feat(profile): general update.

Alexandre Pujol 2024-07-04 22:22:48 +01:00
parent 8b8a81200a
commit 62e18d04d7
14 changed files with 24 additions and 24 deletions


@ -62,7 +62,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
@{sys}/class/drm/ r, @{sys}/class/drm/ r,
@{sys}/class/video4linux/ r, @{sys}/class/video4linux/ r,
@{sys}/devices/@{pci}/{vendor,model,type} r, @{sys}/devices/@{pci}/{vendor,model,type} r,
@{sys}/devices/@{pci}/drm/card@{int}/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r, @{sys}/devices/@{pci}/drm/card@{int}/**/{enabled,edid} r,
@{sys}/devices/@{pci}/uevent r, @{sys}/devices/@{pci}/uevent r,
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
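Review bot: The widened rule on the changed line, `@{sys}/devices/@{pci}/drm/card@{int}/**/{enabled,edid} r,`, now matches `enabled`/`edid` at any depth below the card directory, not only inside the connector subdirectories the old rule enumerated. If the goal was only to stop listing connector types, `@{sys}/devices/@{pci}/drm/card@{int}/card@{int}-*/{enabled,edid} r,` keeps the old depth while accepting any connector name. These are read-only sysfs attributes, so this is a tightness point rather than a defect. The profile body continues outside the hunk.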


@ -53,6 +53,8 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
@{MOUNTS}/**/ r, @{MOUNTS}/**/ r,
@{HOME}/**/ r, @{HOME}/**/ r,
owner @{MOUNTS}/autorun.inf r,
owner @{desktop_config_dirs}/dconf/user r, owner @{desktop_config_dirs}/dconf/user r,
@{run}/mount/utab r, @{run}/mount/utab r,
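Review bot: The new rule `owner @{MOUNTS}/autorun.inf r,` only matches an autorun.inf sitting directly in a mount root, whereas the context rule `@{MOUNTS}/**/ r,` above it suggests volumes are mounted one or more levels deeper; if so the rule never matches and something like `owner @{MOUNTS}/*/*/autorun.inf r,` is what is needed. The hunk header counts two additions but only one added line is visible here, so the second may already cover this. Since autorun.inf comes from removable media, keeping the access read-only and owner-scoped as written is the right shape. The profile body continues outside the hunk.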


@ -50,6 +50,8 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
/etc/networkd-dispatcher/carrier.d/{,*} r, /etc/networkd-dispatcher/carrier.d/{,*} r,
/ r,
@{run}/systemd/network/ r, @{run}/systemd/network/ r,
@{run}/systemd/network/*.network r, @{run}/systemd/network/*.network r,
@{run}/systemd/notify rw, @{run}/systemd/notify rw,


@ -25,6 +25,7 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) {
@{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper
@{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper
/etc/libvirt/**/ r,
/etc/libvirt/libvirt.conf r, /etc/libvirt/libvirt.conf r,
# For disk images # For disk images


@ -46,14 +46,13 @@ profile anyremote @{exec_path} {
@{bin}/convert-im6.q16 rCx -> imagemagic, @{bin}/convert-im6.q16 rCx -> imagemagic,
@{bin}/killall rCx -> killall, @{bin}/killall rCx -> killall,
@{bin}/pgrep rCx -> pgrep, @{bin}/pgrep rCx -> pgrep,
@{lib}/qt5/bin/qdbus rCx -> qdbus,
@{bin}/pacmd rPx, @{bin}/pacmd rPx,
@{bin}/pactl rPx, @{bin}/pactl rPx,
@{bin}/wmctrl rPx,
@{bin}/qtchooser rPx,
@{bin}/ps rPx, @{bin}/ps rPx,
@{bin}/qtchooser rPx,
@{bin}/wmctrl rPx,
@{lib}/qt{5,6}/bin/qdbus rPx,
# Players # Players
@{bin}/smplayer rPx, @{bin}/smplayer rPx,
@ -128,14 +127,6 @@ profile anyremote @{exec_path} {
include if exists <local/anyremote_pgrep> include if exists <local/anyremote_pgrep>
} }
profile qdbus {
include <abstractions/base>
@{lib}/qt5/bin/qdbus mr,
include if exists <local/anyremote_qdbus>
}
include if exists <local/anyremote> include if exists <local/anyremote>
} }
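Review bot: Switching from `rCx -> qdbus` to `@{lib}/qt{5,6}/bin/qdbus rPx,` in the first hunk, together with deleting the `profile qdbus` child in the second, makes the exec depend on a standalone profile attached to `@{lib}/qt{5,6}/bin/qdbus` existing in the repo; with `Px` and no matching profile the exec is denied rather than falling back, so this should be confirmed (or `rPix` used if an inherit fallback is acceptable). The removed child profile only covered the qt5 path, so the qt6 path is new coverage the standalone profile must also attach to. Both hunks sit inside the anyremote profile, which starts outside the hunk.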


@ -23,7 +23,7 @@ profile fusermount @{exec_path} {
mount fstype={fuse,fuse.*} -> @{MOUNTS}/*/*/, mount fstype={fuse,fuse.*} -> @{MOUNTS}/*/*/,
mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/*/, mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/*/,
mount fstype={fuse,fuse.*} -> /var/tmp/flatpak-cache-*/*/, mount fstype={fuse,fuse.*} -> /var/tmp/flatpak-cache-*/*/,
mount fstype={fuse,fuse.*} -> /tmp/.mount_nextcl@{rand6}/, mount fstype={fuse,fuse.*} -> /tmp/.mount_*@{rand6}/,
umount @{HOME}/*/, umount @{HOME}/*/,
umount @{HOME}/*/*/, umount @{HOME}/*/*/,
@ -47,6 +47,8 @@ profile fusermount @{exec_path} {
owner @{user_cache_dirs}/**/ rw, owner @{user_cache_dirs}/**/ rw,
/tmp/.mount_*@{rand6}/ r,
@{run}/user/@{uid}/doc/ r, @{run}/user/@{uid}/doc/ r,
@{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/mounts r,
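Review bot: The added read rule `/tmp/.mount_*@{rand6}/ r,` in the second hunk is not owner-scoped, unlike the neighbouring `owner @{user_cache_dirs}/**/ rw,`; since /tmp is shared, `owner /tmp/.mount_*@{rand6}/ r,` keeps the rule from matching another user's mount point. The mount rule in the first hunk is widened from `.mount_nextcl` to any `.mount_*` target, which fits AppImage-style naming, but a short comment such as `# AppImage mount points` next to it would record that intent. Whether these paths should use `@{tmp}` as other profiles in this commit do depends on that variable's definition, which is outside the hunk.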


@ -113,6 +113,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
/dev/bus/usb/ r, /dev/bus/usb/ r,
/dev/bus/usb/@{int}/@{int} rw, /dev/bus/usb/@{int}/@{int} rw,
/dev/cpu/@{int}/msr rw, /dev/cpu/@{int}/msr rw,
/dev/dri/card@{int} rw,
/dev/drm_dp_aux@{int} rw, /dev/drm_dp_aux@{int} rw,
/dev/gpiochip@{int} r, /dev/gpiochip@{int} r,
/dev/hidraw@{int} rw, /dev/hidraw@{int} rw,


@ -14,7 +14,7 @@ profile mount @{exec_path} flags=(attach_disconnected) {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/disks-write> include <abstractions/disks-write>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability chown, capability chown,
capability dac_read_search, capability dac_read_search,
capability setgid, capability setgid,


@ -30,7 +30,6 @@ profile run-parts @{exec_path} {
/etc/anacrontab r, /etc/anacrontab r,
/etc/conf.d/snapper{,**} r, /etc/conf.d/snapper{,**} r,
/etc/snapper/configs/root r, /etc/snapper/configs/root r,
# Crontab # Crontab
/etc/cron.{hourly,daily,weekly,monthly}/ r, /etc/cron.{hourly,daily,weekly,monthly}/ r,


@ -266,7 +266,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
ptrace trace peer=steam//web, ptrace trace peer=steam//web,
signal receive set=kill peer=steam, signal receive set=(cont kill term) peer=steam,
unix receive type=stream, unix receive type=stream,


@ -40,6 +40,8 @@ profile strawberry @{exec_path} {
@{open_path} rPx -> child-open-help, @{open_path} rPx -> child-open-help,
/etc/fstab r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/etc/machine-id r, /etc/machine-id r,
@ -50,6 +52,7 @@ profile strawberry @{exec_path} {
owner @{user_config_dirs}/strawberry/ rw, owner @{user_config_dirs}/strawberry/ rw,
owner @{user_config_dirs}/strawberry/* rwkl -> @{user_config_dirs}/strawberry/#@{int}, owner @{user_config_dirs}/strawberry/* rwkl -> @{user_config_dirs}/strawberry/#@{int},
owner @{user_config_dirs}/strawberryrc r,
owner @{user_share_dirs}/strawberry/ rw, owner @{user_share_dirs}/strawberry/ rw,
owner @{user_share_dirs}/strawberry/** rwk, owner @{user_share_dirs}/strawberry/** rwk,
@ -65,6 +68,8 @@ profile strawberry @{exec_path} {
owner @{tmp}/*= w, owner @{tmp}/*= w,
owner @{tmp}/#@{int} rw, owner @{tmp}/#@{int} rw,
owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/etilqs_@{hex16} rw,
owner @{tmp}/kdsingleapp-daemonspudguy-strawberry w,
owner @{tmp}/kdsingleapp-daemonspudguy-strawberry.lock rwk,
owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw,
owner @{tmp}/strawberry-cover-@{rand6}.jpg rwl -> @{tmp}/#@{int}, owner @{tmp}/strawberry-cover-@{rand6}.jpg rwl -> @{tmp}/#@{int},
owner @{tmp}/strawberry*[0-9] w, owner @{tmp}/strawberry*[0-9] w,
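Review bot: The two new rules `owner @{tmp}/kdsingleapp-daemonspudguy-strawberry w,` and `owner @{tmp}/kdsingleapp-daemonspudguy-strawberry.lock rwk,` in the third hunk appear to embed a local username in the path, so they only match on that one account; `owner @{tmp}/kdsingleapp-*-strawberry w,` and `owner @{tmp}/kdsingleapp-*-strawberry.lock rwk,` (or a user-name variable, if the repo defines one) would make the rules portable. The `owner` qualifier already limits the match to the user's own files, so the wider name does not expose the lock file to other users. The profile body continues outside these hunks.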


@ -19,9 +19,9 @@ profile top @{exec_path} flags=(attach_disconnected) {
capability sys_nice, capability sys_nice,
capability sys_ptrace, capability sys_ptrace,
signal (send), signal send,
ptrace (read), ptrace read,
@{exec_path} mr, @{exec_path} mr,


@ -24,10 +24,7 @@ profile update-ca-trust @{exec_path} {
/ r, / r,
/usr/share/p11-kit/modules/{,*} r, /usr/share/p11-kit/modules/{,*} r,
/etc/ca-certificates/extracted/{tls,email,objsign}-ca-bundle.pem{,.*} w, /etc/ca-certificates/extracted/** rw,
/etc/ca-certificates/extracted/ca-bundle.trust.crt{,.*} w,
/etc/ca-certificates/extracted/cadir/{,*} rw,
/etc/ca-certificates/extracted/edk2-cacerts.bin{,.*} w,
/etc/ssl/certs/{,*} rw, /etc/ssl/certs/{,*} rw,
/etc/ssl/certs/java/cacerts{,.*} w, /etc/ssl/certs/java/cacerts{,.*} w,
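Review bot: Replacing the four file-specific write rules with `/etc/ca-certificates/extracted/** rw,` gives the profile read-write on every file and directory under the extracted trust store, where previously only the named bundle files (and their `.*` temporaries) were writable. This is the tool's own output tree, so the widening is probably harmless in practice, but the explicit list documented which trust anchors the profile may rewrite. One way to keep the new rule's directory handling without losing that is `/etc/ca-certificates/extracted/{,**/} rw,`, `/etc/ca-certificates/extracted/cadir/* rw,` and `/etc/ca-certificates/extracted/**.{pem,crt,bin}{,.*} w,`; if new output files prompted the change, naming them in a comment would preserve the audit trail. The profile body continues outside the hunk.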


@ -61,7 +61,7 @@ profile wireplumber @{exec_path} {
@{sys}/bus/ r, @{sys}/bus/ r,
@{sys}/bus/media/devices/ r, @{sys}/bus/media/devices/ r,
@{sys}/devices/@{pci}/video4linux/video@{int}/uevent r, @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r,
@{sys}/devices/**/device:*/**/path r, @{sys}/devices/**/device:*/{,**/}path r,
@{sys}/devices/**/sound/**/pcm_class r, @{sys}/devices/**/sound/**/pcm_class r,
@{sys}/devices/**/sound/**/uevent r, @{sys}/devices/**/sound/**/uevent r,
@{sys}/devices/system/node/ r, @{sys}/devices/system/node/ r,