mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 00:48:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profile): general update.

Browse source
This commit is contained in:
Alexandre Pujol 2023-12-06 20:00:40 +00:00
parent 1307250250
commit cc133e5f57
Failed to generate hash of commit
26 changed files with 49 additions and 106 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/abstractions/bwrap-app
View file

@ -1,5 +1,5 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Common rules for applications sandboxed using bwrap.

8
apparmor.d/groups/_full/bwrap
View file

@ -29,8 +29,12 @@ profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) {
network inet6 stream,
network netlink raw,
mount,
umount,
mount options=(rw, silent, rslave) -> /,
mount fstype=tmpfs -> /tmp/,
mount -> /newroot/{,**},
mount -> /oldroot/,
mount -> /tmp/newroot/,
umount /{,oldroot/},
pivot_root oldroot=/newroot/ -> /newroot/,
pivot_root oldroot=/tmp/oldroot/ -> /tmp/,

1
apparmor.d/groups/children/child-open
View file

@ -96,6 +96,7 @@ profile child-open {
@{bin}/vlc rPUx,
@{bin}/xarchiver rPx,
@{bin}/xbrlapi rPx,
@{bin}/yelp rPUx,
@{lib}/libreoffice/program/{soffice,soffice.bin,oosplash} rPUx,
include if exists <usr/child-open.d>

2
apparmor.d/groups/freedesktop/plymouthd
View file

@ -61,7 +61,7 @@ profile plymouthd @{exec_path} {
/dev/ptmx rw,
/dev/tty@{int} rw,
/dev/ttyS[0-9]* rw,
/dev/ttyS@{int} rw,
include if exists <local/plymouthd>
}

8
apparmor.d/groups/freedesktop/update-desktop-database
View file

@ -17,10 +17,10 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/usr/share/applications/{,**/} r,
/usr/share/applications/**.desktop r,
/usr/share/applications/.mimeinfo.cache.* rw,
/usr/share/applications/mimeinfo.cache w,
/usr/share/{,ubuntu/}applications/{,**/} r,
/usr/share/{,ubuntu/}applications/**.desktop r,
/usr/share/{,ubuntu/}applications/.mimeinfo.cache.* rw,
/usr/share/{,ubuntu/}applications/mimeinfo.cache w,
/usr/share/*/*.desktop r,

2
apparmor.d/groups/gnome/evolution-alarm-notify
View file

@ -14,7 +14,7 @@ profile evolution-alarm-notify @{exec_path} {
include <abstractions/bus/session>
include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-read>
include <abstractions/gnome>
include <abstractions/gnome-strict>
include <abstractions/nameservice-strict>
include <abstractions/opencl>
include <abstractions/openssl>

18
apparmor.d/groups/gnome/gio-launch-desktop
View file

@ -14,32 +14,22 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/app-launcher-user>
include <abstractions/consoles>
include <abstractions/freedesktop.org>
include <abstractions/gnome-strict>
include <abstractions/nameservice-strict>
include <abstractions/trash>
@{exec_path} mr,
@{lib}/gio-launch-desktop rix,
owner @{HOME}/{,**} rw,
owner /tmp/wl-copy-buffer-*/{,**} rw,
# System files
/var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
@{run}/mount/utab r,
# User files
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
# file_inherit
owner @{HOME}/.xsession-errors w,
# Required by many gio command
owner @{HOME}/{,**} rw,
owner /tmp/wl-copy-buffer-*/{,**} rw,
/dev/dri/card@{int} rw,
@{run}/mount/utab r,
include if exists <local/gio-launch-desktop>
}

12
apparmor.d/groups/gnome/gnome-calculator-search-provider
View file

@ -13,11 +13,9 @@ profile gnome-calculator-search-provider @{exec_path} {
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/gtk>
include <abstractions/gnome-strict>
include <abstractions/mesa>
include <abstractions/vulkan>
include <abstractions/wayland>
signal (send) set=kill peer=unconfined,
@ -27,15 +25,11 @@ profile gnome-calculator-search-provider @{exec_path} {
peer=(name=:*, label=gnome-shell),
@{exec_path} mrix,
/{usr/,}bin/[a-z0-9]* rPUx,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/x11/xkb/{,**} r,
/usr/share/icons/{,**} r,
@{bin}/* rPUx,
/usr/share/nvidia/nvidia-application-profiles-*-rc r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/comm r,

5
apparmor.d/groups/gnome/gnome-characters
View file

@ -16,7 +16,7 @@ profile gnome-characters @{exec_path} {
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fontconfig-cache-read>
include <abstractions/gnome>
include <abstractions/gnome-strict>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/vulkan>
@ -30,12 +30,9 @@ profile gnome-characters @{exec_path} {
@{bin}/gjs-console rix,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/libdrm/*.ids r,
/usr/share/org.gnome.Characters/org.gnome.Characters.*.gresource r,
/usr/share/themes/{,**} r,
/usr/share/X11/xkb/{,**} r,
/usr/share/nvidia/nvidia-application-profiles-*-rc r,
owner @{PROC}/@{pid}/cmdline r,

3
apparmor.d/groups/gnome/gnome-contacts
View file

@ -12,7 +12,7 @@ profile gnome-contacts @{exec_path} {
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/gnome>
include <abstractions/gnome-strict>
include <abstractions/gstreamer>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
@ -25,7 +25,6 @@ profile gnome-contacts @{exec_path} {
@{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/applications/{,*.desktop} r,
owner @{user_cache_dirs}/evolution/addressbook/{,**} r,

20
apparmor.d/groups/gnome/gnome-control-center
View file

@ -17,14 +17,12 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/gnome>
include <abstractions/gnome-strict>
include <abstractions/gstreamer>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/opencl-nvidia>
include <abstractions/openssl>
include <abstractions/p11-kit>
include <abstractions/ssl_certs>
include <abstractions/vulkan>
network inet dgram,
@ -56,11 +54,10 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
@{bin}/pkexec rPx,
@{bin}/software-properties-gtk rPx,
@{bin}/usermod rPx,
@{lib}/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
@{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKitNetworkProcess rPx,
@{lib}/cups/backend/snmp rPx,
@{lib}/gnome-control-center-goa-helper rPx,
@{lib}/gnome-control-center-print-renderer rPx,
@{lib}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
/usr/share/language-tools/language2locale rix,
/usr/share/language-tools/language-options rPUx,
@ -78,17 +75,12 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/usr/share/gnome/gnome-version.xml r,
/usr/share/libdrm/*.ids r,
/usr/share/language-tools/main-countries r,
/usr/share/mime/{,**} r,
/usr/share/pipewire/client.conf r,
/usr/share/thumbnailers/{,*} r,
/usr/share/wallpapers/{,**} r,
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
/usr/share/zoneinfo/{,**} r,
# freedesktop.org-strict
/usr/share/*ubuntu/applications/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/cups/client.conf r,
/etc/machine-info r,
/etc/pipewire/client.conf.d/ r,
@ -100,8 +92,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/var/lib/snapd/desktop/icons/ r,
/var/cache/cracklib/cracklib_dict.* r,
/var/cache/samba/ rw,
/var/lib/AccountsService/icons/* r,
@ -120,18 +110,12 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/backgrounds/{,**} rw,
owner @{user_share_dirs}/icc/{,edid-*} r,
owner @{user_share_dirs}/sounds/__custom/{,*} rw,
owner @{user_share_dirs}/webkitgtk/{,**} r,
owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw,
owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,
owner @{user_share_dirs}/gnome-remote-desktop/ w,
owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw,
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w,
owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid} rwk,
owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid}.lock rwk,
owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
owner @{run}/user/@{uid}/wayland-@{int} rw,
@{run}/cups/cups.sock rw,

