mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-29 22:35:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Use @{uid} instead of [0-9]* when it denotes the user id.

Browse source
This commit is contained in:
Alexandre Pujol 2021-04-18 19:00:15 +01:00
parent cd4ad5b09c
commit 4a35b7d804
Failed to generate hash of commit
137 changed files with 253 additions and 253 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/abstractions/deny-dconf
View file

@ -9,7 +9,7 @@
# When this is blocked, expect lots of the following errors:
# dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied.
# dconf will not work properly.
deny owner @{run}/user/[0-9]*/dconf/{,**} rw,
deny owner @{run}/user/@{uid}/dconf/{,**} rw,
deny owner @{user_config_dirs}/dconf/{,**} rw,
deny owner @{user_cache_dirs}/dconf/{,**} rw,

2
apparmor.d/abstractions/gstreamer
View file

@ -39,7 +39,7 @@
# If one is blocked the next is used instead.
# The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec
# flag.
owner @{run}/user/[0-9]*/orcexec.* mrw,
owner @{run}/user/@{uid}/orcexec.* mrw,
#owner /tmp/orcexec.* mrw,
#owner @{HOME}/orcexec.* mrw,

4
apparmor.d/abstractions/kde5-plasma5
View file

@ -21,8 +21,8 @@
# includes this abstraction)
#owner @{user_config_dirs}/#[0-9]*[0-9] rwk,
#owner @{user_config_dirs}/@{KDE_APP_NAME}rc* rwlk -> @{user_config_dirs}/#[0-9]*[0-9],
#owner @{run}/user/[0-9]*/#[0-9]*[0-9] rw,
#owner @{run}/user/[0-9]*/@{KDE_APP_NAME}*.slave-socket rwl -> @{run}/user/[0-9]*/#[0-9]*[0-9],
#owner @{run}/user/@{uid}/#[0-9]*[0-9] rw,
#owner @{run}/user/@{uid}/@{KDE_APP_NAME}*.slave-socket rwl -> @{run}/user/@{uid}/#[0-9]*[0-9],
# Common KDE config files
#owner @{user_config_dirs}/#[0-9]*[0-9] rw,

4
apparmor.d/abstractions/trash
View file

@ -10,8 +10,8 @@
owner @{user_config_dirs}/#[0-9]*[0-9] rwk,
owner @{user_config_dirs}/trashrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
owner @{run}/user/[0-9]*/#[0-9]*[0-9] rw,
owner @{run}/user/[0-9]*/trash.so*.[0-9].slave-socket rwl -> @{run}/user/[0-9]*/#[0-9]*[0-9],
owner @{run}/user/@{uid}/#[0-9]*[0-9] rw,
owner @{run}/user/@{uid}/trash.so*.[0-9].slave-socket rwl -> @{run}/user/@{uid}/#[0-9]*[0-9],
# Home trash location
owner @{user_share_dirs}/Trash/ rw,

4
apparmor.d/abstractions/wayland.d/complete
View file

@ -3,6 +3,6 @@
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
owner @{run}/user/[0-9]*/wayland-[0-9]* rw,
owner @{run}/user/[0-9]*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{run}/user/@{uid}/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,
owner /dev/shm/wlroots-* rw,

2
apparmor.d/groups/apps/android-studio
View file

@ -278,7 +278,7 @@ profile android-studio @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}bin/spacefm rPx,

2
apparmor.d/groups/apps/atom
View file

@ -191,7 +191,7 @@ profile atom @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,

2
apparmor.d/groups/apps/calibre
View file

@ -172,7 +172,7 @@ profile calibre @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,

4
apparmor.d/groups/apps/code
View file

@ -125,8 +125,8 @@ profile code @{exec_path} {
owner "/tmp/VSCode Crashes/" rw,
owner /tmp/vscode-typescript[0-9]*/ rw,
owner @{run}/user/[0-9]*/vscode-[0-9a-f]*-*-{shared,main}.sock rw,
owner @{run}/user/[0-9]*/vscode-git-askpass-[0-9a-f]*.sock rw,
owner @{run}/user/@{uid}/vscode-[0-9a-f]*-*-{shared,main}.sock rw,
owner @{run}/user/@{uid}/vscode-git-askpass-[0-9a-f]*.sock rw,
owner /tmp/vscode-ipc-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*.sock rw,
# For installing extensions

