update apparmor profiles
parent
2cd06e74d6
commit
f73da4a046
@ -22,11 +22,12 @@
|
||||
# .Xauthority files required for X connections, per user
|
||||
owner @{HOME}/.Xauthority r,
|
||||
owner @{HOME}/.local/share/sddm/.Xauthority r,
|
||||
owner /{,var/}run/gdm{,3}/*/database r,
|
||||
owner /{,var/}run/lightdm/authority/[0-9]* r,
|
||||
owner /{,var/}run/lightdm/*/xauthority r,
|
||||
owner /{,var/}run/user/*/gdm/Xauthority r,
|
||||
owner /{,var/}run/user/*/X11/Xauthority r,
|
||||
owner @{run}/gdm{,3}/*/database r,
|
||||
owner @{run}/lightdm/authority/[0-9]* r,
|
||||
owner @{run}/lightdm/*/xauthority r,
|
||||
owner @{run}/user/*/gdm/Xauthority r,
|
||||
owner @{run}/user/*/X11/Xauthority r,
|
||||
owner @{run}/user/*/xauth_* r,
|
||||
|
||||
# the unix socket to use to connect to the display
|
||||
/tmp/.X11-unix/* rw,
|
||||
|
45
apparmor.d/abstractions/dbus-network-manager-strict
Normal file
45
apparmor.d/abstractions/dbus-network-manager-strict
Normal file
@ -0,0 +1,45 @@
|
||||
# vim:syntax=apparmor
|
||||
|
||||
dbus send
|
||||
bus=system
|
||||
path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=org.freedesktop.NetworkManager),
|
||||
|
||||
dbus send
|
||||
bus=system
|
||||
path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.NetworkManager
|
||||
member=GetDevices
|
||||
peer=(name=org.freedesktop.NetworkManager),
|
||||
|
||||
dbus send
|
||||
bus=system
|
||||
path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=org.freedesktop.NetworkManager),
|
||||
|
||||
dbus send
|
||||
bus=system
|
||||
path=/org/freedesktop/NetworkManager/Devices/[0-9]*
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=org.freedesktop.NetworkManager),
|
||||
|
||||
dbus send
|
||||
bus=system
|
||||
path=/org/freedesktop/NetworkManager/Settings
|
||||
interface=org.freedesktop.NetworkManager.Settings
|
||||
member={GetDevices,ListConnections}
|
||||
peer=(name=org.freedesktop.NetworkManager),
|
||||
|
||||
dbus send
|
||||
bus=system
|
||||
path=/org/freedesktop/NetworkManager/Settings/[0-9]*
|
||||
interface=org.freedesktop.NetworkManager.Settings.Connection
|
||||
member=GetSettings
|
||||
peer=(name=org.freedesktop.NetworkManager),
|
||||
|
||||
#include if exists <abstractions/dbus-network-manager-strict.d>
|
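Review bot: The new abstraction has no header comment stating what it grants, so a profile author has to read all six dbus blocks to learn that it is a query-only set (GetAll, GetDevices, ListConnections, GetSettings) against NetworkManager on the system bus; the other new file in this commit, hosts_access, does carry a header. Suggest a comment under the vim modeline such as `# Query-only D-Bus access to NetworkManager (devices, active connections, settings); no method that changes NM state.` The `member={GetDevices,ListConnections}` on the `org.freedesktop.NetworkManager.Settings` interface looks off: GetDevices is a method of the `org.freedesktop.NetworkManager` interface, which the second block already grants, so that alternative most likely never matches and can be dropped unless it was checked against the NM introspection data.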
@ -16,7 +16,7 @@
|
||||
# When this is blocked, expect lots of the following errors:
|
||||
# dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied.
|
||||
# dconf will not work properly.
|
||||
deny owner /{var/,}run/user/[0-9]*/dconf/{,**} rw,
|
||||
deny owner @{run}/user/[0-9]*/dconf/{,**} rw,
|
||||
|
||||
deny owner @{HOME}/.config/dconf/{,**} rw,
|
||||
deny owner @{HOME}/.cache/dconf/{,**} rw,
|
||||
|
@ -60,27 +60,27 @@
|
||||
# changes, it's better to allow the whole range (240-254) instead of the single major numbers
|
||||
# visible in the /proc/devices file.
|
||||
# [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
|
||||
/{var/,}run/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
|
||||
/{var/,}run/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
|
||||
/{var/,}run/udev/data/b11:[0-9]* r, # for /dev/sr*
|
||||
/{var/,}run/udev/data/b8:[0-9]* r, # for /dev/sd*
|
||||
/{var/,}run/udev/data/b7:[0-9]* r, # for /dev/loop*
|
||||
@{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
|
||||
@{run}/udev/data/b11:[0-9]* r, # for /dev/sr*
|
||||
@{run}/udev/data/b8:[0-9]* r, # for /dev/sd*
|
||||
@{run}/udev/data/b7:[0-9]* r, # for /dev/loop*
|
||||
|
||||
/{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
||||
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
||||
|
||||
/{var/,}run/udev/data/+usb:* r, # for ?
|
||||
@{run}/udev/data/+usb:* r, # for ?
|
||||
|
@ -60,27 +60,27 @@
|
||||
# changes, it's better to allow the whole range (240-254) instead of the single major numbers
|
||||
# visible in the /proc/devices file.
|
||||
# [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
|
||||
/{var/,}run/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
@{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
|
||||
/{var/,}run/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
|
||||
/{var/,}run/udev/data/b11:[0-9]* r, # for /dev/sr*
|
||||
/{var/,}run/udev/data/b8:[0-9]* r, # for /dev/sd*
|
||||
/{var/,}run/udev/data/b7:[0-9]* r, # for /dev/loop*
|
||||
@{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
|
||||
@{run}/udev/data/b11:[0-9]* r, # for /dev/sr*
|
||||
@{run}/udev/data/b8:[0-9]* r, # for /dev/sd*
|
||||
@{run}/udev/data/b7:[0-9]* r, # for /dev/loop*
|
||||
|
||||
/{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
||||
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
||||
|
||||
/{var/,}run/udev/data/+usb:* r, # for ?
|
||||
@{run}/udev/data/+usb:* r, # for ?
|
||||
|
@ -65,7 +65,10 @@
|
||||
/usr/share/{xfce{,4},xubuntu}/applications/{,*.list} r,
|
||||
|
||||
# User files
|
||||
owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{HOME}/.config/xfce4/helpers.rc r,
|
||||
owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
|
||||
|
||||
# Include additions to the abstraction
|
||||
#include if exists <abstractions/exo-open.d>
|
||||
|
@ -14,8 +14,7 @@
|
||||
|
||||
/usr/lib/xorg/modules/fonts/**.so* mr,
|
||||
|
||||
/usr/share/fonts/ r,
|
||||
/usr/share/fonts/** r,
|
||||
/usr/share/fonts/{,**} r,
|
||||
/usr/share/fonts-*/{,**} r,
|
||||
|
||||
/etc/fonts/** r,
|
||||
|
@ -52,3 +52,6 @@
|
||||
owner @{HOME}/.config/mimeapps.list r,
|
||||
owner @{HOME}/.local/share/applications/{,*.desktop} r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
# Include additions to the abstraction
|
||||
#include if exists <abstractions/gio-open.d>
|
||||
|
@ -26,6 +26,7 @@
|
||||
/usr/lib/@{multiarch}/gtk-[0-9]*/** mr,
|
||||
/usr/share/themes/ r,
|
||||
/usr/share/themes/** r,
|
||||
/usr/share/gtk-3.0/settings.ini r,
|
||||
|
||||
# for gnome 1 applications
|
||||
/etc/orbitrc r,
|
||||
@ -87,6 +88,7 @@
|
||||
/usr/share/gvfs/remote-volume-monitors/ r,
|
||||
/usr/share/gvfs/remote-volume-monitors/* r,
|
||||
@{PROC}/@{pid}/mounts r,
|
||||
/run/mount/utab r,
|
||||
|
||||
# printing
|
||||
/etc/papersize r,
|
||||
|
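Review bot: `/run/mount/utab r,` is added with a literal `/run/` prefix while every other rule in this commit moves to `@{run}`, and this very hunk already uses variables (`@{PROC}/@{pid}/mounts`); write it as `@{run}/mount/utab r,` so it also covers the `/var/run/` spelling on systems where the variable expands to both. The enclosing abstraction continues outside the hunk.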
@ -40,3 +40,6 @@
|
||||
|
||||
/usr/bin/gvfs-open r,
|
||||
/{,usr/}bin/dash mr,
|
||||
|
||||
# Include additions to the abstraction
|
||||
#include if exists <abstractions/gvfs-open.d>
|
||||
|
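Review bot: `/{,usr/}bin/dash mr,` spells the alternation as `/{,usr/}bin/` while the profiles in this commit use `/{usr/,}bin/` (the gdb, umount and su rules, for instance); both match the same paths, but a single spelling keeps grepping for binary rules reliable, so suggest `/{usr/,}bin/dash mr,`. Since `mr` grants only read and mmap, not execution, an including profile that wants to run dash still needs its own exec rule; a comment such as `# mmap only; the including profile must grant exec for dash itself` would make that explicit in an abstraction others pull in. The enclosing abstraction begins outside the hunk.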
13
apparmor.d/abstractions/hosts_access
Normal file
13
apparmor.d/abstractions/hosts_access
Normal file
@ -0,0 +1,13 @@
|
||||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2020 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
/etc/hosts.deny r,
|
||||
/etc/hosts.allow r,
|
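Review bot: hosts_access ends without the `#include if exists <abstractions/hosts_access.d>` hook that the other new abstraction in this commit (dbus-network-manager-strict) and the touched exo-open, gio-open, gvfs-open, kde-open5 and xdg-open abstractions all carry, so local additions cannot be dropped in without editing the packaged file. Suggest appending `# Include additions to the abstraction` and `#include if exists <abstractions/hosts_access.d>` after the two `/etc/hosts.*` rules.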
@ -33,7 +33,7 @@
|
||||
#
|
||||
# # Add if audio support for message box is
|
||||
# # considered as required.
|
||||
# include if exists <abstractions/gstreamer>
|
||||
# #include if exists <abstractions/gstreamer>
|
||||
#
|
||||
# # < add additional allowed applications here >
|
||||
# }
|
||||
@ -100,3 +100,5 @@
|
||||
owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
|
||||
owner @{HOME}/.cache/kio_http/ rw,
|
||||
|
||||
# Include additions to the abstraction
|
||||
#include if exists <abstractions/kde-open5.d>
|
||||
|
@ -28,8 +28,8 @@
|
||||
# includes this abstraction)
|
||||
#owner @{HOME}/.config/#[0-9]*[0-9] rwk,
|
||||
#owner @{HOME}/.config/@{KDE_APP_NAME}rc* rwlk -> @{HOME}/.config/#[0-9]*[0-9],
|
||||
#owner /{var/,}run/user/[0-9]*/#[0-9]*[0-9] rw,
|
||||
#owner /{var/,}run/user/[0-9]*/@{KDE_APP_NAME}*.slave-socket rwl -> /{var/,}run/user/[0-9]*/#[0-9]*[0-9],
|
||||
#owner @{run}/user/[0-9]*/#[0-9]*[0-9] rw,
|
||||
#owner @{run}/user/[0-9]*/@{KDE_APP_NAME}*.slave-socket rwl -> @{run}/user/[0-9]*/#[0-9]*[0-9],
|
||||
|
||||
# Common KDE config files
|
||||
#owner @{HOME}/.config/#[0-9]*[0-9] rw,
|
||||
@ -57,9 +57,9 @@
|
||||
#deny @{sys}/bus/ r,
|
||||
#deny @{sys}/bus/usb/devices/ r,
|
||||
#deny @{sys}/class/ r,
|
||||
#deny /{var/,}run/udev/data/b8:[0-9]* r, # for /dev/sda1 , etc.
|
||||
#deny /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/001/001 , etc.
|
||||
#deny /{var/,}run/udev/data/+usb:* r, #
|
||||
#deny @{run}/udev/data/b8:[0-9]* r, # for /dev/sda1 , etc.
|
||||
#deny @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/001/001 , etc.
|
||||
#deny @{run}/udev/data/+usb:* r, #
|
||||
#/etc/exports r,
|
||||
#/etc/xdg/menus/ r,
|
||||
#/usr/share/mime/ r,
|
||||
|
@ -9,5 +9,6 @@
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# mdnsd
|
||||
/etc/mdns.allow r,
|
||||
/etc/nss_mdns.conf r,
|
||||
/{,var/}run/mdnsd w,
|
||||
|
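Review bot: `/{,var/}run/mdnsd w,` keeps the literal `/{,var/}run/` form that the rest of this commit replaces with `@{run}`; the hunk header shows one added line and without side markers it is not certain whether this line or `/etc/nss_mdns.conf r,` is the new one, but either way the rule should follow the commit's convention, `@{run}/mdnsd w,`. The enclosing abstraction continues outside the hunk.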
@ -30,8 +30,8 @@
|
||||
/var/lib/extrausers/passwd r,
|
||||
|
||||
# NSS records from systemd-userdbd.service
|
||||
/{,var/}run/systemd/userdb/ r,
|
||||
/{,var/}run/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
|
||||
@{run}/systemd/userdb/ r,
|
||||
@{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
# When using sssd, the passwd and group files are stored in an alternate path
|
||||
|
@ -1,7 +1,8 @@
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2005 Novell/SUSE
|
||||
# Copyright (C) 2015 Canonical, Ltd.
|
||||
# Copyright (C) 2015-2018 Canonical, Ltd.
|
||||
# Copyright (C) 2020 Christian Boltz
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
@ -31,6 +32,7 @@
|
||||
/usr/lib{,32,64}/sasl2/ r,
|
||||
/usr/lib/@{multiarch}/sasl2/* mr,
|
||||
/usr/lib/@{multiarch}/sasl2/ r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
|
||||
/var/spool/postfix/etc/* r,
|
||||
/var/spool/postfix/lib/lib*.so* mr,
|
||||
|
@ -16,8 +16,8 @@
|
||||
owner @{HOME}/.config/#[0-9]*[0-9] rwk,
|
||||
owner @{HOME}/.config/trashrc.* rwl -> @{HOME}/.config/#[0-9]*[0-9],
|
||||
|
||||
owner /{var/,}run/user/[0-9]*/#[0-9]*[0-9] rw,
|
||||
owner /{var/,}run/user/[0-9]*/trash.so*.[0-9].slave-socket rwl -> /{var/,}run/user/[0-9]*/#[0-9]*[0-9],
|
||||
owner @{run}/user/[0-9]*/#[0-9]*[0-9] rw,
|
||||
owner @{run}/user/[0-9]*/trash.so*.[0-9].slave-socket rwl -> @{run}/user/[0-9]*/#[0-9]*[0-9],
|
||||
|
||||
# Home trash location
|
||||
owner @{HOME}/.local/share/Trash/ rw,
|
||||
|
@ -3,10 +3,15 @@
|
||||
|
||||
# System files
|
||||
/dev/dri/ r, # libvulkan_radeon.so, libvulkan_intel.so (Mesa)
|
||||
/etc/glvnd/egl_vendor.d/{*,.json} r,
|
||||
/etc/vulkan/icd.d/{,*.json} r,
|
||||
/etc/vulkan/{explicit,implicit}_layer.d/{,*.json} r,
|
||||
# for drmGetMinorNameForFD() from libvulkan_intel.so (Mesa)
|
||||
@{sys}/devices/pci[0-9]*/*/drm/ r,
|
||||
@{sys}/devices/pci[0-9]*/*/drm/card[0-9]/gt_{max,min}_freq_mhz r, # anv_enumerate_physical_devices() from libvulkan_intel.so
|
||||
@{sys}/devices/pci[0-9]*/*/drm/card[0-9]/metrics/ r, # anv_enumerate_physical_devices() from libvulkan_intel.so
|
||||
@{sys}/devices/pci[0-9]*/*/drm/card[0-9]/metrics/????????-????-????-????-????????????/id r, # anv_enumerate_physical_devices() from libvulkan_intel.so
|
||||
/usr/share/glvnd/egl_vendor.d/{,*.json} r,
|
||||
/usr/share/vulkan/icd.d/{,*.json} r,
|
||||
/usr/share/vulkan/{explicit,implicit}_layer.d/{,*.json} r,
|
||||
|
||||
|
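Review bot: `/etc/glvnd/egl_vendor.d/{*,.json} r,` has the alternation inverted: `{*,.json}` expands to `egl_vendor.d/*` (any file in the directory) plus a literal `egl_vendor.d/.json`, while the sibling rules use `{,*.json}` to grant the directory listing and the `*.json` vendor files. As written it is broader than the matching `/usr/share/glvnd/egl_vendor.d/{,*.json} r,` rule a few lines below and does not allow reading the directory itself; change it to `/etc/glvnd/egl_vendor.d/{,*.json} r,`. The enclosing abstraction continues outside the hunk.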
@ -12,6 +12,6 @@
|
||||
|
||||
#abi <abi/3.0>,
|
||||
|
||||
owner /{,var/}run/user/[0-9]*/weston-shared-* rw,
|
||||
owner /{,var/}run/user/[0-9]*/wayland-[0-9]* rw,
|
||||
owner /{,var/}run/user/[0-9]*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,
|
||||
owner @{run}/user/[0-9]*/weston-shared-* rw,
|
||||
owner @{run}/user/[0-9]*/wayland-[0-9]* rw,
|
||||
owner @{run}/user/[0-9]*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,
|
||||
|
@ -24,7 +24,7 @@
|
||||
#
|
||||
# # Enable gstreamer support if considered required by
|
||||
# # profile author for (rare) error message boxes.
|
||||
# include if exists <abstractions/gstreamer>
|
||||
# #include if exists <abstractions/gstreamer>
|
||||
#
|
||||
# # needed for ubuntu-* abstractions
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
@ -79,3 +79,6 @@
|
||||
# Usr files
|
||||
|
||||
owner @{HOME}/.local/share/applications/{,*.desktop} r,
|
||||
|
||||
# Include additions to the abstraction
|
||||
#include if exists <abstractions/xdg-open.d>
|
||||
|
@ -142,7 +142,7 @@ profile amarok @{exec_path} {
|
||||
|
||||
/usr/share/icons/*/index.theme rk,
|
||||
|
||||
/{var/,}run/user/[0-9]*/ksocket-*/amarok*.slave-socket rw,
|
||||
@{run}/user/[0-9]*/ksocket-*/amarok*.slave-socket rw,
|
||||
|
||||
# What's this for?
|
||||
deny /etc/mysql/** r,
|
||||
@ -162,7 +162,7 @@ profile amarok @{exec_path} {
|
||||
deny @{sys}/devices/virtual/sound/seq/uevent r,
|
||||
deny @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{manufacturer,product,uevent,type} r,
|
||||
deny @{sys}/devices/system/node/ r,
|
||||
deny /{,var/}run/udev/data/* r,
|
||||
deny @{run}/udev/data/* r,
|
||||
|
||||
# To generate the crash log info in Amarok
|
||||
/{usr/,}bin/gdb rCx -> gdb,
|
||||
|
@ -34,7 +34,7 @@ profile apt-cdrom @{exec_path} flags=(complain) {
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/*/ r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
/{var/,}run/udev/data/* r,
|
||||
@{run}/udev/data/* r,
|
||||
|
||||
/etc/fstab r,
|
||||
|
||||
@ -80,8 +80,8 @@ profile apt-cdrom @{exec_path} flags=(complain) {
|
||||
|
||||
/{usr/,}bin/umount mr,
|
||||
|
||||
/{var/,}run/mount/utab{,.*} rw,
|
||||
/{var/,}run/mount/utab.lock rwk,
|
||||
@{run}/mount/utab{,.*} rw,
|
||||
@{run}/mount/utab.lock rwk,
|
||||
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
|
@ -146,7 +146,7 @@ profile aptitude @{exec_path} flags=(complain) {
|
||||
/var/lib/debtags/vocabulary r,
|
||||
/{usr/,}bin/su rPx,
|
||||
|
||||
/{var/,}run/lock/aptitude rwk,
|
||||
@{run}/lock/aptitude rwk,
|
||||
/usr/share/aptitude/ r,
|
||||
/usr/share/aptitude/* r,
|
||||
/var/lib/aptitude/pkgstates{,.old,.new} rw,
|
||||
|
@ -25,8 +25,8 @@ profile blkid @{exec_path} {
|
||||
|
||||
# The standard location of the cache file
|
||||
# Without owner here if this tool should be used as a regular user
|
||||
/{,var/}run/blkid/blkid.tab{,-*} rw,
|
||||
/{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab,
|
||||
@{run}/blkid/blkid.tab{,-*} rw,
|
||||
@{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
|
||||
# When the system doesn't have the /run/ dir, the cache file is placed under /etc/
|
||||
/etc/blkid.tab{,-*} rw,
|
||||
/etc/blkid.tab.old rwl -> /etc/blkid.tab,
|
||||
|
@ -32,7 +32,7 @@ profile bluetoothd @{exec_path} {
|
||||
/dev/rfkill rw,
|
||||
/dev/hidraw[0-9]* rw,
|
||||
|
||||
/{,var/}run/sdp rw,
|
||||
@{run}/sdp rw,
|
||||
|
||||
@{sys}/devices/virtual/dmi/id/chassis_type r,
|
||||
@{sys}/devices/platform/**/rfkill/**/name r,
|
||||
|
@ -172,7 +172,7 @@ profile brave @{exec_path} {
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/**/ r,
|
||||
/{,var/}run/udev/data/* r,
|
||||
@{run}/udev/data/* r,
|
||||
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
|
||||
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
|
||||
|
||||
|
@ -25,8 +25,8 @@ profile btrfs @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{var/,}run/blkid/blkid.tab{,-*} rw,
|
||||
/{var/,}run/blkid/blkid.tab.old rwl -> /run/blkid/blkid.tab,
|
||||
@{run}/blkid/blkid.tab{,-*} rw,
|
||||
@{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
|
||||
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
@{PROC}/partitions r,
|
||||
|
@ -23,8 +23,8 @@ profile btrfstune @{exec_path} {
|
||||
@{PROC}/partitions r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
owner /{,var/}run/blkid/blkid.tab{,-*} rw,
|
||||
owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab,
|
||||
owner @{run}/blkid/blkid.tab{,-*} rw,
|
||||
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
|
||||
|
||||
#include if exists <local/btrfstune>
|
||||
}
|
||||
|
@ -156,8 +156,8 @@ profile calibre @{exec_path} {
|
||||
|
||||
@{sys}/devices/pci[0-9]*/**/irq r,
|
||||
|
||||
/{,var/}run/udev/data/+usb* r, #
|
||||
/{,var/}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
||||
@{run}/udev/data/+usb* r, #
|
||||
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
||||
|
||||
/dev/shm/ r,
|
||||
/dev/shm/#[0-9]*[0-9] rw,
|
||||
|
@ -50,7 +50,7 @@ profile cawbird @{exec_path} {
|
||||
|
||||
# This is needed as cawbird stores its settings in the dconf database.
|
||||
#include <abstractions/dconf>
|
||||
/{var/,}run/user/[0-9]*/dconf/user rw,
|
||||
@{run}/user/[0-9]*/dconf/user rw,
|
||||
|
||||
/var/lib/dbus/machine-id r,
|
||||
/etc/machine-id r,
|
||||
@ -60,7 +60,7 @@ profile cawbird @{exec_path} {
|
||||
|
||||
# The orcexec.* file is JIT compiled code for various GStreamer elements.
|
||||
# If one is blocked the next is used instead.
|
||||
owner /{var/,}run/user/[0-9]*/orcexec.* mrw,
|
||||
owner @{run}/user/[0-9]*/orcexec.* mrw,
|
||||
#owner @{HOME}/orcexec.* mrw,
|
||||
#owner /tmp/orcexec.* mrw,
|
||||
|
||||
|
@ -27,8 +27,8 @@ profile cfdisk @{exec_path} {
|
||||
|
||||
/etc/fstab r,
|
||||
|
||||
owner /{,var/}run/blkid/blkid.tab{,-*} rw,
|
||||
owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab,
|
||||
owner @{run}/blkid/blkid.tab{,-*} rw,
|
||||
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
|
||||
|
||||
# A place for file images
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
|
@ -43,7 +43,7 @@ profile cgrulesengd @{exec_path} {
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
@{PROC}/cgroups r,
|
||||
|
||||
owner /{var/,}run/cgred.socket w,
|
||||
owner @{run}/cgred.socket w,
|
||||
|
||||
/etc/cgconfig.conf r,
|
||||
/etc/cgrules.conf r,
|
||||
|
@ -149,7 +149,7 @@ profile chromium-chromium @{exec_path} {
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/**/ r,
|
||||
/{,var/}run/udev/data/* r,
|
||||
@{run}/udev/data/* r,
|
||||
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
|
||||
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
|
||||
|
||||
|
@ -133,8 +133,8 @@ profile code @{exec_path} {
|
||||
owner "/tmp/VSCode Crashes/" rw,
|
||||
owner /tmp/vscode-typescript[0-9]*/ rw,
|
||||
|
||||
owner /{var/,}run/user/[0-9]*/vscode-[0-9a-f]*-*-{shared,main}.sock rw,
|
||||
owner /{var/,}run/user/[0-9]*/vscode-git-askpass-[0-9a-f]*.sock rw,
|
||||
owner @{run}/user/[0-9]*/vscode-[0-9a-f]*-*-{shared,main}.sock rw,
|
||||
owner @{run}/user/[0-9]*/vscode-git-askpass-[0-9a-f]*.sock rw,
|
||||
|
||||
owner /tmp/vscode-ipc-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*.sock rw,
|
||||
# For installing extensions
|
||||
|
@ -39,8 +39,8 @@ profile colord @{exec_path} {
|
||||
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{uevent,bDeviceClass,removable} r,
|
||||
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
|
||||
|
||||
/{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
||||
/{var/,}run/udev/data/+usb:* r, #
|
||||
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
||||
@{run}/udev/data/+usb:* r, #
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
|
@ -38,8 +38,8 @@ profile colord-sane @{exec_path} flags=(complain) {
|
||||
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{uevent,busnum,devnum,speed,descriptors} r,
|
||||
@{sys}/devices/pci[0-9]*/**/{vendor,model,type} r,
|
||||
|
||||
/{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
||||
/{var/,}run/udev/data/+usb:* r, #
|
||||
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
||||
@{run}/udev/data/+usb:* r, #
|
||||
|
||||
@{PROC}/sys/dev/parport/ r,
|
||||
|
||||
|
@ -61,8 +61,8 @@ profile cron @{exec_path} {
|
||||
|
||||
/var/spool/cron/crontabs/{,*} r,
|
||||
|
||||
owner /{,var/}run/crond.pid rwk,
|
||||
owner /{,var/}run/crond.reboot rw,
|
||||
owner @{run}/crond.pid rwk,
|
||||
owner @{run}/crond.reboot rw,
|
||||
|
||||
owner /tmp/#[0-9]*[0-9] rw,
|
||||
|
||||
|
@ -22,7 +22,7 @@ profile cron-apt-listbugs @{exec_path} {
|
||||
|
||||
/{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean rCx -> prefclean,
|
||||
|
||||
/{var/,}run/systemd/system r,
|
||||
@{run}/systemd/system r,
|
||||
|
||||
|
||||
profile prefclean {
|
||||
|
@ -31,7 +31,7 @@ profile cron-mlocate @{exec_path} {
|
||||
/{usr/,}bin/updatedb.mlocate rPx,
|
||||
/{usr/,}sbin/on_ac_power rPx,
|
||||
|
||||
/{var/,}run/mlocate.daily.lock rwk,
|
||||
@{run}/mlocate.daily.lock rwk,
|
||||
|
||||
#include if exists <local/cron-mlocate>
|
||||
}
|
||||
|
@ -40,9 +40,9 @@ profile dbus-daemon @{exec_path} {
|
||||
|
||||
/usr/share/defaults/**.conf r,
|
||||
|
||||
/{var/,}run/systemd/users/[0-9]* r,
|
||||
owner /{var/,}run/user/[0-9]*/dbus-1/ rw,
|
||||
owner /{var/,}run/user/[0-9]*/dbus-1/services/ rw,
|
||||
@{run}/systemd/users/[0-9]* r,
|
||||
owner @{run}/user/[0-9]*/dbus-1/ rw,
|
||||
owner @{run}/user/[0-9]*/dbus-1/services/ rw,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
@ -25,8 +25,8 @@ profile dconf-editor @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner /{var/,}run/user/[0-9]*/dconf/ rw,
|
||||
owner /{var/,}run/user/[0-9]*/dconf/user rw,
|
||||
owner @{run}/user/[0-9]*/dconf/ rw,
|
||||
owner @{run}/user/[0-9]*/dconf/user rw,
|
||||
|
||||
# When GSETTINGS_BACKEND=keyfile
|
||||
owner @{HOME}/.config/glib-2.0/ rw,
|
||||
|
@ -22,8 +22,8 @@ profile dconf-service @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner /{,var/}run/user/[0-9]*/dconf/ rw,
|
||||
owner /{,var/}run/user/[0-9]*/dconf/user rw,
|
||||
owner @{run}/user/[0-9]*/dconf/ rw,
|
||||
owner @{run}/user/[0-9]*/dconf/user rw,
|
||||
|
||||
owner @{HOME}/.config/dconf/ rw,
|
||||
owner @{HOME}/.config/dconf/user{,.*} rw,
|
||||
|
@ -29,7 +29,7 @@ profile ddclient @{exec_path} {
|
||||
|
||||
/etc/ddclient.conf r,
|
||||
|
||||
/{,var/}run/ddclient.pid rw,
|
||||
@{run}/ddclient.pid rw,
|
||||
|
||||
/var/cache/ddclient/ddclient.cache rw,
|
||||
|
||||
|
@ -40,8 +40,8 @@ profile dhclient @{exec_path} {
|
||||
/etc/dhcp/{,**} r,
|
||||
|
||||
/var/lib/dhcp{,3}/dhclient* rw,
|
||||
owner /{,var/}run/dhclient*.pid rw,
|
||||
owner /{,var/}run/dhclient*.lease* rw,
|
||||
owner @{run}/dhclient*.pid rw,
|
||||
owner @{run}/dhclient*.lease* rw,
|
||||
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
|
||||
|
@ -86,7 +86,7 @@ profile dhclient-script @{exec_path} {
|
||||
owner /tmp/variables.txt w,
|
||||
|
||||
# For ntpd/ntpsec
|
||||
/{var/,}run/systemd/netif/leases/ r,
|
||||
@{run}/systemd/netif/leases/ r,
|
||||
|
||||
# file_inherit
|
||||
/var/lib/dhcp/dhclient.leases r,
|
||||
|
@ -29,8 +29,8 @@ profile dirmngr @{exec_path} {
|
||||
|
||||
/usr/share/gnupg/sks-keyservers.netCA.pem r,
|
||||
|
||||
owner /{var/,}run/user/[0-9]*/gnupg/ rw,
|
||||
owner /{var/,}run/user/[0-9]*/gnupg/S.dirmngr rw,
|
||||
owner @{run}/user/[0-9]*/gnupg/ rw,
|
||||
owner @{run}/user/[0-9]*/gnupg/S.dirmngr rw,
|
||||
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
|
||||
|
@ -125,7 +125,7 @@ profile discord @{exec_path} {
|
||||
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
|
||||
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
|
||||
|
||||
owner /{var/,}run/user/[0-9]*/discord-ipc-[0-9] rw,
|
||||
owner @{run}/user/[0-9]*/discord-ipc-[0-9] rw,
|
||||
|
||||
/var/lib/dbus/machine-id r,
|
||||
/etc/machine-id r,
|
||||
|
@ -66,10 +66,16 @@ profile dpkg-buildpackage @{exec_path} flags=(complain) {
|
||||
/{usr/,}bin/patch rix,
|
||||
/{usr/,}bin/diff rix,
|
||||
|
||||
/{usr/,}bin/gpg rix,
|
||||
/{usr/,}bin/gpgv rix,
|
||||
/{usr/,}bin/gpg-agent rix,
|
||||
|
||||
/etc/dpkg/origins/debian r,
|
||||
|
||||
owner /tmp/*.diff.* rw,
|
||||
owner /tmp/* rw,
|
||||
owner /tmp/** rwkl -> /tmp/**,
|
||||
owner @{run}/user/[0-9]*/gnupg/** w,
|
||||
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
|
||||
/usr/share/dpkg/tupletable r,
|
||||
/usr/share/dpkg/cputable r,
|
||||
|
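Review bot: `owner /tmp/* rw,` is subsumed by the `owner /tmp/** rwkl -> /tmp/**,` rule directly below it (`**` matches everything `*` does), so the first line adds nothing and can be dropped; the surviving rule grants owner read/write/lock/link over the whole of /tmp, which is wide for a build tool, and a one-line comment naming the build step that needs it would stop it from being copied into other profiles unexamined. The three `/{usr/,}bin/gpg*` rules run the GnuPG binaries inline with `rix` under this complain-mode profile; this repository ships per-component GnuPG profiles (dirmngr is touched in this same commit), so if gpg, gpgv and gpg-agent have their own, `rPx` would keep them under their own confinement instead of inheriting dpkg-buildpackage's rules. The enclosing profile continues outside the hunk.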
@ -83,7 +83,7 @@ profile dropbox @{exec_path} {
|
||||
@{sys}/devices/virtual/block/dm-[0-9]*/dm/name r,
|
||||
@{sys}/devices/virtual/block/loop[0-9]/ r,
|
||||
@{sys}/devices/virtual/block/loop[0-9]/loop/{autoclear,backing_file} r,
|
||||
/{,var/}run/mount/utab r,
|
||||
@{run}/mount/utab r,
|
||||
|
||||
deny @{PROC}/ r,
|
||||
# Dropbox doesn't sync without the 'stat' file
|
||||
@ -117,7 +117,7 @@ profile dropbox @{exec_path} {
|
||||
owner /tmp/#[0-9]*[0-9] rw,
|
||||
owner /var/tmp/etilqs_* rw,
|
||||
|
||||
/{,var/}run/systemd/users/[0-9]* r,
|
||||
@{run}/systemd/users/[0-9]* r,
|
||||
|
||||
deny @{sys}/module/apparmor/parameters/enabled r,
|
||||
|
||||
|
@ -21,8 +21,8 @@ profile dumpe2fs @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner /{,var/}run/blkid/blkid.tab{,-*} rw,
|
||||
owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab,
|
||||
owner @{run}/blkid/blkid.tab{,-*} rw,
|
||||
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
|
||||
|
||||
# Image files
|
||||
@{HOME}/** r,
|
||||
|
@ -25,8 +25,8 @@ profile e2fsck @{exec_path} {
|
||||
/{usr/,}bin/dash rix,
|
||||
/{usr/,}sbin/badblocks rPx,
|
||||
|
||||
owner /{,var/}run/blkid/blkid.tab{,-*} rw,
|
||||
owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab,
|
||||
owner @{run}/blkid/blkid.tab{,-*} rw,
|
||||
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
|
||||
|
||||
@{PROC}/swaps r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
@ -51,9 +51,9 @@ profile exim4 @{exec_path} {
|
||||
owner /var/mail/*.lock.*.[0-9a-f]*.[0-9a-f]* w,
|
||||
owner /var/mail/*.lock wl -> /var/mail/*.lock.*.[0-9a-f]*.[0-9a-f]*,
|
||||
|
||||
owner /{,var/}run/exim4/exim.pid rw,
|
||||
owner @{run}/exim4/exim.pid rw,
|
||||
|
||||
owner /{,var/}run/dbus/system_bus_socket rw,
|
||||
owner @{run}/dbus/system_bus_socket rw,
|
||||
|
||||
# file_inherit
|
||||
/tmp/#[0-9]*[0-9] rw,
|
||||
|
@ -22,7 +22,7 @@ profile exo-compose-mail @{exec_path} {
|
||||
/{usr/,}bin/perl r,
|
||||
|
||||
# Mail clients
|
||||
/usr/bin/thunderbird rPx,
|
||||
/{usr/,}bin/thunderbird rPx,
|
||||
/{usr/,}lib/thunderbird/thunderbird rPx,
|
||||
/{usr/,}lib/thunderbird/thunderbird-bin rPx,
|
||||
|
||||
|
@ -204,7 +204,7 @@ profile firefox @{exec_path} {
|
||||
/{usr/,}bin/telegram-desktop rPx,
|
||||
/{usr/,}bin/spacefm rPx,
|
||||
/{usr/,}bin/qpdfview rPx,
|
||||
/{usr/,}share/xfce4/exo/exo-compose-mail rPx,
|
||||
/usr/share/xfce4/exo/exo-compose-mail rPx,
|
||||
|
||||
# file_inherit
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
@ -2,6 +2,10 @@
|
||||
# Generic Firejail AppArmor profile
|
||||
#########################################
|
||||
|
||||
# AppArmor 3.0 uses the @{run} variable in <abstractions/dbus-strict>
|
||||
# and <abstractions/dbus-session-strict>.
|
||||
#include <tunables/global>
|
||||
|
||||
##########
|
||||
# A simple PID declaration based on Ubuntu's @{pid}
|
||||
# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
|
||||
@ -19,6 +23,8 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
|
||||
#include <abstractions/dbus-strict>
|
||||
#include <abstractions/dbus-session-strict>
|
||||
dbus,
|
||||
# Add rule in order to avoid dbus-*=filter breakage (#3432)
|
||||
owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w,
|
||||
|
||||
##########
|
||||
# With ptrace it is possible to inspect and hijack running programs.
|
||||
@ -47,6 +53,10 @@ owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
|
||||
owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
|
||||
owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
|
||||
|
||||
# Allow writing to /var/mail and /var/spool/mail (for mail clients)
|
||||
# Uncomment to enable
|
||||
#owner /var/{mail,spool/mail}/** w,
|
||||
|
||||
# Allow writing to removable media
|
||||
owner /{,var/}run/media/** w,
|
||||
|
||||
@ -60,18 +70,17 @@ owner /{,var/}run/media/** w,
|
||||
# Allow access to pcscd socket (smartcards)
|
||||
/{,var/}run/pcscd/pcscd.comm w,
|
||||
|
||||
# Needed for firefox sandbox
|
||||
/proc/@{PID}/{uid_map,gid_map,setgroups} w,
|
||||
# Needed for browser self-sandboxing
|
||||
owner /proc/@{PID}/{uid_map,gid_map,setgroups} w,
|
||||
|
||||
# Needed for electron apps
|
||||
/proc/@{PID}/comm w,
|
||||
# Needed for nslookup, dig, host
|
||||
/proc/@{PID}/task/@{PID}/comm w,
|
||||
|
||||
# Silence noise
|
||||
deny /proc/@{PID}/oom_adj w,
|
||||
deny /proc/@{PID}/oom_score_adj w,
|
||||
|
||||
# Uncomment to silence all denied write warnings
|
||||
#deny /sys/** w,
|
||||
# Used by chromium
|
||||
owner /proc/@{PID}/oom_score_adj w,
|
||||
owner /proc/@{PID}/clear_refs w,
|
||||
|
||||
##########
|
||||
# Allow running programs only from well-known system directories. If you need
|
||||
@ -80,7 +89,7 @@ deny /proc/@{PID}/oom_score_adj w,
|
||||
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
|
||||
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
|
||||
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
|
||||
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64}/** ix,
|
||||
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64,exec}/** ix,
|
||||
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
|
||||
#/{,run/firejail/mnt/oroot/}home/** ix,
|
||||
|
||||
|
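Review bot: In the hunk starting `@ -60,18 +70,17 @@`, `owner /proc/@{PID}/oom_score_adj w,` and `owner /proc/@{PID}/clear_refs w,` appear to replace an explicit `deny /proc/@{PID}/oom_score_adj w,` (old/new sides are not marked in this view), and because `owner` checks the file's uid while `@{PID}` is declared as a glob just below the "A simple PID declaration" comment, the sandboxed process can write those files for every same-uid process, not only itself. The same uid-not-pid caveat applies to the new `owner /proc/@{PID}/{uid_map,gid_map,setgroups} w,`, although that rule narrows the previous un-owned one. This looks like it tracks firejail's upstream profile; if so, a comment next to the chromium rules such as `# owner = same uid, not same pid: reaches every same-uid process` would make the accepted trade-off visible. The `owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w,` rule in the `@ -19,6 +23,8 @@` hunk keeps the `/{,var/}run/` spelling that the rest of this commit replaces with `@{run}`, which is defensible for a vendored file but worth a note. The profile body starts and ends outside these hunks.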
@ -28,16 +28,16 @@ profile fsck @{exec_path} {
|
||||
@{PROC}/partitions r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
owner /{,var/}run/fsck/ rw,
|
||||
owner /{,var/}run/fsck/*.lock rwk,
|
||||
owner @{run}/fsck/ rw,
|
||||
owner @{run}/fsck/*.lock rwk,
|
||||
|
||||
# When a mount dir is passed to fsck as an argument.
|
||||
/media/*/ r,
|
||||
/boot/ r,
|
||||
/home/ r,
|
||||
|
||||
owner /{,var/}run/blkid/blkid.tab{,-*} rw,
|
||||
owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab,
|
||||
owner @{run}/blkid/blkid.tab{,-*} rw,
|
||||
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
|
||||
|
||||
#include if exists <local/fsck>
|
||||
}
|
||||
|
@ -32,8 +32,8 @@ profile gnome-keyring-daemon @{exec_path} {
|
||||
owner @{HOME}/.ssh/ r,
|
||||
owner @{HOME}/.ssh/** r,
|
||||
|
||||
owner /{,var/}run/user/[0-9]*/keyring/ rw,
|
||||
owner /{,var/}run/user/[0-9]*/keyring/* rw,
|
||||
owner @{run}/user/[0-9]*/keyring/ rw,
|
||||
owner @{run}/user/[0-9]*/keyring/* rw,
|
||||
|
||||
#include if exists <local/gnome-keyring-daemon>
|
||||
}
|
||||
|
@ -157,7 +157,7 @@ profile google-chrome-chrome @{exec_path} {
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/**/ r,
|
||||
/{,var/}run/udev/data/* r,
|
||||
@{run}/udev/data/* r,
|
||||
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
|
||||
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
|
||||
|
||||
|
@ -29,8 +29,8 @@ profile gparted @{exec_path} {
|
||||
|
||||
/{usr/,}lib/udisks2/udisks2-inhibit rix,
|
||||
/usr/libexec/udisks2/udisks2-inhibit rix,
|
||||
/{var/,}run/udev/rules.d/ rw,
|
||||
/{var/,}run/udev/rules.d/90-udisks-inhibit.rules rw,
|
||||
@{run}/udev/rules.d/ rw,
|
||||
@{run}/udev/rules.d/90-udisks-inhibit.rules rw,
|
||||
|
||||
/{usr/,}bin/udevadm rCx -> udevadm,
|
||||
|
||||
@ -63,7 +63,7 @@ profile gparted @{exec_path} {
|
||||
@{sys}/** r,
|
||||
@{sys}/devices/virtual/block/**/uevent rw,
|
||||
@{sys}/devices/pci[0-9]*/**/block/**/uevent rw,
|
||||
/{var/,}run/udev/data/* r,
|
||||
@{run}/udev/data/* r,
|
||||
|
||||
}
|
||||
|
||||
|
@ -134,7 +134,7 @@ profile gpartedbin @{exec_path} {
|
||||
/var/lib/dbus/machine-id r,
|
||||
/etc/machine-id r,
|
||||
|
||||
/{var/,}run/mount/utab r,
|
||||
@{run}/mount/utab r,
|
||||
|
||||
# For fsck of the btrfs filesystem
|
||||
owner /tmp/gparted-*/ rw,
|
||||
@ -181,9 +181,9 @@ profile gpartedbin @{exec_path} {
|
||||
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
owner /{,var/}run/mount/ rw,
|
||||
owner /{,var/}run/mount/utab{,.*} rw,
|
||||
owner /{,var/}run/mount/utab.lock wk,
|
||||
owner @{run}/mount/ rw,
|
||||
owner @{run}/mount/utab{,.*} rw,
|
||||
owner @{run}/mount/utab.lock wk,
|
||||
|
||||
}
|
||||
|
||||
|
@ -51,6 +51,24 @@ profile gpg @{exec_path} {
|
||||
# For spamassassin
|
||||
owner /var/lib/spamassassin/sa-update-keys/** rwkl -> /var/lib/spamassassin/sa-update-keys/**,
|
||||
|
||||
# For lintian
|
||||
owner /tmp/temp-lintian-lab-*/**/debian/upstream/signing-key.asc r,
|
||||
owner /tmp/lintian-pool-*/**/debian/upstream/signing-key.asc r,
|
||||
owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid} rw,
|
||||
owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
|
||||
owner /tmp/*/trustdb.gpg rw,
|
||||
owner /tmp/*/trustdb.gpg.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
|
||||
owner /tmp/*/pubring.kbx rw,
|
||||
owner /tmp/*/pubring.kbx.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
|
||||
owner /tmp/*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
|
||||
owner /tmp/*.gpg rw,
|
||||
owner /tmp/*.gpg~ w,
|
||||
owner /tmp/*.gpg.tmp rw,
|
||||
owner /tmp/*.gpg.lock rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid},
|
||||
owner /tmp/.#lk0x[0-9a-f]*.*.@{pid} rw,
|
||||
owner /tmp/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid},
|
||||
owner @{run}/user/[0-9]*/gnupg/d.*/ rw,
|
||||
|
||||
# Verify files
|
||||
owner @{HOME}/** r,
|
||||
owner /media/*/** r,
|
||||
|
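Review bot: The `# For lintian` comment covers the two `signing-key.asc` rules, but the fourteen rules that follow (`owner /tmp/*/trustdb.gpg rw,`, `owner /tmp/*/pubring.kbx rw,`, `owner /tmp/*.gpg rw,`, the `.#lk0x` lock-file rules and `owner @{run}/user/[0-9]*/gnupg/d.*/ rw,`) carry no comment saying which caller needs them or that they serve a throwaway keyring under `/tmp/*/`. A header before the first `owner /tmp/*/.#lk0x...` rule such as `# Temporary keyrings and lock files under /tmp (presumably gpg --homedir /tmp/<dir>; confirm caller)` would let the next reader judge whether `owner /tmp/*.gpg rw,`, which reaches any user-owned .gpg file in /tmp, is still required. The profile body starts and ends outside the hunk.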
@ -43,7 +43,7 @@ profile gpg-agent @{exec_path} {
|
||||
|
||||
# For debuild
|
||||
owner /tmp/dpkg-import-key.*/private-keys-v1.d/ w,
|
||||
owner /{var/,}run/user/[0-9]*/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w,
|
||||
owner @{run}/user/[0-9]*/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w,
|
||||
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
|
||||
|
@ -130,7 +130,7 @@ profile hw-probe @{exec_path} {
|
||||
|
||||
/{usr/,}bin/journalctl mr,
|
||||
|
||||
/{var/,}run/log/ rw,
|
||||
@{run}/log/ rw,
|
||||
/{run,var}/log/journal/ rw,
|
||||
/{run,var}/log/journal/[0-9a-f]*/ rw,
|
||||
/{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
|
||||
@ -189,7 +189,7 @@ profile hw-probe @{exec_path} {
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/*/ r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
/{var/,}run/udev/data/* r,
|
||||
@{run}/udev/data/* r,
|
||||
|
||||
}
|
||||
|
||||
|
@ -108,7 +108,7 @@ profile hwinfo @{exec_path} {
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
|
||||
@{sys}/** r,
|
||||
/{var/,}run/udev/data/* r,
|
||||
@{run}/udev/data/* r,
|
||||
|
||||
# file_inherit
|
||||
owner /tmp/hwinfo*.txt rw,
|
||||
|
@ -37,9 +37,9 @@ profile ifup @{exec_path} {
|
||||
/etc/network/interfaces r,
|
||||
/etc/network/interfaces.d/{,*} r,
|
||||
|
||||
/{var/,}run/network/ rw,
|
||||
/{var/,}run/network/{.,}ifstate* rwk,
|
||||
/{var/,}run/network/{ifup,ifdown}-*.pid rw,
|
||||
@{run}/network/ rw,
|
||||
@{run}/network/{.,}ifstate* rwk,
|
||||
@{run}/network/{ifup,ifdown}-*.pid rw,
|
||||
|
||||
# For setting a USB modem
|
||||
owner /dev/ttyUSB[0-9]* rw,
|
||||
|
@ -63,8 +63,8 @@ profile initd-kexec @{exec_path} {
|
||||
|
||||
/dev/kmsg w,
|
||||
|
||||
owner /{var/,}run/systemd/ask-password/ rw,
|
||||
owner /{var/,}run/systemd/ask-password-block/* rw,
|
||||
owner @{run}/systemd/ask-password/ rw,
|
||||
owner @{run}/systemd/ask-password-block/* rw,
|
||||
|
||||
}
|
||||
|
||||
|
@ -78,8 +78,8 @@ profile initd-kexec-load @{exec_path} {
|
||||
|
||||
/dev/kmsg w,
|
||||
|
||||
owner /{var/,}run/systemd/ask-password/ rw,
|
||||
owner /{var/,}run/systemd/ask-password-block/* rw,
|
||||
owner @{run}/systemd/ask-password/ rw,
|
||||
owner @{run}/systemd/ask-password-block/* rw,
|
||||
|
||||
}
|
||||
|
||||
|
@ -58,8 +58,8 @@ profile initd-kmod @{exec_path} {
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
owner /{var/,}run/systemd/ask-password/ rw,
|
||||
owner /{var/,}run/systemd/ask-password-block/* rw,
|
||||
owner @{run}/systemd/ask-password/ rw,
|
||||
owner @{run}/systemd/ask-password-block/* rw,
|
||||
|
||||
}
|
||||
|
||||
|
@ -77,7 +77,7 @@ profile inxi @{exec_path} {
|
||||
@{HOME}/.local/share/xorg/ r,
|
||||
@{HOME}/.local/share/xorg/Xorg.[0-9]*.log r,
|
||||
|
||||
/{var/,}run/ r,
|
||||
@{run}/ r,
|
||||
|
||||
@{PROC}/asound/ r,
|
||||
@{PROC}/asound/version r,
|
||||
@ -144,7 +144,7 @@ profile inxi @{exec_path} {
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
|
||||
@{sys}/devices/pci[0-9]*/**/block/**/uevent r,
|
||||
/{var/,}run/udev/data/b* r,
|
||||
@{run}/udev/data/b* r,
|
||||
|
||||
}
|
||||
|
||||
|
@ -35,14 +35,14 @@ profile ip @{exec_path} flags=(attach_disconnected) {
|
||||
mount options=(rw, bind) /etc/netns/firefox/resolv.conf -> /etc/resolv.conf,
|
||||
mount fstype=sysfs -> /sys/,
|
||||
|
||||
umount /{var/,}run/netns/*,
|
||||
umount @{run}/netns/*,
|
||||
umount /sys/,
|
||||
|
||||
/etc/iproute2/{,**} r,
|
||||
|
||||
/ r,
|
||||
owner /{var/,}run/netns/ rw,
|
||||
/{var/,}run/netns/* rw,
|
||||
owner @{run}/netns/ rw,
|
||||
@{run}/netns/* rw,
|
||||
/etc/netns/*/ r,
|
||||
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
|
@ -23,8 +23,13 @@ profile kconfig-hardened-check @{exec_path} {
|
||||
|
||||
/{usr/,}bin/ r,
|
||||
|
||||
|
||||
# The usual kernel config locations
|
||||
/boot/config-* r,
|
||||
@{PROC}/config.gz r,
|
||||
|
||||
# This is for kernels, which are built manually
|
||||
owner /**/.config r,
|
||||
|
||||
#include if exists <local/kconfig-hardened-check>
|
||||
}
|
||||
|
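Review bot: `owner /**/.config r,` matches a file named `.config` at any depth anywhere on the filesystem, not only inside a kernel tree, so the comment `# This is for kernels, which are built manually` understates its scope; `owner` keeps it to the user's own files and it is read-only, so the exposure is disclosure of unrelated user-owned `.config` files that happen to match. If the tool is normally pointed at a tree the user owns, `owner @{HOME}/**/.config r,` plus `/usr/src/**/.config r,` would say what is meant; otherwise amend the comment to `# Any user-owned .config file, wherever the kernel tree lives`. The profile body starts outside the hunk.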
@ -89,8 +89,8 @@ profile keepassxc @{exec_path} {
|
||||
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{uevent,speed,descriptors} r,
|
||||
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
|
||||
|
||||
/{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
||||
/{var/,}run/udev/data/+usb:* r, #
|
||||
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
||||
@{run}/udev/data/+usb:* r, #
|
||||
|
||||
/dev/bus/usb/ r,
|
||||
/dev/shm/#[0-9]*[0-9] rw,
|
||||
@ -100,10 +100,10 @@ profile keepassxc @{exec_path} {
|
||||
owner @{HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
|
||||
owner @{HOME}/.config/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
|
||||
owner @{HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rw,
|
||||
owner /{var/,}run/user/[0-9]*/.[a-zA-Z]*/{,s} rw,
|
||||
owner /{var/,}run/user/[0-9]*/kpxc_server rw,
|
||||
owner @{run}/user/[0-9]*/.[a-zA-Z]*/{,s} rw,
|
||||
owner @{run}/user/[0-9]*/kpxc_server rw,
|
||||
|
||||
owner /{var/,}run/user/[0-9]*/org.keepassxc.KeePassXC.BrowserServer w,
|
||||
owner @{run}/user/[0-9]*/org.keepassxc.KeePassXC.BrowserServer w,
|
||||
|
||||
/var/lib/dbus/machine-id r,
|
||||
/etc/machine-id r,
|
||||
|
@ -24,8 +24,8 @@ profile keepassxc-proxy @{exec_path} {
|
||||
@{exec_path} mr,
|
||||
|
||||
# file_inherit
|
||||
deny owner /{var/,}run/user/[0-9]*/.[a-zA-Z]*/{,s} rw,
|
||||
deny owner /{var/,}run/user/[0-9]*/kpxc_server rw,
|
||||
deny owner @{run}/user/[0-9]*/.[a-zA-Z]*/{,s} rw,
|
||||
deny owner @{run}/user/[0-9]*/kpxc_server rw,
|
||||
deny /dev/shm/org.chromium.* rw,
|
||||
deny owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* rw,
|
||||
#
|
||||
|
@ -87,7 +87,7 @@ profile kodi @{exec_path} {
|
||||
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/temp r,
|
||||
|
||||
/{var/,}run/udev/data/* r,
|
||||
@{run}/udev/data/* r,
|
||||
|
||||
/var/lib/dbus/machine-id r,
|
||||
/etc/machine-id r,
|
||||
|
@ -33,14 +33,14 @@ profile light-locker @{exec_path} {
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
|
||||
# when locking the screen and switching/closing sessions
|
||||
/{,var/}run/systemd/sessions/[0-9]* r,
|
||||
@{run}/systemd/sessions/[0-9]* r,
|
||||
|
||||
# To silecne the following error:
|
||||
# dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied.
|
||||
# dconf will not work properly.
|
||||
##include <abstractions/dconf>
|
||||
#owner /{var/,}run/user/[0-9]*/dconf/ w,
|
||||
#owner /{var/,}run/user/[0-9]*/dconf/user rw,
|
||||
#owner @{run}/user/[0-9]*/dconf/ w,
|
||||
#owner @{run}/user/[0-9]*/dconf/user rw,
|
||||
#include <abstractions/deny-dconf>
|
||||
|
||||
@{sys}/devices/pci[0-9]*/**/uevent r,
|
||||
|
@ -99,8 +99,8 @@ profile lightdm @{exec_path} {
|
||||
/var/log/lightdm/{,**} rw,
|
||||
/var/log/btmp wk,
|
||||
|
||||
/{,var/}run/lightdm/{,**} rw,
|
||||
/{,var/}run/lightdm.pid rw,
|
||||
@{run}/lightdm/{,**} rw,
|
||||
@{run}/lightdm.pid rw,
|
||||
|
||||
@{PROC}/1/limits r,
|
||||
/etc/security/limits.d/ r,
|
||||
|
@ -53,6 +53,7 @@ profile lintian @{exec_path} flags=(complain) {
|
||||
/{usr/,}bin/filterdiff rix,
|
||||
/{usr/,}bin/lexgrog rix,
|
||||
/{usr/,}bin/mv rix,
|
||||
/usr/bin/cp rix,
|
||||
|
||||
/{usr/,}bin/{,@{multiarch}-}ar rix,
|
||||
/{usr/,}bin/{,@{multiarch}-}readelf rix,
|
||||
@ -65,6 +66,8 @@ profile lintian @{exec_path} flags=(complain) {
|
||||
/{usr/,}bin/man rPx,
|
||||
/{usr/,}bin/dpkg-architecture rPx,
|
||||
|
||||
/usr/share/intltool-debian/* rCx -> intltool,
|
||||
|
||||
/usr/share/lintian/{,**} rk,
|
||||
|
||||
/etc/lintianrc r,
|
||||
@ -85,6 +88,8 @@ profile lintian @{exec_path} flags=(complain) {
|
||||
owner /tmp/*/random_seed w,
|
||||
|
||||
owner /tmp/* rw,
|
||||
owner /tmp/lintian-po-debconf-*/ rw,
|
||||
owner /tmp/lintian-po-debconf-*/** rw,
|
||||
|
||||
# For pbuilder
|
||||
owner @{BUILD_DIR}/**.{changes,dsc,buildinfo,tar.*,deb} rk,
|
||||
@ -158,7 +163,27 @@ profile lintian @{exec_path} flags=(complain) {
|
||||
owner /tmp/*.gpg.lock rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid},
|
||||
owner /tmp/.#lk0x[0-9a-f]*.*.@{pid} rw,
|
||||
owner /tmp/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid},
|
||||
owner /{var/,}run/user/[0-9]*/gnupg/d.*/ rw,
|
||||
owner @{run}/user/[0-9]*/gnupg/d.*/ rw,
|
||||
|
||||
# file_inherit
|
||||
owner /tmp/* rw,
|
||||
|
||||
}
|
||||
|
||||
|
||||
profile intltool flags=(complain) {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/perl>
|
||||
|
||||
/usr/share/intltool-debian/* mrix,
|
||||
|
||||
/usr/bin/dash rix,
|
||||
/usr/bin/xgettext rix,
|
||||
|
||||
/usr/share/gettext/** r,
|
||||
/usr/share/gettext-*/** r,
|
||||
|
||||
owner /tmp/lintian-po-debconf-*/** rw,
|
||||
|
||||
# file_inherit
|
||||
owner /tmp/* rw,
|
||||
|
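Review bot: In the hunk starting `@ -158,7 +163,27 @@`, the `}` placed between `owner /tmp/* rw,` and `profile intltool flags=(complain) {` reads, in this indentation-stripped view, as closing the lintian profile, which would make `intltool` a top-level profile instead of the child that `/usr/share/intltool-debian/* rCx -> intltool,` (hunk `@ -65,6 +66,8 @@`) transitions into; please confirm the nesting by running apparmor_parser on the result. The new child uses `/usr/bin/dash rix,` and `/usr/bin/xgettext rix,`, and the first hunk adds `/usr/bin/cp rix,` directly after `/{usr/,}bin/mv rix,`; the `/{usr/,}bin/` spelling used everywhere else in this profile covers both merged-/usr and split-/usr systems. `owner /tmp/* rw,` now appears twice in the lintian body, once in the `@ -85,6 +88,8 @@` hunk and once under `# file_inherit`, so one of them can go. The child profile's closing brace is outside the hunk.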
@ -24,7 +24,7 @@ profile lsblk @{exec_path} {
|
||||
@{PROC}/swaps r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
/{var/,}run/mount/utab r,
|
||||
@{run}/mount/utab r,
|
||||
|
||||
#include if exists <local/lsblk>
|
||||
}
|
||||
|
@ -28,8 +28,8 @@ profile lsusb @{exec_path} {
|
||||
|
||||
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**} r,
|
||||
|
||||
/{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
||||
/{var/,}run/udev/data/+usb:* r, #
|
||||
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
||||
@{run}/udev/data/+usb:* r, #
|
||||
|
||||
/etc/udev/hwdb.bin r,
|
||||
|
||||
|
@ -30,8 +30,8 @@ profile mke2fs @{exec_path} {
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
@{PROC}/swaps r,
|
||||
|
||||
owner /{,var/}run/blkid/blkid.tab{,-*} rw,
|
||||
owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab,
|
||||
owner @{run}/blkid/blkid.tab{,-*} rw,
|
||||
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
|
||||
|
||||
# A place for file images
|
||||
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
|
||||
|
@ -56,9 +56,9 @@ profile mount @{exec_path} flags=(complain) {
|
||||
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
owner /{,var/}run/mount/ rw,
|
||||
owner /{,var/}run/mount/utab{,.*} rw,
|
||||
owner /{,var/}run/mount/utab.lock wk,
|
||||
owner @{run}/mount/ rw,
|
||||
owner @{run}/mount/utab{,.*} rw,
|
||||
owner @{run}/mount/utab.lock wk,
|
||||
|
||||
#include if exists <local/mount>
|
||||
}
|
||||
|
@ -132,14 +132,14 @@ profile mpv @{exec_path} {
|
||||
@{sys}/devices/**/input/**/uevent r,
|
||||
@{sys}/devices/**/input/**/capabilities/* r,
|
||||
/dev/input/event[0-9]* r,
|
||||
/{var/,}run/udev/data/+input:input[0-9]* r,
|
||||
/{var/,}run/udev/data/c13:[0-9]* r, # for /dev/input/*
|
||||
@{run}/udev/data/+input:input[0-9]* r,
|
||||
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
|
||||
#
|
||||
@{sys}/class/sound/ r,
|
||||
@{sys}/devices/**/sound/**/uevent r,
|
||||
@{sys}/devices/**/sound/**/capabilities/* r,
|
||||
/{var/,}run/udev/data/+sound:* r,
|
||||
/{var/,}run/udev/data/c116:[0-9]* r, # for ALSA
|
||||
@{run}/udev/data/+sound:* r,
|
||||
@{run}/udev/data/c116:[0-9]* r, # for ALSA
|
||||
|
||||
# Be able to turn off the screensaver while playing movies
|
||||
/{usr/,}bin/xdg-screensaver rPUx,
|
||||
|
@ -55,8 +55,8 @@ profile mumble @{exec_path} {
|
||||
/dev/shm/MumbleLink.[0-9]*[0-9] rw,
|
||||
/dev/shm/#[0-9]*[0-9] rw,
|
||||
|
||||
owner /{var/,}run/user/[0-9]*/MumbleSocket rw,
|
||||
owner /{var/,}run/user/[0-9]*/MumbleOverlayPipe rw,
|
||||
owner @{run}/user/[0-9]*/MumbleSocket rw,
|
||||
owner @{run}/user/[0-9]*/MumbleOverlayPipe rw,
|
||||
|
||||
deny owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
@ -34,8 +34,8 @@ profile networkctl @{exec_path} flags=(complain) {
|
||||
|
||||
@{sys}/devices/**/net/**/uevent r,
|
||||
|
||||
/{var/,}run/systemd/netif/links/[0-9]* r,
|
||||
/{var/,}run/systemd/netif/state r,
|
||||
@{run}/systemd/netif/links/[0-9]* r,
|
||||
@{run}/systemd/netif/state r,
|
||||
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
@ -43,7 +43,7 @@ profile networkctl @{exec_path} flags=(complain) {
|
||||
/etc/udev/hwdb.bin r,
|
||||
|
||||
# To be able to read logs
|
||||
/{var/,}run/log/ r,
|
||||
@{run}/log/ r,
|
||||
/{run,var}/log/journal/ r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/ r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* r,
|
||||
|
@ -22,11 +22,13 @@ profile nvidia_modprobe {
|
||||
|
||||
# System files
|
||||
|
||||
/dev/nvidia-modeset w,
|
||||
/dev/nvidia-uvm w,
|
||||
/dev/nvidia-uvm-tools w,
|
||||
@{sys}/bus/pci/devices/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/config r,
|
||||
@{PROC}/devices r,
|
||||
@{PROC}/driver/nvidia/params r,
|
||||
@{PROC}/modules r,
|
||||
@{PROC}/sys/kernel/modprobe r,
|
||||
|
||||
|
@ -43,7 +43,7 @@ profile openvpn @{exec_path} {
|
||||
|
||||
/var/log/openvpn/*.log w,
|
||||
|
||||
/{,var/}run/openvpn/*.{pid,status} rw,
|
||||
@{run}/openvpn/*.{pid,status} rw,
|
||||
|
||||
/{usr/,}bin/ip rix,
|
||||
/{usr/,}bin/systemd-ask-password rCx -> systemd-ask-password,
|
||||
|
@ -149,7 +149,7 @@ profile opera @{exec_path} {
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/**/ r,
|
||||
/{,var/}run/udev/data/* r,
|
||||
@{run}/udev/data/* r,
|
||||
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
|
||||
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
|
||||
|
||||
|
@ -43,8 +43,8 @@ profile polkitd @{exec_path} {
|
||||
|
||||
owner /var/lib/polkit-1/.cache/ rw,
|
||||
|
||||
/{,var/}run/systemd/sessions/* r,
|
||||
/{,var/}run/systemd/users/[0-9]* r,
|
||||
@{run}/systemd/sessions/* r,
|
||||
@{run}/systemd/users/[0-9]* r,
|
||||
|
||||
#include if exists <local/polkitd>
|
||||
}
|
||||
|
@ -57,7 +57,7 @@ profile ps @{exec_path} flags=(attach_disconnected) {
|
||||
@{PROC}/tty/drivers r,
|
||||
@{PROC}/uptime r,
|
||||
|
||||
/{var/,}run/systemd/sessions/[0-9]* r,
|
||||
@{run}/systemd/sessions/[0-9]* r,
|
||||
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node[0-9]*/meminfo r,
|
||||
|
@ -89,7 +89,7 @@ profile psi-plus @{exec_path} {
|
||||
owner /tmp/#[0-9]*[0-9] rw,
|
||||
owner /tmp/Psi+.* rwl -> /tmp/#[0-9]*[0-9],
|
||||
|
||||
/{var/,}run/systemd/inhibit/[0-9]*.ref rw,
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
|
||||
/usr/share/hwdata/pnp.ids r,
|
||||
|
||||
|
@ -42,8 +42,8 @@ profile pulseaudio @{exec_path} {
|
||||
# TCP wrap
|
||||
/etc/hosts.{allow,deny} r,
|
||||
|
||||
owner /{,var/}run/user/[0-9]*/ rw,
|
||||
owner /{,var/}run/user/[0-9]*/pulse/{,*} rw,
|
||||
owner @{run}/user/[0-9]*/ rw,
|
||||
owner @{run}/user/[0-9]*/pulse/{,*} rw,
|
||||
|
||||
/usr/share/applications/{,**} r,
|
||||
|
||||
@ -51,14 +51,14 @@ profile pulseaudio @{exec_path} {
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/sound/ r,
|
||||
@{sys}/devices/**/sound/**/{uevent,pcm_class} r,
|
||||
/{,var/}run/udev/data/+sound* r,
|
||||
/{,var/}run/udev/data/c116:[0-9]* r, # For ALSA
|
||||
@{run}/udev/data/+sound* r,
|
||||
@{run}/udev/data/c116:[0-9]* r, # For ALSA
|
||||
|
||||
@{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node[0-9]/meminfo r,
|
||||
|
||||
/{,var/}run/systemd/users/[0-9]* r,
|
||||
@{run}/systemd/users/[0-9]* r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
@ -68,7 +68,7 @@ profile pulseaudio @{exec_path} {
|
||||
|
||||
# The orcexec.* file is JIT compiled code for various GStreamer elements.
|
||||
# If one is blocked the next is used instead.
|
||||
owner /{var/,}run/user/[0-9]*/orcexec.* mrw,
|
||||
owner @{run}/user/[0-9]*/orcexec.* mrw,
|
||||
#owner @{HOME}/orcexec.* mrw,
|
||||
#owner /tmp/orcexec.* mrw,
|
||||
|
||||
|
@ -71,7 +71,7 @@ profile quiterss @{exec_path} {
|
||||
|
||||
# The orcexec.* file is JIT compiled code for various GStreamer elements.
|
||||
# If one is blocked the next is used instead.
|
||||
owner /{var/,}run/user/[0-9]*/orcexec.* mrw,
|
||||
owner @{run}/user/[0-9]*/orcexec.* mrw,
|
||||
#owner @{HOME}/orcexec.* mrw,
|
||||
#owner /tmp/orcexec.* mrw,
|
||||
|
||||
|
@ -44,8 +44,8 @@ profile rsyslogd @{exec_path} {
|
||||
/var/spool/rsyslog/ r,
|
||||
/var/spool/rsyslog/** rw,
|
||||
|
||||
owner /{,var/}run/rsyslogd.pid{,.tmp} rwk,
|
||||
owner /{,var/}run/systemd/journal/syslog w,
|
||||
owner @{run}/rsyslogd.pid{,.tmp} rwk,
|
||||
owner @{run}/systemd/journal/syslog w,
|
||||
|
||||
# log files and devices
|
||||
/var/log/** rw,
|
||||
|
@ -21,12 +21,12 @@ profile scdaemon @{exec_path} {
|
||||
|
||||
owner @{HOME}/.gnupg/scdaemon.conf r,
|
||||
|
||||
owner /{,var/}run/user/[0-9]*/gnupg/S.scdaemon rw,
|
||||
owner @{run}/user/[0-9]*/gnupg/S.scdaemon rw,
|
||||
|
||||
@{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
|
||||
/{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
||||
/{var/,}run/udev/data/+usb:* r, #
|
||||
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
||||
@{run}/udev/data/+usb:* r, #
|
||||
|
||||
/dev/bus/usb/ r,
|
||||
@{sys}/bus/ r,
|
||||
|
@ -100,7 +100,7 @@ profile sddm @{exec_path} {
|
||||
owner @{HOME}/.local/share/kwalletd/ rw,
|
||||
owner @{HOME}/.local/share/kwalletd/kdewallet.salt rw,
|
||||
@{HOME}/.local/share/kwalletd/kdewallet.salt r,
|
||||
owner /{,var/}run/user/[0-9]*/kwallet5.socket rw,
|
||||
owner @{run}/user/[0-9]*/kwallet5.socket rw,
|
||||
/var/log/btmp wk,
|
||||
|
||||
# Themes
|
||||
@ -135,8 +135,8 @@ profile sddm @{exec_path} {
|
||||
/tmp/sddm-* rw,
|
||||
owner /tmp/*/{,s} rw,
|
||||
|
||||
owner /{,var/}run/sddm/ rw,
|
||||
/{,var/}run/sddm/* w,
|
||||
owner @{run}/sddm/ rw,
|
||||
@{run}/sddm/* w,
|
||||
|
||||
# Session error logs
|
||||
# Creating the dir structure is needed when a new user is logging in for the very first time
|
||||
@ -165,7 +165,7 @@ profile sddm @{exec_path} {
|
||||
# Run SDDM on a specific TTY
|
||||
/dev/tty[0-9]* rw,
|
||||
|
||||
/{,var/}run/systemd/sessions/[0-9]*.ref rw,
|
||||
@{run}/systemd/sessions/[0-9]*.ref rw,
|
||||
|
||||
|
||||
profile sddm-scripts {
|
||||
@ -201,10 +201,10 @@ profile sddm @{exec_path} {
|
||||
owner @{HOME}/.Xauthority-n rw,
|
||||
owner @{HOME}/.Xauthority rwl -> @{HOME}/.Xauthority-n,
|
||||
|
||||
owner /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c w,
|
||||
owner /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-l wl -> /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c,
|
||||
owner /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n rw,
|
||||
owner /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\} rwl -> /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n,
|
||||
owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c w,
|
||||
owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-l wl -> @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c,
|
||||
owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n rw,
|
||||
owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\} rwl -> @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n,
|
||||
|
||||
}
|
||||
|
||||
|
@ -92,7 +92,7 @@ profile sddm-greeter @{exec_path} {
|
||||
|
||||
/usr/share/hwdata/pnp.ids r,
|
||||
|
||||
owner /{,var/}run/sddm/{,*} rw,
|
||||
owner @{run}/sddm/{,*} rw,
|
||||
|
||||
/{usr/,}lib/@{multiarch}/ld-*.so mr,
|
||||
|
||||
|
@ -136,7 +136,7 @@ profile sddm-xsession @{exec_path} {
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/*/ r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
/{var/,}run/udev/data/* r,
|
||||
@{run}/udev/data/* r,
|
||||
|
||||
}
|
||||
|
||||
|
@ -30,7 +30,7 @@ profile ssh-agent @{exec_path} {
|
||||
/{usr/,}bin/enlightenment_start rPUx,
|
||||
|
||||
# When started via systemd
|
||||
/{var/,}run/user/[0-9]*/openssh_agent rw,
|
||||
@{run}/user/[0-9]*/openssh_agent rw,
|
||||
|
||||
# askpass apps
|
||||
#/{usr/,}lib/ssh/x11-ssh-askpass rPUx,
|
||||
|
@ -76,7 +76,7 @@ profile strawberry @{exec_path} {
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
deny @{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
/{var/,}run/mount/utab r,
|
||||
@{run}/mount/utab r,
|
||||
|
||||
/etc/fstab r,
|
||||
|
||||
@ -89,7 +89,7 @@ profile strawberry @{exec_path} {
|
||||
|
||||
# The orcexec.* file is JIT compiled code for various GStreamer elements.
|
||||
# If one is blocked the next is used instead.
|
||||
owner /{var/,}run/user/[0-9]*/orcexec.* mrw,
|
||||
owner @{run}/user/[0-9]*/orcexec.* mrw,
|
||||
#owner @{HOME}/orcexec.* mrw,
|
||||
#owner /tmp/orcexec.* mrw,
|
||||
|
||||
|
@ -52,9 +52,9 @@ profile sudo @{exec_path} {
|
||||
/dev/ r,
|
||||
|
||||
# For timestampdir
|
||||
owner /{var/,}run/sudo/ rw,
|
||||
owner /{var/,}run/sudo/ts/ rw,
|
||||
owner /{var/,}run/sudo/ts/* rwk,
|
||||
owner @{run}/sudo/ rw,
|
||||
owner @{run}/sudo/ts/ rw,
|
||||
owner @{run}/sudo/ts/* rwk,
|
||||
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
|