diff --git a/apparmor.d/profiles-a-f/anki b/apparmor.d/profiles-a-f/anki
deleted file mode 100644
index 79febf5d..00000000
--- a/apparmor.d/profiles-a-f/anki
+++ /dev/null
@@ -1,210 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-# Copyright (C) 2023 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/anki
-profile anki @{exec_path} {
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
-
- signal (send) set=(term, kill) peer=anki//mpv,
-
- network inet dgram,
- network inet6 dgram,
- network inet stream,
- network inet6 stream,
- network netlink raw,
-
- @{exec_path} r,
- @{bin}/python3.[0-9]* r,
-
- @{bin}/ldconfig rix,
-
- @{bin}/ r,
- @{bin}/lsb_release rPx -> lsb_release,
- @{bin}/xdg-open rCx -> open,
- @{bin}/mpv rCx -> mpv,
- # For recording sounds while creating decks
- @{bin}/lame rCx -> lame,
-
- @{lib}/@{multiarch}/qt5/libexec/QtWebEngineProcess rix,
- /usr/share/qt5/**/*.pak r,
- owner @{user_config_dirs}/qt5ct/{,**} r,
- /usr/share/qt5ct/** r,
-
- owner @{HOME}/ r,
- owner @{user_cache_dirs}/ rw,
-
- /usr/share/anki/{,**} r,
-
- /usr/share/javascript/**/*.js r,
-
- owner @{user_cache_dirs}/Anki/ rw,
- owner @{user_cache_dirs}/Anki/** rw,
-
- owner @{user_share_dirs}/Anki{,2}/ rw,
- owner @{user_share_dirs}/Anki{,2}/** rwk,
-
- owner @{HOME}/ r,
- owner @{user_cache_dirs}/ rw,
-
- # To remove the following error:
- # Error initializing NSS with a persistent database
- owner @{HOME}/.pki/ rw,
- owner @{HOME}/.pki/nssdb/ rw,
- owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
- owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
- owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
-
- # If one is blocked, the others are probed.
- deny owner @{HOME}/#@{int} mrw,
- owner @{HOME}/.glvnd* mrw,
- # owner /tmp/#@{int} mrw,
- # owner /tmp/.glvnd* mrw,
-
- # The /proc/ dir is needed to avoid the following error:
- # [:FATAL:sandbox_linux.cc(172)] Check failed: proc_fd_ >= 0 (-1 vs. 0)
- @{PROC}/ r,
- owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/mem r,
- owner @{PROC}/@{pids}/statm r,
- owner @{PROC}/@{pids}/stat r,
- owner @{PROC}/@{pid}/task/ r,
- owner @{PROC}/@{pid}/task/@{tid}/status r,
- @{PROC}/sys/kernel/yama/ptrace_scope r,
- @{PROC}/sys/fs/inotify/max_user_watches r,
- deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
- deny owner @{PROC}/@{pid}/cmdline r,
- # To remove the following error:
- # GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied
- # (g-file-error-quark, 2)
- owner @{PROC}/@{pid}/mountinfo r,
- owner @{PROC}/@{pid}/mounts r,
- deny @{PROC}/sys/kernel/random/boot_id r,
- @{PROC}/vmstat r,
- deny owner @{PROC}/@{pid}/setgroups w,
-
- /etc/fstab r,
-
- /var/tmp/ r,
- /tmp/ r,
- owner /tmp/* rw,
- owner /tmp/anki_temp/ rw,
- owner /tmp/anki_temp/** rwk,
- owner /tmp/mozilla_*/*.apkg r,
-
- owner /dev/shm/.org.chromium.Chromium.* rw,
- /dev/shm/#@{int} rw,
-
- @{sys}/devices/pci[0-9]*/**/irq r,
- @{sys}/devices/pci[0-9]*/**/{vendor,device} r,
-
- /usr/share/hwdata/pnp.ids r,
-
- /etc/mime.types r,
-
- # SyncThread
- @{bin}/{,ba,da}sh rix,
- @{bin}/uname rix,
- /etc/ r,
- /etc/debian_version r,
-
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
- # file_inherit
- owner /dev/tty@{int} rw,
- owner @{HOME}/.xsession-errors w,
-
- # Allowed apps to open
- @{lib}/firefox/firefox rPUx,
-
-
- profile mpv {
- include
- include
- include
- include
-
- signal (receive) set=(term, kill) peer=anki,
-
- @{bin}/mpv mr,
-
- /etc/mpv/encoding-profiles.conf r,
-
- owner /tmp/mpv.* rw,
-
- # For playing sets' sounds
- owner @{user_share_dirs}/Anki{,2}/*/collection.media/ r,
- owner @{user_share_dirs}/Anki{,2}/*/collection.media/*.{mp3,wav} r,
- owner @{user_share_dirs}/Anki{,2}/pulse/ r,
- owner @{user_share_dirs}/Anki{,2}/pulse/cookie rk,
-
- owner @{HOME}/.Xauthority r,
-
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
- @{sys}/devices/system/node/ r,
- @{sys}/devices/system/node/node@{int}/meminfo r,
-
- # file_inherit
- owner /dev/tty@{int} rw,
- owner @{HOME}/.xsession-errors w,
-
- }
-
- profile lame {
- include
-
- @{bin}/lame mr,
-
- owner @{user_share_dirs}/Anki{,2}/*/collection.media/rec.{mp3,wav} rw,
-
- }
-
- profile open {
- include
- include
-
- @{bin}/xdg-open mr,
-
- @{bin}/{,ba,da}sh rix,
- @{bin}/{m,g,}awk rix,
- @{bin}/readlink rix,
- @{bin}/basename rix,
-
- owner @{HOME}/ r,
-
- owner @{run}/user/@{uid}/ r,
-
- # Allowed apps to open
- @{lib}/firefox/firefox rPUx,
-
- # file_inherit
- owner @{HOME}/.xsession-errors w,
-
- }
-
- include if exists
-}
diff --git a/apparmor.d/profiles-a-f/curl b/apparmor.d/profiles-a-f/curl
deleted file mode 100644
index 1ff09bec..00000000
--- a/apparmor.d/profiles-a-f/curl
+++ /dev/null
@@ -1,37 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2021 Mikhail Morfikov
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/curl
-profile curl @{exec_path} {
- include
- include
- include
- include
- include
- include
-
- network inet dgram,
- network inet6 dgram,
- network inet stream,
- network inet6 stream,
- network netlink raw,
-
- @{exec_path} mr,
-
- /usr/share/publicsuffix/public_suffix_list.* r,
-
- @{PROC}/@{pids}/stat r,
- @{PROC}/@{pids}/net/dev r,
- @{PROC}/@{pids}/net/tcp{,6} r,
- @{PROC}/@{pids}/cmdline r,
- @{PROC}/diskstats r,
- @{PROC}/uptime r,
- @{PROC}/loadavg r,
-
- include if exists
-}
diff --git a/apparmor.d/profiles-s-z/uscan b/apparmor.d/profiles-s-z/uscan
deleted file mode 100644
index e2fd9e9a..00000000
--- a/apparmor.d/profiles-s-z/uscan
+++ /dev/null
@@ -1,79 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/uscan
-profile uscan @{exec_path} {
- include
- include
- include
- include
- include
- include
-
- network inet dgram,
- network inet6 dgram,
- network inet stream,
- network inet6 stream,
- network netlink raw,
-
- @{exec_path} r,
- @{bin}/perl r,
-
- @{bin}/{,ba,da}sh rix,
- @{bin}/pwd rix,
- @{bin}/find rix,
- @{bin}/file rix,
- @{bin}/getconf rix,
-
- @{bin}/tar rix,
- @{bin}/gzip rix,
- @{bin}/bzip2 rix,
- @{bin}/gunzip rix,
- @{bin}/xz rix,
-
- @{bin}/uupdate rPUx,
-
- # To run custom maintainer scripts
- owner @{user_build_dirs}/**/debian/* rPUx,
-
- /usr/share/*/debian/ r,
- /usr/share/*/debian/changelog r,
-
- @{bin}/gpg{,2} rCx -> gpg,
- @{bin}/gpgv rCx -> gpg,
-
- /etc/dpkg/origins/debian r,
-
- /etc/devscripts.conf r,
- /etc/magic r,
-
- # For package building
- owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
-
- # For GPG keys
- owner /tmp/*/ rw,
- owner /tmp/*/trustedkeys.gpg w,
-
- profile gpg {
- include
-
- @{bin}/gpg{,2} mr,
- @{bin}/gpgv mr,
-
- owner @{HOME}/@{XDG_GPG_DIR}/gpg.conf r,
- owner @{HOME}/@{XDG_GPG_DIR}/pubring.{gpg,kbx} r,
-
- owner /tmp/*/trustedkeys.gpg rw,
-
- owner @{user_build_dirs}/**/debian/upstream/signing-key.asc r,
- owner @{user_build_dirs}/**/*.tar.* r,
-
- }
-
- include if exists
-}