mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 00:48:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profiles): general update.

Browse source
This commit is contained in:
Alexandre Pujol 2023-12-12 18:29:08 +00:00
parent 42ea537687
commit ab9e1932da
Failed to generate hash of commit
32 changed files with 102 additions and 75 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/abstractions/bwrap-app
View file

@ -16,7 +16,7 @@
include <abstractions/disks-read> include <abstractions/disks-read>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/gnome> include <abstractions/gnome-strict>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/opencl-intel> include <abstractions/opencl-intel>

2
apparmor.d/abstractions/wayland.d/complete
View file

@ -2,7 +2,7 @@
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
owner @{run}/user/@{uid}/wayland-@{int}.lock rk, owner @{run}/user/@{uid}/wayland-@{int}.lock rwk,
owner /dev/shm/sway* rw, owner /dev/shm/sway* rw,
owner /dev/shm/dunst-@{rand6} rw, owner /dev/shm/dunst-@{rand6} rw,

2
apparmor.d/groups/_full/default
View file

@ -19,7 +19,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/devices-usb> include <abstractions/devices-usb>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/gnome> include <abstractions/gnome-strict>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/opencl-intel> include <abstractions/opencl-intel>

4
apparmor.d/groups/apt/apt
View file

@ -158,6 +158,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/.viminfo{,.tmp} rw, owner @{HOME}/.viminfo{,.tmp} rw,
owner @{HOME}/.selected_editor r, owner @{HOME}/.selected_editor r,
include if exists <local/apt_editor>
} }
profile pager { profile pager {
@ -179,6 +180,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
owner /tmp/apt-changelog-*/ r, owner /tmp/apt-changelog-*/ r,
owner /tmp/apt-changelog-*/*.changelog r, owner /tmp/apt-changelog-*/*.changelog r,
include if exists <local/apt_pager>
} }
profile dpkg-source flags=(complain) { profile dpkg-source flags=(complain) {
@ -206,6 +208,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
audit deny owner @{HOME}/.*/ rw, audit deny owner @{HOME}/.*/ rw,
audit deny owner @{HOME}/.*/** mrwkl, audit deny owner @{HOME}/.*/** mrwkl,
include if exists <local/apt_dpkg-source>
} }
profile systemctl { profile systemctl {
@ -234,6 +237,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
/dev/kmsg w, /dev/kmsg w,
include if exists <local/apt_systemctl>
} }
include if exists <local/apt> include if exists <local/apt>

2
apparmor.d/groups/freedesktop/polkitd
View file

@ -30,7 +30,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.PolicyKit1.AuthenticationAgent interface=org.freedesktop.PolicyKit1.AuthenticationAgent
peer=(name=:*), # all members peer=(name=:*), # all members
dbus (send) bus=system path=/org/freedesktop/DBus dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={GetConnectionUnixProcessID,GetConnectionUnixUser} member={GetConnectionUnixProcessID,GetConnectionUnixUser}
peer=(name=org.freedesktop.DBus, label=dbus-daemon), peer=(name=org.freedesktop.DBus, label=dbus-daemon),

8
apparmor.d/groups/freedesktop/xdg-dbus-proxy
View file

@ -34,10 +34,10 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw, owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw,
owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw, owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw,
owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-[0-9A-Z]* rw, owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw,
owner @{run}/user/@{uid}/webkitgtk/bus-proxy-[0-9A-Z]* rw, owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw,
owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-[0-9A-Z]* rw, owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw,
@{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r, @{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r,

2
apparmor.d/groups/gnome/epiphany-search-provider
View file

@ -14,7 +14,7 @@ profile epiphany-search-provider @{exec_path} {
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/enchant> include <abstractions/enchant>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/gnome> include <abstractions/gnome-strict>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/nvidia> include <abstractions/nvidia>

2
apparmor.d/groups/gnome/gio-launch-desktop
View file

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov # Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,

1
apparmor.d/groups/gnome/gjs-console
View file

@ -16,6 +16,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/bus/org.gnome.Shell.Introspect> include <abstractions/bus/org.gnome.Shell.Introspect>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/dri-common> include <abstractions/dri-common>

