Profiles update.
This commit is contained in:
parent
fd1dce916d
commit
ea366754d7
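--- a/apparmor.d/abstractions/nvidia.d/complete
+++ b/apparmor.d/abstractions/nvidia.d/complete
@@ -0,0 +1,7 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+owner @{user_cache_dirs}/nvidia/ w,
+owner @{user_cache_dirs}/nvidia/GLCache/ rw,
+owner @{user_cache_dirs}/nvidia/GLCache/** rwk,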
@ -10,12 +10,12 @@
|
|||||||
owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} r,
|
owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} r,
|
||||||
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
||||||
|
|
||||||
owner @{MOUNTS}/*/@{XDG_DOCUMENTS_DIR}/{,**} r,
|
owner @{MOUNTS}/**/@{XDG_DOCUMENTS_DIR}/{,**} r,
|
||||||
owner @{MOUNTS}/*/@{XDG_MUSIC_DIR}/{,**} r,
|
owner @{MOUNTS}/**/@{XDG_MUSIC_DIR}/{,**} r,
|
||||||
owner @{MOUNTS}/*/@{XDG_PICTURES_DIR}/{,**} r,
|
owner @{MOUNTS}/**/@{XDG_PICTURES_DIR}/{,**} r,
|
||||||
owner @{MOUNTS}/*/@{XDG_VIDEOS_DIR}/{,**} r,
|
owner @{MOUNTS}/**/@{XDG_VIDEOS_DIR}/{,**} r,
|
||||||
owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/{,**} r,
|
owner @{MOUNTS}/**/@{XDG_PROJECTS_DIR}/{,**} r,
|
||||||
owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}/{,**} r,
|
owner @{MOUNTS}/**/@{XDG_BOOKS_DIR}/{,**} r,
|
||||||
owner @{MOUNTS}/*/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
owner @{MOUNTS}/**/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
||||||
|
|
||||||
include if exists <abstractions/user-read.d>
|
include if exists <abstractions/user-read.d>
|
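Review bot: Replacing `@{MOUNTS}/*/` with `@{MOUNTS}/**/` on the eight rewritten rules grants read access to any directory whose name matches the XDG directory at any depth below a mount, not only at the mount root; if `@{XDG_DOCUMENTS_DIR}` expands to a plain name such as `Documents`, a path like `<mount>/a/b/Documents/secret` also becomes readable. If the intent is the extra level removable media gets under a per-user sub-directory (`/media/<user>/<label>/`; I cannot see the `@{MOUNTS}` definition from this page), the narrower `owner @{MOUNTS}/{,*/}*/@{XDG_DOCUMENTS_DIR}/{,**} r,` covers that without matching arbitrary depth. A one-line comment above the first rule naming the layout that needs the deeper match would also document the choice for the next reader.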
@ -26,6 +26,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
|
|||||||
include <abstractions/thumbnails-cache-read>
|
include <abstractions/thumbnails-cache-read>
|
||||||
include <abstractions/user-download-strict>
|
include <abstractions/user-download-strict>
|
||||||
include <abstractions/user-read>
|
include <abstractions/user-read>
|
||||||
|
include <abstractions/vulkan>
|
||||||
|
|
||||||
capability sys_ptrace,
|
capability sys_ptrace,
|
||||||
|
|
||||||
@ -128,6 +129,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
|
|||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
@{PROC}/sys/fs/inotify/max_user_watches r,
|
@{PROC}/sys/fs/inotify/max_user_watches r,
|
||||||
owner @{PROC}/@{pids}/clear_refs w,
|
owner @{PROC}/@{pids}/clear_refs w,
|
||||||
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||||
|
|
||||||
@{run}/udev/data/* r,
|
@{run}/udev/data/* r,
|
||||||
|
|
||||||
|
@ -38,7 +38,7 @@ profile bluetoothd @{exec_path} {
|
|||||||
|
|
||||||
@{sys}/devices/virtual/dmi/id/chassis_type r,
|
@{sys}/devices/virtual/dmi/id/chassis_type r,
|
||||||
@{sys}/devices/platform/**/rfkill/**/name r,
|
@{sys}/devices/platform/**/rfkill/**/name r,
|
||||||
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/uevent r,
|
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/bluetooth/**/{uevent,name} r,
|
||||||
|
|
||||||
/var/lib/bluetooth/{,**} rw,
|
/var/lib/bluetooth/{,**} rw,
|
||||||
|
|
||||||
|
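Review bot: `usb[0-9]` in the rewritten sysfs rule matches a single digit, so only bus directories `usb0` to `usb9` are covered and a host with ten or more USB host controllers would be denied on `usb10` and above; `@{sys}/devices/pci[0-9]*/**/usb[0-9]*/**/bluetooth/**/{uevent,name} r,` avoids that. The narrowing of the old rule to the `bluetooth/**` subtree is itself an improvement. The `bluetoothd` profile continues outside the hunk.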
@ -83,6 +83,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
|
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
|
||||||
@{run}/udev/data/c235:[0-9]* r,
|
@{run}/udev/data/c235:[0-9]* r,
|
||||||
@{run}/udev/data/c236:[0-9]* r,
|
@{run}/udev/data/c236:[0-9]* r,
|
||||||
|
@{run}/udev/data/c50[0-9]:[0-9]* r,
|
||||||
@{run}/udev/data/c51[0-9]:[0-9]* r,
|
@{run}/udev/data/c51[0-9]:[0-9]* r,
|
||||||
@{run}/udev/data/n[0-9]* r,
|
@{run}/udev/data/n[0-9]* r,
|
||||||
|
|
||||||
|
@ -14,6 +14,12 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||||||
include <abstractions/gtk>
|
include <abstractions/gtk>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
|
network inet stream,
|
||||||
|
network inet6 stream,
|
||||||
|
network inet dgram,
|
||||||
|
network inet6 dgram,
|
||||||
|
network netlink raw,
|
||||||
|
|
||||||
signal (send) set=(term) peer=gsd-*,
|
signal (send) set=(term) peer=gsd-*,
|
||||||
signal (receive) set=(term, hup) peer=gdm*,
|
signal (receive) set=(term, hup) peer=gdm*,
|
||||||
|
|
||||||
|
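Review bot: The five added `network` rules give the session manager unrestricted IPv4 and IPv6 stream and datagram sockets plus raw netlink, with no comment recording which feature opens them, so a later reader cannot tell whether the `inet`/`inet6` families are really needed or whether only `netlink raw` was. Please add a one-line comment above the block, e.g. `# for <feature that opens the socket — TODO confirm>`, and drop any family that was added speculatively rather than from an observed denial. The profile header and closing brace lie outside the hunk.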
@ -176,6 +176,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
# file_inherit
|
# file_inherit
|
||||||
/dev/tty[0-9]* rw,
|
/dev/tty[0-9]* rw,
|
||||||
|
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
|
||||||
|
|
||||||
include if exists <local/gnome-shell>
|
include if exists <local/gnome-shell>
|
||||||
}
|
}
|
||||||
|
@ -15,6 +15,7 @@ profile gnome-shell-hotplug-sniffer @{exec_path} {
|
|||||||
/usr/share/mime/mime.cache r,
|
/usr/share/mime/mime.cache r,
|
||||||
|
|
||||||
owner @{MOUNTS}/*/ r,
|
owner @{MOUNTS}/*/ r,
|
||||||
|
owner @{MOUNTS}/**/ r,
|
||||||
owner @{MOUNTS}/** r,
|
owner @{MOUNTS}/** r,
|
||||||
|
|
||||||
include if exists <local/gnome-shell-hotplug-sniffer>
|
include if exists <local/gnome-shell-hotplug-sniffer>
|
||||||
|
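Review bot: The added `owner @{MOUNTS}/**/ r,` appears redundant: `**` also matches a trailing slash, so the existing `owner @{MOUNTS}/** r,` two lines below already covers every directory under a mount point, and it in turn subsumes `owner @{MOUNTS}/*/ r,`. If the three lines are meant to document distinct cases, a short comment saying so would help; otherwise keeping only `owner @{MOUNTS}/** r,` states the same policy in one rule. The enclosing profile starts outside the hunk.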
@ -9,6 +9,7 @@ include <tunables/global>
|
|||||||
@{exec_path} = /{usr/,}lib/gnome-terminal-server
|
@{exec_path} = /{usr/,}lib/gnome-terminal-server
|
||||||
profile gnome-terminal-server @{exec_path} {
|
profile gnome-terminal-server @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/consoles>
|
||||||
include <abstractions/dconf>
|
include <abstractions/dconf>
|
||||||
include <abstractions/fonts>
|
include <abstractions/fonts>
|
||||||
include <abstractions/freedesktop.org>
|
include <abstractions/freedesktop.org>
|
||||||
@ -31,10 +32,12 @@ profile gnome-terminal-server @{exec_path} {
|
|||||||
owner @{run}/user/@{uid}/dconf/user rw,
|
owner @{run}/user/@{uid}/dconf/user rw,
|
||||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||||
|
|
||||||
|
owner /tmp/#[0-9]* rw,
|
||||||
|
|
||||||
|
@{PROC}/@{pids}/cmdline r,
|
||||||
@{PROC}/@{pids}/cgroup r,
|
@{PROC}/@{pids}/cgroup r,
|
||||||
|
|
||||||
/dev/ptmx rw,
|
/dev/ptmx rw,
|
||||||
owner /dev/pts/[0-9]* rw,
|
|
||||||
|
|
||||||
include if exists <local/gnome-terminal-server>
|
include if exists <local/gnome-terminal-server>
|
||||||
}
|
}
|
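Review bot: The added `@{PROC}/@{pids}/cmdline r,` is not `owner`-restricted, so the terminal server may read the command line of every process on the host, and process arguments routinely carry secrets such as tokens or passphrases passed on a command line. The surrounding rules (`owner @{run}/user/@{uid}/dconf/user rw,`, `owner /tmp/#[0-9]* rw,`) show the profile otherwise follows the owner convention; if the read is only for the shells it spawns, which run under the same uid, `owner @{PROC}/@{pids}/cmdline r,` should suffice — please confirm against the denial that motivated it. The `cgroup` rule just below has the same unowned shape but predates this change.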
@ -10,6 +10,7 @@ include <tunables/global>
|
|||||||
@{exec_path} = /{usr/,}bin/htop
|
@{exec_path} = /{usr/,}bin/htop
|
||||||
profile htop @{exec_path} {
|
profile htop @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/consoles>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
|
@ -41,7 +41,7 @@ profile pass @{exec_path} {
|
|||||||
/{usr/,}bin/tty rix,
|
/{usr/,}bin/tty rix,
|
||||||
/{usr/,}bin/which rix,
|
/{usr/,}bin/which rix,
|
||||||
|
|
||||||
/{usr/,}bin/git rPx,
|
/{usr/,}bin/git rCx -> git,
|
||||||
/{usr/,}bin/gpg{2,} rUx,
|
/{usr/,}bin/gpg{2,} rUx,
|
||||||
/{usr/,}bin/vim rCx -> editor,
|
/{usr/,}bin/vim rCx -> editor,
|
||||||
/{usr/,}bin/wl-{copy,paste} rPx,
|
/{usr/,}bin/wl-{copy,paste} rPx,
|
||||||
@ -89,6 +89,37 @@ profile pass @{exec_path} {
|
|||||||
deny owner @{HOME}/ r,
|
deny owner @{HOME}/ r,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
profile git {
|
||||||
|
include <abstractions/base>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/openssl>
|
||||||
|
include <abstractions/ssl_certs>
|
||||||
|
|
||||||
|
network inet dgram,
|
||||||
|
network inet6 dgram,
|
||||||
|
network inet stream,
|
||||||
|
network inet6 stream,
|
||||||
|
network netlink raw,
|
||||||
|
|
||||||
|
/{usr/,}bin/git* mrix,
|
||||||
|
/{usr/,}@{libexec}/git-core/git* mrix,
|
||||||
|
|
||||||
|
/{usr/,}bin/gpg{2,} rUx,
|
||||||
|
|
||||||
|
/usr/share/git-core/{,**} r,
|
||||||
|
|
||||||
|
owner @{HOME}/.gitconfig r,
|
||||||
|
owner @{user_config_dirs}/git/{,*} r,
|
||||||
|
|
||||||
|
owner @{HOME}/.password-store/ rw,
|
||||||
|
owner @{HOME}/.password-store/** rwkl -> @{HOME}/.password-store/**,
|
||||||
|
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/ rw,
|
||||||
|
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/**,
|
||||||
|
owner @{user_config_dirs}/password-store/ rw,
|
||||||
|
owner @{user_config_dirs}/password-store/** rwkl -> @{user_config_dirs}/password-store/**,
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
include if exists <usr/pass.d>
|
include if exists <usr/pass.d>
|
||||||
include if exists <local/pass>
|
include if exists <local/pass>
|
||||||
}
|
}
|
||||||
|
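Review bot: The new `git` child profile has no rule for an ssh transport, so a `git push` or `pull` against an ssh remote — git execs `ssh` for that — would be denied rather than confined; if ssh remotes are out of scope for pass, a comment such as `# ssh remotes intentionally not supported` above the `network` rules would record that, otherwise a transition to an ssh profile is needed (I cannot see from this page whether one exists). It also runs gpg unconfined via `/{usr/,}bin/gpg{2,} rUx,`, mirroring the parent profile, and `/{usr/,}bin/git* mrix,` covers every `git-*` helper in `bin` rather than only `git`; a short comment on each saying why the breadth is needed would help. The enclosing `pass` profile starts outside the hunk.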
@ -18,14 +18,16 @@ profile resolvconf @{exec_path} {
|
|||||||
/{usr/,}bin/flock rix,
|
/{usr/,}bin/flock rix,
|
||||||
/{usr/,}bin/mkdir rix,
|
/{usr/,}bin/mkdir rix,
|
||||||
/{usr/,}bin/mv rix,
|
/{usr/,}bin/mv rix,
|
||||||
|
/{usr/,}bin/readlink rix,
|
||||||
/{usr/,}bin/rm rix,
|
/{usr/,}bin/rm rix,
|
||||||
/{usr/,}bin/run-parts rix,
|
/{usr/,}bin/run-parts rix,
|
||||||
/{usr/,}bin/sed rix,
|
/{usr/,}bin/sed rix,
|
||||||
|
/{usr/,}lib/resolvconf/list-records rix,
|
||||||
|
|
||||||
/usr/lib/resolvconf/{,**} r,
|
/usr/lib/resolvconf/{,**} r,
|
||||||
|
|
||||||
/etc/resolv.conf rw,
|
/etc/resolv.conf rw,
|
||||||
/etc/resolvconf/update.d/libc mr,
|
/etc/resolvconf/update.d/libc rix,
|
||||||
|
|
||||||
owner @{run}/resolvconf/{,**} rw,
|
owner @{run}/resolvconf/{,**} rw,
|
||||||
owner @{run}/resolvconf/run-lock wk,
|
owner @{run}/resolvconf/run-lock wk,
|
||||||
|
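Review bot: The added `/{usr/,}lib/resolvconf/list-records rix,` uses the `/{usr/,}lib/` form while `/usr/lib/resolvconf/{,**} r,` two lines below is a bare `/usr/lib/` path; on a system without merged `/usr` the read rule would miss `/lib/resolvconf/`, and the inconsistency is confusing either way. Either write both as `/{usr/,}lib/resolvconf/...` or add a comment saying why the read rule is intentionally `/usr`-only. The `mr` → `rix` change on `/etc/resolvconf/update.d/libc` means a script under `/etc` now executes under this profile, which is consistent with `run-parts rix,` above it; any other script `run-parts` finds in `update.d` stays denied, which looks like the intended allow-list but is worth a comment.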
@ -18,7 +18,7 @@ profile scrcpy @{exec_path} {
|
|||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/{usr/,}bin/adb rix,
|
/{usr/,}bin/adb rPx,
|
||||||
|
|
||||||
/usr/share/scrcpy/{,*} r,
|
/usr/share/scrcpy/{,*} r,
|
||||||
/usr/share/icons/**/scrcpy.png r,
|
/usr/share/icons/**/scrcpy.png r,
|
||||||
|
@ -34,7 +34,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
/{usr/,}{s,}bin/dmidecode rPx,
|
/{usr/,}{s,}bin/dmidecode rPx,
|
||||||
/{usr/,}{s,}bin/dumpe2fs rPx,
|
/{usr/,}{s,}bin/dumpe2fs rPx,
|
||||||
|
/{usr/,}{s,}bin/fsck.fat rPx,
|
||||||
/{usr/,}{s,}bin/lvm rPUx,
|
/{usr/,}{s,}bin/lvm rPUx,
|
||||||
|
/{usr/,}{s,}bin/mke2fs rPx,
|
||||||
|
/{usr/,}{s,}bin/mkfs.btrfs rPx,
|
||||||
|
/{usr/,}{s,}bin/mkfs.fat rPx,
|
||||||
/{usr/,}bin/eject rPx,
|
/{usr/,}bin/eject rPx,
|
||||||
/{usr/,}bin/ntfs-3g rPx,
|
/{usr/,}bin/ntfs-3g rPx,
|
||||||
/{usr/,}bin/systemctl rPx -> child-systemctl,
|
/{usr/,}bin/systemctl rPx -> child-systemctl,
|
||||||
|
@ -46,8 +46,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||||||
owner @{run}/user/@{uid}/dconf/user rw,
|
owner @{run}/user/@{uid}/dconf/user rw,
|
||||||
|
|
||||||
owner @{PROC}/@{pids}/cgroup r,
|
owner @{PROC}/@{pids}/cgroup r,
|
||||||
@{PROC}/sys/kernel/osrelease r,
|
@{PROC}/1/cgroup r,
|
||||||
@{PROC}/cmdline r,
|
@{PROC}/cmdline r,
|
||||||
|
@{PROC}/sys/kernel/osrelease r,
|
||||||
|
|
||||||
include if exists <local/xdg-desktop-portal>
|
include if exists <local/xdg-desktop-portal>
|
||||||
}
|
}
|
@ -65,11 +65,13 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
|
|||||||
owner @{user_share_dirs}/xorg/Xorg.[0-9].log{,.old} rw,
|
owner @{user_share_dirs}/xorg/Xorg.[0-9].log{,.old} rw,
|
||||||
owner @{user_share_dirs}/xorg/Xorg.pid-@{pid}.log{,.old} rw,
|
owner @{user_share_dirs}/xorg/Xorg.pid-@{pid}.log{,.old} rw,
|
||||||
|
|
||||||
/var/lib/gdm/.local/share/xorg/Xorg.pid-@{pid}.log{,.old} rw,
|
|
||||||
owner /var/log/lightdm/x-*.log* rw,
|
owner /var/log/lightdm/x-*.log* rw,
|
||||||
owner /var/log/Xorg.[0-9].log{,.old} rw,
|
owner /var/log/Xorg.[0-9].log{,.old} rw,
|
||||||
owner /var/log/Xorg.pid-@{pid}.log{,.old} rw,
|
owner /var/log/Xorg.pid-@{pid}.log{,.old} rw,
|
||||||
|
|
||||||
|
/var/lib/gdm/.local/share/xorg/Xorg.[0-9].log{,.old} rw,
|
||||||
|
/var/lib/gdm/.local/share/xorg/Xorg.pid-@{pid}.log{,.old} rw,
|
||||||
|
|
||||||
@{run}/nvidia-xdriver-* rw,
|
@{run}/nvidia-xdriver-* rw,
|
||||||
@{run}/sddm/{,**} rw,
|
@{run}/sddm/{,**} rw,
|
||||||
@{run}/lightdm/{,**} rw,
|
@{run}/lightdm/{,**} rw,
|
||||||
|
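Review bot: The two added `/var/lib/gdm/.local/share/xorg/Xorg.*.log{,.old} rw,` rules lack the `owner` qualifier that every other log rule in this hunk carries (`owner /var/log/Xorg.[0-9].log{,.old} rw,` and the `lightdm` and `pid-@{pid}` lines), so the server could write a log file under the gdm home that is owned by a different uid. If Xorg is started as the gdm user here, which the path suggests, `owner /var/lib/gdm/.local/share/xorg/Xorg.[0-9].log{,.old} rw,` and the matching `pid-@{pid}` line keep the rule consistent; if it runs as root, a comment recording why `owner` is omitted would help. The `xorg` profile continues past the hunk.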