mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 17:08:09 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profile): modernize some profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2024-03-12 15:48:43 +00:00
parent 81b9de3aff
commit 9c859cec9d
Failed to generate hash of commit
14 changed files with 124 additions and 211 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
apparmor.d/groups/apt/reportbug
View file

@ -13,14 +13,11 @@ profile reportbug @{exec_path} {
include <abstractions/apt-common>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/enchant>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/nameservice-strict>
include <abstractions/python>
include <abstractions/wayland>
network inet dgram,
network inet6 dgram,
@ -54,18 +51,17 @@ profile reportbug @{exec_path} {
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
@{bin}/systemctl rPx -> child-systemctl,
@{bin}/systemctl rCx -> systemctl,
@{lib}/firefox/firefox rPUx, # App allowed to open
/usr/share/bug/* rPUx,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/run-parts rCx -> run-parts,
@{bin}/xdg-open rCx -> open,
@{open_path} rPx -> child-open,
@{lib}/python3/dist-packages/pylocales/locales.db rk,
/usr/share/bug/*/{control,presubj} r,
/usr/share/X11/xkb/** r,
/etc/** r,
/etc/reportbug.conf r,
@ -94,6 +90,7 @@ profile reportbug @{exec_path} {
@{bin}/run-parts mr,
include if exists <local/reportbug_run-parts>
}
profile gpg {
@ -107,29 +104,14 @@ profile reportbug @{exec_path} {
owner /tmp/reportbug-*-{signed,unsigned}-* rw,
owner @{HOME}/draftbugreports/reportbug-*-{signed,unsigned}-* rw,
include if exists <local/reportbug_gpg>
}
profile open {
profile systemctl {
include <abstractions/base>
include <abstractions/xdg-open>
@{bin}/xdg-open mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
include <abstractions/systemctl>
include if exists <local/reportbug_systemctl>
}
include if exists <local/reportbug>

9
apparmor.d/groups/kde/xdm-xsession
View file

@ -39,7 +39,7 @@ profile xdm-xsession @{exec_path} {
@{bin}/flatpak rPx,
@{bin}/pidof rPx,
@{bin}/startplasma-x11 rPx,
@{bin}/systemctl rPx -> child-systemctl,
@{bin}/systemctl rCx -> systemctl,
@{bin}/xdg-user-dirs-update rPx,
@{bin}/xrdb rPx,
@ -101,5 +101,12 @@ profile xdm-xsession @{exec_path} {
include if exists <local/xdm-xsession_dbus>
}
profile systemctl {
include <abstractions/base>
include <abstractions/systemctl>
include if exists <local/xdm-xsession_systemctl>
}
include if exists <local/xdm-xsession>
}

9
apparmor.d/profiles-a-f/acpi-powerbtn
View file

@ -21,7 +21,7 @@ profile acpi-powerbtn flags=(attach_disconnected) {
@{bin}/shutdown rix,
/etc/acpi/powerbtn.sh rix,
@{bin}/systemctl rPx -> child-systemctl,
@{bin}/systemctl rCx -> systemctl,
@{bin}/ps rPx,
@{bin}/fgconsole rCx,
@ -46,5 +46,12 @@ profile acpi-powerbtn flags=(attach_disconnected) {
owner /dev/tty@{int} rw,
}
profile systemctl {
include <abstractions/base>
include <abstractions/systemctl>
include if exists <local/acpi-powerbtn_systemctl>
}
include if exists <local/acpi-powerbtn>
}

8
apparmor.d/profiles-a-f/blueman
View file

@ -12,15 +12,12 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/nameservice-strict>
include <abstractions/python>
include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict>
include <abstractions/wayland>
network inet stream,
network inet6 stream,
@ -37,7 +34,6 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
@{open_path} rPx -> child-open,
/usr/share/blueman/{,**} r,
/usr/share/X11/xkb/{,**} r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
@ -57,8 +53,6 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/obexd/ rw,
owner @{user_cache_dirs}/obexd/* rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/@{pids}/cmdline r,

10
apparmor.d/profiles-a-f/dkms-autoinstaller
View file

@ -20,7 +20,7 @@ profile dkms-autoinstaller @{exec_path} {
@{bin}/plymouth rix,
@{bin}/readlink rix,
@{bin}/run-parts rCx -> run-parts,
@{bin}/systemctl rPx -> child-systemctl,
@{bin}/systemctl rCx -> systemctl,
@{bin}/tput rix,
# For shell pwd
@ -34,6 +34,14 @@ profile dkms-autoinstaller @{exec_path} {
@{bin}/run-parts mr,
include if exists <local/dkms-autoinstaller_run-parts>
}
profile systemctl {
include <abstractions/base>
include <abstractions/systemctl>
include if exists <local/dkms-autoinstaller_systemctl>
}
include if exists <local/dkms-autoinstaller>

