mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-02-20 17:05:36 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profile): general update.

Browse source
This commit is contained in:
Alexandre Pujol 2024-09-13 19:47:07 +01:00
parent 5474a5fa69
commit db064b651e
Failed to generate hash of commit
13 changed files with 32 additions and 56 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
apparmor.d/abstractions/app-open
View file

@ -38,6 +38,7 @@
@{bin}/gnome-calculator rPUx,
@{bin}/gnome-disk-image-mounter rPx,
@{bin}/gnome-disks rPx,
@{bin}/gnome-software rPx,
@{bin}/gwenview rPUx,
@{bin}/kgx rPx,
@{bin}/qbittorrent rPx,

2
apparmor.d/abstractions/app/chromium
View file

@ -26,6 +26,8 @@
include <abstractions/bus/org.freedesktop.ScreenSaver>
include <abstractions/bus/org.freedesktop.secrets>
include <abstractions/bus/org.freedesktop.UPower>
include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
include <abstractions/bus/org.gnome.ScreenSaver>
include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/bus/org.kde.kwalletd>
include <abstractions/dconf-write>

6
apparmor.d/groups/_full/systemd
View file

@ -155,13 +155,9 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
@{lib}/ r,
/ r,
/boot/ r,
/*/ r,
/boot/efi/ r,
/efi/ r,
/snap/ r,
/snap/*/@{int}/ r,
/tmp/ r,
/usr/ r,
/var/cache/*/ r,
/var/lib/*/ r,
/var/tmp/ r,

2
apparmor.d/groups/gnome/evolution-user-prompter
View file

@ -10,6 +10,8 @@ include <tunables/global>
profile evolution-user-prompter @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/dconf-write>
include <abstractions/gnome-strict>
#aa:dbus own bus=session name=org.gnome.evolution.dataserver.UserPrompter0

4
apparmor.d/groups/gnome/gjs-console
View file

@ -35,9 +35,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
#aa:dbus own bus=session name=org.gnome.Shell.Notifications
#aa:dbus own bus=session name=org.gnome.Shell.Screencast
dbus send bus=session path=/org/gnome/Mutter/ScreenCast
interface=org.freedesktop.DBus.Properties
peer=(name=:*, label=gnome-shell),
#aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell
dbus send bus=session path=/org/gnome/Shell
interface=org.freedesktop.DBus.Properties

2
apparmor.d/groups/gnome/gnome-extension-gsconnect
View file

@ -62,8 +62,6 @@ profile gnome-extension-gsconnect @{exec_path} {
owner @{PROC}/@{pid}/status r,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
/dev/shm/ r,
include if exists <local/gnome-extension-gsconnect>
}

7
apparmor.d/groups/gnome/gnome-session-binary
View file

@ -14,7 +14,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus-system>
include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.login1.Session>
include <abstractions/bus/org.freedesktop.login1>
include <abstractions/bus/org.freedesktop.systemd1-session>
include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
include <abstractions/bus/org.gnome.ScreenSaver>
@ -33,17 +32,13 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
signal (send) set=(term) peer=gsd-*,
#aa:dbus own bus=session name=org.gnome.SessionManager
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment}
peer=(name=org.freedesktop.DBus label=dbus-session),
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={CanPowerOff,PowerOff,Reboot}
peer=(name=:*, label=systemd-logind),
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),

23
apparmor.d/groups/gnome/gnome-software
View file

@ -75,8 +75,11 @@ profile gnome-software @{exec_path} {
owner @{HOME}/.var/app/{,**} rw,
owner @{user_download_dirs}/*.flatpakref r,
owner @{user_cache_dirs}/flatpak/{,**} rwl,
owner @{user_cache_dirs}/gnome-software/{,**} rw,
owner @{user_cache_dirs}/gnome-software/ rw,
owner @{user_cache_dirs}/gnome-software/** rwlk -> @{user_cache_dirs}/gnome-software/**,
owner @{user_config_dirs}/flatpak/{,**} r,
owner @{user_config_dirs}/pulse/*.conf r,
@ -124,6 +127,8 @@ profile gnome-software @{exec_path} {
/dev/fuse rw,
deny owner @{user_share_dirs}/gvfs-metadata/* r,
profile gpg {
include <abstractions/base>
@ -131,14 +136,26 @@ profile gnome-software @{exec_path} {
@{bin}/gpgconf mr,
@{bin}/gpgsm mr,
@{bin}/gpg-agent rix,
@{bin}/gpg-connect-agent rix,
@{lib}/{,gnupg/}scdaemon rix,
@{HOME}/@{XDG_GPG_DIR}/*.conf r,
@{tmp}/ r,
owner @{tmp}/ostree-gpg-@{rand6}/ r,
owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
owner @{run}/user/@{uid}/gnupg/ w,
owner @{run}/user/@{uid}/ r,
owner @{run}/user/@{uid}/gnupg/ rw,
owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw,
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw,
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw,
owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
include if exists <local/gnome-software_gpg>
}

6
apparmor.d/groups/gnome/gsd-power
View file

@ -20,7 +20,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus/org.freedesktop.login1>
include <abstractions/bus/org.freedesktop.systemd1>
include <abstractions/bus/org.freedesktop.UPower>
include <abstractions/bus/org.gnome.Mutter.DisplayConfig>
include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
include <abstractions/bus/org.gnome.ScreenSaver>
include <abstractions/bus/org.gnome.SessionManager>
@ -37,10 +36,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
#aa:dbus own bus=session name=org.gnome.SettingsDaemon.Power
dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name=:*, label=gnome-shell),
#aa:dbus talk bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell
dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight
interface=org.freedesktop.UPower.KbdBacklight

1
apparmor.d/groups/whonix/msgdispatcher
View file

@ -39,7 +39,6 @@ profile msgdispatcher @{exec_path} {
include <abstractions/base>
include <abstractions/app/sudo>
@{bin}/sudo mr,
@{lib}/msgcollector/* rPx,
owner @{run}/msgcollector/user/msgdispatcher_x_* r,

2
apparmor.d/profiles-a-f/aa-enforce
View file

@ -32,7 +32,7 @@ profile aa-enforce @{exec_path} {
owner @{tmp}/@{rand8} rw,
owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
owner @{PROC}/@{pid}/fd r,
@{PROC}/@{pid}/fd r,
include if exists <local/aa-enforce>
}

29
apparmor.d/profiles-m-r/minitube
View file

@ -30,9 +30,7 @@ profile minitube @{exec_path} {
@{exec_path} mr,
# Be able to turn off the screensaver while playing movies
@{bin}/xdg-screensaver rCx -> xdg-screensaver,
@{bin}/xdg-screensaver rPx,
@{open_path} rPx -> child-open,
/usr/share/minitube/{,**} r,
@ -69,31 +67,6 @@ profile minitube @{exec_path} {
/dev/shm/#@{int} rw,
owner /dev/tty@{int} rw,
profile xdg-screensaver {
include <abstractions/base>
include <abstractions/consoles>
@{bin}/xdg-screensaver mr,
@{sh_path} rix,
@{bin}/mv rix,
@{bin}/{,e}grep rix,
@{bin}/sed rix,
@{bin}/which{,.debianutils} rix,
@{bin}/xset rix,
@{bin}/xautolock rix,
@{bin}/dbus-send rix,
owner @{HOME}/.Xauthority r,
# file_inherit
/dev/dri/card@{int} rw,
network inet stream,
network inet6 stream,
include if exists <local/minitube_xdg-screensaver>
}
include if exists <local/minitube>
}

3
apparmor.d/profiles-s-z/signal-desktop
View file

@ -31,9 +31,8 @@ profile signal-desktop @{exec_path} {
@{exec_path} mrix,
# @{bin}/basename rix,
@{bin}/getconf rix,
@{open_path} rPx -> child-open-strict,
@{open_path} rPx -> child-open-strict,
#aa:stack X xdg-settings
@{bin}/xdg-settings rPx -> signal-desktop//&xdg-settings,