Update profiles.

This commit is contained in:
Alexandre Pujol 2022-02-08 18:16:45 +00:00
parent 7274f98fa6
commit 9ecc1aa240
GPG Key ID: C5469996F0DF68EC
10 changed files with 33 additions and 14 deletions


@ -20,8 +20,10 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
/usr/share/locale/locale.alias r, /usr/share/locale/locale.alias r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, /var/lib/gdm/.config/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
/dev/null rw, /dev/null rw,
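Review bot: The two new socket rules `/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,` and `owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,` still end in a single `[0-9]`, so a display number of 10 or higher would not match and access to that socket would be denied; `[0-9]*` would cover it if multi-digit display numbers can occur on the target systems. The `/var/lib/gdm/...` rule also carries no `owner` qualifier unlike its per-user twin, which is presumably deliberate because those files belong to the gdm user, but a one-line comment saying so would make the asymmetry auditable. The profile body continues outside the hunk.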


@ -17,6 +17,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/usr/share/egl/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/glvnd/egl_vendor.d/{,*.json} r, /usr/share/glvnd/egl_vendor.d/{,*.json} r,
/usr/share/icons/{,**} r, /usr/share/icons/{,**} r,
@ -25,6 +26,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
/usr/share/X11/xkb/** r, /usr/share/X11/xkb/** r,
owner @{user_cache_dirs}/mesa_shader_cache/index rw, owner @{user_cache_dirs}/mesa_shader_cache/index rw,
owner @{user_share_dirs}/icons/{,**} r,
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,


@ -27,7 +27,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
# Full access to user's data # Full access to user's data
/ r, / r,
owner @{HOME}/{,**} rw, owner @{HOME}/{,**} rw,
owner @{MOUNTS}/*/{,**} rw, owner @{MOUNTS}/{,**} r,
owner @{run}/user/@{uid}/{,**} rw, owner @{run}/user/@{uid}/{,**} rw,
owner /tmp/{,**} rw, owner /tmp/{,**} rw,
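Review bot: The rewritten rule `owner @{MOUNTS}/{,**} r,` drops the write access that the previous `owner @{MOUNTS}/*/{,**} rw,` granted, yet it still sits under the `# Full access to user's data` comment; if nautilus is still expected to create, move or delete files on removable media this will deny those writes, and if the read-only downgrade is intentional the comment should say so. The new glob also widens the path to `@{MOUNTS}/` itself and its direct children instead of only the per-mount subtrees, so the scope moves in both directions in one line. The profile body continues outside the hunk.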


@ -10,9 +10,17 @@ include <tunables/global>
profile systemd-makefs @{exec_path} { profile systemd-makefs @{exec_path} {
include <abstractions/base> include <abstractions/base>
capability net_admin,
capability sys_resource,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}{s,}bin/mkswap rPx, /{usr/,}{s,}bin/mkswap rPx,
@{sys}/devices/virtual/block/zram[0-9]*/ r,
@{sys}/devices/virtual/block/zram[0-9]*/** r,
/dev/zram[0-9]* rwk,
include if exists <local/systemd-makefs> include if exists <local/systemd-makefs>
} }
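Review bot: `capability net_admin,` is added to systemd-makefs with no comment, and it is not obvious why a filesystem/swap formatter needs network-administration rights; if it was added to silence a logged denial while handling zram devices, a comment recording that denial (or a narrower rule for the actual operation) would keep the grant auditable. The same applies to the new `capability fowner,` in the systemd-udevd hunk below, which also lacks a rationale and whose profile is in complain mode per its header, so the grant is not enforced yet. The added `/dev/zram[0-9]* rwk,` is reasonable for a root service but grants raw write access to block devices, so it is worth a short why-comment as well.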


@ -15,17 +15,17 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/systemd-common> include <abstractions/systemd-common>
# (##FIXME##) capability chown,
capability sys_admin,
capability net_admin,
capability dac_read_search,
capability dac_override, capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability mknod,
capability net_admin,
capability sys_admin,
capability sys_module,
capability sys_ptrace, capability sys_ptrace,
capability sys_resource, capability sys_resource,
capability chown,
capability fsetid,
capability sys_module,
capability mknod,
ptrace (read), ptrace (read),


@ -16,6 +16,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
/etc/apparmor/{,**} r, /etc/apparmor/{,**} r,
/etc/apparmor.d/{,**} r, /etc/apparmor.d/{,**} r,
/etc/apparmor.d/cache.d/{,**} rw,
owner /var/cache/apparmor/{,**} rw, owner /var/cache/apparmor/{,**} rw,
owner /var/lib/docker/tmp/docker-default[0-9]* r, owner /var/lib/docker/tmp/docker-default[0-9]* r,


@ -14,6 +14,7 @@ profile auditd @{exec_path} {
capability audit_control, capability audit_control,
capability chown, capability chown,
capability fsetid, capability fsetid,
capability sys_nice,
capability sys_resource, capability sys_resource,
network netlink raw, network netlink raw,
@ -24,11 +25,13 @@ profile auditd @{exec_path} {
/var/log/audit/{,**} rw, /var/log/audit/{,**} rw,
@{run}/auditd.pid rw,
@{run}/systemd/userdb/ r, @{run}/systemd/userdb/ r,
owner @{PROC}/@{pid}/attr/current r, owner @{PROC}/@{pid}/attr/current r,
owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/loginuid r,
owner @{PROC}/@{pid}/oom_score_adj r, owner @{PROC}/@{pid}/sessionid r,
owner @{PROC}/@{pid}/oom_score_adj rw,
include if exists <local/auditd> include if exists <local/auditd>
} }


@ -23,6 +23,7 @@ profile firecfg @{exec_path} flags=(attach_disconnected) {
/etc/login.defs r, /etc/login.defs r,
/etc/firejail/firejail.users r, /etc/firejail/firejail.users r,
/etc/firejail/firecfg.config r,
/usr/local/bin/ r, /usr/local/bin/ r,
/usr/local/bin/* rw, /usr/local/bin/* rw,


@ -38,6 +38,7 @@ profile fusermount @{exec_path} {
umount @{MOUNTS}/*/*/, umount @{MOUNTS}/*/*/,
umount /tmp/.mount_*/, umount /tmp/.mount_*/,
umount @{run}/user/@{uid}/doc/, umount @{run}/user/@{uid}/doc/,
umount @{run}/user/@{uid}/gvfs/,
/etc/fuse.conf r, /etc/fuse.conf r,


@ -30,10 +30,11 @@ profile syncthing @{exec_path} {
/etc/mime.types r, /etc/mime.types r,
/usr/share/mime/globs2 r, /usr/share/mime/globs2 r,
owner @{user_config_dirs}/syncthing/{,**} rwk, owner @{HOME}/ r,
owner @{HOME}/@{XDG_DATA_HOME}/syncthing/{,**} rwk, owner @{HOME}/@{XDG_DATA_HOME}/syncthing/{,**} rwk,
owner @{user_config_dirs}/syncthing/{,**} rwk,
@{HOME}/ r, /home/ r,
@{user_sync_dirs}/{,**} rw, @{user_sync_dirs}/{,**} rw,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,