mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-15 16:03:51 +01:00
Update various profiles
Signed-off-by: Jeroen Rijken <jeroen.rijken@xs4all.nl>
This commit is contained in:
Jeroen Rijken
Alex
parent
92a1d9f65f
commit
b532dd6827
@ -7,4 +7,35 @@
|
|||||||
member={GetAll,PropertiesChanged}
|
member={GetAll,PropertiesChanged}
|
||||||
peer=(name=:*, label=wpa-supplicant),
|
peer=(name=:*, label=wpa-supplicant),
|
||||||
|
|
||||||
|
dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
|
||||||
|
interface=fi.w1.wpa_supplicant1.Interface
|
||||||
|
member={Disconnect,RemoveNetwork,Scan}
|
||||||
|
peer=(name=:*, label=wpa-supplicant),
|
||||||
|
|
||||||
|
dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
|
||||||
|
interface=fi.w1.wpa_supplicant1.Interface.P2PDevice
|
||||||
|
member=Cancel
|
||||||
|
peer=(name=:*, label=wpa-supplicant),
|
||||||
|
|
||||||
|
# Unconfined for now, don't know the label yet.
|
||||||
|
# dbus send bus=system path=/org/freedesktop
|
||||||
|
# interface=org.freedesktop.DBus.ObjectManager
|
||||||
|
# member=InterfacesRemoved
|
||||||
|
# peer=(name=:*, label=unconfined),
|
||||||
|
|
||||||
|
dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
|
||||||
|
interface=fi.w1.wpa_supplicant1.Interface
|
||||||
|
member={BSSAdded,BSSRemoved,NetworkRemoved,ScanDone,PropertiesChanged}
|
||||||
|
peer=(name=:*, label=wpa-supplicant),
|
||||||
|
|
||||||
|
dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
|
||||||
|
interface=org.freedesktop.DBus.Properties
|
||||||
|
member=PropertiesChanged
|
||||||
|
peer=(name=:*, label=wpa-supplicant),
|
||||||
|
|
||||||
|
dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}/BSSs/@{int}
|
||||||
|
interface=org.freedesktop.DBus.Properties
|
||||||
|
member=PropertiesChanged
|
||||||
|
peer=(name=:*, label=wpa-supplicant),
|
||||||
|
|
||||||
include if exists <abstractions/bus/fi.w1.wpa_supplicant1.d>
|
include if exists <abstractions/bus/fi.w1.wpa_supplicant1.d>
|
||||||
|
|||||||
@ -2,9 +2,29 @@
|
|||||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
dbus receive bus=system path=/
|
||||||
|
interface=org.freedesktop.DBus.ObjectManager
|
||||||
|
member=InterfacesRemoved
|
||||||
|
peer=(name=:*, label=bluetoothd),
|
||||||
|
|
||||||
dbus receive bus=system path=/org/bluez/hci@{int}{,/**}
|
dbus receive bus=system path=/org/bluez/hci@{int}{,/**}
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member=PropertiesChanged
|
member=PropertiesChanged
|
||||||
peer=(name=:*, label=bluetoothd),
|
peer=(name=:*, label=bluetoothd),
|
||||||
|
|
||||||
|
dbus send bus=system path=/org/bluez
|
||||||
|
interface=org.bluez.ProfileManager@{int}
|
||||||
|
member=RegisterProfile
|
||||||
|
peer=(name=org.bluez, label=bluetoothd),
|
||||||
|
|
||||||
|
dbus send bus=system path=/org/bluez/hci@{int}
|
||||||
|
interface=org.bluez.BatteryProviderManager@{int}
|
||||||
|
member=RegisterProfile
|
||||||
|
peer=(name=org.bluez, label=bluetoothd),
|
||||||
|
|
||||||
|
dbus send bus=system path=/org/bluez/hci@{int}
|
||||||
|
interface=org.bluez.Media@{int}
|
||||||
|
member=RegisterApplication
|
||||||
|
peer=(name=org.bluez, label=bluetoothd),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.bluez.d>
|
include if exists <abstractions/bus/org.bluez.d>
|
||||||
|
|||||||
@ -37,6 +37,11 @@
|
|||||||
member=GetAll
|
member=GetAll
|
||||||
peer=(name=:*, label=NetworkManager),
|
peer=(name=:*, label=NetworkManager),
|
||||||
|
|
||||||
|
dbus send bus=system path=/org/freedesktop/NetworkManager
|
||||||
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
|
member=Introspect
|
||||||
|
peer=(name=:*, label=NetworkManager),
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**}
|
dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**}
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member=PropertiesChanged
|
member=PropertiesChanged
|
||||||
|
|||||||
@ -2,6 +2,11 @@
|
|||||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||||
|
interface=org.freedesktop.PolicyKit1.Authority
|
||||||
|
member=Changed
|
||||||
|
peer=(name=:*, label=polkitd),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member=GetAll
|
member=GetAll
|
||||||
@ -11,6 +16,7 @@
|
|||||||
interface=org.freedesktop.PolicyKit1.Authority
|
interface=org.freedesktop.PolicyKit1.Authority
|
||||||
member=CheckAuthorization
|
member=CheckAuthorization
|
||||||
peer=(name=org.freedesktop.PolicyKit1, label=polkitd),
|
peer=(name=org.freedesktop.PolicyKit1, label=polkitd),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||||
interface=org.freedesktop.PolicyKit1.Authority
|
interface=org.freedesktop.PolicyKit1.Authority
|
||||||
member=CheckAuthorization
|
member=CheckAuthorization
|
||||||
@ -20,9 +26,9 @@
|
|||||||
member=CheckAuthorization
|
member=CheckAuthorization
|
||||||
peer=(name=org.freedesktop.PolicyKit1),
|
peer=(name=org.freedesktop.PolicyKit1),
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
|
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||||
interface=org.freedesktop.PolicyKit1.Authority
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
member=Changed
|
member=Introspect
|
||||||
peer=(name=:*, label=polkitd),
|
peer=(name=:*, label=polkitd),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.PolicyKit1.d>
|
include if exists <abstractions/bus/org.freedesktop.PolicyKit1.d>
|
||||||
|
|||||||
@ -12,11 +12,21 @@
|
|||||||
member=GetAll
|
member=GetAll
|
||||||
peer=(name=:*, label=upowerd),
|
peer=(name=:*, label=upowerd),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/UPower/devices/DisplayDevice
|
dbus send bus=system path=/org/freedesktop/UPower
|
||||||
|
interface=org.freedesktop.DBus.Properties
|
||||||
|
member={Get,GetDisplayDevice}
|
||||||
|
peer=(name=org.freedesktop.UPower, label=upowerd),
|
||||||
|
|
||||||
|
dbus send bus=system path=/org/freedesktop/UPower/devices/*
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member={Get,GetAll}
|
member={Get,GetAll}
|
||||||
peer=(name=:*, label=upowerd),
|
peer=(name=:*, label=upowerd),
|
||||||
|
|
||||||
|
dbus send bus=system path=/org/freedesktop/UPower/devices/*
|
||||||
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
|
member=Introspect
|
||||||
|
peer=(name=:*, label=upowerd),
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/UPower/devices/*
|
dbus receive bus=system path=/org/freedesktop/UPower/devices/*
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member=PropertiesChanged
|
member=PropertiesChanged
|
||||||
|
|||||||
@ -14,7 +14,7 @@
|
|||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/login1
|
dbus send bus=system path=/org/freedesktop/login1
|
||||||
interface=org.freedesktop.login1.Manager
|
interface=org.freedesktop.login1.Manager
|
||||||
member=Inhibit
|
member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend}
|
||||||
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
|
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/login1
|
dbus receive bus=system path=/org/freedesktop/login1
|
||||||
|
|||||||
@ -7,9 +7,14 @@
|
|||||||
member=GetSession
|
member=GetSession
|
||||||
peer=(name=:*, label=systemd-logind),
|
peer=(name=:*, label=systemd-logind),
