general_initial

This commit is contained in:
nobody43 2023-02-19 23:40:41 +00:00 committed by Alex
parent 3eb8dd2811
commit a873af1f26
36 changed files with 640 additions and 110 deletions


@ -82,6 +82,9 @@
# investigate # investigate
# /dev/ram[0-9]* r, # /dev/ram[0-9]* r,
# ??
@{sys}/devices/pci[0-9]*/*/virtio[0-9]*/host[0-9]*/target*/*/type r,
# CD-ROM # CD-ROM
/dev/sr[0-9]* rk, /dev/sr[0-9]* rk,
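Review bot: The `# ??` comment above the new `@{sys}/devices/pci[0-9]*/*/virtio[0-9]*/host[0-9]*/target*/*/type r,` rule tells the next maintainer nothing, and the rule already sits under a `# investigate` heading that flags uncertainty. If the access was taken from an audit event, replace the comment with what triggered it, e.g. `# virtio-scsi target type, requested by <program seen in audit log>`; if the trigger is unknown, a `# TODO: identify the reader of virtio target type` is still better than `??`. The enclosing abstraction starts before this hunk.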


@ -5,5 +5,8 @@
owner @{user_cache_dirs}/nvidia/ w, owner @{user_cache_dirs}/nvidia/ w,
owner @{user_cache_dirs}/nvidia/GLCache/ rw, owner @{user_cache_dirs}/nvidia/GLCache/ rw,
owner @{user_cache_dirs}/nvidia/GLCache/** rwk, owner @{user_cache_dirs}/nvidia/GLCache/** rwk,
owner @{HOME}/.nv/nvidia-application-profiles-rc r,
/etc/nvidia/nvidia-application-profiles-rc r,
unix (send, receive) type=dgram peer=(addr="@var/run/nvidia-xdriver-*"), unix (send, receive) type=dgram peer=(addr="@var/run/nvidia-xdriver-*"),


@ -43,6 +43,8 @@ profile thunderbird @{exec_path} {
ptrace peer=@{profile_name}, ptrace peer=@{profile_name},
unix (send, receive) type=stream peer=(addr=none, label=xorg),
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
@ -76,6 +78,21 @@ profile thunderbird @{exec_path} {
member={Change,Notify} member={Change,Notify}
peer=(name=ca.desrt.dconf), peer=(name=ca.desrt.dconf),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus send bus=session path=/org/freedesktop/portal/desktops
interface=org.freedesktop.portal.Settings
member=Read
peer=(name=:*),
dbus receive bus=system path=/org/freedesktop/login[0-9]*
interface=org.freedesktop.login[0-9]*.Manager
member={UserAdded,UserRemoved}
peer=(name=:*, label=systemd-logind),
dbus bind bus=session dbus bind bus=session
name=org.mozilla.thunderbird.*, name=org.mozilla.thunderbird.*,
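Review bot: The object path of the second new portal rule, `path=/org/freedesktop/portal/desktops`, looks like a typo for `/org/freedesktop/portal/desktop`, which is the path used by the `Properties.GetAll` rule directly above it for the same service; as written the `Settings.Read` call will not match and stays denied. Suggested line: `dbus send bus=session path=/org/freedesktop/portal/desktop`. Both portal rules use `peer=(name=:*)` with no label; if the portal service is confined in this profile set, a `label=` there would tighten them, but that is secondary to the typo. The thunderbird profile starts and ends outside this hunk.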


@ -12,7 +12,7 @@ include <tunables/global>
@{firefox_config_dirs} = @{HOME}/.mozilla/ @{firefox_config_dirs} = @{HOME}/.mozilla/
@{firefox_cache_dirs} = @{user_cache_dirs}/mozilla/ @{firefox_cache_dirs} = @{user_cache_dirs}/mozilla/
@{exec_path} = /{usr/,}bin/@{firefox_name} @{firefox_lib_dirs}/@{firefox_name} @{exec_path} = /{usr/,}bin/@{firefox_name} @{firefox_lib_dirs}/@{firefox_name}{-bin,}
profile firefox @{exec_path} flags=(attach_disconnected) { profile firefox @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio> include <abstractions/audio>
@ -51,7 +51,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
dbus send bus=session path=/org/freedesktop/DBus dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={RequestName,ReleaseName} member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus send bus=session path=/ScreenSaver dbus send bus=session path=/ScreenSaver
interface=org.freedesktop.ScreenSaver interface=org.freedesktop.ScreenSaver
@ -110,12 +110,12 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
dbus send bus=session path=/org/mozilla/firefox/Remote dbus send bus=session path=/org/mozilla/firefox/Remote
interface=org.mozilla.firefox interface=org.mozilla.firefox
member=OpenURL member=OpenURL
peer=(name=org.mozilla.firefox.* label=firefox), peer=(name=org.mozilla.firefox.* label=@{profile_name}),
dbus receive bus=session path=/org/mozilla/firefox/Remote dbus receive bus=session path=/org/mozilla/firefox/Remote
interface=org.mozilla.firefox interface=org.mozilla.firefox
member=OpenURL member=OpenURL
peer=(name=:* label=firefox), peer=(name=:* label=@{profile_name}),
dbus bind bus=session dbus bind bus=session
name=org.mpris.MediaPlayer2.firefox.*, name=org.mpris.MediaPlayer2.firefox.*,
@ -173,6 +173,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
/etc/xul-ext/kwallet5.js r, /etc/xul-ext/kwallet5.js r,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{HOME}/@{XDG_DESKTOP_DIR}/ w,
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ w,
owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw, owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw,
@ -259,6 +261,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw, owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
owner /dev/tty[0-9]* rw, # File Inherit owner /dev/tty[0-9]* rw, # File Inherit
# X-tiny
/tmp/.X0-lock r,
# Silencer # Silencer
deny @{firefox_lib_dirs}/** w, deny @{firefox_lib_dirs}/** w,
deny @{run}/user/@{uid}/gnome-shell-disable-extensions w, deny @{run}/user/@{uid}/gnome-shell-disable-extensions w,
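Review bot: `/tmp/.X0-lock r,` under `# X-tiny` hard-codes display `:0`, while the rest of this commit matches any display (`@/tmp/.X11-unix/X[0-9]*` in the at-spi2-registryd section); a second X server or a nested session will be denied this read. Suggest `/tmp/.X[0-9]*-lock r,` and a comment that says what reads the lock file, since `X-tiny` does not explain it. The firefox profile starts and ends outside this hunk.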


@ -35,7 +35,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
dbus send bus=system path=/org/freedesktop/DBus dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={RequestName,GetConnectionUnixUser} member={RequestName,ReleaseName,GetConnectionUnixUser}
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
dbus bind bus=system dbus bind bus=system
@ -51,6 +51,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/passwd rPx, /{usr/,}bin/passwd rPx,
/{usr/,}bin/chage rPx, /{usr/,}bin/chage rPx,
/usr/share/language-tools/language-validate rPx, /usr/share/language-tools/language-validate rPx,
/usr/share/language-tools/set-language-helper rPUx,
/usr/share/accountsservice/{,**} r, /usr/share/accountsservice/{,**} r,
/usr/share/dbus-1/interfaces/*.xml r, /usr/share/dbus-1/interfaces/*.xml r,
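Review bot: `/usr/share/language-tools/set-language-helper rPUx,` runs the helper unconfined whenever no profile for it is loaded, whereas `language-validate` on the line above uses `rPx` and therefore fails closed. accounts-daemon runs as root and the helper, judging by its name, changes user locale settings, so the unconfined fallback widens what a compromised daemon can launch; either ship a `set-language-helper` profile and use `rPx`, or add a comment stating why the fallback is accepted, e.g. `# no dedicated profile yet, falls back to unconfined`. The accounts-daemon profile starts and ends outside this hunk.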


@ -17,6 +17,8 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
signal (receive) set=(term hup) peer=gdm*, signal (receive) set=(term hup) peer=gdm*,
signal (receive) set=(term hup kill) peer=dbus-daemon, signal (receive) set=(term hup kill) peer=dbus-daemon,
unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*", label="{xorg,xkbcomp}"),
dbus send bus=session path=/org/freedesktop/DBus dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={RequestName,ReleaseName} member={RequestName,ReleaseName}
@ -45,12 +47,12 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=Set member=Set
peer=(name=:*, label="{gnome-extension-ding,gnome-control-center}"), peer=(name=:*), # all peer's labels
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket interface=org.a11y.atspi.Socket
member=Embed member=Embed
peer=(name=:*, label="{gnome-extension-ding,gnome-control-center,spice-vdagent}"), peer=(name=:*), # all peer's labels
dbus send bus=accessibility path=/org/a11y/atspi/registry dbus send bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry interface=org.a11y.atspi.Registry
@ -60,17 +62,17 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
dbus receive bus=accessibility path=/org/a11y/atspi/registry dbus receive bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry interface=org.a11y.atspi.Registry
member=GetRegisteredEvents member=GetRegisteredEvents
peer=(name=:*, label=gnome-control-center), peer=(name=:*), # all peer's labels
dbus receive bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller dbus receive bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
interface=org.a11y.atspi.DeviceEventController interface=org.a11y.atspi.DeviceEventController
member={GetKeystrokeListeners,GetDeviceEventListeners} member={GetKeystrokeListeners,GetDeviceEventListeners}
peer=(name=:*, label="{gnome-control-center,xdg-desktop-portal-*}"), peer=(name=:*), # all peer's labels
dbus send bus=session path=/org/a11y/bus dbus send bus=session path=/org/a11y/bus
interface=org.a11y.Bus interface=org.a11y.Bus
member=GetAddress member=GetAddress
peer=(name=org.a11y.Bus, label=at-spi-bus-launcher), peer=(name=org.a11y.Bus, label="{at-spi-bus-launcher,unconfined}"),
dbus receive bus=session path=/ dbus receive bus=session path=/
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable
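Review bot: The four receive/send rules relaxed to `peer=(name=:*)` drop their label restriction entirely, so any confined process on the accessibility bus may now `Set` root properties, `Embed`, and read registered events and listeners; the `# all peer's labels` comment records the fact but not the reason. If the reason is that every AT-SPI-enabled application talks to the registry and a label list is unmaintainable, say so once above the block, e.g. `# any AT-SPI client (every accessible toolkit app) uses these calls; labels are not enumerable`. `label="{at-spi-bus-launcher,unconfined}"` on the `GetAddress` rule likewise deserves a short note on when the launcher is expected to run unconfined. The at-spi2-registryd profile starts and ends outside this hunk.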


@ -18,7 +18,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
dbus send bus=system path=/org/freedesktop/DBus dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName}, member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName,ReleaseName},
dbus (send,receive) bus=system path=/org/freedesktop/ColorManager{,/**} dbus (send,receive) bus=system path=/org/freedesktop/ColorManager{,/**}
interface=org.freedesktop.ColorManager*, interface=org.freedesktop.ColorManager*,
@ -30,8 +30,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority interface=org.freedesktop.PolicyKit[0-9].Authority
member=Changed peer=(name=:*, label=polkitd), # all members
peer=(name=:*, label=polkitd),
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
@ -43,10 +42,15 @@ profile colord @{exec_path} flags=(attach_disconnected) {
member=GetAll member=GetAll
peer=(name=:*, label="{gsd-color,colord-sane,gnome-control-center}"), peer=(name=:*, label="{gsd-color,colord-sane,gnome-control-center}"),
dbus (send, receive) bus=system path=/org/freedesktop/ColorManager dbus send bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll member=GetAll
peer=(name=:*, label=colord), peer=(name=:*, label=@{profile_name}),
dbus receive bus=system path=/org/freedesktop/ColorManager/**
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=@{profile_name}),
dbus bind bus=system dbus bind bus=system
name=org.freedesktop.ColorManager, name=org.freedesktop.ColorManager,
@ -67,8 +71,9 @@ profile colord @{exec_path} flags=(attach_disconnected) {
owner /var/lib/colord/.cache/** rw, owner /var/lib/colord/.cache/** rw,
owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk, owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk,
@{system_share_dirs}/mime/mime.cache r,
/var/lib/gdm{3,}/.local/share/icc/edid-*.icc r, /var/lib/gdm{3,}/.local/share/icc/edid-*.icc r,
/var/lib/flatpak/exports/share/mime/mime.cache r,
@{system_share_dirs}/mime/mime.cache r,
@{user_share_dirs}/icc/edid-*.icc r, @{user_share_dirs}/icc/edid-*.icc r,


@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{libexec}/{,colord/}colord-sane @{exec_path} = @{libexec}/{,colord/}colord-sane
profile colord-sane @{exec_path} flags=(attach_disconnected,complain) { profile colord-sane @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/devices-usb> include <abstractions/devices-usb>
@ -26,7 +26,7 @@ profile colord-sane @{exec_path} flags=(attach_disconnected,complain) {
member={GetAPIVersion,GetState,ServiceBrowserNew,Ping} member={GetAPIVersion,GetState,ServiceBrowserNew,Ping}
peer=(name=org.freedesktop.Avahi), peer=(name=org.freedesktop.Avahi),
dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9] dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9]*
interface=org.freedesktop.Avahi.ServiceBrowser interface=org.freedesktop.Avahi.ServiceBrowser
member={CacheExhausted,AllForNow}, member={CacheExhausted,AllForNow},
@ -46,7 +46,11 @@ profile colord-sane @{exec_path} flags=(attach_disconnected,complain) {
@{sys}/bus/scsi/devices/ r, @{sys}/bus/scsi/devices/ r,
@{sys}/devices/pci[0-9]*/**/{vendor,model,type} r, @{sys}/devices/pci[0-9]*/**/{vendor,model,type} r,
@{PROC}/sys/dev/parport/parport[0-9]*/base-addr r,
@{PROC}/sys/dev/parport/parport[0-9]*/irq r,
@{PROC}/sys/dev/parport/ r, @{PROC}/sys/dev/parport/ r,
/dev/parport[0-9]* r,
include if exists <local/colord-sane> include if exists <local/colord-sane>
} }
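Review bot: Dropping `complain` from the colord-sane profile header moves it to enforce mode, and the same switch is made for colord-session, networkctl, mount and pkexec in this commit, yet the title `general_initial` and the missing description give no hint that several profiles change enforcement state. From the diff alone a reviewer cannot tell which of them were exercised before enforcing (the `ServiceBrowser[0-9]*` widening and the new parport rules suggest colord-sane was). Consider stating which profiles were tested and keeping the enforcement changes for the setuid and mount-capable binaries (pkexec, mount) in their own commit so they can be reverted independently.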


@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{libexec}/{,colord/}colord-session @{exec_path} = @{libexec}/{,colord/}colord-session
profile colord-session @{exec_path} flags=(complain) { profile colord-session @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} mr, @{exec_path} mr,


@ -22,13 +22,12 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) {
dbus send bus=session path=/ca/desrt/dconf/Writer/user dbus send bus=session path=/ca/desrt/dconf/Writer/user
interface=ca.desrt.dconf.Writer interface=ca.desrt.dconf.Writer
member=Notify peer=(name=org.freedesktop.DBus), # all members and peer's labels
peer=(name=org.freedesktop.DBus), # all peer's labels
dbus receive bus=session path=/ca/desrt/dconf/Writer/user dbus receive bus=session path=/ca/desrt/dconf/Writer/user
interface=ca.desrt.dconf.Writer interface=ca.desrt.dconf.Writer
member=Change member=Change
peer=(name=:*, label=gnome-control-center), peer=(name=:*), # all peer's labels
dbus receive bus=session path=/ dbus receive bus=session path=/
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable


@ -21,13 +21,17 @@ profile polkitd @{exec_path} {
ptrace (read), ptrace (read),
dbus (send) bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit1/* dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit1/*
interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit1.*}, # all members interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit1.*}, # all members
dbus (send) bus=system path=/org/freedesktop/DBus dbus send bus=system path=/org/gnome/PolicyKit1/*
interface=org.freedesktop.DBus interface=org.freedesktop.PolicyKit1.AuthenticationAgent
member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName} peer=(name=:*), # all members
peer=(name=org.freedesktop.DBus),
dbus (bind) bus=system dbus (bind) bus=system
name=org.freedesktop.PolicyKit1, name=org.freedesktop.PolicyKit1,
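Review bot: The new `AuthenticationAgent` send rule matches only `path=/org/gnome/PolicyKit1/*`, so polkitd can begin authentication only with agents registered under the GNOME object path; agents from other desktops register at their own paths (KDE's under `/org/kde/PolicyKit1/`, if I recall correctly, please verify) and would be denied. Either widen the path to the agents this profile set supports or mark the rule with a comment such as `# GNOME agent only; other agents register at their own object path`. `peer=(name=:*)` without a label is reasonable here since any session agent may answer, but that is also worth a one-line comment. The polkitd profile starts and ends outside this hunk.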


@ -22,6 +22,7 @@ profile pulseaudio @{exec_path} {
include <abstractions/hosts_access> include <abstractions/hosts_access>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/X-strict> include <abstractions/X-strict>
include <abstractions/freedesktop.org>
ptrace (trace) peer=@{profile_name}, ptrace (trace) peer=@{profile_name},
@ -113,10 +114,8 @@ profile pulseaudio @{exec_path} {
/{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix, /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
/{usr/,}lib/pulse-*/modules/*.so mr, /{usr/,}lib/pulse-*/modules/*.so mr,
/usr/share/applications/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/pulseaudio/{,**} r, /usr/share/pulseaudio/{,**} r,
/usr/share/ubuntu/applications/{,*} r,
/var/lib/snapd/desktop/applications/ r, /var/lib/snapd/desktop/applications/ r,


@ -29,7 +29,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
member=Get member=Get
peer=(name=org.freedesktop.login[0-9]), peer=(name=org.freedesktop.login[0-9]),
dbus receive bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]* dbus receive bus=system path=/org/freedesktop/login[0-9]/session/*
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=PropertiesChanged member=PropertiesChanged
peer=(name=:*, label=systemd-logind), peer=(name=:*, label=systemd-logind),
@ -41,8 +41,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
dbus (send, receive) bus=session path=/org/gnome/keyring/daemon dbus (send, receive) bus=session path=/org/gnome/keyring/daemon
interface=org.gnome.keyring.Daemon interface=org.gnome.keyring.Daemon
member=GetControlDirectory peer=(name="{org.gnome.keyring,:*}", label=@{profile_name}), # all members
peer=(name="{org.gnome.keyring,:*}", label=gnome-keyring-daemon), # itself
dbus receive bus=session path=/org/freedesktop/secrets dbus receive bus=session path=/org/freedesktop/secrets
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
@ -54,6 +53,41 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
member=SearchItems member=SearchItems
peer=(name=:*, label=gnome-shell), peer=(name=:*, label=gnome-shell),
dbus receive bus=session path=/org/freedesktop/secrets/aliases/default
interface=org.freedesktop.Secret.Collection
member=CreateItem
peer=(name=:*),
dbus receive bus=session path=/org/freedesktop/secrets/aliases/default
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus send bus=session path=/org/freedesktop/secrets/collection/login
interface=org.freedesktop.Secret.Collection
member=ItemCreated
peer=(name=org.freedesktop.DBus),
dbus send bus=session path=/org/freedesktop/secrets/collection/login
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=org.freedesktop.DBus),
dbus receive bus=session path=/org/freedesktop/secrets
interface=org.freedesktop.Secret.Service
member={ReadAlias,OpenSession}
peer=(name=:*),
dbus receive bus=session path=/org/freedesktop/secrets/collection/login/[0-9]*
interface=org.freedesktop.Secret.Item
member=GetSecret
peer=(name=:*),
dbus receive bus=session path=/org/freedesktop/secrets{,/collection/**}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus receive bus=session path=/org/freedesktop/portal/desktop dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll member=GetAll
@ -64,6 +98,11 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
member=Introspect member=Introspect
peer=(name=:*, label=gnome-shell), peer=(name=:*, label=gnome-shell),
dbus receive bus=session path=/org/freedesktop/secrets
interface=org.freedesktop.Secret.Service
member={GetSecrets,SearchItems}
peer=(name=:*), # label="{unconfined,remmina}"),
dbus bind bus=session dbus bind bus=session
name=org.gnome.keyring, name=org.gnome.keyring,
@ -88,6 +127,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/.local/ w, owner @{HOME}/.local/ w,
owner @{HOME}/.local/share/ w, owner @{HOME}/.local/share/ w,
owner @{HOME}/.xsession-errors w,
owner @{run}/user/@{uid}/keyring/ rw, owner @{run}/user/@{uid}/keyring/ rw,
owner @{run}/user/@{uid}/keyring/* rw, owner @{run}/user/@{uid}/keyring/* rw,
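Review bot: The trailing comment on the new `GetSecrets,SearchItems` receive rule, `peer=(name=:*), # label="{unconfined,remmina}"),`, is a label restriction that was commented out mid-line and leaves a dangling `)`; either restore `label=` or replace the remnant with the reason the restriction was dropped. The new `GetSecret`, `CreateItem` and `ReadAlias,OpenSession` receive rules likewise accept any peer label; for a Secret Service that is presumably the intended shape (any application stores and retrieves its own items, and the keyring rather than AppArmor decides what a caller may see), but one comment at the top of the block stating that would stop the next reader from treating it as an oversight. The gnome-keyring-daemon profile starts and ends outside this hunk.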


@ -18,6 +18,7 @@ profile tracker-extract @{exec_path} {
include <abstractions/opencl-nvidia> include <abstractions/opencl-nvidia>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/X-strict> include <abstractions/X-strict>
include <abstractions/freedesktop.org>
network netlink raw, network netlink raw,
@ -35,13 +36,15 @@ profile tracker-extract @{exec_path} {
dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
interface=org.freedesktop.Tracker3.Endpoint interface=org.freedesktop.Tracker3.Endpoint
member=Query peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner), # all members
peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner),
dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint
interface=org.freedesktop.Tracker3.Endpoint interface=org.freedesktop.Tracker3.Endpoint
member=GraphUpdated peer=(name=:*, label=tracker-miner), # all members
peer=(name=:*, label=tracker-miner),
dbus send bus=session path=/org/freedesktop/Tracker3/Miner/**
interface=org.freedesktop.Tracker3.Miner
peer=(name=org.freedesktop.DBus, label=tracker-miner), # all members
dbus send bus=session path=/org/gtk/vfs/mounttracker dbus send bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker interface=org.gtk.vfs.MountTracker
@ -63,8 +66,6 @@ profile tracker-extract @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/usr/share/applications/*.desktop r,
/usr/share/applications/mimeinfo.cache r,
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/hwdata/*.ids r, /usr/share/hwdata/*.ids r,
@ -85,6 +86,8 @@ profile tracker-extract @{exec_path} {
/var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw, /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
/var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/gdm{3,}/greeter-dconf-defaults r,
/var/lib/lightdm/.cache/gstreamer-1.0/registry.*.bin{,.tmp??????} r,
/var/lib/flatpak/exports/share/applications/mimeinfo.cache r, /var/lib/flatpak/exports/share/applications/mimeinfo.cache r,
/var/lib/flatpak/exports/share/mime/mime.cache r, /var/lib/flatpak/exports/share/mime/mime.cache r,
/var/lib/snapd/desktop/applications/*.desktop r, /var/lib/snapd/desktop/applications/*.desktop r,


@ -58,12 +58,14 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
interface=org.freedesktop.Tracker3.Endpoint interface=org.freedesktop.Tracker3.Endpoint
member=GraphUpdated peer=(name=org.freedesktop.DBus, label=tracker-extract), # all members
peer=(name=org.freedesktop.DBus, label=tracker-extract),
dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint
interface=org.freedesktop.Tracker3.Endpoint interface=org.freedesktop.Tracker3.Endpoint
member=Query peer=(name=:*, label=tracker-extract), # all members
dbus receive bus=session path=/org/freedesktop/Tracker3/Miner/**
interface=org.freedesktop.Tracker3.Miner
peer=(name=:*, label=tracker-extract), peer=(name=:*, label=tracker-extract),
dbus receive bus=session path=/{,org} dbus receive bus=session path=/{,org}
@ -82,7 +84,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
/usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
/usr/share/tracker3-miners/{,**} r, /usr/share/tracker3-miners/{,**} r,
/usr/share/tracker3/{,**} r, /usr/share/tracker3/{,**} r,
/usr/share/ubuntu/applications/ r,
/etc/fstab r, /etc/fstab r,
@ -94,6 +95,10 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm{3,}/.local/share/applications/ r, /var/lib/gdm{3,}/.local/share/applications/ r,
/var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/gdm{3,}/greeter-dconf-defaults r,
/var/lib/lightdm/.config/dconf/user r,
/var/lib/lightdm/.cache/tracker3/files/meta.db{,-wal} rwk,
/var/lib/lightdm/.cache/tracker3/files/no-need-mtime-check.txt{,.??????} rw,
owner /var/tmp/etilqs_@{hex} rw, owner /var/tmp/etilqs_@{hex} rw,
# Allow to search user files # Allow to search user files


@ -12,6 +12,7 @@ profile networkd-dispatcher @{exec_path} {
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/python> include <abstractions/python>
include <abstractions/openssl>
dbus receive bus=system path=/org/freedesktop/network1/link/* dbus receive bus=system path=/org/freedesktop/network1/link/*
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties


@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/networkctl @{exec_path} = /{usr/,}bin/networkctl
profile networkctl @{exec_path} flags=(attach_disconnected,complain) { profile networkctl @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-machined @{exec_path} = /{usr/,}lib/systemd/systemd-machined
profile systemd-machined @{exec_path} { profile systemd-machined @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/systemd-common> include <abstractions/systemd-common>
capability chown, capability chown,
@ -23,6 +24,44 @@ profile systemd-machined @{exec_path} {
capability sys_chroot, capability sys_chroot,
capability sys_ptrace, capability sys_ptrace,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetConnectionUnixUser
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus send bus=system path=/org/freedesktop/systemd1/{,{unit,job}/*}
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.systemd1),
dbus receive bus=system path=/org/freedesktop/systemd1{,/{unit,job}/*}
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*),
dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member={StopUnit,UnrefUnit,StartTransientUnit,Subscribe}
peer=(name=org.freedesktop.systemd1),
dbus receive bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member={JobRemoved,UnitRemoved,Reloading}
peer=(name=:*),
dbus receive bus=system path=/org/freedesktop/machine1
interface=org.freedesktop.machine1.Manager
member={TerminateMachine,GetMachineByPID,CreateMachineWithNetwork}
peer=(name=:*, label=libvirtd),
dbus receive bus=system path=/org/freedesktop/machine1/machine/*
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=:*, label=libvirtd),
dbus bind bus=system
name=org.freedesktop.machine1,
@{exec_path} mr, @{exec_path} mr,
/var/lib/machines/{,**} rw, /var/lib/machines/{,**} rw,
@ -30,6 +69,7 @@ profile systemd-machined @{exec_path} {
@{run}/systemd/machines/{,**} rw, @{run}/systemd/machines/{,**} rw,
@{run}/systemd/userdb/io.systemd.Machine rw, @{run}/systemd/userdb/io.systemd.Machine rw,
@{run}/systemd/notify w,
include if exists <local/systemd-machined> include if exists <local/systemd-machined>
} }
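Review bot: The `machine1.Manager` receive rule and the `machine/*` properties rule accept only `label=libvirtd`, so any other confined client of machined (systemd-nspawn and machinectl use the same manager interface, if I recall correctly) will be denied `CreateMachineWithNetwork`/`TerminateMachine`. If libvirtd is deliberately the only supported caller, say so above the rule, e.g. `# libvirtd is the only confined machine manager here; others run unconfined`; otherwise list the expected labels. Separately, `GetConnectionUnixUser` is sent with `label=dbus-daemon` here while the accounts-daemon and colord sections of this commit omit the label on the same call; one form should be used throughout.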


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/virtlogd @{exec_path} = /{usr/,}{s,}bin/virtlogd
profile virtlogd @{exec_path} flags=(attach_disconnected) { profile virtlogd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/openssl> include <abstractions/openssl>
@ -30,6 +30,7 @@ profile virtlogd @{exec_path} flags=(attach_disconnected) {
@{run}/libvirt/common/system.token rwk, @{run}/libvirt/common/system.token rwk,
@{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/libvirt/virtlogd-sock rw,
@{run}/virtlogd.pid rwk, @{run}/virtlogd.pid rwk,
@{sys}/devices/system/node/ r, @{sys}/devices/system/node/ r,


@ -31,6 +31,7 @@ profile acpi-powerbtn flags=(attach_disconnected) {
@{PROC} r, @{PROC} r,
@{PROC}/uptime r, @{PROC}/uptime r,
@{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/stat r,
deny / r, deny / r,


@ -0,0 +1,29 @@
# apparmor.d - Full set of apparmor profiles
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{,usr/}bin/loginctl
profile loginctl @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-strict>
capability sys_resource,
capability net_admin,
@{exec_path} mr,
dbus (send) bus=system path=/org/freedesktop/login[0-9]*
interface=org.freedesktop.login[0-9]*.Manager
member={ListSessions,GetSession}
peer=(name=org.freedesktop.login[0-9]* label=systemd-logind),
dbus (send) bus=system path=/org/freedesktop/login[0-9]*/session/**
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name=org.freedesktop.login[0-9]* label=systemd-logind),
include if exists <local/loginctl>
}
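Review bot: `capability net_admin,` in the new loginctl profile has no visible justification: the rest of the profile is a D-Bus client (`ListSessions`, `GetSession`, property reads) plus reading its own binary, and net_admin is a powerful capability to hand a root-run tool. If it was copied from an audit event, annotate it with the operation that requested it, e.g. `capability net_admin, # TODO: needed for <operation from audit log>`, otherwise drop it and re-test; `capability sys_resource,` deserves the same treatment. `@{exec_path} = /{,usr/}bin/loginctl` also uses a different spelling from the `/{usr/,}bin/` form in the networkctl and mount sections; both expand the same, but one spelling keeps grepping simple.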


@ -46,6 +46,10 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/mysqladmin rPUx, /{usr/,}bin/mysqladmin rPUx,
/{usr/,}bin/systemd-tty-ask-password-agent rPx, /{usr/,}bin/systemd-tty-ask-password-agent rPx,
/{usr/,}lib/php/php[7-8].[3-4]-fpm-reopenlogs rPUx, /{usr/,}lib/php/php[7-8].[3-4]-fpm-reopenlogs rPUx,
/etc/init.d/nginx rPUx,
/{usr/,}{s,}bin/squid rPUx,
/{usr/,}bin/pgrep rCx -> pgrep,
# no new privs # no new privs
#/{usr/,}bin/systemctl rCx -> systemctl, #/{usr/,}bin/systemctl rCx -> systemctl,
@ -98,5 +102,18 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
include if exists <local/logrotate_systemctl> include if exists <local/logrotate_systemctl>
} }
profile pgrep {
include <abstractions/base>
/{usr/,}bin/pgrep mr,
# The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.
@{PROC}/ r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
include if exists <local/logrotate_pgrep>
}
include if exists <local/logrotate> include if exists <local/logrotate>
} }
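Review bot: The comment in the new `pgrep` child profile, `# The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.`, has a typo (`radable` → `readable`). On permissions, `/etc/init.d/nginx rPUx,` and `/{usr/,}{s,}bin/squid rPUx,` run those helpers unconfined from a root daemon when no profile is loaded, while `pgrep` directly beneath them gets a child profile, which is the safer pattern; consider the same for the init script, or a comment stating why the fallback is acceptable. The child profile reads only `@{PROC}/@{pids}/cmdline`; if pgrep is invoked with options that read other per-process files, widen from the audit log rather than pre-emptively. The logrotate profile starts outside this hunk.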


@ -9,7 +9,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/mount @{exec_path} = /{usr/,}{s,}bin/mount
profile mount @{exec_path} flags=(complain) { profile mount @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/disks-write> include <abstractions/disks-write>


@ -27,7 +27,7 @@ profile nmap @{exec_path} {
network netlink raw, network netlink raw,
network packet raw, network packet raw,
@{exec_path} r, @{exec_path} mr,
owner @{PROC}/@{pid}/net/dev r, owner @{PROC}/@{pid}/net/dev r,
owner @{PROC}/@{pid}/net/if_inet6 r, owner @{PROC}/@{pid}/net/if_inet6 r,


@ -0,0 +1,15 @@
# apparmor.d - Full set of apparmor profiles
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{,usr/}bin/nvidia-detector
profile nvidia-detector @{exec_path} {
include <abstractions/base>
@{exec_path} r,
include if exists <local/nvidia-detector>
}


@ -0,0 +1,26 @@
# apparmor.d - Full set of apparmor profiles
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{,usr/}bin/nvidia-persistenced
profile nvidia-persistenced @{exec_path} {
include <abstractions/base>
include <abstractions/nvidia>
include <abstractions/nameservice-strict>
capability chown,
capability setgid,
capability setuid,
@{exec_path} r,
/etc/netconfig r,
@{run}/nvidia-persistenced/{,**} rw,
@{run}/nvidia-persistenced/*.pid k,
include if exists <local/nvidia-persistenced>
}
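Review bot: `@{exec_path} r,` in the new nvidia-persistenced profile (and `@{exec_path} r,` in the new nvidia-detector profile above it) grants read but not map permission, while every other profile touched here uses `@{exec_path} mr,` and the nmap hunk in this same commit changes exactly `r` to `mr`. For a native daemon I would expect the missing `m` to surface as a denial once the profile is enforced; suggest `@{exec_path} mr,` for nvidia-persistenced, and for nvidia-detector check whether it is a native binary or a script, since a script needs the interpreter's abstraction instead. The `/{,usr/}bin/` spelling of both exec paths also differs from the `/{usr/,}bin/` form used elsewhere in this commit.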


@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/pkexec @{exec_path} = /{usr/,}bin/pkexec
profile pkexec @{exec_path} flags=(complain) { profile pkexec @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/authentication> include <abstractions/authentication>
include <abstractions/consoles> include <abstractions/consoles>
@ -23,7 +23,8 @@ profile pkexec @{exec_path} flags=(complain) {
capability setgid, # gdbus capability setgid, # gdbus
capability setuid, # gmain capability setuid, # gmain
capability sys_ptrace, capability sys_ptrace,
audit deny capability sys_nice, capability sys_nice,
capability sys_resource,
ptrace (read), ptrace (read),
@ -54,6 +55,7 @@ profile pkexec @{exec_path} flags=(complain) {
# Apps to be run via pkexec # Apps to be run via pkexec
/{usr/,}{s,}bin/* rPUx, /{usr/,}{s,}bin/* rPUx,
/{usr/,}lib/gvfs/gvfsd-admin rPUx, #(#FIXME#) /{usr/,}lib/gvfs/gvfsd-admin rPUx, #(#FIXME#)
@{libexec}/polkit-agent-helper-[0-9] rPx,
/{usr/,}lib/polkit-agent-helper-[0-9] rPx, /{usr/,}lib/polkit-agent-helper-[0-9] rPx,
/{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
/{usr/,}lib/update-notifier/package-system-locked rPx, /{usr/,}lib/update-notifier/package-system-locked rPx,
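Review bot: Flipping `audit deny capability sys_nice` to a plain allow and adding `capability sys_resource` widens the capability set of a setuid-root binary with no recorded reason. The neighbouring lines justify their capabilities (`# gdbus`, `# gmain`); these two should say which observed operation needed them, e.g. `capability sys_nice, # TODO: which denial?`, or the original `audit deny` should stay until a denial is actually on record. The header flag removal is neutral here since the flags file gains a `pkexec complain` entry in the same commit. The profile body continues outside these hunks.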


@ -31,11 +31,13 @@ profile qbittorrent @{exec_path} {
include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-network-manager-strict> include <abstractions/dbus-network-manager-strict>
include <abstractions/dbus-gtk> include <abstractions/dbus-gtk>
include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/wayland> include <abstractions/wayland>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/nvidia>
signal send set=(term, kill) peer=qbittorrent//python3, signal send set=(term, kill) peer=qbittorrent//python3,
@ -46,16 +48,16 @@ profile qbittorrent @{exec_path} {
network netlink dgram, network netlink dgram,
network netlink raw, network netlink raw,
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus send bus=session path=/StatusNotifierWatcher dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable
member=Introspect member=Introspect
peer=(name=org.kde.StatusNotifierWatcher), peer=(name=org.kde.StatusNotifierWatcher),
dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.kde.StatusNotifierWatcher),
dbus send bus=session path=/StatusNotifierWatcher dbus send bus=session path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierWatcher interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem member=RegisterStatusNotifierItem
@ -71,12 +73,12 @@ profile qbittorrent @{exec_path} {
member=Activate member=Activate
peer=(name=:*), peer=(name=:*),
dbus receive bus=session path=/StatusNotifierItem dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll member=Get
peer=(name=:*), peer=(name=org.kde.StatusNotifierWatcher),
dbus receive bus=session path=/MenuBar dbus receive bus=session path={/StatusNotifierItem,/MenuBar}
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll member=GetAll
peer=(name=:*), peer=(name=:*),
@ -91,11 +93,6 @@ profile qbittorrent @{exec_path} {
member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event} member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}
peer=(name=:*), peer=(name=:*),
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket interface=org.a11y.atspi.Socket
member=Embed member=Embed
@ -227,6 +224,7 @@ profile qbittorrent @{exec_path} {
/{usr/,}bin/{g,m,}awk rix, /{usr/,}bin/{g,m,}awk rix,
/{usr/,}bin/readlink rix, /{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix, /{usr/,}bin/basename rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/xfce4-mime-helper rix, /{usr/,}bin/xfce4-mime-helper rix,
owner @{HOME}/ r, owner @{HOME}/ r,


@ -0,0 +1,145 @@
# apparmor.d - Full set of apparmor profiles
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{,usr/}bin/remmina
profile remmina @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/ibus>
include <abstractions/dconf-write>
include <abstractions/fonts>
include <abstractions/ssl_certs>
include <abstractions/openssl>
include <abstractions/freedesktop.org>
include <abstractions/dbus-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-gtk>
network inet stream,
network inet6 stream,
network netlink raw,
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus send bus=session path=/org/freedesktop/secrets{,/collection/login{,/[0-9]*}}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gnome-keyring-daemon),
dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=org.kde.StatusNotifierWatcher),
dbus send bus=session path=/org/freedesktop/secrets
interface=org.freedesktop.Secret.Service
member={OpenSession,GetSecrets,SearchItems,ReadAlias}
peer=(name=:*, label=gnome-keyring-daemon),
dbus (send, receive) bus=session path=/org/ayatana/NotificationItem/remmina_icon{,/**}
peer=(name="{:*,org.freedesktop.DBus}"), # all interfaces and members
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry),
dbus send bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=GetRegisteredEvents
peer=(name=org.a11y.atspi.Registry),
dbus receive bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=EventListenerDeregistered
peer=(name=:*),
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name=:*),
dbus send bus=session path=/org/freedesktop/secrets/collection/session
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gnome-keyring-daemon),
dbus send bus=system path=/org/freedesktop/hostname[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus send bus=session path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem
peer=(name=:*),
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
interface=org.a11y.atspi.DeviceEventController
member={GetKeystrokeListeners,GetDeviceEventListeners}
peer=(name=org.a11y.atspi.Registry),
dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
interface=org.gtk.Private.RemoteVolumeMonitor
member={IsSupported,List}
peer=(name=:*),
dbus send bus=session path=/org/freedesktop/secrets/aliases/default
interface=org.freedesktop.Secret.Collection
member=CreateItem
peer=(name=org.freedesktop.secrets, label=gnome-keyring-daemon),
dbus receive bus=session path=/org/freedesktop/secrets/collection/login
interface=org.freedesktop.Secret.Collection
member=ItemCreated
peer=(name=:*, label=gnome-keyring-daemon),
dbus receive bus=session path=/org/freedesktop/secrets/collection/login
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=gnome-keyring-daemon),
dbus bind bus=session
name=org.remmina.Remmina,
@{exec_path} r,
/etc/timezone r,
/etc/ssh/ssh_config r,
/etc/ssh/ssh_config.d/{,*} r,
/usr/share/remmina/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{user_config_dirs}/autostart/remmina-applet.desktop r,
owner @{user_config_dirs}/gtk-3.0/bookmarks r,
owner @{user_config_dirs}/freerdp/known_hosts2 rwk,
owner @{user_config_dirs}/remmina/{,**} rw,
owner @{user_share_dirs}/remmina/{,**} rw,
owner @{user_cache_dirs}/remmina/{,**} rw,
owner @{HOME}/@{XDG_SSH_DIR}/{,*} r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/mountinfo r,
owner @{run}/user/@{uid}/keyring/ssh rw,
# gtk-tiny
/etc/gtk-3.0/settings.ini r,
/usr/share/themes/{,**} r,
# X-strict
owner @{HOME}/.Xauthority r,
owner @{HOME}/.xsession-errors w,
unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*", label="{xorg,xkbcomp}"),
/etc/X11/{,**} r,
include if exists <local/remmina>
}


@ -9,6 +9,7 @@ include <tunables/global>
profile rustdesk @{exec_path} { profile rustdesk @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/audio>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/X-strict> include <abstractions/X-strict>
include <abstractions/fonts> include <abstractions/fonts>
@ -18,6 +19,9 @@ profile rustdesk @{exec_path} {
include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-gtk> include <abstractions/dbus-gtk>
capability dac_read_search,
capability dac_override,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
@ -46,15 +50,22 @@ profile rustdesk @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
/{,usr/}bin/w rPx,
/{,usr/}bin/ps rPx, /{,usr/}bin/ps rPx,
/{,usr/}bin/whoami rPx, /{,usr/}bin/whoami rPx,
/{,usr/}bin/loginctl rPx, /{,usr/}bin/loginctl rPx,
/{,usr/}bin/curl rix, /{,usr/}bin/curl rix,
/{,usr/}bin/ls rix,
/{,usr/}bin/python3.[0-9]* rCx -> python, /{,usr/}bin/python3.[0-9]* rPx -> rustdesk_python,
/{,usr/}bin/{,ba,da}sh rPx -> rustdesk_shell,
owner /tmp/[rR]ust[dD]esk/{,**} rw, /etc/gdm{,3}/custom.conf r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{HOME}/.local/ w,
owner @{user_share_dirs}/ w,
owner @{user_share_dirs}/logs/ w,
owner @{user_share_dirs}/logs/[rR]ust[dD]esk/{,**} rw, owner @{user_share_dirs}/logs/[rR]ust[dD]esk/{,**} rw,
owner @{user_config_dirs}/[rR]ust[dD]esk/{,**} rw, owner @{user_config_dirs}/[rR]ust[dD]esk/{,**} rw,
@ -64,6 +75,27 @@ profile rustdesk @{exec_path} {
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
# grep ps
@{PROC} r,
capability sys_ptrace,
ptrace (read),
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/environ r,
@{PROC}/@{pid}/io r,
@{PROC}/@{pid}/task/ r,
@{PROC}/@{pid}/task/@{tid}/stat r,
@{PROC}/@{pid}/task/@{tid}/io r,
@{PROC}/@{pid}/task/@{tid}/status r,
# service and GUI intercommunication
@{HOME}/.Xauthority r,
@{run}/user/@{uid}/.mutter-Xwaylandauth.?????? r,
@{run}/user/@{uid}/gdm{,3}/Xauthority r,
/tmp/[rR]ust[dD]esk/{,**} rw,
/tmp/.X11-unix/ r,
/var/lib/lightdm/.Xauthority r,
# pulse # pulse
/dev/shm/ r, /dev/shm/ r,
/etc/pulse/client.conf r, /etc/pulse/client.conf r,
@ -72,8 +104,11 @@ profile rustdesk @{exec_path} {
owner @{run}/user/@{uid}/pulse/native rw, owner @{run}/user/@{uid}/pulse/native rw,
owner @{user_config_dirs}/pulse/ rw, owner @{user_config_dirs}/pulse/ rw,
owner @{user_config_dirs}/pulse/cookie rwk, owner @{user_config_dirs}/pulse/cookie rwk,
owner @{user_config_dirs}/pulse/*-runtime{,.tmp} rw,
owner /tmp/pulse-*/ rw,
# gtk-tiny # gtk-tiny
/usr/share/themes/{,**} r,
/etc/gtk-3.0/settings.ini r, /etc/gtk-3.0/settings.ini r,
/usr/share/themes/*/gtk-3.0/gtk.css r, /usr/share/themes/*/gtk-3.0/gtk.css r,
@ -84,43 +119,52 @@ profile rustdesk @{exec_path} {
# file_inherit, X-tiny # file_inherit, X-tiny
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
# excessive? # Do not reveal username (pop-up only)
deny @{PROC} r, deny /etc/passwd r,
# @{PROC} r,
# capability sys_ptrace,
# ptrace (read),
# owner @{PROC}/@{pid}/stat r,
# owner @{PROC}/@{pid}/environ r,
# owner @{PROC}/@{pid}/io r,
# owner @{PROC}/@{pid}/task/ r,
# owner @{PROC}/@{pid}/task/@{tid}/stat r,
# owner @{PROC}/@{pid}/task/@{tid}/io r,
# owner @{PROC}/@{pid}/task/@{tid}/status r,
profile python { # It's possible to disable root-based service ('systemctl disable rustdesk.service') and use RD only on-demand (or as client-only). After that, sudo isn't necessary.
# deny /{,usr/}bin/sudo x,
/{,usr/}bin/sudo rCx -> sudo,
profile sudo {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/consoles>
include <abstractions/python> include <abstractions/python>
include <abstractions/openssl> include <abstractions/wutmp>
/{,usr/}bin/python3.[0-9]* r, capability sys_resource,
capability setuid,
capability setgid,
capability audit_write,
/{,usr/}bin/{,ba,da}sh rix, network netlink raw,
/{,usr/}bin/chmod rix,
/{,usr/}bin/uname rPx,
/usr/share/rustdesk/files/pynput_service.py rPx,
/{,usr/}bin/sudo r,
/etc/sudo.conf r,
/etc/sudoers r,
/etc/pam.d/* r,
/etc/login.defs r,
/etc/shadow r,
/etc/security/capability.conf r,
/etc/security/limits.conf r,
/etc/security/limits.d/{,*} r,
/etc/security/pam_env.conf r,
/etc/sudoers.d/{,*} r,
/etc/environment r,
/etc/default/locale r,
/usr/libexec/sudo/libsudo_util.so* mr,
/usr/libexec/sudo/sudoers.so mr,
@{PROC}/1/limits r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
/usr/share/[rR]ust[dD]esk/files/{,**} r, /{,usr/}{,local/}bin/rustdesk rPx,
owner /tmp/[rR]ust[dD]esk/ w, /{,usr/}bin/python3.[0-9]* rPx -> rustdesk_python,
owner /tmp/[rR]ust[dD]esk/pynput_service rw,
# X-tiny include if exists <local/rustdesk_sudo>
/tmp/.X11-unix/* rw,
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.Xauthority r,
include if exists <local/rustdesk_python>
} }
include if exists <local/rustdesk> include if exists <local/rustdesk>
@ -133,3 +177,61 @@ profile rustdesk_pynput_service /usr/share/rustdesk/files/pynput_service.py {
include if exists <local/rustdesk_pynput_service> include if exists <local/rustdesk_pynput_service>
} }
profile rustdesk_python {
include <abstractions/base>
include <abstractions/python>
include <abstractions/openssl>
capability dac_read_search,
capability dac_override,
/{,usr/}bin/python3.[0-9]* r,
/{,usr/}bin/{,ba,da}sh rix,
/{,usr/}bin/chmod rix,
/{,usr/}bin/uname rPx,
/usr/share/rustdesk/files/pynput_service.py rPx,
/usr/local/lib/python3.[0-9]*/dist-packages/pynput/{,**} r,
/usr/share/[rR]ust[dD]esk/files/{,**} r,
/tmp/[rR]ust[dD]esk/ w,
/tmp/[rR]ust[dD]esk/pynput_service rw,
@{run}/user/@{uid}/gdm{,3}/Xauthority r,
owner @{PROC}/@{pid}/fd/ r,
# X-tiny
/tmp/.X11-unix/* rw,
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.Xauthority r,
include if exists <local/rustdesk_python>
}
profile rustdesk_shell {
include <abstractions/base>
capability sys_ptrace,
capability dac_read_search,
deny capability dac_override,
ptrace (read),
/{,usr/}bin/{,ba,da}sh r,
/{,usr/}bin/tr rix,
/{,usr/}bin/{,e}grep rix,
/{,usr/}bin/tail rix,
/{,usr/}bin/xargs rix,
/{,usr/}bin/sed rix,
/{,usr/}bin/cat rix,
/{,usr/}bin/ps rPx,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/environ r,
include if exists <local/rustdesk_shell>
}
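Review bot: `capability dac_override` in the main profile and again in `rustdesk_python` lets a network-reachable remote-desktop service, and the root python it can reach through the `sudo` child profile, bypass every file-permission check; the new `rustdesk_shell` profile explicitly writes `deny capability dac_override`, which suggests the need is one specific denial — name it in a comment (`# dac_override: needed for …`) or keep only `dac_read_search`. Under `# grep ps`, `@{PROC}/@{pid}/environ r` is not `owner`-qualified and is paired with `capability sys_ptrace` / `ptrace (read)`, so the service can read the environment of every process on the host, and environment variables routinely hold secrets; if the purpose is locating the session's `DISPLAY`/`XAUTHORITY` for the `# service and GUI intercommunication` block, the comment should say so. `rustdesk_shell` repeats the unowned environ read. Note that `ps` is executed with `rPx` into its own profile, so these proc rules serve rustdesk's own reads, not ps.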


@ -25,7 +25,7 @@ profile sensors @{exec_path} {
@{sys}/devices/**/hwmon*/{name,temp*,*_input} r, @{sys}/devices/**/hwmon*/{name,temp*,*_input} r,
@{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r, @{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r,
@{sys}/devices/**/hwmon/hwmon[0-9]*/power[0-9]*_crit r, @{sys}/devices/**/hwmon/hwmon[0-9]*/power[0-9]*_crit r,
@{sys}/devices/i2c-[0-9]*/name r, @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-[0-9]*/name r,
@{sys}/devices/pci[0-9]*/**/name r, @{sys}/devices/pci[0-9]*/**/name r,
@{sys}/devices/platform/**/power_supply/**/hwmon[0-9]*/curr1_max r, @{sys}/devices/platform/**/power_supply/**/hwmon[0-9]*/curr1_max r,
@{sys}/devices/virtual/hwmon/hwmon[0-9]* r, @{sys}/devices/virtual/hwmon/hwmon[0-9]* r,


@ -21,5 +21,7 @@ profile smartctl @{exec_path} {
/usr/share/smartmontools/** r, /usr/share/smartmontools/** r,
/var/lib/smartmontools/** r, /var/lib/smartmontools/** r,
@{PROC}/devices r,
include if exists <local/smartctl> include if exists <local/smartctl>
} }


@ -14,13 +14,19 @@ profile thermald @{exec_path} {
capability sys_boot, capability sys_boot,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus (bind) bus=system dbus (bind) bus=system
name=org.freedesktop.thermald, name=org.freedesktop.thermald,
dbus (send) bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=RequestName,
@{exec_path} mr, @{exec_path} mr,
owner @{run}/thermald/ rw, owner @{run}/thermald/ rw,
@ -52,6 +58,7 @@ profile thermald @{exec_path} {
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/ r, @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/ r,
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_temp rw, @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_temp rw,
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_type r, @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_type r,
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/cdev[0-9]*_trip_point r,
@{sys}/devices/virtual/thermal/cooling_device[0-9]*/ r, @{sys}/devices/virtual/thermal/cooling_device[0-9]*/ r,
@{sys}/devices/virtual/thermal/cooling_device[0-9]*/cur_state rw, @{sys}/devices/virtual/thermal/cooling_device[0-9]*/cur_state rw,
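Review bot: The new `dbus send bus=session path=/org/freedesktop/DBus ... member={RequestName,ReleaseName}` rule is out of place for a root system daemon that binds `org.freedesktop.thermald` on the system bus; a session-bus rule is usually the residue of running the daemon by hand inside a desktop session rather than a need of the systemd unit. Unless a denial from the service context is on record, drop the session-bus block, or comment why it exists. Replacing the old peer-less `dbus (send) bus=system ... member=RequestName` with the `peer=(name=org.freedesktop.DBus, label=dbus-daemon)` form is a welcome tightening. The profile body continues outside these hunks.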


@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/umount @{exec_path} = /{usr/,}{s,}bin/umount
profile umount @{exec_path} flags=(complain) { profile umount @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/disks-read> include <abstractions/disks-read>


@ -0,0 +1,46 @@
# apparmor.d - Full set of apparmor profiles
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{LOCAL_SHARED_DIRS} = /var/lib/libvirt/shared
@{exec_path} = /{,usr/}lib/qemu/virtiofsd
profile virtiofsd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
capability setgid,
capability setuid,
capability fowner,
capability fsetid,
capability sys_resource,
capability sys_admin,
capability setpcap,
capability dac_read_search,
capability dac_override,
capability chown,
unix (send, receive) type=stream peer=(addr=none, label=libvirt-@{uuid}),
mount options=(rw, rslave) -> /,
umount /,
mount options=(rw, nosuid, nodev, noexec, relatime) -> @{PROC},
mount options=(rw, bind) @{PROC}/1/fd/ -> @{PROC},
@{exec_path} r,
@{PROC}/sys/fs/file-max r,
owner @{run}/libvirt/qemu/*.pid rw,
/var/lib/libvirt/qemu/*/fs[0-9]*-fs.sock rw,
# shared folders
mount options=(rw, rbind) -> @{LOCAL_SHARED_DIRS}/,
pivot_root @{LOCAL_SHARED_DIRS}/,
@{LOCAL_SHARED_DIRS}/ r,
include if exists <local/virtiofsd>
}
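Review bot: After `pivot_root @{LOCAL_SHARED_DIRS}/` the shared tree becomes the profile's `/`, yet the only file rule for it is `@{LOCAL_SHARED_DIRS}/ r` and nothing covers paths under the new root, so serving guest file requests will presumably be denied once the profile leaves complain mode — confirm against the logs and add rules for the exported tree before enforcing. `@{LOCAL_SHARED_DIRS} = /var/lib/libvirt/shared` is a site-specific path hard-coded in the shipped profile; it belongs in a tunable (or at least in `local/virtiofsd`) so users exporting other directories do not edit the packaged file. `mount options=(rw, rslave) -> /`, `umount /` and `capability sys_admin` match what the daemon's namespace sandbox needs, but a comment such as `# self-sandboxing: mount namespace + pivot_root` would stop a reader from taking them for over-grant. `@{exec_path} r` is `mr` elsewhere in the tree (see the nmap hunk).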


@ -29,6 +29,8 @@ cockpit-ssh complain
cockpit-tls complain cockpit-tls complain
cockpit-ws complain cockpit-ws complain
cockpit-wsinstance-factory complain cockpit-wsinstance-factory complain
colord-sane complain
colord-session complain
containerd-shim-runc-v2 attach_disconnected,complain containerd-shim-runc-v2 attach_disconnected,complain
cups-backend-beh complain cups-backend-beh complain
cups-backend-brf complain cups-backend-brf complain
@ -132,11 +134,11 @@ libvirtd attach_disconnected,complain
locale-gen complain locale-gen complain
localectl complain localectl complain
login complain login complain
loginctl complain
lvm complain lvm complain
lvmconfig complain lvmconfig complain
lvmdump complain lvmdump complain
lvmpolld complain lvmpolld complain
lvmpolld complain
man complain man complain
mdevctl complain mdevctl complain
mke2fs complain mke2fs complain
@ -144,8 +146,11 @@ ModemManager attach_disconnected,complain
molly-guard complain molly-guard complain
mount complain mount complain
nautilus complain nautilus complain
nvidia-detector complain
nvidia-persistenced complain
needrestart attach_disconnected,complain needrestart attach_disconnected,complain
needrestart-iucode-scan-versions complain needrestart-iucode-scan-versions complain
networkctl complain
networkd-dispatcher complain networkd-dispatcher complain
nft complain nft complain
nmap complain nmap complain
@ -159,6 +164,7 @@ pinentry complain
pinentry-curses complain pinentry-curses complain
pinentry-gnome3 complain pinentry-gnome3 complain
pinentry-gtk-2 complain pinentry-gtk-2 complain
pkexec complain
pkttyagent complain pkttyagent complain
plymouth complain plymouth complain
plymouth-set-default-theme attach_disconnected,complain plymouth-set-default-theme attach_disconnected,complain
@ -166,6 +172,7 @@ plymouthd complain
power-profiles-daemon attach_disconnected,complain power-profiles-daemon attach_disconnected,complain
qemu-ga complain qemu-ga complain
repo complain repo complain
remmina complain
resolvconf complain resolvconf complain
run-parts complain run-parts complain
runuser complain runuser complain
@ -258,6 +265,7 @@ update-secureboot-policy complain
uptimed complain uptimed complain
userdbctl complain userdbctl complain
virt-manager attach_disconnected,complain virt-manager attach_disconnected,complain
virtiofsd complain
wg complain wg complain
wg-quick complain wg-quick complain
xdg-dbus-proxy attach_disconnected,complain xdg-dbus-proxy attach_disconnected,complain