mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 08:58:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: update profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2022-04-26 22:05:29 +01:00
parent 84dc85b82d
commit e845a172c2
Failed to generate hash of commit
28 changed files with 84 additions and 96 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
apparmor.d/groups/browsers/firefox
View file

@ -96,6 +96,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
/etc/firefox/{,**} r, /etc/firefox/{,**} r,
/etc/fstab r, /etc/fstab r,
/etc/igfx_user_feature{,_next}.txt w,
/etc/libva.conf r, /etc/libva.conf r,
/etc/mailcap r, /etc/mailcap r,
/etc/mime.types r, /etc/mime.types r,

1
apparmor.d/groups/bus/ibus-dconf
View file

@ -31,6 +31,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,
/var/lib/gdm/.cache/dconf/ w, /var/lib/gdm/.cache/dconf/ w,
/var/lib/gdm/.cache/dconf/user rw,
/var/lib/gdm/.config/dconf/user rw, /var/lib/gdm/.config/dconf/user rw,
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,

2
apparmor.d/groups/gnome/evolution-addressbook-factory
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/evolution-addressbook-factory @{exec_path} = /{usr/,}lib/evolution-addressbook-factory
profile evolution-addressbook-factory @{exec_path} { profile evolution-addressbook-factory @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/p11-kit> include <abstractions/p11-kit>
@ -26,7 +27,6 @@ profile evolution-addressbook-factory @{exec_path} {
owner @{user_share_dirs}/evolution/{,**} rwk, owner @{user_share_dirs}/evolution/{,**} rwk,
owner @{user_cache_dirs}/evolution/addressbook/{,**} rwk, owner @{user_cache_dirs}/evolution/addressbook/{,**} rwk,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,

2
apparmor.d/groups/gnome/evolution-calendar-factory
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/evolution-calendar-factory @{exec_path} = /{usr/,}lib/evolution-calendar-factory
profile evolution-calendar-factory @{exec_path} { profile evolution-calendar-factory @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/p11-kit> include <abstractions/p11-kit>
@ -28,7 +29,6 @@ profile evolution-calendar-factory @{exec_path} {
owner @{user_cache_dirs}/evolution/calendar/{,**} rwk, owner @{user_cache_dirs}/evolution/calendar/{,**} rwk,
owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, owner @{user_cache_dirs}/evolution/tasks/{,**} rwk,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,

2
apparmor.d/groups/gnome/evolution-source-registry
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/evolution-source-registry @{exec_path} = /{usr/,}lib/evolution-source-registry
profile evolution-source-registry @{exec_path} { profile evolution-source-registry @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/p11-kit> include <abstractions/p11-kit>
@ -27,7 +28,6 @@ profile evolution-source-registry @{exec_path} {
owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{user_cache_dirs}/evolution/{,**} rwk, owner @{user_cache_dirs}/evolution/{,**} rwk,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,

16
apparmor.d/groups/gnome/gdm-wayland-session
View file

@ -11,6 +11,7 @@ profile gdm-wayland-session @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bash> include <abstractions/bash>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dconf>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/zsh> include <abstractions/zsh>
@ -22,11 +23,11 @@ profile gdm-wayland-session @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/zsh rix,
/{usr/,}bin/tty rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/gnome-session rix, /{usr/,}bin/gnome-session rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/gsettings rix, /{usr/,}bin/gsettings rix,
/{usr/,}bin/tty rix,
/{usr/,}bin/zsh rix,
/{usr/,}bin/dbus-daemon rPx, /{usr/,}bin/dbus-daemon rPx,
/{usr/,}bin/dbus-run-session rPx, /{usr/,}bin/dbus-run-session rPx,
@ -42,14 +43,13 @@ profile gdm-wayland-session @{exec_path} {
@{run}/gdm/custom.conf r, @{run}/gdm/custom.conf r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
@{run}/gdm/custom.conf r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/loginuid r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
# file_inherit
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,
include if exists <local/gdm-wayland-session> include if exists <local/gdm-wayland-session>

