mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-02-11 12:45:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profile): general update.

Browse source
This commit is contained in:
Alexandre Pujol 2025-02-09 00:11:09 +01:00
parent 5784ff83cf
commit da68c4f2d9
Failed to generate hash of commit
20 changed files with 65 additions and 27 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
apparmor.d/groups/apt/dpkg-preconfigure
View file

@ -41,8 +41,11 @@ profile dpkg-preconfigure @{exec_path} {
/etc/debconf.conf r, /etc/debconf.conf r,
/etc/default/grub r, /etc/default/grub r,
/etc/inputrc r, /etc/inputrc r,
/etc/locale.gen r,
/etc/shadow r, /etc/shadow r,
/var/lib/locales/supported.d/{,*} r,
owner @{tmp}/*.template.* rw, owner @{tmp}/*.template.* rw,
owner @{tmp}/*.config.* rwPUx, owner @{tmp}/*.config.* rwPUx,

1
apparmor.d/groups/bus/dbus-accessibility
View file

@ -76,6 +76,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/fdinfo/@{int} r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/oom_score_adj r, owner @{PROC}/@{pid}/oom_score_adj r,

3
apparmor.d/groups/bus/dbus-session
View file

@ -74,8 +74,9 @@ profile dbus-session flags=(attach_disconnected) {
@{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/attr/apparmor/current r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/oom_score_adj r, owner @{PROC}/@{pid}/fdinfo/@{int} r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/oom_score_adj r,
/dev/ptmx rw, /dev/ptmx rw,
/dev/tty@{int} rw, /dev/tty@{int} rw,

2
apparmor.d/groups/freedesktop/polkitd
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{lib}/{,polkit-1/}polkitd @{exec_path} = @{lib}/polkitd @{lib}/polkit-1/polkitd
profile polkitd @{exec_path} flags=(attach_disconnected) { profile polkitd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-system> include <abstractions/bus-system>

8
apparmor.d/groups/gnome/gnome-shell
View file

@ -83,15 +83,17 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
# Talk with gnome-shell # Talk with gnome-shell
#aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
#aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd
#aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
#aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
#aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
#aa:dbus talk bus=session name=org.gnome.* label=gnome-*
#aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console
#aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary
#aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-*
#aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
#aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus
# System bus # System bus
@ -163,10 +165,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
member=Introspect member=Introspect
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
dbus send bus=session path=/org/gnome/*/SearchProvider
interface=org.gnome.Shell.SearchProvider2
peer=(name=@{busname}),
@{exec_path} mr, @{exec_path} mr,
@{bin}/unzip rix, @{bin}/unzip rix,

4
apparmor.d/groups/gnome/session-migration
View file

@ -9,12 +9,14 @@ include <tunables/global>
@{exec_path} = @{bin}/session-migration @{exec_path} = @{bin}/session-migration
profile session-migration @{exec_path} { profile session-migration @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/python>
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix, @{sh_path} rix,
@{python_path} rix,
@{bin}/gsettings rPx, @{bin}/gsettings rPx,
/usr/share/session-migration/scripts/*.sh rix, /usr/share/session-migration/scripts/* rix,
/usr/share/session-migration/{,**} r, /usr/share/session-migration/{,**} r,

1
apparmor.d/groups/gnome/yelp
View file

@ -14,6 +14,7 @@ profile yelp @{exec_path} {
network netlink raw, network netlink raw,
#aa:dbus own bus=accessibility name=org.gnome.Yelp
#aa:dbus own bus=session name=org.gnome.Yelp #aa:dbus own bus=session name=org.gnome.Yelp
@{exec_path} mr, @{exec_path} mr,

4
apparmor.d/groups/grub/grub-check-signatures
View file

@ -22,7 +22,9 @@ profile grub-check-signatures @{exec_path} {
/usr/share/debconf/confmodule r, /usr/share/debconf/confmodule r,
owner @{tmp}/tmp.*/ rw, owner @{tmp}/tmp.@{rand10}/ rw,
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
include if exists <local/grub-check-signatures> include if exists <local/grub-check-signatures>
} }

12
apparmor.d/groups/grub/grub-install
View file

@ -25,20 +25,28 @@ profile grub-install @{exec_path} flags=(complain) {
@{bin}/udevadm rPx, @{bin}/udevadm rPx,
/usr/share/grub/{,**} r, /usr/share/grub/{,**} r,
/usr/share/locale-langpack/{,**} r,
/etc/default/grub.d/{,**} r, /etc/default/grub.d/{,**} r,
/etc/default/grub r, /etc/default/grub r,
/boot/efi/EFI/ubuntu/* w, /boot/efi/ r,
/boot/efi/EFI/BOOT/{,**} rw,
/boot/EFI/*/grubx*.efi rw, /boot/EFI/*/grubx*.efi rw,
/boot/efi/EFI/ r,
/boot/efi/EFI/BOOT/{,**} rw,
/boot/efi/EFI/ubuntu/* w,
/boot/grub/{,**} rw, /boot/grub/{,**} rw,
@{sys}/devices/**/hid r,
@{sys}/devices/**/path r,
@{sys}/devices/**/uid r,
@{sys}/firmware/efi/ r,
@{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/ r,
@{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw,
@{sys}/firmware/efi/efivars/BootCurrent-@{uuid} r, @{sys}/firmware/efi/efivars/BootCurrent-@{uuid} r,
@{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
@{sys}/firmware/efi/efivars/Timeout-@{uuid} r, @{sys}/firmware/efi/efivars/Timeout-@{uuid} r,
@{sys}/firmware/efi/fw_platform_size r,
@{sys}/firmware/efi/w_platform_size r, @{sys}/firmware/efi/w_platform_size r,
@{PROC}/devices r, @{PROC}/devices r,

4
apparmor.d/groups/kde/dolphin
View file

@ -40,6 +40,7 @@ profile dolphin @{exec_path} {
/usr/share/kservices{5,6}/{,**} r, /usr/share/kservices{5,6}/{,**} r,
/usr/share/kservicetypes5/{,**} r, /usr/share/kservicetypes5/{,**} r,
/usr/share/misc/termcap r, /usr/share/misc/termcap r,
/usr/share/thumbnailers/{,**} r,
/etc/fstab r, /etc/fstab r,
/etc/machine-id r, /etc/machine-id r,
@ -71,6 +72,7 @@ profile dolphin @{exec_path} {
owner @{user_share_dirs}/dolphin/ rw, owner @{user_share_dirs}/dolphin/ rw,
owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int}, owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int},
owner @{user_share_dirs}/recently-used.xbel{,.*} rwlk, owner @{user_share_dirs}/recently-used.xbel{,.*} rwlk,
owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk,
owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/dolphinrc rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc rwl -> @{user_config_dirs}/#@{int},
@ -89,6 +91,8 @@ profile dolphin @{exec_path} {
owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int}, owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int},
owner @{tmp}/dolphin.@{rand6} rwl,
@{run}/issue r, @{run}/issue r,
@{run}/mount/utab r, @{run}/mount/utab r,
owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/#@{int} rw,

1
apparmor.d/groups/kde/kde-powerdevil
View file

@ -72,6 +72,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
@{sys}/devices/platform/*/i2c-@{int}/name r, @{sys}/devices/platform/*/i2c-@{int}/name r,
@{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/mounts r,
/dev/i2c-@{int} rwk, /dev/i2c-@{int} rwk,

7
apparmor.d/groups/systemd/systemd-networkd
View file

@ -68,9 +68,10 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/product_version r,
@{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cgroup r,
@{PROC}/pressure/* r, @{PROC}/pressure/* r,
@{PROC}/sys/net/ipv{4,6}/** rw, @{PROC}/sys/net/ipv{4,6}/** rw,
owner @{PROC}/@{pid}/fdinfo/@{int} r,
include if exists <local/systemd-networkd> include if exists <local/systemd-networkd>
} }

1
apparmor.d/groups/systemd/systemd-udevd
View file

@ -95,6 +95,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
@{run}/systemd/notify rw, @{run}/systemd/notify rw,
@{run}/systemd/seats/seat@{int} r, @{run}/systemd/seats/seat@{int} r,
@{att}/@{run}/systemd/notify w,
@{att}/@{run}/udev/control rw, @{att}/@{run}/udev/control rw,
@{run}/udev/ rw, @{run}/udev/ rw,

3
apparmor.d/profiles-a-f/boltd
View file

@ -25,7 +25,8 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
owner @{run}/boltd/{,**} rw, owner @{run}/boltd/{,**} rw,
@{run}/systemd/notify rw, @{att}/@{run}/systemd/notify w,
@{run}/udev/data/+thunderbolt:* r, @{run}/udev/data/+thunderbolt:* r,
@{sys}/bus/ r, @{sys}/bus/ r,

5
apparmor.d/profiles-a-f/frontend
View file

@ -74,9 +74,12 @@ profile frontend @{exec_path} flags=(complain) {
/etc/inputrc r, /etc/inputrc r,
/etc/shadow r, /etc/shadow r,
owner @{tmp}/file* w,
owner /var/cache/debconf/* rwk, owner /var/cache/debconf/* rwk,
owner @{tmp}/file* w,
owner @{tmp}/tmp.@{rand10} rw,
owner @{tmp}/updateppds.@{rand6} rw,
@{HOME}/.Xauthority r, @{HOME}/.Xauthority r,
@{run}/user/@{uid}/pk-debconf-socket rw, @{run}/user/@{uid}/pk-debconf-socket rw,

5
apparmor.d/profiles-g-l/libreoffice
View file

@ -49,11 +49,12 @@ profile libreoffice @{exec_path} {
@{bin}/gpgconf rPx, @{bin}/gpgconf rPx,
@{bin}/gpgsm rPx, @{bin}/gpgsm rPx,
@{lib}/jvm/java*/bin/java rix,
@{lib}/jvm/java*/lib/** rm,
@{lib}/libreoffice/program/javaldx rix, @{lib}/libreoffice/program/javaldx rix,
@{lib}/libreoffice/program/oosplash rix, @{lib}/libreoffice/program/oosplash rix,
@{lib}/libreoffice/program/soffice.bin rix, @{lib}/libreoffice/program/soffice.bin rix,
@{lib}/jvm/java*/bin/java rix, @{lib}/libreoffice/program/xpdfimport rix,
@{lib}/jvm/java*/lib/** rm,
@{lib}/libreoffice/{,**} rm, @{lib}/libreoffice/{,**} rm,
@{lib}/libreoffice/share/uno_packages/cache/stamp.sys w, @{lib}/libreoffice/share/uno_packages/cache/stamp.sys w,

1
apparmor.d/profiles-s-z/setpci
View file

@ -16,6 +16,7 @@ profile setpci @{exec_path} flags=(complain) {
@{sys}/bus/pci/devices/ r, @{sys}/bus/pci/devices/ r,
@{sys}/devices/@{pci}/** r, @{sys}/devices/@{pci}/** r,
@{sys}/devices/@{pci}/config w,
include if exists <local/setpci> include if exists <local/setpci>
} }

10
apparmor.d/profiles-s-z/snap
View file

@ -14,6 +14,7 @@ profile snap @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.systemd1>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/disks-read> include <abstractions/disks-read>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -24,6 +25,8 @@ profile snap @{exec_path} {
network netlink raw, network netlink raw,
ptrace read peer=snap.snap-store.snap-store,
unix (send, receive) type=stream peer=(label=apt), unix (send, receive) type=stream peer=(label=apt),
mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/, mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/,
@ -32,6 +35,7 @@ profile snap @{exec_path} {
#aa:dbus own bus=session name=io.snapcraft.SessionAgent #aa:dbus own bus=session name=io.snapcraft.SessionAgent
#aa:dbus own bus=session name=io.snapcraft.Settings #aa:dbus own bus=session name=io.snapcraft.Settings
#aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.snap-store
#aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"
dbus send bus=session path=/org/freedesktop/portal/documents dbus send bus=session path=/org/freedesktop/portal/documents
@ -39,6 +43,11 @@ profile snap @{exec_path} {
member=GetMountPoint member=GetMountPoint
peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"), peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=@{busname}, label=gnome-shell),
@{exec_path} mrix, @{exec_path} mrix,
@{bin}/mount rix, @{bin}/mount rix,
@ -83,6 +92,7 @@ profile snap @{exec_path} {
@{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/random/uuid r,
@{PROC}/sys/kernel/seccomp/actions_avail r, @{PROC}/sys/kernel/seccomp/actions_avail r,
@{PROC}/version r, @{PROC}/version r,
owner @{PROC}/@{pid}/attr/apparmor/current r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
/dev/tty@{int} rw, /dev/tty@{int} rw,

9
apparmor.d/profiles-s-z/snapd
View file

@ -47,8 +47,8 @@ profile snapd @{exec_path} {
umount /tmp/syscheck-mountpoint-@{int}/, umount /tmp/syscheck-mountpoint-@{int}/,
umount /snap/*/*/, umount /snap/*/*/,
ptrace (read) peer=snap, ptrace read peer=@{p_systemd},
ptrace (read) peer=@{p_systemd}, ptrace read peer=snap{,.*},
unix (bind) type=stream addr=@@{udbus}/bus/systemctl/, unix (bind) type=stream addr=@@{udbus}/bus/systemctl/,
@ -155,16 +155,15 @@ profile snapd @{exec_path} {
@{sys}/fs/cgroup/{,*/} r, @{sys}/fs/cgroup/{,*/} r,
@{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/cgroup.controllers r,
@{sys}/fs/cgroup/system.slice/{,**/} r, @{sys}/fs/cgroup/system.slice/{,**/} r,
@{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
@{sys}/fs/cgroup/user.slice/ r, @{sys}/fs/cgroup/user.slice/ r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r,
@{sys}/kernel/kexec_loaded r, @{sys}/kernel/kexec_loaded r,
@{sys}/kernel/security/apparmor/.notify r, @{sys}/kernel/security/apparmor/.notify r,
@{sys}/kernel/security/apparmor/features/{,**} r, @{sys}/kernel/security/apparmor/features/{,**} r,
@{sys}/kernel/security/apparmor/profiles r, @{sys}/kernel/security/apparmor/profiles r,
@{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r,
@{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/mounts r,
@{PROC}/@{pid}/stat r, @{PROC}/@{pid}/stat r,

8
apparmor.d/profiles-s-z/syncthing
View file

@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/syncthing @{exec_path} = @{bin}/syncthing
profile syncthing @{exec_path} { profile syncthing @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
@ -28,15 +29,14 @@ profile syncthing @{exec_path} {
/etc/mime.types r, /etc/mime.types r,
owner @{HOME}/ r, @{HOME}/ r,
owner @{HOME}/@{XDG_DATA_DIR}/syncthing/{,**} rwk, @{HOME}/** rwk,
owner @{user_config_dirs}/syncthing/{,**} rwk,
owner @{user_state_dirs}/syncthing/{,**} rwk,
/home/ r, /home/ r,
@{user_sync_dirs}/{,**} rw, @{user_sync_dirs}/{,**} rw,
@{PROC}/@{pids}/net/route r, @{PROC}/@{pids}/net/route r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/net/core/somaxconn r, @{PROC}/sys/net/core/somaxconn r,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,