feat(profiles): general update.

Alexandre Pujol 2022-08-21 20:16:29 +01:00
parent e6e0ef9067
commit 9d4956df0d
23 changed files with 147 additions and 104 deletions


@ -33,7 +33,6 @@ profile pipewire @{exec_path} {
/usr/share/pipewire/pipewire.conf r,
/etc/machine-id r,
/etc/pipewire/client.conf r,
/etc/pipewire/pipewire-pulse.conf.d/{,*} r,
/etc/pipewire/pipewire.conf r,


@ -11,6 +11,7 @@ include <tunables/global>
profile pipewire-media-session @{exec_path} {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/devices-usb>
include <abstractions/nameservice-strict>
@ -44,11 +45,11 @@ profile pipewire-media-session @{exec_path} {
owner @{HOME}/.local/state/ rw,
owner @{HOME}/.local/state/pipewire/{,**} rw,
owner @{user_config_dirs}/pipewire/ rw,
owner @{user_config_dirs}/pipewire/** rw,
owner @{user_config_dirs}/pulse/ rw,
owner @{run}/user/@{uid}/bus rw,
owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
@{run}/udev/data/+sound:card[0-9]* r, # For sound


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/xdg-document-portal
profile xdg-document-portal @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-session-strict>
ptrace (read) peer=xdg-desktop-portal,
@ -23,7 +24,6 @@ profile xdg-document-portal @{exec_path} {
owner @{user_share_dirs}/flatpak/db/documents r,
owner @{run}/user/@{uid}/bus rw,
owner @{run}/user/@{uid}/doc/ rw,
owner @{PROC}/@{pid}/fd/ r,


@ -11,6 +11,7 @@ profile gdm-wayland-session @{exec_path} {
include <abstractions/base>
include <abstractions/bash>
include <abstractions/consoles>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
include <abstractions/nameservice-strict>
@ -53,7 +54,6 @@ profile gdm-wayland-session @{exec_path} {
/etc/default/im-config r,
/etc/gdm{3,}/custom.conf r,
/etc/machine-id r,
/etc/shells r,
/etc/X11/xinit/xinputrc r,
/etc/X11/Xsession.d/*im-config_launch r,
@ -61,8 +61,7 @@ profile gdm-wayland-session @{exec_path} {
/usr/share/gdm/gdm.schemas r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{run}/user/@{uid}/bus rw,
@{run}/gdm/custom.conf r,
@{run}/gdm/custom.conf r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/loginuid r,


@ -24,6 +24,8 @@ profile gnome-characters-backgroudservice @{exec_path} {
/etc/gtk-3.0/settings.ini r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/stat r,


@ -34,6 +34,9 @@ profile gnome-extension-ding @{exec_path} {
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus bind bus=session
name=com.rastersoft.ding,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,


@ -10,6 +10,7 @@ include <tunables/global>
profile gnome-terminal-server @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
@ -34,8 +35,6 @@ profile gnome-terminal-server @{exec_path} {
/etc/shells r,
owner @{run}/user/@{uid}/at-spi/bus rw,
owner @{run}/user/@{uid}/bus rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,


@ -10,6 +10,7 @@ include <tunables/global>
profile nautilus @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/app-launcher-user>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
include <abstractions/gnome>
@ -21,6 +22,20 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus (send, receive) bus=session path=/org/gnome/Nautilus{,/*}
interface={org.freedesktop.DBus.{Properties,Introspectable},org.gtk.Actions},
dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
interface=org.gtk.Private.RemoteVolumeMonitor
member={IsSupported,List}
peer=(name=:*),
dbus bind bus=session
name=org.gnome.Nautilus,
dbus bind bus=session
name=org.freedesktop.FileManager1,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
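Review bot: The new `dbus send ... path=/org/gtk/Private/RemoteVolumeMonitor` rule ends with `peer=(name=:*)`, which matches every connection's unique bus name and therefore does not constrain the peer at all. If the gvfs volume monitor that answers `IsSupported`/`List` runs under its own profile, a `peer=(label=...)` qualifier would be tighter; otherwise a comment such as `# volume monitor is reachable only by unique name, so no well-known peer can be given` would explain why the wildcard is deliberate. The `dbus (send, receive)` rule on `/org/gnome/Nautilus{,/*}` names three interfaces but no member, which is broader than the neighbouring rules; listing the members actually used, or noting that the whole interface is intended, would make the grant reviewable. The nautilus profile starts before this hunk and continues after it.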


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/tracker-extract-3
profile tracker-extract @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/disks-read>
include <abstractions/fonts>
@ -51,8 +52,7 @@ profile tracker-extract @{exec_path} {
owner /tmp/tracker-extract-3-files.*/{,*} rw,
owner @{run}/user/@{uid}/bus rw,
@{run}/blkid/blkid.tab r,
@{run}/blkid/blkid.tab r,
@{run}/udev/data/c235:* r,
@{run}/udev/data/c236:* r,


@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2017-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -11,8 +11,9 @@ include <tunables/global>
profile gpg @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/user-download-strict>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
include <abstractions/user-read>
capability dac_read_search,
@ -20,15 +21,15 @@ profile gpg @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/gpgconf rPx,
/{usr/,}bin/gpg-connect-agent rPx,
/{usr/,}bin/gpg-agent rPx,
/{usr/,}bin/dirmngr rPx,
/{usr/,}bin/gpg-agent rPx,
/{usr/,}bin/gpg-connect-agent rPx,
/{usr/,}bin/gpgconf rPx,
/{usr/,}bin/gpgsm rPx,
/{usr/,}lib/gnupg/scdaemon rPx,
# GPG config files
owner @{HOME}/ r,
/etc/inputrc r,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
@ -41,54 +42,9 @@ profile gpg @{exec_path} {
owner /var/lib/*/.gnupg/ rw,
owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**,
# For flatpak
owner /tmp/ostree-gpg-*/ r,
owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
# For ToR Browser
owner @{user_share_dirs}/torbrowser/gnupg_homedir/ r,
owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{user_share_dirs}/torbrowser/gnupg_homedir/**,
# For spamassassin
owner /var/lib/spamassassin/sa-update-keys/** rwkl -> /var/lib/spamassassin/sa-update-keys/**,
# For lintian
owner /tmp/temp-lintian-lab-*/**/debian/upstream/signing-key.asc r,
owner /tmp/lintian-pool-*/**/debian/upstream/signing-key.asc r,
owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid} rw,
owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
owner /tmp/*/trustdb.gpg rw,
owner /tmp/*/trustdb.gpg.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
owner /tmp/*/pubring.kbx rw,
owner /tmp/*/pubring.kbx.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
owner /tmp/*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
owner /tmp/*.gpg rw,
owner /tmp/*.gpg~ w,
owner /tmp/*.gpg.tmp rw,
owner /tmp/*.gpg.lock rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid},
owner /tmp/.#lk0x[0-9a-f]*.*.@{pid} rw,
owner /tmp/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid},
owner @{run}/user/@{uid}/gnupg/d.*/ rw,
# APT upstream/user keyrings
/usr/share/keyrings/*.{gpg,asc} r,
/etc/apt/keyrings/*.{gpg,asc} r,
# APT repositories
/var/lib/apt/lists/*_InRelease r,
# Verify files
owner @{HOME}/** r,
owner @{MOUNTS}/** r,
owner @{PROC}/@{pid}/task/@{tid}/stat rw,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/fd/ r,
/etc/inputrc r,
# file_inherit
/tmp/#[0-9]*[0-9] rw,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat rw,
include if exists <local/gpg>
}
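Review bot: The new `owner @{HOME}/** r` and `owner @{MOUNTS}/** r` lines under `# Verify files` give gpg read access to the entire home directory and every mounted volume, while the narrowly scoped flatpak, Tor Browser, spamassassin, lintian and `/tmp` lock-file paths appear to be dropped from the same hunk; that is a much wider read surface for a program that handles private keys, and the profile already pulls in `<abstractions/user-read>` in the earlier hunk. If the intent is that gpg must be able to read any file the user passes on the command line, a comment recording that trade-off, e.g. `# gpg verifies/encrypts arbitrary user files; deliberately broad`, would stop the next reviewer from tightening it back. The APT keyring rules (`/usr/share/keyrings/*.{gpg,asc}`, `/etc/apt/keyrings/*.{gpg,asc}`, `/var/lib/apt/lists/*_InRelease`) are not reinstated anywhere visible; if they were removed rather than moved into an abstraction, gpg invoked by APT tooling will now be denied those reads. The profile's closing `}` is in the hunk but its header is not.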


@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd
profile gvfsd @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-session-strict>
@{exec_path} mr,
@ -20,7 +21,6 @@ profile gvfsd @{exec_path} {
/usr/share/gvfs/{,**} r,
owner @{run}/user/@{uid}/bus rw,
owner @{run}/user/@{uid}/gvfs/ rw,
owner @{run}/user/@{uid}/gvfsd/ rw,


@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/networkctl
profile networkctl @{exec_path} flags=(complain) {
profile networkctl @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base>
include <abstractions/dbus-strict>
@ -39,9 +39,6 @@ profile networkctl @{exec_path} flags=(complain) {
/var/lib/dbus/machine-id r,
/etc/machine-id r,
@{run}/systemd/netif/links/[0-9]* r,
@{run}/systemd/netif/state r,
# To be able to read logs
@{run}/log/ r,
/{run,var}/log/journal/ r,
@ -50,12 +47,16 @@ profile networkctl @{exec_path} flags=(complain) {
/{run,var}/log/journal/[0-9a-f]*/system.journal* r,
/{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r,
@{run}/systemd/netif/links/[0-9]* r,
@{run}/systemd/netif/state r,
@{run}/systemd/notify w,
@{sys}/devices/**/net/**/uevent r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/stat r,
@{PROC}/filesystems r,
@{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/stat r,
include if exists <local/networkctl>
}


@ -17,11 +17,17 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName},
member={RequestName,ReleaseName,GetConnectionUnixUser}
peer=(name=org.freedesktop.DBus),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
member=CheckAuthorization
peer=(name=org.freedesktop.PolicyKit1),
dbus receive bus=system path=/org/freedesktop/hostname[0-9]
interface=org.freedesktop.DBus.Properties
member={Get,GetAll},
member={Get,GetAll,SetHostname},
dbus bind bus=system
name=org.freedesktop.hostname[0-9],
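Review bot: `SetHostname` is added to the receive rule that is qualified with `interface=org.freedesktop.DBus.Properties`, but SetHostname is a method of `org.freedesktop.hostname1` — the systemd-networkd hunk in this same commit sends it as `interface=org.freedesktop.hostname1 member=SetHostname` — so this rule most likely never matches the real call. The access the commit seems to want is a separate rule: `dbus receive bus=system path=/org/freedesktop/hostname[0-9]` / `interface=org.freedesktop.hostname1` / `member=SetHostname,`. That receive rule also has no `peer=` qualifier, so any bus client may reach the method; that is defensible only because the new PolicyKit `CheckAuthorization` send rule shows hostnamed authorizes callers itself, which is worth a one-line comment next to it. The profile body continues outside the hunk.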


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -7,40 +8,68 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-networkd
profile systemd-networkd @{exec_path} flags=(complain) {
profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/systemd-common>
capability net_admin,
capability net_raw,
capability net_bind_service,
network inet dgram,
network inet6 dgram,
network inet raw,
network inet6 raw,
network netlink raw,
network packet dgram,
network packet raw,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=RequestName
peer=(name=org.freedesktop.DBus),
dbus send bus=system path=/org/freedesktop/hostname[0-9]
interface=org.freedesktop.hostname1
member=SetHostname
peer=(name=org.freedesktop.hostname1),
dbus receive bus=system path=/org/freedesktop/network[0-9]
interface=org.freedesktop.DBus.Properties
member=Get,
dbus bind bus=system
name=org.freedesktop.network1,
@{exec_path} mr,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/etc/systemd/networkd.conf r,
/etc/systemd/network/ r,
/etc/systemd/network/[0-9][0-9]-*.{netdev,network,link} r,
/etc/networkd-dispatcher/carrier.d/{,*} r,
@{run}/systemd/network/ r,
@{run}/systemd/network/*.network r,
owner @{run}/systemd/netif/.#state rw,
owner @{run}/systemd/netif/.#state* rw,
owner @{run}/systemd/netif/leases/.#* rw,
owner @{run}/systemd/netif/leases/[0-9]* rw,
owner @{run}/systemd/netif/links/.#* rw,
owner @{run}/systemd/netif/links/[0-9]* rw,
owner @{run}/systemd/netif/leases/[0-9]* rw,
owner @{run}/systemd/netif/leases/.#* rw,
owner @{run}/systemd/netif/.#state* rw,
owner @{run}/systemd/netif/.#state rw,
owner @{run}/systemd/netif/state rw,
# To be able to configure network interfaces
@{PROC}/sys/net/ipv{4,6}/** rw,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
@{sys}/devices/**/net/** r,
@{run}/udev/data/n[0-9]* r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
@{sys}/devices/**/net/** r,
@{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{PROC}/sys/net/ipv{4,6}/** rw,
include if exists <local/systemd-networkd>
}
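Review bot: The high-impact grants this hunk introduces — `capability net_bind_service`, `network packet dgram` / `network packet raw`, and the `SetHostname` send to `org.freedesktop.hostname1` — carry no explanation, and because the profile stays in `complain` mode none of them are enforced yet, so a rule derived from an audit denial and a speculative one look the same to the next reader. Suggested comments, to be confirmed against the audit log: `# DHCP client: binds the client port and uses AF_PACKET for DHCP/LLDP frames` on the capability and packet rules, and `# applies a DHCP-supplied transient hostname via hostnamed` on the hostname1 send rule. The `dbus receive ... interface=org.freedesktop.DBus.Properties member=Get` rule has no peer restriction, which is acceptable for a read-only getter but should be stated. Interleaving the reordering of existing path rules with these additions makes the substantive changes hard to pick out; a separate reorder commit would have been easier to review.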


@ -11,6 +11,10 @@ profile systemd-networkd-wait-online @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/systemd-common>
capability net_admin,
network netlink raw,
@{exec_path} mr,
@{run}/systemd/netif/links/[0-9]* r,
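Review bot: `capability net_admin` is a broad privilege for a tool whose job is to wait for links to come up; `network netlink raw` on its own covers subscribing to RTM_NEWLINK/RTM_NEWADDR notifications, and nothing in the hunk shows which operation needs net_admin. If it was added in response to an audit denial, a comment naming the denied operation (e.g. `# net_admin: <operation from audit log>`) lets a later reviewer drop it once it is no longer required; if it was added speculatively it should be removed, since the profile is in complain mode and a missing rule surfaces as a log entry rather than a failure. The enclosing profile starts before the hunk.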


@ -17,9 +17,15 @@ profile apport-gtk @{exec_path} {
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/python>
include <abstractions/ssl_certs>
capability sys_ptrace,
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
@{exec_path} mr,
/{usr/,}{s,}bin/killall5 rix,
@ -50,21 +56,22 @@ profile apport-gtk @{exec_path} {
/usr/share/themes/{,**} r,
/usr/share/X11/xkb/{,**} r,
/etc/apport/blacklist.d/apport r,
/etc/apport/blacklist.d/README.blacklist r,
/etc/apport/crashdb.conf r,
/etc/apport/{,**} r,
/etc/bash_completion.d/apport_completion r,
/etc/cron.daily/apport r,
/etc/default/apport r,
/etc/init.d/apport r,
/etc/logrotate.d/apport r,
/etc/xdg/autostart/*.desktop r,
/etc/gtk-3.0/settings.ini r,
/var/crash/{,*.@{uid}.crash} r,
/var/crash/{,*.@{uid}.crash} rw,
/var/lib/dpkg/info/ r,
/var/lib/dpkg/info/*.list r,
/var/lib/dpkg/info/*.md5sums r,
/var/log/installer/media-info r,
@{run}/snapd.socket rw,
owner @{run}/user/@{uid}/wayland-[0-9] rw,
/tmp/[a-z0-9]* rw,
@ -83,8 +90,9 @@ profile apport-gtk @{exec_path} {
profile gdb {
include <abstractions/base>
include <abstractions/python>
include <abstractions/dconf>
include <abstractions/fonts>
include <abstractions/python>
/{usr/,}bin/gdb mr,
@ -92,6 +100,9 @@ profile apport-gtk @{exec_path} {
/{usr/,}{s,}bin/* r,
/usr/share/gdb/{,**} r,
/usr/share/themes/{,**} r,
/usr/share/gnome-shell/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/gdb/{,**} r,
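Review bot: `capability sys_ptrace` appears to be added to the main apport-gtk profile (the first hunk's counts admit only additions), together with inet/inet6 stream and dgram rules and the `ssl_certs` abstraction, with no comment on what needs each; sys_ptrace bypasses the kernel's ptrace access checks, so it deserves at least `# sys_ptrace: <reason from audit log>` or, if only the gdb subprofile needs it, moving it there. In the second hunk `/var/crash/{,*.@{uid}.crash}` widens from `r` to `rw` and the enumerated `/etc/apport/...` files collapse into `/etc/apport/{,**} r`; both are reasonable but the write on crash files and the `@{run}/snapd.socket rw` grant (the snapd REST API) are the kind of lines a future reader will question without a comment. The gdb subprofile at the end gains `<abstractions/dconf>` while the rest of the file uses `dconf-write` elsewhere; if read-only dconf is all gdb needs, that is fine, otherwise the inconsistency is worth a look. The apport-gtk profile and its gdb subprofile both extend beyond the hunks.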


@ -14,7 +14,9 @@ profile software-properties-gtk @{exec_path} {
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
include <abstractions/fonts>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/python>
dbus send bus=system path=/{,com/canonical/UbuntuAdvantage/Manager}
interface=org.freedesktop.DBus.Introspectable
@ -51,10 +53,13 @@ profile software-properties-gtk @{exec_path} {
/usr/share/X11/xkb/{,**} r,
/usr/share/xml/iso-codes/{,**} r,
/etc/apport/blacklist.d/{,*} r,
/etc/default/apport r,
/etc/gtk-3.0/settings.ini r,
/etc/machine-id r,
/etc/update-manager/release-upgrades r,
/var/crash/*software-properties-gtk.@{uid}.crash rw,
/var/lib/snapd/desktop/icons/ r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
@ -68,6 +73,9 @@ profile software-properties-gtk @{exec_path} {
@{PROC}/@{pids}/mountinfo r,
@{PROC}/asound/cards r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,


@ -103,7 +103,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
/{usr/,}{s,}bin/dmidecode rPx,
/{usr/,}{s,}bin/dnsmasq rPx,
/{usr/,}{s,}bin/virtiofsd rux, # TODO: WIP
/{usr/,}{s,}bin/virtlogd rPX,
/{usr/,}{s,}bin/virtlogd rPx,
/{usr/,}bin/lvm rUx,
/{usr/,}bin/mdevctl rPx,
/{usr/,}bin/swtpm rPx,
@ -155,6 +155,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+bluetooth:* r,
@{run}/udev/data/+dmi:id r,
@{run}/udev/data/+drm:* r,
@{run}/udev/data/+hid:* r,
@{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
@{run}/udev/data/+leds:* r,
@{run}/udev/data/+pci* r,


@ -119,11 +119,13 @@ profile run-parts @{exec_path} {
include <abstractions/base>
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{e,}grep rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/find rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/head rix,
/{usr/,}bin/id rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/uname rix,
@ -133,13 +135,17 @@ profile run-parts @{exec_path} {
/usr/share/unattended-upgrades/update-motd-unattended-upgrades rix,
/ r,
/etc/default/motd-news r,
/etc/lsb-release r,
/etc/update-motd.d/[0-9]*-[a-z]* r,
/var/cache/motd-news r,
/var/lib/update-notifier/updates-available r,
@{run}/motd.d/{,*} r,
@{PROC}/@{pids}/mounts r,
}
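Review bot: The new `@{PROC}/@{pids}/mounts r` rule reads the mount table of any process, not only the profile's own; unless one of the motd scripts genuinely inspects other processes, `owner @{PROC}/@{pid}/mounts r,` is the narrower form used elsewhere in this commit. In the first hunk both `/{usr/,}bin/{e,}grep rix` and `/{usr/,}bin/grep rix` are visible; if both survive on the new side the second is redundant because `{e,}grep` already matches `grep`, and if `{e,}grep` was removed then `egrep` loses its rule — the hunk does not show which. The subprofile these rules belong to starts before the hunk; its closing `}` and the following `profile kernel {` are visible at the end.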
profile kernel {


@ -69,15 +69,15 @@ profile snapd @{exec_path} {
/{usr/,}bin/unsquashfs rix,
/{usr/,}bin/update-desktop-database rPx,
/{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache-* mr,
/{snap/snapd/[0-9]*/,}{usr/,}bin/snap rPx,
/{snap/snapd/[0-9]*/,}{usr/,}bin/xdelta3 rix, # TODO: rPx ?
/{snap/snapd/[0-9]*/,}{usr/,}lib/@{multiarch}/** mr,
/{snap/snapd/[0-9]*/,}{usr/,}lib/@{multiarch}/ld-*.so rix,
/{snap/snapd/[0-9]*/,}{usr/,}bin/snap rPx,
/{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-discard-ns rPx,
/{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-seccomp rPx,
/{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-update-ns rPx,
/{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snapd rix,
/{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache-* rPx -> fc-cache,
/{snap/snapd/[0-9]*/,}{usr/,}bin/xdelta3 rix, # TODO: rPx ?
/usr/share/bash-completion/completions/{,**} r,
/usr/share/dbus-1/{system,session}.d/{,snapd*} r,
@ -133,7 +133,6 @@ profile snapd @{exec_path} {
@{sys}/kernel/security/apparmor/features/ r,
@{sys}/kernel/security/apparmor/profiles r,
owner @{PROC}/@{pids}/mountinfo r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/stat r,
@{PROC}/cgroups r,
@ -141,6 +140,7 @@ profile snapd @{exec_path} {
@{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sys/kernel/seccomp/actions_avail r,
@{PROC}/version r,
owner @{PROC}/@{pids}/mountinfo r,
/dev/loop-control rw,


@ -32,7 +32,7 @@ profile steam @{exec_path} {
network inet6 stream,
network netlink raw,
ptrace (read) peer=steam-*,
ptrace (read),
signal (send) peer=steam-game,
signal (read),
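Review bot: Replacing `ptrace (read) peer=steam-*` with a bare `ptrace (read)` drops the peer restriction, so the steam profile may now read the memory and `/proc` state of any process the kernel's ptrace policy lets it reach, not just the steam-* confined ones. If the trigger was a denial against a helper that is not confined under steam-*, adding `ptrace (read) peer=unconfined,` beside the original rule is narrower than removing the peer altogether; at minimum a comment like `# steam inspects helpers that do not run under a steam-* profile` should record why the widening is needed. The profile starts and ends outside the hunk.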


@ -91,6 +91,8 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
@{steamruntime}/pressure-vessel/lib{,exec}/** mrix,
@{steamruntime}/run rix,
@{user_share_dirs}/Steam/bin/ r,
@{user_share_dirs}/Steam/bin/* mr,
@{user_share_dirs}/Steam/legacycompat/ r,
@{user_share_dirs}/Steam/legacycompat/** mr,
@{user_share_dirs}/Steam/linux{32,64}/ r,
@ -139,6 +141,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/Steam/ r,
owner @{user_share_dirs}/Steam/* r,
owner @{user_share_dirs}/Steam/*log* rw,
owner @{user_share_dirs}/Steam/shader_cache_temp*/fozpipelinesv*/{,**} rw,
owner @{user_share_dirs}/Steam/steamapps/ r,
owner @{user_share_dirs}/Steam/steamapps/common/ r,
owner @{user_share_dirs}/Steam/steamapps/common/*/ r,
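Review bot: The new `@{user_share_dirs}/Steam/bin/* mr` and `@{user_share_dirs}/Steam/legacycompat/** mr` lines grant mmap-exec on files in a user-writable tree but, unlike the `owner @{user_share_dirs}/Steam/...` rules in the second hunk, they are not `owner`-qualified, so code placed there by another user would also be mappable. Unless there is a reason for the asymmetry, `owner @{user_share_dirs}/Steam/bin/* mr,` and `owner @{user_share_dirs}/Steam/legacycompat/** mr,` match the convention the rest of the profile follows. The pre-existing `@{steamruntime}/...` lines above share the same pattern and are worth the same check. The steam-game profile extends beyond both hunks.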


@ -22,9 +22,9 @@ import (
// Command line options
var (
dbus bool
help bool
path string
dbus bool
help bool
path string
)
// LogFile is the default path to the file to query