mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 00:48:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profile): general update.

Browse source
This commit is contained in:
Alexandre Pujol 2023-12-17 17:39:56 +00:00
parent ee328f727b
commit a46dfaad61
Failed to generate hash of commit
17 changed files with 59 additions and 80 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
apparmor.d/abstractions/bwrap-app
View file

@ -17,6 +17,7 @@
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/gnome-strict>
include <abstractions/gstreamer>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/opencl-intel>

2
apparmor.d/groups/freedesktop/xdg-email
View file

@ -23,6 +23,8 @@ profile xdg-email @{exec_path} flags=(complain) {
@{bin}/which rix,
@{bin}/xdg-mime rPx,
@{thunderbird_path} rPx,
owner /dev/tty@{int} rw,
include if exists <local/xdg-email>

3
apparmor.d/groups/gnome/epiphany-search-provider
View file

@ -36,6 +36,9 @@ profile epiphany-search-provider @{exec_path} {
owner @{user_cache_dirs}/epiphany/{,**} rwk,
owner @{user_share_dirs}/epiphany/{,**} rwk,
owner /tmp/ContentRuleList@{rand6} rw,
owner /tmp/Serialized* rw,
@{sys}/devices/virtual/dmi/id/chassis_type r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,

3
apparmor.d/groups/gnome/gdm
View file

@ -65,8 +65,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
@{run}/gdm{3,}/gdm.pid rw,
@{run}/gdm{3,}/greeter/ rw,
@{run}/systemd/seats/seat@{int} r,
@{run}/systemd/sessions/* r,
@{run}/systemd/sessions/*.ref r,
@{run}/systemd/sessions/* r,
@{run}/systemd/users/@{uid} r,
@{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs

3
apparmor.d/groups/gnome/gdm-generate-config
View file

@ -31,6 +31,9 @@ profile gdm-generate-config @{exec_path} {
/var/lib/ r,
/var/lib/gdm{3,}/{,**} r,
/var/lib/gdm{3,}/greeter-dconf-defaults rw,
/var/lib/gdm{3,}/greeter-dconf-defaults.@{rand6} w,
@{PROC}/ r,
@{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/cmdline r,

11
apparmor.d/groups/gnome/gnome-contacts
View file

@ -9,6 +9,10 @@ include <tunables/global>
@{exec_path} = @{bin}/gnome-contacts
profile gnome-contacts @{exec_path} {
include <abstractions/base>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
@ -23,9 +27,12 @@ profile gnome-contacts @{exec_path} {
network netlink raw,
@{exec_path} mr,
# dbus: own bus=session name=org.gnome.Contacts
/usr/share/applications/{,*.desktop} r,
# dbus: talk bus=session name=org.gnome.evolution.dataserver.AddressBookFactory label=evolution-addressbook-factory
# dbus: talk bus=session name=org.gnome.evolution.dataserver.Source label=evolution-source-registry
@{exec_path} mr,
owner @{user_cache_dirs}/evolution/addressbook/{,**} r,
owner @{user_config_dirs}/gnome-contacts/{,**} rw,

7
apparmor.d/groups/systemd/bootctl
View file

@ -9,8 +9,9 @@ include <tunables/global>
@{exec_path} = @{bin}/bootctl
profile bootctl @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>
include <abstractions/consoles>
include <abstractions/disks-read>
include <abstractions/systemd-common>
capability mknod,
capability net_admin,
@ -42,7 +43,7 @@ profile bootctl @{exec_path} {
@{run}/host/container-manager r,
@{sys}//class/tpmrm/ r,
@{sys}/class/tpmrm/ r,
@{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r,
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
@ -68,8 +69,8 @@ profile bootctl @{exec_path} {
@{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,
@{sys}/firmware/efi/fw_platform_size r,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/sys/kernel/random/poolsize r,
owner @{PROC}/@{pid}/cgroup r,
# Inherit silencer
deny network inet6 stream,

2
apparmor.d/groups/ubuntu/package-system-locked
View file

@ -17,7 +17,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) {
network inet dgram,
network inet6 dgram,
# mqueue read type=posix /,
# mqueue r type=posix /,
ptrace (read),

9
apparmor.d/groups/ubuntu/update-manager
View file

@ -40,6 +40,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{bin}/{,ba,da}sh rix,
@{bin}/dpkg rPx -> child-dpkg,
@{bin}/hwe-support-status rPx,
@{bin}/ischroot rix,
@ -56,6 +57,8 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
/usr/share/X11/{,**} r,
/etc/gtk-3.0/settings.ini r,
/etc/pulse/client.conf r,
/etc/pulse/client.conf.d/{,**} r,
/etc/update-manager/{,**} r,
/boot/ r,
@ -68,6 +71,11 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/update-manager-core/{,**} rw,
owner @{user_config_dirs}/pulse/cookie rk,
owner @{run}/user/@{uid}/pulse/ r,
owner @{run}/user/@{uid}/pulse/native rw,
@{run}/systemd/inhibit/*.ref w,
owner @{PROC}/@{pid}/fd/ r,
@ -75,6 +83,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pids}/mountinfo r,
/dev/ptmx rw,
/dev/shm/ r,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,

1
apparmor.d/profiles-a-f/cups-notifier-dbus
View file

@ -10,6 +10,7 @@ include <tunables/global>
profile cups-notifier-dbus @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/nameservice-strict>
signal (receive) set=(term) peer=cupsd,

