mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-18 08:58:15 +01:00
feat(profiles): general update.
This commit is contained in:
Alexandre Pujol
parent
671dcca38d
commit
63e5980d8d
33 changed files with 177 additions and 85 deletions
|
|
@ -24,6 +24,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
|
|||
capability net_admin,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
capability sys_nice,
|
||||
|
||||
signal (send) peer=apt-methods-*,
|
||||
|
||||
|
|
@ -60,9 +61,10 @@ profile apt @{exec_path} flags=(attach_disconnected) {
|
|||
# Methods to use to download packages from the net
|
||||
/{usr/,}lib/apt/methods/* rPx,
|
||||
|
||||
/var/lib/apt/extended_states{,.*} rw,
|
||||
/var/lib/apt/lists/** rw,
|
||||
/var/lib/apt/lists/lock rwk,
|
||||
/var/lib/apt/extended_states{,.*} rw,
|
||||
/var/lib/apt/periodic/update-success-stamp rw,
|
||||
|
||||
/var/log/apt/eipp.log.xz w,
|
||||
/var/log/apt/{term,history}.log w,
|
||||
|
|
|
|||
|
|
@ -9,10 +9,11 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}bin/unattended-upgrade
|
||||
profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/python>
|
||||
include <abstractions/consoles>
|
||||
|
||||
capability chown,
|
||||
capability dac_override,
|
||||
|
|
@ -78,6 +79,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
|
|||
owner /tmp/#[0-9]* rw,
|
||||
|
||||
owner @{PROC}/@{pids}/fd/ r,
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
|
||||
include if exists <local/unattended-upgrade>
|
||||
}
|
||||
|
|
@ -14,7 +14,6 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/dbus>
|
||||
include <abstractions/dbus-session>
|
||||
include <abstractions/dbus-accessibility>
|
||||
# include <abstractions/dbus-network-manager-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability audit_write,
|
||||
|
|
@ -93,7 +92,5 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
/dev/input/event[0-9]* rw,
|
||||
/dev/tty[0-9]* rw,
|
||||
|
||||
unix type=stream addr="@/tmp/dbus-*",
|
||||
|
||||
include if exists <local/dbus-daemon>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2018-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -12,19 +13,18 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
# Needed?
|
||||
deny capability sys_nice,
|
||||
|
||||
signal (receive) set=(term hup) peer=gdm*,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
/var/lib/lightdm/.Xauthority r,
|
||||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
# file_inherit
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
||||
include if exists <local/at-spi2-registryd>
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2018-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -8,7 +9,7 @@ include <tunables/global>
|
|||
|
||||
@{exec_path} = /{usr/,}lib/colord/colord-sane
|
||||
@{exec_path} += @{libexec}/colord-sane
|
||||
profile colord-sane @{exec_path} flags=(complain) {
|
||||
profile colord-sane @{exec_path} flags=(attach_disconnected,complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/devices-usb>
|
||||
|
||||
|
|
@ -16,17 +17,18 @@ profile colord-sane @{exec_path} flags=(complain) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/sane.d/{,**} r,
|
||||
/usr/share/snmp/mibs/{,*} r,
|
||||
|
||||
/etc/sane.d/{,**} r,
|
||||
/etc/snmp/snmp.conf r,
|
||||
|
||||
/var/lib/snmp/{mib,cert}_indexes/ rw,
|
||||
/var/lib/snmp/mibs/{iana,ietf}/ r,
|
||||
/var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r,
|
||||
|
||||
/var/lib/snmp/{mib,cert}_indexes/ rw,
|
||||
/usr/share/snmp/mibs/{,*} r,
|
||||
@{run}/systemd/journal/socket rw,
|
||||
|
||||
@{sys}/bus/scsi/devices/ r,
|
||||
|
||||
@{sys}/devices/pci[0-9]*/**/{vendor,model,type} r,
|
||||
|
||||
@{PROC}/sys/dev/parport/ r,
|
||||
|
|
|
|||
|
|
@ -14,10 +14,11 @@ profile polkitd @{exec_path} {
|
|||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability setuid,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
capability sys_nice,
|
||||
capability sys_ptrace,
|
||||
audit deny capability net_admin,
|
||||
audit capability net_admin,
|
||||
|
||||
ptrace (read),
|
||||
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@ profile upower @{exec_path} {
