feat(fsp): sd/sdu: improve integration with stacked profiles.

Alexandre Pujol 2025-06-17 00:19:43 +02:00
parent fc45e5ee66
commit 0478e62f56
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
2 changed files with 17 additions and 4 deletions


@ -165,6 +165,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) {
@{lib}/{,**} r, @{lib}/{,**} r,
@{sbin}/{,*} r, @{sbin}/{,*} r,
/usr/share/** r, /usr/share/** r,
/etc/*/ w,
/etc/** rk, /etc/** rk,
/home/ r, /home/ r,
@ -181,8 +182,8 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) {
/var/log/** rw, /var/log/** rw,
/var/log/journal/** rwl -> /var/log/journal/**, /var/log/journal/** rwl -> /var/log/journal/**,
@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r,
@{user_share_dirs}/icc/edid-@{hex32}.icc r, @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r,
@{att}/@{run}/systemd/io.systemd.ManagedOOM rw, @{att}/@{run}/systemd/io.systemd.ManagedOOM rw,
@{att}/@{run}/systemd/notify rw, @{att}/@{run}/systemd/notify rw,
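Review bot: The added `/etc/*/ w,` in the first hunk grants `sd` write access to every first-level directory under /etc (the trailing slash limits it to the directories themselves, so creating or removing them), and nothing on the rule says which stacked profile needs that. Because the profile header carries `complain`, an over-broad rule here never surfaces as a denial, so it is worth narrowing before that flag is dropped. If only a few directories are involved, an alternation such as `/etc/{<dir-a>,<dir-b>}/ w,` (placeholders; the page does not name them) keeps the grant tied to its consumer; otherwise a trailing comment naming the consumer would do. The profile body starts and ends outside both hunks.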


@ -24,6 +24,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) {
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/xdg-desktop>
network netlink raw, network netlink raw,
@ -71,16 +72,27 @@ profile sdu flags=(attach_disconnected,mediate_deleted) {
owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk,
owner @{run}/user/@{uid}/pulse/pid rw, owner @{run}/user/@{uid}/pulse/pid rw,
owner @{user_state_dirs}/wireplumber/ r, owner @{user_state_dirs}/wireplumber/ rw,
owner @{user_state_dirs}/wireplumber/stream-properties rw, owner @{user_state_dirs}/wireplumber/stream-properties rw,
owner @{user_state_dirs}/wireplumber/stream-properties.@{rand6} rw, owner @{user_state_dirs}/wireplumber/stream-properties.@{rand6} rw,
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,
@{run}/systemd/users/@{int} r, @{run}/systemd/users/@{int} r,
@{run}/udev/data/c116:@{int} r, # for ALSA @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS)
@{run}/udev/data/c81:@{int} r, # For video4linux
@{run}/udev/data/c116:@{int} r, # For ALSA
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{sys}/bus/ r, @{sys}/bus/ r,
@{sys}/bus/media/devices/ r,
@{sys}/devices/@{pci}/video4linux/video@{int}/uevent r,
@{sys}/devices/**/device:*/{,**/}path r,
@{sys}/devices/**/sound/**/pcm_class r,
@{sys}/devices/**/sound/**/uevent r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/meminfo r,
@{sys}/devices/virtual/dmi/id/bios_vendor r,
@{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/sound/seq/uevent r, @{sys}/devices/virtual/sound/seq/uevent r,
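Review bot: The eight sysfs rules added after `@{sys}/bus/ r,` carry no comments, while the udev rules just above each name their device class; `@{sys}/devices/**/device:*/{,**/}path r,` in particular uses two recursive globs and it is not evident from the file which stacked profile reads it. `sdu` has no `complain` flag, so these are enforced grants and their intent should be recoverable without the commit history. I would add a short trailing comment per group, for example `# For video4linux` on the `media` and `video4linux` lines, and one naming the consumer of the `device:*` and `node@{int}/meminfo` reads. The `c@{dynamic}` udev rule also covers every dynamically numbered character device rather than only audio or video, which its comment could state. The profile body starts and ends outside the hunks.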