update apparmor profiles

Mikhail Morfikov 2021-03-14 18:57:00 +01:00
parent e1f16545e0
commit 4c0c878409
No known key found for this signature in database
GPG Key ID: 32D9CB634796CCA1
18 changed files with 41 additions and 20 deletions


@ -14,7 +14,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/apt.systemd.daily @{exec_path} = /{usr/,}lib/apt/apt.systemd.daily
profile apt-systemd-daily @{exec_path} flags=(complain) { profile apt-systemd-daily @{exec_path} {
include <abstractions/base> include <abstractions/base>
# Needed to remove the following error: # Needed to remove the following error:
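Review bot: Dropping `flags=(complain)` from apt-systemd-daily turns every rule gap that was previously only logged into a hard denial, and the rule body that is now enforced lies outside this hunk, so nothing here shows the profile was exercised in enforce mode first. A silently failing apt.systemd.daily means unattended updates stop, which is itself a security regression, so the audit log (e.g. via aa-logprof) is worth checking after the switch. The same complain-to-enforce change is made in this commit for hciconfig and for the `dbus` child profile of xdg-mime, whose bodies are likewise cut off by their hunks.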


@ -1,7 +1,7 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# #
# Copyright (C) 2015-2020 Mikhail Morfikov # Copyright (C) 2015-2021 Mikhail Morfikov
# #
# This program is free software; you can redistribute it and/or # This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public # modify it under the terms of version 2 of the GNU General Public
@ -21,5 +21,9 @@ profile bluetoothctl @{exec_path} {
/etc/inputrc r, /etc/inputrc r,
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/.bluetoothctl_history rw,
owner @{HOME}/.cache/.bluetoothctl_history-@{pid}.tmp rw,
include if exists <local/bluetoothctl> include if exists <local/bluetoothctl>
} }


@ -1,7 +1,7 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# #
# Copyright (C) 2015-2020 Mikhail Morfikov # Copyright (C) 2015-2021 Mikhail Morfikov
# #
# This program is free software; you can redistribute it and/or # This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public # modify it under the terms of version 2 of the GNU General Public
@ -24,6 +24,8 @@ profile bluetoothd @{exec_path} {
network bluetooth raw, network bluetooth raw,
network bluetooth seqpacket, network bluetooth seqpacket,
network bluetooth stream,
network alg seqpacket,
network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,
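Review bot: The new `network alg seqpacket,` rule grants bluetoothd a kernel crypto API (AF_ALG) socket without a comment saying which operation needs it, and the added `network bluetooth stream,` is equally unexplained, whereas the fusermount hunk in this commit sets the better example with `# For obexfs`. A short why-comment such as `# AF_ALG: in-kernel crypto used during pairing (TODO: confirm against the logged denial)` would keep the next reviewer from guessing. The same applies to the bluetooth stream/seqpacket lines added to dbus-daemon and pulseaudio; for dbus-daemon in particular the need presumably comes from sockets handed over by a client rather than from the daemon opening Bluetooth sockets itself, which is exactly the kind of fact a comment should record.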


@ -29,6 +29,9 @@ profile borg @{exec_path} {
# #
capability fowner, capability fowner,
network inet dgram,
network inet6 dgram,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/python3.[0-9]* r,
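Review bot: The added `network inet dgram,` and `network inet6 dgram,` give borg UDP sockets without saying what for; if this is name resolution for a remote repository, a nameservice abstraction normally covers it and an explicit rule hides the real cause. A comment like `# UDP needed for … (TODO: confirm from the denial)` would record it. The profile body continues outside the hunk, so whether inet stream is already granted cannot be seen here.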


@ -53,7 +53,7 @@ profile chromium-chromium @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink raw, network netlink raw,
@{exec_path} mrix, @{exec_path} mrix,
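Review bot: Replacing `deny network netlink raw,` with an allow gives chromium, a process that handles untrusted web content, raw netlink sockets, and an AppArmor network rule cannot narrow the netlink protocol family, so this permits more than the route/interface notifications a browser usually wants. If the denial was only log noise, keeping the `deny` (which is also quiet in the audit log) is the safer choice; if the access is genuinely required, the rule should carry a comment naming the feature that triggered it, e.g. `# netlink: network change notifications (TODO: confirm)`.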


@ -27,6 +27,9 @@ profile dbus-daemon @{exec_path} {
network netlink raw, network netlink raw,
network bluetooth stream,
network bluetooth seqpacket,
@{exec_path} mr, @{exec_path} mr,
/usr/libexec/* rPUx, /usr/libexec/* rPUx,


@ -75,8 +75,8 @@ profile font-manager @{exec_path} {
/dev/dri/ r, /dev/dri/ r,
include <abstractions/dconf> include <abstractions/dconf>
@{run}/user/[0-9]*/dconf/ rw, owner @{run}/user/[0-9]*/dconf/ rw,
@{run}/user/[0-9]*/dconf/user rw, owner @{run}/user/[0-9]*/dconf/user rw,
# Silencer # Silencer
owner /var/cache/fontconfig/ w, owner /var/cache/fontconfig/ w,


@ -27,8 +27,8 @@ profile fuseiso @{exec_path} {
owner @{HOME}/*/*/ rw, owner @{HOME}/*/*/ rw,
# Be able to mount ISO images # Be able to mount ISO images
mount fstype=fuse.fuseiso -> /home/*/*/, mount fstype=fuse.fuseiso -> @{HOME}/*/,
mount fstype=fuse.fuseiso -> /home/*/*/*/, mount fstype=fuse.fuseiso -> @{HOME}/*/*/,
# Image files to be mounted # Image files to be mounted
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,


@ -26,6 +26,9 @@ profile fusermount @{exec_path} {
# fusermount: mount failed: Permission denied # fusermount: mount failed: Permission denied
capability dac_read_search, capability dac_read_search,
# For obexfs
network bluetooth stream,
@{exec_path} mr, @{exec_path} mr,
# Where to mount ISO files # Where to mount ISO files
@ -34,9 +37,9 @@ profile fusermount @{exec_path} {
owner @{HOME}/.cache/**/ rw, owner @{HOME}/.cache/**/ rw,
# Be able to mount ISO images # Be able to mount ISO images
mount fstype={fuse,fuse.*} -> /home/*/*/, mount fstype={fuse,fuse.*} -> @{HOME}/*/,
mount fstype={fuse,fuse.*} -> /home/*/*/*/, mount fstype={fuse,fuse.*} -> @{HOME}/*/*/,
mount fstype={fuse,fuse.*} -> /home/*/.cache/**/, mount fstype={fuse,fuse.*} -> @{HOME}/.cache/**/,
mount fstype={fuse,fuse.*} -> /media/*/, mount fstype={fuse,fuse.*} -> /media/*/,
# For MTP # For MTP
mount -> /, mount -> /,
@ -45,9 +48,9 @@ profile fusermount @{exec_path} {
mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/, mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/,
# Be able to unmount the ISO images # Be able to unmount the ISO images
umount /home/*/*/, umount @{HOME}/*/,
umount /home/*/*/*/, umount @{HOME}/*/*/,
umount /home/*/.cache/**/, umount @{HOME}/.cache/**/,
umount /media/*/, umount /media/*/,
umount @{run}/user/[0-9]*/**/, umount @{run}/user/[0-9]*/**/,


@ -45,6 +45,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} {
/media/*/*/ r, /media/*/*/ r,
@{HOME}/*/*/ r, @{HOME}/*/*/ r,
@{HOME}/*/*/**/ r, @{HOME}/*/*/**/ r,
@{HOME}/bluetooth/ r,
owner @{HOME}/.local/share/mime/treemagic r, owner @{HOME}/.local/share/mime/treemagic r,
/usr/share/mime/treemagic r, /usr/share/mime/treemagic r,
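Review bot: `@{HOME}/bluetooth/ r,` hard-codes one user's directory name into a shipped profile while the neighbouring `@{HOME}/*/*/ r,` rules are generic globs; a site-specific path like this fits better in the `include if exists <local/…>` override that the other profiles in this commit carry than in the profile itself. It also lacks the `owner` qualifier, although that matches the style of the adjacent rules, so if those are intentionally unowned the new one can stay consistent with them.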


@ -40,6 +40,7 @@ profile gvfsd @{exec_path} {
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
include <abstractions/trash> include <abstractions/trash>
include <abstractions/disks-read> include <abstractions/disks-read>
include <abstractions/devices-usb>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/, mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/,
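Review bot: `include <abstractions/devices-usb>` hands gvfsd the whole USB device-node abstraction with no comment on which backend needs it; gvfsd mostly spawns backend processes, and if the backend that talks to USB runs under its own profile the include may belong there instead, which is worth confirming from the logged denial. The same include is added to strawberry in this commit, likewise uncommented. A one-liner such as `# USB device access for … (TODO: name the backend/feature)` would justify each.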


@ -14,11 +14,10 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/hciconfig @{exec_path} = /{usr/,}bin/hciconfig
profile hciconfig @{exec_path} flags=(complain) { profile hciconfig @{exec_path} {
include <abstractions/base> include <abstractions/base>
capability net_raw, capability net_raw,
capability net_admin, capability net_admin,
network bluetooth raw, network bluetooth raw,


@ -16,6 +16,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/id @{exec_path} = /{usr/,}bin/id
profile id @{exec_path} { profile id @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{exec_path} mr, @{exec_path} mr,


@ -29,6 +29,9 @@ profile pulseaudio @{exec_path} {
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
network bluetooth stream,
network bluetooth seqpacket,
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix, /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,


@ -88,7 +88,7 @@ profile smplayer @{exec_path} {
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
deny network inet6 stream, network inet6 stream,
deny network netlink dgram, deny network netlink dgram,
@{exec_path} mrix, @{exec_path} mrix,


@ -30,6 +30,7 @@ profile strawberry @{exec_path} {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/devices-usb>
include <abstractions/deny-root-dir-access> include <abstractions/deny-root-dir-access>
signal (send) set=(term, kill) peer=strawberry-tagreader, signal (send) set=(term, kill) peer=strawberry-tagreader,


@ -65,8 +65,8 @@ profile system-config-printer @{exec_path} flags=(complain) {
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
include <abstractions/dconf> include <abstractions/dconf>
@{run}/user/[0-9]*/dconf/ rw, owner @{run}/user/[0-9]*/dconf/ rw,
@{run}/user/[0-9]*/dconf/user rw, owner @{run}/user/[0-9]*/dconf/user rw,
# file_inherit # file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,


@ -60,7 +60,7 @@ profile xdg-mime @{exec_path} {
/media/** rw, /media/** rw,
profile dbus flags=(complain) { profile dbus {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>