feat(profile): add all major xfce profiles.
This commit is contained in:
parent
7a3a856180
commit
f4a66a3b8e
@ -16,6 +16,8 @@ profile startxfce @{exec_path} {
|
|||||||
|
|
||||||
@{sh_path} rix,
|
@{sh_path} rix,
|
||||||
@{bin}/cat rix,
|
@{bin}/cat rix,
|
||||||
|
@{bin}/mkdir rix,
|
||||||
|
@{bin}/id rix,
|
||||||
|
|
||||||
@{bin}/xfce4-session rPx,
|
@{bin}/xfce4-session rPx,
|
||||||
@{bin}/xrdb rPx,
|
@{bin}/xrdb rPx,
|
||||||
|
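--- /dev/null
+++ b/apparmor.d/groups/xfce/thunar
@@ -0,0 +1,50 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/thunar
+profile thunar @{exec_path} {
+include <abstractions/base>
+include <abstractions/deny-sensitive-home>
+include <abstractions/fontconfig-cache-read>
+include <abstractions/nameservice-strict>
+include <abstractions/trash-strict>
+include <abstractions/xfce>
+
+network netlink raw,
+
+@{exec_path} mr,
+
+@{bin}/thunar-volman rPx,
+@{open_path} rPx -> child-open,
+
+/etc/fstab r,
+/etc/timezone r,
+
+# Full access to user's data
+/ r,
+/*/ r,
+@{bin}/ r,
+@{lib}/ r,
+@{MOUNTDIRS}/ r,
+@{MOUNTS}/ r,
+@{MOUNTS}/** rw,
+owner @{HOME}/{,**} rw,
+owner @{run}/user/@{uid}/{,**} rw,
+owner /tmp/{,**} rw,
+
+# Silence non user's data
+deny /boot/{,**} r,
+deny /opt/{,**} r,
+deny /root/{,**} r,
+deny /tmp/.* rw,
+deny /tmp/.*/{,**} rw,
+
+owner @{PROC}/@{pid}/mountinfo r,
+
+include if exists <local/thunar>
+}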
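--- /dev/null
+++ b/apparmor.d/groups/xfce/thunar-volman
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/thunar-volman
+profile thunar-volman @{exec_path} {
+include <abstractions/base>
+include <abstractions/nameservice-strict>
+include <abstractions/xfce>
+
+network netlink raw,
+
+@{exec_path} mr,
+
+/etc/fstab r,
+
+@{sys}/devices/virtual/input/input@{int}/{,**/}uevent r,
+
+@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
+@{run}/udev/data/c13:@{int} r, # for /dev/input/*
+
+owner @{PROC}/@{pid}/mountinfo r,
+
+include if exists <local/thunar-volman>
+}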
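--- /dev/null
+++ b/apparmor.d/groups/xfce/tumblerd
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/{,@{multiarch}/}tumbler-1/tumblerd
+profile tumblerd @{exec_path} {
+include <abstractions/base>
+include <abstractions/gstreamer>
+include <abstractions/nameservice-strict>
+include <abstractions/thumbnails-cache-write>
+
+@{exec_path} mr,
+
+/usr/share/backgrounds/xfce/{,**} r,
+/usr/share/thumbnailers/{,**} r,
+
+/etc/fstab r,
+/etc/xdg/tumbler/* r,
+
+owner @{PROC}/@{pid}/mountinfo r,
+
+/dev/ r,
+
+include if exists <local/tumblerd>
+}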
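Review bot: `/usr/share/thumbnailers/{,**} r,` lets tumblerd read the `.thumbnailer` definitions, but the profile has no exec rule for the external thumbnailer commands those files name and no read rule for the user files being thumbnailed, so if tumblerd spawns those helpers the execs will be denied (safe, but thumbnailing silently stops working). When such rules are added they will cover code that parses attacker-controlled file content, so prefer a transition to a dedicated profile (`rPx` or `rCx`) over `rix`, which would hand the helpers the whole tumblerd profile including `abstractions/gstreamer`. A short comment on `/dev/ r,` saying why a listing of /dev is required would also help the next maintainer, e.g. `# device enumeration by a gstreamer plugin — confirm`, since the need is not derivable from the rules shown.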
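--- /dev/null
+++ b/apparmor.d/groups/xfce/xfce-appfinder
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xfce4-appfinder
+profile xfce-appfinder @{exec_path} {
+include <abstractions/base>
+include <abstractions/app-launcher-user>
+include <abstractions/xfce>
+
+@{exec_path} mr,
+
+/usr/share/desktop-directories/{,**} r,
+
+/etc/xdg/menus/{,**} r,
+
+owner @{user_cache_dirs}/xfce4/appfinder/{,**} rw,
+
+include if exists <local/xfce-appfinder>
+}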
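--- /dev/null
+++ b/apparmor.d/groups/xfce/xfce-clipman-settings
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xfce4-clipman-settings
+profile xfce-clipman-settings @{exec_path} {
+include <abstractions/base>
+include <abstractions/xfce>
+
+@{exec_path} mr,
+
+/etc/xdg/xfce4/panel/xfce4-clipman-actions.xml r,
+
+owner @{user_config_dirs}/xfce4/panel/xfce4-clipman-actions.xml rw,
+
+include if exists <local/xfce-clipman-settings>
+}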
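--- /dev/null
+++ b/apparmor.d/groups/xfce/xfce-mime-helper
@@ -0,0 +1,17 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xfce-mime-helper
+profile xfce-mime-helper @{exec_path} {
+include <abstractions/base>
+include <abstractions/xfce>
+
+@{exec_path} mr,
+
+include if exists <local/xfce-mime-helper>
+}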
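Review bot: `@{exec_path} = @{bin}/xfce-mime-helper` does not match the binary name the other profiles in this commit use: xfce-panel and xfdesktop both carry `@{bin}/xfce4-mime-helper rix,`. If the installed helper is `xfce4-mime-helper`, this profile never attaches to anything; and because the callers use `rix` rather than a transition, the helper would run inside the caller's profile even if the attachment path were right. Suggest `@{exec_path} = @{bin}/xfce4-mime-helper` here and `@{bin}/xfce4-mime-helper rPx,` in xfce-panel and xfdesktop so the dedicated profile is actually used, or drop this file if inline execution is the intent.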
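--- /dev/null
+++ b/apparmor.d/groups/xfce/xfce-panel
@@ -0,0 +1,55 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xfce4-panel @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0
+profile xfce-panel @{exec_path} {
+include <abstractions/base>
+include <abstractions/app-launcher-user>
+include <abstractions/audio-client>
+include <abstractions/dconf-write>
+include <abstractions/nameservice-strict>
+include <abstractions/xfce>
+
+@{exec_path} mr,
+
+@{bin}/exo-open rix,
+@{bin}/xfce4-mime-helper rix,
+@{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 rix,
+@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rix,
+@{lib}/gio-launch-desktop rix,
+
+@{bin}/sudo rCx -> root,
+
+/usr/share/desktop-directories/{,**} r,
+/usr/share/livecheck/** r,
+/usr/share/xfce4/{,**} r,
+
+/etc/fstab r,
+/etc/machine-id r,
+/etc/timezone r,
+/etc/xdg/menus/{,**} r,
+/etc/xdg/xfce4/{,**} r,
+
+owner @{user_cache_dirs}/xfce4/notifyd/icons/ rw,
+owner @{user_config_dirs}/xfce4/panel/{,**} rw,
+
+@{PROC}/cmdline r,
+owner @{PROC}/@{pid}/cgroup r,
+owner @{PROC}/@{pid}/mountinfo r,
+
+profile root {
+include <abstractions/base>
+include <abstractions/app/sudo>
+
+@{bin}/lsblk rPx,
+
+include if exists <local/xfce-panel-wrapper_root>
+}
+
+include if exists <local/xfce-panel>
+}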
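Review bot: The child profile's local include `include if exists <local/xfce-panel-wrapper_root>` does not match the enclosing profile name; with the profile declared as `profile xfce-panel`, the consistent path is `include if exists <local/xfce-panel_root>`, and the current name reads as if it was carried over from another profile. Since the `root` child is only reached through `@{bin}/sudo rCx -> root,`, it is the privilege-escalating path of this profile, so it deserves a comment naming which panel plugin performs the sudo call and why the only thing it may then run is `@{bin}/lsblk rPx,`; neither is derivable from the rules shown, so something like `# sudo child: used by <plugin> to run lsblk as root — confirm` would do.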
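--- /dev/null
+++ b/apparmor.d/groups/xfce/xfce-power-manager
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xfce4-power-manager
+profile xfce-power-manager @{exec_path} flags=(attach_disconnected) {
+include <abstractions/base>
+include <abstractions/xfce>
+include <abstractions/nameservice-strict>
+
+@{exec_path} mr,
+
+@{bin}/xfpm-power-backlight-helper rPx,
+
+/etc/xdg/autostart/xfce4-power-manager.desktop r,
+
+owner @{PROC}/@{pid}/cgroup r,
+owner @{PROC}/@{pid}/stat r,
+
+@{run}/systemd/inhibit/*.ref rw,
+
+include if exists <local/xfce-power-manager>
+}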
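--- /dev/null
+++ b/apparmor.d/groups/xfce/xfce-screensaver
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xfce4-screensaver
+profile xfce-screensaver @{exec_path} flags=(attach_disconnected) {
+include <abstractions/base>
+include <abstractions/authentication>
+include <abstractions/graphics>
+include <abstractions/xfce>
+include <abstractions/nameservice-strict>
+
+@{exec_path} mr,
+
+@{sh_path} rix,
+@{bin}/pidof rix,
+@{bin}/wc rix,
+
+@{lib}/xfce4-screensaver-dialog rix,
+@{lib}/xfce4-screensaver-gl-helper rix,
+
+/etc/xdg/menus/xfce4-screensavers.menu r,
+
+@{run}/systemd/inhibit/*.ref rw,
+
+include if exists <local/xfce-screensaver>
+}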
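Review bot: `@{lib}/xfce4-screensaver-dialog rix,` runs the unlock dialog inline, so `abstractions/authentication` and every other rule in this profile is granted to the whole screensaver process rather than to the component that actually performs the password check. Because this profile is the lock-screen boundary, the tighter shape is a child or separate profile for the dialog (`@{lib}/xfce4-screensaver-dialog rPx,` or `rCx -> dialog`) that carries `abstractions/authentication`, with the parent keeping only what the screensaver itself needs. The `@{sh_path} rix,` / `@{bin}/pidof rix,` / `@{bin}/wc rix,` trio would also benefit from a comment naming the script that requires a shell, e.g. `# helper scripts shipped with xfce4-screensaver — confirm`, since it is not evident from the rules shown.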
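--- /dev/null
+++ b/apparmor.d/groups/xfce/xfdesktop
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xfdesktop
+profile xfdesktop @{exec_path} {
+include <abstractions/base>
+include <abstractions/app-launcher-user>
+include <abstractions/nameservice-strict>
+include <abstractions/xfce>
+
+@{exec_path} mr,
+
+@{bin}/xfce4-mime-helper rix,
+
+/usr/share/backgrounds/xfce/{,**} r,
+
+/etc/fstab r,
+
+owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
+
+owner @{user_config_dirs}/Thunar/{,**} rw,
+owner @{user_config_dirs}/xfce4/desktop/{,**} rw,
+
+owner @{PROC}/@{pid}/mountinfo r,
+
+deny @{user_share_dirs}/gvfs-metadata/{,*} r,
+
+include if exists <local/xfdesktop>
+}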
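Review bot: `owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,` covers only the directory entry itself; if xfdesktop reads the files it shows as desktop icons (including any `.desktop` launchers placed there), it will additionally need `owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} r,`, and the path by which those launchers are executed should be confirmed to go through `abstractions/app-launcher-user` rather than a new `ix` rule, since a launcher on the desktop is user-writable content. This is inferred from what xfdesktop does, not from the rules shown, so check the audit log before widening.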
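--- /dev/null
+++ b/apparmor.d/groups/xfce/xfpm-power-backlight-helper
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xfpm-power-backlight-helper
+profile xfpm-power-backlight-helper @{exec_path} {
+include <abstractions/base>
+include <abstractions/xfce>
+
+@{exec_path} mr,
+
+owner @{HOME}/.xsession-errors w,
+
+@{sys}/class/backlight/ r,
+@{sys}/class/leds/ r,
+@{sys}/devices/@{pci}/backlight/**/{max_brightness,actual_brightness} r,
+@{sys}/devices/@{pci}/backlight/**/{uevent,type} r,
+@{sys}/devices/@{pci}/backlight/**/brightness rw,
+@{sys}/devices/@{pci}/drm/card@{int}/**/{max_brightness,actual_brightness} r,
+@{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r,
+@{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw,
+@{sys}/devices/@{pci}/intel_backlight/{max_,}brightness rw,
+@{sys}/devices/@{pci}/intel_backlight/type r,
+
+include if exists <local/xfpm-power-backlight-helper>
+}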
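Review bot: `@{sys}/devices/@{pci}/intel_backlight/{max_,}brightness rw,` grants write access to `max_brightness`, which the two other backlight groups in this file treat as read-only (`.../{max_brightness,actual_brightness} r,`). Split it so the write set is exactly the brightness knob: `@{sys}/devices/@{pci}/intel_backlight/max_brightness r,` and `@{sys}/devices/@{pci}/intel_backlight/brightness rw,`. This helper is the privileged component behind xfce-power-manager's `rPx` transition, yet the profile carries no `capability` rule and no comment on how it gains write access to sysfs; a header line such as `# runs privileged on behalf of xfce4-power-manager — confirm mechanism (setuid / polkit)` would record the assumption for the next reviewer.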
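--- /dev/null
+++ b/apparmor.d/groups/xfce/xfsettingsd
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xfsettingsd
+profile xfsettingsd @{exec_path} {
+include <abstractions/base>
+include <abstractions/nameservice-strict>
+include <abstractions/xfce>
+
+@{exec_path} mr,
+
+/etc/xdg/autostart/xfsettingsd.desktop r,
+
+owner @{PROC}/@{pid}/cgroup r,
+
+include if exists <local/xfsettingsd>
+}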
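--- /dev/null
+++ b/apparmor.d/groups/xfce/xfwm
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xfwm4
+profile xfwm @{exec_path} {
+include <abstractions/base>
+include <abstractions/audio-client>
+include <abstractions/fontconfig-cache-write>
+include <abstractions/graphics>
+include <abstractions/nameservice-strict>
+include <abstractions/xfce>
+
+@{exec_path} mr,
+
+/usr/share/xfwm4/{,**} r,
+
+/etc/machine-id r,
+
+include if exists <local/xfwm>
+}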