update apparmor profiles

This commit is contained in:
Mikhail Morfikov 2021-03-21 17:04:10 +01:00
parent f7ddca7289
commit c5ca6e1d90
No known key found for this signature in database
GPG Key ID: 32D9CB634796CCA1
78 changed files with 1285 additions and 131 deletions


@ -11,6 +11,10 @@
abi <abi/3.0>, abi <abi/3.0>,
owner @{HOME}/thumbnails/ r,
owner @{HOME}/thumbnails/{large,normal}/ r,
owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png r,
owner @{HOME}/.cache/thumbnails/ r, owner @{HOME}/.cache/thumbnails/ r,
owner @{HOME}/.cache/thumbnails/{large,normal}/ r, owner @{HOME}/.cache/thumbnails/{large,normal}/ r,
owner @{HOME}/.cache/thumbnails/{large,normal}/[a-f0-9]*.png r, owner @{HOME}/.cache/thumbnails/{large,normal}/[a-f0-9]*.png r,


@ -11,6 +11,11 @@
abi <abi/3.0>, abi <abi/3.0>,
owner @{HOME}/thumbnails/ rw,
owner @{HOME}/thumbnails/{large,normal}/ rw,
owner @{HOME}/thumbnails/{large,normal}/#[0-9]*[0-9] rw,
owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{HOME}/.cache/thumbnails/{large,normal}/#[0-9]*[0-9],
owner @{HOME}/.cache/thumbnails/ rw, owner @{HOME}/.cache/thumbnails/ rw,
owner @{HOME}/.cache/thumbnails/{large,normal}/ rw, owner @{HOME}/.cache/thumbnails/{large,normal}/ rw,
owner @{HOME}/.cache/thumbnails/{large,normal}/#[0-9]*[0-9] rw, owner @{HOME}/.cache/thumbnails/{large,normal}/#[0-9]*[0-9] rw,
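Review bot: The link target on the new `rwl` rule for `@{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png` points into `@{HOME}/.cache/thumbnails/`, while the temp-file rule added two lines above grants `rw` on `@{HOME}/thumbnails/{large,normal}/#[0-9]*[0-9]`, which only makes sense if the thumbnailer writes its temp file and links it inside the same legacy directory. This looks like a copy-and-paste slip from the `.cache` rule set; as written, a legacy-tree `.png` may only be created as a link to a temp file in the `.cache` tree. If the usual write-temp-then-link in one directory is intended, the rule should read `owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{HOME}/thumbnails/{large,normal}/#[0-9]*[0-9],`. The abstraction continues outside the hunk, so the `.cache` counterpart of this link rule is not visible here.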


@ -99,7 +99,7 @@ profile adequate @{exec_path} flags=(complain) {
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
capability dac_read_search, capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rPx, /{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r, @{HOME}/.Xauthority r,
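Review bot: Switching `/{usr/,}bin/hostname` from `rPx` to `rix` runs hostname inside the caller's profile, so it inherits every rule here — including `capability dac_read_search` two lines above — instead of a confinement of its own; the same change is made in apt-listbugs, apt-listchanges (which also drops a second `hostname rPx` line), check-support-status-hook, dhclient-script, dpkg-preconfigure and frontend. The dhclient-script hunk's comment (`hostname: Permission denied`) suggests the motive is that no `hostname` profile is loaded, so the `Px` transition fails; for a binary this small `ix` is defensible, but the decision deserves one line next to the rule, e.g. `# hostname has no profile of its own: run it inline (ix) rather than fail on Px`. If separate confinement is preferred, the `rPx -> child-lsb_release` line in this same hunk shows the pattern: `/{usr/,}bin/hostname rCx -> hostname,` with a child profile holding `include <abstractions/base>` and `/{usr/,}bin/hostname mr,`. The adequate profile body continues outside the hunk.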


@ -80,13 +80,6 @@ profile anyremote @{exec_path} {
/usr/share/anyremote/{,**} r, /usr/share/anyremote/{,**} r,
/usr/share/anyremote/cfg-data/Utils/*.sh rix, /usr/share/anyremote/cfg-data/Utils/*.sh rix,
# Video dirs
/ r,
/media/ r,
/media/Zami/ r,
owner /media/Zami/Film/ r,
owner /media/Zami/Film/** r,
deny @{PROC}/sys/kernel/osrelease r, deny @{PROC}/sys/kernel/osrelease r,
owner @{HOME}/.Xauthority r, owner @{HOME}/.Xauthority r,


@ -0,0 +1,116 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = "/home/*/Desktop/Beyond All Reason.AppImage"
@{exec_path} += /home/*/Desktop/BeyondAllReason.AppImage
profile appimage-beyond-all-reason @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/nameservice-strict>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/ssl_certs>
include <abstractions/audio>
capability sys_ptrace,
# For kernel unprivileged user namespaces
capability sys_admin,
capability sys_chroot,
capability setuid,
capability setgid,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w,
network netlink raw,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/xmessage rix,
/{usr/,}bin/x86_64-linux-gnu-addr2line rix,
/{usr/,}bin/fusermount{,3} rPx,
mount fstype={fuse,fuse.*} -> /tmp/.mount_Beyond*/,
/var/tmp/ r,
/tmp/ r,
/tmp/.mount_Beyond*/ rw,
/tmp/.mount_Beyond*/beyond-all-reason rix,
/tmp/.mount_Beyond*/AppRun rix,
/tmp/.mount_Beyond*/bin/* rix,
/tmp/.mount_Beyond*/resources/app.asar.unpacked/node_modules/** rix,
/tmp/.mount_Beyond*/** r,
/tmp/.mount_Beyond*/**.so{,.[0-9]*} mr,
owner /tmp/.org.chromium.Chromium.*/ rw,
owner /tmp/.org.chromium.Chromium.*/SingletonCookie rw,
owner /tmp/.org.chromium.Chromium.*/SS rw,
owner /tmp/.org.chromium.Chromium.*/*.png rw,
owner /tmp/.org.chromium.Chromium.* rw,
owner @{HOME}/.config/Beyond-All-Reason/ rw,
owner @{HOME}/.config/Beyond-All-Reason/** rwk,
owner "@{HOME}/Beyond All Reason/" rw,
owner "@{HOME}/Beyond All Reason/**" rwkm,
owner "@{HOME}/Beyond All Reason/engine/**/spring" rix,
owner @{HOME}/.spring/ rw,
owner @{HOME}/.spring/** rw,
owner @{HOME}/.pki/ rw,
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r,
deny owner @{PROC}/@{pid}/cmdline r,
@{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/statm r,
owner @{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pid}/oom_{,score_}adj r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj w,
@{PROC}sys/fs/inotify/max_user_watches r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
owner /dev/shm/.org.chromium.Chromium.* rw,
@{sys}/bus/pci/devices/ r,
@{sys}/devices/pci[0-9]*/**/class r,
@{sys}/devices/virtual/tty/tty0/active r,
/dev/fuse rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
include if exists <local/appimage-beyond-all-reason>
}
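Review bot: `@{PROC}sys/fs/inotify/max_user_watches r,` is missing the `/` after `@{PROC}` and so never matches `/proc/sys/fs/inotify/max_user_watches`; it should read `@{PROC}/sys/fs/inotify/max_user_watches r,`, like the `@{PROC}/sys/kernel/yama/ptrace_scope r,` rule directly below it. Separately, the profile grants `capability sys_admin`, `sys_chroot`, `setuid` and `setgid` (the comment ties them to unprivileged user namespaces) while allowing `rix` of anything under `/tmp/.mount_Beyond*/bin/*` and `/tmp/.mount_Beyond*/resources/app.asar.unpacked/node_modules/**` with no `owner` qualifier, so a matching path under the shared `/tmp` created by a different local user would be executable under this profile with those capabilities; prefixing the `/tmp/.mount_Beyond*/` file rules with `owner` limits them to the user's own mount, as the `/tmp/.org.chromium.Chromium.*` rules already do. The `mount fstype={fuse,fuse.*} -> /tmp/.mount_Beyond*/` rule sits next to `/{usr/,}bin/fusermount{,3} rPx,`, which delegates the same mount to the fusermount profile; whether the AppImage runtime ever mounts directly should be confirmed so that one of the two can be dropped.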


@ -57,7 +57,7 @@ profile apt-listbugs @{exec_path} {
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
capability dac_read_search, capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rPx, /{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r, @{HOME}/.Xauthority r,


@ -29,7 +29,6 @@ profile apt-listchanges @{exec_path} {
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/tar rix, /{usr/,}bin/tar rix,
/{usr/,}bin/hostname rPx,
# Do not strip env to avoid errors like the following: # Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored. # shared object file): ignored.
@ -77,7 +76,7 @@ profile apt-listchanges @{exec_path} {
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
capability dac_read_search, capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rPx, /{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r, @{HOME}/.Xauthority r,


@ -59,7 +59,7 @@ profile calibre @{exec_path} {
capability sys_ptrace, capability sys_ptrace,
deny network netlink raw, network netlink raw,
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/python3.[0-9]* r,
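Review bot: `deny network netlink raw,` becomes `network netlink raw,` with no comment recording why the deny is lifted, and the same flip is made in discord, firefox, flameshot (both `raw` and `dgram`), freetube and google-chrome-chrome. An explicit `deny` also keeps the rejection out of the audit log, so if the rule only existed to quiet logging the change is a real widening rather than a cleanup; if the applications need NETLINK for interface or route enumeration, say so once per profile, e.g. `# netlink raw: interface/route enumeration (getifaddrs) — confirm per app`. The calibre profile body continues outside the hunk.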


@ -92,7 +92,7 @@ profile check-support-status-hook @{exec_path} {
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
capability dac_read_search, capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rPx, /{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r, @{HOME}/.Xauthority r,


@ -32,7 +32,7 @@ profile dhclient-script @{exec_path} {
# To remove the following error: # To remove the following error:
# /sbin/dhclient-script: 133: hostname: Permission denied # /sbin/dhclient-script: 133: hostname: Permission denied
/{usr/,}bin/hostname rPx, /{usr/,}bin/hostname rix,
# To read scripts # To read scripts
/etc/dhcp/ r, /etc/dhcp/ r,


@ -43,7 +43,7 @@ profile discord @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink raw, network netlink raw,
@{exec_path} mrix, @{exec_path} mrix,


@ -50,7 +50,7 @@ profile dpkg-preconfigure @{exec_path} {
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
capability dac_read_search, capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rPx, /{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r, @{HOME}/.Xauthority r,


@ -59,6 +59,11 @@ profile ffmpeg @{exec_path} {
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
include <abstractions/deny-root-dir-access> include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
@{exec_path} mr, @{exec_path} mr,
# Which files ffmpeg should be able to open # Which files ffmpeg should be able to open
@ -69,7 +74,6 @@ profile ffmpeg @{exec_path} {
/media/ r, /media/ r,
owner /media/**/ r, owner /media/**/ r,
owner /{home,media}/**.@{ffmpeg_ext}{,.[0-9]*} rw, owner /{home,media}/**.@{ffmpeg_ext}{,.[0-9]*} rw,
owner /media/Grafi/* rw,
@{sys}/devices/system/node/ r, @{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]/meminfo r, @{sys}/devices/system/node/node[0-9]/meminfo r,
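Review bot: The four `network inet{,6} {dgram,stream}` rules give ffmpeg unrestricted IP access with no comment on what needs it, in a profile that otherwise reads and writes the user's media via `owner /{home,media}/**.@{ffmpeg_ext}{,.[0-9]*} rw,`; a demuxer bug triggered by a crafted input can now reach the network from inside the confinement, which the previous rule set prevented. If this is for URL inputs or streaming outputs, record it above the rules, e.g. `# Network access for remote inputs / streaming outputs (TODO: confirm which protocols are used)`, and check whether `dgram` is actually required or only `stream`. The removal of the host-specific `owner /media/Grafi/* rw,` in the second hunk is a welcome tightening.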


@ -46,7 +46,7 @@ profile firefox @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink raw, network netlink raw,
@{exec_path} mrix, @{exec_path} mrix,


@ -36,8 +36,8 @@ profile flameshot @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink raw, network netlink raw,
deny network netlink dgram, network netlink dgram,
@{exec_path} mr, @{exec_path} mr,


@ -47,7 +47,7 @@ profile freetube @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink raw, network netlink raw,
@{exec_path} mrix, @{exec_path} mrix,


@ -76,7 +76,7 @@ profile frontend @{exec_path} flags=(complain) {
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
capability dac_read_search, capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rPx, /{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r, @{HOME}/.Xauthority r,


@ -41,9 +41,13 @@ profile fusermount @{exec_path} {
mount fstype={fuse,fuse.*} -> @{HOME}/*/*/, mount fstype={fuse,fuse.*} -> @{HOME}/*/*/,
mount fstype={fuse,fuse.*} -> @{HOME}/.cache/**/, mount fstype={fuse,fuse.*} -> @{HOME}/.cache/**/,
mount fstype={fuse,fuse.*} -> /media/*/, mount fstype={fuse,fuse.*} -> /media/*/,
mount fstype={fuse,fuse.*} -> /media/*/*/,
# For MTP # For MTP
mount -> /, mount -> /,
# For AppImage
mount fstype={fuse,fuse.*} -> /tmp/.mount_*/,
# For GVFS # For GVFS
mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/, mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/,
@ -52,6 +56,7 @@ profile fusermount @{exec_path} {
umount @{HOME}/*/*/, umount @{HOME}/*/*/,
umount @{HOME}/.cache/**/, umount @{HOME}/.cache/**/,
umount /media/*/, umount /media/*/,
umount /tmp/.mount_*/,
umount @{run}/user/[0-9]*/**/, umount @{run}/user/[0-9]*/**/,
# Image files to be mounted # Image files to be mounted
@ -60,6 +65,10 @@ profile fusermount @{exec_path} {
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# AppImage files
owner @{HOME}/**.AppImage r,
owner /media/*/**.AppImage r,
/etc/fuse.conf r, /etc/fuse.conf r,
/dev/fuse rw, /dev/fuse rw,


@ -15,7 +15,14 @@ include <tunables/global>
@{BUILD_DIR} = /media/debuilder/ @{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/git @{exec_path} = /{usr/,}bin/git
@{exec_path} += /{usr/,}bin/git-*
@{exec_path} += /{usr/,}lib/git-core/git
@{exec_path} += /{usr/,}lib/git-core/git-*
@{exec_path} += /usr/libexec/git-core/git
@{exec_path} += /usr/libexec/git-core/git-*
@{exec_path} += /usr/libexec/git-core/mergetools/*
profile git @{exec_path} { profile git @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -27,10 +34,7 @@ profile git @{exec_path} {
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
@{exec_path} mr, @{exec_path} mrix,
/{usr/,}lib/git-core/git rix,
/{usr/,}lib/git-core/git-* rix,
# When you mistype a command, git checks the $PATH variable and search its exec dirs to give you # When you mistype a command, git checks the $PATH variable and search its exec dirs to give you
# the most similar commands, which it thinks can be used instead. Git binaries are all under # the most similar commands, which it thinks can be used instead. Git binaries are all under
@ -159,8 +163,8 @@ profile git @{exec_path} {
owner @{HOME}/.fzf/plugin/fzf.vim r, owner @{HOME}/.fzf/plugin/fzf.vim r,
# The git repository files # The git repository files
owner /media/debuilder/ r, owner @{BUILD_DIR}/ r,
owner /media/debuilder/** rw, owner @{BUILD_DIR}/** rw,
} }
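Review bot: The new attachment `@{exec_path} += /{usr/,}bin/git-*` together with `@{exec_path} mrix` attaches this profile to, and allows inline execution of, any executable whose name starts with `git-` in `/usr/bin` — which, depending on the host, may include third-party helpers that are not part of the git package (the `git-core` and `libexec/git-core` entries are the packaged ones). Such helpers would then run with git's full rule set, including the `rw` grant on `owner @{BUILD_DIR}/**`; if only the packaged wrappers are meant, narrowing the `/{usr/,}bin/git-*` line to the specific names, or giving external helpers profiles of their own, keeps them apart. Replacing the hard-coded `/media/debuilder/` with `@{BUILD_DIR}` in the last hunk is a good consistency fix.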


@ -49,7 +49,7 @@ profile google-chrome-chrome @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink raw, network netlink raw,
@{exec_path} mrix, @{exec_path} mrix,


@ -30,8 +30,8 @@ profile gpartedbin @{exec_path} {
# will remain in use. You should reboot now before making further changes. # will remain in use. You should reboot now before making further changes.
capability sys_admin, capability sys_admin,
# When gparted is started via pkexec. #
#capability dac_read_search, capability dac_read_search,
# Needed? (##FIXME##) # Needed? (##FIXME##)
capability sys_rawio, capability sys_rawio,
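Review bot: The comment above `capability dac_read_search,` is blanked to a bare `#` in the same change that uncomments the capability, so the rule that was just enabled loses its justification (`When gparted is started via pkexec`). Restore it on that line, e.g. `# Needed when gparted is started via pkexec.`; the `# Needed? (##FIXME##)` note on `sys_rawio` right below shows the file's habit of annotating each capability. The profile body continues outside the hunk.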


@ -17,6 +17,7 @@ include <tunables/global>
@{exec_path} += /usr/libexec/gvfs-udisks2-volume-monitor @{exec_path} += /usr/libexec/gvfs-udisks2-volume-monitor
profile gvfs-udisks2-volume-monitor @{exec_path} { profile gvfs-udisks2-volume-monitor @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/disks-read> include <abstractions/disks-read>
include <abstractions/devices-usb> include <abstractions/devices-usb>
@ -47,18 +48,19 @@ profile gvfs-udisks2-volume-monitor @{exec_path} {
@{HOME}/*/*/**/ r, @{HOME}/*/*/**/ r,
@{HOME}/bluetooth/ r, @{HOME}/bluetooth/ r,
owner @{HOME}/.local/share/mime/treemagic r, / r,
/usr/share/mime/treemagic r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
@{run}/mount/utab r, @{run}/mount/utab r,
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
@{PROC}/1/cgroup r, @{PROC}/1/cgroup r,
@{PROC}/locks r,
include if exists <local/gvfs-udisks2-volume-monitor> include if exists <local/gvfs-udisks2-volume-monitor>
} }
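Review bot: `owner @{HOME}/.local/share/mime/treemagic r,` is replaced by `/usr/share/mime/treemagic r,` and `/ r,`, so per-user MIME overrides under `~/.local/share/mime/` are no longer readable by this profile unless the newly included `<abstractions/freedesktop.org>` covers that directory — worth confirming, since a user-installed MIME database would otherwise regress silently. The new `/ r,`, `@{PROC}/ r,` and `@{PROC}/locks r,` listings are broader than what they replace; a one-line comment on why the monitor enumerates `/` and `/proc` would help the next reader, e.g. `# enumerates / and @{PROC}/ while matching mounts to processes — TODO confirm`.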


@ -23,8 +23,8 @@ profile gvfsd @{exec_path} {
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
# Don't strip env here. # Don't strip env here.
/{usr/,}lib/gvfs/gvfsd-* rcx -> backends, /{usr/,}lib/gvfs/gvfsd-* rPx,
/usr/libexec/gvfsd-* rcx -> backends, /usr/libexec/gvfsd-* rPx,
/usr/share/gvfs/{,**} r, /usr/share/gvfs/{,**} r,
@ -32,42 +32,5 @@ profile gvfsd @{exec_path} {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
profile backends {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice>
include <abstractions/freedesktop.org>
include <abstractions/trash>
include <abstractions/disks-read>
include <abstractions/devices-usb>
include <abstractions/user-download-strict>
mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/,
/{usr/,}lib/gvfs/gvfsd-* mr,
/usr/libexec/gvfsd-* mr,
/{usr/,}bin/ssh rPx,
/usr/bin/fusermount{,3} rPx,
/dev/ptmx rw,
/dev/fuse rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{run}/samba/ rw,
@{run}/mount/utab r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
}
include if exists <local/gvfsd> include if exists <local/gvfsd>
} }
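Review bot: Replacing `rcx -> backends` with `rPx` on `/{usr/,}lib/gvfs/gvfsd-*` and `/usr/libexec/gvfsd-*` means every backend binary must have its own loaded profile, because a `Px` transition to a path with no matching profile is denied; the removed `backends` child covered all of them at once, while the per-backend files added in this commit cover a fixed list, so any other `gvfsd-*` present on a host (the commonly shipped `gvfsd-trash` and `gvfsd-metadata`, for example, are not among the files visible here) would fail to start until it gets a profile. Worth a comment on the exec lines, e.g. `# Px: every gvfsd-* backend needs a profile of its own, see apparmor.d/gvfsd-*`, and a check of the installed backend list against the new files. Note also that the rules the deleted child carried — `<abstractions/trash>`, `<abstractions/user-download-strict>`, `<abstractions/disks-read>`, `<abstractions/devices-usb>`, the `owner @{run}/samba/ rw` and `/dev/ptmx rw` lines — now have to be re-added to each backend profile that needs them, and several of the new profiles contain only `<abstractions/base>` and `@{exec_path} mr,`.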

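--- /dev/null
+++ b/apparmor.d/gvfsd-admin
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-admin
+@{exec_path} += /usr/libexec/gvfsd-admin
+profile gvfsd-admin @{exec_path} {
+include <abstractions/base>
+@{exec_path} mr,
+include if exists <local/gvfsd-admin>
+}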
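Review bot: The `gvfsd-admin` profile contains only `include <abstractions/base>` and `@{exec_path} mr,` and is in enforce mode, so whatever the backend needs beyond loading itself (its D-Bus traffic, the paths it serves) will be denied the first time it is exercised; the same stub shape is used for gvfsd-afc, gvfsd-afp, gvfsd-afp-browse, gvfsd-burn, gvfsd-cdda, gvfsd-computer, gvfsd-dav, gvfsd-dnssd, gvfsd-google, gvfsd-gphoto2, gvfsd-localtest and gvfsd-network, while the backends that were evidently exercised (ftp, http, mtp, sftp, smb) received real rules. Until rules for the untested backends have been collected, `profile gvfsd-admin @{exec_path} flags=(complain) {` — the form the adequate and frontend profiles on this page already use — logs the denials without breaking the backend, and a `# TODO: rules not yet gathered, profile is a stub` line makes the status explicit. gvfsd-admin in particular is, by its name, the admin:// backend that operates on files with elevated rights through polkit (confirm against the installed gvfs), so its eventual rule set deserves the closest look of the batch.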

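--- /dev/null
+++ b/apparmor.d/gvfsd-afc
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-afc
+@{exec_path} += /usr/libexec/gvfsd-afc
+profile gvfsd-afc @{exec_path} {
+include <abstractions/base>
+@{exec_path} mr,
+include if exists <local/gvfsd-afc>
+}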

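--- /dev/null
+++ b/apparmor.d/gvfsd-afp
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-afp
+@{exec_path} += /usr/libexec/gvfsd-afp
+profile gvfsd-afp @{exec_path} {
+include <abstractions/base>
+@{exec_path} mr,
+include if exists <local/gvfsd-afp>
+}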


@ -0,0 +1,24 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-afp-browse
@{exec_path} += /usr/libexec/gvfsd-afp-browse
profile gvfsd-afp-browse @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/gvfsd-afp-browse>
}

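--- /dev/null
+++ b/apparmor.d/gvfsd-archive
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-archive
+@{exec_path} += /usr/libexec/gvfsd-archive
+profile gvfsd-archive @{exec_path} {
+include <abstractions/base>
+include <abstractions/freedesktop.org>
+include <abstractions/nameservice-strict>
+@{exec_path} mr,
+owner /**.tar r,
+owner /**.tar.gz r,
+owner /**.zip r,
+include if exists <local/gvfsd-archive>
+}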
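Review bot: `owner /**.tar r,`, `owner /**.tar.gz r,` and `owner /**.zip r,` match those suffixes anywhere on the filesystem, which is broader than the pattern the fusermount hunk on this page uses for the equivalent case (`owner @{HOME}/**.AppImage r,` and `owner /media/*/**.AppImage r,`); `owner` limits this to the user's own files, but anchoring under `@{HOME}/**` and `/media/**` would keep the backend out of user-owned files elsewhere, such as `/tmp`. The list also covers only three extensions, so other formats the libarchive-based backend can open will be denied; whichever way that is resolved, a short comment stating which formats are intended makes the choice deliberate.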

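--- /dev/null
+++ b/apparmor.d/gvfsd-burn
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-burn
+@{exec_path} += /usr/libexec/gvfsd-burn
+profile gvfsd-burn @{exec_path} {
+include <abstractions/base>
+@{exec_path} mr,
+include if exists <local/gvfsd-burn>
+}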

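--- /dev/null
+++ b/apparmor.d/gvfsd-cdda
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-cdda
+@{exec_path} += /usr/libexec/gvfsd-cdda
+profile gvfsd-cdda @{exec_path} {
+include <abstractions/base>
+@{exec_path} mr,
+include if exists <local/gvfsd-cdda>
+}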

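--- /dev/null
+++ b/apparmor.d/gvfsd-computer
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-computer
+@{exec_path} += /usr/libexec/gvfsd-computer
+profile gvfsd-computer @{exec_path} {
+include <abstractions/base>
+@{exec_path} mr,
+include if exists <local/gvfsd-computer>
+}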

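--- /dev/null
+++ b/apparmor.d/gvfsd-dav
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-dav
+@{exec_path} += /usr/libexec/gvfsd-dav
+profile gvfsd-dav @{exec_path} {
+include <abstractions/base>
+@{exec_path} mr,
+include if exists <local/gvfsd-dav>
+}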

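--- /dev/null
+++ b/apparmor.d/gvfsd-dnssd
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-dnssd
+@{exec_path} += /usr/libexec/gvfsd-dnssd
+profile gvfsd-dnssd @{exec_path} {
+include <abstractions/base>
+@{exec_path} mr,
+include if exists <local/gvfsd-dnssd>
+}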

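--- /dev/null
+++ b/apparmor.d/gvfsd-ftp
@@ -0,0 +1,38 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-ftp
+@{exec_path} += /usr/libexec/gvfsd-ftp
+profile gvfsd-ftp @{exec_path} {
+include <abstractions/base>
+include <abstractions/freedesktop.org>
+include <abstractions/nameservice-strict>
+network inet dgram,
+network inet6 dgram,
+network inet stream,
+network inet6 stream,
+network netlink raw,
+@{exec_path} mr,
+include <abstractions/dconf>
+owner @{run}/user/[0-9]*/dconf/ rw,
+owner @{run}/user/[0-9]*/dconf/user rw,
+/usr/share/glib-2.0/schemas/gschemas.compiled r,
+include if exists <local/gvfsd-ftp>
+}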

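--- /dev/null
+++ b/apparmor.d/gvfsd-fuse
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-fuse
+@{exec_path} += /usr/libexec/gvfsd-fuse
+profile gvfsd-fuse @{exec_path} {
+include <abstractions/base>
+@{exec_path} mr,
+/{usr/,}bin/fusermount{,3} rPx,
+mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/,
+/dev/fuse rw,
+include if exists <local/gvfsd-fuse>
+}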

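--- /dev/null
+++ b/apparmor.d/gvfsd-google
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-google
+@{exec_path} += /usr/libexec/gvfsd-google
+profile gvfsd-google @{exec_path} {
+include <abstractions/base>
+@{exec_path} mr,
+include if exists <local/gvfsd-google>
+}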

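--- /dev/null
+++ b/apparmor.d/gvfsd-gphoto2
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-gphoto2
+@{exec_path} += /usr/libexec/gvfsd-gphoto2
+profile gvfsd-gphoto2 @{exec_path} {
+include <abstractions/base>
+@{exec_path} mr,
+include if exists <local/gvfsd-gphoto2>
+}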

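--- /dev/null
+++ b/apparmor.d/gvfsd-http
@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-http
+@{exec_path} += /usr/libexec/gvfsd-http
+profile gvfsd-http @{exec_path} {
+include <abstractions/base>
+include <abstractions/freedesktop.org>
+include <abstractions/nameservice-strict>
+network inet stream,
+network inet6 stream,
+network inet dgram,
+network inet6 dgram,
+network netlink raw,
+@{exec_path} mr,
+/usr/share/glib-2.0/schemas/gschemas.compiled r,
+include if exists <local/gvfsd-http>
+}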


@ -0,0 +1,24 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-localtest
@{exec_path} += /usr/libexec/gvfsd-localtest
profile gvfsd-localtest @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/gvfsd-localtest>
}

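--- /dev/null
+++ b/apparmor.d/gvfsd-mtp
@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-mtp
+@{exec_path} += /usr/libexec/gvfsd-mtp
+profile gvfsd-mtp @{exec_path} {
+include <abstractions/base>
+include <abstractions/freedesktop.org>
+include <abstractions/devices-usb>
+network netlink raw,
+@{exec_path} mr,
+include <abstractions/dconf>
+owner @{run}/user/[0-9]*/dconf/ rw,
+owner @{run}/user/[0-9]*/dconf/user rw,
+/usr/share/glib-2.0/schemas/gschemas.compiled r,
+include if exists <local/gvfsd-mtp>
+}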

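--- /dev/null
+++ b/apparmor.d/gvfsd-network
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-network
+@{exec_path} += /usr/libexec/gvfsd-network
+profile gvfsd-network @{exec_path} {
+include <abstractions/base>
+@{exec_path} mr,
+include if exists <local/gvfsd-network>
+}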

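--- /dev/null
+++ b/apparmor.d/gvfsd-nfs
@@ -0,0 +1,29 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-nfs
+@{exec_path} += /usr/libexec/gvfsd-nfs
+profile gvfsd-nfs @{exec_path} {
+include <abstractions/base>
+include <abstractions/nameservice-strict>
+network inet stream,
+network inet6 stream,
+network netlink raw,
+@{exec_path} mr,
+include if exists <local/gvfsd-nfs>
+}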

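--- /dev/null
+++ b/apparmor.d/gvfsd-recent
@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-recent
+@{exec_path} += /usr/libexec/gvfsd-recent
+profile gvfsd-recent @{exec_path} {
+include <abstractions/base>
+@{exec_path} mr,
+owner @{HOME}/.local/share/recently-used.xbel r,
+include if exists <local/gvfsd-recent>
+}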

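--- /dev/null
+++ b/apparmor.d/gvfsd-sftp
@@ -0,0 +1,33 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-sftp
+@{exec_path} += /usr/libexec/gvfsd-sftp
+profile gvfsd-sftp @{exec_path} {
+include <abstractions/base>
+include <abstractions/consoles>
+include <abstractions/freedesktop.org>
+include <abstractions/nameservice-strict>
+@{exec_path} mr,
+owner @{PROC}/@{pid}/fd/ r,
+/dev/ptmx rw,
+/{usr/,}bin/ssh rPx,
+include if exists <local/gvfsd-sftp>
+}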

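--- /dev/null
+++ b/apparmor.d/gvfsd-smb
@@ -0,0 +1,39 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-smb
+@{exec_path} += /usr/libexec/gvfsd-smb
+profile gvfsd-smb @{exec_path} {
+include <abstractions/base>
+include <abstractions/freedesktop.org>
+network netlink raw,
+network inet stream,
+network inet6 stream,
+network inet dgram,
+network inet6 dgram,
+@{exec_path} mr,
+include <abstractions/dconf>
+owner @{run}/user/[0-9]*/dconf/ rw,
+owner @{run}/user/[0-9]*/dconf/user rw,
+/usr/share/glib-2.0/schemas/gschemas.compiled r,
+/etc/samba/smb.conf r,
+include if exists <local/gvfsd-smb>
+}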


@ -0,0 +1,38 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-smb-browse
@{exec_path} += /usr/libexec/gvfsd-smb-browse
profile gvfsd-smb-browse @{exec_path} {
include <abstractions/base>
network netlink raw,
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
@{exec_path} mr,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/samba/smb.conf r,
include if exists <local/gvfsd-smb-browse>
}

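--- /dev/null
+++ b/apparmor.d/gvfsd-trash
@@ -0,0 +1,36 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-trash
+@{exec_path} += /usr/libexec/gvfsd-trash
+profile gvfsd-trash @{exec_path} {
+include <abstractions/base>
+include <abstractions/nameservice-strict>
+include <abstractions/freedesktop.org>
+include <abstractions/trash>
+# When mounting a SMB share
+network inet stream,
+network inet6 stream,
+@{exec_path} mr,
+owner @{PROC}/@{pid}/mountinfo r,
+owner @{PROC}/@{pid}/mounts r,
+@{run}/mount/utab r,
+include if exists <local/gvfsd-trash>
+}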

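--- /dev/null
+++ b/apparmor.d/gzdoom
@@ -0,0 +1,102 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /usr/games/gzdoom
+@{exec_path} += /opt/gzdoom/gzdoom
+profile gzdoom @{exec_path} {
+include <abstractions/base>
+include <abstractions/consoles>
+include <abstractions/X>
+include <abstractions/gtk>
+include <abstractions/fonts>
+include <abstractions/fontconfig-cache-read>
+include <abstractions/freedesktop.org>
+include <abstractions/nameservice-strict>
+include <abstractions/audio>
+include <abstractions/dri-enumerate>
+include <abstractions/mesa>
+network netlink raw,
+ptrace (trace) peer=@{profile_name},
+@{exec_path} mrix,
+/{usr/,}bin/{,ba,da}sh rix,
+/{usr/,}bin/zsh rix,
+/{usr/,}bin/uname rix,
+/{usr/,}bin/xmessage rix,
+/{usr/,}bin/gdb rix,
+/{usr/,}bin/iconv rix,
+/opt/gzdoom/ r,
+/opt/gzdoom/** mr,
+/etc/gdb/gdbinit.d/ r,
+/etc/gdb/gdbinit r,
+/usr/share/gdb/{,**} r,
+/usr/share/gcc/{,**} r,
+deny /usr/share/gdb/{,**} w,
+deny /usr/share/gcc/{,**} w,
+/etc/zsh/zshenv r,
+/etc/X11/app-defaults/* r,
+/etc/machine-id r,
+/var/lib/dbus/machine-id r,
+@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/uevent r,
+owner @{HOME}/ r,
+owner @{HOME}/.config/gzdoom/ rw,
+owner @{HOME}/.config/gzdoom/** rw,
+owner @{HOME}/.config/zdoom/ rw,
+owner @{HOME}/.config/zdoom/** rwk,
+owner @{HOME}/gzdoom-crash.log rw,
+owner @{HOME}/gdb-respfile-* rw,
+owner @{PROC}/@{pid}/fd/ r,
+owner @{PROC}/@{pids}/mem r,
+owner @{PROC}/@{pids}/task/@{tid}/stat r,
+owner @{PROC}/@{pids}/task/@{tid}/comm r,
+owner @{PROC}/@{pids}/task/@{tid}/maps r,
+owner @{PROC}/@{pids}/task/ r,
+owner @{PROC}/@{pid}/loginuid r,
+owner @{PROC}/@{pid}/cmdline r,
+@{sys}/bus/ r,
+@{sys}/class/ r,
+@{sys}/class/sound/ r,
+@{sys}/class/input/ r,
+@{sys}/class/hidraw/ r,
+@{sys}/devices/**/uevent r,
+@{sys}/devices/**/sound/**/{uevent,ev,rel,key,abs} r,
+@{sys}/devices/**/input/**/{uevent,ev,rel,key,abs} r,
+@{run}/udev/data/+sound:* r,
+@{run}/udev/data/+input:* r,
+@{run}/udev/data/c13:[0-9]* r, # For /dev/input/*
+@{run}/udev/data/c116:[0-9]* r, # For ALSA
+@{run}/udev/data/c240:[0-9]* r, # For USB HID
+include if exists <local/gzdoom>
+}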
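Review bot: The debugger rules in this new profile are not explained: `/{usr/,}bin/gdb rix` (L1136), `ptrace (trace) peer=@{profile_name}` (L1130) and the `owner @{PROC}/@{pids}/mem` and `task/@{tid}/*` reads (L1159-L1163) together let gdb run inside the game's own profile and trace any process confined by it. The `gzdoom-crash.log` and `gdb-respfile-*` rules at L1156-L1157 suggest this serves the built-in crash reporter, which is worth stating next to the exec rules, e.g. `# gdb, xmessage and the shells are spawned by gzdoom's crash handler; ptrace stays within our own profile`. The `@{pids}` form on the /proc rules is wider than the ptrace peer restriction, but since the kernel's ptrace access check also gates /proc/<pid>/mem, the practical reach appears to be the same; a one-line comment saying so would save the next reader the analysis.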


@ -29,7 +29,7 @@ profile htop @{exec_path} {
capability sys_ptrace, capability sys_ptrace,
# Needed? # Needed? (for system state)
audit deny capability net_admin, audit deny capability net_admin,
signal (send), signal (send),
@ -45,6 +45,10 @@ profile htop @{exec_path} {
@{PROC}/tty/drivers r, @{PROC}/tty/drivers r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/pid_max r,
@{PROC}/pressure/cpu r,
@{PROC}/pressure/io r,
@{PROC}/pressure/memory r,
@{PROC}/diskstats r,
@{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/stat r, @{PROC}/@{pids}/stat r,
@ -69,11 +73,25 @@ profile htop @{exec_path} {
@{PROC}/@{pids}/task/@{tid}/status r, @{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/task/@{tid}/io r, @{PROC}/@{pids}/task/@{tid}/io r,
@{PROC}/@{pids}/task/@{tid}/comm r, @{PROC}/@{pids}/task/@{tid}/comm r,
@{PROC}/@{pids}/net/dev r,
owner @{PROC}/@{pid}/smaps_rollup r, owner @{PROC}/@{pid}/smaps_rollup r,
@{sys}/devices/virtual/block/zram[0-9]*/{disksize,mm_stat} r, @{sys}/devices/virtual/block/zram[0-9]*/{disksize,mm_stat} r,
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r, @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
@{sys}/class/i2c-adapter/ r,
@{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r,
@{sys}/class/hwmon/ r,
@{sys}/class/power_supply/ r,
@{sys}/devices/**/power_supply/**/{uevent,type,online} r,
@{sys}/devices/**/hwmon/ r,
@{sys}/devices/**/hwmon/{name,temp*} r,
@{sys}/devices/**/hwmon/**/ r,
@{sys}/devices/**/hwmon/**/{name,temp*} r,
@{sys}/devices/**/hwmon[0-9]*/ r,
@{sys}/devices/**/hwmon[0-9]*/{name,temp*} r,
@{sys}/devices/**/hwmon[0-9]*/**/ r,
@{sys}/devices/**/hwmon[0-9]*/**/{name,temp*} r,
owner @{HOME}/.config/htop/ rw, owner @{HOME}/.config/htop/ rw,
owner @{HOME}/.config/htop/htoprc rw, owner @{HOME}/.config/htop/htoprc rw,
@ -85,5 +103,8 @@ profile htop @{exec_path} {
# htop[]: Oh, oh, it's an error! possibly I die! # htop[]: Oh, oh, it's an error! possibly I die!
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,
/etc/sensors.d/ r,
/etc/sensors3.conf r,
include if exists <local/htop> include if exists <local/htop>
} }
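Review bot: `/etc/sensors.d/ r` at L1225 grants only a listing of the directory; if libsensors is expected to load the drop-in configuration files kept there, the files need a rule too, e.g. `/etc/sensors.d/* r,`. The four hwmon groups at L1212-L1219 differ only by an optional `[0-9]*` suffix and one extra `**/` level, so they could be collapsed into the `hwmon*` form, though all of them are sysfs reads and harmless either way. `@{PROC}/@{pids}/net/dev r` at L1203 reads the per-process view for every pid where `@{PROC}/net/dev` would do, assuming htop only needs the caller's namespace. The htop profile's header lies outside this section.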


@ -38,8 +38,8 @@ profile keepassxc @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink dgram, network netlink dgram,
deny network netlink raw, network netlink raw,
@{exec_path} mrix, @{exec_path} mrix,
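Review bot: Turning `deny network netlink dgram` and `deny network netlink raw` into allows at L1236-L1237 widens the profile without a word of justification, and the same flip is made in the keepassxc-proxy, mpv, opera, quiterss, smplayer, thunderbird, vlc and wget sections. A plain `network netlink raw` rule does not distinguish netlink families, so it grants more than the NETLINK_ROUTE queries glibc's getaddrinfo() issues, which is presumably the reason the denies were noisy. If that is the motivation, record it once per profile, e.g. `# getaddrinfo() opens a NETLINK_ROUTE socket to enumerate local addresses`, so the next reader does not re-tighten it blindly. The keepassxc profile body continues outside the hunk.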


@ -25,7 +25,7 @@ profile keepassxc-proxy @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,


@ -60,13 +60,6 @@ profile kodi @{exec_path} {
/usr/share/icons/*/index.theme r, /usr/share/icons/*/index.theme r,
/etc/mime.types r, /etc/mime.types r,
# Media lib
/ r,
/media/ r,
/media/{Kabi,Zami}/ r,
/media/Kabi/mp3/{,**} r,
/media/Zami/{Film,Serial}/{,**} r,
/etc/timezone r, /etc/timezone r,
/etc/fstab r, /etc/fstab r,


@ -38,7 +38,9 @@ profile mount @{exec_path} flags=(complain) {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/ntfs-3g rPx, /{usr/,}bin/ntfs-3g rPx,
/{usr/,}sbin/mount.cifs rPx, /{usr/,}bin/lowntfs-3g rPx,
/{usr/,}bin/sshfs rPx,
/{usr/,}sbin/mount.* rPx,
# Mount points # Mount points
/media/*/ r, /media/*/ r,
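Review bot: `/{usr/,}sbin/mount.* rPx` at L1270 requires a dedicated profile for every helper the glob can match, and `rPx` refuses the exec when none exists; this commit adds profiles only for mount.cifs and mount.nfs, so any other mount.* helper installed on the host would fail to launch once the profile leaves `flags=(complain)`. Either list the helpers that do have profiles, or document the contract above the rule: `# every mount.* helper matched here needs its own profile; rPx has no unconfined fallback`. The umount section further down introduces the same pattern with `umount.* rPx`. The mount profile continues outside the hunk.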

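--- /dev/null
+++ b/apparmor.d/mount-cifs
@@ -0,0 +1,57 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020-2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}sbin/mount.cifs
+profile mount-cifs @{exec_path} flags=(complain) {
+include <abstractions/base>
+include <abstractions/nameservice-strict>
+# To mount anything.
+capability sys_admin,
+# (#FIXME#)
+capability setpcap,
+network inet stream,
+network inet6 stream,
+network netlink raw,
+@{exec_path} mr,
+/{usr/,}bin/systemd-ask-password rPUx,
+/etc/fstab r,
+owner @{HOME}/.smbcredentials r,
+# Mount points
+/media/*/ r,
+/media/*/*/ r,
+/mnt/ r,
+/mnt/*/ r,
+# Allow to mount smb/cifs disks only under the /media/ dirs
+mount fstype=cifs -> /media/*/,
+mount fstype=cifs -> /media/*/*/,
+mount fstype=cifs -> /mnt/,
+mount fstype=cifs -> /mnt/*/,
+umount /media/*/,
+umount /media/*/*/,
+umount /mnt/,
+umount /mnt/*/,
+include if exists <local/mount-cifs>
+}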
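Review bot: The comment at L1311, `# Allow to mount smb/cifs disks only under the /media/ dirs`, no longer describes the rules beneath it, which also allow mount and umount under /mnt/ and /mnt/*/; the same sentence is copied verbatim into mount-nfs (L1372), where it names the wrong filesystem as well. Suggested wording for both: `# Allow mounting and unmounting only under /media/ and /mnt/`. `/{usr/,}bin/systemd-ask-password rPUx` at L1303 falls back to running the password helper unconfined when it has no profile, which is a notable gap for a tool that handles the share credentials; worth a comment or an `rPx` once a profile for it exists. `capability setpcap` at L1298 carries a FIXME and should be justified or dropped before the profile leaves complain mode.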

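--- /dev/null
+++ b/apparmor.d/mount-nfs
@@ -0,0 +1,72 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}sbin/mount.nfs
+profile mount-nfs @{exec_path} flags=(complain) {
+include <abstractions/base>
+include <abstractions/nameservice-strict>
+# To be able to mount anything
+capability sys_admin,
+capability chown,
+capability setgid,
+capability setuid,
+capability net_bind_service,
+network inet dgram,
+network inet6 dgram,
+network inet stream,
+network inet6 stream,
+@{exec_path} mr,
+/{usr/,}bin/{,ba,da}sh rix,
+/{usr/,}sbin/start-statd rix,
+/{usr/,}bin/flock rix,
+/usr/bin/systemctl rPx -> child-systemctl,
+/etc/fstab r,
+/etc/netconfig r,
+/etc/rpc r,
+@{PROC}/filesystems r,
+owner @{PROC}/@{pid}/mountinfo r,
+owner @{run}/mount/utab{,.*} rw,
+owner @{run}/mount/utab.lock wk,
+owner @{run}/rpc.statd.lock wk,
+# Mount points
+/media/*/ r,
+/media/*/*/ r,
+/mnt/ r,
+/mnt/*/ r,
+# Allow to mount smb/cifs disks only under the /media/ dirs
+mount fstype=nfs -> /media/*/,
+mount fstype=nfs -> /media/*/*/,
+mount fstype=nfs -> /mnt/,
+mount fstype=nfs -> /mnt/*/,
+umount /media/*/,
+umount /media/*/*/,
+umount /mnt/,
+umount /mnt/*/,
+include if exists <local/mount-nfs>
+}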


@ -53,10 +53,6 @@ profile mpsyt @{exec_path} {
# Cache files # Cache files
owner @{HOME}/.cache/youtube-dl/youtube-sigfuncs/js_*.json{,.*.tmp} rw, owner @{HOME}/.cache/youtube-dl/youtube-sigfuncs/js_*.json{,.*.tmp} rw,
# Download DIR
/media/Kabi/YT/ r,
/media/Kabi/YT/** rw,
/etc/inputrc r, /etc/inputrc r,
/etc/mime.types r, /etc/mime.types r,


@ -85,7 +85,7 @@ profile mpv @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,

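--- /dev/null
+++ b/apparmor.d/nemo
@@ -0,0 +1,95 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}bin/nemo
+profile nemo @{exec_path} {
+include <abstractions/base>
+include <abstractions/gtk>
+include <abstractions/fonts>
+include <abstractions/fontconfig-cache-read>
+include <abstractions/freedesktop.org>
+include <abstractions/nameservice-strict>
+# This should be tightened when the "profile has merged rule with conflicting x modifiers" error
+# will be fixed. (#FIXME#)
+include <abstractions/app-launcher-user>
+include <abstractions/app-launcher-root>
+# For root window
+deny capability dac_read_search,
+deny capability dac_override,
+# Needed?
+deny capability sys_nice,
+network inet stream,
+network inet6 stream,
+@{exec_path} mr,
+/{usr/,}lib/@{multiarch}/nemo/** mrix,
+/usr/libexec/gvfsd-* rPx,
+owner @{PROC}/@{pid}/mountinfo r,
+owner @{PROC}/@{pid}/mounts r,
+owner @{PROC}/@{pid}/fd/ r,
+# To read/write files in the system. The read permission is granted for all files, the write
+# permission only for the owner. Also, dirs like /dev/, /efi/, /proc/, /sys/ are not included in
+# the list.
+/ r,
+/boot/ r,
+/boot/** r,
+owner /boot/** rw,
+/etc/ r,
+/etc/** r,
+owner /etc/** rw,
+/home/ r,
+/home/** r,
+owner /home/** rw,
+/lost+found/ r,
+/lost+found/** r,
+owner /lost+found/** rw,
+/media/ r,
+/media/** r,
+owner /media/** rw,
+/mnt/ r,
+/mnt/** r,
+owner /mnt/** rw,
+/opt/ r,
+/opt/** r,
+owner /opt/** rw,
+/root/ r,
+/root/** r,
+owner /root/** rw,
+/run/ r,
+/run/** r,
+owner /run/** rw,
+/srv/ r,
+/srv/** r,
+owner /srv/** rw,
+/tmp/ r,
+/tmp/** r,
+owner /tmp/** rw,
+/usr/ r,
+/usr/** r,
+owner /usr/** rw,
+/var/ r,
+/var/** r,
+owner /var/** rw,
+include if exists <local/nemo>
+}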
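Review bot: `/usr/libexec/gvfsd-* rPx` at L1442 names only the libexec location, whereas the gvfsd-* profiles added in this commit declare `@{exec_path}` for both `/{usr/,}lib/gvfs/gvfsd-*` and `/usr/libexec/gvfsd-*`; on a host that installs the daemons under /usr/lib/gvfs/ this profile would deny the exec. If nemo really launches them itself, mirror the second path: `/{usr/,}lib/gvfs/gvfsd-* rPx,`. Whether nemo execs the daemons directly or asks the gvfs master daemon over D-Bus cannot be told from the profile, so a short comment above the rule stating which it is would help. The broad `owner /etc/** rw` and `owner /usr/** rw` rules are already explained by the comment at L1446-L1448, which is good; it may be worth adding there that they amount to full write access when nemo is run as root.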


@ -46,6 +46,7 @@ profile openbox @{exec_path} {
owner @{HOME}/.cache/ rw, owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/openbox/ rw, owner @{HOME}/.cache/openbox/ rw,
owner @{HOME}/.cache/openbox/openbox.log rw, owner @{HOME}/.cache/openbox/openbox.log rw,
owner @{HOME}/.cache/openbox/sessions/ rw,
owner @{HOME}/.Xauthority r, owner @{HOME}/.Xauthority r,


@ -52,7 +52,7 @@ profile opera @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink raw, network netlink raw,
@{exec_path} mrix, @{exec_path} mrix,


@ -59,7 +59,7 @@ profile pam-auth-update @{exec_path} flags=(complain) {
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
capability dac_read_search, capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rPx, /{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r, @{HOME}/.Xauthority r,
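Review bot: Switching `/{usr/,}bin/hostname` from `rPx` to `rix` at L1516 makes hostname run inside this child profile, inheriting `capability dac_read_search` from L1514 and every other permission here instead of a profile of its own; the same switch is made in the ucf and xdg-screensaver sections. That is a defensible choice for a tiny helper, but the reason is not recorded anywhere, so add a comment such as `# hostname is run confined by this profile rather than its own (rix)` — adjusted to the actual reason, presumably that no hostname profile exists — to keep the next reader from restoring `rPx`. The enclosing child profile starts and ends outside the hunk.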


@ -54,6 +54,7 @@ profile ps @{exec_path} flags=(attach_disconnected) {
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/vm/min_free_kbytes r,
@{PROC}/tty/drivers r, @{PROC}/tty/drivers r,
@{PROC}/uptime r, @{PROC}/uptime r,


@ -124,7 +124,7 @@ profile psi-plus @{exec_path} {
owner @{HOME}/.Xauthority r, owner @{HOME}/.Xauthority r,
# file_inherit # file_inherit
deny /dev/dri/card[0-9]* rw, /dev/dri/card[0-9]* rw,
} }
@ -137,7 +137,7 @@ profile psi-plus @{exec_path} {
owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**, owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
# file_inherit # file_inherit
deny /dev/dri/card[0-9]* rw, /dev/dri/card[0-9]* rw,
} }
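Review bot: Replacing `deny /dev/dri/card[0-9]* rw` with an allow at L1534 and L1539 does more than the `# file_inherit` comment above each rule implies: the deny only silenced audit noise for a descriptor inherited from psi-plus, whereas the allow lets each child profile open the DRM device itself with read and write access. If only the inherited descriptor matters, the deny was the tighter rule; if the children genuinely need the device, replace the comment with one that says so, e.g. `# needs the render device itself, not just an inherited fd`. Both hunks sit inside child profiles whose headers lie outside the section.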


@ -39,8 +39,8 @@ profile quiterss @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink raw, network netlink raw,
deny network netlink dgram, network netlink dgram,
@{exec_path} mr, @{exec_path} mr,


@ -13,6 +13,8 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{ANDROID_SOURCE_DIR} = /media/Android/
@{exec_path} = /{usr/,}bin/repo @{exec_path} = /{usr/,}bin/repo
profile repo @{exec_path} { profile repo @{exec_path} {
include <abstractions/base> include <abstractions/base>
@ -44,8 +46,8 @@ profile repo @{exec_path} {
/{usr/,}bin/gpg rCx -> gpg, /{usr/,}bin/gpg rCx -> gpg,
# Android source dir # Android source dir
owner /media/Android/** rwkl -> /media/Android/**, owner @{ANDROID_SOURCE_DIR}/** rwkl -> @{ANDROID_SOURCE_DIR}/**,
owner /media/Android/**/.repo/repo/main.py rix, owner @{ANDROID_SOURCE_DIR}/**/.repo/repo/main.py rix,
owner @{HOME}/.repoconfig/{,**} rw, owner @{HOME}/.repoconfig/{,**} rw,
owner @{HOME}/.repo_.gitconfig.json rw, owner @{HOME}/.repo_.gitconfig.json rw,


@ -89,7 +89,7 @@ profile smplayer @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink dgram, network netlink dgram,
@{exec_path} mrix, @{exec_path} mrix,


@ -16,8 +16,10 @@ include <tunables/global>
@{exec_path} = /opt/SPFlashTool/flash_tool{,.sh} @{exec_path} = /opt/SPFlashTool/flash_tool{,.sh}
profile spflashtool @{exec_path} { profile spflashtool @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/X>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/deny-root-dir-access> include <abstractions/deny-root-dir-access>
@{exec_path} mrix, @{exec_path} mrix,
@ -38,33 +40,18 @@ profile spflashtool @{exec_path} {
owner /tmp/SP_FT_Logs/SP_FT_Dump_*/ADPT_[0-9]*-[0-9]*_[0-9]*.log w, owner /tmp/SP_FT_Logs/SP_FT_Dump_*/ADPT_[0-9]*-[0-9]*_[0-9]*.log w,
# For reading the scatter.txt file # For reading the scatter.txt file
/ r, owner /**/scatter.txt r,
/media/ r,
owner /media/Android/{,**/} r,
owner /media/Android/**scatter.txt r,
# For backups
owner /media/Android/smartphones_flash_backup/ r,
owner /media/Android/smartphones_flash_backup/** rw,
owner @{HOME}/.config/Trolltech.conf rwk, owner @{HOME}/.config/Trolltech.conf rwk,
owner @{HOME}/.config/MTK/ rw, owner @{HOME}/.config/MTK/ rw,
owner @{HOME}/.config/MTK/Clipper.conf rwk, owner @{HOME}/.config/MTK/Clipper.conf rwk,
owner @{HOME}/.Xauthority r,
owner @{HOME}/.icons/default/index.theme r,
/etc/X11/cursors/*.theme r,
/usr/share/icons/*/cursors/default r,
/usr/share/icons/*/index.theme rk,
/usr/share/icons/*/cursors/* r,
/dev/ r, /dev/ r,
# For reading/writing from/to phone flash memory # For reading/writing from/to phone flash memory
/dev/ttyACM[0-9]* rw, /dev/ttyACM[0-9]* rw,
/sys/devices/pci[0-9]*/**/{idVendor,idProduct} r, @{sys}/devices/pci[0-9]*/**/{idVendor,idProduct} r,
# Silence the noise # Silence the noise
/opt/SPFlashTool/** w, /opt/SPFlashTool/** w,

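--- /dev/null
+++ b/apparmor.d/sshfs
@@ -0,0 +1,33 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}bin/sshfs
+profile sshfs @{exec_path} flags=(complain) {
+include <abstractions/base>
+@{exec_path} mr,
+/{usr/,}bin/ssh rPx,
+/{usr/,}bin/fusermount{,3} rPx,
+/dev/fuse rw,
+mount fstype=fuse.sshfs -> @{HOME}/*/,
+mount fstype=fuse.sshfs -> @{HOME}/*/*/,
+mount fstype=fuse.sshfs -> /media/*/,
+mount fstype=fuse.sshfs -> /media/*/*/,
+include if exists <local/sshfs>
+}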


@ -13,6 +13,8 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{MEDIA_LIB} = /media/*/mp3/
@{exec_path} = /{usr/,}bin/strawberry @{exec_path} = /{usr/,}bin/strawberry
profile strawberry @{exec_path} { profile strawberry @{exec_path} {
include <abstractions/base> include <abstractions/base>
@ -54,9 +56,13 @@ profile strawberry @{exec_path} {
# Media library # Media library
/ r, / r,
/media/ r, /media/ r,
owner /media/Kabi/ r, owner /media/*/ r,
owner /media/Kabi/mp3/ r, owner @{MEDIA_LIB}/ r,
owner /media/Kabi/mp3/** rw, owner @{MEDIA_LIB}/** rw,
# Playlists
owner @{HOME}/**.{m3u,xspf,pls,asx,cue,wpl} rw,
owner @{HOME}/**.{M3U,XSPF,PLS,ASX,CUE,WPL} rw,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{HOME}/.config/strawberry/ rw, owner @{HOME}/.config/strawberry/ rw,


@ -13,6 +13,8 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{MEDIA_LIB} = /media/*/mp3/
@{exec_path} = /{usr/,}bin/strawberry-tagreader @{exec_path} = /{usr/,}bin/strawberry-tagreader
profile strawberry-tagreader @{exec_path} { profile strawberry-tagreader @{exec_path} {
include <abstractions/base> include <abstractions/base>
@ -27,8 +29,8 @@ profile strawberry-tagreader @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# Media library # Media library
owner /media/*/mp3/ r, owner @{MEDIA_LIB}/ r,
owner /media/*/mp3/** rw, owner @{MEDIA_LIB}/** rw,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,


@ -13,6 +13,9 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{SYNC_DIR} = @{HOME}/Sync/
@{SYNC_DIR} += /media/*/syncthing/
@{exec_path} = /{usr/,}bin/syncthing @{exec_path} = /{usr/,}bin/syncthing
profile syncthing @{exec_path} { profile syncthing @{exec_path} {
include <abstractions/base> include <abstractions/base>
@ -35,9 +38,7 @@ profile syncthing @{exec_path} {
owner @{HOME}/.config/syncthing/ rw, owner @{HOME}/.config/syncthing/ rw,
owner @{HOME}/.config/syncthing/** rwk, owner @{HOME}/.config/syncthing/** rwk,
# The sync folders @{SYNC_DIR}/{,**} rw,
#owner @{HOME}/Sync/{,**} rw,
owner /media/*/syncthing/{,**} rw,
/etc/mime.types r, /etc/mime.types r,
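Review bot: The new rule `@{SYNC_DIR}/{,**} rw` at L1695 drops the `owner` qualifier that the replaced `owner /media/*/syncthing/{,**} rw` line carried, and `@{SYNC_DIR}` now also includes `@{HOME}/Sync/`, which with the stock tunables expands to every user's home directory, so the daemon is allowed to read and write other users' Sync folders. Restoring the qualifier, `owner @{SYNC_DIR}/{,**} rw,`, keeps the rule to files the running user owns and matches the `owner` used on the config rules just above. The syncthing profile body continues outside the hunk.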


@ -46,7 +46,7 @@ profile thunderbird @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink raw, network netlink raw,
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
# to "1". # to "1".


@ -113,7 +113,7 @@ profile ucf @{exec_path} flags=(complain) {
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
capability dac_read_search, capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rPx, /{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r, @{HOME}/.Xauthority r,


@ -16,6 +16,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/umount @{exec_path} = /{usr/,}bin/umount
profile umount @{exec_path} flags=(complain) { profile umount @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict>
# To be able to umount anything # To be able to umount anything
# umount2("/mnt", 0) = -1 EPERM (Operation not permitted) # umount2("/mnt", 0) = -1 EPERM (Operation not permitted)
@ -33,9 +34,12 @@ profile umount @{exec_path} flags=(complain) {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}sbin/umount.udisks2 rPx, /{usr/,}sbin/umount.* rPx,
# Mount points # Mount points
@{HOME}/ r,
@{HOME}/*/ r,
@{HOME}/*/*/ r,
/media/*/ r, /media/*/ r,
/media/*/*/ r, /media/*/*/ r,
/mnt/ r, /mnt/ r,


@ -13,7 +13,8 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/upower/upowerd /usr/libexec/upowerd @{exec_path} = /{usr/,}lib/upower/upowerd
@{exec_path} += /usr/libexec/upowerd
profile upowerd @{exec_path} { profile upowerd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/devices-usb> include <abstractions/devices-usb>


@ -84,7 +84,7 @@ profile vlc @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink raw, network netlink raw,
@{exec_path} mrix, @{exec_path} mrix,


@ -30,7 +30,7 @@ profile wget @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,


@ -37,7 +37,7 @@ profile xdg-screensaver @{exec_path} {
/{usr/,}bin/xprop rPx, /{usr/,}bin/xprop rPx,
/{usr/,}bin/xdg-mime rPx, /{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/xset rPx, /{usr/,}bin/xset rPx,
/{usr/,}bin/hostname rPx, /{usr/,}bin/hostname rix,
/dev/dri/card[0-9] rw, /dev/dri/card[0-9] rw,