mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-14 23:43:56 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat(profile): general update.

Browse Source
This commit is contained in:
Alexandre Pujol 2024-08-28 18:52:55 +01:00
parent c13aa711da
commit ec7715aaf3
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
16 changed files with 44 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
apparmor.d/groups/gnome/gnome-music
View File

@ -48,6 +48,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/inhibit/[0-9]*.ref rw,
owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw,
owner /var/tmp/etilqs_@{hex15} rw,
owner /var/tmp/etilqs_@{hex16} rw,
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,

3
apparmor.d/groups/gnome/gnome-session
View File

@ -17,8 +17,8 @@ profile gnome-session @{exec_path} {
@{shells_path} rix,
@{bin}/cat rix,
@{bin}/gettext.sh r,
@{bin}/gettext rix,
@{bin}/gettext.sh r,
@{bin}/grep rix,
@{bin}/head rix,
@{bin}/id rix,
@ -28,6 +28,7 @@ profile gnome-session @{exec_path} {
@{bin}/readlink rix,
@{bin}/realpath rix,
@{bin}/sed rix,
@{bin}/tput rix,
@{bin}/tr rix,
@{bin}/tty rix,
@{bin}/uname rPx,

3
apparmor.d/groups/gnome/gnome-software
View File

@ -109,9 +109,12 @@ profile gnome-software @{exec_path} {
owner /dev/shm/flatpak-com.*/.flatpak-tmpdir rw,
@{run}/systemd/inhibit/*.ref rw,
@{run}/systemd/sessions/@{int} r,
@{run}/systemd/users/@{uid} r,
@{sys}/module/nvidia/version r,
@{PROC}/@{pid}/cgroup r,
@{PROC}/@{pids}/mounts r,
@{PROC}/sys/fs/pipe-max-size r,
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,

3
apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
View File

@ -39,9 +39,11 @@ profile org.gnome.NautilusPreviewer @{exec_path} {
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{sys}/devices/system/node/node@{int}/cpumap r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
@{PROC}/devices r,
@{PROC}/@{pid}/cgroup r,
@{PROC}/zoneinfo r,
owner @{PROC}/@{pid}/cmdline r,
@ -51,6 +53,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} {
owner @{PROC}/@{pid}/task/@{tid}/stat r,
/dev/media@{int} r,
/dev/nvidia-uvm rw,
include if exists <local/org.gnome.NautilusPreviewer>
}

2
apparmor.d/groups/gnome/tracker-miner
View File

@ -87,8 +87,10 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pid}/cmdline r,
@{PROC}/sys/fs/fanotify/max_user_marks r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/sys/vm/mmap_min_addr r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/dev/media@{int} rw,
/dev/video@{int} rw,

7
apparmor.d/groups/kde/kreadconfig
View File

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/kreadconfig5
profile kreadconfig @{exec_path} {
include <abstractions/base>
include <abstractions/kde-strict>
capability dac_read_search,
@ -16,14 +17,8 @@ profile kreadconfig @{exec_path} {
@{exec_path} mr,
/usr/share/icu/@{int}.@{int}/*.dat r,
/etc/xdg/kdeglobals r,
/etc/xdg/kioslaverc r,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdeglobals r,
include if exists <local/kreadconfig>
}

16
apparmor.d/groups/virt/cockpit-bridge
View File

@ -35,9 +35,18 @@ profile cockpit-bridge @{exec_path} {
@{exec_path} mr,
@{bin}/journalctl rPx,
@{lib}/cockpit/cockpit-pcp rPx,
@{lib}/cockpit/cockpit-ssh rPx,
@{bin}/cat ix,
@{bin}/date ix,
@{bin}/findmnt Px,
@{bin}/journalctl Px,
@{bin}/python3.@{int} ix,
@{bin}/ssh-agent Px,
@{bin}/sudo Px, # TODO: rCx -> privilieged ? or rix?
@{lib}/cockpit/cockpit-pcp Px,
@{lib}/cockpit/cockpit-ssh Px,
# The shell is not confined on purpose.
@{bin}/@{shells} Ux,
/usr/share/cockpit/{,**} r,
/usr/{,local/}share/ r,
@ -64,6 +73,7 @@ profile cockpit-bridge @{exec_path} {
@{sys}/fs/cgroup/**/ r,
@{sys}/fs/cgroup/**/cpu.{stat,weight} r,
@{sys}/fs/cgroup/**/memory* r,
@{sys}/kernel/kexec_crash_size r,
@{PROC}/ r,
@{PROC}/@{pids}/cgroup r,

3
apparmor.d/profiles-a-f/element-desktop
View File

@ -31,7 +31,8 @@ profile element-desktop @{exec_path} {
@{exec_path} mr,
@{sh_path} r,
@{open_path} rPx -> child-open-strict,
@{open_path} rPx -> child-open-strict,
@{bin}/xdg-settings rPx,
/usr/share/webapps/element/{,**} r,

2
apparmor.d/profiles-g-l/keepassxc
View File

@ -43,6 +43,8 @@ profile keepassxc @{exec_path} {
/etc/fstab r,
@{bin}/ r,
owner @{HOME}/ r,
owner @{HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rw,
owner @{HOME}/@{XDG_SSH_DIR}/ r,

27
apparmor.d/profiles-m-r/pinentry-kwallet
View File

@ -11,42 +11,31 @@ include <tunables/global>
profile pinentry-kwallet @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/freedesktop.org>
include <abstractions/kde-strict>
signal (send) set=(term, kill) peer=gpg-agent,
@{exec_path} mr,
@{bin}/pinentry-* rPx,
@{bin}/kwalletcli_getpin rix,
@{bin}/kwalletcli rCx -> kwalletcli,
# when wrong PIN is provided
@{bin}/date rix,
@{bin}/mksh rix,
@{bin}/env rix,
owner @{HOME}/.Xauthority r,
/usr/share/hwdata/pnp.ids r,
@{bin}/kwalletcli rCx -> kwalletcli,
@{bin}/kwalletcli_getpin rix,
@{bin}/mksh rix,
@{bin}/pinentry-* rPx,
profile kwalletcli {
include <abstractions/base>
include <abstractions/kde-strict>
@{bin}/kwalletcli mr,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwalletrc r,
@{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr,
@{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
owner @{HOME}/.Xauthority r,
/usr/share/hwdata/pnp.ids r,
owner @{user_config_dirs}/kwalletrc r,
include if exists <local/pinentry-kwallet_kwalletcli>
}
include if exists <local/pinentry-kwallet>

2
apparmor.d/profiles-m-r/qt5ct
View File

@ -28,8 +28,6 @@ profile qt5ct @{exec_path} {
owner @{user_config_dirs}/fontconfig/** rw,
owner @{user_config_dirs}/fontconfig/fonts.conf.back rwl -> @{user_config_dirs}/fontconfig/#@{int},
owner @{user_config_dirs}/kdeglobals r,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/icon-cache.kcache rw,

3
apparmor.d/profiles-s-z/YACReaderLibrary
View File

@ -34,9 +34,8 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted
/etc/machine-id r,
owner @{user_books_dirs}/{,**} r,
owner @{user_books_dirs}/{,**} rw,
owner @{user_books_dirs}/**/.yacreaderlibrary/{,**} rwk,
owner @{user_books_dirs}/**/None rw,
owner @{user_cache_dirs}/YACReader/ rw,
owner @{user_cache_dirs}/YACReader/YACReaderLibrary/ rw,

3
apparmor.d/profiles-s-z/steam-launch
View File

@ -23,6 +23,7 @@ profile steam-launch @{exec_path} {
@{exec_path} mr,
@{sh_path} rix,
@{bin}/cmp rix,
@{bin}/cp rix,
@{bin}/dirname rix,
@{bin}/env rix,
@ -33,6 +34,8 @@ profile steam-launch @{exec_path} {
@{lib}/steam/bin_steam.sh rix,
@{share_dirs}/steam.sh rPx,
@{runtime_dirs}/@{arch}/steam-runtime-steam-remote rPUx,
/usr/ r,
/usr/local/ r,

2
apparmor.d/profiles-s-z/thunderbird-vaapitest
View File

@ -12,7 +12,7 @@ include <tunables/global>
@{cache_dirs} = @{user_cache_dirs}/@{name}/
@{exec_path} = @{lib_dirs}/vaapitest
profile thunderbird-vaapitest @{exec_path} {
profile thunderbird-vaapitest @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/graphics>

1
apparmor.d/profiles-s-z/waybar
View File

@ -1,4 +1,5 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 odomingao
# SPDX-License-Identifier: GPL-2.0-only

2
apparmor.d/profiles-s-z/whereis
View File

@ -30,7 +30,7 @@ profile whereis @{exec_path} {
/opt/cni/bin/ r,
/opt/containerd/bin/ r,
/etc/ r,
@{etc_ro}/ r,
/snap/bin/ r,
/var/lib/flatpak/exports/bin/ r,