mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 17:08:09 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profile): general update.

Browse source
This commit is contained in:
Alexandre Pujol 2024-03-22 22:13:42 +00:00
parent 6d84301698
commit 8c516ea788
Failed to generate hash of commit
20 changed files with 74 additions and 47 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
apparmor.d/abstractions/bus/org.freedesktop.timedate1
View file

@ -7,6 +7,12 @@
member=Get
peer=(name=org.freedesktop.timedate1, label=systemd-timedated),
# FIXME: should be under the systemd-timedated label
dbus send bus=system path=/org/freedesktop/timedate1
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.timedate1, label=unconfined),
dbus send bus=system path=/org/freedesktop/timedate1
interface=org.freedesktop.DBus.Properties
member=GetAll

1
apparmor.d/groups/bus/dbus-accessibility
View file

@ -55,6 +55,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
@{sys}/kernel/security/apparmor/features/dbus/mask r,
@{sys}/module/apparmor/parameters/enabled r,
@{PROC}/@{pid}/attr/apparmor/current r,
@{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/oom_score_adj r,

1
apparmor.d/groups/freedesktop/xrdb
View file

@ -25,6 +25,7 @@ profile xrdb @{exec_path} {
/usr/include/stdc-predef.h r,
@{etc_ro}/X11/xdm/Xresources r,
@{etc_ro}/X11/Xresources r,
/etc/X11/Xresources/* r,
# The location of the .Xresources file

3
apparmor.d/groups/gnome/deja-dup-monitor
View file

@ -12,6 +12,7 @@ profile deja-dup-monitor @{exec_path} {
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/net.hadess.PowerProfiles>
include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
include <abstractions/bus/org.gtk.vfs.Daemon>
include <abstractions/dconf-write>
@ -19,7 +20,7 @@ profile deja-dup-monitor @{exec_path} {
network netlink raw,
#aa:dbus own bus=session name=org.gnome.DejaDup.Monitor
#aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup
#aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup interface=org.gtk.Actions
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties

2
apparmor.d/groups/gnome/gnome-control-center-goa-helper
View file

@ -30,7 +30,7 @@ profile gnome-control-center-goa-helper @{exec_path} {
signal (send) set=(kill) peer=bwrap,
#aa:dbus: own bus=session name=org.gnome.Settings.GoaHelper
#aa:dbus own bus=session name=org.gnome.Settings.GoaHelper
dbus send bus=session path=/org/gnome/OnlineAccounts
interface=org.freedesktop.DBus.ObjectManager

2
apparmor.d/groups/gnome/gnome-extension-ding
View file

@ -30,7 +30,7 @@ profile gnome-extension-ding @{exec_path} {
unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
#aa:dbus own bus=session name=com.rastersoft.ding interface=org.gtk.Actions
#aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell
#aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface=org.gtk.Actions
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus.Introspectable

21
apparmor.d/groups/gnome/gnome-shell
View file

@ -75,10 +75,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
# Owned by gnome-shell
dbus bind bus=session name=org.gnome.*,
dbus (send, receive) bus=session path=/org/gnome/**
interface={org.gnome.*,org.freedesktop.{Application,DBus.Properties,DBus.ObjectManager},org.gtk.{Actions,Application}}
peer=(name="{:*,org.gnome.*,org.freedesktop.DBus}"),
#aa:dbus own bus=session name=org.gnome.keyring.SystemPrompter
#aa:dbus own bus=session name=org.gnome.Mutter
#aa:dbus own bus=session name=org.gnome.Shell
#aa:dbus own bus=session name=com.canonical.Unity path=/com/canonical/{U,u}nity
#aa:dbus own bus=session name=com.rastersoft.dingextension interface=org.gtk.Actions
@ -88,17 +87,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
# Talk with gnome-shell
#aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
#aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
## System bus
#aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
#aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary
#aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-*
dbus (send, receive) bus=system path=/org/gnome/**
interface=org.gnome.*
peer=(name="{:*,org.gnome.*}"),
dbus (send, receive) bus=system path=/org/gnome/**
interface=org.freedesktop.DBus.Properties
peer=(name="{:*,org.gnome.*}"),
# System bus
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
@ -145,7 +140,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
peer=(name=org.freedesktop.DBus, label=dbus-system),
## Session bus
# Session bus
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus

6
apparmor.d/groups/gnome/nautilus
View file

@ -33,10 +33,10 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
interface={org.gnome.Nautilus,org.freedesktop.{Application,DBus.Properties},org.gtk.{Actions,Application}}
peer=(name="{:*,org.gnome.Nautilus,org.freedesktop.DBus}"),
#aa:dbus: own bus=session name=org.freedesktop.FileManager1
#aa:dbus own bus=session name=org.freedesktop.FileManager1
#aa:dbus: talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell
#aa:dbus: talk bus=session name=org.gtk.vfs label=gvfsd
#aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell
#aa:dbus talk bus=session name=org.gtk.vfs label=gvfsd
dbus receive bus=session path=/org/gnome/Nautilus/SearchProvider
interface=org.gnome.Shell.SearchProvider2

11
apparmor.d/groups/kde/DiscoverNotifier
View file

@ -22,18 +22,25 @@ profile DiscoverNotifier @{exec_path} {
@{bin}/apt-config rPx,
/usr/share/knotifications{5,6}/{,**} r,
/usr/share/metainfo/{,**} r,
/etc/flatpak/remotes.d/ r,
/etc/machine-id r,
/etc/flatpak/remotes.d/{,**} r,
/var/lib/flatpak/repo/{,**} r,
/var/cache/swcatalog/cache/ w,
owner @{user_cache_dirs}/appstream/ r,
owner @{user_cache_dirs}/appstream/** r,
owner @{user_cache_dirs}/flatpak/{,**} rw,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/PlasmaDiscoverUpdates r,
owner @{user_config_dirs}/@{int} rw,
owner @{user_config_dirs}/PlasmaDiscoverUpdates rw,
owner @{user_config_dirs}/PlasmaDiscoverUpdates.@{rand6} rwl -> @{user_config_dirs}/@{int},
owner @{user_config_dirs}/PlasmaDiscoverUpdates.lock rwk,
owner @{user_share_dirs}/flatpak/{,**} rw,

2
apparmor.d/groups/kde/plasmashell
View file

@ -48,6 +48,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
@{exec_path} mr,
@{lib}/libheif/{,**} mr,
@{bin}/dolphin rPUx,
@{bin}/ksysguardd rix,
@{bin}/plasma-discover rPUx,

2
apparmor.d/groups/kde/xwaylandvideobridge
View file

@ -15,6 +15,8 @@ profile xwaylandvideobridge @{exec_path} {
@{exec_path} mr,
/etc/machine-id r,
owner @{user_cache_dirs}/xwaylandvideobridge/ rw,
owner @{user_cache_dirs}/xwaylandvideobridge/** rwk,

8
apparmor.d/groups/network/mullvad-daemon
View file

@ -40,16 +40,16 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
"/opt/Mullvad VPN/resources/*" r,
/etc/mullvad-vpn/{,*} r,
/etc/mullvad-vpn/@{uid} rw,
/etc/mullvad-vpn/@{uuid} rw,
/etc/mullvad-vpn/*.json rw,
@{etc_rw}/resolv.conf rw,
@{etc_rw}/resolv.conf.mullvadbackup rw,
/var/cache/mullvad-vpn/{,*} rw,
/var/log/mullvad-vpn/{,*} rw,
owner /var/cache/mullvad-vpn/{,*} rw,
owner /var/log/mullvad-vpn/{,*} rw,
owner /var/log/private/mullvad-vpn/*.log rw,
@{run}/mullvad-vpn rw,
owner @{run}/mullvad-vpn rw,
@{run}/NetworkManager/resolv.conf r,
@{sys}/fs/cgroup/net_cls/ w,

2
apparmor.d/groups/ssh/ssh-agent
View file

@ -20,7 +20,7 @@ profile ssh-agent @{exec_path} {
@{sh_path} rix,
@{bin}/enlightenment_start rPUx,
@{bin}/gpg-agent rPx,
@{bin}/im-launch rPUx,
@{bin}/im-launch rPx,
@{bin}/kwalletaskpass rPUx,
@{bin}/openbox-session rPx,
@{bin}/startkde rPUx,

1
apparmor.d/groups/systemd/systemd-journald
View file

@ -33,6 +33,7 @@ profile systemd-journald @{exec_path} {
@{exec_path} mr,
/etc/systemd/journald.conf r,
/etc/systemd/journald.conf.d/{,**} r,
@{run}/log/ rw,
/{run,var}/log/journal/ rw,

3
apparmor.d/groups/systemd/systemd-networkd
View file

@ -46,8 +46,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r,
/etc/systemd/networkd.conf r,
/etc/systemd/network/ r,
/etc/systemd/network/[0-9][0-9]-*.{netdev,network,link} r,
/etc/systemd/network/{,**} r,
/etc/networkd-dispatcher/carrier.d/{,*} r,

1
apparmor.d/groups/systemd/systemd-oomd
View file

@ -22,6 +22,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/etc/systemd/oomd.conf r,
/etc/systemd/oomd.conf.d/{,**} r,
@{run}/systemd/io.system.ManagedOOM rw,
@{run}/systemd/io.systemd.ManagedOOM rw,

1
apparmor.d/groups/systemd/systemd-udevd
View file

@ -45,6 +45,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
@{bin}/cut rix,
@{bin}/dmsetup rPUx,
@{bin}/ethtool rix,
@{bin}/issue-generator rPUx,
@{bin}/kmod rPx,
@{bin}/less rPx -> child-pager,
@{bin}/ln rix,

21
apparmor.d/profiles-a-f/fwupdmgr
View file

@ -11,6 +11,7 @@ include <tunables/global>
profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/dconf-write>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
@ -25,26 +26,8 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
network inet6 dgram,
network netlink raw,
dbus send bus=system path=/
interface=org.freedesktop.DBus.Properties
member=GetAll,
#aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/
dbus send bus=system path=/
interface=org.freedesktop.fwupd
member={GetDevices,GetPlugins,GetRemotes,SetFeatureFlags,SetHints,UpdateMetadata},
dbus send bus=system path=/org/freedesktop/systemd[0-9]
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/systemd[0-9]
interface=org.freedesktop.systemd[0-9].Manager
member={GetDefaultTarget,GetUnit},
dbus receive bus=system path=/
interface=org.freedesktop.fwupd
member=Changed,
@{exec_path} mr,
@{bin}/dbus-launch rCx -> dbus,

21
apparmor.d/profiles-g-l/jackdbus Normal file
View file

@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/jackdbus
profile jackdbus @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
owner @{HOME}/.log/ w,
owner @{HOME}/.log/jack/{,**} rw,
owner @{user_config_dirs}/jack/{,**} rw,
include if exists <local/jackdbus>
}

6
apparmor.d/profiles-s-z/snap
View file

@ -22,6 +22,8 @@ profile snap @{exec_path} {
capability setuid,
capability sys_admin,
network netlink raw,
unix (send, receive) type=stream peer=(label=apt),
mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/,
@ -31,6 +33,10 @@ profile snap @{exec_path} {
member=StartTransientUnit
peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),
dbus receive bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=JobRemoved
peer=(name=:*, label="@{systemd}"),
dbus receive bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=JobRemoved