feat(profiles): general update.
This commit is contained in:
parent
0b0d58ab03
commit
3ff8e3847d
37 changed files with 95 additions and 61 deletions
@ -77,6 +77,7 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/systemd/journal/socket rw,
|
||||
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
|
||||
|
||||
include if exists <local/geoclue>
|
||||
}
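Review bot: The new line `@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,` is added verbatim to gnome-shell, gvfsd-http and systemd-resolved in this same commit and replaces an ipv6-only form in netstat, which suggests the read comes from a shared library probe rather than from geoclue itself. Growing the same rule profile by profile is hard to audit; if the profiles already share a network abstraction, that is the better home for it, with a one-line note on where the read originates. If it must stay here, a comment such as `# IPv4/IPv6 availability probe (library-level) — confirm origin` would explain why a geolocation daemon reads sysctl state.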
|
||||
@ -75,7 +75,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/class/ r,
|
||||
@{sys}/devices/**/device:*/**/path r,
|
||||
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,removable,uevent} r,
|
||||
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
|
||||
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,bios_vendor} r,
|
||||
|
||||
/dev/media[0-9]* rw,
|
||||
|
||||
@ -13,7 +13,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw,
|
||||
owner @{run}/firejail/dbus/[0-9]*/[0-9]*-{system,user} rw,
|
||||
owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw,
|
||||
owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-[0-9A-Z]* rw,
|
||||
owner @{run}/user/@{uid}/webkitgtk/bus-proxy-[0-9A-Z]* rw,
|
||||
@ -33,11 +33,8 @@ profile evolution-addressbook-factory @{exec_path} {
|
|||
|
||||
dbus receive bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.NetworkManager
|
||||
member={CheckPermissions,StateChanged},
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged,
|
||||
member={CheckPermissions,StateChanged,DeviceAdded,DeviceRemoved}
|
||||
peer=(name=:*, label=NetworkManager),
|
||||
|
||||
@{exec_path} mr,
|
||||
@{exec_path}-subprocess rix,
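Review bot: The second receive rule, `interface=org.freedesktop.DBus.Properties member=PropertiesChanged` on `/org/freedesktop/NetworkManager`, is deleted outright rather than given the same `peer=(name=:*, label=NetworkManager)` scoping as the merged rule above it. Unless that signal is now permitted by an abstraction not visible here, the factory will start logging denials whenever NetworkManager emits property changes, which happens on every connectivity transition. Pinning the peer label is the right tightening; keep the rule as `dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=PropertiesChanged peer=(name=:*, label=NetworkManager),` unless the deletion is intentional, in which case the commit message should say why. The sibling evolution-calendar-factory hunk in this commit has no Properties rule at all, so the two profiles diverge either way.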
|
||||
@ -29,7 +29,8 @@ profile evolution-calendar-factory @{exec_path} {
|
|||
|
||||
dbus receive bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.NetworkManager
|
||||
member={CheckPermissions,StateChanged},
|
||||
member={CheckPermissions,StateChanged,DeviceAdded,DeviceRemoved}
|
||||
peer=(name=:*, label=NetworkManager),
|
||||
|
||||
dbus (send,receive) bus=session path=/org/gnome/evolution/dataserver{,/**}
|
||||
interface={org.freedesktop.DBus.{Introspectable,ObjectManager,Properties},org.gnome.evolution.dataserver.*},
|
||||
@ -21,6 +21,10 @@ profile evolution-source-registry @{exec_path} {
|
|||
network inet6 dgram,
|
||||
network netlink raw,
|
||||
|
||||
dbus (receive) bus=session path=/org/gnome/evolution/dataserver{,/**}
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
@ -22,8 +22,9 @@ profile gnome-contacts-search-provider @{exec_path} {
|
|||
|
||||
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
||||
|
||||
owner @{user_share_dirs}/folks/{,**/} rw,
|
||||
owner @{user_share_dirs}/folks/relationships.ini rw,
|
||||
owner @{user_share_dirs}/mime/mime.cache r,
|
||||
owner @{user_share_dirs}/folks/relationships.ini r,
|
||||
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
|
||||
@ -505,11 +505,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/libinput*/{,**/}[0-9][0-9]-*.quirks r,
|
||||
/usr/share/libinput*/libinput/ r,
|
||||
/usr/share/libwacom/{,*.stylus,*.tablet} r,
|
||||
/usr/share/pipewire/client.conf r,
|
||||
/usr/share/plymouth/*.png r,
|
||||
/usr/share/wallpapers/** r,
|
||||
/usr/share/wayland-sessions/{,*.desktop} r,
|
||||
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
|
||||
/usr/share/gnome-packagekit/icons/hicolor/{,**} r,
|
||||
|
||||
# freedesktop.org-strict
|
||||
/usr/share/*ubuntu/applications/{,**} r,
|
||||
@ -518,6 +518,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
/.flatpak-info r,
|
||||
/etc/fstab r,
|
||||
/etc/udev/hwdb.bin r,
|
||||
/etc/pipewire/client.conf.d/{,**} r,
|
||||
/etc/xdg/menus/gnome-applications.menu r,
|
||||
|
||||
/var/lib/gdm{3,}/.cache/ w,
|
||||
@ -637,11 +638,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
|
||||
@{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,
|
||||
|
||||
owner @{PROC}/@{pid}/comm r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/task/@{pid}/cmdline r,
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pid}/attr/current r,
|
||||
@{PROC}/@{pid}/cgroup r,
|
||||
@ -652,6 +648,12 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
@{PROC}/1/cgroup r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
|
||||
owner @{PROC}/@{pid}/comm r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/task/@{pid}/cmdline r,
|
||||
|
||||
/dev/input/event[0-9]* rw,
|
||||
/dev/media[0-9]* rw,
|
||||
@ -15,6 +15,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/deny-sensitive-home>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl-nvidia>
|
||||
include <abstractions/openssl>
|
||||
@ -99,6 +99,7 @@ profile tracker-extract @{exec_path} {
|
|||
owner @{user_cache_dirs}/ w,
|
||||
owner @{user_cache_dirs}/tracker3/ w,
|
||||
owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
|
||||
owner @{user_share_dirs}/gvfs-metadata/** r,
|
||||
|
||||
owner /tmp/tracker-extract-3-files.*/{,*} rw,
|
||||
|
||||
@ -116,8 +117,6 @@ profile tracker-extract @{exec_path} {
|
|||
/dev/dri/renderD128 rw,
|
||||
/dev/media[0-9]* r,
|
||||
/dev/video[0-9]* rw,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/** r,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
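Review bot: `deny owner @{user_share_dirs}/gvfs-metadata/** r,` is flipped into an allow, `owner @{user_share_dirs}/gvfs-metadata/** r,`, with no comment on why the extractor now needs the gvfs metadata store, while the journalctl hunk in this same commit adds the opposite rule, `deny @{user_share_dirs}/gvfs-metadata/* r,`, as a silencer. Turning a deliberate deny into an allow is a policy decision and deserves a why-comment on the new line, e.g. `# gvfs-metadata read through GIO during extraction — TODO confirm against the denial`. If the access is only noise from an inherited descriptor, the deny belongs under the `# file_inherit` header already present further down this hunk rather than becoming a grant. The enclosing profile starts before and continues after this hunk.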
|
||||
@ -105,8 +105,9 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{MOUNTS}/{,**} r,
|
||||
owner /tmp/*/{,**} r,
|
||||
|
||||
owner @{user_config_dirs}/tracker3/{,**} rwk,
|
||||
owner @{user_cache_dirs}/tracker3/ rw,
|
||||
owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
|
||||
owner @{user_config_dirs}/tracker3/{,**} rwk,
|
||||
|
||||
@{run}/blkid/blkid.tab r,
|
||||
@{run}/mount/utab r,
|
||||
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/{,gvfs}/gvfs-afc-volume-monitor
|
||||
@{exec_path} = @{libexec}/{,gvfs/}gvfs-afc-volume-monitor
|
||||
profile gvfs-afc-volume-monitor @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
@ -26,5 +26,7 @@ profile gvfsd-http @{exec_path} {
|
|||
|
||||
owner @{run}/user/@{uid}/gvfsd/socket-* rw,
|
||||
|
||||
@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
|
||||
|
||||
include if exists <local/gvfsd-http>
|
||||
}
|
||||
@ -109,14 +109,14 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/ r,
|
||||
/etc/ r,
|
||||
/etc/iproute2/* r,
|
||||
/etc/machine-id r,
|
||||
@{etc_rw}/resolv.conf rw,
|
||||
@{etc_rw}/resolv.conf.[0-9A-Z]* rw,
|
||||
/etc/network/interfaces r,
|
||||
/etc/network/interfaces.d/{,*} r,
|
||||
|
||||
/etc/NetworkManager/{,**} r,
|
||||
/etc/NetworkManager/system-connections/{,**} w,
|
||||
@{etc_rw}/resolv.conf rw,
|
||||
@{etc_rw}/resolv.conf.[0-9A-Z]* rw,
|
||||
|
||||
/var/lib/iwd/*open* rw,
|
||||
/var/lib/NetworkManager/{,**} rw,
|
||||
@ -129,6 +129,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{run}/network/ifstate r,
|
||||
@{run}/NetworkManager/{,**} rw,
|
||||
@{run}/nm-*.pid rw,
|
||||
@{run}/nscd/db* rwl,
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
@ -17,6 +17,9 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/pacman.d/mirrorlist r,
|
||||
/etc/pacman.d/*-mirrorlist r,
|
||||
|
||||
# Inherit Silencer
|
||||
deny network inet6 stream,
|
||||
deny network inet stream,
|
||||
deny /apparmor/.null rw,
|
||||
|
||||
include if exists <local/pacman-conf>
|
||||
@ -32,6 +32,7 @@ profile pacman-hook-dkms @{exec_path} {
|
|||
# Inherit Silencer
|
||||
deny network inet6 stream,
|
||||
deny network inet stream,
|
||||
deny /apparmor/.null rw,
|
||||
|
||||
include if exists <local/pacman-hook-dkms>
|
||||
}
@ -41,5 +41,7 @@ profile ssh @{exec_path} {
|
|||
|
||||
owner @{run}/user/@{uid}/keyring/ssh rw,
|
||||
|
||||
owner @{PROC}/@{pid}/loginuid r,
|
||||
|
||||
include if exists <local/ssh>
|
||||
}
|
||||
@ -66,14 +66,15 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
|
|||
/{usr/,}bin/passwd rPx,
|
||||
/{usr/,}lib/openssh/sftp-server rPx,
|
||||
|
||||
/etc/legal r,
|
||||
/etc/shells r,
|
||||
/etc/default/locale r,
|
||||
@{etc_ro}/environment r,
|
||||
@{etc_ro}/security/limits.d/{,*.conf} r,
|
||||
@{etc_rw}/motd r,
|
||||
/etc/default/locale r,
|
||||
/etc/gss/mech.d/{,*} r,
|
||||
/etc/issue.net r,
|
||||
@{etc_rw}/motd r,
|
||||
@{etc_ro}/security/limits.d/{,*.conf} r,
|
||||
/etc/legal r,
|
||||
/etc/machine-id r,
|
||||
/etc/shells r,
|
||||
|
||||
@{etc_ro}/ssh/sshd_config r,
|
||||
@{etc_ro}/ssh/sshd_config.d/{,*} r,
|
||||
@ -49,6 +49,8 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||
deny /apparmor/.null rw,
|
||||
deny network inet stream,
|
||||
deny network inet6 stream,
|
||||
|
||||
include if exists <local/systemd-journalctl>
|
||||
}
|
||||
@ -12,14 +12,8 @@ profile loginctl @{exec_path} {
|
|||
include <abstractions/dbus-strict>
|
||||
include <abstractions/systemd-common>
|
||||
|
||||
capability sys_resource,
|
||||
capability net_admin,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/less rPx -> child-pager,
|
||||
/{usr/,}bin/more rPx -> child-pager,
|
||||
/{usr/,}bin/pager rPx -> child-pager,
|
||||
capability sys_resource,
|
||||
|
||||
dbus (send) bus=system path=/org/freedesktop/login[0-9]*
|
||||
interface=org.freedesktop.login[0-9]*.Manager
|
||||
@ -31,5 +25,11 @@ profile loginctl @{exec_path} {
|
|||
member={Get,GetAll}
|
||||
peer=(name=org.freedesktop.login[0-9]*, label=systemd-logind),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/less rPx -> child-pager,
|
||||
/{usr/,}bin/more rPx -> child-pager,
|
||||
/{usr/,}bin/pager rPx -> child-pager,
|
||||
|
||||
include if exists <local/loginctl>
|
||||
}
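Review bot: `capability net_admin,` is dropped but `capability sys_resource,` is kept and relocated without any comment saying what loginctl needs it for; sys_resource is a broad capability and nothing in the hunk shows the access that requires it. A short justification on that line, such as `# sys_resource: TODO document the denial that requires this`, would keep the next reviewer from removing it as dead the way net_admin was here. Recording the net_admin removal in the commit message as an intentional privilege reduction would also help, since a "general update" title hides it.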
|
||||
@ -8,7 +8,7 @@ abi <abi/3.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}lib/systemd/systemd-coredump
|
||||
profile systemd-coredump @{exec_path} flags=(attach_disconnected) {
|
||||
profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
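Review bot: Adding `mediate_deleted` to the profile flags extends mediation to files that have already been unlinked, but the hunk carries no note on which access prompted it. A coredump is commonly taken after a package upgrade has replaced the crashed binary or its libraries, so that is presumably the case being handled; a one-line comment above the profile header, e.g. `# mediate_deleted: the crashing process' executable or libraries may be unlinked by the time the dump is read — confirm against the denial`, would make the flag self-explanatory instead of looking copied from another profile.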
|
||||
@ -49,12 +49,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/systemd/notify rw,
|
||||
@{run}/udev/data/+dmi:id r,
|
||||
|
||||
@{sys}/devices/virtual/dmi/id/bios_vendor r,
|
||||
@{sys}/devices/virtual/dmi/id/bios_version r,
|
||||
@{sys}/devices/virtual/dmi/id/board_vendor r,
|
||||
@{sys}/devices/virtual/dmi/id/chassis_type r,
|
||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
@{sys}/devices/virtual/dmi/id/product_version r,
|
||||
@{sys}/devices/virtual/dmi/id/ r,
|
||||
@{sys}/devices/virtual/dmi/id/{bios_vendor,bios_version,board_vendor,bios_date} r,
|
||||
@{sys}/devices/virtual/dmi/id/{product_name,product_version,chassis_type} r,
|
||||
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||
@{sys}/devices/virtual/dmi/id/uevent r,
|
||||
@{sys}/firmware/dmi/entries/*/raw r,
|
||||
@ -72,6 +72,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
|
|||
@{run}/udev/data/n[0-9]* r,
|
||||
|
||||
@{sys}/devices/**/net/** r,
|
||||
@{sys}/devices/pci[0-9]*/**/ r,
|
||||
@{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
|
||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
|
||||
@ -56,7 +56,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/systemd/journal/socket w,
|
||||
|
||||
@{PROC}/sys/kernel/hostname r,
|
||||
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
|
||||
@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
|
||||
|
||||
include if exists <local/systemd-timesyncd>
|
||||
}
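Review bot: The local override is wired to the wrong profile: inside `profile systemd-resolved`, the trailing `include if exists <local/systemd-timesyncd>` means any `local/systemd-resolved` drop-in is silently ignored while administrator rules written for timesyncd leak into resolved. This is a context line the commit leaves untouched, but it is the defect most worth fixing in this hunk; change it to `include if exists <local/systemd-resolved>`, matching the `include if exists <local/NAME>` convention every other profile in this commit follows.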
|
||||
@ -26,6 +26,7 @@ profile subiquity-console-conf @{exec_path} {
|
|||
/{usr/,}bin/{,da,ba}sh rix,
|
||||
/{usr/,}bin/cat rix,
|
||||
/{usr/,}bin/grep rix,
|
||||
/{usr/,}bin/ip rix,
|
||||
/{usr/,}bin/mkdir rix,
|
||||
/{usr/,}bin/mv rix,
|
||||
/{usr/,}bin/sleep rix,
|
||||
@ -20,8 +20,13 @@ profile update-notifier @{exec_path} {
|
|||
include <abstractions/openssl>
|
||||
include <abstractions/python>
|
||||
|
||||
dbus receive bus=session path=/org/ayatana/NotificationItem/*
|
||||
member={GetLayout,GetGroupProperties,GetAll,AboutToShow},
|
||||
dbus receive bus=session path=/org/ayatana/NotificationItem{,/**}
|
||||
interface={com.canonical.dbusmenu,org.freedesktop.DBus.Properties}
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus (send) bus=accessibility path=/org/a11y/atspi/registry{,/**}
|
||||
interface=org.a11y.atspi.DeviceEventController
|
||||
peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
|
||||
|
||||
@{exec_path} mr,
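Review bot: The rewritten receive rule drops the member list `{GetLayout,GetGroupProperties,GetAll,AboutToShow}` and instead admits every member of `com.canonical.dbusmenu` and `org.freedesktop.DBus.Properties` from the gnome-shell peer, which now includes `Set` on the Properties interface. Pinning `peer=(name=:*, label=gnome-shell)` is the stronger half of the change, but since the profile previously enumerated members, keeping a member list alongside the peer (extended only by what the denial logs showed) preserves least privilege at no cost. If widening to all members was deliberate because the list kept growing, a comment saying so on the rule would stop the next maintainer from re-tightening it.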
|
||||
|
||||
@ -21,9 +21,7 @@ profile aa-log @{exec_path} {
|
|||
/var/log/audit/* r,
|
||||
|
||||
/{run,var}/log/journal/ r,
|
||||
/{run,var}/log/journal/@{hex}/ r,
|
||||
/{run,var}/log/journal/@{hex}/system*.journal r,
|
||||
/{run,var}/log/journal/@{hex}/user*.journal r,
|
||||
/{run,var}/log/journal/@{hex}/{,*} r,
|
||||
|
||||
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||
|
||||
@ -117,10 +117,14 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/depmod.d/{,*} r,
|
||||
|
||||
/{usr/,}lib/modules/*/modules.* rw,
|
||||
/var/lib/dkms/**/module/*.ko r,
|
||||
/var/lib/dkms/**/module/*.ko* r,
|
||||
|
||||
owner /boot/System.map-* r,
|
||||
|
||||
# Inherit silencer
|
||||
deny /apparmor/.null rw,
|
||||
|
||||
include if exists <local/dkms_kmod>
|
||||
}
|
||||
|
||||
include if exists <local/dkms>
|
||||
@ -21,6 +21,8 @@ profile downloadhelper @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/ffmpeg rix,
|
||||
|
||||
/opt/ r,
|
||||
/opt/net.downloadhelper.coapp/ r,
|
||||
/opt/net.downloadhelper.coapp/bin/ r,
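Review bot: `/{usr/,}bin/ffmpeg rix,` runs ffmpeg inside the downloadhelper profile with inherited permissions, and ffmpeg here is presumably decoding media fetched from arbitrary web sites, one of the larger parser attack surfaces on a desktop. If the repository carries a dedicated ffmpeg profile, `rPx` would confine the decoder separately from the companion app that talks to the browser; if it does not, a comment such as `# ffmpeg parses untrusted downloaded media; confine separately once an ffmpeg profile exists` records the trade-off. The enclosing profile continues past this hunk.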
|
||||
@ -53,8 +53,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
|
|||
member=GetAll,
|
||||
|
||||
dbus receive bus=system path=/
|
||||
interface=org.freedesktop.fwupd
|
||||
member=Changed,
|
||||
interface=org.freedesktop.fwupd,
|
||||
|
||||
dbus receive bus=system path=/
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
@ -23,13 +23,14 @@ profile netcap @{exec_path} {
|
|||
@{exec_path} mr,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/@{pids}/fd/ r,
|
||||
@{PROC}/@{pid}/net/dev r,
|
||||
@{PROC}/@{pid}/net/packet r,
|
||||
@{PROC}/@{pid}/net/raw{,6} r,
|
||||
@{PROC}/@{pid}/net/tcp{,6} r,
|
||||
@{PROC}/@{pid}/net/udp{,6} r,
|
||||
@{PROC}/@{pid}/net/raw{,6} r,
|
||||
@{PROC}/@{pid}/net/packet r,
|
||||
@{PROC}/@{pid}/net/dev r,
|
||||
@{PROC}/@{pid}/net/udplite{,6} r,
|
||||
@{PROC}/@{pids}/fd/ r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
|
||||
include if exists <local/netcap>
|
||||
}
|
||||
@ -42,7 +42,7 @@ profile netstat @{exec_path} {
|
|||
@{PROC}/@{pids}/net/unix r,
|
||||
@{PROC}/net r,
|
||||
@{PROC}/net/* r,
|
||||
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
|
||||
@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
|
||||
owner @{PROC}/@{pid}/attr/current r,
|
||||
|
||||
include if exists <local/netstat>
|
||||
@ -52,7 +52,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
dbus send bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
member={GetAll,PropertiesChanged}
|
||||
peer=(name=:*, label=NetworkManager),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/NetworkManager
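Review bot: `PropertiesChanged` has been added to a `dbus send` rule on `org.freedesktop.DBus.Properties`, but that name is a signal NetworkManager emits and packagekitd receives, not something a client sends; granting it under `send` will not silence the denial that prompted it and adds a permission packagekitd never exercises. Keep the send rule at `member=GetAll` and add `member=PropertiesChanged` to the `dbus receive bus=system path=/org/freedesktop/NetworkManager` rule that starts on the hunk's last line, whose body continues outside the hunk. If the audit entry genuinely showed a send, quoting it in the commit message would be worthwhile since that would be unusual.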
|
||||
@ -131,7 +131,8 @@ profile run-parts @{exec_path} {
|
|||
/{usr/,}bin/sort rix,
|
||||
/{usr/,}bin/tr rix,
|
||||
/{usr/,}bin/uname rix,
|
||||
|
||||
|
||||
/{usr/,}bin/snap rPx,
|
||||
/{usr/,}lib/ubuntu-release-upgrader/release-upgrade-motd rPx,
|
||||
/{usr/,}lib/update-notifier/update-motd-fsck-at-reboot rPx,
|
||||
/{usr/,}lib/update-notifier/update-motd-reboot-required rix,
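Review bot: On the new side, `/{usr/,}lib/update-notifier/update-motd-reboot-required rix,` inherits the run-parts profile while the sibling motd helpers immediately above it (`release-upgrade-motd`, `update-motd-fsck-at-reboot`) and `snap` transition with `rPx` into their own profiles. Running one helper with run-parts's full rule set is the kind of exception that needs a why-comment, e.g. `# no dedicated profile yet; runs with run-parts permissions`, or a child profile like its neighbours. Which of these lines is the one added cannot be recovered from the rendered hunk, so this applies to whichever is new.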
|
||||
@ -32,5 +32,9 @@ profile sbctl @{exec_path} {
|
|||
|
||||
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||
|
||||
# File Inherit
|
||||
deny network inet stream,
|
||||
deny network inet6 stream,
|
||||
|
||||
include if exists <local/sbctl>
|
||||
}
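Review bot: The silencer block added here is headed `# File Inherit`, while the same idiom in this commit is headed `# Inherit Silencer` in pacman-conf and pacman-hook-dkms, `# Inherit silencer` in dkms and `# file_inherit` in tracker-extract; four spellings for one pattern make grepping for inherited-fd denials unreliable. Pick one header — `# Inherit Silencer` is the most frequent in this commit — and use it on the new block here and in the other hunks. The `deny network inet stream,` / `deny network inet6 stream,` lines themselves match the existing pattern and are fine.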
@ -89,6 +89,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/udev/data/c4[0-9]*:[0-9]* r,
|
||||
@{run}/udev/data/c5[0-9]*:[0-9]* r,
|
||||
|
||||
@{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
|
||||
@{sys}/devices/pci[0-9]*/**/drm/ r,
|
||||
@{sys}/devices/virtual/drm/ttm/uevent r,
|
||||
|
||||
@ -50,9 +50,10 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/name r,
|
||||
|
||||
@{PROC}/sys/net/ipv[4,6]/conf/wlan[0-9]/drop_* rw,
|
||||
@{PROC}/sys/net/ipv[4,6]/conf/wlo*/drop_* rw,
|
||||
@{PROC}/sys/net/ipv[4,6]/conf/wlp*/drop_* rw,
|
||||
@{PROC}/sys/net/ipv{4,6}/conf/p2p*/drop_* rw,
|
||||
@{PROC}/sys/net/ipv{4,6}/conf/wlan*/drop_* rw,
|
||||
@{PROC}/sys/net/ipv{4,6}/conf/wlo*/drop_* rw,
|
||||
@{PROC}/sys/net/ipv{4,6}/conf/wlp*/drop_* rw,
|
||||
|
||||
/dev/rfkill rw,
|
||||
|
||||