feat(abs): update some abstractions.

Alexandre Pujol 2023-08-21 23:21:14 +01:00
parent 310f36f433
commit 5dbc42aaab
GPG Key ID: C5469996F0DF68EC
8 changed files with 51 additions and 38 deletions


@ -23,9 +23,10 @@
# Xauthority files required for X connections, per user # Xauthority files required for X connections, per user
owner @{HOME}/.Xauthority r, owner @{HOME}/.Xauthority r,
owner /tmp/xauth_@{rand6} r,
owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r, owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
owner @{run}/user/@{uid}/X11/Xauthority r, owner @{run}/user/@{uid}/X11/Xauthority r,
@{run}/user/@{uid}/xauth_* rl, owner @{run}/user/@{uid}/xauth_@{rand6} rl,
# Xwayland # Xwayland
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
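Review bot: The added `owner /tmp/xauth_@{rand6} r,` is the only rule in this block without a comment naming the component that creates the file, while the Xwayland rule below is labelled; a line such as `# Xauthority written to /tmp by <component — to be filled in>` above it would keep the block self-documenting and make the /tmp path easy to re-check later. Narrowing `@{run}/user/@{uid}/xauth_*` to `owner @{run}/user/@{uid}/xauth_@{rand6}` is a good tightening; the `l` permission kept on that rule is only needed if the confined program itself links the file, which is worth confirming so it can be dropped otherwise.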


@ -6,11 +6,11 @@
abi <abi/3.0>, abi <abi/3.0>,
# Root app location # Root app location
/ r, @{bin}/ r,
/usr/ r, @{bin}/[a-z0-9]* rPUx,
@{bin}/ r, / r,
@{bin}/[a-z0-9]* rPUx, /usr/ r,
/usr/local/{s,}bin/ r, /usr/local/{s,}bin/ r,
/usr/local/{s,}bin/[a-zA-Z0-9]* rPUx, /usr/local/{s,}bin/[a-z0-9]* rPUx,
include if exists <abstractions/app-launcher-root.d> include if exists <abstractions/app-launcher-root.d>
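Review bot: The class for `/usr/local/{s,}bin/` on the new side is narrowed to `[a-z0-9]*`, which now disagrees with the user launcher changed in this same commit, where `/{usr/,}bin/` and `/usr/local/bin/` keep `[a-zA-Z0-9]*`; either the two abstractions should use the same class or this one should carry a comment explaining why names starting with an uppercase letter are excluded for root. A one-line comment such as `# Lowercase-only on purpose: <reason — to be filled in>` above the rule would make the intent reviewable. Since `rPUx` falls back to unconfined execution for any matching name that has no profile, the directory and this character class are what bound which binaries root can launch unconfined from here, so the choice deserves to be documented.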


@ -7,9 +7,9 @@
# User app location # User app location
/ r, / r,
/usr/ r,
/{usr/,}bin/ r, /{usr/,}bin/ r,
/{usr/,}bin/[a-zA-Z0-9]* rPUx, /{usr/,}bin/[a-zA-Z0-9]* rPUx,
/usr/ r,
/usr/local/bin/ r, /usr/local/bin/ r,
/usr/local/bin/[a-zA-Z0-9]* rPUx, /usr/local/bin/[a-zA-Z0-9]* rPUx,


@ -2,10 +2,10 @@
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-????????", unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-??????????",
unix (bind, listen) type=stream addr="@/tmp/dbus-????????", unix (bind, listen) type=stream addr="@/tmp/dbus-??????????",
unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-????????"), unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-??????????"),
owner @{run}/user/@{uid}/at-spi/ rw, owner @{run}/user/@{uid}/at-spi/ rw,
owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/at-spi/bus rw,
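Review bot: The literal `@/tmp/dbus-??????????` is now spelled out three times on the new side; given it just changed from 8 to 10 characters, a named pattern variable in the project's tunables, in the way `@{rand6}` is used elsewhere in this commit, would keep the three rules in step on the next change. The old 8-character form is replaced rather than kept, so a peer still using the shorter socket name would be denied; if both lengths can occur on supported systems, keeping both forms is the safer choice. A comment recording which dbus version produces the 10-character name, e.g. `# dbus-daemon abstract socket name: 10 random characters since <version — to be filled in>`, would make the choice verifiable later.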


@ -11,22 +11,32 @@
# Use in this project: file browser and search engine # Use in this project: file browser and search engine
deny @{HOME}/.*_history rwlk, deny @{HOME}/.*.bak mrwkl,
deny @{HOME}/.*age*{,/{,**}} rwlk, deny @{HOME}/.*.swp mrwkl,
deny @{HOME}/.*aws*{,/{,**}} rwkl, deny @{HOME}/.*~ mrwkl,
deny @{HOME}/.*cert*{,/{,**}} rwlk, deny @{HOME}/.*~1~ mrwkl,
deny @{HOME}/.*key*{,/{,**}} rwlk, deny @{HOME}/.*age*{,/{,**}} mrwkl,
deny @{HOME}/.*pass*{,/{,**}} rwlk, deny @{HOME}/.*aws*{,/{,**}} mrwkl,
deny @{HOME}/.*pki*{,/{,**}} rwlk, deny @{HOME}/.*cert*{,/{,**}} mrwkl,
deny @{HOME}/.*private*{,/{,**}} rwlk, deny @{HOME}/.*history mrwkl,
deny @{HOME}/.*secret*{,/{,**}} rwlk, deny @{HOME}/.*key*{,/{,**}} mrwkl,
deny @{HOME}/.*yubi*{,/{,**}} rwlk, deny @{HOME}/.*pass*{,/{,**}} mrwkl,
deny @{HOME}/.lesshst* rwlk, deny @{HOME}/.*pki*{,/{,**}} mrwkl,
deny @{HOME}/.wget-hsts rwlk, deny @{HOME}/.*private*{,/{,**}} mrwkl,
deny @{HOME}/@{XDG_GPG_DIR}/{,**} rwlk, deny @{HOME}/.*secret*{,/{,**}} mrwkl,
deny @{HOME}/@{XDG_SSH_DIR}/{,**} rwlk, deny @{HOME}/.*yubi*{,/{,**}} mrwkl,
deny @{user_config_dirs}/*-store/{,**} rwlk, deny @{HOME}/.fetchmail* mrwkl,
deny @{user_password_store_dirs}/{,**} rwlk, deny @{HOME}/.lesshst* mrwkl,
deny @{HOME}/.mozilla/{,**} mrwkl,
deny @{HOME}/.mutt** mrwkl,
deny @{HOME}/.thunderbird mrwkl,
deny @{HOME}/.viminfo* mrwkl,
deny @{HOME}/.wget-hsts mrwkl,
deny @{HOME}/@{XDG_GPG_DIR}/{,**} mrwkl,
deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl,
deny @{user_config_dirs}/*-store/{,**} mrwkl,
deny @{user_config_dirs}/chromium/{,**} mrwkl,
deny @{user_password_store_dirs}/{,**} mrwkl,
# Deny executable mapping in writable space as allowed in abstractions/fonts # Deny executable mapping in writable space as allowed in abstractions/fonts
deny @{HOME}/.{,cache/}fontconfig/ rw, deny @{HOME}/.{,cache/}fontconfig/ rw,
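Review bot: `deny @{HOME}/.thunderbird mrwkl,` matches only the directory entry itself, unlike the neighbouring `deny @{HOME}/.mozilla/{,**} mrwkl,`, so the profiles stored inside the directory are not covered; it should read `deny @{HOME}/.thunderbird/{,**} mrwkl,`. `deny @{HOME}/.mutt** mrwkl,` does reach into subdirectories because `**` crosses path separators, but it departs from the `{,/{,**}}` shape the other rules use and is easy to misread, so `deny @{HOME}/.mutt*{,/{,**}} mrwkl,` would be clearer. The widening of `.*_history` to `.*history` now also matches names without an underscore; that looks intended, but the file's header comment should say so.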


@ -6,6 +6,6 @@
/var/lib/gdm/.cache/ w, /var/lib/gdm/.cache/ w,
/var/lib/gdm/.cache/mesa_shader_cache/ rw, /var/lib/gdm/.cache/mesa_shader_cache/ rw,
/var/lib/gdm/.cache/mesa_shader_cache/index rw, /var/lib/gdm/.cache/mesa_shader_cache/index rw,
/var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw, /var/lib/gdm/.cache/mesa_shader_cache/@{h}@{h}/ rw,
/var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw, /var/lib/gdm/.cache/mesa_shader_cache/@{h}@{h}/@{hex} rw,
/var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk, /var/lib/gdm/.cache/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk,


@ -8,4 +8,4 @@
/etc/nvidia/nvidia-application-profiles* r, /etc/nvidia/nvidia-application-profiles* r,
/dev/char/195:@{int} rw, /dev/char/195:@{int} rw, # Nvidia graphics devices


@ -1,19 +1,19 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov # Copyright (C) 2018-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# This abstraction is only required when an interactive shell is started.
# Classic bash scripts do not need it.
abi <abi/3.0>, abi <abi/3.0>,
@{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr,
/usr/share/zsh/{,**} r, /usr/share/zsh/{,**} r,
/usr/local/share/zsh/{,**} r, /usr/local/share/zsh/{,**} r,
@{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr, /etc/zsh/* r,
/etc/zsh/zshenv r,
/etc/zsh/zshrc r,
/etc/zsh/zprofile r,
/etc/zsh/zlogin r,
owner @{HOME}/.zshrc r, owner @{HOME}/.zshrc r,
owner @{HOME}/.zshenv r, owner @{HOME}/.zshenv r,
@ -24,6 +24,8 @@
owner @{HOME}/.oh-my-zsh/log/update.lock/ w, owner @{HOME}/.oh-my-zsh/log/update.lock/ w,
owner @{HOME}/.zcompdump-* rw, owner @{HOME}/.zcompdump-* rw,
owner @{user_config_dirs}/zsh/.zcompdump-* rw,
owner @{user_config_dirs}/zsh/{,**} r, owner @{user_config_dirs}/zsh/{,**} r,
include if exists <abstractions/zsh.d> include if exists <abstractions/zsh.d>
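Review bot: The new header comment says `# Classic bash scripts do not need it.` in a zsh abstraction; it should read `# Classic zsh scripts do not need it.` (or `shell scripts`) to match the file it describes. The moved `@{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr,` rule depends on `@{int}` matching the zsh version directory; if that variable covers only digit sequences, a dotted version directory (constructed example: `5.9`) would not match, which is worth confirming against the tunables. This file is shown in two hunks and the lines between them are outside this view.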