mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-29 22:35:15 +01:00
feat(profiles): dbus abstactions and related rules.
This commit is contained in:
Alexandre Pujol
parent
63e5980d8d
commit
e949654614
62 changed files with 101 additions and 66 deletions
|
|
@ -11,6 +11,7 @@ include <tunables/global>
|
|||
profile apt @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/apt-common>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/ssl_certs>
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown
|
||||
profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/python>
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,8 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}bin/ibus-daemon
|
||||
profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/ibus>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
signal (receive) set=(usr1) peer=gnome-shell,
|
||||
|
|
@ -25,7 +27,6 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
owner @{user_config_dirs}/ibus/{,**} rw,
|
||||
owner @{user_cache_dirs}/ibus/{,**} rw,
|
||||
/var/lib/gdm{3,}/.config/ibus/{,**} rw,
|
||||
/var/lib/gdm{3,}/.cache/ibus/{,**} rw,
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/ibus-engine-simple
|
||||
profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/ibus>
|
||||
|
||||
signal (receive) set=term peer=ibus-daemon,
|
||||
|
||||
|
|
@ -18,8 +19,6 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
|
||||
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
|
||||
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
|
||||
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r,
|
||||
|
||||
|
|
|
|||
|
|
@ -10,10 +10,12 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/ibus-extension-gtk3
|
||||
profile ibus-extension-gtk3 @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/ibus>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
signal (receive) set=term peer=ibus-daemon,
|
||||
|
|
@ -35,11 +37,10 @@ profile ibus-extension-gtk3 @{exec_path} {
|
|||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
|
||||
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
|
||||
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
|
||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9] rw,
|
||||
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
|
|
|||
|
|
@ -9,14 +9,15 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/ibus-memconf
|
||||
profile ibus-memconf @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/ibus>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/ r,
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
|
||||
|
||||
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
|
||||
|
||||
include if exists <local/ibus-memconf>
|
||||
}
|
||||
|
|
@ -10,6 +10,8 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/ibus-portal
|
||||
profile ibus-portal @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/ibus>
|
||||
|
||||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
|
||||
|
|
@ -25,8 +27,6 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/dbus/machine-id r,
|
||||
/var/lib/gdm/.config/ibus/bus/ r,
|
||||
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
|
||||
owner @{user_config_dirs}/ibus/bus/ r,
|
||||
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
/dev/null rw,
|
||||
|
|
|
|||
|
|
@ -18,16 +18,21 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl>
|
||||
|
||||
unix (connect, receive, send) type=stream peer=(label=ibus-daemon),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
|
||||
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
|
||||
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
|
||||
|
||||
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
|
||||
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
|
||||
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
|
||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||
owner @{run}/user/@{uid}/bus rw,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/at-spi2-registryd
|
||||
profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
signal (receive) set=(term hup) peer=gdm*,
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/colord-sane
|
||||
profile colord-sane @{exec_path} flags=(attach_disconnected,complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/devices-usb>
|
||||
|
||||
network netlink raw,
|
||||
|
|
|
|||
|
|
@ -9,9 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}lib/dconf/dconf-service @{libexec}/dconf-service
|
||||
profile dconf-service @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
|
||||
# Needed?
|
||||
deny capability sys_nice,
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
||||
signal (receive) set=(term kill hup) peer=dbus-daemon,
|
||||
signal (receive) set=(term hup) peer=gdm*,
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ include <tunables/global>
|
|||
profile pipewire @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/polkit-agent-helper-[0-9]
|
||||
profile polkit-agent-helper @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/consoles>
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/xdg-desktop-portal
|
||||
profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/freedesktop.org>
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/xdg-desktop-portal-gnome
|
||||
profile xdg-desktop-portal-gnome @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
|
|
@ -31,6 +32,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
|
|||
owner @{user_share_dirs}/ r,
|
||||
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
||||
|
||||
include if exists <local/xdg-desktop-portal-gnome>
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/xdg-desktop-portal-gtk
|
||||
profile xdg-desktop-portal-gtk @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
|
|
@ -31,7 +32,9 @@ profile xdg-desktop-portal-gtk @{exec_path} {
|
|||
owner @{HOME}/@{XDG_DATA_HOME}/ r,
|
||||
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
|
||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
@{run}/mount/utab r,
|
||||
|
||||
owner @{PROC}/@{uid}/mountinfo r,
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/xdg-permission-store
|
||||
profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
||||
signal (receive) set=(term hup kill) peer=dbus-daemon,
|
||||
signal (receive) set=(term hup kill) peer=gdm*,
|
||||
|
|
|
|||
|
|
@ -9,6 +9,8 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/evolution-addressbook-factory
|
||||
profile evolution-addressbook-factory @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-network-manager-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/evolution-data-server/evolution-alarm-notify
|
||||
profile evolution-alarm-notify @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/gnome>
|
||||
|
|
@ -23,6 +24,7 @@ profile evolution-alarm-notify @{exec_path} {
|
|||
/usr/share/ubuntu/applications/ r,
|
||||
/usr/share/zoneinfo-icu/{,**} r,
|
||||
|
||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,8 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/evolution-calendar-factory
|
||||
profile evolution-calendar-factory @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-network-manager-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/evolution-source-registry
|
||||
profile evolution-source-registry @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/p11-kit>
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ profile gdm-wayland-session @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/zsh>
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}bin/gjs-console
|
||||
profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js
|
||||
profile gnome-extension-ding @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/fonts>
|
||||
|
|
@ -36,7 +37,6 @@ profile gnome-extension-ding @{exec_path} {
|
|||
owner @{user_share_dirs}/gvfs-metadata/home r,
|
||||
owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
|
||||
|
||||
owner @{run}/user/@{uid}/bus rw,
|
||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}bin/gnome-keyring-daemon
|
||||
profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/openssl>
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/gnome-remote-desktop-daemon
|
||||
profile gnome-remote-desktop-daemon @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/vulkan>
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/gnome-session-binary
|
||||
profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/dri-common>
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/gnome-shell-calendar-server
|
||||
profile gnome-shell-calendar-server @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,8 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/goa-daemon
|
||||
profile goa-daemon @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-network-manager-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile goa-identity-service @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/gsd-a11y-settings
|
||||
profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf>
|
||||
|
||||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/gsd-color
|
||||
profile gsd-color @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
|
|
@ -35,9 +36,11 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_share_dirs}/icc/ r,
|
||||
owner @{user_share_dirs}/icc/edid-*.icc rw,
|
||||
|
||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9] rw,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/gsd-datetime
|
||||
profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf>
|
||||
|
||||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/gsd-disk-utility-notify
|
||||
profile gsd-disk-utility-notify @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app-launcher-user>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/thumbnails-cache-read>
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/gsd-keyboard
|
||||
profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
|
|
@ -31,9 +32,11 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw,
|
||||
owner @{user_share_dirs}/gnome-settings-daemon/ rw,
|
||||
|
||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9] rw,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/fonts>
|
||||
|
|
@ -30,9 +31,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/sounds/freedesktop/stereo/*.oga r,
|
||||
/usr/share/X11/xkb/** r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
owner @{user_config_dirs}/pulse/ rw,
|
||||
|
||||
owner @{user_share_dirs}/ r,
|
||||
|
|
@ -43,9 +41,11 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/gdm/.config/pulse/client.conf r,
|
||||
/var/lib/gdm/.config/pulse/cookie rk,
|
||||
|
||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile gsd-power @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/fonts>
|
||||
|
|
@ -28,15 +29,15 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/icons/{,**} r,
|
||||
/usr/share/X11/xkb/** r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
/var/lib/gdm/.cache/event-sound-cache.tdb.* rwk,
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
/var/lib/gdm/.config/pulse/client.conf r,
|
||||
|
||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9] rw,
|
||||
|
||||
@{run}/udev/data/+backlight:* r,
|
||||
@{run}/udev/data/+leds:*backlight* r,
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/gsd-print-notifications
|
||||
profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/gsd-printer
|
||||
profile gsd-printer @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
|
||||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/gsd-rfkill
|
||||
profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
|
||||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/gsd-screensaver-proxy
|
||||
profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
||||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,8 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/gsd-sharing
|
||||
profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-network-manager-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf>
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/gsd-smartcard
|
||||
profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/p11-kit>
|
||||
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile gsd-sound @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf>
|
||||
|
||||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/gsd-wacom
|
||||
profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
include <abstractions/fonts>
|
||||
|
|
@ -28,9 +29,11 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/etc/machine-id r,
|
||||
|
||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9] rw,
|
||||
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/gsd-xsettings
|
||||
profile gsd-xsettings @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/dri-common>
|
||||
|
|
@ -49,13 +50,14 @@ profile gsd-xsettings @{exec_path} {
|
|||
|
||||
owner @{user_cache_dirs}/mesa_shader_cache/index rw,
|
||||
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
|
||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
|
||||
|
||||
owner @{run}/systemd/users/@{uid}/ r,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
@{run}/systemd/sessions/* r,
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile nautilus @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app-launcher-user>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/tracker-miner-fs-{,control-}3
|
||||
profile tracker-miner @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/disks-read>
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/gvfs-afc-volume-monitor
|
||||
profile gvfs-afc-volume-monitor @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/gvfs-goa-volume-monitor
|
||||
profile gvfs-goa-volume-monitor @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/gvfs-gphoto2-volume-monitor
|
||||
profile gvfs-gphoto2-volume-monitor @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/disks-read>
|
||||
include <abstractions/devices-usb>
|
||||
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/gvfs-mtp-volume-monitor
|
||||
profile gvfs-mtp-volume-monitor @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/devices-usb>
|
||||
|
||||
network netlink raw,
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/gvfs-udisks2-volume-monitor
|
||||
profile gvfs-udisks2-volume-monitor @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/devices-usb>
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021 Mikhail Morfikov
|
||||
# 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2021-2022 Mikhail Morfikov
|
||||
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -11,6 +11,7 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/gvfsd-fuse
|
||||
profile gvfsd-fuse @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021 Mikhail Morfikov
|
||||
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -10,6 +11,7 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/gvfsd-metadata
|
||||
profile gvfsd-metadata @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/disks-read>
|
||||
|
||||
network netlink raw,
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/gvfsd-trash
|
||||
profile gvfsd-trash @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/trash>
|
||||
|
|
|
|||
|
|
@ -15,6 +15,7 @@ profile networkd-dispatcher @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/ r,
|
||||
/{usr/,}bin/networkctl rPx,
|
||||
|
||||
@{run}/systemd/notify rw,
|
||||
|
|
|
|||
|
|
@ -19,6 +19,7 @@ include <tunables/global>
|
|||
profile sshd @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/hosts_access>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
@ -98,24 +99,5 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/dev/ptmx rw,
|
||||
|
||||
@{run}/systemd/userdb/io.systemd.DynamicUser w,
|
||||
|
||||
# DBus
|
||||
@{run}/dbus/system_bus_socket rw,
|
||||
|
||||
dbus send
|
||||
bus=system
|
||||
path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=Hello
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus send
|
||||
bus=system
|
||||
path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.Manager
|
||||
member={CreateSession,ReleaseSession}
|
||||
peer=(name=org.freedesktop.login1),
|
||||
|
||||
include if exists <local/sshd>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}bin/fwupdmgr
|
||||
profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile spice-vdagent @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/gtk>
|
||||
|
||||
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
|
||||
|
|
@ -21,6 +22,7 @@ profile spice-vdagent @{exec_path} {
|
|||
|
||||
owner @{user_config_dirs}/user-dirs.dirs r,
|
||||
|
||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
|
||||
@{run}/spice-vdagentd/spice-vdagent-sock rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ profile su @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/wutmp>
|
||||
# include <pam/mappings>
|
||||
|
|
@ -54,28 +55,7 @@ profile su @{exec_path} {
|
|||
@{PROC}/cmdline r,
|
||||
@{sys}/devices/virtual/tty/console/active r,
|
||||
|
||||
# pseudo-terminal
|
||||
capability chown,
|
||||
|
||||
/dev/{,pts/}ptmx rw,
|
||||
|
||||
@{run}/dbus/system_bus_socket rw,
|
||||
|
||||
dbus (send)
|
||||
bus=system
|
||||
path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=Hello
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus (send)
|
||||
bus=system
|
||||
path=/org/freedesktop/login[0-9]
|
||||
interface=org.freedesktop.login[0-9].Manager
|
||||
member={CreateSession,ReleaseSession},
|
||||
|
||||
unix (bind) type=dgram,
|
||||
|
||||
/dev/tty[0-9]* rw,
|
||||
|
||||
include if exists <local/su>
|
||||
|
|
|
|||
Loading…
Reference in a new issue