mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-02-11 12:45:10 +01:00
Merge branch 'roddhjav:main' into main
This commit is contained in:
Besanon
GitHub
commit
f5e0472124
168 changed files with 283 additions and 267 deletions
|
|
@ -36,8 +36,6 @@
|
|||
@{bin}/sudo mr,
|
||||
@{lib}/sudo/** mr,
|
||||
|
||||
@{etc_ro}/environment r,
|
||||
@{etc_ro}/security/limits.d/{,*} r,
|
||||
@{etc_ro}/sudo.conf r,
|
||||
@{etc_ro}/sudoers r,
|
||||
@{etc_ro}/sudoers.d/{,*} r,
|
||||
|
|
@ -46,15 +44,15 @@
|
|||
/etc/machine-id r,
|
||||
|
||||
/var/db/sudo/lectured/ r,
|
||||
owner /var/lib/sudo/ts/ rw,
|
||||
owner /var/lib/sudo/ts/ rw,
|
||||
owner /var/lib/sudo/ts/@{uid} rwk,
|
||||
owner /var/log/sudo.log wk,
|
||||
|
||||
owner @{HOME}/.sudo_as_admin_successful rw,
|
||||
|
||||
# yubikey support
|
||||
owner @{HOME}/.yubico/challenge-* rw,
|
||||
@{HOME}/.yubico/ r,
|
||||
owner @{HOME}/.yubico/challenge-* rw,
|
||||
|
||||
@{run}/faillock/ rw,
|
||||
@{run}/faillock/@{user} rwk,
|
||||
|
|
|
|||
|
|
@ -8,9 +8,9 @@
|
|||
include <abstractions/bus-system>
|
||||
include <abstractions/consoles>
|
||||
|
||||
ptrace (read) peer=@{p_systemd},
|
||||
ptrace read peer=@{p_systemd},
|
||||
|
||||
unix (bind) type=stream addr=@@{hex16}/bus/systemctl/,
|
||||
unix bind type=stream addr=@@{hex16}/bus/systemctl/,
|
||||
|
||||
@{bin}/systemctl mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Provide access to audio devices. It should only be used by audio servers that
|
||||
# need direct access to them.
|
||||
# need direct access to them.
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@
|
|||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name="@{busname}", label=geoclue),
|
||||
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# A minimal set of rules for sandboxed programs using bwrap.
|
||||
# A minimal set of rules for sandboxed programs using bwrap.
|
||||
# A profile using this abstraction still needs to set:
|
||||
# - the flag: attach_disconnected
|
||||
# - bwrap execution: '@{bin}/bwrap rix,'
|
||||
|
|
@ -44,17 +44,16 @@
|
|||
owner /tmp/newroot/ w,
|
||||
owner /tmp/oldroot/ w,
|
||||
|
||||
@{PROC}/sys/kernel/overflowgid r,
|
||||
@{PROC}/sys/kernel/overflowuid r,
|
||||
@{att}/@{PROC}/sys/user/max_user_namespaces rw,
|
||||
owner @{att}/@{PROC}/@{pid}/cgroup r,
|
||||
owner @{att}/@{PROC}/@{pid}/fd/ r,
|
||||
owner @{att}/@{PROC}/@{pid}/gid_map rw,
|
||||
owner @{att}/@{PROC}/@{pid}/mountinfo r,
|
||||
owner @{att}/@{PROC}/@{pid}/setgroups rw,
|
||||
owner @{att}/@{PROC}/@{pid}/uid_map rw,
|
||||
|
||||
@{PROC}/sys/kernel/overflowgid r,
|
||||
@{PROC}/sys/kernel/overflowuid r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
include if exists <abstractions/common/bwrap.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
|
|||
|
|
@ -2,8 +2,8 @@
|
|||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Minimal set of rules for all electron based UI application. It works as a
|
||||
# *function* and requires some variables to be provided as *arguments* and set
|
||||
# Minimal set of rules for all electron based UI application. It works as a
|
||||
# *function* and requires some variables to be provided as *arguments* and set
|
||||
# in the header of the calling profile. Example:
|
||||
#
|
||||
# @{name} = spotify
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@
|
|||
owner @{share_dirs}/logs/* rwk,
|
||||
owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw,
|
||||
owner @{share_dirs}/steamapps/ r,
|
||||
owner @{share_dirs}/steamapps/appmanifest_* rw,
|
||||
owner @{share_dirs}/steamapps/appmanifest_* rw,
|
||||
owner @{share_dirs}/steamapps/shadercache/{,**} rwk,
|
||||
|
||||
owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw,
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@
|
|||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
/usr/{local/,}share/ r,
|
||||
|
|
@ -52,7 +52,7 @@
|
|||
|
||||
owner @{user_cache_dirs}/#@{int} rw,
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_cache_dirs}/ksycoca{5,6}_??_* rwlk,
|
||||
owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk,
|
||||
|
||||
owner @{user_config_dirs}/baloofilerc r,
|
||||
owner @{user_config_dirs}/dolphinrc r,
|
||||
|
|
@ -67,7 +67,7 @@
|
|||
|
||||
# else if @{DE} == xfce
|
||||
|
||||
/usr/share/xfce4/ r,
|
||||
/usr/share/xfce{,4}/ r,
|
||||
|
||||
owner @{user_config_dirs}/xfce4/help{,ers}.rc rw,
|
||||
owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw,
|
||||
|
|
|
|||
|
|
@ -76,7 +76,7 @@
|
|||
/dev/sr@{int} rk,
|
||||
|
||||
# Lookup block device by major:minor numbers
|
||||
# See: https://apparmor.pujol.io/development/structure/#udev-rules
|
||||
# See: https://apparmor.pujol.io/development/internal/#udev-rules
|
||||
|
||||
@{sys}/block/ r,
|
||||
@{sys}/class/block/ r,
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# The Direct Rendering Infrastructure (DRI) is the framework comprising the modern
|
||||
# Linux graphics stack which allows unprivileged user-space programs to issue
|
||||
# Linux graphics stack which allows unprivileged user-space programs to issue
|
||||
# commands to graphics hardware without conflicting with other programs.
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
/usr/share/desktop-base/{,**} r,
|
||||
|
|
|
|||
|
|
@ -6,10 +6,9 @@
|
|||
abi <abi/4.0>,
|
||||
|
||||
@{lib}/@{multiarch}/libproxy/*/modules/*.so mr,
|
||||
@{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,
|
||||
@{lib}/@{multiarch}/libvisual-@{version}/*/*.so mr,
|
||||
@{lib}/frei0r-@{int}/*.so mr,
|
||||
|
||||
# FIXME: not compatible with FSP mode due conflicting x modifiers
|
||||
@{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rix,
|
||||
@{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rix,
|
||||
@{lib}/gstreamer-1.0/gst-plugin-scanner rix,
|
||||
|
|
@ -40,7 +39,7 @@
|
|||
@{run}/udev/data/+usb:* r, # For /dev/bus/usb/**
|
||||
|
||||
@{run}/udev/data/c81:@{int} r, # For video4linux
|
||||
@{run}/udev/data/c189:@{int} r, # For USB serial converters
|
||||
@{run}/udev/data/c189:@{int} r, # For USB serial converters
|
||||
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
|
||||
|
||||
@{sys}/bus/ r,
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@
|
|||
/usr/share/hwdata/pnp.ids r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/lxqt/** r,
|
||||
|
||||
|
||||
owner @{HOME}/.Xdefaults r,
|
||||
|
||||
owner @{user_cache_dirs}/lxqt-notificationd/* r,
|
||||
|
|
|
|||
|
|
@ -6,12 +6,12 @@
|
|||
abi <abi/4.0>,
|
||||
|
||||
/usr/share/uim/* r,
|
||||
|
||||
|
||||
/var/lib/uim/* r,
|
||||
|
||||
|
||||
owner @{HOME}/.uim.d/customs/* r,
|
||||
owner @{HOME}/.XCompose r,
|
||||
|
||||
|
||||
owner @{run}/user/@{uid}/uim/socket/uim-helper rw,
|
||||
|
||||
include if exists <abstractions/uim.d>
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@
|
|||
include <abstractions/X-strict>
|
||||
include <abstractions/xdg-desktop>
|
||||
|
||||
/usr/share/xfce4/ r,
|
||||
/usr/share/xfce{,4}/ r,
|
||||
|
||||
owner @{user_config_dirs}/xfce4/help{,ers}.rc rw,
|
||||
owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw,
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ profile akonadi_followupreminder_agent @{exec_path} {
|
|||
owner @{user_config_dirs}/akonadi_followupreminder_agentrc r,
|
||||
owner @{user_config_dirs}/akonadi/ rw,
|
||||
owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
|
||||
|
||||
|
||||
/dev/tty r,
|
||||
|
||||
include if exists <local/akonadi_followupreminder_agent>
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ profile akonadi_ical_resource @{exec_path} {
|
|||
owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
|
||||
|
||||
owner @{user_share_dirs}/apps/korganizer/{,**} rw,
|
||||
|
||||
|
||||
/dev/tty r,
|
||||
|
||||
include if exists <local/akonadi_ical_resource>
|
||||
|
|
|
|||
|
|
@ -34,7 +34,7 @@ profile akonadi_mailfilter_agent @{exec_path} {
|
|||
owner @{user_config_dirs}/emailidentities* rwl,
|
||||
|
||||
owner @{user_config_dirs}/kmail2rc r,
|
||||
|
||||
|
||||
owner @{tmp}/#@{int} rw,
|
||||
owner @{tmp}/akonadi_mailfilter_agent.* rwl,
|
||||
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ profile akonadi_migration_agent @{exec_path} {
|
|||
owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
|
||||
|
||||
owner @{user_share_dirs}/akonadi_migration_agent/{,**} rw,
|
||||
|
||||
|
||||
/dev/tty r,
|
||||
|
||||
include if exists <local/akonadi_migration_agent>
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ profile apt-helper @{exec_path} {
|
|||
profile systemctl {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app/systemctl>
|
||||
|
||||
|
||||
capability net_admin,
|
||||
|
||||
include if exists <local/apt-helper_systemctl>
|
||||
|
|
|
|||
|
|
@ -78,7 +78,7 @@ profile apt-key @{exec_path} {
|
|||
@{bin}/gpg-connect-agent rix,
|
||||
|
||||
/usr/share/gnupg/sks-keyservers.netCA.pem r,
|
||||
|
||||
|
||||
/etc/hosts r,
|
||||
/etc/inputrc r,
|
||||
|
||||
|
|
@ -96,7 +96,7 @@ profile apt-key @{exec_path} {
|
|||
owner @{tmp}/apt-key-gpghome.*/ rw,
|
||||
owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
|
||||
owner @{tmp}/apt-key-gpghome.*/gpgoutput.{log,err} w,
|
||||
|
||||
|
||||
owner @{run}/user/@{uid}/gnupg/d.*/ rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
|
|
|||
|
|
@ -34,7 +34,7 @@ profile debsign @{exec_path} {
|
|||
@{bin}/stty rix,
|
||||
|
||||
@{bin}/gpg{,2} rCx -> gpg,
|
||||
|
||||
|
||||
/etc/devscripts.conf r,
|
||||
|
||||
owner @{HOME}/.devscripts r,
|
||||
|
|
|
|||
|
|
@ -108,7 +108,7 @@ profile reportbug @{exec_path} {
|
|||
profile systemctl {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app/systemctl>
|
||||
|
||||
|
||||
include if exists <local/reportbug_systemctl>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -37,7 +37,7 @@ profile torbrowser-launcher @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/tail ix,
|
||||
|
||||
@{lib_dirs}/execdesktop ix,
|
||||
@{lib_dirs}/start-tor-browser Px, # torbrowser-start
|
||||
@{lib_dirs}/start-tor-browser Px, # torbrowser-start
|
||||
@{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop ix,
|
||||
|
||||
/usr/share/file/** r,
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ include <tunables/global>
|
|||
@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
|
||||
@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
|
||||
|
||||
@{exec_path} = @{lib_dirs}/TorBrowser/Tor/tor
|
||||
@{exec_path} = @{lib_dirs}/TorBrowser/Tor/tor
|
||||
profile torbrowser-tor @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@
|
|||
|
||||
# Profile for system dbus, regardless of the dbus implementation used.
|
||||
# It does not specify an attachment path as it would be the same than
|
||||
# "dbus-session". It is intended to be used only via "Px ->" or via
|
||||
# "dbus-session". It is intended to be used only via "Px ->" or via
|
||||
# systemd drop-in AppArmorProfile= setting.
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
|
@ -16,7 +16,7 @@ include <tunables/global>
|
|||
profile dbus-system flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/attached/consoles>
|
||||
include <abstractions/deny-sensitive-home>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
