mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-29 22:35:15 +01:00
feat(profiles): new definition for MOUNTs, add MOUNTDIRS.
This commit is contained in:
Alexandre Pujol
parent
9493e783ce
commit
779853dc7f
62 changed files with 198 additions and 203 deletions
|
|
@ -7,8 +7,8 @@
|
|||
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
|
||||
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/** rwkl,
|
||||
|
||||
owner @{MOUNTS}/*/@{XDG_DOWNLOAD_DIR}/ r,
|
||||
owner @{MOUNTS}/*/@{XDG_DOWNLOAD_DIR}/** rwkl,
|
||||
owner @{MOUNTS}/@{XDG_DOWNLOAD_DIR}/ r,
|
||||
owner @{MOUNTS}/@{XDG_DOWNLOAD_DIR}/** rwkl,
|
||||
|
||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
|
||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl,
|
||||
|
|
|
|||
|
|
@ -9,10 +9,10 @@
|
|||
owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} rwl,
|
||||
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
|
||||
|
||||
owner @{MOUNTS}/*/@{XDG_DOCUMENTS_DIR}/{,**} rwl,
|
||||
owner @{MOUNTS}/*/@{XDG_MUSIC_DIR}/{,**} rwl,
|
||||
owner @{MOUNTS}/*/@{XDG_PICTURES_DIR}/{,**} rwl,
|
||||
owner @{MOUNTS}/*/@{XDG_VIDEOS_DIR}/{,**} rwl,
|
||||
owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/{,**} rwl,
|
||||
owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}/{,**} rwl,
|
||||
owner @{MOUNTS}/*/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
|
||||
owner @{MOUNTS}/@{XDG_DOCUMENTS_DIR}/{,**} rwl,
|
||||
owner @{MOUNTS}/@{XDG_MUSIC_DIR}/{,**} rwl,
|
||||
owner @{MOUNTS}/@{XDG_PICTURES_DIR}/{,**} rwl,
|
||||
owner @{MOUNTS}/@{XDG_VIDEOS_DIR}/{,**} rwl,
|
||||
owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/{,**} rwl,
|
||||
owner @{MOUNTS}/@{XDG_BOOKS_DIR}/{,**} rwl,
|
||||
owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
|
||||
|
|
|
|||
|
|
@ -6,8 +6,8 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{AS_LIBDIR} = @{MOUNTS}/*/android-studio
|
||||
@{AS_SDKDIR} = @{MOUNTS}/*/SDK
|
||||
@{AS_LIBDIR} = @{MOUNTS}/android-studio
|
||||
@{AS_SDKDIR} = @{MOUNTS}/SDK
|
||||
@{AS_HOMEDIR} = @{HOME}/.AndroidStudio*
|
||||
@{AS_PROJECTDIR} = @{HOME}/AndroidStudioProjects
|
||||
|
||||
|
|
|
|||
|
|
@ -87,9 +87,9 @@ profile atom @{exec_path} {
|
|||
# Git dirs
|
||||
/ r,
|
||||
@{MOUNTS}/ r,
|
||||
owner @{MOUNTS}/*/ r,
|
||||
owner @{MOUNTS}/*/atom/ r,
|
||||
owner @{MOUNTS}/*/atom/** rwkl -> @{MOUNTS}/*/atom/**,
|
||||
owner @{MOUNTS}/ r,
|
||||
owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/ r,
|
||||
owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/** rwkl -> @{MOUNTS}/@{XDG_PROJECTS_DIR}/**,
|
||||
|
||||
owner @{user_config_dirs}/git/config r,
|
||||
|
||||
|
|
|
|||
|
|
@ -78,9 +78,9 @@ profile calibre @{exec_path} {
|
|||
owner @{HOME}/@{XDG_BOOKS_DIR} rw,
|
||||
owner @{HOME}/@{XDG_BOOKS_DIR}/** rwkl,
|
||||
|
||||
owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}/ r,
|
||||
owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/ rw,
|
||||
owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/** rwkl -> @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/**,
|
||||
owner @{MOUNTS}/@{XDG_BOOKS_DIR}/ r,
|
||||
owner @{MOUNTS}/@{XDG_BOOKS_DIR}*/ rw,
|
||||
owner @{MOUNTS}/@{XDG_BOOKS_DIR}*/** rwkl -> @{MOUNTS}/@{XDG_BOOKS_DIR}*/**,
|
||||
|
||||
owner @{user_config_dirs}/calibre/ rw,
|
||||
owner @{user_config_dirs}/calibre/** rwk,
|
||||
|
|
|
|||
|
|
@ -66,9 +66,8 @@ profile code @{exec_path} {
|
|||
# Git dirs
|
||||
/ r,
|
||||
@{MOUNTS}/ r,
|
||||
owner @{MOUNTS}/*/ r,
|
||||
owner @{MOUNTS}/*/code/ r,
|
||||
owner @{MOUNTS}/*/code/** rwkl -> @{MOUNTS}/*/code/**,
|
||||
owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/ r,
|
||||
owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/** rwkl -> @{MOUNTS}/@{XDG_PROJECTS_DIR}/**,
|
||||
|
||||
/etc/fstab r,
|
||||
|
||||
|
|
|
|||
|
|
@ -56,8 +56,8 @@ profile filezilla @{exec_path} {
|
|||
/{usr/,}lib/firefox/firefox rPUx,
|
||||
|
||||
# FTP share folder
|
||||
owner @{MOUNTS}/*/ftp/ r,
|
||||
owner @{MOUNTS}/*/ftp/** rw,
|
||||
owner @{MOUNTS}/ftp/ r,
|
||||
owner @{MOUNTS}/ftp/** rw,
|
||||
|
||||
# Silencer
|
||||
/ r,
|
||||
|
|
|
|||
|
|
@ -39,11 +39,11 @@ profile apt-cdrom @{exec_path} flags=(complain) {
|
|||
/media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r,
|
||||
|
||||
# For pendrives
|
||||
@{MOUNTS}/*/*/ r,
|
||||
@{MOUNTS}/*/*/**/ r,
|
||||
@{MOUNTS}/*/*/.disk/info r,
|
||||
@{MOUNTS}/*/*/dists/**/binary-*/Packages{,.gz} r,
|
||||
@{MOUNTS}/*/*/dists/**/i18n/Translation-en{,.gz} r,
|
||||
@{MOUNTS}/*/ r,
|
||||
@{MOUNTS}/*/**/ r,
|
||||
@{MOUNTS}/*/.disk/info r,
|
||||
@{MOUNTS}/*/dists/**/binary-*/Packages{,.gz} r,
|
||||
@{MOUNTS}/*/dists/**/i18n/Translation-en{,.gz} r,
|
||||
|
||||
/var/lib/apt/lists/** rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -29,11 +29,11 @@ profile dirmngr @{exec_path} {
|
|||
owner @{HOME}/@{XDG_GPG_DIR}/crls.d/ rw,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/crls.d/DIR.txt rw,
|
||||
|
||||
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/ rw,
|
||||
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/dirmngr.conf r,
|
||||
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/dirmngr_ldapservers.conf r,
|
||||
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/crls.d/ rw,
|
||||
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/crls.d/DIR.txt rw,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/dirmngr.conf r,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/dirmngr_ldapservers.conf r,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/crls.d/ rw,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/crls.d/DIR.txt rw,
|
||||
|
||||
owner @{run}/user/@{uid}/gnupg/ rw,
|
||||
owner @{run}/user/@{uid}/gnupg/S.dirmngr rw,
|
||||
|
|
|
|||
|
|
@ -77,7 +77,7 @@ profile gpg @{exec_path} {
|
|||
|
||||
# Verify files
|
||||
owner @{HOME}/** r,
|
||||
owner @{MOUNTS}/*/** r,
|
||||
owner @{MOUNTS}/** r,
|
||||
|
||||
owner @{PROC}/@{pid}/task/@{tid}/stat rw,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
|
|
|
|||
|
|
@ -29,12 +29,12 @@ profile gpg-agent @{exec_path} {
|
|||
owner @{HOME}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r,
|
||||
|
||||
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/ rw,
|
||||
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r,
|
||||
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
|
||||
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/sshcontrol r,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/sshcontrol r,
|
||||
|
||||
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/ rw,
|
||||
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/gpg-agent.conf r,
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ profile gvfsd-archive @{exec_path} {
|
|||
owner @{HOME}/**.{tar,tar.gz,zip} r,
|
||||
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} r,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
|
||||
|
||||
include if exists <local/gvfsd-archive>
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@ profile gvfsd-mtp @{exec_path} {
|
|||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
owner @{HOME}/{,**} rw,
|
||||
owner @{MOUNTS}/*/{,**} rw,
|
||||
owner @{MOUNTS}/{,**} rw,
|
||||
|
||||
owner @{run}/user/@{uid}/gvfsd/socket-* rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@ profile gvfsd-recent @{exec_path} {
|
|||
|
||||
# Full access to user's data
|
||||
owner @{HOME}/{,**} rw,
|
||||
owner @{MOUNTS}/*/{,**} rw,
|
||||
owner @{MOUNTS}/{,**} rw,
|
||||
|
||||
owner @{HOME}/.zshenv r,
|
||||
owner @{user_config_dirs}/user-dirs.dirs r,
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@ profile gvfsd-trash @{exec_path} {
|
|||
|
||||
# Can restore all user files
|
||||
owner @{HOME}/{,**} rw,
|
||||
owner @{MOUNTS}/*/{,**} rw,
|
||||
owner @{MOUNTS}/{,**} rw,
|
||||
|
||||
owner @{run}/user/@{uid}/gvfsd/ rw,
|
||||
owner @{run}/user/@{uid}/gvfsd/socket-* rw,
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@ profile badblocks @{exec_path} {
|
|||
|
||||
# A place for a list of already existing known bad blocks
|
||||
@{HOME}/* rwk,
|
||||
@{MOUNTS}/*/** rwk,
|
||||
@{MOUNTS}/** rwk,
|
||||
|
||||
include if exists <local/badblocks>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -31,9 +31,9 @@ profile blkid @{exec_path} {
|
|||
|
||||
# Image files
|
||||
@{HOME}/**.{iso,img,bin,mdf,nrg} r,
|
||||
@{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
|
||||
@{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
|
||||
@{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
|
||||
@{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r,
|
||||
@{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r,
|
||||
|
||||
include if exists <local/blkid>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -35,10 +35,10 @@ profile borg @{exec_path} {
|
|||
/{usr/,}bin/ccache rCx -> ccache,
|
||||
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
|
||||
|
||||
mount fstype=fuse -> @{MOUNTS}/,
|
||||
mount fstype=fuse -> @{MOUNTS}/*/,
|
||||
mount fstype=fuse -> @{MOUNTS}/*/*/,
|
||||
umount @{MOUNTS}/,
|
||||
umount @{MOUNTS}/*/,
|
||||
umount @{MOUNTS}/*/*/,
|
||||
|
||||
/dev/fuse rw,
|
||||
|
||||
|
|
@ -114,8 +114,8 @@ profile borg @{exec_path} {
|
|||
|
||||
/etc/fuse.conf r,
|
||||
|
||||
umount @{MOUNTS}/,
|
||||
umount @{MOUNTS}/*/,
|
||||
umount @{MOUNTS}/*/*/,
|
||||
|
||||
@{PROC}/@{pids}/mounts r,
|
||||
|
||||
|
|
|
|||
|
|
@ -33,18 +33,18 @@ profile btrfs @{exec_path} {
|
|||
/var/lib/btrfs/scrub.status.@{uuid}{,_tmp} rwk,
|
||||
|
||||
# Saved metadata
|
||||
@{MOUNTS}/ r,
|
||||
@{MOUNTS}/ext2_saved/ rw,
|
||||
@{MOUNTS}/ext2_saved/image rw,
|
||||
@{MOUNTS}/*/ r,
|
||||
@{MOUNTS}/*/ext2_saved/ rw,
|
||||
@{MOUNTS}/*/ext2_saved/image rw,
|
||||
@{MOUNTS}/*/*/ r,
|
||||
@{MOUNTS}/*/*/ext2_saved/ rw,
|
||||
@{MOUNTS}/*/*/ext2_saved/image rw,
|
||||
|
||||
# To be able to manage btrfs volumes
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
|
||||
/dev/btrfs-control rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -15,9 +15,9 @@ profile btrfs-find-root @{exec_path} {
|
|||
|
||||
# A place for file images
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
|
||||
include if exists <local/btrfs-find-root>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,9 +17,9 @@ profile btrfs-image @{exec_path} {
|
|||
|
||||
# Image files
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
|
||||
include if exists <local/btrfs-image>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,9 +15,9 @@ profile btrfs-map-logical @{exec_path} {
|
|||
|
||||
# A place for file images
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
|
||||
include if exists <local/btrfs-map-logical>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -25,13 +25,13 @@ profile cfdisk @{exec_path} {
|
|||
|
||||
# A place for file images
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
|
||||
# A place for backups
|
||||
owner @{HOME}/**.{bak,back} rwk,
|
||||
owner @{MOUNTS}/*/**.{bak,back} rwk,
|
||||
owner @{MOUNTS}/**.{bak,back} rwk,
|
||||
|
||||
include if exists <local/cfdisk>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,13 +17,13 @@ profile cgdisk @{exec_path} {
|
|||
|
||||
# A place for file images
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
|
||||
# A place for backups
|
||||
owner @{HOME}/**.{bak,back} rwk,
|
||||
owner @{MOUNTS}/*/**.{bak,back} rwk,
|
||||
owner @{MOUNTS}/**.{bak,back} rwk,
|
||||
|
||||
include if exists <local/cgdisk>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -19,9 +19,9 @@ profile dumpe2fs @{exec_path} {
|
|||
|
||||
# Image files
|
||||
@{HOME}/**.{iso,img,bin,mdf,nrg} r,
|
||||
@{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
|
||||
@{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
|
||||
@{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
|
||||
@{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r,
|
||||
@{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r,
|
||||
|
||||
include if exists <local/dumpe2fs>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -28,9 +28,9 @@ profile e2fsck @{exec_path} {
|
|||
|
||||
# A place for file images
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
|
||||
include if exists <local/e2fsck>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -19,9 +19,9 @@ profile e2image @{exec_path} {
|
|||
|
||||
# A place for the metadata image file
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
|
||||
include if exists <local/e2image>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -13,14 +13,14 @@ profile f3read @{exec_path} {
|
|||
@{exec_path} mr,
|
||||
|
||||
# USB drive mount locations
|
||||
@{MOUNTDIRS} r,
|
||||
@{MOUNTS}/ r,
|
||||
@{MOUNTS}/*/ r,
|
||||
@{MOUNTS}/*/*/ r,
|
||||
/mnt/ r,
|
||||
|
||||
# To be able to read h2w files
|
||||
owner @{MOUNTDIRS}/[0-9]*.h2w r,
|
||||
owner @{MOUNTS}/[0-9]*.h2w r,
|
||||
owner @{MOUNTS}/*/[0-9]*.h2w r,
|
||||
owner @{MOUNTS}/*/*/[0-9]*.h2w r,
|
||||
owner /mnt/[0-9]*.h2w r,
|
||||
|
||||
include if exists <local/f3read>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,14 +17,14 @@ profile f3write @{exec_path} {
|
|||
@{exec_path} mr,
|
||||
|
||||
# USB drive mount locations
|
||||
@{MOUNTDIRS} r,
|
||||
@{MOUNTS}/ r,
|
||||
@{MOUNTS}/*/ r,
|
||||
@{MOUNTS}/*/*/ r,
|
||||
/mnt/ r,
|
||||
|
||||
# To be able to write h2w files
|
||||
owner @{MOUNTDIRS}/[0-9]*.h2w w,
|
||||
owner @{MOUNTS}/[0-9]*.h2w w,
|
||||
owner @{MOUNTS}/*/[0-9]*.h2w w,
|
||||
owner @{MOUNTS}/*/*/[0-9]*.h2w w,
|
||||
owner /mnt/[0-9]*.h2w w,
|
||||
|
||||
include if exists <local/f3write>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -27,13 +27,13 @@ profile fdisk @{exec_path} {
|
|||
|
||||
# For disk images
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
|
||||
# For backups
|
||||
owner @{HOME}/**.{bak,back} rwk,
|
||||
owner @{MOUNTS}/*/**.{bak,back} rwk,
|
||||
owner @{MOUNTS}/**.{bak,back} rwk,
|
||||
|
||||
include if exists <local/fdisk>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@ profile fsck @{exec_path} {
|
|||
/etc/fstab r,
|
||||
|
||||
# When a mount dir is passed to fsck as an argument.
|
||||
@{MOUNTS}/*/ r,
|
||||
@{MOUNTS}/ r,
|
||||
/boot/ r,
|
||||
/home/ r,
|
||||
|
||||
|
|
|
|||
|
|
@ -16,9 +16,9 @@ profile fsck-fat @{exec_path} {
|
|||
|
||||
# A place for file images
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
|
||||
owner @{run}/systemd/fsck.progress rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -27,9 +27,9 @@ profile fuseiso @{exec_path} {
|
|||
|
||||
# Image files to be mounted
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
|
||||
owner @{HOME}/.mtab.fuseiso rwk,
|
||||
owner @{HOME}/.mtab.fuseiso.new rw,
|
||||
|
|
@ -60,9 +60,9 @@ profile fuseiso @{exec_path} {
|
|||
|
||||
# Image files to be mounted
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} r,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r,
|
||||
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r,
|
||||
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -24,13 +24,13 @@ profile gdisk @{exec_path} {
|
|||
|
||||
# For disk images
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
|
||||
# For backups
|
||||
owner @{HOME}/**.{bak,back} rwk,
|
||||
owner @{MOUNTS}/*/**.{bak,back} rwk,
|
||||
owner @{MOUNTS}/**.{bak,back} rwk,
|
||||
|
||||
include if exists <local/gdisk>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -153,8 +153,8 @@ profile gpartedbin @{exec_path} {
|
|||
mount /dev/{s,v}d[a-z]*[0-9]* -> /tmp/gparted-*/,
|
||||
|
||||
mount /dev/{s,v}d[a-z]*[0-9]* -> /boot/,
|
||||
mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/,
|
||||
mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
|
||||
mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/*/,
|
||||
|
||||
@{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/dev r,
|
||||
|
|
@ -176,8 +176,8 @@ profile gpartedbin @{exec_path} {
|
|||
umount /tmp/gparted-*/,
|
||||
|
||||
umount /boot/,
|
||||
umount @{MOUNTS}/,
|
||||
umount @{MOUNTS}/*/,
|
||||
umount @{MOUNTS}/*/*/,
|
||||
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
|
|
|
|||
|
|
@ -30,9 +30,9 @@ profile hdparm @{exec_path} flags=(complain) {
|
|||
|
||||
# Image files
|
||||
@{HOME}/**.{iso,img,bin,mdf,nrg} r,
|
||||
@{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
|
||||
@{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
|
||||
@{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
|
||||
@{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r,
|
||||
@{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r,
|
||||
|
||||
include if exists <local/hdparm>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@ profile keepassxc-proxy @{exec_path} {
|
|||
#
|
||||
deny owner @{HOME}/.mozilla/** rw,
|
||||
deny owner @{user_cache_dirs}/mozilla/** rw,
|
||||
deny owner @{MOUNTS}/*/.mozilla/** rw,
|
||||
deny owner @{MOUNTS}/.mozilla/** rw,
|
||||
deny owner /tmp/firefox*/.parentlock rw,
|
||||
deny owner /tmp/tmp-*.xpi rw,
|
||||
deny owner /tmp/tmpaddon r,
|
||||
|
|
|
|||
|
|
@ -6,8 +6,6 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{SYNC_FOLDER}=@{MOUNTS}/*/cloud_storage
|
||||
|
||||
@{exec_path} = /{usr/,}bin/megasync
|
||||
profile megasync @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
|
@ -55,11 +53,8 @@ profile megasync @{exec_path} {
|
|||
owner @{user_config_dirs}/QtProject.conf r,
|
||||
|
||||
# Sync folder
|
||||
#/ r,
|
||||
#@{MOUNTS}/ r,
|
||||
#@{MOUNTS}/*/ r,
|
||||
owner @{SYNC_FOLDER}/ r,
|
||||
owner @{SYNC_FOLDER}/** rwl -> @{SYNC_FOLDER}/**,
|
||||
owner @{user_sync_dirs}/ r,
|
||||
owner @{user_sync_dirs}/** rwl -> @{user_sync_dirs}/**,
|
||||
|
||||
# Proc filesystem
|
||||
deny owner @{PROC}/@{pid}/cmdline r,
|
||||
|
|
|
|||
|
|
@ -30,9 +30,9 @@ profile mke2fs @{exec_path} {
|
|||
|
||||
# A place for file images
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
|
||||
# For virt-resize
|
||||
owner /var/tmp/.guestfs-[0-9]*/** rwk,
|
||||
|
|
|
|||
|
|
@ -24,9 +24,9 @@ profile mkfs-btrfs @{exec_path} {
|
|||
|
||||
# A place for file images
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
|
||||
include if exists <local/mkfs-btrfs>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -18,9 +18,9 @@ profile mkfs-fat @{exec_path} {
|
|||
|
||||
# A place for file images
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
|
||||
include if exists <local/mkfs-fat>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -45,9 +45,9 @@ profile mount @{exec_path} flags=(complain) {
|
|||
|
||||
# Mount iso/img files
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
|
||||
# The special /dev/loop-control file can be used to create and destroy loop devices or to find
|
||||
# the first available loop device.
|
||||
|
|
|
|||
|
|
@ -30,19 +30,18 @@ profile mount-cifs @{exec_path} flags=(complain) {
|
|||
owner @{HOME}/.smbcredentials r,
|
||||
|
||||
# Mount points
|
||||
@{MOUNTDIRS}/ r,
|
||||
@{MOUNTS}/ r,
|
||||
@{MOUNTS}/*/ r,
|
||||
@{MOUNTS}/*/*/ r,
|
||||
|
||||
# Allow to mount smb/cifs disks only under the /media/ dirs
|
||||
mount fstype=cifs -> @{MOUNTDIRS}/,
|
||||
mount fstype=cifs -> @{MOUNTS}/,
|
||||
mount fstype=cifs -> @{MOUNTS}/*/,
|
||||
mount fstype=cifs -> @{MOUNTS}/*/*/,
|
||||
mount fstype=cifs -> /mnt/,
|
||||
mount fstype=cifs -> /mnt/*/,
|
||||
|
||||
umount @{MOUNTDIRS}/,
|
||||
umount @{MOUNTS}/,
|
||||
umount @{MOUNTS}/*/,
|
||||
umount @{MOUNTS}/*/*/,
|
||||
umount /mnt/,
|
||||
umount /mnt/*/,
|
||||
|
||||
include if exists <local/mount-cifs>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -45,21 +45,20 @@ profile mount-nfs @{exec_path} flags=(complain) {
|
|||
owner @{run}/rpc.statd.lock wk,
|
||||
|
||||
# Mount points
|
||||
@{MOUNTDIRS}/ r,
|
||||
@{MOUNTS}/ r,
|
||||
@{MOUNTS}/*/ r,
|
||||
@{MOUNTS}/*/*/ r,
|
||||
|
||||
# Allow to mount smb/cifs disks only under the /media/ dirs
|
||||
mount fstype=nfs -> @{MOUNTDIRS}/,
|
||||
mount fstype=nfs -> @{MOUNTS}/,
|
||||
mount fstype=nfs -> @{MOUNTS}/*/,
|
||||
mount fstype=nfs -> @{MOUNTS}/*/*/,
|
||||
mount fstype=nfs -> /mnt/,
|
||||
mount fstype=nfs -> /mnt/*/,
|
||||
mount fstype=nfs -> /,
|
||||
mount fstype=nfs -> /*/,
|
||||
|
||||
umount @{MOUNTDIRS}/,
|
||||
umount @{MOUNTS}/,
|
||||
umount @{MOUNTS}/*/,
|
||||
umount @{MOUNTS}/*/*/,
|
||||
umount /mnt/,
|
||||
umount /mnt/*/,
|
||||
umount /,
|
||||
umount /*/,
|
||||
|
||||
|
|
|
|||
|
|
@ -25,9 +25,9 @@ profile mtools @{exec_path} {
|
|||
|
||||
# A place for file images
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
|
||||
include if exists <local/mtools>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -23,36 +23,35 @@ profile ntfs-3g @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{PROC}/@{pids}/task/@{tid}/status r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
/{usr/,}bin/kmod rPx, # To load the fuse kernel module
|
||||
|
||||
# Mount points
|
||||
@{MOUNTDIRS}/ r,
|
||||
@{MOUNTS}/ r,
|
||||
@{MOUNTS}/*/ r,
|
||||
|
||||
# Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs
|
||||
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTDIRS},
|
||||
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/,
|
||||
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
|
||||
mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/,
|
||||
mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,
|
||||
|
||||
# Allow to mount encrypted partition
|
||||
mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTDIRS}/,
|
||||
mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/,
|
||||
mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/,
|
||||
|
||||
umount @{MOUNTDIRS}/,
|
||||
umount @{MOUNTS}/,
|
||||
umount @{MOUNTS}/*/,
|
||||
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
@{PROC}/@{pids}/task/@{tid}/status r,
|
||||
@{PROC}/swaps r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
/dev/fuse rw,
|
||||
|
||||
# Mount points
|
||||
@{MOUNTS}/*/ r,
|
||||
@{MOUNTS}/*/*/ r,
|
||||
|
||||
# Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs
|
||||
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
|
||||
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/*/,
|
||||
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /mnt/,
|
||||
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /mnt/*/,
|
||||
mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,
|
||||
mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/*/,
|
||||
|
||||
# Allow to mount encrypted partition
|
||||
mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/,
|
||||
mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/*/,
|
||||
mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/,
|
||||
mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/*/,
|
||||
|
||||
umount @{MOUNTS}/*/,
|
||||
umount /mnt/*/,
|
||||
|
||||
# kmod is used to load the fuse kernel module
|
||||
/{usr/,}bin/kmod rPx,
|
||||
|
||||
include if exists <local/ntfs-3g>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@ profile ntfsclone @{exec_path} {
|
|||
|
||||
# A place for backups
|
||||
@{HOME}/* rwk,
|
||||
@{MOUNTS}/*/** rwk,
|
||||
@{MOUNTS}/** rwk,
|
||||
|
||||
include if exists <local/ntfsclone>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -16,8 +16,8 @@ profile obex-folder-listing @{exec_path} {
|
|||
|
||||
owner @{HOME}/ r,
|
||||
owner @{HOME}/**/ r,
|
||||
owner @{MOUNTS}/*/ r,
|
||||
owner @{MOUNTS}/*/**/ r,
|
||||
owner @{MOUNTS}/ r,
|
||||
owner @{MOUNTS}/**/ r,
|
||||
|
||||
include if exists <local/obex-folder-listing>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -70,9 +70,9 @@ profile parted @{exec_path} {
|
|||
# file_inherit
|
||||
include <abstractions/disks-write> # lots of files in this abstraction get inherited
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{TORRENT_DIR} = @{MOUNTS}/*/torrent
|
||||
@{TORRENT_DIR} = @{MOUNTS}/torrent
|
||||
|
||||
@{exec_path} = /{usr/,}bin/qbittorrent
|
||||
profile qbittorrent @{exec_path} {
|
||||
|
|
@ -241,9 +241,9 @@ profile qbittorrent @{exec_path} {
|
|||
owner @{run}/user/@{uid}/ r,
|
||||
|
||||
# file_inherit
|
||||
owner @{MOUNTS}/*/torrent/** r,
|
||||
owner @{MOUNTS}/*/torrent/**.[0-9a-f]*.parts rw,
|
||||
owner "@{MOUNTS}/*/torrent/**.!qB" rw,
|
||||
owner @{MOUNTS}/torrent/** r,
|
||||
owner @{MOUNTS}/torrent/**.[0-9a-f]*.parts rw,
|
||||
owner "@{MOUNTS}/torrent/**.!qB" rw,
|
||||
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
|
|
@ -291,7 +291,7 @@ profile qbittorrent @{exec_path} {
|
|||
owner /tmp/tmp* rw,
|
||||
|
||||
# file_inherit
|
||||
owner @{MOUNTS}/*/torrent/** r,
|
||||
owner @{MOUNTS}/torrent/** r,
|
||||
deny /dev/dri/card[0-9]* rw,
|
||||
|
||||
include if exists <local/qbittorrent_python3>
|
||||
|
|
|
|||
|
|
@ -74,11 +74,10 @@ profile qnapi @{exec_path} {
|
|||
|
||||
# Movie dirs
|
||||
@{MOUNTS}/ r,
|
||||
owner @{MOUNTS}/*/ r,
|
||||
owner @{MOUNTS}/*/** r,
|
||||
owner @{MOUNTS}/*/**#[0-9]*[0-9] rw,
|
||||
owner @{MOUNTS}/*/**.@{qnapi_vid_ext} r,
|
||||
owner @{MOUNTS}/*/**.@{qnapi_txt_ext} rwl -> @{MOUNTS}/*/**/#[0-9]*[0-9],
|
||||
owner @{MOUNTS}/** r,
|
||||
owner @{MOUNTS}/**#[0-9]*[0-9] rw,
|
||||
owner @{MOUNTS}/**.@{qnapi_vid_ext} r,
|
||||
owner @{MOUNTS}/**.@{qnapi_txt_ext} rwl -> @{MOUNTS}/**/#[0-9]*[0-9],
|
||||
|
||||
owner @{HOME}/ r,
|
||||
owner @{user_config_dirs}/qnapi.ini rw,
|
||||
|
|
|
|||
|
|
@ -34,7 +34,7 @@ profile qtox @{exec_path} {
|
|||
|
||||
# For importing old profile
|
||||
owner @{HOME}/**.tox r,
|
||||
owner @{MOUNTS}/*/**.tox r,
|
||||
owner @{MOUNTS}/**.tox r,
|
||||
|
||||
owner @{HOME}/ r,
|
||||
owner @{user_cache_dirs}/qTox/ rw,
|
||||
|
|
|
|||
|
|
@ -24,9 +24,9 @@ profile resize2fs @{exec_path} {
|
|||
|
||||
# A place for file images
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
|
||||
include if exists <local/resize2fs>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -19,8 +19,8 @@ profile s3fs @{exec_path} {
|
|||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
mount fstype=fuse.s3fs -> @{MOUNTS}/,
|
||||
mount fstype=fuse.s3fs -> @{MOUNTS}/*/,
|
||||
mount fstype=fuse.s3fs -> @{MOUNTS}/*/*/,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
@ -31,8 +31,8 @@ profile s3fs @{exec_path} {
|
|||
|
||||
owner @{HOME}/.passwd-s3fs r,
|
||||
|
||||
owner @{MOUNTS}/ r,
|
||||
owner @{MOUNTS}/*/ r,
|
||||
owner @{MOUNTS}/*/*/ r,
|
||||
owner /tmp/* rw,
|
||||
|
||||
/dev/fuse rw,
|
||||
|
|
@ -50,14 +50,14 @@ profile s3fs @{exec_path} {
|
|||
|
||||
/etc/fuse.conf r,
|
||||
|
||||
@{MOUNTS}/ r,
|
||||
@{MOUNTS}/*/ r,
|
||||
@{MOUNTS}/*/*/ r,
|
||||
|
||||
mount fstype=fuse.s3fs -> @{MOUNTS}/,
|
||||
mount fstype=fuse.s3fs -> @{MOUNTS}/*/,
|
||||
mount fstype=fuse.s3fs -> @{MOUNTS}/*/*/,
|
||||
|
||||
umount @{MOUNTS}/,
|
||||
umount @{MOUNTS}/*/,
|
||||
umount @{MOUNTS}/*/*/,
|
||||
|
||||
owner /tmp/s3fstmp.* rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -24,9 +24,9 @@ profile sfdisk @{exec_path} {
|
|||
|
||||
# For disk images
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
|
||||
# For backups
|
||||
owner @{HOME}/**.{bak,back} rwk,
|
||||
|
|
|
|||
|
|
@ -24,13 +24,13 @@ profile sgdisk @{exec_path} {
|
|||
|
||||
# For disk images
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
|
||||
# For backups
|
||||
owner @{HOME}/**.{bak,back} rwk,
|
||||
owner @{MOUNTS}/*/**.{bak,back} rwk,
|
||||
owner @{MOUNTS}/**.{bak,back} rwk,
|
||||
|
||||
include if exists <local/sgdisk>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{MEDIA_LIB} = @{MOUNTS}/*/mp3/
|
||||
@{MEDIA_LIB} = @{MOUNTS}/mp3/
|
||||
|
||||
@{exec_path} = /{usr/,}bin/strawberry
|
||||
profile strawberry @{exec_path} {
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{MEDIA_LIB} = @{MOUNTS}/*/mp3/
|
||||
@{MEDIA_LIB} = @{MOUNTS}/mp3/
|
||||
|
||||
@{exec_path} = /{usr/,}bin/strawberry-tagreader
|
||||
profile strawberry-tagreader @{exec_path} {
|
||||
|
|
|
|||
|
|
@ -29,9 +29,9 @@ profile tune2fs @{exec_path} {
|
|||
|
||||
# Image files
|
||||
@{HOME}/**.{iso,img,bin,mdf,nrg} rw,
|
||||
@{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rw,
|
||||
@{MOUNTS}/**.{iso,img,bin,mdf,nrg} rw,
|
||||
@{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rw,
|
||||
@{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rw,
|
||||
@{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rw,
|
||||
|
||||
include if exists <local/tune2fs>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -35,7 +35,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={ReleaseName,GetConnectionUnixUser},
|
||||
member={ReleaseName,GetConnectionUnixUser,RequestName},
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login[0-9]
|
||||
interface=org.freedesktop.login[0-9].Manager
|
||||
|
|
@ -71,26 +71,26 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
|
|||
/{usr/,}bin/systemd-escape rPx,
|
||||
|
||||
# Allow mounting of removable devices
|
||||
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/*/,
|
||||
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/*/,
|
||||
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/*/,
|
||||
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/,
|
||||
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
|
||||
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/,
|
||||
# Allow mounting of loop devices (ISO files)
|
||||
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/*/,
|
||||
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/*/,
|
||||
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/,
|
||||
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/,
|
||||
# Allow mounting of cdrom
|
||||
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> /media/cdrom[0-9]/,
|
||||
mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> /media/cdrom[0-9]/,
|
||||
# Allow mounting od sd cards
|
||||
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/*/,
|
||||
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/*/,
|
||||
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/,
|
||||
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,
|
||||
# Allow unmounting
|
||||
umount @{MOUNTS}/,
|
||||
umount @{MOUNTS}/*/,
|
||||
umount @{MOUNTS}/*/*/,
|
||||
umount /media/cdrom[0-9]/,
|
||||
|
||||
# Be able to create/delete dirs for removable media
|
||||
@{MOUNTS}/ rw,
|
||||
@{MOUNTS}/*/ rw,
|
||||
@{MOUNTS}/*/*/ rw,
|
||||
/media/cdrom[0-9]/ rw,
|
||||
|
||||
# Udisks2 config files
|
||||
|
|
|
|||
|
|
@ -73,11 +73,10 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
# For disk images
|
||||
@{MOUNTS}/ r,
|
||||
@{MOUNTS}/*/ r,
|
||||
@{HOME}/**.{iso,img,bin,mdf,nrg} r,
|
||||
@{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
|
||||
@{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
|
||||
@{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
|
||||
@{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r,
|
||||
@{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r,
|
||||
|
||||
# System VM images
|
||||
/var/lib/libvirt/images/{,**} rw,
|
||||
|
|
@ -86,7 +85,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_share_dirs}/ r,
|
||||
owner @{user_share_dirs}/libvirt/{,**} rw,
|
||||
owner @{HOME}/@{XDG_VM_DIR}/{,**} rw,
|
||||
owner @{MOUNTS}/*/@{XDG_VM_DIR}/{,**} rw,
|
||||
owner @{MOUNTS}/@{XDG_VM_DIR}/{,**} rw,
|
||||
|
||||
owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
|
||||
@{run}/mount/utab r,
|
||||
|
|
|
|||
|
|
@ -9,8 +9,14 @@
|
|||
# Universally unique identifier
|
||||
@{uuid}=[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*
|
||||
|
||||
# Common mountpoints
|
||||
@{MOUNTS}=/media/ @{run}/media /mnt
|
||||
|
||||
# @{MOUNTDIRS} is a space-separated list of where user mount directories
|
||||
# are stored, for programs that must enumerate all mount directories on a
|
||||
# system.
|
||||
@{MOUNTDIRS}=/media/ @{run}/media/ /mnt/
|
||||
|
||||
# @{MOUNTS} is a space-separated list of all user mounted directories.
|
||||
@{MOUNTS}=@{MOUNTDIRS}/*/
|
||||
|
||||
# Libexec path. Different in some distribution
|
||||
@{libexec}=/{usr/,}lib # Archlinux
|
||||
|
|
|
|||
Loading…
Reference in a new issue