feat(profile): general update.

Alexandre Pujol 2025-02-21 00:55:52 +01:00
parent c1bea69cbf
commit 8912aaf126
12 changed files with 67 additions and 59 deletions


@ -19,6 +19,7 @@ profile gvfsd-sftp @{exec_path} {
@{bin}/ssh rPx, @{bin}/ssh rPx,
owner @{run}/user/@{uid}/gvfsd-sftp/ rw, owner @{run}/user/@{uid}/gvfsd-sftp/ rw,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} w,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,


@ -49,6 +49,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
@{bin}/plymouth rPx, @{bin}/plymouth rPx,
@{bin}/plymouth-set-default-theme rPx, @{bin}/plymouth-set-default-theme rPx,
@{bin}/sbctl rPx, @{bin}/sbctl rPx,
@{bin}/sync rPx,
@{lib}/initcpio/busybox rix, @{lib}/initcpio/busybox rix,
@{lib}/initcpio/post/** rix, @{lib}/initcpio/post/** rix,
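Review bot: The new `@{bin}/sync rPx,` rule transitions with no fallback, so unless a profile named `sync` is defined in the tree the exec is denied at runtime rather than running unconfined or inheriting. Please confirm such a profile exists; if it does not, either add it or use `@{bin}/sync rPUx,` so the hook still runs while the dedicated profile is missing. The surrounding mkinitcpio profile body continues outside this hunk.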


@ -135,8 +135,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pids}/ r, @{PROC}/@{pids}/ r,
@{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/stat r, @{PROC}/@{pids}/stat r,
@{PROC}/1/environ r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
@{PROC}/tty/drivers r, @{PROC}/tty/drivers r,
@{PROC}/uptime r, @{PROC}/uptime r,
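Review bot: The added `@{PROC}/@{pids}/environ r,` lets pacman read the environment of every process on the system, not only its own, and process environments frequently carry tokens and credentials; the rule deserves a comment naming which hook or helper needs it, for example `# Needed by <hook> (TODO: name it) to inspect process environments`, and `owner` would narrow it if only same-uid processes are read. The second added line, `@{PROC}/1/environ r,`, appears to be already matched by the `@{pids}` rule and can be dropped. The pacman profile body continues outside this hunk.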


@ -20,10 +20,10 @@ profile htop @{exec_path} {
network netlink raw, network netlink raw,
signal (send), signal send,
signal (receive) set=(hup) peer=gnome-terminal-server, signal receive set=hup peer=gnome-terminal-server,
ptrace (read), ptrace read,
@{exec_path} mr, @{exec_path} mr,
@ -38,51 +38,6 @@ profile htop @{exec_path} {
owner @{user_config_dirs}/htop/ rw, owner @{user_config_dirs}/htop/ rw,
owner @{user_config_dirs}/htop/* rw, owner @{user_config_dirs}/htop/* rw,
owner @{PROC}/@{pid}/smaps_rollup r,
@{PROC}/ r,
@{PROC}/diskstats r,
@{PROC}/loadavg r,
@{PROC}/pressure/cpu r,
@{PROC}/pressure/io r,
@{PROC}/pressure/memory r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/kernel/sched_autogroup_enabled r,
@{PROC}/tty/drivers r,
@{PROC}/uptime r,
@{PROC}/@{pids}/ r,
@{PROC}/@{pids}/attr/current r,
@{PROC}/@{pids}/autogroup rw,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/comm r,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/io r,
@{PROC}/@{pids}/mounts r,
@{PROC}/@{pids}/net/dev r,
@{PROC}/@{pids}/oom_{,score_}adj r,
@{PROC}/@{pids}/oom_score r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/statm r,
@{PROC}/@{pids}/wchan r,
@{PROC}/@{pids}/task/ r,
@{PROC}/@{pids}/task/@{tid}/ r,
@{PROC}/@{pids}/task/@{tid}/attr/current r,
@{PROC}/@{pids}/task/@{tid}/cgroup r,
@{PROC}/@{pids}/task/@{tid}/cmdline r,
@{PROC}/@{pids}/task/@{tid}/comm r,
@{PROC}/@{pids}/task/@{tid}/environ r,
@{PROC}/@{pids}/task/@{tid}/io r,
@{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r,
@{PROC}/@{pids}/task/@{tid}/oom_score r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/@{pids}/task/@{tid}/statm r,
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/task/@{tid}/wchan r,
@{sys}/bus/dax/devices/ r, @{sys}/bus/dax/devices/ r,
@{sys}/bus/i2c/devices/ r, @{sys}/bus/i2c/devices/ r,
@{sys}/bus/soc/devices/ r, @{sys}/bus/soc/devices/ r,
@ -129,8 +84,52 @@ profile htop @{exec_path} {
@{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/hugepages/ r,
@{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r, @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r,
@{PROC}/ r,
@{PROC}/diskstats r,
@{PROC}/loadavg r,
@{PROC}/pressure/cpu r,
@{PROC}/pressure/io r,
@{PROC}/pressure/memory r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/kernel/sched_autogroup_enabled r,
@{PROC}/tty/drivers r,
@{PROC}/uptime r,
@{PROC}/@{pids}/ r,
@{PROC}/@{pids}/attr/current r,
@{PROC}/@{pids}/autogroup rw,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/comm r,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/io r,
@{PROC}/@{pids}/mounts r,
@{PROC}/@{pids}/net/dev r,
@{PROC}/@{pids}/oom_{,score_}adj r,
@{PROC}/@{pids}/oom_score r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/statm r,
@{PROC}/@{pids}/wchan r,
@{PROC}/@{pids}/task/ r,
@{PROC}/@{pids}/task/@{tid}/ r,
@{PROC}/@{pids}/task/@{tid}/attr/current r,
@{PROC}/@{pids}/task/@{tid}/cgroup r,
@{PROC}/@{pids}/task/@{tid}/cmdline r,
@{PROC}/@{pids}/task/@{tid}/comm r,
@{PROC}/@{pids}/task/@{tid}/environ r,
@{PROC}/@{pids}/task/@{tid}/io r,
@{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r,
@{PROC}/@{pids}/task/@{tid}/oom_score r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/@{pids}/task/@{tid}/statm r,
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/task/@{tid}/wchan r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
owner @{PROC}/@{pid}/cpuset r, owner @{PROC}/@{pid}/cpuset r,
owner @{PROC}/@{pid}/smaps_rollup r,
/dev/tty@{int} rw, /dev/tty@{int} rw,


@ -15,6 +15,8 @@ profile uptime @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{run}/systemd/sessions/@{int} r,
@{PROC}/uptime r, @{PROC}/uptime r,
@{PROC}/loadavg r, @{PROC}/loadavg r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,


@ -13,19 +13,20 @@ profile ssh @{exec_path} {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
signal (receive) set=(term) peer=gnome-keyring-daemon,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
network netlink raw, network netlink raw,
signal receive set=term peer=gnome-keyring-daemon,
signal send set=hup peer=unconfined,
@{exec_path} mrix, @{exec_path} mrix,
@{bin}/@{shells} rUx, @{bin}/@{shells} rUx,
@{lib}/ssh/ssh-sk-helper rPx -> ssh-sk-helper, @{lib}/{,ssh/}ssh-sk-helper rPx,
@{etc_ro}/ssh/ssh_config r, @{etc_ro}/ssh/ssh_config r,
@{etc_ro}/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/ssh_config.d/{,*} r,
@ -42,8 +43,9 @@ profile ssh @{exec_path} {
owner @{user_projects_dirs}/**/ssh/{,*} r, owner @{user_projects_dirs}/**/ssh/{,*} r,
owner @{user_projects_dirs}/**/config r, owner @{user_projects_dirs}/**/config r,
owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl,
owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{hex16} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{hex16},
owner @{run}/user/@{uid}/keyring/ssh rw, owner @{run}/user/@{uid}/keyring/ssh rw,
owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/loginuid r,
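Review bot: The `audit` qualifier newly placed on `audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl,` will log every access to the agent socket path even when it is allowed, which is normally a debugging aid rather than a permanent rule; if it is meant to stay, a comment such as `# audit: track agent socket use (TODO: state why)` should say so, otherwise drop the qualifier. In the first hunk, `signal send set=hup peer=unconfined,` allows ssh to HUP any unconfined process and would likewise benefit from a comment naming the intended receiver. The ssh profile body continues outside both hunks.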


@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{lib}/ssh/ssh-sk-helper @{exec_path} = @{lib}/{,ssh/}ssh-sk-helper
profile ssh-sk-helper flags=(complain) { profile ssh-sk-helper flags=(complain) {
include <abstractions/base> include <abstractions/base>


@ -20,11 +20,11 @@ profile busctl @{exec_path} flags=(attach_disconnected) {
capability net_admin, capability net_admin,
capability sys_ptrace, capability sys_ptrace,
ptrace (read), ptrace read,
unix (bind) type=stream addr=@@{udbus}/bus/busctl/busctl, unix bind type=stream addr=@@{udbus}/bus/busctl/busctl,
signal (send) set=(cont) peer=child-pager, signal send set=cont peer=child-pager,
dbus eavesdrop bus=accessibility, dbus eavesdrop bus=accessibility,
dbus eavesdrop bus=session, dbus eavesdrop bus=session,


@ -61,6 +61,7 @@ profile systemd-analyze @{exec_path} {
@{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r,
@{PROC}/swaps r, @{PROC}/swaps r,
@{PROC}/sys/fs/nr_open r,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/comm r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,


@ -44,9 +44,10 @@ profile spotify @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw,
@{PROC}/pressure/* r,
@{PROC}/@{pid}/net/unix r, @{PROC}/@{pid}/net/unix r,
@{PROC}/pressure/* r,
owner @{PROC}/@{pid}/clear_refs w, owner @{PROC}/@{pid}/clear_refs w,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/dev/tty rw, /dev/tty rw,


@ -59,6 +59,7 @@ profile transmission @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/comm r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw,
deny @{user_share_dirs}/gvfs-metadata/* r, deny @{user_share_dirs}/gvfs-metadata/* r,


@ -13,7 +13,7 @@ profile wpa-cli @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}{s,}/wpa_action rPx, @{bin}/wpa_action rPx,
/etc/inputrc r, /etc/inputrc r,