feat(profile): general update.
This commit is contained in:
parent
437bef18ca
commit
77945674a5
@ -46,6 +46,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
|
||||
@{lib}/systemd/systemd-executor rix,
|
||||
@{sh_path} rix, # Should be handled by default profile?
|
||||
@{bin}/grep rix,
|
||||
@{bin}/sleep rix,
|
||||
|
||||
@{bin}/** Px,
|
||||
@{lib}/** Px,
|
||||
|
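Review bot: `@{bin}/grep rix,` and `@{bin}/sleep rix,` run those tools inside the systemd-user profile itself, so they inherit every rule below them including `@{bin}/** Px` and `@{lib}/** Px`; the header says one line is added here, but with the +/- markers lost I cannot tell which of the two it is. A short comment naming the unit or generator that execs the tool would make the grant reviewable, in the spirit of the existing `# Should be handled by default profile?` note on `@{sh_path}`. The systemd-user profile body continues outside the hunk.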
@ -13,6 +13,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/bus-accessibility>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus/org.gnome.SessionManager>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
# dbus: own bus=accessibility name=org.a11y.atspi.{R,r}egistry
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||
|
@ -13,7 +13,7 @@ include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/dbus-run-session
|
||||
@{exec_path} += @{bin}/dbus-broker @{bin}/dbus-broker-launch
|
||||
@{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1.0/dbus-daemon-launch-helper
|
||||
@{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1{,.0}/dbus-daemon-launch-helper
|
||||
profile dbus-session flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
@ -25,8 +25,8 @@ profile dbus-session flags=(attach_disconnected) {
|
||||
signal (receive) set=(term hup) peer=gdm-session,
|
||||
signal (receive) set=(term hup) peer=gdm,
|
||||
signal (send) set=(term hup kill) peer=dbus-accessibility,
|
||||
signal (send) set=(term hup kill) peer=dconf-service,
|
||||
signal (send) set=(term hup kill) peer=xdg-permission-store,
|
||||
signal (send) set=(hup) peer=dconf-service,
|
||||
|
||||
dbus bus=session,
|
||||
|
||||
|
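Review bot: The two `peer=dconf-service` signal rules differ only in their set (`term hup kill` versus `hup`); the header (8 → 8 lines) means one replaced the other, and I read it as a narrowing to `hup`, which is the right direction, but the markers are lost so that is inferred. If dconf-service only ever needs `hup`, the same question applies to the `dbus-accessibility` and `xdg-permission-store` peers, which keep `term hup kill`. The dbus-session profile continues outside the hunk.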
@ -12,9 +12,10 @@ abi <abi/3.0>,
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/dbus-broker @{bin}/dbus-broker-launch
|
||||
@{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1.0/dbus-daemon-launch-helper
|
||||
@{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1{,.0}/dbus-daemon-launch-helper
|
||||
profile dbus-system flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
@ -22,6 +23,7 @@ profile dbus-system flags=(attach_disconnected) {
|
||||
capability net_admin,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
capability sys_resource,
|
||||
|
||||
network netlink raw,
|
||||
network bluetooth stream,
|
||||
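Review bot: `capability sys_resource,` and `network bluetooth stream,` are both unusual in a system bus daemon profile, and the hunk says neither which of them is new (header: one addition) nor what triggers it. Elsewhere on this page grants carry a reason tag (`# file_inherit` in the blkid hunk, `# only: opensuse` in the packagekitd hunk); the same is warranted here, e.g. `network bluetooth stream, # file_inherit` if it is a descriptor inherited from a launched service rather than a socket dbus-system opens itself. The dbus-system profile continues outside the hunk.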
@ -59,6 +61,7 @@ profile dbus-system flags=(attach_disconnected) {
|
||||
@{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/oom_score_adj rw,
|
||||
|
||||
/dev/dri/card@{int} rw,
|
||||
/dev/input/event@{int} rw,
|
||||
|
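Review bot: `/dev/input/event@{int} rw,` gives the system bus daemon read/write on raw input devices, which is far wider than anything a bus broker does itself; if this is the line added here (header: one addition) it should either carry the reason, `/dev/input/event@{int} rw, # file_inherit` as the blkid hunk does, or be moved to the profile of the service that actually opens the device. The same applies to `/dev/dri/card@{int} rw,` if that is the addition instead. The dbus-system profile continues outside the hunk.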
@ -36,6 +36,7 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
/etc/geoclue/{,**} r,
|
||||
/etc/sysconfig/proxy r,
|
||||
|
||||
/var/lib/nscd/services r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
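Review bot: `/etc/sysconfig/proxy r,` is a SUSE-specific path, and this page already tags distribution-specific rules (`# only: opensuse` in the packagekitd hunk), so the line should read `/etc/sysconfig/proxy r, # only: opensuse`. With the markers lost I cannot tell whether this or `/var/lib/nscd/services r,` is the one addition the header announces. The geoclue profile continues outside the hunk.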
@ -13,6 +13,7 @@ profile plymouthd @{exec_path} {
|
||||
include <abstractions/dri-common>
|
||||
|
||||
capability checkpoint_restore,
|
||||
capability dac_override,
|
||||
capability net_admin,
|
||||
capability sys_admin,
|
||||
capability sys_chroot,
|
||||
|
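Review bot: `capability checkpoint_restore,` is a privileged capability and nothing in the hunk says what plymouthd does with it; the header (one added line) and its position at the top of the sorted capability list suggest it is the addition, though the markers are lost. It deserves a trailing comment naming the operation that needs it, `capability checkpoint_restore, # <reason>`, so the grant can be re-checked when plymouth changes. The plymouthd profile continues outside the hunk.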
@ -19,13 +19,19 @@ profile DiscoverNotifier @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/metainfo/{,**} r,
|
||||
|
||||
/etc/flatpak/remotes.d/ r,
|
||||
|
||||
/var/lib/flatpak/repo/{,**} r,
|
||||
|
||||
owner @{user_cache_dirs}/appstream/ r,
|
||||
owner @{user_cache_dirs}/appstream/** r,
|
||||
owner @{user_cache_dirs}/flatpak/{,**} rw,
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
|
||||
owner @{user_config_dirs}/PlasmaDiscoverUpdates r,
|
||||
|
||||
owner @{user_share_dirs}/flatpak/{,**} rw,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
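Review bot: `owner @{user_share_dirs}/flatpak/{,**} rw,` and `owner @{user_cache_dirs}/flatpak/{,**} rw,` give the update notifier write access to the user's whole flatpak installation and cache, while the system-level counterparts in the same hunk (`/var/lib/flatpak/repo/{,**} r,`, `/etc/flatpak/remotes.d/ r,`) are read-only; if the notifier only checks for updates, `r` should suffice on `@{user_share_dirs}/flatpak`, and with the markers lost I cannot tell which of the six additions carries the write. Minor style: `owner @{user_cache_dirs}/appstream/ r,` and `owner @{user_cache_dirs}/appstream/** r,` collapse into `owner @{user_cache_dirs}/appstream/{,**} r,`, the form the rest of the hunk uses. The DiscoverNotifier profile continues outside the hunk.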
@ -9,13 +9,18 @@ include <tunables/global>
|
||||
@{exec_path} = @{lib}/drkonqi-coredump-processor
|
||||
profile drkonqi-coredump-processor @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/qt5>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
|
||||
/{run,var}/log/journal/ r,
|
||||
/{run,var}/log/journal/@{md5}/ r,
|
||||
/{run,var}/log/journal/@{md5}/system.journal r,
|
||||
/{run,var}/log/journal/@{md5}/system@@{hex}.journal r,
|
||||
/{run,var}/log/journal/@{md5}/user-@{uid}.journal r,
|
||||
/{run,var}/log/journal/@{md5}/user-@{uid}@@{hex}.journal r,
|
||||
|
||||
|
@ -13,6 +13,7 @@ profile kconf_update @{exec_path} {
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/kde-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/perl>
|
||||
include <abstractions/python>
|
||||
|
||||
@ -93,7 +94,6 @@ profile kconf_update @{exec_path} {
|
||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{sys}/kernel/random/boot_id r,
|
||||
@{PROC}/tty/drivers r,
|
||||
@{PROC}/uptime r,
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
|
@ -12,6 +12,8 @@ profile kde-systemd-start-condition @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/xdg/baloofilerc r,
|
||||
|
||||
owner @{user_config_dirs}/baloofilerc r,
|
||||
owner @{user_config_dirs}/plasma-welcomerc r,
|
||||
|
||||
|
@ -74,10 +74,12 @@ profile kscreenlocker-greet @{exec_path} {
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_cache_dirs}/kscreenlocker_greet/ w,
|
||||
owner @{user_cache_dirs}/kscreenlocker_greet/** rwl,
|
||||
owner @{user_cache_dirs}/ksvg-elements r,
|
||||
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements-default_v* r,
|
||||
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},
|
||||
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
|
||||
owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwl,
|
||||
|
||||
owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r,
|
||||
owner @{user_config_dirs}/kdedefaults/plasmarc r,
|
||||
|
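Review bot: `owner @{user_cache_dirs}/plasma-svgelements rw,` and `owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwl,` overlap, and the latter also covers `owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},`; with the markers lost I cannot tell which of the three survive, but any two of them on the new side would be redundant. The ksmserver-logout-greeter hunk below settles on the `rw` + `.@{rand6} rwl -> #@{int}` + `.lock rwk` triple, and matching that here keeps the two greeters consistent. The kscreenlocker-greet profile continues outside the hunk.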
@ -38,9 +38,9 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{user_cache_dirs}/#@{int} rwlk,
|
||||
owner @{user_cache_dirs}/kcrash-metadata/ r,
|
||||
owner @{user_cache_dirs}/ksmserver-logout-greeter/qmlcache/{,*} r,
|
||||
owner @{user_cache_dirs}/plasma_theme_breeze-dark_v5.114.0.kcache rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements r,
|
||||
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} l -> @{user_cache_dirs}/#@{int},
|
||||
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},
|
||||
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
|
||||
|
||||
owner @{user_config_dirs}/ r,
|
||||
|
@ -40,14 +40,18 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
||||
/usr/share/kservices{5,6}/{,**} r,
|
||||
/usr/share/kservicetypes5/{,*.desktop} r,
|
||||
/usr/share/kwin/{,**} r,
|
||||
/usr/share/libinput-*/{,**} r,
|
||||
/usr/share/libinput/{,**} r,
|
||||
/usr/share/plasma/desktoptheme/default/** r,
|
||||
/usr/share/pipewire/client.conf r,
|
||||
/usr/share/plasma/desktoptheme/** r,
|
||||
/usr/share/qt/translations/*.qm r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/xdg/menus/{,applications.menu} r,
|
||||
/etc/pipewire/client.conf.d/ r,
|
||||
/usr/share/pipewire/client.conf r,
|
||||
/etc/xdg/kscreenlockerrc r,
|
||||
/etc/xdg/menus/{,applications.menu} r,
|
||||
/etc/xdg/menus/applications-merged/ r,
|
||||
/etc/xdg/plasmarc r,
|
||||
|
||||
owner /var/lib/sddm/.cache/#@{int} rwk,
|
||||
owner /var/lib/sddm/.cache/fontconfig/* rwk,
|
||||
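Review bot: `/etc/pipewire/client.conf.d/ r,` grants only the directory listing; if kwin_wayland reads the drop-in files as well, which the neighbouring `/usr/share/pipewire/client.conf r,` suggests, it needs `/etc/pipewire/client.conf.d/{,*} r,`, the form the hunk uses for `/usr/share/kwin/{,**} r,`. `/usr/share/pipewire/client.conf r,` and `/etc/xdg/menus/{,applications.menu} r,` are each printed twice; that reads as a move between groups, but if both copies are on the new side one is a duplicate. The widening from `/usr/share/plasma/desktoptheme/default/**` to `/usr/share/plasma/desktoptheme/**` looks intended. The kwin_wayland profile continues outside the hunk.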
@ -70,7 +74,9 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_cache_dirs}/ksycoca{5,6}_* r,
|
||||
owner @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int},
|
||||
owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc rw,
|
||||
owner @{user_cache_dirs}/kwin/ w,
|
||||
owner @{user_cache_dirs}/kwin/qmlcache/ w,
|
||||
owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc rwl,
|
||||
owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/kwin/qmlcache/#@{int},
|
||||
owner @{user_cache_dirs}/kwin/qmlcache/#@{int} rw,
|
||||
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
|
||||
|
@ -20,23 +20,29 @@ profile systemsettings @{exec_path} {
|
||||
|
||||
@{bin}/kcminit rPx,
|
||||
|
||||
/usr/share/kcm_networkmanagement/{,**} r,
|
||||
/usr/share/kinfocenter/{,**} r,
|
||||
/usr/share/kpackage/{,**} r,
|
||||
/usr/share/kservices{5,6}/{,**} r,
|
||||
/usr/share/kservicetypes5/{,**} r,
|
||||
/usr/share/kxmlgui5/systemsettings/systemsettingsui.rc r,
|
||||
/usr/share/plasma/{,**} r,
|
||||
/usr/share/systemsettings/{,**} r,
|
||||
/usr/share/kinfocenter/{,**} r,
|
||||
/usr/share/sddm/themes/{,**} r,
|
||||
/usr/share/systemsettings/{,**} r,
|
||||
|
||||
/etc/fstab r,
|
||||
/etc/machine-id r,
|
||||
/etc/xdg/menus/ r,
|
||||
/etc/xdg/ui/ui_standards.rc r,
|
||||
|
||||
owner @{user_cache_dirs}/#@{int} rw,
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_cache_dirs}/kinfocenter/{,**} rwl,
|
||||
owner @{user_cache_dirs}/ksvg-elements rw,
|
||||
owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int},
|
||||
owner @{user_cache_dirs}/ksvg-elements.lock rwlk,
|
||||
owner @{user_cache_dirs}/ksycoca{5,6}_* r,
|
||||
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
|
||||
owner @{user_cache_dirs}/systemsettings/ rw,
|
||||
owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**,
|
||||
|
||||
|
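Review bot: `/usr/share/kinfocenter/{,**} r,` and `/usr/share/systemsettings/{,**} r,` each appear twice in this hunk; with the markers lost this reads as a re-sort into alphabetical order, but if both copies land on the new side they are duplicates that the profile should not carry. `/etc/fstab r,` is a new-looking grant with no stated consumer; a trailing comment naming the KCM that reads it, `/etc/fstab r, # <module>`, would help. The systemsettings profile continues outside the hunk.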
@ -53,11 +53,9 @@ profile xdm-xsession @{exec_path} {
|
||||
@{HOME}/.xinitrc rPix,
|
||||
@{lib}/xinit/xinitrc rix,
|
||||
|
||||
/usr/share/bash-completion/{,**} r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/mc/mc.sh r,
|
||||
|
||||
@{etc_ro}/profile.d/{,*} r,
|
||||
@{etc_ro}/X11/xdm/scripts/{,*} r,
|
||||
@{etc_ro}/X11/xim r,
|
||||
@{etc_ro}/X11/xim.d/none r,
|
||||
@ -71,8 +69,6 @@ profile xdm-xsession @{exec_path} {
|
||||
/etc/sysconfig/* r,
|
||||
|
||||
owner @{HOME}/ r,
|
||||
owner @{HOME}/.alias r,
|
||||
owner @{HOME}/.i18n r,
|
||||
|
||||
owner @{user_share_dirs}/sddm/xorg-session.log rw,
|
||||
|
||||
|
@ -70,22 +70,15 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
profile systemctl {
|
||||
include <abstractions/base>
|
||||
include <abstractions/systemd-common>
|
||||
include <abstractions/systemctl>
|
||||
|
||||
@{bin}/systemctl mr,
|
||||
|
||||
/ r,
|
||||
capability net_admin,
|
||||
|
||||
@{etc_ro}/ r,
|
||||
@{etc_ro}/systemd/ r,
|
||||
@{etc_ro}/systemd/system/ r,
|
||||
@{etc_ro}/systemd/system/ntp.service r,
|
||||
|
||||
owner @{run}/systemd/private rw,
|
||||
@{run}/utmp k,
|
||||
|
||||
/dev r,
|
||||
|
||||
include if exists <local/nm-dispatcher_systemctl>
|
||||
}
|
||||
|
||||
|
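Review bot: `capability net_admin,` inside the `systemctl` child profile is more than systemctl needs — it drives systemd over `owner @{run}/systemd/private rw,`, which the hunk already grants — and it sits after `/ r,` rather than in the file's usual capability-first position, so it may be a leftover; the header (22 → 15 lines) and the lost markers do not tell me whether it survives. If it is on the new side it should be dropped or carry a comment with the reason. Whether `include <abstractions/systemctl>` now covers the `@{etc_ro}/systemd/...` reads printed here is not visible from the hunk. The child profile closes at `}` inside the hunk; the enclosing nm-dispatcher profile starts outside it.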
@ -15,6 +15,7 @@ profile systemd-cat @{exec_path} {
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/cat rix,
|
||||
@{bin}/echo rix,
|
||||
|
||||
include if exists <local/systemd-cat>
|
||||
}
|
||||
|
@ -36,6 +36,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
|
||||
/opt/** r,
|
||||
|
||||
/etc/systemd/coredump.conf r,
|
||||
/etc/systemd/coredump.conf.d/{,**} r,
|
||||
|
||||
/var/lib/systemd/coredump/{,**} rwl,
|
||||
|
||||
|
@ -32,10 +32,12 @@ profile blkid @{exec_path} flags=(attach_disconnected) {
|
||||
@{run}/blkid/blkid.tab{,-@{rand6}} rw,
|
||||
@{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
|
||||
|
||||
@{run}/cloud-init/ds-identify.log w, # file_inherit
|
||||
|
||||
# For the EVALUATE=scan method
|
||||
@{PROC}/partitions r,
|
||||
|
||||
/dev/tty@{int} rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/blkid>
|
||||
}
|
||||
|
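Review bot: `/dev/tty@{int} rw,` and `owner /dev/tty@{int} rw,` are both printed; if the unowned form is the one that remains, blkid gains read/write on every tty rather than the caller's own. If the tty is only an inherited stdio descriptor, `owner /dev/tty@{int} rw, # file_inherit` — the tag this hunk already uses on `@{run}/cloud-init/ds-identify.log w,` — is the narrower grant. The profile ends inside the hunk at `include if exists <local/blkid>` and `}`.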
@ -11,6 +11,7 @@ include <tunables/global>
|
||||
profile blueman @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
@ -26,18 +27,16 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
ptrace (read) peer=gjs-console,
|
||||
|
||||
# dbus: own bus=session name=org.blueman.Applet
|
||||
# dbus: own bus=session name=org.blueman.Manager
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
@{sh_path} rix,
|
||||
|
||||
@{bin}/blueman-tray rPx,
|
||||
@{open_path} rPx -> child-open,
|
||||
@{open_path} rix,
|
||||
|
||||
/usr/share/blueman/{,**} r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
/var/lib/blueman/network.state r,
|
||||
|
||||
owner @{HOME}/ r,
|
||||
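Review bot: `@{open_path} rix,` and `@{open_path} rPx -> child-open,` are both printed; if the `rix` form is what remains, xdg-open and its helper scripts run inside blueman's own profile with `@{sh_path} rix` available to them, whereas `rPx -> child-open` is the transition this project uses for launchers. The header (18 → 16 lines) suggests a net removal, so confirming that `rPx -> child-open` is the survivor is enough; if `rix` is, it should be reverted. The blueman profile continues outside the hunk.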
@ -53,9 +52,9 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{user_cache_dirs}/obexd/ rw,
|
||||
owner @{user_cache_dirs}/obexd/* rw,
|
||||
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
|
||||
/dev/dri/card@{int} rw,
|
||||
/dev/rfkill r,
|
||||
|
@ -133,8 +133,9 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
|
||||
@{bin}/gpg{,2} mr,
|
||||
@{bin}/gpgconf mr,
|
||||
@{bin}/gpgsm mr,
|
||||
@{bin}/gpg-agent mrix,
|
||||
@{lib}/gnupg/scdaemon rix,
|
||||
|
||||
@{bin}/gpg-agent rix,
|
||||
@{lib}/{,gnupg/}scdaemon rix,
|
||||
|
||||
owner /var/lib/fwupd/gnupg/ rw,
|
||||
owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**,
|
||||
|
@ -68,7 +68,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
|
||||
@{bin}/fc-cache rPx,
|
||||
@{bin}/glib-compile-schemas rPx,
|
||||
@{bin}/install-info rPx,
|
||||
@{bin}/rpmdb2solv rPx, # only: opensuse
|
||||
@{bin}/rpmdb2solv rPUx, # only: opensuse
|
||||
@{bin}/systemd-inhibit rPx,
|
||||
@{bin}/update-desktop-database rPx,
|
||||
@{lib}/apt/methods/* rPx, # only: dpkg
|
||||
|
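Review bot: `@{bin}/rpmdb2solv rPUx, # only: opensuse` runs rpmdb2solv unconfined whenever no `rpmdb2solv` profile is loaded, while the other `rPx` line for the same binary requires one; the header (7 → 7, one replaced line) means one form replaced the other, and I read the direction as `rPx` → `rPUx`, which is inferred because the markers are lost. If the fallback is deliberate because no rpmdb2solv profile ships for openSUSE, a comment saying so, `# only: opensuse, no rpmdb2solv profile`, marks it as intended rather than a typo. The packagekitd profile continues outside the hunk.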
@ -15,6 +15,7 @@ profile pcscd @{exec_path} {
|
||||
|
||||
network netlink raw,
|
||||
|
||||
ptrace (read) peer=gsd-smartcard,
|
||||
ptrace (read) peer=pkcs11-register,
|
||||
ptrace (read) peer=rngd,
|
||||
ptrace (read) peer=scdaemon,
|
||||
|