feat(profile): general update.

This commit is contained in:
Alexandre Pujol 2024-09-09 19:57:49 +01:00
parent a99fbaa0be
commit c7181ecadf
32 changed files with 152 additions and 158 deletions


@ -61,6 +61,7 @@
owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w,
owner @{tmp}/scoped_dir@{rand6}/SS w, owner @{tmp}/scoped_dir@{rand6}/SS w,
/dev/shm/ r,
owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
@{sys}/devices/system/cpu/kernel_max r, @{sys}/devices/system/cpu/kernel_max r,


@ -3,9 +3,9 @@
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# Core set of resources for any games on Linux. Runtimes such as sandboxing, # Core set of resources for any games on Linux. Runtimes such as sandboxing,
# wine, proton, game launchers should use this abstraction. # wine, proton, game launchers should use this abstraction.
# This abstraction use the following tunables: # This abstraction uses the following tunables:
# - @{XDG_GAMESSTUDIO_DIR} for game studio and game engines specific directories # - @{XDG_GAMESSTUDIO_DIR} for game studio and game engines specific directories
# (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d") # (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d")
# - @{user_games_dirs} for user specific game directories (eg: steam storage dir) # - @{user_games_dirs} for user specific game directories (eg: steam storage dir)
@ -38,7 +38,7 @@
owner @{user_games_dirs}/ r, owner @{user_games_dirs}/ r,
owner @{user_games_dirs}/*/ r, owner @{user_games_dirs}/*/ r,
owner @{user_games_dirs}/*/{,**} rwkl, owner @{user_games_dirs}/*/** rwlk,
owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
@ -50,11 +50,15 @@
owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw, owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
owner @{tmp}/#@{int} rw, owner @{tmp}/#@{int} rw,
owner @{tmp}/AsyncGPUReadbackPlugin_*.log w,
owner @{tmp}/CASESENSITIVETEST@{hex32} rw, owner @{tmp}/CASESENSITIVETEST@{hex32} rw,
owner @{tmp}/crashes/ rw, owner @{tmp}/crashes/ rw,
owner @{tmp}/crashes/** rwk, owner @{tmp}/crashes/** rwk,
owner @{tmp}/miles_image_@{rand6} mrw, owner @{tmp}/miles_image_@{rand6} mrw,
owner @{tmp}/runtime-info.txt.@{rand6} rw, owner @{tmp}/runtime-info.txt.@{rand6} rw,
owner @{tmp}/tmp@{rand6}.tmp rw,
owner @{tmp}/tmp@{rand6}@{h}.tmp rw,
owner @{tmp}/tmp@{rand8}.tmp rw,
owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
owner /dev/shm/mono.@{int} rw, owner /dev/shm/mono.@{int} rw,


@ -6,10 +6,10 @@
owner @{user_cache_dirs}/ w, owner @{user_cache_dirs}/ w,
owner @{user_cache_dirs}/qtshadercache/ rw, owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/#@{int} rw, owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int}, owner @{user_cache_dirs}/qtshadercache/@{hex} rwl,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/ rw, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/ rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int}, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl,
include if exists <abstractions/qt5-shader-cache.d> include if exists <abstractions/qt5-shader-cache.d>
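Review bot: Dropping the explicit `-> @{user_cache_dirs}/qtshadercache/#@{int}` target on the two `rwl` rules widens the link permission from a single temp-file target to any path the profile otherwise grants matching access to, since an untargeted `l` is only governed by the generic subset check. If the shader cache only ever links its `@{hex}` files to the `#@{int}` temp files, keep the target, e.g. `owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},` and the same for the `little_endian` variant. If the target was dropped because the observed link pattern differs in practice, a one-line comment on the rule saying so would stop the next reader from re-adding it.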


@ -18,19 +18,18 @@ profile apt-cdrom @{exec_path} flags=(complain) {
@{exec_path} mr, @{exec_path} mr,
@{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
@{bin}/mount rCx -> mount, @{bin}/mount rCx -> mount,
@{bin}/umount rCx -> umount, @{bin}/umount rCx -> umount,
/etc/fstab r, /etc/fstab r,
# Are all of these needed? (#FIXME#) /etc/apt/sources.list{,.new} rw,
@{sys}/bus/ r, /etc/apt/sources.list~ w,
@{sys}/bus/*/devices/ r,
@{sys}/class/ r, /var/lib/apt/lists/** rw,
@{sys}/class/*/ r,
@{sys}/devices/**/uevent r, /var/lib/apt/cdroms.list{,.new} rw,
# @{run}/udev/data/* r, /var/lib/apt/cdroms.list~ w,
# For cd-roms # For cd-roms
/media/cdrom@{int}/ r, /media/cdrom@{int}/ r,
@ -46,16 +45,15 @@ profile apt-cdrom @{exec_path} flags=(complain) {
@{MOUNTS}/dists/**/binary-*/Packages{,.gz} r, @{MOUNTS}/dists/**/binary-*/Packages{,.gz} r,
@{MOUNTS}/dists/**/i18n/Translation-en{,.gz} r, @{MOUNTS}/dists/**/i18n/Translation-en{,.gz} r,
/var/lib/apt/lists/** rw, # Are all of these needed? (#FIXME#)
@{sys}/bus/ r,
@{sys}/bus/*/devices/ r,
@{sys}/class/ r,
@{sys}/class/*/ r,
@{sys}/devices/**/uevent r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
/var/lib/apt/cdroms.list{,.new} rw,
/var/lib/apt/cdroms.list~ w,
/etc/apt/sources.list{,.new} rw,
/etc/apt/sources.list~ w,
profile mount flags=(complain) { profile mount flags=(complain) {
include <abstractions/base> include <abstractions/base>


@ -64,7 +64,7 @@ profile dbus-session flags=(attach_disconnected) {
@{sys}/kernel/security/apparmor/.access rw, @{sys}/kernel/security/apparmor/.access rw,
@{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/kernel/security/apparmor/features/dbus/mask r,
@{sys}/module/apparmor/parameters/enabled r, @{sys}/module/apparmor/parameters/enabled r,
@{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/attr/apparmor/current r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,


@ -62,13 +62,9 @@ profile child-modprobe-nvidia flags=(attach_disconnected) {
include <abstractions/app/kmod> include <abstractions/app/kmod>
capability mknod, capability mknod,
# capability sys_module,
/etc/nvidia/{current,legacy*,tesla*}/*.conf r, /etc/nvidia/{current,legacy*,tesla*}/*.conf r,
# @{sys}/module/ipmi_devintf/initstate r,
# @{sys}/module/ipmi_msghandler/initstate r,
# @{sys}/module/{drm,nvidia}/initstate r,
@{sys}/module/compression r, @{sys}/module/compression r,
deny @{HOME}/.steam/** r, deny @{HOME}/.steam/** r,


@ -21,7 +21,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
capability sys_nice, capability sys_nice,
capability sys_ptrace, capability sys_ptrace,
ptrace (read) peer=unconfined, ptrace read peer=unconfined,
#aa:dbus own bus=system name=org.freedesktop.Accounts #aa:dbus own bus=system name=org.freedesktop.Accounts
@ -58,24 +58,23 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
/etc/shells r, /etc/shells r,
/etc/sysconfig/displaymanager r, /etc/sysconfig/displaymanager r,
/var/log/wtmp r,
owner /var/lib/AccountsService/ r, owner /var/lib/AccountsService/ r,
owner /var/lib/AccountsService/** rw, owner /var/lib/AccountsService/** rw,
@{HOME}/ r, @{HOME}/ r,
owner @{HOME}/.pam_environment r, owner @{HOME}/.pam_environment r,
owner @{PROC}/@{pid}/fd/ r, owner @{tmp}/gnome-control-center-user-icon-@{rand6} rw,
owner @{PROC}/@{pid}/loginuid rw,
@{PROC}/@{pids}/loginuid r, @{PROC}/@{pid}/cmdline r,
@{PROC}/@{pids}/cmdline r, @{PROC}/@{pid}/loginuid r,
@{PROC}/1/environ r, @{PROC}/1/environ r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pid}/fd/ r,
# wtmp.d ? owner @{PROC}/@{pid}/loginuid rw,
/var/log/wtmp r,
owner @{tmp}/gnome-control-center-user-icon-@{rand6} rw,
include if exists <local/accounts-daemon> include if exists <local/accounts-daemon>
} }
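Review bot: After the rename from `@{pids}` to `@{pid}`, the unqualified `@{PROC}/@{pid}/cmdline r,` and `@{PROC}/@{pid}/loginuid r,` sit next to `owner @{PROC}/@{pid}/loginuid rw,`, and nothing now signals that the unqualified pair is meant to cover processes other than the daemon itself (presumably the callers it identifies — confirm). A one-line comment such as `# Read caller processes` above the two unqualified rules keeps that intent visible, especially if `@{pid}` and `@{pids}` expand to the same pattern and only `owner` distinguishes them. The `/var/log/wtmp r,` and `gnome-control-center-user-icon` moves look like plain reorders.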


@ -32,14 +32,14 @@ profile xdg-screensaver @{exec_path} {
@{bin}/xset rPx, @{bin}/xset rPx,
@{bin}/hostname rix, @{bin}/hostname rix,
/dev/dri/card@{int} rw,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{HOME}/.Xauthority r, owner @{HOME}/.Xauthority r,
owner @{tmp}/xauth-@{int}-_[0-9] r, owner @{tmp}/xauth-@{int}-_[0-9] r,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
/dev/dri/card@{int} rw,
include if exists <local/xdg-screensaver> include if exists <local/xdg-screensaver>
} }


@ -39,7 +39,7 @@ profile gnome-control-center-goa-helper @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{bin}/bwrap rPUx, @{bin}/bwrap rCx -> bwrap,
@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
@ -48,9 +48,11 @@ profile gnome-control-center-goa-helper @{exec_path} {
owner @{user_config_dirs}/goa-1.0/accounts.conf r, owner @{user_config_dirs}/goa-1.0/accounts.conf r,
owner @{user_cache_dirs}/gnome-control-center-goa-helper/{,**} rwl, owner @{user_cache_dirs}/gnome-control-center-goa-helper/ rw,
owner @{user_cache_dirs}/gnome-control-center-goa-helper/** rwl,
owner @{user_share_dirs}/gnome-control-center-goa-helper/{,**} rwk, owner @{user_share_dirs}/gnome-control-center-goa-helper/ rw,
owner @{user_share_dirs}/gnome-control-center-goa-helper/** rwk,
owner @{user_share_dirs}/webkitgtk/{,**} rw, owner @{user_share_dirs}/webkitgtk/{,**} rw,
owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk, owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,
@ -63,6 +65,15 @@ profile gnome-control-center-goa-helper @{exec_path} {
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
profile bwrap flags=(attach_disconnected,complain) {
include <abstractions/base>
include <abstractions/common/bwrap>
@{bin}/bwrap mr,
include if exists <local/gnome-control-center-goa-helper_bwrap>
}
include if exists <local/gnome-control-center-goa-helper> include if exists <local/gnome-control-center-goa-helper>
} }
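Review bot: The new `bwrap` child profile carries `flags=(attach_disconnected,complain)`, so the switch from `rPUx` to `rCx -> bwrap` does not yet confine bwrap but only logs what it does; the `complain` flag needs a tracking note so it is not left behind. The child body is minimal (`@{bin}/bwrap mr,` plus `abstractions/common/bwrap`) and whatever bwrap launches inside the sandbox is not visible from the hunk, so denials will have to be collected before enforcing. A comment above the child such as `# TODO: complain mode until the sandboxed helper's rules are collected` would record that state.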


@ -33,6 +33,8 @@ profile gnome-weather @{exec_path} {
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r,
deny owner @{user_share_dirs}/gvfs-metadata/* r,
include if exists <local/gnome-weather> include if exists <local/gnome-weather>
} }


@ -31,38 +31,14 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
network netlink raw, network netlink raw,
#aa:dbus own bus=session name=org.gnome.SettingsDaemon.MediaKeys #aa:dbus own bus=session name=org.gnome.SettingsDaemon.MediaKeys
#aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill
#aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell
dbus send bus=system path=/org/freedesktop/login1 dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager interface=org.freedesktop.login1.Manager
member=PowerOff member=PowerOff
peer=(name=:*, label=systemd-logind), peer=(name=:*, label=systemd-logind),
dbus send bus=session path=/org/gnome/Shell
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gnome-shell),
dbus send bus=session path=/org/gnome/Shell
interface=org.gnome.Shell
member={GrabAccelerators,UngrabAccelerators}
peer=(name=:*, label=gnome-shell),
dbus receive bus=session path=/org/gnome/Shell
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
peer=(name=:*, label=gnome-shell),
dbus receive bus=session path=/org/gnome/Shell
interface=org.gnome.Shell
member=AcceleratorActivated
peer=(name=:*, label=gnome-shell),
dbus send bus=session path=/org/gnome/SettingsDaemon/Rfkill
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gsd-rfkill),
dbus receive bus=session path=/org/gnome/SettingsDaemon/Rfkill
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=gsd-rfkill),
dbus send bus=session path=/ dbus send bus=session path=/
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member=ListNames member=ListNames
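Review bot: Replacing the explicit `dbus send`/`dbus receive` rules with `#aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell` and the `gsd-rfkill` equivalent widens the policy: the removed rules were limited to `GetAll`, `PropertiesChanged`, `{Grab,Ungrab}Accelerators` and `AcceleratorActivated`, whereas a `talk` directive, as far as I understand the generator, emits send and receive for any interface and member on those names. If member-level restriction was intentional for the shell's accelerator API, keep the explicit rules, or note the widening in a comment beside the directive. The enclosing profile continues outside the hunk.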


@ -32,6 +32,23 @@ profile gpg @{exec_path} {
/etc/inputrc r, /etc/inputrc r,
#aa:only pacman
/etc/pacman.d/gnupg/gpg.conf r,
/etc/pacman.d/gnupg/pubring.gpg r,
/etc/pacman.d/gnupg/trustdb.gpg r,
#aa:only apt
owner /etc/apt/keyrings/ rw,
owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**,
owner /var/lib/*/{,.}gnupg/ rw,
owner /var/lib/*/{,.}gnupg/** rwkl -> /var/lib/*/{,.}gnupg/**,
# TODO: Remove after zypper profile is created
#aa:only zypper
owner /var/tmp/zypp.@{rand6}/ rw,
owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**,
owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
@ -45,26 +62,6 @@ profile gpg @{exec_path} {
owner @{user_share_dirs}/torbrowser/gnupg_homedir/ rw, owner @{user_share_dirs}/torbrowser/gnupg_homedir/ rw,
owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{user_share_dirs}/torbrowser/gnupg_homedir/**, owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{user_share_dirs}/torbrowser/gnupg_homedir/**,
#aa:only apt
owner /etc/apt/keyrings/ rw,
owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**,
#aa:only pacman
/etc/pacman.d/gnupg/gpg.conf r,
/etc/pacman.d/gnupg/pubring.gpg r,
/etc/pacman.d/gnupg/trustdb.gpg r,
owner /var/lib/*/gnupg/ rw,
owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**,
owner /var/lib/*/.gnupg/ rw,
owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**,
# TODO: Remove after zypper profile is created
#aa:only zypper
owner /var/tmp/zypp.@{rand6}/ rw,
owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**,
#aa:exclude ubuntu #aa:exclude ubuntu
owner @{tmp}/ostree-gpg-@{rand6}/ r, owner @{tmp}/ostree-gpg-@{rand6}/ r,
owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
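Review bot: The `owner /var/lib/*/{,.}gnupg/` and `**` rules now sit directly under `#aa:only apt` after the keyrings rules, whereas on the old side they followed `#aa:only pacman`; if the `#aa:only` directive scopes to the block that follows it, this silently changes which distributions ship these rules. Please confirm the intended scope, and if the rules are distribution-neutral move them outside both directives or add a comment stating why they belong to apt. Merging `gnupg` and `.gnupg` into `{,.}gnupg` itself looks equivalent to the removed pairs.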


@ -28,12 +28,12 @@ profile arch-audit @{exec_path} {
/var/lib/pacman/local/{,**} r, /var/lib/pacman/local/{,**} r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/mountinfo r,
@{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/mountinfo r,
/dev/pts/@{int} rw, /dev/pts/@{int} rw,
include if exists <local/arch-audit> include if exists <local/arch-audit>


@ -46,7 +46,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
@{bin}/gpg{,2} rCx -> gpg, @{bin}/gpg{,2} rCx -> gpg,
@{bin}/gpgconf rCx -> gpg, @{bin}/gpgconf rCx -> gpg,
@{bin}/gpgsm rCx -> gpg, @{bin}/gpgsm rCx -> gpg,
# Pacman hooks & install scripts # Pacman hooks & install scripts
@{sh_path} rix, @{sh_path} rix,
@{coreutils_path} rix, @{coreutils_path} rix,
@ -64,7 +64,6 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
@{bin}/gdk-pixbuf-query-loaders rPx, @{bin}/gdk-pixbuf-query-loaders rPx,
@{bin}/getent rix, @{bin}/getent rix,
@{bin}/gettext rix, @{bin}/gettext rix,
@{bin}/ghc-pkg{,-*} rPx,
@{bin}/gio-querymodules rPx, @{bin}/gio-querymodules rPx,
@{bin}/glib-compile-schemas rPx, @{bin}/glib-compile-schemas rPx,
@{bin}/groupadd rPx, @{bin}/groupadd rPx,
@ -118,9 +117,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
/var/** rwlk -> /var/**, /var/** rwlk -> /var/**,
# Read packages files # Read packages files
@{user_pkg_dirs}/ r, @{user_pkg_dirs}/{,**} r,
@{user_pkg_dirs}/**/ r,
@{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r,
owner /var/lib/pacman/{,**} rwl, owner /var/lib/pacman/{,**} rwl,
owner @{tmp}/alpm_@{rand6}/{,**} rw, owner @{tmp}/alpm_@{rand6}/{,**} rw,


@ -23,8 +23,7 @@ profile ssh @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
@{bin}/{,b,d,rb}ash rix, @{bin}/@{shells} rUx,
@{bin}/{c,k,tc,z}sh rix,
@{etc_ro}/ssh/ssh_config r, @{etc_ro}/ssh/ssh_config r,
@{etc_ro}/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/ssh_config.d/{,*} r,
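Review bot: `@{bin}/@{shells} rUx,` moves shells started by ssh from inheriting the ssh profile (`rix`) to running unconfined, and the same pattern appears in the runuser hunk (`rpux` to `rUx`). For ssh this presumably covers user-configured commands run through the shell (ProxyCommand-style options — not visible here), so the unconfined transition is a trust decision that deserves a why-comment, e.g. `# Shells run user-configured commands and are not confined by this profile`. Note that `rUx` also scrubs the environment, so a helper that relied on ssh's environment under `rix` may now behave differently.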


@ -12,7 +12,7 @@ profile ssh-agent-launch @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{bin}/{,z,ba,da}sh rix, @{sh_path} rix,
@{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/dbus-update-activation-environment rCx -> dbus,
@{bin}/getopt rix, @{bin}/getopt rix,
@{bin}/grep rix, @{bin}/grep rix,


@ -35,16 +35,6 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
member=GetManagedObjects member=GetManagedObjects
peer=(name=:*, label=pulseaudio), peer=(name=:*, label=pulseaudio),
dbus send bus=system path=/MediaEndpoint/{A2DPSink,A2DPSource}/*
interface=org.bluez.MediaEndpoint1
member=Release
peer=(name=:*, label=pulseaudio),
dbus send bus=system path=/Profile/{HFPAGProfile,HSPHSProfile}
interface=org.bluez.MediaEndpoint1
member=Release
peer=(name=:*, label=pulseaudio),
dbus send bus=system path=/ dbus send bus=system path=/
interface=org.freedesktop.DBus.ObjectManager interface=org.freedesktop.DBus.ObjectManager
member=InterfacesRemoved member=InterfacesRemoved


@ -29,18 +29,18 @@ profile cemu @{exec_path} flags=(attach_disconnected) {
owner @{user_config_dirs}/Cemu/{,**} rw, owner @{user_config_dirs}/Cemu/{,**} rw,
owner @{user_share_dirs}/Cemu/{,**} rw, owner @{user_share_dirs}/Cemu/{,**} rw,
owner @{PROC}/@{pid}/cmdline r, @{sys}/class/ r,
owner @{PROC}/@{pid}/fd r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/statm r,
owner @{sys}/class/ r,
@{sys}/class/input/ r, @{sys}/class/input/ r,
@{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/abs r, @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/abs r,
@{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/ev r, @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/ev r,
@{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/key r, @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/key r,
@{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/rel r, @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/rel r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/statm r,
/dev/input/ r, /dev/input/ r,
/dev/input/event@{int} rw, /dev/input/event@{int} rw,
/dev/input/js@{int} rw, /dev/input/js@{int} rw,


@ -41,7 +41,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
@{bin}/update-secureboot-policy rPUx, @{bin}/update-secureboot-policy rPUx,
@{bin}/zstd rix, @{bin}/zstd rix,
@{lib}/gcc/@{multiarch}/@{int}*/* rix, @{lib}/gcc/@{multiarch}/@{version}/* rix,
@{lib}/linux-kbuild-*/scripts/** rix, @{lib}/linux-kbuild-*/scripts/** rix,
@{lib}/linux-kbuild-*/tools/objtool/objtool rix, @{lib}/linux-kbuild-*/tools/objtool/objtool rix,
@{lib}/llvm-[0-9]*/bin/clang rix, @{lib}/llvm-[0-9]*/bin/clang rix,


@ -101,9 +101,11 @@ profile git @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
owner @{tmp}/git-commit-msg-.txt rw, # For android studio owner @{tmp}/git-commit-msg-.txt rw, # For android studio
deny @{user_share_dirs}/gvfs-metadata/* r,
deny /dev/shm/.org.chromium.Chromium* rw,
deny owner @{code_config_dirs}/** rw, deny owner @{code_config_dirs}/** rw,
deny owner @{user_share_dirs}/gvfs-metadata/* r,
deny owner @{user_share_dirs}/zed/**/data.mdb rw,
deny /usr/share/nvidia/nvidia-application-profiles-* r,
deny /dev/shm/.org.chromium.Chromium* rw,
profile gpg flags=(attach_disconnected) { profile gpg flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
@ -163,11 +165,11 @@ profile git @{exec_path} flags=(attach_disconnected) {
profile editor flags=(attach_disconnected) { profile editor flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/editor> include <abstractions/app/editor>
owner @{user_projects_dirs}/**/ r, owner @{user_projects_dirs}/**/ r,
owner @{user_projects_dirs}/**/.git/@{int} rw, owner @{user_projects_dirs}/**/.git/@{int} rw,
owner @{user_projects_dirs}/**/.git/*MSG rw, owner @{user_projects_dirs}/**/.git/*MSG rw,
# The git repository files # The git repository files
owner @{user_build_dirs}/ r, owner @{user_build_dirs}/ r,
owner @{user_build_dirs}/** rw, owner @{user_build_dirs}/** rw,


@ -22,6 +22,7 @@ profile gitstatusd @{exec_path} {
deny capability dac_read_search, deny capability dac_read_search,
deny capability dac_override, deny capability dac_override,
deny owner @{HOME}/.*-store/{,**} r, deny owner @{HOME}/.*-store/{,**} r,
deny owner @{user_share_dirs}/zed/**/data.mdb rw,
include if exists <local/gitstatusd> include if exists <local/gitstatusd>
} }


@ -4,6 +4,12 @@
# Copyright (C) 2022 Jeroen Rijken # Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# TODO: Rewrite this profile. Most of the rule should be confined directly by the calling profile
# Possible confinement depending of profile architecture:
# - As rix,
# - As rCx -> run-parts,
# - As rPx -> foo-run-parts,
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
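Review bot: The new TODO comment has two wording slips: `Most of the rule should be` reads `Most of the rules should be`, and `depending of profile architecture` should be `depending on profile architecture`. Since the list names the three possible transitions (`rix`, `rCx -> run-parts`, `rPx -> foo-run-parts`), a sentence stating which of them callers currently use would make the TODO actionable for whoever picks it up.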


@ -10,43 +10,30 @@ include <tunables/global>
@{exec_path} = @{bin}/runuser @{exec_path} = @{bin}/runuser
profile runuser @{exec_path} { profile runuser @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/authentication> include <abstractions/authentication>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/wutmp> include <abstractions/wutmp>
# To remove the following errors:
# runuser: cannot set user id: Operation not permitted
capability setuid, capability setuid,
# To remove the following errrors:
# runuser: cannot set groups: Operation not permitted
capability setgid, capability setgid,
# To write records to the kernel auditing log.
capability audit_write, capability audit_write,
# Needed? (#FIXME#)
capability sys_resource, capability sys_resource,
network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,
# Shells to use @{bin}/@{shells} rUx,
@{bin}/{,b,d,rb}ash rpux,
@{bin}/{c,k,tc,z}sh rpux,
owner @{PROC}/@{pid}/loginuid r,
@{PROC}/1/limits r,
@{etc_ro}/security/limits.d/ r, @{etc_ro}/security/limits.d/ r,
/etc/default/runuser r, /etc/default/runuser r,
# file_inherit
owner @{tmp}/debian-security-support.postinst.*/output w, owner @{tmp}/debian-security-support.postinst.*/output w,
@{PROC}/1/limits r,
owner @{PROC}/@{pid}/loginuid r,
include if exists <local/runuser> include if exists <local/runuser>
} }
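Review bot: The comments explaining each capability are removed together with the `# Needed? (#FIXME#)` marker on `capability sys_resource,`, so the open question about whether that capability is required disappears without being answered; keep at least `capability sys_resource, # Needed? (#FIXME#)` or resolve it by testing. The `rpux` to `rUx` change for `@{bin}/@{shells}` also drops the `p` fallback to a dedicated shell profile and turns on environment scrubbing, which a comment such as `# The target user's shell runs unconfined` would record as intentional. The remaining lines are reorders of the `@{PROC}` rules and the `consoles` include.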


@ -12,6 +12,7 @@ profile speedtest @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/python>
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
@ -26,12 +27,10 @@ profile speedtest @{exec_path} {
@{bin}/file rix, @{bin}/file rix,
@{bin}/uname rix, @{bin}/uname rix,
owner @{PROC}/@{pid}/fd/ r,
/usr/local/lib/python*/dist-packages/ r,
/etc/magic r, /etc/magic r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/speedtest> include if exists <local/speedtest>
} }


@ -17,10 +17,8 @@ profile spice-client-glib-usb-acl-helper @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{lib}/gconv/gconv-modules r,
owner @{PROC}/@{pid}/stat r,
@{PROC}/sys/kernel/cap_last_cap r, @{PROC}/sys/kernel/cap_last_cap r,
owner @{PROC}/@{pid}/stat r,
include if exists <local/spice-client-glib-usb-acl-helper> include if exists <local/spice-client-glib-usb-acl-helper>
} }


@ -16,7 +16,7 @@ profile ss @{exec_path} {
capability dac_read_search, capability dac_read_search,
capability sys_ptrace, capability sys_ptrace,
ptrace (read), # unconfined, TODO ptrace read,
network netlink raw, network netlink raw,
@ -27,21 +27,20 @@ profile ss @{exec_path} {
owner @{tmp}/*.ss rw, owner @{tmp}/*.ss rw,
owner @{HOME}/*.ss rw, owner @{HOME}/*.ss rw,
@{sys}/fs/cgroup/{,**/} r,
@{PROC} r, @{PROC} r,
@{PROC}/sys/net/ipv{4,6}/ip_local_port_range r, @{PROC}/@{pids}/attr/current r,
@{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/fd/ r,
@{PROC}/@{pids}/stat r, @{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/attr/current r, @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r,
owner @{PROC}/@{pids}/net/sockstat r, owner @{PROC}/@{pids}/mounts r,
owner @{PROC}/@{pids}/net/snmp r,
owner @{PROC}/@{pids}/net/unix r,
owner @{PROC}/@{pids}/net/raw r, owner @{PROC}/@{pids}/net/raw r,
owner @{PROC}/@{pids}/net/snmp r,
owner @{PROC}/@{pids}/net/sockstat r,
owner @{PROC}/@{pids}/net/tcp r, owner @{PROC}/@{pids}/net/tcp r,
owner @{PROC}/@{pids}/net/udp r, owner @{PROC}/@{pids}/net/udp r,
owner @{PROC}/@{pids}/net/unix r,
# [e]xtended
owner @{PROC}/@{pids}/mounts r,
@{sys}/fs/cgroup/{,**/} r,
include if exists <local/ss> include if exists <local/ss>
} }
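Review bot: `ptrace read,` keeps the unrestricted peer that the old line flagged with `# unconfined, TODO`, so the change drops the reminder without narrowing the rule. Reading other processes' fd tables for socket-to-process mapping is presumably why no peer is set, but the open item should survive, e.g. `ptrace read, # TODO: restrict peer`. The rest of the hunk is a reorder of the `@{PROC}` and `@{sys}/fs/cgroup` rules.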


@ -54,7 +54,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
ptrace read, ptrace read,
ptrace trace peer=steam, ptrace trace peer=steam,
signal send peer=steam-game, signal send peer=steam-game-{native,proton},
signal send peer=steam-launcher, signal send peer=steam-launcher,
signal send peer=steam//journalctl, signal send peer=steam//journalctl,
signal send peer=steam//web, signal send peer=steam//web,


@ -34,7 +34,7 @@ profile steam-launch @{exec_path} {
@{lib}/steam/bin_steam.sh rix, @{lib}/steam/bin_steam.sh rix,
@{share_dirs}/steam.sh rPx, @{share_dirs}/steam.sh rPx,
@{runtime_dirs}/@{arch}/steam-runtime-steam-remote rPUx, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rPx,
/usr/ r, /usr/ r,
/usr/local/ r, /usr/local/ r,


@ -0,0 +1,29 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{arch} = amd64 i386
@{runtime} = SteamLinuxRuntime_sniper
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote
profile steam-runtime-steam-remote @{exec_path} flags=(complain) {
include <abstractions/base>
@{exec_path} mr,
@{runtime_dirs}/** rm,
owner @{HOME}/.steam/steam.pipe rw,
include if exists <local/steam-runtime-steam-remote>
}
# vim:syntax=apparmor
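Review bot: `@{runtime_dirs}/** rm,` lets the helper map every file under the Steam runtime as executable, which is broad for a binary whose only other file access here is `owner @{HOME}/.steam/steam.pipe rw,`; if only shared libraries are needed, a narrower pattern limited to the runtime's library files would do (to be confirmed against collected denials). The profile is in `flags=(complain)`, so nothing is enforced yet, and `@{runtime}` and `@{app_dirs}` are defined but never referenced in this profile — drop them or use them. A short comment on why `steam.pipe` is needed would help later readers.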


@ -17,7 +17,8 @@ profile uname @{exec_path} flags=(attach_disconnected) {
/dev/tty@{int} rw, /dev/tty@{int} rw,
deny network, deny network,
deny @{user_share_dirs}/gvfs-metadata/* r, deny owner @{user_share_dirs}/gvfs-metadata/* r,
deny owner @{user_share_dirs}/zed/**/data.mdb rw,
include if exists <local/uname> include if exists <local/uname>
} }


@ -35,7 +35,6 @@ profile vipw-vigr @{exec_path} {
# modify the /etc/passwd or /etc/shadow password database. # modify the /etc/passwd or /etc/shadow password database.
/etc/.pwd.lock rwk, /etc/.pwd.lock rwk,
profile editor { profile editor {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/editor> include <abstractions/app/editor>
@ -43,6 +42,8 @@ profile vipw-vigr @{exec_path} {
capability fsetid, capability fsetid,
/etc/{passwd,shadow,gshadow,group}.edit rw, /etc/{passwd,shadow,gshadow,group}.edit rw,
include if exists <local/vipw-vigr_editor>
} }
include if exists <local/vipw-vigr> include if exists <local/vipw-vigr>


@ -19,6 +19,7 @@ profile who @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
deny owner @{user_share_dirs}/zed/**/data.mdb rw,
include if exists <local/who> include if exists <local/who>
} }