7
apparmor.d/groups/gnome/gnome-calendar
View file

@ -9,8 +9,11 @@ include <tunables/global>
@{exec_path} = @{bin}/gnome-calendar @{exec_path} = @{bin}/gnome-calendar
profile gnome-calendar @{exec_path} { profile gnome-calendar @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-accessibility>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.GeoClue2>
include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.login1> include <abstractions/bus/org.freedesktop.login1>
include <abstractions/bus/org.freedesktop.NetworkManager> include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/bus/org.freedesktop.portal.Desktop> include <abstractions/bus/org.freedesktop.portal.Desktop>
@ -28,6 +31,10 @@ profile gnome-calendar @{exec_path} {
network netlink raw, network netlink raw,
dbus bind bus=session name=org.gnome.Calendar, dbus bind bus=session name=org.gnome.Calendar,
dbus (send, receive) bus=session path=/org/gnome/Calendar
interface=org.freedesktop.{Actions,Application}
peer=(name="{:*,org.freedesktop.DBus}"),
dbus receive bus=session path=/org/gnome/Calendar/SearchProvider dbus receive bus=session path=/org/gnome/Calendar/SearchProvider
interface=org.gnome.Shell.SearchProvider2 interface=org.gnome.Shell.SearchProvider2
peer=(name=:*, label=gnome-shell), peer=(name=:*, label=gnome-shell),

8
apparmor.d/groups/gnome/gnome-control-center
View file

@ -107,17 +107,19 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r, owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw, owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw,
owner @{user_games_dirs}/**.png r,
owner @{user_share_dirs}/backgrounds/{,**} rw, owner @{user_share_dirs}/backgrounds/{,**} rw,
owner @{user_share_dirs}/icc/{,edid-*} r,
owner @{user_share_dirs}/sounds/__custom/{,*} rw,
owner @{user_share_dirs}/gnome-remote-desktop/ w, owner @{user_share_dirs}/gnome-remote-desktop/ w,
owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw, owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw,
owner @{user_share_dirs}/icc/{,edid-*} r,
owner @{user_share_dirs}/sounds/__custom/{,*} rw,
owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw,
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w, owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w,
owner @{run}/user/@{uid}/pipewire-[0-9]* rw, owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
owner @{run}/user/@{uid}/wayland-@{int} rw,
@{run}/cups/cups.sock rw, @{run}/cups/cups.sock rw,
@{run}/samba/ rw, @{run}/samba/ rw,
@{run}/systemd/sessions/ r, @{run}/systemd/sessions/ r,

15
apparmor.d/groups/gnome/gnome-control-center-goa-helper
View file

@ -9,14 +9,16 @@ include <tunables/global>
@{exec_path} = @{lib}/gnome-control-center-goa-helper @{exec_path} = @{lib}/gnome-control-center-goa-helper
profile gnome-control-center-goa-helper @{exec_path} { profile gnome-control-center-goa-helper @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-accessibility>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.a11y> include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.Avahi> include <abstractions/bus/org.freedesktop.Avahi>
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/gnome> include <abstractions/gnome-strict>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/opencl> include <abstractions/opencl>
@ -33,15 +35,20 @@ profile gnome-control-center-goa-helper @{exec_path} {
signal (send) set=(kill) peer=bwrap, signal (send) set=(kill) peer=bwrap,
dbus bind bus=session name=org.gnome.Settings.GoaHelper,
dbus send bus=session path=/org/gnome/OnlineAccounts
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name=:*, label=goa-daemon),
@{exec_path} mr, @{exec_path} mr,
@{bin}/bwrap rPUx, @{bin}/bwrap rPUx,
@{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKitNetworkProcess rix,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/publicsuffix/public_suffix_list.dafsa r,
/usr/share/themes/{,**} r,
/usr/share/X11/xkb/{,**} r,
/var/lib/flatpak/exports/share/icons/{,**} r, /var/lib/flatpak/exports/share/icons/{,**} r,

5
apparmor.d/groups/gnome/gnome-disks
View file

@ -12,7 +12,7 @@ profile gnome-disks @{exec_path} {
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/disks-write> include <abstractions/disks-write>
include <abstractions/gnome> include <abstractions/gnome-strict>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
dbus bind bus=session name=org.gnome.DiskUtility, dbus bind bus=session name=org.gnome.DiskUtility,
@ -22,9 +22,6 @@ profile gnome-disks @{exec_path} {
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open, @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
@{lib}/gio-launch-desktop rPx -> child-open, @{lib}/gio-launch-desktop rPx -> child-open,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/X11/xkb/{,**} r,
owner @{user_cache_dirs}/gnome-disks/{,**} rw, owner @{user_cache_dirs}/gnome-disks/{,**} rw,
@{PROC}/1/cgroup r, @{PROC}/1/cgroup r,

2
apparmor.d/groups/gnome/gnome-initial-setup
View file

@ -11,7 +11,7 @@ profile gnome-initial-setup @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gnome> include <abstractions/gnome-strict>
include <abstractions/mesa> include <abstractions/mesa>
network netlink raw, network netlink raw,

2
apparmor.d/groups/gnome/gnome-music
View file

@ -11,7 +11,7 @@ profile gnome-music @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio> include <abstractions/audio>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gnome> include <abstractions/gnome-strict>
include <abstractions/gstreamer> include <abstractions/gstreamer>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>

3
apparmor.d/groups/gnome/gnome-shell
View file

@ -324,7 +324,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
owner @{run}/user/@{uid}/systemd/notify rw, owner @{run}/user/@{uid}/systemd/notify rw,
owner @{run}/user/@{uid}/wayland-@{int}.lock rwk,
owner @{run}/user/@{uid}/pipewire-@{int} rw, owner @{run}/user/@{uid}/pipewire-@{int} rw,
owner /dev/shm/.org.chromium.Chromium.* rw, owner /dev/shm/.org.chromium.Chromium.* rw,
@ -333,7 +332,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
/tmp/.X@{int}-lock rw, /tmp/.X@{int}-lock rw,
/tmp/dbus-@{rand8} rw, /tmp/dbus-@{rand8} rw,
owner /tmp/[0-9A-Z]*.shell-extension.zip rw, owner /tmp/[0-9A-Z]*.shell-extension.zip rw,
owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw, owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw,
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,
@{run}/systemd/seats/seat@{int} r, @{run}/systemd/seats/seat@{int} r,

11
apparmor.d/groups/gnome/gnome-system-monitor
View file

@ -11,7 +11,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gnome> include <abstractions/gnome-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability sys_ptrace, capability sys_ptrace,
@ -31,15 +31,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
/usr/share/gnome-system-monitor/{,**} r, /usr/share/gnome-system-monitor/{,**} r,
/usr/share/firefox-esr/browser/chrome/icons/default/*.png r, /usr/share/firefox-esr/browser/chrome/icons/default/*.png r,
# freedesktop.org-strict
/usr/share/pixmaps/{,**} r,
/usr/share/*ubuntu/applications/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/machine-id r,
/var/lib/snapd/desktop/icons/ r,
owner @{run}/user/@{uid}/doc/ rw, owner @{run}/user/@{uid}/doc/ rw,
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,

4
apparmor.d/groups/gnome/gnome-tweaks
View file

@ -11,8 +11,7 @@ profile gnome-tweaks @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio> include <abstractions/audio>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gnome> include <abstractions/gnome-strict>
include <abstractions/gtk>
include <abstractions/python> include <abstractions/python>
@{exec_path} mr, @{exec_path} mr,
@ -23,7 +22,6 @@ profile gnome-tweaks @{exec_path} {
@{lib}/python3.[0-9]*/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w, @{lib}/python3.[0-9]*/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/gnome-tweaks/{,**} r, /usr/share/gnome-tweaks/{,**} r,
/etc/xdg/autostart/{,**} r, /etc/xdg/autostart/{,**} r,

6
apparmor.d/groups/gnome/nautilus
View file

@ -20,8 +20,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor> include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/deny-sensitive-home> include <abstractions/deny-sensitive-home>
include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/gnome> include <abstractions/gnome-strict>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/opencl-nvidia> include <abstractions/opencl-nvidia>
@ -92,6 +93,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
@{bin}/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
@{bin}/bwrap rPUx, @{bin}/bwrap rPUx,
@{bin}/file-roller rPx,
@{bin}/firejail rPUx, @{bin}/firejail rPUx,
@{bin}/net rPUx, @{bin}/net rPUx,
@{bin}/tracker3 rPUx, @{bin}/tracker3 rPUx,
@ -99,7 +101,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open, @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
@{lib}/gio-launch-desktop rPx -> child-open, @{lib}/gio-launch-desktop rPx -> child-open,
/usr/share/*ubuntu/applications/{,**} r,
/usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/libdrm/*.ids r, /usr/share/libdrm/*.ids r,
/usr/share/nautilus/{,**} r, /usr/share/nautilus/{,**} r,
@ -112,7 +113,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
/etc/fstab r, /etc/fstab r,
/var/cache/fontconfig/ rw, /var/cache/fontconfig/ rw,
/var/lib/snapd/desktop/icons/{,**} r,
# Full access to user's data # Full access to user's data
/ r, / r,

2
apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
View file

@ -12,7 +12,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} {
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/deny-sensitive-home> include <abstractions/deny-sensitive-home>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/gnome> include <abstractions/gnome-strict>
include <abstractions/gstreamer> include <abstractions/gstreamer>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>

8
apparmor.d/groups/gnome/seahorse
View file

@ -17,7 +17,7 @@ profile seahorse @{exec_path} {
include <abstractions/bus/org.freedesktop.portal.Desktop> include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/bus/org.freedesktop.secrets> include <abstractions/bus/org.freedesktop.secrets>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gnome> include <abstractions/gnome-strict>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/p11-kit> include <abstractions/p11-kit>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
@ -33,15 +33,9 @@ profile seahorse @{exec_path} {
@{bin}/gpg{,2} rPx, @{bin}/gpg{,2} rPx,
@{bin}/gpgsm rPx, @{bin}/gpgsm rPx,
# freedesktop.org-strict
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/*ubuntu/applications/ r,
/etc/pki/trust/blocklist/ r, /etc/pki/trust/blocklist/ r,
/etc/gcrypt/hwf.deny r, /etc/gcrypt/hwf.deny r,
/var/lib/snapd/desktop/icons/ r,
owner @{HOME}/@{XDG_SSH_DIR}/{,**} r, owner @{HOME}/@{XDG_SSH_DIR}/{,**} r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,

1
apparmor.d/groups/kde/kwin_wayland_wrapper
View file

@ -20,7 +20,6 @@ profile kwin_wayland_wrapper @{exec_path} {
owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/xauth_@{rand6} w, owner @{run}/user/@{uid}/xauth_@{rand6} w,
owner @{run}/user/@{uid}/wayland-*.lock rk,
owner /tmp/.X1-lock rw, owner /tmp/.X1-lock rw,

25
apparmor.d/groups/network/netplan.script
View file

@ -9,18 +9,41 @@ include <tunables/global>
@{exec_path} = /usr/share/netplan/netplan.script @{exec_path} = /usr/share/netplan/netplan.script
profile netplan.script @{exec_path} flags=(attach_disconnected) { profile netplan.script @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/python>
@{exec_path} mr, @{exec_path} mr,
@{lib}/netplan/generate rix, @{lib}/netplan/generate rix,
@{bin}/udevadm rCx -> udevadm,
/usr/share/netplan/{,**} r, /usr/share/netplan/{,**} r,
/etc/netplan/{,*} r, /etc/netplan/{,*} r,
@{run}/NetworkManager/conf.d/10-globally-managed-devices.conf w,
@{run}/NetworkManager/system-connections/ r,
@{run}/NetworkManager/system-connections/netplan-*.nmconnection w,
@{run}/systemd/system/ r, @{run}/systemd/system/ r,
@{run}/systemd/system/netplan-* rw,
@{run}/systemd/system/systemd-networkd.service.wants/ r, @{run}/systemd/system/systemd-networkd.service.wants/ r,
@{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw,
@{run}/udev/rules.d/ r, @{run}/udev/rules.d/ r,
profile udevadm {
include <abstractions/base>
include <abstractions/systemd-common>
@{bin}/udevadm mr,
/etc/udev/udev.conf r,
@{run}/udev/rules.d/90-netplan.rules rw,
@{run}/udev/rules.d/90-netplan.rules.@{rand6} rw,
include if exists <local/netplan.script_udevadm>
}
include if exists <local/netplan.script> include if exists <local/netplan.script>
} }

30
apparmor.d/groups/ubuntu/software-properties-gtk
View file

@ -10,33 +10,37 @@ include <tunables/global>
profile software-properties-gtk @{exec_path} { profile software-properties-gtk @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/apt-common> include <abstractions/apt-common>
include <abstractions/bus-accessibility>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.a11y> include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.portal.Desktop> include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/fonts> include <abstractions/gnome-strict>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/python> include <abstractions/python>
include <abstractions/wayland>
dbus bind bus=session name=com.ubuntu.SoftwareProperties, dbus bind bus=session name=com.ubuntu.SoftwareProperties,
dbus send bus=system path=/ dbus (send, receive) bus=system path=/com/ubuntu/SoftwareProperties
interface=com.ubuntu.SoftwareProperties interface={com.ubuntu.SoftwareProperties,org.gtk.{Application,Actions}}
peer=(name=:*), peer=(name="{:*,com.ubuntu.SoftwareProperties}", label=software-properties-gtk),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=:*, label=gnome-shell),
dbus send bus=system path=/ dbus send bus=system path=/
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable
member=Introspect member=Introspect
peer=(name=:*), peer=(name=:*),
dbus send bus=system path=/
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name=:*, label=ubuntu-advantage-desktop-daemon),
dbus send bus=system path=/com/canonical/UbuntuAdvantage/Manager
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=:*, label=ubuntu-advantage-desktop-daemon),
@{exec_path} mr, @{exec_path} mr,
@{bin}/ r, @{bin}/ r,
@ -51,8 +55,6 @@ profile software-properties-gtk @{exec_path} {
@{bin}/ubuntu-advantage rPx, @{bin}/ubuntu-advantage rPx,
/usr/share/distro-info/*.csv r, /usr/share/distro-info/*.csv r,
/usr/share/icons/{,**} r,
/usr/share/mime/mime.cache r,
/usr/share/pixmaps/ r, /usr/share/pixmaps/ r,
/usr/share/python-apt/{,**} r, /usr/share/python-apt/{,**} r,
/usr/share/software-properties/{,**} r, /usr/share/software-properties/{,**} r,
@ -64,8 +66,6 @@ profile software-properties-gtk @{exec_path} {
/etc/apport/blacklist.d/{,*} r, /etc/apport/blacklist.d/{,*} r,
/etc/default/apport r, /etc/default/apport r,
/etc/gtk-3.0/settings.ini r,
/etc/machine-id r,
/etc/update-manager/release-upgrades r, /etc/update-manager/release-upgrades r,
/var/crash/*software-properties-gtk.@{uid}.crash rw, /var/crash/*software-properties-gtk.@{uid}.crash rw,

7
apparmor.d/groups/ubuntu/update-manager
View file

@ -10,20 +10,20 @@ include <tunables/global>
profile update-manager @{exec_path} flags=(attach_disconnected) { profile update-manager @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/apt-common> include <abstractions/apt-common>
include <abstractions/bus-accessibility>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.login1> include <abstractions/bus/org.freedesktop.login1>
include <abstractions/bus/org.freedesktop.NetworkManager> include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/bus/org.freedesktop.UPower> include <abstractions/bus/org.freedesktop.UPower>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/fonts> include <abstractions/gnome-strict>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/python> include <abstractions/python>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/wayland>
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
@ -55,7 +55,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
/usr/share/X11/{,**} r, /usr/share/X11/{,**} r,
/etc/gtk-3.0/settings.ini r, /etc/gtk-3.0/settings.ini r,
/etc/machine-id r,
/etc/update-manager/{,**} r, /etc/update-manager/{,**} r,
/boot/ r, /boot/ r,

