mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 17:08:09 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profile): general update.

Browse source
This commit is contained in:
Alexandre Pujol 2024-02-07 13:50:40 +00:00
parent 9b705ab76c
commit cdaf72eb3d
Failed to generate hash of commit
22 changed files with 31 additions and 63 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
apparmor.d/groups/bus/ibus-memconf
View file

@ -17,6 +17,7 @@ profile ibus-memconf @{exec_path} {
@{exec_path} mr,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/var/lib/gdm{3,}/.config/ibus/bus/ r,
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,

4
apparmor.d/groups/freedesktop/pipewire-media-session
View file

@ -33,7 +33,7 @@ profile pipewire-media-session @{exec_path} {
/usr/share/alsa-card-profile/{,**} r,
/usr/share/pipewire/*.conf r,
/usr/share/pipewire/media-session.d/{,**} r,
/usr/share/spa-*/bluez[0-9]*/{,*} r,
/usr/share/spa-*/bluez@{int}/{,*} r,
/etc/pipewire/*.conf r,
/etc/pipewire/media-session.d/*.conf r,
@ -48,7 +48,7 @@ profile pipewire-media-session @{exec_path} {
owner @{user_config_dirs}/pipewire/** rw,
owner @{user_config_dirs}/pulse/ rw,
owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
owner @{run}/user/@{uid}/pipewire-@{int} rw,
@{run}/udev/data/c116:@{int} r, # for ALSA

3
apparmor.d/groups/freedesktop/pulseaudio
View file

@ -20,8 +20,7 @@ profile pulseaudio @{exec_path} {
include <abstractions/bus/org.freedesktop.RealtimeKit1>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/dri>
include <abstractions/fontconfig-cache-write>
include <abstractions/fonts>
include <abstractions/freedesktop.org>

2
apparmor.d/groups/freedesktop/xdg-desktop-portal
View file

@ -82,7 +82,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
owner /tmp/icon* rw,
owner @{run}/user/@{uid}/.flatpak/{,*/*} r,
owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
owner @{run}/user/@{uid}/pipewire-@{int} rw,
@{PROC}/ r,
@{PROC}/*/ r,

3
apparmor.d/groups/gnome/gnome-control-center
View file

@ -72,7 +72,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/usr/share/thumbnailers/{,*} r,
/usr/share/wallpapers/{,**} r,
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
/usr/share/zoneinfo/{,**} r,
/etc/cups/client.conf r,
/etc/machine-info r,
@ -111,7 +110,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w,
owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
owner @{run}/user/@{uid}/pipewire-@{int} rw,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
@{run}/cups/cups.sock rw,
@{run}/samba/ rw,

3
apparmor.d/groups/gnome/gnome-session-binary
View file

@ -115,8 +115,9 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
@{etc_ro}/xdg/autostart/{,*.desktop} r,
/var/lib/gdm{3,}/.cache/gdm/Xauthority r,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/.config/dconf/user rw,
/var/lib/gdm{3,}/.config/gnome-session/ rw,
/var/lib/gdm{3,}/.config/gnome-session/saved-session/ rw,
/var/lib/gdm{3,}/.local/share/applications/{,**} r,

1
apparmor.d/groups/ssh/sshd
View file

@ -105,7 +105,6 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pids}/fd/ r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/ngroups_max r,
owner @{PROC}/@{pid}/limits r,
owner @{PROC}/@{pid}/loginuid rw,
owner @{PROC}/@{pid}/mounts r,

16
apparmor.d/groups/systemd/systemd-user-generators-flatpak
View file

@ -1,16 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{lib}/systemd/user-environment-generators/60-flatpak
profile systemd-generator-user-environment-flatpak @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/systemd-generator-user-environment-flatpak>
}

2
apparmor.d/profiles-g-l/gsettings
View file

@ -18,7 +18,7 @@ profile gsettings @{exec_path} {
/usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/.config/dconf/user rw,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
/dev/tty@{int} rw,

2
apparmor.d/profiles-g-l/ip
View file

@ -35,8 +35,8 @@ profile ip @{exec_path} flags=(attach_disconnected) {
/etc/iproute2/{,**} r,
/etc/netns/*/ r,
owner @{run}/netns/ rw,
@{run}/netns/* rw,
owner @{run}/netns/ rw,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/net/dev_mcast r,

1
apparmor.d/profiles-m-r/mount-nfs
View file

@ -60,7 +60,6 @@ profile mount-nfs @{exec_path} flags=(complain) {
owner @{run}/mount/utab{,.*} rw,
owner @{run}/rpc.statd.lock wk,
@{PROC}/filesystems r,
owner @{PROC}/@{pid}/mountinfo r,
include if exists <local/mount-nfs>

33
apparmor.d/profiles-m-r/qbittorrent
View file

@ -7,9 +7,6 @@ abi <abi/3.0>,
include <tunables/global>
@{FIREFOX_BIN} = @{lib}/firefox{,-esr}/firefox
@{FIREFOX_BIN} += /opt/firefox{,-esr}/firefox
@{exec_path} = @{bin}/qbittorrent
profile qbittorrent @{exec_path} {
include <abstractions/base>
@ -20,25 +17,17 @@ profile qbittorrent @{exec_path} {
include <abstractions/bus/org.kde.StatusNotifierWatcher>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/desktop>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/graphics>
include <abstractions/ibus>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/nvidia>
include <abstractions/openssl>
include <abstractions/private-files-strict>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/qt5>
include <abstractions/ssl_certs>
include <abstractions/user-download-strict>
include <abstractions/wayland>
include <abstractions/X-strict>
signal send set=(term, kill) peer=qbittorrent//python3,
@ -82,21 +71,19 @@ profile qbittorrent @{exec_path} {
@{bin}/python3.@{int} rCx -> python, # For "search engine"
# Allowed apps to open
@{bin}/spacefm rPx,
@{bin}/smplayer rPx,
@{bin}/vlc rPx,
@{bin}/mpv rPx,
@{bin}/geany rPx,
@{bin}/viewnior rPUx,
@{bin}/qpdfview rPx,
@{bin}/ebook-viewer rPx,
@{bin}/geany rPx,
@{bin}/mpv rPx,
@{bin}/nautilus rPx,
@{FIREFOX_BIN} rPx,
@{bin}/qpdfview rPx,
@{bin}/smplayer rPx,
@{bin}/spacefm rPx,
@{bin}/viewnior rPUx,
@{bin}/vlc rPx,
@{browsers_path} rPx,
/usr/share/GeoIP/GeoIP.dat r,
/usr/share/gvfs/remote-volume-monitors/{,*} r,
/usr/share/hwdata/*.ids r,
/usr/share/qt5ct/** r,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/#@{int} rw,

1
apparmor.d/profiles-s-z/spice-vdagent
View file

@ -40,6 +40,7 @@ profile spice-vdagent @{exec_path} {
/etc/pipewire/client.conf r,
/var/lib/gdm{3,}/.config/user-dirs.dirs r,
/var/lib/nscd/passwd r,
owner @{user_config_dirs}/user-dirs.dirs r,

2
apparmor.d/profiles-s-z/update-ca-certificates
View file

@ -56,8 +56,6 @@ profile update-ca-certificates @{exec_path} {
/tmp/ r,
owner /tmp/ca-certificates{,.crt}.tmp.* rw,
@{PROC}/filesystems r,
/dev/tty rw,
include if exists <local/update-ca-certificates>

2
apparmor.d/profiles-s-z/wireplumber
View file

@ -38,7 +38,7 @@ profile wireplumber @{exec_path} {
/opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr,
/usr/share/alsa-card-profile/{,**} r,
/usr/share/spa-*/bluez[0-9]*/{,*} r,
/usr/share/spa-*/bluez@{int}/{,*} r,
/usr/share/wireplumber/{,**} r,
/etc/machine-id r,