# and load the the nvidia kernel module.
|
||||
|
||||
# Note: This profile does not specify an attachment path because it is
|
||||
# intended to be used only via "Px -> child-modprobe-nvidia" exec transitions
|
||||
# intended to be used only via "Px -> child-modprobe-nvidia" exec transitions
|
||||
# from other profiles.
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
|
|
|||
|
|
@ -31,7 +31,7 @@ profile child-open-any flags=(attach_disconnected) {
|
|||
/ r,
|
||||
/usr/ r,
|
||||
/usr/local/bin/ r,
|
||||
|
||||
|
||||
/dev/tty rw,
|
||||
|
||||
include if exists <usr/child-open-any.d>
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ profile cron-cracklib @{exec_path} {
|
|||
include <abstractions/consoles>
|
||||
|
||||
@{exec_path} r,
|
||||
|
||||
|
||||
@{sh_path} rix,
|
||||
@{bin}/logger rix,
|
||||
@{bin}/update-cracklib rPx,
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ profile cron-etckeeper @{exec_path} {
|
|||
include <abstractions/consoles>
|
||||
|
||||
@{exec_path} r,
|
||||
|
||||
|
||||
@{sh_path} rix,
|
||||
@{bin}/rm rix,
|
||||
@{bin}/find rix,
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ profile cron-sysstat @{exec_path} {
|
|||
include <abstractions/consoles>
|
||||
|
||||
@{exec_path} r,
|
||||
|
||||
|
||||
@{sh_path} rix,
|
||||
@{lib}/sysstat/sa2 rPx,
|
||||
|
||||
|
|
|
|||
|
|
@ -32,7 +32,7 @@ profile lightdm-xsession @{exec_path} {
|
|||
profile systemctl {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app/systemctl>
|
||||
|
||||
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
include if exists <local/lightdm-xsession_systemctl>
|
||||
|
|
|
|||
|
|
@ -68,7 +68,7 @@ profile x11-xsession @{exec_path} {
|
|||
|
||||
profile ssh-agent {
|
||||
include <abstractions/base>
|
||||
|
||||
|
||||
@{bin}/ssh-agent mr,
|
||||
|
||||
@{sh_path} rix,
|
||||
|
|
|
|||
|
|
@ -106,7 +106,7 @@ profile xdm-xsession @{exec_path} {
|
|||
profile systemctl {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app/systemctl>
|
||||
|
||||
|
||||
include if exists <local/xdm-xsession_systemctl>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/fc-list
|
||||
profile fc-list @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
|
||||
|
|
|
|||
|
|
@ -41,7 +41,7 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,
|
|||
owner @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/** rwk,
|
||||
owner link @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/** -> @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/**,
|
||||
owner @{user_cache_dirs}/qtshadercache-*/* r,
|
||||
|
||||
|
||||
owner @{tmp}/#@{int} rw,
|
||||
owner @{tmp}/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int},
|
||||
# owner /tmp/xauth_@{rand6} r,
|
||||
|
|
|
|||
|
|
@ -65,6 +65,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/ r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/status r,
|
||||
|
||||
include if exists <local/xdg-desktop-portal-gnome>
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/xdg-desktop-portal-gtk
|
||||
profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/attached/consoles>
|
||||
include <abstractions/bus-accessibility>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
|
|
|
|||
|
|
@ -84,7 +84,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/dev/fuse rw,
|
||||
@{att}/dev/tty@{int} rw,
|
||||
|
||||
|
||||
include if exists <local/xdg-document-portal_fusermount>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ abi <abi/4.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/deja-dup/deja-dup-monitor
|
||||
@{exec_path} = @{lib}/deja-dup/deja-dup-monitor
|
||||
profile deja-dup-monitor @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
|
|
|
|||
|
|
@ -51,7 +51,7 @@ profile evolution-addressbook-factory @{exec_path} {
|
|||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
|||
|
|
@ -73,7 +73,7 @@ profile gdm-xsession @{exec_path} {
|
|||
peer=(name=org.freedesktop.systemd1),
|
||||
|
||||
@{bin}/dbus-update-activation-environment mr,
|
||||
|
||||
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
/dev/tty rw,
|
||||
|
|
|
|||
|
|
@ -78,7 +78,7 @@ profile gnome-boxes @{exec_path} {
|
|||
|
||||
@{bin}/virsh mr,
|
||||
@{bin}/pkttyagent r,
|
||||
|
||||
|
||||
owner @{run}/user/@{uid}/libvirt/ r,
|
||||
owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk,
|
||||
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@ profile gnome-calendar @{exec_path} {
|
|||
|
||||
#aa:dbus own bus=session name=org.gnome.Calendar
|
||||
|
||||
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory
|
||||
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory
|
||||