2
apparmor.d/groups/whonix/torbrowser
View file

@ -36,6 +36,8 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
include <abstractions/vulkan> include <abstractions/vulkan>
# userns,
capability sys_admin, # If kernel.unprivileged_userns_clone = 1 capability sys_admin, # If kernel.unprivileged_userns_clone = 1
capability sys_chroot, # If kernel.unprivileged_userns_clone = 1 capability sys_chroot, # If kernel.unprivileged_userns_clone = 1

4
apparmor.d/profiles-a-f/cups-notifier-dbus
View file

@ -10,7 +10,11 @@ include <tunables/global>
profile cups-notifier-dbus @{exec_path} { profile cups-notifier-dbus @{exec_path} {
include <abstractions/base> include <abstractions/base>
signal (receive) set=(term) peer=cupsd,
@{exec_path} mr, @{exec_path} mr,
/tmp/cups-dbus-notifier-lockfile rwk,
include if exists <local/cups-notifier-dbus> include if exists <local/cups-notifier-dbus>
} }

2
apparmor.d/profiles-a-f/cupsd
View file

@ -41,6 +41,8 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
network rose dgram, network rose dgram,
network x25 seqpacket, network x25 seqpacket,
signal (send) set=(term) peer=cups-notifier-dbus,
@{exec_path} mr, @{exec_path} mr,
@{bin}/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,

3
apparmor.d/profiles-a-f/evince
View file

@ -14,7 +14,7 @@ profile evince @{exec_path} {
include <abstractions/bus/org.a11y> include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.portal.Desktop> include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gnome> include <abstractions/gnome-strict>
include <abstractions/ibus> include <abstractions/ibus>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
@ -50,7 +50,6 @@ profile evince @{exec_path} {
/usr/share/ghostscript/{,**} r, /usr/share/ghostscript/{,**} r,
/usr/share/poppler/{,**} r, /usr/share/poppler/{,**} r,
/usr/share/thumbnailers/{,*} r, /usr/share/thumbnailers/{,*} r,
/usr/share/themes/{,**} r,
owner @{user_share_dirs}/ r, owner @{user_share_dirs}/ r,
owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_share_dirs}/gvfs-metadata/{,*} r,

1
apparmor.d/profiles-a-f/file-roller
View file

@ -29,6 +29,7 @@ profile file-roller @{exec_path} {
# Archivers # Archivers
@{bin}/7z rix, @{bin}/7z rix,
@{bin}/ar rix,
@{bin}/bzip2 rix, @{bin}/bzip2 rix,
@{bin}/cpio rix, @{bin}/cpio rix,
@{bin}/gzip rix, @{bin}/gzip rix,

2
apparmor.d/profiles-g-l/labwc
View file

@ -58,8 +58,6 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/sessions/* r, @{run}/systemd/sessions/* r,
@{run}/systemd/seats/seat@{int} r, @{run}/systemd/seats/seat@{int} r,
@{run}/user/@{uid}/wayland-@{int}.lock k,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner /tmp/.X[0-9]*-lock rw, owner /tmp/.X[0-9]*-lock rw,

2
apparmor.d/profiles-s-z/steam
View file

@ -156,7 +156,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
owner /tmp/dumps/ rw, owner /tmp/dumps/ rw,
owner /tmp/dumps/{assert,crash}_@{int}_@{int}.dmp rw, owner /tmp/dumps/{assert,crash}_@{int}_@{int}.dmp rw,
owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw, owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw,
owner /tmp/miles_image_* mrw, owner /tmp/miles_image_* mrw,
owner /tmp/runtime-info.txt.* rwk, owner /tmp/runtime-info.txt.* rwk,
owner /tmp/sh-thd.* rw, owner /tmp/sh-thd.* rw,