refactor(profiles): use @{bin} and @{lib} in profiles (6)

Alexandre Pujol 2023-07-09 14:46:56 +01:00
parent fcedbbfd95
commit 7c2c806ffa
156 changed files with 828 additions and 791 deletions


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/macchanger
@{exec_path} = @{bin}/macchanger
profile macchanger @{exec_path} {
include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/man
@{exec_path} = @{bin}/man
profile man @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -19,30 +19,30 @@ profile man @{exec_path} {
# Use a special profile when man calls anything groff-related. We only include
# the programs that actually parse input data in a non-trivial way, not
# wrappers such as groff and nroff, since they would need a broader profile.
/{usr/,}bin/eqn rCx -> man_groff,
/{usr/,}bin/grap rCx -> man_groff,
/{usr/,}bin/pic rCx -> man_groff,
/{usr/,}bin/preconv rCx -> man_groff,
/{usr/,}bin/refer rCx -> man_groff,
/{usr/,}bin/tbl rCx -> man_groff,
/{usr/,}bin/troff rCx -> man_groff,
/{usr/,}bin/vgrind rCx -> man_groff,
@{bin}/eqn rCx -> man_groff,
@{bin}/grap rCx -> man_groff,
@{bin}/pic rCx -> man_groff,
@{bin}/preconv rCx -> man_groff,
@{bin}/refer rCx -> man_groff,
@{bin}/tbl rCx -> man_groff,
@{bin}/troff rCx -> man_groff,
@{bin}/vgrind rCx -> man_groff,
# Use a special profile when man calls decompressors and other simple filters.
/{usr/,}bin/bzip2 rCx -> man_filter,
/{usr/,}bin/gzip rCx -> man_filter,
/{usr/,}bin/col rCx -> man_filter,
/{usr/,}bin/compress rCx -> man_filter,
/{usr/,}bin/iconv rCx -> man_filter,
/{usr/,}bin/lzip.lzip rCx -> man_filter,
/{usr/,}bin/tr rCx -> man_filter,
/{usr/,}bin/xz rCx -> man_filter,
@{bin}/bzip2 rCx -> man_filter,
@{bin}/gzip rCx -> man_filter,
@{bin}/col rCx -> man_filter,
@{bin}/compress rCx -> man_filter,
@{bin}/iconv rCx -> man_filter,
@{bin}/lzip.lzip rCx -> man_filter,
@{bin}/tr rCx -> man_filter,
@{bin}/xz rCx -> man_filter,
/{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
/{usr/,}bin/locale rix,
@{bin}/locale rix,
/usr/share/groff/{,**} r,
@ -64,16 +64,16 @@ profile man_groff {
signal peer=man,
/{usr/,}bin/eqn mr,
/{usr/,}bin/grap mr,
/{usr/,}bin/pic mr,
/{usr/,}bin/preconv mr,
/{usr/,}bin/refer mr,
/{usr/,}bin/tbl mr,
/{usr/,}bin/troff mr,
/{usr/,}bin/vgrind mr,
@{bin}/eqn mr,
@{bin}/grap mr,
@{bin}/pic mr,
@{bin}/preconv mr,
@{bin}/refer mr,
@{bin}/tbl mr,
@{bin}/troff mr,
@{bin}/vgrind mr,
/{usr/,}lib/groff/site-tmac/** r,
@{lib}/groff/site-tmac/** r,
/usr/share/groff/** r,
/etc/groff/** r,
@ -91,14 +91,14 @@ profile man_filter {
signal peer=man,
/{usr/,}bin/bzip2 mr,
/{usr/,}bin/gzip mr,
/{usr/,}bin/col mr,
/{usr/,}bin/compress mr,
/{usr/,}bin/iconv mr,
/{usr/,}bin/lzip.lzip mr,
/{usr/,}bin/tr mr,
/{usr/,}bin/xz mr,
@{bin}/bzip2 mr,
@{bin}/gzip mr,
@{bin}/col mr,
@{bin}/compress mr,
@{bin}/iconv mr,
@{bin}/lzip.lzip mr,
@{bin}/tr mr,
@{bin}/xz mr,
# Manual pages can be more or less anywhere, especially with "man -l", and
# there's no harm in allowing wide read access here since the worst it can


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mandb
@{exec_path} = @{bin}/mandb
profile mandb @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mdevctl
@{exec_path} = @{bin}/mdevctl
profile mdevctl @{exec_path} {
include <abstractions/base>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mediainfo
@{exec_path} = @{bin}/mediainfo
profile mediainfo @{exec_path} {
include <abstractions/base>
include <abstractions/user-download-strict>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mediainfo-gui
@{exec_path} = @{bin}/mediainfo-gui
profile mediainfo-gui @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
@ -19,7 +19,7 @@ profile mediainfo-gui @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/xdg-open rCx -> open,
owner @{user_music_dirs}/** r,
owner @{user_videos_dirs}/** r,
@ -28,14 +28,14 @@ profile mediainfo-gui @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
/{usr/,}lib/firefox/firefox rPx,
@{lib}/firefox/firefox rPx,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/megasync
@{exec_path} = @{bin}/megasync
profile megasync @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -32,14 +32,14 @@ profile megasync @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/{m,g,}awk rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/{m,g,}awk rix,
/{usr/,}bin/xrdb rPx,
/{usr/,}bin/xdg-mime rPx,
@{bin}/xrdb rPx,
@{bin}/xdg-mime rPx,
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/xdg-open rCx -> open,
# Megasync home files
owner @{HOME}/ r,
@ -76,8 +76,8 @@ profile megasync @{exec_path} {
/usr/share/hwdata/pnp.ids r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/spacefm rPx,
@{lib}/firefox/firefox rPx,
@{bin}/spacefm rPx,
# file_inherit
owner /dev/tty[0-9]* rw,
@ -87,12 +87,12 @@ profile megasync @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner "@{user_share_dirs}/data/Mega Limited/MEGAsync/" r,
@ -100,8 +100,8 @@ profile megasync @{exec_path} {
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/spacefm rPx,
@{lib}/firefox/firefox rPx,
@{bin}/spacefm rPx,
# file_inherit
owner "@{user_share_dirs}/data/Mega Limited/MEGAsync/logs/MEGAsync.log" rw,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/memtester
@{exec_path} = @{bin}/memtester
profile memtester @{exec_path} {
include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/merkaartor
@{exec_path} = @{bin}/merkaartor
profile merkaartor @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mimetype
@{exec_path} = @{bin}/mimetype
profile mimetype @{exec_path} {
include <abstractions/base>
include <abstractions/perl>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/minitube
@{exec_path} = @{bin}/minitube
profile minitube @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -86,13 +86,13 @@ profile minitube @{exec_path} {
owner /tmp/qtsingleapp-minitu-* rw,
owner /tmp/qtsingleapp-minitu-*-lockfile rwk,
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/xdg-open rCx -> open,
# Be able to turn off the screensaver while playing movies
/{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver,
@{bin}/xdg-screensaver rCx -> xdg-screensaver,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
@{lib}/firefox/firefox rPx,
# file_inherit
owner /dev/tty[0-9]* rw,
@ -102,19 +102,19 @@ profile minitube @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
@ -125,16 +125,16 @@ profile minitube @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/xdg-screensaver mr,
@{bin}/xdg-screensaver mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/xset rix,
/{usr/,}bin/xautolock rix,
/{usr/,}bin/dbus-send rix,
@{bin}/{,ba,da}sh rix,
@{bin}/mv rix,
@{bin}/{,e}grep rix,
@{bin}/sed rix,
@{bin}/which{,.debianutils} rix,
@{bin}/xset rix,
@{bin}/xautolock rix,
@{bin}/dbus-send rix,
owner @{HOME}/.Xauthority r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/{,telepathy/}mission-control-5
@{exec_path} = @{lib}/{,telepathy/}mission-control-5
profile mission-control @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf-write>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/{mke2fs,mkfs.ext2,mkfs.ext3,mkfs.ext4}
@{exec_path} = @{bin}/{mke2fs,mkfs.ext2,mkfs.ext3,mkfs.ext4}
profile mke2fs @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
@ -18,8 +18,8 @@ profile mke2fs @{exec_path} {
@{exec_path} mr,
# To check for badblocks
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}{s,}bin/badblocks rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/badblocks rPx,
/usr/share/file/misc/magic.mgc r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/mkfs.btrfs
@{exec_path} = @{bin}/mkfs.btrfs
profile mkfs-btrfs @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/{mkfs.fat,mkfs.msdos,mkfs.vfat,mkdosfs}
@{exec_path} = @{bin}/{mkfs.fat,mkfs.msdos,mkfs.vfat,mkdosfs}
profile mkfs-fat @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/mkinitramfs
@{exec_path} = @{bin}/mkinitramfs
profile mkinitramfs @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -19,49 +19,49 @@ profile mkinitramfs @{exec_path} {
capability fsetid,
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}{s,}bin/ r,
/{usr/,}lib/ r,
/{usr/,}lib64/ r,
@{bin}/ r,
@{lib}/ r,
@{lib}64/ r,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cpio rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/env rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/id rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/lzma rix,
/{usr/,}bin/lzop rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/rmdir rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/tsort rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/zstd rix,
@{bin}/{,e}grep rix,
@{bin}/basename rix,
@{bin}/bzip2 rix,
@{bin}/cat rix,
@{bin}/chmod rix,
@{bin}/cp rix,
@{bin}/cpio rix,
@{bin}/dirname rix,
@{bin}/env rix,
@{bin}/getopt rix,
@{bin}/gzip rix,
@{bin}/id rix,
@{bin}/ln rix,
@{bin}/lzma rix,
@{bin}/lzop rix,
@{bin}/mkdir rix,
@{bin}/mktemp rix,
@{bin}/readlink rix,
@{bin}/rm rix,
@{bin}/rmdir rix,
@{bin}/sed rix,
@{bin}/sort rix,
@{bin}/touch rix,
@{bin}/tr rix,
@{bin}/tsort rix,
@{bin}/xargs rix,
@{bin}/xz rix,
@{bin}/zstd rix,
/{usr/,}bin/ldd rCx -> ldd,
/{usr/,}lib{32,64}/ld-linux.so.2 rCx -> ldd,
/{usr/,}sbin/ldconfig rCx -> ldconfig,
/{usr/,}bin/find rCx -> find,
/{usr/,}bin/kmod rCx -> kmod,
@{bin}/find rCx -> find,
@{bin}/kmod rCx -> kmod,
@{bin}/ldconfig rCx -> ldconfig,
@{bin}/ldd rCx -> ldd,
@{lib}/ld-linux.so.2 rCx -> ldd,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/linux-version rPx,
@{bin}/dpkg rPx -> child-dpkg,
@{bin}/linux-version rPx,
# What to do with it? (#FIXME#)
/usr/share/initramfs-tools/hooks/* rPUx,
@ -98,14 +98,14 @@ profile mkinitramfs @{exec_path} {
include <abstractions/consoles>
include <abstractions/nameservice-strict>
/{usr/,}bin/ldd mr,
@{bin}/ldd mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/kmod mr,
/{usr/,}lib/initramfs-tools/bin/* mr,
@{bin}/{,ba,da}sh rix,
@{bin}/kmod mr,
@{lib}/initramfs-tools/bin/* mr,
/{usr/,}lib/@{multiarch}/ld-*.so* rix,
/{usr/,}lib{,x}32/ld-*.so{,.2} rix,
@{lib}/@{multiarch}/ld-*.so* rix,
@{lib}{,x}32/ld-*.so{,.2} rix,
}
@ -115,10 +115,10 @@ profile mkinitramfs @{exec_path} {
capability sys_chroot,
/{usr/,}{s,}bin/ldconfig mr,
@{bin}/ldconfig mr,
/{usr/,}{s,}bin/ldconfig.real rix,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
@{bin}/ldconfig.real rix,
owner /var/tmp/mkinitramfs_*/etc/ld.so.conf r,
owner /var/tmp/mkinitramfs_*/etc/ld.so.conf.d/{,*.conf} r,
@ -139,7 +139,7 @@ profile mkinitramfs @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/find mr,
@{bin}/find mr,
# pwd dir
/ r,
@ -158,7 +158,7 @@ profile mkinitramfs @{exec_path} {
include <abstractions/consoles>
include <abstractions/openssl>
/{usr/,}bin/kmod mr,
@{bin}/kmod mr,
@{PROC}/cmdline r,
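Review bot: The lib conversions in the first hunk of this section (`@ -19,49 +19,49 @@`) disagree about what `@{lib}` covers: `/{usr/,}lib64/ r,` became `@{lib}64/ r,` and `/{usr/,}lib{,x}32/ld-*.so{,.2} rix,` became `@{lib}{,x}32/ld-*.so{,.2} rix,`, both keeping an explicit 32/64 suffix, while `/{usr/,}lib{32,64}/ld-linux.so.2 rCx -> ldd,` became `@{lib}/ld-linux.so.2 rCx -> ldd,` with the suffix dropped. If the tunable in `tunables/global` already alternates over lib32/lib64 (it is not on this page), the suffixed forms concatenate into paths such as `/usr/lib3264/` and are redundant with the `@{lib}/ r,` line just above; if it does not, the ldd transition rule has silently lost its lib32/lib64 targets and mkinitramfs would be denied the exec on those systems. One side should be corrected against the tunable definition: either drop the `@{lib}64/` line and write `@{lib}/ld-*.so{,.2} rix,`, or restore an explicit lib32/lib64 alternation on the ldd rule. The mkinitramfs profile body continues outside these hunks.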


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/{mkntfs,mkfs.ntfs}
@{exec_path} = @{bin}/{mkntfs,mkfs.ntfs}
profile mkntfs @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/mkswap
@{exec_path} = @{bin}/mkswap
profile mkswap @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mkvmerge
@{exec_path} = @{bin}/mkvmerge
profile mkvmerge @{exec_path} {
include <abstractions/base>
include <abstractions/user-download-strict>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mkvtoolnix-gui
@{exec_path} = @{bin}/mkvtoolnix-gui
profile mkvtoolnix-gui @{exec_path} {
include <abstractions/base>
include <abstractions/dri-enumerate>
@ -28,8 +28,8 @@ profile mkvtoolnix-gui @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/mkvmerge rPx,
/{usr/,}bin/mediainfo-gui rPx,
@{bin}/mkvmerge rPx,
@{bin}/mediainfo-gui rPx,
/usr/share/qt5ct/** r,
/usr/share/hwdata/pnp.ids r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mlocate
@{exec_path} = @{bin}/mlocate
profile mlocate @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>


@ -6,27 +6,27 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/modprobed-db
@{exec_path} = @{bin}/modprobed-db
profile modprobed-db @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/getent rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/logname rix,
/{usr/,}bin/md5sum rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/uniq rix,
/{usr/,}bin/wc rix,
@{bin}/{,ba,da}sh rix,
@{bin}/cat rix,
@{bin}/cp rix,
@{bin}/cut rix,
@{bin}/gawk rix,
@{bin}/getent rix,
@{bin}/grep rix,
@{bin}/logname rix,
@{bin}/md5sum rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/sort rix,
@{bin}/uniq rix,
@{bin}/wc rix,
/usr/share/terminfo/x/xterm-256color r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/molly-guard/molly-guard
@{exec_path} = @{lib}/molly-guard/molly-guard
profile molly-guard @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -17,13 +17,13 @@ profile molly-guard @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/hostname rix,
/{usr/,}bin/{,e,p}grep rix,
/{usr/,}bin/run-parts rix,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/tr rix,
/{usr/,}bin/tty rix,
@{bin}/{,ba,da}sh rix,
@{bin}/hostname rix,
@{bin}/{,e,p}grep rix,
@{bin}/run-parts rix,
@{bin}/systemctl rPx -> child-systemctl,
@{bin}/tr rix,
@{bin}/tty rix,
/etc/molly-guard/{,**} r,
/etc/molly-guard/run.d/* rix,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/monitorix
@{exec_path} = @{bin}/monitorix
profile monitorix @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
@ -33,20 +33,20 @@ profile monitorix @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/df rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/tail rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/free rix,
/{usr/,}bin/ss rix,
/{usr/,}bin/who rix,
/{usr/,}sbin/lvm rix,
/{usr/,}sbin/xtables-nft-multi rix,
/{usr/,}bin/sensors rix,
/{usr/,}bin/getconf rix,
/{usr/,}bin/ps rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/df rix,
@{bin}/cat rix,
@{bin}/tail rix,
@{bin}/{m,g,}awk rix,
@{bin}/free rix,
@{bin}/ss rix,
@{bin}/who rix,
@{bin}/lvm rix,
@{bin}/xtables-nft-multi rix,
@{bin}/sensors rix,
@{bin}/getconf rix,
@{bin}/ps rix,
/etc/monitorix/monitorix.conf r,
/etc/monitorix/conf.d/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mono-sgen
@{exec_path} = @{bin}/mono-sgen
profile mono-sgen @{exec_path} {
include <abstractions/base>
include <abstractions/audio>
@ -26,9 +26,9 @@ profile mono-sgen @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/ r,
@{bin}/ r,
/{usr/,}local/bin/ r,
/{usr/,}bin/* rPUx,
@{bin}/* rPUx,
/usr/share/.mono/{,**} rw,
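Review bot: `@{bin}/* rPUx,` is wider than the `/{usr/,}bin/* rPUx,` it replaces if `@{bin}` expands to `/{usr/,}{s,}bin`, which the other conversions in this commit imply (`/{usr/,}{s,}bin/memtester` and `/{usr/,}{s,}bin/mount` both become `@{bin}/...`). With that expansion mono-sgen may now launch any sbin binary with unconfined fallback, whereas the old rule covered bin only; the `@{bin}/ r,` directory rule above it widens the same way. If the widening is not intended, keep the explicit form `/{usr/,}bin/* rPUx,` here, or better narrow it to a named list of the binaries mono is known to spawn. On distributions that merge sbin into bin the difference disappears, which may be why it is easy to miss.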


@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/mount
@{exec_path} = @{bin}/mount
profile mount @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
@ -33,10 +33,10 @@ profile mount @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}{s,}bin/lowntfs-3g rPx,
/{usr/,}{s,}bin/mount.* rPx,
/{usr/,}bin/ntfs-3g rPx,
/{usr/,}bin/sshfs rPx,
@{bin}/lowntfs-3g rPx,
@{bin}/mount.* rPx,
@{bin}/ntfs-3g rPx,
@{bin}/sshfs rPx,
/etc/fstab r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/mount.cifs
@{exec_path} = @{bin}/mount.cifs
profile mount-cifs @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -24,7 +24,7 @@ profile mount-cifs @{exec_path} flags=(complain) {
@{exec_path} mr,
/{usr/,}bin/systemd-ask-password rPUx,
@{bin}/systemd-ask-password rPUx,
/etc/fstab r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/mount.nfs
@{exec_path} = @{bin}/mount.nfs
profile mount-nfs @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -27,9 +27,9 @@ profile mount-nfs @{exec_path} flags=(complain) {
@{exec_path} mr,
/{usr/,}{s,}bin/start-statd rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/flock rix,
@{bin}/{,ba,da}sh rix,
@{bin}/flock rix,
@{bin}/start-statd rix,
/usr/bin/systemctl rPx -> child-systemctl,
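Review bot: The `/usr/bin/systemctl rPx -> child-systemctl,` rule directly under the converted lines is still a hard-coded absolute path, so on a system where systemctl is installed under /bin rather than /usr/bin the transition to child-systemctl will not match and the exec is denied. It is a context line the commit left alone, but it belongs to the same refactor; change it to `@{bin}/systemctl rPx -> child-systemctl,` as the molly-guard profile in this commit already does. The mount-nfs profile body continues past this hunk.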


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/mount.zfs
@{exec_path} = @{bin}/mount.zfs
profile mount-zfs @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mpsyt
@{exec_path} = @{bin}/mpsyt
profile mpsyt @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@ -24,16 +24,16 @@ profile mpsyt @{exec_path} {
network netlink raw,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/tset rix,
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/uname rix,
@{bin}/ r,
@{bin}/ldconfig rix,
@{bin}/tset rix,
@{bin}/uname rix,
/{usr/,}bin/mpv rPUx,
/{usr/,}bin/ffmpeg rPUx,
/{usr/,}bin/ffprobe rPUx,
@{bin}/mpv rPUx,
@{bin}/ffmpeg rPUx,
@{bin}/ffprobe rPUx,
# MPV config files
/etc/mpv/* r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mpv
@{exec_path} = @{bin}/mpv
profile mpv @{exec_path} {
include <abstractions/base>
include <abstractions/audio>
@ -36,10 +36,10 @@ profile mpv @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver,
@{bin}/xdg-screensaver rCx -> xdg-screensaver,
/{usr/,}bin/youtube-dl rPx,
/{usr/,}bin/yt-dlp rPx,
@{bin}/youtube-dl rPx,
@{bin}/yt-dlp rPx,
/etc/mpv/* r,
/etc/samba/smb.conf r,
@ -90,17 +90,17 @@ profile mpv @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/xdg-screensaver mr,
@{bin}/xdg-screensaver mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/xset rix,
/{usr/,}bin/xautolock rix,
/{usr/,}bin/dbus-send rix,
/{usr/,}bin/xscreensaver-command rix,
@{bin}/{,ba,da}sh rix,
@{bin}/mv rix,
@{bin}/{,e}grep rix,
@{bin}/sed rix,
@{bin}/which{,.debianutils} rix,
@{bin}/xset rix,
@{bin}/xautolock rix,
@{bin}/dbus-send rix,
@{bin}/xscreensaver-command rix,
owner @{HOME}/.Xauthority r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/{mtools,mattrib,mbadblocks,mcat,mcd,mclasserase,mcopy,mdel,mdeltree,mdir,mdu,mformat,minfo,mlabel,mmd,mmount,mmove,mpartition,mrd,mren,mshortname,mshowfat,mtoolstest,mtype,mzip}
@{exec_path} = @{bin}/{mtools,mattrib,mbadblocks,mcat,mcd,mclasserase,mcopy,mdel,mdeltree,mdir,mdu,mformat,minfo,mlabel,mmd,mmount,mmove,mpartition,mrd,mren,mshortname,mshowfat,mtoolstest,mtype,mzip}
profile mtools @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mtr
@{exec_path} = @{bin}/mtr
profile mtr @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
@ -23,7 +23,7 @@ profile mtr @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/mtr-packet rPx,
@{bin}/mtr-packet rPx,
include if exists <local/mtr>
}


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mtr-packet
@{exec_path} = @{bin}/mtr-packet
profile mtr-packet @{exec_path} {
include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mumble
@{exec_path} = @{bin}/mumble
profile mumble @{exec_path} {
include <abstractions/base>
include <abstractions/X>
@ -34,8 +34,8 @@ profile mumble @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/xdg-open rCx -> open,
# Mumble home files
owner @{HOME}/ r,
@ -71,7 +71,7 @@ profile mumble @{exec_path} {
/usr/share/hwdata/pnp.ids r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner /dev/tty[0-9]* rw,
@ -81,19 +81,19 @@ profile mumble @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -6,18 +6,18 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mumble-overlay
@{exec_path} = @{bin}/mumble-overlay
profile mumble-overlay @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/file rix,
/{usr/,}bin/which{,.debianutils} rix,
@{bin}/file rix,
@{bin}/which{,.debianutils} rix,
/{usr/,}bin/glxgears rPx,
@{bin}/glxgears rPx,
/etc/magic r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/needrestart
@{exec_path} = @{bin}/needrestart
profile needrestart @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
@ -23,23 +23,23 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/dpkg-query rpx,
/{usr/,}bin/fail2ban-server rPx,
/{usr/,}bin/locale rix,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/systemctl rPx,
/{usr/,}bin/systemd-detect-virt rPx,
/{usr/,}bin/udevadm rPx,
/{usr/,}bin/whiptail rPx,
/{usr/,}bin/who rix,
/{usr/,}lib/needrestart/iucode-scan-versions rPx,
/usr/share/debconf/frontend rix,
@{bin}/{,ba,da}sh rix,
@{bin}/dpkg-query rpx,
@{bin}/fail2ban-server rPx,
@{bin}/locale rix,
@{bin}/python3.[0-9]* rix,
@{bin}/sed rix,
@{bin}/stty rix,
@{bin}/systemctl rPx,
@{bin}/systemd-detect-virt rPx,
@{bin}/udevadm rPx,
@{bin}/whiptail rPx,
@{bin}/who rix,
@{lib}/needrestart/iucode-scan-versions rPx,
/usr/share/debconf/frontend rix,
/{usr/,}bin/networkd-dispatcher r,
/{usr/,}bin/gettext.sh r,
@{bin}/networkd-dispatcher r,
@{bin}/gettext.sh r,
/usr/share/needrestart/{,**} r,
/usr/share/unattended-upgrades/unattended-upgrade-shutdown r,
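Review bot: `@{bin}/dpkg-query rpx,` in the second hunk uses the lowercase `p` exec modifier while every other profile transition in this section uses `Px`; lowercase `px` transitions to the target profile without scrubbing the environment, so variables inherited by needrestart are passed through to dpkg-query. The modifier is carried over from the old line rather than introduced here, but the refactor is the natural place to normalise it: `@{bin}/dpkg-query rPx,`. If the unscrubbed environment is deliberate it deserves a one-line comment saying why. The needrestart profile body continues outside the hunk.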


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/needrestart/apt-pinvoke
@{exec_path} = @{lib}/needrestart/apt-pinvoke
profile needrestart-apt-pinvoke @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -14,10 +14,10 @@ profile needrestart-apt-pinvoke @{exec_path} {
@{exec_path} mr,
/{usr/,}{s,}bin/needrestart rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/dbus-send rix,
/{usr/,}bin/rm rix,
@{bin}/{,ba,da}sh rix,
@{bin}/dbus-send rix,
@{bin}/needrestart rPx,
@{bin}/rm rix,
@{run}/needrestart/{,**} rw,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/needrestart/dpkg-status
@{exec_path} = @{lib}/needrestart/dpkg-status
profile needrestart-dpkg-status @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -15,9 +15,9 @@ profile needrestart-dpkg-status @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/touch rix,
@{bin}/{,ba,da}sh rix,
@{bin}/mkdir rix,
@{bin}/touch rix,
@{run}/needrestart/{,**} rw,


@ -6,17 +6,17 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/needrestart/iucode-scan-versions
@{exec_path} = @{lib}/needrestart/iucode-scan-versions
profile needrestart-iucode-scan-versions @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}{s,}bin/iucode_tool rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/bsdtar rix,
/{usr/,}bin/cat rix,
@{bin}/iucode_tool rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/bsdtar rix,
@{bin}/cat rix,
/usr/share/misc/ r,
/usr/share/misc/intel-microcode* r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/nemo
@{exec_path} = @{bin}/nemo
profile nemo @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
@ -32,9 +32,9 @@ profile nemo @{exec_path} {
@{exec_path} mr,
/{usr/,}lib/@{multiarch}/nemo/** mrix,
@{lib}/@{multiarch}/nemo/** mrix,
/usr/libexec/gvfsd-* rPx,
@{lib}/gvfsd-* rPx,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/netcap
@{exec_path} = @{bin}/netcap
profile netcap @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/nethogs
@{exec_path} = @{bin}/nethogs
profile nethogs @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>


@ -9,7 +9,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/netstat
@{exec_path} = @{bin}/netstat
profile netstat @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/newgidmap
@{exec_path} = @{bin}/newgidmap
profile newgidmap @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/newgrp
@{exec_path} = @{bin}/newgrp
profile newgrp @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -27,8 +27,8 @@ profile newgrp @{exec_path} {
@{exec_path} mr,
# Shells to use
/{usr/,}bin/{,b,d,rb}ash rPUx,
/{usr/,}bin/{c,k,tc,z}sh rPUx,
@{bin}/{,b,d,rb}ash rPUx,
@{bin}/{c,k,tc,z}sh rPUx,
/etc/{passwd,group,shadow,gshadow} r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/newuidmap
@{exec_path} = @{bin}/newuidmap
profile newuidmap @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>


@ -0,0 +1,16 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/nfsdcld
profile nfsdcld @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/nfsdcld>
}


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/nft
@{exec_path} = @{bin}/nft
profile nft @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/nmap
@{exec_path} = @{bin}/nmap
profile nmap @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/nologin
@{exec_path} = @{bin}/nologin
profile nologin @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -7,8 +7,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/{low,}ntfs{,-3g}
@{exec_path} += /{usr/,}{s,}bin/mount.{low,}ntfs{,-3g}
@{exec_path} = @{bin}/{low,}ntfs{,-3g}
@{exec_path} += @{bin}/mount.{low,}ntfs{,-3g}
profile ntfs-3g @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
@ -23,7 +23,7 @@ profile ntfs-3g @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/kmod rPx, # To load the fuse kernel module
@{bin}/kmod rPx, # To load the fuse kernel module
# Mount points
@{MOUNTDIRS}/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfs-3g.probe
@{exec_path} = @{bin}/ntfs-3g.probe
profile ntfs-3g-probe @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfscat
@{exec_path} = @{bin}/ntfscat
profile ntfscat @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/ntfsclone
@{exec_path} = @{bin}/ntfsclone
profile ntfsclone @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfscluster
@{exec_path} = @{bin}/ntfscluster
profile ntfscluster @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfscmp
@{exec_path} = @{bin}/ntfscmp
profile ntfscmp @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/ntfscp
@{exec_path} = @{bin}/ntfscp
profile ntfscp @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfsdecrypt
@{exec_path} = @{bin}/ntfsdecrypt
profile ntfsdecrypt @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfsfallocate
@{exec_path} = @{bin}/ntfsfallocate
profile ntfsfallocate @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfsfix
@{exec_path} = @{bin}/ntfsfix
profile ntfsfix @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfsinfo
@{exec_path} = @{bin}/ntfsinfo
profile ntfsinfo @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/ntfslabel
@{exec_path} = @{bin}/ntfslabel
profile ntfslabel @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfsls
@{exec_path} = @{bin}/ntfsls
profile ntfsls @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfsmove
@{exec_path} = @{bin}/ntfsmove
profile ntfsmove @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfsrecover
@{exec_path} = @{bin}/ntfsrecover
profile ntfsrecover @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/ntfsresize
@{exec_path} = @{bin}/ntfsresize
profile ntfsresize @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfssecaudit
@{exec_path} = @{bin}/ntfssecaudit
profile ntfssecaudit @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfstruncate
@{exec_path} = @{bin}/ntfstruncate
profile ntfstruncate @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/ntfsundelete
@{exec_path} = @{bin}/ntfsundelete
profile ntfsundelete @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfsusermap
@{exec_path} = @{bin}/ntfsusermap
profile ntfsusermap @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfswipe
@{exec_path} = @{bin}/ntfswipe
profile ntfswipe @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/nullmailer-send
@{exec_path} = @{bin}/nullmailer-send
profile nullmailer-send @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -14,7 +14,7 @@ profile nullmailer-send @{exec_path} {
@{exec_path} mr,
/{usr/,}lib/nullmailer/smtp rix,
@{lib}/nullmailer/smtp rix,
/etc/mailname r,
/etc/nullmailer/{,*} r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/numlockx
@{exec_path} = @{bin}/numlockx
profile numlockx @{exec_path} {
include <abstractions/base>


@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/nvidia-settings
profile nvidia-settings @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/fonts>
include <abstractions/opencl-nvidia>
@{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icons/{,**} r,
/usr/share/mime/mime.cache r,
/usr/share/pixmaps/{,**} r,
/usr/share/X11/xkb/{,**} r,
include if exists <local/nvidia-settings>
}
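Review bot: This section is a brand-new profile rather than a `@{bin}`/`@{lib}` substitution, so it receives none of the mechanical review the rest of the commit gets; landing it in its own commit would keep the refactor bisectable and let the new rule set be reviewed on its own terms. The rules cover shared data under `/usr/share` but grant nothing under the user's home, where nvidia-settings, as far as I recall, persists its per-user settings — worth confirming against a denial log before the profile is enforced rather than discovering it as a silent denial. A short header comment stating the intended scope, e.g. `# GUI for the NVIDIA driver; per-user settings file under @{HOME} still to be confirmed`, would tell the next maintainer what was and was not verified.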


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/nvtop
@{exec_path} = @{bin}/nvtop
profile nvtop @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>


@ -6,15 +6,15 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/obamenu
@{exec_path} = @{bin}/obamenu
profile obamenu @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* rix,
@{bin}/python3.[0-9]* rix,
/{usr/,}bin/ r,
@{bin}/ r,
/usr/share/*/*.desktop r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/obconf
@{exec_path} = @{bin}/obconf
profile obconf @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/obex-folder-listing
@{exec_path} = @{bin}/obex-folder-listing
profile obex-folder-listing @{exec_path} {
include <abstractions/base>
include <abstractions/private-files-strict>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/obexautofs
@{exec_path} = @{bin}/obexautofs
profile obexautofs @{exec_path} {
include <abstractions/base>
@ -17,7 +17,7 @@ profile obexautofs @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
@{bin}/fusermount{,3} rCx -> fusermount,
owner @{HOME}/*/ r,
owner @{HOME}/*/*/ r,
@ -47,7 +47,7 @@ profile obexautofs @{exec_path} {
# To mount anything:
capability sys_admin,
/{usr/,}bin/fusermount{,3} mr,
@{bin}/fusermount{,3} mr,
/etc/fuse.conf r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/obexctl
@{exec_path} = @{bin}/obexctl
profile obexctl @{exec_path} {
include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/bluetooth/obexd
@{exec_path} = @{lib}/bluetooth/obexd
profile obexd @{exec_path} {
include <abstractions/base>
include <abstractions/user-download-strict>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/obexfs
@{exec_path} = @{bin}/obexfs
profile obexfs @{exec_path} {
include <abstractions/base>
@ -16,7 +16,7 @@ profile obexfs @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
@{bin}/fusermount{,3} rCx -> fusermount,
owner @{HOME}/*/ r,
owner @{HOME}/*/*/ r,
@ -36,7 +36,7 @@ profile obexfs @{exec_path} {
network bluetooth stream,
/{usr/,}bin/fusermount{,3} mr,
@{bin}/fusermount{,3} mr,
/etc/fuse.conf r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/obexpush_atd
@{exec_path} = @{bin}/obexpush_atd
profile obexpush-atd @{exec_path} {
include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/obexpushd
@{exec_path} = @{bin}/obexpushd
profile obexpushd @{exec_path} {
include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/obxprop
@{exec_path} = @{bin}/obxprop
profile obxprop @{exec_path} {
include <abstractions/base>


@ -6,15 +6,15 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/on_ac_power
@{exec_path} = @{bin}/on_ac_power
profile on-ac-power @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/cat rix,
@{bin}/{m,g,}awk rix,
@{bin}/cat rix,
@{sys}/class/power_supply/ r,
@{sys}/devices/**/power_supply/**/{online,type} r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/onefetch
@{exec_path} = @{bin}/onefetch
profile onefetch @{exec_path} {
include <abstractions/base>
include <abstractions/openssl>
@ -14,7 +14,7 @@ profile onefetch @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/git rPx,
@{bin}/git rPx,
owner @{user_config_dirs}/git/{,**} r,
owner @{user_projects_dirs}/{,**} r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/openbox
@{exec_path} = @{bin}/openbox
profile openbox @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
@ -18,14 +18,13 @@ profile openbox @{exec_path} {
@{exec_path} mr,
/{usr/,}lib/@{multiarch}/openbox-autostart rCx -> autostart,
@{lib}/@{multiarch}/openbox-autostart rCx -> autostart,
# Apps allowed to run
/{usr/,}sbin/* rPUx,
/{usr/,}bin/* rPUx,
/usr/local/bin/* rPUx,
@{libexec}/* rPUx,
/{usr/,}lib/@{multiarch}/*/** rPUx,
@{bin}/* rPUx,
@{lib}/@{multiarch}/*/** rPUx,
@{lib}/* rPUx,
/usr/local/bin/* rPUx,
/usr/share/themes/*/openbox-3/themerc r,
@ -54,18 +53,17 @@ profile openbox @{exec_path} {
profile autostart {
include <abstractions/base>
/{usr/,}lib/@{multiarch}/openbox-autostart mr,
/{usr/,}lib/@{multiarch}/openbox-xdg-autostart rix,
@{lib}/@{multiarch}/openbox-autostart mr,
@{lib}/@{multiarch}/openbox-xdg-autostart rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
@{bin}/{,ba,da}sh rix,
@{bin}/which{,.debianutils} rix,
# Apps allowed to run
/{usr/,}sbin/* rPUx,
/{usr/,}bin/* rPUx,
/usr/local/bin/* rPUx,
@{libexec}/* rPUx,
/{usr/,}lib/@{multiarch}/*/** rPUx,
@{bin}/* rPUx,
/usr/local/bin/* rPUx,
@{lib}/* rPUx,
@{lib}/@{multiarch}/*/** rPUx,
/usr/local/lib/python*/dist-packages/ r,
@ -76,7 +74,7 @@ profile openbox @{exec_path} {
/etc/xdg/autostart/{,*} r,
# Silencer
deny /{usr/,}lib/python3/** w,
deny @{lib}/python3/** w,
deny owner @{HOME}/.local/lib/python*/site-packages/ r,
# file_inherit
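Review bot: Replacing `@{libexec}/* rPUx,` with `@{lib}/* rPUx,` in the "Apps allowed to run" block widens the set of binaries that may be launched unconfined, if `@{lib}` expands to the whole library tree rather than only the libexec directories as the old variable presumably did; an `rPUx` rule falls back to unconfined for any target without its own profile, so a broader glob here is a policy change, not a rename. If the wider match is intended, record it above the rule with `# Anything directly under @{lib} may run unconfined when no dedicated profile exists`; otherwise keep the rule scoped to the libexec paths using whichever tunable now provides them. The same substitution is repeated in the `autostart` child profile hunk further down in this file.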


@ -6,15 +6,15 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/openbox-session
@{exec_path} = @{bin}/openbox-session
profile openbox-session @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/xprop rPx,
/{usr/,}bin/openbox rPx,
@{bin}/xprop rPx,
@{bin}/openbox rPx,
/etc/xdg/openbox/environment r,
owner @{user_config_dirs}/openbox/environment r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/orage
@{exec_path} = @{bin}/orage
profile orage @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
@ -18,11 +18,11 @@ profile orage @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/globaltime rPx,
@{bin}/globaltime rPx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/exo-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
@{bin}/xdg-open rCx -> open,
@{bin}/exo-open rCx -> open,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
owner @{user_config_dirs}/orage/ rw,
owner @{user_config_dirs}/orage/* rw,
@ -37,7 +37,7 @@ profile orage @{exec_path} {
/etc/fstab r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner /dev/tty[0-9]* rw,
@ -47,19 +47,19 @@ profile orage @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/os-prober
@{exec_path} = @{bin}/os-prober
profile os-prober @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
@ -18,32 +18,32 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix,
/{usr/,}{s,}bin/blkid rPx,
/{usr/,}{s,}bin/dmraid rPUx,
/{usr/,}{s,}bin/lvm rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{e,f,}grep rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/find rix,
/{usr/,}bin/grub-mount rPx,
/{usr/,}bin/grub-probe rPx,
/{usr/,}bin/head rix,
/{usr/,}bin/kmod rPx,
/{usr/,}bin/logger rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/lsblk rPx,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/rmdir rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/udevadm rPx,
/{usr/,}bin/umount rix,
/{usr/,}bin/uname rix,
/{usr/,}lib/newns rix,
/{usr/,}lib/os-prober/* rix,
/{usr/,}lib/os-probes/{,**} rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{e,f,}grep rix,
@{bin}/blkid rPx,
@{bin}/cut rix,
@{bin}/dmraid rPUx,
@{bin}/find rix,
@{bin}/grub-mount rPx,
@{bin}/grub-probe rPx,
@{bin}/head rix,
@{bin}/kmod rPx,
@{bin}/logger rix,
@{bin}/ls rix,
@{bin}/lsblk rPx,
@{bin}/lvm rPx,
@{bin}/mkdir rix,
@{bin}/mktemp rix,
@{bin}/readlink rix,
@{bin}/rm rix,
@{bin}/rmdir rix,
@{bin}/sed rix,
@{bin}/udevadm rPx,
@{bin}/umount rix,
@{bin}/uname rix,
@{lib}/newns rix,
@{lib}/os-prober/* rix,
@{lib}/os-probes/{,**} rix,
/usr/share/os-prober/common.sh r,
/usr/share/terminfo/x/xterm-256color r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/packagekitd
@{exec_path} = @{lib}/packagekitd
profile packagekitd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
@ -82,32 +82,32 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/gpg{,2} rCx -> gpg,
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/gpgconf rCx -> gpg,
@{bin}/gpgsm rCx -> gpg,
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/echo rix,
/{usr/,}bin/gdbus rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/ischroot rix,
/{usr/,}bin/repo2solv rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/test rix,
/{usr/,}bin/touch rix,
@{bin}/{,ba,da}sh rix,
@{bin}/cp rix,
@{bin}/echo rix,
@{bin}/gdbus rix,
@{bin}/gzip rix,
@{bin}/ischroot rix,
@{bin}/ldconfig rix,
@{bin}/repo2solv rix,
@{bin}/tar rix,
@{bin}/test rix,
@{bin}/touch rix,
/{usr/,}bin/appstreamcli rPx,
/{usr/,}bin/arch-audit rPx,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/glib-compile-schemas rPx,
/{usr/,}bin/systemd-inhibit rPx,
/{usr/,}bin/update-desktop-database rPx,
/{usr/,}lib/apt/methods/* rPx,
/{usr/,}lib/cnf-update-db rPx,
/{usr/,}lib/update-notifier/update-motd-updates-available rPx,
/{usr/,}lib/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile
@{bin}/appstreamcli rPx,
@{bin}/arch-audit rPx,
@{bin}/dpkg rPx -> child-dpkg,
@{bin}/glib-compile-schemas rPx,
@{bin}/systemd-inhibit rPx,
@{bin}/update-desktop-database rPx,
@{lib}/apt/methods/* rPx,
@{lib}/cnf-update-db rPx,
@{lib}/update-notifier/update-motd-updates-available rPx,
@{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile
/usr/share/libalpm/scripts/* rPx,
# Install/update packages
@ -146,12 +146,12 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
capability dac_read_search,
/{usr/,}bin/gpg{,2} mr,
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpgsm mr,
@{bin}/gpg{,2} mr,
@{bin}/gpgconf mr,
@{bin}/gpgsm mr,
/{usr/,}bin/gpg-agent rix,
/{usr/,}bin/scdaemon rix,
@{bin}/gpg-agent rix,
@{bin}/scdaemon rix,
/etc/gcrypt/hwf.deny r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pacmd
@{exec_path} = @{bin}/pacmd
profile pacmd @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pactl
@{exec_path} = @{bin}/pactl
profile pactl @{exec_path} {
include <abstractions/base>
include <abstractions/audio>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pagesize
@{exec_path} = @{bin}/pagesize
profile pagesize @{exec_path} {
include <abstractions/base>


@ -6,17 +6,17 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/pam-auth-update
@{exec_path} = @{bin}/pam-auth-update
profile pam-auth-update @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
@{exec_path} mr,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}bin/md5sum rix,
/{usr/,}bin/cp rix,
@{bin}/md5sum rix,
@{bin}/cp rix,
# Think what to do about this (#FIXME#)
/usr/share/debconf/frontend rPx,
@ -34,13 +34,13 @@ profile pam-auth-update @{exec_path} flags=(complain) {
include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}{s,}bin/pam-auth-update rPx,
@{bin}/pam-auth-update rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/locale rix,
@{bin}/{,ba,da}sh rix,
@{bin}/stty rix,
@{bin}/locale rix,
/etc/debconf.conf r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
@ -52,8 +52,8 @@ profile pam-auth-update @{exec_path} flags=(complain) {
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,


@ -21,8 +21,8 @@
/etc/default/su r,
@{etc_ro}/environment r,
@{HOMEDIRS}/.xauth* w,
/{usr/,}bin/{,b,d,rb}ash Px -> default_user,
/{usr/,}bin/{c,k,tc,z}sh Px -> default_user,
@{bin}/{,b,d,rb}ash Px -> default_user,
@{bin}/{c,k,tc,z}sh Px -> default_user,
}
# USER is a confined user. The hat contains only the permissions necessary
@ -37,8 +37,8 @@
capability setgid,
capability setuid,
/{usr/,}bin/{,b,d,rb}ash Px -> confined_user,
/{usr/,}bin/{c,k,tc,z}sh Px -> confined_user,
@{bin}/{,b,d,rb}ash Px -> confined_user,
@{bin}/{c,k,tc,z}sh Px -> confined_user,
/etc/default/su r,
@{etc_ro}/environment r,
@ -59,8 +59,8 @@
capability setgid,
capability setuid,
/{usr/,}bin/{,b,d,rb}ash Ux,
/{usr/,}bin/{c,k,tc,z}sh Ux,
@{bin}/{,b,d,rb}ash Ux,
@{bin}/{c,k,tc,z}sh Ux,
/etc/default/su r,
@{etc_ro}/environment r,


@ -23,7 +23,7 @@ profile default_user flags=(complain) {
deny capability sys_ptrace,
/{usr/,}bin/** Pixmr,
@{bin}/** Pixmr,
owner /** rkl,
@{PROC}/** r,
@ -43,7 +43,7 @@ profile confined_user flags=(complain) {
deny capability sys_ptrace,
/{usr/,}bin/** Pixmr,
@{bin}/** Pixmr,
owner @{HOMEDIRS}/bin/** ixmr,
owner @{user_bin_dirs}/** ixmr,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/parted
@{exec_path} = @{bin}/parted
profile parted @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
@ -28,11 +28,11 @@ profile parted @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/udevadm rCx -> udevadm,
@{bin}/udevadm rCx -> udevadm,
/{usr/,}{s,}bin/dmidecode rPx,
@{bin}/dmidecode rPx,
/etc/inputrc r,
@ -51,7 +51,7 @@ profile parted @{exec_path} {
ptrace (read),
/{usr/,}bin/udevadm mr,
@{bin}/udevadm mr,
/etc/udev/udev.conf r,