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory
|
||||
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarView label=evolution-calendar-factory
|
||||
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source label=evolution-source-registry
|
||||
|
|
|
|||
|
|
@ -186,7 +186,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/common/bwrap>
|
||||
|
||||
@{bin}/bwrap mr,
|
||||
|
||||
|
||||
include if exists <local/gnome-control-center_bwrap>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -70,7 +70,7 @@ profile gnome-control-center-goa-helper @{exec_path} {
|
|||
include <abstractions/common/bwrap>
|
||||
|
||||
@{bin}/bwrap mr,
|
||||
|
||||
|
||||
include if exists <local/gnome-control-center-goa-helper_bwrap>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -37,7 +37,7 @@ profile gnome-extension-ding @{exec_path} {
|
|||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
member=Introspect
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-session),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
|
|
|
|||
|
|
@ -66,7 +66,7 @@ profile gnome-session @{exec_path} {
|
|||
include <abstractions/consoles>
|
||||
|
||||
@{bin}/flatpak mr,
|
||||
|
||||
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/gnome-session_flatpak>
|
||||
|
|
|
|||
|
|
@ -315,7 +315,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
@{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
|
||||
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
|
||||
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
|
||||
@{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
|
||||
@{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
|
||||
@{run}/udev/data/n@{int} r,
|
||||
|
||||
@{sys}/**/uevent r,
|
||||
|
|
@ -374,13 +374,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
|
||||
profile shell flags=(attach_disconnected,mediate_deleted) {
|
||||
include <abstractions/base>
|
||||
|
||||
|
||||
capability sys_ptrace,
|
||||
|
||||
ptrace (read),
|
||||
|
||||
@{sh_path} mr,
|
||||
|
||||
|
||||
@{bin}/pmap rix,
|
||||
@{bin}/grep rix,
|
||||
|
||||
|
|
@ -414,7 +414,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
|
||||
owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
|
||||
|
||||
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
|
||||
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
|
||||
|
||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@ profile gnome-shell-calendar-server @{exec_path} {
|
|||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
|||
|
|
@ -154,10 +154,10 @@ profile gnome-software @{exec_path} {
|
|||
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw,
|
||||
owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
|
||||
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
|
||||
|
||||
include if exists <local/gnome-software_gpg>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ profile gsd-disk-utility-notify @{exec_path} {
|
|||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
|||
|
|
@ -79,7 +79,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/dev/media@{int} r,
|
||||
/dev/video@{int} rw,
|
||||
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -34,7 +34,7 @@ profile yelp @{exec_path} {
|
|||
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.current r,
|
||||
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.high r,
|
||||
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.max r,
|
||||
|
||||
|
||||
@{PROC}/zoneinfo r,
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/gpg-agent
|
||||
profile gpg-agent @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
signal (receive) peer=pinentry-*,
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/gpgsm
|
||||
profile gpgsm @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability dac_read_search,
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ profile gvfs-afc-volume-monitor @{exec_path} {
|
|||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ profile gvfs-goa-volume-monitor @{exec_path} {
|
|||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus send bus=session path=/org/gnome/OnlineAccounts
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} {
|
|||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@ profile gvfsd-metadata @{exec_path} {
|
|||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
|||
|
|
@ -46,7 +46,7 @@ profile gvfsd-recent @{exec_path} {
|
|||
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
|
||||
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
include if exists <local/gvfsd-recent>
|
||||
|
|
|
|||
|
|
@ -51,7 +51,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/udev/data/+usb* r, # for USB mouse and keyboard
|
||||
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
|
||||
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
|
||||
@{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
|
||||
@{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
|
||||
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/class/input/ r,
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ profile hyprpicker @{exec_path} {
|
|||
|
||||
owner @{run}/user/@{uid}/.hyprpicker* rw,
|
||||
owner /dev/shm/wlroots-@{rand6} r,
|
||||
|
||||
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/hyprpicker>
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ profile baloo @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/deny-sensitive-home>
|
||||
include <abstractions/disks-read>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/kde-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
|||
|
|
@ -94,7 +94,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
|||
owner @{user_config_dirs}/kxkbrc r,
|
||||
owner @{user_config_dirs}/menus/{,applications-merged/} r,
|
||||
owner @{user_config_dirs}/plasmarc r,
|
||||
owner @{user_config_dirs}/session/* r,
|
||||
owner @{user_config_dirs}/session/* r,
|
||||
|
||||
owner @{user_share_dirs}/kscreen/* r,
|
||||
owner @{user_share_dirs}/kwin/scripts/{,**} r,
|
||||
|
|
|
|||
|
|
@ -81,7 +81,7 @@ profile okular @{exec_path} {
|
|||
owner @{tmp}/#@{int} rw,
|
||||
owner @{tmp}/okular.@{rand6} rwl -> /tmp/#@{int},
|
||||
owner @{tmp}/okular_@{rand6}.ps rwl -> /tmp/#@{int},
|
||||
owner @{tmp}/messageviewer_attachment_@{rand6}/{,*} r, # files opened from KMail as mail attachment,
|
||||
owner @{tmp}/messageviewer_attachment_@{rand6}/{,*} r, # files opened from KMail as mail attachment,
|
||||
|
||||
owner @{run}/user/@{uid}/#@{int} rw,
|
||||
owner @{run}/user/@{uid}/okular@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
|
||||
|
|
|
|||
|
|
@ -172,12 +172,13 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
owner @{tmp}/#@{int} rw,
|
||||
owner @{tmp}/sddm-auth* rw,
|
||||
|
||||
@{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw,
|
||||
|
||||
@{run}/faillock/@{user} rwk,
|
||||
@{run}/sddm.pid rw,
|
||||
@{run}/sddm/\{@{uuid}\} rw,
|
||||
@{run}/sddm/#@{int} rw,
|
||||
@{run}/sddm/xauth_@{rand6} rwl -> @{run}/sddm/#@{int},
|
||||
@{run}/systemd/sessions/*.ref rw,
|
||||
@{run}/user/@{uid}/xauth_@{rand6} rwl,
|
||||
owner @{run}/sddm/ rw,
|
||||
owner @{run}/user/@{uid}/ r,
|
||||
|
|
@ -199,7 +200,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
profile systemctl {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app/systemctl>
|
||||
|
||||
|
||||
include if exists <local/sddm_systemctl>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) {
|
|||
network inet6 raw,
|
||||
network netlink raw,
|
||||
network packet raw,
|
||||
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{sh_path} rix,
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability dac_override,
|
||||
|
||||
|
||||
capability net_admin,
|
||||
capability fowner,
|
||||
capability fsetid,
|
||||
|
|
@ -59,9 +59,9 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{tmp}/@{uuid} rw,
|
||||
owner @{tmp}/talpid-openvpn-@{uuid} rw,
|
||||
|
||||
@{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
|
||||
@{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,
|
||||
|
||||
/dev/net/tun rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{name} = Mullvad?VPN
|
||||
@{lib_dirs} = /opt/@{name}
|
||||
@{lib_dirs} = /opt/@{name}
|
||||
@{config_dirs} = @{user_config_dirs}/@{name}
|
||||
@{cache_dirs} = @{user_cache_dirs}/@{name}
|
||||
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ profile nm-online @{exec_path} {
|
|||
interface=org.freedesktop.NetworkManager.Connection.Active
|
||||
member=StateChanged
|
||||
peer=(name=:*, label=NetworkManager),
|
||||
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int}
|
||||
interface=org.freedesktop.NetworkManager.Settings.Connection
|
||||
member=GetSettings
|
||||
|
|
|
|||
|
|
@ -79,7 +79,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
capability mknod,
|
||||
capability net_admin,
|
||||
|
||||
|
||||
network netlink raw,
|
||||
|
||||
/dev/net/tun rw,
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@ profile arch-audit @{exec_path} {
|
|||
network netlink raw,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
||||
/etc/arch-audit/settings.toml r,
|
||||
|
||||
/usr/share/terminfo/** r,
|
||||
|
|
|
|||
|
|
@ -47,14 +47,15 @@ profile aurpublish @{exec_path} {
|
|||
/etc/makepkg.conf r,
|
||||
/etc/makepkg.conf.d/{,**} r,
|
||||
|
||||
owner @{user_build_dirs}/**/ w,
|
||||
owner @{user_build_dirs}/{,**/} w,
|
||||
owner @{user_projects_dirs}/** r,
|
||||
owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw,
|
||||
owner @{user_projects_dirs}/**/.SRCINFO rw,
|
||||
|
||||
owner @{user_cache_dirs}/makepkg/src/* rw,
|
||||
owner @{user_cache_dirs}/makepkg/src/** rw,
|
||||
owner @{user_config_dirs}/pacman/makepkg.conf r,
|
||||
|
||||
owner /tmp/*/src/ w,
|
||||
owner @{tmp}/tmp.@{rand10} rw,
|
||||
|
||||
/dev/tty rw,
|
||||
|
|
@ -64,14 +65,26 @@ profile aurpublish @{exec_path} {
|
|||
|
||||
@{bin}/gpg{,2} mr,
|
||||
@{bin}/gpgconf mr,
|
||||
@{bin}/gpg-agent rix,
|
||||
@{lib}/{,gnupg/}scdaemon rix,
|
||||
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
|
||||
|
||||
owner @{user_cache_dirs}/makepkg/src/*.asc r,
|
||||
|
||||
owner @{run}/user/@{uid}/ r,
|
||||
owner @{run}/user/@{uid}/gnupg/ r,
|
||||
owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw,
|
||||
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent rw,
|
||||
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.browser w,
|
||||
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.extra w,
|
||||
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.ssh w,
|
||||
|
||||
owner @{tmp}/tmp.@{rand10} rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
include if exists <local/aurpublish_gpg>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -80,7 +80,7 @@ profile makepkg @{exec_path} {
|
|||
|
||||
ptrace read,
|
||||
|
||||
signal send set=winch peer=pacman,
|
||||
signal send set=winch peer=pacman,
|
||||
signal send set=winch peer=pacman//systemctl,
|
||||
|
||||
@{bin}/pacman Px,
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/pacman.conf r,
|
||||
/etc/pacman.d/mirrorlist r,
|
||||
/etc/pacman.d/*-mirrorlist r,
|
||||
|
||||
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
# Inherit Silencer
|
||||
|
|
|
|||
|
|
@ -55,11 +55,11 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
|
|||
capability dac_read_search,
|
||||
|
||||
@{bin}/pacman mr,
|
||||
|
||||
|
||||
@{bin}/gpg rix,
|
||||
@{bin}/gpgconf rix,
|
||||
@{bin}/gpgsm rix,
|
||||
|
||||
|
||||
/etc/pacman.conf r,
|
||||
/etc/pacman.d/{,**} r,
|
||||
/etc/pacman.d/gnupg/** rwkl,
|
||||
|
|
|
|||
|
|
@ -35,7 +35,7 @@ profile pacman-key @{exec_path} {
|
|||
/usr/share/terminfo/** r,
|
||||
|
||||
/etc/pacman.d/gnupg/* rw,
|
||||
|
||||
|
||||
/dev/tty rw,
|
||||
|
||||
profile gpg {
|
||||
|
|
|
|||
|
|
@ -26,12 +26,12 @@ profile ssh-agent-launch @{exec_path} {
|
|||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=UpdateActivationEnvironment
|
||||
member=UpdateActivationEnvironment
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-session),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd1.Manager
|
||||
member=SetEnvironment
|
||||
member=SetEnvironment
|
||||
peer=(name=org.freedesktop.systemd1),
|
||||
|
||||
@{bin}/dbus-update-activation-environment mr,
|
||||
|
|
|
|||
|
|
@ -62,7 +62,7 @@ profile coredumpctl @{exec_path} flags=(complain) {
|
|||
|
||||
/etc/inputrc r,
|
||||
/etc/gdb/** r,
|
||||
|
||||
|
||||
owner /var/tmp/coredump-* rw,
|
||||
|
||||
@{PROC}/@{pids}/fd/ r,
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ profile systemd-cryptsetup @{exec_path} {
|
|||
@{run}/cryptsetup/ r,
|
||||
@{run}/cryptsetup/* rwk,
|
||||
@{run}/systemd/ask-password/* rw,
|
||||
|
||||
|
||||
@{sys}/devices/virtual/bdi/*/read_ahead_kb r,
|
||||
@{sys}/fs/ r,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/systemd-escape
|
||||
profile systemd-escape @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/common/systemd>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ abi <abi/4.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/systemd/system-generators/ostree-system-generator
|
||||
@{exec_path} = @{lib}/systemd/system-generators/ostree-system-generator
|
||||
profile systemd-generator-ostree @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
|
||||
|
|
|
|||
|
|
@ -16,11 +16,11 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
@{exec_path} mr,
|
||||
|
||||
@{lib}/udev/#@{int} rwl,
|
||||
@{lib}/udev/.#hwdb.bin@{hex} wl -> @{lib}/udev/#@{int},
|
||||
@{lib}/udev/.#hwdb.bin@{hex16} wl -> @{lib}/udev/#@{int},
|
||||
@{lib}/udev/hwdb.bin w,
|
||||
|
||||
/etc/udev/.#hwdb.bind* rw,
|
||||
/etc/udev/hwdb.bin rw,
|
||||
/etc/udev/.#hwdb.bin@{hex16} wl -> /etc/udev/#@{int},
|
||||
/etc/udev/hwdb.bin w,
|
||||
/etc/udev/hwdb.d/{,*} r,
|
||||
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
|
|
|
|||
|
|
@ -64,6 +64,7 @@ profile systemd-journald @{exec_path} {
|
|||
@{run}/udev/data/b259:@{int} r, # Block Extended Major
|
||||
@{run}/udev/data/c1:@{int} r, # For RAM disk
