
12 Commits

Author SHA1 Message Date
barmogund
db6925af7c
Merge 83887799ff into a9a41ef810 2024-11-02 11:55:45 +00:00
Alexandre Pujol
a9a41ef810
feat(profile): pacman can restart any updated program.
See #596
2024-11-01 11:59:30 +01:00
odomingao
3144c30c0c
Update nvtop (#595)
2024-10-29 10:43:39 +00:00
beroal
a37e11f686
Writing locale.conf (#593)
2024-10-28 14:59:54 +00:00
valoq
1dc8714cb2
various improvements (#590) 2024-10-28 14:41:41 +00:00
Besanon
6f586f1f46
Add lxqt-session, enable start in sddm (#580) 2024-10-28 14:39:41 +00:00
EricLin0509
be759e7c7c Apply suggestion
2024-10-27 17:13:42 +00:00
EricLin0509
664b23677e Fix build error 2024-10-27 17:13:42 +00:00
EricLin0509
eef7e080f6 Initial support for Xray and V2ray 2024-10-27 17:13:42 +00:00
EricLin0509
0a8727e837 Fix gnome-boxes couldn't found VM that previously created 2024-10-27 14:20:17 +00:00
odomingao
ce4a178706 Update hyprland 2024-10-27 14:16:56 +00:00
Roman Beslik
d8da3147c9 /boot/EFI 2024-10-27 14:16:01 +00:00
21 changed files with 207 additions and 14 deletions


@ -12,7 +12,7 @@
@{sh_path} rix,
@{bin}/nvim mix,
@{bin}/sensible-editor mr,
@{bin}/vim{,.*} mix,
@{bin}/vim{,.*} mrix,
@{bin}/which{,.debianutils} ix,
/usr/share/nvim/{,**} r,


@ -92,7 +92,7 @@
owner @{cache_dirs}/ rw,
owner @{cache_dirs}/** rwk,
/tmp/ r,
/tmp/ rw,
/var/tmp/ r,
owner @{tmp}/@{name}/ rw,
owner @{tmp}/@{name}/* rwk,
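Review bot: The `/tmp/ rw,` line appears to replace `/tmp/ r,` (the page has lost its +/- markers), and nothing records why write access on the directory itself is needed. A rule ending in `/` matches only the directory entry, so `w` here should cover creating or removing `/tmp/` rather than files inside it, which the `owner @{tmp}/@{name}/` rules just below already handle. `/var/tmp/` stays at `r`, so the two look inconsistent. If an audit-log denial motivated the change, a trailing comment such as `/tmp/ rw, # <operation seen in the denial>` would let the next reviewer judge whether it is still required.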


@ -11,6 +11,7 @@
/usr/share/openal/hrtf/{,**} r,
/usr/share/pipewire/client-rt.conf r,
/usr/share/pipewire/client.conf r,
/usr/share/pipewire/jack.conf r,
/usr/share/sounds/{,**} r,
/etc/alsa/conf.d/{,**} r,
@ -60,6 +61,8 @@
/dev/shm/ r,
owner /dev/shm/pulse-shm-@{int} rw,
/dev/snd/controlC@{int} r,
include if exists <abstractions/audio-client.d>
# vim:syntax=apparmor


@ -58,6 +58,7 @@ profile gnome-boxes @{exec_path} {
owner @{tmp}/*.iso-@{rand6} rw,
owner @{tmp}/*.svg-@{rand6} rw,
owner @{run}/user/@{uid}/libvirt/ rw,
owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk,
@{run}/mount/utab r,


@ -16,6 +16,7 @@ profile scdaemon @{exec_path} {
network netlink raw,
signal (send) peer=gpg-agent,
signal send set=usr2 peer=unconfined,
@{exec_path} mr,


@ -25,7 +25,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/usr/share/hyprland/{,*} r,
/usr/share/hypr{,land}/{,*} r,
/usr/share/libinput/{,*} r,
owner @{user_cache_dirs}/hyprland/{,**} rw,


@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kscreen_backend_launcher
profile kscreen_backend_launcher @{exec_path} {
include <abstractions/base>
include <abstractions/lxqt>
include <abstractions/kde-strict>
@{exec_path} mr,


@ -40,6 +40,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
ptrace (trace) peer=@{profile_name},
signal (receive) set=(hup) peer=@{p_systemd},
signal (send) set=(kill, term) peer=lxqt-session,
signal (send) set=(kill, term) peer=startplasma,
signal (send) set=(kill, term) peer=xorg,
signal (send) set=(kill, term) peer=xsetroot,
@ -94,6 +95,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{bin}/kwalletd{5,6} rPx,
@{bin}/kwin_wayland rPx,
@{bin}/sddm-greeter{,-qt6} rPx,
@{bin}/startlxqt rPx,
@{bin}/startplasma-wayland rPx,
@{bin}/startplasma-x11 rPx,
@{bin}/sway rPUx,


@ -0,0 +1,98 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Besanon <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/lxqt-session
profile lxqt-session @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/app-launcher-user>
include <abstractions/bus-accessibility>
include <abstractions/dconf>
include <abstractions/lxqt>
include <abstractions/qt5-shader-cache>
include <abstractions/nameservice-strict>
network netlink raw,
signal (send),
signal (receive) set=(kill, term) peer=startlxqt,
signal (receive) set=(kill, term) peer=sddm,
ptrace (read),
@{exec_path} mr,
@{sh_path} rix,
@{bin}/sed rix,
@{bin}/readlink rix,
@{bin}/dirname rix,
@{bin}/system-config-printer-applet rPx,
@{bin}/dbus-update-activation-environment rCx -> dbus,
@{bin}/systemctl rCx -> systemctl,
@{bin}/pavucontrol rPx,
@{lib}/geoclue-2.0/demos/agent rPx,
@{bin}/nm-connection-editor rPx,
@{bin}/nm-applet rPx,
@{bin}/openbox rix,
@{bin}/dconf-editor rPx,
@{bin}/setxkbmap rix,
@{bin}/start-pulseaudio-x11 rPx,
@{bin}/xrdb rPx,
@{bin}/xdg-user-dirs-update rPx,
/usr/share/ r,
/usr/share/mime/ r,
/usr/share/cursors/ r,
/usr/share/backintime/common/* r,
/usr/share/desktop-directories/* r,
/usr/share/system-config-printer/* r,
/etc/xdg/ r,
/etc/xdg/autostart/ r,
/etc/xdg/autostart/*.desktop r,
/etc/xdg/menus/lxqt-* r,
/etc/xdg/openbox/* r,
/etc/udev/udev.conf r,
owner @{user_config_dirs}/autostart/ r,
owner @{user_config_dirs}/autostart/*.desktop r,
owner @{user_cache_dirs}/openbox/ rw,
owner @{user_cache_dirs}/openbox/sessions/ rw,
owner @{user_cache_dirs}/openbox/openbox.log rwk,
owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
owner @{user_config_dirs}/openbox/rc.xml r,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
@{PROC}/ r,
@{PROC}/uptime r,
@{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/stat r,
/dev/tty rw,
profile systemctl {
include <abstractions/base>
include <abstractions/app/systemctl>
include if exists <local/lxqt-session_systemctl>
}
profile dbus {
include <abstractions/base>
include <abstractions/bus-session>
@{bin}/dbus-update-activation-environment mr,
include if exists <local/lxqt-session_dbus>
}
include if exists <local/lxqt-session>
}
# vim:syntax=apparmor
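Review bot: `signal (send),` and `ptrace (read),` in the new lxqt-session profile carry no `peer=` (and no `set=` for the signal rule), so the session may signal and read-trace any process the kernel otherwise permits. The two receive rules next to them are scoped to `startlxqt` and `sddm`. Narrowing to what the session manager needs, for example `signal (send) set=(term, kill) peer=<profiles the session stops>,`, keeps the profile useful as a boundary; if the open form is deliberate, a comment saying so would help. `@{bin}/openbox rix,` runs the window manager inside this profile, so the `/etc/xdg/openbox/` and cache rules are effectively openbox's policy. `owner @{PROC}/@{pid}/stat r,` is redundant after the unowned `@{PROC}/@{pid}/stat r,` on the line before; one of the two can go, preferably the unowned one if only the session's own processes are read.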


@ -83,9 +83,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
# Manage /boot
/ r,
/boot/ r,
/boot/initramfs-*.img* rw,
/boot/vmlinuz-* r,
/{boot,efi}/ r,
/{boot,efi}/EFI/{,**} rw,
/{boot,efi}/initramfs-*.img* rw,
/{boot,efi}/vmlinuz-* r,
/usr/share/systemd/bootctl/** r,
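Review bot: `/{boot,efi}/EFI/{,**} rw,` gives mkinitcpio write access to the whole EFI tree, which includes boot loader binaries and any other vendor directories on the ESP, not only the images it generates. If the goal is unified kernel image output, a narrower rule such as `/{boot,efi}/EFI/Linux/{,*.efi} rw,` may be enough, although the output path is set per preset and should be confirmed. Keeping the rest of `EFI/` read-only limits what a compromised hook or a bug in the confined process can replace in the boot chain. The profile body continues outside this hunk, so other rules may already cover part of this.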


@ -39,7 +39,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
ptrace read,
signal send set=usr1 peer=gvfsd,
signal send,
signal receive set=winch peer=makepkg//sudo,
@{exec_path} mrix,
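Review bot: `signal send,` has neither `set=` nor `peer=`, so it permits every signal to every peer; it appears to replace the scoped `signal send set=usr1 peer=gvfsd,`, though the +/- markers are lost on this page. The commit title says pacman must be able to restart any updated program, so an open peer may be intended, but the signal set can probably still be limited to what the restart hooks send. At minimum the rule deserves a why-comment, e.g. `signal send, # restart updated programs, see #596`. The profile continues outside the hunk.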


@ -24,11 +24,12 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
/usr/share/systemd/*-map r,
/usr/share/X11/xkb/{,**} r,
/etc/.#locale.conf@{hex16} rw,
/etc/.#vconsole.conf* rw,
/etc/default/.#locale* rw,
/etc/default/keyboard r,
/etc/default/locale rw,
/etc/locale.conf r,
/etc/locale.conf rw,
/etc/vconsole.conf rw,
/etc/X11/xorg.conf.d/ r,
/etc/X11/xorg.conf.d/.#*.confd* rw,


@ -62,6 +62,7 @@ profile mutt @{exec_path} {
owner @{HOME}/.mutthistory rwk,
owner @{HOME}/.muttrc* r,
owner @{HOME}/.signature r, # Mutt signature file
owner @{HOME}/ r,
# User mbox
# Could be a file or dir depending on mbox_type variable
@ -91,11 +92,14 @@ profile mutt @{exec_path} {
@{bin}/w3m mrix,
@{bin}/lynx mrix,
owner @{HOME}/.w3m/* rw,
owner @{HOME}/.w3m/{,**} rw,
owner @{user_mail_dirs}/{,**} r,
owner @{user_mail_dirs}/tmp/{,**} rw,
owner /{var/,}tmp/mutt* rw,
owner /tmp/w3m-@{rand6} rw,
owner /tmp/w3m-@{rand6}/{,**} rw,
include if exists <local/mutt_html-renderer>
}
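Review bot: The w3m temp rules in the second hunk hard-code `/tmp/` (`owner /tmp/w3m-@{rand6}/{,**} rw,`), while the w3m profile in this same comparison uses `owner @{tmp}/w3m-@{rand6}/{,**} rw,`. Using `@{tmp}` here keeps the html-renderer subprofile working wherever that tunable points and keeps the two profiles in step. If both `/tmp/w3m-@{rand6}` lines are on the new side, the first only matches a plain file of that name and may be unnecessary next to the `/{,**}` form. In the first hunk, `owner @{HOME}/ r,` allows listing the home directory; a short comment on what mutt needs it for would help.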


@ -31,7 +31,16 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{sys}/bus/ r,
@{sys}/devices/@{pci}/ r,
@{sys}/devices/@{pci}/current_link_{speed,width} r,
@{sys}/devices/@{pci}/enable r,
@{sys}/devices/@{pci}/hwmon/hwmon@{int}/fan@{int}_{enable,max} r,
@{sys}/devices/@{pci}/hwmon/hwmon@{int}/power@{int}_cap r,
@{sys}/devices/@{pci}/hwmon/hwmon@{int}/pwm@{int} r,
@{sys}/devices/@{pci}/hwmon/hwmon@{int}/pwm@{int}_{enable,max} r,
@{sys}/devices/@{pci}/hwmon/hwmon@{int}/temp@{int}_crit r,
@{sys}/devices/@{pci}/max_link_{speed,width} r,
@{sys}/devices/@{pci}/pcie_bw r,
@{sys}/devices/system/node/node@{int}/cpumap r,
@{PROC}/ r,


@ -15,6 +15,7 @@ profile ouch @{exec_path} {
@{exec_path} mr,
owner @{HOME}/.tmp@{rand6}/{,**} rw,
owner @{HOME}/.tmp-ouch@{rand6}/{,**} rw,
@{sys}/fs/cgroup/user.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,


@ -17,6 +17,8 @@ profile pinentry-curses @{exec_path} {
/usr/share/terminfo/** r,
owner /dev/tty@{int} r,
include if exists <local/pinentry-curses>
}


@ -7,9 +7,10 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/pinentry-gtk-2
profile pinentry-gtk-2 @{exec_path} {
@{exec_path} = @{bin}/pinentry-gtk{,-2}
profile pinentry-gtk @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
@ -17,11 +18,13 @@ profile pinentry-gtk-2 @{exec_path} {
@{exec_path} mr,
/usr/share/gtk-2.0/gtkrc r,
/usr/share/gtk-@{int}.@{int}/{,**} r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
include if exists <local/pinentry-gtk-2>
owner /dev/tty@{int} r,
include if exists <local/pinentry-gtk>
}
# vim:syntax=apparmor
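Review bot: Renaming the profile from `pinentry-gtk-2` to `pinentry-gtk` also renames the local override to `include if exists <local/pinentry-gtk>`, so an existing `local/pinentry-gtk-2` file will be skipped silently because of `if exists`. Any rule elsewhere that names the old profile (a `peer=pinentry-gtk-2` or a transition target) would likewise stop matching; those are not visible on this page and should be checked. Consider keeping `include if exists <local/pinentry-gtk-2>` alongside the new include for a transition period, or noting the rename where users will see it.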


@ -18,6 +18,7 @@ profile signal-desktop-chrome-sandbox @{exec_path} {
capability sys_admin,
capability sys_chroot,
capability dac_override,
@{exec_path} mr,
@ -27,6 +28,9 @@ profile signal-desktop-chrome-sandbox @{exec_path} {
@{PROC}/@{pid}/oom_adj w,
@{PROC}/@{pid}/oom_score_adj w,
# Silencer
deny /dev/pts/@{int} rw, # file_inherit
include if exists <local/signal-desktop-chrome-sandbox>
}


@ -0,0 +1,31 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 EricLin
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/v2ray
profile v2ray @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
network inet dgram,
network inet stream,
network inet raw,
network inet6 dgram,
network inet6 raw,
network netlink raw,
@{exec_path} mr,
/etc/v2ray/{,*} r,
/usr/share/v2ray/**.dat r,
@{PROC}/sys/net/core/somaxconn r,
include if exists <local/v2ray>
}
# vim:syntax=apparmor
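Review bot: The network rules in the new v2ray profile allow `inet stream` but have no `network inet6 stream,`, so TCP over IPv6 is denied while IPv6 datagram and raw sockets are allowed; the xray profile added later in this comparison has the same gap. If that is not intentional, add `network inet6 stream,` to both. Both profiles also grant `network inet raw,` and `network inet6 raw,` without any `capability net_raw,` rule. Either the raw rules are not needed and can be dropped, or the capability is missing and raw socket creation will presumably still be denied. A comment naming the feature that needs raw sockets would make the choice reviewable.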


@ -36,7 +36,7 @@ profile w3m @{exec_path} {
owner @{user_config_dirs}/w3m/{,**} rw,
owner @{tmp}/@{rand6}/{,**} rw,
owner @{tmp}/w3m-@{rand6}/{,**} rw,
include if exists <local/w3m>
}


@ -0,0 +1,31 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 EricLin
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/xray
profile xray @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
network inet dgram,
network inet stream,
network inet raw,
network inet6 dgram,
network inet6 raw,
network netlink raw,
@{exec_path} mr,
/etc/xray/{,*} r,
/usr/share/xray/**.dat r,
@{PROC}/sys/net/core/somaxconn r,
include if exists <local/xray>
}
# vim:syntax=apparmor