mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-14 23:43:56 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

update apparmor profiles

Browse Source
This commit is contained in:
Mikhail Morfikov 2020-12-09 10:30:52 +01:00
parent f73da4a046
commit 503cf496bf
No known key found for this signature in database
GPG Key ID: 32D9CB634796CCA1
218 changed files with 1445 additions and 1502 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
apparmor.d/abstractions/libvirt-qemu
View File

@ -32,6 +32,9 @@
# only modify its comm value or those in its thread group. # only modify its comm value or those in its thread group.
owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw,
@{PROC}/sys/kernel/cap_last_cap r, @{PROC}/sys/kernel/cap_last_cap r,
@{PROC}/sys/vm/overcommit_memory r,
# detect hardware capabilities via qemu_getauxval
owner @{PROC}/*/auxv r,
# For hostdev access. The actual devices will be added dynamically # For hostdev access. The actual devices will be added dynamically
/sys/bus/usb/devices/ r, /sys/bus/usb/devices/ r,
@ -166,6 +169,11 @@
/usr/{lib,lib64}/qemu/*.so mr, /usr/{lib,lib64}/qemu/*.so mr,
/usr/lib/@{multiarch}/qemu/*.so mr, /usr/lib/@{multiarch}/qemu/*.so mr,
# let qemu load old shared objects after upgrades (LP: #1847361)
/{var/,}run/qemu/*/*.so mr,
# but explicitly deny writing to these files
audit deny /{var/,}run/qemu/*/*.so w,
# swtpm # swtpm
/{usr/,}bin/swtpm rmix, /{usr/,}bin/swtpm rmix,
/usr/{lib,lib64}/libswtpm_libtpms.so mr, /usr/{lib,lib64}/libswtpm_libtpms.so mr,

24
apparmor.d/adduser
View File

@ -38,19 +38,19 @@ profile adduser @{exec_path} {
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, /{usr/,}bin/perl r,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/find rix, /{usr/,}bin/find rix,
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}sbin/useradd rPx, /{usr/,}sbin/useradd rPx,
/{usr/,}sbin/userdel rPx, /{usr/,}sbin/userdel rPx,
/{usr/,}sbin/groupdel rPx, /{usr/,}sbin/groupdel rPx,
/{usr/,}sbin/groupadd rPx, /{usr/,}sbin/groupadd rPx,
/{usr/,}sbin/usermod rPx, /{usr/,}sbin/usermod rPx,
/{usr/,}bin/passwd rPx, /{usr/,}bin/passwd rPx,
/{usr/,}bin/gpasswd rPx, /{usr/,}bin/gpasswd rPx,
/{usr/,}bin/chfn rPx, /{usr/,}bin/chfn rPx,
/{usr/,}bin/chage rPx, /{usr/,}bin/chage rPx,
/etc/{group,passwd,shadow} r, /etc/{group,passwd,shadow} r,

8
apparmor.d/adequate
View File

@ -78,11 +78,11 @@ profile adequate @{exec_path} flags=(complain) {
/usr/share/debconf/frontend r, /usr/share/debconf/frontend r,
/{usr/,}bin/perl r, /{usr/,}bin/perl r,
/{usr/,}bin/adequate rPx, /{usr/,}bin/adequate rPx,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix, /{usr/,}bin/stty rix,
/{usr/,}bin/locale rix, /{usr/,}bin/locale rix,
/etc/debconf.conf r, /etc/debconf.conf r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,

2
apparmor.d/amarok
View File

@ -61,7 +61,7 @@ profile amarok @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/amarokcollectionscanner rix, /{usr/,}bin/amarokcollectionscanner rix,
/{usr/,}bin/kde4-config rix, /{usr/,}bin/kde4-config rix,

37
apparmor.d/android-studio
View File

@ -32,6 +32,7 @@ profile android-studio @{exec_path} {
#include <abstractions/dri-enumerate> #include <abstractions/dri-enumerate>
#include <abstractions/mesa> #include <abstractions/mesa>
#include <abstractions/audio> #include <abstractions/audio>
#include <abstractions/python>
#include <abstractions/deny-root-dir-access> #include <abstractions/deny-root-dir-access>
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
@ -47,7 +48,9 @@ profile android-studio @{exec_path} {
signal (send) set=(term, kill) peer=android-studio//lsb-release, signal (send) set=(term, kill) peer=android-studio//lsb-release,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/dash r, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/which rix, /{usr/,}bin/which rix,
/{usr/,}bin/uname rix, /{usr/,}bin/uname rix,
@ -91,6 +94,7 @@ profile android-studio @{exec_path} {
/media/*/ r, /media/*/ r,
/usr/ r, /usr/ r,
/{usr/,}lib/ r, /{usr/,}lib/ r,
/{usr/,}lib{x32,32,64}/ r,
@{AS_LIBDIR}/ rw, @{AS_LIBDIR}/ rw,
@{AS_LIBDIR}/** mrwkix, @{AS_LIBDIR}/** mrwkix,
@ -120,13 +124,32 @@ profile android-studio @{exec_path} {
owner @{HOME}/AndroidStudio/DeviceExplorer/ rw, owner @{HOME}/AndroidStudio/DeviceExplorer/ rw,
owner @{HOME}/AndroidStudio/DeviceExplorer/** rw, owner @{HOME}/AndroidStudio/DeviceExplorer/** rw,
owner @{HOME}/Android/ rw,
owner @{HOME}/Android/** mrwkix,
owner "@{HOME}/.config/Android Open Source Project/" rw, owner "@{HOME}/.config/Android Open Source Project/" rw,
owner "@{HOME}/.config/Android Open Source Project/**" rwk, owner "@{HOME}/.config/Android Open Source Project/**" rwk,
owner @{HOME}/.config/Google/ rw,
owner @{HOME}/.config/Google/** rwk,
owner @{HOME}/.cache/ rw, owner @{HOME}/.cache/ rw,
owner "@{HOME}/.cache/Android Open Source Project/" rw, owner "@{HOME}/.cache/Android Open Source Project/" rw,
owner "@{HOME}/.cache/Android Open Source Project/**" rw, owner "@{HOME}/.cache/Android Open Source Project/**" rw,
owner @{HOME}/.cache/Google/ rw,
owner @{HOME}/.cache/Google/** rwk,
# To remove the following error:
# Location: /home/morfik/.cache/Google/AndroidStudio4.1/tmp
# java.io.IOException: Cannot run program
# "/home/morfik/.cache/Google/AndroidStudio4.1/tmp/ij659840309.tmp": error=13, Permission denied
owner @{HOME}/.cache/Google/AndroidStudio*/tmp/ij[0-9]*.tmp rwkix,
#
owner @{HOME}/.cache/Google/AndroidStudio*/tmp/jna[0-9]*.tmp mrwk,
owner @{HOME}/.cache/JNA/ rw,
owner @{HOME}/.cache/JNA/** rw,
owner @{HOME}/.gradle/ rw, owner @{HOME}/.gradle/ rw,
owner @{HOME}/.gradle/** mrwkix, owner @{HOME}/.gradle/** mrwkix,
@ -135,8 +158,7 @@ profile android-studio @{exec_path} {
owner @{HOME}/.android/** rwkl -> @{HOME}/.android/**, owner @{HOME}/.android/** rwkl -> @{HOME}/.android/**,
owner @{HOME}/.local/share/Google/ rw, owner @{HOME}/.local/share/Google/ rw,
owner @{HOME}/.local/share/Google/consentOptions/ rw, owner @{HOME}/.local/share/Google/** rw,
owner @{HOME}/.local/share/Google/consentOptions/accepted rw,
owner @{HOME}/.local/share/kotlin/ rw, owner @{HOME}/.local/share/kotlin/ rw,
owner @{HOME}/.local/share/kotlin/** rw, owner @{HOME}/.local/share/kotlin/** rw,
@ -214,6 +236,9 @@ profile android-studio @{exec_path} {
/{usr/,}bin/gpg mr, /{usr/,}bin/gpg mr,
owner @{HOME}/.gnupg/ rw,
owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
} }
profile lsb-release { profile lsb-release {
@ -250,7 +275,11 @@ profile android-studio @{exec_path} {
/{usr/,}bin/xdg-open mr, /{usr/,}bin/xdg-open mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}bin/spacefm rPx, /{usr/,}bin/spacefm rPx,

8
apparmor.d/anki
View File

@ -120,8 +120,8 @@ profile anki @{exec_path} {
/etc/mime.types r, /etc/mime.types r,
# SyncThread # SyncThread
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix, /{usr/,}bin/uname rix,
/etc/ r, /etc/ r,
/etc/debian_version r, /etc/debian_version r,
@ -185,6 +185,10 @@ profile anki @{exec_path} {
/{usr/,}bin/xdg-open mr, /{usr/,}bin/xdg-open mr,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, /{usr/,}lib/firefox/firefox rPUx,

41
apparmor.d/anyremote
View File

@ -25,27 +25,26 @@ profile anyremote @{exec_path} {
@{exec_path} rm, @{exec_path} rm,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/bash rix, /{usr/,}bin/cat rix,
/{usr/,}bin/cat rix, /{usr/,}bin/rm rix,
/{usr/,}bin/rm rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/cut rix,
/{usr/,}bin/cut rix, /{usr/,}bin/id rix,
/{usr/,}bin/id rix, /{usr/,}bin/mv rix,
/{usr/,}bin/mv rix, /{usr/,}bin/expr rix,
/{usr/,}bin/expr rix, /{usr/,}bin/which rix,
/{usr/,}bin/which rix, /{usr/,}bin/head rix,
/{usr/,}bin/head rix, /{usr/,}bin/wc rix,
/{usr/,}bin/wc rix, /{usr/,}bin/tr rix,
/{usr/,}bin/tr rix, /{usr/,}bin/mkdir rix,
/{usr/,}bin/mkdir rix, /{usr/,}bin/tail rix,
/{usr/,}bin/tail rix, /{usr/,}bin/gawk rix,
/{usr/,}bin/gawk rix, /{usr/,}bin/sed rix,
/{usr/,}bin/sed rix, /{usr/,}bin/md5sum rix,
/{usr/,}bin/md5sum rix, /{usr/,}bin/basename rix,
/{usr/,}bin/basename rix, /{usr/,}bin/sleep rix,
/{usr/,}bin/sleep rix, /{usr/,}bin/find rix,
/{usr/,}bin/find rix,
/{usr/,}bin/convert-im6.q16 rCx -> imagemagic, /{usr/,}bin/convert-im6.q16 rCx -> imagemagic,
/{usr/,}bin/killall rCx -> killall, /{usr/,}bin/killall rCx -> killall,

9
apparmor.d/apt
View File

@ -72,9 +72,9 @@ profile apt @{exec_path} flags=(complain) {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/test rix, /{usr/,}bin/test rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/ps rPx, /{usr/,}bin/ps rPx,
/{usr/,}bin/dpkg rPx, /{usr/,}bin/dpkg rPx,
@ -110,6 +110,7 @@ profile apt @{exec_path} flags=(complain) {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
/tmp/ r,
owner /tmp/apt.conf.* rw, owner /tmp/apt.conf.* rw,
owner /tmp/apt.data.* rw, owner /tmp/apt.data.* rw,
owner /tmp/apt-dpkg-install-*/ rw, owner /tmp/apt-dpkg-install-*/ rw,
@ -128,7 +129,7 @@ profile apt @{exec_path} flags=(complain) {
/{usr/,}bin/sensible-editor mr, /{usr/,}bin/sensible-editor mr,
/{usr/,}bin/vim.* mrix, /{usr/,}bin/vim.* mrix,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix, /{usr/,}bin/which rix,
owner @{HOME}/.selected_editor r, owner @{HOME}/.selected_editor r,

3
apparmor.d/apt-file
View File

@ -34,6 +34,9 @@ profile apt-file @{exec_path} {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
# For shell pwd
/root/ r,
# file_inherit # file_inherit
/var/log/cron-apt/temp w, /var/log/cron-apt/temp w,

18
apparmor.d/apt-get
View File

@ -71,9 +71,9 @@ profile apt-get @{exec_path} flags=(complain) {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/test rix, /{usr/,}bin/test rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/ps rPx, /{usr/,}bin/ps rPx,
/{usr/,}bin/dpkg rPx, /{usr/,}bin/dpkg rPx,
@ -114,6 +114,7 @@ profile apt-get @{exec_path} flags=(complain) {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
/tmp/ r,
owner /tmp/apt-tmp-index.* rw, owner /tmp/apt-tmp-index.* rw,
owner /tmp/apt-dpkg-install-*/ rw, owner /tmp/apt-dpkg-install-*/ rw,
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w, owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
@ -134,16 +135,21 @@ profile apt-get @{exec_path} flags=(complain) {
capability dac_read_search, capability dac_read_search,
/{usr/,}bin/ r,
/{usr/,}bin/sensible-pager mr, /{usr/,}bin/sensible-pager mr,
/{usr/,}bin/dash r, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix, /{usr/,}bin/which rix,
/{usr/,}bin/less rix, /{usr/,}bin/less rix,
owner @{HOME}/.less* rw, owner @{HOME}/.less* rw,
owner /tmp/apt-changelog-*/ r,
owner /tmp/apt-changelog-*/*.changelog r, owner /tmp/apt-changelog-*/*.changelog r,
# For shell pwd
/root/ r,
} }
profile dpkg-source flags=(complain) { profile dpkg-source flags=(complain) {

43
apparmor.d/apt-key
View File

@ -20,25 +20,25 @@ profile apt-key @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/sed rix, /{usr/,}bin/sed rix,
/{usr/,}bin/cp rix, /{usr/,}bin/cp rix,
/{usr/,}bin/cat rix, /{usr/,}bin/cat rix,
/{usr/,}bin/cmp rix, /{usr/,}bin/cmp rix,
/{usr/,}bin/find rix, /{usr/,}bin/find rix,
/{usr/,}bin/cut rix, /{usr/,}bin/cut rix,
/{usr/,}bin/mktemp rix, /{usr/,}bin/mktemp rix,
/{usr/,}bin/chmod rix, /{usr/,}bin/chmod rix,
/{usr/,}bin/touch rix, /{usr/,}bin/touch rix,
/{usr/,}bin/readlink rix, /{usr/,}bin/readlink rix,
/{usr/,}bin/sort rix, /{usr/,}bin/sort rix,
/{usr/,}bin/comm rix, /{usr/,}bin/comm rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/id rix, /{usr/,}bin/id rix,
/{usr/,}bin/tr rix, /{usr/,}bin/tr rix,
/{usr/,}bin/uniq rix, /{usr/,}bin/uniq rix,
/{usr/,}bin/wc rix, /{usr/,}bin/wc rix,
/{usr/,}bin/gpgconf rCx -> gpg, /{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpg rCx -> gpg, /{usr/,}bin/gpg rCx -> gpg,
@ -46,10 +46,15 @@ profile apt-key @{exec_path} {
/{usr/,}bin/dpkg-query rPx, /{usr/,}bin/dpkg-query rPx,
/{usr/,}bin/apt-config rPx, /{usr/,}bin/apt-config rPx,
# For shell pwd
/ r, / r,
/etc/ r,
/root/ r,
/etc/apt/trusted.gpg r, /etc/apt/trusted.gpg r,
/etc/apt/trusted.gpg.d/{,*.gpg} r, /etc/apt/trusted.gpg.d/{,*.gpg} r,
/tmp/ r,
owner /tmp/apt-key-gpghome.*/{,**} rw, owner /tmp/apt-key-gpghome.*/{,**} rw,

8
apparmor.d/apt-listbugs
View File

@ -26,11 +26,11 @@ profile apt-listbugs @{exec_path} {
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/ruby2.[0-9]* rix, /{usr/,}bin/ruby2.[0-9]* rix,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/logname rix, /{usr/,}bin/logname rix,
/{usr/,}bin/apt-config rPx, /{usr/,}bin/apt-config rPx,
/{usr/,}bin/dpkg-query rPx, /{usr/,}bin/dpkg-query rPx,
/usr/local/lib/site_ruby/[0-9].[0-9].[0-9]/**.rb r, /usr/local/lib/site_ruby/[0-9].[0-9].[0-9]/**.rb r,

1
apparmor.d/apt-listbugs-aptcleanup
View File

@ -16,6 +16,7 @@
@{exec_path} = /usr/libexec/apt-listbugs/aptcleanup @{exec_path} = /usr/libexec/apt-listbugs/aptcleanup
profile apt-listbugs-aptcleanup @{exec_path} { profile apt-listbugs-aptcleanup @{exec_path} {
#include <abstractions/base> #include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/ruby> #include <abstractions/ruby>
@{exec_path} r, @{exec_path} r,

1
apparmor.d/apt-listbugs-migratepins
View File

@ -16,6 +16,7 @@
@{exec_path} = /usr/libexec/apt-listbugs/migratepins @{exec_path} = /usr/libexec/apt-listbugs/migratepins
profile apt-listbugs-migratepins @{exec_path} { profile apt-listbugs-migratepins @{exec_path} {
#include <abstractions/base> #include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/ruby> #include <abstractions/ruby>
@{exec_path} r, @{exec_path} r,

3
apparmor.d/apt-listbugs-prefclean
View File

@ -16,6 +16,7 @@
@{exec_path} = /usr/libexec/apt-listbugs/prefclean @{exec_path} = /usr/libexec/apt-listbugs/prefclean
profile apt-listbugs-prefclean @{exec_path} { profile apt-listbugs-prefclean @{exec_path} {
#include <abstractions/base> #include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/ruby> #include <abstractions/ruby>
@{exec_path} r, @{exec_path} r,
@ -27,6 +28,8 @@ profile apt-listbugs-prefclean @{exec_path} {
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/cp rix, /{usr/,}bin/cp rix,
/ r,
owner /var/spool/apt-listbugs/lastprefclean rw, owner /var/spool/apt-listbugs/lastprefclean rw,
#include if exists <local/apt-listbugs-prefclean> #include if exists <local/apt-listbugs-prefclean>

20
apparmor.d/apt-listchanges
View File

@ -26,7 +26,7 @@ profile apt-listchanges @{exec_path} {
/{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r, /{usr/,}bin/ r,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/tar rix, /{usr/,}bin/tar rix,
/{usr/,}bin/hostname rPx, /{usr/,}bin/hostname rPx,
@ -38,6 +38,10 @@ profile apt-listchanges @{exec_path} {
/usr/share/apt-listchanges/{,**} r, /usr/share/apt-listchanges/{,**} r,
/etc/apt/listchanges.conf r, /etc/apt/listchanges.conf r,
/etc/apt/listchanges.conf.d/{,*} r,
/etc/apt/apt.conf r,
/etc/apt/apt.conf.d/{,*} r,
/usr/share/dpkg/cputable r, /usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r, /usr/share/dpkg/tupletable r,
@ -47,8 +51,11 @@ profile apt-listchanges @{exec_path} {
/var/lib/apt/listchanges{,-new}.db rw, /var/lib/apt/listchanges{,-new}.db rw,
/var/lib/apt/listchanges-old.db rwl -> /var/lib/apt/listchanges.db, /var/lib/apt/listchanges-old.db rwl -> /var/lib/apt/listchanges.db,
/var/cache/apt/archives/ r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
/tmp/ r,
owner /tmp/* rw, owner /tmp/* rw,
owner /tmp/apt-listchanges*/ rw, owner /tmp/apt-listchanges*/ rw,
owner /tmp/apt-listchanges*/**/ rw, owner /tmp/apt-listchanges*/**/ rw,
@ -79,12 +86,17 @@ profile apt-listchanges @{exec_path} {
/{usr/,}bin/sensible-pager mr, /{usr/,}bin/sensible-pager mr,
/{usr/,}bin/dash rix, /{usr/,}bin/ r,
/{usr/,}bin/which rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/less rix, /{usr/,}bin/which rix,
/{usr/,}bin/less rix,
owner @{HOME}/.less* rw, owner @{HOME}/.less* rw,
# For shell pwd
/root/ r,
/tmp/ r,
owner /tmp/apt-listchanges-tmp*.txt r, owner /tmp/apt-listchanges-tmp*.txt r,
} }

5
apparmor.d/apt-methods-cdrom
View File

@ -38,6 +38,11 @@ profile apt-methods-cdrom @{exec_path} {
owner /var/lib/apt/lists/* rw, owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw, owner /var/lib/apt/lists/partial/* rw,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
# For package building # For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,

5
apparmor.d/apt-methods-copy
View File

@ -38,6 +38,11 @@ profile apt-methods-copy @{exec_path} {
# apt-helper gets "no new privs" so "rix" it # apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix, /{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r, /etc/apt/apt.conf r,

5
apparmor.d/apt-methods-file
View File

@ -38,6 +38,11 @@ profile apt-methods-file @{exec_path} {
# apt-helper gets "no new privs" so "rix" it # apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix, /{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r, /etc/apt/apt.conf r,

5
apparmor.d/apt-methods-ftp
View File

@ -38,6 +38,11 @@ profile apt-methods-ftp @{exec_path} {
owner /var/lib/apt/lists/* rw, owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw, owner /var/lib/apt/lists/partial/* rw,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
# For package building # For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,

8
apparmor.d/apt-methods-gpgv
View File

@ -55,6 +55,11 @@ profile apt-methods-gpgv @{exec_path} {
/{usr/,}bin/sort rix, /{usr/,}bin/sort rix,
/{usr/,}bin/touch rix, /{usr/,}bin/touch rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/dpkg/dpkg.cfg.d/{,*} r, /etc/dpkg/dpkg.cfg.d/{,*} r,
/etc/dpkg/dpkg.cfg r, /etc/dpkg/dpkg.cfg r,
@ -64,6 +69,7 @@ profile apt-methods-gpgv @{exec_path} {
/etc/apt/trusted.gpg.d/{,*.gpg} r, /etc/apt/trusted.gpg.d/{,*.gpg} r,
/etc/apt/trusted.gpg r, /etc/apt/trusted.gpg r,
/tmp/ r,
owner /tmp/apt-key-gpghome.*/ rw, owner /tmp/apt-key-gpghome.*/ rw,
owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
owner /tmp/apt.{conf,sig,data}.* rw, owner /tmp/apt.{conf,sig,data}.* rw,
@ -79,8 +85,6 @@ profile apt-methods-gpgv @{exec_path} {
@{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/fd/ r,
/ r,
# For package building # For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,

7
apparmor.d/apt-methods-http
View File

@ -39,8 +39,12 @@ profile apt-methods-http @{exec_path} {
# apt-helper gets "no new privs" so "rix" it # apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix, /{usr/,}lib/apt/apt-helper rix,
/etc/apt/auth.conf.d/{,*} r, # For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/auth.conf.d/{,*} r,
/etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r, /etc/apt/apt.conf r,
@ -55,6 +59,7 @@ profile apt-methods-http @{exec_path} {
/var/cache/apt/** rwk, /var/cache/apt/** rwk,
# For the aptitude interactive mode # For the aptitude interactive mode
/tmp/ r,
owner /tmp/aptitude-root.*/aptitude-download-* rw, owner /tmp/aptitude-root.*/aptitude-download-* rw,
owner /tmp/apt-changelog-*/*.changelog rw, owner /tmp/apt-changelog-*/*.changelog rw,

5
apparmor.d/apt-methods-mirror
View File

@ -38,6 +38,11 @@ profile apt-methods-mirror @{exec_path} {
owner /var/lib/apt/lists/* rw, owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw, owner /var/lib/apt/lists/partial/* rw,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
# For package building # For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,

5
apparmor.d/apt-methods-rred
View File

@ -38,6 +38,11 @@ profile apt-methods-rred @{exec_path} {
# apt-helper gets "no new privs" so "rix" it # apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix, /{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r, /etc/apt/apt.conf r,

5
apparmor.d/apt-methods-rsh
View File

@ -38,6 +38,11 @@ profile apt-methods-rsh @{exec_path} {
owner /var/lib/apt/lists/* rw, owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw, owner /var/lib/apt/lists/partial/* rw,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
# For package building # For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,

6
apparmor.d/apt-methods-store
View File

@ -38,6 +38,11 @@ profile apt-methods-store @{exec_path} {
# apt-helper gets "no new privs" so "rix" it # apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix, /{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r, /etc/apt/apt.conf r,
@ -50,6 +55,7 @@ profile apt-methods-store @{exec_path} {
/usr/share/doc/*/changelog.* r, /usr/share/doc/*/changelog.* r,
/tmp/ r,
owner /tmp/apt-changelog-*/*.changelog{,.*} rw, owner /tmp/apt-changelog-*/*.changelog{,.*} rw,
# For package building # For package building

17
apparmor.d/aptitude
View File

@ -73,9 +73,9 @@ profile aptitude @{exec_path} flags=(complain) {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/test rix, /{usr/,}bin/test rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/ps rPx, /{usr/,}bin/ps rPx,
/{usr/,}bin/dpkg rPx, /{usr/,}bin/dpkg rPx,
@ -127,6 +127,7 @@ profile aptitude @{exec_path} flags=(complain) {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
/tmp/ r,
owner /tmp/aptitude-*.@{pid}:*/ rw, owner /tmp/aptitude-*.@{pid}:*/ rw,
owner /tmp/aptitude-*.@{pid}:*/{pkgstates,control}* rw, owner /tmp/aptitude-*.@{pid}:*/{pkgstates,control}* rw,
/tmp/aptitude-*.@{pid}:*/pkgstates* r, /tmp/aptitude-*.@{pid}:*/pkgstates* r,
@ -172,16 +173,20 @@ profile aptitude @{exec_path} flags=(complain) {
#include <abstractions/base> #include <abstractions/base>
#include <abstractions/consoles> #include <abstractions/consoles>
/{usr/,}bin/ r,
/{usr/,}bin/sensible-pager mr, /{usr/,}bin/sensible-pager mr,
/{usr/,}bin/dash r, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix, /{usr/,}bin/which rix,
/{usr/,}bin/less rix, /{usr/,}bin/less rix,
owner @{HOME}/.less* rw, owner @{HOME}/.less* rw,
owner /tmp/aptitude-*.@{pid}:*/aptitude-download-* rw, owner /tmp/aptitude-*.@{pid}:*/aptitude-download-* rw,
# For shell pwd
/root/ r,
} }
#include if exists <local/aptitude> #include if exists <local/aptitude>

10
apparmor.d/aptitude-create-state-bundle
View File

@ -20,12 +20,12 @@ profile aptitude-create-state-bundle @{exec_path} {
#include <abstractions/nameservice-strict> #include <abstractions/nameservice-strict>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/bash r, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix, /{usr/,}bin/which rix,
/{usr/,}bin/tar rix, /{usr/,}bin/tar rix,
/{usr/,}bin/bzip2 rix, /{usr/,}bin/bzip2 rix,
/{usr/,}bin/gzip rix, /{usr/,}bin/gzip rix,
# Files included in the bundle # Files included in the bundle
owner @{HOME}/.aptitude/{,*} r, owner @{HOME}/.aptitude/{,*} r,

10
apparmor.d/aptitude-run-state-bundle
View File

@ -21,12 +21,12 @@ profile aptitude-run-state-bundle @{exec_path} {
#include <abstractions/user-download-strict> #include <abstractions/user-download-strict>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/bash r, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/tar rix, /{usr/,}bin/tar rix,
/{usr/,}bin/bzip2 rix, /{usr/,}bin/bzip2 rix,
/{usr/,}bin/mktemp rix, /{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/aptitude-curses rPx, /{usr/,}bin/aptitude-curses rPx,

47
apparmor.d/atom
View File

@ -48,32 +48,29 @@ profile atom @{exec_path} {
deny /{usr/,}local/bin/ r, deny /{usr/,}local/bin/ r,
deny /{usr/,}bin/ r, deny /{usr/,}bin/ r,
#/{usr/,}bin/bash rix, #/{usr/,}bin/{,ba,da}sh rix,
#/{usr/,}bin/zsh rix, #/{usr/,}bin/zsh rix,
#/{usr/,}bin/env rix, #/{usr/,}bin/env rix,
#/{usr/,}bin/rmdir rix, #/{usr/,}bin/rmdir rix,
#/{usr/,}bin/{,e}grep rix, #/{usr/,}bin/{,e}grep rix,
#/{usr/,}bin/ls rix, #/{usr/,}bin/ls rix,
#/{usr/,}bin/gawk rix, #/{usr/,}bin/gawk rix,
#/{usr/,}bin/tty rix, #/{usr/,}bin/tty rix,
#/{usr/,}bin/dircolors rix, #/{usr/,}bin/dircolors rix,
#/{usr/,}bin/cut rix, #/{usr/,}bin/cut rix,
#/{usr/,}bin/xwininfo rix, #/{usr/,}bin/xwininfo rix,
#/{usr/,}bin/date rix, #/{usr/,}bin/date rix,
# The expr and uname tools are needed or Atom won't start with the following error: # The expr and uname tools are needed or Atom won't start with the following error:
# Your platform () is not supported. # Your platform () is not supported.
/{usr/,}bin/expr rix, /{usr/,}bin/expr rix,
/{usr/,}bin/uname rix, /{usr/,}bin/uname rix,
# The following also are needed to start Atom # The following also are needed to start Atom
/{usr/,}bin/basename rix, /{usr/,}bin/basename rix,
/{usr/,}bin/readlink rix, /{usr/,}bin/readlink rix,
/{usr/,}bin/dirname rix, /{usr/,}bin/dirname rix,
/{usr/,}bin/mkdir rix, /{usr/,}bin/mkdir rix,
/{usr/,}bin/nohup rix, /{usr/,}bin/nohup rix,
/{usr/,}bin/cat rix, /{usr/,}bin/cat rix,
# The dash shell is needed to install packages. If you don't want to install any, coment the
# following line out.
#/{usr/,}bin/dash rix,
/{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/xdg-open rCx -> open, /{usr/,}bin/xdg-open rCx -> open,
@ -194,6 +191,10 @@ profile atom @{exec_path} {
/{usr/,}bin/xdg-open mr, /{usr/,}bin/xdg-open mr,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, /{usr/,}lib/firefox/firefox rPUx,

2
apparmor.d/bin.ping
View File

@ -21,7 +21,7 @@ profile ping /{usr/,}bin/{,iputils-}ping {
network inet raw, network inet raw,
network inet6 raw, network inet6 raw,
/{,usr/}bin/{,iputils-}ping mixr, /{usr/,}bin/{,iputils-}ping mixr,
/etc/modules.conf r, /etc/modules.conf r,
# Site-specific additions and overrides. See local/README for details. # Site-specific additions and overrides. See local/README for details.

4
apparmor.d/birdtray
View File

@ -83,6 +83,10 @@ profile birdtray @{exec_path} {
/{usr/,}bin/xdg-open mr, /{usr/,}bin/xdg-open mr,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, /{usr/,}lib/firefox/firefox rPUx,

5
apparmor.d/brave
View File

@ -209,8 +209,11 @@ profile brave @{exec_path} {
/{usr/,}bin/xdg-open mr, /{usr/,}bin/xdg-open mr,
# Allowed apps to open owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,

12
apparmor.d/brave-browser
View File

@ -24,13 +24,13 @@ profile brave-browser @{exec_path} {
#include <abstractions/deny-root-dir-access> #include <abstractions/deny-root-dir-access>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/bash r, /{usr/,}bin/{,ba,da}sh rix,
/usr/bin/readlink rix, /{usr/,}bin/readlink rix,
/usr/bin/dirname rix, /{usr/,}bin/dirname rix,
/usr/bin/which rix, /{usr/,}bin/which rix,
/usr/bin/mkdir rix, /{usr/,}bin/mkdir rix,
/usr/bin/cat rix, /{usr/,}bin/cat rix,
@{BRAVE_INSTALLDIR}/brave rPx, @{BRAVE_INSTALLDIR}/brave rPx,

8
apparmor.d/calibre
View File

@ -63,7 +63,7 @@ profile calibre @{exec_path} {
#/{usr/,}bin/ r, #/{usr/,}bin/ r,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/ldconfig rix, /{usr/,}sbin/ldconfig rix,
/{usr/,}bin/uname rix, /{usr/,}bin/uname rix,
/{usr/,}bin/file rix, /{usr/,}bin/file rix,
@ -183,7 +183,11 @@ profile calibre @{exec_path} {
/{usr/,}bin/xdg-open mr, /{usr/,}bin/xdg-open mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPx, /{usr/,}lib/firefox/firefox rPx,

6
apparmor.d/cawbird
View File

@ -28,7 +28,7 @@ profile cawbird @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/xdg-open rCx -> open, /{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/exo-open rCx -> open, /{usr/,}bin/exo-open rCx -> open,
@ -76,6 +76,10 @@ profile cawbird @{exec_path} {
/{usr/,}bin/xdg-open mr, /{usr/,}bin/xdg-open mr,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, /{usr/,}lib/firefox/firefox rPUx,

12
apparmor.d/check-bios-nx
View File

@ -23,15 +23,15 @@ profile check-bios-nx @{exec_path} {
capability dac_override, capability dac_override,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/dash r, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix, /{usr/,}bin/uname rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/getopt rix, /{usr/,}bin/getopt rix,
/{usr/,}bin/kmod rCx -> kmod, /{usr/,}bin/kmod rCx -> kmod,
/{usr/,}sbin/rdmsr rPx, /{usr/,}sbin/rdmsr rPx,
owner @{PROC}/@{pid}/fd/2 w, owner @{PROC}/@{pid}/fd/2 w,

5
apparmor.d/check-support-status
View File

@ -19,10 +19,11 @@ profile check-support-status @{exec_path} flags=(complain) {
#include <abstractions/consoles> #include <abstractions/consoles>
@{exec_path} rix, @{exec_path} rix,
/{usr/,}bin/dash r, /{usr/,}bin/{,ba,da}sh rix,
/etc/debian_version r, /etc/debian_version r,
/{usr/,}bin/ r,
/{usr/,}bin/gettext.sh r, /{usr/,}bin/gettext.sh r,
/{usr/,}bin/cat rix, /{usr/,}bin/cat rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
@ -57,9 +58,11 @@ profile check-support-status @{exec_path} flags=(complain) {
owner /tmp/debian-security-support.*/{,**} rw, owner /tmp/debian-security-support.*/{,**} rw,
/tmp/debian-security-support.postinst.*/output w, /tmp/debian-security-support.postinst.*/output w,
/var/lib/debian-security-support/ r,
owner /var/lib/debian-security-support/security-support.semaphore rw, owner /var/lib/debian-security-support/security-support.semaphore rw,
owner /var/lib/debian-security-support/tmp.* rw, owner /var/lib/debian-security-support/tmp.* rw,
/usr/share/debian-security-support/ r,
/usr/share/debian-security-support/* r, /usr/share/debian-security-support/* r,

34
apparmor.d/check-support-status-hook
View File

@ -20,14 +20,15 @@ profile check-support-status-hook @{exec_path} flags=(complain) {
#include <abstractions/nameservice-strict> #include <abstractions/nameservice-strict>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/dash r, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/getent rix, /{usr/,}bin/ r,
/{usr/,}bin/mkdir rix, /{usr/,}bin/getent rix,
/{usr/,}bin/chown rix, /{usr/,}bin/mkdir rix,
/{usr/,}bin/stat rix, /{usr/,}bin/chown rix,
/{usr/,}bin/mktemp rix, /{usr/,}bin/stat rix,
/{usr/,}bin/rm rix, /{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}sbin/adduser rPx, /{usr/,}sbin/adduser rPx,
/{usr/,}bin/check-support-status rPx, /{usr/,}bin/check-support-status rPx,
@ -40,9 +41,17 @@ profile check-support-status-hook @{exec_path} flags=(complain) {
/usr/share/debconf/confmodule r, /usr/share/debconf/confmodule r,
# For shell pwd
/ r,
/root/ r,
/tmp/ r,
owner /tmp/debian-security-support.postinst.*/ rw, owner /tmp/debian-security-support.postinst.*/ rw,
owner /tmp/debian-security-support.postinst.*/output rw, owner /tmp/debian-security-support.postinst.*/output rw,
/var/lib/ r,
/var/lib/debian-security-support/ r,
profile debconf-escape flags=(complain) { profile debconf-escape flags=(complain) {
#include <abstractions/base> #include <abstractions/base>
@ -52,6 +61,7 @@ profile check-support-status-hook @{exec_path} flags=(complain) {
/{usr/,}bin/debconf-escape r, /{usr/,}bin/debconf-escape r,
/{usr/,}bin/perl r, /{usr/,}bin/perl r,
/tmp/ r,
owner /tmp/debian-security-support.postinst.*/output r, owner /tmp/debian-security-support.postinst.*/output r,
} }
@ -65,11 +75,12 @@ profile check-support-status-hook @{exec_path} flags=(complain) {
/usr/share/debconf/frontend r, /usr/share/debconf/frontend r,
/{usr/,}bin/perl r, /{usr/,}bin/perl r,
/usr/share/debian-security-support/ r,
/usr/share/debian-security-support/check-support-status.hook rPx, /usr/share/debian-security-support/check-support-status.hook rPx,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix, /{usr/,}bin/stty rix,
/{usr/,}bin/locale rix, /{usr/,}bin/locale rix,
/etc/debconf.conf r, /etc/debconf.conf r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
@ -106,7 +117,7 @@ profile check-support-status-hook @{exec_path} flags=(complain) {
/{usr/,}sbin/runuser mr, /{usr/,}sbin/runuser mr,
/{usr/,}bin/bash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/check-support-status rPx, /{usr/,}bin/check-support-status rPx,
@ -115,6 +126,7 @@ profile check-support-status-hook @{exec_path} flags=(complain) {
/etc/security/limits.d/ r, /etc/security/limits.d/ r,
/tmp/ r,
owner /tmp/debian-security-support.postinst.*/output w, owner /tmp/debian-security-support.postinst.*/output w,
} }

3
apparmor.d/child-lsb_release
View File

@ -38,8 +38,7 @@ profile child-lsb_release {
# /etc/lsb-release r, # /etc/lsb-release r,
# /etc/lsb-release.d/ r, # /etc/lsb-release.d/ r,
# /{usr/,}bin/bash ixr, # /{usr/,}bin/{,ba,da}sh rix,
# /{usr/,}bin/dash ixr,
# /{usr/,}bin/basename ixr, # /{usr/,}bin/basename ixr,
# /{usr/,}bin/getopt ixr, # /{usr/,}bin/getopt ixr,

4
apparmor.d/child-pager
View File

@ -26,11 +26,15 @@ profile child-pager {
signal (receive) set=(stop, cont, term, kill), signal (receive) set=(stop, cont, term, kill),
/{usr/,}bin/ r,
/{usr/,}bin/pager mr, /{usr/,}bin/pager mr,
/{usr/,}bin/less mr, /{usr/,}bin/less mr,
/{usr/,}bin/more mr, /{usr/,}bin/more mr,
owner @{HOME}/.lesshs* rw, owner @{HOME}/.lesshs* rw,
# For shell pwd
/root/ r,
#include if exists <local/child-pager> #include if exists <local/child-pager>
} }

20
apparmor.d/chromium
View File

@ -27,16 +27,16 @@ profile chromium @{exec_path} {
@{CHROMIUM_INSTALLDIR}/chromium rPx, @{CHROMIUM_INSTALLDIR}/chromium rPx,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix, /{usr/,}bin/uname rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/expr rix, /{usr/,}bin/expr rix,
/{usr/,}bin/cat rix, /{usr/,}bin/cat rix,
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/cut rix, /{usr/,}bin/cut rix,
/{usr/,}bin/tr rix, /{usr/,}bin/tr rix,
/{usr/,}bin/ls rix, /{usr/,}bin/ls rix,
/{usr/,}bin/mktemp rix, /{usr/,}bin/mktemp rix,
# For chromium -g # For chromium -g
/{usr/,}bin/gdb rPUx, /{usr/,}bin/gdb rPUx,

6
apparmor.d/chromium-chromium
View File

@ -190,7 +190,11 @@ profile chromium-chromium @{exec_path} {
/{usr/,}bin/xdg-open mr, /{usr/,}bin/xdg-open mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}bin/smplayer rPx, /{usr/,}bin/smplayer rPx,

16
apparmor.d/claws-mail
View File

@ -30,21 +30,21 @@ profile claws-mail @{exec_path} flags=(complain) {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix, /{usr/,}bin/which rix,
/{usr/,}bin/gpg rCx -> gpg, /{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg, /{usr/,}bin/gpgsm rCx -> gpg,
/{usr/,}bin/gpgconf rCx -> gpg, /{usr/,}bin/gpgconf rCx -> gpg,
# For Orage integration # For Orage integration
/{usr/,}bin/orage rPUx, /{usr/,}bin/orage rPUx,
# For sending local mails # For sending local mails
/{usr/,}sbin/exim4 rPUx, /{usr/,}sbin/exim4 rPUx,
# For editing in an external editor # For editing in an external editor
/{usr/,}bin/geany rPUx, /{usr/,}bin/geany rPUx,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{HOME}/.claws-mail/ rw, owner @{HOME}/.claws-mail/ rw,

5
apparmor.d/code
View File

@ -44,9 +44,8 @@ profile code @{exec_path} {
# The bash shell is needed only when you want to start code via bin/code. Also the shells are # The bash shell is needed only when you want to start code via bin/code. Also the shells are
# needed if you plan to operate on the built in terminal. If you don't need the built in terminal # needed if you plan to operate on the built in terminal. If you don't need the built in terminal
# and want to use the linux one, the following three lines can be commented out. # and want to use the linux one, the following three lines can be commented out.
# /{usr/,}bin/bash rix, #/{usr/,}bin/{,ba,da}sh rix,
# /{usr/,}bin/zsh rix, # /{usr/,}bin/zsh rix,
# /{usr/,}bin/dash rix,
#/{usr/,}bin/dirname rix, #/{usr/,}bin/dirname rix,
#/{usr/,}bin/{,e}grep rix, #/{usr/,}bin/{,e}grep rix,

31
apparmor.d/conky
View File

@ -28,21 +28,20 @@ profile conky @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# Needed tools to render conky output # Needed tools to render conky output
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/bash rix, /{usr/,}bin/cp rix,
/{usr/,}bin/cp rix, /{usr/,}bin/rm rix,
/{usr/,}bin/rm rix, /{usr/,}bin/sed rix,
/{usr/,}bin/sed rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/gawk rix,
/{usr/,}bin/gawk rix, /{usr/,}bin/tr rix,
/{usr/,}bin/tr rix, /{usr/,}bin/uniq rix,
/{usr/,}bin/uniq rix, /{usr/,}bin/head rix,
/{usr/,}bin/head rix, /{usr/,}bin/cut rix,
/{usr/,}bin/cut rix, /{usr/,}bin/date rix,
/{usr/,}bin/date rix, /{usr/,}bin/cat rix,
/{usr/,}bin/cat rix, /{usr/,}bin/wc rix,
/{usr/,}bin/wc rix, /{usr/,}bin/sed rix,
/{usr/,}bin/sed rix,
# To remove the following error: # To remove the following error:
# .conky/Accuweather_conky_script/accuweather: line 917: /usr/bin/pkill: Permission denied # .conky/Accuweather_conky_script/accuweather: line 917: /usr/bin/pkill: Permission denied
@ -154,7 +153,7 @@ profile conky @{exec_path} {
/{usr/,}bin/lynx mr, /{usr/,}bin/lynx mr,
/{usr/,}bin/w3m mr, /{usr/,}bin/w3m mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/etc/mime.types r, /etc/mime.types r,
/etc/mailcap r, /etc/mailcap r,

2
apparmor.d/convertall
View File

@ -29,7 +29,7 @@ profile convertall @{exec_path} {
#include <abstractions/deny-root-dir-access> #include <abstractions/deny-root-dir-access>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/dash r, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/python3.[0-9]* rix, /{usr/,}bin/python3.[0-9]* rix,

6
apparmor.d/cpupower
View File

@ -26,9 +26,9 @@ profile cpupower @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/kmod rCx -> kmod, /{usr/,}bin/kmod rCx -> kmod,
/{usr/,}bin/man rPx, /{usr/,}bin/man rPx,
@{sys}/devices/system/cpu/{cpufreq,cpuidle}/ r, @{sys}/devices/system/cpu/{cpufreq,cpuidle}/ r,
@{sys}/devices/system/cpu/{cpufreq,cpuidle}/** r, @{sys}/devices/system/cpu/{cpufreq,cpuidle}/** r,

6
apparmor.d/cron
View File

@ -28,9 +28,9 @@ profile cron @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/nice rix, /{usr/,}bin/nice rix,
/{usr/,}bin/ionice rix, /{usr/,}bin/ionice rix,
/etc/crontab r, /etc/crontab r,

14
apparmor.d/cron-apt
View File

@ -23,7 +23,7 @@ profile cron-apt @{exec_path} {
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/dotlockfile rix, /{usr/,}bin/dotlockfile rix,
/{usr/,}bin/sed rix, /{usr/,}bin/sed rix,
/{usr/,}bin/mktemp rix, /{usr/,}bin/mktemp rix,
@ -61,10 +61,13 @@ profile cron-apt @{exec_path} {
/etc/cron-apt/refrain r, /etc/cron-apt/refrain r,
/etc/cron-apt/action.d/[0-9]-* r, /etc/cron-apt/action.d/[0-9]-* r,
/var/lib/cron-apt/{,**/} w, # For shell pwd
/var/lib/cron-apt/.lk@{pid}* rw, / r,
/var/lib/cron-apt/lockfile rwl -> /var/lib/cron-apt/.lk@{pid}*, /etc/ r,
/var/lib/cron-apt/_-_etc_-_cron-apt_-_config/mailchanges/[0-9]-*-[0-9a-f]* rw, /root/ r,
/var/lib/cron-apt/ rw,
/var/lib/cron-apt/** rwl -> /var/lib/cron-apt/**,
# Logs # Logs
/var/log/cron-apt/ r, /var/log/cron-apt/ r,
@ -77,6 +80,7 @@ profile cron-apt @{exec_path} {
/{usr/,}lib/locale/locale-archive r, /{usr/,}lib/locale/locale-archive r,
# TMP # TMP
/tmp/ r,
owner /tmp/cron-apt.*/ rw, owner /tmp/cron-apt.*/ rw,
owner /tmp/cron-apt.*/difftemp rw, owner /tmp/cron-apt.*/difftemp rw,
owner /tmp/cron-apt.*/lockfile rw, owner /tmp/cron-apt.*/lockfile rw,

14
apparmor.d/cron-apt-listbugs
View File

@ -18,7 +18,7 @@ profile cron-apt-listbugs @{exec_path} {
#include <abstractions/base> #include <abstractions/base>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/dash r, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean rCx -> prefclean, /{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean rCx -> prefclean,
@ -30,12 +30,12 @@ profile cron-apt-listbugs @{exec_path} {
/{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean mr, /{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean mr,
/{usr/,}bin/dash r, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mktemp rix, /{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/cp rix, /{usr/,}bin/cp rix,
/{usr/,}bin/date rix, /{usr/,}bin/date rix,
/{usr/,}bin/cat rix, /{usr/,}bin/cat rix,
/var/spool/apt-listbugs/lastprefclean rw, /var/spool/apt-listbugs/lastprefclean rw,

5
apparmor.d/cron-apt-show-versions
View File

@ -18,9 +18,12 @@ profile cron-apt-show-versions @{exec_path} {
#include <abstractions/base> #include <abstractions/base>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/dash r, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/apt-show-versions rPx, /{usr/,}bin/apt-show-versions rPx,
# For shell pwd
/ r,
#include if exists <local/cron-apt-show-versions> #include if exists <local/cron-apt-show-versions>
} }

14
apparmor.d/cron-apt-xapian-index
View File

@ -18,16 +18,20 @@ profile cron-apt-xapian-index @{exec_path} {
#include <abstractions/base> #include <abstractions/base>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/dash r, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix, /{usr/,}bin/which rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/nice rix, /{usr/,}bin/nice rix,
/{usr/,}bin/ionice rix, /{usr/,}bin/ionice rix,
/{usr/,}sbin/ r,
/{usr/,}sbin/update-apt-xapian-index rPx, /{usr/,}sbin/update-apt-xapian-index rPx,
/{usr/,}sbin/on_ac_power rPx, /{usr/,}sbin/on_ac_power rPx,
# For shell pwd
/ r,
#include if exists <local/cron-apt-xapian-index> #include if exists <local/cron-apt-xapian-index>
} }

22
apparmor.d/cron-aptitude
View File

@ -18,20 +18,20 @@ profile cron-aptitude @{exec_path} {
#include <abstractions/base> #include <abstractions/base>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/dash r, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cp rix, /{usr/,}bin/cp rix,
/{usr/,}bin/date rix, /{usr/,}bin/date rix,
/{usr/,}bin/basename rix, /{usr/,}bin/basename rix,
/{usr/,}bin/which rix, /{usr/,}bin/which rix,
/{usr/,}bin/dirname rix, /{usr/,}bin/dirname rix,
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/mv rix, /{usr/,}bin/mv rix,
/{usr/,}bin/savelog rix, /{usr/,}bin/savelog rix,
/{usr/,}bin/cmp rix, /{usr/,}bin/cmp rix,
/{usr/,}bin/gzip rix, /{usr/,}bin/gzip rix,
/var/lib/aptitude/pkgstates r, /var/lib/aptitude/pkgstates r,

20
apparmor.d/cron-debsums
View File

@ -19,20 +19,24 @@ profile cron-debsums @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/true rix, /{usr/,}bin/true rix,
/{usr/,}bin/logger rix, /{usr/,}bin/logger rix,
/{usr/,}bin/sed rix, /{usr/,}bin/sed rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/ionice rix, /{usr/,}bin/ionice rix,
/{usr/,}bin/debsums rPx, /{usr/,}bin/debsums rPx,
/{usr/,}bin/tee rCx -> tee, /{usr/,}bin/tee rCx -> tee,
/etc/ r,
/etc/default/debsums r, /etc/default/debsums r,
/etc/debsums-ignore r, /etc/debsums-ignore r,
# For shell pwd
/ r,
profile tee { profile tee {
#include <abstractions/base> #include <abstractions/base>

2
apparmor.d/cron-dlocate
View File

@ -18,7 +18,7 @@ profile cron-dlocate @{exec_path} {
#include <abstractions/base> #include <abstractions/base>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/update-dlocatedb rPx, /{usr/,}sbin/update-dlocatedb rPx,

5
apparmor.d/cron-ipset-autoban-save
View File

@ -19,10 +19,9 @@ profile cron-ipset-autoban-save @{exec_path} {
#include <abstractions/consoles> #include <abstractions/consoles>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/bash rix, /{usr/,}sbin/ipset rix,
/{usr/,}sbin/ipset rix,
/etc/peerblock/autoban rw, /etc/peerblock/autoban rw,

5
apparmor.d/cron-logrotate
View File

@ -18,11 +18,14 @@ profile cron-logrotate @{exec_path} {
#include <abstractions/base> #include <abstractions/base>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/logrotate rPx, /{usr/,}sbin/logrotate rPx,
/{usr/,}bin/logger rix, /{usr/,}bin/logger rix,
# For shell pwd
/ r,
#include if exists <local/cron-logrotate> #include if exists <local/cron-logrotate>
} }

14
apparmor.d/cron-mlocate
View File

@ -19,14 +19,14 @@ profile cron-mlocate @{exec_path} {
#include <abstractions/consoles> #include <abstractions/consoles>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/bash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix, /{usr/,}bin/which rix,
/{usr/,}bin/true rix, /{usr/,}bin/true rix,
/{usr/,}bin/flock rix, /{usr/,}bin/flock rix,
/{usr/,}bin/nocache rix, /{usr/,}bin/nocache rix,
/{usr/,}bin/ionice rix, /{usr/,}bin/ionice rix,
/{usr/,}bin/nice rix, /{usr/,}bin/nice rix,
/{usr/,}bin/updatedb.mlocate rPx, /{usr/,}bin/updatedb.mlocate rPx,
/{usr/,}sbin/on_ac_power rPx, /{usr/,}sbin/on_ac_power rPx,

56
apparmor.d/cron-popularity-contest
View File

@ -18,33 +18,39 @@ profile cron-popularity-contest @{exec_path} {
#include <abstractions/base> #include <abstractions/base>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/popularity-contest rPx, /{usr/,}sbin/popularity-contest rPx,
/{usr/,}bin/logger rix, /{usr/,}bin/logger rix,
/{usr/,}bin/date rix, /{usr/,}bin/date rix,
/{usr/,}bin/mktemp rix, /{usr/,}bin/mktemp rix,
/{usr/,}bin/mkdir rix, /{usr/,}bin/mkdir rix,
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/mv rix, /{usr/,}bin/mv rix,
/{usr/,}bin/cat rix, /{usr/,}bin/cat rix,
/{usr/,}bin/setsid rix, /{usr/,}bin/setsid rix,
# To send reports via TOR # To send reports via TOR
/{usr/,}bin/torify rix, /{usr/,}bin/torify rix,
/{usr/,}bin/torsocks rix, /{usr/,}bin/torsocks rix,
/{usr/,}sbin/getcap rix, /{usr/,}sbin/getcap rix,
/usr/share/popularity-contest/popcon-upload rCx -> popcon-upload, /usr/share/popularity-contest/popcon-upload rCx -> popcon-upload,
/{usr/,}bin/gpg rCx -> gpg, /{usr/,}bin/gpg rCx -> gpg,
/{usr/,}sbin/runuser rCx -> runuser, /{usr/,}sbin/runuser rCx -> runuser,
/{usr/,}bin/savelog rCx -> savelog, /{usr/,}bin/savelog rCx -> savelog,
/usr/share/popularity-contest/ r,
/usr/share/popularity-contest/default.conf r, /usr/share/popularity-contest/default.conf r,
/etc/popularity-contest.conf r, /etc/popularity-contest.conf r,
# For shell pwd
/ r,
/root/ r,
/var/log/ r,
/var/log/popularity-contest{,.new} rw, /var/log/popularity-contest{,.new} rw,
/var/log/popularity-contest{,.new}.gpg rw, /var/log/popularity-contest{,.new}.gpg rw,
@ -64,16 +70,16 @@ profile cron-popularity-contest @{exec_path} {
/{usr/,}bin/savelog mr, /{usr/,}bin/savelog mr,
/{usr/,}bin/date rix, /{usr/,}bin/date rix,
/{usr/,}bin/basename rix, /{usr/,}bin/basename rix,
/{usr/,}bin/which rix, /{usr/,}bin/which rix,
/{usr/,}bin/dirname rix, /{usr/,}bin/dirname rix,
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/mv rix, /{usr/,}bin/mv rix,
/{usr/,}bin/touch rix, /{usr/,}bin/touch rix,
/{usr/,}bin/gzip rix, /{usr/,}bin/gzip rix,
/{usr/,}bin/dash r, /{usr/,}bin/{,ba,da}sh rix,
/var/log/ r, /var/log/ r,
/var/log/popularity-contest.[0-9]*.gz rw, /var/log/popularity-contest.[0-9]*.gz rw,
@ -93,7 +99,7 @@ profile cron-popularity-contest @{exec_path} {
/{usr/,}sbin/runuser mr, /{usr/,}sbin/runuser mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/popularity-contest rPx, /{usr/,}sbin/popularity-contest rPx,

4
apparmor.d/crontab
View File

@ -24,7 +24,7 @@ profile crontab @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
# When editing the crontab file # When editing the crontab file
/{usr/,}bin/sensible-editor rCx -> editor, /{usr/,}bin/sensible-editor rCx -> editor,
@ -45,7 +45,7 @@ profile crontab @{exec_path} {
/{usr/,}bin/sensible-editor mr, /{usr/,}bin/sensible-editor mr,
/{usr/,}bin/vim.* mrix, /{usr/,}bin/vim.* mrix,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix, /{usr/,}bin/which rix,
owner @{HOME}/.selected_editor r, owner @{HOME}/.selected_editor r,

4
apparmor.d/ddclient
View File

@ -24,8 +24,8 @@ profile ddclient @{exec_path} {
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, /{usr/,}bin/perl r,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/logger rix, /{usr/,}bin/logger rix,
/etc/ddclient.conf r, /etc/ddclient.conf r,

6
apparmor.d/debconf-apt-progress
View File

@ -39,9 +39,9 @@ profile debconf-apt-progress @{exec_path} flags=(complain) {
/{usr/,}bin/debconf-apt-progress rPx, /{usr/,}bin/debconf-apt-progress rPx,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix, /{usr/,}bin/stty rix,
/{usr/,}bin/locale rix, /{usr/,}bin/locale rix,
# The following is needed when debconf uses dialog/whiptail frontend. # The following is needed when debconf uses dialog/whiptail frontend.
/{usr/,}bin/whiptail rPx, /{usr/,}bin/whiptail rPx,

6
apparmor.d/debsecan
View File

@ -25,11 +25,11 @@ profile debsecan @{exec_path} {
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r, /{usr/,}bin/ r,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
# Send results using email # Send results using email
/{usr/,}sbin/exim4 rPx, /{usr/,}sbin/exim4 rPx,
/etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r, /etc/apt/apt.conf r,

36
apparmor.d/debsign
View File

@ -20,28 +20,28 @@ profile debsign @{exec_path} {
#include <abstractions/base> #include <abstractions/base>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mktemp rix, /{usr/,}bin/mktemp rix,
/{usr/,}bin/basename rix, /{usr/,}bin/basename rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/mv rix, /{usr/,}bin/mv rix,
/{usr/,}bin/cat rix, /{usr/,}bin/cat rix,
/{usr/,}bin/cp rix, /{usr/,}bin/cp rix,
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/head rix, /{usr/,}bin/head rix,
/{usr/,}bin/cu rix, /{usr/,}bin/cu rix,
/{usr/,}bin/cut rix, /{usr/,}bin/cut rix,
/{usr/,}bin/stty rix, /{usr/,}bin/stty rix,
/{usr/,}bin/sed rix, /{usr/,}bin/sed rix,
/{usr/,}bin/getopt rix, /{usr/,}bin/getopt rix,
/{usr/,}bin/dirname rix, /{usr/,}bin/dirname rix,
/{usr/,}bin/cmp rix, /{usr/,}bin/cmp rix,
/{usr/,}bin/md5sum rix, /{usr/,}bin/md5sum rix,
/{usr/,}bin/sha{1,256,512}sum rix, /{usr/,}bin/sha{1,256,512}sum rix,
/{usr/,}bin/perl rix, /{usr/,}bin/perl rix,
/etc/devscripts.conf r, /etc/devscripts.conf r,
owner @{HOME}/.devscripts r, owner @{HOME}/.devscripts r,

7
apparmor.d/debsums
View File

@ -23,8 +23,8 @@ profile debsums @{exec_path} {
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix, /{usr/,}bin/gawk rix,
/etc/dpkg/dpkg.cfg.d/{,*} r, /etc/dpkg/dpkg.cfg.d/{,*} r,
/etc/dpkg/dpkg.cfg r, /etc/dpkg/dpkg.cfg r,
@ -37,6 +37,9 @@ profile debsums @{exec_path} {
/{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/dpkg-divert rPx -> child-dpkg-divert, /{usr/,}bin/dpkg-divert rPx -> child-dpkg-divert,
# For shell pwd
/ r,
# Scanning files # Scanning files
/{usr/,}bin/{,*} r, /{usr/,}bin/{,*} r,
/{usr/,}sbin/{,*} r, /{usr/,}sbin/{,*} r,

49
apparmor.d/debuild
View File

@ -1,49 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
#include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/debuild
profile debuild @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/dash rix,
/{usr/,}bin/bash rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/pwd rix,
/{usr/,}bin/tee rix,
/{usr/,}bin/dpkg-architecture rPx,
/{usr/,}bin/dpkg-buildpackage rPx,
/{usr/,}bin/debsign rPx,
/usr/share/lintian/bin/lintian rPx,
/{usr/,}bin/lintian rPx,
/etc/devscripts.conf r,
/etc/dpkg/origins/debian r,
# For package building
owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
#include if exists <local/debuild>
}

12
apparmor.d/deluser
View File

@ -29,15 +29,15 @@ profile deluser @{exec_path} {
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, /{usr/,}bin/perl r,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/userdel rPx, /{usr/,}sbin/userdel rPx,
/{usr/,}sbin/groupdel rPx, /{usr/,}sbin/groupdel rPx,
/{usr/,}bin/gpasswd rPx, /{usr/,}bin/gpasswd rPx,
/{usr/,}bin/crontab rPx, /{usr/,}bin/crontab rPx,
/{usr/,}bin/mount rCx -> mount, /{usr/,}bin/mount rCx -> mount,
/etc/adduser.conf r, /etc/adduser.conf r,
/etc/deluser.conf r, /etc/deluser.conf r,

114
apparmor.d/dh
View File

@ -1,114 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
#include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/dh
@{exec_path} += /{usr/,}bin/dh_*
profile dh @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/dh_* rix,
/{usr/,}bin/dash rix,
/{usr/,}bin/make rix,
/{usr/,}bin/find rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/dpkg-vendor rPx,
/usr/share/python/pyversions.py rCx -> python,
/usr/share/python3/py3versions.py rCx -> python,
/usr/share/dh-python/* rCx -> python,
# What to do with it? The "rules" file is just a make file and can use any tool. (#FIXME#)
owner @{BUILD_DIR}/**/debian/rules rcx -> debian-rules,
owner @{BUILD_DIR}/** rcx -> debian-rules,
owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
/etc/dpkg/origins/debian r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
owner @{HOME}/.config/dpkg/buildflags.conf r,
/usr/share/dpkg/* r,
profile debian-rules flags=(complain) {
#include <abstractions/base>
owner @{BUILD_DIR}/**/debian/rules rix,
owner @{BUILD_DIR}/** rix,
owner @{BUILD_DIR}/** rwkl -> /media/debuilder/*/**,
/{usr/,}bin/dash rix,
/{usr/,}bin/make rix,
# Don't strip env here
/{usr/,}bin/* rpux,
/usr/share/dpkg/* r,
/ r,
/usr/include/{,**} r,
# Key to sign the kernel and its modules
/etc/kernel_key/* r,
owner /tmp/cpiolist.* rw,
}
profile python flags=(complain) {
#include <abstractions/base>
#include <abstractions/python>
/usr/share/python/pyversions.py mr,
/usr/share/python3/py3versions.py mr,
/usr/share/dh-python/* mr,
/{usr/,}bin/python2.[0-9]* rix,
/{usr/,}bin/python3.[0-9]* rix,
/usr/share/python/ r,
/usr/share/python/debian_defaults r,
/usr/share/python3/ r,
/usr/share/python3/debian_defaults r,
/usr/share/dh-python/ r,
/usr/share/dh-python/** r,
/{usr/,}bin/which rix,
/{usr/,}bin/dash rix,
/{usr/,}bin/dpkg-architecture rPx,
/{usr/,}bin/git rPx,
owner /media/debuilder/** r,
owner /media/debuilder/**/.pybuild/ rw,
owner /media/debuilder/**/.pybuild/** rw,
owner @{PROC}/@{pid}/fd/ r,
}
#include if exists <local/dh>
}

15
apparmor.d/dhclient-script
View File

@ -25,16 +25,17 @@ profile dhclient-script @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dash mrix, /{usr/,}bin/{,ba,da}sh mrix,
/{usr/,}bin/ping rPx, /{usr/,}bin/ping rPx,
/{usr/,}bin/run-parts rCx -> run-parts, /{usr/,}bin/run-parts rCx -> run-parts,
# To remove the following error: # To remove the following error:
# /sbin/dhclient-script: 133: hostname: Permission denied # /sbin/dhclient-script: 133: hostname: Permission denied
/{usr/,}bin/hostname rPx, /{usr/,}bin/hostname rPx,
# To read scripts # To read scripts
/etc/dhcp/ r,
/etc/dhcp/dhclient-{enter,exit}-hooks.d/{,*} r, /etc/dhcp/dhclient-{enter,exit}-hooks.d/{,*} r,
# For debug script # For debug script
@ -43,9 +44,9 @@ profile dhclient-script @{exec_path} {
owner /tmp/dhclient-script.debug rw, owner /tmp/dhclient-script.debug rw,
# For ddclient script # For ddclient script
/{usr/,}sbin/ddclient rPx, /{usr/,}sbin/ddclient rPx,
/etc/default/ddclient r, /etc/default/ddclient r,
/{usr/,}bin/logger rix, /{usr/,}bin/logger rix,
# For samba script # For samba script
/{usr/,}bin/mv rix, /{usr/,}bin/mv rix,

