feat(profiles): general update.
This commit is contained in:
parent
7273bde534
commit
96b8f96137
@ -13,6 +13,7 @@
|
||||
unix type=stream addr="@/tmp/.X11-unix/X[0-9]*",
|
||||
/tmp/.X11-unix/* rw,
|
||||
/tmp/.ICE-unix/* rw,
|
||||
/tmp/.X{0,1}-lock rw,
|
||||
|
||||
# Available Xsessions
|
||||
/usr/share/xsessions/{,*.desktop} r,
|
||||
@ -23,10 +24,10 @@
|
||||
|
||||
# Xauthority files required for X connections, per user
|
||||
owner @{HOME}/.Xauthority r,
|
||||
owner /tmp/xauth_@{rand6} r,
|
||||
owner /tmp/xauth_@{rand6} rl -> /tmp/#@{int},
|
||||
owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
|
||||
owner @{run}/user/@{uid}/X11/Xauthority r,
|
||||
owner @{run}/user/@{uid}/xauth_@{rand6} rl,
|
||||
owner @{run}/user/@{uid}/xauth_@{rand6} rl -> @{run}/user/@{uid}/#@{int},
|
||||
|
||||
# Xwayland
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
|
||||
|
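Review bot: `/tmp/.X{0,1}-lock rw,` gives write, and therefore delete, access on the display lock files to every profile that includes this file, although a client only ever reads the pid stored there; `/tmp/.X@{int}-lock r,` is the least-privilege form and also lines up with the `X[0-9]*` display numbering of the unix rule above instead of stopping at displays :0 and :1. If something that includes this abstraction genuinely creates the lock, that is the display server's job and the write rule belongs in its own profile. The Xauthority rules in the second hunk suggest this is the X client abstraction, but the file name is not on the page, so treat the point as conditional on that.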
@ -28,8 +28,8 @@
|
||||
deny @{HOME}/.fetchmail* mrwkl,
|
||||
deny @{HOME}/.lesshst* mrwkl,
|
||||
deny @{HOME}/.mozilla/{,**} mrwkl,
|
||||
deny @{HOME}/.mutt** mrwkl,
|
||||
deny @{HOME}/.thunderbird mrwkl,
|
||||
deny @{HOME}/.mutt* mrwkl,
|
||||
deny @{HOME}/.thunderbird/{,**} mrwkl,
|
||||
deny @{HOME}/.viminfo* mrwkl,
|
||||
deny @{HOME}/.wget-hsts mrwkl,
|
||||
deny @{HOME}/@{XDG_GPG_DIR}/{,**} mrwkl,
|
||||
|
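Review bot: Narrowing `deny @{HOME}/.mutt** mrwkl,` to `deny @{HOME}/.mutt* mrwkl,` drops coverage of everything inside `~/.mutt/`, because a single `*` does not cross `/`: `~/.muttrc` stays denied, but `~/.mutt/muttrc` (the usual home of IMAP/SMTP passwords) and any other file under that directory become reachable again for every profile that includes this abstraction. If the intent was the same shape as the `.thunderbird/{,**}` rule that replaces the bare `.thunderbird` entry, write it as `deny @{HOME}/.mutt{rc,/{,**}} mrwkl,` or simply keep the `**`. The hunk does not show the surrounding rules, so this assumes no other line still covers `.mutt/`.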
@ -18,5 +18,6 @@
|
||||
/dev/kmsg w,
|
||||
|
||||
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
|
||||
@{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
|
||||
|
||||
include if exists <abstractions/systemd-common.d>
|
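Review bot: `@{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,` only fits a profile whose name equals its unit name and whose unit sits directly in `system.slice`; a profile attached under another name, a child profile (whose `@{profile_name}` carries the `parent//child` form) or a unit in a sub-slice silently loses the rule with no parse-time signal, and the per-profile copies this commit deletes elsewhere on the page (homed, logind, machined, resolved, timesyncd) now depend on it. A comment next to the rule would save the next reader a surprise, e.g. `# assumes unit name == profile name and the unit lives in system.slice; add a local rule otherwise`. The resolved copy being removed carried `owner`; the shared rule drops it, which is probably harmless for a cgroup file but is a small widening worth confirming.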
@ -47,6 +47,8 @@ profile akonadi_archivemail_agent @{exec_path} {
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/kwinrc r,
|
||||
|
||||
owner @{user_share_dirs}/akonadi/file_db_data/{,**} r,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
|
@ -21,6 +21,7 @@ profile akonadi_contacts_resource @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/akonadi/plugins/serializer/{,*.desktop} r,
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
|
||||
@ -39,6 +40,7 @@ profile akonadi_contacts_resource @{exec_path} {
|
||||
owner @{user_config_dirs}/kwinrc r,
|
||||
|
||||
owner @{user_share_dirs}/contacts/ r,
|
||||
owner @{user_share_dirs}/contacts/*.vcf w,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
||||
|
@ -46,6 +46,8 @@ profile akonadi_maildispatcher_agent @{exec_path} {
|
||||
owner @{user_config_dirs}/kwinrc r,
|
||||
owner @{user_config_dirs}/specialmailcollectionsrc r,
|
||||
|
||||
owner @{user_share_dirs}/akonadi/file_db_data/{,**} r,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
||||
/dev/tty r,
|
||||
|
@ -88,7 +88,7 @@ profile child-open {
|
||||
@{bin}/thunderbird rPx,
|
||||
@{bin}/transmission-gtk rPx,
|
||||
@{bin}/viewnior rPUx,
|
||||
@{bin}/vlc rPx,
|
||||
@{bin}/vlc rPUx,
|
||||
@{bin}/xarchiver rPx,
|
||||
@{lib}/libreoffice/program/{soffice,soffice.bin,oosplash} rPUx,
|
||||
|
||||
|
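Review bot: `@{bin}/vlc rPUx,` turns a missing vlc profile into an unconfined vlc launched from a generic opener that confined applications reach through their `child-open` transition, so a sandboxed app's "open with" now yields an unconfined process whenever that profile is absent or not loaded; with `rPx` the exec is refused instead, which is the safer failure for a helper in this position. `viewnior` and the libreoffice line already use `PUx` in the context, so this may be a deliberate policy for optional profiles, but then a one-line comment saying so would help, e.g. `# PUx: fall back to unconfined when the vlc profile is not installed`. If vlc ships a profile in this tree, prefer keeping `rPx`.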
@ -53,6 +53,7 @@ profile child-systemctl flags=(attach_disconnected) {
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
owner @{PROC}/@{pid}/comm r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
|
||||
/dev/kmsg w,
|
||||
|
@ -10,20 +10,14 @@ include <tunables/global>
|
||||
profile xhost @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
unix (send, receive, connect) type=stream peer=(addr=@/tmp/.X11-unix/*, label=xorg),
|
||||
include <abstractions/X-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
/tmp/.X11-unix/* rw,
|
||||
|
||||
# file_inherit
|
||||
/dev/tty@{int} rw,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
# Silencer
|
||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||
|
||||
|
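Review bot: Replacing `unix (send, receive, connect) type=stream peer=(addr=@/tmp/.X11-unix/*, label=xorg),` with `include <abstractions/X-strict>` gives up the `label=xorg` pin; the abstraction's unix rule visible in the first hunk of this page (`unix type=stream addr="@/tmp/.X11-unix/X[0-9]*",`) carries no peer label, so xhost may now talk to any confined or unconfined process that binds that abstract address. For a tool whose whole job is editing the server's access-control list that is worth keeping tight: keep the labeled rule alongside the include, or give the abstraction a `peer=(label=xorg)` variant. The profile body continues outside the hunk, so a rule elsewhere may already cover this.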
@ -10,11 +10,10 @@ include <tunables/global>
|
||||
@{exec_path} = @{bin}/xkbcomp
|
||||
profile xkbcomp @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
|
||||
unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
|
||||
unix (send,receive) type=stream addr=none peer=(label=xwayland),
|
||||
unix (send,receive) type=stream addr=@/tmp/.X11-unix/X[0-9]* peer=(label=gsd-xsettings),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@ -23,7 +22,6 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) {
|
||||
/var/lib/xkb/server-@{int}.xkm w,
|
||||
/var/lib/xkb/compiled/server-@{int}.xkm rw,
|
||||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
owner @{HOME}/*.{xkb,xkm} rw,
|
||||
|
||||
owner @{user_share_dirs}/xorg/Xorg.@{int}.log w,
|
||||
|
@ -14,11 +14,11 @@ profile xrdb @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/{,*-}cpp-[0-9]* rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/cpp rix,
|
||||
@{lib}/gcc/*/@{int}/cc1 rix,
|
||||
@{lib}/llvm-[0-9]*/bin/clang rix,
|
||||
@{bin}/{,*-}cpp-[0-9]* rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/cpp rix,
|
||||
@{lib}/gcc/@{multiarch}/@{int}*/cc1 rix,
|
||||
@{lib}/llvm-[0-9]*/bin/clang rix,
|
||||
|
||||
/usr/include/stdc-predef.h r,
|
||||
/usr/etc/X11/xdm/Xresources r,
|
||||
@ -37,7 +37,7 @@ profile xrdb @{exec_path} {
|
||||
owner /tmp/plasma-apply-lookandfeel.* r,
|
||||
owner /tmp/runtime-*/xauth_@{rand6} r,
|
||||
owner /tmp/startplasma-x11.@{rand6} r,
|
||||
owner /tmp/xauth-[0-9]*-_[0-9] r,
|
||||
owner /tmp/xauth-@{int}-_[0-9] r,
|
||||
|
||||
@{run}/sddm/\{@{uuid}\} r,
|
||||
@{run}/sddm/xauth_@{rand6} r,
|
||||
|
@ -18,6 +18,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
signal (receive) set=(term hup) peer=gdm*,
|
||||
signal (receive) set=(term hup) peer=gnome-shell,
|
||||
signal (receive) set=(term hup) peer=kwin_wayland,
|
||||
signal (receive) set=(term hup) peer=login,
|
||||
|
||||
unix (send,receive) type=stream addr="@/tmp/.X11-unix/X[0-9]*",
|
||||
|
@ -9,6 +9,11 @@ include <tunables/global>
|
||||
@{exec_path} = @{lib}/kf5/kconf_update
|
||||
profile kconf_update @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/perl>
|
||||
include <abstractions/python>
|
||||
|
||||
@ -35,32 +40,48 @@ profile kconf_update @{exec_path} {
|
||||
/etc/xdg/kdeglobals r,
|
||||
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/akregatorrc r,
|
||||
owner @{user_config_dirs}/kateschemarc r,
|
||||
owner @{user_config_dirs}/kcminputrc r,
|
||||
owner @{user_config_dirs}/kconf_updaterc r,
|
||||
owner @{user_config_dirs}/kconf_updaterc.lock rk,
|
||||
owner @{user_config_dirs}/kconf_updaterc* rwl,
|
||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
||||
owner @{user_config_dirs}/kdedefaults/kwinrc r,
|
||||
owner @{user_config_dirs}/kdeglobals.lock rk,
|
||||
owner @{user_config_dirs}/kdeglobals* rwl,
|
||||
owner @{user_config_dirs}/khotkeysrc r,
|
||||
owner @{user_config_dirs}/kmixrc r,
|
||||
owner @{user_config_dirs}/kscreenlockerrc r,
|
||||
owner @{user_config_dirs}/ksmserverrc r,
|
||||
owner @{user_config_dirs}/kwinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/akregatorrc.lock rwk,
|
||||
owner @{user_config_dirs}/akregatorrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/dolphinrc.lock rwk,
|
||||
owner @{user_config_dirs}/dolphinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kateschemarc.lock rwk,
|
||||
owner @{user_config_dirs}/kateschemarc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kcminputrc.lock rwk,
|
||||
owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kconf_updaterc.lock rwk,
|
||||
owner @{user_config_dirs}/kconf_updaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kdedefaults/* r,
|
||||
owner @{user_config_dirs}/kdeglobals.lock rwk,
|
||||
owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
|
||||
owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/khotkeysrc.lock rwk,
|
||||
owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kmixrc.lock rwk,
|
||||
owner @{user_config_dirs}/kmixrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/konsolerc.lock rwk,
|
||||
owner @{user_config_dirs}/konsolerc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/krunnerrc.lock rwk,
|
||||
owner @{user_config_dirs}/krunnerrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/krunnerstaterc.lock rwk,
|
||||
owner @{user_config_dirs}/krunnerstaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kscreenlockerrc.lock rwk,
|
||||
owner @{user_config_dirs}/kscreenlockerrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/ksmserverrc.lock rwk,
|
||||
owner @{user_config_dirs}/ksmserverrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kwinrc.lock rwk,
|
||||
owner @{user_config_dirs}/kwinrulesrc rw,
|
||||
owner @{user_config_dirs}/kwinrulesrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kwinrulesrc.lock rwk,
|
||||
owner @{user_config_dirs}/kxkbrc rw,
|
||||
owner @{user_config_dirs}/kxkbrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kwinrulesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kxkbrc.lock rwk,
|
||||
owner @{user_config_dirs}/kxkbrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/plasmashellrc r,
|
||||
|
||||
owner @{user_share_dirs}/#@{int} rw,
|
||||
|
||||
owner /tmp/#@{int} rw,
|
||||
owner /tmp/kconf_update.@{rand6} rwl,
|
||||
owner /tmp/kconf_update.@{rand6}.lock rwk,
|
||||
owner /tmp/kconf_update.@{rand6}{,.@{rand6}} rwl -> /tmp/#@{int},
|
||||
|
||||
@{PROC}/@{sys}/kernel/random/boot_id r,
|
||||
|
||||
|
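Review bot: `@{PROC}/@{sys}/kernel/random/boot_id r,` expands to `/proc//sys/kernel/random/boot_id` (`@{sys}` is `/sys`) and appears to work only because the parser folds the doubled slash; every other profile in this commit spells it `@{PROC}/sys/kernel/random/boot_id r,` and this one should too, since as written it reads as if something under `/sys` were meant. The line is in the hunk's context, so the commit does not introduce it, but it is in the new file all the same. Separately, the new `<abstractions/perl>` and `<abstractions/python>` includes only make sense if update scripts are executed by this profile, and no exec rule for an interpreter is visible in these hunks; a comment stating which script runner the includes serve would save the next reader the search.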
@ -32,12 +32,10 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/powerdevilrc rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/powerdevilrc rwl,
|
||||
owner @{user_config_dirs}/powerdevilrc.lock rwk,
|
||||
owner @{user_config_dirs}/powermanagementprofilesrc r,
|
||||
owner @{user_config_dirs}/powermanagementprofilesrc rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/powerdevilrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk,
|
||||
owner @{user_config_dirs}/powermanagementprofilesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
|
||||
@{run}/systemd/inhibit/*.ref rw,
|
||||
owner @{run}/user/@{uid}kcrash_[0-9]* rw,
|
||||
@ -49,7 +47,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/drm/ r,
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/devices/pci[0-9]*/@{int}/drm/card@{int}/*/status r,
|
||||
@{sys}/devices/@{pci}/drm/card@{int}/*/status r,
|
||||
|
||||
/dev/tty rw,
|
||||
/dev/rfkill r,
|
||||
|
@ -72,23 +72,23 @@ profile kded5 @{exec_path} {
|
||||
owner @{user_cache_dirs}/ksycoca5_* r,
|
||||
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/bluedevilglobalrc rk,
|
||||
owner @{user_config_dirs}/bluedevilglobalrc* rwkl,
|
||||
owner @{user_config_dirs}/bluedevilglobalrc.lock rwk,
|
||||
owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl,
|
||||
owner @{user_config_dirs}/gtk-{3,4}/settings.ini.lock rk,
|
||||
owner @{user_config_dirs}/kcminputrc r,
|
||||
owner @{user_config_dirs}/kconf_updaterc r,
|
||||
owner @{user_config_dirs}/kcookiejarrc r,
|
||||
owner @{user_config_dirs}/kdebugrc r,
|
||||
owner @{user_config_dirs}/kded5rc.lock rwk,
|
||||
owner @{user_config_dirs}/kded5rc* rwl,
|
||||
owner @{user_config_dirs}/kded5rc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kdedefaults/{,**} r,
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/khotkeysrc.lock rwk,
|
||||
owner @{user_config_dirs}/khotkeysrc* rwl,
|
||||
owner @{user_config_dirs}/kioslaverc r,
|
||||
owner @{user_config_dirs}/kioslaverc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/ktimezonedrc r,
|
||||
owner @{user_config_dirs}/kwinrc.lock rwk,
|
||||
owner @{user_config_dirs}/kwinrc* rwl,
|
||||
owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kxkbrc r,
|
||||
owner @{user_config_dirs}/libaccounts-glib/ rw,
|
||||
owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
|
||||
@ -99,9 +99,9 @@ profile kded5 @{exec_path} {
|
||||
owner @{user_config_dirs}/xsettingsd/{,**} rw,
|
||||
|
||||
owner @{user_share_dirs}/icc/{,edid-*} r,
|
||||
owner @{user_share_dirs}/kcookiejar/#*[0-9] rw,
|
||||
owner @{user_share_dirs}/kcookiejar/cookies rw,
|
||||
owner @{user_share_dirs}/kcookiejar/cookies.@{rand6} rwlk,
|
||||
owner @{user_share_dirs}/kcookiejar/#@{int} rw,
|
||||
owner @{user_share_dirs}/kcookiejar/cookies.lock rwk,
|
||||
owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwl -> @{user_share_dirs}/kcookiejar/#@{int},
|
||||
owner @{user_share_dirs}/kded5/{,**} rw,
|
||||
owner @{user_share_dirs}/kscreen/{,**} rwl,
|
||||
owner @{user_share_dirs}/kservices5/{,**} r,
|
||||
@ -109,6 +109,7 @@ profile kded5 @{exec_path} {
|
||||
owner @{user_share_dirs}/remoteview/ r,
|
||||
owner @{user_share_dirs}/services5/{,**} r,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
owner @{run}/user/@{uid}/#@{int} rw,
|
||||
owner @{run}/user/@{uid}/gvfs/ r,
|
||||
owner @{run}/user/@{uid}/kded5*kioworker.socket rwl,
|
||||
|
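Review bot: `owner @{user_config_dirs}/khotkeysrc* rwl,` is left as the one config rule in this block with an open glob and no link target, while the commit converts `bluedevilglobalrc`, `kded5rc` and `kwinrc` to the bounded `name{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}` form; make it `owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},` for the same reason. The open form also matches unrelated names such as `khotkeysrc.bak`, and an `l` without `->` is a subset-link rule, so the link may point at any file the profile already has equal or wider permissions on. The `khotkeysrc` lines are context here, so this is a follow-up rather than a defect of the change itself.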
@ -9,7 +9,9 @@ include <tunables/global>
|
||||
@{exec_path} = @{lib}/kf5/kioslave5
|
||||
profile kioslave5 @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/deny-sensitive-home>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
@ -18,6 +20,7 @@ profile kioslave5 @{exec_path} {
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/trash>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
@ -26,6 +29,7 @@ profile kioslave5 @{exec_path} {
|
||||
network netlink raw,
|
||||
network netlink dgram,
|
||||
|
||||
signal (receive) set=term peer=dolphin,
|
||||
signal (receive) set=term peer=firefox-kmozillahelper,
|
||||
signal (receive) set=term peer=plasmashell,
|
||||
|
||||
@ -39,6 +43,7 @@ profile kioslave5 @{exec_path} {
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/kservices5/{,**} r,
|
||||
/usr/share/kservicetypes5/*.desktop r,
|
||||
/usr/share/mime/ r,
|
||||
|
||||
/etc/fstab r,
|
||||
/etc/xdg/kdeglobals r,
|
||||
@ -46,11 +51,24 @@ profile kioslave5 @{exec_path} {
|
||||
/etc/xdg/kwinrc r,
|
||||
/etc/xdg/menus/{,**} r,
|
||||
|
||||
owner @{MOUNTDIRS}/** r,
|
||||
# Full access to user's data
|
||||
/ r,
|
||||
/*/ r,
|
||||
@{bin}/ r,
|
||||
@{lib}/ r,
|
||||
@{MOUNTDIRS}/ r,
|
||||
@{MOUNTS}/ r,
|
||||
@{MOUNTS}/** rw,
|
||||
owner @{HOME}/{,**} rw,
|
||||
owner @{run}/user/@{uid}/{,**} rw,
|
||||
owner /tmp/{,**} rw,
|
||||
|
||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
|
||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/.directory r,
|
||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
|
||||
# Silence non user's data
|
||||
deny /boot/{,**} r,
|
||||
deny /opt/{,**} r,
|
||||
deny /root/{,**} r,
|
||||
deny /tmp/.* rw,
|
||||
deny /tmp/.*/{,**} rw,
|
||||
|
||||
owner @{user_cache_dirs}/ksycoca5_* r,
|
||||
owner @{user_cache_dirs}/thumbnails/*/ r,
|
||||
@ -61,8 +79,11 @@ profile kioslave5 @{exec_path} {
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/kwinrc r,
|
||||
|
||||
owner @{user_share_dirs}/baloo/index-lock rwk,
|
||||
owner @{user_share_dirs}/baloo/index rw,
|
||||
owner @{user_share_dirs}/baloo/index-lock rwk,
|
||||
owner @{user_share_dirs}/kactivitymanagerd/resources/database rk,
|
||||
owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk,
|
||||
owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
owner @{run}/user/@{uid}/#@{int} rw,
|
||||
|
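Review bot: `@{MOUNTS}/** rw,` is the only broad write rule in the new "Full access to user's data" block without `owner`: `@{HOME}`, `/tmp` and `@{run}/user/@{uid}` are owner-qualified but any file on any mount is not, so a KIO worker driven by a compromised client can touch other users' world-writable files on shared media, which DAC alone does not prevent. If the omission is deliberate (media mounted with a foreign uid, FAT without ownership), a comment saying so would help; otherwise `owner @{MOUNTS}/** rw,` matches the rest of the block. Also note that `deny /tmp/.*/{,**} rw,` takes precedence over every allow rule, including ones from included abstractions, so it will silently block `/tmp/.X11-unix/` and `/tmp/.ICE-unix/` sockets if anything this profile includes grants them.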
@ -35,7 +35,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
||||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
ptrace read peer=pinentry-qt,
|
||||
ptrace (read) peer=pinentry-qt,
|
||||
ptrace (read) peer=kded5,
|
||||
|
||||
signal (send),
|
||||
|
||||
@ -101,10 +102,11 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
||||
owner @{user_cache_dirs}/ksycoca5_* rl,
|
||||
owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw,
|
||||
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwlk,
|
||||
owner @{user_cache_dirs}/plasma-svgelements.{,@{rand6}} rwlk -> @{user_cache_dirs}/#@{int},
|
||||
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
|
||||
owner @{user_cache_dirs}/plasma-svgelements* rwl,
|
||||
owner @{user_cache_dirs}/plasmashell/qmlcache/{,**} rwl,
|
||||
owner @{user_cache_dirs}/bookmarksrunner/ rw,
|
||||
owner @{user_cache_dirs}/bookmarksrunner/** rwkl -> @{user_cache_dirs}/bookmarksrunner/#@{int},
|
||||
|
||||
owner @{user_config_dirs}/#@{int} rwk,
|
||||
owner @{user_config_dirs}/*kde*.desktop* r,
|
||||
@ -116,9 +118,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
||||
owner @{user_config_dirs}/kactivitymanagerd-statsrc r,
|
||||
owner @{user_config_dirs}/{KDE,kde.org}/ rw,
|
||||
owner @{user_config_dirs}/{KDE,kde.org}/** rwkl -> @{user_config_dirs}/{KDE,kde.org}/#@{int},
|
||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
||||
owner @{user_config_dirs}/kdedefaults/kwinrc r,
|
||||
owner @{user_config_dirs}/kdedefaults/plasmarc r,
|
||||
owner @{user_config_dirs}/kdedefaults/* r,
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/kioslaverc r,
|
||||
owner @{user_config_dirs}/klipperrc r,
|
||||
@ -149,6 +149,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
||||
owner @{user_share_dirs}/plasma/plasmoids/{,**} r,
|
||||
owner @{user_share_dirs}/user-places.xbel r,
|
||||
|
||||
owner /tmp/#@{int} rw,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
@{run}/user/@{uid}/gvfs/ r,
|
||||
owner @{run}/user/@{uid}/#@{int} rw,
|
||||
|
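Review bot: `owner @{user_cache_dirs}/plasma-svgelements.{,@{rand6}} rwlk -> @{user_cache_dirs}/#@{int},` puts the dot outside the alternation, so its empty branch matches `plasma-svgelements.` (trailing dot) rather than the cache file `plasma-svgelements`; every other rule of this shape in the commit uses `name{,.@{rand6}}`, and this one should read `owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwlk -> @{user_cache_dirs}/#@{int},`. Whether the base file is still covered depends on `plasma-svgelements* rwl` surviving the change, which the rendered hunk does not make certain; if it was dropped, the base file currently has no rule at all.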
@ -26,6 +26,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
capability fowner,
|
||||
capability kill,
|
||||
capability net_admin,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
@ -35,7 +36,10 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
network netlink raw,
|
||||
|
||||
ptrace (trace) peer=@{profile_name},
|
||||
ptrace (read) peer=unconfined,
|
||||
ptrace (read) peer=kwalletd5,
|
||||
|
||||
signal (send) set=(kill, term) peer=startplasma,
|
||||
signal (send) set=(kill, term) peer=xorg,
|
||||
|
||||
@{exec_path} mr,
|
||||
@ -116,9 +120,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
|
||||
owner @{user_share_dirs}/ w,
|
||||
owner @{user_share_dirs}/kwalletd/ rw,
|
||||
owner @{user_share_dirs}/kwalletd/kdewallet.salt r,
|
||||
owner @{user_share_dirs}/kwalletd/kdewallet.salt rw,
|
||||
owner @{user_share_dirs}/sddm/ w,
|
||||
owner @{user_share_dirs}/sddm/wayland-session.log w,
|
||||
owner @{user_share_dirs}/sddm/xorg-session.log w,
|
||||
|
||||
/tmp/sddm-* rw,
|
||||
@ -130,6 +134,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
@{run}/faillock/[a-zA-z0-9]* rwk,
|
||||
@{run}/sddm.pid rw,
|
||||
@{run}/sddm/\{@{uuid}\} rw,
|
||||
@{run}/sddm/#@{int} rw,
|
||||
@{run}/sddm/xauth_@{rand6} rwl -> @{run}/sddm/#@{int},
|
||||
@{run}/systemd/sessions/*.ref rw,
|
||||
@{run}/user/@{uid}/xauth_@{rand6} rwl,
|
||||
@ -137,7 +142,11 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
owner @{run}/user/@{uid}/#@{int} rw,
|
||||
owner @{run}/user/@{uid}/kwallet5.socket rw,
|
||||
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/uptime r,
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
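Review bot: `ptrace (read) peer=unconfined,` together with `@{PROC}/@{pids}/cmdline r,` and `@{PROC}/@{pids}/stat r,` lets a root-running display manager inspect every unconfined process on the box (ptrace read covers `/proc/<pid>/{environ,maps,...}`, not only cmdline); the peer is presumably the session or greeter process it spawns, so naming those profiles, or at least a comment stating which process is read, would keep the grant scoped. `capability fowner` likewise deserves a note saying which file operation needed it, since it lifts ownership checks on chmod/utime for everything the profile can reach. `owner @{user_share_dirs}/kwalletd/kdewallet.salt rw,` widening from `r` looks like the PAM kwallet first-login path and is worth a comment too. The profile continues outside these hunks.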
@ -13,6 +13,7 @@ profile bootctl @{exec_path} {
|
||||
include <abstractions/disks-read>
|
||||
|
||||
capability mknod,
|
||||
capability net_admin,
|
||||
|
||||
signal (send) peer=child-pager,
|
||||
|
||||
|
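Review bot: `capability net_admin,` is a broad grant (interface and routing configuration, firewall, socket-buffer overrides) for a boot-loader management tool that has no network role; the usual trigger for systemd binaries is a `setsockopt(SO_SNDBUFFORCE)` on the journal or notify socket, which, as far as I know, they tolerate being refused. Unless a concrete failure was observed, `deny capability net_admin,` (to quiet the log) is the safer choice, and if the grant really is needed a comment naming the operation should accompany it. The enclosing profile continues outside the hunk.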
@ -68,8 +68,6 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
|
||||
@{sys}/kernel/uevent_seqnum r,
|
||||
@{sys}/devices/**/read_ahead_kb r,
|
||||
|
||||
@{sys}/fs/cgroup/system.slice/systemd-homed.service/memory.pressure rw,
|
||||
|
||||
@{PROC}/devices r,
|
||||
@{PROC}/sysvipc/{shm,sem,msg} r,
|
||||
owner @{PROC}/@{pid}/gid_map w,
|
||||
|
@ -30,7 +30,8 @@ profile systemd-journald @{exec_path} {
|
||||
|
||||
@{run}/log/ rw,
|
||||
/{run,var}/log/journal/ rw,
|
||||
/{run,var}/log/journal/@{md5}/{,*} rw -> /{run,var}/log/journal/@{md5}/**,
|
||||
/{run,var}/log/journal/@{md5}/ rw,
|
||||
/{run,var}/log/journal/@{md5}/* rw -> /{run,var}/log/journal/@{md5}/#@{int},
|
||||
|
||||
owner @{run}/systemd/journal/{,**} rw,
|
||||
owner @{run}/systemd/notify rw,
|
||||
|
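Review bot: `/{run,var}/log/journal/@{md5}/* rw -> /{run,var}/log/journal/@{md5}/#@{int},` carries a `->` target without the `l` permission; as far as I can tell the parser only honours the arrow on link rules, so either this is meant to be `rwl -> …` (journald linking an anonymous `#N` temp file into place) or the target adds nothing and should be dropped, as on the directory rule just above it. Please check what the parser actually accepts here rather than trusting that the old `{,*} rw -> …**` form did. A comment such as `# #@{int}: O_TMPFILE files linked into the journal directory` would also explain the unusual target to the next reader.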
@ -128,7 +128,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
|
||||
@{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
|
||||
@{sys}/fs/cgroup/memory.max r,
|
||||
@{sys}/fs/cgroup/memory/memory.limit_in_bytes r,
|
||||
@{sys}/fs/cgroup/system.slice/systemd-logind.service/memory.pressure rw,
|
||||
@{sys}/module/vt/parameters/default_utf8 r,
|
||||
@{sys}/power/{state,resume_offset,resume,disk} r,
|
||||
|
||||
|
@ -71,7 +71,5 @@ profile systemd-machined @{exec_path} {
|
||||
@{run}/systemd/userdb/io.systemd.Machine rw,
|
||||
@{run}/systemd/notify w,
|
||||
|
||||
@{sys}/fs/cgroup/system.slice/systemd-machined.service/memory.pressure rw,
|
||||
|
||||
include if exists <local/systemd-machined>
|
||||
}
|
||||
|
@ -9,8 +9,8 @@ include <tunables/global>
|
||||
@{exec_path} = @{lib}/systemd/systemd-oomd
|
||||
profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/systemd-common>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/systemd-common>
|
||||
|
||||
capability dac_override,
|
||||
capability kill,
|
||||
@ -33,7 +33,6 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{sys}/fs/cgroup/cgroup.controllers r,
|
||||
@{sys}/fs/cgroup/memory.pressure r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r,
|
||||
|
||||
@{PROC}/pressure/{cpu,io,memory} r,
|
||||
|
||||
|
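Review bot: `@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r,` appears to be the line this hunk drops (the header shows one removal and no addition), and nothing on this page replaces it: the new `systemd-common` rule only covers the profile's own `system.slice/<name>.service/memory.pressure`. systemd-oomd's job is to read the memory files of the user slices it manages, so unless the rule moved into a file not shown here this removes the monitoring path the service exists for. If it was dropped as unused, a comment in the profile (or the commit message) saying what now covers user slices would help.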
@ -55,8 +55,6 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
|
||||
@{run}/systemd/resolve/{,**} rw,
|
||||
owner @{run}/systemd/journal/socket w,
|
||||
|
||||
owner @{sys}/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure rw,
|
||||
|
||||
@{PROC}/sys/kernel/hostname r,
|
||||
@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
|
||||
|
||||
|
@ -37,8 +37,6 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
owner /var/lib/systemd/timesync/clock rw,
|
||||
|
||||
@{sys}/fs/cgroup/system.slice/systemd-timesyncd.service/memory.pressure rw,
|
||||
|
||||
owner @{run}/systemd/journal/socket w,
|
||||
owner @{run}/systemd/timesync/synchronized rw,
|
||||
@{run}/resolvconf/*.conf r,
|
||||
|
@ -34,7 +34,7 @@ profile systemd-vconsole-setup @{exec_path} {
|
||||
|
||||
@{sys}/module/vt/parameters/default_utf8 w,
|
||||
|
||||
/dev/tty@{int} rw,
|
||||
/dev/tty@{int} rwk,
|
||||
|
||||
include if exists <local/systemd-vconsole-setup>
|
||||
}
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/{dumpe2fs,e2mmpstatus}
|
||||
@{exec_path} = @{bin}/dumpe2fs @{bin}/e2mmpstatus
|
||||
profile dumpe2fs @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/disks-read>
|
||||
|
@ -1,5 +1,6 @@
|
||||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
@ -12,48 +13,47 @@ profile localepurge @{exec_path} {
|
||||
include <abstractions/consoles>
|
||||
|
||||
@{exec_path} r,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
||||
@{bin}/fgrep rix,
|
||||
@{bin}/chmod rix,
|
||||
@{bin}/mkdir rix,
|
||||
@{bin}/touch rix,
|
||||
@{bin}/ls rix,
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/{,e}grep rix,
|
||||
@{bin}/sort rix,
|
||||
@{bin}/basename rix,
|
||||
@{bin}/chmod rix,
|
||||
@{bin}/du rix,
|
||||
@{bin}/fgrep rix,
|
||||
@{bin}/find rix,
|
||||
@{bin}/ls rix,
|
||||
@{bin}/mkdir rix,
|
||||
@{bin}/mv rix,
|
||||
@{bin}/rm rix,
|
||||
@{bin}/sort rix,
|
||||
@{bin}/touch rix,
|
||||
@{bin}/tr rix,
|
||||
@{bin}/du rix,
|
||||
@{bin}/xargs rix,
|
||||
@{bin}/basename rix,
|
||||
@{bin}/find rix,
|
||||
|
||||
@{bin}/df rPx,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
# Dirs cleaned from locales
|
||||
/usr/share/{gnome/,}help/{,**/} r,
|
||||
/usr/share/{gnome/,}help/**/** w,
|
||||
/usr/share/{locale,man,omf,calendar}/{,**/} r,
|
||||
/usr/share/{locale,man,omf,calendar}/**/** w,
|
||||
/usr/share/aptitude/{,*} r,
|
||||
/usr/share/aptitude/* w,
|
||||
/usr/share/cups/{templates,locale,doc-root}/{,**/} r,
|
||||
/usr/share/cups/{templates,locale,doc-root}/**/** w,
|
||||
/usr/share/vim/ r,
|
||||
/usr/share/vim/vim[0-9]*/lang/{,**/} r,
|
||||
/usr/share/vim/vim[0-9]*/lang/**/** w,
|
||||
/usr/share/X11/locale/**/** w,
|
||||
|
||||
/etc/locale.nopurge r,
|
||||
|
||||
owner /var/cache/localepurge/localelist r,
|
||||
owner /var/cache/localepurge/localelist-new{,.temp} rw,
|
||||
|
||||
# Dirs cleaned from locales
|
||||
/usr/share/{locale,man,omf,calendar}/{,**/} r,
|
||||
/usr/share/{locale,man,omf,calendar}/**/** w,
|
||||
/usr/share/{gnome/,}help/{,**/} r,
|
||||
/usr/share/{gnome/,}help/**/** w,
|
||||
/usr/share/cups/{templates,locale,doc-root}/{,**/} r,
|
||||
/usr/share/cups/{templates,locale,doc-root}/**/** w,
|
||||
/usr/share/vim/ r,
|
||||
/usr/share/vim/vim[0-9]*/lang/{,**/} r,
|
||||
/usr/share/vim/vim[0-9]*/lang/**/** w,
|
||||
/usr/share/X11/locale/{,**/} r,
|
||||
/usr/share/X11/locale/**/** w,
|
||||
/usr/share/aptitude/{,*} r,
|
||||
/usr/share/aptitude/* w,
|
||||
|
||||
/tmp/ r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
include if exists <local/localepurge>
|
||||
}
|
||||
|
@ -17,6 +17,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
capability checkpoint_restore,
|
||||
capability dac_read_search,
|
||||
capability kill,
|
||||
capability sys_ptrace,
|
||||
|
||||
ptrace (read),
|
||||
|
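Review bot: `capability checkpoint_restore,` is a recent and rarely seen grant, and nothing here says what needs it; the plausible consumer is readlink on `/proc/*/map_files/*`, which needrestart could use to spot mapped-but-deleted libraries, but that is a guess. Add a one-line reason next to it, e.g. `# checkpoint_restore: readlink /proc/*/map_files/* (deleted-library check) — confirm`, so it is not silently kept once the need goes away. As far as I recall, on kernels older than 5.9 the capability does not exist and the same operation requires `sys_admin`, which this profile does not, and should not, grant.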
@ -12,6 +12,11 @@ profile needrestart-apt-pinvoke @{exec_path} {
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/dbus-strict>
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get
|
||||
peer=(name=org.freedesktop.login1, label=systemd-logind),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{steam_lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}
|
||||
@{lib_dirs} = @{user_share_dirs}/Steam/ubuntu@{int}_{32,64}
|
||||
@{exec_path} = @{user_share_dirs}/Steam/steam.sh
|
||||
profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) {
|
||||
include <abstractions/base>
|
||||
@ -84,20 +84,20 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
|
||||
@{bin}/zenity rix,
|
||||
@{lib}/ld-linux.so* rix,
|
||||
|
||||
@{steam_lib_dirs}/*.so* mr,
|
||||
@{steam_lib_dirs}/*driverquery rix,
|
||||
@{steam_lib_dirs}/fossilize_replay rpx,
|
||||
@{steam_lib_dirs}/gameoverlayui rpx,
|
||||
@{steam_lib_dirs}/panorama/** rm,
|
||||
@{steam_lib_dirs}/reaper rpx,
|
||||
@{steam_lib_dirs}/steam rix,
|
||||
@{steam_lib_dirs}/steam-runtime-heavy.sh rix,
|
||||
@{steam_lib_dirs}/steam-runtime{,-heavy}/{amd64,i386}/usr/bin/* rix,
|
||||
@{steam_lib_dirs}/steam-runtime{,-heavy}/{setup,run}.sh rix,
|
||||
@{steam_lib_dirs}/steam-runtime/{usr/,}lib{exec,}/** mrix,
|
||||
@{steam_lib_dirs}/steamwebhelper rix,
|
||||
@{steam_lib_dirs}/steamwebhelper.sh rix,
|
||||
@{steam_lib_dirs}/swiftshader/* rm,
|
||||
@{lib_dirs}/*.so* mr,
|
||||
@{lib_dirs}/*driverquery rix,
|
||||
@{lib_dirs}/fossilize_replay rpx,
|
||||
@{lib_dirs}/gameoverlayui rpx,
|
||||
@{lib_dirs}/panorama/** rm,
|
||||
@{lib_dirs}/reaper rpx,
|
||||
@{lib_dirs}/steam rix,
|
||||
@{lib_dirs}/steam-runtime-heavy.sh rix,
|
||||
@{lib_dirs}/steam-runtime{,-heavy}/{amd64,i386}/usr/bin/* rix,
|
||||
@{lib_dirs}/steam-runtime{,-heavy}/{setup,run}.sh rix,
|
||||
@{lib_dirs}/steam-runtime/{usr/,}lib{exec,}/** mrix,
|
||||
@{lib_dirs}/steamwebhelper rix,
|
||||
@{lib_dirs}/steamwebhelper.sh rix,
|
||||
@{lib_dirs}/swiftshader/* rm,
|
||||
@{user_share_dirs}/Steam/config/widevine/linux-x64/libwidevinecdm.so mr,
|
||||
@{user_share_dirs}/Steam/steamapps/common/SteamLinuxRuntime_soldier/*entry-point rpx,
|
||||
|
||||
@ -113,14 +113,14 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
@{bin}/ r,
|
||||
@{lib}/ r,
|
||||
/ r,
|
||||
/{usr/,}{local/,} r,
|
||||
/{usr/,}{local/,}share/ r,
|
||||
@{lib}/ r,
|
||||
/etc/ r,
|
||||
/home/ r,
|
||||
/run/ r,
|
||||
/usr/bin/ r,
|
||||
/var/ r,
|
||||
|
||||
owner @{HOME}/ r,
|
||||
@ -149,18 +149,18 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
owner /dev/shm/#@{int} rw,
|
||||
owner /dev/shm/fossilize-*-[0-9]*-[0-9]* rw,
|
||||
owner /dev/shm/fossilize-*-@{int}-@{int} rw,
|
||||
owner /dev/shm/u@{uid}-Shm_@{hex} rw,
|
||||
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
|
||||
owner /dev/shm/ValveIPCSHM_@{uid} rw,
|
||||
|
||||
owner /tmp/dumps/ rw,
|
||||
owner /tmp/dumps/{assert,crash}_[0-9]*_[0-9]*.dmp rw,
|
||||
owner /tmp/dumps/{assert,crash}_@{int}_@{int}.dmp rw,
|
||||
owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw,
|
||||
owner /tmp/miles_image_* mrw,
|
||||
owner /tmp/runtime-info.txt.* rwk,
|
||||
owner /tmp/sh-thd.* rw,
|
||||
owner /tmp/steam_chrome_shmem_uid@{uid}_spid[0-9]* rw,
|
||||
owner /tmp/steam_chrome_shmem_uid@{uid}_spid@{int} rw,
|
||||
|
||||
@{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
|
||||
@{run}/udev/data/+sound* r,
|
||||
|
@ -12,6 +12,8 @@ profile whiptail @{exec_path} flags=(complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
capability dac_read_search,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/newt/palette.ubuntu r,
|
||||
|
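Review bot: `capability dac_read_search,` lets whiptail open any file and traverse any directory regardless of mode bits, which is far more than a terminal dialog renderer needs, and the hunk gives no hint which path triggered it (the only file rule visible is `/etc/newt/palette.ubuntu r,`). The profile is in complain mode, so this is presumably a logged denial turned into a grant wholesale; the better fix is to identify the path and add a file rule for it, or `deny capability dac_read_search,` if it is a probe that whiptail survives. A comment naming the path would be the minimum.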