feat(profiles): general update.
parent
e942c057bd
commit
fcbe764ccf
36 changed files with 154 additions and 74 deletions
|
@ -17,6 +17,8 @@ profile apt-config @{exec_path} {
|
|||
|
||||
/{usr/,}bin/dpkg rPx -> child-dpkg,
|
||||
|
||||
owner /tmp/tmp*/apt.conf r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
include if exists <local/apt-config>
|
||||
|
|
|
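Review bot: The new `/{usr/,}bin/dpkg rPx -> child-dpkg,` transition only works if a profile named `child-dpkg` is loaded alongside this one; a `Px` transition to a profile that is not loaded denies the exec instead of falling back, so the commit should ship or already depend on that profile. The same `-> child-dpkg` edit is made in the apt-esm-hook, list-oem-metapackages, packagekitd, ubuntu-report, update-manager and update-notifier sections and needs the same check. `owner /tmp/tmp*/apt.conf r,` is a broad glob on a shared directory; if apt fixes the real name, narrowing the pattern would be better, otherwise `owner` is the right guard. The apt-config profile header lies outside the hunk.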
@ -1,5 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2019-2022 Mikhail Morfikov
|
||||
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
@ -14,21 +15,21 @@ profile apt-key @{exec_path} {
|
|||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/{,e}grep rix,
|
||||
/{usr/,}bin/cat rix,
|
||||
/{usr/,}bin/chmod rix,
|
||||
/{usr/,}bin/cmp rix,
|
||||
/{usr/,}bin/comm rix,
|
||||
/{usr/,}bin/cp rix,
|
||||
/{usr/,}bin/cut rix,
|
||||
/{usr/,}bin/find rix,
|
||||
/{usr/,}bin/id rix,
|
||||
/{usr/,}bin/mktemp rix,
|
||||
/{usr/,}bin/readlink rix,
|
||||
/{usr/,}bin/rm rix,
|
||||
/{usr/,}bin/sed rix,
|
||||
/{usr/,}bin/cp rix,
|
||||
/{usr/,}bin/cat rix,
|
||||
/{usr/,}bin/cmp rix,
|
||||
/{usr/,}bin/find rix,
|
||||
/{usr/,}bin/cut rix,
|
||||
/{usr/,}bin/mktemp rix,
|
||||
/{usr/,}bin/chmod rix,
|
||||
/{usr/,}bin/touch rix,
|
||||
/{usr/,}bin/readlink rix,
|
||||
/{usr/,}bin/sort rix,
|
||||
/{usr/,}bin/comm rix,
|
||||
/{usr/,}bin/{,e}grep rix,
|
||||
/{usr/,}bin/id rix,
|
||||
/{usr/,}bin/touch rix,
|
||||
/{usr/,}bin/tr rix,
|
||||
/{usr/,}bin/uniq rix,
|
||||
/{usr/,}bin/wc rix,
|
||||
|
@ -73,6 +74,11 @@ profile apt-key @{exec_path} {
|
|||
/{usr/,}bin/gpg-agent rix,
|
||||
/{usr/,}bin/gpg-connect-agent rix,
|
||||
|
||||
/usr/share/gnupg/sks-keyservers.netCA.pem r,
|
||||
|
||||
/etc/hosts r,
|
||||
/etc/inputrc r,
|
||||
|
||||
/etc/apt/.#lk0x[a-f0-9]*.@{pid} rw,
|
||||
/etc/apt/.#lk0x[a-f0-9]*.@{pid}x rwl -> /etc/apt/.#lk0x[a-f0-9]*.@{pid},
|
||||
/etc/apt/trusted.gpg{,~,.tmp} rw,
|
||||
|
@ -86,18 +92,13 @@ profile apt-key @{exec_path} {
|
|||
|
||||
owner /tmp/apt-key-gpghome.*/ rw,
|
||||
owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
|
||||
owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w,
|
||||
|
||||
owner @{run}/user/@{uid}/gnupg/d.*/ rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
|
||||
/usr/share/gnupg/sks-keyservers.netCA.pem r,
|
||||
|
||||
/etc/hosts r,
|
||||
/etc/inputrc r,
|
||||
|
||||
# File_inherit
|
||||
owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w,
|
||||
|
||||
}
|
||||
|
||||
include if exists <local/apt-key>
|
||||
|
|
|
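Review bot: The new lock-file rules `/etc/apt/.#lk0x[a-f0-9]*.@{pid} rw,` and the `rwl ->` link rule carry no comment saying what creates them; a one-liner such as `# gpg lock files for the trusted keyring — confirm` would save the next reader a trip to the audit log. `/etc/apt/trusted.gpg{,~,.tmp} rw,` grants write on apt's trust anchor, which is apt-key's job, but stating that next to the rule records that the write is intentional. In the last hunk the print order suggests `include if exists <local/apt-key>` is being moved from after the closing `}` to inside the profile; if so that is a real fix, since a local include placed outside the braces is not part of the profile. The rest of the profile lies outside these hunks.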
@ -38,6 +38,8 @@ profile dpkg-preconfigure @{exec_path} {
|
|||
owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk,
|
||||
owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
|
||||
|
||||
owner @{run}/user/@{uid}/pk-debconf-socket rw,
|
||||
|
||||
# The following is needed when dpkg-preconfigure uses debcconf GUI frontends.
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/fonts>
|
||||
|
|
|
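Review bot: `owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,` hands dpkg-preconfigure full write on a log that belongs to another tool; if the access in the audit log was an append-mode open, `a` is the tighter permission (`owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log ra,`), since `w` also allows truncating and rewriting it. Whether this line or the `pk-debconf-socket` line is the addition is not recoverable from the page, so this applies to whichever side the log rule is on. The profile header is outside the hunk.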
@ -33,7 +33,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
dbus receive bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged,
|
||||
member={PropertiesChanged,GetAll},
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.NetworkManager
|
||||
|
|
|
@ -18,10 +18,14 @@ profile dbus-daemon-launch-helper @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx,
|
||||
/{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism rPx,
|
||||
/{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx,
|
||||
/{usr/,}lib/software-properties/software-properties-dbus rPx,
|
||||
|
||||
/usr/share/dbus-1/{,**} r,
|
||||
|
||||
/etc/dbus-1/{,**} r,
|
||||
|
||||
owner @{PROC}/@{pid}/oom_score_adj rw,
|
||||
|
||||
include if exists <local/dbus-daemon-launch-helper>
|
||||
|
|
|
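Review bot: The added `/{usr/,}lib/software-properties/software-properties-dbus rPx,` (and the `@{multiarch}` variant of cups-pk-helper-mechanism) are strict `Px` transitions, so each target needs its own loaded profile or the activation fails outright; it is worth confirming a `software-properties-dbus` profile exists in this tree. `owner @{PROC}/@{pid}/oom_score_adj rw,` is restricted to the helper's own entry, which is fine, but a short comment (e.g. `# resets its own OOM score before exec — confirm`) would record why a launcher needs it. The profile header lies outside the hunk.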
@ -14,6 +14,7 @@ profile cron-apport @{exec_path} {
|
|||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/find rix,
|
||||
/{usr/,}bin/rm rix,
|
||||
|
||||
/ r,
|
||||
/var/crash/ r,
|
||||
|
|
|
@ -23,18 +23,13 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
ptrace (read) peer=unconfined,
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*}
|
||||
interface=org.freedesktop.{DBus.{Properties,Introspectable},Accounts{,.User}},
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
|
||||
interface=org.freedesktop.PolicyKit[0-9].Authority
|
||||
member={CheckAuthorization,Changed},
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User[0-9]*
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={PropertiesChanged,GetAll},
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User[0-9]*
|
||||
interface=org.freedesktop.Accounts.User
|
||||
member={Changed,SetLanguage,SetInputSources},
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
@ -44,14 +39,6 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
member={RequestName,GetConnectionUnixUser}
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/Accounts
|
||||
interface=org.freedesktop.Accounts
|
||||
member={FindUserByName,ListCachedUsers},
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/Accounts
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
dbus bind bus=system
|
||||
name=org.freedesktop.Accounts,
|
||||
|
||||
|
|
|
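Review bot: The consolidated rule `dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} interface=org.freedesktop.{DBus.{Properties,Introspectable},Accounts{,.User}},` has no `member=` clause, whereas the per-path rules it appears to replace (FindUserByName/ListCachedUsers, GetAll, PropertiesChanged, Changed/SetLanguage/SetInputSources) were member-restricted, so the new side is broader in both directions. For the service that owns these objects an unrestricted `receive` is defensible, but the `send` half could stay narrow, e.g. a separate `dbus send bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} interface=org.freedesktop.{DBus.Properties,Accounts{,.User}} member={PropertiesChanged,Changed},` for the signals it emits. Which lines are old and new is inferred from print order and the 18→13 / 14→6 counts, so treat this as a question rather than a finding. The profile header is outside the hunks.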
@ -35,11 +35,14 @@ profile xdg-settings @{exec_path} {
|
|||
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/applications/ r,
|
||||
/usr/share/ubuntu/applications/ r,
|
||||
|
||||
/etc/xdg/xfce4/helpers.rc r,
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
/var/lib/snapd/desktop/applications/{,*} r,
|
||||
|
||||
owner @{HOME}/ r,
|
||||
owner @{HOME}/.Xauthority r,
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@ profile gdm-runtime-config @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{run}/gdm/ r,
|
||||
@{run}/gdm/ rw,
|
||||
@{run}/gdm/custom.conf* rw,
|
||||
|
||||
include if exists <local/gdm-runtime-config>
|
||||
|
|
|
@ -82,6 +82,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{PROC}/@{pid}/loginuid rw,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/attr/exec rw,
|
||||
owner @{PROC}/@{pid}/uid_map r,
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/1/limits r,
|
||||
@{PROC}/keys r,
|
||||
|
||||
|
|
|
@ -110,6 +110,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged,
|
||||
|
||||
dbus receive bus=system
|
||||
path=/org/freedesktop/PolicyKit[0-9]/AuthenticationAgent
|
||||
interface=org.freedesktop.PolicyKit[0-9].AuthenticationAgent
|
||||
member=BeginAuthentication,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/Xwayland rPx,
|
||||
|
@ -234,7 +239,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
|
||||
@{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
|
||||
@{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
|
||||
@{sys}/devices/**/power_supply/**/{type,online} r,
|
||||
@{sys}/devices/**/power_supply/{,**} r,
|
||||
@{sys}/devices/pci[0-9]*/**/boot_vga r,
|
||||
@{sys}/devices/pci[0-9]*/**/drm/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
|
||||
|
|
|
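Review bot: The new `dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/AuthenticationAgent ... member=BeginAuthentication,` rule has no `peer=` constraint, so any system-bus client the bus policy admits can drive the authentication prompt; since only polkitd should call BeginAuthentication, adding `peer=(name=org.freedesktop.PolicyKit[0-9]),` matches the path's own naming and pins the caller. The bus's own policy is a second line of defence, but the profile is where this repository records the expected peer for other rules (see the Avahi `peer=` in the seahorse section). The profile header is outside the hunk.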
@ -37,7 +37,8 @@ profile goa-daemon @{exec_path} {
|
|||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
owner @{user_config_dirs}/goa-1.0/accounts.conf r,
|
||||
owner @{user_config_dirs}/goa-1.0/ rw,
|
||||
owner @{user_config_dirs}/goa-1.0/accounts.conf* rw,
|
||||
|
||||
include if exists <local/goa-daemon>
|
||||
}
|
||||
|
|
|
@ -9,11 +9,22 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}bin/seahorse
|
||||
profile seahorse @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/p11-kit>
|
||||
include <abstractions/ssl_certs>
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member={GetAPIVersion,GetState,ServiceBrowserNew}
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
||||
dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
|
||||
interface=org.freedesktop.Avahi.ServiceBrowser
|
||||
member={CacheExhausted,AllForNow},
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/gpgconf rPx,
|
||||
|
@ -21,8 +32,10 @@ profile seahorse @{exec_path} {
|
|||
/{usr/,}bin/gpgsm rPx,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
# Seahorse and SSH keys
|
||||
/usr/share/ubuntu/applications/ r,
|
||||
|
||||
/var/lib/snapd/desktop/icons/ r,
|
||||
|
||||
owner @{HOME}/@{XDG_SSH_DIR}/{,**} r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
|
|
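Review bot: The new `dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server ... peer=(name=org.freedesktop.Avahi),` is pinned to a peer, but the matching `dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]* interface=org.freedesktop.Avahi.ServiceBrowser member={CacheExhausted,AllForNow},` is not, so any bus client may deliver those signals; adding the same `peer=(name=org.freedesktop.Avahi)` to the receive rule keeps the two halves symmetric. The same gap, on both the send and the receive rule, appears in the gvfsd-dnssd section. `owner @{HOME}/@{XDG_SSH_DIR}/{,**} r,` covers private keys as well as public ones; that is seahorse's purpose and the `# Seahorse and SSH keys` heading says so, which is the right way to record it. The profile's closing brace is outside the hunks.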
@ -56,9 +56,9 @@ profile gvfs-udisks2-volume-monitor @{exec_path} {
|
|||
owner @{PROC}/@{pid}/fdinfo/[0-9]* r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/net/* r,
|
||||
@{PROC}/@{pids}/net/* r,
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pid}/stat r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/1/cgroup r,
|
||||
@{PROC}/locks r,
|
||||
|
||||
|
|
|
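Review bot: If, as the print order suggests, `@{PROC}/@{pids}/net/* r,` and `@{PROC}/@{pids}/stat r,` are the new side, the change widens `owner @{PROC}/@{pid}/net/* r,` from the monitor's own entry to every process's and also drops the `owner` guard; `/proc/<pid>/net` reflects that process's network namespace, so this is a genuine broadening. If the denial that motivated it was for one specific foreign pid (as `@{PROC}/1/cgroup r,` two lines below already does for init), that narrower form is preferable to `@{pids}`. The profile header is outside the hunk.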
@ -1,6 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021 Mikhail Morfikov
|
||||
# 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
@ -11,6 +11,16 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/gvfsd-dnssd
|
||||
profile gvfsd-dnssd @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member={Ping,GetAPIVersion,GetState,ServiceBrowserNew},
|
||||
|
||||
dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]
|
||||
interface=org.freedesktop.Avahi.ServiceBrowser
|
||||
member={CacheExhausted,AllForNow},
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
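Review bot: `dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]` lacks the trailing `*` that the otherwise identical seahorse rule has (`ServiceBrowser[0-9]*`), so it would not match a two-digit browser index should Avahi ever issue one; the line should read `dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*`. Neither the send nor the receive rule here names a `peer=`, unlike the seahorse send rule — `peer=(name=org.freedesktop.Avahi)` would pin both to the daemon. The copyright-year hunk above is trivial. The profile's closing brace is outside the hunk.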
@ -11,6 +11,7 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/gvfsd-network
|
||||
profile gvfsd-network @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf-write>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
@ -11,6 +11,7 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/gvfsd-smb-browse
|
||||
profile gvfsd-smb-browse @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
|
|
|
@ -92,6 +92,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
|
|||
owner @{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/devices r,
|
||||
@{PROC}/driver/nvidia/gpus/ r,
|
||||
|
||||
/dev/ rw,
|
||||
/dev/** rwk,
|
||||
|
|
|
@ -13,6 +13,7 @@ profile systemd-vconsole-setup @{exec_path} {
|
|||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/systemd-common>
|
||||
|
||||
capability dac_override,
|
||||
capability sys_ptrace,
|
||||
capability sys_resource,
|
||||
capability sys_tty_config,
|
||||
|
|
|
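Review bot: The hunk header admits one added `capability` line among `dac_override`, `sys_ptrace`, `sys_resource` and `sys_tty_config`, and none of them carries a why-comment; `capability sys_ptrace` in particular is broad (it also bypasses the access checks on other processes' /proc entries), so whichever line is new deserves a note such as `# needed for <operation> — confirm against the audit log`. The profile header is outside the hunk.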
@ -14,7 +14,7 @@ profile apt-esm-hook @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/dpkg rPx,
|
||||
/{usr/,}bin/dpkg rPx -> child-dpkg,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
|
|
|
@ -15,8 +15,8 @@ profile list-oem-metapackages @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/dpkg rPx,
|
||||
/{usr/,}bin/ischroot rix,
|
||||
/{usr/,}bin/dpkg rPx -> child-dpkg,
|
||||
/{usr/,}bin/ischroot rix,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
|
|
|
@ -53,7 +53,7 @@ profile packagekitd @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/dpkg rPx,
|
||||
/{usr/,}bin/dpkg rPx -> child-dpkg,
|
||||
|
||||
/usr/share/dpkg/tupletable r,
|
||||
/usr/share/dpkg/cputable r,
|
||||
|
|
|
@ -12,10 +12,14 @@ profile release-upgrade-motd @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/date rix,
|
||||
/{usr/,}bin/expr rix,
|
||||
/{usr/,}bin/stat rix,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/date rix,
|
||||
/{usr/,}bin/expr rix,
|
||||
/{usr/,}bin/stat rix,
|
||||
/{usr/,}bin/do-release-upgrade rPx,
|
||||
|
||||
/var/lib/ubuntu-release-upgrader/release-upgrade-available rw,
|
||||
|
||||
|
||||
include if exists <local/release-upgrade-motd>
|
||||
}
|
|
@ -14,7 +14,7 @@ profile ubuntu-report @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/dpkg rPx,
|
||||
/{usr/,}bin/dpkg rPx -> child-dpkg,
|
||||
|
||||
owner @{user_cache_dirs}/ubuntu-report/{,*} r,
|
||||
|
||||
|
|
|
@ -16,6 +16,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/python>
|
||||
|
@ -25,9 +26,10 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
|
|||
network inet6 dgram,
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
dbus (send,receive) bus=system path=/org/debian/apt{,/transaction/*}
|
||||
interface={org.debian{,.apt},org.freedesktop.DBus.{Introspectable,Properties}}
|
||||
interface={org.debian{,.apt*},org.freedesktop.DBus.{Introspectable,Properties}}
|
||||
member={CommitPackages,Run,PropertyChanged,Introspect,Set,GetAll},
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
|
@ -46,9 +48,13 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
|
|||
interface=org.freedesktop.login[0-9].Manager
|
||||
member=Inhibit,
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.NetworkManager
|
||||
member=StateChanged,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/dpkg rPx,
|
||||
/{usr/,}bin/dpkg rPx -> child-dpkg,
|
||||
/{usr/,}bin/hwe-support-status rPx,
|
||||
/{usr/,}bin/ischroot rix,
|
||||
/{usr/,}bin/lsb_release rPx -> lsb_release,
|
||||
|
@ -56,12 +62,11 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
|
|||
/{usr/,}bin/uname rix,
|
||||
/{usr/,}lib/apt/methods/http{,s} rPx,
|
||||
|
||||
/usr/share/applications/{,**} r,
|
||||
/usr/share/distro-info/{,**} r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/icons/{,**} r,
|
||||
/usr/share/pixmaps/{,*} r,
|
||||
/usr/share/themes/{,**} r,
|
||||
/usr/share/ubuntu-release-upgrader/{,**} r,
|
||||
/usr/share/ubuntu/applications/{,**} r,
|
||||
/usr/share/update-manager/{,**} r,
|
||||
/usr/share/X11/{,**} r,
|
||||
|
||||
|
@ -83,6 +88,10 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/systemd/inhibit/*.ref w,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
|
||||
/dev/ptmx rw,
|
||||
|
||||
include if exists <local/update-manager>
|
||||
}
|
|
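Review bot: `/dev/ptmx rw,` and `@{PROC}/@{pids}/mountinfo r,` are the lines most worth a second look in the last hunk: the first grants pty allocation with no comment on what it spawns (presumably a terminal for the package transaction — worth stating), and the second reads every process's mount table while the sibling line keeps `owner @{PROC}/@{pid}/mounts r,`; if only the tool's own view is needed, `owner @{PROC}/@{pid}/mountinfo r,` is the tighter form. In the dbus hunk, `interface={org.debian{,.apt*},org.freedesktop.DBus.{Introspectable,Properties}}` is a prefix glob that is broader than the `org.debian{,.apt}` it replaces; listing the concrete interfaces would keep it auditable. The update-manager profile header is outside these hunks.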
@ -25,7 +25,7 @@ profile update-notifier @{exec_path} {
|
|||
/{usr/,}bin/ischroot rix,
|
||||
/{usr/,}bin/nice rix,
|
||||
|
||||
/{usr/,}bin/dpkg rPx,
|
||||
/{usr/,}bin/dpkg rPx -> child-dpkg,
|
||||
/{usr/,}bin/lsb_release rPx -> lsb_release,
|
||||
/{usr/,}bin/pkexec rPx,
|
||||
/{usr/,}bin/systemctl rPx -> child-systemctl,
|
||||
|
|
|
@ -23,7 +23,6 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/python3.[0-9]* r,
|
||||
@{libexec}/ r,
|
||||
|
||||
/var/lib/blueman/network.state rw,
|
||||
|
|
|
@ -12,7 +12,6 @@ profile blueman-rfcomm-watcher @{exec_path} {
|
|||
include <abstractions/python>
|
||||
|
||||
@{exec_path} r,
|
||||
/{usr/,}bin/python3.[0-9]* r,
|
||||
|
||||
@{libexec}/ r,
|
||||
|
||||
|
|
|
@ -32,6 +32,7 @@ profile boltd @{exec_path} {
|
|||
@{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{authorized,generation} r,
|
||||
@{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{uevent,unique_id} r,
|
||||
@{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{vendor,device}_name r,
|
||||
@{sys}/devices/pci[0-9]*/**/domain[0-9]*/iommu_dma_protection r,
|
||||
@{sys}/devices/platform/**/uevent r,
|
||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
|
|
|
@ -59,7 +59,9 @@ profile etckeeper @{exec_path} {
|
|||
|
||||
@{run}/resolvconf/resolv.conf r,
|
||||
|
||||
/tmp/etckeeper-git* rw,
|
||||
owner /tmp/etckeeper-git* rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
profile gpg {
|
||||
include <abstractions/base>
|
||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/evince /{usr/,}bin/evinced
|
||||
@{exec_path} = /{usr/,}bin/evince /{usr/,}lib/evinced
|
||||
profile evince @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf-write>
|
||||
|
@ -33,9 +33,9 @@ profile evince @{exec_path} {
|
|||
owner @{user_cache_dirs}/thumbnails/{,**} rw,
|
||||
owner @{user_config_dirs}/evince/{,*} rw,
|
||||
|
||||
owner /tmp/*.pdf r,
|
||||
owner /tmp/evince-*/{,**} rw,
|
||||
/tmp/gtkprint* rw,
|
||||
/tmp/*.pdf r,
|
||||
owner /tmp/gtkprint* rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
|
|
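Review bot: In the /tmp hunk the print order suggests `owner /tmp/*.pdf r,` becomes `/tmp/*.pdf r,`, dropping the `owner` guard while `gtkprint*` gains one; if that is the direction, evince can now read any user's PDFs left in the shared /tmp, which is the opposite of what the gtkprint change does. If the denial came from a file created by another uid, a comment naming that case (or matching on its specific name) is preferable to removing `owner` for the whole glob. The exec-path hunk (`/{usr/,}lib/evinced`) is a path correction and needs no comment. The rest of the profile lies outside these hunks.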
@ -11,6 +11,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/devices-usb>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability sys_nice,
|
||||
|
||||
|
@ -41,8 +42,12 @@ profile fprintd @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/etc/fprintd.conf r,
|
||||
|
||||
/var/lib/fprint/{,**} rw,
|
||||
|
||||
@{run}/systemd/journal/socket rw,
|
||||
@{run}/systemd/inhibit/*.ref w,
|
||||
|
||||
@{sys}/class/hidraw/ r,
|
||||
|
||||
include if exists <local/fprintd>
|
||||
}
|
|
@ -10,18 +10,18 @@ include <tunables/global>
|
|||
profile freefall @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
capability sys_nice,
|
||||
capability ipc_lock,
|
||||
capability mknod,
|
||||
capability sys_nice,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{sys}/devices/**/unload_heads r,
|
||||
@{sys}/class/leds/**/brightness r,
|
||||
|
||||
/dev/freefall rw,
|
||||
/dev/sd[a-z]* rk,
|
||||
/dev/sd[a-z]*[0-9]* rk,
|
||||
|
||||
@{sys}/devices/**/unload_heads r,
|
||||
@{sys}/class/leds/**/brightness r,
|
||||
|
||||
include if exists <local/freefall>
|
||||
}
|
||||
|
|
|
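Review bot: `capability ipc_lock,` and `capability mknod,` appear alongside the existing `capability sys_nice,` with no comment, and `mknod` in particular lets the daemon create device nodes, a surprising need for a free-fall monitor that already has `/dev/freefall rw,` and the `/dev/sd*` rules; if it was taken from an audit log, verify the operation actually fails without it and record the reason (`# mknod: <reason> — confirm`), otherwise drop it. `ipc_lock` is plausible for locking the daemon's memory so it is never swapped out during a fall event, and a one-line comment saying so would help. Which of the reordered lines are additions is inferred from print order only. The profile header is in the hunk context; its remaining rules are outside.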
@ -14,18 +14,20 @@ profile rngd @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
capability dac_read_search,
|
||||
capability sys_admin,
|
||||
capability sys_nice,
|
||||
capability dac_read_search,
|
||||
|
||||
network netlink raw,
|
||||
|
||||
/etc/opensc.conf r,
|
||||
/etc/conf.d/rngd r,
|
||||
/etc/opensc.conf r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
@{sys}/devices/virtual/misc/hw_random/rng_available r,
|
||||
|
||||
@{PROC}/sys/kernel/random/poolsize r,
|
||||
@{PROC}/sys/kernel/random/write_wakeup_threshold rw,
|
||||
|
||||
|
|
|
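Review bot: `capability sys_admin,` sits next to `dac_read_search` and `sys_nice` in this hunk without a comment, and it is by far the broadest of the three; if it is there for the RNDADDENTROPY ioctl on /dev/random, which does require CAP_SYS_ADMIN, a line such as `# RNDADDENTROPY ioctl on /dev/random needs CAP_SYS_ADMIN` next to it records that and lets a reviewer check nothing else relies on it. `/etc/conf.d/rngd r,` and the `machine-id` reads are routine. Whether `sys_admin` or `dac_read_search` is the added line is not recoverable from the page. The profile header is outside the hunk.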
@ -96,6 +96,7 @@ profile run-parts @{exec_path} {
|
|||
/etc/kernel/postinst.d/initramfs-tools rCx -> kernel,
|
||||
/etc/kernel/postinst.d/unattended-upgrades rCx -> kernel,
|
||||
/etc/kernel/postinst.d/zz-update-grub rCx -> kernel,
|
||||
/etc/kernel/postinst.d/xx-update-initrd-links rCx -> kernel,
|
||||
|
||||
/etc/kernel/postrm.d/ r,
|
||||
/etc/kernel/postrm.d/initramfs-tools rCx -> kernel,
|
||||
|
@ -139,6 +140,8 @@ profile run-parts @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
capability sys_module,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/{,e}grep rix,
|
||||
/{usr/,}bin/cat rix,
|
||||
|
@ -180,6 +183,7 @@ profile run-parts @{exec_path} {
|
|||
/etc/modprobe.d/ r,
|
||||
/etc/modprobe.d/*.conf r,
|
||||
|
||||
@{run}/reboot-required w,
|
||||
@{run}/reboot-required.pkgs w,
|
||||
|
||||
@{PROC}/devices r,
|
||||
|
|
|
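Review bot: `capability sys_module,` is added inside what appears to be the `kernel` child profile targeted by the `rCx -> kernel` rules (its header is outside the hunk) with no comment; module loading is one of the most powerful capabilities a confined hook can hold, so if it exists to let depmod/modprobe run from the postinst.d scripts, say so next to the line (`# kernel postinst hooks (re)load modules — confirm`) and check whether `@{PROC}/devices r,` and the `modprobe.d` reads in the third hunk are part of the same need. The `xx-update-initrd-links rCx -> kernel` line and `@{run}/reboot-required.pkgs w,` follow the existing patterns and need no change.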
@ -11,6 +11,8 @@ include <tunables/global>
|
|||
@{exec_path} += /usr/share/system-config-printer/system-config-printer.py
|
||||
profile system-config-printer @{exec_path} flags=(complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/fonts>
|
||||
|
@ -22,6 +24,19 @@ profile system-config-printer @{exec_path} flags=(complain) {
|
|||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
|
||||
interface=org.freedesktop.PolicyKit[0-9].Authority
|
||||
member=CheckAuthorization,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/hostname[0-9]
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
|
@ -33,15 +48,21 @@ profile system-config-printer @{exec_path} flags=(complain) {
|
|||
/usr/share/cups/data/testprint r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/system-config-printer/{,**} r,
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
|
||||
/etc/cups/cupsd.conf r,
|
||||
/etc/cupshelpers/preferreddrivers.xml r,
|
||||
/etc/fstab r,
|
||||
/etc/papersize r,
|
||||
|
||||
/var/lib/snapd/desktop/icons/ r,
|
||||
|
||||
owner @{HOME}/.cups/ rw,
|
||||
owner @{HOME}/.cups/lpoptions rw,
|
||||
|
||||
owner @{run}/@{uid}/gvfsd/socket-* rw,
|
||||
@{run}/cups/cups.sock rw,
|
||||
|
||||
owner /tmp/* rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
|
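Review bot: `owner @{run}/@{uid}/gvfsd/socket-* rw,` looks like a typo for `owner @{run}/user/@{uid}/gvfsd/socket-* rw,` — the other profiles in this commit spell the per-user runtime directory `@{run}/user/@{uid}/` (see the apt-key and dpkg-preconfigure sections), and `@{run}/@{uid}/` would not match the real path. `owner /tmp/* rw,` is also very wide for a GUI tool, granting read/write on every file the user owns directly in /tmp; if the denial was for a specific temp name, match that instead. The polkit and hostname `dbus send` rules have no `peer=`, consistent with the rest of the tree, so nothing is asked there. The profile is still `flags=(complain)`, so these rules are not yet enforced, which makes now the right time to tighten them.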