update apparmor profiles

This commit is contained in:
Mikhail Morfikov 2021-03-21 17:04:10 +01:00
parent f7ddca7289
commit c5ca6e1d90
No known key found for this signature in database
GPG Key ID: 32D9CB634796CCA1
78 changed files with 1285 additions and 131 deletions


@ -11,6 +11,10 @@
abi <abi/3.0>,
owner @{HOME}/thumbnails/ r,
owner @{HOME}/thumbnails/{large,normal}/ r,
owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png r,
owner @{HOME}/.cache/thumbnails/ r,
owner @{HOME}/.cache/thumbnails/{large,normal}/ r,
owner @{HOME}/.cache/thumbnails/{large,normal}/[a-f0-9]*.png r,


@ -11,6 +11,11 @@
abi <abi/3.0>,
owner @{HOME}/thumbnails/ rw,
owner @{HOME}/thumbnails/{large,normal}/ rw,
owner @{HOME}/thumbnails/{large,normal}/#[0-9]*[0-9] rw,
owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{HOME}/.cache/thumbnails/{large,normal}/#[0-9]*[0-9],
owner @{HOME}/.cache/thumbnails/ rw,
owner @{HOME}/.cache/thumbnails/{large,normal}/ rw,
owner @{HOME}/.cache/thumbnails/{large,normal}/#[0-9]*[0-9] rw,
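Review bot: The `.cache/thumbnails/{large,normal}/` set has directory and `#[0-9]*[0-9]` rules but no rule for the final `[a-f0-9]*.png` thumbnail, while the `~/thumbnails` set above it still carries that rule with a link target that already points into `.cache`; if the thumbnailer writes the temporary `#NNN` file and then links it to the png under `.cache` (which the `rwl ->` rule suggests), the png under `.cache` will be denied. Which of these lines are new is not recoverable from this rendering, so verify against the profile, but the two directory sets should end up symmetrical, e.g. `owner @{HOME}/.cache/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{HOME}/.cache/thumbnails/{large,normal}/#[0-9]*[0-9],`. The enclosing profile continues outside the hunk.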


@ -99,7 +99,7 @@ profile adequate @{exec_path} flags=(complain) {
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rPx,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
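Review bot: Switching `/{usr/,}bin/hostname` from `rPx` to `rix` runs hostname inside the calling profile instead of its own, so it inherits everything this profile allows (including the `capability dac_read_search` a few lines above) and a standalone hostname profile, if one exists in the repository, no longer applies to it; the same swap is made in apt-listbugs, apt-listchanges (whose earlier hunk also drops a second `hostname rPx` line), check-support-status-hook, dhclient-script, dpkg-preconfigure and frontend. Only the dhclient-script hunk records the motivation (`hostname: Permission denied`), which reads like the profile transition failing rather than a deliberate design choice. I would keep one comment next to each rule, e.g. `# hostname runs inherited (rix): no hostname profile is loaded, so the rPx transition was denied`, or, if a hostname profile does exist, keep `rPx` and fix the transition instead. The enclosing profiles continue outside these hunks.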


@ -80,13 +80,6 @@ profile anyremote @{exec_path} {
/usr/share/anyremote/{,**} r,
/usr/share/anyremote/cfg-data/Utils/*.sh rix,
# Video dirs
/ r,
/media/ r,
/media/Zami/ r,
owner /media/Zami/Film/ r,
owner /media/Zami/Film/** r,
deny @{PROC}/sys/kernel/osrelease r,
owner @{HOME}/.Xauthority r,


@ -0,0 +1,116 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = "/home/*/Desktop/Beyond All Reason.AppImage"
@{exec_path} += /home/*/Desktop/BeyondAllReason.AppImage
profile appimage-beyond-all-reason @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/nameservice-strict>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/ssl_certs>
include <abstractions/audio>
capability sys_ptrace,
# For kernel unprivileged user namespaces
capability sys_admin,
capability sys_chroot,
capability setuid,
capability setgid,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w,
network netlink raw,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/xmessage rix,
/{usr/,}bin/x86_64-linux-gnu-addr2line rix,
/{usr/,}bin/fusermount{,3} rPx,
mount fstype={fuse,fuse.*} -> /tmp/.mount_Beyond*/,
/var/tmp/ r,
/tmp/ r,
/tmp/.mount_Beyond*/ rw,
/tmp/.mount_Beyond*/beyond-all-reason rix,
/tmp/.mount_Beyond*/AppRun rix,
/tmp/.mount_Beyond*/bin/* rix,
/tmp/.mount_Beyond*/resources/app.asar.unpacked/node_modules/** rix,
/tmp/.mount_Beyond*/** r,
/tmp/.mount_Beyond*/**.so{,.[0-9]*} mr,
owner /tmp/.org.chromium.Chromium.*/ rw,
owner /tmp/.org.chromium.Chromium.*/SingletonCookie rw,
owner /tmp/.org.chromium.Chromium.*/SS rw,
owner /tmp/.org.chromium.Chromium.*/*.png rw,
owner /tmp/.org.chromium.Chromium.* rw,
owner @{HOME}/.config/Beyond-All-Reason/ rw,
owner @{HOME}/.config/Beyond-All-Reason/** rwk,
owner "@{HOME}/Beyond All Reason/" rw,
owner "@{HOME}/Beyond All Reason/**" rwkm,
owner "@{HOME}/Beyond All Reason/engine/**/spring" rix,
owner @{HOME}/.spring/ rw,
owner @{HOME}/.spring/** rw,
owner @{HOME}/.pki/ rw,
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r,
deny owner @{PROC}/@{pid}/cmdline r,
@{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/statm r,
owner @{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pid}/oom_{,score_}adj r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj w,
@{PROC}sys/fs/inotify/max_user_watches r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
owner /dev/shm/.org.chromium.Chromium.* rw,
@{sys}/bus/pci/devices/ r,
@{sys}/devices/pci[0-9]*/**/class r,
@{sys}/devices/virtual/tty/tty0/active r,
/dev/fuse rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
include if exists <local/appimage-beyond-all-reason>
}
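Review bot: The `/tmp/.mount_Beyond*/` rules (the `rw` on the directory and the `rix`/`r`/`mr` rules beneath it) carry no `owner` qualifier, unlike the `/tmp/.org.chromium.Chromium.*` rules right after them, yet the prefix lives in world-writable `/tmp`, so files another local user plants under a matching directory name become executable inside this profile, which also grants `capability sys_admin`, `sys_chroot`, `setuid` and `setgid`. If the AppImage runtime's FUSE mount presents its contents as the invoking user (I believe it does, but confirm with the runtime in use), adding `owner` closes that without breaking the app; the `mount` rule itself cannot take `owner` and stays as it is. Separately, `@{PROC}sys/fs/inotify/max_user_watches r` lacks the `/` after the variable and presumably only works because `@{PROC}` expands with a trailing slash; write it `@{PROC}/sys/fs/inotify/max_user_watches r,` like the `ptrace_scope` rule below it.
```apparmor
# … unchanged: mount rule, /var/tmp and /tmp directory reads …
owner /tmp/.mount_Beyond*/ rw,
owner /tmp/.mount_Beyond*/beyond-all-reason rix,
owner /tmp/.mount_Beyond*/AppRun rix,
owner /tmp/.mount_Beyond*/bin/* rix,
owner /tmp/.mount_Beyond*/resources/app.asar.unpacked/node_modules/** rix,
owner /tmp/.mount_Beyond*/** r,
owner /tmp/.mount_Beyond*/**.so{,.[0-9]*} mr,
# … unchanged: chromium, config and proc rules …
```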


@ -57,7 +57,7 @@ profile apt-listbugs @{exec_path} {
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rPx,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,


@ -29,7 +29,6 @@ profile apt-listchanges @{exec_path} {
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/hostname rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
@ -77,7 +76,7 @@ profile apt-listchanges @{exec_path} {
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rPx,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,


@ -59,7 +59,7 @@ profile calibre @{exec_path} {
capability sys_ptrace,
deny network netlink raw,
network netlink raw,
@{exec_path} mrix,
/{usr/,}bin/python3.[0-9]* r,
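Review bot: Replacing `deny network netlink raw` with `network netlink raw` turns a rule that was silencing denials into a grant, and nothing in the hunk says what the application now needs netlink for; the same flip is made in discord, firefox, flameshot (there also for `netlink dgram`), freetube and google-chrome-chrome. As far as I know AppArmor 3 does not mediate the netlink family, so this permits every netlink protocol, not only the interface or route enumeration these applications typically do over NETLINK_ROUTE. A one-line comment on the rule, e.g. `# Needed, not merely quieted: used for interface enumeration; AppArmor cannot narrow this to NETLINK_ROUTE`, would record the reason for the widening. The profiles continue outside the hunks.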


@ -92,7 +92,7 @@ profile check-support-status-hook @{exec_path} {
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rPx,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,


@ -32,7 +32,7 @@ profile dhclient-script @{exec_path} {
# To remove the following error:
# /sbin/dhclient-script: 133: hostname: Permission denied
/{usr/,}bin/hostname rPx,
/{usr/,}bin/hostname rix,
# To read scripts
/etc/dhcp/ r,


@ -43,7 +43,7 @@ profile discord @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
deny network netlink raw,
network netlink raw,
@{exec_path} mrix,


@ -50,7 +50,7 @@ profile dpkg-preconfigure @{exec_path} {
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rPx,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,


@ -59,6 +59,11 @@ profile ffmpeg @{exec_path} {
include <abstractions/user-download-strict>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
@{exec_path} mr,
# Which files ffmpeg should be able to open
@ -69,7 +74,6 @@ profile ffmpeg @{exec_path} {
/media/ r,
owner /media/**/ r,
owner /{home,media}/**.@{ffmpeg_ext}{,.[0-9]*} rw,
owner /media/Grafi/* rw,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]/meminfo r,
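Review bot: The four `network inet/inet6 dgram/stream` rules at the top of the first hunk give ffmpeg unrestricted IPv4/IPv6 sockets without a comment, while the surrounding profile takes care to limit file access (`user-download-strict`, `deny-root-dir-access`, the `@{ffmpeg_ext}` list). ffmpeg uses sockets for output as well as input, so everything the profile lets it read can also leave the host; that may well be intended for streaming use, but it should be stated on the rules, e.g. `# Network protocols (http, rtsp, rtmp, ...) as input and output`. The second hunk is a pure removal of the `/media/Grafi/*` rule and needs nothing. The profile continues outside both hunks.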


@ -46,7 +46,7 @@ profile firefox @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
deny network netlink raw,
network netlink raw,
@{exec_path} mrix,


@ -36,8 +36,8 @@ profile flameshot @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
deny network netlink raw,
deny network netlink dgram,
network netlink raw,
network netlink dgram,
@{exec_path} mr,


@ -47,7 +47,7 @@ profile freetube @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
deny network netlink raw,
network netlink raw,
@{exec_path} mrix,


@ -76,7 +76,7 @@ profile frontend @{exec_path} flags=(complain) {
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rPx,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,


@ -41,9 +41,13 @@ profile fusermount @{exec_path} {
mount fstype={fuse,fuse.*} -> @{HOME}/*/*/,
mount fstype={fuse,fuse.*} -> @{HOME}/.cache/**/,
mount fstype={fuse,fuse.*} -> /media/*/,
mount fstype={fuse,fuse.*} -> /media/*/*/,
# For MTP
mount -> /,
# For AppImage
mount fstype={fuse,fuse.*} -> /tmp/.mount_*/,
# For GVFS
mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/,
@ -52,6 +56,7 @@ profile fusermount @{exec_path} {
umount @{HOME}/*/*/,
umount @{HOME}/.cache/**/,
umount /media/*/,
umount /tmp/.mount_*/,
umount @{run}/user/[0-9]*/**/,
# Image files to be mounted
@ -60,6 +65,10 @@ profile fusermount @{exec_path} {
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# AppImage files
owner @{HOME}/**.AppImage r,
owner /media/*/**.AppImage r,
/etc/fuse.conf r,
/dev/fuse rw,
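Review bot: `mount -> /,` in the first hunk allows fusermount to mount any filesystem type, from any source, with any options, onto `/`, which is far wider than every neighbouring rule (all `fstype={fuse,fuse.*}` with a specific mount point) and wider than MTP should need; the rendering does not show whether this line is new or context, but it stands out either way. If MTP mounts are the reason, identify the real mount point and give it the same shape as the other rules, e.g. `mount fstype={fuse,fuse.*} -> /media/*/,` already exists above, so confirm which path is actually being refused; if `/` truly is required, at least keep the fstype filter on it (`mount fstype={fuse,fuse.*} -> /,`). The new `/tmp/.mount_*/` mount/umount pair and the `.AppImage` read rules look consistent with the AppImage profile added in this commit. The profile continues outside the hunks.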


@ -16,6 +16,13 @@ include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/git
@{exec_path} += /{usr/,}bin/git-*
@{exec_path} += /{usr/,}lib/git-core/git
@{exec_path} += /{usr/,}lib/git-core/git-*
@{exec_path} += /usr/libexec/git-core/git
@{exec_path} += /usr/libexec/git-core/git-*
@{exec_path} += /usr/libexec/git-core/mergetools/*
profile git @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -27,10 +34,7 @@ profile git @{exec_path} {
network inet stream,
network inet6 stream,
@{exec_path} mr,
/{usr/,}lib/git-core/git rix,
/{usr/,}lib/git-core/git-* rix,
@{exec_path} mrix,
# When you mistype a command, git checks the $PATH variable and search its exec dirs to give you
# the most similar commands, which it thinks can be used instead. Git binaries are all under
@ -159,8 +163,8 @@ profile git @{exec_path} {
owner @{HOME}/.fzf/plugin/fzf.vim r,
# The git repository files
owner /media/debuilder/ r,
owner /media/debuilder/** rw,
owner @{BUILD_DIR}/ r,
owner @{BUILD_DIR}/** rw,
}


@ -49,7 +49,7 @@ profile google-chrome-chrome @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
deny network netlink raw,
network netlink raw,
@{exec_path} mrix,


@ -30,8 +30,8 @@ profile gpartedbin @{exec_path} {
# will remain in use. You should reboot now before making further changes.
capability sys_admin,
# When gparted is started via pkexec.
#capability dac_read_search,
#
capability dac_read_search,
# Needed? (##FIXME##)
capability sys_rawio,


@ -17,6 +17,7 @@ include <tunables/global>
@{exec_path} += /usr/libexec/gvfs-udisks2-volume-monitor
profile gvfs-udisks2-volume-monitor @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/disks-read>
include <abstractions/devices-usb>
@ -47,18 +48,19 @@ profile gvfs-udisks2-volume-monitor @{exec_path} {
@{HOME}/*/*/**/ r,
@{HOME}/bluetooth/ r,
owner @{HOME}/.local/share/mime/treemagic r,
/usr/share/mime/treemagic r,
/ r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
@{run}/mount/utab r,
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/1/cgroup r,
@{PROC}/locks r,
include if exists <local/gvfs-udisks2-volume-monitor>
}


@ -23,8 +23,8 @@ profile gvfsd @{exec_path} {
/{usr/,}bin/{,ba,da}sh rix,
# Don't strip env here.
/{usr/,}lib/gvfs/gvfsd-* rcx -> backends,
/usr/libexec/gvfsd-* rcx -> backends,
/{usr/,}lib/gvfs/gvfsd-* rPx,
/usr/libexec/gvfsd-* rPx,
/usr/share/gvfs/{,**} r,
@ -32,42 +32,5 @@ profile gvfsd @{exec_path} {
owner @{PROC}/@{pid}/fd/ r,
profile backends {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice>
include <abstractions/freedesktop.org>
include <abstractions/trash>
include <abstractions/disks-read>
include <abstractions/devices-usb>
include <abstractions/user-download-strict>
mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/,
/{usr/,}lib/gvfs/gvfsd-* mr,
/usr/libexec/gvfsd-* mr,
/{usr/,}bin/ssh rPx,
/usr/bin/fusermount{,3} rPx,
/dev/ptmx rw,
/dev/fuse rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{run}/samba/ rw,
@{run}/mount/utab r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
}
include if exists <local/gvfsd>
}
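Review bot: With `rcx -> backends` replaced by `rPx`, every `gvfsd-*` helper must have a loaded profile of its own or its exec is denied outright, since `rPx` has no fallback, so any backend missing from the set this commit adds (admin, afc, afp, afp-browse, archive, burn, cdda, computer, dav, dnssd, ftp, fuse, google, gphoto2, http, localtest, mtp, network, nfs, recent, sftp, smb, smb-browse, trash) stops working with nothing visible to the user but a mount failure. That is the safer default, but it deserves a comment at the exec rules, e.g. `# Each backend has its own profile; a gvfsd-* without one is denied (rPx has no fallback)`, and a check of the installed `/usr/libexec/gvfsd-*` list against the profile names. The removed `backends` child profile is history here; the rules it carried are reviewed on the new per-backend files.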

24
apparmor.d/gvfsd-admin Normal file

@ -0,0 +1,24 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-admin
@{exec_path} += /usr/libexec/gvfsd-admin
profile gvfsd-admin @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/gvfsd-admin>
}
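Review bot: This profile, like the new gvfsd-afc, gvfsd-afp, gvfsd-afp-browse, gvfsd-burn, gvfsd-cdda, gvfsd-computer, gvfsd-dav, gvfsd-dnssd, gvfsd-google, gvfsd-gphoto2, gvfsd-localtest and gvfsd-network, consists of `abstractions/base` plus `@{exec_path} mr` and nothing else, whereas the `backends` child profile they replace (removed in the gvfsd hunk) included nameservice, freedesktop.org, trash, disks-read, devices-usb and user-download-strict and allowed fusermount, ssh and /dev/fuse. Backends that talk to the network (dav, google, afp, dnssd) or to USB devices (afc, gphoto2) can hardly function under base alone, so unless each has actually been exercised, mark the untested ones `flags=(complain)` until their rules are collected, e.g. `profile gvfsd-admin @{exec_path} flags=(complain) {`, and say so in a comment so they are not mistaken for finished enforce-mode profiles.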

24
apparmor.d/gvfsd-afc Normal file

@ -0,0 +1,24 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-afc
@{exec_path} += /usr/libexec/gvfsd-afc
profile gvfsd-afc @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/gvfsd-afc>
}

24
apparmor.d/gvfsd-afp Normal file

@ -0,0 +1,24 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-afp
@{exec_path} += /usr/libexec/gvfsd-afp
profile gvfsd-afp @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/gvfsd-afp>
}


@ -0,0 +1,24 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-afp-browse
@{exec_path} += /usr/libexec/gvfsd-afp-browse
profile gvfsd-afp-browse @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/gvfsd-afp-browse>
}

30
apparmor.d/gvfsd-archive Normal file

@ -0,0 +1,30 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-archive
@{exec_path} += /usr/libexec/gvfsd-archive
profile gvfsd-archive @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
@{exec_path} mr,
owner /**.tar r,
owner /**.tar.gz r,
owner /**.zip r,
include if exists <local/gvfsd-archive>
}
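Review bot: `owner /**.tar r`, `owner /**.tar.gz r` and `owner /**.zip r` let the backend read matching files the user owns anywhere in the filesystem, which is broader than the `@{HOME}`/`/media` scoping used elsewhere in this commit (e.g. the `.AppImage` rules in fusermount), and at the same time narrower than what the backend handles, since as far as I know it is libarchive-based and also opens `.tar.xz`, `.7z`, `.rar`, `.iso` and similar. An extension variable in the style of `@{ffmpeg_ext}` in the ffmpeg profile, applied to the user's own directories, would address both, e.g. `owner @{HOME}/**.@{archive_ext} r,` plus `owner /media/*/**.@{archive_ext} r,` with `@{archive_ext}` defined next to `@{exec_path}`.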

24
apparmor.d/gvfsd-burn Normal file

@ -0,0 +1,24 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-burn
@{exec_path} += /usr/libexec/gvfsd-burn
profile gvfsd-burn @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/gvfsd-burn>
}

24
apparmor.d/gvfsd-cdda Normal file

@ -0,0 +1,24 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-cdda
@{exec_path} += /usr/libexec/gvfsd-cdda
profile gvfsd-cdda @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/gvfsd-cdda>
}

24
apparmor.d/gvfsd-computer Normal file

@ -0,0 +1,24 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-computer
@{exec_path} += /usr/libexec/gvfsd-computer
profile gvfsd-computer @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/gvfsd-computer>
}

24
apparmor.d/gvfsd-dav Normal file

@ -0,0 +1,24 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-dav
@{exec_path} += /usr/libexec/gvfsd-dav
profile gvfsd-dav @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/gvfsd-dav>
}

24
apparmor.d/gvfsd-dnssd Normal file

@ -0,0 +1,24 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-dnssd
@{exec_path} += /usr/libexec/gvfsd-dnssd
profile gvfsd-dnssd @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/gvfsd-dnssd>
}

38
apparmor.d/gvfsd-ftp Normal file

@ -0,0 +1,38 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-ftp
@{exec_path} += /usr/libexec/gvfsd-ftp
profile gvfsd-ftp @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include if exists <local/gvfsd-ftp>
}

30
apparmor.d/gvfsd-fuse Normal file

@ -0,0 +1,30 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-fuse
@{exec_path} += /usr/libexec/gvfsd-fuse
profile gvfsd-fuse @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/fusermount{,3} rPx,
mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/,
/dev/fuse rw,
include if exists <local/gvfsd-fuse>
}

24
apparmor.d/gvfsd-google Normal file

@ -0,0 +1,24 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-google
@{exec_path} += /usr/libexec/gvfsd-google
profile gvfsd-google @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/gvfsd-google>
}

24
apparmor.d/gvfsd-gphoto2 Normal file

@ -0,0 +1,24 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-gphoto2
@{exec_path} += /usr/libexec/gvfsd-gphoto2
profile gvfsd-gphoto2 @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/gvfsd-gphoto2>
}

34
apparmor.d/gvfsd-http Normal file

@ -0,0 +1,34 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-http
@{exec_path} += /usr/libexec/gvfsd-http
profile gvfsd-http @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
network netlink raw,
@{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include if exists <local/gvfsd-http>
}


@ -0,0 +1,24 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-localtest
@{exec_path} += /usr/libexec/gvfsd-localtest
profile gvfsd-localtest @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/gvfsd-localtest>
}

34
apparmor.d/gvfsd-mtp Normal file

@ -0,0 +1,34 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-mtp
@{exec_path} += /usr/libexec/gvfsd-mtp
profile gvfsd-mtp @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/devices-usb>
network netlink raw,
@{exec_path} mr,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include if exists <local/gvfsd-mtp>
}

24
apparmor.d/gvfsd-network Normal file

@ -0,0 +1,24 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-network
@{exec_path} += /usr/libexec/gvfsd-network
profile gvfsd-network @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/gvfsd-network>
}

29
apparmor.d/gvfsd-nfs Normal file

@ -0,0 +1,29 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-nfs
@{exec_path} += /usr/libexec/gvfsd-nfs
profile gvfsd-nfs @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
include if exists <local/gvfsd-nfs>
}

26
apparmor.d/gvfsd-recent Normal file

@ -0,0 +1,26 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-recent
@{exec_path} += /usr/libexec/gvfsd-recent
profile gvfsd-recent @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
owner @{HOME}/.local/share/recently-used.xbel r,
include if exists <local/gvfsd-recent>
}

33
apparmor.d/gvfsd-sftp Normal file

@ -0,0 +1,33 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-sftp
@{exec_path} += /usr/libexec/gvfsd-sftp
profile gvfsd-sftp @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
@{exec_path} mr,
owner @{PROC}/@{pid}/fd/ r,
/dev/ptmx rw,
/{usr/,}bin/ssh rPx,
include if exists <local/gvfsd-sftp>
}

39
apparmor.d/gvfsd-smb Normal file

@ -0,0 +1,39 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-smb
@{exec_path} += /usr/libexec/gvfsd-smb
profile gvfsd-smb @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
network netlink raw,
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
@{exec_path} mr,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/samba/smb.conf r,
include if exists <local/gvfsd-smb>
}


@ -0,0 +1,38 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-smb-browse
@{exec_path} += /usr/libexec/gvfsd-smb-browse
profile gvfsd-smb-browse @{exec_path} {
include <abstractions/base>
network netlink raw,
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
@{exec_path} mr,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/samba/smb.conf r,
include if exists <local/gvfsd-smb-browse>
}

36
apparmor.d/gvfsd-trash Normal file

@ -0,0 +1,36 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-trash
@{exec_path} += /usr/libexec/gvfsd-trash
profile gvfsd-trash @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/freedesktop.org>
include <abstractions/trash>
# When mounting a SMB share
network inet stream,
network inet6 stream,
@{exec_path} mr,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
@{run}/mount/utab r,
include if exists <local/gvfsd-trash>
}

102
apparmor.d/gzdoom Normal file

@ -0,0 +1,102 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/games/gzdoom
@{exec_path} += /opt/gzdoom/gzdoom
profile gzdoom @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/audio>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
network netlink raw,
ptrace (trace) peer=@{profile_name},
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/zsh rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/xmessage rix,
/{usr/,}bin/gdb rix,
/{usr/,}bin/iconv rix,
/opt/gzdoom/ r,
/opt/gzdoom/** mr,
/etc/gdb/gdbinit.d/ r,
/etc/gdb/gdbinit r,
/usr/share/gdb/{,**} r,
/usr/share/gcc/{,**} r,
deny /usr/share/gdb/{,**} w,
deny /usr/share/gcc/{,**} w,
/etc/zsh/zshenv r,
/etc/X11/app-defaults/* r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/uevent r,
owner @{HOME}/ r,
owner @{HOME}/.config/gzdoom/ rw,
owner @{HOME}/.config/gzdoom/** rw,
owner @{HOME}/.config/zdoom/ rw,
owner @{HOME}/.config/zdoom/** rwk,
owner @{HOME}/gzdoom-crash.log rw,
owner @{HOME}/gdb-respfile-* rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pids}/mem r,
owner @{PROC}/@{pids}/task/@{tid}/stat r,
owner @{PROC}/@{pids}/task/@{tid}/comm r,
owner @{PROC}/@{pids}/task/@{tid}/maps r,
owner @{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pid}/loginuid r,
owner @{PROC}/@{pid}/cmdline r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/sound/ r,
@{sys}/class/input/ r,
@{sys}/class/hidraw/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/**/sound/**/{uevent,ev,rel,key,abs} r,
@{sys}/devices/**/input/**/{uevent,ev,rel,key,abs} r,
@{run}/udev/data/+sound:* r,
@{run}/udev/data/+input:* r,
@{run}/udev/data/c13:[0-9]* r, # For /dev/input/*
@{run}/udev/data/c116:[0-9]* r, # For ALSA
@{run}/udev/data/c240:[0-9]* r, # For USB HID
include if exists <local/gzdoom>
}
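Review bot: The gdb/shell/ptrace rules in this new profile (`/{usr/,}bin/gdb rix`, `/{usr/,}bin/{,ba,da}sh rix`, `ptrace (trace) peer=@{profile_name}`, `owner @{PROC}/@{pids}/mem r`) carry no explanation; they look like gzdoom's crash handler running gdb against its own process to write `@{HOME}/gzdoom-crash.log`, but that is inferred from the file names. A short header over that group would keep the next maintainer from trimming it, e.g. `# Crash handler: gzdoom spawns gdb through a shell to dump a backtrace into ~/gzdoom-crash.log; ptrace is restricted to this profile.` Note also that `@{PROC}/@{pid}/fd/ r` and `@{PROC}/@{pid}/cmdline r` use `@{pid}` while the adjacent mem/task rules use `@{pids}`; if the repo's tunables distinguish the two, the choice should be made deliberately and consistently.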


@ -29,7 +29,7 @@ profile htop @{exec_path} {
capability sys_ptrace,
# Needed?
# Needed? (for system state)
audit deny capability net_admin,
signal (send),
@ -45,6 +45,10 @@ profile htop @{exec_path} {
@{PROC}/tty/drivers r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/pressure/cpu r,
@{PROC}/pressure/io r,
@{PROC}/pressure/memory r,
@{PROC}/diskstats r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/stat r,
@ -69,11 +73,25 @@ profile htop @{exec_path} {
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/task/@{tid}/io r,
@{PROC}/@{pids}/task/@{tid}/comm r,
@{PROC}/@{pids}/net/dev r,
owner @{PROC}/@{pid}/smaps_rollup r,
@{sys}/devices/virtual/block/zram[0-9]*/{disksize,mm_stat} r,
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
@{sys}/class/i2c-adapter/ r,
@{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r,
@{sys}/class/hwmon/ r,
@{sys}/class/power_supply/ r,
@{sys}/devices/**/power_supply/**/{uevent,type,online} r,
@{sys}/devices/**/hwmon/ r,
@{sys}/devices/**/hwmon/{name,temp*} r,
@{sys}/devices/**/hwmon/**/ r,
@{sys}/devices/**/hwmon/**/{name,temp*} r,
@{sys}/devices/**/hwmon[0-9]*/ r,
@{sys}/devices/**/hwmon[0-9]*/{name,temp*} r,
@{sys}/devices/**/hwmon[0-9]*/**/ r,
@{sys}/devices/**/hwmon[0-9]*/**/{name,temp*} r,
owner @{HOME}/.config/htop/ rw,
owner @{HOME}/.config/htop/htoprc rw,
@ -85,5 +103,8 @@ profile htop @{exec_path} {
# htop[]: Oh, oh, it's an error! possibly I die!
/dev/tty[0-9]* rw,
/etc/sensors.d/ r,
/etc/sensors3.conf r,
include if exists <local/htop>
}
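Review bot: The last four added sysfs rules, `@{sys}/devices/**/hwmon[0-9]*/ r` through `@{sys}/devices/**/hwmon[0-9]*/**/{name,temp*} r`, appear to be subsumed by the `@{sys}/devices/**/hwmon/**/` and `@{sys}/devices/**/hwmon/**/{name,temp*}` pair above them, since in sysfs the `hwmonN` directories sit under a `hwmon/` parent. Unless a device with `hwmonN` outside a `hwmon/` directory was actually observed, I would drop the four redundant lines, or add a comment naming the device that needed them so they are not removed later as duplicates.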


@ -38,8 +38,8 @@ profile keepassxc @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
deny network netlink dgram,
deny network netlink raw,
network netlink dgram,
network netlink raw,
@{exec_path} mrix,
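Review bot: Turning `deny network netlink dgram` and `deny network netlink raw` into allows is done without a comment, and the network rule syntax used here cannot narrow the netlink family, so the password manager now gets every NETLINK_* protocol (ROUTE, AUDIT, KOBJECT_UEVENT, ...) rather than only the interface enumeration it presumably needs. If the trigger was Qt's network-interface enumeration (NETLINK_ROUTE via getifaddrs), record it: `# Qt enumerates interfaces over NETLINK_ROUTE (getifaddrs); the rule cannot be narrowed to that family`. If the denials were merely log noise, the previous `deny` rules were the tighter option.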


@ -25,7 +25,7 @@ profile keepassxc-proxy @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
deny network netlink raw,
network netlink raw,
@{exec_path} mr,


@ -60,13 +60,6 @@ profile kodi @{exec_path} {
/usr/share/icons/*/index.theme r,
/etc/mime.types r,
# Media lib
/ r,
/media/ r,
/media/{Kabi,Zami}/ r,
/media/Kabi/mp3/{,**} r,
/media/Zami/{Film,Serial}/{,**} r,
/etc/timezone r,
/etc/fstab r,


@ -38,7 +38,9 @@ profile mount @{exec_path} flags=(complain) {
@{exec_path} mr,
/{usr/,}bin/ntfs-3g rPx,
/{usr/,}sbin/mount.cifs rPx,
/{usr/,}bin/lowntfs-3g rPx,
/{usr/,}bin/sshfs rPx,
/{usr/,}sbin/mount.* rPx,
# Mount points
/media/*/ r,
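Review bot: The catch-all `/{usr/,}sbin/mount.* rPx` requires a dedicated profile for every mount helper; a `mount.<fstype>` without one (this commit adds mount-cifs and mount-nfs, others are not visible here) is denied at exec rather than run unconfined, which is the safe default but will surface as a silent mount failure once the profile leaves complain mode. A comment stating that intent would help, e.g. `# Every mount.* helper must have its own profile; unprofiled helpers are denied on purpose.` The explicit `/{usr/,}sbin/mount.cifs rPx` line just above is now subsumed by the glob and can be dropped.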

57
apparmor.d/mount-cifs Normal file

@ -0,0 +1,57 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/mount.cifs
profile mount-cifs @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To mount anything.
capability sys_admin,
# (#FIXME#)
capability setpcap,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
/{usr/,}bin/systemd-ask-password rPUx,
/etc/fstab r,
owner @{HOME}/.smbcredentials r,
# Mount points
/media/*/ r,
/media/*/*/ r,
/mnt/ r,
/mnt/*/ r,
# Allow to mount smb/cifs disks only under the /media/ dirs
mount fstype=cifs -> /media/*/,
mount fstype=cifs -> /media/*/*/,
mount fstype=cifs -> /mnt/,
mount fstype=cifs -> /mnt/*/,
umount /media/*/,
umount /media/*/*/,
umount /mnt/,
umount /mnt/*/,
include if exists <local/mount-cifs>
}
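Review bot: The comment `# Allow to mount smb/cifs disks only under the /media/ dirs` does not match the rules under it, which also allow `/mnt/` and `/mnt/*/`; change it to `# Allow mounting cifs shares only under /media/ and /mnt/`. The `capability setpcap` marked `#FIXME#` is presumably cifs-utils dropping its capability bounding set after the mount (it uses libcap-ng), but that is inferred; if confirmed, replace the FIXME with that explanation, otherwise drop the capability, since CAP_SETPCAP is what lets the process modify its own capability sets. `/{usr/,}bin/systemd-ask-password rPUx` falls back to unconfined when no profile exists; a one-line comment acknowledging that would keep it from being tightened blindly.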

72
apparmor.d/mount-nfs Normal file

@ -0,0 +1,72 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/mount.nfs
profile mount-nfs @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To be able to mount anything
capability sys_admin,
capability chown,
capability setgid,
capability setuid,
capability net_bind_service,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/start-statd rix,
/{usr/,}bin/flock rix,
/usr/bin/systemctl rPx -> child-systemctl,
/etc/fstab r,
/etc/netconfig r,
/etc/rpc r,
@{PROC}/filesystems r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{run}/mount/utab{,.*} rw,
owner @{run}/mount/utab.lock wk,
owner @{run}/rpc.statd.lock wk,
# Mount points
/media/*/ r,
/media/*/*/ r,
/mnt/ r,
/mnt/*/ r,
# Allow to mount smb/cifs disks only under the /media/ dirs
mount fstype=nfs -> /media/*/,
mount fstype=nfs -> /media/*/*/,
mount fstype=nfs -> /mnt/,
mount fstype=nfs -> /mnt/*/,
umount /media/*/,
umount /media/*/*/,
umount /mnt/,
umount /mnt/*/,
include if exists <local/mount-nfs>
}
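Review bot: The comment above the mount rules, `# Allow to mount smb/cifs disks only under the /media/ dirs`, was copied from the cifs profile: this profile mounts NFS and also allows `/mnt/`; replace it with `# Allow mounting NFS exports only under /media/ and /mnt/`. The `chown`, `setgid`, `setuid` and `net_bind_service` capabilities are grouped under `# To be able to mount anything`, but only `sys_admin` is about mounting; `net_bind_service` is presumably for the privileged source port NFS/RPC uses and the identity ones for the statd start, so a one-line comment each would preserve the rationale when someone trims the profile.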


@ -53,10 +53,6 @@ profile mpsyt @{exec_path} {
# Cache files
owner @{HOME}/.cache/youtube-dl/youtube-sigfuncs/js_*.json{,.*.tmp} rw,
# Download DIR
/media/Kabi/YT/ r,
/media/Kabi/YT/** rw,
/etc/inputrc r,
/etc/mime.types r,


@ -85,7 +85,7 @@ profile mpv @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
deny network netlink raw,
network netlink raw,
@{exec_path} mr,

95
apparmor.d/nemo Normal file

@ -0,0 +1,95 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/nemo
profile nemo @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
# This should be tightened when the "profile has merged rule with conflicting x modifiers" error
# will be fixed. (#FIXME#)
include <abstractions/app-launcher-user>
include <abstractions/app-launcher-root>
# For root window
deny capability dac_read_search,
deny capability dac_override,
# Needed?
deny capability sys_nice,
network inet stream,
network inet6 stream,
@{exec_path} mr,
/{usr/,}lib/@{multiarch}/nemo/** mrix,
/usr/libexec/gvfsd-* rPx,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/fd/ r,
# To read/write files in the system. The read permission is granted for all files, the write
# permission only for the owner. Also, dirs like /dev/, /efi/, /proc/, /sys/ are not included in
# the list.
/ r,
/boot/ r,
/boot/** r,
owner /boot/** rw,
/etc/ r,
/etc/** r,
owner /etc/** rw,
/home/ r,
/home/** r,
owner /home/** rw,
/lost+found/ r,
/lost+found/** r,
owner /lost+found/** rw,
/media/ r,
/media/** r,
owner /media/** rw,
/mnt/ r,
/mnt/** r,
owner /mnt/** rw,
/opt/ r,
/opt/** r,
owner /opt/** rw,
/root/ r,
/root/** r,
owner /root/** rw,
/run/ r,
/run/** r,
owner /run/** rw,
/srv/ r,
/srv/** r,
owner /srv/** rw,
/tmp/ r,
/tmp/** r,
owner /tmp/** rw,
/usr/ r,
/usr/** r,
owner /usr/** rw,
/var/ r,
/var/** r,
owner /var/** rw,
include if exists <local/nemo>
}
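Review bot: `/run/** r` together with `owner /run/** rw` gives nemo the whole of `/run`, including the user's sockets under `@{run}/user/<uid>/` (D-Bus, Wayland, PulseAudio, keyring, ...), and the header comment listing the excluded dirs (`/dev/`, `/efi/`, `/proc/`, `/sys/`) does not mention it. A file manager needs the mount points, not the whole tree; I would narrow it to `/run/media/** r, owner /run/media/** rw, owner @{run}/user/[0-9]*/gvfs/** rw,` (keeping `/run/ r`), or at least say in the comment that `/run` is deliberately included. With `abstractions/app-launcher-root` plus `owner /usr/** rw` and `owner /etc/** rw`, a nemo run as root is effectively unconfined for writes; if root use is intended (the `# For root window` comment suggests so), that trade-off should be stated explicitly.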


@ -46,6 +46,7 @@ profile openbox @{exec_path} {
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/openbox/ rw,
owner @{HOME}/.cache/openbox/openbox.log rw,
owner @{HOME}/.cache/openbox/sessions/ rw,
owner @{HOME}/.Xauthority r,
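Review bot: `owner @{HOME}/.cache/openbox/sessions/ rw` matches only the directory itself (trailing slash), so any session files openbox writes inside it are still denied; if the goal was the session state, add `owner @{HOME}/.cache/openbox/sessions/* rw,` next to it. If only the directory creation showed up in the log, the rule is fine as is, but a comment such as `# session state written on exit` would say why. The enclosing profile starts outside this hunk.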


@ -52,7 +52,7 @@ profile opera @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
deny network netlink raw,
network netlink raw,
@{exec_path} mrix,


@ -59,7 +59,7 @@ profile pam-auth-update @{exec_path} flags=(complain) {
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rPx,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
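Review bot: `/{usr/,}bin/hostname rix` now runs hostname inside this profile (which carries `capability dac_read_search` and the complain flag) instead of transitioning to a hostname profile; the same switch is made in adequate, ucf and xdg-screensaver in this commit, but none of them says why. Since hostname is a small read-only utility that essentially only calls gethostname(), this is acceptable, but a comment would record the decision, e.g. `# hostname is run inline; it does not warrant its own profile`. I cannot see from this hunk whether the rest of the profile already grants what hostname needs.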


@ -54,6 +54,7 @@ profile ps @{exec_path} flags=(attach_disconnected) {
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/vm/min_free_kbytes r,
@{PROC}/tty/drivers r,
@{PROC}/uptime r,


@ -124,7 +124,7 @@ profile psi-plus @{exec_path} {
owner @{HOME}/.Xauthority r,
# file_inherit
deny /dev/dri/card[0-9]* rw,
/dev/dri/card[0-9]* rw,
}
@ -137,7 +137,7 @@ profile psi-plus @{exec_path} {
owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
# file_inherit
deny /dev/dri/card[0-9]* rw,
/dev/dri/card[0-9]* rw,
}
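Review bot: Turning `deny /dev/dri/card[0-9]* rw` into `/dev/dri/card[0-9]* rw` in both subprofiles does more than silence the `file_inherit` message: the `deny` only quieted the log for the inherited descriptor, whereas the allow also lets the child (gpg/gpg-agent, judging by the `.gnupg` rule) open the DRM device on its own. If the children genuinely need the descriptor, keep the allow but change the comment to say so; if it was log noise, the `deny` rules were the tighter choice. Both subprofiles begin outside this hunk, so I cannot see what else they permit.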


@ -39,8 +39,8 @@ profile quiterss @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
deny network netlink raw,
deny network netlink dgram,
network netlink raw,
network netlink dgram,
@{exec_path} mr,


@ -13,6 +13,8 @@ abi <abi/3.0>,
include <tunables/global>
@{ANDROID_SOURCE_DIR} = /media/Android/
@{exec_path} = /{usr/,}bin/repo
profile repo @{exec_path} {
include <abstractions/base>
@ -44,8 +46,8 @@ profile repo @{exec_path} {
/{usr/,}bin/gpg rCx -> gpg,
# Android source dir
owner /media/Android/** rwkl -> /media/Android/**,
owner /media/Android/**/.repo/repo/main.py rix,
owner @{ANDROID_SOURCE_DIR}/** rwkl -> @{ANDROID_SOURCE_DIR}/**,
owner @{ANDROID_SOURCE_DIR}/**/.repo/repo/main.py rix,
owner @{HOME}/.repoconfig/{,**} rw,
owner @{HOME}/.repo_.gitconfig.json rw,


@ -89,7 +89,7 @@ profile smplayer @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
deny network netlink dgram,
network netlink dgram,
@{exec_path} mrix,


@ -16,8 +16,10 @@ include <tunables/global>
@{exec_path} = /opt/SPFlashTool/flash_tool{,.sh}
profile spflashtool @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/deny-root-dir-access>
@{exec_path} mrix,
@ -38,33 +40,18 @@ profile spflashtool @{exec_path} {
owner /tmp/SP_FT_Logs/SP_FT_Dump_*/ADPT_[0-9]*-[0-9]*_[0-9]*.log w,
# For reading the scatter.txt file
/ r,
/media/ r,
owner /media/Android/{,**/} r,
owner /media/Android/**scatter.txt r,
# For backups
owner /media/Android/smartphones_flash_backup/ r,
owner /media/Android/smartphones_flash_backup/** rw,
owner /**/scatter.txt r,
owner @{HOME}/.config/Trolltech.conf rwk,
owner @{HOME}/.config/MTK/ rw,
owner @{HOME}/.config/MTK/Clipper.conf rwk,
owner @{HOME}/.Xauthority r,
owner @{HOME}/.icons/default/index.theme r,
/etc/X11/cursors/*.theme r,
/usr/share/icons/*/cursors/default r,
/usr/share/icons/*/index.theme rk,
/usr/share/icons/*/cursors/* r,
/dev/ r,
# For reading/writing from/to phone flash memory
/dev/ttyACM[0-9]* rw,
/sys/devices/pci[0-9]*/**/{idVendor,idProduct} r,
@{sys}/devices/pci[0-9]*/**/{idVendor,idProduct} r,
# Silence the noise
/opt/SPFlashTool/** w,

33
apparmor.d/sshfs Normal file

@ -0,0 +1,33 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/sshfs
profile sshfs @{exec_path} flags=(complain) {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/ssh rPx,
/{usr/,}bin/fusermount{,3} rPx,
/dev/fuse rw,
mount fstype=fuse.sshfs -> @{HOME}/*/,
mount fstype=fuse.sshfs -> @{HOME}/*/*/,
mount fstype=fuse.sshfs -> /media/*/,
mount fstype=fuse.sshfs -> /media/*/*/,
include if exists <local/sshfs>
}
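Review bot: Unlike the sibling mount-cifs and mount-nfs profiles added in this commit, this one has no `umount` rules and no read rules for the mount points, and nothing says that unmounting is delegated to `fusermount{,3} rPx`. A short comment, `# Mount points only under the user's home and /media; unmounting goes through fusermount`, would make the asymmetry intentional rather than an omission. Also `mount fstype=fuse.sshfs -> @{HOME}/*/` covers every user's home since `@{HOME}` expands to all home directories; DAC still applies, but if only the invoking user's directories are meant, that should be stated.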


@ -13,6 +13,8 @@ abi <abi/3.0>,
include <tunables/global>
@{MEDIA_LIB} = /media/*/mp3/
@{exec_path} = /{usr/,}bin/strawberry
profile strawberry @{exec_path} {
include <abstractions/base>
@ -54,9 +56,13 @@ profile strawberry @{exec_path} {
# Media library
/ r,
/media/ r,
owner /media/Kabi/ r,
owner /media/Kabi/mp3/ r,
owner /media/Kabi/mp3/** rw,
owner /media/*/ r,
owner @{MEDIA_LIB}/ r,
owner @{MEDIA_LIB}/** rw,
# Playlists
owner @{HOME}/**.{m3u,xspf,pls,asx,cue,wpl} rw,
owner @{HOME}/**.{M3U,XSPF,PLS,ASX,CUE,WPL} rw,
owner @{HOME}/ r,
owner @{HOME}/.config/strawberry/ rw,


@ -13,6 +13,8 @@ abi <abi/3.0>,
include <tunables/global>
@{MEDIA_LIB} = /media/*/mp3/
@{exec_path} = /{usr/,}bin/strawberry-tagreader
profile strawberry-tagreader @{exec_path} {
include <abstractions/base>
@ -27,8 +29,8 @@ profile strawberry-tagreader @{exec_path} {
@{exec_path} mr,
# Media library
owner /media/*/mp3/ r,
owner /media/*/mp3/** rw,
owner @{MEDIA_LIB}/ r,
owner @{MEDIA_LIB}/** rw,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -13,6 +13,9 @@ abi <abi/3.0>,
include <tunables/global>
@{SYNC_DIR} = @{HOME}/Sync/
@{SYNC_DIR} += /media/*/syncthing/
@{exec_path} = /{usr/,}bin/syncthing
profile syncthing @{exec_path} {
include <abstractions/base>
@ -35,9 +38,7 @@ profile syncthing @{exec_path} {
owner @{HOME}/.config/syncthing/ rw,
owner @{HOME}/.config/syncthing/** rwk,
# The sync folders
#owner @{HOME}/Sync/{,**} rw,
owner /media/*/syncthing/{,**} rw,
@{SYNC_DIR}/{,**} rw,
/etc/mime.types r,
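Review bot: The replacement rule `@{SYNC_DIR}/{,**} rw` drops the `owner` qualifier that the removed `owner /media/*/syncthing/{,**} rw` had, and `@{SYNC_DIR}` now also expands to every user's `@{HOME}/Sync/`, so as far as AppArmor is concerned syncthing may now write files it does not own in any sync directory. Unless shared multi-user folders are the goal, restore it: `owner @{SYNC_DIR}/{,**} rw,`. If dropping `owner` is intentional (e.g. syncing files created by another account), a comment saying so would stop the next reviewer from re-adding it.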


@ -46,7 +46,7 @@ profile thunderbird @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
deny network netlink raw,
network netlink raw,
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
# to "1".


@ -113,7 +113,7 @@ profile ucf @{exec_path} flags=(complain) {
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rPx,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,


@ -16,6 +16,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/umount
profile umount @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To be able to umount anything
# umount2("/mnt", 0) = -1 EPERM (Operation not permitted)
@ -33,9 +34,12 @@ profile umount @{exec_path} flags=(complain) {
@{exec_path} mr,
/{usr/,}sbin/umount.udisks2 rPx,
/{usr/,}sbin/umount.* rPx,
# Mount points
@{HOME}/ r,
@{HOME}/*/ r,
@{HOME}/*/*/ r,
/media/*/ r,
/media/*/*/ r,
/mnt/ r,
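Review bot: The new `@{HOME}/ r`, `@{HOME}/*/ r` and `@{HOME}/*/*/ r` rules only grant directory reads; if they were added because the sshfs profile in this commit may mount `fuse.sshfs` under `@{HOME}/*/` and `@{HOME}/*/*/`, the matching `umount @{HOME}/*/,` and `umount @{HOME}/*/*/,` rules are needed as well, and they are not visible in this hunk (the rest of the profile is outside it). Note also that `@{HOME}` expands to every user's home, not the caller's; for listing that is harmless, but the `# Mount points` comment could say `# Mount points (sshfs under $HOME, removable media, /mnt)` to record why home directories appear here.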


@ -13,7 +13,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/upower/upowerd /usr/libexec/upowerd
@{exec_path} = /{usr/,}lib/upower/upowerd
@{exec_path} += /usr/libexec/upowerd
profile upowerd @{exec_path} {
include <abstractions/base>
include <abstractions/devices-usb>


@ -84,7 +84,7 @@ profile vlc @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
deny network netlink raw,
network netlink raw,
@{exec_path} mrix,


@ -30,7 +30,7 @@ profile wget @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
deny network netlink raw,
network netlink raw,
@{exec_path} mr,
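Review bot: `network netlink raw` replaces a `deny` without a comment; for a downloader the most likely reason is glibc's getaddrinfo() with AI_ADDRCONFIG opening a NETLINK_ROUTE socket to check which address families are configured, but that is inferred. Since the network rule cannot restrict the netlink family, the grant covers all NETLINK_* protocols; a comment such as `# glibc getaddrinfo(AI_ADDRCONFIG) probes interfaces over NETLINK_ROUTE` would document the trade-off. If the denial was harmless (getaddrinfo falls back when the socket cannot be opened), the previous `deny` was the tighter option.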


@ -37,7 +37,7 @@ profile xdg-screensaver @{exec_path} {
/{usr/,}bin/xprop rPx,
/{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/xset rPx,
/{usr/,}bin/hostname rPx,
/{usr/,}bin/hostname rix,
/dev/dri/card[0-9] rw,