|
||||||
|
|
||||||
|
dbus send bus=system path=/org/freedesktop/login1{,session/*,seat/*}
|
||||||
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
|
member=Introspect
|
||||||
|
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/login1/session/*
|
dbus send bus=system path=/org/freedesktop/login1/session/*
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member=GetAll
|
member={Get,GetAll}
|
||||||
peer=(name=:*, label=systemd-logind),
|
peer=(name=:*, label=systemd-logind),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/login1/session/*
|
dbus send bus=system path=/org/freedesktop/login1/session/*
|
||||||
@ -17,6 +22,11 @@
|
|||||||
member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint}
|
member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint}
|
||||||
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
|
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
|
||||||
|
|
||||||
|
dbus send bus=system path=/org/freedesktop/login1/seat/*
|
||||||
|
interface=org.freedesktop.DBus.Properties
|
||||||
|
member={Get,GetAll}
|
||||||
|
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/login1/session/*
|
dbus receive bus=system path=/org/freedesktop/login1/session/*
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member=PropertiesChanged
|
member=PropertiesChanged
|
||||||
|
|||||||
@ -13,11 +13,15 @@
|
|||||||
# @{cache_dirs} = @{user_cache_dirs}/chromium
|
# @{cache_dirs} = @{user_cache_dirs}/chromium
|
||||||
|
|
||||||
include <abstractions/audio>
|
include <abstractions/audio>
|
||||||
|
include <abstractions/bus-session>
|
||||||
|
include <abstractions/bus-system>
|
||||||
|
include <abstractions/bus/org.freedesktop.UPower>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/desktop>
|
include <abstractions/desktop>
|
||||||
include <abstractions/devices-usb>
|
include <abstractions/devices-usb>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/graphics-full>
|
include <abstractions/graphics-full>
|
||||||
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/ssl_certs>
|
include <abstractions/ssl_certs>
|
||||||
include <abstractions/thumbnails-cache-read>
|
include <abstractions/thumbnails-cache-read>
|
||||||
@ -51,6 +55,11 @@
|
|||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
dbus send bus=system path=/
|
||||||
|
interface=org.freedesktop.DBus.ObjectManager
|
||||||
|
member=GetManagedObjects
|
||||||
|
peer=(name=org.bluez, label=bluetoothd),
|
||||||
|
|
||||||
@{lib_dirs}/{,**} r,
|
@{lib_dirs}/{,**} r,
|
||||||
@{lib_dirs}/*.so* mr,
|
@{lib_dirs}/*.so* mr,
|
||||||
@{lib_dirs}/chrome_crashpad_handler rPx,
|
@{lib_dirs}/chrome_crashpad_handler rPx,
|
||||||
@ -93,16 +102,19 @@
|
|||||||
/usr/share/hwdata/pnp.ids r,
|
/usr/share/hwdata/pnp.ids r,
|
||||||
/usr/share/mozilla/extensions/{,**} r,
|
/usr/share/mozilla/extensions/{,**} r,
|
||||||
/usr/share/qt{5,}/translations/*.qm r,
|
/usr/share/qt{5,}/translations/*.qm r,
|
||||||
|
/usr/share/uim/* r,
|
||||||
/usr/share/webext/{,**} r,
|
/usr/share/webext/{,**} r,
|
||||||
|
|
||||||
/etc/@{name}/{,**} r,
|
/etc/@{name}/{,**} r,
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
/etc/igfx_user_feature{,_next}.txt w,
|
/etc/igfx_user_feature{,_next}.txt rw,
|
||||||
/etc/opensc.conf r,
|
/etc/opensc.conf r,
|
||||||
|
|
||||||
/var/lib/dbus/machine-id r,
|
/var/lib/dbus/machine-id r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
|
||||||
|
/var/lib/uim/* r,
|
||||||
|
|
||||||
owner @{HOME}/ r,
|
owner @{HOME}/ r,
|
||||||
|
|
||||||
owner @{HOME}/.pki/ rw,
|
owner @{HOME}/.pki/ rw,
|
||||||
@ -110,9 +122,13 @@
|
|||||||
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
|
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
|
||||||
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
|
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
|
||||||
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
|
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
|
||||||
|
owner @{HOME}/.uim.d/customs/* r,
|
||||||
|
owner @{HOME}/.XCompose r,
|
||||||
|
|
||||||
owner @{user_config_dirs}/gtk-3.0/servers r,
|
owner @{user_config_dirs}/gtk-3.0/servers r,
|
||||||
owner @{user_share_dirs}/.@{domain}.* rw,
|
owner @{user_share_dirs}/.@{domain}.* rw,
|
||||||
|
owner @{user_cache_dirs}/gtk-3.0/**/*.cache r,
|
||||||
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
|
|
||||||
owner @{config_dirs}/ rw,
|
owner @{config_dirs}/ rw,
|
||||||
owner @{config_dirs}/** rwk,
|
owner @{config_dirs}/** rwk,
|
||||||
@ -145,6 +161,10 @@
|
|||||||
|
|
||||||
audit @{run}/udev/data/* r,
|
audit @{run}/udev/data/* r,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw,
|
||||||
|
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw,
|
||||||
|
owner @{run}/user/@{uid}/uim/socket/uim-helper rw,
|
||||||
|
|
||||||
@{sys}/bus/ r,
|
@{sys}/bus/ r,
|
||||||
@{sys}/bus/**/devices/ r,
|
@{sys}/bus/**/devices/ r,
|
||||||
@{sys}/class/**/ r,
|
@{sys}/class/**/ r,
|
||||||
@ -154,6 +174,7 @@
|
|||||||
@{sys}/devices/**/uevent r,
|
@{sys}/devices/**/uevent r,
|
||||||
@{sys}/devices/system/cpu/kernel_max r,
|
@{sys}/devices/system/cpu/kernel_max r,
|
||||||
@{sys}/devices/virtual/**/report_descriptor r,
|
@{sys}/devices/virtual/**/report_descriptor r,
|
||||||
|
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_name} r,
|
||||||
@{sys}/devices/virtual/tty/tty@{int}/active r,
|
@{sys}/devices/virtual/tty/tty@{int}/active r,
|
||||||
|
|
||||||
@{PROC}/ r,
|
@{PROC}/ r,
|
||||||
|
|||||||
@ -3,8 +3,14 @@
|
|||||||
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
capability sys_ptrace,
|
||||||
|
|
||||||
ptrace (read) peer=@{systemd},
|
ptrace (read) peer=@{systemd},
|
||||||
|
|
||||||
|
owner @{lib}/systemd/{,systemd} r,
|
||||||
|
|
||||||
|
owner @{run}/systemd/system/ r,
|
||||||
|
|
||||||
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
|
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
|
||||||
@{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
|
@{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
|
||||||
|
|
||||||
@ -14,6 +20,7 @@
|
|||||||
@{PROC}/cmdline r,
|
@{PROC}/cmdline r,
|
||||||
@{PROC}/sys/kernel/osrelease r,
|
@{PROC}/sys/kernel/osrelease r,
|
||||||
@{PROC}/sys/kernel/random/boot_id r,
|
@{PROC}/sys/kernel/random/boot_id r,
|
||||||
|
owner @{PROC}/filesystems r,
|
||||||
owner @{PROC}/@{pid}/stat r,
|
owner @{PROC}/@{pid}/stat r,
|
||||||
|
|
||||||
/dev/kmsg w,
|
/dev/kmsg w,
|
||||||
|
|||||||
@ -18,6 +18,8 @@ profile brave @{exec_path} {
|
|||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/chromium>
|
include <abstractions/chromium>
|
||||||
|
|
||||||
|
unix (send, receive) type=stream peer=brave-crashpad-handler,
|
||||||
|
|
||||||
@{exec_path} mrix,
|
@{exec_path} mrix,
|
||||||
|
|
||||||
@{bin}/man rPUx, # For "brave --help"
|
@{bin}/man rPUx, # For "brave --help"
|
||||||
@ -25,8 +27,10 @@ profile brave @{exec_path} {
|
|||||||
/usr/share/chromium/extensions/ r,
|
/usr/share/chromium/extensions/ r,
|
||||||
|
|
||||||
/etc/opt/chrome/ r,
|
/etc/opt/chrome/ r,
|
||||||
|
/etc/opt/chrome/native-messaging-hosts/* r,
|
||||||
|
|
||||||
owner @{user_config_dirs}/BraveSoftware/ rw,
|
owner @{user_config_dirs}/BraveSoftware/ rw,
|
||||||
|
owner @{user_config_dirs}/kioslaverc r,
|
||||||
owner @{user_config_dirs}/menus/applications-merged/ r,
|
owner @{user_config_dirs}/menus/applications-merged/ r,
|
||||||
owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r,
|
owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r,
|
||||||
|
|
||||||
@ -42,6 +46,7 @@ profile brave @{exec_path} {
|
|||||||
|
|
||||||
# Silencer
|
# Silencer
|
||||||
deny /etc/opt/chrome/ w,
|
deny /etc/opt/chrome/ w,
|
||||||
|
deny /dev/disk/by-uuid/ r,
|
||||||
|
|
||||||
include if exists <local/brave>
|
include if exists <local/brave>
|
||||||
}
|
}
|
||||||
|
|||||||
@ -16,11 +16,15 @@ profile brave-crashpad-handler @{exec_path} {
|
|||||||
|
|
||||||
capability sys_ptrace,
|
capability sys_ptrace,
|
||||||
|
|
||||||
|
unix (send, receive) type=stream peer=(label=brave),
|
||||||
|
|
||||||
ptrace peer=brave,
|
ptrace peer=brave,
|
||||||
signal (send) peer=brave,
|
signal (send) peer=brave,
|
||||||
|
|
||||||
@{exec_path} mrix,
|
@{exec_path} mrix,
|
||||||
|
|
||||||
|
owner @{user_config_dirs}/BraveSoftware/Brave-Browser/CrashpadMetrics-active.pma rw,
|
||||||
|
owner @{user_config_dirs}/BraveSoftware/Brave-Browser/CrashpadMetrics.pma rw,
|
||||||
owner "@{config_dirs}/Crash Reports/**" rwk,
|
owner "@{config_dirs}/Crash Reports/**" rwk,
|
||||||
|
|
||||||
@{PROC}/sys/kernel/yama/ptrace_scope r,
|
@{PROC}/sys/kernel/yama/ptrace_scope r,
|
||||||
|
|||||||
@ -27,7 +27,7 @@ profile brave-wrapper @{exec_path} {
|
|||||||
|
|
||||||
@{lib_dirs}/brave rPx,
|
@{lib_dirs}/brave rPx,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/fd/ w,
|
owner @{PROC}/@{pid}/fd/@{int} w,
|
||||||
|
|
||||||
# Silencer
|
# Silencer
|
||||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||||
|
|||||||
@ -51,6 +51,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rix, # See #74, #80 & #235
|
@{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rix, # See #74, #80 & #235
|
||||||
@{lib}/@{multiarch}/tumbler-1/tumblerd rPUx,
|
@{lib}/@{multiarch}/tumbler-1/tumblerd rPUx,
|
||||||
@{lib}/@{multiarch}/xfce[0-9]/xfconf/xfconfd rPx,
|
@{lib}/@{multiarch}/xfce[0-9]/xfconf/xfconfd rPx,
|
||||||
|
@{lib}/@{multiarch}/libexec/ksmserver-logout-greeter rPx,
|
||||||
@{lib}/* rPUx,
|
@{lib}/* rPUx,
|
||||||
@{lib}/atril/atrild rPx,
|
@{lib}/atril/atrild rPx,
|
||||||
@{lib}/dbus-1*/dbus-daemon-launch-helper rPx,
|
@{lib}/dbus-1*/dbus-daemon-launch-helper rPx,
|
||||||
|
|||||||
@ -10,6 +10,7 @@ include <tunables/global>
|
|||||||
profile plymouth @{exec_path} {
|
profile plymouth @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/fonts>
|
include <abstractions/fonts>
|
||||||
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
|
|
||||||
unix (send, receive, connect) type=stream peer=(addr="@/org/freedesktop/plymouthd"),
|
unix (send, receive, connect) type=stream peer=(addr="@/org/freedesktop/plymouthd"),
|
||||||
|
|||||||
@ -50,11 +50,37 @@ profile pulseaudio @{exec_path} {
|
|||||||
member=Introspect
|
member=Introspect
|
||||||
peer=(name=:*, label=gnome-shell),
|
peer=(name=:*, label=gnome-shell),
|
||||||
|
|
||||||
|
dbus receive bus=system path=/Client@{int}/ServiceResolver@{int}
|
||||||
|
interface=org.freedesktop.Avahi.ServiceResolver
|
||||||
|
member=Found
|
||||||
|
peer=(name=:*, label=avahi-daemon),
|
||||||
|
|
||||||
|
dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
|
||||||
|
interface=org.freedesktop.Avahi.ServiceBrowser
|
||||||
|
member=ItemRemove
|
||||||
|
peer=(name=:*, label=avahi-daemon),
|
||||||
|
|
||||||
dbus send bus=system path=/
|
dbus send bus=system path=/
|
||||||
interface=org.freedesktop.DBus.ObjectManager
|
interface=org.freedesktop.DBus.ObjectManager
|
||||||
member=GetManagedObjects
|
member=GetManagedObjects
|
||||||
peer=(name=org.bluez),
|
peer=(name=org.bluez),
|
||||||
|
|
||||||
|
dbus send bus=system path=/
|
||||||
|
interface=org.freedesktop.DBus.Peer
|
||||||
|
member=Ping
|
||||||
|
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
|
||||||
|
|
||||||
|
dbus send bus=system path=/Client@{int}/ServiceResolver@{int}
|
||||||
|
interface=org.freedesktop.Avahi.ServiceResolver
|
||||||
|
member={Found,Free}
|
||||||
|
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
|
||||||
|
|
||||||
|
# No label in rule
|
||||||
|
dbus send bus=system path=/org/freedesktop/RealtimeKit@{int}
|
||||||
|
interface=org.freedesktop.RealtimeKit@{int}
|
||||||
|
member=MakeThreadHighPriority
|
||||||
|
peer=(name=org.freedesktop.RealtimeKit@{int}),
|
||||||
|
|
||||||
@{exec_path} mrix,
|
@{exec_path} mrix,
|
||||||
|
|
||||||
@{lib}/pulse/gsettings-helper rix,
|
@{lib}/pulse/gsettings-helper rix,
|
||||||
@ -104,6 +130,7 @@ profile pulseaudio @{exec_path} {
|
|||||||
|
|
||||||
@{sys}/devices/**/sound/**/{uevent,pcm_class} r,
|
@{sys}/devices/**/sound/**/{uevent,pcm_class} r,
|
||||||
@{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
|
@{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
|
||||||
|
@{sys}/devices/virtual/video4linux/video@{int}/uevent r,
|
||||||
|
|
||||||
deny @{sys}/module/apparmor/parameters/enabled r,
|
deny @{sys}/module/apparmor/parameters/enabled r,
|
||||||
|
|
||||||
|
|||||||
@ -34,6 +34,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||||||
member=MakeThread*
|
member=MakeThread*
|
||||||
peer=(name=:*),
|
peer=(name=:*),
|
||||||
|
|
||||||
|
dbus receive bus=system path=/org/freedesktop/NetworkManager
|
||||||
|
interface=org.freedesktop.NetworkManager
|
||||||
|
member=CheckPermissions
|
||||||
|
peer=(name=:*, label=NetworkManager),
|
||||||
|
|
||||||
# dbus: own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor
|
# dbus: own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/portal/documents
|
dbus send bus=session path=/org/freedesktop/portal/documents
|
||||||
|
|||||||
@ -10,6 +10,7 @@ include <tunables/global>
|
|||||||
@{exec_path} = @{bin}/xsetroot
|
@{exec_path} = @{bin}/xsetroot
|
||||||
profile xsetroot @{exec_path} {
|
profile xsetroot @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/X-strict>
|
||||||
|
|
||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
|
|
||||||
|
|||||||
@ -29,6 +29,7 @@ profile dolphin @{exec_path} {
|
|||||||
@{bin}/ldd rix,
|
@{bin}/ldd rix,
|
||||||
@{lib}/kf5/kioslave5 rPx,
|
@{lib}/kf5/kioslave5 rPx,
|
||||||
@{lib}/@{multiarch}/kf5/kioslave5 rPx,
|
@{lib}/@{multiarch}/kf5/kioslave5 rPx,
|
||||||
|
@{lib}/@{multiarch}/libexec/kf5/kioslave5 rPx,
|
||||||
|
|
||||||
/usr/share/kf5/kmoretools/{,**} r,
|
/usr/share/kf5/kmoretools/{,**} r,
|
||||||
/usr/share/kio/{,**} r,
|
/usr/share/kio/{,**} r,
|
||||||
|
|||||||
@ -9,6 +9,7 @@ include <tunables/global>
|
|||||||
@{exec_path} = @{bin}/kcminit
|
@{exec_path} = @{bin}/kcminit
|
||||||
profile kcminit @{exec_path} {
|
profile kcminit @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/bus-session>
|
||||||
include <abstractions/gtk>
|
include <abstractions/gtk>
|
||||||
include <abstractions/kde-strict>
|
include <abstractions/kde-strict>
|
||||||
|
|
||||||
|
|||||||
@ -121,6 +121,7 @@ profile kded5 @{exec_path} {
|
|||||||
owner @{user_config_dirs}/libaccounts-glib/ rw,
|
owner @{user_config_dirs}/libaccounts-glib/ rw,
|
||||||
owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
|
owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
|
||||||
owner @{user_config_dirs}/menus/{,**} r,
|
owner @{user_config_dirs}/menus/{,**} r,
|
||||||
|
owner @{user_config_dirs}/networkmanagement.notifyrc r,
|
||||||
owner @{user_config_dirs}/plasma-nm r,
|
owner @{user_config_dirs}/plasma-nm r,
|
||||||
owner @{user_config_dirs}/touchpadrc r,
|
owner @{user_config_dirs}/touchpadrc r,
|
||||||
owner @{user_config_dirs}/xsettingsd/{,**} rw,
|
owner @{user_config_dirs}/xsettingsd/{,**} rw,
|
||||||
@ -147,6 +148,7 @@ profile kded5 @{exec_path} {
|
|||||||
@{PROC}/ r,
|
@{PROC}/ r,
|
||||||
@{PROC}/@{pids}/cmdline/ r,
|
@{PROC}/@{pids}/cmdline/ r,
|
||||||
@{PROC}/@{pids}/fd/ r,
|
@{PROC}/@{pids}/fd/ r,
|
||||||
|
@{PROC}/@{pids}/fdinfo/@{int} r,
|
||||||
@{PROC}/@{pids}/fd/info/@{int} r,
|
@{PROC}/@{pids}/fd/info/@{int} r,
|
||||||
@{PROC}/sys/fs/inotify/max_user_{instances,watches} r,
|
@{PROC}/sys/fs/inotify/max_user_{instances,watches} r,
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
|
|||||||
@ -24,6 +24,7 @@ profile konsole @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
@{bin}/@{shells} rUx,
|
@{bin}/@{shells} rUx,
|
||||||
|
@{browsers_path} rPx,
|
||||||
@{lib}/@{multiarch}/utempter/utempter rPUx,
|
@{lib}/@{multiarch}/utempter/utempter rPUx,
|
||||||
|
|
||||||
/usr/share/color-schemes/{,**} r,
|
/usr/share/color-schemes/{,**} r,
|
||||||
|
|||||||
@ -11,6 +11,10 @@ include <tunables/global>
|
|||||||
@{exec_path} += @{lib}/@{multiarch}/libexec/kscreenlocker_greet
|
@{exec_path} += @{lib}/@{multiarch}/libexec/kscreenlocker_greet
|
||||||
profile kscreenlocker-greet @{exec_path} {
|
profile kscreenlocker-greet @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/bus-session>
|
||||||
|
include <abstractions/bus-system>
|
||||||
|
include <abstractions/bus/org.freedesktop.login1>
|
||||||
|
include <abstractions/bus/org.freedesktop.login1.Session>
|
||||||
include <abstractions/bus/org.freedesktop.UPower>
|
include <abstractions/bus/org.freedesktop.UPower>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
@ -25,6 +29,13 @@ profile kscreenlocker-greet @{exec_path} {
|
|||||||
signal (receive) set=(usr1, term) peer=ksmserver,
|
signal (receive) set=(usr1, term) peer=ksmserver,
|
||||||
signal (receive) set=(term) peer=kwin_wayland,
|
signal (receive) set=(term) peer=kwin_wayland,
|
||||||
|
|
||||||
|
unix (send,receive) type=stream peer=(label="ksmserver",addr=none),
|
||||||
|
|
||||||
|
dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int}
|
||||||
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
|
member=Introspect
|
||||||
|
peer=(name=:*, label=sddm),
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{lib}/libheif/ r,
|
@{lib}/libheif/ r,
|
||||||
@ -57,6 +68,7 @@ profile kscreenlocker-greet @{exec_path} {
|
|||||||
|
|
||||||
owner @{HOME}/.face.icon r,
|
owner @{HOME}/.face.icon r,
|
||||||
owner @{HOME}/.xsession-errors w,
|
owner @{HOME}/.xsession-errors w,
|
||||||
|
owner @{user_pictures_dirs}/{,**} r,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/ rw,
|
owner @{user_cache_dirs}/ rw,
|
||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
@ -85,6 +97,7 @@ profile kscreenlocker-greet @{exec_path} {
|
|||||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||||
|
|
||||||
@{PROC}/@{pid}/cmdline r,
|
@{PROC}/@{pid}/cmdline r,
|
||||||
|
@{PROC}/@{pid}/fd/ r,
|
||||||
@{PROC}/@{pid}/loginuid r,
|
@{PROC}/@{pid}/loginuid r,
|
||||||
@{PROC}/@{pid}/mounts r,
|
@{PROC}/@{pid}/mounts r,
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
|
|||||||
@ -9,6 +9,7 @@ include <tunables/global>
|
|||||||
@{exec_path} = @{bin}/ksmserver
|
@{exec_path} = @{bin}/ksmserver
|
||||||
profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/bus/org.freedesktop.login1.Session>
|
||||||
include <abstractions/app-launcher-user>
|
include <abstractions/app-launcher-user>
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
include <abstractions/kde-strict>
|
include <abstractions/kde-strict>
|
||||||
@ -16,6 +17,8 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||||||
|
|
||||||
signal (send) set=(usr1,term) peer=kscreenlocker-greet,
|
signal (send) set=(usr1,term) peer=kscreenlocker-greet,
|
||||||
|
|
||||||
|
unix (send, receive) type=stream peer=(label="kscreenlocker-greet",addr=none),
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{bin}/rm rix,
|
@{bin}/rm rix,
|
||||||
@ -32,27 +35,33 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||||||
/usr/share/color-schemes/{,**} r,
|
/usr/share/color-schemes/{,**} r,
|
||||||
/usr/share/knotifications5/*.notifyrc r,
|
/usr/share/knotifications5/*.notifyrc r,
|
||||||
/usr/share/kservices5/{,**} r,
|
/usr/share/kservices5/{,**} r,
|
||||||
|
/usr/share/kservicetypes5/{,**} r,
|
||||||
|
|
||||||
/etc/xdg/menus/applications-merged/ r,
|
/etc/xdg/menus/applications-merged/ r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/xdg/kscreenlockerrc r,
|
/etc/xdg/kscreenlockerrc r,
|
||||||
/etc/xdg/menus/ r,
|
/etc/xdg/menus/ r,
|
||||||
|
|
||||||
|
/var/lib/flatpak/exports/share/mime/ r,
|
||||||
|
|
||||||
owner @{HOME}/@{rand6} rw,
|
owner @{HOME}/@{rand6} rw,
|
||||||
owner @{HOME}/.Xauthority rw,
|
owner @{HOME}/.Xauthority rw,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/#@{int} rw,
|
owner @{user_cache_dirs}/#@{int} rw,
|
||||||
owner @{user_cache_dirs}/fontconfig/*-le64.cache-* r,
|
owner @{user_cache_dirs}/fontconfig/*-le64.cache-* r,
|
||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
owner @{user_cache_dirs}/ksycoca5_* rl,
|
owner @{user_cache_dirs}/ksycoca5_* rwlk,
|
||||||
|
|
||||||
owner @{user_config_dirs}/#@{int} rw,
|
owner @{user_config_dirs}/#@{int} rw,
|
||||||
owner @{user_config_dirs}/kscreenlockerrc r,
|
owner @{user_config_dirs}/kscreenlockerrc r,
|
||||||
owner @{user_config_dirs}/ksmserverrc r,
|
owner @{user_config_dirs}/ksmserverrc rw,
|
||||||
owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl,
|
owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl,
|
||||||
owner @{user_config_dirs}/ksmserverrc.lock rwk,
|
owner @{user_config_dirs}/ksmserverrc.lock rwk,
|
||||||
owner @{user_config_dirs}/menus/ r,
|
owner @{user_config_dirs}/menus/ r,
|
||||||
|
|
||||||
|
owner @{user_share_dirs}/kservices5/ r,
|
||||||
|
owner @{user_share_dirs}/kservices5/ServiceMenus/ r,
|
||||||
|
|
||||||
owner /tmp/@{rand6} rw,
|
owner /tmp/@{rand6} rw,
|
||||||
|
|
||||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||||
|
|||||||
66
apparmor.d/groups/kde/ksmserver-logout-greeter
Normal file
66
apparmor.d/groups/kde/ksmserver-logout-greeter
Normal file
@ -0,0 +1,66 @@
|
|||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2024 Jeroen Rijken
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
include <tunables/global>
|
||||||
|
|
||||||
|
@{exec_path} = @{lib}/@{multiarch}/libexec/ksmserver-logout-greeter
|
||||||
|
profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) {
|
||||||
|
include <abstractions/base>
|
||||||
|
include <abstractions/consoles>
|
||||||
|
