mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-02-21 17:35:50 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profile): general update.

Browse source
This commit is contained in:
Alexandre Pujol 2024-09-13 19:47:07 +01:00
parent 5474a5fa69
commit db064b651e
Failed to generate hash of commit
13 changed files with 32 additions and 56 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
apparmor.d/abstractions/app-open
View file

@ -38,6 +38,7 @@
@{bin}/gnome-calculator rPUx, @{bin}/gnome-calculator rPUx,
@{bin}/gnome-disk-image-mounter rPx, @{bin}/gnome-disk-image-mounter rPx,
@{bin}/gnome-disks rPx, @{bin}/gnome-disks rPx,
@{bin}/gnome-software rPx,
@{bin}/gwenview rPUx, @{bin}/gwenview rPUx,
@{bin}/kgx rPx, @{bin}/kgx rPx,
@{bin}/qbittorrent rPx, @{bin}/qbittorrent rPx,

2
apparmor.d/abstractions/app/chromium
View file

@ -26,6 +26,8 @@
include <abstractions/bus/org.freedesktop.ScreenSaver> include <abstractions/bus/org.freedesktop.ScreenSaver>
include <abstractions/bus/org.freedesktop.secrets> include <abstractions/bus/org.freedesktop.secrets>
include <abstractions/bus/org.freedesktop.UPower> include <abstractions/bus/org.freedesktop.UPower>
include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
include <abstractions/bus/org.gnome.ScreenSaver>
include <abstractions/bus/org.gnome.SessionManager> include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/bus/org.kde.kwalletd> include <abstractions/bus/org.kde.kwalletd>
include <abstractions/dconf-write> include <abstractions/dconf-write>

6
apparmor.d/groups/_full/systemd
View file

@ -155,13 +155,9 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
@{lib}/ r, @{lib}/ r,
/ r, / r,
/boot/ r, /*/ r,
/boot/efi/ r, /boot/efi/ r,
/efi/ r,
/snap/ r,
/snap/*/@{int}/ r, /snap/*/@{int}/ r,
/tmp/ r,
/usr/ r,
/var/cache/*/ r, /var/cache/*/ r,
/var/lib/*/ r, /var/lib/*/ r,
/var/tmp/ r, /var/tmp/ r,

2
apparmor.d/groups/gnome/evolution-user-prompter
View file

@ -10,6 +10,8 @@ include <tunables/global>
profile evolution-user-prompter @{exec_path} { profile evolution-user-prompter @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/dconf-write>
include <abstractions/gnome-strict>
#aa:dbus own bus=session name=org.gnome.evolution.dataserver.UserPrompter0 #aa:dbus own bus=session name=org.gnome.evolution.dataserver.UserPrompter0

4
apparmor.d/groups/gnome/gjs-console
View file

@ -35,9 +35,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
#aa:dbus own bus=session name=org.gnome.Shell.Notifications #aa:dbus own bus=session name=org.gnome.Shell.Notifications
#aa:dbus own bus=session name=org.gnome.Shell.Screencast #aa:dbus own bus=session name=org.gnome.Shell.Screencast
dbus send bus=session path=/org/gnome/Mutter/ScreenCast #aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell
interface=org.freedesktop.DBus.Properties
peer=(name=:*, label=gnome-shell),
dbus send bus=session path=/org/gnome/Shell dbus send bus=session path=/org/gnome/Shell
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties

2
apparmor.d/groups/gnome/gnome-extension-gsconnect
View file

@ -62,8 +62,6 @@ profile gnome-extension-gsconnect @{exec_path} {
owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/status r,
owner @{PROC}/@{pid}/task/@{tid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r,
/dev/shm/ r,
include if exists <local/gnome-extension-gsconnect> include if exists <local/gnome-extension-gsconnect>
} }

7
apparmor.d/groups/gnome/gnome-session-binary
View file

@ -14,7 +14,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.a11y> include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.login1.Session> include <abstractions/bus/org.freedesktop.login1.Session>
include <abstractions/bus/org.freedesktop.login1>
include <abstractions/bus/org.freedesktop.systemd1-session> include <abstractions/bus/org.freedesktop.systemd1-session>
include <abstractions/bus/org.gnome.Mutter.IdleMonitor> include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
include <abstractions/bus/org.gnome.ScreenSaver> include <abstractions/bus/org.gnome.ScreenSaver>
@ -33,17 +32,13 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
signal (send) set=(term) peer=gsd-*, signal (send) set=(term) peer=gsd-*,
#aa:dbus own bus=session name=org.gnome.SessionManager #aa:dbus own bus=session name=org.gnome.SessionManager
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
dbus send bus=session path=/org/freedesktop/DBus dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment} member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment}
peer=(name=org.freedesktop.DBus label=dbus-session), peer=(name=org.freedesktop.DBus label=dbus-session),
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={CanPowerOff,PowerOff,Reboot}
peer=(name=:*, label=systemd-logind),
dbus send bus=session path=/org/freedesktop/systemd1 dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager interface=org.freedesktop.systemd1.Manager
peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),

23
apparmor.d/groups/gnome/gnome-software
View file

@ -75,8 +75,11 @@ profile gnome-software @{exec_path} {
owner @{HOME}/.var/app/{,**} rw, owner @{HOME}/.var/app/{,**} rw,
owner @{user_download_dirs}/*.flatpakref r,
owner @{user_cache_dirs}/flatpak/{,**} rwl, owner @{user_cache_dirs}/flatpak/{,**} rwl,
owner @{user_cache_dirs}/gnome-software/{,**} rw, owner @{user_cache_dirs}/gnome-software/ rw,
owner @{user_cache_dirs}/gnome-software/** rwlk -> @{user_cache_dirs}/gnome-software/**,
owner @{user_config_dirs}/flatpak/{,**} r, owner @{user_config_dirs}/flatpak/{,**} r,
owner @{user_config_dirs}/pulse/*.conf r, owner @{user_config_dirs}/pulse/*.conf r,
@ -124,6 +127,8 @@ profile gnome-software @{exec_path} {
/dev/fuse rw, /dev/fuse rw,
deny owner @{user_share_dirs}/gvfs-metadata/* r,
profile gpg { profile gpg {
include <abstractions/base> include <abstractions/base>
@ -131,14 +136,26 @@ profile gnome-software @{exec_path} {
@{bin}/gpgconf mr, @{bin}/gpgconf mr,
@{bin}/gpgsm mr, @{bin}/gpgsm mr,
@{bin}/gpg-agent rix,
@{bin}/gpg-connect-agent rix,
@{lib}/{,gnupg/}scdaemon rix,
@{HOME}/@{XDG_GPG_DIR}/*.conf r, @{HOME}/@{XDG_GPG_DIR}/*.conf r,
@{tmp}/ r, @{tmp}/ r,
owner @{tmp}/ostree-gpg-@{rand6}/ r, owner @{tmp}/ostree-gpg-@{rand6}/ r,
owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
owner @{run}/user/@{uid}/gnupg/ w, owner @{run}/user/@{uid}/ r,
owner @{run}/user/@{uid}/gnupg/ rw,
owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw,
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw,
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw,
owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
include if exists <local/gnome-software_gpg> include if exists <local/gnome-software_gpg>
} }

6
apparmor.d/groups/gnome/gsd-power
View file

@ -20,7 +20,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus/org.freedesktop.login1> include <abstractions/bus/org.freedesktop.login1>
include <abstractions/bus/org.freedesktop.systemd1> include <abstractions/bus/org.freedesktop.systemd1>
include <abstractions/bus/org.freedesktop.UPower> include <abstractions/bus/org.freedesktop.UPower>
include <abstractions/bus/org.gnome.Mutter.DisplayConfig>
include <abstractions/bus/org.gnome.Mutter.IdleMonitor> include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
include <abstractions/bus/org.gnome.ScreenSaver> include <abstractions/bus/org.gnome.ScreenSaver>
include <abstractions/bus/org.gnome.SessionManager> include <abstractions/bus/org.gnome.SessionManager>
@ -37,10 +36,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
#aa:dbus own bus=session name=org.gnome.SettingsDaemon.Power #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Power
dbus send bus=session path=/org/gnome/Mutter/DisplayConfig #aa:dbus talk bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name=:*, label=gnome-shell),
dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight
interface=org.freedesktop.UPower.KbdBacklight interface=org.freedesktop.UPower.KbdBacklight

1
apparmor.d/groups/whonix/msgdispatcher
View file

@ -39,7 +39,6 @@ profile msgdispatcher @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/sudo> include <abstractions/app/sudo>
@{bin}/sudo mr,
@{lib}/msgcollector/* rPx, @{lib}/msgcollector/* rPx,
owner @{run}/msgcollector/user/msgdispatcher_x_* r, owner @{run}/msgcollector/user/msgdispatcher_x_* r,

2
apparmor.d/profiles-a-f/aa-enforce
View file

@ -32,7 +32,7 @@ profile aa-enforce @{exec_path} {
owner @{tmp}/@{rand8} rw, owner @{tmp}/@{rand8} rw,
owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
owner @{PROC}/@{pid}/fd r, @{PROC}/@{pid}/fd r,
include if exists <local/aa-enforce> include if exists <local/aa-enforce>
} }

29
apparmor.d/profiles-m-r/minitube
View file

@ -30,9 +30,7 @@ profile minitube @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# Be able to turn off the screensaver while playing movies @{bin}/xdg-screensaver rPx,
@{bin}/xdg-screensaver rCx -> xdg-screensaver,
@{open_path} rPx -> child-open, @{open_path} rPx -> child-open,
/usr/share/minitube/{,**} r, /usr/share/minitube/{,**} r,
@ -69,31 +67,6 @@ profile minitube @{exec_path} {
/dev/shm/#@{int} rw, /dev/shm/#@{int} rw,
owner /dev/tty@{int} rw, owner /dev/tty@{int} rw,
profile xdg-screensaver {
include <abstractions/base>
include <abstractions/consoles>
@{bin}/xdg-screensaver mr,
@{sh_path} rix,
@{bin}/mv rix,
@{bin}/{,e}grep rix,
@{bin}/sed rix,
@{bin}/which{,.debianutils} rix,
@{bin}/xset rix,
@{bin}/xautolock rix,
@{bin}/dbus-send rix,
owner @{HOME}/.Xauthority r,
# file_inherit
/dev/dri/card@{int} rw,
network inet stream,
network inet6 stream,
include if exists <local/minitube_xdg-screensaver>
}
include if exists <local/minitube> include if exists <local/minitube>
} }

3
apparmor.d/profiles-s-z/signal-desktop
View file

@ -31,9 +31,8 @@ profile signal-desktop @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
# @{bin}/basename rix,
@{bin}/getconf rix, @{bin}/getconf rix,
@{open_path} rPx -> child-open-strict, @{open_path} rPx -> child-open-strict,
#aa:stack X xdg-settings #aa:stack X xdg-settings
@{bin}/xdg-settings rPx -> signal-desktop//&xdg-settings, @{bin}/xdg-settings rPx -> signal-desktop//&xdg-settings,