mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-29 22:35:15 +01:00
feat(profiles): deny gvfs-metadata when possible.
This commit is contained in:
Alexandre Pujol
parent
fcee586e9e
commit
ae6cecde52
23 changed files with 42 additions and 30 deletions
|
|
@ -13,8 +13,6 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw,
|
||||
owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw,
|
||||
owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-[0-9A-Z]* rw,
|
||||
|
|
@ -25,5 +23,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/dev/dri/card[0-9]* rw,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
include if exists <local/xdg-dbus-proxy>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -39,7 +39,6 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
owner @{user_config_dirs}/mimeapps.list{,.new} rw,
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
owner @{run}/user/@{uid}/ r,
|
||||
|
||||
|
|
@ -60,6 +59,8 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
|
|||
deny /{usr/,}bin/dbus-launch rx,
|
||||
deny /{usr/,}bin/dbus-send rx,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
profile dbus {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
|||
|
|
@ -27,11 +27,12 @@ profile evolution-source-registry @{exec_path} {
|
|||
|
||||
owner @{user_config_dirs}/evolution/sources/{,*} rw,
|
||||
owner @{user_share_dirs}/evolution/{,**} r,
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
owner @{user_cache_dirs}/evolution/{,**} rwk,
|
||||
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
@{PROC}/cmdline r,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
include if exists <local/evolution-source-registry>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -91,7 +91,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
|
||||
owner @{user_config_dirs}/mimeapps.list.* rw,
|
||||
owner @{user_share_dirs}/backgrounds/{,**} rw,
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
owner @{user_share_dirs}/icc/{,edid-*} r,
|
||||
owner @{user_share_dirs}/sounds/__custom/{,*} rw,
|
||||
owner @{user_share_dirs}/webkitgtk/{,**} r,
|
||||
|
|
@ -148,5 +147,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
/dev/media[0-9]* r,
|
||||
/dev/video[0-9]* rw,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
include if exists <local/gnome-control-center>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -60,12 +60,11 @@ profile gnome-extension-ding @{exec_path} {
|
|||
|
||||
owner @{user_share_dirs}/nautilus/scripts/ r,
|
||||
|
||||
owner @{user_share_dirs}/gvfs-metadata/home r,
|
||||
owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
|
||||
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
include if exists <local/gnome-extension-ding>
|
||||
}
|
||||
|
|
@ -45,7 +45,6 @@ profile gnome-music @{exec_path} {
|
|||
owner @{user_cache_dirs}/media-art/album-*.jpeg rw,
|
||||
owner @{user_share_dirs}/grilo-plugins/ rwk,
|
||||
owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
|
||||
owner @{user_share_dirs}/gvfs-metadata/root{,-*.log} r,
|
||||
|
||||
owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw,
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
|
|
@ -54,5 +53,7 @@ profile gnome-music @{exec_path} {
|
|||
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
include if exists <local/gnome-music>
|
||||
}
|
||||
|
|
@ -118,7 +118,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_share_dirs}/desktop-directories/{,**} r,
|
||||
owner @{user_share_dirs}/gnome-shell/{,**} rw,
|
||||
owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r,
|
||||
owner @{user_cache_dirs}/gnome-boxes/*.png r,
|
||||
|
|
@ -203,5 +202,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
/dev/input/event[0-9]* rw,
|
||||
/dev/tty[0-9]* rw,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
include if exists <local/gnome-shell>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -37,8 +37,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/var/lib/snapd/desktop/icons/ r,
|
||||
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
owner @{run}/user/@{uid}/doc/ rw,
|
||||
|
||||
@{run}/systemd/sessions/* r,
|
||||
|
|
@ -69,5 +67,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
|
|||
@{PROC}/@{pids}/wchan r,
|
||||
@{PROC}/vmstat r,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
include if exists <local/gnome-system-monitor>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -33,11 +33,12 @@ profile gnome-tweaks @{exec_path} {
|
|||
owner @{user_config_dirs}/autostart/*.desktop r,
|
||||
owner @{user_share_dirs}/backgrounds/{,**} r,
|
||||
owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r,
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
owner @{user_share_dirs}/recently-used.xbel* rw,
|
||||
owner @{user_share_dirs}/sounds/ r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
include if exists <local/gnome-tweaks>
|
||||
}
|
||||
|
|
@ -48,7 +48,6 @@ profile tracker-extract @{exec_path} {
|
|||
owner /tmp/*/{,**} r,
|
||||
|
||||
owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
|
||||
owner @{user_share_dirs}/gvfs-metadata/** r,
|
||||
|
||||
owner /tmp/tracker-extract-3-files.*/{,*} rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -46,7 +46,7 @@ profile mullvad-gui @{exec_path} {
|
|||
/var/lib/dbus/machine-id r,
|
||||
|
||||
owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk,
|
||||
owner @{user_share_dirs}/gvfs-metadata/* r,
|
||||
owner @{user_cache_dirs}/dconf/user rw,
|
||||
|
||||
owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw,
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
|
||||
|
|
@ -73,5 +73,7 @@ profile mullvad-gui @{exec_path} {
|
|||
|
||||
/dev/tty rw,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/* r,
|
||||
|
||||
include if exists <local/mullvad-gui>
|
||||
}
|
||||
|
|
@ -87,7 +87,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/update-manager/{,**} rw,
|
||||
|
||||
owner @{user_cache_dirs}/update-manager-core/{,**} rw,
