fix(profile): various fix & cleanup

This commit is contained in:
Alexandre Pujol 2024-05-06 20:33:01 +01:00
parent e2c69f18fa
commit 4b4e14b1d6
12 changed files with 32 additions and 81 deletions


@ -4,7 +4,7 @@
dbus send bus=system path=/fi/w1/wpa_supplicant1
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged},Set
member={GetAll,PropertiesChanged}
peer=(name=:*, label=wpa-supplicant),
dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
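Review bot: The corrected member list silently drops `Set`: `member={GetAll,PropertiesChanged},Set` appears malformed (the `,Set` outside the braces is not part of the alternation), and the replacement `member={GetAll,PropertiesChanged}` no longer allows property writes on `org.freedesktop.DBus.Properties`. If the caller ever needs Set, the form is `member={GetAll,PropertiesChanged,Set}`; if it was never needed, a short comment above the rule saying the narrowing is deliberate would stop the next reader from re-adding it. Sides are not marked on this page, so which line is the new one is inferred from the commit's stated fix intent.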


@ -14,7 +14,6 @@ profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/common/bwrap>
include <abstractions/common/app>
include <abstractions/dbus>
include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/fontconfig-cache-write>
capability dac_override,


@ -21,7 +21,6 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
@{bin}/cut rix,
@{bin}/file rix,
@{bin}/head rix,
@{bin}/kbuildsycoca5 rPx,
@{bin}/mv rix,
@{bin}/readlink rix,
@{bin}/realpath rix,
@ -31,9 +30,10 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
@{bin}/which{,.debianutils} rix,
@{bin}/gio rPx,
@{bin}/kbuildsycoca5 rPx,
@{bin}/ktraderclient5 rPUx,
@{bin}/mimetype rPx,
@{bin}/xprop rPx,
@{bin}/ktraderclient5 rPUx,
/usr/share/terminfo/** r,


@ -13,12 +13,12 @@ profile kauth-kded-smart-helper @{exec_path} {
include <abstractions/bus/org.freedesktop.PolicyKit1>
include <abstractions/nameservice-strict>
# dbus: own bus=system name=org.kde.kded.smart
#aa:dbus own bus=system name=org.kde.kded.smart
dbus send bus=system path=/
interface=org.kde.kf5auth
member=remoteSignal
peer=(name=org.freedesktop.DBus, label=kded5),
interface=org.kde.kf5auth
member=remoteSignal
peer=(name=org.freedesktop.DBus, label=kded5),
@{exec_path} mr,


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Jeroen Rijken
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -9,20 +10,13 @@ include <tunables/global>
@{exec_path} = @{bin}/kbuildsycoca5
profile kbuildsycoca5 @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
@{exec_path} mr,
/usr/share/applications/kde-mimeapps.list r,
/usr/share/mime/mime.cache r,
/usr/share/mime/types r,
/var/lib/flatpak/exports/share/mime/types r,
owner @{user_cache_dirs}/ksycoca5_* l -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/ksycoca5_* rw,
owner @{user_config_dirs}/mimeapps.list r,
owner @{user_share_dirs}/applications/mimeapps.list r,
owner @{user_share_dirs}/mime/types r,
link owner @{user_cache_dirs}/ksycoca5_* -> @{user_cache_dirs}/#@{int},
/dev/tty r,
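Review bot: Swapping the explicit `/usr/share/mime/*`, `kde-mimeapps.list` and `mimeapps.list` read rules for `include <abstractions/freedesktop.org>` widens what this cache builder may read well beyond the handful of files it needs; acceptable for a read-only helper, but it deserves a one-line comment stating the trade-off so the abstraction is not later assumed to be minimal. The `link owner @{user_cache_dirs}/ksycoca5_* -> @{user_cache_dirs}/#@{int},` rule only covers the rename-into-place step and presupposes `rw` on both `ksycoca5_*` and the `#@{int}` temp name; whether `owner @{user_cache_dirs}/ksycoca5_* rw,` survives this hunk cannot be told from the page, since sides are not marked, so please confirm a cache rebuild still succeeds under enforce mode. The profile body continues outside the second hunk.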


@ -15,7 +15,6 @@ profile kded @{exec_path} {
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/bus/org.bluez>
include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/bus/org.freedesktop.PolicyKit1>
include <abstractions/graphics>
include <abstractions/gtk>
@ -34,40 +33,9 @@ profile kded @{exec_path} {
signal (send) set=hup peer=xsettingsd,
# dbus: own bus=system name=com.redhat.NewPrinterNotification
dbus receive bus=system path=/org/freedesktop/NetworkManager/SecretAgent
interface=org.freedesktop.NetworkManager.SecretAgent
member={GetSecrets,CancelGetSecrets}
peer=(label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager/AccessPoint/@{int}
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager/Devices/@{int}
interface=org.freedesktop.DBus.Properties
member={PropertiesChanged,AccessPointAdded,AccessPointRemoved}
peer=(label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager
interface=org.freedesktop.NetworkManager.AgentManager
peer=(label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager
interface=org.freedesktop.NetworkManager.AgentManager
peer=(label=NetworkManager),
dbus send bus=system path=/org/freedesktop/bolt
interface=org.freedesktop.bolt1.Manager
member=ListDevices
peer=(name="{:*,org.freedesktop.bolt}", label=boltd),
dbus send bus=system path=/org/freedesktop/bolt{,/**}
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name="{:*,org.freedesktop.bolt}", label=boltd),
#aa:dbus own bus=system name=com.redhat.NewPrinterNotification
#aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager
#aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd
dbus receive bus=system path=/
interface=org.kde.kf5auth
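Review bot: The `#aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager` and `#aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd` directives replace rules that were scoped to specific paths and members (`member={GetSecrets,CancelGetSecrets}` on the SecretAgent path, `member=ListDevices`, `member=Get` on bolt's Properties interface) with what is presumably bidirectional send/receive on the whole name; for a secret-agent interface that is a real widening. If that is intended, a comment next to the directive should say so; otherwise keep the member-scoped `dbus receive ... path=/org/freedesktop/NetworkManager/SecretAgent` rule alongside the directive. The first hunk of this section also drops `include <abstractions/bus/org.freedesktop.NetworkManager>`, so the generated output should be cross-checked to confirm the `PropertiesChanged` receive rules for the `AccessPoint/@{int}` and `Devices/@{int}` paths are not lost. The kded profile continues outside both hunks.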


@ -46,8 +46,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
@{lib}/libheif/ r,
@{lib}/libheif/{,**} mr,
@{lib}/kf5/kdesu{,d} rix,
@{bin}/dolphin rPUx, # TODO: rPx,
@{bin}/dolphin rPx,
@{bin}/ksysguardd rix,
@{bin}/plasma-discover rPUx,
@{bin}/xrdb rPx,


@ -58,21 +58,20 @@ profile sddm-xsession @{exec_path} {
#@{bin}/openbox-session rPx,
#@{bin}/openbox rPx,
@{system_share_dirs}/im-config/data/{,*} r,
@{system_share_dirs}/im-config/xinputrc.common r,
/etc/default/{,*} r,
/etc/X11/{,**} r,
owner @{HOME}/.xinputrc r,
owner @{HOME}/.xsession-errors rw,
@{HOME}/tmp.* rw,
@{system_share_dirs}/im-config/data/{,*} r,
@{system_share_dirs}/im-config/xinputrc.common r,
owner @{user_share_dirs}/sddm/xorg-session.log w,
owner @{tmp}/xsess-env-* rw,
owner @{tmp}/file* rw,
owner @{tmp}/tmp.* rw,
audit owner @{tmp}/tmp.* rw,
owner @{PROC}/@{pid}/loginuid r,
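Review bot: `@{HOME}/tmp.* rw,` is the only write rule in this block without the `owner` qualifier, while the neighbouring `owner @{HOME}/.xsession-errors rw,` and `owner @{tmp}/tmp.* rw,` carry it; unless the session must write other users' files it should read `owner @{HOME}/tmp.* rw,`. Whether `audit owner @{tmp}/tmp.* rw,` is the added or the removed line cannot be told from this page; if it is the new one, a short comment explaining why these writes are audited would help whoever later reads the log noise. The profile continues past the hunk.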


@ -18,10 +18,7 @@ profile startplasma @{exec_path} {
@{exec_path} mr,
@{sh_path} rix,
@{bin}/env rix,
@{bin}/{,ba,da}sh rix,
@{sh_path} rix,
@{bin}/env rix,
@{bin}/grep rix,
@{bin}/kapplymousetheme rPUx,
@ -47,9 +44,6 @@ profile startplasma @{exec_path} {
/var/lib/flatpak/exports/share/mime/ r,
@{HOME}/ r,
@{HOME}/.xsession-errors w,
@{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/#@{int} rwk,
owner @{user_cache_dirs}/kcrash-metadata/ rw,
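Review bot: Dropping `@{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int},` and `owner @{user_cache_dirs}/#@{int} rwk,` from startplasma removes the only rules on this page that cover the ksycoca6 cache; the kbuildsycoca5 profile touched in this same commit only names `ksycoca5_*`. If ksycoca6 handling lives in a separate profile that is fine, but it is not visible here, so please confirm before enforcing. The `@{bin}/{,ba,da}sh rix,` to `@{sh_path} rix,` change in the first hunk is a consolidation and needs nothing further.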


@ -21,9 +21,10 @@ profile systemsettings @{exec_path} {
@{bin}/kcminit rPx,
/usr/share/kglobalaccel/org.kde.krunner.desktop r,
/usr/share/kcmkeys/{,*.kksrc} r,
/usr/share/kcm_networkmanagement/{,**} r,
/usr/share/kcmkeys/{,*.kksrc} r,
/usr/share/kglobalaccel/* r,
/usr/share/kinfocenter/{,**} r,
/usr/share/kinfocenter/{,**} r,
/usr/share/kpackage/{,**} r,
/usr/share/kservices{5,6}/{,**} r,
@ -31,11 +32,8 @@ profile systemsettings @{exec_path} {
/usr/share/kxmlgui5/systemsettings/systemsettingsui.rc r,
/usr/share/plasma/{,**} r,
/usr/share/sddm/themes/{,**} r,
/usr/share/systemsettings/{,**} r,
/usr/share/kinfocenter/{,**} r,
/usr/share/sddm/themes/{,**} r,
/var/lib/flatpak/exports/share/mime/ r,
/usr/share/systemsettings/{,**} r,
/etc/fstab r,
/etc/machine-id r,


@ -23,9 +23,9 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
#aa:dbus own bus=system name=org.freedesktop.nm_dispatcher
dbus send bus=system path=/org/freedesktop
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name=:*, label=NetworkManager),
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name=:*, label=NetworkManager),
@{exec_path} mr,
@ -58,13 +58,13 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
/etc/NetworkManager/dispatcher.d/** rix,
/etc/dhcp/dhclient-exit-hooks.d/ntp r,
# chown
/ r,
/usr/share/tlp/{,**} rw,
/etc/sysconfig/network/config r,
/etc/fstab r,
/etc/ntp.conf r,
/etc/sysconfig/network/config r,
/ r,
@{run}/chrony-dhcp/ rw,
@{run}/ntp.conf.dhcp rw,
@ -72,7 +72,6 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/notify rw,
@{run}/tlp/{,*} rw,
owner @{run}/ntp.conf.dhcp.@{rand6} rw,
owner /etc/ntp.conf r,
@{sys}/class/net/ r,
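Review bot: `/usr/share/tlp/{,**} rw,` grants the dispatcher write access under `/usr/share`, a package-managed tree that profiles normally only read; unless tlp's dispatcher hook really rewrites files there, this should be `/usr/share/tlp/{,**} r,`, with runtime state kept under the `@{run}/tlp/{,*} rw,` rule the third hunk already has. Whether that line is new or context cannot be told from this page. The `# chown` comment now sits directly above `/ r,` rather than the rule it annotated, so it should move with its rule or be dropped. Replacing `owner /etc/ntp.conf r,` with `/etc/ntp.conf r,` is harmless if nm-dispatcher runs as root, since `owner` never matched anything else on that file.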


@ -22,7 +22,7 @@ profile usbguard @{exec_path} {
unix (send, receive, connect) type=stream peer=(label="usbguard-daemon",addr=@@{int}),
# dbus: own bus=system name=org.usbguard1
#aa:dbus own bus=system name=org.usbguard1
@{exec_path} mr,