18
apparmor.d/discord
View File

@ -49,7 +49,7 @@ profile discord @{exec_path} {
owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w, owner @{PROC}/@{pid}/uid_map w,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/xdg-open rCx -> open, /{usr/,}bin/xdg-open rCx -> open,
#/{usr/,}bin/lsb_release rCx -> lsb_release, #/{usr/,}bin/lsb_release rCx -> lsb_release,
@ -143,12 +143,12 @@ profile discord @{exec_path} {
/{usr/,}bin/xdg-mime mr, /{usr/,}bin/xdg-mime mr,
/{usr/,}bin/dash r, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix, /{usr/,}bin/gawk rix,
/{usr/,}bin/cut rix, /{usr/,}bin/cut rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/head rix, /{usr/,}bin/head rix,
/{usr/,}bin/sed rix, /{usr/,}bin/sed rix,
# file_inherit # file_inherit
/usr/share/discord/** r, /usr/share/discord/** r,
@ -193,6 +193,10 @@ profile discord @{exec_path} {
/{usr/,}bin/xdg-open mr, /{usr/,}bin/xdg-open mr,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPx, /{usr/,}lib/firefox/firefox rPx,

53
apparmor.d/dkms
View File

@ -19,34 +19,33 @@ profile dkms @{exec_path} {
#include <abstractions/consoles> #include <abstractions/consoles>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/bash r, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/head rix, /{usr/,}bin/head rix,
/{usr/,}bin/ls rix, /{usr/,}bin/ls rix,
/{usr/,}bin/uname rix, /{usr/,}bin/uname rix,
/{usr/,}bin/nproc rix, /{usr/,}bin/nproc rix,
/{usr/,}bin/mktemp rix, /{usr/,}bin/mktemp rix,
/{usr/,}bin/cut rix, /{usr/,}bin/cut rix,
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/sed rix, /{usr/,}bin/sed rix,
/{usr/,}bin/readlink rix, /{usr/,}bin/readlink rix,
/{usr/,}bin/diff rix, /{usr/,}bin/diff rix,
/{usr/,}bin/wc rix, /{usr/,}bin/wc rix,
/{usr/,}bin/rmdir rix, /{usr/,}bin/rmdir rix,
/{usr/,}bin/find rix, /{usr/,}bin/find rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/gawk rix, /{usr/,}bin/gawk rix,
/{usr/,}bin/cp rix, /{usr/,}bin/cp rix,
/{usr/,}bin/date rix, /{usr/,}bin/date rix,
/{usr/,}bin/ln rix, /{usr/,}bin/ln rix,
/{usr/,}bin/mkdir rix, /{usr/,}bin/mkdir rix,
/{usr/,}bin/mv rix, /{usr/,}bin/mv rix,
/{usr/,}bin/dash rix, /{usr/,}bin/cat rix,
/{usr/,}bin/cat rix, /{usr/,}bin/echo rix,
/{usr/,}bin/echo rix, /{usr/,}bin/pwd rix,
/{usr/,}bin/pwd rix, /{usr/,}bin/getconf rix,
/{usr/,}bin/getconf rix, /{usr/,}bin/xargs rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/make rix, /{usr/,}bin/make rix,
/{usr/,}bin/{,@{multiarch}-}* rix, /{usr/,}bin/{,@{multiarch}-}* rix,

15
apparmor.d/dkms-autoinstaller
View File

@ -19,15 +19,18 @@ profile dkms-autoinstaller @{exec_path} {
#include <abstractions/consoles> #include <abstractions/consoles>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/dash r, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/readlink rix, /{usr/,}bin/readlink rix,
/{usr/,}bin/tput rix, /{usr/,}bin/tput rix,
/{usr/,}sbin/dkms rPx, /{usr/,}sbin/dkms rPx,
/{usr/,}bin/run-parts rCx -> run-parts, /{usr/,}bin/run-parts rCx -> run-parts,
/{usr/,}bin/systemctl rPx -> child-systemctl, /{usr/,}bin/systemctl rPx -> child-systemctl,
# For shell pwd
/ r,
profile run-parts { profile run-parts {

2
apparmor.d/dlocate
View File

@ -20,7 +20,7 @@ profile dlocate @{exec_path} {
#include <abstractions/nameservice-strict> #include <abstractions/nameservice-strict>
@{exec_path} rix, @{exec_path} rix,
/{usr/,}bin/bash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/getopt rix, /{usr/,}bin/getopt rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,

10
apparmor.d/dpkg
View File

@ -34,7 +34,7 @@ profile dpkg @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/dpkg-query rPx, /{usr/,}bin/dpkg-query rPx,
@ -80,8 +80,12 @@ profile dpkg @{exec_path} {
/var/log/dpkg.log w, /var/log/dpkg.log w,
# For shell pwd
/root/ r,
# Basically, dpkg needs R/W permissions to the following files since it installs them. # Basically, dpkg needs R/W permissions to the following files since it installs them.
# It also needs the L permission when a package is reinstalled. # It also needs the L permission when a package is reinstalled.
/ r,
/usr/ r, /usr/ r,
/usr/** rwl -> /usr/**, /usr/** rwl -> /usr/**,
/lib/ r, /lib/ r,
@ -115,6 +119,7 @@ profile dpkg @{exec_path} {
#include <abstractions/base> #include <abstractions/base>
#include <abstractions/consoles> #include <abstractions/consoles>
/{usr/,}bin/ r,
/{usr/,}bin/pager mr, /{usr/,}bin/pager mr,
/{usr/,}bin/less mr, /{usr/,}bin/less mr,
/{usr/,}bin/more mr, /{usr/,}bin/more mr,
@ -125,6 +130,9 @@ profile dpkg @{exec_path} {
# Diff changed config files # Diff changed config files
/etc/** r, /etc/** r,
# For shell pwd
/root/ r,
} }
profile scripts { profile scripts {

117
apparmor.d/dpkg-buildpackage
View File

@ -1,117 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
#include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/dpkg-buildpackage
profile dpkg-buildpackage @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/dash rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/getconf rix,
/{usr/,}bin/fakeroot-sysv rix,
/{usr/,}bin/faked-sysv rix,
/{usr/,}bin/dh rPx,
/{usr/,}bin/dpkg-buildflags rPx,
/{usr/,}bin/dpkg-architecture rPx,
/{usr/,}bin/dpkg-genbuildinfo rPx,
/{usr/,}bin/dpkg-genchanges rPx,
/{usr/,}bin/dpkg-checkbuilddeps rPx,
/{usr/,}bin/dpkg-source rcx -> dpkg-source,
# What to do with it? The "rules" file is just a make file and can use any tool. (#FIXME#)
owner @{BUILD_DIR}/**/debian/rules rcx -> debian-rules,
owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
/etc/dpkg/origins/debian r,
profile dpkg-source flags=(complain) {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
#include <abstractions/perl>
/{usr/,}bin/dpkg-source mr,
/{usr/,}bin/perl r,
/{usr/,}bin/tar rix,
/{usr/,}bin/bunzip2 rix,
/{usr/,}bin/gunzip rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/patch rix,
/{usr/,}bin/diff rix,
/{usr/,}bin/gpg rix,
/{usr/,}bin/gpgv rix,
/{usr/,}bin/gpg-agent rix,
/etc/dpkg/origins/debian r,
owner /tmp/** rwkl -> /tmp/**,
owner @{run}/user/[0-9]*/gnupg/** w,
@{PROC}/@{pid}/fd/ r,
/usr/share/dpkg/tupletable r,
/usr/share/dpkg/cputable r,
owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
owner @{HOME}/** rwkl -> @{HOME}/**,
audit deny owner @{HOME}/.* mrwkl,
audit deny owner @{HOME}/.*/ rw,
audit deny owner @{HOME}/.*/** mrwkl,
}
profile debian-rules flags=(complain) {
#include <abstractions/base>
owner @{BUILD_DIR}/**/debian/rules rix,
owner @{BUILD_DIR}/** rix,
owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/*/**,
/{usr/,}bin/dash rix,
/{usr/,}bin/make rix,
# Don't strip env here
/{usr/,}bin/* rpux,
/usr/share/dpkg/* r,
/ r,
/usr/include/{,**} r,
# Key to sign the kernel and its modules
/etc/kernel_key/* r,
owner /tmp/cpiolist.* rw,
}
#include if exists <local/dpkg-buildpackage>
}

4
apparmor.d/dpkg-divert
View File

@ -24,5 +24,9 @@ profile dpkg-divert @{exec_path} {
/usr/share/*/**.dpkg-divert.tmp w, /usr/share/*/**.dpkg-divert.tmp w,
/var/lib/dpkg/diversions rw,
/var/lib/dpkg/diversions-new rw,
/var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions,
#include if exists <local/dpkg-divert> #include if exists <local/dpkg-divert>
} }

6
apparmor.d/dpkg-preconfigure
View File

@ -25,9 +25,9 @@ profile dpkg-preconfigure @{exec_path} {
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, /{usr/,}bin/perl r,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/locale rix, /{usr/,}bin/locale rix,
/{usr/,}bin/stty rix, /{usr/,}bin/stty rix,
/{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/apt-extracttemplates rPx, /{usr/,}bin/apt-extracttemplates rPx,

8
apparmor.d/dpkg-query
View File

@ -20,11 +20,11 @@ profile dpkg-query @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/pager rPx -> child-pager, /{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager, /{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager, /{usr/,}bin/more rPx -> child-pager,
/var/lib/dpkg/** r, /var/lib/dpkg/** r,

14
apparmor.d/dropbox
View File

@ -58,11 +58,11 @@ profile dropbox @{exec_path} {
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/*.so* mrw, owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/*.so* mrw,
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/plugins/platforms/*.so mrw, owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/plugins/platforms/*.so mrw,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/readlink rix, /{usr/,}bin/readlink rix,
/{usr/,}bin/dirname rix, /{usr/,}bin/dirname rix,
/{usr/,}bin/uname rix, /{usr/,}bin/uname rix,
/{usr/,}sbin/ldconfig rix, /{usr/,}sbin/ldconfig rix,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/{,@{multiarch}-}objdump rix, /{usr/,}bin/{,@{multiarch}-}objdump rix,
@ -135,6 +135,10 @@ profile dropbox @{exec_path} {
/{usr/,}bin/xdg-open mr, /{usr/,}bin/xdg-open mr,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, /{usr/,}lib/firefox/firefox rPUx,

2
apparmor.d/e2fsck
View File

@ -22,7 +22,7 @@ profile e2fsck @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# To check for badblocks # To check for badblocks
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/badblocks rPx, /{usr/,}sbin/badblocks rPx,
owner @{run}/blkid/blkid.tab{,-*} rw, owner @{run}/blkid/blkid.tab{,-*} rw,

2
apparmor.d/eject
View File

@ -22,7 +22,7 @@ profile eject @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}lib/eject/dmcrypt-get-device rPx, /{usr/,}lib/eject/dmcrypt-get-device rPx,

14
apparmor.d/engrampa
View File

@ -28,11 +28,11 @@ profile engrampa @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/ls rix, /{usr/,}bin/ls rix,
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/mv rix, /{usr/,}bin/mv rix,
/{usr/,}bin/cp rix, /{usr/,}bin/cp rix,
# Archivers # Archivers
/{usr/,}bin/7z rix, /{usr/,}bin/7z rix,
@ -96,6 +96,10 @@ profile engrampa @{exec_path} {
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/xdg-open mr, /{usr/,}bin/xdg-open mr,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}bin/engrampa rPx, /{usr/,}bin/engrampa rPx,
/{usr/,}bin/geany rPx, /{usr/,}bin/geany rPx,

10
apparmor.d/execute-dput
View File

@ -25,13 +25,13 @@ profile execute-dput @{exec_path} flags=(complain) {
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/gpgconf rCx -> gpg, /{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpg rCx -> gpg, /{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg, /{usr/,}bin/gpgsm rCx -> gpg,
/usr/share/dput/{,**} r, /usr/share/dput/{,**} r,

4
apparmor.d/f3fix
View File

@ -32,11 +32,11 @@ profile f3fix @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/dmidecode rPx, /{usr/,}sbin/dmidecode rPx,
/{usr/,}bin/udevadm rCx -> udevadm, /{usr/,}bin/udevadm rCx -> udevadm,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
@{PROC}/swaps r, @{PROC}/swaps r,

2
apparmor.d/fatresize
View File

@ -30,7 +30,7 @@ profile fatresize @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/dmidecode rPx, /{usr/,}sbin/dmidecode rPx,

2
apparmor.d/filezilla
View File

@ -28,7 +28,7 @@ profile filezilla @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix, /{usr/,}bin/uname rix,
# When using SFTP protocol # When using SFTP protocol

6
apparmor.d/firefox
View File

@ -51,7 +51,7 @@ profile firefox @{exec_path} {
owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w, owner @{PROC}/@{pid}/uid_map w,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
# Firefox files # Firefox files
@{MOZ_LIBDIR}/{,**} r, @{MOZ_LIBDIR}/{,**} r,
@ -191,6 +191,10 @@ profile firefox @{exec_path} {
/{usr/,}bin/exo-open mr, /{usr/,}bin/exo-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}bin/vlc rPx, /{usr/,}bin/vlc rPx,
/{usr/,}bin/qbittorrent rPx, /{usr/,}bin/qbittorrent rPx,

5
apparmor.d/flameshot
View File

@ -77,8 +77,11 @@ profile flameshot @{exec_path} {
/{usr/,}bin/xdg-open mr, /{usr/,}bin/xdg-open mr,
# Allowed apps to open owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,

9
apparmor.d/freetube
View File

@ -48,8 +48,8 @@ profile freetube @{exec_path} {
@{FT_LIBDIR}/ r, @{FT_LIBDIR}/ r,
@{FT_LIBDIR}/** r, @{FT_LIBDIR}/** r,
@{FT_LIBDIR}/libffmpeg.so mr, @{FT_LIBDIR}/libffmpeg.so mr,
@{FT_LIBDIR}/swiftshader/libGLESv2.so mr, @{FT_LIBDIR}/{swiftshader/,}libGLESv2.so mr,
@{FT_LIBDIR}/swiftshader/libEGL.so mr, @{FT_LIBDIR}/{swiftshader/,}libEGL.so mr,
@{FT_LIBDIR}/chrome-sandbox rPx, @{FT_LIBDIR}/chrome-sandbox rPx,
owner @{HOME}/ r, owner @{HOME}/ r,
@ -61,6 +61,7 @@ profile freetube @{exec_path} {
owner /tmp/.org.chromium.Chromium.*/ rw, owner /tmp/.org.chromium.Chromium.*/ rw,
owner /tmp/.org.chromium.Chromium.*/SingletonCookie w, owner /tmp/.org.chromium.Chromium.*/SingletonCookie w,
owner /tmp/.org.chromium.Chromium.*/SS w, owner /tmp/.org.chromium.Chromium.*/SS w,
owner /tmp/.org.chromium.Chromium.* w,
owner /tmp/net-export/ rw, owner /tmp/net-export/ rw,
/dev/shm/ r, /dev/shm/ r,
@ -123,6 +124,10 @@ profile freetube @{exec_path} {
/{usr/,}bin/xdg-open mr, /{usr/,}bin/xdg-open mr,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPx, /{usr/,}lib/firefox/firefox rPx,

15
apparmor.d/frontend
View File

@ -25,9 +25,9 @@ profile frontend @{exec_path} flags=(complain) {
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, /{usr/,}bin/perl r,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix, /{usr/,}bin/stty rix,
/{usr/,}bin/locale rix, /{usr/,}bin/locale rix,
# debconf apps # debconf apps
/{usr/,}bin/adequate rPx, /{usr/,}bin/adequate rPx,
@ -113,8 +113,15 @@ profile frontend @{exec_path} flags=(complain) {
/usr/share/** r, /usr/share/** r,
/usr/share/** rPUx, /usr/share/** rPUx,
/etc/ r,
/etc/** rw, /etc/** rw,
/var/cache/** rw, /var/ r,
/var/** rw,
@{sys}/ r,
@{sys}/**/ r,
@{run}/ r,
@{run}/** r,
/tmp/ r,
owner /tmp/** rw, owner /tmp/** rw,
} }

2
apparmor.d/fsck-btrfs
View File

@ -19,7 +19,7 @@ profile fsck-btrfs @{exec_path} {
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/etc/fstab r, /etc/fstab r,

6
apparmor.d/fzsftp
View File

@ -26,9 +26,9 @@ profile fzsftp @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dash mrix, /{usr/,}bin/{,ba,da}sh mrix,
/{usr/,}bin/ps rix, /{usr/,}bin/ps rix,
/{usr/,}bin/ls rix, /{usr/,}bin/ls rix,
@{PROC}/ r, @{PROC}/ r,
@{PROC}/uptime r, @{PROC}/uptime r,

14
apparmor.d/gajim
View File

@ -32,17 +32,17 @@ profile gajim @{exec_path} {
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/ r, /{usr/,}bin/ r,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix, /{usr/,}bin/uname rix,
/{usr/,}sbin/ldconfig rix, /{usr/,}sbin/ldconfig rix,
# To play sounds # To play sounds
/{usr/,}bin/aplay rCx -> audio, /{usr/,}bin/aplay rCx -> audio,
/{usr/,}bin/pacat rCx -> audio, /{usr/,}bin/pacat rCx -> audio,
# Needed for GPG/PGP support # Needed for GPG/PGP support
/{usr/,}bin/gpg rCx -> gpg, /{usr/,}bin/gpg rCx -> gpg,
# External apps # External apps
/{usr/,}bin/xdg-settings rPUx, /{usr/,}bin/xdg-settings rPUx,

6
apparmor.d/games-wesnoth-sh
View File

@ -19,13 +19,13 @@ profile games-wesnoth-sh @{exec_path} {
#include <abstractions/deny-root-dir-access> #include <abstractions/deny-root-dir-access>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/dash r, /{usr/,}bin/{,ba,da}sh rix,
/usr/games/wesnoth{,-[0-9]*} rPx, /usr/games/wesnoth{,-[0-9]*} rPx,
# For the editor # For the editor
/{usr/,}bin/basename rix, /{usr/,}bin/basename rix,
/{usr/,}bin/sed rix, /{usr/,}bin/sed rix,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,

19
apparmor.d/ganyremote
View File

@ -30,16 +30,15 @@ profile ganyremote @{exec_path} {
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r, /{usr/,}bin/ r,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/bash rix, /{usr/,}bin/rm rix,
/{usr/,}bin/rm rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/cut rix,
/{usr/,}bin/cut rix, /{usr/,}bin/id rix,
/{usr/,}bin/id rix, /{usr/,}bin/which rix,
/{usr/,}bin/which rix, /{usr/,}bin/tr rix,
/{usr/,}bin/tr rix, /{usr/,}bin/gawk rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/anyremote rPx, /{usr/,}bin/anyremote rPx,
/{usr/,}bin/ps rPx, /{usr/,}bin/ps rPx,

4
apparmor.d/git
View File

@ -44,7 +44,7 @@ profile git @{exec_path} {
/{usr/,}bin/envsubst rix, /{usr/,}bin/envsubst rix,
/{usr/,}bin/gettext rix, /{usr/,}bin/gettext rix,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/pager rPx -> child-pager, /{usr/,}bin/pager rPx -> child-pager,
@ -136,7 +136,7 @@ profile git @{exec_path} {
/{usr/,}bin/sensible-editor mr, /{usr/,}bin/sensible-editor mr,
/{usr/,}bin/vim.* mrix, /{usr/,}bin/vim.* mrix,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix, /{usr/,}bin/which rix,
owner @{HOME}/.selected_editor r, owner @{HOME}/.selected_editor r,

4
apparmor.d/google-chrome-chrome
View File

@ -186,6 +186,10 @@ profile google-chrome-chrome @{exec_path} {
/{usr/,}bin/xdg-open mr, /{usr/,}bin/xdg-open mr,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open # Allowed apps to open
# file_inherit # file_inherit

12
apparmor.d/google-chrome-google-chrome
View File

@ -24,13 +24,13 @@ profile google-chrome-google-chrome @{exec_path} {
#include <abstractions/deny-root-dir-access> #include <abstractions/deny-root-dir-access>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/bash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/readlink rix, /{usr/,}bin/readlink rix,
/{usr/,}bin/which rix, /{usr/,}bin/which rix,
/{usr/,}bin/dirname rix, /{usr/,}bin/dirname rix,
/{usr/,}bin/mkdir rix, /{usr/,}bin/mkdir rix,
/{usr/,}bin/cat rix, /{usr/,}bin/cat rix,
@{CHROME_INSTALLDIR}/chrome rPx, @{CHROME_INSTALLDIR}/chrome rPx,

14
apparmor.d/gparted
View File

@ -18,14 +18,14 @@ profile gparted @{exec_path} {
#include <abstractions/base> #include <abstractions/base>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/dash rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cut rix, /{usr/,}bin/cut rix,
/{usr/,}bin/id rix, /{usr/,}bin/id rix,
/{usr/,}bin/sed rix, /{usr/,}bin/sed rix,
/{usr/,}bin/mkdir rix, /{usr/,}bin/mkdir rix,
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}lib/udisks2/udisks2-inhibit rix, /{usr/,}lib/udisks2/udisks2-inhibit rix,
/usr/libexec/udisks2/udisks2-inhibit rix, /usr/libexec/udisks2/udisks2-inhibit rix,

Some files were not shown because too many files have changed in this diff Show More