Update profiles.
This commit is contained in:
parent
aa3c43c999
commit
94978242ff
@ -11,9 +11,10 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
|
|||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/dri-common>
|
include <abstractions/dri-common>
|
||||||
include <abstractions/dri-enumerate>
|
include <abstractions/dri-enumerate>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/fonts>
|
||||||
include <abstractions/mesa>
|
|
||||||
include <abstractions/gtk>
|
include <abstractions/gtk>
|
||||||
|
include <abstractions/mesa>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
@ -18,7 +18,7 @@ profile evolution-addressbook-factory @{exec_path} {
|
|||||||
network inet dgram,
|
network inet dgram,
|
||||||
network inet6 dgram,
|
network inet6 dgram,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
@{exec_path}-subprocess rix,
|
@{exec_path}-subprocess rix,
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
|
@ -21,10 +21,12 @@ profile gnome-contacts @{exec_path} {
|
|||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
|
/usr/share/glvnd/egl_vendor.d/{,*.json} r,
|
||||||
/usr/share/applications/{,*.desktop} r,
|
/usr/share/applications/{,*.desktop} r,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/evolution/addressbook/{,**} r,
|
owner @{user_cache_dirs}/evolution/addressbook/{,**} r,
|
||||||
owner @{user_cache_dirs}/gstreamer*/{,**} r,
|
owner @{user_cache_dirs}/gstreamer*/{,**} r,
|
||||||
|
owner @{user_cache_dirs}/mesa_shader_cache/index rw,
|
||||||
owner @{user_config_dirs}/gnome-contacts/{,**} rw,
|
owner @{user_config_dirs}/gnome-contacts/{,**} rw,
|
||||||
owner @{user_share_dirs}/folks/relationships.ini r,
|
owner @{user_share_dirs}/folks/relationships.ini r,
|
||||||
|
|
||||||
@ -32,5 +34,9 @@ profile gnome-contacts @{exec_path} {
|
|||||||
owner @{run}/user/@{uid}/dconf/ rw,
|
owner @{run}/user/@{uid}/dconf/ rw,
|
||||||
owner @{run}/user/@{uid}/dconf/user rw,
|
owner @{run}/user/@{uid}/dconf/user rw,
|
||||||
|
|
||||||
|
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
|
||||||
|
|
||||||
|
/dev/ r,
|
||||||
|
|
||||||
include if exists <local/gnome-contacts>
|
include if exists <local/gnome-contacts>
|
||||||
}
|
}
|
||||||
|
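Review bot: The GPU-related rules added across the two gnome-contacts hunks (`/usr/share/glvnd/egl_vendor.d/{,*.json} r,`, `owner @{user_cache_dirs}/mesa_shader_cache/index rw,`, `@{PROC}/sys/dev/i915/perf_stream_paranoid r,` and `/dev/ r,`) read like a hand-copied subset of what the repository's shared `abstractions/mesa` provides, which the ibus-x11 hunk at the top of this commit includes. If that abstraction does cover them, `include <abstractions/mesa>` keeps this profile in sync with the shared rule set instead of maintaining a partial copy, and avoids the follow-up denials a partial copy tends to generate (granting only the shader-cache `index` file, for example, looks incomplete — to be confirmed against the abstraction). If the hand-written rules are intentional, a one-line comment saying why the abstraction is not used would help the next reviewer. The profile header and its closing are outside the first hunk.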
@ -30,6 +30,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
|
|||||||
/usr/share/X11/xkb/** r,
|
/usr/share/X11/xkb/** r,
|
||||||
|
|
||||||
owner @{user_share_dirs}/event-sound-cache.tdb.* rwk,
|
owner @{user_share_dirs}/event-sound-cache.tdb.* rwk,
|
||||||
|
owner @{user_share_dirs}/recently-used.xbel{,.*} rw,
|
||||||
|
|
||||||
/var/lib/gdm/.config/pulse/client.conf r,
|
/var/lib/gdm/.config/pulse/client.conf r,
|
||||||
|
|
||||||
|
@ -22,6 +22,7 @@ profile tracker-extract @{exec_path} {
|
|||||||
/usr/share/applications/*.desktop r,
|
/usr/share/applications/*.desktop r,
|
||||||
/usr/share/mime/mime.cache r,
|
/usr/share/mime/mime.cache r,
|
||||||
|
|
||||||
|
owner /tmp/tracker-extract-3-files.*/{,*} rw,
|
||||||
owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
|
owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
|
||||||
owner @{user_share_dirs}/gvfs-metadata/** r,
|
owner @{user_share_dirs}/gvfs-metadata/** r,
|
||||||
|
|
||||||
@ -36,8 +37,6 @@ profile tracker-extract @{exec_path} {
|
|||||||
owner @{run}/user/@{uid}/dconf/ rw,
|
owner @{run}/user/@{uid}/dconf/ rw,
|
||||||
owner @{run}/user/@{uid}/dconf/user rw,
|
owner @{run}/user/@{uid}/dconf/user rw,
|
||||||
|
|
||||||
/tmp/tracker-extract-3-files.*/{,*} rw,
|
|
||||||
|
|
||||||
@{run}/udev/data/c236:* r,
|
@{run}/udev/data/c236:* r,
|
||||||
|
|
||||||
include if exists <local/tracker-extract>
|
include if exists <local/tracker-extract>
|
||||||
|
@ -32,9 +32,9 @@ profile tracker-miner @{exec_path} {
|
|||||||
owner @{user_config_dirs}/tracker3/{,**} rwk,
|
owner @{user_config_dirs}/tracker3/{,**} rwk,
|
||||||
owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
|
owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
|
||||||
|
|
||||||
@{PROC}/@{pid}/mountinfo r,
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
@{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
@{PROC}/sys/fs/inotify/max_user_watches r,
|
@{PROC}/sys/fs/inotify/max_user_watches r,
|
||||||
|
|
||||||
include <abstractions/dconf>
|
include <abstractions/dconf>
|
||||||
owner @{run}/user/@{uid}/dconf/ rw,
|
owner @{run}/user/@{uid}/dconf/ rw,
|
||||||
|
@ -13,12 +13,14 @@ profile gvfsd-mtp @{exec_path} {
|
|||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/freedesktop.org>
|
include <abstractions/freedesktop.org>
|
||||||
include <abstractions/devices-usb>
|
include <abstractions/devices-usb>
|
||||||
include <abstractions/user-download-strict>
|
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
owner @{HOME}/{,**} rw,
|
||||||
|
owner @{MOUNTS}/*/{,**} rw,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/gvfsd/socket-* rw,
|
owner @{run}/user/@{uid}/gvfsd/socket-* rw,
|
||||||
|
|
||||||
include <abstractions/dconf>
|
include <abstractions/dconf>
|
||||||
|
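Review bot: `owner @{HOME}/{,**} rw,` replaces `include <abstractions/user-download-strict>` and gives gvfsd-mtp read-write access to the entire home directory, dotfiles included since `**` also matches leading dots; a transfer from a hostile MTP device could then overwrite `~/.bashrc`, `~/.ssh/` or `~/.config/` rather than only the download tree. The second new rule, `owner @{MOUNTS}/*/{,**} rw,`, is the narrower of the two and is fine. Prefer keeping the `user-download-strict` abstraction and adding only the concrete directories a transfer is expected to target; if whole-home access is genuinely required, record the reason in a comment next to the rule and consider excluding the dotfile trees explicitly, keeping in mind that a `deny` on `@{HOME}/.*` would also block any `@{user_cache_dirs}`-style rule that resolves under it. The enclosing profile starts and ends outside the hunk.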
@ -67,6 +67,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
@{run}/NetworkManager/{,**} rw,
|
@{run}/NetworkManager/{,**} rw,
|
||||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||||
|
@{run}/systemd/users/@{uid} r,
|
||||||
@{run}/udev/data/n[0-9]* r,
|
@{run}/udev/data/n[0-9]* r,
|
||||||
@{run}/udev/data/+rfkill:* r,
|
@{run}/udev/data/+rfkill:* r,
|
||||||
@{run}/udev/data/+platform* r,
|
@{run}/udev/data/+platform* r,
|
||||||
|
@ -51,5 +51,9 @@ profile bootctl @{exec_path} {
|
|||||||
owner @{PROC}/@{pid}/cgroup r,
|
owner @{PROC}/@{pid}/cgroup r,
|
||||||
@{PROC}/sys/kernel/random/poolsize r,
|
@{PROC}/sys/kernel/random/poolsize r,
|
||||||
|
|
||||||
|
# Silencer
|
||||||
|
deny network inet6 stream,
|
||||||
|
deny network inet stream,
|
||||||
|
|
||||||
include if exists <local/bootctl>
|
include if exists <local/bootctl>
|
||||||
}
|
}
|
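Review bot: `# Silencer` above the new `deny network inet6 stream,` / `deny network inet stream,` pair says the denial is deliberate but not what triggers the socket attempt, which is exactly what a later reader needs to judge whether the deny is still safe; the same pair with the same bare comment is added to systemd-hwdb and systemd-sysctl in this commit. Because a `deny` rule is quiet by default, the audit event that would otherwise flag a regression (a new code path that genuinely needs the socket) disappears, so the reason should be recorded once. A comment such as `# Silencer: <cause of the socket attempt>, not needed by bootctl` at each of the three sites is enough. The profile header is outside the hunk.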
@ -19,4 +19,5 @@ profile systemd-ac-power @{exec_path} {
|
|||||||
@{sys}/devices/**/power_supply/{AC,BAT[0-9]*}/ r,
|
@{sys}/devices/**/power_supply/{AC,BAT[0-9]*}/ r,
|
||||||
@{sys}/devices/**/power_supply/{AC,BAT[0-9]*}/{type,online} r,
|
@{sys}/devices/**/power_supply/{AC,BAT[0-9]*}/{type,online} r,
|
||||||
|
|
||||||
|
include if exists <local/systemd-ac-power>
|
||||||
}
|
}
|
||||||
|
@ -19,5 +19,9 @@ profile systemd-hwdb @{exec_path} {
|
|||||||
|
|
||||||
owner @{PROC}/@{pid}/stat r,
|
owner @{PROC}/@{pid}/stat r,
|
||||||
|
|
||||||
|
# Silencer
|
||||||
|
deny network inet6 stream,
|
||||||
|
deny network inet stream,
|
||||||
|
|
||||||
include if exists <local/systemd-hwdb>
|
include if exists <local/systemd-hwdb>
|
||||||
}
|
}
|
||||||
|
@ -27,5 +27,9 @@ profile systemd-sysctl @{exec_path} {
|
|||||||
|
|
||||||
/etc/sysctl.conf r,
|
/etc/sysctl.conf r,
|
||||||
|
|
||||||
|
# Silencer
|
||||||
|
deny network inet6 stream,
|
||||||
|
deny network inet stream,
|
||||||
|
|
||||||
include if exists <local/systemd-sysctl>
|
include if exists <local/systemd-sysctl>
|
||||||
}
|
}
|
||||||
|
@ -22,6 +22,7 @@ profile virtlogd @{exec_path} {
|
|||||||
/var/log/libvirt/qemu/*.log rw,
|
/var/log/libvirt/qemu/*.log rw,
|
||||||
|
|
||||||
@{run}/virtlogd.pid rwk,
|
@{run}/virtlogd.pid rwk,
|
||||||
|
@{run}/libvirt/common/system.token rwk,
|
||||||
|
|
||||||
@{sys}/devices/system/node/ r,
|
@{sys}/devices/system/node/ r,
|
||||||
@{sys}/devices/system/node/node[0-9]*/meminfo r,
|
@{sys}/devices/system/node/node[0-9]*/meminfo r,
|
||||||
|
@ -13,19 +13,13 @@ profile wpa-supplicant @{exec_path} {
|
|||||||
include <abstractions/nameservice>
|
include <abstractions/nameservice>
|
||||||
include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
|
|
||||||
# To remove the following errors:
|
capability chown,
|
||||||
# wpa_supplicant[]: wlan0: Failed to initialize driver interface
|
capability dac_override,
|
||||||
|
capability dac_read_search,
|
||||||
|
capability fsetid,
|
||||||
|
capability mknod,
|
||||||
capability net_admin,
|
capability net_admin,
|
||||||
capability net_raw,
|
capability net_raw,
|
||||||
|
|
||||||
# To remove the following errors:
|
|
||||||
# wpa_supplicant[]: Failed to initialize control interface 'DIR=/run/wpa_supplicant
|
|
||||||
# GROUP=netdev'. You may have another wpa_supplicant process already running or the file was
|
|
||||||
# left by an unclean termination of wpa_supplicant in which case you will need to manually
|
|
||||||
# remove this file before starting wpa_supplicant again.
|
|
||||||
capability chown,
|
|
||||||
|
|
||||||
capability fsetid,
|
|
||||||
capability sys_module,
|
capability sys_module,
|
||||||
|
|
||||||
network packet raw,
|
network packet raw,
|
||||||
@ -33,6 +27,8 @@ profile wpa-supplicant @{exec_path} {
|
|||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
@{HOME}/.cat_installer/*.pem r,
|
||||||
|
|
||||||
owner @{run}/wpa_supplicant/{,**} rw,
|
owner @{run}/wpa_supplicant/{,**} rw,
|
||||||
|
|
||||||
/etc/wpa_supplicant/wpa_supplicant.conf r,
|
/etc/wpa_supplicant/wpa_supplicant.conf r,
|
||||||
@ -46,7 +42,6 @@ profile wpa-supplicant @{exec_path} {
|
|||||||
@{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/name r,
|
@{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/name r,
|
||||||
|
|
||||||
# For wpa_gui
|
# For wpa_gui
|
||||||
#capability dac_override,
|
|
||||||
#/etc/wpa_supplicant/wpa_supplicant.conf w,
|
#/etc/wpa_supplicant/wpa_supplicant.conf w,
|
||||||
#/etc/wpa_supplicant/wpa_supplicant.conf.tmp rw,
|
#/etc/wpa_supplicant/wpa_supplicant.conf.tmp rw,
|
||||||
|
|
||||||
|
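Review bot: The first wpa-supplicant hunk grants `capability dac_override,`, `capability dac_read_search,` and `capability mknod,` while dropping the comment block that recorded why `chown` and `fsetid` were needed, and the third hunk removes the `#capability dac_override,` line that had deliberately been kept commented out under `# For wpa_gui`; a root daemon that parses 802.11 frames now bypasses discretionary access checks with no recorded justification. Please keep a why-comment per non-obvious capability, e.g. `# dac_override, dac_read_search: <denial log line that triggered them>` and `# mknod: <reason>`, so the grant can be re-evaluated later rather than inherited silently. If `dac_override` is still only for wpa_gui, say so in the comment, since capability rules cannot be scoped to a child here. The enclosing profile starts and ends outside these hunks.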
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = /{usr/,}bin/xdg-mime
|
@{exec_path} = /{usr/,}bin/xdg-mime
|
||||||
profile xdg-mime @{exec_path} {
|
profile xdg-mime @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/freedesktop.org>
|
include <abstractions/freedesktop.org>
|
||||||
|
|
||||||
@ -55,6 +55,7 @@ profile xdg-mime @{exec_path} {
|
|||||||
|
|
||||||
# file_inherit
|
# file_inherit
|
||||||
@{MOUNTS}/** rw,
|
@{MOUNTS}/** rw,
|
||||||
|
/dev/dri/card[0-9]* rw,
|
||||||
|
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
|
|
||||||
|