feat(profile): general update.

Alexandre Pujol 2024-05-30 21:03:39 +01:00
parent 16f30007e7
commit 3f688be7a0
GPG Key ID: C5469996F0DF68EC
11 changed files with 122 additions and 96 deletions


@ -28,11 +28,11 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
@{HOME}/@{XDG_DATA_DIR}/flatpak/db/gnome rw,
owner @{desktop_share_dirs}/flatpak/ w,
audit owner @{desktop_share_dirs}/flatpak/db/ rw,
audit owner @{desktop_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
audit owner @{desktop_share_dirs}/flatpak/db/background rw,
audit owner @{desktop_share_dirs}/flatpak/db/devices r,
audit owner @{desktop_share_dirs}/flatpak/db/notifications rw,
owner @{desktop_share_dirs}/flatpak/db/ rw,
owner @{desktop_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
owner @{desktop_share_dirs}/flatpak/db/background rw,
owner @{desktop_share_dirs}/flatpak/db/devices r,
owner @{desktop_share_dirs}/flatpak/db/notifications rw,
owner @{user_share_dirs}/flatpak/ w,
owner @{user_share_dirs}/flatpak/db/ rw,
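Review bot: Removing the `audit` qualifier from the five flatpak/db rules stops these accesses from being logged even when they are allowed, which reduces visibility of writes to the permission-store database. If the audit was a temporary debugging aid this is fine; if it was intended as monitoring of a sensitive file, keep `audit` on at least the write rules (`db/ rw` and `db/.goutputstream-@{rand6} rw`). The enclosing xdg-permission-store profile continues outside the hunk.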


@ -59,7 +59,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
@{bin}/gnome-keyring-daemon rPx,
@{etc_ro}/X11/xdm/Xstartup rPUx,
@{lib}/{,gdm/}gdm-{x,wayland}-session rPx -> gdm-session,
@{lib}/{,gdm/}gdm-{x,wayland}-session rpx -> gdm-session,
/etc/gdm{3,}/{Pre,Post}Session/Default rix,
/etc/gdm{3,}/PostLogin/Default rix,
/etc/gdm{3,}/PrimeOff/Default rix,
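Review bot: The new `rpx -> gdm-session` rule on the gdm-{x,wayland}-session line uses the lower-case `p`, which makes AppArmor transition without scrubbing the environment, so the worker's full environment (including the glibc secure-exec variables that the upper-case `Px` would strip) reaches the gdm-session profile. That may be deliberate for a session launcher, but nothing in the profile says so; a comment such as `# No env scrubbing: the user session must inherit the environment prepared by the worker` above the line would record the intent. The enclosing gdm-session-worker profile starts and ends outside the hunk.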


@ -51,8 +51,8 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{bin}/ r,
@{bin}/* rPUx,
@{lib}/** rPUx,
@{bin}/* PUx,
@{lib}/** PUx,
/usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx,
@{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx,


@ -17,10 +17,7 @@ profile gnome-calculator-search-provider @{exec_path} {
signal (send) set=kill peer=unconfined,
dbus bind bus=session name=org.gnome.Calculator.SearchProvider,
dbus receive bus=session path=/org/gnome/Calculator/SearchProvider
interface=org.gnome.Shell.SearchProvider2
peer=(name=:*, label=gnome-shell),
#aa:dbus own bus=session name=org.gnome.Calculator.SearchProvider interface=org.gnome.Shell.SearchProvider2
@{exec_path} mrix,
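Review bot: The explicit `dbus receive` rule being replaced restricted callers with `peer=(name=:*, label=gnome-shell)`, whereas the new `#aa:dbus own bus=session name=org.gnome.Calculator.SearchProvider interface=org.gnome.Shell.SearchProvider2` directive expands to whatever the generator emits; if that expansion does not carry the `label=gnome-shell` peer, any session-bus client confined or not may now drive the search provider. The same substitution is made in the gnome-characters profile. If the wider peer is intended, a short comment next to the directive noting it would help; otherwise keep an explicit `dbus receive ... peer=(name=:*, label=gnome-shell)` rule alongside it. The enclosing profile starts and ends outside the hunk.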


@ -15,10 +15,7 @@ profile gnome-characters @{exec_path} {
include <abstractions/fontconfig-cache-read>
include <abstractions/nameservice-strict>
#aa:dbus own bus=session name=org.gnome.Characters
dbus receive bus=session path=/org/gnome/Characters/SearchProvider
interface=org.gnome.Shell.SearchProvider2
peer=(name=:*, label=gnome-shell),
#aa:dbus own bus=session name=org.gnome.Characters interface=org.gnome.Shell.SearchProvider2
@{exec_path} mr,


@ -21,6 +21,8 @@ profile gnome-control-center-print-renderer @{exec_path} {
/usr/share/pixmaps/{,**} r,
/ r,
owner @{PROC}/@{pid}/cmdline r,
include if exists <local/gnome-control-center-print-renderer>


@ -175,10 +175,18 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{exec_path} mr,
@{bin}/Xwayland rPx,
@{lib}/polkit-1/polkit* rPx,
@{lib}/* rPUx,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rix,
@{bin}/unzip rix,
@{bin}/gjs-console rPx,
@{bin}/glib-compile-schemas rPx,
@{bin}/ibus-daemon rPx,
@{bin}/Xwayland rPx,
@{lib}/mutter-x11-frames rPx,
#aa:exec polkit-agent-helper
@{sh_path} rCx -> shell,
@{lib}/gio-launch-desktop rCx -> open,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
/usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx,
@ -363,5 +371,44 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/dev/media@{int} rw,
/dev/tty@{int} rw,
profile shell flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base>
capability sys_ptrace,
ptrace (read),
@{sh_path} mr,
@{bin}/pmap rix,
@{bin}/grep rix,
@{sys}/devices/system/node/ r,
@{PROC}/uptime r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/stat r,
/dev/tty rw,
include if exists <local/gnome-shell_shell>
}
profile open flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base>
include <abstractions/app-launcher-user>
@{lib}/gio-launch-desktop mr,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
@{lib}/* PUx,
/usr/games/* PUx,
/usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx,
deny @{user_share_dirs}/gvfs-metadata/* r,
include if exists <local/gnome-shell_open>
}
include if exists <local/gnome-shell>
}
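Review bot: The new `shell` subprofile grants `capability sys_ptrace` together with an unrestricted `ptrace (read),`, so the confined `pmap`/`grep` run can read the memory map and status of any process on the system, not only gnome-shell's own. If the script only inspects gnome-shell itself, `ptrace (read) peer=gnome-shell,` (plus whichever child profiles it actually targets) would keep the grant to what is needed; if it genuinely has to inspect arbitrary processes, a comment above the two lines saying so would document the wide grant. The same care applies to the `open` subprofile's `@{lib}/* PUx,` fallback, which runs unprofiled binaries unconfined. The gnome-shell profile enclosing both hunks starts before the first hunk.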


@ -10,7 +10,14 @@ include <tunables/global>
profile gvfsd-wsdd @{exec_path} {
include <abstractions/base>
network netlink raw,
@{exec_path} mr,
@{bin}/wsdd rPx,
@{run}/mount/utab r,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
include if exists <local/gvfsd-wsdd>
}


@ -22,31 +22,32 @@ profile anyremote @{exec_path} {
@{exec_path} mr,
@{sh_path} rix,
@{bin}/cat rix,
@{bin}/rm rix,
@{bin}/{,e}grep rix,
@{bin}/cut rix,
@{bin}/id rix,
@{bin}/mv rix,
@{bin}/expr rix,
@{bin}/which{,.debianutils} rix,
@{bin}/head rix,
@{bin}/wc rix,
@{bin}/tr rix,
@{bin}/mkdir rix,
@{bin}/tail rix,
@{bin}/{m,g,}awk rix,
@{bin}/sed rix,
@{bin}/md5sum rix,
@{bin}/basename rix,
@{bin}/sleep rix,
@{bin}/cat rix,
@{bin}/curl rix,
@{bin}/cut rix,
@{bin}/expr rix,
@{bin}/find rix,
@{bin}/head rix,
@{bin}/id rix,
@{bin}/md5sum rix,
@{bin}/mkdir rix,
@{bin}/mv rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/sleep rix,
@{bin}/tail rix,
@{bin}/tr rix,
@{bin}/wc rix,
@{bin}/which{,.debianutils} rix,
@{bin}/convert-im6.q16 rCx -> imagemagic,
@{bin}/killall rCx -> killall,
@{bin}/pgrep rCx -> pgrep,
@{lib}/qt5/bin/qdbus rCx -> qdbus,
@{bin}/curl rCx -> curl,
@{bin}/pacmd rPx,
@{bin}/pactl rPx,
@ -61,34 +62,30 @@ profile anyremote @{exec_path} {
@{bin}/mpv rPx,
@{bin}/strawberry rPx,
owner @{tmp}/amarok_covers/ rw,
owner @{tmp}/*.png rw,
# For shell pwd
owner @{HOME}/ r,
owner @{HOME}/.anyRemote/{,**} rw,
owner @{HOME}/.anyRemote/imdb-mf.sh rix,
/usr/share/anyremote/{,**} r,
/usr/share/anyremote/cfg-data/Utils/*.sh rix,
deny @{PROC}/sys/kernel/osrelease r,
owner @{HOME}/ r,
owner @{HOME}/.Xauthority r,
owner @{HOME}/.anyRemote/{,**} rw,
owner @{HOME}/.anyRemote/imdb-mf.sh rix,
owner @{tmp}/amarok_covers/ rw,
owner @{tmp}/*.png rw,
deny @{PROC}/sys/kernel/osrelease r,
profile imagemagic {
include <abstractions/base>
@{bin}/convert-im6.q16 mr,
/usr/share/anyremote/cfg-data/Icons/common/*.png r,
/usr/share/ImageMagick-[0-9]/*.xml rw,
/etc/ImageMagick-[0-9]/*.xml r,
/usr/share/anyremote/cfg-data/Icons/common/*.png r,
owner @{HOME}/.anyRemote/*.png rw,
owner @{HOME}/.kde/share/apps/amarok/albumcovers/cache/* r,
/tmp/ r,
@ -96,6 +93,7 @@ profile anyremote @{exec_path} {
owner @{tmp}/amarok_covers/* rw,
owner @{tmp}/magick-* rw,
include if exists <local/anyremote_imagemagic>
}
profile killall {
@ -118,40 +116,24 @@ profile anyremote @{exec_path} {
# file_inherit
owner @{HOME}/.anyRemote/anyremote.stdout w,
include if exists <local/anyremote_killall>
}
profile pgrep {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/app/pgrep>
signal (send) set=(term, kill),
@{bin}/pgrep mr,
# The /proc/ dir and the cmdline have to be radable to avoid pgrep segfault.
@{PROC}/ r,
@{PROC}/@{pids}/cmdline r,
deny @{PROC}/sys/kernel/osrelease r,
# file_inherit
owner @{HOME}/.anyRemote/anyremote.stdout w,
include if exists <local/anyremote_pgrep>
}
profile curl {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
@{bin}/curl mr,
}
profile qdbus {
profile qdbus {
include <abstractions/base>
@{lib}/qt5/bin/qdbus mr,
include if exists <local/anyremote_qdbus>
}
include if exists <local/anyremote>
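Review bot: The new `curl` subprofile is the only child profile in this file without a local-override include, so it cannot be tuned on a deployment the way imagemagic, killall, pgrep and qdbus can; add `include if exists <local/anyremote_curl>` before its closing brace. It also declares no `network` rule of its own, so unless `abstractions/nameservice-strict` already grants `network inet stream` / `network inet6 stream`, curl will be unable to connect at all, which is worth confirming on a live run. The killall and pgrep subprofiles carry a `# file_inherit` write rule for `anyremote.stdout`; curl is launched from the same scripts and will likely hit the same inherited descriptor.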


@ -11,14 +11,12 @@ include <tunables/global>
profile ganyremote @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/desktop>
include <abstractions/fontconfig-cache-read>
include <abstractions/user-download-strict>
include <abstractions/nameservice-strict>
include <abstractions/python>
include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict>
network inet stream,
network inet6 stream,
@ -52,23 +50,18 @@ profile ganyremote @{exec_path} {
@{bin}/mpv rPUx,
@{bin}/strawberry rPUx,
owner @{HOME}/ r,
owner @{HOME}/.anyRemote/{,*} rw,
/usr/share/anyremote/{,**} r,
deny @{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
/usr/share/doc/anyremote{,-data}/{,**} r,
/etc/fstab r,
# Doc dirs
deny /usr/local/share/ r,
deny /usr/share/ r,
deny /usr/share/doc/ r,
/usr/share/doc/anyremote{,-data}/ r,
owner @{HOME}/ r,
owner @{HOME}/.anyRemote/{,*} rw,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
deny @{PROC}/sys/kernel/osrelease r,
profile killall {
include <abstractions/base>
@ -87,21 +80,16 @@ profile ganyremote @{exec_path} {
@{PROC}/ r,
@{PROC}/@{pids}/stat r,
include if exists <local/ganyremote_killall>
}
profile pgrep {
include <abstractions/base>
include <abstractions/consoles>
@{bin}/pgrep mr,
# The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.
@{PROC}/ r,
@{PROC}/@{pids}/cmdline r,
deny @{PROC}/sys/kernel/osrelease r,
include <abstractions/app/pgrep>
/usr/share/anyremote/{,**} r,
include if exists <local/ganyremote_pgrep>
}
include if exists <local/ganyremote>
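Review bot: The `/usr/share/anyremote/{,**} r,` rule placed inside the `pgrep` subprofile, right after the `abstractions/app/pgrep` include, is unusual for pgrep, which needs only the proc entries the abstraction covers; it reads like a rule meant for the parent profile or an inherited-descriptor artefact. If pgrep really inherits an open file under that directory from the calling script, mark it with a `# file_inherit` comment as the sibling subprofiles in anyremote do; otherwise move it next to the parent's other /usr/share/anyremote rules so the subprofile stays minimal. The enclosing ganyremote profile starts before the first hunk.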


@ -41,9 +41,15 @@ profile spotify @{exec_path} {
owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm,
owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm,
owner @{tmp}/.org.chromium.Chromium.@{rand6}/*.crx3 rw,
@{PROC}/pressure/* r,
/dev/tty rw,
deny @{user_share_dirs}/gvfs-metadata/* r,
deny @{sys}/class/*/ r,
deny owner @{PROC}/@{pid}/clear_refs w,
include if exists <local/spotify>
}