refactor(profiles): use @{bin} and @{lib} in profiles (5)

Alexandre Pujol 2023-07-09 14:34:42 +01:00
parent 43b0f09b65
commit fcedbbfd95
122 changed files with 873 additions and 876 deletions


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/gajim @{exec_path} = @{bin}/gajim
profile gajim @{exec_path} { profile gajim @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/dconf-write>
@ -35,27 +35,27 @@ profile gajim @{exec_path} {
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/uname rix, @{bin}/ldconfig rix,
/{usr/,}{s,}bin/ldconfig rix, @{bin}/uname rix,
# To play sounds # To play sounds
/{usr/,}bin/aplay rix, @{bin}/aplay rix,
/{usr/,}bin/pacat rix, @{bin}/pacat rix,
# Needed for GPG/PGP support # Needed for GPG/PGP support
/{usr/,}bin/gpg{,2} rCx -> gpg, @{bin}/gpg{,2} rCx -> gpg,
/{usr/,}bin/gpgconf rCx -> gpg, @{bin}/gpgconf rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg, @{bin}/gpgsm rCx -> gpg,
/{usr/,}bin/ccache rCx -> ccache, @{bin}/ccache rCx -> ccache,
/{usr/,}bin/{,@{multiarch}-}ld.bfd rCx -> ccache, @{bin}/{,@{multiarch}-}ld.bfd rCx -> ccache,
# External apps # External apps
/{usr/,}bin/xdg-settings rPx, @{bin}/xdg-settings rPx,
/{usr/,}lib/firefox/firefox rPx, @{lib}/firefox/firefox rPx,
/{usr/,}bin/spacefm rPx, @{bin}/spacefm rPx,
# Gajim plugins # Gajim plugins
/usr/share/gajim/plugins/{,**} r, /usr/share/gajim/plugins/{,**} r,
@ -99,13 +99,13 @@ profile gajim @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
/{usr/,}bin/ccache mr, @{bin}/ccache mr,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix, @{lib}/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix, @{bin}/{,@{multiarch}-}g++-[0-9]* rix,
/{usr/,}bin/{,@{multiarch}-}ld.bfd rix, @{bin}/{,@{multiarch}-}ld.bfd rix,
/{usr/,}lib/gcc/@{multiarch}/[0-9]*/collect2 rix, @{lib}/gcc/@{multiarch}/[0-9]*/collect2 rix,
owner /tmp/cc* rw, owner /tmp/cc* rw,
owner /tmp/tmp* rw, owner /tmp/tmp* rw,
@ -121,12 +121,12 @@ profile gajim @{exec_path} {
profile gpg { profile gpg {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/gpg{,2} mr, @{bin}/gpg{,2} mr,
/{usr/,}bin/gpgconf mr, @{bin}/gpgconf mr,
/{usr/,}bin/gpgsm mr, @{bin}/gpgsm mr,
/{usr/,}bin/gpg-agent rix, @{bin}/gpg-agent rix,
/{usr/,}lib/gnupg/scdaemon rix, @{lib}/gnupg/scdaemon rix,
owner @{run}/user/@{uid}/gnupg/d.*/ rw, owner @{run}/user/@{uid}/gnupg/d.*/ rw,
owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w, owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w,


@ -11,13 +11,13 @@ profile games-wesnoth-sh @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/usr/games/wesnoth{,-[0-9]*} rPx, /usr/games/wesnoth{,-[0-9]*} rPx,
# For the editor # For the editor
/{usr/,}bin/basename rix, @{bin}/basename rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/ganyremote @{exec_path} = @{bin}/ganyremote
profile ganyremote @{exec_path} { profile ganyremote @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -23,33 +23,33 @@ profile ganyremote @{exec_path} {
network inet6 stream, network inet6 stream,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
/{usr/,}bin/cut rix, @{bin}/cut rix,
/{usr/,}bin/id rix, @{bin}/id rix,
/{usr/,}bin/which{,.debianutils} rix, @{bin}/which{,.debianutils} rix,
/{usr/,}bin/tr rix, @{bin}/tr rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/anyremote rPx, @{bin}/anyremote rPx,
/{usr/,}bin/ps rPx, @{bin}/ps rPx,
/{usr/,}bin/killall rCx -> killall, @{bin}/killall rCx -> killall,
/{usr/,}bin/pgrep rCx -> pgrep, @{bin}/pgrep rCx -> pgrep,
/{usr/,}bin/pacmd rPUx, @{bin}/pacmd rPUx,
/{usr/,}bin/pactl rPUx, @{bin}/pactl rPUx,
# Players # Players
/{usr/,}bin/smplayer rPUx, @{bin}/smplayer rPUx,
/{usr/,}bin/amarok rPUx, @{bin}/amarok rPUx,
/{usr/,}bin/vlc rPUx, @{bin}/vlc rPUx,
/{usr/,}bin/mpv rPUx, @{bin}/mpv rPUx,
/{usr/,}bin/strawberry rPUx, @{bin}/strawberry rPUx,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{HOME}/.anyRemote/{,*} rw, owner @{HOME}/.anyRemote/{,*} rw,
@ -79,7 +79,7 @@ profile ganyremote @{exec_path} {
ptrace (read), ptrace (read),
/{usr/,}bin/killall mr, @{bin}/killall mr,
# The /proc/ dir is needed to avoid the following error: # The /proc/ dir is needed to avoid the following error:
# /proc: Permission denied # /proc: Permission denied
@ -92,7 +92,7 @@ profile ganyremote @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
/{usr/,}bin/pgrep mr, @{bin}/pgrep mr,
# The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault. # The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.
@{PROC}/ r, @{PROC}/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/gconf/gconfd-[0-9] @{exec_path} = @{lib}/@{multiarch}/gconf/gconfd-[0-9]
profile gconfd @{exec_path} { profile gconfd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/gdisk @{exec_path} = @{bin}/gdisk
profile gdisk @{exec_path} { profile gdisk @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/disks-write> include <abstractions/disks-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/gdk-pixbuf-query-loaders @{exec_path} = @{bin}/gdk-pixbuf-query-loaders
profile gdk-pixbuf-query-loaders @{exec_path} { profile gdk-pixbuf-query-loaders @{exec_path} {
include <abstractions/base> include <abstractions/base>
@ -15,8 +15,8 @@ profile gdk-pixbuf-query-loaders @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}lib/gdk-pixbuf-[0-9].[0-9]*/{,*}/loaders.cache.* rw, @{lib}/gdk-pixbuf-[0-9].[0-9]*/{,*}/loaders.cache.* rw,
/{usr/,}lib/gdk-pixbuf-[0-9].[0-9]*/*/loaders.cache rw, @{lib}/gdk-pixbuf-[0-9].[0-9]*/*/loaders.cache rw,
include if exists <local/gdk-pixbuf-query-loaders> include if exists <local/gdk-pixbuf-query-loaders>
} }


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/gio-querymodules @{exec_path} = @{bin}/gio-querymodules
profile gio-querymodules @{exec_path} flags=(attach_disconnected) { profile gio-querymodules @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/openssl> include <abstractions/openssl>
@ -16,8 +16,8 @@ profile gio-querymodules @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}lib/gtk-{3,4}.0/**/giomodule.cache{,.[0-9A-Z]*} w, @{lib}/gtk-{3,4}.0/**/giomodule.cache{,.[0-9A-Z]*} w,
/{usr/,}lib/gio/modules/giomodule.cache{,.[0-9A-Z]*} w, @{lib}/gio/modules/giomodule.cache{,.[0-9A-Z]*} w,
deny /apparmor/.null rw, deny /apparmor/.null rw,


@ -7,13 +7,11 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/git @{exec_path} = @{bin}/git
@{exec_path} += /{usr/,}bin/git-* @{exec_path} += @{bin}/git-*
@{exec_path} += /{usr/,}lib/git-core/git @{exec_path} += @{lib}/git-core/git
@{exec_path} += /{usr/,}lib/git-core/git-* @{exec_path} += @{lib}/git-core/git-*
@{exec_path} += @{libexec}/git-core/git @{exec_path} += @{lib}/git-core/mergetools/*
@{exec_path} += @{libexec}/git-core/git-*
@{exec_path} += @{libexec}/git-core/mergetools/*
profile git @{exec_path} { profile git @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -34,47 +32,47 @@ profile git @{exec_path} {
# When you mistype a command, git checks the $PATH variable and search its exec dirs to give you # When you mistype a command, git checks the $PATH variable and search its exec dirs to give you
# the most similar commands, which it thinks can be used instead. Git binaries are all under # the most similar commands, which it thinks can be used instead. Git binaries are all under
# /usr/bin/ , so allow only this location. # /usr/bin/ , so allow only this location.
/{usr/,}bin/ r, @{bin}/ r,
deny /{usr/,}sbin/ r, deny /{usr/,}sbin/ r,
deny /usr/local/{s,}bin/ r, deny /usr/local/{s,}bin/ r,
deny /usr/games/ r, deny /usr/games/ r,
deny /usr/local/games/ r, deny /usr/local/games/ r,
# These are needed for "git submodule update" # These are needed for "git submodule update"
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
/{usr/,}bin/cat rix, @{bin}/cat rix,
/{usr/,}bin/cat rix, @{bin}/cat rix,
/{usr/,}bin/date rix, @{bin}/date rix,
/{usr/,}bin/dirname rix, @{bin}/dirname rix,
/{usr/,}bin/envsubst rix, @{bin}/envsubst rix,
/{usr/,}bin/gettext rix, @{bin}/gettext rix,
/{usr/,}bin/gettext.sh rix, @{bin}/gettext.sh rix,
/{usr/,}bin/hostname rix, @{bin}/hostname rix,
/{usr/,}bin/mkdir rix, @{bin}/mkdir rix,
/{usr/,}bin/mv rix, @{bin}/mv rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
/{usr/,}bin/uname rix, @{bin}/uname rix,
/{usr/,}bin/wc rix, @{bin}/wc rix,
/{usr/,}bin/whoami rix, @{bin}/whoami rix,
/{usr/,}bin/pager rPx -> child-pager, @{bin}/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager, @{bin}/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager, @{bin}/more rPx -> child-pager,
/{usr/,}bin/man rPx, @{bin}/man rPx,
/{usr/,}bin/meld rPUx, @{bin}/meld rPUx,
/{usr/,}lib/code/extensions/git/dist/askpass.sh rPx, @{lib}/code/extensions/git/dist/askpass.sh rPx,
/{usr/,}lib/code/extensions/git/dist/git-editor.sh rPx, @{lib}/code/extensions/git/dist/git-editor.sh rPx,
/usr/share/aurpublish/*.hook rPx, /usr/share/aurpublish/*.hook rPx,
/{usr/,}bin/gpg{,2} rCx -> gpg, @{bin}/gpg{,2} rCx -> gpg,
/{usr/,}bin/ssh rCx -> ssh, @{bin}/ssh rCx -> ssh,
/{usr/,}bin/sensible-editor rCx -> editor, @{bin}/sensible-editor rCx -> editor,
/{usr/,}bin/vim rCx -> editor, @{bin}/vim rCx -> editor,
/{usr/,}bin/vim.* rCx -> editor, @{bin}/vim.* rCx -> editor,
/usr/share/git-core/{,**} r, /usr/share/git-core/{,**} r,
/usr/share/terminfo/x/xterm-256color r, /usr/share/terminfo/x/xterm-256color r,
@ -108,8 +106,8 @@ profile git @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
/{usr/,}bin/gpg{,2} mr, @{bin}/gpg{,2} mr,
/{usr/,}bin/gpg-agent rPx, @{bin}/gpg-agent rPx,
owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
@ -132,7 +130,7 @@ profile git @{exec_path} {
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
/{usr/,}bin/ssh mr, @{bin}/ssh mr,
/etc/ssh/ssh_config.d/{,*} r, /etc/ssh/ssh_config.d/{,*} r,
/etc/ssh/ssh_config r, /etc/ssh/ssh_config r,
@ -162,11 +160,11 @@ profile git @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
/{usr/,}bin/sensible-editor mr, @{bin}/sensible-editor mr,
/{usr/,}bin/vim mrix, @{bin}/vim mrix,
/{usr/,}bin/vim.* mrix, @{bin}/vim.* mrix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix, @{bin}/which{,.debianutils} rix,
/usr/share/vim/{,**} r, /usr/share/vim/{,**} r,
/usr/share/terminfo/x/xterm-256color r, /usr/share/terminfo/x/xterm-256color r,
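Review bot: `@{bin}/cat rix,` is listed twice in the "git submodule update" block of the main profile; the duplicate predates this commit but survives the rewrite and should be collapsed to one line. The comment above `@{bin}/ r,` still says git binaries are only under /usr/bin/ and the next line keeps the literal `deny /{usr/,}sbin/ r,`, while elsewhere in this commit `/{usr/,}{s,}bin/...` rules are folded into `@{bin}/...` (gdisk, gparted), which suggests `@{bin}` now also matches sbin/; AppArmor deny rules win over allow rules, so the effective behaviour is presumably unchanged, but the comment should state the intent, e.g. `# @{bin}/ also covers sbin/ on merged-usr systems; the deny rules below keep the $PATH lookup restricted to bin/`. The three `@{libexec}/git-core/...` entries are dropped from `@{exec_path}` in favour of `@{lib}/git-core/...`; confirm that `@{lib}` also expands to /usr/libexec, otherwise git stops attaching to this profile on distributions that install there.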


@ -6,13 +6,13 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/glib-compile-resources @{exec_path} = @{bin}/glib-compile-resources
profile glib-compile-resources @{exec_path} { profile glib-compile-resources @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/xmllint rix, @{bin}/xmllint rix,
/tmp/resource-* rw, /tmp/resource-* rw,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/glib-compile-schemas @{exec_path} = @{bin}/glib-compile-schemas
profile glib-compile-schemas @{exec_path} { profile glib-compile-schemas @{exec_path} {
include <abstractions/base> include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{libexec}/glib-pacrunner @{exec_path} = @{lib}/glib-pacrunner
profile glib-pacrunner @{exec_path} { profile glib-pacrunner @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
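Review bot: `@{exec_path} = @{lib}/glib-pacrunner` replaces the `@{libexec}` form, and whether the profile still attaches depends on `@{lib}` expanding to /usr/libexec as well as /usr/lib, which is not visible in this diff. If `@{lib}` covers only lib paths, this helper (and the other `@{libexec}` → `@{lib}` swaps in this commit, in git and gparted) would silently run unconfined on distributions that install it to /usr/libexec, since an attachment miss is not an error. Verify the tunable definition, or keep an explicit `@{exec_path} += @{libexec}/glib-pacrunner` line. The profile body continues past the hunk.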


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/globaltime @{exec_path} = @{bin}/globaltime
profile globaltime @{exec_path} { profile globaltime @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/glxgears @{exec_path} = @{bin}/glxgears
profile glxgears @{exec_path} { profile glxgears @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-common> include <abstractions/dri-common>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/glxinfo @{exec_path} = @{bin}/glxinfo
profile glxinfo @{exec_path} { profile glxinfo @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-common> include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/gpa @{exec_path} = @{bin}/gpa
profile gpa @{exec_path} { profile gpa @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>
@ -18,10 +18,10 @@ profile gpa @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/gpgconf rPx, @{bin}/gpgconf rPx,
/{usr/,}bin/gpg-connect-agent rPx, @{bin}/gpg-connect-agent rPx,
/{usr/,}bin/gpg{,2} rPx, @{bin}/gpg{,2} rPx,
/{usr/,}bin/gpgsm rPx, @{bin}/gpgsm rPx,
/usr/share/gpa/{,*} r, /usr/share/gpa/{,*} r,
@ -45,7 +45,7 @@ profile gpa @{exec_path} {
owner /tmp/xauth-[0-9]*-_[0-9] r, owner /tmp/xauth-[0-9]*-_[0-9] r,
# External apps # External apps
/{usr/,}lib/firefox/firefox rPUx, @{lib}/firefox/firefox rPUx,
# file_inherit # file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/gparted @{exec_path} = @{bin}/gparted
profile gparted @{exec_path} { profile gparted @{exec_path} {
include <abstractions/base> include <abstractions/base>
@ -15,34 +15,34 @@ profile gparted @{exec_path} {
@{exec_path} r, @{exec_path} r,
/{usr/,}{s,}bin/ r, @{bin}/ r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/cut rix, @{bin}/cut rix,
/{usr/,}bin/id rix, @{bin}/id rix,
/{usr/,}bin/ls rix, @{bin}/ls rix,
/{usr/,}bin/mkdir rix, @{bin}/mkdir rix,
/{usr/,}bin/pidof rix, @{bin}/pidof rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
/{usr/,}bin/touch rix, @{bin}/touch rix,
/{usr/,}{s,}bin/gpartedbin rPx, @{bin}/gpartedbin rPx,
@{libexec}/gparted/gpartedbin rPx, @{lib}/gparted/gpartedbin rPx,
@{libexec}/gpartedbin rPx, @{lib}/gpartedbin rPx,
@{libexec}/{,udisks2/}udisks2-inhibit rix, @{lib}/{,udisks2/}udisks2-inhibit rix,
@{run}/udev/rules.d/ rw, @{run}/udev/rules.d/ rw,
@{run}/udev/rules.d/90-udisks-inhibit.rules rw, @{run}/udev/rules.d/90-udisks-inhibit.rules rw,
/{usr/,}bin/udevadm rCx -> udevadm, @{bin}/udevadm rCx -> udevadm,
/{usr/,}{s,}bin/killall5 rCx -> killall, @{bin}/killall5 rCx -> killall,
/{usr/,}bin/ps rPx, @{bin}/ps rPx,
/{usr/,}bin/xhost rPx, @{bin}/xhost rPx,
/{usr/,}bin/pkexec rPx, @{bin}/pkexec rPx,
/{usr/,}bin/systemctl rPx -> child-systemctl, @{bin}/systemctl rPx -> child-systemctl,
# For shell pwd # For shell pwd
/ r, / r,
@ -63,7 +63,7 @@ profile gparted @{exec_path} {
ptrace (read), ptrace (read),
/{usr/,}bin/udevadm mr, @{bin}/udevadm mr,
/etc/udev/udev.conf r, /etc/udev/udev.conf r,
@ -91,7 +91,7 @@ profile gparted @{exec_path} {
ptrace (read), ptrace (read),
/{usr/,}{s,}bin/killall5 mr, @{bin}/killall5 mr,
# The /proc/ dir is needed to avoid the following error: # The /proc/ dir is needed to avoid the following error:
# /proc: Permission denied # /proc: Permission denied


@ -7,9 +7,9 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/gpartedbin @{exec_path} = @{bin}/gpartedbin
@{exec_path} += @{libexec}/gpartedbin @{exec_path} += @{lib}/gpartedbin
@{exec_path} += @{libexec}/gparted/gpartedbin @{exec_path} += @{lib}/gparted/gpartedbin
profile gpartedbin @{exec_path} { profile gpartedbin @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/dconf-write>
@ -30,45 +30,45 @@ profile gpartedbin @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}{s,}bin/blkid rPx, @{bin}/blkid rPx,
/{usr/,}{s,}bin/dmidecode rPx, @{bin}/dmidecode rPx,
/{usr/,}{s,}bin/hdparm rPx, @{bin}/hdparm rPx,
/{usr/,}bin/kmod rPx, @{bin}/kmod rPx,
/{usr/,}bin/mount rCx -> mount, @{bin}/mount rCx -> mount,
/{usr/,}bin/udevadm rCx -> udevadm, @{bin}/udevadm rCx -> udevadm,
/{usr/,}bin/umount rCx -> umount, @{bin}/umount rCx -> umount,
/{usr/,}{s,}bin/dmraid rPUx, @{bin}/btrfs rPx,
/{usr/,}{s,}bin/dmsetup rPUx, @{bin}/btrfstune rPx,
/{usr/,}{s,}bin/dumpe2fs rPx, @{bin}/dmraid rPUx,
/{usr/,}{s,}bin/e2fsck rPx, @{bin}/dmsetup rPUx,
/{usr/,}{s,}bin/e2image rPx, @{bin}/dumpe2fs rPx,
/{usr/,}{s,}bin/fsck.btrfs rPx, @{bin}/e2fsck rPx,
/{usr/,}{s,}bin/fsck.fat rPx, @{bin}/e2image rPx,
/{usr/,}{s,}bin/lvm rPUx, @{bin}/fsck.btrfs rPx,
/{usr/,}{s,}bin/mke2fs rPx, @{bin}/fsck.fat rPx,
/{usr/,}{s,}bin/mkntfs rPx, @{bin}/lvm rPUx,
/{usr/,}{s,}bin/mkswap rPx, @{bin}/mdadm rPUx,
/{usr/,}{s,}bin/ntfslabel rPx, @{bin}/mke2fs rPx,
/{usr/,}{s,}bin/ntfsresize rPx, @{bin}/mkfs.* rPx,
/{usr/,}{s,}bin/resize2fs rPx, @{bin}/mkntfs rPx,
/{usr/,}{s,}bin/swaplabel rPx, @{bin}/mkswap rPx,
/{usr/,}{s,}bin/swapoff rPx, @{bin}/mtools rPx,
/{usr/,}{s,}bin/swapon rPx, @{bin}/ntfsinfo rPx,
/{usr/,}{s,}bin/tune2fs rPx, @{bin}/ntfslabel rPx,
/{usr/,}bin/btrfs rPx, @{bin}/ntfsresize rPx,
/{usr/,}bin/btrfstune rPx, @{bin}/resize2fs rPx,
/{usr/,}bin/mdadm rPUx, @{bin}/swaplabel rPx,
/{usr/,}bin/mkfs.* rPx, @{bin}/swapoff rPx,
/{usr/,}bin/mtools rPx, @{bin}/swapon rPx,
/{usr/,}bin/ntfsinfo rPx, @{bin}/tune2fs rPx,
/{usr/,}bin/xfs_io rPUx, @{bin}/xfs_io rPUx,
/{usr/,}bin/xdg-open rCx -> child-open, @{bin}/xdg-open rCx -> child-open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> child-open, @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> child-open,
@{HOME}/.Xauthority r, @{HOME}/.Xauthority r,
owner @{HOME}/*.htm w, owner @{HOME}/*.htm w,
@ -98,7 +98,7 @@ profile gpartedbin @{exec_path} {
mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/, mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/,
mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
/{usr/,}bin/mount mr, @{bin}/mount mr,
@{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r,
@{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/dev r, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/dev r,
@ -121,7 +121,7 @@ profile gpartedbin @{exec_path} {
umount @{MOUNTS}/, umount @{MOUNTS}/,
umount @{MOUNTS}/*/, umount @{MOUNTS}/*/,
/{usr/,}bin/umount mr, @{bin}/umount mr,
owner @{run}/mount/ rw, owner @{run}/mount/ rw,
owner @{run}/mount/utab{,.*} rw, owner @{run}/mount/utab{,.*} rw,
@ -137,7 +137,7 @@ profile gpartedbin @{exec_path} {
ptrace (read), ptrace (read),
/{usr/,}bin/udevadm mr, @{bin}/udevadm mr,
/etc/udev/udev.conf r, /etc/udev/udev.conf r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/gpasswd @{exec_path} = @{bin}/gpasswd
profile gpasswd @{exec_path} { profile gpasswd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>


@ -6,14 +6,14 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/gping @{exec_path} = @{bin}/gping
profile gping @{exec_path} { profile gping @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/ping rPx, @{bin}/ping rPx,
include if exists <local/gping> include if exists <local/gping>
} }


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/gpo @{exec_path} = @{bin}/gpo
profile gpo @{exec_path} { profile gpo @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -22,14 +22,14 @@ profile gpo @{exec_path} {
network inet6 stream, network inet6 stream,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/uname rix, @{bin}/uname rix,
/{usr/,}bin/pager rPx -> child-pager, @{bin}/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager, @{bin}/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager, @{bin}/more rPx -> child-pager,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/gpodder @{exec_path} = @{bin}/gpodder
profile gpodder @{exec_path} { profile gpodder @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
@ -26,11 +26,11 @@ profile gpodder @{exec_path} {
network netlink raw, network netlink raw,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/uname rix, @{bin}/uname rix,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/ rw,
@ -50,18 +50,18 @@ profile gpodder @{exec_path} {
/usr/share/*/*.desktop r, /usr/share/*/*.desktop r,
/{usr/,}bin/xdg-settings rPUx, @{bin}/xdg-settings rPUx,
/{usr/,}bin/xdg-open rCx -> open, @{bin}/xdg-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
# A/V players # A/V players
/{usr/,}bin/smplayer rPUx, @{bin}/smplayer rPUx,
/{usr/,}bin/vlc rPUx, @{bin}/vlc rPUx,
/{usr/,}bin/mpv rPUx, @{bin}/mpv rPUx,
# Open in a web browser # Open in a web browser
/{usr/,}lib/firefox/firefox rPUx, @{lib}/firefox/firefox rPUx,
# file_inherit # file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
@ -71,20 +71,20 @@ profile gpodder @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr, @{bin}/xdg-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, @{lib}/firefox/firefox rPUx,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,


@ -6,17 +6,17 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/gpodder-migrate2tres @{exec_path} = @{bin}/gpodder-migrate2tres
profile gpodder-migrate2tres @{exec_path} { profile gpodder-migrate2tres @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/python> include <abstractions/python>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/uname rix, @{bin}/uname rix,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/groupadd @{exec_path} = @{bin}/groupadd
profile groupadd @{exec_path} { profile groupadd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -20,7 +20,7 @@ profile groupadd @{exec_path} {
network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}{s,}bin/nscd rix, @{bin}/nscd rix,
/etc/login.defs r, /etc/login.defs r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/groupdel @{exec_path} = @{bin}/groupdel
profile groupdel @{exec_path} { profile groupdel @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -22,7 +22,7 @@ profile groupdel @{exec_path} {
network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}{s,}bin/nscd rix, @{bin}/nscd rix,
/etc/login.defs r, /etc/login.defs r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/groupmod @{exec_path} = @{bin}/groupmod
profile groupmod @{exec_path} { profile groupmod @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/groups @{exec_path} = @{bin}/groups
profile groups @{exec_path} { profile groups @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grpck @{exec_path} = @{bin}/grpck
profile grpck @{exec_path} { profile grpck @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/gsettings @{exec_path} = @{bin}/gsettings
profile gsettings @{exec_path} { profile gsettings @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/dconf-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/gsimplecal @{exec_path} = @{bin}/gsimplecal
profile gsimplecal @{exec_path} { profile gsimplecal @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/gsmartcontrol @{exec_path} = @{bin}/gsmartcontrol
profile gsmartcontrol @{exec_path} { profile gsmartcontrol @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>
@ -22,8 +22,8 @@ profile gsmartcontrol @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}{s,}bin/smartctl rPx, @{bin}/smartctl rPx,
/{usr/,}bin/xterm rCx -> terminal, @{bin}/xterm rCx -> terminal,
# When gsmartcontrol is run as root, it wants to exec dbus-launch, and hence it creates the two # When gsmartcontrol is run as root, it wants to exec dbus-launch, and hence it creates the two
# following root processes: # following root processes:
@ -31,10 +31,10 @@ profile gsmartcontrol @{exec_path} {
# /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
# #
# Should this be allowed? Gsmartcontrol works fine without this. # Should this be allowed? Gsmartcontrol works fine without this.
#/{usr/,}bin/dbus-launch rCx -> dbus, #@{bin}/dbus-launch rCx -> dbus,
#/{usr/,}bin/dbus-send rCx -> dbus, #@{bin}/dbus-send rCx -> dbus,
deny /{usr/,}bin/dbus-launch rx, deny @{bin}/dbus-launch rx,
deny /{usr/,}bin/dbus-send rx, deny @{bin}/dbus-send rx,
owner @{user_config_dirs}/gsmartcontrol/ rw, owner @{user_config_dirs}/gsmartcontrol/ rw,
owner @{user_config_dirs}/gsmartcontrol/gsmartcontrol.conf rw, owner @{user_config_dirs}/gsmartcontrol/gsmartcontrol.conf rw,
@ -62,16 +62,16 @@ profile gsmartcontrol @{exec_path} {
# The Help menu (and links in it) requires access to a web browser. Since gsmartcontrol is run as # The Help menu (and links in it) requires access to a web browser. Since gsmartcontrol is run as
# root (even when used sudo or gsmartcontrol-root), the web browser will also be run as root and # root (even when used sudo or gsmartcontrol-root), the web browser will also be run as root and
# hence this behavior should be blocked. # hence this behavior should be blocked.
deny /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rx, deny @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rx,
profile dbus { profile dbus {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
/{usr/,}bin/dbus-launch mr, @{bin}/dbus-launch mr,
/{usr/,}bin/dbus-send mr, @{bin}/dbus-send mr,
/{usr/,}bin/dbus-daemon rPUx, @{bin}/dbus-daemon rPUx,
# for dbus-launch # for dbus-launch
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
@ -89,7 +89,7 @@ profile gsmartcontrol @{exec_path} {
capability setgid, capability setgid,
capability fsetid, capability fsetid,
/{usr/,}bin/xterm mr, @{bin}/xterm mr,
/usr/sbin/update-smart-drivedb rPx, /usr/sbin/update-smart-drivedb rPx,
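Review bot: `/usr/sbin/update-smart-drivedb rPx,` in the terminal child profile is left as a literal path while every sibling rule in this file is moved to `@{bin}`; on systems without merged /usr this misses /sbin/update-smart-drivedb, and it is inconsistent with the rest of the rewrite. Change it to `@{bin}/update-smart-drivedb rPx,` so it follows the same tunable as the `@{bin}/smartctl rPx,` rule above. The terminal child profile continues past the hunk.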


@ -6,17 +6,17 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/gsmartcontrol-root @{exec_path} = @{bin}/gsmartcontrol-root
profile gsmartcontrol-root @{exec_path} { profile gsmartcontrol-root @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix, @{bin}/which{,.debianutils} rix,
/{usr/,}bin/pkexec rPx, @{bin}/pkexec rPx,
include if exists <local/gsmartcontrol-root> include if exists <local/gsmartcontrol-root>
} }


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/gssproxy @{exec_path} = @{bin}/gssproxy
profile gssproxy @{exec_path} { profile gssproxy @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/authentication> include <abstractions/authentication>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/gtk-query-immodules-{2,3}.0 @{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0
profile gtk-query-immodules @{exec_path} { profile gtk-query-immodules @{exec_path} {
include <abstractions/base> include <abstractions/base>
@ -15,8 +15,8 @@ profile gtk-query-immodules @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}lib/gtk-{2,3,4}.0/**/immodules.cache w, @{lib}/gtk-{2,3,4}.0/**/immodules.cache w,
/{usr/,}lib/gtk-{2,3,4}.0/**/immodules.cache.[0-9A-Z]* w, @{lib}/gtk-{2,3,4}.0/**/immodules.cache.[0-9A-Z]* w,
# Inherit silencer # Inherit silencer
deny network inet6 stream, deny network inet6 stream,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/gtk-update-icon-cache /{usr/,}bin/gtk4-update-icon-cache @{exec_path} = @{bin}/gtk-update-icon-cache @{bin}/gtk4-update-icon-cache
profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) { profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/gtk{,2,3}-youtube-viewer @{exec_path} = @{bin}/gtk{,2,3}-youtube-viewer
profile gtk-youtube-viewer @{exec_path} { profile gtk-youtube-viewer @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/fonts> include <abstractions/fonts>
@ -25,23 +25,23 @@ profile gtk-youtube-viewer @{exec_path} {
network netlink raw, network netlink raw,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, @{bin}/perl r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/xterm rCx -> xterm, @{bin}/xterm rCx -> xterm,
/{usr/,}bin/rxvt rCx -> xterm, @{bin}/rxvt rCx -> xterm,
/{usr/,}bin/urxvt rCx -> xterm, @{bin}/urxvt rCx -> xterm,
# Players # Players
/{usr/,}bin/mpv rPx, @{bin}/mpv rPx,
/{usr/,}bin/vlc rPx, @{bin}/vlc rPx,
/{usr/,}bin/smplayer rPx, @{bin}/smplayer rPx,
/{usr/,}lib/firefox/firefox rPx, @{lib}/firefox/firefox rPx,
/{usr/,}bin/xdg-open rCx -> open, @{bin}/xdg-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
owner @{user_config_dirs}/youtube-viewer/{,*} rw, owner @{user_config_dirs}/youtube-viewer/{,*} rw,
@ -65,14 +65,14 @@ profile gtk-youtube-viewer @{exec_path} {
signal (send) set=(hup, winch) peer=youtube-viewer, signal (send) set=(hup, winch) peer=youtube-viewer,
signal (send) set=(hup, winch) peer=youtube-viewer//wget, signal (send) set=(hup, winch) peer=youtube-viewer//wget,
/{usr/,}bin/xterm mr, @{bin}/xterm mr,
/{usr/,}bin/rxvt mr, @{bin}/rxvt mr,
/{usr/,}bin/urxvt mr, @{bin}/urxvt mr,
/{usr/,}bin/zsh rix, @{bin}/zsh rix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/youtube-viewer rPx, @{bin}/youtube-viewer rPx,
owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/loginuid r,
@ -97,20 +97,20 @@ profile gtk-youtube-viewer @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr, @{bin}/xdg-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, @{lib}/firefox/firefox rPUx,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,


@ -27,13 +27,13 @@ profile gzdoom @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/zsh rix, @{bin}/zsh rix,
/{usr/,}bin/uname rix, @{bin}/uname rix,
/{usr/,}bin/xmessage rix, @{bin}/xmessage rix,
/{usr/,}bin/gdb rix, @{bin}/gdb rix,
/{usr/,}bin/iconv rix, @{bin}/iconv rix,
/opt/gzdoom/ r, /opt/gzdoom/ r,
/opt/gzdoom/** mr, /opt/gzdoom/** mr,


@ -6,17 +6,17 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/hardinfo @{exec_path} = @{bin}/hardinfo
profile hardinfo @{exec_path} { profile hardinfo @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
include <abstractions/python> include <abstractions/python>
include <abstractions/user-download-strict>
# This is needed to display some content of devices -> resources # This is needed to display some content of devices -> resources
capability sys_admin, capability sys_admin,
@ -31,36 +31,36 @@ profile hardinfo @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/locale rix, @{bin}/gdb rix,
/{usr/,}bin/ldd rix, @{bin}/iconv rix,
/{usr/,}bin/tr rix, @{bin}/last rix,
/{usr/,}bin/python2.[0-9]* rix, @{bin}/ldd rix,
/{usr/,}bin/python3.[0-9]* rix, @{bin}/locale rix,
/{usr/,}bin/perl rix, @{bin}/make rix,
/{usr/,}bin/ruby[0-9].[0-9]* rix, @{bin}/perl rix,
/{usr/,}bin/make rix, @{bin}/python2.[0-9]* rix,
/{usr/,}bin/strace rix, @{bin}/python3.[0-9]* rix,
/{usr/,}bin/gdb rix, @{bin}/route rix,
/{usr/,}bin/last rix, @{bin}/ruby[0-9].[0-9]* rix,
/{usr/,}bin/iconv rix, @{bin}/strace rix,
/{usr/,}{s,}bin/route rix, @{bin}/tr rix,
/{usr/,}bin/valgrind{,.bin} rix, @{bin}/valgrind{,.bin} rix,
/{usr/,}lib/@{multiarch}/valgrind/memcheck-*-linux rix, @{lib}/@{multiarch}/valgrind/memcheck-*-linux rix,
/{usr/,}bin/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open, @{bin}/xdg-open rCx -> open,
/{usr/,}bin/ccache rCx -> ccache, @{bin}/ccache rCx -> ccache,
/{usr/,}bin/kmod rCx -> kmod, @{bin}/kmod rCx -> kmod,
/{usr/,}bin/glxinfo rPx, @{bin}/glxinfo rPx,
/{usr/,}bin/xdpyinfo rPx, @{bin}/xdpyinfo rPx,
/{usr/,}bin/lspci rPx, @{bin}/lspci rPx,
/{usr/,}bin/lsusb rPx, @{bin}/lsusb rPx,
/{usr/,}bin/netstat rPx, @{bin}/netstat rPx,
/{usr/,}bin/qtchooser rPx, @{bin}/qtchooser rPx,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac, @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac,
/usr/share/hardinfo/{,**} r, /usr/share/hardinfo/{,**} r,
@ -112,7 +112,7 @@ profile hardinfo @{exec_path} {
owner /tmp/#[0-9]*[0-9] rw, owner /tmp/#[0-9]*[0-9] rw,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, @{lib}/firefox/firefox rPUx,
# Silencer # Silencer
deny /usr/share/gdb/python/** w, deny /usr/share/gdb/python/** w,
@ -124,11 +124,11 @@ profile hardinfo @{exec_path} {
profile ccache { profile ccache {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/ccache mr, @{bin}/ccache mr,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix, @{lib}/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix, @{bin}/{,@{multiarch}-}g++-[0-9]* rix,
/media/ccache/*/** rw, /media/ccache/*/** rw,
@ -140,9 +140,9 @@ profile hardinfo @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
/{usr/,}lib/jvm/java-[0-9]*-openjdk-amd64/bin/* mr, @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/* mr,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-amd64/lib/** mr, @{lib}/jvm/java-[0-9]*-openjdk-amd64/lib/** mr,
/etc/java-[0-9]*-openjdk/** r, /etc/java-[0-9]*-openjdk/** r,
@ -163,19 +163,19 @@ profile hardinfo @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr, @{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, @{lib}/firefox/firefox rPUx,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
@ -185,7 +185,7 @@ profile hardinfo @{exec_path} {
profile kmod { profile kmod {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/kmod mr, @{bin}/kmod mr,
@{sys}/module/** r, @{sys}/module/** r,


@ -9,7 +9,7 @@
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/haveged @{exec_path} = @{bin}/haveged
profile haveged @{exec_path} { profile haveged @{exec_path} {
include <abstractions/base> include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/hciconfig @{exec_path} = @{bin}/hciconfig
profile hciconfig @{exec_path} { profile hciconfig @{exec_path} {
include <abstractions/base> include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/hddtemp @{exec_path} = @{bin}/hddtemp
profile hddtemp @{exec_path} { profile hddtemp @{exec_path} {
include <abstractions/base> include <abstractions/base>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/hdparm @{exec_path} = @{bin}/hdparm
profile hdparm @{exec_path} flags=(complain) { profile hdparm @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/hexchat @{exec_path} = @{bin}/hexchat
profile hexchat @{exec_path} { profile hexchat @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>
@ -31,8 +31,8 @@ profile hexchat @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# Hexchat plugins # Hexchat plugins
/{usr/,}lib/@{multiarch}/hexchat/** r, @{lib}/@{multiarch}/hexchat/** r,
/{usr/,}lib/@{multiarch}/hexchat/plugins/*.so mr, @{lib}/@{multiarch}/hexchat/plugins/*.so mr,
# Hexchat home files # Hexchat home files
owner @{HOME}/ r, owner @{HOME}/ r,
@ -45,7 +45,7 @@ profile hexchat @{exec_path} {
/etc/fstab r, /etc/fstab r,
# External apps # External apps
/{usr/,}lib/firefox/firefox rPUx, @{lib}/firefox/firefox rPUx,
# file_inherit # file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/{hostname,domainname,ypdomainname,nisdomainname,nisdomainname} @{exec_path} = @{bin}/{hostname,domainname,ypdomainname,nisdomainname,nisdomainname}
profile hostname @{exec_path} { profile hostname @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
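Review bot: The `@{exec_path}` alternation on the `hostname` attachment line lists `nisdomainname` twice; the duplicate was already in the old `/{usr/,}bin/` form and the new `@{bin}` form carries it over unchanged. A repeated member in a brace expansion is harmless to the matcher, but it reads as a typo and can hide an alias that was meant to be there instead. I'd write `@{exec_path} = @{bin}/{hostname,domainname,ypdomainname,nisdomainname}` and, if a further alias of the hostname binary should attach to this profile, add it explicitly. The profile body continues outside the hunk.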


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/htop @{exec_path} = @{bin}/htop
profile htop @{exec_path} { profile htop @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -25,7 +25,7 @@ profile htop @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/lsof rix, @{bin}/lsof rix,
/usr/share/terminfo/x/xterm-256color r, /usr/share/terminfo/x/xterm-256color r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/hugeadm @{exec_path} = @{bin}/hugeadm
profile hugeadm @{exec_path} { profile hugeadm @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/hugo @{exec_path} = @{bin}/hugo
profile hugo @{exec_path} { profile hugo @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -21,9 +21,9 @@ profile hugo @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/git rix, @{bin}/git rix,
/{usr/,}lib/go/bin/go rix, @{lib}/go/bin/go rix,
/{usr/,}lib/git-core/git-remote-http rix, @{lib}/git-core/git-remote-http rix,
/usr/share/git-core/{,**} r, /usr/share/git-core/{,**} r,
/usr/share/mime/{,**} r, /usr/share/mime/{,**} r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/hw-probe @{exec_path} = @{bin}/hw-probe
profile hw-probe @{exec_path} { profile hw-probe @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/perl> include <abstractions/perl>
@ -17,72 +17,72 @@ profile hw-probe @{exec_path} {
network inet6 dgram, network inet6 dgram,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, @{bin}/perl r,
/{usr/,}bin/pwd rix, @{bin}/pwd rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/sleep rix, @{bin}/sleep rix,
/{usr/,}bin/md5sum rix, @{bin}/md5sum rix,
/{usr/,}bin/uname rix, @{bin}/uname rix,
/{usr/,}bin/dd rix, @{bin}/dd rix,
/{usr/,}bin/tar rix, @{bin}/tar rix,
/{usr/,}bin/efivar rix, @{bin}/efivar rix,
/{usr/,}bin/efibootmgr rix, @{bin}/efibootmgr rix,
/{usr/,}bin/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
/{usr/,}bin/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
/{usr/,}{s,}bin/dkms rPx, @{bin}/acpi rPx,
/{usr/,}{s,}bin/fdisk rPx, @{bin}/amixer rPx,
/{usr/,}bin/upower rPx, @{bin}/aplay rPx,
/{usr/,}{s,}bin/hdparm rPx, @{bin}/biosdecode rPx,
/{usr/,}{s,}bin/smartctl rPx, @{bin}/cpuid rPx,
/{usr/,}bin/sensors rPx, @{bin}/cpupower rPx,
/{usr/,}bin/lsblk rPx, @{bin}/df rPx,
/{usr/,}bin/dmesg rPx, @{bin}/dkms rPx,
/{usr/,}bin/hciconfig rPx, @{bin}/dmesg rPx,
/{usr/,}bin/uptime rPx, @{bin}/dmidecode rPx,
/{usr/,}{s,}bin/rfkill rPx, @{bin}/edid-decode rPx,
/{usr/,}{s,}bin/biosdecode rPx, @{bin}/fdisk rPx,
/{usr/,}{s,}bin/dmidecode rPx, @{bin}/glxgears rPx,
/{usr/,}bin/edid-decode rPx, @{bin}/glxinfo rPx,
/{usr/,}bin/cpupower rPx, @{bin}/hciconfig rPx,
/{usr/,}bin/acpi rPx, @{bin}/hdparm rPx,
/{usr/,}bin/lspci rPx, @{bin}/hwinfo rPx,
/{usr/,}bin/lscpu rPx, @{bin}/i2cdetect rPx,
/{usr/,}bin/lsusb rPx, @{bin}/inxi rPx,
/{usr/,}bin/usb-devices rPx, @{bin}/lsblk rPx,
/{usr/,}{s,}bin/hwinfo rPx, @{bin}/lscpu rPx,
/{usr/,}bin/glxinfo rPx, @{bin}/lspci rPx,
/{usr/,}{s,}bin/i2cdetect rPx, @{bin}/lsusb rPx,
/{usr/,}bin/glxgears rPx, @{bin}/memtester rPx,
/{usr/,}{s,}bin/memtester rPx, @{bin}/rfkill rPx,
/{usr/,}bin/xrandr rPx, @{bin}/sensors rPx,
/{usr/,}bin/inxi rPx, @{bin}/smartctl rPx,
/{usr/,}bin/aplay rPx, @{bin}/upower rPx,
/{usr/,}bin/amixer rPx, @{bin}/uptime rPx,
/{usr/,}bin/xdpyinfo rPx, @{bin}/usb-devices rPx,
/{usr/,}bin/df rPx, @{bin}/xdpyinfo rPx,
/{usr/,}bin/cpuid rPx, @{bin}/xinput rPx,
/{usr/,}bin/xinput rPx, @{bin}/xrandr rPx,
/{usr/,}bin/systemctl rPx -> child-systemctl, @{bin}/systemctl rPx -> child-systemctl,
/{usr/,}bin/find rCx -> find, @{bin}/curl rCx -> curl,
/{usr/,}bin/journalctl rCx -> journalctl, @{bin}/ethtool rCx -> netconfig,
/{usr/,}bin/systemd-analyze rCx -> systemd-analyze, @{bin}/find rCx -> find,
/{usr/,}bin/killall rCx -> killall, @{bin}/ifconfig rCx -> netconfig,
/{usr/,}bin/udevadm rCx -> udevadm, @{bin}/iw rCx -> netconfig,
/{usr/,}bin/kmod rCx -> kmod, @{bin}/iwconfig rCx -> netconfig,
/{usr/,}{s,}bin/iw rCx -> netconfig, @{bin}/journalctl rCx -> journalctl,
/{usr/,}{s,}bin/ifconfig rCx -> netconfig, @{bin}/killall rCx -> killall,
/{usr/,}{s,}bin/iwconfig rCx -> netconfig, @{bin}/kmod rCx -> kmod,
/{usr/,}{s,}bin/ethtool rCx -> netconfig, @{bin}/systemd-analyze rCx -> systemd-analyze,
/{usr/,}bin/curl rCx -> curl, @{bin}/udevadm rCx -> udevadm,
owner /root/HW_PROBE/{,**} rw, owner /root/HW_PROBE/{,**} rw,
@ -117,7 +117,7 @@ profile hw-probe @{exec_path} {
capability dac_read_search, capability dac_read_search,
/{usr/,}bin/find mr, @{bin}/find mr,
/dev/{,**} r, /dev/{,**} r,
@ -128,7 +128,7 @@ profile hw-probe @{exec_path} {
profile journalctl { profile journalctl {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/journalctl mr, @{bin}/journalctl mr,
@{run}/log/ rw, @{run}/log/ rw,
/{run,var}/log/journal/ rw, /{run,var}/log/journal/ rw,
@ -147,7 +147,7 @@ profile hw-probe @{exec_path} {
profile systemd-analyze { profile systemd-analyze {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/systemd-analyze mr, @{bin}/systemd-analyze mr,
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,
@ -162,7 +162,7 @@ profile hw-probe @{exec_path} {
ptrace (read), ptrace (read),
/{usr/,}bin/killall mr, @{bin}/killall mr,
# The /proc/ dir is needed to avoid the following error: # The /proc/ dir is needed to avoid the following error:
# /proc: Permission denied # /proc: Permission denied
@ -174,7 +174,7 @@ profile hw-probe @{exec_path} {
profile udevadm { profile udevadm {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/udevadm mr, @{bin}/udevadm mr,
/etc/udev/udev.conf r, /etc/udev/udev.conf r,
@ -196,7 +196,7 @@ profile hw-probe @{exec_path} {
profile kmod { profile kmod {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/kmod mr, @{bin}/kmod mr,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/modules r, @{PROC}/modules r,
@ -221,10 +221,10 @@ profile hw-probe @{exec_path} {
network appletalk dgram, network appletalk dgram,
network netlink raw, network netlink raw,
/{usr/,}{s,}bin/iw mr, @{bin}/iw mr,
/{usr/,}{s,}bin/ifconfig mr, @{bin}/ifconfig mr,
/{usr/,}{s,}bin/iwconfig mr, @{bin}/iwconfig mr,
/{usr/,}{s,}bin/ethtool mr, @{bin}/ethtool mr,
owner @{PROC}/@{pid}/net/if_inet6 r, owner @{PROC}/@{pid}/net/if_inet6 r,
owner @{PROC}/@{pid}/net/dev r, owner @{PROC}/@{pid}/net/dev r,
@ -237,7 +237,7 @@ profile hw-probe @{exec_path} {
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
/{usr/,}bin/curl mr, @{bin}/curl mr,
} }


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/hwinfo @{exec_path} = @{bin}/hwinfo
profile hwinfo @{exec_path} { profile hwinfo @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/disks-read> include <abstractions/disks-read>
@ -31,12 +31,12 @@ profile hwinfo @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/kmod rCx -> kmod, @{bin}/kmod rCx -> kmod,
/{usr/,}bin/udevadm rCx -> udevadm, @{bin}/udevadm rCx -> udevadm,
/{usr/,}{s,}bin/dmraid rPUx, @{bin}/dmraid rPUx,
@{PROC}/version r, @{PROC}/version r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@ -77,7 +77,7 @@ profile hwinfo @{exec_path} {
profile kmod { profile kmod {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/kmod mr, @{bin}/kmod mr,
/etc/modprobe.d/{,*.conf} r, /etc/modprobe.d/{,*.conf} r,
@ -94,7 +94,7 @@ profile hwinfo @{exec_path} {
profile udevadm { profile udevadm {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/udevadm mr, @{bin}/udevadm mr,
/etc/udev/udev.conf r, /etc/udev/udev.conf r,


@ -7,8 +7,8 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/hypnotix @{exec_path} = @{bin}/hypnotix
@{exec_path} += /{usr/,}lib/hypnotix/hypnotix.py @{exec_path} += @{lib}/hypnotix/hypnotix.py
profile hypnotix @{exec_path} { profile hypnotix @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio> include <abstractions/audio>
@ -36,17 +36,17 @@ profile hypnotix @{exec_path} {
network netlink raw, network netlink raw,
@{exec_path} rix, @{exec_path} rix,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/{usr/,}{s,}bin/ldconfig rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/ldconfig rix,
/{usr/,}bin/mkdir rix, @{bin}/mkdir rix,
/{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver, @{bin}/xdg-screensaver rCx -> xdg-screensaver,
/{usr/,}bin/youtube-dl rPUx, @{bin}/youtube-dl rPUx,
/{usr/,}bin/yt-dlp rPUx, @{bin}/yt-dlp rPUx,
/{usr/,}lib/firefox/firefox rPx, @{lib}/firefox/firefox rPx,
/usr/share/hypnotix/{,**} r, /usr/share/hypnotix/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
@ -69,22 +69,22 @@ profile hypnotix @{exec_path} {
/dev/ r, /dev/ r,
# Silencer # Silencer
deny /{usr/,}lib/hypnotix/** w, deny @{lib}/hypnotix/** w,
profile xdg-screensaver { profile xdg-screensaver {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
/{usr/,}bin/xdg-screensaver mr, @{bin}/xdg-screensaver mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/mv rix, @{bin}/mv rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
/{usr/,}bin/which{,.debianutils} rix, @{bin}/which{,.debianutils} rix,
/{usr/,}bin/xset rix, @{bin}/xset rix,
/{usr/,}bin/xautolock rix, @{bin}/xautolock rix,
/{usr/,}bin/dbus-send rix, @{bin}/dbus-send rix,
owner @{HOME}/.Xauthority r, owner @{HOME}/.Xauthority r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/i2cdetect @{exec_path} = @{bin}/i2cdetect
profile i2cdetect @{exec_path} { profile i2cdetect @{exec_path} {
include <abstractions/base> include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/i3lock @{exec_path} = @{bin}/i3lock
profile i3lock @{exec_path} { profile i3lock @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/fonts> include <abstractions/fonts>
@ -19,7 +19,7 @@ profile i3lock @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}sbin/unix_chkpwd rPx, @{bin}/unix_chkpwd rPx,
owner @{HOME}/.Xauthority r, owner @{HOME}/.Xauthority r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/i3lock-fancy @{exec_path} = @{bin}/i3lock-fancy
profile i3lock-fancy @{exec_path} { profile i3lock-fancy @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -14,22 +14,22 @@ profile i3lock-fancy @{exec_path} {
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/fc-match rix, @{bin}/fc-match rix,
/{usr/,}bin/getopt rix, @{bin}/getopt rix,
/{usr/,}bin/mktemp rix, @{bin}/mktemp rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
/{usr/,}bin/env rix, @{bin}/env rix,
/{usr/,}bin/i3lock rPx, @{bin}/i3lock rPx,
/{usr/,}bin/xrandr rPx, @{bin}/xrandr rPx,
/{usr/,}bin/convert-im6.q16 rCx -> imagemagic, @{bin}/convert-im6.q16 rCx -> imagemagic,
/{usr/,}bin/import-im6.q16 rCx -> imagemagic, @{bin}/import-im6.q16 rCx -> imagemagic,
/{usr/,}bin/scrot rCx -> imagemagic, @{bin}/scrot rCx -> imagemagic,
owner /tmp/tmp.*.png rw, owner /tmp/tmp.*.png rw,
owner /tmp/tmp.* rw, owner /tmp/tmp.* rw,
@ -46,9 +46,9 @@ profile i3lock-fancy @{exec_path} {
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
/{usr/,}bin/convert-im6.q16 mr, @{bin}/convert-im6.q16 mr,
/{usr/,}bin/import-im6.q16 mr, @{bin}/import-im6.q16 mr,
/{usr/,}bin/scrot mr, @{bin}/scrot mr,
/usr/share/ImageMagick-[0-9]/*.xml r, /usr/share/ImageMagick-[0-9]/*.xml r,
/etc/ImageMagick-[0-9]/*.xml r, /etc/ImageMagick-[0-9]/*.xml r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/id @{exec_path} = @{bin}/id
profile id @{exec_path} { profile id @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/ifconfig @{exec_path} = @{bin}/ifconfig
profile ifconfig @{exec_path} { profile ifconfig @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/{ifup,ifdown,ifquery} @{exec_path} = @{bin}/{ifup,ifdown,ifquery}
profile ifup @{exec_path} { profile ifup @{exec_path} {
include <abstractions/base> include <abstractions/base>
@ -18,21 +18,21 @@ profile ifup @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}{s,}bin/route rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/ip rix,
/{usr/,}bin/ip rix, @{bin}/route rix,
/{usr/,}bin/seq rix, @{bin}/seq rix,
/{usr/,}bin/sleep rix, @{bin}/sleep rix,
/{usr/,}bin/wc rix, @{bin}/wc rix,
/{usr/,}{s,}bin/dhclient rPx, @{bin}/dhclient rPx,
/{usr/,}bin/macchanger rPx, @{bin}/macchanger rPx,
/{usr/,}lib/ifupdown/*.sh rix, @{lib}/ifupdown/*.sh rix,
/{usr/,}bin/run-parts rCx -> run-parts, @{bin}/run-parts rCx -> run-parts,
/{usr/,}bin/kmod rCx -> kmod, @{bin}/kmod rCx -> kmod,
/{usr/,}{s,}bin/sysctl rCx -> sysctl, @{bin}/sysctl rCx -> sysctl,
/etc/network/interfaces r, /etc/network/interfaces r,
/etc/network/interfaces.d/{,*} r, /etc/network/interfaces.d/{,*} r,
@ -50,9 +50,9 @@ profile ifup @{exec_path} {
profile run-parts { profile run-parts {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/run-parts mr, @{bin}/run-parts mr,
/{usr/,}lib/bridge-utils/ifupdown.sh rPUx, @{lib}/bridge-utils/ifupdown.sh rPUx,
/etc/network/if-down.d/ r, /etc/network/if-down.d/ r,
/etc/network/if-down.d/resolvconf rPUx, /etc/network/if-down.d/resolvconf rPUx,
@ -95,7 +95,7 @@ profile ifup @{exec_path} {
profile kmod { profile kmod {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/kmod mr, @{bin}/kmod mr,
@{sys}/module/** r, @{sys}/module/** r,
@ -115,7 +115,7 @@ profile ifup @{exec_path} {
capability sys_admin, capability sys_admin,
# capability sys_resource, # capability sys_resource,
/{usr/,}{s,}bin/sysctl mr, @{bin}/sysctl mr,
@{PROC}/sys/ r, @{PROC}/sys/ r,
@{PROC}/sys/** r, @{PROC}/sys/** r,


@ -6,20 +6,20 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/im-launch @{exec_path} = @{bin}/im-launch
profile im-launch @{exec_path} { profile im-launch @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/gnome-session rix, @{bin}/gnome-session rix,
/{usr/,}bin/env rix, @{bin}/env rix,
/{usr/,}bin/locale rix, @{bin}/locale rix,
/{usr/,}bin/gettext{,.sh} rix, @{bin}/gettext{,.sh} rix,
/{usr/,}bin/true rix, @{bin}/true rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
/{usr/,}bin/dpkg-query rpx, @{bin}/dpkg-query rpx,
/usr/share/im-config/{,**} r, /usr/share/im-config/{,**} r,
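Review bot: `@{bin}/dpkg-query rpx,` in the im-launch hunk keeps the lowercase `px` transition, which executes under the target profile without scrubbing the environment, whereas the rest of this commit uses the scrubbing `Px` form for the same kind of call (hw-probe has `@{bin}/dpkg rPx -> child-dpkg,`). Unless im-launch deliberately needs its environment passed through to dpkg-query, this looks like an inherited typo rather than a choice, and the variable rewrite was the natural moment to fix it. I'd change the line to `@{bin}/dpkg-query rPx,` (or `rPx -> child-dpkg,` if that child profile's attachment covers dpkg-query; its definition is not visible on this page). The im-launch profile continues outside the hunk.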


@ -11,17 +11,17 @@ profile initd-kexec @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/cat rix, @{bin}/cat rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/tput rix, @{bin}/tput rix,
/{usr/,}bin/echo rix, @{bin}/echo rix,
/{usr/,}{s,}bin/kexec rPx, @{bin}/kexec rPx,
/{usr/,}bin/run-parts rCx -> run-parts, @{bin}/run-parts rCx -> run-parts,
/{usr/,}bin/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,
/etc/default/kexec r, /etc/default/kexec r,
@ -30,7 +30,7 @@ profile initd-kexec @{exec_path} {
profile run-parts { profile run-parts {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/run-parts mr, @{bin}/run-parts mr,
/etc/default/kexec.d/ r, /etc/default/kexec.d/ r,
@ -43,9 +43,9 @@ profile initd-kexec @{exec_path} {
ptrace (read), ptrace (read),
/{usr/,}bin/systemctl mr, @{bin}/systemctl mr,
/{usr/,}bin/systemd-tty-ask-password-agent rix, @{bin}/systemd-tty-ask-password-agent rix,
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,


@ -11,23 +11,23 @@ profile initd-kexec-load @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
/{usr/,}bin/cat rix, @{bin}/cat rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/cut rix, @{bin}/cut rix,
/{usr/,}bin/tail rix, @{bin}/tail rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
/{usr/,}bin/head rix, @{bin}/head rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/tput rix, @{bin}/tput rix,
/{usr/,}{s,}bin/kexec rPx, @{bin}/kexec rPx,
/{usr/,}bin/run-parts rCx -> run-parts, @{bin}/run-parts rCx -> run-parts,
/{usr/,}bin/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,
/no-kexec-reboot rw, /no-kexec-reboot rw,
@ -43,7 +43,7 @@ profile initd-kexec-load @{exec_path} {
profile run-parts { profile run-parts {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/run-parts mr, @{bin}/run-parts mr,
/etc/default/kexec.d/ r, /etc/default/kexec.d/ r,
@ -57,9 +57,9 @@ profile initd-kexec-load @{exec_path} {
ptrace (read), ptrace (read),
/{usr/,}bin/systemctl mr, @{bin}/systemctl mr,
/{usr/,}bin/systemd-tty-ask-password-agent rix, @{bin}/systemd-tty-ask-password-agent rix,
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,


@ -11,18 +11,18 @@ profile initd-kmod @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/tput rix, @{bin}/tput rix,
/{usr/,}bin/id rix, @{bin}/id rix,
/{usr/,}bin/echo rix, @{bin}/echo rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
/{usr/,}bin/kmod rPx, @{bin}/kmod rPx,
/{usr/,}bin/run-parts rCx -> run-parts, @{bin}/run-parts rCx -> run-parts,
/{usr/,}bin/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,
/etc/modules-load.d/*.conf r, /etc/modules-load.d/*.conf r,
/etc/modules r, /etc/modules r,
@ -31,7 +31,7 @@ profile initd-kmod @{exec_path} {
profile run-parts { profile run-parts {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/run-parts mr, @{bin}/run-parts mr,
/etc/modules-load.d/ r, /etc/modules-load.d/ r,
@ -44,9 +44,9 @@ profile initd-kmod @{exec_path} {
ptrace (read), ptrace (read),
/{usr/,}bin/systemctl mr, @{bin}/systemctl mr,
/{usr/,}bin/systemd-tty-ask-password-agent rix, @{bin}/systemd-tty-ask-password-agent rix,
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/install-catalog @{exec_path} = @{bin}/install-catalog
profile install-catalog @{exec_path} { profile install-catalog @{exec_path} {
include <abstractions/base> include <abstractions/base>
@ -14,12 +14,12 @@ profile install-catalog @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba}sh rix, @{bin}/{,ba}sh rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
/{usr/,}bin/grep rix, @{bin}/grep rix,
/{usr/,}bin/mv rix, @{bin}/mv rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
/etc/sgml/catalog{,.new} rw, /etc/sgml/catalog{,.new} rw,
/etc/sgml/sgml-docbook.cat{,.new} rw, /etc/sgml/sgml-docbook.cat{,.new} rw,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/install-info @{exec_path} = @{bin}/install-info
profile install-info @{exec_path} { profile install-info @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -15,8 +15,8 @@ profile install-info @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/gzip rix, @{bin}/gzip rix,
/usr/share/info/{,**} r, /usr/share/info/{,**} r,
/usr/share/info/dir rw, /usr/share/info/dir rw,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/install-printerdriver @{exec_path} = @{bin}/install-printerdriver
@{exec_path} += /usr/share/system-config-printer/install-printerdriver.py @{exec_path} += /usr/share/system-config-printer/install-printerdriver.py
profile install-printerdriver @{exec_path} flags=(complain) { profile install-printerdriver @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
@ -14,8 +14,8 @@ profile install-printerdriver @{exec_path} flags=(complain) {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/usr/share/system-config-printer/{,**} r, /usr/share/system-config-printer/{,**} r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/inxi @{exec_path} = @{bin}/inxi
profile inxi @{exec_path} { profile inxi @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -20,52 +20,52 @@ profile inxi @{exec_path} {
network netlink raw, network netlink raw,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, @{bin}/perl r,
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/zsh rix, @{bin}/zsh rix,
/{usr/,}bin/tty rix, @{bin}/tty rix,
/{usr/,}bin/tput rix, @{bin}/tput rix,
/{usr/,}bin/getconf rix, @{bin}/getconf rix,
/{usr/,}bin/file rix, @{bin}/file rix,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix, @{lib}/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/ip rCx -> ip, @{bin}/ip rCx -> ip,
/{usr/,}lib/systemd/systemd rCx -> systemd, @{lib}/systemd/systemd rCx -> systemd,
/{usr/,}bin/kmod rCx -> kmod, @{bin}/kmod rCx -> kmod,
/{usr/,}bin/udevadm rCx -> udevadm, @{bin}/udevadm rCx -> udevadm,
/{usr/,}bin/systemctl rPx -> child-systemctl, @{bin}/systemctl rPx -> child-systemctl,
# Do not strip env to avoid errors like the following: # Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored. # shared object file): ignored.
/{usr/,}bin/dpkg-query rpx, @{bin}/dpkg-query rpx,
/{usr/,}bin/compton rPx, @{bin}/blockdev rPx,
/{usr/,}bin/xrandr rPx, @{bin}/compton rPx,
/{usr/,}bin/glxinfo rPx, @{bin}/df rPx,
/{usr/,}bin/lspci rPx, @{bin}/dig rPx,
/{usr/,}bin/lsusb rPx, @{bin}/dmidecode rPx,
/{usr/,}bin/lsblk rPx, @{bin}/glxinfo rPx,
/{usr/,}bin/sensors rPx, @{bin}/hddtemp rPx,
/{usr/,}bin/uptime rPx, @{bin}/lsblk rPx,
/{usr/,}{s,}bin/dmidecode rPx, @{bin}/lspci rPx,
/{usr/,}bin/xdpyinfo rPx, @{bin}/lsusb rPx,
/{usr/,}bin/who rPx, @{bin}/openbox rPx,
/{usr/,}bin/xprop rPx, @{bin}/ps rPx,
/{usr/,}bin/df rPx, @{bin}/sensors rPx,
/{usr/,}{s,}bin/blockdev rPx, @{bin}/smartctl rPx,
/{usr/,}bin/dig rPx, @{bin}/sudo rPx,
/{usr/,}bin/ps rPx, @{bin}/uptime rPx,
/{usr/,}bin/sudo rPx, @{bin}/who rPx,
/{usr/,}bin/openbox rPx, @{bin}/xdpyinfo rPx,
/{usr/,}bin/xset rPx, @{bin}/xprop rPx,
/{usr/,}{s,}bin/smartctl rPx, @{bin}/xrandr rPx,
/{usr/,}{s,}bin/hddtemp rPx, @{bin}/xset rPx,
/etc/ r, /etc/ r,
/etc/inxi.conf r, /etc/inxi.conf r,
@ -118,7 +118,7 @@ profile inxi @{exec_path} {
network netlink raw, network netlink raw,
/{usr/,}bin/ip mr, @{bin}/ip mr,
@{sys}/devices/pci[0-9]*/**/net/*/{duplex,address,speed,operstate} r, @{sys}/devices/pci[0-9]*/**/net/*/{duplex,address,speed,operstate} r,
@ -129,7 +129,7 @@ profile inxi @{exec_path} {
profile systemd { profile systemd {
include <abstractions/base> include <abstractions/base>
/{usr/,}lib/systemd/systemd mr, @{lib}/systemd/systemd mr,
/etc/systemd/user.conf r, /etc/systemd/user.conf r,
@ -143,7 +143,7 @@ profile inxi @{exec_path} {
profile udevadm { profile udevadm {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/udevadm mr, @{bin}/udevadm mr,
/etc/udev/udev.conf r, /etc/udev/udev.conf r,
@ -161,7 +161,7 @@ profile inxi @{exec_path} {
profile kmod { profile kmod {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/kmod mr, @{bin}/kmod mr,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/modules r, @{PROC}/modules r,
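Review bot: The `rPx` list from `@{bin}/blockdev rPx` to `@{bin}/xset rPx` is alphabetised in the same hunk that performs the `@{bin}` substitution, so the side-by-side view pairs unrelated entries (`/{usr/,}bin/compton` against `@{bin}/blockdev`) and the substitution can no longer be checked line by line. I compared the two sides and both contain the same 22 targets, so nothing is dropped or added here; the kmod, kodi and lightdm sections later in this commit reorder in the same way and also keep their sets intact. Doing the reordering in a separate commit would keep a mechanical refactor reviewable as a pure rename.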


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/ioping @{exec_path} = @{bin}/ioping
profile ioping @{exec_path} { profile ioping @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/disks-read> include <abstractions/disks-read>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/iotop @{exec_path} = @{bin}/iotop
profile iotop @{exec_path} { profile iotop @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/python> include <abstractions/python>
@ -19,11 +19,11 @@ profile iotop @{exec_path} {
capability sys_nice, capability sys_nice,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/{usr/,}bin/file rix, @{bin}/file rix,
/{usr/,}{s,}bin/ r, @{bin}/ r,
@{PROC}/ r, @{PROC}/ r,
@{PROC}/vmstat r, @{PROC}/vmstat r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/ip @{exec_path} = @{bin}/ip
profile ip @{exec_path} flags=(attach_disconnected) { profile ip @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>


@ -6,13 +6,13 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/ipcalc @{exec_path} = @{bin}/ipcalc
profile ipcalc @{exec_path} { profile ipcalc @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/perl> include <abstractions/perl>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, @{bin}/perl r,
include if exists <local/ipcalc> include if exists <local/ipcalc>
} }


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/irqbalance @{exec_path} = @{bin}/irqbalance
profile irqbalance @{exec_path} { profile irqbalance @{exec_path} {
include <abstractions/base> include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/iw @{exec_path} = @{bin}/iw
profile iw @{exec_path} { profile iw @{exec_path} {
include <abstractions/base> include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/iwconfig @{exec_path} = @{bin}/iwconfig
profile iwconfig @{exec_path} { profile iwconfig @{exec_path} {
include <abstractions/base> include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/iwlist @{exec_path} = @{bin}/iwlist
profile iwlist @{exec_path} { profile iwlist @{exec_path} {
include <abstractions/base> include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/jami-gnome @{exec_path} = @{bin}/jami-gnome
profile jami-gnome @{exec_path} { profile jami-gnome @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/dconf-write>
@ -38,8 +38,8 @@ profile jami-gnome @{exec_path} {
owner @{HOME}/.local/share/webkitgtk/databases/indexeddb/v0 w, owner @{HOME}/.local/share/webkitgtk/databases/indexeddb/v0 w,
owner @{HOME}/.local/share/webkitgtk/databases/indexeddb/v1/ w, owner @{HOME}/.local/share/webkitgtk/databases/indexeddb/v1/ w,
/{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix, @{lib}/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix,
/{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix, @{lib}/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix,
/usr/share/ring/{,**} r, /usr/share/ring/{,**} r,
/usr/share/sounds/jami-gnome/{,**} r, /usr/share/sounds/jami-gnome/{,**} r,


@ -20,24 +20,24 @@ profile jdownloader @{exec_path} {
@{exec_path} rix, @{exec_path} rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
/{usr/,}bin/dirname rix, @{bin}/dirname rix,
/{usr/,}bin/expr rix, @{bin}/expr rix,
/{usr/,}bin/cut rix, @{bin}/cut rix,
/{usr/,}bin/ls rix, @{bin}/ls rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
/{usr/,}bin/find rix, @{bin}/find rix,
/{usr/,}bin/sed rix, @{bin}/sed rix,
/{usr/,}bin/chmod rix, @{bin}/chmod rix,
/{usr/,}bin/ffmpeg rPx, @{bin}/ffmpeg rPx,
# These are needed when the above tools are in some nonstandard locations # These are needed when the above tools are in some nonstandard locations
#/{usr/,}bin/which{,.debianutils} rix, #@{bin}/which{,.debianutils} rix,
#/usr/ r, #/usr/ r,
#/usr/local/ r, #/usr/local/ r,
#/{usr/,}bin/ r, #@{bin}/ r,
#/{usr/,}lib/ r, #@{lib}/ r,
deny /opt/ r, deny /opt/ r,
@ -86,35 +86,35 @@ profile jdownloader @{exec_path} {
deny @{PROC}/asound/version r, deny @{PROC}/asound/version r,
# For Reconnect -> Share Settings/Get Route # For Reconnect -> Share Settings/Get Route
#/{usr/,}bin/netstat rix, #@{bin}/netstat rix,
#/{usr/,}{s,}bin/route rix, #@{bin}/route rix,
#/{usr/,}bin/ping rix, #@{bin}/ping rix,
#/{usr/,}bin/ip rix, #@{bin}/ip rix,
#@{PROC}/@{pid}/net/route r, #@{PROC}/@{pid}/net/route r,
# To open a web browser for CAPTCHA # To open a web browser for CAPTCHA
/{usr/,}bin/xdg-open rCx -> open, @{bin}/xdg-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
profile open { profile open {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr, @{bin}/xdg-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/readlink rix, @{bin}/readlink rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, @{lib}/firefox/firefox rPUx,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,


@ -7,18 +7,18 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/jekyll @{exec_path} = @{bin}/jekyll
profile jekyll @{exec_path} { profile jekyll @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/ruby> include <abstractions/ruby>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/ruby[0-9].[0-9]* rix, @{bin}/ruby[0-9].[0-9]* rix,
/{usr/,}lib/ruby/gems/*/specifications/ r, @{lib}/ruby/gems/*/specifications/ r,
/{usr/,}lib/ruby/gems/*/specifications/** r, @{lib}/ruby/gems/*/specifications/** r,
/{usr/,}lib/ruby/gems/*/specifications/**.gemspec rwk, @{lib}/ruby/gems/*/specifications/**.gemspec rwk,
/usr/share/rubygems-integration/*/specifications/ r, /usr/share/rubygems-integration/*/specifications/ r,
/usr/share/rubygems-integration/*/specifications/*.gemspec rwk, /usr/share/rubygems-integration/*/specifications/*.gemspec rwk,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/jgmenu{,_run} @{exec_path} = @{bin}/jgmenu{,_run}
profile jgmenu @{exec_path} { profile jgmenu @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -19,14 +19,14 @@ profile jgmenu @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/zsh rix, @{bin}/zsh rix,
/{usr/,}bin/mkdir rix, @{bin}/mkdir rix,
/{usr/,}bin/find rix, @{bin}/find rix,
/{usr/,}bin/wc rix, @{bin}/wc rix,
/{usr/,}bin/cat rix, @{bin}/cat rix,
/{usr/,}lib/jgmenu/jgmenu-* rix, @{lib}/jgmenu/jgmenu-* rix,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{HOME}/.jgmenu-lockfile rwk, owner @{HOME}/.jgmenu-lockfile rwk,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/jmtpfs @{exec_path} = @{bin}/jmtpfs
profile jmtpfs @{exec_path} { profile jmtpfs @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/devices-usb> include <abstractions/devices-usb>
@ -15,7 +15,7 @@ profile jmtpfs @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/fusermount{,3} rCx -> fusermount, @{bin}/fusermount{,3} rCx -> fusermount,
owner /tmp/tmp* rw, owner /tmp/tmp* rw,
owner /tmp/#[0-9]* rw, owner /tmp/#[0-9]* rw,
@ -45,7 +45,7 @@ profile jmtpfs @{exec_path} {
# #
capability dac_read_search, capability dac_read_search,
/{usr/,}bin/fusermount{,3} mr, @{bin}/fusermount{,3} mr,
mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/, mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/,
mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/, mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/kanyremote @{exec_path} = @{bin}/kanyremote
profile kanyremote @{exec_path} { profile kanyremote @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -27,34 +27,34 @@ profile kanyremote @{exec_path} {
network inet6 stream, network inet6 stream,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/ r, @{bin}/ r,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
/{usr/,}bin/cut rix, @{bin}/cut rix,
/{usr/,}bin/id rix, @{bin}/id rix,
/{usr/,}bin/which{,.debianutils} rix, @{bin}/which{,.debianutils} rix,
/{usr/,}bin/tr rix, @{bin}/tr rix,
/{usr/,}bin/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
/{usr/,}bin/head rix, @{bin}/head rix,
/{usr/,}bin/find rix, @{bin}/find rix,
/{usr/,}bin/anyremote rPx, @{bin}/anyremote rPx,
/{usr/,}bin/ps rPx, @{bin}/ps rPx,
/{usr/,}bin/killall rCx -> killall, @{bin}/killall rCx -> killall,
/{usr/,}bin/pgrep rCx -> pgrep, @{bin}/pgrep rCx -> pgrep,
/{usr/,}bin/pacmd rPUx, @{bin}/pacmd rPUx,
/{usr/,}bin/pactl rPUx, @{bin}/pactl rPUx,
# Players # Players
/{usr/,}bin/smplayer rPUx, @{bin}/smplayer rPUx,
/{usr/,}bin/amarok rPUx, @{bin}/amarok rPUx,
/{usr/,}bin/vlc rPUx, @{bin}/vlc rPUx,
/{usr/,}bin/mpv rPUx, @{bin}/mpv rPUx,
/{usr/,}bin/strawberry rPUx, @{bin}/strawberry rPUx,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{HOME}/.anyRemote/{,*} rw, owner @{HOME}/.anyRemote/{,*} rw,
@ -91,7 +91,7 @@ profile kanyremote @{exec_path} {
ptrace (read), ptrace (read),
/{usr/,}bin/killall mr, @{bin}/killall mr,
# The /proc/ dir is needed to avoid the following error: # The /proc/ dir is needed to avoid the following error:
# /proc: Permission denied # /proc: Permission denied
@ -104,7 +104,7 @@ profile kanyremote @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
/{usr/,}bin/pgrep mr, @{bin}/pgrep mr,
# The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault. # The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.
@{PROC}/ r, @{PROC}/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/libexec/kcheckpass @{exec_path} = @{lib}/@{multiarch}/libexec/kcheckpass
profile kcheckpass @{exec_path} { profile kcheckpass @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -17,7 +17,7 @@ profile kcheckpass @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}{s,}bin/unix_chkpwd rPx, @{bin}/unix_chkpwd rPx,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,


@ -6,15 +6,15 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/kconfig-hardened-check @{exec_path} = @{bin}/kconfig-hardened-check
profile kconfig-hardened-check @{exec_path} { profile kconfig-hardened-check @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/python> include <abstractions/python>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
/{usr/,}bin/ r, @{bin}/ r,
# The usual kernel config locations # The usual kernel config locations


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/keepassxc @{exec_path} = @{bin}/keepassxc
profile keepassxc @{exec_path} { profile keepassxc @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/dconf-write>
@ -39,9 +39,9 @@ profile keepassxc @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
# Allowed apps to open # Allowed apps to open
/{usr/,}bin/geany rPUx, @{bin}/geany rPUx,
/{usr/,}bin/xdg-open rCx -> child-open, @{bin}/xdg-open rCx -> child-open,
/{usr/,}lib/firefox/firefox rPx, @{lib}/firefox/firefox rPx,
/usr/share/hwdata/pnp.ids r, /usr/share/hwdata/pnp.ids r,
/usr/share/keepassxc/{,**} r, /usr/share/keepassxc/{,**} r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/keepassxc-cli @{exec_path} = @{bin}/keepassxc-cli
profile keepassxc-cli @{exec_path} { profile keepassxc-cli @{exec_path} {
include <abstractions/base> include <abstractions/base>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/keepassxc-proxy @{exec_path} = @{bin}/keepassxc-proxy
profile keepassxc-proxy @{exec_path} { profile keepassxc-proxy @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>


@ -6,28 +6,28 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/kernel-install @{exec_path} = @{bin}/kernel-install
profile kernel-install @{exec_path} { profile kernel-install @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/mountpoint rix, @{bin}/mountpoint rix,
/{usr/,}bin/sort rix, @{bin}/sort rix,
/{usr/,}bin/rm rix, @{bin}/rm rix,
/{usr/,}bin/mkdir rix, @{bin}/mkdir rix,
/{usr/,}bin/cp rix, @{bin}/cp rix,
/{usr/,}bin/chown rix, @{bin}/chown rix,
/{usr/,}bin/chmod rix, @{bin}/chmod rix,
/{usr/,}bin/basename rix, @{bin}/basename rix,
/{usr/,}bin/kmod rCx -> kmod, @{bin}/kmod rCx -> kmod,
/{usr/,}lib/kernel/install.d/ r, @{lib}/kernel/install.d/ r,
/{usr/,}lib/kernel/install.d/[0-9][0-9]-*.install rix, @{lib}/kernel/install.d/[0-9][0-9]-*.install rix,
/etc/kernel/install.d/ r, /etc/kernel/install.d/ r,
/etc/kernel/install.d/*.install rix, /etc/kernel/install.d/*.install rix,
@ -41,10 +41,10 @@ profile kernel-install @{exec_path} {
owner /boot/loader/entries/ rw, owner /boot/loader/entries/ rw,
owner /boot/loader/entries/*.conf w, owner /boot/loader/entries/*.conf w,
/{usr/,}lib/modules/*/modules.* w, @{lib}/modules/*/modules.* w,
/etc/os-release r, /etc/os-release r,
/{usr/,}lib/os-release r, @{lib}/os-release r,
/etc/kernel/tries r, /etc/kernel/tries r,
@ -58,7 +58,7 @@ profile kernel-install @{exec_path} {
profile kmod flags=(complain) { profile kmod flags=(complain) {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/kmod mr, @{bin}/kmod mr,
} }


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/kerneloops @{exec_path} = @{bin}/kerneloops
profile kerneloops @{exec_path} { profile kerneloops @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/kerneloops-applet @{exec_path} = @{bin}/kerneloops-applet
profile kerneloops-applet @{exec_path} { profile kerneloops-applet @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/kexec @{exec_path} = @{bin}/kexec
profile kexec @{exec_path} flags=(complain) { profile kexec @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>


@ -7,8 +7,8 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/{kmod,lsmod} @{exec_path} = @{bin}/{kmod,lsmod}
@{exec_path} += /{usr/,}{s,}bin/{depmod,insmod,lsmod,rmmod,modinfo,modprobe} @{exec_path} += @{bin}/{depmod,insmod,lsmod,rmmod,modinfo,modprobe}
profile kmod @{exec_path} flags=(attach_disconnected) { profile kmod @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -25,15 +25,15 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}{s,}bin/sysctl rPx, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/basename rix,
/{usr/,}bin/basename rix, @{bin}/false rix,
/{usr/,}bin/false rix, @{bin}/id rix,
/{usr/,}bin/id rix, @{bin}/sysctl rPx,
/{usr/,}bin/true rix, @{bin}/true rix,
/{usr/,}lib/modprobe.d/{,*.conf} r, @{lib}/modprobe.d/{,*.conf} r,
/{usr/,}lib/modules/*/modules.* rw, @{lib}/modules/*/modules.* rw,
/etc/depmod.d/{,**} r, /etc/depmod.d/{,**} r,
/etc/modprobe.d/{,*.conf} r, /etc/modprobe.d/{,*.conf} r,
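Review bot: `@{exec_path} = @{bin}/{kmod,lsmod}` followed by `@{exec_path} += @{bin}/{depmod,insmod,lsmod,rmmod,modinfo,modprobe}` now lists `lsmod` twice under the same prefix; the two-line split only carried information while the second line was anchored at `/{usr/,}{s,}bin/`. Folding them into a single line, `@{exec_path} = @{bin}/{kmod,depmod,insmod,lsmod,rmmod,modinfo,modprobe}`, yields the same attachment set for `profile kmod @{exec_path}` without the duplicate.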


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/kodi /{usr/,}lib/@{multiarch}/kodi/kodi.bin @{exec_path} = @{bin}/kodi @{lib}/@{multiarch}/kodi/kodi.bin
profile kodi @{exec_path} { profile kodi @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/X> include <abstractions/X>
@ -20,22 +20,22 @@ profile kodi @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}lib/@{multiarch}/kodi/kodi.bin mrix, @{lib}/@{multiarch}/kodi/kodi.bin mrix,
/{usr/,}lib/@{multiarch}/kodi/kodi-xrandr rPx, @{lib}/@{multiarch}/kodi/kodi-xrandr rPx,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/mv rix, @{bin}/basename rix,
/{usr/,}bin/find rix, @{bin}/cat rix,
/{usr/,}bin/date rix, @{bin}/cut rix,
/{usr/,}bin/uname rix, @{bin}/date rix,
/{usr/,}bin/basename rix, @{bin}/dirname rix,
/{usr/,}bin/cat rix, @{bin}/find rix,
/{usr/,}bin/cut rix, @{bin}/ldconfig rix,
/{usr/,}bin/dirname rix, @{bin}/mv rix,
/{usr/,}{s,}bin/ldconfig rix, @{bin}/uname rix,
/{usr/,}bin/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
/{usr/,}bin/df rCx -> df, @{bin}/df rCx -> df,
/usr/share/kodi/{,**} r, /usr/share/kodi/{,**} r,
@ -77,7 +77,7 @@ profile kodi @{exec_path} {
profile df { profile df {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/df mr, @{bin}/df mr,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/kodi/kodi-xrandr @{exec_path} = @{lib}/@{multiarch}/kodi/kodi-xrandr
profile kodi-xrandr @{exec_path} { profile kodi-xrandr @{exec_path} {
include <abstractions/base> include <abstractions/base>


@ -6,20 +6,20 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/kvm-ok @{exec_path} = @{bin}/kvm-ok
profile kvm-ok @{exec_path} { profile kvm-ok @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/uname rix, @{bin}/uname rix,
/{usr/,}bin/{,e}grep rix, @{bin}/{,e}grep rix,
/{usr/,}bin/id rix, @{bin}/id rix,
/{usr/,}bin/kmod rCx -> kmod, @{bin}/kmod rCx -> kmod,
/{usr/,}{s,}bin/rdmsr rPx, @{bin}/rdmsr rPx,
#/proc/cpuinfo r, #/proc/cpuinfo r,
#/dev/kvm r, #/dev/kvm r,
@ -32,12 +32,12 @@ profile kvm-ok @{exec_path} {
profile kmod { profile kmod {
include <abstractions/base> include <abstractions/base>
/{usr/,}bin/kmod mr, @{bin}/kmod mr,
/etc/modprobe.d/ r, /etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r, /etc/modprobe.d/*.conf r,
/{usr/,}lib/modprobe.d/ r, @{lib}/modprobe.d/ r,
/{usr/,}lib/modprobe.d/*.conf r, @{lib}/modprobe.d/*.conf r,
@{PROC}/cmdline r, @{PROC}/cmdline r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/labwc @{exec_path} = @{bin}/labwc
profile labwc @{exec_path} flags=(attach_disconnected) { profile labwc @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@ -26,9 +26,8 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
# Apps allowed to run # Apps allowed to run
/{usr/,}{s,}bin/* rPUx, @{bin}/* rPUx,
/{usr/,}bin/* rPUx, @{lib}/* rPUx,
@{libexec}/* rPUx,
/usr/share/libinput/ r, /usr/share/libinput/ r,
/usr/share/libinput/*.quirks r, /usr/share/libinput/*.quirks r,
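Review bot: `@{lib}/* rPUx` replaces `@{libexec}/* rPUx` (the removed line with no new-side counterpart) rather than renaming a prefix, so this hunk changes which executables labwc may launch with fallback to unconfined. Because `*` does not cross `/`, direct children of the libexec directories stay matched only if `@{lib}` expands to include them; lightdm's `at-spi-bus-launcher` rule later in this commit makes the same `@{libexec}` to `@{lib}` swap, so this looks intended, but it should be confirmed against the tunable definition, since otherwise helpers launched from libexec are now denied. If it does cover them, a wildcard `rPUx` under the library roots is a broad unconfined fallback and deserves a comment next to `# Apps allowed to run`, e.g. `# @{lib} covers libexec; PUx fallback is intentional for launching arbitrary desktop apps`.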


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/landscape-sysinfo @{exec_path} = @{bin}/landscape-sysinfo
profile landscape-sysinfo @{exec_path} { profile landscape-sysinfo @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -25,7 +25,7 @@ profile landscape-sysinfo @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/who rix, @{bin}/who rix,
/var/log/landscape/{,**} rw, /var/log/landscape/{,**} rw,


@ -12,14 +12,14 @@ profile landscape-sysinfo.wrapper @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/bc rix, @{bin}/bc rix,
/{usr/,}bin/cat rix, @{bin}/cat rix,
/{usr/,}bin/cut rix, @{bin}/cut rix,
/{usr/,}bin/date rix, @{bin}/date rix,
/{usr/,}bin/find rix, @{bin}/find rix,
/{usr/,}bin/grep rix, @{bin}/grep rix,
/{usr/,}bin/landscape-sysinfo rPx, @{bin}/landscape-sysinfo rPx,
/ r, / r,
/etc/default/locale r, /etc/default/locale r,


@ -14,9 +14,9 @@ profile language-validate @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}bin/grep rix, @{bin}/grep rix,
/{usr/,}bin/locale rix, @{bin}/locale rix,
/usr/share/locale-langpack/{,*} r, /usr/share/locale-langpack/{,*} r,
/usr/share/language-tools/{,*} r, /usr/share/language-tools/{,*} r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/last{,b} @{exec_path} = @{bin}/last{,b}
profile last @{exec_path} { profile last @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/lastlog @{exec_path} = @{bin}/lastlog
profile lastlog @{exec_path} { profile lastlog @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/light @{exec_path} = @{bin}/light
profile light @{exec_path} { profile light @{exec_path} {
include <abstractions/base> include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/light-locker @{exec_path} = @{bin}/light-locker
profile light-locker @{exec_path} { profile light-locker @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/dconf-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/light-locker-command @{exec_path} = @{bin}/light-locker-command
profile light-locker-command @{exec_path} { profile light-locker-command @{exec_path} {
include <abstractions/base> include <abstractions/base>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/lightdm @{exec_path} = @{bin}/lightdm
profile lightdm @{exec_path} { profile lightdm @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/X> include <abstractions/X>
@ -64,16 +64,16 @@ profile lightdm @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/plymouth mrix, @{bin}/plymouth mrix,
/{usr/,}bin/Xorg rPx, @{bin}/lightdm-gtk-greeter rPx,
/{usr/,}{s,}bin/lightdm-gtk-greeter rPx, @{bin}/startx rPx,
/{usr/,}bin/startx rPx, @{bin}/Xorg rPx,
/etc/X11/Xsession rPUx, /etc/X11/Xsession rPUx,
/{usr/,}bin/gnome-keyring-daemon rPUx, @{bin}/gnome-keyring-daemon rPUx,
/{usr/,}bin/rm rix, @{bin}/rm rix,
# LightDM files # LightDM files
/usr/share/lightdm/{,**} r, /usr/share/lightdm/{,**} r,
@ -116,7 +116,7 @@ profile lightdm @{exec_path} {
owner @{HOME}/.dmrc* rw, owner @{HOME}/.dmrc* rw,
/var/cache/lightdm/dmrc/*.dmrc* rw, /var/cache/lightdm/dmrc/*.dmrc* rw,
@{libexec}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx, @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
include if exists <local/lightdm> include if exists <local/lightdm>
} }
