feat(profile): general update.
This commit is contained in:
parent
21e8456383
commit
8730c09b96
@ -29,6 +29,8 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
|
||||
deny @{user_share_dirs}/gnome-shell/session.gvdb rw,
|
||||
|
||||
include if exists <local/firefox-glxtest>
|
||||
}
|
||||
|
||||
|
@ -25,6 +25,7 @@ profile firefox-vaapitest @{exec_path} flags=(attach_disconnected) {
|
||||
deny @{config_dirs}/firefox/*/.parentlock rw,
|
||||
deny @{config_dirs}/firefox/*/startupCache/** r,
|
||||
deny @{user_cache_dirs}/mozilla/firefox/*/startupCache/* r,
|
||||
deny @{user_share_dirs}/gnome-shell/session.gvdb rw,
|
||||
|
||||
include if exists <local/firefox-vaapitest>
|
||||
}
|
||||
|
@ -28,6 +28,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw,
|
||||
owner @{desktop_config_dirs}/ibus/bus/ r,
|
||||
owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
|
||||
|
||||
|
@ -33,6 +33,7 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw,
|
||||
owner @{desktop_config_dirs}/ibus/bus/ r,
|
||||
owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
|
||||
|
||||
|
@ -15,8 +15,8 @@ profile child-open-strict {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app/open>
|
||||
|
||||
@{browsers_path} rPx,
|
||||
@{file_explorers_path} rPx,
|
||||
@{browsers_path} Px,
|
||||
@{file_explorers_path} Px,
|
||||
|
||||
include if exists <usr/child-open-strict.d>
|
||||
include if exists <local/child-open-strict>
|
||||
|
@ -14,7 +14,7 @@ abi <abi/3.0>,
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/pager @{bin}/less @{bin}/more
|
||||
profile child-pager {
|
||||
profile child-pager flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
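Review bot: The new `flags=(attach_disconnected)` on `profile child-pager` carries no comment saying which caller needs it. attach_disconnected makes paths that are disconnected from the namespace root match as if they hung off `/`, so every absolute-path rule in the profile starts applying to such files too; that is a deliberate loosening and the profile should say why it is needed (presumably a pager spawned inside a mount namespace — to be confirmed). Suggest `# attach_disconnected: <caller> runs the pager with a disconnected cwd/fd — confirm` on the line above the profile. The rest of the child-pager body lies outside this hunk.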
|
||||
|
||||
|
@ -40,7 +40,6 @@ profile cpupower @{exec_path} {
|
||||
|
||||
/dev/cpu/@{int}/msr r,
|
||||
|
||||
|
||||
profile kmod {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app/kmod>
|
||||
|
@ -11,6 +11,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/bus/org.freedesktop.Accounts>
|
||||
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
||||
include <abstractions/bus/org.gnome.Shell.Introspect>
|
||||
|
@ -49,7 +49,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{sh_path} rix,
|
||||
@{bin}/xkbcomp rPx,
|
||||
@{bin}/pkexec rPx,
|
||||
@{bin}/pkexec rCx -> pkexec,
|
||||
|
||||
@{lib}/xorg/ r,
|
||||
@{lib}/xorg/modules/ r,
|
||||
@ -136,6 +136,13 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
|
||||
/dev/tty@{int} rw,
|
||||
/dev/vga_arbiter rw, # Graphic card modules
|
||||
|
||||
profile pkexec {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app/pkexec>
|
||||
|
||||
include if exists <local/xorg_pkexec>
|
||||
}
|
||||
|
||||
include if exists <local/xorg>
|
||||
}
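Review bot: Switching `@{bin}/pkexec` from `rPx` to `rCx -> pkexec` moves Xorg's pkexec invocations out of the system-wide pkexec profile into a child profile that is only as complete as `abstractions/app/pkexec` plus `local/xorg_pkexec`, and any site additions made in `local/pkexec` stop applying on this path. Nothing in the hunk says what the X server execs pkexec for, so the child profile cannot be judged for least privilege; a one-line comment on the subprofile, e.g. `# pkexec is spawned by Xorg for <helper> — confirm`, would let a reader check whether the abstraction covers it. `abstractions/app/pkexec` is not visible here, so whether it grants the setuid-root binary what it needs cannot be verified from this diff.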
|
||||
|
||||
|
@ -23,7 +23,7 @@ profile gdm-generate-config @{exec_path} {
|
||||
@{sh_path} rix,
|
||||
@{bin}/dconf rix,
|
||||
@{bin}/install rix,
|
||||
@{bin}/pgrep rCx -> pgrep,
|
||||
@{bin}/pgrep rix,
|
||||
@{bin}/pkill rix,
|
||||
@{bin}/setpriv rix,
|
||||
@{bin}/setsid rix,
|
||||
@ -46,13 +46,6 @@ profile gdm-generate-config @{exec_path} {
|
||||
@{PROC}/@{pid}/stat r,
|
||||
@{PROC}/uptime r,
|
||||
|
||||
profile pgrep {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app/pgrep>
|
||||
|
||||
include if exists <local/gdm-generate-config_pgrep>
|
||||
}
|
||||
|
||||
include if exists <local/gdm-generate-config>
|
||||
}
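Review bot: Replacing `@{bin}/pgrep rCx -> pgrep` with `@{bin}/pgrep rix` drops the dedicated `pgrep` subprofile, so every `/proc/<pid>/` read pgrep performs to match processes must now be granted by the gdm-generate-config profile itself; the hunk shows only `@{PROC}/@{pid}/stat r,` and `@{PROC}/uptime r,`, and without the `cmdline`/`status` reads (and any `ptrace read` the old `abstractions/app/pgrep` carried) pgrep reports no match instead of failing loudly, which silently changes what the script does. Either keep the child profile or add the accesses the abstraction provided and say why inheriting is acceptable, e.g. `# pgrep/pkill run inherited: the proc reads below also cover them`. Whether the parent already grants those reads cannot be verified from this hunk.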
|
||||
|
||||
|
@ -23,6 +23,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/trash-strict>
|
||||
include <abstractions/user-read-strict>
|
||||
include <abstractions/user-write-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
@ -13,6 +13,8 @@ profile gnome-clocks @{exec_path} {
|
||||
include <abstractions/bus-accessibility>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
||||
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
||||
include <abstractions/common/gnome>
|
||||
include <abstractions/gstreamer>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
@ -163,6 +163,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
member=Introspect
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-session),
|
||||
|
||||
dbus send bus=session path=/org/gnome/*/SearchProvider
|
||||
interface=org.gnome.Shell.SearchProvider2
|
||||
peer=(name=@{busname}),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/unzip rix,
|
||||
@ -280,7 +284,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
|
||||
owner @{run}/user/@{uid}/systemd/notify rw,
|
||||
|
||||
owner /dev/shm/.org.chromium.Chromium.@{rand6} r,
|
||||
owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
|
||||
owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
|
||||
|
||||
/tmp/.X@{int}-lock rw,
|
||||
@ -343,6 +347,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pid}/attr/current r,
|
||||
@{PROC}/@{pid}/cgroup r,
|
||||
@{PROC}/@{pid}/cmdline r,
|
||||
@{PROC}/@{pid}/net/* r,
|
||||
@{PROC}/1/cgroup r,
|
||||
@ -350,8 +356,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
|
||||
@{PROC}/vmstat r,
|
||||
owner @{PROC}/@{pid}/attr/current r,
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/fdinfo/@{int} r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
@ -9,6 +9,7 @@ include <tunables/global>
|
||||
@{exec_path} = @{bin}/yelp @{bin}/gnome-help
|
||||
profile yelp @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/bus-accessibility>
|
||||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/common/gnome>
|
||||
|
@ -11,15 +11,15 @@ profile makepkg @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
signal send set=winch peer=pacman,
|
||||
signal send set=winch peer=pacman//systemctl,
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network netlink raw,
|
||||
|
||||
signal send set=winch peer=pacman,
|
||||
signal send set=winch peer=pacman//systemctl,
|
||||
|
||||
file,
|
||||
|
||||
@{bin}/gpg{,2} Cx -> gpg,
|
||||
@ -74,6 +74,9 @@ profile makepkg @{exec_path} {
|
||||
|
||||
ptrace read,
|
||||
|
||||
signal send set=winch peer=pacman,
|
||||
signal send set=winch peer=pacman//systemctl,
|
||||
|
||||
@{bin}/pacman Px,
|
||||
|
||||
include if exists <local/makepkg_sudo>
|
||||
|
@ -9,6 +9,7 @@ include <tunables/global>
|
||||
@{exec_path} = /usr/share/libalpm/scripts/gtk4-querymodules
|
||||
profile pacman-hook-gtk4-querymodules @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
capability dac_read_search,
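Review bot: `capability dac_read_search,` lets this root-run pacman hook read and traverse any file regardless of DAC mode bits, and the hunk gives no hint which path is unreadable without it. If a gtk4 module directory is installed with restrictive modes that is worth stating, e.g. `# dac_read_search: traverses module dirs installed 0700 — confirm`; if the grant came from a single stray denial, `audit capability dac_read_search,` for a release would show whether it is still exercised before keeping it permanently.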
|
||||
|
||||
|
@ -65,9 +65,10 @@ profile pacman-key @{exec_path} {
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/stat rw,
|
||||
|
||||
/dev/pts/@{int} rw,
|
||||
/dev/tty@{int} rw,
|
||||
/dev/pts/@{int} rw,
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/pacman-key_gpg>
|
||||
}
|
||||
|
||||
include if exists <local/pacman-key>
|
||||
|
@ -29,9 +29,10 @@ profile reflector @{exec_path} flags=(attach_disconnected) {
|
||||
/etc/xdg/reflector/reflector.conf r,
|
||||
/etc/pacman.d/mirrorlist rw,
|
||||
|
||||
owner @{user_cache_dirs}/mirrorstatus.json rw,
|
||||
/var/cache/reflector/mirrorstatus.json rw,
|
||||
|
||||
owner @{user_cache_dirs}/mirrorstatus.json r,
|
||||
|
||||
@{PROC}/1/environ r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
|
@ -25,8 +25,8 @@ profile ssh-agent @{exec_path} {
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
owner @{user_projects_dirs}/**/ssh/{,*} r,
|
||||
|
||||
owner @{tmp}/ssh-*/ rw,
|
||||
owner @{tmp}/ssh-*/agent.* rw,
|
||||
owner @{tmp}/ssh-@{rand12}/ rw,
|
||||
owner @{tmp}/ssh-@{rand12}/agent.@{int} rw,
|
||||
|
||||
owner @{run}/user/@{uid}/keyring/.ssh rw,
|
||||
owner @{run}/user/@{uid}/openssh_agent rw,
|
||||
|
@ -31,7 +31,6 @@ profile systemd-sleep @{exec_path} {
|
||||
|
||||
@{sys}/power/state rw,
|
||||
|
||||
|
||||
include if exists <local/systemd-sleep>
|
||||
}
|
||||
|
||||
|
@ -13,15 +13,15 @@ profile cockpit-certificate-helper @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{sh_path} rix,
|
||||
@{bin}/chmod rix,
|
||||
@{bin}/id rix,
|
||||
@{bin}/mkdir rix,
|
||||
@{bin}/mv rix,
|
||||
@{bin}/openssl rix,
|
||||
@{bin}/rm rix,
|
||||
@{bin}/sscg rix,
|
||||
@{bin}/tr rix,
|
||||
@{sh_path} rix,
|
||||
@{bin}/chmod rix,
|
||||
@{bin}/id rix,
|
||||
@{bin}/mkdir rix,
|
||||
@{bin}/mv rix,
|
||||
@{bin}/openssl rix,
|
||||
@{bin}/rm rix,
|
||||
@{bin}/sscg rix,
|
||||
@{bin}/tr rix,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/cockpit/ws-certs.d/* w,
|
||||
|
@ -47,7 +47,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/apparmor_parser rPx,
|
||||
@{bin}/containerd-shim-runc-v2 rPUx,
|
||||
@{bin}/containerd-shim-runc-v2 rPx,
|
||||
@{bin}/kmod rPx,
|
||||
@{bin}/unpigz rPUx,
|
||||
/{usr/,}{local/,}{s,}bin/zfs rPx,
|
||||
@ -71,8 +71,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
|
||||
/var/lib/cni/results/cni-loopback-@{uuid}-lo wl,
|
||||
/var/lib/cni/results/cni-loopback-[0-9a-z]*-lo wl,
|
||||
/var/lib/cni/results/k8s-pod-network-[0-9a-z]*-eth0 wl,
|
||||
/var/lib/containerd/{,**} rwk,
|
||||
/var/lib/containerd/tmpmounts/containerd-mount@{int}/** l,
|
||||
/var/lib/containerd/{,**} rwlk,
|
||||
/var/lib/docker/containerd/{,**} rwk,
|
||||
/var/lib/kubelet/seccomp/{,**} r,
|
||||
/var/lib/security-profiles-operator/{,**} r,
|
||||
|
@ -27,19 +27,22 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
|
||||
capability sys_ptrace,
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network inet stream,
|
||||
network inet6 dgram,
|
||||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
mount /tmp/containerd-mount@{int}/,
|
||||
mount /var/lib/docker/buildkit/**/,
|
||||
mount /var/lib/docker/overlay2/**/,
|
||||
mount /var/lib/docker/tmp/buildkit-mount@{int}/,
|
||||
mount options=(rw, bind) -> /run/docker/netns/*,
|
||||
mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder@{int}/,
|
||||
mount options=(rw, rprivate) -> /.pivot_root@{int}/,
|
||||
mount options=(rw, rslave) -> /,
|
||||
mount /tmp/containerd-mount@{int}/,
|
||||
mount /var/lib/docker/buildkit/**/,
|
||||
mount /var/lib/docker/overlay2/**/,
|
||||
mount /var/lib/docker/tmp/buildkit-mount@{int}/,
|
||||
mount fstype=overlay overlay -> /var/lib/docker/rootfs/overlayfs/@{hex64}/,
|
||||
mount options=(rw bind) -> /run/docker/netns/*,
|
||||
mount options=(rw rbind) -> /var/lib/docker/tmp/docker-builder@{int}/,
|
||||
mount options=(rw rbind) /var/lib/docker/volumes/**/- -> /var/lib/docker/rootfs/overlayfs/**/,
|
||||
mount options=(rw rprivate) -> /.pivot_root@{int}/,
|
||||
mount options=(rw rprivate) -> /var/lib/docker/rootfs/overlayfs/@{hex64}/var/lib/buildkit/,
|
||||
mount options=(rw rslave) -> /,
|
||||
|
||||
remount /tmp/containerd-mount@{int10}/,
|
||||
remount /var/lib/docker/tmp/buildkit-mount@{int10}/,
|
||||
@ -48,18 +51,20 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
|
||||
umount /run/docker/netns/*,
|
||||
umount /tmp/containerd-mount@{int}/,
|
||||
umount /var/lib/docker/buildkit/**/,
|
||||
umount /var/lib/docker/rootfs/**/,
|
||||
umount /var/lib/docker/overlay*/**/,
|
||||
umount /var/lib/docker/tmp/buildkit-mount@{int}/,
|
||||
|
||||
pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/ /var/lib/docker/overlay2/**/,
|
||||
pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/ /var/lib/docker/tmp/**/,
|
||||
pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/ /var/lib/docker/overlay2/**/,
|
||||
pivot_root oldroot=/var/lib/docker/rootfs/overlayfs/@{hex64}/.pivot_root@{int}/ /var/lib/docker/rootfs/overlayfs/@{hex64}/,
|
||||
pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/ /var/lib/docker/tmp/**/,
|
||||
|
||||
ptrace (read) peer=docker-*,
|
||||
ptrace (read) peer=unconfined,
|
||||
ptrace read peer=docker-*,
|
||||
ptrace read peer=unconfined,
|
||||
|
||||
signal (send) set=int peer=docker-proxy,
|
||||
signal (send) set=kill peer=docker-*,
|
||||
signal (send) set=term peer=containerd,
|
||||
signal send set=int peer=docker-proxy,
|
||||
signal send set=kill peer=docker-*,
|
||||
signal send set=term peer=containerd,
|
||||
|
||||
@{exec_path} mrix,
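Review bot: The new rule `mount options=(rw rbind) /var/lib/docker/volumes/**/- -> /var/lib/docker/rootfs/overlayfs/**/,` in the first hunk has a source ending in a literal `-`, which does not match a volume's data directory (`/var/lib/docker/volumes/<name>/_data`); if `-` was meant to be `_data` the rule never matches and the bind mount is still denied, and if the trailing `-` is intentional a comment saying what it denotes would stop the next reader from "fixing" it. Unlike the neighbouring additions that pin `@{hex64}`, the target `/var/lib/docker/rootfs/overlayfs/**/` also accepts any depth under overlayfs; `/var/lib/docker/rootfs/overlayfs/@{hex64}/**/` would keep it consistent with the pivot_root and rprivate rules added alongside.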
|
||||
|
||||
|
@ -33,7 +33,7 @@ profile aa-enforce @{exec_path} {
|
||||
owner @{tmp}/@{rand8} rw,
|
||||
owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
|
||||
|
||||
@{PROC}/@{pid}/fd r,
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
|
||||
include if exists <local/aa-enforce>
|
||||
}
|
||||
|
@ -27,6 +27,8 @@ profile aa-log @{exec_path} {
|
||||
/{run,var}/log/journal/ r,
|
||||
/{run,var}/log/journal/@{hex32}/{,*} r,
|
||||
|
||||
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/aa-log>
|
||||
|
@ -18,17 +18,19 @@ profile aa-notify @{exec_path} {
|
||||
capability setuid,
|
||||
capability sys_ptrace,
|
||||
|
||||
ptrace (read),
|
||||
ptrace read,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/ r,
|
||||
|
||||
/etc/apparmor/*.conf r,
|
||||
/etc/inputrc r,
|
||||
/usr/etc/inputrc.keys r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
@{etc_ro}/inputrc r,
|
||||
@{etc_ro}/inputrc.keys r,
|
||||
/etc/apparmor.d/{,**} r,
|
||||
/etc/apparmor/*.conf r,
|
||||
|
||||
/var/log/audit/audit.log r,
|
||||
|
||||
owner @{HOME}/.inputrc r,
|
||||
|
@ -36,7 +36,8 @@ profile chronyd @{exec_path} flags=(attach_disconnected) {
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/adjtime r,
|
||||
/etc/chrony.* r,
|
||||
/etc/chrony.conf r,
|
||||
/etc/chrony.keys r,
|
||||
/etc/chrony.d/{,*} r,
|
||||
/etc/chrony/{,**} r,
|
||||
|
||||
|
@ -38,14 +38,17 @@ profile discord @{exec_path} {
|
||||
|
||||
@{open_path} rPx -> child-open-strict,
|
||||
|
||||
/etc/lsb-release r,
|
||||
|
||||
owner @{user_videos_dirs}/{,**} rwl,
|
||||
owner @{user_pictures_dirs}/{,**} rwl,
|
||||
|
||||
owner @{tmp}/net-export/ rw,
|
||||
owner @{tmp}/discord.sock rw,
|
||||
owner "@{tmp}/Discord Crashes/" rw,
|
||||
owner @{config_dirs}/@{version}/modules/** m,
|
||||
|
||||
audit owner @{config_dirs}/*/modules/** rm,
|
||||
owner "@{tmp}/Discord Crashes/" rw,
|
||||
owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw,
|
||||
owner @{tmp}/discord.sock rw,
|
||||
owner @{tmp}/net-export/ rw,
|
||||
|
||||
owner @{run}/user/@{uid}/discord-ipc-@{int} rw,
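Review bot: `audit owner @{config_dirs}/*/modules/** rm,` widens the old `@{config_dirs}/@{version}/modules/** m` from a version directory to any directory and adds `r`, and that directory is user-writable, so anything Discord's updater (or anything else running as the user) drops there can be mapped executable; `audit` only logs those loads, it does not restrict them. A comment stating that this is the intended self-update path and that `audit` exists to make those loads visible, e.g. `# Discord unpacks native modules here; audit to see what gets mapped`, would keep the rule from reading as an accident. If the glob was relaxed only because `@{version}` did not match the real directory name, naming the expected pattern in the comment would let it be tightened again later.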
|
||||
|
||||
|
@ -32,7 +32,9 @@ profile element-desktop @{exec_path} {
|
||||
|
||||
@{sh_path} r,
|
||||
@{open_path} rPx -> child-open-strict,
|
||||
@{bin}/xdg-settings rPx,
|
||||
|
||||
#aa:stack X xdg-settings
|
||||
@{bin}/xdg-settings rPx -> element-desktop//&xdg-settings,
|
||||
|
||||
/usr/share/webapps/element/{,**} r,
|
||||
|
||||
|
@ -38,6 +38,8 @@ profile file-roller @{exec_path} {
|
||||
@{bin}/zstd rix,
|
||||
@{lib}/p7zip/7z rix,
|
||||
|
||||
/ r,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
@ -95,7 +95,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
|
||||
/dev/tty rw,
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/* r,
|
||||
|
||||
profile gpg {
|
||||
include <abstractions/base>
|
||||
|
@ -39,6 +39,8 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) {
|
||||
/var/lib/flatpak/app/*/**/@{bin}/** rPx -> flatpak-app,
|
||||
/var/lib/flatpak/app/*/**/@{lib}/** rPx -> flatpak-app,
|
||||
|
||||
owner @{user_config_dirs}/mimeapps.list w,
|
||||
|
||||
owner @{run}/user/@{uid}/.flatpak-helper/{,**} rw,
|
||||
owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-@{int} rw,
|
||||
|
||||
|
@ -24,11 +24,14 @@ profile foliate @{exec_path} flags=(attach_disconnected) {
|
||||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
#aa:dbus own bus=session name=com.github.johnfactotum.Foliate
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/bwrap rix,
|
||||
@{bin}/gjs-console rix,
|
||||
@{bin}/xdg-dbus-proxy rix,
|
||||
@{bin}/speech-dispatcher rPx,
|
||||
|
||||
@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
|
||||
@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
|
||||
|
@ -100,15 +100,16 @@ profile gajim @{exec_path} {
|
||||
@{bin}/{,@{multiarch}-}ld.bfd rix,
|
||||
@{lib}/gcc/@{multiarch}/@{int}/collect2 rix,
|
||||
|
||||
owner @{tmp}/cc* rw,
|
||||
owner @{tmp}/tmp* rw,
|
||||
/etc/debian_version r,
|
||||
|
||||
/media/ccache/*/** rw,
|
||||
|
||||
owner @{tmp}/cc* rw,
|
||||
owner @{tmp}/tmp* rw,
|
||||
|
||||
owner @{run}/user/@{uid}/ccache-tmp/ rw,
|
||||
|
||||
/etc/debian_version r,
|
||||
|
||||
include if exists <local/gajim_ccache>
|
||||
}
|
||||
|
||||
profile gpg {
|
||||
@ -121,8 +122,8 @@ profile gajim @{exec_path} {
|
||||
@{bin}/gpg-agent rix,
|
||||
@{lib}/{,gnupg/}scdaemon rix,
|
||||
|
||||
owner @{run}/user/@{uid}/gnupg/d.*/ rw,
|
||||
owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w,
|
||||
owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw,
|
||||
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.extra,.browser,.ssh} w,
|
||||
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
|
||||
@ -134,6 +135,7 @@ profile gajim @{exec_path} {
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
|
||||
include if exists <local/gajim_gpg>
|
||||
}
|
||||
|
||||
include if exists <local/gajim>
|
||||
|
@ -9,6 +9,7 @@ include <tunables/global>
|
||||
@{exec_path} = @{bin}/gio-querymodules
|
||||
profile gio-querymodules @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
capability dac_read_search,
|
||||
capability mknod,
|
||||
|
@ -18,7 +18,6 @@ profile keepassxc @{exec_path} {
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/qt5-compose-cache-write>
|
||||
include <abstractions/qt5-settings-write>
|
||||
include <abstractions/ssl_certs>
|
||||
@ -93,7 +92,7 @@ profile keepassxc @{exec_path} {
|
||||
|
||||
/dev/shm/#@{int} rw,
|
||||
/dev/tty rw,
|
||||
/dev/urandom rw,
|
||||
/dev/urandom w,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
# Silencer
|
||||
|
@ -22,15 +22,6 @@ profile ntfs-3g @{exec_path} flags=(attach_disconnected) {
|
||||
capability setuid,
|
||||
capability sys_admin,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/kmod rPx, # To load the fuse kernel module
|
||||
|
||||
# Mount points
|
||||
@{MOUNTDIRS}/ r,
|
||||
@{MOUNTS}/ r,
|
||||
@{MOUNTS}/*/ r,
|
||||
|
||||
# Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs
|
||||
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTDIRS},
|
||||
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/,
|
||||
@ -47,12 +38,22 @@ profile ntfs-3g @{exec_path} flags=(attach_disconnected) {
|
||||
umount @{MOUNTS}/,
|
||||
umount @{MOUNTS}/*/,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/kmod rPx, # To load the fuse kernel module
|
||||
|
||||
# Mount points
|
||||
@{MOUNTDIRS}/ r,
|
||||
@{MOUNTS}/ r,
|
||||
@{MOUNTS}/*/ r,
|
||||
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
@{PROC}/@{pids}/task/@{tid}/status r,
|
||||
@{PROC}/swaps r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
/dev/fuse rw,
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/ntfs-3g>
|
||||
}
|
||||
|
@ -60,7 +60,7 @@ profile pass @{exec_path} {
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
owner @{user_password_store_dirs}/{,**} rw,
|
||||
owner /dev/shm/pass.*/{,*} rw,
|
||||
owner /dev/shm/pass.@{rand}/{,*} rw,
|
||||
|
||||
@{sys}/devices/system/node/ r,
|
||||
|
||||
@ -90,7 +90,7 @@ profile pass @{exec_path} {
|
||||
|
||||
owner @{user_password_store_dirs}/{,**/} r,
|
||||
|
||||
owner /dev/shm/pass.*/{,*} rw,
|
||||
owner /dev/shm/pass.@{rand}/{,*} rw,
|
||||
|
||||
deny owner @{HOME}/ r,
|
||||
|
||||
@ -124,7 +124,7 @@ profile pass @{exec_path} {
|
||||
owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
|
||||
|
||||
owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
|
||||
owner /dev/shm/pass.*/.git_vtag_tmp@{rand6} rw,
|
||||
owner /dev/shm/pass.@{rand}/.git_vtag_tmp@{rand6} rw,
|
||||
|
||||
include if exists <local/pass_git>
|
||||
}
|
||||
@ -144,7 +144,7 @@ profile pass @{exec_path} {
|
||||
|
||||
owner @{user_password_store_dirs}/ rw,
|
||||
owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
|
||||
owner /dev/shm/pass.*/{,*} rw,
|
||||
owner /dev/shm/pass.@{rand}/* rw,
|
||||
owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
|
||||
|
||||
owner /dev/pts/@{int} rw,
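Review bot: In the last hunk the rewritten rule `owner /dev/shm/pass.@{rand}/* rw,` drops the `{,*}` that every other `/dev/shm/pass.@{rand}/` rule in this commit keeps, so this subprofile can no longer open the temporary directory itself (listing, creating or removing it), only entries inside it. Unless this helper provably never touches the directory, the sibling rules earlier in this section point to `owner /dev/shm/pass.@{rand}/{,*} rw,` as the consistent form. The subprofile this rule belongs to starts before the hunk, so which helper it is cannot be told from here.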
|
||||
|
@ -21,7 +21,7 @@ profile passwd @{exec_path} {
|
||||
capability net_admin,
|
||||
capability setuid,
|
||||
|
||||
signal (receive) set=(term, kill) peer=gnome-control-center,
|
||||
signal receive set=(term kill) peer=gnome-control-center,
|
||||
|
||||
network netlink raw,
|
||||
|
||||
|
@ -1,4 +1,5 @@
|
||||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2024 curiosityseeker
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
@ -28,7 +29,7 @@ profile protonmail @{exec_path} flags=(complain) {
|
||||
@{exec_path} mrix,
|
||||
|
||||
@{bin}/xdg-settings Px,
|
||||
@{open_path} rpx -> child-open,
|
||||
@{open_path} Px -> child-open,
|
||||
|
||||
owner @{user_config_dirs}/ibus/bus/ r,
|
||||
|
||||
|
@ -8,24 +8,17 @@ abi <abi/3.0>,
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/rpi-imager
|
||||
profile rpi-imager @{exec_path} {
|
||||
profile rpi-imager @{exec_path} flags=(complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/disks-write>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/qt5-shader-cache>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/user-download-strict>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
#capability sys_admin,
|
||||
# deny capability sys_nice,
|
||||
@ -42,18 +35,15 @@ profile rpi-imager @{exec_path} {
|
||||
@{bin}/lsblk rPx,
|
||||
|
||||
/etc/fstab r,
|
||||
/etc/X11/cursors/*.theme r,
|
||||
/usr/share/hwdata/pnp.ids r,
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
owner "@{user_cache_dirs}/Raspberry Pi/" rw,
|
||||
owner "@{user_cache_dirs}/Raspberry Pi/**" rwl -> "@{user_cache_dirs}/Raspberry Pi/**",
|
||||
owner "@{user_config_dirs}/Raspberry Pi/{,**}" rw,
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_config_dirs}/QtProject.conf r,
|
||||
|
||||
owner "@{user_config_dirs}/Raspberry Pi/" rw,
|
||||
owner "@{user_config_dirs}/Raspberry Pi/**" rwlk -> "@{user_config_dirs}/Raspberry Pi/**",
|
||||
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
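Review bot: `profile rpi-imager @{exec_path} flags=(complain)` switches a profile that includes `abstractions/disks-write` to complain mode, so from this commit on its rules are only logged and the raw-disk writer is effectively unconfined; the hunk gives no reason for the regression. apparmor.d uses complain for profiles still under development, so a comment stating that and what is still missing, e.g. `# complain: rules incomplete after the abstractions/graphics rework — TODO enforce` above the profile line, would keep it from being forgotten. The same hunk collapses several graphics-related includes into `abstractions/graphics`, so the flag looks intended to catch fallout from that, but that is inferred.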
|
||||
|
@ -30,5 +30,4 @@ profile signal-desktop-chrome-sandbox @{exec_path} {
|
||||
include if exists <local/signal-desktop-chrome-sandbox>
|
||||
}
|
||||
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
@ -28,6 +28,7 @@ profile snapd @{exec_path} {
|
||||
capability dac_read_search,
|
||||
capability fowner,
|
||||
capability fsetid,
|
||||
capability mac_admin,
|
||||
capability net_admin,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
@ -153,6 +154,7 @@ profile snapd @{exec_path} {
|
||||
@{sys}/fs/cgroup/user.slice/ r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
|
||||
@{sys}/kernel/kexec_loaded r,
|
||||
@{sys}/kernel/security/apparmor/.notify r,
|
||||
@{sys}/kernel/security/apparmor/features/{,**} r,
|
||||
@{sys}/kernel/security/apparmor/profiles r,
|
||||
|
||||
|
@ -247,6 +247,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/common/bwrap>
|
||||
include <abstractions/common/chromium>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
@ -254,6 +255,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/video>
|
||||
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
capability sys_chroot,
|
||||
|
||||
@ -304,12 +306,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
owner /var/cache/ldconfig/aux-cache* rw,
|
||||
owner /var/pressure-vessel/ldso/* rw,
|
||||
|
||||
owner @{HOME}/.pki/ rw,
|
||||
owner @{HOME}/.pki/nssdb/ rw,
|
||||
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
|
||||
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
|
||||
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
|
||||
|
||||
owner @{lib_dirs}/.cef-* wk,
|
||||
|
||||
owner @{share_dirs}/{,**} r,
|
||||
@ -320,14 +316,12 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
|
||||
@{tmp}/ r,
|
||||
owner @{tmp}/#@{int} rw,
|
||||
owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
|
||||
owner @{tmp}/dumps/ rw,
|
||||
owner @{tmp}/dumps/** rwk,
|
||||
owner @{tmp}/pressure-vessel-*-@{rand6}/ rw,
|
||||
owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**,
|
||||
owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw,
|
||||
|
||||
owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
|
||||
owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw,
|
||||
owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
|
||||
owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
|
||||
@ -389,7 +383,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
|
||||
owner @{share_dirs}/ r,
|
||||
|
||||
@{PROC}/@{pid}/cgroup r,
|
||||
@{PROC}/1/cgroup r,
|
||||
|
||||
include if exists <local/steam_check>
|
||||
}
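Review bot: `capability dac_override,` / `capability dac_read_search,` in the `@ -254,6 +255,7 @@` hunk are granted to a profile for an unprivileged desktop user, where a capability rule only takes effect once a process actually holds the capability — here most plausibly inside the bwrap/pressure-vessel user namespace (the profile already carries `abstractions/common/bwrap` and `capability sys_chroot`), but that is inferred. A comment naming the trigger, e.g. `# dac_*: pressure-vessel sets up the runtime inside a user namespace — confirm`, would stop a later reader from removing them as no-ops or reading them as a root-level grant. Only one of the two lines is new according to the hunk counts; which one cannot be told from the rendering.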
|
||||
|
@ -19,6 +19,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/common/steam-game>
|
||||
include <abstractions/python>
|
||||
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
|
||||
network inet dgram,
|
||||
|
@ -41,9 +41,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
|
||||
@{app_dirs}/@{runtime}/*entry-point rmix,
|
||||
@{app_dirs}/@{runtime}/pressure-vessel/@{bin}/pressure-vessel-* rix,
|
||||
@{app_dirs}/@{runtime}/pressure-vessel/@{lib}/** mr,
|
||||
@{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-capsule-capture-libs rix,
|
||||
@{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-detect-* rix,
|
||||
@{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-inspect-library rix,
|
||||
@{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
|
||||
@{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rpx -> steam-game-proton,
|
||||
@{app_dirs}/@{runtime}/run rix,
|
||||
@{bin}/bwrap rpx -> steam-game-proton,
|
||||
|
@ -18,7 +18,7 @@ profile steam-runtime-steam-remote @{exec_path} flags=(complain) {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{runtime_dirs}/** rm,
|
||||
@{runtime_dirs}/** mr,
|
||||
|
||||
owner @{HOME}/.steam/steam.pipe rw,
|
||||
|
||||
|