5
apparmor.d/groups/gnome/gjs-console
View file

@ -18,6 +18,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/opencl-nvidia> include <abstractions/opencl-nvidia>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/vulkan>
network netlink raw, network netlink raw,
@ -32,7 +33,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
/usr/share/egl/{,**} r, /usr/share/egl/{,**} r,
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/glvnd/egl_vendor.d/{,*.json} r,
/usr/share/gnome-shell/{,**} r, /usr/share/gnome-shell/{,**} r,
/usr/share/X11/xkb/** r, /usr/share/X11/xkb/** r,
@ -49,9 +49,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,
@{run}/user/@{uid}/wayland-cursor-shared-* rw, @{run}/user/@{uid}/wayland-cursor-shared-* rw,
@{sys}/devices/pci[0-9]*/**/drm/ r,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r,
@{sys}/devices/pci[0-9]*/**/revision r, @{sys}/devices/pci[0-9]*/**/revision r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,

2
apparmor.d/groups/gnome/gnome-calendar
View file

@ -29,5 +29,7 @@ profile gnome-calendar @{exec_path} {
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
include if exists <local/gnome-calendar> include if exists <local/gnome-calendar>
} }

2
apparmor.d/groups/gnome/gnome-contacts
View file

@ -18,13 +18,13 @@ profile gnome-contacts @{exec_path} {
include <abstractions/opencl> include <abstractions/opencl>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/vulkan>
network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/glvnd/egl_vendor.d/{,*.json} r,
/usr/share/applications/{,*.desktop} r, /usr/share/applications/{,*.desktop} r,
owner @{user_cache_dirs}/evolution/addressbook/{,**} r, owner @{user_cache_dirs}/evolution/addressbook/{,**} r,

9
apparmor.d/groups/gnome/gnome-control-center
View file

@ -10,6 +10,7 @@ include <tunables/global>
profile gnome-control-center @{exec_path} flags=(attach_disconnected) { profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio> include <abstractions/audio>
include <abstractions/dconf>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/gnome> include <abstractions/gnome>
@ -20,6 +21,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/p11-kit> include <abstractions/p11-kit>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/vulkan>
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
@ -36,13 +38,13 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/locale rix, /{usr/,}bin/locale rix,
/{usr/,}bin/openvpn rPx, /{usr/,}bin/openvpn rPx,
/{usr/,}bin/passwd rPx, /{usr/,}bin/passwd rPx,
/{usr/,}lib/gnome-control-center-goa-helper rPx,
/{usr/,}lib/gnome-control-center-print-renderer rPx, /{usr/,}lib/gnome-control-center-print-renderer rPx,
/{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix, /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
/usr/share/backgrounds/gnome/* r, /usr/share/backgrounds/gnome/* r,
/usr/share/egl/{,**} r, /usr/share/egl/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/glvnd/egl_vendor.d/{,*.json} r,
/usr/share/gnome-background-properties/{,**} r, /usr/share/gnome-background-properties/{,**} r,
/usr/share/gnome-bluetooth/{,**} r, /usr/share/gnome-bluetooth/{,**} r,
/usr/share/gnome-color-manager/{,**} r, /usr/share/gnome-color-manager/{,**} r,
@ -74,10 +76,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw, owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw,
owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk, owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
owner @{run}/user/@{uid}/webkitgtk/{,**} rw, owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,
@ -98,9 +98,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
@{sys}/class/ r, @{sys}/class/ r,
@{sys}/class/input/ r, @{sys}/class/input/ r,
@{sys}/devices/**/{name,vendor,product,uevent} r, @{sys}/devices/**/{name,vendor,product,uevent} r,
@{sys}/devices/pci[0-9]*/**/drm/ r,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r,
@{sys}/devices/pci[0-9]*/**/revision r, @{sys}/devices/pci[0-9]*/**/revision r,
@{sys}/devices/platform/**/uevent r, @{sys}/devices/platform/**/uevent r,
@{sys}/devices/virtual/**/uevent r, @{sys}/devices/virtual/**/uevent r,

