Merge branch 'master' into thunderbird2

nobodysu 2022-08-12 14:35:53 +00:00 committed by GitHub
commit db8e881c06
467 changed files with 6300 additions and 2372 deletions


@ -50,7 +50,7 @@ tests:
archlinux: archlinux:
stage: build stage: build
image: registry.gitlab.com/archlex/packages/builders/arch image: registry.gitlab.com/archlex/packages/builders/archlinux
script: script:
- sudo pacman -Syu --noconfirm --noprogressbar lsb-release - sudo pacman -Syu --noconfirm --noprogressbar lsb-release
- makepkg -s --noconfirm --noprogressbar - makepkg -s --noconfirm --noprogressbar
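Review bot: the builder image on the `image:` line, `registry.gitlab.com/archlex/packages/builders/archlinux`, carries no tag or digest, so every pipeline run pulls whatever `latest` currently is and the package build is not reproducible; pin a tag or an `@sha256:` digest and bump it deliberately. The rename from `.../arch` to `.../archlinux` itself is fine.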


@ -30,6 +30,17 @@ in this page all the useful information needed to contribute.
you'll see a Compare & pull request button, fill and submit the pull request. you'll see a Compare & pull request button, fill and submit the pull request.
## Projects rules
A few rules:
1. As these are mandatory access control policies only what it explicitly required
should be authorized. Meaning, you should not allow everything (or a large area)
and blacklist some sub area.
2. A profile **should not break a normal usage of the confined software**. It can
be complex as simply running the program for your own use case is not alway
exhaustive of the program features and required permissions.
## Add a profile ## Add a profile
1. To add a new profile `foo`, add the file `foo` in `apparmor.d/profile-a-f`. 1. To add a new profile `foo`, add the file `foo` in `apparmor.d/profile-a-f`.
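Review bot: the new "Projects rules" text has typos that should go before merge: `only what it explicitly required` should read `only what is explicitly required`, and `alway` should be `always`; `and blacklist some sub area` reads more clearly as `and then deny some sub-area`. Rule 1 is the right framing for a deny-by-default policy, so the wording is worth getting crisp.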
@ -64,37 +75,66 @@ profile foo @{exec_path} {
## Profile Guidelines ## Profile Guidelines
In order to ensure a common structure across the profiles, all new profile should try to follow the guideline presented here. > This profile guideline is still evloving, feel free to propose improvment
In order to ensure a common structure across the profiles, all new profile should
try to follow the guideline presented here.
The rules in the profile should be sorted as follow: The rules in the profile should be sorted as follow:
- include - include
- capability - capability
- ptrace
- signal
- network - network
- mount - mount
- remount
- umount
- ptrace
- signal
- unix
- dbus (send, receive) send receice
- @{exec_path} mr, - @{exec_path} mr,
- The binaries and library required: `/{usr/,}bin/`, `/{usr/,}lib/`, `/opt/`... - The binaries and library required: `/{usr/,}bin/`, `/{usr/,}lib/`, `/opt/`...
- The shared resources: `/usr/share`... - The shared resources: `/usr/share`...
- The system configuration: `/etc`... - The system configuration: `/etc`...
- The system data: `/var`...
- The user data: `owner @{HOME}/`... - The user data: `owner @{HOME}/`...
- The user configuration (all dotfiles) - The user configuration, cache and in general all dotfiles
- Temporary data: `/tmp/`, `@{run}/`... - Temporary data: `/tmp/`, `@{run}/`...
- Sys files: `@{sys}/`... - Sys files: `@{sys}/`...
- Proc files: `@{PROC}/`... - Proc files: `@{PROC}/`...
- Dev files: `/dev/`... - Dev files: `/dev/`...
- Deny rules: `deny`...
- Local include
**Other rules** **Other rules**
* Do not use: `/usr/lib` or `/usr/bin` but `/{usr/,}bin/` or `/{usr/,}lib/`. * Do not use: `/usr/lib` or `/usr/bin` but `/{usr/,}bin/` or `/{usr/,}lib/`.
* Do not use: `/usr/sbin` or `/sbin` but `/{usr/,}{s,}bin/`.
* Always use the apparmor variables. * Always use the apparmor variables.
* In a rule block, the rule shall be alphabetically sorted. * In a rule block, the rule shall be alphabetically sorted.
* When some file access share similar purpose, they shall be sorted together. Eg: * Subprofile should comes at the end of a profile.
* When some file access share similar purpose, they may be sorted together. Eg:
``` ```
/etc/machine-id r, /etc/machine-id r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
``` ```
The included tool `aa-log` can be useful to explore the apparmor log
## Abstraction
This project and the apparmor profile official project provide a large selection
of abstraction to be included in profiles. They should be used.
For instance, instead of writting:
```sh
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw,
```
to allow download directory access, you should write
```sh
include <abstractions/user-download-strict>
```
## AppArmor variables ## AppArmor variables
**Included variables:** **Included variables:**
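Review bot: typos in the added guideline text: `evloving` (evolving), `improvment` (improvement), `writting` (writing), and the dbus bullet reads `dbus (send, receive) send receice`, where the trailing `send receice` looks like a leftover that should be dropped. Also, the two fences that show AppArmor rules (`owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw,` and `include <abstractions/user-download-strict>`) are tagged as `sh`; they are not shell, so an untagged fence avoids misleading highlighting.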
@ -119,10 +159,11 @@ The rules in the profile should be sorted as follow:
**Additional variables available with this project:** **Additional variables available with this project:**
* Common mountpoints: `@{MOUNTS}=/media/ @{run}/media /mnt` * Common mountpoints: `@{MOUNTS}=/media/ @{run}/media /mnt`
* Universally unique identifier: `@{uuid}=[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*`
* Extended XDG user directories: * Extended XDG user directories:
- Projects: `@{XDG_PROJECTS_DIR}="Projects"` - Projects: `@{XDG_PROJECTS_DIR}="Projects"`
- Books: `@{XDG_BOOKS_DIR}="Books"` - Books: `@{XDG_BOOKS_DIR}="Books"`
- Wallpapers: `@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers"` - Wallpapers: `@{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers"`
- Sync: `@{XDG_SYNC_DIR}="Sync"` - Sync: `@{XDG_SYNC_DIR}="Sync"`
- Vm: `@{XDG_VM_DIR}=".vm"` - Vm: `@{XDG_VM_DIR}=".vm"`
- SSH: `@{XDG_SSH_DIR}=".ssh"` - SSH: `@{XDG_SSH_DIR}=".ssh"`
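Review bot: the new `@{uuid}` tunable `[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*` is much looser than a UUID: each group only needs one leading hex digit, after which `*` accepts any run of non-`/` characters, including further hyphens and non-hex letters, so `0x-1y-2z-3w-4v` matches. If the intent is a real 8-4-4-4-12 UUID, spell the groups out with repeated `[0-9a-f]` classes; otherwise document that the variable is a loose match so profile authors do not rely on it as a filter.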


@ -11,7 +11,8 @@
## Description ## Description
A set of over 1000 AppArmor profiles which aims is to confine most of Linux base applications and processes. A set of over 1200 AppArmor profiles which aims is to confine most of Linux base
applications and processes.
**Goals & Purpose** **Goals & Purpose**
- Support all distributions that support AppArmor: - Support all distributions that support AppArmor:
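Review bot: grammar in the description line, present before and after the change: `A set of over 1200 AppArmor profiles which aims is to confine` should read `whose aim is to confine` (or `that aims to confine`).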
@ -47,6 +48,8 @@ This is fundamentally different from how AppArmor is used on Linux server as it
* An `apparmor` based linux distribution. * An `apparmor` based linux distribution.
* Base profiles and abstractions shipped with AppArmor are supposed to be * Base profiles and abstractions shipped with AppArmor are supposed to be
installed. installed.
* Go (build dependency only)
* rsync (build dependency only)
**Archlinux** **Archlinux**
@ -58,17 +61,18 @@ sudo pacman -U apparmor.d-*.pkg.tar.zst \
--overwrite etc/apparmor.d/tunables/xdg-user-dirs --overwrite etc/apparmor.d/tunables/xdg-user-dirs
``` ```
> Note: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting) > **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting)
**Debian** **Debian**
Build using standard Debian package build tools: Build using standard Debian package build tools:
```sh ```sh
sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync
dpkg-buildpackage -b -d --no-sign dpkg-buildpackage -b -d --no-sign
sudo dpkg --install ../apparmor.d_*_all.deb sudo dpkg -i ../apparmor.d_*_all.deb
``` ```
> Note: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting) > **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting)
**Partial install** **Partial install**
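Review bot: `recommanded` should be `recommended` in both the Archlinux and Debian warning lines; the typo was carried over when `Note` became `**Warning**`. The new Debian line `sudo apt install ... golang-go rsync` correctly matches the Go and rsync build dependencies added to the requirements list earlier in the README.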
@ -131,7 +135,7 @@ DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r
**AppArmor configuration** **AppArmor configuration**
As they are a lot of rules, it is recommended to enable caching AppArmor profiles. As they are a lot of rules, it is recommended to enable caching AppArmor profiles.
In `/etc/apparmor/parser.conf`, uncomment `write-cache`. In `/etc/apparmor/parser.conf`, uncomment `write-cache` and `Optimize=compress-fast`.
See [Speed up AppArmor Start] on the Arch Wiki for more information. See [Speed up AppArmor Start] on the Arch Wiki for more information.
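Review bot: `As they are a lot of rules` should read `As there are a lot of rules`. Since the line now tells users to uncomment `Optimize=compress-fast` as well as `write-cache`, one sentence on what that option changes, or an explicit pointer that the linked Arch Wiki section explains it, would help readers decide whether they want it.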
@ -176,9 +180,9 @@ AppArmor log from `/var/log/audit/audit.log`. Then you can see the log with `aa-
**System Recovery** **System Recovery**
Issue in some core profiles like the systemd tools, or the desktop environment Issue in some core profiles like the systemd suite, or the desktop environment
can fully break your system. This should not happen a lot, but if it does here can fully break your system. This should not happen a lot, but if it does here
is the procces to recover your system on Archlinux: is the process to recover your system on Archlinux:
1. Boot from a Archlinux live USB 1. Boot from a Archlinux live USB
1. If you root partition is encryped, decrypt it: `cryptsetup open /dev/<your-disk-id> vg0` 1. If you root partition is encryped, decrypt it: `cryptsetup open /dev/<your-disk-id> vg0`
1. Mount your root partition: `mount /dev/<your-plain-disk-id> /mnt` 1. Mount your root partition: `mount /dev/<your-plain-disk-id> /mnt`
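Review bot: typos in the recovery steps, present on both sides of the hunk: `a Archlinux live USB` should be `an Archlinux live USB`, and `If you root partition is encryped` should be `If your root partition is encrypted`. The `procces` to `process` fix in the intro line is good; the `<your-disk-id>` and `<your-plain-disk-id>` placeholders are fine as they stand.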
@ -253,3 +257,4 @@ with this program; if not, write to the Free Software Foundation, Inc.,
[android_model]: https://arxiv.org/pdf/1904.05572 [android_model]: https://arxiv.org/pdf/1904.05572
[clipos]: https://clip-os.org/en/ [clipos]: https://clip-os.org/en/
[Speed up AppArmor Start]: https://wiki.archlinux.org/title/AppArmor#Speed-up_AppArmor_start_by_caching_profiles [Speed up AppArmor Start]: https://wiki.archlinux.org/title/AppArmor#Speed-up_AppArmor_start_by_caching_profiles
[write xor execute]: https://en.wikipedia.org/wiki/W%5EX


@ -0,0 +1,33 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# The unix socket to use to connect to the display
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
unix type=stream addr="@/tmp/.ICE-unix/[0-9]*",
unix type=stream addr="@/tmp/.X11-unix/X[0-9]*",
/tmp/.X11-unix/* rw,
/tmp/.ICE-unix/* rw,
# Available Xsessions
/usr/share/xsessions/{,*.desktop} r,
# ICEauthority files required for X authentication, per user
owner @{HOME}/.ICEauthority r,
owner @{run}/user/@{uid}/ICEauthority r,
# Xauthority files required for X connections, per user
owner @{HOME}/.Xauthority r,
owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
owner @{run}/user/@{uid}/X11/Xauthority r,
owner @{run}/user/@{uid}/xauth_* r,
# Xwayland
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
include if exists <abstractions/X-strict.d>
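Review bot: two unix rules in this new `X-strict` abstraction carry no access list: `unix type=stream addr="@/tmp/.ICE-unix/[0-9]*",` and `unix type=stream addr="@/tmp/.X11-unix/X[0-9]*",` grant every unix permission, including `bind` and `listen`, on the display server's own abstract addresses, which is more than an X client needs and undercuts the "strict" naming; if only the client side is intended, the two `(connect, receive, send)` rules above already cover it. Likewise `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,` gives write on an auth file where every other Xauthority entry here is `r`; `r` is likely enough unless a specific application was observed writing it.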


@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov # Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# Available Xsessions # Available Xsessions


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov # Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -9,5 +10,7 @@
/usr/ r, /usr/ r,
/{usr/,}{s,}bin/ r, /{usr/,}{s,}bin/ r,
/{usr/,}{s,}bin/[a-z0-9]* rPUx, /{usr/,}{s,}bin/[a-z0-9]* rPUx,
/usr/local/{s,}bin/ r,
/usr/local/{s,}bin/[a-zA-Z0-9]* rPUx,
include if exists <abstractions/app-launcher-root.d> include if exists <abstractions/app-launcher-root.d>
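Review bot: the new `/usr/local/{s,}bin/[a-zA-Z0-9]* rPUx,` uses a different leading class from the existing `/{usr/,}{s,}bin/[a-z0-9]* rPUx,` two lines above: the new rule also launches binaries whose name starts with an uppercase letter, the old one does not. Either is defensible, but the two launcher rules should behave the same. Note also that `PUx` falls back to unconfined whenever no profile exists for the target, which will be the common case for binaries under `/usr/local`.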


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov # Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -9,6 +10,8 @@
/usr/ r, /usr/ r,
/{usr/,}bin/ r, /{usr/,}bin/ r,
/{usr/,}bin/[a-zA-Z0-9]* rPUx, /{usr/,}bin/[a-zA-Z0-9]* rPUx,
/usr/local/bin/ r,
/usr/local/bin/[a-zA-Z0-9]* rPUx,
# Firefox # Firefox
/{usr/,}lib/ r, /{usr/,}lib/ r,


@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov # Copyright (C) 2020-2022 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
/usr/share/sounds/ r, /usr/share/sounds/ r,


@ -1,20 +1,21 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov # Copyright (C) 2020-2022 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
/etc/writable/localtime r, /etc/writable/localtime r,
/usr/share/locale/ r, /usr/share/locale/ r,
# Allow to receive some signals # Allow to receive some signals
signal (receive) peer=top,
signal (receive) peer=htop, signal (receive) peer=htop,
signal (receive) peer=sudo,
signal (receive) peer=top,
signal (receive) set=(hup) peer=xinit,
signal (receive) set=(term,cont) peer=systemd, signal (receive) set=(term,cont) peer=systemd,
signal (receive) set=(term,kill,stop,cont) peer=systemd-shutdown, signal (receive) set=(term,kill,stop,cont) peer=systemd-shutdown,
signal (receive) set=(term,kill) peer=gnome-shell,
signal (receive) set=(term,kill) peer=openbox, signal (receive) set=(term,kill) peer=openbox,
signal (receive) set=(hup) peer=xinit,
signal (receive) set=(term,kill) peer=su, signal (receive) set=(term,kill) peer=su,
signal (receive) peer=sudo,
ptrace (readby) peer=systemd-coredump, ptrace (readby) peer=systemd-coredump,


@ -39,3 +39,5 @@
owner @{HOME}/.pki/nssdb/pkcs11.txt rw, owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
include if exists <abstractions/chromium-common.d>


@ -0,0 +1,11 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*",
unix (bind, listen) type=stream addr="@/tmp/dbus-*",
unix (connect, receive, send, accept) type=stream peer=(addr="@/tmp/dbus-*"),
owner @{run}/user/@{uid}/at-spi/ rw,
owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
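Review bot: `unix (bind, listen) type=stream addr="@/tmp/dbus-*",` lets every profile that includes this abstraction create and listen on a `@/tmp/dbus-*` abstract socket, which is the accessibility bus daemon's role rather than the client's; a client abstraction should only need the `connect, send, receive` side, with `accept` only if the program itself accepts connections. Consider moving `bind, listen` into the profile of the daemon that owns the bus.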


@ -0,0 +1,15 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Permissions for querying dconf settings with write access; use the dconf
# abstraction first, and dconf-write only for specific application's profile.
/etc/dconf/** r,
owner @{user_config_dirs}/dconf/user r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
include if exists <abstractions/dconf-write.d>


@ -7,6 +7,8 @@
# The /sys/ entries probably should be tightened # The /sys/ entries probably should be tightened
/dev/ r, /dev/ r,
/dev/block/ r,
/dev/disk/{,*/} r,
# Regular disk/partition devices # Regular disk/partition devices
/dev/{s,v}d[a-z]* rk, /dev/{s,v}d[a-z]* rk,
@ -35,14 +37,46 @@
# LUKS/LVM (device-mapper) devices # LUKS/LVM (device-mapper) devices
/dev/dm-[0-9]* rk, /dev/dm-[0-9]* rk,
/dev/mapper/{,*} r,
@{sys}/devices/virtual/block/dm-[0-9]*/ r, @{sys}/devices/virtual/block/dm-[0-9]*/ r,
@{sys}/devices/virtual/block/dm-[0-9]*/** r, @{sys}/devices/virtual/block/dm-[0-9]*/** r,
# ZFS devices
/dev/zd[0-9]* rk,
/dev/zvol/{,*/} r,
/dev/*pool/ r,
@{sys}/devices/virtual/block/zd[0-9]*/ r,
@{sys}/devices/virtual/block/zd[0-9]*/** r,
# ZRAM devices # ZRAM devices
/dev/zram[0-9]* rk, /dev/zram[0-9]* rk,
@{sys}/devices/virtual/block/zram[0-9]*/ r, @{sys}/devices/virtual/block/zram[0-9]*/ r,
@{sys}/devices/virtual/block/zram[0-9]*/** r, @{sys}/devices/virtual/block/zram[0-9]*/** r,
# Armbian / DietPi
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/} r,
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}hidden r,
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}dev r,
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}size r,
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}ro r,
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}removable r,
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}start r,
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}uevent r,
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}holders/ r,
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}slaves/ r,
@{sys}/devices/platform/{soc,*.mmc}/**/mmc[0-9]*/mmc*/ r,
@{sys}/devices/platform/{soc,*.mmc}/**/mmc[0-9]*/mmc*/type r,
@{sys}/devices/virtual/block/ram[0-9]*/ r,
@{sys}/devices/virtual/block/ram[0-9]*/hidden r,
@{sys}/devices/virtual/block/ram[0-9]*/dev r,
@{sys}/devices/virtual/block/ram[0-9]*/size r,
@{sys}/devices/virtual/block/ram[0-9]*/ro r,
@{sys}/devices/virtual/block/ram[0-9]*/removable r,
@{sys}/devices/virtual/block/ram[0-9]*/holders/ r,
@{sys}/devices/virtual/block/ram[0-9]*/slaves/ r,
# investigate
# /dev/ram[0-9]* r,
# CD-ROM # CD-ROM
/dev/sr[0-9]* rk, /dev/sr[0-9]* rk,
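Review bot: `/dev/*pool/ r,` under `# ZFS devices` only covers pools whose name happens to end in `pool` (`rpool`, `bpool`, ...) while matching any other `/dev/*pool/` directory as well. ZFS also exposes the same volumes under `/dev/zvol/<pool>/`, which `/dev/zvol/{,*/} r,` already covers, so either document the pool-naming assumption or drop the bare alias. Separately, the `# investigate` / `# /dev/ram[0-9]* r,` pair is a TODO left in a shipped abstraction; resolve it or track it as an issue rather than a commented-out rule.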
@ -57,27 +91,15 @@
# changes, it's better to allow the whole range (240-254) instead of the single major numbers # changes, it's better to allow the whole range (240-254) instead of the single major numbers
# visible in the /proc/devices file. # visible in the /proc/devices file.
# [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt # [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
@{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices @{run}/udev/data/b24[0-9]:[0-9]* r,
@{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices @{run}/udev/data/b25[0-4]:[0-9]* r,
@{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b259:[0-9]* r, @{run}/udev/data/b259:[0-9]* r,
@{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
@{run}/udev/data/b11:[0-9]* r, # for /dev/sr* @{run}/udev/data/b11:[0-9]* r, # for /dev/sr*
@{run}/udev/data/b8:[0-9]* r, # for /dev/sd* @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
@{run}/udev/data/b230:[0-9]* r, # for /dev/zvol*
@{run}/udev/data/b7:[0-9]* r, # for /dev/loop* @{run}/udev/data/b7:[0-9]* r, # for /dev/loop*
@{run}/udev/data/b8:[0-9]* r, # for /dev/sd*
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**


@ -39,6 +39,11 @@
@{sys}/devices/virtual/block/dm-[0-9]*/ r, @{sys}/devices/virtual/block/dm-[0-9]*/ r,
@{sys}/devices/virtual/block/dm-[0-9]*/** r, @{sys}/devices/virtual/block/dm-[0-9]*/** r,
# ZFS devices
/dev/zd[0-9]* rwk,
@{sys}/devices/virtual/block/zd[0-9]*/ r,
@{sys}/devices/virtual/block/zd[0-9]*/** r,
# ZRAM devices # ZRAM devices
/dev/zram[0-9]* rwk, /dev/zram[0-9]* rwk,
@{sys}/devices/virtual/block/zram[0-9]*/ r, @{sys}/devices/virtual/block/zram[0-9]*/ r,
@ -63,28 +68,16 @@
# changes, it's better to allow the whole range (240-254) instead of the single major numbers # changes, it's better to allow the whole range (240-254) instead of the single major numbers
# visible in the /proc/devices file. # visible in the /proc/devices file.
# [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt # [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
@{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices @{run}/udev/data/b24[0-9]:[0-9]* r,
@{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices @{run}/udev/data/b25[0-4]:[0-9]* r,
@{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b259:[0-9]* r, @{run}/udev/data/b259:[0-9]* r,
@{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
@{run}/udev/data/b11:[0-9]* r, # for /dev/sr* @{run}/udev/data/b11:[0-9]* r, # for /dev/sr*
@{run}/udev/data/b8:[0-9]* r, # for /dev/sd* @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
@{run}/udev/data/b7:[0-9]* r, # for /dev/loop*
@{run}/udev/data/b2:[0-9]* r, # for /dev/fd* @{run}/udev/data/b2:[0-9]* r, # for /dev/fd*
@{run}/udev/data/b230:[0-9]* r, # for /dev/zvol*
@{run}/udev/data/b7:[0-9]* r, # for /dev/loop*
@{run}/udev/data/b8:[0-9]* r, # for /dev/sd*
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**


@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov # Copyright (C) 2020-2022 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
owner @{HOME}/.icons/default/index.theme r, owner @{HOME}/.icons/default/index.theme r,


@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov # Copyright (C) 2020-2022 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# abstract path in ibus < 1.5.22 uses /tmp # abstract path in ibus < 1.5.22 uses /tmp
@ -16,3 +16,7 @@
unix (connect, receive, send) unix (connect, receive, send)
type=stream type=stream
peer=(addr="@/home/*/.cache/ibus/dbus-*"), peer=(addr="@/home/*/.cache/ibus/dbus-*"),
unix (connect, send, receive, accept, bind, listen)
type=stream
addr="@/home/*/.cache/ibus/dbus-*",
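Review bot: the added `unix (connect, send, receive, accept, bind, listen) type=stream addr="@/home/*/.cache/ibus/dbus-*",` grants the full server side (`bind, listen, accept`) on the per-user ibus bus address to every profile that includes this abstraction, so any confined application could claim the address the ibus daemon is supposed to own. Keep the client permissions here and give `bind, listen` to the ibus daemon profile only.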


@ -3,7 +3,9 @@
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# allow receiving signals from libvirtd include <abstractions/base>
# Allow receiving signals from libvirtd
signal (receive) peer=libvirtd, signal (receive) peer=libvirtd,
umount, umount,
@ -119,4 +121,4 @@
deny /sys/fs/cgroup?*{,/**} wklx, deny /sys/fs/cgroup?*{,/**} wklx,
deny /sys/fs?*{,/**} wklx, deny /sys/fs?*{,/**} wklx,
include if exists <local/abstractions/libvirt-lxc> include if exists <abstractions/libvirt-lxc.d>
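Review bot: the last line replaces `include if exists <local/abstractions/libvirt-lxc>` with `include if exists <abstractions/libvirt-lxc.d>`, so site-local overrides installed at the old path silently stop being loaded after upgrade; the `if exists` hides the change rather than failing loudly. Mention the new `.d` location in the changelog or README, or keep the old include for one release.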


@ -1,8 +1,12 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) Libvirt Team # Copyright (C) Libvirt Team
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# required for reading disk images # required for reading disk images
capability dac_override, capability dac_override,
capability dac_read_search, capability dac_read_search,
@ -251,5 +255,4 @@
owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk, owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk, owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk,
# Site-specific additions and overrides. See local/README for details. include if exists <abstractions/libvirt-qemu.d>
include if exists <local/abstractions/libvirt-qemu>
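Review bot: the removed comment `# Site-specific additions and overrides. See local/README for details.` was the only pointer to where local overrides belong; with the include now at `<abstractions/libvirt-qemu.d>`, keep a one-line comment naming that directory so the migration is discoverable by anyone reading the abstraction.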


@ -11,7 +11,7 @@
# currently blocked by apparmor bug # currently blocked by apparmor bug
mount -> /usr/lib*/*/lxc/{**,}, mount -> /usr/lib*/*/lxc/{**,},
mount -> /usr/lib*/lxc/{**,}, mount -> /usr/lib*/lxc/{**,},
mount -> /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**}, mount -> /usr/lib/@{multiarch}/lxc/rootfs/{,**},
mount fstype=devpts -> /dev/pts/, mount fstype=devpts -> /dev/pts/,
mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/, mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
mount options=bind /dev/pts/** -> /dev/**, mount options=bind /dev/pts/** -> /dev/**,


@ -1,24 +1,30 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
/etc/hosts r, @{etc_ro}/default/nss r,
/etc/host.conf r, @{etc_ro}/gai.conf r,
/etc/resolv.conf r, @{etc_ro}/group r,
@{etc_ro}/host.conf r,
@{etc_ro}/hosts r,
@{etc_ro}/nsswitch.conf r,
@{etc_ro}/passwd r,
@{etc_ro}/protocols r,
@{etc_ro}/resolv.conf r,
@{etc_ro}/services r,
@{run}/systemd/resolve/stub-resolv.conf r, @{run}/systemd/resolve/stub-resolv.conf r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/gai.conf r,
/etc/group r,
/etc/protocols r,
/etc/default/nss r,
/etc/services r,
# NSS records from systemd-userdbd.service # NSS records from systemd-userdbd.service
@{run}/systemd/userdb/ r, @{run}/systemd/userdb/ r,
@{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r, @{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users
@{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs
@{run}/systemd/userdb/io.systemd.Machine rw, # systemd-machined
@{run}/systemd/userdb/io.systemd.Multiplexer rw,
@{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS
@{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/boot_id r,
include if exists <abstractions/nameservice-strict.d> include if exists <abstractions/nameservice-strict.d>


@ -1,11 +1,13 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov # Copyright (C) 2020-2022 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
/{usr/,}bin/ r,
/{usr/,}bin/python{2.[4-7],3,3.[0-9]*} r, /{usr/,}bin/python{2.[4-7],3,3.[0-9]*} r,
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]*}/{site,dist}-packages/**/ r, /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]*}/{site,dist}-packages/{,**/} r,
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]*}/**.{pyc,so} mr, owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]*}/**.{pyc,so} mr,
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]*}/**.{egg,py,pth} r, owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]*}/**.{egg,py,pth} r,


@ -1,33 +0,0 @@
# vim:syntax=apparmor
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/openssl>
network tcp,
network udp,
capability chown,
capability dac_read_search,
capability fowner,
capability fsetid,
capability setgid,
capability setuid,
/usr/bin/tor r,
/usr/sbin/tor r,
# Needed by obfs4proxy
/proc/sys/net/core/somaxconn r,
/proc/sys/kernel/random/uuid r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
/etc/tor/* r,
/usr/share/tor/** r,
/usr/bin/obfsproxy PUx,
/usr/bin/obfs4proxy Pix,
include if exists <abstractions/tor.d>
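Review bot: this deletes `abstractions/tor` outright (`-1,33 +0,0`). Any profile that still carries a plain `include <abstractions/tor>` (not `include if exists`) will fail to parse, and that profile will not load; grep the tree for remaining includers before merging, and call the removal out in the changelog because downstream local profiles may include it too. If the tor rules moved into a dedicated profile, a pointer to it in the PR description would help.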


@ -4,14 +4,11 @@
abi <abi/3.0>, abi <abi/3.0>,
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/** rwkl,
owner @{MOUNTS}/*/@{XDG_DOWNLOAD_DIR}/ r,
owner @{MOUNTS}/*/@{XDG_DOWNLOAD_DIR}/** rwkl,
owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl, owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl -> @{HOME}/@{XDG_DESKTOP_DIR}/**,
owner @{user_download_dirs}/ r,
owner @{user_download_dirs}/** rwkl -> @{user_download_dirs}/**,
# For SSHFS mounts (without owner as files in such mounts can be owned by different users) # For SSHFS mounts (without owner as files in such mounts can be owned by different users)
@{HOME}/mount-sshfs/ r, @{HOME}/mount-sshfs/ r,


@ -2,20 +2,23 @@
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
owner @{HOME}/@{XDG_DOCUMENTS_DIR}/{,**} r, # Give read access on all defined user directories. It should only be used if
owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} r, # access to ALL folders is required.
owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} r,
owner @{HOME}/@{XDG_VIDEOS_DIR}/{,**} r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} r,
owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} r,
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
owner @{MOUNTS}/**/@{XDG_DOCUMENTS_DIR}/{,**} r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
owner @{MOUNTS}/**/@{XDG_MUSIC_DIR}/{,**} r, owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
owner @{MOUNTS}/**/@{XDG_PICTURES_DIR}/{,**} r, owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
owner @{MOUNTS}/**/@{XDG_VIDEOS_DIR}/{,**} r, owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} r,
owner @{MOUNTS}/**/@{XDG_PROJECTS_DIR}/{,**} r,
owner @{MOUNTS}/**/@{XDG_BOOKS_DIR}/{,**} r, owner @{user_books_dirs}/{,**} r,
owner @{MOUNTS}/**/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_documents_dirs}/{,**} r,
owner @{user_music_dirs}/{,**} r,
owner @{user_pictures_dirs}/{,**} r,
owner @{user_projects_dirs}/{,**} r,
owner @{user_publicshare_dirs}/{,**} r,
owner @{user_sync_dirs}/{,**} r,
owner @{user_templates_dirs}/{,**} r,
owner @{user_torrents_dirs}/{,**} r,
owner @{user_videos_dirs}/{,**} r,
include if exists <abstractions/user-read.d> include if exists <abstractions/user-read.d>


@ -2,17 +2,12 @@
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} rwl,
owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} rwl,
owner @{HOME}/@{XDG_VIDEOS_DIR}/{,**} rwl,
owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} rwl,
owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} rwl,
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rwl, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
owner @{MOUNTS}/*/@{XDG_DOCUMENTS_DIR}/{,**} rwl, owner @{user_books_dirs}/{,**} rwl,
owner @{MOUNTS}/*/@{XDG_MUSIC_DIR}/{,**} rwl, owner @{user_documents_dirs}/{,**} rwl,
owner @{MOUNTS}/*/@{XDG_PICTURES_DIR}/{,**} rwl, owner @{user_music_dirs}/{,**} rwl,
owner @{MOUNTS}/*/@{XDG_VIDEOS_DIR}/{,**} rwl, owner @{user_pictures_dirs}/{,**} rwl,
owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/{,**} rwl, owner @{user_projects_dirs}/{,**} rwl,
owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}/{,**} rwl, owner @{user_videos_dirs}/{,**} rwl,
owner @{MOUNTS}/*/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
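Review bot: `rwl` here is the unrestricted link form, whereas the profiles touched by this commit use a target-restricted link, for example `owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,` in atom; giving these rules the same `-> @{user_music_dirs}/**` style target keeps hard links confined to the tree they are created in instead of allowing a link to any path the profile can already write. Also, user-read now covers publicshare, sync, templates and torrents but user-write does not; if that asymmetry is intended, a one-line comment saying so will stop the next contributor from "fixing" it.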

View file

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov # Copyright (C) 2020-2022 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{run}/user/@{uid}/wayland-[0-9]* rw,

View file

@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{AS_LIBDIR} = @{MOUNTS}/*/android-studio @{AS_LIBDIR} = @{MOUNTS}/android-studio
@{AS_SDKDIR} = @{MOUNTS}/*/SDK @{AS_SDKDIR} = @{MOUNTS}/SDK
@{AS_HOMEDIR} = @{HOME}/.AndroidStudio* @{AS_HOMEDIR} = @{HOME}/.AndroidStudio*
@{AS_PROJECTDIR} = @{HOME}/AndroidStudioProjects @{AS_PROJECTDIR} = @{HOME}/AndroidStudioProjects
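Review bot: `@{AS_LIBDIR} = @{MOUNTS}/android-studio` drops the `/*/` component the old value had, and the same substitution is applied to filezilla, atom, code, calibre and apt-cdrom in this commit, so all of these rules now depend on the `@{MOUNTS}` tunable itself expanding to the per-mount directories. That tunable change is not visible in this diff and should be referenced in the commit message, because a profile loaded against the old tunable silently loses access to everything under the mount points.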

View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom /{usr/,}bin/atom @{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom /{usr/,}bin/atom
profile atom @{exec_path} { profile atom @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/opencl-intel> include <abstractions/opencl-intel>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
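Review bot: `include <abstractions/dconf-write>` is a hard include, not `include if exists`, and this commit adds it to atom, code, freetube, telegram-desktop, thunderbird and reportbug while removing the old `abstractions/dconf` plus `@{run}/user/@{uid}/dconf/` rules; the abstraction file itself is not shown in the diff, so please make sure it is part of this commit, otherwise every one of those profiles fails to parse. A short comment in the abstraction noting that it supersedes the three-line dconf block would help reviewers of later profiles.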
@ -86,18 +87,14 @@ profile atom @{exec_path} {
# Git dirs # Git dirs
/ r, / r,
@{MOUNTS}/ r, @{MOUNTS}/ r,
owner @{MOUNTS}/*/ r, owner @{MOUNTS}/ r,
owner @{MOUNTS}/*/atom/ r, owner @{user_projects_dirs}/ r,
owner @{MOUNTS}/*/atom/** rwkl -> @{MOUNTS}/*/atom/**, owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
owner @{user_config_dirs}/git/config r, owner @{user_config_dirs}/git/config r,
/etc/fstab r, /etc/fstab r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
# Needed or atom gets crash with the following error: # Needed or atom gets crash with the following error:
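Review bot: `owner @{MOUNTS}/ r,` is redundant, because the unchanged `@{MOUNTS}/ r,` directly above already grants the same access without the `owner` restriction; drop one of them. The replacement `owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,` also widens write access from the single `atom/` subdirectory to every project directory, which follows project rule 2 but is a real scope change and deserves a mention in the commit message.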

View file

@ -75,12 +75,8 @@ profile calibre @{exec_path} {
/usr/share/calibre/{,**} r, /usr/share/calibre/{,**} r,
owner @{HOME}/@{XDG_BOOKS_DIR} rw, owner @{user_books_dirs} rw,
owner @{HOME}/@{XDG_BOOKS_DIR}/** rwkl, owner @{user_books_dirs}/** rwkl -> @{user_books_dirs}/**,
owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}/ r,
owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/ rw,
owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/** rwkl -> @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/**,
owner @{user_config_dirs}/calibre/ rw, owner @{user_config_dirs}/calibre/ rw,
owner @{user_config_dirs}/calibre/** rwk, owner @{user_config_dirs}/calibre/** rwk,
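Review bot: `owner @{user_books_dirs} rw,` has no trailing slash, so it matches a regular file named like the directory rather than the directory itself; if calibre needs to create or list its library directory the rule should read `owner @{user_books_dirs}/ rw,`. The removed mount rules also matched `@{XDG_BOOKS_DIR}*` (a library named `Books2`, for example) on external drives; unless the `@{user_books_dirs}` tunable carries the same trailing glob, libraries stored that way will now be denied.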

View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/code/{bin/,}code /{usr/,}bin/code @{exec_path} = /usr/share/code/{bin/,}code /{usr/,}bin/code
profile code @{exec_path} { profile code @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/opencl-intel> include <abstractions/opencl-intel>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
@ -63,18 +64,11 @@ profile code @{exec_path} {
owner @{HOME}/.vscode/** rwlk -> @{HOME}/.vscode/**, owner @{HOME}/.vscode/** rwlk -> @{HOME}/.vscode/**,
# Git dirs # Git dirs
/ r, owner @{user_projects_dirs}/ r,
@{MOUNTS}/ r, owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
owner @{MOUNTS}/*/ r,
owner @{MOUNTS}/*/code/ r,
owner @{MOUNTS}/*/code/** rwkl -> @{MOUNTS}/*/code/**,
/etc/fstab r, /etc/fstab r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
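Review bot: this hunk removes `/ r,`, `@{MOUNTS}/ r,` and `owner @{MOUNTS}/*/ r,` while the equivalent atom hunk in the same commit keeps `/ r,` and `@{MOUNTS}/ r,` (and even adds `owner @{MOUNTS}/ r,`); both editors open the same kind of folder dialogs, so one of the two profiles is either over-permissive or will log denials. Pick one behaviour and apply it to both.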
# Needed or code gets crash with the following error: # Needed or code gets crash with the following error:

View file

@ -56,8 +56,8 @@ profile filezilla @{exec_path} {
/{usr/,}lib/firefox/firefox rPUx, /{usr/,}lib/firefox/firefox rPUx,
# FTP share folder # FTP share folder
owner @{MOUNTS}/*/ftp/ r, owner @{MOUNTS}/ftp/ r,
owner @{MOUNTS}/*/ftp/** rw, owner @{MOUNTS}/ftp/** rw,
# Silencer # Silencer
/ r, / r,

View file

@ -15,6 +15,7 @@ include <tunables/global>
profile freetube @{exec_path} { profile freetube @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/opencl-intel> include <abstractions/opencl-intel>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
include <abstractions/fonts> include <abstractions/fonts>
@ -67,10 +68,6 @@ profile freetube @{exec_path} {
/etc/fstab r, /etc/fstab r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{user_share_dirs} r, owner @{user_share_dirs} r,

View file

@ -12,6 +12,7 @@ include <tunables/global>
profile telegram-desktop @{exec_path} { profile telegram-desktop @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/opencl-intel> include <abstractions/opencl-intel>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/fonts> include <abstractions/fonts>
@ -74,10 +75,6 @@ profile telegram-desktop @{exec_path} {
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/etc/machine-id r, /etc/machine-id r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
# Needed when saving files as, or otherwise the app crashes # Needed when saving files as, or otherwise the app crashes
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,

View file

@ -17,6 +17,7 @@ include <tunables/global>
profile thunderbird @{exec_path} { profile thunderbird @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/opencl-intel> include <abstractions/opencl-intel>
include <abstractions/wayland> include <abstractions/wayland>
include <abstractions/nvidia> include <abstractions/nvidia>

View file

@ -1,19 +1,22 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/apt /{usr/,}bin/apt-get @{exec_path} = /{usr/,}bin/apt /{usr/,}bin/apt-get /{usr/,}{s,}bin/aptd
profile apt @{exec_path} flags=(attach_disconnected) { profile apt @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/apt-common> include <abstractions/apt-common>
include <abstractions/dbus-strict>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/openssl>
include <abstractions/python>
capability chown, capability chown,
capability dac_override, capability dac_override,
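Review bot: adding `/{usr/,}{s,}bin/aptd` to `@{exec_path}` puts the aptdaemon system service under the same profile as the `apt` and `apt-get` command-line tools, so the CLI now inherits everything the daemon needs (`abstractions/python`, `abstractions/dbus-strict` and the system-bus rules further down) and the daemon inherits the interactive editor and pager subprofiles. A separate `aptd` profile would keep each at the minimum it needs, in line with project rule 1.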
@ -24,15 +27,46 @@ profile apt @{exec_path} flags=(attach_disconnected) {
capability net_admin, capability net_admin,
capability setgid, capability setgid,
capability setuid, capability setuid,
capability sys_nice,
signal (send) peer=apt-methods-*, signal (send) peer=apt-methods-*,
unix (receive, send) type=stream peer=(label=apt-esm-json-hook),
dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/[0-9a-f]*}
interface=org.{debian.apt*,freedesktop.DBus.{Properties,Introspectable}},
dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.{DBus.Introspectable,PackageKit}
member={StateHasChanged,Introspect}
peer=(name=org.freedesktop.PackageKit),
dbus send bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager
member=Inhibit
peer=(name=org.freedesktop.login[0-9]),
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus{,.Introspectable}
member={RequestName,GetConnectionUnixProcessID,Introspect}
peer=(name=org.freedesktop.DBus),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.{DBus.Introspectable,PolicyKit1.Authority}
member={CheckAuthorization,Introspect},
dbus bind bus=system
name= org.debian.apt,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}{s,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/echo rix, /{usr/,}bin/echo rix,
/{usr/,}bin/gdbus rix, /{usr/,}bin/gdbus rix,
/{usr/,}bin/ischroot rix,
/{usr/,}bin/test rix, /{usr/,}bin/test rix,
/{usr/,}bin/touch rix, /{usr/,}bin/touch rix,
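Review bot: the PolicyKit rule `dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority` with `member={CheckAuthorization,Introspect},` has no `peer=(name=org.freedesktop.PolicyKit1)` restriction, unlike the PackageKit, login1 and DBus rules next to it; add it so the authorization check cannot be answered by an arbitrary bus client. Two smaller points: `name= org.debian.apt,` has a stray space after `=` that none of the other conditionals use, and the `dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/[0-9a-f]*}` rule carries no `member` or `peer` restriction at all, which is broad for the interface that starts package transactions.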
@ -45,81 +79,95 @@ profile apt @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/apt-listchanges rPx, /{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/apt-show-versions rPx, /{usr/,}bin/apt-show-versions rPx,
/{usr/,}bin/debtags rPx, /{usr/,}bin/debtags rPx,
/{usr/,}bin/df rPx,
/{usr/,}bin/dmesg rPx,
/{usr/,}bin/dpkg rPx, /{usr/,}bin/dpkg rPx,
/{usr/,}bin/dpkg-source rcx -> dpkg-source, /{usr/,}bin/dpkg-source rcx -> dpkg-source,
/{usr/,}bin/etckeeper rPx, /{usr/,}bin/etckeeper rPx,
/{usr/,}bin/ps rPx, /{usr/,}bin/ps rPx,
/{usr/,}bin/snap rPUx,
/{usr/,}lib/cnf-update-db rPx,
/{usr/,}lib/needrestart/apt-pinvoke rPx, /{usr/,}lib/needrestart/apt-pinvoke rPx,
/{usr/,}lib/update-notifier/update-motd-updates-available rPx,
/usr/share/command-not-found/cnf-update-db rPx,
# Methods to use to download packages from the net
/{usr/,}lib/apt/methods/* rPx,
/var/lib/apt/lists/** rw,
/var/lib/apt/lists/lock rwk,
/var/lib/apt/extended_states{,.*} rw,
/var/log/apt/eipp.log.xz w,
/var/log/apt/{term,history}.log w,
# For building the source after the download process is finished (apt-get source --compile) # For building the source after the download process is finished (apt-get source --compile)
/{usr/,}bin/dpkg-buildpackage rPUx, /{usr/,}bin/dpkg-buildpackage rPUx,
# Methods to use to download packages from the net
/{usr/,}lib/apt/methods/* rPx,
# Ubuntu specificities
/{usr/,}lib/ubuntu-advantage/apt-esm-hook rPx,
/{usr/,}lib/ubuntu-advantage/apt-esm-json-hook rPx,
/{usr/,}lib/update-notifier/update-motd-updates-available rPx,
/usr/share/command-not-found/cnf-update-db rPx,
# For editing the sources.list file # For editing the sources.list file
/etc/apt/sources.list rwk,
/{usr/,}bin/sensible-editor rCx -> editor, /{usr/,}bin/sensible-editor rCx -> editor,
/{usr/,}bin/vim.* rCx -> editor, /{usr/,}bin/vim.* rCx -> editor,
# For changelogs # For changelogs
/tmp/apt-changelog-*/ w,
owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw,
/tmp/apt-changelog-*/*.changelog w,
/{usr/,}bin/sensible-pager rCx -> pager, /{usr/,}bin/sensible-pager rCx -> pager,
/var/lib/dpkg/** r, /usr/share/xml/iso-codes/{,**} r,
/var/lib/dpkg/lock{,-frontend} rwk,
owner @{PROC}/@{pid}/fd/ r, /etc/apt/sources.list rwk,
/dev/ptmx rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r, /etc/machine-id r,
/var/lib/dbus/machine-id r,
/tmp/ r,
owner /tmp/apt.conf.* rw,
owner /tmp/apt.data.* rw,
owner /tmp/apt-dpkg-install-*/ rw,
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
/var/cache/apt/ r, /var/cache/apt/ r,
/var/cache/apt/** rwk, /var/cache/apt/** rwk,
/var/crash/{,*.@{uid}.crash} rw,
/var/lib/apt/extended_states{,.*} rw,
/var/lib/apt/lists/** rw,
/var/lib/apt/lists/lock rwk,
/var/lib/apt/periodic/update-success-stamp rw,
/var/lib/dpkg/** r,
/var/lib/dpkg/lock{,-frontend} rwk,
/var/lib/update-notifier/dpkg-run-stamp rw,
/var/log/apt/{,**} rw,
# For package building # For package building
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
/tmp/ r,
/tmp/apt-changelog-*/ w,
/tmp/apt-changelog-*/*.changelog w,
owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw,
owner /tmp/apt-dpkg-install-*/ rw,
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
owner /tmp/apt.conf.* rw,
owner /tmp/apt.data.* rw,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/mountinfo r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
/dev/ptmx rw,
@{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/inhibit/[0-9]*.ref rw,
profile editor flags=(complain) { profile editor flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/sensible-editor mr, /{usr/,}bin/sensible-editor mr,
/{usr/,}bin/vim.* mrix, /{usr/,}bin/vim.* mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/which{,.debianutils} rix,
owner @{HOME}/.selected_editor r,
/usr/share/vim/{,**} r, /usr/share/vim/{,**} r,
/etc/vim/{,**} r,
owner @{HOME}/.viminfo{,.tmp} rw,
owner @{HOME}/.fzf/plugin/ r,
owner @{HOME}/.fzf/plugin/fzf.vim r,
/etc/apt/sources.list rw, /etc/apt/sources.list rw,
/etc/vim/{,**} r,
owner @{HOME}/.viminfo{,.tmp} rw,
owner @{HOME}/.selected_editor r,
owner @{HOME}/.fzf/plugin/ r,
owner @{HOME}/.fzf/plugin/fzf.vim r,
} }
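Review bot: `/var/log/apt/{,**} rw,` replaces the two write-only rules `/var/log/apt/eipp.log.xz w,` and `/var/log/apt/{term,history}.log w,`, so apt can now read back every file under its log directory and create arbitrary new ones there; if the widening is needed for a new file, add that file explicitly and keep the logs write-only. Worth a second look in the same hunk: `/{usr/,}bin/snap rPUx,` falls back to unconfined execution when no snap profile is loaded, and `/var/crash/{,*.@{uid}.crash} rw,` gives apt read and write access to crash reports under `/var/crash`.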
@ -130,39 +178,36 @@ profile apt @{exec_path} flags=(attach_disconnected) {
capability dac_read_search, capability dac_read_search,
/{usr/,}bin/ r, /{usr/,}bin/ r,
/{usr/,}bin/sensible-pager mr,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/less rix, /{usr/,}bin/less rix,
/{usr/,}bin/sensible-pager mr,
/{usr/,}bin/which{,.debianutils} rix,
/root/ r, # For shell pwd
owner @{HOME}/.less* rw, owner @{HOME}/.less* rw,
owner /tmp/apt-changelog-*/ r, owner /tmp/apt-changelog-*/ r,
owner /tmp/apt-changelog-*/*.changelog r, owner /tmp/apt-changelog-*/*.changelog r,
# For shell pwd
/root/ r,
} }
profile dpkg-source flags=(complain) { profile dpkg-source flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/perl>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/perl>
/{usr/,}bin/dpkg-source mr, /{usr/,}bin/dpkg-source mr,
/{usr/,}bin/perl r, /{usr/,}bin/perl r,
/{usr/,}bin/tar rix,
/{usr/,}bin/bunzip2 rix, /{usr/,}bin/bunzip2 rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/gunzip rix, /{usr/,}bin/gunzip rix,
/{usr/,}bin/gzip rix, /{usr/,}bin/gzip rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/patch rix, /{usr/,}bin/patch rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/xz rix,
/etc/dpkg/origins/debian r, /etc/dpkg/origins/debian r,

View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -9,23 +10,23 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-cache @{exec_path} = /{usr/,}bin/apt-cache
profile apt-cache @{exec_path} { profile apt-cache @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/apt-common> include <abstractions/apt-common>
include <abstractions/consoles>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/dpkg rPx -> child-dpkg,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/var/lib/dpkg/** r, /var/lib/dpkg/** r,
/var/lib/dpkg/lock{,-frontend} rwk, /var/lib/dpkg/lock{,-frontend} rwk,
owner @{PROC}/@{pid}/fd/ r,
/var/cache/apt/ r, /var/cache/apt/ r,
/var/cache/apt/** rwk, /var/cache/apt/** rwk,
/var/lib/dbus/machine-id r, owner @{PROC}/@{pid}/fd/ r,
/etc/machine-id r,
include if exists <local/apt-cache> include if exists <local/apt-cache>
} }

View file

@ -9,8 +9,8 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-cdrom @{exec_path} = /{usr/,}bin/apt-cdrom
profile apt-cdrom @{exec_path} flags=(complain) { profile apt-cdrom @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/apt-common> include <abstractions/apt-common>
include <abstractions/nameservice-strict>
capability dac_read_search, capability dac_read_search,
@ -21,6 +21,8 @@ profile apt-cdrom @{exec_path} flags=(complain) {
/{usr/,}bin/mount rCx -> mount, /{usr/,}bin/mount rCx -> mount,
/{usr/,}bin/umount rCx -> umount, /{usr/,}bin/umount rCx -> umount,
/etc/fstab r,
# Are all of these needed? (#FIXME#) # Are all of these needed? (#FIXME#)
@{sys}/bus/ r, @{sys}/bus/ r,
@{sys}/bus/*/devices/ r, @{sys}/bus/*/devices/ r,
@ -29,8 +31,6 @@ profile apt-cdrom @{exec_path} flags=(complain) {
@{sys}/devices/**/uevent r, @{sys}/devices/**/uevent r,
@{run}/udev/data/* r, @{run}/udev/data/* r,
/etc/fstab r,
# For cd-roms # For cd-roms
/media/cdrom[0-9]/ r, /media/cdrom[0-9]/ r,
/media/cdrom[0-9]/**/ r, /media/cdrom[0-9]/**/ r,
@ -39,11 +39,11 @@ profile apt-cdrom @{exec_path} flags=(complain) {
/media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r, /media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r,
# For pendrives # For pendrives
@{MOUNTS}/*/*/ r, @{MOUNTS}/ r,
@{MOUNTS}/*/*/**/ r, @{MOUNTS}/**/ r,
@{MOUNTS}/*/*/.disk/info r, @{MOUNTS}/.disk/info r,
@{MOUNTS}/*/*/dists/**/binary-*/Packages{,.gz} r, @{MOUNTS}/dists/**/binary-*/Packages{,.gz} r,
@{MOUNTS}/*/*/dists/**/i18n/Translation-en{,.gz} r, @{MOUNTS}/dists/**/i18n/Translation-en{,.gz} r,
/var/lib/apt/lists/** rw, /var/lib/apt/lists/** rw,
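Review bot: this hunk drops two path components (`@{MOUNTS}/*/*/.disk/info r,` becomes `@{MOUNTS}/.disk/info r,`) while the other profiles in this commit drop only one (`@{MOUNTS}/*/ftp/` becomes `@{MOUNTS}/ftp/`); unless the old apt-cdrom rules were one level too deep, the pendrive rules now point one directory above the mounted media. Please double-check these against the new `@{MOUNTS}` expansion.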

View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -9,13 +10,15 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-config @{exec_path} = /{usr/,}bin/apt-config
profile apt-config @{exec_path} { profile apt-config @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/apt-common> include <abstractions/apt-common>
include <abstractions/consoles>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/dpkg rPx -> child-dpkg,
owner /tmp/tmp*/apt.conf r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-config> include if exists <local/apt-config>

View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -16,15 +17,17 @@ profile apt-extracttemplates @{exec_path} {
/{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/dpkg rPx -> child-dpkg,
owner @{PROC}/@{pid}/fd/ r,
/var/cache/apt/ r, /var/cache/apt/ r,
/var/cache/apt/** rwk, /var/cache/apt/** rwk,
owner /tmp/*.{config,template}.?????? rw,
# For package building # For package building
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
owner /tmp/*.{config,template}.?????? rw,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-extracttemplates> include if exists <local/apt-extracttemplates>
} }

View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -25,13 +26,13 @@ profile apt-file @{exec_path} {
/etc/apt/apt-file.conf r, /etc/apt/apt-file.conf r,
owner @{PROC}/@{pid}/fd/ r,
# For shell pwd # For shell pwd
/root/ r, /root/ r,
# file_inherit # file_inherit
/var/log/cron-apt/temp w, /var/log/cron-apt/temp w,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-file> include if exists <local/apt-file>
} }

View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov # Copyright (C) 2021-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -9,8 +10,8 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-forktracer @{exec_path} = /{usr/,}bin/apt-forktracer
profile apt-forktracer @{exec_path} { profile apt-forktracer @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/python>
include <abstractions/apt-common> include <abstractions/apt-common>
include <abstractions/python>
@{exec_path} mr, @{exec_path} mr,
@ -19,21 +20,20 @@ profile apt-forktracer @{exec_path} {
/{usr/,}bin/apt-cache rPx, /{usr/,}bin/apt-cache rPx,
/usr/share/apt-forktracer/{,**} r, /usr/share/apt-forktracer/{,**} r,
/usr/share/distro-info/debian.csv r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/var/lib/apt/lists/ r, /var/lib/apt/lists/ r,
/var/lib/apt/lists/*_InRelease r, /var/lib/apt/lists/*_InRelease r,
/var/cache/apt/pkgcache.bin{,.*} rw, /var/cache/apt/pkgcache.bin{,.*} rw,
/usr/share/distro-info/debian.csv r,
owner @{PROC}/@{pid}/fd/ r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/etc/dpkg/origins/debian r, /etc/dpkg/origins/debian r,
/etc/debian_version r, /etc/debian_version r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-forktracer> include if exists <local/apt-forktracer>
} }

View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -14,21 +15,21 @@ profile apt-key @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/comm rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/find rix,
/{usr/,}bin/id rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/sed rix, /{usr/,}bin/sed rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/find rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/sort rix, /{usr/,}bin/sort rix,
/{usr/,}bin/comm rix, /{usr/,}bin/touch rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/id rix,
/{usr/,}bin/tr rix, /{usr/,}bin/tr rix,
/{usr/,}bin/uniq rix, /{usr/,}bin/uniq rix,
/{usr/,}bin/wc rix, /{usr/,}bin/wc rix,
@ -73,6 +74,11 @@ profile apt-key @{exec_path} {
/{usr/,}bin/gpg-agent rix, /{usr/,}bin/gpg-agent rix,
/{usr/,}bin/gpg-connect-agent rix, /{usr/,}bin/gpg-connect-agent rix,
/usr/share/gnupg/sks-keyservers.netCA.pem r,
/etc/hosts r,
/etc/inputrc r,
/etc/apt/.#lk0x[a-f0-9]*.@{pid} rw, /etc/apt/.#lk0x[a-f0-9]*.@{pid} rw,
/etc/apt/.#lk0x[a-f0-9]*.@{pid}x rwl -> /etc/apt/.#lk0x[a-f0-9]*.@{pid}, /etc/apt/.#lk0x[a-f0-9]*.@{pid}x rwl -> /etc/apt/.#lk0x[a-f0-9]*.@{pid},
/etc/apt/trusted.gpg{,~,.tmp} rw, /etc/apt/trusted.gpg{,~,.tmp} rw,
@ -86,18 +92,13 @@ profile apt-key @{exec_path} {
owner /tmp/apt-key-gpghome.*/ rw, owner /tmp/apt-key-gpghome.*/ rw,
owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w,
owner @{run}/user/@{uid}/gnupg/d.*/ rw,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/usr/share/gnupg/sks-keyservers.netCA.pem r,
/etc/hosts r,
/etc/inputrc r,
# File_inherit
owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w,
} }
include if exists <local/apt-key> include if exists <local/apt-key>
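Review bot: `owner @{run}/user/@{uid}/gnupg/d.*/ rw,` matches only the socket directory itself (trailing slash), not the agent sockets created inside it; if the gpg-agent started by apt-key really needs that directory, it will also need a rule for the `S.gpg-agent*` sockets within, so confirm with `aa-logprof` that no denials remain. The remaining changes in this hunk are reordering and the relocation of the `gpgoutput.{log,err}` rule, which read fine.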

View file

@ -14,17 +14,15 @@ profile apt-methods-http @{exec_path} {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid, capability setgid,
capability setuid, capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get, signal (receive) peer=apt-get,
signal (receive) peer=apt,
signal (receive) peer=aptitude, signal (receive) peer=aptitude,
signal (receive) peer=synaptic, signal (receive) peer=synaptic,
signal (receive) peer=unattended-upgrade,
signal (receive) peer=update-manager,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
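Review bot: the comment explaining that `capability setuid,` and `capability setgid,` exist so the method can drop to the `_apt` user (owner of `/var/cache/apt/archives/partial/` and `/var/lib/apt/lists/partial/`) is deleted without replacement; that text is the only recorded justification for two privilege-related capabilities in this profile and should stay, even if trimmed to a line or two. The added `signal (receive) peer=unattended-upgrade,` and `peer=update-manager,` entries are fine.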

View file

@ -16,7 +16,7 @@ profile dpkg-divert @{exec_path} {
/var/lib/dpkg/** r, /var/lib/dpkg/** r,
/usr/share/*/**.dpkg-divert.tmp w, /usr/share/*/** w,
/var/lib/dpkg/diversions rw, /var/lib/dpkg/diversions rw,
/var/lib/dpkg/diversions-new rw, /var/lib/dpkg/diversions-new rw,
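Review bot: `/usr/share/*/** w,` replaces `/usr/share/*/**.dpkg-divert.tmp w,` and turns a rule scoped to dpkg-divert's scratch name into write access to nearly everything under `/usr/share`. dpkg-divert does need `w` on both the original and the diverted name when `--rename` is used, but a comment giving that reason belongs next to the rule, and if the diverted names seen in practice end in `.distrib` or `.dpkg-divert.tmp` the rule can stay narrow, e.g. `/usr/share/*/**.{distrib,dpkg-divert.tmp} w,`.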

View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -35,6 +36,9 @@ profile dpkg-preconfigure @{exec_path} {
owner /tmp/*.config.* rwPUx, owner /tmp/*.config.* rwPUx,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk, owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk,
owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
@{run}/user/@{uid}/pk-debconf-socket rw,
# The following is needed when dpkg-preconfigure uses debcconf GUI frontends. # The following is needed when dpkg-preconfigure uses debcconf GUI frontends.
include <abstractions/gtk> include <abstractions/gtk>
@ -44,9 +48,7 @@ profile dpkg-preconfigure @{exec_path} {
capability dac_read_search, capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix, /{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r, @{HOME}/.Xauthority r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
include if exists <local/dpkg-preconfigure> include if exists <local/dpkg-preconfigure>

View file

@ -23,6 +23,7 @@ profile dpkg-query @{exec_path} {
# file_inherit # file_inherit
/tmp/#[0-9]*[0-9] rw, /tmp/#[0-9]*[0-9] rw,
/dev/tty[0-9]* rw,
include if exists <local/dpkg-query> include if exists <local/dpkg-query>
} }
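Review bot: `/dev/tty[0-9]* rw,` grants read and write on every virtual console to a query-only tool, and the `# file_inherit` comment above it indicates this is only to accept an inherited stdout/stderr; `include <abstractions/consoles>`, which the other apt and dpkg profiles in this commit already use, covers the console device nodes without hand-listing them here.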

View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/reportbug @{exec_path} = /{usr/,}bin/reportbug
profile reportbug @{exec_path} { profile reportbug @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/wayland> include <abstractions/wayland>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/fonts> include <abstractions/fonts>
@ -63,10 +64,6 @@ profile reportbug @{exec_path} {
/{usr/,}bin/run-parts rCx -> run-parts, /{usr/,}bin/run-parts rCx -> run-parts,
/{usr/,}bin/gpg rCx -> gpg, /{usr/,}bin/gpg rCx -> gpg,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
# For sending additional information # For sending additional information
/etc/** r, /etc/** r,

View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -9,10 +10,12 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/unattended-upgrade @{exec_path} = /{usr/,}bin/unattended-upgrade
profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/apt-common>
include <abstractions/consoles>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/python> include <abstractions/python>
include <abstractions/consoles>
capability chown, capability chown,
capability dac_override, capability dac_override,
@ -26,41 +29,64 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
network netlink raw, network netlink raw,
signal (send) peer=apt-methods-http,
dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.PackageKit
member=StateHasChanged,
dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.DBus.Introspectable
member=Introspect,
dbus send bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager
member=Inhibit,
dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member={PropertiesChanged,GetAll},
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=StateChanged,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/ r, /{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/echo rix,
/{usr/,}bin/gdbus rix,
/{usr/,}bin/ischroot rix,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}bin/test rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/uname rix,
/{usr/,}{s,}bin/dpkg-preconfigure rPx, /{usr/,}{s,}bin/dpkg-preconfigure rPx,
/{usr/,}{s,}bin/on_ac_power rPx, /{usr/,}{s,}bin/on_ac_power rPx,
/{usr/,}{s,}bin/sendmail rPUx, /{usr/,}{s,}bin/sendmail rPUx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/apt-listchanges rPx, /{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/dpkg rPx, /{usr/,}bin/dpkg rPx,
/{usr/,}bin/etckeeper rPx, /{usr/,}bin/etckeeper rPx,
/{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}bin/uname rix,
/{usr/,}lib/apt/methods/http{,s} rPx, /{usr/,}lib/apt/methods/http{,s} rPx,
/{usr/,}lib/needrestart/apt-pinvoke rPx, /{usr/,}lib/needrestart/apt-pinvoke rPx,
/{usr/,}lib/update-notifier/update-motd-updates-available rPx,
/usr/share/distro-info/* r, /usr/share/distro-info/* r,
/usr/share/dpkg/*table r,
/etc/apt/*.list r, /etc/apt/*.list r,
/etc/apt/apt.conf.d/{,**} r, /etc/apt/apt.conf.d/{,**} r,
/etc/apt/preferences.d/{,**} r,
/etc/apt/sources.list.d/{,**} r,
/etc/machine-id r, /etc/machine-id r,
/var/log/unattended-upgrades/*.log rw, /var/log/unattended-upgrades/*.log rw,
/var/lib/apt/extended_states r,
/var/lib/apt/lists/{,**} r,
/var/lib/apt/periodic/unattended-upgrades-stamp w, /var/lib/apt/periodic/unattended-upgrades-stamp w,
/var/lib/dpkg/lock rwk, /var/lib/dpkg/lock rwk,
/var/lib/dpkg/lock-frontend rwk, /var/lib/dpkg/lock-frontend rwk,
/var/lib/dpkg/status r,
/var/lib/dpkg/updates/ r, /var/lib/dpkg/updates/ r,
/var/cache/apt/{,**} rwk, /var/cache/apt/{,**} rwk,
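Review bot: the combined `dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member={PropertiesChanged,GetAll}` rule grants both directions for both members, but this profile only ever sends `GetAll` and only ever receives `PropertiesChanged`; split it into `dbus send ... member=GetAll,` and `dbus receive ... member=PropertiesChanged,` to match the project's rule of authorizing only what is explicitly required. The new `rix` helpers (`echo`, `test`, `touch`, `ischroot`) are fine as inherited executions; note that `gdbus rix` means gdbus runs under this profile's own dbus rules, which is presumably what the `Introspect` send rule is for, so a short comment tying the two together would help the next reader.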
@ -74,9 +100,12 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/resolvconf/resolv.conf r, @{run}/resolvconf/resolv.conf r,
owner /tmp/#[0-9]* rw, owner /tmp/apt-dpkg-install-*/{,*} rw,
owner @{PROC}/@{pids}/fd/ r, owner @{PROC}/@{pids}/fd/ r,
@{PROC}/@{pids}/mountinfo r,
/dev/ptmx rw,
include if exists <local/unattended-upgrade> include if exists <local/unattended-upgrade>
} }
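Review bot: dropping `owner /tmp/#[0-9]* rw,` is not equivalent to adding `owner /tmp/apt-dpkg-install-*/{,*} rw,`: the `#[0-9]*` pattern is how AppArmor renders anonymous O_TMPFILE files, whereas the new rule covers a named directory that apt creates; if apt or the Python stdlib still opens temporary files with O_TMPFILE, that access is now denied, so keep both unless a full upgrade run under enforce mode confirms the old rule is dead. Also, `/dev/ptmx rw,` and `@{PROC}/@{pids}/mountinfo r,` are added without an `owner` qualifier or a comment; a one-line note on why the pty master is required (dpkg frontends) would document the intent.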

View file

@ -9,11 +9,31 @@ include <tunables/global>
@{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown @{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown
profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-network-manager-strict>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/python> include <abstractions/python>
dbus send bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager
member=Inhibit,
dbus send bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.DBus.{Introspectable,Properties}
member={Introspect,Get},
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus receive bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager
member=PrepareForShutdown,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/ischroot rix,
/usr/share/unattended-upgrades/{,*} r, /usr/share/unattended-upgrades/{,*} r,
/etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf.d/{,*} r,
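Review bot: with `abstractions/dbus-network-manager-strict` now included, check whether the explicit `dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=GetAll,` rule is a duplicate of what the abstraction already grants; keeping both means any later tightening of the abstraction has no effect on this profile. The `interface=org.freedesktop.DBus.{Introspectable,Properties} member={Introspect,Get}` rule is a cross product that also matches `Properties.Introspect` and `Introspectable.Get`, neither of which exists; harmless, but two separate rules would be clearer.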

View file

@ -1,43 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) Felix Geyer <debfx@ubuntu.com>
# SPDX-License-Identifier: GPL-2.0-only
@{APT_CACHER_NG_CACHE_DIR}=/var/cache/apt-cacher-ng
include <tunables/global>
profile apt-cacher-ng /usr/sbin/apt-cacher-ng flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/openssl>
include <abstractions/user-tmp>
/etc/apt-cacher-ng/ r,
/etc/apt-cacher-ng/** r,
/etc/hosts.{deny,allow} r,
/usr/sbin/apt-cacher-ng mr,
/var/lib/apt-cacher-ng/** r,
/{,var/}run/apt-cacher-ng/* rw,
@{APT_CACHER_NG_CACHE_DIR}/ r,
@{APT_CACHER_NG_CACHE_DIR}/** rwl,
/var/log/apt-cacher-ng/ r,
/var/log/apt-cacher-ng/* rw,
/{,var/}run/systemd/notify w,
/{usr/,}bin/dash ixr,
/{usr/,}bin/ed ixr,
/{usr/,}bin/red ixr,
/{usr/,}bin/sed ixr,
/usr/lib/apt-cacher-ng/acngtool ixr,
# Allow serving local documentation
/etc/mime.types r,
/usr/share/doc/apt-cacher-ng/html/** r,
# used by libevent
@{PROC}/sys/kernel/random/uuid r,
include if exists <local/usr.sbin.apt-cacher-ng>
}
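Review bot: this deletes the whole `apt-cacher-ng` profile with no replacement visible in the commit, so the service becomes unconfined on systems that previously loaded it; the commit message should say so. The removal itself is consistent with the repository conventions the profile did not follow (`flags=(complain)`, a hard-coded `/usr/sbin/apt-cacher-ng` attachment instead of `@{exec_path}`, and `include if exists <local/usr.sbin.apt-cacher-ng>` rather than the `local/<profile-name>` form). The `@{APT_CACHER_NG_CACHE_DIR}` variable was declared in this file, so nothing else should depend on it.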

View file

@ -14,6 +14,7 @@ include <tunables/global>
profile brave @{exec_path} { profile brave @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/opencl-intel> include <abstractions/opencl-intel>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
@ -105,10 +106,6 @@ profile brave @{exec_path} {
/etc/fstab r, /etc/fstab r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
# Needed or Brave crash with the following error: # Needed or Brave crash with the following error:
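Review bot: `include <abstractions/dconf>` plus the two `owner @{run}/user/@{uid}/dconf/{,user} rw,` rules are replaced by the single `include <abstractions/dconf-write>` added in the previous hunk, and the same substitution is repeated below for chrome-gnome-shell, chromium, firefox, firefox-crashreporter, opera, dbus-run-session, ibus-dconf, ibus-extension-gtk3 and at-spi-bus-launcher. This is only safe if `abstractions/dconf-write` actually carries write access to the user's dconf runtime directory; please quote its contents in the PR description, because a missing rule would regress every one of these profiles at once. Moving the include up to the include block also fixes the guideline violation of the old `include <abstractions/dconf>` sitting among file rules.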

View file

@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/chrome-gnome-shell @{exec_path} = /{usr/,}bin/chrome-gnome-shell
profile chrome-gnome-shell @{exec_path} { profile chrome-gnome-shell @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf> include <abstractions/dconf-write>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/python> include <abstractions/python>
@ -26,9 +26,6 @@ profile chrome-gnome-shell @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
deny @{HOME}/.* r, deny @{HOME}/.* r,

View file

@ -14,7 +14,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio> include <abstractions/audio>
include <abstractions/chromium-common> include <abstractions/chromium-common>
include <abstractions/dconf> include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
@ -58,6 +58,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-desktop-menu rPx, /{usr/,}bin/xdg-desktop-menu rPx,
/{usr/,}bin/xdg-email rPx,
/{usr/,}bin/xdg-icon-resource rPx, /{usr/,}bin/xdg-icon-resource rPx,
/{usr/,}bin/xdg-mime rPx, /{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/xdg-open rCx -> open, /{usr/,}bin/xdg-open rCx -> open,
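Review bot: `/{usr/,}bin/xdg-email rPx,` transitions to a profile named `xdg-email`; unlike `rPUx`, `rPx` fails the exec when no such profile is loaded, so this line depends on an `xdg-email` profile that is not part of this diff. If that profile does not exist yet, either add it in the same commit or confine it the way `xdg-open` is handled two lines below (`rCx -> open`).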
@ -106,9 +107,6 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
# owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, # owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
# owner @{HOME}/.mozilla/firefox/*/logins.json r, # owner @{HOME}/.mozilla/firefox/*/logins.json r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner /tmp/tmp.*/ rw, owner /tmp/tmp.*/ rw,
owner /tmp/tmp.*/** rwk, owner /tmp/tmp.*/** rwk,
owner /tmp/scoped_dir*/{,**} rw, owner /tmp/scoped_dir*/{,**} rw,

View file

@ -15,7 +15,7 @@ include <tunables/global>
profile firefox @{exec_path} flags=(attach_disconnected) { profile firefox @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio> include <abstractions/audio>
include <abstractions/dconf> include <abstractions/dconf-write>
include <abstractions/enchant> include <abstractions/enchant>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts> include <abstractions/fonts>
@ -131,9 +131,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/var/tmp/ r, /var/tmp/ r,
/tmp/ r, /tmp/ r,
owner /tmp/* rw, owner /tmp/* rw,

View file

@ -12,7 +12,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/firefox/crashreporter @{exec_path} = /{usr/,}lib/firefox/crashreporter
profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf> include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
@ -51,9 +51,6 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/mozilla/firefox/*.*/** r, owner @{user_cache_dirs}/mozilla/firefox/*.*/** r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/tmp/ r, /tmp/ r,
/var/tmp/ r, /var/tmp/ r,
owner /tmp/[0-9a-f]*.{dmp,extra} rw, owner /tmp/[0-9a-f]*.{dmp,extra} rw,

View file

@ -13,6 +13,7 @@ include <tunables/global>
@{exec_path} = @{OPERA_INSTALLDIR}/opera{,-beta,-developer} @{exec_path} = @{OPERA_INSTALLDIR}/opera{,-beta,-developer}
profile opera @{exec_path} { profile opera @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/opencl-intel> include <abstractions/opencl-intel>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
@ -83,10 +84,6 @@ profile opera @{exec_path} {
/etc/fstab r, /etc/fstab r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
# Needed or opera crashes with the following error: # Needed or opera crashes with the following error:

View file

@ -11,6 +11,9 @@ include <tunables/global>
profile dbus-daemon @{exec_path} flags=(attach_disconnected) { profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dbus>
include <abstractions/dbus-session>
include <abstractions/dbus-accessibility>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability audit_write, capability audit_write,
@ -34,14 +37,18 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/ r,
@{libexec}/* rPUx, @{libexec}/* rPUx,
/{usr/,}lib/ibus/ibus-* rPx, /{usr/,}lib/ibus/ibus-* rPx,
/{usr/,}bin/ r,
/{usr/,}bin/[a-z0-9]* rPUx, /{usr/,}bin/[a-z0-9]* rPUx,
/{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper rPx, /{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper rPx,
# Xubuntu
/{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd rPUx,
/{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx,
/usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
/etc/dbus-1/{,**} r, /etc/dbus-1/{,**} r,
/etc/machine-id r,
/usr/share/dbus-1/{,**} r, /usr/share/dbus-1/{,**} r,
/usr/share/defaults/**.conf r, /usr/share/defaults/**.conf r,
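Review bot: the two new Xubuntu rules (`xfconfd`, `tumblerd`) use `rPUx`, which falls back to unconfined when no profile exists, while `org.gnome.Characters.BackgroundService` gets `rPx`; under the contribution rule that only what is explicitly required is authorized, the `rPUx` entries should carry a comment stating that dedicated profiles are still missing. Keep in mind that `/{usr/,}bin/[a-z0-9]* rPUx,` a few lines above already makes most of `/usr/bin` reachable unconfined from dbus-daemon, so new `rPUx` rules under `/usr/lib` extend that same broad fallback. Moving `/{usr/,}bin/ r,` and adding `/etc/machine-id r,` are straightforward.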
@ -63,13 +70,10 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
owner /tmp/dbus-[0-9a-zA-Z]* rw, owner /tmp/dbus-[0-9a-zA-Z]* rw,
owner @{run}/user/@{uid}/bus w,
owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
owner @{run}/user/@{uid}/dbus-1/ rw, owner @{run}/user/@{uid}/dbus-1/ rw,
owner @{run}/user/@{uid}/dbus-1/services/ rw, owner @{run}/user/@{uid}/dbus-1/services/ rw,
@{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/systemd/sessions/[0-9]*.ref rw, @{run}/systemd/sessions/*.ref rw,
@{run}/systemd/userdb/io.systemd.DynamicUser w,
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,
@{sys}/kernel/security/apparmor/.access rw, @{sys}/kernel/security/apparmor/.access rw,
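Review bot: widening `@{run}/systemd/sessions/[0-9]*.ref rw,` to `@{run}/systemd/sessions/*.ref rw,` is justified (logind uses non-numeric session ids such as `c1` when no audit session id is available), but `@{run}/systemd/userdb/io.systemd.DynamicUser w,` is a write rule on a systemd userdb socket with no comment; say which lookup needs it. The removed `owner @{run}/user/@{uid}/bus w,` and `owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,` rules are presumably now provided by the `dbus-session` and `dbus-accessibility` abstractions included in the first hunk; confirm both keep the `owner` qualifier and the same permissions.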
@ -77,7 +81,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
@{sys}/module/apparmor/parameters/enabled r, @{sys}/module/apparmor/parameters/enabled r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r, @{PROC}/@{pids}/mounts r,
@{PROC}/@{pids}/attr/apparmor/current r, @{PROC}/@{pids}/attr/apparmor/current r,
@{PROC}/@{pids}/oom_score_adj rw, @{PROC}/@{pids}/oom_score_adj rw,
@{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cmdline r,
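Review bot: replacing `owner @{PROC}/@{pid}/mounts r,` with `@{PROC}/@{pids}/mounts r,` drops the `owner` qualifier and extends the rule from the daemon's own pid to every pid, so dbus-daemon can now read the mount table of any process; this is a loosening unrelated to the rest of the commit. If the system bus genuinely needs to read another process's mounts, add a comment saying which one; otherwise keep `owner` and widen only the pid.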

View file

@ -18,10 +18,16 @@ profile dbus-daemon-launch-helper @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism rPx,
/{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx, /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx,
/{usr/,}lib/software-properties/software-properties-dbus rPx,
/usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
/usr/share/dbus-1/{,**} r, /usr/share/dbus-1/{,**} r,
/etc/dbus-1/{,**} r,
owner @{PROC}/@{pid}/oom_score_adj rw, owner @{PROC}/@{pid}/oom_score_adj rw,
include if exists <local/dbus-daemon-launch-helper> include if exists <local/dbus-daemon-launch-helper>
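Review bot: all three new exec rules are `rPx`, so each needs a loaded profile: `software-properties-dbus`, `org.gnome.Characters.BackgroundService` (also added to dbus-daemon above, which is expected since activation can come through either path) and the `@{multiarch}` variant of `cups-pk-helper-mechanism`. That last one is a second path to the same helper, so the existing `cups-pk-helper-mechanism` profile must attach to both paths (both in its `@{exec_path}`), otherwise the multiarch exec is denied. `/etc/dbus-1/{,**} r,` is a sensible addition alongside `/usr/share/dbus-1/{,**} r,`.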

View file

@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/dbus-run-session @{exec_path} = /{usr/,}bin/dbus-run-session
profile dbus-run-session @{exec_path} { profile dbus-run-session @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf> include <abstractions/dconf-write>
signal (receive) set=(term, kill, hup) peer=gdm*, signal (receive) set=(term, kill, hup) peer=gdm*,
signal (send) set=term peer=dbus-daemon, signal (send) set=term peer=dbus-daemon,
@ -26,8 +26,6 @@ profile dbus-run-session @{exec_path} {
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/var/lib/gdm/.config/dconf/user r, /var/lib/gdm/.config/dconf/user r,
/var/lib/gdm/.cache/dconf/ rw, /var/lib/gdm/.cache/dconf/ rw,

View file

@ -9,6 +9,8 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/ibus-daemon @{exec_path} = /{usr/,}bin/ibus-daemon
profile ibus-daemon @{exec_path} flags=(attach_disconnected) { profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/ibus>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
signal (receive) set=(usr1) peer=gnome-shell, signal (receive) set=(usr1) peer=gnome-shell,
@ -25,7 +27,6 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r, /etc/machine-id r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
owner @{user_config_dirs}/ibus/{,**} rw,
owner @{user_cache_dirs}/ibus/{,**} rw, owner @{user_cache_dirs}/ibus/{,**} rw,
/var/lib/gdm{3,}/.config/ibus/{,**} rw, /var/lib/gdm{3,}/.config/ibus/{,**} rw,
/var/lib/gdm{3,}/.cache/ibus/{,**} rw, /var/lib/gdm{3,}/.cache/ibus/{,**} rw,
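Review bot: the removed `owner @{user_config_dirs}/ibus/{,**} rw,` is the rule that lets the daemon create the per-session bus address files under `~/.config/ibus/bus/`, which every other ibus component in this commit only reads; `abstractions/ibus` (included in the first hunk) must therefore grant write access for the daemon, not only read, or ibus-daemon will fail at startup while the clients look fine. `owner @{user_cache_dirs}/ibus/{,**} rw,` is kept here, so the cache path is apparently not in the abstraction; a comment on that asymmetry would help.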

View file

@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/ibus-dconf @{exec_path} += @{libexec}/ibus-dconf
profile ibus-dconf @{exec_path} flags=(attach_disconnected) { profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf> include <abstractions/dconf-write>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
signal (receive) set=term peer=ibus-daemon, signal (receive) set=term peer=ibus-daemon,
@ -29,8 +29,6 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r, /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r, /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/var/lib/gdm/.cache/dconf/ w, /var/lib/gdm/.cache/dconf/ w,
/var/lib/gdm/.cache/dconf/user rw, /var/lib/gdm/.cache/dconf/user rw,
/var/lib/gdm/.config/dconf/user rw, /var/lib/gdm/.config/dconf/user rw,

View file

@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/ibus-engine-simple @{exec_path} += @{libexec}/ibus-engine-simple
profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/ibus>
signal (receive) set=term peer=ibus-daemon, signal (receive) set=term peer=ibus-daemon,
@ -18,8 +19,6 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r, /etc/machine-id r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r, /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r,

View file

@ -10,10 +10,12 @@ include <tunables/global>
@{exec_path} += @{libexec}/ibus-extension-gtk3 @{exec_path} += @{libexec}/ibus-extension-gtk3
profile ibus-extension-gtk3 @{exec_path} { profile ibus-extension-gtk3 @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf> include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-write> include <abstractions/fontconfig-cache-write>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/ibus>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
signal (receive) set=term peer=ibus-daemon, signal (receive) set=term peer=ibus-daemon,
@ -32,17 +34,10 @@ profile ibus-extension-gtk3 @{exec_path} {
/usr/share/icons/{,**} r, /usr/share/icons/{,**} r,
/usr/share/X11/xkb/** r, /usr/share/X11/xkb/** r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9] rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/var/lib/gdm/.config/dconf/user r, /var/lib/gdm/.config/dconf/user r,
include if exists <local/ibus-extension-gtk3> include if exists <local/ibus-extension-gtk3>
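Review bot: besides the dconf and ibus bus-file rules, this hunk also removes `owner @{run}/user/@{uid}/wayland-[0-9] rw,`, which is the Wayland display socket and neither an ibus nor a dconf resource; unless `abstractions/gtk` (already included) or the new `dbus-session-strict` include provides it, the extension loses its Wayland connection. If it is re-added, `wayland-[0-9]*` is the safer pattern, since `[0-9]` only matches single-digit display numbers.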

View file

@ -9,14 +9,15 @@ include <tunables/global>
@{exec_path} = @{libexec}/ibus-memconf @{exec_path} = @{libexec}/ibus-memconf
profile ibus-memconf @{exec_path} { profile ibus-memconf @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/ibus>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{exec_path} mr, @{exec_path} mr,
/etc/machine-id r,
/var/lib/gdm{3,}/.config/ibus/bus/ r, /var/lib/gdm{3,}/.config/ibus/bus/ r,
/var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r, /var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
include if exists <local/ibus-memconf> include if exists <local/ibus-memconf>
} }

View file

@ -10,6 +10,8 @@ include <tunables/global>
@{exec_path} += @{libexec}/ibus-portal @{exec_path} += @{libexec}/ibus-portal
profile ibus-portal @{exec_path} flags=(attach_disconnected) { profile ibus-portal @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/ibus>
signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(term, hup) peer=gdm*,
@ -25,8 +27,6 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/var/lib/gdm/.config/ibus/bus/ r, /var/lib/gdm/.config/ibus/bus/ r,
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r, /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
/dev/null rw, /dev/null rw,

View file

@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/ibus-x11 @{exec_path} += @{libexec}/ibus-x11
profile ibus-x11 @{exec_path} flags=(attach_disconnected) { profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/fonts> include <abstractions/fonts>
@ -18,14 +19,14 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/opencl> include <abstractions/opencl>
unix (connect, receive, send) type=stream peer=(label=ibus-daemon),
@{exec_path} mr, @{exec_path} mr,
/etc/machine-id r, /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
/var/lib/dbus/machine-id r,
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r, owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,
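Review bot: `unix (connect, receive, send) type=stream peer=(label=ibus-daemon),` is only one side of the socket mediation: AppArmor checks both ends of a labeled unix connection, so the `ibus-daemon` profile (or `abstractions/ibus`) must carry the matching `unix (accept, receive, send) type=stream peer=(label=ibus-x11),`, and none of the ibus-daemon hunks in this commit add one. The rest of the hunk is consistent with the other ibus profiles (the `/var/lib/gdm/.config/ibus/bus/...` line is moved, the two `machine-id` reads are removed).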

View file

@ -7,17 +7,18 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}sbin/cron @{exec_path} = /{usr/,}{s,}bin/cron
profile cron @{exec_path} { profile cron @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/app-launcher-root>
include <abstractions/authentication> include <abstractions/authentication>
include <abstractions/nameservice-strict>
include <abstractions/wutmp> include <abstractions/wutmp>
capability setuid,
capability setgid,
capability dac_read_search,
capability audit_write, capability audit_write,
capability dac_read_search,
capability setgid,
capability setuid,
capability sys_resource, capability sys_resource,
network netlink raw, network netlink raw,
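Review bot: changing `@{exec_path}` from `/{usr/,}sbin/cron` to `/{usr/,}{s,}bin/cron` is right for usrmerge systems, but `include <abstractions/app-launcher-root>` is what replaces the enumerated cron-job targets removed in the next hunk; because that abstraction is shared by every root launcher, any `rPUx` or broad `rix` it contains becomes cron's as well, so its contents should be checked against rule 1 of the contribution guide (no allow-everything with exceptions). The capability reordering is alphabetical and fine.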
@ -29,33 +30,18 @@ profile cron @{exec_path} {
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/nice rix, /{usr/,}bin/nice rix,
/{usr/,}bin/ionice rix, /{usr/,}bin/ionice rix,
/{usr/,}bin/run-parts rPx,
/etc/crontab r,
# All stuff that is executed via the /etc/cron.d/ dir
/etc/cron.d/{,*} r,
/{usr/,}sbin/cron-apt rPx,
/{usr/,}bin/debsecan rPx,
/{usr/,}lib/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx, /{usr/,}lib/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx,
/{usr/,}sbin/e2scrub_all rPUx,
/etc/cron.daily/popularity-contest rPx,
/{usr/,}lib/sysstat/debian-sa1 rPUx, /{usr/,}lib/sysstat/debian-sa1 rPUx,
/{usr/,}{s,}bin/sendmail rPUx,
# All stuff that is executed via the user crontab files
/{usr/,}bin/apt-file rPx,
/{usr/,}bin/apt-key rPx,
/{usr/,}bin/rsync rPUx,
/usr/share/rsync/scripts/rrsync rPUx, /usr/share/rsync/scripts/rrsync rPUx,
/{usr/,}bin/gpg rPx, /usr/local/lib/pki/pki-realm rPUx, # TODO: FIXME: NO COMMIT ZENFRA ONLY
/{usr/,}sbin/update-pciids rPx,
/{usr/,}bin/borg rPx,
# Cron scripts in the /etc/cron.*/ dir to execute /etc/cron.d/{,*} r,
/{usr/,}bin/run-parts rCx -> run-parts, /etc/crontab r,
/etc/default/locale r,
# Send results using email /etc/environment r,
/{usr/,}sbin/exim4 rPx, /etc/security/limits.d/{,**} r,
/var/spool/cron/crontabs/{,*} r, /var/spool/cron/crontabs/{,*} r,
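Review bot: `/usr/local/lib/pki/pki-realm rPUx, # TODO: FIXME: NO COMMIT ZENFRA ONLY` must not land: the comment itself says it is a site-specific rule never meant to be committed, and it grants an unconfined transition to a path under `/usr/local` that no distribution package owns; drop the line before merging. Separately, `/{usr/,}sbin/exim4 rPx,` is removed and `/{usr/,}{s,}bin/sendmail rPUx,` added instead, so mail from cron jobs now falls back to unconfined when no `sendmail` profile matches; and `/{usr/,}bin/run-parts rCx -> run-parts,` becoming `rPx` requires a stand-alone `run-parts` profile to replace the child profile deleted in the next hunk. The move of `/etc/crontab`, `/etc/cron.d/{,*}`, `/etc/environment` and `/etc/default/locale` into one file-rule block and `/etc/security/limits.d/{,**} r,` (files, not just the directory) are good.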
@ -66,56 +52,7 @@ profile cron @{exec_path} {
owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pid}/uid_map r,
owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/loginuid rw,
/etc/environment r,
/etc/default/locale r,
@{PROC}/1/limits r, @{PROC}/1/limits r,
/etc/security/limits.d/ r,
profile run-parts {
include <abstractions/base>
/{usr/,}bin/run-parts mr,
/etc/cron.{hourly,daily,weekly,monthly}/ r,
/etc/cron.{hourly,daily,weekly,monthly}/apt-listbugs rPx,
/etc/cron.{hourly,daily,weekly,monthly}/apt-show-versions rPx,
/etc/cron.{hourly,daily,weekly,monthly}/bsdmainutils rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/checksecurity rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/debtags rPx,
/etc/cron.{hourly,daily,weekly,monthly}/exim4-base rPx,
/etc/cron.{hourly,daily,weekly,monthly}/logrotate rPx,
/etc/cron.{hourly,daily,weekly,monthly}/mlocate rPx,
/etc/cron.{hourly,daily,weekly,monthly}/dlocate rPx,
/etc/cron.{hourly,daily,weekly,monthly}/plocate rPx,
/etc/cron.{hourly,daily,weekly,monthly}/passwd rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/apt-compat rPx,
/etc/cron.{hourly,daily,weekly,monthly}/aptitude rPx,
/etc/cron.{hourly,daily,weekly,monthly}/debsums rPx,
/etc/cron.{hourly,daily,weekly,monthly}/dpkg rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/man-db rPx,
/etc/cron.{hourly,daily,weekly,monthly}/popularity-contest rPx,
/etc/cron.{hourly,daily,weekly,monthly}/sysstat rPx,
/etc/cron.{hourly,daily,weekly,monthly}/spamassassin rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/vrms rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/apt-xapian-index rPx,
/etc/cron.{hourly,daily,weekly,monthly}/tor rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/cracklib-runtime rPx,
/etc/cron.{hourly,daily,weekly,monthly}/etckeeper rPx,
#/etc/cron.{hourly,daily,weekly,monthly}/opera-browser rPUx,
#/etc/cron.{hourly,daily,weekly,monthly}/google-chrome{,-beta,-unstable} rPUx,
#/opt/google/chrome{,-beta,-unstable}/cron/google-chrome{,-beta,-unstable} rPUx,
#/opt/brave.com/brave/cron/brave-browser{,-beta,-dev} rPUx,
#/opt/brave.com/brave{,-beta,-dev}/cron/brave-browser{,-beta,-dev} rPUx,
# file_inherit
owner /tmp/#[0-9]*[0-9] rw,
include if exists <local/cron_run-parts>
}
include if exists <local/cron> include if exists <local/cron>
} }
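Review bot: with the `run-parts` child profile gone, the per-script targets for `/etc/cron.{hourly,daily,weekly,monthly}/*` (logrotate, man-db, mlocate, popularity-contest, etckeeper and the rest) are no longer enumerated anywhere in this diff; the new `cron-anacron` and `cron-apport` profiles below attach directly to two of those script paths, which suggests the intended design is one attached profile per cron script plus a top-level `run-parts` profile. Every script that previously had an entry here needs either such a profile or a documented fallback in `run-parts`, otherwise its next scheduled run is denied, and the commented-out browser cron entries document which third-party scripts still lack coverage.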

View file

@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/0anacron
profile cron-anacron @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}{s,}bin/anacron rPx,
include if exists <local/cron-anacron>
}

View file

@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/apport
profile cron-apport @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/find rix,
/{usr/,}bin/rm rix,
/ r,
/var/crash/ r,
/var/crash/*.crash w,
include if exists <local/cron-apport>
}
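Review bot: `/var/crash/*.crash w,` without `owner` is what a root cleanup job needs (unlink requires `w` on the file), but `/ r,` is broader than the script should require: `find` opens only the directory it is given, so `/var/crash/ r,` ought to suffice unless the apport cron script walks from `/`; check its `find` invocation and drop `/ r,` if it is not needed. The shape otherwise matches `cron-anacron` above (`@{exec_path} r,` for a shell script plus `rix` helpers).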

View file

@ -9,25 +9,50 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/accountsservice/accounts-daemon @{exec_path} = /{usr/,}lib/accountsservice/accounts-daemon
@{exec_path} += @{libexec}/accounts-daemon @{exec_path} += @{libexec}/accounts-daemon
profile accounts-daemon @{exec_path} { profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/wutmp> include <abstractions/wutmp>
capability dac_read_search, capability dac_read_search,
capability setgid,
capability setuid,
capability sys_nice, capability sys_nice,
capability sys_ptrace, capability sys_ptrace,
ptrace (read) peer=unconfined, ptrace (read) peer=unconfined,
dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*}
interface=org.freedesktop.{DBus.{Properties,Introspectable},Accounts{,.User}},
dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority
member={CheckAuthorization,Changed},
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,GetConnectionUnixUser}
peer=(name=org.freedesktop.DBus),
dbus bind bus=system
name=org.freedesktop.Accounts,
@{exec_path} mr, @{exec_path} mr,
/usr/share/language-tools/language-validate rPx,
/usr/share/accountsservice/{,**} r, /usr/share/accountsservice/{,**} r,
/usr/share/dbus-1/interfaces/*.xml r, /usr/share/dbus-1/interfaces/*.xml r,
/etc/gdm/ r, /etc/default/locale r,
/etc/gdm/custom.conf rw, /etc/gdm{3,}/ r,
/etc/gdm/custom.conf.* rw, /etc/gdm{3,}/custom.conf rw,
/etc/gdm{3,}/custom.conf.* rw,
/etc/machine-id r, /etc/machine-id r,
/etc/shadow r, /etc/shadow r,
/etc/shells r, /etc/shells r,
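Review bot: `dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} interface=org.freedesktop.{DBus.{Properties,Introspectable},Accounts{,.User}},` has no `member=` and covers both directions, so it amounts to "anything on my own objects"; for the service that binds `org.freedesktop.Accounts` the `receive` side is expected, but the `send` side is mostly signal emission and could be listed by member. The new `capability setgid,` and `capability setuid,` lines carry no comment on what privilege drop needs them (the `language-validate` helper added in the same hunk is the likely candidate); since these are the capabilities that matter most in a root daemon, annotate them. `flags=(attach_disconnected)` is also new; note which disconnected path triggered it.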
@ -35,6 +60,8 @@ profile accounts-daemon @{exec_path} {
owner /var/lib/AccountsService/ r, owner /var/lib/AccountsService/ r,
owner /var/lib/AccountsService/** rw, owner /var/lib/AccountsService/** rw,
@{HOME}/ r,
@{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cmdline r,
@{PROC}/1/environ r, @{PROC}/1/environ r,
@{PROC}/cmdline r, @{PROC}/cmdline r,

View file

@ -11,11 +11,13 @@ include <tunables/global>
@{exec_path} += @{libexec}/at-spi-bus-launcher @{exec_path} += @{libexec}/at-spi-bus-launcher
profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf> include <abstractions/dbus-session>
include <abstractions/dconf-write>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
signal (receive) set=(term hup kill) peer=dbus-daemon, signal (receive) set=(term hup kill) peer=dbus-daemon,
signal (receive) set=(term hup kill) peer=gdm*, signal (receive) set=(term hup kill) peer=gdm*,
signal (receive) set=(term hup kill) peer=gnome-session-binary,
signal (send) set=(term hup kill) peer=dbus-daemon, signal (send) set=(term hup kill) peer=dbus-daemon,
network inet stream, network inet stream,
@ -33,9 +35,6 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/.Xauthority r, owner @{HOME}/.Xauthority r,
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
owner @{run}/user/@{uid}/at-spi/{,bus} rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,
/var/lib/lightdm/.Xauthority r, /var/lib/lightdm/.Xauthority r,
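Review bot: `owner @{run}/user/@{uid}/at-spi/{,bus} rw,` is removed with no replacement visible in this diff. The two `dconf/` rules removed beside it are plausibly provided by the new `dconf-write` include, but the at-spi bus address file is not a dconf path; confirm it is covered elsewhere, otherwise the launcher loses the ability to write its bus address.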

View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov # Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -10,21 +11,20 @@ include <tunables/global>
@{exec_path} += @{libexec}/at-spi2-registryd @{exec_path} += @{libexec}/at-spi2-registryd
profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
# Needed?
deny capability sys_nice,
signal (receive) set=(term hup) peer=gdm*, signal (receive) set=(term hup) peer=gdm*,
@{exec_path} mr, @{exec_path} mr,
owner @{HOME}/.Xauthority r,
/var/lib/lightdm/.Xauthority r, /var/lib/lightdm/.Xauthority r,
owner @{HOME}/.Xauthority r,
owner @{HOME}/.xsession-errors w,
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
include if exists <local/at-spi2-registryd> include if exists <local/at-spi2-registryd>
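Review bot: `include <abstractions/dbus-session-strict>` only permits connecting to the session bus socket; no `dbus` rules accompany it, unlike the colord and geoclue profiles in this commit, which add explicit send/receive/bind rules. Once dbus mediation is active, the registry's name request and method calls will be denied. Also, `deny capability sys_nice,` and its `# Needed?` marker are dropped silently here, while the upower hunk converts the same construct to `audit capability`; the two profiles should take the same approach to the same open question.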

View file

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov # Copyright (C) 2018-2022 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -11,11 +11,30 @@ include <tunables/global>
@{exec_path} += @{libexec}/colord @{exec_path} += @{libexec}/colord
profile colord @{exec_path} flags=(attach_disconnected) { profile colord @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/devices-usb> include <abstractions/devices-usb>
network netlink raw, network netlink raw,
dbus (send,receive) bus=system path=/org/freedesktop/ColorManager{,/**}
interface=org.freedesktop.{DBus.Properties,ColorManager*},
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName},
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority
member=CheckAuthorization,
dbus bind bus=system
name=org.freedesktop.ColorManager,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}lib/colord/colord-sane rPx, /{usr/,}lib/colord/colord-sane rPx,
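Review bot: the `dbus send bus=system path=/org/freedesktop/DBus ... member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName}` rule has no `peer=(name=org.freedesktop.DBus)`, whereas the equivalent rules in the geoclue and upowerd hunks of this commit pin the peer. Add it for consistency, so the rule cannot match another connection exposing the same interface at that path. The two `PolicyKit[0-9]/Authority` rules would likewise benefit from `peer=(name=org.freedesktop.PolicyKit[0-9])`.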
@ -37,7 +56,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
@{user_share_dirs}/icc/edid-*.icc r, @{user_share_dirs}/icc/edid-*.icc r,
@{run}/systemd/sessions/[0-9]* r, @{run}/systemd/sessions/* r,
@{sys}/class/drm/ r, @{sys}/class/drm/ r,
@{sys}/class/video4linux/ r, @{sys}/class/video4linux/ r,
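Review bot: widening `@{run}/systemd/sessions/[0-9]*` to `@{run}/systemd/sessions/*` is justified, since logind session ids are not purely numeric (console sessions get ids such as `c1`), but nothing records that. A trailing comment would stop a later tidy-up from narrowing it back.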

View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov # Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -8,25 +9,41 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/colord/colord-sane @{exec_path} = /{usr/,}lib/colord/colord-sane
@{exec_path} += @{libexec}/colord-sane @{exec_path} += @{libexec}/colord-sane
profile colord-sane @{exec_path} flags=(complain) { profile colord-sane @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/devices-usb> include <abstractions/devices-usb>
network inet dgram,
network inet6 dgram,
network netlink raw, network netlink raw,
dbus (send,receive) bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.{DBus.Properties,ColorManager},
dbus send bus=system path=/
interface=org.freedesktop.{DBus.Peer,Avahi.Server}
member={GetAPIVersion,GetState,ServiceBrowserNew,Ping}
peer=(name=org.freedesktop.Avahi),
dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9]
interface=org.freedesktop.Avahi.ServiceBrowser
member={CacheExhausted,AllForNow},
@{exec_path} mr, @{exec_path} mr,
/etc/sane.d/{,**} r, /usr/share/snmp/mibs/{,*} r,
/etc/sane.d/{,**} r,
/etc/snmp/snmp.conf r, /etc/snmp/snmp.conf r,
/var/lib/snmp/{mib,cert}_indexes/ rw,
/var/lib/snmp/mibs/{iana,ietf}/ r, /var/lib/snmp/mibs/{iana,ietf}/ r,
/var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r, /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r,
/var/lib/snmp/{mib,cert}_indexes/ rw, @{run}/systemd/journal/socket rw,
/usr/share/snmp/mibs/{,*} r,
@{sys}/bus/scsi/devices/ r, @{sys}/bus/scsi/devices/ r,
@{sys}/devices/pci[0-9]*/**/{vendor,model,type} r, @{sys}/devices/pci[0-9]*/**/{vendor,model,type} r,
@{PROC}/sys/dev/parport/ r, @{PROC}/sys/dev/parport/ r,
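Review bot: the `dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9] ...` rule has no `peer=`, while the matching send rule above it is pinned to `org.freedesktop.Avahi`; add `peer=(name=org.freedesktop.Avahi)` on the receive side too. Note also that the profile keeps `complain`, so none of the newly added rules, including the unrestricted `network inet dgram,` / `network inet6 dgram,`, are enforced yet; a comment stating what the inet datagram access is for (the SNMP paths below suggest network scanner discovery) would help when the flag is eventually removed.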

View file

@ -6,7 +6,8 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/colord/colord-session @{libexec}/colord-session @{exec_path} = /{usr/,}lib/colord/colord-session
@{exec_path} += @{libexec}/colord-session
profile colord-session @{exec_path} flags=(complain) { profile colord-session @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>

View file

@ -9,17 +9,14 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/dconf @{exec_path} = /{usr/,}bin/dconf
profile dconf @{exec_path} flags=(attach_disconnected) { profile dconf @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write>
capability sys_nice, capability sys_nice,
@{exec_path} mr, @{exec_path} mr,
/etc/dconf/{,**} r,
/etc/dconf/db/** rw, /etc/dconf/db/** rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{user_config_dirs}/dconf/ rw, owner @{user_config_dirs}/dconf/ rw,
owner @{user_config_dirs}/dconf/user{,.*} rw, owner @{user_config_dirs}/dconf/user{,.*} rw,
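Review bot: the two `owner @{run}/user/@{uid}/dconf/...` rules are removed on the assumption that `include <abstractions/dconf-write>` now provides them, but that abstraction is not in the visible diff; confirm it carries both the `dconf/` directory and the `dconf/user` file rules. Also, the new `/etc/dconf/{,**} r,` overlaps the retained `/etc/dconf/db/** rw,`; harmless, but a comment separating the read-only profile/config side from the writable database side would make the intent clear.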

View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -9,16 +10,15 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/dconf-editor @{exec_path} = /{usr/,}bin/dconf-editor
profile dconf-editor @{exec_path} { profile dconf-editor @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/dconf-write>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
include <abstractions/dconf> include <abstractions/gtk>
@{exec_path} mr, @{exec_path} mr,
owner @{run}/user/@{uid}/dconf/ rw, /usr/share/glib-2.0/schemas/{,*} r,
owner @{run}/user/@{uid}/dconf/user rw,
# When GSETTINGS_BACKEND=keyfile # When GSETTINGS_BACKEND=keyfile
owner @{user_config_dirs}/glib-2.0/ rw, owner @{user_config_dirs}/glib-2.0/ rw,
@ -26,11 +26,7 @@ profile dconf-editor @{exec_path} {
owner @{user_config_dirs}/glib-2.0/settings/keyfile rw, owner @{user_config_dirs}/glib-2.0/settings/keyfile rw,
owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-* rw, owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-* rw,
/usr/share/glib-2.0/schemas/{,*} r,
owner @{HOME}/.Xauthority r, owner @{HOME}/.Xauthority r,
# file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
include if exists <local/dconf-editor> include if exists <local/dconf-editor>
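Review bot: the `# file_inherit` comment is dropped while `owner /dev/tty[0-9]* rw,` is kept; that comment is the only record of why a settings editor has a tty rule, so keep it. The polkit-mate-authentication-agent hunk in this commit drops the same comment above the same rule.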

View file

@ -9,18 +9,14 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/dconf/dconf-service @{libexec}/dconf-service @{exec_path} = /{usr/,}lib/dconf/dconf-service @{libexec}/dconf-service
profile dconf-service @{exec_path} flags=(attach_disconnected) { profile dconf-service @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-session-strict>
# Needed? include <abstractions/dconf-write>
deny capability sys_nice,
signal (receive) set=(term kill hup) peer=dbus-daemon, signal (receive) set=(term kill hup) peer=dbus-daemon,
signal (receive) set=(term hup) peer=gdm*, signal (receive) set=(term hup) peer=gdm*,
@{exec_path} mr, @{exec_path} mr,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{user_config_dirs}/dconf/ rw, owner @{user_config_dirs}/dconf/ rw,
owner @{user_config_dirs}/dconf/user{,.*} rw, owner @{user_config_dirs}/dconf/user{,.*} rw,
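Review bot: `include <abstractions/dbus-session-strict>` is added without any `dbus` rules. dconf-service has to own `ca.desrt.dconf` on the session bus, so at minimum a `dbus bind bus=session name=ca.desrt.dconf,` plus send/receive rules for its interface are needed, otherwise the denials appear as soon as dbus mediation is enforced. Dropping the `# Needed?` / `deny capability sys_nice,` pair silently also loses the open question; either resolve it in a comment or convert to `audit` as the upower hunk does.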

View file

@ -0,0 +1,16 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/desktop-file-install
profile desktop-file-install @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/desktop-file-install>
}
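Review bot: the new profile permits nothing beyond `@{exec_path} mr,`, yet the tool's whole job is to copy `.desktop` files into an applications directory and rewrite the MIME cache, so in enforce mode its only operation will be denied. Either add the read rules for the source files and the write rules for the target directory, or ship it with `flags=(complain)` as colord-session is in this commit until the rules are gathered.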

View file

@ -7,15 +7,65 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{libexec}/geoclue @{exec_path} = @{libexec}/geoclue
profile geoclue @{exec_path} { profile geoclue @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict>
network netlink raw, network netlink raw,
dbus (send,receive) bus=system path=/org/freedesktop/GeoClue2/{Agent,Manager}
interface=org.freedesktop.{DBus.Properties,GeoClue2*},
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixProcessID,GetConnectionUnixUser,ReleaseName,RequestName}
peer=(name=org.freedesktop.DBus),
dbus send bus=system path=/
interface=org.freedesktop.Avahi.Server
member={GetAPIVersion,GetState,ServiceBrowserNew},
dbus send bus=system path=/
interface=org.freedesktop.DBus.Peer
member=Ping,
dbus send bus=system path=/fi/w[0-9]/wpa_supplicant[0-9]
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/ModemManager[0-9]
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects,
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged},
dbus receive bus=system path=/
interface=org.freedesktop.Avahi.Server
member=StateChanged,
dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9]
interface=org.freedesktop.Avahi.ServiceBrowser
member={AllForNow,CacheExhausted},
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member={CheckPermissions,StateChanged,PropertiesChanged},
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged,
dbus bind bus=system
name=org.freedesktop.GeoClue2,
@{exec_path} mr, @{exec_path} mr,
/etc/geoclue/{,**} r, /etc/geoclue/{,**} r,
@{run}/systemd/journal/socket rw,
@{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cgroup r,
include if exists <local/geoclue> include if exists <local/geoclue>
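Review bot: `path=/org/freedesktop/GeoClue2/{Agent,Manager}` in the first `dbus (send,receive)` rule covers only two objects; GeoClue2 also exports per-client objects under `/org/freedesktop/GeoClue2/Client/`, which this rule does not match, so client creation and property traffic on those objects will be denied. The colord hunk handles the same situation with `path=/org/freedesktop/ColorManager{,/**}`; use the same `{,/**}` form here.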

View file

@ -11,12 +11,26 @@ include <tunables/global>
profile pipewire @{exec_path} { profile pipewire @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio> include <abstractions/audio>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
ptrace (read), ptrace (read),
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
interface=org.freedesktop.RealtimeKit[0-9]
member=MakeThread*
peer=(name=org.freedesktop.RealtimeKit[0-9]),
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.RealtimeKit[0-9]),
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/pipewire-media-session rPx,
/usr/share/pipewire/pipewire.conf r, /usr/share/pipewire/pipewire.conf r,
/etc/machine-id r, /etc/machine-id r,
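Review bot: `/{usr/,}bin/pipewire-media-session rPx,` is a hard transition with no fallback, so it fails with a profile-not-found denial if the pipewire-media-session profile's `@{exec_path}` does not include `/{usr/,}bin/pipewire-media-session`; that profile's header is not in the visible diff, so confirm the paths line up before this lands.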

View file

@ -11,6 +11,7 @@ include <tunables/global>
profile pipewire-media-session @{exec_path} { profile pipewire-media-session @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio> include <abstractions/audio>
include <abstractions/dbus-strict>
include <abstractions/devices-usb> include <abstractions/devices-usb>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -19,6 +20,16 @@ profile pipewire-media-session @{exec_path} {
network bluetooth stream, network bluetooth stream,
network netlink raw, network netlink raw,
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.RealtimeKit1),
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
interface=org.freedesktop.RealtimeKit1
member=MakeThreadRealtime
peer=(name=org.freedesktop.RealtimeKit1),
@{exec_path} mr, @{exec_path} mr,
/usr/share/alsa-card-profile/{,**} r, /usr/share/alsa-card-profile/{,**} r,
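Review bot: the two RealtimeKit rules glob the object path (`RealtimeKit[0-9]`) but hard-code `interface=org.freedesktop.RealtimeKit1` and `peer=(name=org.freedesktop.RealtimeKit1)`, and use `MakeThreadRealtime`, while the pipewire hunk in this commit globs all three and uses `MakeThread*`. Either form works today, but mixing them inside one rule is confusing; pick one style for both profiles.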

View file

@ -16,5 +16,7 @@ profile plymouth-set-default-theme @{exec_path} {
/{usr/,}bin/grep rix, /{usr/,}bin/grep rix,
/{usr/,}bin/plymouth rPx, /{usr/,}bin/plymouth rPx,
/etc/plymouth/{,*} r,
include if exists <local/plymouth-set-default-theme> include if exists <local/plymouth-set-default-theme>
} }

View file

@ -0,0 +1,51 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/plymouthd
profile plymouthd @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dri-common>
capability sys_admin,
capability sys_tty_config,
network netlink raw,
signal (send) peer=unconfined,
unix type=stream addr="@/org/freedesktop/plymouthd",
unix type=stream peer=(addr="@/org/freedesktop/plymouthd"),
@{exec_path} mr,
/usr/share/plymouth/{,**} r,
/etc/default/keyboard r,
/etc/plymouth/plymouthd.conf r,
/etc/vconsole.conf r,
@{run}/udev/data/+drm:* r,
@{run}/udev/data/c226:* r,
@{run}/udev/data/c29:* r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/drm/ r,
@{sys}/class/graphics/ r,
@{sys}/devices/pci[0-9]*/**/{,uevent} r,
@{sys}/devices/virtual/tty/console/active r,
@{sys}/firmware/acpi/bgrt/{,*} r,
@{PROC}/cmdline r,
/dev/ptmx rw,
/dev/tty[0-9]* rw,
include if exists <local/plymouthd>
}
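Review bot: `capability sys_admin,` is the broadest capability in the new profile and carries no comment, while `capability sys_tty_config,` and the `/dev/tty[0-9]* rw,` rules already cover console control. Add a comment naming the operation that needs sys_admin, or mark it as doubtful (`# Needed?` with `audit capability`) as other profiles in this commit do. `signal (send) peer=unconfined,` has no `set=`, so it permits every signal; restricting it to the signals plymouthd actually sends would tighten it.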

View file

@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/polkit-agent-helper-[0-9] @{exec_path} += @{libexec}/polkit-agent-helper-[0-9]
profile polkit-agent-helper @{exec_path} { profile polkit-agent-helper @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/authentication> include <abstractions/authentication>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/consoles> include <abstractions/consoles>
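Review bot: `include <abstractions/dbus-strict>` is inserted between `base` and `authentication`, so the include list (`base`, `dbus-strict`, `authentication`, `nameservice-strict`, `consoles`) is still unsorted. The polkit-mate-authentication-agent hunk in this commit sorts its includes alphabetically; do the same here while touching the block.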
@ -28,6 +29,14 @@ profile polkit-agent-helper @{exec_path} {
signal (receive) set=(term, kill) peer=gnome-shell, signal (receive) set=(term, kill) peer=gnome-shell,
signal (receive) set=(term, kill) peer=pkexec, signal (receive) set=(term, kill) peer=pkexec,
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority
member=AuthenticationAgentResponse2,
@{exec_path} mr, @{exec_path} mr,
# file_inherit # file_inherit
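Review bot: both `dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority` rules lack a `peer=(name=...)`, so any connection exposing that path and interface matches. The target is polkitd, which in its own hunk binds `org.freedesktop.PolicyKit[0-9]`; add `peer=(name=org.freedesktop.PolicyKit[0-9])` to both rules.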
@ -35,7 +44,6 @@ profile polkit-agent-helper @{exec_path} {
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
@{run}/faillock/[a-zA-z0-9]* rwk, @{run}/faillock/[a-zA-z0-9]* rwk,
@{run}/systemd/userdb/io.systemd.DynamicUser w,
include if exists <local/polkit-agent-helper> include if exists <local/polkit-agent-helper>
} }

View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov # Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -9,14 +10,15 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/polkit-mate/polkit-mate-authentication-agent-[0-9] @{exec_path} = /{usr/,}lib/@{multiarch}/polkit-mate/polkit-mate-authentication-agent-[0-9]
profile polkit-mate-authentication-agent @{exec_path} { profile polkit-mate-authentication-agent @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/dconf-write>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict>
signal (send) set=(term, kill) peer=polkit-agent-helper, signal (send) set=(term, kill) peer=polkit-agent-helper,
@ -24,25 +26,19 @@ profile polkit-mate-authentication-agent @{exec_path} {
/{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
@{PROC}/1/cgroup r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{PROC}/@{pid}/cgroup r, /usr/share/X11/xkb/** r,
owner @{PROC}/@{pid}/fd/ r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/etc/machine-id r, /etc/machine-id r,
owner @{HOME}/.Xauthority r, owner @{HOME}/.Xauthority r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/X11/xkb/** r,
# file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
@{PROC}/1/cgroup r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/polkit-mate-authentication-agent> include if exists <local/polkit-mate-authentication-agent>
} }

View file

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov # Copyright (C) 2018-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -11,24 +11,28 @@ include <tunables/global>
@{exec_path} += @{libexec}/polkitd @{exec_path} += @{libexec}/polkitd
profile polkitd @{exec_path} { profile polkitd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability setuid,
capability setgid, capability setgid,
capability setuid,
capability sys_nice,
capability sys_ptrace, capability sys_ptrace,
audit deny capability net_admin, audit capability net_admin,
ptrace (read), ptrace (read),
@{exec_path} mr, dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/*
interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*},
@{PROC}/@{pids}/stat r, dbus send bus=system path=/org/freedesktop/DBus
@{PROC}/@{pids}/cmdline r, interface=org.freedesktop.DBus
@{PROC}/@{pids}/task/@{tid}/stat r, member={GetConnectionUnixUser,GetConnectionUnixProcessID,RequestName},
@{PROC}/@{pids}/cgroup r,
@{PROC}/sys/kernel/osrelease r, dbus bind bus=system
@{PROC}/1/environ r, name=org.freedesktop.PolicyKit[0-9],
@{PROC}/cmdline r,
@{exec_path} mr,
/etc/machine-id r, /etc/machine-id r,
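Review bot: `audit deny capability net_admin,` becomes `audit capability net_admin,`; that is not cosmetic. The old rule denied and logged CAP_NET_ADMIN, the new one grants it (with logging), and nothing in the hunk says why polkitd needs it. A new `capability sys_nice,` is also added without a comment. If the intent is only to see whether the capability is ever requested, keep the `deny`; if polkitd genuinely needs net_admin, state what for next to the rule.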
@ -52,7 +56,14 @@ profile polkitd @{exec_path} {
@{run}/systemd/sessions/* r, @{run}/systemd/sessions/* r,
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,
@{run}/systemd/userdb/io.systemd.DynamicUser w,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
# Silencer # Silencer
deny /.cache/ rw, deny /.cache/ rw,

View file

@ -1,6 +1,7 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov # Copyright (C) 2017-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -14,9 +15,13 @@ profile pulseaudio @{exec_path} {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/dconf-write>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/gstreamer>
include <abstractions/hosts_access>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/X-strict>
ptrace (trace) peer=@{profile_name}, ptrace (trace) peer=@{profile_name},
@ -29,65 +34,20 @@ profile pulseaudio @{exec_path} {
network bluetooth stream, network bluetooth stream,
network bluetooth seqpacket, network bluetooth seqpacket,
@{exec_path} mrix, dbus (send)
bus=session
path=/Client0/EntryGroup[0-9]*
interface=org.freedesktop.Avahi.EntryGroup
member={GetState,AddService,AddServiceSubtype,Commit}
peer=(name=org.freedesktop.Avahi),
/{usr/,}lib{exec,}/pulse/gsettings-helper mrix, dbus (receive)
/{usr/,}lib/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mrix, bus=session
/{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix, path=/Client0/EntryGroup[0-9]*
interface=org.freedesktop.Avahi.EntryGroup
member=StateChanged
peer=(name=org.freedesktop.Avahi),
# PulseAudio files
/usr/share/pulseaudio/{,**} r,
/{usr/,}lib/pulse-*/modules/*.so mr,
# PulseAudio home config files
owner @{user_config_dirs}/pulse/{,**} rw,
owner @{user_config_dirs}/dconf/user r,
owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r,
# Needed when PulseAudio is started via the start-pulseaudio-x11 script
owner @{HOME}/.Xauthority r,
# Needed when PulseAudio is started via gdm
owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r,
owner @{HOME}/.ICEauthority r,
# TCP wrap
/etc/hosts.{allow,deny} r,
owner @{run}/user/@{uid}/ rw,
owner @{run}/user/@{uid}/pulse/{,*} rw,
owner @{run}/user/@{uid}/pulse/*.lock k,
/usr/share/applications/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/sound/ r,
@{sys}/devices/**/sound/**/{uevent,pcm_class} r,
@{run}/udev/data/+sound* r,
@{run}/udev/data/c116:[0-9]* r, # For ALSA
@{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]/meminfo r,
deny @{sys}/module/apparmor/parameters/enabled r,
@{run}/systemd/users/@{uid} r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/ICEauthority r,
owner @{run}/user/@{uid}/systemd/notify rw,
owner @{PROC}/@{pids}/fd/ r,
owner @{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/cmdline r,
# DBus
dbus (send) dbus (send)
bus=session bus=session
path=/org/freedesktop/DBus path=/org/freedesktop/DBus
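Review bot: the two new Avahi `EntryGroup` rules use `bus=session`, but Avahi is a system-bus service; the Avahi rules added further down in this same file correctly use `bus=system`. Change both to `bus=system`, otherwise they never match. Separately, several rules removed here have no visible replacement: `@{sys}/bus/ r,`, `@{sys}/class/ r,`, `@{sys}/devices/system/node/ r,` and `.../node[0-9]/meminfo r,`, plus the `.Xauthority`, gdm `Xauthority`, `.mutter-Xwaylandauth.*` and `.ICEauthority` reads. The X-related ones are presumably provided by the new `X-strict` include; confirm the sysfs ones were dropped on purpose.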
@ -139,14 +99,46 @@ profile pulseaudio @{exec_path} {
member=GetManagedObjects member=GetManagedObjects
peer=(name=org.bluez), peer=(name=org.bluez),
unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*), dbus (send)
unix (send receive connect) type=stream peer=(addr=@/tmp/.ICE-unix/*), bus=system
path=/
interface=org.freedesktop.DBus.Peer
member=Ping
peer=(name=org.freedesktop.Avahi),
# The orcexec.* file is JIT compiled code for various GStreamer elements. dbus (send)
# If one is blocked the next is used instead. bus=system
owner @{run}/user/@{uid}/orcexec.* mrw, path=/
#owner @{HOME}/orcexec.* mrw, interface=org.freedesktop.Avahi.Server
#owner /tmp/orcexec.* mrw, member={GetAPIVersion,GetState,EntryGroupNew}
peer=(name=org.freedesktop.Avahi),
dbus (receive)
bus=system
path=/
interface=org.freedesktop.Avahi.Server
member=StateChanged
peer=(name=org.freedesktop.Avahi),
dbus (send)
bus=system
path=/
interface=org.freedesktop.hostname[0-9]
member=Get
peer=(name=/org/freedesktop/hostname[0-9]),
@{exec_path} mrix,
/{usr/,}@{libexec}/pulse/gsettings-helper mrix,
/{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
/{usr/,}lib/pulse-*/modules/*.so mr,
/usr/share/applications/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/pulseaudio/{,**} r,
/usr/share/ubuntu/applications/{,*} r,
/var/lib/snapd/desktop/applications/ r,
# For GDM # For GDM
owner /var/lib/gdm{[1-9],}/.config/pulse/{,**} rw, owner /var/lib/gdm{[1-9],}/.config/pulse/{,**} rw,
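Review bot: `/{usr/,}@{libexec}/pulse/gsettings-helper mrix,` prefixes `@{libexec}` with `/{usr/,}`, whereas every other use in this commit writes `@{libexec}/...` bare (for example `@{exec_path} += @{libexec}/colord`); if `@{libexec}` already expands to an absolute path this rule never matches, and the old `/{usr/,}lib{exec,}/pulse/gsettings-helper` form was the correct one. Also `peer=(name=/org/freedesktop/hostname[0-9])` gives an object path where a bus name belongs; it should read `peer=(name=org.freedesktop.hostname[0-9])`. Last, the `orcexec.*` comment block and rule are removed; confirm the new `gstreamer` include covers that JIT file, or the GStreamer elements will fail at runtime.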
@ -164,13 +156,33 @@ profile pulseaudio @{exec_path} {
owner /var/lib/lightdm/.config/pulse/{,**} rw, owner /var/lib/lightdm/.config/pulse/{,**} rw,
owner /var/lib/lightdm/.config/pulse/cookie k, owner /var/lib/lightdm/.config/pulse/cookie k,
owner @{user_config_dirs}/pulse/{,**} rw,
owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r,
owner @{run}/user/@{uid}/ rw,
owner @{run}/user/@{uid}/pulse/{,*} rw,
owner @{run}/user/@{uid}/pulse/*.lock k,
owner @{run}/user/@{uid}/systemd/notify rw,
@{run}/systemd/users/@{uid} r,
@{run}/udev/data/+sound* r,
@{run}/udev/data/c116:[0-9]* r, # For ALSA
@{sys}/class/sound/ r,
@{sys}/devices/**/sound/**/{uevent,pcm_class} r,
@{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
deny @{sys}/module/apparmor/parameters/enabled r,
owner @{PROC}/@{pids}/fd/ r,
owner @{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/cmdline r,
# file_inherit # file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
# Snap
/var/lib/snapd/desktop/applications/ r,
/usr/{local/,}share/ubuntu/applications/{,*} r,
include if exists <local/pulseaudio> include if exists <local/pulseaudio>
} }
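Review bot: the Snap/Ubuntu rule moves up as `/usr/share/ubuntu/applications/{,*} r,` and silently drops the `{local/,}` alternative the old `/usr/{local/,}share/ubuntu/applications/{,*} r,` had; if the narrowing is deliberate, fine, otherwise keep `{local/,}`.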

View file

@ -24,12 +24,15 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
/usr/share/*/*.desktop r, /usr/share/*/*.desktop r,
/var/lib/flatpak/exports/share/applications/{,**/} r, /var/lib/flatpak/{app/**/,}exports/share/applications/{,**/} r,
/var/lib/flatpak/exports/share/applications/**.desktop r, /var/lib/flatpak/{app/**/,}exports/share/applications/**.desktop r,
/var/lib/flatpak/exports/share/applications/.mimeinfo.cache.* rw, /var/lib/flatpak/{app/**/,}exports/share/applications/.mimeinfo.cache.* rw,
/var/lib/flatpak/exports/share/applications/mimeinfo.cache w, /var/lib/flatpak/{app/**/,}exports/share/applications/mimeinfo.cache w,
/var/lib/flatpak/app/**/export/share/applications/**.desktop r, /var/lib/snapd/desktop/applications/{,**/} r,
/var/lib/snapd/desktop/applications/**.desktop r,
/var/lib/snapd/desktop/applications/.mimeinfo.cache.* rw,
/var/lib/snapd/desktop/applications/mimeinfo.cache w,
# Inherit silencer # Inherit silencer
deny network inet6 stream, deny network inet6 stream,
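Review bot: the old per-app rule was `/var/lib/flatpak/app/**/export/share/applications/**.desktop r,` (singular `export`); the new `{app/**/,}exports/...` glob expands to `app/**/exports/...`, so the per-app path is no longer matched. Keep a separate rule for the singular `export` directory, or write the alternation as `{app/**/export,exports}/share/applications/...`.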

View file

@ -11,7 +11,7 @@ profile upower @{exec_path} {
include <abstractions/base> include <abstractions/base>
# Needed? # Needed?
deny capability sys_nice, audit capability sys_nice,
@{exec_path} mr, @{exec_path} mr,
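Review bot: `deny capability sys_nice,` to `audit capability sys_nice,` flips the rule from deny-and-log to allow-and-log, but the `# Needed?` comment above it is kept, so the profile now grants a capability it still documents as doubtful. Resolve the question one way or the other and update the comment to match; granting it "to see what happens" should be `audit deny`.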

View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov # Copyright (C) 2018-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -10,36 +11,42 @@ include <tunables/global>
@{exec_path} += @{libexec}/upowerd @{exec_path} += @{libexec}/upowerd
profile upowerd @{exec_path} flags=(attach_disconnected) { profile upowerd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/devices-usb> include <abstractions/devices-usb>
network netlink raw, network netlink raw,
dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**}
interface=org.freedesktop.{DBus.Properties,UPower*},
dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.DBus.Properties
member={PropertiesChanged,GetAll},
dbus send bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager
member=Inhibit,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=RequestName
peer=(name=org.freedesktop.DBus),
dbus receive bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager
member={SessionNew,SessionRemoved,PrepareForShutdown},
dbus bind bus=system
name=org.freedesktop.UPower,
@{exec_path} mr, @{exec_path} mr,
# UPower config file
/etc/UPower/ r, /etc/UPower/ r,
/etc/UPower/UPower.conf r, /etc/UPower/UPower.conf r,
# The history data for the power device
/var/lib/upower/ r, /var/lib/upower/ r,
/var/lib/upower/history-*.dat{,.*} rw, /var/lib/upower/history-*.dat{,.*} rw,
# Are all of these needed? (#FIXME#)
/dev/input/event* r,
@{sys}/bus/hid/devices/ r,
@{sys}/class/leds/ r,
@{sys}/class/power_supply/ r,
@{sys}/class/input/ r,
@{sys}/devices/ r,
@{sys}/devices/**/power_supply/**/* r,
@{sys}/devices/**/uevent r,
@{sys}/devices/**/capabilities/* r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/platform/**/leds/**/max_brightness r,
@{sys}/devices/platform/**/leds/**/brightness rw,
@{sys}/devices/platform/**/leds/**/brightness_hw_changed r,
@{run}/udev/data/ r, @{run}/udev/data/ r,
@{run}/udev/data/+power_supply* r, @{run}/udev/data/+power_supply* r,
@{run}/udev/data/+input* r, @{run}/udev/data/+input* r,
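Review bot: `dbus (send,receive) bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.DBus.Properties member={PropertiesChanged,GetAll}` lets upowerd both send and receive both members; it only calls `GetAll` and only receives `PropertiesChanged`, so split it into a `send ... member=GetAll` rule and a `receive ... member=PropertiesChanged` rule (the colord-sane and geoclue hunks already separate send and receive this way). The `# UPower config file` and `# The history data for the power device` comments are also dropped without replacement; keep them.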
@ -48,5 +55,20 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/inhibit/[0-9]*.ref rw,
@{sys}/bus/hid/devices/ r,
@{sys}/class/input/ r,
@{sys}/class/leds/ r,
@{sys}/class/power_supply/ r,
@{sys}/devices/ r,
@{sys}/devices/**/capabilities/* r,
@{sys}/devices/**/power_supply/**/* r,
@{sys}/devices/**/uevent r,
@{sys}/devices/platform/**/leds/**/brightness rw,
@{sys}/devices/platform/**/leds/**/brightness_hw_changed r,
@{sys}/devices/platform/**/leds/**/max_brightness r,
@{sys}/devices/virtual/dmi/id/product_name r,
/dev/input/event* r,
include if exists <local/upowerd> include if exists <local/upowerd>
} }
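Review bot: the `# Are all of these needed? (#FIXME#)` marker is deleted while all thirteen rules it referred to are kept verbatim, only re-sorted; unless they were actually verified, the open question is lost. Keep the FIXME, or state in the commit what was checked.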

Some files were not shown because too many files have changed in this diff.