mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-14 23:43:56 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat(profile): general update.

Browse Source
This commit is contained in:
Alexandre Pujol 2023-12-17 23:47:16 +00:00
parent f362975ce7
commit 4032ead9b4
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
21 changed files with 40 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
apparmor.d/groups/apt/apt
View File

@ -45,10 +45,10 @@ profile apt @{exec_path} flags=(attach_disconnected) {
member={GetConnectionUnixProcessID,GetConnectionUnixUser}
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus send bus=system path=/org/freedesktop/DBus/Bus
dbus send bus=system
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
peer=(name="{:*,org.freedesktop.DBus}"),
@{exec_path} mr,

2
apparmor.d/groups/freedesktop/plymouthd
View File

@ -39,7 +39,7 @@ profile plymouthd @{exec_path} {
@{run}/plymouth/{,**} rw,
@{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
@{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*

2
apparmor.d/groups/freedesktop/xorg
View File

@ -108,7 +108,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+acpi:* r, # for acpi
@{run}/udev/data/+dmi* r, # for ?
@{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
@{run}/udev/data/+i2c:* r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad

2
apparmor.d/groups/gnome/gdm
View File

@ -68,7 +68,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/sessions/* r,
@{run}/systemd/users/@{uid} r,
@{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/+pci:* r,
@{run}/udev/data/c226:@{int} r, # for /dev/dri/card*

2
apparmor.d/groups/gnome/gsd-power
View File

@ -58,7 +58,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm{3,}/greeter-dconf-defaults r,
@{run}/udev/data/+backlight:* r,
@{run}/udev/data/+drm:card* r,
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/+leds:* r,
@{run}/systemd/inhibit/[0-9]*.ref rw,

3
apparmor.d/groups/gnome/nautilus
View File

@ -97,8 +97,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
@{bin}/net rPUx,
@{bin}/tracker3 rPUx,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
@{lib}/gio-launch-desktop rPx -> child-open,
@{open_path} rPx -> child-open,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/libdrm/*.ids r,

4
apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
View File

@ -27,9 +27,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} {
@{bin}/gjs-console r,
@{bin}/xdg-open rPx -> child-open,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
@{lib}/gio-launch-desktop rPx -> child-open,
@{open_path} rPx -> child-open,
/usr/share/sushi/org.gnome.NautilusPreviewer.*.gresource r,

4
apparmor.d/groups/gnome/tracker-miner
View File

@ -78,9 +78,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
@{run}/blkid/blkid.tab r,
@{run}/mount/utab r,
@{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
@{run}/udev/data/c4[0-9]*:@{int} r,
@{run}/udev/data/c5[0-9]*:@{int} r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{PROC}/@{pid}/cmdline r,
@{PROC}/sys/fs/fanotify/max_user_marks r,

17
apparmor.d/groups/network/netplan.script
View File

@ -16,20 +16,21 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
@{lib}/netplan/generate rix,
@{bin}/udevadm rCx -> udevadm,
@{bin}/systemctl rCx -> systemctl,
/usr/share/netplan/{,**} r,
/etc/netplan/{,*} r,
@{run}/NetworkManager/conf.d/10-globally-managed-devices.conf w,
@{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} w,
@{run}/NetworkManager/system-connections/ r,
@{run}/NetworkManager/system-connections/netplan-*.nmconnection w,
@{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} w,
@{run}/systemd/system/ r,
@{run}/systemd/system/netplan-* rw,
@{run}/systemd/system/systemd-networkd.service.wants/ r,
@{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw,
@{run}/udev/rules.d/ r,
@{run}/udev/rules.d/90-netplan.rules{,.@{rand6}} rw,
profile udevadm {
include <abstractions/base>
@ -39,11 +40,21 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
/etc/udev/udev.conf r,
@{run}/udev/control rw,
@{run}/udev/rules.d/90-netplan.rules rw,
@{run}/udev/rules.d/90-netplan.rules.@{rand6} rw,
include if exists <local/netplan.script_udevadm>
}
profile systemctl {
include <abstractions/base>
include <abstractions/systemd-common>
@{bin}/systemctl mr,
include if exists <local/netplan.script_systemctl>
}
include if exists <local/netplan.script>
}

5
apparmor.d/groups/network/nm-online
View File

@ -12,6 +12,11 @@ profile nm-online @{exec_path} {
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.NetworkManager>
dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int}
interface=org.freedesktop.NetworkManager.Connection.Active
member=StateChanged
peer=(name=:*, label=NetworkManager),
@{exec_path} mr,
include if exists <local/nm-online>

2
apparmor.d/groups/systemd/systemd-logind
View File

@ -66,7 +66,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
@{run}/udev/static_node-tags/uaccess/ r,
@{run}/udev/data/+backlight:* r,
@{run}/udev/data/+drm:card[0-9]-* r, # For screen outputs
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+pci:* r,
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features

2
apparmor.d/groups/ubuntu/subiquity-console-conf
View File

@ -56,7 +56,7 @@ profile subiquity-console-conf @{exec_path} {
@{run}/udev/data/+acpi:* r,
@{run}/udev/data/+dmi* r,
@{run}/udev/data/+drm* r,
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+leds:* r,
@{run}/udev/data/+pci:* r,

3
apparmor.d/groups/ubuntu/update-manager
View File

@ -59,6 +59,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
/etc/gtk-3.0/settings.ini r,
/etc/pulse/client.conf r,
/etc/pulse/client.conf.d/{,**} r,
/etc/ubuntu-advantage/uaclient.conf r,
/etc/update-manager/{,**} r,
/boot/ r,
@ -78,9 +79,9 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/inhibit/*.ref w,
@{PROC}/@{pids}/mountinfo r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/@{pids}/mountinfo r,
/dev/ptmx rw,
/dev/shm/ r,

2
apparmor.d/groups/virt/libvirtd
View File

@ -162,7 +162,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+backlight:* r,
@{run}/udev/data/+bluetooth:* r,
@{run}/udev/data/+dmi:id r,
@{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/+hid:* r,
@{run}/udev/data/+input:input@{int} r, # For mouse, keyboard, touchpad
@{run}/udev/data/+leds:* r,

2
apparmor.d/groups/virt/virtnodedevd
View File

@ -48,7 +48,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+backlight:* r,
@{run}/udev/data/+bluetooth:* r,
@{run}/udev/data/+dmi:id r,
@{run}/udev/data/+drm:card[0-9]-* r, # For screen outputs
@{run}/udev/data/+drm:card@{int}-* r, # for screen outputs
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+leds:* r,
@{run}/udev/data/+pci:* r,

1
apparmor.d/profiles-a-f/cups-notifier-dbus
View File

@ -10,6 +10,7 @@ include <tunables/global>
profile cups-notifier-dbus @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/nameservice-strict>
signal (receive) set=(term) peer=cupsd,

1
apparmor.d/profiles-a-f/dleyna-server-service
View File

@ -14,6 +14,7 @@ profile dleyna-server-service @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
@{exec_path} mr,

2
apparmor.d/profiles-g-l/labwc
View File

@ -45,7 +45,7 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/**/uevent r,
@{run}/udev/data/+acpi:* r, # for ?
@{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs
@{run}/udev/data/+drm:card@{int}-* r, # for screen outputs
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
@{run}/udev/data/+pci:* r, # for VGA compatible controller

2
apparmor.d/profiles-m-r/nvtop
View File

@ -27,7 +27,7 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {
owner @{user_config_dirs}/nvtop/{,**} rw,
@{run}/systemd/inhibit/*.ref r,
@{run}/udev/data/+drm:card[0-9]-* r,
@{run}/udev/data/+drm:card@{int}-* r, # for screen outputs
@{run}/udev/data/+pci:* r,
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card*
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511

2
apparmor.d/profiles-s-z/switcheroo-control
View File

@ -19,7 +19,7 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs
@{run}/udev/data/+drm:card@{int}-* r, # for screen outputs
@{run}/udev/data/+pci:* r,
@{run}/udev/data/c226:@{int} r, # for /dev/dri/card*

2
apparmor.d/profiles-s-z/thunderbird
View File

@ -50,7 +50,7 @@ profile thunderbird @{exec_path} {
ptrace peer=@{profile_name},
dbus bind bus=session name=org.mozilla.thunderbird.*,
# dbus: own bus=session name=org.mozilla.thunderbird
dbus receive bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager