feat(profile): general update.
This commit is contained in:
parent
da7747e0fe
commit
bed9545082
@ -3,10 +3,9 @@
|
|||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
/usr/share/qt{,5,6}/qtlogging.ini r,
|
/usr/share/qt{,5,6}/qtlogging.ini r,
|
||||||
|
/usr/share/qt{,5,6}/resources/*.pak r,
|
||||||
/usr/share/qt{,5,6}/translations/*.qm r,
|
/usr/share/qt{,5,6}/translations/*.qm r,
|
||||||
/usr/share/qt{,5,6}/translations/qtwebengine_locales/*.pak r,
|
/usr/share/qt{,5,6}/translations/qtwebengine_locales/*.pak r,
|
||||||
/usr/share/qt{,5,6}/resources/*.pak r,
|
|
||||||
|
|
||||||
# Qt5CT and Qt6CT support and integration with others DE
|
|
||||||
/usr/share/qt{,5,6}ct/{,**} r,
|
/usr/share/qt{,5,6}ct/{,**} r,
|
||||||
|
|
||||||
owner @{user_config_dirs}/qt{,5,6}ct/{,**} r,
|
owner @{user_config_dirs}/qt{,5,6}ct/{,**} r,
|
||||||
|
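Review bot: As rendered, the hunk drops the comment `# Qt5CT and Qt6CT support and integration with others DE` that sat above the qtct rules, leaving `/usr/share/qt{,5,6}ct/{,**} r,` and `owner @{user_config_dirs}/qt{,5,6}ct/{,**} r,` with no explanation of why a generic Qt abstraction reads qt5ct/qt6ct configuration. That comment was the only justification for the grant, so keep it, with the grammar fixed: `# Qt5CT and Qt6CT support and integration with other desktop environments`. If the line was merely moved rather than deleted, this is moot. The abstraction's header and footer are outside the hunk.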
@ -8,26 +8,26 @@
|
|||||||
owner @{HOME}/ r,
|
owner @{HOME}/ r,
|
||||||
owner @{MOUNTS}/ r,
|
owner @{MOUNTS}/ r,
|
||||||
|
|
||||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} r,
|
owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} rk,
|
||||||
owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
|
owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rk,
|
||||||
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rk,
|
||||||
owner @{MOUNTS}/@{XDG_DESKTOP_DIR}/{,**} r,
|
owner @{MOUNTS}/@{XDG_DESKTOP_DIR}/{,**} rk,
|
||||||
owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
|
owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} rk,
|
||||||
owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} rk,
|
||||||
|
|
||||||
owner @{user_books_dirs}/{,**} r,
|
owner @{user_books_dirs}/{,**} rk,
|
||||||
owner @{user_documents_dirs}/{,**} r,
|
owner @{user_documents_dirs}/{,**} rk,
|
||||||
owner @{user_download_dirs}/{,**} r,
|
owner @{user_download_dirs}/{,**} rk,
|
||||||
owner @{user_games_dirs}/{,**} r,
|
owner @{user_games_dirs}/{,**} rk,
|
||||||
owner @{user_music_dirs}/{,**} r,
|
owner @{user_music_dirs}/{,**} rk,
|
||||||
owner @{user_pictures_dirs}/{,**} r,
|
owner @{user_pictures_dirs}/{,**} rk,
|
||||||
owner @{user_projects_dirs}/{,**} r,
|
owner @{user_projects_dirs}/{,**} rk,
|
||||||
owner @{user_publicshare_dirs}/{,**} r,
|
owner @{user_publicshare_dirs}/{,**} rk,
|
||||||
owner @{user_sync_dirs}/{,**} r,
|
owner @{user_sync_dirs}/{,**} rk,
|
||||||
owner @{user_templates_dirs}/{,**} r,
|
owner @{user_templates_dirs}/{,**} rk,
|
||||||
owner @{user_torrents_dirs}/{,**} r,
|
owner @{user_torrents_dirs}/{,**} rk,
|
||||||
owner @{user_videos_dirs}/{,**} r,
|
owner @{user_videos_dirs}/{,**} rk,
|
||||||
owner @{user_vm_dirs}/{,**} r,
|
owner @{user_vm_dirs}/{,**} rk,
|
||||||
owner @{user_work_dirs}/{,**} r,
|
owner @{user_work_dirs}/{,**} rk,
|
||||||
|
|
||||||
include if exists <abstractions/user-read-strict.d>
|
include if exists <abstractions/user-read-strict.d>
|
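Review bot: Every user-directory rule in this abstraction gains the `k` (file lock) permission, on lines such as `owner @{user_documents_dirs}/{,**} rk,`, with no comment recording which program needed it. `k` lets a confined process that may only read a file still take advisory locks on it (flock does not care about the open mode), so a reader can, as far as I can tell, stall any writer that cooperates through locks on the user's documents — a loosening of an abstraction whose name is `-strict`. Add a one-line comment above the block naming the motivating application, e.g. `# k: some viewers take an advisory lock on files they only read`, so the grant can be reviewed later; if only a couple of directories need it, limit `k` to those. The abstraction's first lines are outside the hunk.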
@ -26,8 +26,8 @@ profile dpkg-split @{exec_path} {
|
|||||||
|
|
||||||
/var/cache/apt/archives/*.deb r,
|
/var/cache/apt/archives/*.deb r,
|
||||||
|
|
||||||
|
@{user_pkg_dirs}/** r,
|
||||||
owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
|
owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
|
||||||
owner @{user_pkg_dirs}/** r,
|
|
||||||
|
|
||||||
include if exists <local/dpkg-split>
|
include if exists <local/dpkg-split>
|
||||||
}
|
}
|
||||||
|
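Review bot: The rule `owner @{user_pkg_dirs}/** r,` becomes `@{user_pkg_dirs}/** r,`, dropping the `owner` qualifier so dpkg-split may read package directories belonging to any user, while the neighbouring `owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,` keeps it. Presumably the motivation is that dpkg-split runs as root under apt, where `owner` would not match user-owned `.deb` files, but neither the hunk nor the commit message ("general update") says so. Record the reason next to the rule, e.g. `# no owner: runs as root via apt, the .deb files belong to the invoking user`, or keep `owner` if that is not the case. The enclosing profile starts outside the hunk.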
@ -17,6 +17,7 @@ include <tunables/global>
|
|||||||
profile dbus-session flags=(attach_disconnected) {
|
profile dbus-session flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/bus-session>
|
include <abstractions/bus-session>
|
||||||
|
include <abstractions/consoles>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
unix (send receive) type=stream addr=none peer=(label=gnome-shell, addr=none),
|
unix (send receive) type=stream addr=none peer=(label=gnome-shell, addr=none),
|
||||||
@ -62,7 +63,8 @@ profile dbus-session flags=(attach_disconnected) {
|
|||||||
owner @{PROC}/@{pid}/oom_score_adj r,
|
owner @{PROC}/@{pid}/oom_score_adj r,
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
|
|
||||||
|
/dev/ptmx rw,
|
||||||
/dev/tty@{int} rw,
|
/dev/tty@{int} rw,
|
||||||
|
|
||||||
include if exists <local/dbus-session>
|
include if exists <local/dbus-session>
|
||||||
}
|
}
|
@ -53,16 +53,19 @@ profile dbus-system flags=(attach_disconnected) {
|
|||||||
@{user_share_dirs}/icc/ r,
|
@{user_share_dirs}/icc/ r,
|
||||||
@{user_share_dirs}/icc/edid-@{hex32}.icc r,
|
@{user_share_dirs}/icc/edid-@{hex32}.icc r,
|
||||||
|
|
||||||
@{run}/systemd/users/@{int} r,
|
|
||||||
@{run}/systemd/sessions/*.ref rw,
|
|
||||||
@{run}/systemd/inhibit/*.ref rw,
|
@{run}/systemd/inhibit/*.ref rw,
|
||||||
|
@{run}/systemd/notify w,
|
||||||
|
@{run}/systemd/sessions/*.ref rw,
|
||||||
|
@{run}/systemd/users/@{int} r,
|
||||||
|
|
||||||
@{sys}/kernel/security/apparmor/.access rw,
|
@{sys}/kernel/security/apparmor/.access rw,
|
||||||
@{sys}/kernel/security/apparmor/features/dbus/mask r,
|
@{sys}/kernel/security/apparmor/features/dbus/mask r,
|
||||||
@{sys}/module/apparmor/parameters/enabled r,
|
@{sys}/module/apparmor/parameters/enabled r,
|
||||||
|
|
||||||
|
@{PROC}/@{pid}/attr/apparmor/current r,
|
||||||
@{PROC}/@{pid}/cmdline r,
|
@{PROC}/@{pid}/cmdline r,
|
||||||
@{PROC}/@{pid}/environ r,
|
@{PROC}/@{pid}/environ r,
|
||||||
|
@{PROC}/@{pid}/mounts r,
|
||||||
@{PROC}/cmdline r,
|
@{PROC}/cmdline r,
|
||||||
@{PROC}/sys/kernel/osrelease r,
|
@{PROC}/sys/kernel/osrelease r,
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
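Review bot: The new `@{PROC}/@{pid}/mounts r,` rule is not `owner`-qualified, so the system bus may read the mount table of every process, whereas the existing `owner @{PROC}/@{pid}/fd/ r,` a few lines below shows the profile otherwise restricts such reads to its own `/proc` entry. Unless dbus-daemon actually inspects other processes' mounts — it normally only needs its own — this should read `owner @{PROC}/@{pid}/mounts r,`. The other new rule, `@{PROC}/@{pid}/attr/apparmor/current r,`, is presumably unqualified on purpose so the bus can look up peers' confinement labels; that is worth a comment, e.g. `# peer label lookup for AppArmor D-Bus mediation`, so it is not "fixed" by a later owner sweep. The enclosing profile starts and ends outside the hunk.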
@ -268,6 +268,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||||||
owner @{user_cache_dirs}/gnome-boxes/*.png r,
|
owner @{user_cache_dirs}/gnome-boxes/*.png r,
|
||||||
owner @{user_cache_dirs}/gnome-photos/{,**} r,
|
owner @{user_cache_dirs}/gnome-photos/{,**} r,
|
||||||
owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
|
owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
|
||||||
|
owner @{user_cache_dirs}/gnome-software/icons/{,**} r,
|
||||||
owner @{user_cache_dirs}/libgweather/{,**} rw,
|
owner @{user_cache_dirs}/libgweather/{,**} rw,
|
||||||
owner @{user_cache_dirs}/media-art/{,**} r,
|
owner @{user_cache_dirs}/media-art/{,**} r,
|
||||||
owner @{user_cache_dirs}/vlc/**/*.jpg r,
|
owner @{user_cache_dirs}/vlc/**/*.jpg r,
|
||||||
|
@ -19,9 +19,14 @@ profile dmesg @{exec_path} {
|
|||||||
|
|
||||||
@{sh_path} rix,
|
@{sh_path} rix,
|
||||||
@{bin}/less rPx -> child-pager,
|
@{bin}/less rPx -> child-pager,
|
||||||
|
@{bin}/more rPx -> child-pager,
|
||||||
|
@{bin}/pager rPx -> child-pager,
|
||||||
|
|
||||||
|
/usr/share/terminfo/** r,
|
||||||
|
|
||||||
|
owner @{PROC}/sys/kernel/pid_max r,
|
||||||
|
|
||||||
/dev/kmsg r,
|
/dev/kmsg r,
|
||||||
/usr/share/terminfo/** r,
|
|
||||||
|
|
||||||
deny /{usr/,}local/bin/ r,
|
deny /{usr/,}local/bin/ r,
|
||||||
deny @{bin}/{,*/} r,
|
deny @{bin}/{,*/} r,
|
||||||
|
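Review bot: The new `owner @{PROC}/sys/kernel/pid_max r,` rule will only match when dmesg runs as root, because `owner` requires the task's fsuid to equal the file's uid and `/proc/sys/kernel/pid_max` is owned by root. dmesg is routinely run by unprivileged users, so for them the read will presumably still be denied and the same log entry will come back. The sysctl is world-readable and not sensitive, so write it as `@{PROC}/sys/kernel/pid_max r,` without `owner`, consistent with `/dev/kmsg r,` in the same hunk. The rest of the dmesg profile is outside the hunk.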
@ -30,6 +30,7 @@ profile landscape-sysinfo @{exec_path} {
|
|||||||
|
|
||||||
@{run}/utmp rwk,
|
@{run}/utmp rwk,
|
||||||
|
|
||||||
|
@{sys}/class/hwmon/ r,
|
||||||
@{sys}/class/thermal/ r,
|
@{sys}/class/thermal/ r,
|
||||||
@{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r,
|
@{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r,
|
||||||
|
|
||||||
|
@ -153,14 +153,15 @@ profile snapd @{exec_path} {
|
|||||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
|
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
|
||||||
@{sys}/kernel/kexec_loaded r,
|
@{sys}/kernel/kexec_loaded r,
|
||||||
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||||
@{sys}/kernel/security/apparmor/features/ r,
|
@{sys}/kernel/security/apparmor/features/{,*/} r,
|
||||||
@{sys}/kernel/security/apparmor/profiles r,
|
@{sys}/kernel/security/apparmor/profiles r,
|
||||||
|
|
||||||
@{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
|
@{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
|
||||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r,
|
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r,
|
||||||
|
|
||||||
@{PROC}/@{pids}/cgroup r,
|
@{PROC}/@{pid}/cgroup r,
|
||||||
@{PROC}/@{pids}/stat r,
|
@{PROC}/@{pid}/mounts r,
|
||||||
|
@{PROC}/@{pid}/stat r,
|
||||||
@{PROC}/cgroups r,
|
@{PROC}/cgroups r,
|
||||||
@{PROC}/cmdline r,
|
@{PROC}/cmdline r,
|
||||||
@{PROC}/sys/kernel/seccomp/actions_avail r,
|
@{PROC}/sys/kernel/seccomp/actions_avail r,
|
||||||
|
@ -1,5 +1,4 @@
|
|||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Extended system directories definition
|
|
||||||
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
@ -1,5 +1,4 @@
|
|||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Extended user XDG directories definition
|
|
||||||
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|