10
apparmor.d/groups/gnome/gnome-control-center-print-renderer
View file

@ -9,18 +9,19 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/gnome-control-center-print-renderer @{exec_path} = /{usr/,}lib/gnome-control-center-print-renderer
profile gnome-control-center-print-renderer @{exec_path} { profile gnome-control-center-print-renderer @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/opencl-nvidia> include <abstractions/opencl-nvidia>
include <abstractions/vulkan>
@{exec_path} mr, @{exec_path} mr,
/usr/share/egl/{,**} r, /usr/share/egl/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/glvnd/egl_vendor.d/{,*.json} r,
/usr/share/icons/{,**} r, /usr/share/icons/{,**} r,
/usr/share/mime/mime.cache r, /usr/share/mime/mime.cache r,
/usr/share/pixmaps/{,**} r, /usr/share/pixmaps/{,**} r,
@ -31,15 +32,10 @@ profile gnome-control-center-print-renderer @{exec_path} {
owner @{user_share_dirs}/icons/{,**} r, owner @{user_share_dirs}/icons/{,**} r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
@{sys}/devices/pci[0-9]*/**/drm/ r,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r,
@{sys}/devices/pci[0-9]*/**/revision r, @{sys}/devices/pci[0-9]*/**/revision r,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,

5
apparmor.d/groups/gnome/gnome-disks
View file

@ -9,20 +9,19 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/gnome-disks @{exec_path} = /{usr/,}bin/gnome-disks
profile gnome-disks @{exec_path} { profile gnome-disks @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf>
include <abstractions/gnome> include <abstractions/gnome>
include <abstractions/gtk>
@{exec_path} mr, @{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/X11/xkb/{,**} r, /usr/share/X11/xkb/{,**} r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,
@{PROC}/1/cgroup r,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
@{PROC}/1/cgroup r,
include if exists <local/gnome-disks> include if exists <local/gnome-disks>
} }

2
apparmor.d/groups/gnome/gnome-keyring-daemon
View file

@ -31,7 +31,7 @@ profile gnome-keyring-daemon @{exec_path} {
owner @{run}/user/@{uid}/keyring/* rw, owner @{run}/user/@{uid}/keyring/* rw,
owner @{run}/user/@{uid}/ssh-askpass.[0-9A-Z]*/{,*} rw, owner @{run}/user/@{uid}/ssh-askpass.[0-9A-Z]*/{,*} rw,
@{PROC}/[0-9]*/fd/ r, owner @{PROC}/@{pid}/fd/ r,
include if exists <local/gnome-keyring-daemon> include if exists <local/gnome-keyring-daemon>
} }

11
apparmor.d/groups/gnome/gnome-music
View file

@ -10,13 +10,16 @@ include <tunables/global>
profile gnome-music @{exec_path} { profile gnome-music @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio> include <abstractions/audio>
include <abstractions/dconf>
include <abstractions/gnome> include <abstractions/gnome>
include <abstractions/gstreamer> include <abstractions/gstreamer>
include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/p11-kit> include <abstractions/p11-kit>
include <abstractions/python> include <abstractions/python>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/vulkan>
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
@ -44,14 +47,12 @@ profile gnome-music @{exec_path} {
owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk, owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
owner @{user_share_dirs}/gvfs-metadata/root{,-*.log} r, owner @{user_share_dirs}/gvfs-metadata/root{,-*.log} r,
owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,
owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw, owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw,
@{run}/systemd/inhibit/[0-9]*.ref rw,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,
@{run}/systemd/inhibit/[0-9]*.ref rw,
owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,

9
apparmor.d/groups/gnome/gnome-session-binary
View file

@ -13,6 +13,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
network inet stream, network inet stream,
@ -73,7 +74,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
/var/lib/flatpak/exports/share/applications/{,**} r, /var/lib/flatpak/exports/share/applications/{,**} r,
owner @{user_cache_dirs}/mesa_shader_cache/index rw,
owner @{user_config_dirs}/autostart/{,*.desktop} r, owner @{user_config_dirs}/autostart/{,*.desktop} r,
owner @{user_config_dirs}/gnome-session/ rw, owner @{user_config_dirs}/gnome-session/ rw,
owner @{user_config_dirs}/gnome-session/saved-session/ rw, owner @{user_config_dirs}/gnome-session/saved-session/ rw,
@ -86,9 +86,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,
/tmp/.ICE-unix/[0-9]* rw,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
@ -98,6 +95,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/sessions/[0-9]*.ref rw, @{run}/systemd/sessions/[0-9]*.ref rw,
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,
/tmp/.ICE-unix/[0-9]* rw,
@{sys}/devices/**/{vendor,device} r, @{sys}/devices/**/{vendor,device} r,
@{sys}/devices/pci[0-9]*/**/revision r, @{sys}/devices/pci[0-9]*/**/revision r,
@ -106,9 +105,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cgroup r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
/dev/null r,
/dev/tty rw, /dev/tty rw,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,

5
apparmor.d/groups/gnome/gnome-shell
View file

@ -22,6 +22,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
include <abstractions/p11-kit> include <abstractions/p11-kit>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/thumbnails-cache-read> include <abstractions/thumbnails-cache-read>
include <abstractions/vulkan>
capability sys_nice, capability sys_nice,
capability sys_ptrace, capability sys_ptrace,
@ -51,7 +52,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/usr/share/gdm/greeter/applications/{,**} r, /usr/share/gdm/greeter/applications/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/glvnd/egl_vendor.d/{,*.json} r,
/usr/share/gnome-shell/{,**} r, /usr/share/gnome-shell/{,**} r,
/usr/share/libgweather/Locations.xml r, /usr/share/libgweather/Locations.xml r,
/usr/share/libinput/ r, /usr/share/libinput/ r,
@ -158,9 +158,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/pci[0-9]*/**/boot_vga r, @{sys}/devices/pci[0-9]*/**/boot_vga r,
@{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r, @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
@{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r, @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
@{sys}/devices/pci[0-9]*/**/drm/ r,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r,
@{sys}/devices/pci[0-9]*/**/revision r, @{sys}/devices/pci[0-9]*/**/revision r,
owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/comm r,

8
apparmor.d/groups/gnome/nautilus
View file

@ -44,10 +44,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pids}/net/wireless r,
@{run}/mount/utab r, @{run}/mount/utab r,
@{run}/systemd/userdb/ r, @{run}/systemd/userdb/ r,
@ -56,6 +52,10 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r, @{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r,
@{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r, @{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pids}/net/wireless r,
/dev/tty rw, /dev/tty rw,
/dev/dri/card[0-9]* rw, /dev/dri/card[0-9]* rw,

4
apparmor.d/groups/gnome/seahorse
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/seahorse @{exec_path} = /{usr/,}bin/seahorse
profile seahorse @{exec_path} { profile seahorse @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf>
include <abstractions/gnome> include <abstractions/gnome>
include <abstractions/p11-kit> include <abstractions/p11-kit>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
@ -24,11 +25,10 @@ profile seahorse @{exec_path} {
# Seahorse and SSH keys # Seahorse and SSH keys
owner @{HOME}/@{XDG_SSH_DIR}/{,**} r, owner @{HOME}/@{XDG_SSH_DIR}/{,**} r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,
@{PROC}/[0-9]*/fd/ r, owner @{PROC}/@{pid}/fd/ r,
include if exists <local/seahorse> include if exists <local/seahorse>
} }

16
apparmor.d/groups/gpg/gpg-agent
View file

@ -26,53 +26,53 @@ profile gpg-agent @{exec_path} {
owner @{HOME}/@{XDG_GPG_DIR}/gpg-agent.conf r, owner @{HOME}/@{XDG_GPG_DIR}/gpg-agent.conf r,
owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw, owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw, owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw,
owner @{HOME}/@{XDG_GPG_DIR}/S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{HOME}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r, owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r,
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/ rw, owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/ rw,
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r, owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r,
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw, owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw, owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw,
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/sshcontrol r, owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/sshcontrol r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/ rw, owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/ rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/gpg-agent.conf r, owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/gpg-agent.conf r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/ rw, owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/ rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw, owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/sshcontrol r, owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/sshcontrol r,
owner @{run}/user/@{uid}/gnupg/ rw, owner @{run}/user/@{uid}/gnupg/ rw,
owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r, owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r,
owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw, owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw,
owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/[0-9A-F]*.key rw, owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
owner @{run}/user/@{uid}/gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
owner @{run}/user/@{uid}/gnupg/sshcontrol r, owner @{run}/user/@{uid}/gnupg/sshcontrol r,
owner @{user_tmp_dirs}/**/{.,}gnupg/ rw, owner @{user_tmp_dirs}/**/{.,}gnupg/ rw,
owner @{user_tmp_dirs}/**/{.,}gnupg/gpg-agent.conf r, owner @{user_tmp_dirs}/**/{.,}gnupg/gpg-agent.conf r,
owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw, owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,
owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw, owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
owner @{user_tmp_dirs}/**/{.,}gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{user_tmp_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
owner @{user_tmp_dirs}/**/{.,}gnupg/sshcontrol r, owner @{user_tmp_dirs}/**/{.,}gnupg/sshcontrol r,
owner /var/lib/*/.gnupg/ rw, owner /var/lib/*/.gnupg/ rw,
owner /var/lib/*/.gnupg/private-keys-v1.d/ rw, owner /var/lib/*/.gnupg/private-keys-v1.d/ rw,
owner /var/lib/*/.gnupg/private-keys-v1.d/[0-9A-F]*.key rw, owner /var/lib/*/.gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
owner /var/lib/*/.gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw, owner /var/lib/*/.gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
owner /var/lib/*/.gnupg/sshcontrol r, owner /var/lib/*/.gnupg/sshcontrol r,
owner /var/lib/*/gnupg/ rw, owner /var/lib/*/gnupg/ rw,
owner /var/lib/*/gnupg/private-keys-v1.d/ rw, owner /var/lib/*/gnupg/private-keys-v1.d/ rw,
owner /var/lib/*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw, owner /var/lib/*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
owner /var/lib/*/gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw, owner /var/lib/*/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
owner /var/lib/*/gnupg/sshcontrol r, owner /var/lib/*/gnupg/sshcontrol r,
owner /tmp/tmp.*/gnupg/ rw, owner /tmp/tmp.*/gnupg/ rw,
owner /tmp/tmp.*/gnupg/private-keys-v1.d/ rw, owner /tmp/tmp.*/gnupg/private-keys-v1.d/ rw,
owner /tmp/tmp.*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw, owner /tmp/tmp.*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
owner /tmp/tmp.*/gnupg/S.gpg-agent rw, owner /tmp/tmp.*/gnupg/{,d.*/}S.gpg-agent rw,
owner /tmp/tmp.*/gnupg/sshcontrol r, owner /tmp/tmp.*/gnupg/sshcontrol r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,

22
apparmor.d/groups/gvfs/gvfsd-trash
View file

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov # Copyright (C) 2021-2022 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -11,8 +11,8 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd-trash @{exec_path} += @{libexec}/gvfsd-trash
profile gvfsd-trash @{exec_path} { profile gvfsd-trash @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/trash> include <abstractions/trash>
# When mounting a SMB share # When mounting a SMB share
@ -21,17 +21,17 @@ profile gvfsd-trash @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
@{run}/mount/utab r,
owner @{run}/user/@{uid}/gvfsd/ rw,
owner @{run}/user/@{uid}/gvfsd/socket-* rw,
# Can restore all user files # Can restore all user files
owner @{HOME}/{,**} rw, owner @{HOME}/{,**} rw,
owner @{MOUNTS}/*/{,**} rw, owner @{MOUNTS}/*/{,**} rw,
owner @{run}/user/@{uid}/gvfsd/ rw,
owner @{run}/user/@{uid}/gvfsd/socket-* rw,
@{run}/mount/utab r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/gvfsd-trash> include if exists <local/gvfsd-trash>
} }

6
apparmor.d/groups/pacman/pacman
View file

@ -37,6 +37,8 @@ profile pacman @{exec_path} {
unix (receive) type=stream, unix (receive) type=stream,
ptrace (read),
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/gpg rCx -> gpg, /{usr/,}bin/gpg rCx -> gpg,
@ -117,10 +119,10 @@ profile pacman @{exec_path} {
owner /tmp/checkup-db-[0-9]*/db.lck rw, owner /tmp/checkup-db-[0-9]*/db.lck rw,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/@{pids}/stat r,
@{PROC}/1/environ r, @{PROC}/1/environ r,
@{PROC}/sys/kernel/osrelease r,
@{run}/utmp rk, @{run}/utmp rk,

2
apparmor.d/groups/systemd/systemd-journald
View file

@ -43,7 +43,7 @@ profile systemd-journald @{exec_path} {
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
@{run}/udev/data/c10:224 r, # for /dev/tpm0 @{run}/udev/data/c10:224 r, # for /dev/tpm0
@{run}/udev/data/c243:0 r, @{run}/udev/data/c24[0-9]:[0-9]* r,
@{run}/udev/data/+usb:* r, @{run}/udev/data/+usb:* r,
@{run}/udev/data/+pci:* r, @{run}/udev/data/+pci:* r,
@{run}/udev/data/+hid:* r, @{run}/udev/data/+hid:* r,

10
apparmor.d/groups/systemd/systemd-udevd
View file

@ -49,11 +49,11 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
/{usr/,}{s,}bin/* rPUx, /{usr/,}{s,}bin/* rPUx,
/{usr/,}lib/udev/* rPUx, /{usr/,}lib/udev/* rPUx,
/{usr/,}lib/systemd/systemd-* rPUx, /{usr/,}lib/systemd/systemd-* rPx,
/{usr/,}lib/crda/* rPUx, /{usr/,}lib/crda/* rPUx,
/{usr/,}lib/gdm-runtime-config rPx,
/{usr,/}lib/pm-utils/power.d/* rPUx, /{usr,/}lib/pm-utils/power.d/* PUx,
/usr/share/hplip/config_usb_printer.py rPUx, /usr/share/hplip/config_usb_printer.py rPUx,

1
apparmor.d/profiles-a-f/atd
View file

@ -14,6 +14,7 @@ profile atd @{exec_path} {
capability audit_write, capability audit_write,
capability chown, capability chown,
capability dac_override,
capability dac_read_search, capability dac_read_search,
capability setgid, capability setgid,
capability setuid, capability setuid,

12
apparmor.d/profiles-a-f/etckeeper
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/etckeeper @{exec_path} = /{usr/,}bin/etckeeper
profile etckeeper @{exec_path} { profile etckeeper @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability dac_read_search, capability dac_read_search,
@ -20,20 +21,23 @@ profile etckeeper @{exec_path} {
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/chmod rix, /{usr/,}bin/chmod rix,
/{usr/,}bin/cut rix, /{usr/,}bin/cut rix,
/{usr/,}bin/dpkg-query rpx,
/{usr/,}bin/find rix, /{usr/,}bin/find rix,
/{usr/,}bin/getent rix, /{usr/,}bin/getent rix,
/{usr/,}bin/git* rix, /{usr/,}bin/git* rix,
/{usr/,}lib/git-core/git* rix,
/{usr/,}bin/gpg rCx -> gpg, /{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/hostname rix, /{usr/,}bin/hostname rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mktemp rix, /{usr/,}bin/mktemp rix,
/{usr/,}bin/perl rix, /{usr/,}bin/perl rix,
/{usr/,}bin/ps rPx,
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/sed rix, /{usr/,}bin/sed rix,
/{usr/,}bin/sort rix, /{usr/,}bin/sort rix,
/{usr/,}bin/tty rix, /{usr/,}bin/tty rix,
/{usr/,}bin/uniq rix, /{usr/,}bin/uniq rix,
/{usr/,}bin/whoami rix, /{usr/,}bin/whoami rix,
/{usr/,}lib/git-core/git* rix,
/etc/.git/hooks/* rix, /etc/.git/hooks/* rix,
/etc/etckeeper/*.d/* rix, /etc/etckeeper/*.d/* rix,
@ -42,6 +46,8 @@ profile etckeeper @{exec_path} {
/etc/ rw, /etc/ rw,
/etc/** rwkl -> /etc/**, /etc/** rwkl -> /etc/**,
/var/cache/etckeeper/{,**} rw,
owner @{HOME}/.gitconfig* r, owner @{HOME}/.gitconfig* r,
owner @{HOME}/.netrc r, owner @{HOME}/.netrc r,
owner @{user_config_dirs}/git/{,*} rw, owner @{user_config_dirs}/git/{,*} rw,
@ -61,11 +67,7 @@ profile etckeeper @{exec_path} {
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{user_config_dirs}/dotfiles/@{XDG_GPG_DIR}/** rwkl, # to remove, to depracate
# owner /tmp/.git_vtag_tmp* r,
# deny @{user_share_dirs}/gvfs-metadata/* r,
} }
include if exists <local/etckeeper> include if exists <local/etckeeper>

2
apparmor.d/profiles-m-r/mandb
View file

@ -30,7 +30,7 @@ profile mandb @{exec_path} flags=(complain) {
/usr/{,/share}/man/{,**} r, /usr/{,/share}/man/{,**} r,
/usr/local/{,/share/}/man/{,**} r, /usr/local/{,/share/}/man/{,**} r,
/usr/share/*/man/man[0-9]*/*.[0-9]*.gz r, /usr/share/**/man/man[0-9]*/*.[0-9]*.gz r,
include if exists <local/mandb> include if exists <local/mandb>
} }

12
apparmor.d/profiles-m-r/mount
View file

@ -14,17 +14,11 @@ profile mount @{exec_path} flags=(complain) {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability chown, capability chown,
capability dac_read_search,
# To be able to mount anything
# mount("/dev/sdb1", "/mnt", "ext4", 0, NULL) = -1 EPERM (Operation not permitted)
# write(2, "/mnt: permission denied.", 24) = 24
capability sys_admin,
# For NTFS mounts
capability setgid, capability setgid,
capability setuid, capability setuid,
capability sys_admin,
capability dac_read_search, capability sys_rawio,
mount, mount,

1
apparmor.d/profiles-s-z/sudo
View file

@ -47,6 +47,7 @@ profile sudo @{exec_path} {
@{PATH}/[a-z0-9]* rPUx, @{PATH}/[a-z0-9]* rPUx,
/{usr/,}lib/cockpit/cockpit-askpass rPUx, /{usr/,}lib/cockpit/cockpit-askpass rPUx,
/{usr/,}lib/molly-guard/molly-guard rPx,
/etc/environment r, /etc/environment r,
/etc/machine-id r, /etc/machine-id r,