Merge branch 'master' into ubuntu2204_3

nobodysu 2022-08-28 22:43:46 +00:00 committed by GitHub
commit 00d3eb5efd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
132 changed files with 1914 additions and 363 deletions

View file

@ -42,6 +42,7 @@ tests:
stage: test
image: golang
script:
- echo '#!/usr/bin/env bash\nexit 0' > /usr/bin/journalctl
- go test ./cmd/aa-log -v -cover
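Review bot: the journalctl stub on the `echo` line is never made executable, and if the job shell is bash, `echo` does not expand `\n`, so the file ends up as the single line `#!/usr/bin/env bash\nexit 0`; either way the first exec of it fails. Use `printf '#!/bin/sh\nexit 0\n' > /usr/bin/journalctl && chmod +x /usr/bin/journalctl` so the test sees a working no-op journalctl.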

.golangci.yaml Normal file
View file

@ -0,0 +1,5 @@
---
linters-settings:
staticcheck:
checks: ["all", "-SA1019" ]
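Review bot: `checks: ["all", "-SA1019"]` switches the deprecated-API check off for the whole repository. A `//nolint:staticcheck // reason` on the one call that needs it keeps the check active everywhere else and records why it was suppressed.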

View file

@ -1,8 +1,8 @@
# Contributing
You want to contribute to `apparmor.d`, **thank a lot for this.** You will find
in this page all the useful information needed to contribute.
You want to contribute to `apparmor.d`, **thank a lot for this.** Feedbacks,
contributors, pull requests are all very welcome. You will find in this page all
the useful information needed to contribute.
## How to contribute?
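Review bot: the rewritten intro keeps the grammar slips of the old one: `thank a lot` should be `thanks a lot`, and `Feedbacks, contributors, pull requests are all very welcome` reads better as `Feedback, contributions and pull requests are all very welcome`.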
@ -75,7 +75,26 @@ profile foo @{exec_path} {
## Profile Guidelines
> This profile guideline is still evloving, feel free to propose improvment
**A common structure**
AppArmor profiles can be written without any specific guidelines. However, when
you work with over 1200 profiles, you need a common structure among all the profiles.
The logic behind it is that if a rule is present in a profile, it should only be
in one place, making profile review easier.
For example, if a program needs to run executables binary. The rules allowing it
can only be in a specific rule block (just after the `@{exec_path} mr,` rule). It
is therefore easy to ensure some profile features such as:
* A profile has access to a given resource
* A profile enforces a strict [write xor execute] (W^X) policy.
It also improves compatibilities and makes personalization easier thanks to the use of more variables
**Guidelines**
> **Note**: This profile guideline is still evolving, feel free to propose improvment
> as long as it does not vary too much from the existing rules.
In order to ensure a common structure across the profiles, all new profile should
try to follow the guideline presented here.
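Review bot: typos in the new guideline text: `evloving` should be `evolving` and `improvment` should be `improvement` (the old note line had the same typo), `executables binary` should be `executable binaries`, and `all new profile should` should be `all new profiles should`. The W^X bullet is the security-relevant one; stating the concrete rule it implies, that no path the profile may write to may also carry `ix`, `Px`-style exec or `m`, would tell reviewers what to check in the exec block.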
@ -87,18 +106,20 @@ The rules in the profile should be sorted as follow:
- mount
- remount
- umount
- pivot_root
- ptrace
- signal
- unix
- dbus (send, receive) send receice
- @{exec_path} mr,
- @{exec_path} mr, the entry point of the profile
- The binaries and library required: `/{usr/,}bin/`, `/{usr/,}lib/`, `/opt/`...
It is the only place where you can have `mr`, `rix`, `rPx`, `rUx`, `rPUX` rules.
- The shared resources: `/usr/share`...
- The system configuration: `/etc`...
- The system data: `/var`...
- The user data: `owner @{HOME}/`...
- The user configuration, cache and in general all dotfiles
- Temporary data: `/tmp/`, `@{run}/`...
- Temporary and runtime data: `/tmp/`, `@{run}/`, `/dev/shm/`...
- Sys files: `@{sys}/`...
- Proc files: `@{PROC}/`...
- Dev files: `/dev/`...
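Review bot: the `dbus` bullet ends with the stray words `send receice` (typo for `receive`, and the parenthesised `(send, receive)` already says it). The `@{exec_path} mr, the entry point of the profile` line mixes the rule and its description with no separator; format it like the other bullets, with the rule first and the description after a colon.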
@ -120,10 +141,10 @@ The rules in the profile should be sorted as follow:
The included tool `aa-log` can be useful to explore the apparmor log
## Abstraction
## Abstractions
This project and the apparmor profile official project provide a large selection
of abstraction to be included in profiles. They should be used.
of abstractions to be included in profiles. They should be used.
For instance, instead of writting:
```sh
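Review bot: `writting` in the unchanged line under the heading should be `writing`; worth fixing while the heading is being changed.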
@ -142,44 +163,61 @@ include <abstractions/user-download-strict>
* `@{PROC}=/proc/`
* `@{run}=/run/ /var/run/`
* `@{sys}=/sys/`
* The Home directory: `@{HOME}`
* The home root: `@{HOMEDIRS}=/home/`
* The home directories: `@{HOME}=@{HOMEDIRS}/*/ /root/`
* Process id(s): `@{pid}`, `@{pids}`
* User id: `@{uid}`
* Thread id: `@{tid}`
* Classic XDG user directories:
- Desktop: `@{XDG_DESKTOP_DIR}="Desktop"`
- Download: `@{XDG_DOWNLOAD_DIR}="Downloads"`
- Templates: `@{XDG_TEMPLATES_DIR}="Templates"`
- Public: `@{XDG_PUBLICSHARE_DIR}="Public"`
- Documents: `@{XDG_DOCUMENTS_DIR}="Documents"`
- Music: `@{XDG_MUSIC_DIR}="Music"`
- Pictures: `@{XDG_PICTURES_DIR}="Pictures"`
- Videos: `@{XDG_VIDEOS_DIR}="Videos"`
- Desktop: `@{XDG_DESKTOP_DIR}="Desktop"`
- Download: `@{XDG_DOWNLOAD_DIR}="Downloads"`
- Templates: `@{XDG_TEMPLATES_DIR}="Templates"`
- Public: `@{XDG_PUBLICSHARE_DIR}="Public"`
- Documents: `@{XDG_DOCUMENTS_DIR}="Documents"`
- Music: `@{XDG_MUSIC_DIR}="Music"`
- Pictures: `@{XDG_PICTURES_DIR}="Pictures"`
- Videos: `@{XDG_VIDEOS_DIR}="Videos"`
**Additional variables available with this project:**
* Common mountpoints: `@{MOUNTS}=/media/ @{run}/media /mnt`
* Mountpoints root: `@{MOUNTDIRS}=/media/ @{run}/media/ /mnt/`
* Common mountpoints: `@{MOUNTS}=@{MOUNTDIRS}/*/`
* Universally unique identifier: `@{uuid}=[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*`
* Hexadecimal: `@{hex}=[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]`
* Extended XDG user directories:
- Projects: `@{XDG_PROJECTS_DIR}="Projects"`
- Books: `@{XDG_BOOKS_DIR}="Books"`
- Wallpapers: `@{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers"`
- Sync: `@{XDG_SYNC_DIR}="Sync"`
- Vm: `@{XDG_VM_DIR}=".vm"`
- SSH: `@{XDG_SSH_DIR}=".ssh"`
- GPG: `@{XDG_GPG_DIR}=".gnupg"`
- Cache:` @{XDG_CACHE_HOME}=".cache"`
- Config: `@{XDG_CONFIG_HOME}=".config"`
- Data: `@{XDG_DATA_HOME}=".local/share"`
- Bin: `@{XDG_BIN_HOME}=".local/bin"`
- Lib: `@{XDG_LIB_HOME}=".local/lib"`
- Books: `@{XDG_BOOKS_DIR}="Books"`
- Projects: `@{XDG_PROJECTS_DIR}="Projects"`
- Screenshots: `@{XDG_SCREENSHOTS_DIR}="@{XDG_PICTURES_DIR}/Screenshots"`
- Sync: `@{XDG_SYNC_DIR}="Sync"`
- Torrents: `@{XDG_TORRENTS_DIR}="Torrents"`
- Vm: `@{XDG_VM_DIR}=".vm"`
- Wallpapers: `@{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers"`
* Extended XDG dotfiles:
- SSH: `@{XDG_SSH_DIR}=".ssh"`
- GPG: `@{XDG_GPG_DIR}=".gnupg"`
- Cache:` @{XDG_CACHE_HOME}=".cache"`
- Config: `@{XDG_CONFIG_HOME}=".config"`
- Data: `@{XDG_DATA_HOME}=".local/share"`
- Bin: `@{XDG_BIN_HOME}=".local/bin"`
- Lib: `@{XDG_LIB_HOME}=".local/lib"`
* Full path of the user configuration directories
- Cache: `@{user_cache_dirs}=@{HOME}/@{XDG_CACHE_HOME}`
- Config: `@{user_config_dirs}=@{HOME}/@{XDG_CONFIG_HOME}`
- Bin: `@{user_bin_dirs}=@{HOME}/@{XDG_BIN_HOME}`
- Lib: `@{user_lib_dirs}=@{HOME}/@{XDG_LIB_HOME}`
* Other full path user directories
- Sync: `@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}`
- Cache: `@{user_cache_dirs}=@{HOME}/@{XDG_CACHE_HOME}`
- Config: `@{user_config_dirs}=@{HOME}/@{XDG_CONFIG_HOME}`
- Bin: `@{user_bin_dirs}=@{HOME}/@{XDG_BIN_HOME}`
- Lib: `@{user_lib_dirs}=@{HOME}/@{XDG_LIB_HOME}`
* Full path user directories
- Books: `@{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}`
- Documents: `@{user_documents_dirs}=@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR}`
- Download: `@{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}`
- Music: `@{user_music_dirs}=@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR}`
- Pictures: `@{user_pictures_dirs}=@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR}`
- Projects: `@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}`
- Public: `@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR}`
- Sync: `@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}`
- Templates: `@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}`
- Torrents: `@{user_torrents_dirs}=@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}`
- Videos: `@{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}`
- Vm: `@{user_vm_dirs}=@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}`
## Additional documentation
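Review bot: `@{user_sync_dirs}` is the only entry that still uses `@{MOUNTS}/*/@{XDG_SYNC_DIR}`; now that `@{MOUNTS}` is defined as `@{MOUNTDIRS}/*/`, that adds a second wildcard level and matches different paths from the other `@{user_*_dirs}` entries, which use `@{MOUNTS}/@{XDG_..._DIR}`. The backtick in `Cache:` @{XDG_CACHE_HOME}` is also misplaced. Since this list is read as the spec for how `@{MOUNTS}` behaves in profile rules, check that the tunables file was updated in step with it.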
@ -187,3 +225,4 @@ include <abstractions/user-download-strict>
* https://presentations.nordisch.org/apparmor/#/
[git]: https://help.github.com/articles/set-up-git/
[write xor execute]: https://en.wikipedia.org/wiki/W%5EX

View file

@ -6,8 +6,8 @@
**Full set of AppArmor profiles**
> Warning: This project is still in early development.
> **Warning**: This project is still in early development. Help is very welcome
> see [`CONTRIBUTING.md`](CONTRIBUTING.md)
## Description
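Review bot: `Help is very welcome see CONTRIBUTING.md` needs punctuation between the two clauses, e.g. `Help is very welcome, see ...`.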

View file

@ -8,6 +8,8 @@
# The /sys/ entries probably should be tightened
/dev/ r,
/dev/block/ r,
/dev/disk/{,*/} r,
# Regular disk/partition devices
/dev/{s,v}d[a-z]* rwk,

View file

@ -46,15 +46,15 @@
/opt/ r,
/opt/** rmixk,
@{PROC}/ r,
@{PROC}/* rm,
@{PROC}/* mr,
@{PROC}/[0-9]*/net/ r,
@{PROC}/[0-9]*/net/dev r,
@{PROC}/asound rm,
@{PROC}/asound/** rm,
@{PROC}/ati rm,
@{PROC}/ati/** rm,
@{PROC}/asound mr,
@{PROC}/asound/** mr,
@{PROC}/ati mr,
@{PROC}/ati/** mr,
@{PROC}/sys/vm/overcommit_memory r,
owner @{PROC}/** rm,
owner @{PROC}/** mr,
# needed for gnome-keyring-daemon
@{PROC}/*/status r,
# needed for bamfdaemon and utilities such as ps and killall
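Review bot: the `rm` to `mr` edits are reordering only and change no permissions, but while this abstraction is open it is worth asking whether `m` is needed on `@{PROC}/*`, `owner @{PROC}/**` and `/sys/**` at all; mapping proc and sys files executable is not something a normal program does, and `r` alone would tighten every profile that includes this abstraction.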
@ -62,7 +62,7 @@
/sbin/ r,
/sbin/** rmixk,
/sys/ r,
/sys/** rm,
/sys/** mr,
# needed for confined trusted helpers, such as dbus-daemon
/sys/kernel/security/apparmor/.access rw,
/tmp/ rw,

View file

@ -218,9 +218,9 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
profile gpg {
#include <abstractions/base>
/usr/bin/gpgconf rm,
/usr/bin/gpg rm,
/usr/bin/gpgsm rm,
/usr/bin/gpgconf mr,
/usr/bin/gpg mr,
/usr/bin/gpgsm mr,
owner @{HOME}/@{XDG_GPG_DIR}/* r,
owner @{HOME}/@{XDG_GPG_DIR}/random_seed rk,
@ -232,7 +232,7 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
owner @{user_config_dirs}/kdeglobals r,
/usr/lib/libreoffice/program/lo_kde5filepicker rPUx,
/usr/share/qt5/translations/* r,
/usr/lib/*/qt5/plugins/** rm,
/usr/lib/*/qt5/plugins/** mr,
/usr/share/plasma/look-and-feel/**/contents/defaults r,
# TODO: remove when rules are available in abstractions/kde

View file

@ -28,6 +28,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
capability setgid,
capability setuid,
capability sys_nice,
capability sys_ptrace,
signal (send) peer=apt-methods-*,
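Review bot: `capability sys_ptrace` is a broad grant (it lets apt read any process's `/proc` entries and bypass ptrace access checks), and nothing in the hunk says which operation needs it. Add a comment naming the trigger, and check whether a `ptrace (read) peer=...` rule scoped to the specific peer would satisfy the denial instead.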
@ -46,7 +47,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
member=Inhibit
peer=(name=org.freedesktop.login[0-9]),
dbus send bus=system path=/org/freedesktop/DBus
dbus send bus=system path=/org/freedesktop/DBus{,/Bus}
interface=org.freedesktop.DBus{,.Introspectable}
member={RequestName,GetConnectionUnixProcessID,Introspect}
peer=(name=org.freedesktop.DBus),
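Review bot: the brace expansions in `path=/org/freedesktop/DBus{,/Bus}`, `interface=org.freedesktop.DBus{,.Introspectable}` and `member={RequestName,GetConnectionUnixProcessID,Introspect}` combine as a cross product, so the rule also allows e.g. `RequestName` on the `Introspectable` interface at `/org/freedesktop/DBus/Bus`. Two rules, one for `Introspect` on `org.freedesktop.DBus.Introspectable` and one for `RequestName` and `GetConnectionUnixProcessID` on `org.freedesktop.DBus`, express the real need without the extra combinations.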
@ -101,6 +102,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
/{usr/,}lib/ubuntu-advantage/apt-esm-json-hook rPx,
/{usr/,}lib/update-notifier/update-motd-updates-available rPx,
/usr/share/command-not-found/cnf-update-db rPx,
/usr/share/language-tools/language-options rPx,
# For editing the sources.list file
/{usr/,}bin/sensible-editor rCx -> editor,
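Review bot: `/usr/share/language-tools/language-options rPx` requires a profile that attaches to that path; with `rPx`, an exec with no matching profile is denied rather than falling back. Confirm that profile is part of this merge (the summary lists 132 changed files but it is not visible here), or use `rPUx` until it exists.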
@ -110,6 +112,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/sensible-pager rCx -> pager,
/usr/share/xml/iso-codes/{,**} r,
/usr/share/language-selector/data/pkg_depends r,
/etc/apt/sources.list rwk,
/etc/machine-id r,

View file

@ -82,6 +82,8 @@ profile apt-methods-gpgv @{exec_path} {
# Local keyring storage
/etc/apt/keyrings/ r,
/etc/apt/keyrings/*.{gpg,asc} r,
/usr/share/keyrings/ r,
/usr/share/keyrings/*.{gpg,asc} r,
# Extrepo keyring storage
/var/lib/extrepo/keys/*.{gpg,asc} r,

View file

@ -76,6 +76,7 @@ profile dpkg @{exec_path} {
owner /tmp/apt-dpkg-install-*/ r,
/var/log/dpkg.log w,
/var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
@{run}/systemd/userdb/ r,

View file

@ -49,7 +49,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member={CheckPermissions,StateChanged},
member={CheckPermissions,StateChanged,DeviceAdded,DeviceRemoved},
@{exec_path} mr,
@ -80,6 +80,13 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
/etc/apt/*.list r,
/etc/apt/apt.conf.d/{,**} r,
/etc/debian_version r,
/etc/dpkg/origins/{debian,ubuntu,} r,
/etc/issue{.net,} r,
/etc/legal r,
/etc/lsb-release r,
/etc/profile.d/* r,
/etc/update-motd.d/* r,
/etc/update-manager/{,**} r,
/etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r,
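Review bot: the new `/etc/update-motd.d/* r,` subsumes the existing `/etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r,` two lines below, so one of the two should go. The other additions (`/etc/issue`, `/etc/legal`, `/etc/profile.d/*`) look like reads done on behalf of the motd scripts; a comment naming the code path that triggers them would help the next reviewer.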

View file

@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/avahi-autoipd
profile avahi-autoipd @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
signal receive set=(kill,term),
@{exec_path} mr,
/etc/avahi/avahi-autoipd.action rix,
include if exists <local/avahi-autoipd>
}
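Review bot: `/etc/avahi/avahi-autoipd.action rix,` runs the action script inside this profile, and that script is a shell script that reconfigures the interface, so the profile also needs the interpreter (`/{usr/,}bin/{,ba,da}sh rix`) and the network tools the script calls; none are present. The daemon's ARP probing normally needs `network packet raw` and `capability net_raw` as well. `flags=(complain)` hides all of that, so check `aa-log` for this profile before it is switched to enforce.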

View file

@ -0,0 +1,32 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/avahi-browse /{usr/,}bin/avahi-browse-domains
profile avahi-browse @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-strict>
dbus send bus=system path=/
interface=org.freedesktop.DBus.Peer
member=Ping,
dbus send bus=system path=/
interface=org.freedesktop.Avahi.Server
member={GetAPIVersion,GetState,ServiceTypeBrowserNew,ServiceBrowserNew},
dbus receive bus=system path=/Client[0-9]/ServiceTypeBrowser[0-9]
interface=org.freedesktop.Avahi.ServiceTypeBrowser
member={ItemNew,CacheExhausted,AllForNow},
@{exec_path} mr,
/{usr/,}lib/@{multiarch}/avahi/service-types.db rwk,
include if exists <local/avahi-browse>
}
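Review bot: `path=/Client[0-9]/ServiceTypeBrowser[0-9]` matches only single-digit object numbers; avahi-daemon numbers `/Client<n>` per connection and the counter passes 9 on a long-running system, so `[0-9]*` is needed. The send rule allows `ServiceBrowserNew`, but there is no receive rule for the `org.freedesktop.Avahi.ServiceBrowser` interface, so browsing a concrete service type would still be denied in enforce mode. Finally, `rwk` on the package-owned `service-types.db` grants write to a file a read-only browser should only need `rk` on; confirm from the log that the write is real.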

View file

@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/avahi-daemon
profile avahi-daemon @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
network inet dgram,
network inet6 dgram,
@{exec_path} mr,
/etc/avahi/** r,
include if exists <local/avahi-daemon>
}
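Review bot: `@{exec_path} = /{usr/,}bin/avahi-daemon` does not match where Debian and Ubuntu install the daemon, `/usr/sbin/avahi-daemon`, so the profile never attaches; use `/{usr/,}{s,}bin/avahi-daemon` as the new `avahi-autoipd` and `grub-install` profiles already do. Once attached, the daemon binds `org.freedesktop.Avahi` on the system bus, chroots, drops privileges and writes under `@{run}/avahi-daemon/`, none of which this stub covers; the complain flag is doing all the work.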

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/avahi-publish /{usr/,}bin/avahi-publish-address /{usr/,}bin/avahi-publish-service
profile avahi-publish @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/avahi-publish>
}
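Review bot: avahi-publish is a D-Bus client of avahi-daemon, like avahi-browse above, but this profile has neither `include <abstractions/dbus-strict>` nor any `dbus send` rules for `org.freedesktop.Avahi.Server` (`EntryGroupNew` and the entry-group methods), so in enforce mode it cannot register anything. Copying the structure of the avahi-browse profile would make this a real profile rather than a complain-mode placeholder.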

View file

@ -0,0 +1,34 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/avahi-resolve /{usr/,}bin/avahi-resolve-address /{usr/,}bin/avahi-resolve-host-name
profile avahi-resolve @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-strict>
dbus send bus=system path=/
interface=org.freedesktop.DBus.Peer
member=Ping,
dbus send bus=system path=/
interface=org.freedesktop.Avahi.Server
member={GetAPIVersion,GetState,AddressResolverNew},
dbus send bus=system path=/Client[0-9]/AddressResolver[0-9]
interface=org.freedesktop.Avahi.AddressResolver
member={Free,HostNameResolverNew,},
dbus receive bus=system path=/Client[0-9]/AddressResolver[0-9]
interface=org.freedesktop.Avahi.AddressResolver
member={Failure,Found},
@{exec_path} mr,
include if exists <local/avahi-resolve>
}
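Review bot: `member={Free,HostNameResolverNew,},` has a trailing comma inside the braces, which adds an empty alternative to the set; and `HostNameResolverNew` is a method of `org.freedesktop.Avahi.Server` at `path=/`, not of the `AddressResolver` interface, so it belongs in the Server rule next to `AddressResolverNew`. `/Client[0-9]/AddressResolver[0-9]` has the same single-digit limitation as the avahi-browse profile.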

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/avahi-set-host-name
profile avahi-set-host-name @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/avahi-set-host-name>
}

View file

@ -32,6 +32,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
ptrace (read) peer=browserpass,
ptrace (read) peer=chrome-gnome-shell,
ptrace (read) peer=gnome-browser-connector-host,
ptrace (read) peer=keepassxc-proxy,
ptrace (read) peer=lsb_release,
ptrace (read) peer=xdg-settings,
@ -49,6 +50,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix,
/{usr/,}bin/chrome-gnome-shell rPx,
/{usr/,}bin/gnome-browser-connector-host rPx,
/{usr/,}lib/chromium/chrome-sandbox rPx,
/{usr/,}lib/chromium/chrome_crashpad_handler rPx,

View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -9,8 +10,9 @@ include <tunables/global>
@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache{,-32,-v*}
profile fc-cache @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/consoles>
include <abstractions/fontconfig-cache-write>
include <abstractions/fonts>
@{exec_path} mr,
@ -19,6 +21,8 @@ profile fc-cache @{exec_path} {
/var/cache/fontconfig/*.cache-[0-9]*.LCK rwl,
/var/cache/fontconfig/CACHEDIR.TAG.LCK rwl,
/var/tmp/mkinitramfs_*/{**,} rwl,
# Silencer
deny network inet6 stream,
deny network inet stream,
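Review bot: the `deny network inet{,6} stream` silencers should say what fc-cache is attempting to connect to; a deny rule suppresses the log entry for good, so the comment is the only record that this was a known, harmless attempt (typically a name-service lookup) rather than something to investigate.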

View file

@ -33,7 +33,6 @@ profile pipewire @{exec_path} {
/usr/share/pipewire/pipewire.conf r,
/etc/machine-id r,
/etc/pipewire/client.conf r,
/etc/pipewire/pipewire-pulse.conf.d/{,*} r,
/etc/pipewire/pipewire.conf r,

View file

@ -11,6 +11,7 @@ include <tunables/global>
profile pipewire-media-session @{exec_path} {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/devices-usb>
include <abstractions/nameservice-strict>
@ -44,11 +45,11 @@ profile pipewire-media-session @{exec_path} {
owner @{HOME}/.local/state/ rw,
owner @{HOME}/.local/state/pipewire/{,**} rw,
owner @{user_config_dirs}/pipewire/ rw,
owner @{user_config_dirs}/pipewire/** rw,
owner @{user_config_dirs}/pulse/ rw,
owner @{run}/user/@{uid}/bus rw,
owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
@{run}/udev/data/+sound:card[0-9]* r, # For sound

View file

@ -29,13 +29,15 @@ profile polkit-agent-helper @{exec_path} {
signal (receive) set=(term, kill) peer=gnome-shell,
signal (receive) set=(term, kill) peer=pkexec,
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll,
member=GetAll
peer=(name=:*),
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority
member=AuthenticationAgentResponse2,
member=AuthenticationAgentResponse2
peer=(name=:*),
@{exec_path} mr,
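Review bot: `peer=(name=:*)` matches any unique connection name, so it narrows these two sends almost not at all. Both calls are addressed to polkitd's well-known name; if the audit log shows that name, `peer=(name=org.freedesktop.PolicyKit[0-9])` is the tighter rule (the apt hunk above uses `peer=(name=org.freedesktop.DBus)` in the same way). Keep `:*` only if the log really reports a unique name for these calls.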

View file

@ -23,13 +23,14 @@ profile polkitd @{exec_path} {
ptrace (read),
dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/*
interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*},
interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*}, # all members
dbus send bus=system path=/org/freedesktop/DBus
dbus (send) bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID,RequestName},
member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName}
peer=(name=org.freedesktop.DBus),
dbus bind bus=system
dbus (bind) bus=system
name=org.freedesktop.PolicyKit[0-9],
@{exec_path} mr,

View file

@ -127,6 +127,13 @@ profile pulseaudio @{exec_path} {
member=Get
peer=(name=/org/freedesktop/hostname[0-9]),
dbus (send)
bus=system
path=/org.freedesktop.hostname[0-9]
interface=org.freedesktop.DBus.Prope
member=Get
peer=(name=/org/freedesktop/hostname[0-9]),
@{exec_path} mrix,
/{usr/,}@{libexec}/pulse/gsettings-helper mrix,
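Review bot: the added `dbus (send)` block duplicates the rule just above it with three errors: `path=/org.freedesktop.hostname[0-9]` uses dots where an object path needs slashes, `interface=org.freedesktop.DBus.Prope` is truncated, and `peer=(name=/org/freedesktop/hostname[0-9])` gives an object path where a bus name (`org.freedesktop.hostname[0-9]`) belongs. The existing rule has the same peer mistake. Drop the new block and fix the peer on the original.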

View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/xdg-document-portal
profile xdg-document-portal @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-session-strict>
ptrace (read) peer=xdg-desktop-portal,
@ -23,7 +24,6 @@ profile xdg-document-portal @{exec_path} {
owner @{user_share_dirs}/flatpak/db/documents r,
owner @{run}/user/@{uid}/bus rw,
owner @{run}/user/@{uid}/doc/ rw,
owner @{PROC}/@{pid}/fd/ r,
@ -36,7 +36,7 @@ profile xdg-document-portal @{exec_path} {
profile flatpak {
include <abstractions/base>
/{usr/,}bin/flatpak rm,
/{usr/,}bin/flatpak mr,
/ r,
/etc/flatpak/remotes.d/{,*} r,

View file

@ -11,6 +11,7 @@ profile gdm-wayland-session @{exec_path} {
include <abstractions/base>
include <abstractions/bash>
include <abstractions/consoles>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
include <abstractions/nameservice-strict>
@ -53,7 +54,6 @@ profile gdm-wayland-session @{exec_path} {
/etc/default/im-config r,
/etc/gdm{3,}/custom.conf r,
/etc/machine-id r,
/etc/shells r,
/etc/X11/xinit/xinputrc r,
/etc/X11/Xsession.d/*im-config_launch r,
@ -61,8 +61,7 @@ profile gdm-wayland-session @{exec_path} {
/usr/share/gdm/gdm.schemas r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{run}/user/@{uid}/bus rw,
@{run}/gdm/custom.conf r,
@{run}/gdm/custom.conf r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/loginuid r,

View file

@ -46,16 +46,17 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/gstreamer-1.0/ rw,
owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
@{run}/user/@{uid}/wayland-cursor-shared-* rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
@{sys}/devices/system/cpu/possible r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
/dev/ r,
/dev/tty rw,

View file

@ -24,6 +24,8 @@ profile gnome-characters-backgroudservice @{exec_path} {
/etc/gtk-3.0/settings.ini r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/stat r,

View file

@ -34,6 +34,9 @@ profile gnome-extension-ding @{exec_path} {
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus bind bus=session
name=com.rastersoft.ding,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,

View file

@ -9,6 +9,14 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/gnome-extensions-app
profile gnome-extensions-app @{exec_path} {
include <abstractions/base>
# include <abstractions/vulkan>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/opencl>
@{exec_path} mr,
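Review bot: `# include <abstractions/vulkan>` is a commented-out include with no explanation; either drop it or say in the comment why it is held back, otherwise nobody can tell later whether it is needed.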
@ -16,6 +24,15 @@ profile gnome-extensions-app @{exec_path} {
/{usr/,}bin/gjs-console rix,
/usr/share/terminfo/x/xterm-256color r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/gnome-shell/org.gnome.Extensions* r,
/usr/share/X11/xkb/{,**} r,
@{sys}/devices/system/cpu/possible r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/task/@{tid}/stat r,
/dev/tty rw,
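Review bot: `owner @{PROC}/@{pids}/stat r,` and the `task/@{tid}/stat` line use `@{pids}` while the `mounts` line above uses `@{pid}`; `@{pids}` matches any pid, so with `owner` it exposes every process of the same user rather than the app's own. Unless gnome-extensions-app really reads other processes' stat files, `@{pid}` is the consistent and narrower choice.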

View file

@ -10,6 +10,7 @@ include <tunables/global>
profile gnome-terminal-server @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
@ -34,8 +35,6 @@ profile gnome-terminal-server @{exec_path} {
/etc/shells r,
owner @{run}/user/@{uid}/at-spi/bus rw,
owner @{run}/user/@{uid}/bus rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,

View file

@ -10,6 +10,7 @@ include <tunables/global>
profile nautilus @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/app-launcher-user>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
include <abstractions/gnome>
@ -21,6 +22,20 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus (send, receive) bus=session path=/org/gnome/Nautilus{,/*}
interface={org.freedesktop.DBus.{Properties,Introspectable},org.gtk.Actions},
dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
interface=org.gtk.Private.RemoteVolumeMonitor
member={IsSupported,List}
peer=(name=:*),
dbus bind bus=session
name=org.gnome.Nautilus,
dbus bind bus=session
name=org.freedesktop.FileManager1,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
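Review bot: `path=/org/gnome/Nautilus{,/*}` matches the root object and one level below it; `*` does not cross `/`, so objects exported deeper (GTK applications export windows at `<app path>/window/<n>`) would still be denied. Use `{,/**}` if such paths show up in the log. The `RemoteVolumeMonitor` rule's `peer=(name=:*)` matches any peer and adds no real restriction; the monitor's well-known name would be tighter if the log confirms it.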

View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/tracker-extract-3
profile tracker-extract @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/disks-read>
include <abstractions/fonts>
@ -51,8 +52,7 @@ profile tracker-extract @{exec_path} {
owner /tmp/tracker-extract-3-files.*/{,*} rw,
owner @{run}/user/@{uid}/bus rw,
@{run}/blkid/blkid.tab r,
@{run}/blkid/blkid.tab r,
@{run}/udev/data/c235:* r,
@{run}/udev/data/c236:* r,

View file

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2017-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -11,22 +11,25 @@ include <tunables/global>
profile gpg @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/user-download-strict>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
include <abstractions/user-read>
capability dac_read_search,
network netlink raw,
@{exec_path} mrix,
/{usr/,}bin/gpgconf rPx,
/{usr/,}bin/gpg-connect-agent rPx,
/{usr/,}bin/gpg-agent rPx,
/{usr/,}bin/dirmngr rPx,
/{usr/,}bin/gpg-agent rPx,
/{usr/,}bin/gpg-connect-agent rPx,
/{usr/,}bin/gpgconf rPx,
/{usr/,}bin/gpgsm rPx,
/{usr/,}lib/gnupg/scdaemon rPx,
# GPG config files
owner @{HOME}/ r,
/etc/inputrc r,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
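Review bot: `capability dac_read_search` lets a root gpg read files regardless of their mode bits, within whatever the file rules allow; the hunk gives no reason for it, and the same capability is added to gpgconf and gpgsm further down. Add a comment naming the case that needs it (reading another user's keyring as root, for instance) so the grant can be reconsidered later.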
@ -39,54 +42,9 @@ profile gpg @{exec_path} {
owner /var/lib/*/.gnupg/ rw,
owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**,
# For flatpak
owner /tmp/ostree-gpg-*/ r,
owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
# For ToR Browser
owner @{user_share_dirs}/torbrowser/gnupg_homedir/ r,
owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{user_share_dirs}/torbrowser/gnupg_homedir/**,
# For spamassassin
owner /var/lib/spamassassin/sa-update-keys/** rwkl -> /var/lib/spamassassin/sa-update-keys/**,
# For lintian
owner /tmp/temp-lintian-lab-*/**/debian/upstream/signing-key.asc r,
owner /tmp/lintian-pool-*/**/debian/upstream/signing-key.asc r,
owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid} rw,
owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
owner /tmp/*/trustdb.gpg rw,
owner /tmp/*/trustdb.gpg.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
owner /tmp/*/pubring.kbx rw,
owner /tmp/*/pubring.kbx.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
owner /tmp/*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
owner /tmp/*.gpg rw,
owner /tmp/*.gpg~ w,
owner /tmp/*.gpg.tmp rw,
owner /tmp/*.gpg.lock rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid},
owner /tmp/.#lk0x[0-9a-f]*.*.@{pid} rw,
owner /tmp/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid},
owner @{run}/user/@{uid}/gnupg/d.*/ rw,
# APT upstream/user keyrings
/usr/share/keyrings/*.{gpg,asc} r,
/etc/apt/keyrings/*.{gpg,asc} r,
# APT repositories
/var/lib/apt/lists/*_InRelease r,
# Verify files
owner @{HOME}/** r,
owner @{MOUNTS}/** r,
owner @{PROC}/@{pid}/task/@{tid}/stat rw,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/fd/ r,
/etc/inputrc r,
# file_inherit
/tmp/#[0-9]*[0-9] rw,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat rw,
include if exists <local/gpg>
}
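Review bot: the flatpak/ostree, Tor Browser, spamassassin and lintian rules are dropped with no replacement visible here and no mention in the commit message; if those callers now get their own child profiles that is fine, otherwise gpg invoked from them will be denied under enforce. Separately, `owner @{HOME}/** r` under `# Verify files` grants read of everything in the user's home, which together with `owner @{MOUNTS}/** r` is about as wide as a file rule gets; `abstractions/user-read` is already included, so check whether this is needed on top of it.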

View file

@ -12,6 +12,8 @@ profile gpgconf @{exec_path} {
include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability dac_read_search,
@{exec_path} mrix,
/{usr/,}bin/gpg-connect-agent rPx,

View file

@ -11,6 +11,8 @@ profile gpgsm @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability dac_read_search,
@{exec_path} mr,
deny /usr/bin/.gnupg/ w,

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-bios-setup
profile grub-bios-setup @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/grub-bios-setup>
}

View file

@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-editenv
profile grub-editenv @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/boot/grub/grubenv rw,
include if exists <local/grub-editenv>
}

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-file
profile grub-file @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/grub-file>
}

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-fstest
profile grub-fstest @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/grub-fstest>
}

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-glue-efi
profile grub-glue-efi @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/grub-glue-efi>
}

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-install
profile grub-install @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/grub-install>
}
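Review bot: grub-install writes the boot sector and `/boot/grub/`, yet this profile has only `@{exec_path} mr`, so everything it does will be a complain-mode log line. A placeholder is acceptable, but say so in a comment, and add the `/boot/{**,} rw` and block-device rules that are already known so the log shows only the unexpected accesses.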

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-kbdcomp
profile grub-kbdcomp @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/grub-kbdcomp>
}

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-macbless
profile grub-macbless @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/grub-macbless>
}

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-menulst2cfg
profile grub-menulst2cfg @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/grub-menulst2cfg>
}

View file

@ -0,0 +1,78 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-mkconfig
profile grub-mkconfig @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search,
@{exec_path} mr,
/etc/grub.d/{**,} rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/date rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/dpkg rPx,
/{usr/,}bin/find rix,
/{usr/,}bin/findmnt rPx,
/{usr/,}bin/gettext rix,
/{usr/,}bin/{e,f,}grep rix,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/grub-mkrelpath rPx,
/{usr/,}bin/grub-script-check rPx,
/{usr/,}bin/head rix,
/{usr/,}bin/id rPx,
/{usr/,}bin/ls rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/mount rPx,
/{usr/,}bin/mountpoint rix,
/{usr/,}bin/paste rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/rmdir rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/stat rix,
/{usr/,}bin/tail rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/umount rPx,
/{usr/,}bin/uname rix,
/{usr/,}bin/which{.debianutils,} rix,
/{usr/,}{s,}bin/dmsetup rPUx,
/{usr/,}{s,}bin/grub-probe rPx,
/{usr/,}{local/,}{s,}bin/zfs rPx,
/{usr/,}{local/,}{s,}bin/zpool rPx,
/boot/{**,} r,
/boot/grub/{**,} rw,
/etc/default/grub r,
/etc/default/grub.d/{*,} r,
/usr/share/grub/{**,} r,
/.zfs/snapshot/*/etc/{machine-id,} r,
/.zfs/snapshot/*/{usr/,}lib/os-release r,
/ r,
owner /tmp/** rw,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/@{pids}/mounts r,
@{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
include if exists <local/grub-mkconfig>
}
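Review bot: `/{usr/,}bin/grub-mkrelpath rPx,` does not cover `/{usr/,}{s,}bin/grub-mkrelpath`, which is the attachment path the grub-mkrelpath profile in this commit declares, so on a system that ships the helper in `sbin` the transition is denied; use `/{usr/,}{s,}bin/grub-mkrelpath rPx,` as already done for grub-probe two lines below. Two smaller points: `/{usr/,}{s,}bin/dmsetup rPUx,` silently falls back to unconfined when no dmsetup profile is loaded, which deserves a comment saying why `rPx` was not chosen, and `/{usr/,}bin/lsb_release rPx -> lsb_release,` sits between `grep` and `grub-mkrelpath` in an otherwise alphabetical block.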

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-mkdevicemap
profile grub-mkdevicemap @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/grub-mkdevicemap>
}

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mkfont
profile grub-mkfont @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/grub-mkfont>
}

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mkimage
profile grub-mkimage @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/grub-mkimage>
}

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mklayout
profile grub-mklayout @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/grub-mklayout>
}

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mknetdir
profile grub-mknetdir @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/grub-mknetdir>
}

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mkpasswd-pbkdf2
profile grub-mkpasswd-pbkdf2 @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/grub-mkpasswd-pbkdf2>
}

View file

@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-mkrelpath
profile grub-mkrelpath @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}{local/,}{s,}bin/zpool rPx,
@{PROC}/@{pids}/mountinfo r,
include if exists <local/grub-mkrelpath>
}
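Review bot: `@{PROC}/@{pids}/mountinfo r,` lets the process read the mount table of every process on the host; grub-mkrelpath only needs its own, so `owner @{PROC}/@{pid}/mountinfo r,` is enough and is the form systemd-analyze and networkctl use elsewhere in this commit.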

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mkrescue
profile grub-mkrescue @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/grub-mkrescue>
}

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mkstandalone
profile grub-mkstandalone @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/grub-mkstandalone>
}

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mount
profile grub-mount @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/grub-mount>
}

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-ntldr-img
profile grub-ntldr-img @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/grub-ntldr-img>
}

View file

@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-probe
profile grub-probe @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-read>
capability sys_admin,
@{exec_path} mr,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/udevadm rPx,
/{usr/,}{local/,}{s,}bin/zpool rPx,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/devices r,
/dev/mapper/control rw,
include if exists <local/grub-probe>
}
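Review bot: `capability sys_admin,` is the broadest capability AppArmor can grant and the rule carries no justification; if it is there for the device-mapper ioctls behind `/dev/mapper/control rw,` (the only rule here that plausibly needs it), say so in a comment so the next reviewer can tell whether it is still required once the profile leaves complain mode. As in grub-mkrelpath, `@{PROC}/@{pids}/mountinfo r,` can be narrowed to `owner @{PROC}/@{pid}/mountinfo r,`.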

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-reboot
profile grub-reboot @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/grub-reboot>
}

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-render-label
profile grub-render-label @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/grub-render-label>
}

View file

@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-script-check
profile grub-script-check @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/boot/grub/grub.cfg{.new,} rw,
include if exists <local/grub-script-check>
}
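Review bot: `/boot/grub/grub.cfg{.new,} rw,` gives a syntax checker write access to the live boot configuration. grub-script-check only has to read the file it is asked to validate; the writer is grub-mkconfig, which calls it via `rPx` and already holds `/boot/grub/{**,} rw,`. Unless an audit log shows a write denial from grub-script-check itself, this should be `r`.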

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-set-default
profile grub-set-default @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/grub-set-default>
}

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-syslinux2cfg
profile grub-syslinux2cfg @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
include if exists <local/grub-syslinux2cfg>
}

View file

@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/update-grub{2,}
profile update-grub @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}{s,}bin/grub-mkconfig rPx,
include if exists <local/update-grub>
}

View file

@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd
profile gvfsd @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-session-strict>
@{exec_path} mr,
@ -20,7 +21,6 @@ profile gvfsd @{exec_path} {
/usr/share/gvfs/{,**} r,
owner @{run}/user/@{uid}/bus rw,
owner @{run}/user/@{uid}/gvfs/ rw,
owner @{run}/user/@{uid}/gvfsd/ rw,

View file

@ -31,6 +31,10 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects,
dbus receive bus=system path=/org/freedesktop/ModemManager[0-9]
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority
member=Changed,

View file

@ -32,7 +32,7 @@ profile mullvad-gui @{exec_path} {
@{exec_path} mrix,
"/opt/Mullvad VPN/*.so*" rm,
"/opt/Mullvad VPN/*.so*" mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gsettings rix,
@ -53,6 +53,7 @@ profile mullvad-gui @{exec_path} {
@{sys}/bus/pci/devices/ r,
@{sys}/devices/virtual/tty/tty[0-9]*/active r,
@{sys}/devices/pci[0-9]*/**/{vendor,device,class,config} r,
@{sys}/devices/system/cpu/possible r,
@{PROC}/ r,
@{PROC}/sys/fs/inotify/max_user_watches r,

View file

@ -8,7 +8,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/nm-dispatcher
@{exec_path} += /{usr/,}lib/NetworkManager/nm-dispatcher
profile nm-dispatcher @{exec_path} {
profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>

View file

@ -27,7 +27,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/cp rix,
/{usr/,}bin/dd rix,
/{usr/,}bin/find rix,
/{usr/,}bin/findmnt rix,
/{usr/,}bin/findmnt rPx,
/{usr/,}bin/fsck rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/grep rix,
@ -77,10 +77,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
# Can copy any program to the initframs
/{usr/,}bin/ r,
/{usr/,}bin/[a-z0-9]* rm,
/{usr/,}lib/plymouth/plymouthd-* rm,
/{usr/,}lib/systemd/systemd-* rm,
/{usr/,}lib/udev/[a-z0-9]* rm,
/{usr/,}bin/[a-z0-9]* mr,
/{usr/,}lib/plymouth/plymouthd-* mr,
/{usr/,}lib/systemd/systemd-* mr,
/{usr/,}lib/udev/[a-z0-9]* mr,
# Manage /boot
/ r,
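Review bot: typo in the context comment `# Can copy any program to the initframs`: it should read `initramfs`. Since this hunk already rewrites the four rules under it (switching `rm` to `mr`), fixing the comment in the same change is cheap.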

View file

@ -83,6 +83,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r,
owner @{run}/sshd{,.init}.pid wl,
@{run}/motd.d/{,*} r,
@{run}/motd.dynamic rw,
@{run}/motd.dynamic.new rw,
@{run}/resolvconf/resolv.conf r,

View file

@ -27,7 +27,7 @@ profile child-systemctl flags=(attach_disconnected) {
network inet stream,
network inet6 stream,
dbus send bus=system path=/org/freedesktop/systemd[0-9]
dbus send bus=system path=/org/freedesktop/systemd[0-9]/Unit
interface=org.freedesktop.systemd[0-9].Manager
member=GetUnitFileState,
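Review bot: the new object path `/org/freedesktop/systemd[0-9]/Unit` is paired with `interface=org.freedesktop.systemd[0-9].Manager` and `member=GetUnitFileState`, but the Manager interface lives on the root object `/org/freedesktop/systemd1`, which is both what the replaced line matched and what systemd-analyze in this commit uses for `member=ListUnits`. Please check the audit entry: if the denied path was a unit object, the pattern should look like `/org/freedesktop/systemd1/unit/*` (as in systemd-analyze), not `/Unit`.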
@ -35,6 +35,8 @@ profile child-systemctl flags=(attach_disconnected) {
/etc/systemd/user/{,**} rwl,
@{run}/systemd/private rw,
owner @{PROC}/@{pid}/stat r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/1/environ r,
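Review bot: `@{PROC}/1/environ r,` exposes the environment block of PID 1 to every caller that transitions into child-systemctl, and the rule is unowned. Add a comment stating which systemctl operation needs it; if the purpose is only to detect whether the tool runs under systemd, `@{PROC}/1/cgroup r,` (used by dockerd in this commit) together with the `@{PROC}/sys/kernel/osrelease r,` rule just above may be sufficient.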

View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/networkctl
profile networkctl @{exec_path} flags=(complain) {
profile networkctl @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base>
include <abstractions/dbus-strict>
@ -39,9 +39,6 @@ profile networkctl @{exec_path} flags=(complain) {
/var/lib/dbus/machine-id r,
/etc/machine-id r,
@{run}/systemd/netif/links/[0-9]* r,
@{run}/systemd/netif/state r,
# To be able to read logs
@{run}/log/ r,
/{run,var}/log/journal/ r,
@ -50,12 +47,16 @@ profile networkctl @{exec_path} flags=(complain) {
/{run,var}/log/journal/[0-9a-f]*/system.journal* r,
/{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r,
@{run}/systemd/netif/links/[0-9]* r,
@{run}/systemd/netif/state r,
@{run}/systemd/notify w,
@{sys}/devices/**/net/**/uevent r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/stat r,
@{PROC}/filesystems r,
@{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/stat r,
include if exists <local/networkctl>
}

View file

@ -10,17 +10,32 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-analyze
profile systemd-analyze @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-strict>
include <abstractions/systemd-common>
capability sys_resource,
capability net_admin,
signal (send) peer=child-pager,
network inet dgram,
network netlink raw,
signal (send) peer=child-pager,
dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=ListUnits,
dbus send bus=system path=/org/freedesktop/systemd1/unit/*
interface=org.freedesktop.DBus.Properties
member=GetAll,
@{exec_path} mr,
/{usr/,}lib/systemd/system-environment-generators/* rix,
/{usr/,}bin/pager rPx -> child-pager,
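Review bot: `capability net_admin,` together with `network inet dgram,` and `network netlink raw,` turns a reporting tool into one that may reconfigure the network stack, and none of the three rules says which systemd-analyze subcommand triggered them; since this profile is not in complain mode, add a comment naming the operation (or move the rules into a sub-profile) before merging. Also, the new dbus rules hard-code `path=/org/freedesktop/systemd1` whereas child-systemctl in this commit matches `systemd[0-9]`; pick one spelling across the profiles.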
@ -37,7 +52,10 @@ profile systemd-analyze @{exec_path} {
owner /tmp/systemd-temporary-*/ rw,
@{run}/systemd/generator/ r,
@{run}/systemd/private rw,
@{run}/systemd/system/ r,
@{run}/systemd/transient/ r,
@{run}/systemd/userdb/io.systemd.DynamicUser w,
@{run}/udev/data/* r,
@{run}/udev/tags/systemd/ r,
@ -52,13 +70,12 @@ profile systemd-analyze @{exec_path} {
@{sys}/firmware/efi/efivars/LoaderTimeInitUSec-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/comm r,
@{PROC}/swaps r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/comm r,
owner @{PROC}/@{pid}/mountinfo r,
/dev/tty rw,
/dev/pts/1 rw,
include if exists <local/systemd-analyze>
}

View file

@ -17,11 +17,17 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName},
member={RequestName,ReleaseName,GetConnectionUnixUser}
peer=(name=org.freedesktop.DBus),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
member=CheckAuthorization
peer=(name=org.freedesktop.PolicyKit1),
dbus receive bus=system path=/org/freedesktop/hostname[0-9]
interface=org.freedesktop.DBus.Properties
member={Get,GetAll},
member={Get,GetAll,SetHostname},
dbus bind bus=system
name=org.freedesktop.hostname[0-9],
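Review bot: `SetHostname` is placed under `interface=org.freedesktop.DBus.Properties` in the `dbus receive` rule, but the caller in this same commit (systemd-networkd) sends it with `interface=org.freedesktop.hostname1 member=SetHostname`, so the rule will never match that call and the request is still denied. Add a separate receive rule for `interface=org.freedesktop.hostname[0-9] member=SetHostname` and keep the Properties rule at `member={Get,GetAll}`.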

View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-hwdb
profile systemd-hwdb @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,

View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -7,40 +8,68 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-networkd
profile systemd-networkd @{exec_path} flags=(complain) {
profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/systemd-common>
capability net_admin,
capability net_raw,
capability net_bind_service,
network inet dgram,
network inet6 dgram,
network inet raw,
network inet6 raw,
network netlink raw,
network packet dgram,
network packet raw,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=RequestName
peer=(name=org.freedesktop.DBus),
dbus send bus=system path=/org/freedesktop/hostname[0-9]
interface=org.freedesktop.hostname1
member=SetHostname
peer=(name=org.freedesktop.hostname1),
dbus receive bus=system path=/org/freedesktop/network[0-9]
interface=org.freedesktop.DBus.Properties
member=Get,
dbus bind bus=system
name=org.freedesktop.network1,
@{exec_path} mr,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/etc/systemd/networkd.conf r,
/etc/systemd/network/ r,
/etc/systemd/network/[0-9][0-9]-*.{netdev,network,link} r,
/etc/networkd-dispatcher/carrier.d/{,*} r,
@{run}/systemd/network/ r,
@{run}/systemd/network/*.network r,
owner @{run}/systemd/netif/.#state rw,
owner @{run}/systemd/netif/.#state* rw,
owner @{run}/systemd/netif/leases/.#* rw,
owner @{run}/systemd/netif/leases/[0-9]* rw,
owner @{run}/systemd/netif/links/.#* rw,
owner @{run}/systemd/netif/links/[0-9]* rw,
owner @{run}/systemd/netif/leases/[0-9]* rw,
owner @{run}/systemd/netif/leases/.#* rw,
owner @{run}/systemd/netif/.#state* rw,
owner @{run}/systemd/netif/.#state rw,
owner @{run}/systemd/netif/state rw,
# To be able to configure network interfaces
@{PROC}/sys/net/ipv{4,6}/** rw,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
@{sys}/devices/**/net/** r,
@{run}/udev/data/n[0-9]* r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
@{sys}/devices/**/net/** r,
@{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{PROC}/sys/net/ipv{4,6}/** rw,
include if exists <local/systemd-networkd>
}
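Review bot: `/etc/systemd/network/[0-9][0-9]-*.{netdev,network,link} r,` only matches files whose name starts with two digits and a dash, and `@{run}/systemd/network/*.network r,` covers neither `.netdev` nor `.link` in the runtime directory, so any configuration named differently is denied once the profile leaves complain mode. Suggest `/etc/systemd/network/*.{netdev,network,link} r,` and `@{run}/systemd/network/*.{netdev,network,link} r,`. Also `dbus bind bus=system name=org.freedesktop.network1` is spelt literally while the receive rule above it uses `network[0-9]`; align the two.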

View file

@ -11,6 +11,10 @@ profile systemd-networkd-wait-online @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/systemd-common>
capability net_admin,
network netlink raw,
@{exec_path} mr,
@{run}/systemd/netif/links/[0-9]* r,
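Review bot: `capability net_admin,` is added next to `network netlink raw,` without a comment. A wait-online tool only listens for link state changes, and opening a netlink socket to receive them does not by itself require net_admin, so please record the audit line that was denied; if it was the socket creation alone, the capability can be dropped.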

View file

@ -17,9 +17,15 @@ profile apport-gtk @{exec_path} {
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/python>
include <abstractions/ssl_certs>
capability sys_ptrace,
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
@{exec_path} mr,
/{usr/,}{s,}bin/killall5 rix,
@ -50,21 +56,22 @@ profile apport-gtk @{exec_path} {
/usr/share/themes/{,**} r,
/usr/share/X11/xkb/{,**} r,
/etc/apport/blacklist.d/apport r,
/etc/apport/blacklist.d/README.blacklist r,
/etc/apport/crashdb.conf r,
/etc/apport/{,**} r,
/etc/bash_completion.d/apport_completion r,
/etc/cron.daily/apport r,
/etc/default/apport r,
/etc/init.d/apport r,
/etc/logrotate.d/apport r,
/etc/xdg/autostart/*.desktop r,
/etc/gtk-3.0/settings.ini r,
/var/crash/{,*.@{uid}.crash} r,
/var/crash/{,*.@{uid}.crash} rw,
/var/lib/dpkg/info/ r,
/var/lib/dpkg/info/*.list r,
/var/lib/dpkg/info/*.md5sums r,
/var/log/installer/media-info r,
@{run}/snapd.socket rw,
owner @{run}/user/@{uid}/wayland-[0-9] rw,
/tmp/[a-z0-9]* rw,
@ -83,8 +90,9 @@ profile apport-gtk @{exec_path} {
profile gdb {
include <abstractions/base>
include <abstractions/python>
include <abstractions/dconf>
include <abstractions/fonts>
include <abstractions/python>
/{usr/,}bin/gdb mr,
@ -92,6 +100,9 @@ profile apport-gtk @{exec_path} {
/{usr/,}{s,}bin/* r,
/usr/share/gdb/{,**} r,
/usr/share/themes/{,**} r,
/usr/share/gnome-shell/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/gdb/{,**} r,

View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/update-notifier/notify-reboot-required
profile notify-reboot-required @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,

View file

@ -14,7 +14,9 @@ profile software-properties-gtk @{exec_path} {
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
include <abstractions/fonts>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/python>
dbus send bus=system path=/{,com/canonical/UbuntuAdvantage/Manager}
interface=org.freedesktop.DBus.Introspectable
@ -51,10 +53,13 @@ profile software-properties-gtk @{exec_path} {
/usr/share/X11/xkb/{,**} r,
/usr/share/xml/iso-codes/{,**} r,
/etc/apport/blacklist.d/{,*} r,
/etc/default/apport r,
/etc/gtk-3.0/settings.ini r,
/etc/machine-id r,
/etc/update-manager/release-upgrades r,
/var/crash/*software-properties-gtk.@{uid}.crash rw,
/var/lib/snapd/desktop/icons/ r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
@ -67,6 +72,10 @@ profile software-properties-gtk @{exec_path} {
@{sys}/devices/**/modalias r,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/asound/cards r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,

View file

@ -38,6 +38,8 @@ profile update-notifier @{exec_path} {
/usr/share/apport/apport-checkreports rPx,
/usr/share/apport/apport-gtk rPx,
/{usr/,}lib/python3.[0-9]*/dist-packages/{apt,gi}/**/__pycache__/{,**} rw,
/usr/share/applications/{,**} r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
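Review bot: `/{usr/,}lib/python3.[0-9]*/dist-packages/{apt,gi}/**/__pycache__/{,**} rw,` allows writing compiled bytecode into the system-wide `dist-packages` tree that every other Python program on the host imports from, which breaks write-xor-execute for Python code: a compromised update-notifier could plant a `.pyc` that apport-gtk or software-properties-gtk (both touched in this commit) would load. Byte-compiling system packages is the package manager's job; drop the write part of this rule and accept the `.pyc` write denials, leaving reads to `abstractions/python`.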

View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /opt/cni/bin/calico
@{exec_path} = /{usr/,}lib/cni/calico /opt/cni/bin/calico
profile cni-calico @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cni/flannel /opt/cni/bin/flannel
profile cni-flannel @{exec_path} flags=(complain,attach_disconnected){
include <abstractions/base>
@{exec_path} mr,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
include if exists <local/cni-flannel>
}
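Review bot: `flags=(complain,attach_disconnected){` is missing the space before `{`, and the flag order differs from `flags=(attach_disconnected,complain)` used by networkctl and systemd-networkd in this commit; the same two nits apply to the cni-host-local profile added alongside. Prefer `flags=(attach_disconnected,complain) {` in both.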

View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cni/host-local /opt/cni/bin/host-local
profile cni-host-local @{exec_path} flags=(complain,attach_disconnected){
include <abstractions/base>
@{exec_path} mr,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
include if exists <local/cni-host-local>
}

View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/xtables-nft-multi
profile cni-xtables-nft {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability net_admin,
@ -30,6 +31,4 @@ profile cni-xtables-nft {
/etc/nftables.conf rw,
@{PROC}/@{pids}/net/ip_tables_names r,
/dev/pts/[0-9]* rw,
}

View file

@ -20,7 +20,9 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
capability dac_override,
capability fsetid,
capability fowner,
capability mknod,
capability net_admin,
capability setfcap,
capability sys_admin,
network inet dgram,
@ -36,6 +38,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
umount /tmp/ctd-volume[0-9]*/,
umount @{run}/netns/cni-@{uuid},
signal (receive) set=term peer={dockerd,k3s},
@ -84,7 +87,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
owner /var/tmp/** rwkl,
owner /tmp/** rwkl,
/tmp/cri-containerd.apparmor.d[0-9]* rwl,
/tmp/ctd-volume[0-9]*/ rw,
/tmp/ctd-volume[0-9]*/{data,} rw,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@{sys}/kernel/security/apparmor/profiles r,

View file

@ -0,0 +1,100 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dockerd
profile dockerd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability mknod,
capability net_admin,
capability sys_admin,
capability sys_chroot,
capability kill,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
mount options=(rw, bind) -> /run/docker/netns/*,
mount options=(rw, rbind) -> /var/lib/docker/overlay*/**/,
mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder[0-9]*/,
mount options=(rw, rprivate) -> /.pivot_root[0-9]*/,
mount options=(rw, rslave) -> /,
umount /.pivot_root[0-9]*/,
umount /run/docker/netns/*,
umount /var/lib/docker/overlay*/**/,
pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root[0-9]*/ /var/lib/docker/overlay2/**/,
pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root[0-9]*/ /var/lib/docker/tmp/**/,
ptrace (read) peer=unconfined,
signal (send) set=kill peer=docker-*,
signal (send) set=term peer=containerd,
@{exec_path} mrix,
/{usr/,}{s,}bin/apparmor_parser rPx,
/{usr/,}{s,}bin/runc rUx,
/{usr/,}{s,}bin/xtables-nft-multi rix,
/{usr/,}bin/containerd rPx,
/{usr/,}bin/docker-init rix,
/{usr/,}bin/kmod rPx,
/{usr/,}bin/ps rPx,
/{usr/,}bin/unpigz rix,
# Docker needs full access of its containers.
# TODO: should be in a sub profile started with pivot_root, not supported yet.
/{,**} rw,
deny /boot/{,**} rw,
deny /dev/{,**} rw,
deny /media/{,**} rw,
deny /mnt/{,**} rw,
owner /{usr/,}lib/docker/overlay2/*/work/{,**} rw,
owner /var/lib/docker/{,**} rwk,
owner /var/lib/docker/tmp/qemu-check[0-9]*/check rix,
@{sys}/fs/cgroup/cgroup.controllers r,
@{sys}/fs/cgroup/cpuset.cpus.effective r,
@{sys}/fs/cgroup/cpuset.mems.effective r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@{sys}/kernel/security/apparmor/profiles r,
@{sys}/module/apparmor/parameters/enabled r,
@{PROC}/1/cgroup r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/keys/root_maxkeys r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/threads-max r,
@{PROC}/sys/net/bridge/bridge-nf-call-ip*tables r,
@{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} rw,
@{PROC}/sys/net/ipv{4,6}/conf/docker[0-9]*/accept_ra rw,
@{PROC}/sys/net/ipv{4,6}/ip_forward rw,
@{PROC}/sys/net/ipv{4,6}/ip_local_port_range r,
owner @{PROC}/@{pids}/attr/current r,
owner @{PROC}/@{pids}/cgroup r,
owner @{PROC}/@{pids}/fd/ r,
owner @{PROC}/@{pids}/mountinfo r,
owner @{PROC}/@{pids}/net/ip_tables_names r,
owner @{PROC}/@{pids}/uid_map r,
include if exists <local/dockerd>
}
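Review bot: `/{,**} rw,` combined with the exec transitions above it breaks write-xor-execute: the profile may write to `/{usr/,}{s,}bin/runc`, `/{usr/,}bin/docker-init`, `/{usr/,}bin/unpigz` and `/{usr/,}{s,}bin/xtables-nft-multi` and then execute them, inheriting this profile (`rix`) or, for runc, running completely unconfined (`rUx`), so a compromised dockerd escapes confinement by overwriting one of those binaries. The `deny` lines only carve out `/boot`, `/dev`, `/media` and `/mnt`; until the pivot_root sub-profile mentioned in the TODO exists, at least also deny writes under `/{usr/,}{s,}bin/`, `/{usr/,}lib/` and `/etc/`, and narrow the blanket rule as far as the logs allow given that the data rules below all point at `/var/lib/docker`. Two smaller points: `owner /{usr/,}lib/docker/overlay2/*/work/{,**} rw,` looks like a typo for `/var/lib/docker/overlay2/...` (the next line uses `/var/lib/docker/`), and the mount/umount rules use a literal `/run/docker/netns/*` where the rest of the profile uses `@{run}`.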

View file

@ -26,7 +26,7 @@ profile k3s @{exec_path} {
capability sys_resource,
ptrace peer=@{profile_name},
ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,kubernetes-pause,mount,unconfined},
ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,ip,kubernetes-pause,mount,unconfined},
# k3s requires ptrace to all AppArmor profiles loaded in Kubernetes
# For simplification, let's assume for now all AppArmor profiles start with a predefined prefix.
@ -114,11 +114,6 @@ profile k3s @{exec_path} {
@{PROC}/loadavg r,
@{PROC}/modules r,
@{PROC}/sys/fs/pipe-max-size r,
@{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/net/ipv{4,6}/conf/all/* rw,
@{PROC}/sys/net/ipv{4,6}/conf/default/* rw,
@{PROC}/sys/net/bridge/bridge-nf-call-iptables r,
@{PROC}/sys/net/netfilter/* rw,
@{PROC}/sys/kernel/keys/* r,
@{PROC}/sys/kernel/panic rw,
@{PROC}/sys/kernel/panic_on_oom rw,
@ -126,6 +121,11 @@ profile k3s @{exec_path} {
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/threads-max r,
@{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/net/ipv{4,6}/conf/all/* rw,
@{PROC}/sys/net/ipv{4,6}/conf/default/* rw,
@{PROC}/sys/net/bridge/bridge-nf-call-iptables r,
@{PROC}/sys/net/netfilter/* rw,
@{PROC}/sys/vm/overcommit_memory rw,
@{PROC}/sys/vm/panic_on_oom r,
@ -138,14 +138,15 @@ profile k3s @{exec_path} {
@{sys}/devices/system/cpu/cpu[0-9]*/topology/{,**} r,
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
@{sys}/devices/system/cpu/present{,/} r,
@{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r,
@{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/ r,
@{sys}/devices/system/node/node[0-9]*/{cpumap,distance,meminfo} r,
@{sys}/devices/system/node/node[0-9]*/hugepages/{,**} r,
@{sys}/devices/virtual/block/*/** r,
@{sys}/devices/virtual/dmi/id/* r,
@{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r,
@{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r,
@{sys}/fs/cgroup/{,*,*/} r,
@{sys}/fs/cgroup/cgroup.subtree_control rw,

View file

@ -103,7 +103,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
/{usr/,}{s,}bin/dmidecode rPx,
/{usr/,}{s,}bin/dnsmasq rPx,
/{usr/,}{s,}bin/virtiofsd rux, # TODO: WIP
/{usr/,}{s,}bin/virtlogd rPX,
/{usr/,}{s,}bin/virtlogd rPx,
/{usr/,}bin/lvm rUx,
/{usr/,}bin/mdevctl rPx,
/{usr/,}bin/swtpm rPx,
@ -155,6 +155,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+bluetooth:* r,
@{run}/udev/data/+dmi:id r,
@{run}/udev/data/+drm:* r,
@{run}/udev/data/+hid:* r,
@{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
@{run}/udev/data/+leds:* r,
@{run}/udev/data/+pci* r,

View file

@ -13,9 +13,30 @@ profile aa-log @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/journalctl rCx -> journalctl,
/var/log/audit/* r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
profile journalctl {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/journalctl mr,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/{run,var}/log/journal/ r,
/{run,var}/log/journal/[0-9a-f]*/ r,
/{run,var}/log/journal/[0-9a-f]*/user-@{uid}*.journal* r,
/{run,var}/log/journal/[0-9a-f]*/user-@{uid}.journal r,
@{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sys/kernel/cap_last_cap r,
}
include if exists <local/aa-log>
}
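Review bot: the `journalctl` child profile can only open `user-@{uid}*.journal*` files, yet AppArmor denials are kernel audit messages that land in the system journal; compare networkctl in this commit, which lists `/{run,var}/log/journal/[0-9a-f]*/system.journal*` and `system@[0-9a-f]*.journal*`. Without those two patterns aa-log run as root, or by a member of the journal group, gets nothing back from journalctl. Also `/{run,var}/log/journal/[0-9a-f]*/user-@{uid}.journal r,` is already covered by the `user-@{uid}*.journal*` line directly above it.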

View file

@ -18,7 +18,7 @@ profile anyremote @{exec_path} {
network inet stream,
network inet6 stream,
@{exec_path} rm,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,

View file

@ -16,12 +16,32 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
network netlink raw,
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=RequestName,
dbus receive bus=system path=/org/freedesktop/bolt
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus receive bus=system path=/org/freedesktop/bolt
interface=org.freedesktop.bolt1.Manager
member=ListDevices,
dbus bind bus=system
name=org.freedesktop.bolt,
@{exec_path} mr,
/var/lib/boltd/{,**} rw,
owner @{run}/boltd/{,**} rw,
@{run}/systemd/notify rw,
@{run}/systemd/journal/socket w,
@{run}/udev/data/+thunderbolt:* r,
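Review bot: the new `dbus send` rule for `/org/freedesktop/PolicyKit1/Authority` does not pin a peer, so the `GetAll` call can be sent to any bus member rather than only the polkit daemon; consider `peer=(name=org.freedesktop.PolicyKit1)` there, and `peer=(name=org.freedesktop.DBus)` on the `RequestName` rule. The `dbus bind bus=system name=org.freedesktop.bolt` rule and the two `dbus receive` rules on `/org/freedesktop/bolt` are what a service needs and look right; the new `@{run}/systemd/notify rw,` and `@{run}/systemd/journal/socket w,` lines are the usual sd_notify and journal paths.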
@ -37,6 +57,7 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{vendor,device}_name r,
@{sys}/devices/pci[0-9]*/**/domain[0-9]*/iommu_dma_protection r,
@{sys}/devices/platform/**/uevent r,
@{sys}/devices/platform/*/wmi_bus/wmi_bus-*/@{uuid}/force_power rw,
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
include if exists <local/boltd>
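Review bot: `@{sys}/devices/platform/*/wmi_bus/wmi_bus-*/@{uuid}/force_power rw,` writes a firmware-backed sysfs attribute that powers a controller on or off, which is a hardware-state change rather than a plain read like the surrounding `uevent r` and `iommu_dma_protection r` rules; add a comment stating what boltd uses it for, as other profiles on this page do for non-obvious rules (for example the `# for mouse, keyboard, touchpad` note in the libvirtd hunk), so the write is not removed as over-broad later.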

View file

@ -1,6 +1,7 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -11,6 +12,7 @@ include <tunables/global>
profile dkms @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
capability dac_read_search,
@ -37,7 +39,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/rmdir rix,
/{usr/,}bin/find rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{,g,m}awk rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/date rix,
/{usr/,}bin/ln rix,
@ -62,6 +64,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
/{usr/,}lib/linux-kbuild-*/tools/objtool/objtool rix,
/{usr/,}lib/modules/*/build/tools/objtool/objtool rix,
/var/lib/dkms/**/dkms.postbuild rix,
/ r,
/{usr/,}lib/modules/*/updates/ rw,
/{usr/,}lib/modules/*/updates/dkms/{,*,*/,**.ko.xz,**.ko.zst} rw,
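Review bot: `/ r,` is added here without a comment, whereas the `dkms-autoinstaller` hunk further down on this page labels the same rule `# For shell pwd`; add the same comment so a later cleanup does not drop it. `/{usr/,}lib/modules/*/updates/ rw,` presumably lets dkms create the directory before the existing `updates/dkms/...` rule applies, which looks correct.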
@ -103,6 +107,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
profile kmod {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/openssl>
/{usr/,}bin/kmod mr,

View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -13,15 +14,13 @@ profile dkms-autoinstaller @{exec_path} {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/tput rix,
/{usr/,}{s,}bin/dkms rPx,
/{usr/,}bin/echo rix,
/{usr/,}{s,}bin/dkms rPx,
/{usr/,}bin/plymouth rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/run-parts rCx -> run-parts,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/tput rix,
# For shell pwd
/ r,

View file

@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/findmnt
profile findmnt @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/etc/fstab r,
/etc/mtab r,
@{PROC}/@{pids}/mountinfo r,
include if exists <local/findmnt>
}
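Review bot: `/etc/mtab r,` will not do what it looks like on systems where `/etc/mtab` is a symlink to `/proc/self/mounts`: AppArmor mediates the resolved target, so the access shows up as `@{PROC}/@{pids}/mounts`, which this profile does not grant. Add `@{PROC}/@{pids}/mounts r,` next to the existing `@{PROC}/@{pids}/mountinfo r,` (keeping the `/etc/mtab` rule for hosts with a real file). Starting the new profile with `flags=(complain)` is appropriate until the denial log has been checked.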

View file

@ -16,6 +16,8 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/openssl>
include <abstractions/ssl_certs>
capability sys_nice,
signal (send),
network inet stream,
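Review bot: `signal (send),` is unconstrained, with neither `set=` nor `peer=`, so fwupdmgr may deliver any signal to any process its DAC rights allow. If the only target is the `dbus-launch` child spawned with `rCx -> dbus` (visible in the next hunk), scope it, for example `signal (send) set=(term) peer=fwupdmgr//dbus,`. `capability sys_nice` is a smaller grant but also deserves a one-line comment on what triggers it.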
@ -24,6 +26,26 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
network inet6 dgram,
network netlink raw,
dbus send bus=system path=/
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/
interface=org.freedesktop.fwupd
member={GetDevices,GetPlugins,GetRemotes,SetFeatureFlags,SetHints,UpdateMetadata},
dbus send bus=system path=/org/freedesktop/systemd[0-9]
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/systemd[0-9]
interface=org.freedesktop.systemd[0-9].Manager
member={GetDefaultTarget,GetUnit},
dbus receive bus=system path=/
interface=org.freedesktop.fwupd
member=Changed,
@{exec_path} mr,
/{usr/,}bin/dbus-launch rCx -> dbus,
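Review bot: `path=/org/freedesktop/systemd[0-9]` and `interface=org.freedesktop.systemd[0-9].Manager` use a character class where the real object path and interface are `systemd1`; the glob matches nothing extra today but obscures intent, so prefer the literal `systemd1`. None of the new `dbus send` rules carries a `peer=(name=...)` constraint (`org.freedesktop.fwupd` for the `path=/` rules, `org.freedesktop.systemd1` for the manager calls), so the calls may go to any bus member; the `member={GetDevices,GetPlugins,GetRemotes,SetFeatureFlags,SetHints,UpdateMetadata}` list is otherwise nicely scoped, and the `dbus receive ... member=Changed` rule is already narrow.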
@ -37,6 +59,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw,
owner @{user_cache_dirs}/ rw,
@{user_cache_dirs}/dconf/user rw,
owner @{user_cache_dirs}/fwupd/ rw,
owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw,
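Review bot: `owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw,` is broader than the `{,.asc}` used for `/var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}` two lines above; if the user-cache copy only ever carries the same signature suffix, align the two, otherwise add a comment naming the extra suffixes that are expected. The `owner` qualifier on both new rules is the right call.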

View file

@ -19,5 +19,7 @@ profile glib-compile-schemas @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled.[A-Z0-9]* rw,
/usr/share/glib-2.0/schemas/gschemas.compiled rw,
/usr/share/gnome-shell/extensions/*/schemas/org.gnome.shell.extensions.*.gschema.xml r,
include if exists <local/glib-compile-schemas>
}

View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/install-info
profile install-info @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search,

View file

@ -6,18 +6,17 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/share/language-tools/language-validate
@{exec_path} = /usr/share/language-tools/language-{options,validate}
profile language-validate @{exec_path} {
include <abstractions/base>
capability setgid,
@{exec_path} mr,
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/locale rix,
/usr/share/language-tools/language-options rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/locale rix,
/usr/share/locale-langpack/{,*} r,
/usr/share/language-tools/{,*} r,
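Review bot: folding `language-options` into `@{exec_path}` and switching to `@{exec_path} mrix,` means both scripts now run under the one `language-validate` profile, so the separate `/usr/share/language-tools/language-options rix,` line is indeed redundant and its removal is correct. The behaviour change to confirm is that `capability setgid` (visible in context) now applies to `language-options` as well; if only `language-validate` needs it, keep the two apart or note why the shared grant is acceptable.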

View file

@ -58,14 +58,14 @@ profile man_groff {
signal peer=man,
/{usr/,}bin/eqn rm,
/{usr/,}bin/grap rm,
/{usr/,}bin/pic rm,
/{usr/,}bin/preconv rm,
/{usr/,}bin/refer rm,
/{usr/,}bin/tbl rm,
/{usr/,}bin/troff rm,
/{usr/,}bin/vgrind rm,
/{usr/,}bin/eqn mr,
/{usr/,}bin/grap mr,
/{usr/,}bin/pic mr,
/{usr/,}bin/preconv mr,
/{usr/,}bin/refer mr,
/{usr/,}bin/tbl mr,
/{usr/,}bin/troff mr,
/{usr/,}bin/vgrind mr,
/{usr/,}lib/groff/site-tmac/** r,
/usr/share/groff/** r,
@ -83,14 +83,14 @@ profile man_filter {
signal peer=man,
/{usr/,}bin/bzip2 rm,
/{usr/,}bin/gzip rm,
/{usr/,}bin/col rm,
/{usr/,}bin/compress rm,
/{usr/,}bin/iconv rm,
/{usr/,}bin/lzip.lzip rm,
/{usr/,}bin/tr rm,
/{usr/,}bin/xz rm,
/{usr/,}bin/bzip2 mr,
/{usr/,}bin/gzip mr,
/{usr/,}bin/col mr,
/{usr/,}bin/compress mr,
/{usr/,}bin/iconv mr,
/{usr/,}bin/lzip.lzip mr,
/{usr/,}bin/tr mr,
/{usr/,}bin/xz mr,
# Manual pages can be more or less anywhere, especially with "man -l", and
# there's no harm in allowing wide read access here since the worst it can

Some files were not shown because too many files have changed in this diff