feat(profile): general update.

Alexandre Pujol 2024-04-09 23:48:33 +01:00
parent 5873cbff95
commit 3c6102e919
10 changed files with 27 additions and 67 deletions


@ -14,7 +14,12 @@
dbus send bus=system path=/org/freedesktop/RealtimeKit1 dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.RealtimeKit1 interface=org.freedesktop.RealtimeKit1
member=MakeThread* member={MakeThreadRealtime,MakeThreadHighPriority}
peer=(name="{:*,org.freedesktop.RealtimeKit1}", label=rtkit-daemon), peer=(name=:*, label=rtkit-daemon),
dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.RealtimeKit1
member={MakeThreadRealtime,MakeThreadHighPriority}
peer=(name=org.freedesktop.RealtimeKit1),
include if exists <abstractions/bus/org.freedesktop.RealtimeKit1.d> include if exists <abstractions/bus/org.freedesktop.RealtimeKit1.d>
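Review bot: The second rule added here, the one ending in `peer=(name=org.freedesktop.RealtimeKit1),`, has no `label=` condition, so it matches whichever process owns that well-known name rather than only a peer confined as rtkit-daemon. The equivalent rule removed from the pulseaudio profile in this same commit carried a `# No label in rule` comment; the abstraction should keep something similar, for example `# Well-known name: peer label intentionally omitted (<reason>)`, so the omission is not later read as an oversight. If the label can in fact be matched for this peer, `peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon),` would be the tighter form.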


@ -16,6 +16,8 @@ profile dconf-editor @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{open_path} rPx -> child-open-help,
# When GSETTINGS_BACKEND=keyfile # When GSETTINGS_BACKEND=keyfile
owner @{user_config_dirs}/glib-2.0/ rw, owner @{user_config_dirs}/glib-2.0/ rw,
owner @{user_config_dirs}/glib-2.0/settings/ rw, owner @{user_config_dirs}/glib-2.0/settings/ rw,


@ -62,22 +62,11 @@ profile pulseaudio @{exec_path} {
member=GetManagedObjects member=GetManagedObjects
peer=(name=org.bluez), peer=(name=org.bluez),
dbus send bus=system path=/
interface=org.freedesktop.DBus.Peer
member=Ping
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
dbus send bus=system path=/Client@{int}/ServiceResolver@{int} dbus send bus=system path=/Client@{int}/ServiceResolver@{int}
interface=org.freedesktop.Avahi.ServiceResolver interface=org.freedesktop.Avahi.ServiceResolver
member={Found,Free} member={Found,Free}
peer=(name=org.freedesktop.Avahi, label=avahi-daemon), peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
# No label in rule
dbus send bus=system path=/org/freedesktop/RealtimeKit@{int}
interface=org.freedesktop.RealtimeKit@{int}
member=MakeThreadHighPriority
peer=(name=org.freedesktop.RealtimeKit@{int}),
@{exec_path} mrix, @{exec_path} mrix,
@{lib}/pulse/gsettings-helper rix, @{lib}/pulse/gsettings-helper rix,


@ -34,6 +34,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r,
deny @{user_share_dirs}/gvfs-metadata/* r, deny @{user_share_dirs}/gvfs-metadata/* r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /usr/share/update-notifier/notify-reboot-required @{exec_path} = /usr/share/{update,reboot}-notifier/notify-reboot-required
profile notify-reboot-required @{exec_path} { profile notify-reboot-required @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -17,7 +17,7 @@ profile notify-reboot-required @{exec_path} {
@{bin}/gettext rix, @{bin}/gettext rix,
@{bin}/snap rPUx, @{bin}/snap rPUx,
/usr/share/update-notifier/notify-reboot-required r, /usr/share/{update,reboot}-notifier/notify-reboot-required r,
@{run}/reboot-required rw, @{run}/reboot-required rw,
@{run}/reboot-required.pkgs rw, @{run}/reboot-required.pkgs rw,
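Review bot: The read rule in the second hunk repeats the `{update,reboot}-notifier` alternation that the first hunk already placed in `@{exec_path}`, so the two have to be edited together on the next path change. Writing the rule as `@{exec_path} r,` keeps a single source for the path. The profile body continues past both hunks, so an existing rule on `@{exec_path}` elsewhere in the file may already cover this.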


@ -15,6 +15,9 @@ include <tunables/global>
profile element-desktop @{exec_path} { profile element-desktop @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio-client> include <abstractions/audio-client>
include <abstractions/bus-session>
include <abstractions/bus/org.freedesktop.ScreenSaver>
include <abstractions/bus/org.kde.StatusNotifierWatcher>
include <abstractions/common/electron> include <abstractions/common/electron>
include <abstractions/p11-kit> include <abstractions/p11-kit>
include <abstractions/video> include <abstractions/video>


@ -12,7 +12,9 @@ profile evince @{exec_path} {
include <abstractions/bus-accessibility> include <abstractions/bus-accessibility>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus/org.a11y> include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.FileManager1>
include <abstractions/bus/org.freedesktop.portal.Desktop> include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gnome-strict> include <abstractions/gnome-strict>
include <abstractions/ibus> include <abstractions/ibus>
@ -26,7 +28,9 @@ profile evince @{exec_path} {
deny network inet, deny network inet,
deny network inet6, deny network inet6,
#aa:dbus own bus=session name=org.gnome.evince.Daemon #aa:dbus own bus=session name=org.gnome.evince
#aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys
dbus send bus=session path=/org/gtk/vfs/metadata dbus send bus=session path=/org/gtk/vfs/metadata
interface=org.gtk.vfs.Metadata interface=org.gtk.vfs.Metadata


@ -24,7 +24,7 @@ profile syncthing @{exec_path} {
@{open_path} rPx -> child-open, @{open_path} rPx -> child-open,
@{bin}/ip rix, @{bin}/ip rix,
/usr/share/mime/{,*} r, /usr/share/mime/{,**} r,
/etc/mime.types r, /etc/mime.types r,


@ -101,8 +101,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
@{MOUNTS}/*/ rw, @{MOUNTS}/*/ rw,
@{run}/ r, @{run}/ r,
@{run}/mount/utab{,.*} rw, @{run}/mount/utab{,.*} rwk,
@{run}/mount/utab.lock rwk,
@{run}/udisks2/{,**} rw, @{run}/udisks2/{,**} rw,
@{run}/systemd/seats/seat@{int} r, @{run}/systemd/seats/seat@{int} r,
@{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/inhibit/[0-9]*.ref rw,
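Review bot: Folding the lock file into `@{run}/mount/utab{,.*} rwk,` grants `k` on utab itself and on every utab.* file, where the old side limited locking to utab.lock. If the lock file is the only one udisksd locks, keeping `@{run}/mount/utab{,.*} rw,` together with `@{run}/mount/utab.lock rwk,` is the narrower form. If denials showed locks on other utab.* files, a short comment naming them would document why the glob now carries `k`. The profile body starts and ends outside this hunk.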


@ -15,6 +15,9 @@ profile vlc @{exec_path} {
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus/org.a11y> include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.ScreenSaver> include <abstractions/bus/org.freedesktop.ScreenSaver>
include <abstractions/bus/org.freedesktop.secrets>
include <abstractions/bus/org.kde.kwalletd>
include <abstractions/bus/org.kde.StatusNotifierWatcher>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/desktop> include <abstractions/desktop>
include <abstractions/devices-usb> include <abstractions/devices-usb>
@ -32,54 +35,8 @@ profile vlc @{exec_path} {
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
dbus bind bus=session name=org.kde.StatusNotifierItem-*, #aa:dbus own bus=session name=org.mpris.MediaPlayer2.vlc
#aa:dbus talk bus=session name=org.mpris.MediaPlayer2.Player label=unconfined
dbus bind bus=session name=org.mpris.MediaPlayer2.vlc*,
dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
interface=org.freedesktop.DBus.Properties
peer=(name="{org.freedesktop.DBus,:*}"), # all members
dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
interface=org.mpris.MediaPlayer2.*
peer=(name="{org.mpris.MediaPlayer2.vlc,org.freedesktop.DBus,:*}"), # all members
dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=org.kde.StatusNotifierWatcher),
dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties
member={Get,RegisterStatusNotifierItem}
peer=(name=org.kde.StatusNotifierWatcher),
dbus send bus=session path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem
peer=(name=org.kde.StatusNotifierWatcher),
dbus send bus=session path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member={NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon}
peer=(name=org.freedesktop.DBus),
dbus receive bus=session path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member=Activate
peer=(name=:*),
dbus receive bus=session path=/StatusNotifierItem
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name=:*),
dbus send bus=session path=/MenuBar
interface=com.canonical.dbusmenu
member={LayoutUpdated,ItemsPropertiesUpdated}
peer=(name=org.freedesktop.DBus),
dbus (send receive) bus=session path=/MenuBar
interface=com.canonical.dbusmenu
peer=(name=:*),
@{exec_path} mrix, @{exec_path} mrix,
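Review bot: The includes added in the first hunk bring `abstractions/bus/org.freedesktop.secrets` and `abstractions/bus/org.kde.kwalletd` into the profile of a player that handles untrusted media and keeps `network inet6 stream`. What those abstractions allow is not visible here, but by their names they open a D-Bus path to the user's keyring. A comment naming the feature that needs them, e.g. `# Keyring access for <feature>; drop if unused`, would let a later reviewer judge whether the grant is still justified. In the second hunk, `#aa:dbus talk ... label=unconfined` accepts any unconfined peer, which may be unavoidable for MPRIS clients but deserves a one-line comment as well. Both hunks sit inside a profile body that starts and ends outside them.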