feat(profiles): general update. See #101
This commit is contained in:
parent
f20aa4f548
commit
c59a40ec4e
28 changed files with 64 additions and 28 deletions
@ -90,6 +90,7 @@
|
||||||
/usr/share/chromium/extensions/{,**} r,
|
/usr/share/chromium/extensions/{,**} r,
|
||||||
/usr/share/egl/{,**} r,
|
/usr/share/egl/{,**} r,
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
|
/usr/share/libdrm/*.ids r,
|
||||||
/usr/share/mozilla/extensions/{,**} r,
|
/usr/share/mozilla/extensions/{,**} r,
|
||||||
/usr/share/webext/{,**} r,
|
/usr/share/webext/{,**} r,
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Copyright (C) 2018-2021 Mikhail Morfikov
|
# Copyright (C) 2018-2021 Mikhail Morfikov
|
||||||
|
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
@ -9,7 +10,7 @@
|
||||||
owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png r,
|
owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png r,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/thumbnails/ r,
|
owner @{user_cache_dirs}/thumbnails/ r,
|
||||||
owner @{user_cache_dirs}/thumbnails/{large,normal}/ r,
|
owner @{user_cache_dirs}/thumbnails/{*large,normal}/ r,
|
||||||
owner @{user_cache_dirs}/thumbnails/{large,normal}/[a-f0-9]*.png r,
|
owner @{user_cache_dirs}/thumbnails/{*large,normal}/[a-f0-9]*.png r,
|
||||||
|
|
||||||
include if exists <abstractions/thumbnails-cache-read.d>
|
include if exists <abstractions/thumbnails-cache-read.d>
|
|
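Review bot: The widening to `{*large,normal}` on the two `@{user_cache_dirs}/thumbnails/` rules is not applied to the legacy `owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png r,` rule that stays as context at the top of the second hunk, so the two locations now accept different size directories. If the extra sizes (presumably `x-large`/`xx-large`) matter for the legacy path too, change it to `owner @{HOME}/thumbnails/{*large,normal}/[a-f0-9]*.png r,`; if the legacy path is deliberately frozen, a one-line comment saying so would stop the next reader from "fixing" it. Note that `*` in an AppArmor glob matches any run of characters without a `/`, so `*large` also matches directory names that merely end in `large`, which is wider than the two-name list it replaces. The abstraction continues outside the hunk.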
@ -40,16 +40,15 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
/{usr/,}bin/ r,
|
/{usr/,}bin/ r,
|
||||||
@{libexec}/* rPUx,
|
@{libexec}/* rPUx,
|
||||||
/{usr/,}lib/ibus/ibus-* rPx,
|
|
||||||
/{usr/,}bin/[a-z0-9]* rPUx,
|
/{usr/,}bin/[a-z0-9]* rPUx,
|
||||||
/{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper rPx,
|
|
||||||
# Xubuntu
|
|
||||||
/{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd rPUx,
|
|
||||||
/{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx,
|
/{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx,
|
||||||
|
/{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd rPUx,
|
||||||
/usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
|
/{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper rPx,
|
||||||
/usr/share/org.gnome.Characters/org.gnome.Characters rPx,
|
/{usr/,}lib/ibus/ibus-* rPx,
|
||||||
|
/{usr/,}lib/telepathy/mission-control-5 rPx,
|
||||||
/usr/share/gnome-documents/org.gnome.Documents rPx,
|
/usr/share/gnome-documents/org.gnome.Documents rPx,
|
||||||
|
/usr/share/org.gnome.Characters/org.gnome.Characters rPx,
|
||||||
|
/usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
|
||||||
|
|
||||||
/etc/dbus-1/{,**} r,
|
/etc/dbus-1/{,**} r,
|
||||||
|
|
||||||
|
|
|
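Review bot: `/{usr/,}lib/telepathy/mission-control-5 rPx,` is a strict profile transition, which means the exec is refused if no profile attached to that path is loaded, whereas the neighbouring optional desktop helpers (`tumblerd`, `xfconfd`) use `rPUx` for exactly that situation. If a `mission-control-5` profile ships in this tree the line is fine; otherwise either `rPUx` or a trailing comment naming the profile it depends on would make the choice explicit. The dbus-daemon profile body continues outside the hunk.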
@ -32,7 +32,9 @@ profile child-pager {
|
||||||
|
|
||||||
owner @{HOME}/ r,
|
owner @{HOME}/ r,
|
||||||
owner @{HOME}/.lesshs* rw,
|
owner @{HOME}/.lesshs* rw,
|
||||||
|
owner @{HOME}/.terminfo/[0-9]*/* r,
|
||||||
owner @{user_cache_dirs}/lesshs* rw,
|
owner @{user_cache_dirs}/lesshs* rw,
|
||||||
|
owner @{user_state_dirs}/ r,
|
||||||
owner @{user_state_dirs}/lesshs* rw,
|
owner @{user_state_dirs}/lesshs* rw,
|
||||||
|
|
||||||
include if exists <local/child-pager>
|
include if exists <local/child-pager>
|
||||||
|
|
|
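Review bot: `owner @{HOME}/.terminfo/[0-9]*/* r,` only matches terminfo subdirectories whose name starts with a digit, yet the system database referenced elsewhere in this commit uses single-letter directories (`/usr/share/terminfo/d/dumb`, `/usr/share/terminfo/x/xterm-256color`). If ncurses on the target distributions lays out `~/.terminfo` the same way, an entry such as `~/.terminfo/x/…` will still be denied; if the digit form is intentional (hex-encoded first-character directories on some builds), a short comment would make that clear. The same pattern is added to aa-notify further down as `owner @{HOME}/.terminfo/[0-9]*/dumb r,`. The child-pager profile continues outside the hunk.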
@ -61,7 +61,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/pipewire-[0-9]*.lock rwk,
|
owner @{run}/user/@{uid}/pipewire-[0-9]*.lock rwk,
|
||||||
|
|
||||||
@{run}/udev/data/c236:[0-9]* r,
|
@{run}/udev/data/c23[0-9]:[0-9]* r,
|
||||||
@{run}/udev/data/c50[0-9]:[0-9]* r,
|
@{run}/udev/data/c50[0-9]:[0-9]* r,
|
||||||
@{run}/udev/data/c81:[0-9]* r, # For video4linux
|
@{run}/udev/data/c81:[0-9]* r, # For video4linux
|
||||||
|
|
||||||
|
|
|
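Review bot: `@{run}/udev/data/c23[0-9]:[0-9]* r,` replaces a single-major rule with a range and carries no comment, unlike the neighbouring `c81` line (`# For video4linux`). The range is presumably meant to follow char majors that the kernel assigns dynamically rather than one fixed number, so a comment such as `# dynamically assigned char majors` would record that and keep someone from narrowing it back to `c236`. The same widening is made without a comment in gnome-control-center (`c235`/`c236` → `c23[0-9]`), tracker-extract (`c235:*`/`c236:*` → `c23[0-9]:[0-9]*`) and fprintd (`c239` → `c23[0-9]`). The pipewire profile body continues outside the hunk.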
@ -33,14 +33,15 @@ profile xdg-settings @{exec_path} {
|
||||||
/{usr/,}bin/xdg-mime rPx,
|
/{usr/,}bin/xdg-mime rPx,
|
||||||
/{usr/,}bin/xprop rPx,
|
/{usr/,}bin/xprop rPx,
|
||||||
|
|
||||||
|
/usr/share/applications/{,*} r,
|
||||||
/usr/share/terminfo/x/xterm-256color r,
|
/usr/share/terminfo/x/xterm-256color r,
|
||||||
/usr/share/applications/ r,
|
|
||||||
/usr/share/ubuntu/applications/ r,
|
/usr/share/ubuntu/applications/ r,
|
||||||
|
|
||||||
/etc/xdg/xfce4/helpers.rc r,
|
/etc/xdg/xfce4/helpers.rc r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/var/lib/dbus/machine-id r,
|
/var/lib/dbus/machine-id r,
|
||||||
|
|
||||||
|
/var/lib/flatpak/exports/share/applications/{,*} r,
|
||||||
/var/lib/snapd/desktop/applications/{,*} r,
|
/var/lib/snapd/desktop/applications/{,*} r,
|
||||||
|
|
||||||
owner @{HOME}/ r,
|
owner @{HOME}/ r,
|
||||||
|
|
|
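Review bot: `/usr/share/ubuntu/applications/ r,` stays a directory-only rule while the sibling `/usr/share/applications/` line was turned into `{,*}` and the new flatpak line also uses `{,*}`. If `.desktop` files under the ubuntu directory are read as well, `/usr/share/ubuntu/applications/{,*} r,` keeps the three consistent; if only the listing is needed there, a comment would explain the asymmetry. The xdg-settings profile continues outside the hunk.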
@ -24,5 +24,8 @@ profile xhost @{exec_path} {
|
||||||
/dev/tty[0-9]* rw,
|
/dev/tty[0-9]* rw,
|
||||||
owner @{HOME}/.xsession-errors w,
|
owner @{HOME}/.xsession-errors w,
|
||||||
|
|
||||||
|
# Silencer
|
||||||
|
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||||
|
|
||||||
include if exists <local/xhost>
|
include if exists <local/xhost>
|
||||||
}
|
}
|
||||||
|
|
|
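Review bot: `deny @{user_share_dirs}/gvfs-metadata/* r,` silences reads of files inside the directory but not of the directory entry itself; if the logged denial being silenced is an open of `gvfs-metadata/` (a directory listing), `deny @{user_share_dirs}/gvfs-metadata/{,*} r,` is needed for the log to go quiet. I cannot tell from the hunk which access was observed, so this is worth confirming against the audit line that prompted the rule. The same silencer is added verbatim to pkexec further down. The xhost profile starts outside the hunk.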
@ -16,6 +16,7 @@ profile xrdb @{exec_path} {
|
||||||
|
|
||||||
/{usr/,}bin/{,ba,da}sh rix,
|
/{usr/,}bin/{,ba,da}sh rix,
|
||||||
/{usr/,}bin/{,@{multiarch}-}cpp-[0-9]* rix,
|
/{usr/,}bin/{,@{multiarch}-}cpp-[0-9]* rix,
|
||||||
|
/{usr/,}bin/cpp rix,
|
||||||
/{usr/,}lib/gcc/@{multiarch}/[0-9]*/cc1 rix,
|
/{usr/,}lib/gcc/@{multiarch}/[0-9]*/cc1 rix,
|
||||||
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
|
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
|
||||||
|
|
||||||
|
@ -27,7 +28,6 @@ profile xrdb @{exec_path} {
|
||||||
owner @{HOME}/.Xresources r,
|
owner @{HOME}/.Xresources r,
|
||||||
owner @{user_config_dirs}/.Xresources r,
|
owner @{user_config_dirs}/.Xresources r,
|
||||||
owner @{user_config_dirs}/Xresources/.Xresources r,
|
owner @{user_config_dirs}/Xresources/.Xresources r,
|
||||||
# If the .Xresources file includes some additional files
|
|
||||||
owner @{user_config_dirs}/Xresources/* r,
|
owner @{user_config_dirs}/Xresources/* r,
|
||||||
|
|
||||||
owner /tmp/xauth-[0-9]*-_[0-9] r,
|
owner /tmp/xauth-[0-9]*-_[0-9] r,
|
||||||
|
@ -37,6 +37,8 @@ profile xrdb @{exec_path} {
|
||||||
owner /dev/tty[0-9]* rw,
|
owner /dev/tty[0-9]* rw,
|
||||||
owner @{HOME}/.xsession-errors w,
|
owner @{HOME}/.xsession-errors w,
|
||||||
|
|
||||||
|
/dev/tty rw,
|
||||||
|
|
||||||
include if exists <local/xrdb>
|
include if exists <local/xrdb>
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
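Review bot: The removed comment `# If the .Xresources file includes some additional files` was the only explanation for `owner @{user_config_dirs}/Xresources/* r,`, which now stands without rationale in the second hunk. Keep it, or fold it into the rule as a trailing comment (`owner @{user_config_dirs}/Xresources/* r, # files #included from .Xresources`). The added `/{usr/,}bin/cpp rix,` runs the preprocessor inside xrdb's own confinement, consistent with the versioned `cpp-[0-9]*` rule above it. The xrdb profile continues outside the hunks.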
@ -10,9 +10,13 @@ include <tunables/global>
|
||||||
profile gnome-characters @{exec_path} {
|
profile gnome-characters @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
|
include <abstractions/dri-common>
|
||||||
|
include <abstractions/dri-enumerate>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/fonts>
|
include <abstractions/gnome>
|
||||||
include <abstractions/freedesktop.org>
|
include <abstractions/mesa>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/vulkan>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
@ -22,6 +26,7 @@ profile gnome-characters @{exec_path} {
|
||||||
/usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService.*.gresource r,
|
/usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService.*.gresource r,
|
||||||
/usr/share/themes/{,**} r,
|
/usr/share/themes/{,**} r,
|
||||||
/usr/share/X11/xkb/{,**} r,
|
/usr/share/X11/xkb/{,**} r,
|
||||||
|
/usr/share/libdrm/*.ids r,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
owner @{PROC}/@{pid}/stat r,
|
owner @{PROC}/@{pid}/stat r,
|
||||||
|
|
|
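Review bot: `include <abstractions/gnome>` replaces `<abstractions/fonts>` and `<abstractions/freedesktop.org>`, and if the gnome abstraction in this tree resembles the stock one it pulls in considerably more than those two (X, GTK, many `/usr/share` reads), so the profile's access set grows by more than the diff suggests. A one-line comment on why the broad abstraction is needed would help a later reviewer judge the widening. Also, `/usr/share/libdrm/*.ids r,` in the second hunk is the same line the first file in this commit adds to an abstraction; if that abstraction is `dri-common`, `dri-enumerate` or `mesa`, all of which are included here now, the explicit rule is redundant. The gnome-characters profile continues outside the hunks.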
@ -20,6 +20,8 @@ profile gnome-contacts-search-provider @{exec_path} {
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
/usr/share/mime/mime.cache r,
|
/usr/share/mime/mime.cache r,
|
||||||
|
|
||||||
|
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
||||||
|
|
||||||
owner @{user_share_dirs}/mime/mime.cache r,
|
owner @{user_share_dirs}/mime/mime.cache r,
|
||||||
owner @{user_share_dirs}/folks/relationships.ini r,
|
owner @{user_share_dirs}/folks/relationships.ini r,
|
||||||
|
|
||||||
|
|
|
@ -153,8 +153,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
||||||
@{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
|
@{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
|
||||||
@{run}/udev/data/+pci* r,
|
@{run}/udev/data/+pci* r,
|
||||||
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
|
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
|
||||||
@{run}/udev/data/c235:[0-9]* r,
|
@{run}/udev/data/c23[0-9]:[0-9]* r,
|
||||||
@{run}/udev/data/c236:[0-9]* r,
|
|
||||||
@{run}/udev/data/c50[0-9]:[0-9]* r,
|
@{run}/udev/data/c50[0-9]:[0-9]* r,
|
||||||
@{run}/udev/data/c51[0-9]:[0-9]* r,
|
@{run}/udev/data/c51[0-9]:[0-9]* r,
|
||||||
@{run}/udev/data/n[0-9]* r,
|
@{run}/udev/data/n[0-9]* r,
|
||||||
|
|
|
@ -166,6 +166,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
||||||
/{usr/,}bin/parcellite rPUx,
|
/{usr/,}bin/parcellite rPUx,
|
||||||
/{usr/,}bin/pkcs11-register rPx,
|
/{usr/,}bin/pkcs11-register rPx,
|
||||||
/{usr/,}bin/snap rPUx,
|
/{usr/,}bin/snap rPUx,
|
||||||
|
/{usr/,}bin/snapshot-detect rPUx,
|
||||||
/{usr/,}bin/spice-vdagent rPx,
|
/{usr/,}bin/spice-vdagent rPx,
|
||||||
/{usr/,}bin/start-pulseaudio-x11 rPx,
|
/{usr/,}bin/start-pulseaudio-x11 rPx,
|
||||||
/{usr/,}bin/ubuntu-report rPx,
|
/{usr/,}bin/ubuntu-report rPx,
|
||||||
|
@ -176,6 +177,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
||||||
/{usr/,}lib/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher rPUx,
|
/{usr/,}lib/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher rPUx,
|
||||||
/{usr/,}lib/caribou/caribou rPUx,
|
/{usr/,}lib/caribou/caribou rPUx,
|
||||||
/{usr/,}lib/update-notifier/ubuntu-advantage-notification rPx,
|
/{usr/,}lib/update-notifier/ubuntu-advantage-notification rPx,
|
||||||
|
/{usr/,}lib/xapps/sn-watcher/* rPUx,
|
||||||
/{usr/,}share/libpam-kwallet-common/pam_kwallet_init rPUx,
|
/{usr/,}share/libpam-kwallet-common/pam_kwallet_init rPUx,
|
||||||
@{libexec}/deja-dup/deja-dup-monitor rPUx,
|
@{libexec}/deja-dup/deja-dup-monitor rPUx,
|
||||||
@{libexec}/evolution-data-server/evolution-alarm-notify rPx,
|
@{libexec}/evolution-data-server/evolution-alarm-notify rPx,
|
||||||
|
@ -209,8 +211,9 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
||||||
/var/lib/gdm{3,}/.local/share/session_migration-* r,
|
/var/lib/gdm{3,}/.local/share/session_migration-* r,
|
||||||
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||||
|
|
||||||
/var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,
|
|
||||||
/var/lib/flatpak/exports/share/applications/{,**} r,
|
/var/lib/flatpak/exports/share/applications/{,**} r,
|
||||||
|
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
||||||
|
/var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,
|
||||||
|
|
||||||
owner /tmp/dirs-?????? rw,
|
owner /tmp/dirs-?????? rw,
|
||||||
|
|
||||||
|
@ -224,6 +227,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
||||||
owner @{user_config_dirs}/user-dirs.locale r,
|
owner @{user_config_dirs}/user-dirs.locale r,
|
||||||
owner @{user_share_dirs}/applications/ r,
|
owner @{user_share_dirs}/applications/ r,
|
||||||
owner @{user_share_dirs}/applications/defaults.list r,
|
owner @{user_share_dirs}/applications/defaults.list r,
|
||||||
|
owner @{user_share_dirs}/applications/mimeapps.list r,
|
||||||
owner @{user_share_dirs}/applications/mimeinfo.cache r,
|
owner @{user_share_dirs}/applications/mimeinfo.cache r,
|
||||||
owner @{user_share_dirs}/gnome-shell/gnome-overrides-migrated rw,
|
owner @{user_share_dirs}/gnome-shell/gnome-overrides-migrated rw,
|
||||||
owner @{user_share_dirs}/mime/mime.cache r,
|
owner @{user_share_dirs}/mime/mime.cache r,
|
||||||
|
|
|
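Review bot: `/{usr/,}lib/xapps/sn-watcher/* rPUx,` is a wildcard exec with an unconfined fallback, whereas the existing multiarch line two rows above names the binary explicitly (`/{usr/,}lib/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher rPUx,`). Anything placed in that directory would be launched by the session manager outside confinement if it has no profile; naming the binary, `/{usr/,}lib/xapps/sn-watcher/xapp-sn-watcher rPUx,`, keeps the two rules parallel at no cost. The directory is root-owned on a normal install, so the practical exposure is small, but the glob still reads as an oversight. The gnome-session-binary profile continues outside the hunks.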
@ -43,6 +43,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
/{usr/,}bin/{,ba,da}sh rix,
|
/{usr/,}bin/{,ba,da}sh rix,
|
||||||
/{usr/,}bin/firejail rPUx,
|
/{usr/,}bin/firejail rPUx,
|
||||||
|
/{usr/,}bin/bwrap rPUx,
|
||||||
/{usr/,}lib/gio-launch-desktop rPx -> child-open,
|
/{usr/,}lib/gio-launch-desktop rPx -> child-open,
|
||||||
|
|
||||||
/usr/share/*ubuntu/applications/{,**} r,
|
/usr/share/*ubuntu/applications/{,**} r,
|
||||||
|
|
|
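Review bot: `/{usr/,}bin/bwrap rPUx,` lets nautilus launch bubblewrap unconfined whenever no bwrap profile is loaded, and bwrap is a sandboxing helper that sets up user namespaces and mounts, so the unconfined fallback is a larger privilege step than for a typical desktop helper. If the tree ships a bwrap profile, `rPx` would make the confinement mandatory; if the fallback is intentional (as it appears to be for `firejail` on the line above), a short trailing comment saying so would document the decision. The nautilus profile continues outside the hunk.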
@ -86,6 +86,7 @@ profile tracker-extract @{exec_path} {
|
||||||
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||||
|
|
||||||
/var/lib/flatpak/exports/share/applications/mimeinfo.cache r,
|
/var/lib/flatpak/exports/share/applications/mimeinfo.cache r,
|
||||||
|
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
||||||
/var/lib/snapd/desktop/applications/*.desktop r,
|
/var/lib/snapd/desktop/applications/*.desktop r,
|
||||||
|
|
||||||
# Allow to search user files
|
# Allow to search user files
|
||||||
|
@ -101,8 +102,7 @@ profile tracker-extract @{exec_path} {
|
||||||
|
|
||||||
@{run}/blkid/blkid.tab r,
|
@{run}/blkid/blkid.tab r,
|
||||||
|
|
||||||
@{run}/udev/data/c235:* r,
|
@{run}/udev/data/c23[0-9]:[0-9]* r,
|
||||||
@{run}/udev/data/c236:* r,
|
|
||||||
@{run}/udev/data/c50[0-9]:[0-9]* r,
|
@{run}/udev/data/c50[0-9]:[0-9]* r,
|
||||||
@{run}/udev/data/c51[0-9]:[0-9]* r,
|
@{run}/udev/data/c51[0-9]:[0-9]* r,
|
||||||
@{run}/mount/utab r,
|
@{run}/mount/utab r,
|
||||||
|
|
|
@ -33,6 +33,9 @@ profile gpg @{exec_path} {
|
||||||
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
|
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
|
||||||
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
|
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
|
||||||
|
|
||||||
|
owner @{HOME}/.var/app/**/gnupg*/** rw,
|
||||||
|
owner @{HOME}/.var/app/**/gnupg*/** rwkl -> @{HOME}/.var/app/**/gnupg*/**,
|
||||||
|
|
||||||
owner @{user_projects_dirs}/**/gnupg/ rw,
|
owner @{user_projects_dirs}/**/gnupg/ rw,
|
||||||
owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**,
|
owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**,
|
||||||
|
|
||||||
|
|
|
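Review bot: The two added `.var/app` rules target the same path: `owner @{HOME}/.var/app/**/gnupg*/** rw,` is fully subsumed by the `rwkl -> …` rule on the next row, so the first grants nothing the second does not. Looking at the existing pairs in this hunk (`@{XDG_GPG_DIR}/ rw,` followed by `@{XDG_GPG_DIR}/** rwkl`, and likewise for `@{user_projects_dirs}`), the first line was probably meant to cover the directory itself: `owner @{HOME}/.var/app/**/gnupg*/ rw,`. Note also that `gnupg*` matches any directory name starting with `gnupg` under any flatpak app, which is wider than the fixed `gnupg/` used for the projects rule. The gpg profile continues outside the hunk.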
@ -26,6 +26,7 @@ profile gpgconf @{exec_path} {
|
||||||
/{usr/,}bin/pinentry-* rPx,
|
/{usr/,}bin/pinentry-* rPx,
|
||||||
|
|
||||||
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
|
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
|
||||||
|
owner @{run}/user/@{uid}/gnupg/** rwkl -> @{run}/user/@{uid}/gnupg/**,
|
||||||
owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**,
|
owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/task/@{tid}/stat rw,
|
owner @{PROC}/@{pid}/task/@{tid}/stat rw,
|
||||||
|
|
|
@ -55,6 +55,8 @@ profile gvfsd-smb-browse @{exec_path} {
|
||||||
|
|
||||||
/etc/samba/smb.conf r,
|
/etc/samba/smb.conf r,
|
||||||
|
|
||||||
|
/var/cache/samba/ rw,
|
||||||
|
|
||||||
owner @{run}/samba/ rw,
|
owner @{run}/samba/ rw,
|
||||||
owner @{run}/samba/gencache.tdb rwk,
|
owner @{run}/samba/gencache.tdb rwk,
|
||||||
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
|
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
|
||||||
|
|
|
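Review bot: `/var/cache/samba/ rw,` grants access to the directory entry only; any file samba keeps there is not covered, while the equivalent `@{run}/samba/` rules below pair the directory with `gencache.tdb rwk`. If the intent is to let the browser use the on-disk cache, a matching file rule (for example `owner /var/cache/samba/gencache.tdb rwk,`, constructed from the run-dir pair) is needed; if only directory creation is wanted, a comment would say so. The new rule also lacks the `owner` qualifier the `@{run}/samba/` rules carry. The gvfsd-smb-browse profile continues outside the hunk.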
@ -33,9 +33,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
/etc/systemd/coredump.conf r,
|
/etc/systemd/coredump.conf r,
|
||||||
|
|
||||||
/var/lib/systemd/coredump/ r,
|
/var/lib/systemd/coredump/{,**} rwl,
|
||||||
owner /var/lib/systemd/coredump/#[0-9]* rwl,
|
|
||||||
owner /var/lib/systemd/coredump/core.*.zst rwl,
|
|
||||||
|
|
||||||
@{PROC}/@{pids}/cgroup r,
|
@{PROC}/@{pids}/cgroup r,
|
||||||
@{PROC}/@{pids}/cmdline r,
|
@{PROC}/@{pids}/cmdline r,
|
||||||
|
|
|
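Review bot: `/var/lib/systemd/coredump/{,**} rwl,` drops both the `owner` qualifier and the file-name scope of the three rules it replaces (`#[0-9]*` temporaries and `core.*.zst`), so the helper may now create, write and link any name at any depth under the dump directory. For a privileged helper whose input is a crashing, possibly hostile, process, keeping the name scope is cheap: something like `/var/lib/systemd/coredump/{,core.*,#[0-9]*} rwl,` (constructed here from the removed patterns) would still admit uncompressed and non-zstd dumps, which I assume is what motivated the change. If recursion really is needed, a comment naming the subdirectory that appears would justify `**`. The systemd-coredump profile continues outside the hunk.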
@ -21,8 +21,9 @@ profile systemd-sleep @{exec_path} {
|
||||||
|
|
||||||
/{usr/,}bin/{,ba,da}sh rix,
|
/{usr/,}bin/{,ba,da}sh rix,
|
||||||
/{usr/,}bin/nvidia-sleep.sh rix,
|
/{usr/,}bin/nvidia-sleep.sh rix,
|
||||||
/{usr/,}lib/systemd/system-sleep/nvidia rix,
|
|
||||||
/{usr/,}lib/systemd/system-sleep/hdparm rix,
|
/{usr/,}lib/systemd/system-sleep/hdparm rix,
|
||||||
|
/{usr/,}lib/systemd/system-sleep/nvidia rix,
|
||||||
|
/{usr/,}lib/systemd/system-sleep/sysstat.sleep rPUx,
|
||||||
/{usr/,}lib/systemd/system-sleep/unattended-upgrades rix,
|
/{usr/,}lib/systemd/system-sleep/unattended-upgrades rix,
|
||||||
|
|
||||||
/etc/systemd/sleep.conf r,
|
/etc/systemd/sleep.conf r,
|
||||||
|
|
|
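Review bot: `/{usr/,}lib/systemd/system-sleep/sysstat.sleep rPUx,` is the only hook in this list that may leave confinement (every other `system-sleep/*` entry is `rix`), and nothing in the hunk says why inheriting the systemd-sleep profile is not enough for it. A trailing comment with the denial that forced `PUx`, or a switch to `rix` if none was observed, would keep the hook set uniform. The systemd-sleep profile continues outside the hunk.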
@ -206,7 +206,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
|
||||||
@{sys}/kernel/mm/hugepages/{,**} r,
|
@{sys}/kernel/mm/hugepages/{,**} r,
|
||||||
@{sys}/kernel/security/apparmor/profiles r,
|
@{sys}/kernel/security/apparmor/profiles r,
|
||||||
|
|
||||||
@{sys}/module/kvm_intel/parameters/nested r,
|
@{sys}/module/kvm_*/parameters/* r,
|
||||||
@{sys}/module/vhost/parameters/max_mem_regions r,
|
@{sys}/module/vhost/parameters/max_mem_regions r,
|
||||||
|
|
||||||
@{sys}/fs/cgroup/ r,
|
@{sys}/fs/cgroup/ r,
|
||||||
|
|
|
@ -28,6 +28,8 @@ profile aa-notify @{exec_path} {
|
||||||
/usr/share/terminfo/d/dumb r,
|
/usr/share/terminfo/d/dumb r,
|
||||||
/var/log/audit/audit.log r,
|
/var/log/audit/audit.log r,
|
||||||
|
|
||||||
|
owner @{HOME}/.terminfo/[0-9]*/dumb r,
|
||||||
|
|
||||||
owner /tmp/[a-z0-9]* rw,
|
owner /tmp/[a-z0-9]* rw,
|
||||||
owner /tmp/apparmor-bugreport-*.txt rw,
|
owner /tmp/apparmor-bugreport-*.txt rw,
|
||||||
|
|
||||||
|
|
|
@ -41,7 +41,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
@{run}/systemd/journal/socket rw,
|
@{run}/systemd/journal/socket rw,
|
||||||
@{run}/systemd/inhibit/*.ref w,
|
@{run}/systemd/inhibit/*.ref w,
|
||||||
@{run}/udev/data/c239:[0-9]* r,
|
@{run}/udev/data/c23[0-9]:[0-9]* r,
|
||||||
|
|
||||||
@{sys}/class/hidraw/ r,
|
@{sys}/class/hidraw/ r,
|
||||||
|
|
||||||
|
|
|
@ -94,9 +94,10 @@ profile htop @{exec_path} {
|
||||||
@{sys}/devices/*/name r,
|
@{sys}/devices/*/name r,
|
||||||
@{sys}/devices/i2c-[0-9]*/name r,
|
@{sys}/devices/i2c-[0-9]*/name r,
|
||||||
@{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r,
|
@{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r,
|
||||||
|
@{sys}/devices/platform/*/i2c-[0-9]*/name r,
|
||||||
@{sys}/devices/system/cpu/cpu[0-9]*/online r,
|
@{sys}/devices/system/cpu/cpu[0-9]*/online r,
|
||||||
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_{cur,min,max}_freq r,
|
|
||||||
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_{cur,min,max}_freq r,
|
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_{cur,min,max}_freq r,
|
||||||
|
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_{cur,min,max}_freq r,
|
||||||
@{sys}/devices/virtual/block/zram[0-9]*/{disksize,mm_stat} r,
|
@{sys}/devices/virtual/block/zram[0-9]*/{disksize,mm_stat} r,
|
||||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/temp r,
|
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/temp r,
|
||||||
@{sys}/kernel/mm/hugepages/ r,
|
@{sys}/kernel/mm/hugepages/ r,
|
||||||
|
|
|
@ -12,6 +12,7 @@ include <tunables/global>
|
||||||
profile kmod @{exec_path} flags=(attach_disconnected) {
|
profile kmod @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
|
|
||||||
capability dac_override,
|
capability dac_override,
|
||||||
|
|
|
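Review bot: `include <abstractions/nameservice-strict>` gives a module loader that already holds `capability dac_override` read access to whatever that abstraction covers (if it resembles the upstream nameservice abstraction, the NSS configuration and user/group databases), and the hunk does not say which lookup needs it. A comment on the include naming the call (for example a uid/gid lookup in a helper kmod runs) would let a later reader confirm the need instead of assuming it. The kmod profile continues outside the hunk.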
@ -72,5 +72,8 @@ profile pkexec @{exec_path} flags=(complain) {
|
||||||
owner /dev/tty[0-9]* rw,
|
owner /dev/tty[0-9]* rw,
|
||||||
owner @{HOME}/.xsession-errors w,
|
owner @{HOME}/.xsession-errors w,
|
||||||
|
|
||||||
|
# Silencer
|
||||||
|
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||||
|
|
||||||
include if exists <local/pkexec>
|
include if exists <local/pkexec>
|
||||||
}
|
}
|
||||||
|
|
|
@ -45,16 +45,19 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
|
||||||
/var/lib/power-profiles-daemon/{,**} rw,
|
/var/lib/power-profiles-daemon/{,**} rw,
|
||||||
|
|
||||||
@{sys}/bus/ r,
|
@{sys}/bus/ r,
|
||||||
|
@{sys}/bus/platform/devices/ r,
|
||||||
@{sys}/class/ r,
|
@{sys}/class/ r,
|
||||||
@{sys}/class/power_supply/ r,
|
@{sys}/class/power_supply/ r,
|
||||||
@{sys}/devices/**/power_supply/*/scope r,
|
@{sys}/devices/**/power_supply/*/scope r,
|
||||||
@{sys}/devices/**/power_supply/*/uevent r,
|
@{sys}/devices/**/power_supply/*/uevent r,
|
||||||
@{sys}/devices/system/cpu/*_pstate/{no_turbo,turbo_pct} r,
|
@{sys}/devices/system/cpu/*_pstate/{no_turbo,turbo_pct} r,
|
||||||
@{sys}/devices/system/cpu/*_pstate/status r,
|
@{sys}/devices/system/cpu/*_pstate/status r,
|
||||||
|
@{sys}/devices/system/cpu/cpu[0-9]*/power/energy_perf_bias rw,
|
||||||
@{sys}/devices/system/cpu/cpufreq/ r,
|
@{sys}/devices/system/cpu/cpufreq/ r,
|
||||||
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/energy_performance_preference rw,
|
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/energy_performance_preference rw,
|
||||||
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_governor rw,
|
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_governor rw,
|
||||||
@{sys}/devices/system/cpu/cpu[0-9]*/power/energy_perf_bias rw,
|
@{sys}/firmware/acpi/platform_profile* r,
|
||||||
|
@{sys}/firmware/acpi/pm_profile* r,
|
||||||
|
|
||||||
include if exists <local/power-profiles-daemon>
|
include if exists <local/power-profiles-daemon>
|
||||||
}
|
}
|
|
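Review bot: `@{sys}/firmware/acpi/platform_profile* r,` is read-only, yet the other tunables this daemon drives in the same hunk (`energy_performance_preference`, `scaling_governor`, `energy_perf_bias`) are `rw`. If power-profiles-daemon selects a profile by writing `platform_profile`, the write will be denied and switching on ACPI platform-profile hardware fails silently; in that case the rule should become `@{sys}/firmware/acpi/platform_profile rw,` with `@{sys}/firmware/acpi/platform_profile_choices r,` kept read-only. If the daemon only reads these files, a comment saying so would pre-empt the question. The power-profiles-daemon profile starts outside the hunk.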
@ -20,7 +20,7 @@ profile run-parts @{exec_path} {
|
||||||
|
|
||||||
# Crontrab
|
# Crontrab
|
||||||
/etc/cron.{hourly,daily,weekly,monthly}/ r,
|
/etc/cron.{hourly,daily,weekly,monthly}/ r,
|
||||||
/etc/cron.{hourly,daily,weekly,monthly}/0anacron rPx,
|
/etc/cron.{hourly,daily,weekly,monthly}/0anacron rPUx,
|
||||||
/etc/cron.{hourly,daily,weekly,monthly}/apport rPx,
|
/etc/cron.{hourly,daily,weekly,monthly}/apport rPx,
|
||||||
/etc/cron.{hourly,daily,weekly,monthly}/apt-compat rPx,
|
/etc/cron.{hourly,daily,weekly,monthly}/apt-compat rPx,
|
||||||
/etc/cron.{hourly,daily,weekly,monthly}/apt-listbugs rPx,
|
/etc/cron.{hourly,daily,weekly,monthly}/apt-listbugs rPx,
|
||||||
|
|
|
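Review bot: `/etc/cron.{hourly,daily,weekly,monthly}/0anacron rPUx,` relaxes the anacron hook from a required transition to one that runs unconfined when no anacron profile is loaded, while every other cron script in the hunk keeps `rPx`. Since run-parts is invoked here by cron as root, an unconfined fallback for this one script is a confinement gap worth a justification: a comment such as `# anacron profile may be absent` (or whichever denial prompted the change) next to the rule would record it. The run-parts profile continues outside the hunk.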
@ -49,6 +49,7 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
|
||||||
@{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/name r,
|
@{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/name r,
|
||||||
|
|
||||||
@{PROC}/sys/net/ipv[4,6]/conf/wlan[0-9]/drop_* rw,
|
@{PROC}/sys/net/ipv[4,6]/conf/wlan[0-9]/drop_* rw,
|
||||||
|
@{PROC}/sys/net/ipv[4,6]/conf/wlo*/drop_* rw,
|
||||||
@{PROC}/sys/net/ipv[4,6]/conf/wlp*/drop_* rw,
|
@{PROC}/sys/net/ipv[4,6]/conf/wlp*/drop_* rw,
|
||||||
|
|
||||||
/dev/rfkill rw,
|
/dev/rfkill rw,
|
||||||
|
|
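Review bot: The interface-name list grows by one prefix per change (`wlan[0-9]`, `wlp*`, now `wlo*`), and `wlan[0-9]` still only matches a single digit. Predictable interface naming also produces names such as `wlx*` (MAC-based names for USB adapters) and `wls*`, so either add those in the same step or collapse the three rows to `@{PROC}/sys/net/ipv[4,6]/conf/wl*/drop_* rw,` — the wider glob is still confined to `drop_*` under a `wl` interface, so it is no broader in practice. The wpa-supplicant profile continues outside the hunk.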