mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-30 14:55:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor.d/apparmor.d/profiles-a-f/fwupd
Alexandre Pujol 26f838b73f
feat(profiles): general update.
2022-11-11 22:18:55 +00:00

156 lines
4.1 KiB
Text
Raw Blame History

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/fwupd @{libexec}/fwupd/fwupd
profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-strict>
include <abstractions/disks-read>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
capability dac_override,
capability dac_read_search,
capability linux_immutable,
capability mknod,
capability sys_admin,
capability sys_nice,
capability sys_rawio,
capability syslog,
network netlink raw,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,RemoveMatch,RequestName}
peer=(name=org.freedesktop.DBus),
dbus send bus=system path=/org/freedesktop/ModemManager1
interface=org.freedesktop.DBus.{Properties,ObjectManager}
member={GetAll,GetManagedObjects},
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.DBus.Properties
member={Changed,GetAll},
dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/UDisks2/Manager
interface=org.freedesktop.{DBus.Properties,UDisks2.Manager}
member={GetAll,GetBlockDevices},
dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice}
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus receive bus=system path=/
interface=org.freedesktop.fwupd
member=Changed,
dbus receive bus=system path=/
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus bind bus=system
name=org.freedesktop.fwupd,
@{exec_path} mr,
/{usr/,}lib/fwupd/fwupd-detect-cet rix,
/{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg,
/usr/share/fwupd/{,**} r,
/usr/share/mime/mime.cache r,
/etc/pki/fwupd/{,**} r,
/etc/pki/fwupd-metadata/{,**} r,
/etc/fwupd/{,**} rw,
/var/cache/fwupd/{,**} rw,
/var/lib/fwupd/{,**} rw,
/var/lib/fwupd/pending.db rwk,
/boot/{,**} r,
/boot/EFI/*/.goutputstream-* rw,
/boot/EFI/*/fw/fwupd-*.cap{,.*} rw,
/boot/EFI/*/fwupdx[0-9]*.efi rw,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
# In order to get to this file, the attach_disconnected flag has to be set
owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r,
@{sys}/**/ r,
@{sys}/devices/** r,
@{sys}/firmware/acpi/** r,
@{sys}/firmware/dmi/tables/DMI r,
@{sys}/firmware/dmi/tables/smbios_entry_point r,
@{sys}/firmware/efi/** r,
@{sys}/firmware/efi/efivars/BootNext-* rw,
@{sys}/firmware/efi/efivars/fwupd-* rw,
@{sys}/kernel/security/lockdown r,
@{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r,
@{sys}/power/mem_sleep r,
@{run}/motd.d/ r,
@{run}/motd.d/[0-9]*-fwupd* rw,
@{run}/motd.d/fwupd/{,**} rw,
@{run}/mount/utab r,
@{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/udev/data/* r,
@{PROC}/@{pids}/fd/ r,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/@{pids}/mounts r,
@{PROC}/1/cgroup r,
@{PROC}/cmdline r,
@{PROC}/modules r,
@{PROC}/swaps r,
@{PROC}/sys/kernel/tainted r,
/dev/bus/usb/ r,
/dev/bus/usb/[0-9]*/[0-9]* rw,
/dev/cpu/[0-9]*/msr rw,
/dev/drm_dp_aux[0-9]* rw,
/dev/gpiochip[0-9]* r,
/dev/hidraw[0-9]* rw,
/dev/mei[0-9]* rw,
/dev/mem r,
/dev/mtd[0-9]* rw,
/dev/sd[a-z]* r,
/dev/tpm[0-9]* rw,
/dev/tpmrm[0-9]* rw,
/dev/wmi/* r,
profile gpg flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability dac_read_search,
/{usr/,}bin/gpg mr,
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpgsm mr,
/{usr/,}bin/gpg-agent mr,
owner /var/lib/fwupd/gnupg/ rw,
owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**,
}
include if exists <local/fwupd>
}
Reference in a new issue View git blame Copy permalink