39
apparmor.d/profiles-g-l/gajim
View file

@ -10,23 +10,19 @@ include <tunables/global>
@{exec_path} = @{bin}/gajim
profile gajim @{exec_path} {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/dconf-write>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/audio>
include <abstractions/video>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
include <abstractions/python>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/gstreamer>
include <abstractions/desktop>
include <abstractions/enchant>
include <abstractions/fontconfig-cache-read>
include <abstractions/graphics>
include <abstractions/gstreamer>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/python>
include <abstractions/ssl_certs>
include <abstractions/user-download-strict>
include <abstractions/video>
network inet dgram,
network inet6 dgram,
@ -58,8 +54,12 @@ profile gajim @{exec_path} {
@{lib}/firefox/firefox rPx,
@{bin}/spacefm rPx,
# Gajim plugins
/usr/share/gajim/plugins/{,**} r,
/usr/share/xml/iso-codes/{,**} r,
/etc/fstab r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
# Gajim home files
owner @{HOME}/ r,
@ -80,13 +80,6 @@ profile gajim @{exec_path} {
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/etc/fstab r,
/usr/share/xml/iso-codes/{,**} r,
# TMP files locations (first in /tmp/ , /var/tmp/ and @{HOME}/)
/var/tmp/ r,
/tmp/ r,

21
apparmor.d/profiles-g-l/gparted
View file

@ -42,7 +42,7 @@ profile gparted @{exec_path} {
@{bin}/ps rPx,
@{bin}/xhost rPx,
@{bin}/pkexec rPx,
@{bin}/systemctl rPx -> child-systemctl,
@{bin}/systemctl rCx -> systemctl,
# For shell pwd
/ r,
@ -60,25 +60,18 @@ profile gparted @{exec_path} {
profile udevadm {
include <abstractions/base>
ptrace (read),
include <abstractions/systemd-common>
@{bin}/udevadm mr,
/etc/udev/udev.conf r,
owner @{PROC}/@{pid}/stat r,
@{PROC}/cmdline r,
@{PROC}/1/sched r,
@{PROC}/1/environ r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/random/boot_id r,
@{sys}/** r,
@{sys}/devices/virtual/block/**/uevent rw,
@{sys}/devices/@{pci}/block/**/uevent rw,
@{run}/udev/data/* r,
include if exists <local/gparted_udevadm>
}
profile killall flags=(attach_disconnected) {
@ -99,6 +92,14 @@ profile gparted @{exec_path} {
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/cmdline r,
include if exists <local/gparted_killall>
}
profile systemctl {
include <abstractions/base>
include <abstractions/systemctl>
include if exists <local/gparted_systemctl>
}
include if exists <local/gparted>

19
apparmor.d/profiles-g-l/hw-probe
View file

@ -69,8 +69,6 @@ profile hw-probe @{exec_path} {
@{bin}/xinput rPx,
@{bin}/xrandr rPx,
@{bin}/systemctl rPx -> child-systemctl,
@{bin}/curl rCx -> curl,
@{bin}/ethtool rCx -> netconfig,
@{bin}/find rCx -> find,
@ -80,6 +78,7 @@ profile hw-probe @{exec_path} {
@{bin}/journalctl rCx -> journalctl,
@{bin}/killall rCx -> killall,
@{bin}/kmod rCx -> kmod,
@{bin}/systemctl rCx -> systemctl,
@{bin}/systemd-analyze rPx,
@{bin}/udevadm rCx -> udevadm,
@ -166,25 +165,18 @@ profile hw-probe @{exec_path} {
profile udevadm {
include <abstractions/base>
include <abstractions/systemd-common>
@{bin}/udevadm mr,
/etc/udev/udev.conf r,
@{run}/udev/data/* r,
@{sys}/bus/ r,
@{sys}/bus/*/devices/ r,
@{sys}/class/ r,
@{sys}/class/*/ r,
@{sys}/devices/**/uevent r,
@{PROC}/1/environ r,
@{PROC}/1/sched r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pid}/stat r,
include if exists <local/hw-probe_udevadm>
}
@ -228,5 +220,12 @@ profile hw-probe @{exec_path} {
include if exists <local/hw-probe_netconfig>
}
profile systemctl {
include <abstractions/base>
include <abstractions/systemctl>
include if exists <local/hw-probe_systemctl>
}
include if exists <local/hw-probe>
}