|
|||
include <abstractions/base>
|
||||
|
||||
# Needed?
|
||||
deny capability sys_nice,
|
||||
audit capability sys_nice,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2018-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2018-2022 Mikhail Morfikov
|
||||
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -17,30 +18,12 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
# UPower config file
|
||||
/etc/UPower/ r,
|
||||
/etc/UPower/UPower.conf r,
|
||||
|
||||
# The history data for the power device
|
||||
/var/lib/upower/ r,
|
||||
/var/lib/upower/history-*.dat{,.*} rw,
|
||||
|
||||
# Are all of these needed? (#FIXME#)
|
||||
/dev/input/event* r,
|
||||
@{sys}/bus/hid/devices/ r,
|
||||
@{sys}/class/leds/ r,
|
||||
@{sys}/class/power_supply/ r,
|
||||
@{sys}/class/input/ r,
|
||||
@{sys}/devices/ r,
|
||||
@{sys}/devices/**/power_supply/**/* r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/**/capabilities/* r,
|
||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
|
||||
@{sys}/devices/platform/**/leds/**/max_brightness r,
|
||||
@{sys}/devices/platform/**/leds/**/brightness rw,
|
||||
@{sys}/devices/platform/**/leds/**/brightness_hw_changed r,
|
||||
|
||||
@{run}/udev/data/ r,
|
||||
@{run}/udev/data/+power_supply* r,
|
||||
@{run}/udev/data/+input* r,
|
||||
|
|
@ -49,5 +32,20 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
|
||||
@{sys}/bus/hid/devices/ r,
|
||||
@{sys}/class/input/ r,
|
||||
@{sys}/class/leds/ r,
|
||||
@{sys}/class/power_supply/ r,
|
||||
@{sys}/devices/ r,
|
||||
@{sys}/devices/**/capabilities/* r,
|
||||
@{sys}/devices/**/power_supply/**/* r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/platform/**/leds/**/brightness rw,
|
||||
@{sys}/devices/platform/**/leds/**/brightness_hw_changed r,
|
||||
@{sys}/devices/platform/**/leds/**/max_brightness r,
|
||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
|
||||
/dev/input/event* r,
|
||||
|
||||
include if exists <local/upowerd>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -34,7 +34,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/pipewire/client.conf r,
|
||||
/usr/share/xdg-desktop-portal/portals/{,*.portal} r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/pipewire/client.conf.d/ r,
|
||||
|
||||
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
||||
|
|
@ -43,6 +42,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/user/@{uid}/.flatpak/{,*/*} r,
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
|
||||
|
||||
owner @{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/ r,
|
||||
|
|
|
|||
|
|
@ -11,6 +11,8 @@ include <tunables/global>
|
|||
profile xkbcomp @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
|
||||
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/X11/xkb/** r,
|
||||
|
|
|
|||
|
|
@ -11,6 +11,8 @@ include <tunables/global>
|
|||
profile xrdb @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
|
|
|
|||
|
|
@ -19,6 +19,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
|
|||
signal (receive) set=(term hup) peer=gdm*,
|
||||
signal (receive) set=(term hup) peer=gnome-shell,
|
||||
|
||||
unix (receive, send) type=stream addr="@/tmp/.X11-unix/X[0-9]*",
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
|
|
|
|||
|
|
@ -11,8 +11,8 @@ profile evolution-source-registry @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/p11-kit>
|
||||
include <abstractions/ssl_certs>
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
|
|
|||
|
|
@ -23,7 +23,6 @@ profile gnome-extension-ding @{exec_path} {
|
|||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/gnome-shell/extensions/ding@rastersoft.com/* r,
|
||||
/usr/share/themes/{,**} r,
|
||||
/usr/share/thumbnailers/{,*.thumbnailer} r,
|
||||
/usr/share/X11/{,**} r,
|
||||
|
||||
|
|
@ -38,6 +37,7 @@ profile gnome-extension-ding @{exec_path} {
|
|||
owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
|
||||
|
||||
owner @{run}/user/@{uid}/bus rw,
|
||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -99,6 +99,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_config_dirs}/user-dirs.locale r,
|
||||
owner @{user_share_dirs}/applications/ r,
|
||||
owner @{user_share_dirs}/applications/mimeinfo.cache r,
|
||||
owner @{user_share_dirs}/session_migration-ubuntu r,
|
||||
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
|
|
@ -107,6 +108,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
|
||||
owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl,
|
||||
owner @{run}/user/@{uid}/systemd/notify w,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
@{run}/systemd/sessions/* r,
|
||||
@{run}/systemd/sessions/*.ref rw,
|
||||
|
|
|
|||
|
|
@ -39,6 +39,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
signal (send),
|
||||
|
||||
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
|
||||
unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
@ -126,6 +129,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
|
||||
owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
|
||||
owner @{run}/user/@{uid}/snap.snapd-desktop-integration/wayland-cursor-shared-* rw,
|
||||
owner @{run}/user/@{uid}/systemd/notify rw,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9].lock rwk,
|
||||
|
||||
owner /dev/shm/.org.chromium.Chromium.* rw,
|
||||
|
|
|
|||
|
|
@ -17,6 +17,8 @@ profile gnome-shell-calendar-server @{exec_path} {
|
|||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/zoneinfo-icu/{,**} r,
|
||||
|
||||
/etc/timezone r,
|
||||
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -24,8 +24,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/sounds/freedesktop/stereo/*.oga r,
|
||||
/usr/share/thumbnailers/{,**} r,
|
||||
/usr/share/tracker3/{,**} r,
|
||||
/usr/share/ubuntu/applications/{,**} r,
|
||||
|
||||
owner @{user_share_dirs}/nautilus/{,**} rwk,
|
||||
/var/lib/snapd/desktop/icons/{,**} r,
|
||||
|
||||
# Full access to user's data
|
||||
/ r,
|
||||
|
|
@ -42,6 +43,8 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
|||
deny /tmp/.* rw,
|
||||
deny /tmp/.*/{,**} rw,
|
||||
|
||||
owner @{user_share_dirs}/nautilus/{,**} rwk,
|
||||
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -15,7 +15,12 @@ profile apt-esm-hook @{exec_path} {
|
|||
|
||||
/{usr/,}bin/dpkg rPx,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
/var/lib/ubuntu-advantage/messages/{,**} rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
|
||||
include if exists <local/apt-esm-hook>
|
||||
}
|
||||
|
|
@ -10,13 +10,18 @@ include <tunables/global>
|
|||
profile check-new-release-gtk @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/apt-common>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/python>
|
||||
include <abstractions/ssl_certs>
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
@ -25,17 +30,22 @@ profile check-new-release-gtk @{exec_path} {
|
|||
/{usr/,}bin/lsb_release rPx -> lsb_release,
|
||||
|
||||
/usr/share/distro-info/{,**} r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/icons/{,**} r,
|
||||
/usr/share/themes/{,**} r,
|
||||
/usr/share/ubuntu-release-upgrader/{,**} r,
|
||||
/usr/share/update-manager/{,**} r,
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
|
||||
/etc/update-manager/{,**} r,
|
||||
|
||||
owner @{user_cache_dirs}/update-manager-core/{,**} rw,
|
||||
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9] rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
@{PROC}/@{pids}/mounts r,
|
||||
|
||||
include if exists <local/check-new-release-gtk>
|
||||
}
|
||||
|
|
@ -10,16 +10,19 @@ include <tunables/global>
|
|||
profile livepatch-notification @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/gtk>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/icons/{,**} r,
|
||||
/usr/share/X11/{,**} r,
|
||||
/usr/share/themes/{,**} r,
|
||||
|
||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||
owner @{run}/user/@{uid}/bus rw,
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
|
||||
include if exists <local/livepatch-notification>
|
||||
}
|
||||
|
|
@ -16,6 +16,9 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
ptrace (read),
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
|
|
|
|||
|
|
@ -11,16 +11,18 @@ profile ubuntu-advantage-notification @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/dbus-session>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/gtk>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/icons/{,**} r,
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
/usr/share/themes/{,**} r,
|
||||
|
||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
|
||||
include if exists <local/ubuntu-advantage-notification>
|
||||
}
|
||||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile ubuntu-report @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/ssl_certs>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,28 +9,42 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}lib/update-notifier/update-motd-updates-available
|
||||
profile update-motd-updates-available @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/apt-common>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/python>
|
||||
|
||||
capability dac_read_search,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/python3.[0-9]* r,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/apt-config rPx,
|
||||
/{usr/,}bin/chmod rix,
|
||||
/{usr/,}bin/dirname rix,
|
||||
/{usr/,}bin/dpkg rPx -> child-dpkg,
|
||||
/{usr/,}bin/find rix,
|
||||
/{usr/,}bin/ischroot rix,
|
||||
/{usr/,}bin/lsb_release rPx -> lsb_release,
|
||||
/{usr/,}bin/mktemp rix,
|
||||
/{usr/,}bin/mv rix,
|
||||
/{usr/,}bin/rm rix,
|
||||
/{usr/,}lib/update-notifier/apt_check.py rix,
|
||||
|
||||
/etc/apt/apt.conf.d/{,*} r,
|
||||
/etc/apt/sources.list r,
|
||||
/usr/share/distro-info/{,**} r,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
/var/lib/apt/lists/{,*} r,
|
||||
/var/lib/update-notifier/{,*} rw,
|
||||
|
||||
/var/cache/apt/ r,
|
||||
/var/cache/apt/** rwk,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
|
||||
include if exists <local/update-motd-updates-available>
|
||||
}
|
||||
|
|
@ -18,33 +18,46 @@ profile update-notifier @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/dpkg rPx,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/ionice rix,
|
||||
/{usr/,}bin/ischroot rix,
|
||||
/{usr/,}bin/lsb_release rPx -> lsb_release,
|
||||
/{usr/,}bin/nice rix,
|
||||
|
||||
/{usr/,}bin/dpkg rPx,
|
||||
/{usr/,}bin/lsb_release rPx -> lsb_release,
|
||||
/{usr/,}bin/pkexec rPx,
|
||||
/{usr/,}bin/systemctl rPx -> child-systemctl,
|
||||
/{usr/,}bin/update-manager rPx,
|
||||
/{usr/,}lib/ubuntu-release-upgrader/check-new-release-gtk rPx,
|
||||
/{usr/,}lib/update-notifier/apt_check.py rix,
|
||||
/{usr/,}lib/update-notifier/list-oem-metapackages rPx,
|
||||
/{usr/,}lib/update-notifier/livepatch-notification rPx,
|
||||
/{usr/,}lib/update-notifier/package-system-locked rPx,
|
||||
/usr/share/apport/apport-checkreports rPx,
|
||||
/usr/share/apport/apport-gtk rPx,
|
||||
|
||||
/usr/share/applications/{,*.desktop} r,
|
||||
/usr/share/applications/{,**} r,
|
||||
/usr/share/dpkg/cputable r,
|
||||
/usr/share/dpkg/tupletable r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/icons/{,**} r,
|
||||
/usr/share/themes/{,**} r,
|
||||
/usr/share/mime/mime.cache r,
|
||||
/usr/share/pixmaps/ r,
|
||||
/usr/share/ubuntu/applications/ r,
|
||||
/usr/share/update-notifier/{,**} r,
|
||||
/usr/share/X11/{,**} r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/gnome/defaults.list r,
|
||||
|
||||
/var/lib/snapd/desktop/applications/{,**} r,
|
||||
/var/lib/snapd/desktop/icons/ r,
|
||||
/var/lib/update-notifier/user.d/ r,
|
||||
/var/lib/snapd/desktop/applications/{,/mimeinfo.cache} r,
|
||||
|
||||
owner @{user_share_dirs}/applications/ r,
|
||||
|
||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||
owner @{run}/user/@{uid}/bus rw,
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/update-notifier.pid rwk,
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2020-2021 Mikhail Morfikov
|
||||
# 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2020-2022 Mikhail Morfikov
|
||||
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -8,11 +8,12 @@ abi <abi/3.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/fwupdmgr
|
||||
profile fwupdmgr @{exec_path} flags=(complain) {
|
||||
profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/ssl_certs>
|
||||
|
||||
signal (send),
|
||||
|
||||
|
|
@ -27,26 +28,22 @@ profile fwupdmgr @{exec_path} flags=(complain) {
|
|||
/{usr/,}bin/dbus-launch rCx -> dbus,
|
||||
/{usr/,}bin/pkttyagent rPx,
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/fwupd/ rw,
|
||||
owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw,
|
||||
owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/fwupd/ rw,
|
||||
owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw,
|
||||
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
/dev/tty rw,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
profile dbus {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
|||
|
|
@ -12,8 +12,7 @@ profile ifup @{exec_path} {
|
|||
include <abstractions/base>
|
||||
|
||||
capability net_admin,
|
||||
# Needed?
|
||||
audit deny capability sys_module,
|
||||
audit capability sys_module,
|
||||
|
||||
network netlink raw,
|
||||
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ abi <abi/3.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}{s,}bin/logrotate
|
||||
profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
|
||||
profile logrotate @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
|
|
@ -71,16 +71,15 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
|
|||
/var/lib/logrotate.status rwk,
|
||||
/var/lib/logrotate.status.tmp rw,
|
||||
|
||||
/ r,
|
||||
/var/log{,.hdd}/ r,
|
||||
/var/log{,.hdd}/** rw,
|
||||
|
||||
# Needed to remove the following error:
|
||||
# logrotate[]: error: could not change directory to '.'
|
||||
/ r,
|
||||
@{run}/systemd/private rw,
|
||||
|
||||
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
|
||||
|
||||
profile systemctl flags=(attach_disconnected, complain) {
|
||||
profile systemctl flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/wutmp>
|
||||
|
||||
|
|
|
|||
|
|
@ -7,28 +7,53 @@ abi <abi/3.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}{s,}bin/needrestart
|
||||
profile needrestart @{exec_path} {
|
||||
profile needrestart @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/perl>
|
||||
include <abstractions/python>
|
||||
include <abstractions/wutmp>
|
||||
|
||||
capability checkpoint_restore,
|
||||
capability dac_read_search,
|
||||
capability sys_ptrace,
|
||||
|
||||
ptrace (read),
|
||||
|
||||
@{exec_path} mr,
|
||||
@{exec_path} mrix,
|
||||
|
||||
/{usr/,}bin/systemd-detect-virt rPx,
|
||||
/{usr/,}bin/who rix,
|
||||
/usr/share/debconf/frontend rix,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/dpkg-query rpx,
|
||||
/{usr/,}bin/locale rix,
|
||||
/{usr/,}bin/python3.[0-9]* rix,
|
||||
/{usr/,}bin/stty rix,
|
||||
/{usr/,}bin/systemctl rPx,
|
||||
/{usr/,}bin/systemd-detect-virt rPx,
|
||||
/{usr/,}bin/udevadm rPx,
|
||||
/{usr/,}bin/whiptail rPx,
|
||||
/{usr/,}bin/who rix,
|
||||
/{usr/,}lib/needrestart/iucode-scan-versions rPx,
|
||||
/usr/share/debconf/frontend rix,
|
||||
|
||||
/usr/share/needrestart/{,**} r,
|
||||
/usr/share/unattended-upgrades/unattended-upgrade-shutdown r,
|
||||
|
||||
/etc/debconf.conf r,
|
||||
/etc/needrestart/{,**} r,
|
||||
/etc/needrestart/hook.d/* rix,
|
||||
/etc/needrestart/restart.d/* rix,
|
||||
/etc/shadow r,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
@{PROC}/@{pids}/environ r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
@{PROC}/@{pids}/environ r,
|
||||
@{PROC}/@{pids}/maps r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
|
||||
/dev/ r,
|
||||
/dev/**/ r,
|
||||
|
|
|
|||
|
|
@ -12,6 +12,8 @@ profile spice-vdagent @{exec_path} {
|
|||
include <abstractions/audio>
|
||||
include <abstractions/gtk>
|
||||
|
||||
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
|
|
|||
|
|
@ -10,7 +10,6 @@ include <tunables/global>
|
|||
profile sysctl @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
capability mac_admin,
|
||||
capability net_admin,
|
||||
capability sys_admin,
|
||||
capability sys_resource,
|
||||
|
|
|
|||
|
|
@ -19,6 +19,7 @@ profile update-command-not-found @{exec_path} {
|
|||
@{exec_path} r,
|
||||
|
||||
/{usr/,}bin/python3.[0-9]* r,
|
||||
/{usr/,}lib/ r,
|
||||
|
||||
/{usr/,}bin/dpkg rPx -> child-dpkg,
|
||||
/{usr/,}lib/apt/apt-helper rix,
|
||||
|
|
|
|||
Loading…
Reference in a new issue