feat(abs): restric abstraction by using new @{int} and @{rand} variables.
This commit is contained in:
parent
557d905543
commit
b2d093e125
13 changed files with 135 additions and 131 deletions
|
@ -137,7 +137,7 @@
|
|||
/var/tmp/ r,
|
||||
owner /tmp/.@{chromium_domain}.* rw,
|
||||
owner /tmp/.@{chromium_domain}*/{,**} rw,
|
||||
owner /tmp/@{chromium_name}-crashlog-[0-9]*-[0-9]*.txt rw,
|
||||
owner /tmp/@{chromium_name}-crashlog-@{int}-@{int}.txt rw,
|
||||
owner /tmp/scoped_dir*/{,**} rw,
|
||||
owner /tmp/tmp.* rw,
|
||||
owner /tmp/tmp.*/ rw,
|
||||
|
@ -190,12 +190,12 @@
|
|||
@{sys}/devices/virtual/tty/tty[0-9]/active r,
|
||||
|
||||
/dev/ r,
|
||||
/dev/hidraw[0-9]* rw,
|
||||
/dev/hidraw@{int} rw,
|
||||
/dev/tty rw,
|
||||
/dev/video[0-9]* rw,
|
||||
/dev/video@{int} rw,
|
||||
|
||||
# File Inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
# Silencer
|
||||
deny @{chromium_lib_dirs}/** w,
|
||||
|
|
|
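Review bot: In the @-137 hunk the crashlog rule is narrowed to `owner /tmp/@{chromium_name}-crashlog-@{int}-@{int}.txt rw,`, but the neighbouring `owner /tmp/tmp.* rw,` and `owner /tmp/tmp.*/ rw,` keep an open-ended suffix, so any user-owned `/tmp/tmp.<anything>` path stays writable. mktemp's default template is `tmp.XXXXXXXXXX` (ten random characters), so if the new variable set provides a ten-character `@{rand…}` form these two lines could take it and match the posture of the rest of the hunk; the page only shows `@{rand6}`, so I cannot name the exact variable. If the open suffix is deliberate, a one-line comment such as `# open suffix: also covers non-mktemp tmp.* names` would save the next reader the same question.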
@ -6,8 +6,8 @@
|
|||
|
||||
/dev/ r,
|
||||
/dev/bus/usb/ r,
|
||||
/dev/bus/usb/[0-9]*/ r,
|
||||
/dev/bus/usb/[0-9]*/[0-9]* rwk,
|
||||
/dev/bus/usb/@{int}/ r,
|
||||
/dev/bus/usb/@{int}/@{int} rwk,
|
||||
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/usbmisc/ r,
|
||||
|
@ -16,12 +16,12 @@
|
|||
@{sys}/bus/usb/ r,
|
||||
@{sys}/bus/usb/devices/{,**} r,
|
||||
|
||||
@{sys}/devices/**/usb[0-9]/{,**} rw,
|
||||
@{sys}/devices/**/usb@{int}/{,**} rw,
|
||||
|
||||
# Udev data about usb devices (~equal to content of lsusb -v)
|
||||
@{run}/udev/data/+usb:* r,
|
||||
@{run}/udev/data/c16[6,7]:[0-9]* r, # USB modems
|
||||
@{run}/udev/data/c18[0,8,9]:[0-9]* r, # USB devices & USB serial converters
|
||||
@{run}/udev/data/c8[0-9]:[0-9]* r,
|
||||
@{run}/udev/data/c16[6,7]:@{int} r, # USB modems
|
||||
@{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
|
||||
@{run}/udev/data/c8[0-9]:@{int} r,
|
||||
|
||||
include if exists <abstractions/devices-usb.d>
|
|
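Review bot: On the new lines `@{run}/udev/data/c16[6,7]:@{int} r,` and `@{run}/udev/data/c18[0,8,9]:@{int} r,` the comma inside the bracket class is not a separator: an AppArmor character class is a glob class, so `[6,7]` matches `6`, `,` or `7`. The extra match is harmless in practice (no device major contains a comma) but it reads like a list and hides the intent; since these lines are being touched anyway, `c16[67]:@{int}` and `c18[089]:@{int}` say exactly what is meant. The spelling is carried over from the removed lines, so this is a pre-existing quirk rather than one the commit introduces.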
@ -13,86 +13,86 @@
|
|||
|
||||
# Regular disk/partition devices
|
||||
/dev/{s,v}d[a-z]* rk,
|
||||
/dev/{s,v}d[a-z]*[0-9]* rk,
|
||||
/dev/{s,v}d[a-z]*@{int} rk,
|
||||
@{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/** r,
|
||||
@{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r,
|
||||
|
||||
# SSD Nvme devices
|
||||
/dev/nvme* rk,
|
||||
@{sys}/devices/pci[0-9]*/**/nvme/nvme[0-9]*/{,**} r,
|
||||
@{sys}/devices/pci[0-9]*/**/nvme/nvme@{int}/{,**} r,
|
||||
|
||||
# SD card devices
|
||||
/dev/mmcblk[0-9]* rk,
|
||||
/dev/mmcblk[0-9]*p[0-9]* rk,
|
||||
@{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/** r,
|
||||
@{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/** r,
|
||||
/dev/mmcblk@{int} rk,
|
||||
/dev/mmcblk@{int}p@{int} rk,
|
||||
@{sys}/devices/pci[0-9]*/**/block/mmcblk@{int}/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/block/mmcblk@{int}/** r,
|
||||
@{sys}/devices/pci[0-9]*/**/mmc@{int}/mmc*/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/mmc@{int}/mmc*/** r,
|
||||
|
||||
# Loop devices
|
||||
/dev/loop[0-9]* rk,
|
||||
/dev/loop[0-9]*p[0-9]* rk,
|
||||
@{sys}/devices/virtual/block/loop[0-9]*/ r,
|
||||
@{sys}/devices/virtual/block/loop[0-9]*/** r,
|
||||
/dev/loop@{int} rk,
|
||||
/dev/loop@{int}p@{int} rk,
|
||||
@{sys}/devices/virtual/block/loop@{int}/ r,
|
||||
@{sys}/devices/virtual/block/loop@{int}/** r,
|
||||
|
||||
# LUKS/LVM (device-mapper) devices
|
||||
/dev/dm-[0-9]* rk,
|
||||
/dev/dm-@{int} rk,
|
||||
/dev/mapper/{,*} r,
|
||||
@{sys}/devices/virtual/block/dm-[0-9]*/ r,
|
||||
@{sys}/devices/virtual/block/dm-[0-9]*/** r,
|
||||
@{sys}/devices/virtual/block/dm-@{int}/ r,
|
||||
@{sys}/devices/virtual/block/dm-@{int}/** r,
|
||||
|
||||
# ZFS devices
|
||||
/dev/zd[0-9]* rk,
|
||||
/dev/zd@{int} rk,
|
||||
/dev/zvol/{,*/} r,
|
||||
/dev/*pool/ r,
|
||||
@{sys}/devices/virtual/block/zd[0-9]*/ r,
|
||||
@{sys}/devices/virtual/block/zd[0-9]*/** r,
|
||||
@{sys}/devices/virtual/block/zd@{int}/ r,
|
||||
@{sys}/devices/virtual/block/zd@{int}/** r,
|
||||
|
||||
# ZRAM devices
|
||||
/dev/zram[0-9]* rk,
|
||||
@{sys}/devices/virtual/block/zram[0-9]*/ r,
|
||||
@{sys}/devices/virtual/block/zram[0-9]*/** r,
|
||||
/dev/zram@{int} rk,
|
||||
@{sys}/devices/virtual/block/zram@{int}/ r,
|
||||
@{sys}/devices/virtual/block/zram@{int}/** r,
|
||||
|
||||
# NBD devices
|
||||
/dev/nbd* rk,
|
||||
@{sys}/devices/virtual/block/nbd[0-9]*/ r,
|
||||
@{sys}/devices/virtual/block/nbd[0-9]*/** r,
|
||||
@{sys}/devices/virtual/block/nbd@{int}/ r,
|
||||
@{sys}/devices/virtual/block/nbd@{int}/** r,
|
||||
|
||||
# Floppy disks
|
||||
/dev/fd[0-9]* rk,
|
||||
@{sys}/devices/platform/floppy.[0-9]*/block/fd[0-9]/ r,
|
||||
@{sys}/devices/platform/floppy.[0-9]*/block/fd[0-9]/** r,
|
||||
/dev/fd@{int} rk,
|
||||
@{sys}/devices/platform/floppy.@{int}/block/fd[0-9]/ r,
|
||||
@{sys}/devices/platform/floppy.@{int}/block/fd[0-9]/** r,
|
||||
|
||||
# Armbian / DietPi
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/} r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}hidden r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}dev r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}size r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}ro r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}removable r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}start r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}uevent r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}holders/ r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}slaves/ r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/mmc[0-9]*/mmc*/ r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/mmc[0-9]*/mmc*/type r,
|
||||
@{sys}/devices/virtual/block/ram[0-9]*/ r,
|
||||
@{sys}/devices/virtual/block/ram[0-9]*/hidden r,
|
||||
@{sys}/devices/virtual/block/ram[0-9]*/dev r,
|
||||
@{sys}/devices/virtual/block/ram[0-9]*/size r,
|
||||
@{sys}/devices/virtual/block/ram[0-9]*/ro r,
|
||||
@{sys}/devices/virtual/block/ram[0-9]*/removable r,
|
||||
@{sys}/devices/virtual/block/ram[0-9]*/holders/ r,
|
||||
@{sys}/devices/virtual/block/ram[0-9]*/slaves/ r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk@{int}/{,mmcblk*/} r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk@{int}/{,mmcblk*/}hidden r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk@{int}/{,mmcblk*/}dev r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk@{int}/{,mmcblk*/}size r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk@{int}/{,mmcblk*/}ro r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk@{int}/{,mmcblk*/}removable r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk@{int}/{,mmcblk*/}start r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk@{int}/{,mmcblk*/}uevent r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk@{int}/{,mmcblk*/}holders/ r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk@{int}/{,mmcblk*/}slaves/ r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/mmc@{int}/mmc*/ r,
|
||||
@{sys}/devices/platform/{soc,*.mmc}/**/mmc@{int}/mmc*/type r,
|
||||
@{sys}/devices/virtual/block/ram@{int}/ r,
|
||||
@{sys}/devices/virtual/block/ram@{int}/hidden r,
|
||||
@{sys}/devices/virtual/block/ram@{int}/dev r,
|
||||
@{sys}/devices/virtual/block/ram@{int}/size r,
|
||||
@{sys}/devices/virtual/block/ram@{int}/ro r,
|
||||
@{sys}/devices/virtual/block/ram@{int}/removable r,
|
||||
@{sys}/devices/virtual/block/ram@{int}/holders/ r,
|
||||
@{sys}/devices/virtual/block/ram@{int}/slaves/ r,
|
||||
# investigate
|
||||
# /dev/ram[0-9]* r,
|
||||
# /dev/ram@{int} r,
|
||||
|
||||
# ??
|
||||
@{sys}/devices/pci[0-9]*/*/virtio[0-9]*/host[0-9]*/target*/*/type r,
|
||||
@{sys}/devices/pci[0-9]*/*/virtio@{int}/host@{int}/target*/*/type r,
|
||||
|
||||
# CD-ROM
|
||||
/dev/sr[0-9]* rk,
|
||||
/dev/sr@{int} rk,
|
||||
|
||||
@{sys}/class/block/ r,
|
||||
@{sys}/block/ r,
|
||||
|
@ -105,18 +105,18 @@
|
|||
# changes, it's better to allow the whole range (240-254) instead of the single major numbers
|
||||
# visible in the /proc/devices file.
|
||||
# [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
|
||||
@{run}/udev/data/b24[0-9]:[0-9]* r,
|
||||
@{run}/udev/data/b25[0-4]:[0-9]* r,
|
||||
@{run}/udev/data/b259:[0-9]* r,
|
||||
@{run}/udev/data/b24[0-9]:@{int} r,
|
||||
@{run}/udev/data/b25[0-4]:@{int} r,
|
||||
@{run}/udev/data/b259:@{int} r,
|
||||
|
||||
@{run}/udev/data/b11:[0-9]* r, # for /dev/sr*
|
||||
@{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
|
||||
@{run}/udev/data/b230:[0-9]* r, # for /dev/zvol*
|
||||
@{run}/udev/data/b43:[0-9]* r, # for /dev/nbd*
|
||||
@{run}/udev/data/b7:[0-9]* r, # for /dev/loop*
|
||||
@{run}/udev/data/b8:[0-9]* r, # for /dev/sd*
|
||||
@{run}/udev/data/b11:@{int} r, # for /dev/sr*
|
||||
@{run}/udev/data/b179:@{int} r, # for /dev/mmcblk*
|
||||
@{run}/udev/data/b230:@{int} r, # for /dev/zvol*
|
||||
@{run}/udev/data/b43:@{int} r, # for /dev/nbd*
|
||||
@{run}/udev/data/b7:@{int} r, # for /dev/loop*
|
||||
@{run}/udev/data/b8:@{int} r, # for /dev/sd*
|
||||
|
||||
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
||||
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
|
||||
|
||||
@{run}/udev/data/+usb:* r, # for ?
|
||||
|
||||
|
|
|
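Review bot: In the @-13,86 hunk `/dev/nvme* rk,` is the one device-node rule left with a bare `*` while every neighbour moves to `@{int}`, and that `*` also matches nodes that are not disks at all, e.g. `/dev/nvme-fabrics`. NVMe nodes are `nvme<ctrl>`, `nvme<ctrl>n<ns>` and `nvme<ctrl>n<ns>p<part>`, so `/dev/nvme@{int}{,n@{int},n@{int}p@{int}} rk,` covers controller, namespace and partition nodes with the same digit-only discipline as the rest of the hunk. Worth doing here together with the write abstraction below so the two stay symmetric.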
@ -13,57 +13,57 @@
|
|||
|
||||
# Regular disk/partition devices
|
||||
/dev/{s,v}d[a-z]* rwk,
|
||||
/dev/{s,v}d[a-z]*[0-9]* rwk,
|
||||
/dev/{s,v}d[a-z]*@{int} rwk,
|
||||
@{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/** r,
|
||||
@{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r,
|
||||
|
||||
# SSD Nvme devices
|
||||
/dev/nvme[0-9]* rwk,
|
||||
@{sys}/devices/pci[0-9]*/**/nvme/nvme[0-9]*/{,**} r,
|
||||
/dev/nvme@{int} rwk,
|
||||
@{sys}/devices/pci[0-9]*/**/nvme/nvme@{int}/{,**} r,
|
||||
|
||||
# SD card devices
|
||||
/dev/mmcblk[0-9]* rwk,
|
||||
/dev/mmcblk[0-9]*p[0-9]* rwk,
|
||||
@{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/** r,
|
||||
@{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/** r,
|
||||
/dev/mmcblk@{int} rwk,
|
||||
/dev/mmcblk@{int}p@{int} rwk,
|
||||
@{sys}/devices/pci[0-9]*/**/block/mmcblk@{int}/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/block/mmcblk@{int}/** r,
|
||||
@{sys}/devices/pci[0-9]*/**/mmc@{int}/mmc*/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/mmc@{int}/mmc*/** r,
|
||||
|
||||
# Loop devices
|
||||
/dev/loop[0-9]* rwk,
|
||||
/dev/loop[0-9]*p[0-9]* rwk,
|
||||
@{sys}/devices/virtual/block/loop[0-9]*/ r,
|
||||
@{sys}/devices/virtual/block/loop[0-9]*/** r,
|
||||
/dev/loop@{int} rwk,
|
||||
/dev/loop@{int}p@{int} rwk,
|
||||
@{sys}/devices/virtual/block/loop@{int}/ r,
|
||||
@{sys}/devices/virtual/block/loop@{int}/** r,
|
||||
|
||||
# LUKS/LVM (device-mapper) devices
|
||||
/dev/dm-[0-9]* rwk,
|
||||
/dev/dm-@{int} rwk,
|
||||
/dev/mapper/{,*} rw,
|
||||
@{sys}/devices/virtual/block/dm-[0-9]*/ r,
|
||||
@{sys}/devices/virtual/block/dm-[0-9]*/** r,
|
||||
@{sys}/devices/virtual/block/dm-@{int}/ r,
|
||||
@{sys}/devices/virtual/block/dm-@{int}/** r,
|
||||
|
||||
# ZFS devices
|
||||
/dev/zd[0-9]* rwk,
|
||||
@{sys}/devices/virtual/block/zd[0-9]*/ r,
|
||||
@{sys}/devices/virtual/block/zd[0-9]*/** r,
|
||||
/dev/zd@{int} rwk,
|
||||
@{sys}/devices/virtual/block/zd@{int}/ r,
|
||||
@{sys}/devices/virtual/block/zd@{int}/** r,
|
||||
|
||||
# ZRAM devices
|
||||
/dev/zram[0-9]* rwk,
|
||||
@{sys}/devices/virtual/block/zram[0-9]*/ r,
|
||||
@{sys}/devices/virtual/block/zram[0-9]*/** r,
|
||||
/dev/zram@{int} rwk,
|
||||
@{sys}/devices/virtual/block/zram@{int}/ r,
|
||||
@{sys}/devices/virtual/block/zram@{int}/** r,
|
||||
|
||||
# NBD devices
|
||||
/dev/nbd* rwk,
|
||||
@{sys}/devices/virtual/block/nbd[0-9]*/ r,
|
||||
@{sys}/devices/virtual/block/nbd[0-9]*/** r,
|
||||
@{sys}/devices/virtual/block/nbd@{int}/ r,
|
||||
@{sys}/devices/virtual/block/nbd@{int}/** r,
|
||||
|
||||
# Floppy disks
|
||||
/dev/fd[0-9]* rwk,
|
||||
@{sys}/devices/platform/floppy.[0-9]*/block/fd[0-9]/ r,
|
||||
@{sys}/devices/platform/floppy.[0-9]*/block/fd[0-9]/** r,
|
||||
/dev/fd@{int} rwk,
|
||||
@{sys}/devices/platform/floppy.@{int}/block/fd[0-9]/ r,
|
||||
@{sys}/devices/platform/floppy.@{int}/block/fd[0-9]/** r,
|
||||
|
||||
# CD-ROM
|
||||
/dev/sr[0-9]* rwk,
|
||||
/dev/sr@{int} rwk,
|
||||
|
||||
@{sys}/class/block/ r,
|
||||
@{sys}/block/ r,
|
||||
|
@ -76,19 +76,19 @@
|
|||
# changes, it's better to allow the whole range (240-254) instead of the single major numbers
|
||||
# visible in the /proc/devices file.
|
||||
# [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
|
||||
@{run}/udev/data/b24[0-9]:[0-9]* r,
|
||||
@{run}/udev/data/b25[0-4]:[0-9]* r,
|
||||
@{run}/udev/data/b259:[0-9]* r,
|
||||
@{run}/udev/data/b24[0-9]:@{int} r,
|
||||
@{run}/udev/data/b25[0-4]:@{int} r,
|
||||
@{run}/udev/data/b259:@{int} r,
|
||||
|
||||
@{run}/udev/data/b11:[0-9]* r, # for /dev/sr*
|
||||
@{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
|
||||
@{run}/udev/data/b2:[0-9]* r, # for /dev/fd*
|
||||
@{run}/udev/data/b230:[0-9]* r, # for /dev/zvol*
|
||||
@{run}/udev/data/b43:[0-9]* r, # for /dev/nbd*
|
||||
@{run}/udev/data/b7:[0-9]* r, # for /dev/loop*
|
||||
@{run}/udev/data/b8:[0-9]* r, # for /dev/sd*
|
||||
@{run}/udev/data/b11:@{int} r, # for /dev/sr*
|
||||
@{run}/udev/data/b179:@{int} r, # for /dev/mmcblk*
|
||||
@{run}/udev/data/b2:@{int} r, # for /dev/fd*
|
||||
@{run}/udev/data/b230:@{int} r, # for /dev/zvol*
|
||||
@{run}/udev/data/b43:@{int} r, # for /dev/nbd*
|
||||
@{run}/udev/data/b7:@{int} r, # for /dev/loop*
|
||||
@{run}/udev/data/b8:@{int} r, # for /dev/sd*
|
||||
|
||||
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
||||
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
|
||||
|
||||
@{run}/udev/data/+usb:* r, # for ?
|
||||
|
||||
|
|
|
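Review bot: `/dev/nvme@{int} rwk,` in the @-13,57 hunk is narrower than the `/dev/nvme[0-9]*` it replaces in a way that looks unintended: if `@{int}` expands to digits only, as the other replacements on this page assume, the rule now matches only the controller character device `/dev/nvme0` and not the block devices `/dev/nvme0n1` or `/dev/nvme0n1p1` that the old `*` covered, so users of this abstraction lose write access to the actual disks. The read abstraction in the same commit still uses `/dev/nvme*`, so the two now diverge. `/dev/nvme@{int}{,n@{int},n@{int}p@{int}} rwk,` keeps the digit-only tightening and restores the namespace and partition nodes.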
@ -29,8 +29,8 @@
|
|||
|
||||
/var/cache/fontconfig/ rw,
|
||||
owner /var/cache/fontconfig/** rw,
|
||||
owner /var/cache/fontconfig/*.cache-[0-9]* rwk,
|
||||
owner /var/cache/fontconfig/*.cache-[0-9]*.LCK rwl,
|
||||
owner /var/cache/fontconfig/*.cache-@{int} rwk,
|
||||
owner /var/cache/fontconfig/*.cache-@{int}.LCK rwl,
|
||||
owner /var/cache/fontconfig/CACHEDIR.TAG.LCK rwl,
|
||||
|
||||
# For fonts downloaded via font-manager (###FIXME### when they fix resolving of vars)
|
||||
|
|
|
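Review bot: The narrowed `owner /var/cache/fontconfig/*.cache-@{int} rwk,` and `owner /var/cache/fontconfig/*.cache-@{int}.LCK rwl,` sit directly under `owner /var/cache/fontconfig/** rw,`, which already grants `rw` on every path below the directory, so the `@{int}` restriction only narrows the `k` and `l` grants and changes nothing about what can be written. If the intent is to confine what this abstraction can write, the `**` rule is the one to narrow or drop; otherwise a comment such as `# ** above already grants rw; these rules only scope lock/link` would stop the next reader from assuming the cache-file patterns are enforcing.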
@ -4,4 +4,4 @@
|
|||
|
||||
include <abstractions/gtk>
|
||||
|
||||
/var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
|
||||
/var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
|
||||
|
|
|
@ -4,16 +4,16 @@
|
|||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
@{lib}/frei0r-[0-9]/*.so mr,
|
||||
@{lib}/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner{,x86_64} mrix,
|
||||
@{lib}/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner{,x86_64} mrix,
|
||||
@{lib}/gstreamer-@{int}.@{int}/gst-plugin-scanner{,x86_64} mrix,
|
||||
@{lib}/@{multiarch}/gstreamer@{int}.@{int}/gstreamer-@{int}.@{int}/gst-plugin-scanner{,x86_64} mrix,
|
||||
@{lib}/@{multiarch}/libproxy/*/modules/*.so mr,
|
||||
@{lib}/@{multiarch}/libproxy/*/pxgsettings ixr,
|
||||
@{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,
|
||||
|
||||
/etc/openni2/OpenNI.ini r,
|
||||
|
||||
owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/ rw,
|
||||
owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/registry.*.bin{,.tmp@{rand6}} rw,
|
||||
owner @{HOME}/{.cache/,.}gstreamer-@{int}/ rw,
|
||||
owner @{HOME}/{.cache/,.}gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw,
|
||||
|
||||
/tmp/ r,
|
||||
/var/tmp/ r,
|
||||
|
@ -28,9 +28,9 @@
|
|||
@{run}/udev/data/+drm:* r, # For screen outputs
|
||||
@{run}/udev/data/+usb:* r, # For /dev/bus/usb/**
|
||||
|
||||
@{run}/udev/data/c81:[0-9]* r, # For video4linux
|
||||
@{run}/udev/data/c189:[0-9]* r, # For USB serial converters
|
||||
@{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card[0-9]*
|
||||
@{run}/udev/data/c81:@{int} r, # For video4linux
|
||||
@{run}/udev/data/c189:@{int} r, # For USB serial converters
|
||||
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
|
||||
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/bus/media/devices/ r,
|
||||
|
@ -40,7 +40,7 @@
|
|||
@{sys}/class/video4linux/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/{busnum,config,devnum,descriptors,speed,uevent} r,
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node[0-9]*/meminfo r,
|
||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
|
||||
/dev/ r,
|
||||
/dev/bus/usb/ r,
|
||||
|
|
|
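Review bot: In the @-4,16 hunk the version components in `@{lib}/gstreamer-@{int}.@{int}/...` and the `gstreamer-@{int}` cache directory are converted, but `@{lib}/frei0r-[0-9]/*.so mr,` and `@{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,` in the same hunk keep single-digit classes, so the file now mixes two spellings for the same idea. `@{lib}/frei0r-@{int}/*.so mr,` and `@{lib}/@{multiarch}/libvisual-@{int}.@{int}/*/*.so mr,` would make it uniform; the single-digit class is slightly tighter than `@{int}`, so if that is deliberate a short comment saying so would help. Separately, the comment on `@{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*` in the @-28 hunk still describes the old glob and could read `# For /dev/dri/card@{int}`.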
@ -1,5 +1,9 @@
|
|||
@{bin}/kde-open rix,
|
||||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
owner @{user_config_dirs}/menus/{,**} r,
|
||||
@{bin}/kde-open rix,
|
||||
|
||||
owner @{run}/user/@{uid}/kioclient*.[0-9]*.kioworker.socket rwl -> @{run}/user/@{uid}/#[0-9]*[0-9],
|
||||
owner @{user_config_dirs}/menus/{,**} r,
|
||||
|
||||
owner @{run}/user/@{uid}/kioclient*.[0-9]*.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
|
||||
|
|
|
@ -7,10 +7,10 @@
|
|||
|
||||
owner @{HOME}/thumbnails/ r,
|
||||
owner @{HOME}/thumbnails/{large,normal}/ r,
|
||||
owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png r,
|
||||
owner @{HOME}/thumbnails/{large,normal}/@{hex}.png r,
|
||||
|
||||
owner @{user_cache_dirs}/thumbnails/ r,
|
||||
owner @{user_cache_dirs}/thumbnails/{*large,normal}/ r,
|
||||
owner @{user_cache_dirs}/thumbnails/{*large,normal}/[a-f0-9]*.png r,
|
||||
owner @{user_cache_dirs}/thumbnails/{*large,normal}/@{hex}.png r,
|
||||
|
||||
include if exists <abstractions/thumbnails-cache-read.d>
|
|
@ -7,11 +7,11 @@
|
|||
owner @{HOME}/thumbnails/ rw,
|
||||
owner @{HOME}/thumbnails/{large,normal}/ rw,
|
||||
owner @{HOME}/thumbnails/{large,normal}/#@{int} rw,
|
||||
owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int},
|
||||
owner @{HOME}/thumbnails/{large,normal}/@{hex}.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int},
|
||||
|
||||
owner @{user_cache_dirs}/thumbnails/ rw,
|
||||
owner @{user_cache_dirs}/thumbnails/{large,normal}/ rw,
|
||||
owner @{user_cache_dirs}/thumbnails/{large,normal}/#@{int} rw,
|
||||
owner @{user_cache_dirs}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int},
|
||||
owner @{user_cache_dirs}/thumbnails/{large,normal}/@{hex}.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int},
|
||||
|
||||
include if exists <abstractions/thumbnails-cache-write.d>
|
|
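Review bot: The new line `owner @{HOME}/thumbnails/{large,normal}/@{hex}.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int},` names a link target under `@{user_cache_dirs}` while the file itself lives under `@{HOME}/thumbnails/`, and the temp-file rule two lines above it (`owner @{HOME}/thumbnails/{large,normal}/#@{int} rw,`) creates the `#@{int}` file in that same directory. That looks like a copy of the `@{user_cache_dirs}` rule further down; the target for the legacy location is presumably `@{HOME}/thumbnails/{large,normal}/#@{int}`, which is what a write-temp-then-link save needs. The commit only swaps `[a-f0-9]*` for `@{hex}` here, so the mismatch is carried over rather than introduced, but it is worth fixing on the same line.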
@ -9,7 +9,7 @@
|
|||
owner @{user_config_dirs}/trashrc.* rwl -> @{user_config_dirs}/#@{int},
|
||||
|
||||
owner @{run}/user/@{uid}/#@{int} rw,
|
||||
owner @{run}/user/@{uid}/trash.so*.[0-9].slave-socket rwl -> @{run}/user/@{uid}/#@{int},
|
||||
owner @{run}/user/@{uid}/trash.so*.@{int}.slave-socket rwl -> @{run}/user/@{uid}/#@{int},
|
||||
|
||||
# Home trash location
|
||||
owner @{user_share_dirs}/Trash/{,**} rwl,
|
||||
|
@ -18,10 +18,10 @@
|
|||
owner /{media,mnt}/*/.Trash/{,**} rwl,
|
||||
|
||||
# Partitions' trash location when the admin doesn't create the .Trash/ folder in the top lvl dir
|
||||
owner /{media,mnt}/*/.Trash-[0-9]*/{,**} rwl,
|
||||
owner /{media,mnt}/*/.Trash-@{int}/{,**} rwl,
|
||||
|
||||
# Removable media's trash location when the admin creates the .Trash/ folder in the top lvl dir
|
||||
owner /{media,mnt}/*/*/.Trash/{,**} rwl,
|
||||
|
||||
# Removable media's trash location when the admin doesn't create the .Trash/ folder in the top lvl dir
|
||||
owner /{media,mnt}/*/*/.Trash-[0-9]*/{,**} rwl,
|
||||
owner /{media,mnt}/*/*/.Trash-@{int}/{,**} rwl,
|
||||
|
|
|
@ -3,4 +3,4 @@
|
|||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
owner /dev/shm/sway* rw,
|
||||
owner /dev/shm/dunst-?????? rw,
|
||||
owner /dev/shm/dunst-@{rand6} rw,
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
/usr/share/zsh/{,**} r,
|
||||
/usr/local/share/zsh/{,**} r,
|
||||
|
||||
@{lib}/@{multiarch}/zsh/[0-9]*/zsh/*.so mr,
|
||||
@{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr,
|
||||
|
||||
/etc/zsh/zshenv r,
|
||||
/etc/zsh/zshrc r,
|
||||
|
|
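Review bot: `@{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr,` no longer matches the module directory if it is named after the full zsh version (on Debian-style layouts it is e.g. `zsh/5.9/zsh/`), because `@{int}` matches digits only while the removed `[0-9]*` also accepted the dot. The other version directories on this page were converted as `@{int}.@{int}` (gstreamer, gio), so the same spelling here, `@{lib}/@{multiarch}/zsh/@{int}.@{int}{,.@{int}}/zsh/*.so mr,`, keeps the tightening without dropping the common case. This is inferred from the usual install layout; worth confirming against a real system before merging.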