Update profile from #25 (2).
parent
2f77653cba
commit
810985a0cd
@ -68,6 +68,10 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
|
||||
/var/lib/gdm/.local/share/icc/ r,
|
||||
/var/lib/gdm/.local/share/icc/edid-*.icc r,
|
||||
|
||||
# Extra rules for Flatpak
|
||||
/var/lib/flatpak/exports/share/dbus-1/{,**} r,
|
||||
/var/lib/flatpak/app/**/export/share/dbus-1/services/{,**} r,
|
||||
|
||||
/dev/dri/card[0-9]* rw,
|
||||
/dev/input/event[0-9]* rw,
|
||||
|
||||
|
@ -27,6 +27,7 @@ profile at-spi-bus-launcher @{exec_path} {
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/dbus-daemon rPx,
|
||||
/{usr/,}bin/dbus-broker-launch rPUx,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
|
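Review bot: `/{usr/,}bin/dbus-broker-launch rPUx,` (which reads as the line this hunk adds, though the rendering does not mark it) uses `PUx`, so on a host without a dbus-broker-launch profile the launcher runs unconfined instead of being denied. If a profile for it exists in this repository, `rPx` keeps the failure closed; if not, a comment such as `# no dbus-broker-launch profile yet, falls back to unconfined` would record that the fallback is deliberate. The same PUx fallback is visible on `/{usr/,}bin/plymouth rPUx,` in the gdm section and `/{usr/,}bin/firewall-applet rPUx,` in the gnome-session-binary section, where it is likewise not certain which lines are new. The enclosing profile blocks begin and end outside these hunks.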
@ -20,15 +20,23 @@ profile colord @{exec_path} flags=(attach_disconnected) {
|
||||
/{usr/,}lib/colord/colord-sane rPx,
|
||||
@{libexec}/colord-sane rPx,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/udev/hwdb.bin r,
|
||||
|
||||
/usr/share/mime/mime.cache r,
|
||||
/usr/share/color/icc/{,**} r,
|
||||
|
||||
owner /var/lib/colord/** r,
|
||||
owner /var/lib/colord/.cache/ rw,
|
||||
owner /var/lib/colord/.cache/** rw,
|
||||
owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk,
|
||||
|
||||
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
||||
/var/lib/gdm/.local/share/icc/edid-*.icc r,
|
||||
|
||||
/etc/udev/hwdb.bin r,
|
||||
@{user_share_dirs}/icc/edid-*.icc r,
|
||||
|
||||
/usr/share/color/icc/{,**} r,
|
||||
@{run}/systemd/sessions/[0-9]* r,
|
||||
|
||||
@{sys}/class/drm/ r,
|
||||
@{sys}/class/video4linux/ r,
|
||||
@ -39,11 +47,5 @@ profile colord @{exec_path} flags=(attach_disconnected) {
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
|
||||
/usr/share/mime/mime.cache r,
|
||||
|
||||
@{user_share_dirs}/icc/edid-*.icc r,
|
||||
|
||||
@{run}/systemd/sessions/[0-9]* r,
|
||||
|
||||
include if exists <local/colord>
|
||||
}
|
||||
|
@ -24,6 +24,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/plymouth rPUx,
|
||||
/{usr/,}lib/gdm-session-worker rPx,
|
||||
|
||||
/usr/share/gdm/gdm.schemas r,
|
||||
|
@ -22,6 +22,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
capability sys_nice,
|
||||
capability sys_resource,
|
||||
capability sys_tty_config,
|
||||
|
||||
signal (receive) set=term peer=gdm,
|
||||
|
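Review bot: One of the `capability` rules at the top of this hunk is the addition (+1 line; the rendering does not show whether it is sys_nice, sys_resource or sys_tty_config), and none of the five carries a comment saying what the session worker needs it for. Capabilities are the widest grants in a profile, so a one-line reason on the added line, e.g. `# <operation the worker performs that needs this capability>`, keeps the grant reviewable when the profile is revisited. The gdm-session-worker profile continues outside the hunk.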
@ -33,8 +33,9 @@ profile gdm-wayland-session @{exec_path} {
|
||||
/{usr/,}bin/flatpak rPUx,
|
||||
/{usr/,}lib/gnome-session-binary rPx,
|
||||
|
||||
/etc/shells r,
|
||||
/etc/gdm/custom.conf r,
|
||||
/etc/machine-id r,
|
||||
/etc/shells r,
|
||||
|
||||
/usr/share/gdm/gdm.schemas r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
@ -25,6 +25,9 @@ profile gnome-control-center-print-renderer @{exec_path} {
|
||||
/usr/share/pixmaps/{,**} r,
|
||||
/usr/share/X11/xkb/** r,
|
||||
|
||||
/var/lib/flatpak/exports/share/icons/{,**} r,
|
||||
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
||||
|
||||
owner @{user_cache_dirs}/mesa_shader_cache/index rw,
|
||||
owner @{user_share_dirs}/icons/{,**} r,
|
||||
|
||||
|
@ -34,15 +34,15 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
/{usr/,}bin/aa-notify rPx,
|
||||
/{usr/,}bin/blueman-applet rPx,
|
||||
/{usr/,}bin/firewall-applet rPUx,
|
||||
/{usr/,}bin/gnome-keyring-daemon rPx,
|
||||
/{usr/,}bin/gnome-shell rPx,
|
||||
/{usr/,}bin/pkcs11-register rPx,
|
||||
/{usr/,}bin/start-pulseaudio-x11 rPx,
|
||||
/{usr/,}bin/xbrlapi rPx,
|
||||
/{usr/,}lib/evolution-data-server/evolution-alarm-notify rPx,
|
||||
/{usr/,}lib/gsd-* rPx,
|
||||
|
||||
/{usr/,}bin/pkcs11-register rPx,
|
||||
/{usr/,}bin/start-pulseaudio-x11 rPx,
|
||||
|
||||
/usr/share/applications/org.gnome.Shell.desktop r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
@ -68,7 +68,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
|
||||
/var/lib/gdm/.config/pulse/ r,
|
||||
/var/lib/gdm/.config/pulse/client.conf r,
|
||||
/var/lib/gdm/.config/pulse/cookie rw,
|
||||
/var/lib/gdm/.config/pulse/cookie rwk,
|
||||
/var/lib/gdm/.local/share/applications/{,**} r,
|
||||
/var/lib/gdm/.local/share/gnome-shell/ rw,
|
||||
|
||||
@ -106,6 +106,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
|
||||
|
||||
/var/lib/flatpak/app/**/gnome-shell/{,**} r,
|
||||
/var/lib/flatpak/exports/share/gnome-shell/{,**} r,
|
||||
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
@{run}/systemd/seats/seat[0-9]* r,
|
||||
@{run}/systemd/sessions/ r,
|
||||
|
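Review bot: `/var/lib/flatpak/app/**/gnome-shell/{,**} r,` in the second hunk matches any directory named gnome-shell at any depth under every installed Flatpak, which is looser than the `app/**/export/share/...` shape this same commit uses for dbus-daemon and than the `exports/share/gnome-shell/{,**}` rule on the next line. If the intent is the exported share tree, an `export/share/` component — roughly `/var/lib/flatpak/app/**/export/share/gnome-shell/{,**} r,` — would scope it like its neighbours; if the broader match is really required, a comment naming what the shell reads there would explain the difference. The gnome-shell profile starts and ends outside these hunks.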
@ -30,6 +30,8 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
|
||||
/usr/share/gnome-system-monitor/{,**} r,
|
||||
/usr/share/pixmaps/{,**} r,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
|
@ -25,6 +25,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
/var/lib/gdm/.local/share/icc/ rw,
|
||||
/var/lib/gdm/.local/share/icc/edid-*.icc rw,
|
||||
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
|
@ -20,6 +20,8 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
|
||||
@{exec_path} mr,
|
||||
/{usr/,}lib/gsd-printer rPx,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
@ -35,6 +35,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} {
|
||||
@{run}/systemd/sessions/[0-9]* r,
|
||||
|
||||
/etc/fstab r,
|
||||
/etc/machine-id r,
|
||||
|
||||
# Mount points
|
||||
@{MOUNTS}/*/ r,
|
||||
|
@ -37,6 +37,7 @@ profile gvfsd-fuse @{exec_path} {
|
||||
umount @{run}/user/@{uid}/**/,
|
||||
|
||||
/etc/fuse.conf r,
|
||||
/etc/machine-id r,
|
||||
|
||||
/dev/fuse rw,
|
||||
|
||||
|
@ -10,8 +10,8 @@ include <tunables/global>
|
||||
profile NetworkManager @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/ssl_certs>
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
@ -35,6 +35,10 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
|
||||
/{usr/,}bin/resolvconf rPx,
|
||||
/{usr/,}bin/systemctl rPx -> child-systemctl,
|
||||
/{usr/,}lib/nm-dhcp-helper rPx,
|
||||
/{usr/,}lib/nm-dispatcher rPx,
|
||||
/{usr/,}lib/nm-iface-helper rPx,
|
||||
@ -43,9 +47,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
|
||||
/{usr/,}lib/nm-openvpn-service rPx,
|
||||
/{usr/,}lib/nm-openvpn-service-openvpn-helper rPx,
|
||||
|
||||
/{usr/,}bin/systemctl rPx -> child-systemctl,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
|
||||
/dev/rfkill rw,
|
||||
|
||||
/ r,
|
||||
|
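Review bot: The new `/{usr/,}bin/resolvconf rPx,` transition only confines resolvconf as far as its own profile does, and the flags lists at the end of this page still carry `resolvconf complain`, so until that profile is switched to enforce the transition logs rather than restricts. That is a reasonable first step, but a comment on the rule or in the commit message would keep it from being read as an enforced boundary. The `/{usr/,}bin/{,ba,da}sh rix,` and `systemctl rPx -> child-systemctl` lines appear to be moves from the third hunk rather than new grants. The NetworkManager profile block extends beyond these hunks.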
@ -34,8 +34,10 @@ profile bootctl @{exec_path} {
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
@{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r,
|
||||
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
|
||||
|
||||
@{sys}/firmware/dmi/entries/*/raw r,
|
||||
@{sys}/firmware/efi/efivars/ r,
|
||||
@{sys}/firmware/efi/efivars/Boot[0-9A-F]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
|
||||
@{sys}/firmware/efi/efivars/BootOrder-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
|
||||
|
@ -32,6 +32,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
/var/lib/systemd/coredump/ r,
|
||||
/var/lib/systemd/coredump/** rwl,
|
||||
/var/lib/systemd/coredump/#[0-9]* rwl,
|
||||
|
||||
owner @{PROC}/@{pid}/setgroups r,
|
||||
@{PROC}/@{pids}/comm r,
|
||||
|
@ -16,6 +16,7 @@ profile systemd-makefs @{exec_path} {
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}{s,}bin/mkswap rPx,
|
||||
/{usr/,}bin/mkfs.* rPx,
|
||||
|
||||
@{sys}/devices/virtual/block/zram[0-9]*/ r,
|
||||
@{sys}/devices/virtual/block/zram[0-9]*/** r,
|
||||
|
@ -9,6 +9,7 @@ include <tunables/global>
|
||||
@{exec_path} = /{usr/,}lib/systemd/systemd-oomd
|
||||
profile systemd-oomd @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/systemd-common>
|
||||
|
||||
capability dac_override,
|
||||
capability kill,
|
||||
@ -17,11 +18,9 @@ profile systemd-oomd @{exec_path} {
|
||||
|
||||
/etc/systemd/oomd.conf r,
|
||||
|
||||
@{PROC}/1/cgroup r,
|
||||
@{PROC}/cmdline r,
|
||||
@{sys}/fs/cgroup/cgroup.controllers r,
|
||||
|
||||
@{PROC}/pressure/{cpu,io,memory} r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
include if exists <local/systemd-oomd>
|
||||
}
|
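Review bot: The second hunk removes more than it adds (`-17,11 +18,9`) at the same time the first hunk adds `include <abstractions/systemd-common>`, which suggests the dropped `@{PROC}` reads are now expected to come from the abstraction. That is worth a check that systemd-common does not grant materially more than the explicit rules it replaces, since an abstraction widens a profile silently as it evolves. A comment on the include line, e.g. `# @{PROC} and cgroup reads are provided by abstractions/systemd-common`, would make the dependency explicit. Exactly which lines this rendering shows as removed cannot be read with certainty.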
@ -24,6 +24,8 @@ profile systemd-user-runtime-dir @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
@{run}/user/@{uid}/{,**} rw,
|
||||
|
||||
@{PROC}/1/environ r,
|
||||
|
@ -18,12 +18,15 @@ profile zram-generator @{exec_path} {
|
||||
|
||||
/etc/systemd/zram-generator.conf r,
|
||||
|
||||
@{sys}/devices/virtual/block/zram[0-9]*/{disksize,reset} rw,
|
||||
@{sys}/devices/virtual/block/zram[0-9]*/{disksize,reset,comp_algorithm} rw,
|
||||
@{sys}/block/zram[0-9]*/{disksize,reset} rw,
|
||||
|
||||
owner @{run}/systemd/generator/systemd-zram-setup@zram[0-9]*.service.d/{,*.conf} rw,
|
||||
owner @{run}/systemd/generator/{,*/}var-cache-makepkg.mount rw,
|
||||
owner @{run}/systemd/generator/dev-zram[0-9]*.swap rw,
|
||||
owner @{run}/systemd/generator/swap.target.wants/{,dev-zram[0-9]*.swap} rw,
|
||||
owner @{run}/systemd/generator/systemd-zram-setup@zram[0-9]*.service.d/{,*.conf} rw,
|
||||
|
||||
@{PROC}/crypto r,
|
||||
|
||||
include if exists <local/zram-generator>
|
||||
}
|
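Review bot: `owner @{run}/systemd/generator/{,*/}var-cache-makepkg.mount rw,` hard-codes one host's unit name into a generic profile; a makepkg cache mount is a single-machine configuration, and other hosts will generate differently named mount units that this rule will not match. Either generalize the pattern — `owner @{run}/systemd/generator/{,*/}*.mount rw,`, which the generator directory already scopes — or add a comment naming the zram-generator configuration that produces this unit so the rule can be understood later. The profile header is outside this hunk.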
@ -18,6 +18,8 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
|
||||
/etc/apparmor.d/{,**} r,
|
||||
/etc/apparmor.d/cache.d/{,**} rw,
|
||||
|
||||
/usr/share/apparmor/{,**} r,
|
||||
|
||||
owner /var/cache/apparmor/{,**} rw,
|
||||
owner /var/lib/docker/tmp/docker-default[0-9]* r,
|
||||
|
||||
|
@ -32,7 +32,7 @@ profile firecfg @{exec_path} flags=(attach_disconnected) {
|
||||
/usr/share/applications/*.desktop r,
|
||||
|
||||
@{user_share_dirs}/applications/ r,
|
||||
@{user_share_dirs}/applications/*.desktop r,
|
||||
@{user_share_dirs}/applications/*.desktop rw,
|
||||
|
||||
/dev/tty rw,
|
||||
|
||||
|
@ -41,6 +41,7 @@ profile fusermount @{exec_path} {
|
||||
umount @{run}/user/@{uid}/gvfs/,
|
||||
|
||||
/etc/fuse.conf r,
|
||||
/etc/machine-id r,
|
||||
|
||||
/dev/fuse rw,
|
||||
|
||||
|
@ -14,5 +14,7 @@ profile id @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
include if exists <local/id>
|
||||
}
|
||||
|
@ -29,7 +29,10 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
unix (receive) type=stream,
|
||||
|
||||
@{exec_path} mr,
|
||||
@{exec_path} mrix,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/sysctl rPx,
|
||||
|
||||
/{usr/,}lib/modprobe.d/{,*.conf} r,
|
||||
/etc/modprobe.d/{,*.conf} r,
|
||||
|
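Review bot: `/{usr/,}bin/{,ba,da}sh rix,` makes the shell run inside the kmod profile, so whatever it is invoked for — presumably the command strings read from `/{usr/,}lib/modprobe.d/` and `/etc/modprobe.d/` further down the hunk — inherits every permission kmod has, capabilities included. That is a usual pattern for modprobe install/softdep hooks, but a comment on the line, e.g. `# modprobe.d install/softdep commands are run through a shell`, records the reason, and the `@{exec_path} mr` → `mrix` change on the line above deserves one too if it is for kmod re-executing itself. The profile continues outside the hunk.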
@ -19,8 +19,9 @@ profile pipewire @{exec_path} {
|
||||
|
||||
/usr/share/pipewire/pipewire.conf r,
|
||||
|
||||
/etc/pipewire/pipewire.conf r,
|
||||
/etc/machine-id r,
|
||||
/etc/pipewire/client.conf r,
|
||||
/etc/pipewire/pipewire.conf r,
|
||||
|
||||
owner @{run}/user/@{uid}/pipewire-[0-9]*.lock rwk,
|
||||
|
||||
|
@ -18,6 +18,8 @@ profile pipewire-pulse @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
/etc/pipewire/client.conf r,
|
||||
/etc/pipewire/pipewire-pulse.conf r,
|
||||
/usr/share/pipewire/client.conf r,
|
||||
|
@ -29,6 +29,8 @@ profile polkitd @{exec_path} {
|
||||
@{PROC}/1/environ r,
|
||||
@{PROC}/cmdline r,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
# System rules
|
||||
/etc/polkit-1/rules.d/ r,
|
||||
/etc/polkit-1/rules.d/[0-9][0-9]-*.rules r,
|
||||
|
@ -24,7 +24,7 @@ profile power-profiles-daemon @{exec_path} {
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/power_supply/ r,
|
||||
@{sys}/devices/**/power_supply/*/uevent r,
|
||||
@{sys}/devices/system/cpu/*_pstate/no_turbo r,
|
||||
@{sys}/devices/system/cpu/*_pstate/{no_turbo,turbo_pct} r,
|
||||
@{sys}/devices/system/cpu/cpufreq/ r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/energy_performance_preference rw,
|
||||
|
||||
|
@ -9,17 +9,22 @@ include <tunables/global>
|
||||
@{exec_path} = /{usr/,}sbin/resolvconf
|
||||
profile resolvconf @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/cat rix,
|
||||
/{usr/,}bin/flock rix,
|
||||
/{usr/,}bin/mkdir rix,
|
||||
/{usr/,}bin/mv rix,
|
||||
/{usr/,}bin/rm rix,
|
||||
/{usr/,}bin/run-parts rix,
|
||||
/{usr/,}bin/sed rix,
|
||||
|
||||
/usr/lib/resolvconf/{,**} r,
|
||||
|
||||
/etc/resolv.conf rw,
|
||||
/etc/resolvconf/update.d/libc mr,
|
||||
|
||||
owner @{run}/resolvconf/{,**} rw,
|
||||
|
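Review bot: `/{usr/,}bin/run-parts rix,` is there to run the hooks in `/etc/resolvconf/update.d/`, yet the only rule for that directory is `/etc/resolvconf/update.d/libc mr,`, which carries no execute permission, so under enforcement exec of the hook would be denied (a script needs `ix`/`Px` on its own path, not just `m`). Because this profile is listed in complain mode the gap will surface only as a log entry for now; `/etc/resolvconf/update.d/* rix,` (or a transition rule if the hooks warrant their own profile) would close it before enforcement. Which of these lines are the hunk's five additions is not recoverable here, and the profile's closing lines are outside the hunk.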
@ -20,10 +20,14 @@ profile wireplumber @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
/usr/share/alsa-card-profile/{,**} r,
|
||||
/usr/share/spa-*/bluez[0-9]*/{,*} r,
|
||||
/usr/share/wireplumber/{,**} r,
|
||||
|
||||
/var/lib/gdm/.local/state/wireplumber/{,**} r,
|
||||
|
||||
owner @{HOME}/.local/state/ w,
|
||||
owner @{HOME}/.local/state/wireplumber/{,**} rw,
|
||||
|
||||
|
@ -16,6 +16,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected, complain) {
|
||||
|
||||
owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw,
|
||||
owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-[0-9A-Z]* rw,
|
||||
owner @{run}/user/@{uid}/.dbus-proxy/{session,a11y}-bus-proxy-[0-9A-Z]* rw,
|
||||
|
||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r,
|
||||
|
||||
|
@ -11,18 +11,27 @@ profile xdg-desktop-portal @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability sys_ptrace,
|
||||
|
||||
network netlink raw,
|
||||
|
||||
ptrace (read),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}lib/x r,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/mime/mime.cache r,
|
||||
/usr/share/pipewire/client.conf r,
|
||||
/usr/share/xdg-desktop-portal/portals/{,*.portal} r,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
||||
|
||||
owner @{user_config_dirs}/user-dirs.dirs r,
|
||||
owner @{run}/user/@{uid}/.flatpak/*/* r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
|
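Review bot: `/{usr/,}lib/x r,` looks like a truncated path — there is no obvious reason for the portal to read a file literally named `x` under lib, and as written it matches nothing more than that; please check what the intended path was. Separately, the `capability sys_ptrace,` plus `ptrace (read),` pair (if these are among this hunk's nine additions) carries no `peer=` restriction, so the portal may read process state of any peer the kernel lets it see; a comment saying what it is needed for, and a `peer=` qualifier where the target profile is known, would keep the grant reviewable. The xdg-desktop-portal profile block extends beyond the hunk.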
@ -14,6 +14,7 @@ profile xdg-document-portal @{exec_path} {
|
||||
|
||||
/{usr/,}bin/fusermount rPx,
|
||||
|
||||
owner @{user_share_dirs}/flatpak/db/documents r,
|
||||
owner @{run}/user/@{uid}/doc/ rw,
|
||||
|
||||
/dev/fuse rw,
|
||||
|
@ -16,6 +16,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
|
||||
@{exec_path} mr,
|
||||
|
||||
@{HOME}/@{XDG_DATA_HOME}/flatpak/db/gnome rw,
|
||||
@{user_share_dirs}/flatpak/db/background r,
|
||||
|
||||
/dev/tty[0-9]* rw,
|
||||
|
||||
|
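Review bot: The two flatpak db rules spell the same directory differently — `@{HOME}/@{XDG_DATA_HOME}/flatpak/db/gnome rw,` versus `@{user_share_dirs}/flatpak/db/background r,` — and neither carries `owner`, unlike `owner @{user_share_dirs}/flatpak/db/documents r,` in the xdg-document-portal section of this same commit. Whichever of the two is the addition (the rendering does not say), writing both as `owner @{user_share_dirs}/flatpak/db/<name> ...` would make them consistent with the repository's other user-dir rules. The profile block continues outside the hunk.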
@ -16,7 +16,6 @@ dpkg-trigger complain
|
||||
dpkg-vendor complain
|
||||
ifup complain
|
||||
macchanger complain
|
||||
resolvconf complain
|
||||
run-parts complain
|
||||
unattended-upgrade complain
|
||||
unattended-upgrade-shutdown attach_disconnected,complain
|
||||
|
@ -102,6 +102,7 @@ pass complain
|
||||
pass-import complain
|
||||
pinentry-gtk-2 complain
|
||||
podman attach_disconnected,complain
|
||||
resolvconf complain
|
||||
run-parts complain
|
||||
runuser complain
|
||||
s3fs complain
|
||||
|