Update profiles.
This commit is contained in:
parent
5cc6fd5c08
commit
79ab7e3eec
9 changed files with 14 additions and 12 deletions
@ -80,10 +80,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||||
owner @{user_share_dirs}/gnome-shell/{,**} rw,
|
owner @{user_share_dirs}/gnome-shell/{,**} rw,
|
||||||
owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
|
owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
|
||||||
|
|
||||||
|
owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r,
|
||||||
|
owner @{user_cache_dirs}/gnome-photos/{,**} r,
|
||||||
|
owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
|
||||||
owner @{user_cache_dirs}/libgweather/{,**} r,
|
owner @{user_cache_dirs}/libgweather/{,**} r,
|
||||||
owner @{user_cache_dirs}/media-art/{,**} r,
|
owner @{user_cache_dirs}/media-art/{,**} r,
|
||||||
owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
|
|
||||||
owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r,
|
|
||||||
|
|
||||||
include <abstractions/dconf>
|
include <abstractions/dconf>
|
||||||
owner @{run}/user/@{uid}/dconf/ rw,
|
owner @{run}/user/@{uid}/dconf/ rw,
|
||||||
|
@ -113,6 +114,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||||
@{run}/udev/data/+sound:card* r, # for sound
|
@{run}/udev/data/+sound:card* r, # for sound
|
||||||
@{run}/udev/data/+usb* r, # for USB mouse and keyboard
|
@{run}/udev/data/+usb* r, # for USB mouse and keyboard
|
||||||
@{run}/udev/data/+i2c:* r,
|
@{run}/udev/data/+i2c:* r,
|
||||||
|
@{run}/udev/data/+hid* r, # for HID-Compliant Keyboard
|
||||||
@{run}/udev/data/c10:[0-9]* r,
|
@{run}/udev/data/c10:[0-9]* r,
|
||||||
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
|
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
|
||||||
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
||||||
|
|
|
@ -31,7 +31,7 @@ profile dirmngr @{exec_path} {
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/gnupg/ rw,
|
owner @{run}/user/@{uid}/gnupg/ rw,
|
||||||
owner @{run}/user/@{uid}/gnupg/S.dirmngr rw,
|
owner @{run}/user/@{uid}/gnupg/S.dirmngr rw,
|
||||||
@{run}/user/@{uid}/d.*/S.dirmngr rw,
|
owner @{run}/user/@{uid}/gnupg/d.*/S.dirmngr rw,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||||
|
|
||||||
|
|
|
@ -42,7 +42,6 @@ profile pacman @{exec_path} {
|
||||||
/{usr/,}bin/gpgconf rCx -> gpg,
|
/{usr/,}bin/gpgconf rCx -> gpg,
|
||||||
/{usr/,}bin/gpgsm rCx -> gpg,
|
/{usr/,}bin/gpgsm rCx -> gpg,
|
||||||
|
|
||||||
|
|
||||||
# Pacman hooks & install scripts
|
# Pacman hooks & install scripts
|
||||||
/{usr/,}{s,}bin/ldconfig rix,
|
/{usr/,}{s,}bin/ldconfig rix,
|
||||||
/{usr/,}bin/{,ba}sh rix,
|
/{usr/,}bin/{,ba}sh rix,
|
||||||
|
@ -50,6 +49,7 @@ profile pacman @{exec_path} {
|
||||||
/{usr/,}bin/env rix,
|
/{usr/,}bin/env rix,
|
||||||
/{usr/,}bin/rm rix,
|
/{usr/,}bin/rm rix,
|
||||||
/{usr/,}bin/vercmp rix,
|
/{usr/,}bin/vercmp rix,
|
||||||
|
/{usr/,}bin/xmlcatalog rix,
|
||||||
/{usr/,}lib/ghc-*/bin/ghc-pkg rix,
|
/{usr/,}lib/ghc-*/bin/ghc-pkg rix,
|
||||||
/{usr/,}bin/arch-audit rPx,
|
/{usr/,}bin/arch-audit rPx,
|
||||||
/{usr/,}bin/bootctl rPx,
|
/{usr/,}bin/bootctl rPx,
|
||||||
|
|
|
@ -12,6 +12,8 @@ profile pacman-hook-dkms @{exec_path} {
|
||||||
|
|
||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
|
|
||||||
|
unix (receive) type=stream,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/{usr/,}bin/bash rix,
|
/{usr/,}bin/bash rix,
|
||||||
|
|
|
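Review bot: The added `unix (receive) type=stream,` rule has no `peer=` qualifier, so it accepts stream sockets from any confined or unconfined peer, while every other rule in this hunk is scoped by path. If the socket is the one inherited from pacman when it runs the hook (the profile name suggests that, but the caller is outside this hunk), `unix (receive) type=stream peer=(label=pacman),` would limit it to that case. A short comment naming where the socket comes from would also help the next reader judge the rule. The profile body continues outside the hunk.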
@ -52,7 +52,7 @@ profile systemd-logind @{exec_path} flags=(complain) {
|
||||||
@{run}/systemd/seats/ rw,
|
@{run}/systemd/seats/ rw,
|
||||||
@{run}/systemd/seats/.#seat* rw,
|
@{run}/systemd/seats/.#seat* rw,
|
||||||
@{run}/systemd/seats/seat[0-9]* rw,
|
@{run}/systemd/seats/seat[0-9]* rw,
|
||||||
@{run}/systemd/inhibit/ r,
|
@{run}/systemd/inhibit/ rw,
|
||||||
@{run}/systemd/inhibit/[0-9]*{,.ref} rw,
|
@{run}/systemd/inhibit/[0-9]*{,.ref} rw,
|
||||||
@{run}/systemd/inhibit/.#* rw,
|
@{run}/systemd/inhibit/.#* rw,
|
||||||
@{run}/systemd/sessions/ rw,
|
@{run}/systemd/sessions/ rw,
|
||||||
|
|
|
@ -65,7 +65,7 @@ profile dkms @{exec_path} {
|
||||||
/{usr/,}lib/modules/*/updates/ rw,
|
/{usr/,}lib/modules/*/updates/ rw,
|
||||||
/{usr/,}lib/modules/*/updates/dkms/ rw,
|
/{usr/,}lib/modules/*/updates/dkms/ rw,
|
||||||
/{usr/,}lib/modules/*/updates/dkms/*.ko rw,
|
/{usr/,}lib/modules/*/updates/dkms/*.ko rw,
|
||||||
/{usr/,}lib/modules/*/kernel/drivers/{,*,*/,**.ko.xz} rw,
|
/{usr/,}lib/modules/*/kernel/drivers/{,*,*/,**.ko.xz,**.ko.zst} rw,
|
||||||
|
|
||||||
/var/lib/dkms/ r,
|
/var/lib/dkms/ r,
|
||||||
/var/lib/dkms/** rw,
|
/var/lib/dkms/** rw,
|
||||||
|
|
|
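Review bot: The widened brace set on the kernel/drivers rule now covers `.ko.xz` and `.ko.zst` but still not plain `.ko` or `.ko.gz`, while the sibling `updates/dkms/*.ko` rule shows that uncompressed modules are written elsewhere in this profile; whether installs into kernel/drivers are always compressed depends on the distribution and is not visible here. If uncompressed modules should be allowed too, `/{usr/,}lib/modules/*/kernel/drivers/{,*,*/,**.ko,**.ko.xz,**.ko.zst} rw,` keeps it to one rule. Because this grants write access to kernel module files, a comment such as `# dkms installs built modules next to the in-tree drivers` would record why the write bit is needed. The profile body continues outside the hunk.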
@ -15,6 +15,8 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected, complain) {
|
||||||
owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw,
|
owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw,
|
||||||
owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-[0-9A-Z]* rw,
|
owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-[0-9A-Z]* rw,
|
||||||
|
|
||||||
|
@{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r,
|
||||||
|
|
||||||
/dev/dri/card[0-9]* rw,
|
/dev/dri/card[0-9]* rw,
|
||||||
|
|
||||||
include if exists <local/xdg-dbus-proxy>
|
include if exists <local/xdg-dbus-proxy>
|
||||||
|
|
|
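Review bot: The new thermal rule uses single-digit globs `thermal_zone[0-9]` and `hwmon[0-9]`, so zone or hwmon indices of 10 and above are not matched, unlike the neighbouring `[0-9]*` patterns in this profile (e.g. `card[0-9]*`). If any index is intended, `@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/hwmon[0-9]*/temp* r,` follows the file's convention. It is also not obvious why a D-Bus proxy reads thermal sensors; a comment naming the proxied application that triggers the access would help. Since the profile carries the complain flag, the mismatch would currently show up as a log entry rather than a denial.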
@ -1,5 +1,5 @@
|
||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Extended systemd directories definition
|
# Extended system directories definition
|
||||||
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@ bootctl complain
|
||||||
borg complain
|
borg complain
|
||||||
cfdisk complain
|
cfdisk complain
|
||||||
cgdisk complain
|
cgdisk complain
|
||||||
chrome-gnome-shell complain
|
|
||||||
dbus-daemon-launch-helper complain
|
dbus-daemon-launch-helper complain
|
||||||
dbus-run-session complain
|
dbus-run-session complain
|
||||||
dkms complain
|
dkms complain
|
||||||
|
@ -40,7 +40,6 @@ glib-genmarshal complain
|
||||||
glib-gettextize complain
|
glib-gettextize complain
|
||||||
glib-mkenums complain
|
glib-mkenums complain
|
||||||
gnome-calculator-search-provider complain
|
gnome-calculator-search-provider complain
|
||||||
gnome-calendar complain
|
|
||||||
gnome-contacts complain
|
gnome-contacts complain
|
||||||
gnome-contacts-search-provider complain
|
gnome-contacts-search-provider complain
|
||||||
gnome-control-center attach_disconnected,complain
|
gnome-control-center attach_disconnected,complain
|
||||||
|
@ -73,8 +72,6 @@ gsd-screensaver-proxy attach_disconnected,complain
|
||||||
gtk-query-immodules complain
|
gtk-query-immodules complain
|
||||||
gvfsd-dav complain
|
gvfsd-dav complain
|
||||||
hostnamectl complain
|
hostnamectl complain
|
||||||
htop complain
|
|
||||||
ibus-daemon attach_disconnected,complain
|
|
||||||
install-info complain
|
install-info complain
|
||||||
kernel-install complain
|
kernel-install complain
|
||||||
kmod complain
|
kmod complain
|
||||||
|
@ -92,7 +89,6 @@ ntfs-3g-probe complain
|
||||||
obex-folder-listing complain
|
obex-folder-listing complain
|
||||||
obexautofs complain
|
obexautofs complain
|
||||||
obexctl complain
|
obexctl complain
|
||||||
obexd complain
|
|
||||||
obexfs complain
|
obexfs complain
|
||||||
obexpush-atd complain
|
obexpush-atd complain
|
||||||
obexpushd complain
|
obexpushd complain
|
||||||
|
|
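Review bot: Dropping the whole `ibus-daemon attach_disconnected,complain` line removes the attach_disconnected flag together with complain, whereas the other four removals in this file (chrome-gnome-shell, gnome-calendar, htop, obexd) only carried complain. If this file drives the profiles' flags and only the complain flag was meant to go, the line should become `ibus-daemon attach_disconnected`. Whether the ibus-daemon profile file sets attach_disconnected itself cannot be seen from this page.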