feat(profile): general update.
This commit is contained in:
parent
70c06a0547
commit
fa85d909d7
19 changed files with 61 additions and 31 deletions
|
@ -130,6 +130,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/update-notifier/dpkg-run-stamp rw,
|
||||
|
||||
/var/log/apt/{,**} rw,
|
||||
/var/log/ubuntu-advantage-apt-hook.log w,
|
||||
|
||||
# For package building
|
||||
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
|
||||
|
|
|
@ -26,6 +26,8 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
|
|||
signal (receive) set=(term hup kill) peer=dbus-session,
|
||||
signal (receive) set=(term hup kill) peer=gdm{,-session-worker},
|
||||
|
||||
unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0),
|
||||
|
||||
#aa:dbus own bus=accessibility name=org.freedesktop.DBus
|
||||
#aa:dbus own bus=session name=org.a11y.{B,b}us
|
||||
dbus receive bus=accessibility path=/org/freedesktop/DBus
|
||||
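Review bot: `unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0)` hard-codes display 0, so an accessibility bus started for a second seat or a nested session talking to `X1` would not match the rule. Other hunks in this commit already use `@{int}` for such numbering (`seat@{int}`, `Audio@{int}`), so `addr=@/tmp/.X11-unix/X@{int}` would follow the same convention. Whether this line or the `peer=gdm{,-session-worker}` signal line is the new one cannot be told from the rendered hunk.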
|
|
|
@ -45,6 +45,11 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
network netlink raw,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login1/session/*
|
||||
interface=org.freedesktop.login1.Session
|
||||
member=ReleaseControl
|
||||
peer=(name=org.freedesktop.login1, label=systemd-logind),
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
@{sh_path} rix,
|
||||
|
|
|
@ -50,7 +50,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/plymouth rPx,
|
||||
@{bin}/prime-switch rPUx,
|
||||
@{bin}/sleep rix,
|
||||
@{bin}/systemd-cat rPx,
|
||||
@{bin}/systemd-cat rix,
|
||||
@{lib}/{,gdm/}gdm-session-worker rPx,
|
||||
/etc/gdm{3,}/PrimeOff/Default rix,
|
||||
|
||||
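Review bot: `@{bin}/systemd-cat rix,` makes systemd-cat inherit this profile instead of transitioning to its own, so it now runs with every rule gdm holds (the rest of the profile, including its capabilities, lies outside the hunk). The same rPx→rix change is made in the nm-dispatcher and anondate hunks further down. If the dedicated systemd-cat profile was too restrictive for the way gdm invokes it, fixing that child profile keeps the confinement boundary; if inheritance is intended, a short comment such as `# systemd-cat inherits: it only forwards this profile's stdout/stderr to the journal` would record the rationale.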
|
|
|
@ -12,6 +12,9 @@ profile gdm-prime-defaut @{exec_path} flags=(complain) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{sh_path} r,
|
||||
@{bin}/prime-offload ix,
|
||||
|
||||
include if exists <local/gdm-prime-defaut>
|
||||
}
|
||||
|
||||
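Review bot: `@{bin}/prime-offload ix,` runs prime-offload inside this complain-mode profile, while the gdm hunk above confines the sibling tool `@{bin}/prime-switch` with `rPUx`. If prime-offload has, or is meant to get, its own profile, `rPx`/`rPUx` would keep the two tools consistently confined; if inheritance is deliberate, a one-line comment stating that would stop it being changed later.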
|
|
|
@ -43,6 +43,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
#aa:dbus own bus=system name=org.freedesktop.NetworkManager
|
||||
|
||||
#aa:dbus talk bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant
|
||||
#aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld
|
||||
#aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher
|
||||
#aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved
|
||||
|
|
|
@ -51,7 +51,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/run-parts rCx -> run-parts,
|
||||
@{bin}/sed rix,
|
||||
@{bin}/systemctl rCx -> systemctl,
|
||||
@{bin}/systemd-cat rPx,
|
||||
@{bin}/systemd-cat rix,
|
||||
@{bin}/tr rix,
|
||||
/usr/share/tlp/tlp-readconfs rPUx,
|
||||
|
||||
|
|
|
@ -13,6 +13,10 @@ profile sshfs @{exec_path} flags=(complain) {
|
|||
|
||||
mount fstype=fuse.sshfs -> @{HOME}/*/,
|
||||
mount fstype=fuse.sshfs -> @{HOME}/*/*/,
|
||||
mount fstype=fuse.sshfs -> @{MOUNTDIRS}/,
|
||||
mount fstype=fuse.sshfs -> @{MOUNTS}/,
|
||||
mount fstype=fuse.sshfs -> @{MOUNTS}/*/,
|
||||
mount fstype=fuse.sshfs -> @{MOUNTS}/*/*/,
|
||||
|
||||
unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none),
|
||||
|
||||
|
@ -33,6 +37,17 @@ profile sshfs @{exec_path} flags=(complain) {
|
|||
|
||||
mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/,
|
||||
mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/,
|
||||
mount fstype={fuse,fuse.sshfs} -> @{MOUNTDIRS}/,
|
||||
mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/,
|
||||
mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/*/,
|
||||
mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/*/*/,
|
||||
|
||||
umount @{HOME}/*/,
|
||||
umount @{HOME}/*/*/,
|
||||
umount @{MOUNTDIRS}/,
|
||||
umount @{MOUNTS}/,
|
||||
umount @{MOUNTS}/*/,
|
||||
umount @{MOUNTS}/*/*/,
|
||||
|
||||
unix (connect, send, receive) type=stream peer=(label="sshfs",addr=none),
|
||||
|
||||
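Review bot: The parent sshfs profile now lists `mount fstype=fuse.sshfs -> …` for six destinations (first hunk) while the second hunk carries a second, slightly different copy (`fstype={fuse,fuse.sshfs}` plus matching `umount` rules), and nothing in either hunk says why the parent needs mount rules at all when the unix rule shows it delegates to the `sshfs//fusermount` child. A comment above the parent's block, e.g. `# libfuse attempts mount(2) directly before falling back to fusermount` if that is the reason, would keep the two lists from drifting further. The `@{HOME}/*/` and `@{HOME}/*/*/` destinations also match dot-directories, since AppArmor's `*` does not skip a leading dot, which is worth stating if intended.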
|
|
|
@ -13,6 +13,7 @@ profile systemd-tty-ask-password-agent @{exec_path} {
|
|||
include <abstractions/common/systemd>
|
||||
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
capability net_admin,
|
||||
capability sys_resource,
|
||||
|
||||
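Review bot: One of the `capability` lines in this hunk is new (6→7 lines), and `capability net_admin,` in particular is an unusually broad grant for a tty password-prompt agent. A comment naming the operation or the observed denial that requires it would let a later reader decide whether it can be dropped. The rendered hunk does not show which line was added, so this may be a pre-existing rule.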
|
|
|
@ -95,6 +95,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
|
|||
@{run}/systemd/notify rw,
|
||||
@{run}/systemd/seats/seat@{int} r,
|
||||
|
||||
@{att}/@{run}/udev/control rw,
|
||||
|
||||
@{run}/udev/ rw,
|
||||
@{run}/udev/** rwk,
|
||||
|
||||
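Review bot: `@{att}/@{run}/udev/control rw,` is the only rule in the hunk using the disconnected-path prefix, while `@{run}/udev/ rw,` and `@{run}/udev/** rwk,` just below do not, so a reader cannot tell why the control socket alone needs it. A one-line comment such as `# control socket is reached through a disconnected path (attach_disconnected)`, if that is the observed case, would document it.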
|
|
|
@ -114,7 +114,7 @@ profile cockpit-bridge @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/app/sudo>
|
||||
|
||||
signal (send receive) set=term peer=cockpit-bridge,
|
||||
signal (send receive) set=(cont hup term) peer=cockpit-bridge,
|
||||
|
||||
@{bin}/cockpit-bridge Px,
|
||||
@{lib}/cockpit/cockpit-askpass Px,
|
||||
|
|
|
@ -22,7 +22,7 @@ profile anondate @{exec_path} {
|
|||
@{bin}/grep rix,
|
||||
@{bin}/minimum-unixtime-show rix,
|
||||
@{bin}/rm rix,
|
||||
@{bin}/systemd-cat rPx,
|
||||
@{bin}/systemd-cat rix,
|
||||
@{bin}/tee rix,
|
||||
@{bin}/timeout rix,
|
||||
@{bin}/tor-circuit-established-check rix,
|
||||
|
|
|
@ -25,20 +25,15 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
#aa:dbus own bus=system name=org.bluez
|
||||
|
||||
dbus receive bus=system path=/
|
||||
dbus send bus=system path=/{,MediaEndpoint}
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
member=GetManagedObjects
|
||||
peer=(name=:*, label="{brave,NetworkManager,pulseaudio,upowerd}"),
|
||||
|
||||
dbus send bus=system path=/MediaEndpoint
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
member=GetManagedObjects
|
||||
peer=(name=:*, label=pulseaudio),
|
||||
peer=(name=@{busname}),
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
member=InterfacesRemoved
|
||||
peer=(name=org.freedesktop.DBus, label="{jwupd,NetworkManager,pulseaudio,upowerd}"),
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
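Review bot: The peer rules that survive on the new side, `peer=(name=@{busname})` on the MediaEndpoint GetManagedObjects call and `peer=(name=org.freedesktop.DBus)` on the InterfacesRemoved signal, carry no `label=` anymore, so bluetoothd may now address any connection on the system bus rather than the previously enumerated client profiles. For outbound `dbus send` rules this mainly affects how tightly a compromised bluetoothd is boxed in, so it may be an acceptable trade for not maintaining the client list; a comment such as `# any client may register a media endpoint; peer label intentionally unrestricted` would make the intent explicit. The old/new assignment of lines is inferred from the 20→15 line counts.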
|
|
|
@ -38,17 +38,13 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
|
|||
network netlink raw,
|
||||
|
||||
#aa:dbus own bus=system name=org.freedesktop.fwupd path=/
|
||||
#aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/UDisks2/Manager
|
||||
interface=org.freedesktop.UDisks2.Manager
|
||||
member=GetBlockDevices
|
||||
peer=(name=:*, label=udisksd),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{lib}/fwupd/fwupd-detect-cet rix,
|
||||
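Review bot: `#aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd` replaces, as far as the 17→13 counts suggest, the explicit rule pinned to `path=/org/freedesktop/UDisks2/Manager … member=GetBlockDevices`; the `talk` directive presumably expands to send/receive on any path and member of that name, which is wider than the single call fwupd was known to make. If GetBlockDevices is still the only method needed, keeping the explicit rule is tighter; otherwise a comment listing the UDisks2 calls fwupd makes would justify the directive.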
|
|
|
@ -25,6 +25,7 @@ profile gpu-manager @{exec_path} {
|
|||
/var/lib/ubuntu-drivers-common/* rw,
|
||||
|
||||
/var/log/gpu-manager.log w,
|
||||
/var/log/gpu-manager-switch.log w,
|
||||
|
||||
@{sys}/devices/@{pci}/boot_vga r,
|
||||
@{sys}/module/compression r,
|
||||
|
|
|
@ -12,16 +12,29 @@ profile mount-cifs @{exec_path} flags=(complain) {
|
|||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
# To mount anything.
|
||||
capability sys_admin,
|
||||
|
||||
# (#FIXME#)
|
||||
capability setpcap,
|
||||
|
||||
network inet dgram,
|
||||
network inet stream,
|
||||
network inet6 dgram,
|
||||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
mount fstype=cifs -> @{HOME}/*/,
|
||||
mount fstype=cifs -> @{HOME}/*/*/,
|
||||
mount fstype=cifs -> @{MOUNTDIRS}/,
|
||||
mount fstype=cifs -> @{MOUNTS}/,
|
||||
mount fstype=cifs -> @{MOUNTS}/*/,
|
||||
mount fstype=cifs -> @{MOUNTS}/*/*/,
|
||||
|
||||
umount @{HOME}/*/,
|
||||
umount @{HOME}/*/*/,
|
||||
umount @{MOUNTDIRS}/,
|
||||
umount @{MOUNTS}/,
|
||||
umount @{MOUNTS}/*/,
|
||||
umount @{MOUNTS}/*/*/,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/systemd-ask-password rPUx,
|
||||
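Review bot: The new `mount fstype=cifs -> @{HOME}/*/` and `@{HOME}/*/*/` rules, with their matching `umount` lines, let this setuid-root helper mount over any directory one or two levels below the home, including dot-directories such as `.ssh/` or `.config/`, because AppArmor's `*` does not exclude a leading dot; the second hunk drops the old `# Allow to mount smb/cifs disks only under the /media/ dirs` comment without replacing it. mount.cifs's own ownership checks still apply, but the profile no longer documents the intended destinations, so a comment stating that home-directory mount points are deliberately allowed would help. The `# (#FIXME#)` above `capability setpcap,` likewise leaves the reason for that capability unexplained, though the rendering does not show whether that line is new.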
|
@ -31,18 +44,12 @@ profile mount-cifs @{exec_path} flags=(complain) {
|
|||
owner @{HOME}/.smbcredentials r,
|
||||
|
||||
# Mount points
|
||||
@{HOME}/*/ r,
|
||||
@{HOME}/*/*/ r,
|
||||
@{MOUNTDIRS}/ r,
|
||||
@{MOUNTS}/ r,
|
||||
@{MOUNTS}/*/ r,
|
||||
|
||||
# Allow to mount smb/cifs disks only under the /media/ dirs
|
||||
mount fstype=cifs -> @{MOUNTDIRS}/,
|
||||
mount fstype=cifs -> @{MOUNTS}/,
|
||||
mount fstype=cifs -> @{MOUNTS}/*/,
|
||||
|
||||
umount @{MOUNTDIRS}/,
|
||||
umount @{MOUNTS}/,
|
||||
umount @{MOUNTS}/*/,
|
||||
@{MOUNTS}/*/*/ r,
|
||||
|
||||
include if exists <local/mount-cifs>
|
||||
}
|
||||
|
|
|
@ -132,7 +132,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/class/nvme/ r,
|
||||
@{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w,
|
||||
@{sys}/devices/@{pci}/{ata,usb,mmc}[0-9]/{,**/}remove rw,
|
||||
@{sys}/devices/@{pci}/uevent r,
|
||||
@{sys}/devices/@{pci}/uevent rw,
|
||||
@{sys}/devices/**/net/*/ r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/virtual/bdi/**/read_ahead_kb r,
|
||||
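Review bot: `@{sys}/devices/@{pci}/uevent rw,` now grants write on the PCI device's uevent node, which is the interface for injecting synthetic uevents; the sibling `{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w,` rule already does this for child devices. A one-line comment on the reason, for example `# udisksd re-triggers uevents on rescan` if that is what was observed, would document the widening.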
|
|
|
@ -24,7 +24,7 @@ profile wireplumber @{exec_path} {
|
|||
network bluetooth stream,
|
||||
network netlink raw,
|
||||
|
||||
#aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio0
|
||||
#aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio@{int}
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
|
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/xinit
|
||||
profile xinit @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
signal (receive) set=(usr1) peer=xorg,
|
||||
|
|