mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 08:58:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profiles): general update.

Browse source
This commit is contained in:
Alexandre Pujol 2023-03-31 16:52:35 +01:00
parent 1131fdf412
commit e927145edb
Failed to generate hash of commit
10 changed files with 31 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
apparmor.d/abstractions/deny-sensitive-home
View file

@ -13,6 +13,7 @@
deny @{HOME}/.*_history rwlk, deny @{HOME}/.*_history rwlk,
deny @{HOME}/.*age*{,/{,**}} rwlk, deny @{HOME}/.*age*{,/{,**}} rwlk,
deny @{HOME}/.*aws*{,/{,**}} rwkl,
deny @{HOME}/.*cert*{,/{,**}} rwlk, deny @{HOME}/.*cert*{,/{,**}} rwlk,
deny @{HOME}/.*key*{,/{,**}} rwlk, deny @{HOME}/.*key*{,/{,**}} rwlk,
deny @{HOME}/.*pass*{,/{,**}} rwlk, deny @{HOME}/.*pass*{,/{,**}} rwlk,

3
apparmor.d/groups/freedesktop/xdg-user-dirs-update
View file

@ -15,6 +15,7 @@ profile xdg-user-dirs-update @{exec_path} {
/etc/xdg/user-dirs.conf r, /etc/xdg/user-dirs.conf r,
/etc/xdg/user-dirs.defaults r, /etc/xdg/user-dirs.defaults r,
/var/lib/gdm{3,}/.config/ rw,
/var/lib/gdm{3,}/.config/user-dirs.dirs{,*} rw, /var/lib/gdm{3,}/.config/user-dirs.dirs{,*} rw,
/var/lib/gdm{3,}/.config/user-dirs.locale rw, /var/lib/gdm{3,}/.config/user-dirs.locale rw,
/var/lib/gdm{3,}/@{XDG_DESKTOP_DIR}/ rw, /var/lib/gdm{3,}/@{XDG_DESKTOP_DIR}/ rw,
@ -26,6 +27,7 @@ profile xdg-user-dirs-update @{exec_path} {
/var/lib/gdm{3,}/@{XDG_TEMPLATES_DIR}/ rw, /var/lib/gdm{3,}/@{XDG_TEMPLATES_DIR}/ rw,
/var/lib/gdm{3,}/@{XDG_VIDEOS_DIR}/ rw, /var/lib/gdm{3,}/@{XDG_VIDEOS_DIR}/ rw,
/var/lib/sddm/.config/ rw,
/var/lib/sddm/.config/user-dirs.dirs{,*} rw, /var/lib/sddm/.config/user-dirs.dirs{,*} rw,
/var/lib/sddm/.config/user-dirs.locale rw, /var/lib/sddm/.config/user-dirs.locale rw,
/var/lib/sddm/@{XDG_DESKTOP_DIR}/ rw, /var/lib/sddm/@{XDG_DESKTOP_DIR}/ rw,
@ -48,6 +50,7 @@ profile xdg-user-dirs-update @{exec_path} {
owner @{HOME}/@{XDG_VIDEOS_DIR}/ w, owner @{HOME}/@{XDG_VIDEOS_DIR}/ w,
owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.dirs r,
owner @{user_config_dirs}/user-dirs.dirs?????? rw,
include if exists <local/xdg-user-dirs-update> include if exists <local/xdg-user-dirs-update>
} }

1
apparmor.d/groups/gnome/gsd-housekeeping
View file

@ -74,6 +74,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/gdm{3,}/greeter-dconf-defaults r,
owner @{PROC}/@{pids}/cgroup r,
owner @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pids}/mountinfo r,
@{run}/mount/utab r, @{run}/mount/utab r,

3
apparmor.d/groups/systemd/systemd-logind
View file

@ -67,8 +67,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
/etc/systemd/sleep.conf r, /etc/systemd/sleep.conf r,
/etc/systemd/logind.conf.d/{,**} r, /etc/systemd/logind.conf.d/{,**} r,
/swapfile r,
/boot/{,**} r, /boot/{,**} r,
/swap/swapfile r,
/swapfile r,
/var/lib/systemd/linger/ r, /var/lib/systemd/linger/ r,

6
apparmor.d/groups/systemd/systemd-machine-id-setup
View file

@ -13,10 +13,16 @@ profile systemd-machine-id-setup @{exec_path} {
capability dac_override, capability dac_override,
ptrace (read),
@{exec_path} mr, @{exec_path} mr,
/etc/machine-id rw, /etc/machine-id rw,
/etc/ r,
/var/ r,
@{PROC}/1/environ r,
@{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,
include if exists <local/systemd-machine-id-setup> include if exists <local/systemd-machine-id-setup>

4
apparmor.d/profiles-a-f/fwupd
View file

@ -150,11 +150,13 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
/{usr/,}bin/gpg{,2} mr, /{usr/,}bin/gpg{,2} mr,
/{usr/,}bin/gpgconf mr, /{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpgsm mr, /{usr/,}bin/gpgsm mr,
/{usr/,}bin/gpg-agent mr, /{usr/,}bin/gpg-agent mrix,
owner /var/lib/fwupd/gnupg/ rw, owner /var/lib/fwupd/gnupg/ rw,
owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**, owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**,
owner @{PROC}/@{pids}/fd/ r,
} }
include if exists <local/fwupd> include if exists <local/fwupd>

6
apparmor.d/profiles-g-l/groups
View file

@ -10,9 +10,13 @@ include <tunables/global>
profile groups @{exec_path} { profile groups @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict>
@{exec_path} mr, @{exec_path} mr,
/etc/group r,
/etc/nsswitch.conf r,
/dev/tty[0-9]* rw,
include if exists <local/groups> include if exists <local/groups>
} }

8
apparmor.d/profiles-g-l/login
View file

@ -20,6 +20,7 @@ profile login @{exec_path} flags=(attach_disconnected) {
capability dac_read_search, capability dac_read_search,
capability fowner, capability fowner,
capability fsetid, capability fsetid,
capability kill,
capability net_admin, capability net_admin,
capability setgid, capability setgid,
capability setuid, capability setuid,
@ -28,6 +29,8 @@ profile login @{exec_path} flags=(attach_disconnected) {
network netlink raw, network netlink raw,
signal (send) set=(hup,term),
ptrace read, ptrace read,
dbus send bus=system path=/org/freedesktop/login1 dbus send bus=system path=/org/freedesktop/login1
@ -38,13 +41,14 @@ profile login @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/{,z,ba,da}sh rUx, /{usr/,}bin/{,z,ba,da}sh rUx,
/etc/default/locale r,
@{etc_ro}/environment r, @{etc_ro}/environment r,
@{etc_ro}/security/limits.d/{,*} r,
/etc/default/locale r,
/etc/legal r, /etc/legal r,
/etc/machine-id r,
/etc/motd r, /etc/motd r,
/etc/security/group.conf r, /etc/security/group.conf r,
/etc/security/limits.conf r, /etc/security/limits.conf r,
@{etc_ro}/security/limits.d/{,*} r,
/etc/security/pam_env.conf r, /etc/security/pam_env.conf r,
/etc/shells r, /etc/shells r,

2
apparmor.d/profiles-m-r/mission-control
View file

@ -20,6 +20,8 @@ profile mission-control @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/telepathy/mission-control/*.cfg r, owner @{user_share_dirs}/telepathy/mission-control/*.cfg r,
owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal} rwk,
@{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/inhibit/[0-9]*.ref rw,
include if exists <local/mission-control> include if exists <local/mission-control>

2
apparmor.d/profiles-m-r/qemu-ga
View file

@ -14,6 +14,8 @@ profile qemu-ga @{exec_path} {
capability net_admin, capability net_admin,
capability sys_ptrace, capability sys_ptrace,
network netlink raw,
ptrace peer=unconfined, ptrace peer=unconfined,
@{exec_path} mr, @{exec_path} mr,