mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-14 23:43:56 +01:00
101 lines
2.5 KiB
Plaintext
101 lines
2.5 KiB
Plaintext
# apparmor.d - Full set of apparmor profiles
|
|
# Copyright (C) 2020-2021 Mikhail Morfikov
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
abi <abi/3.0>,
|
|
|
|
include <tunables/global>
|
|
|
|
@{exec_path} = /{usr/,}bin/spacefm
|
|
profile spacefm @{exec_path} {
|
|
include <abstractions/base>
|
|
include <abstractions/gtk>
|
|
include <abstractions/fonts>
|
|
include <abstractions/fontconfig-cache-read>
|
|
include <abstractions/freedesktop.org>
|
|
include <abstractions/nameservice-strict>
|
|
include <abstractions/thumbnails-cache-read>
|
|
include <abstractions/disks-read>
|
|
include <abstractions/consoles>
|
|
|
|
# This should be tightened when the "profile has merged rule with conflicting x modifiers" error
|
|
# will be fixed. (#FIXME#)
|
|
include <abstractions/app-launcher-user>
|
|
include <abstractions/app-launcher-root>
|
|
|
|
# For root window
|
|
deny capability dac_read_search,
|
|
deny capability dac_override,
|
|
|
|
# Needed?
|
|
deny capability sys_nice,
|
|
|
|
# SpaceFM needs this for killing/terminating processes it initiates.
|
|
signal (send) set=(term, kill),
|
|
|
|
network inet stream,
|
|
network inet6 stream,
|
|
network netlink raw,
|
|
|
|
@{exec_path} mr,
|
|
|
|
owner @{PROC}/@{pid}/mountinfo r,
|
|
owner @{PROC}/@{pid}/mounts r,
|
|
owner @{PROC}/@{pid}/fd/ r,
|
|
owner @{PROC}/@{pid}/cgroup r,
|
|
|
|
@{sys}/bus/ r,
|
|
@{sys}/class/ r,
|
|
|
|
@{sys}/devices/system/node/ r,
|
|
@{sys}/devices/system/node/node[0-9]*/meminfo r,
|
|
|
|
@{sys}/fs/cgroup/{,**} r,
|
|
|
|
# To read/write files in the system. The read permission is granted for all files, the write
|
|
# permission only for the owner. Also, dirs like /dev/, /efi/, /proc/, /sys/ are not included in
|
|
# the list.
|
|
/ r,
|
|
/boot/ r,
|
|
/boot/** r,
|
|
owner /boot/** rw,
|
|
/etc/ r,
|
|
/etc/** r,
|
|
owner /etc/** rw,
|
|
/home/ r,
|
|
/home/** r,
|
|
/home/** rw,
|
|
/lost+found/ r,
|
|
/lost+found/** r,
|
|
owner /lost+found/** rw,
|
|
/media/ r,
|
|
/media/** r,
|
|
owner /media/** rw,
|
|
/mnt/ r,
|
|
/mnt/** r,
|
|
owner /mnt/** rw,
|
|
/opt/ r,
|
|
/opt/** r,
|
|
owner /opt/** rw,
|
|
/root/ r,
|
|
/root/** r,
|
|
owner /root/** rw,
|
|
/run/ r,
|
|
/run/** r,
|
|
owner /run/** rw,
|
|
/srv/ r,
|
|
/srv/** r,
|
|
owner /srv/** rw,
|
|
/tmp/ r,
|
|
/tmp/** r,
|
|
owner /tmp/** rw,
|
|
/usr/ r,
|
|
/usr/** r,
|
|
owner /usr/** rw,
|
|
/var/ r,
|
|
/var/** r,
|
|
owner /var/** rw,
|
|
|
|
include if exists <local/spacefm>
|
|
}
|