feat(profiles): general update.

Alexandre Pujol 2023-02-01 22:37:33 +00:00
parent f19379c55f
commit 8dca20c5c6
8 changed files with 48 additions and 70 deletions


@ -76,6 +76,8 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/**/device:*/**/path r, @{sys}/devices/**/device:*/**/path r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,removable,uevent} r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,removable,uevent} r,
@{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/bios_vendor r,
@{sys}/devices/virtual/dmi/id/board_vendor r,
@{sys}/devices/virtual/dmi/id/product_name r,
/dev/media[0-9]* rw, /dev/media[0-9]* rw,


@ -43,6 +43,8 @@ profile mullvad-gui @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/libva.conf r, /etc/libva.conf r,
/etc/igfx_user_feature{,_next}.txt w,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk, owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk,
@ -53,7 +55,7 @@ profile mullvad-gui @{exec_path} {
@{sys}/bus/pci/devices/ r, @{sys}/bus/pci/devices/ r,
@{sys}/devices/virtual/tty/tty[0-9]*/active r, @{sys}/devices/virtual/tty/tty[0-9]*/active r,
@{sys}/devices/pci[0-9]*/**/{vendor,device,class,config} r, @{sys}/devices/pci[0-9]*/**/{vendor,device,class,config,resource,irq} r,
@{PROC}/ r, @{PROC}/ r,
@{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/fs/inotify/max_user_watches r,
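Review bot: The new `/etc/igfx_user_feature{,_next}.txt w,` in the first hunk grants create/write on a system-wide path under /etc, with no `owner` qualifier and no comment saying why a GUI client needs it. Given the adjacent `/etc/libva.conf r,` this is presumably the VA-API Intel driver's feature file; confirm against the denial that motivated the rule. If the application works without the write, a `deny /etc/igfx_user_feature{,_next}.txt w,` keeps the log quiet without granting it; otherwise add `# VA-API Intel driver feature file -- TODO confirm why write is needed` above the rule. profile mullvad-gui continues outside both hunks.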


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken # Copyright (C) 2022 Jeroen Rijken
# Copyright (C) 2022-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -10,6 +11,7 @@ include <tunables/global>
profile findmnt @{exec_path} flags=(attach_disconnected,complain) { profile findmnt @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/disks-read>
capability dac_read_search, capability dac_read_search,


@ -89,7 +89,7 @@ profile git @{exec_path} {
owner /tmp/** rwkl -> /tmp/**, owner /tmp/** rwkl -> /tmp/**,
owner /tmp/**/bin/* rCx -> exec, owner /tmp/**/bin/* rCx -> exec,
owner @{HOME}/.gitconfig* r, owner @{HOME}/.gitconfig* rw,
owner @{HOME}/.netrc r, owner @{HOME}/.netrc r,
owner @{user_config_dirs}/git/{,*} rw, owner @{user_config_dirs}/git/{,*} rw,
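Review bot: `owner @{HOME}/.gitconfig* rw,` widens write access to every file whose name starts with `.gitconfig`, not only the global config and the lock file git writes while updating it. If the `rw` was added for `git config --global`, the narrower `owner @{HOME}/.gitconfig{,.lock} rw,` would presumably cover it; confirm against the denials that motivated the change before narrowing. profile git's body continues outside the hunk.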


@ -55,7 +55,7 @@ profile pass @{exec_path} {
/usr/share/terminfo/x/xterm-256color r, /usr/share/terminfo/x/xterm-256color r,
owner @{HOME}/.password-store/{,**} rw, owner @{user_password_store_dirs}/{,**} rw,
owner @{user_projects_dirs}/**/*-store/{,**} rw, owner @{user_projects_dirs}/**/*-store/{,**} rw,
owner @{user_config_dirs}/*-store/{,**} rw, owner @{user_config_dirs}/*-store/{,**} rw,
owner /dev/shm/pass.*/{,*} rw, owner /dev/shm/pass.*/{,*} rw,
@ -83,7 +83,7 @@ profile pass @{exec_path} {
owner @{HOME}/.fzf/plugin/fzf.vim r, owner @{HOME}/.fzf/plugin/fzf.vim r,
owner @{HOME}/.viminfo{,.tmp} rw, owner @{HOME}/.viminfo{,.tmp} rw,
owner @{HOME}/.password-store/ r, owner @{user_password_store_dirs}/ r,
owner @{user_projects_dirs}/**/*-store/ r, owner @{user_projects_dirs}/**/*-store/ r,
owner @{user_config_dirs}/*-store/ r, owner @{user_config_dirs}/*-store/ r,
@ -116,8 +116,8 @@ profile pass @{exec_path} {
owner @{HOME}/.gitconfig r, owner @{HOME}/.gitconfig r,
owner @{user_config_dirs}/git/{,*} r, owner @{user_config_dirs}/git/{,*} r,
owner @{HOME}/.password-store/ rw, owner @{user_password_store_dirs}/ rw,
owner @{HOME}/.password-store/** rwkl -> @{HOME}/.password-store/**, owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
owner @{user_projects_dirs}/**/*-store/ rw, owner @{user_projects_dirs}/**/*-store/ rw,
owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**, owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**,
owner @{user_config_dirs}/*-store/ rw, owner @{user_config_dirs}/*-store/ rw,
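Review bot: In the last hunk, `owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,` switches the source to the new tunable but leaves the link target at the old `@{HOME}/.password-store/**`, so a hard link created inside a store that the variable points elsewhere is denied. It should read `owner @{user_password_store_dirs}/** rwkl -> @{user_password_store_dirs}/**,`, matching the `@{user_projects_dirs}` rule two lines below. None of the eight file sections of this commit declares `@{user_password_store_dirs}`, so it must already exist in the tunables; if it does not, `pass` and `pass-import` fail to parse. profile pass's body continues outside the hunks.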


@ -32,9 +32,9 @@ profile pass-import @{exec_path} {
/usr/share/file/misc/magic.mgc r, /usr/share/file/misc/magic.mgc r,
owner @{HOME}/.password-store/{,**} rw, owner @{user_password_store_dirs}/{,**} rw,
owner @{user_projects_dirs}/**/*-store/{,**} rw, owner @{user_projects_dirs}/**/*-store/{,**} rw,
owner @{user_config_dirs}/password-store/{,**} rw, owner @{user_config_dirs}/*-store/{,**} rw,
owner /tmp/[a-zA-Z0-9]* rw, owner /tmp/[a-zA-Z0-9]* rw,


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov # Copyright (C) 2017-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -9,22 +10,25 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/rpi-imager @{exec_path} = /{usr/,}bin/rpi-imager
profile rpi-imager @{exec_path} { profile rpi-imager @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/dconf-write>
include <abstractions/fonts> include <abstractions/disks-write>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/nameservice-strict> include <abstractions/fontconfig-cache-read>
include <abstractions/ssl_certs> include <abstractions/fonts>
include <abstractions/openssl> include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/opencl>
include <abstractions/openssl>
include <abstractions/qt5-shader-cache> include <abstractions/qt5-shader-cache>
include <abstractions/ssl_certs>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
include <abstractions/disks-write> include <abstractions/vulkan>
#capability sys_admin, #capability sys_admin,
deny capability sys_nice, # deny capability sys_nice,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
@ -35,70 +39,38 @@ profile rpi-imager @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/usr/bin/lsblk rCx -> lsblk, /{usr/,}bin/lsblk rPx,
# When rpi-imager is run as root, it wants to exec dbus-launch, and hence it creates the two /etc/fstab r,
# following root processes: /etc/X11/cursors/*.theme r,
# dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr /usr/share/glib-2.0/schemas/gschemas.compiled r,
# /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session /usr/share/hwdata/pnp.ids r,
#
# Should this be allowed? Rpi-imager works fine without this.
#/{usr/,}bin/dbus-launch rCx -> dbus,
#/{usr/,}bin/dbus-send rCx -> dbus,
deny /{usr/,}bin/dbus-launch rx,
deny /{usr/,}bin/dbus-send rx,
owner "@{user_config_dirs}/Raspberry Pi/" rw,
owner "@{user_config_dirs}/Raspberry Pi/Imager.conf" rw,
owner "@{user_config_dirs}/Raspberry Pi/Imager.conf.lock" rwk,
owner "@{user_cache_dirs}/Raspberry Pi/" rw,
owner "@{user_cache_dirs}/Raspberry Pi/**" rwl -> "@{user_cache_dirs}/Raspberry Pi/**",
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r, /usr/share/qt5ct/** r,
/usr/share/X11/xkb/{,**} r,
owner @{user_config_dirs}/QtProject.conf r,
/etc/machine-id r, /etc/machine-id r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/usr/share/hwdata/pnp.ids r, owner "@{user_cache_dirs}/Raspberry Pi/" rw,
owner "@{user_cache_dirs}/Raspberry Pi/**" rwl -> "@{user_cache_dirs}/Raspberry Pi/**",
owner "@{user_config_dirs}/Raspberry Pi/{,**}" rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_config_dirs}/qt5ct/{,**} r,
owner @{user_config_dirs}/QtProject.conf r,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
/etc/X11/cursors/*.theme r,
/dev/disk/by-label/ r, /dev/disk/by-label/ r,
deny @{user_share_dirs}/gvfs-metadata/* r,
profile lsblk {
include <abstractions/base>
include <abstractions/disks-read>
include <abstractions/nameservice-strict>
/usr/bin/lsblk mr,
@{PROC}/swaps r,
owner @{PROC}/@{pid}/mountinfo r,
# file_inherit
/dev/dri/card[0-9]* rw,
}
include if exists <local/rpi-imager> include if exists <local/rpi-imager>
} }
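Review bot: As far as the rendering shows, the consolidated `owner "@{user_config_dirs}/Raspberry Pi/{,**}" rw,` replaces three rules, one of which was `Imager.conf.lock rwk`, so the `k` (lock) permission is dropped and a lock taken on that file will now be denied; the new rule should be `rwk`. `/{usr/,}bin/lsblk rPx,` removes the self-contained `profile lsblk` child, so the transition now depends on a separate lsblk profile being loaded, and exec is denied when it is not. `# deny capability sys_nice,` is a commented-out rule with no stated reason; either delete it or replace it with a comment saying why the explicit deny was dropped. The rpi-imager profile header is outside this hunk.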


@ -122,9 +122,9 @@ profile snapd @{exec_path} {
owner @{run}/mount/utab{,.*} rw, owner @{run}/mount/utab{,.*} rw,
owner @{run}/mount/utab.lock wk, owner @{run}/mount/utab.lock wk,
owner @{run}/user/@{uid}/ r, @{run}/user/@{uid}/ r,
owner @{run}/user/@{uid}/snapd-session-agent.socket rw, @{run}/user/@{uid}/snapd-session-agent.socket rw,
owner @{run}/user/snap.*/{,**} rw, @{run}/user/snap.*/{,**} rw,
@{run}/snapd*.socket rw, @{run}/snapd*.socket rw,
@{run}/snapd/{,**} rw, @{run}/snapd/{,**} rw,