19
apparmor.d/profiles-a-f/dkms
View file

@ -20,7 +20,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
capability setgid,
capability setuid,
unix (receive) type=stream,
deny unix (receive) type=stream,
@{exec_path} rm,
@ -56,7 +56,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
@{bin}/{,g,m}awk rix,
@{bin}/update-secureboot-policy rPUx,
@{lib}/gcc/@{multiarch}/@{int}*/* rix,
@{lib}/gcc/@{multiarch}/@{int}*/* rix,
@{lib}/linux-kbuild-*/scripts/** rix,
@{lib}/linux-kbuild-*/tools/objtool/objtool rix,
@{lib}/llvm-[0-9]*/bin/clang rix,
@ -81,28 +81,28 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
/etc/dkms/{,**} r,
# For building module in /usr/src/ subdirs
/usr/include/**.h r,
/usr/src/ r,
/usr/src/** rw,
/usr/src/linux-headers-*/scripts/gcc-plugins/*.so mr,
/usr/src/linux-headers-*/scripts/** rix,
/usr/src/linux-headers-*/scripts/gcc-plugins/*.so mr,
/usr/src/linux-headers-*/tools/** rix,
/usr/include/**.h r,
# For autosign modules
owner /etc/kernel_key/sign-kernel.sh rix,
owner /etc/kernel_key/*.key r,
owner /etc/kernel_key/*.crt r,
owner /etc/kernel_key/*.key r,
owner /etc/kernel_key/sign-kernel.sh rix,
owner @{HOME}/ r,
owner /tmp/* rw,
owner /tmp/cc* rw,
owner /tmp/dkms.*/ rw,
owner /tmp/tmp.* rw,
owner /tmp/sh-thd.* rw,
owner /tmp/* rw,
owner /tmp/tmp.* rw,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pid}/fd/ r,
# Inherit silencer
deny /apparmor/.null rw,
@ -125,7 +125,6 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
owner /tmp/tmp.* r,
# Inherit silencer
deny /apparmor/.null rw,
include if exists <local/dkms_kmod>

42
apparmor.d/profiles-a-f/fzsftp
View file

@ -1,42 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/fzsftp
profile fzsftp @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice>
signal (receive) set=(term, kill) peer=filezilla,
# Needed?
deny ptrace (trace),
@{exec_path} mr,
@{bin}/{,ba,da}sh mrix,
@{bin}/ps rix,
@{bin}/ls rix,
@{PROC}/ r,
@{PROC}/uptime r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/tty/drivers r,
deny @{PROC}/@{pids}/stat r,
deny @{PROC}/@{pids}/cmdline r,
/tmp/ r,
owner @{HOME}/.putty/randomseed rw,
# file_inherit
#deny @{user_cache_dirs}/filezilla/** rw,
include if exists <local/fzsftp>
}

5
apparmor.d/profiles-m-r/nvtop
View file

@ -35,7 +35,7 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/drm/ r,
@{sys}/devices/@{pci}/drm/card@{int}/gt_cur_freq_mhz r,
@{sys}/devices/@{pci}/drm/card@{int}/gt_*_freq_mhz r,
@{sys}/devices/@{pci}/enable r,
@{sys}/devices/system/node/node@{int}/cpumap r,
@ -51,7 +51,8 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {
/dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511
/dev/dri/ r,
/dev/nvidia-caps/{,nvidia-cap[0-9]*} rw,
/dev/nvidia-caps/ rw,
/dev/nvidia-caps/nvidia-cap@{int} rw,
include if exists <local/nvtop>
}

6
apparmor.d/profiles-m-r/pass
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/pass
profile pass @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@{exec_path} mr,
@ -69,8 +70,9 @@ profile pass @{exec_path} {
profile editor {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/consoles>
include <abstractions/fzf>
include <abstractions/nameservice-strict>
@{bin}/vim{,.*} mrix,
@ -95,6 +97,7 @@ profile pass @{exec_path} {
profile git {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
@ -129,6 +132,7 @@ profile pass @{exec_path} {
profile gpg {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability dac_read_search,

16
apparmor.d/profiles-m-r/pkexec
View file

@ -12,7 +12,6 @@ profile pkexec @{exec_path} {
include <abstractions/base>
include <abstractions/authentication>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.PolicyKit1>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>
@ -32,20 +31,7 @@ profile pkexec @{exec_path} {
ptrace (read),
dbus (send) bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus (receive) bus=system path=/org/freedesktop/PolicyKit1*/Authority
interface=org.freedesktop.PolicyKit1*.Authority
member=Changed
peer=(name=:*),
dbus (receive) bus=system path=/org/freedesktop/PolicyKit1*/AuthenticationAgent
interface=org.freedesktop.PolicyKit1*.AuthenticationAgent
member=BeginAuthentication
peer=(name=:*),
# dbus: talk bus=system name=org.freedesktop.PolicyKit1.Authority label=polkitd
@{exec_path} mr,

2
apparmor.d/profiles-s-z/steam
View file

@ -82,7 +82,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
@{bin}/xdg-user-dir rix,
@{bin}/xz rix,
@{bin}/zenity rix,
@{lib}/ld-linux.so* rix,
@{lib}/ld-linux.so* rix,
@{lib_dirs}/*.so* mr,
@{lib_dirs}/*driverquery rix,

7
apparmor.d/tunables/multiarch.d/paths
View file

@ -2,7 +2,7 @@
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Define some paths for some program commonly used
# Define some paths for some commonly used programs
# Browsers
@ -26,3 +26,8 @@
@{opera_lib_dirs} = @{lib}/@{multiarch}/@{opera_name}
@{opera_path} = @{opera_lib_dirs}/@{opera_name}
# Emails
@{thunderbird_name} = thunderbird{,-bin}
@{thunderbird_lib_dirs} = @{lib}/@{thunderbird_name}
@{thunderbird_path} = @{bin}/@{thunderbird_name} @{thunderbird_lib_dirs}/@{thunderbird_name}