mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-14 23:43:56 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat(profile): general update.

Browse Source
This commit is contained in:
Alexandre Pujol 2024-07-19 19:22:32 +01:00
parent d05c9b9276
commit aaf435ece1
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
8 changed files with 21 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apparmor.d/abstractions/freedesktop.org.d/complete
View File

@ -13,8 +13,6 @@
@{system_share_dirs}/ r,
@{system_share_dirs}/mime/ r,
/usr/share/mime/ r,
/etc/gnome/defaults.list r,
/etc/xfce4/defaults.list r,

4
apparmor.d/groups/grub/grub-mkconfig
View File

@ -32,6 +32,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
@{bin}/find rix,
@{bin}/findmnt rPx,
@{bin}/gettext rix,
@{bin}/grub-editenv rPx,
@{bin}/grub-mkrelpath rPx,
@{bin}/grub-probe rPx,
@{bin}/grub-script-check rPx,
@ -60,6 +61,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
@{bin}/zpool rPx,
/etc/grub.d/{,**} rix,
@{lib}/grub-customizer/* rix,
@{lib}/grub/grub-sort-version rPx,
@{lib}/libostree/grub[0-9]-@{int}_ostree rix,
@ -81,7 +83,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
/boot/{,**} r,
/boot/grub/{,**} rw,
# owner /tmp/** rw,
/tmp/grub-*.@{rand10}/{,**} rw,
@{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,

2
apparmor.d/groups/grub/grub-probe
View File

@ -13,6 +13,7 @@ profile grub-probe @{exec_path} {
include <abstractions/consoles>
include <abstractions/disks-read>
capability dac_read_search,
capability sys_admin,
@{exec_path} mr,
@ -36,6 +37,7 @@ profile grub-probe @{exec_path} {
/dev/bus/ r,
/dev/bus/usb/ r,
/dev/bus/usb/@{int}/ r,
/dev/char/ r,
/dev/cpu/ r,
/dev/cpu/@{int}/ r,
/dev/dma_heap/ r,

2
apparmor.d/groups/systemd/systemd-logind
View File

@ -79,7 +79,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+hid:* r,
@{run}/udev/data/+i2c:* r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+leds:* r,
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+wakeup:* r,
@{run}/udev/data/c1:@{int} r, # For RAM disk
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
@{run}/udev/data/c13:@{int} r, # For /dev/input/*

27
apparmor.d/profiles-a-f/firewalld
View File

@ -9,12 +9,12 @@ include <tunables/global>
@{exec_path} = @{bin}/firewalld
profile firewalld @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/app/kmod>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.PolicyKit1>
include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/bus/org.freedesktop.PolicyKit1>
include <abstractions/nameservice-strict>
include <abstractions/app/kmod>
capability dac_read_search,
capability mknod,
@ -27,21 +27,6 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
network inet6 raw,
network netlink raw,
dbus receive bus=system path=/org/fedoraproject/FirewallD1
interface=org.fedoraproject.FirewallD1.direct
member=passthrough
peer=(name=:*, label=libvirtd),
dbus receive bus=system path=/org/fedoraproject/FirewallD1
interface=org.fedoraproject.FirewallD1.zone
member={changeZoneOfInterface,getZones}
peer=(name=:*, label=libvirtd),
dbus receive bus=system path=/org/fedoraproject/FirewallD1
interface=org.fedoraproject.FirewallD1.zone
member={changeZoneOfInterface,removeInterface}
peer=(name=:*, label=libvirtd),
#aa:dbus own bus=system name=org.fedoraproject.FirewallD1
@{exec_path} mr,
@ -53,7 +38,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
@{bin}/false rix,
@{bin}/ipset rix,
@{bin}/kmod rix,
@{bin}/modprobe rPx,
@{bin}/modprobe rix,
@{bin}/xtables-legacy-multi rix,
@{bin}/xtables-nft-multi rix,
@ -76,11 +61,9 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
@{run}/xtables.lock rwk,
@{sys}/module/compression r,
@{sys}/module/crc32c_{generic,intel}/initstate r,
@{sys}/module/crc32c_*/initstate r,
@{sys}/module/libcrc32c/initstate r,
@{sys}/module/nf_conntrack{,_tftp}/initstate r,
@{sys}/module/nf_defrag_ipv{4,6}/initstate r,
@{sys}/module/nf_nat/initstate r,
@{sys}/module/nf_*/initstate r,
@{PROC}/sys/kernel/modprobe r,
@{PROC}/sys/net/ipv{4,6}/ip_forward rw,

2
apparmor.d/profiles-g-l/ifup
View File

@ -106,10 +106,8 @@ profile ifup @{exec_path} {
profile sysctl {
include <abstractions/base>
# capability mac_admin,
capability net_admin,
capability sys_admin,
# capability sys_resource,
@{bin}/sysctl mr,

6
apparmor.d/profiles-m-r/os-prober
View File

@ -10,6 +10,7 @@ include <tunables/global>
profile os-prober @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-read>
capability dac_read_search,
capability sys_admin,
@ -59,11 +60,12 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
/ r,
/boot/{efi/,} r,
/boot/{efi/,}EFI/ r,
/boot/{efi/,}EFI/*/ r,
/boot/{efi/,}EFI/**/ r,
owner @{tmp}/os-prober.*/{,**} rw,
@{sys}/block/ r,
@{run}/mount/utab r,
@{sys}/devices/@{pci}/block/*/ r,
@{sys}/devices/virtual/block/*/ r,

3
apparmor.d/profiles-s-z/wsdd
View File

@ -10,9 +10,12 @@ include <tunables/global>
profile wsdd @{exec_path} {
include <abstractions/base>
include <abstractions/python>
include <abstractions/ssl_certs>
network inet dgram,
network inet stream,
network inet6 dgram,
network inet6 stream,
network netlink raw,
@{exec_path} mr,