mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-18 08:58:15 +01:00
feat: update profiles.
This commit is contained in:
Alexandre Pujol
parent
84dc85b82d
commit
e845a172c2
28 changed files with 84 additions and 96 deletions
|
|
@ -96,6 +96,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/etc/firefox/{,**} r,
|
||||
/etc/fstab r,
|
||||
/etc/igfx_user_feature{,_next}.txt w,
|
||||
/etc/libva.conf r,
|
||||
/etc/mailcap r,
|
||||
/etc/mime.types r,
|
||||
|
|
|
|||
|
|
@ -31,6 +31,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
/var/lib/gdm/.cache/dconf/ w,
|
||||
/var/lib/gdm/.cache/dconf/user rw,
|
||||
/var/lib/gdm/.config/dconf/user rw,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}lib/evolution-addressbook-factory
|
||||
profile evolution-addressbook-factory @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/p11-kit>
|
||||
|
|
@ -26,7 +27,6 @@ profile evolution-addressbook-factory @{exec_path} {
|
|||
owner @{user_share_dirs}/evolution/{,**} rwk,
|
||||
owner @{user_cache_dirs}/evolution/addressbook/{,**} rwk,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}lib/evolution-calendar-factory
|
||||
profile evolution-calendar-factory @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/p11-kit>
|
||||
|
|
@ -28,7 +29,6 @@ profile evolution-calendar-factory @{exec_path} {
|
|||
owner @{user_cache_dirs}/evolution/calendar/{,**} rwk,
|
||||
owner @{user_cache_dirs}/evolution/tasks/{,**} rwk,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}lib/evolution-source-registry
|
||||
profile evolution-source-registry @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/p11-kit>
|
||||
|
|
@ -27,7 +28,6 @@ profile evolution-source-registry @{exec_path} {
|
|||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
owner @{user_cache_dirs}/evolution/{,**} rwk,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ profile gdm-wayland-session @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/zsh>
|
||||
|
||||
|
|
@ -22,11 +23,11 @@ profile gdm-wayland-session @{exec_path} {
|
|||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/zsh rix,
|
||||
/{usr/,}bin/tty rix,
|
||||
/{usr/,}bin/grep rix,
|
||||
/{usr/,}bin/gnome-session rix,
|
||||
/{usr/,}bin/grep rix,
|
||||
/{usr/,}bin/gsettings rix,
|
||||
/{usr/,}bin/tty rix,
|
||||
/{usr/,}bin/zsh rix,
|
||||
|
||||
/{usr/,}bin/dbus-daemon rPx,
|
||||
/{usr/,}bin/dbus-run-session rPx,
|
||||
|
|
@ -42,14 +43,13 @@ profile gdm-wayland-session @{exec_path} {
|
|||
|
||||
@{run}/gdm/custom.conf r,
|
||||
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
@{run}/gdm/custom.conf r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/loginuid r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
# file_inherit
|
||||
/dev/tty[0-9]* rw,
|
||||
|
||||
include if exists <local/gdm-wayland-session>
|
||||
|
|
|
|||
|
|
@ -18,6 +18,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/mesa>
|
||||
include <abstractions/opencl-nvidia>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
network netlink raw,
|
||||
|
||||
|
|
@ -32,7 +33,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/egl/{,**} r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/glvnd/egl_vendor.d/{,*.json} r,
|
||||
/usr/share/gnome-shell/{,**} r,
|
||||
/usr/share/X11/xkb/** r,
|
||||
|
||||
|
|
@ -49,9 +49,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
@{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
||||
|
||||
@{sys}/devices/pci[0-9]*/**/drm/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r,
|
||||
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r,
|
||||
@{sys}/devices/pci[0-9]*/**/revision r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
|
|
|||
|
|
@ -29,5 +29,7 @@ profile gnome-calendar @{exec_path} {
|
|||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
|
||||
|
||||
include if exists <local/gnome-calendar>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -18,13 +18,13 @@ profile gnome-contacts @{exec_path} {
|
|||
include <abstractions/opencl>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
network netlink raw,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/glvnd/egl_vendor.d/{,*.json} r,
|
||||
/usr/share/applications/{,*.desktop} r,
|
||||
|
||||
owner @{user_cache_dirs}/evolution/addressbook/{,**} r,
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/gnome>
|
||||
|
|
@ -20,6 +21,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/openssl>
|
||||
include <abstractions/p11-kit>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
|
|
@ -36,13 +38,13 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
/{usr/,}bin/locale rix,
|
||||
/{usr/,}bin/openvpn rPx,
|
||||
/{usr/,}bin/passwd rPx,
|
||||
/{usr/,}lib/gnome-control-center-goa-helper rPx,
|
||||
/{usr/,}lib/gnome-control-center-print-renderer rPx,
|
||||
/{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
|
||||
|
||||
/usr/share/backgrounds/gnome/* r,
|
||||
/usr/share/egl/{,**} r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/glvnd/egl_vendor.d/{,*.json} r,
|
||||
/usr/share/gnome-background-properties/{,**} r,
|
||||
/usr/share/gnome-bluetooth/{,**} r,
|
||||
/usr/share/gnome-color-manager/{,**} r,
|
||||
|
|
@ -74,10 +76,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw,
|
||||
owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
|
||||
owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
|
|
@ -98,9 +98,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/class/ r,
|
||||
@{sys}/class/input/ r,
|
||||
@{sys}/devices/**/{name,vendor,product,uevent} r,
|
||||
@{sys}/devices/pci[0-9]*/**/drm/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r,
|
||||
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r,
|
||||
@{sys}/devices/pci[0-9]*/**/revision r,
|
||||
@{sys}/devices/platform/**/uevent r,
|
||||
@{sys}/devices/virtual/**/uevent r,
|
||||
|
|
|
|||
|
|
@ -9,18 +9,19 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}lib/gnome-control-center-print-renderer
|
||||
profile gnome-control-center-print-renderer @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/opencl-nvidia>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/egl/{,**} r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/glvnd/egl_vendor.d/{,*.json} r,
|
||||
/usr/share/icons/{,**} r,
|
||||
/usr/share/mime/mime.cache r,
|
||||
/usr/share/pixmaps/{,**} r,
|
||||
|
|
@ -31,15 +32,10 @@ profile gnome-control-center-print-renderer @{exec_path} {
|
|||
|
||||
owner @{user_share_dirs}/icons/{,**} r,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
@{sys}/devices/pci[0-9]*/**/drm/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r,
|
||||
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r,
|
||||
@{sys}/devices/pci[0-9]*/**/revision r,
|
||||
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
|
|
|
|||
|
|
@ -9,20 +9,19 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}bin/gnome-disks
|
||||
profile gnome-disks @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/gtk>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
@{PROC}/1/cgroup r,
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
@{PROC}/1/cgroup r,
|
||||
|
||||
include if exists <local/gnome-disks>
|
||||
}
|
||||
|
|
@ -31,7 +31,7 @@ profile gnome-keyring-daemon @{exec_path} {
|
|||
owner @{run}/user/@{uid}/keyring/* rw,
|
||||
owner @{run}/user/@{uid}/ssh-askpass.[0-9A-Z]*/{,*} rw,
|
||||
|
||||
@{PROC}/[0-9]*/fd/ r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
include if exists <local/gnome-keyring-daemon>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -10,13 +10,16 @@ include <tunables/global>
|
|||
profile gnome-music @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/gstreamer>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/p11-kit>
|
||||
include <abstractions/python>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
|
@ -44,14 +47,12 @@ profile gnome-music @{exec_path} {
|
|||
owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
|
||||
owner @{user_share_dirs}/gvfs-metadata/root{,-*.log} r,
|
||||
|
||||
owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,
|
||||
owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw,
|
||||
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
|
||||
owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,
|
||||
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
|
|
|
|||
|
|
@ -13,6 +13,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
network inet stream,
|
||||
|
|
@ -73,7 +74,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/var/lib/flatpak/exports/share/applications/{,**} r,
|
||||
|
||||
owner @{user_cache_dirs}/mesa_shader_cache/index rw,
|
||||
owner @{user_config_dirs}/autostart/{,*.desktop} r,
|
||||
owner @{user_config_dirs}/gnome-session/ rw,
|
||||
owner @{user_config_dirs}/gnome-session/saved-session/ rw,
|
||||
|
|
@ -86,9 +86,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
/tmp/.ICE-unix/[0-9]* rw,
|
||||
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
|
||||
|
|
@ -98,6 +95,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/systemd/sessions/[0-9]*.ref rw,
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
|
||||
/tmp/.ICE-unix/[0-9]* rw,
|
||||
|
||||
@{sys}/devices/**/{vendor,device} r,
|
||||
@{sys}/devices/pci[0-9]*/**/revision r,
|
||||
|
||||
|
|
@ -106,9 +105,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pid}/cgroup r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
|
||||
|
||||
/dev/null r,
|
||||
/dev/tty rw,
|
||||
/dev/tty[0-9]* rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -22,6 +22,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/p11-kit>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/thumbnails-cache-read>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
capability sys_nice,
|
||||
capability sys_ptrace,
|
||||
|
|
@ -51,7 +52,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/gdm/greeter/applications/{,**} r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/glvnd/egl_vendor.d/{,*.json} r,
|
||||
/usr/share/gnome-shell/{,**} r,
|
||||
/usr/share/libgweather/Locations.xml r,
|
||||
/usr/share/libinput/ r,
|
||||
|
|
@ -158,9 +158,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/devices/pci[0-9]*/**/boot_vga r,
|
||||
@{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
|
||||
@{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
|
||||
@{sys}/devices/pci[0-9]*/**/drm/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r,
|
||||
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r,
|
||||
@{sys}/devices/pci[0-9]*/**/revision r,
|
||||
|
||||
owner @{PROC}/@{pid}/comm r,
|
||||
|
|
|
|||
|
|
@ -44,10 +44,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
@{PROC}/@{pids}/net/wireless r,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
@{run}/systemd/userdb/ r,
|
||||
|
||||
|
|
@ -56,6 +52,10 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r,
|
||||
@{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
@{PROC}/@{pids}/net/wireless r,
|
||||
|
||||
/dev/tty rw,
|
||||
/dev/dri/card[0-9]* rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}bin/seahorse
|
||||
profile seahorse @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/p11-kit>
|
||||
include <abstractions/ssl_certs>
|
||||
|
|
@ -24,11 +25,10 @@ profile seahorse @{exec_path} {
|
|||
# Seahorse and SSH keys
|
||||
owner @{HOME}/@{XDG_SSH_DIR}/{,**} r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
@{PROC}/[0-9]*/fd/ r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
include if exists <local/seahorse>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -26,53 +26,53 @@ profile gpg-agent @{exec_path} {
|
|||
owner @{HOME}/@{XDG_GPG_DIR}/gpg-agent.conf r,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r,
|
||||
|
||||
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/ rw,
|
||||
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r,
|
||||
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
|
||||
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/sshcontrol r,
|
||||
|
||||
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/ rw,
|
||||
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/gpg-agent.conf r,
|
||||
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/ rw,
|
||||
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/sshcontrol r,
|
||||
|
||||
owner @{run}/user/@{uid}/gnupg/ rw,
|
||||
owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r,
|
||||
owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw,
|
||||
owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner @{run}/user/@{uid}/gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{run}/user/@{uid}/gnupg/sshcontrol r,
|
||||
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/ rw,
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/gpg-agent.conf r,
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/sshcontrol r,
|
||||
|
||||
owner /var/lib/*/.gnupg/ rw,
|
||||
owner /var/lib/*/.gnupg/private-keys-v1.d/ rw,
|
||||
owner /var/lib/*/.gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner /var/lib/*/.gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner /var/lib/*/.gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner /var/lib/*/.gnupg/sshcontrol r,
|
||||
|
||||
owner /var/lib/*/gnupg/ rw,
|
||||
owner /var/lib/*/gnupg/private-keys-v1.d/ rw,
|
||||
owner /var/lib/*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner /var/lib/*/gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner /var/lib/*/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner /var/lib/*/gnupg/sshcontrol r,
|
||||
|
||||
owner /tmp/tmp.*/gnupg/ rw,
|
||||
owner /tmp/tmp.*/gnupg/private-keys-v1.d/ rw,
|
||||
owner /tmp/tmp.*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner /tmp/tmp.*/gnupg/S.gpg-agent rw,
|
||||
owner /tmp/tmp.*/gnupg/{,d.*/}S.gpg-agent rw,
|
||||
owner /tmp/tmp.*/gnupg/sshcontrol r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021 Mikhail Morfikov
|
||||
# 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2021-2022 Mikhail Morfikov
|
||||
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -11,8 +11,8 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/gvfsd-trash
|
||||
profile gvfsd-trash @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/trash>
|
||||
|
||||
# When mounting a SMB share
|
||||
|
|
@ -21,17 +21,17 @@ profile gvfsd-trash @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
|
||||
owner @{run}/user/@{uid}/gvfsd/ rw,
|
||||
owner @{run}/user/@{uid}/gvfsd/socket-* rw,
|
||||
|
||||
# Can restore all user files
|
||||
owner @{HOME}/{,**} rw,
|
||||
owner @{MOUNTS}/*/{,**} rw,
|
||||
|
||||
owner @{run}/user/@{uid}/gvfsd/ rw,
|
||||
owner @{run}/user/@{uid}/gvfsd/socket-* rw,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
include if exists <local/gvfsd-trash>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -37,6 +37,8 @@ profile pacman @{exec_path} {
|
|||
|
||||
unix (receive) type=stream,
|
||||
|
||||
ptrace (read),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/gpg rCx -> gpg,
|
||||
|
|
@ -117,10 +119,10 @@ profile pacman @{exec_path} {
|
|||
owner /tmp/checkup-db-[0-9]*/db.lck rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/1/environ r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
|
||||
@{run}/utmp rk,
|
||||
|
||||
|
|
|
|||
|
|
@ -43,7 +43,7 @@ profile systemd-journald @{exec_path} {
|
|||
|
||||
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
||||
@{run}/udev/data/c10:224 r, # for /dev/tpm0
|
||||
@{run}/udev/data/c243:0 r,
|
||||
@{run}/udev/data/c24[0-9]:[0-9]* r,
|
||||
@{run}/udev/data/+usb:* r,
|
||||
@{run}/udev/data/+pci:* r,
|
||||
@{run}/udev/data/+hid:* r,
|
||||
|
|
|
|||
|
|
@ -49,11 +49,11 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
|
|||
|
||||
/{usr/,}{s,}bin/* rPUx,
|
||||
|
||||
/{usr/,}lib/udev/* rPUx,
|
||||
/{usr/,}lib/systemd/systemd-* rPUx,
|
||||
/{usr/,}lib/crda/* rPUx,
|
||||
|
||||
/{usr,/}lib/pm-utils/power.d/* rPUx,
|
||||
/{usr/,}lib/udev/* rPUx,
|
||||
/{usr/,}lib/systemd/systemd-* rPx,
|
||||
/{usr/,}lib/crda/* rPUx,
|
||||
/{usr/,}lib/gdm-runtime-config rPx,
|
||||
/{usr,/}lib/pm-utils/power.d/* PUx,
|
||||
|
||||
/usr/share/hplip/config_usb_printer.py rPUx,
|
||||
|
||||
|
|
|
|||
|
|
@ -14,6 +14,7 @@ profile atd @{exec_path} {
|
|||
|
||||
capability audit_write,
|
||||
capability chown,
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}bin/etckeeper
|
||||
profile etckeeper @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability dac_read_search,
|
||||
|
|
@ -20,20 +21,23 @@ profile etckeeper @{exec_path} {
|
|||
/{usr/,}bin/{,e}grep rix,
|
||||
/{usr/,}bin/chmod rix,
|
||||
/{usr/,}bin/cut rix,
|
||||
/{usr/,}bin/dpkg-query rpx,
|
||||
/{usr/,}bin/find rix,
|
||||
/{usr/,}bin/getent rix,
|
||||
/{usr/,}bin/git* rix,
|
||||
/{usr/,}lib/git-core/git* rix,
|
||||
/{usr/,}bin/gpg rCx -> gpg,
|
||||
/{usr/,}bin/hostname rix,
|
||||
/{usr/,}bin/mkdir rix,
|
||||
/{usr/,}bin/mktemp rix,
|
||||
/{usr/,}bin/perl rix,
|
||||
/{usr/,}bin/ps rPx,
|
||||
/{usr/,}bin/rm rix,
|
||||
/{usr/,}bin/sed rix,
|
||||
/{usr/,}bin/sort rix,
|
||||
/{usr/,}bin/tty rix,
|
||||
/{usr/,}bin/uniq rix,
|
||||
/{usr/,}bin/whoami rix,
|
||||
/{usr/,}lib/git-core/git* rix,
|
||||
|
||||
/etc/.git/hooks/* rix,
|
||||
/etc/etckeeper/*.d/* rix,
|
||||
|
|
@ -42,6 +46,8 @@ profile etckeeper @{exec_path} {
|
|||
/etc/ rw,
|
||||
/etc/** rwkl -> /etc/**,
|
||||
|
||||
/var/cache/etckeeper/{,**} rw,
|
||||
|
||||
owner @{HOME}/.gitconfig* r,
|
||||
owner @{HOME}/.netrc r,
|
||||
owner @{user_config_dirs}/git/{,*} rw,
|
||||
|
|
@ -61,11 +67,7 @@ profile etckeeper @{exec_path} {
|
|||
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{user_config_dirs}/dotfiles/@{XDG_GPG_DIR}/** rwkl, # to remove, to depracate
|
||||
|
||||
# owner /tmp/.git_vtag_tmp* r,
|
||||
|
||||
# deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||
}
|
||||
|
||||
include if exists <local/etckeeper>
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@ profile mandb @{exec_path} flags=(complain) {
|
|||
/usr/{,/share}/man/{,**} r,
|
||||
/usr/local/{,/share/}/man/{,**} r,
|
||||
|
||||
/usr/share/*/man/man[0-9]*/*.[0-9]*.gz r,
|
||||
/usr/share/**/man/man[0-9]*/*.[0-9]*.gz r,
|
||||
|
||||
include if exists <local/mandb>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -14,17 +14,11 @@ profile mount @{exec_path} flags=(complain) {
|
|||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability chown,
|
||||
|
||||
# To be able to mount anything
|
||||
# mount("/dev/sdb1", "/mnt", "ext4", 0, NULL) = -1 EPERM (Operation not permitted)
|
||||
# write(2, "/mnt: permission denied.", 24) = 24
|
||||
capability sys_admin,
|
||||
|
||||
# For NTFS mounts
|
||||
capability dac_read_search,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
|
||||
capability dac_read_search,
|
||||
capability sys_admin,
|
||||
capability sys_rawio,
|
||||
|
||||
mount,
|
||||
|
||||
|
|
|
|||
|
|
@ -47,6 +47,7 @@ profile sudo @{exec_path} {
|
|||
|
||||
@{PATH}/[a-z0-9]* rPUx,
|
||||
/{usr/,}lib/cockpit/cockpit-askpass rPUx,
|
||||
/{usr/,}lib/molly-guard/molly-guard rPx,
|
||||
|
||||
/etc/environment r,
|
||||
/etc/machine-id r,
|
||||
|
|
|
|||
Loading…
Reference in a new issue