feat(profiles): general update.
This commit is contained in:
parent
19d005bf59
commit
ee83e1c33c
11 changed files with 39 additions and 13 deletions
@ -158,11 +158,11 @@ profile xdg-desktop-portal-gtk @{exec_path} {
|
||||||
owner @{HOME}/.* r,
|
owner @{HOME}/.* r,
|
||||||
owner @{HOME}/@{XDG_DATA_HOME}/ r,
|
owner @{HOME}/@{XDG_DATA_HOME}/ r,
|
||||||
|
|
||||||
|
@{run}/mount/utab r,
|
||||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
|
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
|
||||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||||
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
||||||
@{run}/mount/utab r,
|
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/mountinfo r,
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
|
|
||||||
|
|
|
@ -222,9 +222,11 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
||||||
owner @{user_config_dirs}/user-dirs.dirs r,
|
owner @{user_config_dirs}/user-dirs.dirs r,
|
||||||
owner @{user_config_dirs}/user-dirs.locale r,
|
owner @{user_config_dirs}/user-dirs.locale r,
|
||||||
owner @{user_share_dirs}/applications/ r,
|
owner @{user_share_dirs}/applications/ r,
|
||||||
|
owner @{user_share_dirs}/applications/defaults.list r,
|
||||||
owner @{user_share_dirs}/applications/mimeinfo.cache r,
|
owner @{user_share_dirs}/applications/mimeinfo.cache r,
|
||||||
owner @{user_share_dirs}/session_migration-ubuntu r,
|
|
||||||
owner @{user_share_dirs}/gnome-shell/gnome-overrides-migrated rw,
|
owner @{user_share_dirs}/gnome-shell/gnome-overrides-migrated rw,
|
||||||
|
owner @{user_share_dirs}/mime/mime.cache r,
|
||||||
|
owner @{user_share_dirs}/session_migration-ubuntu r,
|
||||||
|
|
||||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||||
@{run}/systemd/sessions/* r,
|
@{run}/systemd/sessions/* r,
|
||||||
|
|
|
@ -13,6 +13,8 @@ profile blkid @{exec_path} {
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/disks-read>
|
include <abstractions/disks-read>
|
||||||
|
|
||||||
|
capability sys_rawio,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/etc/blkid.conf r,
|
/etc/blkid.conf r,
|
||||||
|
|
|
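Review bot: The new `capability sys_rawio,` in the blkid profile carries no comment recording which operation needs it, and CAP_SYS_RAWIO is a broad grant (raw block and SCSI ioctls, among other things) for a read-only probing tool that already gets `abstractions/disks-read`. If this came from a single observed denial, a why-comment above the line keeps the next maintainer from widening further or dropping it blindly, e.g. `# Raw block ioctl on probed devices (observed: <ioctl>/<device>, see audit log)`. The blkid profile body continues outside the hunk.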
@ -23,6 +23,8 @@ profile evince @{exec_path} {
|
||||||
|
|
||||||
/{usr/,}bin/{,ba,da}sh rix,
|
/{usr/,}bin/{,ba,da}sh rix,
|
||||||
/{usr/,}bin/gio-launch-desktop rPx,
|
/{usr/,}bin/gio-launch-desktop rPx,
|
||||||
|
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||||
|
/{usr/,}lib/gio-launch-desktop rPx -> child-open,
|
||||||
|
|
||||||
/usr/share/djvu/{,**} r,
|
/usr/share/djvu/{,**} r,
|
||||||
/usr/share/evince/{,**} r,
|
/usr/share/evince/{,**} r,
|
||||||
|
|
|
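Review bot: The two new gio-launch-desktop rules transition to `child-open`, while the surviving `/{usr/,}bin/gio-launch-desktop rPx,` two lines above still transitions to the launcher's own named profile, so which profile confines the launched handler now depends on which path the local glib build installs. Unless that difference is intentional, make the three rules agree: `/{usr/,}bin/gio-launch-desktop rPx -> child-open,`. Because evince renders untrusted documents, what `child-open` is allowed to launch is the effective boundary for links embedded in a PDF; a one-line comment saying so next to these rules would help. The evince profile body continues outside the hunk.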
@ -13,13 +13,15 @@ profile lvm @{exec_path} {
|
||||||
include <abstractions/dbus-strict>
|
include <abstractions/dbus-strict>
|
||||||
include <abstractions/disks-write>
|
include <abstractions/disks-write>
|
||||||
|
|
||||||
|
capability mknod,
|
||||||
|
capability net_admin,
|
||||||
capability sys_admin,
|
capability sys_admin,
|
||||||
capability sys_nice,
|
capability sys_nice,
|
||||||
capability net_admin,
|
capability sys_rawio,
|
||||||
|
|
||||||
@{exec_path} rm,
|
@{exec_path} rm,
|
||||||
|
|
||||||
@{etc_rw}/lvm/** r,
|
@{etc_rw}/lvm/** rwkl,
|
||||||
|
|
||||||
@{run}/lvm/** rwk,
|
@{run}/lvm/** rwk,
|
||||||
@{run}/lock/lvm/* rwk,
|
@{run}/lock/lvm/* rwk,
|
||||||
|
@ -33,6 +35,7 @@ profile lvm @{exec_path} {
|
||||||
@{PROC}/@{pid}/fd/ r,
|
@{PROC}/@{pid}/fd/ r,
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
|
|
||||||
|
/dev/**/ r,
|
||||||
/dev/mapper/control rw,
|
/dev/mapper/control rw,
|
||||||
|
|
||||||
include if exists <local/lvm>
|
include if exists <local/lvm>
|
||||||
|
|
|
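Review bot: Widening `@{etc_rw}/lvm/** r,` to `rwkl` in the first hunk lets lvm rewrite, lock and hard-link anything under /etc/lvm, including lvm.conf and the profile/ directory, whereas the writes lvm normally performs there are presumably limited to the metadata archive/backup and devices files. If that is what the denial showed, keep the read rule and scope the write rule, e.g. `@{etc_rw}/lvm/{archive,backup,cache,devices}/** rwkl,` (confirm the directory set against the audit log). The same hunk also adds `capability mknod,` and `capability sys_rawio,` without a comment naming what triggers each, and a short why-comment per capability would make later tightening possible. Both hunks are fragments of the lvm profile, whose body continues outside them.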
@ -12,6 +12,8 @@ profile mke2fs @{exec_path} {
|
||||||
include <abstractions/disks-write>
|
include <abstractions/disks-write>
|
||||||
include <abstractions/user-download-strict>
|
include <abstractions/user-download-strict>
|
||||||
|
|
||||||
|
capability sys_rawio,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
# To check for badblocks
|
# To check for badblocks
|
||||||
|
|
|
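Review bot: `capability sys_rawio,` is added to mke2fs with no comment saying what it is for; the profile already has `abstractions/disks-write`, so the grant presumably stems from an ioctl on the target device rather than ordinary block writes, but that is not recorded anywhere. Add a why-comment such as `# Needed for <ioctl> on the target block device (observed in audit log)` once the triggering denial is confirmed, so the capability is neither kept by inertia nor copied into other filesystem tools by analogy. The profile continues outside the hunk.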
@ -23,6 +23,8 @@ profile snap @{exec_path} {
|
||||||
|
|
||||||
@{exec_path} mrix,
|
@{exec_path} mrix,
|
||||||
|
|
||||||
|
/{usr/,}bin/systemctl rPx -> child-systemctl,
|
||||||
|
|
||||||
/snap/{,**} rw,
|
/snap/{,**} rw,
|
||||||
/{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-confine rPx,
|
/{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-confine rPx,
|
||||||
/{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-seccomp rPx,
|
/{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-seccomp rPx,
|
||||||
|
@ -37,6 +39,7 @@ profile snap @{exec_path} {
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
|
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
|
||||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||||
|
owner @{run}/user/@{uid}/snapd-session-agent.socket rw,
|
||||||
owner @{run}/user/@{uid}/systemd/notify rw,
|
owner @{run}/user/@{uid}/systemd/notify rw,
|
||||||
|
|
||||||
@{run}/snapd.socket rw,
|
@{run}/snapd.socket rw,
|
||||||
|
|
|
@ -10,18 +10,26 @@ include <tunables/global>
|
||||||
profile snap-update-ns @{exec_path} {
|
profile snap-update-ns @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
|
||||||
|
capability dac_override,
|
||||||
capability sys_admin,
|
capability sys_admin,
|
||||||
capability sys_chroot,
|
capability sys_chroot,
|
||||||
|
|
||||||
|
mount -> /snap/**/,
|
||||||
|
mount -> /usr/**/,
|
||||||
|
mount /snap/**/ -> /tmp/.snap/**,
|
||||||
|
umount /snap/**/,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/var/lib/snapd/mount/{,*} r,
|
/var/lib/snapd/mount/{,*} r,
|
||||||
|
|
||||||
|
/tmp/.snap/{,**} rwk,
|
||||||
|
|
||||||
@{run}/snapd/lock/*.lock rwk,
|
@{run}/snapd/lock/*.lock rwk,
|
||||||
@{run}/snapd/ns/{,**} rw,
|
@{run}/snapd/ns/{,**} rw,
|
||||||
|
|
||||||
@{sys}/fs/cgroup/{,**/} r,
|
@{sys}/fs/cgroup/{,**/} r,
|
||||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze r,
|
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze rw,
|
||||||
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||||
|
|
||||||
@{PROC}/@{pids}/cgroup r,
|
@{PROC}/@{pids}/cgroup r,
|
||||||
|
|
|
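Review bot: `mount -> /snap/**/,` and `mount -> /usr/**/,` specify no source, fstype or options, so together with `capability sys_admin`, `sys_chroot` and the newly added `dac_override` they let the confined process mount any filesystem or bind any source onto any directory under /usr or /snap, which is close to unrestricted mount for this profile. If snap-update-ns only performs bind mounts for layouts and content interfaces, constrain the rules to that, e.g. `mount options=(rw, bind) -> /snap/**/,` and `mount options=(rw, bind) -> /usr/**/,` (add `rbind`/`remount` variants only if the audit log shows them). The new `/tmp/.snap/{,**} rwk,` rule names a predictable path in world-writable /tmp; that is only safe if the directory is created in a private mount namespace, which is worth stating in a comment. The snap-update-ns profile body continues outside the hunk.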
@ -94,12 +94,13 @@ profile snapd @{exec_path} {
|
||||||
/etc/systemd/system/{,**/} r,
|
/etc/systemd/system/{,**/} r,
|
||||||
/etc/systemd/system/snap* rw,
|
/etc/systemd/system/snap* rw,
|
||||||
/etc/systemd/user/{,**/} r,
|
/etc/systemd/user/{,**/} r,
|
||||||
/etc/systemd/user/snap* rw,
|
/etc/systemd/user/**/*snap* rw,
|
||||||
|
/etc/systemd/user/*snap* rw,
|
||||||
/etc/udev/rules.d/{,*snap*} rw,
|
/etc/udev/rules.d/{,*snap*} rw,
|
||||||
|
|
||||||
/snap/{,**} rw,
|
/snap/{,**} rw,
|
||||||
/var/cache/snapd/{,**} rwk,
|
/var/cache/snapd/{,**} rwlk,
|
||||||
/var/lib/snapd/{,**} rwk,
|
/var/lib/snapd/{,**} rwlk,
|
||||||
/var/snap/{,**} rw,
|
/var/snap/{,**} rw,
|
||||||
|
|
||||||
/var/cache/apparmor/{,*/} r,
|
/var/cache/apparmor/{,*/} r,
|
||||||
|
@ -119,7 +120,8 @@ profile snapd @{exec_path} {
|
||||||
owner @{run}/mount/utab{,.*} rw,
|
owner @{run}/mount/utab{,.*} rw,
|
||||||
owner @{run}/mount/utab.lock wk,
|
owner @{run}/mount/utab.lock wk,
|
||||||
|
|
||||||
owner @{run}/user/{,@{uid}/} r,
|
owner @{run}/user/@{uid}/ r,
|
||||||
|
owner @{run}/user/@{uid}/snapd-session-agent.socket rw,
|
||||||
owner @{run}/user/snap.*/{,**} rw,
|
owner @{run}/user/snap.*/{,**} rw,
|
||||||
|
|
||||||
@{run}/snapd*.socket rw,
|
@{run}/snapd*.socket rw,
|
||||||
|
@ -136,6 +138,8 @@ profile snapd @{exec_path} {
|
||||||
@{sys}/kernel/security/apparmor/features/ r,
|
@{sys}/kernel/security/apparmor/features/ r,
|
||||||
@{sys}/kernel/security/apparmor/profiles r,
|
@{sys}/kernel/security/apparmor/profiles r,
|
||||||
|
|
||||||
|
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r,
|
||||||
|
|
||||||
@{PROC}/@{pids}/cgroup r,
|
@{PROC}/@{pids}/cgroup r,
|
||||||
@{PROC}/@{pids}/stat r,
|
@{PROC}/@{pids}/stat r,
|
||||||
@{PROC}/cgroups r,
|
@{PROC}/cgroups r,
|
||||||
|
|
|
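Review bot: In the first hunk `/etc/systemd/user/**/*snap* rw,` matches any file under /etc/systemd/user at any depth whose name merely contains "snap" (for example a user's `foo-snapshot.service` or a drop-in directory), whereas the removed rule was anchored with the `snap` prefix. If the widening was only meant to reach `.wants/` symlinks, `/etc/systemd/user/{,*/}snap* rw,` covers the `snap.*` and `snapd.*` unit names without the leading wildcard; keep `*snap*` only if a unit name without that prefix was actually observed. The second hunk also replaces `owner @{run}/user/{,@{uid}/} r,` with `owner @{run}/user/@{uid}/ r,`, silently dropping the read of the /run/user/ directory itself, which is fine only if snapd no longer enumerates it. All three hunks are fragments of the snapd profile, whose body continues outside them.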
@ -37,8 +37,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
|
||||||
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/,
|
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/,
|
||||||
|
|
||||||
# Allow mounting of cdrom
|
# Allow mounting of cdrom
|
||||||
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> /media/cdrom[0-9]/,
|
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/,
|
||||||
mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> /media/cdrom[0-9]/,
|
mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> @{MOUNTS}/*/,
|
||||||
|
|
||||||
# Allow mounting od sd cards
|
# Allow mounting od sd cards
|
||||||
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/,
|
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/,
|
||||||
|
|
|
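Review bot: The rewritten rule `mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/,` now subsumes the unchanged `/dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/,` rule at the top of the hunk, because `*` in AppArmor globs matches anything except `/` and so `loop[0-9]*` already covers `loop0p1`; one of the two should go. The comment `# Allow mounting of cdrom` above the loop rule no longer describes it now that the target is no longer /media/cdromN, so reword it, e.g. `# Allow mounting of loop devices (ISO images) and optical drives`. The following unchanged comment also has a typo (`od sd cards` should read `of sd cards`). The udisksd profile body continues outside the hunk.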
@ -68,8 +68,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
owner @{HOME}/ r,
|
owner @{HOME}/ r,
|
||||||
owner @{user_cache_dirs}/ rw,
|
owner @{user_cache_dirs}/ rw,
|
||||||
owner @{user_cache_dirs}/virt-manager/ rw,
|
owner @{user_cache_dirs}/virt-manager/{,**} rw,
|
||||||
owner @{user_cache_dirs}/virt-manager/** rw,
|
|
||||||
|
|
||||||
# For disk images
|
# For disk images
|
||||||
@{MOUNTS}/ r,
|
@{MOUNTS}/ r,
|
||||||
|
@ -87,6 +86,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
|
||||||
owner @{user_vm_dirs}/{,**} rw,
|
owner @{user_vm_dirs}/{,**} rw,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
|
owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
|
||||||
|
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
||||||
@{run}/mount/utab r,
|
@{run}/mount/utab r,
|
||||||
@{run}/udev/data/c51[0-9]:[0-9]* r,
|
@{run}/udev/data/c51[0-9]:[0-9]* r,
|
||||||
|
|
||||||
|
|