Update profiles.

Alexandre Pujol 2021-07-16 21:33:11 +01:00
parent aa3c43c999
commit 94978242ff
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
15 changed files with 42 additions and 22 deletions


@ -11,9 +11,10 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/nameservice-strict> include <abstractions/fonts>
include <abstractions/mesa>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
@{exec_path} mr, @{exec_path} mr,


@ -18,7 +18,7 @@ profile evolution-addressbook-factory @{exec_path} {
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,
@{exec_path}-subprocess rix, @{exec_path}-subprocess rix,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,


@ -21,10 +21,12 @@ profile gnome-contacts @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/glvnd/egl_vendor.d/{,*.json} r,
/usr/share/applications/{,*.desktop} r, /usr/share/applications/{,*.desktop} r,
owner @{user_cache_dirs}/evolution/addressbook/{,**} r, owner @{user_cache_dirs}/evolution/addressbook/{,**} r,
owner @{user_cache_dirs}/gstreamer*/{,**} r, owner @{user_cache_dirs}/gstreamer*/{,**} r,
owner @{user_cache_dirs}/mesa_shader_cache/index rw,
owner @{user_config_dirs}/gnome-contacts/{,**} rw, owner @{user_config_dirs}/gnome-contacts/{,**} rw,
owner @{user_share_dirs}/folks/relationships.ini r, owner @{user_share_dirs}/folks/relationships.ini r,
@ -32,5 +34,9 @@ profile gnome-contacts @{exec_path} {
owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
/dev/ r,
include if exists <local/gnome-contacts> include if exists <local/gnome-contacts>
} }
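Review bot: The four rules added to gnome-contacts (`/usr/share/glvnd/egl_vendor.d/{,*.json} r`, `owner @{user_cache_dirs}/mesa_shader_cache/index rw`, `@{PROC}/sys/dev/i915/perf_stream_paranoid r`, `/dev/ r`) look like the GPU/Mesa access that `include <abstractions/mesa>` is meant to provide, and this same commit adds that include to the ibus-x11 profile instead of listing rules. If the abstraction does cover them, replacing the individual rules with `include <abstractions/mesa>` keeps the two profiles consistent and avoids the shader-cache rule drifting when Mesa changes its cache layout; worth checking against the abstraction's contents before switching. `/dev/ r` is a directory listing rather than a device node, so a short comment naming the access that triggered it (e.g. `# device enumeration by <library> — confirm`) would let the next reader judge whether it belongs here.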


@ -30,6 +30,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
/usr/share/X11/xkb/** r, /usr/share/X11/xkb/** r,
owner @{user_share_dirs}/event-sound-cache.tdb.* rwk, owner @{user_share_dirs}/event-sound-cache.tdb.* rwk,
owner @{user_share_dirs}/recently-used.xbel{,.*} rw,
/var/lib/gdm/.config/pulse/client.conf r, /var/lib/gdm/.config/pulse/client.conf r,


@ -22,6 +22,7 @@ profile tracker-extract @{exec_path} {
/usr/share/applications/*.desktop r, /usr/share/applications/*.desktop r,
/usr/share/mime/mime.cache r, /usr/share/mime/mime.cache r,
owner /tmp/tracker-extract-3-files.*/{,*} rw,
owner @{user_cache_dirs}/tracker3/files/{,**} rwk, owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
owner @{user_share_dirs}/gvfs-metadata/** r, owner @{user_share_dirs}/gvfs-metadata/** r,
@ -36,8 +37,6 @@ profile tracker-extract @{exec_path} {
owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,
/tmp/tracker-extract-3-files.*/{,*} rw,
@{run}/udev/data/c236:* r, @{run}/udev/data/c236:* r,
include if exists <local/tracker-extract> include if exists <local/tracker-extract>


@ -32,9 +32,9 @@ profile tracker-miner @{exec_path} {
owner @{user_config_dirs}/tracker3/{,**} rwk, owner @{user_config_dirs}/tracker3/{,**} rwk,
owner @{user_cache_dirs}/tracker3/files/{,**} rwk, owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
@{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
@{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/fs/inotify/max_user_watches r,
include <abstractions/dconf> include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/ rw,


@ -13,12 +13,14 @@ profile gvfsd-mtp @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
include <abstractions/devices-usb> include <abstractions/devices-usb>
include <abstractions/user-download-strict>
network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,
owner @{HOME}/{,**} rw,
owner @{MOUNTS}/*/{,**} rw,
owner @{run}/user/@{uid}/gvfsd/socket-* rw, owner @{run}/user/@{uid}/gvfsd/socket-* rw,
include <abstractions/dconf> include <abstractions/dconf>
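Review bot: `owner @{HOME}/{,**} rw` in gvfsd-mtp grants read/write over the entire home directory, dotfiles and credential stores included, which is far wider than an MTP transfer backend appears to need and makes the `include <abstractions/user-download-strict>` added a few lines above redundant. If the goal is letting users copy files to and from a device, scope the rule to the directories actually used (the download abstraction plus, for example, `owner @{HOME}/{Documents,Pictures,Music,Videos}/{,**} rw`), or at minimum add a comment recording why the blanket grant is required so it is not widened further by accident. `owner @{MOUNTS}/*/{,**} rw` raises the same question, though it is easier to justify for removable media. The gvfsd-mtp profile body continues outside this hunk.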


@ -67,6 +67,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
@{run}/NetworkManager/{,**} rw, @{run}/NetworkManager/{,**} rw,
@{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/systemd/users/@{uid} r,
@{run}/udev/data/n[0-9]* r, @{run}/udev/data/n[0-9]* r,
@{run}/udev/data/+rfkill:* r, @{run}/udev/data/+rfkill:* r,
@{run}/udev/data/+platform* r, @{run}/udev/data/+platform* r,


@ -51,5 +51,9 @@ profile bootctl @{exec_path} {
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
@{PROC}/sys/kernel/random/poolsize r, @{PROC}/sys/kernel/random/poolsize r,
# Silencer
deny network inet6 stream,
deny network inet stream,
include if exists <local/bootctl> include if exists <local/bootctl>
} }
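Review bot: The new `deny network inet6 stream,` / `deny network inet stream,` pair in bootctl (and the identical additions to systemd-hwdb and systemd-sysctl in this commit) carries only `# Silencer`, so nothing records which code path in these tools opens a TCP socket or why refusing it is harmless. Because an explicit `deny` takes precedence over any allow rule for the same access, including one a site adds through the `local/` include, the rationale is worth one line such as `# Silencer: <origin of the socket attempt> is not needed here, deny quietly`. If the origin is not yet known, `audit deny network inet stream,` for a while would identify it before the access is silenced permanently.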


@ -19,4 +19,5 @@ profile systemd-ac-power @{exec_path} {
@{sys}/devices/**/power_supply/{AC,BAT[0-9]*}/ r, @{sys}/devices/**/power_supply/{AC,BAT[0-9]*}/ r,
@{sys}/devices/**/power_supply/{AC,BAT[0-9]*}/{type,online} r, @{sys}/devices/**/power_supply/{AC,BAT[0-9]*}/{type,online} r,
include if exists <local/systemd-ac-power>
} }


@ -19,5 +19,9 @@ profile systemd-hwdb @{exec_path} {
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,
# Silencer
deny network inet6 stream,
deny network inet stream,
include if exists <local/systemd-hwdb> include if exists <local/systemd-hwdb>
} }


@ -27,5 +27,9 @@ profile systemd-sysctl @{exec_path} {
/etc/sysctl.conf r, /etc/sysctl.conf r,
# Silencer
deny network inet6 stream,
deny network inet stream,
include if exists <local/systemd-sysctl> include if exists <local/systemd-sysctl>
} }


@ -22,6 +22,7 @@ profile virtlogd @{exec_path} {
/var/log/libvirt/qemu/*.log rw, /var/log/libvirt/qemu/*.log rw,
@{run}/virtlogd.pid rwk, @{run}/virtlogd.pid rwk,
@{run}/libvirt/common/system.token rwk,
@{sys}/devices/system/node/ r, @{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r, @{sys}/devices/system/node/node[0-9]*/meminfo r,


@ -13,19 +13,13 @@ profile wpa-supplicant @{exec_path} {
include <abstractions/nameservice> include <abstractions/nameservice>
include <abstractions/openssl> include <abstractions/openssl>
# To remove the following errors: capability chown,
# wpa_supplicant[]: wlan0: Failed to initialize driver interface capability dac_override,
capability dac_read_search,
capability fsetid,
capability mknod,
capability net_admin, capability net_admin,
capability net_raw, capability net_raw,
# To remove the following errors:
# wpa_supplicant[]: Failed to initialize control interface 'DIR=/run/wpa_supplicant
# GROUP=netdev'. You may have another wpa_supplicant process already running or the file was
# left by an unclean termination of wpa_supplicant in which case you will need to manually
# remove this file before starting wpa_supplicant again.
capability chown,
capability fsetid,
capability sys_module, capability sys_module,
network packet raw, network packet raw,
@ -33,6 +27,8 @@ profile wpa-supplicant @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{HOME}/.cat_installer/*.pem r,
owner @{run}/wpa_supplicant/{,**} rw, owner @{run}/wpa_supplicant/{,**} rw,
/etc/wpa_supplicant/wpa_supplicant.conf r, /etc/wpa_supplicant/wpa_supplicant.conf r,
@ -46,7 +42,6 @@ profile wpa-supplicant @{exec_path} {
@{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/name r, @{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/name r,
# For wpa_gui # For wpa_gui
#capability dac_override,
#/etc/wpa_supplicant/wpa_supplicant.conf w, #/etc/wpa_supplicant/wpa_supplicant.conf w,
#/etc/wpa_supplicant/wpa_supplicant.conf.tmp rw, #/etc/wpa_supplicant/wpa_supplicant.conf.tmp rw,
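Review bot: The wpa-supplicant capability block now grants `capability dac_override,`, `capability dac_read_search,` and `capability mknod,` unconditionally while dropping the comments that explained why `chown` and `fsetid` were needed, so the profile no longer records a reason for any of its broadest privileges; `dac_override` alone lets the confined process bypass file permission checks on every path the profile otherwise allows. Please restore a one-line rationale above each capability (the removed text about the control interface under `/run/wpa_supplicant` is a good model), and reconcile the now-contradictory `#capability dac_override,` left in the `# For wpa_gui` block, which still presents that capability as optional. If `mknod` and `dac_read_search` were added for a specific denial, quoting the log line in the comment would make the grant auditable later. The wpa-supplicant profile body continues outside these hunks.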


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-mime @{exec_path} = /{usr/,}bin/xdg-mime
profile xdg-mime @{exec_path} { profile xdg-mime @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
@ -55,6 +55,7 @@ profile xdg-mime @{exec_path} {
# file_inherit # file_inherit
@{MOUNTS}/** rw, @{MOUNTS}/** rw,
/dev/dri/card[0-9]* rw,
/dev/tty rw, /dev/tty rw,