feat(profile): improve integration with opensuse.
This commit is contained in:
parent
eb66feef62
commit
bf22e0770f
@ -21,9 +21,9 @@
|
||||
|
||||
@{etc_ro}/environment r,
|
||||
@{etc_ro}/security/limits.d/{,*} r,
|
||||
/etc/sudo.conf r,
|
||||
/etc/sudoers r,
|
||||
/etc/sudoers.d/{,*} r,
|
||||
@{etc_ro}/sudo.conf r,
|
||||
@{etc_ro}/sudoers r,
|
||||
@{etc_ro}/sudoers.d/{,*} r,
|
||||
|
||||
/ r,
|
||||
|
||||
|
@ -12,6 +12,8 @@ profile plymouthd @{exec_path} {
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/dri-common>
|
||||
|
||||
capability checkpoint_restore,
|
||||
capability net_admin,
|
||||
capability sys_admin,
|
||||
capability sys_chroot,
|
||||
capability sys_tty_config,
|
||||
|
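Review bot: The capability lines this hunk brings into plymouthd (the rendered page has lost its +/- markers, but the +2 count and the context point at `capability checkpoint_restore,` and `capability sys_admin,`) carry no comment recording which denied operation motivated them, and `sys_admin` in particular is close to unrestricted root for this process, so it deserves a justification next to the rule. As far as I know the kernel's checkpoint_restore check is `CAP_CHECKPOINT_RESTORE || CAP_SYS_ADMIN`, so a `checkpoint_restore` denial can be an audit artifact of the first branch failing while `sys_admin` would have succeeded; worth confirming against the original denial before granting both. I would annotate each new capability in the profile's comment style, e.g. `capability sys_admin, # <operation from audit log — placeholder>`. The same remark applies to `capability dac_read_search,` in the xset hunk, `capability checkpoint_restore,` in the agetty hunk and the capability line added to passwd, none of which says why it is needed.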
@ -24,8 +24,7 @@ profile xrdb @{exec_path} {
|
||||
|
||||
/usr/include/stdc-predef.h r,
|
||||
|
||||
/usr/etc/X11/xdm/Xresources r,
|
||||
|
||||
@{etc_ro}/X11/xdm/Xresources r,
|
||||
/etc/X11/Xresources/* r,
|
||||
|
||||
# The location of the .Xresources file
|
||||
|
@ -12,6 +12,8 @@ profile xset @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
capability dac_read_search,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
|
@ -16,6 +16,9 @@ profile ksplashqml @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{lib}/libheif/ r,
|
||||
@{lib}/libheif/*.so* rm,
|
||||
|
||||
/usr/share/plasma/** r,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
@ -73,9 +73,14 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
@{bin}/cat rix,
|
||||
@{bin}/checkproc rix,
|
||||
@{bin}/disable-paste rix,
|
||||
@{bin}/locale rix,
|
||||
@{bin}/manpath rix,
|
||||
@{bin}/pidof rix,
|
||||
@{bin}/readlink rix,
|
||||
@{bin}/realpath rix,
|
||||
@{bin}/tr rix,
|
||||
@{bin}/tty rix,
|
||||
@{bin}/uname rix,
|
||||
@{bin}/xdm r,
|
||||
@{bin}/xmodmap rix,
|
||||
|
||||
@ -117,19 +122,28 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
/{usr/,}etc/security/limits.d/{,*.conf} r,
|
||||
/{usr/,}etc/X11/Xmodmap r,
|
||||
/etc/debuginfod/{,*} r,
|
||||
/etc/manpath.config r,
|
||||
/etc/default/locale r,
|
||||
/etc/locale.conf r,
|
||||
/etc/machine-id r,
|
||||
/etc/sddm.conf r,
|
||||
/etc/sddm.conf.d/{,*} r,
|
||||
/etc/shells r,
|
||||
/etc/sysconfig/console r,
|
||||
/etc/sysconfig/displaymanager r,
|
||||
/etc/sysconfig/language r,
|
||||
/etc/sysconfig/mail r,
|
||||
/etc/sysconfig/proxy r,
|
||||
/etc/sysconfig/windowmanager r,
|
||||
|
||||
/ r,
|
||||
|
||||
/var/lib/lastlog/ r,
|
||||
/var/lib/lastlog/* rwk,
|
||||
|
||||
/var/lib/wtmpdb/ r,
|
||||
/var/lib/wtmpdb/* rwk,
|
||||
|
||||
/var/lib/sddm/state.conf rw,
|
||||
owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.jsc mrw,
|
||||
owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.qmlc mrw,
|
||||
|
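Review bot: `/var/lib/lastlog/* rwk,` and `/var/lib/wtmpdb/* rwk,` give sddm write and lock access to the login-accounting databases, while the agetty hunk in this same commit obtains that class of access through `include <abstractions/wutmp>`; if lastlog/wtmpdb are the new-style stores the abstraction is meant to cover, these four lines presumably belong in that abstraction so sddm, agetty and the other login paths stay in step, which is worth checking against what the abstraction currently contains. Separately, the new `/etc/sysconfig/* r,` lines use a literal `/etc/` even though the same commit moves the sudoers and Xresources rules to `@{etc_ro}` (the xrdb hunk replaces `/usr/etc/X11/xdm/Xresources` with it), so if the openSUSE `/usr/etc` split applies to sysconfig these should be `@{etc_ro}/sysconfig/console r,` and so on. The same consistency question applies to the `/etc/systemd/{logind,sleep}.conf.d/{,**} r,` rules in the systemd-logind hunk and `/etc/nvme/* r,` in the udisksd hunk.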
@ -72,6 +72,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
|
||||
@{etc_ro}/environment r,
|
||||
@{etc_ro}/security/limits.d/{,*.conf} r,
|
||||
@{etc_rw}/motd r,
|
||||
@{etc_rw}/motd.d/{,**} r,
|
||||
/etc/default/locale r,
|
||||
/etc/gss/mech.d/{,*} r,
|
||||
/etc/issue.net r,
|
||||
|
@ -53,8 +53,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/systemd/logind.conf r,
|
||||
/etc/systemd/sleep.conf r,
|
||||
/etc/systemd/logind.conf.d/{,**} r,
|
||||
/etc/systemd/sleep.conf r,
|
||||
/etc/systemd/sleep.conf.d/{,**} r,
|
||||
|
||||
/ r,
|
||||
/boot/{,**} r,
|
||||
|
@ -12,6 +12,7 @@ profile agetty @{exec_path} {
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/wutmp>
|
||||
|
||||
capability checkpoint_restore,
|
||||
capability fsetid,
|
||||
capability sys_admin,
|
||||
capability sys_tty_config,
|
||||
|
@ -57,7 +57,7 @@ profile flatpak-system-helper @{exec_path} {
|
||||
@{bin}/gpgconf mr,
|
||||
@{bin}/gpgsm mr,
|
||||
|
||||
@{lib}/gnupg/scdaemon rix,
|
||||
@{lib}/{,gnupg/}scdaemon rix,
|
||||
@{bin}/gpg-agent rix,
|
||||
|
||||
owner /tmp/ostree-gpg-*/ r,
|
||||
|
@ -83,10 +83,13 @@ profile htop @{exec_path} {
|
||||
@{PROC}/@{pids}/task/@{tid}/status r,
|
||||
@{PROC}/@{pids}/task/@{tid}/wchan r,
|
||||
|
||||
@{sys}/bus/dax/devices/ r,
|
||||
@{sys}/bus/i2c/devices/ r,
|
||||
@{sys}/bus/soc/devices/ r,
|
||||
@{sys}/class/hwmon/ r,
|
||||
@{sys}/class/i2c-adapter/ r,
|
||||
@{sys}/class/power_supply/ r,
|
||||
@{sys}/devices/@{pci}/i2c-@{int}/name r,
|
||||
@{sys}/devices/**/hwmon@{int}/ r,
|
||||
@{sys}/devices/**/hwmon@{int}/{name,temp*} r,
|
||||
@{sys}/devices/**/hwmon@{int}/**/ r,
|
||||
@ -98,16 +101,37 @@ profile htop @{exec_path} {
|
||||
@{sys}/devices/**/power_supply/**/{uevent,type,online} r,
|
||||
@{sys}/devices/*/name r,
|
||||
@{sys}/devices/i2c-@{int}/name r,
|
||||
@{sys}/devices/@{pci}/i2c-@{int}/name r,
|
||||
@{sys}/devices/platform/*/i2c-@{int}/name r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/online r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/** r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_{cur,min,max}_freq r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r,
|
||||
@{sys}/devices/system/node/node@{int}/cpumap r,
|
||||
@{sys}/devices/system/node/node@{int}/hugepages/ r,
|
||||
@{sys}/devices/system/node/node@{int}/hugepages/hugepages-*/nr_hugepages r,
|
||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
@{sys}/devices/system/node/online r,
|
||||
@{sys}/devices/virtual/block/zram@{int}/{disksize,mm_stat} r,
|
||||
@{sys}/devices/virtual/dmi/id/ r,
|
||||
@{sys}/devices/virtual/dmi/id/bios_date r,
|
||||
@{sys}/devices/virtual/dmi/id/bios_vendor r,
|
||||
@{sys}/devices/virtual/dmi/id/bios_version r,
|
||||
@{sys}/devices/virtual/dmi/id/chassis_asset_tag r,
|
||||
@{sys}/devices/virtual/dmi/id/chassis_type r,
|
||||
@{sys}/devices/virtual/dmi/id/chassis_vendor r,
|
||||
@{sys}/devices/virtual/dmi/id/chassis_version r,
|
||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
@{sys}/devices/virtual/dmi/id/product_version r,
|
||||
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r,
|
||||
@{sys}/fs/cgroup/cgroup.controllers r,
|
||||
@{sys}/fs/cgroup/cpuset.cpus.effective r,
|
||||
@{sys}/fs/cgroup/cpuset.mems.effective r,
|
||||
@{sys}/kernel/mm/hugepages/ r,
|
||||
@{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r,
|
||||
|
||||
@{PROC}/cmdline r,
|
||||
owner @{PROC}/@{pid}/cpuset r,
|
||||
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/htop>
|
||||
|
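Review bot: `@{sys}/devices/system/cpu/cpu@{int}/** r,` already matches everything under `cpu@{int}/`, so the separate `@{sys}/devices/system/cpu/cpu@{int}/online r,` line is redundant and can be dropped (assuming both are on the new side; the rendered diff has lost its markers). The ten `@{sys}/devices/virtual/dmi/id/<name> r,` lines would read better as one brace rule in the form the profile already uses for `cpuinfo_{cur,min,max}_freq`: `@{sys}/devices/virtual/dmi/id/{bios_date,bios_vendor,bios_version,chassis_asset_tag,chassis_type,chassis_vendor,chassis_version,product_name,product_version,sys_vendor} r,`. Keeping the list explicit rather than `dmi/id/* r,` is the right call, since it leaves the serial and uuid attributes out of the grant.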
@ -68,6 +68,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
|
||||
@{bin}/fc-cache rPx,
|
||||
@{bin}/glib-compile-schemas rPx,
|
||||
@{bin}/install-info rPx,
|
||||
@{bin}/rpmdb2solv rPx, # only: opensuse
|
||||
@{bin}/systemd-inhibit rPx,
|
||||
@{bin}/update-desktop-database rPx,
|
||||
@{lib}/apt/methods/* rPx, # only: dpkg
|
||||
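Review bot: `@{bin}/rpmdb2solv rPx, # only: opensuse` transitions into a dedicated `rpmdb2solv` profile, and with `Px` AppArmor denies the exec when no such profile is loaded, so the openSUSE solv refresh in packagekitd will fail unless that profile already exists or is added elsewhere in this commit; I cannot see the rest of the commit from this page. If the profile is present nothing more is needed, but if one is not planned the line should say so rather than rely on the exec being denied, and the transition mode should be chosen deliberately.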
@ -125,6 +126,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{bin}/gpg-agent rix,
|
||||
@{bin}/scdaemon rix,
|
||||
@{lib}/{,gnupg/}scdaemon rix,
|
||||
|
||||
/etc/gcrypt/hwf.deny r,
|
||||
|
||||
|
@ -18,6 +18,7 @@ profile passwd @{exec_path} {
|
||||
capability audit_write,
|
||||
capability chown,
|
||||
capability fsetid,
|
||||
capability net_admin,
|
||||
capability setuid,
|
||||
|
||||
signal (receive) set=(term, kill) peer=gnome-control-center,
|
||||
|
@ -86,10 +86,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
|
||||
@{bin}/systemctl rCx -> systemctl,
|
||||
@{bin}/systemd-escape rPx,
|
||||
|
||||
/etc/udisks2/{,**} r,
|
||||
/etc/libblockdev/{,**} r,
|
||||
/etc/fstab r,
|
||||
/etc/crypttab r,
|
||||
/etc/fstab r,
|
||||
/etc/libblockdev/{,**} r,
|
||||
/etc/nvme/* r,
|
||||
/etc/udisks2/{,**} r,
|
||||
|
||||
/var/lib/udisks2/{,**} r,
|
||||
/var/lib/udisks2/mounted-fs{,*} rw,
|
||||
|