feat(profile): general update.

Also include some preparation for the systemd profile.
Alexandre Pujol 2023-11-19 11:08:35 +00:00
parent 3197f52a97
commit b79a1fcd31
31 changed files with 86 additions and 48 deletions


@ -120,7 +120,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r, /etc/machine-id r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/var/cache/apt/ r, /var/cache/apt/ rw,
/var/cache/apt/** rwk, /var/cache/apt/** rwk,
/var/crash/{,*.@{uid}.crash} rw, /var/crash/{,*.@{uid}.crash} rw,


@ -69,6 +69,7 @@ profile child-open {
@{bin}/engrampa rPx, @{bin}/engrampa rPx,
@{bin}/eog rPUx, @{bin}/eog rPUx,
@{bin}/evince rPx, @{bin}/evince rPx,
@{bin}/extension-manager rPx,
@{bin}/file-roller rPUx, @{bin}/file-roller rPUx,
@{bin}/filezilla rPx, @{bin}/filezilla rPx,
@{bin}/flameshot rPx, @{bin}/flameshot rPx,


@ -57,8 +57,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{lib}/colord/colord-sane rPx, @{lib}/{,colord/}colord-sane rPx,
@{lib}/colord-sane rPx,
/etc/machine-id r, /etc/machine-id r,
/etc/udev/hwdb.bin r, /etc/udev/hwdb.bin r,
@ -79,16 +78,18 @@ profile colord @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/sessions/* r, @{run}/systemd/sessions/* r,
@{run}/udev/data/+pci:* r,
@{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c81:@{int} r, # For video4linux
@{sys}/class/drm/ r, @{sys}/class/drm/ r,
@{sys}/class/video4linux/ r, @{sys}/class/video4linux/ r,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r, @{sys}/devices/@{pci}/drm/card@{int}/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r,
@{sys}/devices/@{pci}/uevent r,
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/colord> include if exists <local/colord>
} }
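Review bot: The rewritten `@{sys}/devices/@{pci}/drm/card@{int}/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r,` line mixes `card@{int}/` with `card[0-9]-`, so a card index above 9 is matched by the directory component but not by the connector component; for consistency with the rest of the rewrite the tail could read `card@{int}-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r,`. The new `@{run}/udev/data/+pci:* r,` has no comment while the neighbouring `c81:` rule explains its purpose; a short one would help the next reader. The profile body continues outside the hunk.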


@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{lib}/{,polkit-1/}polkitd @{exec_path} = @{lib}/{,polkit-1/}polkitd
profile polkitd @{exec_path} { profile polkitd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -58,8 +58,8 @@ profile polkitd @{exec_path} {
/usr/share/polkit-1/actions/*.policy r, /usr/share/polkit-1/actions/*.policy r,
/usr/share/polkit-1/actions/*.policy.choice r, /usr/share/polkit-1/actions/*.policy.choice r,
owner /var/lib/polkit{,-1}/.cache/ rw,
/var/lib/polkit{,-1}/localauthority/{,**} r, /var/lib/polkit{,-1}/localauthority/{,**} r,
owner /var/lib/polkit{,-1}/.cache/ rw,
@{run}/systemd/sessions/* r, @{run}/systemd/sessions/* r,
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,
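Review bot: `flags=(attach_disconnected)` is added to the polkitd profile header without a comment naming the disconnected path that needs it; the same flag is added to the irqbalance and rngd headers in this commit. With the flag set, disconnected paths are matched as if rooted at `/`, so every path rule below also applies to them, which is worth a one-line comment on the header such as `# attach_disconnected: needed for <disconnected path — confirm>` (placeholder). The profile body continues outside both hunks.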


@ -34,6 +34,11 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
/var/lib/snapd/desktop/applications/.mimeinfo.cache.* rw, /var/lib/snapd/desktop/applications/.mimeinfo.cache.* rw,
/var/lib/snapd/desktop/applications/mimeinfo.cache w, /var/lib/snapd/desktop/applications/mimeinfo.cache w,
owner @{user_share_dirs}/.mimeinfo.cache.* rw,
owner @{user_share_dirs}/{,**/} r,
owner @{user_share_dirs}/**.desktop r,
owner @{user_share_dirs}/mimeinfo.cache w,
# Inherit silencer # Inherit silencer
deny network inet6 stream, deny network inet6 stream,
deny network inet stream, deny network inet stream,
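Review bot: The four new `owner @{user_share_dirs}/...` rules are scoped to the whole user share tree, whereas the snapd rules directly above them are limited to `applications/`; `owner @{user_share_dirs}/{,**/} r,` in particular grants directory listing of everything under the user's share directory. If the tool only rebuilds the applications cache, as the snapd lines suggest, the rules could be narrowed to `owner @{user_share_dirs}/applications/{,**/} r,` with the `.desktop` and `mimeinfo.cache` paths scoped the same way — cannot confirm from the hunk alone. The profile body continues outside the hunk.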


@ -20,6 +20,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/nvidia> include <abstractions/nvidia>
include <abstractions/user-download> include <abstractions/user-download>
include <abstractions/vulkan> include <abstractions/vulkan>


@ -22,6 +22,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
include <abstractions/opencl> include <abstractions/opencl>
include <abstractions/vulkan> include <abstractions/vulkan>
capability dac_override,
capability dac_read_search, capability dac_read_search,
capability ipc_owner, capability ipc_owner,
capability perfmon, capability perfmon,
@ -30,11 +31,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
capability sys_admin, capability sys_admin,
capability sys_rawio, capability sys_rawio,
# These can be denied?
#audit capability dac_override,
#audit capability sys_nice,
#capability sys_tty_config,
signal (send) set=(usr1), signal (send) set=(usr1),
signal (receive) peer=lightdm, signal (receive) peer=lightdm,
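Review bot: `capability dac_override,` is now granted unconditionally in the first hunk, where the previous version only kept it as a commented `#audit` candidate, and nothing says which access needs it; dac_override bypasses every file permission check, so a trailing comment in the project's own style, `capability dac_override, # <reason — confirm>` (placeholder), would document the widening. If the need turns out to be a single path, a path rule may be preferable to the capability, but that cannot be told from the hunk. The profile body continues outside both hunks.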


@ -35,10 +35,11 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{bin}/Xorg rPx, @{bin}/dbus-daemon rPx,
@{bin}/dbus-run-session rPx, @{bin}/dbus-run-session rPx,
/etc/gdm{3,}/Xsession rPx, @{bin}/Xorg rPx,
/etc/gdm{3,}/Prime/Default rix, /etc/gdm{3,}/Prime/Default rix,
/etc/gdm{3,}/Xsession rPx,
/usr/share/gdm/gdm.schemas r, /usr/share/gdm/gdm.schemas r,


@ -524,7 +524,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm{3,}/.config/pulse/client.conf r, /var/lib/gdm{3,}/.config/pulse/client.conf r,
/var/lib/gdm{3,}/.config/pulse/cookie rwk, /var/lib/gdm{3,}/.config/pulse/cookie rwk,
/var/lib/gdm{3,}/.local/share/applications/{,**} r, /var/lib/gdm{3,}/.local/share/applications/{,**} r,
/var/lib/gdm{3,}/.local/share/gnome-shell/ rw, /var/lib/gdm{3,}/.local/share/gnome-shell/{,**} rw,
/var/lib/gdm{3,}/.local/share/icc/{,*} rw, /var/lib/gdm{3,}/.local/share/icc/{,*} rw,
/var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/gdm{3,}/greeter-dconf-defaults r,


@ -137,7 +137,9 @@ profile gsd-xsettings @{exec_path} {
@{etc_ro}/xdg/Xwayland-session.d/ r, @{etc_ro}/xdg/Xwayland-session.d/ r,
@{etc_ro}/xdg/Xwayland-session.d/* rix, @{etc_ro}/xdg/Xwayland-session.d/* rix,
/var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
/var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm3/greeter-dconf-defaults r,
owner @{user_cache_dirs}/mesa_shader_cache/index rw, owner @{user_cache_dirs}/mesa_shader_cache/index rw,
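Review bot: The new `/var/lib/gdm3/greeter-dconf-defaults r,` hard-codes `gdm3` while the two lines above it (and the gnome-shell hunk in this commit) use `/var/lib/gdm{3,}/`, so the rule will not match on systems that install under `/var/lib/gdm/`; suggest `/var/lib/gdm{3,}/greeter-dconf-defaults r,`. The profile body continues outside the hunk.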


@ -93,6 +93,8 @@ profile pacman @{exec_path} {
@{bin}/perl rix, @{bin}/perl rix,
@{bin}/pkgfile rPUx, @{bin}/pkgfile rPUx,
@{bin}/pkill rix, @{bin}/pkill rix,
@{bin}/mkdir rix,
@{bin}/setfacl rix,
@{bin}/pwd rix, @{bin}/pwd rix,
@{bin}/rm rix, @{bin}/rm rix,
@{bin}/rsync rix, @{bin}/rsync rix,
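Review bot: The added `@{bin}/mkdir rix,` and `@{bin}/setfacl rix,` are inserted between `pkill` and `pwd`, breaking the alphabetical order the surrounding exec rules keep; `mkdir` belongs before `perl` and `setfacl` after `rsync`. Both run inherited (`rix`), so they take pacman's full rule set, which is consistent with the neighbouring helpers. The profile body continues outside the hunk.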


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov # Copyright (C) 2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -10,41 +11,40 @@ include <tunables/global>
profile sshfs @{exec_path} flags=(complain) { profile sshfs @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
@{exec_path} mr, mount fstype=fuse.sshfs -> @{HOME}/*/,
mount fstype=fuse.sshfs -> @{HOME}/*/*/,
unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none), unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none),
@{exec_path} mr,
@{bin}/ssh rPx, @{bin}/ssh rPx,
@{bin}/fusermount{,3} rCx -> fusermount, @{bin}/fusermount{,3} rCx -> fusermount,
/dev/fuse rw,
mount fstype=fuse.sshfs -> @{HOME}/*/,
mount fstype=fuse.sshfs -> @{HOME}/*/*/,
@{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/fs/pipe-max-size r,
/dev/fuse rw,
profile fusermount flags=(complain) { profile fusermount flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
# To mount anything:
capability sys_admin, capability sys_admin,
mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/,
mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/,
unix (connect, send, receive) type=stream peer=(label="sshfs",addr=none), unix (connect, send, receive) type=stream peer=(label="sshfs",addr=none),
@{bin}/fusermount{,3} mr, @{bin}/fusermount{,3} mr,
mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/,
mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/,
/etc/fuse.conf r, /etc/fuse.conf r,
/dev/fuse rw,
@{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/mounts r,
/dev/fuse rw,
include if exists <local/sshfs_fusermount>
} }
include if exists <local/sshfs> include if exists <local/sshfs>


@ -68,7 +68,9 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
@{sys}/kernel/uevent_seqnum r, @{sys}/kernel/uevent_seqnum r,
@{sys}/devices/**/read_ahead_kb r, @{sys}/devices/**/read_ahead_kb r,
@{PROC}/@{pid}/cgroup r,
@{PROC}/devices r, @{PROC}/devices r,
@{PROC}/pressure/* r,
@{PROC}/sysvipc/{shm,sem,msg} r, @{PROC}/sysvipc/{shm,sem,msg} r,
owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
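Review bot: The new `@{PROC}/@{pid}/cgroup r,` carries no `owner` qualifier, whereas the neighbouring `@{pid}` rules two lines below are `owner`-qualified and the unqualified rules elsewhere in this commit use `@{pids}` (`@{PROC}/@{pids}/cgroup r,` in colord and systemd-udevd). If the daemon only reads its own cgroup, `owner @{PROC}/@{pid}/cgroup r,` is the narrower form; the identical unqualified line is also added to systemd-networkd, systemd-resolved, systemd-timesyncd and systemd-userdbd. The profile body continues outside the hunk.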


@ -15,6 +15,13 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
capability sys_admin, # To set a hostname capability sys_admin, # To set a hostname
dbus bind bus=system name=org.freedesktop.hostname1,
dbus receive bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.hostname1
member=SetHostname
peer=(name=:*, label=systemd//&systemd-networkd),
dbus send bus=system path=/org/freedesktop/DBus dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={RequestName,ReleaseName,GetConnectionUnixUser} member={RequestName,ReleaseName,GetConnectionUnixUser}
@ -35,9 +42,6 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
member=Set*Hostname member=Set*Hostname
peer=(name=:*, label=hostnamectl), peer=(name=:*, label=hostnamectl),
dbus bind bus=system
name=org.freedesktop.hostname[0-9],
@{exec_path} mr, @{exec_path} mr,
@{etc_rw}/.#hostname* rw, @{etc_rw}/.#hostname* rw,


@ -70,12 +70,13 @@ profile systemd-journald @{exec_path} {
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
@{sys}/module/printk/parameters/time r, @{sys}/module/printk/parameters/time r,
@{PROC}/@{pids}/comm r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/attr/current r, @{PROC}/@{pids}/attr/current r,
@{PROC}/@{pids}/sessionid r,
@{PROC}/@{pids}/loginuid r,
@{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/comm r,
@{PROC}/@{pids}/loginuid r,
@{PROC}/@{pids}/sessionid r,
@{PROC}/pressure/* r,
@{PROC}/sys/kernel/hostname r, @{PROC}/sys/kernel/hostname r,
/dev/kmsg rw, /dev/kmsg rw,


@ -66,6 +66,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
/etc/systemd/sleep.conf r, /etc/systemd/sleep.conf r,
/etc/systemd/logind.conf.d/{,**} r, /etc/systemd/logind.conf.d/{,**} r,
/ r,
/boot/{,**} r, /boot/{,**} r,
/swap/swapfile r, /swap/swapfile r,
/swapfile r, /swapfile r,
@ -138,6 +139,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
@{PROC}/@{pid}/sessionid r, @{PROC}/@{pid}/sessionid r,
@{PROC}/@{pid}/stat r, @{PROC}/@{pid}/stat r,
@{PROC}/1/cmdline r, @{PROC}/1/cmdline r,
@{PROC}/pressure/* r,
@{PROC}/swaps r, @{PROC}/swaps r,
@{PROC}/sysvipc/{shm,sem,msg} r, @{PROC}/sysvipc/{shm,sem,msg} r,


@ -25,5 +25,7 @@ profile systemd-modules-load @{exec_path} {
/etc/modules-load.d/ r, /etc/modules-load.d/ r,
/etc/modules-load.d/*.conf r, /etc/modules-load.d/*.conf r,
@{sys}/module/compression r,
include if exists <local/systemd-modules-load> include if exists <local/systemd-modules-load>
} }


@ -76,6 +76,8 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
@{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/product_version r,
@{PROC}/@{pid}/cgroup r,
@{PROC}/pressure/* r,
@{PROC}/sys/net/ipv{4,6}/** rw, @{PROC}/sys/net/ipv{4,6}/** rw,
include if exists <local/systemd-networkd> include if exists <local/systemd-networkd>


@ -55,6 +55,8 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/resolve/{,**} rw, @{run}/systemd/resolve/{,**} rw,
owner @{run}/systemd/journal/socket w, owner @{run}/systemd/journal/socket w,
@{PROC}/@{pid}/cgroup r,
@{PROC}/pressure/* r,
@{PROC}/sys/kernel/hostname r, @{PROC}/sys/kernel/hostname r,
@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,


@ -21,13 +21,13 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
dbus bind bus=system name=org.freedesktop.timesync1,
dbus send bus=system path=/org/freedesktop/DBus dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={RequestName,ReleaseName} member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-daemon), peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus bind bus=system name=org.freedesktop.timesync1,
@{exec_path} mr, @{exec_path} mr,
@{etc_rw}/adjtime r, @{etc_rw}/adjtime r,
@ -36,11 +36,14 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
owner /var/lib/systemd/timesync/clock rw, owner /var/lib/systemd/timesync/clock rw,
owner @{run}/systemd/journal/socket w,
owner @{run}/systemd/timesync/synchronized rw,
@{run}/resolvconf/*.conf r, @{run}/resolvconf/*.conf r,
@{run}/systemd/netif/state r, @{run}/systemd/netif/state r,
@{run}/systemd/notify rw, @{run}/systemd/notify rw,
owner @{run}/systemd/journal/socket w,
owner @{run}/systemd/timesync/synchronized rw,
@{PROC}/@{pid}/cgroup r,
@{PROC}/pressure/* r,
include if exists <local/systemd-timesyncd> include if exists <local/systemd-timesyncd>
} }


@ -108,13 +108,15 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
@{sys}/** rw, @{sys}/** rw,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cgroup r,
@{PROC}/devices r, @{PROC}/devices r,
@{PROC}/driver/nvidia/gpus/ r, @{PROC}/driver/nvidia/gpus/ r,
@{PROC}/driver/nvidia/gpus/*/information r, @{PROC}/driver/nvidia/gpus/*/information r,
@{PROC}/pressure/* r,
@{PROC}/sys/fs/nr_open r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/loginuid r,
@{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/oom_score_adj rw, owner @{PROC}/@{pid}/oom_score_adj rw,
/dev/ rw, /dev/ rw,


@ -22,10 +22,10 @@ profile systemd-user-runtime-dir @{exec_path} {
mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/, mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/,
umount @{run}/user/@{uid}/, umount @{run}/user/@{uid}/,
dbus send bus=system path=/org/freedesktop/login[0-9] dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=Get member=Get
peer=(name=org.freedesktop.login[0-9]), peer=(name=org.freedesktop.login1),
@{exec_path} mr, @{exec_path} mr,


@ -30,5 +30,8 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/userdb/{,**} rw, @{run}/systemd/userdb/{,**} rw,
@{PROC}/@{pid}/cgroup r,
@{PROC}/pressure/* r,
include if exists <local/systemd-userdbd> include if exists <local/systemd-userdbd>
} }


@ -17,6 +17,7 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/etc/machine-id r, /etc/machine-id r,
/etc/shadow r,
@{run}/systemd/userdb/ r, @{run}/systemd/userdb/ r,
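Review bot: `/etc/shadow r,` grants the systemd-userwork profile read access to the password hash database and is the only sensitive rule in the hunk, yet it carries no comment; a trailing note naming the consumer, e.g. `/etc/shadow r, # userdb shadow records — confirm`, would record why it is needed. Worth checking that the rest of the profile has no `rix` transitions, since inherited children would carry this access too. The profile body continues outside the hunk.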


@ -100,7 +100,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
/boot/EFI/*/.goutputstream-@{rand6} rw, /boot/EFI/*/.goutputstream-@{rand6} rw,
/boot/EFI/*/fw/fwupd-*.cap{,.*} rw, /boot/EFI/*/fw/fwupd-*.cap{,.*} rw,
/boot/EFI/*/fwupdx@{int}.efi rw, /boot/EFI/*/fwupdx@{int}.efi rw,
@{lib}/fwupd/efi/fwupdx@{int}.efi r, @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r,
/etc/machine-id r, /etc/machine-id r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,


@ -25,8 +25,8 @@ profile haveged @{exec_path} {
@{PROC}/sys/kernel/random/write_wakeup_threshold w, @{PROC}/sys/kernel/random/write_wakeup_threshold w,
/dev/random w, /dev/random w,
@{sys}/devices/system/cpu/cpu*/cache/ r, @{sys}/devices/system/cpu/cpu@{int}/cache/ r,
@{sys}/devices/system/cpu/cpu*/cache/index*/{type,size,level} r, @{sys}/devices/system/cpu/cpu@{int}/cache/index*/{type,size,level} r,
include if exists <local/haveged> include if exists <local/haveged>
} }
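Review bot: `cpu*` is narrowed to `cpu@{int}` on both rewritten lines, but `index*` on the second line is left as a bare glob; for consistency it could read `@{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/{type,size,level} r,`. The profile body continues outside the hunk.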


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/irqbalance @{exec_path} = @{bin}/irqbalance
profile irqbalance @{exec_path} { profile irqbalance @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
capability setpcap, capability setpcap,


@ -27,6 +27,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) {
@{etc_rw}/lvm/** rwkl, @{etc_rw}/lvm/** rwkl,
@{run}/lock/ rw,
@{run}/lock/lvm/ rw, @{run}/lock/lvm/ rw,
@{run}/lock/lvm/* rwk, @{run}/lock/lvm/* rwk,
@{run}/lvm/** rwk, @{run}/lvm/** rwk,


@ -101,14 +101,16 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
@{bin}/appstreamcli rPx, @{bin}/appstreamcli rPx,
@{bin}/arch-audit rPx, # only: arch @{bin}/arch-audit rPx, # only: arch
@{bin}/dpkg rPx -> child-dpkg, # only: dpkg @{bin}/dpkg rPx -> child-dpkg, # only: dpkg
@{bin}/fc-cache rPx
@{bin}/glib-compile-schemas rPx, @{bin}/glib-compile-schemas rPx,
@{bin}/install-info rPx
@{bin}/systemd-inhibit rPx, @{bin}/systemd-inhibit rPx,
@{bin}/update-desktop-database rPx, @{bin}/update-desktop-database rPx,
@{lib}/apt/methods/* rPx, # only: dpkg @{lib}/apt/methods/* rPx, # only: dpkg
@{lib}/cnf-update-db rPx, @{lib}/cnf-update-db rPx,
@{lib}/update-notifier/update-motd-updates-available rPx, @{lib}/update-notifier/update-motd-updates-available rPx,
@{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile
/usr/share/libalpm/scripts/* rPx, /usr/share/libalpm/scripts/* rPx,
# Install/update packages # Install/update packages
/ r, / r,
@ -122,6 +124,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
/tmp/apt-changelog-@{rand6}/ w, /tmp/apt-changelog-@{rand6}/ w,
/tmp/apt-changelog-@{rand6}/*.changelog rw, /tmp/apt-changelog-@{rand6}/*.changelog rw,
owner /tmp/alpm_*/{,**} rw,
owner /tmp/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw, owner /tmp/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw,
owner /tmp/packagekit* rw, owner /tmp/packagekit* rw,
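Review bot: The added `@{bin}/fc-cache rPx` and `@{bin}/install-info rPx` lines in the first hunk lack the trailing comma that every other rule has; unless the comma was lost in rendering, the AppArmor parser will reject the file and the packagekitd profile will not load. They should read `@{bin}/fc-cache rPx,` and `@{bin}/install-info rPx,`. Both also transition with `Px`, so the target profiles must exist or the exec is denied. The profile body continues outside both hunks.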


@ -8,13 +8,14 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/rngd @{exec_path} = @{bin}/rngd
profile rngd @{exec_path} { profile rngd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/devices-usb> include <abstractions/devices-usb>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
capability dac_read_search, capability dac_read_search,
capability net_admin,
capability sys_admin, capability sys_admin,
capability sys_nice, capability sys_nice,
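Review bot: `capability net_admin,` is added without a comment saying which operation rngd needs it for, and it is a broad capability for an entropy daemon; the project's own style elsewhere in this commit (`capability sys_admin, # To set a hostname` in systemd-hostnamed) suggests `capability net_admin, # <reason — confirm>` (placeholder). If the need is a specific socket option, a comment naming it would also let a later reviewer judge whether the grant can be dropped. The profile body continues outside the hunk.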


@ -94,7 +94,7 @@ profile sudo @{exec_path} {
@{PROC}/sys/kernel/seccomp/actions_avail r, @{PROC}/sys/kernel/seccomp/actions_avail r,
/dev/ r, # interactive login /dev/ r, # interactive login
/dev/ptmx rw, /dev/ptmx rwk,
owner /dev/tty@{int} rw, owner /dev/tty@{int} rw,
deny @{user_share_dirs}/gvfs-metadata/* r, deny @{user_share_dirs}/gvfs-metadata/* r,