mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 00:48:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profile): general update.

Browse source
This commit is contained in:
Alexandre Pujol 2023-12-03 16:57:50 +00:00
parent 1edf507abf
commit dd1d9107e8
Failed to generate hash of commit
13 changed files with 41 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/groups/apt/apt
View file

@ -12,12 +12,12 @@ profile apt @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/apt-common> include <abstractions/apt-common>
include <abstractions/bus/polkit> include <abstractions/bus/polkit>
include <abstractions/dbus-strict>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/python> include <abstractions/python>
include <abstractions/ssl_certs>
capability chown, capability chown,
capability dac_override, capability dac_override,

2
apparmor.d/groups/freedesktop/xdg-desktop-portal
View file

@ -24,7 +24,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
dbus bind bus=session name=org.freedesktop.portal.Desktop, dbus bind bus=session name=org.freedesktop.portal.Desktop,
dbus (send, receive) bus=session path=/org/freedesktop/portal/desktop dbus (send, receive) bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Settings interface=org.freedesktop.portal.Settings,
dbus (send, receive) bus=session path=/org/freedesktop/portal/desktop dbus (send, receive) bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
peer=(name=:*), peer=(name=:*),

10
apparmor.d/groups/gnome/gnome-extension-ding
View file

@ -91,6 +91,9 @@ profile gnome-extension-ding @{exec_path} {
/usr/share/thumbnailers/{,*.thumbnailer} r, /usr/share/thumbnailers/{,*.thumbnailer} r,
/usr/share/X11/{,**} r, /usr/share/X11/{,**} r,
/etc/pulse/client.conf r,
/etc/pulse/client.conf.d/{,*} r,
/var/lib/snapd/desktop/icons/{,**} r, /var/lib/snapd/desktop/icons/{,**} r,
owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r, owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r,
@ -98,6 +101,13 @@ profile gnome-extension-ding @{exec_path} {
owner @{user_share_dirs}/nautilus/scripts/ r, owner @{user_share_dirs}/nautilus/scripts/ r,
owner @{user_config_dirs}/pulse/cookie rk,
/dev/shm/ r,
owner @{run}/user/@{uid}/pulse/ r,
owner @{run}/user/@{uid}/pulse/native rw,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,

1
apparmor.d/groups/gnome/gnome-shell
View file

@ -584,6 +584,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner /dev/shm/.org.chromium.Chromium.* rw, owner /dev/shm/.org.chromium.Chromium.* rw,
owner /dev/shm/wayland.mozilla.ipc.@{int} rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
/tmp/dbus-@{rand8} rw,
owner /tmp/.X[0-9]-lock rw, owner /tmp/.X[0-9]-lock rw,
owner /tmp/[0-9A-Z]*.shell-extension.zip rw, owner /tmp/[0-9A-Z]*.shell-extension.zip rw,
owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw, owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw,

5
apparmor.d/groups/gnome/gnome-terminal-server
View file

@ -57,8 +57,10 @@ profile gnome-terminal-server @{exec_path} {
/etc/pulse/client.conf.d/{,**} r, /etc/pulse/client.conf.d/{,**} r,
/etc/shells r, /etc/shells r,
owner @{user_cache_dirs}/event-sound-cache.tdb.@{md5}.@{multiarch} rwk,
owner @{user_config_dirs}/*xdg-terminals.list* rw, owner @{user_config_dirs}/*xdg-terminals.list* rw,
owner @{user_config_dirs}/pulse/cookie r, owner @{user_config_dirs}/pulse/cookie rk,
owner @{run}/user/@{uid}/pulse/ r, owner @{run}/user/@{uid}/pulse/ r,
owner @{run}/user/@{uid}/pulse/native rw, owner @{run}/user/@{uid}/pulse/native rw,
@ -67,6 +69,7 @@ profile gnome-terminal-server @{exec_path} {
@{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cgroup r,
/dev/ptmx rw, /dev/ptmx rw,
/dev/shm/ r,
include if exists <local/gnome-terminal-server> include if exists <local/gnome-terminal-server>
} }

1
apparmor.d/groups/systemd/systemd-logind
View file

@ -126,6 +126,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
@{sys}/devices/virtual/tty/tty[0-9]*/active r, @{sys}/devices/virtual/tty/tty[0-9]*/active r,
@{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r,
@{sys}/firmware/efi/efivars/OsIndications-@{uuid} r, @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
@{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
@{sys}/fs/cgroup/memory.max r, @{sys}/fs/cgroup/memory.max r,

3
apparmor.d/groups/systemd/systemd-networkd
View file

@ -14,8 +14,9 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/systemd-common> include <abstractions/systemd-common>
capability net_admin, capability net_admin,
capability net_raw,
capability net_bind_service, capability net_bind_service,
capability net_broadcast,
capability net_raw,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,

5
apparmor.d/groups/ubuntu/apport
View file

@ -16,6 +16,8 @@ profile apport @{exec_path} {
capability fsetid, capability fsetid,
ptrace (read) peer=snap.cups.cupsd,
@{exec_path} mr, @{exec_path} mr,
/usr/share/apport/ r, /usr/share/apport/ r,
@ -23,10 +25,13 @@ profile apport @{exec_path} {
/var/crash/ rw, /var/crash/ rw,
owner /var/log/apport.log rw, owner /var/log/apport.log rw,
@{run}/apport.lock rwk,
@{PROC}/sys/fs/suid_dumpable w, @{PROC}/sys/fs/suid_dumpable w,
@{PROC}/sys/kernel/core_pattern r, @{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/core_pattern w, @{PROC}/sys/kernel/core_pattern w,
@{PROC}/sys/kernel/core_pipe_limit w, @{PROC}/sys/kernel/core_pipe_limit w,
owner @{PROC}/@{pid}/stat r,
include if exists <local/apport> include if exists <local/apport>
} }

4
apparmor.d/groups/ubuntu/apport-checkreports
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /usr/share/apport/apport-checkreports @{exec_path} = /usr/share/apport/apport-checkreports
profile apport-checkreports @{exec_path} { profile apport-checkreports @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
@ -27,5 +27,7 @@ profile apport-checkreports @{exec_path} {
/var/crash/ r, /var/crash/ r,
@{run}/apport.lock rwk,
include if exists <local/apport-checkreports> include if exists <local/apport-checkreports>
} }

1
apparmor.d/profiles-a-f/e2scrub_all
View file

@ -10,6 +10,7 @@ include <tunables/global>
profile e2scrub_all @{exec_path} flags=(attach_disconnected) { profile e2scrub_all @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/disks-read> include <abstractions/disks-read>
include <abstractions/nameservice-strict>
capability sys_admin, capability sys_admin,
capability sys_rawio, capability sys_rawio,

4
apparmor.d/profiles-s-z/snap
View file

@ -50,8 +50,8 @@ profile snap @{exec_path} {
@{bin}/systemctl rPx -> child-systemctl, @{bin}/systemctl rPx -> child-systemctl,
/snap/{,**} rw, /snap/{,**} rw,
/snap/snapd/@{int}/usr/lib/snapd/snap-confine rPx, /snap/snapd/@{int}/usr/lib/snapd/snap-confine rPx -> /snap/snapd/@{int}/usr/lib/snapd/snap-confine,
@{lib}/snapd/snap-confine rPx, @{lib}/snapd/snap-confine rPx -> /usr/lib/snapd/snap-confine,
@{lib_dirs}/snapd/snap-seccomp rPx, @{lib_dirs}/snapd/snap-seccomp rPx,
@{lib_dirs}/snapd/snapd rPx, @{lib_dirs}/snapd/snapd rPx,

1
apparmor.d/profiles-s-z/spice-vdagent
View file

@ -52,6 +52,7 @@ profile spice-vdagent @{exec_path} {
owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.dirs r,
@{run}/spice-vdagentd/spice-vdagent-sock rw, @{run}/spice-vdagentd/spice-vdagent-sock rw,
owner @{run}/user/@{uid}/pipewire-@{int} rw,
@{sys}/devices/@{pci}/{device,vendor} r, @{sys}/devices/@{pci}/{device,vendor} r,

3
apparmor.d/profiles-s-z/wpa-supplicant
View file

@ -23,8 +23,9 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
capability net_raw, capability net_raw,
capability sys_module, capability sys_module,
network packet raw, network netlink raw,
network packet dgram, network packet dgram,
network packet raw,
dbus bind bus=system name=fi.w1.wpa_supplicant1, dbus bind bus=system name=fi.w1.wpa_supplicant1,
dbus receive bus=system path=/fi/w1/wpa_supplicant1 dbus receive bus=system path=/fi/w1/wpa_supplicant1