feat(profile): general update.

Alexandre Pujol 2024-03-22 22:13:42 +00:00
parent 6d84301698
commit 8c516ea788
20 changed files with 74 additions and 47 deletions


@ -7,6 +7,12 @@
member=Get member=Get
peer=(name=org.freedesktop.timedate1, label=systemd-timedated), peer=(name=org.freedesktop.timedate1, label=systemd-timedated),
# FIXME: should be under the systemd-timedated label
dbus send bus=system path=/org/freedesktop/timedate1
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.timedate1, label=unconfined),
dbus send bus=system path=/org/freedesktop/timedate1 dbus send bus=system path=/org/freedesktop/timedate1
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll member=GetAll
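Review bot: The new `dbus send ... member=Get peer=(name=org.freedesktop.timedate1, label=unconfined)` rule sends to whatever unconfined process happens to hold org.freedesktop.timedate1, so on hosts where systemd-timedated runs without its profile the peer is effectively unverified; the FIXME should say when that is expected and when the rule can be dropped. Something like `# FIXME: peer is unconfined where no systemd-timedated profile is loaded; drop once it is confined on all supported targets` records that. Keeping `member=Get` on the fallback, as the hunk does, is what limits the exposure, so that restriction should not later be widened to match the GetAll rule below it.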


@ -55,6 +55,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
@{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/kernel/security/apparmor/features/dbus/mask r,
@{sys}/module/apparmor/parameters/enabled r, @{sys}/module/apparmor/parameters/enabled r,
@{PROC}/@{pid}/attr/apparmor/current r,
@{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/oom_score_adj r, @{PROC}/@{pid}/oom_score_adj r,
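Review bot: The new `@{PROC}/@{pid}/attr/apparmor/current r,` rule carries no `owner` qualifier, so the bus daemon may read the confinement label of any process rather than only its own; that is presumably what it needs to resolve peer labels for `label=` matching, but the rule does not say so. A comment such as `# Read peers' confinement label for dbus label mediation` beside it would make the intent clear and stop a later cleanup from adding `owner` and breaking mediation. The surrounding cgroup/cmdline/oom_score_adj rules follow the same pattern, so the rule is at least consistent with its neighbours.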


@ -25,6 +25,7 @@ profile xrdb @{exec_path} {
/usr/include/stdc-predef.h r, /usr/include/stdc-predef.h r,
@{etc_ro}/X11/xdm/Xresources r, @{etc_ro}/X11/xdm/Xresources r,
@{etc_ro}/X11/Xresources r,
/etc/X11/Xresources/* r, /etc/X11/Xresources/* r,
# The location of the .Xresources file # The location of the .Xresources file


@ -12,6 +12,7 @@ profile deja-dup-monitor @{exec_path} {
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/net.hadess.PowerProfiles> include <abstractions/bus/net.hadess.PowerProfiles>
include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor> include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
include <abstractions/bus/org.gtk.vfs.Daemon> include <abstractions/bus/org.gtk.vfs.Daemon>
include <abstractions/dconf-write> include <abstractions/dconf-write>
@ -19,7 +20,7 @@ profile deja-dup-monitor @{exec_path} {
network netlink raw, network netlink raw,
#aa:dbus own bus=session name=org.gnome.DejaDup.Monitor #aa:dbus own bus=session name=org.gnome.DejaDup.Monitor
#aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup #aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup interface=org.gtk.Actions
dbus send bus=system path=/org/freedesktop/NetworkManager dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties


@ -30,7 +30,7 @@ profile gnome-control-center-goa-helper @{exec_path} {
signal (send) set=(kill) peer=bwrap, signal (send) set=(kill) peer=bwrap,
#aa:dbus: own bus=session name=org.gnome.Settings.GoaHelper #aa:dbus own bus=session name=org.gnome.Settings.GoaHelper
dbus send bus=session path=/org/gnome/OnlineAccounts dbus send bus=session path=/org/gnome/OnlineAccounts
interface=org.freedesktop.DBus.ObjectManager interface=org.freedesktop.DBus.ObjectManager


@ -30,7 +30,7 @@ profile gnome-extension-ding @{exec_path} {
unix (send,receive) type=stream addr=none peer=(label=gnome-shell), unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
#aa:dbus own bus=session name=com.rastersoft.ding interface=org.gtk.Actions #aa:dbus own bus=session name=com.rastersoft.ding interface=org.gtk.Actions
#aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface=org.gtk.Actions
dbus send bus=session path=/org/freedesktop/DBus dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable


@ -75,10 +75,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
# Owned by gnome-shell # Owned by gnome-shell
dbus bind bus=session name=org.gnome.*, #aa:dbus own bus=session name=org.gnome.keyring.SystemPrompter
dbus (send, receive) bus=session path=/org/gnome/** #aa:dbus own bus=session name=org.gnome.Mutter
interface={org.gnome.*,org.freedesktop.{Application,DBus.Properties,DBus.ObjectManager},org.gtk.{Actions,Application}} #aa:dbus own bus=session name=org.gnome.Shell
peer=(name="{:*,org.gnome.*,org.freedesktop.DBus}"),
#aa:dbus own bus=session name=com.canonical.Unity path=/com/canonical/{U,u}nity #aa:dbus own bus=session name=com.canonical.Unity path=/com/canonical/{U,u}nity
#aa:dbus own bus=session name=com.rastersoft.dingextension interface=org.gtk.Actions #aa:dbus own bus=session name=com.rastersoft.dingextension interface=org.gtk.Actions
@ -88,17 +87,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
# Talk with gnome-shell # Talk with gnome-shell
#aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
#aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
## System bus #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
#aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary
#aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-*
dbus (send, receive) bus=system path=/org/gnome/** # System bus
interface=org.gnome.*
peer=(name="{:*,org.gnome.*}"),
dbus (send, receive) bus=system path=/org/gnome/**
interface=org.freedesktop.DBus.Properties
peer=(name="{:*,org.gnome.*}"),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority interface=org.freedesktop.PolicyKit1.Authority
@ -145,7 +140,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames} member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
peer=(name=org.freedesktop.DBus, label=dbus-system), peer=(name=org.freedesktop.DBus, label=dbus-system),
## Session bus # Session bus
dbus send bus=session path=/org/freedesktop/DBus dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
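Review bot: Replacing `dbus bind bus=session name=org.gnome.*` with own directives for only org.gnome.keyring.SystemPrompter, org.gnome.Mutter and org.gnome.Shell is a real narrowing, but the hunk does not show what happens to any other name gnome-shell binds (org.gnome.ScreenSaver, for instance, if this build still registers it); if the `own` directive expands to `name=org.gnome.Shell{,.*}` the Shell sub-names are covered, a sibling name is not. It is worth checking the generated profile and a session's audit log after this lands rather than assuming the three names are complete. On the system bus the removed `path=/org/gnome/** interface=org.gnome.*` send/receive rules have no visible replacement beyond the DisplayManager talk directive and the PolicyKit rule, so any remaining system-bus traffic to org.gnome.* peers will now be denied; fine if intended, but it deserves a line in the commit message. The profile body continues outside the hunks.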


@ -33,10 +33,10 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
interface={org.gnome.Nautilus,org.freedesktop.{Application,DBus.Properties},org.gtk.{Actions,Application}} interface={org.gnome.Nautilus,org.freedesktop.{Application,DBus.Properties},org.gtk.{Actions,Application}}
peer=(name="{:*,org.gnome.Nautilus,org.freedesktop.DBus}"), peer=(name="{:*,org.gnome.Nautilus,org.freedesktop.DBus}"),
#aa:dbus: own bus=session name=org.freedesktop.FileManager1 #aa:dbus own bus=session name=org.freedesktop.FileManager1
#aa:dbus: talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell
#aa:dbus: talk bus=session name=org.gtk.vfs label=gvfsd #aa:dbus talk bus=session name=org.gtk.vfs label=gvfsd
dbus receive bus=session path=/org/gnome/Nautilus/SearchProvider dbus receive bus=session path=/org/gnome/Nautilus/SearchProvider
interface=org.gnome.Shell.SearchProvider2 interface=org.gnome.Shell.SearchProvider2


@ -22,18 +22,25 @@ profile DiscoverNotifier @{exec_path} {
@{bin}/apt-config rPx, @{bin}/apt-config rPx,
/usr/share/knotifications{5,6}/{,**} r,
/usr/share/metainfo/{,**} r, /usr/share/metainfo/{,**} r,
/etc/flatpak/remotes.d/ r, /etc/machine-id r,
/etc/flatpak/remotes.d/{,**} r,
/var/lib/flatpak/repo/{,**} r, /var/lib/flatpak/repo/{,**} r,
/var/cache/swcatalog/cache/ w,
owner @{user_cache_dirs}/appstream/ r, owner @{user_cache_dirs}/appstream/ r,
owner @{user_cache_dirs}/appstream/** r, owner @{user_cache_dirs}/appstream/** r,
owner @{user_cache_dirs}/flatpak/{,**} rw, owner @{user_cache_dirs}/flatpak/{,**} rw,
owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/PlasmaDiscoverUpdates r, owner @{user_config_dirs}/@{int} rw,
owner @{user_config_dirs}/PlasmaDiscoverUpdates rw,
owner @{user_config_dirs}/PlasmaDiscoverUpdates.@{rand6} rwl -> @{user_config_dirs}/@{int},
owner @{user_config_dirs}/PlasmaDiscoverUpdates.lock rwk,
owner @{user_share_dirs}/flatpak/{,**} rw, owner @{user_share_dirs}/flatpak/{,**} rw,
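Review bot: `owner @{user_config_dirs}/@{int} rw,` together with the link target `-> @{user_config_dirs}/@{int}` grants read/write on any all-digit file name directly under the user's config directory, which is much wider than the PlasmaDiscoverUpdates* rules around it; if this is the lock/temp-file sequence of the config writer, that should be on the line, e.g. `# Lock and temp files created next to PlasmaDiscoverUpdates`. The `/var/cache/swcatalog/cache/ w,` rule lets a user-session process create or remove a root-owned system cache directory; DAC will presumably refuse that anyway, so if the goal is only to keep the denial out of the log, a `deny` rule or a comment saying so is clearer than a grant. The rest of the profile is outside the hunk.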


@ -48,6 +48,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
@{exec_path} mr, @{exec_path} mr,
@{lib}/libheif/{,**} mr,
@{bin}/dolphin rPUx, @{bin}/dolphin rPUx,
@{bin}/ksysguardd rix, @{bin}/ksysguardd rix,
@{bin}/plasma-discover rPUx, @{bin}/plasma-discover rPUx,


@ -15,6 +15,8 @@ profile xwaylandvideobridge @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/etc/machine-id r,
owner @{user_cache_dirs}/xwaylandvideobridge/ rw, owner @{user_cache_dirs}/xwaylandvideobridge/ rw,
owner @{user_cache_dirs}/xwaylandvideobridge/** rwk, owner @{user_cache_dirs}/xwaylandvideobridge/** rwk,


@ -40,16 +40,16 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
"/opt/Mullvad VPN/resources/*" r, "/opt/Mullvad VPN/resources/*" r,
/etc/mullvad-vpn/{,*} r, /etc/mullvad-vpn/{,*} r,
/etc/mullvad-vpn/@{uid} rw, /etc/mullvad-vpn/@{uuid} rw,
/etc/mullvad-vpn/*.json rw, /etc/mullvad-vpn/*.json rw,
@{etc_rw}/resolv.conf rw, @{etc_rw}/resolv.conf rw,
@{etc_rw}/resolv.conf.mullvadbackup rw, @{etc_rw}/resolv.conf.mullvadbackup rw,
/var/cache/mullvad-vpn/{,*} rw, owner /var/cache/mullvad-vpn/{,*} rw,
/var/log/mullvad-vpn/{,*} rw, owner /var/log/mullvad-vpn/{,*} rw,
owner /var/log/private/mullvad-vpn/*.log rw, owner /var/log/private/mullvad-vpn/*.log rw,
@{run}/mullvad-vpn rw, owner @{run}/mullvad-vpn rw,
@{run}/NetworkManager/resolv.conf r, @{run}/NetworkManager/resolv.conf r,
@{sys}/fs/cgroup/net_cls/ w, @{sys}/fs/cgroup/net_cls/ w,


@ -20,7 +20,7 @@ profile ssh-agent @{exec_path} {
@{sh_path} rix, @{sh_path} rix,
@{bin}/enlightenment_start rPUx, @{bin}/enlightenment_start rPUx,
@{bin}/gpg-agent rPx, @{bin}/gpg-agent rPx,
@{bin}/im-launch rPUx, @{bin}/im-launch rPx,
@{bin}/kwalletaskpass rPUx, @{bin}/kwalletaskpass rPUx,
@{bin}/openbox-session rPx, @{bin}/openbox-session rPx,
@{bin}/startkde rPUx, @{bin}/startkde rPUx,
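Review bot: Changing `@{bin}/im-launch` from `rPUx` to `rPx` removes the unconfined fallback, so on a system where no im-launch profile is loaded the exec is refused instead of running unconfined; that is the stricter and preferable transition, but it assumes the profile ships with this set and nothing in the hunk shows it. Worth confirming the im-launch profile exists and is installed by default before this reaches enforce mode. The neighbouring `kwalletaskpass` and `startkde` entries keep `rPUx`, so the difference should be deliberate and ideally noted.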


@ -33,6 +33,7 @@ profile systemd-journald @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/etc/systemd/journald.conf r, /etc/systemd/journald.conf r,
/etc/systemd/journald.conf.d/{,**} r,
@{run}/log/ rw, @{run}/log/ rw,
/{run,var}/log/journal/ rw, /{run,var}/log/journal/ rw,
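Review bot: `/etc/systemd/journald.conf.d/{,**} r,` grants read on every file and subdirectory under the drop-in directory, while systemd only parses `*.conf` files directly inside it; `/etc/systemd/journald.conf.d/{,*.conf} r,` would match what is actually read. The same applies to the new `/etc/systemd/oomd.conf.d/{,**} r,` line in the systemd-oomd section. Either form is low risk since these are root-owned configuration files, so this is a precision point rather than a hole.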


@ -46,8 +46,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r, /etc/machine-id r,
/etc/systemd/networkd.conf r, /etc/systemd/networkd.conf r,
/etc/systemd/network/ r, /etc/systemd/network/{,**} r,
/etc/systemd/network/[0-9][0-9]-*.{netdev,network,link} r,
/etc/networkd-dispatcher/carrier.d/{,*} r, /etc/networkd-dispatcher/carrier.d/{,*} r,
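Review bot: The new `/etc/systemd/network/{,**} r,` is noticeably broader than the two rules it replaces: it covers any file at any depth, where the old pattern admitted only `[0-9][0-9]-*.{netdev,network,link}`. The widening is justified if it was done to admit unnumbered unit names and the `*.network.d/*.conf` drop-ins networkd reads, but that reason belongs on the line, e.g. `# Network units, plus their .d/ drop-ins`. If drop-ins were not the motivation, `/etc/systemd/network/{,*.{netdev,network,link},*.{netdev,network,link}.d/{,*.conf}} r,` keeps the old precision while still admitting unnumbered units.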


@ -22,6 +22,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/etc/systemd/oomd.conf r, /etc/systemd/oomd.conf r,
/etc/systemd/oomd.conf.d/{,**} r,
@{run}/systemd/io.system.ManagedOOM rw, @{run}/systemd/io.system.ManagedOOM rw,
@{run}/systemd/io.systemd.ManagedOOM rw, @{run}/systemd/io.systemd.ManagedOOM rw,


@ -45,6 +45,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
@{bin}/cut rix, @{bin}/cut rix,
@{bin}/dmsetup rPUx, @{bin}/dmsetup rPUx,
@{bin}/ethtool rix, @{bin}/ethtool rix,
@{bin}/issue-generator rPUx,
@{bin}/kmod rPx, @{bin}/kmod rPx,
@{bin}/less rPx -> child-pager, @{bin}/less rPx -> child-pager,
@{bin}/ln rix, @{bin}/ln rix,
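Review bot: `@{bin}/issue-generator rPUx,` lets udevd, which runs as root, fall back to executing issue-generator unconfined when no profile for it is loaded, and the hunk does not show whether such a profile exists. If it does, `rPx` is the consistent choice with the `kmod` and `less` entries right below; if it does not, a short profile is worth adding since the helper inherits udev's privileges. The profile is already in complain mode, so this does not change enforcement today.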


@ -11,6 +11,7 @@ include <tunables/global>
profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
@ -25,26 +26,8 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
network inet6 dgram, network inet6 dgram,
network netlink raw, network netlink raw,
dbus send bus=system path=/ #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/
interface=org.freedesktop.fwupd
member={GetDevices,GetPlugins,GetRemotes,SetFeatureFlags,SetHints,UpdateMetadata},
dbus send bus=system path=/org/freedesktop/systemd[0-9]
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/systemd[0-9]
interface=org.freedesktop.systemd[0-9].Manager
member={GetDefaultTarget,GetUnit},
dbus receive bus=system path=/
interface=org.freedesktop.fwupd
member=Changed,
@{exec_path} mr, @{exec_path} mr,
@{bin}/dbus-launch rCx -> dbus, @{bin}/dbus-launch rCx -> dbus,
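Review bot: The `#aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/` directive replaces the fwupd send/receive rules, but the removed `dbus send ... path=/org/freedesktop/systemd[0-9]` rules for `org.freedesktop.DBus.Properties GetAll` and `org.freedesktop.systemd[0-9].Manager {GetDefaultTarget,GetUnit}` have no visible replacement; unless a systemd1 bus abstraction is included elsewhere in the profile, those calls will now be denied. The new directive also drops the explicit member list in favour of all members on all interfaces under `/`, which is acceptable given the `label=fwupd` peer constraint, but it trades member precision for label precision and that is worth stating in the commit message. The profile's body continues outside the hunk.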


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/jackdbus
profile jackdbus @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
owner @{HOME}/.log/ w,
owner @{HOME}/.log/jack/{,**} rw,
owner @{user_config_dirs}/jack/{,**} rw,
include if exists <local/jackdbus>
}
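Review bot: The new jackdbus profile is in enforce mode yet contains only configuration and log file rules — no bus-session abstraction for the D-Bus service it is named after, no audio device or realtime-scheduling rules — so on first use the daemon will presumably be denied the things that make it useful and fail in ways a user attributes to JACK rather than to the policy. Starting it with `flags=(complain)`, as the fwupdmgr and systemd-udevd profiles in this commit do, and tightening after collecting logs is the safer path. If the rule set really is complete for the intended invocation, a header comment stating that scope would stop the next reader from assuming the profile is unfinished.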


@ -22,6 +22,8 @@ profile snap @{exec_path} {
capability setuid, capability setuid,
capability sys_admin, capability sys_admin,
network netlink raw,
unix (send, receive) type=stream peer=(label=apt), unix (send, receive) type=stream peer=(label=apt),
mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/, mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/,
@ -31,6 +33,10 @@ profile snap @{exec_path} {
member=StartTransientUnit member=StartTransientUnit
peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"), peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),
dbus receive bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=JobRemoved
peer=(name=:*, label="@{systemd}"),
dbus receive bus=session path=/org/freedesktop/systemd1 dbus receive bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager interface=org.freedesktop.systemd1.Manager
member=JobRemoved member=JobRemoved