mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-02-06 10:15:08 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
2555 commits 6 branches 0 tags 16 MiB
Commit graph

1830 commits

Author SHA1 Message Date
Alexandre Pujol
8fe2bf4c20
feat(profile): add missing enchant abs. 2024-06-11 00:00:51 +01:00
Alexandre Pujol
d283ef5196
feat(profile): general update. 2024-06-10 23:58:44 +01:00
Alexandre Pujol
b4407fb7f8
feat(abs): wayland: add ibus shared file. 2024-06-10 23:53:31 +01:00
Alexandre Pujol
0d8afd21e3
feat(abs): vulkan: allow empty vulkan home dir. 2024-06-10 23:52:40 +01:00
Alexandre Pujol
222685c029
feat(profile): use the cups-client more often. 2024-06-10 23:51:38 +01:00
Alexandre Pujol
bb6df870bb
chore: cleanup opensc debian structure. 2024-06-10 23:43:55 +01:00
REmerald
e362aa9107 feat(profiles-m-r): vim syntax support 
Add vim modeline instructing the editor to use the syntax plugin provided by apparmor.
 2024-06-09 19:44:15 +03:00
Alexandre Pujol
5c8dda1ced
feat(profile): remove rule moved in the base or nameservice abstraction. 2024-06-08 22:49:28 +01:00
REmerald
8009c1b9b9
fix(authentication.d/complete): add missing copyright (#370) 
* fix(authentication.d/complete): add missing copyright

* fix(authentication.d/complete): remove first copyright author

Remove the original author from the copyright comment as his file is different and doesn't include his copyright as well. https://gitlab.com/morfikov/apparmemall/-/blob/master/apparmor.d/abstractions/authentication
 2024-06-07 23:04:25 +00:00
curiosityseeker
ec25a155db
Chromium based browsers: add stacking for chrashpad handler (#366) 
* Update chromium abs: remove crashpad-handler

* Update brave: add stacking for chrashpad-handler

* Update chrome: add stacking for crashpad-handler

* Update chromium: add stacking for crashpad-handler

* Update msedge: add stacking for crashpad-handler

* Rename msedge-crashpad-handlers to msedge-crashpad-handler
 2024-06-07 18:26:39 +00:00
Alexandre Pujol
921156c846
fix(profile): pavucontrol 
fix #371
 2024-06-07 19:25:22 +01:00
Alexandre Pujol
503e83a896
fix: steam support on flatpak. 
fix #368
 2024-06-07 17:10:54 +01:00
REmerald
b66274b2ca fix(systemd-oomd): remove double slash 
Double slash caused the path to not work
 2024-06-06 18:40:35 +01:00
REmerald
aa0e33804a fix(pacman): add attach_disconnected flag 
Fixes #350
 2024-06-06 11:50:01 +01:00
REmerald
46008e4edb fix(gvfsd-fuse): add abstractions/nameservice-strict 2024-06-06 11:48:28 +01:00
REmerald
ac86b5ac78 fix(gvfsd): add abstractions/nameservice-strict 2024-06-06 11:48:28 +01:00
REmerald
d1ec0b90fc fix(xdg-permission-store): add abstractions/nameservice-strict and @{HOME}/.local/ 2024-06-06 11:47:38 +01:00
REmerald
2ea558c146 fix(xdg-document-portal): use abstractions/nameservice-strict 2024-06-06 11:41:46 +01:00
REmerald
11e05037c3 fix(xdg-document-portal): add /etc/nsswitch.conf, /etc/passwd 2024-06-06 11:41:46 +01:00
valoq
0565558fe0 complete atool 2024-06-06 11:40:18 +01:00
REmerald
e937eabd4e fix(nm-dispatcher): add modem-manager-gui 2024-06-06 11:39:04 +01:00
REmerald
8f05f02356 fix(systemd-oomd): shorten paths 2024-06-06 11:38:21 +01:00
REmerald
281768667a fix(systemd-oomd): change to {,**/} 2024-06-06 11:38:21 +01:00
REmerald
6801ae1e0c fix(systemd-oomd): make org.a11y.atspi.Registry.slice as in apparmor.d/groups/gnome/epiphany-search-provider 2024-06-06 11:38:21 +01:00
REmerald
5a8510a1f7 fix(systemd-oomd): add cgroup/system.slice/ and app-dbus* paths 2024-06-06 11:38:21 +01:00
REmerald
37d0a36763 fix(polkit-gnome-authentication-agent): include dconf-write 2024-06-06 11:37:53 +01:00
Alexandre Pujol
8b60e56002
feat(profile): general update. 2024-06-04 20:13:40 +01:00
Alexandre Pujol
13d3b23a04
fix(opensuse): ensure integration on opensuse. 2024-06-04 19:52:56 +01:00
REmerald
c40c3e1c98 fix(lspci): add /run/modprobe.d 2024-06-03 21:19:10 +01:00
REmerald
789ba3836e fix(kmod): add /run/modprobe.d 2024-06-03 19:09:46 +01:00
Alexandre Pujol
951bf6a840
Merge branch 'main' of github.com:roddhjav/apparmor.d 
* 'main' of github.com:roddhjav/apparmor.d:
  fix(systemd-oomd): add `app.slice` and `session.slice` paths
  polkit-kde-authentication-agent update (#345)
  add multiple profiles (#341)
 2024-06-03 19:06:35 +01:00
Alexandre Pujol
ff16790421
feat(abs): general update. 2024-06-03 18:37:12 +01:00
Alexandre Pujol
a1fe682e7a
feat(profile): update btop. 2024-06-03 18:34:55 +01:00
REmerald
f9442e8258 fix(systemd-oomd): add app.slice and session.slice paths 2024-06-03 17:52:34 +01:00
curiosityseeker
8dff2ddd72
polkit-kde-authentication-agent update (#345) 
* Update polkit-kde-authentication-agent

needs mediate_deleted

* Update main.flags

* Update polkit-kde-authentication-agent

* Update polkit-kde-authentication-agent
 2024-06-02 20:19:43 +00:00
valoq
bb772167f0
add multiple profiles (#341) 
* add multiple profiles
 2024-05-31 10:47:01 +00:00
Alexandre Pujol
45ae8f5d27
feat(abs): add pgrep. 2024-05-30 21:08:03 +01:00
Alexandre Pujol
3f688be7a0
feat(profile): general update. 2024-05-30 21:03:39 +01:00
Alexandre Pujol
89abbae6bd
Merge branch 'feat/aa' 
Improve go apparmor lib.

* aa: (62 commits)
  feat(aa): handle appending value to defined variables.
  chore(aa): cosmetic.
  fix: userspace prebuild test.
  chore: cleanup unit test.
  feat(aa): improve log conversion.
  feat(aa): move conversion function to its own file & add unit tests.
  fix: go linter issue & not defined variables.
  tests(aa): improve aa unit tests.
  tests(aa): improve rules unit tests.
  feat(aa): ensure the prebuild jobs are working.
  feat(aa): add more unit tests.
  chore(aa): cleanup.
  feat(aa): Move sort, merge and format methods to the rules interface.
  feat(aa): add the hat template.
  feat(aa): add the Kind struct to manage aa rules.
  feat(aa): cleanup rules methods.
  feat(aa): add function to resolve include preamble.
  feat(aa): updaqte mount flags order.
  feat(aa): update default tunable selection.
  feat(aa): parse apparmor preamble files.
  ...
 2024-05-30 19:29:34 +01:00
fira959
d12db8a8dc
Minor improvements (#336) 
* Update audio-client

* Update mpv

* Update mutt

add common mail dir

* Update apparmor.d

* Update mutt

* Update mutt

* Update mutt

* Update mutt

* Update mutt
 2024-05-30 17:51:57 +00:00
Alexandre Pujol
bc216176a3
fix: go linter issue & not defined variables. 2024-05-30 12:28:12 +01:00
curiosityseeker
adccd0066a
Fix typo in @{text_edirors} (#338) 
* Fix typo in multiarch.d/programs

* Fix typo in multirach.d/paths

* Fix typo in abstractions/app-open
 2024-05-29 20:41:23 +00:00
curiosityseeker
94d9570230
Firefox: using stacking for glxtest and vaapitest (#337) 
The current implementation results in the following errors for the Firefox profile:

 @{lib}/firefox/glxtest rix -> firefox-glxtest,  # no new privs

@{lib}/firefox/vaapitest rix -> firefox-vaapitest,   # no new privs

Using stacking as suggested on https://apparmor.pujol.io/development/structure/#no-new-privileges gets rid of these errors.
 2024-05-29 20:41:01 +00:00
Alexandre Pujol
c785b41451
feat(profile): general update. 2024-05-18 22:35:05 +01:00
Alexandre Pujol
7d1380530a
feat(profile): update steam profiles. 
- Still a wip stage
- Not shipped by default
 2024-05-18 15:02:20 +01:00
Alexandre Pujol
5e6af16580
feat(profile): small improvment on systemd profiles. 2024-05-18 13:09:25 +01:00
fira959
d40812ec2f
Profile fixes (#334) 
* Update discord

fix path

* Update signal-desktop-chrome-sandbox

* Update signal-desktop
 2024-05-17 11:44:15 +00:00
doublez13
9349baaff4 vipw-vigr: Use editor abstraction 2024-05-16 15:44:29 +01:00
doublez13
ce329175da pass: Use editor abstraction 2024-05-16 15:44:29 +01:00
doublez13
a291ce373a git: Use editor abstraction 2024-05-16 15:44:29 +01:00
doublez13
192d227c50 crontab: Use editor abstraction 2024-05-16 15:44:29 +01:00
doublez13
98ea2fa47b apt: Use editor abstraction 2024-05-16 15:44:29 +01:00
doublez13
4256e11492 editor abstraction: minor additions 
Add any one-off rules covered in the other editor profiles before converting those to the abstraction.
 2024-05-16 15:44:29 +01:00
fira959
f86b305a66
Update discord profile (#332) 
---------

Co-authored-by: Alex <roddhjav@users.noreply.github.com>
 2024-05-16 10:33:24 +00:00
Alexandre Pujol
41b814675b
fix: syntax error. 2024-05-15 23:53:17 +01:00
Alexandre Pujol
58e458f4ab
feat(profile): add the app/firefox abstraction. 2024-05-15 23:13:23 +01:00
Alexandre Pujol
f5ac8cd4a1
feat(profile): improve dbus rule in chromium based profiles. 2024-05-15 23:07:05 +01:00
Alexandre Pujol
ad960d477b
feat(profile): replace former regex by the new @{user} variable. 2024-05-15 17:22:20 +01:00
Alexandre Pujol
407c71b133
feat(profile): modernize a few app profiles. 2024-05-15 14:50:50 +01:00
fira959
acd6a9794d
Update signal-desktop (#331) 
* Update signal-desktop

* Update signal-desktop-chrome-sandbox

* Update signal-desktop

* Update apparmor.d/groups/apps/signal-desktop

Co-authored-by: Alex <roddhjav@users.noreply.github.com>

* Update signal-desktop

---------

Co-authored-by: Alex <roddhjav@users.noreply.github.com>
 2024-05-14 21:54:31 +00:00
Alexandre Pujol
855f25da9b
feat(tunable): add hex38. 2024-05-14 12:55:57 +01:00
Alexandre Pujol
7b25ed1913
Merge branch 'main' of github.com:roddhjav/apparmor.d 
* 'main' of github.com:roddhjav/apparmor.d:
  Task: Update abstraction path
  Mutt: Update abstraction path
  Update and move abstractions/editor to abstractions/app/editor
  Task: Use editor abstraction
  Mutt: Use editor abstraction
  Create editor abstraction
 2024-05-13 20:37:12 +01:00
Alexandre Pujol
00fd9ddec1
feat(profile): add iceauth 2024-05-13 20:36:46 +01:00
Alexandre Pujol
8f102dea0a
feat(profile): general update. 2024-05-13 20:35:11 +01:00
doublez13
8594700f9a Task: Update abstraction path 2024-05-12 17:34:33 +01:00
doublez13
533bff8583 Mutt: Update abstraction path 2024-05-12 17:34:33 +01:00
doublez13
479d04abac Update and move abstractions/editor to abstractions/app/editor 2024-05-12 17:34:33 +01:00
doublez13
eb32db16c6 Task: Use editor abstraction 2024-05-12 17:34:33 +01:00
doublez13
769b4a7cec Mutt: Use editor abstraction 2024-05-12 17:34:33 +01:00
doublez13
e38f2ac721 Create editor abstraction 
I'm counting seven profiles that have a child profile named "editor" that all include roughly the same boiler plate policies. Let's abstract it out.
 2024-05-12 17:34:33 +01:00
Alexandre Pujol
1739c07ca1
feat(profile): general update. 2024-05-11 17:38:43 +01:00
Alexandre Pujol
533b7ac937
feat(profile): update steam internal 
This is still a wip stage and the profile is not installed by default.
 2024-05-11 17:28:44 +01:00
Alexandre Pujol
4d29127d57
feat(profile): rewrite the child-open* profiles. 2024-05-11 12:13:57 +01:00
Jose Maldonado aka Yukiteru
60ba9ae965 Fix and optimizations for flameshot profile 
Profile simplification PATH and better use for abstractions.
Add permission for @{user_cache_dirs}
 2024-05-11 12:10:59 +01:00
Jose Maldonado aka Yukiteru
3748a13710 Fix access to translations and /tmp in run-time 
Flameshot access to /usr/share/flameshot for search translations for UI.
And have access to /tmp for create tempfile for other apps (ex: send image to GIMP)
 2024-05-11 12:10:59 +01:00
Jose Maldonado aka Yukiteru
31cb3e962d Enable flameshot profile 
I tested in enforce mode the flameshot profile and
fix a little problem with access resources for this app.

All work OK in Debian Stable.
 2024-05-11 12:10:59 +01:00
Alexandre Pujol
2b6fb63245
feat(profile): add foliate. 2024-05-08 21:15:27 +01:00
Alexandre Pujol
bed9545082
feat(profile): general update. 2024-05-08 20:08:41 +01:00
Alexandre Pujol
da7747e0fe
feat(tunable): add all int, hex and read variable from 2 to 64. 2024-05-08 18:27:16 +01:00
Alexandre Pujol
7963a65a88
feat(profile): add support for terminal in flatpak app. 
- Sandbox's security is managed by flatpak
- The app stays confined under the (not really strict) flatpak-app profile
- User shell runs unconfined (under the `user_unconfined` profile)

Running terminal as a flatpak app provides less security than as a normal app.
This is because the shell runs as user_unconfined profile that will purposely
not transition to any other profile. While a shell from a classic terminal will
transition to any profile it can, and thus would get restricted. In other words,
running `apt` inside flatpak would run under the `user_unconfined` while it
would use the `apt` profile outside the sandbox.

fix #314
 2024-05-08 15:48:14 +01:00
Alexandre Pujol
538a73e21e
feat(profile): add user_unconfined profile & reorganise pam profiles. 2024-05-08 15:34:39 +01:00
Alexandre Pujol
66c8f42d94
feat(tunable): add the new @{user} variable 2024-05-07 17:41:34 +01:00
Alexandre Pujol
1842f8a4d5
feat(profile): add some new profile (2). 2024-05-07 17:32:36 +01:00
Alexandre Pujol
fe1e3c3be8
feat(profile): add some new profile. 2024-05-07 17:25:43 +01:00
Alexandre Pujol
239d5efe63
feat(profile): general update. 2024-05-07 16:19:29 +01:00
Alexandre Pujol
4ada6f5879
feat(profile): improve dpkg deb & split. 2024-05-07 16:12:29 +01:00
Alexandre Pujol
9a2f4b5dbe
feat(abs): improve some common user abstraction. 2024-05-07 16:10:09 +01:00
Alexandre Pujol
37bb51ccb5
fix: remove duplicate program name. 2024-05-07 15:57:57 +01:00
Jose Maldonado aka Yukiteru
1c6f7dd1c2 Fix recent error in abstractions/thumbnails-cache-read 
Sorry, in the previous commit I introduced an error in
abstractions/thumbnails-cache-read that prevented this abstractions
from working correctly after a restart and complete reload of
the profiles (after a new installation from Git).

This commit fixes the bug and with it must also pass the repository tests.
 2024-05-07 15:55:09 +01:00
Jose Maldonado aka Yukiteru
92a370210d Fix exec for exim4 for anacron (default config Debian Stable) 
On default installation on Debian Stable (12) anacron run tasks
and when finish all them, run exim4 for send info via mail.

The actual profile don´t permit this behaviour and fail sending
info for all task finished for mail configurated.
 2024-05-07 15:55:09 +01:00
Jose Maldonado aka Yukiteru
0d5655ba76 Noise reduction in exim4 profile 
exim4 profile access to /proc/sys/net/ipv6/conf/all/disable_ipv6
in read mode searching information over IPv6 connection in the host.

In the actual profile this access is denied, this change fix this
and reduce noise in log.
 2024-05-07 15:55:09 +01:00
Jose Maldonado aka Yukiteru
2f3c4574ec Fix access to thumbnail cache dirs in abstractions 
gsd-housekeepin in GNOME have access to @{user_cache_dirs} for
searching thumbnail files and executing one task
for cleaning these files every day.

The actual abstractions/thumbnails-cache-write fail in granted
this access, specially to various folders in
the thumbnail cache (ex: fail folder).

These changes fix this access. For convenience
abstractions/thumbnails-cache-read, have the same access
structure also for files/folders, but only read permissions.
 2024-05-07 15:55:09 +01:00
Alexandre Pujol
18d1ee66a2
feat(profile): update zram generator. 2024-05-07 13:19:41 +01:00
Alexandre Pujol
7cb006d20c
feat(tunable): add torbrowser download dir. 2024-05-07 00:05:20 +01:00
Alexandre Pujol
03dd5fe4cd
feat(profile): improve xfce profiles stack. 2024-05-07 00:04:07 +01:00
Alexandre Pujol
c84b48b0b4
feat(profile): add torbrowser-updater. 2024-05-06 23:53:17 +01:00
Alexandre Pujol
eeb990a934
feat(profile): add some whonix specific profiles. 2024-05-06 23:52:38 +01:00
Alexandre Pujol
c5ed997b6d
feat(profile): improve whonix specific profiles. 2024-05-06 23:51:46 +01:00
Alexandre Pujol
301ffb6065
fix(profile): link rule format. 2024-05-06 20:53:29 +01:00
Alexandre Pujol
f567c0eff7
fix(profile): do not use aa:exec in flatpak-app to avoid conflicting x. 2024-05-06 20:49:30 +01:00