From e6dc08caec6d355cd1142ffec700b51bb7a51b14 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 9 May 2021 00:34:57 +0100
Subject: [PATCH] Add some profiles.
---
 apparmor.d/profiles-a-l/fc-cache | 23 +++++++++++++
 .../profiles-a-l/gdk-pixbuf-query-loaders | 18 +++++++++++
 apparmor.d/profiles-a-l/gio-querymodules | 19 +++++++++++
 apparmor.d/profiles-a-l/install-info | 22 +++++++++++++
 apparmor.d/profiles-m-z/pwck | 32 +++++++++++++++++++
 apparmor.d/profiles-m-z/update-mime-database | 18 +++++++++++
 apparmor.d/profiles-m-z/vlc-cache-gen | 19 +++++++++++
 7 files changed, 151 insertions(+)
 create mode 100644 apparmor.d/profiles-a-l/fc-cache
 create mode 100644 apparmor.d/profiles-a-l/gdk-pixbuf-query-loaders
 create mode 100644 apparmor.d/profiles-a-l/gio-querymodules
 create mode 100644 apparmor.d/profiles-a-l/install-info
 create mode 100644 apparmor.d/profiles-m-z/pwck
 create mode 100644 apparmor.d/profiles-m-z/update-mime-database
 create mode 100644 apparmor.d/profiles-m-z/vlc-cache-gen
diff --git a/apparmor.d/profiles-a-l/fc-cache b/apparmor.d/profiles-a-l/fc-cache
new file mode 100644
index 00000000..d7eae851
--- /dev/null
+++ b/apparmor.d/profiles-a-l/fc-cache
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/fc-cache
+profile fc-cache @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /var/cache/fontconfig/{,**} rw,
+ /var/cache/fontconfig/*.cache-[0-9]* rwk,
+ /var/cache/fontconfig/*.cache-[0-9]*.LCK rwl,
+ /var/cache/fontconfig/CACHEDIR.TAG.LCK rwl,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-a-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-a-l/gdk-pixbuf-query-loaders
new file mode 100644
index 00000000..043b8a8c
--- /dev/null
+++ b/apparmor.d/profiles-a-l/gdk-pixbuf-query-loaders
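Review bot: The three narrower rules under `/var/cache/fontconfig/` only add the `k` (lock) and `l` (link) permissions, because `/var/cache/fontconfig/{,**} rw,` on the line above already grants read/write to everything beneath it; without a comment the overlap reads as redundancy and invites someone to "clean it up". Suggest a comment above them such as `# rw is already granted by the rule above; these only add lock (k) and hard-link (l) for fontconfig's cache lock files`. As I read AppArmor's link rule, `l` without an explicit `-> target` only permits links whose target already carries at least the link's other permissions, which here keeps link targets inside the cache tree — worth stating in that comment as well. Whether unprivileged runs also need a per-user cache directory is not visible in this hunk and depends on what the included abstractions provide.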
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/gdk-pixbuf-query-loaders
+profile gdk-pixbuf-query-loaders @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}lib/gdk-pixbuf-[0-9].[0-9]*/*/loaders.cache.* rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-l/gio-querymodules b/apparmor.d/profiles-a-l/gio-querymodules
new file mode 100644
index 00000000..56bba7b8
--- /dev/null
+++ b/apparmor.d/profiles-a-l/gio-querymodules
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/gio-querymodules
+profile gio-querymodules @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}/lib/gtk-{3,4}.0/**/giomodule.cache{,.[0-9A-Z]*} w,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-l/install-info b/apparmor.d/profiles-a-l/install-info
new file mode 100644
index 00000000..3ee11fb2
--- /dev/null
+++ b/apparmor.d/profiles-a-l/install-info
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/install-info
+profile install-info @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}/bin/gzip rix,
+
+ /usr/share/info/{,**} r,
+ /usr/share/info/dir rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-m-z/pwck b/apparmor.d/profiles-m-z/pwck
new file mode 100644
index 00000000..3dc62b72
--- /dev/null
+++ b/apparmor.d/profiles-m-z/pwck
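Review bot: The only cache rule, `/{usr/,}lib/gdk-pixbuf-[0-9].[0-9]*/*/loaders.cache.* rw,`, covers a temporary `loaders.cache.*` name but not `loaders.cache` itself; if the tool finalizes by renaming the temporary over `loaders.cache` (AppArmor needs `w` on both the old and the new name for a rename), that final step would be denied and the loader cache silently left stale. The gio-querymodules profile in the same patch handles the equivalent case with `giomodule.cache{,.[0-9A-Z]*} w`, so for consistency this should probably read `/{usr/,}lib/gdk-pixbuf-[0-9].[0-9]*/*/loaders.cache{,.*} rw,`. I cannot confirm the rename from the patch alone, so check an audit log from a real run before widening.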
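Review bot: The path in `/{usr/,}/lib/gtk-{3,4}.0/**/giomodule.cache{,.[0-9A-Z]*} w,` has a slash both inside the `{usr/,}` alternation and right after it, so it expands to `//lib/...` and `/usr//lib/...`; the pathname AppArmor mediates carries a single slash, so as far as I can tell this rule never matches and the write is denied. The same slip is in install-info's `/{usr/,}/bin/gzip rix,`, which sits directly below a correctly written `/{usr/,}bin/{,ba,da}sh rix,` in its own hunk. Both should drop the extra slash: `/{usr/,}lib/gtk-{3,4}.0/**/giomodule.cache{,.[0-9A-Z]*} w,` and `/{usr/,}bin/gzip rix,`. Whether gio modules actually live under `gtk-{3,4}.0` on the target distribution is not determinable from the patch; a check against the audit log after deployment would settle it.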
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/pwck
+profile pwck @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}{s,}bin/nscd rix,
+
+ /etc/login.defs r,
+ /etc/.pwd.lock wk,
+ /etc/passwd rw,
+ /etc/passwd.[0-9]* rw,
+ /etc/passwd.lock wl,
+ /etc/shadow rw,
+ /etc/shadow.[0-9]* rw,
+ /etc/shadow.lock wl,
+
+ @{run}/systemd/userdb/ r,
+
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-m-z/update-mime-database b/apparmor.d/profiles-m-z/update-mime-database
new file mode 100644
index 00000000..4b6428fb
--- /dev/null
+++ b/apparmor.d/profiles-m-z/update-mime-database
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/update-mime-database
+profile update-mime-database @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/mime/{,**} rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-m-z/vlc-cache-gen b/apparmor.d/profiles-m-z/vlc-cache-gen
new file mode 100644
index 00000000..b9ace448
--- /dev/null
+++ b/apparmor.d/profiles-m-z/vlc-cache-gen
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/vlc/vlc-cache-gen
+profile vlc-cache-gen @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}lib/vlc/plugins/{,*} rw,
+
+ include if exists
+}
\ No newline at end of file
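Review bot: The `/etc/passwd` and `/etc/shadow` rules anticipate the lock dance (`*.[0-9]* rw`, `*.lock wl`) but nothing for the commit step: if pwck writes fixes the way the shadow suite usually does — a sibling temporary renamed over the file plus a `passwd-`/`shadow-` backup — those sibling names need `w` as well, and the repair path would be denied while read-only checks still pass, which is easy to miss in testing. I cannot confirm that behaviour from the patch, so verify with a run that actually modifies an entry before adding rules. Since this is a checker profile carrying `rw` on `/etc/shadow`, a one-line comment such as `# pwck rewrites passwd/shadow when asked to fix inconsistencies` would document why the write access is there.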
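Review bot: `/usr/share/mime/{,**} rw,` grants write access over the whole tree, including the `packages/` source definitions the tool only reads, so a buggy or compromised run can rewrite its own inputs. Least privilege would be `/usr/share/mime/packages/{,**} r,` for the sources and `rw` limited to the generated outputs beside them; which output files those are is not visible here, so confirm them from an audit log before narrowing. If the broad rule is kept deliberately, a comment such as `# whole tree rw: generated files are rewritten in place next to packages/` would stop the next reviewer from re-raising it.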
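Review bot: `/{usr/,}lib/vlc/plugins/{,*} rw,` gives write access to every top-level entry in the plugin directory, not just the cache file the tool generates, so every plugin loaded during generation runs with write access to the directory itself. Since `*` does not descend into subdirectories, the plugin modules and their `m` mapping must be coming from one of the included abstractions rather than this rule — worth a comment so the split is explicit. Consider narrowing `w` to the generated cache file and keeping `r` on the directory; I can't confirm the exact file name from the patch, so take it from an audit log.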