feat(profiles): define more xdg variables.

This commit is contained in:
Alexandre Pujol 2022-06-26 17:32:12 +01:00
parent b3a28da5e5
commit e087349662
35 changed files with 103 additions and 128 deletions


@ -4,14 +4,11 @@
abi <abi/3.0>, abi <abi/3.0>,
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/** rwkl,
owner @{MOUNTS}/@{XDG_DOWNLOAD_DIR}/ r,
owner @{MOUNTS}/@{XDG_DOWNLOAD_DIR}/** rwkl,
owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl, owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl -> @{HOME}/@{XDG_DESKTOP_DIR}/**,
owner @{user_download_dirs}/ r,
owner @{user_download_dirs}/** rwkl -> @{user_download_dirs}/**,
# For SSHFS mounts (without owner as files in such mounts can be owned by different users) # For SSHFS mounts (without owner as files in such mounts can be owned by different users)
@{HOME}/mount-sshfs/ r, @{HOME}/mount-sshfs/ r,
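Review bot: The desktop directory is still spelled out as `@{HOME}/@{XDG_DESKTOP_DIR}` on the new side while the download rules switched to `@{user_download_dirs}`, so a desktop folder on a mount (the `@{MOUNTS}/...` counterpart the download rules keep) is not covered; a `@{user_desktop_dirs}` variable defined like the other `@{user_*_dirs}` in the tunables hunk would keep this abstraction symmetric. The new `-> @{HOME}/@{XDG_DESKTOP_DIR}/**` link target on the desktop `rwkl` line is a welcome narrowing over the old unrestricted `l`. Note that `@{user_download_dirs}` expands to two roots, so `-> @{user_download_dirs}/**` also permits hard links between the home and mount download trees when they sit on one filesystem; probably acceptable, but worth knowing.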


@ -2,20 +2,23 @@
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
owner @{HOME}/@{XDG_DOCUMENTS_DIR}/{,**} r, # Give read access on all defined user directories. It should only be used if
owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} r, # access to ALL folders is required.
owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} r,
owner @{HOME}/@{XDG_VIDEOS_DIR}/{,**} r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} r,
owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} r,
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
owner @{MOUNTS}/**/@{XDG_DOCUMENTS_DIR}/{,**} r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
owner @{MOUNTS}/**/@{XDG_MUSIC_DIR}/{,**} r, owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
owner @{MOUNTS}/**/@{XDG_PICTURES_DIR}/{,**} r, owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
owner @{MOUNTS}/**/@{XDG_VIDEOS_DIR}/{,**} r, owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} r,
owner @{MOUNTS}/**/@{XDG_PROJECTS_DIR}/{,**} r,
owner @{MOUNTS}/**/@{XDG_BOOKS_DIR}/{,**} r, owner @{user_books_dirs}/{,**} r,
owner @{MOUNTS}/**/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_documents_dirs}/{,**} r,
owner @{user_music_dirs}/{,**} r,
owner @{user_pictures_dirs}/{,**} r,
owner @{user_projects_dirs}/{,**} r,
owner @{user_publicshare_dirs}/{,**} r,
owner @{user_sync_dirs}/{,**} r,
owner @{user_templates_dirs}/{,**} r,
owner @{user_torrents_dirs}/{,**} r,
owner @{user_videos_dirs}/{,**} r,
include if exists <abstractions/user-read.d> include if exists <abstractions/user-read.d>
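Review bot: The `@{MOUNTS}/**/@{XDG_*_DIR}` patterns this abstraction used to grant (any depth below a mount) are replaced by `@{user_*_dirs}`, which per the tunables hunk expand to `@{MOUNTS}/@{XDG_*_DIR}` only, so directories nested deeper on a mount silently lose read access; that narrowing is a sound least-privilege default but deserves a sentence in the commit message or the new header comment. `@{XDG_SCREENSHOTS_DIR}` and `@{XDG_WALLPAPERS_DIR}` still get hand-written `@{HOME}`/`@{MOUNTS}` pairs here and in the gnome-shell hunk while every other directory uses a variable; `@{user_screenshots_dirs}` and `@{user_wallpapers_dirs}` would finish the migration. The abstraction also newly grants read on `@{user_torrents_dirs}`, `@{user_publicshare_dirs}`, `@{user_sync_dirs}` and `@{user_templates_dirs}`, which is a widening for every profile that includes it, consistent with the header's "ALL folders" warning but not mentioned in the title.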


@ -2,17 +2,12 @@
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} rwl,
owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} rwl,
owner @{HOME}/@{XDG_VIDEOS_DIR}/{,**} rwl,
owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} rwl,
owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} rwl,
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rwl, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
owner @{MOUNTS}/@{XDG_DOCUMENTS_DIR}/{,**} rwl,
owner @{MOUNTS}/@{XDG_MUSIC_DIR}/{,**} rwl,
owner @{MOUNTS}/@{XDG_PICTURES_DIR}/{,**} rwl,
owner @{MOUNTS}/@{XDG_VIDEOS_DIR}/{,**} rwl,
owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/{,**} rwl,
owner @{MOUNTS}/@{XDG_BOOKS_DIR}/{,**} rwl,
owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} rwl, owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
owner @{user_books_dirs}/{,**} rwl,
owner @{user_documents_dirs}/{,**} rwl,
owner @{user_music_dirs}/{,**} rwl,
owner @{user_pictures_dirs}/{,**} rwl,
owner @{user_projects_dirs}/{,**} rwl,
owner @{user_videos_dirs}/{,**} rwl,
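Review bot: The new `owner @{user_*_dirs}/{,**} rwl,` lines carry an unrestricted `l`, unlike the download abstraction in this commit which writes `rwkl -> <same tree>/**`; without a `->` target a hard link created inside these trees may point at any file the profile holds sufficient permissions on. Since each line is being rewritten anyway, `owner @{user_books_dirs}/{,**} rwl -> @{user_books_dirs}/**,` (and likewise for the other five) would align the two abstractions. The shape is inherited from the removed lines, so this is a pre-existing choice rather than a regression.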


@ -88,8 +88,8 @@ profile atom @{exec_path} {
/ r, / r,
@{MOUNTS}/ r, @{MOUNTS}/ r,
owner @{MOUNTS}/ r, owner @{MOUNTS}/ r,
owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/ r, owner @{user_projects_dirs}/ r,
owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/** rwkl -> @{MOUNTS}/@{XDG_PROJECTS_DIR}/**, owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
owner @{user_config_dirs}/git/config r, owner @{user_config_dirs}/git/config r,


@ -75,12 +75,8 @@ profile calibre @{exec_path} {
/usr/share/calibre/{,**} r, /usr/share/calibre/{,**} r,
owner @{HOME}/@{XDG_BOOKS_DIR} rw, owner @{user_books_dirs} rw,
owner @{HOME}/@{XDG_BOOKS_DIR}/** rwkl, owner @{user_books_dirs}/** rwkl -> @{user_books_dirs}/**,
owner @{MOUNTS}/@{XDG_BOOKS_DIR}/ r,
owner @{MOUNTS}/@{XDG_BOOKS_DIR}*/ rw,
owner @{MOUNTS}/@{XDG_BOOKS_DIR}*/** rwkl -> @{MOUNTS}/@{XDG_BOOKS_DIR}*/**,
owner @{user_config_dirs}/calibre/ rw, owner @{user_config_dirs}/calibre/ rw,
owner @{user_config_dirs}/calibre/** rwk, owner @{user_config_dirs}/calibre/** rwk,
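Review bot: `owner @{user_books_dirs} rw,` on the new side has no trailing `/`, so it matches a file literally named `Books` rather than the directory; AppArmor matches directories with a trailing slash, so listing the books folder itself would need `owner @{user_books_dirs}/ rw,` (the abstraction hunks in this commit use the `@{user_books_dirs}/ r` form). The old line had the same shape, so this is pre-existing, but the rewrite is the moment to fix it. The `@{MOUNTS}/@{XDG_BOOKS_DIR}*/` glob suffix is also dropped, so a `Books2`-style folder on a mount no longer matches; fine if intentional. The enclosing profile starts and ends outside the hunk.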


@ -64,10 +64,8 @@ profile code @{exec_path} {
owner @{HOME}/.vscode/** rwlk -> @{HOME}/.vscode/**, owner @{HOME}/.vscode/** rwlk -> @{HOME}/.vscode/**,
# Git dirs # Git dirs
/ r, owner @{user_projects_dirs}/ r,
@{MOUNTS}/ r, owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/ r,
owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/** rwkl -> @{MOUNTS}/@{XDG_PROJECTS_DIR}/**,
/etc/fstab r, /etc/fstab r,
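Review bot: Dropping `/ r,` and `@{MOUNTS}/ r,` means the profile can no longer list the mount hierarchy, yet `@{user_projects_dirs}` still expands to a `@{MOUNTS}/...` location; AppArmor does not mediate path traversal, so opening a known project path still works, but a file dialog browsing down from `@{MOUNTS}/` will be denied. If that is meant as a tightening it is fine, otherwise keep `@{MOUNTS}/ r,` under the `# Git dirs` comment. The atom hunk in this commit keeps its `@{MOUNTS}/ r,`, so the two editor profiles now diverge on this point. The enclosing profile continues outside the hunk.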


@ -38,8 +38,7 @@ profile gnome-music @{exec_path} {
/etc/machine-id r, /etc/machine-id r,
owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} r, owner @{user_music_dirs}/{,**} r,
owner @{MOUNTS}/@{XDG_MUSIC_DIR}/{,**} r,
owner @{user_cache_dirs}/gnome-music/{,**} rwk, owner @{user_cache_dirs}/gnome-music/{,**} rwk,
owner @{user_cache_dirs}/media-art/album-*.jpeg rw, owner @{user_cache_dirs}/media-art/album-*.jpeg rw,


@ -15,8 +15,7 @@ profile gnome-photos-thumbnailer @{exec_path} {
/usr/share/mime/mime.cache r, /usr/share/mime/mime.cache r,
owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} r, owner @{user_pictures_dirs}/{,**} r,
owner @{MOUNTS}/@{XDG_PICTURES_DIR}/{,**} r,
owner @{user_cache_dirs}/babl/{,**} r, owner @{user_cache_dirs}/babl/{,**} r,
owner @{user_cache_dirs}/gegl-*/{,**} r, owner @{user_cache_dirs}/gegl-*/{,**} r,


@ -170,10 +170,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
/var/lib/snapd/desktop/icons/{,**} r, /var/lib/snapd/desktop/icons/{,**} r,
owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
owner @{HOME}/@{XDG_MUSIC_DIR}/**/*.jpg r,
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
owner @{user_music_dirs}/**/*.jpg r,
owner @{user_config_dirs}/.goutputstream{,*} rw, owner @{user_config_dirs}/.goutputstream{,*} rw,
owner @{user_config_dirs}/monitors.xml{,~} rwl, owner @{user_config_dirs}/monitors.xml{,~} rwl,


@ -30,8 +30,8 @@ profile gpg @{exec_path} {
owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/ rw, owner @{user_projects_dirs}/**/gnupg/ rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/**, owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**,
owner /var/lib/*/gnupg/ rw, owner /var/lib/*/gnupg/ rw,
owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**, owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**,
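Review bot: Switching to `@{user_projects_dirs}` widens these gnupg rules from `@{HOME}/@{XDG_PROJECTS_DIR}` to also `@{MOUNTS}/@{XDG_PROJECTS_DIR}` (per the tunables hunk), so gpg may now read and write keyrings that live on mounted media; the title "define more xdg variables" does not say this scope change is intended. The same widening appears in the gpg-agent, gpgconf, gpgsm, ssh, ssh-agent, aurpublish, git, gitstatusd, hugo, pass and pass-import hunks. Since these paths hold private key material, one sentence in the commit message confirming that mounts are meant to be in scope would help later readers. The enclosing profile starts and ends outside the hunk.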


@ -36,12 +36,12 @@ profile gpg-agent @{exec_path} {
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/sshcontrol r, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/sshcontrol r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/ rw, owner @{user_projects_dirs}/**/{.,}gnupg/ rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/gpg-agent.conf r, owner @{user_projects_dirs}/**/{.,}gnupg/gpg-agent.conf r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/ rw, owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw, owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{user_projects_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/sshcontrol r, owner @{user_projects_dirs}/**/{.,}gnupg/sshcontrol r,
owner @{run}/user/@{uid}/gnupg/ rw, owner @{run}/user/@{uid}/gnupg/ rw,
owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r, owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r,


@ -24,7 +24,7 @@ profile gpgconf @{exec_path} {
/{usr/,}bin/pinentry-* rPx, /{usr/,}bin/pinentry-* rPx,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/**, owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**,
owner @{PROC}/@{pid}/task/@{tid}/stat rw, owner @{PROC}/@{pid}/task/@{tid}/stat rw,
owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw,


@ -16,7 +16,7 @@ profile gpgsm @{exec_path} {
deny /usr/bin/.gnupg/ w, deny /usr/bin/.gnupg/ w,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**, owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**,
owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**,
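Review bot: The link target on the new line is `-> @{user_projects_dirs}/**`, the whole projects tree, whereas the gpg and gpgconf hunks restrict the equivalent rule to `-> @{user_projects_dirs}/**/gnupg/**`; as written gpgsm may hard-link keyring files to any path under the projects dirs. Tightening it to `owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**,` keeps the three profiles consistent. The shape is inherited from the removed line, but the rewrite is the natural moment to align it.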


@ -30,8 +30,8 @@ profile ssh @{exec_path} {
owner @{HOME}/@{XDG_SSH_DIR}/config r, owner @{HOME}/@{XDG_SSH_DIR}/config r,
owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl,
owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r, owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/ssh/{,*} r, owner @{user_projects_dirs}/**/ssh/{,*} r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/config r, owner @{user_projects_dirs}/**/config r,
/etc/ssh/ssh_config r, /etc/ssh/ssh_config r,
/etc/ssh/ssh_config.d/{,*} r, /etc/ssh/ssh_config.d/{,*} r,


@ -29,7 +29,7 @@ profile ssh-agent @{exec_path} {
# SSH keys # SSH keys
owner @{HOME}/@{XDG_SSH_DIR}/ rw, owner @{HOME}/@{XDG_SSH_DIR}/ rw,
owner @{HOME}/@{XDG_SSH_DIR}/* r, owner @{HOME}/@{XDG_SSH_DIR}/* r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/ssh/{,*} r, owner @{user_projects_dirs}/**/ssh/{,*} r,
# When started via systemd # When started via systemd
@{run}/user/@{uid}/openssh_agent rw, @{run}/user/@{uid}/openssh_agent rw,


@ -77,7 +77,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
/etc/ssh/sshd_config.d/{,*} r, /etc/ssh/sshd_config.d/{,*} r,
# For scp # For scp
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rwl, owner @{user_download_dirs}/{,**} rwl,
owner @{user_sync_dirs}/{,**} rwl, owner @{user_sync_dirs}/{,**} rwl,
owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r,


@ -141,10 +141,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
# User VM images and share # User VM images and share
@{user_share_dirs}/ r, @{user_share_dirs}/ r,
@{user_share_dirs}/libvirt/{,**} rwk, @{user_share_dirs}/libvirt/{,**} rwk,
@{HOME}/@{XDG_VM_DIR}/{,**} rwk, @{user_vm_dirs}/{,**} rwk,
@{MOUNTS}/@{XDG_VM_DIR}/{,**} rwk, @{user_publicshare_dirs}/{,**} rw,
@{HOME}/@{XDG_PUBLICSHARE_DIR}/{,**} rw,
@{MOUNTS}/@{XDG_PUBLICSHARE_DIR}/{,**} rw,
@{run}/libvirt/ rw, @{run}/libvirt/ rw,
@{run}/libvirt/** rwk, @{run}/libvirt/** rwk,


@ -21,9 +21,9 @@ profile aurpublish @{exec_path} {
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/wc rix, /{usr/,}bin/wc rix,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.git/COMMIT_EDITMSG rw, owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.SRCINFO rw, owner @{user_projects_dirs}/**/.SRCINFO rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/PKGBUILD r, owner @{user_projects_dirs}/**/PKGBUILD r,
/dev/tty rw, /dev/tty rw,


@ -34,7 +34,7 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
deny network inet, deny network inet,
deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/features/*/*.xpi r, deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/features/*/*.xpi r,
deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/storage/default/{,**} rw, deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/storage/default/{,**} rw,
deny owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw, deny owner @{user_download_dirs}/{,**} rw,
deny owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, deny owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
deny owner @{user_share_dirs}/gvfs-metadata/{,**} r, deny owner @{user_share_dirs}/gvfs-metadata/{,**} r,
deny /dev/dri/* rw, deny /dev/dri/* rw,


@ -80,8 +80,8 @@ profile git @{exec_path} {
/etc/mailname r, /etc/mailname r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/ rw, owner @{user_projects_dirs}/ rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**, owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
owner @{user_cache_dirs}/*/ rw, owner @{user_cache_dirs}/*/ rw,
owner @{user_cache_dirs}/*/** rwkl -> @{user_cache_dirs}/*/**, owner @{user_cache_dirs}/*/** rwkl -> @{user_cache_dirs}/*/**,
owner /tmp/** rwkl -> /tmp/**, owner /tmp/** rwkl -> /tmp/**,
@ -167,8 +167,8 @@ profile git @{exec_path} {
/etc/vimrc r, /etc/vimrc r,
/etc/vim/{,**} r, /etc/vim/{,**} r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.git/COMMIT_EDITMSG rw, owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.git/[0-9]* rw, owner @{user_projects_dirs}/**/.git/[0-9]* rw,
owner @{HOME}/.fzf/plugin/ r, owner @{HOME}/.fzf/plugin/ r,
owner @{HOME}/.fzf/plugin/fzf.vim r, owner @{HOME}/.fzf/plugin/fzf.vim r,


@ -12,8 +12,8 @@ profile gitstatusd @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} r, owner @{user_projects_dirs}/{,**} r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.git/.gitstatus.[0-9a-zA-Z]*/{,**} rw, owner @{user_projects_dirs}/**/.git/.gitstatus.[0-9a-zA-Z]*/{,**} rw,
owner @{HOME}/.gitconfig r, owner @{HOME}/.gitconfig r,
owner @{user_config_dirs}/git/{,*} r, owner @{user_config_dirs}/git/{,*} r,


@ -22,8 +22,8 @@ profile hugo @{exec_path} {
/etc/mime.types r, /etc/mime.types r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} rw, owner @{user_projects_dirs}/{,**} rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.hugo_build.lock rwk, owner @{user_projects_dirs}/**/.hugo_build.lock rwk,
owner /tmp/hugo_cache/ rw, owner /tmp/hugo_cache/ rw,
owner /tmp/hugo_cache/**/ rw, owner /tmp/hugo_cache/**/ rw,


@ -6,9 +6,8 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{JD_INSTALLDIR} = /home/*/jd2 @{JD_INSTALLDIR} = @{HOME}/jd2
@{JD_SH_PATH} = /home/*/@{XDG_DOWNLOAD_DIR} @{JD_SH_PATH} = @{user_download_dirs} @{HOME}/@{XDG_DESKTOP_DIR}
@{JD_SH_PATH} += /home/*/@{XDG_DESKTOP_DIR}
@{exec_path} = @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh @{exec_path} = @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh
profile jdownloader-install @{exec_path} { profile jdownloader-install @{exec_path} {


@ -97,10 +97,9 @@ profile man_filter {
# do is feed data to the invoking man process. # do is feed data to the invoking man process.
/usr/** r, /usr/** r,
owner @{HOME}/@{XDG_DATA_HOME}/** r, owner @{HOME}/@{XDG_DATA_HOME}/** r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/** r, owner @{user_projects_dirs}/** r,
owner @{user_cache_dirs}/** r, owner @{user_cache_dirs}/** r,
owner @{MOUNTS}/*/@{XDG_DATA_HOME}/** r, owner @{MOUNTS}/*/@{XDG_DATA_HOME}/** r,
owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/** r,
/var/cache/man/** w, /var/cache/man/** w,
} }
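Review bot: The replaced `@{MOUNTS}/*/@{XDG_PROJECTS_DIR}/**` matched one directory below a mount, but `@{user_projects_dirs}` expands to `@{MOUNTS}/@{XDG_PROJECTS_DIR}`, so the mount-side coverage changes depth while the adjacent `owner @{MOUNTS}/*/@{XDG_DATA_HOME}/** r,` keeps the old shape. The same depth mismatch is built into the tunables hunk, where `@{user_sync_dirs}` uses `@{MOUNTS}/*/@{XDG_SYNC_DIR}` and every other new `@{user_*_dirs}` uses `@{MOUNTS}/@{XDG_*_DIR}`; settling on one convention there avoids profiles silently diverging on which mount layout they cover. The man_filter profile starts outside the hunk.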


@ -41,7 +41,7 @@ profile minitube @{exec_path} {
owner "@{user_share_dirs}/Flavio Tordini/Minitube/*" rwk, owner "@{user_share_dirs}/Flavio Tordini/Minitube/*" rwk,
# Snapshot # Snapshot
owner @{HOME}/@{XDG_PICTURES_DIR}/*.png rw, owner @{user_pictures_dirs}/*.png rw,
owner @{HOME}/vlcsnap-.png rw, owner @{HOME}/vlcsnap-.png rw,
/usr/share/minitube/{,**} r, /usr/share/minitube/{,**} r,


@ -17,10 +17,10 @@ profile ntfscp @{exec_path} {
# For writing files owned by users other than root, since ntfscp has to be started as root. # For writing files owned by users other than root, since ntfscp has to be started as root.
capability dac_read_search, capability dac_read_search,
@{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
@{HOME}/@{XDG_DOWNLOAD_DIR}/** rwl -> @{HOME}/@{XDG_DOWNLOAD_DIR}/**,
@{HOME}/@{XDG_DESKTOP_DIR}/ r, @{HOME}/@{XDG_DESKTOP_DIR}/ r,
@{HOME}/@{XDG_DESKTOP_DIR}/** rwl -> @{HOME}/@{XDG_DESKTOP_DIR}/**, @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl -> @{HOME}/@{XDG_DESKTOP_DIR}/**,
@{user_download_dirs}/ r,
@{user_download_dirs}/** rwkl -> @{user_download_dirs}/**,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,


@ -56,7 +56,7 @@ profile pass @{exec_path} {
/usr/share/terminfo/x/xterm-256color r, /usr/share/terminfo/x/xterm-256color r,
owner @{HOME}/.password-store/{,**} rw, owner @{HOME}/.password-store/{,**} rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/{,**} rw, owner @{user_projects_dirs}/**/*-store/{,**} rw,
owner @{user_config_dirs}/password-store/{,**} rw, owner @{user_config_dirs}/password-store/{,**} rw,
owner /dev/shm/pass.*/{,*} rw, owner /dev/shm/pass.*/{,*} rw,
@ -84,7 +84,7 @@ profile pass @{exec_path} {
owner @{HOME}/.viminfo{,.tmp} rw, owner @{HOME}/.viminfo{,.tmp} rw,
owner @{HOME}/.password-store/ r, owner @{HOME}/.password-store/ r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/ r, owner @{user_projects_dirs}/**/*-store/ r,
owner @{user_config_dirs}/password-store/ r, owner @{user_config_dirs}/password-store/ r,
owner @{user_cache_dirs}/vim/{,**} rw, owner @{user_cache_dirs}/vim/{,**} rw,
@ -118,8 +118,8 @@ profile pass @{exec_path} {
owner @{HOME}/.password-store/ rw, owner @{HOME}/.password-store/ rw,
owner @{HOME}/.password-store/** rwkl -> @{HOME}/.password-store/**, owner @{HOME}/.password-store/** rwkl -> @{HOME}/.password-store/**,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/ rw, owner @{user_projects_dirs}/**/*-store/ rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/**, owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**,
owner @{user_config_dirs}/password-store/ rw, owner @{user_config_dirs}/password-store/ rw,
owner @{user_config_dirs}/password-store/** rwkl -> @{user_config_dirs}/password-store/**, owner @{user_config_dirs}/password-store/** rwkl -> @{user_config_dirs}/password-store/**,


@ -27,7 +27,7 @@ profile pass-import @{exec_path} {
/usr/share/file/misc/magic.mgc r, /usr/share/file/misc/magic.mgc r,
owner @{HOME}/.password-store/{,**} rw, owner @{HOME}/.password-store/{,**} rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/{,**} rw, owner @{user_projects_dirs}/**/*-store/{,**} rw,
owner @{user_config_dirs}/password-store/{,**} rw, owner @{user_config_dirs}/password-store/{,**} rw,
owner /tmp/[a-zA-Z0-9]* rw, owner /tmp/[a-zA-Z0-9]* rw,


@ -7,8 +7,6 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{TORRENT_DIR} = @{MOUNTS}/torrent
@{exec_path} = /{usr/,}bin/qbittorrent @{exec_path} = /{usr/,}bin/qbittorrent
profile qbittorrent @{exec_path} { profile qbittorrent @{exec_path} {
include <abstractions/base> include <abstractions/base>
@ -71,10 +69,8 @@ profile qbittorrent @{exec_path} {
/usr/share/qt5ct/** r, /usr/share/qt5ct/** r,
# Torrent files # Torrent files
@{MOUNTS}/ r, owner @{user_torrents_dirs}/ r,
owner @{MOUNTS}/*/ r, owner @{user_torrents_dirs}/** rw,
owner @{TORRENT_DIR}/ r,
owner @{TORRENT_DIR}/** rw,
# GeoIP settings # GeoIP settings
/usr/share/GeoIP/GeoIP.dat r, /usr/share/GeoIP/GeoIP.dat r,
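Review bot: The `@{TORRENT_DIR}` definition is removed from the header hunk, so any rule outside the two visible hunks that still references it will fail to parse; the same check applies to `@{TORRENT_DIR}` in the qbittorrent-nox and transmission-qt hunks and to `@{MEDIA_LIB}` in the strawberry and strawberry-tagreader hunks. The new `@{user_torrents_dirs}` expands to a `Torrents` directory under `@{HOME}` or `@{MOUNTS}`, while the removed definitions pointed at lowercase `torrent` under `@{MOUNTS}`, `@{MOUNTS}/*` or `/media/*`, so existing layouts stop matching until overridden in `tunables/xdg-user-dirs.d`. Removing `@{MOUNTS}/ r,` and `owner @{MOUNTS}/*/ r,` also drops directory listing of mounts, which the file picker may need; an audit-log denial would confirm either way. The enclosing profile starts and ends outside the hunks.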


@ -6,8 +6,6 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{TORRENT_DIR} = @{MOUNTS}/*/torrent
@{exec_path} = /{usr/,}bin/qbittorrent-nox @{exec_path} = /{usr/,}bin/qbittorrent-nox
profile qbittorrent-nox @{exec_path} { profile qbittorrent-nox @{exec_path} {
include <abstractions/base> include <abstractions/base>
@ -38,10 +36,8 @@ profile qbittorrent-nox @{exec_path} {
owner @{user_cache_dirs}/qBittorrent/{,**} rw, owner @{user_cache_dirs}/qBittorrent/{,**} rw,
# Torrent files # Torrent files
@{MOUNTS}/ r, owner @{user_torrents_dirs}/ r,
owner @{MOUNTS}/*/ r, owner @{user_torrents_dirs}/** rw,
owner @{TORRENT_DIR}/ r,
owner @{TORRENT_DIR}/** rw,
/dev/disk/by-label/ r, /dev/disk/by-label/ r,


@ -6,8 +6,6 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{MEDIA_LIB} = @{MOUNTS}/mp3/
@{exec_path} = /{usr/,}bin/strawberry @{exec_path} = /{usr/,}bin/strawberry
profile strawberry @{exec_path} { profile strawberry @{exec_path} {
include <abstractions/base> include <abstractions/base>
@ -46,11 +44,8 @@ profile strawberry @{exec_path} {
/{usr/,}bin/xdg-open rCx -> open, /{usr/,}bin/xdg-open rCx -> open,
# Media library # Media library
/ r, owner @{user_music_dirs}/ r,
@{MOUNTS}/ r, owner @{user_music_dirs}/** rw,
owner @{MOUNTS}/*/ r,
owner @{MEDIA_LIB}/ r,
owner @{MEDIA_LIB}/** rw,
# Playlists # Playlists
owner @{HOME}/**.{m3u,xspf,pls,asx,cue,wpl} rw, owner @{HOME}/**.{m3u,xspf,pls,asx,cue,wpl} rw,


@ -6,8 +6,6 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{MEDIA_LIB} = @{MOUNTS}/mp3/
@{exec_path} = /{usr/,}bin/strawberry-tagreader @{exec_path} = /{usr/,}bin/strawberry-tagreader
profile strawberry-tagreader @{exec_path} { profile strawberry-tagreader @{exec_path} {
include <abstractions/base> include <abstractions/base>
@ -21,8 +19,8 @@ profile strawberry-tagreader @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# Media library # Media library
owner @{MEDIA_LIB}/ r, owner @{user_music_dirs}/ r,
owner @{MEDIA_LIB}/** rw, owner @{user_music_dirs}/** rw,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,


@ -6,8 +6,6 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{TORRENT_DIR} = /media/*/torrent
@{exec_path} = /{usr/,}bin/transmission-qt @{exec_path} = /{usr/,}bin/transmission-qt
profile transmission-qt @{exec_path} { profile transmission-qt @{exec_path} {
include <abstractions/base> include <abstractions/base>
@ -36,10 +34,8 @@ profile transmission-qt @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# Torrent files # Torrent files
/media/ r, owner @{user_torrents_dirs}/ r,
owner /media/*/ r, owner @{user_torrents_dirs}/** rw,
owner @{TORRENT_DIR}/ r,
owner @{TORRENT_DIR}/** rw,
owner @{HOME}/.config/transmission/ rw, owner @{HOME}/.config/transmission/ rw,
owner @{HOME}/.config/transmission/** rwk, owner @{HOME}/.config/transmission/** rwk,


@ -84,8 +84,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
# User VM images # User VM images
owner @{user_share_dirs}/ r, owner @{user_share_dirs}/ r,
owner @{user_share_dirs}/libvirt/{,**} rw, owner @{user_share_dirs}/libvirt/{,**} rw,
owner @{HOME}/@{XDG_VM_DIR}/{,**} rw, owner @{user_vm_dirs}/{,**} rw,
owner @{MOUNTS}/@{XDG_VM_DIR}/{,**} rw,
owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
@{run}/mount/utab r, @{run}/mount/utab r,


@ -21,13 +21,13 @@
@{XDG_VIDEOS_DIR}="Videos" @{XDG_VIDEOS_DIR}="Videos"
# Extra user personal directories # Extra user personal directories
@{XDG_PROJECTS_DIR}="Projects"
@{XDG_BOOKS_DIR}="Books" @{XDG_BOOKS_DIR}="Books"
@{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers" @{XDG_PROJECTS_DIR}="Projects"
@{XDG_SCREENSHOTS_DIR}="@{XDG_PICTURES_DIR}/Screenshots" @{XDG_SCREENSHOTS_DIR}="@{XDG_PICTURES_DIR}/Screenshots"
@{XDG_SYNC_DIR}="Sync" @{XDG_SYNC_DIR}="Sync"
@{XDG_TORRENTS_DIR}="Torrents"
@{XDG_VM_DIR}=".vm" @{XDG_VM_DIR}=".vm"
@{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers"
# User personal keyrings # User personal keyrings
@{XDG_SSH_DIR}=".ssh" @{XDG_SSH_DIR}=".ssh"
@ -52,7 +52,18 @@
@{user_tmp_dirs}=@{run}/user/@{uid} /tmp/ @{user_tmp_dirs}=@{run}/user/@{uid} /tmp/
# Other user directories # Other user directories
@{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}
@{user_documents_dirs}=@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR}
@{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}
@{user_music_dirs}=@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR}
@{user_pictures_dirs}=@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR}
@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}
@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR}
@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR} @{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}
@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}
@{user_torrents_dirs}=@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}
@{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}
@{user_vm_dirs}=@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}
# Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments # Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments
# to the various XDG directories # to the various XDG directories