feat(profile): general update.

Alexandre Pujol 2024-02-28 17:17:20 +00:00
parent 1c999ca921
commit 555b5e3c3f
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
43 changed files with 142 additions and 124 deletions


@ -4,7 +4,7 @@
dbus send bus=system path=/org/freedesktop/Accounts dbus send bus=system path=/org/freedesktop/Accounts
interface=org.freedesktop.Accounts interface=org.freedesktop.Accounts
member=FindUserByName member={FindUserByName,ListCachedUsers}
peer=(name=:*, label=accounts-daemon), peer=(name=:*, label=accounts-daemon),
dbus send bus=system path=/org/freedesktop/Accounts{,/User@{uid}} dbus send bus=system path=/org/freedesktop/Accounts{,/User@{uid}}
@ -17,6 +17,11 @@
member=*Changed member=*Changed
peer=(name=:*, label=accounts-daemon), peer=(name=:*, label=accounts-daemon),
dbus receive bus=system path=/org/freedesktop/Accounts
interface=org.freedesktop.Accounts
member=UserAdded
peer=(name=:*, label=accounts-daemon),
dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=*Changed member=*Changed


@ -47,6 +47,11 @@
member=CheckPermissions member=CheckPermissions
peer=(name=:*, label=NetworkManager), peer=(name=:*, label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=CheckPermissions
peer=(name=:*, label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager interface=org.freedesktop.NetworkManager
member={DeviceAdded,DeviceRemoved,StateChanged} member={DeviceAdded,DeviceRemoved,StateChanged}


@ -15,6 +15,10 @@
interface=org.freedesktop.PolicyKit1.Authority interface=org.freedesktop.PolicyKit1.Authority
member=CheckAuthorization member=CheckAuthorization
peer=(name=:*, label=polkitd), peer=(name=:*, label=polkitd),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
member=CheckAuthorization
peer=(name=org.freedesktop.PolicyKit1),
dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority interface=org.freedesktop.PolicyKit1.Authority
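Review bot: The added CheckAuthorization send rule for the well-known name, `peer=(name=org.freedesktop.PolicyKit1),`, carries no label, unlike the `peer=(name=:*, label=polkitd)` rule directly above it, so any process that owns that bus name would satisfy it rather than only the polkitd-confined daemon. Unless a broker-specific label mismatch forces the unlabelled form, `peer=(name=org.freedesktop.PolicyKit1, label=polkitd),` keeps the same peer pinning as the rest of the abstraction. The same pattern appears in the locale1 section, where the new GetAll rule uses `peer=(name=org.freedesktop.locale1)` next to the labelled rule that just lost its well-known name, and in the first SetHostname rule of the systemd-networkd section. If the label is dropped on purpose, a one-line comment stating the reason would stop it from being re-tightened later.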


@ -5,6 +5,10 @@
dbus send bus=system path=/org/freedesktop/locale1 dbus send bus=system path=/org/freedesktop/locale1
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll member=GetAll
peer=(name="{:*,org.freedesktop.locale1}", label=systemd-localed), peer=(name=:*, label=systemd-localed),
dbus send bus=system path=/org/freedesktop/locale1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=org.freedesktop.locale1),
include if exists <abstractions/bus/org.freedesktop.locale1.d> include if exists <abstractions/bus/org.freedesktop.locale1.d>


@ -18,7 +18,7 @@ profile dbus-broker @{exec_path} flags=(attach_disconnected) {
network bluetooth stream, network bluetooth stream,
network bluetooth seqpacket, network bluetooth seqpacket,
signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(cont, term) peer=@{systemd_user},
dbus bus=accessibility, dbus bus=accessibility,
dbus bus=session, dbus bus=session,
@ -41,5 +41,7 @@ profile dbus-broker @{exec_path} flags=(attach_disconnected) {
/dev/dri/card@{int} rw, /dev/dri/card@{int} rw,
/dev/input/event@{int} rw, /dev/input/event@{int} rw,
@{PROC}/sys/kernel/cap_last_cap r,
include if exists <local/dbus-broker> include if exists <local/dbus-broker>
} }


@ -17,7 +17,7 @@ profile dbus-broker-launch @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{bin}/dbus-broker rPUx, @{bin}/dbus-broker rPx,
/usr/share/dbus-1/{,**} r, /usr/share/dbus-1/{,**} r,
/usr/share/defaults/**.conf r, /usr/share/defaults/**.conf r,


@ -17,6 +17,8 @@ profile colord @{exec_path} flags=(attach_disconnected) {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
network inet dgram,
network inet6 dgram,
network netlink raw, network netlink raw,
# dbus: own bus=system name=org.freedesktop.ColorManager # dbus: own bus=system name=org.freedesktop.ColorManager
@ -61,6 +63,9 @@ profile colord @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/@{pci}/uevent r, @{sys}/devices/@{pci}/uevent r,
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
@{PROC}/sys/dev/parport/ r,
@{PROC}/sys/dev/parport/parport@{int}/base-addr r,
@{PROC}/sys/dev/parport/parport@{int}/irq r,
@{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cmdline r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
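Review bot: The new `network inet dgram,` and `network inet6 dgram,` rules in the first hunk are added without a comment saying which colord feature needs UDP sockets, and nothing else in the section hints at it. A trailing note in the style the udev lines elsewhere in this commit use, e.g. `network inet dgram, # for <consumer — TODO confirm>`, would tell the next reviewer whether the rule can be dropped when that feature is absent. The parport reads in the second hunk are self-explanatory; the profile continues outside the hunk.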


@ -30,6 +30,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/ r, @{run}/udev/data/ r,
@{run}/udev/data/+acpi:* r, # for acpi @{run}/udev/data/+acpi:* r, # for acpi
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
@{run}/udev/data/+i2c:* r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+pci:* r, @{run}/udev/data/+pci:* r,
@{run}/udev/data/+platform:* r, @{run}/udev/data/+platform:* r,


@ -18,14 +18,11 @@ profile xdg-desktop-portal-gnome @{exec_path} {
include <abstractions/bus/org.gtk.vfs.MountTracker> include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/deny-sensitive-home> include <abstractions/deny-sensitive-home>
include <abstractions/dri>
include <abstractions/fontconfig-cache-write> include <abstractions/fontconfig-cache-write>
include <abstractions/gnome-strict> include <abstractions/gnome-strict>
include <abstractions/mesa> include <abstractions/graphics>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/nvidia>
include <abstractions/user-download> include <abstractions/user-download>
include <abstractions/vulkan>
network unix stream, network unix stream,
@ -68,6 +65,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
@{bin}/* r, @{bin}/* r,
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
/usr/share/thumbnailers/{,**} r,
/var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
/var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/gdm{3,}/greeter-dconf-defaults r,
@ -75,6 +73,9 @@ profile xdg-desktop-portal-gnome @{exec_path} {
owner @{HOME}/*/{,**} rw, owner @{HOME}/*/{,**} rw,
owner /tmp/.goutputstream-@{rand6} rw,
owner /tmp/@{rand6} rw,
@{run}/mount/utab r, @{run}/mount/utab r,
owner @{PROC}/@{pid}/ r, owner @{PROC}/@{pid}/ r,
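Review bot: `owner /tmp/@{rand6} rw,` in the last hunk matches any six-character name under /tmp that the user owns, which is considerably wider than the `owner /tmp/.goutputstream-@{rand6} rw,` line above it that at least identifies its producer (presumably GIO). If these files come from a known component, a trailing comment naming it would let the rule be narrowed later, and if any fixed prefix exists it belongs in the path. The graphics-abstraction swap and the thumbnailers read in the earlier hunks look fine; the profile continues outside the hunks.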


@ -23,6 +23,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
@{bin}/head rix, @{bin}/head rix,
@{bin}/mv rix, @{bin}/mv rix,
@{bin}/readlink rix, @{bin}/readlink rix,
@{bin}/realpath rix,
@{bin}/sed rix, @{bin}/sed rix,
@{bin}/tr rix, @{bin}/tr rix,
@{bin}/uname rix, @{bin}/uname rix,


@ -56,6 +56,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/usr/share/language-tools/language2locale rix, /usr/share/language-tools/language2locale rix,
/usr/share/language-tools/language-options rPUx, /usr/share/language-tools/language-options rPUx,
/opt/**/share/icons/{,**} r,
/snap/*/@{int}/**.png r, /snap/*/@{int}/**.png r,
/usr/share/backgrounds/{,**} r, /usr/share/backgrounds/{,**} r,
/usr/share/cups/data/testprint r, /usr/share/cups/data/testprint r,
@ -71,11 +72,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/usr/share/pipewire/client.conf r, /usr/share/pipewire/client.conf r,
/usr/share/thumbnailers/{,*} r, /usr/share/thumbnailers/{,*} r,
/usr/share/wallpapers/{,**} r, /usr/share/wallpapers/{,**} r,
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, /usr/share/xml/iso-codes/{,**} r,
/etc/cups/client.conf r, /etc/cups/client.conf r,
/etc/machine-info r, /etc/machine-info r,
/etc/pipewire/client.conf.d/ r, /etc/pipewire/client.conf.d/{,**} r,
/etc/rygel.conf r, /etc/rygel.conf r,
/etc/security/pwquality.conf r, /etc/security/pwquality.conf r,
/etc/security/pwquality.conf.d/{,**} r, /etc/security/pwquality.conf.d/{,**} r,
@ -92,14 +93,18 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/.cert/nm-openvpn/*.pem r, owner @{HOME}/.cert/nm-openvpn/*.pem r,
owner @{HOME}/.face r, owner @{HOME}/.face r,
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
owner @{user_cache_dirs}/gnome-control-center/{,**} rw, owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
owner @{user_cache_dirs}/thumbnails/{,**} rw, owner @{user_cache_dirs}/thumbnails/{,**} rw,
owner @{user_config_dirs}/gnome-control-center/{,**} rw, owner @{user_config_dirs}/gnome-control-center/{,**} rw,
owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r, owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw, owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw,
owner @{user_games_dirs}/**.png r, owner @{user_games_dirs}/**.png r,
owner @{user_share_dirs}/backgrounds/{,**} rw, owner @{user_share_dirs}/backgrounds/{,**} rw,
owner @{user_share_dirs}/gnome-remote-desktop/ w, owner @{user_share_dirs}/gnome-remote-desktop/ w,
owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw, owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw,
@ -108,15 +113,15 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw, owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw,
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w,
owner @{run}/user/@{uid}/pipewire-@{int} rw,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
@{run}/cups/cups.sock rw, @{run}/cups/cups.sock rw,
@{run}/samba/ rw, @{run}/samba/ rw,
@{run}/systemd/sessions/ r, @{run}/systemd/sessions/ r,
@{run}/systemd/sessions/* r, @{run}/systemd/sessions/* r,
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,
owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w,
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
owner @{run}/user/@{uid}/pipewire-@{int} rw,
@{run}/udev/data/+dmi:* r, @{run}/udev/data/+dmi:* r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad


@ -18,7 +18,7 @@ profile gnome-session-ctl @{exec_path} {
dbus send bus=session path=/org/freedesktop/systemd1 dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager interface=org.freedesktop.systemd1.Manager
member={StartUnit,StopUnit} member={StartUnit,StopUnit}
peer=(name=org.freedesktop.systemd1, label="@{systemd}"), peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),
dbus send bus=session path=/org/gnome/SessionManager dbus send bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager interface=org.gnome.SessionManager


@ -63,6 +63,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
network unix stream, network unix stream,
ptrace (read), ptrace (read),
ptrace (readby) peer=pipewire,
signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(term, hup) peer=gdm*,
@ -178,7 +179,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
dbus receive bus=session path=/org/freedesktop/systemd1 dbus receive bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager interface=org.freedesktop.systemd1.Manager
member=JobRemoved member=JobRemoved
peer=(name=:*, label="@{systemd}"), peer=(name=:*, label="@{systemd_user}"),
dbus send bus=session path=/MenuBar dbus send bus=session path=/MenuBar
interface=com.canonical.dbusmenu interface=com.canonical.dbusmenu
@ -213,19 +214,18 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
/usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx, /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx,
/opt/**/share/icons/{,**} r,
/opt/*/**/*.png r, /opt/*/**/*.png r,
/snap/*/@{uid}/**.png r, /snap/*/@{uid}/**.png r,
/usr/share/{,zoneinfo-}icu/{,**} r, /usr/share/{,zoneinfo-}icu/{,**} r,
/usr/share/**.{png,jpg,svg} r, /usr/share/**.{png,jpg,svg} r,
/usr/share/app-info/icons/{,**} r, /usr/share/**/icons/{,**} r,
/usr/share/backgrounds/{,**} r, /usr/share/backgrounds/{,**} r,
/usr/share/byobu/desktop/byobu* r, /usr/share/byobu/desktop/byobu* r,
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
/usr/share/desktop-base/** r, /usr/share/desktop-base/** r,
/usr/share/desktop-directories/{,*.directory} r, /usr/share/desktop-directories/{,*.directory} r,
/usr/share/egl/{,**} r, /usr/share/egl/{,**} r,
/usr/share/evolution-data-server/icons/{,**} r,
/usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r,
/usr/share/gdm/BuiltInSessions/{,*.desktop} r, /usr/share/gdm/BuiltInSessions/{,*.desktop} r,
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/usr/share/gdm/greeter/applications/{,**} r, /usr/share/gdm/greeter/applications/{,**} r,
@ -238,7 +238,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
/usr/share/pipewire/client.conf r, /usr/share/pipewire/client.conf r,
/usr/share/wallpapers/** r, /usr/share/wallpapers/** r,
/usr/share/wayland-sessions/{,*.desktop} r, /usr/share/wayland-sessions/{,*.desktop} r,
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, /usr/share/xml/iso-codes/{,**} r,
/.flatpak-info r, /.flatpak-info r,
/etc/fstab r, /etc/fstab r,
@ -340,7 +340,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+sound:card@{int} r, # for sound @{run}/udev/data/+sound:card@{int} r, # for sound
@{run}/udev/data/+usb* r, # for USB mouse and keyboard @{run}/udev/data/+usb* r, # for USB mouse and keyboard
@{run}/udev/data/+i2c:* r, @{run}/udev/data/+i2c:* r,
@{run}/udev/data/+hid:* r , # for HID-Compliant Keyboard @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
@{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
@{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
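Review bot: The context line `signal (receive) set=(cont, term) peer=systemd-user,` in the first hunk still uses the literal label, while this commit moves dbus-broker, gnome-session-ctl, ubuntu-report and the JobRemoved rule in this very profile to `@{systemd_user}`. If that variable is the canonical spelling, this line should read `signal (receive) set=(cont, term) peer=@{systemd_user},` so the two stay in step when the variable's value changes. The new `ptrace (readby) peer=pipewire,` would also benefit from a short comment on what pipewire reads from gnome-shell. The profile continues outside the hunks.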


@ -36,6 +36,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/sessions/* r, @{run}/systemd/sessions/* r,
@{run}/systemd/sessions/*.ref r, @{run}/systemd/sessions/*.ref r,
@{run}/mount/utab r,
@{sys}/devices/@{pci}/net/*/statistics/collisions r, @{sys}/devices/@{pci}/net/*/statistics/collisions r,
@{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r,


@ -39,7 +39,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} {
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/a*org.gnome.NautilusPreviewer.slice/*/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
@{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cgroup r,


@ -61,6 +61,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
@{sys}/devices/i2c-@{int}/name r, @{sys}/devices/i2c-@{int}/name r,
@{sys}/devices/platform/*/i2c-@{int}/name r, @{sys}/devices/platform/*/i2c-@{int}/name r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/mounts r,
@{PROC}/sys/kernel/core_pattern r, @{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/boot_id r,
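Review bot: The new `@{PROC}/@{pid}/fd/ r,` is not `owner`-scoped, so it grants listing the open file descriptors of every process on the system, while the other profiles touched by this commit (colord, networkd-dispatcher, paccache) use `owner @{PROC}/@{pid}/fd/ r,`. Unless powerdevil is known to inspect other users' processes, the owner-scoped form is the consistent and least-privilege one. The neighbouring `mounts` line has the same shape but is pre-existing; the profile continues outside the hunk.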


@ -67,6 +67,8 @@ profile kioslave5 @{exec_path} {
deny /tmp/.* rw, deny /tmp/.* rw,
deny /tmp/.*/{,**} rw, deny /tmp/.*/{,**} rw,
owner @{HOME}/@{XDG_DESKTOP_DIR}/.directory l -> @{HOME}/@{XDG_DESKTOP_DIR}/#@{int},
owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/kio_http/* rwl, owner @{user_cache_dirs}/kio_http/* rwl,
owner @{user_cache_dirs}/ksycoca5_* r, owner @{user_cache_dirs}/ksycoca5_* r,


@ -17,7 +17,6 @@ profile ksplashqml @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/usr/share/plasma/** r, /usr/share/plasma/** r,
/usr/share/qt/translations/*.qm r,
owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/ksplash/ rw, owner @{user_cache_dirs}/ksplash/ rw,


@ -128,6 +128,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_config_dirs}/kwalletrc r, owner @{user_config_dirs}/kwalletrc r,
owner @{user_config_dirs}/menus/{,**} r, owner @{user_config_dirs}/menus/{,**} r,
owner @{user_config_dirs}/plasma* rwlk, owner @{user_config_dirs}/plasma* rwlk,
owner @{user_config_dirs}/pulse/ rw,
owner @{user_config_dirs}/pulse/cookie rwk, owner @{user_config_dirs}/pulse/cookie rwk,
owner @{user_config_dirs}/trashrc r, owner @{user_config_dirs}/trashrc r,


@ -17,15 +17,21 @@ profile networkd-dispatcher @{exec_path} {
dbus receive bus=system path=/org/freedesktop/network1{,/link/*} dbus receive bus=system path=/org/freedesktop/network1{,/link/*}
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=PropertiesChanged member=PropertiesChanged
peer=(name=:*), peer=(name=:*, label=systemd-networkd),
@{exec_path} mr, @{exec_path} mr,
@{bin}/ r, @{bin}/ r,
@{bin}/networkctl rPx, @{bin}/networkctl rPx,
@{bin}/ls rix,
@{bin}/sed rix,
@{lib}/networkd-dispatcher/routable.d/postfix rix,
/etc/networkd-dispatcher/{,**} r, /etc/networkd-dispatcher/{,**} r,
/var/spool/postfix/pid/master.pid r,
@{run}/systemd/notify rw, @{run}/systemd/notify rw,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
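Review bot: Executing the hook with `@{lib}/networkd-dispatcher/routable.d/postfix rix,` inherits the dispatcher's profile, which is why `@{bin}/ls rix,`, `@{bin}/sed rix,` and `/var/spool/postfix/pid/master.pid r,` now live in the daemon's own rule set, and every further hook script will have to be accommodated the same way. A child profile for hook scripts, in the style of the run-parts child that the nm-dispatcher section references through `<local/nm-dispatcher_run-parts>`, would keep hook permissions separate from the daemon. Tightening the PropertiesChanged rule to `peer=(name=:*, label=systemd-networkd)` is a good change. The profile continues outside the hunk.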


@ -18,7 +18,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
capability sys_nice, capability sys_nice,
capability sys_ptrace, capability sys_ptrace,
ptrace (read) peer=unconfined, ptrace (read) peer=@{systemd},
# dbus: own bus=system name=org.freedesktop.nm_dispatcher # dbus: own bus=system name=org.freedesktop.nm_dispatcher
@ -73,7 +73,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
/etc/network/if-*.d/* rPUx, /etc/network/if-*.d/* rPUx,
/etc/wpa_supplicant/ifupdown.sh rPUx, /etc/wpa_supplicant/ifupdown.sh rPUx,
include if exists <local/anacron_run_parts> include if exists <local/nm-dispatcher_run-parts>
} }
include if exists <local/nm-dispatcher> include if exists <local/nm-dispatcher>


@ -7,9 +7,10 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/paccache @{exec_path} = @{bin}/paccache
profile paccache @{exec_path} { profile paccache @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl>
capability dac_read_search, capability dac_read_search,
capability mknod, capability mknod,
@ -20,8 +21,11 @@ profile paccache @{exec_path} {
@{bin}/bash rix, @{bin}/bash rix,
@{bin}/cat rix, @{bin}/cat rix,
@{bin}/gettext rix, @{bin}/gettext rix,
@{bin}/pacman rPx, @{bin}/gpg{,2} rix,
@{bin}/pacman-conf rPx, @{bin}/gpgconf rix,
@{bin}/gpgsm rix,
@{bin}/pacman rix,
@{bin}/pacman-conf rix,
@{bin}/pacsort rix, @{bin}/pacsort rix,
@{bin}/rm rix, @{bin}/rm rix,
@{bin}/stat rix, @{bin}/stat rix,
@ -31,7 +35,11 @@ profile paccache @{exec_path} {
/usr/share/makepkg/util/*.sh r, /usr/share/makepkg/util/*.sh r,
/usr/share/terminfo/** r, /usr/share/terminfo/** r,
/etc/pacman.conf r,
/etc/pacman.d/{,**} r,
/var/cache/pacman/pkg/{,*} rw, /var/cache/pacman/pkg/{,*} rw,
/var/lib/pacman/{,**} r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
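Review bot: `@{bin}/pacman rix,` and `@{bin}/pacman-conf rix,` in the second hunk replace the earlier `rPx` transitions, so the package manager — and through it `@{bin}/gpg{,2}`, `@{bin}/gpgconf` and `@{bin}/gpgsm`, also `rix` — now runs under paccache's rules instead of their dedicated profiles, which is what forces the new `/etc/pacman.d`, `/var/lib/pacman` and openssl entries into this profile. If the pacman profile cannot be used here, the gpg helpers could at least move to a child profile as the flatpak section does with `@{bin}/gpgsm rCx -> gpg,`. A comment recording why the `rPx` transitions were dropped would help the next maintainer; the profile continues outside the hunks.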


@ -56,7 +56,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
dbus send bus=system path=/org/freedesktop/login1 dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager interface=org.freedesktop.login1.Manager
member={CreateSession,ReleaseSession} member={CreateSession,ReleaseSession,CreateSessionWithPIDFD}
peer=(name=org.freedesktop.login1, label=systemd-logind), peer=(name=org.freedesktop.login1, label=systemd-logind),
@{exec_path} mrix, @{exec_path} mrix,


@ -14,10 +14,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
capability net_admin, capability net_admin,
capability sys_module, capability sys_module,
# Needed? (#FIXME#)
audit capability sys_resource, audit capability sys_resource,
ptrace (read) peer=@{systemd},
signal send peer=child-pager, signal send peer=child-pager,
network inet dgram, network inet dgram,
@ -44,10 +44,13 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
/{run,var}/log/journal/@{md5}/system.journal* r, /{run,var}/log/journal/@{md5}/system.journal* r,
/{run,var}/log/journal/@{md5}/system@@{hex}.journal* r, /{run,var}/log/journal/@{md5}/system@@{hex}.journal* r,
@{run}/systemd/netif/leases/@{int} r,
@{run}/systemd/netif/links/@{int} r, @{run}/systemd/netif/links/@{int} r,
@{run}/systemd/netif/state r, @{run}/systemd/netif/state r,
@{run}/systemd/notify w, @{run}/systemd/notify w,
@{run}/udev/data/n@{int} r,
@{sys}/devices/**/net/**/uevent r, @{sys}/devices/**/net/**/uevent r,
@{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/boot_id r,
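Review bot: The `# Needed? (#FIXME#)` comment is removed in the first hunk but `audit capability sys_resource,` keeps its `audit` qualifier, so it is unclear whether the capability was confirmed as required (then the plain `capability sys_resource,` is the usual form) or is still under investigation (then the comment should stay). The new `ptrace (read) peer=@{systemd},` would likewise read better with a note of what networkctl reads from the systemd peer. The leases and `@{run}/udev/data/n@{int} r,` additions in the second hunk are consistent with the existing netif lines; the profile continues outside the hunks.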


@ -27,7 +27,7 @@ profile systemd-backlight @{exec_path} {
@{sys}/class/ r, @{sys}/class/ r,
@{sys}/class/backlight/ r, @{sys}/class/backlight/ r,
@{sys}/devices/pci[0-9]*/*:@{int}.@{int}/**/ r, @{sys}/devices/@{pci}/*:@{int}.@{int}/**/ r,
@{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/ r,
@{sys}/devices/@{pci}/backlight/**/{max_brightness,actual_brightness} r, @{sys}/devices/@{pci}/backlight/**/{max_brightness,actual_brightness} r,
@{sys}/devices/@{pci}/backlight/**/{uevent,type} r, @{sys}/devices/@{pci}/backlight/**/{uevent,type} r,


@ -20,6 +20,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{run}/host/container-manager r, @{run}/host/container-manager r,
@{run}/systemd/notify w,
@{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/bios_vendor r,
@{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r,


@ -18,6 +18,11 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
# dbus: own bus=system name=org.freedesktop.hostname1 # dbus: own bus=system name=org.freedesktop.hostname1
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetConnectionUnixUser
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
@{exec_path} mr, @{exec_path} mr,
@{etc_rw}/.#hostname* rw, @{etc_rw}/.#hostname* rw,
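Review bot: The new GetConnectionUnixUser rule pins `label=dbus-daemon`, yet this same commit maintains a `dbus-broker` profile, so on systems where dbus-broker hosts the system bus the call would not match this rule and would be denied. If both bus implementations are supported, the label needs to cover both, e.g. `peer=(name=org.freedesktop.DBus, label="{dbus-daemon,dbus-broker}"),` assuming the label field accepts the same brace alternation used elsewhere in these profiles; otherwise a comment should say that only dbus-daemon is expected. The profile continues outside the hunk.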


@ -27,6 +27,8 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
network netlink raw, network netlink raw,
# mqueue r type=posix /,
# dbus: own bus=system name=org.freedesktop.login1 # dbus: own bus=system name=org.freedesktop.login1
# dbus: talk bus=system name=org.freedesktop.systemd1 label="@{systemd}" # dbus: talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"
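Review bot: The added `# mqueue r type=posix /,` is a commented-out rule with no explanation of why it is parked, so the next reader cannot tell whether the installed parser does not support it yet, whether it is not needed, or whether a root-wide mqueue grant was judged too wide. A trailing note such as `# mqueue r type=posix /, # disabled: <reason — TODO confirm>` would make the intent explicit. The profile continues outside the hunk.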


@ -29,6 +29,15 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
# dbus: own bus=system name=org.freedesktop.network1 # dbus: own bus=system name=org.freedesktop.network1
dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.hostname1
member=SetHostname
peer=(name=org.freedesktop.hostname1),
dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.hostname1
member=SetHostname
peer=(name=org.freedesktop.hostname1, label=systemd-hostnamed),
@{exec_path} mr, @{exec_path} mr,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
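Review bot: The two new SetHostname rules are identical except that the first ends in `peer=(name=org.freedesktop.hostname1),` and the second adds `label=systemd-hostnamed`; since a rule without a label is a superset of the same rule with one, the first makes the second ineffective and the pair reads like a leftover from editing. Keep only the labelled rule unless the unlabelled form is required for a broker that reports a different label for well-known-name peers, in which case that reason belongs in a comment next to it. The profile continues outside the hunk.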


@ -17,6 +17,8 @@ profile ubuntu-report @{exec_path} {
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
signal (receive) set=(cont term) peer=@{systemd_user},
@{exec_path} mr, @{exec_path} mr,
@{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,


@ -70,10 +70,10 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
ptrace (read,trace) peer=unconfined, ptrace (read,trace) peer=unconfined,
ptrace (read,trace) peer=@{profile_name}, ptrace (read,trace) peer=@{profile_name},
ptrace (read,trace) peer=dnsmasq, ptrace (read,trace) peer=dnsmasq,
ptrace (read,trace) peer=libvirt-*, ptrace (read,trace) peer=libvirt-@{uuid},
ptrace (read,trace) peer=virt-manager, ptrace (read,trace) peer=virt-manager,
signal (read,send) peer=libvirt-*, signal (read,send) peer=libvirt-@{uuid},
signal (read,send) peer=unconfined, signal (read,send) peer=unconfined,
signal (send) peer=dnsmasq, signal (send) peer=dnsmasq,
signal (send) set=(kill, term) peer=virtiofsd, signal (send) set=(kill, term) peer=virtiofsd,
@ -246,16 +246,17 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/dev/cpu/@{int}/msr r,
/dev/dri/ r, /dev/dri/ r,
/dev/hugepages/{,**} w, /dev/hugepages/{,**} w,
/dev/kvm rw, /dev/kvm rw,
/dev/mapper/ r, /dev/mapper/ r,
/dev/mapper/control rw, /dev/mapper/control rw,
/dev/net/tun rw, /dev/net/tun rw,
/dev/ptmx rw,
/dev/shm/libvirt/{,**} rw, /dev/shm/libvirt/{,**} rw,
/dev/vfio/@{int} rwk, /dev/vfio/@{int} rwk,
/dev/vhost-net rw, /dev/vhost-net rw,
/dev/ptmx rw,
# Force the use of virt-aa-helper # Force the use of virt-aa-helper
audit deny @{bin}/apparmor_parser rwxl, audit deny @{bin}/apparmor_parser rwxl,
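Review bot: `/dev/cpu/@{int}/msr r,` in the second hunk grants reads of model-specific registers, an unusual grant for a management daemon, and carries no comment on which feature probes them. A note such as `/dev/cpu/@{int}/msr r, # for CPU feature probing — TODO confirm` would document the intent and make it easy to drop if the feature goes away. Narrowing `peer=libvirt-*` to `peer=libvirt-@{uuid}` in the ptrace and signal rules of the first hunk is a welcome tightening; the `/dev/ptmx` change is only a reorder. The profile continues outside the hunks.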


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{lib}/qemu/virtiofsd @{bin}/virtiofsd @{exec_path} = @{lib}/{,qemu/}virtiofsd @{bin}/virtiofsd
profile virtiofsd @{exec_path} { profile virtiofsd @{exec_path} {
include <abstractions/base> include <abstractions/base>


@ -23,17 +23,19 @@ profile btop @{exec_path} {
owner @{user_config_dirs}/btop/{,**} rw, owner @{user_config_dirs}/btop/{,**} rw,
@{sys}/class/power_supply/ r,
@{sys}/class/hwmon/ r, @{sys}/class/hwmon/ r,
@{sys}/class/power_supply/ r,
@{sys}/devices/@{pci}/host@{int}/*/*/block/*/*/stat r,
@{sys}/devices/@{pci}/net/*/address r,
@{sys}/devices/@{pci}/net/*/statistics/{rx,tx}_bytes r,
@{sys}/devices/@{pci}/usb@{int}/**/power_supply/** r,
@{sys}/devices/platform/coretemp.@{int}/hwmon/hwmon@{int}/{,*} r,
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r,
@{sys}/devices/virtual/**/net/*/address r,
@{sys}/devices/virtual/**/net/*/statistics/{rx,tx}_bytes r,
@{sys}/devices/virtual/block/dm-@{int}/stat r,
@{sys}/devices/virtual/thermal/thermal_zone@{int}/ r, @{sys}/devices/virtual/thermal/thermal_zone@{int}/ r,
@{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/{,*} r, @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/{,*} r,
@{sys}/devices/platform/coretemp.@{int}/hwmon/hwmon@{int}/{,*} r,
@{sys}/devices/virtual/block/dm-@{int}/stat r,
@{sys}/devices/@{pci}/host@{int}/*/*/block/*/*/stat r,
@{sys}/devices/{pci[0-9]*,virtual}/{,**/}net/*/statistics/{rx,tx}_bytes r,
@{sys}/devices/{pci[0-9]*,virtual}/{,**/}net/*/address r,
@{sys}/devices/pci[0-9]*/*/*/usb@{int}/**/power_supply/hidpp_battery_[@{int}/{,hwmon@{int}/} r,
@{PROC} r, @{PROC} r,
@{PROC}/loadavg r, @{PROC}/loadavg r,


@ -61,7 +61,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
@{lib}/linux-kbuild-*/tools/objtool/objtool rix, @{lib}/linux-kbuild-*/tools/objtool/objtool rix,
@{lib}/llvm-[0-9]*/bin/clang rix, @{lib}/llvm-[0-9]*/bin/clang rix,
@{lib}/modules/*/build/scripts/** rix, @{lib}/modules/*/build/scripts/** rix,
@{lib}/modules/*/build/tools/objtool/objtool rix, @{lib}/modules/*/build/tools/** rix,
/var/lib/dkms/**/build/* rix, /var/lib/dkms/**/build/* rix,
/var/lib/dkms/**/configure rix, /var/lib/dkms/**/configure rix,
@ -125,6 +125,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
owner /tmp/tmp.* r, owner /tmp/tmp.* r,
@{sys}/module/compression r,
deny /apparmor/.null rw, deny /apparmor/.null rw,
include if exists <local/dkms_kmod> include if exists <local/dkms_kmod>


@ -9,11 +9,11 @@ include <tunables/global>
@{exec_path} = @{bin}/flatpak @{exec_path} = @{bin}/flatpak
profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) { profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus/org.freedesktop.Accounts> include <abstractions/bus/org.freedesktop.Accounts>
include <abstractions/consoles>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/freedesktop.org> include <abstractions/gnome-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
@ -44,7 +44,6 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
@{bin}/gpgsm rCx -> gpg, @{bin}/gpgsm rCx -> gpg,
@{lib}/revokefs-fuse rix, @{lib}/revokefs-fuse rix,
/usr/share/gvfs/remote-volume-monitors/*.monitor r,
/usr/share/flatpak/{,**} r, /usr/share/flatpak/{,**} r,
/etc/flatpak/{,**} r, /etc/flatpak/{,**} r,


@ -24,16 +24,16 @@ profile fsck @{exec_path} {
/etc/fstab r, /etc/fstab r,
# When a mount dir is passed to fsck as an argument. # When a mount dir is passed to fsck as an argument.
@{HOME}/ r,
@{MOUNTS}/ r, @{MOUNTS}/ r,
/boot/ r, /boot/ r,
/home/ r,
owner @{run}/fsck/ rw,
owner @{run}/fsck/*.lock rwk,
owner @{run}/blkid/blkid.tab{,-@{rand6}} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
@{run}/mount/utab r, @{run}/mount/utab r,
@{run}/systemd/fsck.progress rw, @{run}/systemd/fsck.progress rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
owner @{run}/blkid/blkid.tab{,-@{rand6}} rw,
owner @{run}/fsck/ rw,
owner @{run}/fsck/*.lock rwk,
@{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mountinfo r,
@{PROC}/partitions r, @{PROC}/partitions r,


@ -35,6 +35,7 @@ profile initd-kexec @{exec_path} {
/etc/default/kexec.d/ r, /etc/default/kexec.d/ r,
include if exists <local/initd-kexec_run-parts>
} }
profile systemctl { profile systemctl {


@ -10,10 +10,8 @@ include <tunables/global>
@{exec_path} = @{bin}/kerneloops-applet @{exec_path} = @{bin}/kerneloops-applet
profile kerneloops-applet @{exec_path} { profile kerneloops-applet @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org> include <abstractions/desktop>
@{exec_path} mr, @{exec_path} mr,
@ -21,14 +19,8 @@ profile kerneloops-applet @{exec_path} {
owner @{HOME}/.kerneloops rw, owner @{HOME}/.kerneloops rw,
owner @{HOME}/.Xauthority r,
owner /tmp/xauth-[0-9]*-_[0-9] r,
# When found a kernel OOPS make a tmp file and fill it with the OOPS message # When found a kernel OOPS make a tmp file and fill it with the OOPS message
/tmp/kerneloops.* rw, /tmp/kerneloops.* rw,
# Fonts
/usr/share/poppler/cMap/Adobe-Japan2/ r,
include if exists <local/kerneloops-applet> include if exists <local/kerneloops-applet>
} }
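Review bot: Dropping `owner @{HOME}/.Xauthority r,` and `owner /tmp/xauth-[0-9]*-_[0-9] r,` only works if the new `abstractions/desktop` include already grants X authority file access; that cannot be confirmed from this hunk, so please verify the applet still connects to the display under the new profile before this leaves complain-free use. Separately, `/tmp/kerneloops.* rw,` on the new side carries no `owner` qualifier, so the applet may read and write any user's matching file in world-writable /tmp; if the file is always created by the applet's own user, `owner /tmp/kerneloops.* rw,` is the tighter rule. The comment above that line would also read better as `# When a kernel OOPS is found, create a tmp file and fill it with the OOPS message`.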


@ -15,6 +15,7 @@ profile landscape-sysinfo.wrapper @{exec_path} {
@{sh_path} rix, @{sh_path} rix,
@{bin}/bc rix, @{bin}/bc rix,
@{bin}/cat rix, @{bin}/cat rix,
@{bin}/chmod rix,
@{bin}/cut rix, @{bin}/cut rix,
@{bin}/date rix, @{bin}/date rix,
@{bin}/find rix, @{bin}/find rix,
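Review bot: The new `@{bin}/chmod rix,` line carries no comment saying what it needs to change the mode of, unlike the annotated entries elsewhere in this commit (the pass profile tags its helpers with `# pass-otp` and similar); a trailing note such as `@{bin}/chmod rix, # <target file or reason>` would let the next reader judge whether the rule is still needed. Because `ix` inherits this profile, chmod can only act on paths the profile already grants write access to, so if that target path is not covered the denial simply moves from the exec to the chmod call. The profile body continues outside the hunk.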


@ -16,6 +16,7 @@ profile pass @{exec_path} {
@{sh_path} rix, @{sh_path} rix,
@{bin}/base64 rix, @{bin}/base64 rix,
@{bin}/basename rix,
@{bin}/cat rix, @{bin}/cat rix,
@{bin}/cp rix, @{bin}/cp rix,
@{bin}/diff rix, @{bin}/diff rix,
@ -52,7 +53,7 @@ profile pass @{exec_path} {
# Pass extensions # Pass extensions
@{bin}/oathtool rix, # pass-otp @{bin}/oathtool rix, # pass-otp
@{bin}/python3.@{int} rPx -> pass-import, # pass-import @{bin}/python3.@{int} rPx -> pass-import, # pass-import, pass-audit
@{bin}/qrencode rPUx, # pass-otp @{bin}/qrencode rPUx, # pass-otp
@{bin}/tomb rPUx, # pass-tomb @{bin}/tomb rPUx, # pass-tomb
@ -138,6 +139,7 @@ profile pass @{exec_path} {
capability dac_read_search, capability dac_read_search,
@{bin}/gpg{,2} mr, @{bin}/gpg{,2} mr,
@{bin}/gpg-agent rPx,
owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
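Review bot: `@{bin}/gpg-agent rPx,` in the last hunk is a strict transition with no `U` fallback, so if no `gpg-agent` profile is loaded the exec is denied and pass fails at the first decrypt rather than degrading; that is the right default for a secret-handling tool, but the dependency should be stated on the rule, e.g. `@{bin}/gpg-agent rPx, # requires the gpg-agent profile`. The python3 rule in the second hunk now routes pass-audit through the pass-import profile as well, which presumes that profile covers pass-audit's own file reads; that cannot be confirmed from this page. The enclosing profile block starts outside the hunk.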


@ -1,53 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /opt/SPFlashTool/flash_tool{,.sh}
profile spflashtool @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
@{exec_path} mrix,
# SPFlashTool installation files
/opt/SPFlashTool/{,**} r,
/opt/SPFlashTool/lib*.so mr,
/opt/SPFlashTool/lib/lib*.so.[0-9]* mr,
/opt/SPFlashTool/*.ini rk,
# Session logs
owner /tmp/SP_FT_Logs/ rw,
owner /tmp/SP_FT_Logs/SP_FT_Dump_*/ rw,
owner /tmp/SP_FT_Logs/SP_FT_Dump_*1/QT_FLASH_TOOL.log w,
owner /tmp/SP_FT_Logs/SP_FT_Dump_*/BROM_DLL_V[0-9]*.log w,
owner /tmp/SP_FT_Logs/SP_FT_Dump_*/GLB_[0-9]*-[0-9]*_[0-9]*.log w,
owner /tmp/SP_FT_Logs/SP_FT_Dump_*/QT_FLASH_TOOL.log w,
owner /tmp/SP_FT_Logs/SP_FT_Dump_*/ADPT_[0-9]*-[0-9]*_[0-9]*.log w,
# For reading the scatter.txt file
owner /**/scatter.txt r,
owner @{user_config_dirs}/Trolltech.conf rwk,
owner @{user_config_dirs}/MTK/ rw,
owner @{user_config_dirs}/MTK/Clipper.conf rwk,
/dev/ r,
# For reading/writing from/to phone flash memory
/dev/ttyACM[0-9]* rw,
@{sys}/devices/@{pci}/{idVendor,idProduct} r,
# Silence the noise
/opt/SPFlashTool/** w,
include if exists <local/spflashtool>
}


@ -29,7 +29,8 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) {
@{sys}/class/ r, @{sys}/class/ r,
@{sys}/class/drm/ r, @{sys}/class/drm/ r,
@{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/@{pci}/boot_vga r,
@{sys}/devices/{pci[0-9]*,virtual}/**/uevent r, @{sys}/devices/@{pci}/uevent r,
@{sys}/devices/virtual/**/uevent r,
include if exists <local/switcheroo-control> include if exists <local/switcheroo-control>
} }


@ -78,9 +78,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
@{bin}/fsck.fat rPx, @{bin}/fsck.fat rPx,
@{bin}/lvm rPUx, @{bin}/lvm rPUx,
@{bin}/mke2fs rPx, @{bin}/mke2fs rPx,
@{bin}/mkfs.btrfs rPx, @{bin}/mkfs.* rPx,
@{bin}/mkfs.ext{2,3,4} rPx,
@{bin}/mkfs.fat rPx,
@{bin}/mount.exfat-fuse rPUx, @{bin}/mount.exfat-fuse rPUx,
@{bin}/ntfs-3g rPx, @{bin}/ntfs-3g rPx,
@{bin}/ntfsfix rPx, @{bin}/ntfsfix rPx,
@ -94,7 +92,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
/etc/fstab r, /etc/fstab r,
/etc/crypttab r, /etc/crypttab r,
/var/lib/udisks2/ r, /var/lib/udisks2/{,**} r,
/var/lib/udisks2/mounted-fs{,*} rw, /var/lib/udisks2/mounted-fs{,*} rw,
# Be able to create/delete dirs for removable media # Be able to create/delete dirs for removable media
@ -113,7 +111,6 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+pci:* r, @{run}/udev/data/+pci:* r,
@{run}/udev/data/+platform:* r, @{run}/udev/data/+platform:* r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{sys}/bus/ r, @{sys}/bus/ r,