mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-15 07:54:17 +01:00
feat(profile): update flatpak.
This commit is contained in:
Alexandre Pujol
parent
d81bce5559
commit
c54d72543e
@ -27,12 +27,16 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
|
|||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{bin}/bwrap rPx -> flatpak-bwrap,
|
@{bin}/bwrap rPx -> flatpak-bwrap,
|
||||||
|
@{bin}/fusermount{,3} rCx -> fusermount,
|
||||||
@{bin}/gpg rCx -> gpg,
|
@{bin}/gpg rCx -> gpg,
|
||||||
@{bin}/gpgconf rCx -> gpg,
|
@{bin}/gpgconf rCx -> gpg,
|
||||||
@{bin}/gpgsm rCx -> gpg,
|
@{bin}/gpgsm rCx -> gpg,
|
||||||
|
@{lib}/revokefs-fuse rix,
|
||||||
|
|
||||||
/usr/share/gvfs/remote-volume-monitors/*.monitor r,
|
/usr/share/gvfs/remote-volume-monitors/*.monitor r,
|
||||||
/usr/share/flatpak/{,**} r,
|
/usr/share/flatpak/{,**} r,
|
||||||
@ -40,11 +44,14 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
|
|||||||
/etc/flatpak/{,**} r,
|
/etc/flatpak/{,**} r,
|
||||||
/etc/pulse/client.conf r,
|
/etc/pulse/client.conf r,
|
||||||
|
|
||||||
/var/lib/flatpak/{,**} rwlk,
|
|
||||||
/var/tmp/#@{int} rw,
|
|
||||||
|
|
||||||
/ r,
|
/ r,
|
||||||
|
|
||||||
|
/var/lib/flatpak/{,**} rwlk,
|
||||||
|
|
||||||
|
/var/tmp/#@{int} rw,
|
||||||
|
/var/tmp/flatpak-cache-@{rand6}/{,**/} r,
|
||||||
|
owner /var/tmp/flatpak-cache-@{rand6}/{,**} rwk,
|
||||||
|
|
||||||
owner @{HOME}/.var/ w,
|
owner @{HOME}/.var/ w,
|
||||||
owner @{HOME}/.var/app/{,**} rw,
|
owner @{HOME}/.var/app/{,**} rw,
|
||||||
|
|
||||||
@ -69,15 +76,18 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
|
|||||||
|
|
||||||
@{sys}/module/nvidia/version r,
|
@{sys}/module/nvidia/version r,
|
||||||
|
|
||||||
|
@{PROC}/sys/fs/pipe-max-size r,
|
||||||
owner @{PROC}/@{pid}/stat r,
|
owner @{PROC}/@{pid}/stat r,
|
||||||
|
|
||||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
/dev/fuse rw,
|
||||||
|
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
/dev/tty@{int} rw,
|
/dev/tty@{int} rw,
|
||||||
|
|
||||||
|
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||||
|
|
||||||
profile gpg {
|
profile gpg {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/consoles>
|
||||||
|
|
||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
|
|
||||||
@ -93,5 +103,26 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
|
|||||||
include if exists <local/flatpak_gpg>
|
include if exists <local/flatpak_gpg>
|
||||||
}
|
}
|
||||||
|
|
||||||
|
profile fusermount {
|
||||||
|
include <abstractions/base>
|
||||||
|
include <abstractions/consoles>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
|
capability sys_admin,
|
||||||
|
|
||||||
|
mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
|
||||||
|
umount /var/tmp/flatpak-cache-*/*/,
|
||||||
|
|
||||||
|
@{bin}/fusermount{,3} mr,
|
||||||
|
|
||||||
|
/etc/fuse.conf r,
|
||||||
|
|
||||||
|
@{PROC}/@{pids}/mounts r,
|
||||||
|
|
||||||
|
/dev/fuse rw,
|
||||||
|
|
||||||
|
include if exists <local/flatpak_fusermount>
|
||||||
|
}
|
||||||
|
|
||||||
include if exists <local/flatpak>
|
include if exists <local/flatpak>
|
||||||
}
|
}
|
||||||
|
|||||||
@ -13,12 +13,15 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
|
|||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/bwrap-app>
|
include <abstractions/bwrap-app>
|
||||||
|
|
||||||
|
capability sys_ptrace,
|
||||||
|
|
||||||
network inet dgram,
|
network inet dgram,
|
||||||
network inet6 dgram,
|
network inet6 dgram,
|
||||||
network inet stream,
|
network inet stream,
|
||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
ptrace (read),
|
||||||
ptrace peer=flatpak-app//&flatpak-bwrap,
|
ptrace peer=flatpak-app//&flatpak-bwrap,
|
||||||
|
|
||||||
signal peer=flatpak-app//&flatpak-bwrap,
|
signal peer=flatpak-app//&flatpak-bwrap,
|
||||||
@ -26,6 +29,8 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
|
|||||||
@{bin}/** rmix,
|
@{bin}/** rmix,
|
||||||
@{lib}/** rmix,
|
@{lib}/** rmix,
|
||||||
/app/** rmix,
|
/app/** rmix,
|
||||||
|
/var/lib/flatpak/app/*/**/@{bin}/** rmix,
|
||||||
|
/var/lib/flatpak/app/*/**/@{lib}/** rmix,
|
||||||
|
|
||||||
/var/lib/flatpak/app/{,**} r,
|
/var/lib/flatpak/app/{,**} r,
|
||||||
|
|
||||||
|
|||||||
@ -25,8 +25,12 @@ profile flatpak-bwrap flags=(attach_disconnected,mediate_deleted) {
|
|||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
mount,
|
mount options=(rw, silent, rslave) -> /,
|
||||||
umount,
|
mount fstype=tmpfs -> /tmp/,
|
||||||
|
mount -> /newroot/{,**},
|
||||||
|
mount -> /oldroot/,
|
||||||
|
mount -> /tmp/newroot/,
|
||||||
|
umount /{,oldroot/},
|
||||||
|
|
||||||
pivot_root oldroot=/newroot/ -> /newroot/,
|
pivot_root oldroot=/newroot/ -> /newroot/,
|
||||||
pivot_root oldroot=/tmp/oldroot/ -> /tmp/,
|
pivot_root oldroot=/tmp/oldroot/ -> /tmp/,
|
||||||
|
|||||||
17
apparmor.d/profiles-a-f/flatpak-oci-authenticator
Normal file
17
apparmor.d/profiles-a-f/flatpak-oci-authenticator
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
include <tunables/global>
|
||||||
|
|
||||||
|
@{exec_path} = @{lib}/flatpak-oci-authenticator
|
||||||
|
profile flatpak-oci-authenticator @{exec_path} {
|
||||||
|
include <abstractions/base>
|
||||||
|
include <abstractions/openssl>
|
||||||
|
|
||||||
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
include if exists <local/flatpak-oci-authenticator>
|
||||||
|
}
|
||||||
@ -22,6 +22,8 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{bin}/pkexec rPx,
|
@{bin}/pkexec rPx,
|
||||||
@{lib}/p11-kit/p11-kit-remote rix,
|
@{lib}/p11-kit/p11-kit-remote rix,
|
||||||
@{lib}/p11-kit/p11-kit-server rix,
|
@{lib}/p11-kit/p11-kit-server rix,
|
||||||
|
/var/lib/flatpak/app/*/**/@{bin}/** rPx -> flatpak-app,
|
||||||
|
/var/lib/flatpak/app/*/**/@{lib}/** rPx -> flatpak-app,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/.flatpak-helper/{,**} rw,
|
owner @{run}/user/@{uid}/.flatpak-helper/{,**} rw,
|
||||||
owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-[0-9]* rw,
|
owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-[0-9]* rw,
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user