@{HOME}/.local/share -> @{user_share_dirs}
This commit is contained in:
parent
7f6ea8d44d
commit
54ac285b7d
@ -9,9 +9,9 @@
|
||||
/var/lib/flatpak/exports/share/{,**} r,
|
||||
/var/lib/flatpak/app/**/export/share/applications/{,*.desktop} r,
|
||||
|
||||
owner @{HOME}/.local/share/flatpak/exports/share/{,**} r,
|
||||
owner @{HOME}/.local/share/flatpak/app/{,**.desktop} r,
|
||||
deny owner @{HOME}/.local/share/flatpak/** w,
|
||||
owner @{user_share_dirs}/flatpak/exports/share/{,**} r,
|
||||
owner @{user_share_dirs}/flatpak/app/{,**.desktop} r,
|
||||
deny owner @{user_share_dirs}/flatpak/** w,
|
||||
|
||||
# Snap
|
||||
/var/lib/snapd/desktop/applications/mimeinfo.cache r,
|
||||
|
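Review bot: Every rewritten rule on this page now depends on how `@{user_share_dirs}` expands, and the variable's declaration is not part of this diff, so the parser will reject these profiles and abstractions unless it is declared in a tunable that each of them reaches through its includes (only some hunks show an `include <tunables/global>` context line). If that tunable ever lists more than the single `@{HOME}/.local/share` path, each converted rule — including the `deny owner @{user_share_dirs}/flatpak/** w,` line in this hunk — silently applies to every listed directory, which is worth checking against the variable's definition before merging. A short comment at the first use in each abstraction, `# @{user_share_dirs} comes from the tunables include; widening it widens every rule below`, would make the coupling visible. The same point applies to all other hunks on this page and is not repeated there.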
@ -36,7 +36,7 @@
|
||||
deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w,
|
||||
|
||||
# For Google Fonts downloaded via font-manager
|
||||
owner "@{HOME}/.local/share/fonts/Google Fonts/.uuid" r,
|
||||
deny "@{HOME}/.local/share/fonts/Google Fonts/.uuid{,.NEW,.LCK,.TMP-*}" w,
|
||||
owner "@{HOME}/.local/share/fonts/Google Fonts/**/.uuid" r,
|
||||
deny "@{HOME}/.local/share/fonts/Google Fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" w,
|
||||
owner "@{user_share_dirs}/fonts/Google Fonts/.uuid" r,
|
||||
deny "@{user_share_dirs}/fonts/Google Fonts/.uuid{,.NEW,.LCK,.TMP-*}" w,
|
||||
owner "@{user_share_dirs}/fonts/Google Fonts/**/.uuid" r,
|
||||
deny "@{user_share_dirs}/fonts/Google Fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" w,
|
||||
|
@ -20,8 +20,8 @@
|
||||
deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w,
|
||||
|
||||
# For Google Fonts downloaded via font-manager (###FIXME### when they fix resolving of vars)
|
||||
owner "@{HOME}/.local/share/fonts/Google Fonts/.uuid{,.NEW,.LCK,.TMP-*}" rw,
|
||||
link "@{HOME}/.local/share/fonts/Google Fonts/.uuid.LCK" -> "/home/*/.local/share/fonts/Google Fonts/.uuid.TMP-*",
|
||||
owner "@{HOME}/.local/share/fonts/Google Fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" rw,
|
||||
link "@{HOME}/.local/share/fonts/Google Fonts/**/.uuid.LCK" -> "/home/*/.local/share/fonts/Google Fonts/**/.uuid.TMP-*",
|
||||
owner "@{user_share_dirs}/fonts/Google Fonts/.uuid{,.NEW,.LCK,.TMP-*}" rw,
|
||||
link "@{user_share_dirs}/fonts/Google Fonts/.uuid.LCK" -> "/home/*/.local/share/fonts/Google Fonts/.uuid.TMP-*",
|
||||
owner "@{user_share_dirs}/fonts/Google Fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" rw,
|
||||
link "@{user_share_dirs}/fonts/Google Fonts/**/.uuid.LCK" -> "/home/*/.local/share/fonts/Google Fonts/**/.uuid.TMP-*",
|
||||
|
||||
|
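Review bot: The `link` rules on the new side (e.g. `link "@{user_share_dirs}/fonts/Google Fonts/.uuid.LCK" -> "/home/*/.local/share/fonts/Google Fonts/.uuid.TMP-*",`) now pair a tunable-based source with a target that is still spelled as a literal `/home/*/.local/share/...`, so both halves only name the same tree while `@{user_share_dirs}` expands to exactly `@{HOME}/.local/share` with `@{HOME}` under `/home/`; the `###FIXME###` says why the target cannot use the variable, but the new coupling is undocumented. These `link` rules also carry no `owner` qualifier, unlike the `owner ... rw,` rules beside them, so the target glob matches any user's home; if the parser accepts `owner` on `link` rules in this abstraction, adding it would limit them to the caller's own files. A comment above the block, `# link targets must stay literal (see FIXME) and must mirror the expansion of @{user_share_dirs}`, would record the dependency.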
@ -35,9 +35,9 @@
|
||||
|
||||
# For bookmarks
|
||||
#/{usr/,}bin/keditbookmarks rPUx,
|
||||
#owner @{HOME}/.local/share/kfile/ rw,
|
||||
#owner @{HOME}/.local/share/kfile/#[0-9]*[0-9] rw,
|
||||
#owner @{HOME}/.local/share/kfile/bookmarks.xml* rwl -> @{HOME}/.local/share/kfile/#[0-9]*[0-9],
|
||||
#owner @{user_share_dirs}/kfile/ rw,
|
||||
#owner @{user_share_dirs}/kfile/#[0-9]*[0-9] rw,
|
||||
#owner @{user_share_dirs}/kfile/bookmarks.xml* rwl -> @{user_share_dirs}/kfile/#[0-9]*[0-9],
|
||||
|
||||
# Common cache files
|
||||
#owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
|
@ -38,11 +38,11 @@
|
||||
owner @{user_cache_dirs}/tracker/ontologies.gvdb r,
|
||||
owner @{user_config_dirs}/totem/ rwk,
|
||||
owner @{user_config_dirs}/totem/** rwk,
|
||||
owner @{HOME}/.local/share/grilo-plugins/ rwk,
|
||||
owner @{HOME}/.local/share/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
|
||||
owner @{HOME}/.local/share/gvfs-metadata/** r,
|
||||
owner @{HOME}/.local/share/totem/ rwk,
|
||||
owner @{HOME}/.local/share/tracker/data/tracker-store.journal rwk,
|
||||
owner @{user_share_dirs}/grilo-plugins/ rwk,
|
||||
owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
|
||||
owner @{user_share_dirs}/gvfs-metadata/** r,
|
||||
owner @{user_share_dirs}/totem/ rwk,
|
||||
owner @{user_share_dirs}/tracker/data/tracker-store.journal rwk,
|
||||
|
||||
owner @{PROC}/@{pid}/{mountinfo,status} r,
|
||||
|
||||
|
@ -13,14 +13,14 @@
|
||||
owner @{run}/user/[0-9]*/trash.so*.[0-9].slave-socket rwl -> @{run}/user/[0-9]*/#[0-9]*[0-9],
|
||||
|
||||
# Home trash location
|
||||
owner @{HOME}/.local/share/Trash/ rw,
|
||||
owner @{HOME}/.local/share/Trash/#[0-9]*[0-9] rw,
|
||||
owner @{HOME}/.local/share/Trash/directorysizes{,.*} rwl -> @{HOME}/.local/share/Trash/#[0-9]*[0-9],
|
||||
owner @{HOME}/.local/share/Trash/files/{,**} rw,
|
||||
owner @{HOME}/.local/share/Trash/info/ rw,
|
||||
owner @{HOME}/.local/share/Trash/info/*.trashinfo{,.*} rw,
|
||||
owner @{HOME}/.local/share/Trash/expunged/ rw,
|
||||
owner @{HOME}/.local/share/Trash/expunged/[0-9]* rw,
|
||||
owner @{user_share_dirs}/Trash/ rw,
|
||||
owner @{user_share_dirs}/Trash/#[0-9]*[0-9] rw,
|
||||
owner @{user_share_dirs}/Trash/directorysizes{,.*} rwl -> @{user_share_dirs}/Trash/#[0-9]*[0-9],
|
||||
owner @{user_share_dirs}/Trash/files/{,**} rw,
|
||||
owner @{user_share_dirs}/Trash/info/ rw,
|
||||
owner @{user_share_dirs}/Trash/info/*.trashinfo{,.*} rw,
|
||||
owner @{user_share_dirs}/Trash/expunged/ rw,
|
||||
owner @{user_share_dirs}/Trash/expunged/[0-9]* rw,
|
||||
|
||||
# Partitions' trash location when the admin creates the .Trash/ folder in the top lvl dir
|
||||
owner /media/*/.Trash/ rw,
|
||||
|
@ -157,14 +157,14 @@ profile android-studio @{exec_path} {
|
||||
owner @{HOME}/.android/ rw,
|
||||
owner @{HOME}/.android/** rwkl -> @{HOME}/.android/**,
|
||||
|
||||
owner @{HOME}/.local/share/Google/ rw,
|
||||
owner @{HOME}/.local/share/Google/** rw,
|
||||
owner @{user_share_dirs}/Google/ rw,
|
||||
owner @{user_share_dirs}/Google/** rw,
|
||||
|
||||
owner @{HOME}/.local/share/kotlin/ rw,
|
||||
owner @{HOME}/.local/share/kotlin/** rw,
|
||||
owner @{user_share_dirs}/kotlin/ rw,
|
||||
owner @{user_share_dirs}/kotlin/** rw,
|
||||
|
||||
owner "@{HOME}/.local/share/Android Open Source Project/" rw,
|
||||
owner "@{HOME}/.local/share/Android Open Source Project/**" rwk,
|
||||
owner "@{user_share_dirs}/Android Open Source Project/" rw,
|
||||
owner "@{user_share_dirs}/Android Open Source Project/**" rwk,
|
||||
|
||||
owner @{HOME}/.java/ rw,
|
||||
owner @{HOME}/.java/fonts/ rw,
|
||||
|
@ -89,9 +89,9 @@ profile calibre @{exec_path} {
|
||||
owner @{user_config_dirs}/calibre/ rw,
|
||||
owner @{user_config_dirs}/calibre/** rwk,
|
||||
|
||||
owner @{HOME}/.local/share/calibre-ebook.com/ rw,
|
||||
owner @{HOME}/.local/share/calibre-ebook.com/calibre/ rw,
|
||||
owner @{HOME}/.local/share/calibre-ebook.com/calibre/** rwk,
|
||||
owner @{user_share_dirs}/calibre-ebook.com/ rw,
|
||||
owner @{user_share_dirs}/calibre-ebook.com/calibre/ rw,
|
||||
owner @{user_share_dirs}/calibre-ebook.com/calibre/** rwk,
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/calibre/ rw,
|
||||
|
@ -89,7 +89,7 @@ profile freetube @{exec_path} {
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
owner @{HOME}/.local/share r,
|
||||
owner @{user_share_dirs} r,
|
||||
|
||||
deny @{sys}/devices/virtual/tty/tty0/active r,
|
||||
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
|
||||
|
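Review bot: `owner @{user_share_dirs} r,` has no trailing slash, whereas the equivalent rules introduced elsewhere in this commit are written `owner @{user_share_dirs}/ r,` (engrampa, exo-helper and font-manager hunks). AppArmor identifies a directory by its trailing `/`, so this line most likely does not grant the directory read the surrounding rule appears intended for; the removed line had the same shape, so this is carried over rather than introduced. Suggest `owner @{user_share_dirs}/ r,` for consistency with the other profiles. The enclosing freetube profile starts and ends outside the hunk.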
@ -52,7 +52,7 @@ profile okular @{exec_path} {
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/kwalletrc r,
|
||||
|
||||
owner @{HOME}/.local/share/okular/{,**} rw,
|
||||
owner @{user_share_dirs}/okular/{,**} rw,
|
||||
|
||||
owner @{user_config_dirs}/qt5ct/{,**} r,
|
||||
/usr/share/qt5ct/** r,
|
||||
|
@ -211,7 +211,7 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
|
||||
# firefox >= 58
|
||||
owner @{HOME}/.mozilla/firefox/*/cert9.db r,
|
||||
|
||||
owner @{HOME}/.local/share/user-places.xbel r,
|
||||
owner @{user_share_dirs}/user-places.xbel r,
|
||||
|
||||
# there is abstractions/gnupg but that's just for gpg1...
|
||||
profile gpg flags=(complain) {
|
||||
@ -259,10 +259,10 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
|
||||
owner @{user_cache_dirs}/qt_compose_cache_{little,big}_endian_* r,
|
||||
|
||||
# TODO: use recent-documents-write abstraction when it is available
|
||||
owner @{HOME}/.local/share/RecentDocuments/** r,
|
||||
owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*,
|
||||
owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
|
||||
owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
|
||||
owner @{user_share_dirs}/RecentDocuments/** r,
|
||||
owner @{user_share_dirs}/RecentDocuments/*.desktop rwl -> @{user_share_dirs}/RecentDocuments/#[0-9]*,
|
||||
owner @{user_share_dirs}/RecentDocuments/#[0-9]* rw,
|
||||
owner @{user_share_dirs}/RecentDocuments/*.lock rwk,
|
||||
|
||||
# TODO: use kde-globals-write abstraction when it is available
|
||||
owner @{user_config_dirs}/kdeglobals rw,
|
||||
|
@ -100,7 +100,7 @@ profile vlc @{exec_path} {
|
||||
owner @{HOME}/ r,
|
||||
owner @{user_config_dirs}/vlc/ rw,
|
||||
owner @{user_config_dirs}/vlc/* rwkl -> @{user_config_dirs}/vlc/#[0-9]*[0-9],
|
||||
owner @{HOME}/.local/share/vlc/{,*} rw,
|
||||
owner @{user_share_dirs}/vlc/{,*} rw,
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/vlc/{,**} rw,
|
||||
|
@ -154,7 +154,7 @@ profile brave @{exec_path} {
|
||||
/dev/bus/usb/[0-9]*/[0-9]* rw,
|
||||
|
||||
# For downloading files
|
||||
owner @{HOME}/.local/share/.org.chromium.Chromium.* rw,
|
||||
owner @{user_share_dirs}/.org.chromium.Chromium.* rw,
|
||||
|
||||
/var/lib/dbus/machine-id r,
|
||||
/etc/machine-id r,
|
||||
|
@ -88,7 +88,7 @@ profile chromium-chromium @{exec_path} {
|
||||
owner @{CHROMIUM_HOMEDIR}/** rwk,
|
||||
owner @{CHROMIUM_HOMEDIR}/WidevineCdm/*/_platform_specific/linux_*/libwidevinecdm.so mrw,
|
||||
|
||||
owner @{HOME}/.local/share/.org.chromium.Chromium.* rw,
|
||||
owner @{user_share_dirs}/.org.chromium.Chromium.* rw,
|
||||
|
||||
# Cache files
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
|
@ -122,8 +122,8 @@ profile firefox @{exec_path} {
|
||||
# Set default browser
|
||||
/{usr/,}bin/update-mime-database rPUx,
|
||||
owner @{user_config_dirs}/mimeapps.list{,.*} rw,
|
||||
owner @{HOME}/.local/share/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
|
||||
owner @{HOME}/.local/share/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,
|
||||
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
|
||||
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,
|
||||
|
||||
# KDE system keyring
|
||||
/{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
|
||||
|
@ -84,7 +84,7 @@ profile google-chrome-chrome @{exec_path} {
|
||||
# Flashplayer
|
||||
owner @{CHROME_HOMEDIR}/PepperFlash/**/libpepflashplayer.so mr,
|
||||
|
||||
owner @{HOME}/.local/share/.com.google.Chrome.* rw,
|
||||
owner @{user_share_dirs}/.com.google.Chrome.* rw,
|
||||
|
||||
# Cache files
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
|
@ -75,7 +75,7 @@ profile opera @{exec_path} {
|
||||
owner @{OPERA_HOMEDIR}/ rw,
|
||||
owner @{OPERA_HOMEDIR}/** rwk,
|
||||
|
||||
owner @{HOME}/.local/share/.org.chromium.Chromium.* rw,
|
||||
owner @{user_share_dirs}/.org.chromium.Chromium.* rw,
|
||||
|
||||
# Cache files
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
|
@ -24,7 +24,7 @@ profile gio-launch-desktop @{exec_path} {
|
||||
|
||||
# User files
|
||||
owner @{user_config_dirs}/mimeapps.list r,
|
||||
owner @{HOME}/.local/share/applications/{,*.desktop} r,
|
||||
owner @{user_share_dirs}/applications/{,*.desktop} r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
# file_inherit
|
||||
|
@ -38,8 +38,8 @@ profile gpg @{exec_path} {
|
||||
owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
|
||||
|
||||
# For ToR Browser
|
||||
owner @{HOME}/.local/share/torbrowser/gnupg_homedir/ r,
|
||||
owner @{HOME}/.local/share/torbrowser/gnupg_homedir/** rwkl -> @{HOME}/.local/share/torbrowser/gnupg_homedir/**,
|
||||
owner @{user_share_dirs}/torbrowser/gnupg_homedir/ r,
|
||||
owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{user_share_dirs}/torbrowser/gnupg_homedir/**,
|
||||
|
||||
# For spamassassin
|
||||
owner /var/lib/spamassassin/sa-update-keys/** rwkl -> /var/lib/spamassassin/sa-update-keys/**,
|
||||
|
@ -16,8 +16,8 @@ profile gvfsd-metadata @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{HOME}/.local/share/gvfs-metadata/ rw,
|
||||
owner @{HOME}/.local/share/gvfs-metadata/** rw,
|
||||
owner @{user_share_dirs}/gvfs-metadata/ rw,
|
||||
owner @{user_share_dirs}/gvfs-metadata/** rw,
|
||||
|
||||
include if exists <local/gvfsd-metadata>
|
||||
}
|
||||
|
@ -13,7 +13,7 @@ profile gvfsd-recent @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{HOME}/.local/share/recently-used.xbel r,
|
||||
owner @{user_share_dirs}/recently-used.xbel r,
|
||||
|
||||
include if exists <local/gvfsd-recent>
|
||||
}
|
||||
|
@ -112,7 +112,7 @@ profile amarok @{exec_path} {
|
||||
owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/[0-9]*@nocover.png rw,
|
||||
owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache rw,
|
||||
|
||||
owner @{HOME}/.local/share/user-places.xbel rw,
|
||||
owner @{user_share_dirs}/user-places.xbel rw,
|
||||
|
||||
owner @{user_config_dirs}/Trolltech.conf rwk,
|
||||
|
||||
|
@ -57,8 +57,8 @@ profile anki @{exec_path} {
|
||||
|
||||
/usr/share/javascript/**/*.js r,
|
||||
|
||||
owner @{HOME}/.local/share/Anki{,2}/ rw,
|
||||
owner @{HOME}/.local/share/Anki{,2}/** rwk,
|
||||
owner @{user_share_dirs}/Anki{,2}/ rw,
|
||||
owner @{user_share_dirs}/Anki{,2}/** rwk,
|
||||
|
||||
# To remove the following error:
|
||||
# Error initializing NSS with a persistent database
|
||||
@ -144,10 +144,10 @@ profile anki @{exec_path} {
|
||||
owner /tmp/mpv.* rw,
|
||||
|
||||
# For playing sets' sounds
|
||||
owner @{HOME}/.local/share/Anki{,2}/*/collection.media/ r,
|
||||
owner @{HOME}/.local/share/Anki{,2}/*/collection.media/*.{mp3,wav} r,
|
||||
owner @{HOME}/.local/share/Anki{,2}/pulse/ r,
|
||||
owner @{HOME}/.local/share/Anki{,2}/pulse/cookie rk,
|
||||
owner @{user_share_dirs}/Anki{,2}/*/collection.media/ r,
|
||||
owner @{user_share_dirs}/Anki{,2}/*/collection.media/*.{mp3,wav} r,
|
||||
owner @{user_share_dirs}/Anki{,2}/pulse/ r,
|
||||
owner @{user_share_dirs}/Anki{,2}/pulse/cookie rk,
|
||||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
|
||||
@ -168,7 +168,7 @@ profile anki @{exec_path} {
|
||||
|
||||
/{usr/,}bin/lame mr,
|
||||
|
||||
owner @{HOME}/.local/share/Anki{,2}/*/collection.media/rec.{mp3,wav} rw,
|
||||
owner @{user_share_dirs}/Anki{,2}/*/collection.media/rec.{mp3,wav} rw,
|
||||
|
||||
}
|
||||
|
||||
|
@ -32,7 +32,7 @@ profile appstreamcli @{exec_path} flags=(complain) {
|
||||
owner /tmp/appstream/ rw,
|
||||
owner /tmp/appstream/appcache-*.mdb rw,
|
||||
|
||||
owner @{HOME}/.local/share/mime/mime.cache r,
|
||||
owner @{user_share_dirs}/mime/mime.cache r,
|
||||
/usr/share/mime/mime.cache r,
|
||||
|
||||
/usr/share/applications/{,*.desktop} r,
|
||||
|
@ -33,8 +33,8 @@ profile dino-im @{exec_path} {
|
||||
owner @{run}/user/[0-9]*/dconf/ w,
|
||||
owner @{run}/user/[0-9]*/dconf/user rw,
|
||||
|
||||
owner @{HOME}/.local/share/dino/ rw,
|
||||
owner @{HOME}/.local/share/dino/** rwk,
|
||||
owner @{user_share_dirs}/dino/ rw,
|
||||
owner @{user_share_dirs}/dino/** rwk,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
|
@ -65,8 +65,8 @@ profile engrampa @{exec_path} {
|
||||
owner @{user_config_dirs}/ r,
|
||||
owner @{user_config_dirs}/mimeapps.list{,.*} rw,
|
||||
|
||||
owner @{HOME}/.local/share/ r,
|
||||
owner @{HOME}/.local/share/gvfs-metadata/** r,
|
||||
owner @{user_share_dirs}/ r,
|
||||
owner @{user_share_dirs}/gvfs-metadata/** r,
|
||||
|
||||
/usr/share/engrampa/{,**} r,
|
||||
|
||||
|
@ -25,16 +25,16 @@ profile exo-helper @{exec_path} {
|
||||
/usr/share/xfce4/helpers/ r,
|
||||
/usr/share/xfce4/helpers/*.desktop r,
|
||||
/usr/local/share/ r,
|
||||
owner @{HOME}/.local/share/ r,
|
||||
owner @{HOME}/.local/share/xfce4/ r,
|
||||
owner @{HOME}/.local/share/xfce4/helpers/ r,
|
||||
owner @{user_share_dirs}/ r,
|
||||
owner @{user_share_dirs}/xfce4/ r,
|
||||
owner @{user_share_dirs}/xfce4/helpers/ r,
|
||||
|
||||
/etc/xdg/{,xdg-*/}xfce4/helpers.rc r,
|
||||
|
||||
owner @{user_config_dirs}/xfce4/helpers.rc rw,
|
||||
owner @{user_config_dirs}/xfce4/helpers.rc.@{pid}.tmp rw,
|
||||
owner @{HOME}/.local/share/xfce4/helpers/*.desktop rw,
|
||||
owner @{HOME}/.local/share/xfce4/helpers/*.desktop.@{pid}.tmp rw,
|
||||
owner @{user_share_dirs}/xfce4/helpers/*.desktop rw,
|
||||
owner @{user_share_dirs}/xfce4/helpers/*.desktop.@{pid}.tmp rw,
|
||||
|
||||
owner @{user_config_dirs}/mimeapps.list{,.*} rw,
|
||||
|
||||
|
@ -43,12 +43,12 @@ profile font-manager @{exec_path} {
|
||||
owner @{user_config_dirs}/fontconfig/conf.d/ rw,
|
||||
owner @{user_config_dirs}/fontconfig/conf.d/* rw,
|
||||
|
||||
owner @{HOME}/.local/share/fonts/ rw,
|
||||
owner "@{HOME}/.local/share/fonts/Google Fonts/" rw,
|
||||
owner "@{HOME}/.local/share/fonts/Google Fonts/**" rw,
|
||||
owner @{user_share_dirs}/fonts/ rw,
|
||||
owner "@{user_share_dirs}/fonts/Google Fonts/" rw,
|
||||
owner "@{user_share_dirs}/fonts/Google Fonts/**" rw,
|
||||
|
||||
owner @{HOME}/.local/share/ r,
|
||||
owner @{HOME}/.local/share/gvfs-metadata/** r,
|
||||
owner @{user_share_dirs}/ r,
|
||||
owner @{user_share_dirs}/gvfs-metadata/** r,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
|
@ -54,8 +54,8 @@ profile gajim @{exec_path} {
|
||||
# Gajim home files
|
||||
owner @{HOME}/ r,
|
||||
owner @{user_config_dirs}/gajim/{,**} rw,
|
||||
owner @{HOME}/.local/share/gajim/ rw,
|
||||
owner @{HOME}/.local/share/gajim/** rwk,
|
||||
owner @{user_share_dirs}/gajim/ rw,
|
||||
owner @{user_share_dirs}/gajim/** rwk,
|
||||
|
||||
# Cache
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
|
@ -18,8 +18,8 @@ profile gnome-keyring-daemon @{exec_path} {
|
||||
@{exec_path} mr,
|
||||
|
||||
# Keyrings location
|
||||
owner @{HOME}/.local/share/keyrings/ rw,
|
||||
owner @{HOME}/.local/share/keyrings/* rwl,
|
||||
owner @{user_share_dirs}/keyrings/ rw,
|
||||
owner @{user_share_dirs}/keyrings/* rwl,
|
||||
|
||||
# Seahorse and SSH keys
|
||||
owner @{HOME}/.ssh/ r,
|
||||
|
@ -76,8 +76,8 @@ profile inxi @{exec_path} {
|
||||
/var/log/Xorg.[0-9]*.log r,
|
||||
|
||||
/home/ r,
|
||||
@{HOME}/.local/share/xorg/ r,
|
||||
@{HOME}/.local/share/xorg/Xorg.[0-9]*.log r,
|
||||
@{user_share_dirs}/xorg/ r,
|
||||
@{user_share_dirs}/xorg/Xorg.[0-9]*.log r,
|
||||
|
||||
# For shell pwd
|
||||
/root/ r,
|
||||
|
@ -60,8 +60,8 @@ profile jdownloader-install @{exec_path} {
|
||||
owner @{HOME}/.install4j rw,
|
||||
|
||||
# While creating the desktop icon
|
||||
owner @{HOME}/.local/share/applications/i4j[0-9]*.tmp rw,
|
||||
owner @{HOME}/.local/share/applications/JDownloader*.desktop rw,
|
||||
owner @{user_share_dirs}/applications/i4j[0-9]*.tmp rw,
|
||||
owner @{user_share_dirs}/applications/JDownloader*.desktop rw,
|
||||
|
||||
/tmp/ r,
|
||||
owner /tmp/_jdinstall/ rw,
|
||||
|
@ -32,11 +32,11 @@ profile kwalletd5 @{exec_path} {
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
|
||||
owner @{HOME}/.local/share/kwalletd/ rw,
|
||||
owner @{HOME}/.local/share/kwalletd/#[0-9]*[0-9] rw,
|
||||
owner @{HOME}/.local/share/kwalletd/*.salt rw,
|
||||
owner @{HOME}/.local/share/kwalletd/*.kwl rw,
|
||||
owner @{HOME}/.local/share/kwalletd/*.kwl.* rwl -> @{HOME}/.local/share/kwalletd/#[0-9]*[0-9],
|
||||
owner @{user_share_dirs}/kwalletd/ rw,
|
||||
owner @{user_share_dirs}/kwalletd/#[0-9]*[0-9] rw,
|
||||
owner @{user_share_dirs}/kwalletd/*.salt rw,
|
||||
owner @{user_share_dirs}/kwalletd/*.kwl rw,
|
||||
owner @{user_share_dirs}/kwalletd/*.kwl.* rwl -> @{user_share_dirs}/kwalletd/#[0-9]*[0-9],
|
||||
|
||||
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
|
||||
owner @{user_config_dirs}/qt5ct/{,**} r,
|
||||
|
@ -46,8 +46,8 @@ profile megasync @{exec_path} {
|
||||
|
||||
# Megasync home files
|
||||
owner @{HOME}/ r,
|
||||
owner "@{HOME}/.local/share/data/Mega Limited/" rw,
|
||||
owner "@{HOME}/.local/share/data/Mega Limited/**" rwkl -> "@{HOME}/.local/share/data/Mega Limited/MEGAsync/#[0-9]*[0-9]",
|
||||
owner "@{user_share_dirs}/data/Mega Limited/" rw,
|
||||
owner "@{user_share_dirs}/data/Mega Limited/**" rwkl -> "@{user_share_dirs}/data/Mega Limited/MEGAsync/#[0-9]*[0-9]",
|
||||
|
||||
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
|
||||
owner @{user_config_dirs}/qt5ct/{,**} r,
|
||||
@ -101,7 +101,7 @@ profile megasync @{exec_path} {
|
||||
/{usr/,}bin/basename rix,
|
||||
|
||||
owner @{HOME}/ r,
|
||||
owner "@{HOME}/.local/share/data/Mega Limited/MEGAsync/" r,
|
||||
owner "@{user_share_dirs}/data/Mega Limited/MEGAsync/" r,
|
||||
|
||||
owner @{run}/user/[0-9]*/ r,
|
||||
|
||||
@ -110,7 +110,7 @@ profile megasync @{exec_path} {
|
||||
/{usr/,}bin/spacefm rPx,
|
||||
|
||||
# file_inherit
|
||||
owner "@{HOME}/.local/share/data/Mega Limited/MEGAsync/logs/MEGAsync.log" rw,
|
||||
owner "@{user_share_dirs}/data/Mega Limited/MEGAsync/logs/MEGAsync.log" rw,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
}
|
||||
|
@ -19,10 +19,10 @@ profile mimetype @{exec_path} {
|
||||
/usr/share/mime/aliases r,
|
||||
/usr/share/mime/magic r,
|
||||
|
||||
owner @{HOME}/.local/share/mime/**.xml r,
|
||||
owner @{HOME}/.local/share/mime/globs r,
|
||||
owner @{HOME}/.local/share/mime/aliases r,
|
||||
owner @{HOME}/.local/share/mime/magic r,
|
||||
owner @{user_share_dirs}/mime/**.xml r,
|
||||
owner @{user_share_dirs}/mime/globs r,
|
||||
owner @{user_share_dirs}/mime/aliases r,
|
||||
owner @{user_share_dirs}/mime/magic r,
|
||||
|
||||
# To read files
|
||||
/** r,
|
||||
|
@ -37,9 +37,9 @@ profile minitube @{exec_path} {
|
||||
# Minitube home files
|
||||
owner "@{user_config_dirs}/Flavio Tordini/" rw,
|
||||
owner "@{user_config_dirs}/Flavio Tordini/*" rwkl -> "@{user_config_dirs}/Flavio Tordini/#[0-9]*[0-9]",
|
||||
owner "@{HOME}/.local/share/Flavio Tordini/" rw,
|
||||
owner "@{HOME}/.local/share/Flavio Tordini/Minitube/" rw,
|
||||
owner "@{HOME}/.local/share/Flavio Tordini/Minitube/*" rwk,
|
||||
owner "@{user_share_dirs}/Flavio Tordini/" rw,
|
||||
owner "@{user_share_dirs}/Flavio Tordini/Minitube/" rw,
|
||||
owner "@{user_share_dirs}/Flavio Tordini/Minitube/*" rwk,
|
||||
|
||||
# Snapshot
|
||||
owner @{HOME}/Pictures/*.png rw,
|
||||
|
@ -42,8 +42,8 @@ profile mumble @{exec_path} {
|
||||
owner @{HOME}/ r,
|
||||
owner @{user_config_dirs}/Mumble/ rw,
|
||||
owner @{user_config_dirs}/Mumble/** rwkl -> @{user_config_dirs}/Mumble/#[0-9]*[0-9],
|
||||
owner @{HOME}/.local/share/Mumble/ rw,
|
||||
owner @{HOME}/.local/share/Mumble/** rwk,
|
||||
owner @{user_share_dirs}/Mumble/ rw,
|
||||
owner @{user_share_dirs}/Mumble/** rwk,
|
||||
owner @{HOME}/.MumbleOverlayPipe rw,
|
||||
owner @{HOME}/.MumbleSocket rw,
|
||||
|
||||
|
@ -28,8 +28,8 @@ profile orage @{exec_path} {
|
||||
owner @{user_config_dirs}/orage/ rw,
|
||||
owner @{user_config_dirs}/orage/* rw,
|
||||
|
||||
owner @{HOME}/.local/share/orage/ rw,
|
||||
owner @{HOME}/.local/share/orage/* rwk,
|
||||
owner @{user_share_dirs}/orage/ rw,
|
||||
owner @{user_share_dirs}/orage/* rwk,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
@ -54,8 +54,8 @@ profile psi-plus @{exec_path} {
|
||||
owner @{user_config_dirs}/psi+/ rw,
|
||||
owner @{user_config_dirs}/psi+/** rwkl -> @{user_config_dirs}/psi+/#[0-9]*[0-9],
|
||||
|
||||
owner @{HOME}/.local/share/psi+/ rw,
|
||||
owner @{HOME}/.local/share/psi+/** rwk,
|
||||
owner @{user_share_dirs}/psi+/ rw,
|
||||
owner @{user_share_dirs}/psi+/** rwk,
|
||||
|
||||
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
|
||||
owner @{user_config_dirs}/qt5ct/{,**} r,
|
||||
|
@ -45,8 +45,8 @@ profile qbittorrent @{exec_path} {
|
||||
# Qbittorrent home dirs
|
||||
owner @{user_config_dirs}/qBittorrent/ rw,
|
||||
owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#[0-9]*[0-9],
|
||||
owner @{HOME}/.local/share/data/qBittorrent/ rw,
|
||||
owner @{HOME}/.local/share/data/qBittorrent/** rwl -> @{HOME}/.local/share/data/qBittorrent/**/#[0-9]*[0-9],
|
||||
owner @{user_share_dirs}/data/qBittorrent/ rw,
|
||||
owner @{user_share_dirs}/data/qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#[0-9]*[0-9],
|
||||
|
||||
# Cache dir
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
@ -129,7 +129,7 @@ profile qbittorrent @{exec_path} {
|
||||
|
||||
/{usr/,}bin/python3.[0-9]* r,
|
||||
|
||||
owner @{HOME}/.local/share/data/qBittorrent/nova[0-9]/{,**} rw,
|
||||
owner @{user_share_dirs}/data/qBittorrent/nova[0-9]/{,**} rw,
|
||||
|
||||
# Used while searching for torrents
|
||||
owner /dev/shm/sem.mp-* rwl -> /dev/shm/[0-9]*[0-9],
|
||||
|
@ -28,8 +28,8 @@ profile qbittorrent-nox @{exec_path} {
|
||||
# Qbittorrent home dirs
|
||||
owner @{user_config_dirs}/qBittorrent/ rw,
|
||||
owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#[0-9]*[0-9],
|
||||
owner @{HOME}/.local/share/data/qBittorrent/ rw,
|
||||
owner @{HOME}/.local/share/data/qBittorrent/** rwl -> @{HOME}/.local/share/data/qBittorrent/**/#[0-9]*[0-9],
|
||||
owner @{user_share_dirs}/data/qBittorrent/ rw,
|
||||
owner @{user_share_dirs}/data/qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#[0-9]*[0-9],
|
||||
|
||||
# Cache dir
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
@ -56,8 +56,8 @@ profile qbittorrent-nox @{exec_path} {
|
||||
|
||||
/usr/share/mime/mime.cache r,
|
||||
/usr/share/mime/types r,
|
||||
owner @{HOME}/.local/share/mime/mime.cache r,
|
||||
owner @{HOME}/.local/share/mime/types r,
|
||||
owner @{user_share_dirs}/mime/mime.cache r,
|
||||
owner @{user_share_dirs}/mime/types r,
|
||||
|
||||
# TMP
|
||||
owner /tmp/qtsingleapp-qBitto-* rw,
|
||||
|
@ -52,8 +52,8 @@ profile qpdfview @{exec_path} {
|
||||
owner @{user_config_dirs}/qpdfview/ rw,
|
||||
owner @{user_config_dirs}/qpdfview/* rwkl -> @{user_config_dirs}/qpdfview/#[0-9]*[0-9],
|
||||
|
||||
owner @{HOME}/.local/share/qpdfview/ rw,
|
||||
owner @{HOME}/.local/share/qpdfview/** rwk,
|
||||
owner @{user_share_dirs}/qpdfview/ rw,
|
||||
owner @{user_share_dirs}/qpdfview/** rwk,
|
||||
|
||||
owner @{user_config_dirs}/qt5ct/{,**} r,
|
||||
/usr/share/qt5ct/** r,
|
||||
|
@ -48,8 +48,8 @@ profile quiterss @{exec_path} {
|
||||
/usr/share/quiterss/** r,
|
||||
owner @{user_config_dirs}/QuiteRss/ rw,
|
||||
owner @{user_config_dirs}/QuiteRss/** rwkl -> @{user_config_dirs}/QuiteRss/**,
|
||||
owner @{HOME}/.local/share/QuiteRss/ rw,
|
||||
owner @{HOME}/.local/share/QuiteRss/** rwkl -> @{HOME}/.local/share/QuiteRss/QuiteRss/**,
|
||||
owner @{user_share_dirs}/QuiteRss/ rw,
|
||||
owner @{user_share_dirs}/QuiteRss/** rwkl -> @{user_share_dirs}/QuiteRss/QuiteRss/**,
|
||||
owner @{user_cache_dirs}/QuiteRss/ rw,
|
||||
owner @{user_cache_dirs}/QuiteRss/** rwl -> @{user_cache_dirs}/QuiteRss/**,
|
||||
|
||||
|
@ -90,9 +90,9 @@ profile sddm @{exec_path} {
|
||||
#/usr/share/sddm/scripts/Xsession rCx -> sddm-scripts,
|
||||
|
||||
# Create kwallet dirs and files
|
||||
owner @{HOME}/.local/share/kwalletd/ rw,
|
||||
owner @{HOME}/.local/share/kwalletd/kdewallet.salt rw,
|
||||
@{HOME}/.local/share/kwalletd/kdewallet.salt r,
|
||||
owner @{user_share_dirs}/kwalletd/ rw,
|
||||
owner @{user_share_dirs}/kwalletd/kdewallet.salt rw,
|
||||
@{user_share_dirs}/kwalletd/kdewallet.salt r,
|
||||
owner @{run}/user/[0-9]*/kwallet5.socket rw,
|
||||
|
||||
# Themes
|
||||
@ -134,8 +134,8 @@ profile sddm @{exec_path} {
|
||||
# Creating the dir structure is needed when a new user is logging in for the very first time
|
||||
# using SDDM.
|
||||
owner @{HOME}/.local/ w,
|
||||
owner @{HOME}/.local/share/ w,
|
||||
owner @{HOME}/.local/share/sddm/ w,
|
||||
owner @{user_share_dirs}/ w,
|
||||
owner @{user_share_dirs}/sddm/ w,
|
||||
|
||||
/{usr/,}lib/@{multiarch}/ld-*.so mr,
|
||||
|
||||
|
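Review bot: In the second sddm hunk the directory-creation sequence keeps `owner @{HOME}/.local/ w,` as a literal parent while its children become `owner @{user_share_dirs}/ w,` and `owner @{user_share_dirs}/sddm/ w,`, so the parent rule is only right as long as the tunable expands to `@{HOME}/.local/share`; if the tunable is redefined, the first-login directory creation described in the comment above would fail at the parent step. A note on that line, `# parent of @{user_share_dirs}; keep in sync with the tunable`, makes the dependency explicit. In the first sddm hunk the unqualified `@{user_share_dirs}/kwalletd/kdewallet.salt r,` beside the `owner ... rw,` rule grants a read of every user's wallet salt; that behaviour is pre-existing and presumably needed because the process is not the file's owner at that point, but a comment stating why the non-owner read is required would help the next reader. The sddm profile starts and ends outside these hunks.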
@ -65,7 +65,7 @@ profile sddm-xsession @{exec_path} {
|
||||
owner @{PROC}/@{pid}/loginuid r,
|
||||
|
||||
# Xsession logs
|
||||
owner @{HOME}/.local/share/sddm/xorg-session.log w,
|
||||
owner @{user_share_dirs}/sddm/xorg-session.log w,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
/etc/zsh/* r,
|
||||
|
@ -61,8 +61,8 @@ profile strawberry @{exec_path} {
|
||||
owner @{user_config_dirs}/strawberry/ rw,
|
||||
owner @{user_config_dirs}/strawberry/* rwkl -> @{user_config_dirs}/strawberry/#[0-9]*[0-9],
|
||||
|
||||
owner @{HOME}/.local/share/strawberry/ rw,
|
||||
owner @{HOME}/.local/share/strawberry/** rwk,
|
||||
owner @{user_share_dirs}/strawberry/ rw,
|
||||
owner @{user_share_dirs}/strawberry/** rwk,
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/strawberry/ rw,
|
||||
|
@ -36,14 +36,14 @@ include <tunables/global>
|
||||
|
||||
deny ptrace,
|
||||
deny capability sys_ptrace,
|
||||
deny @{HOME}/.local/share/applications/wine/ r,
|
||||
deny @{user_share_dirs}/applications/wine/ r,
|
||||
|
||||
owner @{HOME}/.purple/ rw,
|
||||
owner @{HOME}/.purple/** rwk,
|
||||
owner @{HOME}/.purple/plugins/*.so m,
|
||||
owner @{user_config_dirs}/indicators/ rw,
|
||||
owner @{user_config_dirs}/indicators/** rw,
|
||||
owner @{HOME}/.local/share/applications/ r,
|
||||
owner @{user_share_dirs}/applications/ r,
|
||||
|
||||
# Uncomment the two following lines if you want to allow Pidgin to update
|
||||
# any DConf setting:
|
||||
|
@ -66,9 +66,9 @@ profile virt-manager @{exec_path} {
|
||||
#owner /var/lib/libvirt/images/ r,
|
||||
|
||||
# User VM images
|
||||
#owner @{HOME}/.local/share/libvirt/ rw,
|
||||
#owner @{HOME}/.local/share/libvirt/images/ rw,
|
||||
#owner @{HOME}/.local/share/libvirt/images/* rw,
|
||||
#owner @{user_share_dirs}/libvirt/ rw,
|
||||
#owner @{user_share_dirs}/libvirt/images/ rw,
|
||||
#owner @{user_share_dirs}/libvirt/images/* rw,
|
||||
|
||||
#owner /media/*/VM/ r,
|
||||
|
||||
|
@ -33,7 +33,7 @@ profile xdg-desktop-menu @{exec_path} flags=(complain) {
|
||||
/{usr/,}bin/update-desktop-database rPx,
|
||||
|
||||
owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu rw,
|
||||
owner @{HOME}/.local/share/applications/chrome-*.desktop rw,
|
||||
owner @{user_share_dirs}/applications/chrome-*.desktop rw,
|
||||
owner @{HOME}/.gnome/apps/chrome-*.desktop rw,
|
||||
|
||||
/usr/share/applications/*.desktop rw,
|
||||
|
@ -35,8 +35,8 @@ profile xdg-icon-resource @{exec_path} flags=(complain) {
|
||||
|
||||
owner /tmp/.com.google.Chrome.*/chrome-*.png r,
|
||||
|
||||
owner @{HOME}/.local/share/icons/**/apps/chrome-*.png rw,
|
||||
owner @{HOME}/.local/share/icons/**/.xdg-icon-resource-dummy rw,
|
||||
owner @{user_share_dirs}/icons/**/apps/chrome-*.png rw,
|
||||
owner @{user_share_dirs}/icons/**/.xdg-icon-resource-dummy rw,
|
||||
/opt/**/*.png r,
|
||||
|
||||
include if exists <local/xdg-icon-resource>
|
||||
|
@ -40,7 +40,7 @@ profile xdg-open @{exec_path} {
|
||||
deny /{usr/,}bin/dbus-send rx,
|
||||
|
||||
/usr/share/applications/*.desktop r,
|
||||
owner @{HOME}/.local/share/applications/ r,
|
||||
owner @{user_share_dirs}/applications/ r,
|
||||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
|
||||
|
@ -27,7 +27,7 @@ profile xkbcomp @{exec_path} {
|
||||
owner /dev/tty[0-9]* rw,
|
||||
deny /var/log/Xorg.[0-9]*.log w,
|
||||
deny /dev/input/event[0-9]* rw,
|
||||
owner @{HOME}/.local/share/xorg/Xorg.[0-9].log w,
|
||||
owner @{user_share_dirs}/xorg/Xorg.[0-9].log w,
|
||||
owner /var/log/lightdm/x-[0-9]*.log w,
|
||||
/dev/dri/card[0-9]* rw,
|
||||
|
||||
|
@ -80,9 +80,9 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
|
||||
owner /var/log/Xorg.[0-9].log{,.old} rw,
|
||||
owner /var/log/Xorg.pid-@{pid}.log{,.old} rw,
|
||||
owner @{HOME}/ r,
|
||||
owner @{HOME}/.local/share/xorg/ rw,
|
||||
owner @{HOME}/.local/share/xorg/Xorg.[0-9].log{,.old} rw,
|
||||
owner @{HOME}/.local/share/xorg/Xorg.pid-@{pid}.log{,.old} rw,
|
||||
owner @{user_share_dirs}/xorg/ rw,
|
||||
owner @{user_share_dirs}/xorg/Xorg.[0-9].log{,.old} rw,
|
||||
owner @{user_share_dirs}/xorg/Xorg.pid-@{pid}.log{,.old} rw,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
# TMP files
|
||||
|