|
||||
@{run}/udev/data/c4:@{int} r, # For TTY devices
|
||||
@{run}/udev/data/b8:@{int} r, # for /dev/sd*
|
||||
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
|
||||
@{run}/udev/data/c108:@{int} r, # For /dev/ppp
|
||||
@{run}/udev/data/c18[8-9]:@{int} r, # USB devices & USB serial converters
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
ptrace (read),
|
||||
|
||||
mount options=(rw rshared) -> /,
|
||||
mount options=(rw rshared) -> /,
|
||||
mount options=(rw rslave) -> /,
|
||||
umount /etc/machine-id,
|
||||
|
||||
|
|
|
|||
|
|
@ -19,9 +19,9 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
|
|||
@{exec_path} mr,
|
||||
|
||||
# Config file locations
|
||||
/etc/sysusers.d/*.conf r,
|
||||
@{run}/sysusers.d/*.conf r,
|
||||
/usr/lib/sysusers.d/*.conf r,
|
||||
/etc/sysusers.d/{,*.conf} r,
|
||||
@{run}/sysusers.d/{,*.conf} r,
|
||||
/usr/lib/sysusers.d/{,*.conf} r,
|
||||
|
||||
# Where the users can be created,
|
||||
/home/{,*} rw,
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ profile systemd-tty-ask-password-agent @{exec_path} {
|
|||
@{run}/utmp rk,
|
||||
|
||||
@{PROC}/@{pids}/stat r,
|
||||
|
||||
|
||||
@{sys}/devices/virtual/tty/console/active r,
|
||||
@{sys}/devices/virtual/tty/tty@{int}/active r,
|
||||
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ profile userdbctl @{exec_path} {
|
|||
signal send set=cont peer=child-pager,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
||||
@{pager_path} rPx -> child-pager,
|
||||
|
||||
/etc/shadow r,
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ abi <abi/4.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /usr/share/apport/apport
|
||||
@{exec_path} = /usr/share/apport/apport
|
||||
profile apport @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/common/apt>
|
||||
|
|
|
|||
|
|
@ -102,7 +102,7 @@ profile apport-gtk @{exec_path} {
|
|||
include <abstractions/python>
|
||||
|
||||
@{bin}/gdb mr,
|
||||
|
||||
|
||||
@{bin}/iconv rix,
|
||||
@{bin}/* r,
|
||||
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ profile ubuntu-advantage @{exec_path} {
|
|||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/python>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/ssl_certs>
|
||||
|
||||
capability dac_read_search,
|
||||
capability setgid,
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/cni/bandwidth /opt/cni/bin/bandwidth
|
||||
profile cni-bandwidth @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network inet stream,
|
||||
|
|
@ -17,7 +17,7 @@ profile cni-bandwidth @{exec_path} {
|
|||
network netlink raw,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
||||
include if exists <local/cni-bandwidth>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -25,15 +25,15 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
|
|||
@{exec_path}-ipam rix,
|
||||
|
||||
/ r,
|
||||
|
||||
|
||||
/etc/cni/net.d/{,**} r,
|
||||
|
||||
|
||||
/var/lib/calico/{,**} r,
|
||||
/var/log/calico/cni/ r,
|
||||
/var/log/calico/cni/*.log rw,
|
||||
|
||||
|
||||
/usr/share/mime/globs2 r,
|
||||
|
||||
|
||||
@{run}/calico/ rw,
|
||||
@{run}/calico/ipam.lock rwk,
|
||||
@{run}/netns/cni-@{uuid} r,
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@ profile cni-loopback @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{run}/netns/ r,
|
||||
@{run}/netns/cni-@{uuid} rw,
|
||||
|
||||
|
||||
include if exists <local/cni-loopback>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ profile cni-portmap @{exec_path} {
|
|||
@{bin}/xtables-nft-multi rPx -> cni-xtables-nft,
|
||||
|
||||
@{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw,
|
||||
|
||||
|
||||
include if exists <local/cni-portmap>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -76,7 +76,7 @@ profile cockpit-bridge @{exec_path} {
|
|||
/etc/shadow r,
|
||||
/etc/shells r,
|
||||
|
||||
/ r,
|
||||
/ r,
|
||||
@{HOME}/ r,
|
||||
|
||||
owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw,
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ profile cockpit-update-motd @{exec_path} {
|
|||
profile systemctl {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app/systemctl>
|
||||
|
||||
|
||||
capability net_admin,
|
||||
capability sys_ptrace,
|
||||
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ profile virt-aa-helper @{exec_path} {
|
|||
@{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw,
|
||||
|
||||
/etc/libnl{,-3}/classid r, # Allow reading libnl's classid file
|
||||
|
||||
|
||||
# System VM images
|
||||
/var/lib/libvirt/images/{,**} r,
|
||||
/var/lib/nova/instances/_base/* r,
|
||||
|
|
|
|||
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue