mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-02-20 17:05:36 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(abs): add new shells abstraction.

Browse source
This commit is contained in:
Alexandre Pujol 2024-03-29 18:31:15 +00:00
parent 58a4f1601a
commit adb936e62f
Failed to generate hash of commit
10 changed files with 28 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
apparmor.d/abstractions/shells Normal file
View file

@ -0,0 +1,11 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# This abstraction is only required when an interactive shell is started.
# Classic shell scripts do not need it.
include <abstractions/bash-strict>
include <abstractions/zsh>
include if exists <abstractions/shells.d>

4
apparmor.d/groups/gnome/gdm-xsession
View file

@ -9,14 +9,14 @@ include <tunables/global>
@{exec_path} = @{etc_ro}/gdm{3,}/Xsession
profile gdm-xsession @{exec_path} {
include <abstractions/base>
include <abstractions/bash-strict>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/nameservice-strict>
include <abstractions/shells>
@{exec_path} mr,
@{sh_path} rix,
@{shells_path} rix,
@{bin}/{,e}grep rix,
@{bin}/{m,g,}awk rix,
@{bin}/cat rix,

3
apparmor.d/groups/gnome/gnome-session
View file

@ -9,10 +9,9 @@ include <tunables/global>
@{exec_path} = @{bin}/gnome-session
profile gnome-session @{exec_path} {
include <abstractions/base>
include <abstractions/bash-strict>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/zsh>
include <abstractions/shells>
@{exec_path} mrix,

4
apparmor.d/groups/kde/sddm
View file

@ -11,7 +11,6 @@ include <tunables/global>
profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base>
include <abstractions/authentication>
include <abstractions/bash-strict>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.login1>
@ -20,6 +19,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/shells>
include <abstractions/wutmp>
capability audit_write,
@ -70,7 +70,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{lib}/sddm/sddm-helper-start-wayland rix,
@{lib}/sddm/sddm-helper-start-x11user rix,
@{sh_path} rix,
@{shells_path} rix,
@{bin}/cat rix,
@{bin}/checkproc rix,
@{bin}/disable-paste rix,

3
apparmor.d/groups/kde/sddm-xsession
View file

@ -12,8 +12,7 @@ profile sddm-xsession @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/bash-strict>
include <abstractions/zsh>
include <abstractions/shells>
@{exec_path} r,

6
apparmor.d/groups/kde/wayland-session
View file

@ -9,12 +9,12 @@ include <tunables/global>
@{exec_path} = @{etc_ro}/sddm/wayland-session
profile wayland-session @{exec_path} {
include <abstractions/base>
include <abstractions/bash-strict>
include <abstractions/shells>
@{exec_path} mr,
@{sh_path} rix,
@{bin}/id rix,
@{shells_path} rix,
@{bin}/id rix,
@{lib}/plasma-dbus-run-session-if-needed rix,
@{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed rix,

4
apparmor.d/groups/kde/xdm-xsession
View file

@ -9,14 +9,14 @@ include <tunables/global>
@{exec_path} = @{etc_ro}/X11/xdm/Xsession
profile xdm-xsession @{exec_path} {
include <abstractions/base>
include <abstractions/bash-strict>
include <abstractions/dconf-write>
include <abstractions/nameservice-strict>
include <abstractions/shells>
include <abstractions/X-strict>
@{exec_path} mr,
@{sh_path} rix,
@{shells_path} rix,
@{bin}/checkproc rix,
@{bin}/basename rix,

3
apparmor.d/groups/virt/cockpit-session
View file

@ -10,9 +10,8 @@ include <tunables/global>
profile cockpit-session @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/authentication>
include <abstractions/bash-strict>
include <abstractions/nameservice-strict>
include <abstractions/zsh>
include <abstractions/shells>
capability audit_write,
capability dac_read_search,

8
apparmor.d/profiles-m-r/pam_roles
View file

@ -18,9 +18,9 @@ include <tunables/global>
# of files.
profile default_user flags=(complain) {
include <abstractions/base>
include <abstractions/bash-strict>
include <abstractions/consoles>
include <abstractions/nameservice>
include <abstractions/nameservice-strict>
include <abstractions/shells>
deny capability sys_ptrace,
@ -38,9 +38,9 @@ profile default_user flags=(complain) {
# anywhere, and execute from some places.
profile confined_user flags=(complain) {
include <abstractions/base>
include <abstractions/bash-strict>
include <abstractions/consoles>
include <abstractions/nameservice>
include <abstractions/nameservice-strict>
include <abstractions/shells>
deny capability sys_ptrace,

2
apparmor.d/tunables/multiarch.d/paths
View file

@ -5,7 +5,7 @@
# Define some paths for some commonly used programs
# Default distribution shells
@{sh} = sh zsh bash dash
@{sh} = sh bash dash
@{sh_path} = @{bin}/@{sh}
# All interactive shells users may want to use