feat(profile): general update.

This commit is contained in:
Alexandre Pujol 2024-05-08 20:08:41 +01:00
parent da7747e0fe
commit bed9545082
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
11 changed files with 43 additions and 33 deletions


@ -3,10 +3,9 @@
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
/usr/share/qt{,5,6}/qtlogging.ini r, /usr/share/qt{,5,6}/qtlogging.ini r,
/usr/share/qt{,5,6}/resources/*.pak r,
/usr/share/qt{,5,6}/translations/*.qm r, /usr/share/qt{,5,6}/translations/*.qm r,
/usr/share/qt{,5,6}/translations/qtwebengine_locales/*.pak r, /usr/share/qt{,5,6}/translations/qtwebengine_locales/*.pak r,
/usr/share/qt{,5,6}/resources/*.pak r,
# Qt5CT and Qt6CT support and integration with others DE
/usr/share/qt{,5,6}ct/{,**} r, /usr/share/qt{,5,6}ct/{,**} r,
owner @{user_config_dirs}/qt{,5,6}ct/{,**} r, owner @{user_config_dirs}/qt{,5,6}ct/{,**} r,


@ -8,26 +8,26 @@
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{MOUNTS}/ r, owner @{MOUNTS}/ r,
owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} r, owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} rk,
owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} r, owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rk,
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rk,
owner @{MOUNTS}/@{XDG_DESKTOP_DIR}/{,**} r, owner @{MOUNTS}/@{XDG_DESKTOP_DIR}/{,**} rk,
owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} r, owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} rk,
owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} rk,
owner @{user_books_dirs}/{,**} r, owner @{user_books_dirs}/{,**} rk,
owner @{user_documents_dirs}/{,**} r, owner @{user_documents_dirs}/{,**} rk,
owner @{user_download_dirs}/{,**} r, owner @{user_download_dirs}/{,**} rk,
owner @{user_games_dirs}/{,**} r, owner @{user_games_dirs}/{,**} rk,
owner @{user_music_dirs}/{,**} r, owner @{user_music_dirs}/{,**} rk,
owner @{user_pictures_dirs}/{,**} r, owner @{user_pictures_dirs}/{,**} rk,
owner @{user_projects_dirs}/{,**} r, owner @{user_projects_dirs}/{,**} rk,
owner @{user_publicshare_dirs}/{,**} r, owner @{user_publicshare_dirs}/{,**} rk,
owner @{user_sync_dirs}/{,**} r, owner @{user_sync_dirs}/{,**} rk,
owner @{user_templates_dirs}/{,**} r, owner @{user_templates_dirs}/{,**} rk,
owner @{user_torrents_dirs}/{,**} r, owner @{user_torrents_dirs}/{,**} rk,
owner @{user_videos_dirs}/{,**} r, owner @{user_videos_dirs}/{,**} rk,
owner @{user_vm_dirs}/{,**} r, owner @{user_vm_dirs}/{,**} rk,
owner @{user_work_dirs}/{,**} r, owner @{user_work_dirs}/{,**} rk,
include if exists <abstractions/user-read-strict.d> include if exists <abstractions/user-read-strict.d>
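Review bot: Every rule from the `@{XDG_DESKTOP_DIR}` line down to `@{user_work_dirs}` gains `k` (file locking) in an abstraction whose name, user-read-strict, advertises read-only access, and nothing in the hunk records which application needed to lock files it cannot write. Lock permission is a capability in its own right: a confined reader can now hold advisory locks on documents that other programs honour, so the broadening deserves a why-comment at the top of the list, e.g. `# k: some readers lock documents while they are open; granted on all user content dirs (TODO: name the caller)`. If only one directory class actually needs it, granting `k` on that rule alone would keep the abstraction closer to its name.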


@ -26,8 +26,8 @@ profile dpkg-split @{exec_path} {
/var/cache/apt/archives/*.deb r, /var/cache/apt/archives/*.deb r,
@{user_pkg_dirs}/** r,
owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
owner @{user_pkg_dirs}/** r,
include if exists <local/dpkg-split> include if exists <local/dpkg-split>
} }


@ -17,6 +17,7 @@ include <tunables/global>
profile dbus-session flags=(attach_disconnected) { profile dbus-session flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
unix (send receive) type=stream addr=none peer=(label=gnome-shell, addr=none), unix (send receive) type=stream addr=none peer=(label=gnome-shell, addr=none),
@ -62,7 +63,8 @@ profile dbus-session flags=(attach_disconnected) {
owner @{PROC}/@{pid}/oom_score_adj r, owner @{PROC}/@{pid}/oom_score_adj r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
/dev/ptmx rw,
/dev/tty@{int} rw, /dev/tty@{int} rw,
include if exists <local/dbus-session> include if exists <local/dbus-session>
} }
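Review bot: The new `/dev/ptmx rw,` in the second hunk lets the session bus allocate pseudo-terminal masters, and together with the `include <abstractions/consoles>` added in the first hunk this gives a message bus the ability to open and drive terminals, which is broader than its normal job of relaying messages; no comment says which invocation path needs it. If the access is only required when the daemon is started interactively (presumably via something like dbus-run-session, which I cannot confirm from the page), a comment such as `# Pty allocation needed when the bus is launched from a terminal session` above `/dev/ptmx rw,` would let the next maintainer judge whether the consoles abstraction alone suffices. The profile body begins before the first hunk, so I cannot see whether a narrower rule already exists elsewhere in it.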


@ -53,16 +53,19 @@ profile dbus-system flags=(attach_disconnected) {
@{user_share_dirs}/icc/ r, @{user_share_dirs}/icc/ r,
@{user_share_dirs}/icc/edid-@{hex32}.icc r, @{user_share_dirs}/icc/edid-@{hex32}.icc r,
@{run}/systemd/users/@{int} r,
@{run}/systemd/sessions/*.ref rw,
@{run}/systemd/inhibit/*.ref rw, @{run}/systemd/inhibit/*.ref rw,
@{run}/systemd/notify w,
@{run}/systemd/sessions/*.ref rw,
@{run}/systemd/users/@{int} r,
@{sys}/kernel/security/apparmor/.access rw, @{sys}/kernel/security/apparmor/.access rw,
@{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/kernel/security/apparmor/features/dbus/mask r,
@{sys}/module/apparmor/parameters/enabled r, @{sys}/module/apparmor/parameters/enabled r,
@{PROC}/@{pid}/attr/apparmor/current r,
@{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/environ r, @{PROC}/@{pid}/environ r,
@{PROC}/@{pid}/mounts r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
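Review bot: The added `@{PROC}/@{pid}/mounts r,` is not qualified with `owner`, whereas the dbus-session hunk in this same commit adds the equivalent rule as `owner @{PROC}/@{pid}/mounts r,`; unless the system bus genuinely needs other processes' mount tables, `owner @{PROC}/@{pid}/mounts r,` is the tighter and consistent form. The new `@{PROC}/@{pid}/attr/apparmor/current r,` is also unqualified, which is plausibly intentional since the bus reports peer confinement labels for arbitrary clients (inferred, not shown here), and it matches the surrounding unqualified `cmdline`/`environ` context lines, but a one-line comment such as `# Peer label lookup for any connecting client` would make that deliberate rather than accidental. The `@{run}/systemd/notify w,` addition is fine as a readiness notification path. The profile body continues outside the hunk.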


@ -268,6 +268,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-boxes/*.png r,
owner @{user_cache_dirs}/gnome-photos/{,**} r, owner @{user_cache_dirs}/gnome-photos/{,**} r,
owner @{user_cache_dirs}/gnome-screenshot/{,**} rw, owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
owner @{user_cache_dirs}/gnome-software/icons/{,**} r,
owner @{user_cache_dirs}/libgweather/{,**} rw, owner @{user_cache_dirs}/libgweather/{,**} rw,
owner @{user_cache_dirs}/media-art/{,**} r, owner @{user_cache_dirs}/media-art/{,**} r,
owner @{user_cache_dirs}/vlc/**/*.jpg r, owner @{user_cache_dirs}/vlc/**/*.jpg r,


@ -19,9 +19,14 @@ profile dmesg @{exec_path} {
@{sh_path} rix, @{sh_path} rix,
@{bin}/less rPx -> child-pager, @{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
/usr/share/terminfo/** r,
owner @{PROC}/sys/kernel/pid_max r,
/dev/kmsg r, /dev/kmsg r,
/usr/share/terminfo/** r,
deny /{usr/,}local/bin/ r, deny /{usr/,}local/bin/ r,
deny @{bin}/{,*/} r, deny @{bin}/{,*/} r,
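Review bot: `owner @{PROC}/sys/kernel/pid_max r,` restricts the read to invocations whose fsuid matches the file owner, and sysctl entries under /proc/sys are root-owned, so the rule only ever matches when dmesg runs as root; an unprivileged user running dmesg (permitted on systems where the kernel allows it) would hit a denial instead. If the read is genuinely needed, `@{PROC}/sys/kernel/pid_max r,` without `owner` is the correct form, matching how the other global paths in this hunk (`/dev/kmsg`, `/usr/share/terminfo/**`) are written. The two new pager transitions to `child-pager` look right and keep the pager confined. The profile body continues outside the hunk.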


@ -30,6 +30,7 @@ profile landscape-sysinfo @{exec_path} {
@{run}/utmp rwk, @{run}/utmp rwk,
@{sys}/class/hwmon/ r,
@{sys}/class/thermal/ r, @{sys}/class/thermal/ r,
@{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r, @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r,


@ -153,14 +153,15 @@ profile snapd @{exec_path} {
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
@{sys}/kernel/kexec_loaded r, @{sys}/kernel/kexec_loaded r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@{sys}/kernel/security/apparmor/features/ r, @{sys}/kernel/security/apparmor/features/{,*/} r,
@{sys}/kernel/security/apparmor/profiles r, @{sys}/kernel/security/apparmor/profiles r,
@{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r, @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r,
@{PROC}/@{pids}/cgroup r, @{PROC}/@{pid}/cgroup r,
@{PROC}/@{pids}/stat r, @{PROC}/@{pid}/mounts r,
@{PROC}/@{pid}/stat r,
@{PROC}/cgroups r, @{PROC}/cgroups r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/sys/kernel/seccomp/actions_avail r, @{PROC}/sys/kernel/seccomp/actions_avail r,
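Review bot: The new `@{PROC}/@{pid}/mounts r,` (and the `cgroup`/`stat` rules it sits beside) is unqualified by `owner`, while the dbus-session hunk in this commit uses `owner @{PROC}/@{pid}/mounts r,` for the same file; if snapd only ever reads its own mount table, the `owner` form is tighter. If instead it must inspect processes belonging to the users who run snap applications (which would explain the unqualified `cgroup` and `stat` rules, though the page does not show this), a short comment such as `# snapd inspects the processes it launched on behalf of users` above the group would document the choice. The widening of `features/ r` to `features/{,*/} r` only adds directory listing of one level below, which is low risk. The profile body continues outside the hunk.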


@ -1,5 +1,4 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Extended system directories definition
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only


@ -1,5 +1,4 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Extended user XDG directories definition
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only