mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-30 23:05:11 +01:00
103 lines
3 KiB
Text
103 lines
3 KiB
Text
# apparmor.d - Full set of apparmor profiles
|
|
# Copyright (C) 2019-2021 Mikhail Morfikov
|
|
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
abi <abi/3.0>,
|
|
|
|
include <tunables/global>
|
|
|
|
@{code_config_dirs} = @{user_config_dirs}/Code* @{HOME}/.vscode{,-oss}
|
|
|
|
@{exec_path} = @{lib}/electron@{int}/electron
|
|
profile code flags=(attach_disconnected) {
|
|
include <abstractions/base>
|
|
include <abstractions/chromium-common>
|
|
include <abstractions/dconf-write>
|
|
include <abstractions/desktop>
|
|
include <abstractions/fontconfig-cache-read>
|
|
include <abstractions/graphics>
|
|
include <abstractions/nameservice-strict>
|
|
include <abstractions/ssl_certs>
|
|
|
|
capability sys_ptrace,
|
|
|
|
network inet stream,
|
|
network inet6 stream,
|
|
network inet dgram,
|
|
network inet6 dgram,
|
|
network netlink raw,
|
|
|
|
signal (send),
|
|
|
|
@{exec_path} mrix,
|
|
|
|
@{lib}/code/node_modules.asar.unpacked/**.node rm,
|
|
|
|
# Core tools
|
|
@{bin}/git rPx,
|
|
@{bin}/gpg{,2} rPx,
|
|
@{bin}/lsb_release rPx -> lsb_release,
|
|
@{bin}/rg rix,
|
|
@{open_path} rPx -> child-open,
|
|
|
|
# The shell is not confined on purpose.
|
|
@{bin}/@{shells} rUx,
|
|
|
|
# Confine some common tools
|
|
@{lib}/code/extensions/git/dist/askpass.sh rPx,
|
|
@{lib}/code/extensions/git/dist/git-editor.sh rPx,
|
|
|
|
# Do NOT confine most of the extensions
|
|
@{bin}/[a-z0-9]* rPUx,
|
|
@{code_config_dirs}/extensions/** rPUx,
|
|
@{HOME}/.go/bin/* rPUx,
|
|
@{lib}/go/bin/* rPUx,
|
|
@{bin}/python3.@{int} rUx,
|
|
|
|
/etc/shells r,
|
|
/etc/lsb-release r,
|
|
|
|
owner @{HOME}/@{XDG_SSH_DIR}/config r,
|
|
|
|
owner @{code_config_dirs}/** rwkl -> @{code_config_dirs}/**,
|
|
|
|
owner @{user_projects_dirs}/ r,
|
|
owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
|
|
|
|
owner /tmp/@{uuid} rw,
|
|
owner /tmp/vscode-*/{,**} rw,
|
|
owner /tmp/vscode-ipc-@{uuid}.sock rw,
|
|
|
|
owner @{run}/user/@{uid}/vscode-@{hex}-*-{shared,main}.sock rw,
|
|
owner @{run}/user/@{uid}/vscode-git-@{hex}.sock rw,
|
|
owner @{run}/user/@{uid}/git-graph-askpass-[a-zA-Z0-9]*.sock rw,
|
|
|
|
@{run}/systemd/inhibit/*.ref rw,
|
|
|
|
@{sys}/devices/system/cpu/present r,
|
|
@{sys}/devices/system/cpu/kernel_max r,
|
|
@{sys}/devices/virtual/tty/tty@{int}/active r,
|
|
|
|
@{PROC}/ r,
|
|
@{PROC}/@{pid}/fd/ r,
|
|
@{PROC}/@{pid}/stat r,
|
|
@{PROC}/loadavg r,
|
|
@{PROC}/sys/fs/inotify/max_user_watches r,
|
|
@{PROC}/sys/kernel/yama/ptrace_scope r,
|
|
@{PROC}/version r,
|
|
owner @{PROC}/@{pid}/cgroup r,
|
|
owner @{PROC}/@{pid}/cmdline r,
|
|
owner @{PROC}/@{pid}/comm w,
|
|
owner @{PROC}/@{pid}/mountinfo r,
|
|
owner @{PROC}/@{pid}/mounts r,
|
|
owner @{PROC}/@{pid}/oom_score_adj rw,
|
|
owner @{PROC}/@{pid}/statm r,
|
|
owner @{PROC}/@{pids}/clear_refs w,
|
|
owner @{PROC}/@{pids}/task/ r,
|
|
owner @{PROC}/@{pids}/task/@{tid}/status r,
|
|
|
|
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
|
|
|
include if exists <local/code>
|
|
}
|