Profile update.

This commit is contained in:
Alexandre Pujol 2022-03-02 18:22:57 +00:00
parent 683da55bb9
commit 60cb62334b
GPG Key ID: C5469996F0DF68EC
12 changed files with 28 additions and 25 deletions


@ -43,9 +43,10 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/uid_map w, owner @{PROC}/@{pid}/uid_map w,
ptrace (trace) peer=@{profile_name}, ptrace (trace) peer=@{profile_name},
ptrace (read) peer=xdg-settings, ptrace (read) peer=browserpass,
ptrace (read) peer=keepassxc-proxy, ptrace (read) peer=keepassxc-proxy,
ptrace (read) peer=lsb_release, ptrace (read) peer=lsb_release,
ptrace (read) peer=xdg-settings,
signal (send) set=(term, kill) peer=keepassxc-proxy, signal (send) set=(term, kill) peer=keepassxc-proxy,
signal (receive) peer=chromium-chrome-crashpad-handler, signal (receive) peer=chromium-chrome-crashpad-handler,
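Review bot: The new `ptrace (read) peer=browserpass,` rule has no comment saying why chromium needs ptrace read on the browserpass native-messaging host, and the neighbouring keepassxc-proxy rule is equally unexplained. AppArmor requires `ptrace (read)` before a confined process may read another confined peer's `@{PROC}/@{pid}/` entries, which is presumably what the browser does with its child hosts, but that is inferred rather than visible in the hunk. A one-line comment above the group, such as `# Native messaging hosts: chromium reads @{PROC}/@{pid}/ of its child hosts`, would record the reason the next reviewer will ask for. The chromium profile continues outside the hunk.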


@ -31,7 +31,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/glvnd/egl_vendor.d/{,*.json} r, /usr/share/glvnd/egl_vendor.d/{,*.json} r,
/usr/share/gnome-shell/{,**} r, /usr/share/gnome-shell/{,**} r,
/usr/share/themes/*/gtk-3.0/{,**} r,
/usr/share/X11/xkb/** r, /usr/share/X11/xkb/** r,
/var/lib/gdm/.config/dconf/user r, /var/lib/gdm/.config/dconf/user r,


@ -111,6 +111,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
@{PROC}/zoneinfo r, @{PROC}/zoneinfo r,
/dev/ r, /dev/ r,
/dev/media[0-9]* r,
/dev/video[0-9]* rw, /dev/video[0-9]* rw,
include if exists <local/gnome-control-center> include if exists <local/gnome-control-center>
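Review bot: The added `/dev/media[0-9]* r,` sits next to `/dev/video[0-9]* rw,` without a comment naming the feature that needs the two device nodes, presumably the camera panel. A short header above the pair, e.g. `# Camera devices (media controller + video capture)`, would tie the rules together for the next reader. Read-only on the media-controller node is the minimal grant, so no change to the rule itself is suggested.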


@ -20,9 +20,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icons/{,**} r, /usr/share/icons/{,**} r,
@ -30,6 +27,9 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
/usr/share/sounds/freedesktop/stereo/*.oga r, /usr/share/sounds/freedesktop/stereo/*.oga r,
/usr/share/X11/xkb/** r, /usr/share/X11/xkb/** r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner @{user_config_dirs}/pulse/ rw, owner @{user_config_dirs}/pulse/ rw,
owner @{user_share_dirs}/ r, owner @{user_share_dirs}/ r,


@ -13,6 +13,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
include <abstractions/gnome> include <abstractions/gnome>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/trash>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
@ -27,11 +28,11 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
# Full access to user's data # Full access to user's data
/ r, / r,
owner @{HOME}/{,**} rw, owner @{HOME}/{,**} rw,
owner @{MOUNTS}/{,**} r, owner @{MOUNTS}/{,**} rw,
owner @{run}/user/@{uid}/{,**} rw, owner @{run}/user/@{uid}/{,**} rw,
owner /tmp/{,**} rw, owner /tmp/{,**} rw,
# Silencer for non user's data # Silence non user's data
deny owner @{HOME}/@{XDG_VM_DIR}/{,**} rw, deny owner @{HOME}/@{XDG_VM_DIR}/{,**} rw,
deny /boot rw, deny /boot rw,
deny /opt rw, deny /opt rw,
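Review bot: `owner @{MOUNTS}/{,**} rw` widens nautilus from read to write on every user-owned path under all mount points, and unlike `@{HOME}` there is no matching `deny` in the silencer block below that carves anything out of it. That is plausibly what a file manager needs for moving files to removable media, but the reason is not recorded anywhere in the hunk. Consider a comment on the rule, e.g. `owner @{MOUNTS}/{,**} rw, # Write needed for file operations on mounted media`. The nautilus profile continues outside the hunk.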


@ -80,6 +80,8 @@ profile git @{exec_path} {
owner @{HOME}/@{XDG_PROJECTS_DIR}/ rw, owner @{HOME}/@{XDG_PROJECTS_DIR}/ rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**, owner @{HOME}/@{XDG_PROJECTS_DIR}/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**,
owner @{user_cache_dirs}/**/.SRCINFO r,
owner @{user_cache_dirs}/**/.git/** r,
owner /tmp/** rwkl -> /tmp/**, owner /tmp/** rwkl -> /tmp/**,
owner /tmp/**/bin/* rCx -> exec, owner /tmp/**/bin/* rCx -> exec,
@ -96,6 +98,7 @@ profile git @{exec_path} {
owner /tmp/.git_vtag_tmp* rw, # For git log --show-signature owner /tmp/.git_vtag_tmp* rw, # For git log --show-signature
owner /tmp/git-commit-msg-.txt rw, # For android studio owner /tmp/git-commit-msg-.txt rw, # For android studio
deny @{user_share_dirs}/gvfs-metadata/* r,
profile gpg { profile gpg {
include <abstractions/base> include <abstractions/base>
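Review bot: The two new `owner @{user_cache_dirs}/**/...` rules carry no comment, while the surrounding `/tmp` rules each record the program they exist for (`# For git log --show-signature`, `# For android studio`). `.SRCINFO` and `.git/**` under the user cache directory suggest a package helper cloning repositories there, but that is inferred, so the rule should name what prompted it, e.g. `owner @{user_cache_dirs}/**/.git/** r, # For <helper> cloning into the cache`. Note also that `.git/** r` does not cover listing the `.git/` directory itself; if git needs that, add `owner @{user_cache_dirs}/**/.git/ r,` alongside. The git profile continues outside the hunk.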


@ -42,9 +42,9 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
/{usr/,}lib/modules/*/modules.* rw, /{usr/,}lib/modules/*/modules.* rw,
/var/lib/dkms/**/module/*.ko r, /tmp/**/*.ko{,.zst} r,
/usr/src/*/*.ko r, /usr/src/*/*.ko r,
/var/lib/dkms/**/module/*.ko r,
/var/tmp/dracut.*/{,**} rw, /var/tmp/dracut.*/{,**} rw,
@{sys}/module/{,**} r, @{sys}/module/{,**} r,
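Review bot: The new `/tmp/**/*.ko{,.zst} r,` lets kmod, which runs as root, read module images from anywhere under a world-writable directory, and unlike the `/var/lib/dkms` and `/usr/src` rules beside it the path is not tied to a build tree. AppArmor cannot judge whether a module is trustworthy, but the rule can at least be limited to root-owned files with the `owner` prefix and narrowed to the tool's actual staging directory, with a comment naming it: `owner /tmp/**/*.ko{,.zst} r, # For <tool> building modules in /tmp`. The denial that prompted this is not visible here, so the exact path is left to the author. The kmod profile continues outside the hunk.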


@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2020 Mikhail Morfikov # Copyright (C) 2015-2022 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/pipewire-media-session @{exec_path} = /{usr/,}bin/pipewire-media-session
profile pipewire-media-session @{exec_path} { profile pipewire-media-session @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio>
include <abstractions/devices-usb> include <abstractions/devices-usb>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -21,25 +22,19 @@ profile pipewire-media-session @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/usr/share/alsa-card-profile/{,**} r, /usr/share/alsa-card-profile/{,**} r,
/usr/share/alsa/{,**} r,
/usr/share/pipewire/*.conf r, /usr/share/pipewire/*.conf r,
/usr/share/pipewire/media-session.d/{,**} r, /usr/share/pipewire/media-session.d/{,**} r,
/usr/share/spa-*/bluez[0-9]*/{,*} r, /usr/share/spa-*/bluez[0-9]*/{,*} r,
/etc/alsa/{,**} r,
/etc/pipewire/*.conf r, /etc/pipewire/*.conf r,
/etc/pipewire/media-session.d/*.conf r, /etc/pipewire/media-session.d/*.conf r,
/etc/pulse/{,**} r,
owner @{HOME}/.local/state/ rw, owner @{HOME}/.local/state/ rw,
owner @{HOME}/.local/state/pipewire/{,**} rw, owner @{HOME}/.local/state/pipewire/{,**} rw,
owner @{user_config_dirs}/pipewire/ rw, owner @{user_config_dirs}/pipewire/ rw,
owner @{user_config_dirs}/pipewire/** rw, owner @{user_config_dirs}/pipewire/** rw,
owner @{user_config_dirs}/pulse/ rw, owner @{user_config_dirs}/pulse/ rw,
owner @{user_config_dirs}/pulse/cookie rwk,
owner @{run}/user/@{uid}/pulse/ rw,
@{run}/shm/ r,
@{run}/udev/data/+sound:card[0-9]* r, # For sound @{run}/udev/data/+sound:card[0-9]* r, # For sound
@{run}/udev/data/c116:[0-9]* r, # for ALSA @{run}/udev/data/c116:[0-9]* r, # for ALSA
@ -54,10 +49,6 @@ profile pipewire-media-session @{exec_path} {
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,
/dev/shm/ r,
/dev/snd/controlC[0-9]* rw,
/dev/snd/pcmC[0-9]*D[0-9]*p rw,
/dev/snd/pcmC[0-9]*D[0-9]*c rw,
/dev/video[0-9]* rw, /dev/video[0-9]* rw,
include if exists <local/pipewire-media-session> include if exists <local/pipewire-media-session>
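Review bot: The removed ALSA, pulse and `/dev/snd/*` rules are presumably now supplied by the added `include <abstractions/audio>`, but that abstraction is not visible in this hunk and, in the upstream version I know of, grants access to every `/dev/snd/*` node plus jack and pulse configuration, which is wider than the specific `controlC*` and `pcmC*D*` lines it replaces. The change therefore broadens the profile rather than only deduplicating it. Please confirm the abstraction also covers the dropped `owner @{run}/user/@{uid}/pulse/ rw,` and pulse `cookie rwk` rules, and record the trade-off on the include, e.g. `include <abstractions/audio> # Replaces explicit alsa, pulse and /dev/snd rules`. The profile continues outside the hunk.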


@ -34,7 +34,6 @@ profile usbguard-applet-qt @{exec_path} {
owner @{run}/user/@{uid}/sni-qt_usbguard-applet-qt_[0-9]*-[a-zA-Z0-9]*/{,**} rw, owner @{run}/user/@{uid}/sni-qt_usbguard-applet-qt_[0-9]*-[a-zA-Z0-9]*/{,**} rw,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
@{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sys/kernel/core_pattern r, @{PROC}/sys/kernel/core_pattern r,
/usr/share/hwdata/pnp.ids r, /usr/share/hwdata/pnp.ids r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/xdg-desktop-portal @{exec_path} = /{usr/,}lib/xdg-desktop-portal
profile xdg-desktop-portal @{exec_path} { profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
@ -22,6 +22,9 @@ profile xdg-desktop-portal @{exec_path} {
/{usr/,}lib/x r, /{usr/,}lib/x r,
/ r,
/.flatpak-info r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/pipewire/client.conf r, /usr/share/pipewire/client.conf r,
/usr/share/xdg-desktop-portal/portals/{,*.portal} r, /usr/share/xdg-desktop-portal/portals/{,*.portal} r,
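Review bot: `flags=(attach_disconnected)` is added to the profile header without a comment recording which denial it resolves. The flag makes paths disconnected from the namespace root, such as files seen through a sandboxed application's mount namespace, match ordinary path rules as if they hung off `/`, so the new `/ r,` and `/.flatpak-info r,` rules will also match those disconnected paths; that is presumably the intent for the portal, but it widens what every path rule in the profile reaches. A comment on the header, e.g. `# attach_disconnected: the portal reads /.flatpak-info inside sandboxed apps' namespaces`, would make the reason reviewable. The profile body continues outside the hunk.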


@ -17,7 +17,6 @@ profile xdg-desktop-portal-gnome @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/themes/{,**} r,
/usr/share/X11/xkb/{,**} r, /usr/share/X11/xkb/{,**} r,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,


@ -15,20 +15,26 @@ profile xdg-desktop-portal-gtk @{exec_path} {
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/thumbnails-cache-read> include <abstractions/thumbnails-cache-read>
include <abstractions/user-download> include <abstractions/user-download>
include <abstractions/user-write>
@{exec_path} mr, @{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/themes/{,**} r,
/usr/share/X11/xkb/{,**} r, /usr/share/X11/xkb/{,**} r,
/ r, / r,
owner @{HOME}/ r,
owner @{HOME}/.* r,
owner @{HOME}/@{XDG_DATA_HOME}/ r, owner @{HOME}/@{XDG_DATA_HOME}/ r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
include <abstractions/dconf> include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,
@{run}/mount/utab r,
owner @{PROC}/@{uid}/mountinfo r,
include if exists <local/xdg-desktop-portal-gtk> include if exists <local/xdg-desktop-portal-gtk>
} }
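Review bot: `owner @{PROC}/@{uid}/mountinfo r,` looks like a typo for `owner @{PROC}/@{pid}/mountinfo r,`: `/proc/` is keyed by process id, as the chromium hunk's `@{PROC}/@{pid}/uid_map` rule in this same commit shows, so the rule as written only matches when the process id happens to equal the user id and the denial it was meant to silence will persist. Separately, `owner @{HOME}/.* r,` grants read on the contents of every top-level dotfile in the home directory, which goes beyond directory listing and includes credential files some tools keep there; if the portal only needs to enumerate `@{HOME}`, the `owner @{HOME}/ r,` rule above already provides that, otherwise name the specific dotfile it reads. The added `include <abstractions/user-write>` likewise lacks a comment saying which portal operation needs write access to user data.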