feat(profile): update & enable profiles in the apps group.

see #471
This commit is contained in:
Alexandre Pujol 2024-09-09 19:40:42 +01:00
parent 2af1d06f18
commit d4e380ad46
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
12 changed files with 115 additions and 70 deletions


@ -7,23 +7,22 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/calibre{,-parallel,-debug,-server,-smtp,-complete,-customize}
@{exec_path} += @{bin}/calibredb
@{exec_path} += @{bin}/ebook{-viewer,-edit,-device,-meta,-polish,-convert}
@{exec_path} = @{bin}/calibre{,-*} @{bin}/calibredb @{bin}/ebook{,-*}
@{exec_path} += @{bin}/fetch-ebook-metadata
@{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer
@{exec_path} += @{bin}/web2disk
@{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer @{bin}/web2disk
profile calibre @{exec_path} {
include <abstractions/base>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/bus/org.a11y>
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/common/chromium>
include <abstractions/bus/org.freedesktop.UDisks2>
include <abstractions/bus/org.kde.StatusNotifierWatcher>
include <abstractions/desktop>
include <abstractions/devices-usb>
include <abstractions/fontconfig-cache-read>
include <abstractions/graphics>
include <abstractions/gstreamer>
include <abstractions/nameservice-strict>
include <abstractions/python>
include <abstractions/qt5-compose-cache-write>
@ -45,20 +44,19 @@ profile calibre @{exec_path} {
unix (bind) type=stream addr="@calibre-*",
@{exec_path} mrix,
@{bin}/python3.@{int} r,
@{bin}/ldconfig{,.real} rix,
@{sh_path} rix,
@{python_path} rix,
@{bin}/file rix,
@{bin}/ldconfig{,.real} rix,
@{bin}/uname rix,
@{lib}/@{multiarch}/qt5/libexec/QtWebEngineProcess rix,
@{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix,
@{bin}/pdftoppm rPUx, # (#FIXME#)
@{bin}/pdfinfo rPUx,
@{bin}/pdftohtml rPUx,
@{bin}/xdg-open rPx -> child-open,
@{bin}/xdg-mime rPx,
@{open_path} rPx -> child-open,
/usr/share/calibre/{,**} r,
@ -79,16 +77,11 @@ profile calibre @{exec_path} {
owner @{user_config_dirs}/calibre/** rwk,
owner @{user_share_dirs}/calibre-ebook.com/ rw,
owner @{user_share_dirs}/calibre-ebook.com/calibre/ rw,
owner @{user_share_dirs}/calibre-ebook.com/calibre/** rwk,
owner @{user_share_dirs}/calibre-ebook.com/** rwk,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/calibre/ rw,
owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**,
owner @{user_cache_dirs}/gstreamer-@{int}/ rw,
owner @{user_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw,
owner @{tmp}/calibre_*_tmp_*/{,**} rw,
owner @{tmp}/calibre-*/{,**} rw,
owner @{tmp}/@{int}-*/ rw,
@ -98,18 +91,31 @@ profile calibre @{exec_path} {
@{sys}/devices/@{pci}/irq r,
@{PROC}/ r,
@{PROC}/@{pids}/net/route r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/vmstat r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/ r,
@{PROC}/@{pids}/net/route r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/vmstat r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/comm r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pid}/stat{,m} r,
owner @{PROC}/@{pid}/stat{,m} r,
owner @{PROC}/@{pid}/comm r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/stat{,m} r,
owner @{PROC}/@{pid}/comm r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/status r,
owner @{PROC}/@{pid}/task/@{tid}/status r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
deny owner @{PROC}/@{pid}/cmdline r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
deny @{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/task/@{tid}/status r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
deny owner @{PROC}/@{pid}/cmdline r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
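Review bot: `@{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix,` runs the Chromium-based renderer inherited in the calibre profile, so the renderer carries every right calibre has (the `devices-usb` abstraction, `owner @{user_config_dirs}/calibre/** rwk`, the whole `@{bin}/calibre{,-*}` exec set) rather than the narrower set a dedicated child profile would hold, which is the shape this commit uses for `discord-chrome-sandbox` and `signal-desktop-chrome-sandbox`. If inheriting is deliberate, a comment above the rule saying so would keep it from being read as an oversight, e.g. `# QtWebEngineProcess is inherited on purpose; no dedicated child profile for it yet`. The `pdftoppm`/`pdfinfo`/`pdftohtml rPUx` lines still fall back to unconfined and still carry the `(#FIXME#)` marker; whether they are new is not recoverable from the rendered hunk, but since the flags file now lists `calibre complain`, that fallback is now live policy. The `@{PROC}` block is printed several times on this page, so the exact new-side rule set cannot be fully reconstructed here.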


@ -16,6 +16,9 @@ include <tunables/global>
profile discord @{exec_path} {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/bus-session>
include <abstractions/bus/org.freedesktop.ScreenSaver>
include <abstractions/bus/org.kde.StatusNotifierWatcher>
include <abstractions/common/electron>
include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict>
@ -28,23 +31,26 @@ profile discord @{exec_path} {
@{exec_path} mrix,
@{sh_path} rix,
@{bin}/lsb_release rPx -> lsb_release,
@{lib_dirs}/chrome-sandbox rix,
@{lib_dirs}/chrome_crashpad_handler rix,
@{open_path} rPx -> child-open-browsers,
@{open_path} rPx -> child-open-strict,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{user_videos_dirs}/{,**} rwl,
owner @{user_pictures_dirs}/{,**} rwl,
owner @{tmp}/net-export/ rw,
owner @{tmp}/discord.sock rw,
owner "@{tmp}/Discord Crashes/" rw,
owner @{config_dirs}/*/modules/** rm,
audit owner @{config_dirs}/*/modules/** rm,
owner @{run}/user/@{uid}/discord-ipc-@{int} rw,
owner @{PROC}/@{pid}/task/@{tid}/comm r,
include if exists <local/discord>
}
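Review bot: `audit owner @{config_dirs}/*/modules/** rm,` only adds logging; `audit` is a reporting modifier, so Discord can still map files under its user-writable config directory as executable code exactly as the unaudited form of the rule allowed. If the audit is a temporary probe to learn which modules get loaded, a comment saying so would stop it being mistaken for a restriction, e.g. `# audit: modules are written by the app itself under the config dir; keep until the loaded set is known`. The `task/@{tid}/comm r` and `@{open_path} rPx -> child-open-strict,` lines are consistent with the other profiles touched by this commit.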


@ -15,6 +15,9 @@ include <tunables/global>
@{exec_path} = @{bin}/dropbox
profile dropbox @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/bus/org.freedesktop.Notifications>
include <abstractions/bus/org.kde.StatusNotifierWatcher>
include <abstractions/desktop>
include <abstractions/fontconfig-cache-read>
include <abstractions/nameservice-strict>
@ -35,7 +38,7 @@ profile dropbox @{exec_path} {
@{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
@{bin}/{,@{multiarch}-}objdump rix,
@{bin}/xdg-open rCx -> child-open,
@{open_path} rPx -> child-open-strict,
@{bin}/lsb_release rPx -> lsb_release,
owner @{HOME}/ r,
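Review bot: `@{open_path} rPx -> child-open-strict,` replaces the `@{bin}/xdg-open rCx -> child-open,` transition, so the opener now runs under the shared `child-open-strict` profile instead of a local subprofile. If the dropbox profile still carries a local `profile child-open` block for the former `rCx` transition (it would be outside this hunk), that block is now unreferenced and should be removed rather than left loaded as dead policy. The enclosing `profile dropbox` block continues outside the hunk.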


@ -10,13 +10,23 @@ include <tunables/global>
@{exec_path} = @{bin}/filezilla
profile filezilla @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/bus-session>
include <abstractions/bus/org.freedesktop.Notifications>
include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/desktop>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice>
include <abstractions/nameservice-strict>
include <abstractions/p11-kit>
include <abstractions/ssl_certs>
include <abstractions/user-download-strict>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
signal (send) set=(term, kill) peer=fzsftp,
@{exec_path} mr,
@ -46,15 +56,15 @@ profile filezilla @{exec_path} {
owner @{user_cache_dirs}/filezilla/ rw,
owner @{user_cache_dirs}/filezilla/default_*.png rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/tmp/ r,
owner @{tmp}/fz[0-9]temp-@{int}/ rw,
owner @{tmp}/fz[0-9]temp-@{int}/fz*-lockfile rwk,
owner @{tmp}/fz[0-9]temp-@{int}/empty_file_* rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner /dev/tty@{int} rw,
include if exists <local/filezilla>
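Review bot: `/tmp/ r,` is the only hard-coded path in a hunk that otherwise goes through the tunable (`owner @{tmp}/fz[0-9]temp-@{int}/ rw,` directly below it); if that line is on the new side it should read `@{tmp}/ r,` so the rule follows the same variable as the rest of the profile. Swapping `<abstractions/nameservice>` for `<abstractions/nameservice-strict>` and `owner`-scoping the temp files narrow the profile; `owner /dev/tty@{int} rw,` is the one broad addition, and a comment naming what needs a virtual console would help, e.g. `# /dev/tty@{int}: needed for <reason - TODO confirm>`. The `signal (send) set=(term, kill) peer=fzsftp,` rule presumes an `fzsftp` profile and the matching exec transition exist outside this hunk; worth checking they are both present.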


@ -12,10 +12,12 @@ include <tunables/global>
@{config_dirs} = @{user_config_dirs}/@{name}
@{cache_dirs} = @{user_cache_dirs}/@{name}
@{exec_path} = @{lib_dirs}/@{name}
@{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name}
profile freetube @{exec_path} {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/bus/org.freedesktop.ScreenSaver>
include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/common/electron>
include <abstractions/consoles>
include <abstractions/thumbnails-cache-read>
@ -27,6 +29,8 @@ profile freetube @{exec_path} {
network inet6 stream,
network netlink raw,
#aa:dbus own bus=session name=org.mpris.MediaPlayer2.freetube path=/org/mpris/MediaPlayer2
@{exec_path} mrix,
@{open_path} rPx -> child-open-strict,
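Review bot: `@{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name}` adds `@{bin}/freetube` to the attachment set; for Electron packages that path is frequently a launcher script rather than the binary, and in that case the profile also needs an interpreter rule (`@{sh_path} rix,`) next to `@{exec_path} mrix,` for the hop into `@{lib_dirs}/@{name}` to succeed. That rule is not visible in the hunk, so please confirm it is present or that `@{bin}/freetube` is a real executable. The `@{open_path} rPx -> child-open-strict,` addition matches the other profiles in this commit.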


@ -8,14 +8,17 @@ abi <abi/3.0>,
include <tunables/global>
@{name} = signal-desktop{,-beta}
@{lib_dirs} = @{lib}/signal-desktop "/opt/Signal{, Beta}"
@{config_dirs} = "@{user_config_dirs}/Signal{, Beta}"
@{lib_dirs} = @{lib}/signal-desktop /opt/Signal{,?Beta}
@{config_dirs} = @{user_config_dirs}/Signal{,?Beta}
@{cache_dirs} = @{user_cache_dirs}/@{name}
@{exec_path} = @{lib_dirs}/@{name}
profile signal-desktop @{exec_path} {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/bus-session>
include <abstractions/bus/org.freedesktop.ScreenSaver>
include <abstractions/bus/org.kde.StatusNotifierWatcher>
include <abstractions/common/electron>
include <abstractions/fontconfig-cache-read>
include <abstractions/user-download-strict>
@ -28,24 +31,28 @@ profile signal-desktop @{exec_path} {
@{exec_path} mrix,
@{bin}/getconf rix,
@{bin}/xdg-settings rPx,
@{bin}/basename rix,
@{bin}/getconf rix,
@{bin}/xdg-settings rix,
@{open_path} rPx -> child-open-strict,
@{lib_dirs}/chrome-sandbox rPx,
audit @{lib_dirs}/chrome-sandbox rPx,
@{lib_dirs}/chrome_crashpad_handler rix,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
@{run}/systemd/inhibit/@{int}.ref rw,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r,
@{sys}/fs/cgroup/user.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/vmstat r,
/dev/tty rw,
include if exists <local/signal-desktop>
}
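Review bot: `@{lib_dirs} = @{lib}/signal-desktop /opt/Signal{,?Beta}` and `@{config_dirs} = @{user_config_dirs}/Signal{,?Beta}` replace the quoted `"Signal{, Beta}"` form with a `?` wildcard, which matches any single character rather than only the space, so a sibling such as `/opt/Signal-Beta` would attach as well; probably harmless, but a comment such as `# ? stands for the space in "Signal Beta" (quoted globs are avoided here)` would stop the next reader from "fixing" it back. The same two variables change identically in the `signal-desktop-chrome-sandbox` section below. One of the two `@{bin}/xdg-settings` lines (`rPx` vs `rix`) is the new one; if `rix` is the new side, the xdg-settings script now runs with signal-desktop's full rights instead of under a dedicated profile and also depends on an `@{sh_path} rix,` rule for its interpreter, which is outside the hunk. The `audit` on `@{lib_dirs}/chrome-sandbox rPx` logs every launch of the sandbox helper; a short comment on why it is audited would help.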


@ -7,8 +7,8 @@ abi <abi/3.0>,
include <tunables/global>
@{lib_dirs} = @{lib}/signal-desktop "/opt/Signal{, Beta}"
@{config_dirs} = "@{user_config_dirs}/Signal{, Beta}"
@{lib_dirs} = @{lib}/signal-desktop /opt/Signal{,?Beta}
@{config_dirs} = @{user_config_dirs}/Signal{,?Beta}
@{exec_path} = @{lib_dirs}/chrome-sandbox
profile signal-desktop-chrome-sandbox @{exec_path} {


@ -11,14 +11,20 @@ include <tunables/global>
profile telegram-desktop @{exec_path} {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/common/electron>
include <abstractions/bus-session>
include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
include <abstractions/bus/org.kde.StatusNotifierWatcher>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/enchant>
include <abstractions/fontconfig-cache-read>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/qt5-shader-cache>
include <abstractions/ssl_certs>
include <abstractions/user-download-strict>
network inet dgram,
@ -28,22 +34,18 @@ profile telegram-desktop @{exec_path} {
network netlink dgram,
network netlink raw,
@{exec_path} mrix,
@{exec_path} mr,
@{sh_path} rix,
@{sh_path} rix,
@{open_path} rPx -> child-open-strict,
@{open_path} rPx -> child-open,
/usr/share/TelegramDesktop/{,**} r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{user_share_dirs}/TelegramDesktop/ rw,
owner @{user_share_dirs}/TelegramDesktop/** rwlk -> @{user_share_dirs}/TelegramDesktop/**,
owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw,
owner @{tmp}/@{hex}-* rwk,
owner @{run}/user/@{uid}/@{hex}-* rwk,
owner /dev/shm/#@{int} rw,
owner @{tmp}/@{hex32}-?@{uuid}? rwk,
audit owner /dev/shm/#@{int} rw,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
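Review bot: `owner @{tmp}/@{hex32}-?@{uuid}? rwk,` puts a `?` on each side of `@{uuid}`, presumably standing in for characters that cannot be written literally in a path rule (braces around the UUID would collide with the alternation syntax); a comment such as `# ? matches the braces around the uuid, which cannot appear literally` would let the intent survive the next edit. Each `?` matches any single character, so the rule is marginally wider than the literal name, which is acceptable for an owner-scoped tmp path. `audit owner /dev/shm/#@{int} rw,` logs every hit; if it is a temporary probe, a comment saying so or a follow-up to drop the `audit` would help. The enclosing `profile telegram-desktop` block continues outside the hunk.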


@ -47,6 +47,7 @@ avahi-set-host-name complain
baloo complain
baloorunner complain
busctl complain
calibre complain
cc-remote-login-helper complain
cctk complain
child-modprobe-nvidia attach_disconnected,complain
@ -88,6 +89,8 @@ cups-pk-helper-mechanism complain
cupsd attach_disconnected,complain
ddcutil complain
dino attach_disconnected,complain
discord complain
discord-chrome-sandbox complain
DiscoverNotifier complain
dkms attach_disconnected,complain
dmsetup complain
@ -106,6 +109,7 @@ evolution-user-prompter complain
fail2ban-client attach_disconnected,complain
fail2ban-server attach_disconnected,complain
fdisk complain
filezilla complain
firewall-applet attach_disconnected,complain
firewall-config complain
firewalld attach_disconnected,complain
@ -119,6 +123,11 @@ flatpak-system-helper complain
flatpak-validate-icon complain
foliate attach_disconnected,complain
fractal attach_disconnected,complain
freetube complain
freetube-chrome-sandbox complain
fstrim complain
freetube complain
freetube-chrome-sandbox complain
fuse-overlayfs complain
fusermount complain
gdm-generate-config complain
@ -291,6 +300,8 @@ sddm attach_disconnected,mediate_deleted,complain
sddm-greeter complain
secure-time-sync attach_disconnected,complain
sftp-server complain
signal-desktop attach_disconnected,complain
signal-desktop-chrome-sandbox complain
sing-box complain
slirp4netns attach_disconnected,complain
snap complain
@ -370,6 +381,7 @@ systemd-udevd attach_disconnected,complain
systemd-user-sessions complain
systemd-userwork attach_disconnected,complain
systemsettings complain
telegram-desktop complain
totem attach_disconnected,complain
tracker-writeback complain
udev-dmi-memory-id complain
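Review bot: the hunk at `@ -119,6 +123,11 @@` adds `freetube complain` and `freetube-chrome-sandbox complain` twice, once before `fstrim complain` and once after it; the hunk counts (6 old lines, 11 new, no removals) mean every printed line is on the new side, so the duplication is real. Keep the first pair, which sits in sorted position between `fractal` and `fstrim`, and delete the two lines that follow `fstrim complain`. The other hunks in this section (`calibre`, `discord`, `discord-chrome-sandbox`, `filezilla`, `signal-desktop`, `signal-desktop-chrome-sandbox`, `telegram-desktop`) each add their entry once and in order.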


@ -5,11 +5,6 @@
# when built with 'make full'
apparmor.d/groups/_full
# Apps that should be sandboxed
apparmor.d/groups/apps
code
code-wrapper
# Provided by other packages
man