parent
4ccf2156de
commit
b03b9b05eb
@ -137,6 +137,12 @@
|
|||||||
|
|
||||||
owner @{cache_dirs}/{,**} rw,
|
owner @{cache_dirs}/{,**} rw,
|
||||||
|
|
||||||
|
owner @{user_config_dirs}/kcminputrc r,
|
||||||
|
owner @{user_config_dirs}/kdedefaults/kcminputrc r,
|
||||||
|
owner @{user_config_dirs}/kioslaverc r,
|
||||||
|
owner @{user_config_dirs}/menus/applications-merged/ r,
|
||||||
|
owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r,
|
||||||
|
|
||||||
# For importing data (bookmarks, cookies, etc) from Firefox
|
# For importing data (bookmarks, cookies, etc) from Firefox
|
||||||
# owner @{HOME}/.mozilla/firefox/profiles.ini r,
|
# owner @{HOME}/.mozilla/firefox/profiles.ini r,
|
||||||
# owner @{HOME}/.mozilla/firefox/*/ r,
|
# owner @{HOME}/.mozilla/firefox/*/ r,
|
||||||
|
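Review bot: The new `owner @{user_config_dirs}/kioslaverc r,` rule carries no comment, and it is the one KDE file in this hunk a reader would most want explained: Chromium's Linux proxy-config service reads it for the KDE proxy settings, so a read of a file that may hold proxy URLs is intentional rather than a stray denial fix. I'd write `owner @{user_config_dirs}/kioslaverc r, # KDE proxy settings, read by Chromium's proxy_config_service_linux`. The `kcminputrc` pair presumably serves cursor theme/size lookup on KDE; confirm from the denial log and annotate it the same way. The enclosing file header is outside this view, but the Firefox import comment suggests this is the shared chromium abstraction, which is consistent with the brave profile dropping the same lines below.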
@ -34,9 +34,6 @@ profile brave @{exec_path} {
|
|||||||
/etc/opt/chrome/native-messaging-hosts/* r,
|
/etc/opt/chrome/native-messaging-hosts/* r,
|
||||||
|
|
||||||
owner @{user_config_dirs}/BraveSoftware/ rw,
|
owner @{user_config_dirs}/BraveSoftware/ rw,
|
||||||
owner @{user_config_dirs}/kioslaverc r,
|
|
||||||
owner @{user_config_dirs}/menus/applications-merged/ r,
|
|
||||||
owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r,
|
|
||||||
|
|
||||||
owner @{config_dirs}/WidevineCdm/libwidevinecdm.so mrw,
|
owner @{config_dirs}/WidevineCdm/libwidevinecdm.so mrw,
|
||||||
owner @{cache_dirs}/BraveSoftware/ rw,
|
owner @{cache_dirs}/BraveSoftware/ rw,
|
||||||
@ -44,6 +41,7 @@ profile brave @{exec_path} {
|
|||||||
owner @{tmp}/net-export/ rw, # For brave://net-export/
|
owner @{tmp}/net-export/ rw, # For brave://net-export/
|
||||||
|
|
||||||
# Silencer
|
# Silencer
|
||||||
|
deny /etc/opt/ w,
|
||||||
deny /etc/opt/chrome/ w,
|
deny /etc/opt/chrome/ w,
|
||||||
deny /dev/disk/by-uuid/ r,
|
deny /dev/disk/by-uuid/ r,
|
||||||
|
|
||||||
|
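Review bot: `deny /etc/opt/ w,` in the Silencer block, like the existing `deny /etc/opt/chrome/ w,`, says nothing about what it silences, so a later maintainer cannot tell a deliberate quiet-deny from a lost permission. Presumably Brave tries to create `/etc/opt/chrome/` (native-messaging-hosts or policy directory) at startup — confirm from the log — and I'd write `deny /etc/opt/ w, # Brave tries to create /etc/opt/chrome/ at startup; harmless for an unprivileged user`. Dropping `kioslaverc` and the two menus rules from this profile is only safe if they moved into an abstraction this profile includes; the first hunk on this page suggests they did, but the include list is outside the view.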
@ -87,6 +87,25 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
|
|||||||
owner @{tmp}/server-* rwk,
|
owner @{tmp}/server-* rwk,
|
||||||
owner @{tmp}/serverauth.* r,
|
owner @{tmp}/serverauth.* r,
|
||||||
|
|
||||||
|
@{run}/udev/data/+acpi:* r, # for acpi
|
||||||
|
@{run}/udev/data/+dmi* r, # for motherboard info
|
||||||
|
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
|
||||||
|
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
|
||||||
|
@{run}/udev/data/+i2c:* r,
|
||||||
|
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
|
||||||
|
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
|
||||||
|
@{run}/udev/data/+platform:* r, # for ?
|
||||||
|
@{run}/udev/data/+serio:* r, # for touchpad?
|
||||||
|
@{run}/udev/data/+sound:card@{int} r, # for sound card
|
||||||
|
@{run}/udev/data/+usb* r, # for USB mouse and keyboard
|
||||||
|
|
||||||
|
@{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]*
|
||||||
|
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
|
||||||
|
@{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
|
||||||
|
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
|
||||||
|
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
|
||||||
|
@{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
|
||||||
|
|
||||||
@{sys}/bus/ r,
|
@{sys}/bus/ r,
|
||||||
@{sys}/bus/pci/devices/ r,
|
@{sys}/bus/pci/devices/ r,
|
||||||
@{sys}/class/ r,
|
@{sys}/class/ r,
|
||||||
@ -103,23 +122,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{sys}/devices/platform/ r,
|
@{sys}/devices/platform/ r,
|
||||||
@{sys}/module/i915/{,**} r,
|
@{sys}/module/i915/{,**} r,
|
||||||
|
|
||||||
@{run}/udev/data/+acpi:* r, # for acpi
|
|
||||||
@{run}/udev/data/+dmi* r, # for motherboard info
|
|
||||||
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
|
|
||||||
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
|
|
||||||
@{run}/udev/data/+i2c:* r,
|
|
||||||
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
|
|
||||||
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
|
|
||||||
@{run}/udev/data/+platform:* r, # for ?
|
|
||||||
@{run}/udev/data/+serio:* r, # for touchpad?
|
|
||||||
@{run}/udev/data/+usb* r, # for USB mouse and keyboard
|
|
||||||
@{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]*
|
|
||||||
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
|
|
||||||
@{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
|
|
||||||
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
|
|
||||||
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
|
|
||||||
@{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
|
|
||||||
|
|
||||||
@{PROC}/@{pids}/cmdline r,
|
@{PROC}/@{pids}/cmdline r,
|
||||||
@{PROC}/cmdline r,
|
@{PROC}/cmdline r,
|
||||||
@{PROC}/ioports r,
|
@{PROC}/ioports r,
|
||||||
@ -127,6 +129,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
/dev/fb@{int} rw,
|
/dev/fb@{int} rw,
|
||||||
/dev/input/event@{int} rw,
|
/dev/input/event@{int} rw,
|
||||||
|
/dev/input/mouse@{int} rw,
|
||||||
/dev/shm/#@{int} rw,
|
/dev/shm/#@{int} rw,
|
||||||
/dev/shm/shmfd-* rw,
|
/dev/shm/shmfd-* rw,
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
|
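Review bot: The newly added `@{run}/udev/data/+sound:card@{int} r, # for sound card` grants the X server a read that nothing in the profile explains; every other entry in the relocated udev block names an input, display or bus device class. If this came from a denial while libudev walked the whole device tree, say so, e.g. `@{run}/udev/data/+sound:card@{int} r, # hit by libudev device enumeration, not used by Xorg`, so nobody widens the block further on the same reasoning; otherwise drop it. The `/dev/input/mouse@{int} rw,` addition is consistent with the existing `/dev/input/event@{int} rw,` rule. The moved block also keeps the placeholder comments `# for ?` and `# for touchpad?`; since the lines are being touched anyway, turn them into an explicit TODO or resolve them.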
@ -42,8 +42,33 @@ profile baloo @{exec_path} {
|
|||||||
|
|
||||||
owner @{user_share_dirs}/baloo/{,**} rwk,
|
owner @{user_share_dirs}/baloo/{,**} rwk,
|
||||||
|
|
||||||
|
@{run}/udev/data/+acpi:* r, # for acpi
|
||||||
|
@{run}/udev/data/+backlight:* r,
|
||||||
|
@{run}/udev/data/+bluetooth:* r,
|
||||||
|
@{run}/udev/data/+dmi:* r, # For motherboard info
|
||||||
|
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
|
||||||
|
@{run}/udev/data/+leds:* r,
|
||||||
|
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
|
||||||
|
@{run}/udev/data/+platform:* r,
|
||||||
|
@{run}/udev/data/+power_supply* r,
|
||||||
|
@{run}/udev/data/+rfkill:* r,
|
||||||
|
@{run}/udev/data/+sound:card@{int} r, # for sound card
|
||||||
|
|
||||||
|
@{run}/udev/data/c1:@{int} r, # For RAM disk
|
||||||
|
@{run}/udev/data/c4:@{int} r, # For TTY devices
|
||||||
|
@{run}/udev/data/c7:@{int} r, # For Virtual console capture devices
|
||||||
|
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
|
||||||
|
@{run}/udev/data/c13:@{int} r, # For /dev/input/*
|
||||||
|
@{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*
|
||||||
|
@{run}/udev/data/c89:@{int} r, # For I2C bus interface
|
||||||
|
@{run}/udev/data/c116:@{int} r, # For ALSA
|
||||||
|
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
|
||||||
|
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
|
||||||
|
|
||||||
@{sys}/bus/ r,
|
@{sys}/bus/ r,
|
||||||
@{sys}/bus/*/devices/ r,
|
@{sys}/bus/*/devices/ r,
|
||||||
|
@{sys}/class/*/ r,
|
||||||
|
@{sys}/devices/**/uevent r,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
owner @{PROC}/@{pid}/mountinfo r,
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
|
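Review bot: The new udev block is the third copy of nearly the same `@{run}/udev/data/+*` and `c*:@{int}` list on this page (xorg and kwin_wayland carry the same lines), and baloo's copy goes further with bluetooth, rfkill, leds, backlight and power_supply records plus `@{sys}/class/*/ r,` and `@{sys}/devices/**/uevent r,`. A file indexer reading hardware records is presumably Solid enumerating devices for the on-battery and removable-media checks — confirm — and that deserves a block comment such as `# Solid enumerates udev devices to detect batteries and removable media`. Rather than growing per-profile lists, this looks like a candidate for a shared abstraction, so the next profile that hits the same denials does not copy it a fourth time. The grant is read-only device metadata, so the least-privilege cost is low, but duplicated lists drift.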
@ -10,6 +10,7 @@ include <tunables/global>
|
|||||||
@{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloorunner
|
@{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloorunner
|
||||||
profile baloorunner @{exec_path} {
|
profile baloorunner @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/deny-sensitive-home>
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
include <abstractions/kde-strict>
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
@ -20,6 +21,11 @@ profile baloorunner @{exec_path} {
|
|||||||
|
|
||||||
/etc/xdg/baloofilerc r,
|
/etc/xdg/baloofilerc r,
|
||||||
|
|
||||||
|
# Allow to search user files
|
||||||
|
owner @{HOME}/{,**} r,
|
||||||
|
owner @{MOUNTS}/{,**} r,
|
||||||
|
owner @{tmp}/*/{,**} r,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
|
|
||||||
owner @{user_config_dirs}/baloofilerc r,
|
owner @{user_config_dirs}/baloofilerc r,
|
||||||
|
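Review bot: `owner @{HOME}/{,**} r,` gives the KRunner plugin read access to every user-owned file under the home directory, including browser profiles, token caches and application configs; the `abstractions/deny-sensitive-home` include added in the same commit presumably carves out `~/.ssh` and similar (deny rules win regardless of order), but confirm what it actually covers. The comment `# Allow to search user files` does not say why a runner needs file contents when it already reads the baloo index from `@{user_share_dirs}/baloo`; if the read is for mime-type sniffing of results, say so, e.g. `# Allow to search user files (content read needed for mime-type detection of results)`. If only paths are needed, the `@{MOUNTS}/{,**}` and `@{tmp}/*/{,**}` grants should be narrowed with it.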
@ -59,6 +59,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
|
|||||||
@{sys}/devices/ r,
|
@{sys}/devices/ r,
|
||||||
@{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness r,
|
@{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness r,
|
||||||
@{sys}/devices/@{pci}/card@{int}/*/dpms r,
|
@{sys}/devices/@{pci}/card@{int}/*/dpms r,
|
||||||
|
@{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness r,
|
||||||
@{sys}/devices/@{pci}/drm/card@{int}/**/dev r,
|
@{sys}/devices/@{pci}/drm/card@{int}/**/dev r,
|
||||||
@{sys}/devices/@{pci}/drm/card@{int}/*/dpms r,
|
@{sys}/devices/@{pci}/drm/card@{int}/*/dpms r,
|
||||||
@{sys}/devices/@{pci}/drm/card@{int}/*/edid r,
|
@{sys}/devices/@{pci}/drm/card@{int}/*/edid r,
|
||||||
|
@ -73,7 +73,9 @@ profile kscreenlocker_greet @{exec_path} {
|
|||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
owner @{user_cache_dirs}/kscreenlocker_greet/ w,
|
owner @{user_cache_dirs}/kscreenlocker_greet/ w,
|
||||||
owner @{user_cache_dirs}/kscreenlocker_greet/** rwlk,
|
owner @{user_cache_dirs}/kscreenlocker_greet/** rwlk,
|
||||||
owner @{user_cache_dirs}/ksvg-elements r,
|
owner @{user_cache_dirs}/ksvg-elements rw,
|
||||||
|
owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int},
|
||||||
|
owner @{user_cache_dirs}/ksvg-elements.lock rwlk,
|
||||||
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
|
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
|
||||||
owner @{user_cache_dirs}/plasma-svgelements rw,
|
owner @{user_cache_dirs}/plasma-svgelements rw,
|
||||||
owner @{user_cache_dirs}/plasma-svgelements-default_v* r,
|
owner @{user_cache_dirs}/plasma-svgelements-default_v* r,
|
||||||
|
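Review bot: `owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int},` takes a lock permission on the temporary file, while the lock lives on `ksvg-elements.lock` one line below and the same KConfig write pattern elsewhere in this commit is written `ksmserverrc.@{rand6} rwl,` without `k`. Unless the denial log showed a flock on the temp name, `rwl -> @{user_cache_dirs}/#@{int},` is the narrower rule and matches the existing style. Since this is the lock-screen greeter, a short comment that `ksvg-elements` is a theme render cache rather than user data would also help a reader judge the new `w`.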
@ -56,6 +56,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||||||
owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl,
|
owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl,
|
||||||
owner @{user_config_dirs}/ksmserverrc.lock rwk,
|
owner @{user_config_dirs}/ksmserverrc.lock rwk,
|
||||||
owner @{user_config_dirs}/menus/ r,
|
owner @{user_config_dirs}/menus/ r,
|
||||||
|
owner @{user_config_dirs}/menus/applications-merged/ r,
|
||||||
owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw,
|
owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw,
|
||||||
|
|
||||||
owner @{user_share_dirs}/kservices{5,6}/ r,
|
owner @{user_share_dirs}/kservices{5,6}/ r,
|
||||||
|
@ -89,6 +89,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
|||||||
owner @{user_config_dirs}/kdedefaults/* r,
|
owner @{user_config_dirs}/kdedefaults/* r,
|
||||||
owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
|
owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
|
||||||
owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||||
|
owner @{user_config_dirs}/khotkeysrc r,
|
||||||
owner @{user_config_dirs}/klaunchrc r,
|
owner @{user_config_dirs}/klaunchrc r,
|
||||||
owner @{user_config_dirs}/kscreenlockerrc r,
|
owner @{user_config_dirs}/kscreenlockerrc r,
|
||||||
owner @{user_config_dirs}/kwinoutputconfig.json rw,
|
owner @{user_config_dirs}/kwinoutputconfig.json rw,
|
||||||
@ -110,6 +111,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
|||||||
@{sys}/class/drm/ r,
|
@{sys}/class/drm/ r,
|
||||||
@{sys}/class/input/ r,
|
@{sys}/class/input/ r,
|
||||||
@{sys}/devices/**/uevent r,
|
@{sys}/devices/**/uevent r,
|
||||||
|
@{sys}/devices/virtual/dmi/id/bios_vendor r,
|
||||||
|
@{sys}/devices/virtual/dmi/id/board_vendor r,
|
||||||
|
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||||
|
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||||
|
|
||||||
@{run}/udev/data/+acpi:* r, # for ACPI
|
@{run}/udev/data/+acpi:* r, # for ACPI
|
||||||
@{run}/udev/data/+dmi:* r, # for motherboard info
|
@{run}/udev/data/+dmi:* r, # for motherboard info
|
||||||
|
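Review bot: The four DMI rules can be collapsed into one, the way sibling attributes are expressed elsewhere in these profiles (`{,max_,actual_}brightness`): `@{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,product_name,sys_vendor} r,`. Keep the list explicit rather than a `dmi/id/*` glob: the same directory holds `product_serial`, `product_uuid` and `board_serial`, which are root-only and identifying, and a glob would silently grant them if the compositor ever ran with more privilege. A one-line comment on why the compositor reads DMI fields (presumably hardware quirk detection — confirm) would round it off; `khotkeysrc r,` needs no note.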
@ -151,6 +151,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||||||
owner @{user_config_dirs}/plasma* rwlk,
|
owner @{user_config_dirs}/plasma* rwlk,
|
||||||
owner @{user_config_dirs}/trashrc r,
|
owner @{user_config_dirs}/trashrc r,
|
||||||
|
|
||||||
|
owner @{user_share_dirs}/*/sessions/ r,
|
||||||
owner @{user_share_dirs}/#@{int} rw,
|
owner @{user_share_dirs}/#@{int} rw,
|
||||||
owner @{user_share_dirs}/akonadi/search_db/{,**} r,
|
owner @{user_share_dirs}/akonadi/search_db/{,**} r,
|
||||||
owner @{user_share_dirs}/kactivitymanagerd/resources/database rwk,
|
owner @{user_share_dirs}/kactivitymanagerd/resources/database rwk,
|
||||||
@ -174,6 +175,11 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||||||
owner @{user_share_dirs}/user-places.xbel{,*} rwl,
|
owner @{user_share_dirs}/user-places.xbel{,*} rwl,
|
||||||
owner @{user_share_dirs}/wallpapers/{,**} rw,
|
owner @{user_share_dirs}/wallpapers/{,**} rw,
|
||||||
|
|
||||||
|
owner @{user_state_dirs}/#@{int} rw,
|
||||||
|
owner @{user_state_dirs}/plasmashellstaterc rw,
|
||||||
|
owner @{user_state_dirs}/plasmashellstaterc.lock rwk,
|
||||||
|
owner @{user_state_dirs}/plasmashellstaterc.@{rand6} rwl,
|
||||||
|
|
||||||
/tmp/.mount_nextcl@{rand6}/{,*} r,
|
/tmp/.mount_nextcl@{rand6}/{,*} r,
|
||||||
owner @{tmp}/#@{int} rw,
|
owner @{tmp}/#@{int} rw,
|
||||||
|
|
||||||
|
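Review bot: `owner @{user_share_dirs}/*/sessions/ r,` uses a wildcard for the application directory, so it matches any `~/.local/share/<app>/sessions/` now and in future, whereas the neighbouring rules name theirs (`akonadi/search_db`, `kactivitymanagerd/resources`). If this serves the KRunner sessions runner listing Konsole/Kate sessions — confirm from the log — name them: `owner @{user_share_dirs}/{konsole,kate}/sessions/ r,`. The `plasmashellstaterc` rules follow the `.lock`/`.@{rand6}` pattern used for the other KConfig files, but `plasmashellstaterc.@{rand6} rwl,` lacks the `-> @{user_state_dirs}/#@{int}` link target that `kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},` uses; as I read AppArmor's link semantics, without a target the link may point at any path the profile already permits, which is broader than needed.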
@ -29,12 +29,13 @@ profile sddm-greeter @{exec_path} {
|
|||||||
@{lib}/libheif/*.so* rm,
|
@{lib}/libheif/*.so* rm,
|
||||||
|
|
||||||
/usr/share/desktop-base/*-theme/login/*.svg r,
|
/usr/share/desktop-base/*-theme/login/*.svg r,
|
||||||
|
/usr/share/endeavouros/backgrounds/** r,
|
||||||
|
/usr/share/hunspell/** r,
|
||||||
/usr/share/plasma/desktoptheme/** r,
|
/usr/share/plasma/desktoptheme/** r,
|
||||||
/usr/share/sddm/{,**} r,
|
/usr/share/sddm/{,**} r,
|
||||||
|
/usr/share/wallpapers/{,**} r,
|
||||||
/usr/share/wayland-sessions/{,*.desktop} r,
|
/usr/share/wayland-sessions/{,*.desktop} r,
|
||||||
/usr/share/xsessions/{,*.desktop} r,
|
/usr/share/xsessions/{,*.desktop} r,
|
||||||
/usr/share/wallpapers/{,**} r,
|
|
||||||
/usr/share/hunspell/** r,
|
|
||||||
|
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
/etc/os-release r,
|
/etc/os-release r,
|
||||||
|
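Review bot: `/usr/share/endeavouros/backgrounds/** r,` is written with `**` alone, unlike the neighbouring `/usr/share/wallpapers/{,**} r,` and `/usr/share/sddm/{,**} r,`, so the directory itself cannot be listed; if the greeter enumerates the directory rather than opening a configured file it will still be denied. For consistency write `/usr/share/endeavouros/backgrounds/{,**} r,`. The rest of the hunk only reorders existing lines alphabetically.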
@ -21,12 +21,13 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
|
|||||||
capability syslog,
|
capability syslog,
|
||||||
|
|
||||||
network inet dgram,
|
network inet dgram,
|
||||||
network inet6 dgram,
|
|
||||||
network inet stream,
|
|
||||||
network inet6 stream,
|
|
||||||
network inet raw,
|
network inet raw,
|
||||||
|
network inet stream,
|
||||||
|
network inet6 dgram,
|
||||||
network inet6 raw,
|
network inet6 raw,
|
||||||
|
network inet6 stream,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
network packet dgram,
|
||||||
|
|
||||||
ptrace (read),
|
ptrace (read),
|
||||||
|
|
||||||
|
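Review bot: `network packet dgram,` is the only new permission in this hunk and the most powerful one in the list: AF_PACKET sockets let the daemon read and inject raw link-layer frames on any interface, a different class of access from the inet/inet6 raw sockets already granted. It carries no comment naming the tailscaled code path that needs it; add one from the denial, e.g. `network packet dgram, # TODO confirm: which tailscaled feature needs AF_PACKET`, so the grant can be reassessed rather than copied forward. The reorder of the inet/inet6 dgram/stream/raw rules is fine. The capability list starts above this hunk, so whether `capability net_raw` (required for AF_PACKET) is already granted is outside the view.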