feat(tunanle): add the sqlhex variable.

Alexandre Pujol 2025-05-18 13:09:06 +02:00
parent 3b1fe1f931
commit 053ce04c8e
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
17 changed files with 30 additions and 27 deletions


@ -59,9 +59,10 @@
owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**,
owner @{user_games_dirs}/** rmix, owner @{user_games_dirs}/** rmix,
owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**,
owner @{tmp}/** rmwk, owner @{tmp}/** rmwk,
owner /dev/shm/** rwlk -> /dev/shm/**, owner /dev/shm/** rwlk -> /dev/shm/**,
owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**,
owner /var/tmp/etilqs_@{sqlhex} rw,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw,


@ -82,7 +82,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
/var/lib/flatpak/app/{,**} r, /var/lib/flatpak/app/{,**} r,
/var/lib/flatpak/exports/** rw, /var/lib/flatpak/exports/** rw,
/var/tmp/etilqs_@{hex16} rw,
@{run}/.userns r, @{run}/.userns r,
@{run}/parent/** r, @{run}/parent/** r,


@ -51,8 +51,8 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
@{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw,
owner /var/tmp/etilqs_@{hex15} rw, owner @{tmp}/etilqs_@{sqlhex} rw,
owner /var/tmp/etilqs_@{hex16} rw, owner /var/tmp/etilqs_@{sqlhex} rw,
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
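Review bot: The new `owner @{tmp}/etilqs_@{sqlhex} rw,` grants a directory this profile did not allow before, because both old rules were under /var/tmp only. The dropbox, gpo, gpodder, quiterss and wechat-appimage sections gain the same @{tmp} rule, while the commit title mentions only the new variable. Since this widens policy rather than just renaming a pattern, the commit message should say so, and a short comment such as `# SQLite temporary files, created in /tmp or /var/tmp` above each pair would keep the intent visible when the profiles are audited later.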


@ -47,12 +47,8 @@ profile localsearch @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/tracker3/files/ rw, owner @{user_cache_dirs}/tracker3/files/ rw,
owner @{user_cache_dirs}/tracker3/files/** rwk, owner @{user_cache_dirs}/tracker3/files/** rwk,
owner /var/tmp/etilqs_@{hex15} rw, owner @{tmp}/etilqs_@{sqlhex} rw,
owner /var/tmp/etilqs_@{hex16} rw, owner /var/tmp/etilqs_@{sqlhex} rw,
owner @{tmp}/etilqs_@{hex12}@{h} rw,
owner @{tmp}/etilqs_@{hex12}@{hex2} rw,
owner @{tmp}/etilqs_@{hex15} rw,
owner @{tmp}/etilqs_@{hex16} rw,
@{run}/mount/utab r, @{run}/mount/utab r,


@ -63,10 +63,8 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/dconf/user r,
owner @{gdm_share_dirs}/applications/ r, owner @{gdm_share_dirs}/applications/ r,
owner /var/tmp/etilqs_@{hex15} rw, owner @{tmp}/etilqs_@{sqlhex} rw,
owner /var/tmp/etilqs_@{hex16} rw, owner /var/tmp/etilqs_@{sqlhex} rw,
owner @{tmp}/etilqs_@{hex15} rw,
owner @{tmp}/etilqs_@{hex16} rw,
# Allow to search user files # Allow to search user files
owner @{HOME}/{,**} r, owner @{HOME}/{,**} r,


@ -61,7 +61,8 @@ profile dropbox @{exec_path} {
# Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead
owner @{tmp}/dropbox-antifreeze-* rw, owner @{tmp}/dropbox-antifreeze-* rw,
owner @{tmp}/#@{int} rw, owner @{tmp}/#@{int} rw,
owner /var/tmp/etilqs_@{hex16} rw, owner @{tmp}/etilqs_@{sqlhex} rw,
owner /var/tmp/etilqs_@{sqlhex} rw,
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,


@ -34,7 +34,7 @@ profile fractal @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/.@{rand6} rw, owner @{tmp}/.@{rand6} rw,
owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw,
owner @{tmp}/@{rand6} rw, owner @{tmp}/@{rand6} rw,
owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/etilqs_@{sqlhex} rw,
owner @{run}/user/@{uid}/fractal/{,**} rw, owner @{run}/user/@{uid}/fractal/{,**} rw,


@ -67,7 +67,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
@{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r,
/var/lib/flatpak/exports/share/mime/mime.cache r, /var/lib/flatpak/exports/share/mime/mime.cache r,
/var/tmp/etilqs_@{hex16} rw, /var/tmp/etilqs_@{sqlhex} rw,
owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/ rw,
owner /var/cache/fwupd/** rwk, owner /var/cache/fwupd/** rwk,
owner /var/lib/fwupd/ rw, owner /var/lib/fwupd/ rw,
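Review bot: The rewritten rule `/var/tmp/etilqs_@{sqlhex} rw,` still has no `owner` qualifier, unlike the etilqs rules added to the other profiles in this commit, and it now matches five name lengths instead of one. /var/tmp is world-writable, so without `owner` the policy puts no limit on whose matching file fwupd may open, and only DAC remains as a check. If fwupd creates these SQLite temporary files itself, `owner /var/tmp/etilqs_@{sqlhex} rw,` would be the narrower grant. The profile carries the `complain` flag in the hunk header, so a wrong guess would be logged rather than enforced.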


@ -36,7 +36,8 @@ profile gpo @{exec_path} {
owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/ rw,
owner @{HOME}/gPodder/** rwk, owner @{HOME}/gPodder/** rwk,
owner /var/tmp/etilqs_@{hex16} rw, owner @{tmp}/etilqs_@{sqlhex} rw,
owner /var/tmp/etilqs_@{sqlhex} rw,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,


@ -47,7 +47,8 @@ profile gpodder @{exec_path} {
owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/ rw,
owner @{HOME}/gPodder/** rwk, owner @{HOME}/gPodder/** rwk,
owner /var/tmp/etilqs_@{hex16} rw, owner @{tmp}/etilqs_@{sqlhex} rw,
owner /var/tmp/etilqs_@{sqlhex} rw,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,


@ -43,8 +43,8 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) {
owner "@{user_config_dirs}/autostart/Proton Mail Bridge.desktop" rw, owner "@{user_config_dirs}/autostart/Proton Mail Bridge.desktop" rw,
owner @{tmp}/bridge@{int} rw, owner @{tmp}/bridge@{int} rw,
owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/etilqs_@{sqlhex} rw,
owner /var/tmp/etilqs_@{hex16} rw, owner /var/tmp/etilqs_@{sqlhex} rw,
@{PROC}/ r, @{PROC}/ r,
@{PROC}/1/cgroup r, @{PROC}/1/cgroup r,


@ -54,7 +54,7 @@ profile psi @{exec_path} {
owner @{user_share_dirs}/psi/** rwk, owner @{user_share_dirs}/psi/** rwk,
owner @{tmp}/#@{int} rw, owner @{tmp}/#@{int} rw,
owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/etilqs_@{sqlhex} rw,
owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, owner @{tmp}/Psi.* rwl -> /tmp/#@{int},
@{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw,


@ -54,7 +54,7 @@ profile psi-plus @{exec_path} {
owner @{user_share_dirs}/psi+/** rwk, owner @{user_share_dirs}/psi+/** rwk,
owner @{tmp}/#@{int} rw, owner @{tmp}/#@{int} rw,
owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/etilqs_@{sqlhex} rw,
owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int},
@{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw,


@ -47,7 +47,8 @@ profile quiterss @{exec_path} {
owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw, owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw,
owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk,
owner /var/tmp/etilqs_@{hex16} rw, owner @{tmp}/etilqs_@{sqlhex} rw,
owner /var/tmp/etilqs_@{sqlhex} rw,
@{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,


@ -68,7 +68,7 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{tmp}/.*/s rw, owner @{tmp}/.*/s rw,
owner @{tmp}/*= w, owner @{tmp}/*= w,
owner @{tmp}/#@{int} rw, owner @{tmp}/#@{int} rw,
owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/etilqs_@{sqlhex} rw,
owner @{tmp}/kdsingleapp-daemonspudguy-strawberry w, owner @{tmp}/kdsingleapp-daemonspudguy-strawberry w,
owner @{tmp}/kdsingleapp-daemonspudguy-strawberry.lock rwk, owner @{tmp}/kdsingleapp-daemonspudguy-strawberry.lock rwk,
owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw,


@ -59,11 +59,13 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) {
@{tmp}/.mount_wechat@{word6}/ rw, @{tmp}/.mount_wechat@{word6}/ rw,
@{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} mr, @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} mr,
owner /var/tmp/etilqs_* rw,
@{HOME}/.xwechat/{,**} rwk, @{HOME}/.xwechat/{,**} rwk,
owner @{user_documents_dirs}/xwechat_files/{,**} rwk, owner @{user_documents_dirs}/xwechat_files/{,**} rwk,
owner @{tmp}/etilqs_@{sqlhex} rw,
owner /var/tmp/etilqs_@{sqlhex} rw,
/dev/fuse rw, /dev/fuse rw,
/dev/tty rw, /dev/tty rw,


@ -54,6 +54,9 @@
# System Internal # System Internal
# --------------- # ---------------
# SQlite temporary files (hexadecimal from 12 to 16 characters)
@{sqlhex}=@{hex12} @{hex12}@{h} @{hex12}@{hex2} @{hex15} @{hex16}
# Shortcut for PCI device # Shortcut for PCI device
@{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h} @{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h}
@{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h} @{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h}
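Review bot: The comment above `@{sqlhex}` misspells SQLite as "SQlite" and does not say that the variable is only the random suffix that follows `etilqs_`, nor why its length varies. I would write `# SQLite temporary file suffix, used as etilqs_@{sqlhex} (12 to 16 hexadecimal characters)`. If the length varies because the suffix is printed without zero padding (an assumption to confirm), one more line saying so would stop a later cleanup from narrowing it back to `@{hex16}`. It may also help readers to note that each rule using the variable expands to five alternatives, since it has five values.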