mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 08:58:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Ubuntu compatibility, Debian polishing (#27)

Browse source
This commit is contained in:
nobodysu 2022-02-16 17:00:38 +00:00 committed by GitHub
parent 1143ea4d6d
commit d22aff27ac
Failed to generate hash of commit
1 changed files with 165 additions and 49 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

214
apparmor.d/profiles-m-r/qbittorrent
View file

@ -14,13 +14,20 @@ profile qbittorrent @{exec_path} {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/X> include <abstractions/X>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/gnome>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
include <abstractions/private-files-strict> include <abstractions/private-files-strict>
include <abstractions/qt5>
include <abstractions/qt5-compose-cache-write> include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write> include <abstractions/qt5-settings-write>
include <abstractions/dconf>
include <abstractions/ibus>
include <abstractions/dbus-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-accessibility-strict>
include <abstractions/wayland> include <abstractions/wayland>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/mesa> include <abstractions/mesa>
@ -28,6 +35,8 @@ profile qbittorrent @{exec_path} {
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access> include <abstractions/deny-root-dir-access>
include if exists <abstractions/ubuntu-unity7-base>
include if exists <abstractions/dbus-network-manager-strict>
signal (send) set=(term, kill) peer=qbittorrent//python3, signal (send) set=(term, kill) peer=qbittorrent//python3,
@ -46,10 +55,11 @@ profile qbittorrent @{exec_path} {
# Qbittorrent home dirs # Qbittorrent home dirs
owner @{user_config_dirs}/qBittorrent/ rw, owner @{user_config_dirs}/qBittorrent/ rw,
owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#[0-9]*[0-9], owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#[0-9]*[0-9],
owner @{user_share_dirs}/qBittorrent/ rw, owner @{user_share_dirs}/data/ rw,
owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/qBittorrent/**/#[0-9]*[0-9], owner @{user_share_dirs}/{,data/}qBittorrent/ rw,
owner @{user_share_dirs}/{,data/}qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#[0-9]*[0-9],
# Old dir, not recommended to use: # Old dir, not recommended to use:
deny owner @{user_share_dirs}/data/qBittorrent/ rw, # deny owner @{user_share_dirs}/data/qBittorrent/ rw,
# Cache dir # Cache dir
owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/ rw,
@ -73,17 +83,15 @@ profile qbittorrent @{exec_path} {
/dev/shm/#[0-9]*[0-9] rw, /dev/shm/#[0-9]*[0-9] rw,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pids}/fd/ r,
deny owner @{PROC}/@{pid}/cmdline r, deny owner @{PROC}/@{pids}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pids}/mountinfo r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pids}/mounts r,
owner @{PROC}/@{pids}/comm r,
deny @{PROC}/sys/kernel/random/boot_id r, deny @{PROC}/sys/kernel/random/boot_id r,
/usr/share/hwdata/pnp.ids r, /usr/share/hwdata/pnp.ids r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# TMP # TMP
owner /tmp/qtsingleapp-qBitto-* rw, owner /tmp/qtsingleapp-qBitto-* rw,
owner /tmp/qtsingleapp-qBitto-*-lockfile rwk, owner /tmp/qtsingleapp-qBitto-*-lockfile rwk,
@ -97,8 +105,102 @@ profile qbittorrent @{exec_path} {
owner /tmp/xauth-[0-9]*-_[0-9] rw, owner /tmp/xauth-[0-9]*-_[0-9] rw,
# file_inherit
owner /dev/tty[0-9]* rw,
# dconf write
owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/ICEauthority r,
# DBus
deny dbus send
bus=session
path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=ListMountableInfo,
dbus send
bus=session
path=/org/gtk/vfs/Daemon
interface=org.gtk.vfs.Daemon
member=ListMonitorImplementations,
dbus send
bus=session
path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=org.kde.StatusNotifierWatcher),
dbus send
bus=session
path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.kde.StatusNotifierWatcher),
dbus send
bus=session
path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem
peer=(name=org.kde.StatusNotifierWatcher),
dbus send
bus=session
path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member=NewToolTip
peer=(name=org.freedesktop.DBus),
dbus receive
bus=session
path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member=Activate
peer=(name=:*),
dbus receive
bus=session
path=/MenuBar
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus send
bus=session
path=/MenuBar
interface=com.canonical.dbusmenu
member=ItemsPropertiesUpdated
peer=(name=org.freedesktop.DBus),
dbus receive
bus=session
path=/MenuBar
interface=com.canonical.dbusmenu
member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}
peer=(name=:*),
dbus receive
bus=session
path=/StatusNotifierItem
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus send
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus),
dbus bind
bus=session
name=org.kde.StatusNotifierItem-*,
# Launch external apps # Launch external apps
/{usr/,}bin/xdg-open rCx -> open, /{usr/,}bin/xdg-{open,mime} rCx -> open,
# Allowed apps to open # Allowed apps to open
/{usr/,}bin/spacefm rPx, /{usr/,}bin/spacefm rPx,
@ -110,10 +212,58 @@ profile qbittorrent @{exec_path} {
/{usr/,}bin/qpdfview rPx, /{usr/,}bin/qpdfview rPx,
/{usr/,}bin/ebook-viewer rPx, /{usr/,}bin/ebook-viewer rPx,
/{usr/,}lib/firefox/firefox rPx, /{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/nautilus rPx,
# file_inherit profile open {
owner /dev/tty[0-9]* rw, include <abstractions/base>
include <abstractions/xdg-open>
include if exists <abstractions/ubuntu-unity7-base>
/{usr/,}bin/xdg-open mr,
# Allowed apps to open
/{usr/,}bin/spacefm rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/vlc rPx,
/{usr/,}bin/mpv rPx,
/{usr/,}bin/geany rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/ebook-viewer rPx,
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/{ba,da,}sh rix,
/{usr/,}bin/{g,m,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/xfce4-mime-helper rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# file_inherit
owner @{MOUNTS}/*/torrent/** r,
owner @{MOUNTS}/*/torrent/**.[0-9a-f]*.parts rw,
owner "@{MOUNTS}/*/torrent/**.!qB" rw,
owner @{HOME}/.xsession-errors w,
dbus send
bus=session
path=/org/gtk/vfs/Daemon
interface=org.gtk.vfs.Daemon
member=ListMonitorImplementations,
dbus send
bus=session
path=/org/gnome/{Nautilus,Totem,gedit}
interface=org.freedesktop.Application
member=Open
peer=(name="org.gnome.{Nautilus,Totem,gedit}"),
include if exists <local/qbittorrent_open>
}
profile python3 { profile python3 {
include <abstractions/base> include <abstractions/base>
@ -132,7 +282,7 @@ profile qbittorrent @{exec_path} {
/{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/python3.[0-9]* r,
owner @{user_share_dirs}/qBittorrent/nova[0-9]/{,**} rw, owner @{user_share_dirs}/{,data/}qBittorrent/nova[0-9]/{,**} rw,
# Used while searching for torrents # Used while searching for torrents
owner /dev/shm/sem.mp-* rwl -> /dev/shm/[0-9]*[0-9], owner /dev/shm/sem.mp-* rwl -> /dev/shm/[0-9]*[0-9],
@ -146,41 +296,7 @@ profile qbittorrent @{exec_path} {
owner @{MOUNTS}/*/torrent/** r, owner @{MOUNTS}/*/torrent/** r,
deny /dev/dri/card[0-9]* rw, deny /dev/dri/card[0-9]* rw,
} include if exists <local/qbittorrent_python3>
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}bin/spacefm rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/vlc rPx,
/{usr/,}bin/mpv rPx,
/{usr/,}bin/geany rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/ebook-viewer rPx,
/{usr/,}lib/firefox/firefox rPx,
# file_inherit
owner @{MOUNTS}/*/torrent/** r,
owner @{MOUNTS}/*/torrent/**.[0-9a-f]*.parts rw,
owner "@{MOUNTS}/*/torrent/**.!qB" rw,
owner @{HOME}/.xsession-errors w,
} }
include if exists <local/qbittorrent> include if exists <local/qbittorrent>