mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-14 23:43:56 +01:00
parent
872b8fc30a
commit
d864f5c975
@ -9,11 +9,12 @@ include <tunables/global>
|
||||
@{exec_path} = @{bin}/xdg-user-dir
|
||||
profile xdg-user-dir @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{sh_path} rix,
|
||||
@{bin}/env rix,
|
||||
@{sh_path} rix,
|
||||
@{bin}/env rix,
|
||||
|
||||
owner @{user_config_dirs}/user-dirs.dirs r,
|
||||
|
||||
|
@ -8,7 +8,7 @@ abi <abi/3.0>,
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/xhost
|
||||
profile xhost @{exec_path} {
|
||||
profile xhost @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/X-strict>
|
||||
|
@ -13,6 +13,7 @@ profile systemd-generator-fstab @{exec_path} {
|
||||
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
capability mknod,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
@ -16,6 +16,8 @@ profile systemd-generator-user-autostart @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{system_share_dirs}/applications/*.desktop r,
|
||||
|
||||
@{etc_ro}/xdg/autostart/{,*.desktop} r,
|
||||
|
||||
owner @{user_config_dirs}/autostart/{,*.desktop} r,
|
||||
|
@ -49,6 +49,9 @@ profile systemd-machined @{exec_path} {
|
||||
@{PROC}/pressure/io r,
|
||||
@{PROC}/pressure/memory r,
|
||||
|
||||
/dev/ptmx rw,
|
||||
/dev/pts/@{int} rw,
|
||||
|
||||
include if exists <local/systemd-machined>
|
||||
}
|
||||
|
||||
|
@ -17,10 +17,13 @@ profile dunst @{exec_path} {
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/xdg/dunst/dunstrc r,
|
||||
|
||||
owner @{user_config_dirs}/dunst/dunstrc r,
|
||||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
|
||||
owner /dev/shm/dunst-@{rand6} rw,
|
||||
|
||||
include if exists <local/dunst>
|
||||
}
|
||||
|
||||
|
@ -8,7 +8,7 @@ abi <abi/3.0>,
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/id
|
||||
profile id @{exec_path} {
|
||||
profile id @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
@ -37,6 +37,7 @@ profile lspci @{exec_path} flags=(attach_disconnected) {
|
||||
@{sys}/devices/@{pci}/** r,
|
||||
@{sys}/module/compression r,
|
||||
|
||||
@{PROC}/bus/pci/devices r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/ioports r,
|
||||
|
||||
|
@ -11,15 +11,31 @@ include <tunables/global>
|
||||
profile nemo @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/deny-sensitive-home>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/trash-strict>
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
# @{lib}/@{multiarch}/nemo/** mrix,
|
||||
/usr/share/nemo/** r,
|
||||
|
||||
# Full access to user's data
|
||||
/ r,
|
||||
/*/ r,
|
||||
@{bin}/ r,
|
||||
@{lib}/ r,
|
||||
@{MOUNTDIRS}/ r,
|
||||
@{MOUNTS}/ r,
|
||||
@{MOUNTS}/** rw,
|
||||
owner @{HOME}/{,**} rw,
|
||||
owner @{run}/user/@{uid}/{,**} rw,
|
||||
owner @{tmp}/{,**} rw,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
@ -35,13 +35,10 @@ profile pkexec @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
# Apps to be run via pkexec
|
||||
@{bin}/* rPUx,
|
||||
@{lib}/{,gvfs/}gvfsd-admin rPx,
|
||||
@{lib}/cc-remote-login-helper rPx,
|
||||
@{lib}/update-notifier/package-system-locked rPx,
|
||||
/usr/share/apport/apport-gtk rPx,
|
||||
#aa:exec polkit-agent-helper
|
||||
@{bin}/* PUx,
|
||||
@{lib}/** PUx,
|
||||
/opt/*/** PUx,
|
||||
/usr/share/** PUx,
|
||||
|
||||
@{etc_ro}/environment r,
|
||||
@{etc_ro}/security/limits.d/{,*} r,
|
||||
|
@ -14,7 +14,9 @@ profile run-parts @{exec_path} {
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
capability mknod,
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
@{sh_path} rix,
|
||||
@{bin}/anacron rix,
|
||||
@ -29,6 +31,7 @@ profile run-parts @{exec_path} {
|
||||
/etc/ r,
|
||||
/etc/anacrontab r,
|
||||
/etc/conf.d/snapper{,**} r,
|
||||
/etc/default/* r,
|
||||
/etc/snapper/configs/root r,
|
||||
|
||||
# Crontab
|
||||
@ -134,8 +137,12 @@ profile run-parts @{exec_path} {
|
||||
|
||||
/usr/share/landscape/landscape-sysinfo.wrapper rPUx,
|
||||
|
||||
/root/ r,
|
||||
|
||||
/var/spool/anacron/cron.daily k,
|
||||
|
||||
owner @{tmp}/#@{int} rw,
|
||||
owner @{tmp}/$anacron* rw,
|
||||
owner @{tmp}/$anacron@{rand6} rw,
|
||||
owner @{tmp}/file@{rand6} rw,
|
||||
|
||||
owner @{sys}/class/power_supply/ r,
|
||||
|
@ -8,10 +8,11 @@ abi <abi/3.0>,
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/strawberry
|
||||
profile strawberry @{exec_path} flags=(attach_disconnected) {
|
||||
profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/devices-usb>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
|
@ -84,8 +84,12 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
|
||||
@{sys}/devices/virtual/drm/ttm/uevent r,
|
||||
@{sys}/fs/cgroup/user.slice/cpu.max r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
|
||||
|
||||
@{PROC}/@{pids}/net/route r,
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
@ -306,6 +306,7 @@ steam-launch attach_disconnected,complain
|
||||
steam-launcher attach_disconnected,complain
|
||||
steam-runtime attach_disconnected,complain
|
||||
steamerrorreporter attach_disconnected,complain
|
||||
strawberry attach_disconnected,mediate_deleted,complain
|
||||
sulogin complain
|
||||
switcherooctl complain
|
||||
swtpm complain
|
||||
|
Loading…
Reference in New Issue
Block a user