mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-31 07:17:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profile): general update.

Browse source
This commit is contained in:
Alexandre Pujol 2024-04-05 23:55:21 +01:00
parent 000e68fe0a
commit 9aa9f26507
Failed to generate hash of commit
21 changed files with 40 additions and 34 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
apparmor.d/groups/apt/apt
View file

@ -105,6 +105,9 @@ profile apt @{exec_path} flags=(attach_disconnected) {
# For changelogs # For changelogs
@{bin}/sensible-pager rCx -> pager, @{bin}/sensible-pager rCx -> pager,
#aa:only whonix
@{lib}/uwt/uwtwrapper rix,
/usr/share/xml/iso-codes/{,**} r, /usr/share/xml/iso-codes/{,**} r,
/usr/share/language-selector/data/pkg_depends r, /usr/share/language-selector/data/pkg_depends r,

1
apparmor.d/groups/freedesktop/accounts-daemon
View file

@ -52,6 +52,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
/etc/gdm{3,}/ r, /etc/gdm{3,}/ r,
/etc/gdm{3,}/custom.conf{,.@{rand6}} rw, /etc/gdm{3,}/custom.conf{,.@{rand6}} rw,
/etc/gdm{3,}/daemon.conf{,.@{rand6}} rw, /etc/gdm{3,}/daemon.conf{,.@{rand6}} rw,
/etc/lightdm/lightdm.conf r,
/etc/machine-id r, /etc/machine-id r,
/etc/shadow r, /etc/shadow r,
/etc/shells r, /etc/shells r,

4
apparmor.d/groups/freedesktop/xorg
View file

@ -56,9 +56,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
/var/lib/xkb/server-@{int}.xkm rw, /var/lib/xkb/server-@{int}.xkm rw,
/var/lib/xkb/compiled/server-@{int}.xkm rw, /var/lib/xkb/compiled/server-@{int}.xkm rw,
/usr/share/libinput*/ r, /usr/share/libinput*/{,**} r,
/usr/share/libinput*/{,**/}[0-9][0-9]-*.quirks r,
/usr/share/libinput*/libinput/ r,
/etc/X11/{,**} r, /etc/X11/{,**} r,

3
apparmor.d/groups/gnome/epiphany-search-provider
View file

@ -25,7 +25,8 @@ profile epiphany-search-provider @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{lib}/webkitgtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
owner @{user_cache_dirs}/epiphany/{,**} rwk, owner @{user_cache_dirs}/epiphany/{,**} rwk,
owner @{user_share_dirs}/epiphany/{,**} rwk, owner @{user_share_dirs}/epiphany/{,**} rwk,

2
apparmor.d/groups/gnome/gnome-control-center
View file

@ -54,7 +54,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
@{bin}/pkexec rCx -> pkexec, @{bin}/pkexec rCx -> pkexec,
@{bin}/software-properties-gtk rPx, @{bin}/software-properties-gtk rPx,
@{bin}/usermod rPx, @{bin}/usermod rPx,
@{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKitNetworkProcess rPx, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rPx,
@{lib}/cups/backend/snmp rPx, @{lib}/cups/backend/snmp rPx,
@{lib}/gnome-control-center-goa-helper rPx, @{lib}/gnome-control-center-goa-helper rPx,
@{lib}/gnome-control-center-print-renderer rPx, @{lib}/gnome-control-center-print-renderer rPx,

2
apparmor.d/groups/gnome/gsd-housekeeping
View file

@ -14,6 +14,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus/org.gnome.SessionManager> include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/bus/org.gtk.vfs.MountTracker> include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gnome-strict>
include <abstractions/thumbnails-cache-write> include <abstractions/thumbnails-cache-write>
signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(term, hup) peer=gdm*,
@ -32,7 +33,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r,
owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/dconf/user r,

1
apparmor.d/groups/gnome/kgx
View file

@ -28,6 +28,7 @@ profile kgx @{exec_path} {
@{bin}/htop rPx, @{bin}/htop rPx,
@{bin}/micro rPUx, @{bin}/micro rPUx,
@{bin}/nvtop rPx, @{bin}/nvtop rPx,
@{bin}/vim rUx,
@{open_path} rPx -> child-open, @{open_path} rPx -> child-open,

14
apparmor.d/groups/kde/kwin_wayland
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/kwin_wayland @{exec_path} = @{bin}/kwin_wayland
profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
include <abstractions/base> include <abstractions/base>
include <abstractions/app-launcher-user>
include <abstractions/fontconfig-cache-write> include <abstractions/fontconfig-cache-write>
include <abstractions/graphics> include <abstractions/graphics>
include <abstractions/kde-strict> include <abstractions/kde-strict>
@ -27,12 +28,6 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
@{exec_path} mr, @{exec_path} mr,
@{bin}/kcminit rPx,
@{bin}/plasmashell r,
@{bin}/Xwayland rPx,
@{lib}/kwin_killer_helper rix,
@{bin}/konsole rPx,
#aa:exec kscreenlocker_greet #aa:exec kscreenlocker_greet
/usr/share/color-schemes/*.colors r, /usr/share/color-schemes/*.colors r,
@ -76,11 +71,8 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/ksycoca{5,6}_* r, owner @{user_cache_dirs}/ksycoca{5,6}_* r,
owner @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/kwin/ w, owner @{user_cache_dirs}/kwin/ rw,
owner @{user_cache_dirs}/kwin/qmlcache/ w, owner @{user_cache_dirs}/kwin/** rwl -> @{user_cache_dirs}/kwin/**,
owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc rwl,
owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/kwin/qmlcache/#@{int},
owner @{user_cache_dirs}/kwin/qmlcache/#@{int} rw,
owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements rw,
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},

4
apparmor.d/groups/systemd/systemd-logind
View file

@ -40,10 +40,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
member=Introspect member=Introspect
peer=(label=ksmserver-logout-greeter), peer=(label=ksmserver-logout-greeter),
dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
peer=(name=org.freedesktop.systemd1),
dbus send bus=system path=/org/freedesktop/DBus dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetConnectionCredentials} member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetConnectionCredentials}

9
apparmor.d/groups/whonix/open-link-confirmation
View file

@ -12,5 +12,14 @@ profile open-link-confirmation @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix,
@{bin}/readlink rix,
@{bin}/whichbrowser rix,
@{bin}/torbrowser rPx,
@{lib}/msgcollector/generic_gui_message rPx,
@{lib}/msgcollector/striphtml rPx,
/etc/open_link_confirm.d/{,**} r,
include if exists <local/open-link-confirmation> include if exists <local/open-link-confirmation>
} }

2
apparmor.d/profiles-a-f/abook
View file

@ -16,7 +16,7 @@ profile abook @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# Used for printing # Used for printing
@{bin}/{,ba,da}sh rix, @{sh_path} rix,
@{bin}/lp{,r} rPUx, @{bin}/lp{,r} rPUx,
# Abook has built in support to launch mutt # Abook has built in support to launch mutt
@{bin}/mutt rPUx, @{bin}/mutt rPUx,

2
apparmor.d/profiles-a-f/acpi-powerbtn
View file

@ -24,7 +24,7 @@ profile acpi-powerbtn flags=(attach_disconnected) {
@{bin}/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,
@{bin}/ps rPx, @{bin}/ps rPx,
@{bin}/fgconsole rCx, @{bin}/fgconsole rCx -> fgconsole,
/usr/share/acpi-support/** r, /usr/share/acpi-support/** r,

4
apparmor.d/profiles-a-f/atril
View file

@ -40,8 +40,8 @@ profile atril @{exec_path} {
@{bin}/atril-previewer rPx, @{bin}/atril-previewer rPx,
@{lib}/{,@{multiarch}/}webkit2gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
@{lib}/{,@{multiarch}/}webkit2gtk-*/WebKitWebProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
/usr/share/atril/{,**} r, /usr/share/atril/{,**} r,
/usr/share/poppler/{,**} r, /usr/share/poppler/{,**} r,

1
apparmor.d/profiles-a-f/evince
View file

@ -36,7 +36,6 @@ profile evince @{exec_path} {
@{exec_path} rix, @{exec_path} rix,
@{sh_path} rix, @{sh_path} rix,
@{bin}/gio-launch-desktop rPx,
@{open_path} rPx -> child-open, @{open_path} rPx -> child-open,
/usr/share/djvu/{,**} r, /usr/share/djvu/{,**} r,

1
apparmor.d/profiles-a-f/flatpak-system-helper
View file

@ -35,6 +35,7 @@ profile flatpak-system-helper @{exec_path} {
@{lib}/revokefs-fuse rix, @{lib}/revokefs-fuse rix,
/etc/flatpak/{,**} r, /etc/flatpak/{,**} r,
/etc/machine-id r,
/usr/share/mime/mime.cache r, /usr/share/mime/mime.cache r,
/usr/share/flatpak/triggers/ r, /usr/share/flatpak/triggers/ r,

4
apparmor.d/profiles-a-f/font-manager
View file

@ -27,8 +27,8 @@ profile font-manager @{exec_path} {
@{exec_path} r, @{exec_path} r,
@{lib}/@{multiarch}/webkit*gtk-*/WebKitWebProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
@{lib}/@{multiarch}/webkit*gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/font-manager/ rw, owner @{user_cache_dirs}/font-manager/ rw,

4
apparmor.d/profiles-g-l/jami-gnome
View file

@ -25,8 +25,8 @@ profile jami-gnome @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{lib}/{,@{multiarch}/}webkit2gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
@{lib}/{,@{multiarch}/}webkit2gtk-*/WebKitWebProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
/usr/share/ring/{,**} r, /usr/share/ring/{,**} r,
/usr/share/sounds/jami-gnome/{,**} r, /usr/share/sounds/jami-gnome/{,**} r,

5
apparmor.d/profiles-s-z/system-config-printer
View file

@ -49,9 +49,10 @@ profile system-config-printer @{exec_path} flags=(complain) {
owner /tmp/* rw, owner /tmp/* rw,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fdinfo/@{int} r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/stat r,
owner /dev/tty@{int} rw, owner /dev/tty@{int} rw,

4
apparmor.d/profiles-s-z/system-config-printer-applet
View file

@ -23,7 +23,11 @@ profile system-config-printer-applet @{exec_path} {
/usr/share/system-config-printer/{,**} r, /usr/share/system-config-printer/{,**} r,
owner @{HOME}/.xsession-errors w,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
/dev/tty rw,
include if exists <local/system-config-printer-applet> include if exists <local/system-config-printer-applet>
} }