mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-31 07:17:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profile): general update.

Browse source 
see #422
This commit is contained in:
Alexandre Pujol 2024-07-20 13:13:27 +01:00
parent 245898a9d2
commit 52a2ae8c23
Failed to generate hash of commit
19 changed files with 48 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
apparmor.d/abstractions/app-open
View file

@ -50,6 +50,9 @@
@{bin}/vlc rPUx,
@{bin}/xbrlapi rPx,
#aa:only opensuse
@{lib}/YaST2/** rPUx,
include if exists <abstractions/app-open.d>

9
apparmor.d/abstractions/app/firefox
View file

@ -100,6 +100,12 @@
owner @{tmp}/tmpaddon r,
owner @{tmp}/tmpaddon-@{int} r,
owner /dev/shm/org.chromium.@{rand6} rw,
owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,
@{run}/mount/utab r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@ -144,9 +150,6 @@
/dev/hidraw@{int} rw,
/dev/tty rw,
/dev/video@{int} rw,
owner /dev/shm/org.chromium.* rw,
owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
owner /dev/tty@{int} rw, # File Inherit
# Silencer

2
apparmor.d/groups/browsers/firefox-crashreporter
View file

@ -54,6 +54,8 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r,
owner @{PROC}/@{pid}/cmdline r,
/dev/dri/card@{int} rw,
/dev/dri/renderD128 rw,

2
apparmor.d/groups/bus/dbus-session
View file

@ -54,6 +54,8 @@ profile dbus-session flags=(attach_disconnected) {
owner @{HOME}/.var/app/*/**/.ref rw,
owner @{HOME}/.var/app/*/**/logs/* rw,
owner @{user_share_dirs}/dbus-1/services/{,**} r,
@{run}/systemd/users/@{uid} r,
owner @{run}/user/@{uid}/dbus-1/ rw,
owner @{run}/user/@{uid}/dbus-1/services/ rw,

1
apparmor.d/groups/freedesktop/plymouthd
View file

@ -42,6 +42,7 @@ profile plymouthd @{exec_path} {
/etc/vconsole.conf r,
/var/lib/plymouth/{,**} rw,
/var/log/plymouth-*.log w,
@{run}/plymouth/{,**} rw,

12
apparmor.d/groups/gnome/gnome-extension-gsconnect
View file

@ -17,9 +17,7 @@ profile gnome-extension-gsconnect @{exec_path} {
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/dconf-write>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/gnome-strict>
include <abstractions/nameservice-strict>
include <abstractions/p11-kit>
include <abstractions/ssl_certs>
@ -32,10 +30,10 @@ profile gnome-extension-gsconnect @{exec_path} {
@{exec_path} mr,
@{sh_path} rix,
@{bin}/env rix,
@{bin}/gjs-console rix,
@{bin}/openssl rix,
@{sh_path} rix,
@{bin}/ssh-add rix,
@{bin}/ssh-keygen rPx,
@ -49,18 +47,12 @@ profile gnome-extension-gsconnect @{exec_path} {
@{share_dirs}/{,**} r,
@{share_dirs}/gsconnect-preferences rix,
/etc/machine-id r,
owner @{user_cache_dirs}/gsconnect/{,**} rw,
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/gsconnect/{,**} rw,
owner @{user_config_dirs}/mimeapps.list w,
owner @{user_config_dirs}/mimeapps.list.@{rand6} rw,
owner @{user_share_dirs}/ r,
owner @{run}/user/@{uid}/gsconnect/ w,
@{sys}/devices/virtual/dmi/id/chassis_type r,

1
apparmor.d/groups/gnome/gnome-keyring-daemon
View file

@ -38,6 +38,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
@{bin}/ssh-add rix,
@{bin}/ssh-agent rPx,
@{lib}/gcr-ssh-askpass rPUx,
/etc/gcrypt/hwf.deny r,

1
apparmor.d/groups/gnome/gnome-software
View file

@ -78,6 +78,7 @@ profile gnome-software @{exec_path} {
owner @{user_cache_dirs}/flatpak/{,**} rwl,
owner @{user_cache_dirs}/gnome-software/{,**} rw,
owner @{user_config_dirs}/flatpak/{,**} r,
owner @{user_config_dirs}/pulse/*.conf r,
owner @{user_share_dirs}/ r,

4
apparmor.d/groups/gnome/gnome-tweaks
View file

@ -12,6 +12,7 @@ profile gnome-tweaks @{exec_path} {
include <abstractions/audio-client>
include <abstractions/dconf-write>
include <abstractions/gnome-strict>
include <abstractions/graphics>
include <abstractions/python>
include <abstractions/thumbnails-cache-read>
@ -38,6 +39,9 @@ profile gnome-tweaks @{exec_path} {
owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r,
owner @{user_share_dirs}/recently-used.xbel* rw,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
owner @{PROC}/@{pid}/fd/ r,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,

2
apparmor.d/groups/gpg/gpg
View file

@ -65,6 +65,8 @@ profile gpg @{exec_path} {
owner /tmp/@{int}@{int} rw,
owner @{run}/user/@{uid}/gnupg/d.*/ rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat rw,

3
apparmor.d/groups/ssh/ssh
View file

@ -27,11 +27,10 @@ profile ssh @{exec_path} {
@{bin}/{c,k,tc,z}sh rix,
@{etc_ro}/ssh/ssh_config r,
@{etc_ro}/ssh/ssh_config.d/{,*} r,
@{etc_ro}/ssh/sshd_config r,
@{etc_ro}/ssh/sshd_config.d/{,*} r,
/etc/machine-id r,
/etc/ssh/ssh_config r,
/etc/ssh/ssh_config.d/{,*} r,
owner @{HOME}/@{XDG_SSH_DIR}/ r,
owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r,

2
apparmor.d/profiles-a-f/agetty
View file

@ -30,7 +30,7 @@ profile agetty @{exec_path} {
/{etc,run,lib,usr/lib}/issue.d/{,*} r,
/etc/inittab r,
/etc/login.defs r,
/etc/login.defs.d/ r,
/etc/login.defs.d/{,*} r,
/etc/os-release r,
/usr/etc/login.defs r,

1
apparmor.d/profiles-a-f/file-roller
View file

@ -25,6 +25,7 @@ profile file-roller @{exec_path} {
# Archivers
@{bin}/7z rix,
@{bin}/7zz rix,
@{bin}/ar rix,
@{bin}/bzip2 rix,
@{bin}/cpio rix,

4
apparmor.d/profiles-a-f/firewalld
View file

@ -61,9 +61,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
@{run}/xtables.lock rwk,
@{sys}/module/compression r,
@{sys}/module/crc32c_*/initstate r,
@{sys}/module/libcrc32c/initstate r,
@{sys}/module/nf_*/initstate r,
@{sys}/module/*/initstate r,
@{PROC}/sys/kernel/modprobe r,
@{PROC}/sys/net/ipv{4,6}/ip_forward rw,

3
apparmor.d/profiles-m-r/pcscd
View file

@ -16,12 +16,13 @@ profile pcscd @{exec_path} {
network netlink raw,
ptrace (read) peer=veracrypt,
ptrace (read) peer=@{p_systemd_user},
ptrace (read) peer=gsd-smartcard,
ptrace (read) peer=keepassxc,
ptrace (read) peer=pkcs11-register,
ptrace (read) peer=rngd,
ptrace (read) peer=scdaemon,
ptrace (read) peer=veracrypt,
@{exec_path} mr,

1
apparmor.d/profiles-m-r/power-profiles-daemon
View file

@ -28,6 +28,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
/var/lib/power-profiles-daemon/{,**} rw,
@{run}/udev/data/+platform:* r,
@{run}/udev/data/+power_supply:* r,
@{sys}/bus/ r,
@{sys}/bus/platform/devices/ r,

6
apparmor.d/profiles-s-z/smartd
View file

@ -14,11 +14,9 @@ profile smartd @{exec_path} {
include <abstractions/disks-read>
include <abstractions/nameservice-strict>
capability sys_rawio,
capability net_admin,
capability sys_admin,
# Needed?
audit capability net_admin,
capability sys_rawio,
@{exec_path} mr,

2
apparmor.d/profiles-s-z/su
View file

@ -26,6 +26,8 @@ profile su @{exec_path} {
@{bin}/@{shells} rUx,
@{bin}/nologin rPx,
@{etc_ro}/default/su r,
include if exists <local/su>
}

15
apparmor.d/profiles-s-z/w3m
View file

@ -1,4 +1,5 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 valoq <valoq@mailbox.org>
# SPDX-License-Identifier: GPL-2.0-only
@ -9,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/w3m
profile w3m @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/user-download-strict>
@ -21,13 +23,20 @@ profile w3m @{exec_path} {
@{exec_path} mr,
@{sh_path} rix,
@{lib}/w3m/cgi-bin/* rix,
@{lib}/w3m/* rix,
/usr/share/terminfo/{,**} r,
/etc/mime.types r,
/etc/w3m/{,**} r,
owner @{HOME}/.w3m/{,**} r,
owner @{user_config_dirs}/w3m/{,**} r,
owner /tmp/@{rand6}/{,**} rw,
owner @{HOME}/.w3m/{,**} rw,
owner @{user_config_dirs}/w3m/{,**} rw,
owner @{tmp}/@{rand6}/{,**} rw,
include if exists <local/w3m>
}