mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-24 11:58:12 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profile): general update

Browse source
This commit is contained in:
Alexandre Pujol 2025-01-20 21:23:31 +01:00
parent e41c5f6055
commit 693259d8c1
Failed to generate hash of commit
22 changed files with 42 additions and 25 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/groups/apt/apt-extracttemplates
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/apt-extracttemplates @{exec_path} = @{bin}/apt-extracttemplates @{lib}/apt/apt-extracttemplates
profile apt-extracttemplates @{exec_path} { profile apt-extracttemplates @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>

1
apparmor.d/groups/apt/dpkg-preconfigure
View file

@ -34,6 +34,7 @@ profile dpkg-preconfigure @{exec_path} {
@{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
@{bin}/apt-extracttemplates rPx, @{bin}/apt-extracttemplates rPx,
@{bin}/whiptail rPx, @{bin}/whiptail rPx,
@{lib}/apt/apt-extracttemplates rPx,
/usr/share/debconf/confmodule r, /usr/share/debconf/confmodule r,

1
apparmor.d/groups/freedesktop/pipewire
View file

@ -46,6 +46,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
/ r, / r,
@{att}/ r, @{att}/ r,
owner @{att}// r,
owner @{att}/.flatpak-info r, owner @{att}/.flatpak-info r,
owner @{user_config_dirs}/pipewire/{,**} r, owner @{user_config_dirs}/pipewire/{,**} r,

1
apparmor.d/groups/freedesktop/xdg-dbus-proxy
View file

@ -28,6 +28,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
owner @{att}/@{HOME}/.var/app/** r,
owner @{HOME}/.var/app/*/.local/share/*/logs/* rw, owner @{HOME}/.var/app/*/.local/share/*/logs/* rw,
owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw,

3
apparmor.d/groups/freedesktop/xdg-desktop-portal
View file

@ -77,11 +77,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/dconf/user r,
owner @{gdm_config_dirs}/user-dirs.dirs r, owner @{gdm_config_dirs}/user-dirs.dirs r,
@{user_config_dirs}/kioslaverc r, @{user_config_dirs}/kioslaverc r,
owner @{user_config_dirs}/xdg-desktop-portal/* r, owner @{user_config_dirs}/xdg-desktop-portal/* r,
owner @{tmp}/icon* rw, owner @{tmp}/icon@{rand6} rw,
owner @{run}/user/@{uid}/.flatpak/{,*/*} r, owner @{run}/user/@{uid}/.flatpak/{,*/*} r,

2
apparmor.d/groups/freedesktop/xdg-permission-store
View file

@ -43,7 +43,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/flatpak/db/ rw, owner @{user_share_dirs}/flatpak/db/ rw,
owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
owner @{user_share_dirs}/flatpak/db/background rw, owner @{user_share_dirs}/flatpak/db/background rw,
owner @{user_share_dirs}/flatpak/db/desktop-used-apps r, owner @{user_share_dirs}/flatpak/db/desktop-used-apps rw,
owner @{user_share_dirs}/flatpak/db/devices rw, owner @{user_share_dirs}/flatpak/db/devices rw,
owner @{user_share_dirs}/flatpak/db/documents rw, owner @{user_share_dirs}/flatpak/db/documents rw,
owner @{user_share_dirs}/flatpak/db/notifications rw, owner @{user_share_dirs}/flatpak/db/notifications rw,

1
apparmor.d/groups/gnome/gdm-session-worker
View file

@ -107,6 +107,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/ w, owner @{user_cache_dirs}/ w,
@{run}/cockpit/active.issue r,
@{run}/cockpit/inactive.motd r, @{run}/cockpit/inactive.motd r,
owner @{run}/systemd/seats/seat@{int} r, owner @{run}/systemd/seats/seat@{int} r,
owner @{run}/user/@{uid}/keyring/control rw, owner @{run}/user/@{uid}/keyring/control rw,

7
apparmor.d/groups/kde/konsole
View file

@ -74,8 +74,11 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{tmp}/#@{int} rw, owner @{tmp}/#@{int} rw,
owner @{tmp}/konsole.@{rand6} rw, owner @{tmp}/konsole.@{rand6} rw,
@{PROC}/@{pid}/cmdline r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/** rw,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/cgroup r,
/dev/ptmx rw, /dev/ptmx rw,

