mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-18 08:58:15 +01:00
feat(profiles): general update.
This commit is contained in:
Alexandre Pujol
parent
abaf9fdc7c
commit
c950c74bf7
29 changed files with 96 additions and 97 deletions
|
|
@ -11,6 +11,7 @@ profile gdm-xsession @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
@ -33,12 +34,10 @@ profile gdm-xsession @{exec_path} {
|
|||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/etc/X11/{,**} r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
# file_inherit
|
||||
/dev/tty rw,
|
||||
/dev/tty[0-9]* rw,
|
||||
|
||||
profile dbus {
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}lib/gnome-contacts-search-provider
|
||||
profile gnome-contacts-search-provider @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/opencl>
|
||||
include <abstractions/openssl>
|
||||
|
||||
|
|
@ -21,7 +22,6 @@ profile gnome-contacts-search-provider @{exec_path} {
|
|||
|
||||
owner @{user_share_dirs}/folks/relationships.ini r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}bin/gnome-disk-image-mounter
|
||||
profile gnome-disk-image-mounter @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gtk>
|
||||
|
|
@ -23,7 +24,6 @@ profile gnome-disk-image-mounter @{exec_path} {
|
|||
owner @{MOUNTS}/*/{,**} r,
|
||||
owner /tmp/*/{,**} r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2017-2021 Mikhail Morfikov
|
||||
# 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2017-2022 Mikhail Morfikov
|
||||
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -8,15 +8,17 @@ abi <abi/3.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/gnome-keyring-daemon
|
||||
profile gnome-keyring-daemon @{exec_path} {
|
||||
profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/openssl>
|
||||
|
||||
capability ipc_lock,
|
||||
|
||||
signal (receive) set=(term) peer=gdm,
|
||||
signal (send) set=(term) peer=ssh-agent,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/ssh-add rix,
|
||||
/{usr/,}bin/ssh-agent rPx,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,13 +9,13 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}lib/gnome-shell-calendar-server
|
||||
profile gnome-shell-calendar-server @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}bin/gnome-system-monitor
|
||||
profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
|
|
@ -34,10 +35,11 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
@{run}/systemd/sessions/[0-9]*{,.ref} r,
|
||||
|
||||
@{sys}/devices/pci[0-9]*/**/net/*/statistics/collisions r,
|
||||
@{sys}/devices/pci[0-9]*/**/net/*/statistics/rx_{bytes,errors,packets} r,
|
||||
@{sys}/devices/pci[0-9]*/**/net/*/statistics/tx_{bytes,errors,packets} r,
|
||||
|
|
@ -60,7 +62,5 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
|
|||
@{PROC}/@{pids}/wchan r,
|
||||
@{PROC}/vmstat r,
|
||||
|
||||
@{run}/systemd/sessions/[0-9]*{,.ref} r,
|
||||
|
||||
include if exists <local/gnome-system-monitor>
|
||||
}
|
||||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}lib/goa-daemon
|
||||
profile goa-daemon @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl>
|
||||
include <abstractions/openssl>
|
||||
|
|
@ -27,7 +28,6 @@ profile goa-daemon @{exec_path} {
|
|||
|
||||
owner @{user_config_dirs}/goa-1.0/accounts.conf r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,18 +9,19 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}lib/gsd-a11y-settings
|
||||
profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
|
||||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}lib/gsd-color
|
||||
profile gsd-color @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/gtk>
|
||||
|
|
@ -17,27 +18,25 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/icons/{,**} r,
|
||||
/usr/share/mime/mime.cache r,
|
||||
/usr/share/X11/xkb/** r,
|
||||
|
||||
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
/var/lib/gdm/.local/share/icc/ rw,
|
||||
/var/lib/gdm/.local/share/icc/edid-*.icc rw,
|
||||
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
|
||||
owner @{user_share_dirs}/icc/ r,
|
||||
owner @{user_share_dirs}/icc/edid-*.icc rw,
|
||||
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
||||
include if exists <local/gsd-color>
|
||||
|
|
|
|||
|
|
@ -9,18 +9,19 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}lib/gsd-datetime
|
||||
profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
|
||||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app-launcher-user>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/thumbnails-cache-read>
|
||||
|
||||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
|
|
@ -19,16 +20,16 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/etc/fstab r,
|
||||
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
owner @{user_cache_dirs}/thumbnails/{,**} rw,
|
||||
owner @{user_share_dirs}/applications/ rw,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
|
||||
owner @{PROC}/@{pids}/mountinfo r,
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
@ -20,6 +21,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/icons/{,**} r,
|
||||
|
|
@ -36,17 +38,14 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_share_dirs}/event-sound-cache.tdb.* rwk,
|
||||
owner @{user_share_dirs}/recently-used.xbel{,.*} rw,
|
||||
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
/var/lib/gdm/.config/pulse/client.conf r,
|
||||
/var/lib/gdm/.config/pulse/cookie rk,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile gsd-power @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
@ -20,6 +21,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/icons/{,**} r,
|
||||
|
|
@ -28,13 +30,17 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
/var/lib/gdm/.cache/event-sound-cache.tdb.* rwk,
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
/var/lib/gdm/.config/pulse/client.conf r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
@{run}/udev/data/+backlight:* r,
|
||||
@{run}/udev/data/+leds:*backlight* r,
|
||||
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/class/ r,
|
||||
|
|
@ -52,13 +58,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/devices/platform/**/leds/*backlight*/max_brightness r,
|
||||
@{sys}/devices/platform/**/leds/*backlight*/brightness rw,
|
||||
|
||||
@{run}/udev/data/+backlight:* r,
|
||||
@{run}/udev/data/+leds:*backlight* r,
|
||||
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,18 +9,19 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}lib/gsd-sharing
|
||||
profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
|
||||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
|
|
|||
|
|
@ -9,18 +9,19 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}lib/gsd-smartcard
|
||||
profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
|
||||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
|
|
|||
|
|
@ -9,12 +9,12 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}lib/gsd-usb-protection
|
||||
profile gsd-usb-protection @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}lib/gsd-wacom
|
||||
profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gtk>
|
||||
|
|
@ -17,22 +18,20 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
/usr/share/libwacom/{,*} r,
|
||||
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/icons/{,**} r,
|
||||
/usr/share/libwacom/{,*} r,
|
||||
/usr/share/mime/mime.cache r,
|
||||
/usr/share/X11/xkb/** r,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
/etc/machine-id r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
|
|
|||
|
|
@ -39,11 +39,8 @@ profile gvfs-udisks2-volume-monitor @{exec_path} {
|
|||
/etc/machine-id r,
|
||||
|
||||
# Mount points
|
||||
owner @{MOUNTS}/*/ r,
|
||||
owner @{MOUNTS}/*/**/ r,
|
||||
owner @{HOME}/*/*/ r,
|
||||
owner @{HOME}/*/*/**/ r,
|
||||
owner @{HOME}/bluetooth/ r,
|
||||
owner @{MOUNTS}/**/ r,
|
||||
owner @{HOME}/**/ r,
|
||||
|
||||
owner @{run}/user/@{uid}/dconf/ w,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021 Mikhail Morfikov
|
||||
# 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -11,6 +11,7 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/gvfsd-dav
|
||||
profile gvfsd-dav @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/p11-kit>
|
||||
|
|
@ -27,10 +28,8 @@ profile gvfsd-dav @{exec_path} {
|
|||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/mime/mime.cache r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
owner @{run}/user/@{uid}/gvfsd/ rw,
|
||||
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021 Mikhail Morfikov
|
||||
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -10,6 +11,7 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/gvfsd-ftp
|
||||
profile gvfsd-ftp @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
|
|
@ -21,11 +23,10 @@ profile gvfsd-ftp @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
include <abstractions/dconf>
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
include if exists <local/gvfsd-ftp>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021 Mikhail Morfikov
|
||||
# 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -11,6 +11,7 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/gvfsd-http
|
||||
profile gvfsd-http @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/p11-kit>
|
||||
|
|
@ -26,10 +27,8 @@ profile gvfsd-http @{exec_path} {
|
|||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
owner @{run}/user/@{uid}/gvfsd/socket-* rw,
|
||||
|
||||
include if exists <local/gvfsd-http>
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021 Mikhail Morfikov
|
||||
# 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -11,17 +11,16 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/gvfsd-network
|
||||
profile gvfsd-network @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/gvfsd/ rw,
|
||||
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
include if exists <local/gvfsd-network>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021 Mikhail Morfikov
|
||||
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -16,11 +17,11 @@ profile gvfsd-sftp @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/ssh rPx,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
/dev/ptmx rw,
|
||||
|
||||
/{usr/,}bin/ssh rPx,
|
||||
|
||||
include if exists <local/gvfsd-sftp>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021 Mikhail Morfikov
|
||||
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -10,6 +11,7 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/gvfsd-smb
|
||||
profile gvfsd-smb @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/freedesktop.org>
|
||||
|
||||
network netlink raw,
|
||||
|
|
@ -20,15 +22,13 @@ profile gvfsd-smb @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
/etc/samba/smb.conf r,
|
||||
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
|
||||
|
||||
include if exists <local/gvfsd-smb>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021 Mikhail Morfikov
|
||||
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -10,6 +11,7 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/gvfsd-smb-browse
|
||||
profile gvfsd-smb-browse @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
network netlink raw,
|
||||
|
|
@ -20,17 +22,14 @@ profile gvfsd-smb-browse @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
/etc/samba/smb.conf r,
|
||||
|
||||
owner @{run}samba/ rw,
|
||||
owner @{run}/samba/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
|
||||
|
||||
include if exists <local/gvfsd-smb-browse>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -34,7 +34,7 @@ profile ssh @{exec_path} {
|
|||
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/config r,
|
||||
|
||||
/etc/ssh/ssh_config r,
|
||||
/etc/ssh/ssh_config.d/ r,
|
||||
/etc/ssh/ssh_config.d/{,*} r,
|
||||
|
||||
owner @{run}/user/@{uid}/keyring/ssh rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -43,10 +43,11 @@ profile systemd-logind @{exec_path} flags=(complain) {
|
|||
@{run}/udev/static_node-tags/uaccess/ r,
|
||||
|
||||
@{run}/udev/data/c10:[0-9]* r,
|
||||
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
|
||||
@{run}/udev/data/c116:[0-9]* r, # for ALSA
|
||||
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
|
||||
@{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
|
||||
@{run}/udev/data/c23[0-9]:[0-9]* r,
|
||||
@{run}/udev/data/c24[0-9]:[0-9]* r,
|
||||
@{run}/udev/data/c29:[0-9]* r,
|
||||
@{run}/udev/data/c50[0-9]:[0-9]* r,
|
||||
@{run}/udev/data/c51[0-9]:[0-9]* r,
|
||||
|
|
|
|||
|
|
@ -17,12 +17,12 @@ profile pass-import @{exec_path} {
|
|||
/{usr/,}bin/ r,
|
||||
/{usr/,}bin/pass rPx,
|
||||
/{usr/,}{s,}bin/ldconfig rix,
|
||||
/{usr/,}bin/gcc rix,
|
||||
/{usr/,}bin/gcc rix, # TODO: Test deny
|
||||
/{usr/,}bin/ld rix,
|
||||
/{usr/,}bin/python3.[0-9]* rix,
|
||||
/{usr/,}lib/gcc/**/collect2 rix,
|
||||
|
||||
/{usr/,}lib/python{2.[4-7],3,3.[0-9]*}/** w,
|
||||
/{usr/,}lib/python{2.[4-7],3,3.[0-9]*}/** w, # TODO: Test deny
|
||||
|
||||
/usr/share/file/misc/magic.mgc r,
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2020-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2020-2022 Mikhail Morfikov
|
||||
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -7,7 +8,7 @@ abi <abi/3.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/update-desktop-database
|
||||
profile update-desktop-database @{exec_path} {
|
||||
profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue