mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-15 07:54:17 +01:00
102 lines
2.6 KiB
Plaintext
102 lines
2.6 KiB
Plaintext
# vim:syntax=apparmor
|
|
# ------------------------------------------------------------------
|
|
#
|
|
# Copyright (C) 2020 Mikhail Morfikov
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of version 2 of the GNU General Public
|
|
# License published by the Free Software Foundation.
|
|
#
|
|
# ------------------------------------------------------------------
|
|
|
|
#abi <abi/3.0>,
|
|
|
|
#include <tunables/global>
|
|
|
|
@{exec_path} = /{usr/,}bin/spacefm
|
|
profile spacefm @{exec_path} {
|
|
#include <abstractions/base>
|
|
#include <abstractions/gtk>
|
|
#include <abstractions/fonts>
|
|
#include <abstractions/fontconfig-cache-read>
|
|
#include <abstractions/freedesktop.org>
|
|
#include <abstractions/nameservice-strict>
|
|
#include <abstractions/thumbnails-cache-read>
|
|
#include <abstractions/disks-read>
|
|
#include <abstractions/consoles>
|
|
|
|
# This should be tightened when the "profile has merged rule with conflicting x modifiers" error
|
|
# will be fixed. (#FIXME#)
|
|
#include <abstractions/app-launcher-user>
|
|
#include <abstractions/app-launcher-root>
|
|
|
|
# For root window
|
|
deny capability dac_read_search,
|
|
deny capability dac_override,
|
|
|
|
# Needed?
|
|
deny capability sys_nice,
|
|
|
|
# SpaceFM needs this for killing/terminating processes it initiates.
|
|
signal (send) set=(term, kill),
|
|
|
|
@{exec_path} mr,
|
|
|
|
owner @{PROC}/@{pid}/mountinfo r,
|
|
owner @{PROC}/@{pid}/mounts r,
|
|
owner @{PROC}/@{pid}/fd/ r,
|
|
owner @{PROC}/@{pid}/cgroup r,
|
|
|
|
@{sys}/bus/ r,
|
|
@{sys}/class/ r,
|
|
|
|
@{sys}/devices/system/node/ r,
|
|
@{sys}/devices/system/node/node[0-9]*/meminfo r,
|
|
|
|
# To read/write files in the system. The read permission is granted for all files, the write
|
|
# permission only for the owner. Also, dirs like /dev/, /efi/, /proc/, /sys/ are not included in
|
|
# the list.
|
|
/ r,
|
|
/boot/ r,
|
|
/boot/** r,
|
|
owner /boot/** rw,
|
|
/etc/ r,
|
|
/etc/** r,
|
|
owner /etc/** rw,
|
|
/home/ r,
|
|
/home/** r,
|
|
/home/** rw,
|
|
/lost+found/ r,
|
|
/lost+found/** r,
|
|
owner /lost+found/** rw,
|
|
/media/ r,
|
|
/media/** r,
|
|
owner /media/** rw,
|
|
/mnt/ r,
|
|
/mnt/** r,
|
|
owner /mnt/** rw,
|
|
/opt/ r,
|
|
/opt/** r,
|
|
owner /opt/** rw,
|
|
/root/ r,
|
|
/root/** r,
|
|
owner /root/** rw,
|
|
/run/ r,
|
|
/run/** r,
|
|
owner /run/** rw,
|
|
/srv/ r,
|
|
/srv/** r,
|
|
owner /srv/** rw,
|
|
/tmp/ r,
|
|
/tmp/** r,
|
|
owner /tmp/** rw,
|
|
/usr/ r,
|
|
/usr/** r,
|
|
owner /usr/** rw,
|
|
/var/ r,
|
|
/var/** r,
|
|
owner /var/** rw,
|
|
|
|
#include if exists <local/spacefm>
|
|
}
|