feat(profiles): add some missing dbus, MOUNTS and dconf rules.
parent
50a18aac08
commit
6898bac12f
@ -12,6 +12,7 @@ include <tunables/global>
|
||||
profile telegram-desktop @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/opencl-intel>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/fonts>
|
||||
@ -74,10 +75,6 @@ profile telegram-desktop @{exec_path} {
|
||||
/var/lib/dbus/machine-id r,
|
||||
/etc/machine-id r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
# Needed when saving files as, or otherwise the app crashes
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
|
@ -39,11 +39,11 @@ profile apt-cdrom @{exec_path} flags=(complain) {
|
||||
/media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r,
|
||||
|
||||
# For pendrives
|
||||
@{MOUNTS}/*/ r,
|
||||
@{MOUNTS}/*/**/ r,
|
||||
@{MOUNTS}/*/.disk/info r,
|
||||
@{MOUNTS}/*/dists/**/binary-*/Packages{,.gz} r,
|
||||
@{MOUNTS}/*/dists/**/i18n/Translation-en{,.gz} r,
|
||||
@{MOUNTS}/ r,
|
||||
@{MOUNTS}/**/ r,
|
||||
@{MOUNTS}/.disk/info r,
|
||||
@{MOUNTS}/dists/**/binary-*/Packages{,.gz} r,
|
||||
@{MOUNTS}/dists/**/i18n/Translation-en{,.gz} r,
|
||||
|
||||
/var/lib/apt/lists/** rw,
|
||||
|
||||
|
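Review bot: The `@{MOUNTS}` rules that presumably form the new side of this hunk (`@{MOUNTS}/ r,`, `@{MOUNTS}/**/ r,`, `@{MOUNTS}/.disk/info r,`, `@{MOUNTS}/dists/**/...`) only address the per-device directory if the `@{MOUNTS}` tunable itself expands to `/media/*/`-style paths, and that definition is not on the page. If the tunable names only the mount roots, dropping the `*/` component moves the rules one level up the tree rather than being a no-op rewrite, so a one-line comment tying the rules to the tunable would help future readers: `# @{MOUNTS} already expands to the per-device mount directory (see tunables)`. The same rewrite appears in the gnome-disk-image-mounter, gnome-music, gnome-photos-thumbnailer, tracker-extract and tracker-miner hunks of this commit. apt-cdrom is flags=(complain), so a mismatch here would only be logged, not enforced.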
@ -10,6 +10,7 @@ include <tunables/global>
|
||||
@{exec_path} += @{libexec}/ibus-x11
|
||||
profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
@ -22,16 +23,12 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
|
||||
|
||||
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
|
||||
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
|
||||
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
|
||||
owner @{run}/user/@{uid}/bus rw,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
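Review bot: The added `include <abstractions/dbus-session-strict>` is designed to permit only opening the session bus socket and the bookkeeping calls to org.freedesktop.DBus itself; it does not grant ibus-x11 any `dbus (send, receive)` traffic to other peers, and neither hunk adds such a rule. If the profile has no `dbus bus=session ...` rules outside the visible lines, calls to the ibus daemon would still be denied, so this is worth confirming against the audit log rather than assuming the include is sufficient. If `owner @{run}/user/@{uid}/bus rw,` survives on the new side of the second hunk, it duplicates what the abstraction already provides and can be dropped. The same consideration applies to the `dbus-session-strict`/`dbus-strict` includes added to gdm-x-session. The profile body continues outside the hunk.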
@ -9,6 +9,7 @@ include <tunables/global>
|
||||
@{exec_path} = @{libexec}/xdg-desktop-portal
|
||||
profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-network-manager-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf-write>
|
||||
|
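Review bot: The line added to the xdg-desktop-portal header cannot be identified from the page because the +/- markers are lost, but by the commit title it is presumably `include <abstractions/dconf-write>`. xdg-desktop-portal brokers requests from sandboxed applications to the host, so a write-capable dconf abstraction in this profile deserves a comment naming which portal backend needs it (the Settings portal interface is read-only), e.g. `# dconf-write: needed by <backend> — confirm against the denial log`. If only read accesses were observed when profiling, the read-only `abstractions/dconf` would be the narrower choice.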
@ -9,6 +9,8 @@ include <tunables/global>
|
||||
@{exec_path} = @{libexec}/gdm-x-session
|
||||
profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
|
||||
signal (receive) set=term peer=gdm{,-session-worker},
|
||||
# signal (send) set=term peer=unconfined,
|
||||
|
@ -9,6 +9,7 @@ include <tunables/global>
|
||||
@{exec_path} = @{libexec}/gnome-control-center-print-renderer
|
||||
profile gnome-control-center-print-renderer @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
@ -34,6 +35,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
|
||||
owner @{user_share_dirs}/icons/{,**} r,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/comm r,
|
||||
|
@ -21,7 +21,7 @@ profile gnome-disk-image-mounter @{exec_path} {
|
||||
|
||||
# Allow to mount user files
|
||||
owner @{HOME}/{,**} r,
|
||||
owner @{MOUNTS}/*/{,**} r,
|
||||
owner @{MOUNTS}/{,**} r,
|
||||
owner /tmp/*/{,**} r,
|
||||
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
@ -39,7 +39,7 @@ profile gnome-music @{exec_path} {
|
||||
/etc/machine-id r,
|
||||
|
||||
owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} r,
|
||||
owner @{MOUNTS}/*/@{XDG_MUSIC_DIR}/{,**} r,
|
||||
owner @{MOUNTS}/@{XDG_MUSIC_DIR}/{,**} r,
|
||||
|
||||
owner @{user_cache_dirs}/gnome-music/{,**} rwk,
|
||||
owner @{user_cache_dirs}/media-art/album-*.jpeg rw,
|
||||
|
@ -16,7 +16,7 @@ profile gnome-photos-thumbnailer @{exec_path} {
|
||||
/usr/share/mime/mime.cache r,
|
||||
|
||||
owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} r,
|
||||
owner @{MOUNTS}/*/@{XDG_PICTURES_DIR}/{,**} r,
|
||||
owner @{MOUNTS}/@{XDG_PICTURES_DIR}/{,**} r,
|
||||
|
||||
owner @{user_cache_dirs}/babl/{,**} r,
|
||||
owner @{user_cache_dirs}/gegl-*/{,**} r,
|
||||
|
@ -14,7 +14,6 @@ profile gnome-shell-hotplug-sniffer @{exec_path} {
|
||||
|
||||
/usr/share/mime/mime.cache r,
|
||||
|
||||
owner @{MOUNTS}/*/ r,
|
||||
owner @{MOUNTS}/**/ r,
|
||||
owner @{MOUNTS}/** r,
|
||||
|
||||
|
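Review bot: If both `owner @{MOUNTS}/**/ r,` and `owner @{MOUNTS}/** r,` remain on the new side, the first is redundant: `**` matches any characters including `/`, so `@{MOUNTS}/**` already covers every directory path below the mount point, and the pair can collapse to the project's usual `owner @{MOUNTS}/{,**} r,` form if the mount directory itself must also be readable. Which of the three `@{MOUNTS}` lines this hunk removes is not recoverable from the page; this note assumes the `*/` variant is the one dropped, in line with the other `@{MOUNTS}` hunks in the commit.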
@ -9,7 +9,8 @@ include <tunables/global>
|
||||
@{exec_path} = /{usr/,}bin/gnome-system-monitor
|
||||
profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
@ -35,8 +36,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/doc/ rw,
|
||||
|
||||
@{run}/systemd/sessions/* r,
|
||||
|
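Review bot: The new header lists both `include <abstractions/dconf>` and `include <abstractions/dconf-write>`; the telegram-desktop and light-locker hunks of this commit drop `abstractions/dconf` together with the two `@{run}/user/@{uid}/dconf/...` rules when `dconf-write` is added, which suggests `dconf-write` already pulls in `dconf`. If that is the case, the plain `dconf` include here is redundant and should go, which would also restore the alphabetical order of the include list (`dconf` currently sits between `base` and `dbus-session-strict`). The second hunk presumably removes `owner @{run}/user/@{uid}/dconf/ rw,` and `owner @{run}/user/@{uid}/dconf/user rw,` for the same reason; `owner @{run}/user/@{uid}/doc/ rw,` is unrelated to dconf and should stay.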
@ -40,7 +40,7 @@ profile tracker-extract @{exec_path} {
|
||||
|
||||
# Allow to search user files
|
||||
owner @{HOME}/{,**} r,
|
||||
owner @{MOUNTS}/*/{,**} r,
|
||||
owner @{MOUNTS}/{,**} r,
|
||||
owner /tmp/*/{,**} r,
|
||||
|
||||
owner /tmp/tracker-extract-3-files.*/{,*} rw,
|
||||
|
@ -44,7 +44,7 @@ profile tracker-miner @{exec_path} {
|
||||
|
||||
# Allow to search user files
|
||||
owner @{HOME}/{,**} r,
|
||||
owner @{MOUNTS}/*/{,**} r,
|
||||
owner @{MOUNTS}/{,**} r,
|
||||
owner /tmp/*/{,**} r,
|
||||
|
||||
owner @{user_config_dirs}/tracker3/{,**} rwk,
|
||||
|
@ -9,6 +9,7 @@ include <tunables/global>
|
||||
@{exec_path} = /{usr/,}bin/light-locker
|
||||
profile light-locker @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/X>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/fonts>
|
||||
@ -27,10 +28,6 @@ profile light-locker @{exec_path} {
|
||||
# when locking the screen and switching/closing sessions
|
||||
@{run}/systemd/sessions/* r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
@{sys}/devices/pci[0-9]*/**/uevent r,
|
||||
@{sys}/devices/pci[0-9]*/**/vendor r,
|
||||
@{sys}/devices/pci[0-9]*/**/device r,
|
||||
|