feat(profile): general update.
This commit is contained in:
parent
b0d52d68f4
commit
beaf1bad16
@ -35,6 +35,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
signal (send) peer=apt-methods-*,
|
||||
|
||||
unix (bind) type=stream addr=@@{hex}/bus/apt/system,
|
||||
unix (send, receive) type=stream peer=(label=apt-esm-json-hook),
|
||||
unix (send, receive) type=stream peer=(label=snapd),
|
||||
|
||||
@ -226,6 +227,8 @@ profile apt @{exec_path} flags=(attach_disconnected) {
|
||||
capability net_admin,
|
||||
capability sys_resource,
|
||||
|
||||
signal (send) set=(cont, term) peer=systemd-tty-ask-password-agent,
|
||||
|
||||
@{bin}/systemd-tty-ask-password-agent rPx,
|
||||
|
||||
owner @{run}/systemd/ask-password-block/{,*} rw,
|
||||
|
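Review bot: The new `signal (send) set=(cont, term) peer=systemd-tty-ask-password-agent,` line in the second apt hunk only takes effect if the agent's profile carries a matching receive rule, and the systemd-tty-ask-password-agent hunk later in this commit lists receive peers `*//systemctl`, `default` and `logrotate` but not `apt`. Unless that receive rule exists outside the shown hunk, the term/cont delivery is still rejected on the receiving side, since AppArmor mediates signals at both ends. Suggest adding `signal (receive) set=(term cont) peer=apt,` to that profile, or a comment here naming where the receive side lives. The apt profile body continues outside the hunk.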
@ -21,6 +21,7 @@ profile dpkg-preconfigure @{exec_path} {
|
||||
|
||||
@{sh_path} rix,
|
||||
@{bin}/locale rix,
|
||||
@{bin}/sed rix,
|
||||
@{bin}/stty rix,
|
||||
|
||||
@{bin}/dpkg rPx -> child-dpkg,
|
||||
|
@ -176,6 +176,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
||||
owner /tmp/Temp-@{uuid}/{**,} rw,
|
||||
owner /tmp/tmp-???.xpi rw,
|
||||
owner /tmp/tmpaddon r,
|
||||
owner /tmp/tmpaddon-@{int} r,
|
||||
owner /tmp/user/@{uid}/ rw,
|
||||
owner /tmp/user/@{uid}/@{name}/ rw,
|
||||
owner /tmp/user/@{uid}/@{name}/* rwk,
|
||||
|
@ -42,7 +42,7 @@ profile firefox-kmozillahelper @{exec_path} {
|
||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
|
||||
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_cache_dirs}/ksycoca5_* r,
|
||||
owner @{user_cache_dirs}/ksycoca{5,6}_* r,
|
||||
|
||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
||||
owner @{user_config_dirs}/kdedefaults/kwinrc r,
|
||||
|
@ -47,6 +47,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
|
||||
@{bin}/ r,
|
||||
|
||||
@{bin}/* rPUx,
|
||||
@{bin}/{false,true} rix,
|
||||
@{bin}/dbus-launch rix,
|
||||
@{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rix, # See #74, #80 & #235
|
||||
@{lib}/{,kf6/}kauth/{,libexec/}* rPx,
|
||||
|
@ -19,10 +19,10 @@ profile dbus-daemon-launch-helper @{exec_path} {
|
||||
@{exec_path} mr,
|
||||
|
||||
@{lib}/{,cups-pk-helper/}cups-pk-helper-mechanism rPx,
|
||||
@{lib}/{,kf6/}kauth/{,libexec/}* rPx,
|
||||
@{lib}/{,polkit-1/}polkitd rPx,
|
||||
@{lib}/{,udisks2/}udisksd rPx,
|
||||
@{lib}/@{multiarch}/cups-pk-helper-mechanism rPx,
|
||||
@{lib}/kauth/{,libexec/}* rPx,
|
||||
@{lib}/language-selector/ls-dbus-backend rPx,
|
||||
@{lib}/software-properties/software-properties-dbus rPx,
|
||||
|
||||
|
@ -41,6 +41,8 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
|
||||
/var/lib/gdm{3,}/.config/dconf/user rw,
|
||||
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||
|
||||
owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw,
|
||||
|
||||
owner @{user_config_dirs}/ibus/bus/ r,
|
||||
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
|
||||
|
||||
|
@ -33,15 +33,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
|
||||
# dbus: own bus=system name=org.gnome.DisplayManager
|
||||
|
||||
# dbus: talk bus=system name=org.freedesktop.login1 label=systemd-logind
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/Accounts
|
||||
interface=org.freedesktop.Accounts
|
||||
member={ListCachedUsers,UserAdded}
|
||||
peer=(name=:*, label=accounts-daemon),
|
||||
dbus send bus=system path=/org/freedesktop/Accounts
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=accounts-daemon),
|
||||
# dbus: talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
|
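Review bot: Replacing the two member-scoped `dbus send` rules on `/org/freedesktop/Accounts` (ListCachedUsers/UserAdded and Properties.GetAll) with `# dbus: talk bus=system name=org.freedesktop.Accounts label=accounts-daemon` widens what gdm may call on accounts-daemon: by my reading of how the `talk` directive is used elsewhere in this repository it expands to unrestricted send and receive on the whole interface tree, which includes account creation and password-setting methods. If gdm genuinely needs more than the three members listed before, a short comment naming them would justify the change; otherwise keeping the explicit rules preserves least privilege on a root daemon. The gdm profile body continues outside the hunk.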
@ -58,7 +58,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{user_share_dirs}/ w,
|
||||
owner @{run}/user/@{uid}/keyring/ rw,
|
||||
owner @{run}/user/@{uid}/keyring/* rw,
|
||||
owner @{run}/user/@{uid}/ssh-askpass.[0-9A-Z]*/{,*} rw,
|
||||
owner @{run}/user/@{uid}/ssh-askpass.@{rand6}/{,*} rw,
|
||||
@{run}/user/@{uid}/keyring/control r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
@ -39,7 +39,7 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
|
||||
/var/lib/gdm{3,}/.config/dconf/user r,
|
||||
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||
|
||||
@{run}/systemd/sessions/@{int} r,
|
||||
@{run}/systemd/sessions/* r,
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
|
||||
@{PROC}/@{pid}/cgroup r,
|
||||
|
@ -9,25 +9,38 @@ include <tunables/global>
|
||||
@{exec_path} = @{bin}/loupe
|
||||
profile loupe @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bwrap>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/user-read>
|
||||
|
||||
signal (send) set=(kill) peer=loupe//bwrap,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/bwrap rix,
|
||||
@{lib}/glycin-loaders/*/glycin-image-rs rix,
|
||||
@{bin}/bwrap rCx -> bwrap,
|
||||
|
||||
/usr/share/glycin-loaders/{,**} r,
|
||||
|
||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} r,
|
||||
owner @{user_books_dirs}/{,**} r,
|
||||
owner @{user_download_dirs}/{,**} r,
|
||||
owner @{user_pictures_dirs}/{,**} r,
|
||||
owner @{user_torrents_dirs}/{,**} r,
|
||||
owner @{user_work_dirs}/{,**} r,
|
||||
@{sys}/fs/cgroup/user.slice/cpu.max r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
|
||||
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
|
||||
profile bwrap flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bwrap>
|
||||
|
||||
signal (receive) set=(kill) peer=loupe,
|
||||
|
||||
@{bin}/bwrap mr,
|
||||
@{lib}/glycin-loaders/*/glycin-image-rs rix,
|
||||
|
||||
include if exists <local/loupe_bwrap>
|
||||
}
|
||||
|
||||
include if exists <local/loupe>
|
||||
}
|
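Review bot: Inside the new `bwrap` child profile, `@{lib}/glycin-loaders/*/glycin-image-rs rix,` runs the image decoder with the child's own permissions, so the process parsing untrusted image data inherits everything `abstractions/bwrap` grants for sandbox setup rather than a loader-specific rule set. Since confining that decoder appears to be the reason for the `rCx -> bwrap` transition, a comment such as `# glycin loader runs inside the bwrap sandbox; its file access is the sandbox's` would record the intent, and a dedicated transition is worth considering if the bwrap abstraction turns out wider than the loader needs. Minor: the two `cpu.max` rules under `user@@{uid}.service` differ only by `app.slice/` and can be merged as `@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,app.slice/}cpu.max r,`.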
@ -17,10 +17,6 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}{local/,}{s,}bin/zfs rPx,
|
||||
/{usr/,}{local/,}{s,}bin/zpool rPx,
|
||||
@{bin}/dmsetup rPUx,
|
||||
@{bin}/grub-probe rPx,
|
||||
@{sh_path} rix,
|
||||
@{bin}/{e,f,}grep rix,
|
||||
@{bin}/{m,g,}awk rix,
|
||||
@ -31,11 +27,13 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
|
||||
@{bin}/cut rix,
|
||||
@{bin}/date rix,
|
||||
@{bin}/dirname rix,
|
||||
@{bin}/dmsetup rPUx,
|
||||
@{bin}/dpkg rPx,
|
||||
@{bin}/find rix,
|
||||
@{bin}/findmnt rPx,
|
||||
@{bin}/gettext rix,
|
||||
@{bin}/grub-mkrelpath rPx,
|
||||
@{bin}/grub-probe rPx,
|
||||
@{bin}/grub-script-check rPx,
|
||||
@{bin}/head rix,
|
||||
@{bin}/id rPx,
|
||||
@ -58,36 +56,38 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
|
||||
@{bin}/umount rPx,
|
||||
@{bin}/uname rix,
|
||||
@{bin}/which{.debianutils,} rix,
|
||||
/etc/grub.d/{**,} rix,
|
||||
@{bin}/zfs rPx,
|
||||
@{bin}/zpool rPx,
|
||||
/etc/grub.d/{,**} rix,
|
||||
|
||||
@{lib}/gconv/gconv-modules r,
|
||||
@{lib}/gconv/gconv-modules.d/{,gconv-modules-extra.conf} r,
|
||||
@{lib}/grub/grub-sort-version rPx,
|
||||
@{lib}/libostree/grub[0-9]-@{int}_ostree rix,
|
||||
|
||||
/boot/{**,} r,
|
||||
/boot/grub/{**,} rw,
|
||||
/usr/share/grub/{,**} r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
/etc/default/grub r,
|
||||
/etc/default/grub-btrfs/config r,
|
||||
/etc/default/grub.d/{*,} r,
|
||||
|
||||
/usr/share/grub/{**,} r,
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
/.zfs/snapshot/*/boot/ r,
|
||||
/.zfs/snapshot/*/etc/{machine-id,} r,
|
||||
/.zfs/snapshot/*/etc/fstab r,
|
||||
/.zfs/snapshot/*/{usr/,}lib/os-release r,
|
||||
/etc/default/grub.d/{,*} r,
|
||||
|
||||
/ r,
|
||||
|
||||
owner /tmp/** rw,
|
||||
/.zfs/snapshot/*/@{lib}/os-release r,
|
||||
/.zfs/snapshot/*/boot/ r,
|
||||
/.zfs/snapshot/*/etc/ r,
|
||||
/.zfs/snapshot/*/etc/fstab r,
|
||||
/.zfs/snapshot/*/etc/machine-id r,
|
||||
|
||||
/boot/{,**} r,
|
||||
/boot/grub/{,**} rw,
|
||||
|
||||
# owner /tmp/** rw,
|
||||
|
||||
@{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
|
||||
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
@{PROC}/@{pids}/mounts r,
|
||||
|
||||
@{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
|
||||
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/grub-mkconfig>
|
||||
|
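Review bot: `# owner /tmp/** rw,` leaves a commented-out rule in the profile with no indication of whether the access was dropped on purpose or is expected to return; dead rules like this tend to be re-enabled by the next person who hits a denial. Either delete it or replace it with a one-line reason for dropping the /tmp access. Separately, `/.zfs/snapshot/*/@{lib}/os-release r,` splices the `@{lib}` variable into a non-leading position; if `@{lib}` expands with a leading slash, the resulting `*//...lib` pattern should be confirmed to match, since the previous `{usr/,}lib/` spelling was unambiguous. The grub-mkconfig profile body continues outside these hunks.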
@ -15,7 +15,7 @@ profile drkonqi-coredump-processor @{exec_path} {
|
||||
/{run,var}/log/journal/ r,
|
||||
/{run,var}/log/journal/@{md5}/ r,
|
||||
/{run,var}/log/journal/@{md5}/user-@{uid}.journal r,
|
||||
/{run,var}/log/journal/@{md5}/user-@{uid}@@{uuid}.journal r,
|
||||
/{run,var}/log/journal/@{md5}/user-@{uid}@@{hex}.journal r,
|
||||
|
||||
include if exists <local/drkonqi-coredump-processor>
|
||||
}
|
@ -103,6 +103,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
||||
owner @{user_cache_dirs}/bookmarksrunner/** rwkl -> @{user_cache_dirs}/bookmarksrunner/#@{int},
|
||||
owner @{user_cache_dirs}/event-sound-cache.tdb.@{md5}.x86_64-pc-linux-gnu rwk,
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_cache_dirs}/kcrash-metadata/plasmashell.*.ini w,
|
||||
owner @{user_cache_dirs}/ksvg-elements* rwlk -> @{user_cache_dirs}/#@{int},
|
||||
owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int},
|
||||
owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw,
|
||||
|
@ -14,5 +14,12 @@ profile gcr-ssh-agent @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/ssh-agent rPx,
|
||||
@{bin}/ssh-add rix,
|
||||
|
||||
owner @{HOME}/@{XDG_SSH_DIR}/* r,
|
||||
|
||||
owner @{run}/user/@{uid}/ssh-askpass.@{rand6}/{,*} rw,
|
||||
|
||||
include if exists <local/gcr-ssh-agent>
|
||||
}
|
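Review bot: `owner @{HOME}/@{XDG_SSH_DIR}/* r,` covers private keys and `config` as well as the `.pub` files, and because `@{bin}/ssh-add rix,` keeps ssh-add under this profile, ssh-add is presumably the intended reader of those private keys; a comment would make the scope explicit, e.g. `# ssh-add runs inline (ix) and loads private keys from here, hence * rather than *.pub`. If only the agent itself needs the directory, restricting to `*.pub` and leaving key handling to the `rPx` ssh-agent transition would be tighter. The gcr-ssh-agent hunk starts inside the profile body.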
@ -7,8 +7,10 @@ abi <abi/3.0>,
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/systemd-dissect
|
||||
profile systemd-dissect @{exec_path} {
|
||||
profile systemd-dissect @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/disks-read>
|
||||
|
||||
capability dac_read_search,
|
||||
capability sys_admin,
|
||||
@ -16,6 +18,9 @@ profile systemd-dissect @{exec_path} {
|
||||
|
||||
mount options=(rw, rslave) -> /,
|
||||
mount options=(rw, nodev) -> /mnt/*/,
|
||||
mount -> /tmp/dissect-@{rand6}/,
|
||||
|
||||
signal (send) set=(cont) peer=child-pager,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@ -30,13 +35,14 @@ profile systemd-dissect @{exec_path} {
|
||||
@{user_projects_dirs}/{,**} r,
|
||||
@{user_vm_dirs}/{,**} r,
|
||||
|
||||
owner /tmp/dissect-*/{,**} rw,
|
||||
owner /tmp/dissect-@{rand6}/{,**} rw,
|
||||
|
||||
@{sys}/devices/virtual/block/loop@{int}/{,**} r,
|
||||
@{sys}/kernel/uevent_seqnum r,
|
||||
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
|
||||
/dev/btrfs-control rw,
|
||||
/dev/loop-control rwk,
|
||||
/dev/loop* rwk,
|
||||
|
||||
|
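Review bot: The added `mount -> /tmp/dissect-@{rand6}/,` carries no `fstype=` or `options=` constraint, unlike the two mount rules directly above it that pin `options=(rw, rslave)` and `options=(rw, nodev)`; as written, any source and filesystem type may be mounted at that target. If dissect only attaches the loop-backed image partitions there, narrowing to the options actually observed keeps a `capability sys_admin` profile from becoming a general-purpose mount helper. A short comment naming the operation that needs it, e.g. `# mount point used by systemd-dissect --mount`, would also help the next reviewer. The systemd-dissect profile body continues outside these hunks.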
@ -16,6 +16,7 @@ profile systemd-tty-ask-password-agent @{exec_path} {
|
||||
capability net_admin,
|
||||
capability sys_resource,
|
||||
|
||||
signal (receive) set=(term cont) peer=*//systemctl,
|
||||
signal (receive) set=(term cont) peer=default,
|
||||
signal (receive) set=(term cont) peer=logrotate,
|
||||
|
||||
|
@ -18,6 +18,8 @@ profile list-oem-metapackages @{exec_path} {
|
||||
@{bin}/dpkg rPx -> child-dpkg,
|
||||
@{bin}/ischroot rix,
|
||||
|
||||
@{lib}/python3/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
@{sys}/devices/ r,
|
||||
|
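Review bot: `@{lib}/python3/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw,` lets the profile write bytecode cache files into a system-wide Python package directory, and the update-manager hunk below adds the same pattern for `UpdateManager`, `gi` and `uaclient`. A writable `__pycache__` under `/usr/lib` only matters when the tool runs as root, but in that case a `.pyc` written there is loaded by every later process importing the module, so the line deserves a comment recording why the write is needed (or a `deny` rule if it is only noise from a root invocation). If the repository's python abstraction already covers this path, the line is redundant and can go. The list-oem-metapackages profile body continues outside the hunk.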
@ -50,6 +50,10 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
|
||||
@{bin}/uname rix,
|
||||
@{lib}/apt/methods/http{,s} rPx,
|
||||
|
||||
@{lib}/python3/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw,
|
||||
@{lib}/python3/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw,
|
||||
@{lib}/python3/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw,
|
||||
|
||||
/usr/share/distro-info/{,**} r,
|
||||
/usr/share/ubuntu-release-upgrader/{,**} r,
|
||||
/usr/share/update-manager/{,**} r,
|
||||
|
@ -67,9 +67,6 @@ profile update-notifier @{exec_path} {
|
||||
/usr/share/dpkg/cputable r,
|
||||
/usr/share/dpkg/tupletable r,
|
||||
/usr/share/update-notifier/{,**} r,
|
||||
/usr/share/X11/{,**} r,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
/var/lib/snapd/desktop/applications/{,**} r,
|
||||
/var/lib/update-notifier/user.d/ r,
|
||||
@ -89,6 +86,8 @@ profile update-notifier @{exec_path} {
|
||||
include <abstractions/systemctl>
|
||||
include <abstractions/bus-system>
|
||||
|
||||
unix (bind) type=stream addr=@@{hex}/bus/systemctl/system,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd1.Manager
|
||||
member=GetUnitFileState
|
||||
|
@ -17,10 +17,11 @@ profile adduser @{exec_path} {
|
||||
capability chown,
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
capability setuid,
|
||||
capability setgid,
|
||||
capability fowner,
|
||||
capability fsetid,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
capability sys_admin,
|
||||
|
||||
@{exec_path} r,
|
||||
@{bin}/perl r,
|
||||
|
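Review bot: `capability sys_admin,` is added to adduser without a comment naming the operation that requires it, and it is far broader than the remaining chown/dac/fowner/fsetid/setgid/setuid set that account creation is expected to need. If the need comes from a specific step (quota or filesystem-attribute handling, for example), a comment on the line such as `# sys_admin: <operation seen in the denial log>` lets a later reviewer re-check it, and if it is only triggered by a child process, scoping it to that child's profile keeps the main profile tighter. The adduser profile body continues outside the hunk.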
@ -22,7 +22,7 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
|
||||
dbus receive bus=system path=/org/freedesktop/bolt
|
||||
interface=org.freedesktop.bolt1.Manager
|
||||
member=ListDevices
|
||||
peer=(name=:*, label=kded5),
|
||||
peer=(name=:*, label=kded),
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/bolt{,/**}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
|
@ -46,7 +46,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
|
||||
signal (receive) set=(int) peer=flatpak-portal,
|
||||
|
||||
@{bin}/** rmix,
|
||||
@{lib}/kf5/kioslave5 rPx,
|
||||
@{lib}/** rmix,
|
||||
/app/** rmix,
|
||||
/var/lib/flatpak/app/*/**/@{bin}/** rmix,
|
||||
@ -57,6 +56,9 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
|
||||
@{bin}/update-mime-database rPx -> flatpak-app//&update-mime-database,
|
||||
@{bin}/xdg-dbus-proxy rPx -> flatpak-app//&xdg-dbus-proxy,
|
||||
|
||||
@{lib}/kf5/kioslave5 rPx,
|
||||
@{lib}/kf6/kioworker rPx,
|
||||
|
||||
/var/lib/flatpak/app/{,**} r,
|
||||
|
||||
/usr/share/flatpak/triggers/* rix,
|
||||
|
@ -53,6 +53,7 @@ profile mkinitramfs @{exec_path} {
|
||||
@{bin}/xargs rix,
|
||||
@{bin}/xz rix,
|
||||
@{bin}/zstd rix,
|
||||
@{lib}/dracut/dracut-install rix,
|
||||
|
||||
@{bin}/find rCx -> find,
|
||||
@{bin}/kmod rCx -> kmod,
|
||||
|
@ -9,6 +9,8 @@ include <tunables/global>
|
||||
@{exec_path} = @{bin}/scrcpy
|
||||
profile scrcpy @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/graphics>
|
||||
|
||||
network inet stream,
|
||||
|
@ -46,7 +46,7 @@ profile snap @{exec_path} {
|
||||
@{bin}/mount rix,
|
||||
|
||||
@{bin}/gpg{,2} rCx -> gpg,
|
||||
@{bin}/systemctl rPx -> child-systemctl,
|
||||
@{bin}/systemctl rCx -> systemctl,
|
||||
|
||||
@{lib_dirs}/snapd/snap-confine rPx,
|
||||
@{lib_dirs}/snapd/snap-seccomp rPx,
|
||||
@ -58,8 +58,9 @@ profile snap @{exec_path} {
|
||||
/var/cache/snapd/commands.db rwk,
|
||||
/var/cache/snapd/names r,
|
||||
|
||||
/snap/{,**} rw,
|
||||
@{HOME}/snap/{,**} rw,
|
||||
/snap/{,**} rw,
|
||||
/var/lib/gdm{,3}/snap/{,**} rw,
|
||||
|
||||
owner /tmp/snapd-auto-import-mount-@{int}/ rw,
|
||||
|
||||
@ -104,5 +105,12 @@ profile snap @{exec_path} {
|
||||
include if exists <local/snap_gpg>
|
||||
}
|
||||
|
||||
profile systemctl {
|
||||
include <abstractions/base>
|
||||
include <abstractions/systemctl>
|
||||
|
||||
include if exists <local/snap_systemctl>
|
||||
}
|
||||
|
||||
include if exists <local/snap>
|
||||
}
|
||||
|
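Review bot: The new local `profile systemctl { ... }` child that replaces `@{bin}/systemctl rPx -> child-systemctl,` contains only `abstractions/base`, `abstractions/systemctl` and a local include, and the same block is duplicated verbatim in the snap-failure and udisksd hunks below, with no comment saying why a per-parent `rCx` child is now preferred over the shared `child-systemctl` profile. Presumably `abstractions/systemctl` supplies the `@{bin}/systemctl mr,` rule and the rest of what the child needs — worth confirming, since a child with no exec rule for its own binary fails at the transition. A one-line comment above the child, e.g. `# local child so systemctl carries the snap//systemctl peer label`, would record the intent; the `peer=*//systemctl` receive rule added to systemd-tty-ask-password-agent in this commit suggests that is the reason. Separately, `/var/lib/gdm{,3}/snap/{,**} rw,` spells the alternation `gdm{,3}` where the other profiles in this commit use `gdm{3,}`.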
@ -14,7 +14,7 @@ profile snap-failure @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/systemctl rPx -> child-systemctl,
|
||||
@{bin}/systemctl rCx -> systemctl,
|
||||
@{lib_dirs}/snapd/snapd rPx,
|
||||
|
||||
/var/lib/snapd/sequence/snapd.json r,
|
||||
@ -23,5 +23,12 @@ profile snap-failure @{exec_path} {
|
||||
|
||||
@{PROC}/cmdline r,
|
||||
|
||||
profile systemctl {
|
||||
include <abstractions/base>
|
||||
include <abstractions/systemctl>
|
||||
|
||||
include if exists <local/snap-failure_systemctl>
|
||||
}
|
||||
|
||||
include if exists <local/snap-failure>
|
||||
}
|
@ -33,6 +33,8 @@ profile terminator @{exec_path} flags=(attach_disconnected) {
|
||||
# The shell is not confined on purpose.
|
||||
@{bin}/@{shells} rUx,
|
||||
|
||||
@{open_path} rPx,
|
||||
|
||||
owner @{user_config_dirs}/terminator/{,**} rw,
|
||||
|
||||
owner /tmp/#@{int} rw,
|
||||
|
@ -84,7 +84,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
|
||||
@{bin}/ntfsfix rPx,
|
||||
@{bin}/sfdisk rPx,
|
||||
@{bin}/sgdisk rPx,
|
||||
@{bin}/systemctl rPx -> child-systemctl,
|
||||
@{bin}/systemctl rCx -> systemctl,
|
||||
@{bin}/systemd-escape rPx,
|
||||
|
||||
/etc/udisks2/{,**} r,
|
||||
@ -138,5 +138,12 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
|
||||
/dev/loop-control rw,
|
||||
/dev/null.@{int} rw,
|
||||
|
||||
profile systemctl {
|
||||
include <abstractions/base>
|
||||
include <abstractions/systemctl>
|
||||
|
||||
include if exists <local/udisksd_systemctl>
|
||||
}
|
||||
|
||||
include if exists <local/udisksd>
|
||||
}
|
||||
|