feat(profiles): improve ubuntu compatibility.
This commit is contained in:
parent
0cbcbb29a4
commit
d998b1dd6e
29 changed files with 109 additions and 34 deletions
|
@ -16,5 +16,7 @@ profile plymouth-set-default-theme @{exec_path} {
|
|||
/{usr/,}bin/grep rix,
|
||||
/{usr/,}bin/plymouth rPx,
|
||||
|
||||
/etc/plymouth/{,*} r,
|
||||
|
||||
include if exists <local/plymouth-set-default-theme>
|
||||
}
|
|
@ -12,6 +12,8 @@ profile xdg-document-portal @{exec_path} {
|
|||
|
||||
ptrace (read) peer=xdg-desktop-portal,
|
||||
|
||||
unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/flatpak rCx -> flatpak,
|
||||
|
@ -57,6 +59,8 @@ profile xdg-document-portal @{exec_path} {
|
|||
capability sys_admin,
|
||||
capability dac_read_search,
|
||||
|
||||
unix (send receive) type=stream peer=(label=xdg-document-portal),
|
||||
|
||||
# network inet stream,
|
||||
# network inet6 stream,
|
||||
|
||||
|
|
|
@ -12,6 +12,8 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/base>
|
||||
|
||||
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
|
||||
unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
|
||||
unix (send,receive) type=stream addr=none peer=(label=xwayland),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
@ -10,7 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}bin/X
|
||||
@{exec_path} += /{usr/,}bin/Xorg
|
||||
@{exec_path} += /{usr/,}lib/Xorg{,.wrap}
|
||||
@{exec_path} += /{usr/,}lib/xorg/Xorg
|
||||
@{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap}
|
||||
profile xorg @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
|
|
|
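Review bot: `@{exec_path} += /{usr/,}lib/xorg/Xorg` becomes redundant once `@{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap}` is added two lines below it, because the `{,.wrap}` alternation already matches the bare `Xorg` path. The `-10,7 +10,7` header implies one line was swapped (presumably the old `/{usr/,}lib/Xorg{,.wrap}` entry for the new `xorg/` one), so the bare entry survives on the new side and can be dropped to keep the attachment list minimal. The xorg profile body continues outside the hunk.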
@ -18,6 +18,7 @@ profile xrdb @{exec_path} {
|
|||
/{usr/,}bin/{,@{multiarch}-}cpp-[0-9]* rix,
|
||||
/{usr/,}lib/gcc/@{multiarch}/[0-9]*/cc1 rix,
|
||||
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
|
||||
|
||||
/usr/include/stdc-predef.h r,
|
||||
|
||||
/etc/X11/Xresources/x11-common r,
|
||||
|
|
|
@ -19,7 +19,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
|
|||
signal (receive) set=(term hup) peer=gdm*,
|
||||
signal (receive) set=(term hup) peer=gnome-shell,
|
||||
|
||||
unix (receive, send) type=stream addr="@/tmp/.X11-unix/X[0-9]*",
|
||||
unix (send,receive) type=stream addr="@/tmp/.X11-unix/X[0-9]*",
|
||||
unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
|
|
|
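Review bot: `unix (receive, send) type=stream addr="@/tmp/.X11-unix/X[0-9]*",` and `unix (send,receive) type=stream addr="@/tmp/.X11-unix/X[0-9]*",` grant exactly the same access, and with only one line added in this hunk (`-19,7 +19,8`) both appear to remain on the new side. Keep a single copy, spelled `(send,receive)` like the `peer=(label=gnome-shell)` rule that follows, so the three socket rules read consistently. The xwayland profile body continues outside the hunk.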
@ -22,9 +22,10 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/{usr/,}bin/Xorg rPx,
|
||||
/{usr/,}bin/dbus-run-session rPx,
|
||||
/etc/gdm/Xsession rPx,
|
||||
/etc/gdm{3,}/Xsession rPx,
|
||||
/etc/gdm{3,}/Prime/Default rix,
|
||||
|
||||
/etc/gdm/custom.conf r,
|
||||
/etc/gdm{3,}/custom.conf r,
|
||||
/usr/share/gdm/gdm.schemas r,
|
||||
|
||||
/var/lib/gdm/.cache/gdm/Xauthority rw,
|
||||
|
|
|
@ -85,17 +85,24 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/bash rUx,
|
||||
/{usr/,}bin/bwrap rPUx,
|
||||
/{usr/,}bin/gcm-viewer rix,
|
||||
/{usr/,}bin/locale rix,
|
||||
/{usr/,}bin/openvpn rPx,
|
||||
/{usr/,}bin/passwd rPx,
|
||||
/{usr/,}bin/{,b,d,rb}ash rUx,
|
||||
/{usr/,}bin/{c,k,tc,z}sh rUx,
|
||||
|
||||
/{usr/,}bin/gcm-viewer rix,
|
||||
/{usr/,}bin/grep rix,
|
||||
/{usr/,}bin/locale rix,
|
||||
/{usr/,}bin/sed rix,
|
||||
|
||||
@{libexec}/gnome-control-center-goa-helper rPx,
|
||||
@{libexec}/gnome-control-center-print-renderer rPx,
|
||||
/{usr/,}bin/bwrap rPUx,
|
||||
/{usr/,}bin/openvpn rPx,
|
||||
/{usr/,}bin/passwd rPx,
|
||||
/{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
|
||||
/usr/share/language-tools/language2locale rix,
|
||||
|
||||
/usr/share/backgrounds/gnome/* r,
|
||||
/snap/*/[0-9]*/*.png r,
|
||||
/usr/share/backgrounds/{,**} r,
|
||||
/usr/share/egl/{,**} r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/gnome-background-properties/{,**} r,
|
||||
|
@ -106,6 +113,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/mime/{,**} r,
|
||||
/usr/share/pipewire/client.conf r,
|
||||
/usr/share/thumbnailers/{,*} r,
|
||||
/usr/share/ubuntu/applications/ r,
|
||||
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
|
||||
/usr/share/zoneinfo/{,**} r,
|
||||
|
||||
|
@ -115,6 +123,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
/var/lib/snapd/desktop/icons/ r,
|
||||
|
||||
owner @{HOME}/.cat_installer/ca.pem r,
|
||||
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
||||
|
@ -130,6 +139,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,
|
||||
|
||||
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
|
||||
owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
|
||||
owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
@{run}/systemd/sessions/ r,
|
||||
|
|
|
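Review bot: `/{usr/,}bin/{,b,d,rb}ash rUx,` and `/{usr/,}bin/{c,k,tc,z}sh rUx,` run eight shells unconfined where the old side only listed `bash`; whatever a `Ux` child executes is outside AppArmor entirely, so this is the widest transition in the profile and the one line that most needs a reason next to it. A comment naming the panel or helper that spawns a user shell would let a later maintainer judge whether the whole list is still needed, e.g. `# TODO: document which panel needs an unconfined shell`. If the shell is only reached through a helper that already has a profile, `rPUx` on that helper rather than `rUx` on every shell would narrow it. The `-85,17 +85,24` counts suggest the old `bash rUx` line was folded into the brace expansion, but the exact old/new split of the remaining lines isn't recoverable from the rendered page.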
@ -32,6 +32,8 @@ profile gnome-control-center-print-renderer @{exec_path} {
|
|||
/var/lib/flatpak/exports/share/icons/{,**} r,
|
||||
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
||||
|
||||
/var/lib/snapd/desktop/icons/{,**} r,
|
||||
|
||||
owner @{user_share_dirs}/icons/{,**} r,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
|
|
@ -16,6 +16,8 @@ profile gnome-extension-ding @{exec_path} {
|
|||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gtk>
|
||||
|
||||
unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={ListNames,ListActivatableNames},
|
||||
|
@ -34,15 +36,20 @@ profile gnome-extension-ding @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/env rix,
|
||||
/{usr/,}bin/gjs-console rix,
|
||||
/{usr/,}bin/nautilus rPx,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/env rix,
|
||||
/{usr/,}bin/gjs-console rix,
|
||||
/{usr/,}bin/gnome-control-center rPx,
|
||||
/{usr/,}bin/nautilus rPx,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/gnome-shell/extensions/ding@rastersoft.com/* r,
|
||||
/usr/share/thumbnailers/{,*.thumbnailer} r,
|
||||
/usr/share/ubuntu/applications/{,**} r,
|
||||
/usr/share/X11/{,**} r,
|
||||
|
||||
/etc/gnome/defaults.list r,
|
||||
|
||||
/var/lib/snapd/desktop/icons/{,**} r,
|
||||
|
||||
owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r,
|
||||
|
|
|
@ -43,6 +43,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/user/@{uid}/keyring/ rw,
|
||||
owner @{run}/user/@{uid}/keyring/* rw,
|
||||
owner @{run}/user/@{uid}/ssh-askpass.[0-9A-Z]*/{,*} rw,
|
||||
@{run}/user/@{uid}/keyring/control r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
|
|
|
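Review bot: `@{run}/user/@{uid}/keyring/control r,` is the only rule in this hunk without `owner`, while the neighbouring `keyring/ rw,` and `keyring/* rw,` rules carry it; if `@{uid}` expands to a numeric glob, as the `@{pid}`/`@{pids}` tunables elsewhere in this commit do, the daemon may then read the control file under any user's keyring directory. Unless cross-user access is intended, write `owner @{run}/user/@{uid}/keyring/control r,`. The `-43,6 +43,7` header says one line is new and it isn't recoverable whether that is the `ssh-askpass` or the `control` line; the fix applies either way.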
@ -44,6 +44,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
signal (send),
|
||||
|
||||
unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),
|
||||
unix (send,receive) type=stream addr=none peer=(label=xkbcomp),
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]{,/**}
|
||||
interface=org.freedesktop.{DBus.Properties,login[0-9].*},
|
||||
|
@ -118,6 +119,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js rPx,
|
||||
|
||||
/opt/*/**/*.png r,
|
||||
/snap/*/@{uid}/*.png r,
|
||||
/usr/share/backgrounds/{,**} r,
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/desktop-directories/{,*.directory} r,
|
||||
|
|
|
@ -31,9 +31,12 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/gnome-system-monitor/{,**} r,
|
||||
/usr/share/pixmaps/{,**} r,
|
||||
/usr/share/ubuntu/applications/{,**} r,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
/var/lib/snapd/desktop/icons/ r,
|
||||
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
owner @{run}/user/@{uid}/doc/ rw,
|
||||
|
@ -50,10 +53,12 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pids}/attr/current r,
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
@{PROC}/@{pids}/fd/ r,
|
||||
@{PROC}/@{pids}/io r,
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
@{PROC}/@{pids}/mounts r,
|
||||
@{PROC}/@{pids}/net/dev r,
|
||||
@{PROC}/@{pids}/net/tcp{,6} r,
|
||||
|
|
|
@ -16,6 +16,7 @@ profile tracker-extract @{exec_path} {
|
|||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl-nvidia>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
network netlink raw,
|
||||
|
||||
|
@ -38,15 +39,18 @@ profile tracker-extract @{exec_path} {
|
|||
/var/lib/gdm{3,}/.cache/tracker3/{,**} rw,
|
||||
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||
|
||||
/var/lib/snapd/desktop/applications/*.desktop r,
|
||||
|
||||
# Allow to search user files
|
||||
owner @{HOME}/{,**} r,
|
||||
owner @{MOUNTS}/{,**} r,
|
||||
owner /tmp/*/{,**} r,
|
||||
|
||||
owner /tmp/tracker-extract-3-files.*/{,*} rw,
|
||||
owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
|
||||
owner @{user_share_dirs}/gvfs-metadata/** r,
|
||||
|
||||
|
||||
owner /tmp/tracker-extract-3-files.*/{,*} rw,
|
||||
|
||||
owner @{run}/user/@{uid}/bus rw,
|
||||
@{run}/blkid/blkid.tab r,
|
||||
|
||||
|
@ -59,6 +63,7 @@ profile tracker-extract @{exec_path} {
|
|||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
/dev/dri/card[0-9]* rw,
|
||||
/dev/dri/renderD128 rw,
|
||||
/dev/media[0-9]* r,
|
||||
/dev/video[0-9]* rw,
|
||||
|
|
|
@ -13,37 +13,39 @@ profile gvfsd-fuse @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
||||
unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount),
|
||||
|
||||
mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
|
||||
|
||||
mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/,
|
||||
@{PROC}/sys/fs/pipe-max-size r,
|
||||
|
||||
/dev/fuse rw,
|
||||
|
||||
@{PROC}/sys/fs/pipe-max-size r,
|
||||
|
||||
profile fusermount {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
# To mount anything:
|
||||
capability sys_admin,
|
||||
|
||||
capability dac_read_search,
|
||||
capability sys_admin, # To mount anything
|
||||
|
||||
/{usr/,}bin/fusermount{,3} mr,
|
||||
unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse),
|
||||
|
||||
mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/,
|
||||
umount @{run}/user/@{uid}/**/,
|
||||
|
||||
/{usr/,}bin/fusermount{,3} mr,
|
||||
|
||||
/etc/fuse.conf r,
|
||||
/etc/machine-id r,
|
||||
|
||||
/dev/fuse rw,
|
||||
|
||||
@{PROC}/@{pid}/mounts r,
|
||||
|
||||
/dev/fuse rw,
|
||||
|
||||
}
|
||||
|
||||
include if exists <local/gvfsd-fuse>
|
||||
|
|
|
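Review bot: In the `fusermount` child profile, `umount @{run}/user/@{uid}/**/,` is wider than the paired `mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/,` directly above it: the child may unmount anything under the user's runtime directory (other FUSE mounts, not only gvfs) but may only mount into `gvfs/`. Unless fusermount has been observed unmounting elsewhere, match the two: `umount @{run}/user/@{uid}/gvfs/,`. `@{PROC}/sys/fs/pipe-max-size r,` in the main profile and `/dev/fuse rw,` in the child each appear twice in the rendered block; the `-13,37 +13,39` counts are consistent with moves rather than duplicates, so I'd only confirm a single copy of each remains on the new side.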
@ -30,6 +30,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
|
|||
capability audit_write,
|
||||
capability chown,
|
||||
capability dac_read_search,
|
||||
capability fowner,
|
||||
capability kill,
|
||||
capability net_bind_service,
|
||||
capability setgid,
|
||||
|
@ -86,6 +87,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/resolvconf/resolv.conf r,
|
||||
@{run}/systemd/notify w,
|
||||
@{run}/systemd/sessions/*.ref rw,
|
||||
@{run}/faillock/[a-zA-z0-9]* rwk,
|
||||
|
||||
@{sys}/fs/cgroup/*/user/*/[0-9]*/ rw,
|
||||
@{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-*.scope/ rw,
|
||||
|
|
|
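Review bot: `@{run}/faillock/[a-zA-z0-9]* rwk,` uses the range `A-z`, which in ASCII also spans `[`, `\`, `]`, `^`, `_` and the backtick; `A-Z` was almost certainly meant, but note that the typo is what currently lets underscore-containing account names through, since faillock's tally files are named after the account. Spell the intended set out rather than relying on the accident, e.g. `@{run}/faillock/[a-zA-Z0-9_.-]* rwk,`, or `@{run}/faillock/* rwk,` if any account name must work. The same `[a-zA-z0-9]` range appears in spice-vdagent's `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,` line, whether or not that line is new in this commit. The `-86,6 +87,7` header shows a single added line here and I'm assuming the faillock rule is it, as the rest of the hunk is existing rules.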
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile systemd-vconsole-setup @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/systemd-common>
|
||||
|
||||
capability sys_ptrace,
|
||||
|
@ -18,10 +19,11 @@ profile systemd-vconsole-setup @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/loadkeys rix,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/gzip rix,
|
||||
/{usr/,}bin/loadkeys rix,
|
||||
|
||||
/ r,
|
||||
|
||||
/usr/share/kbd/keymaps/{,**} r,
|
||||
|
||||
/etc/vconsole.conf r,
|
||||
|
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile apt-esm-hook @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/apt-common>
|
||||
include <abstractions/consoles>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
@ -17,6 +18,7 @@ profile apt-esm-hook @{exec_path} {
|
|||
|
||||
/etc/machine-id r,
|
||||
|
||||
/var/cache/apt/pkgcache.bin.* rw,
|
||||
/var/lib/ubuntu-advantage/messages/{,**} rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
|
|
@ -12,6 +12,7 @@ profile check-new-release-gtk @{exec_path} {
|
|||
include <abstractions/apt-common>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/python>
|
||||
|
@ -39,6 +40,8 @@ profile check-new-release-gtk @{exec_path} {
|
|||
|
||||
/etc/update-manager/{,**} r,
|
||||
|
||||
/var/lib/update-manager/{,**} rw,
|
||||
|
||||
owner @{user_cache_dirs}/update-manager-core/{,**} rw,
|
||||
|
||||
owner @{run}/user/@{uid}/wayland-[0-9] rw,
|
||||
|
|
|
@ -18,9 +18,14 @@ profile list-oem-metapackages @{exec_path} {
|
|||
/{usr/,}bin/dpkg rPx,
|
||||
/{usr/,}bin/ischroot rix,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
@{sys}/devices/ r,
|
||||
@{sys}/devices/**/ r,
|
||||
@{sys}/devices/**/modalias r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
@{PROC}/filesystems r,
|
||||
|
||||
include if exists <local/list-oem-metapackages>
|
||||
|
|
|
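Review bot: `@{PROC}/@{pids}/mountinfo r,` grants read of every process's mount table, while the line above it, `owner @{PROC}/@{pid}/fd/ r,`, is scoped to the program's own pid; a package-list helper normally needs only its own mountinfo, here probably for the `ischroot` it runs with `rix`. Narrow it to `owner @{PROC}/@{pid}/mountinfo r,` unless a denial for another pid was actually observed. The same `@{PROC}/@{pids}/mountinfo r,` appears in update-motd-updates-available's hunk beside an identical `owner @{PROC}/@{pid}/fd/ r,` line, and the same narrowing applies there.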
@ -22,5 +22,7 @@ profile livepatch-notification @{exec_path} {
|
|||
owner @{run}/user/@{uid}/bus rw,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
|
||||
@{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
include if exists <local/livepatch-notification>
|
||||
}
|
|
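Review bot: `@{run}/user/@{uid}/gdm/Xauthority r,` is one of the two lines this hunk adds (`-22,5 +22,7`) and it drops the `owner` qualifier that the `bus rw,` and `wayland-[0-9]* rw,` rules above it carry, so the process could read another user's X cookie file if `@{uid}` resolves to a numeric glob rather than the caller's id. Write it as `owner @{run}/user/@{uid}/gdm/Xauthority r,`; the gnome-control-center-print-renderer hunk in this same commit already uses the `owner` form for the identical path.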
@ -43,6 +43,8 @@ profile update-motd-updates-available @{exec_path} {
|
|||
/var/cache/apt/ r,
|
||||
/var/cache/apt/** rwk,
|
||||
|
||||
/tmp/ r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
|
||||
|
|
|
@ -10,8 +10,10 @@ include <tunables/global>
|
|||
profile update-notifier @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/apt-common>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/python>
|
||||
|
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}{s,}bin/anacron
|
||||
profile anacron @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
@ -18,7 +19,9 @@ profile anacron @{exec_path} {
|
|||
/ r,
|
||||
/etc/anacrontab r,
|
||||
|
||||
/var/spool/anacron/cron.* rw,
|
||||
/var/spool/anacron/cron.* rwk,
|
||||
|
||||
/tmp/file* rw,
|
||||
|
||||
include if exists <local/anacron>
|
||||
}
|
|
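Review bot: `/tmp/file* rw,` is new (the `-18,7 +19,9` counts account for it) and lacks the `owner` qualifier, so anacron may open and write any `/tmp/file*` entry, including one pre-created by an unprivileged user, which is the classic clobber pattern on a shared tmp directory. `file` followed by random characters looks like the glibc default temp-name prefix, so presumably anacron's own temporary file is meant; `owner /tmp/file* rw,` keeps the rule to files anacron created itself. The change from `rw` to `rwk` on `/var/spool/anacron/cron.*` looks right for the lock anacron takes on its timestamp files.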
@ -31,6 +31,8 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
|
|||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw,
|
||||
owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw,
|
||||
|
||||
|
|
|
@ -97,8 +97,9 @@ profile mkinitramfs @{exec_path} {
|
|||
|
||||
/{usr/,}bin/ldd mr,
|
||||
|
||||
/{usr/,}bin/kmod mr,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/kmod mr,
|
||||
/{usr/,}lib/initramfs-tools/bin/* mr,
|
||||
|
||||
/{usr/,}lib/@{multiarch}/ld-*.so* rix,
|
||||
/{usr/,}lib{,x}32/ld-*.so rix,
|
||||
|
|
|
@ -10,8 +10,14 @@ include <tunables/global>
|
|||
profile qemu-ga @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
capability mknod,
|
||||
capability net_admin,
|
||||
capability sys_ptrace,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/systemctl rix,
|
||||
|
||||
/etc/qemu/qemu-ga.conf r,
|
||||
|
||||
owner @{run}/qga.state* rw,
|
||||
|
|
|
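Review bot: `capability mknod,`, `capability net_admin,`, `capability sys_ptrace,` and `/{usr/,}bin/systemctl rix,` arrive together (the `-10,8 +10,14` header shows six new lines) with nothing saying which guest-agent command needs each one; for an agent driven from the host side, a one-line reason per capability is what makes later tightening possible, e.g. `capability sys_ptrace, # TODO: name the guest command that needs this`. `rix` also runs systemctl inside qemu-ga's own profile; if this tree ships a `systemctl` profile, `rPx` would confine it separately, otherwise a comment should say why inheritance was chosen. The qemu-ga profile body continues outside the hunk.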
@ -12,16 +12,15 @@ profile spice-vdagent @{exec_path} {
|
|||
include <abstractions/audio>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/pipewire/client.conf r,
|
||||
|
||||
owner @{user_config_dirs}/user-dirs.dirs r,
|
||||
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
|
||||
@{run}/spice-vdagentd/spice-vdagent-sock rw,
|
||||
@{run}/spice-vdagentd/spice-vdagent-sock rw,
|
||||
|
||||
@{sys}/devices/pci[0-9]*/**/{device,vendor} r,
|
||||
|
||||
|
|
|
@ -11,6 +11,7 @@ include <tunables/global>
|
|||
profile umount @{exec_path} flags=(complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/disks-read>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability chown,
|
||||
|
@ -44,8 +45,6 @@ profile umount @{exec_path} flags=(complain) {
|
|||
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
@{sys}/devices/virtual/block/dm-[0-9]*/dm/name r,
|
||||
|
||||
owner @{run}/mount/ rw,
|
||||
owner @{run}/mount/utab.lock wk,
|
||||
@{run}/mount/utab{,.*} rw,
|
||||
|
|