2
apparmor.d/groups/gnome/gnome-control-center-goa-helper
View file

@ -37,7 +37,7 @@ profile gnome-control-center-goa-helper @{exec_path} {
@{bin}/bwrap rPUx,
@{lib}/webkit2gtk-*/WebKitNetworkProcess rix,
@{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKitNetworkProcess rix,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/themes/{,**} r,

9
apparmor.d/groups/gnome/gnome-control-center-search-provider
View file

@ -13,9 +13,7 @@ profile gnome-control-center-search-provider @{exec_path} {
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/gnome-strict>
include <abstractions/mesa>
include <abstractions/vulkan>
@ -26,13 +24,8 @@ profile gnome-control-center-search-provider @{exec_path} {
@{exec_path} mr,
/usr/share/X11/xkb/{,**} r,
/usr/share/nvidia/nvidia-application-profiles-*-rc r,
/var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/comm r,

8
apparmor.d/groups/gnome/gnome-session-binary
View file

@ -20,13 +20,10 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/gnome-strict>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/vulkan>
include <abstractions/wayland>
include <abstractions/X-strict>
network inet stream,
network inet6 stream,
@ -158,10 +155,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
/usr/share/gnome-session/hardware-compatibility r,
/usr/share/gnome-session/sessions/*.session r,
/usr/share/gnome/autostart/{,*.desktop} r,
/usr/share/X11/xkb/{,**} r,
/usr/share/session-migration/scripts/{,*} r,
/etc/gnome/defaults.list r,
@{etc_ro}/xdg/autostart/{,*.desktop} r,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
@ -172,7 +167,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm{3,}/.local/share/session_migration-* r,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
/var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
/var/lib/flatpak/exports/share/applications/{,**} r,
/var/lib/flatpak/exports/share/mime/mime.cache r,
/var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,

6
apparmor.d/groups/gnome/gnome-software
View file

@ -12,9 +12,7 @@ profile gnome-software @{exec_path} {
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/gnome-strict>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/opencl>
@ -48,7 +46,6 @@ profile gnome-software @{exec_path} {
/usr/share/appdata/{,**} r,
/usr/share/metainfo/{,**} r,
/usr/share/swcatalog/{,**} r,
/usr/share/X11/xkb/{,**} r,
/usr/share/xml/iso-codes/{,**} r,
/etc/appstream.conf r,
@ -61,7 +58,6 @@ profile gnome-software @{exec_path} {
/var/cache/app-info/icons/**.png r,
/var/cache/app-info/xmls/{,**} r,
/var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
/var/lib/apt/lists/*.yml.gz r,

14
apparmor.d/groups/gnome/gnome-terminal-server
View file

@ -16,13 +16,12 @@ profile gnome-terminal-server @{exec_path} {
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/wayland>
include <abstractions/X-strict>
include <abstractions/gnome-strict>
signal (send) set=(hup) peer=htop,
signal (send) set=(term hup kill) peer=unconfined,
ptrace (read) peer=htop,
ptrace (read) peer=unconfined,
dbus bind bus=session name=org.gnome.Terminal,
@ -64,10 +63,7 @@ profile gnome-terminal-server @{exec_path} {
@{lib}/gio-launch-desktop rPx -> child-open,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/X11/xkb/{,**} r,
/var/lib/flatpak/exports/share/icons/{,**} r,
/var/lib/snapd/desktop/icons/{,**} r,
/usr/share/sounds/{,**} r,
/etc/pulse/client.conf r,
/etc/pulse/client.conf.d/{,**} r,

9
apparmor.d/groups/gnome/gsd-power
View file

@ -24,10 +24,8 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-write>
include <abstractions/fonts>
include <abstractions/gtk>
include <abstractions/gnome-strict>
include <abstractions/nameservice-strict>
include <abstractions/wayland>
network netlink raw,
@ -97,9 +95,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
/usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icons/{,**} r,
/usr/share/X11/xkb/** r,
/var/lib/gdm{3,}/.config/pulse/ rw,
/var/lib/gdm{3,}/.config/pulse/cookie rwk,
@ -108,8 +103,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm{3,}/.config/pulse/client.conf r,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
@{run}/udev/data/+backlight:* r,
@{run}/udev/data/+drm:card* r,
@{run}/udev/data/+leds:* r,

1
apparmor.d/groups/network/NetworkManager
View file

@ -95,6 +95,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
@{lib}/{,NetworkManager/}nm-openvpn-service rPx,
@{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx,
/usr/share/netplan/netplan.script rPx,
/usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
/ r,

2
apparmor.d/groups/ubuntu/subiquity-console-conf
View file

@ -93,7 +93,7 @@ profile subiquity-console-conf @{exec_path} {
/dev/tty rw,
/dev/tty@{int} rw,
/dev/ttyS[0-9]* rw,
/dev/ttyS@{int} rw,
profile journalctl {
include <abstractions/base>

4
apparmor.d/profiles-a-f/arduino
View file

@ -102,8 +102,8 @@ profile arduino @{exec_path} {
@{sys}/class/tty/ r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,manufacturer,serial,product} r,
/dev/ttyS[0-9]* rw,
/dev/ttyACM[0-9]* rw,
/dev/ttyS@{int} rw,
/dev/ttyACM@{int} rw,
# Silencer
deny /usr/share/arduino/** w,

2
apparmor.d/profiles-a-f/cups-backend-serial
View file

@ -14,5 +14,7 @@ profile cups-backend-serial @{exec_path} {
/etc/papersize r,
/dev/ttyS@{int} w,
include if exists <local/cups-backend-serial>
}

1
apparmor.d/profiles-a-f/cups-backend-snmp
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/cups/backend/snmp
profile cups-backend-snmp @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
network inet dgram,
network inet6 dgram,

2
apparmor.d/profiles-a-f/cupsd
View file

@ -66,7 +66,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
@{lib}/cups/driver/* rix,
@{lib}/cups/filter/* rix,
@{lib}/cups/monitor/* rix,
@{lib}/cups/notifier/* rix,
@{lib}/cups/notifier/* rPx,
/usr/share/cups/{,**} r,
/usr/share/ghostscript/{,**} r,

4
apparmor.d/profiles-a-f/fritzing
View file

@ -63,8 +63,8 @@ profile fritzing @{exec_path} {
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
@{run}/udev/data/c166:[0-9]* r, # for /dev/ttyACM[0-9]*
/dev/ttyS[0-9]* rw,
/dev/ttyACM[0-9]* rw,
/dev/ttyS@{int} rw,
/dev/ttyACM@{int} rw,
owner @{run}/lock/LCK..ttyACM[0-9]* rwk,

8
apparmor.d/profiles-g-l/hwinfo
View file

@ -54,9 +54,8 @@ profile hwinfo @{exec_path} {
/dev/nvram r,
/dev/psaux r,
/dev/console rw,
/dev/ttyS0 r,
/dev/ttyS1 r,
/dev/fb[0-9] r,
/dev/ttyS@{int} r,
/dev/fb@{int} r,
@{sys}/bus/{,**/} r,
@{sys}/class/*/ r,
@ -84,8 +83,7 @@ profile hwinfo @{exec_path} {
@{PROC}/cmdline r,
# file_inherit
/dev/ttyS0 r,
/dev/ttyS1 r,
/dev/ttyS@{int} r,
owner /tmp/hwinfo*.txt rw,
@{sys}/devices/pci[0-9]*/**/drm/card@{int}/ r,

2
apparmor.d/profiles-s-z/snap
View file

@ -86,7 +86,7 @@ profile snap @{exec_path} {
@{PROC}/version r,
/dev/tty@{int} rw,
/dev/ttyS[0-9]* rw,
/dev/ttyS@{int} rw,
deny @{user_share_dirs}/gvfs-metadata/* r,