Profiles update.

Alexandre Pujol 2021-09-10 00:17:44 +01:00
parent 6583a7bfb2
commit 70b4fa665b
18 changed files with 80 additions and 37 deletions


@ -23,7 +23,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
owner /var/lib/colord/** r, owner /var/lib/colord/** r,
owner /var/lib/colord/.cache/ rw, owner /var/lib/colord/.cache/ rw,
owner /var/lib/colord/.cache/** rw, owner /var/lib/colord/.cache/** rw,
owner /var/lib/colord/{mapping,storage}.db rwk, owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk,
/var/lib/gdm/.local/share/icc/edid-*.icc r, /var/lib/gdm/.local/share/icc/edid-*.icc r,
/etc/udev/hwdb.bin r, /etc/udev/hwdb.bin r,


@ -13,7 +13,7 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) {
# Needed? # Needed?
deny capability sys_nice, deny capability sys_nice,
signal (receive) set=term peer=gdm, signal (receive) set=(term hup) peer=gdm*,
@{exec_path} mr, @{exec_path} mr,
@ -26,7 +26,8 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/dconf/ rw, owner @{user_cache_dirs}/dconf/ rw,
owner @{user_cache_dirs}/dconf/user rw, owner @{user_cache_dirs}/dconf/user rw,
/var/lib/gdm/.config/dconf/user r, /var/lib/gdm/.config/dconf/ rw,
/var/lib/gdm/.config/dconf/user rw,
/var/lib/gdm/.config/dconf/user.* rw, /var/lib/gdm/.config/dconf/user.* rw,
@{PROC}/cmdline r, @{PROC}/cmdline r,
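Review bot: The two new gdm rules, `/var/lib/gdm/.config/dconf/ rw,` and `/var/lib/gdm/.config/dconf/user rw,`, carry no `owner` qualifier, while the per-user rules directly above them do (`owner @{user_cache_dirs}/dconf/user rw,`); the greeter instance of dconf-service presumably runs as the gdm user, so `owner` would still match there and would stop the rule from granting write access to the greeter's dconf database to any other uid confined by this profile. The same unqualified `/var/lib/gdm/...` pattern recurs in this commit's gnome-session-binary, gnome-shell, gsd-color, gsd-sound, pulseaudio and xdg-user-dirs-update hunks, and the pulseaudio hunk's own `owner /var/lib/sddm/.config/pulse/ rw,` line shows the convention the new lines break. Separately, widening the signal rule from `peer=gdm` to `peer=gdm*` now matches every profile whose name starts with gdm; if that is deliberate, a short comment naming which gdm-* profile sends the hup would keep it reviewable. The profile continues outside the hunk.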


@ -13,8 +13,10 @@ profile gnome-music @{exec_path} {
include <abstractions/gnome> include <abstractions/gnome>
include <abstractions/gstreamer> include <abstractions/gstreamer>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/python>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/p11-kit>
include <abstractions/python>
include <abstractions/ssl_certs>
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,


@ -44,6 +44,9 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
/usr/share/gnome-session/hardware-compatibility r, /usr/share/gnome-session/hardware-compatibility r,
/usr/share/gnome-session/sessions/*.session r, /usr/share/gnome-session/sessions/*.session r,
/var/lib/gdm/.config/gnome-session/ rw,
/var/lib/gdm/.config/gnome-session/saved-session/ rw,
owner @{user_config_dirs}/gnome-session/saved-session/ r, owner @{user_config_dirs}/gnome-session/saved-session/ r,
owner @{user_config_dirs}/gtk-3.0/bookmarks rw, owner @{user_config_dirs}/gtk-3.0/bookmarks rw,
owner @{user_config_dirs}/gtk-3.0/bookmarks.[0-9A-Z]* rw, owner @{user_config_dirs}/gtk-3.0/bookmarks.[0-9A-Z]* rw,


@ -61,7 +61,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r, /etc/machine-id r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/var/lib/gdm/.config/pulse/ r,
/var/lib/gdm/.config/pulse/client.conf r, /var/lib/gdm/.config/pulse/client.conf r,
/var/lib/gdm/.config/pulse/cookie rw,
/var/lib/gdm/.local/share/gnome-shell/ rw,
/var/lib/gdm/.local/share/applications/{,**} r, /var/lib/gdm/.local/share/applications/{,**} r,
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
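Review bot: `/var/lib/gdm/.config/pulse/cookie rw,` grants write access to the PulseAudio authentication cookie, whereas the gsd-media-keys hunk of this same commit grants only `rk` on the identical path; unless gnome-shell is expected to (re)generate the cookie, `owner /var/lib/gdm/.config/pulse/cookie rk,` is the narrower rule and keeps the two profiles consistent. The new `/var/lib/gdm/.local/share/gnome-shell/ rw,` directory rule likewise lacks `owner`. The profile continues outside the hunk.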


@ -22,7 +22,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
/usr/share/mime/mime.cache r, /usr/share/mime/mime.cache r,
/usr/share/X11/xkb/** r, /usr/share/X11/xkb/** r,
/var/lib/gdm/.local/share/icc/ r, /var/lib/gdm/.local/share/icc/ rw,
/var/lib/gdm/.local/share/icc/edid-*.icc rw, /var/lib/gdm/.local/share/icc/edid-*.icc rw,
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,


@ -35,6 +35,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/recently-used.xbel{,.*} rw, owner @{user_share_dirs}/recently-used.xbel{,.*} rw,
/var/lib/gdm/.config/pulse/client.conf r, /var/lib/gdm/.config/pulse/client.conf r,
/var/lib/gdm/.config/pulse/cookie rk,
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,
@{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/inhibit/[0-9]*.ref rw,


@ -17,6 +17,8 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/var/lib/gdm/.local/share/sounds/ rw,
include <abstractions/dconf> include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,


@ -19,6 +19,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
/usr/share/nautilus/{,**} r, /usr/share/nautilus/{,**} r,
/usr/share/tracker3/{,**} r, /usr/share/tracker3/{,**} r,
/usr/share/sounds/freedesktop/stereo/*.oga r,
owner @{user_share_dirs}/nautilus/{,**} rwk, owner @{user_share_dirs}/nautilus/{,**} rwk,


@ -20,6 +20,7 @@ profile tracker-extract @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/mime/mime.cache r, /usr/share/mime/mime.cache r,
/usr/share/osinfo/{,**} r, /usr/share/osinfo/{,**} r,
/usr/share/poppler/{,**} r,
/usr/share/tracker3-miners/{,**} r, /usr/share/tracker3-miners/{,**} r,
/usr/share/tracker3/{,**} r, /usr/share/tracker3/{,**} r,
@ -40,7 +41,7 @@ profile tracker-extract @{exec_path} {
@{run}/udev/data/c235:* r, @{run}/udev/data/c235:* r,
@{run}/udev/data/c236:* r, @{run}/udev/data/c236:* r,
@{run}/udev/data/c510:* r, @{run}/udev/data/c51[0-9]:* r,
/dev/video[0-9]* rw, /dev/video[0-9]* rw,


@ -41,17 +41,22 @@ profile pacman @{exec_path} {
/{usr/,}bin/gpg rCx -> gpg, /{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/gpgconf rCx -> gpg, /{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg, /{usr/,}bin/gpgsm rCx -> gpg,
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/{,ba}sh rix,
# Pacman hooks & install scripts # Pacman hooks & install scripts
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/{,ba}sh rix,
/{usr/,}bin/dot rix,
/{usr/,}bin/env rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/vercmp rix,
/{usr/,}lib/ghc-*/bin/ghc-pkg rix,
/{usr/,}bin/arch-audit rPx, /{usr/,}bin/arch-audit rPx,
/{usr/,}bin/bootctl rPx, /{usr/,}bin/bootctl rPx,
/{usr/,}bin/env rix,
/{usr/,}bin/fc-cache rPx, /{usr/,}bin/fc-cache rPx,
/{usr/,}bin/gdk-pixbuf-query-loaders rPx, /{usr/,}bin/gdk-pixbuf-query-loaders rPx,
/{usr/,}bin/glib-compile-schemas rPx, /{usr/,}bin/glib-compile-schemas rPx,
/{usr/,}bin/gtk-query-immodules-3.0 rPx, /{usr/,}bin/gtk-query-immodules-{2,3}.0 rPx,
/{usr/,}bin/install-info rPx, /{usr/,}bin/install-info rPx,
/{usr/,}bin/killall rPx, /{usr/,}bin/killall rPx,
/{usr/,}bin/pacdiff rPx, /{usr/,}bin/pacdiff rPx,
@ -61,9 +66,7 @@ profile pacman @{exec_path} {
/{usr/,}bin/update-ca-trust rPx, /{usr/,}bin/update-ca-trust rPx,
/{usr/,}bin/update-desktop-database rPx, /{usr/,}bin/update-desktop-database rPx,
/{usr/,}bin/update-mime-database rPx, /{usr/,}bin/update-mime-database rPx,
/{usr/,}bin/vercmp rix,
/{usr/,}lib/dkms/alpm-hook rPx, /{usr/,}lib/dkms/alpm-hook rPx,
/{usr/,}lib/ghc-*/bin/ghc-pkg rix,
/{usr/,}lib/systemd/systemd-* rPx, /{usr/,}lib/systemd/systemd-* rPx,
/{usr/,}lib/vlc/vlc-cache-gen rPx, /{usr/,}lib/vlc/vlc-cache-gen rPx,
/usr/share/libalpm/scripts/* rPx, /usr/share/libalpm/scripts/* rPx,
@ -77,6 +80,17 @@ profile pacman @{exec_path} {
/usr/{,**} rwl, /usr/{,**} rwl,
/var/{,**} rwl, /var/{,**} rwl,
/bin/ rwl,
/home/ rw,
/lib/ rwl,
/lib64/ rwl,
/sbin/ rwl,
@{PROC}/ r,
@{run}/ r,
@{sys}/ r,
/mnt r,
# Read packages files # Read packages files
@{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r, @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r,
@ -116,5 +130,6 @@ profile pacman @{exec_path} {
owner /etc/pacman.d/gnupg/** rwkl, owner /etc/pacman.d/gnupg/** rwkl,
} }
include if exists <distribution/pacman.d>
include if exists <local/pacman> include if exists <local/pacman>
} }
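Review bot: `/mnt r,` in the third hunk has no trailing slash, so it most likely matches only the path entry `/mnt` and not the directory `/mnt/`; the neighbouring new rules (`/bin/ rwl,`, `@{PROC}/ r,`, `@{run}/ r,`, `@{sys}/ r,`) all use the directory form, so this probably wants to be `/mnt/ r,`. In the same hunk `/home/ rw,` gives pacman write access on the top-level home directory itself, and a one-line comment naming the package or hook that needs it would make that grant reviewable later. In the first hunk the helpers moved under `# Pacman hooks & install scripts` keep `rix`, so `sh`, `rm`, `dot` and `ghc-pkg` run with pacman's own `/usr/{,**} rwl` and `/var/{,**} rwl` access; that is the usual trade-off for a package manager, but a comment stating it is intentional (rather than a `Px` transition that was never written) would help. The profile continues outside the hunks.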


@ -10,9 +10,12 @@ include <tunables/global>
profile pacman-hook-dkms @{exec_path} { profile pacman-hook-dkms @{exec_path} {
include <abstractions/base> include <abstractions/base>
capability dac_read_search,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/kmod rPx, /{usr/,}bin/kmod rPx,
/{usr/,}bin/dkms rPx,
# Inherit Silencer # Inherit Silencer
deny network inet6 stream, deny network inet6 stream,
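Review bot: `capability dac_read_search,` is added without a comment, and it is the one rule in this hunk that lets the hook bypass file read and directory search permission checks instead of naming a path; a why-comment on the line (wording to be taken from the denial that motivated it, for example `# needed to read root-only kernel source trees`) would keep the grant reviewable. `/{usr/,}bin/dkms rPx,` also requires a `dkms` profile to exist in the loaded set, otherwise the exec is denied at runtime; if none is shipped, `rPUx` or a child profile would be the documented fallback. The profile continues outside the hunk.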


@ -15,6 +15,7 @@ profile pacman-key @{exec_path} {
/{usr/,}bin/basename rix, /{usr/,}bin/basename rix,
/{usr/,}bin/gettext rix, /{usr/,}bin/gettext rix,
/{usr/,}bin/gpg rCx -> gpg, /{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/grep rix,
/{usr/,}bin/pacman-conf rPx, /{usr/,}bin/pacman-conf rPx,
/{usr/,}bin/tput rix, /{usr/,}bin/tput rix,


@ -0,0 +1,17 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-escape
profile systemd-escape @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>
@{exec_path} mr,
include if exists <local/systemd-escape>
}
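Review bot: The new standalone profile grants only `abstractions/base`, `abstractions/systemd-common` and `@{exec_path} mr`, while the udisksd child profile it appears to replace (removed in this commit's udisksd section) carried `ptrace (read)`, `@{PROC}/cmdline r`, `@{PROC}/1/{sched,environ} r`, `@{PROC}/sys/kernel/osrelease r`, `owner @{PROC}/@{pid}/stat r`, the efivars SecureBoot read and `/dev/kmsg w`. Dropping the `@{PROC}/1/environ` read in particular is a welcome narrowing, but whether the remaining accesses are now covered by `abstractions/systemd-common` is not visible on this page and should be confirmed in enforce mode before the child profile's removal lands. A header comment such as `# Standalone profile; replaces the former udisksd child profile of the same name` would record the relationship for the next reader.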


@ -49,16 +49,16 @@ profile systemd-logind @{exec_path} flags=(complain) {
@{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs
@{run}/udev/data/+backlight:intel_backlight r, @{run}/udev/data/+backlight:intel_backlight r,
@{run}/systemd/seats/ r, @{run}/systemd/seats/ rw,
@{run}/systemd/seats/.#seat* rw, @{run}/systemd/seats/.#seat* rw,
@{run}/systemd/seats/seat[0-9]* rw, @{run}/systemd/seats/seat[0-9]* rw,
@{run}/systemd/inhibit/ r, @{run}/systemd/inhibit/ r,
@{run}/systemd/inhibit/[0-9]*{,.ref} rw, @{run}/systemd/inhibit/[0-9]*{,.ref} rw,
@{run}/systemd/inhibit/.#* rw, @{run}/systemd/inhibit/.#* rw,
@{run}/systemd/sessions/ r, @{run}/systemd/sessions/ rw,
@{run}/systemd/sessions/[0-9]*{,.ref} rw, @{run}/systemd/sessions/[0-9]*{,.ref} rw,
@{run}/systemd/sessions/.#* rw, @{run}/systemd/sessions/.#* rw,
@{run}/systemd/users/ r, @{run}/systemd/users/ rw,
@{run}/systemd/users/@{uid} rw, @{run}/systemd/users/@{uid} rw,
@{run}/systemd/users/.#* rw, @{run}/systemd/users/.#* rw,
@{run}/systemd/userdb/ r, @{run}/systemd/userdb/ r,


@ -83,6 +83,9 @@ profile pulseaudio @{exec_path} {
#owner @{HOME}/orcexec.* mrw, #owner @{HOME}/orcexec.* mrw,
#owner /tmp/orcexec.* mrw, #owner /tmp/orcexec.* mrw,
# For GDM
/var/lib/gdm/.config/pulse/ rw,
# For SDDM # For SDDM
owner /var/lib/sddm/.config/pulse/ rw, owner /var/lib/sddm/.config/pulse/ rw,
owner /var/lib/sddm/.config/pulse/*-{device,stream}-volumes.tdb rw, owner /var/lib/sddm/.config/pulse/*-{device,stream}-volumes.tdb rw,


@ -44,8 +44,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
/{usr/,}{s,}bin/lvm rPUx, /{usr/,}{s,}bin/lvm rPUx,
/{usr/,}bin/systemctl rPx -> child-systemctl, /{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/systemd-escape rPx,
/{usr/,}bin/systemd-escape rCx -> systemd-escape,
# Allow mounting of removable devices # Allow mounting of removable devices
mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/sd[a-z] -> @{MOUNTS}/*/*/, mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/sd[a-z] -> @{MOUNTS}/*/*/,
@ -131,24 +130,5 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/seats/seat[0-9]* r, @{run}/systemd/seats/seat[0-9]* r,
@{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/inhibit/[0-9]*.ref rw,
profile systemd-escape {
include <abstractions/base>
ptrace (read),
/{usr/,}bin/systemd-escape mr,
@{PROC}/cmdline r,
@{PROC}/1/sched r,
@{PROC}/1/environ r,
@{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pid}/stat r,
@{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
/dev/kmsg w,
}
include if exists <local/udisksd> include if exists <local/udisksd>
} }
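Review bot: With the `profile systemd-escape { … }` child block removed in the second hunk, the exec rule in the first hunk must point at the new top-level systemd-escape profile, i.e. read `/{usr/,}bin/systemd-escape rPx,` on the new side; the page does not show which of the two printed lines is the new one, and `rCx -> systemd-escape` would no longer resolve once the child block is gone. Confirm the profile set still loads after the change and that udisksd's systemd-escape invocation is not denied under enforce. The profile continues outside the hunks.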


@ -14,7 +14,17 @@ profile xdg-user-dirs-update @{exec_path} {
/etc/xdg/user-dirs.conf r, /etc/xdg/user-dirs.conf r,
/etc/xdg/user-dirs.defaults r, /etc/xdg/user-dirs.defaults r,
/var/lib/gdm/.config/user-dirs.dirs r,
/var/lib/gdm/.config/user-dirs.dirs{,*} rw,
/var/lib/gdm/.config/user-dirs.locale rw,
/var/lib/gdm/@{XDG_DESKTOP_DIR}/ rw,
/var/lib/gdm/@{XDG_DOCUMENTS_DIR}/ rw,
/var/lib/gdm/@{XDG_DOWNLOAD_DIR}/ rw,
/var/lib/gdm/@{XDG_MUSIC_DIR}/ rw,
/var/lib/gdm/@{XDG_PICTURES_DIR}/ rw,
/var/lib/gdm/@{XDG_PUBLICSHARE_DIR}/ rw,
/var/lib/gdm/@{XDG_TEMPLATES_DIR}/ rw,
/var/lib/gdm/@{XDG_VIDEOS_DIR}/ rw,
owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.dirs r,