include <abstractions/dri>
|
||||||
|
include <abstractions/fontconfig-cache-read>
|
||||||
|
include <abstractions/kde-icon-cache-write>
|
||||||
|
include <abstractions/kde-strict>
|
||||||
|
include <abstractions/mesa>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/qt5-shader-cache>
|
||||||
|
include <abstractions/qt5>
|
||||||
|
|
||||||
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
owner @{HOME}/ r,
|
||||||
|
|
||||||
|
/ r,
|
||||||
|
/etc/machine-id r,
|
||||||
|
/etc/timezone r,
|
||||||
|
|
||||||
|
/usr/share/plasma/desktoptheme/** r,
|
||||||
|
/usr/share/plasma/look-and-feel/** r,
|
||||||
|
/var/lib/AccountsService/icons/ r,
|
||||||
|
/var/lib/flatpak/exports/share/icons/{,**} r,
|
||||||
|
/var/lib/flatpak/exports/share/mime/generic-icons r,
|
||||||
|
|
||||||
|
@{lib}/os-release r,
|
||||||
|
|
||||||
|
owner @{user_cache_dirs}/ r,
|
||||||
|
owner @{user_cache_dirs}/#@{int} rwlk,
|
||||||
|
owner @{user_cache_dirs}/kcrash-metadata/ r,
|
||||||
|
owner @{user_cache_dirs}/ksmserver-logout-greeter/qmlcache/{,*} r,
|
||||||
|
owner @{user_cache_dirs}/plasma_theme_breeze-dark_v5.114.0.kcache rw,
|
||||||
|
owner @{user_cache_dirs}/plasma-svgelements r,
|
||||||
|
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} l -> @{user_cache_dirs}/#@{int},
|
||||||
|
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
|
||||||
|
|
||||||
|
owner @{user_config_dirs}/ r,
|
||||||
|
owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r,
|
||||||
|
owner @{user_config_dirs}/kdedefaults/plasmarc r,
|
||||||
|
owner @{user_config_dirs}/kscreenlockerrc r,
|
||||||
|
owner @{user_config_dirs}/ksmserverrc r,
|
||||||
|
owner @{user_config_dirs}/plasmarc r,
|
||||||
|
|
||||||
|
owner @{user_share_dirs}/icons/{**,} r,
|
||||||
|
owner @{user_share_dirs}/mime/generic-icons r,
|
||||||
|
|
||||||
|
owner @{PROC}/@{pid}/exe r,
|
||||||
|
owner @{PROC}/@{pid}/status r,
|
||||||
|
owner @{run}/user/@{uid}/ r,
|
||||||
|
|
||||||
|
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
|
||||||
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
|
@{PROC}/sys/kernel/random/boot_id r,
|
||||||
|
|
||||||
|
include if exists <local/ksmserver-logout-greeter>
|
||||||
|
}
|
||||||
@ -53,7 +53,7 @@ profile kwin_x11 @{exec_path} {
|
|||||||
owner @{user_config_dirs}/kxkbrc r,
|
owner @{user_config_dirs}/kxkbrc r,
|
||||||
owner @{user_config_dirs}/session/kwin_* rwk,
|
owner @{user_config_dirs}/session/kwin_* rwk,
|
||||||
owner @{user_config_dirs}/plasmarc r,
|
owner @{user_config_dirs}/plasmarc r,
|
||||||
|
owner @{user_config_dirs}/session/#@{int} rw,
|
||||||
owner /tmp/#@{int} rw,
|
owner /tmp/#@{int} rw,
|
||||||
owner /tmp/kwin.@{rand6} rwl,
|
owner /tmp/kwin.@{rand6} rwl,
|
||||||
|
|
||||||
|
|||||||
@ -9,6 +9,8 @@ include <tunables/global>
|
|||||||
@{exec_path} = @{bin}/plasma-browser-integration-host
|
@{exec_path} = @{bin}/plasma-browser-integration-host
|
||||||
profile plasma-browser-integration-host @{exec_path} {
|
profile plasma-browser-integration-host @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/bus-session>
|
||||||
|
include <abstractions/bus-system>
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
include <abstractions/kde-strict>
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
@ -19,13 +21,22 @@ profile plasma-browser-integration-host @{exec_path} {
|
|||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
/etc/xdg/menus/applications-merged/ r,
|
||||||
|
|
||||||
/usr/share/kservices5/{,**} r,
|
/usr/share/kservices5/{,**} r,
|
||||||
|
|
||||||
/etc/xdg/menus/ r,
|
/etc/xdg/menus/ r,
|
||||||
/etc/xdg/taskmanagerrulesrc r,
|
/etc/xdg/taskmanagerrulesrc r,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/ksycoca5_* r,
|
/var/lib/flatpak/exports/share/mime/ r,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
|
owner @{user_cache_dirs}/ksycoca5_* r,
|
||||||
|
|
||||||
|
owner @{user_config_dirs}/menus/ r,
|
||||||
|
|
||||||
|
owner @{user_share_dirs}/kservices5/ r,
|
||||||
|
owner @{user_share_dirs}/kservices5/ServiceMenus/ r,
|
||||||
|
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
owner @{PROC}/@{pid}/cmdline r,
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
|
|||||||
@ -13,6 +13,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||||||
include <abstractions/audio>
|
include <abstractions/audio>
|
||||||
include <abstractions/bus-session>
|
include <abstractions/bus-session>
|
||||||
include <abstractions/bus-system>
|
include <abstractions/bus-system>
|
||||||
|
include <abstractions/bus/org.freedesktop.NetworkManager>
|
||||||
include <abstractions/bus/org.freedesktop.UPower>
|
include <abstractions/bus/org.freedesktop.UPower>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/devices-usb>
|
include <abstractions/devices-usb>
|
||||||
@ -36,6 +37,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||||||
ptrace (read) peer=akonadi*,
|
ptrace (read) peer=akonadi*,
|
||||||
ptrace (read) peer=kalendarac,
|
ptrace (read) peer=kalendarac,
|
||||||
ptrace (read) peer=kded5,
|
ptrace (read) peer=kded5,
|
||||||
|
ptrace (read) peer=ksmserver-logout-greeter,
|
||||||
ptrace (read) peer=kwin_x11,
|
ptrace (read) peer=kwin_x11,
|
||||||
ptrace (read) peer=libreoffice*,
|
ptrace (read) peer=libreoffice*,
|
||||||
ptrace (read) peer=pinentry-qt,
|
ptrace (read) peer=pinentry-qt,
|
||||||
@ -85,6 +87,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||||||
|
|
||||||
@{HOME}/ r,
|
@{HOME}/ r,
|
||||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
|
owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
|
||||||
|
owner @{user_pictures_dirs}/{,**} r,
|
||||||
|
|
||||||
owner @{user_templates_dirs}/ r,
|
owner @{user_templates_dirs}/ r,
|
||||||
|
|
||||||
@ -127,6 +130,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||||||
owner @{user_config_dirs}/ksmserverrc r,
|
owner @{user_config_dirs}/ksmserverrc r,
|
||||||
owner @{user_config_dirs}/kwalletrc r,
|
owner @{user_config_dirs}/kwalletrc r,
|
||||||
owner @{user_config_dirs}/menus/{,**} r,
|
owner @{user_config_dirs}/menus/{,**} r,
|
||||||
|
owner @{user_config_dirs}/networkmanagement.notifyrc r,
|
||||||
owner @{user_config_dirs}/plasma* rwlk,
|
owner @{user_config_dirs}/plasma* rwlk,
|
||||||
owner @{user_config_dirs}/pulse/ rw,
|
owner @{user_config_dirs}/pulse/ rw,
|
||||||
owner @{user_config_dirs}/pulse/cookie rwk,
|
owner @{user_config_dirs}/pulse/cookie rwk,
|
||||||
@ -152,6 +156,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||||||
owner @{user_share_dirs}/user-places.xbel{,*} rwl -> @{user_share_dirs}/#@{int},
|
owner @{user_share_dirs}/user-places.xbel{,*} rwl -> @{user_share_dirs}/#@{int},
|
||||||
|
|
||||||
owner /tmp/#@{int} rw,
|
owner /tmp/#@{int} rw,
|
||||||
|
/tmp/.mount_nextcl@{rand6}/{,*} r,
|
||||||
|
|
||||||
@{run}/mount/utab r,
|
@{run}/mount/utab r,
|
||||||
@{run}/user/@{uid}/gvfs/ r,
|
@{run}/user/@{uid}/gvfs/ r,
|
||||||
|
|||||||
@ -12,6 +12,10 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/authentication>
|
include <abstractions/authentication>
|
||||||
include <abstractions/bash>
|
include <abstractions/bash>
|
||||||
|
include <abstractions/bus-session>
|
||||||
