feat(profiles): general update.

This commit is contained in:
Alexandre Pujol 2022-05-07 11:42:18 +01:00
parent 6aadd82293
commit da1b3e1f1c
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
26 changed files with 114 additions and 126 deletions

View File

@ -23,7 +23,7 @@ profile accounts-daemon @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/usr/share/accountsservice/{,**} r, /usr/share/accountsservice/{,**} r,
/usr/share/dbus-1/interfaces/org.freedesktop.DisplayManager.AccountsService.xml r, /usr/share/dbus-1/interfaces/*.xml r,
/etc/gdm/ r, /etc/gdm/ r,
/etc/gdm/custom.conf rw, /etc/gdm/custom.conf rw,

View File

@ -41,7 +41,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
@{sys}/class/drm/ r, @{sys}/class/drm/ r,
@{sys}/class/video4linux/ r, @{sys}/class/video4linux/ r,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP,eDP}-*/{enabled,edid} r, @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r,
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,

View File

@ -33,6 +33,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
signal (send) set=(kill) peer=passwd, signal (send) set=(kill) peer=passwd,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/bash rUx,
/{usr/,}bin/bwrap rPUx, /{usr/,}bin/bwrap rPUx,
/{usr/,}bin/gcm-viewer rix, /{usr/,}bin/gcm-viewer rix,
/{usr/,}bin/locale rix, /{usr/,}bin/locale rix,

View File

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov # Copyright (C) 2021-2022 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -14,11 +14,9 @@ profile gvfsd @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}lib/gvfs/gvfsd-* rpx,
# Don't strip env here. @{libexec}/gvfsd-* rpx,
/{usr/,}lib/gvfs/gvfsd-* rpx,
@{libexec}/gvfsd-* rpx,
/usr/share/gvfs/{,**} r, /usr/share/gvfs/{,**} r,

View File

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2022 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -41,17 +41,18 @@ profile systemd-journald @{exec_path} {
@{run}/host/container-manager r, @{run}/host/container-manager r,
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
@{run}/udev/data/c10:224 r, # for /dev/tpm0
@{run}/udev/data/c24[0-9]:[0-9]* r,
@{run}/udev/data/+usb:* r,
@{run}/udev/data/+pci:* r,
@{run}/udev/data/+hid:* r,
@{run}/udev/data/+acpi:* r, @{run}/udev/data/+acpi:* r,
@{run}/udev/data/+scsi:* r,
@{run}/udev/data/+bluetooth:* r, @{run}/udev/data/+bluetooth:* r,
@{run}/udev/data/+usb-serial:* r, @{run}/udev/data/+hid:* r,
@{run}/udev/data/+pci:* r,
@{run}/udev/data/+platform* r, @{run}/udev/data/+platform* r,
@{run}/udev/data/+scsi:* r,
@{run}/udev/data/+usb-serial:* r,
@{run}/udev/data/+usb:* r,
@{run}/udev/data/c10:224 r, # for /dev/tpm0
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
@{run}/udev/data/c23[0-9]:[0-9]* r,
@{run}/udev/data/c24[0-9]:[0-9]* r,
@{sys}/devices/**/uevent r, @{sys}/devices/**/uevent r,
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,

View File

@ -7,9 +7,10 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-oomd @{exec_path} = /{usr/,}lib/systemd/systemd-oomd
profile systemd-oomd @{exec_path} { profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/systemd-common> include <abstractions/systemd-common>
include <abstractions/dbus-strict>
capability dac_override, capability dac_override,
capability kill, capability kill,
@ -18,7 +19,13 @@ profile systemd-oomd @{exec_path} {
/etc/systemd/oomd.conf r, /etc/systemd/oomd.conf r,
owner @{run}/systemd/notify rw,
owner @{run}/systemd/journal/socket w,
@{run}/systemd/io.system.ManagedOOM rw,
@{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/cgroup.controllers r,
@{sys}/fs/cgroup/memory.pressure r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r,
@{PROC}/pressure/{cpu,io,memory} r, @{PROC}/pressure/{cpu,io,memory} r,

View File

@ -15,10 +15,14 @@ profile systemd-random-seed @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/etc/machine-id r,
/var/lib/systemd/ r, /var/lib/systemd/ r,
/var/lib/systemd/random-seed rw, /var/lib/systemd/random-seed rw,
@{PROC}/sys/kernel/random/poolsize r, @{PROC}/sys/kernel/random/poolsize r,
/dev/urandom w,
include if exists <local/systemd-random-seed> include if exists <local/systemd-random-seed>
} }

View File

@ -1,17 +1,19 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020 krathalan https://git.sr.ht/~krathalan/apparmor-profiles/ # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-3.0-only # SPDX-License-Identifier: GPL-3.0-only
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-resolved @{exec_path} = /{usr/,}lib/systemd/systemd-resolved
profile systemd-resolved @{exec_path} { profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/p11-kit> include <abstractions/p11-kit>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/systemd-common>
capability net_bind_service, capability net_bind_service,
capability net_raw, capability net_raw,
@ -28,20 +30,13 @@ profile systemd-resolved @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# Runtime directories
/{,var/}run/systemd/netif/links/* r,
/{,var/}run/systemd/resolve/{,**} rw,
# Config
/etc/systemd/resolved.conf r, /etc/systemd/resolved.conf r,
/etc/systemd/resolved.conf.d/{,*} r, /etc/systemd/resolved.conf.d/{,*} r,
# Proc owner @{run}/systemd/journal/socket w,
owner @{PROC}/*/stat r, owner @{run}/systemd/notify rw,
@{PROC}/cmdline r, @{run}/systemd/netif/links/* r,
@{PROC}/sys/kernel/hostname r, @{run}/systemd/resolve/{,**} rw,
@{PROC}/sys/kernel/osrelease r,
# System access include if exists <local/systemd-timesyncd>
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
} }

View File

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2022 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -8,13 +8,11 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-timesyncd @{exec_path} = /{usr/,}lib/systemd/systemd-timesyncd
profile systemd-timesyncd @{exec_path} { profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/systemd-common>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/systemd-common>
network inet dgram, include <abstractions/dbus-strict>
network inet6 dgram,
capability sys_time, capability sys_time,
@ -29,6 +27,8 @@ profile systemd-timesyncd @{exec_path} {
owner /var/lib/systemd/timesync/clock rw, owner /var/lib/systemd/timesync/clock rw,
owner @{run}/systemd/journal/socket w,
owner @{run}/systemd/notify rw,
owner @{run}/systemd/timesync/synchronized rw, owner @{run}/systemd/timesync/synchronized rw,
@{run}/systemd/netif/state r, @{run}/systemd/netif/state r,
@{run}/resolvconf/*.conf r, @{run}/resolvconf/*.conf r,

View File

@ -20,6 +20,7 @@ profile systemd-update-utmp @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{run}/host/container-manager r, @{run}/host/container-manager r,
@{run}/systemd/private rw,
include if exists <local/systemd-update-utmp> include if exists <local/systemd-update-utmp>
} }

View File

@ -23,6 +23,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
owner /var/cache/apparmor/{,**} rw, owner /var/cache/apparmor/{,**} rw,
owner /var/lib/docker/tmp/docker-default[0-9]* r, owner /var/lib/docker/tmp/docker-default[0-9]* r,
owner /var/lib/snapd/apparmor/{,**} r,
owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw, owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,
@{sys}/kernel/security/apparmor/{,**} r, @{sys}/kernel/security/apparmor/{,**} r,

View File

@ -16,8 +16,9 @@ profile appstreamcli @{exec_path} flags=(complain) {
@{exec_path} mr, @{exec_path} mr,
# For file validation using the network
/{usr/,}bin/curl rCx -> curl, /{usr/,}bin/curl rCx -> curl,
/{usr/,}bin/gzip rix,
/{usr/,}bin/tar rix,
/usr/share/appdata/ r, /usr/share/appdata/ r,
/usr/share/applications/{,*.desktop} r, /usr/share/applications/{,*.desktop} r,
@ -33,15 +34,16 @@ profile appstreamcli @{exec_path} flags=(complain) {
owner @{user_cache_dirs}/appstream/appcache-*.mdb rw, owner @{user_cache_dirs}/appstream/appcache-*.mdb rw,
owner @{user_share_dirs}/mime/mime.cache r, owner @{user_share_dirs}/mime/mime.cache r,
/var/lib/app-info/ w,
/var/lib/app-info/yaml/ r, /var/lib/app-info/yaml/ r,
/var/lib/app-info/yaml/*_Components-*.yml.gz w, /var/lib/app-info/yaml/*_Components-*.yml.gz w,
/var/lib/app-info/ w,
/var/lib/apt/lists/ r, /var/lib/apt/lists/ r,
/var/lib/apt/lists/*_Components-*.gz r, /var/lib/apt/lists/*_Components-*.gz r,
/var/lib/flatpak/appstream/{,**} r,
/var/lib/swcatalog/ rw, /var/lib/swcatalog/ rw,
/var/lib/swcatalog/icons/{,**} rw,
/var/lib/swcatalog/yaml/ rw, /var/lib/swcatalog/yaml/ rw,
/var/lib/swcatalog/yaml/*_Components-*.yml.gz w, /var/lib/swcatalog/yaml/*_Components-*.yml.gz w,
/var/lib/flatpak/appstream/{,**} r,
/var/cache/swcatalog/cache/{,**} rw, /var/cache/swcatalog/cache/{,**} rw,
owner /var/cache/app-info/{,**} rw, owner /var/cache/app-info/{,**} rw,

View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/auditd @{exec_path} = /{usr/,}{s,}bin/auditd
profile auditd @{exec_path} { profile auditd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -29,7 +29,8 @@ profile auditd @{exec_path} {
owner @{run}/auditd.pid rwl, owner @{run}/auditd.pid rwl,
owner @{run}/auditd.state rw, owner @{run}/auditd.state rw,
@{run}/systemd/userdb/ r, @{run}/systemd/journal/dev-log w,
@{run}/systemd/userdb/ r,
owner @{PROC}/@{pid}/attr/current r, owner @{PROC}/@{pid}/attr/current r,
owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/loginuid r,

View File

@ -19,8 +19,11 @@ profile etckeeper @{exec_path} {
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix, /{usr/,}bin/chmod rix,
/{usr/,}bin/cut rix, /{usr/,}bin/cut rix,
/{usr/,}bin/diff rix,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/dpkg-query rpx, /{usr/,}bin/dpkg-query rpx,
/{usr/,}bin/find rix, /{usr/,}bin/find rix,
/{usr/,}bin/getent rix, /{usr/,}bin/getent rix,
@ -34,9 +37,11 @@ profile etckeeper @{exec_path} {
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/sed rix, /{usr/,}bin/sed rix,
/{usr/,}bin/sort rix, /{usr/,}bin/sort rix,
/{usr/,}bin/tail rix,
/{usr/,}bin/tty rix, /{usr/,}bin/tty rix,
/{usr/,}bin/uniq rix, /{usr/,}bin/uniq rix,
/{usr/,}bin/whoami rix, /{usr/,}bin/whoami rix,
/{usr/,}bin/xargs rix,
/{usr/,}lib/git-core/git* rix, /{usr/,}lib/git-core/git* rix,
/etc/.git/hooks/* rix, /etc/.git/hooks/* rix,
@ -54,7 +59,7 @@ profile etckeeper @{exec_path} {
@{run}/resolvconf/resolv.conf r, @{run}/resolvconf/resolv.conf r,
owner /tmp/etckeeper-git* rw, /tmp/etckeeper-git* rw,
profile gpg { profile gpg {
include <abstractions/base> include <abstractions/base>

View File

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -13,6 +14,7 @@ profile fsck @{exec_path} {
capability dac_override, capability dac_override,
capability dac_read_search, capability dac_read_search,
capability sys_rawio,
@{exec_path} mr, @{exec_path} mr,
@ -21,19 +23,20 @@ profile fsck @{exec_path} {
/etc/fstab r, /etc/fstab r,
@{PROC}/partitions r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{run}/fsck/ rw,
owner @{run}/fsck/*.lock rwk,
# When a mount dir is passed to fsck as an argument. # When a mount dir is passed to fsck as an argument.
@{MOUNTS}/*/ r, @{MOUNTS}/*/ r,
/boot/ r, /boot/ r,
/home/ r, /home/ r,
owner @{run}/fsck/ rw,
owner @{run}/fsck/*.lock rwk,
owner @{run}/blkid/blkid.tab{,-*} rw, owner @{run}/blkid/blkid.tab{,-*} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
owner @{run}/systemd/fsck.progress w,
@{run}/mount/utab r,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/partitions r,
include if exists <local/fsck> include if exists <local/fsck>
} }

View File

@ -20,5 +20,7 @@ profile fsck-fat @{exec_path} {
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{run}/systemd/fsck.progress rw,
include if exists <local/fsck-fat> include if exists <local/fsck-fat>
} }

View File

@ -86,6 +86,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
/dev/bus/usb/ r, /dev/bus/usb/ r,
/dev/bus/usb/[0-9]*/[0-9]* rw, /dev/bus/usb/[0-9]*/[0-9]* rw,
/dev/drm_dp_aux[0-9]* rw, /dev/drm_dp_aux[0-9]* rw,
/dev/hidraw[0-9]* rw,
/dev/mei[0-9]* rw, /dev/mei[0-9]* rw,
/dev/mem r, /dev/mem r,
/dev/sd[a-z]* r, /dev/sd[a-z]* r,

View File

@ -56,6 +56,7 @@ profile htop @{exec_path} {
@{PROC}/@{pids}/comm r, @{PROC}/@{pids}/comm r,
@{PROC}/@{pids}/environ r, @{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/io r, @{PROC}/@{pids}/io r,
@{PROC}/@{pids}/mounts r,
@{PROC}/@{pids}/net/dev r, @{PROC}/@{pids}/net/dev r,
@{PROC}/@{pids}/oom_{,score_}adj r, @{PROC}/@{pids}/oom_{,score_}adj r,
@{PROC}/@{pids}/oom_score r, @{PROC}/@{pids}/oom_score r,

View File

@ -1,33 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019 krathalan https://git.sr.ht/~krathalan/apparmor-profiles/
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-3.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/less
profile less @{exec_path} {
include <abstractions/base>
include <abstractions/bash>
capability dac_read_search,
capability dac_override,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/source-highlight rix,
/{usr/,}bin/src-hilite-lesspipe.sh rix,
@{system_share_dirs}/terminfo/{,**} r,
@{user_cache_dirs}/lesshs* rw,
owner /root/.lesshs* rw,
/{,**} r,
deny /{,**} w,
include if exists <local/less>
}

View File

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -67,35 +68,33 @@ profile run-parts @{exec_path} {
/etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/rmdir rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/cat rix, /{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix, /{usr/,}bin/chmod rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/kmod rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/rmdir rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/uname rix, /{usr/,}bin/uname rix,
/{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/kmod rix,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}sbin/dkms rPx,
/{usr/,}sbin/update-initramfs rPx,
/{usr/,}lib/dkms/dkms_autoinstaller rPx,
/{usr/,}bin/apt-config rPx, /{usr/,}bin/apt-config rPx,
/{usr/,}bin/dpkg rPx -> child-dpkg,
# (#FIXME#) /{usr/,}bin/systemd-detect-virt rPx,
/{usr/,}lib/dkms/dkms_autoinstaller rPx,
/{usr/,}sbin/dkms rPx,
/{usr/,}sbin/update-grub rPUx, /{usr/,}sbin/update-grub rPUx,
/{usr/,}bin/systemd-detect-virt rPUx, /{usr/,}sbin/update-initramfs rPx,
/{usr/,}lib/modules/*/updates/ w,
/{usr/,}lib/modules/*/updates/dkms/ w,
# For shell pwd # For shell pwd
/ r, / r,
@ -103,15 +102,13 @@ profile run-parts @{exec_path} {
/etc/apt/apt.conf.d/ r, /etc/apt/apt.conf.d/ r,
/etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw,
# For kmod
@{PROC}/cmdline r,
/etc/modprobe.d/ r, /etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r, /etc/modprobe.d/*.conf r,
/{usr/,}lib/modules/*/updates/ w,
/{usr/,}lib/modules/*/updates/dkms/ w, @{run}/reboot-required.pkgs w,
@{PROC}/devices r, @{PROC}/devices r,
@{PROC}/cmdline r,
} }

View File

@ -13,6 +13,7 @@ profile scrcpy @{exec_path} {
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/opencl> include <abstractions/opencl>
include <abstractions/vulkan>
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,

View File

@ -22,6 +22,7 @@ profile swtpm_setup @{exec_path} {
/var/lib/libvirt/swtpm/@{uuid}/tpm2/ r, /var/lib/libvirt/swtpm/@{uuid}/tpm2/ r,
owner /tmp/swtpm_setup.certs.*/ w, owner /tmp/swtpm_setup.certs.*/ w,
owner /tmp/swtpm_setup.certs.*/*.cert rw,
owner /tmp/.swtpm_setup.pidfile* rw, owner /tmp/.swtpm_setup.pidfile* rw,
@{run}/systemd/userdb/ r, @{run}/systemd/userdb/ r,

View File

@ -102,6 +102,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/net/route r, @{PROC}/@{pids}/net/route r,
/dev/media[0-9]* r,
/dev/video[0-9]* rw, /dev/video[0-9]* rw,
# Silence the noise # Silence the noise

View File

@ -9,8 +9,9 @@ include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal @{exec_path} = @{libexec}/xdg-desktop-portal
profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/dconf>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
capability sys_ptrace, capability sys_ptrace,
@ -40,8 +41,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
/var/lib/flatpak/exports/share/applications/{**,} r, /var/lib/flatpak/exports/share/applications/{**,} r,
owner @{run}/user/@{uid}/.flatpak/{,*/*} r, owner @{run}/user/@{uid}/.flatpak/{,*/*} r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,

View File

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal-gnome @{exec_path} = @{libexec}/xdg-desktop-portal-gnome
profile xdg-desktop-portal-gnome @{exec_path} { profile xdg-desktop-portal-gnome @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
include <abstractions/gtk> include <abstractions/gtk>
@ -19,10 +20,8 @@ profile xdg-desktop-portal-gnome @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/X11/xkb/{,**} r, /usr/share/X11/xkb/{,**} r,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
include if exists <local/xdg-desktop-portal-gnome> include if exists <local/xdg-desktop-portal-gnome>
} }

View File

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal-gtk @{exec_path} = @{libexec}/xdg-desktop-portal-gtk
profile xdg-desktop-portal-gtk @{exec_path} { profile xdg-desktop-portal-gtk @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf>
include <abstractions/fontconfig-cache-write> include <abstractions/fontconfig-cache-write>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
@ -27,12 +28,10 @@ profile xdg-desktop-portal-gtk @{exec_path} {
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{HOME}/.* r, owner @{HOME}/.* r,
owner @{HOME}/@{XDG_DATA_HOME}/ r, owner @{HOME}/@{XDG_DATA_HOME}/ r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,
@{run}/mount/utab r,
@{run}/mount/utab r,
owner @{PROC}/@{uid}/mountinfo r, owner @{PROC}/@{uid}/mountinfo r,