update apparmor profiles

Mikhail Morfikov 2020-12-09 10:30:52 +01:00
parent f73da4a046
commit 503cf496bf
No known key found for this signature in database
GPG Key ID: 32D9CB634796CCA1
218 changed files with 1445 additions and 1502 deletions


@ -32,6 +32,9 @@
# only modify its comm value or those in its thread group.
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
@{PROC}/sys/kernel/cap_last_cap r,
@{PROC}/sys/vm/overcommit_memory r,
# detect hardware capabilities via qemu_getauxval
owner @{PROC}/*/auxv r,
# For hostdev access. The actual devices will be added dynamically
/sys/bus/usb/devices/ r,
@ -166,6 +169,11 @@
/usr/{lib,lib64}/qemu/*.so mr,
/usr/lib/@{multiarch}/qemu/*.so mr,
# let qemu load old shared objects after upgrades (LP: #1847361)
/{var/,}run/qemu/*/*.so mr,
# but explicitly deny writing to these files
audit deny /{var/,}run/qemu/*/*.so w,
# swtpm
/{usr/,}bin/swtpm rmix,
/usr/{lib,lib64}/libswtpm_libtpms.so mr,
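Review bot: `/{usr/,}bin/swtpm rmix,` at the end of the second hunk runs the TPM emulator inside the calling profile, so swtpm gets every rule the guest process has (its disk images, the `/{var/,}run/qemu/*/*.so` mappings just above) instead of the small set a TPM emulator needs. If swtpm is started as its own process here, a child profile (`/{usr/,}bin/swtpm rCx -> swtpm,` with only the TPM state directory and `libswtpm_libtpms.so`) or a dedicated `rPx` profile would keep the two confined separately; if the line is copied verbatim from upstream libvirt, a comment saying so would explain the choice. The `owner @{PROC}/*/auxv r,` rule in the first hunk is scoped by `owner`, so it only exposes auxv of same-uid processes, which matches the qemu_getauxval comment. The enclosing profile starts and ends outside the hunks.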


@ -38,7 +38,7 @@ profile adduser @{exec_path} {
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/find rix,
/{usr/,}bin/rm rix,
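Review bot: `/{usr/,}bin/{,ba,da}sh rix,` widens the inherit-exec set from dash alone to sh, bash and dash, and nothing in the hunk says why adduser needs more than the one shell it spawned before. Debian's adduser is a Perl script that shells out through `/bin/sh`, which AppArmor mediates on the resolved target rather than the symlink, so if the brace is there for systems where `/bin/sh` resolves to bash instead of dash, a one-line comment such as `# /bin/sh may resolve to dash or bash depending on the distribution` above the rule would record that and stop someone from tightening it back. If portability is not the reason, `/{usr/,}bin/{,da}sh rix,` keeps the previous surface. The enclosing profile starts and ends outside the hunk.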


@ -80,7 +80,7 @@ profile adequate @{exec_path} flags=(complain) {
/{usr/,}bin/adequate rPx,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/locale rix,


@ -61,7 +61,7 @@ profile amarok @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/amarokcollectionscanner rix,
/{usr/,}bin/kde4-config rix,


@ -32,6 +32,7 @@ profile android-studio @{exec_path} {
#include <abstractions/dri-enumerate>
#include <abstractions/mesa>
#include <abstractions/audio>
#include <abstractions/python>
#include <abstractions/deny-root-dir-access>
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
@ -47,7 +48,9 @@ profile android-studio @{exec_path} {
signal (send) set=(term, kill) peer=android-studio//lsb-release,
@{exec_path} r,
/{usr/,}bin/dash r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/which rix,
/{usr/,}bin/uname rix,
@ -91,6 +94,7 @@ profile android-studio @{exec_path} {
/media/*/ r,
/usr/ r,
/{usr/,}lib/ r,
/{usr/,}lib{x32,32,64}/ r,
@{AS_LIBDIR}/ rw,
@{AS_LIBDIR}/** mrwkix,
@ -120,13 +124,32 @@ profile android-studio @{exec_path} {
owner @{HOME}/AndroidStudio/DeviceExplorer/ rw,
owner @{HOME}/AndroidStudio/DeviceExplorer/** rw,
owner @{HOME}/Android/ rw,
owner @{HOME}/Android/** mrwkix,
owner "@{HOME}/.config/Android Open Source Project/" rw,
owner "@{HOME}/.config/Android Open Source Project/**" rwk,
owner @{HOME}/.config/Google/ rw,
owner @{HOME}/.config/Google/** rwk,
owner @{HOME}/.cache/ rw,
owner "@{HOME}/.cache/Android Open Source Project/" rw,
owner "@{HOME}/.cache/Android Open Source Project/**" rw,
owner @{HOME}/.cache/Google/ rw,
owner @{HOME}/.cache/Google/** rwk,
# To remove the following error:
# Location: /home/morfik/.cache/Google/AndroidStudio4.1/tmp
# java.io.IOException: Cannot run program
# "/home/morfik/.cache/Google/AndroidStudio4.1/tmp/ij659840309.tmp": error=13, Permission denied
owner @{HOME}/.cache/Google/AndroidStudio*/tmp/ij[0-9]*.tmp rwkix,
#
owner @{HOME}/.cache/Google/AndroidStudio*/tmp/jna[0-9]*.tmp mrwk,
owner @{HOME}/.cache/JNA/ rw,
owner @{HOME}/.cache/JNA/** rw,
owner @{HOME}/.gradle/ rw,
owner @{HOME}/.gradle/** mrwkix,
@ -135,8 +158,7 @@ profile android-studio @{exec_path} {
owner @{HOME}/.android/** rwkl -> @{HOME}/.android/**,
owner @{HOME}/.local/share/Google/ rw,
owner @{HOME}/.local/share/Google/consentOptions/ rw,
owner @{HOME}/.local/share/Google/consentOptions/accepted rw,
owner @{HOME}/.local/share/Google/** rw,
owner @{HOME}/.local/share/kotlin/ rw,
owner @{HOME}/.local/share/kotlin/** rw,
@ -214,6 +236,9 @@ profile android-studio @{exec_path} {
/{usr/,}bin/gpg mr,
owner @{HOME}/.gnupg/ rw,
owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
}
profile lsb-release {
@ -250,7 +275,11 @@ profile android-studio @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}bin/spacefm rPx,
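Review bot: `owner @{HOME}/.cache/Google/AndroidStudio*/tmp/ij[0-9]*.tmp rwkix,` in the fourth hunk grants write and inherit-execute on the same user-writable path, so anything running under this profile can drop a file there and execute it with the full profile; the error quoted in the comment shows the IDE really does run these files, but the rule deserves a comment saying that this is a deliberate w+ix trade-off, e.g. `# w+ix on one path: the IDE writes and runs these helpers itself; keep the pattern narrow`. The same hunk replaces the two specific `consentOptions` rules with `owner @{HOME}/.local/share/Google/** rw,`, which is broader than what the removed lines covered; if that is only to cut log noise, naming the extra paths seen in the log would be tighter than `**`. The `/{usr/,}bin/python3.[0-9]* r,` rule in the second hunk has no exec permission, so presumably python is only reached through another already-allowed path — worth a short comment if so. The enclosing profile starts and ends outside the hunks.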


@ -120,7 +120,7 @@ profile anki @{exec_path} {
/etc/mime.types r,
# SyncThread
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
/etc/ r,
/etc/debian_version r,
@ -185,6 +185,10 @@ profile anki @{exec_path} {
/{usr/,}bin/xdg-open mr,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,


@ -25,8 +25,7 @@ profile anyremote @{exec_path} {
@{exec_path} rm,
/{usr/,}bin/dash rix,
/{usr/,}bin/bash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/{,e}grep rix,


@ -72,7 +72,7 @@ profile apt @{exec_path} flags=(complain) {
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/test rix,
/{usr/,}bin/{,e}grep rix,
@ -110,6 +110,7 @@ profile apt @{exec_path} flags=(complain) {
owner @{PROC}/@{pid}/fd/ r,
/tmp/ r,
owner /tmp/apt.conf.* rw,
owner /tmp/apt.data.* rw,
owner /tmp/apt-dpkg-install-*/ rw,
@ -128,7 +129,7 @@ profile apt @{exec_path} flags=(complain) {
/{usr/,}bin/sensible-editor mr,
/{usr/,}bin/vim.* mrix,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
owner @{HOME}/.selected_editor r,


@ -34,6 +34,9 @@ profile apt-file @{exec_path} {
owner @{PROC}/@{pid}/fd/ r,
# For shell pwd
/root/ r,
# file_inherit
/var/log/cron-apt/temp w,


@ -71,7 +71,7 @@ profile apt-get @{exec_path} flags=(complain) {
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/test rix,
/{usr/,}bin/{,e}grep rix,
@ -114,6 +114,7 @@ profile apt-get @{exec_path} flags=(complain) {
owner @{PROC}/@{pid}/fd/ r,
/tmp/ r,
owner /tmp/apt-tmp-index.* rw,
owner /tmp/apt-dpkg-install-*/ rw,
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
@ -134,16 +135,21 @@ profile apt-get @{exec_path} flags=(complain) {
capability dac_read_search,
/{usr/,}bin/ r,
/{usr/,}bin/sensible-pager mr,
/{usr/,}bin/dash r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
/{usr/,}bin/less rix,
owner @{HOME}/.less* rw,
owner /tmp/apt-changelog-*/ r,
owner /tmp/apt-changelog-*/*.changelog r,
# For shell pwd
/root/ r,
}
profile dpkg-source flags=(complain) {


@ -20,7 +20,7 @@ profile apt-key @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/cp rix,
@ -46,10 +46,15 @@ profile apt-key @{exec_path} {
/{usr/,}bin/dpkg-query rPx,
/{usr/,}bin/apt-config rPx,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/trusted.gpg r,
/etc/apt/trusted.gpg.d/{,*.gpg} r,
/tmp/ r,
owner /tmp/apt-key-gpghome.*/{,**} rw,
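Review bot: `owner /tmp/apt-key-gpghome.*/{,**} rw,` on the last line gives gpg's temporary home only `rw`, whereas the apt-methods-gpgv profile in this same commit grants `rwkl -> /tmp/apt-key-gpghome.*/**` for the same directory; if gpg takes its usual dotlock-style locks there (which use link()), I would expect denials under apt-key. Aligning the two, `owner /tmp/apt-key-gpghome.*/ rw,` plus `owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,`, keeps the profiles consistent. The keyrings are read-only here (`/etc/apt/trusted.gpg r,`, `/etc/apt/trusted.gpg.d/{,*.gpg} r,`), so `apt-key add`/`del` cannot modify them under this profile; if that is intended now that adding keys via apt-key is deprecated, a comment such as `# read-only on purpose: apt-key add/del are not supported under this profile` makes the choice explicit instead of looking like an omission. The enclosing profile starts and ends outside the hunks.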


@ -26,7 +26,7 @@ profile apt-listbugs @{exec_path} {
@{exec_path} r,
/{usr/,}bin/ruby2.[0-9]* rix,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/logname rix,
/{usr/,}bin/apt-config rPx,


@ -16,6 +16,7 @@
@{exec_path} = /usr/libexec/apt-listbugs/aptcleanup
profile apt-listbugs-aptcleanup @{exec_path} {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/ruby>
@{exec_path} r,


@ -16,6 +16,7 @@
@{exec_path} = /usr/libexec/apt-listbugs/migratepins
profile apt-listbugs-migratepins @{exec_path} {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/ruby>
@{exec_path} r,


@ -16,6 +16,7 @@
@{exec_path} = /usr/libexec/apt-listbugs/prefclean
profile apt-listbugs-prefclean @{exec_path} {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/ruby>
@{exec_path} r,
@ -27,6 +28,8 @@ profile apt-listbugs-prefclean @{exec_path} {
/{usr/,}bin/rm rix,
/{usr/,}bin/cp rix,
/ r,
owner /var/spool/apt-listbugs/lastprefclean rw,
#include if exists <local/apt-listbugs-prefclean>


@ -26,7 +26,7 @@ profile apt-listchanges @{exec_path} {
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/hostname rPx,
@ -38,6 +38,10 @@ profile apt-listchanges @{exec_path} {
/usr/share/apt-listchanges/{,**} r,
/etc/apt/listchanges.conf r,
/etc/apt/listchanges.conf.d/{,*} r,
/etc/apt/apt.conf r,
/etc/apt/apt.conf.d/{,*} r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
@ -47,8 +51,11 @@ profile apt-listchanges @{exec_path} {
/var/lib/apt/listchanges{,-new}.db rw,
/var/lib/apt/listchanges-old.db rwl -> /var/lib/apt/listchanges.db,
/var/cache/apt/archives/ r,
owner @{PROC}/@{pid}/fd/ r,
/tmp/ r,
owner /tmp/* rw,
owner /tmp/apt-listchanges*/ rw,
owner /tmp/apt-listchanges*/**/ rw,
@ -79,12 +86,17 @@ profile apt-listchanges @{exec_path} {
/{usr/,}bin/sensible-pager mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
/{usr/,}bin/less rix,
owner @{HOME}/.less* rw,
# For shell pwd
/root/ r,
/tmp/ r,
owner /tmp/apt-listchanges-tmp*.txt r,
}
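Review bot: `owner /tmp/* rw,` in the third hunk lets apt-listchanges read and write every top-level `/tmp` entry owned by the calling user — typically root, since it runs as an apt hook — and it makes the narrower `owner /tmp/apt-listchanges*/` rules right beneath it redundant. The pager child profile at the end of the section names the actual file, `owner /tmp/apt-listchanges-tmp*.txt r,`, so the parent can most likely be narrowed to `owner /tmp/apt-listchanges-tmp*.txt rw,` next to the existing directory rules; if the wildcard was added for some other temp file seen in the logs, naming that file is better than `/tmp/*`. The enclosing profile's body starts outside the hunks.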


@ -38,6 +38,11 @@ profile apt-methods-cdrom @{exec_path} {
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,


@ -38,6 +38,11 @@ profile apt-methods-copy @{exec_path} {
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,


@ -38,6 +38,11 @@ profile apt-methods-file @{exec_path} {
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,


@ -38,6 +38,11 @@ profile apt-methods-ftp @{exec_path} {
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,


@ -55,6 +55,11 @@ profile apt-methods-gpgv @{exec_path} {
/{usr/,}bin/sort rix,
/{usr/,}bin/touch rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/dpkg/dpkg.cfg.d/{,*} r,
/etc/dpkg/dpkg.cfg r,
@ -64,6 +69,7 @@ profile apt-methods-gpgv @{exec_path} {
/etc/apt/trusted.gpg.d/{,*.gpg} r,
/etc/apt/trusted.gpg r,
/tmp/ r,
owner /tmp/apt-key-gpghome.*/ rw,
owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
owner /tmp/apt.{conf,sig,data}.* rw,
@ -79,8 +85,6 @@ profile apt-methods-gpgv @{exec_path} {
@{PROC}/@{pid}/fd/ r,
/ r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,


@ -39,8 +39,12 @@ profile apt-methods-http @{exec_path} {
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
/etc/apt/auth.conf.d/{,*} r,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/auth.conf.d/{,*} r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
@ -55,6 +59,7 @@ profile apt-methods-http @{exec_path} {
/var/cache/apt/** rwk,
# For the aptitude interactive mode
/tmp/ r,
owner /tmp/aptitude-root.*/aptitude-download-* rw,
owner /tmp/apt-changelog-*/*.changelog rw,
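Review bot: The `# For shell pwd` block (`/ r,`, `/etc/ r,`, `/root/ r,`) hands the network-facing http method — a compiled apt binary, not a shell script — directory listing of `/root/`, and the same three lines are added to every apt-methods-* profile in the commit without saying what in the method opens its working directory. If they only silence denials for an inherited cwd, `deny /root/ r,` would quiet the log without giving the process that parses untrusted server responses a look at root's home; if the method really does read its cwd, the comment should name the trigger rather than repeat the shell-oriented wording. The `/etc/apt/auth.conf.d/{,*} r,` line is only moved, not changed. The enclosing profile starts and ends outside the hunks.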


@ -38,6 +38,11 @@ profile apt-methods-mirror @{exec_path} {
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,


@ -38,6 +38,11 @@ profile apt-methods-rred @{exec_path} {
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,


@ -38,6 +38,11 @@ profile apt-methods-rsh @{exec_path} {
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,


@ -38,6 +38,11 @@ profile apt-methods-store @{exec_path} {
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
@ -50,6 +55,7 @@ profile apt-methods-store @{exec_path} {
/usr/share/doc/*/changelog.* r,
/tmp/ r,
owner /tmp/apt-changelog-*/*.changelog{,.*} rw,
# For package building


@ -73,7 +73,7 @@ profile aptitude @{exec_path} flags=(complain) {
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/test rix,
/{usr/,}bin/{,e}grep rix,
@ -127,6 +127,7 @@ profile aptitude @{exec_path} flags=(complain) {
owner @{PROC}/@{pid}/fd/ r,
/tmp/ r,
owner /tmp/aptitude-*.@{pid}:*/ rw,
owner /tmp/aptitude-*.@{pid}:*/{pkgstates,control}* rw,
/tmp/aptitude-*.@{pid}:*/pkgstates* r,
@ -172,8 +173,9 @@ profile aptitude @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
/{usr/,}bin/ r,
/{usr/,}bin/sensible-pager mr,
/{usr/,}bin/dash r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
/{usr/,}bin/less rix,
@ -182,6 +184,9 @@ profile aptitude @{exec_path} flags=(complain) {
owner /tmp/aptitude-*.@{pid}:*/aptitude-download-* rw,
# For shell pwd
/root/ r,
}
#include if exists <local/aptitude>


@ -20,7 +20,7 @@ profile aptitude-create-state-bundle @{exec_path} {
#include <abstractions/nameservice-strict>
@{exec_path} r,
/{usr/,}bin/bash r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
/{usr/,}bin/tar rix,


@ -21,7 +21,7 @@ profile aptitude-run-state-bundle @{exec_path} {
#include <abstractions/user-download-strict>
@{exec_path} r,
/{usr/,}bin/bash r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/bzip2 rix,


@ -48,7 +48,7 @@ profile atom @{exec_path} {
deny /{usr/,}local/bin/ r,
deny /{usr/,}bin/ r,
#/{usr/,}bin/bash rix,
#/{usr/,}bin/{,ba,da}sh rix,
#/{usr/,}bin/zsh rix,
#/{usr/,}bin/env rix,
#/{usr/,}bin/rmdir rix,
@ -71,9 +71,6 @@ profile atom @{exec_path} {
/{usr/,}bin/mkdir rix,
/{usr/,}bin/nohup rix,
/{usr/,}bin/cat rix,
# The dash shell is needed to install packages. If you don't want to install any, coment the
# following line out.
#/{usr/,}bin/dash rix,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
@ -194,6 +191,10 @@ profile atom @{exec_path} {
/{usr/,}bin/xdg-open mr,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,


@ -21,7 +21,7 @@ profile ping /{usr/,}bin/{,iputils-}ping {
network inet raw,
network inet6 raw,
/{,usr/}bin/{,iputils-}ping mixr,
/{usr/,}bin/{,iputils-}ping mixr,
/etc/modules.conf r,
# Site-specific additions and overrides. See local/README for details.


@ -83,6 +83,10 @@ profile birdtray @{exec_path} {
/{usr/,}bin/xdg-open mr,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,


@ -209,8 +209,11 @@ profile brave @{exec_path} {
/{usr/,}bin/xdg-open mr,
# Allowed apps to open
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -24,13 +24,13 @@ profile brave-browser @{exec_path} {
#include <abstractions/deny-root-dir-access>
@{exec_path} r,
/{usr/,}bin/bash r,
/{usr/,}bin/{,ba,da}sh rix,
/usr/bin/readlink rix,
/usr/bin/dirname rix,
/usr/bin/which rix,
/usr/bin/mkdir rix,
/usr/bin/cat rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/which rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/cat rix,
@{BRAVE_INSTALLDIR}/brave rPx,


@ -63,7 +63,7 @@ profile calibre @{exec_path} {
#/{usr/,}bin/ r,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/ldconfig rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/file rix,
@ -183,7 +183,11 @@ profile calibre @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,


@ -28,7 +28,7 @@ profile cawbird @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/exo-open rCx -> open,
@ -76,6 +76,10 @@ profile cawbird @{exec_path} {
/{usr/,}bin/xdg-open mr,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,


@ -23,7 +23,7 @@ profile check-bios-nx @{exec_path} {
capability dac_override,
@{exec_path} r,
/{usr/,}bin/dash r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/{,e}grep rix,


@ -19,10 +19,11 @@ profile check-support-status @{exec_path} flags=(complain) {
#include <abstractions/consoles>
@{exec_path} rix,
/{usr/,}bin/dash r,
/{usr/,}bin/{,ba,da}sh rix,
/etc/debian_version r,
/{usr/,}bin/ r,
/{usr/,}bin/gettext.sh r,
/{usr/,}bin/cat rix,
/{usr/,}bin/{,e}grep rix,
@ -57,9 +58,11 @@ profile check-support-status @{exec_path} flags=(complain) {
owner /tmp/debian-security-support.*/{,**} rw,
/tmp/debian-security-support.postinst.*/output w,
/var/lib/debian-security-support/ r,
owner /var/lib/debian-security-support/security-support.semaphore rw,
owner /var/lib/debian-security-support/tmp.* rw,
/usr/share/debian-security-support/ r,
/usr/share/debian-security-support/* r,


@ -20,8 +20,9 @@ profile check-support-status-hook @{exec_path} flags=(complain) {
#include <abstractions/nameservice-strict>
@{exec_path} r,
/{usr/,}bin/dash r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/ r,
/{usr/,}bin/getent rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/chown rix,
@ -40,9 +41,17 @@ profile check-support-status-hook @{exec_path} flags=(complain) {
/usr/share/debconf/confmodule r,
# For shell pwd
/ r,
/root/ r,
/tmp/ r,
owner /tmp/debian-security-support.postinst.*/ rw,
owner /tmp/debian-security-support.postinst.*/output rw,
/var/lib/ r,
/var/lib/debian-security-support/ r,
profile debconf-escape flags=(complain) {
#include <abstractions/base>
@ -52,6 +61,7 @@ profile check-support-status-hook @{exec_path} flags=(complain) {
/{usr/,}bin/debconf-escape r,
/{usr/,}bin/perl r,
/tmp/ r,
owner /tmp/debian-security-support.postinst.*/output r,
}
@ -65,9 +75,10 @@ profile check-support-status-hook @{exec_path} flags=(complain) {
/usr/share/debconf/frontend r,
/{usr/,}bin/perl r,
/usr/share/debian-security-support/ r,
/usr/share/debian-security-support/check-support-status.hook rPx,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/locale rix,
@ -106,7 +117,7 @@ profile check-support-status-hook @{exec_path} flags=(complain) {
/{usr/,}sbin/runuser mr,
/{usr/,}bin/bash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/check-support-status rPx,
@ -115,6 +126,7 @@ profile check-support-status-hook @{exec_path} flags=(complain) {
/etc/security/limits.d/ r,
/tmp/ r,
owner /tmp/debian-security-support.postinst.*/output w,
}


@ -38,8 +38,7 @@ profile child-lsb_release {
# /etc/lsb-release r,
# /etc/lsb-release.d/ r,
# /{usr/,}bin/bash ixr,
# /{usr/,}bin/dash ixr,
# /{usr/,}bin/{,ba,da}sh rix,
# /{usr/,}bin/basename ixr,
# /{usr/,}bin/getopt ixr,


@ -26,11 +26,15 @@ profile child-pager {
signal (receive) set=(stop, cont, term, kill),
/{usr/,}bin/ r,
/{usr/,}bin/pager mr,
/{usr/,}bin/less mr,
/{usr/,}bin/more mr,
owner @{HOME}/.lesshs* rw,
# For shell pwd
/root/ r,
#include if exists <local/child-pager>
}
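Review bot: `/{usr/,}bin/less mr,` and `/{usr/,}bin/more mr,` are added with no shell rule beside them, which is the right shape — less's `!` and `|` commands and any `LESSOPEN` preprocessor would otherwise get a shell with the caller's rights — but the profile should say so before someone resolves the resulting denial by adding `/{usr/,}bin/{,ba,da}sh rix,`. A line such as `# no shell on purpose: less's ! and | commands (and LESSOPEN) must stay denied` above the pager rules would do. `owner @{HOME}/.lesshs* rw,` presumably targets `.lesshst`; if the glob exists for a temporary file less writes alongside it, a comment naming that file is clearer than a pattern that also matches anything else starting with `.lesshs`. The enclosing profile starts outside the hunk.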


@ -27,7 +27,7 @@ profile chromium @{exec_path} {
@{CHROMIUM_INSTALLDIR}/chromium rPx,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/expr rix,


@ -190,7 +190,11 @@ profile chromium-chromium @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}bin/smplayer rPx,


@ -30,7 +30,7 @@ profile claws-mail @{exec_path} flags=(complain) {
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
/{usr/,}bin/gpg rCx -> gpg,


@ -44,9 +44,8 @@ profile code @{exec_path} {
# The bash shell is needed only when you want to start code via bin/code. Also the shells are
# needed if you plan to operate on the built in terminal. If you don't need the built in terminal
# and want to use the linux one, the following three lines can be commented out.
# /{usr/,}bin/bash rix,
#/{usr/,}bin/{,ba,da}sh rix,
# /{usr/,}bin/zsh rix,
# /{usr/,}bin/dash rix,
#/{usr/,}bin/dirname rix,
#/{usr/,}bin/{,e}grep rix,


@ -28,8 +28,7 @@ profile conky @{exec_path} {
@{exec_path} mr,
# Needed tools to render conky output
/{usr/,}bin/dash rix,
/{usr/,}bin/bash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
@ -154,7 +153,7 @@ profile conky @{exec_path} {
/{usr/,}bin/lynx mr,
/{usr/,}bin/w3m mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/etc/mime.types r,
/etc/mailcap r,


@ -29,7 +29,7 @@ profile convertall @{exec_path} {
#include <abstractions/deny-root-dir-access>
@{exec_path} r,
/{usr/,}bin/dash r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/python3.[0-9]* rix,


@ -26,7 +26,7 @@ profile cpupower @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/kmod rCx -> kmod,
/{usr/,}bin/man rPx,


@ -28,7 +28,7 @@ profile cron @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/nice rix,
/{usr/,}bin/ionice rix,
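Review bot: `/{usr/,}bin/{,ba,da}sh rix,` means every job cron launches — system and user crontabs alike — keeps running under the cron profile, and the widening from dash to sh/bash/dash now also covers crontabs whose `SHELL=` selects bash. Because `ix` never leaves this profile, a job is bounded only by cron's own rules, which therefore have to be broad enough for anything a crontab may do; if the goal is to confine cron itself rather than its jobs, a transition such as `/{usr/,}bin/{,ba,da}sh rPx -> cron-job,` with a dedicated job profile keeps cron's own surface small. At minimum a comment above this line, e.g. `# cron jobs inherit this profile: every rule and capability here applies to them too`, records the consequence for whoever adds the next rule. The enclosing profile starts and ends outside the hunk.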


@ -23,7 +23,7 @@ profile cron-apt @{exec_path} {
@{exec_path} r,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/dotlockfile rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/mktemp rix,
@ -61,10 +61,13 @@ profile cron-apt @{exec_path} {
/etc/cron-apt/refrain r,
/etc/cron-apt/action.d/[0-9]-* r,
/var/lib/cron-apt/{,**/} w,
/var/lib/cron-apt/.lk@{pid}* rw,
/var/lib/cron-apt/lockfile rwl -> /var/lib/cron-apt/.lk@{pid}*,
/var/lib/cron-apt/_-_etc_-_cron-apt_-_config/mailchanges/[0-9]-*-[0-9a-f]* rw,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/var/lib/cron-apt/ rw,
/var/lib/cron-apt/** rwl -> /var/lib/cron-apt/**,
# Logs
/var/log/cron-apt/ r,
@ -77,6 +80,7 @@ profile cron-apt @{exec_path} {
/{usr/,}lib/locale/locale-archive r,
# TMP
/tmp/ r,
owner /tmp/cron-apt.*/ rw,
owner /tmp/cron-apt.*/difftemp rw,
owner /tmp/cron-apt.*/lockfile rw,


@ -18,7 +18,7 @@ profile cron-apt-listbugs @{exec_path} {
#include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/dash r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean rCx -> prefclean,
@ -30,7 +30,7 @@ profile cron-apt-listbugs @{exec_path} {
/{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean mr,
/{usr/,}bin/dash r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/cp rix,


@ -18,9 +18,12 @@ profile cron-apt-show-versions @{exec_path} {
#include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/dash r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/apt-show-versions rPx,
# For shell pwd
/ r,
#include if exists <local/cron-apt-show-versions>
}


@ -18,7 +18,7 @@ profile cron-apt-xapian-index @{exec_path} {
#include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/dash r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
/{usr/,}bin/{,e}grep rix,
@ -26,8 +26,12 @@ profile cron-apt-xapian-index @{exec_path} {
/{usr/,}bin/nice rix,
/{usr/,}bin/ionice rix,
/{usr/,}sbin/ r,
/{usr/,}sbin/update-apt-xapian-index rPx,
/{usr/,}sbin/on_ac_power rPx,
# For shell pwd
/ r,
#include if exists <local/cron-apt-xapian-index>
}


@ -18,7 +18,7 @@ profile cron-aptitude @{exec_path} {
#include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/dash r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/date rix,


@ -19,7 +19,7 @@ profile cron-debsums @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/true rix,
/{usr/,}bin/logger rix,
/{usr/,}bin/sed rix,
@ -30,9 +30,13 @@ profile cron-debsums @{exec_path} {
/{usr/,}bin/debsums rPx,
/{usr/,}bin/tee rCx -> tee,
/etc/ r,
/etc/default/debsums r,
/etc/debsums-ignore r,
# For shell pwd
/ r,
profile tee {
#include <abstractions/base>


@ -18,7 +18,7 @@ profile cron-dlocate @{exec_path} {
#include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/update-dlocatedb rPx,


@ -19,8 +19,7 @@ profile cron-ipset-autoban-save @{exec_path} {
#include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/bash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/ipset rix,


@ -18,11 +18,14 @@ profile cron-logrotate @{exec_path} {
#include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/logrotate rPx,
/{usr/,}bin/logger rix,
# For shell pwd
/ r,
#include if exists <local/cron-logrotate>
}


@ -19,7 +19,7 @@ profile cron-mlocate @{exec_path} {
#include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/bash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
/{usr/,}bin/true rix,


@ -18,7 +18,7 @@ profile cron-popularity-contest @{exec_path} {
#include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/popularity-contest rPx,
@ -41,10 +41,16 @@ profile cron-popularity-contest @{exec_path} {
/{usr/,}sbin/runuser rCx -> runuser,
/{usr/,}bin/savelog rCx -> savelog,
/usr/share/popularity-contest/ r,
/usr/share/popularity-contest/default.conf r,
/etc/popularity-contest.conf r,
# For shell pwd
/ r,
/root/ r,
/var/log/ r,
/var/log/popularity-contest{,.new} rw,
/var/log/popularity-contest{,.new}.gpg rw,
@ -73,7 +79,7 @@ profile cron-popularity-contest @{exec_path} {
/{usr/,}bin/touch rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/dash r,
/{usr/,}bin/{,ba,da}sh rix,
/var/log/ r,
/var/log/popularity-contest.[0-9]*.gz rw,
@ -93,7 +99,7 @@ profile cron-popularity-contest @{exec_path} {
/{usr/,}sbin/runuser mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/popularity-contest rPx,


@ -24,7 +24,7 @@ profile crontab @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
# When editing the crontab file
/{usr/,}bin/sensible-editor rCx -> editor,
@ -45,7 +45,7 @@ profile crontab @{exec_path} {
/{usr/,}bin/sensible-editor mr,
/{usr/,}bin/vim.* mrix,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
owner @{HOME}/.selected_editor r,


@ -24,7 +24,7 @@ profile ddclient @{exec_path} {
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/logger rix,
/etc/ddclient.conf r,


@ -39,7 +39,7 @@ profile debconf-apt-progress @{exec_path} flags=(complain) {
/{usr/,}bin/debconf-apt-progress rPx,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/locale rix,


@ -26,7 +26,7 @@ profile debsecan @{exec_path} {
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
# Send results using email
/{usr/,}sbin/exim4 rPx,


@ -20,7 +20,7 @@ profile debsign @{exec_path} {
#include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/basename rix,


@ -23,7 +23,7 @@ profile debsums @{exec_path} {
@{exec_path} r,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/etc/dpkg/dpkg.cfg.d/{,*} r,
@ -37,6 +37,9 @@ profile debsums @{exec_path} {
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/dpkg-divert rPx -> child-dpkg-divert,
# For shell pwd
/ r,
# Scanning files
/{usr/,}bin/{,*} r,
/{usr/,}sbin/{,*} r,


@ -1,49 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
#include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/debuild
profile debuild @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/dash rix,
/{usr/,}bin/bash rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/pwd rix,
/{usr/,}bin/tee rix,
/{usr/,}bin/dpkg-architecture rPx,
/{usr/,}bin/dpkg-buildpackage rPx,
/{usr/,}bin/debsign rPx,
/usr/share/lintian/bin/lintian rPx,
/{usr/,}bin/lintian rPx,
/etc/devscripts.conf r,
/etc/dpkg/origins/debian r,
# For package building
owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
#include if exists <local/debuild>
}


@ -29,7 +29,7 @@ profile deluser @{exec_path} {
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/userdel rPx,
/{usr/,}sbin/groupdel rPx,


@ -1,114 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
#include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/dh
@{exec_path} += /{usr/,}bin/dh_*
profile dh @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/dh_* rix,
/{usr/,}bin/dash rix,
/{usr/,}bin/make rix,
/{usr/,}bin/find rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/dpkg-vendor rPx,
/usr/share/python/pyversions.py rCx -> python,
/usr/share/python3/py3versions.py rCx -> python,
/usr/share/dh-python/* rCx -> python,
# What to do with it? The "rules" file is just a make file and can use any tool. (#FIXME#)
owner @{BUILD_DIR}/**/debian/rules rcx -> debian-rules,
owner @{BUILD_DIR}/** rcx -> debian-rules,
owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
/etc/dpkg/origins/debian r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
owner @{HOME}/.config/dpkg/buildflags.conf r,
/usr/share/dpkg/* r,
profile debian-rules flags=(complain) {
#include <abstractions/base>
owner @{BUILD_DIR}/**/debian/rules rix,
owner @{BUILD_DIR}/** rix,
owner @{BUILD_DIR}/** rwkl -> /media/debuilder/*/**,
/{usr/,}bin/dash rix,
/{usr/,}bin/make rix,
# Don't strip env here
/{usr/,}bin/* rpux,
/usr/share/dpkg/* r,
/ r,
/usr/include/{,**} r,
# Key to sign the kernel and its modules
/etc/kernel_key/* r,
owner /tmp/cpiolist.* rw,
}
profile python flags=(complain) {
#include <abstractions/base>
#include <abstractions/python>
/usr/share/python/pyversions.py mr,
/usr/share/python3/py3versions.py mr,
/usr/share/dh-python/* mr,
/{usr/,}bin/python2.[0-9]* rix,
/{usr/,}bin/python3.[0-9]* rix,
/usr/share/python/ r,
/usr/share/python/debian_defaults r,
/usr/share/python3/ r,
/usr/share/python3/debian_defaults r,
/usr/share/dh-python/ r,
/usr/share/dh-python/** r,
/{usr/,}bin/which rix,
/{usr/,}bin/dash rix,
/{usr/,}bin/dpkg-architecture rPx,
/{usr/,}bin/git rPx,
owner /media/debuilder/** r,
owner /media/debuilder/**/.pybuild/ rw,
owner /media/debuilder/**/.pybuild/** rw,
owner @{PROC}/@{pid}/fd/ r,
}
#include if exists <local/dh>
}


@ -25,7 +25,7 @@ profile dhclient-script @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dash mrix,
/{usr/,}bin/{,ba,da}sh mrix,
/{usr/,}bin/ping rPx,
/{usr/,}bin/run-parts rCx -> run-parts,
@ -35,6 +35,7 @@ profile dhclient-script @{exec_path} {
/{usr/,}bin/hostname rPx,
# To read scripts
/etc/dhcp/ r,
/etc/dhcp/dhclient-{enter,exit}-hooks.d/{,*} r,
# For debug script
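Review bot: `/{usr/,}bin/{,ba,da}sh mrix,` carries an `m` that an exec transition does not need — `ix` already covers mapping the shell that is executed — so the `m` only matters if dhclient-script itself mmaps the shell binary, which nothing here suggests; `/{usr/,}bin/{,ba,da}sh rix,` is the form every other profile in this commit uses. The new `/etc/dhcp/dhclient-{enter,exit}-hooks.d/{,*} r,` is the right permission for files that are sourced rather than executed, but since these hooks run as root with, as far as I recall, the DHCP-supplied option values exported into the environment by dhclient, a comment that the read-only `r` on that directory (no `w`, no `l`) is intentional would keep it from being loosened later. The enclosing profile starts and ends outside the hunks.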


@ -49,7 +49,7 @@ profile discord @{exec_path} {
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/xdg-open rCx -> open,
#/{usr/,}bin/lsb_release rCx -> lsb_release,
@ -143,7 +143,7 @@ profile discord @{exec_path} {
/{usr/,}bin/xdg-mime mr,
/{usr/,}bin/dash r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/{,e}grep rix,
@ -193,6 +193,10 @@ profile discord @{exec_path} {
/{usr/,}bin/xdg-open mr,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,


@ -19,7 +19,7 @@ profile dkms @{exec_path} {
#include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/bash r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/head rix,
/{usr/,}bin/ls rix,
@ -41,7 +41,6 @@ profile dkms @{exec_path} {
/{usr/,}bin/ln rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/dash rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/echo rix,
/{usr/,}bin/pwd rix,


@ -19,7 +19,7 @@ profile dkms-autoinstaller @{exec_path} {
#include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/dash r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/tput rix,
@ -29,6 +29,9 @@ profile dkms-autoinstaller @{exec_path} {
/{usr/,}bin/run-parts rCx -> run-parts,
/{usr/,}bin/systemctl rPx -> child-systemctl,
# For shell pwd
/ r,
profile run-parts {
#include <abstractions/base>


@ -20,7 +20,7 @@ profile dlocate @{exec_path} {
#include <abstractions/nameservice-strict>
@{exec_path} rix,
/{usr/,}bin/bash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/{,e}grep rix,


@ -34,7 +34,7 @@ profile dpkg @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/dpkg-query rPx,
@ -80,8 +80,12 @@ profile dpkg @{exec_path} {
/var/log/dpkg.log w,
# For shell pwd
/root/ r,
# Basically, dpkg needs R/W permissions to the following files since it installs them.
# It also needs the L permission when a package is reinstalled.
/ r,
/usr/ r,
/usr/** rwl -> /usr/**,
/lib/ r,
@ -115,6 +119,7 @@ profile dpkg @{exec_path} {
#include <abstractions/base>
#include <abstractions/consoles>
/{usr/,}bin/ r,
/{usr/,}bin/pager mr,
/{usr/,}bin/less mr,
/{usr/,}bin/more mr,
@ -125,6 +130,9 @@ profile dpkg @{exec_path} {
# Diff changed config files
/etc/** r,
# For shell pwd
/root/ r,
}
profile scripts {


@ -1,117 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
#include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/dpkg-buildpackage
profile dpkg-buildpackage @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/dash rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/getconf rix,
/{usr/,}bin/fakeroot-sysv rix,
/{usr/,}bin/faked-sysv rix,
/{usr/,}bin/dh rPx,
/{usr/,}bin/dpkg-buildflags rPx,
/{usr/,}bin/dpkg-architecture rPx,
/{usr/,}bin/dpkg-genbuildinfo rPx,
/{usr/,}bin/dpkg-genchanges rPx,
/{usr/,}bin/dpkg-checkbuilddeps rPx,
/{usr/,}bin/dpkg-source rcx -> dpkg-source,
# What to do with it? The "rules" file is just a make file and can use any tool. (#FIXME#)
owner @{BUILD_DIR}/**/debian/rules rcx -> debian-rules,
owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
/etc/dpkg/origins/debian r,
profile dpkg-source flags=(complain) {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
#include <abstractions/perl>
/{usr/,}bin/dpkg-source mr,
/{usr/,}bin/perl r,
/{usr/,}bin/tar rix,
/{usr/,}bin/bunzip2 rix,
/{usr/,}bin/gunzip rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/patch rix,
/{usr/,}bin/diff rix,
/{usr/,}bin/gpg rix,
/{usr/,}bin/gpgv rix,
/{usr/,}bin/gpg-agent rix,
/etc/dpkg/origins/debian r,
owner /tmp/** rwkl -> /tmp/**,
owner @{run}/user/[0-9]*/gnupg/** w,
@{PROC}/@{pid}/fd/ r,
/usr/share/dpkg/tupletable r,
/usr/share/dpkg/cputable r,
owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
owner @{HOME}/** rwkl -> @{HOME}/**,
audit deny owner @{HOME}/.* mrwkl,
audit deny owner @{HOME}/.*/ rw,
audit deny owner @{HOME}/.*/** mrwkl,
}
profile debian-rules flags=(complain) {
#include <abstractions/base>
owner @{BUILD_DIR}/**/debian/rules rix,
owner @{BUILD_DIR}/** rix,
owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/*/**,
/{usr/,}bin/dash rix,
/{usr/,}bin/make rix,
# Don't strip env here
/{usr/,}bin/* rpux,
/usr/share/dpkg/* r,
/ r,
/usr/include/{,**} r,
# Key to sign the kernel and its modules
/etc/kernel_key/* r,
owner /tmp/cpiolist.* rw,
}
#include if exists <local/dpkg-buildpackage>
}


@ -24,5 +24,9 @@ profile dpkg-divert @{exec_path} {
/usr/share/*/**.dpkg-divert.tmp w,
/var/lib/dpkg/diversions rw,
/var/lib/dpkg/diversions-new rw,
/var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions,
#include if exists <local/dpkg-divert>
}


@ -25,7 +25,7 @@ profile dpkg-preconfigure @{exec_path} {
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/locale rix,
/{usr/,}bin/stty rix,


@ -20,7 +20,7 @@ profile dpkg-query @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,


@ -58,7 +58,7 @@ profile dropbox @{exec_path} {
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/*.so* mrw,
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/plugins/platforms/*.so mrw,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/uname rix,
@ -135,6 +135,10 @@ profile dropbox @{exec_path} {
/{usr/,}bin/xdg-open mr,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
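Review bot: `/{usr/,}lib/firefox/firefox rPUx,` in the xdg-open child profile falls back to running Firefox unconfined whenever no firefox profile is loaded, whereas the same rule added to the discord and freetube profiles in this commit uses `rPx`, which refuses the exec instead of dropping confinement; since this tree ships a firefox profile, `/{usr/,}lib/firefox/firefox rPx,` is both the safer and the consistent choice. If the unconfined fallback is intentional (e.g. a Firefox installed outside the packaged path), a comment stating that would stop the next reader from "fixing" it. I cannot tell from the rendered view whether this line is new or context.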


@ -22,7 +22,7 @@ profile e2fsck @{exec_path} {
@{exec_path} mr,
# To check for badblocks
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/badblocks rPx,
owner @{run}/blkid/blkid.tab{,-*} rw,


@ -22,7 +22,7 @@ profile eject @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}lib/eject/dmcrypt-get-device rPx,


@ -28,7 +28,7 @@ profile engrampa @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mv rix,
@ -96,6 +96,10 @@ profile engrampa @{exec_path} {
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/xdg-open mr,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}bin/engrampa rPx,
/{usr/,}bin/geany rPx,


@ -25,7 +25,7 @@ profile execute-dput @{exec_path} flags=(complain) {
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/dpkg rPx -> child-dpkg,


@ -32,7 +32,7 @@ profile f3fix @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/dmidecode rPx,


@ -30,7 +30,7 @@ profile fatresize @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/dmidecode rPx,


@ -28,7 +28,7 @@ profile filezilla @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
# When using SFTP protocol


@ -51,7 +51,7 @@ profile firefox @{exec_path} {
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
# Firefox files
@{MOZ_LIBDIR}/{,**} r,
@ -191,6 +191,10 @@ profile firefox @{exec_path} {
/{usr/,}bin/exo-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}bin/vlc rPx,
/{usr/,}bin/qbittorrent rPx,


@ -77,8 +77,11 @@ profile flameshot @{exec_path} {
/{usr/,}bin/xdg-open mr,
# Allowed apps to open
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
# file_inherit
owner @{HOME}/.xsession-errors w,
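Review bot: The `# Allowed apps to open` header now appears twice in this hunk — once before `owner @{HOME}/ r,` and again right before `# file_inherit` — with no `rPx` rule between them, so the second header documents an empty section. Either list the applications xdg-open may launch from flameshot under a single header, or drop the duplicate; the other profiles in this commit put the header directly above the application rules (firefox: `vlc`, `qbittorrent`; engrampa: `engrampa`, `geany`). Blank lines may have been collapsed in the rendered view, but the duplicated comment is visible either way.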


@ -48,8 +48,8 @@ profile freetube @{exec_path} {
@{FT_LIBDIR}/ r,
@{FT_LIBDIR}/** r,
@{FT_LIBDIR}/libffmpeg.so mr,
@{FT_LIBDIR}/swiftshader/libGLESv2.so mr,
@{FT_LIBDIR}/swiftshader/libEGL.so mr,
@{FT_LIBDIR}/{swiftshader/,}libGLESv2.so mr,
@{FT_LIBDIR}/{swiftshader/,}libEGL.so mr,
@{FT_LIBDIR}/chrome-sandbox rPx,
owner @{HOME}/ r,
@ -61,6 +61,7 @@ profile freetube @{exec_path} {
owner /tmp/.org.chromium.Chromium.*/ rw,
owner /tmp/.org.chromium.Chromium.*/SingletonCookie w,
owner /tmp/.org.chromium.Chromium.*/SS w,
owner /tmp/.org.chromium.Chromium.* w,
owner /tmp/net-export/ rw,
/dev/shm/ r,
@ -123,6 +124,10 @@ profile freetube @{exec_path} {
/{usr/,}bin/xdg-open mr,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,


@ -25,7 +25,7 @@ profile frontend @{exec_path} flags=(complain) {
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/locale rix,
@ -113,8 +113,15 @@ profile frontend @{exec_path} flags=(complain) {
/usr/share/** r,
/usr/share/** rPUx,
/etc/ r,
/etc/** rw,
/var/cache/** rw,
/var/ r,
/var/** rw,
@{sys}/ r,
@{sys}/**/ r,
@{run}/ r,
@{run}/** r,
/tmp/ r,
owner /tmp/** rw,
}
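Review bot: `/etc/** rw,` and `/var/** rw,` on the new side of this hunk give the debconf frontend — which runs as root while packages are configured — write access to every file under /etc and /var, so the profile no longer limits what a maintainer script can modify, and together with the `/usr/share/** rPUx,` line above them anything launched from /usr/share runs unconfined. The profile is `flags=(complain)`, so nothing is enforced yet, but these wildcards will have to be narrowed (or the .config scripts confined separately) before it can ever be switched to enforce; a comment recording that intent, e.g. `# FIXME: debconf runs package .config scripts as root; /etc and /var are wide open until those are confined on their own`, would keep it from being mistaken for a finished rule set. I cannot tell from the rendered page which of these lines the commit introduces and which are context.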


@ -19,7 +19,7 @@ profile fsck-btrfs @{exec_path} {
@{exec_path} r,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/etc/fstab r,


@ -26,7 +26,7 @@ profile fzsftp @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dash mrix,
/{usr/,}bin/{,ba,da}sh mrix,
/{usr/,}bin/ps rix,
/{usr/,}bin/ls rix,


@ -33,7 +33,7 @@ profile gajim @{exec_path} {
@{exec_path} r,
/{usr/,}bin/ r,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
/{usr/,}sbin/ldconfig rix,


@ -19,7 +19,7 @@ profile games-wesnoth-sh @{exec_path} {
#include <abstractions/deny-root-dir-access>
@{exec_path} r,
/{usr/,}bin/dash r,
/{usr/,}bin/{,ba,da}sh rix,
/usr/games/wesnoth{,-[0-9]*} rPx,


@ -31,8 +31,7 @@ profile ganyremote @{exec_path} {
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/dash rix,
/{usr/,}bin/bash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cut rix,


@ -44,7 +44,7 @@ profile git @{exec_path} {
/{usr/,}bin/envsubst rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/pager rPx -> child-pager,
@ -136,7 +136,7 @@ profile git @{exec_path} {
/{usr/,}bin/sensible-editor mr,
/{usr/,}bin/vim.* mrix,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
owner @{HOME}/.selected_editor r,


@ -186,6 +186,10 @@ profile google-chrome-chrome @{exec_path} {
/{usr/,}bin/xdg-open mr,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
# file_inherit
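Review bot: `# Allowed apps to open` is immediately followed by `# file_inherit`, so the header introduces no rules; a reader will assume the application list was lost. Either add the intended `rPx` rules beneath it, as the firefox and engrampa profiles in this commit do, or replace the header with a comment that states the decision, e.g. `# No external apps allowed from Chrome's xdg-open child profile`. Blank lines may have been collapsed in the rendered view.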


@ -24,7 +24,7 @@ profile google-chrome-google-chrome @{exec_path} {
#include <abstractions/deny-root-dir-access>
@{exec_path} r,
/{usr/,}bin/bash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/which rix,


@ -18,7 +18,7 @@ profile gparted @{exec_path} {
#include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/dash rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cut rix,
