feat(profile): general update.

This commit is contained in:
Alexandre Pujol 2023-12-06 20:00:40 +00:00
parent 1307250250
commit cc133e5f57
26 changed files with 49 additions and 106 deletions


@ -1,5 +1,5 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# Common rules for applications sandboxed using bwrap. # Common rules for applications sandboxed using bwrap.


@ -29,8 +29,12 @@ profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) {
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
mount, mount options=(rw, silent, rslave) -> /,
umount, mount fstype=tmpfs -> /tmp/,
mount -> /newroot/{,**},
mount -> /oldroot/,
mount -> /tmp/newroot/,
umount /{,oldroot/},
pivot_root oldroot=/newroot/ -> /newroot/, pivot_root oldroot=/newroot/ -> /newroot/,
pivot_root oldroot=/tmp/oldroot/ -> /tmp/, pivot_root oldroot=/tmp/oldroot/ -> /tmp/,
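Review bot: `mount -> /newroot/{,**},` pins only the mount point, so any source, fstype and option set can still be mounted anywhere under the new root; that is probably unavoidable because bwrap binds caller-chosen host paths, but the rationale is not recorded and a later reader may try to tighten it. A one-line comment such as `# bwrap bind-mounts caller-selected host paths under /newroot/, so source and fstype cannot be pinned here` would prevent that. `mount options=(rw, silent, rslave) -> /,` and `umount /{,oldroot/},` deserve the same treatment, since they read as surprising without the pivot_root sequence in mind. The enclosing bwrap profile starts outside the hunk.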


@ -96,6 +96,7 @@ profile child-open {
@{bin}/vlc rPUx, @{bin}/vlc rPUx,
@{bin}/xarchiver rPx, @{bin}/xarchiver rPx,
@{bin}/xbrlapi rPx, @{bin}/xbrlapi rPx,
@{bin}/yelp rPUx,
@{lib}/libreoffice/program/{soffice,soffice.bin,oosplash} rPUx, @{lib}/libreoffice/program/{soffice,soffice.bin,oosplash} rPUx,
include if exists <usr/child-open.d> include if exists <usr/child-open.d>
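Review bot: `@{bin}/yelp rPUx,` runs the help viewer fully unconfined whenever no yelp profile is loaded, which is the weakest of the available transitions; if the tree ships a yelp profile, `@{bin}/yelp rPx,` is the stricter form and fails closed instead. The entry mirrors the existing `@{bin}/vlc rPUx,` line, so it may be a deliberate convention for optional profiles, in which case a short comment on the rPUx group stating that would settle it. The enclosing child-open profile starts outside the hunk.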


@ -61,7 +61,7 @@ profile plymouthd @{exec_path} {
/dev/ptmx rw, /dev/ptmx rw,
/dev/tty@{int} rw, /dev/tty@{int} rw,
/dev/ttyS[0-9]* rw, /dev/ttyS@{int} rw,
include if exists <local/plymouthd> include if exists <local/plymouthd>
} }


@ -17,10 +17,10 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/usr/share/applications/{,**/} r, /usr/share/{,ubuntu/}applications/{,**/} r,
/usr/share/applications/**.desktop r, /usr/share/{,ubuntu/}applications/**.desktop r,
/usr/share/applications/.mimeinfo.cache.* rw, /usr/share/{,ubuntu/}applications/.mimeinfo.cache.* rw,
/usr/share/applications/mimeinfo.cache w, /usr/share/{,ubuntu/}applications/mimeinfo.cache w,
/usr/share/*/*.desktop r, /usr/share/*/*.desktop r,


@ -14,7 +14,7 @@ profile evolution-alarm-notify @{exec_path} {
include <abstractions/bus/session> include <abstractions/bus/session>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/gnome> include <abstractions/gnome-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/opencl> include <abstractions/opencl>
include <abstractions/openssl> include <abstractions/openssl>


@ -14,32 +14,22 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/app-launcher-user> include <abstractions/app-launcher-user>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/freedesktop.org> include <abstractions/gnome-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/trash> include <abstractions/trash>
@{exec_path} mr, @{exec_path} mr,
@{lib}/gio-launch-desktop rix, owner @{HOME}/{,**} rw,
owner /tmp/wl-copy-buffer-*/{,**} rw,
# System files @{run}/mount/utab r,
/var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
# User files
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
# file_inherit
owner @{HOME}/.xsession-errors w,
# Required by many gio command
owner @{HOME}/{,**} rw,
owner /tmp/wl-copy-buffer-*/{,**} rw,
/dev/dri/card@{int} rw, /dev/dri/card@{int} rw,
@{run}/mount/utab r,
include if exists <local/gio-launch-desktop> include if exists <local/gio-launch-desktop>
} }
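Review bot: The rationale comment `# Required by many gio command` is dropped on the new side while the rule it explained, `owner @{HOME}/{,**} rw,`, is kept; read/write over the whole home directory is the broadest grant in this profile and should keep its justification, e.g. `# Required by many gio commands`. Dropping `owner @{HOME}/.xsession-errors w,` under `# file_inherit` may surface new denials when the launcher is started from an X session, unless that rule now comes from `abstractions/gnome-strict`, which is not visible here. The enclosing profile starts outside the hunk.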


@ -13,11 +13,9 @@ profile gnome-calculator-search-provider @{exec_path} {
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/fonts> include <abstractions/gnome-strict>
include <abstractions/gtk>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/vulkan> include <abstractions/vulkan>
include <abstractions/wayland>
signal (send) set=kill peer=unconfined, signal (send) set=kill peer=unconfined,
@ -27,15 +25,11 @@ profile gnome-calculator-search-provider @{exec_path} {
peer=(name=:*, label=gnome-shell), peer=(name=:*, label=gnome-shell),
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/[a-z0-9]* rPUx,
/usr/share/glib-2.0/schemas/gschemas.compiled r, @{bin}/* rPUx,
/usr/share/x11/xkb/{,**} r,
/usr/share/icons/{,**} r,
/usr/share/nvidia/nvidia-application-profiles-*-rc r, /usr/share/nvidia/nvidia-application-profiles-*-rc r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/comm r,
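Review bot: `@{bin}/* rPUx,` lets the search provider execute every binary under @{bin} and falls back to unconfined for any target without a profile, which is at least as wide as the replaced `/{usr/,}bin/[a-z0-9]* rPUx,` and loses that pattern's restriction on the first character. A search provider presumably only needs to launch the calculator itself; if so, a named rule such as `@{bin}/gnome-calculator rPx,` would be far tighter, and otherwise a comment listing which commands it actually spawns would justify the wildcard. The enclosing profile starts outside the hunk.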


@ -16,7 +16,7 @@ profile gnome-characters @{exec_path} {
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/gnome> include <abstractions/gnome-strict>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/vulkan> include <abstractions/vulkan>
@ -30,12 +30,9 @@ profile gnome-characters @{exec_path} {
@{bin}/gjs-console rix, @{bin}/gjs-console rix,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/libdrm/*.ids r, /usr/share/libdrm/*.ids r,
/usr/share/org.gnome.Characters/org.gnome.Characters.*.gresource r, /usr/share/org.gnome.Characters/org.gnome.Characters.*.gresource r,
/usr/share/themes/{,**} r,
/usr/share/X11/xkb/{,**} r,
/usr/share/nvidia/nvidia-application-profiles-*-rc r, /usr/share/nvidia/nvidia-application-profiles-*-rc r,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
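Review bot: The rules removed here (`/usr/share/glib-2.0/schemas/gschemas.compiled r,`, `/usr/share/themes/{,**} r,`, `/usr/share/X11/xkb/{,**} r,`) are only safe to drop if `abstractions/gnome-strict` grants them, and that abstraction is not part of the visible diff; the same assumption underlies the removals in the gnome-contacts, gnome-control-center-search-provider, gnome-session-binary, gnome-software, gnome-terminal-server and gsd-power hunks of this commit. Silent denials of schema or xkb reads are the usual symptom when such a swap misses a rule, so a quick cross-check of gnome-strict against each dropped line before merge is worthwhile. The enclosing profile starts outside the hunk.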


@ -12,7 +12,7 @@ profile gnome-contacts @{exec_path} {
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/gnome> include <abstractions/gnome-strict>
include <abstractions/gstreamer> include <abstractions/gstreamer>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -25,7 +25,6 @@ profile gnome-contacts @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/applications/{,*.desktop} r, /usr/share/applications/{,*.desktop} r,
owner @{user_cache_dirs}/evolution/addressbook/{,**} r, owner @{user_cache_dirs}/evolution/addressbook/{,**} r,


@ -17,14 +17,12 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/gnome> include <abstractions/gnome-strict>
include <abstractions/gstreamer> include <abstractions/gstreamer>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/opencl-nvidia> include <abstractions/opencl-nvidia>
include <abstractions/openssl>
include <abstractions/p11-kit> include <abstractions/p11-kit>
include <abstractions/ssl_certs>
include <abstractions/vulkan> include <abstractions/vulkan>
network inet dgram, network inet dgram,
@ -56,11 +54,10 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
@{bin}/pkexec rPx, @{bin}/pkexec rPx,
@{bin}/software-properties-gtk rPx, @{bin}/software-properties-gtk rPx,
@{bin}/usermod rPx, @{bin}/usermod rPx,
@{lib}/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKitNetworkProcess rPx,
@{lib}/cups/backend/snmp rPx, @{lib}/cups/backend/snmp rPx,
@{lib}/gnome-control-center-goa-helper rPx, @{lib}/gnome-control-center-goa-helper rPx,
@{lib}/gnome-control-center-print-renderer rPx, @{lib}/gnome-control-center-print-renderer rPx,
@{lib}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
/usr/share/language-tools/language2locale rix, /usr/share/language-tools/language2locale rix,
/usr/share/language-tools/language-options rPUx, /usr/share/language-tools/language-options rPUx,
@ -78,16 +75,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/usr/share/gnome/gnome-version.xml r, /usr/share/gnome/gnome-version.xml r,
/usr/share/libdrm/*.ids r, /usr/share/libdrm/*.ids r,
/usr/share/language-tools/main-countries r, /usr/share/language-tools/main-countries r,
/usr/share/mime/{,**} r,
/usr/share/pipewire/client.conf r, /usr/share/pipewire/client.conf r,
/usr/share/thumbnailers/{,*} r, /usr/share/thumbnailers/{,*} r,
/usr/share/wallpapers/{,**} r, /usr/share/wallpapers/{,**} r,
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
/usr/share/zoneinfo/{,**} r, /usr/share/zoneinfo/{,**} r,
# freedesktop.org-strict
/usr/share/*ubuntu/applications/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/cups/client.conf r, /etc/cups/client.conf r,
/etc/machine-info r, /etc/machine-info r,
@ -100,8 +92,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r, /etc/machine-id r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/var/lib/snapd/desktop/icons/ r,
/var/cache/cracklib/cracklib_dict.* r, /var/cache/cracklib/cracklib_dict.* r,
/var/cache/samba/ rw, /var/cache/samba/ rw,
/var/lib/AccountsService/icons/* r, /var/lib/AccountsService/icons/* r,
@ -120,18 +110,12 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/backgrounds/{,**} rw, owner @{user_share_dirs}/backgrounds/{,**} rw,
owner @{user_share_dirs}/icc/{,edid-*} r, owner @{user_share_dirs}/icc/{,edid-*} r,
owner @{user_share_dirs}/sounds/__custom/{,*} rw, owner @{user_share_dirs}/sounds/__custom/{,*} rw,
owner @{user_share_dirs}/webkitgtk/{,**} r,
owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw,
owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,
owner @{user_share_dirs}/gnome-remote-desktop/ w, owner @{user_share_dirs}/gnome-remote-desktop/ w,
owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw, owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw,
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w, owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w,
owner @{run}/user/@{uid}/pipewire-[0-9]* rw, owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid} rwk,
owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid}.lock rwk,
owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
owner @{run}/user/@{uid}/wayland-@{int} rw, owner @{run}/user/@{uid}/wayland-@{int} rw,
@{run}/cups/cups.sock rw, @{run}/cups/cups.sock rw,
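Review bot: `@{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKitNetworkProcess rPx,` now requires a separately loaded profile for the network process, so the exec is denied outright (not run unconfined) wherever that profile is missing; the same path in the gnome-control-center-goa-helper hunk (`@ -37,7 +37,7`) keeps `rix`, so one caller confines the network process by its own profile while the other lets it inherit. If the divergence is intended — the goa-helper profile presumably still carries the webkitgtk storage and socket rules that this hunk removes — a comment on the goa-helper line such as `# keep rix: this profile carries the WebKitNetworkProcess rules` would record it; otherwise the two transitions should match. The enclosing profile starts outside the hunk.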


@ -37,7 +37,7 @@ profile gnome-control-center-goa-helper @{exec_path} {
@{bin}/bwrap rPUx, @{bin}/bwrap rPUx,
@{lib}/webkit2gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKitNetworkProcess rix,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/themes/{,**} r, /usr/share/themes/{,**} r,


@ -13,9 +13,7 @@ profile gnome-control-center-search-provider @{exec_path} {
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/fonts> include <abstractions/gnome-strict>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/vulkan> include <abstractions/vulkan>
@ -26,13 +24,8 @@ profile gnome-control-center-search-provider @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/usr/share/X11/xkb/{,**} r,
/usr/share/nvidia/nvidia-application-profiles-*-rc r, /usr/share/nvidia/nvidia-application-profiles-*-rc r,
/var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/comm r,


@ -20,13 +20,10 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/freedesktop.org> include <abstractions/gnome-strict>
include <abstractions/gtk>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/vulkan> include <abstractions/vulkan>
include <abstractions/wayland>
include <abstractions/X-strict>
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
@ -158,10 +155,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
/usr/share/gnome-session/hardware-compatibility r, /usr/share/gnome-session/hardware-compatibility r,
/usr/share/gnome-session/sessions/*.session r, /usr/share/gnome-session/sessions/*.session r,
/usr/share/gnome/autostart/{,*.desktop} r, /usr/share/gnome/autostart/{,*.desktop} r,
/usr/share/X11/xkb/{,**} r,
/usr/share/session-migration/scripts/{,*} r, /usr/share/session-migration/scripts/{,*} r,
/etc/gnome/defaults.list r,
@{etc_ro}/xdg/autostart/{,*.desktop} r, @{etc_ro}/xdg/autostart/{,*.desktop} r,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
@ -172,7 +167,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm{3,}/.local/share/session_migration-* r, /var/lib/gdm{3,}/.local/share/session_migration-* r,
/var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/gdm{3,}/greeter-dconf-defaults r,
/var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
/var/lib/flatpak/exports/share/applications/{,**} r, /var/lib/flatpak/exports/share/applications/{,**} r,
/var/lib/flatpak/exports/share/mime/mime.cache r, /var/lib/flatpak/exports/share/mime/mime.cache r,
/var/lib/snapd/desktop/applications/{,mimeinfo.cache} r, /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,


@ -12,9 +12,7 @@ profile gnome-software @{exec_path} {
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/fonts> include <abstractions/gnome-strict>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/opencl> include <abstractions/opencl>
@ -48,7 +46,6 @@ profile gnome-software @{exec_path} {
/usr/share/appdata/{,**} r, /usr/share/appdata/{,**} r,
/usr/share/metainfo/{,**} r, /usr/share/metainfo/{,**} r,
/usr/share/swcatalog/{,**} r, /usr/share/swcatalog/{,**} r,
/usr/share/X11/xkb/{,**} r,
/usr/share/xml/iso-codes/{,**} r, /usr/share/xml/iso-codes/{,**} r,
/etc/appstream.conf r, /etc/appstream.conf r,
@ -61,7 +58,6 @@ profile gnome-software @{exec_path} {
/var/cache/app-info/icons/**.png r, /var/cache/app-info/icons/**.png r,
/var/cache/app-info/xmls/{,**} r, /var/cache/app-info/xmls/{,**} r,
/var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
/var/lib/apt/lists/*.yml.gz r, /var/lib/apt/lists/*.yml.gz r,


@ -16,13 +16,12 @@ profile gnome-terminal-server @{exec_path} {
include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/fonts> include <abstractions/gnome-strict>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/wayland>
include <abstractions/X-strict>
signal (send) set=(hup) peer=htop,
signal (send) set=(term hup kill) peer=unconfined, signal (send) set=(term hup kill) peer=unconfined,
ptrace (read) peer=htop,
ptrace (read) peer=unconfined, ptrace (read) peer=unconfined,
dbus bind bus=session name=org.gnome.Terminal, dbus bind bus=session name=org.gnome.Terminal,
@ -64,10 +63,7 @@ profile gnome-terminal-server @{exec_path} {
@{lib}/gio-launch-desktop rPx -> child-open, @{lib}/gio-launch-desktop rPx -> child-open,
/usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/X11/xkb/{,**} r, /usr/share/sounds/{,**} r,
/var/lib/flatpak/exports/share/icons/{,**} r,
/var/lib/snapd/desktop/icons/{,**} r,
/etc/pulse/client.conf r, /etc/pulse/client.conf r,
/etc/pulse/client.conf.d/{,**} r, /etc/pulse/client.conf.d/{,**} r,


@ -24,10 +24,8 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-write> include <abstractions/fontconfig-cache-write>
include <abstractions/fonts> include <abstractions/gnome-strict>
include <abstractions/gtk>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/wayland>
network netlink raw, network netlink raw,
@ -97,9 +95,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icons/{,**} r,
/usr/share/X11/xkb/** r,
/var/lib/gdm{3,}/.config/pulse/ rw, /var/lib/gdm{3,}/.config/pulse/ rw,
/var/lib/gdm{3,}/.config/pulse/cookie rwk, /var/lib/gdm{3,}/.config/pulse/cookie rwk,
@ -108,8 +103,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm{3,}/.config/pulse/client.conf r, /var/lib/gdm{3,}/.config/pulse/client.conf r,
/var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/gdm{3,}/greeter-dconf-defaults r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
@{run}/udev/data/+backlight:* r, @{run}/udev/data/+backlight:* r,
@{run}/udev/data/+drm:card* r, @{run}/udev/data/+drm:card* r,
@{run}/udev/data/+leds:* r, @{run}/udev/data/+leds:* r,


@ -95,6 +95,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
@{lib}/{,NetworkManager/}nm-openvpn-service rPx, @{lib}/{,NetworkManager/}nm-openvpn-service rPx,
@{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx,
/usr/share/netplan/netplan.script rPx,
/usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
/ r, / r,
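Review bot: `/usr/share/netplan/netplan.script rPx,` needs a profile attached to exactly that path, otherwise NetworkManager's exec of the script is denied rather than inherited or run unconfined; confirm that profile is among this commit's files or already in the tree. Since the path is distribution-specific, a comment such as `# Ubuntu: netplan integration script invoked by NetworkManager` (presumed purpose, to be confirmed) would help readers on other distributions. The enclosing NetworkManager profile starts outside the hunk.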


@ -93,7 +93,7 @@ profile subiquity-console-conf @{exec_path} {
/dev/tty rw, /dev/tty rw,
/dev/tty@{int} rw, /dev/tty@{int} rw,
/dev/ttyS[0-9]* rw, /dev/ttyS@{int} rw,
profile journalctl { profile journalctl {
include <abstractions/base> include <abstractions/base>


@ -102,8 +102,8 @@ profile arduino @{exec_path} {
@{sys}/class/tty/ r, @{sys}/class/tty/ r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,manufacturer,serial,product} r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,manufacturer,serial,product} r,
/dev/ttyS[0-9]* rw, /dev/ttyS@{int} rw,
/dev/ttyACM[0-9]* rw, /dev/ttyACM@{int} rw,
# Silencer # Silencer
deny /usr/share/arduino/** w, deny /usr/share/arduino/** w,


@ -14,5 +14,7 @@ profile cups-backend-serial @{exec_path} {
/etc/papersize r, /etc/papersize r,
/dev/ttyS@{int} w,
include if exists <local/cups-backend-serial> include if exists <local/cups-backend-serial>
} }


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/cups/backend/snmp @{exec_path} = @{lib}/cups/backend/snmp
profile cups-backend-snmp @{exec_path} { profile cups-backend-snmp @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict>
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,


@ -66,7 +66,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
@{lib}/cups/driver/* rix, @{lib}/cups/driver/* rix,
@{lib}/cups/filter/* rix, @{lib}/cups/filter/* rix,
@{lib}/cups/monitor/* rix, @{lib}/cups/monitor/* rix,
@{lib}/cups/notifier/* rix, @{lib}/cups/notifier/* rPx,
/usr/share/cups/{,**} r, /usr/share/cups/{,**} r,
/usr/share/ghostscript/{,**} r, /usr/share/ghostscript/{,**} r,
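Review bot: `@{lib}/cups/notifier/* rPx,` turns every notifier exec into a transition to a profile named after the notifier's own path, so any notifier without such a profile is now refused execution instead of inheriting cupsd's rules as the previous `rix` did; CUPS ships several notifiers (dbus, mailto and rss are the usual ones), and a missing profile would show up only as silently failing notifications. Confirm a profile exists for each notifier shipped on the target systems, or list the covered ones explicitly in place of the `*` wildcard. The enclosing cupsd profile starts outside the hunk.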


@ -63,8 +63,8 @@ profile fritzing @{exec_path} {
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
@{run}/udev/data/c166:[0-9]* r, # for /dev/ttyACM[0-9]* @{run}/udev/data/c166:[0-9]* r, # for /dev/ttyACM[0-9]*
/dev/ttyS[0-9]* rw, /dev/ttyS@{int} rw,
/dev/ttyACM[0-9]* rw, /dev/ttyACM@{int} rw,
owner @{run}/lock/LCK..ttyACM[0-9]* rwk, owner @{run}/lock/LCK..ttyACM[0-9]* rwk,
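Review bot: The comment on `@{run}/udev/data/c166:[0-9]* r, # for /dev/ttyACM[0-9]*` still describes the old glob after the device rule below it became `/dev/ttyACM@{int} rw,`; change it to `# for /dev/ttyACM@{int}` so the udev and device rules stay documented consistently. The udev rule itself and `owner @{run}/lock/LCK..ttyACM[0-9]* rwk,` also keep `[0-9]*`, so the `@{int}` conversion is only partial in this profile; if `@{int}` is the narrower pattern, the lock-file and udev rules now match more device names than the device rules do, which is harmless but worth making uniform. The enclosing profile starts outside the hunk.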


@ -54,9 +54,8 @@ profile hwinfo @{exec_path} {
/dev/nvram r, /dev/nvram r,
/dev/psaux r, /dev/psaux r,
/dev/console rw, /dev/console rw,
/dev/ttyS0 r, /dev/ttyS@{int} r,
/dev/ttyS1 r, /dev/fb@{int} r,
/dev/fb[0-9] r,
@{sys}/bus/{,**/} r, @{sys}/bus/{,**/} r,
@{sys}/class/*/ r, @{sys}/class/*/ r,
@ -84,8 +83,7 @@ profile hwinfo @{exec_path} {
@{PROC}/cmdline r, @{PROC}/cmdline r,
# file_inherit # file_inherit
/dev/ttyS0 r, /dev/ttyS@{int} r,
/dev/ttyS1 r,
owner /tmp/hwinfo*.txt rw, owner /tmp/hwinfo*.txt rw,
@{sys}/devices/pci[0-9]*/**/drm/card@{int}/ r, @{sys}/devices/pci[0-9]*/**/drm/card@{int}/ r,
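Review bot: `/dev/ttyS@{int} r,` replaces the two explicit `/dev/ttyS0 r,` and `/dev/ttyS1 r,` rules, so hwinfo may now read every serial port rather than the first two, and `/dev/fb@{int} r,` likewise widens `/dev/fb[0-9] r,` beyond a single digit; the same serial widening lands under `# file_inherit` in the second hwinfo hunk (`@ -84,8 +83,7`). That is plausibly intended for a hardware probe, but unlike the other `[0-9]*` → `@{int}` conversions in this commit it is a broadening rather than a tightening, so a comment such as `# hwinfo probes every serial port present` would mark it as deliberate. The enclosing profile starts outside the hunk.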


@ -86,7 +86,7 @@ profile snap @{exec_path} {
@{PROC}/version r, @{PROC}/version r,
/dev/tty@{int} rw, /dev/tty@{int} rw,
/dev/ttyS[0-9]* rw, /dev/ttyS@{int} rw,
deny @{user_share_dirs}/gvfs-metadata/* r, deny @{user_share_dirs}/gvfs-metadata/* r,