mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-14 23:43:56 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat(profile): general update.

Browse Source
This commit is contained in:
Alexandre Pujol 2024-03-15 16:07:53 +00:00
parent 9f3be7a96d
commit cf4e47f10f
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
22 changed files with 75 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apparmor.d/groups/apt/apt-helper
View File

@ -23,6 +23,8 @@ profile apt-helper @{exec_path} {
include <abstractions/base>
include <abstractions/systemctl>
capability net_admin,
include if exists <local/apt-helper_systemctl>
}

2
apparmor.d/groups/apt/unattended-upgrade
View File

@ -92,6 +92,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
/var/cache/apt/{,**} rwk,
/var/lib/apt/extended_states{,.*} rw,
/var/lib/apt/lists/ rw,
/var/lib/apt/lists/partial/ rw,
/var/lib/apt/periodic/ w,
/var/log/apt/{term,history}.log w,
/var/log/apt/eipp.log.xz w,

8
apparmor.d/groups/bus/ibus-daemon
View File

@ -21,12 +21,8 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
unix (send, receive, accept) type=stream addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????" peer=(label=ibus-*),
unix (send, receive, accept) type=stream addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????" peer=(label=gnome-shell),
dbus bind bus=session name=org.freedesktop.portal.IBus,
dbus bind bus=session name=org.freedesktop.IBus,
dbus send bus=session path=/org/freedesktop/IBus
interface=org.freedesktop.DBus.Peer
peer=(name=org.freedesktop.portal.IBus), # all members, all peer's labels
# dbus: own bus=session name=org.freedesktop.portal.IBus
# dbus: own bus=session name=org.freedesktop.IBus
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable

6
apparmor.d/groups/freedesktop/pipewire
View File

@ -51,10 +51,12 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
owner @{user_config_dirs}/pipewire/pipewire-pulse.conf r,
owner @{user_config_dirs}/pipewire/pipewire.conf r,
owner /tmp/librnnoise-@{int}.so rm,
owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk,
owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk,
owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk,
owner @{run}/user/@{uid}/pulse/pid rw,
@{run}/udev/data/c81:@{int} r, # For video4linux
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511

10
apparmor.d/groups/freedesktop/pulseaudio
View File

@ -22,12 +22,10 @@ profile pulseaudio @{exec_path} {
include <abstractions/dconf-write>
include <abstractions/dri>
include <abstractions/fontconfig-cache-write>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/desktop>
include <abstractions/gstreamer>
include <abstractions/hosts_access>
include <abstractions/nameservice-strict>
include <abstractions/X-strict>
ptrace (trace) peer=@{profile_name},
@ -89,6 +87,8 @@ profile pulseaudio @{exec_path} {
/usr/share/ladspa/rdf/{,*} r,
/usr/share/pulseaudio/{,**} r,
/etc/pulse/{,**} r,
/var/lib/snapd/desktop/applications/ r,
# For GDM
@ -117,8 +117,8 @@ profile pulseaudio @{exec_path} {
owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin r,
owner @{run}/user/@{uid}/ rw,
owner @{run}/user/@{uid}/pulse/{,*} rw,
owner @{run}/user/@{uid}/pulse/*.lock k,
owner @{run}/user/@{uid}/pulse/ rw,
owner @{run}/user/@{uid}/pulse/** rwk,
owner @{run}/user/@{uid}/systemd/notify rw,
@{run}/systemd/users/@{uid} r,

2
apparmor.d/groups/freedesktop/xorg
View File

@ -36,7 +36,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
signal (receive) peer=sddm,
signal (receive) peer=xinit,
signal (receive) set=hup peer=gdm-session-worker,
signal (receive) set=term peer=gdm{,-x-session},
signal (receive) set=term peer=gdm{,-session},
unix (bind, listen) type=stream addr=@/tmp/.X11-unix/*,
unix (send, receive, accept) type=stream addr=@/tmp/.X11-unix/*, # all peers

6
apparmor.d/groups/gnome/gnome-initial-setup
View File

@ -18,6 +18,8 @@ profile gnome-initial-setup @{exec_path} {
include <abstractions/graphics>
include <abstractions/nameservice-strict>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@ -40,8 +42,8 @@ profile gnome-initial-setup @{exec_path} {
/var/lib/gdm{,3}/greeter-dconf-defaults r,
@{run}/systemd/sessions/@{int} r,
owner @{run}/systemd/users/@{uid} r,
@{run}/systemd/sessions/@{int} r,
@{run}/systemd/users/@{uid} r,
owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,

6
apparmor.d/groups/gnome/gsd-media-keys
View File

@ -16,6 +16,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.hostname1>
include <abstractions/bus/org.freedesktop.login1>
include <abstractions/bus/org.freedesktop.UPower>
include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/bus/org.gtk.vfs.MountTracker>
@ -35,11 +36,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
member=PowerOff
peer=(name=:*, label=systemd-logind),
dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=upowerd),
dbus send bus=session path=/org/gnome/Shell
interface=org.freedesktop.DBus.Properties
member=GetAll

2
apparmor.d/groups/gnome/mutter-x11-frames
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{lib}/mutter-x11-frames
profile mutter-x11-frames @{exec_path} {
profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>

1
apparmor.d/groups/grub/grub-mkrelpath
View File

@ -21,6 +21,7 @@ profile grub-mkrelpath @{exec_path} {
/ r,
/usr/share/grub/* r,
/boot/ r,
/boot/grub/themes/{,**} r,
/tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r,

4
apparmor.d/groups/kde/konsole
View File

@ -30,6 +30,7 @@ profile konsole @{exec_path} flags=(attach_disconnected) {
/usr/share/color-schemes/{,**} r,
/usr/share/kf6/{,**} r,
/usr/share/knotifications{5,6}/konsole.notifyrc r,
/usr/share/knotifications{5,6}/plasma_workspace.notifyrc r,
/usr/share/konsole/{,**} r,
/usr/share/sounds/** r,
@ -49,7 +50,8 @@ profile konsole @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_share_dirs}/konsole/{,**} rwlk,
owner @{user_share_dirs}/konsole/ rw,
owner @{user_share_dirs}/konsole/** rwlk,
owner /tmp/#@{int} rw,
owner /tmp/konsole.@{rand6} rw,

6
apparmor.d/groups/kde/plasmashell
View File

@ -31,6 +31,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
include <abstractions/nameservice-strict>
include <abstractions/qt5-shader-cache>
include <abstractions/recent-documents-write>
include <abstractions/ssl_certs>
include <abstractions/thumbnails-cache-read>
# userns,
@ -39,6 +40,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
ptrace (read) peer=akonadi*,
@ -114,6 +116,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwlk -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/plasmashell/ rw,
owner @{user_cache_dirs}/plasmashell/** rwkl -> @{user_cache_dirs}/plasmashell/**,
owner @{user_cache_dirs}/org.kde.*/ rw,
owner @{user_cache_dirs}/org.kde.*/** rwlk,
owner @{user_config_dirs}/{KDE,kde.org}/ rw,
owner @{user_config_dirs}/{KDE,kde.org}/** rwkl -> @{user_config_dirs}/{KDE,kde.org}/#@{int},
@ -160,6 +164,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_share_dirs}/plasma/plasmoids/{,**} r,
owner @{user_share_dirs}/plasmashell/** rwkl -> @{user_share_dirs}/plasmashell/**,
owner @{user_share_dirs}/user-places.xbel{,*} rwl,
owner @{user_share_dirs}/libkunitconversion/ rw,
owner @{user_share_dirs}/libkunitconversion/** rwlk,
/tmp/.mount_nextcl@{rand6}/{,*} r,
owner /tmp/#@{int} rw,

1
apparmor.d/groups/kde/utempter
View File

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,@{multiarch}/}utempter/utempter
profile utempter @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>

4
apparmor.d/groups/pacman/pacman
View File

@ -130,6 +130,8 @@ profile pacman @{exec_path} {
owner /tmp/checkup-db-@{int}/sync/{,*.db*} rw,
owner /tmp/checkup-db-@{int}/db.lck rw,
@{run}/utmp rk,
@{PROC}/@{pids}/ r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
@ -140,8 +142,6 @@ profile pacman @{exec_path} {
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
@{run}/utmp rk,
/dev/tty@{int} rw,
owner /dev/pts/@{int} rw,

7
apparmor.d/groups/ssh/ssh-agent
View File

@ -35,9 +35,10 @@ profile ssh-agent @{exec_path} {
owner /tmp/ssh-*/ rw,
owner /tmp/ssh-*/agent.* rw,
@{run}/user/@{uid}/openssh_agent rw,
@{run}/user/@{uid}/keyring/.ssh rw,
@{run}/user/@{uid}/ssh-agent.[0-9A-Z]* w,
owner @{run}/user/@{uid}/keyring/.ssh rw,
owner @{run}/user/@{uid}/openssh_agent rw,
owner @{run}/user/@{uid}/ssh-agent.@{rand6} w,
owner @{run}/user/@{uid}/gcr/.ssh w,
/dev/tty@{int} rw,

1
apparmor.d/groups/systemd/systemd-generator-ds-identify
View File

@ -25,6 +25,7 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) {
/etc/cloud/{,**} r,
@{run}/cloud-init/{,.}ds-identify.* rw,
@{run}/cloud-init/cloud.cfg rw,
@{sys}/devices/virtual/dmi/id/chassis_asset_tag r,
@{sys}/devices/virtual/dmi/id/product_name r,

1
apparmor.d/groups/systemd/systemd-id128
View File

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/systemd-id128
profile systemd-id128 @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,

6
apparmor.d/groups/systemd/systemd-machined
View File

@ -24,6 +24,12 @@ profile systemd-machined @{exec_path} {
capability sys_chroot,
capability sys_ptrace,
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
network netlink raw,
# dbus: own bus=system name=org.freedesktop.machine1
# dbus: talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"

5
apparmor.d/groups/systemd/systemd-oomd
View File

@ -15,13 +15,16 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
capability dac_override,
capability kill,
unix (bind) type=stream addr=@@{hex}/bus/systemd-oomd/bus-api-oom,
# dbus: own bus=system name=org.freedesktop.oom1
@{exec_path} mr,
/etc/systemd/oomd.conf r,
@{run}/systemd/io.system.ManagedOOM rw,
@{run}/systemd/io.system.ManagedOOM rw,
@{run}/systemd/io.systemd.ManagedOOM rw,
@{run}/systemd/notify rw,
owner @{run}/systemd/journal/socket w,

18
apparmor.d/groups/systemd/systemd-portabled
View File

@ -11,8 +11,26 @@ profile systemd-portabled @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability kill,
capability mknod,
capability setgid,
capability sys_admin,
capability sys_chroot,
capability sys_ptrace,
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
network netlink raw,
# dbus: own bus=system name=org.freedesktop.portable1
@{exec_path} mr,
/var/lib/portables/{,**} rw,

2
apparmor.d/profiles-a-f/cctk
View File

@ -23,10 +23,12 @@ profile cctk @{exec_path} {
/opt/dell/srvadmin/lib64/*.so* rm,
/opt/dell/srvadmin/var/lib/openmanage/.ipc/* rwk,
@{sys}/devices/platform/dcdbas/smi_data* rwk,
@{sys}/firmware/dmi/tables/DMI r,
@{sys}/firmware/dmi/tables/smbios_entry_point r,
@{sys}/firmware/efi/systab r,
/dev/mem r,
/dev/wmi/dell-smbios r,
include if exists <local/cctk>

4
apparmor.d/profiles-s-z/unix-chkpwd
View File

@ -21,6 +21,10 @@ profile unix-chkpwd @{exec_path} {
/etc/shadow r,
# systemd userdb, used in nspawn
@{run}/host/userdb/*.user r,
@{run}/host/userdb/*.user-privileged r,
owner /dev/tty@{int} rw,
include if exists <local/unix-chkpwd>