mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-14 23:43:56 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat(profiles): general update.

Browse Source
This commit is contained in:
Alexandre Pujol 2023-09-12 22:59:07 +01:00
parent 6c397882ad
commit 6db83003c7
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
33 changed files with 98 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apparmor.d/groups/browsers/firefox-glxtest
View File

@ -30,5 +30,7 @@ profile firefox-glxtest @{exec_path} {
@{sys}/bus/pci/devices/ r,
@{sys}/devices/@{pci}/class r,
owner @{PROC}/@{pid}/cmdline r,
include if exists <local/firefox-glxtest>
}

3
apparmor.d/groups/browsers/firefox-pingsender
View File

@ -18,6 +18,9 @@ profile firefox-pingsender @{exec_path} {
include <abstractions/openssl>
include <abstractions/ssl_certs>
network inet stream,
network inet6 stream,
signal (receive) set=(term, kill) peer=firefox,
@{exec_path} mr,

3
apparmor.d/groups/children/child-open
View File

@ -63,6 +63,7 @@ profile child-open {
# Others
@{bin}/*Foliate rPUx,
@{bin}/blueman-tray rPx,
@{bin}/discord{,-ptb} rPx,
@{bin}/draw.io rPUx,
@{bin}/dropbox rPx,
@ -90,7 +91,7 @@ profile child-open {
@{bin}/viewnior rPUx,
@{bin}/vlc rPUx,
@{bin}/xarchiver rPx,
@{bin}/xbrlapi rPx,
@{bin}/xbrlapi rPx,
@{lib}/libreoffice/program/{soffice,soffice.bin,oosplash} rPUx,
include if exists <usr/child-open.d>

6
apparmor.d/groups/freedesktop/pipewire
View File

@ -64,7 +64,8 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
owner @{user_config_dirs}/pipewire/pipewire.conf r,
owner /tmp/librnnoise-[0-9]*.so rm,
owner @{run}/user/@{uid}/pipewire-[0-9]*.lock rwk,
owner @{run}/user/@{uid}/pipewire-@{int} rw,
owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk,
@{run}/udev/data/c81:@{int} r, # For video4linux
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
@ -79,11 +80,12 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
@{sys}/class/ r,
@{sys}/devices/**/device:*/**/path r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,removable,uevent} r,
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,bios_vendor} r,
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,bios_vendor,board_vendor} r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/dev/media@{int} rw,
/dev/video@{int} rw,
include if exists <local/pipewire>
}

1
apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
View File

@ -141,6 +141,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
@{run}/mount/utab r,
owner @{PROC}/@{pid}/ r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/task/@{tid}/ r,
owner @{PROC}/@{pid}/task/@{tid}/status r,

1
apparmor.d/groups/gnome/gdm-wayland-session
View File

@ -70,6 +70,7 @@ profile gdm-wayland-session @{exec_path} {
/usr/share/gdm/gdm.schemas r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/im-config/{,**} r,
/usr/share/libdebuginfod-common/debuginfod.sh r,
/usr/share/xsessions/gnome.desktop r,
@{etc_ro}/profile.d/{,*} r,

4
apparmor.d/groups/gnome/gnome-software
View File

@ -46,7 +46,7 @@ profile gnome-software @{exec_path} {
/usr/share/app-info/{,**} r,
/usr/share/appdata/{,**} r,
/usr/share/metainfo/{,**} r,
/usr/share/swcatalog/xml/{,**} r,
/usr/share/swcatalog/{,**} r,
/usr/share/X11/xkb/{,**} r,
/usr/share/xml/iso-codes/{,**} r,
@ -110,6 +110,8 @@ profile gnome-software @{exec_path} {
@{PROC}/@{pids}/mounts r,
@{PROC}/sys/fs/pipe-max-size r,
@{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/stat r,
/dev/fuse rw,

4
apparmor.d/groups/gnome/kgx
View File

@ -12,12 +12,15 @@ profile kgx @{exec_path} {
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/nvidia>
include <abstractions/vulkan>
include <abstractions/X-strict>
capability sys_ptrace,
@ -38,7 +41,6 @@ profile kgx @{exec_path} {
@{lib}/gio-launch-desktop rPx -> child-open,
/usr/share/themes/{,**} r,
/usr/share/X11/xkb/{,**} r,
owner /tmp/#@{int} rw,

8
apparmor.d/groups/gnome/mutter-x11-frames
View File

@ -20,10 +20,16 @@ profile mutter-x11-frames @{exec_path} {
include <abstractions/nvidia>
include <abstractions/vulkan>
include <abstractions/wayland>
include <abstractions/X-strict>
@{exec_path} mr,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
/usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/var/lib/gdm/.config/dconf/user r,
owner @{PROC}/@{pid}/cmdline r,
include if exists <local/mutter-x11-frames>
}

1
apparmor.d/groups/gnome/nautilus
View File

@ -98,6 +98,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pids}/net/wireless r,
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,

10
apparmor.d/groups/gnome/tracker-extract
View File

@ -13,6 +13,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
include <abstractions/dconf-write>
include <abstractions/deny-sensitive-home>
include <abstractions/disks-read>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gstreamer>
@ -82,6 +83,8 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/usr/share/dconf/profile/gdm r,
/usr/share/drirc.d/{,*.conf} r,
/usr/share/gvfs/remote-volume-monitors/{,*} r,
/usr/share/hwdata/*.ids r,
/usr/share/ladspa/rdf/{,**} r,
/usr/share/mime/mime.cache r,
@ -89,15 +92,11 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
/usr/share/poppler/{,**} r,
/usr/share/tracker3-miners/{,**} r,
/usr/share/tracker3/{,**} r,
/usr/share/gvfs/remote-volume-monitors/{,*} r,
/etc/blkid.conf r,
/etc/fstab r,
/etc/libva.conf r,
# dri-common-strict
/usr/share/drirc.d/{,*.conf} r,
/var/lib/gdm{3,}/.cache/ rw,
/var/lib/gdm{3,}/.cache/tracker3/{,**} rw,
/var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
@ -134,9 +133,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
@{run}/mount/utab r,
@{sys}/devices/pci[0-9]*/*/vendor r,
@{sys}/devices/pci[0-9]*/*/device r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,

5
apparmor.d/groups/kde/dolphin
View File

@ -10,6 +10,7 @@ include <tunables/global>
profile dolphin @{exec_path} {
include <abstractions/base>
include <abstractions/deny-sensitive-home>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
@ -30,6 +31,7 @@ profile dolphin @{exec_path} {
/usr/share/kf5/kmoretools/{,**} r,
/usr/share/kio/{,**} r,
/usr/share/kservices5/{,**} r,
/usr/share/kservicetypes5/{,**} r,
/usr/share/mime/ r,
/etc/fstab r,
@ -55,8 +57,7 @@ profile dolphin @{exec_path} {
owner @{user_config_dirs}/dolphinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/dolphinrc.lock rwk,
owner @{user_config_dirs}/kde.org/#@{int} rw,
owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf rw,
owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.@{rand6} rwlk -> @{user_config_dirs}/kde.org/#@{int},
owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.@{rand6}} rwlk -> @{user_config_dirs}/kde.org/#@{int},
owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk,
owner @{user_config_dirs}/session/ rw,

1
apparmor.d/groups/kde/kioslave5
View File

@ -66,6 +66,7 @@ profile kioslave5 @{exec_path} {
# Silence non user's data
deny /boot/{,**} r,
deny /etc/{,**} r,
deny /opt/{,**} r,
deny /root/{,**} r,
deny /tmp/.* rw,

5
apparmor.d/groups/kde/sddm
View File

@ -36,9 +36,10 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
network netlink raw,
ptrace (trace) peer=@{profile_name},
ptrace (read) peer=kwalletd5,
ptrace (read) peer=unconfined,
ptrace (trace) peer=@{profile_name},
signal (send) set=term peer=kwin_wayland,
signal (send) set=(kill, term) peer=startplasma,
signal (send) set=term peer=startplasma-wayland,

5
apparmor.d/groups/network/NetworkManager
View File

@ -80,6 +80,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects,
dbus (send eceive) bus=system path=/fi/w1/wpa_supplicant1{,/**}
interface={fi.w1.wpa_supplicant1.Interface,org.freedesktop.DBus.Properties}
member=PropertiesChanged
peer=(name=:*, label=wpa-supplicant),
dbus receive bus=system path=/org/freedesktop
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects,

7
apparmor.d/groups/pacman/mkinitcpio
View File

@ -76,6 +76,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
/etc/lvm/lvm.conf r,
/etc/mkinitcpio.conf r,
/etc/mkinitcpio.d/{,**} r,
/etc/mkinitcpio.conf.d/{,**} r,
/etc/modprobe.d/{,*} r,
/etc/plymouth/plymouthd.conf r,
/etc/vconsole.conf r,
@ -96,13 +97,15 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
# Manage /boot
/ r,
/boot/ r,
/boot/initramfs-*.img* rw,
/boot/vmlinuz-* r,
# Temp files
owner @{run}/initramfs/{,**} rw,
owner @{run}/mkinitcpio.*/{,**} rw,
owner /tmp/mkinitcpio.*/{,**} rw,
owner @{run}/mkinitcpio.@{rand6}/{,**} rw,
owner /tmp/mkinitcpio.@{rand6} rw,
owner /tmp/mkinitcpio.@{rand6}/{,**} rw,
@{sys}/class/block/ r,
@{sys}/devices/{,**} r,

3
apparmor.d/groups/pacman/pacman-hook-code
View File

@ -15,11 +15,12 @@ profile pacman-hook-code @{exec_path} {
@{exec_path} mr,
@{bin}/env r,
@{bin}/python3.[0-9]* rix,
@{lib}/code/product.json rw,
/usr/share/code-{features,marketplace}/* r,
/usr/share/code-{features,marketplace}/{,*} r,
/usr/share/code-{features,marketplace}/cache.json rw,
include if exists <local/pacman-hook-code>

1
apparmor.d/groups/systemd/systemd-detect-virt
View File

@ -26,6 +26,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/product_version r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/firmware/dmi/entries/*/raw r,
# Inherit silencer
deny /apparmor/.null rw,

3
apparmor.d/groups/systemd/systemd-modules-load
View File

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -18,9 +19,9 @@ profile systemd-modules-load @{exec_path} {
@{sys}/module/*/initstate r,
/etc/modules r,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
/etc/modules r,
/etc/modules-load.d/ r,
/etc/modules-load.d/*.conf r,

13
apparmor.d/groups/systemd/systemd-sysctl
View File

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -17,16 +18,16 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) {
capability sys_admin,
capability sys_ptrace,
capability sys_rawio,
# capability sys_resource,
@{exec_path} mr,
@{PROC}/sys/** rw,
/etc/sysctl.d/ r,
/etc/sysctl.d/*.conf r,
# Config file locations
@{run}/sysctl.d/{,*.conf} r,
/etc/sysctl.conf r,
/etc/sysctl.d/{,*.conf} r,
/usr/lib/sysctl.d/{,*.conf} r,
@{PROC}/sys/** rw,
# Inherit Silencer
deny /apparmor/.null rw,

2
apparmor.d/profiles-a-f/aa-enforce
View File

@ -26,7 +26,7 @@ profile aa-enforce @{exec_path} {
/etc/inputrc r,
owner /snap/core[0-9]*/@{int}/etc/apparmor.d/{,**} rw,
owner /snap/core@{int}/@{int}/etc/apparmor.d/{,**} rw,
owner /var/lib/snapd/apparmor/{,**} rw,
owner @{PROC}/@{pid}/fd r,

5
apparmor.d/profiles-a-f/boltd
View File

@ -28,6 +28,11 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
member=Changed
peer=(name=:*, label=polkitd),
dbus receive bus=system path=/org/freedesktop/bolt
interface=org.freedesktop.bolt1.Manager
member=ListDevices,

15
apparmor.d/profiles-a-f/chpasswd
View File

@ -1,4 +1,5 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
include <tunables/global>
@ -17,16 +18,16 @@ profile chpasswd @{exec_path} {
/etc/.pwd.lock wk,
/etc/login.defs r,
/etc/shadow rw,
/etc/shadow.@{int} w,
/etc/shadow.lock w, # change to 'd'
/etc/shadow.lock l -> /etc/shadow.@{int},
/etc/shadow- w,
/etc/shadow+ rw,
/etc/passwd rw,
/etc/passwd.@{int} w,
/etc/passwd.lock w, # change to 'd'
/etc/passwd.lock l -> /etc/passwd.@{int},
/etc/passwd.lock w,
/etc/shadow rw,
/etc/shadow- w,
/etc/shadow.@{int} w,
/etc/shadow.lock l -> /etc/shadow.@{int},
/etc/shadow.lock w,
/etc/shadow+ rw,
include if exists <local/chpasswd>
}

2
apparmor.d/profiles-a-f/dkms
View File

@ -56,7 +56,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
@{bin}/{,g,m}awk rix,
@{bin}/update-secureboot-policy rPUx,
@{lib}/gcc/@{multiarch}/@{int}/* rix,
@{lib}/gcc/@{multiarch}/@{int}*/* rix,
@{lib}/linux-kbuild-*/scripts/** rix,
@{lib}/linux-kbuild-*/tools/objtool/objtool rix,
@{lib}/llvm-[0-9]*/bin/clang rix,

5
apparmor.d/profiles-g-l/groups
View File

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -16,6 +17,10 @@ profile groups @{exec_path} {
/etc/group r,
/etc/nsswitch.conf r,
@{run}/systemd/userdb r,
@{PROC}/sys/kernel/random/boot_id r,
/dev/tty@{int} rw,
include if exists <local/groups>

2
apparmor.d/profiles-g-l/lspci
View File

@ -32,7 +32,7 @@ profile lspci @{exec_path} flags=(attach_disconnected) {
@{sys}/bus/pci/devices/ r,
@{sys}/bus/pci/slots/ r,
@{sys}/bus/pci/slots/@{int}/address r,
@{sys}/bus/pci/slots/@{int}-@{int}/address r,
@{sys}/devices/pci[0-9]*/** r,
@{PROC}/cmdline r,

2
apparmor.d/profiles-s-z/smartctl
View File

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,

1
apparmor.d/profiles-s-z/spotify
View File

@ -59,6 +59,7 @@ profile spotify @{exec_path} {
owner @{cache_dirs}/ rw,
owner @{cache_dirs}/** rwk -> @{cache_dirs}/**,
owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm,
owner @{run}/user/@{uid}/pulse/ r,

21
apparmor.d/profiles-s-z/thermald
View File

@ -49,10 +49,8 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
@{sys}/class/hwmon/ r,
@{sys}/class/thermal/ r,
@{sys}/devices/platform/{,*} r,
@{sys}/devices/platform/**/path r,
@{sys}/devices/platform/**/available_uuids r,
@{sys}/devices/platform/**/current_uuid rw,
@{sys}/devices/platform/ r,
@{sys}/devices/platform/** r,
@{sys}/devices/system/cpu/present r,
@{sys}/devices/system/cpu/intel_pstate/max_perf_pct rw,
@ -65,6 +63,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/pci[0-9]*/**/power_limits/power_limit_@{int}_tmax_us r,
@{sys}/devices/pci[0-9]*/**/power_limits/power_limit_@{int}_tmin_us r,
@{sys}/devices/**/hwmon@{int}/ r,
@{sys}/devices/**/hwmon@{int}/name r,
@{sys}/devices/**/hwmon@{int}/temp[0-9]*_{max,crit} r,
@{sys}/devices/**/path r,
@ -86,13 +85,13 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/virtual/thermal/cooling_device@{int}/cur_state rw,
@{sys}/devices/virtual/thermal/cooling_device@{int}/max_state r,
@{sys}/devices/virtual/powercap/intel-rapl/ r,
@{sys}/devices/virtual/powercap/intel-rapl/**/name r,
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/ r,
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/* r,
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/constraint_* w,
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/enabled w,
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/intel-rapl:[0-9]*:[0-9]*/{,*} r,
@{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/ r,
@{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/**/name r,
@{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/ r,
@{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/* r,
@{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/constraint_* w,
@{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/enabled w,
@{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/intel-rapl:[0-9]*:[0-9]*/{,*} r,
/dev/acpi_thermal_rel rw,
/dev/input/ r,

4
apparmor.d/profiles-s-z/thunderbird-glxtest
View File

@ -19,6 +19,7 @@ profile thunderbird-glxtest @{exec_path} {
include <abstractions/nameservice-strict>
include <abstractions/opencl-nvidia>
include <abstractions/vulkan>
include <abstractions/X-strict>
@{exec_path} mr,
@ -26,11 +27,10 @@ profile thunderbird-glxtest @{exec_path} {
owner /tmp/thunderbird/.parentlock rw,
owner @{run}/user/@{uid}/xauth_@{rand6} r,
@{sys}/bus/pci/devices/ r,
@{sys}/devices/pci[0-9]*/**/class r,
owner @{PROC}/@{pid}/cmdline r,
include if exists <local/thunderbird-glxtest>
}

4
apparmor.d/profiles-s-z/thunderbird-vaapitest
View File

@ -25,8 +25,8 @@ profile thunderbird-vaapitest @{exec_path} {
/etc/igfx_user_feature{,_next}.txt w,
/etc/libva.conf r,
owner @{thunderbird_config_dirs}/*/.parentlock rw,
owner @{thunderbird_config_dirs}/*/startupCache/*Cache* r,
deny owner @{thunderbird_config_dirs}/*/.parentlock rw,
deny owner @{thunderbird_config_dirs}/*/startupCache/** r,
owner /tmp/thunderbird/.parentlock rw,

2
apparmor.d/profiles-s-z/udisksd
View File

@ -152,8 +152,6 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/mounts r,
/dev/loop-control rw,
/dev/mapper/ r,
/dev/mapper/control rw,
/dev/null.[0-9]* rw,
include if exists <local/udisksd>

3
apparmor.d/profiles-s-z/wpa-supplicant
View File

@ -44,10 +44,11 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
/var/log/wpa_supplicant.log rw,
@{HOME}/.cat_installer/*.pem r,
@{user_config_dirs}/cat_installer/*.pem r,
owner @{run}/wpa_supplicant/{,**} rw,
@{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/name r,
@{sys}/devices/pci[0-9]*/**/ieee*/phy@{int}/name r,
@{PROC}/sys/net/ipv{4,6}/conf/p2p*/drop_* rw,
@{PROC}/sys/net/ipv{4,6}/conf/wlan*/drop_* rw,