feat(profile): cleanup common desktop files.
This commit is contained in:
parent
0d16d4fdab
commit
87db46113c
@ -2,7 +2,8 @@
|
|||||||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
# Modernised version of <abstractions/audio>, will be merged with it.
|
# Modernized version of <abstractions/audio>, will be merged with it. It should
|
||||||
|
# only be used by audio servers that need direct access to device files.
|
||||||
|
|
||||||
include <abstractions/audio-client>
|
include <abstractions/audio-client>
|
||||||
|
|
||||||
|
@ -5,8 +5,8 @@
|
|||||||
# Common rules for applications sandboxed using bwrap.
|
# Common rules for applications sandboxed using bwrap.
|
||||||
|
|
||||||
# This abstraction is wide on purpose. It is meant to be used by sandbox
|
# This abstraction is wide on purpose. It is meant to be used by sandbox
|
||||||
# applications (bwrap) that have no way to restrict access depending of the
|
# applications (bwrap) that have no way to restrict access depending on the
|
||||||
# application beeing confined.
|
# application being confined.
|
||||||
|
|
||||||
include <abstractions/audio-client>
|
include <abstractions/audio-client>
|
||||||
include <abstractions/bus-accessibility>
|
include <abstractions/bus-accessibility>
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
# Unified minimal abstaction for all UI application regardless of the desktop environment.
|
# Unified minimal abstraction for all UI application regardless of the desktop environment.
|
||||||
|
|
||||||
# When supported in apparmor, condition will be used in this abstraction to filter
|
# When supported in apparmor, condition will be used in this abstraction to filter
|
||||||
# resources specific for supported DE.
|
# resources specific for supported DE.
|
||||||
|
@ -6,13 +6,16 @@
|
|||||||
@{system_share_dirs}/*ubuntu/applications/{,**} r,
|
@{system_share_dirs}/*ubuntu/applications/{,**} r,
|
||||||
@{system_share_dirs}/gnome/applications/{,**} r,
|
@{system_share_dirs}/gnome/applications/{,**} r,
|
||||||
@{system_share_dirs}/xfce4/applications/{,**} r,
|
@{system_share_dirs}/xfce4/applications/{,**} r,
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
|
||||||
|
@{system_share_dirs}/glib-2.0/schemas/ r,
|
||||||
|
@{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r,
|
||||||
|
|
||||||
/usr/share/mime/ r,
|
/usr/share/mime/ r,
|
||||||
|
|
||||||
/etc/gnome/defaults.list r,
|
/etc/gnome/defaults.list r,
|
||||||
/etc/xfce4/defaults.list r,
|
/etc/xfce4/defaults.list r,
|
||||||
|
|
||||||
|
/var/lib/snapd/desktop/applications/{,**} r,
|
||||||
/var/lib/snapd/desktop/icons/{,**} r,
|
/var/lib/snapd/desktop/icons/{,**} r,
|
||||||
|
|
||||||
owner @{HOME}/.icons/{,**} r,
|
owner @{HOME}/.icons/{,**} r,
|
||||||
|
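Review bot: `/usr/share/mime/ r,` two rows below the new glib-2.0 rules is still a literal path while those rules were just converted to `@{system_share_dirs}`, so whatever else that variable expands to (e.g. a local share prefix) is now covered for schemas but not for mime. The same variable should be used there for consistency, `@{system_share_dirs}/mime/ r,`. The new `/var/lib/snapd/desktop/applications/{,**} r,` also widens this abstraction to a recursive read of every snap-exported desktop entry; that matches the icons rule beneath it but a one-line comment saying so would help the next reader. The file is not named on this page and its header is outside the hunk.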
@ -89,8 +89,6 @@ profile pulseaudio @{exec_path} {
|
|||||||
|
|
||||||
/etc/pulse/{,**} r,
|
/etc/pulse/{,**} r,
|
||||||
|
|
||||||
/var/lib/snapd/desktop/applications/ r,
|
|
||||||
|
|
||||||
owner @{desktop_cache_dirs}/gstreamer-1.0/ rw,
|
owner @{desktop_cache_dirs}/gstreamer-1.0/ rw,
|
||||||
owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
|
owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
|
||||||
owner @{desktop_config_dirs}/dconf/user r,
|
owner @{desktop_config_dirs}/dconf/user r,
|
||||||
|
@ -11,26 +11,19 @@ include <tunables/global>
|
|||||||
profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
|
profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
|
include <abstractions/freedesktop.org>
|
||||||
|
|
||||||
capability dac_override,
|
capability dac_override,
|
||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/usr/share/{,ubuntu/}applications/{,**/} r,
|
@{system_share_dirs}/*ubuntu/applications/.mimeinfo.cache.* rw,
|
||||||
/usr/share/{,ubuntu/}applications/**.desktop r,
|
@{system_share_dirs}/*ubuntu/applications/mimeinfo.cache w,
|
||||||
/usr/share/{,ubuntu/}applications/.mimeinfo.cache.* rw,
|
|
||||||
/usr/share/{,ubuntu/}applications/mimeinfo.cache w,
|
|
||||||
|
|
||||||
/usr/share/*/*.desktop r,
|
@{system_share_dirs}/applications/.mimeinfo.cache.* rw,
|
||||||
|
@{system_share_dirs}/applications/mimeinfo.cache w,
|
||||||
|
|
||||||
/var/lib/flatpak/{app/**/,}export{s,}/share/applications/{,**/} r,
|
|
||||||
/var/lib/flatpak/{app/**/,}export{s,}/share/applications/**.desktop r,
|
|
||||||
/var/lib/flatpak/{app/**/,}export{s,}/share/applications/.mimeinfo.cache.* rw,
|
|
||||||
/var/lib/flatpak/{app/**/,}export{s,}/share/applications/mimeinfo.cache w,
|
|
||||||
|
|
||||||
/var/lib/snapd/desktop/applications/{,**/} r,
|
|
||||||
/var/lib/snapd/desktop/applications/**.desktop r,
|
|
||||||
/var/lib/snapd/desktop/applications/.mimeinfo.cache.* rw,
|
/var/lib/snapd/desktop/applications/.mimeinfo.cache.* rw,
|
||||||
/var/lib/snapd/desktop/applications/mimeinfo.cache w,
|
/var/lib/snapd/desktop/applications/mimeinfo.cache w,
|
||||||
|
|
||||||
|
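Review bot: The flatpak cache rules have no counterpart on the new side: `/var/lib/flatpak/{app/**/,}export{s,}/share/applications/.mimeinfo.cache.* rw,` and `/var/lib/flatpak/{app/**/,}export{s,}/share/applications/mimeinfo.cache w,` are removed, while the equivalent `@{system_share_dirs}` and `/var/lib/snapd` write rules are kept. Unless the newly included `<abstractions/freedesktop.org>` grants write access there (abstractions of that kind are usually read-only, so verify), regenerating the cache under a flatpak export directory will now be denied; if the drop is intentional it deserves a sentence in the commit message. The profile body continues past the end of this hunk.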
@ -11,6 +11,7 @@ include <tunables/global>
|
|||||||
profile xdg-settings @{exec_path} {
|
profile xdg-settings @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
|
include <abstractions/freedesktop.org>
|
||||||
|
|
||||||
@{exec_path} r,
|
@{exec_path} r,
|
||||||
|
|
||||||
@ -41,15 +42,6 @@ profile xdg-settings @{exec_path} {
|
|||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/var/lib/dbus/machine-id r,
|
/var/lib/dbus/machine-id r,
|
||||||
|
|
||||||
/var/lib/flatpak/exports/share/applications/{,*} r,
|
|
||||||
/var/lib/snapd/desktop/applications/{,*} r,
|
|
||||||
|
|
||||||
# freedesktop.org-strict
|
|
||||||
/usr/{,local/}share/applications/{,*} r,
|
|
||||||
/usr/{,local/}share/ubuntu/applications/ r,
|
|
||||||
owner @{user_share_dirs}/applications/ r,
|
|
||||||
owner @{user_share_dirs}/applications/*.desktop r,
|
|
||||||
|
|
||||||
owner @{HOME}/ r,
|
owner @{HOME}/ r,
|
||||||
owner @{HOME}/.Xauthority r,
|
owner @{HOME}/.Xauthority r,
|
||||||
|
|
||||||
|
@ -52,9 +52,6 @@ profile gnome-terminal-server @{exec_path} {
|
|||||||
|
|
||||||
/etc/shells r,
|
/etc/shells r,
|
||||||
|
|
||||||
/var/lib/flatpak/exports/share/icons/{,**} r,
|
|
||||||
/var/lib/snapd/desktop/icons/{,**} r,
|
|
||||||
|
|
||||||
owner @{user_config_dirs}/*xdg-terminals.list* rw,
|
owner @{user_config_dirs}/*xdg-terminals.list* rw,
|
||||||
owner @{user_config_dirs}/ibus/bus/ r,
|
owner @{user_config_dirs}/ibus/bus/ r,
|
||||||
owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
|
owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
|
||||||
|
@ -43,9 +43,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
|
|||||||
/etc/blkid.conf r,
|
/etc/blkid.conf r,
|
||||||
/etc/timezone r,
|
/etc/timezone r,
|
||||||
|
|
||||||
/var/lib/flatpak/exports/share/applications/{,mimeinfo.cache} r,
|
|
||||||
/var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,
|
|
||||||
|
|
||||||
owner @{GDM_HOME}/ r,
|
owner @{GDM_HOME}/ r,
|
||||||
owner @{GDM_HOME}/greeter-dconf-defaults r,
|
owner @{GDM_HOME}/greeter-dconf-defaults r,
|
||||||
owner @{gdm_cache_dirs}/gstreamer-*/registry.*.bin r,
|
owner @{gdm_cache_dirs}/gstreamer-*/registry.*.bin r,
|
||||||
|
@ -71,7 +71,6 @@ profile software-properties-gtk @{exec_path} {
|
|||||||
/etc/update-manager/release-upgrades r,
|
/etc/update-manager/release-upgrades r,
|
||||||
|
|
||||||
/var/crash/*software-properties-gtk.@{uid}.crash rw,
|
/var/crash/*software-properties-gtk.@{uid}.crash rw,
|
||||||
/var/lib/snapd/desktop/icons/ r,
|
|
||||||
/var/lib/ubuntu-advantage/status.json r,
|
/var/lib/ubuntu-advantage/status.json r,
|
||||||
|
|
||||||
owner /tmp/???????? rw,
|
owner /tmp/???????? rw,
|
||||||
|
@ -66,8 +66,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
/var/lib/dpkg/info/*.list r,
|
/var/lib/dpkg/info/*.list r,
|
||||||
/var/lib/dpkg/updates/ r,
|
/var/lib/dpkg/updates/ r,
|
||||||
/var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,
|
|
||||||
/var/lib/snapd/desktop/icons/{,*} r,
|
|
||||||
/var/lib/update-manager/{,**} rw,
|
/var/lib/update-manager/{,**} rw,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/update-manager-core/{,**} rw,
|
owner @{user_cache_dirs}/update-manager-core/{,**} rw,
|
||||||
|
@ -13,19 +13,12 @@ profile plank @{exec_path} {
|
|||||||
include <abstractions/app-launcher-user>
|
include <abstractions/app-launcher-user>
|
||||||
include <abstractions/bus-session>
|
include <abstractions/bus-session>
|
||||||
include <abstractions/dconf>
|
include <abstractions/dconf>
|
||||||
|
include <abstractions/desktop>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/gtk>
|
|
||||||
include <abstractions/X-strict>
|
|
||||||
|
|
||||||
@{exec_path} rm,
|
@{exec_path} rm,
|
||||||
|
|
||||||
/usr/{,local/}share/plank/{,**} r,
|
/usr/{,local/}share/plank/{,**} r,
|
||||||
/usr/{,local/}share/mime/mime.cache r,
|
|
||||||
|
|
||||||
/var/lib/flatpak/exports/share/icons/{,**} r,
|
|
||||||
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
|
||||||
|
|
||||||
owner @{user_config_dirs}/plank/{,**} rw,
|
owner @{user_config_dirs}/plank/{,**} rw,
|
||||||
|
|
||||||
|
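Review bot: Besides the four includes folded into `<abstractions/desktop>`, this hunk also drops `/usr/{,local/}share/mime/mime.cache r,` and `/var/lib/flatpak/exports/share/mime/mime.cache r,`, and another hunk of this commit only shows `/usr/share/mime/ r,` (the directory itself) being granted. Confirm that an abstraction reachable from `<abstractions/desktop>` actually covers `mime.cache` and the former X-strict rules; if it does not, keep `/usr/{,local/}share/mime/mime.cache r,` in the profile. The profile's header and remainder are outside this hunk.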
@ -16,13 +16,10 @@ profile system-config-printer @{exec_path} flags=(complain) {
|
|||||||
include <abstractions/bus/org.freedesktop.hostname1>
|
include <abstractions/bus/org.freedesktop.hostname1>
|
||||||
include <abstractions/bus/org.freedesktop.PolicyKit1>
|
include <abstractions/bus/org.freedesktop.PolicyKit1>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
|
include <abstractions/desktop>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/gtk>
|
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/python>
|
include <abstractions/python>
|
||||||
include <abstractions/wayland>
|
|
||||||
|
|
||||||
network inet stream,
|
network inet stream,
|
||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
@ -37,20 +34,17 @@ profile system-config-printer @{exec_path} flags=(complain) {
|
|||||||
|
|
||||||
/usr/share/cups/data/testprint r,
|
/usr/share/cups/data/testprint r,
|
||||||
/usr/share/system-config-printer/{,**} r,
|
/usr/share/system-config-printer/{,**} r,
|
||||||
/usr/share/X11/xkb/{,**} r,
|
|
||||||
|
|
||||||
/etc/cups/cupsd.conf r,
|
/etc/cups/cupsd.conf r,
|
||||||
/etc/cupshelpers/preferreddrivers.xml r,
|
/etc/cupshelpers/preferreddrivers.xml r,
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
/etc/papersize r,
|
/etc/papersize r,
|
||||||
|
|
||||||
/var/lib/snapd/desktop/icons/ r,
|
|
||||||
|
|
||||||
owner @{HOME}/.cups/ rw,
|
owner @{HOME}/.cups/ rw,
|
||||||
owner @{HOME}/.cups/lpoptions rw,
|
owner @{HOME}/.cups/lpoptions rw,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
|
|
||||||
@{run}/cups/cups.sock rw,
|
@{run}/cups/cups.sock rw,
|
||||||
|
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
|
||||||
|
|
||||||
owner /tmp/* rw,
|
owner /tmp/* rw,
|
||||||
|
|
||||||
|