mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-18 00:48:10 +01:00
Profiles update.
This commit is contained in:
Alexandre Pujol
parent
16dddf16dc
commit
44aca3ba51
24 changed files with 88 additions and 65 deletions
|
|
@ -11,6 +11,3 @@
|
||||||
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]}/**.{egg,py,pth} r,
|
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]}/**.{egg,py,pth} r,
|
||||||
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/ r,
|
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/ r,
|
||||||
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/**/ r,
|
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/**/ r,
|
||||||
|
|
||||||
# Silencer
|
|
||||||
/{usr/,}lib/python{2.[4-7],3,3.[0-9]}/** w,
|
|
||||||
|
|
|
||||||
|
|
@ -25,8 +25,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/gtk>
|
include <abstractions/gtk>
|
||||||
include <abstractions/mesa>
|
include <abstractions/mesa>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/nvidia>
|
|
||||||
include <abstractions/opencl-intel>
|
include <abstractions/opencl-intel>
|
||||||
|
include <abstractions/opencl-nvidia>
|
||||||
include <abstractions/ssl_certs>
|
include <abstractions/ssl_certs>
|
||||||
include <abstractions/thumbnails-cache-read>
|
include <abstractions/thumbnails-cache-read>
|
||||||
include <abstractions/user-download-strict>
|
include <abstractions/user-download-strict>
|
||||||
|
|
@ -138,6 +138,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
owner @{PROC}/@{pid}/cgroup r,
|
owner @{PROC}/@{pid}/cgroup r,
|
||||||
|
owner @{PROC}/@{pid}/comm r,
|
||||||
deny owner @{PROC}/@{pid}/stat r,
|
deny owner @{PROC}/@{pid}/stat r,
|
||||||
deny owner @{PROC}/@{pids}/cmdline r,
|
deny owner @{PROC}/@{pids}/cmdline r,
|
||||||
deny owner @{PROC}/@{pids}/environ r,
|
deny owner @{PROC}/@{pids}/environ r,
|
||||||
|
|
|
||||||
|
|
@ -13,6 +13,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/dri-enumerate>
|
include <abstractions/dri-enumerate>
|
||||||
include <abstractions/mesa>
|
include <abstractions/mesa>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/opencl-nvidia>
|
||||||
|
include <abstractions/vulkan>
|
||||||
|
|
||||||
signal (receive) set=(term hup) peer=gdm*,
|
signal (receive) set=(term hup) peer=gdm*,
|
||||||
signal (receive) set=(term hup) peer=gnome-shell,
|
signal (receive) set=(term hup) peer=gnome-shell,
|
||||||
|
|
@ -22,20 +24,19 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
|
||||||
/{usr/,}bin/{,ba,da}sh rix,
|
/{usr/,}bin/{,ba,da}sh rix,
|
||||||
/{usr/,}bin/xkbcomp rPx,
|
/{usr/,}bin/xkbcomp rPx,
|
||||||
|
|
||||||
/usr/share/glvnd/egl_vendor.d/{,*.json} r,
|
/usr/share/egl/{,**} r,
|
||||||
/usr/share/X11/xkb/rules/evdev r,
|
/usr/share/X11/xkb/rules/evdev r,
|
||||||
|
|
||||||
# TMP files
|
|
||||||
owner /tmp/server-[0-9]*.xkm rwk,
|
owner /tmp/server-[0-9]*.xkm rwk,
|
||||||
|
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
|
||||||
|
|
||||||
|
@{sys}/bus/pci/devices/ r,
|
||||||
|
|
||||||
|
owner @{PROC}/@{pids}/cmdline r,
|
||||||
|
owner @{PROC}/@{pids}/comm r,
|
||||||
|
|
||||||
# Display Xserver on a specific TTY
|
|
||||||
/dev/tty[0-9]* rw,
|
/dev/tty[0-9]* rw,
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
|
|
||||||
# Needed for Mutter
|
|
||||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
|
|
||||||
|
|
||||||
owner @{PROC}/@{pids}/cmdline r,
|
|
||||||
|
|
||||||
include if exists <local/xwayland>
|
include if exists <local/xwayland>
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
||||||
@{exec_path} = /{usr/,}lib/evolution-data-server/evolution-alarm-notify
|
@{exec_path} = /{usr/,}lib/evolution-data-server/evolution-alarm-notify
|
||||||
profile evolution-alarm-notify @{exec_path} {
|
profile evolution-alarm-notify @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/gnome>
|
include <abstractions/gnome>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
|
|
|
||||||
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = /{usr/,}bin/gdm
|
@{exec_path} = /{usr/,}bin/gdm
|
||||||
profile gdm @{exec_path} {
|
profile gdm @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/wutmp>
|
include <abstractions/wutmp>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
@ -36,6 +36,7 @@ profile gdm @{exec_path} {
|
||||||
/var/{lib,log}/gdm/ rw,
|
/var/{lib,log}/gdm/ rw,
|
||||||
|
|
||||||
@{run}/gdm/ rw,
|
@{run}/gdm/ rw,
|
||||||
|
@{run}/gdm/custom.conf r,
|
||||||
@{run}/gdm/gdm.pid rw,
|
@{run}/gdm/gdm.pid rw,
|
||||||
@{run}/gdm/greeter/ rw,
|
@{run}/gdm/greeter/ rw,
|
||||||
@{run}/systemd/seats/seat[0-9]* r,
|
@{run}/systemd/seats/seat[0-9]* r,
|
||||||
|
|
|
||||||
|
|
@ -55,6 +55,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
||||||
/usr/share/wayland-sessions/*.desktop r,
|
/usr/share/wayland-sessions/*.desktop r,
|
||||||
|
|
||||||
@{run}/faillock/[a-zA-z0-9]* rwk,
|
@{run}/faillock/[a-zA-z0-9]* rwk,
|
||||||
|
@{run}/gdm/custom.conf r,
|
||||||
@{run}/systemd/sessions/[0-9]*.ref rw,
|
@{run}/systemd/sessions/[0-9]*.ref rw,
|
||||||
@{run}/systemd/users/@{uid} r,
|
@{run}/systemd/users/@{uid} r,
|
||||||
@{run}/utmp rwk,
|
@{run}/utmp rwk,
|
||||||
|
|
|
||||||
|
|
@ -39,6 +39,8 @@ profile gdm-wayland-session @{exec_path} {
|
||||||
/usr/share/gdm/gdm.schemas r,
|
/usr/share/gdm/gdm.schemas r,
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
|
|
||||||
|
@{run}/gdm/custom.conf r,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
owner @{PROC}/@{pid}/loginuid r,
|
owner @{PROC}/@{pid}/loginuid r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -20,8 +20,9 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
|
||||||
/usr/share/gdm/gdm.schemas r,
|
/usr/share/gdm/gdm.schemas r,
|
||||||
/var/lib/gdm/.cache/gdm/Xauthority rw,
|
/var/lib/gdm/.cache/gdm/Xauthority rw,
|
||||||
|
|
||||||
@{run}/user/@{uid}/gdm/ w,
|
owner @{run}/user/@{uid}/gdm/ w,
|
||||||
@{run}/user/@{uid}/gdm/Xauthority rw,
|
owner @{run}/user/@{uid}/gdm/Xauthority rw,
|
||||||
|
@{run}/gdm/custom.conf r,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -27,6 +27,7 @@ profile gdm-xsession @{exec_path} {
|
||||||
/{usr/,}bin/systemctl rPx -> child-systemctl,
|
/{usr/,}bin/systemctl rPx -> child-systemctl,
|
||||||
/{usr/,}bin/xhost rPx,
|
/{usr/,}bin/xhost rPx,
|
||||||
/{usr/,}lib/gnome-session-binary rPx,
|
/{usr/,}lib/gnome-session-binary rPx,
|
||||||
|
/{usr/,}bin/flatpak rPUx,
|
||||||
|
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
/etc/X11/{,**} r,
|
/etc/X11/{,**} r,
|
||||||
|
|
|
||||||
|
|
@ -15,6 +15,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/gnome>
|
include <abstractions/gnome>
|
||||||
include <abstractions/gstreamer>
|
include <abstractions/gstreamer>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/opencl-nvidia>
|
||||||
include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
include <abstractions/p11-kit>
|
include <abstractions/p11-kit>
|
||||||
include <abstractions/ssl_certs>
|
include <abstractions/ssl_certs>
|
||||||
|
|
@ -98,6 +99,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/cgroup r,
|
owner @{PROC}/@{pid}/cgroup r,
|
||||||
owner @{PROC}/@{pid}/cmdline r,
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
|
owner @{PROC}/@{pid}/comm r,
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
owner @{PROC}/@{pid}/mountinfo r,
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
owner @{PROC}/@{pid}/stat r,
|
owner @{PROC}/@{pid}/stat r,
|
||||||
|
|
|
||||||
|
|
@ -11,8 +11,9 @@ profile gnome-control-center-print-renderer @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/dri-common>
|
include <abstractions/dri-common>
|
||||||
include <abstractions/dri-enumerate>
|
include <abstractions/dri-enumerate>
|
||||||
include <abstractions/gtk>
|
|
||||||
include <abstractions/fonts>
|
include <abstractions/fonts>
|
||||||
|
include <abstractions/gtk>
|
||||||
|
include <abstractions/opencl-nvidia>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
|
@ -32,6 +33,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
|
||||||
owner @{run}/user/@{uid}/dconf/user rw,
|
owner @{run}/user/@{uid}/dconf/user rw,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/cmdline r,
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
|
owner @{PROC}/@{pid}/comm r,
|
||||||
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
|
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
|
||||||
|
|
||||||
include if exists <local/gnome-control-center-print-renderer>
|
include if exists <local/gnome-control-center-print-renderer>
|
||||||
|
|
|
||||||
|
|
@ -16,8 +16,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/gnome>
|
include <abstractions/gnome>
|
||||||
include <abstractions/mesa>
|
include <abstractions/mesa>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/opencl-nvidia>
|
||||||
include <abstractions/p11-kit>
|
include <abstractions/p11-kit>
|
||||||
include <abstractions/ssl_certs>
|
include <abstractions/ssl_certs>
|
||||||
|
include <abstractions/thumbnails-cache-read>
|
||||||
|
|
||||||
capability sys_nice,
|
capability sys_nice,
|
||||||
capability sys_ptrace,
|
capability sys_ptrace,
|
||||||
|
|
@ -41,6 +43,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
/usr/share/backgrounds/{,**} r,
|
/usr/share/backgrounds/{,**} r,
|
||||||
/usr/share/desktop-directories/{,*.directory} r,
|
/usr/share/desktop-directories/{,*.directory} r,
|
||||||
|
/usr/share/egl/{,**} r,
|
||||||
/usr/share/gdm/greeter-dconf-defaults r,
|
/usr/share/gdm/greeter-dconf-defaults r,
|
||||||
/usr/share/gdm/greeter/applications/{,**} r,
|
/usr/share/gdm/greeter/applications/{,**} r,
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
|
|
@ -65,8 +68,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||||
/var/lib/gdm/.local/share/gnome-shell/ rw,
|
/var/lib/gdm/.local/share/gnome-shell/ rw,
|
||||||
/var/lib/gdm/.local/share/applications/{,**} r,
|
/var/lib/gdm/.local/share/applications/{,**} r,
|
||||||
|
|
||||||
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
|
||||||
owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
|
owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
