mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-18 00:48:10 +01:00
feat(profile): general update.
This commit is contained in:
Alexandre Pujol
parent
ef1776b8d5
commit
6a81d335f8
10 changed files with 19 additions and 45 deletions
|
|
@ -12,22 +12,16 @@
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/dbus-session>
|
include <abstractions/dbus-session>
|
||||||
include <abstractions/deny-sensitive-home>
|
include <abstractions/deny-sensitive-home>
|
||||||
|
include <abstractions/desktop>
|
||||||
include <abstractions/devices-usb>
|
include <abstractions/devices-usb>
|
||||||
include <abstractions/disks-read>
|
include <abstractions/disks-read>
|
||||||
include <abstractions/dri-common>
|
include <abstractions/graphics>
|
||||||
include <abstractions/dri-enumerate>
|
|
||||||
include <abstractions/gnome-strict>
|
|
||||||
include <abstractions/gstreamer>
|
include <abstractions/gstreamer>
|
||||||
include <abstractions/mesa>
|
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/opencl-intel>
|
|
||||||
include <abstractions/opencl-mesa>
|
|
||||||
include <abstractions/opencl-nvidia>
|
|
||||||
include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
include <abstractions/p11-kit>
|
include <abstractions/p11-kit>
|
||||||
include <abstractions/ssl_certs>
|
include <abstractions/ssl_certs>
|
||||||
include <abstractions/video>
|
include <abstractions/video>
|
||||||
include <abstractions/vulkan>
|
|
||||||
|
|
||||||
/usr/** r,
|
/usr/** r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -16,20 +16,15 @@
|
||||||
|
|
||||||
include <abstractions/audio>
|
include <abstractions/audio>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
|
include <abstractions/desktop>
|
||||||
include <abstractions/devices-usb>
|
include <abstractions/devices-usb>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/fonts>
|
include <abstractions/graphics-full>
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/gtk>
|
|
||||||
include <abstractions/mesa>
|
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/opencl>
|
|
||||||
include <abstractions/ssl_certs>
|
include <abstractions/ssl_certs>
|
||||||
include <abstractions/thumbnails-cache-read>
|
include <abstractions/thumbnails-cache-read>
|
||||||
include <abstractions/user-download-strict>
|
include <abstractions/user-download-strict>
|
||||||
include <abstractions/user-read>
|
include <abstractions/user-read>
|
||||||
include <abstractions/vulkan>
|
|
||||||
include <abstractions/wayland>
|
|
||||||
|
|
||||||
# userns,
|
# userns,
|
||||||
|
|
||||||
|
|
@ -97,7 +92,6 @@
|
||||||
/usr/share/chromium/extensions/{,**} r,
|
/usr/share/chromium/extensions/{,**} r,
|
||||||
/usr/share/egl/{,**} r,
|
/usr/share/egl/{,**} r,
|
||||||
/usr/share/hwdata/pnp.ids r,
|
/usr/share/hwdata/pnp.ids r,
|
||||||
/usr/share/libdrm/*.ids r,
|
|
||||||
/usr/share/mozilla/extensions/{,**} r,
|
/usr/share/mozilla/extensions/{,**} r,
|
||||||
/usr/share/qt{5,}/translations/*.qm r,
|
/usr/share/qt{5,}/translations/*.qm r,
|
||||||
/usr/share/webext/{,**} r,
|
/usr/share/webext/{,**} r,
|
||||||
|
|
@ -105,7 +99,6 @@
|
||||||
/etc/@{name}/{,**} r,
|
/etc/@{name}/{,**} r,
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
/etc/igfx_user_feature{,_next}.txt w,
|
/etc/igfx_user_feature{,_next}.txt w,
|
||||||
/etc/libva.conf r,
|
|
||||||
/etc/opensc.conf r,
|
/etc/opensc.conf r,
|
||||||
|
|
||||||
/var/lib/dbus/machine-id r,
|
/var/lib/dbus/machine-id r,
|
||||||
|
|
@ -119,10 +112,7 @@
|
||||||
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
|
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
|
||||||
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
|
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/ rw,
|
|
||||||
owner @{user_config_dirs}/ r,
|
|
||||||
owner @{user_config_dirs}/gtk-3.0/servers r,
|
owner @{user_config_dirs}/gtk-3.0/servers r,
|
||||||
owner @{user_share_dirs}/ r,
|
|
||||||
owner @{user_share_dirs}/.@{domain}.* rw,
|
owner @{user_share_dirs}/.@{domain}.* rw,
|
||||||
|
|
||||||
owner @{config_dirs}/ rw,
|
owner @{config_dirs}/ rw,
|
||||||
|
|
@ -182,20 +172,16 @@
|
||||||
|
|
||||||
@{sys}/bus/ r,
|
@{sys}/bus/ r,
|
||||||
@{sys}/bus/**/devices/ r,
|
@{sys}/bus/**/devices/ r,
|
||||||
@{sys}/class/ r,
|
|
||||||
@{sys}/class/**/ r,
|
@{sys}/class/**/ r,
|
||||||
@{sys}/devices/**/uevent r,
|
@{sys}/devices/**/uevent r,
|
||||||
@{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r,
|
@{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r,
|
||||||
@{sys}/devices/@{pci}/boot_vga r,
|
@{sys}/devices/@{pci}/boot_vga r,
|
||||||
@{sys}/devices/@{pci}/{resource,irq} r,
|
|
||||||
@{sys}/devices/@{pci}/report_descriptor r,
|
@{sys}/devices/@{pci}/report_descriptor r,
|
||||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r,
|
|
||||||
@{sys}/devices/system/cpu/kernel_max r,
|
@{sys}/devices/system/cpu/kernel_max r,
|
||||||
@{sys}/devices/system/cpu/present r,
|
|
||||||
@{sys}/devices/virtual/**/report_descriptor r,
|
@{sys}/devices/virtual/**/report_descriptor r,
|
||||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||||
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||||
@{sys}/devices/virtual/tty/tty[0-9]/active r,
|
@{sys}/devices/virtual/tty/tty@{int}/active r,
|
||||||
|
|
||||||
/dev/ r,
|
/dev/ r,
|
||||||
/dev/hidraw@{int} rw,
|
/dev/hidraw@{int} rw,
|
||||||
|
|
|
||||||
|
|
@ -27,7 +27,7 @@
|
||||||
#owner /tmp/orcexec.* mrw,
|
#owner /tmp/orcexec.* mrw,
|
||||||
#owner @{HOME}/orcexec.* mrw,
|
#owner @{HOME}/orcexec.* mrw,
|
||||||
|
|
||||||
@{run}/udev/data/+drm:card[0-9]-* r, # For screen outputs
|
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
|
||||||
@{run}/udev/data/+usb:* r, # For /dev/bus/usb/**
|
@{run}/udev/data/+usb:* r, # For /dev/bus/usb/**
|
||||||
|
|
||||||
@{run}/udev/data/c81:@{int} r, # For video4linux
|
@{run}/udev/data/c81:@{int} r, # For video4linux
|
||||||
|
|
|
||||||
|
|
@ -5,7 +5,6 @@
|
||||||
|
|
||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# new user; change to 'c'
|
|
||||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/ w,
|
owner @{HOME}/@{XDG_DESKTOP_DIR}/ w,
|
||||||
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ w,
|
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ w,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -16,20 +16,14 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/dbus-session>
|
include <abstractions/dbus-session>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
|
include <abstractions/desktop>
|
||||||
include <abstractions/devices-usb>
|
include <abstractions/devices-usb>
|
||||||
include <abstractions/dri-common>
|
include <abstractions/graphics>
|
||||||
include <abstractions/dri-enumerate>
|
|
||||||
include <abstractions/gnome-strict>
|
|
||||||
include <abstractions/mesa>
|
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/opencl-intel>
|
|
||||||
include <abstractions/opencl-mesa>
|
|
||||||
include <abstractions/opencl-nvidia>
|
|
||||||
include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
include <abstractions/p11-kit>
|
include <abstractions/p11-kit>
|
||||||
include <abstractions/ssl_certs>
|
include <abstractions/ssl_certs>
|
||||||
include <abstractions/video>
|
include <abstractions/video>
|
||||||
include <abstractions/vulkan>
|
|
||||||
include <abstractions/zsh>
|
include <abstractions/zsh>
|
||||||
|
|
||||||
capability dac_override,
|
capability dac_override,
|
||||||
|
|
|
||||||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
||||||
@{exec_path} = @{bin}/xdg-user-dirs-update
|
@{exec_path} = @{bin}/xdg-user-dirs-update
|
||||||
profile xdg-user-dirs-update @{exec_path} {
|
profile xdg-user-dirs-update @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/xdg-desktop>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
|
@ -39,7 +40,6 @@ profile xdg-user-dirs-update @{exec_path} {
|
||||||
/var/lib/sddm/@{XDG_TEMPLATES_DIR}/ rw,
|
/var/lib/sddm/@{XDG_TEMPLATES_DIR}/ rw,
|
||||||
/var/lib/sddm/@{XDG_VIDEOS_DIR}/ rw,
|
/var/lib/sddm/@{XDG_VIDEOS_DIR}/ rw,
|
||||||
|
|
||||||
# new user; change to 'c'
|
|
||||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/ w,
|
owner @{HOME}/@{XDG_DESKTOP_DIR}/ w,
|
||||||
owner @{HOME}/@{XDG_DOCUMENTS_DIR}/ w,
|
owner @{HOME}/@{XDG_DOCUMENTS_DIR}/ w,
|
||||||
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ w,
|
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ w,
|
||||||
|
|
@ -48,7 +48,6 @@ profile xdg-user-dirs-update @{exec_path} {
|
||||||
owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/ w,
|
owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/ w,
|
||||||
owner @{HOME}/@{XDG_TEMPLATES_DIR}/ w,
|
owner @{HOME}/@{XDG_TEMPLATES_DIR}/ w,
|
||||||
owner @{HOME}/@{XDG_VIDEOS_DIR}/ w,
|
owner @{HOME}/@{XDG_VIDEOS_DIR}/ w,
|
||||||
owner @{user_config_dirs}/ w,
|
|
||||||
|
|
||||||
owner @{user_config_dirs}/user-dirs.dirs rw,
|
owner @{user_config_dirs}/user-dirs.dirs rw,
|
||||||
owner @{user_config_dirs}/user-dirs.dirs@{rand6} rw,
|
owner @{user_config_dirs}/user-dirs.dirs@{rand6} rw,
|
||||||
|
|
|
||||||
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = @{bin}/gnome-music
|
@{exec_path} = @{bin}/gnome-music
|
||||||
profile gnome-music @{exec_path} {
|
profile gnome-music @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/audio>
|
include <abstractions/audio>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
|
|
@ -48,6 +48,7 @@ profile gnome-music @{exec_path} {
|
||||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||||
|
|
||||||
owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,
|
owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,
|
||||||
|
owner /var/tmp/etilqs_@{hex} rw,
|
||||||
|
|
||||||
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
|
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
|
||||||
owner @{PROC}/@{pid}/cmdline r,
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
|
|
|
||||||
|
|
@ -12,6 +12,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/bus-accessibility>
|
include <abstractions/bus-accessibility>
|
||||||
include <abstractions/bus-session>
|
include <abstractions/bus-session>
|
||||||
include <abstractions/bus-system>
|
include <abstractions/bus-system>
|
||||||
|
include <abstractions/bus/com.canonical.Unity.LauncherEntry>
|
||||||
include <abstractions/bus/org.a11y>
|
include <abstractions/bus/org.a11y>
|
||||||
include <abstractions/bus/org.freedesktop.hostname1>
|
include <abstractions/bus/org.freedesktop.hostname1>
|
||||||
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
||||||
|
|
@ -69,11 +70,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
||||||
member=Print
|
member=Print
|
||||||
peer=(name=:*, label=nautilus),
|
peer=(name=:*, label=nautilus),
|
||||||
|
|
||||||
dbus send bus=session path=/com/canonical/unity/launcherentry/@{int}
|
|
||||||
interface=com.canonical.Unity.LauncherEntry
|
|
||||||
member=Update
|
|
||||||
peer=(name=org.freedesktop.DBus, label=gnome-shell),
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/DBus
|
dbus send bus=session path=/org/freedesktop/DBus
|
||||||
interface=org.freedesktop.DBus
|
interface=org.freedesktop.DBus
|
||||||
member=ListActivatableNames
|
member=ListActivatableNames
|
||||||
|
|
|
||||||
|
|
@ -22,9 +22,9 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
/etc/netplan/{,*} r,
|
/etc/netplan/{,*} r,
|
||||||
|
|
||||||
@{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} w,
|
@{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} rw,
|
||||||
@{run}/NetworkManager/system-connections/ r,
|
@{run}/NetworkManager/system-connections/ r,
|
||||||
@{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} w,
|
@{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw,
|
||||||
@{run}/systemd/system/ r,
|
@{run}/systemd/system/ r,
|
||||||
@{run}/systemd/system/netplan-* rw,
|
@{run}/systemd/system/netplan-* rw,
|
||||||
@{run}/systemd/system/systemd-networkd.service.wants/ r,
|
@{run}/systemd/system/systemd-networkd.service.wants/ r,
|
||||||
|
|
@ -51,8 +51,12 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/systemd-common>
|
include <abstractions/systemd-common>
|
||||||
|
|
||||||
|
capability net_admin,
|
||||||
|
|
||||||
@{bin}/systemctl mr,
|
@{bin}/systemctl mr,
|
||||||
|
|
||||||
|
owner @{run}/systemd/private rw,
|
||||||
|
|
||||||
include if exists <local/netplan.script_systemctl>
|
include if exists <local/netplan.script_systemctl>
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
||||||
profile irqbalance @{exec_path} flags=(attach_disconnected) {
|
profile irqbalance @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
|
||||||
|
capability net_admin,
|
||||||
capability setpcap,
|
capability setpcap,
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue