feat(profiles): general update.
This commit is contained in:
parent
c04363c1b6
commit
e69182e1df
9 changed files with 41 additions and 7 deletions
@ -24,10 +24,10 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
/usr/share/*/*.desktop r,
/usr/share/*/*.desktop r,
/var/lib/flatpak/{app/**,}exports/share/applications/{,**/} r,
/var/lib/flatpak/{app/**/,}exports/share/applications/{,**/} r,
/var/lib/flatpak/{app/**,}exports/share/applications/**.desktop r,
/var/lib/flatpak/{app/**/,}exports/share/applications/**.desktop r,
/var/lib/flatpak/{app/**,}exports/share/applications/.mimeinfo.cache.* rw,
/var/lib/flatpak/{app/**/,}exports/share/applications/.mimeinfo.cache.* rw,
/var/lib/flatpak/{app/**,}exports/share/applications/mimeinfo.cache w,
/var/lib/flatpak/{app/**/,}exports/share/applications/mimeinfo.cache w,
/var/lib/snapd/desktop/applications/{,**/} r,
/var/lib/snapd/desktop/applications/{,**/} r,
/var/lib/snapd/desktop/applications/**.desktop r,
/var/lib/snapd/desktop/applications/**.desktop r,
@ -18,6 +18,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
@{HOME}/@{XDG_DATA_HOME}/flatpak/db/gnome rw,
@{HOME}/@{XDG_DATA_HOME}/flatpak/db/gnome rw,
owner @{user_share_dirs}/flatpak/db/ rw,
owner @{user_share_dirs}/flatpak/db/.goutputstream-* rw,
owner @{user_share_dirs}/flatpak/db/.goutputstream-* rw,
owner @{user_share_dirs}/flatpak/db/background rw,
owner @{user_share_dirs}/flatpak/db/background rw,
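Review bot: The new rule `owner @{user_share_dirs}/flatpak/db/ rw,` names the same tree that the neighbouring context rule spells as `@{HOME}/@{XDG_DATA_HOME}/flatpak/db/gnome rw,` without an `owner` qualifier; if the two variables denote the same directory, the older line should follow the new spelling, `owner @{user_share_dirs}/flatpak/db/gnome rw,`, so the gnome entry is not the only file in the block that a foreign-owned path can satisfy. Note also that `rw` on the directory entry itself covers mkdir/rmdir of `db/` plus listing; if the store only creates it on first run, say so in a comment (e.g. `# created on first start`) so the directory-level write is not later mistaken for a file-level one. The profile body continues outside the hunk.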
@ -74,6 +74,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
@{run}/faillock/[a-zA-z0-9]* rwk,
@{run}/faillock/[a-zA-z0-9]* rwk,
@{run}/gdm/custom.conf r,
@{run}/gdm/custom.conf r,
@{run}/systemd/sessions/* r,
@{run}/systemd/sessions/*.ref rw,
@{run}/systemd/sessions/*.ref rw,
@{run}/systemd/users/@{uid} r,
@{run}/systemd/users/@{uid} r,
@{run}/utmp rwk,
@{run}/utmp rwk,
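Review bot: The context line `@{run}/faillock/[a-zA-z0-9]* rwk,` two rows above the new rule uses the range `A-z`, which in ASCII also spans `[`, `\`, `]`, `^`, `_` and the backtick; it is pre-existing, but it reads like a typo for `[a-zA-Z0-9]*` and is worth correcting in the same profile while it is being touched. The added `@{run}/systemd/sessions/* r,` itself raises nothing beyond that. The profile body continues outside the hunk.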
@ -23,8 +23,9 @@ profile gnome-calendar @{exec_path} {
@{exec_path} mr,
@{exec_path} mr,
/usr/share/libgweather/Locations.xml r,
/usr/share/egl/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/libgweather/Locations.xml r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
@ -103,6 +103,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/snap/*/[0-9]*/*.png r,
/snap/*/[0-9]*/*.png r,
/usr/share/backgrounds/{,**} r,
/usr/share/backgrounds/{,**} r,
/usr/share/cups/data/testprint r,
/usr/share/egl/{,**} r,
/usr/share/egl/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/gnome-background-properties/{,**} r,
/usr/share/gnome-background-properties/{,**} r,
@ -123,8 +124,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/var/lib/dbus/machine-id r,
/var/lib/snapd/desktop/icons/ r,
/var/lib/snapd/desktop/icons/ r,
/var/cache/samba/ rw,
owner @{HOME}/.cat_installer/ca.pem r,
owner @{HOME}/.cat_installer/ca.pem r,
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
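Review bot: `/var/cache/samba/ rw,` in the second hunk grants a user-session process create/remove rights on a system-wide cache directory with no `owner` qualifier. If gnome-control-center merely attempts to create that directory (presumably through a samba client library) and tolerates the failure, a `deny /var/cache/samba/ rw,` rule with a short comment would silence the audit noise without widening access — confirm against the denial that motivated the line. Ordering-wise the rule sits after `/var/lib/snapd/desktop/icons/ r,` although the rest of the block is alphabetical, so `/var/cache/` belongs before the `/var/lib/` entries. The profile body continues outside both hunks.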
@ -15,6 +15,7 @@ profile tailscaled @{exec_path} {
capability dac_read_search,
capability dac_read_search,
capability mknod,
capability mknod,
capability net_admin,
capability net_admin,
capability net_raw,
capability sys_ptrace,
capability sys_ptrace,
network inet dgram,
network inet dgram,
@ -30,10 +31,14 @@ profile tailscaled @{exec_path} {
/{usr/,}bin/ip rix,
/{usr/,}bin/ip rix,
/{usr/,}{s,}bin/xtables-nft-multi rix,
/{usr/,}{s,}bin/xtables-nft-multi rix,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/systemctl rCx -> systemctl,
/etc/iproute2/rt_tables r,
/etc/iproute2/rt_tables r,
/etc/resolv.*.conf rw,
/etc/resolv.conf rw,
/etc/resolv.conf.*.tmp rw,
owner /var/lib/tailscale/{,**} rw,
owner /var/lib/tailscale/{,**} rw,
owner @{run}/tailscale/{,**} rw,
owner @{run}/tailscale/{,**} rw,
@ -54,5 +59,21 @@ profile tailscaled @{exec_path} {
/dev/net/tun rw,
/dev/net/tun rw,
profile systemctl {
include <abstractions/base>
capability mknod,
capability net_admin,
network netlink raw,
ptrace (read),
/{usr/,}bin/systemctl mr,
/dev/net/tun rw,
}
include if exists <local/tailscaled>
include if exists <local/tailscaled>
}
}
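Review bot: The new child profile `systemctl` in the last hunk closes without a local override include, while the parent keeps `include if exists <local/tailscaled>`; by the same convention the child would carry `include if exists <local/tailscaled_systemctl>` before its closing brace (verify the exact name the repository uses for child overrides). The child is also granted `capability mknod`, `capability net_admin`, `ptrace (read)`, `network netlink raw` and `/dev/net/tun rw`, which is far more than running systemctl normally requires; if these exist only because the parent's open tun/netlink descriptors are revalidated at the `rCx` transition, a comment on each such line (e.g. `# inherited from tailscaled, revalidated on exec — verify`) would keep a later reviewer from tightening them blindly, and otherwise they deserve a second look. The added `capability net_raw,` and the `/etc/resolv.conf*` write rules in the earlier hunks raise nothing on their own.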
@ -225,7 +225,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
@{PROC}/mtrr w,
@{PROC}/mtrr w,
@{PROC}/sys/net/ipv{4,6}/** rw,
@{PROC}/sys/net/ipv{4,6}/** rw,
/dev/dri/ r, # include <abstractions/dri-common> ?
/dev/dri/ r,
/dev/hugepages/{,**} w,
/dev/hugepages/{,**} w,
/dev/kvm r,
/dev/kvm r,
/dev/mapper/ r,
/dev/mapper/ r,
@ -49,9 +49,13 @@ profile flatpak-system-helper @{exec_path} {
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpgsm mr,
/{usr/,}bin/gpgsm mr,
/{usr/,}bin/gpg-agent rix,
owner /tmp/ostree-gpg-*/ r,
owner /tmp/ostree-gpg-*/ r,
owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
owner @{PROC}/@{uid}/fd/ r,
}
}
include if exists <local/flatpak-system-helper>
include if exists <local/flatpak-system-helper>
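Review bot: `owner @{PROC}/@{uid}/fd/ r,` puts a user-id variable in the pid component of a proc path; elsewhere on this page (the nvtop hunk, `@{PROC}/@{pids}/stat r,`) pid components use `@{pids}`, so the intended rule is presumably `owner @{PROC}/@{pid}/fd/ r,` — both variables likely expand to numeric globs, but the name misleads the next reader. Separately, `/{usr/,}bin/gpg-agent rix,` lets a long-lived agent inherit the whole flatpak-system-helper profile while the sibling `gpgconf`/`gpgsm` lines are only `mr`; if the agent is actually spawned rather than mapped, a `rCx -> gpg-agent` child profile (or `rPx` to a dedicated profile if the repository has one) would confine it more tightly. The profile header lies outside the hunk; its closing brace is visible.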
@ -10,6 +10,7 @@ include <tunables/global>
profile nvtop @{exec_path} {
profile nvtop @{exec_path} {
include <abstractions/base>
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/consoles>
include <abstractions/dri-enumerate>
include <abstractions/nameservice-strict>
include <abstractions/nameservice-strict>
include <abstractions/opencl-nvidia>
include <abstractions/opencl-nvidia>
@ -25,6 +26,7 @@ profile nvtop @{exec_path} {
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/stat r,
@{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r,
@{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r,
/dev/dri/ r,
/dev/nvidia-caps/{,nvidia-cap[0-9]*} rw,
/dev/nvidia-caps/{,nvidia-cap[0-9]*} rw,
include if exists <local/nvtop>
include if exists <local/nvtop>
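Review bot: The explicit `/dev/dri/ r,` added in the second hunk may duplicate what the newly included `<abstractions/dri-enumerate>` already grants — as far as I recall the upstream abstraction of that name allows reading the `/dev/dri/` directory; check the abstraction's contents and keep only one of the two, preferably the include. If the explicit rule turns out to be needed, a comment such as `# not covered by dri-enumerate` would record why it survives alongside the include.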