Profile update.
This commit is contained in:
parent
20c3b0575c
commit
a59387ac9e
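--- a/[path not shown on page]
+++ /dev/null
@@ -1,8 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021 Mikhail Morfikov
-# 2021 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-deny /var/log/wtmp wk,
-/var/log/wtmp rwk,
-/var/log/btmp rwk,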
@ -25,17 +25,17 @@ profile accounts-daemon @{exec_path} {
|
|||||||
/usr/share/accountsservice/{,**} r,
|
/usr/share/accountsservice/{,**} r,
|
||||||
/usr/share/dbus-1/interfaces/org.freedesktop.DisplayManager.AccountsService.xml r,
|
/usr/share/dbus-1/interfaces/org.freedesktop.DisplayManager.AccountsService.xml r,
|
||||||
|
|
||||||
/etc/gdm/custom.conf r,
|
/etc/gdm/ r,
|
||||||
|
/etc/gdm/custom.conf rw,
|
||||||
|
/etc/gdm/custom.conf.* rw,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/shadow r,
|
/etc/shadow r,
|
||||||
/etc/shells r,
|
/etc/shells r,
|
||||||
|
|
||||||
/etc/gdm/custom.conf.* rw,
|
|
||||||
|
|
||||||
owner /var/lib/AccountsService/ r,
|
owner /var/lib/AccountsService/ r,
|
||||||
owner /var/lib/AccountsService/** rw,
|
owner /var/lib/AccountsService/** rw,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/cmdline r,
|
@{PROC}/@{pids}/cmdline r,
|
||||||
@{PROC}/1/environ r,
|
@{PROC}/1/environ r,
|
||||||
@{PROC}/cmdline r,
|
@{PROC}/cmdline r,
|
||||||
@{PROC}/sys/kernel/osrelease r,
|
@{PROC}/sys/kernel/osrelease r,
|
||||||
|
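Review bot: The last changed row of the hunk replaces `owner @{PROC}/@{pid}/cmdline r,` with `@{PROC}/@{pids}/cmdline r,`, which widens the rule from the daemon's own command line to every process on the system, and no comment says which caller needs that. Command lines of other processes can carry secrets passed as arguments, so the widening deserves a stated reason next to the rule, e.g. `# cmdline of arbitrary pids — TODO(review): confirm which lookup needs this`. The `/etc/gdm/custom.conf rw,` and `/etc/gdm/custom.conf.* rw,` rows are consistent with each other and need no change. The enclosing profile accounts-daemon starts and ends outside the hunk.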
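--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -28,10 +28,12 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=term peer=gdm,
 signal (send) set=hup peer=at-spi*,
 signal (send) set=hup peer=dbus-daemon,
+signal (send) set=hup peer=dbus-run-session,
 signal (send) set=hup peer=gjs-console,
 signal (send) set=hup peer=gnome-*,
 signal (send) set=hup peer=gsd-*,
 signal (send) set=hup peer=ibus-*,
+signal (send) set=hup peer=xorg,
 signal (send) set=hup peer=xwayland,
 signal (send) set=term peer=gdm-*-session,
 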
@ -9,6 +9,7 @@ include <tunables/global>
|
|||||||
@{exec_path} = /{usr/,}lib/gnome-session-binary
|
@{exec_path} = /{usr/,}lib/gnome-session-binary
|
||||||
profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/dconf>
|
||||||
include <abstractions/dri-common>
|
include <abstractions/dri-common>
|
||||||
include <abstractions/dri-enumerate>
|
include <abstractions/dri-enumerate>
|
||||||
include <abstractions/gtk>
|
include <abstractions/gtk>
|
||||||
@ -49,43 +50,43 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||||||
/{usr/,}lib/evolution-data-server/evolution-alarm-notify rPx,
|
/{usr/,}lib/evolution-data-server/evolution-alarm-notify rPx,
|
||||||
/{usr/,}lib/gsd-* rPx,
|
/{usr/,}lib/gsd-* rPx,
|
||||||
|
|
||||||
/usr/share/applications/org.gnome.Shell.desktop r,
|
/usr/share/applications//{,**} r,
|
||||||
/usr/share/gdm/greeter-dconf-defaults r,
|
/usr/share/gdm/greeter-dconf-defaults r,
|
||||||
|
/usr/share/gdm/greeter/applications/{,**} r,
|
||||||
|
/usr/share/gdm/greeter/autostart/{,*.desktop} r,
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
/usr/share/glvnd/egl_vendor.d/ r,
|
/usr/share/glvnd/egl_vendor.d/ r,
|
||||||
/usr/share/gnome-session/hardware-compatibility r,
|
/usr/share/gnome-session/hardware-compatibility r,
|
||||||
/usr/share/gnome-session/sessions/*.session r,
|
/usr/share/gnome-session/sessions/*.session r,
|
||||||
/usr/share/icons/{,**} r,
|
/usr/share/icons/{,**} r,
|
||||||
|
/usr/share/dconf/profile/gdm r,
|
||||||
|
/usr/share/mime/mime.cache r,
|
||||||
/usr/share/X11/xkb/{,**} r,
|
/usr/share/X11/xkb/{,**} r,
|
||||||
|
|
||||||
|
/etc/xdg/autostart/{,*.desktop} r,
|
||||||
|
|
||||||
|
/var/lib/gdm/.config/dconf/user r,
|
||||||
/var/lib/gdm/.cache/mesa_shader_cache/index rw,
|
/var/lib/gdm/.cache/mesa_shader_cache/index rw,
|
||||||
/var/lib/gdm/.config/gnome-session/ rw,
|
/var/lib/gdm/.config/gnome-session/ rw,
|
||||||
/var/lib/gdm/.config/gnome-session/saved-session/ rw,
|
/var/lib/gdm/.config/gnome-session/saved-session/ rw,
|
||||||
|
/var/lib/gdm/.local/share/applications/{,**} r,
|
||||||
|
|
||||||
|
/var/lib/flatpak/exports/share/applications/{,**} r,
|
||||||
|
|
||||||
|
owner @{user_cache_dirs}/mesa_shader_cache/index rw,
|
||||||
|
owner @{user_config_dirs}/autostart/{,*.desktop} r,
|
||||||
owner @{user_config_dirs}/gnome-session/ rw,
|
owner @{user_config_dirs}/gnome-session/ rw,
|
||||||
owner @{user_config_dirs}/gnome-session/saved-session/ rw,
|
owner @{user_config_dirs}/gnome-session/saved-session/ rw,
|
||||||
owner @{user_config_dirs}/gtk-3.0/bookmarks rw,
|
owner @{user_config_dirs}/gtk-3.0/bookmarks rw,
|
||||||
owner @{user_config_dirs}/gtk-3.0/bookmarks.[0-9A-Z]* rw,
|
owner @{user_config_dirs}/gtk-3.0/bookmarks.[0-9A-Z]* rw,
|
||||||
|
owner @{user_config_dirs}/mimeapps.list r,
|
||||||
owner @{user_cache_dirs}/mesa_shader_cache/index rw,
|
|
||||||
|
|
||||||
# Users xdg
|
|
||||||
owner @{user_config_dirs}/user-dirs.dirs r,
|
owner @{user_config_dirs}/user-dirs.dirs r,
|
||||||
owner @{user_config_dirs}/user-dirs.locale r,
|
owner @{user_config_dirs}/user-dirs.locale r,
|
||||||
|
owner @{user_share_dirs}/applications/ r,
|
||||||
|
|
||||||
# Autostart
|
|
||||||
/etc/xdg/autostart/{,*.desktop} r,
|
|
||||||
/usr/share/gdm/greeter/autostart/{,*.desktop} r,
|
|
||||||
owner @{user_config_dirs}/autostart/{,*.desktop} r,
|
|
||||||
|
|
||||||
# Dconf
|
|
||||||
include <abstractions/dconf>
|
|
||||||
owner @{run}/user/@{uid}/dconf/ rw,
|
owner @{run}/user/@{uid}/dconf/ rw,
|
||||||
owner @{run}/user/@{uid}/dconf/user rw,
|
owner @{run}/user/@{uid}/dconf/user rw,
|
||||||
/usr/share/dconf/profile/gdm r,
|
|
||||||
/var/lib/gdm/.config/dconf/user r,
|
|
||||||
|
|
||||||
# Temp files
|
|
||||||
/tmp/.ICE-unix/[0-9]* rw,
|
/tmp/.ICE-unix/[0-9]* rw,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
|
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
|
||||||
|
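Review bot: The new rule `/usr/share/applications//{,**} r,` near the top of the second hunk contains a doubled slash; unless this is a rendering artifact of the page, it should read `/usr/share/applications/{,**} r,`, since as written the path may not match what the process opens. The same row widens the old `/usr/share/applications/org.gnome.Shell.desktop r,` to every desktop file, which is read-only and in line with the added `/var/lib/gdm/.local/share/applications/{,**} r,` and flatpak exports rules. The profile gnome-session-binary starts before the first hunk and continues past the second.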
@ -9,6 +9,8 @@ include <tunables/global>
|
|||||||
@{exec_path} = /{usr/,}lib/tracker-extract-3
|
@{exec_path} = /{usr/,}lib/tracker-extract-3
|
||||||
profile tracker-extract @{exec_path} {
|
profile tracker-extract @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/dconf>
|
||||||
|
include <abstractions/disks-read>
|
||||||
include <abstractions/fonts>
|
include <abstractions/fonts>
|
||||||
include <abstractions/gstreamer>
|
include <abstractions/gstreamer>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
@ -31,18 +33,15 @@ profile tracker-extract @{exec_path} {
|
|||||||
|
|
||||||
/etc/libva.conf r,
|
/etc/libva.conf r,
|
||||||
|
|
||||||
owner /tmp/tracker-extract-3-files.*/{,*} rw,
|
|
||||||
owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
|
|
||||||
owner @{user_share_dirs}/gvfs-metadata/** r,
|
|
||||||
|
|
||||||
# Allow to search user files
|
# Allow to search user files
|
||||||
owner @{HOME}/{,**} r,
|
owner @{HOME}/{,**} r,
|
||||||
owner @{MOUNTS}/*/{,**} r,
|
owner @{MOUNTS}/*/{,**} r,
|
||||||
owner /tmp/*/{,**} r,
|
owner /tmp/*/{,**} r,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner /tmp/tracker-extract-3-files.*/{,*} rw,
|
||||||
|
owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
|
||||||
|
owner @{user_share_dirs}/gvfs-metadata/** r,
|
||||||
|
|
||||||
include <abstractions/dconf>
|
|
||||||
owner @{run}/user/@{uid}/dconf/ rw,
|
owner @{run}/user/@{uid}/dconf/ rw,
|
||||||
owner @{run}/user/@{uid}/dconf/user rw,
|
owner @{run}/user/@{uid}/dconf/user rw,
|
||||||
|
|
||||||
@ -50,6 +49,10 @@ profile tracker-extract @{exec_path} {
|
|||||||
@{run}/udev/data/c236:* r,
|
@{run}/udev/data/c236:* r,
|
||||||
@{run}/udev/data/c50[0-9]:[0-9]* r,
|
@{run}/udev/data/c50[0-9]:[0-9]* r,
|
||||||
@{run}/udev/data/c51[0-9]:[0-9]* r,
|
@{run}/udev/data/c51[0-9]:[0-9]* r,
|
||||||
|
@{run}/mount/utab r,
|
||||||
|
|
||||||
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
|
|
||||||
/dev/dri/renderD128 rw,
|
/dev/dri/renderD128 rw,
|
||||||
/dev/media[0-9]* r,
|
/dev/media[0-9]* r,
|
||||||
|
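Review bot: `include <abstractions/disks-read>` is added in the first hunk of tracker-extract, a process that parses untrusted user files, and the same include is added to tracker-miner further down the page; neither hunk says why. If that abstraction grants read access to raw block-device nodes, a parser bug would also expose whole-disk contents, so the include should either be justified in a comment, e.g. `# disks-read: TODO(review) name the device/path that needed it`, or be replaced by the narrower rules the last hunk already adds (`@{run}/mount/utab r,`, `owner @{PROC}/@{pid}/mountinfo r,`) if those suffice. The enclosing profile starts before the first hunk and ends after the last.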
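--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -9,8 +9,9 @@ include <tunables/global>
 @{exec_path} = /{usr/,}lib/tracker-miner-fs-{,control-}3
 profile tracker-miner @{exec_path} {
 include <abstractions/base>
-include <abstractions/private-files>
+include <abstractions/disks-read>
 include <abstractions/private-files-strict>
+include <abstractions/private-files>
 
 @{exec_path} mr,
 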
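--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -17,6 +17,7 @@ profile gvfsd-metadata @{exec_path} {
 @{exec_path} mr,
 
 owner @{user_share_dirs}/gvfs-metadata/{,*} rw,
+owner @{HOME}/.var/app/*/data/gvfs-metadata/{,*} rw,
 
 include if exists <local/gvfsd-metadata>
 }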
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = /{usr/,}lib/systemd/systemd-binfmt
|
@{exec_path} = /{usr/,}lib/systemd/systemd-binfmt
|
||||||
profile systemd-binfmt @{exec_path} {
|
profile systemd-binfmt @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
|
||||||
capability net_admin,
|
capability net_admin,
|
||||||
@ -28,5 +28,7 @@ profile systemd-binfmt @{exec_path} {
|
|||||||
@{PROC}/sys/fs/binfmt_misc/register w,
|
@{PROC}/sys/fs/binfmt_misc/register w,
|
||||||
@{PROC}/sys/kernel/osrelease r,
|
@{PROC}/sys/kernel/osrelease r,
|
||||||
|
|
||||||
|
deny /apparmor/.null rw,
|
||||||
|
|
||||||
include if exists <local/systemd-binfmt>
|
include if exists <local/systemd-binfmt>
|
||||||
}
|
}
|
||||||
|
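Review bot: `flags=(attach_disconnected)` is added to the profile header in the first hunk and `deny /apparmor/.null rw,` in the second, but nothing records which disconnected path made them necessary, so a later maintainer cannot tell whether the flag can be dropped again. A comment above the header, e.g. `# attach_disconnected: TODO(review) name the disconnected path seen in the audit log`, would keep that reason with the rule. The profile body between the two hunks is outside the page.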
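--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -11,6 +11,7 @@ profile systemd-modules-load @{exec_path} {
 include <abstractions/base>
 include <abstractions/systemd-common>
 
+capability net_admin,
 capability sys_module,
 
 @{exec_path} mr,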
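Review bot: `capability net_admin,` is added above `capability sys_module,` with no comment; CAP_NET_ADMIN is a broad capability for a one-shot module loader, and the hunk gives no hint which module or operation produced the denial. Suggest documenting it inline, e.g. `# TODO(review): which module load needs net_admin?` on the line above the rule, or checking whether the denial is a side effect that a narrower rule can cover. The profile systemd-modules-load starts and ends outside the hunk.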
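--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -9,17 +9,20 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/libvirt-dbus
 profile libvirt-dbus @{exec_path} {
 include <abstractions/base>
+include <abstractions/nameservice-strict>
 include <abstractions/openssl>
 
 @{exec_path} mr,
 
 /{usr/,}{s,}bin/libvirtd rPx,
+/{usr/,}{s,}bin/virtqemud rPx,
 
 /usr/share/dbus-1/interfaces/org.libvirt.*.xml r,
 
 owner @{user_cache_dirs}/libvirt/libvirtd.lock rwk,
 
 @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
+@{run}/user/@{uid}/libvirt/virtqemud.lock rwk,
 
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node*/meminfo r,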
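Review bot: `/{usr/,}{s,}bin/virtqemud rPx,` in the middle of the hunk transitions to a dedicated profile for virtqemud; with `Px` the exec is denied when no such profile is loaded, and nothing on this page shows that profile exists. Confirm it is shipped alongside this change (as the existing libvirtd rPx line implies for libvirtd), otherwise the new code path fails closed at exec time. The added `include <abstractions/nameservice-strict>` and the virtqemud.lock rule mirror the libvirtd rules beside them and need no change. The profile libvirt-dbus continues after the hunk.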
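--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -18,6 +18,7 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) {
 /usr/share/icons/**/.icon-theme.cache rw,
 /usr/share/icons/**/icon-theme.cache rw,
 
+/var/lib/flatpak/exports/share/icons/hicolor/ r,
 /var/lib/flatpak/exports/share/icons/hicolor/.icon-theme.cache rw,
 
 deny /apparmor/.null rw,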
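--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -15,7 +15,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
 owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 
 owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw,
-owner @{run}/user/@{uid}/.dbus-proxy/{session,a11y}-bus-proxy-[0-9A-Z]* rw,
+owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw,
 owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-[0-9A-Z]* rw,
 owner @{run}/user/@{uid}/webkitgtk/bus-proxy-[0-9A-Z]* rw,
 owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-[0-9A-Z]* rw,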