Global profile update.

Alexandre Pujol 2021-04-05 13:15:52 +01:00
parent 6aa99d3ec5
commit 64d8379375
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
9 changed files with 22 additions and 4 deletions


@ -21,7 +21,10 @@ profile chrome-gnome-shell @{exec_path} {
network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/ r,
/{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/python3.[0-9]* r,
owner @{user_lib_dirs}/python3.9/site-packages/ r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
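Review bot: The new rule `owner @{user_lib_dirs}/python3.9/site-packages/ r,` pins the interpreter minor version, while the rule two lines above already uses `/{usr/,}bin/python3.[0-9]* r,`; on the next Python upgrade this rule silently stops matching and the denial comes back. Suggest `owner @{user_lib_dirs}/python3.[0-9]*/site-packages/ r,` for consistency with the existing pattern. Note also that the trailing `/` grants only the directory itself (listing), nothing beneath it; if that is intended, a short comment such as `# directory listing only, modules are loaded from the system path` would save the next reader a check.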


@ -16,6 +16,8 @@ profile gnome-keyring-daemon @{exec_path} {
# gnome-keyring-daemon: insufficient process capabilities, unsecure memory might get used # gnome-keyring-daemon: insufficient process capabilities, unsecure memory might get used
capability ipc_lock, capability ipc_lock,
signal (send) set=(term) peer=ssh-agent,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/ssh-add rix, /{usr/,}bin/ssh-add rix,
/{usr/,}bin/ssh-agent rPx, /{usr/,}bin/ssh-agent rPx,
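Review bot: The added `signal (send) set=(term) peer=ssh-agent,` only takes effect if the child started through `/{usr/,}bin/ssh-agent rPx,` below really is confined under a profile named `ssh-agent`; if that profile carries a different name, the rule matches nothing and the signal would still be denied. A one-line comment tying the two rules together, e.g. `# terminate the ssh-agent spawned via rPx below (peer label must equal the ssh-agent profile name)`, would make the dependency explicit and easy to check when either profile is renamed.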


@ -38,6 +38,7 @@ profile gsd-xsettings @{exec_path} {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
/dev/dri/ r, /dev/dri/ r,
/dev/dri/renderD[0-9]* rw,
/dev/tty rw, /dev/tty rw,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,


@ -41,6 +41,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/systemctl rPx -> child-systemctl, /{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/ r,
/etc/ r, /etc/ r,
/etc/resolv.conf rw, /etc/resolv.conf rw,
/etc/resolv.conf.[0-9A-Z]* rw, /etc/resolv.conf.[0-9A-Z]* rw,
@ -70,9 +71,13 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+pci* r, @{run}/udev/data/+pci* r,
@{sys}/devices/**/uevent r, @{sys}/devices/**/uevent r,
@{sys}/devices/virtual/net/{,*} r, @{sys}/devices/virtual/net/{,**} r,
@{sys}/devices/pci[0-9]*/**/net/*/{,**} r, @{sys}/devices/pci[0-9]*/**/net/*/{,**} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/net/{,**} r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/net/{,**} r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
include if exists <local/NetworkManager> include if exists <local/NetworkManager>
} }
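Review bot: `@{PROC}/1/environ r,` in the second hunk is the grant worth a justification comment: it exposes the full environment of PID 1, a broader and more sensitive target than the neighbouring `osrelease` and `cmdline` reads, and nothing in the hunk says which NetworkManager code path needs it. If it was added for a specific logged denial, record the operation next to it, e.g. `# reads init's environment — <operation from the audit log placeholder>`, and consider whether a narrower path satisfies the need. The widening of `@{sys}/devices/virtual/net/{,*}` to `{,**}` presumably covers nested per-interface attributes, and the same one-line why-comment would help there.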


@ -13,6 +13,7 @@ profile systemd-tmpfiles @{exec_path} {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability dac_read_search, capability dac_read_search,
capability net_admin,
capability fsetid, capability fsetid,
capability mknod, capability mknod,
capability fowner, capability fowner,
@ -33,11 +34,13 @@ profile systemd-tmpfiles @{exec_path} {
# Where the tmpfiles can be created, # Where the tmpfiles can be created,
/{,*} rw, /{,*} rw,
/home/ rw,
/dev/{,**} rw, /dev/{,**} rw,
/var/{,**} rwk, /var/{,**} rwk,
/run/{,**} rw, /run/{,**} rw,
/tmp/{,**} rwk, /tmp/{,**} rwk,
/srv/{,**} rw, /srv/{,**} rw,
/etc/{,**} r,
@{run}/systemd/userdb/ r, @{run}/systemd/userdb/ r,
@{sys}/devices/system/cpu/microcode/reload w, @{sys}/devices/system/cpu/microcode/reload w,
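Review bot: `capability net_admin,` in the first hunk is the most privileged addition in this commit and carries no comment saying what systemd-tmpfiles does with it; the surrounding capabilities (dac_read_search, fsetid, mknod, fowner) are all filesystem-related and this one is not. If it comes from a logged denial, record the triggering operation beside it, e.g. `# net_admin: <operation from the audit log placeholder>`, and if the need is uncertain an `audit capability net_admin,` rule would confirm it before the grant is made permanent. In the second hunk, `/etc/{,**} r,` is a read rule placed under the `# Where the tmpfiles can be created,` comment, so it reads as if it belongs to the write group; moving it next to the other read rules or giving it its own comment would avoid that.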


@ -27,5 +27,8 @@ profile browserpass @{exec_path} {
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@{user_share_dirs}/gvfs-metadata/home r,
@{user_share_dirs}/gvfs-metadata/home-*.log r,
include if exists <local/browserpass> include if exists <local/browserpass>
} }


@ -25,6 +25,7 @@ profile git @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw,
@{exec_path} mrix, @{exec_path} mrix,
@ -114,6 +115,7 @@ profile git @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw,
/{usr/,}bin/ssh mr, /{usr/,}bin/ssh mr,
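Review bot: `network netlink raw,` is added identically in both hunks (profile lines 25 and 115) without a comment, so a reader cannot tell whether it is needed for interface enumeration during name resolution or for something else. Suggest the same one-line comment on both, e.g. `# netlink raw: interface enumeration during name resolution (confirm against the denial)`, kept hedged until the actual denial is checked. The block enclosing the second hunk starts outside the visible lines, so whether it is the main profile or a sub-profile cannot be confirmed here.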


@ -124,7 +124,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
@{run}/udisks2/mounted-fs{,.*} rw, @{run}/udisks2/mounted-fs{,.*} rw,
@{run}/systemd/seats/seat[0-9]* r, @{run}/systemd/seats/seat[0-9]* r,
@{run}/systemd/inhibit/[0-9]*.ref rw,
profile systemd-escape { profile systemd-escape {
include <abstractions/base> include <abstractions/base>


@ -25,9 +25,8 @@ profile wpa-supplicant @{exec_path} {
# remove this file before starting wpa_supplicant again. # remove this file before starting wpa_supplicant again.
capability chown, capability chown,
# Needed? (#FIXME#)
capability fsetid, capability fsetid,
audit deny capability sys_module, capability sys_module,
network packet raw, network packet raw,
network packet dgram, network packet dgram,