|
include <abstractions/bus-system>
|
||||||
|
include <abstractions/bus/org.freedesktop.login1>
|
||||||
|
include <abstractions/bus/org.freedesktop.UPower>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
include <abstractions/kde-strict>
|
include <abstractions/kde-strict>
|
||||||
@ -42,6 +46,21 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||||||
signal (send) set=(term) peer=sddm-greeter,
|
signal (send) set=(term) peer=sddm-greeter,
|
||||||
signal (send) set=(kill, term) peer=xorg,
|
signal (send) set=(kill, term) peer=xorg,
|
||||||
|
|
||||||
|
dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int}
|
||||||
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
|
member=Introspect
|
||||||
|
peer=(name=:*, label=kscreenlocker-greet),
|
||||||
|
|
||||||
|
dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int}
|
||||||
|
interface=org.freedesktop.DBus.Properties
|
||||||
|
member=PropertiesChanged
|
||||||
|
peer=(name=:*, label=systemd-logind),
|
||||||
|
|
||||||
|
dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int}
|
||||||
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
|
member=Introspect
|
||||||
|
peer=(name=org.freedesktop.DBus, label=kscreenlocker-greet),
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{lib}/@{multiarch}/sddm/sddm-helper rix,
|
@{lib}/@{multiarch}/sddm/sddm-helper rix,
|
||||||
|
|||||||
@ -10,6 +10,10 @@ include <tunables/global>
|
|||||||
@{exec_path} = @{bin}/sddm-greeter
|
@{exec_path} = @{bin}/sddm-greeter
|
||||||
profile sddm-greeter @{exec_path} {
|
profile sddm-greeter @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/bus-session>
|
||||||
|
include <abstractions/bus-system>
|
||||||
|
include <abstractions/bus/org.freedesktop.login1>
|
||||||
|
include <abstractions/bus/org.freedesktop.UPower>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
include <abstractions/kde-strict>
|
include <abstractions/kde-strict>
|
||||||
@ -60,6 +64,7 @@ profile sddm-greeter @{exec_path} {
|
|||||||
owner @{HOME}/.glvnd* mrw,
|
owner @{HOME}/.glvnd* mrw,
|
||||||
|
|
||||||
owner /tmp/runtime-sddm/ rw,
|
owner /tmp/runtime-sddm/ rw,
|
||||||
|
owner /tmp/sddm-:@{int}-@{rand6} rw,
|
||||||
|
|
||||||
owner @{run}/sddm/{,*} rw,
|
owner @{run}/sddm/{,*} rw,
|
||||||
|
|
||||||
|
|||||||
@ -50,6 +50,26 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
|
|||||||
member=GetManagedObjects
|
member=GetManagedObjects
|
||||||
peer=(name=:*),
|
peer=(name=:*),
|
||||||
|
|
||||||
|
dbus receive bus=system path=/
|
||||||
|
interface=org.freedesktop.DBus.ObjectManager
|
||||||
|
member=InterfacesRemoved
|
||||||
|
peer=(name=:*, label=bluetoothd),
|
||||||
|
|
||||||
|
dbus send bus=system path=/
|
||||||
|
interface=org.freedesktop.DBus.ObjectManager
|
||||||
|
member=GetManagedObjects
|
||||||
|
peer=(name=:*, label=bluetoothd),
|
||||||
|
|
||||||
|
dbus send bus=system path=/org/fedoraproject/FirewallD1
|
||||||
|
interface=org.fedoraproject.FirewallD1.zone
|
||||||
|
member={changeZoneOfInterface,removeInterface}
|
||||||
|
peer=(name=org.freedesktop.DBus, label=firewalld),
|
||||||
|
|
||||||
|
dbus send bus=system path=/org/freedesktop
|
||||||
|
interface=org.freedesktop.DBus.ObjectManager
|
||||||
|
member=InterfacesAdded
|
||||||
|
peer=(name=org.freedesktop.DBus, label=nm-online),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/nm_dispatcher
|
dbus send bus=system path=/org/freedesktop/nm_dispatcher
|
||||||
interface=org.freedesktop.nm_dispatcher
|
interface=org.freedesktop.nm_dispatcher
|
||||||
member=Action
|
member=Action
|
||||||
|
|||||||
@ -26,11 +26,13 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
@{sh_path} rix,
|
@{sh_path} rix,
|
||||||
@{bin}/basename rix,
|
@{bin}/basename rix,
|
||||||
|
@{bin}/cat rix,
|
||||||
@{bin}/chronyc rPUx,
|
@{bin}/chronyc rPUx,
|
||||||
@{bin}/date rix,
|
@{bin}/date rix,
|
||||||
@{bin}/gawk rix,
|
@{bin}/gawk rix,
|
||||||
@{bin}/grep rix,
|
@{bin}/grep rix,
|
||||||
@{bin}/id rix,
|
@{bin}/id rix,
|
||||||
|
@{bin}/invoke-rc.d rCx -> invoke-rc,
|
||||||
@{bin}/mkdir rix,
|
@{bin}/mkdir rix,
|
||||||
@{bin}/mktemp rix,
|
@{bin}/mktemp rix,
|
||||||
@{bin}/netconfig rPUx,
|
@{bin}/netconfig rPUx,
|
||||||
@ -39,7 +41,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{bin}/rm rix,
|
@{bin}/rm rix,
|
||||||
@{bin}/run-parts rCx -> run-parts,
|
@{bin}/run-parts rCx -> run-parts,
|
||||||
@{bin}/sed rix,
|
@{bin}/sed rix,
|
||||||
@{bin}/systemctl rix,
|
@{bin}/systemctl rCx -> systemctl,
|
||||||
@{bin}/systemd-cat rPx,
|
@{bin}/systemd-cat rPx,
|
||||||
@{bin}/tr rix,
|
@{bin}/tr rix,
|
||||||
/usr/share/tlp/tlp-readconfs rPUx,
|
/usr/share/tlp/tlp-readconfs rPUx,
|
||||||
@ -48,6 +50,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{lib}/NetworkManager/dispatcher.d/** rix,
|
@{lib}/NetworkManager/dispatcher.d/** rix,
|
||||||
/etc/NetworkManager/dispatcher.d/ r,
|
/etc/NetworkManager/dispatcher.d/ r,
|
||||||
/etc/NetworkManager/dispatcher.d/** rix,
|
/etc/NetworkManager/dispatcher.d/** rix,
|
||||||
|
/etc/dhcp/dhclient-exit-hooks.d/ntp r,
|
||||||
|
|
||||||
/usr/share/tlp/{,**} rw,
|
/usr/share/tlp/{,**} rw,
|
||||||
|
|
||||||
@ -57,6 +60,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{run}/systemd/notify rw,
|
@{run}/systemd/notify rw,
|
||||||
@{run}/tlp/{,*} rw,
|
@{run}/tlp/{,*} rw,
|
||||||
@{run}/chrony-dhcp/ rw,
|
@{run}/chrony-dhcp/ rw,
|
||||||
|
@{run}/ntp.conf.dhcp rw,
|
||||||
|
|
||||||
@{sys}/class/net/ r,
|
@{sys}/class/net/ r,
|
||||||
|
|
||||||
@ -64,6 +68,45 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
|
|
||||||
|
profile systemctl {
|
||||||
|
include <abstractions/base>
|
||||||
|
include <abstractions/systemd-common>
|
||||||
|
|
||||||
|
@{bin}/systemctl mr,
|
||||||
|
|
||||||
|
/ r,
|
||||||
|
|
||||||
|
@{etc_ro}/ r,
|
||||||
|
@{etc_ro}/systemd/ r,
|
||||||
|
@{etc_ro}/systemd/system/ r,
|
||||||
|
@{etc_ro}/systemd/system/ntp.service r,
|
||||||
|
|
||||||
|
owner @{run}/systemd/private rw,
|
||||||
|
@{run}/utmp k,
|
||||||
|
|
||||||
|
/dev r,
|
||||||
|
|
||||||
|
include if exists <local/nm-dispatcher_systemctl>
|
||||||
|
}
|
||||||
|
|
||||||
|
profile invoke-rc {
|
||||||
|
include <abstractions/base>
|
||||||
|
|
||||||
|
@{sh_path} rix,
|
||||||
|
@{bin}/ls rix,
|
||||||
|
@{bin}/systemctl rCx -> systemctl,
|
||||||
|
|
||||||
|
/ r,
|
||||||
|
|
||||||
|
/etc/ r,
|
||||||
|
@{etc_ro}/rc{[0-9],S}.d/{,*} r,
|
||||||
|
@{etc_ro}/init.d/ntp r,
|
||||||
|
|
||||||
|
owner @{PROC}/filesystems r,
|
||||||
|
|
||||||
|
include if exists <local/nm-dispatcher_invoke-rc>
|
||||||
|
}
|
||||||
|
|
||||||
profile run-parts {
|
profile run-parts {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
|
||||||
|
|||||||
@ -178,6 +178,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{run}/udev/data/c21:@{int} r, # Generic SCSI access
|
@{run}/udev/data/c21:@{int} r, # Generic SCSI access
|
||||||
@{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*
|
@{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*
|
||||||
@{run}/udev/data/c81:@{int} r, # For video4linux
|
@{run}/udev/data/c81:@{int} r, # For video4linux
|
||||||
|
@{run}/udev/data/c89:@{int} r, # ?
