feat(profile): general update.
This commit is contained in:
parent
4b61abf7ce
commit
8250e202a0
37 changed files with 67 additions and 53 deletions
|
@ -15,6 +15,7 @@
|
||||||
signal (receive) set=(term,cont) peer=systemd,
|
signal (receive) set=(term,cont) peer=systemd,
|
||||||
signal (receive) set=(term,kill,stop,cont) peer=systemd-shutdown,
|
signal (receive) set=(term,kill,stop,cont) peer=systemd-shutdown,
|
||||||
signal (receive) set=(term,kill) peer=gnome-shell,
|
signal (receive) set=(term,kill) peer=gnome-shell,
|
||||||
|
signal (receive) set=(term,kill) peer=gnome-system-monitor,
|
||||||
signal (receive) set=(term,kill) peer=openbox,
|
signal (receive) set=(term,kill) peer=openbox,
|
||||||
signal (receive) set=(term,kill) peer=su,
|
signal (receive) set=(term,kill) peer=su,
|
||||||
|
|
||||||
|
|
|
@ -104,9 +104,10 @@
|
||||||
|
|
||||||
/etc/@{name}/{,**} r,
|
/etc/@{name}/{,**} r,
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
|
/etc/gnutls/config r,
|
||||||
|
/etc/igfx_user_feature{,_next}.txt w,
|
||||||
/etc/libva.conf r,
|
/etc/libva.conf r,
|
||||||
/etc/opensc.conf r,
|
/etc/opensc.conf r,
|
||||||
/etc/igfx_user_feature{,_next}.txt w,
|
|
||||||
|
|
||||||
/var/lib/dbus/machine-id r,
|
/var/lib/dbus/machine-id r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
|
|
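Review bot: The new `/etc/gnutls/config r,` line at L67 is copied verbatim into seventeen other profiles in this commit (pipewire, xdg-desktop-portal-gnome, evolution-addressbook-factory, evolution-calendar-factory, evolution-source-registry, gnome-shell, gnome-software, goa-daemon, gsd-print-notifications, gsd-printer, mutter-x11-frames, gvfsd-http, NetworkManager, fwupd, passimd, spotify, wireplumber), which is exactly the duplication an abstraction exists to avoid. A GnuTLS consumer reads this file before any TLS setup, so the rule belongs with the other crypto-library reads in a shared abstraction — this tree already ships `abstractions/ssl_certs` and `abstractions/p11-kit` (both included by flatpak-session-helper later in this commit), and upstream AppArmor's `abstractions/crypto` is the conventional home for it; confirm which one this repository carries — and each profile should include that instead. Kept per-profile, the next gnutls-related path has to be chased across the same eighteen files again. The enclosing profile of this hunk starts outside the hunk and its name is not visible here.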
@ -3,7 +3,7 @@
|
||||||
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
ptrace (read),
|
ptrace (read) peer=@{systemd},
|
||||||
|
|
||||||
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
|
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
|
||||||
@{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
|
@{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
|
||||||
|
|
|
@ -20,6 +20,7 @@ profile dbus-run-session @{exec_path} {
|
||||||
@{bin}/gnome-session rix,
|
@{bin}/gnome-session rix,
|
||||||
@{bin}/gnome-shell rPx,
|
@{bin}/gnome-shell rPx,
|
||||||
@{bin}/gsettings rPx,
|
@{bin}/gsettings rPx,
|
||||||
|
@{bin}/startplasma-wayland rPUx,
|
||||||
@{lib}/gnome-session-binary rPx,
|
@{lib}/gnome-session-binary rPx,
|
||||||
|
|
||||||
# /usr/share/glib-2.0/schemas/gschemas.compiled r,
|
# /usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
|
|
|
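Review bot: `@{bin}/startplasma-wayland rPUx,` at L160 falls back to running the Plasma session unconfined whenever no `startplasma-wayland` profile is loaded, while the neighbouring GNOME entries (`gnome-session rix`, `gnome-shell rPx`, `gnome-session-binary rPx`) never leave confinement. If this repository ships a profile for startplasma-wayland, `rPx` turns a missing or unloaded profile into a visible exec denial instead of a silent unconfined desktop session; if it does not, a comment such as `# no plasma profile yet, unconfined fallback is deliberate` next to the line records the choice. dbus-run-session's profile body continues outside the hunk.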
@ -15,8 +15,9 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/X-strict>
|
include <abstractions/X-strict>
|
||||||
|
|
||||||
signal (receive) set=(term hup) peer=gdm*,
|
signal (receive) set=(term hup kill) peer=@{systemd},
|
||||||
signal (receive) set=(term hup kill) peer=dbus-daemon,
|
signal (receive) set=(term hup kill) peer=dbus-daemon,
|
||||||
|
signal (receive) set=(term hup kill) peer=gdm*,
|
||||||
|
|
||||||
dbus bind bus=accessibility name=org.a11y.atspi.Registry,
|
dbus bind bus=accessibility name=org.a11y.atspi.Registry,
|
||||||
|
|
||||||
|
|
|
@ -50,6 +50,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
/usr/share/pipewire/pipewire*.conf r,
|
/usr/share/pipewire/pipewire*.conf r,
|
||||||
|
|
||||||
|
/etc/gnutls/config r,
|
||||||
/etc/pipewire/client.conf r,
|
/etc/pipewire/client.conf r,
|
||||||
/etc/pipewire/pipewire-pulse.conf.d/{,*} r,
|
/etc/pipewire/pipewire-pulse.conf.d/{,*} r,
|
||||||
/etc/pipewire/pipewire.conf r,
|
/etc/pipewire/pipewire.conf r,
|
||||||
|
|
|
@ -15,6 +15,7 @@ profile pipewire-media-session @{exec_path} {
|
||||||
include <abstractions/dbus-strict>
|
include <abstractions/dbus-strict>
|
||||||
include <abstractions/devices-usb>
|
include <abstractions/devices-usb>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/video>
|
||||||
|
|
||||||
network bluetooth raw,
|
network bluetooth raw,
|
||||||
network bluetooth seqpacket,
|
network bluetooth seqpacket,
|
||||||
|
@ -62,9 +63,7 @@ profile pipewire-media-session @{exec_path} {
|
||||||
|
|
||||||
@{run}/systemd/users/@{uid} r,
|
@{run}/systemd/users/@{uid} r,
|
||||||
|
|
||||||
@{sys}/class/video4linux/ r,
|
|
||||||
@{sys}/devices/**/sound/**/uevent r,
|
@{sys}/devices/**/sound/**/uevent r,
|
||||||
@{sys}/devices/pci[0-9]*/**/modalias r,
|
|
||||||
@{sys}/devices/pci[0-9]*/**/sound/**/pcm_class r,
|
@{sys}/devices/pci[0-9]*/**/sound/**/pcm_class r,
|
||||||
@{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
|
@{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
|
||||||
@{sys}/devices/system/node/ r,
|
@{sys}/devices/system/node/ r,
|
||||||
|
@ -72,7 +71,6 @@ profile pipewire-media-session @{exec_path} {
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||||
|
|
||||||
/dev/video@{int} rw,
|
|
||||||
/dev/snd/ r,
|
/dev/snd/ r,
|
||||||
|
|
||||||
include if exists <local/pipewire-media-session>
|
include if exists <local/pipewire-media-session>
|
||||||
|
|
|
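Review bot: The removed `@{sys}/devices/pci[0-9]*/**/modalias r,` (L318) is a generic PCI device attribute rather than a video4linux path, so it is not obvious that the `include <abstractions/video>` added at L278 covers it the way it plausibly covers the dropped `@{sys}/class/video4linux/ r,` (L309) and `/dev/video@{int} rw,` (L352); confirm against the abstraction's contents, otherwise the session manager will start hitting `modalias` denials during device enumeration. The wireplumber section later in this commit (hunk `@ -61,7 +62,6 @@`) removes the same `modalias` line without adding any include in its visible hunks, so the same check applies there. If the read is intentionally dropped because it was never needed, a sentence in the commit message saying so would save the next reviewer the same question.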
@ -134,6 +134,8 @@ profile xdg-desktop-portal-gnome @{exec_path} {
|
||||||
|
|
||||||
/usr/share/X11/xkb/{,**} r,
|
/usr/share/X11/xkb/{,**} r,
|
||||||
|
|
||||||
|
/etc/gnutls/config r,
|
||||||
|
|
||||||
/var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
|
/var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
|
||||||
/var/lib/snapd/desktop/icons/{,**} r,
|
/var/lib/snapd/desktop/icons/{,**} r,
|
||||||
|
|
||||||
|
|
|
@ -53,7 +53,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{bin}/flatpak rCx -> flatpak,
|
@{bin}/flatpak rPUx,
|
||||||
@{bin}/fusermount{,3} rCx -> fusermount,
|
@{bin}/fusermount{,3} rCx -> fusermount,
|
||||||
|
|
||||||
/ r,
|
/ r,
|
||||||
|
@ -72,27 +72,6 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
|
||||||
# file inherit
|
# file inherit
|
||||||
owner /dev/tty@{int} rw,
|
owner /dev/tty@{int} rw,
|
||||||
|
|
||||||
profile flatpak {
|
|
||||||
include <abstractions/base>
|
|
||||||
|
|
||||||
@{bin}/flatpak mr,
|
|
||||||
|
|
||||||
/ r,
|
|
||||||
/etc/flatpak/remotes.d/{,*} r,
|
|
||||||
|
|
||||||
/var/lib/flatpak/{,**} rw,
|
|
||||||
|
|
||||||
owner @{user_cache_dirs}/flatpak/{,**} r,
|
|
||||||
owner @{user_config_dirs}/user-dirs.dirs r,
|
|
||||||
owner @{user_share_dirs}/flatpak/{,**} r,
|
|
||||||
|
|
||||||
@{PROC}/sys/kernel/random/boot_id r,
|
|
||||||
|
|
||||||
/dev/tty rw,
|
|
||||||
|
|
||||||
include if exists <local/xdg-document-portal_flatpak>
|
|
||||||
}
|
|
||||||
|
|
||||||
profile fusermount {
|
profile fusermount {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
|
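Review bot: Replacing `@{bin}/flatpak rCx -> flatpak,` with `@{bin}/flatpak rPUx,` at L425 and deleting the `flatpak` child profile (second hunk) trades a tightly scoped child — read-only access to `remotes.d`, the user's flatpak dirs and `boot_id`, writes only under `/var/lib/flatpak` — for a transition that runs flatpak unconfined whenever no standalone `flatpak` profile is loaded. If the tree has a top-level `flatpak` profile covering what the document portal needs, `rPx` keeps the failure mode visible (a denied exec rather than a silent unconfined process); if the unconfined fallback is intended, a one-line comment such as `# flatpak profile is optional, unconfined fallback` at the exec line documents that choice. The `fusermount` child kept at L534 shows the pattern the removed child followed, so the difference in treatment deserves a word in the commit message.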
@ -49,6 +49,8 @@ profile evolution-addressbook-factory @{exec_path} {
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||||
|
|
||||||
|
/etc/gnutls/config r,
|
||||||
|
|
||||||
owner @{user_share_dirs}/evolution/{,**} rwk,
|
owner @{user_share_dirs}/evolution/{,**} rwk,
|
||||||
owner @{user_cache_dirs}/evolution/addressbook/{,**} rwk,
|
owner @{user_cache_dirs}/evolution/addressbook/{,**} rwk,
|
||||||
|
|
||||||
|
|
|
@ -47,6 +47,8 @@ profile evolution-calendar-factory @{exec_path} {
|
||||||
|
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
|
|
||||||
|
/etc/gnutls/config r,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/evolution/calendar/{,**} rwk,
|
owner @{user_cache_dirs}/evolution/calendar/{,**} rwk,
|
||||||
owner @{user_cache_dirs}/evolution/tasks/{,**} rwk,
|
owner @{user_cache_dirs}/evolution/tasks/{,**} rwk,
|
||||||
|
|
||||||
|
|
|
@ -50,6 +50,8 @@ profile evolution-source-registry @{exec_path} {
|
||||||
|
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
|
|
||||||
|
/etc/gnutls/config r,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/evolution/{,**} rwk,
|
owner @{user_cache_dirs}/evolution/{,**} rwk,
|
||||||
owner @{user_config_dirs}/evolution/sources/{,*} rw,
|
owner @{user_config_dirs}/evolution/sources/{,*} rw,
|
||||||
owner @{user_share_dirs}/evolution/{,**} r,
|
owner @{user_share_dirs}/evolution/{,**} r,
|
||||||
|
|
|
@ -17,6 +17,7 @@ profile gdm-wayland-session @{exec_path} {
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/zsh>
|
include <abstractions/zsh>
|
||||||
|
|
||||||
|
signal (receive) set=(hup) peer=@{systemd},
|
||||||
signal (receive) set=term peer=gdm{,-session-worker},
|
signal (receive) set=term peer=gdm{,-session-worker},
|
||||||
signal (send) set=(term) peer=dbus-run-session,
|
signal (send) set=(term) peer=dbus-run-session,
|
||||||
signal (send) set=(term) peer=dbus-daemon,
|
signal (send) set=(term) peer=dbus-daemon,
|
||||||
|
|
|
@ -11,6 +11,10 @@ profile gnome-session-ctl @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/dbus-session-strict>
|
include <abstractions/dbus-session-strict>
|
||||||
|
|
||||||
|
signal (receive) set=(kill) peer=@{systemd},
|
||||||
|
|
||||||
|
unix (send, receive, connect) type=stream peer=(addr=@/tmp/dbus-????????, label=dbus-daemon),
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/systemd[0-9]*
|
dbus send bus=session path=/org/freedesktop/systemd[0-9]*
|
||||||
interface=org.freedesktop.systemd[0-9]*.Manager
|
interface=org.freedesktop.systemd[0-9]*.Manager
|
||||||
member={StartUnit,StopUnit}
|
member={StartUnit,StopUnit}
|
||||||
|
@ -21,12 +25,10 @@ profile gnome-session-ctl @{exec_path} {
|
||||||
member=Initialized
|
member=Initialized
|
||||||
peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
|
peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
|
||||||
|
|
||||||
unix (send, receive, connect) type=stream peer=(addr=@/tmp/dbus-????????, label=dbus-daemon),
|
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/gnome-session-leader-fifo r,
|
|
||||||
@{run}/user/@{uid}/systemd/notify rw,
|
@{run}/user/@{uid}/systemd/notify rw,
|
||||||
|
owner @{run}/user/@{uid}/gnome-session-leader-fifo r,
|
||||||
|
|
||||||
include if exists <local/gnome-session-ctl>
|
include if exists <local/gnome-session-ctl>
|
||||||
}
|
}
|
||||||
|
|
|
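Review bot: The `unix (send, receive, connect) type=stream peer=(addr=@/tmp/dbus-????????, label=dbus-daemon),` rule moved to L729 spells the eight-character socket suffix as `????????`, while the gvfsd-http section of this same commit writes the equivalent suffix as `socket-@{rand8}` (L1141). Writing it as `addr=@/tmp/dbus-@{rand8}` keeps the two profiles consistent and narrows the match to the variable's character class instead of any eight characters — confirm that the variable's class matches what dbus-daemon actually generates before switching. gnome-session-ctl's profile body continues outside the hunks.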
@ -468,7 +468,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||||
@{lib}/* rPUx,
|
@{lib}/* rPUx,
|
||||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rix,
|
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rix,
|
||||||
|
|
||||||
/usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js rPx,
|
/usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx,
|
||||||
|
|
||||||
/opt/*/**/*.png r,
|
/opt/*/**/*.png r,
|
||||||
/snap/*/@{uid}/**.png r,
|
/snap/*/@{uid}/**.png r,
|
||||||
|
@ -500,6 +500,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
/.flatpak-info r,
|
/.flatpak-info r,
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
|
/etc/gnutls/config r,
|
||||||
/etc/pipewire/client.conf.d/{,**} r,
|
/etc/pipewire/client.conf.d/{,**} r,
|
||||||
/etc/timezone r,
|
/etc/timezone r,
|
||||||
/etc/udev/hwdb.bin r,
|
/etc/udev/hwdb.bin r,
|
||||||
|
|
|
@ -53,6 +53,7 @@ profile gnome-software @{exec_path} {
|
||||||
|
|
||||||
/etc/appstream.conf r,
|
/etc/appstream.conf r,
|
||||||
/etc/flatpak/remotes.d/{,**} r,
|
/etc/flatpak/remotes.d/{,**} r,
|
||||||
|
/etc/gnutls/config r,
|
||||||
/etc/PackageKit/Vendor.conf r,
|
/etc/PackageKit/Vendor.conf r,
|
||||||
/etc/pulse/client.conf r,
|
/etc/pulse/client.conf r,
|
||||||
|
|
||||||
|
|
|
@ -65,6 +65,8 @@ profile goa-daemon @{exec_path} {
|
||||||
|
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
|
|
||||||
|
/etc/gnutls/config r,
|
||||||
|
|
||||||
/var/lib/gdm{3,}/.config/dconf/user r,
|
/var/lib/gdm{3,}/.config/dconf/user r,
|
||||||
|
|
||||||
owner @{user_config_dirs}/goa-1.0/ rw,
|
owner @{user_config_dirs}/goa-1.0/ rw,
|
||||||
|
|
|
@ -79,8 +79,9 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
@{lib}/gsd-printer rPx,
|
@{lib}/gsd-printer rPx,
|
||||||
|
|
||||||
/etc/machine-id r,
|
|
||||||
/etc/cups/client.conf r,
|
/etc/cups/client.conf r,
|
||||||
|
/etc/gnutls/config r,
|
||||||
|
/etc/machine-id r,
|
||||||
|
|
||||||
@{run}/cups/cups.sock rw,
|
@{run}/cups/cups.sock rw,
|
||||||
|
|
||||||
|
|
|
@ -52,6 +52,8 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
/etc/gnutls/config r,
|
||||||
|
|
||||||
owner /tmp/[a-z0-9]* rw,
|
owner /tmp/[a-z0-9]* rw,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/cgroup r,
|
owner @{PROC}/@{pid}/cgroup r,
|
||||||
|
|
|
@ -27,6 +27,8 @@ profile mutter-x11-frames @{exec_path} {
|
||||||
/usr/share/dconf/profile/gdm r,
|
/usr/share/dconf/profile/gdm r,
|
||||||
/usr/share/gdm/greeter-dconf-defaults r,
|
/usr/share/gdm/greeter-dconf-defaults r,
|
||||||
|
|
||||||
|
/etc/gnutls/config r,
|
||||||
|
|
||||||
/var/lib/gdm{3,}/.config/dconf/user r,
|
/var/lib/gdm{3,}/.config/dconf/user r,
|
||||||
/var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
|
/var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
|
||||||
|
|
||||||
|
|
|
@ -16,6 +16,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/deny-sensitive-home>
|
include <abstractions/deny-sensitive-home>
|
||||||
include <abstractions/disks-read>
|
include <abstractions/disks-read>
|
||||||
include <abstractions/freedesktop.org>
|
include <abstractions/freedesktop.org>
|
||||||
|
include <abstractions/gstreamer>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/private-files-strict>
|
include <abstractions/private-files-strict>
|
||||||
include <abstractions/private-files>
|
include <abstractions/private-files>
|
||||||
|
|
|
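Review bot: `include <abstractions/gstreamer>` at L1099 lands in a profile whose other includes (`deny-sensitive-home`, `private-files-strict`, `disks-read`) show it is written for a process that crawls user data, and a gstreamer abstraction presumably grants plugin loading and media paths that a file-system crawler does not need. If media decoding happens in a separate extractor binary with its own profile, the include belongs there rather than here; if tracker-miner itself links gstreamer, a trailing comment naming the denial it fixes (`# gstreamer: needed for <observed denial>`) justifies widening what a process that parses untrusted files may do. The profile body continues outside the hunk.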
@ -24,6 +24,8 @@ profile gvfsd-http @{exec_path} {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
/etc/gnutls/config r,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
|
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
|
||||||
|
|
||||||
@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
|
@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
|
||||||
|
|
|
@ -70,7 +70,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
|
||||||
@{sys}/class/wwan/ r,
|
@{sys}/class/wwan/ r,
|
||||||
|
|
||||||
@{sys}/devices/**/uevent r,
|
@{sys}/devices/**/uevent r,
|
||||||
@{sys}/devices/pci[0-9]*/**/revision r,
|
@{sys}/devices/@{pci}/revision r,
|
||||||
@{sys}/devices/virtual/net/*/ r,
|
@{sys}/devices/virtual/net/*/ r,
|
||||||
@{sys}/devices/virtual/tty/*/ r,
|
@{sys}/devices/virtual/tty/*/ r,
|
||||||
|
|
||||||
|
|
|
@ -118,6 +118,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
/ r,
|
/ r,
|
||||||
/etc/ r,
|
/etc/ r,
|
||||||
|
/etc/gnutls/config r,
|
||||||
/etc/iproute2/* r,
|
/etc/iproute2/* r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/network/interfaces r,
|
/etc/network/interfaces r,
|
||||||
|
|
|
@ -19,9 +19,10 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
@{lib_dirs}/snapd/apparmor.d/{,**} r,
|
@{lib_dirs}/snapd/apparmor.d/{,**} r,
|
||||||
|
|
||||||
/etc/apparmor/{,**} r,
|
|
||||||
/etc/apparmor.d/{,**} r,
|
/etc/apparmor.d/{,**} r,
|
||||||
/etc/apparmor.d/cache.d/{,**} rw,
|
/etc/apparmor.d/cache.d/{,**} rw,
|
||||||
|
/etc/apparmor/{,**} r,
|
||||||
|
/etc/apparmor/cache.d/{,**} rw,
|
||||||
/etc/apparmor/earlypolicy/{,**} rw,
|
/etc/apparmor/earlypolicy/{,**} rw,
|
||||||
|
|
||||||
/usr/share/apparmor-features/{,**} r,
|
/usr/share/apparmor-features/{,**} r,
|
||||||
|
|
|
@ -20,7 +20,7 @@ profile ffprobe @{exec_path} {
|
||||||
owner @{user_videos_dirs}/** rw,
|
owner @{user_videos_dirs}/** rw,
|
||||||
|
|
||||||
@{sys}/devices/system/node/ r,
|
@{sys}/devices/system/node/ r,
|
||||||
@{sys}/devices/system/node/node[0-9]/meminfo r,
|
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||||
|
|
||||||
include if exists <local/ffprobe>
|
include if exists <local/ffprobe>
|
||||||
}
|
}
|
||||||
|
|
|
@ -32,9 +32,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
|
||||||
owner @{user_config_dirs}/user-dirs.dirs r,
|
owner @{user_config_dirs}/user-dirs.dirs r,
|
||||||
owner @{user_share_dirs}/mime/mime.cache r,
|
owner @{user_share_dirs}/mime/mime.cache r,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/.flatpak/@{int}/bwrapinfo.json r,
|
owner @{run}/user/@{uid}/.flatpak/@{int}/* r,
|
||||||
owner @{run}/user/@{uid}/.flatpak/@{int}/info r,
|
owner @{run}/user/@{uid}/.flatpak/@{int}-private/* r,
|
||||||
owner @{run}/user/@{uid}/.flatpak/@{int}/pid r,
|
|
||||||
|
|
||||||
include if exists <local/flatpak-portal>
|
include if exists <local/flatpak-portal>
|
||||||
}
|
}
|
|
@ -7,12 +7,14 @@ abi <abi/3.0>,
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = @{lib}/flatpak-session-helper
|
@{exec_path} = @{lib}/flatpak-session-helper
|
||||||
profile flatpak-session-helper @{exec_path} {
|
profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/p11-kit>
|
include <abstractions/p11-kit>
|
||||||
include <abstractions/ssl_certs>
|
include <abstractions/ssl_certs>
|
||||||
|
|
||||||
|
signal (send) set=(int) peer=@{systemd},
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{bin}/dbus-monitor rPUx,
|
@{bin}/dbus-monitor rPUx,
|
||||||
|
|
|
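Review bot: `flags=(attach_disconnected)` added to the profile header at L1382 and `signal (send) set=(int) peer=@{systemd},` at L1409 both arrive without a comment, and neither is self-explanatory for a session helper: the flag changes how paths outside the namespace are mediated for the whole profile, and sending SIGINT towards the systemd peer is an unusual direction for a helper. A short comment on each line stating the observed denial it fixes (for example `# needed for <observed denial>`) lets the next maintainer tell a deliberate grant from a copy-paste. The profile body continues outside the hunk.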
@ -87,6 +87,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
|
||||||
/usr/share/mime/mime.cache r,
|
/usr/share/mime/mime.cache r,
|
||||||
|
|
||||||
/etc/fwupd/{,**} rw,
|
/etc/fwupd/{,**} rw,
|
||||||
|
/etc/gnutls/config r,
|
||||||
/etc/lsb-release r,
|
/etc/lsb-release r,
|
||||||
/etc/pki/fwupd-metadata/{,**} r,
|
/etc/pki/fwupd-metadata/{,**} r,
|
||||||
/etc/pki/fwupd/{,**} r,
|
/etc/pki/fwupd/{,**} r,
|
||||||
|
|
|
@ -24,6 +24,7 @@ profile passimd @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
/usr/share/dbus-1/interfaces/org.freedesktop.Passim.xml r,
|
/usr/share/dbus-1/interfaces/org.freedesktop.Passim.xml r,
|
||||||
|
|
||||||
|
/etc/gnutls/config r,
|
||||||
/etc/passim.conf r,
|
/etc/passim.conf r,
|
||||||
|
|
||||||
/var/lib/passim/{,**} r,
|
/var/lib/passim/{,**} r,
|
||||||
|
|
|
@ -16,20 +16,21 @@ profile pkexec @{exec_path} {
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/wutmp>
|
include <abstractions/wutmp>
|
||||||
|
|
||||||
signal (send) set=(term, kill) peer=polkit-agent-helper,
|
|
||||||
|
|
||||||
capability audit_write,
|
capability audit_write,
|
||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
|
capability net_admin,
|
||||||
capability setgid, # gdbus
|
capability setgid, # gdbus
|
||||||
capability setuid, # gmain
|
capability setuid, # gmain
|
||||||
capability sys_ptrace,
|
capability sys_ptrace,
|
||||||
capability sys_resource,
|
capability sys_resource,
|
||||||
audit deny capability sys_nice,
|
audit deny capability sys_nice,
|
||||||
|
|
||||||
ptrace (read),
|
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
signal (send) set=(term, kill) peer=polkit-agent-helper,
|
||||||
|
|
||||||
|
ptrace (read),
|
||||||
|
|
||||||
dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
|
dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member=GetAll
|
member=GetAll
|
||||||
|
@ -61,13 +62,14 @@ profile pkexec @{exec_path} {
|
||||||
@{lib}/update-notifier/package-system-locked rPx,
|
@{lib}/update-notifier/package-system-locked rPx,
|
||||||
/usr/share/apport/apport-gtk rPx,
|
/usr/share/apport/apport-gtk rPx,
|
||||||
|
|
||||||
/etc/shells r,
|
|
||||||
@{etc_ro}/environment r,
|
@{etc_ro}/environment r,
|
||||||
/etc/default/locale r,
|
|
||||||
@{etc_ro}/security/limits.d/{,*} r,
|
@{etc_ro}/security/limits.d/{,*} r,
|
||||||
|
/etc/default/locale r,
|
||||||
|
/etc/shells r,
|
||||||
|
|
||||||
@{PROC}/@{pids}/stat r,
|
@{PROC}/@{pids}/stat r,
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
owner @{PROC}/@{pid}/loginuid r,
|
||||||
|
|
||||||
# file_inherit
|
# file_inherit
|
||||||
owner /dev/tty@{int} rw,
|
owner /dev/tty@{int} rw,
|
||||||
|
|
|
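Review bot: `capability net_admin,` at L1537 is added to a setuid-root helper with no comment, while the neighbouring `capability setgid, # gdbus` and `capability setuid, # gmain` lines each record the code path that needs them. net_admin is among the broadest capabilities (interface, routing and firewall configuration) and is not something pkexec itself obviously needs; if the denial came from a program pkexec launched, the grant belongs in that program's profile, and if it is pkexec's own, a trailing comment in the same style as the lines above it should say what triggers it. The rest of the section only reorders the `signal`, `ptrace`, `/etc/shells` and `/etc/default/locale` lines and adds `owner @{PROC}/@{pid}/loginuid r,` (L1669), which read fine.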
@ -16,6 +16,7 @@ profile snapd-apparmor @{exec_path} {
|
||||||
|
|
||||||
@{bin}/systemd-detect-virt rPx,
|
@{bin}/systemd-detect-virt rPx,
|
||||||
@{lib_dirs}/snapd/apparmor_parser rPx,
|
@{lib_dirs}/snapd/apparmor_parser rPx,
|
||||||
|
@{bin}/apparmor_parser rPx,
|
||||||
|
|
||||||
@{lib_dirs}/snapd/info r,
|
@{lib_dirs}/snapd/info r,
|
||||||
|
|
||||||
|
|
|
@ -42,6 +42,7 @@ profile spotify @{exec_path} {
|
||||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||||
|
|
||||||
|
/etc/gnutls/config r,
|
||||||
/etc/libva.conf r,
|
/etc/libva.conf r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/spotify-adblock/* r,
|
/etc/spotify-adblock/* r,
|
||||||
|
|
|
@ -35,10 +35,10 @@ profile sudo @{exec_path} {
|
||||||
|
|
||||||
ptrace (read),
|
ptrace (read),
|
||||||
|
|
||||||
|
signal (send,receive) peer=cockpit-bridge,
|
||||||
signal (send) peer=unconfined,
|
signal (send) peer=unconfined,
|
||||||
signal (send) set=(cont,hup) peer=su,
|
signal (send) set=(cont,hup) peer=su,
|
||||||
signal (send) set=winch peer={apt,zsysd,zsys-system-autosnapshot,pacman},
|
signal (send) set=(winch),
|
||||||
signal (send,receive) peer=cockpit-bridge,
|
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/login[0-9]
|
dbus send bus=system path=/org/freedesktop/login[0-9]
|
||||||
interface=org.freedesktop.login[0-9].Manager
|
interface=org.freedesktop.login[0-9].Manager
|
||||||
|
@ -50,12 +50,11 @@ profile sudo @{exec_path} {
|
||||||
member={JobRemoved,StartTransientUnit},
|
member={JobRemoved,StartTransientUnit},
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
@{lib}/sudo/** mr,
|
||||||
|
|
||||||
@{bin}/{,b,d,rb}ash rUx,
|
@{bin}/{,b,d,rb}ash rUx,
|
||||||
@{bin}/{c,k,tc,z}sh rUx,
|
@{bin}/{c,k,tc,z}sh rUx,
|
||||||
|
|
||||||
@{lib}/** rPUx,
|
@{lib}/** rPUx,
|
||||||
@{lib}/sudo/** mr,
|
|
||||||
/opt/*/** rPUx,
|
/opt/*/** rPUx,
|
||||||
/snap/snapd/@{int}@{bin}/snap rPUx,
|
/snap/snapd/@{int}@{bin}/snap rPUx,
|
||||||
|
|
||||||
|
|
|
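Review bot: `signal (send) set=(winch),` at L1790 drops the `peer={apt,zsysd,zsys-system-autosnapshot,pacman}` restriction the old line carried, so sudo may now deliver SIGWINCH to any labelled process. Given that the surrounding rules already let sudo exec arbitrary commands (`rUx`/`rPUx`), an unrestricted peer is defensible, but the commit does not say why the enumerated list was insufficient; a trailing comment such as `# forwarded to whatever command sudo runs` makes the intent explicit and stops a later reviewer from re-adding the list. Moving `@{lib}/sudo/** mr,` next to `@{exec_path} mr,` (L1828) is a sensible reorder.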
@ -53,7 +53,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
|
||||||
umount @{MOUNTS}/,
|
umount @{MOUNTS}/,
|
||||||
umount @{MOUNTS}/*/,
|
umount @{MOUNTS}/*/,
|
||||||
umount @{run}/udisks2/temp-mount-*/,
|
umount @{run}/udisks2/temp-mount-*/,
|
||||||
umount /media/cdrom[0-9]/,
|
umount /media/cdrom@{int}/,
|
||||||
|
|
||||||
signal (receive) set=(int) peer=@{systemd},
|
signal (receive) set=(int) peer=@{systemd},
|
||||||
|
|
||||||
|
|
|
@ -24,6 +24,7 @@ profile useradd @{exec_path} {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
@{bin}/nscd rix,
|
||||||
@{bin}/usermod rPx,
|
@{bin}/usermod rPx,
|
||||||
|
|
||||||
@{bin}/pam_tally2 rCx -> pam_tally2,
|
@{bin}/pam_tally2 rCx -> pam_tally2,
|
||||||
|
|
|
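Review bot: `@{bin}/nscd rix,` at L1924 runs nscd inherited under the useradd profile, so the cache daemon's code executes with every rule useradd holds, whereas the siblings `@{bin}/usermod rPx,` and `@{bin}/pam_tally2 rCx -> pam_tally2,` keep their children in their own profiles. If the tree has an nscd profile, `rPx` keeps the two confinements separate; if the inherit is deliberate because the call is presumably a short-lived cache invalidation, a comment saying so next to the line records that reasoning. useradd's profile body continues outside the hunk.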
@ -37,6 +37,7 @@ profile wireplumber @{exec_path} {
|
||||||
/usr/share/spa-*/bluez[0-9]*/{,*} r,
|
/usr/share/spa-*/bluez[0-9]*/{,*} r,
|
||||||
/usr/share/wireplumber/{,**} r,
|
/usr/share/wireplumber/{,**} r,
|
||||||
|
|
||||||
|
/etc/gnutls/config r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
|
||||||
/var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,
|
/var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,
|
||||||
|
@ -61,7 +62,6 @@ profile wireplumber @{exec_path} {
|
||||||
@{sys}/devices/**/device:*/**/path r,
|
@{sys}/devices/**/device:*/**/path r,
|
||||||
@{sys}/devices/**/sound/**/pcm_class r,
|
@{sys}/devices/**/sound/**/pcm_class r,
|
||||||
@{sys}/devices/**/sound/**/uevent r,
|
@{sys}/devices/**/sound/**/uevent r,
|
||||||
@{sys}/devices/pci[0-9]*/**/modalias r,
|
|
||||||
@{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
|
@{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
|
||||||
@{sys}/devices/virtual/dmi/id/bios_vendor r,
|
@{sys}/devices/virtual/dmi/id/bios_vendor r,
|
||||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||||
|
|