feat(profiles): general update.

This commit is contained in:
Alexandre Pujol 2023-08-22 23:23:47 +01:00
parent 7273bde534
commit 96b8f96137
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
33 changed files with 185 additions and 131 deletions


@ -13,6 +13,7 @@
unix type=stream addr="@/tmp/.X11-unix/X[0-9]*",
/tmp/.X11-unix/* rw,
/tmp/.ICE-unix/* rw,
/tmp/.X{0,1}-lock rw,
# Available Xsessions
/usr/share/xsessions/{,*.desktop} r,
@ -23,10 +24,10 @@
# Xauthority files required for X connections, per user
owner @{HOME}/.Xauthority r,
owner /tmp/xauth_@{rand6} r,
owner /tmp/xauth_@{rand6} rl -> /tmp/#@{int},
owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
owner @{run}/user/@{uid}/X11/Xauthority r,
owner @{run}/user/@{uid}/xauth_@{rand6} rl,
owner @{run}/user/@{uid}/xauth_@{rand6} rl -> @{run}/user/@{uid}/#@{int},
# Xwayland
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
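Review bot: `/tmp/.X{0,1}-lock rw,` (L17, which appears to be the added line) grants write access to the X server's display lock file to every profile that includes this shared abstraction, although clients only need to detect the display; unless a client was observed writing it, `/tmp/.X{0,1}-lock r,` is enough here and `rw` belongs in the server profiles that create the lock. The two rewritten link rules (`rl -> /tmp/#@{int}`, `rl -> @{run}/user/@{uid}/#@{int}`) are an improvement over the unbounded `rl`.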


@ -28,8 +28,8 @@
deny @{HOME}/.fetchmail* mrwkl,
deny @{HOME}/.lesshst* mrwkl,
deny @{HOME}/.mozilla/{,**} mrwkl,
deny @{HOME}/.mutt** mrwkl,
deny @{HOME}/.thunderbird mrwkl,
deny @{HOME}/.mutt* mrwkl,
deny @{HOME}/.thunderbird/{,**} mrwkl,
deny @{HOME}/.viminfo* mrwkl,
deny @{HOME}/.wget-hsts mrwkl,
deny @{HOME}/@{XDG_GPG_DIR}/{,**} mrwkl,
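Review bot: Replacing `deny @{HOME}/.mutt** mrwkl,` with `deny @{HOME}/.mutt* mrwkl,` (L38 → L40) narrows the deny: `*` does not cross `/`, so `~/.muttrc` and the `~/.mutt` directory entry are still covered but files inside `~/.mutt/` (rc fragments, cached headers, certificates) no longer are. The thunderbird entry was widened to `.thunderbird/{,**}` in the same hunk; the mutt entry should take the same shape, `deny @{HOME}/.mutt* mrwkl,` plus `deny @{HOME}/.mutt/{,**} mrwkl,`.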


@ -18,5 +18,6 @@
/dev/kmsg w,
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
@{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
include if exists <abstractions/systemd-common.d>


@ -46,7 +46,9 @@ profile akonadi_archivemail_agent @{exec_path} {
owner @{user_config_dirs}/kdedefaults/kwinrc r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwinrc r,
owner @{user_share_dirs}/akonadi/file_db_data/{,**} r,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/random/boot_id r,


@ -21,6 +21,7 @@ profile akonadi_contacts_resource @{exec_path} {
@{exec_path} mr,
/usr/share/akonadi/plugins/serializer/{,*.desktop} r,
/usr/share/hwdata/*.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
@ -39,7 +40,8 @@ profile akonadi_contacts_resource @{exec_path} {
owner @{user_config_dirs}/kwinrc r,
owner @{user_share_dirs}/contacts/ r,
owner @{user_share_dirs}/contacts/*.vcf w,
@{PROC}/sys/kernel/core_pattern r,
/dev/tty r,


@ -46,6 +46,8 @@ profile akonadi_maildispatcher_agent @{exec_path} {
owner @{user_config_dirs}/kwinrc r,
owner @{user_config_dirs}/specialmailcollectionsrc r,
owner @{user_share_dirs}/akonadi/file_db_data/{,**} r,
@{PROC}/sys/kernel/core_pattern r,
/dev/tty r,


@ -88,7 +88,7 @@ profile child-open {
@{bin}/thunderbird rPx,
@{bin}/transmission-gtk rPx,
@{bin}/viewnior rPUx,
@{bin}/vlc rPx,
@{bin}/vlc rPUx,
@{bin}/xarchiver rPx,
@{lib}/libreoffice/program/{soffice,soffice.bin,oosplash} rPUx,
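Review bot: `@{bin}/vlc rPUx,` (L94) runs vlc unconfined whenever no vlc profile is loaded, whereas the previous `rPx` failed closed. If the intent is that the vlc profile is optional, say so next to the rule (`# vlc profile is optional; falls back to unconfined`); otherwise keep `rPx` so a missing or disabled vlc profile is noticed rather than bypassed.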


@ -53,6 +53,7 @@ profile child-systemctl flags=(attach_disconnected) {
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/comm r,
owner @{PROC}/@{pid}/stat r,
/dev/kmsg w,


@ -10,20 +10,14 @@ include <tunables/global>
profile xhost @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
unix (send, receive, connect) type=stream peer=(addr=@/tmp/.X11-unix/*, label=xorg),
include <abstractions/X-strict>
@{exec_path} mr,
owner @{HOME}/.Xauthority r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
/tmp/.X11-unix/* rw,
# file_inherit
/dev/tty@{int} rw,
owner @{HOME}/.xsession-errors w,
/dev/tty@{int} rw,
# Silencer
deny @{user_share_dirs}/gvfs-metadata/* r,
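Review bot: The removed `unix (send, receive, connect) type=stream peer=(addr=@/tmp/.X11-unix/*, label=xorg),` (L114) pinned xhost to a peer confined by the xorg profile; the `abstractions/X-strict` include that replaces it carries a unix rule without any `label=` (L14 in the first section), so that peer restriction is lost and xhost may now talk to whatever is listening at the X abstract socket. If that is accepted because Xwayland serves the same socket under a different label, a comment beside the include (`# X-strict carries no peer label: xorg and xwayland both serve this socket`) records the trade-off; otherwise keep a local `unix ... peer=(label=xorg)` rule next to the include.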


@ -10,11 +10,10 @@ include <tunables/global>
@{exec_path} = @{bin}/xkbcomp
profile xkbcomp @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/X-strict>
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
unix (send,receive) type=stream addr=none peer=(label=xwayland),
unix (send,receive) type=stream addr=@/tmp/.X11-unix/X[0-9]* peer=(label=gsd-xsettings),
@{exec_path} mr,
@ -23,7 +22,6 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) {
/var/lib/xkb/server-@{int}.xkm w,
/var/lib/xkb/compiled/server-@{int}.xkm rw,
owner @{HOME}/.Xauthority r,
owner @{HOME}/*.{xkb,xkm} rw,
owner @{user_share_dirs}/xorg/Xorg.@{int}.log w,
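Review bot: `unix (send,receive) type=stream addr=@/tmp/.X11-unix/X[0-9]* peer=(label=gsd-xsettings),` (L137) leaves the abstract address unquoted while the rule it sits next to (L134) and the xwayland rule in this commit (L178) quote it as `"@/tmp/.X11-unix/X[0-9]*"`; pick one spelling, preferably the quoted form, so the glob is not misread by a future parser change. The profile body continues outside the hunk.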


@ -14,11 +14,11 @@ profile xrdb @{exec_path} {
@{exec_path} mr,
@{bin}/{,*-}cpp-[0-9]* rix,
@{bin}/{,ba,da}sh rix,
@{bin}/cpp rix,
@{lib}/gcc/*/@{int}/cc1 rix,
@{lib}/llvm-[0-9]*/bin/clang rix,
@{bin}/{,*-}cpp-[0-9]* rix,
@{bin}/{,ba,da}sh rix,
@{bin}/cpp rix,
@{lib}/gcc/@{multiarch}/@{int}*/cc1 rix,
@{lib}/llvm-[0-9]*/bin/clang rix,
/usr/include/stdc-predef.h r,
/usr/etc/X11/xdm/Xresources r,
@ -37,7 +37,7 @@ profile xrdb @{exec_path} {
owner /tmp/plasma-apply-lookandfeel.* r,
owner /tmp/runtime-*/xauth_@{rand6} r,
owner /tmp/startplasma-x11.@{rand6} r,
owner /tmp/xauth-[0-9]*-_[0-9] r,
owner /tmp/xauth-@{int}-_[0-9] r,
@{run}/sddm/\{@{uuid}\} r,
@{run}/sddm/xauth_@{rand6} r,


@ -18,6 +18,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
signal (receive) set=(term hup) peer=gdm*,
signal (receive) set=(term hup) peer=gnome-shell,
signal (receive) set=(term hup) peer=kwin_wayland,
signal (receive) set=(term hup) peer=login,
unix (send,receive) type=stream addr="@/tmp/.X11-unix/X[0-9]*",


@ -9,6 +9,11 @@ include <tunables/global>
@{exec_path} = @{lib}/kf5/kconf_update
profile kconf_update @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/perl>
include <abstractions/python>
@ -35,32 +40,48 @@ profile kconf_update @{exec_path} {
/etc/xdg/kdeglobals r,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/akregatorrc r,
owner @{user_config_dirs}/kateschemarc r,
owner @{user_config_dirs}/kcminputrc r,
owner @{user_config_dirs}/kconf_updaterc r,
owner @{user_config_dirs}/kconf_updaterc.lock rk,
owner @{user_config_dirs}/kconf_updaterc* rwl,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/kwinrc r,
owner @{user_config_dirs}/kdeglobals.lock rk,
owner @{user_config_dirs}/kdeglobals* rwl,
owner @{user_config_dirs}/khotkeysrc r,
owner @{user_config_dirs}/kmixrc r,
owner @{user_config_dirs}/kscreenlockerrc r,
owner @{user_config_dirs}/ksmserverrc r,
owner @{user_config_dirs}/kwinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/akregatorrc.lock rwk,
owner @{user_config_dirs}/akregatorrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/dolphinrc.lock rwk,
owner @{user_config_dirs}/dolphinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kateschemarc.lock rwk,
owner @{user_config_dirs}/kateschemarc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kcminputrc.lock rwk,
owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kconf_updaterc.lock rwk,
owner @{user_config_dirs}/kconf_updaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kdedefaults/* r,
owner @{user_config_dirs}/kdeglobals.lock rwk,
owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/khotkeysrc.lock rwk,
owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kmixrc.lock rwk,
owner @{user_config_dirs}/kmixrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/konsolerc.lock rwk,
owner @{user_config_dirs}/konsolerc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/krunnerrc.lock rwk,
owner @{user_config_dirs}/krunnerrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/krunnerstaterc.lock rwk,
owner @{user_config_dirs}/krunnerstaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kscreenlockerrc.lock rwk,
owner @{user_config_dirs}/kscreenlockerrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/ksmserverrc.lock rwk,
owner @{user_config_dirs}/ksmserverrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kwinrc.lock rwk,
owner @{user_config_dirs}/kwinrulesrc rw,
owner @{user_config_dirs}/kwinrulesrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kwinrulesrc.lock rwk,
owner @{user_config_dirs}/kxkbrc rw,
owner @{user_config_dirs}/kxkbrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kwinrulesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kxkbrc.lock rwk,
owner @{user_config_dirs}/kxkbrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/plasmashellrc r,
owner @{user_share_dirs}/#@{int} rw,
owner /tmp/#@{int} rw,
owner /tmp/kconf_update.@{rand6} rwl,
owner /tmp/kconf_update.@{rand6}.lock rwk,
owner /tmp/kconf_update.@{rand6}{,.@{rand6}} rwl -> /tmp/#@{int},
@{PROC}/@{sys}/kernel/random/boot_id r,
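Review bot: `@{PROC}/@{sys}/kernel/random/boot_id r,` (L256) nests the `@{sys}` tunable inside `@{PROC}`, which expands to `/proc/` followed by the `/sys/` value rather than `/proc/sys/`; every other profile in this commit spells it `@{PROC}/sys/kernel/random/boot_id r,` (L62, L103), so this reads as a typo that may leave the boot_id read denied depending on how the parser collapses the doubled slash. Whether the line is new or pre-existing context is not recoverable from the rendered hunk, but it is inside the touched region and worth correcting here.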


@ -32,12 +32,10 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/powerdevilrc rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/powerdevilrc rwl,
owner @{user_config_dirs}/powerdevilrc.lock rwk,
owner @{user_config_dirs}/powermanagementprofilesrc r,
owner @{user_config_dirs}/powermanagementprofilesrc rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/powerdevilrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk,
owner @{user_config_dirs}/powermanagementprofilesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
@{run}/systemd/inhibit/*.ref rw,
owner @{run}/user/@{uid}kcrash_[0-9]* rw,
@ -49,7 +47,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
@{sys}/class/ r,
@{sys}/class/drm/ r,
@{sys}/bus/ r,
@{sys}/devices/pci[0-9]*/@{int}/drm/card@{int}/*/status r,
@{sys}/devices/@{pci}/drm/card@{int}/*/status r,
/dev/tty rw,
/dev/rfkill r,
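Review bot: `owner @{run}/user/@{uid}kcrash_[0-9]* rw,` (L273) lacks the `/` between `@{uid}` and `kcrash_`, so it matches a path like `/run/user/1000kcrash_…` rather than the kcrash file under the user's runtime directory, and it keeps the `[0-9]*` form that the same hunk converts to `@{int}` at L279. `owner @{run}/user/@{uid}/kcrash_@{int} rw,` would fix both; whether this line is new or context cannot be told from the rendered page.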


@ -72,23 +72,23 @@ profile kded5 @{exec_path} {
owner @{user_cache_dirs}/ksycoca5_* r,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/bluedevilglobalrc rk,
owner @{user_config_dirs}/bluedevilglobalrc* rwkl,
owner @{user_config_dirs}/bluedevilglobalrc.lock rwk,
owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl,
owner @{user_config_dirs}/gtk-{3,4}/settings.ini.lock rk,
owner @{user_config_dirs}/kcminputrc r,
owner @{user_config_dirs}/kconf_updaterc r,
owner @{user_config_dirs}/kcookiejarrc r,
owner @{user_config_dirs}/kdebugrc r,
owner @{user_config_dirs}/kded5rc.lock rwk,
owner @{user_config_dirs}/kded5rc* rwl,
owner @{user_config_dirs}/kded5rc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kdedefaults/{,**} r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/khotkeysrc.lock rwk,
owner @{user_config_dirs}/khotkeysrc* rwl,
owner @{user_config_dirs}/kioslaverc r,
owner @{user_config_dirs}/kioslaverc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/ktimezonedrc r,
owner @{user_config_dirs}/kwinrc.lock rwk,
owner @{user_config_dirs}/kwinrc* rwl,
owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kxkbrc r,
owner @{user_config_dirs}/libaccounts-glib/ rw,
owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
@ -99,9 +99,9 @@ profile kded5 @{exec_path} {
owner @{user_config_dirs}/xsettingsd/{,**} rw,
owner @{user_share_dirs}/icc/{,edid-*} r,
owner @{user_share_dirs}/kcookiejar/#*[0-9] rw,
owner @{user_share_dirs}/kcookiejar/cookies rw,
owner @{user_share_dirs}/kcookiejar/cookies.@{rand6} rwlk,
owner @{user_share_dirs}/kcookiejar/#@{int} rw,
owner @{user_share_dirs}/kcookiejar/cookies.lock rwk,
owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwl -> @{user_share_dirs}/kcookiejar/#@{int},
owner @{user_share_dirs}/kded5/{,**} rw,
owner @{user_share_dirs}/kscreen/{,**} rwl,
owner @{user_share_dirs}/kservices5/{,**} r,
@ -109,6 +109,7 @@ profile kded5 @{exec_path} {
owner @{user_share_dirs}/remoteview/ r,
owner @{user_share_dirs}/services5/{,**} r,
@{run}/mount/utab r,
owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/gvfs/ r,
owner @{run}/user/@{uid}/kded5*kioworker.socket rwl,
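Review bot: `owner @{user_config_dirs}/khotkeysrc* rwl,` (L304) keeps the open wildcard and an unconstrained link rule while the neighbouring `bluedevilglobalrc`, `kded5rc` and `kwinrc` entries in this hunk were rewritten to `{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}`; applying the same shape, `owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},`, bounds the link target like the others. Separately, `gtk-{3,4}.0/{,**} rwl` (L292) and `gtk-{3,4}/settings.ini.lock rk` (L293) disagree on the directory name, so one of them probably never matches.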


@ -9,7 +9,9 @@ include <tunables/global>
@{exec_path} = @{lib}/kf5/kioslave5
profile kioslave5 @{exec_path} {
include <abstractions/base>
include <abstractions/deny-sensitive-home>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
@ -18,6 +20,7 @@ profile kioslave5 @{exec_path} {
include <abstractions/qt5>
include <abstractions/ssl_certs>
include <abstractions/trash>
include <abstractions/vulkan>
network inet dgram,
network inet6 dgram,
@ -26,6 +29,7 @@ profile kioslave5 @{exec_path} {
network netlink raw,
network netlink dgram,
signal (receive) set=term peer=dolphin,
signal (receive) set=term peer=firefox-kmozillahelper,
signal (receive) set=term peer=plasmashell,
@ -39,6 +43,7 @@ profile kioslave5 @{exec_path} {
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/kservices5/{,**} r,
/usr/share/kservicetypes5/*.desktop r,
/usr/share/mime/ r,
/etc/fstab r,
/etc/xdg/kdeglobals r,
@ -46,11 +51,24 @@ profile kioslave5 @{exec_path} {
/etc/xdg/kwinrc r,
/etc/xdg/menus/{,**} r,
owner @{MOUNTDIRS}/** r,
# Full access to user's data
/ r,
/*/ r,
@{bin}/ r,
@{lib}/ r,
@{MOUNTDIRS}/ r,
@{MOUNTS}/ r,
@{MOUNTS}/** rw,
owner @{HOME}/{,**} rw,
owner @{run}/user/@{uid}/{,**} rw,
owner /tmp/{,**} rw,
owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
owner @{HOME}/@{XDG_DESKTOP_DIR}/.directory r,
owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
# Silence non user's data
deny /boot/{,**} r,
deny /opt/{,**} r,
deny /root/{,**} r,
deny /tmp/.* rw,
deny /tmp/.*/{,**} rw,
owner @{user_cache_dirs}/ksycoca5_* r,
owner @{user_cache_dirs}/thumbnails/*/ r,
@ -61,8 +79,11 @@ profile kioslave5 @{exec_path} {
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwinrc r,
owner @{user_share_dirs}/baloo/index-lock rwk,
owner @{user_share_dirs}/baloo/index rw,
owner @{user_share_dirs}/baloo/index-lock rwk,
owner @{user_share_dirs}/kactivitymanagerd/resources/database rk,
owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk,
owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw,
@{run}/mount/utab r,
owner @{run}/user/@{uid}/#@{int} rw,
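Review bot: Under `# Full access to user's data`, `@{MOUNTS}/** rw,` (L377) is the only data rule without `owner`, so kioslave5 gets read/write on every file of every mounted volume regardless of who owns it, while the `@{HOME}`, `@{run}/user/@{uid}` and `/tmp` rules beside it are owner-qualified; `owner @{MOUNTS}/** rw,` is the consistent form, assuming removable media is mounted with the user's uid (confirm against the mount setup). The added `deny /tmp/.* rw,` and `deny /tmp/.*/{,**} rw,` do override `owner /tmp/{,**} rw,` since deny rules win regardless of order; stating that in the `# Silence non user's data` comment would spare a reader from assuming the later allow wins.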


@ -35,7 +35,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
network inet6 stream,
network netlink raw,
ptrace read peer=pinentry-qt,
ptrace (read) peer=pinentry-qt,
ptrace (read) peer=kded5,
signal (send),
@ -101,10 +102,11 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_cache_dirs}/ksycoca5_* rl,
owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw,
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwlk,
owner @{user_cache_dirs}/plasma-svgelements.{,@{rand6}} rwlk -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
owner @{user_cache_dirs}/plasma-svgelements* rwl,
owner @{user_cache_dirs}/plasmashell/qmlcache/{,**} rwl,
owner @{user_cache_dirs}/bookmarksrunner/ rw,
owner @{user_cache_dirs}/bookmarksrunner/** rwkl -> @{user_cache_dirs}/bookmarksrunner/#@{int},
owner @{user_config_dirs}/#@{int} rwk,
owner @{user_config_dirs}/*kde*.desktop* r,
@ -116,9 +118,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_config_dirs}/kactivitymanagerd-statsrc r,
owner @{user_config_dirs}/{KDE,kde.org}/ rw,
owner @{user_config_dirs}/{KDE,kde.org}/** rwkl -> @{user_config_dirs}/{KDE,kde.org}/#@{int},
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/kwinrc r,
owner @{user_config_dirs}/kdedefaults/plasmarc r,
owner @{user_config_dirs}/kdedefaults/* r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kioslaverc r,
owner @{user_config_dirs}/klipperrc r,
@ -149,6 +149,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_share_dirs}/plasma/plasmoids/{,**} r,
owner @{user_share_dirs}/user-places.xbel r,
owner /tmp/#@{int} rw,
@{run}/mount/utab r,
@{run}/user/@{uid}/gvfs/ r,
owner @{run}/user/@{uid}/#@{int} rw,
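Review bot: `owner @{user_cache_dirs}/plasma-svgelements.{,@{rand6}} rwlk -> @{user_cache_dirs}/#@{int},` (L418) puts the dot outside the alternation, so it matches `plasma-svgelements.` and `plasma-svgelements.XXXXXX` but never the final file `plasma-svgelements`; everywhere else in this commit the pattern is `name{,.@{rand6}}`, i.e. `plasma-svgelements{,.@{rand6}}`. With that glob fixed, the adjacent `owner @{user_cache_dirs}/plasma-svgelements* rwl,` (L420) becomes redundant if it is meant to survive, and the `.lock` rule plus the link rule cover the file, its temp copy and the lock.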


@ -26,6 +26,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
capability dac_override,
capability dac_read_search,
capability fowner,
capability kill,
capability net_admin,
capability setgid,
capability setuid,
@ -35,7 +36,10 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
network netlink raw,
ptrace (trace) peer=@{profile_name},
ptrace (read) peer=unconfined,
ptrace (read) peer=kwalletd5,
signal (send) set=(kill, term) peer=startplasma,
signal (send) set=(kill, term) peer=xorg,
@{exec_path} mr,
@ -116,9 +120,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_share_dirs}/ w,
owner @{user_share_dirs}/kwalletd/ rw,
owner @{user_share_dirs}/kwalletd/kdewallet.salt r,
owner @{user_share_dirs}/kwalletd/kdewallet.salt rw,
owner @{user_share_dirs}/sddm/ w,
owner @{user_share_dirs}/sddm/wayland-session.log w,
owner @{user_share_dirs}/sddm/xorg-session.log w,
/tmp/sddm-* rw,
@ -130,6 +134,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{run}/faillock/[a-zA-z0-9]* rwk,
@{run}/sddm.pid rw,
@{run}/sddm/\{@{uuid}\} rw,
@{run}/sddm/#@{int} rw,
@{run}/sddm/xauth_@{rand6} rwl -> @{run}/sddm/#@{int},
@{run}/systemd/sessions/*.ref rw,
@{run}/user/@{uid}/xauth_@{rand6} rwl,
@ -137,7 +142,11 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/kwallet5.socket rw,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/meminfo r,
@{PROC}/ r,
@{PROC}/uptime r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/stat r,
@{PROC}/sys/kernel/core_pattern r,
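Review bot: `@{run}/faillock/[a-zA-z0-9]* rwk,` (L473) has `A-z` where `A-Z` was meant; that range also spans `[`, `\`, `]`, `^`, `_` and the backtick, so the glob is wider than intended — `[a-zA-Z0-9]*` fixes it. The new `@{PROC}/@{pids}/cmdline r,` and `@{PROC}/@{pids}/stat r,` (L487–L488) are not `owner`-qualified and let the display manager read the command line of every process on the system; if sddm only needs its own session children, `owner` narrows it, and a comment on what requires it would help either way. `kdewallet.salt` going from `r` to `rw` (L467) is presumably for the PAM wallet module creating the salt on first login — worth a comment once confirmed.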


@ -13,6 +13,7 @@ profile bootctl @{exec_path} {
include <abstractions/disks-read>
capability mknod,
capability net_admin,
signal (send) peer=child-pager,


@ -68,8 +68,6 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
@{sys}/kernel/uevent_seqnum r,
@{sys}/devices/**/read_ahead_kb r,
@{sys}/fs/cgroup/system.slice/systemd-homed.service/memory.pressure rw,
@{PROC}/devices r,
@{PROC}/sysvipc/{shm,sem,msg} r,
owner @{PROC}/@{pid}/gid_map w,


@ -30,7 +30,8 @@ profile systemd-journald @{exec_path} {
@{run}/log/ rw,
/{run,var}/log/journal/ rw,
/{run,var}/log/journal/@{md5}/{,*} rw -> /{run,var}/log/journal/@{md5}/**,
/{run,var}/log/journal/@{md5}/ rw,
/{run,var}/log/journal/@{md5}/* rw -> /{run,var}/log/journal/@{md5}/#@{int},
owner @{run}/systemd/journal/{,**} rw,
owner @{run}/systemd/notify rw,


@ -128,7 +128,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
@{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
@{sys}/fs/cgroup/memory.max r,
@{sys}/fs/cgroup/memory/memory.limit_in_bytes r,
@{sys}/fs/cgroup/system.slice/systemd-logind.service/memory.pressure rw,
@{sys}/module/vt/parameters/default_utf8 r,
@{sys}/power/{state,resume_offset,resume,disk} r,


@ -71,7 +71,5 @@ profile systemd-machined @{exec_path} {
@{run}/systemd/userdb/io.systemd.Machine rw,
@{run}/systemd/notify w,
@{sys}/fs/cgroup/system.slice/systemd-machined.service/memory.pressure rw,
include if exists <local/systemd-machined>
}


@ -9,8 +9,8 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-oomd
profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/systemd-common>
include <abstractions/dbus-strict>
include <abstractions/systemd-common>
capability dac_override,
capability kill,
@ -33,7 +33,6 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
@{sys}/fs/cgroup/cgroup.controllers r,
@{sys}/fs/cgroup/memory.pressure r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r,
@{PROC}/pressure/{cpu,io,memory} r,


@ -55,8 +55,6 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/resolve/{,**} rw,
owner @{run}/systemd/journal/socket w,
owner @{sys}/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure rw,
@{PROC}/sys/kernel/hostname r,
@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,


@ -37,8 +37,6 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
owner /var/lib/systemd/timesync/clock rw,
@{sys}/fs/cgroup/system.slice/systemd-timesyncd.service/memory.pressure rw,
owner @{run}/systemd/journal/socket w,
owner @{run}/systemd/timesync/synchronized rw,
@{run}/resolvconf/*.conf r,


@ -34,7 +34,7 @@ profile systemd-vconsole-setup @{exec_path} {
@{sys}/module/vt/parameters/default_utf8 w,
/dev/tty@{int} rw,
/dev/tty@{int} rwk,
include if exists <local/systemd-vconsole-setup>
}


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/{dumpe2fs,e2mmpstatus}
@{exec_path} = @{bin}/dumpe2fs @{bin}/e2mmpstatus
profile dumpe2fs @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -12,48 +13,47 @@ profile localepurge @{exec_path} {
include <abstractions/consoles>
@{exec_path} r,
@{bin}/{,ba,da}sh rix,
@{bin}/fgrep rix,
@{bin}/chmod rix,
@{bin}/mkdir rix,
@{bin}/touch rix,
@{bin}/ls rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/sort rix,
@{bin}/basename rix,
@{bin}/chmod rix,
@{bin}/du rix,
@{bin}/fgrep rix,
@{bin}/find rix,
@{bin}/ls rix,
@{bin}/mkdir rix,
@{bin}/mv rix,
@{bin}/rm rix,
@{bin}/sort rix,
@{bin}/touch rix,
@{bin}/tr rix,
@{bin}/du rix,
@{bin}/xargs rix,
@{bin}/basename rix,
@{bin}/find rix,
@{bin}/df rPx,
owner @{PROC}/@{pid}/fd/ r,
# Dirs cleaned from locales
/usr/share/{gnome/,}help/{,**/} r,
/usr/share/{gnome/,}help/**/** w,
/usr/share/{locale,man,omf,calendar}/{,**/} r,
/usr/share/{locale,man,omf,calendar}/**/** w,
/usr/share/aptitude/{,*} r,
/usr/share/aptitude/* w,
/usr/share/cups/{templates,locale,doc-root}/{,**/} r,
/usr/share/cups/{templates,locale,doc-root}/**/** w,
/usr/share/vim/ r,
/usr/share/vim/vim[0-9]*/lang/{,**/} r,
/usr/share/vim/vim[0-9]*/lang/**/** w,
/usr/share/X11/locale/**/** w,
/etc/locale.nopurge r,
owner /var/cache/localepurge/localelist r,
owner /var/cache/localepurge/localelist-new{,.temp} rw,
# Dirs cleaned from locales
/usr/share/{locale,man,omf,calendar}/{,**/} r,
/usr/share/{locale,man,omf,calendar}/**/** w,
/usr/share/{gnome/,}help/{,**/} r,
/usr/share/{gnome/,}help/**/** w,
/usr/share/cups/{templates,locale,doc-root}/{,**/} r,
/usr/share/cups/{templates,locale,doc-root}/**/** w,
/usr/share/vim/ r,
/usr/share/vim/vim[0-9]*/lang/{,**/} r,
/usr/share/vim/vim[0-9]*/lang/**/** w,
/usr/share/X11/locale/{,**/} r,
/usr/share/X11/locale/**/** w,
/usr/share/aptitude/{,*} r,
/usr/share/aptitude/* w,
/tmp/ r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/localepurge>
}


@ -17,6 +17,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
capability checkpoint_restore,
capability dac_read_search,
capability kill,
capability sys_ptrace,
ptrace (read),


@ -12,6 +12,11 @@ profile needrestart-apt-pinvoke @{exec_path} {
include <abstractions/consoles>
include <abstractions/dbus-strict>
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.login1, label=systemd-logind),
@{exec_path} mr,
@{bin}/{,ba,da}sh rix,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{steam_lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}
@{lib_dirs} = @{user_share_dirs}/Steam/ubuntu@{int}_{32,64}
@{exec_path} = @{user_share_dirs}/Steam/steam.sh
profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) {
include <abstractions/base>
@ -84,20 +84,20 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
@{bin}/zenity rix,
@{lib}/ld-linux.so* rix,
@{steam_lib_dirs}/*.so* mr,
@{steam_lib_dirs}/*driverquery rix,
@{steam_lib_dirs}/fossilize_replay rpx,
@{steam_lib_dirs}/gameoverlayui rpx,
@{steam_lib_dirs}/panorama/** rm,
@{steam_lib_dirs}/reaper rpx,
@{steam_lib_dirs}/steam rix,
@{steam_lib_dirs}/steam-runtime-heavy.sh rix,
@{steam_lib_dirs}/steam-runtime{,-heavy}/{amd64,i386}/usr/bin/* rix,
@{steam_lib_dirs}/steam-runtime{,-heavy}/{setup,run}.sh rix,
@{steam_lib_dirs}/steam-runtime/{usr/,}lib{exec,}/** mrix,
@{steam_lib_dirs}/steamwebhelper rix,
@{steam_lib_dirs}/steamwebhelper.sh rix,
@{steam_lib_dirs}/swiftshader/* rm,
@{lib_dirs}/*.so* mr,
@{lib_dirs}/*driverquery rix,
@{lib_dirs}/fossilize_replay rpx,
@{lib_dirs}/gameoverlayui rpx,
@{lib_dirs}/panorama/** rm,
@{lib_dirs}/reaper rpx,
@{lib_dirs}/steam rix,
@{lib_dirs}/steam-runtime-heavy.sh rix,
@{lib_dirs}/steam-runtime{,-heavy}/{amd64,i386}/usr/bin/* rix,
@{lib_dirs}/steam-runtime{,-heavy}/{setup,run}.sh rix,
@{lib_dirs}/steam-runtime/{usr/,}lib{exec,}/** mrix,
@{lib_dirs}/steamwebhelper rix,
@{lib_dirs}/steamwebhelper.sh rix,
@{lib_dirs}/swiftshader/* rm,
@{user_share_dirs}/Steam/config/widevine/linux-x64/libwidevinecdm.so mr,
@{user_share_dirs}/Steam/steamapps/common/SteamLinuxRuntime_soldier/*entry-point rpx,
@ -113,14 +113,14 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
/etc/machine-id r,
/var/lib/dbus/machine-id r,
@{bin}/ r,
@{lib}/ r,
/ r,
/{usr/,}{local/,} r,
/{usr/,}{local/,}share/ r,
@{lib}/ r,
/etc/ r,
/home/ r,
/run/ r,
/usr/bin/ r,
/var/ r,
owner @{HOME}/ r,
@ -149,18 +149,18 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner /dev/shm/#@{int} rw,
owner /dev/shm/fossilize-*-[0-9]*-[0-9]* rw,
owner /dev/shm/fossilize-*-@{int}-@{int} rw,
owner /dev/shm/u@{uid}-Shm_@{hex} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
owner /dev/shm/ValveIPCSHM_@{uid} rw,
owner /tmp/dumps/ rw,
owner /tmp/dumps/{assert,crash}_[0-9]*_[0-9]*.dmp rw,
owner /tmp/dumps/{assert,crash}_@{int}_@{int}.dmp rw,
owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw,
owner /tmp/miles_image_* mrw,
owner /tmp/runtime-info.txt.* rwk,
owner /tmp/sh-thd.* rw,
owner /tmp/steam_chrome_shmem_uid@{uid}_spid[0-9]* rw,
owner /tmp/steam_chrome_shmem_uid@{uid}_spid@{int} rw,
@{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
@{run}/udev/data/+sound* r,


@ -12,6 +12,8 @@ profile whiptail @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search,
@{exec_path} mr,
/etc/newt/palette.ubuntu r,
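Review bot: `capability dac_read_search,` (L769) lets whiptail bypass file read and directory search permission checks system-wide, which is a lot for a dialog renderer; since the profile is in `complain` mode this was presumably logged from a root-run script feeding whiptail a protected file, and the real need may be a specific path rule rather than the capability. If it is kept, record the trigger beside it with a comment such as `# dac_read_search: needed by <caller/path that triggered it — TODO confirm>`. The profile body continues outside the hunk.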