mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-18 00:48:10 +01:00
feat(profile): start using new abstraction.
This commit is contained in:
Alexandre Pujol
parent
9f49052529
commit
b7140c9b2b
33 changed files with 44 additions and 196 deletions
|
|
@ -8,6 +8,8 @@
|
|||
@{system_share_dirs}/xfce4/applications/{,**} r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
/usr/share/mime/ r,
|
||||
|
||||
/etc/gnome/defaults.list r,
|
||||
/etc/xfce4/defaults.list r,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,13 +9,10 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/akonadi_akonotes_resource
|
||||
profile akonadi_akonotes_resource @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
|||
|
|
@ -9,21 +9,17 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/akonadi_archivemail_agent
|
||||
profile akonadi_archivemail_agent @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/akonadi/plugins/serializer/{,*.desktop} r,
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/mime/{,**} r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/xdg/kdeglobals r,
|
||||
|
|
|
|||
|
|
@ -9,13 +9,10 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/akonadi_birthdays_resource
|
||||
profile akonadi_birthdays_resource @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
|||
|
|
@ -9,14 +9,11 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/akonadi_contacts_resource
|
||||
profile akonadi_contacts_resource @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
|||
|
|
@ -9,15 +9,12 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/akonadi_control
|
||||
profile akonadi_control @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/X-strict>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,15 +9,12 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/akonadi_followupreminder_agent
|
||||
profile akonadi_followupreminder_agent @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/X-strict>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
|
|
|
|||
|
|
@ -9,11 +9,8 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/akonadi_ical_resource
|
||||
profile akonadi_ical_resource @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
|||
|
|
@ -9,14 +9,11 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/akonadi_indexing_agent
|
||||
profile akonadi_indexing_agent @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
@ -27,7 +24,6 @@ profile akonadi_indexing_agent @{exec_path} {
|
|||
/usr/share/akonadi/plugins/serializer/*.desktop r,
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/mime/{,**} r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/xdg/kdeglobals r,
|
||||
|
|
|
|||
|
|
@ -9,21 +9,17 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/akonadi_maildir_resource
|
||||
profile akonadi_maildir_resource @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/akonadi/plugins/serializer/{,*.desktop} r,
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/mime/{,**} r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
|
||||
/etc/xdg/kdeglobals r,
|
||||
|
|
|
|||
|
|
@ -9,16 +9,13 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/akonadi_maildispatcher_agent
|
||||
profile akonadi_maildispatcher_agent @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
network inet dgram,
|
||||
|
|
@ -34,7 +31,6 @@ profile akonadi_maildispatcher_agent @{exec_path} {
|
|||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/knotifications5/akonadi_maildispatcher_agent.notifyrc r,
|
||||
/usr/share/mime/{,**} r,
|
||||
|
||||
/etc/xdg/kdeglobals r,
|
||||
/etc/xdg/kwinrc r,
|
||||
|
|
|
|||
|
|
@ -9,14 +9,11 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/akonadi_mailfilter_agent
|
||||
profile akonadi_mailfilter_agent @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
ptrace (read) peer=akonadi_archivemail_agent,
|
||||
|
|
@ -28,7 +25,6 @@ profile akonadi_mailfilter_agent @{exec_path} {
|
|||
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/mime/{,**} r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/xdg/kdeglobals r,
|
||||
|
|
@ -60,9 +56,6 @@ profile akonadi_mailfilter_agent @{exec_path} {
|
|||
|
||||
owner @{user_share_dirs}/akonadi/file_db_data/{,**} rw,
|
||||
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,13 +9,10 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/akonadi_mailmerge_agent
|
||||
profile akonadi_mailmerge_agent @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
network inet dgram,
|
||||
|
|
|
|||
|
|
@ -9,14 +9,11 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/akonadi_migration_agent
|
||||
profile akonadi_migration_agent @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
|||
|
|
@ -9,21 +9,17 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/akonadi_newmailnotifier_agent
|
||||
profile akonadi_newmailnotifier_agent @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/akonadi/plugins/serializer/{,*.desktop} r,
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/mime/{,**} r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/knotifications5/akonadi_newmailnotifier_agent.notifyrc r,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,14 +9,11 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/akonadi_notes_agent
|
||||
profile akonadi_notes_agent @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
network inet dgram,
|
||||
|
|
@ -28,7 +25,6 @@ profile akonadi_notes_agent @{exec_path} {
|
|||
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/mime/{,**} r,
|
||||
|
||||
/etc/xdg/kdeglobals r,
|
||||
/etc/xdg/kwinrc r,
|
||||
|
|
|
|||
|
|
@ -9,14 +9,11 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/akonadi_sendlater_agent
|
||||
profile akonadi_sendlater_agent @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
network inet dgram,
|
||||
|
|
@ -28,7 +25,6 @@ profile akonadi_sendlater_agent @{exec_path} {
|
|||
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/mime/{,**} r,
|
||||
|
||||
/etc/xdg/kdeglobals r,
|
||||
/etc/xdg/kwinrc r,
|
||||
|
|
@ -44,9 +40,6 @@ profile akonadi_sendlater_agent @{exec_path} {
|
|||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/kwinrc r,
|
||||
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
||||
/dev/tty r,
|
||||
|
|
|
|||
|
|
@ -9,20 +9,16 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/akonadi_unifiedmailbox_agent
|
||||
profile akonadi_unifiedmailbox_agent @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/mime/{,**} r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
|
||||
/etc/xdg/kdeglobals r,
|
||||
|
|
@ -38,9 +34,6 @@ profile akonadi_unifiedmailbox_agent @{exec_path} {
|
|||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/kwinrc r,
|
||||
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
||||
/dev/tty r,
|
||||
|
|
|
|||
|
|
@ -25,20 +25,16 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/bus/org.freedesktop.RealtimeKit1>
|
||||
include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/enchant>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/graphics-full>
|
||||
include <abstractions/gstreamer>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/thumbnails-cache-read>
|
||||
include <abstractions/user-download-strict>
|
||||
include <abstractions/user-read>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
# userns,
|
||||
|
||||
|
|
@ -121,9 +117,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/usr/share/@{name}/{,**} r,
|
||||
/usr/share/doc/{,**} r,
|
||||
/usr/share/egl/{,**} r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/libdrm/*.ids r,
|
||||
/usr/share/mozilla/extensions/{,**} r,
|
||||
/usr/share/webext/{,**} r,
|
||||
/usr/share/xul-ext/kwallet5/* r,
|
||||
|
|
@ -132,7 +125,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/cups/client.conf r,
|
||||
/etc/fstab r,
|
||||
/etc/igfx_user_feature{,_next}.txt w,
|
||||
/etc/libva.conf r,
|
||||
/etc/mailcap r,
|
||||
/etc/mime.types r,
|
||||
/etc/opensc.conf r,
|
||||
|
|
@ -145,9 +137,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{HOME}/ r,
|
||||
owner @{HOME}/.cups/lpoptions r,
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
|
||||
owner @{user_config_dirs}/ r,
|
||||
owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r,
|
||||
owner @{user_config_dirs}/ibus/bus/ r,
|
||||
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
|
||||
|
|
@ -156,7 +145,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_config_dirs}/kioslaverc r,
|
||||
owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
|
||||
|
||||
owner @{user_share_dirs}/ r,
|
||||
owner @{user_share_dirs}/applications/userapp-Firefox-@{rand6}.desktop{,.@{rand6}} rw,
|
||||
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
|
||||
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,
|
||||
|
|
@ -206,10 +194,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/@{pci}/ r,
|
||||
@{sys}/devices/@{pci}/drm/card@{int}/ r,
|
||||
@{sys}/devices/@{pci}/drm/renderD[0-9]*/ r,
|
||||
@{sys}/devices/@{pci}/irq r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/cache/index[0-9]/size r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
|
||||
@{sys}/devices/@{pci}/drm/renderD128/ r,
|
||||
@{sys}/devices/@{pci}/drm/renderD129/ r,
|
||||
@{sys}/devices/system/cpu/present r,
|
||||
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
|
||||
|
||||
|
|
@ -219,7 +205,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
@{PROC}/@{pid}/net/if_inet6 r,
|
||||
@{PROC}/@{pid}/net/route r,
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
owner @{PROC}/@{pid}/comm r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
|
@ -241,15 +226,11 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
/dev/shm/ r,
|
||||
/dev/tty rw,
|
||||
/dev/video@{int} rw,
|
||||
owner /dev/dri/card@{int} rw, # File Inherit
|
||||
owner /dev/shm/org.chromium.* rw,
|
||||
owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
|
||||
owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
|
||||
owner /dev/tty@{int} rw, # File Inherit
|
||||
|
||||
# X-tiny
|
||||
/tmp/.X0-lock r,
|
||||
|
||||
# Silencer
|
||||
deny @{lib_dirs}/** w,
|
||||
deny @{run}/user/@{uid}/gnome-shell-disable-extensions w,
|
||||
|
|
|
|||
|
|
@ -16,13 +16,10 @@ include <tunables/global>
|
|||
profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/wayland>
|
||||
|
||||
signal (receive) set=(term, kill) peer=firefox,
|
||||
|
||||
|
|
@ -37,8 +34,6 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{bin}/mv rix,
|
||||
|
||||
/usr/share/X11/xkb/** r,
|
||||
|
||||
owner "@{config_dirs}/firefox/Crash Reports/{,**}" rw,
|
||||
owner @{config_dirs}/*.*/crashes/{,**} rw,
|
||||
owner @{config_dirs}/*.*/crashes/events/@{uuid} rw,
|
||||
|
|
|
|||
|
|
@ -13,12 +13,8 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib_dirs}/glxtest
|
||||
profile firefox-glxtest @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl-nvidia>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
@ -27,9 +23,6 @@ profile firefox-glxtest @{exec_path} {
|
|||
|
||||
owner /tmp/@{name}/.parentlock rw,
|
||||
|
||||
@{sys}/bus/pci/devices/ r,
|
||||
@{sys}/devices/@{pci}/class r,
|
||||
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
|
||||
include if exists <local/firefox-glxtest>
|
||||
|
|
|
|||
|
|
@ -9,11 +9,9 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/mozilla/kmozillahelper
|
||||
profile firefox-kmozillahelper @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/qt5-settings-write>
|
||||
include <abstractions/qt5>
|
||||
|
|
@ -31,7 +29,6 @@ profile firefox-kmozillahelper @{exec_path} {
|
|||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/knotifications5/*.notifyrc r,
|
||||
/usr/share/kservices5/{,**} r,
|
||||
/usr/share/mime/ r,
|
||||
/usr/share/sounds/{,**} r,
|
||||
|
||||
/etc/pulse/client.conf r,
|
||||
|
|
|
|||
|
|
@ -13,23 +13,16 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib_dirs}/vaapitest
|
||||
profile firefox-vaapitest @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/nvidia>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/graphics>
|
||||
|
||||
network netlink raw,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/igfx_user_feature{,_next}.txt w,
|
||||
/etc/libva.conf r,
|
||||
|
||||
owner /tmp/@{name}/.parentlock rw,
|
||||
|
||||
@{sys}/devices/@{pci}/{irq,revision,resource} r,
|
||||
@{sys}/devices/@{pci}/config r,
|
||||
|
||||
deny @{config_dirs}/firefox/*/.parentlock rw,
|
||||
deny @{config_dirs}/firefox/*/startupCache/** r,
|
||||
deny @{user_cache_dirs}/mozilla/firefox/*/startupCache/* r,
|
||||
|
|
|
|||
|
|
@ -18,8 +18,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
|
|||
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/deny-sensitive-home>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/dri>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/mesa>
|
||||
|
|
|
|||
|
|
@ -21,18 +21,13 @@ profile xdg-desktop-portal-gtk @{exec_path} {
|
|||
include <abstractions/bus/org.gnome.Shell.Introspect>
|
||||
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/thumbnails-cache-read>
|
||||
include <abstractions/user-download>
|
||||
include <abstractions/user-write>
|
||||
include <abstractions/wayland>
|
||||
|
||||
unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
|
||||
|
||||
|
|
@ -53,8 +48,6 @@ profile xdg-desktop-portal-gtk @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
|
||||
/ r,
|
||||
|
||||
owner /var/lib/xkb/server-@{int}.xkm rw,
|
||||
|
|
@ -65,7 +58,6 @@ profile xdg-desktop-portal-gtk @{exec_path} {
|
|||
owner @{HOME}/@{XDG_DATA_DIR}/ r,
|
||||
|
||||
owner /tmp/runtime-*/xauth_@{rand6} r,
|
||||
owner /tmp/xauth_@{rand6} r,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
@{run}/user/@{uid}/xauth_@{rand6} rl,
|
||||
|
|
|
|||
|
|
@ -9,13 +9,10 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/xdg-desktop-portal-kde
|
||||
profile xdg-desktop-portal-kde @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
|
|
@ -27,7 +24,6 @@ profile xdg-desktop-portal-kde @{exec_path} {
|
|||
|
||||
/usr/share/hwdata/pnp.ids r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/mime/{,**} r,
|
||||
/usr/share/qt5/qtlogging.ini r,
|
||||
|
||||
/etc/xdg/kdeglobals r,
|
||||
|
|
|
|||
|
|
@ -15,13 +15,10 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/base>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.freedesktop.login1.Session>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
|
|
|
|||
|
|
@ -9,12 +9,8 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/Xwayland
|
||||
profile xwayland @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
signal (receive) set=(term hup) peer=gdm*,
|
||||
|
|
@ -29,10 +25,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/xkbcomp rPx,
|
||||
|
||||
/usr/share/egl/{,**} r,
|
||||
/usr/share/fonts/{,**} r,
|
||||
/usr/share/ghostscript/fonts/{,**} r,
|
||||
/usr/share/libdrm/*.ids r,
|
||||
|
||||
owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
|
||||
|
||||
|
|
@ -41,10 +35,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/user/@{uid}/server-@{int}.xkm rw,
|
||||
owner @{run}/user/@{uid}/xwayland-shared-@{rand6} rw,
|
||||
|
||||
@{sys}/bus/pci/devices/ r,
|
||||
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
owner @{PROC}/@{pids}/comm r,
|
||||
|
||||
/dev/tty@{int} rw,
|
||||
/dev/tty rw,
|
||||
|
|
|
|||
|
|
@ -10,17 +10,13 @@ include <tunables/global>
|
|||
profile epiphany-search-provider @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/enchant>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/nvidia>
|
||||
include <abstractions/p11-kit>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
network inet dgram,
|
||||
|
|
@ -49,7 +45,6 @@ profile epiphany-search-provider @{exec_path} {
|
|||
@{PROC}/zoneinfo r,
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/comm r,
|
||||
|
||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ profile evolution-alarm-notify @{exec_path} {
|
|||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/openssl>
|
||||
|
||||
network netlink raw,
|
||||
|
|
|
|||
|
|
@ -19,14 +19,10 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
||||
include <abstractions/bus/org.gnome.Shell.Introspect>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl-nvidia>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
network netlink raw,
|
||||
|
||||
|
|
@ -59,7 +55,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/openni2/OpenNI.ini r,
|
||||
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/egl/{,**} r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/gnome-shell/{,**} r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
|
|
|
|||
|
|
@ -11,11 +11,8 @@ profile gnome-calculator-search-provider @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/graphics>
|
||||
|
||||
signal (send) set=kill peer=unconfined,
|
||||
|
||||
|
|
@ -28,11 +25,8 @@ profile gnome-calculator-search-provider @{exec_path} {
|
|||
|
||||
@{bin}/* rPUx,
|
||||
|
||||
/usr/share/nvidia/nvidia-application-profiles-*-rc r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/comm r,
|
||||
|
||||
include if exists <local/gnome-calculator-search-provider>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -19,13 +19,11 @@ profile gnome-calendar @{exec_path} {
|
|||
include <abstractions/bus/org.freedesktop.timedate1>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/p11-kit>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
network netlink raw,
|
||||
|
||||
|
|
@ -42,7 +40,6 @@ profile gnome-calendar @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/egl/{,**} r,
|
||||
/usr/share/evolution-data-server/{,**} r,
|
||||
/usr/share/libgweather/Locations.xml r,
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue