mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-18 08:58:15 +01:00
Alexandre Pujol
parent
960135e593
commit
cb30dcc4bc
7 changed files with 21 additions and 25 deletions
|
|
@ -25,6 +25,7 @@ profile crontab @{exec_path} {
|
||||||
@{bin}/vim.* rCx -> editor,
|
@{bin}/vim.* rCx -> editor,
|
||||||
|
|
||||||
/etc/cron.{allow,deny} r,
|
/etc/cron.{allow,deny} r,
|
||||||
|
/etc/pam.d/* r,
|
||||||
|
|
||||||
/var/spool/cron/ r,
|
/var/spool/cron/ r,
|
||||||
/var/spool/cron/crontabs/ rw,
|
/var/spool/cron/crontabs/ rw,
|
||||||
|
|
@ -32,19 +33,18 @@ profile crontab @{exec_path} {
|
||||||
|
|
||||||
owner @{tmp}/crontab.*/{,crontab} rw,
|
owner @{tmp}/crontab.*/{,crontab} rw,
|
||||||
|
|
||||||
|
|
||||||
profile editor {
|
profile editor {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/app/editor>
|
include <abstractions/app/editor>
|
||||||
|
|
||||||
capability fsetid,
|
capability fsetid,
|
||||||
|
|
||||||
|
/etc/cron.{allow,deny} r,
|
||||||
|
|
||||||
/tmp/ r,
|
/tmp/ r,
|
||||||
owner @{tmp}/crontab.*/crontab rw,
|
owner @{tmp}/crontab.*/crontab rw,
|
||||||
|
|
||||||
# file_inherit
|
include if exists <local/crontab_editor>
|
||||||
/etc/cron.{allow,deny} r,
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
include if exists <local/crontab>
|
include if exists <local/crontab>
|
||||||
|
|
|
||||||
|
|
@ -218,6 +218,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
/.flatpak-info r,
|
/.flatpak-info r,
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
/etc/timezone r,
|
/etc/timezone r,
|
||||||
|
/etc/tpm2-tss/*.json r,
|
||||||
/etc/udev/hwdb.bin r,
|
/etc/udev/hwdb.bin r,
|
||||||
/etc/xdg/menus/gnome-applications.menu r,
|
/etc/xdg/menus/gnome-applications.menu r,
|
||||||
|
|
||||||
|
|
@ -249,10 +250,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
|
|
||||||
owner @{HOME}/.face r,
|
owner @{HOME}/.face r,
|
||||||
owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
|
owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
|
||||||
owner @{HOME}/.var/app/**/ r,
|
owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,
|
||||||
owner @{HOME}/.var/app/**.{png,jpg,svg} r,
|
owner @{HOME}/.var/app/**.{png,jpg,svg} r,
|
||||||
|
owner @{HOME}/.var/app/**/ r,
|
||||||
owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
|
owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
|
||||||
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw,
|
||||||
|
|
||||||
owner @{user_games_dirs}/**.{png,jpg,svg} r,
|
owner @{user_games_dirs}/**.{png,jpg,svg} r,
|
||||||
owner @{user_music_dirs}/**.{png,jpg,svg} r,
|
owner @{user_music_dirs}/**.{png,jpg,svg} r,
|
||||||
|
|
@ -282,6 +284,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
owner @{user_cache_dirs}/vlc/**/*.jpg r,
|
owner @{user_cache_dirs}/vlc/**/*.jpg r,
|
||||||
|
|
||||||
@{run}/gdm{3,}/dbus/dbus-@{rand8} rw,
|
@{run}/gdm{3,}/dbus/dbus-@{rand8} rw,
|
||||||
|
owner @{run}/user/@{uid}/app/*/*.@{rand6} r,
|
||||||
owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
|
owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
|
||||||
owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
|
owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
|
||||||
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
|
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
|
||||||
|
|
|
||||||
|
|
@ -31,16 +31,16 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
|
|
||||||
/etc/{,opensc/}opensc.conf r,
|
/etc/{,opensc/}opensc.conf r,
|
||||||
/etc/tpm2-tss/* r,
|
/etc/tpm2-tss/* rk,
|
||||||
|
|
||||||
/var/tmp/ r,
|
/var/tmp/ r,
|
||||||
/tmp/ r,
|
/tmp/ r,
|
||||||
|
|
||||||
owner @{GDM_HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,
|
owner @{GDM_HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk,
|
||||||
owner @{GDM_HOME}/greeter-dconf-defaults r,
|
owner @{GDM_HOME}/greeter-dconf-defaults r,
|
||||||
owner @{gdm_config_dirs}/dconf/user r,
|
owner @{gdm_config_dirs}/dconf/user r,
|
||||||
|
|
||||||
owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,
|
owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk,
|
||||||
|
|
||||||
owner /dev/tty@{int} rw,
|
owner /dev/tty@{int} rw,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -39,20 +39,12 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) {
|
||||||
@{bin}/sed rix,
|
@{bin}/sed rix,
|
||||||
@{lib}/dhcpcd/dhcpcd-run-hooks rix,
|
@{lib}/dhcpcd/dhcpcd-run-hooks rix,
|
||||||
|
|
||||||
/var/lib/dhcpcd/*.lease{,6} rw,
|
|
||||||
/var/lib/dhcpcd/secret rw,
|
|
||||||
|
|
||||||
/etc/dhcpcd.conf r,
|
/etc/dhcpcd.conf r,
|
||||||
/etc/resolv.conf rw,
|
/etc/resolv.conf rw,
|
||||||
|
|
||||||
@{run}/dhcpcd/{.pid,pid} rwk,
|
/var/lib/dhcpcd/** rw,
|
||||||
@{run}/dhcpcd/{.sock,sock} w,
|
|
||||||
@{run}/dhcpcd/*.pid wk,
|
@{run}/dhcpcd/** rwk,
|
||||||
@{run}/dhcpcd/*.sock w,
|
|
||||||
@{run}/dhcpcd/hook-state/ rw,
|
|
||||||
@{run}/dhcpcd/hook-state/resolv.conf.*.{dhcp,link} rw,
|
|
||||||
@{run}/dhcpcd/hook-state/resolv.conf/ rw,
|
|
||||||
@{run}/dhcpcd/unpriv.sock w,
|
|
||||||
|
|
||||||
@{run}/udev/data/n@{int} r,
|
@{run}/udev/data/n@{int} r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -24,7 +24,7 @@ profile git @{exec_path} flags=(attach_disconnected) {
|
||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
signal (send) peer=aurpublish,
|
signal send peer=aurpublish,
|
||||||
|
|
||||||
@{exec_path} mrix,
|
@{exec_path} mrix,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -20,9 +20,9 @@ profile nft @{exec_path} {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
owner /etc/iproute2/** r,
|
/etc/iproute2/** r,
|
||||||
|
/etc/nftables.conf r,
|
||||||
owner /etc/nftables/**.nft r,
|
/etc/nftables/{,**} r,
|
||||||
|
|
||||||
@{PROC}/1/environ r,
|
@{PROC}/1/environ r,
|
||||||
@{PROC}/cmdline r,
|
@{PROC}/cmdline r,
|
||||||
|
|
|
||||||
|
|
@ -118,12 +118,13 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
@{sys}/bus/ r,
|
@{sys}/bus/ r,
|
||||||
@{sys}/bus/pci/slots/ r,
|
@{sys}/bus/pci/slots/ r,
|
||||||
|
@{sys}/bus/pci/slots/@{int}/address r,
|
||||||
@{sys}/class/ r,
|
@{sys}/class/ r,
|
||||||
@{sys}/class/nvme-subsystem/ r,
|
@{sys}/class/nvme-subsystem/ r,
|
||||||
@{sys}/class/nvme/ r,
|
@{sys}/class/nvme/ r,
|
||||||
@{sys}/devices/@{pci}/uevent r,
|
|
||||||
@{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w,
|
@{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w,
|
||||||
@{sys}/devices/@{pci}/{ata,usb,mmc}[0-9]/{,**/}remove rw,
|
@{sys}/devices/@{pci}/{ata,usb,mmc}[0-9]/{,**/}remove rw,
|
||||||
|
@{sys}/devices/@{pci}/uevent r,
|
||||||
@{sys}/devices/virtual/bdi/**/read_ahead_kb r,
|
@{sys}/devices/virtual/bdi/**/read_ahead_kb r,
|
||||||
@{sys}/devices/virtual/block/*/{,**} rw,
|
@{sys}/devices/virtual/block/*/{,**} rw,
|
||||||
@{sys}/devices/virtual/block/loop@{int}/uevent rw,
|
@{sys}/devices/virtual/block/loop@{int}/uevent rw,
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue