feat(profiles): general update.

This commit is contained in:
Alexandre Pujol 2022-06-03 20:13:11 +01:00
parent 8142ad657d
commit c32b19a808
40 changed files with 218 additions and 196 deletions


@ -33,6 +33,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/echo rix,
/{usr/,}bin/gdbus rix,
/{usr/,}bin/ischroot rix,
/{usr/,}bin/test rix,
/{usr/,}bin/touch rix,
@ -49,7 +50,10 @@ profile apt @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/dpkg-source rcx -> dpkg-source,
/{usr/,}bin/etckeeper rPx,
/{usr/,}bin/ps rPx,
/{usr/,}bin/snap rPUx,
/{usr/,}lib/cnf-update-db rPx,
/{usr/,}lib/needrestart/apt-pinvoke rPx,
/{usr/,}lib/ubuntu-advantage/apt-esm-hook rPx,
/{usr/,}lib/update-notifier/update-motd-updates-available rPx,
/usr/share/command-not-found/cnf-update-db rPx,
@ -81,6 +85,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
/var/lib/dpkg/lock{,-frontend} rwk,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/mountinfo r,
/dev/ptmx rw,
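Review bot: The new `/{usr/,}bin/snap rPUx` rule lets apt (running as root) execute snap completely unconfined whenever no `snap` profile is loaded, and the adjacent `/dev/ptmx rw` grant arrives without a reason either; both are the kind of line this profile set normally annotates. Presumably the pty is for apt's `Dpkg::Use-Pty` handling of dpkg output and the unconfined fallback is deliberate because no snap profile is part of this set — confirm and record it, e.g. `/{usr/,}bin/snap rPUx, # no profile in this set, falls back to unconfined` and `/dev/ptmx rw, # Dpkg::Use-Pty`. The apt profile body continues outside this section.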


@ -37,6 +37,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/dpkg rPx,
/{usr/,}bin/etckeeper rPx,
/{usr/,}bin/ischroot rix,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}bin/uname rix,


@ -14,6 +14,8 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/ischroot rix,
/usr/share/unattended-upgrades/{,*} r,
/etc/apt/apt.conf.d/{,*} r,


@ -81,7 +81,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
@{sys}/module/apparmor/parameters/enabled r,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/mounts r,
@{PROC}/@{pids}/mounts r,
@{PROC}/@{pids}/attr/apparmor/current r,
@{PROC}/@{pids}/oom_score_adj rw,
@{PROC}/@{pids}/cmdline r,
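Review bot: Widening `@{PROC}/@{pid}/mounts r` to `@{PROC}/@{pids}/mounts r` lets dbus-daemon read the mount table of every process on the system rather than only its own, and nothing in the hunk says why. If it is needed to inspect a connecting peer, as the neighbouring `@{PROC}/@{pids}/attr/apparmor/current r` presumably is, say so inline, e.g. `@{PROC}/@{pids}/mounts r, # peer lookup`; otherwise keep it at `@{pid}`. The dbus-daemon profile extends beyond this section.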


@ -15,6 +15,8 @@ profile accounts-daemon @{exec_path} {
include <abstractions/wutmp>
capability dac_read_search,
capability setgid,
capability setuid,
capability sys_nice,
capability sys_ptrace,
@ -25,9 +27,10 @@ profile accounts-daemon @{exec_path} {
/usr/share/accountsservice/{,**} r,
/usr/share/dbus-1/interfaces/*.xml r,
/etc/gdm/ r,
/etc/gdm/custom.conf rw,
/etc/gdm/custom.conf.* rw,
/etc/default/locale r,
/etc/gdm{3,}/ r,
/etc/gdm{3,}/custom.conf rw,
/etc/gdm{3,}/custom.conf.* rw,
/etc/machine-id r,
/etc/shadow r,
/etc/shells r,
@ -35,6 +38,8 @@ profile accounts-daemon @{exec_path} {
owner /var/lib/AccountsService/ r,
owner /var/lib/AccountsService/** rw,
@{HOME}/ r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
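Review bot: `capability setgid`, `capability setuid` and `@{PROC}/1/environ r` are privilege-relevant additions that come without the why-comments this profile set usually attaches to capabilities, in a daemon that already reads `/etc/shadow`. Reading PID 1's environment in particular is unusual for an account service; if it is a side effect of a library probing the init system, note it (`@{PROC}/1/environ r, # TODO: which library reads init's environment?`) and document which operation actually needs setuid/setgid. The unscoped `@{PROC}/@{pids}/cmdline r` also deserves a check that it cannot be `owner`-restricted. The accounts-daemon profile continues past this section.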


@ -37,7 +37,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
/var/lib/lightdm/.Xauthority r,
/var/lib/gdm/.config/dconf/user r,


@ -6,7 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/colord/colord-session @{libexec}/colord-session
@{exec_path} = /{usr/,}lib/colord/colord-session
@{exec_path} += @{libexec}/colord-session
profile colord-session @{exec_path} flags=(complain) {
include <abstractions/base>


@ -16,12 +16,17 @@ profile pulseaudio @{exec_path} {
include <abstractions/dbus-strict>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/gstreamer>
include <abstractions/hosts_access>
include <abstractions/nameservice-strict>
ptrace (trace) peer=@{profile_name},
signal (receive) peer=pacmd,
unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*),
unix (send receive connect) type=stream peer=(addr=@/tmp/.ICE-unix/*),
network inet stream,
network inet6 stream,
network netlink raw,
@ -29,65 +34,6 @@ profile pulseaudio @{exec_path} {
network bluetooth stream,
network bluetooth seqpacket,
@{exec_path} mrix,
/{usr/,}lib{exec,}/pulse/gsettings-helper mrix,
/{usr/,}lib/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mrix,
/{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
# PulseAudio files
/usr/share/pulseaudio/{,**} r,
/{usr/,}lib/pulse-*/modules/*.so mr,
# PulseAudio home config files
owner @{user_config_dirs}/pulse/{,**} rw,
owner @{user_config_dirs}/dconf/user r,
owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r,
# Needed when PulseAudio is started via the start-pulseaudio-x11 script
owner @{HOME}/.Xauthority r,
# Needed when PulseAudio is started via gdm
owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r,
owner @{HOME}/.ICEauthority r,
# TCP wrap
/etc/hosts.{allow,deny} r,
owner @{run}/user/@{uid}/ rw,
owner @{run}/user/@{uid}/pulse/{,*} rw,
owner @{run}/user/@{uid}/pulse/*.lock k,
/usr/share/applications/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/sound/ r,
@{sys}/devices/**/sound/**/{uevent,pcm_class} r,
@{run}/udev/data/+sound* r,
@{run}/udev/data/c116:[0-9]* r, # For ALSA
@{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]/meminfo r,
deny @{sys}/module/apparmor/parameters/enabled r,
@{run}/systemd/users/@{uid} r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/ICEauthority r,
owner @{run}/user/@{uid}/systemd/notify rw,
owner @{PROC}/@{pids}/fd/ r,
owner @{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/cmdline r,
# DBus
dbus (send)
bus=session
path=/org/freedesktop/DBus
@ -139,14 +85,18 @@ profile pulseaudio @{exec_path} {
member=GetManagedObjects
peer=(name=org.bluez),
unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*),
unix (send receive connect) type=stream peer=(addr=@/tmp/.ICE-unix/*),
@{exec_path} mrix,
# The orcexec.* file is JIT compiled code for various GStreamer elements.
# If one is blocked the next is used instead.
owner @{run}/user/@{uid}/orcexec.* mrw,
#owner @{HOME}/orcexec.* mrw,
#owner /tmp/orcexec.* mrw,
/{usr/,}@{libexec}/pulse/gsettings-helper mrix,
/{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
/{usr/,}lib/pulse-*/modules/*.so mr,
/usr/share/applications/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/pulseaudio/{,**} r,
/usr/share/ubuntu/applications/{,*} r,
/var/lib/snapd/desktop/applications/ r,
# For GDM
owner /var/lib/gdm{[1-9],}/.config/pulse/{,**} rw,
@ -164,13 +114,42 @@ profile pulseaudio @{exec_path} {
owner /var/lib/lightdm/.config/pulse/{,**} rw,
owner /var/lib/lightdm/.config/pulse/cookie k,
owner @{HOME}/.Xauthority r,
owner @{HOME}/.ICEauthority r,
owner @{user_config_dirs}/pulse/{,**} rw,
owner @{user_config_dirs}/dconf/user r,
owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r,
owner @{run}/user/@{uid}/ rw,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
owner @{run}/user/@{uid}/ICEauthority r,
owner @{run}/user/@{uid}/pulse/{,*} rw,
owner @{run}/user/@{uid}/pulse/*.lock k,
owner @{run}/user/@{uid}/systemd/notify rw,
@{run}/systemd/users/@{uid} r,
@{run}/udev/data/+sound* r,
@{run}/udev/data/c116:[0-9]* r, # For ALSA
@{sys}/class/sound/ r,
@{sys}/devices/**/sound/**/{uevent,pcm_class} r,
@{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
deny @{sys}/module/apparmor/parameters/enabled r,
owner @{PROC}/@{pids}/fd/ r,
owner @{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/cmdline r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
# Snap
/var/lib/snapd/desktop/applications/ r,
/usr/{local/,}share/ubuntu/applications/{,*} r,
include if exists <local/pulseaudio>
}
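Review bot: `/{usr/,}@{libexec}/pulse/gsettings-helper mrix` stacks a `/{usr/,}` prefix in front of `@{libexec}`, whereas everywhere else in this commit `@{libexec}` is used as a complete path root (`@{exec_path} += @{libexec}/colord-session`, `@{libexec}/gdm-session-worker rPx`), so the expanded pattern would start with something like `//usr/lib…` or `/usr//usr/lib…` and very likely never match the helper — if that line is the new side, the exec of gsettings-helper will be denied. Either the previous form `/{usr/,}lib{exec,}/pulse/gsettings-helper mrix,` or plain `@{libexec}/pulse/gsettings-helper mrix,` is what was meant; verify against the `@{libexec}` tunable. The profile header lies outside this section, only its closing brace is visible here.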


@ -28,7 +28,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
/ r,
/.flatpak-info r,
/{usr/,}lib/x r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/pipewire/client.conf r,


@ -10,6 +10,7 @@ include <tunables/global>
profile xdg-desktop-portal-gnome @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/fontconfig-cache-write>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>


@ -26,13 +26,17 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/plymouth rPx,
/{usr/,}lib/gdm-session-worker rPx,
/{usr/,}{s,}prime-switch rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/plymouth rPx,
/etc/gdm{3,}/PrimeOff/Default rix,
@{libexec}/gdm-session-worker rPx,
/usr/share/gdm/gdm.schemas r,
/usr/share/wayland-sessions/*.desktop r,
/usr/share/xsessions/*.desktop r,
/etc/default/locale r,
/etc/gdm{3,}/custom.conf r,
/etc/locale.conf r,
@ -49,6 +53,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/users/@{uid} r,
@{run}/udev/tags/master-of-seat/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/pci[0-9]*/**/boot_vga r,
@{sys}/devices/virtual/tty/tty[0-9]*/active r,
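Review bot: `/{usr/,}{s,}prime-switch rPx` is missing the `bin/` component — it expands to `/prime-switch`, `/sprime-switch`, `/usr/prime-switch` and `/usr/sprime-switch`, none of which is a location where the tool is installed, so the `/etc/gdm{3,}/PrimeOff/Default` hook that this hunk also allows (`rix`) would have its exec of prime-switch denied. Presumably `/{usr/,}{s,}bin/prime-switch rPx,` was intended; note too that `rPx` requires a `prime-switch` profile to exist, otherwise the transition itself fails. The gdm profile continues outside this section.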


@ -45,6 +45,10 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
@{libexec}/gdm-wayland-session rPx,
@{libexec}/gdm-x-session rPx,
/etc/gdm{3,}/{Pre,Post}Session/Default rix,
/etc/gdm{3,}/PrimeOff/Default rix,
/usr/share/gdm/gdm.schemas r,
/usr/share/wayland-sessions/*.desktop r,
/etc/default/locale r,
/etc/environment r,
@ -56,8 +60,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
/etc/security/limits.d/{,*.conf} r,
/etc/shells r,
/usr/share/gdm/gdm.schemas r,
/usr/share/wayland-sessions/*.desktop r,
owner @{run}/user/@{uid}/keyring/control rw,
@{run}/faillock/[a-zA-z0-9]* rwk,
@{run}/gdm/custom.conf r,
@ -65,8 +68,6 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/users/@{uid} r,
@{run}/utmp rwk,
@{run}/systemd/userdb/io.systemd.DynamicUser w,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/loginuid rw,
owner @{PROC}/@{pid}/task/@{tid}/attr/exec rw,


@ -22,18 +22,19 @@ profile gdm-wayland-session @{exec_path} {
@{exec_path} mr,
# It can run hooks, how to handle them nicely? rCx? them mostly include if exist
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/env rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/gnome-session rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/gsettings rix,
/{usr/,}bin/head rix,
/{usr/,}bin/locale rix,
/{usr/,}bin/locale-check rix,
/{usr/,}bin/qmake rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/tty rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/zsh rix,
/{usr/,}bin/dbus-daemon rPx,
@ -42,12 +43,14 @@ profile gdm-wayland-session @{exec_path} {
/{usr/,}bin/flatpak rPUx,
@{libexec}/gnome-session-binary rPx,
/{usr/,}bin/gettext.sh r,
/usr/share/im-config/{,**} r,
/etc/default/im-config r,
/etc/gdm{3,}/custom.conf r,
/etc/machine-id r,
/etc/shells r,
/etc/X11/xinit/xinputrc r,
/etc/X11/Xsession.d/*im-config_launch r,
/usr/share/gdm/gdm.schemas r,


@ -30,7 +30,5 @@ profile gnome-calendar @{exec_path} {
owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
include if exists <local/gnome-calendar>
}


@ -14,6 +14,7 @@ profile gnome-contacts @{exec_path} {
include <abstractions/dri-enumerate>
include <abstractions/gnome>
include <abstractions/gstreamer>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/opencl>
include <abstractions/openssl>
@ -28,14 +29,11 @@ profile gnome-contacts @{exec_path} {
/usr/share/applications/{,*.desktop} r,
owner @{user_cache_dirs}/evolution/addressbook/{,**} r,
owner @{user_cache_dirs}/mesa_shader_cache/index rw,
owner @{user_config_dirs}/gnome-contacts/{,**} rw,
owner @{user_share_dirs}/folks/relationships.ini r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
include if exists <local/gnome-contacts>
}


@ -111,6 +111,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/comm r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/maps r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/statm r,


@ -10,8 +10,9 @@ include <tunables/global>
profile gnome-extension-ding @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
@{exec_path} mr,
@ -22,7 +23,7 @@ profile gnome-extension-ding @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/gnome-shell/extensions/ding@rastersoft.com/* r,
/usr/share/themes/{,**} r,
/usr/share/thumbnailers/*.thumbnailer r,
/usr/share/thumbnailers/{,*.thumbnailer} r,
/usr/share/X11/{,**} r,
/var/lib/snapd/desktop/icons/{,**} r,


@ -43,17 +43,18 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/aa-notify rPx,
/{usr/,}bin/blueman-applet rPx,
/{usr/,}bin/xdg-user-dirs-update rPx,
/{usr/,}bin/firewall-applet rPUx,
/{usr/,}bin/gnome-keyring-daemon rPx,
/{usr/,}bin/gnome-shell rPx,
/{usr/,}bin/im-launch rPx,
/{usr/,}bin/pkcs11-register rPx,
/{usr/,}bin/snap rPUx,
/{usr/,}bin/spice-vdagent rPx,
/{usr/,}bin/start-pulseaudio-x11 rPx,
/{usr/,}bin/ubuntu-report rPx,
/{usr/,}bin/update-notifier rPx,
/{usr/,}bin/xbrlapi rPx,
/{usr/,}bin/xdg-user-dirs-update rPx,
/{usr/,}lib/update-notifier/ubuntu-advantage-notification rPx,
@{libexec}/at-spi-bus-launcher rPx,
@{libexec}/evolution-data-server/evolution-alarm-notify rPx,
@ -98,14 +99,15 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/applications/ r,
owner @{user_share_dirs}/applications/mimeinfo.cache r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl,
owner @{run}/user/@{uid}/systemd/notify w,
@{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/systemd/sessions/* r,
@{run}/systemd/sessions/* r,
@{run}/systemd/sessions/*.ref rw,
@{run}/systemd/users/@{uid} r,


@ -125,6 +125,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
owner @{run}/user/@{uid}/snap.snapd-desktop-integration/wayland-cursor-shared-* rw,
owner @{run}/user/@{uid}/wayland-[0-9].lock rwk,
owner /dev/shm/.org.chromium.Chromium.* rw,


@ -10,8 +10,8 @@ include <tunables/global>
profile gsd-color @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/gtk>
signal (receive) set=(term, hup) peer=gdm*,


@ -10,8 +10,8 @@ include <tunables/global>
profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/gtk>
signal (receive) set=(term, hup) peer=gdm*,


@ -12,17 +12,16 @@ profile tracker-miner @{exec_path} {
include <abstractions/dbus-session-strict> # TODO: FIXME: See if we keep them like this.
include <abstractions/dconf>
include <abstractions/disks-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/private-files-strict>
include <abstractions/private-files>
@{exec_path} mr,
/usr/share/applications/{,mimeinfo.cache,*.list} r,
/usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/mime/mime.cache r,
/usr/share/tracker3-miners/{,**} r,
/usr/share/tracker3/{,**} r,
/usr/share/ubuntu/applications/ r,
@ -43,8 +42,6 @@ profile tracker-miner @{exec_path} {
owner @{MOUNTS}/*/{,**} r,
owner /tmp/*/{,**} r,
owner @{user_share_dirs}/{applications/,mime/mime.cache} r,
owner @{user_config_dirs}/user-dirs.dirs r,
owner @{user_config_dirs}/tracker3/{,**} rwk,
owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
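Review bot: If `private-files-strict` → `private-files` is the direction of this change, as the listing suggests, it relaxes what tracker-miner may read in the home directories it indexes: as shipped upstream, the `-strict` variant is the one that denies `@{HOME}/.ssh/**`, `@{HOME}/.gnupg/**` and browser key/cert databases, while plain `private-files` only guards shell dotfiles and history. For a full-text indexer that is granted `owner @{MOUNTS}/*/{,**} r` and `/tmp/*/{,**} r`, that is exactly the material you do not want copied into a searchable index; keep `include <abstractions/private-files-strict>`, or if a specific denial was firing, add a targeted allow for that path and document it next to the include. The tracker-miner profile body extends past this section.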


@ -21,6 +21,7 @@ profile pacman @{exec_path} {
capability dac_read_search,
capability fowner,
capability fsetid,
capability kill,
capability mknod,
capability net_admin,
capability setfcap,
@ -83,6 +84,7 @@ profile pacman @{exec_path} {
/{usr/,}bin/glib-compile-schemas rPx,
/{usr/,}bin/groupadd rPx,
/{usr/,}bin/gtk-query-immodules-{2,3}.0 rPx,
/{usr/,}bin/install-catalog rPx,
/{usr/,}bin/install-info rPx,
/{usr/,}bin/journalctl rPx,
/{usr/,}bin/locale-gen rPx,
@ -124,7 +126,9 @@ profile pacman @{exec_path} {
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/@{pids}/ r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/1/environ r,
@{PROC}/sys/kernel/osrelease r,
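Review bot: `capability kill` and `@{PROC}/1/environ r` are new grants with no comment; CAP_KILL lets pacman signal any process on the system and reading init's environment is not an obvious package-manager need, so both read as audit-log copies rather than reasoned additions. If a hook (say, one that restarts services) is what needs them, give that hook its own `rPx` target instead of widening pacman itself, or at least record the trigger inline: `capability kill, # TODO: which hook?` and `@{PROC}/1/environ r, # TODO: which hook?`. The pacman profile continues outside this section.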


@ -51,12 +51,12 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix,
/{usr/,}{s,}bin/nologin rPx,
/{usr/,}bin/{,b,d,rb}ash rUx,
/{usr/,}bin/{c,k,tc,z}sh rUx,
/{usr/,}{s,}bin/nologin rPx,
/{usr/,}bin/false rix,
/{usr/,}bin/passwd rPx,
/{usr/,}lib/openssh/sftp-server rPx,
/{usr/,}bin/false rix,
/etc/default/locale r,
/etc/environment r,
@ -78,8 +78,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
@{run}/motd.dynamic rw,
@{run}/motd.dynamic.new rw,
@{run}/resolvconf/resolv.conf r,
@{run}/systemd/sessions/*.ref rw,
@{run}/systemd/notify w,
@{run}/systemd/sessions/*.ref rw,
@{sys}/fs/cgroup/*/user/*/[0-9]*/ rw,
@{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-*.scope/ rw,


@ -24,12 +24,14 @@ profile bootctl @{exec_path} {
/{boot,efi}/ r,
/{boot,efi}/EFI/{,**} r,
/{boot,efi}/loader/{,**} r,
/{boot,efi}/EFI/BOOT/.#BOOT*.EFI[0-9a-f]* rw,
/{boot,efi}/EFI/BOOT/BOOTX64.EFI w,
/{boot,efi}/EFI/systemd/.#systemd-boot*.efi[0-9a-f]* rw,
/{boot,efi}/EFI/systemd/systemd-boot*.efi w,
/{boot,efi}/loader/.#bootctlrandom-seed[0-9a-f]* rw,
/{boot,efi}/loader/.#entries.srel* w,
/{boot,efi}/loader/{,**} r,
/{boot,efi}/loader/entries.srel w,
/{boot,efi}/loader/random-seed w,
/etc/machine-id r,
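Review bot: The new write rules hard-code the x86-64 removable-media loader name (`/{boot,efi}/EFI/BOOT/BOOTX64.EFI w`), so on an AArch64 or IA-32 system bootctl's install of `BOOTAA64.EFI` / `BOOTIA32.EFI` would be denied while the temp-file pattern `.#BOOT*.EFI[0-9a-f]*` next to it already matches any of them. Use the UEFI fallback names as a group, `/{boot,efi}/EFI/BOOT/BOOT{X64,AA64,IA32}.EFI w,`. Since these lines grant writes to the ESP's loader binaries and the loader random seed, a one-line `# bootctl install/update` above them would also make clear that this is the intended, root-only write path. The bootctl profile extends beyond this section.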


@ -11,12 +11,11 @@ include <tunables/global>
profile networkctl @{exec_path} flags=(complain) {
include <abstractions/base>
# To be able to manage network interfaces,
capability net_admin,
# Needed? (#FIXME#)
audit deny capability sys_resource,
audit deny capability sys_module,
audit capability sys_resource,
audit capability sys_module,
signal send peer=child-pager,
@ -49,6 +48,7 @@ profile networkctl @{exec_path} flags=(complain) {
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/stat r,
@{PROC}/filesystems r,
@{PROC}/sys/kernel/random/boot_id r,
include if exists <local/networkctl>
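Review bot: Turning `audit deny capability sys_resource` / `sys_module` into `audit capability sys_resource` / `sys_module` flips an explicit denial into a grant: once this profile leaves `complain` mode, networkctl — a CLI client that talks to networkd — would be allowed CAP_SYS_MODULE, i.e. to load kernel modules, plus CAP_SYS_RESOURCE. Nothing in the hunk shows networkctl needing either, and the `# Needed? (#FIXME#)` marker that flagged the doubt was dropped in the same change. If the aim was only to learn whether the capability is ever requested, keep the deny form and the FIXME comment; grant them only with a documented reason, e.g. `audit capability sys_module, # TODO: confirm, should not be needed by a networkd client`.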


@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2018-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -17,7 +17,11 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{run}/systemd/notify rw,
@{run}/udev/data/+dmi:id r,
@{sys}/devices/virtual/dmi/id/bios_vendor r,
@{sys}/devices/virtual/dmi/id/bios_version r,
@{sys}/devices/virtual/dmi/id/board_vendor r,
@{sys}/devices/virtual/dmi/id/chassis_type r,
@{sys}/devices/virtual/dmi/id/product_name r,
@ -25,7 +29,6 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/dmi/id/uevent r,
@{run}/udev/data/+dmi:id r,
@{sys}/firmware/dmi/entries/*/raw r,
/etc/.#hostname* rw,


@ -9,8 +9,9 @@ include <tunables/global>
@{exec_path} = /usr/share/apport/apport-checkreports
profile apport-checkreports @{exec_path} {
include <abstractions/base>
include <abstractions/python>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/python>
@{exec_path} mr,
@ -21,6 +22,9 @@ profile apport-checkreports @{exec_path} {
/usr/share/apport/ r,
/etc/apt/apt.conf.d/{,**} r,
/etc/default/apport r,
/var/crash/ r,
include if exists <local/apport-checkreports>
}


@ -11,6 +11,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
capability dac_read_search,
capability sys_ptrace,
capability syslog,
ptrace (read),
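Review bot: `capability syslog` is added next to the existing `sys_ptrace` / `ptrace (read)` grants with no indication of what requested it; CAP_SYSLOG is the kernel-log capability, which a lock checker that only walks `/proc/<pid>` should not need. Find the denial that prompted it — if it is incidental to a `/proc` read the program does not actually depend on, a `deny capability syslog,` that silences the log is the safer answer than granting it — and record the decision inline either way: `capability syslog, # TODO: why? (see denial)`. The profile continues past this section.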


@ -10,6 +10,8 @@ include <tunables/global>
profile aurpublish @{exec_path} {
include <abstractions/base>
signal (receive) peer=git,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,


@ -18,8 +18,11 @@ profile borg @{exec_path} {
network inet dgram,
network inet6 dgram,
network netlink raw,
@{exec_path} r,
/{usr/,}bin/ r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/uname rix,
@ -66,15 +69,11 @@ profile borg @{exec_path} {
# Dirs that can be backed up
/ r,
/boot/{,**} r,
/efi/{,**} r,
/etc/{,**} r,
/home/{,**} r,
@{MOUNTS}/{,**} r,
/opt/{,**} r,
/root/{,**} r,
/srv/{,**} r,
/usr/{,**} r,
/var/{,**} r,
# The backup dirs


@ -27,6 +27,8 @@ profile git @{exec_path} {
network inet6 stream,
network netlink raw,
signal (send) peer=aurpublish,
@{exec_path} mrix,
# When you mistype a command, git checks the $PATH variable and search its exec dirs to give you


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -19,37 +20,36 @@ profile mkinitramfs @{exec_path} {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/ r,
/{usr/,}bin/ r,
/{usr/,}{s,}bin/ r,
/{usr/,}lib/ r,
/{usr/,}lib64/ r,
/{usr/,}bin/getopt rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/tsort rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/id rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/env rix,
/{usr/,}bin/rmdir rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/cpio rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cpio rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/env rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/id rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/lzma rix,
/{usr/,}bin/lzop rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/rmdir rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/tsort rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/zstd rix,
@ -87,20 +87,21 @@ profile mkinitramfs @{exec_path} {
/var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw,
owner /var/tmp/mkinitramfs-* rw,
@{PROC}/modules r,
owner @{PROC}/@{uid}/fd/ r,
@{PROC}/modules r,
profile ldd {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
/{usr/,}bin/ldd mr,
/{usr/,}bin/kmod mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}lib/@{multiarch}/ld-*.so rix,
/{usr/,}lib{,x}32/ld-*.so rix,
/{usr/,}lib/@{multiarch}/ld-*.so* rix,
/{usr/,}lib{,x}32/ld-*.so rix,
}
@ -110,7 +111,10 @@ profile mkinitramfs @{exec_path} {
capability sys_chroot,
/{usr/,}sbin/ldconfig mr,
/{usr/,}{s,}bin/ldconfig mr,
/{usr/,}{s,}bin/ldconfig.real rix,
/{usr/,}bin/{,ba,da}sh rix,
owner /var/tmp/mkinitramfs_*/etc/ld.so.conf r,
owner /var/tmp/mkinitramfs_*/etc/ld.so.conf.d/{,*.conf} r,
@ -148,11 +152,14 @@ profile mkinitramfs @{exec_path} {
profile kmod {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/openssl>
/{usr/,}bin/kmod mr,
@{PROC}/cmdline r,
/etc/depmod.d/ r,
/etc/depmod.d/*.conf r,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
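Review bot: `owner @{PROC}/@{uid}/fd/ r`, a line this hunk carries through between the old and new positions of `@{PROC}/modules r`, uses `@{uid}` where `@{pid}` is evidently meant: `/proc/<uid>/fd/` is some other process's fd table that only coincidentally exists (for root it never does), so whatever read of its own `/proc/self/fd/` prompted the rule is still denied. Since the neighbouring lines were being re-sorted anyway, fix it to `owner @{PROC}/@{pid}/fd/ r,` as the other profiles in this commit write it. The `ldd` subprofile's new `/{usr/,}bin/kmod mr` and the widened `ld-*.so*` loader glob look right for running ldd on the kmod binary, but a short comment would spare the next reader the puzzle. The mkinitramfs profile extends beyond this section.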


@ -12,6 +12,8 @@ profile qemu-ga @{exec_path} {
@{exec_path} mr,
/etc/qemu/qemu-ga.conf r,
owner @{run}/qga.state* rw,
/dev/vport[0-9]*p[0-9]* rw,


@ -16,25 +16,12 @@ profile rsyslogd @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice>
# Needed to remove the following error:
# rsyslogd[]: imklog: cannot open kernel log (/proc/kmsg): Operation not permitted.
capability syslog,
# For remote logs
capability net_admin,
# for creating new log files and changing their owner/group
capability chown,
# downgrade privileges on Ubuntu
capability setgid,
capability chown, # For creating new log files and changing their owner/group
capability net_admin, # For remote logs
capability setgid, # For downgrading privileges
capability setuid,
# Needed?
deny capability sys_nice,
# capability sys_ptrace,
# ptrace (read),
capability syslog,
@{exec_path} mr,
/{usr/,}lib/@{multiarch}/rsyslog/*.so mr,
@ -47,6 +34,7 @@ profile rsyslogd @{exec_path} {
owner @{run}/rsyslogd.pid{,.tmp} rwk,
owner @{run}/systemd/journal/syslog w,
@{run}/systemd/notify rw,
# log files and devices
/var/log/** rw,
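Review bot: The rewrite moved `capability syslog,` to the end of the capability list but dropped its explanation (the old `# Needed to remove the following error: rsyslogd[]: imklog: cannot open kernel log (/proc/kmsg): Operation not permitted.` block), while the sibling capabilities got inline comments — so the one capability that grants kernel-log access is now the only undocumented one. Restore it in the new style: `capability syslog, # For imklog: reading the kernel log (/proc/kmsg)`. Dropping `deny capability sys_nice` (if that line is on the old side) also means a sys_nice request now lands in the audit log instead of being silently refused, which is fine but worth knowing when the noise appears. The rsyslogd profile continues past this section.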


@ -20,7 +20,7 @@ profile spice-vdagent @{exec_path} {
owner @{user_config_dirs}/user-dirs.dirs r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
owner @{run}/spice-vdagentd/spice-vdagent-sock rw,
@{run}/spice-vdagentd/spice-vdagent-sock rw,
@{sys}/devices/pci[0-9]*/**/{device,vendor} r,


@ -6,15 +6,18 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/spice-vdagentd
profile spice-vdagentd @{exec_path} {
@{exec_path} = /{usr/,}{s,}bin/spice-vdagentd
profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
capability sys_nice,
@{exec_path} mr,
owner @{run}/spice-vdagentd/spice-vdagent-sock r,
owner @{run}/spice-vdagentd/spice-vdagentd.pid rw,
@{run}/systemd/journal/dev-log w,
@{run}/systemd/seats/seat[0-9]* r,
@{run}/systemd/sessions/* r,
@{run}/systemd/users/@{uid} r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/switcheroo-control
profile switcheroo-control @{exec_path} {
profile switcheroo-control @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
capability sys_nice,
@ -18,6 +18,8 @@ profile switcheroo-control @{exec_path} {
@{run}/udev/data/+drm:* r,
@{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/drm/ r,


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -14,25 +15,26 @@ profile ucf @{exec_path} flags=(complain) {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/seq rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/md5sum rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/id rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/perl rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/id rix,
/{usr/,}bin/mawk rix,
/{usr/,}bin/md5sum rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/perl rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/seq rix,
/{usr/,}bin/stat rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/which{,.debianutils} rix,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -8,33 +9,33 @@ include <tunables/global>
@{exec_path} = /usr/share/command-not-found/cnf-update-db
@{exec_path} += /{usr/,}{s,}bin/update-command-not-found
@{exec_path} += /{usr/,}lib/cnf-update-db
profile update-command-not-found @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/python>
#capability sys_tty_config,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}lib/apt/apt-helper rix,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/var/lib/command-not-found/ r,
/var/lib/command-not-found/commands.db* rwk,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}lib/apt/apt-helper rix,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/usr/share/command-not-found/{,**} r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/command-not-found/ r,
/var/lib/command-not-found/commands.db* rwk,
/var/lib/apt/lists/ r,
/var/lib/apt/lists/*_Contents-* r,
/var/lib/apt/lists/*_Commands-* r,
owner @{PROC}/@{pid}/fd/ r,