mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-15 16:03:51 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat(full): add bwrap-app abstraction.

Browse Source
This commit is contained in:
Alexandre Pujol 2023-11-26 23:08:02 +00:00
parent d8ff8c8cd6
commit 3da0ad2572
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
1 changed files with 115 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

115
apparmor.d/abstractions/bwrap-app Normal file
View File

@ -0,0 +1,115 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Common rules for applications sandboxed using bwrap.
include <abstractions/audio>
include <abstractions/consoles>
include <abstractions/dbus-session>
include <abstractions/deny-sensitive-home>
include <abstractions/devices-usb>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/gnome>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/opencl-intel>
include <abstractions/opencl-mesa>
include <abstractions/opencl-nvidia>
include <abstractions/p11-kit>
include <abstractions/ssl_certs>
include <abstractions/video>
include <abstractions/vulkan>
/usr/** r,
/etc/** r,
/etc/igfx_user_feature*.txt rw,
/etc/shells rw,
/ r,
/.* r,
/*/ r,
owner /@{uuid}/ w,
owner /_@{int}_/ w,
# Full access to user's data
/ r,
/*/ r,
@{MOUNTDIRS}/ r,
@{MOUNTS}/ r,
@{MOUNTS}/** rwl,
owner @{HOME}/.var/app/** rmix,
owner @{HOME}/{,**} rwlk,
owner @{run}/user/@{uid}/{,**} rw,
owner @{user_config_dirs}/** rwkl,
owner @{user_share_dirs}/** rwkl,
@{user_games_dirs}/{,**} rm,
owner /tmp/** rmwk,
owner /dev/shm/** rwlk -> /dev/shm/**,
@{run}/cups/cups.sock rw, # Allow access to cups printing socket.
@{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.
@{run}/host/{,**} r,
@{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket.
owner @{run}/user/@{uid}/orcexec.@{rand6} rwm,
@{sys}/ r,
@{sys}/bus/ r,
@{sys}/bus/pci/devices/ r,
@{sys}/class/ r,
@{sys}/class/drm/ r,
@{sys}/class/hidraw/ r,
@{sys}/class/input/ r,
@{sys}/class/power_supply/ r,
@{sys}/devices/@{pci}/{class,numa_node,local_cpus,irq,carrier} r,
@{sys}/devices/@{pci}/boot_vga r,
@{sys}/devices/@{pci}/class r,
@{sys}/devices/@{pci}/config r,
@{sys}/devices/@{pci}/net/{,**} r,
@{sys}/devices/**/input@{int}/ r,
@{sys}/devices/**/input@{int}/capabilities/* r,
@{sys}/devices/**/input/input@{int}/ r,
@{sys}/devices/**/power_supply/** r,
@{sys}/devices/**/uevent r,
@{sys}/devices/system/** r,
@{sys}/devices/system/cpu/** r,
@{sys}/devices/virtual/dmi/id/{,**} r,
@{sys}/devices/virtual/net/{,**} r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/memory.* r,
@{PROC}/ r,
@{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/net/** r,
@{PROC}/@{pid}/smaps r,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/task/@{tid}/stat r,
@{PROC}/driver/** r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/uptime r,
@{PROC}/zoneinfo r,
owner @{PROC}/@{pid}/comm rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/fd/@{int} rw,
owner @{PROC}/@{pid}/net/if_inet6 r,
owner @{PROC}/@{pid}/oom_score_adj rw,
owner @{PROC}/@{pid}/statm r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/status r,
/dev/hidraw@{int} rw,
/dev/input/ r,
/dev/pts/ptmx rw,
/dev/tty rw,
include if exists <abstractions/bwrap-app.d>