|
||||||
@{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash
|
@{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash
|
||||||
@{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport*
|
@{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport*
|
||||||
@{run}/udev/data/c108:@{int} r, # For /dev/ppp
|
@{run}/udev/data/c108:@{int} r, # For /dev/ppp
|
||||||
|
|||||||
@ -11,6 +11,7 @@ include <tunables/global>
|
|||||||
profile bluetoothd @{exec_path} flags=(attach_disconnected) {
|
profile bluetoothd @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/bus-system>
|
include <abstractions/bus-system>
|
||||||
|
include <abstractions/bus/org.freedesktop.hostname1>
|
||||||
|
|
||||||
# Needed for configuring HCI interfaces
|
# Needed for configuring HCI interfaces
|
||||||
capability net_admin,
|
capability net_admin,
|
||||||
@ -24,6 +25,31 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
# dbus: own bus=system name=org.bluez
|
# dbus: own bus=system name=org.bluez
|
||||||
|
|
||||||
|
dbus receive bus=system path=/
|
||||||
|
interface=org.freedesktop.DBus.ObjectManager
|
||||||
|
member=GetManagedObjects
|
||||||
|
peer=(name=:*, label={brave,NetworkManager,pulseaudio,upowerd}),
|
||||||
|
|
||||||
|
dbus send bus=system path=/MediaEndpoint
|
||||||
|
interface=org.freedesktop.DBus.ObjectManager
|
||||||
|
member=GetManagedObjects
|
||||||
|
peer=(name=:*, label=pulseaudio),
|
||||||
|
|
||||||
|
dbus send bus=system path=/MediaEndpoint/{A2DPSink,A2DPSource}/*
|
||||||
|
interface=org.bluez.MediaEndpoint1
|
||||||
|
member=Release
|
||||||
|
peer=(name=:*, label=pulseaudio),
|
||||||
|
|
||||||
|
dbus send bus=system path=/Profile/{HFPAGProfile,HSPHSProfile}
|
||||||
|
interface=org.bluez.MediaEndpoint1
|
||||||
|
member=Release
|
||||||
|
peer=(name=:*, label=pulseaudio),
|
||||||
|
|
||||||
|
dbus send bus=system path=/
|
||||||
|
interface=org.freedesktop.DBus.ObjectManager
|
||||||
|
member=InterfacesRemoved
|
||||||
|
peer=(name=org.freedesktop.DBus, label={fwupd,NetworkManager,pulseaudio,upowerd),
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{lib}/@{multiarch}/bluetooth/plugins/*.so mr,
|
@{lib}/@{multiarch}/bluetooth/plugins/*.so mr,
|
||||||
@ -33,10 +59,11 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
|
|||||||
/var/lib/bluetooth/{,**} rw,
|
/var/lib/bluetooth/{,**} rw,
|
||||||
|
|
||||||
@{run}/sdp rw,
|
@{run}/sdp rw,
|
||||||
|
owner @{run}/systemd/notify w,
|
||||||
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
|
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
|
||||||
|
|
||||||
@{sys}/devices/@{pci}/rfkill@{int}/name r,
|
@{sys}/devices/@{pci}/rfkill@{int}/name r,
|
||||||
@{sys}/devices/@{pci}/bluetooth/**/{uevent,name} r,
|
@{sys}/devices/@{pci}/**/{uevent,name} r,
|
||||||
@{sys}/devices/platform/**/rfkill/**/name r,
|
@{sys}/devices/platform/**/rfkill/**/name r,
|
||||||
@{sys}/devices/virtual/dmi/id/chassis_type r,
|
@{sys}/devices/virtual/dmi/id/chassis_type r,
|
||||||
|
|
||||||
|
|||||||
@ -19,6 +19,15 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
# dbus: own bus=system name=org.freedesktop.bolt
|
# dbus: own bus=system name=org.freedesktop.bolt
|
||||||
|
|
||||||
|
dbus receive bus=system path=/org/freedesktop/bolt
|
||||||
|
interface=org.freedesktop.bolt1.Manager
|
||||||
|
member=ListDevices
|
||||||
|
peer(name=:*, label=kded5),
|
||||||
|
|
||||||
|
dbus (send,receive) bus=system path=/org/freedesktop/bolt{,/**}
|
||||||
|
interface=org.freedesktop.DBus.Properties
|
||||||
|
member=Get,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/var/lib/boltd/{,**} rw,
|
/var/lib/boltd/{,**} rw,
|
||||||
@ -34,10 +43,12 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{sys}/bus/wmi/devices/ r,
|
@{sys}/bus/wmi/devices/ r,
|
||||||
@{sys}/class/ r,
|
@{sys}/class/ r,
|
||||||
@{sys}/devices/@{pci}/device r,
|
@{sys}/devices/@{pci}/device r,
|
||||||
|
@{sys}/devices/@{pci}/domain[0-9]*/boot_acl rw,
|
||||||
@{sys}/devices/@{pci}/domain@{int}/{security,uevent} r,
|
@{sys}/devices/@{pci}/domain@{int}/{security,uevent} r,
|
||||||
@{sys}/devices/@{pci}/domain@{int}/**/ r,
|
@{sys}/devices/@{pci}/domain@{int}/**/ r,
|
||||||
@{sys}/devices/@{pci}/domain@{int}/**/{authorized,generation} r,
|
@{sys}/devices/@{pci}/domain@{int}/**/{authorized,generation} r,
|
||||||
@{sys}/devices/@{pci}/domain@{int}/**/{uevent,unique_id} r,
|
@{sys}/devices/@{pci}/domain@{int}/**/{uevent,unique_id} r,
|
||||||
|
@{sys}/devices/@{pci}/domain@{int}/**/{boot,rx_lanes,rx_speed,tx_lanes,tx_speed} r,
|
||||||
@{sys}/devices/@{pci}/domain@{int}/**/{vendor,device}_name r,
|
@{sys}/devices/@{pci}/domain@{int}/**/{vendor,device}_name r,
|
||||||
@{sys}/devices/@{pci}/domain@{int}/iommu_dma_protection r,
|
@{sys}/devices/@{pci}/domain@{int}/iommu_dma_protection r,
|
||||||
@{sys}/devices/platform/**/uevent r,
|
@{sys}/devices/platform/**/uevent r,
|
||||||
|
|||||||
@ -9,6 +9,10 @@ include <tunables/global>
|
|||||||
@{exec_path} = @{bin}/firewalld
|
@{exec_path} = @{bin}/firewalld
|
||||||
profile firewalld @{exec_path} {
|
profile firewalld @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/bus-session>
|
||||||
|
include <abstractions/bus-system>
|
||||||
|
include <abstractions/bus/org.freedesktop.PolicyKit1>
|
||||||
|
include <abstractions/bus/org.freedesktop.NetworkManager>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
|
|
||||||
@ -21,6 +25,21 @@ profile firewalld @{exec_path} {
|
|||||||
network inet6 raw,
|
network inet6 raw,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
dbus receive bus=system path=/org/fedoraproject/FirewallD1
|
||||||
|
interface=org.fedoraproject.FirewallD1.direct
|
||||||
|
member=passthrough
|
||||||
|
peer=(name=:*, label=libvirtd),
|
||||||
|
|
||||||
|
dbus receive bus=system path=/org/fedoraproject/FirewallD1
|
||||||
|
interface=org.fedoraproject.FirewallD1.zone
|
||||||
|
member={changeZoneOfInterface,getZones}
|
||||||
|
peer=(name=:*, label=libvirtd),
|
||||||
|
|
||||||
|
dbus receive bus=system path=/org/fedoraproject/FirewallD1
|
||||||
|
interface=org.fedoraproject.FirewallD1.zone
|
||||||
|
member={changeZoneOfInterface,removeInterface}
|
||||||
|
peer=(name=:*, label=libvirtd),
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{bin}/ r,
|
@{bin}/ r,
|
||||||
@ -33,6 +52,8 @@ profile firewalld @{exec_path} {
|
|||||||
@{bin}/xtables-legacy-multi rix,
|
@{bin}/xtables-legacy-multi rix,
|
||||||
@{bin}/xtables-nft-multi rix,
|
@{bin}/xtables-nft-multi rix,
|
||||||
|
|
||||||
|
/usr/local/lib/python3.10/dist-packages/ r,
|
||||||
|
|
||||||
/usr/share/libalternatives/ r,
|
/usr/share/libalternatives/ r,
|
||||||
/usr/share/libalternatives/ebtables*/{,*} r,
|
/usr/share/libalternatives/ebtables*/{,*} r,
|
||||||
/usr/share/libalternatives/ip{,4,6}tables*/{,*} r,
|
/usr/share/libalternatives/ip{,4,6}tables*/{,*} r,
|
||||||
|
|||||||
@ -10,6 +10,7 @@ include <tunables/global>
|
|||||||
profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) {
|
profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/bus-session>
|
include <abstractions/bus-session>
|
||||||
|
include <abstractions/bus-system>
|
||||||
include <abstractions/bus/org.freedesktop.Accounts>
|
include <abstractions/bus/org.freedesktop.Accounts>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
|
|||||||
@ -28,6 +28,7 @@ profile frontend @{exec_path} flags=(complain) {
|
|||||||
@{bin}/locale rix,
|
@{bin}/locale rix,
|
||||||
@{bin}/lsb_release rPx -> lsb_release,
|
@{bin}/lsb_release rPx -> lsb_release,
|
||||||
@{bin}/stty rix,
|
@{bin}/stty rix,
|
||||||
|
@{bin}/update-secureboot-policy rPx,
|
||||||
|
|
||||||
# debconf apps
|
# debconf apps
|
||||||
@{bin}/adequate rPx,
|
@{bin}/adequate rPx,
|
||||||
|
|||||||
@ -23,6 +23,7 @@ profile fusermount @{exec_path} {
|
|||||||
mount fstype={fuse,fuse.*} -> @{MOUNTS}/*/*/,
|
mount fstype={fuse,fuse.*} -> @{MOUNTS}/*/*/,
|
||||||
mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/*/,
|
mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/*/,
|
||||||
mount fstype={fuse,fuse.*} -> /var/tmp/flatpak-cache-*/*/,
|
mount fstype={fuse,fuse.*} -> /var/tmp/flatpak-cache-*/*/,
|
||||||
|
mount fstype={fuse,fuse.*} -> /tmp/.mount_nextcl@{rand6}/,
|
||||||
|
|
||||||
umount @{HOME}/*/,
|
umount @{HOME}/*/,
|
||||||
umount @{HOME}/*/*/,
|
umount @{HOME}/*/*/,
|
||||||
|
|||||||
@ -60,6 +60,7 @@ profile keepassxc @{exec_path} {
|
|||||||
owner @{user_config_dirs}/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
|
owner @{user_config_dirs}/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
|
||||||
owner @{user_config_dirs}/google-chrome{,-beta,-unstable}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
|
owner @{user_config_dirs}/google-chrome{,-beta,-unstable}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
|
||||||
owner @{user_config_dirs}/qt5ct/{,**} r,
|
owner @{user_config_dirs}/qt5ct/{,**} r,
|
||||||
|
owner @{user_config_dirs}/{,kdedefaults/}kdeglobals r,
|
||||||
|
|
||||||
# Database locations
|
# Database locations
|
||||||
owner @{user_cache_dirs}/keepassxc/ rw,
|
owner @{user_cache_dirs}/keepassxc/ rw,
|
||||||
|
|||||||
@ -25,12 +25,12 @@ profile sensors @{exec_path} {
|
|||||||
@{sys}/devices/**/hwmon*/{name,temp*,*_input} r,
|
@{sys}/devices/**/hwmon*/{name,temp*,*_input} r,
|
||||||
@{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r,
|
@{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r,
|
||||||
@{sys}/devices/**/hwmon/hwmon@{int}/power@{int}_crit r,
|
@{sys}/devices/**/hwmon/hwmon@{int}/power@{int}_crit r,
|
||||||
|
@{sys}/devices/**/hwmon/hwmon@{int}/fan@{int}_{label,max,min} r,
|
||||||
@{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-@{int}/name r,
|
@{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-@{int}/name r,
|
||||||
@{sys}/devices/@{pci}/name r,
|
@{sys}/devices/@{pci}/name r,
|
||||||
@{sys}/devices/platform/**/power_supply/**/hwmon@{int}/curr1_max r,
|
@{sys}/devices/platform/**/power_supply/**/hwmon@{int}/curr1_max r,
|
||||||
@{sys}/devices/virtual/hwmon/hwmon@{int}/ r,
|
@{sys}/devices/virtual/hwmon/hwmon@{int}/ r,
|
||||||
@{sys}/devices/virtual/hwmon/hwmon@{int}/{name,temp*} r,
|
@{sys}/devices/virtual/hwmon/hwmon@{int}/{name,temp*} r,
|
||||||
@{sys}/devices/virtual/hwmon/hwmon@{int}/fan[0-9]_label r,
|
|
||||||
|
|
||||||
# file_inherit
|
# file_inherit
|
||||||
deny @{PROC}/@{pid}/net/dev r,
|
deny @{PROC}/@{pid}/net/dev r,
|
||||||
|
|||||||
@ -49,6 +49,8 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{sys}/devices/**/hwmon@{int}/temp@{int}_{max,crit} r,
|
@{sys}/devices/**/hwmon@{int}/temp@{int}_{max,crit} r,
|
||||||
@{sys}/devices/**/path r,
|
@{sys}/devices/**/path r,
|
||||||
|
|
||||||
|
@{sys}/devices/platform/*/uuids/current_uuid rw,
|
||||||
|
|
||||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||||
@{sys}/devices/virtual/dmi/id/product_uuid r,
|
@{sys}/devices/virtual/dmi/id/product_uuid r,
|
||||||
|
|
||||||
|
|||||||
@ -96,6 +96,7 @@ profile thunderbird @{exec_path} {
|
|||||||
/usr/share/qt5ct/** r,
|
/usr/share/qt5ct/** r,
|
||||||
/usr/share/sounds/freedesktop/stereo/*.oga r,
|
/usr/share/sounds/freedesktop/stereo/*.oga r,
|
||||||
/usr/share/xul-ext/kwallet5/* r,
|
/usr/share/xul-ext/kwallet5/* r,
|
||||||
|
/usr/share/uim/* r,
|
||||||
|
|
||||||
/etc/@{name}/{,**} r,
|
/etc/@{name}/{,**} r,
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
@ -104,9 +105,12 @@ profile thunderbird @{exec_path} {
|
|||||||
/etc/timezone r,
|
/etc/timezone r,
|
||||||
/etc/xul-ext/kwallet5.js r,
|
/etc/xul-ext/kwallet5.js r,
|
||||||
|
|
||||||
|
/var/lib/uim/* r,
|
||||||
owner /var/mail/* rwk,
|
owner /var/mail/* rwk,
|
||||||
|
|
||||||
owner @{HOME}/ r,
|
owner @{HOME}/ r,
|
||||||
|
owner @{HOME}/.uim.d/customs/* r,
|
||||||
|
owner @{HOME}/.XCompose r,
|
||||||
|
|
||||||
owner @{user_config_dirs}/kwalletrc r,
|
owner @{user_config_dirs}/kwalletrc r,
|
||||||
owner @{user_config_dirs}/mimeapps.list.* rw,
|
owner @{user_config_dirs}/mimeapps.list.* rw,
|
||||||
@ -116,11 +120,14 @@ profile thunderbird @{exec_path} {
|
|||||||
owner @{user_mail_dirs}/** rwl -> @{user_mail_dirs}/**,
|
owner @{user_mail_dirs}/** rwl -> @{user_mail_dirs}/**,
|
||||||
|
|
||||||
owner @{config_dirs}/ rw,
|
owner @{config_dirs}/ rw,
|
||||||
|
owner @{user_config_dirs}/gtk-3.0/assets/* r,
|
||||||
owner @{config_dirs}/*/ rw,
|
owner @{config_dirs}/*/ rw,
|
||||||
owner @{config_dirs}/*/** rwk,
|
owner @{config_dirs}/*/** rwk,
|
||||||
owner @{config_dirs}/installs.ini rw,
|
owner @{config_dirs}/installs.ini rw,
|
||||||
owner @{config_dirs}/profiles.ini rw,
|
owner @{config_dirs}/profiles.ini rw,
|
||||||
|
|
||||||
|
owner @{user_cache_dirs}/gtk-3.0/**/*.cache r,
|
||||||
|
|
||||||
owner @{cache_dirs}/{,**} rw,
|
owner @{cache_dirs}/{,**} rw,
|
||||||
|
|
||||||
/tmp/ r,
|
/tmp/ r,
|
||||||
@ -135,6 +142,7 @@ profile thunderbird @{exec_path} {
|
|||||||
owner /tmp/Temp-@{uuid}/ rw,
|
owner /tmp/Temp-@{uuid}/ rw,
|
||||||
|
|
||||||
@{run}/mount/utab r,
|
@{run}/mount/utab r,
|
||||||
|
owner @{run}/user/@{uid}/uim/socket/uim-helper rw,
|
||||||
|
|
||||||
@{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
|
@{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
|
||||||
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
|
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
|
||||||
|
|||||||
@ -20,7 +20,7 @@ profile thunderbird-vaapitest @{exec_path} {
|
|||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/etc/igfx_user_feature{,_next}.txt w,
|
/etc/igfx_user_feature{,_next}.txt rw,
|
||||||
|
|
||||||
owner /tmp/thunderbird/.parentlock rw,
|
owner /tmp/thunderbird/.parentlock rw,
|
||||||
|
|
||||||
|
|||||||
@ -25,10 +25,12 @@ profile update-secureboot-policy @{exec_path} {
|
|||||||
@{bin}/wc rix,
|
@{bin}/wc rix,
|
||||||
/usr/share/debconf/frontend rPx,
|
/usr/share/debconf/frontend rPx,
|
||||||
|
|
||||||
|
/ r,
|
||||||
|
|
||||||
/usr/share/debconf/confmodule r,
|
/usr/share/debconf/confmodule r,
|
||||||
|
|
||||||
/var/lib/dkms/ r,
|
/var/lib/dkms/ r,
|
||||||
/var/lib/shim-signed/dkms-list r,
|
/var/lib/shim-signed/dkms-list rw,
|
||||||
|
|
||||||
include if exists <local/update-secureboot-policy>
|
include if exists <local/update-secureboot-policy>
|
||||||
}
|
}
|
||||||
@ -19,6 +19,9 @@ profile usbguard-daemon @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
network netlink dgram,
|
network netlink dgram,
|
||||||
|
|
||||||
|
unix (bind, listen) type=stream,
|
||||||
|
unix (bind, connect, listen) type=stream peer=(name=usbguard-dbus, addr=none),
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/etc/usbguard/*.conf rw,
|
/etc/usbguard/*.conf rw,
|
||||||
|
|||||||
@ -10,10 +10,13 @@ include <tunables/global>
|
|||||||
@{exec_path} = @{bin}/usbguard-dbus
|
@{exec_path} = @{bin}/usbguard-dbus
|
||||||
profile usbguard-dbus @{exec_path} {
|
profile usbguard-dbus @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/dbus-system>
|
||||||
|
|
||||||
# Needed?
|
# Needed?
|
||||||
deny capability sys_nice,
|
deny capability sys_nice,
|
||||||
|
|
||||||
|
unix (send, receive, connect) type=stream peer=(name=usbguard-daemon, addr=@@{int}),
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
/dev/shm/qb-usbguard-{request,response,event}-@{int}-@{int}-@{int}-{header,data} rw,
|
/dev/shm/qb-usbguard-{request,response,event}-@{int}-@{int}-@{int}-{header,data} rw,
|
||||||
/dev/shm/qb-@{int}-@{int}-@{int}-*/qb-{request,response,event}-usbguard-{header,data} rw,
|
/dev/shm/qb-@{int}-@{int}-@{int}-*/qb-{request,response,event}-usbguard-{header,data} rw,
|
||||||
|
|||||||
@ -10,6 +10,7 @@ include <tunables/global>
|
|||||||
@{exec_path} = @{bin}/xinput
|
@{exec_path} = @{bin}/xinput
|
||||||
profile xinput @{exec_path} {
|
profile xinput @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/X-strict>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user