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
|
||||
|
|
@ -99,5 +98,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/dev/ptmx rw,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
include if exists <local/update-manager>
|
||||
}
|
||||
|
|
@ -73,9 +73,6 @@ profile atril @{exec_path} {
|
|||
|
||||
owner @{user_cache_dirs}/atril/{,**} rw,
|
||||
|
||||
owner @{user_share_dirs}/gvfs-metadata/home r,
|
||||
owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
|
||||
|
||||
owner /tmp/gtkprint_* rw,
|
||||
owner /tmp/settings*.ini rw,
|
||||
owner /tmp/settings*.ini.* rw,
|
||||
|
|
@ -95,5 +92,7 @@ profile atril @{exec_path} {
|
|||
owner /tmp/atril-@{pid}/*/content.opf rw,
|
||||
owner /tmp/atril-@{pid}/*/META-INF/calibre_bookmarks.txt rw,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
include if exists <local/atril>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -56,8 +56,6 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_cache_dirs}/obexd/ rw,
|
||||
owner @{user_cache_dirs}/obexd/* rw,
|
||||
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
|
@ -69,6 +67,8 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
|
|||
/dev/shm/ r,
|
||||
/dev/tty rw,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
profile open {
|
||||
include <abstractions/base>
|
||||
include <abstractions/xdg-open>
|
||||
|
|
|
|||
|
|
@ -117,7 +117,6 @@ profile engrampa @{exec_path} {
|
|||
owner @{user_config_dirs}/mimeapps.list{,.*} rw,
|
||||
|
||||
owner @{user_share_dirs}/ r,
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
/usr/share/engrampa/{,**} r,
|
||||
|
||||
|
|
@ -148,6 +147,8 @@ profile engrampa @{exec_path} {
|
|||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
profile open {
|
||||
include <abstractions/base>
|
||||
include <abstractions/xdg-open>
|
||||
|
|
|
|||
|
|
@ -47,7 +47,6 @@ profile font-manager @{exec_path} {
|
|||
owner "@{user_share_dirs}/fonts/Google Fonts/**" rw,
|
||||
|
||||
owner @{user_share_dirs}/ r,
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
@{sys}/devices/virtual/dmi/id/chassis_type r,
|
||||
@{sys}/firmware/acpi/pm_profile r,
|
||||
|
|
@ -63,6 +62,7 @@ profile font-manager @{exec_path} {
|
|||
# Silencer
|
||||
owner /var/cache/fontconfig/ w,
|
||||
deny /var/cache/fontconfig/ w,
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
include if exists <local/font-manager>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -20,5 +20,7 @@ profile hostname @{exec_path} {
|
|||
|
||||
@{run}/resolvconf/resolv.conf r,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
include if exists <local/hostname>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -121,7 +121,6 @@ profile steam @{exec_path} {
|
|||
|
||||
owner @{user_share_dirs}/ r,
|
||||
owner @{user_share_dirs}/applications/*.desktop w,
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
owner @{user_share_dirs}/icons/hicolor/**/apps/steam*.png rw,
|
||||
owner @{user_share_dirs}/Steam/ rw,
|
||||
owner @{user_share_dirs}/Steam/** rwkl -> @{user_share_dirs}/Steam/**,
|
||||
|
|
@ -203,6 +202,7 @@ profile steam @{exec_path} {
|
|||
/dev/uinput w,
|
||||
|
||||
audit deny /**.steam_exec_test.sh rw,
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
include if exists <local/steam>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -26,7 +26,6 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/nvidiav[0-9]*/GLCache/ rw,
|
||||
owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/nvidiav[0-9]*/GLCache/** rwk,
|
||||
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
|
||||
|
||||
|
|
@ -40,5 +39,7 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
|
|||
@{PROC}/pressure/io r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
include if exists <local/steam-fossilize>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -155,8 +155,6 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_share_dirs}/Steam/steamapps/shadercache/{,**} rwk,
|
||||
owner @{user_share_dirs}/Steam/userdata/**/remotecache.vdf rw,
|
||||
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
@{run}/host/fonts/{,**} r,
|
||||
@{run}/host/share/{,**} r,
|
||||
@{run}/host/usr/{,**} r,
|
||||
|
|
@ -223,5 +221,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
|
|||
/dev/input/ r,
|
||||
/dev/tty rw,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
include if exists <local/steam-game>
|
||||
}
|
||||
|
|
@ -32,7 +32,6 @@ profile steam-gameoverlayui @{exec_path} {
|
|||
owner @{HOME}/ r,
|
||||
owner @{HOME}/.steam/registry.vdf rk,
|
||||
owner @{HOME}/.steam/steam.pipe r,
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
owner @{user_share_dirs}/Steam/{,**} r,
|
||||
owner @{user_share_dirs}/Steam/config/DialogConfigOverlay*.vdf rw,
|
||||
owner @{user_share_dirs}/Steam/public/* rk,
|
||||
|
|
@ -55,5 +54,7 @@ profile steam-gameoverlayui @{exec_path} {
|
|||
|
||||
@{PROC}/version r,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
include if exists <local/steam-gameoverlayui>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -23,11 +23,12 @@ profile steam-reaper @{exec_path} {
|
|||
|
||||
owner @{HOME}/.steam/steam.pipe r,
|
||||
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
owner @{user_share_dirs}/Steam/userdata/**/remotecache.vdf rw,
|
||||
|
||||
owner /dev/shm/u@{uid}-Shm_@{hex} rw,
|
||||
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
include if exists <local/steam-reaper>
|
||||
}
|
||||
|
|
@ -69,7 +69,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/virt-manager/ rw,
|
||||
owner @{user_cache_dirs}/virt-manager/** rw,
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
# For disk images
|
||||
@{MOUNTS}/ r,
|
||||
|
|
@ -103,6 +102,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
# Silence the noise
|
||||
deny /usr/share/virt-manager/{,**} w,
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
include if exists <local/virt-manager>
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue