feat(profile): general update and fixes.

This commit is contained in:
Alexandre Pujol 2024-10-22 22:04:04 +01:00
parent 897302bc5b
commit d9208e0648
21 changed files with 78 additions and 79 deletions


@ -36,8 +36,6 @@
@{bin}/sudo mr, @{bin}/sudo mr,
@{lib}/sudo/** mr, @{lib}/sudo/** mr,
@{etc_ro}/environment r,
@{etc_ro}/security/limits.d/{,*} r,
@{etc_ro}/sudo.conf r, @{etc_ro}/sudo.conf r,
@{etc_ro}/sudoers r, @{etc_ro}/sudoers r,
@{etc_ro}/sudoers.d/{,*} r, @{etc_ro}/sudoers.d/{,*} r,
@ -53,8 +51,8 @@
owner @{HOME}/.sudo_as_admin_successful rw, owner @{HOME}/.sudo_as_admin_successful rw,
# yubikey support # yubikey support
owner @{HOME}/.yubico/challenge-* rw,
@{HOME}/.yubico/ r, @{HOME}/.yubico/ r,
owner @{HOME}/.yubico/challenge-* rw,
@{run}/faillock/ rw, @{run}/faillock/ rw,
@{run}/faillock/@{user} rwk, @{run}/faillock/@{user} rwk,
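Review bot: Dropping `@{etc_ro}/environment r,` and `@{etc_ro}/security/limits.d/{,*} r,` in the first hunk may regress sudo's PAM session setup, since pam_env reads /etc/environment and pam_limits reads the limits.d directory, and nothing in the hunk shows an included abstraction now providing them. If they were moved into an abstraction such as authentication, a one-line comment next to `@{etc_ro}/sudo.conf r,` naming where they now live would keep the next reader from re-adding them; otherwise the two rules should stay. The second hunk only reorders the yubikey rules. The enclosing profile or abstraction starts above the first hunk.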


@ -8,9 +8,9 @@
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/consoles> include <abstractions/consoles>
ptrace (read) peer=@{p_systemd}, ptrace read peer=@{p_systemd},
unix (bind) type=stream addr=@@{hex16}/bus/systemctl/, unix bind type=stream addr=@@{hex16}/bus/systemctl/,
@{bin}/systemctl mr, @{bin}/systemctl mr,


@ -44,17 +44,16 @@
owner /tmp/newroot/ w, owner /tmp/newroot/ w,
owner /tmp/oldroot/ w, owner /tmp/oldroot/ w,
@{PROC}/sys/kernel/overflowgid r,
@{PROC}/sys/kernel/overflowuid r,
@{att}/@{PROC}/sys/user/max_user_namespaces rw, @{att}/@{PROC}/sys/user/max_user_namespaces rw,
owner @{att}/@{PROC}/@{pid}/cgroup r, owner @{att}/@{PROC}/@{pid}/cgroup r,
owner @{att}/@{PROC}/@{pid}/fd/ r,
owner @{att}/@{PROC}/@{pid}/gid_map rw, owner @{att}/@{PROC}/@{pid}/gid_map rw,
owner @{att}/@{PROC}/@{pid}/mountinfo r, owner @{att}/@{PROC}/@{pid}/mountinfo r,
owner @{att}/@{PROC}/@{pid}/setgroups rw, owner @{att}/@{PROC}/@{pid}/setgroups rw,
owner @{att}/@{PROC}/@{pid}/uid_map rw, owner @{att}/@{PROC}/@{pid}/uid_map rw,
@{PROC}/sys/kernel/overflowgid r,
@{PROC}/sys/kernel/overflowuid r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <abstractions/common/bwrap.d> include if exists <abstractions/common/bwrap.d>
# vim:syntax=apparmor # vim:syntax=apparmor
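Review bot: The relocated `owner @{PROC}/@{pid}/fd/ r,` loses the `@{att}/` prefix that every sibling proc rule in this hunk keeps (`owner @{att}/@{PROC}/@{pid}/gid_map rw,` and the others). Since this abstraction covers a bubblewrap pivot where paths are reported as disconnected, the un-prefixed rule is unlikely to match the same accesses as the one it replaces; either restore `owner @{att}/@{PROC}/@{pid}/fd/ r,` or add a comment explaining why this single entry intentionally differs. The two `overflow{g,u}id` moves are pure reordering.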


@ -52,7 +52,7 @@
owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/ksycoca{5,6}_??_* rwlk, owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk,
owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/baloofilerc r,
owner @{user_config_dirs}/dolphinrc r, owner @{user_config_dirs}/dolphinrc r,
@ -67,7 +67,7 @@
# else if @{DE} == xfce # else if @{DE} == xfce
/usr/share/xfce4/ r, /usr/share/xfce{,4}/ r,
owner @{user_config_dirs}/xfce4/help{,ers}.rc rw, owner @{user_config_dirs}/xfce4/help{,ers}.rc rw,
owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw, owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw,
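Review bot: The new pattern `owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk,` only matches names carrying a `.@{rand6}` suffix, whereas the old `ksycoca{5,6}_??_*` also matched the un-suffixed database that the temporary file is linked or renamed to; unless a rule outside this hunk covers the final `ksycoca6_*` file, that last step will now be denied. If both names are meant to be allowed, `owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*{,.@{rand6}} rwlk,` keeps the suffix optional. The `/usr/share/xfce{,4}/ r,` widening in the second hunk matches the same change made in the xfce abstraction in this commit.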


@ -76,7 +76,7 @@
/dev/sr@{int} rk, /dev/sr@{int} rk,
# Lookup block device by major:minor numbers # Lookup block device by major:minor numbers
# See: https://apparmor.pujol.io/development/structure/#udev-rules # See: https://apparmor.pujol.io/development/internal/#udev-rules
@{sys}/block/ r, @{sys}/block/ r,
@{sys}/class/block/ r, @{sys}/class/block/ r,


@ -6,7 +6,7 @@
abi <abi/4.0>, abi <abi/4.0>,
@{lib}/@{multiarch}/libproxy/*/modules/*.so mr, @{lib}/@{multiarch}/libproxy/*/modules/*.so mr,
@{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr, @{lib}/@{multiarch}/libvisual-@{version}/*/*.so mr,
@{lib}/frei0r-@{int}/*.so mr, @{lib}/frei0r-@{int}/*.so mr,
@{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rix, @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rix,


@ -11,7 +11,7 @@
include <abstractions/X-strict> include <abstractions/X-strict>
include <abstractions/xdg-desktop> include <abstractions/xdg-desktop>
/usr/share/xfce4/ r, /usr/share/xfce{,4}/ r,
owner @{user_config_dirs}/xfce4/help{,ers}.rc rw, owner @{user_config_dirs}/xfce4/help{,ers}.rc rw,
owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw, owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw,


@ -16,7 +16,7 @@ include <tunables/global>
profile dbus-system flags=(attach_disconnected) { profile dbus-system flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/consoles> include <abstractions/attached/consoles>
include <abstractions/deny-sensitive-home> include <abstractions/deny-sensitive-home>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>


@ -65,6 +65,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/task/@{tid}/ r, owner @{PROC}/@{pid}/task/@{tid}/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/status r, owner @{PROC}/@{pid}/task/@{tid}/status r,
include if exists <local/xdg-desktop-portal-gnome> include if exists <local/xdg-desktop-portal-gnome>


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/xdg-desktop-portal-gtk @{exec_path} = @{lib}/xdg-desktop-portal-gtk
profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/bus-accessibility> include <abstractions/bus-accessibility>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system> include <abstractions/bus-system>


@ -172,12 +172,13 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{tmp}/#@{int} rw, owner @{tmp}/#@{int} rw,
owner @{tmp}/sddm-auth* rw, owner @{tmp}/sddm-auth* rw,
@{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw,
@{run}/faillock/@{user} rwk, @{run}/faillock/@{user} rwk,
@{run}/sddm.pid rw, @{run}/sddm.pid rw,
@{run}/sddm/\{@{uuid}\} rw, @{run}/sddm/\{@{uuid}\} rw,
@{run}/sddm/#@{int} rw, @{run}/sddm/#@{int} rw,
@{run}/sddm/xauth_@{rand6} rwl -> @{run}/sddm/#@{int}, @{run}/sddm/xauth_@{rand6} rwl -> @{run}/sddm/#@{int},
@{run}/systemd/sessions/*.ref rw,
@{run}/user/@{uid}/xauth_@{rand6} rwl, @{run}/user/@{uid}/xauth_@{rand6} rwl,
owner @{run}/sddm/ rw, owner @{run}/sddm/ rw,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,


@ -59,9 +59,9 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/@{uuid} rw, owner @{tmp}/@{uuid} rw,
owner @{tmp}/talpid-openvpn-@{uuid} rw, owner @{tmp}/talpid-openvpn-@{uuid} rw,
@{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
@{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,
/dev/net/tun rw, /dev/net/tun rw,


@ -47,14 +47,15 @@ profile aurpublish @{exec_path} {
/etc/makepkg.conf r, /etc/makepkg.conf r,
/etc/makepkg.conf.d/{,**} r, /etc/makepkg.conf.d/{,**} r,
owner @{user_build_dirs}/**/ w, owner @{user_build_dirs}/{,**/} w,
owner @{user_projects_dirs}/** r, owner @{user_projects_dirs}/** r,
owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw, owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw,
owner @{user_projects_dirs}/**/.SRCINFO rw, owner @{user_projects_dirs}/**/.SRCINFO rw,
owner @{user_cache_dirs}/makepkg/src/* rw, owner @{user_cache_dirs}/makepkg/src/** rw,
owner @{user_config_dirs}/pacman/makepkg.conf r, owner @{user_config_dirs}/pacman/makepkg.conf r,
owner /tmp/*/src/ w,
owner @{tmp}/tmp.@{rand10} rw, owner @{tmp}/tmp.@{rand10} rw,
/dev/tty rw, /dev/tty rw,
@ -64,14 +65,26 @@ profile aurpublish @{exec_path} {
@{bin}/gpg{,2} mr, @{bin}/gpg{,2} mr,
@{bin}/gpgconf mr, @{bin}/gpgconf mr,
@{bin}/gpg-agent rix,
@{lib}/{,gnupg/}scdaemon rix,
owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
owner @{user_cache_dirs}/makepkg/src/*.asc r, owner @{user_cache_dirs}/makepkg/src/*.asc r,
owner @{run}/user/@{uid}/ r,
owner @{run}/user/@{uid}/gnupg/ r,
owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw,
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent rw,
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.browser w,
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.extra w,
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.ssh w,
owner @{tmp}/tmp.@{rand10} rw, owner @{tmp}/tmp.@{rand10} rw,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/aurpublish_gpg> include if exists <local/aurpublish_gpg>
} }
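Review bot: `@{bin}/gpg-agent rix,` and `@{lib}/{,gnupg/}scdaemon rix,` in the second hunk run the agent and the smartcard daemon under the child profile's own rules, and since gpg-agent is a long-lived daemon that outlives aurpublish it would keep this profile's permissions, including the `rwkl` grant over `@{HOME}/@{XDG_GPG_DIR}/**`. If the repository ships a dedicated gpg-agent profile, `@{bin}/gpg-agent rPx,` is the more conventional transition and lets the agent keep its own confinement; if inheriting is deliberate, a one-line comment above the two `rix` lines saying so would help. The child profile closed at the end of this hunk opens above it.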


@ -26,6 +26,7 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
/etc/acpi/{,**} r, /etc/acpi/{,**} r,
/etc/acpi/handler.sh rix, /etc/acpi/handler.sh rix,
@{run}/acpid.socket w,
owner @{run}/acpid.socket rw, owner @{run}/acpid.socket rw,
owner @{run}/acpid.pid rw, owner @{run}/acpid.pid rw,


@ -12,9 +12,8 @@ profile dfc @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
capability dac_override,
capability dac_read_search, capability dac_read_search,
# No visible effect
deny capability dac_override,
@{exec_path} mr, @{exec_path} mr,
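Review bot: The comment `# No visible effect` above the new `deny capability dac_override,` does not say what has no effect, and a reader may take it to mean the deny rule itself is inert. Something like `# dfc requests dac_override but works without it; deny it explicitly so the request is not logged` records both the observation and why an explicit deny was chosen over simply dropping the allow, assuming that is the reasoning. The enclosing `dfc` profile starts above the hunk.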


@ -30,6 +30,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
@{bin}/bc rix, @{bin}/bc rix,
@{bin}/gcc rix, @{bin}/gcc rix,
@{bin}/getconf rix, @{bin}/getconf rix,
@{bin}/kill rix,
@{bin}/kmod rCx -> kmod, @{bin}/kmod rCx -> kmod,
@{bin}/ld rix, @{bin}/ld rix,
@{bin}/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,


@ -40,7 +40,7 @@ profile foliate @{exec_path} flags=(attach_disconnected) {
/usr/share/com.github.johnfactotum.Foliate/{,**} r, /usr/share/com.github.johnfactotum.Foliate/{,**} r,
owner /bindfile@{rand6} rw, owner /bindfile@{rand6} rw,
owner @{att}/.flatpak-info r, owner /.flatpak-info r,
owner @{user_books_dirs}/{,**} r, owner @{user_books_dirs}/{,**} r,
owner @{user_torrents_dirs}/{,**} r, owner @{user_torrents_dirs}/{,**} r,
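Review bot: Replacing `owner @{att}/.flatpak-info r,` with `owner /.flatpak-info r,` goes against the direction of the other hunks in this commit (bwrap, sddm), which keep or add the `@{att}/` prefix for paths seen through a disconnected mount; with `flags=(attach_disconnected)` on this profile the un-prefixed rule only matches when the disconnected path is attached at `/`. If `@{att}` expands to `/` on the systems this was tested on the two forms are equivalent there, so a short comment explaining why the prefix was dropped would stop the next reader from re-adding it. The enclosing `foliate` profile starts above the hunk.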


@ -66,11 +66,8 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
/etc/pki/fwupd-metadata/{,**} r, /etc/pki/fwupd-metadata/{,**} r,
/etc/pki/fwupd/{,**} r, /etc/pki/fwupd/{,**} r,
/var/cache/fwupd/{,**} rw, /etc/machine-id r,
/var/lib/flatpak/exports/share/mime/mime.cache r, /var/lib/dbus/machine-id r,
/var/lib/fwupd/{,**} rw,
/var/lib/fwupd/pending.db rwk,
/var/tmp/etilqs_@{hex16} rw,
/boot/{,**} r, /boot/{,**} r,
/boot/EFI/*/.goutputstream-@{rand6} rw, /boot/EFI/*/.goutputstream-@{rand6} rw,
@ -78,8 +75,12 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
/boot/EFI/*/fwupdx@{int}.efi rw, /boot/EFI/*/fwupdx@{int}.efi rw,
@{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r,
/etc/machine-id r, /var/lib/flatpak/exports/share/mime/mime.cache r,
/var/lib/dbus/machine-id r, /var/tmp/etilqs_@{hex16} rw,
owner /var/cache/fwupd/ rw,
owner /var/cache/fwupd/** rwk,
owner /var/lib/fwupd/ rw,
owner /var/lib/fwupd/** rwk,
# In order to get to this file, the attach_disconnected flag has to be set # In order to get to this file, the attach_disconnected flag has to be set
owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r, owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r,
@ -88,8 +89,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
@{sys}/**/ r, @{sys}/**/ r,
@{sys}/devices/** r, @{sys}/devices/** r,
@{sys}/bus/hid/drivers/*/uevent r,
@{sys}/bus/usb/drivers/usbhid/uevent r,
@{sys}/firmware/acpi/** r, @{sys}/firmware/acpi/** r,
@{sys}/firmware/dmi/tables/DMI r, @{sys}/firmware/dmi/tables/DMI r,
@{sys}/firmware/dmi/tables/smbios_entry_point r, @{sys}/firmware/dmi/tables/smbios_entry_point r,
@ -99,9 +98,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
@{sys}/firmware/efi/efivars/fwupd-* rw, @{sys}/firmware/efi/efivars/fwupd-* rw,
@{sys}/kernel/security/lockdown r, @{sys}/kernel/security/lockdown r,
@{sys}/kernel/security/tpm@{int}/binary_bios_measurements r, @{sys}/kernel/security/tpm@{int}/binary_bios_measurements r,
@{sys}/module/*/uevent r, @{sys}/**/uevent r,
@{sys}/module/uhid/uevent r,
@{sys}/module/usbhid/uevent r,
@{sys}/power/mem_sleep r, @{sys}/power/mem_sleep r,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
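Review bot: The four new `owner /var/cache/fwupd/...` and `owner /var/lib/fwupd/...` rules in the second hunk narrow the previous unqualified `rw` grants to files whose uid matches the daemon's; that is fine while every file under those directories is created by fwupd itself, but anything placed there by packaging or by an earlier run under a different uid will now be denied where it used to be allowed. A one-line comment such as `# fwupd owns everything it writes under /var/{cache,lib}/fwupd` above the block, or a quick check of the shipped ownership, would make the narrowing deliberate. The `@{sys}/**/uevent r,` collapse in the last hunk is read-only and looks fine. The enclosing `fwupd` profile starts above the first hunk.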


@ -50,6 +50,7 @@ profile mkinitramfs @{exec_path} {
@{bin}/touch rix, @{bin}/touch rix,
@{bin}/tr rix, @{bin}/tr rix,
@{bin}/tsort rix, @{bin}/tsort rix,
@{bin}/uniq rix,
@{bin}/xargs rix, @{bin}/xargs rix,
@{bin}/xz rix, @{bin}/xz rix,
@{bin}/zstd rix, @{bin}/zstd rix,
@ -85,13 +86,15 @@ profile mkinitramfs @{exec_path} {
owner /boot/initrd.img-*.new rw, owner /boot/initrd.img-*.new rw,
/var/tmp/ r, /var/tmp/ r,
/var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw, /var/tmp/modules_@{rand6} rw,
owner /var/tmp/mkinitramfs_*/ rw, /var/tmp/mkinitramfs_@{rand6}/@{lib}/modules/*/modules.{order,builtin} rw,
owner /var/tmp/mkinitramfs_*/** rwl -> /var/tmp/mkinitramfs_*/**, owner /var/tmp/mkinitramfs_@{rand6} rw,
owner /var/tmp/mkinitramfs-* rw, owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_*/**,
owner /var/tmp/mkinitramfs-@{rand6} rw,
@{sys}/devices/platform/ r, @{sys}/devices/platform/ r,
@{sys}/devices/platform/reg-dummy/{,**}/ r, @{sys}/devices/platform/**/ r,
@{sys}/devices/platform/**/modalias r,
@{sys}/module/compression r, @{sys}/module/compression r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@ -126,18 +129,18 @@ profile mkinitramfs @{exec_path} {
@{sh_path} rix, @{sh_path} rix,
@{bin}/ldconfig.real rix, @{bin}/ldconfig.real rix,
owner /var/tmp/mkinitramfs_*/etc/ld.so.conf r, owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf r,
owner /var/tmp/mkinitramfs_*/etc/ld.so.conf.d/{,*.conf} r, owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf.d/{,*.conf} r,
owner /var/tmp/mkinitramfs_*/{usr/,}lib{,32,x32}/ r, owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/ r,
owner /var/tmp/mkinitramfs_*/{usr/,}lib/@{multiarch}/ r, owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/ r,
owner /var/tmp/mkinitramfs_*/{usr/,}lib/@{multiarch}/*.so* rw, owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/*.so* rw,
owner /var/tmp/mkinitramfs_*/{usr/,}lib{,32,x32}/*.so* rw, owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/*.so* rw,
owner /var/tmp/mkinitramfs_*/etc/ld.so.cache{,~} rw, owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.cache{,~} rw,
owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/ rw, owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/ rw,
owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/aux-cache{,~} rw, owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/aux-cache{,~} rw,
include if exists <local/mkinitramfs_ldconfig> include if exists <local/mkinitramfs_ldconfig>
} }
@ -156,7 +159,7 @@ profile mkinitramfs @{exec_path} {
/usr/share/initramfs-tools/scripts/{,**/} r, /usr/share/initramfs-tools/scripts/{,**/} r,
/etc/initramfs-tools/scripts/{,**/} r, /etc/initramfs-tools/scripts/{,**/} r,
owner /var/tmp/mkinitramfs_*/{,**/} r, owner /var/tmp/mkinitramfs_@{rand6}/{,**/} r,
include if exists <local/mkinitramfs_find> include if exists <local/mkinitramfs_find>
} }
@ -165,11 +168,13 @@ profile mkinitramfs @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/kmod> include <abstractions/app/kmod>
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/ r, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/ r,
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.* rw, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw,
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/updates/{,**} r, owner /var/tmp/mkinitramfs_@{rand6}usr/lib/modules/*/updates/{,**} r,
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/{,**/} r, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r,
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/**/*.ko r, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r,
@{sys}/module/compression r,
include if exists <local/mkinitramfs_kmod> include if exists <local/mkinitramfs_kmod>
} }
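Review bot: In the last hunk, `owner /var/tmp/mkinitramfs_@{rand6}usr/lib/modules/*/updates/{,**} r,` is missing the `/` after `@{rand6}`, so the rule can never match the real path; it should read `owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r,`. In the second hunk the link rule was converted on its source side only: `owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_*/**,` still carries the old wildcard as link target and would be consistent as `-> /var/tmp/mkinitramfs_@{rand6}/**`. That hunk also adds `/var/tmp/modules_@{rand6} rw,` without the `owner` qualifier every neighbouring /var/tmp rule carries; if that is intentional it deserves a comment. The child profile closed at the end of the last hunk opens above it.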


@ -4,6 +4,7 @@
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>, abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{name} = vesktop @{name} = vesktop


@ -12,35 +12,17 @@ profile vnstat @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
# The following rules are needed when adding a new interface to the vnstat database. Usually this
# action is performed as root, but the vnstatd daemon is run as vnstat (user/group), and all the
# database files under /var/lib/vnstat/ are owned by vnstat:vnstat. Because of the above, the
# dac_override CAP is needed to allow writing files in that dir.
#
# If this CAP was denied, then the following error is printed when adding new interfaces:
#
# Error: Exec step failed (8: attempt to write a readonly database): "insert into interface
# (name, active, created, updated, rxcounter, txcounter, rxtotal, txtotal) values ('eth0', 1,
# datetime('now', 'localtime'), datetime('now', 'localtime'), 0, 0, 0, 0)"
# Error: Adding interface "ifb0" to database failed.
#
capability dac_override,
#
# Also the vnstat.db file has to have the write permission:
/var/lib/vnstat/vnstat.db w,
/var/lib/vnstat/vnstat.db-journal rw,
#
# This is needed to change the owner:group to vnstat:vnstat of the database file.
capability chown, capability chown,
capability dac_override,
@{exec_path} mr, @{exec_path} mr,
# Many apps/users can query vnstat database, so don't use owner here.
/var/lib/vnstat/ r,
/var/lib/vnstat/vnstat.db rk,
/etc/vnstat.conf r, /etc/vnstat.conf r,
/var/lib/vnstat/ r,
/var/lib/vnstat/vnstat.db rwk,
/var/lib/vnstat/vnstat.db-journal rw,
@{sys}/class/net/ r, @{sys}/class/net/ r,
@{sys}/devices/@{pci}/net/*/statistics/{tx,rx}_{bytes,packets} r, @{sys}/devices/@{pci}/net/*/statistics/{tx,rx}_{bytes,packets} r,