mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-15 07:54:17 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat(profile): general update.

Browse Source
This commit is contained in:
Alexandre Pujol 2024-06-10 23:58:44 +01:00
parent b4407fb7f8
commit d283ef5196
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
17 changed files with 62 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
apparmor.d/groups/apt/debsign
View File

@ -55,6 +55,7 @@ profile debsign @{exec_path} {
owner @{tmp}/debsign.*/*.{dsc,changes,buildinfo} r,
owner @{tmp}/debsign.*/*.{dsc,changes,buildinfo}.asc rw,
include if exists <local/debsign_gpg>
}
include if exists <local/debsign>

14
apparmor.d/groups/apt/debsums
View File

@ -20,13 +20,6 @@ profile debsums @{exec_path} {
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
/etc/dpkg/dpkg.cfg.d/{,*} r,
/etc/dpkg/dpkg.cfg r,
/var/lib/dpkg/info/* r,
/etc/locale.nopurge r,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
@ -35,6 +28,13 @@ profile debsums @{exec_path} {
@{bin}/dpkg rPx -> child-dpkg,
@{bin}/dpkg-divert rPx -> child-dpkg-divert,
/etc/dpkg/dpkg.cfg.d/{,*} r,
/etc/dpkg/dpkg.cfg r,
/etc/locale.nopurge r,
/var/lib/dpkg/info/* r,
# For shell pwd
/ r,
/root/ r,

2
apparmor.d/groups/apt/dpkg-divert
View File

@ -16,7 +16,7 @@ profile dpkg-divert @{exec_path} {
/var/lib/dpkg/** r,
/usr/share/*/** w,
/usr/share/*/** rw,
/var/lib/dpkg/diversions rw,
/var/lib/dpkg/diversions-new rw,

10
apparmor.d/groups/browsers/firefox-minidump-analyzer
View File

@ -15,7 +15,7 @@ include <tunables/global>
@{cache_dirs} = @{user_cache_dirs}/mozilla/
@{exec_path} = @{lib_dirs}/minidump-analyzer
profile firefox-minidump-analyzer @{exec_path} {
profile firefox-minidump-analyzer @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
signal (receive) set=(term, kill) peer=firefox,
@ -27,10 +27,10 @@ profile firefox-minidump-analyzer @{exec_path} {
owner "@{config_dirs}/firefox/Crash Reports/" rw,
owner "@{config_dirs}/firefox/Crash Reports/pending/" rw,
owner "@{config_dirs}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw,
owner @{config_dirs}/*.*/extensions/*.xpi r,
owner @{config_dirs}/*.*/minidumps/ rw,
owner @{config_dirs}/*.*/minidumps/@{uuid}.{dmp,extra} rw,
owner @{config_dirs}/*.*/storage/default/* r,
owner @{config_dirs}/{,firefox/}*.*/extensions/*.xpi r,
owner @{config_dirs}/{,firefox/}*.*/minidumps/ rw,
owner @{config_dirs}/{,firefox/}*.*/minidumps/@{uuid}.{dmp,extra} rw,
owner @{config_dirs}/{,firefox/}*.*/storage/default/* r,
owner @{cache_dirs}/firefox/*.*/startupCache/*Cache* r,

4
apparmor.d/groups/bus/ibus-memconf
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{lib}/{,ibus/}ibus-memconf
profile ibus-memconf @{exec_path} {
profile ibus-memconf @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/bus/org.gtk.vfs.MountTracker>
@ -27,5 +27,7 @@ profile ibus-memconf @{exec_path} {
owner @{desktop_config_dirs}/ibus/bus/ r,
owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
owner /dev/tty@{int} rw,
include if exists <local/ibus-memconf>
}

41
apparmor.d/groups/cron/cron-popularity-contest
View File

@ -49,6 +49,7 @@ profile cron-popularity-contest @{exec_path} {
/var/log/popularity-contest{,.new} rw,
/var/log/popularity-contest{,.new}.gpg rw,
/var/log/popularity-contest.@{int} rw,
/var/log/popularity-contest.@{int}.gpg rw,
# Store last successful http submission timestamp
/var/lib/popularity-contest/ rw,
@ -66,15 +67,14 @@ profile cron-popularity-contest @{exec_path} {
@{bin}/savelog mr,
@{bin}/date rix,
@{bin}/basename rix,
@{bin}/which{,.debianutils} rix,
@{bin}/date rix,
@{bin}/dirname rix,
@{bin}/rm rix,
@{bin}/mv rix,
@{bin}/touch rix,
@{bin}/gzip rix,
@{bin}/mv rix,
@{bin}/rm rix,
@{bin}/touch rix,
@{bin}/which{,.debianutils} rix,
@{sh_path} rix,
/var/log/ r,
@ -82,9 +82,9 @@ profile cron-popularity-contest @{exec_path} {
/var/log/popularity-contest.@{int} rw,
/var/log/popularity-contest rw,
# file_inherit
owner @{tmp}/#@{int} rw,
owner @{tmp}/#@{int} rw, # file_inherit
include if exists <local/cron-popularity-contest_savelog>
}
profile runuser {
@ -96,19 +96,18 @@ profile cron-popularity-contest @{exec_path} {
@{bin}/runuser mr,
@{sh_path} rix,
@{bin}/popularity-contest rPx,
owner @{PROC}/@{pids}/loginuid r,
@{PROC}/1/limits r,
@{bin}/popularity-contest rPx,
@{etc_ro}/security/limits.d/ r,
/var/log/popularity-contest.new w,
# file_inherit
owner @{tmp}/#@{int} rw,
@{PROC}/1/limits r,
owner @{PROC}/@{pids}/loginuid r,
owner @{tmp}/#@{int} rw, # file_inherit
include if exists <local/cron-popularity-contest_runuser>
}
profile gpg {
@ -126,9 +125,9 @@ profile cron-popularity-contest @{exec_path} {
owner @{tmp}/tmp.*/** rwkl -> /tmp/tmp.*/**,
# file_inherit
owner @{tmp}/#@{int} rw,
owner @{tmp}/#@{int} rw, # file_inherit
include if exists <local/cron-popularity-contest_gpg>
}
profile popcon-upload {
@ -142,18 +141,18 @@ profile cron-popularity-contest @{exec_path} {
network inet6 stream,
network netlink raw,
/usr/share/popularity-contest/popcon-upload r,
@{bin}/perl r,
@{bin}/gzip rix,
/usr/share/popularity-contest/popcon-upload r,
/var/log/ r,
/var/log/popularity-contest.new.gpg r,
/var/log/popularity-contest.@{int}.gpg r,
# file_inherit
owner @{tmp}/#@{int} rw,
owner @{tmp}/#@{int} rw, # file_inherit
include if exists <local/cron-popularity-contest_/popcon-upload>
}
include if exists <local/cron-popularity-contest>

2
apparmor.d/groups/gnome/gdm-generate-config
View File

@ -41,7 +41,7 @@ profile gdm-generate-config @{exec_path} {
@{sys}/devices/system/node/node@{int}/meminfo r,
@{PROC}/ r,
@{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/stat r,
@{PROC}/uptime r,

2
apparmor.d/groups/gnome/gnome-shell
View File

@ -407,6 +407,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/usr/games/* PUx,
/usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx,
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
deny @{user_share_dirs}/gvfs-metadata/* r,
include if exists <local/gnome-shell_open>

3
apparmor.d/groups/gnome/gnome-software
View File

@ -99,6 +99,9 @@ profile gnome-software @{exec_path} {
owner @{run}/user/@{uid}/.flatpak/**/*.ref rwk,
owner @{run}/user/@{uid}/app/{,*/} rw,
owner /dev/shm/flatpak-com.*/ rw,
owner /dev/shm/flatpak-com.*/.flatpak-tmpdir rw,
@{run}/systemd/inhibit/*.ref rw,
@{sys}/module/nvidia/version r,

1
apparmor.d/groups/virt/libvirtd
View File

@ -206,6 +206,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/system/cpu/cpu@{int}/cache/{,**} r,
@{sys}/devices/system/cpu/cpu@{int}/topology/{,**} r,
@{sys}/devices/system/cpu/isolated r,
@{sys}/devices/system/cpu/present r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/ r,

3
apparmor.d/profiles-a-f/cups-notifier-dbus
View File

@ -11,14 +11,13 @@ profile cups-notifier-dbus @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/cups-client>
include <abstractions/nameservice-strict>
signal (receive) set=(term) peer=cupsd,
@{exec_path} mr,
/etc/cups/client.conf r,
owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw,
owner @{tmp}/cups-dbus-notifier-lockfile rwk,

3
apparmor.d/profiles-a-f/flatpak-portal
View File

@ -34,6 +34,9 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
/ r,
/.flatpak-info r,
owner @{HOME}/.var/app/*/**/.ref rw,
owner @{HOME}/.var/app/*/**/logs/* rw,
owner @{user_config_dirs}/user-dirs.dirs r,
owner @{user_share_dirs}/mime/mime.cache r,

2
apparmor.d/profiles-g-l/kodi-xrandr
View File

@ -16,7 +16,7 @@ profile kodi-xrandr @{exec_path} {
owner @{HOME}/.Xauthority r,
# file_inherit
@{sys}/devices/virtual/thermal/thermal_zone0/temp r,
@{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r,
@{sys}/devices/system/cpu/cpufreq/policy0/scaling_cur_freq r,
owner @{HOME}/.kodi/temp/kodi.log w,

5
apparmor.d/profiles-g-l/libreoffice
View File

@ -52,13 +52,17 @@ profile libreoffice @{exec_path} {
@{lib}/libreoffice/share/uno_packages/cache/stamp.sys w,
@{lib}/libreoffice/{,**} rm,
/usr/share/hyphen/{,**} r,
/usr/share/libexttextcat/{,**} r,
/usr/share/liblangtag/{,**} r,
/usr/share/libreoffice/{,**} r,
/usr/share/mythes/{,**} r,
/etc/java-openjdk/{,**} r,
/etc/libreoffice/{,**} r,
/etc/paperspecs r,
owner @{user_cache_dirs}/libreoffice/{,**} rw,
owner @{user_config_dirs}/libreoffice/ rw,
owner @{user_config_dirs}/libreoffice/** rwk,
@ -75,6 +79,7 @@ profile libreoffice @{exec_path} {
@{sys}/kernel/mm/transparent_hugepage/enabled r,
@{sys}/kernel/mm/transparent_hugepage/shmem_enabled r,
owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/app.slice/**/memory.max r,
owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r,
@{PROC}/cgroups r,
owner @{PROC}/@{pid}/cgroup r,

2
apparmor.d/profiles-m-r/mkinitramfs
View File

@ -59,7 +59,7 @@ profile mkinitramfs @{exec_path} {
@{bin}/kmod rCx -> kmod,
@{bin}/ldconfig rCx -> ldconfig,
@{bin}/ldd rCx -> ldd,
@{lib}/ld-linux.so.2 rCx -> ldd,
@{lib}/ld-linux.so* rCx -> ldd,
@{bin}/dpkg rPx -> child-dpkg,
@{bin}/linux-version rPx,

4
apparmor.d/profiles-m-r/qpdfview
View File

@ -61,6 +61,4 @@ profile qpdfview @{exec_path} {
owner /dev/tty@{int} rw,
include if exists <local/qpdfview>
}
}

6
apparmor.d/profiles-s-z/wsdd
View File

@ -11,6 +11,10 @@ profile wsdd @{exec_path} {
include <abstractions/base>
include <abstractions/python>
network inet dgram,
network inet6 dgram,
network netlink raw,
@{exec_path} mr,
@{bin}/env r,
@ -18,6 +22,8 @@ profile wsdd @{exec_path} {
/etc/machine-id r,
owner /var/lib/libuuid/clock.txt rw,
owner @{run}/user/@{uid}/gvfsd/wsdd w,
include if exists <local/wsdd>