feat(profile): use the new audio-client abstraction in profiles.

This commit is contained in:
Alexandre Pujol 2024-03-12 15:44:40 +00:00
parent e4c0f683d2
commit 81b9de3aff
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
11 changed files with 53 additions and 154 deletions


@ -9,12 +9,11 @@ include <tunables/global>
@{exec_path} = @{lib}/mozilla/kmozillahelper
profile firefox-kmozillahelper @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/audio-client>
include <abstractions/desktop>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/qt5-settings-write>
include <abstractions/qt5>
include <abstractions/recent-documents-write>
include <abstractions/thumbnails-cache-read>
@ -29,10 +28,7 @@ profile firefox-kmozillahelper @{exec_path} {
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/knotifications{5,6}/*.notifyrc r,
/usr/share/kservices{5,6}/{,**} r,
/usr/share/sounds/{,**} r,
/etc/pulse/client.conf r,
/etc/pulse/client.conf.d/{,*} r,
/etc/xdg/kdeglobals r,
/etc/xdg/kwinrc r,
/etc/xdg/menus/ r,
@ -51,10 +47,8 @@ profile firefox-kmozillahelper @{exec_path} {
owner @{user_config_dirs}/kmozillahelperrc r,
owner @{user_config_dirs}/kmozillahelperrc.@{rand6} rwl,
owner @{user_config_dirs}/kwinrc r,
owner @{user_config_dirs}/pulse/cookie rk,
owner @{run}/user/@{uid}/kmozillahelper@{rand6}.@{int}.kioworker.socket wl,
owner @{run}/user/@{uid}/pulse/ r,
owner @{run}/user/@{uid}/xauth_@{rand6} rl,
@{run}/udev/data/+usb:* r, # For /dev/bus/usb/**
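Review bot: The three hunks replace firefox-kmozillahelper's narrow PulseAudio rules, which only allowed reads and a lock (L32–L33, L41, L43), and `/usr/share/sounds/{,**} r,` (L31) with `include <abstractions/audio-client>` (L19), whose rule set is not part of this diff; if that abstraction also grants PipeWire, JACK or ALSA device access, this profile widens beyond what the removed lines allowed, so it is worth confirming the abstraction is limited to what a notification-sound client needs. The same substitution is made in kalendarac, plasma-discover, apport-gtk, update-manager and element-desktop, and the `audio` → `audio-client` swaps in cawbird, kodi, mono-sgen, pavucontrol and qtox raise the same question, so one check of the abstraction's rule set covers all of them. A line in the commit description listing what `audio-client` grants would let a reviewer of each profile see what changed without opening the abstraction. The `profile firefox-kmozillahelper` block closes outside the hunks shown.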


@ -9,9 +9,10 @@ include <tunables/global>
@{exec_path} = @{bin}/kalendarac
profile kalendarac @{exec_path} {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
@{exec_path} mr,
@ -20,11 +21,8 @@ profile kalendarac @{exec_path} {
/usr/share/akonadi/firstrun/{,*} r,
/usr/share/akonadi/plugins/serializer/{,*.desktop} r,
/usr/share/knotifications{5,6}/{,**} r,
/usr/share/sounds/{,**} r,
/etc/machine-id r,
/etc/pulse/client.conf r,
/etc/pulse/client.conf.d/{,**} r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
@ -37,9 +35,6 @@ profile kalendarac @{exec_path} {
owner @{user_config_dirs}/kalendaracrc.@{rand6} rwl,
owner @{user_config_dirs}/kalendaracrc.lock rwk,
owner @{user_config_dirs}/kmail2rc r,
owner @{user_config_dirs}/pulse/cookie rk,
owner @{run}/user/@{uid}/pulse/ r,
@{PROC}/sys/kernel/core_pattern r,
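Review bot: The include list in the first hunk shows `include <abstractions/nameservice-strict>` twice (L55 and L57), on either side of `kde-strict`; if both lines survive this commit, one is redundant and the sorted position after `kde-strict` (L57) is the one to keep. The rendering carries no side markers, so L55 may instead be an old line that is being moved, in which case nothing is needed. The `profile kalendarac` block closes outside the hunks shown.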


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/plasma-discover
profile plasma-discover @{exec_path} {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/dconf-write>
include <abstractions/graphics>
include <abstractions/kde-strict>
@ -46,7 +47,6 @@ profile plasma-discover @{exec_path} {
/usr/share/kservices{5,6}/{,*} r,
/usr/share/kservicetypes5/{,*} r,
/usr/share/libdiscover/** r,
/usr/share/qt/translations/*.qm r,
/etc/appstream.conf r,
/etc/flatpak/remotes.d/{,**} r,
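Review bot: The second hunk (`-7 +6`) drops one rule, and the only candidate shown is `/usr/share/qt/translations/*.qm r,` (L90), which has nothing to do with audio; unless an abstraction this profile already includes (`kde-strict` at L85 looks the likely one) grants that path, plasma-discover loses read access to its Qt translations. Either name the covering abstraction in the commit description or keep the line. The `profile plasma-discover` block closes outside the hunks shown.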


@ -10,6 +10,7 @@ include <tunables/global>
profile apport-gtk @{exec_path} {
include <abstractions/base>
include <abstractions/apt-common>
include <abstractions/audio-client>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/bus/org.a11y>
@ -54,11 +55,8 @@ profile apport-gtk @{exec_path} {
@{lib}/@{multiarch}/ld*.so* rix,
/usr/share/apport/root_info_wrapper rix,
/usr/share/alsa/{,**} r,
/usr/share/apport/{,**} r,
/usr/share/apport/general-hooks/*.py r,
/usr/share/themes/{,**} r,
/usr/share/X11/xkb/{,**} r,
/etc/apport/{,**} r,
/etc/bash_completion.d/apport_completion r,
@ -67,8 +65,6 @@ profile apport-gtk @{exec_path} {
/etc/gtk-3.0/settings.ini r,
/etc/init.d/apport r,
/etc/logrotate.d/apport r,
/etc/pulse/client.conf r,
/etc/pulse/client.conf.d/{,**} r,
/etc/xdg/autostart/*.desktop r,
/var/crash/{,*.@{uid}.crash} rw,
@ -78,10 +74,7 @@ profile apport-gtk @{exec_path} {
/var/lib/dpkg/info/*.md5sums r,
/var/log/installer/media-info r,
owner @{user_config_dirs}/pulse/cookie rk,
@{run}/snapd.socket rw,
owner @{run}/user/.mutter-Xwaylandauth.@{rand6} rw,
@{run}/snapd.socket rw,
/tmp/[a-z0-9]* rw,
/tmp/apport_core_* rw,
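Review bot: The second hunk (`-11 +8`) removes three rules, and `/usr/share/alsa/{,**} r,` (L107) is among the candidates; if that ALSA configuration read is meant to come from `audio-client` (L100) the swap is consistent, but `/usr/share/themes/{,**} r,` (L110) and `/usr/share/X11/xkb/{,**} r,` (L111) are not audio rules and would need some other already-included abstraction to cover them, which the commit description should state. The fourth hunk appears only to move `@{run}/snapd.socket rw,` (L126 → L128) below the mutter rule, which is ordering. The `profile apport-gtk` block closes outside the hunks shown.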


@ -10,6 +10,7 @@ include <tunables/global>
profile update-manager @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/apt-common>
include <abstractions/audio-client>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/bus-system>
@ -59,8 +60,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
/usr/share/update-manager/{,**} r,
/etc/gtk-3.0/settings.ini r,
/etc/pulse/client.conf r,
/etc/pulse/client.conf.d/{,**} r,
/etc/ubuntu-advantage/uaclient.conf r,
/etc/update-manager/{,**} r,
@ -74,11 +73,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/update-manager-core/{,**} rw,
owner @{user_config_dirs}/pulse/cookie rk,
owner @{run}/user/@{uid}/pulse/ r,
owner @{run}/user/@{uid}/pulse/native rw,
@{run}/systemd/inhibit/*.ref w,
@{PROC}/@{pids}/mountinfo r,
@ -86,7 +80,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/mounts r,
/dev/ptmx rw,
/dev/shm/ r,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,


@ -10,16 +10,16 @@ include <tunables/global>
@{exec_path} = @{bin}/cawbird
profile cawbird @{exec_path} {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/dconf-write>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/enchant>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gstreamer>
include <abstractions/gtk>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/enchant>
include <abstractions/audio>
include <abstractions/gstreamer>
network inet dgram,
network inet6 dgram,
@ -47,7 +47,6 @@ profile cawbird @{exec_path} {
owner @{PROC}/@{pid}/fd/ r,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/element-desktop
profile element-desktop @{exec_path} {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/chromium-common>
include <abstractions/dconf-write>
include <abstractions/desktop>
@ -49,8 +50,6 @@ profile element-desktop @{exec_path} {
owner @{user_config_dirs}/Element/ rw,
owner @{user_config_dirs}/Element/** rwkl -> @{user_config_dirs}/Element/**,
owner @{user_config_dirs}/pulse/client.conf r,
owner @{user_config_dirs}/pulse/cookie rk,
@{sys}/devices/system/cpu/kernel_max r,
@{sys}/devices/virtual/tty/tty@{int}/active r,


@ -10,14 +10,12 @@ include <tunables/global>
@{exec_path} = @{bin}/kodi @{lib}/@{multiarch}/kodi/kodi.bin
profile kodi @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/vulkan>
include <abstractions/audio>
include <abstractions/dri-enumerate>
include <abstractions/audio-client>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/mesa>
include <abstractions/python>
include <abstractions/ssl_certs>
include <abstractions/X-strict>
@{exec_path} mr,
@ -29,6 +27,7 @@ profile kodi @{exec_path} {
@{bin}/cat rix,
@{bin}/cut rix,
@{bin}/date rix,
@{bin}/df rix,
@{bin}/dirname rix,
@{bin}/find rix,
@{bin}/ldconfig rix,
@ -36,9 +35,14 @@ profile kodi @{exec_path} {
@{bin}/uname rix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/df rCx -> df,
/usr/share/kodi/{,**} r,
/usr/share/publicsuffix/* r,
/etc/fstab r,
/etc/machine-id r,
/etc/timezone r,
/var/lib/dbus/machine-id r,
owner @{HOME}/.kodi/ rw,
owner @{HOME}/.kodi/** rwk,
@ -46,49 +50,20 @@ profile kodi @{exec_path} {
owner @{HOME}/core w,
owner @{HOME}/kodi_crashlog-@{int}_@{int}.log w,
owner @{HOME}/.icons/default/index.theme r,
/usr/share/publicsuffix/* r,
/usr/share/icons/*/index.theme r,
/etc/mime.types r,
/etc/timezone r,
/etc/fstab r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/@{pid}/net/dev r,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/@{pid}/net/route r,
@{run}/udev/data/* r,
@{sys}/**/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/@{pci}/usb@{int}/{bDeviceClass,idProduct,idVendor} r,
@{sys}/devices/@{pci}/usb@{int}/**/{bDeviceClass,idProduct,idVendor} r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/meminfo r,
@{sys}/devices/**/uevent r,
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
@{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r,
@{run}/udev/data/* r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
profile df {
include <abstractions/base>
@{bin}/df mr,
owner @{PROC}/@{pid}/mountinfo r,
# file_inherit
/usr/share/kodi/** r,
/sys/devices/virtual/thermal/thermal_zone@{int}/temp r,
/sys/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
/home/morfik/.kodi/temp/kodi.log w,
}
@{PROC}/@{pid}/net/dev r,
@{PROC}/@{pid}/net/route r,
@{PROC}/sys/kernel/core_pattern r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
include if exists <local/kodi>
}
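Review bot: In the last hunk the `df` child profile (L273–L282) is deleted and `@{bin}/df rCx -> df,` (L238) becomes `@{bin}/df rix,` (L231), so df now runs with kodi's entire rule set (network, `@{HOME}/.kodi/**` writes, sysfs reads) instead of the few lines the child allowed; that is a policy widening unrelated to the audio-client switch in the title. Dropping the child is understandable given it carried a user-specific `/home/morfik/.kodi/temp/kodi.log w,` (L281) and raw `/sys` paths, but a cleaned-up child, sketched below, keeps the confinement at the cost of a few lines. The first hunk also swaps `X` for `X-strict` (L215 → L225) and `dri-enumerate`/`mesa`/`vulkan` for `graphics`, which the commit description should mention since they change more than audio. Whether the catch-all `@{sys}/**/ r,` (L261) survives the 49 → 20 line rewrite is not decidable from this rendering.
```apparmor
  @{bin}/df rCx -> df,
  # … unchanged: remaining kodi rules …
  profile df {
    include <abstractions/base>

    @{bin}/df mr,

    owner @{PROC}/@{pid}/mountinfo r,

    # file_inherit
    /usr/share/kodi/** r,
    @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r,
    @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
    owner @{HOME}/.kodi/temp/kodi.log w,
  }
```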


@ -9,14 +9,12 @@ include <tunables/global>
@{exec_path} = @{bin}/mono-sgen
profile mono-sgen @{exec_path} {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/audio-client>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/vulkan>
include <abstractions/wayland>
network inet dgram,
network inet6 dgram,
@ -37,18 +35,11 @@ profile mono-sgen @{exec_path} {
owner @{user_config_dirs}/openra/{,**} rw,
owner @{user_config_dirs}/.mono/{,**} r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
owner /tmp/*.* rw,
owner /tmp/CASESENSITIVETEST* rw,
owner /dev/shm/mono.* rw,
@{sys}/devices/@{pci}/uevent r,
@{sys}/devices/@{pci}/vendor r,
@{sys}/devices/@{pci}/device r,
@{sys}/devices/@{pci}/subsystem_vendor r,
@{sys}/devices/@{pci}/subsystem_device r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/mono-sgen>
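Review bot: The second hunk (`-18 +11`) removes seven rules, and besides the PCI sysfs reads (L317–L321), which presumably move into `graphics` (L303), the candidates are `owner /tmp/*.* rw,`, `owner /tmp/CASESENSITIVETEST* rw,` and `owner /dev/shm/mono.* rw,` (L314–L316), none of which an audio or graphics abstraction would be expected to provide; if any of those three is deleted, mono-sgen loses scratch paths it needed, so either keep them or state in the commit description which abstraction now covers them. The rendering gives no side markers, so this is inferred from the line counts. The first hunk's replacement of `audio`, `dri-common`, `dri-enumerate`, `mesa` and `vulkan` by `audio-client` and `graphics` is also more than the title describes, and the `profile mono-sgen` rules between the two hunks are not shown.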


@ -10,28 +10,23 @@ include <tunables/global>
@{exec_path} = @{bin}/pavucontrol
profile pavucontrol @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/audio-client>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/audio>
include <abstractions/gtk>
@{exec_path} mr,
# Pavucontrol files
/usr/share/pavucontrol/pavucontrol.glade r,
# Pavucontrol config files
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/pavucontrol.ini* rw,
/usr/share/pavucontrol/** r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{PROC}/@{pid}/cmdline r,
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/pavucontrol.ini* rw,
# Missing icons
/usr/share/**/icons/**/*.png r,
owner @{PROC}/@{pid}/cmdline r,
# file_inherit
owner /dev/tty@{int} rw,


@ -10,18 +10,14 @@ include <tunables/global>
@{exec_path} = @{bin}/qtox
profile qtox @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/audio-client>
include <abstractions/desktop>
include <abstractions/enchant>
include <abstractions/user-download-strict>
include <abstractions/qt5-settings-write>
include <abstractions/mesa>
include <abstractions/dri-enumerate>
include <abstractions/fontconfig-cache-read>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/audio>
include <abstractions/qt5-settings-write>
include <abstractions/user-download-strict>
network inet dgram,
network inet6 dgram,
@ -31,7 +27,12 @@ profile qtox @{exec_path} {
@{exec_path} mr,
@{bin}/xdg-open rCx -> open,
@{open_path} rPx -> child-open,
/usr/share/qt5ct/** r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# For importing old profile
owner @{HOME}/**.tox r,
@ -51,50 +52,14 @@ profile qtox @{exec_path} {
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
owner @{PROC}/@{pid}/cmdline r,
@{PROC}/sys/kernel/core_pattern r, # for KCrash::initialize()
/usr/share/hwdata/pnp.ids r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner /tmp/qipc_{systemsem,sharedmemory}_*@{hex} rw,
@{sys}/devices/system/node/ r, # for ld-linux-x86-64.so -> libnuma1.so
@{sys}/devices/system/node/node@{int}/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so
/dev/ r,
/dev/video@{int} rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
@{bin}/xdg-open mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
@{lib}/firefox/firefox rPUx,
@{bin}/viewnior rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{user_cache_dirs}/qTox/qtox.log w,
deny /dev/video@{int} rw,
}
include if exists <local/qtox>
}
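Review bot: The last hunk replaces the inline `open` child profile (L406–L423) with `@{open_path} rPx -> child-open,` (L386), and in doing so drops the child's explicit opener allow-list (`@{lib}/firefox/firefox rPUx,` and `@{bin}/viewnior rPUx,`, L417–L418) and its `deny /dev/video@{int} rw,` (L422) that silenced the inherited camera descriptor; whether the shared `child-open` profile is as narrow is not visible here, and the change is independent of the audio-client switch the title describes. Also not decidable from this rendering is whether `/dev/ r,` and `/dev/video@{int} rw,` (L404–L405) survive the 50 → 14 line rewrite; qtox needs the video device for calls, so that is worth a check before merging. The first hunk additionally drops `X` in favour of `desktop` and `graphics`, another non-audio change worth a line in the commit description.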