refactor(profiles): use @{bin} and @{lib} in profiles (1)

Alexandre Pujol 2023-07-09 13:20:25 +01:00
parent 59469b57b4
commit bb71f49598
125 changed files with 955 additions and 959 deletions


@ -8,8 +8,8 @@
# Root app location
/ r,
/usr/ r,
/{usr/,}{s,}bin/ r,
/{usr/,}{s,}bin/[a-z0-9]* rPUx,
@{bin}/ r,
@{bin}/[a-z0-9]* rPUx,
/usr/local/{s,}bin/ r,
/usr/local/{s,}bin/[a-zA-Z0-9]* rPUx,
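Review bot: `@{bin}/` on the new lines replaces the old `/{usr/,}{s,}bin/` glob, so unless the tunable `@{bin}` (its definition is not in this commit view) also expands to the `sbin` variants, rules that previously matched `/sbin` and `/usr/sbin` silently stop matching; the same question applies to `@{bin}/ldconfig` in android-studio, calibre and dropbox, which replaced `/{usr/,}{s,}bin/ldconfig`. The `@{lib}` substitutions carry the same risk wherever the old pattern was wider than `/{usr/,}lib/`: `lib{,32,64}/firefox` and `lib{,32,64}/thunderbird` in the browser abstraction, `lib{,exec}/gstreamer-*` in the gstreamer abstraction, `lib{x32,32,64}/ r` in android-studio, and the former `@{libexec}` rules in the systemd profile. If the two variables are meant to cover those directories, a one-line comment at their first use, e.g. `# @{bin} and @{lib} are expected to cover the {,s}bin and lib{,32,64,exec} variants`, makes the assumption checkable against the tunable; if not, the dropped alternates need to be kept.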


@ -21,26 +21,26 @@
/usr/share/codium/codium rPUx,
# Firefox
/{usr/,}bin/firefox{,.sh,-esr,-bin} rPx,
/{usr/,}lib{,32,64}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx,
@{bin}/firefox{,.sh,-esr,-bin} rPx,
@{lib}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx,
/opt/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx,
# Thunderbird
/{usr/,}bin/thunderbird{,.sh,-esr,-bin} rPx,
/{usr/,}lib{,32,64}/thunderbird{,.sh,-esr,-bin}/thunderbird{,.sh,-esr,-bin} rPx,
@{bin}/thunderbird{,.sh,-esr,-bin} rPx,
@{lib}/thunderbird{,.sh,-esr,-bin}/thunderbird{,.sh,-esr,-bin} rPx,
/opt/thunderbird{,.sh,-esr,-bin}/thunderbird{,.sh,-esr,-bin} rPx,
# Brave
/opt/brave{-bin,.com}/brave{,-beta,-dev,-bin}/brave{,-beta,-dev,-bin,-browser} rPx,
# Chromium
/{usr/,}lib/chromium/chromium rPx,
@{lib}/chromium/chromium rPx,
# Chrome
/opt/google/chrome{,-beta,-stable,-unstable}/chrome{,-beta,-stable,-unstable} rPx,
# Opera
/{usr/,}lib/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer} rPx,
@{lib}/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer} rPx,
# Discord
/usr/share/ r,


@ -8,7 +8,7 @@
# This abstraction requires the following variables definied in the profile header:
# @{chromium_name} = chromium
# @{chromium_domain} = org.chromium.Chromium
# @{chromium_lib_dirs} = /{usr/,}lib/chromium
# @{chromium_lib_dirs} = @{lib}/chromium
# @{chromium_config_dirs} = @{user_config_dirs}/chromium
# @{chromium_cache_dirs} = @{user_cache_dirs}/chromium
@ -60,32 +60,32 @@
@{chromium_lib_dirs}/chrome-sandbox rPx,
# Desktop integration
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-desktop-menu rPx,
/{usr/,}bin/xdg-email rPx,
/{usr/,}bin/xdg-icon-resource rPx,
/{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/xdg-open rPx -> child-open,
/{usr/,}bin/xdg-settings rPx,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/xdg-desktop-menu rPx,
@{bin}/xdg-email rPx,
@{bin}/xdg-icon-resource rPx,
@{bin}/xdg-mime rPx,
@{bin}/xdg-open rPx -> child-open,
@{bin}/xdg-settings rPx,
# Installing/removing extensions & applications
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/touch rix,
@{bin}/{,e}grep rix,
@{bin}/basename rix,
@{bin}/cat rix,
@{bin}/cut rix,
@{bin}/mkdir rix,
@{bin}/mktemp rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/touch rix,
# For storing passwords externally
/{usr/,}bin/keepassxc-proxy rix, # as a temporary solution - see issue #128
/{usr/,}bin/browserpass rPx,
@{bin}/keepassxc-proxy rix, # as a temporary solution - see issue #128
@{bin}/browserpass rPx,
# Gnome shell integration
/{usr/,}bin/chrome-gnome-shell rPx,
/{usr/,}bin/gnome-browser-connector-host rPx,
@{bin}/chrome-gnome-shell rPx,
@{bin}/gnome-browser-connector-host rPx,
/usr/share/@{chromium_name}/{,**} r,
/usr/share/chromium/extensions/{,**} r,


@ -42,12 +42,12 @@
#owner /tmp/orcexec.* mrw,
#owner @{HOME}/orcexec.* mrw,
/{usr/,}lib/frei0r-[0-9]/*.so mr,
/{usr/,}lib{,exec}/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
/{usr/,}lib{,exec}/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
/{usr/,}lib/@{multiarch}/libproxy/*/modules/*.so mr,
/{usr/,}lib/@{multiarch}/libproxy/*/pxgsettings ixr,
/{usr/,}lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,
@{lib}/frei0r-[0-9]/*.so mr,
@{lib}/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
@{lib}/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
@{lib}/@{multiarch}/libproxy/*/modules/*.so mr,
@{lib}/@{multiarch}/libproxy/*/pxgsettings ixr,
@{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,
owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/ rw,
owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,


@ -6,9 +6,9 @@
/usr/share/kde4/** r,
/{usr/,}lib/kde4/*.so mr,
/{usr/,}lib/kde4/plugins/*/ r,
/{usr/,}lib/kde4/plugins/*/*.so mr,
@{lib}/kde4/*.so mr,
@{lib}/kde4/plugins/*/ r,
@{lib}/kde4/plugins/*/*.so mr,
# Create home KDE directory structure
owner @{HOME}/.kde{,4}/ rw,


@ -7,8 +7,8 @@
include <abstractions/thumbnails-cache-read>
# KDE/Plasma5 themes
#/{usr/,}lib/@{multiarch}/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so mr,
#/{usr/,}lib/@{multiarch}/qt5/plugins/styles/breeze.so mr,
#@{lib}/@{multiarch}/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so mr,
#@{lib}/@{multiarch}/qt5/plugins/styles/breeze.so mr,
#/usr/share/plasma/look-and-feel/** r,
#/usr/share/color-schemes/*.colors r,
@ -34,7 +34,7 @@
#owner /**/.directory r,
# For bookmarks
#/{usr/,}bin/keditbookmarks rPUx,
#@{bin}/keditbookmarks rPUx,
#owner @{user_share_dirs}/kfile/ rw,
#owner @{user_share_dirs}/kfile/#[0-9]*[0-9] rw,
#owner @{user_share_dirs}/kfile/bookmarks.xml* rwl -> @{user_share_dirs}/kfile/#[0-9]*[0-9],


@ -3,8 +3,8 @@
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
/{usr/,}bin/ r,
/{usr/,}bin/python{2.[4-7],3,3.[0-9],3.1[0-9]} r,
@{bin}/ r,
@{bin}/python{2.[4-7],3,3.[0-9],3.1[0-9]} r,
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so} mr,
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r,


@ -8,7 +8,7 @@
/usr/share/zsh/{,**} r,
/usr/local/share/zsh/{,**} r,
/{usr/,}lib/@{multiarch}/zsh/[0-9]*/zsh/*.so mr,
@{lib}/@{multiarch}/zsh/[0-9]*/zsh/*.so mr,
/etc/zsh/zshenv r,
/etc/zsh/zshrc r,


@ -15,8 +15,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd
profile systemd /{usr/,}lib/systemd/systemd flags=(complain) {
@{exec_path} = @{lib}/systemd/systemd
profile systemd @{lib}/systemd/systemd flags=(complain) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
@ -30,56 +30,56 @@ profile systemd /{usr/,}lib/systemd/systemd flags=(complain) {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/systemctl rCx -> systemctl,
@{bin}/{,ba,da}sh rix,
@{bin}/systemctl rCx -> systemctl,
/{usr/,}lib/systemd/user-environment-generators/* rPx,
/{usr/,}lib/systemd/user-environment-generators/* rPx,
/{usr/,}lib/systemd/user-generators/* rPx,
@{lib}/systemd/user-environment-generators/* rPx,
@{lib}/systemd/user-environment-generators/* rPx,
@{lib}/systemd/user-generators/* rPx,
# Server
/{usr/,}lib/openssh/agent-launch rPx,
@{lib}/openssh/agent-launch rPx,
# Dbus
@{libexec}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
/{usr/,}bin/dbus-daemon rPx,
@{bin}/dbus-daemon rPx,
@{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
# Desktop
@{libexec}/xdg-desktop-portal* rPx,
@{libexec}/xdg-document-portal rPx,
@{libexec}/xdg-permission-store rPx,
/{usr/,}bin/xdg-user-dirs-update rPx,
@{bin}/xdg-user-dirs-update rPx,
@{lib}/xdg-desktop-portal* rPx,
@{lib}/xdg-document-portal rPx,
@{lib}/xdg-permission-store rPx,
# Audio
/{usr/,}bin/pipewire rux, # FIXME: no new privs
/{usr/,}bin/pipewire-pulse rux, # FIXME: no new privs
/{usr/,}bin/pulseaudio rux, # FIXME: no new privs
/{usr/,}bin/wireplumber rux, # FIXME: no new privs
@{bin}/pipewire rux, # FIXME: no new privs
@{bin}/pipewire-pulse rux, # FIXME: no new privs
@{bin}/pulseaudio rux, # FIXME: no new privs
@{bin}/wireplumber rux, # FIXME: no new privs
# Gnome
@{libexec}/{,dconf/}dconf-service rPx,
@{libexec}/evolution-addressbook-factory rPx,
@{libexec}/evolution-calendar-factory rPx,
@{libexec}/evolution-source-registry rPx,
@{libexec}/gnome-session-binary rPx,
@{libexec}/gnome-session-ctl rPx,
@{libexec}/gnome-terminal-server rPx,
@{libexec}/goa-* rPx,
@{libexec}/gsd-* rPx,
@{libexec}/gvfs-* rPx,
@{libexec}/gvfsd* rPx,
@{libexec}/tracker-extract-* rPx,
@{libexec}/tracker-miner-* rPx,
/{usr/,}bin/gjs rPx,
/{usr/,}bin/gnome-keyring-daemon rPx,
/{usr/,}bin/gnome-shell rPx,
/{usr/,}bin/gsettings rPx,
/{usr/,}lib/dconf/dconf-service rPx,
/{usr/,}lib/gvfs/gvfs-* rPx,
/{usr/,}lib/gvfs/gvfsd* rPx,
@{bin}/gjs rPx,
@{bin}/gnome-keyring-daemon rPx,
@{bin}/gnome-shell rPx,
@{bin}/gsettings rPx,
@{lib}/{,dconf/}dconf-service rPx,
@{lib}/dconf/dconf-service rPx,
@{lib}/evolution-addressbook-factory rPx,
@{lib}/evolution-calendar-factory rPx,
@{lib}/evolution-source-registry rPx,
@{lib}/gnome-session-binary rPx,
@{lib}/gnome-session-ctl rPx,
@{lib}/gnome-terminal-server rPx,
@{lib}/goa-* rPx,
@{lib}/gsd-* rPx,
@{lib}/gvfs-* rPx,
@{lib}/gvfs/gvfs-* rPx,
@{lib}/gvfs/gvfsd* rPx,
@{lib}/gvfsd* rPx,
@{lib}/tracker-extract-* rPx,
@{lib}/tracker-miner-* rPx,
# Ubuntu
/{usr/,}bin/snap rPx,
@{bin}/snap rPx,
/etc/systemd/user.conf r,
/etc/systemd/user.conf.d/{,**} r,
@ -123,7 +123,7 @@ profile systemd /{usr/,}lib/systemd/systemd flags=(complain) {
profile systemctl {
include <abstractions/base>
/{usr/,}bin/systemctl mr,
@{bin}/systemctl mr,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
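Review bot: The rewritten generators block carries a duplicated rule: `@{lib}/systemd/user-environment-generators/* rPx,` appears on two consecutive lines of the new side (it was already doubled in the old text, and the rewrite kept both). In the Gnome block, `@{lib}/dconf/dconf-service rPx,` sits directly under `@{lib}/{,dconf/}dconf-service rPx,`, whose alternation already matches that path, so the second line adds nothing. Removing one copy of each leaves the granted permissions unchanged and makes the exec list easier to audit. The systemd profile body continues outside this hunk.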


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_akonotes_resource
@{exec_path} = @{bin}/akonadi_akonotes_resource
profile akonadi_akonotes_resource @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_archivemail_agent
@{exec_path} = @{bin}/akonadi_archivemail_agent
profile akonadi_archivemail_agent @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_birthdays_resource
@{exec_path} = @{bin}/akonadi_birthdays_resource
profile akonadi_birthdays_resource @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_contacts_resource
@{exec_path} = @{bin}/akonadi_contacts_resource
profile akonadi_contacts_resource @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_control
@{exec_path} = @{bin}/akonadi_control
profile akonadi_control @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>
@ -21,8 +21,8 @@ profile akonadi_control @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/akonadi_* rPUx,
/{usr/,}bin/akonadiserver rPx,
@{bin}/akonadi_* rPUx,
@{bin}/akonadiserver rPx,
/usr/share/akonadi/{,**} r,
/usr/share/hwdata/*.ids r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_followupreminder_agent
@{exec_path} = @{bin}/akonadi_followupreminder_agent
profile akonadi_followupreminder_agent @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_ical_resource
@{exec_path} = @{bin}/akonadi_ical_resource
profile akonadi_ical_resource @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_indexing_agent
@{exec_path} = @{bin}/akonadi_indexing_agent
profile akonadi_indexing_agent @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_maildir_resource
@{exec_path} = @{bin}/akonadi_maildir_resource
profile akonadi_maildir_resource @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_maildispatcher_agent
@{exec_path} = @{bin}/akonadi_maildispatcher_agent
profile akonadi_maildispatcher_agent @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_mailfilter_agent
@{exec_path} = @{bin}/akonadi_mailfilter_agent
profile akonadi_mailfilter_agent @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_mailmerge_agent
@{exec_path} = @{bin}/akonadi_mailmerge_agent
profile akonadi_mailmerge_agent @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_migration_agent
@{exec_path} = @{bin}/akonadi_migration_agent
profile akonadi_migration_agent @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_newmailnotifier_agent
@{exec_path} = @{bin}/akonadi_newmailnotifier_agent
profile akonadi_newmailnotifier_agent @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_notes_agent
@{exec_path} = @{bin}/akonadi_notes_agent
profile akonadi_notes_agent @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_sendlater_agent
@{exec_path} = @{bin}/akonadi_sendlater_agent
profile akonadi_sendlater_agent @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_unifiedmailbox_agent
@{exec_path} = @{bin}/akonadi_unifiedmailbox_agent
profile akonadi_unifiedmailbox_agent @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>


@ -44,40 +44,38 @@ profile android-studio @{exec_path} {
network netlink raw,
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/python3.[0-9]* rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/cat rix,
@{bin}/chattr rix,
@{bin}/chmod rix,
@{bin}/cut rix,
@{bin}/dirname rix,
@{bin}/kill rix,
@{bin}/ldconfig rix,
@{bin}/mktemp rix,
@{bin}/nice rix,
@{bin}/python3.[0-9]* rix,
@{bin}/readlink rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/setsid rix,
@{bin}/uname rix,
@{bin}/which{,.debianutils} rix,
@{bin}/xargs rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/sed rix,
@{bin}/git rPx,
@{bin}/lsusb rPx,
@{bin}/ps rPx,
@{bin}/xdg-mime rPx,
@{bin}/xprop rPx,
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/chattr rix,
/{usr/,}bin/setsid rix,
/{usr/,}bin/nice rix,
/{usr/,}bin/kill rix,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/lsb_release rCx -> lsb-release,
@{bin}/xdg-open rCx -> open,
/{usr/,}bin/lsusb rPx,
/{usr/,}bin/xprop rPx,
/{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/ps rPx,
/{usr/,}bin/git rPx,
/{usr/,}bin/lsb_release rCx -> lsb-release,
/{usr/,}bin/gpg{,2} rCx -> gpg,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/jre/bin/* rix,
@{lib}/jvm/java-[0-9]*-openjdk-*/jre/bin/* rix,
/etc/java-[0-9]*-openjdk/** r,
/usr/share/java/java-atk-wrapper.jar r,
@ -89,8 +87,7 @@ profile android-studio @{exec_path} {
@{MOUNTS}/ r,
@{MOUNTS}/*/ r,
/usr/ r,
/{usr/,}lib/ r,
/{usr/,}lib{x32,32,64}/ r,
@{lib}/ r,
@{AS_LIBDIR}/ rw,
@{AS_LIBDIR}/** mrwkix,
@ -99,12 +96,12 @@ profile android-studio @{exec_path} {
# Currently there is only the target platform of API Level 23 packaged, so only apps targeted at
# android-23 can be built with only Debian packages. Only Build-Tools 24.0.0 is available, so in
# order to use the SDK, build scripts need to be modified.
/{usr/,}lib/android-sdk/ r,
/{usr/,}lib/android-sdk/** mrkix,
@{lib}/android-sdk/ r,
@{lib}/android-sdk/** mrkix,
/usr/share/android-sdk-platform-*/{,**} r,
deny /{usr/,}lib/android-sdk/build-tools/*/package.xml w,
deny /{usr/,}lib/android-sdk/platforms/android-*/package.xml w,
deny /{usr/,}lib/android-sdk/.knownPackages w,
deny @{lib}/android-sdk/build-tools/*/package.xml w,
deny @{lib}/android-sdk/platforms/android-*/package.xml w,
deny @{lib}/android-sdk/.knownPackages w,
# This one is used if the standard android SDK location is missing
@{AS_SDKDIR}/ rw,
@ -220,7 +217,7 @@ profile android-studio @{exec_path} {
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpg{,2} mr,
@{bin}/gpg{,2} mr,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
@ -234,11 +231,11 @@ profile android-studio @{exec_path} {
signal (receive) set=(term, kill) peer=android-studio,
/{usr/,}bin/lsb_release r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/lsb_release r,
@{bin}/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/apt-cache rPx,
@{bin}/ r,
@{bin}/apt-cache rPx,
owner @{PROC}/@{pid}/fd/ r,
@ -259,27 +256,27 @@ profile android-studio @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}bin/spacefm rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/vlc rPx,
/{usr/,}bin/mpv rPx,
/{usr/,}bin/geany rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/ebook-viewer rPx,
/{usr/,}lib/firefox/firefox rPx,
@{bin}/spacefm rPx,
@{bin}/smplayer rPx,
@{bin}/vlc rPx,
@{bin}/mpv rPx,
@{bin}/geany rPx,
@{bin}/viewnior rPUx,
@{bin}/qpdfview rPx,
@{bin}/ebook-viewer rPx,
@{lib}/firefox/firefox rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom /{usr/,}bin/atom
@{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom @{bin}/atom
profile atom @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
@ -40,40 +40,40 @@ profile atom @{exec_path} {
/usr/share/atom/resources/**/libexec/** rix,
deny /{usr/,}local/bin/ r,
deny /{usr/,}bin/ r,
#/{usr/,}bin/{,ba,da}sh rix,
#/{usr/,}bin/zsh rix,
#/{usr/,}bin/env rix,
#/{usr/,}bin/rmdir rix,
#/{usr/,}bin/{,e}grep rix,
#/{usr/,}bin/ls rix,
#/{usr/,}bin/{m,g,}awk rix,
#/{usr/,}bin/tty rix,
#/{usr/,}bin/dircolors rix,
#/{usr/,}bin/cut rix,
#/{usr/,}bin/xwininfo rix,
#/{usr/,}bin/date rix,
deny @{bin}/ r,
#@{bin}/{,ba,da}sh rix,
#@{bin}/zsh rix,
#@{bin}/env rix,
#@{bin}/rmdir rix,
#@{bin}/{,e}grep rix,
#@{bin}/ls rix,
#@{bin}/{m,g,}awk rix,
#@{bin}/tty rix,
#@{bin}/dircolors rix,
#@{bin}/cut rix,
#@{bin}/xwininfo rix,
#@{bin}/date rix,
# The expr and uname tools are needed or Atom won't start with the following error:
# Your platform () is not supported.
/{usr/,}bin/expr rix,
/{usr/,}bin/uname rix,
@{bin}/expr rix,
@{bin}/uname rix,
# The following also are needed to start Atom
/{usr/,}bin/basename rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/nohup rix,
/{usr/,}bin/cat rix,
@{bin}/basename rix,
@{bin}/readlink rix,
@{bin}/dirname rix,
@{bin}/mkdir rix,
@{bin}/nohup rix,
@{bin}/cat rix,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/xdg-open rCx -> open,
/{usr/,}bin/xdg-settings rPx,
@{bin}/xdg-settings rPx,
/{usr/,}bin/git rPx,
@{bin}/git rPx,
# Needed to sign commits
/{usr/,}bin/gpg{,2} rCx -> gpg,
@{bin}/gpg{,2} rCx -> gpg,
# /home/ r,
# Reading of the user home dir is required or the following error will be printed:
@ -139,7 +139,7 @@ profile atom @{exec_path} {
owner /tmp/net-export/ rw,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
profile gpg {
@ -148,7 +148,7 @@ profile atom @{exec_path} {
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
/{usr/,}bin/gpg{,2} mr,
@{bin}/gpg{,2} mr,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
@ -163,19 +163,19 @@ profile atom @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -7,12 +7,12 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/calibre{,-parallel,-debug,-server,-smtp,-complete,-customize}
@{exec_path} += /{usr/,}bin/calibredb
@{exec_path} += /{usr/,}bin/ebook{-viewer,-edit,-device,-meta,-polish,-convert}
@{exec_path} += /{usr/,}bin/fetch-ebook-metadata
@{exec_path} += /{usr/,}bin/lrs2lrf /{usr/,}bin/lrf2lrs /{usr/,}bin/lrfviewer
@{exec_path} += /{usr/,}bin/web2disk
@{exec_path} = @{bin}/calibre{,-parallel,-debug,-server,-smtp,-complete,-customize}
@{exec_path} += @{bin}/calibredb
@{exec_path} += @{bin}/ebook{-viewer,-edit,-device,-meta,-polish,-convert}
@{exec_path} += @{bin}/fetch-ebook-metadata
@{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer
@{exec_path} += @{bin}/web2disk
profile calibre @{exec_path} {
include <abstractions/base>
include <abstractions/opencl-intel>
@ -83,20 +83,20 @@ profile calibre @{exec_path} {
peer=(name=:*),
@{exec_path} mrix,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/{usr/,}{s,}bin/ldconfig{,.real} rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/file rix,
/{usr/,}bin/uname rix,
/{usr/,}lib/@{multiarch}/qt5/libexec/QtWebEngineProcess rix,
@{bin}/ldconfig{,.real} rix,
@{bin}/{,ba,da}sh rix,
@{bin}/file rix,
@{bin}/uname rix,
@{lib}/@{multiarch}/qt5/libexec/QtWebEngineProcess rix,
/{usr/,}bin/pdftoppm rPUx, # (#FIXME#)
/{usr/,}bin/pdfinfo rPUx,
/{usr/,}bin/pdftohtml rPUx,
@{bin}/pdftoppm rPUx, # (#FIXME#)
@{bin}/pdfinfo rPUx,
@{bin}/pdftohtml rPUx,
/{usr/,}bin/xdg-open rPx -> child-open,
/{usr/,}bin/xdg-mime rPx,
@{bin}/xdg-open rPx -> child-open,
@{bin}/xdg-mime rPx,
/usr/share/calibre/{,**} r,
/usr/share/hwdata/pnp.ids r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/code /usr/share/code/{bin/,}code
@{exec_path} = @{bin}/code /usr/share/code/{bin/,}code
profile code @{exec_path} {
include <abstractions/base>
include <abstractions/chromium-common>
@ -24,16 +24,16 @@ profile code @{exec_path} {
@{exec_path} mrix,
/{usr/,}lib/code/extensions/git/dist/askpass.sh rPx,
/{usr/,}lib/code/extensions/git/dist/git-editor.sh rPx,
@{lib}/code/extensions/git/dist/askpass.sh rPx,
@{lib}/code/extensions/git/dist/git-editor.sh rPx,
# The shell is not confined on purpose.
/{usr/,}bin/{,b,d,rb}ash rUx,
/{usr/,}bin/{c,k,tc,z}sh rUx,
@{bin}/{,b,d,rb}ash rUx,
@{bin}/{c,k,tc,z}sh rUx,
/{usr/,}bin/git rPx,
/{usr/,}bin/gpg{,2} rPUx,
/{usr/,}bin/lsb_release rPx -> lsb_release,
@{bin}/git rPx,
@{bin}/gpg{,2} rPUx,
@{bin}/lsb_release rPx -> lsb_release,
# /usr/share/code/** r,
# /usr/share/code/libffmpeg.so mr,


@ -12,7 +12,7 @@ include <tunables/global>
@{DISCORD_HOMEDIR} += @{HOME}/.config/discordptb
@{DISCORD_CACHEDIR} = @{HOME}/.cache/discord
@{exec_path} = @{DISCORD_LIBDIR}/Discord{,PTB} /{usr/,}bin/discord{,-ptb}
@{exec_path} = @{DISCORD_LIBDIR}/Discord{,PTB} @{bin}/discord{,-ptb}
profile discord @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -42,13 +42,13 @@ profile discord @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/xdg-open rCx -> open,
#/{usr/,}bin/lsb_release rCx -> lsb_release,
#/{usr/,}bin/xdg-mime rCx -> xdg-mime,
deny /{usr/,}bin/lsb_release mrx,
deny /{usr/,}bin/xdg-mime mrx,
@{bin}/xdg-open rCx -> open,
#@{bin}/lsb_release rCx -> lsb_release,
#@{bin}/xdg-mime rCx -> xdg-mime,
deny @{bin}/lsb_release mrx,
deny @{bin}/xdg-mime mrx,
@{DISCORD_LIBDIR}/ r,
@{DISCORD_LIBDIR}/** r,
@ -107,7 +107,7 @@ profile discord @{exec_path} {
/etc/machine-id r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
@{lib}/firefox/firefox rPx,
# file_inherit
owner /dev/tty[0-9]* rw,
@ -117,14 +117,14 @@ profile discord @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
/{usr/,}bin/xdg-mime mr,
@{bin}/xdg-mime mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/head rix,
/{usr/,}bin/sed rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/cut rix,
@{bin}/{,e}grep rix,
@{bin}/head rix,
@{bin}/sed rix,
# file_inherit
/usr/share/discord/** r,
@ -142,11 +142,11 @@ profile discord @{exec_path} {
signal (receive) set=(kill, term) peer=discord,
/{usr/,}bin/lsb_release r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/lsb_release r,
@{bin}/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/apt-cache rPx,
@{bin}/ r,
@{bin}/apt-cache rPx,
owner @{PROC}/@{pid}/fd/ r,
@ -167,19 +167,19 @@ profile discord @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
@{lib}/firefox/firefox rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -10,7 +10,7 @@ include <tunables/global>
@{DROPBOX_HOME_DIR}=@{HOME}/.dropbox/
@{DROPBOX_SHARE_DIR}=@{HOME}/Dropbox*/
@{exec_path} = /{usr/,}bin/dropbox
@{exec_path} = @{bin}/dropbox
profile dropbox @{exec_path} {
include <abstractions/base>
include <abstractions/X>
@ -28,8 +28,8 @@ profile dropbox @{exec_path} {
@{exec_path} r,
/{usr/,}bin/ r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/ r,
@{bin}/python3.[0-9]* r,
# Dropbox home files
owner @{HOME}/ r,
@ -50,14 +50,14 @@ profile dropbox @{exec_path} {
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/*.so* mrw,
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/plugins/platforms/*.so mrw,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/uname rix,
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/{,@{multiarch}-}objdump rix,
@{bin}/{,ba,da}sh rix,
@{bin}/readlink rix,
@{bin}/dirname rix,
@{bin}/uname rix,
@{bin}/ldconfig rix,
@{lib}/llvm-[0-9]*/bin/clang rix,
@{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
@{bin}/{,@{multiarch}-}objdump rix,
# Needed for updating Dropbox
owner /tmp/.dropbox-dist-new-*/{,**} rw,
@ -72,7 +72,7 @@ profile dropbox @{exec_path} {
deny owner @{user_config_dirs}/autostart/dropbox.desktop rw,
# What's this for?
/{usr/,}bin/mount mrix,
@{bin}/mount mrix,
@{sys}/devices/virtual/block/dm-[0-9]*/dm/name r,
@{sys}/devices/virtual/block/loop[0-9]/ r,
@{sys}/devices/virtual/block/loop[0-9]/loop/{autoclear,backing_file} r,
@ -115,30 +115,30 @@ profile dropbox @{exec_path} {
deny @{sys}/module/apparmor/parameters/enabled r,
# External apps
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/lsb_release rPx -> lsb_release,
@{bin}/xdg-open rCx -> open,
@{bin}/lsb_release rPx -> lsb_release,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/filezilla
@{exec_path} = @{bin}/filezilla
profile filezilla @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
@ -20,13 +20,13 @@ profile filezilla @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
@{bin}/{,ba,da}sh rix,
@{bin}/uname rix,
# When using SFTP protocol
/{usr/,}bin/fzsftp rPx,
@{bin}/fzsftp rPx,
/{usr/,}bin/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx -> lsb_release,
owner @{HOME}/ r,
owner @{user_config_dirs}/filezilla/ rw,
@ -53,7 +53,7 @@ profile filezilla @{exec_path} {
owner /tmp/fz[0-9]temp-[0-9]*/empty_file_* rw,
# External apps
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# FTP share folder
owner @{MOUNTS}/ftp/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/flameshot
@{exec_path} = @{bin}/flameshot
profile flameshot @{exec_path} {
include <abstractions/base>
include <abstractions/X>
@ -33,9 +33,9 @@ profile flameshot @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/whoami rix,
@{bin}/whoami rix,
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/xdg-open rCx -> open,
# Flameshot home files
owner @{user_config_dirs}/flameshot/ rw,
@ -73,12 +73,12 @@ profile flameshot @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,


@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{FT_LIBDIR} = /{usr/,}lib/freetube
@{FT_LIBDIR} += /{usr/,}lib/freetube-vue
@{FT_LIBDIR} = @{lib}/freetube
@{FT_LIBDIR} += @{lib}/freetube-vue
@{FT_LIBDIR} += /opt/FreeTube
@{FT_LIBDIR} += /opt/FreeTube-Vue
@ -83,14 +83,14 @@ profile freetube @{exec_path} {
owner @{run}/user/@{uid}/ r,
# no new privs
/{usr/,}bin/xdg-settings rPx,
@{bin}/xdg-settings rPx,
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/xdg-open rCx -> open,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/mpv rPx,
/{usr/,}bin/vlc rPx,
@{lib}/firefox/firefox rPx,
@{bin}/mpv rPx,
@{bin}/vlc rPx,
# file_inherit
owner /dev/tty[0-9]* rw,
@ -100,21 +100,21 @@ profile freetube @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/mpv rPx,
/{usr/,}bin/vlc rPx,
@{lib}/firefox/firefox rPx,
@{bin}/mpv rPx,
@{bin}/vlc rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{FT_LIBDIR} = /{usr/,}lib/freetube
@{FT_LIBDIR} += /{usr/,}lib/freetube-vue
@{FT_LIBDIR} = @{lib}/freetube
@{FT_LIBDIR} += @{lib}/freetube-vue
@{FT_LIBDIR} += /opt/FreeTube
@{FT_LIBDIR} += /opt/FreeTube-Vue


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/geany
@{exec_path} = @{bin}/geany
profile geany @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
@ -27,10 +27,10 @@ profile geany @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
# For the sorting feature
/{usr/,}bin/sort rix,
@{bin}/sort rix,
# When geany is run as root, it wants to exec dbus-launch, and hence it creates the two following
# root processes:
@ -38,10 +38,10 @@ profile geany @{exec_path} {
# /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
#
# Should this be allowed? Geany works fine without this.
#/{usr/,}bin/dbus-launch rCx -> dbus,
#/{usr/,}bin/dbus-send rCx -> dbus,
deny /{usr/,}bin/dbus-launch rx,
deny /{usr/,}bin/dbus-send rx,
#@{bin}/dbus-launch rCx -> dbus,
#@{bin}/dbus-send rCx -> dbus,
deny @{bin}/dbus-launch rx,
deny @{bin}/dbus-send rx,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
@ -105,9 +105,9 @@ profile geany @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/dbus-launch mr,
/{usr/,}bin/dbus-send mr,
/{usr/,}bin/dbus-daemon rPUx,
@{bin}/dbus-launch mr,
@{bin}/dbus-send mr,
@{bin}/dbus-daemon rPUx,
# for dbus-launch
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
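Review bot: The `dbus` child profile in the last hunk (`@{bin}/dbus-launch mr,`, `@{bin}/dbus-send mr,`, `@{bin}/dbus-daemon rPUx,`) is unreachable as long as the main profile keeps `deny @{bin}/dbus-launch rx,` and `deny @{bin}/dbus-send rx,` with the `rCx -> dbus` transitions commented out; the rewrite carries both halves forward without settling which is intended. Either drop the dead child profile or record why it stays, e.g. `# dbus child profile kept for when the rCx transitions above are re-enabled`. The child profile's closing brace is outside the hunk.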


@ -8,7 +8,7 @@ include <tunables/global>
@{okular_ext} = [pP][dD][fF]
@{exec_path} = /{usr/,}bin/okular
@{exec_path} = @{bin}/okular
profile okular @{exec_path} {
include <abstractions/base>
include <abstractions/X>
@ -78,13 +78,13 @@ profile okular @{exec_path} {
/etc/machine-id r,
# Search phrase in google
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/xdg-open rCx -> open,
/usr/share/kservices5/searchproviders/{,*.desktop} r,
/usr/share/kservices5/{,*.protocol} r,
/etc/xdg/kshorturifilterrc r,
# Print to pdf
/{usr/,}bin/ps2pdf rPUx,
@{bin}/ps2pdf rPUx,
owner /tmp/@{hex} rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/okular_*.ps rwl -> /tmp/#[0-9]*[0-9],
@ -93,26 +93,26 @@ profile okular @{exec_path} {
/usr/share/kf5/licenses/GPL_V2 r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -76,9 +76,9 @@ profile signal-desktop @{exec_path} {
/etc/machine-id r,
# No new privs
/{usr/,}bin/xdg-settings rPx,
@{bin}/xdg-settings rPx,
/{usr/,}bin/getconf rix,
@{bin}/getconf rix,
include if exists <local/signal-desktop>
}


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/spotify /usr/share/spotify/spotify
@{exec_path} = @{bin}/spotify /usr/share/spotify/spotify
profile spotify @{exec_path} {
include <abstractions/base>
include <abstractions/opencl-intel>


@ -8,7 +8,7 @@ include <tunables/global>
@{TELEGRAM_WORK_DIR} = @{MOUNTS}/Kabi/telegram
@{exec_path} = /{usr/,}bin/telegram-desktop
@{exec_path} = @{bin}/telegram-desktop
profile telegram-desktop @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -38,13 +38,13 @@ profile telegram-desktop @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
# Launch external apps
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/xdg-open rCx -> open,
# What's this for?
deny /{usr/,}bin/fc-list rx,
deny @{bin}/fc-list rx,
# Telegram files
/usr/share/TelegramDesktop/{,**} r,
@ -81,11 +81,11 @@ profile telegram-desktop @{exec_path} {
/usr/share/qt5ct/** r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/geany rPx,
@{lib}/firefox/firefox rPx,
@{bin}/smplayer rPx,
@{bin}/viewnior rPUx,
@{bin}/qpdfview rPx,
@{bin}/geany rPx,
# file_inherit
owner /dev/tty[0-9]* rw,
@ -95,23 +95,23 @@ profile telegram-desktop @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{TELEGRAM_WORK_DIR}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/geany rPx,
@{lib}/firefox/firefox rPx,
@{bin}/smplayer rPx,
@{bin}/qpdfview rPx,
@{bin}/viewnior rPUx,
@{bin}/geany rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -8,15 +8,15 @@ abi <abi/3.0>,
include <tunables/global>
@{FIREFOX_BIN} = /{usr/,}lib/firefox{,-esr}/firefox
@{FIREFOX_BIN} = @{lib}/firefox{,-esr}/firefox
@{FIREFOX_BIN} += /opt/firefox{,-esr}/firefox
@{MOZ_LIBDIR} = /{usr/,}lib/thunderbird
@{MOZ_LIBDIR} = @{lib}/thunderbird
@{MOZ_HOMEDIR} = @{HOME}/.thunderbird
@{MOZ_CACHEDIR} = @{user_cache_dirs}/thunderbird
@{exec_path} = @{MOZ_LIBDIR}/thunderbird{,-bin}
@{exec_path} += /{usr/,}bin/thunderbird
@{exec_path} += @{bin}/thunderbird
profile thunderbird @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -103,14 +103,14 @@ profile thunderbird @{exec_path} {
@{exec_path} mrix,
@{MOZ_LIBDIR}/thunderbird-wrapper-helper.sh rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/date rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/which{,.debianutils} rix,
@{bin}/{,ba,da}sh rix,
@{bin}/sed rix,
@{bin}/date rix,
@{bin}/tr rix,
@{bin}/which{,.debianutils} rix,
/{usr/,}bin/ps rPx,
/{usr/,}bin/dig rix,
@{bin}/ps rPx,
@{bin}/dig rix,
# Thunderbird files
/usr/share/thunderbird/{,**} r,
@ -146,14 +146,14 @@ profile thunderbird @{exec_path} {
owner @{user_share_dirs}/ r,
# Spellcheck
/{usr/,}bin/locale rix,
@{bin}/locale rix,
# System integration
/etc/mime.types r,
owner @{user_config_dirs}/mimeapps.list.* rw,
# KDE system keyring
/{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
@{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
/usr/share/xul-ext/kwallet5/* r,
/etc/xul-ext/kwallet5.js r,
owner @{user_config_dirs}/kwalletrc r,
@ -216,25 +216,25 @@ profile thunderbird @{exec_path} {
/usr/share/sounds/freedesktop/stereo/*.oga r,
# Silencer
deny /{usr/,}lib/thunderbird/** w,
deny @{lib}/thunderbird/** w,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-{open,mime} rCx -> open,
/{usr/,}bin/exo-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/xdg-{open,mime} rCx -> open,
@{bin}/exo-open rCx -> open,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
# Needed for enigmail
/usr/share/xul-ext/enigmail/{,**} r,
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpg-connect-agent rCx -> gpg,
/{usr/,}bin/gpg{,2} rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg,
@{bin}/gpgconf rCx -> gpg,
@{bin}/gpg-connect-agent rCx -> gpg,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/gpgsm rCx -> gpg,
# Allowed apps to open
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/engrampa rPx,
/{usr/,}bin/geany rPx,
@{bin}/qpdfview rPx,
@{bin}/viewnior rPUx,
@{bin}/engrampa rPx,
@{bin}/geany rPx,
@{FIREFOX_BIN} rPx,
# file_inherit
@ -252,11 +252,11 @@ profile thunderbird @{exec_path} {
network inet6 stream,
network netlink raw,
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpg{,2} mr,
/{usr/,}bin/gpg-connect-agent mr,
/{usr/,}bin/gpgsm mr,
/{usr/,}bin/gpg-agent rix,
@{bin}/gpgconf mr,
@{bin}/gpg{,2} mr,
@{bin}/gpg-connect-agent mr,
@{bin}/gpgsm mr,
@{bin}/gpg-agent rix,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
@ -298,25 +298,25 @@ profile thunderbird @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/exo-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
@{bin}/xdg-open mr,
@{bin}/exo-open mr,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,m,g}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/xfce4-mime-helper rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,m,g}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
@{bin}/xfce4-mime-helper rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/engrampa rPx,
/{usr/,}bin/geany rPx,
@{bin}/qpdfview rPx,
@{bin}/viewnior rPUx,
@{bin}/engrampa rPx,
@{bin}/geany rPx,
@{FIREFOX_BIN} rPx,
# file_inherit


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/{c,}vlc
@{exec_path} = @{bin}/{c,}vlc
profile vlc @{exec_path} {
include <abstractions/base>
include <abstractions/audio>
@ -145,7 +145,7 @@ profile vlc @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver,
@{bin}/xdg-screensaver rCx -> xdg-screensaver,
/usr/share/hwdata/pnp.ids r,
/usr/share/qt5ct/** r,
@ -197,22 +197,22 @@ profile vlc @{exec_path} {
owner /dev/tty[0-9]* rw,
# Silencer
deny /{usr/,}lib/@{multiarch}/vlc/{,**} w,
deny @{lib}/@{multiarch}/vlc/{,**} w,
profile xdg-screensaver {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/xdg-screensaver mr,
@{bin}/xdg-screensaver mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/xset rix,
/{usr/,}bin/xautolock rix,
/{usr/,}bin/dbus-send rix,
@{bin}/{,ba,da}sh rix,
@{bin}/mv rix,
@{bin}/{,e}grep rix,
@{bin}/sed rix,
@{bin}/which{,.debianutils} rix,
@{bin}/xset rix,
@{bin}/xautolock rix,
@{bin}/dbus-send rix,
owner @{HOME}/.Xauthority r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt /{usr/,}bin/apt-get /{usr/,}{s,}bin/aptd
@{exec_path} = @{bin}/apt @{bin}/apt-get @{bin}/aptd
profile apt @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/apt-common>
@ -62,57 +62,57 @@ profile apt @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}{s,}bin/ r,
@{bin}/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/echo rix,
/{usr/,}bin/gdbus rix,
/{usr/,}bin/id rix,
/{usr/,}bin/ischroot rix,
/{usr/,}bin/test rix,
/{usr/,}bin/touch rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/echo rix,
@{bin}/gdbus rix,
@{bin}/id rix,
@{bin}/ischroot rix,
@{bin}/test rix,
@{bin}/touch rix,
/{usr/,}{s,}bin/dpkg-preconfigure rPx,
/{usr/,}{s,}bin/localepurge rPx,
/{usr/,}{s,}bin/update-command-not-found rPx,
/{usr/,}bin/adequate rPx,
/{usr/,}bin/appstreamcli rPx,
/{usr/,}bin/apt-listbugs rPx,
/{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/apt-show-versions rPx,
/{usr/,}bin/debtags rPx,
/{usr/,}bin/df rPx,
/{usr/,}bin/dmesg rPx,
/{usr/,}bin/dpkg rPx,
/{usr/,}bin/dpkg-source rcx -> dpkg-source,
/{usr/,}bin/etckeeper rPx,
/{usr/,}bin/ps rPx,
/{usr/,}bin/snap rPUx,
/{usr/,}bin/systemctl rCx -> systemctl,
/{usr/,}lib/cnf-update-db rPx,
/{usr/,}lib/needrestart/apt-pinvoke rPx,
@{libexec}/zsys-system-autosnapshot rPx,
@{bin}/adequate rPx,
@{bin}/appstreamcli rPx,
@{bin}/apt-listbugs rPx,
@{bin}/apt-listchanges rPx,
@{bin}/apt-show-versions rPx,
@{bin}/debtags rPx,
@{bin}/df rPx,
@{bin}/dmesg rPx,
@{bin}/dpkg rPx,
@{bin}/dpkg-preconfigure rPx,
@{bin}/dpkg-source rcx -> dpkg-source,
@{bin}/etckeeper rPx,
@{bin}/localepurge rPx,
@{bin}/ps rPx,
@{bin}/snap rPUx,
@{bin}/systemctl rCx -> systemctl,
@{bin}/update-command-not-found rPx,
@{lib}/cnf-update-db rPx,
@{lib}/needrestart/apt-pinvoke rPx,
@{lib}/zsys-system-autosnapshot rPx,
# For building the source after the download process is finished (apt-get source --compile)
/{usr/,}bin/dpkg-buildpackage rPUx,
@{bin}/dpkg-buildpackage rPUx,
# Methods to use to download packages from the net
/{usr/,}lib/apt/methods/* rPx,
@{lib}/apt/methods/* rPx,
# Ubuntu specificities
/{usr/,}lib/ubuntu-advantage/apt-esm-hook rPx,
/{usr/,}lib/ubuntu-advantage/apt-esm-json-hook rPx,
/{usr/,}lib/update-notifier/update-motd-updates-available rPx,
/usr/share/command-not-found/cnf-update-db rPx,
/usr/share/language-tools/language-options rPx,
@{lib}/ubuntu-advantage/apt-esm-hook rPx,
@{lib}/ubuntu-advantage/apt-esm-json-hook rPx,
@{lib}/update-notifier/update-motd-updates-available rPx,
/usr/share/command-not-found/cnf-update-db rPx,
/usr/share/language-tools/language-options rPx,
# For editing the sources.list file
/{usr/,}bin/sensible-editor rCx -> editor,
/{usr/,}bin/vim.* rCx -> editor,
@{bin}/sensible-editor rCx -> editor,
@{bin}/vim.* rCx -> editor,
# For changelogs
/{usr/,}bin/sensible-pager rCx -> pager,
@{bin}/sensible-pager rCx -> pager,
/usr/share/xml/iso-codes/{,**} r,
/usr/share/language-selector/data/pkg_depends r,
@ -161,10 +161,10 @@ profile apt @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/sensible-editor mr,
/{usr/,}bin/vim.* mrix,
/{usr/,}bin/which{,.debianutils} rix,
@{bin}/{,ba,da}sh rix,
@{bin}/sensible-editor mr,
@{bin}/vim.* mrix,
@{bin}/which{,.debianutils} rix,
/usr/share/vim/{,**} r,
@ -184,11 +184,11 @@ profile apt @{exec_path} flags=(attach_disconnected) {
capability dac_read_search,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/less rix,
/{usr/,}bin/sensible-pager mr,
/{usr/,}bin/which{,.debianutils} rix,
@{bin}/ r,
@{bin}/{,ba,da}sh rix,
@{bin}/less rix,
@{bin}/sensible-pager mr,
@{bin}/which{,.debianutils} rix,
/root/ r, # For shell pwd
@ -204,17 +204,17 @@ profile apt @{exec_path} flags=(attach_disconnected) {
include <abstractions/nameservice-strict>
include <abstractions/perl>
/{usr/,}bin/dpkg-source mr,
/{usr/,}bin/perl r,
@{bin}/dpkg-source mr,
@{bin}/perl r,
/{usr/,}bin/bunzip2 rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/gunzip rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/patch rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/xz rix,
@{bin}/bunzip2 rix,
@{bin}/chmod rix,
@{bin}/gunzip rix,
@{bin}/gzip rix,
@{bin}/patch rix,
@{bin}/rm rix,
@{bin}/tar rix,
@{bin}/xz rix,
/etc/dpkg/origins/debian r,
@ -235,9 +235,9 @@ profile apt @{exec_path} flags=(attach_disconnected) {
ptrace (read),
/{usr/,}bin/systemctl mr,
@{bin}/systemctl mr,
/{usr/,}bin/systemd-tty-ask-password-agent rix,
@{bin}/systemd-tty-ask-password-agent rix,
owner @{run}/systemd/ask-password-block/* rw,
owner @{run}/systemd/ask-password/ rw,
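Review bot: `@{libexec}/zsys-system-autosnapshot rPx,` becomes `@{lib}/zsys-system-autosnapshot rPx,` in the main-profile hunk, which only keeps matching the helper if the `@{lib}` tunable also expands to the `libexec` directory; that definition is not visible in this commit, so it should be confirmed before the `@{libexec}` form is dropped. The same concern applies to the `@{exec_path}` lines of apt-listbugs-aptcleanup, apt-listbugs-migratepins and apt-listbugs-prefclean (the last one previously matched the literal `/usr/libexec/apt-listbugs/prefclean`), where an attachment path that no longer matches means the program simply runs unconfined rather than failing loudly. Likewise the former `{s,}bin` entries (`aptd`, `dpkg-preconfigure`, `localepurge`, `update-command-not-found`) now rely on `@{bin}` covering `sbin`, which the earlier abstraction hunks suggest but this file does not state; a short comment next to the first such rule, e.g. `# @{bin} also covers sbin, @{lib} also covers libexec (see tunables)`, would make the dependency explicit. The enclosing profile block continues outside the hunk.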


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-cache
@{exec_path} = @{bin}/apt-cache
profile apt-cache @{exec_path} {
include <abstractions/base>
include <abstractions/apt-common>
@ -15,7 +15,7 @@ profile apt-cache @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg,
@{bin}/dpkg rPx -> child-dpkg,
/var/lib/dbus/machine-id r,
/etc/machine-id r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-cdrom
@{exec_path} = @{bin}/apt-cdrom
profile apt-cdrom @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/apt-common>
@ -16,10 +16,10 @@ profile apt-cdrom @{exec_path} flags=(complain) {
@{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg,
@{bin}/dpkg rPx -> child-dpkg,
/{usr/,}bin/mount rCx -> mount,
/{usr/,}bin/umount rCx -> umount,
@{bin}/mount rCx -> mount,
@{bin}/umount rCx -> umount,
/etc/fstab r,
@ -58,7 +58,7 @@ profile apt-cdrom @{exec_path} flags=(complain) {
profile mount flags=(complain) {
include <abstractions/base>
/{usr/,}bin/mount mr,
@{bin}/mount mr,
/etc/fstab r,
@ -71,7 +71,7 @@ profile apt-cdrom @{exec_path} flags=(complain) {
capability sys_admin,
/{usr/,}bin/umount mr,
@{bin}/umount mr,
@{run}/mount/utab{,.*} rw,
@{run}/mount/utab.lock rwk,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-config
@{exec_path} = @{bin}/apt-config
profile apt-config @{exec_path} {
include <abstractions/base>
include <abstractions/apt-common>
@ -15,7 +15,7 @@ profile apt-config @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg,
@{bin}/dpkg rPx -> child-dpkg,
owner /tmp/tmp*/apt.conf r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-extracttemplates
@{exec_path} = @{bin}/apt-extracttemplates
profile apt-extracttemplates @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -15,7 +15,7 @@ profile apt-extracttemplates @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg,
@{bin}/dpkg rPx -> child-dpkg,
/var/cache/apt/ r,
/var/cache/apt/** rwk,


@ -7,22 +7,22 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-file
@{exec_path} = @{bin}/apt-file
profile apt-file @{exec_path} {
include <abstractions/base>
include <abstractions/apt-common>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}bin/fgrep rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/xargs rix,
/{usr/,}lib/apt/apt-helper rix,
@{bin}/fgrep rix,
@{bin}/{,e}grep rix,
@{bin}/xargs rix,
@{lib}/apt/apt-helper rix,
/{usr/,}bin/apt-get rPx,
/{usr/,}bin/apt rPx,
@{bin}/apt-get rPx,
@{bin}/apt rPx,
/etc/apt/apt-file.conf r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-forktracer
@{exec_path} = @{bin}/apt-forktracer
profile apt-forktracer @{exec_path} {
include <abstractions/base>
include <abstractions/apt-common>
@ -15,9 +15,9 @@ profile apt-forktracer @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/ r,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/apt-cache rPx,
@{bin}/ r,
@{bin}/dpkg rPx -> child-dpkg,
@{bin}/apt-cache rPx,
/usr/share/apt-forktracer/{,**} r,
/usr/share/distro-info/debian.csv r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-ftparchive
@{exec_path} = @{bin}/apt-ftparchive
profile apt-ftparchive @{exec_path} {
include <abstractions/base>


@ -7,42 +7,42 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-key
@{exec_path} = @{bin}/apt-key
profile apt-key @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/comm rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/find rix,
/{usr/,}bin/id rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/uniq rix,
/{usr/,}bin/wc rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/cat rix,
@{bin}/chmod rix,
@{bin}/cmp rix,
@{bin}/comm rix,
@{bin}/cp rix,
@{bin}/cut rix,
@{bin}/find rix,
@{bin}/id rix,
@{bin}/mktemp rix,
@{bin}/readlink rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/sort rix,
@{bin}/touch rix,
@{bin}/tr rix,
@{bin}/uniq rix,
@{bin}/wc rix,
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpg{,2} rCx -> gpg,
@{bin}/gpgconf rCx -> gpg,
@{bin}/gpg{,2} rCx -> gpg,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
@{bin}/dpkg-query rpx,
#
/{usr/,}bin/apt-config rPx,
@{bin}/apt-config rPx,
# For shell pwd
/ r,
@ -67,12 +67,12 @@ profile apt-key @{exec_path} {
network inet stream,
network inet6 stream,
/{usr/,}bin/gpg{,2} mr,
/{usr/,}bin/gpgconf mr,
@{bin}/gpg{,2} mr,
@{bin}/gpgconf mr,
/{usr/,}bin/dirmngr rix,
/{usr/,}bin/gpg-agent rix,
/{usr/,}bin/gpg-connect-agent rix,
@{bin}/dirmngr rix,
@{bin}/gpg-agent rix,
@{bin}/gpg-connect-agent rix,
/usr/share/gnupg/sks-keyservers.netCA.pem r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-listbugs
@{exec_path} = @{bin}/apt-listbugs
profile apt-listbugs @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -23,25 +23,25 @@ profile apt-listbugs @{exec_path} {
network netlink raw,
@{exec_path} r,
/{usr/,}bin/ruby[0-9].[0-9]* rix,
@{bin}/ruby[0-9].[0-9]* rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/logname rix,
@{bin}/{,ba,da}sh rix,
@{bin}/logname rix,
/{usr/,}bin/apt-config rPx,
@{bin}/apt-config rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
@{bin}/dpkg-query rpx,
/usr/local/lib/site_ruby/[0-9].[0-9].[0-9]/**.rb r,
/usr/share/rubygems-integration/*/specifications/ r,
/usr/share/rubygems-integration/*/specifications/*.gemspec rwk,
/{usr/,}lib/ruby/gems/*/specifications/ r,
/{usr/,}lib/ruby/gems/*/specifications/** r,
/{usr/,}lib/ruby/gems/*/specifications/**.gemspec rwk,
@{lib}/ruby/gems/*/specifications/ r,
@{lib}/ruby/gems/*/specifications/** r,
@{lib}/ruby/gems/*/specifications/**.gemspec rwk,
/etc/apt/listbugs/{,*} r,
@ -53,8 +53,8 @@ profile apt-listbugs @{exec_path} {
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,


@ -6,14 +6,14 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/apt-listbugs/aptcleanup
@{exec_path} = @{lib}/apt-listbugs/aptcleanup
profile apt-listbugs-aptcleanup @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/ruby>
@{exec_path} r,
/{usr/,}bin/ruby2.[0-9]* rix,
@{bin}/ruby2.[0-9]* rix,
include if exists <local/apt-listbugs-aptcleanup>
}


@ -6,21 +6,21 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/apt-listbugs/migratepins
@{exec_path} = @{lib}/apt-listbugs/migratepins
profile apt-listbugs-migratepins @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/ruby>
@{exec_path} r,
/{usr/,}bin/ruby[0-9].[0-9]* rix,
@{bin}/ruby[0-9].[0-9]* rix,
/usr/share/rubygems-integration/*/specifications/ r,
/usr/share/rubygems-integration/*/specifications/*.gemspec rwk,
/{usr/,}lib/ruby/gems/*/specifications/ r,
/{usr/,}lib/ruby/gems/*/specifications/** r,
/{usr/,}lib/ruby/gems/*/specifications/**.gemspec rwk,
@{lib}/ruby/gems/*/specifications/ r,
@{lib}/ruby/gems/*/specifications/** r,
@{lib}/ruby/gems/*/specifications/**.gemspec rwk,
/etc/apt/preferences r,


@ -6,20 +6,20 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/libexec/apt-listbugs/prefclean
@{exec_path} = @{lib}/apt-listbugs/prefclean
profile apt-listbugs-prefclean @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/ruby>
@{exec_path} r,
/{usr/,}bin/ruby[0-9].[0-9]* rix,
@{bin}/ruby[0-9].[0-9]* rix,
/{usr/,}bin/date rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/cp rix,
@{bin}/date rix,
@{bin}/cat rix,
@{bin}/mktemp rix,
@{bin}/rm rix,
@{bin}/cp rix,
/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-listchanges
@{exec_path} = @{bin}/apt-listchanges
profile apt-listchanges @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -16,20 +16,20 @@ profile apt-listchanges @{exec_path} {
#capability sys_tty_config,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/tar rix,
@{bin}/ r,
@{bin}/{,ba,da}sh rix,
@{bin}/tar rix,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-deb rpx,
@{bin}/dpkg-deb rpx,
#
/{usr/,}bin/sensible-pager rCx -> pager,
@{bin}/sensible-pager rCx -> pager,
# Send results using email
/{usr/,}sbin/exim4 rPx,
@{bin}/exim4 rPx,
/usr/share/apt-listchanges/{,**} r,
@ -69,8 +69,8 @@ profile apt-listchanges @{exec_path} {
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
@ -82,12 +82,12 @@ profile apt-listchanges @{exec_path} {
capability dac_read_search,
#capability sys_tty_config,
/{usr/,}bin/sensible-pager mr,
@{bin}/sensible-pager mr,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/less rix,
@{bin}/ r,
@{bin}/{,ba,da}sh rix,
@{bin}/which{,.debianutils} rix,
@{bin}/less rix,
owner @{HOME}/.less* rw,


@ -7,14 +7,14 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-mark
@{exec_path} = @{bin}/apt-mark
profile apt-mark @{exec_path} {
include <abstractions/base>
include <abstractions/apt-common>
@{exec_path} mr,
/{usr/,}bin/dpkg rPx,
@{bin}/dpkg rPx,
/etc/machine-id r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/methods/cdrom
@{exec_path} = @{lib}/apt/methods/cdrom
profile apt-methods-cdrom @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/methods/copy
@{exec_path} = @{lib}/apt/methods/copy
profile apt-methods-copy @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -27,7 +27,7 @@ profile apt-methods-copy @{exec_path} {
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
@{lib}/apt/apt-helper rix,
# For shell pwd
/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/methods/file
@{exec_path} = @{lib}/apt/methods/file
profile apt-methods-file @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -27,7 +27,7 @@ profile apt-methods-file @{exec_path} {
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
@{lib}/apt/apt-helper rix,
# For shell pwd
/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/methods/ftp
@{exec_path} = @{lib}/apt/methods/ftp
profile apt-methods-ftp @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/methods/gpgv
@{exec_path} = @{lib}/apt/methods/gpgv
profile apt-methods-gpgv @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -28,27 +28,27 @@ profile apt-methods-gpgv @{exec_path} {
@{exec_path} mr,
# The following get "no new privs" so "rix" them
/{usr/,}bin/apt-config rix,
/{usr/,}bin/apt-key rix,
/{usr/,}bin/dpkg rix,
/{usr/,}bin/find rix,
/{usr/,}bin/gpg-connect-agent rix,
/{usr/,}bin/gpgconf rix,
/{usr/,}bin/gpgv rix,
@{bin}/apt-config rix,
@{bin}/apt-key rix,
@{bin}/dpkg rix,
@{bin}/find rix,
@{bin}/gpg-connect-agent rix,
@{bin}/gpgconf rix,
@{bin}/gpgv rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/base64 rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/head rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/touch rix,
@{bin}/{m,g,}awk rix,
@{bin}/base64 rix,
@{bin}/cat rix,
@{bin}/chmod rix,
@{bin}/cmp rix,
@{bin}/cp rix,
@{bin}/head rix,
@{bin}/mktemp rix,
@{bin}/readlink rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/sort rix,
@{bin}/touch rix,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/methods/http{,s}
@{exec_path} = @{lib}/apt/methods/http{,s}
profile apt-methods-http @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -36,7 +36,7 @@ profile apt-methods-http @{exec_path} {
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
@{lib}/apt/apt-helper rix,
# For shell pwd
/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/methods/mirror{,+*}
@{exec_path} = @{lib}/apt/methods/mirror{,+*}
profile apt-methods-mirror @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/methods/rred
@{exec_path} = @{lib}/apt/methods/rred
profile apt-methods-rred @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -27,7 +27,7 @@ profile apt-methods-rred @{exec_path} {
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
@{lib}/apt/apt-helper rix,
# For shell pwd
/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/methods/{r,s}sh
@{exec_path} = @{lib}/apt/methods/{r,s}sh
profile apt-methods-rsh @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/methods/store
@{exec_path} = @{lib}/apt/methods/store
profile apt-methods-store @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -27,7 +27,7 @@ profile apt-methods-store @{exec_path} {
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
@{lib}/apt/apt-helper rix,
# For shell pwd
/ r,


@ -6,20 +6,20 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-overlay
@{exec_path} = @{bin}/apt-overlay
profile apt-overlay @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@{exec_path} mr,
/{usr/,}bin/apt-get rPx,
/{usr/,}bin/ruby* mrix,
@{bin}/apt-get rPx,
@{bin}/ruby* mrix,
/{usr/,}sbin/apt-overlay r,
@{bin}/apt-overlay r,
/{usr/,}lib/ruby/{,**} r,
/{usr/,}lib/locale/locale-archive r,
/{usr/,}lib/ruby/gems/3.0.0/specifications/default/*.gemspec rwk,
@{lib}/ruby/{,**} r,
@{lib}/locale/locale-archive r,
@{lib}/ruby/gems/3.0.0/specifications/default/*.gemspec rwk,
/usr/share/rubygems-integration/{,**} r,
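Review bot: `@{lib}/ruby/gems/3.0.0/specifications/default/*.gemspec rwk,` keeps a hard-coded Ruby version while the apt-listbugs profiles in this same commit use `@{lib}/ruby/gems/*/specifications/...`; after a Ruby upgrade this rule silently stops matching and the profile starts denying the gemspec write/lock. Because the rule grants `w` and `k`, a deliberately narrow pattern may be intended; if so, a comment such as `# pinned to the packaged Ruby version; update on upgrade` would make that explicit, otherwise align the pattern with the sibling profiles. The enclosing profile block continues outside the hunk.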


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-show-versions
@{exec_path} = @{bin}/apt-show-versions
profile apt-show-versions @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -14,14 +14,14 @@ profile apt-show-versions @{exec_path} {
include <abstractions/apt-common>
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/perl r,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/apt-get rPx,
@{bin}/dpkg rPx -> child-dpkg,
@{bin}/apt-get rPx,
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
@{lib}/apt/apt-helper rix,
owner /var/cache/apt-show-versions/{a,i}packages-multiarch rw,
owner /var/cache/apt-show-versions/files rw,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-sortpkgs
@{exec_path} = @{bin}/apt-sortpkgs
profile apt-sortpkgs @{exec_path} {
include <abstractions/base>


@ -7,43 +7,43 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/apt.systemd.daily
@{exec_path} = @{lib}/apt/apt.systemd.daily
profile apt-systemd-daily @{exec_path} {
include <abstractions/base>
capability dac_read_search,
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/date rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/du rix,
/{usr/,}bin/env rix,
/{usr/,}bin/find rix,
/{usr/,}bin/flock rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/savelog rix,
/{usr/,}bin/seq rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/stat rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/uniq rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/xargs rix,
@{bin}/basename rix,
@{bin}/cmp rix,
@{bin}/cp rix,
@{bin}/date rix,
@{bin}/dirname rix,
@{bin}/du rix,
@{bin}/env rix,
@{bin}/find rix,
@{bin}/flock rix,
@{bin}/grep rix,
@{bin}/gzip rix,
@{bin}/ls rix,
@{bin}/mv rix,
@{bin}/rm rix,
@{bin}/savelog rix,
@{bin}/seq rix,
@{bin}/sort rix,
@{bin}/stat rix,
@{bin}/touch rix,
@{bin}/uniq rix,
@{bin}/wc rix,
@{bin}/which{,.debianutils} rix,
@{bin}/xargs rix,
/{usr/,}bin/apt-config rPx,
/{usr/,}bin/apt-get rPx,
/{usr/,}bin/apt-overlay rPx,
/{usr/,}bin/unattended-upgrade rPx,
@{bin}/apt-config rPx,
@{bin}/apt-get rPx,
@{bin}/apt-overlay rPx,
@{bin}/unattended-upgrade rPx,
/etc/default/locale r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aptitude{,-curses}
@{exec_path} = @{bin}/aptitude{,-curses}
profile aptitude @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@ -65,25 +65,25 @@ profile aptitude @{exec_path} flags=(complain) {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/test rix,
/{usr/,}bin/{,e}grep rix,
@{bin}/{,ba,da}sh rix,
@{bin}/test rix,
@{bin}/{,e}grep rix,
/{usr/,}bin/ps rPx,
/{usr/,}bin/dpkg rPx,
/{usr/,}bin/apt-listbugs rPx,
/{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/apt-show-versions rPx,
/{usr/,}sbin/dpkg-preconfigure rPx,
/{usr/,}bin/debtags rPx,
/{usr/,}sbin/localepurge rPx,
/{usr/,}bin/appstreamcli rPx,
/{usr/,}bin/adequate rPx,
/{usr/,}sbin/update-command-not-found rPx,
@{bin}/ps rPx,
@{bin}/dpkg rPx,
@{bin}/apt-listbugs rPx,
@{bin}/apt-listchanges rPx,
@{bin}/apt-show-versions rPx,
@{bin}/dpkg-preconfigure rPx,
@{bin}/debtags rPx,
@{bin}/localepurge rPx,
@{bin}/appstreamcli rPx,
@{bin}/adequate rPx,
@{bin}/update-command-not-found rPx,
/usr/share/command-not-found/cnf-update-db rPx,
# Methods to use to download packages from the net
/{usr/,}lib/apt/methods/* rPx,
@{lib}/apt/methods/* rPx,
/var/lib/apt/lists/** rw,
/var/lib/apt/lists/lock rwk,
@ -94,7 +94,7 @@ profile aptitude @{exec_path} flags=(complain) {
/var/log/aptitude w,
# For downloading the source of packages (showsrc/source options)
/{usr/,}bin/apt rPx,
@{bin}/apt rPx,
# For changelogs
owner /tmp/aptitude-*.@{pid}:*/cache{ContentCompressed,Extracted}* rw,
@ -104,7 +104,7 @@ profile aptitude @{exec_path} flags=(complain) {
owner @{user_cache_dirs}/aptitude/ rw,
owner @{user_cache_dirs}/aptitude/metadata-download{,-journal} rw,
owner @{user_cache_dirs}/aptitude/metadata-download rwk,
/{usr/,}bin/sensible-pager rCx -> pager,
@{bin}/sensible-pager rCx -> pager,
# For aptitude-run-state-bundle
owner /tmp/aptitudebug.*/ r,
@ -137,7 +137,7 @@ profile aptitude @{exec_path} flags=(complain) {
owner @{HOME}/.aptitude/config@{pid} rw,
/tmp/apt-changelog-*/ rw,
/var/lib/debtags/vocabulary r,
/{usr/,}bin/su rPx,
@{bin}/su rPx,
@{run}/lock/aptitude rwk,
/usr/share/aptitude/ r,
@ -170,12 +170,12 @@ profile aptitude @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/ r,
/{usr/,}bin/sensible-pager mr,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/ r,
@{bin}/sensible-pager mr,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/less rix,
@{bin}/which{,.debianutils} rix,
@{bin}/less rix,
owner @{HOME}/.less* rw,


@ -6,13 +6,13 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aptitude-changelog-parser
@{exec_path} = @{bin}/aptitude-changelog-parser
profile aptitude-changelog-parser @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/etc/dpkg/origins/debian r,


@ -6,19 +6,19 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aptitude-create-state-bundle
@{exec_path} = @{bin}/aptitude-create-state-bundle
profile aptitude-create-state-bundle @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/gzip rix,
@{bin}/which{,.debianutils} rix,
@{bin}/tar rix,
@{bin}/bzip2 rix,
@{bin}/gzip rix,
# Files included in the bundle
owner @{HOME}/.aptitude/{,*} r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aptitude-run-state-bundle
@{exec_path} = @{bin}/aptitude-run-state-bundle
profile aptitude-run-state-bundle @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -14,14 +14,14 @@ profile aptitude-run-state-bundle @{exec_path} {
include <abstractions/user-download-strict>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
@{bin}/tar rix,
@{bin}/bzip2 rix,
@{bin}/mktemp rix,
@{bin}/rm rix,
/{usr/,}bin/aptitude-curses rPx,
@{bin}/aptitude-curses rPx,
owner /tmp/aptitudebug.*/{,**} rw,


@ -8,8 +8,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/share/command-not-found/command-not-found
@{exec_path} += /{usr/,}bin/command-not-found
@{exec_path} += /{usr/,}lib/command-not-found
@{exec_path} += @{bin}/command-not-found
@{exec_path} += @{lib}/command-not-found
profile command-not-found @{exec_path} {
include <abstractions/base>
include <abstractions/apt-common>
@ -18,10 +18,10 @@ profile command-not-found @{exec_path} {
include <abstractions/python>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/snap rPx,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/snap rPx,
/var/lib/command-not-found/commands.db rwk,


@ -6,15 +6,15 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/debconf-apt-progress
@{exec_path} = @{bin}/debconf-apt-progress
profile debconf-apt-progress @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}bin/apt-get rPx,
@{bin}/apt-get rPx,
# Think what to do about this (#FIXME#)
/usr/share/debconf/frontend rPx,
@ -28,16 +28,16 @@ profile debconf-apt-progress @{exec_path} flags=(complain) {
include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}bin/debconf-apt-progress rPx,
@{bin}/debconf-apt-progress rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/locale rix,
@{bin}/{,ba,da}sh rix,
@{bin}/stty rix,
@{bin}/locale rix,
# The following is needed when debconf uses dialog/whiptail frontend.
/{usr/,}bin/whiptail rPx,
@{bin}/whiptail rPx,
/etc/debconf.conf r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,


@ -6,16 +6,16 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/debconf-show
@{exec_path} = @{bin}/debconf-show
profile debconf-show @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
include <abstractions/nameservice-strict>
@{exec_path} r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}bin/locale rix,
@{bin}/locale rix,
/etc/debconf.conf r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/deborphan
@{exec_path} = @{bin}/deborphan
profile deborphan @{exec_path} {
include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/debsecan
@{exec_path} = @{bin}/debsecan
profile debsecan @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -21,13 +21,13 @@ profile debsecan @{exec_path} {
network inet6 stream,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/ r,
@{bin}/{,ba,da}sh rix,
# Send results using email
/{usr/,}{s,}bin/exim4 rPx,
@{bin}/exim4 rPx,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,


@ -7,33 +7,33 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/debsign
@{exec_path} = @{bin}/debsign
profile debsign @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cu rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/head rix,
/{usr/,}bin/md5sum rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/perl rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sha{1,256,512}sum rix,
/{usr/,}bin/stty rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/basename rix,
@{bin}/cat rix,
@{bin}/cmp rix,
@{bin}/cp rix,
@{bin}/cu rix,
@{bin}/cut rix,
@{bin}/dirname rix,
@{bin}/getopt rix,
@{bin}/head rix,
@{bin}/md5sum rix,
@{bin}/mktemp rix,
@{bin}/mv rix,
@{bin}/perl rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/sha{1,256,512}sum rix,
@{bin}/stty rix,
/{usr/,}bin/gpg{,2} rCx -> gpg,
@{bin}/gpg{,2} rCx -> gpg,
/etc/devscripts.conf r,
@ -47,7 +47,7 @@ profile debsign @{exec_path} {
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpg{,2} mr,
@{bin}/gpg{,2} mr,
owner @{HOME}/@{XDG_GPG_DIR}/ r,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/debsums
@{exec_path} = @{bin}/debsums
profile debsums @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
@ -16,8 +16,8 @@ profile debsums @{exec_path} {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
/etc/dpkg/dpkg.cfg.d/{,*} r,
/etc/dpkg/dpkg.cfg r,
@ -29,18 +29,17 @@ profile debsums @{exec_path} {
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
@{bin}/dpkg-query rpx,
#
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/dpkg-divert rPx -> child-dpkg-divert,
@{bin}/dpkg rPx -> child-dpkg,
@{bin}/dpkg-divert rPx -> child-dpkg-divert,
# For shell pwd
/ r,
/root/ r,
# Scanning files
/{usr/,}bin/{,*} r,
/{usr/,}sbin/{,*} r,
@{bin}/{,*} r,
/usr/{,**} r,
/etc/{,**} r,
/var/lib/{,**} r,
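Review bot: The single `@{bin}/{,*} r,` under "Scanning files" replaces both `/{usr/,}bin/{,*} r,` and `/{usr/,}sbin/{,*} r,`, so debsums' ability to checksum files installed in sbin now rests entirely on @{bin} expanding to the sbin directories as well; the tunable's definition is not in this chunk, so that should be confirmed before merging. The `/usr/{,**} r,` rule below it still reaches /usr/sbin on merged-/usr systems, but a bare /sbin on a split layout is only covered through @{bin}. A comment such as `# @{bin} must also cover sbin so debsums can verify files there` would record the assumption.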


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/debtags
@{exec_path} = @{bin}/debtags
profile debtags @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -16,10 +16,10 @@ profile debtags @{exec_path} {
#capability sys_tty_config,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/dpkg rPx -> child-dpkg,
@{bin}/ r,
@{bin}/dpkg rPx -> child-dpkg,
owner @{PROC}/@{pid}/fd/ r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg
@{exec_path} = @{bin}/dpkg
profile dpkg @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -28,20 +28,20 @@ profile dpkg @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/rm rix,
@{bin}/{,ba,da}sh rix,
@{bin}/cat rix,
@{bin}/rm rix,
/{usr/,}bin/dpkg-deb rpx,
/{usr/,}bin/dpkg-query rpx,
/{usr/,}bin/dpkg-split rPx,
/{usr/,}lib/needrestart/dpkg-status rPx,
@{bin}/dpkg-deb rpx,
@{bin}/dpkg-query rpx,
@{bin}/dpkg-split rPx,
@{lib}/needrestart/dpkg-status rPx,
/usr/share/debian-security-support/check-support-status.hook rPx,
/{usr/,}bin/pager rCx -> diff,
/{usr/,}bin/less rCx -> diff,
/{usr/,}bin/more rCx -> diff,
/{usr/,}bin/diff rCx -> diff,
@{bin}/pager rCx -> diff,
@{bin}/less rCx -> diff,
@{bin}/more rCx -> diff,
@{bin}/diff rCx -> diff,
/etc/dpkg/dpkg.cfg.d/{,*} r,
/etc/dpkg/dpkg.cfg r,
@ -122,11 +122,11 @@ profile dpkg @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/ r,
/{usr/,}bin/pager mr,
/{usr/,}bin/less mr,
/{usr/,}bin/more mr,
/{usr/,}bin/diff mr,
@{bin}/ r,
@{bin}/pager mr,
@{bin}/less mr,
@{bin}/more mr,
@{bin}/diff mr,
/etc/** r, # Diff changed config files
/root/ r, # For shell pwd
@ -138,8 +138,8 @@ profile dpkg @{exec_path} {
profile scripts {
include <abstractions/base>
/{usr/,}{s,}bin/ r,
/{usr/,}{s,}bin/* rPUx,
@{bin}/ r,
@{bin}/* rPUx,
/var/lib/dpkg/info/*.config r,
/var/lib/dpkg/info/*.{preinst,postinst} r,
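Review bot: The `scripts` child profile's `@{bin}/* rPUx` (with `@{bin}/ r,` above it) lets maintainer scripts execute every binary in the @{bin} directories and falls back to unconfined whenever no profile exists; if @{bin} covers sbin as the old `/{usr/,}{s,}bin/*` did, the scope is unchanged, but this is the broadest exec rule in the file and carries no comment. Adding `# maintainer scripts may exec anything; unconfined fallback is intentional` would make clear that the `U` is deliberate rather than an oversight. The enclosing `profile dpkg` block starts and ends outside this hunk.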


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-architecture
@{exec_path} = @{bin}/dpkg-architecture
profile dpkg-architecture @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -17,11 +17,11 @@ profile dpkg-architecture @{exec_path} {
@{exec_path} r,
/usr/bin/perl r,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
@{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
@{lib}/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/ccache rCx -> ccache,
/{usr/,}bin/dpkg rPx -> child-dpkg,
@{bin}/ccache rCx -> ccache,
@{bin}/dpkg rPx -> child-dpkg,
/usr/share/dpkg/** r,
@ -34,11 +34,11 @@ profile dpkg-architecture @{exec_path} {
profile ccache {
include <abstractions/base>
/{usr/,}bin/ccache mr,
@{bin}/ccache mr,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix,
@{lib}/llvm-[0-9]*/bin/clang rix,
@{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
@{bin}/{,@{multiarch}-}g++-[0-9]* rix,
/media/ccache/*/** rw,
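Review bot: `/usr/bin/perl r,` at the top of the first hunk is left as a literal path while every other interpreter rule in this commit becomes `@{bin}/perl r,`; on a host where the interpreter is reached through /bin/perl without merged /usr this rule would not match. Change it to `@{bin}/perl r,` for consistency with the rest of the profile set. The `ccache` child profile's `/media/ccache/*/** rw,` is carried over unchanged.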


@ -6,13 +6,13 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-buildflags
@{exec_path} = @{bin}/dpkg-buildflags
profile dpkg-buildflags @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/etc/dpkg/origins/debian r,


@ -6,13 +6,13 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-checkbuilddeps
@{exec_path} = @{bin}/dpkg-checkbuilddeps
profile dpkg-checkbuilddeps @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/etc/dpkg/origins/debian r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-deb
@{exec_path} = @{bin}/dpkg-deb
profile dpkg-deb @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -18,8 +18,8 @@ profile dpkg-deb @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/tar rix,
/{usr/,}bin/rm rix,
@{bin}/tar rix,
@{bin}/rm rix,
owner /var/lib/dpkg/tmp.ci/ w,
owner /var/lib/dpkg/tmp.ci/* w,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-divert
@{exec_path} = @{bin}/dpkg-divert
profile dpkg-divert @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-genbuildinfo
@{exec_path} = @{bin}/dpkg-genbuildinfo
profile dpkg-genbuildinfo @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@ -17,7 +17,7 @@ profile dpkg-genbuildinfo @{exec_path} flags=(complain) {
capability dac_override,
@{exec_path} r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/usr/share/lto-disabled-list/lto-disabled-list r,
/usr/share/dpkg/cputable r,


@ -7,14 +7,14 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-genchanges
@{exec_path} = @{bin}/dpkg-genchanges
profile dpkg-genchanges @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/etc/dpkg/origins/debian r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/dpkg-preconfigure
@{exec_path} = @{bin}/dpkg-preconfigure
profile dpkg-preconfigure @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -17,15 +17,15 @@ profile dpkg-preconfigure @{exec_path} {
#capability sys_tty_config,
@{exec_path} r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/locale rix,
/{usr/,}bin/stty rix,
@{bin}/{,ba,da}sh rix,
@{bin}/locale rix,
@{bin}/stty rix,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/apt-extracttemplates rPx,
/{usr/,}bin/whiptail rPx,
@{bin}/dpkg rPx -> child-dpkg,
@{bin}/apt-extracttemplates rPx,
@{bin}/whiptail rPx,
/etc/shadow r,
@ -46,8 +46,8 @@ profile dpkg-preconfigure @{exec_path} {
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/hostname rix,
@{HOME}/.Xauthority r,
owner @{PROC}/@{pid}/mounts r,
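Review bot: The attachment path changes from `/{usr/,}sbin/dpkg-preconfigure` to `@{bin}/dpkg-preconfigure`; if @{bin} does not expand to the sbin directories (its definition is not visible here) the profile would silently stop attaching and dpkg-preconfigure would run unconfined rather than fail, so this should be checked with `aa-status` on a non-merged-/usr host. Separately, the context line `/etc/shadow r,` grants a package-preconfiguration tool read access to password hashes with no comment explaining the need; if a specific debconf frontend requires it, a comment such as `# needed by <frontend>: confirm` should say so, and otherwise the rule should be dropped. The enclosing profile continues outside the hunk.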


@ -6,18 +6,18 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-query
@{exec_path} = @{bin}/dpkg-query
profile dpkg-query @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
/var/lib/dpkg/** r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-split
@{exec_path} = @{bin}/dpkg-split
profile dpkg-split @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -19,7 +19,7 @@ profile dpkg-split @{exec_path} {
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-deb rpx,
@{bin}/dpkg-deb rpx,
/var/lib/dpkg/parts/ r,
/var/lib/dpkg/parts/* r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-trigger
@{exec_path} = @{bin}/dpkg-trigger
profile dpkg-trigger @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-vendor
@{exec_path} = @{bin}/dpkg-vendor
profile dpkg-vendor @{exec_path} {
include <abstractions/base>
include <abstractions/perl>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/querybts
@{exec_path} = @{bin}/querybts
profile querybts @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
@ -26,16 +26,16 @@ profile querybts @{exec_path} {
network netlink raw,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix,
/{usr/,}{s,}bin/ldconfig rix,
@{bin}/ r,
@{bin}/{,ba,da}sh rix,
@{bin}/stty rix,
@{bin}/ldconfig rix,
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/xdg-open rCx -> open,
/{usr/,}bin/dpkg rPx -> child-dpkg,
@{bin}/dpkg rPx -> child-dpkg,
/etc/reportbug.conf r,
owner @{HOME}/.reportbugrc r,
@ -56,26 +56,26 @@ profile querybts @{exec_path} {
/etc/machine-id r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/reportbug
@{exec_path} = @{bin}/reportbug
profile reportbug @{exec_path} {
include <abstractions/base>
include <abstractions/apt-common>
@ -30,39 +30,39 @@ profile reportbug @{exec_path} {
@{exec_path} r,
/{usr/,}bin/ r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/ r,
@{bin}/python3.[0-9]* r,
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}{s,}bin/selinuxenabled rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/aa-enabled rix,
/{usr/,}bin/locale rix,
/{usr/,}bin/md5sum rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/stty rix,
@{bin}/ldconfig rix,
@{bin}/selinuxenabled rix,
@{bin}/{,ba,da}sh rix,
@{bin}/aa-enabled rix,
@{bin}/locale rix,
@{bin}/md5sum rix,
@{bin}/readlink rix,
@{bin}/stty rix,
/usr/share/reportbug/handle_bugscript rix,
/{usr/,}{s,}bin/exim4 rPx,
/{usr/,}bin/apt-cache rPx,
/{usr/,}bin/debconf-show rPx,
/{usr/,}bin/debsums rPx,
/{usr/,}bin/dlocate rPx,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/dpkg-query rpx,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}lib/firefox/firefox rPUx, # App allowed to open
/usr/share/bug/* rPUx,
@{bin}/exim4 rPx,
@{bin}/apt-cache rPx,
@{bin}/debconf-show rPx,
@{bin}/debsums rPx,
@{bin}/dlocate rPx,
@{bin}/dpkg rPx -> child-dpkg,
@{bin}/dpkg-query rpx,
@{bin}/less rPx -> child-pager,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
@{bin}/systemctl rPx -> child-systemctl,
@{lib}/firefox/firefox rPUx, # App allowed to open
/usr/share/bug/* rPUx,
/{usr/,}bin/gpg{,2} rCx -> gpg,
/{usr/,}bin/run-parts rCx -> run-parts,
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/run-parts rCx -> run-parts,
@{bin}/xdg-open rCx -> open,
/{usr/,}lib/python3/dist-packages/pylocales/locales.db rk,
@{lib}/python3/dist-packages/pylocales/locales.db rk,
/usr/share/bug/*/{control,presubj} r,
/usr/share/X11/xkb/** r,
@ -92,14 +92,14 @@ profile reportbug @{exec_path} {
profile run-parts {
include <abstractions/base>
/{usr/,}bin/run-parts mr,
@{bin}/run-parts mr,
}
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpg{,2} mr,
@{bin}/gpg{,2} mr,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
@ -113,19 +113,19 @@ profile reportbug @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/synaptic /{usr/,}bin/synaptic-pkexec
@{exec_path} = @{bin}/synaptic @{bin}/synaptic-pkexec
profile synaptic @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -63,13 +63,13 @@ profile synaptic @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/test rix,
/{usr/,}bin/{,e}grep rix,
@{bin}/{,ba,da}sh rix,
@{bin}/test rix,
@{bin}/{,e}grep rix,
# For update-apt-xapian-index
/{usr/,}bin/nice rix,
/{usr/,}bin/ionice rix,
@{bin}/nice rix,
@{bin}/ionice rix,
# When synaptic is run as root, it wants to exec dbus-launch, and hence it creates the two
# following root processes:
@ -77,31 +77,31 @@ profile synaptic @{exec_path} {
# /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
#
# Should this be allowed? Synaptic works fine without this.
#/{usr/,}bin/dbus-launch rCx -> dbus,
#/{usr/,}bin/dbus-send rCx -> dbus,
deny /{usr/,}bin/dbus-launch rx,
deny /{usr/,}bin/dbus-send rx,
#@{bin}/dbus-launch rCx -> dbus,
#@{bin}/dbus-send rCx -> dbus,
deny @{bin}/dbus-launch rx,
deny @{bin}/dbus-send rx,
/{usr/,}bin/ps rPx,
/{usr/,}bin/dpkg rPx,
/{usr/,}bin/apt-listbugs rPx,
/{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/apt-show-versions rPx,
/{usr/,}sbin/dpkg-preconfigure rPx,
/{usr/,}bin/debtags rPx,
/{usr/,}sbin/localepurge rPx,
/{usr/,}bin/appstreamcli rPx,
/{usr/,}bin/adequate rPx,
/{usr/,}sbin/update-command-not-found rPx,
@{bin}/ps rPx,
@{bin}/dpkg rPx,
@{bin}/apt-listbugs rPx,
@{bin}/apt-listchanges rPx,
@{bin}/apt-show-versions rPx,
@{bin}/dpkg-preconfigure rPx,
@{bin}/debtags rPx,
@{bin}/localepurge rPx,
@{bin}/appstreamcli rPx,
@{bin}/adequate rPx,
@{bin}/update-command-not-found rPx,
/usr/share/command-not-found/cnf-update-db rPx,
/{usr/,}sbin/update-apt-xapian-index rPx,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/deborphan rPx,
/{usr/,}bin/tasksel rPx,
/{usr/,}bin/pkexec rPx,
@{bin}/update-apt-xapian-index rPx,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/deborphan rPx,
@{bin}/tasksel rPx,
@{bin}/pkexec rPx,
# Methods to use to download packages from the net
/{usr/,}lib/apt/methods/* rPx,
@{lib}/apt/methods/* rPx,
/var/lib/apt/lists/** rw,
/var/lib/apt/lists/lock rwk,
@ -163,9 +163,9 @@ profile synaptic @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/dbus-launch mr,
/{usr/,}bin/dbus-send mr,
/{usr/,}bin/dbus-daemon rPUx,
@{bin}/dbus-launch mr,
@{bin}/dbus-send mr,
@{bin}/dbus-daemon rPUx,
# for dbus-launch
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
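Review bot: `@{exec_path} = @{bin}/synaptic @{bin}/synaptic-pkexec` replaces a rule that attached to `/{usr/,}sbin/synaptic`; synaptic is launched as root through `@{bin}/pkexec rPx`, so if @{bin} turns out not to cover the sbin directories the profile would not attach and the root process would run unconfined with no error reported. Confirm with `aa-status` after loading on a non-merged-/usr host, and record the assumption with a comment such as `# synaptic is installed in sbin; @{bin} must include it`. The same applies to `@{bin}/dpkg-preconfigure`, `@{bin}/localepurge`, `@{bin}/update-command-not-found` and `@{bin}/update-apt-xapian-index` in this hunk, which were all sbin paths before the commit.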
