feat(profile): general update
This commit is contained in:
parent
e41c5f6055
commit
693259d8c1
22 changed files with 42 additions and 25 deletions
|
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/apt-extracttemplates
|
||||
@{exec_path} = @{bin}/apt-extracttemplates @{lib}/apt/apt-extracttemplates
|
||||
profile apt-extracttemplates @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
|
|
@ -34,6 +34,7 @@ profile dpkg-preconfigure @{exec_path} {
|
|||
@{bin}/dpkg rPx -> child-dpkg,
|
||||
@{bin}/apt-extracttemplates rPx,
|
||||
@{bin}/whiptail rPx,
|
||||
@{lib}/apt/apt-extracttemplates rPx,
|
||||
|
||||
/usr/share/debconf/confmodule r,
|
||||
|
||||
|
|
|
@ -46,6 +46,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/ r,
|
||||
@{att}/ r,
|
||||
owner @{att}// r,
|
||||
owner @{att}/.flatpak-info r,
|
||||
|
||||
owner @{user_config_dirs}/pipewire/{,**} r,
|
||||
|
|
|
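Review bot: `owner @{att}// r,` in the pipewire hunk has a doubled slash after `@{att}`, which reads like a typo: `@{att}/ r,` is already granted by the line directly above it, without the `owner` restriction, so as written the rule is either redundant or missing the path component it was meant to name. If a specific file or directory under the attach_disconnected root was intended, `owner @{att}/<name> r,` with the real name is the fix; otherwise the line can be dropped. Whether this line is the one the commit adds cannot be told from the rendered view, since the +/- markers are lost.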
@ -28,6 +28,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{att}/@{HOME}/.var/app/** r,
|
||||
owner @{HOME}/.var/app/*/.local/share/*/logs/* rw,
|
||||
owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw,
|
||||
|
||||
|
|
|
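Review bot: `owner @{att}/@{HOME}/.var/app/** r,` grants xdg-dbus-proxy read access to the private data directory of every Flatpak application, which is far wider than the per-app `logs/*` and `usr/.ref` rules beside it. If the proxy only needs the few files it actually opens there, narrowing the path to those keeps the rule in step with the more specific neighbours; if the whole tree really is needed, a one-line comment above the rule such as `# Runs inside the app's sandbox view; reads the whole app dir` would record why. Which of these lines the commit adds is not recoverable here because the markers are lost.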
@ -77,11 +77,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{gdm_config_dirs}/dconf/user r,
|
||||
owner @{gdm_config_dirs}/user-dirs.dirs r,
|
||||
|
||||
|
||||
@{user_config_dirs}/kioslaverc r,
|
||||
owner @{user_config_dirs}/xdg-desktop-portal/* r,
|
||||
|
||||
owner @{tmp}/icon* rw,
|
||||
owner @{tmp}/icon@{rand6} rw,
|
||||
|
||||
owner @{run}/user/@{uid}/.flatpak/{,*/*} r,
|
||||
|
||||
|
|
|
@ -43,7 +43,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_share_dirs}/flatpak/db/ rw,
|
||||
owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
|
||||
owner @{user_share_dirs}/flatpak/db/background rw,
|
||||
owner @{user_share_dirs}/flatpak/db/desktop-used-apps r,
|
||||
owner @{user_share_dirs}/flatpak/db/desktop-used-apps rw,
|
||||
owner @{user_share_dirs}/flatpak/db/devices rw,
|
||||
owner @{user_share_dirs}/flatpak/db/documents rw,
|
||||
owner @{user_share_dirs}/flatpak/db/notifications rw,
|
||||
|
|
|
@ -107,6 +107,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner @{user_cache_dirs}/ w,
|
||||
|
||||
@{run}/cockpit/active.issue r,
|
||||
@{run}/cockpit/inactive.motd r,
|
||||
owner @{run}/systemd/seats/seat@{int} r,
|
||||
owner @{run}/user/@{uid}/keyring/control rw,
|
||||
|
|
|
@ -74,8 +74,11 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
owner @{tmp}/#@{int} rw,
|
||||
owner @{tmp}/konsole.@{rand6} rw,
|
||||
|
||||
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/** rw,
|
||||
|
||||
@{PROC}/@{pid}/cmdline r,
|
||||
@{PROC}/@{pid}/stat r,
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
|
||||
/dev/ptmx rw,
|
||||
|
||||
|
|
|
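Review bot: `@{PROC}/@{pid}/cmdline r,` and `@{PROC}/@{pid}/stat r,` carry no `owner` qualifier, unlike the `owner @{PROC}/@{pid}/cgroup r,` line right after them, so konsole may read the command line of any process on the system, and command lines regularly carry secrets passed as arguments. If these are read for the shells konsole itself spawns, `owner @{PROC}/@{pid}/cmdline r,` and `owner @{PROC}/@{pid}/stat r,` would be enough and would match the style of the cgroup line. The `owner @{sys}/fs/cgroup/.../app-org.kde.konsole-@{int}.scope/** rw,` line would also benefit from a comment naming what konsole writes there, since `rw` on cgroup control files is more than reading its own placement.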
@ -21,6 +21,8 @@ profile xembedsniproxy @{exec_path} {
|
|||
|
||||
owner @{tmp}/xauth_@{rand6} r,
|
||||
|
||||
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
|
||||
|
||||
@{run}/user/@{uid}/xauth_@{rand6} rl,
|
||||
|
||||
include if exists <local/xembedsniproxy>
|
||||
|
|
|
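Review bot: `@{run}/user/@{uid}/xauth_@{rand6} rl,` lacks the `owner` qualifier that the neighbouring `owner @{run}/user/@{uid}/iceauth_@{rand6} r,` and `owner @{tmp}/xauth_@{rand6} r,` carry, and it is the only one of the three that also grants `l`. The file holds the X authority cookie, so the consistent form is `owner @{run}/user/@{uid}/xauth_@{rand6} rl,`, and a short comment on why link permission is needed here, when the other xauth rule is read-only, would help the next reader. Which of these lines the commit adds cannot be told from the rendered view.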
@ -99,6 +99,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/update-grub rPx,
|
||||
@{bin}/update-mime-database rPx,
|
||||
@{bin}/vercmp rix,
|
||||
@{bin}/which rix,
|
||||
@{bin}/xmlcatalog rix,
|
||||
@{lib}/systemd/systemd-* rPx,
|
||||
@{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rix,
|
||||
|
@ -198,6 +199,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
|
|||
signal receive set=winch peer=makepkg//sudo,
|
||||
|
||||
@{pager_path} rPx -> child-pager,
|
||||
@{bin}/systemd-tty-ask-password-agent rPx,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
|
|
|
@ -46,7 +46,7 @@ profile pacman-hook-systemd @{exec_path} {
|
|||
capability net_admin,
|
||||
capability sys_resource,
|
||||
|
||||
signal send set=term peer=systemd-tty-ask-password-agent,
|
||||
signal send set=(cont, term) peer=systemd-tty-ask-password-agent,
|
||||
|
||||
@{bin}/systemd-tty-ask-password-agent Px,
|
||||
|
||||
|
|
|
@ -6,8 +6,7 @@ abi <abi/4.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/openssh/sftp-server
|
||||
@{exec_path} += @{lib}/ssh/sftp-server
|
||||
@{exec_path} = @{lib}/{openssh,ssh}/sftp-server
|
||||
profile sftp-server @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
@ -8,7 +8,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/systemd/systemd-fsck
|
||||
profile systemd-fsck @{exec_path} {
|
||||
profile systemd-fsck @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/disks-read>
|
||||
|
|
|
@ -51,12 +51,12 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/networkd-dispatcher/carrier.d/{,*} r,
|
||||
|
||||
@{att}/ r,
|
||||
@{att}/@{run}/systemd/notify rw,
|
||||
|
||||
owner @{att}/var/lib/systemd/network/ r,
|
||||
|
||||
@{run}/systemd/network/ r,
|
||||
@{run}/systemd/network/*.network r,
|
||||
@{run}/systemd/notify rw,
|
||||
owner @{run}/systemd/netif/** rw,
|
||||
|
||||
@{run}/udev/data/n@{int} r,
|
||||
|
|
|
@ -8,7 +8,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/systemd/systemd-rfkill
|
||||
profile systemd-rfkill @{exec_path} {
|
||||
profile systemd-rfkill @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/common/systemd>
|
||||
|
||||
|
|
|
@ -36,11 +36,12 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/motd.d/ r,
|
||||
/etc/shells r,
|
||||
|
||||
@{att}/@{run}/systemd/sessions/*.ref rw,
|
||||
|
||||
@{run}/cockpit/active.motd r,
|
||||
@{run}/cockpit/inactive.motd r,
|
||||
@{run}/faillock/@{user} rwk,
|
||||
@{run}/motd.d/{,*} r,
|
||||
@{run}/systemd/sessions/*.ref rw,
|
||||
@{run}/utmp rwk,
|
||||
|
||||
/var/log/btmp rw,
|
||||
|
|
|
@ -9,9 +9,11 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/cockpit/cockpit-ws
|
||||
profile cockpit-ws @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{sh_path} rix,
|
||||
@{lib}/cockpit/cockpit-session rPx,
|
||||
|
||||
/usr/share/cockpit/{,**} r,
|
||||
|
|
|
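Review bot: `@{sh_path} rix,` gives cockpit-ws, the network-facing web front end, an inherited shell running under the full cockpit-ws rule set, so whatever that shell is used for gets every permission the profile grants. If the shell is only a wrapper that ends up launching `cockpit-session` (the next line already transitions it with `rPx`), a comment above the rule naming the invocation would justify the inherit; if a specific script is run, a child profile would be the tighter form. Which of the two lines the commit adds is not recoverable from the rendered view.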
@ -33,15 +33,9 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
|
|||
network netlink raw,
|
||||
|
||||
mount /tmp/containerd-mount@{int}/,
|
||||
mount /var/lib/docker/buildkit/**/,
|
||||
mount /var/lib/docker/overlay2/**/,
|
||||
mount /var/lib/docker/tmp/buildkit-mount@{int}/,
|
||||
mount fstype=overlay overlay -> /var/lib/docker/rootfs/overlayfs/@{hex64}/,
|
||||
mount /var/lib/docker/**/,
|
||||
mount options=(rw bind) -> /run/docker/netns/*,
|
||||
mount options=(rw rbind) -> /var/lib/docker/tmp/docker-builder@{int}/,
|
||||
mount options=(rw rbind) /var/lib/docker/volumes/**/- -> /var/lib/docker/rootfs/overlayfs/**/,
|
||||
mount options=(rw rprivate) -> /.pivot_root@{int}/,
|
||||
mount options=(rw rprivate) -> /var/lib/docker/rootfs/overlayfs/@{hex64}/var/lib/buildkit/,
|
||||
mount options=(rw rslave) -> /,
|
||||
|
||||
remount /tmp/containerd-mount@{int10}/,
|
||||
|
@ -90,6 +84,9 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
|
|||
owner /var/lib/docker/{,**} rwk,
|
||||
owner /var/lib/docker/tmp/qemu-check@{int}/check rix,
|
||||
|
||||
/tmp/build/ w,
|
||||
/tmp/containerd-mount@{int10}/{,**} rw,
|
||||
|
||||
owner @{run}/docker/ rw,
|
||||
owner @{run}/docker/** rwlk,
|
||||
owner @{run}/docker.pid rw,
|
||||
|
|
|
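Review bot: `/tmp/build/ w,` in the second dockerd hunk is a fixed name in the world-writable `/tmp` with no `owner` qualifier, and `/tmp/containerd-mount@{int10}/{,**} rw,` is in the same position; a directory pre-created at either name by another local user matches the rule as written, whereas `owner` on both would not, and would keep them in line with the `owner /var/lib/docker/...` rules above. A comment saying which dockerd component creates `/tmp/build/` would also help, as the name does not appear elsewhere in the hunk. In the first hunk, `mount /var/lib/docker/**/,` stands in for several specific targets; where the filesystem type is known (the overlay line keeps `fstype=overlay`), carrying an fstype on the consolidated rule is worth considering.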
@ -13,9 +13,11 @@ profile mullvad-setup @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
|
||||
@{sys}/fs/cgroup/user.slice/cpu.max r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
|
||||
|
||||
@{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
|
|
|
@ -20,9 +20,9 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
|
|||
capability kill,
|
||||
capability sys_ptrace,
|
||||
|
||||
ptrace (read),
|
||||
ptrace read,
|
||||
|
||||
mqueue (r,getattr) type=posix /,
|
||||
mqueue r type=posix /,
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
|
@ -43,6 +43,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
|
|||
@{lib}/needrestart/* rPx,
|
||||
/usr/share/debconf/frontend rix,
|
||||
|
||||
@{att}/@{lib}/python3.@{int}/** r,
|
||||
|
||||
/usr/share/needrestart/{,**} r,
|
||||
/usr/share/unattended-upgrades/unattended-upgrade-shutdown r,
|
||||
|
||||
|
@ -60,6 +62,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
|
|||
owner /var/lib/juju/agents/{,**} r,
|
||||
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
|
||||
|
||||
/tmp/@{word10}/ rw,
|
||||
|
||||
owner @{run}/sshd.pid r,
|
||||
|
||||
@{PROC}/ r,
|
||||
|
|
|
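Review bot: `/tmp/@{word10}/ rw,` has no `owner` qualifier, so needrestart, which per the first hunk also holds `capability sys_ptrace` and `ptrace read`, gets read/write on any ten-character-named directory under the world-writable `/tmp`, including one pre-created by another local user. `owner /tmp/@{word10}/ rw,` plus a comment naming the tool that creates the directory would narrow it, and the blank-line placement suggests a dedicated comment line above it fits the profile's layout. In the first hunk, if `mqueue r type=posix /,` is the new line then `getattr` is no longer granted; worth confirming that was intended rather than lost in the syntax cleanup.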
@ -12,6 +12,8 @@ profile update-alternatives @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
capability dac_override,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/* w,
|
||||
|
|
|
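Review bot: `capability dac_override,` is added without a comment saying which operation needs it; together with `@{bin}/* w,` it lets update-alternatives bypass DAC permission bits on every path its file rules cover, which is a significant grant for a tool that normally runs as root on root-owned files anyway. A one-line note above the capability, for instance `# Needed to replace alternatives not owned by root (TODO: record the denial)`, would let a later reader tell that the grant is deliberate and what would allow removing it. Whether the capability is the added line cannot be told from the rendered view.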
@ -31,7 +31,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
|
|||
@{exec_path} rix,
|
||||
|
||||
@{sh_path} rix,
|
||||
@{bin}/python3.@{int} r,
|
||||
@{bin}/python3.@{int} rix,
|
||||
@{lib}/python3.@{int}/site-packages/__pycache__/guestfs.cpython-@{int}.pyc.@{int} w,
|
||||
|
||||
@{bin}/ r,
|
||||
|
|