mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-02-07 02:35:06 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor.d/apparmor.d/profiles-a-f/fwupd
Alexandre Pujol 275d6b6e62
feat(profiles): replace old [0-9]* glob by @{int} 
Beware some [0-9]* glob are actually not proper @{int}.
2023-08-18 17:09:53 +01:00

180 lines
4.8 KiB
Text
Raw Blame History

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{lib}/{,fwupd/}fwupd
profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-strict>
include <abstractions/disks-read>
include <abstractions/fonts>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
capability dac_override,
capability dac_read_search,
capability linux_immutable,
capability mknod,
capability sys_admin,
capability sys_nice,
capability sys_rawio,
capability syslog,
network netlink raw,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,RemoveMatch,RequestName}
peer=(name=org.freedesktop.DBus),
dbus send bus=system path=/org/freedesktop/ModemManager1
interface=org.freedesktop.DBus.{Properties,ObjectManager}
member={GetAll,GetManagedObjects},
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.DBus.Properties
member={Changed,GetAll}
peer=(label=polkitd),
dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/UDisks2/Manager
interface=org.freedesktop.{DBus.Properties,UDisks2.Manager}
member={GetAll,GetBlockDevices},
dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice}
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/
interface=org.freedesktop.fwupd
member=Changed
peer=(label=fwupdmgr),
dbus send bus=system path=/
interface=org.freedesktop.DBus
member=Changed
peer=(label=fwupdmgr),
dbus receive bus=system path=/
interface=org.freedesktop.fwupd,
dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.DBus.Properties
member={Changed,GetAll}
peer=(label=polkitd),
dbus receive bus=system path=/
interface=org.freedesktop.DBus.Properties
member={GetAll,SetHints,GetPlugins,GetRemotes}
peer=(name=:*, label=fwupdmgr),
dbus bind bus=system
name=org.freedesktop.fwupd,
@{exec_path} mr,
@{lib}/fwupd/fwupd-detect-cet rix,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/gpgconf rCx -> gpg,
@{bin}/gpgsm rCx -> gpg,
/usr/share/fwupd/{,**} r,
/usr/share/mime/mime.cache r,
/etc/fwupd/{,**} rw,
/etc/lsb-release r,
/etc/pki/fwupd-metadata/{,**} r,
/etc/pki/fwupd/{,**} r,
/var/cache/fwupd/{,**} rw,
/var/lib/fwupd/{,**} rw,
/var/lib/fwupd/pending.db rwk,
/var/tmp/etilqs_@{hex} rw,
/boot/{,**} r,
/boot/EFI/*/.goutputstream-@{rand6} rw,
/boot/EFI/*/fw/fwupd-*.cap{,.*} rw,
/boot/EFI/*/fwupdx@{int}.efi rw,
@{lib}/fwupd/efi/fwupdx@{int}.efi r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
# In order to get to this file, the attach_disconnected flag has to be set
owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r,
owner @{user_cache_dirs}/gnome-software/fwupd/{,**} r,
@{sys}/**/ r,
@{sys}/devices/** r,
@{sys}/firmware/acpi/** r,
@{sys}/firmware/dmi/tables/DMI r,
@{sys}/firmware/dmi/tables/smbios_entry_point r,
@{sys}/firmware/efi/** r,
@{sys}/firmware/efi/efivars/BootNext-@{uuid} rw,
@{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw,
@{sys}/firmware/efi/efivars/fwupd-* rw,
@{sys}/kernel/security/lockdown r,
@{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r,
@{sys}/power/mem_sleep r,
@{run}/motd.d/ r,
@{run}/motd.d/@{int}-fwupd* rw,
@{run}/motd.d/fwupd/{,**} rw,
@{run}/mount/utab r,
@{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/udev/data/* r,
@{PROC}/@{pids}/fd/ r,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/@{pids}/mounts r,
@{PROC}/1/cgroup r,
@{PROC}/cmdline r,
@{PROC}/modules r,
@{PROC}/swaps r,
@{PROC}/sys/kernel/tainted r,
/dev/bus/usb/ r,
/dev/bus/usb/@{int}/@{int} rw,
/dev/cpu/@{int}/msr rw,
/dev/drm_dp_aux@{int} rw,
/dev/gpiochip@{int} r,
/dev/hidraw@{int} rw,
/dev/mei@{int} rw,
/dev/mem r,
/dev/mtd@{int} rw,
/dev/sd[a-z]* r,
/dev/tpm@{int} rw,
/dev/tpmrm@{int} rw,
/dev/wmi/* r,
profile gpg flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability dac_read_search,
@{bin}/gpg{,2} mr,
@{bin}/gpgconf mr,
@{bin}/gpgsm mr,
@{bin}/gpg-agent mrix,
owner /var/lib/fwupd/gnupg/ rw,
owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**,
owner @{PROC}/@{pids}/fd/ r,
}
include if exists <local/fwupd>
}
Reference in a new issue View git blame Copy permalink