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/*= w,
owner /var/tmp/etilqs_[0-9a-f]* rw,
owner /var/tmp/etilqs_@{hex} rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
@ -28,7 +28,7 @@ profile tint2 @{exec_path} {
# Tint2 cache files
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/tint2/ rw,
owner @{user_cache_dirs}/tint2/[0-9a-f]*.png w,
owner @{user_cache_dirs}/tint2/@{hex}.png w,
owner @{user_cache_dirs}/tint2/icon.cache rwk,
# Launcher config files
@ -28,7 +28,7 @@ profile tint2conf @{exec_path} {
owner @{user_config_dirs}/tint2/ r,
owner @{user_config_dirs}/tint2/* rw,
owner @{user_cache_dirs}/tint2/[0-9a-f]*.png r,
owner @{user_cache_dirs}/tint2/@{hex}.png r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
@ -40,7 +40,7 @@ profile update-ca-certificates @{exec_path} {
/etc/ca-certificates.conf r,
/etc/ssl/certs/ca-certificates.crt{,.new} rw,
/etc/ssl/certs/*.pem rw,
/etc/ssl/certs/[0-9a-f]*.[0-9] rw,
/etc/ssl/certs/@{hex}.[0-9] rw,
/{usr/,}lib/locale/locale-archive r,
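Review bot: `/etc/ssl/certs/@{hex}.[0-9] rw,` is a write rule into the system trust store, and with `@{hex}` expanding to `[0-9a-fA-F]*` it admits any name that starts with a hex digit and ends in `.<digit>`, not only the eight-digit hash symlinks that `openssl rehash`/`c_rehash` create. It is no wider than the `[0-9a-f]*.[0-9]` it replaces, but the eight-class `@{hex}` definition dropped in the tunables hunk would have matched those links exactly. A fixed-width pattern here, `/etc/ssl/certs/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9] rw,`, or a dedicated fixed-width variable, keeps the rule at the shape the file names actually have.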
@ -88,9 +88,9 @@ profile vidcutter @{exec_path} {
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
@ -107,7 +107,7 @@ profile vidcutter @{exec_path} {
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
owner /tmp/vidcutter-[0-9A-F]*-[0-9A-F]*-[0-9A-F]*-[0-9A-F]*-[0-9A-F]* w,
owner /tmp/vidcutter-@{uuid} w,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/*.jpg rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/vidcutter/{,*} rw,
@ -7,10 +7,10 @@
# All apparmor profiles should always use the variables defined here.
# Universally unique identifier
@{uuid}=[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*
@{uuid}=[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*
# Hexadecimal
@{hex}=[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]
@{hex}=[0-9a-fA-F]*
# @{MOUNTDIRS} is a space-separated list of where user mount directories
# are stored, for programs that must enumerate all mount directories on a
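Review bot: `@{hex}=[0-9a-fA-F]*` is not a hex-only pattern: in AppArmor globbing `*` is a wildcard for any run of non-`/` characters, not a repeat of the preceding class, so the variable expands to "one hex digit followed by anything", and the new `@{uuid}` likewise accepts any text between its dashes. Every profile hunk in this commit that substitutes `@{hex}` (jdownloader-install through vidcutter) therefore keeps the width of the `[0-9a-f]*` patterns it replaces, now also matching uppercase, and a rule such as qpdfview's `owner /tmp/@{hex} rw,` still covers any owned file in /tmp whose name begins with a hex digit. The definition removed here (eight explicit `[0-9a-f]` classes) was exact, and fixed-width names are common among the consumers (the /etc/ssl/certs hash links, the shader-cache entries), so keeping a fixed-width variant next to the wildcard one would let those rules stay tight. At minimum the comment should state what the variable actually matches, e.g. `# Hexadecimal prefix: one hex digit then any non-'/' characters ('*' is a glob, not a repeat)`.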