update apparmor profiles

This commit is contained in:
Mikhail Morfikov 2021-03-13 09:47:36 +01:00
parent 0f64093e46
commit 5b12c89dba
No known key found for this signature in database
GPG Key ID: 32D9CB634796CCA1
48 changed files with 755 additions and 67 deletions


@ -41,3 +41,9 @@
deny /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} w, deny /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} w,
/usr/share/**/.uuid r, /usr/share/**/.uuid r,
deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w, deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w,
# For Google Fonts downloaded via font-manager
owner "@{HOME}/.local/share/fonts/Google Fonts/.uuid" r,
deny "@{HOME}/.local/share/fonts/Google Fonts/.uuid{,.NEW,.LCK,.TMP-*}" w,
owner "@{HOME}/.local/share/fonts/Google Fonts/**/.uuid" r,
deny "@{HOME}/.local/share/fonts/Google Fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" w,


@ -25,3 +25,10 @@
link /usr/local/share/fonts/.uuid.LCK -> /usr/local/share/fonts/.uuid.TMP-*, link /usr/local/share/fonts/.uuid.LCK -> /usr/local/share/fonts/.uuid.TMP-*,
/usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} r, /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} r,
deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w, deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w,
# For Google Fonts downloaded via font-manager (###FIXME### when they fix resolving of vars)
owner "@{HOME}/.local/share/fonts/Google Fonts/.uuid{,.NEW,.LCK,.TMP-*}" rw,
link "@{HOME}/.local/share/fonts/Google Fonts/.uuid.LCK" -> "/home/*/.local/share/fonts/Google Fonts/.uuid.TMP-*",
owner "@{HOME}/.local/share/fonts/Google Fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" rw,
link "@{HOME}/.local/share/fonts/Google Fonts/**/.uuid.LCK" -> "/home/*/.local/share/fonts/Google Fonts/**/.uuid.TMP-*",
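Review bot: The two `link` rules at L31 and L33 hard-code `/home/*/` as the link target and carry no `owner` qualifier, so the rule permits hard-linking the fontconfig lock file into any user's `Google Fonts` tree rather than only the caller's own, while the surrounding `rw` rules on L30 and L32 are `owner`-restricted. The `###FIXME###` comment explains the variable-resolution workaround but not this widening. If the parser accepts the owner qualifier on link rules, `owner link "@{HOME}/.local/share/fonts/Google Fonts/.uuid.LCK" -> "/home/*/.local/share/fonts/Google Fonts/.uuid.TMP-*",` (and the same for the `**` variant) keeps the scope consistent with the rest of the block; otherwise the comment should state that `/home/*` is a deliberate, temporary broadening. The abstraction this hunk belongs to starts and ends outside the hunk.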


@ -26,6 +26,8 @@
owner @{HOME}/.local/share/Trash/files/{,**} rw, owner @{HOME}/.local/share/Trash/files/{,**} rw,
owner @{HOME}/.local/share/Trash/info/ rw, owner @{HOME}/.local/share/Trash/info/ rw,
owner @{HOME}/.local/share/Trash/info/*.trashinfo{,.*} rw, owner @{HOME}/.local/share/Trash/info/*.trashinfo{,.*} rw,
owner @{HOME}/.local/share/Trash/expunged/ rw,
owner @{HOME}/.local/share/Trash/expunged/[0-9]* rw,
# Partitions' trash location when the admin creates the .Trash/ folder in the top lvl dir # Partitions' trash location when the admin creates the .Trash/ folder in the top lvl dir
owner /media/*/.Trash/ rw, owner /media/*/.Trash/ rw,
@ -35,6 +37,8 @@
owner /media/*/.Trash/[0-9]*/files/{,**} rw, owner /media/*/.Trash/[0-9]*/files/{,**} rw,
owner /media/*/.Trash/[0-9]*/info/ rw, owner /media/*/.Trash/[0-9]*/info/ rw,
owner /media/*/.Trash/[0-9]*/info/*.trashinfo{,.*} rw, owner /media/*/.Trash/[0-9]*/info/*.trashinfo{,.*} rw,
owner /media/*/.Trash/[0-9]*/expunged/ rw,
owner /media/*/.Trash/[0-9]*/expunged/[0-9]* rw,
# Partitions' trash location when the admin doesn't create the .Trash/ folder in the top lvl dir # Partitions' trash location when the admin doesn't create the .Trash/ folder in the top lvl dir
owner /media/*/.Trash-[0-9]*/ rw, owner /media/*/.Trash-[0-9]*/ rw,
@ -43,3 +47,5 @@
owner /media/*/.Trash-[0-9]*/files/{,**} rw, owner /media/*/.Trash-[0-9]*/files/{,**} rw,
owner /media/*/.Trash-[0-9]*/info/ rw, owner /media/*/.Trash-[0-9]*/info/ rw,
owner /media/*/.Trash-[0-9]*/info/*.trashinfo{,.*} rw, owner /media/*/.Trash-[0-9]*/info/*.trashinfo{,.*} rw,
owner /media/*/.Trash-[0-9]*/expunged/ rw,
owner /media/*/.Trash-[0-9]*/expunged/[0-9]* rw,


@ -211,7 +211,7 @@ profile android-studio @{exec_path} {
@{PROC}/vmstat r, @{PROC}/vmstat r,
@{PROC}/loadavg r, @{PROC}/loadavg r,
@{sys}/fs/cgroup/*/** r, @{sys}/fs/cgroup/{,**} r,
/var/tmp/ r, /var/tmp/ r,
/tmp/ r, /tmp/ r,
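Review bot: The new `@{sys}/fs/cgroup/{,**} r,` on L65 replaces a narrower rule with read access to the entire cgroup tree, and the same substitution appears in arduino (L83), hardinfo (L649), spacefm (L793-L794, where it replaces two specific `cpu.cfs_*` files), systemd-analyze (L859) and tint2 (L868). The cgroup tree includes `cgroup.procs` and unit-named directories for every session, so the widened rule lets each of these apps enumerate other users' processes and services, which the previous file-specific rules did not. Where the needed file is known (spacefm clearly only read the two cpu.cfs files) keeping the specific rule is preferable; where a wildcard is really required, a comment naming the access that motivated it, e.g. `# Needed for <library> cgroup probing (reads cpu.cfs_* and memory.*) — TODO confirm`, would let a later reviewer re-narrow it. The android-studio profile this hunk belongs to starts outside the hunk.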


@ -36,6 +36,8 @@ profile appstreamcli @{exec_path} flags=(complain) {
owner /var/cache/app-info/{,**} rw, owner /var/cache/app-info/{,**} rw,
owner /tmp/appstream-cache-*.mdb rw, owner /tmp/appstream-cache-*.mdb rw,
owner /tmp/appstream/ rw,
owner /tmp/appstream/appcache-*.mdb rw,
owner @{HOME}/.local/share/mime/mime.cache r, owner @{HOME}/.local/share/mime/mime.cache r,
/usr/share/mime/mime.cache r, /usr/share/mime/mime.cache r,


@ -109,7 +109,7 @@ profile arduino @{exec_path} {
/etc/avrdude.conf r, /etc/avrdude.conf r,
@{sys}/fs/cgroup/** r, @{sys}/fs/cgroup/{,**} r,
@{sys}/class/tty/ r, @{sys}/class/tty/ r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,manufacturer,serial,product} r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,manufacturer,serial,product} r,


@ -111,7 +111,7 @@ profile calibre @{exec_path} {
owner @{HOME}/.cache/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9], owner @{HOME}/.cache/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{HOME}/.cache/gstreamer-[0-9]*/ rw, owner @{HOME}/.cache/gstreamer-[0-9]*/ rw,
owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw, owner @{HOME}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
owner /tmp/calibre_*_tmp_*/{,**} rw, owner /tmp/calibre_*_tmp_*/{,**} rw,
owner /tmp/calibre-*/{,**} rw, owner /tmp/calibre-*/{,**} rw,


@ -42,7 +42,7 @@ profile cawbird @{exec_path} {
owner @{HOME}/.cache/cawbird-* rw, owner @{HOME}/.cache/cawbird-* rw,
owner @{HOME}/.cache/gstreamer-[0-9]*/ rw, owner @{HOME}/.cache/gstreamer-[0-9]*/ rw,
owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw, owner @{HOME}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,


@ -27,6 +27,8 @@ profile colord @{exec_path} {
/usr/libexec/colord-sane rPx, /usr/libexec/colord-sane rPx,
owner /var/lib/colord/** r, owner /var/lib/colord/** r,
owner /var/lib/colord/.cache/ rw,
owner /var/lib/colord/.cache/** rw,
owner /var/lib/colord/{mapping,storage}.db rwk, owner /var/lib/colord/{mapping,storage}.db rwk,
/etc/udev/hwdb.bin r, /etc/udev/hwdb.bin r,

64
apparmor.d/dino-im Normal file

@ -0,0 +1,64 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dino-im
profile dino-im @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
# Needed for GPG/PGP support
/{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ w,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{HOME}/.local/share/dino/ rw,
owner @{HOME}/.local/share/dino/** rwk,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{PROC}/@{pid}/fd/ r,
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpg mr,
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpgsm mr,
owner @{HOME}/.gnupg/ rw,
owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
}
include if exists <local/dino-im>
}
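Review bot: The `gpg` child profile's rule on L163, `owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,`, grants read, write, lock and link over the whole keyring directory, private key material included, and the profile carries no comment on why that breadth is acceptable. The design is sound — L147-L149 move gpg, gpgconf and gpgsm into the child precisely so the main `dino-im` profile (which has network access) never touches `~/.gnupg`, and the child has no network rules — but that intent should be written down so a later edit does not add `network` or `.gnupg` rules to the wrong profile; something like `# Keyring access is confined to this child profile; it deliberately has no network rules.` above L157. Separately, gpg normally starts gpg-agent when none is running, and the child has no exec rule for it, so agent startup presumably fails under enforcement — worth a test and either a rule or a comment stating the agent is expected to be running already.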


@ -23,7 +23,6 @@ profile engrampa @{exec_path} {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read> include <abstractions/thumbnails-cache-read>
include <abstractions/deny-dconf>
include <abstractions/deny-root-dir-access> include <abstractions/deny-root-dir-access>
@{exec_path} mr, @{exec_path} mr,
@ -45,12 +44,17 @@ profile engrampa @{exec_path} {
/{usr/,}bin/bzip2 rix, /{usr/,}bin/bzip2 rix,
/{usr/,}bin/cpio rix, /{usr/,}bin/cpio rix,
/{usr/,}bin/gzip rix, /{usr/,}bin/gzip rix,
/{usr/,}bin/zstd rix,
# For deb packages # For deb packages
/{usr/,}bin/dpkg-deb rix, /{usr/,}bin/dpkg-deb rix,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
/{usr/,}bin/xdg-open rCx -> open, /{usr/,}bin/xdg-open rCx -> open,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{HOME}/.config/engrampa/ rw, owner @{HOME}/.config/engrampa/ rw,
/ r, / r,
@ -69,6 +73,7 @@ profile engrampa @{exec_path} {
owner @{HOME}/.config/mimeapps.list{,.*} rw, owner @{HOME}/.config/mimeapps.list{,.*} rw,
owner @{HOME}/.local/share/ r, owner @{HOME}/.local/share/ r,
owner @{HOME}/.local/share/gvfs-metadata/** r,
/usr/share/engrampa/{,**} r, /usr/share/engrampa/{,**} r,


@ -22,10 +22,12 @@ profile f3read @{exec_path} {
# USB drive mount locations # USB drive mount locations
/media/*/ r, /media/*/ r,
/media/*/*/ r, /media/*/*/ r,
/mnt/ r,
# To be able to read h2w files # To be able to read h2w files
/media/*/[0-9]*.h2w r, owner /media/*/[0-9]*.h2w r,
/media/*/*/[0-9]*.h2w r, owner /media/*/*/[0-9]*.h2w r,
owner /mnt/[0-9]*.h2w r,
include if exists <local/f3read> include if exists <local/f3read>
} }


@ -26,10 +26,12 @@ profile f3write @{exec_path} {
# USB drive mount locations # USB drive mount locations
/media/*/ r, /media/*/ r,
/media/*/*/ r, /media/*/*/ r,
/mnt/ r,
# To be able to write h2w files # To be able to write h2w files
owner /media/*/[0-9]*.h2w w, owner /media/*/[0-9]*.h2w w,
owner /media/*/*/[0-9]*.h2w w, owner /media/*/*/[0-9]*.h2w w,
owner /mnt/[0-9]*.h2w w,
include if exists <local/f3write> include if exists <local/f3write>
} }


@ -96,7 +96,7 @@ profile firefox @{exec_path} {
owner @{MOZ_CACHEDIR}/** rwk, owner @{MOZ_CACHEDIR}/** rwk,
owner @{HOME}/.cache/gstreamer-[0-9]*/ rw, owner @{HOME}/.cache/gstreamer-[0-9]*/ rw,
owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw, owner @{HOME}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
deny @{sys}/devices/system/cpu/present r, deny @{sys}/devices/system/cpu/present r,
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,

86
apparmor.d/font-manager Normal file

@ -0,0 +1,86 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/font-manager
profile font-manager @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-write>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} r,
/{usr/,}lib/@{multiarch}/webkit*gtk-*/WebKitWebProcess rix,
/{usr/,}lib/@{multiarch}/webkit*gtk-*/WebKitNetworkProcess rix,
/{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner rPUx,
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/font-manager/ rw,
owner @{HOME}/.cache/font-manager/* rwk,
owner @{HOME}/.cache/gstreamer-[0-9]*/ rw,
owner @{HOME}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
owner @{HOME}/.config/font-manager/ rw,
owner @{HOME}/.config/font-manager/* rw,
owner @{HOME}/.config/fontconfig/ rw,
owner @{HOME}/.config/fontconfig/conf.d/ rw,
owner @{HOME}/.config/fontconfig/conf.d/* rw,
owner @{HOME}/.local/share/fonts/ rw,
owner "@{HOME}/.local/share/fonts/Google Fonts/" rw,
owner "@{HOME}/.local/share/fonts/Google Fonts/**" rw,
owner @{HOME}/.local/share/ r,
owner @{HOME}/.local/share/gvfs-metadata/** r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/statm r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/smaps r,
@{PROC}zoneinfo r,
@{sys}/devices/virtual/dmi/id/chassis_type r,
@{sys}/firmware/acpi/pm_profile r,
@{sys}/devices/system/node/ r,
@{sys}/fs/cgroup/{,**} r,
/dev/ r,
/dev/dri/ r,
include <abstractions/dconf>
@{run}/user/[0-9]*/dconf/ rw,
@{run}/user/[0-9]*/dconf/user rw,
# Silencer
owner /var/cache/fontconfig/ w,
deny /var/cache/fontconfig/ w,
include if exists <local/font-manager>
}
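Review bot: The dconf rules on L298-L299, `@{run}/user/[0-9]*/dconf/ rw,` and `@{run}/user/[0-9]*/dconf/user rw,`, are the only ones in this commit without the `owner` qualifier (compare dino-im L151-L152, engrampa L187-L188, gvfsd L609-L610), so font-manager may write another user's dconf database; `owner @{run}/user/[0-9]*/dconf/ rw,` and `owner @{run}/user/[0-9]*/dconf/user rw,` match the rest of the set. The "Silencer" pair on L301-L302 is also odd: AppArmor gives `deny` precedence over allow rules, so the `owner /var/cache/fontconfig/ w,` allow is dead and only the quiet deny takes effect — dropping L301 or commenting that the deny is intentional would avoid a reader assuming the write is granted. Finally, L265 gives the main binary only `r` while every other new profile here uses `mr`; if font-manager is a native executable that mapping will presumably be denied — verify under enforcement.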

79
apparmor.d/fritzing Normal file

@ -0,0 +1,79 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/fritzing{,.real}
profile fritzing @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/mesa>
include <abstractions/dri-enumerate>
include <abstractions/qt5-settings-write>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
@{exec_path} mrix,
owner @{HOME}/.config/Fritzing/ rw,
owner @{HOME}/.config/Fritzing/** rwkl -> @{HOME}/.config/Fritzing/**,
owner @{HOME}/Documents/Fritzing/ rw,
owner @{HOME}/Documents/Fritzing/** rw,
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{HOME}/.config/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
/usr/share/fritzing/{,**} r,
/usr/share/hwdata/pnp.ids r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/etc/debian_version r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/tty/ r,
@{sys}/devices/**/tty*/uevent r,
@{sys}/devices/**/tty/**/uevent r,
@{run}/udev/data/c5:[0-9]* r, # for /dev/tty, /dev/console, /dev/ptmx
@{run}/udev/data/c4:[0-9]* r, # for /dev/tty[0-9]*
@{run}/udev/data/c166:[0-9]* r, # for /dev/ttyACM[0-9]*
/dev/ttyS[0-9]* rw,
/dev/ttyACM[0-9]* rw,
owner @{run}/lock/LCK..ttyACM[0-9]* rwk,
include if exists <local/fritzing>
}


@ -41,11 +41,15 @@ profile fusermount @{exec_path} {
# For MTP # For MTP
mount -> /, mount -> /,
# For GVFS
mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/,
# Be able to unmount the ISO images # Be able to unmount the ISO images
umount /home/*/*/, umount /home/*/*/,
umount /home/*/*/*/, umount /home/*/*/*/,
umount /home/*/.cache/**/, umount /home/*/.cache/**/,
umount /media/*/, umount /media/*/,
umount @{run}/user/[0-9]*/**/,
# Image files to be mounted # Image files to be mounted
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
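Review bot: The new `umount @{run}/user/[0-9]*/**/,` on L384 allows fusermount to unmount anything beneath any user's runtime directory, while the paired mount rule on L378 is limited to `@{run}/user/[0-9]*/gvfs/`; mount and umount rules cannot be `owner`-qualified, so the path is the only scope control. If the GVFS case is all that is needed, `umount @{run}/user/[0-9]*/gvfs/,` keeps the two rules symmetric; if other runtime-dir mounts must be unmountable, a comment listing them would justify the `**`. The fusermount profile this hunk belongs to starts outside the hunk.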


@ -29,8 +29,8 @@ profile geany @{exec_path} {
deny capability sys_nice, deny capability sys_nice,
# network inet stream, network inet stream,
# network inet6 stream, network inet6 stream,
@{exec_path} mr, @{exec_path} mr,
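Review bot: L392-L393 uncomment `network inet stream,` and `network inet6 stream,`, turning on outbound TCP for an editor, without a comment saying which feature needed it; the rule will otherwise look accidental to the next reviewer and is easy to tighten away again. A one-line comment above the pair, e.g. `# Needed for <feature> — TODO name the plugin/feature that opens sockets`, records the reason. The geany profile this hunk belongs to starts and ends outside the hunk.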


@ -30,6 +30,7 @@ profile gparted @{exec_path} {
/{usr/,}bin/sed rix, /{usr/,}bin/sed rix,
/{usr/,}bin/mkdir rix, /{usr/,}bin/mkdir rix,
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/gawk rix,
/{usr/,}lib/udisks2/udisks2-inhibit rix, /{usr/,}lib/udisks2/udisks2-inhibit rix,
/usr/libexec/udisks2/udisks2-inhibit rix, /usr/libexec/udisks2/udisks2-inhibit rix,


@ -0,0 +1,24 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfs-afc-volume-monitor
@{exec_path} += /usr/libexec/gvfs-afc-volume-monitor
profile gvfs-afc-volume-monitor @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/gvfs-afc-volume-monitor>
}


@ -0,0 +1,24 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfs-goa-volume-monitor
@{exec_path} += /usr/libexec/gvfs-goa-volume-monitor
profile gvfs-goa-volume-monitor @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/gvfs-goa-volume-monitor>
}


@ -0,0 +1,35 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfs-gphoto2-volume-monitor
@{exec_path} += /usr/libexec/gvfs-gphoto2-volume-monitor
profile gvfs-gphoto2-volume-monitor @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
include <abstractions/devices-usb>
network netlink raw,
@{exec_path} mr,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
@{sys}/class/scsi_generic/ r,
/etc/fstab r,
include if exists <local/gvfs-gphoto2-volume-monitor>
}


@ -0,0 +1,27 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfs-mtp-volume-monitor
@{exec_path} += /usr/libexec/gvfs-mtp-volume-monitor
profile gvfs-mtp-volume-monitor @{exec_path} {
include <abstractions/base>
include <abstractions/devices-usb>
network netlink raw,
@{exec_path} mr,
include if exists <local/gvfs-mtp-volume-monitor>
}


@ -0,0 +1,63 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfs-udisks2-volume-monitor
@{exec_path} += /usr/libexec/gvfs-udisks2-volume-monitor
profile gvfs-udisks2-volume-monitor @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/disks-read>
include <abstractions/devices-usb>
network inet stream,
network inet6 stream,
network netlink raw,
signal (send) set=(term, kill) peer=mount,
@{exec_path} mr,
/{usr/,}bin/lsof rix,
/{usr/,}bin/mount rPx,
/{usr/,}bin/umount rPx,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ w,
owner @{run}/user/[0-9]*/dconf/user rw,
/etc/fstab r,
# Mount points
/media/*/ r,
/media/*/*/ r,
@{HOME}/*/*/ r,
@{HOME}/*/*/**/ r,
owner @{HOME}/.local/share/mime/treemagic r,
/usr/share/mime/treemagic r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
@{run}/mount/utab r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/1/cgroup r,
include if exists <local/gvfs-udisks2-volume-monitor>
}
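Review bot: The "Mount points" rules on L544-L545, `@{HOME}/*/*/ r,` and `@{HOME}/*/*/**/ r,`, have no `owner` qualifier even though `@{HOME}` expands to every user's home, so the monitor can list directory trees belonging to other accounts; the neighbouring home-directory rules in this commit (L546, L550-L553) are all `owner`-restricted. Since this monitor runs inside a user session, `owner @{HOME}/*/*/ r,` and `owner @{HOME}/*/*/**/ r,` presumably suffice — confirm that the mounts it needs to see are under the caller's own home. The `/media/*/` rules on L542-L543 are system mount points and are fine without `owner`.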

72
apparmor.d/gvfsd Normal file

@ -0,0 +1,72 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd
@{exec_path} += /usr/libexec/gvfsd
profile gvfsd @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
# Don't strip env here.
/{usr/,}lib/gvfs/gvfsd-* rcx -> backends,
/usr/libexec/gvfsd-* rcx -> backends,
/usr/share/gvfs/{,**} r,
owner @{run}/user/[0-9]*/gvfs/ rw,
owner @{PROC}/@{pid}/fd/ r,
profile backends {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice>
include <abstractions/freedesktop.org>
include <abstractions/trash>
include <abstractions/disks-read>
include <abstractions/user-download-strict>
mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/,
/{usr/,}lib/gvfs/gvfsd-* mr,
/usr/libexec/gvfsd-* mr,
/{usr/,}bin/ssh rPx,
/usr/bin/fusermount{,3} rPx,
/dev/ptmx rw,
/dev/fuse rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{run}/samba/ rw,
@{run}/mount/utab r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
}
include if exists <local/gvfsd>
}
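Review bot: L599 spells the fusermount transition as `/usr/bin/fusermount{,3} rPx,` while the rest of the profile (and the repository) uses the `/{usr/,}bin/` form, e.g. L598 `/{usr/,}bin/ssh rPx,`; on a system without merged /usr the binary lives in /bin, no rule matches, and the FUSE backend's exec is denied under enforcement. `/{usr/,}bin/fusermount{,3} rPx,` fixes that. The `rcx -> backends` transitions on L582-L583 deliberately keep the environment (lowercase `c`), and the comment "Don't strip env here." would be more useful if it named the variable the backends need, e.g. `# Don't strip env here: backends need <VAR> — TODO confirm`. Note that the `ssh rPx` on L598 depends on the new `ssh` profile added in this same commit, so the two files must land together.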

30
apparmor.d/gvfsd-metadata Normal file

@ -0,0 +1,30 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-metadata
@{exec_path} += /usr/libexec/gvfsd-metadata
profile gvfsd-metadata @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
network netlink raw,
@{exec_path} mr,
owner @{HOME}/.local/share/gvfs-metadata/ rw,
owner @{HOME}/.local/share/gvfs-metadata/** rw,
include if exists <local/gvfsd-metadata>
}


@ -155,7 +155,7 @@ profile hardinfo @{exec_path} {
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/coredump_filter rw, owner @{PROC}/@{pid}/coredump_filter rw,
@{sys}/fs/cgroup/** r, @{sys}/fs/cgroup/{,**} r,
owner /tmp/hsperfdata_*/ rw, owner /tmp/hsperfdata_*/ rw,
owner /tmp/hsperfdata_*/@{pid} rw, owner /tmp/hsperfdata_*/@{pid} rw,


@ -52,10 +52,10 @@ profile hypnotix @{exec_path} {
/{usr/,}sbin/ldconfig rix, /{usr/,}sbin/ldconfig rix,
/{usr/,}bin/mkdir rix, /{usr/,}bin/mkdir rix,
/{usr/,}bin/xdg-screensaver rPx, /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver,
/{usr/,}bin/youtube-dl rPx,
/{usr/,}lib/firefox/firefox rPUx, /{usr/,}bin/youtube-dl rPx,
/{usr/,}lib/firefox/firefox rPx,
# Which files hypnotix should be able to open # Which files hypnotix should be able to open
/ r, / r,
@ -94,5 +94,29 @@ profile hypnotix @{exec_path} {
# Silencer # Silencer
/{usr/,}lib/hypnotix/** w, /{usr/,}lib/hypnotix/** w,
profile xdg-screensaver {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/xdg-screensaver mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/which rix,
/{usr/,}bin/xset rix,
/{usr/,}bin/xautolock rix,
/{usr/,}bin/dbus-send rix,
owner @{HOME}/.Xauthority r,
# file_inherit
/dev/dri/card[0-9]* rw,
network inet stream,
network inet6 stream,
}
include if exists <local/hypnotix> include if exists <local/hypnotix>
} }
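Review bot: The `xdg-screensaver` child profile added on L667-L684 is repeated verbatim in minitube (L700-L717) and mpv (L749-L766), so any later fix — for instance narrowing `dbus-send rix` or the `/dev/dri/card[0-9]* rw` inherited-descriptor rule — has to be applied three times and will drift. Moving the body into a shared abstraction file (e.g. an `abstractions/xdg-screensaver` — name to be chosen) and keeping only `profile xdg-screensaver { include <abstractions/xdg-screensaver> }` in each profile keeps one source of truth; the `rCx -> xdg-screensaver` transitions on L658, L693 and L743 are unaffected. The "# file_inherit" comment on L680 should also say that the DRI device and the network rules exist only because descriptors are inherited from the parent, since a reader may otherwise think the screensaver helper needs network access of its own.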


@ -97,10 +97,10 @@ profile minitube @{exec_path} {
/{usr/,}bin/xdg-open rCx -> open, /{usr/,}bin/xdg-open rCx -> open,
# Be able to turn off the screensaver while playing movies # Be able to turn off the screensaver while playing movies
/{usr/,}bin/xdg-screensaver rPUx, /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, /{usr/,}lib/firefox/firefox rPx,
# file_inherit # file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
@ -129,5 +129,28 @@ profile minitube @{exec_path} {
} }
profile xdg-screensaver {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/xdg-screensaver mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/which rix,
/{usr/,}bin/xset rix,
/{usr/,}bin/xautolock rix,
/{usr/,}bin/dbus-send rix,
owner @{HOME}/.Xauthority r,
# file_inherit
/dev/dri/card[0-9]* rw,
network inet stream,
network inet6 stream,
}
include if exists <local/minitube> include if exists <local/minitube>
} }


@ -30,6 +30,11 @@ profile mount @{exec_path} flags=(complain) {
mount, mount,
network inet stream,
network inet6 stream,
signal (receive) set=(term, kill),
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/ntfs-3g rPx, /{usr/,}bin/ntfs-3g rPx,
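Review bot: The new `signal (receive) set=(term, kill),` on L727 has no `peer=` restriction, so any confined process may terminate mount, whereas the matching sender rule this commit adds in gvfs-udisks2-volume-monitor (L532) is already scoped with `peer=mount`. Pairing it as `signal (receive) set=(term, kill) peer=gvfs-udisks2-volume-monitor,` keeps both ends of the channel explicit; if other senders exist, list them rather than leaving the peer open. The `network inet stream,`/`network inet6 stream,` additions on L725-L726 would also benefit from a comment naming the network filesystem that needs them. The mount profile this hunk belongs to starts and ends outside the hunk.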


@ -126,6 +126,8 @@ profile mpv @{exec_path} {
##include <abstractions/nvidia> ##include <abstractions/nvidia>
/etc/vdpau_wrapper.cfg r, /etc/vdpau_wrapper.cfg r,
#/etc/samba/smb.conf r,
# What's this for? (since v0.30.0) # What's this for? (since v0.30.0)
@{sys}/bus/ r, @{sys}/bus/ r,
@{sys}/class/ r, @{sys}/class/ r,
@ -144,7 +146,7 @@ profile mpv @{exec_path} {
@{run}/udev/data/c116:[0-9]* r, # for ALSA @{run}/udev/data/c116:[0-9]* r, # for ALSA
# Be able to turn off the screensaver while playing movies # Be able to turn off the screensaver while playing movies
/{usr/,}bin/xdg-screensaver rPUx, /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver,
# External apps # External apps
/{usr/,}bin/youtube-dl rPUx, /{usr/,}bin/youtube-dl rPUx,
@ -153,5 +155,29 @@ profile mpv @{exec_path} {
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
profile xdg-screensaver {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/xdg-screensaver mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/which rix,
/{usr/,}bin/xset rix,
/{usr/,}bin/xautolock rix,
/{usr/,}bin/dbus-send rix,
owner @{HOME}/.Xauthority r,
# file_inherit
/dev/dri/card[0-9]* rw,
network inet stream,
network inet6 stream,
}
include if exists <local/mpv> include if exists <local/mpv>
} }


@ -61,7 +61,7 @@ profile quiterss @{exec_path} {
owner @{HOME}/.cache/QuiteRss/** rwl -> @{HOME}/.cache/QuiteRss/**, owner @{HOME}/.cache/QuiteRss/** rwl -> @{HOME}/.cache/QuiteRss/**,
owner @{HOME}/.cache/gstreamer-[0-9]*/ rw, owner @{HOME}/.cache/gstreamer-[0-9]*/ rw,
owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw, owner @{HOME}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
deny @{PROC}/sys/kernel/random/boot_id r, deny @{PROC}/sys/kernel/random/boot_id r,


@ -62,7 +62,7 @@ profile smtube @{exec_path} {
owner @{HOME}/.cache/smtube/* rwk, owner @{HOME}/.cache/smtube/* rwk,
owner @{HOME}/.cache/gstreamer-[0-9]*/ rw, owner @{HOME}/.cache/gstreamer-[0-9]*/ rw,
owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw, owner @{HOME}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/etc/machine-id r, /etc/machine-id r,


@ -57,8 +57,7 @@ profile spacefm @{exec_path} {
@{sys}/devices/system/node/ r, @{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r, @{sys}/devices/system/node/node[0-9]*/meminfo r,
@{sys}/fs/cgroup/**/cpu.cfs_quota_us r, @{sys}/fs/cgroup/{,**} r,
@{sys}/fs/cgroup/**/cpu.cfs_period_us r,
# To read/write files in the system. The read permission is granted for all files, the write # To read/write files in the system. The read permission is granted for all files, the write
# permission only for the owner. Also, dirs like /dev/, /efi/, /proc/, /sys/ are not included in # permission only for the owner. Also, dirs like /dev/, /efi/, /proc/, /sys/ are not included in

40
apparmor.d/ssh Normal file

@ -0,0 +1,40 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ssh
profile ssh @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
network inet stream,
network inet6 stream,
@{exec_path} mr,
owner @{PROC}/@{pid}/fd/ r,
owner @{HOME}/.ssh/ r,
owner @{HOME}/.ssh/config r,
owner @{HOME}/.ssh/known_hosts r,
owner @{HOME}/.ssh/*_rsa{,.pub} r,
owner @{HOME}/.ssh/*_ed25519{,.pub} r,
/etc/ssh/ssh_config r,
/etc/ssh/ssh_config.d/ r,
include if exists <local/ssh>
}
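Review bot: L827 grants `owner @{HOME}/.ssh/known_hosts r,` only, so ssh cannot record a host key the user has just accepted; the first-connection fingerprint prompt then repeats on every connection and trust-on-first-use never latches, which trains users to accept fingerprints blindly. `owner @{HOME}/.ssh/known_hosts rw,` restores that, and if `UpdateHostKeys` or hashed known_hosts is in use the rewrite presumably goes through a temporary file in the same directory — verify and add it. L831 likewise grants only the directory `/etc/ssh/ssh_config.d/ r,` and not the `*.conf` files that `ssh_config` includes from it; `/etc/ssh/ssh_config.d/{,*} r,` covers both. There is also no rule for an ssh-agent socket, so agent-based authentication presumably fails under enforcement — either add the socket path used on the target system or comment that agent use is intentionally unsupported.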


@ -69,7 +69,7 @@ profile strawberry @{exec_path} {
owner @{HOME}/.cache/strawberry/** rwl -> @{HOME}/.cache/strawberry/networkcache/prepared/#[0-9]*[0-9], owner @{HOME}/.cache/strawberry/** rwl -> @{HOME}/.cache/strawberry/networkcache/prepared/#[0-9]*[0-9],
owner @{HOME}/.cache/gstreamer-[0-9]*/ rw, owner @{HOME}/.cache/gstreamer-[0-9]*/ rw,
owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw, owner @{HOME}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
owner @{HOME}/.cache/xine-lib/ rw, owner @{HOME}/.cache/xine-lib/ rw,
owner @{HOME}/.cache/xine-lib/plugins.cache{,.new} rw, owner @{HOME}/.cache/xine-lib/plugins.cache{,.new} rw,


@ -33,7 +33,7 @@ profile strawberry-tagreader @{exec_path} {
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
owner @{HOME}/.anyRemote/anyremote.stdout w, owner @{HOME}/.anyRemote/anyremote.stdout w,
owner @{HOME}/.cache/gstreamer-*/registry.x86_64.bin.tmp* rw, owner @{HOME}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
include if exists <local/strawberry-tagreader> include if exists <local/strawberry-tagreader>
} }


@ -40,7 +40,7 @@ profile systemd-analyze @{exec_path} {
/etc/systemd/** r, /etc/systemd/** r,
/{usr/,}lib/systemd/** r, /{usr/,}lib/systemd/** r,
@{sys}/fs/cgroup/{systemd,unified}/** r, @{sys}/fs/cgroup/{,**} r,
@{sys}/fs/cgroup/{systemd,unified}/**/cgroup.procs rw, @{sys}/fs/cgroup/{systemd,unified}/**/cgroup.procs rw,
@{sys}/firmware/acpi/tables/FPDT r, @{sys}/firmware/acpi/tables/FPDT r,


@ -56,7 +56,7 @@ profile tint2 @{exec_path} {
@{sys}/class/power_supply/ r, @{sys}/class/power_supply/ r,
@{sys}/devices/**/power_supply/**/* r, @{sys}/devices/**/power_supply/**/* r,
@{sys}/fs/cgroup/** r, @{sys}/fs/cgroup/{,**} r,
/dev/shm/#[0-9]*[0-9] rw, /dev/shm/#[0-9]*[0-9] rw,


@ -33,6 +33,8 @@ profile umount @{exec_path} flags=(complain) {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}sbin/umount.udisks2 rPx,
# Mount points # Mount points
/media/*/ r, /media/*/ r,
/media/*/*/ r, /media/*/*/ r,

23
apparmor.d/umount.udisks2 Normal file

@ -0,0 +1,23 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/umount.udisks2
profile umount.udisks2 @{exec_path} flags=(complain) {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/umount.udisks2>
}
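Review bot: The new profile grants nothing beyond `include <abstractions/base>` and mapping its own binary, and it is loaded with `flags=(complain)`, so every other access the helper makes is permitted and only logged; nothing on the page says whether that is the intended end state or a skeleton to be filled in from the audit log. A comment next to the profile header would make that explicit, e.g. `# Skeleton: kept in complain mode until the helper's real access pattern has been collected`. umount in the previous section now transitions into this profile with `rPx`, so the helper's behaviour changes as soon as this file is switched to enforce.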


@ -2,13 +2,13 @@
@{APT_CACHER_NG_CACHE_DIR}=/var/cache/apt-cacher-ng @{APT_CACHER_NG_CACHE_DIR}=/var/cache/apt-cacher-ng
include <tunables/global> #include <tunables/global>
profile apt-cacher-ng /usr/sbin/apt-cacher-ng flags=(complain) { profile apt-cacher-ng /usr/sbin/apt-cacher-ng {
include <abstractions/base> #include <abstractions/base>
include <abstractions/nameservice> #include <abstractions/nameservice>
include <abstractions/openssl> #include <abstractions/openssl>
include <abstractions/user-tmp> #include <abstractions/user-tmp>
/etc/apt-cacher-ng/ r, /etc/apt-cacher-ng/ r,
/etc/apt-cacher-ng/** r, /etc/apt-cacher-ng/** r,
@ -30,6 +30,9 @@ profile apt-cacher-ng /usr/sbin/apt-cacher-ng flags=(complain) {
/usr/lib/apt-cacher-ng/acngtool ixr, /usr/lib/apt-cacher-ng/acngtool ixr,
# used by libevent
@{PROC}/sys/kernel/random/uuid r,
# Site-specific additions and overrides. See local/README for details. # Site-specific additions and overrides. See local/README for details.
include <local/usr.sbin.apt-cacher-ng> #include <local/usr.sbin.apt-cacher-ng>
} }
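Review bot: The profile header changes mode between the two columns of this section (one side has `flags=(complain)`, the other does not) and the page does not make clear which side is new: the right-hand column uses the legacy `#include` spelling, the left one the plain `include` used everywhere else in this commit, and the only unambiguous addition is the libevent rule `@{PROC}/sys/kernel/random/uuid r,`. If the right column is the new text, the profile moves into enforce mode in the same commit as its only new rule, which is worth confirming against a clean audit log before landing; if the left column is new, the hunk is the libevent rule plus a switch to complain mode. Either way, a short comment above the header stating why the mode changes would help the next reader.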


@ -59,7 +59,7 @@ profile virt-manager @{exec_path} {
owner @{HOME}/.cache/virt-manager/** rw, owner @{HOME}/.cache/virt-manager/** rw,
owner @{HOME}/.cache/gstreamer-[0-9]*/ rw, owner @{HOME}/.cache/gstreamer-[0-9]*/ rw,
owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw, owner @{HOME}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
# For disk images # For disk images
/media/ r, /media/ r,


@ -141,7 +141,7 @@ profile vlc @{exec_path} {
/usr/share/hwdata/pnp.ids r, /usr/share/hwdata/pnp.ids r,
# Be able to turn off the screensaver while playing movies # Be able to turn off the screensaver while playing movies
/{usr/,}bin/xdg-screensaver rPUx, /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver,
# Silencer # Silencer
deny /{usr/,}lib/@{multiarch}/vlc/{,**} w, deny /{usr/,}lib/@{multiarch}/vlc/{,**} w,
@ -150,5 +150,29 @@ profile vlc @{exec_path} {
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
owner @{HOME}/.anyRemote/anyremote.stdout w, owner @{HOME}/.anyRemote/anyremote.stdout w,
profile xdg-screensaver {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/xdg-screensaver mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/which rix,
/{usr/,}bin/xset rix,
/{usr/,}bin/xautolock rix,
/{usr/,}bin/dbus-send rix,
owner @{HOME}/.Xauthority r,
# file_inherit
/dev/dri/card[0-9]* rw,
network inet stream,
network inet6 stream,
}
include if exists <local/vlc> include if exists <local/vlc>
} }
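Review bot: In the new `xdg-screensaver` child profile, `xset`, `xautolock` and `dbus-send` run with `rix` and so inherit the child's whole rule set, including `network inet stream`, `network inet6 stream` and `/dev/dri/card[0-9]* rw`, whereas the standalone xdg-screensaver profile in this same commit confines them separately (`xset rPx`, `xautolock rCx -> xautolock`, `dbus-send rCx -> dbus`). Unless the two are meant to differ, the child could use the same transitions. At minimum the two network rules deserve a why-comment, since the `# file_inherit` heading above them reads as tied only to the `/dev/dri` line, e.g. `# sockets inherited from vlc, not opened by xdg-screensaver itself` (assumption — confirm from the audit log). The enclosing `profile vlc` header is outside this hunk.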


@ -44,11 +44,16 @@ profile xarchiver @{exec_path} {
/{usr/,}bin/bzip2 rix, /{usr/,}bin/bzip2 rix,
/{usr/,}bin/cpio rix, /{usr/,}bin/cpio rix,
/{usr/,}bin/gzip rix, /{usr/,}bin/gzip rix,
/{usr/,}bin/zstd rix,
# For deb packages # For deb packages
/{usr/,}bin/{,@{multiarch}-}ar rix, /{usr/,}bin/{,@{multiarch}-}ar rix,
/{usr/,}bin/xdg-open rCx -> open, /{usr/,}bin/xdg-open rCx -> open,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
owner @{HOME}/.config/xarchiver/ rw, owner @{HOME}/.config/xarchiver/ rw,
owner @{HOME}/.config/xarchiver/xarchiverrc{,.*} rw, owner @{HOME}/.config/xarchiver/xarchiverrc{,.*} rw,
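Review bot: The three dconf lines are inserted between the `xdg-open` transition and the config-file rules without a heading, while the rest of the profile groups rules under comments such as `# For deb packages`; a one-line heading like `# dconf (GTK settings)` above `include <abstractions/dconf>` would keep that style. The two explicit `rw` rules on `@{run}/user/[0-9]*/dconf/` and its `user` file presumably add write access beyond what the abstraction grants — worth a note on why xarchiver needs to write there rather than read only.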


@ -31,14 +31,14 @@ profile xdg-screensaver @{exec_path} {
/{usr/,}bin/cat rix, /{usr/,}bin/cat rix,
/{usr/,}bin/uname rix, /{usr/,}bin/uname rix,
/{usr/,}bin/xautolock rix,
/{usr/,}bin/dbus-send rix,
/{usr/,}bin/xprop rPx, /{usr/,}bin/xprop rPx,
/{usr/,}bin/xdg-mime rPx, /{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/xset rPx, /{usr/,}bin/xset rPx,
/{usr/,}bin/hostname rPx, /{usr/,}bin/hostname rPx,
/{usr/,}bin/xautolock rCx -> xautolock,
/{usr/,}bin/dbus-send rCx -> dbus,
/dev/dri/card[0-9] rw, /dev/dri/card[0-9] rw,
owner @{HOME}/ r, owner @{HOME}/ r,
@ -47,34 +47,5 @@ profile xdg-screensaver @{exec_path} {
owner @{run}/user/[0-9]*/ r, owner @{run}/user/[0-9]*/ r,
# file_inherit
owner @{HOME}/.xsession-errors w,
/dev/dri/card[0-9]* rw,
profile xautolock {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/xautolock mr,
# file_inherit
/dev/dri/card[0-9]* rw,
owner @{HOME}/.Xauthority r,
}
profile dbus {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/dbus-send mr,
# file_inherit
/dev/dri/card[0-9]* rw,
}
include if exists <local/xdg-screensaver> include if exists <local/xdg-screensaver>
} }
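Review bot: The new `dbus` child profile carries no D-Bus rules at all — neither an `include <abstractions/dbus-session-strict>` nor a `dbus send` rule — so on a kernel with D-Bus mediation `dbus-send` is likely to be denied its session-bus connection once the profile leaves complain mode (hedged: the profile's flags are outside the hunk). The `xautolock` child likewise gets `@{HOME}/.Xauthority r` but no `abstractions/X`, so its display connection depends on the kernel not mediating unix sockets. A comment on each child stating which accesses were verified would help, and the parent's pre-existing `/dev/dri/card[0-9] rw,` could be dropped now that `/dev/dri/card[0-9]* rw,` is added under `# file_inherit` just below it. The `profile xdg-screensaver` header is outside both hunks.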


@ -20,7 +20,9 @@ profile xfconfd @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
owner @{HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-notifyd.xml{,.new} rw, /etc/xdg/xfce4/xfconf/*/*.xml r,
owner @{HOME}/.config/xfce4/xfconf/*/*.xml{,.new} rw,
# file_inherit # file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,