From 6b4ae79806ce743fa4ab1cee6765949d63111e71 Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Fri, 27 May 2022 02:02:28 +0300
Subject: [PATCH] up to date version

---
 apparmor.d/groups/systemd/systemd-logind | 73 ++++++++++++------------
 1 file changed, 36 insertions(+), 37 deletions(-)

diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 230d56a4..e061471f 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -44,6 +44,10 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 @{run}/udev/tags/uaccess/ r,
 @{run}/udev/static_node-tags/uaccess/ r,
+ @{run}/udev/data/+backlight:intel_backlight r,
+ @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs
+ @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
+ @{run}/udev/data/+pci* r,
 @{run}/udev/data/c10:[0-9]* r,
 @{run}/udev/data/c116:[0-9]* r, # for ALSA
 @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
@@ -55,61 +59,56 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 @{run}/udev/data/c50[0-9]:[0-9]* r,
 @{run}/udev/data/c51[0-9]:[0-9]* r,
- @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
- @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs
- @{run}/udev/data/+backlight:intel_backlight r,
- @{run}/udev/data/+pci* r,
-
+ @{run}/systemd/inhibit/ rw,
+ @{run}/systemd/inhibit/.#* rw,
+ @{run}/systemd/inhibit/[0-9]*{,.ref} rw,
 @{run}/systemd/seats/ rw,
 @{run}/systemd/seats/.#seat* rw,
 @{run}/systemd/seats/seat[0-9]* rw,
- @{run}/systemd/inhibit/ rw,
- @{run}/systemd/inhibit/[0-9]*{,.ref} rw,
- @{run}/systemd/inhibit/.#* rw,
- @{run}/systemd/sessions/ r,
+ @{run}/systemd/sessions/ rw,
 @{run}/systemd/sessions/* rw,
 @{run}/systemd/sessions/*.ref rw,
- @{run}/systemd/users/ rw,
- @{run}/systemd/users/@{uid} rw,
- @{run}/systemd/users/.#* rw,
 @{run}/systemd/userdb/ r,
 @{run}/systemd/userdb/io.systemd.DynamicUser rw,
- @{run}/systemd/notify w,
+ @{run}/systemd/users/ rw,
+ @{run}/systemd/users/.#* rw,
+ @{run}/systemd/users/@{uid} rw,
- /dev/input/event[0-9]* rw, # Input devices (keyboard, mouse, etc)
- /dev/dri/card[0-9]* rw,
- /dev/tty[0-9]* rw,
- /dev/nvme* r,
- /dev/shm/{,**/} r,
- /dev/mqueue/ r,
-
- @{sys}/module/vt/parameters/default_utf8 r,
- @{sys}/fs/cgroup/memory/memory.limit_in_bytes r,
- @{sys}/fs/cgroup/memory.max r,
- @{sys}/devices/virtual/tty/tty[0-9]*/active r,
- @{sys}/devices/**/{uevent,enabled,status} r,
- @{sys}/devices/**/brightness rw,
+ @{run}/systemd/journal/socket rw,
+ @{run}/systemd/notify rw,
 @{sys}/class/drm/ r,
- @{sys}/power/{state,resume_offset,resume,disk} r,
-
- @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
- @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
+ @{sys}/devices/**/{uevent,enabled,status} r,
+ @{sys}/devices/**/brightness rw,
+ @{sys}/devices/virtual/tty/tty[0-9]*/active r,
 @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
 @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r,
+ @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
+ @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
+ @{sys}/fs/cgroup/memory.max r,
+ @{sys}/fs/cgroup/memory/memory.limit_in_bytes r,
+ @{sys}/module/vt/parameters/default_utf8 r,
+ @{sys}/power/{state,resume_offset,resume,disk} r,
- @{PROC}/@{pids}/cgroup r,
- @{PROC}/@{pids}/comm r,
- @{PROC}/@{pids}/fd/ r,
- @{PROC}/@{pids}/mountinfo r,
- @{PROC}/@{pids}/sessionid r,
- @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/@{pid}/comm r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/mountinfo r,
+ @{PROC}/@{pid}/sessionid r,
+ @{PROC}/@{pid}/stat r,
 @{PROC}/1/cmdline r,
 @{PROC}/swaps r,
 @{PROC}/sysvipc/{shm,sem,msg} r,
+ /dev/dri/card[0-9]* rw,
+ /dev/input/event[0-9]* rw, # Input devices (keyboard, mouse, etc)
+ /dev/mqueue/ r,
+ /dev/nvme* r,
+ /dev/shm/{,**/} rw,
+ /dev/tty[0-9]* rw,
+
 # DBus
- # all members for login related, specific for others
+ # all members for login-related, specific for others
 dbus send bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials,RequestName}" peer=(name="org.freedesktop.DBus"),
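Review bot: `/dev/shm/{,**/}` is widened from `r` to `rw`, and `@{run}/systemd/notify` (`w` → `rw`) and `@{run}/systemd/sessions/` (`r` → `rw`) likewise, inside what otherwise reads as an alphabetical reordering; since the commit message names no motivating denial, each widening deserves a trailing comment such as `# for <audit line it resolves>` or its own commit, because a reviewer diffing a reorder will not spot a one-character permission change. The hunk header shows the profile still carries `flags=(attach_disconnected,complain)`, so none of these grants is enforced yet and an over-broad one will only surface once the profile is moved to enforce mode. The `@{pids}` → `@{pid}` rename on the `@{PROC}` rules changes meaning rather than style: logind resolves D-Bus callers through `GetConnectionUnixProcessID` (visible at the end of this hunk) and then inspects that process's `cgroup`/`sessionid`, so these rules must match foreign PIDs; if the project's `@{pid}` is intended to denote the confined process's own PID, `@{pids}` was the correct variable and the rename should be reverted or justified in a comment. Whether the two variables currently expand to the same numeric glob (making this a no-op today) is inferred rather than visible here, and the hunk's tail after the dbus rule may continue past this excerpt.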