mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 08:58:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profiles): general update.

Browse source
This commit is contained in:
Alexandre Pujol 2022-08-13 20:31:57 +01:00
parent e02b12aa6d
commit c148aa978c
Failed to generate hash of commit
30 changed files with 202 additions and 71 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
apparmor.d/groups/apt/unattended-upgrade
View file

@ -85,12 +85,13 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r,
/var/log/unattended-upgrades/*.log rw,
/var/log/unattended-upgrades/{,**} rw,
/var/lib/apt/periodic/unattended-upgrades-stamp w,
/var/lib/dpkg/lock rwk,
/var/lib/dpkg/lock-frontend rwk,
/var/lib/dpkg/updates/ r,
/var/lib/update-notifier/dpkg-run-stamp rw,
/var/cache/apt/{,**} rwk,
/var/lib/apt/extended_states{,.*} rw,

1
apparmor.d/groups/browsers/firefox
View file

@ -154,6 +154,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/pci[0-9]*/**/drm/renderD[0-9]*/ r,
@{sys}/devices/pci[0-9]*/**/irq r,
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
@{sys}/devices/system/cpu/possible r,
deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
deny @{sys}/devices/system/cpu/present r,

2
apparmor.d/groups/freedesktop/fc-cache
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/fc-cache{,-32}
@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache{,-32,-v*}
profile fc-cache @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>

1
apparmor.d/groups/freedesktop/plymouthd
View file

@ -39,6 +39,7 @@ profile plymouthd @{exec_path} {
@{sys}/class/drm/ r,
@{sys}/class/graphics/ r,
@{sys}/devices/pci[0-9]*/**/{,uevent} r,
@{sys}/devices/virtual/graphics/fbcon/uevent r,
@{sys}/devices/virtual/tty/console/active r,
@{sys}/firmware/acpi/bgrt/{,*} r,

2
apparmor.d/groups/freedesktop/upowerd
View file

@ -17,7 +17,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
network netlink raw,
dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**}
interface=org.freedesktop.{DBus.Properties,UPower*},
interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,UPower*},
dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.DBus.Properties

1
apparmor.d/groups/freedesktop/xdg-dbus-proxy
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-dbus-proxy
profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
@{exec_path} mr,

1
apparmor.d/groups/freedesktop/xdg-desktop-portal
View file

@ -45,6 +45,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/snap rPx,
# Allowed apps to open
/{usr/,}bin/firefox rPx -> firefox,

10
apparmor.d/groups/freedesktop/xdg-email
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -11,8 +12,13 @@ profile xdg-email @{exec_path} flags=(complain) {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gio rPx,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/which rix,
/{usr/,}bin/xdg-mime rPx,
owner /dev/tty[0-9]* rw,

1
apparmor.d/groups/freedesktop/xwayland
View file

@ -35,6 +35,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
@{sys}/bus/pci/devices/ r,
@{sys}/devices/system/cpu/possible r,
@{PROC}/@{pids}/cmdline r,
owner @{PROC}/@{pids}/comm r,

2
apparmor.d/groups/gnome/gjs-console
View file

@ -49,6 +49,8 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gdm/Xauthority r,
@{run}/user/@{uid}/wayland-cursor-shared-* rw,
@{sys}/devices/system/cpu/possible r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/stat r,

9
apparmor.d/groups/gnome/gnome-characters-backgroudservice
View file

@ -10,14 +10,23 @@ include <tunables/global>
profile gnome-characters-backgroudservice @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/dbus-session-strict>
@{exec_path} mr,
/{usr/,}bin/gjs-console rix,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icons/{,**} r,
/usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService.*.gresource r,
/usr/share/themes/{,**} r,
/usr/share/X11/xkb/{,**} r,
/etc/gtk-3.0/settings.ini r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
include if exists <local/gnome-characters-backgroudservice>
}

6
apparmor.d/groups/gnome/gnome-control-center
View file

@ -49,6 +49,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/bwrap rPUx,
/{usr/,}bin/openvpn rPx,
/{usr/,}bin/passwd rPx,
/{usr/,}lib/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
/{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
/usr/share/language-tools/language2locale rix,
@ -70,6 +71,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
/usr/share/zoneinfo/{,**} r,
/etc/machine-info r,
/etc/pipewire/client.conf.d/ r,
/etc/security/pwquality.conf r,
/etc/security/pwquality.conf.d/{,**} r,
@ -98,6 +100,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid} rwk,
owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid}.lock rwk,
owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
@{run}/cups/cups.sock rw,
@{run}/samba/ rw,
@ -120,9 +124,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
@{sys}/class/input/ r,
@{sys}/devices/**/{name,vendor,product,uevent} r,
@{sys}/devices/platform/**/uevent r,
@{sys}/devices/system/cpu/possible r,
@{sys}/devices/virtual/**/uevent r,
@{sys}/devices/virtual/dmi/id/chassis_type r,
@{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r,
@{sys}/firmware/acpi/pm_profile r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,

2
apparmor.d/groups/gnome/gnome-control-center-print-renderer
View file

@ -39,6 +39,8 @@ profile gnome-control-center-print-renderer @{exec_path} {
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
@{sys}/devices/system/cpu/possible r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/comm r,

3
apparmor.d/groups/gnome/gnome-shell
View file

@ -195,7 +195,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
owner @{run}/user/@{uid}/snap.snapd-desktop-integration/wayland-cursor-shared-* rw,
owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
owner @{run}/user/@{uid}/systemd/notify rw,
owner @{run}/user/@{uid}/wayland-[0-9].lock rwk,
@ -245,6 +245,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/pci[0-9]*/**/drm/ r,
@{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
@{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
@{sys}/devices/system/cpu/possible r,
@{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,
owner @{PROC}/@{pid}/comm r,

1
apparmor.d/groups/network/tailscaled
View file

@ -42,6 +42,7 @@ profile tailscaled @{exec_path} {
owner /var/lib/tailscale/{,**} rw,
owner @{run}/tailscale/{,**} rw,
@{sys}/devices/virtual/dmi/id/{bios_vendor,product_name} r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@{PROC}/ r,

9
apparmor.d/groups/pacman/pacman-key
View file

@ -37,10 +37,6 @@ profile pacman-key @{exec_path} {
/dev/tty rw,
# Inherit Silencer
deny network inet6 stream,
deny network inet stream,
profile gpg {
include <abstractions/base>
include <abstractions/p11-kit>
@ -61,10 +57,9 @@ profile pacman-key @{exec_path} {
@{HOME}/.gnupg/gpg.conf r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat rw,
# Inherit Silencer
deny network inet6 stream,
deny network inet stream,
}
include if exists <local/pacman-key>

6
apparmor.d/groups/systemd/systemd-detect-virt
View file

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -15,6 +15,8 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
capability net_admin,
network netlink raw,
@{exec_path} mr,
@{run}/host/container-manager r,

1
apparmor.d/groups/ubuntu/check-new-release-gtk
View file

@ -47,6 +47,7 @@ profile check-new-release-gtk @{exec_path} {
owner @{run}/user/@{uid}/wayland-[0-9] rw,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/@{pids}/mounts r,
include if exists <local/check-new-release-gtk>

52
apparmor.d/groups/ubuntu/packagekitd
View file

@ -13,13 +13,26 @@ profile packagekitd @{exec_path} {
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability kill,
capability setgid,
capability setuid,
capability sys_nice,
network netlink raw,
signal send set=int peer=apt-methods-*,
dbus (send,receive) bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.{DBus.*,PackageKit},
dbus send bus=system path=/[0-9]*_@{hex}
interface=org.freedesktop.{DBus.Properties,PackageKit.Transaction}
peer=(name=org.freedesktop.DBus),
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=GetAll,
@ -28,9 +41,17 @@ profile packagekitd @{exec_path} {
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/DBus
dbus send bus=system path=/org/freedesktop/DBus{,/Bus}
interface=org.freedesktop.DBus
member=RequestName,
member={RequestName,GetConnectionUnixUser},
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority
member=CheckAuthorization,
dbus receive bus=system path=/[0-9]*_@{hex}
interface=org.freedesktop.{DBus.Properties,PackageKit.Transaction},
# peer=(name=org.freedesktop.DBus),
dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority
@ -53,17 +74,42 @@ profile packagekitd @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/appstreamcli rPx,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/echo rix,
/{usr/,}bin/gdbus rix,
/{usr/,}bin/ischroot rix,
/{usr/,}bin/test rix,
/{usr/,}bin/touch rix,
/{usr/,}lib/apt/methods/* rPx,
/{usr/,}lib/cnf-update-db rPx,
/{usr/,}lib/update-notifier/update-motd-updates-available rPx,
/usr/share/dpkg/tupletable r,
/usr/share/dpkg/cputable r,
/etc/PackageKit/PackageKit.conf r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
/var/cache/PackageKit/downloads/ r,
/var/lib/apt/lists/** rw,
/var/lib/apt/lists/lock rwk,
/var/lib/apt/periodic/update-success-stamp rw,
/var/lib/dpkg/info/{,*} r,
/var/lib/PackageKit/{,*} rw,
/var/lib/PackageKit/transactions.db rwk,
owner @{run}/systemd/users/@{uid} r,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/mountinfo r,
include if exists <local/packagekitd>
}

2
apparmor.d/groups/ubuntu/update-motd-updates-available
View file

@ -40,6 +40,8 @@ profile update-motd-updates-available @{exec_path} {
/var/lib/update-notifier/{,*} rw,
/var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
/var/cache/apt/ r,
/var/cache/apt/** rwk,

1
apparmor.d/groups/virt/libvirtd
View file

@ -187,6 +187,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/cpu[0-9]*/cache/{,**} r,
@{sys}/devices/system/cpu/cpu[0-9]*/topology/{,**} r,
@{sys}/devices/system/cpu/possible r,
@{sys}/devices/system/cpu/present r,
@{sys}/devices/system/cpu/present/ r,
@{sys}/devices/system/node/ r,

1
apparmor.d/groups/virt/virtlogd
View file

@ -32,6 +32,7 @@ profile virtlogd @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/virtlogd.pid rwk,
@{sys}/devices/system/cpu/possible r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,

49
apparmor.d/profiles-a-f/acpi-powerbtn Normal file
View file

@ -0,0 +1,49 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
profile acpi-powerbtn flags=(attach_disconnected) {
include <abstractions/base>
/etc/acpi/powerbtn-acpi-support.sh r,
/{usr/,}{s,}bin/killall5 rix,
/{usr/,}{s,}bin/shutdown rix,
/{usr/,}bin/{ba,da,}sh rix,
/{usr/,}bin/{e,}grep rix,
/{usr/,}bin/dbus-send rix,
/{usr/,}bin/pgrep rix,
/{usr/,}bin/pinky rix,
/{usr/,}bin/sed rix,
/etc/acpi/powerbtn.sh rix,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/ps rPx,
/{usr/,}bin/fgconsole rCx,
/usr/share/acpi-support/** r,
@{PROC} r,
@{PROC}/uptime r,
@{PROC}/@{pids}/cmdline r,
deny / r,
profile fgconsole {
include <abstractions/base>
capability sys_tty_config,
/{usr/,}bin/fgconsole r,
/dev/tty rw,
owner /dev/tty[0-9]* rw,
}
include if exists <local/acpi-powerbtn>
}

44
apparmor.d/profiles-a-f/acpid
View file

@ -21,7 +21,7 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/{ba,da,}sh rix,
/{usr/,}bin/logger rix,
/etc/acpi/powerbtn-acpi-support.sh rPx -> powerbtn-acpi-support,
/etc/acpi/powerbtn-acpi-support.sh rPx -> acpi-powerbtn,
/etc/acpi/{,**} r,
/etc/acpi/handler.sh rix,
@ -37,45 +37,3 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
include if exists <local/acpid>
}
profile powerbtn-acpi-support flags=(attach_disconnected) {
include <abstractions/base>
/etc/acpi/powerbtn-acpi-support.sh r,
/{usr/,}{s,}bin/killall5 rix,
/{usr/,}{s,}bin/shutdown rix,
/{usr/,}bin/{ba,da,}sh rix,
/{usr/,}bin/{e,}grep rix,
/{usr/,}bin/dbus-send rix,
/{usr/,}bin/pgrep rix,
/{usr/,}bin/pinky rix,
/{usr/,}bin/sed rix,
/etc/acpi/powerbtn.sh rix,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/ps rPx,
/{usr/,}bin/fgconsole rCx,
/usr/share/acpi-support/** r,
@{PROC} r,
@{PROC}/uptime r,
@{PROC}/@{pids}/cmdline r,
deny / r,
profile fgconsole {
include <abstractions/base>
capability sys_tty_config,
/{usr/,}bin/fgconsole r,
/dev/tty rw,
owner /dev/tty[0-9]* rw,
}
include if exists <local/powerbtn-acpi-support>
}

5
apparmor.d/profiles-a-f/apparmor_parser
View file

@ -28,11 +28,12 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
owner /tmp/cri-containerd.apparmor.d[0-9]* r,
owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,
@{sys}/devices/system/cpu/possible r,
@{sys}/kernel/security/apparmor/{,**} r,
owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pid}/mounts r,
deny /apparmor/.null rw,

39
apparmor.d/profiles-a-f/fwupd
View file

@ -7,9 +7,10 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/fwupd /{usr/,}lib/fwupd/fwupd
@{exec_path} = /{usr/,}bin/fwupd @{libexec}/fwupd/fwupd
profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/disks-read>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
@ -25,6 +26,41 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
network netlink raw,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,RemoveMatch,RequestName}
peer=(name=org.freedesktop.DBus),
dbus send bus=system path=/org/freedesktop/ModemManager1
interface=org.freedesktop.DBus.{Properties,ObjectManager}
member={GetAll,GetManagedObjects},
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/UDisks2/Manager
interface=org.freedesktop.{DBus.Properties,UDisks2.Manager}
member={GetAll,GetBlockDevices},
dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice}
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus receive bus=system path=/
interface=org.freedesktop.fwupd,
dbus receive bus=system path=/
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus bind bus=system
name=org.freedesktop.fwupd,
@{exec_path} mr,
/{usr/,}bin/gpg rCx -> gpg,
@ -85,6 +121,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
/dev/bus/usb/ r,
/dev/bus/usb/[0-9]*/[0-9]* rw,
/dev/cpu/[0-9]*/msr rw,
/dev/drm_dp_aux[0-9]* rw,
/dev/gpiochip[0-9]* r,
/dev/hidraw[0-9]* rw,

3
apparmor.d/profiles-g-l/hugo
View file

@ -11,8 +11,11 @@ include <tunables/global>
profile hugo @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,

11
apparmor.d/profiles-s-z/snapd
View file

@ -72,14 +72,17 @@ profile snapd @{exec_path} {
/snap/snapd/[0-9]*/usr/lib/snapd/snap-seccomp rPx,
/snap/snapd/[0-9]*/usr/lib/snapd/snap-update-ns rPx,
/snap/snapd/[0-9]*/usr/lib/snapd/snapd rix,
/snap/snapd/[0-9]*/usr/bin/fc-cache-* rPx -> fc-cache,
/snap/snapd/[0-9]*/usr/bin/xdelta3 rix, # TODO: rPx ?
/usr/share/bash-completion/completions/{,**} r,
/usr/share/dbus-1/{system,session}.d/{,snapd*} r,
/usr/share/dbus-1/services/*snap* r,
/usr/share/polkit-1/actions/{,**/} r,
/etc/dbus-1/system.d/{,**/} r,
/etc/fstab r,
/etc/mime.types r,
/etc/modprobe.d/{,**/} r,
/etc/modules-load.d/{,**/} r,
/etc/systemd/system/{,**/} r,
@ -101,8 +104,8 @@ profile snapd @{exec_path} {
/tmp/syscheck-squashfs-[0-9]* rw,
/tmp/read-file[0-9]*/{,**} rw,
owner @{HOME}/ r,
owner @{HOME}/snap/{,**} rw,
@{HOME}/ r,
@{HOME}/snap/{,**} rw,
owner @{run}/mount/ rw,
owner @{run}/mount/utab{,.*} rw,
@ -113,14 +116,14 @@ profile snapd @{exec_path} {
@{run}/snapd-snap.socket rw,
@{run}/snapd.socket rw,
@{run}/snapd/lock/core[0-9]*.lock rwk,
@{run}/snapd/lock/*.lock rwk,
@{run}/systemd/notify rw,
@{run}/systemd/private rw,
@{sys}/fs/cgroup/{,*/} r,
@{sys}/fs/cgroup/system.slice/{,**/} r,
@{sys}/fs/cgroup/user.slice/ r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/**/ r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@{sys}/kernel/security/apparmor/features/ r,
@{sys}/kernel/security/apparmor/profiles r,

4
apparmor.d/profiles-s-z/spice-vdagentd
View file

@ -13,9 +13,7 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
capability sys_nice,
dbus receive
bus=system
path=/org/freedesktop/login[0-9]/session/_[0-9]*
dbus receive bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]*
interface=org.freedesktop.login[0-9].Session
member=Unlock,

1
apparmor.d/profiles-s-z/wireplumber
View file

@ -45,6 +45,7 @@ profile wireplumber @{exec_path} {
@{sys}/devices/**/sound/**/uevent r,
@{sys}/devices/pci[0-9]*/**/modalias r,
@{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
@{sys}/devices/system/cpu/possible r,
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,board_vendor,bios_vendor} r,
/dev/snd/ r,