|
||||||
|
owner @{HOME}/@{XDG_MUSIC_DIR}/**/*.jpg r,
|
||||||
|
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
||||||
|
|
||||||
owner @{user_config_dirs}/.goutputstream{,*} rw,
|
owner @{user_config_dirs}/.goutputstream{,*} rw,
|
||||||
owner @{user_config_dirs}/ibus/* r,
|
owner @{user_config_dirs}/ibus/* r,
|
||||||
|
|
@ -139,11 +143,12 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||||
@{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
|
@{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
|
||||||
@{sys}/devices/pci[0-9]*/**/drm/ r,
|
@{sys}/devices/pci[0-9]*/**/drm/ r,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
|
||||||
owner @{PROC}/@{pid}/cgroup r,
|
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
|
||||||
owner @{PROC}/@{pid}/mountinfo r,
|
|
||||||
owner @{PROC}/@{pid}/attr/current r,
|
owner @{PROC}/@{pid}/attr/current r,
|
||||||
|
owner @{PROC}/@{pid}/cgroup r,
|
||||||
|
owner @{PROC}/@{pid}/comm r,
|
||||||
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
@{PROC}/@{pid}/stat r,
|
@{PROC}/@{pid}/stat r,
|
||||||
@{PROC}/@{pid}/task/@{tid}/stat r,
|
@{PROC}/@{pid}/task/@{tid}/stat r,
|
||||||
@{PROC}/@{pid}/net/* r,
|
@{PROC}/@{pid}/net/* r,
|
||||||
|
|
|
||||||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
||||||
profile gsd-color @{exec_path} flags=(attach_disconnected) {
|
profile gsd-color @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/fonts>
|
include <abstractions/fonts>
|
||||||
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/gtk>
|
include <abstractions/gtk>
|
||||||
|
|
||||||
signal (receive) set=(term, hup) peer=gdm*,
|
signal (receive) set=(term, hup) peer=gdm*,
|
||||||
|
|
|
||||||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
||||||
profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
|
profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/fonts>
|
include <abstractions/fonts>
|
||||||
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/gtk>
|
include <abstractions/gtk>
|
||||||
|
|
||||||
signal (receive) set=(term, hup) peer=gdm*,
|
signal (receive) set=(term, hup) peer=gdm*,
|
||||||
|
|
|
||||||
|
|
@ -21,6 +21,7 @@ profile pacman @{exec_path} {
|
||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
capability fowner,
|
capability fowner,
|
||||||
capability fsetid,
|
capability fsetid,
|
||||||
|
capability mknod,
|
||||||
capability net_admin,
|
capability net_admin,
|
||||||
capability setfcap,
|
capability setfcap,
|
||||||
capability setgid,
|
capability setgid,
|
||||||
|
|
@ -98,7 +99,8 @@ profile pacman @{exec_path} {
|
||||||
|
|
||||||
owner /var/lib/pacman/{,**} rwl,
|
owner /var/lib/pacman/{,**} rwl,
|
||||||
owner /tmp/alpm_*/{,**} rw,
|
owner /tmp/alpm_*/{,**} rw,
|
||||||
owner /tmp/checkup-db-[0-9]*/sync/*.db.part rw,
|
owner /tmp/checkup-db-[0-9]*/sync/{,*.db.part} rw,
|
||||||
|
owner /tmp/checkup-db-[0-9]*/db.lck rw,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
owner @{PROC}/@{pid}/stat r,
|
owner @{PROC}/@{pid}/stat r,
|
||||||
|
|
|
||||||
|
|
@ -11,14 +11,16 @@ profile pacman-hook-dkms @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
|
||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
|
capability mknod,
|
||||||
|
|
||||||
unix (receive) type=stream,
|
unix (receive) type=stream,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/{usr/,}bin/bash rix,
|
/{usr/,}bin/bash rix,
|
||||||
/{usr/,}bin/kmod rPx,
|
|
||||||
/{usr/,}bin/dkms rPx,
|
/{usr/,}bin/dkms rPx,
|
||||||
|
/{usr/,}bin/kmod rPx,
|
||||||
|
/{usr/,}bin/nproc rix,
|
||||||
|
|
||||||
/usr/src/ r,
|
/usr/src/ r,
|
||||||
/usr/src/**.conf r,
|
/usr/src/**.conf r,
|
||||||
|
|
|
||||||
|
|
@ -12,6 +12,8 @@ profile bootctl @{exec_path} {
|
||||||
include <abstractions/systemd-common>
|
include <abstractions/systemd-common>
|
||||||
include <abstractions/disks-read>
|
include <abstractions/disks-read>
|
||||||
|
|
||||||
|
capability mknod,
|
||||||
|
|
||||||
signal (send) peer=child-pager,
|
signal (send) peer=child-pager,
|
||||||
|
|
||||||
ptrace (read) peer=unconfined,
|
ptrace (read) peer=unconfined,
|
||||||
|
|
|
||||||
|
|
@ -12,14 +12,23 @@ profile systemd-sleep @{exec_path} {
|
||||||
include <abstractions/systemd-common>
|
include <abstractions/systemd-common>
|
||||||
|
|
||||||
capability net_admin,
|
capability net_admin,
|
||||||
|
capability sys_admin,
|
||||||
capability sys_resource,
|
capability sys_resource,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
/{usr/,}bin/{,ba,da}sh rix,
|
||||||
|
/{usr/,}bin/nvidia-sleep.sh rix,
|
||||||
|
/{usr/,}lib/systemd/system-sleep/nvidia rix,
|
||||||
|
|
||||||
/etc/systemd/sleep.conf r,
|
/etc/systemd/sleep.conf r,
|
||||||
/etc/systemd/sleep.conf.d/{,*} r,
|
/etc/systemd/sleep.conf.d/{,*} r,
|
||||||
|
|
||||||
@{sys}/power/state rw,
|
@{sys}/power/state rw,
|
||||||
|
|
||||||
|
@{PROC}/driver/nvidia/suspend w,
|
||||||
|
|
||||||
|
/dev/tty rw,
|
||||||
|
|
||||||
include if exists <local/systemd-sleep>
|
include if exists <local/systemd-sleep>
|
||||||
}
|
}
|
||||||
|
|
@ -1,6 +1,6 @@
|
||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||||
# 2021 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
@ -92,6 +92,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
|
||||||
owner @{PROC}/@{pid}/oom_score_adj rw,
|
owner @{PROC}/@{pid}/oom_score_adj rw,
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
@{PROC}/@{pids}/cgroup r,
|
@{PROC}/@{pids}/cgroup r,
|
||||||
|
@{PROC}/devices r,
|
||||||
@{PROC}/sys/kernel/random/boot_id r,
|
@{PROC}/sys/kernel/random/boot_id r,
|
||||||
|
|
||||||
# file_inherit
|
# file_inherit
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,6 @@
|
||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||||
|
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
@ -12,6 +13,9 @@ profile dig @{exec_path} {
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
|
|
||||||
|
capability dac_override,
|
||||||
|
capability dac_read_search,
|
||||||
|
|
||||||
network inet dgram,
|
network inet dgram,
|
||||||
network inet6 dgram,
|
network inet6 dgram,
|
||||||
network inet stream,
|
network inet stream,
|
||||||
|
|
|
||||||
|
|
@ -1,23 +1,18 @@
|
||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||||
|
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
# When "ip netns" is issued, the following error will be printed:
|
|
||||||
# "Failed name lookup - disconnected path" error=-13 profile="ip" name="".
|
|
||||||
@{exec_path} = /{usr/,}bin/ip
|
@{exec_path} = /{usr/,}bin/ip
|
||||||
profile ip @{exec_path} flags=(attach_disconnected) {
|
profile ip @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
|
||||||
# To be able to manage network interfaces.
|
|
||||||
capability net_admin,
|
capability net_admin,
|
||||||
|
capability sys_module,
|
||||||
# Needed?
|
|
||||||
#capability sys_admin,
|
|
||||||
audit deny capability sys_module,
|
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -22,6 +22,8 @@ profile pass-import @{exec_path} {
|
||||||
/{usr/,}bin/python3.[0-9]* rix,
|
/{usr/,}bin/python3.[0-9]* rix,
|
||||||
/{usr/,}lib/gcc/**/collect2 rix,
|
/{usr/,}lib/gcc/**/collect2 rix,
|
||||||
|
|
||||||
|
/{usr/,}lib/python{2.[4-7],3,3.[0-9]}/** w,
|
||||||
|
|
||||||
/usr/share/file/misc/magic.mgc r,
|
/usr/share/file/misc/magic.mgc r,
|
||||||
|
|
||||||
owner @{HOME}/.password-store/{,**} rw,
|
owner @{HOME}/.password-store/{,**} rw,
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,6 @@
|
||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Copyright (C) 2018-2021 Mikhail Morfikov
|
# Copyright (C) 2018-2021 Mikhail Morfikov
|
||||||
|
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
@ -10,22 +11,16 @@ include <tunables/global>
|
||||||
@{exec_path} += @{libexec}/udisks2/udisksd
|
@{exec_path} += @{libexec}/udisks2/udisksd
|
||||||
profile udisksd @{exec_path} flags=(attach_disconnected) {
|
profile udisksd @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/nameservice-strict>
|
|
||||||
include <abstractions/disks-write>
|
include <abstractions/disks-write>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
# To remove the following errors:
|
|
||||||
# udisksd[]: Error probing device: Error sending ATA command IDENTIFY DEVICE to '/dev/sda':
|
|
||||||
# SGIO v3 ioctl failed (v4 not supported): Operation not permitted (g-io-error-quark, 14)
|
|
||||||
capability sys_rawio,
|
|
||||||
|
|
||||||
# To allow users to mount volumes
|
|
||||||
# Error mounting /dev/sd*: GDBus.Error:org.freedesktop.UDisks2.Error.Failed:
|
|
||||||
# Error mounting /dev/sd* at /media/*/*: Operation not permitted.
|
|
||||||
capability sys_admin,
|
|
||||||
|
|
||||||
capability chown,
|
capability chown,
|
||||||
capability dac_read_search,
|
|
||||||
capability dac_override,
|
capability dac_override,
|
||||||
|
capability dac_read_search,
|
||||||
|
capability sys_admin,
|
||||||
|
capability sys_rawio,
|
||||||
|
capability setuid,
|
||||||
|
capability setgid,
|
||||||
|
|
||||||
# Needed?
|
# Needed?
|
||||||
deny capability sys_nice,
|
deny capability sys_nice,
|
||||||
|
|
@ -37,28 +32,27 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
|
||||||
/{usr/,}bin/{,ba,da}sh rix,
|
/{usr/,}bin/{,ba,da}sh rix,
|
||||||
/{usr/,}bin/umount rix,
|
/{usr/,}bin/umount rix,
|
||||||
|
|
||||||
/{usr/,}bin/eject rPx,
|
|
||||||
/{usr/,}{s,}bin/dumpe2fs rPx,
|
|
||||||
/{usr/,}{s,}bin/dmidecode rPx,
|
/{usr/,}{s,}bin/dmidecode rPx,
|
||||||
|
/{usr/,}{s,}bin/dumpe2fs rPx,
|
||||||
/{usr/,}{s,}bin/lvm rPUx,
|
/{usr/,}{s,}bin/lvm rPUx,
|
||||||
|
/{usr/,}bin/eject rPx,
|
||||||
|
/{usr/,}bin/ntfs-3g rPx,
|
||||||
/{usr/,}bin/systemctl rPx -> child-systemctl,
|
/{usr/,}bin/systemctl rPx -> child-systemctl,
|
||||||
/{usr/,}bin/systemd-escape rPx,
|
/{usr/,}bin/systemd-escape rPx,
|
||||||
|
|
||||||
# Allow mounting of removable devices
|
# Allow mounting of removable devices
|
||||||
mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/*/,
|
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/*/,
|
||||||
mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/*/,
|
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/*/,
|
||||||
mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/dm-[0-9]* -> @{MOUNTS}/*/*/,
|
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/*/,
|
||||||
# Allow mounting of loop devices (ISO files)
|
# Allow mounting of loop devices (ISO files)
|
||||||
mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/loop[0-9]* -> @{MOUNTS}/*/*/,
|
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/*/,
|
||||||
mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/*/,
|
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/*/,
|
||||||
# Allow mounting of cdrom
|
# Allow mounting of cdrom
|
||||||
mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/loop[0-9]* -> /media/cdrom[0-9]/,
|
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> /media/cdrom[0-9]/,
|
||||||
mount fstype={iso9660,udf} /dev/sr[0-9]* -> /media/cdrom[0-9]/,
|
mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> /media/cdrom[0-9]/,
|
||||||
# Allow mounting od sd cards
|
# Allow mounting od sd cards
|
||||||
mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/mmcblk[0-9] -> @{MOUNTS}/*/*/,
|
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/*/,
|
||||||
mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/*/,
|
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/*/,
|
||||||
# Allow unmounting
|
# Allow unmounting
|
||||||
umount @{MOUNTS}/*/,
|
umount @{MOUNTS}/*/,
|
||||||
umount @{MOUNTS}/*/*/,
|
umount @{MOUNTS}/*/*/,
|
||||||
|
|
@ -73,11 +67,6 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
|
||||||
/etc/udisks2/ r,
|
/etc/udisks2/ r,
|
||||||
/etc/udisks2/udisks2.conf r,
|
/etc/udisks2/udisks2.conf r,
|
||||||
|
|
||||||
# For mounting NTFS disks
|
|
||||||
capability setuid,
|
|
||||||
capability setgid,
|
|
||||||
/{usr/,}bin/ntfs-3g rPx,
|
|
||||||
|
|
||||||
/etc/libblockdev/conf.d/ r,
|
/etc/libblockdev/conf.d/ r,
|
||||||
/etc/libblockdev/conf.d/[0-9][0-9]-default.cfg r,
|
/etc/libblockdev/conf.d/[0-9][0-9]-default.cfg r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -28,10 +28,10 @@ profile xdg-icon-resource @{exec_path} flags=(complain) {
|
||||||
|
|
||||||
/{usr/,}bin/gtk-update-icon-cache rPx,
|
/{usr/,}bin/gtk-update-icon-cache rPx,
|
||||||
|
|
||||||
|
/usr/share/**/icons/**.png r,
|
||||||
/usr/share/icons/**.png rw,
|
/usr/share/icons/**.png rw,
|
||||||
/usr/share/icons/*/.xdg-icon-resource-dummy rw,
|
/usr/share/icons/*/.xdg-icon-resource-dummy rw,
|
||||||
|
/usr/share/terminfo/x/xterm-256color r,
|
||||||
/usr/share/**/icons/**.png r,
|
|
||||||
|
|
||||||
owner /tmp/.com.google.Chrome.*/chrome-*.png r,
|
owner /tmp/.com.google.Chrome.*/chrome-*.png r,
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue