refactor(profiles): use @{bin} and @{lib} in profiles (1)

This commit is contained in:
Alexandre Pujol 2023-07-09 13:20:25 +01:00
parent 59469b57b4
commit bb71f49598
125 changed files with 955 additions and 959 deletions


@ -8,8 +8,8 @@
# Root app location # Root app location
/ r, / r,
/usr/ r, /usr/ r,
/{usr/,}{s,}bin/ r, @{bin}/ r,
/{usr/,}{s,}bin/[a-z0-9]* rPUx, @{bin}/[a-z0-9]* rPUx,
/usr/local/{s,}bin/ r, /usr/local/{s,}bin/ r,
/usr/local/{s,}bin/[a-zA-Z0-9]* rPUx, /usr/local/{s,}bin/[a-zA-Z0-9]* rPUx,
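Review bot: The new `@{bin}/ r,` and `@{bin}/[a-z0-9]* rPUx,` rules only keep the old coverage if `@{bin}` expands to the same `/{usr/,}{s,}bin` alternation the removed lines spelled out; that definition is not in this diff (presumably tunables/global), so confirm it includes the sbin variants, otherwise sbin executables silently lose their `PUx` transition. Independently, `[a-z0-9]*` constrains only the first character, since AppArmor's `*` matches anything except `/`, so this stays a broad fall-back-to-unconfined rule; a one-line comment above it such as `# any system-bin executable may run; unconfined if it has no profile` would make that explicit for the next reader. The abstraction continues outside this hunk.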


@ -21,26 +21,26 @@
/usr/share/codium/codium rPUx, /usr/share/codium/codium rPUx,
# Firefox # Firefox
/{usr/,}bin/firefox{,.sh,-esr,-bin} rPx, @{bin}/firefox{,.sh,-esr,-bin} rPx,
/{usr/,}lib{,32,64}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx, @{lib}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx,
/opt/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx, /opt/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx,
# Thunderbird # Thunderbird
/{usr/,}bin/thunderbird{,.sh,-esr,-bin} rPx, @{bin}/thunderbird{,.sh,-esr,-bin} rPx,
/{usr/,}lib{,32,64}/thunderbird{,.sh,-esr,-bin}/thunderbird{,.sh,-esr,-bin} rPx, @{lib}/thunderbird{,.sh,-esr,-bin}/thunderbird{,.sh,-esr,-bin} rPx,
/opt/thunderbird{,.sh,-esr,-bin}/thunderbird{,.sh,-esr,-bin} rPx, /opt/thunderbird{,.sh,-esr,-bin}/thunderbird{,.sh,-esr,-bin} rPx,
# Brave # Brave
/opt/brave{-bin,.com}/brave{,-beta,-dev,-bin}/brave{,-beta,-dev,-bin,-browser} rPx, /opt/brave{-bin,.com}/brave{,-beta,-dev,-bin}/brave{,-beta,-dev,-bin,-browser} rPx,
# Chromium # Chromium
/{usr/,}lib/chromium/chromium rPx, @{lib}/chromium/chromium rPx,
# Chrome # Chrome
/opt/google/chrome{,-beta,-stable,-unstable}/chrome{,-beta,-stable,-unstable} rPx, /opt/google/chrome{,-beta,-stable,-unstable}/chrome{,-beta,-stable,-unstable} rPx,
# Opera # Opera
/{usr/,}lib/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer} rPx, @{lib}/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer} rPx,
# Discord # Discord
/usr/share/ r, /usr/share/ r,


@ -8,7 +8,7 @@
# This abstraction requires the following variables definied in the profile header: # This abstraction requires the following variables definied in the profile header:
# @{chromium_name} = chromium # @{chromium_name} = chromium
# @{chromium_domain} = org.chromium.Chromium # @{chromium_domain} = org.chromium.Chromium
# @{chromium_lib_dirs} = /{usr/,}lib/chromium # @{chromium_lib_dirs} = @{lib}/chromium
# @{chromium_config_dirs} = @{user_config_dirs}/chromium # @{chromium_config_dirs} = @{user_config_dirs}/chromium
# @{chromium_cache_dirs} = @{user_cache_dirs}/chromium # @{chromium_cache_dirs} = @{user_cache_dirs}/chromium
@ -60,32 +60,32 @@
@{chromium_lib_dirs}/chrome-sandbox rPx, @{chromium_lib_dirs}/chrome-sandbox rPx,
# Desktop integration # Desktop integration
/{usr/,}bin/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-desktop-menu rPx, @{bin}/xdg-desktop-menu rPx,
/{usr/,}bin/xdg-email rPx, @{bin}/xdg-email rPx,
/{usr/,}bin/xdg-icon-resource rPx, @{bin}/xdg-icon-resource rPx,
/{usr/,}bin/xdg-mime rPx, @{bin}/xdg-mime rPx,
/{usr/,}bin/xdg-open rPx -> child-open, @{bin}/xdg-open rPx -> child-open,
/{usr/,}bin/xdg-settings rPx, @{bin}/xdg-settings rPx,
# Installing/removing extensions & applications # Installing/removing extensions & applications
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
/{usr/,}bin/cat rix, @{bin}/cat rix,
/{usr/,}bin/cut rix, @{bin}/cut rix,
/{usr/,}bin/mkdir rix, @{bin}/mkdir rix,
/{usr/,}bin/mktemp rix, @{bin}/mktemp rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
/{usr/,}bin/touch rix, @{bin}/touch rix,
# For storing passwords externally # For storing passwords externally
/{usr/,}bin/keepassxc-proxy rix, # as a temporary solution - see issue #128 @{bin}/keepassxc-proxy rix, # as a temporary solution - see issue #128
/{usr/,}bin/browserpass rPx, @{bin}/browserpass rPx,
# Gnome shell integration # Gnome shell integration
/{usr/,}bin/chrome-gnome-shell rPx, @{bin}/chrome-gnome-shell rPx,
/{usr/,}bin/gnome-browser-connector-host rPx, @{bin}/gnome-browser-connector-host rPx,
/usr/share/@{chromium_name}/{,**} r, /usr/share/@{chromium_name}/{,**} r,
/usr/share/chromium/extensions/{,**} r, /usr/share/chromium/extensions/{,**} r,


@ -42,12 +42,12 @@
#owner /tmp/orcexec.* mrw, #owner /tmp/orcexec.* mrw,
#owner @{HOME}/orcexec.* mrw, #owner @{HOME}/orcexec.* mrw,
/{usr/,}lib/frei0r-[0-9]/*.so mr, @{lib}/frei0r-[0-9]/*.so mr,
/{usr/,}lib{,exec}/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix, @{lib}/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
/{usr/,}lib{,exec}/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix, @{lib}/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
/{usr/,}lib/@{multiarch}/libproxy/*/modules/*.so mr, @{lib}/@{multiarch}/libproxy/*/modules/*.so mr,
/{usr/,}lib/@{multiarch}/libproxy/*/pxgsettings ixr, @{lib}/@{multiarch}/libproxy/*/pxgsettings ixr,
/{usr/,}lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr, @{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,
owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/ rw, owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/ rw,
owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,


@ -6,9 +6,9 @@
/usr/share/kde4/** r, /usr/share/kde4/** r,
/{usr/,}lib/kde4/*.so mr, @{lib}/kde4/*.so mr,
/{usr/,}lib/kde4/plugins/*/ r, @{lib}/kde4/plugins/*/ r,
/{usr/,}lib/kde4/plugins/*/*.so mr, @{lib}/kde4/plugins/*/*.so mr,
# Create home KDE directory structure # Create home KDE directory structure
owner @{HOME}/.kde{,4}/ rw, owner @{HOME}/.kde{,4}/ rw,


@ -7,8 +7,8 @@
include <abstractions/thumbnails-cache-read> include <abstractions/thumbnails-cache-read>
# KDE/Plasma5 themes # KDE/Plasma5 themes
#/{usr/,}lib/@{multiarch}/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so mr, #@{lib}/@{multiarch}/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so mr,
#/{usr/,}lib/@{multiarch}/qt5/plugins/styles/breeze.so mr, #@{lib}/@{multiarch}/qt5/plugins/styles/breeze.so mr,
#/usr/share/plasma/look-and-feel/** r, #/usr/share/plasma/look-and-feel/** r,
#/usr/share/color-schemes/*.colors r, #/usr/share/color-schemes/*.colors r,
@ -34,7 +34,7 @@
#owner /**/.directory r, #owner /**/.directory r,
# For bookmarks # For bookmarks
#/{usr/,}bin/keditbookmarks rPUx, #@{bin}/keditbookmarks rPUx,
#owner @{user_share_dirs}/kfile/ rw, #owner @{user_share_dirs}/kfile/ rw,
#owner @{user_share_dirs}/kfile/#[0-9]*[0-9] rw, #owner @{user_share_dirs}/kfile/#[0-9]*[0-9] rw,
#owner @{user_share_dirs}/kfile/bookmarks.xml* rwl -> @{user_share_dirs}/kfile/#[0-9]*[0-9], #owner @{user_share_dirs}/kfile/bookmarks.xml* rwl -> @{user_share_dirs}/kfile/#[0-9]*[0-9],


@ -3,8 +3,8 @@
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/python{2.[4-7],3,3.[0-9],3.1[0-9]} r, @{bin}/python{2.[4-7],3,3.[0-9],3.1[0-9]} r,
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so} mr, owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so} mr,
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r, owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r,


@ -8,7 +8,7 @@
/usr/share/zsh/{,**} r, /usr/share/zsh/{,**} r,
/usr/local/share/zsh/{,**} r, /usr/local/share/zsh/{,**} r,
/{usr/,}lib/@{multiarch}/zsh/[0-9]*/zsh/*.so mr, @{lib}/@{multiarch}/zsh/[0-9]*/zsh/*.so mr,
/etc/zsh/zshenv r, /etc/zsh/zshenv r,
/etc/zsh/zshrc r, /etc/zsh/zshrc r,


@ -15,8 +15,8 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd @{exec_path} = @{lib}/systemd/systemd
profile systemd /{usr/,}lib/systemd/systemd flags=(complain) { profile systemd @{lib}/systemd/systemd flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
@ -30,56 +30,56 @@ profile systemd /{usr/,}lib/systemd/systemd flags=(complain) {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,
/{usr/,}lib/systemd/user-environment-generators/* rPx, @{lib}/systemd/user-environment-generators/* rPx,
/{usr/,}lib/systemd/user-environment-generators/* rPx, @{lib}/systemd/user-environment-generators/* rPx,
/{usr/,}lib/systemd/user-generators/* rPx, @{lib}/systemd/user-generators/* rPx,
# Server # Server
/{usr/,}lib/openssh/agent-launch rPx, @{lib}/openssh/agent-launch rPx,
# Dbus # Dbus
@{libexec}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx, @{bin}/dbus-daemon rPx,
/{usr/,}bin/dbus-daemon rPx, @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
# Desktop # Desktop
@{libexec}/xdg-desktop-portal* rPx, @{bin}/xdg-user-dirs-update rPx,
@{libexec}/xdg-document-portal rPx, @{lib}/xdg-desktop-portal* rPx,
@{libexec}/xdg-permission-store rPx, @{lib}/xdg-document-portal rPx,
/{usr/,}bin/xdg-user-dirs-update rPx, @{lib}/xdg-permission-store rPx,
# Audio # Audio
/{usr/,}bin/pipewire rux, # FIXME: no new privs @{bin}/pipewire rux, # FIXME: no new privs
/{usr/,}bin/pipewire-pulse rux, # FIXME: no new privs @{bin}/pipewire-pulse rux, # FIXME: no new privs
/{usr/,}bin/pulseaudio rux, # FIXME: no new privs @{bin}/pulseaudio rux, # FIXME: no new privs
/{usr/,}bin/wireplumber rux, # FIXME: no new privs @{bin}/wireplumber rux, # FIXME: no new privs
# Gnome # Gnome
@{libexec}/{,dconf/}dconf-service rPx, @{bin}/gjs rPx,
@{libexec}/evolution-addressbook-factory rPx, @{bin}/gnome-keyring-daemon rPx,
@{libexec}/evolution-calendar-factory rPx, @{bin}/gnome-shell rPx,
@{libexec}/evolution-source-registry rPx, @{bin}/gsettings rPx,
@{libexec}/gnome-session-binary rPx, @{lib}/{,dconf/}dconf-service rPx,
@{libexec}/gnome-session-ctl rPx, @{lib}/dconf/dconf-service rPx,
@{libexec}/gnome-terminal-server rPx, @{lib}/evolution-addressbook-factory rPx,
@{libexec}/goa-* rPx, @{lib}/evolution-calendar-factory rPx,
@{libexec}/gsd-* rPx, @{lib}/evolution-source-registry rPx,
@{libexec}/gvfs-* rPx, @{lib}/gnome-session-binary rPx,
@{libexec}/gvfsd* rPx, @{lib}/gnome-session-ctl rPx,
@{libexec}/tracker-extract-* rPx, @{lib}/gnome-terminal-server rPx,
@{libexec}/tracker-miner-* rPx, @{lib}/goa-* rPx,
/{usr/,}bin/gjs rPx, @{lib}/gsd-* rPx,
/{usr/,}bin/gnome-keyring-daemon rPx, @{lib}/gvfs-* rPx,
/{usr/,}bin/gnome-shell rPx, @{lib}/gvfs/gvfs-* rPx,
/{usr/,}bin/gsettings rPx, @{lib}/gvfs/gvfsd* rPx,
/{usr/,}lib/dconf/dconf-service rPx, @{lib}/gvfsd* rPx,
/{usr/,}lib/gvfs/gvfs-* rPx, @{lib}/tracker-extract-* rPx,
/{usr/,}lib/gvfs/gvfsd* rPx, @{lib}/tracker-miner-* rPx,
# Ubuntu # Ubuntu
/{usr/,}bin/snap rPx, @{bin}/snap rPx,
/etc/systemd/user.conf r, /etc/systemd/user.conf r,
/etc/systemd/user.conf.d/{,**} r, /etc/systemd/user.conf.d/{,**} r,
@ -123,7 +123,7 @@ profile systemd /{usr/,}lib/systemd/systemd flags=(complain) {
profile systemctl { profile systemctl {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/systemctl mr, @{bin}/systemctl mr,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
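Review bot: The rewritten Gnome block now carries a redundant pair: `@{lib}/{,dconf/}dconf-service rPx,` already matches everything that `@{lib}/dconf/dconf-service rPx,` on the following line matches, so the second line can be dropped (the two identical `@{lib}/systemd/user-environment-generators/* rPx,` lines are the same kind of duplicate). This is not a security regression, both are `Px`, but duplicate entries make later audits of an already long transition list harder. Replacing `@{libexec}` with `@{lib}` presumably also widens each of these attachment globs to every lib directory the tunable covers; that is acceptable because every rewritten rule is `Px` or `Cx`, leaving the `rux` audio entries with their FIXME as the only unconfined transitions in the block. The systemd profile body starts before and continues past these hunks.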


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_akonotes_resource @{exec_path} = @{bin}/akonadi_akonotes_resource
profile akonadi_akonotes_resource @{exec_path} { profile akonadi_akonotes_resource @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-common> include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_archivemail_agent @{exec_path} = @{bin}/akonadi_archivemail_agent
profile akonadi_archivemail_agent @{exec_path} { profile akonadi_archivemail_agent @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-common> include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_birthdays_resource @{exec_path} = @{bin}/akonadi_birthdays_resource
profile akonadi_birthdays_resource @{exec_path} { profile akonadi_birthdays_resource @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-common> include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_contacts_resource @{exec_path} = @{bin}/akonadi_contacts_resource
profile akonadi_contacts_resource @{exec_path} { profile akonadi_contacts_resource @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-common> include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_control @{exec_path} = @{bin}/akonadi_control
profile akonadi_control @{exec_path} { profile akonadi_control @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-common> include <abstractions/dri-common>
@ -21,8 +21,8 @@ profile akonadi_control @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/akonadi_* rPUx, @{bin}/akonadi_* rPUx,
/{usr/,}bin/akonadiserver rPx, @{bin}/akonadiserver rPx,
/usr/share/akonadi/{,**} r, /usr/share/akonadi/{,**} r,
/usr/share/hwdata/*.ids r, /usr/share/hwdata/*.ids r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_followupreminder_agent @{exec_path} = @{bin}/akonadi_followupreminder_agent
profile akonadi_followupreminder_agent @{exec_path} { profile akonadi_followupreminder_agent @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-common> include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_ical_resource @{exec_path} = @{bin}/akonadi_ical_resource
profile akonadi_ical_resource @{exec_path} { profile akonadi_ical_resource @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-common> include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_indexing_agent @{exec_path} = @{bin}/akonadi_indexing_agent
profile akonadi_indexing_agent @{exec_path} { profile akonadi_indexing_agent @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-common> include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_maildir_resource @{exec_path} = @{bin}/akonadi_maildir_resource
profile akonadi_maildir_resource @{exec_path} { profile akonadi_maildir_resource @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-common> include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_maildispatcher_agent @{exec_path} = @{bin}/akonadi_maildispatcher_agent
profile akonadi_maildispatcher_agent @{exec_path} { profile akonadi_maildispatcher_agent @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-common> include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_mailfilter_agent @{exec_path} = @{bin}/akonadi_mailfilter_agent
profile akonadi_mailfilter_agent @{exec_path} { profile akonadi_mailfilter_agent @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-common> include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_mailmerge_agent @{exec_path} = @{bin}/akonadi_mailmerge_agent
profile akonadi_mailmerge_agent @{exec_path} { profile akonadi_mailmerge_agent @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-common> include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_migration_agent @{exec_path} = @{bin}/akonadi_migration_agent
profile akonadi_migration_agent @{exec_path} { profile akonadi_migration_agent @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-common> include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_newmailnotifier_agent @{exec_path} = @{bin}/akonadi_newmailnotifier_agent
profile akonadi_newmailnotifier_agent @{exec_path} { profile akonadi_newmailnotifier_agent @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-common> include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_notes_agent @{exec_path} = @{bin}/akonadi_notes_agent
profile akonadi_notes_agent @{exec_path} { profile akonadi_notes_agent @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-common> include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_sendlater_agent @{exec_path} = @{bin}/akonadi_sendlater_agent
profile akonadi_sendlater_agent @{exec_path} { profile akonadi_sendlater_agent @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-common> include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/akonadi_unifiedmailbox_agent @{exec_path} = @{bin}/akonadi_unifiedmailbox_agent
profile akonadi_unifiedmailbox_agent @{exec_path} { profile akonadi_unifiedmailbox_agent @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-common> include <abstractions/dri-common>


@ -44,40 +44,38 @@ profile android-studio @{exec_path} {
network netlink raw, network netlink raw,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/python3.[0-9]* rix, @{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/cat rix,
@{bin}/chattr rix,
@{bin}/chmod rix,
@{bin}/cut rix,
@{bin}/dirname rix,
@{bin}/kill rix,
@{bin}/ldconfig rix,
@{bin}/mktemp rix,
@{bin}/nice rix,
@{bin}/python3.[0-9]* rix,
@{bin}/readlink rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/setsid rix,
@{bin}/uname rix,
@{bin}/which{,.debianutils} rix,
@{bin}/xargs rix,
/{usr/,}bin/which{,.debianutils} rix, @{bin}/git rPx,
/{usr/,}bin/uname rix, @{bin}/lsusb rPx,
/{usr/,}bin/{,e}grep rix, @{bin}/ps rPx,
/{usr/,}bin/cut rix, @{bin}/xdg-mime rPx,
/{usr/,}bin/readlink rix, @{bin}/xprop rPx,
/{usr/,}bin/xargs rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/sed rix,
/{usr/,}{s,}bin/ldconfig rix, @{bin}/gpg{,2} rCx -> gpg,
/{usr/,}bin/chmod rix, @{bin}/lsb_release rCx -> lsb-release,
/{usr/,}bin/chattr rix, @{bin}/xdg-open rCx -> open,
/{usr/,}bin/setsid rix,
/{usr/,}bin/nice rix,
/{usr/,}bin/kill rix,
/{usr/,}bin/lsusb rPx, @{lib}/jvm/java-[0-9]*-openjdk-*/jre/bin/* rix,
/{usr/,}bin/xprop rPx,
/{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/ps rPx,
/{usr/,}bin/git rPx,
/{usr/,}bin/lsb_release rCx -> lsb-release,
/{usr/,}bin/gpg{,2} rCx -> gpg,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/jre/bin/* rix,
/etc/java-[0-9]*-openjdk/** r, /etc/java-[0-9]*-openjdk/** r,
/usr/share/java/java-atk-wrapper.jar r, /usr/share/java/java-atk-wrapper.jar r,
@ -89,8 +87,7 @@ profile android-studio @{exec_path} {
@{MOUNTS}/ r, @{MOUNTS}/ r,
@{MOUNTS}/*/ r, @{MOUNTS}/*/ r,
/usr/ r, /usr/ r,
/{usr/,}lib/ r, @{lib}/ r,
/{usr/,}lib{x32,32,64}/ r,
@{AS_LIBDIR}/ rw, @{AS_LIBDIR}/ rw,
@{AS_LIBDIR}/** mrwkix, @{AS_LIBDIR}/** mrwkix,
@ -99,12 +96,12 @@ profile android-studio @{exec_path} {
# Currently there is only the target platform of API Level 23 packaged, so only apps targeted at # Currently there is only the target platform of API Level 23 packaged, so only apps targeted at
# android-23 can be built with only Debian packages. Only Build-Tools 24.0.0 is available, so in # android-23 can be built with only Debian packages. Only Build-Tools 24.0.0 is available, so in
# order to use the SDK, build scripts need to be modified. # order to use the SDK, build scripts need to be modified.
/{usr/,}lib/android-sdk/ r, @{lib}/android-sdk/ r,
/{usr/,}lib/android-sdk/** mrkix, @{lib}/android-sdk/** mrkix,
/usr/share/android-sdk-platform-*/{,**} r, /usr/share/android-sdk-platform-*/{,**} r,
deny /{usr/,}lib/android-sdk/build-tools/*/package.xml w, deny @{lib}/android-sdk/build-tools/*/package.xml w,
deny /{usr/,}lib/android-sdk/platforms/android-*/package.xml w, deny @{lib}/android-sdk/platforms/android-*/package.xml w,
deny /{usr/,}lib/android-sdk/.knownPackages w, deny @{lib}/android-sdk/.knownPackages w,
# This one is used if the standard android SDK location is missing # This one is used if the standard android SDK location is missing
@{AS_SDKDIR}/ rw, @{AS_SDKDIR}/ rw,
@ -220,7 +217,7 @@ profile android-studio @{exec_path} {
profile gpg { profile gpg {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/gpg{,2} mr, @{bin}/gpg{,2} mr,
owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
@ -234,11 +231,11 @@ profile android-studio @{exec_path} {
signal (receive) set=(term, kill) peer=android-studio, signal (receive) set=(term, kill) peer=android-studio,
/{usr/,}bin/lsb_release r, @{bin}/lsb_release r,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/apt-cache rPx, @{bin}/apt-cache rPx,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
@ -259,27 +256,27 @@ profile android-studio @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr, @{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}bin/spacefm rPx, @{bin}/spacefm rPx,
/{usr/,}bin/smplayer rPx, @{bin}/smplayer rPx,
/{usr/,}bin/vlc rPx, @{bin}/vlc rPx,
/{usr/,}bin/mpv rPx, @{bin}/mpv rPx,
/{usr/,}bin/geany rPx, @{bin}/geany rPx,
/{usr/,}bin/viewnior rPUx, @{bin}/viewnior rPUx,
/{usr/,}bin/qpdfview rPx, @{bin}/qpdfview rPx,
/{usr/,}bin/ebook-viewer rPx, @{bin}/ebook-viewer rPx,
/{usr/,}lib/firefox/firefox rPx, @{lib}/firefox/firefox rPx,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
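Review bot: Collapsing `/{usr/,}lib/ r,` and `/{usr/,}lib{x32,32,64}/ r,` into a single `@{lib}/ r,` drops the `libx32` directory unless the tunable's definition of `@{lib}` includes it, and turning `/{usr/,}{s,}bin/ldconfig rix` into `@{bin}/ldconfig rix` likewise depends on `@{bin}` covering `sbin`; neither definition is visible in this diff, so confirm both or keep `/{usr/,}libx32/ r,` alongside the new line. The reordering itself reads well: `ix` helpers are grouped, the `Px`/`Cx` transitions follow, and the one remaining broad inherit rule, `@{lib}/jvm/java-[0-9]*-openjdk-*/jre/bin/* rix`, deserves a short comment such as `# JRE helper binaries run inside the android-studio profile` so its scope is deliberate rather than accidental. The android-studio profile and its child profiles begin before and extend past these hunks.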


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom /{usr/,}bin/atom @{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom @{bin}/atom
profile atom @{exec_path} { profile atom @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/dconf-write>
@ -40,40 +40,40 @@ profile atom @{exec_path} {
/usr/share/atom/resources/**/libexec/** rix, /usr/share/atom/resources/**/libexec/** rix,
deny /{usr/,}local/bin/ r, deny /{usr/,}local/bin/ r,
deny /{usr/,}bin/ r, deny @{bin}/ r,
#/{usr/,}bin/{,ba,da}sh rix, #@{bin}/{,ba,da}sh rix,
#/{usr/,}bin/zsh rix, #@{bin}/zsh rix,
#/{usr/,}bin/env rix, #@{bin}/env rix,
#/{usr/,}bin/rmdir rix, #@{bin}/rmdir rix,
#/{usr/,}bin/{,e}grep rix, #@{bin}/{,e}grep rix,
#/{usr/,}bin/ls rix, #@{bin}/ls rix,
#/{usr/,}bin/{m,g,}awk rix, #@{bin}/{m,g,}awk rix,
#/{usr/,}bin/tty rix, #@{bin}/tty rix,
#/{usr/,}bin/dircolors rix, #@{bin}/dircolors rix,
#/{usr/,}bin/cut rix, #@{bin}/cut rix,
#/{usr/,}bin/xwininfo rix, #@{bin}/xwininfo rix,
#/{usr/,}bin/date rix, #@{bin}/date rix,
# The expr and uname tools are needed or Atom won't start with the following error: # The expr and uname tools are needed or Atom won't start with the following error:
# Your platform () is not supported. # Your platform () is not supported.
/{usr/,}bin/expr rix, @{bin}/expr rix,
/{usr/,}bin/uname rix, @{bin}/uname rix,
# The following also are needed to start Atom # The following also are needed to start Atom
/{usr/,}bin/basename rix, @{bin}/basename rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/dirname rix, @{bin}/dirname rix,
/{usr/,}bin/mkdir rix, @{bin}/mkdir rix,
/{usr/,}bin/nohup rix, @{bin}/nohup rix,
/{usr/,}bin/cat rix, @{bin}/cat rix,
/{usr/,}bin/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open, @{bin}/xdg-open rCx -> open,
/{usr/,}bin/xdg-settings rPx, @{bin}/xdg-settings rPx,
/{usr/,}bin/git rPx, @{bin}/git rPx,
# Needed to sign commits # Needed to sign commits
/{usr/,}bin/gpg{,2} rCx -> gpg, @{bin}/gpg{,2} rCx -> gpg,
# /home/ r, # /home/ r,
# Reading of the user home dir is required or the following error will be printed: # Reading of the user home dir is required or the following error will be printed:
@ -139,7 +139,7 @@ profile atom @{exec_path} {
owner /tmp/net-export/ rw, owner /tmp/net-export/ rw,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, @{lib}/firefox/firefox rPUx,
profile gpg { profile gpg {
@ -148,7 +148,7 @@ profile atom @{exec_path} {
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
/{usr/,}bin/gpg{,2} mr, @{bin}/gpg{,2} mr,
owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
@ -163,19 +163,19 @@ profile atom @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr, @{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, @{lib}/firefox/firefox rPUx,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
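Review bot: Next to the converted `deny @{bin}/ r,`, the untouched `deny /{usr/,}local/bin/ r,` keeps a hand-written glob that expands to `/local/bin/` as well as `/usr/local/bin/`; the former path almost certainly is not intended, so `deny /usr/local/bin/ r,` would state the intent and match the variable-based style the commit introduces. The `rCx -> open`, `rCx -> gpg` and the `rPx` transitions for lsb_release, xdg-settings and git are carried over unchanged, which is the right outcome for a pure path refactor. The atom profile body begins before and extends past these hunks.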


@ -7,12 +7,12 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/calibre{,-parallel,-debug,-server,-smtp,-complete,-customize} @{exec_path} = @{bin}/calibre{,-parallel,-debug,-server,-smtp,-complete,-customize}
@{exec_path} += /{usr/,}bin/calibredb @{exec_path} += @{bin}/calibredb
@{exec_path} += /{usr/,}bin/ebook{-viewer,-edit,-device,-meta,-polish,-convert} @{exec_path} += @{bin}/ebook{-viewer,-edit,-device,-meta,-polish,-convert}
@{exec_path} += /{usr/,}bin/fetch-ebook-metadata @{exec_path} += @{bin}/fetch-ebook-metadata
@{exec_path} += /{usr/,}bin/lrs2lrf /{usr/,}bin/lrf2lrs /{usr/,}bin/lrfviewer @{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer
@{exec_path} += /{usr/,}bin/web2disk @{exec_path} += @{bin}/web2disk
profile calibre @{exec_path} { profile calibre @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/opencl-intel> include <abstractions/opencl-intel>
@ -83,20 +83,20 @@ profile calibre @{exec_path} {
peer=(name=:*), peer=(name=:*),
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/{usr/,}{s,}bin/ldconfig{,.real} rix, @{bin}/ldconfig{,.real} rix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/file rix, @{bin}/file rix,
/{usr/,}bin/uname rix, @{bin}/uname rix,
/{usr/,}lib/@{multiarch}/qt5/libexec/QtWebEngineProcess rix, @{lib}/@{multiarch}/qt5/libexec/QtWebEngineProcess rix,
/{usr/,}bin/pdftoppm rPUx, # (#FIXME#) @{bin}/pdftoppm rPUx, # (#FIXME#)
/{usr/,}bin/pdfinfo rPUx, @{bin}/pdfinfo rPUx,
/{usr/,}bin/pdftohtml rPUx, @{bin}/pdftohtml rPUx,
/{usr/,}bin/xdg-open rPx -> child-open, @{bin}/xdg-open rPx -> child-open,
/{usr/,}bin/xdg-mime rPx, @{bin}/xdg-mime rPx,
/usr/share/calibre/{,**} r, /usr/share/calibre/{,**} r,
/usr/share/hwdata/pnp.ids r, /usr/share/hwdata/pnp.ids r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/code /usr/share/code/{bin/,}code @{exec_path} = @{bin}/code /usr/share/code/{bin/,}code
profile code @{exec_path} { profile code @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/chromium-common> include <abstractions/chromium-common>
@ -24,16 +24,16 @@ profile code @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}lib/code/extensions/git/dist/askpass.sh rPx, @{lib}/code/extensions/git/dist/askpass.sh rPx,
/{usr/,}lib/code/extensions/git/dist/git-editor.sh rPx, @{lib}/code/extensions/git/dist/git-editor.sh rPx,
# The shell is not confined on purpose. # The shell is not confined on purpose.
/{usr/,}bin/{,b,d,rb}ash rUx, @{bin}/{,b,d,rb}ash rUx,
/{usr/,}bin/{c,k,tc,z}sh rUx, @{bin}/{c,k,tc,z}sh rUx,
/{usr/,}bin/git rPx, @{bin}/git rPx,
/{usr/,}bin/gpg{,2} rPUx, @{bin}/gpg{,2} rPUx,
/{usr/,}bin/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
# /usr/share/code/** r, # /usr/share/code/** r,
# /usr/share/code/libffmpeg.so mr, # /usr/share/code/libffmpeg.so mr,


@ -12,7 +12,7 @@ include <tunables/global>
@{DISCORD_HOMEDIR} += @{HOME}/.config/discordptb @{DISCORD_HOMEDIR} += @{HOME}/.config/discordptb
@{DISCORD_CACHEDIR} = @{HOME}/.cache/discord @{DISCORD_CACHEDIR} = @{HOME}/.cache/discord
@{exec_path} = @{DISCORD_LIBDIR}/Discord{,PTB} /{usr/,}bin/discord{,-ptb} @{exec_path} = @{DISCORD_LIBDIR}/Discord{,PTB} @{bin}/discord{,-ptb}
profile discord @{exec_path} { profile discord @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -42,13 +42,13 @@ profile discord @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/xdg-open rCx -> open, @{bin}/xdg-open rCx -> open,
#/{usr/,}bin/lsb_release rCx -> lsb_release, #@{bin}/lsb_release rCx -> lsb_release,
#/{usr/,}bin/xdg-mime rCx -> xdg-mime, #@{bin}/xdg-mime rCx -> xdg-mime,
deny /{usr/,}bin/lsb_release mrx, deny @{bin}/lsb_release mrx,
deny /{usr/,}bin/xdg-mime mrx, deny @{bin}/xdg-mime mrx,
@{DISCORD_LIBDIR}/ r, @{DISCORD_LIBDIR}/ r,
@{DISCORD_LIBDIR}/** r, @{DISCORD_LIBDIR}/** r,
@ -107,7 +107,7 @@ profile discord @{exec_path} {
/etc/machine-id r, /etc/machine-id r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPx, @{lib}/firefox/firefox rPx,
# file_inherit # file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
@ -117,14 +117,14 @@ profile discord @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
/{usr/,}bin/xdg-mime mr, @{bin}/xdg-mime mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/cut rix, @{bin}/cut rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
/{usr/,}bin/head rix, @{bin}/head rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
# file_inherit # file_inherit
/usr/share/discord/** r, /usr/share/discord/** r,
@ -142,11 +142,11 @@ profile discord @{exec_path} {
signal (receive) set=(kill, term) peer=discord, signal (receive) set=(kill, term) peer=discord,
/{usr/,}bin/lsb_release r, @{bin}/lsb_release r,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/apt-cache rPx, @{bin}/apt-cache rPx,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
@ -167,19 +167,19 @@ profile discord @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr, @{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPx, @{lib}/firefox/firefox rPx,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
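Review bot: `@{lib}/firefox/firefox rPx` under "Allowed apps to open" (and the same rule again in the `open` child profile at the end of this section) now matches wherever the `@{lib}` tunable expands to, whereas `/{usr/,}lib/firefox/firefox` matched exactly two directories; if the tunable also covers lib32/lib64 or libexec, the set of binaries this profile may transition to grows without that being visible in the diff. For plain read rules this is harmless, but every `rPx`/`rPUx`/`rix` line rewritten with `@{lib}` or `@{bin}` defines what the confined process is allowed to execute, so the exact expansion should be checked once. The same applies to the dropbox, filezilla, freetube, okular, telegram-desktop, thunderbird, vlc and apt sections below. Stating the expansions in the commit description (e.g. `@{bin} = <expansion from tunables>`, `@{lib} = <expansion from tunables>`) would let a reader audit the widening without opening the tunables file.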


@ -10,7 +10,7 @@ include <tunables/global>
@{DROPBOX_HOME_DIR}=@{HOME}/.dropbox/ @{DROPBOX_HOME_DIR}=@{HOME}/.dropbox/
@{DROPBOX_SHARE_DIR}=@{HOME}/Dropbox*/ @{DROPBOX_SHARE_DIR}=@{HOME}/Dropbox*/
@{exec_path} = /{usr/,}bin/dropbox @{exec_path} = @{bin}/dropbox
profile dropbox @{exec_path} { profile dropbox @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/X> include <abstractions/X>
@ -28,8 +28,8 @@ profile dropbox @{exec_path} {
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
# Dropbox home files # Dropbox home files
owner @{HOME}/ r, owner @{HOME}/ r,
@ -50,14 +50,14 @@ profile dropbox @{exec_path} {
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/*.so* mrw, owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/*.so* mrw,
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/plugins/platforms/*.so mrw, owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/plugins/platforms/*.so mrw,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/dirname rix, @{bin}/dirname rix,
/{usr/,}bin/uname rix, @{bin}/uname rix,
/{usr/,}{s,}bin/ldconfig rix, @{bin}/ldconfig rix,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix, @{lib}/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/{,@{multiarch}-}objdump rix, @{bin}/{,@{multiarch}-}objdump rix,
# Needed for updating Dropbox # Needed for updating Dropbox
owner /tmp/.dropbox-dist-new-*/{,**} rw, owner /tmp/.dropbox-dist-new-*/{,**} rw,
@ -72,7 +72,7 @@ profile dropbox @{exec_path} {
deny owner @{user_config_dirs}/autostart/dropbox.desktop rw, deny owner @{user_config_dirs}/autostart/dropbox.desktop rw,
# What's this for? # What's this for?
/{usr/,}bin/mount mrix, @{bin}/mount mrix,
@{sys}/devices/virtual/block/dm-[0-9]*/dm/name r, @{sys}/devices/virtual/block/dm-[0-9]*/dm/name r,
@{sys}/devices/virtual/block/loop[0-9]/ r, @{sys}/devices/virtual/block/loop[0-9]/ r,
@{sys}/devices/virtual/block/loop[0-9]/loop/{autoclear,backing_file} r, @{sys}/devices/virtual/block/loop[0-9]/loop/{autoclear,backing_file} r,
@ -115,30 +115,30 @@ profile dropbox @{exec_path} {
deny @{sys}/module/apparmor/parameters/enabled r, deny @{sys}/module/apparmor/parameters/enabled r,
# External apps # External apps
/{usr/,}bin/xdg-open rCx -> open, @{bin}/xdg-open rCx -> open,
/{usr/,}bin/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, @{lib}/firefox/firefox rPUx,
profile open { profile open {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr, @{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, @{lib}/firefox/firefox rPUx,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
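Review bot: `@{bin}/ldconfig rix` replaces `/{usr/,}{s,}bin/ldconfig rix`, which is only equivalent if `@{bin}` is defined to include the `sbin` directories; ldconfig is normally installed under sbin on Debian-derived systems, so if `@{bin}` expands to `/{usr/,}bin` alone this inherited exec stops matching and dropbox's ldconfig call is denied. The same `{s,}bin` → `@{bin}` substitution appears in the apt section (`@{bin}/aptd` in `@{exec_path}`, `@{bin}/dpkg-preconfigure`, `@{bin}/localepurge`, `@{bin}/update-command-not-found`), where a miss would break the profile attachment itself. If `@{bin}` does not cover sbin, keep `/{usr/,}{s,}bin/ldconfig rix,` here and the corresponding sbin paths in apt.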


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/filezilla @{exec_path} = @{bin}/filezilla
profile filezilla @{exec_path} { profile filezilla @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>
@ -20,13 +20,13 @@ profile filezilla @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/uname rix, @{bin}/uname rix,
# When using SFTP protocol # When using SFTP protocol
/{usr/,}bin/fzsftp rPx, @{bin}/fzsftp rPx,
/{usr/,}bin/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{user_config_dirs}/filezilla/ rw, owner @{user_config_dirs}/filezilla/ rw,
@ -53,7 +53,7 @@ profile filezilla @{exec_path} {
owner /tmp/fz[0-9]temp-[0-9]*/empty_file_* rw, owner /tmp/fz[0-9]temp-[0-9]*/empty_file_* rw,
# External apps # External apps
/{usr/,}lib/firefox/firefox rPUx, @{lib}/firefox/firefox rPUx,
# FTP share folder # FTP share folder
owner @{MOUNTS}/ftp/ r, owner @{MOUNTS}/ftp/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/flameshot @{exec_path} = @{bin}/flameshot
profile flameshot @{exec_path} { profile flameshot @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/X> include <abstractions/X>
@ -33,9 +33,9 @@ profile flameshot @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/whoami rix, @{bin}/whoami rix,
/{usr/,}bin/xdg-open rCx -> open, @{bin}/xdg-open rCx -> open,
# Flameshot home files # Flameshot home files
owner @{user_config_dirs}/flameshot/ rw, owner @{user_config_dirs}/flameshot/ rw,
@ -73,12 +73,12 @@ profile flameshot @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr, @{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
owner @{HOME}/ r, owner @{HOME}/ r,


@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{FT_LIBDIR} = /{usr/,}lib/freetube @{FT_LIBDIR} = @{lib}/freetube
@{FT_LIBDIR} += /{usr/,}lib/freetube-vue @{FT_LIBDIR} += @{lib}/freetube-vue
@{FT_LIBDIR} += /opt/FreeTube @{FT_LIBDIR} += /opt/FreeTube
@{FT_LIBDIR} += /opt/FreeTube-Vue @{FT_LIBDIR} += /opt/FreeTube-Vue
@ -83,14 +83,14 @@ profile freetube @{exec_path} {
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
# no new privs # no new privs
/{usr/,}bin/xdg-settings rPx, @{bin}/xdg-settings rPx,
/{usr/,}bin/xdg-open rCx -> open, @{bin}/xdg-open rCx -> open,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPx, @{lib}/firefox/firefox rPx,
/{usr/,}bin/mpv rPx, @{bin}/mpv rPx,
/{usr/,}bin/vlc rPx, @{bin}/vlc rPx,
# file_inherit # file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
@ -100,21 +100,21 @@ profile freetube @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr, @{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPx, @{lib}/firefox/firefox rPx,
/{usr/,}bin/mpv rPx, @{bin}/mpv rPx,
/{usr/,}bin/vlc rPx, @{bin}/vlc rPx,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,


@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{FT_LIBDIR} = /{usr/,}lib/freetube @{FT_LIBDIR} = @{lib}/freetube
@{FT_LIBDIR} += /{usr/,}lib/freetube-vue @{FT_LIBDIR} += @{lib}/freetube-vue
@{FT_LIBDIR} += /opt/FreeTube @{FT_LIBDIR} += /opt/FreeTube
@{FT_LIBDIR} += /opt/FreeTube-Vue @{FT_LIBDIR} += /opt/FreeTube-Vue


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/geany @{exec_path} = @{bin}/geany
profile geany @{exec_path} { profile geany @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>
@ -27,10 +27,10 @@ profile geany @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
# For the sorting feature # For the sorting feature
/{usr/,}bin/sort rix, @{bin}/sort rix,
# When geany is run as root, it wants to exec dbus-launch, and hence it creates the two following # When geany is run as root, it wants to exec dbus-launch, and hence it creates the two following
# root processes: # root processes:
@ -38,10 +38,10 @@ profile geany @{exec_path} {
# /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
# #
# Should this be allowed? Geany works fine without this. # Should this be allowed? Geany works fine without this.
#/{usr/,}bin/dbus-launch rCx -> dbus, #@{bin}/dbus-launch rCx -> dbus,
#/{usr/,}bin/dbus-send rCx -> dbus, #@{bin}/dbus-send rCx -> dbus,
deny /{usr/,}bin/dbus-launch rx, deny @{bin}/dbus-launch rx,
deny /{usr/,}bin/dbus-send rx, deny @{bin}/dbus-send rx,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
@ -105,9 +105,9 @@ profile geany @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
/{usr/,}bin/dbus-launch mr, @{bin}/dbus-launch mr,
/{usr/,}bin/dbus-send mr, @{bin}/dbus-send mr,
/{usr/,}bin/dbus-daemon rPUx, @{bin}/dbus-daemon rPUx,
# for dbus-launch # for dbus-launch
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,


@ -8,7 +8,7 @@ include <tunables/global>
@{okular_ext} = [pP][dD][fF] @{okular_ext} = [pP][dD][fF]
@{exec_path} = /{usr/,}bin/okular @{exec_path} = @{bin}/okular
profile okular @{exec_path} { profile okular @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/X> include <abstractions/X>
@ -78,13 +78,13 @@ profile okular @{exec_path} {
/etc/machine-id r, /etc/machine-id r,
# Search phrase in google # Search phrase in google
/{usr/,}bin/xdg-open rCx -> open, @{bin}/xdg-open rCx -> open,
/usr/share/kservices5/searchproviders/{,*.desktop} r, /usr/share/kservices5/searchproviders/{,*.desktop} r,
/usr/share/kservices5/{,*.protocol} r, /usr/share/kservices5/{,*.protocol} r,
/etc/xdg/kshorturifilterrc r, /etc/xdg/kshorturifilterrc r,
# Print to pdf # Print to pdf
/{usr/,}bin/ps2pdf rPUx, @{bin}/ps2pdf rPUx,
owner /tmp/@{hex} rw, owner /tmp/@{hex} rw,
owner /tmp/#[0-9]*[0-9] rw, owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/okular_*.ps rwl -> /tmp/#[0-9]*[0-9], owner /tmp/okular_*.ps rwl -> /tmp/#[0-9]*[0-9],
@ -93,26 +93,26 @@ profile okular @{exec_path} {
/usr/share/kf5/licenses/GPL_V2 r, /usr/share/kf5/licenses/GPL_V2 r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, @{lib}/firefox/firefox rPUx,
profile open { profile open {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr, @{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, @{lib}/firefox/firefox rPUx,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,


@ -76,9 +76,9 @@ profile signal-desktop @{exec_path} {
/etc/machine-id r, /etc/machine-id r,
# No new privs # No new privs
/{usr/,}bin/xdg-settings rPx, @{bin}/xdg-settings rPx,
/{usr/,}bin/getconf rix, @{bin}/getconf rix,
include if exists <local/signal-desktop> include if exists <local/signal-desktop>
} }


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/spotify /usr/share/spotify/spotify @{exec_path} = @{bin}/spotify /usr/share/spotify/spotify
profile spotify @{exec_path} { profile spotify @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/opencl-intel> include <abstractions/opencl-intel>


@ -8,7 +8,7 @@ include <tunables/global>
@{TELEGRAM_WORK_DIR} = @{MOUNTS}/Kabi/telegram @{TELEGRAM_WORK_DIR} = @{MOUNTS}/Kabi/telegram
@{exec_path} = /{usr/,}bin/telegram-desktop @{exec_path} = @{bin}/telegram-desktop
profile telegram-desktop @{exec_path} { profile telegram-desktop @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -38,13 +38,13 @@ profile telegram-desktop @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
# Launch external apps # Launch external apps
/{usr/,}bin/xdg-open rCx -> open, @{bin}/xdg-open rCx -> open,
# What's this for? # What's this for?
deny /{usr/,}bin/fc-list rx, deny @{bin}/fc-list rx,
# Telegram files # Telegram files
/usr/share/TelegramDesktop/{,**} r, /usr/share/TelegramDesktop/{,**} r,
@ -81,11 +81,11 @@ profile telegram-desktop @{exec_path} {
/usr/share/qt5ct/** r, /usr/share/qt5ct/** r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPx, @{lib}/firefox/firefox rPx,
/{usr/,}bin/smplayer rPx, @{bin}/smplayer rPx,
/{usr/,}bin/viewnior rPUx, @{bin}/viewnior rPUx,
/{usr/,}bin/qpdfview rPx, @{bin}/qpdfview rPx,
/{usr/,}bin/geany rPx, @{bin}/geany rPx,
# file_inherit # file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
@ -95,23 +95,23 @@ profile telegram-desktop @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr, @{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
owner @{TELEGRAM_WORK_DIR}/ r, owner @{TELEGRAM_WORK_DIR}/ r,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPx, @{lib}/firefox/firefox rPx,
/{usr/,}bin/smplayer rPx, @{bin}/smplayer rPx,
/{usr/,}bin/qpdfview rPx, @{bin}/qpdfview rPx,
/{usr/,}bin/viewnior rPUx, @{bin}/viewnior rPUx,
/{usr/,}bin/geany rPx, @{bin}/geany rPx,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,


@ -8,15 +8,15 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{FIREFOX_BIN} = /{usr/,}lib/firefox{,-esr}/firefox @{FIREFOX_BIN} = @{lib}/firefox{,-esr}/firefox
@{FIREFOX_BIN} += /opt/firefox{,-esr}/firefox @{FIREFOX_BIN} += /opt/firefox{,-esr}/firefox
@{MOZ_LIBDIR} = /{usr/,}lib/thunderbird @{MOZ_LIBDIR} = @{lib}/thunderbird
@{MOZ_HOMEDIR} = @{HOME}/.thunderbird @{MOZ_HOMEDIR} = @{HOME}/.thunderbird
@{MOZ_CACHEDIR} = @{user_cache_dirs}/thunderbird @{MOZ_CACHEDIR} = @{user_cache_dirs}/thunderbird
@{exec_path} = @{MOZ_LIBDIR}/thunderbird{,-bin} @{exec_path} = @{MOZ_LIBDIR}/thunderbird{,-bin}
@{exec_path} += /{usr/,}bin/thunderbird @{exec_path} += @{bin}/thunderbird
profile thunderbird @{exec_path} { profile thunderbird @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -103,14 +103,14 @@ profile thunderbird @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
@{MOZ_LIBDIR}/thunderbird-wrapper-helper.sh rix, @{MOZ_LIBDIR}/thunderbird-wrapper-helper.sh rix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
/{usr/,}bin/date rix, @{bin}/date rix,
/{usr/,}bin/tr rix, @{bin}/tr rix,
/{usr/,}bin/which{,.debianutils} rix, @{bin}/which{,.debianutils} rix,
/{usr/,}bin/ps rPx, @{bin}/ps rPx,
/{usr/,}bin/dig rix, @{bin}/dig rix,
# Thunderbird files # Thunderbird files
/usr/share/thunderbird/{,**} r, /usr/share/thunderbird/{,**} r,
@ -146,14 +146,14 @@ profile thunderbird @{exec_path} {
owner @{user_share_dirs}/ r, owner @{user_share_dirs}/ r,
# Spellcheck # Spellcheck
/{usr/,}bin/locale rix, @{bin}/locale rix,
# System integration # System integration
/etc/mime.types r, /etc/mime.types r,
owner @{user_config_dirs}/mimeapps.list.* rw, owner @{user_config_dirs}/mimeapps.list.* rw,
# KDE system keyring # KDE system keyring
/{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
/usr/share/xul-ext/kwallet5/* r, /usr/share/xul-ext/kwallet5/* r,
/etc/xul-ext/kwallet5.js r, /etc/xul-ext/kwallet5.js r,
owner @{user_config_dirs}/kwalletrc r, owner @{user_config_dirs}/kwalletrc r,
@ -216,25 +216,25 @@ profile thunderbird @{exec_path} {
/usr/share/sounds/freedesktop/stereo/*.oga r, /usr/share/sounds/freedesktop/stereo/*.oga r,
# Silencer # Silencer
deny /{usr/,}lib/thunderbird/** w, deny @{lib}/thunderbird/** w,
/{usr/,}bin/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-{open,mime} rCx -> open, @{bin}/xdg-{open,mime} rCx -> open,
/{usr/,}bin/exo-open rCx -> open, @{bin}/exo-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
# Needed for enigmail # Needed for enigmail
/usr/share/xul-ext/enigmail/{,**} r, /usr/share/xul-ext/enigmail/{,**} r,
/{usr/,}bin/gpgconf rCx -> gpg, @{bin}/gpgconf rCx -> gpg,
/{usr/,}bin/gpg-connect-agent rCx -> gpg, @{bin}/gpg-connect-agent rCx -> gpg,
/{usr/,}bin/gpg{,2} rCx -> gpg, @{bin}/gpg{,2} rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg, @{bin}/gpgsm rCx -> gpg,
# Allowed apps to open # Allowed apps to open
/{usr/,}bin/qpdfview rPx, @{bin}/qpdfview rPx,
/{usr/,}bin/viewnior rPUx, @{bin}/viewnior rPUx,
/{usr/,}bin/engrampa rPx, @{bin}/engrampa rPx,
/{usr/,}bin/geany rPx, @{bin}/geany rPx,
@{FIREFOX_BIN} rPx, @{FIREFOX_BIN} rPx,
# file_inherit # file_inherit
@ -252,11 +252,11 @@ profile thunderbird @{exec_path} {
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
/{usr/,}bin/gpgconf mr, @{bin}/gpgconf mr,
/{usr/,}bin/gpg{,2} mr, @{bin}/gpg{,2} mr,
/{usr/,}bin/gpg-connect-agent mr, @{bin}/gpg-connect-agent mr,
/{usr/,}bin/gpgsm mr, @{bin}/gpgsm mr,
/{usr/,}bin/gpg-agent rix, @{bin}/gpg-agent rix,
owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
@ -298,25 +298,25 @@ profile thunderbird @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr, @{bin}/xdg-open mr,
/{usr/,}bin/exo-open mr, @{bin}/exo-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{,m,g}awk rix, @{bin}/{,m,g}awk rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
/{usr/,}bin/xfce4-mime-helper rix, @{bin}/xfce4-mime-helper rix,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}bin/qpdfview rPx, @{bin}/qpdfview rPx,
/{usr/,}bin/viewnior rPUx, @{bin}/viewnior rPUx,
/{usr/,}bin/engrampa rPx, @{bin}/engrampa rPx,
/{usr/,}bin/geany rPx, @{bin}/geany rPx,
@{FIREFOX_BIN} rPx, @{FIREFOX_BIN} rPx,
# file_inherit # file_inherit


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/{c,}vlc @{exec_path} = @{bin}/{c,}vlc
profile vlc @{exec_path} { profile vlc @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio> include <abstractions/audio>
@ -145,7 +145,7 @@ profile vlc @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver, @{bin}/xdg-screensaver rCx -> xdg-screensaver,
/usr/share/hwdata/pnp.ids r, /usr/share/hwdata/pnp.ids r,
/usr/share/qt5ct/** r, /usr/share/qt5ct/** r,
@ -197,22 +197,22 @@ profile vlc @{exec_path} {
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
# Silencer # Silencer
deny /{usr/,}lib/@{multiarch}/vlc/{,**} w, deny @{lib}/@{multiarch}/vlc/{,**} w,
profile xdg-screensaver { profile xdg-screensaver {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
/{usr/,}bin/xdg-screensaver mr, @{bin}/xdg-screensaver mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/mv rix, @{bin}/mv rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
/{usr/,}bin/which{,.debianutils} rix, @{bin}/which{,.debianutils} rix,
/{usr/,}bin/xset rix, @{bin}/xset rix,
/{usr/,}bin/xautolock rix, @{bin}/xautolock rix,
/{usr/,}bin/dbus-send rix, @{bin}/dbus-send rix,
owner @{HOME}/.Xauthority r, owner @{HOME}/.Xauthority r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/apt /{usr/,}bin/apt-get /{usr/,}{s,}bin/aptd @{exec_path} = @{bin}/apt @{bin}/apt-get @{bin}/aptd
profile apt @{exec_path} flags=(attach_disconnected) { profile apt @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/apt-common> include <abstractions/apt-common>
@ -62,57 +62,57 @@ profile apt @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}{s,}bin/ r, @{bin}/ r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
/{usr/,}bin/echo rix, @{bin}/echo rix,
/{usr/,}bin/gdbus rix, @{bin}/gdbus rix,
/{usr/,}bin/id rix, @{bin}/id rix,
/{usr/,}bin/ischroot rix, @{bin}/ischroot rix,
/{usr/,}bin/test rix, @{bin}/test rix,
/{usr/,}bin/touch rix, @{bin}/touch rix,
/{usr/,}{s,}bin/dpkg-preconfigure rPx, @{bin}/adequate rPx,
/{usr/,}{s,}bin/localepurge rPx, @{bin}/appstreamcli rPx,
/{usr/,}{s,}bin/update-command-not-found rPx, @{bin}/apt-listbugs rPx,
/{usr/,}bin/adequate rPx, @{bin}/apt-listchanges rPx,
/{usr/,}bin/appstreamcli rPx, @{bin}/apt-show-versions rPx,
/{usr/,}bin/apt-listbugs rPx, @{bin}/debtags rPx,
/{usr/,}bin/apt-listchanges rPx, @{bin}/df rPx,
/{usr/,}bin/apt-show-versions rPx, @{bin}/dmesg rPx,
/{usr/,}bin/debtags rPx, @{bin}/dpkg rPx,
/{usr/,}bin/df rPx, @{bin}/dpkg-preconfigure rPx,
/{usr/,}bin/dmesg rPx, @{bin}/dpkg-source rcx -> dpkg-source,
/{usr/,}bin/dpkg rPx, @{bin}/etckeeper rPx,
/{usr/,}bin/dpkg-source rcx -> dpkg-source, @{bin}/localepurge rPx,
/{usr/,}bin/etckeeper rPx, @{bin}/ps rPx,
/{usr/,}bin/ps rPx, @{bin}/snap rPUx,
/{usr/,}bin/snap rPUx, @{bin}/systemctl rCx -> systemctl,
/{usr/,}bin/systemctl rCx -> systemctl, @{bin}/update-command-not-found rPx,
/{usr/,}lib/cnf-update-db rPx, @{lib}/cnf-update-db rPx,
/{usr/,}lib/needrestart/apt-pinvoke rPx, @{lib}/needrestart/apt-pinvoke rPx,
@{libexec}/zsys-system-autosnapshot rPx, @{lib}/zsys-system-autosnapshot rPx,
# For building the source after the download process is finished (apt-get source --compile) # For building the source after the download process is finished (apt-get source --compile)
/{usr/,}bin/dpkg-buildpackage rPUx, @{bin}/dpkg-buildpackage rPUx,
# Methods to use to download packages from the net # Methods to use to download packages from the net
/{usr/,}lib/apt/methods/* rPx, @{lib}/apt/methods/* rPx,
# Ubuntu specificities # Ubuntu specificities
/{usr/,}lib/ubuntu-advantage/apt-esm-hook rPx, @{lib}/ubuntu-advantage/apt-esm-hook rPx,
/{usr/,}lib/ubuntu-advantage/apt-esm-json-hook rPx, @{lib}/ubuntu-advantage/apt-esm-json-hook rPx,
/{usr/,}lib/update-notifier/update-motd-updates-available rPx, @{lib}/update-notifier/update-motd-updates-available rPx,
/usr/share/command-not-found/cnf-update-db rPx, /usr/share/command-not-found/cnf-update-db rPx,
/usr/share/language-tools/language-options rPx, /usr/share/language-tools/language-options rPx,
# For editing the sources.list file # For editing the sources.list file
/{usr/,}bin/sensible-editor rCx -> editor, @{bin}/sensible-editor rCx -> editor,
/{usr/,}bin/vim.* rCx -> editor, @{bin}/vim.* rCx -> editor,
# For changelogs # For changelogs
/{usr/,}bin/sensible-pager rCx -> pager, @{bin}/sensible-pager rCx -> pager,
/usr/share/xml/iso-codes/{,**} r, /usr/share/xml/iso-codes/{,**} r,
/usr/share/language-selector/data/pkg_depends r, /usr/share/language-selector/data/pkg_depends r,
@ -161,10 +161,10 @@ profile apt @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/sensible-editor mr, @{bin}/sensible-editor mr,
/{usr/,}bin/vim.* mrix, @{bin}/vim.* mrix,
/{usr/,}bin/which{,.debianutils} rix, @{bin}/which{,.debianutils} rix,
/usr/share/vim/{,**} r, /usr/share/vim/{,**} r,
@ -184,11 +184,11 @@ profile apt @{exec_path} flags=(attach_disconnected) {
capability dac_read_search, capability dac_read_search,
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/less rix, @{bin}/less rix,
/{usr/,}bin/sensible-pager mr, @{bin}/sensible-pager mr,
/{usr/,}bin/which{,.debianutils} rix, @{bin}/which{,.debianutils} rix,
/root/ r, # For shell pwd /root/ r, # For shell pwd
@ -204,17 +204,17 @@ profile apt @{exec_path} flags=(attach_disconnected) {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/perl> include <abstractions/perl>
/{usr/,}bin/dpkg-source mr, @{bin}/dpkg-source mr,
/{usr/,}bin/perl r, @{bin}/perl r,
/{usr/,}bin/bunzip2 rix, @{bin}/bunzip2 rix,
/{usr/,}bin/chmod rix, @{bin}/chmod rix,
/{usr/,}bin/gunzip rix, @{bin}/gunzip rix,
/{usr/,}bin/gzip rix, @{bin}/gzip rix,
/{usr/,}bin/patch rix, @{bin}/patch rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/tar rix, @{bin}/tar rix,
/{usr/,}bin/xz rix, @{bin}/xz rix,
/etc/dpkg/origins/debian r, /etc/dpkg/origins/debian r,
@ -235,9 +235,9 @@ profile apt @{exec_path} flags=(attach_disconnected) {
ptrace (read), ptrace (read),
/{usr/,}bin/systemctl mr, @{bin}/systemctl mr,
/{usr/,}bin/systemd-tty-ask-password-agent rix, @{bin}/systemd-tty-ask-password-agent rix,
owner @{run}/systemd/ask-password-block/* rw, owner @{run}/systemd/ask-password-block/* rw,
owner @{run}/systemd/ask-password/ rw, owner @{run}/systemd/ask-password/ rw,
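Review bot: `@{lib}/zsys-system-autosnapshot rPx` replaces `@{libexec}/zsys-system-autosnapshot rPx`, which is not the mechanical `/{usr/,}lib` → `@{lib}` substitution the rest of the commit makes; if `@{libexec}` and `@{lib}` expand to different directories (e.g. /usr/libexec versus /usr/lib), the hook is no longer matched and its exec is denied. The alphabetical reordering of the surrounding `rPx` list is fine but makes this one semantic change easy to miss, so either keep `@{libexec}/zsys-system-autosnapshot rPx,` or note in the commit message that `@{lib}` is known to cover libexec. Separately, in the rewritten list `@{bin}/dpkg-source rcx -> dpkg-source,` is the only lowercase `cx` transition among `Cx`/`Px` ones, meaning this child transition does not scrub the environment while the others do; if that is intentional a short comment such as `# dpkg-source needs the caller's environment (no scrubbing)` would record it.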


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-cache @{exec_path} = @{bin}/apt-cache
profile apt-cache @{exec_path} { profile apt-cache @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/apt-common> include <abstractions/apt-common>
@ -15,7 +15,7 @@ profile apt-cache @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/etc/machine-id r, /etc/machine-id r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-cdrom @{exec_path} = @{bin}/apt-cdrom
profile apt-cdrom @{exec_path} flags=(complain) { profile apt-cdrom @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/apt-common> include <abstractions/apt-common>
@ -16,10 +16,10 @@ profile apt-cdrom @{exec_path} flags=(complain) {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
/{usr/,}bin/mount rCx -> mount, @{bin}/mount rCx -> mount,
/{usr/,}bin/umount rCx -> umount, @{bin}/umount rCx -> umount,
/etc/fstab r, /etc/fstab r,
@ -58,7 +58,7 @@ profile apt-cdrom @{exec_path} flags=(complain) {
profile mount flags=(complain) { profile mount flags=(complain) {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/mount mr, @{bin}/mount mr,
/etc/fstab r, /etc/fstab r,
@ -71,7 +71,7 @@ profile apt-cdrom @{exec_path} flags=(complain) {
capability sys_admin, capability sys_admin,
/{usr/,}bin/umount mr, @{bin}/umount mr,
@{run}/mount/utab{,.*} rw, @{run}/mount/utab{,.*} rw,
@{run}/mount/utab.lock rwk, @{run}/mount/utab.lock rwk,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-config @{exec_path} = @{bin}/apt-config
profile apt-config @{exec_path} { profile apt-config @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/apt-common> include <abstractions/apt-common>
@ -15,7 +15,7 @@ profile apt-config @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
owner /tmp/tmp*/apt.conf r, owner /tmp/tmp*/apt.conf r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-extracttemplates @{exec_path} = @{bin}/apt-extracttemplates
profile apt-extracttemplates @{exec_path} { profile apt-extracttemplates @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -15,7 +15,7 @@ profile apt-extracttemplates @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
/var/cache/apt/ r, /var/cache/apt/ r,
/var/cache/apt/** rwk, /var/cache/apt/** rwk,


@ -7,22 +7,22 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-file @{exec_path} = @{bin}/apt-file
profile apt-file @{exec_path} { profile apt-file @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/apt-common> include <abstractions/apt-common>
include <abstractions/perl> include <abstractions/perl>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, @{bin}/perl r,
/{usr/,}bin/fgrep rix, @{bin}/fgrep rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
/{usr/,}bin/xargs rix, @{bin}/xargs rix,
/{usr/,}lib/apt/apt-helper rix, @{lib}/apt/apt-helper rix,
/{usr/,}bin/apt-get rPx, @{bin}/apt-get rPx,
/{usr/,}bin/apt rPx, @{bin}/apt rPx,
/etc/apt/apt-file.conf r, /etc/apt/apt-file.conf r,
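Review bot: `@{lib}/apt/apt-helper rix,` in this hunk carries no explanation, while the sibling apt-methods-* profiles in this commit annotate the identical rule, so a reader cannot tell whether running the helper under apt-file's own confinement instead of a dedicated profile is deliberate. Suggest the same comment above the rule: `# apt-helper gets "no new privs" so "rix" it`. With `ix` the helper inherits this profile's rules rather than transitioning, which is the trade-off the comment documents.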


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-forktracer @{exec_path} = @{bin}/apt-forktracer
profile apt-forktracer @{exec_path} { profile apt-forktracer @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/apt-common> include <abstractions/apt-common>
@ -15,9 +15,9 @@ profile apt-forktracer @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
/{usr/,}bin/apt-cache rPx, @{bin}/apt-cache rPx,
/usr/share/apt-forktracer/{,**} r, /usr/share/apt-forktracer/{,**} r,
/usr/share/distro-info/debian.csv r, /usr/share/distro-info/debian.csv r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-ftparchive @{exec_path} = @{bin}/apt-ftparchive
profile apt-ftparchive @{exec_path} { profile apt-ftparchive @{exec_path} {
include <abstractions/base> include <abstractions/base>


@ -7,42 +7,42 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-key @{exec_path} = @{bin}/apt-key
profile apt-key @{exec_path} { profile apt-key @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
/{usr/,}bin/cat rix, @{bin}/cat rix,
/{usr/,}bin/chmod rix, @{bin}/chmod rix,
/{usr/,}bin/cmp rix, @{bin}/cmp rix,
/{usr/,}bin/comm rix, @{bin}/comm rix,
/{usr/,}bin/cp rix, @{bin}/cp rix,
/{usr/,}bin/cut rix, @{bin}/cut rix,
/{usr/,}bin/find rix, @{bin}/find rix,
/{usr/,}bin/id rix, @{bin}/id rix,
/{usr/,}bin/mktemp rix, @{bin}/mktemp rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
/{usr/,}bin/sort rix, @{bin}/sort rix,
/{usr/,}bin/touch rix, @{bin}/touch rix,
/{usr/,}bin/tr rix, @{bin}/tr rix,
/{usr/,}bin/uniq rix, @{bin}/uniq rix,
/{usr/,}bin/wc rix, @{bin}/wc rix,
/{usr/,}bin/gpgconf rCx -> gpg, @{bin}/gpgconf rCx -> gpg,
/{usr/,}bin/gpg{,2} rCx -> gpg, @{bin}/gpg{,2} rCx -> gpg,
# Do not strip env to avoid errors like the following: # Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored. # shared object file): ignored.
/{usr/,}bin/dpkg-query rpx, @{bin}/dpkg-query rpx,
# #
/{usr/,}bin/apt-config rPx, @{bin}/apt-config rPx,
# For shell pwd # For shell pwd
/ r, / r,
@ -67,12 +67,12 @@ profile apt-key @{exec_path} {
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
/{usr/,}bin/gpg{,2} mr, @{bin}/gpg{,2} mr,
/{usr/,}bin/gpgconf mr, @{bin}/gpgconf mr,
/{usr/,}bin/dirmngr rix, @{bin}/dirmngr rix,
/{usr/,}bin/gpg-agent rix, @{bin}/gpg-agent rix,
/{usr/,}bin/gpg-connect-agent rix, @{bin}/gpg-connect-agent rix,
/usr/share/gnupg/sks-keyservers.netCA.pem r, /usr/share/gnupg/sks-keyservers.netCA.pem r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-listbugs @{exec_path} = @{bin}/apt-listbugs
profile apt-listbugs @{exec_path} { profile apt-listbugs @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -23,25 +23,25 @@ profile apt-listbugs @{exec_path} {
network netlink raw, network netlink raw,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/ruby[0-9].[0-9]* rix, @{bin}/ruby[0-9].[0-9]* rix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/logname rix, @{bin}/logname rix,
/{usr/,}bin/apt-config rPx, @{bin}/apt-config rPx,
# Do not strip env to avoid errors like the following: # Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored. # shared object file): ignored.
/{usr/,}bin/dpkg-query rpx, @{bin}/dpkg-query rpx,
/usr/local/lib/site_ruby/[0-9].[0-9].[0-9]/**.rb r, /usr/local/lib/site_ruby/[0-9].[0-9].[0-9]/**.rb r,
/usr/share/rubygems-integration/*/specifications/ r, /usr/share/rubygems-integration/*/specifications/ r,
/usr/share/rubygems-integration/*/specifications/*.gemspec rwk, /usr/share/rubygems-integration/*/specifications/*.gemspec rwk,
/{usr/,}lib/ruby/gems/*/specifications/ r, @{lib}/ruby/gems/*/specifications/ r,
/{usr/,}lib/ruby/gems/*/specifications/** r, @{lib}/ruby/gems/*/specifications/** r,
/{usr/,}lib/ruby/gems/*/specifications/**.gemspec rwk, @{lib}/ruby/gems/*/specifications/**.gemspec rwk,
/etc/apt/listbugs/{,*} r, /etc/apt/listbugs/{,*} r,
@ -53,8 +53,8 @@ profile apt-listbugs @{exec_path} {
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
capability dac_read_search, capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix, @{bin}/hostname rix,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r, @{HOME}/.Xauthority r,


@ -6,14 +6,14 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{libexec}/apt-listbugs/aptcleanup @{exec_path} = @{lib}/apt-listbugs/aptcleanup
profile apt-listbugs-aptcleanup @{exec_path} { profile apt-listbugs-aptcleanup @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/ruby> include <abstractions/ruby>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/ruby2.[0-9]* rix, @{bin}/ruby2.[0-9]* rix,
include if exists <local/apt-listbugs-aptcleanup> include if exists <local/apt-listbugs-aptcleanup>
} }
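Review bot: The attachment path `@{lib}/apt-listbugs/aptcleanup` only keeps this profile attached if `@{lib}` expands to the `libexec` directory that `@{libexec}` covered before; the tunable definition is not part of this diff, so that should be confirmed, because a non-matching attachment path means the script silently runs unconfined rather than failing. The same substitution is made in the apt-listbugs-migratepins and apt-listbugs-prefclean sections below (the latter replaces a literal `/usr/libexec/...` path). Separately, `@{bin}/ruby2.[0-9]* rix,` pins the interpreter to Ruby 2.x while migratepins and prefclean use `@{bin}/ruby[0-9].[0-9]* rix,`; aligning this rule with them avoids an exec denial after a Ruby 3 interpreter upgrade.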


@ -6,21 +6,21 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{libexec}/apt-listbugs/migratepins @{exec_path} = @{lib}/apt-listbugs/migratepins
profile apt-listbugs-migratepins @{exec_path} { profile apt-listbugs-migratepins @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/ruby> include <abstractions/ruby>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/ruby[0-9].[0-9]* rix, @{bin}/ruby[0-9].[0-9]* rix,
/usr/share/rubygems-integration/*/specifications/ r, /usr/share/rubygems-integration/*/specifications/ r,
/usr/share/rubygems-integration/*/specifications/*.gemspec rwk, /usr/share/rubygems-integration/*/specifications/*.gemspec rwk,
/{usr/,}lib/ruby/gems/*/specifications/ r, @{lib}/ruby/gems/*/specifications/ r,
/{usr/,}lib/ruby/gems/*/specifications/** r, @{lib}/ruby/gems/*/specifications/** r,
/{usr/,}lib/ruby/gems/*/specifications/**.gemspec rwk, @{lib}/ruby/gems/*/specifications/**.gemspec rwk,
/etc/apt/preferences r, /etc/apt/preferences r,


@ -6,20 +6,20 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /usr/libexec/apt-listbugs/prefclean @{exec_path} = @{lib}/apt-listbugs/prefclean
profile apt-listbugs-prefclean @{exec_path} { profile apt-listbugs-prefclean @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/ruby> include <abstractions/ruby>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/ruby[0-9].[0-9]* rix, @{bin}/ruby[0-9].[0-9]* rix,
/{usr/,}bin/date rix, @{bin}/date rix,
/{usr/,}bin/cat rix, @{bin}/cat rix,
/{usr/,}bin/mktemp rix, @{bin}/mktemp rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/cp rix, @{bin}/cp rix,
/ r, / r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-listchanges @{exec_path} = @{bin}/apt-listchanges
profile apt-listchanges @{exec_path} { profile apt-listchanges @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -16,20 +16,20 @@ profile apt-listchanges @{exec_path} {
#capability sys_tty_config, #capability sys_tty_config,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/tar rix, @{bin}/tar rix,
# Do not strip env to avoid errors like the following: # Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored. # shared object file): ignored.
/{usr/,}bin/dpkg-deb rpx, @{bin}/dpkg-deb rpx,
# #
/{usr/,}bin/sensible-pager rCx -> pager, @{bin}/sensible-pager rCx -> pager,
# Send results using email # Send results using email
/{usr/,}sbin/exim4 rPx, @{bin}/exim4 rPx,
/usr/share/apt-listchanges/{,**} r, /usr/share/apt-listchanges/{,**} r,
@ -69,8 +69,8 @@ profile apt-listchanges @{exec_path} {
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
capability dac_read_search, capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix, @{bin}/hostname rix,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r, @{HOME}/.Xauthority r,
@ -82,12 +82,12 @@ profile apt-listchanges @{exec_path} {
capability dac_read_search, capability dac_read_search,
#capability sys_tty_config, #capability sys_tty_config,
/{usr/,}bin/sensible-pager mr, @{bin}/sensible-pager mr,
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix, @{bin}/which{,.debianutils} rix,
/{usr/,}bin/less rix, @{bin}/less rix,
owner @{HOME}/.less* rw, owner @{HOME}/.less* rw,
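Review bot: The rule `@{bin}/exim4 rPx,` now depends on `@{bin}` expanding to `sbin` as well as `bin`, because the path it replaces matched only under `sbin`; the debsecan section further down replaces `/{usr/,}{s,}bin/exim4` with the same variable, which suggests that is intended, but the tunable itself is not in this diff. If the expansion were bin-only the mail hand-off would be denied rather than escape confinement, so the exposure is functional, not a widening of the profile. The same sbin-to-`@{bin}` change is made for `apt-overlay` in the apt-overlay section and for `dpkg-preconfigure`, `localepurge` and `update-command-not-found` in the aptitude section, and one confirmation covers them all.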


@ -7,14 +7,14 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-mark @{exec_path} = @{bin}/apt-mark
profile apt-mark @{exec_path} { profile apt-mark @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/apt-common> include <abstractions/apt-common>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dpkg rPx, @{bin}/dpkg rPx,
/etc/machine-id r, /etc/machine-id r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/methods/cdrom @{exec_path} = @{lib}/apt/methods/cdrom
profile apt-methods-cdrom @{exec_path} { profile apt-methods-cdrom @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/methods/copy @{exec_path} = @{lib}/apt/methods/copy
profile apt-methods-copy @{exec_path} { profile apt-methods-copy @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -27,7 +27,7 @@ profile apt-methods-copy @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it # apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix, @{lib}/apt/apt-helper rix,
# For shell pwd # For shell pwd
/ r, / r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/methods/file @{exec_path} = @{lib}/apt/methods/file
profile apt-methods-file @{exec_path} { profile apt-methods-file @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -27,7 +27,7 @@ profile apt-methods-file @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it # apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix, @{lib}/apt/apt-helper rix,
# For shell pwd # For shell pwd
/ r, / r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/methods/ftp @{exec_path} = @{lib}/apt/methods/ftp
profile apt-methods-ftp @{exec_path} { profile apt-methods-ftp @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/methods/gpgv @{exec_path} = @{lib}/apt/methods/gpgv
profile apt-methods-gpgv @{exec_path} { profile apt-methods-gpgv @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -28,27 +28,27 @@ profile apt-methods-gpgv @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# The following get "no new privs" so "rix" them # The following get "no new privs" so "rix" them
/{usr/,}bin/apt-config rix, @{bin}/apt-config rix,
/{usr/,}bin/apt-key rix, @{bin}/apt-key rix,
/{usr/,}bin/dpkg rix, @{bin}/dpkg rix,
/{usr/,}bin/find rix, @{bin}/find rix,
/{usr/,}bin/gpg-connect-agent rix, @{bin}/gpg-connect-agent rix,
/{usr/,}bin/gpgconf rix, @{bin}/gpgconf rix,
/{usr/,}bin/gpgv rix, @{bin}/gpgv rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/base64 rix, @{bin}/base64 rix,
/{usr/,}bin/cat rix, @{bin}/cat rix,
/{usr/,}bin/chmod rix, @{bin}/chmod rix,
/{usr/,}bin/cmp rix, @{bin}/cmp rix,
/{usr/,}bin/cp rix, @{bin}/cp rix,
/{usr/,}bin/head rix, @{bin}/head rix,
/{usr/,}bin/mktemp rix, @{bin}/mktemp rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
/{usr/,}bin/sort rix, @{bin}/sort rix,
/{usr/,}bin/touch rix, @{bin}/touch rix,
/usr/share/dpkg/cputable r, /usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r, /usr/share/dpkg/tupletable r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/methods/http{,s} @{exec_path} = @{lib}/apt/methods/http{,s}
profile apt-methods-http @{exec_path} { profile apt-methods-http @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -36,7 +36,7 @@ profile apt-methods-http @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it # apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix, @{lib}/apt/apt-helper rix,
# For shell pwd # For shell pwd
/ r, / r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/methods/mirror{,+*} @{exec_path} = @{lib}/apt/methods/mirror{,+*}
profile apt-methods-mirror @{exec_path} { profile apt-methods-mirror @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/methods/rred @{exec_path} = @{lib}/apt/methods/rred
profile apt-methods-rred @{exec_path} { profile apt-methods-rred @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -27,7 +27,7 @@ profile apt-methods-rred @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it # apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix, @{lib}/apt/apt-helper rix,
# For shell pwd # For shell pwd
/ r, / r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/methods/{r,s}sh @{exec_path} = @{lib}/apt/methods/{r,s}sh
profile apt-methods-rsh @{exec_path} { profile apt-methods-rsh @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/methods/store @{exec_path} = @{lib}/apt/methods/store
profile apt-methods-store @{exec_path} { profile apt-methods-store @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -27,7 +27,7 @@ profile apt-methods-store @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it # apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix, @{lib}/apt/apt-helper rix,
# For shell pwd # For shell pwd
/ r, / r,


@ -6,20 +6,20 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-overlay @{exec_path} = @{bin}/apt-overlay
profile apt-overlay @{exec_path} { profile apt-overlay @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/apt-get rPx, @{bin}/apt-get rPx,
/{usr/,}bin/ruby* mrix, @{bin}/ruby* mrix,
/{usr/,}sbin/apt-overlay r, @{bin}/apt-overlay r,
/{usr/,}lib/ruby/{,**} r, @{lib}/ruby/{,**} r,
/{usr/,}lib/locale/locale-archive r, @{lib}/locale/locale-archive r,
/{usr/,}lib/ruby/gems/3.0.0/specifications/default/*.gemspec rwk, @{lib}/ruby/gems/3.0.0/specifications/default/*.gemspec rwk,
/usr/share/rubygems-integration/{,**} r, /usr/share/rubygems-integration/{,**} r,
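Review bot: `@{lib}/ruby/gems/3.0.0/specifications/default/*.gemspec rwk,` keeps a hard-coded Ruby version in the rewritten rule, whereas the apt-listbugs and apt-listbugs-migratepins sections above use `@{lib}/ruby/gems/*/specifications/...` for the same directory tree. Consider `@{lib}/ruby/gems/*/specifications/default/*.gemspec rwk,` so the rule survives an interpreter upgrade; the write-and-lock access stays scoped to the default gemspec files either way.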


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-show-versions @{exec_path} = @{bin}/apt-show-versions
profile apt-show-versions @{exec_path} { profile apt-show-versions @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -14,14 +14,14 @@ profile apt-show-versions @{exec_path} {
include <abstractions/apt-common> include <abstractions/apt-common>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, @{bin}/perl r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
/{usr/,}bin/apt-get rPx, @{bin}/apt-get rPx,
# apt-helper gets "no new privs" so "rix" it # apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix, @{lib}/apt/apt-helper rix,
owner /var/cache/apt-show-versions/{a,i}packages-multiarch rw, owner /var/cache/apt-show-versions/{a,i}packages-multiarch rw,
owner /var/cache/apt-show-versions/files rw, owner /var/cache/apt-show-versions/files rw,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-sortpkgs @{exec_path} = @{bin}/apt-sortpkgs
profile apt-sortpkgs @{exec_path} { profile apt-sortpkgs @{exec_path} {
include <abstractions/base> include <abstractions/base>


@ -7,43 +7,43 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/apt.systemd.daily @{exec_path} = @{lib}/apt/apt.systemd.daily
profile apt-systemd-daily @{exec_path} { profile apt-systemd-daily @{exec_path} {
include <abstractions/base> include <abstractions/base>
capability dac_read_search, capability dac_read_search,
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
/{usr/,}bin/cmp rix, @{bin}/cmp rix,
/{usr/,}bin/cp rix, @{bin}/cp rix,
/{usr/,}bin/date rix, @{bin}/date rix,
/{usr/,}bin/dirname rix, @{bin}/dirname rix,
/{usr/,}bin/du rix, @{bin}/du rix,
/{usr/,}bin/env rix, @{bin}/env rix,
/{usr/,}bin/find rix, @{bin}/find rix,
/{usr/,}bin/flock rix, @{bin}/flock rix,
/{usr/,}bin/grep rix, @{bin}/grep rix,
/{usr/,}bin/gzip rix, @{bin}/gzip rix,
/{usr/,}bin/ls rix, @{bin}/ls rix,
/{usr/,}bin/mv rix, @{bin}/mv rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/savelog rix, @{bin}/savelog rix,
/{usr/,}bin/seq rix, @{bin}/seq rix,
/{usr/,}bin/sort rix, @{bin}/sort rix,
/{usr/,}bin/stat rix, @{bin}/stat rix,
/{usr/,}bin/touch rix, @{bin}/touch rix,
/{usr/,}bin/uniq rix, @{bin}/uniq rix,
/{usr/,}bin/wc rix, @{bin}/wc rix,
/{usr/,}bin/which{,.debianutils} rix, @{bin}/which{,.debianutils} rix,
/{usr/,}bin/xargs rix, @{bin}/xargs rix,
/{usr/,}bin/apt-config rPx, @{bin}/apt-config rPx,
/{usr/,}bin/apt-get rPx, @{bin}/apt-get rPx,
/{usr/,}bin/apt-overlay rPx, @{bin}/apt-overlay rPx,
/{usr/,}bin/unattended-upgrade rPx, @{bin}/unattended-upgrade rPx,
/etc/default/locale r, /etc/default/locale r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/aptitude{,-curses} @{exec_path} = @{bin}/aptitude{,-curses}
profile aptitude @{exec_path} flags=(complain) { profile aptitude @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -65,25 +65,25 @@ profile aptitude @{exec_path} flags=(complain) {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/test rix, @{bin}/test rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
/{usr/,}bin/ps rPx, @{bin}/ps rPx,
/{usr/,}bin/dpkg rPx, @{bin}/dpkg rPx,
/{usr/,}bin/apt-listbugs rPx, @{bin}/apt-listbugs rPx,
/{usr/,}bin/apt-listchanges rPx, @{bin}/apt-listchanges rPx,
/{usr/,}bin/apt-show-versions rPx, @{bin}/apt-show-versions rPx,
/{usr/,}sbin/dpkg-preconfigure rPx, @{bin}/dpkg-preconfigure rPx,
/{usr/,}bin/debtags rPx, @{bin}/debtags rPx,
/{usr/,}sbin/localepurge rPx, @{bin}/localepurge rPx,
/{usr/,}bin/appstreamcli rPx, @{bin}/appstreamcli rPx,
/{usr/,}bin/adequate rPx, @{bin}/adequate rPx,
/{usr/,}sbin/update-command-not-found rPx, @{bin}/update-command-not-found rPx,
/usr/share/command-not-found/cnf-update-db rPx, /usr/share/command-not-found/cnf-update-db rPx,
# Methods to use to download packages from the net # Methods to use to download packages from the net
/{usr/,}lib/apt/methods/* rPx, @{lib}/apt/methods/* rPx,
/var/lib/apt/lists/** rw, /var/lib/apt/lists/** rw,
/var/lib/apt/lists/lock rwk, /var/lib/apt/lists/lock rwk,
@ -94,7 +94,7 @@ profile aptitude @{exec_path} flags=(complain) {
/var/log/aptitude w, /var/log/aptitude w,
# For downloading the source of packages (showsrc/source options) # For downloading the source of packages (showsrc/source options)
/{usr/,}bin/apt rPx, @{bin}/apt rPx,
# For changelogs # For changelogs
owner /tmp/aptitude-*.@{pid}:*/cache{ContentCompressed,Extracted}* rw, owner /tmp/aptitude-*.@{pid}:*/cache{ContentCompressed,Extracted}* rw,
@ -104,7 +104,7 @@ profile aptitude @{exec_path} flags=(complain) {
owner @{user_cache_dirs}/aptitude/ rw, owner @{user_cache_dirs}/aptitude/ rw,
owner @{user_cache_dirs}/aptitude/metadata-download{,-journal} rw, owner @{user_cache_dirs}/aptitude/metadata-download{,-journal} rw,
owner @{user_cache_dirs}/aptitude/metadata-download rwk, owner @{user_cache_dirs}/aptitude/metadata-download rwk,
/{usr/,}bin/sensible-pager rCx -> pager, @{bin}/sensible-pager rCx -> pager,
# For aptitude-run-state-bundle # For aptitude-run-state-bundle
owner /tmp/aptitudebug.*/ r, owner /tmp/aptitudebug.*/ r,
@ -137,7 +137,7 @@ profile aptitude @{exec_path} flags=(complain) {
owner @{HOME}/.aptitude/config@{pid} rw, owner @{HOME}/.aptitude/config@{pid} rw,
/tmp/apt-changelog-*/ rw, /tmp/apt-changelog-*/ rw,
/var/lib/debtags/vocabulary r, /var/lib/debtags/vocabulary r,
/{usr/,}bin/su rPx, @{bin}/su rPx,
@{run}/lock/aptitude rwk, @{run}/lock/aptitude rwk,
/usr/share/aptitude/ r, /usr/share/aptitude/ r,
@ -170,12 +170,12 @@ profile aptitude @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/sensible-pager mr, @{bin}/sensible-pager mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix, @{bin}/which{,.debianutils} rix,
/{usr/,}bin/less rix, @{bin}/less rix,
owner @{HOME}/.less* rw, owner @{HOME}/.less* rw,


@ -6,13 +6,13 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/aptitude-changelog-parser @{exec_path} = @{bin}/aptitude-changelog-parser
profile aptitude-changelog-parser @{exec_path} { profile aptitude-changelog-parser @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/perl> include <abstractions/perl>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, @{bin}/perl r,
/etc/dpkg/origins/debian r, /etc/dpkg/origins/debian r,


@ -6,19 +6,19 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/aptitude-create-state-bundle @{exec_path} = @{bin}/aptitude-create-state-bundle
profile aptitude-create-state-bundle @{exec_path} { profile aptitude-create-state-bundle @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix, @{bin}/which{,.debianutils} rix,
/{usr/,}bin/tar rix, @{bin}/tar rix,
/{usr/,}bin/bzip2 rix, @{bin}/bzip2 rix,
/{usr/,}bin/gzip rix, @{bin}/gzip rix,
# Files included in the bundle # Files included in the bundle
owner @{HOME}/.aptitude/{,*} r, owner @{HOME}/.aptitude/{,*} r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/aptitude-run-state-bundle @{exec_path} = @{bin}/aptitude-run-state-bundle
profile aptitude-run-state-bundle @{exec_path} { profile aptitude-run-state-bundle @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -14,14 +14,14 @@ profile aptitude-run-state-bundle @{exec_path} {
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/tar rix, @{bin}/tar rix,
/{usr/,}bin/bzip2 rix, @{bin}/bzip2 rix,
/{usr/,}bin/mktemp rix, @{bin}/mktemp rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/aptitude-curses rPx, @{bin}/aptitude-curses rPx,
owner /tmp/aptitudebug.*/{,**} rw, owner /tmp/aptitudebug.*/{,**} rw,


@ -8,8 +8,8 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /usr/share/command-not-found/command-not-found @{exec_path} = /usr/share/command-not-found/command-not-found
@{exec_path} += /{usr/,}bin/command-not-found @{exec_path} += @{bin}/command-not-found
@{exec_path} += /{usr/,}lib/command-not-found @{exec_path} += @{lib}/command-not-found
profile command-not-found @{exec_path} { profile command-not-found @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/apt-common> include <abstractions/apt-common>
@ -18,10 +18,10 @@ profile command-not-found @{exec_path} {
include <abstractions/python> include <abstractions/python>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/{usr/,}bin/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
/{usr/,}bin/snap rPx, @{bin}/snap rPx,
/var/lib/command-not-found/commands.db rwk, /var/lib/command-not-found/commands.db rwk,


@ -6,15 +6,15 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/debconf-apt-progress @{exec_path} = @{bin}/debconf-apt-progress
profile debconf-apt-progress @{exec_path} flags=(complain) { profile debconf-apt-progress @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/perl> include <abstractions/perl>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, @{bin}/perl r,
/{usr/,}bin/apt-get rPx, @{bin}/apt-get rPx,
# Think what to do about this (#FIXME#) # Think what to do about this (#FIXME#)
/usr/share/debconf/frontend rPx, /usr/share/debconf/frontend rPx,
@ -28,16 +28,16 @@ profile debconf-apt-progress @{exec_path} flags=(complain) {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r, /usr/share/debconf/frontend r,
/{usr/,}bin/perl r, @{bin}/perl r,
/{usr/,}bin/debconf-apt-progress rPx, @{bin}/debconf-apt-progress rPx,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/stty rix, @{bin}/stty rix,
/{usr/,}bin/locale rix, @{bin}/locale rix,
# The following is needed when debconf uses dialog/whiptail frontend. # The following is needed when debconf uses dialog/whiptail frontend.
/{usr/,}bin/whiptail rPx, @{bin}/whiptail rPx,
/etc/debconf.conf r, /etc/debconf.conf r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,


@ -6,16 +6,16 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/debconf-show @{exec_path} = @{bin}/debconf-show
profile debconf-show @{exec_path} { profile debconf-show @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/perl> include <abstractions/perl>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, @{bin}/perl r,
/{usr/,}bin/locale rix, @{bin}/locale rix,
/etc/debconf.conf r, /etc/debconf.conf r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/deborphan @{exec_path} = @{bin}/deborphan
profile deborphan @{exec_path} { profile deborphan @{exec_path} {
include <abstractions/base> include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/debsecan @{exec_path} = @{bin}/debsecan
profile debsecan @{exec_path} { profile debsecan @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -21,13 +21,13 @@ profile debsecan @{exec_path} {
network inet6 stream, network inet6 stream,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
# Send results using email # Send results using email
/{usr/,}{s,}bin/exim4 rPx, @{bin}/exim4 rPx,
/etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r, /etc/apt/apt.conf r,


@ -7,33 +7,33 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/debsign @{exec_path} = @{bin}/debsign
profile debsign @{exec_path} { profile debsign @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
/{usr/,}bin/cat rix, @{bin}/cat rix,
/{usr/,}bin/cmp rix, @{bin}/cmp rix,
/{usr/,}bin/cp rix, @{bin}/cp rix,
/{usr/,}bin/cu rix, @{bin}/cu rix,
/{usr/,}bin/cut rix, @{bin}/cut rix,
/{usr/,}bin/dirname rix, @{bin}/dirname rix,
/{usr/,}bin/getopt rix, @{bin}/getopt rix,
/{usr/,}bin/head rix, @{bin}/head rix,
/{usr/,}bin/md5sum rix, @{bin}/md5sum rix,
/{usr/,}bin/mktemp rix, @{bin}/mktemp rix,
/{usr/,}bin/mv rix, @{bin}/mv rix,
/{usr/,}bin/perl rix, @{bin}/perl rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
/{usr/,}bin/sha{1,256,512}sum rix, @{bin}/sha{1,256,512}sum rix,
/{usr/,}bin/stty rix, @{bin}/stty rix,
/{usr/,}bin/gpg{,2} rCx -> gpg, @{bin}/gpg{,2} rCx -> gpg,
/etc/devscripts.conf r, /etc/devscripts.conf r,
@ -47,7 +47,7 @@ profile debsign @{exec_path} {
profile gpg { profile gpg {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/gpg{,2} mr, @{bin}/gpg{,2} mr,
owner @{HOME}/@{XDG_GPG_DIR}/ r, owner @{HOME}/@{XDG_GPG_DIR}/ r,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/debsums @{exec_path} = @{bin}/debsums
profile debsums @{exec_path} { profile debsums @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/perl> include <abstractions/perl>
@ -16,8 +16,8 @@ profile debsums @{exec_path} {
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/etc/dpkg/dpkg.cfg.d/{,*} r, /etc/dpkg/dpkg.cfg.d/{,*} r,
/etc/dpkg/dpkg.cfg r, /etc/dpkg/dpkg.cfg r,
@ -29,18 +29,17 @@ profile debsums @{exec_path} {
# Do not strip env to avoid errors like the following: # Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored. # shared object file): ignored.
/{usr/,}bin/dpkg-query rpx, @{bin}/dpkg-query rpx,
# #
/{usr/,}bin/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
/{usr/,}bin/dpkg-divert rPx -> child-dpkg-divert, @{bin}/dpkg-divert rPx -> child-dpkg-divert,
# For shell pwd # For shell pwd
/ r, / r,
/root/ r, /root/ r,
# Scanning files # Scanning files
/{usr/,}bin/{,*} r, @{bin}/{,*} r,
/{usr/,}sbin/{,*} r,
/usr/{,**} r, /usr/{,**} r,
/etc/{,**} r, /etc/{,**} r,
/var/lib/{,**} r, /var/lib/{,**} r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/debtags @{exec_path} = @{bin}/debtags
profile debtags @{exec_path} { profile debtags @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -16,10 +16,10 @@ profile debtags @{exec_path} {
#capability sys_tty_config, #capability sys_tty_config,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg @{exec_path} = @{bin}/dpkg
profile dpkg @{exec_path} { profile dpkg @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -28,20 +28,20 @@ profile dpkg @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/cat rix, @{bin}/cat rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/dpkg-deb rpx, @{bin}/dpkg-deb rpx,
/{usr/,}bin/dpkg-query rpx, @{bin}/dpkg-query rpx,
/{usr/,}bin/dpkg-split rPx, @{bin}/dpkg-split rPx,
/{usr/,}lib/needrestart/dpkg-status rPx, @{lib}/needrestart/dpkg-status rPx,
/usr/share/debian-security-support/check-support-status.hook rPx, /usr/share/debian-security-support/check-support-status.hook rPx,
/{usr/,}bin/pager rCx -> diff, @{bin}/pager rCx -> diff,
/{usr/,}bin/less rCx -> diff, @{bin}/less rCx -> diff,
/{usr/,}bin/more rCx -> diff, @{bin}/more rCx -> diff,
/{usr/,}bin/diff rCx -> diff, @{bin}/diff rCx -> diff,
/etc/dpkg/dpkg.cfg.d/{,*} r, /etc/dpkg/dpkg.cfg.d/{,*} r,
/etc/dpkg/dpkg.cfg r, /etc/dpkg/dpkg.cfg r,
@ -122,11 +122,11 @@ profile dpkg @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/pager mr, @{bin}/pager mr,
/{usr/,}bin/less mr, @{bin}/less mr,
/{usr/,}bin/more mr, @{bin}/more mr,
/{usr/,}bin/diff mr, @{bin}/diff mr,
/etc/** r, # Diff changed config files /etc/** r, # Diff changed config files
/root/ r, # For shell pwd /root/ r, # For shell pwd
@ -138,8 +138,8 @@ profile dpkg @{exec_path} {
profile scripts { profile scripts {
include <abstractions/base> include <abstractions/base>
/{usr/,}{s,}bin/ r, @{bin}/ r,
/{usr/,}{s,}bin/* rPUx, @{bin}/* rPUx,
/var/lib/dpkg/info/*.config r, /var/lib/dpkg/info/*.config r,
/var/lib/dpkg/info/*.{preinst,postinst} r, /var/lib/dpkg/info/*.{preinst,postinst} r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-architecture @{exec_path} = @{bin}/dpkg-architecture
profile dpkg-architecture @{exec_path} { profile dpkg-architecture @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -17,11 +17,11 @@ profile dpkg-architecture @{exec_path} {
@{exec_path} r, @{exec_path} r,
/usr/bin/perl r, /usr/bin/perl r,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix, @{lib}/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/ccache rCx -> ccache, @{bin}/ccache rCx -> ccache,
/{usr/,}bin/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
/usr/share/dpkg/** r, /usr/share/dpkg/** r,
@ -34,11 +34,11 @@ profile dpkg-architecture @{exec_path} {
profile ccache { profile ccache {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/ccache mr, @{bin}/ccache mr,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix, @{lib}/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix, @{bin}/{,@{multiarch}-}g++-[0-9]* rix,
/media/ccache/*/** rw, /media/ccache/*/** rw,
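Review bot: `/usr/bin/perl r,` in the first hunk of this section is left as a literal path while the surrounding rules and the sibling profiles (debconf-show, dpkg-buildflags, dpkg-genchanges) are converted to `@{bin}/perl r,`. Since it is unchanged context, the refactor missed it; on a system without merged /usr the literal only matches /usr/bin/perl, so the profile behaves differently from its siblings for no stated reason. Suggest `@{bin}/perl r,` for consistency with the rest of the commit. Both hunks here sit inside the dpkg-architecture profile, whose closing brace is outside the diff.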


@ -6,13 +6,13 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-buildflags @{exec_path} = @{bin}/dpkg-buildflags
profile dpkg-buildflags @{exec_path} flags=(complain) { profile dpkg-buildflags @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/perl> include <abstractions/perl>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, @{bin}/perl r,
/etc/dpkg/origins/debian r, /etc/dpkg/origins/debian r,


@ -6,13 +6,13 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-checkbuilddeps @{exec_path} = @{bin}/dpkg-checkbuilddeps
profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { profile dpkg-checkbuilddeps @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/perl> include <abstractions/perl>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, @{bin}/perl r,
/etc/dpkg/origins/debian r, /etc/dpkg/origins/debian r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-deb @{exec_path} = @{bin}/dpkg-deb
profile dpkg-deb @{exec_path} { profile dpkg-deb @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -18,8 +18,8 @@ profile dpkg-deb @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/tar rix, @{bin}/tar rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
owner /var/lib/dpkg/tmp.ci/ w, owner /var/lib/dpkg/tmp.ci/ w,
owner /var/lib/dpkg/tmp.ci/* w, owner /var/lib/dpkg/tmp.ci/* w,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-divert @{exec_path} = @{bin}/dpkg-divert
profile dpkg-divert @{exec_path} { profile dpkg-divert @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-genbuildinfo @{exec_path} = @{bin}/dpkg-genbuildinfo
profile dpkg-genbuildinfo @{exec_path} flags=(complain) { profile dpkg-genbuildinfo @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -17,7 +17,7 @@ profile dpkg-genbuildinfo @{exec_path} flags=(complain) {
capability dac_override, capability dac_override,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, @{bin}/perl r,
/usr/share/lto-disabled-list/lto-disabled-list r, /usr/share/lto-disabled-list/lto-disabled-list r,
/usr/share/dpkg/cputable r, /usr/share/dpkg/cputable r,


@ -7,14 +7,14 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-genchanges @{exec_path} = @{bin}/dpkg-genchanges
profile dpkg-genchanges @{exec_path} flags=(complain) { profile dpkg-genchanges @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/perl> include <abstractions/perl>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, @{bin}/perl r,
/etc/dpkg/origins/debian r, /etc/dpkg/origins/debian r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}sbin/dpkg-preconfigure @{exec_path} = @{bin}/dpkg-preconfigure
profile dpkg-preconfigure @{exec_path} { profile dpkg-preconfigure @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -17,15 +17,15 @@ profile dpkg-preconfigure @{exec_path} {
#capability sys_tty_config, #capability sys_tty_config,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, @{bin}/perl r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/locale rix, @{bin}/locale rix,
/{usr/,}bin/stty rix, @{bin}/stty rix,
/{usr/,}bin/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
/{usr/,}bin/apt-extracttemplates rPx, @{bin}/apt-extracttemplates rPx,
/{usr/,}bin/whiptail rPx, @{bin}/whiptail rPx,
/etc/shadow r, /etc/shadow r,
@ -46,8 +46,8 @@ profile dpkg-preconfigure @{exec_path} {
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
capability dac_read_search, capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix, @{bin}/hostname rix,
@{HOME}/.Xauthority r, @{HOME}/.Xauthority r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,


@ -6,18 +6,18 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-query @{exec_path} = @{bin}/dpkg-query
profile dpkg-query @{exec_path} { profile dpkg-query @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/pager rPx -> child-pager, @{bin}/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager, @{bin}/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager, @{bin}/more rPx -> child-pager,
/var/lib/dpkg/** r, /var/lib/dpkg/** r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-split @{exec_path} = @{bin}/dpkg-split
profile dpkg-split @{exec_path} { profile dpkg-split @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -19,7 +19,7 @@ profile dpkg-split @{exec_path} {
# Do not strip env to avoid errors like the following: # Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored. # shared object file): ignored.
/{usr/,}bin/dpkg-deb rpx, @{bin}/dpkg-deb rpx,
/var/lib/dpkg/parts/ r, /var/lib/dpkg/parts/ r,
/var/lib/dpkg/parts/* r, /var/lib/dpkg/parts/* r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-trigger @{exec_path} = @{bin}/dpkg-trigger
profile dpkg-trigger @{exec_path} { profile dpkg-trigger @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-vendor @{exec_path} = @{bin}/dpkg-vendor
profile dpkg-vendor @{exec_path} { profile dpkg-vendor @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/perl> include <abstractions/perl>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/querybts @{exec_path} = @{bin}/querybts
profile querybts @{exec_path} { profile querybts @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>
@ -26,16 +26,16 @@ profile querybts @{exec_path} {
network netlink raw, network netlink raw,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/stty rix, @{bin}/stty rix,
/{usr/,}{s,}bin/ldconfig rix, @{bin}/ldconfig rix,
/{usr/,}bin/xdg-open rCx -> open, @{bin}/xdg-open rCx -> open,
/{usr/,}bin/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
/etc/reportbug.conf r, /etc/reportbug.conf r,
owner @{HOME}/.reportbugrc r, owner @{HOME}/.reportbugrc r,
@ -56,26 +56,26 @@ profile querybts @{exec_path} {
/etc/machine-id r, /etc/machine-id r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, @{lib}/firefox/firefox rPUx,
profile open { profile open {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr, @{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, @{lib}/firefox/firefox rPUx,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/reportbug @{exec_path} = @{bin}/reportbug
profile reportbug @{exec_path} { profile reportbug @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/apt-common> include <abstractions/apt-common>
@ -30,39 +30,39 @@ profile reportbug @{exec_path} {
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/{usr/,}{s,}bin/ldconfig rix, @{bin}/ldconfig rix,
/{usr/,}{s,}bin/selinuxenabled rix, @{bin}/selinuxenabled rix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/aa-enabled rix, @{bin}/aa-enabled rix,
/{usr/,}bin/locale rix, @{bin}/locale rix,
/{usr/,}bin/md5sum rix, @{bin}/md5sum rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/stty rix, @{bin}/stty rix,
/usr/share/reportbug/handle_bugscript rix, /usr/share/reportbug/handle_bugscript rix,
/{usr/,}{s,}bin/exim4 rPx, @{bin}/exim4 rPx,
/{usr/,}bin/apt-cache rPx, @{bin}/apt-cache rPx,
/{usr/,}bin/debconf-show rPx, @{bin}/debconf-show rPx,
/{usr/,}bin/debsums rPx, @{bin}/debsums rPx,
/{usr/,}bin/dlocate rPx, @{bin}/dlocate rPx,
/{usr/,}bin/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
/{usr/,}bin/dpkg-query rpx, @{bin}/dpkg-query rpx,
/{usr/,}bin/less rPx -> child-pager, @{bin}/less rPx -> child-pager,
/{usr/,}bin/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
/{usr/,}bin/more rPx -> child-pager, @{bin}/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager, @{bin}/pager rPx -> child-pager,
/{usr/,}bin/systemctl rPx -> child-systemctl, @{bin}/systemctl rPx -> child-systemctl,
/{usr/,}lib/firefox/firefox rPUx, # App allowed to open @{lib}/firefox/firefox rPUx, # App allowed to open
/usr/share/bug/* rPUx, /usr/share/bug/* rPUx,
/{usr/,}bin/gpg{,2} rCx -> gpg, @{bin}/gpg{,2} rCx -> gpg,
/{usr/,}bin/run-parts rCx -> run-parts, @{bin}/run-parts rCx -> run-parts,
/{usr/,}bin/xdg-open rCx -> open, @{bin}/xdg-open rCx -> open,
/{usr/,}lib/python3/dist-packages/pylocales/locales.db rk, @{lib}/python3/dist-packages/pylocales/locales.db rk,
/usr/share/bug/*/{control,presubj} r, /usr/share/bug/*/{control,presubj} r,
/usr/share/X11/xkb/** r, /usr/share/X11/xkb/** r,
@ -92,14 +92,14 @@ profile reportbug @{exec_path} {
profile run-parts { profile run-parts {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/run-parts mr, @{bin}/run-parts mr,
} }
profile gpg { profile gpg {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/gpg{,2} mr, @{bin}/gpg{,2} mr,
owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
@ -113,19 +113,19 @@ profile reportbug @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr, @{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, @{lib}/firefox/firefox rPUx,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}sbin/synaptic /{usr/,}bin/synaptic-pkexec @{exec_path} = @{bin}/synaptic @{bin}/synaptic-pkexec
profile synaptic @{exec_path} { profile synaptic @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -63,13 +63,13 @@ profile synaptic @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/test rix, @{bin}/test rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
# For update-apt-xapian-index # For update-apt-xapian-index
/{usr/,}bin/nice rix, @{bin}/nice rix,
/{usr/,}bin/ionice rix, @{bin}/ionice rix,
# When synaptic is run as root, it wants to exec dbus-launch, and hence it creates the two # When synaptic is run as root, it wants to exec dbus-launch, and hence it creates the two
# following root processes: # following root processes:
@ -77,31 +77,31 @@ profile synaptic @{exec_path} {
# /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
# #
# Should this be allowed? Synaptic works fine without this. # Should this be allowed? Synaptic works fine without this.
#/{usr/,}bin/dbus-launch rCx -> dbus, #@{bin}/dbus-launch rCx -> dbus,
#/{usr/,}bin/dbus-send rCx -> dbus, #@{bin}/dbus-send rCx -> dbus,
deny /{usr/,}bin/dbus-launch rx, deny @{bin}/dbus-launch rx,
deny /{usr/,}bin/dbus-send rx, deny @{bin}/dbus-send rx,
/{usr/,}bin/ps rPx, @{bin}/ps rPx,
/{usr/,}bin/dpkg rPx, @{bin}/dpkg rPx,
/{usr/,}bin/apt-listbugs rPx, @{bin}/apt-listbugs rPx,
/{usr/,}bin/apt-listchanges rPx, @{bin}/apt-listchanges rPx,
/{usr/,}bin/apt-show-versions rPx, @{bin}/apt-show-versions rPx,
/{usr/,}sbin/dpkg-preconfigure rPx, @{bin}/dpkg-preconfigure rPx,
/{usr/,}bin/debtags rPx, @{bin}/debtags rPx,
/{usr/,}sbin/localepurge rPx, @{bin}/localepurge rPx,
/{usr/,}bin/appstreamcli rPx, @{bin}/appstreamcli rPx,
/{usr/,}bin/adequate rPx, @{bin}/adequate rPx,
/{usr/,}sbin/update-command-not-found rPx, @{bin}/update-command-not-found rPx,
/usr/share/command-not-found/cnf-update-db rPx, /usr/share/command-not-found/cnf-update-db rPx,
/{usr/,}sbin/update-apt-xapian-index rPx, @{bin}/update-apt-xapian-index rPx,
/{usr/,}bin/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
/{usr/,}bin/deborphan rPx, @{bin}/deborphan rPx,
/{usr/,}bin/tasksel rPx, @{bin}/tasksel rPx,
/{usr/,}bin/pkexec rPx, @{bin}/pkexec rPx,
# Methods to use to download packages from the net # Methods to use to download packages from the net
/{usr/,}lib/apt/methods/* rPx, @{lib}/apt/methods/* rPx,
/var/lib/apt/lists/** rw, /var/lib/apt/lists/** rw,
/var/lib/apt/lists/lock rwk, /var/lib/apt/lists/lock rwk,
@ -163,9 +163,9 @@ profile synaptic @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
/{usr/,}bin/dbus-launch mr, @{bin}/dbus-launch mr,
/{usr/,}bin/dbus-send mr, @{bin}/dbus-send mr,
/{usr/,}bin/dbus-daemon rPUx, @{bin}/dbus-daemon rPUx,
# for dbus-launch # for dbus-launch
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
