Profile update.

This commit is contained in:
Alexandre Pujol 2021-04-23 12:40:19 +01:00
parent 749859920e
commit 49bddc0382
11 changed files with 24 additions and 18 deletions


@ -44,6 +44,7 @@
#owner @{HOME}/orcexec.* mrw, #owner @{HOME}/orcexec.* mrw,
/{usr/,}lib/frei0r-[0-9]/*.so mr, /{usr/,}lib/frei0r-[0-9]/*.so mr,
/{usr/,}lib/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
/{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix, /{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
/{usr/,}lib/@{multiarch}/libproxy/*/modules/*.so mr, /{usr/,}lib/@{multiarch}/libproxy/*/modules/*.so mr,
/{usr/,}lib/@{multiarch}/libproxy/*/pxgsettings ixr, /{usr/,}lib/@{multiarch}/libproxy/*/pxgsettings ixr,
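Review bot: The new non-multiarch rule `/{usr/,}lib/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,` runs the plugin scanner under the calling profile's confinement (`ix`) and lets it map every plugin it finds, exactly like the existing multiarch rule below it. Since this looks like a shared abstraction rather than a single profile (the commented `orcexec` rule above suggests so), a one-line comment stating why inherit execution is used instead of a dedicated child profile would help every includer understand what they are granting, e.g. `# gst-plugin-scanner inherits the caller's profile so plugin probing stays under the same confinement`. The enclosing abstraction starts and ends outside the hunk.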


@ -13,4 +13,4 @@
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/**/ r, owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/**/ r,
# Silencer # Silencer
/{usr/,}lib/python3/** w, /{usr/,}lib/python{2.[4-7],3,3.[0-9]}/** w,
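Review bot: The rule under `# Silencer` is an allow rule, `/{usr/,}lib/python{2.[4-7],3,3.[0-9]}/** w,`, so as shown it grants write access to the whole system Python tree to every profile that includes this abstraction rather than silencing anything; the commit only widens its glob from `python3` to `python{2.[4-7],3,3.[0-9]}`. If the intent is to quiet audit noise from interpreters probing for bytecode writes, the matching form is `deny /{usr/,}lib/python{2.[4-7],3,3.[0-9]}/** w,`, which both refuses the write and suppresses the log entry. If the `deny` keyword was lost by the page rendering this does not apply. The surrounding abstraction starts outside the hunk.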


@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-2.0-only
owner @{HOME}/@{XDG_DOCUMENTS_DIR}/{,**} r, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/{,**} r,
owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} r, owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} r,
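Review bot: The SPDX identifier in the header changes from `GPL-3.0-or-later` to `GPL-2.0-only` while the commit message says only "Profile update."; relicensing a file deserves an explicit mention in the message, and a confirmation that the 2021 copyright holder named on the line above is the file's only contributor. The rest of the file is outside the hunk.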


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/blueman-* @{exec_path} = /{usr/,}bin/blueman-*
profile blueman @{exec_path} { profile blueman @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/python> include <abstractions/python>
include <abstractions/fonts> include <abstractions/fonts>
@ -78,6 +78,9 @@ profile blueman @{exec_path} {
@{run}/user/1000/gdm/Xauthority r, @{run}/user/1000/gdm/Xauthority r,
# file_inherit
/dev/dri/card[0-9]* rw,
profile open { profile open {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
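Review bot: The new `/dev/dri/card[0-9]* rw,` placed under `# file_inherit` grants the blueman profile read/write on DRM devices, while the comment suggests the descriptor is merely inherited from the launcher; if blueman never uses it itself, `deny /dev/dri/card[0-9]* rw,` would silence the inherit denial without adding device access. The first hunk also adds `flags=(attach_disconnected)` to the profile header with no comment saying which disconnected path prompted it; a short `# attach_disconnected: <reason>` next to the header would keep that widening auditable. The context line `@{run}/user/1000/gdm/Xauthority r,` still hardcodes uid 1000 even though this same commit moves `@{user_tmp_dirs}` to `@{uid}`; `@{run}/user/@{uid}/gdm/Xauthority r,` would be consistent. The profile body continues outside both hunks.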


@ -13,6 +13,7 @@ profile blueman-mechanism @{exec_path} {
include <abstractions/python> include <abstractions/python>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability mknod,
capability net_admin, capability net_admin,
deny capability sys_nice, deny capability sys_nice,
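Review bot: `capability mknod,` is added with no comment explaining what blueman-mechanism creates, so unlike the `deny capability sys_nice,` two lines below a reader cannot tell whether this is a confirmed need or a silenced denial. Capability rules cannot be narrowed by path, so the justification belongs in a comment, e.g. `# mknod: <device node it creates> — TODO confirm`; if the denial came from a code path that does not need to succeed, `deny capability mknod,` keeps the profile tight. The profile body continues outside the hunk.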


@ -9,6 +9,8 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/Xwayland @{exec_path} = /{usr/,}bin/Xwayland
profile xwayland @{exec_path} flags=(attach_disconnected) { profile xwayland @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -19,13 +21,9 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/xkbcomp rPx, /{usr/,}bin/xkbcomp rPx,
/usr/share/drirc.d/{,*} r,
/usr/share/glvnd/egl_vendor.d/{,*.json} r, /usr/share/glvnd/egl_vendor.d/{,*.json} r,
/usr/share/X11/xkb/rules/evdev r, /usr/share/X11/xkb/rules/evdev r,
/dev/dri/card[0-9]* rw,
/dev/dri/renderD[0-9]* rw,
# TMP files # TMP files
owner /tmp/server-[0-9]*.xkm rwk, owner /tmp/server-[0-9]*.xkm rwk,
@ -36,12 +34,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
# Needed for Mutter # Needed for Mutter
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
@{sys}/devices/pci[0-9]*/**/uevent r,
@{sys}/devices/pci[0-9]*/**/vendor r,
@{sys}/devices/pci[0-9]*/**/device r,
@{sys}/devices/pci[0-9]*/**/subsystem_vendor r,
@{sys}/devices/pci[0-9]*/**/subsystem_device r,
owner @{PROC}/@{pids}/cmdline r, owner @{PROC}/@{pids}/cmdline r,
include if exists <local/xwayland> include if exists <local/xwayland>
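Review bot: The second hunk drops the explicit `/dev/dri/card[0-9]* rw,` and `/dev/dri/renderD[0-9]* rw,` rules, presumably relying on the `<abstractions/dri-common>` include added in the first hunk; if that is the upstream abstraction, it covers the whole `/dev/dri/` tree, so the profile's device access becomes whatever the abstraction grants rather than the two narrower globs. That is likely intended, but a comment such as `# /dev/dri and drirc.d access come from abstractions/dri-common` on the include line would stop a future reader from re-adding the explicit rules. The same applies to the `@{sys}/devices/pci[0-9]*/**` reads removed in the third hunk, which appear to be covered by `<abstractions/dri-enumerate>`. The profile body continues between and outside the hunks.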


@ -17,5 +17,8 @@ profile glib-pacrunner @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
include if exists <local/glib-pacrunner> include if exists <local/glib-pacrunner>
} }


@ -25,6 +25,8 @@ profile gio-launch-desktop @{exec_path} {
# User files # User files
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,


@ -18,6 +18,9 @@ profile child-pager {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
capability dac_override,
capability dac_read_search,
signal (receive) set=(stop, cont, term, kill), signal (receive) set=(stop, cont, term, kill),
/{usr/,}bin/ r, /{usr/,}bin/ r,
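Review bot: `capability dac_override,` and `capability dac_read_search,` are granted to the shared `child-pager` profile; for a process that only displays text, `dac_override` also bypasses write-permission checks, so the read-only bypass `dac_read_search` alone is normally enough if the need is reading root-only files when the parent runs as root. Either way a comment above the two rules should name which parent invocation produced the denial, e.g. `# needed when <tool> pages root-only files — TODO confirm`, since the grant reaches every profile that transitions into this child profile. The profile continues outside the hunk.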


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov # Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -63,16 +64,16 @@ profile virt-manager @{exec_path} {
# User VM images # User VM images
owner @{user_share_dirs}/libvirt/{,**} rw, owner @{user_share_dirs}/libvirt/{,**} rw,
owner @{HOME}/@{XDG_VM_DIR}/{,**} rw, owner @{HOME}/@{XDG_VM_DIR}/{,**} rw,
owner @{MOUNTS}/*/@{XDG_VM_DIR}/{,**} rw,
#owner /media/*/VM/ r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/osinfo/{,**} r, /usr/share/osinfo/{,**} r,
/usr/share/gtksourceview-4/{,**} r, /usr/share/gtksourceview-4/{,**} r,
/usr/share/misc/pci.ids r, /usr/share/hwdata/*.ids r,
/var/lib/usbutils/usb.ids r, /usr/share/misc/*.ids r,
/var/lib/usbutils/*.ids r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,


@ -49,4 +49,4 @@
# User build directories and output # User build directories and output
@{user_build_dirs}="/tmp/build" @{user_build_dirs}="/tmp/build"
@{user_pkg_dirs}="/tmp/pkg/" @{user_pkg_dirs}="/tmp/pkg/"
@{user_tmp_dirs}="/run/user/1000" "/tmp" @{user_tmp_dirs}="/run/user/@{uid}" "/tmp"
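Review bot: `@{user_tmp_dirs}="/run/user/@{uid}" "/tmp"` now depends on `@{uid}` being defined by the time this tunables file is parsed; the page does not show where `@{uid}` is declared, so confirm it is set earlier in the tunables chain, otherwise the parser rejects the definition. A short comment above the line, `# @{uid} must be defined before this file is parsed`, would make that ordering requirement explicit. The rest of the tunables file is outside the hunk.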