feat(profile): general updtae.

Alexandre Pujol 2024-09-18 18:10:27 +01:00
parent cc139f1144
commit 7a53fc3a99
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
27 changed files with 158 additions and 184 deletions


@ -57,7 +57,6 @@
@{PROC}/@{pid}/limits r,
@{PROC}/@{pid}/loginuid r,
@{PROC}/@{pid}/stat r,
@{PROC}/sys/kernel/cap_last_cap r,
@{PROC}/sys/kernel/ngroups_max r,
@{PROC}/sys/kernel/seccomp/actions_avail r,


@ -45,7 +45,12 @@
@{sys}/class/ r,
@{sys}/class/drm/ r,
@{sys}/class/video4linux/ r,
@{sys}/devices/@{pci}/{busnum,config,devnum,descriptors,speed,uevent} r,
@{sys}/devices/@{pci}/busnum r,
@{sys}/devices/@{pci}/config r,
@{sys}/devices/@{pci}/descriptors r,
@{sys}/devices/@{pci}/devnum r,
@{sys}/devices/@{pci}/speed r,
@{sys}/devices/@{pci}/uevent r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/meminfo r,


@ -29,5 +29,4 @@
include if exists <abstractions/vulkan-strict.d>
# vim:syntax=apparmor


@ -42,6 +42,8 @@ profile torbrowser-start @{exec_path} {
owner @{lib_dirs}/sed@{rand6} rw,
owner @{lib_dirs}/TorBrowser/Tor/tor r,
owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/sed@{rand6} rw,
owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/start-tor-browser.desktop rw,
owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/sed@{rand6} rw,
owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop rw,


@ -17,24 +17,8 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
signal (receive) set=(term) peer=gdm,
#aa:dbus own bus=accessibility name=org.a11y.atspi.{R,r}egistry
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name=:*),
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=:*),
dbus receive bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
interface=org.a11y.atspi.DeviceEventController
member={GetKeystrokeListeners,GetDeviceEventListeners}
peer=(name=:*),
dbus send bus=session path=/org/a11y/bus
interface=org.a11y.Bus
member=GetAddress
peer=(name=org.a11y.Bus, label=dbus-accessibility),
#aa:dbus own bus=accessibility name=org.a11y.atspi
#aa:dbus talk bus=session name=org.a11y.{B,b}us label=dbus-accessibility
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
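Review bot: `#aa:dbus own bus=accessibility name=org.a11y.atspi` names a shorter prefix than the `org.a11y.atspi.{R,r}egistry` it replaces, so if own directives expand to bind rules on the name and its sub-names, the registry may now claim any org.a11y.atspi.* name rather than just the registry one. The same move — per-interface, per-member `dbus send`/`receive` rules folded into `#aa:dbus talk` directives that name no interface or member — also appears in the xdg-desktop-portal, xdg-desktop-portal-gnome and udisksd sections of this commit; in each case the generated rules should be checked against the explicit rules they replace, since a talk directive presumably covers both directions on every interface. Where the wider scope is intended, say so inline, e.g. `#aa:dbus own bus=accessibility name=org.a11y.atspi # whole prefix on purpose: the registry also owns <other names>`. The at-spi2-registryd profile starts before and ends after this hunk.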


@ -20,6 +20,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
include <abstractions/dconf-write>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict>
capability sys_ptrace,
@ -34,19 +35,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
member=MakeThread*
peer=(name=:*),
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=CheckPermissions
peer=(name=:*, label=NetworkManager),
#aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor
dbus send bus=session path=/org/freedesktop/portal/documents
interface=org.freedesktop.DBus.Properties
peer=(name=:*, label=xdg-document-portal),
dbus send bus=session path=/org/freedesktop/portal/documents
interface=org.freedesktop.portal.Documents
peer=(name=:*, label=xdg-document-portal),
#aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
@ -62,10 +53,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
@{sh_path} rix,
@{bin}/nautilus rPx,
@{bin}/snap rPUx,
@{bin}/kreadconfig5 rPx,
@{lib}/xdg-desktop-portal-validate-icon rPUx,
@{bin}/kreadconfig{,5} rPx,
@{lib}/xdg-desktop-portal-validate-icon rPx,
@{open_path} rPx -> child-open,
/ r,
@ -76,7 +66,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
/etc/sysconfig/proxy r,
/var/lib/gdm{,3}/greeter-dconf-defaults r,
@{GDM_HOME}/greeter-dconf-defaults r,
@{user_config_dirs}/kioslaverc r,
owner @{user_config_dirs}/xdg-desktop-portal/* r,
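Review bot: `@{lib}/xdg-desktop-portal-validate-icon rPx,` in the third hunk drops the unconfined fallback that `rPUx` gave, so the exec now fails closed if no `xdg-desktop-portal-validate-icon` profile is loaded; that is the right direction for a helper whose job is to parse app-supplied icon data, but the commit should ship or reference that profile, and the same applies to `@{bin}/kreadconfig{,5} rPx,`, which now also covers the unversioned binary. A one-line comment would make the dependency explicit: `# validate-icon parses untrusted images: keep it Px, never PUx`. The xdg-desktop-portal profile starts before and ends after these hunks.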


@ -13,7 +13,6 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.Accounts>
include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/bus/org.gnome.Mutter.DisplayConfig>
include <abstractions/bus/org.gnome.Shell.Introspect>
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/dconf-write>
@ -30,39 +29,16 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
signal (receive) set=(hup term) peer=gdm-session-worker,
#aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome
dbus send bus=session path=/org/gnome/Shell/Screenshot
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gnome-shell),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.impl.portal.Background
member=RunningApplicationsChanged
peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.impl.portal.Background
member=GetAppState
peer=(name=:*, label=xdg-desktop-portal),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.impl.portal.Settings
member=SettingChanged
peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal),
dbus (send, receive) bus=session path=/org/gnome/Mutter/*
interface=org.gnome.Mutter.*
peer=(name=:*, label="{gnome-shell,gsd-xsettings}"),
dbus send bus=session path=/org/gnome/Mutter/*
interface=org.freedesktop.DBus.Properties
peer=(name=:*, label="{gnome-shell,gsd-xsettings}"),
#aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal
#aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell
#aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell
@{exec_path} mr,
/ r,
@{bin}/ r,
@{bin}/* r,
/opt/*/* r,
/usr/share/dconf/profile/gdm r,
/usr/share/thumbnailers/{,**} r,
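Review bot: `#aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell` names only gnome-shell as peer, whereas the rules it replaces allowed `label="{gnome-shell,gsd-xsettings}"` on /org/gnome/Mutter/*; if gsd-xsettings still serves any of those objects, those calls are now denied. Either add `#aa:dbus talk bus=session name=org.gnome.Mutter label=gsd-xsettings` or note why the second peer was dropped. The first hunk also appears to drop `include <abstractions/bus/org.gnome.Mutter.DisplayConfig>`, which the talk directive presumably now covers — worth confirming. The xdg-desktop-portal-gnome profile starts before and ends after these hunks.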


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/xdg-user-dir
profile xdg-user-dir @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@{exec_path} mr,
@ -18,8 +19,6 @@ profile xdg-user-dir @{exec_path} flags=(attach_disconnected) {
owner @{user_config_dirs}/user-dirs.dirs r,
/dev/tty rw,
# Silencer
deny network inet stream,
deny network inet6 stream,


@ -62,6 +62,7 @@ profile gpg-agent @{exec_path} {
#aa:only pacman
owner /etc/pacman.d/gnupg/ rw,
owner /etc/pacman.d/gnupg/*.conf r,
owner /etc/pacman.d/gnupg/private-keys-v1.d/ rw,
owner /etc/pacman.d/gnupg/private-keys-v1.d/@{hex}.key rw,
owner /etc/pacman.d/gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw,


@ -19,12 +19,16 @@ profile scdaemon @{exec_path} {
@{exec_path} mr,
#aa:only pacman
owner /etc/pacman.d/gnupg/scdaemon.conf r,
owner /etc/pacman.d/gnupg/S.scdaemon rw,
owner @{HOME}/@{XDG_GPG_DIR}/scdaemon.conf r,
owner @{HOME}/@{XDG_GPG_DIR}common.conf r,
owner @{HOME}/@{XDG_GPG_DIR}/reader_@{int}.status rw,
owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
owner @{run}/user/@{uid}/gnupg/d.*/S.scdaemon rw,
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw,
owner /var/tmp/zypp.*/PublicKey/S.scdaemon w,
owner /var/tmp/zypp.*/zypp-general-kr*/S.scdaemon w,
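Review bot: `owner @{HOME}/@{XDG_GPG_DIR}common.conf r,` is missing the `/` that the surrounding lines (`@{XDG_GPG_DIR}/scdaemon.conf`, `@{XDG_GPG_DIR}/reader_@{int}.status`) put between the variable and the file name, so unless @{XDG_GPG_DIR} expands with a trailing slash this rule never matches and reads of common.conf stay denied. It should read `owner @{HOME}/@{XDG_GPG_DIR}/common.conf r,`. The scdaemon profile starts before and ends after this hunk.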


@ -90,9 +90,10 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
@{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx,
@{lib}/{,NetworkManager/}nm-openvpn-service rPx,
@{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx,
/usr/share/netplan/netplan.script rPx,
/usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
/usr/share/iproute2/{,**} r,
/ r,
/etc/ r,


@ -48,7 +48,10 @@ profile makepkg @{exec_path} {
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
owner @{user_cache_dirs}/makepkg/src/*.asc r,
owner @{tmp}/.git_vtag_tmp@{rand6} rw,
owner @{tmp}/tmp.@{rand10} rw,
owner @{run}/user/@{uid}/ r,
owner @{run}/user/@{uid}/gnupg/ r,


@ -67,6 +67,8 @@ profile yay @{exec_path} {
include <abstractions/base>
include <abstractions/app/editor>
owner @{HOME}/**/ r, # For pwd
owner @{user_cache_dirs}/yay/*/** rw,
include if exists <local/yay_editor>


@ -123,8 +123,6 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
# / r,
@{PROC}/sys/kernel/cap_last_cap r,
include if exists <local/systemd-udevd_systemctl>
}


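--- a/(path not shown on page)
+++ /dev/null
@@ -1,36 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022 Jeroen Rijken
-# SPDX-License-Identifier: GPL-2.0-only
-abi <abi/3.0>,
-include <tunables/global>
-@{exec_path} = @{bin}/xtables-nft-multi
-profile cni-xtables-nft {
-include <abstractions/base>
-include <abstractions/consoles>
-include <abstractions/nameservice-strict>
-capability net_admin,
-capability net_raw,
-network inet dgram,
-network inet6 dgram,
-network inet raw,
-network inet6 raw,
-network inet stream,
-network inet6 stream,
-network netlink raw,
-@{exec_path} mr,
-@{bin}/xtables-legacy-multi mr,
-/etc/libnl/classid r,
-/etc/iptables/{,**} rw,
-/etc/nftables.conf rw,
-@{PROC}/@{pids}/net/ip_tables_names r,
-}
-# vim:syntax=apparmor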


@ -26,11 +26,11 @@ profile cockpit-bridge @{exec_path} {
ptrace read,
signal send set=term peer=cockpit-bridge//sudo,
signal send set=term peer=cockpit-pcp,
signal send set=term peer=dbus-daemon,
signal send set=term peer=journalctl,
signal send set=term peer=ssh-agent,
signal send set=term peer=sudo,
signal send set=term peer=unconfined,
@{exec_path} mr,
@ -41,24 +41,30 @@ profile cockpit-bridge @{exec_path} {
@{bin}/ip ix,
@{bin}/python3.@{int} ix,
@{bin}/test ix,
@{bin}/file ix,
@{bin}/chage Px,
@{bin}/dmidecode Px,
@{bin}/findmnt Px,
@{bin}/journalctl Px,
@{bin}/last Px,
@{bin}/lastlog Px,
@{bin}/lscpu Px,
@{bin}/passwd Px,
@{bin}/ssh-agent Px,
@{bin}/sudo Px, # TODO: rCx -> privilieged ? or rix?
@{bin}/sudo Cx -> sudo,
@{bin}/udevadm Cx -> udevadm,
@{bin}/virsh rPUx,
@{bin}/virt-install PUx, # TODO: rPx
@{lib}/cockpit/cockpit-pcp Px,
@{lib}/cockpit/cockpit-ssh Px,
@{bin}/virsh rPUx,
# The shell is not confined on purpose.
@{bin}/@{shells} Ux,
/usr/{,local/}share/ r,
/usr/share/cockpit/{,**} r,
/usr/share/file/** r,
/usr/share/iproute2/* r,
/etc/cockpit/{,**} r,
@ -71,6 +77,7 @@ profile cockpit-bridge @{exec_path} {
/etc/shells r,
/ r,
@{HOME}/ r,
owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw,
owner @{user_share_dirs}/ r,
@ -103,6 +110,18 @@ profile cockpit-bridge @{exec_path} {
/dev/ptmx rw,
profile sudo {
include <abstractions/base>
include <abstractions/app/sudo>
signal (send receive) set=term peer=cockpit-bridge,
@{bin}/cockpit-bridge Px,
@{lib}/cockpit/cockpit-askpass Px,
include if exists <local/cockpit-bridge_sudo>
}
profile udevadm {
include <abstractions/base>
include <abstractions/app/udevadm>
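Review bot: `@{bin}/cockpit-bridge Px,` inside the new `sudo` child profile (last hunk) sends the privileged bridge back into this same `cockpit-bridge` profile, so the root and session instances run under identical rules, including `@{bin}/@{shells} Ux,` from the second hunk — under sudo that is an unconfined root shell. That silently answers the `# TODO: rCx -> privilieged ?` question the commit removes, and the trade-off should be written down where the transition is declared, e.g. `@{bin}/cockpit-bridge Px, # root bridge re-enters cockpit-bridge: same rules as the session bridge, incl. the Ux shell`. `@{bin}/virt-install PUx, # TODO: rPx` keeps its unconfined fallback in the same hunk. The `udevadm` child profile is cut off by the end of the hunk.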


@ -30,8 +30,6 @@ profile cockpit-update-motd @{exec_path} {
capability net_admin,
capability sys_ptrace,
@{PROC}/sys/kernel/cap_last_cap r,
include if exists <local/cockpit-update-motd_systemctl>
}


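--- /dev/null
+++ b/(path not shown on page)
@@ -0,0 +1,43 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = @{bin}/xtables-nft-multi @{bin}/xtables-legacy-multi
+profile xtables {
+include <abstractions/base>
+include <abstractions/consoles>
+include <abstractions/nameservice-strict>
+capability net_admin,
+capability net_raw,
+network inet dgram,
+network inet6 dgram,
+network inet raw,
+network inet6 raw,
+network inet stream,
+network inet6 stream,
+network netlink raw,
+@{exec_path} mr,
+/usr/share/iproute2/{,**} r,
+/etc/iproute2/{,**} r,
+/etc/iptables/{,**} rw,
+/etc/libnl/classid r,
+/etc/nftables.conf rw,
+@{run}/xtables.lock rwk,
+@{PROC}/@{pids}/net/ip_tables_names r,
+include if exists <local/xtables>
+}
+# vim:syntax=apparmor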
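Review bot: `profile xtables {` declares no attachment path, so a direct run of @{bin}/xtables-nft-multi or @{bin}/xtables-legacy-multi is not confined by this profile; it only takes effect for callers that transition with `Px -> xtables` or `Cx -> xtables`. The removed cni-xtables-nft profile had the same shape, so this may be intended, but it is worth stating on the profile line, e.g. `profile xtables { # no attachment on purpose: entered only via -> xtables from confined callers`. Separately, `/etc/iptables/{,**} rw,` and `/etc/nftables.conf rw,` let the xtables binaries themselves rewrite the persistent ruleset; if persistence is always done by a shell redirect in the caller, `r` would be sufficient here and the write stays with the caller's profile.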


@ -27,8 +27,6 @@ profile aa-log @{exec_path} {
/{run,var}/log/journal/ r,
/{run,var}/log/journal/@{hex32}/{,*} r,
@{PROC}/sys/kernel/cap_last_cap r,
/dev/tty@{int} rw,
include if exists <local/aa-log>


@ -10,35 +10,28 @@ include <tunables/global>
@{exec_path} = @{bin}/convertall /usr/share/convertall/convertall.py
profile convertall @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/desktop>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/dri-enumerate>
include <abstractions/python>
include <abstractions/qt5>
include <abstractions/qt5-compose-cache-write>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/python>
include <abstractions/qt5-compose-cache-write>
@{exec_path} r,
@{sh_path} rix,
@{bin}/python3.@{int} rix,
owner @{HOME}/.convertall rw,
deny owner @{PROC}/@{pid}/cmdline r,
/usr/share/convertall/{,**} r,
/usr/share/doc/convertall/{,*} r,
/usr/share/hwdata/pnp.ids r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{HOME}/.convertall rw,
deny owner @{PROC}/@{pid}/cmdline r,
include if exists <local/convertall>
}


@ -15,47 +15,47 @@ profile pass @{exec_path} {
@{exec_path} mr,
@{sh_path} rix,
@{bin}/base64 rix,
@{bin}/basename rix,
@{bin}/cat rix,
@{bin}/cp rix,
@{bin}/diff rix,
@{bin}/dirname rix,
@{bin}/env rix,
@{bin}/find rix,
@{bin}/getopt rix,
@{bin}/grep rix,
@{bin}/head rix,
@{bin}/mkdir rix,
@{bin}/mktemp rix,
@{bin}/mv rix,
@{bin}/rm rix,
@{bin}/rmdir rix,
@{bin}/sed rix,
@{bin}/shred rix,
@{bin}/sleep rix,
@{bin}/sort rix,
@{bin}/tail rix,
@{bin}/touch rix,
@{bin}/tr rix,
@{bin}/tree rix,
@{bin}/tty rix,
@{bin}/which rix,
@{bin}/base64 ix,
@{bin}/basename ix,
@{bin}/cat ix,
@{bin}/cp ix,
@{bin}/diff ix,
@{bin}/dirname ix,
@{bin}/env r,
@{bin}/find ix,
@{bin}/getopt ix,
@{bin}/grep ix,
@{bin}/head ix,
@{bin}/mkdir ix,
@{bin}/mktemp ix,
@{bin}/mv ix,
@{bin}/rm ix,
@{bin}/rmdir ix,
@{bin}/sed ix,
@{bin}/shred ix,
@{bin}/sleep ix,
@{bin}/sort ix,
@{bin}/tail ix,
@{bin}/touch ix,
@{bin}/tr ix,
@{bin}/tree ix,
@{bin}/tty ix,
@{bin}/which ix,
@{bin}/git rCx -> git,
@{bin}/gpg{2,} rCx -> gpg,
@{bin}/pkill rCx -> pkill,
@{bin}/qdbus rCx -> qdbus,
@{editor_path} rCx -> editor,
@{lib}/git{,-core}/git rCx -> git,
@{bin}/wl-{copy,paste} rPx,
@{bin}/xclip rPx,
@{bin}/git Cx -> git,
@{bin}/gpg{2,} Cx -> gpg,
@{bin}/pkill Cx -> pkill,
@{bin}/qdbus Cx -> qdbus,
@{bin}/wl-{copy,paste} Px,
@{bin}/xclip Px,
@{editor_path} Cx -> editor,
@{lib}/git{,-core}/git Cx -> git,
# Pass extensions
@{bin}/oathtool rix, # pass-otp
@{bin}/python3.@{int} rPx -> pass-import, # pass-import, pass-audit
@{bin}/qrencode rPUx, # pass-otp
@{bin}/tomb rPUx, # pass-tomb
@{bin}/oathtool ix, # pass-otp
@{bin}/python3.@{int} Px -> pass-import, # pass-import, pass-audit
@{bin}/qrencode PUx, # pass-otp
@{bin}/tomb PUx, # pass-tomb
/usr/share/terminfo/** r,
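Review bot: `@{bin}/env r,` replaces `@{bin}/env rix,`, which is the only semantic change in an otherwise stylistic rix→ix / rPx→Px / rCx→Cx rewrite, and it removes the right to execute env from inside the profile. If env is only ever the shebang interpreter the kernel runs when pass itself is attached, `r` is enough; but any explicit `env ...` invocation in the script or in an extension is now denied, so check for that before keeping it, or restore `@{bin}/env rix,`. The pass profile starts before and ends after this hunk.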


@ -7,8 +7,10 @@ abi <abi/3.0>,
include <tunables/global>
@{name} = signal-desktop{,-beta}
@{lib_dirs} = @{lib}/signal-desktop /opt/Signal{,?Beta}
@{config_dirs} = @{user_config_dirs}/Signal{,?Beta}
@{cache_dirs} = @{user_cache_dirs}/@{name}
@{exec_path} = @{lib_dirs}/chrome-sandbox
profile signal-desktop-chrome-sandbox @{exec_path} {
@ -19,7 +21,7 @@ profile signal-desktop-chrome-sandbox @{exec_path} {
@{exec_path} mr,
@{lib_dirs}/signal-desktop{,-beta} rPx,
@{lib_dirs}/@{name} rPx,
@{PROC}/@{pid}/ r,
@{PROC}/@{pid}/oom_adj w,


@ -17,7 +17,6 @@ profile spice-client-glib-usb-acl-helper @{exec_path} {
@{exec_path} mr,
@{PROC}/sys/kernel/cap_last_cap r,
owner @{PROC}/@{pid}/stat r,
include if exists <local/spice-client-glib-usb-acl-helper>


@ -12,7 +12,7 @@ profile switcherooctl @{exec_path} {
include <abstractions/bus-system>
include <abstractions/python>
#aa:dbus own bus=system name=net.hadess.SwitcherooControl
#aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control
@{exec_path} mr,


@ -115,9 +115,10 @@ profile tomb @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search,
capability sys_admin,
umount @{MOUNTS}/{,*/},
umount @{MOUNTS}/{,**/},
@{bin}/umount mr,
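Review bot: `umount @{MOUNTS}/{,**/},` widens the previous `{,*/}` from one directory level to any depth below @{MOUNTS}, so this (sub)profile, which also holds `capability sys_admin,`, can now unmount nested mountpoints that are not tomb's own. If tombs can be opened at nested paths the wider rule is needed, but the reason belongs next to it, e.g. `# tombs may be mounted several levels below @{MOUNTS}`; otherwise keep the single-level form. The enclosing profile starts before and ends after this hunk.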


@ -11,8 +11,6 @@ include <tunables/global>
profile udisksd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.login1>
include <abstractions/bus/org.freedesktop.PolicyKit1>
include <abstractions/disks-write>
include <abstractions/nameservice-strict>
@ -60,9 +58,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
umount @{run}/udisks2/temp-mount-*/,
umount /media/cdrom@{int}/,
signal (receive) set=(int) peer=@{p_systemd},
signal receive set=int peer=@{p_systemd},
#aa:dbus own bus=system name=org.freedesktop.UDisks2
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
#aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
@ -88,6 +88,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
@{bin}/sgdisk rPx,
@{bin}/systemctl rCx -> systemctl,
@{bin}/systemd-escape rPx,
@{bin}/xfs_db rPUx,
/etc/crypttab r,
/etc/fstab r,
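Review bot: `@{bin}/xfs_db rPUx,` in the last hunk adds an unconfined fallback for a tool that udisksd presumably runs to inspect XFS metadata on the devices it manages — confirm, but for removable media that metadata is attacker-controlled. The neighbouring helpers `@{bin}/sgdisk rPx,` and `@{bin}/systemd-escape rPx,` are confined by their own profiles; prefer `@{bin}/xfs_db rPx,` with a dedicated profile (or `rCx -> xfs_db` with a minimal child) so a parser bug in xfs_db does not yield an unconfined root process. The udisksd profile starts before and ends after these hunks.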


@ -10,20 +10,13 @@ include <tunables/global>
@{exec_path} = @{bin}/wpa_gui
profile wpa-gui @{exec_path} {
include <abstractions/base>
include <abstractions/dri-enumerate>
include <abstractions/graphics>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/desktop>
include <abstractions/nameservice-strict>
include <abstractions/qt5>
include <abstractions/X>
@{exec_path} mr,
/usr/share/hwdata/pnp.ids r,
owner @{tmp}/wpa_ctrl_@{pid}-[0-9] w,
owner /dev/shm/#@{int} rw,