4
apparmor.d/groups/apps/discord
View file

@ -125,7 +125,7 @@ profile discord @{exec_path} {
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
owner @{run}/user/[0-9]*/discord-ipc-[0-9] rw,
owner @{run}/user/@{uid}/discord-ipc-[0-9] rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
@ -200,7 +200,7 @@ profile discord @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,

4
apparmor.d/groups/apps/dropbox
View file

@ -110,7 +110,7 @@ profile dropbox @{exec_path} {
owner /tmp/#[0-9]*[0-9] rw,
owner /var/tmp/etilqs_* rw,
@{run}/systemd/users/[0-9]* r,
@{run}/systemd/users/@{uid} r,
deny @{sys}/module/apparmor/parameters/enabled r,
@ -135,7 +135,7 @@ profile dropbox @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,

2
apparmor.d/groups/apps/flameshot
View file

@ -84,7 +84,7 @@ profile flameshot @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open

4
apparmor.d/groups/apps/freetube
View file

@ -104,7 +104,7 @@ profile freetube @{exec_path} {
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# no new privs
/{usr/,}bin/xdg-settings rPx,
@ -131,7 +131,7 @@ profile freetube @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,

2
apparmor.d/groups/apps/okular
View file

@ -109,7 +109,7 @@ profile okular @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,

2
apparmor.d/groups/apps/telegram-desktop
View file

@ -100,7 +100,7 @@ profile telegram-desktop @{exec_path} {
owner @{TELEGRAM_WORK_DIR}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,

2
apparmor.d/groups/apps/thunderbird
View file

@ -254,7 +254,7 @@ profile thunderbird @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,

2
apparmor.d/groups/browsers/brave
View file

@ -209,7 +209,7 @@ profile brave @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open

4
apparmor.d/groups/browsers/chrome-gnome-shell
View file

@ -26,8 +26,8 @@ profile chrome-gnome-shell @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{PROC}/@{pid}/mounts r,

6
apparmor.d/groups/browsers/chromium-chromium
View file

@ -194,8 +194,8 @@ profile chromium-chromium @{exec_path} {
/etc/opensc.conf r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
profile open {
include <abstractions/base>
@ -210,7 +210,7 @@ profile chromium-chromium @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}bin/smplayer rPx,

6
apparmor.d/groups/browsers/firefox
View file

@ -201,8 +201,8 @@ profile firefox @{exec_path} {
@{user_share_dirs}/gvfs-metadata/home-*.log r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
profile open {
include <abstractions/base>
@ -219,7 +219,7 @@ profile firefox @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}bin/vlc rPx,

2
apparmor.d/groups/browsers/google-chrome-chrome
View file

@ -192,7 +192,7 @@ profile google-chrome-chrome @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open

2
apparmor.d/groups/browsers/opera
View file

@ -189,7 +189,7 @@ profile opera @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open

6
apparmor.d/groups/desktop/at-spi-bus-launcher
View file

@ -32,13 +32,13 @@ profile at-spi-bus-launcher @{exec_path} {
owner @{HOME}/.Xauthority r,
/var/lib/lightdm/.Xauthority r,
@{run}/user/[0-9]*/gdm/Xauthority r,
@{run}/user/@{uid}/gdm/Xauthority r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,

2
apparmor.d/groups/desktop/at-spi2-registryd
View file

@ -22,7 +22,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/.Xauthority r,
/var/lib/lightdm/.Xauthority r,
@{run}/user/[0-9]*/gdm/Xauthority r,
@{run}/user/@{uid}/gdm/Xauthority r,
# file_inherit
owner @{HOME}/.xsession-errors w,

6
apparmor.d/groups/desktop/blueman
View file

@ -62,8 +62,8 @@ profile blueman @{exec_path} {
owner @{PROC}/@{pid}/cmdline r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
@ -100,7 +100,7 @@ profile blueman @{exec_path} {
owner @{HOME}/ r,
owner @{HOME}/bluetooth*/* r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,

6
apparmor.d/groups/desktop/dbus-daemon
View file

@ -51,9 +51,9 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/systemd/sessions/[0-9].ref rw,
@{run}/systemd/users/[0-9]* r,
owner @{run}/user/[0-9]*/dbus-1/ rw,
owner @{run}/user/[0-9]*/dbus-1/services/ rw,
@{run}/systemd/users/@{uid} r,
owner @{run}/user/@{uid}/dbus-1/ rw,
owner @{run}/user/@{uid}/dbus-1/services/ rw,
# Extra rules for GDM
/var/lib/gdm/.local/share/icc/ r,

4
apparmor.d/groups/desktop/dbus-run-session
View file

@ -24,8 +24,8 @@ profile dbus-run-session @{exec_path} {
/usr/share/gdm/greeter-dconf-defaults r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,

4
apparmor.d/groups/desktop/dconf-editor
View file

@ -18,8 +18,8 @@ profile dconf-editor @{exec_path} {
@{exec_path} mr,
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
# When GSETTINGS_BACKEND=keyfile
owner @{user_config_dirs}/glib-2.0/ rw,

4
apparmor.d/groups/desktop/dconf-service
View file

@ -15,8 +15,8 @@ profile dconf-service @{exec_path} {
@{exec_path} mr,
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{user_config_dirs}/dconf/ rw,
owner @{user_config_dirs}/dconf/user{,.*} rw,

2
apparmor.d/groups/desktop/xwayland
View file

@ -34,7 +34,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
/dev/tty rw,
# Needed for Mutter
owner @{run}/user/@{pid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
@{sys}/devices/pci[0-9]*/**/uevent r,
@{sys}/devices/pci[0-9]*/**/vendor r,

4
apparmor.d/groups/gnome/evolution-addressbook-factory
View file

@ -27,8 +27,8 @@ profile evolution-addressbook-factory @{exec_path} {
owner @{user_cache_dirs}/evolution/addressbook/{,**} rwk,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/cmdline r,

4
apparmor.d/groups/gnome/evolution-alarm-notify
View file

@ -18,8 +18,8 @@ profile evolution-alarm-notify @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
include if exists <local/evolution-alarm-notify>
}

4
apparmor.d/groups/gnome/evolution-calendar-factory
View file

@ -29,8 +29,8 @@ profile evolution-calendar-factory @{exec_path} {
owner @{user_cache_dirs}/evolution/tasks/{,**} rwk,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/cmdline r,

4
apparmor.d/groups/gnome/evolution-source-registry
View file

@ -28,8 +28,8 @@ profile evolution-source-registry @{exec_path} {
owner @{user_cache_dirs}/evolution/{,**} rwk,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/cmdline r,

2
apparmor.d/groups/gnome/gdm
View file

@ -41,7 +41,7 @@ profile gdm @{exec_path} {
@{run}/systemd/sessions/[0-9] r,
@{run}/systemd/sessions/[0-9].ref r,
@{run}/systemd/userdb/ r,
@{run}/systemd/users/[0-9]* r,
@{run}/systemd/users/@{uid} r,
@{sys}/devices/virtual/tty/tty[0-9]*/active r,

2
apparmor.d/groups/gnome/gdm-session-worker
View file

@ -51,7 +51,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
@{run}/faillock/[a-zA-z0-9]* rwk,
@{run}/systemd/sessions/[0-9].ref rw,
@{run}/systemd/users/[0-9]* r,
@{run}/systemd/users/@{uid} r,
@{run}/utmp rwk,
owner @{PROC}/@{pid}/fd/ r,

4
apparmor.d/groups/gnome/gdm-wayland-session
View file

@ -42,8 +42,8 @@ profile gdm-wayland-session @{exec_path} {
owner @{PROC}/@{pid}/loginuid r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
# file_inherit
/dev/tty[0-9]* rw,

6
apparmor.d/groups/gnome/gjs-console
View file

@ -49,10 +49,10 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/stat r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
@{run}/user/[0-9]*/gdm/Xauthority r,
@{run}/user/@{uid}/gdm/Xauthority r,
/dev/ r,
/dev/tty rw,

6
apparmor.d/groups/gnome/gnome-calendar
View file

@ -22,10 +22,10 @@ profile gnome-calendar @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/[0-9]*/gdm/Xauthority r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
include if exists <local/gnome-calendar>
}

4
apparmor.d/groups/gnome/gnome-contacts
View file

@ -28,8 +28,8 @@ profile gnome-contacts @{exec_path} {
owner @{user_share_dirs}/folks/relationships.ini r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
include if exists <local/gnome-contacts>
}

6
apparmor.d/groups/gnome/gnome-keyring-daemon
View file

@ -30,9 +30,9 @@ profile gnome-keyring-daemon @{exec_path} {
# Seahorse and SSH keys
owner @{HOME}/@{XDG_SSH_DIR}/{,**} r,
owner @{run}/user/[0-9]*/keyring/ rw,
owner @{run}/user/[0-9]*/keyring/* rw,
owner @{run}/user/[0-9]*/ssh-askpass.[0-9A-Z]*/{,*} rw,
owner @{run}/user/@{uid}/keyring/ rw,
owner @{run}/user/@{uid}/keyring/* rw,
owner @{run}/user/@{uid}/ssh-askpass.[0-9A-Z]*/{,*} rw,
@{PROC}/[0-9]*/fd/ r,

12
apparmor.d/groups/gnome/gnome-session-binary
View file

@ -57,21 +57,21 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
# Dconf
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,
# Temp files
/tmp/.ICE-unix/[0-9]* rw,
owner @{run}/user/[0-9]*/.mutter-Xwaylandauth.[0-9A-Z]* r,
owner @{run}/user/[0-9]*/gnome-session-leader-fifo rw,
owner @{run}/user/[0-9]*/ICEauthority{,-[a-z]} rwl,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl,
@{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/systemd/sessions/[0-9] r,
@{run}/systemd/sessions/[0-9].ref rw,
@{run}/systemd/users/[0-9]* r,
@{run}/systemd/users/@{uid} r,
@{sys}/devices/**/{vendor,device} r,

2
apparmor.d/groups/gnome/gnome-session-ctl
View file

@ -12,7 +12,7 @@ profile gnome-session-ctl @{exec_path} {
@{exec_path} mr,
owner @{run}/user/[0-9]*/gnome-session-leader-fifo r,
owner @{run}/user/@{uid}/gnome-session-leader-fifo r,
include if exists <local/gnome-session-ctl>
}

16
apparmor.d/groups/gnome/gnome-shell
View file

@ -74,18 +74,18 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,
owner @{run}/user/[0-9]*/gnome-shell/{,**} rw,
owner @{run}/user/[0-9]*/gnome-shell-disable-extensions rw,
owner @{run}/user/[0-9]*/wayland-[0-9].lock rwk,
owner @{run}/user/[0-9]*/gdm/Xauthority r,
owner @{run}/user/[0-9]*/.mutter-Xwaylandauth.[0-9A-Z]* rw,
owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
owner @{run}/user/@{uid}/wayland-[0-9].lock rwk,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
@{run}/systemd/users/[0-9]* r,
@{run}/systemd/users/@{uid} r,
@{run}/systemd/sessions/ r,
@{run}/systemd/sessions/[0-9] r,
@{run}/systemd/inhibit/[0-9]*.ref rw,

4
apparmor.d/groups/gnome/gnome-shell-calendar-server
View file

@ -16,8 +16,8 @@ profile gnome-shell-calendar-server @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
include if exists <local/gnome-shell-calendar-server>
}

4
apparmor.d/groups/gnome/goa-daemon
View file

@ -27,8 +27,8 @@ profile goa-daemon @{exec_path} {
owner @{user_config_dirs}/goa-1.0/accounts.conf r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
include if exists <local/goa-daemon>
}

4
apparmor.d/groups/gnome/gsd-a11y-settings
View file

@ -18,8 +18,8 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,

4
apparmor.d/groups/gnome/gsd-color
View file

@ -26,8 +26,8 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm/.local/share/icc/edid-*.icc r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,

4
apparmor.d/groups/gnome/gsd-datetime
View file

@ -18,8 +18,8 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,

4
apparmor.d/groups/gnome/gsd-housekeeping
View file

@ -23,8 +23,8 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/thumbnails/fail/gnome-thumbnail-factory/ r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,

4
apparmor.d/groups/gnome/gsd-keyboard
View file

@ -22,8 +22,8 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
/usr/share/X11/xkb/** r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,

6
apparmor.d/groups/gnome/gsd-media-keys
View file

@ -34,14 +34,14 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm/.config/pulse/client.conf r,
owner @{run}/user/[0-9]*/pulse/ r,
owner @{run}/user/@{uid}/pulse/ r,
@{run}/systemd/inhibit/[0-9]*.ref rw,
/dev/shm/ r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,

6
apparmor.d/groups/gnome/gsd-power
View file

@ -34,8 +34,8 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
owner @{user_config_dirs}/pulse/cookie rk,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,
@ -60,7 +60,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/user/[0-9]*/pulse/ r,
@{run}/user/@{uid}/pulse/ r,
@{PROC}/cmdline r,

4
apparmor.d/groups/gnome/gsd-sharing
View file

@ -18,8 +18,8 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,

4
apparmor.d/groups/gnome/gsd-smartcard
View file

@ -18,8 +18,8 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,

4
apparmor.d/groups/gnome/gsd-sound
View file

@ -18,8 +18,8 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,

4
apparmor.d/groups/gnome/gsd-usb-protection
View file

@ -15,8 +15,8 @@ profile gsd-usb-protection @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
include if exists <local/gsd-usb-protection>
}

4
apparmor.d/groups/gnome/gsd-wacom
View file

@ -28,8 +28,8 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
/usr/share/X11/xkb/** r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,

6
apparmor.d/groups/gnome/gsd-xsettings
View file

@ -33,12 +33,12 @@ profile gsd-xsettings @{exec_path} {
owner @{user_cache_dirs}/mesa_shader_cache/index rw,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,
owner @{run}/user/@{pid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
owner @{PROC}/@{pid}/fd/ r,

6
apparmor.d/groups/gnome/nautilus
View file

@ -25,7 +25,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
# Full access to user's data
/ r,
owner @{HOME}/{,**} rw,
owner @{run}/user/@{pid}/{,**} rw,
owner @{run}/user/@{uid}/{,**} rw,
owner /media/*/{,**} rw,
owner /mnt/*/{,**} rw,
owner /tmp/{,**} rw,
@ -37,8 +37,8 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
deny /tmp/.* rw,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,

4
apparmor.d/groups/gnome/seahorse
View file

@ -25,8 +25,8 @@ profile seahorse @{exec_path} {
owner @{HOME}/@{XDG_SSH_DIR}/{,**} r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
@{PROC}/[0-9]*/fd/ r,

4
apparmor.d/groups/gnome/tracker-extract
View file

@ -23,8 +23,8 @@ profile tracker-extract @{exec_path} {
owner @{user_share_dirs}/gvfs-metadata/** r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/tmp/tracker-extract-3-files.*/{,*} rw,

4
apparmor.d/groups/gnome/tracker-miner
View file

@ -35,8 +35,8 @@ profile tracker-miner @{exec_path} {
@{PROC}/sys/fs/inotify/max_user_watches r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
include if exists <local/tracker-miner>
}

4
apparmor.d/groups/gpg/dirmngr
View file

@ -27,8 +27,8 @@ profile dirmngr @{exec_path} {
/usr/share/gnupg/sks-keyservers.netCA.pem r,
owner @{run}/user/[0-9]*/gnupg/ rw,
owner @{run}/user/[0-9]*/gnupg/S.dirmngr rw,
owner @{run}/user/@{uid}/gnupg/ rw,
owner @{run}/user/@{uid}/gnupg/S.dirmngr rw,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,

2
apparmor.d/groups/gpg/gpg
View file

@ -60,7 +60,7 @@ profile gpg @{exec_path} {
owner /tmp/*.gpg.lock rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid},
owner /tmp/.#lk0x[0-9a-f]*.*.@{pid} rw,
owner /tmp/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid},
owner @{run}/user/[0-9]*/gnupg/d.*/ rw,
owner @{run}/user/@{uid}/gnupg/d.*/ rw,
# Verify files
owner @{HOME}/** r,

2
apparmor.d/groups/gpg/gpg-agent
View file

@ -38,7 +38,7 @@ profile gpg-agent @{exec_path} {
# For debuild
owner /tmp/dpkg-import-key.*/private-keys-v1.d/ w,
owner @{run}/user/[0-9]*/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w,
owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w,
@{PROC}/@{pid}/fd/ r,

2
apparmor.d/groups/gpg/scdaemon
View file

@ -20,7 +20,7 @@ profile scdaemon @{exec_path} {
owner @{HOME}/@{XDG_GPG_DIR}/scdaemon.conf r,
owner @{HOME}/@{XDG_GPG_DIR}/reader_0.status rw,
owner @{run}/user/[0-9]*/gnupg/S.scdaemon rw,
owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
@{PROC}/@{pid}/task/@{tid}/comm rw,

4
apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
View file

@ -29,8 +29,8 @@ profile gvfs-udisks2-volume-monitor @{exec_path} {
/{usr/,}bin/umount rPx,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ w,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ w,
owner @{run}/user/@{uid}/dconf/user rw,
/etc/fstab r,

2
apparmor.d/groups/gvfs/gvfsd
View file

@ -21,7 +21,7 @@ profile gvfsd @{exec_path} {
/usr/share/gvfs/{,**} r,
owner @{run}/user/[0-9]*/gvfs/ rw,
owner @{run}/user/@{uid}/gvfs/ rw,
owner @{PROC}/@{pid}/fd/ r,

8
apparmor.d/groups/gvfs/gvfsd-dav
View file

@ -28,11 +28,11 @@ profile gvfsd-dav @{exec_path} {
/usr/share/mime/mime.cache r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/[0-9]*/gvfsd/ rw,
owner @{run}/user/[0-9]*/gvfsd/socket-[a-zA-z0-9]* rw,
owner @{run}/user/@{uid}/gvfsd/ rw,
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
include if exists <local/gvfsd-dav>
}

4
apparmor.d/groups/gvfs/gvfsd-dnssd
View file

@ -14,8 +14,8 @@ profile gvfsd-dnssd @{exec_path} {
@{exec_path} mr,
owner @{run}/user/[0-9]*/gvfsd/ rw,
owner @{run}/user/[0-9]*/gvfsd/socket-[a-zA-z0-9]* rw,
owner @{run}/user/@{uid}/gvfsd/ rw,
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
include if exists <local/gvfsd-dnssd>
}

4
apparmor.d/groups/gvfs/gvfsd-ftp
View file

@ -22,8 +22,8 @@ profile gvfsd-ftp @{exec_path} {
@{exec_path} mr,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,

6
apparmor.d/groups/gvfs/gvfsd-fuse
View file

@ -16,7 +16,7 @@ profile gvfsd-fuse @{exec_path} {
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/,
mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/,
/dev/fuse rw,
@ -33,8 +33,8 @@ profile gvfsd-fuse @{exec_path} {
/{usr/,}bin/fusermount{,3} mr,
mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/,
umount @{run}/user/[0-9]*/**/,
mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/,
umount @{run}/user/@{uid}/**/,
/etc/fuse.conf r,

4
apparmor.d/groups/gvfs/gvfsd-mtp
View file

@ -19,8 +19,8 @@ profile gvfsd-mtp @{exec_path} {
@{exec_path} mr,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,

8
apparmor.d/groups/gvfs/gvfsd-network
View file

@ -14,14 +14,14 @@ profile gvfsd-network @{exec_path} {
@{exec_path} mr,
owner @{run}/user/[0-9]*/gvfsd/ rw,
owner @{run}/user/[0-9]*/gvfsd/socket-[a-zA-z0-9]* rw,
owner @{run}/user/@{uid}/gvfsd/ rw,
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
include if exists <local/gvfsd-network>
}

4
apparmor.d/groups/gvfs/gvfsd-recent
View file

@ -27,8 +27,8 @@ profile gvfsd-recent @{exec_path} {
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{user_share_dirs}/recently-used.xbel r,
owner @{run}/user/[0-9]*/gvfsd/ rw,
owner @{run}/user/[0-9]*/gvfsd/socket-[a-zA-z0-9]* rw,
owner @{run}/user/@{uid}/gvfsd/ rw,
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
owner @{PROC}/@{pid}/mountinfo r,
@{PROC}/sys/kernel/random/boot_id r,

4
apparmor.d/groups/gvfs/gvfsd-smb
View file

@ -21,8 +21,8 @@ profile gvfsd-smb @{exec_path} {
@{exec_path} mr,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,

4
apparmor.d/groups/gvfs/gvfsd-smb-browse
View file

@ -21,8 +21,8 @@ profile gvfsd-smb-browse @{exec_path} {
@{exec_path} mr,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,

4
apparmor.d/groups/gvfs/gvfsd-trash
View file

@ -26,8 +26,8 @@ profile gvfsd-trash @{exec_path} {
@{run}/mount/utab r,
owner @{run}/user/[0-9]*/gvfsd/ rw,
owner @{run}/user/[0-9]*/gvfsd/socket-[a-zA-z0-9]* rw,
owner @{run}/user/@{uid}/gvfsd/ rw,
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
# Can restore all user files
owner @{HOME}/{,**} rw,

2
apparmor.d/groups/ssh/ssh-agent
View file

@ -31,7 +31,7 @@ profile ssh-agent @{exec_path} {
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/ssh/{,*} r,
# When started via systemd
@{run}/user/[0-9]*/openssh_agent rw,
@{run}/user/@{uid}/openssh_agent rw,
# askpass apps
#/{usr/,}lib/ssh/x11-ssh-askpass rPUx,

2
apparmor.d/groups/systemd/systemd-logind
View file

@ -58,7 +58,7 @@ profile systemd-logind @{exec_path} flags=(complain) {
@{run}/systemd/sessions/[0-9]*{,.ref} rw,
@{run}/systemd/sessions/.#* rw,
@{run}/systemd/users/ r,
@{run}/systemd/users/[0-9]* rw,
@{run}/systemd/users/@{uid} rw,
@{run}/systemd/users/.#* rw,
@{run}/systemd/userdb/ r,

2
apparmor.d/groups/systemd/systemd-tmpfiles
View file

@ -29,7 +29,7 @@ profile systemd-tmpfiles @{exec_path} {
@{run}/tmpfiles.d/{,*.conf} r,
/usr/lib/tmpfiles.d/{,*.conf} r,
@{user_config_dirs}/user-tmpfiles.d/{,*.conf} r,
@{run}/user/@{pid}/user-tmpfiles.d/{,*.conf} r,
@{run}/user/@{uid}/user-tmpfiles.d/{,*.conf} r,
@{user_share_dirs}/user-tmpfiles.d/{,*.conf} r,
/usr/share/user-tmpfiles.d/{,*.conf} r,

2
apparmor.d/groups/systemd/systemd-xdg-autostart-generator
View file

@ -17,7 +17,7 @@ profile systemd-xdg-autostart-generator @{exec_path} {
/etc/xdg/autostart/{,*.desktop} r,
owner @{user_config_dirs}/autostart/{,*.desktop} r,
owner @{run}/user/@{pid}/systemd/generator.late/{,**} rw,
owner @{run}/user/@{uid}/systemd/generator.late/{,**} rw,
owner @{PROC}/@{pid}/cgroup r,

2
apparmor.d/profiles-a-l/amarok
View file

@ -136,7 +136,7 @@ profile amarok @{exec_path} {
/usr/share/icons/*/index.theme rk,
@{run}/user/[0-9]*/ksocket-*/amarok*.slave-socket rw,
@{run}/user/@{uid}/ksocket-*/amarok*.slave-socket rw,
# What's this for?
deny /etc/mysql/** r,

2
apparmor.d/profiles-a-l/anki
View file

@ -185,7 +185,7 @@ profile anki @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,

4
apparmor.d/profiles-a-l/arduino
View file

@ -52,7 +52,7 @@ profile arduino @{exec_path} {
owner @{HOME}/.java/fonts/*/fcinfo-*.properties rw,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/arduino/{,**} r,
/usr/share/arduino-builder/{,**} r,
@ -126,7 +126,7 @@ profile arduino @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,

2
apparmor.d/profiles-a-l/birdtray
View file

@ -87,7 +87,7 @@ profile birdtray @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,

6
apparmor.d/profiles-a-l/cawbird
View file

@ -39,8 +39,8 @@ profile cawbird @{exec_path} {
# This is needed as cawbird stores its settings in the dconf database.
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
@ -61,7 +61,7 @@ profile cawbird @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,

6
apparmor.d/profiles-a-l/czkawka-gui
View file

@ -39,8 +39,8 @@ profile czkawka-gui @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
profile open {
@ -56,7 +56,7 @@ profile czkawka-gui @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
#/{usr/,}lib/firefox/firefox rPx,

4
apparmor.d/profiles-a-l/dino-im
View file

@ -30,8 +30,8 @@ profile dino-im @{exec_path} {
/{usr/,}bin/gpgsm rCx -> gpg,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ w,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ w,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{user_share_dirs}/dino/ rw,
owner @{user_share_dirs}/dino/** rwk,

6
apparmor.d/profiles-a-l/engrampa
View file

@ -45,8 +45,8 @@ profile engrampa @{exec_path} {
/{usr/,}bin/xdg-open rCx -> open,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{user_config_dirs}/engrampa/ rw,
@ -106,7 +106,7 @@ profile engrampa @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}bin/engrampa rPx,

4
apparmor.d/profiles-a-l/font-manager
View file

@ -60,8 +60,8 @@ profile font-manager @{exec_path} {
@{sys}/fs/cgroup/{,**} r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
# Silencer
owner /var/cache/fontconfig/ w,

8
apparmor.d/profiles-a-l/gajim
View file

@ -94,8 +94,8 @@ profile gajim @{exec_path} {
owner /tmp/* rw,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
# Silencer
deny /usr/share/gajim/** w,
@ -115,8 +115,8 @@ profile gajim @{exec_path} {
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{run}/user/[0-9]*/gnupg/d.*/ rw,
owner @{run}/user/[0-9]*/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w,
owner @{run}/user/@{uid}/gnupg/d.*/ rw,
owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,

2
apparmor.d/profiles-a-l/gpartedbin
View file

@ -217,7 +217,7 @@ profile gpartedbin @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open

2
apparmor.d/profiles-a-l/gpodder
View file

@ -84,7 +84,7 @@ profile gpodder @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,

2
apparmor.d/profiles-a-l/gtk-youtube-viewer
View file

@ -108,7 +108,7 @@ profile gtk-youtube-viewer @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,

2
apparmor.d/profiles-a-l/hardinfo
View file

@ -168,7 +168,7 @@ profile hardinfo @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,

4
apparmor.d/profiles-a-l/hypnotix
View file

@ -61,8 +61,8 @@ profile hypnotix @{exec_path} {
# To be able to store settings
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/hypnotix/{,**} r,

2
apparmor.d/profiles-a-l/jdownloader
View file

@ -112,7 +112,7 @@ profile jdownloader @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,

8
apparmor.d/profiles-a-l/keepassxc
View file

@ -89,10 +89,10 @@ profile keepassxc @{exec_path} {
owner @{user_config_dirs}/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
owner @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
owner @{HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rw,
owner @{run}/user/[0-9]*/.[a-zA-Z]*/{,s} rw,
owner @{run}/user/[0-9]*/kpxc_server rw,
owner @{run}/user/@{uid}/.[a-zA-Z]*/{,s} rw,
owner @{run}/user/@{uid}/kpxc_server rw,
owner @{run}/user/[0-9]*/org.keepassxc.KeePassXC.BrowserServer w,
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
@ -122,7 +122,7 @@ profile keepassxc @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,

Some files were not shown because too many files have changed in this diff Show more