2
apparmor.d/groups/kde/xembedsniproxy
View file

@ -21,6 +21,8 @@ profile xembedsniproxy @{exec_path} {
owner @{tmp}/xauth_@{rand6} r, owner @{tmp}/xauth_@{rand6} r,
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
@{run}/user/@{uid}/xauth_@{rand6} rl, @{run}/user/@{uid}/xauth_@{rand6} rl,
include if exists <local/xembedsniproxy> include if exists <local/xembedsniproxy>

2
apparmor.d/groups/pacman/pacman
View file

@ -99,6 +99,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
@{bin}/update-grub rPx, @{bin}/update-grub rPx,
@{bin}/update-mime-database rPx, @{bin}/update-mime-database rPx,
@{bin}/vercmp rix, @{bin}/vercmp rix,
@{bin}/which rix,
@{bin}/xmlcatalog rix, @{bin}/xmlcatalog rix,
@{lib}/systemd/systemd-* rPx, @{lib}/systemd/systemd-* rPx,
@{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rix, @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rix,
@ -198,6 +199,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
signal receive set=winch peer=makepkg//sudo, signal receive set=winch peer=makepkg//sudo,
@{pager_path} rPx -> child-pager, @{pager_path} rPx -> child-pager,
@{bin}/systemd-tty-ask-password-agent rPx,
/etc/machine-id r, /etc/machine-id r,

2
apparmor.d/groups/pacman/pacman-hook-systemd
View file

@ -46,7 +46,7 @@ profile pacman-hook-systemd @{exec_path} {
capability net_admin, capability net_admin,
capability sys_resource, capability sys_resource,
signal send set=term peer=systemd-tty-ask-password-agent, signal send set=(cont, term) peer=systemd-tty-ask-password-agent,
@{bin}/systemd-tty-ask-password-agent Px, @{bin}/systemd-tty-ask-password-agent Px,

3
apparmor.d/groups/ssh/sftp-server
View file

@ -6,8 +6,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{lib}/openssh/sftp-server @{exec_path} = @{lib}/{openssh,ssh}/sftp-server
@{exec_path} += @{lib}/ssh/sftp-server
profile sftp-server @{exec_path} { profile sftp-server @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>

2
apparmor.d/groups/systemd/systemd-fsck
View file

@ -8,7 +8,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-fsck @{exec_path} = @{lib}/systemd/systemd-fsck
profile systemd-fsck @{exec_path} { profile systemd-fsck @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/disks-read> include <abstractions/disks-read>

2
apparmor.d/groups/systemd/systemd-networkd
View file

@ -51,12 +51,12 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
/etc/networkd-dispatcher/carrier.d/{,*} r, /etc/networkd-dispatcher/carrier.d/{,*} r,
@{att}/ r, @{att}/ r,
@{att}/@{run}/systemd/notify rw,
owner @{att}/var/lib/systemd/network/ r, owner @{att}/var/lib/systemd/network/ r,
@{run}/systemd/network/ r, @{run}/systemd/network/ r,
@{run}/systemd/network/*.network r, @{run}/systemd/network/*.network r,
@{run}/systemd/notify rw,
owner @{run}/systemd/netif/** rw, owner @{run}/systemd/netif/** rw,
@{run}/udev/data/n@{int} r, @{run}/udev/data/n@{int} r,

2
apparmor.d/groups/systemd/systemd-rfkill
View file

@ -8,7 +8,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-rfkill @{exec_path} = @{lib}/systemd/systemd-rfkill
profile systemd-rfkill @{exec_path} { profile systemd-rfkill @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/common/systemd> include <abstractions/common/systemd>

3
apparmor.d/groups/virt/cockpit-session
View file

@ -36,11 +36,12 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
/etc/motd.d/ r, /etc/motd.d/ r,
/etc/shells r, /etc/shells r,
@{att}/@{run}/systemd/sessions/*.ref rw,
@{run}/cockpit/active.motd r, @{run}/cockpit/active.motd r,
@{run}/cockpit/inactive.motd r, @{run}/cockpit/inactive.motd r,
@{run}/faillock/@{user} rwk, @{run}/faillock/@{user} rwk,
@{run}/motd.d/{,*} r, @{run}/motd.d/{,*} r,
@{run}/systemd/sessions/*.ref rw,
@{run}/utmp rwk, @{run}/utmp rwk,
/var/log/btmp rw, /var/log/btmp rw,

2
apparmor.d/groups/virt/cockpit-ws
View file

@ -9,9 +9,11 @@ include <tunables/global>
@{exec_path} = @{lib}/cockpit/cockpit-ws @{exec_path} = @{lib}/cockpit/cockpit-ws
profile cockpit-ws @{exec_path} { profile cockpit-ws @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict>
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix,
@{lib}/cockpit/cockpit-session rPx, @{lib}/cockpit/cockpit-session rPx,
/usr/share/cockpit/{,**} r, /usr/share/cockpit/{,**} r,

11
apparmor.d/groups/virt/dockerd
View file

@ -33,15 +33,9 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
network netlink raw, network netlink raw,
mount /tmp/containerd-mount@{int}/, mount /tmp/containerd-mount@{int}/,
mount /var/lib/docker/buildkit/**/, mount /var/lib/docker/**/,
mount /var/lib/docker/overlay2/**/,
mount /var/lib/docker/tmp/buildkit-mount@{int}/,
mount fstype=overlay overlay -> /var/lib/docker/rootfs/overlayfs/@{hex64}/,
mount options=(rw bind) -> /run/docker/netns/*, mount options=(rw bind) -> /run/docker/netns/*,
mount options=(rw rbind) -> /var/lib/docker/tmp/docker-builder@{int}/,
mount options=(rw rbind) /var/lib/docker/volumes/**/- -> /var/lib/docker/rootfs/overlayfs/**/,
mount options=(rw rprivate) -> /.pivot_root@{int}/, mount options=(rw rprivate) -> /.pivot_root@{int}/,
mount options=(rw rprivate) -> /var/lib/docker/rootfs/overlayfs/@{hex64}/var/lib/buildkit/,
mount options=(rw rslave) -> /, mount options=(rw rslave) -> /,
remount /tmp/containerd-mount@{int10}/, remount /tmp/containerd-mount@{int10}/,
@ -90,6 +84,9 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
owner /var/lib/docker/{,**} rwk, owner /var/lib/docker/{,**} rwk,
owner /var/lib/docker/tmp/qemu-check@{int}/check rix, owner /var/lib/docker/tmp/qemu-check@{int}/check rix,
/tmp/build/ w,
/tmp/containerd-mount@{int10}/{,**} rw,
owner @{run}/docker/ rw, owner @{run}/docker/ rw,
owner @{run}/docker/** rwlk, owner @{run}/docker/** rwlk,
owner @{run}/docker.pid rw, owner @{run}/docker.pid rw,

6
apparmor.d/profiles-m-r/mullvad-setup
View file

@ -13,9 +13,11 @@ profile mullvad-setup @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
@{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,

8
apparmor.d/profiles-m-r/needrestart
View file

@ -20,9 +20,9 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
capability kill, capability kill,
capability sys_ptrace, capability sys_ptrace,
ptrace (read), ptrace read,
mqueue (r,getattr) type=posix /, mqueue r type=posix /,
@{exec_path} mrix, @{exec_path} mrix,
@ -43,6 +43,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
@{lib}/needrestart/* rPx, @{lib}/needrestart/* rPx,
/usr/share/debconf/frontend rix, /usr/share/debconf/frontend rix,
@{att}/@{lib}/python3.@{int}/** r,
/usr/share/needrestart/{,**} r, /usr/share/needrestart/{,**} r,
/usr/share/unattended-upgrades/unattended-upgrade-shutdown r, /usr/share/unattended-upgrades/unattended-upgrade-shutdown r,
@ -60,6 +62,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
owner /var/lib/juju/agents/{,**} r, owner /var/lib/juju/agents/{,**} r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
/tmp/@{word10}/ rw,
owner @{run}/sshd.pid r, owner @{run}/sshd.pid r,
@{PROC}/ r, @{PROC}/ r,

2
apparmor.d/profiles-s-z/update-alternatives
View file

@ -12,6 +12,8 @@ profile update-alternatives @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
capability dac_override,
@{exec_path} mr, @{exec_path} mr,
@{bin}/* w, @{bin}/* w,

2
apparmor.d/profiles-s-z/virt-manager
View file

@ -31,7 +31,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
@{exec_path} rix, @{exec_path} rix,
@{sh_path} rix, @{sh_path} rix,
@{bin}/python3.@{int} r, @{bin}/python3.@{int} rix,
@{lib}/python3.@{int}/site-packages/__pycache__/guestfs.cpython-@{int}.pyc.@{int} w, @{lib}/python3.@{int}/site-packages/__pycache__/guestfs.cpython-@{int}.pyc.@{int} w,
@{bin}/ r, @{bin}/ r,