feat(profiles): general update.
This commit is contained in:
parent
19331acaa9
commit
75ef5ef6ad
@ -82,18 +82,20 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
|
|||||||
/etc/apt/apt.conf.d/{,**} r,
|
/etc/apt/apt.conf.d/{,**} r,
|
||||||
/etc/debian_version r,
|
/etc/debian_version r,
|
||||||
/etc/default/grub.d/* r,
|
/etc/default/grub.d/* r,
|
||||||
/etc/dpkg/origins/{debian,ubuntu,} r,
|
/etc/dpkg/origins/{,debian,ubuntu} r,
|
||||||
|
/etc/fwupd/{,**} r,
|
||||||
/etc/grub.d/* r,
|
/etc/grub.d/* r,
|
||||||
/etc/issue{.net,} r,
|
/etc/issue{.net,} r,
|
||||||
/etc/kernel/*.d/*grub* r,
|
/etc/kernel/*.d/*grub* r,
|
||||||
/etc/legal r,
|
/etc/legal r,
|
||||||
/etc/lsb-release r,
|
/etc/lsb-release r,
|
||||||
/etc/profile.d/* r,
|
|
||||||
/etc/update-manager/{,**} r,
|
|
||||||
/etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r,
|
|
||||||
/etc/update-motd.d/* r,
|
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
/etc/pki/fwupd-metadata/{,**} r,
|
||||||
|
/etc/pki/fwupd/{,**} r,
|
||||||
|
/etc/profile.d/* r,
|
||||||
|
/etc/security/capability.conf r,
|
||||||
|
/etc/update-manager/{,**} r,
|
||||||
|
/etc/update-motd.d/* r,
|
||||||
|
|
||||||
/var/log/unattended-upgrades/{,**} rw,
|
/var/log/unattended-upgrades/{,**} rw,
|
||||||
|
|
||||||
|
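Review bot: The new read rules for `/etc/fwupd/{,**}`, `/etc/pki/fwupd/{,**}`, `/etc/pki/fwupd-metadata/{,**}` and `/etc/security/capability.conf` carry no comment saying which part of unattended-upgrade reaches them, unlike the rest of this profile's grouped entries. They are read-only and low risk, but a future maintainer pruning the profile has no way to tell whether they belong to an apt hook, a fwupd integration, or a PAM-using child. Suggest tagging the fwupd group with something like `# Presumably for an fwupd/apt hook -- confirm` and the capability.conf line with its consumer once known. The profile body continues outside the hunk.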
@ -164,22 +164,24 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||||||
# As a temporary solution - see issue #128
|
# As a temporary solution - see issue #128
|
||||||
@{bin}/keepassxc-proxy rix,
|
@{bin}/keepassxc-proxy rix,
|
||||||
|
|
||||||
|
/usr/share/@{firefox_name}/{,**} r,
|
||||||
/usr/share/doc/{,**} r,
|
/usr/share/doc/{,**} r,
|
||||||
/usr/share/egl/{,**} r,
|
/usr/share/egl/{,**} r,
|
||||||
/usr/share/@{firefox_name}/{,**} r,
|
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||||
/usr/share/libdrm/*.ids r,
|
/usr/share/libdrm/*.ids r,
|
||||||
/usr/share/mozilla/extensions/{,**} r,
|
/usr/share/mozilla/extensions/{,**} r,
|
||||||
/usr/share/webext/{,**} r,
|
/usr/share/webext/{,**} r,
|
||||||
/usr/share/xul-ext/kwallet5/* r,
|
/usr/share/xul-ext/kwallet5/* r,
|
||||||
|
|
||||||
/etc/@{firefox_name}/{,**} r,
|
/etc/@{firefox_name}/{,**} r,
|
||||||
/etc/fstab r,
|
|
||||||
/etc/cups/client.conf r,
|
/etc/cups/client.conf r,
|
||||||
|
/etc/fstab r,
|
||||||
/etc/igfx_user_feature{,_next}.txt w,
|
/etc/igfx_user_feature{,_next}.txt w,
|
||||||
/etc/libva.conf r,
|
/etc/libva.conf r,
|
||||||
/etc/mailcap r,
|
/etc/mailcap r,
|
||||||
/etc/mime.types r,
|
/etc/mime.types r,
|
||||||
/etc/opensc.conf r,
|
/etc/opensc.conf r,
|
||||||
|
/etc/xdg/* r,
|
||||||
/etc/xul-ext/kwallet5.js r,
|
/etc/xul-ext/kwallet5.js r,
|
||||||
|
|
||||||
/var/lib/nscd/services r,
|
/var/lib/nscd/services r,
|
||||||
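Review bot: The added `/etc/xdg/* r,` grants read on every regular file directly under /etc/xdg rather than the specific XDG file Firefox reads (the neighbouring rules in this block name exact files such as `/etc/libva.conf` and `/etc/mailcap`). If a single file is the trigger (e.g. a mimeapps.list or user-dirs file — not visible here), naming it keeps the rule consistent with the rest of the block; if several files are needed, a comment such as `# XDG defaults (mimeapps, user-dirs) -- confirm` would document the widening. The rest of this profile's changes (the second firefox hunk adding kdeglobals/kioslaverc reads) look fine.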
@ -193,6 +195,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||||||
owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r,
|
owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r,
|
||||||
owner @{user_config_dirs}/ibus/bus/ r,
|
owner @{user_config_dirs}/ibus/bus/ r,
|
||||||
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
|
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
|
||||||
|
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
||||||
|
owner @{user_config_dirs}/kdeglobals r,
|
||||||
|
owner @{user_config_dirs}/kioslaverc r,
|
||||||
owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
|
owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
|
||||||
|
|
||||||
owner @{user_share_dirs}/ r,
|
owner @{user_share_dirs}/ r,
|
||||||
|
@ -18,13 +18,16 @@ profile firefox-vaapitest @{exec_path} {
|
|||||||
include <abstractions/nvidia>
|
include <abstractions/nvidia>
|
||||||
include <abstractions/vulkan>
|
include <abstractions/vulkan>
|
||||||
|
|
||||||
|
network netlink raw,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/etc/igfx_user_feature{,_next}.txt w,
|
/etc/igfx_user_feature{,_next}.txt w,
|
||||||
/etc/libva.conf r,
|
/etc/libva.conf r,
|
||||||
|
|
||||||
owner @{firefox_config_dirs}/firefox/*/.parentlock rw,
|
deny owner @{firefox_config_dirs}/firefox/*/.parentlock rw,
|
||||||
owner @{firefox_config_dirs}/firefox/*/startupCache/*Cache* r,
|
deny owner @{firefox_config_dirs}/firefox/*/startupCache/** r,
|
||||||
|
deny owner @{user_cache_dirs}/mozilla/firefox/*/startupCache/* r,
|
||||||
|
|
||||||
owner /tmp/firefox/.parentlock rw,
|
owner /tmp/firefox/.parentlock rw,
|
||||||
|
|
||||||
|
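Review bot: The added `network netlink raw,` is a notable widening for a VA-API probe helper and has no comment explaining why it is needed; netlink raw is what libudev uses to enumerate devices, which is the likely reason, but that is inferred rather than visible here. Suggest `network netlink raw, # for libudev device enumeration -- confirm` so the grant is not silently inherited by later edits. The three new `deny owner ... startupCache` and `.parentlock` rules are explicit log-silencers; a one-line comment such as `# Silence noise from the shared Firefox profile directory` above them would make that intent clear.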
@ -9,13 +9,14 @@ include <tunables/global>
|
|||||||
@{exec_path} = @{bin}/plymouth-set-default-theme
|
@{exec_path} = @{bin}/plymouth-set-default-theme
|
||||||
profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) {
|
profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
@{bin}/{,ba,da}sh rix,
|
||||||
@{bin}/{m,g,}awk rix,
|
@{bin}/{m,g,}awk rix,
|
||||||
@{bin}/grep rix,
|
@{bin}/grep rix,
|
||||||
@{bin}/plymouth rPx,
|
@{bin}/plymouth rPx,
|
||||||
@{bin}/{,ba,da}sh rix,
|
|
||||||
|
|
||||||
/etc/plymouth/{,*} r,
|
/etc/plymouth/{,*} r,
|
||||||
|
|
||||||
|
@ -50,9 +50,13 @@ profile polkit-kde-authentication-agent @{exec_path} {
|
|||||||
|
|
||||||
owner /tmp/#@{int} rw,
|
owner /tmp/#@{int} rw,
|
||||||
owner /tmp/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int},
|
owner /tmp/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int},
|
||||||
|
owner /tmp/xauth_@{rand6} r,
|
||||||
|
|
||||||
@{run}/systemd/users/@{uid} r,
|
@{run}/systemd/users/@{uid} r,
|
||||||
|
|
||||||
|
@{sys}/devices/system/node/ r,
|
||||||
|
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||||
|
|
||||||
@{PROC}/@{pid}/cgroup r,
|
@{PROC}/@{pid}/cgroup r,
|
||||||
@{PROC}/@{pid}/cmdline r,
|
@{PROC}/@{pid}/cmdline r,
|
||||||
@{PROC}/@{pid}/fd/ r,
|
@{PROC}/@{pid}/fd/ r,
|
||||||
|
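Review bot: The added `owner /tmp/xauth_@{rand6} r,` reads the session's X authority cookie file; `owner` keeps it to the invoking user, which is the right restriction, but nothing says which display manager places the cookie in /tmp. A short comment such as `# X authority cookie written to /tmp by the display manager (sddm/xinit) -- confirm` would document it. The same rule is added to the xsetroot profile later in this commit and would benefit from the same comment.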
@ -1,6 +1,6 @@
|
|||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Copyright (C) 2017-2021 Mikhail Morfikov
|
# Copyright (C) 2017-2021 Mikhail Morfikov
|
||||||
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
@ -12,6 +12,8 @@ profile xrdb @{exec_path} {
|
|||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/X-strict>
|
include <abstractions/X-strict>
|
||||||
|
|
||||||
|
capability dac_read_search,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{bin}/{,*-}cpp-[0-9]* rix,
|
@{bin}/{,*-}cpp-[0-9]* rix,
|
||||||
|
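Review bot: The added `capability dac_read_search,` lets xrdb bypass file and directory read permission checks whenever it runs with that capability (i.e. as root, e.g. from a display-manager setup script), and the hunk gives no hint which path needs it. Suggest documenting the trigger inline, e.g. `capability dac_read_search, # TODO: record which file/dir denial prompted this (root-run session setup?)`, so the grant can be re-evaluated rather than kept by inertia.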
@ -19,10 +19,14 @@ profile xsetroot @{exec_path} {
|
|||||||
|
|
||||||
/etc/X11/cursors/*.theme r,
|
/etc/X11/cursors/*.theme r,
|
||||||
|
|
||||||
|
owner @{HOME}/.icons/** r,
|
||||||
owner @{HOME}/.Xauthority r,
|
owner @{HOME}/.Xauthority r,
|
||||||
owner @{HOME}/.xsession-errors w,
|
owner @{HOME}/.xsession-errors w,
|
||||||
|
|
||||||
owner @{user_share_dirs}/sddm/xorg-session.log w,
|
owner @{user_share_dirs}/sddm/xorg-session.log w,
|
||||||
|
|
||||||
|
owner /tmp/xauth_@{rand6} r,
|
||||||
|
|
||||||
@{run}/sddm/\{@{uuid}\} r,
|
@{run}/sddm/\{@{uuid}\} r,
|
||||||
@{run}/user/@{uid}/xauth_@{rand6} rl,
|
@{run}/user/@{uid}/xauth_@{rand6} rl,
|
||||||
@{run}/sddm/xauth_@{rand6} r,
|
@{run}/sddm/xauth_@{rand6} r,
|
||||||
|
@ -15,13 +15,13 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
|
|||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/opencl>
|
include <abstractions/opencl>
|
||||||
include <abstractions/vulkan>
|
include <abstractions/vulkan>
|
||||||
|
include <abstractions/X-strict>
|
||||||
|
|
||||||
signal (receive) set=(term hup) peer=gdm*,
|
signal (receive) set=(term hup) peer=gdm*,
|
||||||
signal (receive) set=(term hup) peer=gnome-shell,
|
signal (receive) set=(term hup) peer=gnome-shell,
|
||||||
signal (receive) set=(term hup) peer=kwin_wayland,
|
signal (receive) set=(term hup) peer=kwin_wayland,
|
||||||
signal (receive) set=(term hup) peer=login,
|
signal (receive) set=(term hup) peer=login,
|
||||||
|
|
||||||
unix (send,receive) type=stream addr="@/tmp/.X11-unix/X[0-9]*",
|
|
||||||
unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
|
unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
|
||||||
|
|
||||||
@{exec_path} mrix,
|
@{exec_path} mrix,
|
||||||
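Review bot: Dropping `unix (send,receive) type=stream addr="@/tmp/.X11-unix/X[0-9]*"` in favour of `include <abstractions/X-strict>` assumes the abstraction covers Xwayland's use of that abstract socket; Xwayland is the server side of that address, while X abstractions usually describe the client side, so this is worth confirming against the abstraction rather than inferring. The same applies to the `/usr/share/X11/xkb/rules/evdev r` removal in the next xwayland hunk. If both are covered, a comment `# Socket and xkb rules come from abstractions/X-strict` next to the include would save the next reader the same check.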
@ -33,7 +33,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
|
|||||||
/usr/share/fonts/{,**} r,
|
/usr/share/fonts/{,**} r,
|
||||||
/usr/share/ghostscript/fonts/{,**} r,
|
/usr/share/ghostscript/fonts/{,**} r,
|
||||||
/usr/share/libdrm/*.ids r,
|
/usr/share/libdrm/*.ids r,
|
||||||
/usr/share/X11/xkb/rules/evdev r,
|
|
||||||
|
|
||||||
owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
|
owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
|
||||||
|
|
||||||
|
@ -55,6 +55,7 @@ profile gnome-music @{exec_path} {
|
|||||||
|
|
||||||
owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,
|
owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,
|
||||||
|
|
||||||
|
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
|
||||||
owner @{PROC}/@{pid}/cmdline r,
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
|
|
||||||
|
@ -19,6 +19,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||||||
include <abstractions/dri-common>
|
include <abstractions/dri-common>
|
||||||
include <abstractions/dri-enumerate>
|
include <abstractions/dri-enumerate>
|
||||||
include <abstractions/fontconfig-cache-write>
|
include <abstractions/fontconfig-cache-write>
|
||||||
|
include <abstractions/freedesktop.org>
|
||||||
include <abstractions/gnome>
|
include <abstractions/gnome>
|
||||||
include <abstractions/gstreamer>
|
include <abstractions/gstreamer>
|
||||||
include <abstractions/ibus>
|
include <abstractions/ibus>
|
||||||
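Review bot: Switching gnome-shell from the inlined `# freedesktop.org-strict` subset (removed in the later gnome-shell hunk) to `include <abstractions/freedesktop.org>` widens the profile to whatever the full abstraction grants, and the reason for preferring the non-strict variant is not recorded. The new `/usr/share/**.{png,jpg,svg} r,` rule in the following hunk is presumably what made `/usr/share/plymouth/*.png` removable; it overlaps several remaining rules (`/usr/share/backgrounds`, `/usr/share/wallpapers`, `/usr/share/app-info/icons`) that could be dropped or kept with a note. Suggest a comment on the include such as `# Full (non-strict) variant needed for <reason>` so the widening is intentional rather than incidental.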
@ -478,6 +479,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||||||
/opt/*/**/*.png r,
|
/opt/*/**/*.png r,
|
||||||
/snap/*/@{uid}/**.png r,
|
/snap/*/@{uid}/**.png r,
|
||||||
/usr/share/{,zoneinfo-}icu/{,**} r,
|
/usr/share/{,zoneinfo-}icu/{,**} r,
|
||||||
|
/usr/share/**.{png,jpg,svg} r,
|
||||||
/usr/share/app-info/icons/{,**} r,
|
/usr/share/app-info/icons/{,**} r,
|
||||||
/usr/share/backgrounds/{,**} r,
|
/usr/share/backgrounds/{,**} r,
|
||||||
/usr/share/byobu/desktop/byobu* r,
|
/usr/share/byobu/desktop/byobu* r,
|
||||||
@ -498,15 +500,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||||||
/usr/share/libinput*/libinput/ r,
|
/usr/share/libinput*/libinput/ r,
|
||||||
/usr/share/libwacom/{,*.stylus,*.tablet} r,
|
/usr/share/libwacom/{,*.stylus,*.tablet} r,
|
||||||
/usr/share/pipewire/client.conf r,
|
/usr/share/pipewire/client.conf r,
|
||||||
/usr/share/plymouth/*.png r,
|
|
||||||
/usr/share/wallpapers/** r,
|
/usr/share/wallpapers/** r,
|
||||||
/usr/share/wayland-sessions/{,*.desktop} r,
|
/usr/share/wayland-sessions/{,*.desktop} r,
|
||||||
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
|
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
|
||||||
|
|
||||||
# freedesktop.org-strict
|
|
||||||
/usr/share/*ubuntu/applications/{,**} r,
|
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
|
||||||
|
|
||||||
/.flatpak-info r,
|
/.flatpak-info r,
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
/etc/udev/hwdb.bin r,
|
/etc/udev/hwdb.bin r,
|
||||||
@ -547,12 +544,12 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
|
owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
|
||||||
owner @{HOME}/.var/app/**/ r,
|
owner @{HOME}/.var/app/**/ r,
|
||||||
owner @{HOME}/.var/app/**.{png,jpg} r,
|
owner @{HOME}/.var/app/**.{png,jpg,svg} r,
|
||||||
owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
|
owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
|
||||||
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
||||||
|
|
||||||
owner @{user_games_dirs}/**/*.{png,jpg} r,
|
owner @{user_games_dirs}/**.{png,jpg,svg} r,
|
||||||
owner @{user_music_dirs}/**/*.{png,jpg} r,
|
owner @{user_music_dirs}/**.{png,jpg,svg} r,
|
||||||
|
|
||||||
owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw,
|
owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw,
|
||||||
owner @{user_config_dirs}/ibus/ w,
|
owner @{user_config_dirs}/ibus/ w,
|
||||||
@ -627,9 +624,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{sys}/devices/**/power_supply/{,**} r,
|
@{sys}/devices/**/power_supply/{,**} r,
|
||||||
@{sys}/devices/pci[0-9]*/**/boot_vga r,
|
@{sys}/devices/pci[0-9]*/**/boot_vga r,
|
||||||
@{sys}/devices/pci[0-9]*/**/drm/ r,
|
@{sys}/devices/pci[0-9]*/**/drm/ r,
|
||||||
@{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
|
@{sys}/devices/pci[0-9]*/**/input@{int}/{properties,name} r,
|
||||||
@{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
|
@{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
|
||||||
@{sys}/devices/platform/**/input[0-9]*/{properties,name} r,
|
@{sys}/devices/platform/**/input@{int}/{properties,name} r,
|
||||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
|
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
|
||||||
@{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,
|
@{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,
|
||||||
|
|
||||||
|
@ -185,8 +185,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||||
|
|
||||||
owner /dev/tty@{int} rw,
|
|
||||||
|
|
||||||
@{run}/udev/data/+sound:card@{int} r, # For sound
|
@{run}/udev/data/+sound:card@{int} r, # For sound
|
||||||
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
|
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
|
||||||
@{run}/udev/data/c189:@{int} r, # For /dev/bus/usb/**
|
@{run}/udev/data/c189:@{int} r, # For /dev/bus/usb/**
|
||||||
@ -199,5 +197,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{PROC}/1/cgroup r,
|
@{PROC}/1/cgroup r,
|
||||||
owner @{PROC}/@{pid}/cgroup r,
|
owner @{PROC}/@{pid}/cgroup r,
|
||||||
|
|
||||||
|
owner /dev/tty@{int} rw,
|
||||||
|
|
||||||
include if exists <local/gsd-media-keys>
|
include if exists <local/gsd-media-keys>
|
||||||
}
|
}
|
||||||
|
@ -187,7 +187,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
@{run}/udev/data/+backlight:* r,
|
@{run}/udev/data/+backlight:* r,
|
||||||
@{run}/udev/data/+drm:card* r,
|
@{run}/udev/data/+drm:card* r,
|
||||||
@{run}/udev/data/+leds:*backlight* r,
|
@{run}/udev/data/+leds:* r,
|
||||||
|
|
||||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||||
|
|
||||||
|
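Review bot: Relaxing `@{run}/udev/data/+leds:*backlight* r,` to `@{run}/udev/data/+leds:* r,` widens the udev database reads to every LED device, and the old pattern already matched the keyboard backlight entries, so some other LED must have been needed. A comment naming it, e.g. `@{run}/udev/data/+leds:* r, # also <led name> -- confirm`, would justify keeping the broader pattern; otherwise the narrower one remains preferable.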
@ -121,12 +121,12 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
@{run}/blkid/blkid.tab r,
|
@{run}/blkid/blkid.tab r,
|
||||||
|
|
||||||
@{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254
|
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
|
||||||
@{run}/udev/data/c24[0-9]:[0-9]* r,
|
@{run}/udev/data/c24[0-9]:@{int} r,
|
||||||
@{run}/udev/data/c25[0-4]:[0-9]* r,
|
@{run}/udev/data/c25[0-4]:@{int} r,
|
||||||
@{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511
|
@{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
|
||||||
@{run}/udev/data/c4[0-9]*:[0-9]* r,
|
@{run}/udev/data/c4[0-9]*:@{int} r,
|
||||||
@{run}/udev/data/c5[0-9]*:[0-9]* r,
|
@{run}/udev/data/c5[0-9]*:@{int} r,
|
||||||
|
|
||||||
@{run}/mount/utab r,
|
@{run}/mount/utab r,
|
||||||
|
|
||||||
|
@ -39,7 +39,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{bin}/nmcli rix,
|
@{bin}/nmcli rix,
|
||||||
@{bin}/readlink rix,
|
@{bin}/readlink rix,
|
||||||
@{bin}/rm rix,
|
@{bin}/rm rix,
|
||||||
@{bin}/run-parts rPx,
|
@{bin}/run-parts rCx -> run-parts,
|
||||||
@{bin}/sed rix,
|
@{bin}/sed rix,
|
||||||
@{bin}/systemctl rPx -> child-systemctl,
|
@{bin}/systemctl rPx -> child-systemctl,
|
||||||
@{bin}/systemd-cat rPx,
|
@{bin}/systemd-cat rPx,
|
||||||
@ -66,5 +66,13 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
|
|
||||||
|
profile run-parts {
|
||||||
|
include <abstractions/base>
|
||||||
|
|
||||||
|
/{usr/,}bin/run-parts mr,
|
||||||
|
|
||||||
|
include if exists <local/anacron_run_parts>
|
||||||
|
}
|
||||||
|
|
||||||
include if exists <local/nm-dispatcher>
|
include if exists <local/nm-dispatcher>
|
||||||
}
|
}
|
||||||
|
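Review bot: The new `run-parts` child profile ends with `include if exists <local/anacron_run_parts>`, which looks copied from the anacron profile; the convention elsewhere in this commit is `<local/<parent>_<child>>` (see `<local/pacman_gpg>`), so this should presumably be `include if exists <local/nm-dispatcher_run-parts>`. The child also only grants `/{usr/,}bin/run-parts mr,` and no execute rule for the scripts run-parts is invoked to run, so unless those are meant to be blocked (that cannot be told from here) an exec rule such as `/etc/network/if-*.d/* rix,` or similar is missing. The path should also use the `@{bin}/run-parts` form used by the sibling rules in the parent profile.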
@ -54,6 +54,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{bin}/systemctl rCx -> systemctl,
|
@{bin}/systemctl rCx -> systemctl,
|
||||||
|
|
||||||
/etc/iproute2/rt_tables r,
|
/etc/iproute2/rt_tables r,
|
||||||
|
/etc/apt/sources.list.d/tailscale.list r,
|
||||||
|
|
||||||
@{etc_rw}/resolv.*.conf rw,
|
@{etc_rw}/resolv.*.conf rw,
|
||||||
@{etc_rw}/resolv.conf rw,
|
@{etc_rw}/resolv.conf rw,
|
||||||
|
@ -49,8 +49,6 @@ profile pacman @{exec_path} {
|
|||||||
@{bin}/gpgconf rCx -> gpg,
|
@{bin}/gpgconf rCx -> gpg,
|
||||||
@{bin}/gpgsm rCx -> gpg,
|
@{bin}/gpgsm rCx -> gpg,
|
||||||
|
|
||||||
@{bin}/sync mrix,
|
|
||||||
|
|
||||||
# Pacman hooks & install scripts
|
# Pacman hooks & install scripts
|
||||||
@{bin}/{,ba}sh rix,
|
@{bin}/{,ba}sh rix,
|
||||||
@{bin}/appstreamcli rPx,
|
@{bin}/appstreamcli rPx,
|
||||||
@ -101,16 +99,17 @@ profile pacman @{exec_path} {
|
|||||||
@{bin}/sbctl rPx,
|
@{bin}/sbctl rPx,
|
||||||
@{bin}/sed rix,
|
@{bin}/sed rix,
|
||||||
@{bin}/setcap rix,
|
@{bin}/setcap rix,
|
||||||
|
@{bin}/sync rix,
|
||||||
@{bin}/sysctl rPx,
|
@{bin}/sysctl rPx,
|
||||||
@{bin}/systemctl rPx -> child-systemctl,
|
@{bin}/systemctl rPx -> child-systemctl,
|
||||||
@{bin}/systemd-* rPx,
|
@{bin}/systemd-* rPx,
|
||||||
@{bin}/touch rix,
|
@{bin}/touch rix,
|
||||||
@{bin}/tput rix,
|
@{bin}/tput rix,
|
||||||
@{bin}/update-ca-trust rPx,
|
|
||||||
@{bin}/uname rPx,
|
@{bin}/uname rPx,
|
||||||
|
@{bin}/update-ca-trust rPx,
|
||||||
@{bin}/update-desktop-database rPx,
|
@{bin}/update-desktop-database rPx,
|
||||||
@{bin}/update-mime-database rPx,
|
|
||||||
@{bin}/update-grub rPx,
|
@{bin}/update-grub rPx,
|
||||||
|
@{bin}/update-mime-database rPx,
|
||||||
@{bin}/vercmp rix,
|
@{bin}/vercmp rix,
|
||||||
@{bin}/xmlcatalog rix,
|
@{bin}/xmlcatalog rix,
|
||||||
@{lib}/ghc-*/bin/ghc-pkg rix,
|
@{lib}/ghc-*/bin/ghc-pkg rix,
|
||||||
@ -189,6 +188,8 @@ profile pacman @{exec_path} {
|
|||||||
|
|
||||||
deny network inet stream,
|
deny network inet stream,
|
||||||
deny network inet6 stream,
|
deny network inet6 stream,
|
||||||
|
|
||||||
|
include if exists <local/pacman_gpg>
|
||||||
}
|
}
|
||||||
|
|
||||||
include if exists <usr/pacman.d>
|
include if exists <usr/pacman.d>
|
||||||
|
@ -9,6 +9,8 @@ include <tunables/global>
|
|||||||
@{exec_path} = @{bin}/systemd-cgtop
|
@{exec_path} = @{bin}/systemd-cgtop
|
||||||
profile systemd-cgtop @{exec_path} {
|
profile systemd-cgtop @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/consoles>
|
||||||
|
include <abstractions/systemd-common>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
@ -49,6 +49,7 @@ profile systemd-journald @{exec_path} {
|
|||||||
@{run}/udev/data/+usb-serial:* r,
|
@{run}/udev/data/+usb-serial:* r,
|
||||||
@{run}/udev/data/+usb:* r,
|
@{run}/udev/data/+usb:* r,
|
||||||
@{run}/udev/data/+virtio:* r,
|
@{run}/udev/data/+virtio:* r,
|
||||||
|
@{run}/udev/data/b254:@{int} r, # for /dev/zram*
|
||||||
@{run}/udev/data/c1:@{int} r, # For RAM disk
|
@{run}/udev/data/c1:@{int} r, # For RAM disk
|
||||||
@{run}/udev/data/c4:@{int} r, # For TTY devices
|
@{run}/udev/data/c4:@{int} r, # For TTY devices
|
||||||
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
|
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
|
||||||
|
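Review bot: The comment on the new `@{run}/udev/data/b254:@{int} r, # for /dev/zram*` pins block major 254 to zram, but that major is in the dynamically assigned range and depends on driver registration order on the host where it was observed. Suggest extending the comment, e.g. `# for /dev/zram* (dynamic block major; may differ per host)`, so a mismatch elsewhere is not read as a bug.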
@ -84,21 +84,22 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
|
|||||||
|
|
||||||
@{run}/udev/data/+backlight:* r,
|
@{run}/udev/data/+backlight:* r,
|
||||||
@{run}/udev/data/+drm:card[0-9]-* r, # For screen outputs
|
@{run}/udev/data/+drm:card[0-9]-* r, # For screen outputs
|
||||||
@{run}/udev/data/+input* r, # For mouse, keyboard, touchpad
|
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
|
||||||
@{run}/udev/data/+pci* r,
|
@{run}/udev/data/+pci:* r,
|
||||||
@{run}/udev/data/c10:[0-9]* r, # For non-serial mice, misc features
|
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
|
||||||
@{run}/udev/data/c13:[0-9]* r, # For /dev/input/*
|
@{run}/udev/data/c13:@{int} r, # For /dev/input/*
|
||||||
@{run}/udev/data/c14:[0-9]* r, # Open Sound System (OSS)
|
@{run}/udev/data/c14:@{int} r, # Open Sound System (OSS)
|
||||||
@{run}/udev/data/c21:[0-9]* r, # Generic SCSI access
|
@{run}/udev/data/c21:@{int} r, # Generic SCSI access
|
||||||
@{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]*
|
@{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]*
|
||||||
@{run}/udev/data/c116:[0-9]* r, # For ALSA
|
@{run}/udev/data/c81:@{int} r, # For video4linux
|
||||||
@{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card*
|
@{run}/udev/data/c116:@{int} r, # For ALSA
|
||||||
@{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254
|
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card*
|
||||||
@{run}/udev/data/c24[0-9]:[0-9]* r,
|
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
|
||||||
@{run}/udev/data/c25[0-4]:[0-9]* r,
|
@{run}/udev/data/c24[0-9]:@{int} r,
|
||||||
@{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511
|
@{run}/udev/data/c25[0-4]:@{int} r,
|
||||||
@{run}/udev/data/c4[0-9]*:[0-9]* r,
|
@{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
|
||||||
@{run}/udev/data/c5[0-9]*:[0-9]* r,
|
@{run}/udev/data/c4[0-9]*:@{int} r,
|
||||||
|
@{run}/udev/data/c5[0-9]*:@{int} r,
|
||||||
|
|
||||||
@{run}/systemd/inhibit/ rw,
|
@{run}/systemd/inhibit/ rw,
|
||||||
@{run}/systemd/inhibit/.#* rw,
|
@{run}/systemd/inhibit/.#* rw,
|
||||||
|
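Review bot: `@{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]*` is the one udev rule in this block left on the `[0-9]*` form while every other `cN:` entry is converted to `@{int}`; for consistency it should become `@{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*`. The `+input*` to `+input:input@{int}` and `+pci*` to `+pci:*` changes are tightenings and look right.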
@ -9,6 +9,7 @@ include <tunables/global>
|
|||||||
@{exec_path} = @{lib}/systemd/systemd-portabled
|
@{exec_path} = @{lib}/systemd/systemd-portabled
|
||||||
profile systemd-portabled @{exec_path} {
|
profile systemd-portabled @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/systemd-common>
|
||||||
|
|
||||||
capability sys_ptrace,
|
capability sys_ptrace,
|
||||||
|
|
||||||
|
@ -49,6 +49,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{sys}/kernel/security/ r,
|
@{sys}/kernel/security/ r,
|
||||||
@{sys}/kernel/security/{,**} rw,
|
@{sys}/kernel/security/{,**} rw,
|
||||||
|
|
||||||
|
@{sys}/class/net/ r,
|
||||||
@{sys}/devices/system/cpu/microcode/reload w,
|
@{sys}/devices/system/cpu/microcode/reload w,
|
||||||
|
|
||||||
@{PROC}/@{pid}/net/unix r,
|
@{PROC}/@{pid}/net/unix r,
|
||||||
|
@ -23,6 +23,8 @@ profile apt-esm-json-hook @{exec_path} {
|
|||||||
|
|
||||||
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||||
|
|
||||||
|
@{run}/cloud-init/cloud-id-nocloud r,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
|
||||||
include if exists <local/apt-esm-json-hook>
|
include if exists <local/apt-esm-json-hook>
|
||||||
|
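Review bot: The added `@{run}/cloud-init/cloud-id-nocloud r,` names the NoCloud datasource specifically; cloud-init names this file after the detected datasource, so on other platforms the hook would hit a different `cloud-id-*` name (inferred, not visible here). If the hook reads it regardless of platform, `@{run}/cloud-init/cloud-id{,-*} r,` covers all variants; otherwise a comment noting the NoCloud-only assumption would help.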
@ -32,7 +32,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
|
|||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
mount fstype=overlayfs overlay -> /var/lib/docker/overlay2/*/merged/,
|
mount fstype=overlayfs -> /var/lib/docker/overlay2/*/merged/,
|
||||||
mount options=(rw, bind) -> /run/docker/netns/*,
|
mount options=(rw, bind) -> /run/docker/netns/*,
|
||||||
mount options=(rw, rbind) -> /var/lib/docker/overlay*/**/,
|
mount options=(rw, rbind) -> /var/lib/docker/overlay*/**/,
|
||||||
mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder[0-9]*/,
|
mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder[0-9]*/,
|
||||||
|
@ -23,18 +23,18 @@ profile auditd @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
/etc/audit/{,**} r,
|
/etc/audit/{,**} r,
|
||||||
|
|
||||||
/var/log/audit/{,**} rw,
|
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
|
||||||
|
/var/log/audit/{,**} rw,
|
||||||
|
|
||||||
|
@{run}/systemd/journal/dev-log w,
|
||||||
owner @{run}/auditd.pid rwl,
|
owner @{run}/auditd.pid rwl,
|
||||||
owner @{run}/auditd.state rw,
|
owner @{run}/auditd.state rw,
|
||||||
@{run}/systemd/journal/dev-log w,
|
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/attr/current r,
|
owner @{PROC}/@{pid}/attr/current r,
|
||||||
owner @{PROC}/@{pid}/loginuid r,
|
owner @{PROC}/@{pid}/loginuid r,
|
||||||
owner @{PROC}/@{pid}/sessionid r,
|
|
||||||
owner @{PROC}/@{pid}/oom_score_adj rw,
|
owner @{PROC}/@{pid}/oom_score_adj rw,
|
||||||
|
owner @{PROC}/@{pid}/sessionid r,
|
||||||
|
|
||||||
include if exists <local/auditd>
|
include if exists <local/auditd>
|
||||||
}
|
}
|
||||||
|
@ -25,7 +25,7 @@ profile augenrules @{exec_path} {
|
|||||||
@{bin}/rm rix,
|
@{bin}/rm rix,
|
||||||
|
|
||||||
/etc/audit/audit.rules rw,
|
/etc/audit/audit.rules rw,
|
||||||
/etc/audit/rules.d/ r,
|
/etc/audit/rules.d/{,*} r,
|
||||||
|
|
||||||
owner /tmp/aurules.* rw,
|
owner /tmp/aurules.* rw,
|
||||||
|
|
||||||
|
@ -15,18 +15,6 @@ profile fusermount @{exec_path} {
|
|||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
capability sys_admin,
|
capability sys_admin,
|
||||||
|
|
||||||
@{exec_path} mr,
|
|
||||||
|
|
||||||
/etc/fuse.conf r,
|
|
||||||
/etc/machine-id r,
|
|
||||||
|
|
||||||
# Where to mount ISO files
|
|
||||||
owner @{HOME}/*/ rw,
|
|
||||||
owner @{HOME}/*/*/ rw,
|
|
||||||
owner @{user_cache_dirs}/**/ rw,
|
|
||||||
@{run}/user/@{uid}/doc/ r,
|
|
||||||
/var/tmp/flatpak-cache-*/*/ r,
|
|
||||||
|
|
||||||
# Be able to mount ISO images
|
# Be able to mount ISO images
|
||||||
mount fstype={fuse,fuse.*} -> @{HOME}/*/,
|
mount fstype={fuse,fuse.*} -> @{HOME}/*/,
|
||||||
mount fstype={fuse,fuse.*} -> @{HOME}/*/*/,
|
mount fstype={fuse,fuse.*} -> @{HOME}/*/*/,
|
||||||
@ -45,6 +33,21 @@ profile fusermount @{exec_path} {
|
|||||||
umount @{run}/user/@{uid}/*/,
|
umount @{run}/user/@{uid}/*/,
|
||||||
umount /var/tmp/flatpak-cache-*/*/,
|
umount /var/tmp/flatpak-cache-*/*/,
|
||||||
|
|
||||||
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
/etc/fuse.conf r,
|
||||||
|
/etc/machine-id r,
|
||||||
|
|
||||||
|
/var/tmp/flatpak-cache-*/*/ r,
|
||||||
|
|
||||||
|
# Where to mount ISO files
|
||||||
|
owner @{HOME}/*/ rw,
|
||||||
|
owner @{HOME}/*/*/ rw,
|
||||||
|
|
||||||
|
owner @{user_cache_dirs}/**/ rw,
|
||||||
|
|
||||||
|
@{run}/user/@{uid}/doc/ r,
|
||||||
|
|
||||||
@{PROC}/@{pid}/mounts r,
|
@{PROC}/@{pid}/mounts r,
|
||||||
|
|
||||||
/dev/fuse rw,
|
/dev/fuse rw,
|
||||||
|
@ -33,10 +33,13 @@ profile git @{exec_path} {
|
|||||||
# the most similar commands, which it thinks can be used instead. Git binaries are all under
|
# the most similar commands, which it thinks can be used instead. Git binaries are all under
|
||||||
# /usr/bin/ , so allow only this location.
|
# /usr/bin/ , so allow only this location.
|
||||||
@{bin}/ r,
|
@{bin}/ r,
|
||||||
deny /{usr/,}sbin/ r,
|
deny @{bin}/*/ r,
|
||||||
deny /usr/local/{s,}bin/ r,
|
|
||||||
deny /usr/games/ r,
|
deny /usr/games/ r,
|
||||||
|
deny /usr/local/{s,}bin/ r,
|
||||||
deny /usr/local/games/ r,
|
deny /usr/local/games/ r,
|
||||||
|
deny /var/lib/flatpak/exports/bin/ r,
|
||||||
|
deny owner @{HOME}/.go/bin/ r,
|
||||||
|
deny owner @{user_bin_dirs}/ r,
|
||||||
|
|
||||||
# These are needed for "git submodule update"
|
# These are needed for "git submodule update"
|
||||||
@{bin}/{,ba,da}sh rix,
|
@{bin}/{,ba,da}sh rix,
|
||||||
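Review bot: Replacing `deny /{usr/,}sbin/ r,` with `deny @{bin}/*/ r,` changes what is denied: the new rule covers sub-directories of the bin directory, not the sbin directories themselves, so the sbin listing is now only implicitly denied (and therefore logged) unless `@{bin}` expands to include sbin, which cannot be confirmed from this hunk. If the intent is to silence the PATH-walk noise described in the comment above, keeping an explicit `deny /{usr/,}sbin/ r,` alongside the new rule is the safer reading. The `.git_vtag_tmp@{rand6}` tightenings in the later git hunks look good.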
@ -97,7 +100,7 @@ profile git @{exec_path} {
|
|||||||
owner /tmp/* rw,
|
owner /tmp/* rw,
|
||||||
owner /tmp/tmp*/ rw, # For TWRP-device-tree-generator
|
owner /tmp/tmp*/ rw, # For TWRP-device-tree-generator
|
||||||
owner /tmp/tmp*/** rwkl -> /tmp/tmp*/**,
|
owner /tmp/tmp*/** rwkl -> /tmp/tmp*/**,
|
||||||
owner /tmp/.git_vtag_tmp* rw, # For git log --show-signature
|
owner /tmp/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
|
||||||
owner /tmp/git-commit-msg-.txt rw, # For android studio
|
owner /tmp/git-commit-msg-.txt rw, # For android studio
|
||||||
|
|
||||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||||
@ -112,7 +115,7 @@ profile git @{exec_path} {
|
|||||||
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
|
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
|
||||||
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
|
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
|
||||||
|
|
||||||
owner /tmp/.git_vtag_tmp* r,
|
owner /tmp/.git_vtag_tmp@{rand6} r,
|
||||||
|
|
||||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||||
|
|
||||||
|
@ -35,6 +35,8 @@ profile hugo @{exec_path} {
|
|||||||
owner @{user_projects_dirs}/**/.hugo_build.lock rwk,
|
owner @{user_projects_dirs}/**/.hugo_build.lock rwk,
|
||||||
owner @{user_projects_dirs}/**/go.{mod,sum} rwk,
|
owner @{user_projects_dirs}/**/go.{mod,sum} rwk,
|
||||||
|
|
||||||
|
owner @{user_cache_dirs}/hugo_cache/{,**} rwkl,
|
||||||
|
|
||||||
owner /tmp/hugo_cache/{,**} rwkl,
|
owner /tmp/hugo_cache/{,**} rwkl,
|
||||||
owner /tmp/go-codehost-[0-9]* rw,
|
owner /tmp/go-codehost-[0-9]* rw,
|
||||||
|
|
||||||
|
@ -20,6 +20,7 @@ profile im-launch @{exec_path} {
|
|||||||
@{bin}/true rix,
|
@{bin}/true rix,
|
||||||
@{bin}/sed rix,
|
@{bin}/sed rix,
|
||||||
@{bin}/dpkg-query rpx,
|
@{bin}/dpkg-query rpx,
|
||||||
|
@{bin}/uim-toolbar-gtk3 rPUx,
|
||||||
|
|
||||||
/usr/share/im-config/{,**} r,
|
/usr/share/im-config/{,**} r,
|
||||||
|
|
||||||
|
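Review bot: The added `@{bin}/uim-toolbar-gtk3 rPUx,` falls back to running the toolbar unconfined when no `uim-toolbar-gtk3` profile exists, which differs from the `rPx` used for the sibling transitions in this block. If no profile for it is planned, a comment such as `# No uim-toolbar-gtk3 profile yet; runs unconfined` makes the fallback explicit; otherwise `rPx` keeps the confinement boundary intact.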
@ -58,6 +58,12 @@ profile keepassxc @{exec_path} {
|
|||||||
owner @{HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rw,
|
owner @{HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rw,
|
||||||
owner @{HOME}/@{XDG_SSH_DIR}/ r,
|
owner @{HOME}/@{XDG_SSH_DIR}/ r,
|
||||||
owner @{HOME}/@{XDG_SSH_DIR}/* r,
|
owner @{HOME}/@{XDG_SSH_DIR}/* r,
|
||||||
|
|
||||||
|
owner @{user_password_store_dirs}/ r,
|
||||||
|
owner @{user_password_store_dirs}/*.csv rw,
|
||||||
|
owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#@{int},
|
||||||
|
owner @{user_password_store_dirs}/#@{int} rw,
|
||||||
|
|
||||||
owner @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
|
owner @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
|
||||||
owner @{user_config_dirs}/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
|
owner @{user_config_dirs}/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
|
||||||
owner @{user_config_dirs}/google-chrome{,-beta,-unstable}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
|
owner @{user_config_dirs}/google-chrome{,-beta,-unstable}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
|
||||||
@ -68,10 +74,6 @@ profile keepassxc @{exec_path} {
|
|||||||
owner @{user_cache_dirs}/keepassxc/* rwkl -> @{user_cache_dirs}/keepassxc/#@{int},
|
owner @{user_cache_dirs}/keepassxc/* rwkl -> @{user_cache_dirs}/keepassxc/#@{int},
|
||||||
owner @{user_config_dirs}/keepassxc/ rw,
|
owner @{user_config_dirs}/keepassxc/ rw,
|
||||||
owner @{user_config_dirs}/keepassxc/* rwkl -> @{user_config_dirs}/keepassxc/#@{int},
|
owner @{user_config_dirs}/keepassxc/* rwkl -> @{user_config_dirs}/keepassxc/#@{int},
|
||||||
owner @{user_password_store_dirs}/ r,
|
|
||||||
owner @{user_password_store_dirs}/*.csv rw,
|
|
||||||
owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#@{int},
|
|
||||||
owner @{user_password_store_dirs}/#@{int} rw,
|
|
||||||
|
|
||||||
owner /tmp/.[a-zA-Z]*/{,s} rw,
|
owner /tmp/.[a-zA-Z]*/{,s} rw,
|
||||||
owner /tmp/*.*.gpgkey rwl -> /tmp/#@{int},
|
owner /tmp/*.*.gpgkey rwl -> /tmp/#@{int},
|
||||||
|
@ -21,6 +21,8 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
|
|||||||
capability sys_module,
|
capability sys_module,
|
||||||
capability syslog,
|
capability syslog,
|
||||||
|
|
||||||
|
network inet raw,
|
||||||
|
|
||||||
unix (receive) type=stream,
|
unix (receive) type=stream,
|
||||||
|
|
||||||
@{exec_path} mrix,
|
@{exec_path} mrix,
|
||||||
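Review bot: The added `network inet raw,` carries no comment saying which kmod invocation opens a raw socket, and nothing else in the hunk explains the grant, which is an unusual one for a module loader. If the rule was taken from an audit log for a specific caller, naming it, e.g. `network inet raw, # TODO: document which modprobe path needs this`, lets a later reviewer confirm it is still needed or narrow the grant. The kmod profile body continues outside the hunk.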
@ -43,7 +45,10 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
|
|||||||
/var/lib/dkms/**/module/*.ko r,
|
/var/lib/dkms/**/module/*.ko r,
|
||||||
/var/lib/dpkg/triggers/* r,
|
/var/lib/dpkg/triggers/* r,
|
||||||
/var/lib/ebtables/lock r,
|
/var/lib/ebtables/lock r,
|
||||||
/var/tmp/dracut.*/{,**} rw,
|
|
||||||
|
owner /var/tmp/*modules*/{,**} rw,
|
||||||
|
owner /var/tmp/dracut.*/{,**} rw,
|
||||||
|
|
||||||
owner /boot/System.map-* r,
|
owner /boot/System.map-* r,
|
||||||
owner /tmp/mkinitcpio.*/{,**} rw,
|
owner /tmp/mkinitcpio.*/{,**} rw,
|
||||||
|
|
||||||
|
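Review bot: `owner /var/tmp/*modules*/{,**} rw,` matches any directory under /var/tmp whose name merely contains `modules`, and when kmod runs as root the `owner` qualifier adds little restriction to that write grant. The neighbouring `owner /var/tmp/dracut.*/{,**} rw,` is anchored to its creator's prefix; if the `*modules*` directories come from one known tool, anchoring the glob the same way keeps the grant off unrelated scratch directories, and a trailing comment naming the creator would at least document why the pattern is this wide. The profile body continues outside the hunk.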
@ -10,16 +10,20 @@ include <tunables/global>
|
|||||||
profile locale-gen @{exec_path} {
|
profile locale-gen @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/perl>
|
||||||
|
|
||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{bin}/{,ba}sh rix,
|
@{bin}/{,ba}sh rix,
|
||||||
|
@{bin}/cat rix,
|
||||||
@{bin}/gzip rix,
|
@{bin}/gzip rix,
|
||||||
@{bin}/localedef rix,
|
@{bin}/localedef rix,
|
||||||
@{bin}/rm rix,
|
@{bin}/rm rix,
|
||||||
@{bin}/sed rix,
|
@{bin}/sed rix,
|
||||||
|
@{bin}/sort rix,
|
||||||
|
|
||||||
@{lib}/locale/locale-archive rwl,
|
@{lib}/locale/locale-archive rwl,
|
||||||
@{lib}/locale/locale-archive* rw,
|
@{lib}/locale/locale-archive* rw,
|
||||||
|
@ -105,8 +105,9 @@ profile mkinitramfs @{exec_path} {
|
|||||||
@{lib}/initramfs-tools/bin/* mr,
|
@{lib}/initramfs-tools/bin/* mr,
|
||||||
|
|
||||||
@{lib}/@{multiarch}/ld-*.so* rix,
|
@{lib}/@{multiarch}/ld-*.so* rix,
|
||||||
@{lib}{,x}32/ld-*.so{,.2} rix,
|
@{lib}/ld-*.so{,.2} rix,
|
||||||
|
|
||||||
|
include if exists <local/mkinitramfs_ldd>
|
||||||
}
|
}
|
||||||
|
|
||||||
profile ldconfig {
|
profile ldconfig {
|
||||||
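Review bot: Replacing `@{lib}{,x}32/ld-*.so{,.2} rix,` with `@{lib}/ld-*.so{,.2} rix,` drops the lib32/libx32 dynamic-loader paths unless `@{lib}` itself expands to those directories, so on a host with 32-bit or x32 multiarch libraries the ldd child may now be denied executing that loader. If `@{lib}` does cover them the change is fine; otherwise keep both forms, or add a comment stating that 32-bit loaders are intentionally no longer mediated here. The ldd subprofile starts outside the hunk.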
@ -133,6 +134,7 @@ profile mkinitramfs @{exec_path} {
|
|||||||
owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/ rw,
|
owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/ rw,
|
||||||
owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/aux-cache{,~} rw,
|
owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/aux-cache{,~} rw,
|
||||||
|
|
||||||
|
include if exists <local/mkinitramfs_ldconfig>
|
||||||
}
|
}
|
||||||
|
|
||||||
profile find {
|
profile find {
|
||||||
@ -151,6 +153,7 @@ profile mkinitramfs @{exec_path} {
|
|||||||
|
|
||||||
owner /var/tmp/mkinitramfs_*/{,**/} r,
|
owner /var/tmp/mkinitramfs_*/{,**/} r,
|
||||||
|
|
||||||
|
include if exists <local/mkinitramfs_find>
|
||||||
}
|
}
|
||||||
|
|
||||||
profile kmod {
|
profile kmod {
|
||||||
@ -169,9 +172,11 @@ profile mkinitramfs @{exec_path} {
|
|||||||
|
|
||||||
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/ r,
|
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/ r,
|
||||||
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.* rw,
|
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.* rw,
|
||||||
|
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/updates/{,**} r,
|
||||||
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/{,**/} r,
|
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/{,**/} r,
|
||||||
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/**/*.ko r,
|
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/**/*.ko r,
|
||||||
|
|
||||||
|
include if exists <local/mkinitramfs_kmod>
|
||||||
}
|
}
|
||||||
|
|
||||||
include if exists <local/mkinitramfs>
|
include if exists <local/mkinitramfs>
|
||||||
|
@ -50,7 +50,7 @@ profile pass @{exec_path} {
|
|||||||
|
|
||||||
# Pass extensions
|
# Pass extensions
|
||||||
@{bin}/oathtool rix, # pass-otp
|
@{bin}/oathtool rix, # pass-otp
|
||||||
@{bin}/python3.[0-9]* rPx -> pass-import, # pass-import
|
@{bin}/python3.@{int} rPx -> pass-import, # pass-import
|
||||||
@{bin}/qrencode rPUx, # pass-otp
|
@{bin}/qrencode rPUx, # pass-otp
|
||||||
@{bin}/tomb rPUx, # pass-tomb
|
@{bin}/tomb rPUx, # pass-tomb
|
||||||
|
|
||||||
@ -59,8 +59,8 @@ profile pass @{exec_path} {
|
|||||||
owner @{user_password_store_dirs}/{,**} rw,
|
owner @{user_password_store_dirs}/{,**} rw,
|
||||||
owner /dev/shm/pass.*/{,*} rw,
|
owner /dev/shm/pass.*/{,*} rw,
|
||||||
|
|
||||||
@{PROC}/@{pids}/cmdline r,
|
|
||||||
@{PROC}/ r,
|
@{PROC}/ r,
|
||||||
|
@{PROC}/@{pids}/cmdline r,
|
||||||
@{PROC}/sys/kernel/osrelease r,
|
@{PROC}/sys/kernel/osrelease r,
|
||||||
@{PROC}/uptime r,
|
@{PROC}/uptime r,
|
||||||
|
|
||||||
@ -122,7 +122,7 @@ profile pass @{exec_path} {
|
|||||||
owner @{user_password_store_dirs}/ rw,
|
owner @{user_password_store_dirs}/ rw,
|
||||||
owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
|
owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
|
||||||
|
|
||||||
owner /tmp/.git_vtag_tmp* rw, # For git log --show-signature
|
owner /tmp/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
|
||||||
|
|
||||||
include if exists <local/pass_git>
|
include if exists <local/pass_git>
|
||||||
}
|
}
|
||||||
@ -141,6 +141,9 @@ profile pass @{exec_path} {
|
|||||||
owner @{user_password_store_dirs}/ rw,
|
owner @{user_password_store_dirs}/ rw,
|
||||||
owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
|
owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
|
||||||
owner /dev/shm/pass.*/{,*} rw,
|
owner /dev/shm/pass.*/{,*} rw,
|
||||||
|
owner /tmp/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
|
||||||
|
|
||||||
|
owner /dev/pts/@{int} rw,
|
||||||
|
|
||||||
include if exists <local/pass_gpg>
|
include if exists <local/pass_gpg>
|
||||||
}
|
}
|
||||||
|
@ -29,7 +29,7 @@ profile passwd @{exec_path} {
|
|||||||
/etc/nshadow rw,
|
/etc/nshadow rw,
|
||||||
/etc/shadow rw,
|
/etc/shadow rw,
|
||||||
/etc/shadow- rw,
|
/etc/shadow- rw,
|
||||||
/etc/shadow.[0-9]* rw,
|
/etc/shadow.@{int} rw,
|
||||||
/etc/shadow.lock rwl,
|
/etc/shadow.lock rwl,
|
||||||
/etc/shadow+ rw,
|
/etc/shadow+ rw,
|
||||||
|
|
||||||
|
@ -19,10 +19,10 @@ profile pwck @{exec_path} {
|
|||||||
/etc/login.defs r,
|
/etc/login.defs r,
|
||||||
/etc/.pwd.lock wk,
|
/etc/.pwd.lock wk,
|
||||||
/etc/passwd rw,
|
/etc/passwd rw,
|
||||||
/etc/passwd.[0-9]* rw,
|
/etc/passwd.@{int} rw,
|
||||||
/etc/passwd.lock wl,
|
/etc/passwd.lock wl,
|
||||||
/etc/shadow rw,
|
/etc/shadow rw,
|
||||||
/etc/shadow.[0-9]* rw,
|
/etc/shadow.@{int} rw,
|
||||||
/etc/shadow.lock wl,
|
/etc/shadow.lock wl,
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
@ -51,7 +51,7 @@ profile repo @{exec_path} {
|
|||||||
|
|
||||||
/usr/share/git-core/{,**} r,
|
/usr/share/git-core/{,**} r,
|
||||||
|
|
||||||
owner /tmp/.git_vtag_tmp* rw,
|
owner /tmp/.git_vtag_tmp@{rand6} rw,
|
||||||
owner /tmp/ssh-*/ rw,
|
owner /tmp/ssh-*/ rw,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
@ -82,7 +82,7 @@ profile repo @{exec_path} {
|
|||||||
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
|
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
|
||||||
owner @{HOME}/.repoconfig/gnupg/** rwkl -> @{HOME}/.repoconfig/gnupg/**,
|
owner @{HOME}/.repoconfig/gnupg/** rwkl -> @{HOME}/.repoconfig/gnupg/**,
|
||||||
|
|
||||||
owner /tmp/.git_vtag_tmp* r,
|
owner /tmp/.git_vtag_tmp@{rand6} r,
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -13,13 +13,13 @@ profile ssserver @{exec_path} {
|
|||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
@{exec_path} mr,
|
|
||||||
|
|
||||||
network inet stream,
|
network inet stream,
|
||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
network inet dgram,
|
network inet dgram,
|
||||||
network inet6 dgram,
|
network inet6 dgram,
|
||||||
|
|
||||||
|
@{exec_path} mr,
|
||||||
|
|
||||||
/etc/shadowsocks-rust/server/*/ss.json{,5} r,
|
/etc/shadowsocks-rust/server/*/ss.json{,5} r,
|
||||||
|
|
||||||
owner @{user_config_dirs}/shadowsocks-rust/server/*/ss.json{,5} r,
|
owner @{user_config_dirs}/shadowsocks-rust/server/*/ss.json{,5} r,
|
||||||
|
@ -181,9 +181,9 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
|
|||||||
@{sys}/class/input/ r,
|
@{sys}/class/input/ r,
|
||||||
@{sys}/class/net/ r,
|
@{sys}/class/net/ r,
|
||||||
@{sys}/class/sound/ r,
|
@{sys}/class/sound/ r,
|
||||||
@{sys}/devices/**/input[0-9]*/ r,
|
@{sys}/devices/**/input@{int}/ r,
|
||||||
@{sys}/devices/**/input[0-9]*/capabilities/* r,
|
@{sys}/devices/**/input@{int}/capabilities/* r,
|
||||||
@{sys}/devices/**/input/input[0-9]*/ r,
|
@{sys}/devices/**/input/input@{int}/ r,
|
||||||
@{sys}/devices/**/uevent r,
|
@{sys}/devices/**/uevent r,
|
||||||
@{sys}/devices/pci[0-9]*/**/class r,
|
@{sys}/devices/pci[0-9]*/**/class r,
|
||||||
@{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/report_descriptor r,
|
@{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/report_descriptor r,
|
||||||
|
@ -83,7 +83,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{lib}/pressure-vessel/from-host/bin/pressure-vessel-locale-gen rix,
|
@{lib}/pressure-vessel/from-host/bin/pressure-vessel-locale-gen rix,
|
||||||
@{lib}/pressure-vessel/from-host/bin/pressure-vessel-try-setlocale rix,
|
@{lib}/pressure-vessel/from-host/bin/pressure-vessel-try-setlocale rix,
|
||||||
@{lib}/pressure-vessel/from-host/libexec/steam-runtime-tools-*/*-detect-platform rix,
|
@{lib}/pressure-vessel/from-host/libexec/steam-runtime-tools-*/*-detect-platform rix,
|
||||||
@{lib}exec/steam-runtime-tools*/* mrix,
|
@{lib}/steam-runtime-tools*/* mrix,
|
||||||
|
|
||||||
@{runtime}/pressure-vessel/bin/pressure-vessel-unruntime rix,
|
@{runtime}/pressure-vessel/bin/pressure-vessel-unruntime rix,
|
||||||
@{runtime}/pressure-vessel/bin/pressure-vessel-wrap rix,
|
@{runtime}/pressure-vessel/bin/pressure-vessel-wrap rix,
|
||||||
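Review bot: `@{lib}/steam-runtime-tools*/* mrix,` only reaches the helpers if `@{lib}` expands to `libexec` as well as `lib`; the removed `@{lib}exec/steam-runtime-tools*/*` form and the `libexec/steam-runtime-tools-*/` path in the context line above suggest that is where they live. If `@{lib}` does not include libexec the rewrite silently drops the grant, so a short comment such as `# @{lib} is expected to cover libexec` would make the intent checkable. Note also that `*` combined with `m` lets every file in those directories be mapped executable, so the rule is only as tight as the directory's contents. The steam-game profile body continues outside the hunk.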
@ -189,14 +189,14 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
|
|||||||
owner /tmp/miles_image_* mr,
|
owner /tmp/miles_image_* mr,
|
||||||
owner /tmp/pressure-vessel-*/{,**} rwl,
|
owner /tmp/pressure-vessel-*/{,**} rwl,
|
||||||
|
|
||||||
@{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
|
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
|
||||||
@{run}/udev/data/+sound* r,
|
@{run}/udev/data/+sound* r,
|
||||||
|
|
||||||
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
|
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
|
||||||
@{run}/udev/data/c116:[0-9]* r, # for ALSA
|
@{run}/udev/data/c116:@{int} r, # for ALSA
|
||||||
@{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254
|
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
|
||||||
@{run}/udev/data/c24[0-9]:[0-9]* r,
|
@{run}/udev/data/c24[0-9]:@{int} r,
|
||||||
@{run}/udev/data/c25[0-4]:[0-9]* r,
|
@{run}/udev/data/c25[0-4]:@{int} r,
|
||||||
|
|
||||||
@{sys}/ r,
|
@{sys}/ r,
|
||||||
@{sys}/bus/ r,
|
@{sys}/bus/ r,
|
||||||
@ -204,10 +204,10 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{sys}/class/hidraw/ r,
|
@{sys}/class/hidraw/ r,
|
||||||
@{sys}/class/input/ r,
|
@{sys}/class/input/ r,
|
||||||
@{sys}/class/sound/ r,
|
@{sys}/class/sound/ r,
|
||||||
@{sys}/devices/**/input[0-9]*/ r,
|
@{sys}/devices/**/input@{int}/ r,
|
||||||
@{sys}/devices/**/input[0-9]*/**/{vendor,product} r,
|
@{sys}/devices/**/input@{int}/**/{vendor,product} r,
|
||||||
@{sys}/devices/**/input[0-9]*/capabilities/* r,
|
@{sys}/devices/**/input@{int}/capabilities/* r,
|
||||||
@{sys}/devices/**/input/input[0-9]*/ r,
|
@{sys}/devices/**/input/input@{int}/ r,
|
||||||
@{sys}/devices/**/uevent r,
|
@{sys}/devices/**/uevent r,
|
||||||
@{sys}/devices/pci[0-9]*/**/sound/card[0-9]*/** r,
|
@{sys}/devices/pci[0-9]*/**/sound/card[0-9]*/** r,
|
||||||
@{sys}/devices/pci[0-9]*/**/usb[0-9]*/{manufacturer,product,bcdDevice,bInterfaceNumber} r,
|
@{sys}/devices/pci[0-9]*/**/usb[0-9]*/{manufacturer,product,bcdDevice,bInterfaceNumber} r,
|
||||||
|
@ -25,19 +25,18 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
|
|||||||
member={RequestName,ReleaseName}
|
member={RequestName,ReleaseName}
|
||||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||||
|
|
||||||
dbus (bind) bus=system
|
dbus (bind) bus=system name=org.freedesktop.thermald,
|
||||||
name=org.freedesktop.thermald,
|
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
/etc/thermald/thermal-conf.xml r,
|
||||||
|
/etc/thermald/thermal-cpu-cdev-order.xml r,
|
||||||
|
|
||||||
owner @{run}/thermald/ rw,
|
owner @{run}/thermald/ rw,
|
||||||
owner @{run}/thermald/thd_preference.conf rw,
|
owner @{run}/thermald/thd_preference.conf rw,
|
||||||
owner @{run}/thermald/thd_preference.conf.save w,
|
owner @{run}/thermald/thd_preference.conf.save w,
|
||||||
owner @{run}/thermald/thermald.pid rwk,
|
owner @{run}/thermald/thermald.pid rwk,
|
||||||
|
|
||||||
/etc/thermald/thermal-conf.xml r,
|
|
||||||
/etc/thermald/thermal-cpu-cdev-order.xml r,
|
|
||||||
|
|
||||||
@{sys}/class/hwmon/ r,
|
@{sys}/class/hwmon/ r,
|
||||||
@{sys}/class/thermal/ r,
|
@{sys}/class/thermal/ r,
|
||||||
@{sys}/devices/platform/{,*} r,
|
@{sys}/devices/platform/{,*} r,
|
||||||
@ -51,10 +50,10 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{sys}/devices/system/cpu/intel_pstate/status r,
|
@{sys}/devices/system/cpu/intel_pstate/status r,
|
||||||
|
|
||||||
@{sys}/devices/pci[0-9]*/**/drm/**/intel_backlight/max_brightness r,
|
@{sys}/devices/pci[0-9]*/**/drm/**/intel_backlight/max_brightness r,
|
||||||
@{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_max_uw r,
|
@{sys}/devices/pci[0-9]*/**/power_limits/power_limit_@{int}_max_uw r,
|
||||||
@{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_min_uw r,
|
@{sys}/devices/pci[0-9]*/**/power_limits/power_limit_@{int}_min_uw r,
|
||||||
@{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_tmax_us r,
|
@{sys}/devices/pci[0-9]*/**/power_limits/power_limit_@{int}_tmax_us r,
|
||||||
@{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_tmin_us r,
|
@{sys}/devices/pci[0-9]*/**/power_limits/power_limit_@{int}_tmin_us r,
|
||||||
|
|
||||||
@{sys}/devices/**/hwmon@{int}/name r,
|
@{sys}/devices/**/hwmon@{int}/name r,
|
||||||
@{sys}/devices/**/hwmon@{int}/temp[0-9]*_{max,crit} r,
|
@{sys}/devices/**/hwmon@{int}/temp[0-9]*_{max,crit} r,
|
||||||
@ -65,26 +64,25 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
@{sys}/devices/virtual/thermal/**/{type,temp} r,
|
@{sys}/devices/virtual/thermal/**/{type,temp} r,
|
||||||
|
|
||||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/ r,
|
@{sys}/devices/virtual/thermal/thermal_zone@{int}/ r,
|
||||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/mode rw,
|
@{sys}/devices/virtual/thermal/thermal_zone@{int}/mode rw,
|
||||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/policy rw,
|
@{sys}/devices/virtual/thermal/thermal_zone@{int}/policy rw,
|
||||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_temp rw,
|
@{sys}/devices/virtual/thermal/thermal_zone@{int}/trip_point_[0-9]*_temp rw,
|
||||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_type r,
|
@{sys}/devices/virtual/thermal/thermal_zone@{int}/trip_point_[0-9]*_type r,
|
||||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_hyst r,
|
@{sys}/devices/virtual/thermal/thermal_zone@{int}/trip_point_[0-9]*_hyst r,
|
||||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/cdev[0-9]*_trip_point r,
|
@{sys}/devices/virtual/thermal/thermal_zone@{int}/cdev[0-9]*_trip_point r,
|
||||||
|
|
||||||
@{sys}/devices/virtual/thermal/cooling_device[0-9]*/ r,
|
@{sys}/devices/virtual/thermal/cooling_device[@{int}/ r,
|
||||||
@{sys}/devices/virtual/thermal/cooling_device[0-9]*/cur_state rw,
|
@{sys}/devices/virtual/thermal/cooling_device@{int}/cur_state rw,
|
||||||
@{sys}/devices/virtual/thermal/cooling_device[0-9]*/max_state r,
|
@{sys}/devices/virtual/thermal/cooling_device@{int}/max_state r,
|
||||||
|
|
||||||
@{sys}/devices/virtual/powercap/intel-rapl/ r,
|
@{sys}/devices/virtual/powercap/intel-rapl/ r,
|
||||||
@{sys}/devices/virtual/powercap/intel-rapl/**/name r,
|
@{sys}/devices/virtual/powercap/intel-rapl/**/name r,
|
||||||
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/ r,
|
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/ r,
|
||||||
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/* r,
|
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/* r,
|
||||||
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/constraint_*_time_window_us w,
|
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/constraint_* w,
|
||||||
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/constraint_*_power_limit_uw w,
|
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/enabled w,
|
||||||
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/enabled w,
|
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/intel-rapl:[0-9]*:[0-9]*/{,*} r,
|
||||||
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/intel-rapl:[0-9]*:[0-9]*/{,*} r,
|
|
||||||
|
|
||||||
/dev/acpi_thermal_rel rw,
|
/dev/acpi_thermal_rel rw,
|
||||||
/dev/input/ r,
|
/dev/input/ r,
|
||||||
|
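Review bot: `@{sys}/devices/virtual/thermal/cooling_device[@{int}/ r,` has a stray `[` before `@{int}`; the two sibling cooling_device rules directly below use `cooling_device@{int}/`, so this one either fails to parse or never matches a real cooling_deviceN/ directory, and it should read `@{sys}/devices/virtual/thermal/cooling_device@{int}/ r,`. Separately, collapsing `constraint_*_time_window_us w` and `constraint_*_power_limit_uw w` into `constraint_* w` also grants write on every other constraint_N_* attribute in that directory; if only those two are meant to be writable, keeping the explicit suffixes preserves the narrower grant. The thermald profile body continues outside the hunk.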
@ -208,8 +208,8 @@ profile thunderbird @{exec_path} {
|
|||||||
deny @{thunderbird_config_dirs}/*.*/pepmda/** rwklmx,
|
deny @{thunderbird_config_dirs}/*.*/pepmda/** rwklmx,
|
||||||
deny @{thunderbird_lib_dirs}/** w,
|
deny @{thunderbird_lib_dirs}/** w,
|
||||||
deny /dev/ r,
|
deny /dev/ r,
|
||||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
|
||||||
deny /dev/urandom w,
|
deny /dev/urandom w,
|
||||||
|
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||||
|
|
||||||
include if exists <local/thunderbird>
|
include if exists <local/thunderbird>
|
||||||
}
|
}
|
||||||
|
@ -1,5 +1,6 @@
|
|||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||||
|
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
@ -20,6 +21,9 @@ profile update-alternatives @{exec_path} {
|
|||||||
/var/lib/dpkg/alternatives/ r,
|
/var/lib/dpkg/alternatives/ r,
|
||||||
/var/lib/dpkg/alternatives/* rw,
|
/var/lib/dpkg/alternatives/* rw,
|
||||||
|
|
||||||
|
owner /var/lib/alternatives/ r,
|
||||||
|
owner /var/lib/alternatives/* rw,
|
||||||
|
|
||||||
@{bin}/* w,
|
@{bin}/* w,
|
||||||
@{bin}/*.dpkg-tmp rw,
|
@{bin}/*.dpkg-tmp rw,
|
||||||
|
|
||||||
@ -28,7 +32,7 @@ profile update-alternatives @{exec_path} {
|
|||||||
|
|
||||||
/usr/** rw,
|
/usr/** rw,
|
||||||
|
|
||||||
/lib/firmware/* rw,
|
@{lib}/firmware/* rw,
|
||||||
|
|
||||||
include if exists <local/update-alternatives>
|
include if exists <local/update-alternatives>
|
||||||
}
|
}
|
||||||
|
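Review bot: `@{lib}/firmware/* rw,` sits a few lines below the context rule `/usr/** rw,`, so for any `@{lib}` expansion under /usr it is already covered and its only effect is on a lib path outside /usr. A trailing comment stating that intent, e.g. `@{lib}/firmware/* rw, # non-merged-usr layouts`, would stop the next reader from treating the rule as redundant. The update-alternatives profile body starts outside the hunk.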
@ -60,11 +60,6 @@ profile vidcutter @{exec_path} {
|
|||||||
owner @{user_config_dirs}/vidcutter/* rwkl -> @{user_config_dirs}/vidcutter/#@{int},
|
owner @{user_config_dirs}/vidcutter/* rwkl -> @{user_config_dirs}/vidcutter/#@{int},
|
||||||
|
|
||||||
owner @{user_cache_dirs}/ rw,
|
owner @{user_cache_dirs}/ rw,
|
||||||
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int},
|
|
||||||
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw,
|
|
||||||
owner @{user_cache_dirs}/qtshadercache/ rw,
|
|
||||||
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},
|
|
||||||
owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
|
|
||||||
|
|
||||||
owner @{user_config_dirs}/qt5ct/{,**} r,
|
owner @{user_config_dirs}/qt5ct/{,**} r,
|
||||||
|
|
||||||
|
@ -15,6 +15,9 @@ profile vlc-cache-gen @{exec_path} {
|
|||||||
|
|
||||||
@{lib}/vlc/plugins/{,*} rw,
|
@{lib}/vlc/plugins/{,*} rw,
|
||||||
|
|
||||||
|
@{sys}/devices/system/node/ r,
|
||||||
|
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||||
|
|
||||||
# Inherit silencer
|
# Inherit silencer
|
||||||
deny network inet6 stream,
|
deny network inet6 stream,
|
||||||
deny network inet stream,
|
deny network inet stream,
|
||||||
|
@ -24,12 +24,12 @@ profile wireplumber @{exec_path} {
|
|||||||
/opt/intel/oneapi/{compiler,lib,mkl}/**/ r,
|
/opt/intel/oneapi/{compiler,lib,mkl}/**/ r,
|
||||||
/opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr,
|
/opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr,
|
||||||
|
|
||||||
/etc/machine-id r,
|
|
||||||
|
|
||||||
/usr/share/alsa-card-profile/{,**} r,
|
/usr/share/alsa-card-profile/{,**} r,
|
||||||
/usr/share/spa-*/bluez[0-9]*/{,*} r,
|
/usr/share/spa-*/bluez[0-9]*/{,*} r,
|
||||||
/usr/share/wireplumber/{,**} r,
|
/usr/share/wireplumber/{,**} r,
|
||||||
|
|
||||||
|
/etc/machine-id r,
|
||||||
|
|
||||||
/var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,
|
/var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,
|
||||||
|
|
||||||
owner @{user_state_dirs}/ w,
|
owner @{user_state_dirs}/ w,
|
||||||
|