feat(profile): general update.
This commit is contained in:
parent
e616b9b3fc
commit
ffb189ef65
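--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -148,12 +148,13 @@
 @{sys}/bus/ r,
 @{sys}/bus/**/devices/ r,
 @{sys}/class/**/ r,
-@{sys}/devices/**/uevent r,
 @{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r,
 @{sys}/devices/@{pci}/boot_vga r,
 @{sys}/devices/@{pci}/report_descriptor r,
+@{sys}/devices/**/uevent r,
 @{sys}/devices/system/cpu/kernel_max r,
 @{sys}/devices/virtual/**/report_descriptor r,
+@{sys}/devices/virtual/tty/tty@{int}/active r,
 
 @{PROC}/ r,
 @{PROC}/@{pid}/fd/ r,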
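--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -169,7 +169,8 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 @{sys}/devices/virtual/dmi/id/product_name r,
 @{sys}/devices/virtual/dmi/id/product_version r,
 @{sys}/devices/virtual/tty/console/active r,
-@{sys}/fs/**/ r,
+@{sys}/fs/fuse/connections/ r,
+@{sys}/fs/pstore/ r,
 @{sys}/fs/cgroup/{,**} rw,
 @{sys}/kernel/**/ r,
 @{sys}/module/**/uevent r,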
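Review bot: The two rules replacing `@{sys}/fs/**/ r,` are inserted ahead of `@{sys}/fs/cgroup/{,**} rw,`, so the `fs/` entries are no longer alphabetical; if this profile is kept sorted, `@{sys}/fs/fuse/connections/ r,` and `@{sys}/fs/pstore/ r,` belong after the cgroup line. Dropping the `**/` directory glob for two explicit directories is a genuine narrowing: any other `@{sys}/fs/*/` listing systemd relied on under the old rule is now denied, so the audit log is worth watching once this lands. Both new rules grant only directory listing (`r` on a path ending in `/`), not reads of the files beneath; if pstore records themselves need to be read, that needs its own rule. The enclosing profile starts and ends outside this hunk.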
@ -23,6 +23,8 @@ profile pipewire-media-session @{exec_path} {
|
|||||||
network bluetooth stream,
|
network bluetooth stream,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
signal (receive) set=(cont term) peer=@{systemd_user},
|
||||||
|
|
||||||
dbus receive bus=session
|
dbus receive bus=session
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
member=Introspect
|
member=Introspect
|
||||||
|
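Review bot: The added `signal (receive) set=(cont term) peer=@{systemd_user},` omits `kill`, so if the user manager escalates to SIGKILL after its stop timeout that signal is denied and the service can linger in a stopping state; the tracker-miner hunk's existing `signal (receive) set=(term, kill) peer=gdm,` shows `kill` is mediated in this project, so confirm whether the convention for user services is `signal (receive) set=(cont term kill) peer=@{systemd_user},` and, if so, use that form. The identical rule is added in the tracker-extract and tracker-miner hunks and should be kept in step with whatever is decided here. The enclosing profile starts and ends outside this hunk.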
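--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -25,7 +25,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
 
 dbus send bus=system path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
-member={GetConnectionUnixProcessID,GetConnectionUnixUser}
+member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
 peer=(name=org.freedesktop.DBus, label=dbus-daemon),
 
 @{exec_path} mr,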
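--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -37,6 +37,10 @@ profile xdg-desktop-portal-gtk @{exec_path} {
 dbus receive bus=session path=/org/freedesktop/portal/desktop
 interface=org.freedesktop.impl.portal.Settings
 peer=(name=:*),
+dbus send bus=session path=/org/freedesktop/portal/desktop
+interface=org.freedesktop.impl.portal.Settings
+member=SettingChanged
+peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal),
 
 dbus send bus=session path=/org/gtk/Notifications
 interface=org.freedesktop.DBus.Properties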
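Review bot: The new `dbus send` block starts directly under the `peer=(name=:*),` line that closes the preceding `dbus receive` rule, with no blank line between them, while the rest of the profile separates rule blocks with a blank line (see the gap before the `/org/gtk/Notifications` rule); insert one so the two rules are not read as a single statement. A short comment would also help, since the peer here is the bus itself (`name=org.freedesktop.DBus`) paired with the receiver's label, which is the shape of a signal emission rather than a method call: `# Emit SettingChanged; delivered through the bus to xdg-desktop-portal`. That reading is inferred from the peer pairing and should be confirmed against the portal's behaviour. The enclosing profile starts and ends outside this hunk.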
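--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -25,6 +25,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
 
 network netlink raw,
 
+signal (receive) set=(cont term) peer=@{systemd_user},
 signal (receive) set=(term) peer=gdm,
 
 # dbus: own bus=session name=org.freedesktop.Tracker3.Miner.Extract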
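--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -25,6 +25,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
 
 network netlink raw,
 
+signal (receive) set=(cont term) peer=@{systemd_user},
 signal (receive) set=(term, kill) peer=gdm,
 signal (receive) set=(hup) peer=gdm-session-worker,
 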
@ -54,6 +54,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
ptrace (read,trace) peer=@{systemd},
|
ptrace (read,trace) peer=@{systemd},
|
||||||
|
|
||||||
|
unix (bind) type=stream addr=@@{hex}/bus/sshd/system,
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/login1
|
dbus send bus=system path=/org/freedesktop/login1
|
||||||
interface=org.freedesktop.login1.Manager
|
interface=org.freedesktop.login1.Manager
|
||||||
member={CreateSession,ReleaseSession,CreateSessionWithPIDFD}
|
member={CreateSession,ReleaseSession,CreateSessionWithPIDFD}
|
||||||
|
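Review bot: The abstract socket in `unix (bind) type=stream addr=@@{hex}/bus/sshd/system,` appears to encode the process comm and a bus description, and the same pattern is added in this commit to networkctl, systemd-hostnamed, systemd-logind, systemd-networkd, systemd-timedated, systemd-timesyncd, systemd-update-utmp, systemd-user-runtime-dir and snapd. Two of those deserve a second look: `@@{hex}/bus/systemd-update-/` and `@@{hex}/bus/systemctl/` end with an empty last component where every sibling has a description such as `system` or `bus-api-network`, and the snapd rule binds under the comm `systemctl` rather than `snapd`, which only holds if systemctl runs under the snapd label; both may well be copied from audit logs, but confirm them rather than assuming the naming scheme. The truncated names (`systemd-hostnam`, `systemd-timedat`, `systemd-timesyn`, `systemd-user-ru`, `systemd-update-`) are the 15-character comm limit and are expected, so a one-line comment on the first such rule, e.g. `# sd-bus abstract socket: @<hex>/bus/<comm, max 15 chars>/<description>`, would keep a future reader from "fixing" them. The enclosing profile starts and ends outside this hunk.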
@ -16,14 +16,16 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
|
|||||||
capability sys_module,
|
capability sys_module,
|
||||||
audit capability sys_resource,
|
audit capability sys_resource,
|
||||||
|
|
||||||
ptrace (read) peer=@{systemd},
|
|
||||||
|
|
||||||
signal send peer=child-pager,
|
|
||||||
|
|
||||||
network inet dgram,
|
network inet dgram,
|
||||||
network inet6 dgram,
|
network inet6 dgram,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
signal send peer=child-pager,
|
||||||
|
|
||||||
|
ptrace (read) peer=@{systemd},
|
||||||
|
|
||||||
|
unix (bind) type=stream addr=@@{hex}/bus/networkctl/system,
|
||||||
|
|
||||||
# dbus: talk bus=system name=org.freedesktop.network1 label=systemd-networkd
|
# dbus: talk bus=system name=org.freedesktop.network1 label=systemd-networkd
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
@ -16,6 +16,8 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
capability sys_admin, # To set a hostname
|
capability sys_admin, # To set a hostname
|
||||||
|
|
||||||
|
unix (bind) type=stream addr=@@{hex}/bus/systemd-hostnam/system,
|
||||||
|
|
||||||
# dbus: own bus=system name=org.freedesktop.hostname1
|
# dbus: own bus=system name=org.freedesktop.hostname1
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/DBus
|
dbus send bus=system path=/org/freedesktop/DBus
|
||||||
|
@ -29,6 +29,8 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
|
|||||||
|
|
||||||
# mqueue r type=posix /,
|
# mqueue r type=posix /,
|
||||||
|
|
||||||
|
unix (bind) type=stream addr=@@{hex}/bus/systemd-logind/system,
|
||||||
|
|
||||||
# dbus: own bus=system name=org.freedesktop.login1
|
# dbus: own bus=system name=org.freedesktop.login1
|
||||||
|
|
||||||
# dbus: talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"
|
# dbus: talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"
|
||||||
@ -131,10 +133,10 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
|
|||||||
@{PROC}/sysvipc/{shm,sem,msg} r,
|
@{PROC}/sysvipc/{shm,sem,msg} r,
|
||||||
owner @{PROC}/@{pid}/fdinfo/@{int} r,
|
owner @{PROC}/@{pid}/fdinfo/@{int} r,
|
||||||
|
|
||||||
/dev/dri/card@{int} rw,
|
/dev/dri/card@{int} rw,
|
||||||
/dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc)
|
/dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc)
|
||||||
/dev/mqueue/ r,
|
/dev/mqueue/ r,
|
||||||
/dev/tty@{int} rw,
|
/dev/tty@{int} rw,
|
||||||
owner /dev/shm/{,**/} rw,
|
owner /dev/shm/{,**/} rw,
|
||||||
|
|
||||||
include if exists <local/systemd-logind>
|
include if exists <local/systemd-logind>
|
||||||
|
@ -27,6 +27,8 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
|
|||||||
network packet dgram,
|
network packet dgram,
|
||||||
network packet raw,
|
network packet raw,
|
||||||
|
|
||||||
|
unix (bind) type=stream addr=@@{hex}/bus/systemd-network/bus-api-network,
|
||||||
|
|
||||||
# dbus: own bus=system name=org.freedesktop.network1
|
# dbus: own bus=system name=org.freedesktop.network1
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/hostname1
|
dbus send bus=system path=/org/freedesktop/hostname1
|
||||||
|
@ -15,6 +15,8 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
capability sys_time,
|
capability sys_time,
|
||||||
|
|
||||||
|
unix (bind) type=stream addr=@@{hex}/bus/systemd-timedat/system,
|
||||||
|
|
||||||
# dbus: own bus=system name=org.freedesktop.timedate1
|
# dbus: own bus=system name=org.freedesktop.timedate1
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/systemd1/unit/*
|
dbus send bus=system path=/org/freedesktop/systemd1/unit/*
|
||||||
|
@ -21,6 +21,8 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
|
|||||||
network inet stream,
|
network inet stream,
|
||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
|
|
||||||
|
unix (bind) type=stream addr=@@{hex}/bus/systemd-timesyn/bus-api-timesync,
|
||||||
|
|
||||||
# dbus: own bus=system name=org.freedesktop.timesync1
|
# dbus: own bus=system name=org.freedesktop.timesync1
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
@ -17,6 +17,8 @@ profile systemd-update-utmp @{exec_path} {
|
|||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
unix (bind) type=stream addr=@@{hex}/bus/systemd-update-/,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{run}/host/container-manager r,
|
@{run}/host/container-manager r,
|
||||||
|
@ -23,6 +23,8 @@ profile systemd-user-runtime-dir @{exec_path} {
|
|||||||
mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/,
|
mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/,
|
||||||
umount @{run}/user/@{uid}/,
|
umount @{run}/user/@{uid}/,
|
||||||
|
|
||||||
|
unix (bind) type=stream addr=@@{hex}/bus/systemd-user-ru/system,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
@ -23,9 +23,12 @@ profile lvm @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
ptrace (read),
|
ptrace (read),
|
||||||
|
|
||||||
|
# mqueue r type=posix /,
|
||||||
|
|
||||||
@{exec_path} rm,
|
@{exec_path} rm,
|
||||||
|
|
||||||
@{etc_rw}/lvm/** rwkl,
|
@{etc_rw}/lvm/** rwkl,
|
||||||
|
/etc/multipath.conf r,
|
||||||
|
|
||||||
@{run}/lock/ rw,
|
@{run}/lock/ rw,
|
||||||
@{run}/lock/lvm/ rw,
|
@{run}/lock/lvm/ rw,
|
||||||
|
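Review bot: The commented-out `# mqueue r type=posix /,` is added with no indication of why it is disabled, mirroring the identical commented line already present in the systemd-logind hunk; record the reason inline, e.g. `# mqueue r type=posix /, # disabled: <reason placeholder>`, or leave it out, since a dead rule tends to be re-enabled later without anyone knowing what it was waiting for. `/etc/multipath.conf r,` is a plain read of a system config file and raises nothing on its own. The enclosing profile starts and ends outside this hunk.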
@ -48,6 +48,8 @@ profile snapd @{exec_path} {
|
|||||||
ptrace (read) peer=snap,
|
ptrace (read) peer=snap,
|
||||||
ptrace (read) peer=@{systemd},
|
ptrace (read) peer=@{systemd},
|
||||||
|
|
||||||
|
unix (bind) type=stream addr=@@{hex}/bus/systemctl/,
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/
|
dbus send bus=system path=/org/freedesktop/
|
||||||
interface=org.freedesktop.login1.Manager
|
interface=org.freedesktop.login1.Manager
|
||||||
member={SetWallMessage,ScheduleShutdown}
|
member={SetWallMessage,ScheduleShutdown}
|
||||||
|
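--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -46,7 +46,7 @@
 @{user_lib_dirs}=@{HOME}/@{XDG_LIB_DIR}
 
 # User build directories and output
-@{user_build_dirs}="/tmp/"
+@{user_build_dirs}="/tmp/build/"
 @{user_pkg_dirs}="/tmp/pkg/"
 @{user_tmp_dirs}=@{run}/user/@{uid} /tmp/
 @{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}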
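Review bot: Narrowing `@{user_build_dirs}` from `/tmp/` to `/tmp/build/` reduces what build-related profiles may write, but `/tmp/build/` remains a fixed, predictable name inside a world-writable directory that any local user can create first, so profiles granting `rw` there are not isolated between users the way the `@{run}/user/@{uid}` part of `@{user_tmp_dirs}` is. A comment recording that trade-off, e.g. `# Fixed path shared by all users; per-user isolation is up to the build tool, not the profile`, would stop it being mistaken for a private directory. Note also that `@{user_tmp_dirs}` still lists `/tmp/`, so a profile that uses both variables gains nothing from this narrowing.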
@ -4,9 +4,11 @@
|
|||||||
|
|
||||||
# Define some paths for some commonly used programs
|
# Define some paths for some commonly used programs
|
||||||
|
|
||||||
# All the shells
|
# Default distribution shells
|
||||||
@{sh} = sh zsh bash dash
|
@{sh} = sh zsh bash dash
|
||||||
@{sh_path} = @{bin}/@{sh}
|
@{sh_path} = @{bin}/@{sh}
|
||||||
|
|
||||||
|
# All interactive shells users may want to use
|
||||||
@{shells} = sh zsh bash dash fish rbash ksh tcsh csh
|
@{shells} = sh zsh bash dash fish rbash ksh tcsh csh
|
||||||
@{shells_path} = @{bin}/@{shells}
|
@{shells_path} = @{bin}/@{shells}
|
||||||
|
|
||||||
|