feat(profile): start using new abstractions (3)

This commit is contained in:
Alexandre Pujol 2023-12-19 23:49:30 +00:00
parent a79a3f3311
commit ef1776b8d5
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
20 changed files with 34 additions and 167 deletions


@ -13,23 +13,16 @@ profile keepassxc @{exec_path} {
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/devices-usb>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/nvidia>
include <abstractions/openssl>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/ssl_certs>
include <abstractions/user-download-strict>
include <abstractions/vulkan>
include <abstractions/X-strict>
network inet dgram,
network inet6 dgram,
@ -47,7 +40,6 @@ profile keepassxc @{exec_path} {
/usr/share/hwdata/pnp.ids r,
/usr/share/keepassxc/{,**} r,
/usr/share/libdrm/*.ids r,
/usr/share/qt*/{,**} r,
/etc/fstab r,
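Review bot: `/usr/share/qt*/{,**} r,` (the line before `/etc/fstab r,`) sits in the changed stretch of this hunk, and if it is on the removed side nothing visible on the new side re-grants Qt's plugin and translation trees — `graphics` and the retained `qt5-compose-cache-write`/`qt5-settings-write` includes do not obviously cover `/usr/share/qt*`. Confirm the replacement abstraction covers it, or keep the rule with a comment such as `/usr/share/qt*/{,**} r, # Qt plugins/translations, not covered by graphics`. The profile body continues outside the hunk.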


@ -15,13 +15,11 @@ profile mpv @{exec_path} {
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/opencl>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/user-download-strict>
include <abstractions/vulkan>
network inet dgram,
network inet6 dgram,
@ -41,7 +39,6 @@ profile mpv @{exec_path} {
@{bin}/youtube-dl rPx,
@{bin}/yt-dlp rPx,
/usr/share/libdrm/{,**} r,
/usr/share/pipewire/client-rt.conf r,
/etc/libva.conf r,
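Review bot: `/usr/share/pipewire/client-rt.conf r,` appears in the changed stretch next to `/usr/share/libdrm/{,**} r,`, and if it is being dropped here it is not obviously replaced: no audio abstraction is visible in this hunk and `graphics` is unlikely to carry PipeWire client configuration. If the read now comes from another include, a comment naming it would save the next reader a grep; otherwise keep `/usr/share/pipewire/client-rt.conf r,`. The profile body continues outside the hunk.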


@ -10,9 +10,8 @@ include <tunables/global>
profile nvidia-settings @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/opencl-nvidia>
include <abstractions/desktop>
include <abstractions/nvidia-strict>
@{exec_path} mr,


@ -10,11 +10,8 @@ include <tunables/global>
profile nvtop @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/graphics-full>
include <abstractions/nameservice-strict>
include <abstractions/opencl-nvidia>
include <abstractions/vulkan>
capability sys_ptrace,
@ -33,9 +30,6 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/drm/ r,
@{sys}/devices/@{pci}/drm/card@{int}/gt_*_freq_mhz r,
@{sys}/devices/@{pci}/enable r,
@{sys}/devices/system/node/node@{int}/cpumap r,
@ -48,8 +42,6 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pids}/stat r,
@{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r,
/dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511
/dev/dri/ r,
/dev/nvidia-caps/ rw,
/dev/nvidia-caps/nvidia-cap@{int} rw,
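Review bot: The new `include <abstractions/graphics-full>` is a broader grant than the `graphics` used by every other profile in this commit, and nothing in the hunk says why nvtop needs the `-full` variant on top of `capability sys_ptrace`, `/dev/nvidia-caps/ rw` and the write on `/dev/char/@{dynamic}:@{int}`. A one-line justification would keep the wider surface from being copied unchecked, e.g. `include <abstractions/graphics-full> # render-node/ioctl access for per-process GPU stats — confirm`. If the extra breadth only stands in for the `/dev/dri/ r` and `@{sys}/class/drm/ r` enumeration rules this hunk drops, plain `graphics` may already suffice; I cannot see the abstraction's contents, so this is a check rather than a finding.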


@ -9,11 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/scrcpy
profile scrcpy @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/opencl>
include <abstractions/vulkan>
include <abstractions/graphics>
network inet stream,
network inet6 stream,


@ -17,7 +17,7 @@ profile spice-vdagent @{exec_path} {
include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/bus/org.freedesktop.RealtimeKit1>
include <abstractions/bus/org.gnome.Mutter.DisplayConfig>
include <abstractions/dri-common>
include <abstractions/dri>
include <abstractions/fontconfig-cache-write>
include <abstractions/fonts>
include <abstractions/gtk>
@ -47,11 +47,7 @@ profile spice-vdagent @{exec_path} {
@{run}/spice-vdagentd/spice-vdagent-sock rw,
owner @{run}/user/@{uid}/pipewire-@{int} rw,
@{sys}/devices/@{pci}/{device,vendor} r,
owner @{PROC}/@{pids}/task/@{tid}/comm rw,
/dev/dri/card@{int} rw,
include if exists <local/spice-vdagent>
}
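Review bot: Moving from `dri-common` to `dri` while `/dev/dri/card@{int} rw` sits among the changed lines suggests the explicit card-node rule is being folded into the abstraction; if `abstractions/dri` grants every `/dev/dri/*` node (render nodes included), that widens what the agent can open compared with the single card node it had before. If the widening is intended, document it on the include, e.g. `include <abstractions/dri> # replaces the explicit /dev/dri/card@{int} rw`; otherwise keep the narrow rule. I cannot see the abstraction's contents, so treat this as a check rather than a finding.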


@ -17,15 +17,11 @@ profile spotify @{exec_path} {
include <abstractions/base>
include <abstractions/chromium-common>
include <abstractions/dconf-write>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/desktop>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/opencl>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/vulkan>
network inet dgram,
network inet6 dgram,
@ -40,7 +36,6 @@ profile spotify @{exec_path} {
@{open_path} rPx -> child-open,
/etc/libva.conf r,
/etc/machine-id r,
/etc/spotify-adblock/* r,
/var/lib/dbus/machine-id r,
@ -61,18 +56,13 @@ profile spotify @{exec_path} {
owner @{run}/user/@{uid}/pulse/ r,
@{sys}/devices/@{pci}/irq r,
@{sys}/devices/system/cpu/cpu@{int}/cache/{,**} r,
@{sys}/devices/system/cpu/cpu@{int}/topology/{,**} r,
@{sys}/devices/system/cpu/kernel_max r,
@{sys}/devices/system/cpu/present r,
@{sys}/devices/virtual/tty/tty@{int}/active r,
@{PROC}/ r,
@{PROC}/@{pid}/stat r,
@{PROC}/sys/fs/inotify/max_user_watches r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/comm r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/oom_score_adj w,
owner @{PROC}/@{pid}/statm r,
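Review bot: `@{PROC}/@{pid}/stat r,` is the only rule in this proc stretch without `owner`, so if it survives the change it lets spotify read the stat line of any process on the host, not just its own; the sibling rules for `cmdline`, `comm`, `fd/` and `statm` are all `owner`-scoped. Unless a cross-user read is actually required, make it `owner @{PROC}/@{pid}/stat r,`. The same question applies to `@{PROC}/ r,` if it is kept — enumerating every pid is rarely needed by a media client. The profile body continues outside the hunk.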


@ -14,17 +14,11 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
include <abstractions/chromium-common>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/disks-read>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/opencl>
include <abstractions/ssl_certs>
include <abstractions/vulkan>
capability sys_ptrace,
@ -104,8 +98,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
/usr/lib/os-release rk,
/usr/share/fonts/**.{ttf,otf} rk,
/usr/share/terminfo/** r,
/usr/share/themes/{,**} r,
/usr/share/X11/{,**} r,
/usr/share/zenity/* r,
/etc/lsb-release r,
@ -116,15 +108,12 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
@{bin}/ r,
@{lib}/ r,
/ r,
/{usr/,}{local/,} r,
/{usr/,}{local/,}share/ r,
/etc/ r,
/home/ r,
/run/ r,
/var/ r,
owner @{HOME}/ r,
owner @{HOME}/.local/ r,
owner @{HOME}/.steam/{,**} rw,
owner @{HOME}/.steam/registry.vdf rwk,
owner @{HOME}/.steampath rw,
@ -132,22 +121,17 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
owner @{user_games_dirs}/{,**} rwkl,
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/autostart/ r,
owner @{user_config_dirs}/cef_user_data/{,**} r,
owner @{user_config_dirs}/unity3d/{,**} rwk,
owner @{user_config_dirs}/user-dirs.dirs r,
owner @{user_share_dirs}/ r,
owner @{user_share_dirs}/applications/*.desktop w,
owner @{user_share_dirs}/icons/hicolor/**/apps/steam*.png rw,
owner @{user_share_dirs}/Steam/ rw,
owner @{user_share_dirs}/Steam/** rwkl -> @{user_share_dirs}/Steam/**,
owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner /dev/shm/#@{int} rw,
owner /dev/shm/fossilize-*-@{int}-@{int} rw,
owner /dev/shm/u@{uid}-Shm_@{hex} rw,
@ -241,7 +225,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
@{sys}/bus/pci/devices/ r,
@{sys}/bus/pci/slots/ r,
@{sys}/bus/pci/slots/@{int}/address r,
@{sys}/devices/pci[0-9]*/** r,
@{sys}/devices/@{pci}/** r,
owner /dev/shm/ValveIPCSHM_@{uid} rw,
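Review bot: The rewritten rule `@{sys}/devices/@{pci}/** r,` still grants recursive read of every attribute file sysfs exposes under every PCI device — the `@{pci}` tunable tidies the prefix but does not narrow the grant. Because this profile runs with `complain`, a rule this wide never produces a log entry, so the set of attributes Steam actually touches stays unknown; consider listing what the neighbouring rules already show is needed, e.g. `@{sys}/devices/@{pci}/{vendor,device,class,revision} r,` and `@{sys}/devices/@{pci}/drm/{,**} r,`, and let complain mode surface the rest. The profile body continues outside the hunk.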


@ -10,11 +10,7 @@ include <tunables/global>
@{exec_path} = @{steam_lib_dirs}/fossilize_replay
profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/opencl>
include <abstractions/vulkan>
include <abstractions/graphics>
@{exec_path} mr,
@ -29,7 +25,6 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/cpumap r,
@{PROC}/@{pids}/statm r,
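Review bot: `@{PROC}/@{pids}/statm r,` lacks `owner`, so fossilize_replay can read memory statistics of every process on the system; its worker processes run under the same uid, so `owner @{PROC}/@{pids}/statm r,` should be enough. If the unscoped read is deliberate, a comment naming the foreign processes it inspects would stop a later cleanup from re-scoping it. The profile body continues outside the hunk.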


@ -24,17 +24,13 @@ include <tunables/global>
profile steam-game @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/desktop>
include <abstractions/devices-usb>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fontconfig-cache-write>
include <abstractions/fonts>
include <abstractions/mesa>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/opencl-nvidia>
include <abstractions/python>
include <abstractions/ssl_certs>
include <abstractions/vulkan>
capability dac_override,
capability dac_read_search,
@ -120,8 +116,6 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
@{run}/host/usr/lib{,32,64}/**.so* rm,
@{run}/host/usr/bin/localedef rix,
/usr/share/egl/{,**} r,
/usr/share/icons/{,**} r,
/usr/share/terminfo/** r,
/etc/machine-id r,
@ -140,14 +134,12 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
/tmp/ r,
owner @{HOME}/ r,
owner @{HOME}/.local/ r,
owner @{HOME}/.steam/steam.pid r,
owner @{HOME}/.steam/steam.pipe r,
owner @{user_games_dirs}/{,*/} r,
owner @{user_games_dirs}/*/{,**} rwkl,
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/unity3d/{,**} rwk,
owner @{user_share_dirs}/ r,
@ -173,8 +165,6 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
@{run}/host/usr/{,**} r,
owner @{run}/pressure-vessel/{,**} rw,
owner @{run}/user/@{uid}/ r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/orcexec.* mrw, # gstreamer
owner /dev/shm/#@{int} rw,
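Review bot: `capability dac_override,` and `capability dac_read_search,` sit right under the reworked include list with no comment, and for a profile that also carries `attach_disconnected` they let a game bypass file-permission checks on every path the profile grants. If they exist for pressure-vessel's container setup, say so on the line, e.g. `capability dac_override, # pressure-vessel runtime setup — confirm`; if only the sandbox helper needs them, consider confining them to that process. The profile body continues outside the hunk.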


@ -27,7 +27,6 @@ profile syncthing @{exec_path} {
/usr/share/mime/{,*} r,
/etc/mime.types r,
/usr/share/mime/globs2 r,
owner @{HOME}/ r,
owner @{HOME}/@{XDG_DATA_DIR}/syncthing/{,**} rwk,


@ -22,20 +22,15 @@ profile thunderbird @{exec_path} {
include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/bus/org.freedesktop.RealtimeKit1>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/enchant>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/opencl>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict>
include <abstractions/vulkan>
include <abstractions/wayland>
# userns,
@ -111,14 +106,10 @@ profile thunderbird @{exec_path} {
owner @{HOME}/ r,
owner @{user_cache_dirs}/ rw,
owner @{user_config_dirs}/kwalletrc r,
owner @{user_config_dirs}/mimeapps.list.* rw,
owner @{user_config_dirs}/qt5ct/{,**} r,
owner @{user_share_dirs}/ r,
owner @{user_mail_dirs}/ rw,
owner @{user_mail_dirs}/** rwl -> @{user_mail_dirs}/**,
@ -150,7 +141,6 @@ profile thunderbird @{exec_path} {
@{PROC}/@{pids}/net/route r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/comm r,
owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1


@ -13,12 +13,8 @@ include <tunables/global>
@{exec_path} = @{lib_dirs}/glxtest
profile thunderbird-glxtest @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/opencl-nvidia>
include <abstractions/vulkan>
include <abstractions/X-strict>
@{exec_path} mr,
@ -27,9 +23,6 @@ profile thunderbird-glxtest @{exec_path} {
owner /tmp/thunderbird/.parentlock rw,
@{sys}/bus/pci/devices/ r,
@{sys}/devices/@{pci}/class r,
owner @{PROC}/@{pid}/cmdline r,
include if exists <local/thunderbird-glxtest>


@ -14,23 +14,16 @@ include <tunables/global>
@{exec_path} = @{lib_dirs}/vaapitest
profile thunderbird-vaapitest @{exec_path} {
include <abstractions/base>
include <abstractions/dri-enumerate>
include <abstractions/dri-common>
include <abstractions/nvidia>
include <abstractions/vulkan>
include <abstractions/graphics>
network netlink raw,
@{exec_path} mr,
/etc/igfx_user_feature{,_next}.txt w,
/etc/libva.conf r,
owner /tmp/thunderbird/.parentlock rw,
@{sys}/devices/@{pci}/{irq,revision,resource} r,
@{sys}/devices/@{pci}/config r,
deny @{cache_dirs}/*/startupCache/** r,
deny @{config_dirs}/*/.parentlock rw,
deny @{config_dirs}/*/startupCache/** r,
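Review bot: `/etc/igfx_user_feature{,_next}.txt w,` grants a write under `/etc` to a user-level GPU test helper; DAC refuses it for an ordinary user, so the rule only serves to keep the attempt out of the audit log, and `deny /etc/igfx_user_feature{,_next}.txt w,` states that intent without granting anything should the helper ever run with more privilege. Separately, the three `deny` rules use `@{cache_dirs}` and `@{config_dirs}` where the rest of this commit uses `@{user_cache_dirs}` and `@{user_config_dirs}`; if those are profile-local variables declared above the hunk that is fine (the parser rejects undefined references), but aligning the names would avoid the question. The profile body continues outside the hunk.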


@ -10,20 +10,13 @@ include <tunables/global>
profile transmission-gtk @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/desktop>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/nvidia>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/trash>
include <abstractions/user-download-strict>
include <abstractions/vulkan>
include <abstractions/X-strict>
network inet dgram,
network inet6 dgram,
@ -35,8 +28,6 @@ profile transmission-gtk @{exec_path} {
@{open_path} rPx -> child-open,
/usr/share/X11/xkb/{,**} r,
owner @{user_torrents_dirs}/ r,
owner @{user_torrents_dirs}/** rw,
@ -47,8 +38,6 @@ profile transmission-gtk @{exec_path} {
owner @{user_cache_dirs}/transmission/ rw,
owner @{user_cache_dirs}/transmission/** rwk,
owner @{user_share_dirs}/ r,
@{run}/mount/utab r,
@{PROC}/@{pid}/net/route r,


@ -9,20 +9,15 @@ include <tunables/global>
@{exec_path} = @{bin}/transmission-qt
profile transmission-qt @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/desktop>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/user-download-strict>
include <abstractions/private-files-strict>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/qt5>
include <abstractions/qt5-settings-write>
include <abstractions/mesa>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/private-files-strict>
include <abstractions/qt5-settings-write>
include <abstractions/ssl_certs>
include <abstractions/user-download-strict>
network inet dgram,
network inet6 dgram,


@ -13,22 +13,17 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/devices-usb>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/graphics>
include <abstractions/gstreamer>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/opencl>
include <abstractions/openssl>
include <abstractions/python>
include <abstractions/ssl_certs>
include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict>
include <abstractions/vulkan>
include <abstractions/wayland>
network inet stream,
network inet6 stream,
@ -51,7 +46,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
@{open_path} rPx -> child-open,
/usr/share/egl/{,**} r,
/usr/share/gtksourceview-4/{,**} r,
/usr/share/hwdata/*.ids r,
/usr/share/ladspa/rdf/{,ladspa.rdfs} r,
@ -67,10 +61,8 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
/etc/fstab r,
/etc/libnl/classid r,
/etc/libva.conf r,
owner @{HOME}/ r,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/virt-manager/{,**} rw,
# For disk images
@ -92,7 +84,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
@{sys}/devices/@{pci}/drm/ r,
@{sys}/devices/virtual/drm/ttm/uevent r,
owner @{PROC}/@{pid}/mountinfo r,


@ -16,19 +16,15 @@ profile vlc @{exec_path} {
include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.ScreenSaver>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/devices-usb>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/graphics>
include <abstractions/gstreamer>
include <abstractions/gtk>
include <abstractions/ibus>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/opencl>
include <abstractions/ssl_certs>
include <abstractions/user-download-strict>
include <abstractions/vulkan>
network inet dgram,
network inet6 dgram,
@ -94,7 +90,6 @@ profile vlc @{exec_path} {
/usr/share/vlc/{,**} r,
/etc/fstab r,
/etc/libva.conf r,
owner @{HOME}/ r,
owner @{user_music_dirs}/{,**} rw,
@ -102,8 +97,6 @@ profile vlc @{exec_path} {
owner @{user_torrents_dirs}/{,**} rw,
owner @{user_videos_dirs}/{,**} rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/vlc/ rw,
owner @{user_cache_dirs}/vlc/{,**} rw,
@ -117,12 +110,9 @@ profile vlc @{exec_path} {
owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r,
owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r,
@{sys}/devices/@{pci}/irq r,
@{PROC}/@{pids}/net/if_inet6 r,
@{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/comm r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,


@ -11,22 +11,19 @@ include <tunables/global>
@{exec_path} += @{lib}/@{multiarch}/xfce[0-9]/xfconf/xfconfd
profile xfconfd @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-desktop>
@{exec_path} mr,
/etc/xdg/xfce4/xfconf/*/*.xml r,
owner @{HOME}/ r,
owner @{HOME}/.xsession-errors w,
owner @{user_cache_dirs}/ r,
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/xfce4/ r,
owner @{user_config_dirs}/xfce4/xfconf/*/*.xml{,.new} rw,
owner @{user_share_dirs}/ r,
# file_inherit
owner /dev/tty@{int} rw,
owner @{HOME}/.xsession-errors w,
include if exists <local/xfconfd>
}


@ -16,6 +16,7 @@ profile yt-dlp @{exec_path} {
include <abstractions/python>
include <abstractions/ssl_certs>
include <abstractions/user-download-strict>
include <abstractions/xdg-desktop>
network inet dgram,
network inet6 dgram,
@ -38,10 +39,8 @@ profile yt-dlp @{exec_path} {
owner @{user_music_dirs}/{,**} rwk,
owner @{user_videos_dirs}/{,**} rwk,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/yt-dlp/{,**} rw,
owner @{user_config_dirs}/ rw,
owner @{user_config_dirs}/yt-dlp/{,**} rw,
owner @{PROC}/@{pid}/fd/ r,