11
apparmor.d/profiles-g-l/hypnotix
View file

@ -13,18 +13,14 @@ profile hypnotix @{exec_path} {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/opencl-intel>
include <abstractions/openssl>
include <abstractions/python>
include <abstractions/ssl_certs>
include <abstractions/user-download-strict>
include <abstractions/vulkan>
signal (send) set=(term, kill) peer=youtube-dl,
signal (send) set=(term, kill) peer=yt-dlp,
@ -49,7 +45,6 @@ profile hypnotix @{exec_path} {
@{lib}/firefox/firefox rPx,
/usr/share/hypnotix/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/machine-id r,
/etc/vdpau_wrapper.cfg r,
@ -60,8 +55,6 @@ profile hypnotix @{exec_path} {
owner @{user_music_dirs}/** r,
@{sys}/devices/@{pci}/drm/ r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/cmdline r,

17
apparmor.d/profiles-g-l/initd-kexec
View file

@ -40,27 +40,16 @@ profile initd-kexec @{exec_path} {
profile systemctl {
include <abstractions/base>
include <abstractions/systemctl>
capability sys_resource,
ptrace (read),
@{bin}/systemctl mr,
@{bin}/systemd-tty-ask-password-agent rix,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/1/sched r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
/dev/kmsg w,
owner @{run}/systemd/ask-password/ rw,
owner @{run}/systemd/ask-password-block/* rw,
include if exists <local/initd-kexec_systemctl>
}
include if exists <local/initd-kexec>

49
apparmor.d/profiles-g-l/inxi
View file

@ -35,11 +35,10 @@ profile inxi @{exec_path} {
@{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
@{bin}/ip rCx -> ip,
@{lib}/systemd/systemd rCx -> systemd,
@{bin}/kmod rCx -> kmod,
@{bin}/systemctl rCx -> systemctl,
@{bin}/udevadm rCx -> udevadm,
@{bin}/systemctl rPx -> child-systemctl,
@{lib}/systemd/systemd rCx -> systemd,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
@ -87,6 +86,14 @@ profile inxi @{exec_path} {
@{run}/ r,
@{sys}/class/power_supply/ r,
@{sys}/class/net/ r,
@{sys}/firmware/acpi/tables/ r,
@{sys}/bus/usb/devices/ r,
@{sys}/devices/{,**} r,
@{sys}/module/*/version r,
@{sys}/power/wakeup_count r,
@{PROC}/asound/ r,
@{PROC}/asound/version r,
@{PROC}/sys/kernel/hostname r,
@ -105,15 +112,6 @@ profile inxi @{exec_path} {
/dev/disk/*/ r,
/dev/dm-[0-9]* r,
@{sys}/class/power_supply/ r,
@{sys}/class/net/ r,
@{sys}/firmware/acpi/tables/ r,
@{sys}/bus/usb/devices/ r,
@{sys}/devices/{,**} r,
@{sys}/module/*/version r,
@{sys}/power/wakeup_count r,
profile ip {
include <abstractions/base>
@ -125,38 +123,33 @@ profile inxi @{exec_path} {
/etc/iproute2/group r,
include if exists <local/inxi_ip>
}
profile systemd {
include <abstractions/base>
include <abstractions/systemd-common>
@{lib}/systemd/systemd mr,
/etc/systemd/user.conf r,
owner @{PROC}/@{pid}/stat r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/kernel/threads-max r,
@{PROC}/1/cgroup r,
include if exists <local/inxi_systemd>
}
profile udevadm {
include <abstractions/base>
include <abstractions/systemd-common>
@{bin}/udevadm mr,
/etc/udev/udev.conf r,
owner @{PROC}/@{pid}/stat r,
@{PROC}/cmdline r,
@{PROC}/1/sched r,
@{PROC}/1/environ r,
@{PROC}/sys/kernel/osrelease r,
@{sys}/devices/@{pci}/block/**/uevent r,
@{run}/udev/data/b* r,
@{sys}/devices/@{pci}/block/**/uevent r,
include if exists <local/inxi_udevadm>
}
profile kmod {
@ -167,6 +160,14 @@ profile inxi @{exec_path} {
@{PROC}/cmdline r,
@{PROC}/modules r,
include if exists <local/inxi_kmod>
}
profile systemctl {
include <abstractions/base>
include <abstractions/systemctl>
include if exists <local/inxi_systemctl>
}
include if exists <local/inxi>

15
apparmor.d/profiles-g-l/labwc
View file

@ -11,16 +11,11 @@ include <tunables/global>
profile labwc @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/desktop>
include <abstractions/devices-usb>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/vulkan>
include <abstractions/wayland>
network netlink raw,
@ -32,8 +27,6 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
/usr/share/libinput/ r,
/usr/share/libinput/*.quirks r,
/usr/share/themes/**/themerc r,
/usr/share/X11/xkb/** r,
owner @{user_config_dirs}/labwc/ r,
owner @{user_config_dirs}/labwc/* r,
@ -61,9 +54,5 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/fd/ r,
owner /tmp/.X@{int}-lock rw,
owner /tmp/.X11-unix/ rw,
owner /tmp/.X11-unix/X@{int} rw,
include if exists <local/labwc>
}

76
apparmor.d/profiles-m-r/mumble
View file

@ -10,21 +10,17 @@ include <tunables/global>
@{exec_path} = @{bin}/mumble
profile mumble @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/audio-client>
include <abstractions/desktop>
include <abstractions/fontconfig-cache-read>
include <abstractions/audio>
include <abstractions/user-download-strict>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/qt5-settings-write>
include <abstractions/qt5-compose-cache-write>
include <abstractions/user-download-strict>
include <abstractions/openssl>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/ssl_certs>
include <abstractions/user-download-strict>
include <abstractions/user-download-strict>
network inet dgram,
network inet6 dgram,
@ -35,25 +31,22 @@ profile mumble @{exec_path} {
@{exec_path} mrix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/xdg-open rCx -> open,
@{bin}/lsb_release rPx -> lsb_release,
@{browsers_path} rPx,
@{open_path} rPx -> child-open,
/etc/fstab r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
# Mumble home files
owner @{HOME}/ r,
owner @{HOME}/.jackdrc r,
owner @{HOME}/.MumbleOverlayPipe rw,
owner @{HOME}/.MumbleSocket rw,
owner @{user_config_dirs}/Mumble/ rw,
owner @{user_config_dirs}/Mumble/** rwkl -> @{user_config_dirs}/Mumble/#@{int},
owner @{user_share_dirs}/Mumble/ rw,
owner @{user_share_dirs}/Mumble/** rwk,
owner @{HOME}/.MumbleOverlayPipe rw,
owner @{HOME}/.MumbleSocket rw,
owner @{HOME}/.jackdrc r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/dev/shm/MumbleLink.@{int} rw,
/dev/shm/#@{int} rw,
owner @{run}/user/@{uid}/MumbleSocket rw,
owner @{run}/user/@{uid}/MumbleOverlayPipe rw,
@ -64,42 +57,11 @@ profile mumble @{exec_path} {
owner @{PROC}/@{pid}/mounts r,
deny @{PROC}/sys/kernel/random/boot_id r,
/etc/fstab r,
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
/usr/share/hwdata/pnp.ids r,
# Allowed apps to open
@{lib}/firefox/firefox rPUx,
/dev/shm/MumbleLink.@{int} rw,
/dev/shm/#@{int} rw,
# file_inherit
owner /dev/tty@{int} rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
@{bin}/xdg-open mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/mumble>
}

16
apparmor.d/profiles-s-z/vidcutter
View file

@ -12,12 +12,9 @@ profile vidcutter @{exec_path} {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/dconf-write>
include <abstractions/dri-enumerate>
include <abstractions/desktop>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/python>
@ -26,7 +23,6 @@ profile vidcutter @{exec_path} {
include <abstractions/qt5-shader-cache>
include <abstractions/ssl_certs>
include <abstractions/user-download-strict>
include <abstractions/X>
@{exec_path} r,
@{bin}/python3.@{int} r,
@ -40,9 +36,6 @@ profile vidcutter @{exec_path} {
@{open_path} rPx -> child-open,
/usr/share/hwdata/pnp.ids r,
/usr/share/qt5ct/** r,
/etc/fstab r,
/etc/vdpau_wrapper.cfg r,
@ -58,13 +51,8 @@ profile vidcutter @{exec_path} {
owner @{user_config_dirs}/vidcutter/ rw,
owner @{user_config_dirs}/vidcutter/* rwkl -> @{user_config_dirs}/vidcutter/#@{int},
owner @{user_cache_dirs}/ rw,
owner @{user_config_dirs}/qt5ct/{,**} r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/meminfo r,
owner /tmp/vidcutter-@{uuid} w,
owner /tmp/#@{int} rw,
owner /tmp/*.jpg rwl -> /tmp/#@{int},