mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 00:48:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profiles): general update.

Browse source
This commit is contained in:
Alexandre Pujol 2023-07-20 21:07:27 +01:00
parent a3d121fe23
commit af1eda51bd
Failed to generate hash of commit
27 changed files with 107 additions and 94 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
apparmor.d/groups/apt/apt-methods-gpgv
View file

@ -20,9 +20,10 @@ profile apt-methods-gpgv @{exec_path} {
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=apt,
signal (receive) peer=aptitude,
signal (receive) peer=packagekitd,
signal (receive) peer=synaptic,
@{exec_path} mr,
@ -60,7 +61,7 @@ profile apt-methods-gpgv @{exec_path} {
/etc/apt/keyrings/ r,
/etc/apt/keyrings/*.{gpg,asc} r,
/etc/apt/trusted.gpg r,
/etc/apt/trusted.gpg.d/{,*.gpg} r,
/etc/apt/trusted.gpg.d/{,*.{gpg,asc}} r,
/etc/dpkg/dpkg.cfg r,
/etc/dpkg/dpkg.cfg.d/{,*} r,

1
apparmor.d/groups/apt/apt-methods-http
View file

@ -26,6 +26,7 @@ profile apt-methods-http @{exec_path} {
signal (receive) peer=apt-get,
signal (receive) peer=apt,
signal (receive) peer=aptitude,
signal (receive) peer=packagekitd,
signal (receive) peer=synaptic,
signal (receive) peer=ubuntu-advantage,
signal (receive) peer=unattended-upgrade,

3
apparmor.d/groups/apt/apt-methods-store
View file

@ -19,9 +19,10 @@ profile apt-methods-store @{exec_path} {
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=apt,
signal (receive) peer=aptitude,
signal (receive) peer=packagekitd,
signal (receive) peer=synaptic,
@{exec_path} mr,

1
apparmor.d/groups/apt/apt-overlay
View file

@ -12,6 +12,7 @@ profile apt-overlay @{exec_path} {
include <abstractions/nameservice-strict>
@{exec_path} mr,
@{bin}/apt-get rPx,
@{bin}/ruby* mrix,

11
apparmor.d/groups/browsers/firefox
View file

@ -38,17 +38,17 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
capability sys_chroot, # If kernel.unprivileged_userns_clone = 1
capability sys_ptrace,
ptrace peer=@{profile_name},
signal (send) set=(term, kill) peer=keepassxc-proxy,
signal (send) set=(term, kill) peer=firefox-*,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
ptrace peer=@{profile_name},
signal (send) set=(term, kill) peer=keepassxc-proxy,
signal (send) set=(term, kill) peer=firefox-*,
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
@ -199,6 +199,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
owner @{firefox_config_dirs}/ rw,
owner @{firefox_config_dirs}/{extensions,systemextensionsdev}/ rw,
owner @{firefox_config_dirs}/extensions/\{*\}/ r,
owner @{firefox_config_dirs}/firefox/ rw,
owner @{firefox_config_dirs}/firefox/*/ rw,
owner @{firefox_config_dirs}/firefox/*/** rwk,

2
apparmor.d/groups/browsers/firefox-glxtest
View file

@ -26,6 +26,8 @@ profile firefox-glxtest @{exec_path} {
owner /tmp/firefox/.parentlock rw,
owner @{run}/user/@{uid}/xauth_?????? r,
@{sys}/bus/pci/devices/ r,
@{sys}/devices/pci[0-9]*/**/class r,

2
apparmor.d/groups/browsers/firefox-kmozillahelper
View file

@ -10,6 +10,7 @@ include <tunables/global>
profile firefox-kmozillahelper @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
@ -36,6 +37,7 @@ profile firefox-kmozillahelper @{exec_path} {
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/kwinrc r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kmozillahelperrc r,
owner @{user_config_dirs}/kwinrc r,
owner @{run}/user/@{uid}/xauth_* rl,

2
apparmor.d/groups/cron/cron
View file

@ -48,6 +48,8 @@ profile cron @{exec_path} flags=(attach_disconnected) {
owner @{run}/cron.pid rwk,
owner @{run}/cron.reboot rw,
owner @{run}/crond.pid rwk,
owner @{run}/crond.reboot rw,
@{run}/systemd/sessions/*.ref rw,

7
apparmor.d/groups/freedesktop/dconf-service
View file

@ -39,15 +39,16 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/var/lib/gdm{3,}/.config/dconf/ rw,
/var/lib/gdm{3,}/.config/dconf/user rw,
/var/lib/gdm{3,}/.config/dconf/user.* rw,
owner @{user_config_dirs}/dconf/ rw,
owner @{user_config_dirs}/dconf/user{,.*} rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/dconf/ rw,
owner @{user_cache_dirs}/dconf/user rw,
/var/lib/gdm{3,}/.config/dconf/ rw,
/var/lib/gdm{3,}/.config/dconf/user rw,
/var/lib/gdm{3,}/.config/dconf/user.* rw,
@{PROC}/cmdline r,

3
apparmor.d/groups/freedesktop/xrdb
View file

@ -23,8 +23,8 @@ profile xrdb @{exec_path} {
/usr/include/stdc-predef.h r,
/usr/etc/X11/xdm/Xresources r,
@{etc_ro}/Xresources/x11-common r,
@{etc_ro}/X11/Xresources r,
@{etc_ro}/X11/Xresources/x11-common r,
# The location of the .Xresources file
owner @{HOME}/.Xdefaults r,
@ -34,6 +34,7 @@ profile xrdb @{exec_path} {
owner @{user_config_dirs}/Xresources/* r,
owner /tmp/kcminit.* r,
owner /tmp/plasma-apply-lookandfeel.* r,
owner /tmp/runtime-*/xauth_?????? r,
owner /tmp/startplasma-x11.?????? r,
owner /tmp/xauth-[0-9]*-_[0-9] r,

1
apparmor.d/groups/freedesktop/xsetroot
View file

@ -25,6 +25,7 @@ profile xsetroot @{exec_path} {
@{run}/sddm/\{@{uuid}\} r,
@{run}/user/@{uid}/xauth_* rl,
@{run}/sddm/xauth_?????? r,
include if exists <local/xsetroot>
}

2
apparmor.d/groups/gnome/gnome-keyring-daemon
View file

@ -116,6 +116,8 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
/etc/gcrypt/hwf.deny r,
/var/lib/gdm{3,}/.local/ rw,
/var/lib/gdm{3,}/.local/share/ rw,
/var/lib/gdm{3,}/.local/share/keyrings/ rw,
# Keyrings location

1
apparmor.d/groups/gnome/gnome-shell
View file

@ -480,6 +480,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
/usr/share/{,zoneinfo-}icu/{,**} r,
/usr/share/app-info/icons/{,**} r,
/usr/share/backgrounds/{,**} r,
/usr/share/byobu/desktop/byobu* r,
/usr/share/dconf/profile/gdm r,
/usr/share/desktop-base/** r,
/usr/share/desktop-directories/{,*.directory} r,

7
apparmor.d/groups/gnome/gsd-housekeeping
View file

@ -68,12 +68,13 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/.local/share/applications/ w,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
owner @{user_cache_dirs}/thumbnails/{,**} rw,
owner @{user_share_dirs}/applications/ rw,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
owner @{PROC}/@{pids}/cgroup r,
owner @{PROC}/@{pids}/mountinfo r,

2
apparmor.d/groups/gnome/gsd-rfkill
View file

@ -88,6 +88,8 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/virtual/misc/rfkill/uevent r,
@{run}/udev/data/c10:[0-9]* r, # for non-serial mice, misc features
owner /dev/tty[0-9]* rw,
/dev/rfkill rw,

1
apparmor.d/groups/gnome/mutter-x11-frames
View file

@ -17,6 +17,7 @@ profile mutter-x11-frames @{exec_path} {
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/nvidia>
include <abstractions/vulkan>
include <abstractions/wayland>

10
apparmor.d/groups/gpg/gpgconf
View file

@ -17,16 +17,18 @@ profile gpgconf @{exec_path} {
@{exec_path} mrix,
@{bin}/dirmngr rPx,
@{bin}/gpg-agent rPx,
@{bin}/gpg-connect-agent rPx,
@{bin}/gpg{,2} rPx,
@{bin}/gpg-agent rPx,
@{bin}/dirmngr rPx,
@{bin}/gpgsm rPx,
@{lib}/gnupg/scdaemon rPx,
@{bin}/pinentry-* rPx,
@{bin}/scdaemon rPx,
@{lib}/gnupg/scdaemon rPx,
@{lib}/keyboxd rPUx,
/etc/gcrypt/hwf.deny r,
/etc/gnupg/gpgconf.conf r,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
owner @{run}/user/@{uid}/gnupg/ w,

2
apparmor.d/groups/ssh/ssh-agent
View file

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,

12
apparmor.d/groups/ssh/ssh-agent-launch
View file

@ -13,6 +13,18 @@ profile ssh-agent-launch @{exec_path} {
@{exec_path} mr,
@{bin}/{,z,ba,da}sh rix,
@{bin}/dbus-update-activation-environment rCx -> dbus,
@{bin}/grep rix,
@{bin}/ssh-agent rPx,
profile dbus {
include <abstractions/base>
@{bin}/dbus-update-activation-environment mr,
include if exists <local/ssh-agent-launch_dbus>
}
include if exists <local/ssh-agent-launch>
}

3
apparmor.d/groups/systemd/systemd-backlight
View file

@ -27,15 +27,14 @@ profile systemd-backlight @{exec_path} {
@{sys}/class/ r,
@{sys}/class/backlight/ r,
@{sys}/devices/pci[0-9]*/*:[0-9]*.[0-9]*/**/ r,
@{sys}/devices/pci[0-9]*/**/backlight/**/{max_brightness,actual_brightness} r,
@{sys}/devices/pci[0-9]*/**/backlight/**/{uevent,type} r,
@{sys}/devices/pci[0-9]*/**/backlight/**/brightness rw,
@{sys}/devices/pci[0-9]*/**/class r,
@{sys}/devices/pci[0-9]*/**/drm/**/ r,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/{max_brightness,actual_brightness} r,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/{uevent,type} r,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/brightness rw,
@{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/ r,
@{sys}/devices/pci[0-9]*/**/uevent r,
@{sys}/devices/platform/**/leds/*backlight*/brightness rw,

2
apparmor.d/groups/systemd/systemd-tmpfiles
View file

@ -46,6 +46,8 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
/tmp/{,**} rwk,
/usr/{,**} rw,
/var/{,**} rwk,
@{sys}/kernel/security/ r,
@{sys}/kernel/security/{,**} rw,
@{sys}/devices/system/cpu/microcode/reload w,

3
apparmor.d/groups/ubuntu/check-new-release-gtk
View file

@ -52,6 +52,9 @@ profile check-new-release-gtk @{exec_path} {
/var/lib/update-manager/{,**} rw,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
/var/lib/gdm{3,}/.cache/update-manager-core/meta-release-lts rw,
/var/lib/gdm{3,}/.cache/update-manager-core/ rwk,
/var/cache/apt/ rw,
owner @{user_cache_dirs}/update-manager-core/{,**} rw,

2
apparmor.d/groups/ubuntu/update-notifier
View file

@ -65,7 +65,7 @@ profile update-notifier @{exec_path} {
/var/lib/snapd/desktop/icons/ r,
/var/lib/update-notifier/user.d/ r,
owner @{user_config_dirs}update-notifier/ w,
owner @{user_config_dirs}/update-notifier/ w,
owner @{user_share_dirs}/applications/ r,
owner @{run}/user/@{uid}/at-spi/bus rw,

98
apparmor.d/profiles-a-f/engrampa
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -91,43 +92,8 @@ profile engrampa @{exec_path} {
# For deb packages
@{bin}/dpkg-deb rix,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
@{bin}/xdg-open rCx -> open,
owner @{user_config_dirs}/engrampa/ rw,
/ r,
/home/ r,
#owner @{HOME}/ r,
#owner @{HOME}/** rw,
@{MOUNTS}/ r,
@{MOUNTS}/** rw,
/tmp/ r,
owner /tmp/** rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/.fr-*/{,**} rw,
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/mimeapps.list{,.*} rw,
owner @{user_share_dirs}/ r,
/usr/share/engrampa/{,**} r,
/usr/share/**.desktop r,
/etc/magic r,
# gnome-tiny
@{run}/mount/utab r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/mounts r,
/etc/fstab r,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
@{bin}/xdg-open rPx -> child-open,
# Allowed apps to open
@{bin}/engrampa rPx,
@ -136,38 +102,40 @@ profile engrampa @{exec_path} {
@{bin}/spacefm rPx,
@{bin}/ristretto rPUx,
/usr/share/engrampa/{,**} r,
/usr/share/**.desktop r,
/etc/magic r,
/etc/fstab r,
/ r,
/home/ r,
@{MOUNTS}/ r,
@{MOUNTS}/** rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/.fr-*/{,**} rw,
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/engrampa/ rw,
owner @{user_config_dirs}/mimeapps.list{,.*} rw,
owner @{user_share_dirs}/ r,
/tmp/ r,
owner /tmp/** rw,
@{run}/mount/utab r,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/fd/ r,
# file_inherit
owner /dev/tty[0-9]* rw,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
@{bin}/xdg-open mr,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
@{bin}/engrampa rPx,
@{bin}/geany rPx,
@{bin}/viewnior rPUx,
@{bin}/spacefm rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
include if exists <local/engrampa_open>
}
include if exists <local/engrampa>
}

7
apparmor.d/profiles-g-l/gsettings
View file

@ -11,15 +11,20 @@ profile gsettings @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),
@{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/var/lib/gdm/.config/dconf/user r,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
/dev/tty[0-9]* rw,
owner @{run}/user/@{uid}/bus rw,
include if exists <local/gsettings>
}

1
apparmor.d/profiles-g-l/keepassxc
View file

@ -99,6 +99,7 @@ profile keepassxc @{exec_path} {
/dev/shm/#[0-9]*[0-9] rw,
/dev/tty rw,
/dev/urandom rw,
owner /dev/tty[0-9]* rw,
# Silencer