mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 08:58:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

chore(fix): remove upstreamed extra abstraction for ubuntu.

Browse source
This commit is contained in:
Alexandre Pujol 2022-05-21 17:29:15 +01:00
parent d3d9277978
commit 63b5ecd123
Failed to generate hash of commit
7 changed files with 0 additions and 427 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

45
dists/ubuntu/abstractions/dbus-network-manager-strict
View file

@ -1,45 +0,0 @@
# vim:syntax=apparmor
dbus send
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=GetDevices
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Devices/[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Settings
interface=org.freedesktop.NetworkManager.Settings
member={GetDevices,ListConnections}
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Settings/[0-9]*
interface=org.freedesktop.NetworkManager.Settings.Connection
member=GetSettings
peer=(name=org.freedesktop.NetworkManager),
include if exists <abstractions/dbus-network-manager-strict.d>

74
dists/ubuntu/abstractions/exo-open
View file

@ -1,74 +0,0 @@
# vim:syntax=apparmor
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via exo-open helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/exo-open directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/exo-open rPx -> foo//exo-open,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//exo-open {
# include <abstractions/exo-open>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # Add if accesibility access is considered as required
# # (for message boxe in case exo-open fails)
# include <abstractions/dbus-accessibility>
#
# # < add additional allowed applications here >
# }
include <abstractions/X>
include <abstractions/audio> # for alert messages
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/gnome>
# Main executables
/usr/bin/exo-open rix,
/usr/lib{32,64,/@{multiarch}}/xfce4/exo-[0-9]/exo-helper-[0-9] ix,
# Other executables
/{,usr/}bin/which rix,
# Deny DBus
# for GTK error message dialog, not required exo-open to work.
deny dbus send
bus=session
path=/org/gtk/vfs/mounttracker,
# System files
/etc/xdg/{,xdg-*/}xfce4/helpers.rc r,
/etc/xfce4/defaults.list r, # TODO: move into xfce4 abstraction?
/usr/share/sounds/freedesktop/** r, # for message box alert sound
/usr/share/xfce4/helpers/*.desktop r,
/usr/share/{xfce{,4},xubuntu}/applications/{,*.list} r,
# User files
owner @{PROC}/@{pid}/fd/ r,
owner @{HOME}/.config/xfce4/helpers.rc r,
owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
# Include additions to the abstraction
include if exists <abstractions/exo-open.d>

57
dists/ubuntu/abstractions/gio-open
View file

@ -1,57 +0,0 @@
# vim:syntax=apparmor
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via gio helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/gio directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/gio rPx -> foo//gio-open,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//gio-open {
# include <abstractions/gio-open>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # < add additional allowed applications here >
# }
include <abstractions/base>
include <abstractions/dbus-session-strict>
# Main executables
/usr/bin/gio rix,
/usr/bin/gio-launch-desktop ix, # for OpenSUSE
/usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix,
# System files
/etc/gnome/defaults.list r,
/usr/share/mime/* r,
/usr/share/{,*/}applications/{,**} r,
/var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
/var/lib/snapd/desktop/applications/{,**} r,
# User files
owner @{HOME}/.config/mimeapps.list r,
owner @{HOME}/.local/share/applications/{,*.desktop} r,
owner @{PROC}/@{pid}/fd/ r,
# Include additions to the abstraction
include if exists <abstractions/gio-open.d>

46
dists/ubuntu/abstractions/gvfs-open
View file

@ -1,46 +0,0 @@
# vim:syntax=apparmor
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via gvfs-open helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/gvfs-open directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/gvfs-open rPx -> foo//gvfs-open,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//gvfs-open {
# include <abstractions/gvfs-open>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # < add additional allowed applications here >
# }
# ```
include <abstractions/base>
# gvfs-open is deprecated, it launches gio open <uri>
include <abstractions/gio-open>
# Main executables
/usr/bin/gvfs-open r,
/{,usr/}bin/dash mr,
# Include additions to the abstraction
include if exists <abstractions/gvfs-open.d>

17
dists/ubuntu/abstractions/hosts_access
View file

@ -1,17 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/etc/hosts.deny r,
/etc/hosts.allow r,
include if exists <abstractions/hosts_access.d>

104
dists/ubuntu/abstractions/kde-open5
View file

@ -1,104 +0,0 @@
# vim:syntax=apparmor
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via kde-open5 helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/kde-open5 directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/kde-open5 rPx -> foo//kde-open5,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//kde-open5 {
# include <abstractions/kde-open5>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # Add if accesibility access is considered as required
# # (for message boxe in case exo-open fails)
# include <abstractions/dbus-accessibility>
#
# # Add if audio support for message box is
# # considered as required.
# include if exists <abstractions/gstreamer>
#
# # < add additional allowed applications here >
# }
# ```
include <abstractions/audio> # for alert messages
include <abstractions/base>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-network-manager-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/kde-icon-cache-write>
include <abstractions/kde>
include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
include <abstractions/openssl>
include <abstractions/qt5>
include <abstractions/recent-documents-write>
include <abstractions/X>
# Main executables
/usr/bin/kde-open5 rix,
/usr/lib/@{multiarch}/libexec/kf5/kioslave{,5} ix,
# DBus
dbus
bus=session
interface=org.kde.KLauncher
member=start_service_by_desktop_path
peer=(name=org.kde.klauncher5),
# Denied system files
deny /usr/lib/vlc/plugins/* w, # VLC backed tries to create plugins.dat.16109
# libpcre2 on openSUSE tries to mmap() shared memory on directory.
# see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
# AppArmor does not allow to distinguish "real" file vs shared memory one,
# so we deny this path to protect from loading exploits from /tmp.
deny /tmp/#[0-9]*[0-9] m,
# System files
/dev/tty r,
/etc/xdg/accept-languages.codes r,
/etc/xdg/menus/{,*/} r,
/usr/share/*fonts*/conf.avail/*.conf r, # for openSUSE, when showing error message box
/usr/share/ghostscript/fonts/ r, # for openSUSE, when showing error message box
/usr/share/hwdata/pnp.ids r, # for openSUSE, when showing error message box, for QXcbConnection::initializeScreens() from libQt5XcbQpa.so
/usr/share/icu/[0-9]*.[0-9]*/*.dat r, # for openSUSE
/usr/share/kservices5/{,**} r, # for KProtocolManager::defaultUserAgent() from libKF5KIOCore.so
/usr/share/mime/ r,
/usr/share/mime/generic-icons r,
/usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
/usr/share/sounds/ r,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/random/boot_id r,
# User files
owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so
owner @{run}/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13
owner @{run}/user/[0-9]*/kioclient*slave-socket lrw -> @{run}/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
owner @{HOME}/.cache/kio_http/ rw,
# Include additions to the abstraction
include if exists <abstractions/kde-open5.d>

84
dists/ubuntu/abstractions/xdg-open
View file

@ -1,84 +0,0 @@
# vim:syntax=apparmor
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via xdg-open helper. xdg-open abstraction
# will allow to use gio-open, kde-open5 and other helpers of the different
# desktop environments.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/xdg-open rPx -> foo//xdg-open,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//xdg-open {
# include <abstractions/xdg-open>
#
# # Enable a11y support if considered required by
# # profile author for (rare) error message boxes.
# include <abstractions/dbus-accessibility>
#
# # Enable gstreamer support if considered required by
# # profile author for (rare) error message boxes.
# include if exists <abstractions/gstreamer>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # < add additional allowed applications here >
# }
# ```
include <abstractions/base>
# for openin with `exo-open`
include <abstractions/exo-open>
# for opening with `gio open <uri>`
include <abstractions/gio-open>
# for opening with gvfs-open (deprecated)
include <abstractions/gvfs-open>
# for opening with kde-open5
include <abstractions/kde-open5>
# Main executables
/{,usr/}bin/{b,d}ash mr,
/usr/bin/xdg-open r,
# Additional executables
/usr/bin/xdg-mime rix,
/{,usr/}bin/cut rix, # for xdg-mime
/{,usr/}bin/head rix, # for xdg-mime
/{,usr/}bin/sed rix, # for xdg-open
/{,usr/}bin/tr rix, # for xdg-mime
/{,usr/}bin/which rix, # for xdg-open
/{,usr/}bin/{grep,egrep} rix, # for xdg-open
# System files
/dev/pts/[0-9]* rw,
/dev/tty w,
/etc/gnome/defaults.list r, # for grep
/usr/share/applications/mimeinfo.cache r, # for grep
/usr/share/terminfo/s/screen r, # for bash on openSUSE
/usr/share/{,*/}applications/{,*.desktop} r, # for xdg-mime
/var/lib/menu-xdg/applications/ r, # for xdg-mime
# Usr files
owner @{HOME}/.local/share/applications/{,*.desktop} r,
# Include additions to the abstraction
include if exists <abstractions/xdg-open.d>