feat(profile): general update.

This commit is contained in:
Alexandre Pujol 2024-02-29 00:32:40 +00:00
parent e616b9b3fc
commit ffb189ef65
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
20 changed files with 48 additions and 13 deletions


@ -148,12 +148,13 @@
@{sys}/bus/ r, @{sys}/bus/ r,
@{sys}/bus/**/devices/ r, @{sys}/bus/**/devices/ r,
@{sys}/class/**/ r, @{sys}/class/**/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r, @{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r,
@{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/@{pci}/boot_vga r,
@{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/@{pci}/report_descriptor r,
@{sys}/devices/**/uevent r,
@{sys}/devices/system/cpu/kernel_max r, @{sys}/devices/system/cpu/kernel_max r,
@{sys}/devices/virtual/**/report_descriptor r, @{sys}/devices/virtual/**/report_descriptor r,
@{sys}/devices/virtual/tty/tty@{int}/active r,
@{PROC}/ r, @{PROC}/ r,
@{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/fd/ r,


@ -169,7 +169,8 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
@{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/product_version r,
@{sys}/devices/virtual/tty/console/active r, @{sys}/devices/virtual/tty/console/active r,
@{sys}/fs/**/ r, @{sys}/fs/fuse/connections/ r,
@{sys}/fs/pstore/ r,
@{sys}/fs/cgroup/{,**} rw, @{sys}/fs/cgroup/{,**} rw,
@{sys}/kernel/**/ r, @{sys}/kernel/**/ r,
@{sys}/module/**/uevent r, @{sys}/module/**/uevent r,
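Review bot: Replacing `@{sys}/fs/**/ r,` with `@{sys}/fs/fuse/connections/ r,` and `@{sys}/fs/pstore/ r,` is a genuine least-privilege tightening (listing drops from the whole `/sys/fs` tree to two directories), but it is also a behaviour change: any other `/sys/fs/*/` listing systemd performed on some configurations will now be denied, and nothing in the hunk records why these two were the ones kept. A short comment on the pair, e.g. `# Listing only; observed from <source of the denials — fill in>`, would let the next person triaging a new `/sys/fs` denial see whether it is expected. The broad `@{sys}/fs/cgroup/{,**} rw,` two lines below is unchanged and remains the dominant grant here. The systemd profile block continues outside the hunk.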


@ -23,6 +23,8 @@ profile pipewire-media-session @{exec_path} {
network bluetooth stream, network bluetooth stream,
network netlink raw, network netlink raw,
signal (receive) set=(cont term) peer=@{systemd_user},
dbus receive bus=session dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable
member=Introspect member=Introspect


@ -25,7 +25,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
dbus send bus=system path=/org/freedesktop/DBus dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={GetConnectionUnixProcessID,GetConnectionUnixUser} member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
peer=(name=org.freedesktop.DBus, label=dbus-daemon), peer=(name=org.freedesktop.DBus, label=dbus-daemon),
@{exec_path} mr, @{exec_path} mr,
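Review bot: Adding `GetConnectionCredentials` to the member set is the right call for polkitd (it is the bus-driver method that returns the caller's UID, PID and security label in one reply), but the rule now permits three overlapping credential lookups with nothing saying why all three are needed. A trailing comment such as `# caller credential lookup; the two legacy getters are kept for older polkit` would document the overlap; whether the older members can be dropped for the polkit versions the project targets is not something the hunk shows. The polkitd profile block continues outside the hunk.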


@ -37,6 +37,10 @@ profile xdg-desktop-portal-gtk @{exec_path} {
dbus receive bus=session path=/org/freedesktop/portal/desktop dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.impl.portal.Settings interface=org.freedesktop.impl.portal.Settings
peer=(name=:*), peer=(name=:*),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.impl.portal.Settings
member=SettingChanged
peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal),
dbus send bus=session path=/org/gtk/Notifications dbus send bus=session path=/org/gtk/Notifications
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties


@ -25,6 +25,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
network netlink raw, network netlink raw,
signal (receive) set=(cont term) peer=@{systemd_user},
signal (receive) set=(term) peer=gdm, signal (receive) set=(term) peer=gdm,
# dbus: own bus=session name=org.freedesktop.Tracker3.Miner.Extract # dbus: own bus=session name=org.freedesktop.Tracker3.Miner.Extract


@ -25,6 +25,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
network netlink raw, network netlink raw,
signal (receive) set=(cont term) peer=@{systemd_user},
signal (receive) set=(term, kill) peer=gdm, signal (receive) set=(term, kill) peer=gdm,
signal (receive) set=(hup) peer=gdm-session-worker, signal (receive) set=(hup) peer=gdm-session-worker,


@ -54,6 +54,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
ptrace (read,trace) peer=@{systemd}, ptrace (read,trace) peer=@{systemd},
unix (bind) type=stream addr=@@{hex}/bus/sshd/system,
dbus send bus=system path=/org/freedesktop/login1 dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager interface=org.freedesktop.login1.Manager
member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} member={CreateSession,ReleaseSession,CreateSessionWithPIDFD}
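Review bot: The new `unix (bind) type=stream addr=@@{hex}/bus/sshd/system,` rule uses an abstract-socket name whose second component is the process name cut to 15 characters — the same pattern appears elsewhere in this commit as `systemd-hostnam`, `systemd-timedat`, `systemd-timesyn`, `systemd-update-`, `systemd-user-ru` and `systemd-network` — and nothing on the rules says so, so those names read like typos to anyone who has not seen the pattern. Suggest a comment on each of these bind rules, e.g. `# sd-bus private socket: @<hex>/bus/<process name, 15 chars max>/<connection description>`, or a single explanation wherever the project documents its rule conventions. That the 15-character cut comes from the kernel's comm length is my inference from the names alone; confirm it before wording the comment that way. The same point applies to the bind rules added in networkctl, systemd-hostnamed, systemd-logind, systemd-networkd, systemd-timedated, systemd-timesyncd, systemd-update-utmp, systemd-user-runtime-dir and snapd. The sshd profile block continues outside the hunk.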


@ -16,14 +16,16 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
capability sys_module, capability sys_module,
audit capability sys_resource, audit capability sys_resource,
ptrace (read) peer=@{systemd},
signal send peer=child-pager,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
network netlink raw, network netlink raw,
signal send peer=child-pager,
ptrace (read) peer=@{systemd},
unix (bind) type=stream addr=@@{hex}/bus/networkctl/system,
# dbus: talk bus=system name=org.freedesktop.network1 label=systemd-networkd # dbus: talk bus=system name=org.freedesktop.network1 label=systemd-networkd
@{exec_path} mr, @{exec_path} mr,


@ -16,6 +16,8 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
capability sys_admin, # To set a hostname capability sys_admin, # To set a hostname
unix (bind) type=stream addr=@@{hex}/bus/systemd-hostnam/system,
# dbus: own bus=system name=org.freedesktop.hostname1 # dbus: own bus=system name=org.freedesktop.hostname1
dbus send bus=system path=/org/freedesktop/DBus dbus send bus=system path=/org/freedesktop/DBus


@ -29,6 +29,8 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
# mqueue r type=posix /, # mqueue r type=posix /,
unix (bind) type=stream addr=@@{hex}/bus/systemd-logind/system,
# dbus: own bus=system name=org.freedesktop.login1 # dbus: own bus=system name=org.freedesktop.login1
# dbus: talk bus=system name=org.freedesktop.systemd1 label="@{systemd}" # dbus: talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"
@ -131,10 +133,10 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
@{PROC}/sysvipc/{shm,sem,msg} r, @{PROC}/sysvipc/{shm,sem,msg} r,
owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/fdinfo/@{int} r,
/dev/dri/card@{int} rw, /dev/dri/card@{int} rw,
/dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc)
/dev/mqueue/ r, /dev/mqueue/ r,
/dev/tty@{int} rw, /dev/tty@{int} rw,
owner /dev/shm/{,**/} rw, owner /dev/shm/{,**/} rw,
include if exists <local/systemd-logind> include if exists <local/systemd-logind>


@ -27,6 +27,8 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
network packet dgram, network packet dgram,
network packet raw, network packet raw,
unix (bind) type=stream addr=@@{hex}/bus/systemd-network/bus-api-network,
# dbus: own bus=system name=org.freedesktop.network1 # dbus: own bus=system name=org.freedesktop.network1
dbus send bus=system path=/org/freedesktop/hostname1 dbus send bus=system path=/org/freedesktop/hostname1


@ -15,6 +15,8 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
capability sys_time, capability sys_time,
unix (bind) type=stream addr=@@{hex}/bus/systemd-timedat/system,
# dbus: own bus=system name=org.freedesktop.timedate1 # dbus: own bus=system name=org.freedesktop.timedate1
dbus send bus=system path=/org/freedesktop/systemd1/unit/* dbus send bus=system path=/org/freedesktop/systemd1/unit/*


@ -21,6 +21,8 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
unix (bind) type=stream addr=@@{hex}/bus/systemd-timesyn/bus-api-timesync,
# dbus: own bus=system name=org.freedesktop.timesync1 # dbus: own bus=system name=org.freedesktop.timesync1
@{exec_path} mr, @{exec_path} mr,


@ -17,6 +17,8 @@ profile systemd-update-utmp @{exec_path} {
network netlink raw, network netlink raw,
unix (bind) type=stream addr=@@{hex}/bus/systemd-update-/,
@{exec_path} mr, @{exec_path} mr,
@{run}/host/container-manager r, @{run}/host/container-manager r,


@ -23,6 +23,8 @@ profile systemd-user-runtime-dir @{exec_path} {
mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/, mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/,
umount @{run}/user/@{uid}/, umount @{run}/user/@{uid}/,
unix (bind) type=stream addr=@@{hex}/bus/systemd-user-ru/system,
@{exec_path} mr, @{exec_path} mr,
/etc/machine-id r, /etc/machine-id r,


@ -23,9 +23,12 @@ profile lvm @{exec_path} flags=(attach_disconnected) {
ptrace (read), ptrace (read),
# mqueue r type=posix /,
@{exec_path} rm, @{exec_path} rm,
@{etc_rw}/lvm/** rwkl, @{etc_rw}/lvm/** rwkl,
/etc/multipath.conf r,
@{run}/lock/ rw, @{run}/lock/ rw,
@{run}/lock/lvm/ rw, @{run}/lock/lvm/ rw,
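Review bot: The commented-out `# mqueue r type=posix /,` added at the top of this hunk carries no reason, and the same disabled form appears in the systemd-logind hunk of this commit, so a reader cannot tell whether it is a pending rule waiting on something or one deliberately switched off. A trailing note would settle it, e.g. `# mqueue r type=posix /, # TODO: enable once <blocking condition — fill in> is met`; I would guess parser support for the mqueue rule class is the blocker, but that should be replaced by the actual reason. The `/etc/multipath.conf r,` addition is read-only and fine as written. The lvm profile block continues outside the hunk.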


@ -48,6 +48,8 @@ profile snapd @{exec_path} {
ptrace (read) peer=snap, ptrace (read) peer=snap,
ptrace (read) peer=@{systemd}, ptrace (read) peer=@{systemd},
unix (bind) type=stream addr=@@{hex}/bus/systemctl/,
dbus send bus=system path=/org/freedesktop/ dbus send bus=system path=/org/freedesktop/
interface=org.freedesktop.login1.Manager interface=org.freedesktop.login1.Manager
member={SetWallMessage,ScheduleShutdown} member={SetWallMessage,ScheduleShutdown}
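Review bot: The bind rule added here names the socket `@@{hex}/bus/systemctl/` rather than something under `…/bus/snapd/…`, which suggests the access was logged from a `systemctl` child still running under the snapd profile rather than from snapd itself. If systemctl is meant to run under its own profile, the rule belongs there and the missing transition is the thing to fix; if inheriting the snapd profile is intentional, a comment on the rule such as `# systemctl is run inherited (ix) from snapd` would record that so nobody later "corrects" the name. Which of the two is the case cannot be told from this hunk, since the exec rules for systemctl are outside it. The snapd profile block continues outside the hunk.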


@ -46,7 +46,7 @@
@{user_lib_dirs}=@{HOME}/@{XDG_LIB_DIR} @{user_lib_dirs}=@{HOME}/@{XDG_LIB_DIR}
# User build directories and output # User build directories and output
@{user_build_dirs}="/tmp/" @{user_build_dirs}="/tmp/build/"
@{user_pkg_dirs}="/tmp/pkg/" @{user_pkg_dirs}="/tmp/pkg/"
@{user_tmp_dirs}=@{run}/user/@{uid} /tmp/ @{user_tmp_dirs}=@{run}/user/@{uid} /tmp/
@{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR} @{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}
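Review bot: Narrowing `@{user_build_dirs}` from `"/tmp/"` to `"/tmp/build/"` is a welcome tightening, but it also turns the variable into one fixed, predictable name under the world-writable `/tmp`, which any local user can create ahead of the build; profiles that grant write access through `@{user_build_dirs}` should therefore carry `owner` on those rules so a directory pre-created by someone else is not writable through the profile. It is also a behaviour change for every consumer of the variable (builds that used other `/tmp` subdirectories will now be denied), so the comment above could state the expectation, e.g. `# User build directories and output (builds are expected under /tmp/build/)`. The variable's consumers are outside this hunk, so whether they already use `owner` is not visible here.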


@ -4,9 +4,11 @@
# Define some paths for some commonly used programs # Define some paths for some commonly used programs
# All the shells # Default distribution shells
@{sh} = sh zsh bash dash @{sh} = sh zsh bash dash
@{sh_path} = @{bin}/@{sh} @{sh_path} = @{bin}/@{sh}
# All interactive shells users may want to use
@{shells} = sh zsh bash dash fish rbash ksh tcsh csh @{shells} = sh zsh bash dash fish rbash ksh tcsh csh
@{shells_path} = @{bin}/@{shells} @{shells_path} = @{bin}/@{shells}