mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 00:48:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

refactor(profiles): use @{bin} and @{lib} in profiles (4)

Browse source
This commit is contained in:
Alexandre Pujol 2023-07-09 14:23:22 +01:00
parent 27daa7c9bb
commit 43b0f09b65
Failed to generate hash of commit
173 changed files with 909 additions and 916 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/profiles-a-f/aa-enabled
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aa-enabled
@{exec_path} = @{bin}/aa-enabled
profile aa-enabled @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

4
apparmor.d/profiles-a-f/aa-log
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aa-log
@{exec_path} = @{bin}/aa-log
profile aa-log @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -15,7 +15,7 @@ profile aa-log @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/journalctl rix,
@{bin}/journalctl rix,
/etc/machine-id r,
/etc/nsswitch.conf r,

4
apparmor.d/profiles-a-f/aa-notify
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aa-notify
@{exec_path} = @{bin}/aa-notify
profile aa-notify @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-session-strict>
@ -19,7 +19,7 @@ profile aa-notify @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/ r,
@{bin}/ r,
/etc/apparmor/*.conf r,
/etc/inputrc r,

2
apparmor.d/profiles-a-f/aa-status
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/aa-status /{usr/,}{s,}bin/apparmor_status
@{exec_path} = @{bin}/aa-status @{bin}/apparmor_status
profile aa-status @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/profiles-a-f/acpi
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/acpi
@{exec_path} = @{bin}/acpi
profile acpi @{exec_path} flags=(complain) {
include <abstractions/base>

24
apparmor.d/profiles-a-f/acpi-powerbtn
View file

@ -11,20 +11,20 @@ profile acpi-powerbtn flags=(attach_disconnected) {
/etc/acpi/powerbtn-acpi-support.sh r,
/{usr/,}{s,}bin/killall5 rix,
/{usr/,}{s,}bin/shutdown rix,
/{usr/,}bin/{ba,da,}sh rix,
/{usr/,}bin/{e,}grep rix,
/{usr/,}bin/dbus-send rix,
/{usr/,}bin/pgrep rix,
/{usr/,}bin/pinky rix,
/{usr/,}bin/sed rix,
@{bin}/{ba,da,}sh rix,
@{bin}/{e,}grep rix,
@{bin}/dbus-send rix,
@{bin}/killall5 rix,
@{bin}/pgrep rix,
@{bin}/pinky rix,
@{bin}/sed rix,
@{bin}/shutdown rix,
/etc/acpi/powerbtn.sh rix,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/ps rPx,
@{bin}/systemctl rPx -> child-systemctl,
@{bin}/ps rPx,
/{usr/,}bin/fgconsole rCx,
@{bin}/fgconsole rCx,
/usr/share/acpi-support/** r,
@ -40,7 +40,7 @@ profile acpi-powerbtn flags=(attach_disconnected) {
capability sys_tty_config,
/{usr/,}bin/fgconsole r,
@{bin}/fgconsole r,
/dev/tty rw,
owner /dev/tty[0-9]* rw,

6
apparmor.d/profiles-a-f/acpid
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/acpid
@{exec_path} = @{bin}/acpid
profile acpid @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -18,8 +18,8 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/{ba,da,}sh rix,
/{usr/,}bin/logger rix,
@{bin}/{ba,da,}sh rix,
@{bin}/logger rix,
/etc/acpi/powerbtn-acpi-support.sh rPx -> acpi-powerbtn,

4
apparmor.d/profiles-a-f/adb
View file

@ -7,8 +7,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/adb
@{exec_path} += /{usr/,}lib/android-sdk/platform-tools/adb
@{exec_path} = @{bin}/adb
@{exec_path} += @{lib}/android-sdk/platform-tools/adb
profile adb @{exec_path} {
include <abstractions/base>
include <abstractions/devices-usb>

28
apparmor.d/profiles-a-f/adduser
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/add{user,group}
@{exec_path} = @{bin}/add{user,group}
profile adduser @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -20,21 +20,21 @@ profile adduser @{exec_path} {
capability fsetid,
@{exec_path} r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/find rix,
/{usr/,}bin/rm rix,
@{bin}/{,ba,da}sh rix,
@{bin}/find rix,
@{bin}/rm rix,
/{usr/,}{s,}bin/groupadd rPx,
/{usr/,}{s,}bin/groupdel rPx,
/{usr/,}{s,}bin/useradd rPx,
/{usr/,}{s,}bin/userdel rPx,
/{usr/,}{s,}bin/usermod rPx,
/{usr/,}bin/chage rPx,
/{usr/,}bin/chfn rPx,
/{usr/,}bin/gpasswd rPx,
/{usr/,}bin/passwd rPx,
@{bin}/chage rPx,
@{bin}/chfn rPx,
@{bin}/gpasswd rPx,
@{bin}/groupadd rPx,
@{bin}/groupdel rPx,
@{bin}/passwd rPx,
@{bin}/useradd rPx,
@{bin}/userdel rPx,
@{bin}/usermod rPx,
/etc/{group,passwd,shadow} r,
/etc/adduser.conf r,

45
apparmor.d/profiles-a-f/adequate
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/adequate
@{exec_path} = @{bin}/adequate
profile adequate @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@ -16,25 +16,25 @@ profile adequate @{exec_path} flags=(complain) {
#capability sys_tty_config,
@{exec_path} r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}{s,}bin/ldconfig rix,
@{bin}/ldconfig rix,
# It wants to ldd all binaries/libs in packages.
/{usr/,}bin/ldd rCx -> ldd,
@{bin}/ldd rCx -> ldd,
# Think what to do about this (#FIXME#)
/usr/share/debconf/frontend rPx,
#/usr/share/debconf/frontend rCx -> frontend,
/{usr/,}bin/pkg-config rCx -> pkg-config,
/{usr/,}bin/dpkg rPx -> child-dpkg,
@{bin}/pkg-config rCx -> pkg-config,
@{bin}/dpkg rPx -> child-dpkg,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
@{bin}/dpkg-query rpx,
#
/{usr/,}bin/update-alternatives rPx,
@{bin}/update-alternatives rPx,
/var/lib/adequate/pending rwk,
@ -50,19 +50,18 @@ profile adequate @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/ldd mr,
@{bin}/ldd mr,
/{usr/,}bin/* mr,
/{usr/,}{s,}bin/* mr,
@{bin}/* mr,
/usr/games/* mr,
/{usr/,}lib{,x}{,32,64}/** mr,
/{usr/,}lib/@{multiarch}/** mr,
@{lib}{,x}/** mr,
@{lib}/@{multiarch}/** mr,
/usr/share/** r,
/opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} mr,
/{usr/,}lib/@{multiarch}/ld-*.so rix,
/{usr/,}lib{,x}32/ld-*.so rix,
@{lib}/@{multiarch}/ld-*.so rix,
@{lib}{,x}32/ld-*.so rix,
}
@ -73,13 +72,13 @@ profile adequate @{exec_path} flags=(complain) {
include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}bin/adequate rPx,
@{bin}/adequate rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/locale rix,
@{bin}/{,ba,da}sh rix,
@{bin}/stty rix,
@{bin}/locale rix,
/etc/debconf.conf r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
@ -91,8 +90,8 @@ profile adequate @{exec_path} flags=(complain) {
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
@ -103,7 +102,7 @@ profile adequate @{exec_path} flags=(complain) {
profile pkg-config flags=(complain) {
include <abstractions/base>
/{usr/,}bin/pkg-config mr,
@{bin}/pkg-config mr,
}

4
apparmor.d/profiles-a-f/agetty
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/agetty
@{exec_path} = @{bin}/agetty
profile agetty @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -21,7 +21,7 @@ profile agetty @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/login rPx,
@{bin}/login rPx,
/usr/share/subiquity/console-conf-wrapper rPx, # only:core22

2
apparmor.d/profiles-a-f/amixer
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/amixer
@{exec_path} = @{bin}/amixer
profile amixer @{exec_path} {
include <abstractions/base>
include <abstractions/audio>

6
apparmor.d/profiles-a-f/anacron
View file

@ -6,15 +6,15 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/anacron
@{exec_path} = @{bin}/anacron
profile anacron @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/run-parts rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/run-parts rPx,
/ r,
/etc/anacrontab r,

40
apparmor.d/profiles-a-f/anki
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/anki
@{exec_path} = @{bin}/anki
profile anki @{exec_path} {
include <abstractions/base>
include <abstractions/opencl-intel>
@ -35,18 +35,18 @@ profile anki @{exec_path} {
network netlink raw,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/{usr/,}{s,}bin/ldconfig rix,
@{bin}/ldconfig rix,
/{usr/,}bin/ r,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/mpv rCx -> mpv,
@{bin}/ r,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/xdg-open rCx -> open,
@{bin}/mpv rCx -> mpv,
# For recording sounds while creating decks
/{usr/,}bin/lame rCx -> lame,
@{bin}/lame rCx -> lame,
/{usr/,}lib/@{multiarch}/qt5/libexec/QtWebEngineProcess rix,
@{lib}/@{multiarch}/qt5/libexec/QtWebEngineProcess rix,
/usr/share/qt5/**/*.pak r,
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
@ -128,8 +128,8 @@ profile anki @{exec_path} {
/etc/mime.types r,
# SyncThread
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
@{bin}/{,ba,da}sh rix,
@{bin}/uname rix,
/etc/ r,
/etc/debian_version r,
@ -141,7 +141,7 @@ profile anki @{exec_path} {
owner @{HOME}/.xsession-errors w,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
profile mpv {
@ -152,7 +152,7 @@ profile anki @{exec_path} {
signal (receive) set=(term, kill) peer=anki,
/{usr/,}bin/mpv mr,
@{bin}/mpv mr,
/etc/mpv/encoding-profiles.conf r,
@ -181,7 +181,7 @@ profile anki @{exec_path} {
profile lame {
include <abstractions/base>
/{usr/,}bin/lame mr,
@{bin}/lame mr,
owner @{user_share_dirs}/Anki{,2}/*/collection.media/rec.{mp3,wav} rw,
@ -191,19 +191,19 @@ profile anki @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,

82
apparmor.d/profiles-a-f/anyremote
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/anyremote
@{exec_path} = @{bin}/anyremote
profile anyremote @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -20,45 +20,45 @@ profile anyremote @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/id rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/expr rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/head rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/tail rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/md5sum rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/sleep rix,
/{usr/,}bin/find rix,
@{bin}/{,ba,da}sh rix,
@{bin}/cat rix,
@{bin}/rm rix,
@{bin}/{,e}grep rix,
@{bin}/cut rix,
@{bin}/id rix,
@{bin}/mv rix,
@{bin}/expr rix,
@{bin}/which{,.debianutils} rix,
@{bin}/head rix,
@{bin}/wc rix,
@{bin}/tr rix,
@{bin}/mkdir rix,
@{bin}/tail rix,
@{bin}/{m,g,}awk rix,
@{bin}/sed rix,
@{bin}/md5sum rix,
@{bin}/basename rix,
@{bin}/sleep rix,
@{bin}/find rix,
/{usr/,}bin/convert-im6.q16 rCx -> imagemagic,
/{usr/,}bin/killall rCx -> killall,
/{usr/,}bin/pgrep rCx -> pgrep,
/{usr/,}lib/qt5/bin/qdbus rCx -> qdbus,
/{usr/,}bin/curl rCx -> curl,
@{bin}/convert-im6.q16 rCx -> imagemagic,
@{bin}/killall rCx -> killall,
@{bin}/pgrep rCx -> pgrep,
@{lib}/qt5/bin/qdbus rCx -> qdbus,
@{bin}/curl rCx -> curl,
/{usr/,}bin/pacmd rPx,
/{usr/,}bin/pactl rPx,
/{usr/,}bin/wmctrl rPx,
/{usr/,}bin/qtchooser rPx,
/{usr/,}bin/ps rPx,
@{bin}/pacmd rPx,
@{bin}/pactl rPx,
@{bin}/wmctrl rPx,
@{bin}/qtchooser rPx,
@{bin}/ps rPx,
# Players
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/amarok rPx,
/{usr/,}bin/vlc rPx,
/{usr/,}bin/mpv rPx,
/{usr/,}bin/strawberry rPx,
@{bin}/smplayer rPx,
@{bin}/amarok rPx,
@{bin}/vlc rPx,
@{bin}/mpv rPx,
@{bin}/strawberry rPx,
owner /tmp/amarok_covers/ rw,
owner /tmp/*.png rw,
@ -80,7 +80,7 @@ profile anyremote @{exec_path} {
profile imagemagic {
include <abstractions/base>
/{usr/,}bin/convert-im6.q16 mr,
@{bin}/convert-im6.q16 mr,
/usr/share/ImageMagick-[0-9]/*.xml rw,
/etc/ImageMagick-[0-9]/*.xml r,
@ -107,7 +107,7 @@ profile anyremote @{exec_path} {
ptrace (read),
/{usr/,}bin/killall mr,
@{bin}/killall mr,
# The /proc/ dir is needed to avoid the following error:
# /proc: Permission denied
@ -125,7 +125,7 @@ profile anyremote @{exec_path} {
signal (send) set=(term, kill),
/{usr/,}bin/pgrep mr,
@{bin}/pgrep mr,
# The /proc/ dir and the cmdline have to be radable to avoid pgrep segfault.
@{PROC}/ r,
@ -143,14 +143,14 @@ profile anyremote @{exec_path} {
include <abstractions/openssl>
include <abstractions/ssl_certs>
/{usr/,}bin/curl mr,
@{bin}/curl mr,
}
profile qdbus {
include <abstractions/base>
/{usr/,}lib/qt5/bin/qdbus mr,
@{lib}/qt5/bin/qdbus mr,
}

2
apparmor.d/profiles-a-f/aplay
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aplay
@{exec_path} = @{bin}/aplay
profile aplay @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/audio>

24
apparmor.d/profiles-a-f/apparmor.systemd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/apparmor/apparmor.systemd
@{exec_path} = @{lib}/apparmor/apparmor.systemd
profile apparmor.systemd @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -15,18 +15,18 @@ profile apparmor.systemd @{exec_path} flags=(complain) {
@{exec_path} mr,
/{usr/,}{s,}bin/aa-status rPx,
/{usr/,}{s,}bin/apparmor_parser rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/getconf rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/systemd-detect-virt rPx,
/{usr/,}bin/xargs rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/aa-status rPx,
@{bin}/apparmor_parser rPx,
@{bin}/getconf rix,
@{bin}/ls rix,
@{bin}/sed rix,
@{bin}/sort rix,
@{bin}/systemd-detect-virt rPx,
@{bin}/xargs rix,
/{usr/,}lib/apparmor/rc.apparmor.functions r,
@{lib}/apparmor/rc.apparmor.functions r,
/etc/apparmor.d/ r,

2
apparmor.d/profiles-a-f/apparmor_parser
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/apparmor_parser
@{exec_path} = @{bin}/apparmor_parser
profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>

10
apparmor.d/profiles-a-f/appstreamcli
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/appstreamcli
@{exec_path} = @{bin}/appstreamcli
profile appstreamcli @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@ -18,9 +18,9 @@ profile appstreamcli @{exec_path} flags=(complain) {
@{exec_path} mr,
/{usr/,}bin/curl rCx -> curl,
/{usr/,}bin/gzip rix,
/{usr/,}bin/tar rix,
@{bin}/curl rCx -> curl,
@{bin}/gzip rix,
@{bin}/tar rix,
/usr/share/app-info/{,**} r,
/usr/share/appdata/ r,
@ -68,7 +68,7 @@ profile appstreamcli @{exec_path} flags=(complain) {
include <abstractions/openssl>
include <abstractions/ssl_certs>
/{usr/,}bin/curl mr,
@{bin}/curl mr,
include if exists <local/appstreamcli_curl>
}

8
apparmor.d/profiles-a-f/arandr
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/arandr
@{exec_path} = @{bin}/arandr
profile arandr @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
@ -18,10 +18,10 @@ profile arandr @{exec_path} {
include <abstractions/nameservice-strict>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/xrandr rPx,
@{bin}/ r,
@{bin}/xrandr rPx,
owner @{HOME}/.screenlayout/ rw,

6
apparmor.d/profiles-a-f/archivemount
View file

@ -6,13 +6,13 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/archivemount
@{exec_path} = @{bin}/archivemount
profile archivemount @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
@{bin}/fusermount{,3} rCx -> fusermount,
/**.{tar,tar.gz,zip} r,
/**.{TAR,TAR.GZ,ZIP} r,
@ -36,7 +36,7 @@ profile archivemount @{exec_path} {
# To mount anything:
capability sys_admin,
/{usr/,}bin/fusermount{,3} mr,
@{bin}/fusermount{,3} mr,
mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/,
mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/*/,

42
apparmor.d/profiles-a-f/arduino
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/arduino
@{exec_path} = @{bin}/arduino
profile arduino @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -29,22 +29,22 @@ profile arduino @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/id rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/groups rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/avrdude rix,
@{bin}/{,ba,da}sh rix,
@{bin}/id rix,
@{bin}/{,e}grep rix,
@{bin}/groups rix,
@{bin}/sed rix,
@{bin}/cat rix,
@{bin}/chmod rix,
@{bin}/avrdude rix,
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/xdg-open rCx -> open,
/{usr/,}bin/dpkg-architecture rPx,
/{usr/,}bin/arduino-builder rPx,
@{bin}/dpkg-architecture rPx,
@{bin}/arduino-builder rPx,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/bin/java rix,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/lib/server/classes.jsa mr,
@{lib}/jvm/java-[0-9]*-openjdk-*/bin/java rix,
@{lib}/jvm/java-[0-9]*-openjdk-*/lib/server/classes.jsa mr,
/usr/share/java/*.jar r,
/etc/java-[0-9]*-openjdk/** r,
/etc/ssl/certs/java/cacerts r,
@ -113,20 +113,20 @@ profile arduino @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
/{usr/,}bin/spacefm rPUx,
@{lib}/firefox/firefox rPUx,
@{bin}/spacefm rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,

36
apparmor.d/profiles-a-f/arduino-builder
View file

@ -6,30 +6,30 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/arduino-builder
@{exec_path} = @{bin}/arduino-builder
profile arduino-builder @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/ r,
/{usr/,}bin/avr-g++ rix,
/{usr/,}bin/avr-gcc rix,
/{usr/,}bin/avr-gcc-ar rix,
/{usr/,}bin/avr-size rix,
/{usr/,}bin/avrdude rix,
/{usr/,}lib/gcc/avr/[0-9]*/cc1plus rix,
/{usr/,}lib/gcc/avr/[0-9]*/cc1 rix,
/{usr/,}lib/gcc/avr/[0-9]*/collect2 rix,
/{usr/,}lib/gcc/avr/[0-9]*/lto-wrapper rix,
/{usr/,}lib/gcc/avr/[0-9]*/lto1 rix,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
/{usr/,}lib/avr/bin/as rix,
/{usr/,}lib/avr/bin/ar rix,
/{usr/,}lib/avr/bin/ld rix,
/{usr/,}lib/avr/bin/objcopy rix,
@{bin}/ r,
@{bin}/avr-g++ rix,
@{bin}/avr-gcc rix,
@{bin}/avr-gcc-ar rix,
@{bin}/avr-size rix,
@{bin}/avrdude rix,
@{lib}/gcc/avr/[0-9]*/cc1plus rix,
@{lib}/gcc/avr/[0-9]*/cc1 rix,
@{lib}/gcc/avr/[0-9]*/collect2 rix,
@{lib}/gcc/avr/[0-9]*/lto-wrapper rix,
@{lib}/gcc/avr/[0-9]*/lto1 rix,
@{lib}/llvm-[0-9]*/bin/clang rix,
@{lib}/avr/bin/as rix,
@{lib}/avr/bin/ar rix,
@{lib}/avr/bin/ld rix,
@{lib}/avr/bin/objcopy rix,
/{usr/,}bin/arduino-ctags rPx,
@{bin}/arduino-ctags rPx,
/usr/share/arduino/{,**} r,
/usr/share/arduino-builder/{,**} r,

2
apparmor.d/profiles-a-f/arduino-ctags
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/arduino-ctags
@{exec_path} = @{bin}/arduino-ctags
profile arduino-ctags @{exec_path} {
include <abstractions/base>

2
apparmor.d/profiles-a-f/aspell
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aspell
@{exec_path} = @{bin}/aspell
profile aspell @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>

36
apparmor.d/profiles-a-f/aspell-autobuildhash
View file

@ -6,25 +6,25 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/aspell-autobuildhash
@{exec_path} = @{bin}/aspell-autobuildhash
profile aspell-autobuildhash @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/precat rix,
/{usr/,}bin/zcat rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/prezip-bin rix,
@{bin}/{,ba,da}sh rix,
@{bin}/basename rix,
@{bin}/gzip rix,
@{bin}/precat rix,
@{bin}/prezip-bin rix,
@{bin}/which{,.debianutils} rix,
@{bin}/zcat rix,
/{usr/,}bin/dpkg-trigger rPx,
/{usr/,}bin/aspell rPx,
@{bin}/dpkg-trigger rPx,
@{bin}/aspell rPx,
# Think what to do about this (#FIXME#)
/usr/share/debconf/frontend rPx,
@ -46,13 +46,13 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) {
include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}sbin/aspell-autobuildhash rPx,
@{bin}/aspell-autobuildhash rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/locale rix,
@{bin}/{,ba,da}sh rix,
@{bin}/stty rix,
@{bin}/locale rix,
/etc/debconf.conf r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
@ -63,8 +63,8 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) {
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,

6
apparmor.d/profiles-a-f/atd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/atd
@{exec_path} = @{bin}/atd
profile atd @{exec_path} {
include <abstractions/base>
include <abstractions/authentication>
@ -26,8 +26,8 @@ profile atd @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}{s,}bin/sendmail rPUx,
@{bin}/{,ba,da}sh rix,
@{bin}/sendmail rPUx,
@{etc_ro}/environment r,
@{etc_ro}/security/limits.d/ r,

2
apparmor.d/profiles-a-f/atftpd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/atftpd
@{exec_path} = @{bin}/atftpd
profile atftpd @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice>

12
apparmor.d/profiles-a-f/atril
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/atril{,-*}
@{exec_path} = @{bin}/atril{,-*}
profile atril @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
@ -64,12 +64,12 @@ profile atril @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/atril-previewer rPx,
@{bin}/atril-previewer rPx,
/{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix,
/{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix,
@{lib}/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix,
@{lib}/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix,
/usr/share/atril/{,**} r,
/usr/share/poppler/{,**} r,
@ -110,7 +110,7 @@ profile atril @{exec_path} {
include if exists <local/atril>
}
profile /{usr/,}bin/atril-previewer {
profile @{bin}/atril-previewer {
include <abstractions/base>
include if exists <local/atril-previewer>

2
apparmor.d/profiles-a-f/atrild
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/atril/atrild
@{exec_path} = @{lib}/atril/atrild
profile atrild @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-session-strict>

2
apparmor.d/profiles-a-f/auditctl
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/auditctl
@{exec_path} = @{bin}/auditctl
profile auditctl @{exec_path} {
include <abstractions/base>

2
apparmor.d/profiles-a-f/auditd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/auditd
@{exec_path} = @{bin}/auditd
profile auditd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>

20
apparmor.d/profiles-a-f/augenrules
View file

@ -6,22 +6,22 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/augenrules
@{exec_path} = @{bin}/augenrules
profile augenrules @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@{exec_path} mr,
/{usr/,}bin/auditctl rPx,
/{usr/,}bin/chmod rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
@{bin}/auditctl rPx,
@{bin}/chmod rix,
@{bin}/cmp rix,
@{bin}/cp rix,
@{bin}/gawk rix,
@{bin}/grep rix,
@{bin}/ls rix,
@{bin}/mktemp rix,
@{bin}/rm rix,
/etc/audit/audit.rules rw,
/etc/audit/rules.d/ r,

2
apparmor.d/profiles-a-f/badblocks
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/badblocks
@{exec_path} = @{bin}/badblocks
profile badblocks @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>

2
apparmor.d/profiles-a-f/biosdecode
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/biosdecode
@{exec_path} = @{bin}/biosdecode
profile biosdecode @{exec_path} {
include <abstractions/base>

18
apparmor.d/profiles-a-f/birdtray
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/birdtray
@{exec_path} = @{bin}/birdtray
profile birdtray @{exec_path} {
include <abstractions/base>
include <abstractions/X>
@ -28,9 +28,9 @@ profile birdtray @{exec_path} {
@{exec_path} mr,
# To be able to start Thunderbird
/{usr/,}bin/thunderbird rPx,
@{bin}/thunderbird rPx,
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/xdg-open rCx -> open,
/usr/share/ulduzsoft/birdtray/{,**} r,
@ -76,19 +76,19 @@ profile birdtray @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,

16
apparmor.d/profiles-a-f/blkdeactivate
View file

@ -7,20 +7,20 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/blkdeactivate
@{exec_path} = @{bin}/blkdeactivate
profile blkdeactivate @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
@{exec_path} rm,
/{usr/,}{s,}bin/multipathd rPx,
/{usr/,}{s,}bin/dmsetup rPUx,
/{usr/,}{s,}bin/lvm rPx,
/{usr/,}bin/grep rix,
/{usr/,}bin/lsblk rPx,
/{usr/,}bin/sort rix,
/{usr/,}bin/umount rPx,
@{bin}/dmsetup rPUx,
@{bin}/grep rix,
@{bin}/lsblk rPx,
@{bin}/lvm rPx,
@{bin}/multipathd rPx,
@{bin}/sort rix,
@{bin}/umount rPx,
@{sys}/devices/virtual/block/*/holders/ r,

2
apparmor.d/profiles-a-f/blkid
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/blkid
@{exec_path} = @{bin}/blkid
profile blkid @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/profiles-a-f/blockdev
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/blockdev
@{exec_path} = @{bin}/blockdev
profile blockdev @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>

34
apparmor.d/profiles-a-f/blueman
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/blueman-*
@{exec_path} = @{bin}/blueman-*
profile blueman @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio>
@ -31,11 +31,11 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix,
/{usr/,}bin/{b,d}ash rix,
/{usr/,}lib/gio-launch-desktop rix,
@{bin}/{b,d}ash rix,
@{lib}/gio-launch-desktop rix,
/{usr/,}bin/blueman-tray rPx,
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/blueman-tray rPx,
@{bin}/xdg-open rCx -> open,
/usr/share/blueman/{,**} r,
/usr/share/X11/xkb/{,**} r,
@ -75,21 +75,21 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/dbus-send rix,
/{usr/,}bin/file rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/mimetype rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/xprop rix,
@{bin}/{,ba,da}sh rix,
@{bin}/basename rix,
@{bin}/dbus-send rix,
@{bin}/file rix,
@{bin}/{m,g,}awk rix,
@{bin}/mimetype rix,
@{bin}/readlink rix,
@{bin}/uname rix,
@{bin}/xprop rix,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/spacefm rPx,
@{lib}/firefox/firefox rPx,
@{bin}/spacefm rPx,
/usr/share/perl5/** r,

14
apparmor.d/profiles-a-f/blueman-mechanism
View file

@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/blueman-mechanism
@{exec_path} += /{usr/,}lib/blueman/blueman-mechanism
@{exec_path} = @{lib}/blueman-mechanism
@{exec_path} += @{lib}/blueman/blueman-mechanism
profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/python>
@ -23,7 +23,7 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{libexec}/ r,
@{lib}/ r,
/var/lib/blueman/network.state rw,
@ -33,10 +33,10 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
/dev/rfkill rw,
# For network AP
#/{usr/,}bin/ip rix,
#/{usr/,}{s,}bin/xtables-nft-multi rix,
#/{usr/,}{s,}bin/dnsmasq rPx,
#/{usr/,}{s,}bin/dhclient rPx,
#@{bin}/ip rix,
#@{bin}/xtables-nft-multi rix,
#@{bin}/dnsmasq rPx,
#@{bin}/dhclient rPx,
# @{PROC}/sys/net/ipv4/ip_forward w,
# @{PROC}/sys/net/ipv4/conf/ r,
# @{PROC}/sys/net/ipv4/conf/*/forwarding w,

4
apparmor.d/profiles-a-f/blueman-rfcomm-watcher
View file

@ -6,14 +6,14 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/blueman-rfcomm-watcher
@{exec_path} = @{lib}/blueman-rfcomm-watcher
profile blueman-rfcomm-watcher @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@{exec_path} r,
@{libexec}/ r,
@{lib}/ r,
owner @{PROC}/@{pid}/mounts r,

2
apparmor.d/profiles-a-f/bluemoon
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/bluemoon
@{exec_path} = @{bin}/bluemoon
profile bluemoon @{exec_path} {
include <abstractions/base>

2
apparmor.d/profiles-a-f/bluetoothctl
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/bluetoothctl
@{exec_path} = @{bin}/bluetoothctl
profile bluetoothctl @{exec_path} {
include <abstractions/base>

4
apparmor.d/profiles-a-f/bluetoothd
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/bluetooth/bluetoothd
@{exec_path} = @{lib}/bluetooth/bluetoothd
profile bluetoothd @{exec_path} {
include <abstractions/base>
@ -23,7 +23,7 @@ profile bluetoothd @{exec_path} {
@{exec_path} mr,
/{usr/,}lib/@{multiarch}/bluetooth/plugins/*.so mr,
@{lib}/@{multiarch}/bluetooth/plugins/*.so mr,
/etc/bluetooth/{,*.conf} r,

2
apparmor.d/profiles-a-f/bmon
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/bmon
@{exec_path} = @{bin}/bmon
profile bmon @{exec_path} {
include <abstractions/base>

2
apparmor.d/profiles-a-f/boltd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/boltd
@{exec_path} = @{lib}/boltd
profile boltd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>

32
apparmor.d/profiles-a-f/borg
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/borg
@{exec_path} = @{bin}/borg
profile borg @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@ -22,18 +22,18 @@ profile borg @{exec_path} {
@{exec_path} r,
/{usr/,}bin/ r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/ r,
@{bin}/python3.[0-9]* r,
/{usr/,}bin/uname rix,
/{usr/,}bin/cat rix,
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/{,@{multiarch}-}ld.bfd rix,
@{bin}/{,@{multiarch}-}ld.bfd rix,
@{bin}/cat rix,
@{bin}/ldconfig rix,
@{bin}/uname rix,
/{usr/,}bin/pass rPUx,
/{usr/,}bin/ssh rPx,
/{usr/,}bin/ccache rCx -> ccache,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
@{bin}/pass rPUx,
@{bin}/ssh rPx,
@{bin}/ccache rCx -> ccache,
@{bin}/fusermount{,3} rCx -> fusermount,
mount fstype=fuse -> @{MOUNTS}/,
mount fstype=fuse -> @{MOUNTS}/*/,
@ -91,11 +91,11 @@ profile borg @{exec_path} {
profile ccache {
include <abstractions/base>
/{usr/,}bin/ccache mr,
@{bin}/ccache mr,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix,
@{lib}/llvm-[0-9]*/bin/clang rix,
@{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
@{bin}/{,@{multiarch}-}g++-[0-9]* rix,
/media/ccache/*/** rw,
@ -110,7 +110,7 @@ profile borg @{exec_path} {
# To mount anything:
capability sys_admin,
/{usr/,}bin/fusermount{,3} mr,
@{bin}/fusermount{,3} mr,
/etc/fuse.conf r,

6
apparmor.d/profiles-a-f/browserpass
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/browserpass
@{exec_path} = @{bin}/browserpass
profile browserpass @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -15,7 +15,7 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/gpg{2,} rCx -> gpg,
@{bin}/gpg{2,} rCx -> gpg,
owner @{HOME}/.password-store/{,**} r,
owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/.parentlock rw,
@ -45,7 +45,7 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
capability dac_read_search,
/{usr/,}bin/gpg{,2} mr,
@{bin}/gpg{,2} mr,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,

2
apparmor.d/profiles-a-f/btrfs
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/{btrfs,btrfsck}
@{exec_path} = @{bin}/{btrfs,btrfsck}
profile btrfs @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>

2
apparmor.d/profiles-a-f/btrfs-convert
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/btrfs-convert
@{exec_path} = @{bin}/btrfs-convert
profile btrfs-convert @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>

2
apparmor.d/profiles-a-f/btrfs-find-root
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/btrfs-find-root
@{exec_path} = @{bin}/btrfs-find-root
profile btrfs-find-root @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>

2
apparmor.d/profiles-a-f/btrfs-image
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/btrfs-image
@{exec_path} = @{bin}/btrfs-image
profile btrfs-image @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>

2
apparmor.d/profiles-a-f/btrfs-map-logical
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/btrfs-map-logical
@{exec_path} = @{bin}/btrfs-map-logical
profile btrfs-map-logical @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>

2
apparmor.d/profiles-a-f/btrfs-select-super
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/btrfs-select-super
@{exec_path} = @{bin}/btrfs-select-super
profile btrfs-select-super @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>

2
apparmor.d/profiles-a-f/btrfstune
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/btrfstune
@{exec_path} = @{bin}/btrfstune
profile btrfstune @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>

20
apparmor.d/profiles-a-f/cawbird
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/cawbird
@{exec_path} = @{bin}/cawbird
profile cawbird @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
@ -28,10 +28,10 @@ profile cawbird @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/exo-open rCx -> open,
@{bin}/xdg-open rCx -> open,
@{bin}/exo-open rCx -> open,
owner @{user_config_dirs}/cawbird/ rw,
owner @{user_config_dirs}/cawbird/** rwk,
@ -51,19 +51,19 @@ profile cawbird @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,

2
apparmor.d/profiles-a-f/cc-remote-login-helper
View file

@ -5,7 +5,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/cc-remote-login-helper
@{exec_path} = @{lib}/cc-remote-login-helper
profile cc-remote-login-helper @{exec_path} {
include <abstractions/base>

4
apparmor.d/profiles-a-f/ccze
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ccze
@{exec_path} = @{bin}/ccze
profile ccze @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -14,7 +14,7 @@ profile ccze @{exec_path} {
@{exec_path} mr,
/{usr/,}lib/@{multiarch}/ccze/*.so mr,
@{lib}/@{multiarch}/ccze/*.so mr,
/etc/cczerc r,

4
apparmor.d/profiles-a-f/cert-sync
View file

@ -6,13 +6,13 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/cert-sync
@{exec_path} = @{bin}/cert-sync
profile cert-sync @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/mono-sgen rPx,
@{bin}/mono-sgen rPx,
include if exists <local/cert-sync>
}

2
apparmor.d/profiles-a-f/cfdisk
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/cfdisk
@{exec_path} = @{bin}/cfdisk
profile cfdisk @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>

2
apparmor.d/profiles-a-f/cgdisk
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/cgdisk
@{exec_path} = @{bin}/cgdisk
profile cgdisk @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>

2
apparmor.d/profiles-a-f/cgrulesengd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/cgrulesengd
@{exec_path} = @{bin}/cgrulesengd
profile cgrulesengd @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>

2
apparmor.d/profiles-a-f/chage
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/chage
@{exec_path} = @{bin}/chage
profile chage @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

14
apparmor.d/profiles-a-f/changestool
View file

@ -6,15 +6,15 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/changestool
@{exec_path} = @{bin}/changestool
profile changestool @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/gpg{,2} rCx -> gpg,
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/gpgconf rCx -> gpg,
@{bin}/gpgsm rCx -> gpg,
owner @{PROC}/@{pid}/fd/ r,
@ -25,9 +25,9 @@ profile changestool @{exec_path} {
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpg{,2} mr,
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpgsm mr,
@{bin}/gpg{,2} mr,
@{bin}/gpgconf mr,
@{bin}/gpgsm mr,
owner @{HOME}/@{XDG_GPG_DIR}/ r,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,

22
apparmor.d/profiles-a-f/check-bios-nx
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/check-bios-nx
@{exec_path} = @{bin}/check-bios-nx
profile check-bios-nx @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -16,15 +16,15 @@ profile check-bios-nx @{exec_path} {
capability dac_override,
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/getopt rix,
@{bin}/uname rix,
@{bin}/{,e}grep rix,
@{bin}/getopt rix,
/{usr/,}bin/kmod rCx -> kmod,
@{bin}/kmod rCx -> kmod,
/{usr/,}{s,}bin/rdmsr rPx,
@{bin}/rdmsr rPx,
owner @{PROC}/@{pid}/fd/2 w,
@ -32,13 +32,13 @@ profile check-bios-nx @{exec_path} {
profile kmod {
include <abstractions/base>
/{usr/,}bin/kmod mr,
@{bin}/kmod mr,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
/{usr/,}lib/modprobe.d/ r,
/{usr/,}lib/modprobe.d/*.conf r,
/{usr/,}lib/modules/*/modules.* r,
@{lib}/modprobe.d/ r,
@{lib}/modprobe.d/*.conf r,
@{lib}/modules/*/modules.* r,
@{PROC}/cmdline r,

60
apparmor.d/profiles-a-f/check-support-status
View file

@ -6,46 +6,46 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/check-support-status
@{exec_path} = @{bin}/check-support-status
profile check-support-status @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} rix,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/ r,
/{usr/,}bin/gettext.sh r,
/{usr/,}bin/cat rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/date rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/fold rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/comm rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/find rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/head rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/envsubst rix,
/{usr/,}bin/dirname rix,
@{bin}/ r,
@{bin}/gettext.sh r,
@{bin}/cat rix,
@{bin}/{,e}grep rix,
@{bin}/cut rix,
@{bin}/date rix,
@{bin}/getopt rix,
@{bin}/fold rix,
@{bin}/mktemp rix,
@{bin}/rm rix,
@{bin}/comm rix,
@{bin}/mkdir rix,
@{bin}/mv rix,
@{bin}/find rix,
@{bin}/wc rix,
@{bin}/basename rix,
@{bin}/{m,g,}awk rix,
@{bin}/sort rix,
@{bin}/head rix,
@{bin}/gettext rix,
@{bin}/sed rix,
@{bin}/envsubst rix,
@{bin}/dirname rix,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
@{bin}/dpkg-query rpx,
/{usr/,}bin/dpkg rPx -> child-dpkg,
@{bin}/dpkg rPx -> child-dpkg,
/{usr/,}bin/debconf-escape rCx -> debconf-escape,
@{bin}/debconf-escape rCx -> debconf-escape,
/etc/debian_version r,
@ -69,8 +69,8 @@ profile check-support-status @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
/{usr/,}bin/debconf-escape r,
/{usr/,}bin/perl r,
@{bin}/debconf-escape r,
@{bin}/perl r,
owner /tmp/debian-security-support.postinst.*/output r,

46
apparmor.d/profiles-a-f/check-support-status-hook
View file

@ -13,20 +13,20 @@ profile check-support-status-hook @{exec_path} {
include <abstractions/nameservice-strict>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/ r,
/{usr/,}bin/getent rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/chown rix,
/{usr/,}bin/stat rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
@{bin}/ r,
@{bin}/getent rix,
@{bin}/mkdir rix,
@{bin}/chown rix,
@{bin}/stat rix,
@{bin}/mktemp rix,
@{bin}/rm rix,
/{usr/,}sbin/adduser rPx,
/{usr/,}bin/check-support-status rPx,
/{usr/,}bin/debconf-escape rCx -> debconf-escape,
/{usr/,}sbin/runuser rCx -> runuser,
@{bin}/adduser rPx,
@{bin}/check-support-status rPx,
@{bin}/debconf-escape rCx -> debconf-escape,
@{bin}/runuser rCx -> runuser,
# Think what to do about this (#FIXME#)
/usr/share/debconf/frontend rPx,
@ -51,8 +51,8 @@ profile check-support-status-hook @{exec_path} {
include <abstractions/consoles>
include <abstractions/perl>
/{usr/,}bin/debconf-escape r,
/{usr/,}bin/perl r,
@{bin}/debconf-escape r,
@{bin}/perl r,
/tmp/ r,
owner /tmp/debian-security-support.postinst.*/output r,
@ -66,14 +66,14 @@ profile check-support-status-hook @{exec_path} {
include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/usr/share/debian-security-support/ r,
/usr/share/debian-security-support/check-support-status.hook rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/locale rix,
@{bin}/{,ba,da}sh rix,
@{bin}/stty rix,
@{bin}/locale rix,
/etc/debconf.conf r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
@ -84,8 +84,8 @@ profile check-support-status-hook @{exec_path} {
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
@ -110,11 +110,11 @@ profile check-support-status-hook @{exec_path} {
# To write records to the kernel auditing log.
capability audit_write,
/{usr/,}sbin/runuser mr,
@{bin}/runuser mr,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/check-support-status rPx,
@{bin}/check-support-status rPx,
owner @{PROC}/@{pids}/loginuid r,
@{PROC}/1/limits r,

2
apparmor.d/profiles-a-f/chfn
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/chfn
@{exec_path} = @{bin}/chfn
profile chfn @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/profiles-a-f/chronyd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/chronyd
@{exec_path} = @{bin}/chronyd
profile chronyd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>

2
apparmor.d/profiles-a-f/chsh
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/chsh
@{exec_path} = @{bin}/chsh
profile chsh @{exec_path} {
include <abstractions/base>
include <abstractions/wutmp>

24
apparmor.d/profiles-a-f/claws-mail
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/claws-mail
@{exec_path} = @{bin}/claws-mail
profile claws-mail @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/audio>
@ -23,16 +23,16 @@ profile claws-mail @{exec_path} flags=(complain) {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
@{bin}/{,ba,da}sh rix,
@{bin}/which{,.debianutils} rix,
/{usr/,}bin/gpg{,2} rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg,
/{usr/,}bin/gpgconf rCx -> gpg,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/gpgsm rCx -> gpg,
@{bin}/gpgconf rCx -> gpg,
/{usr/,}bin/orage rPUx,
/{usr/,}{s,}bin/exim4 rPUx,
/{usr/,}bin/geany rPUx,
@{bin}/orage rPUx,
@{bin}/exim4 rPUx,
@{bin}/geany rPUx,
/usr/share/publicsuffix/*.dafsa r,
/usr/share/sounds/freedesktop/stereo/*.oga r,
@ -60,9 +60,9 @@ profile claws-mail @{exec_path} flags=(complain) {
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpg{,2} mr,
/{usr/,}bin/gpgsm mr,
/{usr/,}bin/gpgconf mr,
@{bin}/gpg{,2} mr,
@{bin}/gpgsm mr,
@{bin}/gpgconf mr,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,

12
apparmor.d/profiles-a-f/code-askpass
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/code/extensions/git/dist/askpass.sh
@{exec_path} = @{lib}/code/extensions/git/dist/askpass.sh
profile code-askpass @{exec_path} {
include <abstractions/base>
@ -15,11 +15,11 @@ profile code-askpass @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}lib/electron[0-9]*/electron rUx,
@{bin}/{,ba,da}sh rix,
@{bin}/cat rix,
@{bin}/mktemp rix,
@{bin}/rm rix,
@{lib}/electron[0-9]*/electron rUx,
/usr/share/terminfo/x/xterm-256color r,

6
apparmor.d/profiles-a-f/code-git-editor
View file

@ -6,14 +6,14 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/code/extensions/git/dist/git-editor.sh
@{exec_path} = @{lib}/code/extensions/git/dist/git-editor.sh
profile code-git-editor @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}lib/electron[0-9]*/electron rUx,
@{bin}/{,ba,da}sh rix,
@{lib}/electron[0-9]*/electron rUx,
/dev/tty rw,

2
apparmor.d/profiles-a-f/compton
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/compton
@{exec_path} = @{bin}/compton
profile compton @{exec_path} {
include <abstractions/base>

64
apparmor.d/profiles-a-f/conky
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/conky
@{exec_path} = @{bin}/conky
profile conky @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -32,36 +32,36 @@ profile conky @{exec_path} {
@{exec_path} mr,
# Needed tools to render conky output
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/uniq rix,
/{usr/,}bin/head rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/date rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sleep rix,
@{bin}/{,ba,da}sh rix,
@{bin}/cp rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/{,e}grep rix,
@{bin}/{m,g,}awk rix,
@{bin}/tr rix,
@{bin}/uniq rix,
@{bin}/head rix,
@{bin}/cut rix,
@{bin}/date rix,
@{bin}/cat rix,
@{bin}/wc rix,
@{bin}/sed rix,
@{bin}/sleep rix,
# For external IP address
#/{usr/,}bin/dig rix,
#@{bin}/dig rix,
#owner @{PROC}/@{pid}/task/@{tid}/comm rw,
# To remove the following error:
# .conky/Accuweather_conky_script/accuweather: line 917: /usr/bin/pkill: Permission denied
/{usr/,}bin/pgrep rix,
@{bin}/pgrep rix,
@{PROC}/sys/kernel/osrelease r,
# Browsers to fetch remote content
/{usr/,}bin/wget rCx -> browse,
/{usr/,}bin/curl rCx -> browse,
/{usr/,}bin/lynx rCx -> browse,
/{usr/,}bin/w3m rCx -> browse,
@{bin}/wget rCx -> browse,
@{bin}/curl rCx -> browse,
@{bin}/lynx rCx -> browse,
@{bin}/w3m rCx -> browse,
# Conky home files
owner @{HOME}/ r,
@ -69,13 +69,13 @@ profile conky @{exec_path} {
owner @{HOME}/.conky/** rw,
# Display images (graphic) inside of the conky window
/{usr/,}lib/@{multiarch}/imlib2/loaders/*.so mr,
@{lib}/@{multiarch}/imlib2/loaders/*.so mr,
# Get the PRETTY_NAME name from /etc/os-release link
/etc/ r,
# Get the kernel version and its architecture via "uname -r"
/{usr/,}bin/uname rix,
@{bin}/uname rix,
# Display machine's hostname
/etc/hostname r,
@ -127,17 +127,17 @@ profile conky @{exec_path} {
/dev/shm/#[0-9]*[0-9] rw,
# Temperatures and Fans
/{usr/,}bin/sensors rPUx,
@{bin}/sensors rPUx,
@{sys}/devices/**/hwmon[0-9]*/temp[0-9]*_input r,
@{sys}/devices/**/hwmon/hwmon[0-9]*/temp[0-9]*_input r,
@{sys}/class/hwmon/ r,
@{PROC}/acpi/ibm/fan r,
# Display network data transfer status
/{usr/,}bin/vnstat rPUx,
@{bin}/vnstat rPUx,
# Display Secure Boot status
/{usr/,}bin/mokutil rPUx,
@{bin}/mokutil rPUx,
@{PROC}/@{pid}/net/route r,
@ -163,12 +163,12 @@ profile conky @{exec_path} {
network inet6 stream,
network netlink raw,
/{usr/,}bin/wget mr,
/{usr/,}bin/curl mr,
/{usr/,}bin/lynx mr,
/{usr/,}bin/w3m mr,
@{bin}/wget mr,
@{bin}/curl mr,
@{bin}/lynx mr,
@{bin}/w3m mr,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/etc/mime.types r,
/etc/mailcap r,

6
apparmor.d/profiles-a-f/convertall
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/convertall /usr/share/convertall/convertall.py
@{exec_path} = @{bin}/convertall /usr/share/convertall/convertall.py
profile convertall @{exec_path} {
include <abstractions/base>
include <abstractions/X>
@ -21,9 +21,9 @@ profile convertall @{exec_path} {
include <abstractions/nameservice-strict>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/python3.[0-9]* rix,
@{bin}/python3.[0-9]* rix,
owner @{HOME}/.convertall rw,

2
apparmor.d/profiles-a-f/cppw-cpgr
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/cp{pw,gr}
@{exec_path} = @{bin}/cp{pw,gr}
profile cppw-cpgr @{exec_path} {
include <abstractions/base>

2
apparmor.d/profiles-a-f/cpuid
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/cpuid
@{exec_path} = @{bin}/cpuid
profile cpuid @{exec_path} {
include <abstractions/base>

2
apparmor.d/profiles-a-f/cracklib-packer
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/cracklib-packer
@{exec_path} = @{bin}/cracklib-packer
profile cracklib-packer @{exec_path} {
include <abstractions/base>

2
apparmor.d/profiles-a-f/crda
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/crda
@{exec_path} = @{bin}/crda
profile crda @{exec_path} {
include <abstractions/base>

2
apparmor.d/profiles-a-f/cups-backend-beh
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/beh
@{exec_path} = @{lib}/cups/backend/beh
profile cups-backend-beh @{exec_path} {
include <abstractions/base>

2
apparmor.d/profiles-a-f/cups-backend-brf
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/cups-brf
@{exec_path} = @{lib}/cups/backend/cups-brf
profile cups-backend-brf @{exec_path} {
include <abstractions/base>

2
apparmor.d/profiles-a-f/cups-backend-dnssd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/dnssd
@{exec_path} = @{lib}/cups/backend/dnssd
profile cups-backend-dnssd @{exec_path} {
include <abstractions/base>

2
apparmor.d/profiles-a-f/cups-backend-implicitclass
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/implicitclass
@{exec_path} = @{lib}/cups/backend/implicitclass
profile cups-backend-implicitclass @{exec_path} {
include <abstractions/base>

2
apparmor.d/profiles-a-f/cups-backend-ipp
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/ipp
@{exec_path} = @{lib}/cups/backend/ipp
profile cups-backend-ipp @{exec_path} {
include <abstractions/base>

2
apparmor.d/profiles-a-f/cups-backend-lpd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/lpd
@{exec_path} = @{lib}/cups/backend/lpd
profile cups-backend-lpd @{exec_path} {
include <abstractions/base>

2
apparmor.d/profiles-a-f/cups-backend-parallel
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/parallel
@{exec_path} = @{lib}/cups/backend/parallel
profile cups-backend-parallel @{exec_path} {
include <abstractions/base>

12
apparmor.d/profiles-a-f/cups-backend-pdf
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/cups-pdf
@{exec_path} = @{lib}/cups/backend/cups-pdf
profile cups-backend-pdf @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
@ -22,11 +22,11 @@ profile cups-backend-pdf @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/gs rix,
/{usr/,}bin/gsc rix,
/{usr/,}lib/ghostscript/** mr,
@{bin}/{,ba,da}sh rix,
@{bin}/cp rix,
@{bin}/gs rix,
@{bin}/gsc rix,
@{lib}/ghostscript/** mr,
/usr/share/ghostscript/{,**} r,

2
apparmor.d/profiles-a-f/cups-backend-serial
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/serial
@{exec_path} = @{lib}/cups/backend/serial
profile cups-backend-serial @{exec_path} {
include <abstractions/base>

2
apparmor.d/profiles-a-f/cups-backend-snmp
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/snmp
@{exec_path} = @{lib}/cups/backend/snmp
profile cups-backend-snmp @{exec_path} {
include <abstractions/base>

2
apparmor.d/profiles-a-f/cups-backend-socket
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/socket
@{exec_path} = @{lib}/cups/backend/socket
profile cups-backend-socket @{exec_path} {
include <abstractions/base>

2
apparmor.d/profiles-a-f/cups-backend-usb
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/usb
@{exec_path} = @{lib}/cups/backend/usb
profile cups-backend-usb @{exec_path} {
include <abstractions/base>
include <abstractions/devices-usb>

2
apparmor.d/profiles-a-f/cups-browsed
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/cups-browsed
@{exec_path} = @{bin}/cups-browsed
profile cups-browsed @{exec_path} {
include <abstractions/base>
include <abstractions/cups-client>

4
apparmor.d/profiles-a-f/cups-pk-helper-mechanism
View file

@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/{,cups-pk-helper/}cups-pk-helper-mechanism
@{exec_path} += /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism
@{exec_path} = @{lib}/{,cups-pk-helper/}cups-pk-helper-mechanism
@{exec_path} += @{lib}/@{multiarch}/cups-pk-helper-mechanism
profile cups-pk-helper-mechanism @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-strict>

48
apparmor.d/profiles-a-f/cupsd
View file

@ -4,7 +4,7 @@
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/cupsd
@{exec_path} = @{bin}/cupsd
profile cupsd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/authentication>
@ -46,29 +46,29 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/gsc rix,
/{usr/,}bin/hostname rix,
/{usr/,}bin/ippfind rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/printenv rix,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/smbspool rPx,
/{usr/,}bin/touch rix,
/{usr/,}bin/xz rix,
/{usr/,}lib/cups/backend/* rPx,
/{usr/,}lib/cups/cgi-bin/*.cgi rix,
/{usr/,}lib/cups/daemon/* rix,
/{usr/,}lib/cups/driver/* rix,
/{usr/,}lib/cups/filter/* rix,
/{usr/,}lib/cups/monitor/* rix,
/{usr/,}lib/cups/notifier/* rix,
@{bin}/{,ba,da}sh rix,
@{bin}/cat rix,
@{bin}/chmod rix,
@{bin}/cp rix,
@{bin}/grep rix,
@{bin}/gsc rix,
@{bin}/hostname rix,
@{bin}/ippfind rix,
@{bin}/mktemp rix,
@{bin}/printenv rix,
@{bin}/python3.[0-9]* rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/smbspool rPx,
@{bin}/touch rix,
@{bin}/xz rix,
@{lib}/cups/backend/* rPx,
@{lib}/cups/cgi-bin/*.cgi rix,
@{lib}/cups/daemon/* rix,
@{lib}/cups/driver/* rix,
@{lib}/cups/filter/* rix,
@{lib}/cups/monitor/* rix,
@{lib}/cups/notifier/* rix,
/usr/share/cups/{,**} r,
/usr/share/ppd/{,**} r,

2
apparmor.d/profiles-a-f/curl
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/curl
@{exec_path} = @{bin}/curl
profile curl @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/profiles-a-f/czkawka-cli
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/czkawka_cli
@{exec_path} = @{bin}/czkawka_cli
profile czkawka-cli @{exec_path} {
include <abstractions/base>

22
apparmor.d/profiles-a-f/czkawka-gui
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/czkawka_gui
@{exec_path} = @{bin}/czkawka_gui
profile czkawka-gui @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
@ -17,7 +17,7 @@ profile czkawka-gui @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/xdg-open rCx -> open,
# Dirs to scan for duplicates
#owner @{HOME}/** rw,
@ -41,22 +41,22 @@ profile czkawka-gui @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
#/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/geany rPx,
/{usr/,}bin/viewnior rPUx,
#@{lib}/firefox/firefox rPx,
@{bin}/smplayer rPx,
@{bin}/geany rPx,
@{bin}/viewnior rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,

8
apparmor.d/profiles-a-f/ddclient
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/ddclient
@{exec_path} = @{bin}/ddclient
profile ddclient @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
@ -15,10 +15,10 @@ profile ddclient @{exec_path} {
include <abstractions/ssl_certs>
@{exec_path} r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/logger rix,
@{bin}/{,ba,da}sh rix,
@{bin}/logger rix,
/etc/ddclient.conf r,

Some files were not shown because too many files have changed in this diff Show more