mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 00:48:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

New user login

Browse source
This commit is contained in:
nobodysu 2022-10-16 17:12:23 +03:00
parent 178e45c84b
commit ac7c42eefd
11 changed files with 48 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
apparmor.d/groups/freedesktop/pipewire-media-session
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pipewire-media-session
profile pipewire-media-session @{exec_path} {
profile pipewire-media-session @{exec_path} flags=(complain ) {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/dbus-session-strict>
@ -51,6 +51,7 @@ profile pipewire-media-session @{exec_path} {
owner @{HOME}/.local/state/ rw,
owner @{HOME}/.local/state/pipewire/{,**} rw,
owner @{user_config_dirs}/pipewire-media-session/ w,
owner @{user_config_dirs}/pipewire/ rw,
owner @{user_config_dirs}/pipewire/** rw,
owner @{user_config_dirs}/pulse/ rw,

3
apparmor.d/groups/freedesktop/pulseaudio
View file

@ -9,7 +9,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pulseaudio
profile pulseaudio @{exec_path} {
profile pulseaudio @{exec_path} flags=(complain ) {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/consoles>
@ -136,6 +136,7 @@ profile pulseaudio @{exec_path} {
owner /var/lib/lightdm/.config/pulse/{,**} rw,
owner /var/lib/lightdm/.config/pulse/cookie k,
owner @{user_config_dirs}/ w,
owner @{user_config_dirs}/pulse/{,**} rw,
owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin r,

3
apparmor.d/groups/freedesktop/xdg-permission-store
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/xdg-permission-store
profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
profile xdg-permission-store @{exec_path} flags=(attach_disconnected complain) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
@ -48,6 +48,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
@{HOME}/@{XDG_DATA_HOME}/flatpak/db/gnome rw,
owner @{user_share_dirs}/flatpak/ w,
owner @{user_share_dirs}/flatpak/db/ rw,
owner @{user_share_dirs}/flatpak/db/.goutputstream-* rw,
owner @{user_share_dirs}/flatpak/db/background rw,

12
apparmor.d/groups/freedesktop/xdg-user-dirs-update
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-user-dirs-update
profile xdg-user-dirs-update @{exec_path} {
profile xdg-user-dirs-update @{exec_path} flags=(complain ) {
include <abstractions/base>
@{exec_path} mr,
@ -26,6 +26,16 @@ profile xdg-user-dirs-update @{exec_path} {
/var/lib/gdm{3,}/@{XDG_TEMPLATES_DIR}/ rw,
/var/lib/gdm{3,}/@{XDG_VIDEOS_DIR}/ rw,
# new user; change to 'c'
owner @{HOME}/@{XDG_DESKTOP_DIR}/ w,
owner @{HOME}/@{XDG_DOCUMENTS_DIR}/ w,
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ w,
owner @{HOME}/@{XDG_MUSIC_DIR}/ w,
owner @{HOME}/@{XDG_PICTURES_DIR}/ w,
owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/ w,
owner @{HOME}/@{XDG_TEMPLATES_DIR}/ w,
owner @{HOME}/@{XDG_VIDEOS_DIR}/ w,
owner @{user_config_dirs}/user-dirs.dirs r,
include if exists <local/xdg-user-dirs-update>

3
apparmor.d/groups/gnome/evolution-calendar-factory
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/evolution-calendar-factory
profile evolution-calendar-factory @{exec_path} {
profile evolution-calendar-factory @{exec_path} flags=(complain ) {
include <abstractions/base>
include <abstractions/dbus-network-manager-strict>
include <abstractions/dbus-session-strict>
@ -42,6 +42,7 @@ profile evolution-calendar-factory @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{user_share_dirs}/evolution/calendar/{,**} rwk,
owner @{user_share_dirs}/evolution/tasks/system/ w,
owner @{user_share_dirs}/evolution/tasks/system/tasks.ics r,
owner @{user_cache_dirs}/evolution/calendar/{,**} rwk,
owner @{user_cache_dirs}/evolution/tasks/{,**} rwk,

15
apparmor.d/groups/gnome/evolution-source-registry
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/evolution-source-registry
profile evolution-source-registry @{exec_path} {
profile evolution-source-registry @{exec_path} flags=(complain ) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
@ -30,6 +30,19 @@ profile evolution-source-registry @{exec_path} {
owner @{user_share_dirs}/evolution/{,**} r,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
# new user; change to 'c'
owner @{user_config_dirs}/evolution/ w,
owner @{user_share_dirs}/evolution/ w,
owner @{user_share_dirs}/evolution/addressbook/ w,
owner @{user_share_dirs}/evolution/addressbook/trash/ w,
owner @{user_share_dirs}/evolution/calendar/ w,
owner @{user_share_dirs}/evolution/calendar/trash/ w,
owner @{user_share_dirs}/evolution/mail/ w,
owner @{user_share_dirs}/evolution/mail/trash w,
owner @{user_share_dirs}/evolution/tasks/ w,
owner @{user_share_dirs}/evolution/tasks/trash/ w,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/cmdline r,

7
apparmor.d/groups/gnome/gnome-keyring-daemon
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gnome-keyring-daemon
profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
profile gnome-keyring-daemon @{exec_path} flags=(complain attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
@ -75,7 +75,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/ssh-add rix,
/{usr/,}bin/ssh-agent rPx,
/var/lib/gdm{3,}/.local/share/keyrings/ r,
/var/lib/gdm{3,}/.local/share/keyrings/ rw,
# Keyrings location
owner @{user_share_dirs}/keyrings/ rw,
@ -84,6 +84,9 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
# Seahorse and SSH keys
owner @{HOME}/@{XDG_SSH_DIR}/{,**} r,
owner @{HOME}/.local/ w,
owner @{HOME}/.local/share/ w,
owner @{run}/user/@{uid}/keyring/ rw,
owner @{run}/user/@{uid}/keyring/* rw,
owner @{run}/user/@{uid}/ssh-askpass.[0-9A-Z]*/{,*} rw,

3
apparmor.d/groups/gnome/gnome-shell
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gnome-shell
profile gnome-shell @{exec_path} flags=(attach_disconnected) {
profile gnome-shell @{exec_path} flags=(attach_disconnected complain) {
include <abstractions/base>
include <abstractions/app-launcher-user>
include <abstractions/audio>
@ -544,6 +544,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{user_music_dirs}/**/*.jpg r,
owner @{user_config_dirs}/ibus/ w,
owner @{user_config_dirs}/.goutputstream{,*} rw,
owner @{user_config_dirs}/monitors.xml{,~} rwl,

4
apparmor.d/groups/gnome/gsd-color
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/gsd-color
profile gsd-color @{exec_path} flags=(attach_disconnected) {
profile gsd-color @{exec_path} flags=(complain attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
@ -129,7 +129,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm{3,}/.local/share/icc/edid-*.icc rw,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
owner @{user_share_dirs}/icc/ r,
owner @{user_share_dirs}/icc/ rw,
owner @{user_share_dirs}/icc/edid-*.icc rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,

4
apparmor.d/groups/gnome/tracker-extract
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/tracker-extract-3
profile tracker-extract @{exec_path} {
profile tracker-extract @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
@ -93,6 +93,8 @@ profile tracker-extract @{exec_path} {
owner @{MOUNTS}/{,**} r,
owner /tmp/*/{,**} r,
owner @{user_cache_dirs}/ w,
owner @{user_cache_dirs}/tracker3/ w,
owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
owner /tmp/tracker-extract-3-files.*/{,*} rw,

5
apparmor.d/groups/ubuntu/update-notifier
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/update-notifier
profile update-notifier @{exec_path} {
profile update-notifier @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/apt-common>
include <abstractions/audio>
@ -62,6 +62,7 @@ profile update-notifier @{exec_path} {
/var/lib/snapd/desktop/icons/ r,
/var/lib/update-notifier/user.d/ r,
owner @{user_config_dirs}update-notifier/ w,
owner @{user_share_dirs}/applications/ r,
owner @{run}/user/@{uid}/at-spi/bus rw,
@ -75,4 +76,4 @@ profile update-notifier @{exec_path} {
@{PROC}/@{pids}/mountinfo r,
include if exists <local/update-notifier>
}
}