# apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include @{exec_path} = /{usr/,}{s,}bin/gparted profile gparted @{exec_path} { include ptrace (read), @{exec_path} r, /{usr/,}{s,}bin/ r, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/cut rix, /{usr/,}bin/id rix, /{usr/,}bin/ls rix, /{usr/,}bin/mkdir rix, /{usr/,}bin/pidof rix, /{usr/,}bin/rm rix, /{usr/,}bin/sed rix, /{usr/,}bin/touch rix, /{usr/,}{s,}bin/gpartedbin rPx, @{libexec}/gparted/gpartedbin rPx, @{libexec}/gpartedbin rPx, @{libexec}/{,udisks2/}udisks2-inhibit rix, @{run}/udev/rules.d/ rw, @{run}/udev/rules.d/90-udisks-inhibit.rules rw, /{usr/,}bin/udevadm rCx -> udevadm, /{usr/,}{s,}bin/killall5 rCx -> killall, /{usr/,}bin/ps rPx, /{usr/,}bin/xhost rPx, /{usr/,}bin/pkexec rPx, /{usr/,}bin/systemctl rPx -> child-systemctl, # For shell pwd / r, /root/ r, /usr/local/bin/ r, /usr/local/sbin/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, # file_inherit owner /dev/tty[0-9]* rw, profile udevadm { include ptrace (read), /{usr/,}bin/udevadm mr, /etc/udev/udev.conf r, owner @{PROC}/@{pid}/stat r, @{PROC}/cmdline r, @{PROC}/1/sched r, @{PROC}/1/environ r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/random/boot_id r, @{sys}/** r, @{sys}/devices/virtual/block/**/uevent rw, @{sys}/devices/pci[0-9]*/**/block/**/uevent rw, @{run}/udev/data/* r, } profile killall flags=(attach_disconnected) { include include capability sys_ptrace, signal (send) set=(int, term, kill), ptrace (read), /{usr/,}{s,}bin/killall5 mr, # The /proc/ dir is needed to avoid the following error: # /proc: Permission denied @{PROC}/ r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/cmdline r, } include if exists }