Reorganise the directories.

Alexandre Pujol 2021-04-01 17:02:49 +01:00
parent 91b15fcc73
commit 091d20d086
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
715 changed files with 0 additions and 0 deletions


@ -0,0 +1,300 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{AS_LIBDIR} = /media/*/android-studio
@{AS_SDKDIR} = /media/*/SDK
@{AS_HOMEDIR} = @{HOME}/.AndroidStudio*
@{AS_PROJECTDIR} = @{HOME}/AndroidStudioProjects
@{exec_path} = @{AS_LIBDIR}/bin/studio.sh
profile android-studio @{exec_path} {
include <abstractions/base>
#icnlude <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/ssl_certs>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/audio>
include <abstractions/python>
include <abstractions/devices-usb>
include <abstractions/deny-root-dir-access>
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
# to "1".
capability sys_admin,
capability sys_chroot,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w,
capability sys_ptrace,
signal (send) set=(term, kill) peer=android-studio//lsb-release,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}bin/which rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/sed rix,
/{usr/,}sbin/ldconfig rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/chattr rix,
/{usr/,}bin/setsid rix,
/{usr/,}bin/nice rix,
/{usr/,}bin/kill rix,
/{usr/,}bin/lsusb rPx,
/{usr/,}bin/xprop rPx,
/{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/ps rPx,
/{usr/,}bin/git rPx,
/{usr/,}bin/lsb_release rCx -> lsb-release,
/{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/jre/bin/* rix,
/etc/java-[0-9]*-openjdk/** r,
/usr/share/java/java-atk-wrapper.jar r,
/etc/ssl/certs/java/cacerts r,
/ r,
/home/ r,
/media/ r,
/media/*/ r,
/usr/ r,
/{usr/,}lib/ r,
/{usr/,}lib{x32,32,64}/ r,
@{AS_LIBDIR}/ rw,
@{AS_LIBDIR}/** mrwkix,
# A standard system android SDK location.
# Currently there is only the target platform of API Level 23 packaged, so only apps targeted at
# android-23 can be built with only Debian packages. Only Build-Tools 24.0.0 is available, so in
# order to use the SDK, build scripts need to be modified.
/{usr/,}lib/android-sdk/ r,
/{usr/,}lib/android-sdk/** mrkix,
/usr/share/android-sdk-platform-*/{,**} r,
deny /{usr/,}lib/android-sdk/build-tools/*/package.xml w,
deny /{usr/,}lib/android-sdk/platforms/android-*/package.xml w,
deny /{usr/,}lib/android-sdk/.knownPackages w,
# This one is used if the standard android SDK location is missing
@{AS_SDKDIR}/ rw,
@{AS_SDKDIR}/** mrwkix,
owner @{AS_HOMEDIR}/ rw,
owner @{AS_HOMEDIR}/** mrwkix,
owner @{AS_PROJECTDIR}/ rw,
owner @{AS_PROJECTDIR}/** rwk,
owner @{HOME}/AndroidStudio/ rw,
owner @{HOME}/AndroidStudio/DeviceExplorer/ rw,
owner @{HOME}/AndroidStudio/DeviceExplorer/** rw,
owner @{HOME}/Android/ rw,
owner @{HOME}/Android/** mrwkix,
owner "@{HOME}/.config/Android Open Source Project/" rw,
owner "@{HOME}/.config/Android Open Source Project/**" rwk,
owner @{HOME}/.config/Google/ rw,
owner @{HOME}/.config/Google/** rwk,
owner @{HOME}/.cache/ rw,
owner "@{HOME}/.cache/Android Open Source Project/" rw,
owner "@{HOME}/.cache/Android Open Source Project/**" rw,
owner @{HOME}/.cache/Google/ rw,
owner @{HOME}/.cache/Google/** rwk,
# To remove the following error:
# Location: /home/morfik/.cache/Google/AndroidStudio4.1/tmp
# java.io.IOException: Cannot run program
# "/home/morfik/.cache/Google/AndroidStudio4.1/tmp/ij659840309.tmp": error=13, Permission denied
owner @{HOME}/.cache/Google/AndroidStudio*/tmp/ij[0-9]*.tmp rwkix,
#
owner @{HOME}/.cache/Google/AndroidStudio*/tmp/jna[0-9]*.tmp mrwk,
owner @{HOME}/.cache/JNA/ rw,
owner @{HOME}/.cache/JNA/** rw,
owner @{HOME}/.gradle/ rw,
owner @{HOME}/.gradle/** mrwkix,
owner @{HOME}/ r,
owner @{HOME}/.android/ rw,
owner @{HOME}/.android/** rwkl -> @{HOME}/.android/**,
owner @{HOME}/.local/share/Google/ rw,
owner @{HOME}/.local/share/Google/** rw,
owner @{HOME}/.local/share/kotlin/ rw,
owner @{HOME}/.local/share/kotlin/** rw,
owner "@{HOME}/.local/share/Android Open Source Project/" rw,
owner "@{HOME}/.local/share/Android Open Source Project/**" rwk,
owner @{HOME}/.java/ rw,
owner @{HOME}/.java/fonts/ rw,
owner @{HOME}/.java/fonts/*/ rw,
owner @{HOME}/.java/fonts/*/fcinfo*.tmp rw,
owner @{HOME}/.java/fonts/*/fcinfo*.properties rw,
owner @{HOME}/.java/.userPrefs/ rw,
owner @{HOME}/.java/.userPrefs/** rwk,
owner @{HOME}/.pki/ rw,
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
owner @{HOME}/.emulator_console_auth_token rw,
deny owner @{HOME}/Desktop/* rw,
@{PROC}/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/net/if_inet6 r,
@{PROC}/@{pid}/net/ipv6_route r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mem r,
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pids}/stat r,
@{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/partitions r,
@{PROC}/vmstat r,
@{PROC}/loadavg r,
@{sys}/fs/cgroup/{,**} r,
/var/tmp/ r,
/tmp/ r,
owner /tmp/** rwk,
owner /tmp/native-platform[0-9]*dir/*.so rwm,
owner /{var,}run/user/[0-9]*/avd/ rw,
owner /{var,}run/user/[0-9]*/avd/running/ rw,
owner /{var,}run/user/[0-9]*/avd/running/pid_@{pid}.ini rw,
/usr/share/hwdata/pnp.ids r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner /dev/shm/.org.chromium.Chromium.* rw,
/dev/kvm rw,
@{sys}/devices/virtual/block/**/rotational r,
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpg mr,
owner @{HOME}/.gnupg/ rw,
owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
}
profile lsb-release {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/python>
signal (receive) set=(term, kill) peer=android-studio,
/{usr/,}bin/lsb_release r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/apt-cache rPx,
owner @{PROC}/@{pid}/fd/ r,
/etc/dpkg/origins/** r,
/etc/debian_version r,
/usr/share/distro-info/*.csv r,
owner /tmp/android-*/emulator-* w,
owner /tmp/android-*/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*/opengl_* w,
# file_inherit
owner @{HOME}/.android/avd/** r,
/dev/dri/card[0-9]* rw,
}
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}bin/spacefm rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/vlc rPx,
/{usr/,}bin/mpv rPx,
/{usr/,}bin/geany rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/ebook-viewer rPx,
/{usr/,}lib/firefox/firefox rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/android-studio>
}
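Review bot: The `mrwkix` rules for `@{AS_LIBDIR}/**`, `@{AS_SDKDIR}/**`, `owner @{HOME}/Android/**` and `owner @{HOME}/.gradle/**` combine write with execute-inherit on directories that are populated by downloaded SDK packages and Gradle dependencies, so any artifact fetched over the network runs with this profile's full rights, including `capability sys_admin`, `capability sys_ptrace`, `/dev/kvm rw` and unrestricted inet/inet6 access. That is probably unavoidable for an IDE that drives build tooling, but it deserves a comment at the `.gradle` rule, e.g. `# w+ix: Gradle caches and wrapper distributions are network-fetched and execute under this profile`, and `ix` could be narrowed to the specific binaries the audit log shows being exec'd rather than `**` — I cannot tell the exact set from here. Separately, `#icnlude <abstractions/consoles>` is misspelled; it is harmless while commented out, but it will fail to parse the day someone uncomments it.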

apparmor.d/groups/apps/atom Normal file

@ -0,0 +1,205 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom /{usr/,}bin/atom
profile atom @{exec_path} {
include <abstractions/base>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/nameservice-strict>
include <abstractions/enchant>
# The following doesn't seem to be needed
##include <abstractions/mesa>
##include <abstractions/consoles>
##include <abstractions/audio>
##include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read>
##include <abstractions/zsh>
##include <abstractions/fzf>
include <abstractions/deny-dconf>
include <abstractions/deny-root-dir-access>
ptrace (read) peer=child-lsb_release,
ptrace (read) peer=xdg-settings,
@{exec_path} mrix,
/usr/share/atom/** r,
/usr/share/atom/libffmpeg.so mr,
/usr/share/atom/libnode.so mr,
/usr/share/atom/resources/**/bin/* rix,
/usr/share/atom/resources/**.node mr,
/usr/share/atom/resources/**/libexec/** rix,
deny /{usr/,}local/bin/ r,
deny /{usr/,}bin/ r,
#/{usr/,}bin/{,ba,da}sh rix,
#/{usr/,}bin/zsh rix,
#/{usr/,}bin/env rix,
#/{usr/,}bin/rmdir rix,
#/{usr/,}bin/{,e}grep rix,
#/{usr/,}bin/ls rix,
#/{usr/,}bin/gawk rix,
#/{usr/,}bin/tty rix,
#/{usr/,}bin/dircolors rix,
#/{usr/,}bin/cut rix,
#/{usr/,}bin/xwininfo rix,
#/{usr/,}bin/date rix,
# The expr and uname tools are needed or Atom won't start with the following error:
# Your platform () is not supported.
/{usr/,}bin/expr rix,
/{usr/,}bin/uname rix,
# The following also are needed to start Atom
/{usr/,}bin/basename rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/nohup rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/xdg-settings rPUx,
/{usr/,}bin/git rPUx,
# Needed to sign commits
/{usr/,}bin/gpg rCx -> gpg,
# /home/ r,
# Reading of the user home dir is required or the following error will be printed:
# Unexpected end of JSON input:
#owner @{HOME}/ r,
owner @{HOME}/.atom/ rw,
owner @{HOME}/.atom/** rwkl -> @{HOME}/.atom/**,
owner @{HOME}/.config/Atom/ rw,
owner @{HOME}/.config/Atom/** rwkl -> @{HOME}/.config/Atom/**,
# Git dirs
/ r,
/media/ r,
owner /media/*/ r,
owner /media/*/atom/ r,
owner /media/*/atom/** rwkl -> /media/*/atom/**,
owner @{HOME}/.config/git/config r,
# To remove the following error:
# Error initializing NSS with a persistent database
deny owner @{HOME}/.pki/ rw,
deny owner @{HOME}/.pki/nssdb/ rw,
deny owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
/etc/fstab r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# Needed or atom gets crash with the following error:
# FATAL:proc_util.cc(36)] : Permission denied (13)
@{PROC}/ r,
#
deny @{PROC}/vmstat r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/@{pid}/fd/ r,
# Needed to remove the following error:
# Failed to activate the metrics package
# EACCES: permission denied, uv_resident_set_memory
@{PROC}/@{pids}/stat r,
# To remove the following error:
# Failed to adjust OOM score of renderer with pid : Permission denied
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pids}/task/ r,
deny owner @{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny owner @{PROC}/@{pid}/loginuid r,
deny /dev/shm/ r,
owner /dev/shm/.org.chromium.Chromium.* rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
@{sys}/kernel/mm/transparent_hugepage/enabled r,
# To remove the following error:
# pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
# The irq file is needed to render pages.
deny @{sys}/devices/pci[0-9]*/**/irq r,
/var/tmp/ r,
/tmp/ r,
owner /tmp/.org.chromium.Chromium.* rw,
owner /tmp/atom-[0-9a-f]*.sock rw,
owner "/tmp/Atom Crashes/" rw,
owner /tmp/github-[0-9]*-[0-9]*-*.*/ rw,
owner /tmp/github-[0-9]*-[0-9]*-*.*/** rw,
owner /tmp/github-[0-9]*-[0-9]*-*.*/git-{credential,askpass}-atom.{js,sh} rwix,
owner /tmp/github-[0-9]*-[0-9]*-*.*/linux-ssh-wrapper.sh rwix,
owner /tmp/github-[0-9]*-[0-9]*-*.*/gpg-wrapper.sh rwix,
owner /tmp/apm-install-dir-[0-9]*-[0-9]*-*.*/ rw,
owner /tmp/apm-install-dir-[0-9]*-[0-9]*-*.*/** rw,
owner /tmp/net-export/ rw,
# file_inherit
owner @{HOME}/.xsession-errors w,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile gpg {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
/{usr/,}bin/gpg mr,
owner @{HOME}/.gnupg/ rw,
owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
# file_inherit
owner @{HOME}/.xsession-errors w,
/usr/share/atom/** r,
}
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/atom>
}
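Review bot: `/{usr/,}bin/git rPUx` lets git fall back to running unconfined whenever no `git` profile is loaded, and git executes repository-controlled code (hooks and `core.*` command settings in a repository's `.git/config`), so an untrusted repository opened in Atom would escape confinement entirely; the android-studio profile in this same commit uses `rPx` for git, which fails closed instead. I would change the line to `/{usr/,}bin/git rPx,` and reconsider `/{usr/,}bin/xdg-settings rPUx` in the same way, since `ptrace (read) peer=xdg-settings` only ever matches if a profile of that name is actually loaded. The `/tmp/github-*/` wrapper scripts (`git-{credential,askpass}-atom.{js,sh}`, `linux-ssh-wrapper.sh`, `gpg-wrapper.sh`) get `rwix`, meaning files the process writes to /tmp are immediately executable under the profile; `owner` and the name patterns bound this, but a comment such as `# Atom writes these wrapper scripts itself and execs them for git/ssh/gpg integration` would make the intent clear.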


@ -0,0 +1,191 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
# PDF extensions
# pdf, epub, txt, html, mhtml, ps, mobi, djvu
@{calibre_ext} = [pP][dF][fF]
@{calibre_ext} += [eE][pP][uU][bB]
@{calibre_ext} += [tT][xX][tT]
@{calibre_ext} += {[mM],}[hH][tT][mM][lL]
@{calibre_ext} += [pP][sS]
@{calibre_ext} += [mM][oO][bB][iI]
@{calibre_ext} += [dD][jJ][vV][uU]
@{exec_path} = /{usr/,}bin/calibre{,-parallel,-debug,-server,-smtp,-complete,-customize}
@{exec_path} += /{usr/,}bin/calibredb
@{exec_path} += /{usr/,}bin/ebook{-viewer,-edit,-device,-meta,-polish,-convert}
@{exec_path} += /{usr/,}bin/fetch-ebook-metadata
@{exec_path} += /{usr/,}bin/lrs2lrf /{usr/,}bin/lrf2lrs /{usr/,}bin/lrfviewer
@{exec_path} += /{usr/,}bin/web2disk
profile calibre @{exec_path} {
include <abstractions/base>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict>
include <abstractions/nameservice-strict>
include <abstractions/trash>
include <abstractions/python>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/devices-usb>
include <abstractions/deny-root-dir-access>
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
# to "1".
capability sys_admin,
capability sys_chroot,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w,
capability sys_ptrace,
network netlink raw,
@{exec_path} mrix,
/{usr/,}bin/python3.[0-9]* r,
#/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/ldconfig rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/file rix,
/{usr/,}bin/pdftoppm rPUx, # (#FIXME#)
/{usr/,}bin/pdfinfo rPUx,
/{usr/,}bin/pdftohtml rPUx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/xdg-mime rPx,
# Which files calibre should be able to open
/ r,
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
/media/ r,
owner /media/**/ r,
owner /{home,media}/**.@{calibre_ext} rw,
/usr/share/calibre/{,**} r,
owner /media/*/Calibre_Library/ r,
owner /media/*/Calibre_Library*/ rw,
owner /media/*/Calibre_Library*/** rwkl -> /media/*/Calibre_Library*/**,
owner @{HOME}/.config/calibre/ rw,
owner @{HOME}/.config/calibre/** rwk,
owner @{HOME}/.local/share/calibre-ebook.com/ rw,
owner @{HOME}/.local/share/calibre-ebook.com/calibre/ rw,
owner @{HOME}/.local/share/calibre-ebook.com/calibre/** rwk,
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/calibre/ rw,
owner @{HOME}/.cache/calibre/** rwkl -> @{HOME}/.cache/calibre/**,
owner @{HOME}/.cache/qtshadercache/ rw,
owner @{HOME}/.cache/qtshadercache/#[0-9]*[0-9] rw,
owner @{HOME}/.cache/qtshadercache/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9],
owner @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{HOME}/.cache/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{HOME}/.cache/gstreamer-[0-9]*/ rw,
owner @{HOME}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
owner /tmp/calibre_*_tmp_*/{,**} rw,
owner /tmp/calibre-*/{,**} rw,
owner /tmp/[0-9]*-*/ rw,
owner /tmp/[0-9]*-*/** rwl -> /tmp/[0-9]*-*/**,
owner /tmp/* rw,
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pids}/stat r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
deny owner @{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/net/route r,
deny @{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/vmstat r,
/etc/fstab r,
owner @{HOME}/.config/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
# no new privs
/{usr/,}lib/@{multiarch}/qt5/libexec/QtWebEngineProcess rix,
/usr/share/qt5/**.pak r,
@{sys}/devices/pci[0-9]*/**/irq r,
/dev/shm/ r,
/dev/shm/#[0-9]*[0-9] rw,
owner /dev/shm/.org.chromium.Chromium.* rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/usr/share/hwdata/pnp.ids r,
/etc/mime.types r,
/etc/inputrc r,
/etc/magic r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/spacefm rPx,
/{usr/,}bin/chromium rPx,
/{usr/,}bin/ebook-viewer rPx,
/{usr/,}bin/ebook-edit rPx,
owner /{home,media}/**.@{calibre_ext} rw,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/calibre>
}
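Review bot: The poppler helpers `pdftoppm`, `pdfinfo` and `pdftohtml` are given `rPUx`, so when no profile is loaded for them they run fully unconfined while parsing attacker-supplied PDFs — the parsers with the longest memory-safety history in an e-book workflow — and the `# (#FIXME#)` on the first one suggests this is already known. I would prefer fail-closed `rPx` (`/{usr/,}bin/pdftoppm rPx,` and likewise for the other two) or an `rCx` child restricted to the `@{calibre_ext}` paths, assuming profiles for them exist in this tree; I cannot see that from here. The `# no new privs` comment on `/{usr/,}lib/@{multiarch}/qt5/libexec/QtWebEngineProcess rix` presumably means the renderer sets `PR_SET_NO_NEW_PRIVS` and therefore cannot transition to a separate profile; spelling that out, e.g. `# QtWebEngineProcess runs with no_new_privs, so only ix is possible; the renderer shares calibre's full profile (including sys_admin/sys_chroot for its own sandbox)`, would save the next reader the guess.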

apparmor.d/groups/apps/code Normal file

@ -0,0 +1,140 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/share/code/{bin/,}code /{usr/,}bin/code
profile code @{exec_path} {
include <abstractions/base>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
# The following doesn't seem to be needed
##include <abstractions/mesa>
##include <abstractions/consoles>
##include <abstractions/audio>
##include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/deny-dconf>
include <abstractions/deny-root-dir-access>
ptrace (read) peer=child-lsb_release,
@{exec_path} mrix,
/usr/share/code/** r,
/usr/share/code/libffmpeg.so mr,
/usr/share/code/resources/**/bin/* rix,
/usr/share/code/resources/**.node mr,
# The bash shell is needed only when you want to start code via bin/code. Also the shells are
# needed if you plan to operate on the built in terminal. If you don't need the built in terminal
# and want to use the linux one, the following three lines can be commented out.
#/{usr/,}bin/{,ba,da}sh rix,
# /{usr/,}bin/zsh rix,
#/{usr/,}bin/dirname rix,
#/{usr/,}bin/{,e}grep rix,
#/{usr/,}bin/id rix,
#/{usr/,}bin/readlink rix,
#/{usr/,}bin/which rix,
#/{usr/,}sbin/ifconfig rix,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/git rPUx,
# Needed to sign commits
/{usr/,}bin/gpg rPUx -> gpg,
# /home/ r,
# Reading of the user home dir is required or the following error will be printed:
# Unexpected end of JSON input:
#owner @{HOME}/ r,
owner @{HOME}/.config/Code/ rw,
owner @{HOME}/.config/Code/** rwkl -> {HOME}/.config/Code/**,
owner @{HOME}/.vscode/ rw,
owner @{HOME}/.vscode/** rwlk -> @{HOME}/.vscode/**,
# Git dirs
/ r,
/media/ r,
owner /media/*/ r,
owner /media/*/code/ r,
owner /media/*/code/** rwkl -> /media/*/code/**,
# To remove the following error:
# Error initializing NSS with a persistent database
deny owner @{HOME}/.pki/ rw,
deny owner @{HOME}/.pki/nssdb/ rw,
deny owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
/etc/fstab r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# Needed or code gets crash with the following error:
# FATAL:proc_util.cc(36)] : Permission denied (13)
@{PROC}/ r,
#
deny @{PROC}/version r,
#
deny @{PROC}/vmstat r,
@{PROC}/@{pid}/fd/ r,
# Needed to remove the following error:
# Failed to activate the metrics package
# EACCES: permission denied, uv_resident_set_memory
deny @{PROC}/@{pids}/stat r,
deny @{PROC}/@{pids}/statm r,
# To remove the following error:
# Failed to adjust OOM score of renderer with pid : Permission denied
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pids}/task/ r,
deny owner @{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny owner @{PROC}/@{pid}/net/dev r,
deny owner @{PROC}/@{pid}/net/if_inet6 r,
deny owner @{PROC}/@{pids}/cmdline r,
deny /dev/shm/ r,
owner /dev/shm/.org.chromium.Chromium.* rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
# To remove the following error:
# pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
# The irq file is needed to render pages.
deny @{sys}/devices/pci[0-9]*/**/irq r,
/var/tmp/ r,
/tmp/ r,
owner "/tmp/VSCode Crashes/" rw,
owner /tmp/vscode-typescript[0-9]*/ rw,
owner @{run}/user/[0-9]*/vscode-[0-9a-f]*-*-{shared,main}.sock rw,
owner @{run}/user/[0-9]*/vscode-git-askpass-[0-9a-f]*.sock rw,
owner /tmp/vscode-ipc-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*.sock rw,
# For installing extensions
owner /tmp/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
# file_inherit
owner @{HOME}/.xsession-errors w,
include if exists <local/code>
}
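Review bot: `owner @{HOME}/.config/Code/** rwkl -> {HOME}/.config/Code/**,` is missing the `@` in the link target, so the destination is not the intended home path (compare the correct `.vscode` rule two lines below); it should read `owner @{HOME}/.config/Code/** rwkl -> @{HOME}/.config/Code/**,`. Whether apparmor_parser rejects the non-absolute target or accepts a literal `HOME/...` path I cannot confirm from here, but either outcome is wrong: a rejected rule means the whole profile fails to load and code runs unconfined, an accepted one means link creation under `~/.config/Code` is silently denied. `/{usr/,}bin/git rPUx` and `/{usr/,}bin/gpg rPUx -> gpg` also fall back to unconfined whenever the named profile is not loaded, and git executes repository-controlled hooks and `core.*` command settings, so an untrusted workspace would run outside confinement; `rPx`, as android-studio uses for git in this commit, fails closed instead.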


@ -0,0 +1,213 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{DISCORD_LIBDIR} = /usr/share/discord
@{DISCORD_HOMEDIR} = @{HOME}/.config/discord
@{DISCORD_CACHEDIR} = @{HOME}/.cache/discord
@{exec_path} = @{DISCORD_LIBDIR}/Discord /{usr/,}bin/discord
profile discord @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/nameservice-strict>
include <abstractions/audio>
include <abstractions/mesa>
include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/deny-root-dir-access>
signal (send) set=(kill, term) peer=@{profile_name}//lsb_release,
# Needed for Game Activity
deny capability sys_ptrace,
deny ptrace (read),
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mrix,
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
# to "1".
capability sys_admin,
capability sys_chroot,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/xdg-open rCx -> open,
#/{usr/,}bin/lsb_release rCx -> lsb_release,
#/{usr/,}bin/xdg-mime rCx -> xdg-mime,
deny /{usr/,}bin/lsb_release mrx,
deny /{usr/,}bin/xdg-mime mrx,
@{DISCORD_LIBDIR}/ r,
@{DISCORD_LIBDIR}/** r,
# @{DISCORD_LIBDIR}/**.so mr,
# @{DISCORD_LIBDIR}/libEGL.so mr,
# @{DISCORD_LIBDIR}/libGLESv2.so mr,
# To remove the following error:
# discord-canary: error while loading shared libraries: libffmpeg.so: cannot open shared object
# file: No such file or directory
@{DISCORD_LIBDIR}/libffmpeg.so mr,
# @{DISCORD_LIBDIR}/swiftshader/libEGL.so mr,
# @{DISCORD_LIBDIR}/swiftshader/libGLESv2.so mr,
@{DISCORD_LIBDIR}/chrome-sandbox rPx,
owner @{DISCORD_HOMEDIR}/ rw,
owner @{DISCORD_HOMEDIR}/** rwk,
owner @{DISCORD_HOMEDIR}/[0-9]*/modules/discord_[a-z]*/*.node mrwk,
owner @{DISCORD_HOMEDIR}/[0-9]*/modules/discord_[a-z]*/lib*.so.[0-9] mrw,
# Reading of the /proc/ dir is needed to start discord.
# Otherwise it returns the following error:
# [:FATAL:proc_util.cc(36)] : Permission denied (13)
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r,
deny @{PROC}/vmstat r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pids}/task/ r,
deny owner @{PROC}/@{pids}/task/@{tid}/status r,
deny @{PROC}/@{pids}/stat r,
deny owner @{PROC}/@{pids}/statm r,
deny @{PROC}/@{pids}/cmdline r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/sys/fs/inotify/max_user_watches r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
# To avoid the following error:
# kernel: traps: Discord[] trap int3 ip:7fa5b7541885 sp:7ffff5539c40 error:0
# in libglib-2.0.so.0.6000.6[7fa5b7508000+80000]
/usr/share/glib-2.0/schemas/gschemas.compiled r,
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
# To remove the following error:
# pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
@{sys}/devices/pci[0-9]*/**/irq r,
deny /dev/ r,
deny /dev/shm/ rw,
owner /dev/shm/.org.chromium.Chromium.* rw,
/var/tmp/ r,
/tmp/ r,
owner /tmp/net-export/ rw,
owner /tmp/discord.sock rw,
owner /tmp/.org.chromium.Chromium.*/ rw,
owner /tmp/.org.chromium.Chromium.*/discord1_[0-9]*.png rw,
owner /tmp/.org.chromium.Chromium.*/SingletonCookie rw,
owner /tmp/.org.chromium.Chromium.*/SS rw,
owner "/tmp/Discord Crashes/" rw,
owner @{HOME}/.pki/ rw,
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
owner @{run}/user/[0-9]*/discord-ipc-[0-9] rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
# file_inherit
owner /dev/tty[0-9]* rw,
profile xdg-mime {
include <abstractions/base>
include <abstractions/freedesktop.org>
/{usr/,}bin/xdg-mime mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/head rix,
/{usr/,}bin/sed rix,
# file_inherit
/usr/share/discord/** r,
owner /dev/shm/.org.chromium.Chromium.* rw,
owner @{HOME}/.config/discord/GPUCache/data_[0-9] rw,
owner @{HOME}/.config/discord/*/modules/discord_desktop_core/core.asar r,
owner @{HOME}/.config/discord/GPUCache/index rw,
}
profile lsb_release {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/python>
signal (receive) set=(kill, term) peer=discord,
/{usr/,}bin/lsb_release r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/apt-cache rPx,
owner @{PROC}/@{pid}/fd/ r,
/etc/debian_version r,
/etc/dpkg/origins/debian r,
/usr/share/distro-info/debian.csv r,
# file_inherit
deny /usr/share/discord/** r,
deny owner /dev/shm/.org.chromium.Chromium.* rw,
deny owner @{HOME}/.config/discord/GPUCache/data_[0-9] rw,
deny owner @{HOME}/.config/discord/*/modules/discord_desktop_core/core.asar r,
deny owner @{HOME}/.config/discord/GPUCache/index rw,
}
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/discord>
}
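Review bot: `owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk` together with the `pkcs11.txt` rule hands Discord write access to the user's NSS trust and key store, which Chromium and other NSS consumers share, so a compromised renderer could plant a trusted CA there; the atom and code profiles in this same commit deliberately `deny` exactly these paths and appear to treat the resulting NSS initialisation error as cosmetic. Unless Discord is known to break without it (I cannot verify that from here), I would mirror them with `deny owner @{HOME}/.pki/nssdb/** rwk,`. The `*.node mrwk` and `lib*.so.[0-9] mrw` rules under `@{DISCORD_HOMEDIR}/[0-9]*/modules/` additionally allow mmap-exec of files the process itself writes, which is how the client's runtime module updater works but means network-fetched native code runs under this profile; a comment such as `# Discord downloads native modules here at runtime; w+m is required for its self-updater` would make that trade-off explicit.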


@ -0,0 +1,40 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{DISCORD_LIBDIR} = /usr/share/discord
@{DISCORD_HOMEDIR} = @{HOME}/.config/discord
@{DISCORD_CACHEDIR} = @{HOME}/.cache/discord
@{exec_path} = @{DISCORD_LIBDIR}/chrome-sandbox
profile discord-chrome-sandbox @{exec_path} {
include <abstractions/base>
include <abstractions/deny-root-dir-access>
# For kernel unprivileged user namespaces
capability sys_admin,
capability sys_chroot,
capability setuid,
capability setgid,
# optional
capability sys_resource,
@{exec_path} mr,
# Do not strip env to avoid errors like the following:
# /usr/share/discord/Discord: error while loading shared libraries: libffmpeg.so: cannot open
# shared object file: No such file or directory
# [1] 777862 trace trap discord
@{DISCORD_LIBDIR}/Discord rpx,
@{PROC}/@{pids}/ r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
include if exists <local/discord-chrome-sandbox>
}
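Review bot: The comment `# For kernel unprivileged user namespaces` above `capability sys_admin`/`sys_chroot`/`setuid`/`setgid` does not match what these grant: `setuid` and `setgid` are only meaningful because `chrome-sandbox` is installed setuid-root (Chromium's SUID sandbox helper), which unshares namespaces and chroots as root and then drops to the caller's uid/gid before exec'ing `Discord`; an unprivileged-userns path would need `sys_admin`/`sys_chroot` inside the namespace but never the uid/gid changes. I would replace the comment with `# chrome-sandbox is Chromium's setuid-root sandbox helper: it unshares PID/net namespaces and chroots as root, then drops to the caller's uid/gid before exec'ing Discord` so nobody reads the profile as applying to a non-setuid install. The lowercase `px` in `@{DISCORD_LIBDIR}/Discord rpx` is justified by the libffmpeg comment above it, but it means `LD_LIBRARY_PATH`-style variables are carried across a transition that began in a setuid helper; stating that this is the accepted trade-off would help. `@{PROC}/@{pids}/ r` also lets the helper list any process's /proc directory rather than only its own; `owner @{PROC}/@{pid}/ r` may suffice, though I cannot confirm which pid it actually reads.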


@ -0,0 +1,149 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2020 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{DROPBOX_DEMON_DIR}=@{HOME}/.dropbox-dist/
@{DROPBOX_HOME_DIR}=@{HOME}/.dropbox/
@{DROPBOX_SHARE_DIR}=@{HOME}/Dropbox*/
@{exec_path} = /{usr/,}bin/dropbox
profile dropbox @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/python>
include <abstractions/nameservice-strict>
include <abstractions/qt5-settings-write>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
ptrace peer=@{profile_name},
@{exec_path} r,
/{usr/,}bin/ r,
/{usr/,}bin/python3.[0-9]* r,
# Dropbox home files
owner @{HOME}/ r,
owner @{DROPBOX_HOME_DIR}/ rw,
owner @{DROPBOX_HOME_DIR}/** rwk,
# Shared files
owner @{DROPBOX_SHARE_DIR}/ rw,
owner @{DROPBOX_SHARE_DIR}/{,**} rw,
# Dropbox proprietary demon files
owner @{DROPBOX_DEMON_DIR}/{,**} rw,
owner @{DROPBOX_DEMON_DIR}/dropboxd rwix,
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/dropbox rwix,
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/dropboxd rwix,
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/dropbox_py3 rwix,
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/wmctrl rwix,
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/*.so* mrw,
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/plugins/platforms/*.so mrw,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/uname rix,
/{usr/,}sbin/ldconfig rix,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/{,@{multiarch}-}objdump rix,
# Needed for updating Dropbox
owner /tmp/.dropbox-dist-new-*/{,**} rw,
owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropboxd rix,
owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropbox rwix,
owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropboxd rwix,
owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/*.so mrw,
owner @{HOME}/.dropbox-dist-old*/{,**} rw,
owner @{HOME}/.dropbox-dist-tmp-*/{,**} rw,
# For autostart
deny owner @{HOME}/.config/autostart/dropbox.desktop rw,
# What's this for?
/{usr/,}bin/mount mrix,
@{sys}/devices/virtual/block/dm-[0-9]*/dm/name r,
@{sys}/devices/virtual/block/loop[0-9]/ r,
@{sys}/devices/virtual/block/loop[0-9]/loop/{autoclear,backing_file} r,
@{run}/mount/utab r,
deny @{PROC}/ r,
# Dropbox doesn't sync without the 'stat' file
owner @{PROC}/@{pid}/stat r,
#
deny owner @{PROC}/@{pid}/statm r,
deny owner @{PROC}/@{pid}/io r,
deny @{PROC}/@{pid}/net/tcp{,6} r,
deny @{PROC}/@{pid}/net/udp{,6} r,
# When "cmdline" is blocked, Dropbox has some issues while starting:
# The Dropbox daemon is not installed! Run "dropbox start -i" to install the daemon
@{PROC}/@{pid}/cmdline r,
#
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/fdinfo/* r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/comm r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
deny @{PROC}/version r,
# To remove the following error:
# RuntimeWarning: 'sin' and 'sout' swap memory stats couldn't be determined and were set to 0
# ([Errno 13] Permission denied: '/proc/vmstat')
@{PROC}/vmstat r,
# Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead
owner /tmp/dropbox-antifreeze-* rw,
owner /tmp/[a-zA-z0-9]* rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /var/tmp/etilqs_* rw,
@{run}/systemd/users/[0-9]* r,
deny @{sys}/module/apparmor/parameters/enabled r,
# External apps
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/dropbox>
}


@ -0,0 +1,72 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/filezilla
profile filezilla @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice>
include <abstractions/user-download-strict>
include <abstractions/deny-root-dir-access>
signal (send) set=(term, kill) peer=fzsftp,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
# When using SFTP protocol
/{usr/,}bin/fzsftp rPx,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
owner @{HOME}/ r,
owner @{HOME}/.config/filezilla/ rw,
owner @{HOME}/.config/filezilla/* rwk,
owner @{HOME}/.cache/filezilla/ rw,
owner @{HOME}/.cache/filezilla/default_*.png rw,
/usr/share/filezilla/{,**} r,
owner @{PROC}/@{pid}/fd/ r,
# To remove the following error:
# GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied
# (g-file-error-quark, 2)
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
# Creating new files on FTP
/tmp/ r,
owner /tmp/fz[0-9]temp-[0-9]*/ rw,
owner /tmp/fz[0-9]temp-[0-9]*/fz*-lockfile rwk,
owner /tmp/fz[0-9]temp-[0-9]*/empty_file_* rw,
# External apps
/{usr/,}lib/firefox/firefox rPUx,
# FTP share folder
owner /media/*/ftp/ r,
owner /media/*/ftp/** rw,
# Silencer
/ r,
/*/ r,
/*/*/ r,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/filezilla>
}
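Review bot: `include <abstractions/nameservice>` near the top of this section is the non-strict variant, while every other profile in this commit includes `<abstractions/nameservice-strict>`; the broader abstraction presumably grants resolver-related paths the strict one withholds, so the difference looks accidental rather than required. If FileZilla works with the strict variant, change the line to `include <abstractions/nameservice-strict>,`; if it does not, a one-line comment stating what it needs from the broad one would save the next reader the question. Under `# Silencer`, `/*/*/ r,` also reads every second-level directory on the system, which is wider than the file dialog needs; a comment on which lookup triggers it would make it possible to narrow the rule later.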


@ -0,0 +1,97 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/flameshot
profile flameshot @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
network netlink dgram,
@{exec_path} mr,
/{usr/,}bin/whoami rix,
/{usr/,}bin/xdg-open rCx -> open,
# Flameshot home files
owner @{HOME}/.config/flameshot/ rw,
owner @{HOME}/.config/flameshot/flameshot.ini rw,
owner @{HOME}/.config/flameshot/#[0-9]*[0-9] rw,
owner @{HOME}/.config/flameshot/flameshot.ini* rwl -> @{HOME}/.config/flameshot/#[0-9]*[0-9],
owner @{HOME}/.config/flameshot/flameshot.ini.lock rwk,
owner @{HOME}/.config/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/usr/share/hwdata/pnp.ids r,
owner /tmp/.*/{,s} rw,
owner /tmp/*= rw,
owner /tmp/qipc_{systemsem,sharedmemory}_*[0-9a-f]* rw,
deny owner @{PROC}/@{pid}/cmdline r,
deny @{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
/dev/shm/#[0-9]*[0-9] rw,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/flameshot>
}
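Review bot: The `# Allowed apps to open` header inside the `open` child profile has no rule beneath it, so `xdg-open`, once transitioned there via `rCx -> open`, has no target it may execute and opening a link from Flameshot will be denied unless `<abstractions/xdg-open>` happens to cover the handler. Either list the intended targets, e.g. `/{usr/,}lib/firefox/firefox rPUx,` as the dropbox and okular sections do in their `open` profiles, or drop the empty header. Separately, `owner /tmp/.*/{,s} rw,` grants write access on every hidden directory directly under /tmp; naming in a comment which directory Flameshot actually touches would let the pattern be narrowed to it.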


@ -0,0 +1,146 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{FT_LIBDIR} = /{usr/,}lib/freetube
@{FT_LIBDIR} += /{usr/,}lib/freetube-vue
@{FT_LIBDIR} += /opt/FreeTube
@{FT_LIBDIR} += /opt/FreeTube-Vue
@{exec_path} = @{FT_LIBDIR}/freetube{,-vue}
profile freetube @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/opencl-intel>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/audio>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/deny-dconf>
include <abstractions/deny-root-dir-access>
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
# to "1".
capability sys_admin,
capability sys_chroot,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mrix,
@{FT_LIBDIR}/ r,
@{FT_LIBDIR}/** r,
@{FT_LIBDIR}/libffmpeg.so mr,
@{FT_LIBDIR}/{swiftshader/,}libGLESv2.so mr,
@{FT_LIBDIR}/{swiftshader/,}libEGL.so mr,
@{FT_LIBDIR}/chrome-sandbox rPx,
owner @{HOME}/ r,
owner @{HOME}/.config/FreeTube/ rw,
owner @{HOME}/.config/FreeTube/** rwk,
/var/tmp/ r,
/tmp/ r,
owner /tmp/.org.chromium.Chromium.*/ rw,
owner /tmp/.org.chromium.Chromium.*/SingletonCookie w,
owner /tmp/.org.chromium.Chromium.*/SS w,
owner /tmp/.org.chromium.Chromium.* rw,
owner /tmp/net-export/ rw,
/dev/shm/ r,
owner /dev/shm/.org.chromium.Chromium.* rw,
# The /proc/ dir is needed to avoid the following error:
# traps: freetube[] trap int3 ip:56499eca9d26 sp:7ffcab073060 error:0 in
# freetube[56499b8a8000+531e000]
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r,
# @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/task/ r,
deny owner @{PROC}/@{pids}/task/@{tid}/status r,
# @{PROC}/@{pids}/task/@{tid}/status r,
deny @{PROC}/@{pids}/stat r,
deny owner @{PROC}/@{pids}/statm r,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pids}/oom_{,score_}adj r,
deny owner @{PROC}/@{pids}/oom_{,score_}adj w,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
deny @{PROC}/vmstat r,
@{PROC}/sys/fs/inotify/max_user_watches r,
/etc/fstab r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{HOME}/.local/share r,
deny @{sys}/devices/virtual/tty/tty0/active r,
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
# To remove the following error:
# pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
# The irq file is needed to render pages.
deny @{sys}/devices/pci[0-9]*/**/irq r,
# Needed?
deny owner @{HOME}/.pki/ rw,
deny owner @{HOME}/.pki/** rwk,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{run}/user/[0-9]*/ r,
# no new privs
/{usr/,}bin/xdg-settings rPx,
/{usr/,}bin/xdg-open rCx -> open,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
# file_inherit
owner /dev/tty[0-9]* rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/freetube>
}
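Review bot: `owner @{HOME}/.local/share r,` lacks the trailing slash AppArmor requires for a directory to match, so the rule is dead and the directory read it was written for is still refused; it should be `owner @{HOME}/.local/share/ r,`. A few lines below, the comment `# The irq file is needed to render pages.` contradicts the rule it introduces, `deny @{sys}/devices/pci[0-9]*/**/irq r,` — if pages render with the deny in place (the spotify section denies the same path and only cites the pcilib warning), delete that sentence; if they do not, the `deny` is the defect and the rule should be an allow.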


@ -0,0 +1,35 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{FT_LIBDIR} = /{usr/,}lib/freetube
@{FT_LIBDIR} += /{usr/,}lib/freetube-vue
@{FT_LIBDIR} += /opt/FreeTube
@{FT_LIBDIR} += /opt/FreeTube-Vue
@{exec_path} = @{FT_LIBDIR}/chrome-sandbox
profile freetube-chrome-sandbox @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/deny-root-dir-access>
capability sys_admin,
capability setgid,
capability setuid,
capability sys_chroot,
@{exec_path} mr,
# Has to be lower "P"
@{FT_LIBDIR}/freetube{,-vue} rpx,
@{PROC}/@{pids}/ r,
owner @{PROC}/@{pid}/oom_{,score_}adj r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj w,
include if exists <local/freetube-chrome-sandbox>
}


@ -0,0 +1,119 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/geany
profile geany @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/enchant>
include <abstractions/nameservice-strict>
# To edit system files as root.
capability dac_read_search,
capability dac_override,
deny capability sys_nice,
network inet stream,
network inet6 stream,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
# For the sorting feature
/{usr/,}bin/sort rix,
# When geany is run as root, it wants to exec dbus-launch, and hence it creates the two following
# root processes:
# dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr
# /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
#
# Should this be allowed? Geany works fine without this.
#/{usr/,}bin/dbus-launch rCx -> dbus,
#/{usr/,}bin/dbus-send rCx -> dbus,
deny /{usr/,}bin/dbus-launch rx,
deny /{usr/,}bin/dbus-send rx,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/usr/share/geany/{,**} r,
owner @{HOME}/.config/geany/{,**} rw,
owner /{run/,}user/[0-9]*/geany/geany_socket.[0-9a-f]* rw,
# To read/write files in the system. The read permission is granted for all files, the write
# permission only for the owner. Also, dirs like /dev/, /proc/, /sys/ are not included in
# the list.
/ r,
/boot/ r,
/boot/** r,
owner /boot/** rw,
/etc/ r,
/etc/** r,
owner /etc/** rw,
/efi/ r,
/efi/** r,
owner /efi/** rw,
/home/ r,
/home/** r,
owner /home/** rw,
/lost+found/ r,
/lost+found/** r,
owner /lost+found/** rw,
/media/ r,
/media/** r,
owner /media/** rw,
/mnt/ r,
/mnt/** r,
owner /mnt/** rw,
/opt/ r,
/opt/** r,
owner /opt/** rw,
/root/ r,
/root/** r,
owner /root/** rw,
/run/ r,
/run/** r,
owner /run/** rw,
/srv/ r,
/srv/** r,
owner /srv/** rw,
/tmp/ r,
/tmp/** r,
owner /tmp/** rw,
/usr/ r,
/usr/** r,
owner /usr/** rw,
/var/ r,
/var/** r,
owner /var/** rw,
profile dbus {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/dbus-launch mr,
/{usr/,}bin/dbus-send mr,
/{usr/,}bin/dbus-daemon rPUx,
# for dbus-launch
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
@{HOME}/.Xauthority r,
}
include if exists <local/geany>
}
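Review bot: `owner /{run/,}user/[0-9]*/geany/geany_socket.[0-9a-f]* rw,` spells the runtime directory by hand, and the alternation also admits a spurious `/user/...` path, while every other profile in this commit reaches it through the `@{run}` tunable; write it as `owner @{run}/user/[0-9]*/geany/geany_socket.[0-9a-f]* rw,`. The block headed `# To edit system files as root.` combines `capability dac_override` with `owner /etc/** rw,`, `owner /usr/** rw,` and the other `owner .../** rw` lines; because `owner` is satisfied by everything once the process runs as root, the comment should state plainly that root gets read/write over each listed tree, so the scope of that design choice is visible to whoever enables the profile.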


@ -0,0 +1,123 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{okular_ext} = [pP][dD][fF]
@{exec_path} = /{usr/,}bin/okular
profile okular @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/audio>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/user-download-strict>
include <abstractions/nameservice-strict>
include <abstractions/dri-enumerate>
include <abstractions/kde-icon-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/qt5-compose-cache-write>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
# Which media files Okular should be able to open
/ r,
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
/media/ r,
owner /media/**/ r,
/tmp/ r,
/tmp/mozilla_*/ r,
owner /{home,media,tmp/mozilla_*}/**.@{okular_ext} rw,
owner @{HOME}/.config/#[0-9]*[0-9] rw,
owner @{HOME}/.config/okularrc rw,
owner @{HOME}/.config/okularrc.lock rwk,
owner @{HOME}/.config/okularrc.* rwl -> @{HOME}/.config/#[0-9]*[0-9],
owner @{HOME}/.config/okularpartrc rw,
owner @{HOME}/.config/okularpartrc.lock rwk,
owner @{HOME}/.config/okularpartrc.* rwl -> @{HOME}/.config/#[0-9]*[0-9],
owner @{HOME}/.config/kdeglobals r,
owner @{HOME}/.config/kwalletrc r,
owner @{HOME}/.local/share/okular/{,**} rw,
owner @{HOME}/.config/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/okular/{,**} rw,
/usr/share/okular/{,**} r,
/usr/share/kxmlgui5/okular/{,*} r,
/usr/share/poppler/** r,
/usr/share/hwdata/pnp.ids r,
/etc/xdg/ui/ui_standards.rc r,
@{PROC}/sys/kernel/core_pattern r,
deny @{PROC}/sys/kernel/random/boot_id r,
deny owner @{PROC}/@{pid}/cmdline r,
/dev/shm/#[0-9]*[0-9] rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Search phrase in google
/{usr/,}bin/xdg-open rCx -> open,
/usr/share/kservices5/searchproviders/{,*.desktop} r,
/usr/share/kservices5/{,*.protocol} r,
/etc/xdg/kshorturifilterrc r,
# Print to pdf
/{usr/,}bin/ps2pdf rPUx,
owner /tmp/[0-9a-f]* rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/okular_*.ps rwl -> /tmp/#[0-9]*[0-9],
# About
/usr/share/kf5/licenses/GPL_V2 r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/okular>
}
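Review bot: `/{usr/,}bin/ps2pdf rPUx,` under `# Print to pdf` lets the converter, and the interpreter it drives, run unconfined whenever no matching profile is loaded, on input derived from the document being viewed. A denial is the safer fallback for that path: use `/{usr/,}bin/ps2pdf rPx,` with a dedicated profile, or `/{usr/,}bin/ps2pdf rCx -> ps2pdf,` with a small child profile alongside the existing `open` one. The same `rPUx` fallback appears on `/{usr/,}lib/firefox/firefox` here and in the other sections, where it is at least an interactive application rather than a document converter.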


@ -0,0 +1,72 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{SIGNAL_INSTALLDIR} = "/opt/Signal{, Beta}"
@{SIGNAL_HOMEDIR} = "@{HOME}/.config/Signal{, Beta}"
@{exec_path} = @{SIGNAL_INSTALLDIR}/signal-desktop{,-beta}
profile signal-desktop @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/audio>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
# Signal installation dir
@{SIGNAL_INSTALLDIR}/ r,
@{SIGNAL_INSTALLDIR}/** r,
@{SIGNAL_INSTALLDIR}/libnode.so mr,
@{SIGNAL_INSTALLDIR}/libffmpeg.so mr,
@{SIGNAL_INSTALLDIR}/chrome-sandbox rPx,
# Signal home dirs
@{SIGNAL_HOMEDIR}/ rw,
@{SIGNAL_HOMEDIR}/** rwk,
#owner @{HOME}/.pki/nssdb/pkcs11.txt r,
#owner @{HOME}/.pki/nssdb/cert9.db rwk,
#owner @{HOME}/.pki/nssdb/key4.db rwk,
# Signal wants the /tmp/ dir to be mounted with the "exec" flag. If this is not acceptable in
# your system, use the TMPDIR variable to set some other tmp dir.
/tmp/ r,
owner /tmp/.org.chromium.Chromium.* mrw,
/var/tmp/ r,
owner @{SIGNAL_HOMEDIR}/tmp/.org.chromium.Chromium.* mrw,
@{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
@{sys}/devices/pci[0-9]*/**/{irq,vendor,device} r,
@{sys}/devices/virtual/tty/tty[0-9]/active r,
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/stat r,
@{PROC}/vmstat r,
deny /dev/shm/ r,
/dev/shm/.org.chromium.Chromium.* rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/{usr/,}bin/xdg-settings rPUx,
/{usr/,}bin/getconf rix,
include if exists <local/signal-desktop>
}
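Review bot: `@{SIGNAL_HOMEDIR}/ rw,` and `@{SIGNAL_HOMEDIR}/** rwk,` under `# Signal home dirs` omit the `owner` qualifier that the freetube and telegram sections place on their config-directory rules (and that the commented-out `.pki` lines just below already carry); change them to `owner @{SIGNAL_HOMEDIR}/ rw,` and `owner @{SIGNAL_HOMEDIR}/** rwk,` so the grant stays scoped to the user's own files. `@{PROC}/@{pids}/stat r,` likewise reads the stat of every process rather than the profile's own; if the broader read is required, a comment saying which Chromium check needs it would justify keeping it.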


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{SIGNAL_INSTALLDIR} = "/opt/Signal{, Beta}"
@{SIGNAL_HOMEDIR} = "@{HOME}/.config/Signal{, Beta}"
@{exec_path} = @{SIGNAL_INSTALLDIR}/signal-desktop{,-beta}
profile signal-desktop-chrome-sandbox @{exec_path} {
include <abstractions/base>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
@{SIGNAL_INSTALLDIR}/signal-desktop rPx,
include if exists <local/signal-desktop-chrome-sandbox>
}
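Review bot: `@{exec_path} = @{SIGNAL_INSTALLDIR}/signal-desktop{,-beta}` attaches this profile to the main binary rather than the sandbox helper, so it collides with the `signal-desktop` profile's attachment and the `@{SIGNAL_INSTALLDIR}/chrome-sandbox rPx,` transition in that profile has no profile to land on; the line should read `@{exec_path} = @{SIGNAL_INSTALLDIR}/chrome-sandbox`, mirroring the freetube-chrome-sandbox section. `@{SIGNAL_INSTALLDIR}/signal-desktop rPx,` also drops the `{,-beta}` alternative and uses upper-case `P`, whereas the freetube counterpart uses `rpx` with the comment `# Has to be lower "P"`; if that reason holds there it presumably holds here, so `@{SIGNAL_INSTALLDIR}/signal-desktop{,-beta} rpx,` is the consistent form. The freetube counterpart additionally grants `sys_admin`, `setgid`, `setuid` and `sys_chroot`, which a setuid sandbox helper is likely to need — worth confirming before this profile is switched to enforce.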


@ -0,0 +1,87 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/spotify /usr/share/spotify/spotify
profile spotify @{exec_path} {
include <abstractions/base>
include <abstractions/opencl-intel>
include <abstractions/audio>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/mesa>
include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
@{exec_path} mrix,
/usr/share/spotify/{,**} r,
/usr/share/spotify/libcef.so mr,
/usr/share/spotify/swiftshader/libGLESv2.so mr,
/usr/share/spotify/swiftshader/libEGL.so mr,
owner @{HOME}/.config/spotify/ rw,
owner @{HOME}/.config/spotify/** rw,
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/spotify/ rw,
owner @{HOME}/.cache/spotify/** rwk,
owner @{HOME}/.Xauthority r,
# The /proc/ dir is needed to avoid the following errors:
# [:FATAL:proc_util.cc(36)] : Permission denied (13)
# [:FATAL:sandbox_linux.cc(484)] : Permission denied (13)
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r,
deny owner @{PROC}/@{pids}/task/ r,
deny owner @{PROC}/@{pids}/task/@{tid}/stat r,
deny owner @{PROC}/@{pids}/task/@{tid}/status r,
deny @{PROC}/@{pids}/stat r,
deny owner @{PROC}/@{pid}/cmdline r,
deny owner @{PROC}/@{pids}/oom_score_adj w,
deny @{PROC}/vmstat r,
@{PROC}sys/kernel/yama/ptrace_scope r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
owner /dev/shm/.org.chromium.Chromium.* rw,
deny @{sys}/devices/virtual/tty/tty[0-9]*/active r,
# To remove the following error:
# pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
deny @{sys}/devices/pci[0-9]*/**/irq r,
deny /var/lib/dbus/machine-id r,
deny /etc/machine-id r,
/usr/share/X11/XErrorDB r,
/tmp/ r,
owner /tmp/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
# What's this for?
#owner /tmp/[0-9]*.[0-9]*.[0-9]*.[0-9]*-linux-*.zip rw,
/var/tmp/ r,
deny owner @{HOME}/.pki/ rw,
deny owner @{HOME}/.pki/nssdb/ rw,
deny owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
include if exists <local/spotify>
}
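Review bot: `@{PROC}sys/kernel/yama/ptrace_scope r,` is missing the `/` after the variable, so it expands to a non-existent path and the intended read stays denied; it should be `@{PROC}/sys/kernel/yama/ptrace_scope r,` as written in the freetube section. The two `deny` lines for `/var/lib/dbus/machine-id` and `/etc/machine-id` are the opposite of what every other profile in this commit does with those files; a short comment explaining why the read is refused here would keep the next reader from "fixing" it.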


@ -0,0 +1,117 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{TELEGRAM_WORK_DIR} = /media/Kabi/telegram
@{exec_path} = /{usr/,}bin/telegram-desktop
profile telegram-desktop @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/audio>
include <abstractions/user-download-strict>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/enchant>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-dconf>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
# Launch external apps
/{usr/,}bin/xdg-open rCx -> open,
# What's this for?
deny /{usr/,}bin/fc-list rx,
# Telegram files
/usr/share/TelegramDesktop/{,**} r,
# Download dir
owner @{TELEGRAM_WORK_DIR}/ rw,
owner @{TELEGRAM_WORK_DIR}/** rwkl -> @{TELEGRAM_WORK_DIR}/#[0-9]*[0-9],
# Telegram's profile (via telegram -many -workdir ~/some/dir/)
#owner @{TELEGRAM_WORK_DIR}/{,**} rw,
# Autostart
owner @{HOME}/.config/autostart/telegramdesktop.desktop rw,
/dev/shm/#[0-9]*[0-9] rw,
owner @{PROC}/@{pid}/fd/ r,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny @{PROC}/sys/kernel/random/boot_id r,
/etc/fstab r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Needed when saving files as, or otherwise the app crashes
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/hwdata/pnp.ids r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/geany rPx,
# file_inherit
owner /dev/tty[0-9]* rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{TELEGRAM_WORK_DIR}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/geany rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/telegram-desktop>
}
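Review bot: `@{TELEGRAM_WORK_DIR} = /media/Kabi/telegram` hard-codes one machine's mount point, and the `# Download dir` rules plus the `open` child profile's `owner @{TELEGRAM_WORK_DIR}/ r,` are the only rules covering Telegram's data, so on any other system the client's working directory gets no access at all. Move the value into a tunable that `local/telegram-desktop` or a file under `tunables/` can override, and ship a default under `@{HOME}` for the case where `-workdir` is not passed; the comment `# Telegram's profile (via telegram -many -workdir ~/some/dir/)` already records the intent.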


@ -0,0 +1,272 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2020 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
# Useful info:
# http://kb.mozillazine.org/Files_and_folders_in_the_profile_-_Thunderbird
#
abi <abi/3.0>,
include <tunables/global>
@{MOZ_LIBDIR} = /{usr/,}lib/thunderbird
@{MOZ_HOMEDIR} = @{HOME}/.thunderbird
@{MOZ_CACHEDIR} = @{HOME}/.cache/thunderbird
@{exec_path} = @{MOZ_LIBDIR}/thunderbird{,-bin}
@{exec_path} += /{usr/,}bin/thunderbird
profile thunderbird @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/audio>
include <abstractions/enchant>
include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/deny-dconf>
include <abstractions/deny-root-dir-access>
ptrace peer=@{profile_name},
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
# to "1".
capability sys_admin,
capability sys_chroot,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w,
@{exec_path} mrix,
@{MOZ_LIBDIR}/thunderbird-wrapper-helper.sh rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/date rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/which rix,
/{usr/,}bin/ps rPx,
/{usr/,}bin/dig rix,
# Thunderbird files
/usr/share/thunderbird/{,**} r,
/etc/thunderbird/{,**} r,
# Extensions
@{MOZ_LIBDIR}/extensions/{,**} r,
/usr/share/mozilla/extensions/{,**} r,
/usr/share/lightning/{,**} r,
# Thunderbird home files
owner @{MOZ_HOMEDIR}/ rw,
owner "@{MOZ_HOMEDIR}/{Crash Reports,Pending Pings}/" rw,
owner "@{MOZ_HOMEDIR}/Crash Reports/**" rw,
owner @{MOZ_HOMEDIR}/*.*/ rw,
owner @{MOZ_HOMEDIR}/*.*/** rwk,
deny @{MOZ_HOMEDIR}/*.*/pepmda/ rw,
deny @{MOZ_HOMEDIR}/*.*/pepmda/** rwklmx,
owner @{MOZ_HOMEDIR}/profiles.ini rw,
owner @{MOZ_HOMEDIR}/installs.ini rw,
deny @{HOME}/.mozilla/** mrwkl,
# Cache
owner @{HOME}/.cache/ rw,
owner @{MOZ_CACHEDIR}/{,**} rw,
# Needed for system mails
owner /var/mail/* rwk,
owner @{HOME}/ r,
owner @{HOME}/Mail/ rw,
owner @{HOME}/Mail/** rwl -> @{HOME}/Mail/**,
# Fix error in libglib while saving files as
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# Spellcheck
/{usr/,}bin/locale rix,
# System integration
/etc/mime.types r,
owner @{HOME}/.config/mimeapps.list.* rw,
# KDE system keyring
/{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
/usr/share/xul-ext/kwallet5/* r,
/etc/xul-ext/kwallet5.js r,
owner @{HOME}/.config/kwalletrc r,
# QT5
owner @{HOME}/.config/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
deny @{sys}/devices/system/cpu/present r,
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/statm r,
owner @{PROC}/@{pid}/smaps r,
deny owner @{PROC}/@{pids}/cmdline r,
deny owner @{PROC}/@{pids}/environ r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
# To remove the following error:
# GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied
# (g-file-error-quark, 2)
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny @{PROC}/@{pid}/net/arp r,
deny @{PROC}/@{pid}/net/route r,
# for dig
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# TMP files
/var/tmp/ r,
/tmp/ r,
owner /tmp/* rw,
owner /tmp/thunderbird{,_*}/ rw,
owner /tmp/thunderbird{,_*}/* rwk,
owner /tmp/mozilla_*/ rw,
owner /tmp/mozilla_*/* rw,
owner /tmp/MozillaMailnews/ rw,
owner /tmp/MozillaMailnews/*.msf rw,
owner /tmp/Temp-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*/ rw,
deny /dev/ r,
/dev/urandom w,
/dev/shm/ r,
owner /dev/shm/org.chromium.* rw,
owner /dev/shm/org.mozilla.ipc.@{pid}.[0-9]* rw,
/etc/fstab r,
/etc/mailcap r,
/usr/share/sounds/freedesktop/stereo/*.oga r,
# Silencer
deny /{usr/,}lib/thunderbird/** w,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/exo-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
# Needed for enigmail
/usr/share/xul-ext/enigmail/{,**} r,
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpg-connect-agent rCx -> gpg,
/{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
/{usr/,}bin/qpdfview rPUx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/engrampa rPUx,
/{usr/,}bin/geany rPUx,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
profile gpg {
include <abstractions/base>
include <abstractions/consoles>
network inet stream,
network inet6 stream,
network netlink raw,
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpg mr,
/{usr/,}bin/gpg-connect-agent mr,
/{usr/,}bin/gpgsm mr,
/{usr/,}bin/gpg-agent rix,
owner @{HOME}/.gnupg/ rw,
owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
owner /tmp/nscopy.tmp w,
# For encryption + signature
owner /tmp/gpgOutput.* rw,
# for inline pgp
owner /tmp/encfile rw,
owner /tmp/encfile-[0-9]* rw,
# for signature generation
owner /tmp/nsemail.eml w,
owner /tmp/nsemail-[0-9]*.eml w,
# for signature verifications
owner /tmp/data.sig r,
owner /tmp/data-[0-9]*.sig r,
@{PROC}/@{pid}/fd/ r,
# file_inherit
owner /dev/tty[0-9]* rw,
deny owner @{MOZ_HOMEDIR}/*.*/** rw,
deny owner @{MOZ_CACHEDIR}/** rw,
deny /usr/share/thunderbird/** r,
deny /usr/share/sounds/freedesktop/stereo/*.oga r,
deny owner /tmp/thunderbird{,_*}/* rwk,
deny /dev/shm/org.chromium.* r,
deny owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* rw,
owner /tmp/ns* rw,
}
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/exo-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
/{usr/,}bin/qpdfview rPUx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/engrampa rPUx,
/{usr/,}bin/geany rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/thunderbird>
}
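Review bot: `deny /{usr/,}lib/thunderbird/** w,` under `# Silencer` spells out the library path that the file already defines as `@{MOZ_LIBDIR}`, so a later change to the variable would leave the silencer pointing at the old location; write it as `deny @{MOZ_LIBDIR}/** w,`. `owner /tmp/* rw,` under `# TMP files` grants read/write on every owner-owned file directly under /tmp, which is wider than the `thunderbird{,_*}`, `mozilla_*` and `MozillaMailnews` patterns that follow it; a comment naming which files still need the catch-all would make it possible to retire it. The header's `Copyright (C) 2015-2020` is also the only one in this commit not extended to 2021, which is harmless but inconsistent.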


@ -0,0 +1,36 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2016 Canonical Ltd.
# Copyright (C) 2018 Software in the Public Interest, Inc.
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# Author: Bryan Quigley <bryan.quigley@canonical.com>
# Rene Engelhard <rene@debian.org>
#
# ------------------------------------------------------------------
include <tunables/global>
profile libreoffice-oopslash /usr/lib/libreoffice/program/oosplash flags=(complain) {
include <abstractions/base>
include <abstractions/X>
/etc/libreoffice/ r,
/etc/libreoffice/** r,
/etc/passwd r,
/etc/nsswitch.conf r,
/run/nscd/passwd r,
/sys/devices/{virtual,pci[0-9]*}/**/queue/rotational r, # for isRotational() in desktop/unx/source/pagein.c
/usr/lib{,32,64}/ure/bin/javaldx rmpux,
/usr/share/libreoffice/program/* r,
/usr/lib/libreoffice/program/** r,
/usr/lib/libreoffice/program/soffice.bin rmpx,
/usr/lib/libreoffice/program/javaldx rmpux,
owner @{HOME}/.Xauthority r,
owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined),
unix peer=(addr=@/tmp/.X11-unix/* label=unconfined),
}
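Review bot: The profile is named `libreoffice-oopslash` while the binary it attaches to is `oosplash`; the transposed name is what appears in audit log lines and what a `local/` override would have to match, so `profile libreoffice-oosplash /usr/lib/libreoffice/program/oosplash flags=(complain) {` is the consistent form, with the rename applied wherever the old name is referenced. `flags=(complain)` means violations are logged but not blocked; since the commit only relocates the file, a follow-up could state in the header whether complain mode is intended to stay.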


@ -0,0 +1,37 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2016 Canonical Ltd.
# Copyright (C) 2017 Software in the Public Interest, Inc.
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# Authors: Bryan Quigley <bryan.quigley@canonical.com>
# Rene Engelhard <rene@debian.org>
#
# ------------------------------------------------------------------
include <tunables/global>
profile libreoffice-senddoc /usr/lib/libreoffice/program/senddoc flags=(complain) {
include <abstractions/base>
include <abstractions/user-tmp>
/{usr/,}bin/sh rmix,
/{usr/,}bin/bash rmix,
/{usr/,}bin/dash rmix,
/{usr/,}bin/sed rmix,
/usr/bin/dirname rmix,
/usr/bin/basename rmix,
/{usr/,}bin/grep rmix,
/{usr/,}bin/uname rmix,
/usr/bin/xdg-open rPUx,
/usr/bin/xdg-email rPUx,
/dev/null rw,
/usr/lib/libreoffice/program/uri-encode rmpux,
/usr/share/libreoffice/share/config/* r,
owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
}
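Review bot: The exec rules mix the `/{usr/,}bin/` alternation (sh, bash, dash, sed, grep, uname) with bare `/usr/bin/` (dirname, basename, xdg-open, xdg-email); pick one form, and the alternation is the one used throughout the rest of the commit, e.g. `/{usr/,}bin/dirname rmix,`. `/usr/bin/xdg-open rPUx,` and `/usr/bin/xdg-email rPUx,` fall back to unconfined execution when no profile matches; the other profiles here confine `xdg-open` with `rCx -> open` and a small child profile, which would be the tighter choice for a script that hands a document to an external program.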


@ -0,0 +1,271 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2016 Canonical Ltd.
# Copyright (C) 2018 Software in the Public Interest, Inc.
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# Authors: Jonathan Davies <jonathan.davies@canonical.com>
# Bryan Quigley <bryan.quigley@canonical.com>
# Rene Engelhard <rene@debian.org>
#
# ------------------------------------------------------------------
# This profile should enable the average LibreOffice user to get their
# work done while blocking some advanced usage
# Namely not tested and likely not working : embedded plugins,
# Using the LibreOffice SDK and other development tasks
# Everything else should be working
#Defines all common supported file formats
#Some obscure ones we're excluded (mostly input)
#Generic
#.txt
@{libreoffice_ext} = [tT][xX][tT]
#All the open document format
@{libreoffice_ext} += {,f,F}[oO][dDtT][tTsSpPbBgGfF]
#.xml and xsl
@{libreoffice_ext} += [xX][mMsS][lL]
#.pdf
@{libreoffice_ext} += [pP][dD][fF]
#Unified office format
@{libreoffice_ext} += [uU][oO][fFtTsSpP]
#(x)htm(l)
@{libreoffice_ext} += {,x,X}[hH][tT][mM]{,l,L}
#.epub
@{libreoffice_ext} += [eE][pP][uU][bB]
#.ps (printing to file)
@{libreoffice_ext} += [pP][sS]
#Images
@{libreoffice_ext} += [jJ][pP][gG]
@{libreoffice_ext} += [jJ][pP][eE][gG]
@{libreoffice_ext} += [pP][nN][gG]
@{libreoffice_ext} += [sS][vV][gG]
@{libreoffice_ext} += [sS][vV][gG][zZ]99251
@{libreoffice_ext} += [tT][iI][fF]
@{libreoffice_ext} += [tT][iI][fF][fF]
#Writer
@{libreoffice_ext} += [dD][oO][cCtT]{,x,X}
@{libreoffice_ext} += [rR][tT][fF]
#Calc
@{libreoffice_ext} += [xX][lL][sStT]{,x,X,m,M}
@{libreoffice_ext} += [xX][lL][wW]
#.dif dbf
@{libreoffice_ext} += [dD][iIbB][fF]
#.tsv .csv
@{libreoffice_ext} += [cCtT][sS][vV]
@{libreoffice_ext} += [sS][lL][kK]
#Impress/Draw
@{libreoffice_ext} += [pP][pP][tTsS]{,x,X}
@{libreoffice_ext} += [pP][oO][tT]{,m,M}
#Photoshop
@{libreoffice_ext} += [pP][sS][dD]
#Math
@{libreoffice_ext} += [mM][mM][lL]
@{libo_user_dirs} = @{HOME} /mnt /media
include <tunables/global>
profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(complain) {
include <abstractions/private-files>
include <abstractions/audio>
include <abstractions/bash>
include <abstractions/cups-client>
include <abstractions/dbus>
include <abstractions/dbus-session>
include <abstractions/dbus-accessibility>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/ibus>
include <abstractions/nameservice>
include <abstractions/gnome>
# GnuPG1 only...
# include <abstractions/gnupg>
include <abstractions/python>
include <abstractions/p11-kit>
include <abstractions/user-tmp>
include <abstractions/opencl-intel>
include <abstractions/opencl-mesa>
include <abstractions/opencl-nvidia>
#List directories for file browser
/ r,
/**/ r,
owner @{libo_user_dirs}/**/ rw, #allow creating directories that we own
owner @{libo_user_dirs}/**~lock.* rw, #lock file support
owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk, #Open files rw with the right exts
owner @{libo_user_dirs}/{,**/}lu??????????{,?}.tmp rwk, #Temporary file used when saving
owner @{libo_user_dirs}/{,**/}.directory r, #Read directory settings on KDE
# Settings
/etc/libreoffice/ r,
/etc/libreoffice/** r,
/etc/cups/ppd/*.ppd r,
/etc/xml/catalog r, #exporting to .xhtml, for libxml2
/proc/*/status r,
owner @{HOME}/.config/libreoffice{,dev}/** rwk,
owner @{HOME}/.config/soffice.binrc rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/soffice.binrc.* rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/soffice.binrc.lock rwk,
owner @{HOME}/.cache/fontconfig/** rw,
owner @{HOME}/.config/gtk-???/bookmarks r, #Make bookmarks work
owner /{,var/}run/user/*/dconf/user rw,
owner @{HOME}/.config/dconf/user r,
# allow schema to be read
/usr/share/glib-*/schemas/ r,
/usr/share/glib-*/schemas/** r,
# bluetooth send to
network bluetooth,
/{usr/,}bin/sh rmix,
/{usr/,}bin/bash rmix,
/{usr/,}bin/dash rmix,
/{usr/,}bin/rm rmix, #deleting /tmp/psp1534203998 (printing to file)
/usr/bin/bluetooth-sendto rmPUx,
/usr/bin/lpr rmPUx,
/usr/bin/paperconf rmix,
/usr/bin/gpgconf rmix,
/usr/bin/gpg rmCx -> gpg,
/usr/bin/gpgsm rmCx -> gpg,
/usr/bin/gpa rix,
/usr/bin/seahorse rix,
/usr/bin/kgpg rix,
/usr/bin/kleopatra rix,
/dev/tty rw,
/usr/lib{,32,64}/@{multiarch}/gstreamer???/gstreamer-???/gst-plugin-scanner rmPUx,
owner @{HOME}/.cache/gstreamer-???/** rw,
unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined), #Gstreamer doesn't work without this
/usr/lib{,32,64}/jvm/ r,
/usr/lib{,32,64}/jvm/** r,
/usr/lib{,32,64}/jvm/**/jre/bin/java mix,
/usr/lib{,32,64}/jvm/**/bin/java mix,
# should be included in the jvm/** above but there it is
# a symlink, so apparmor still doesn't allow it...
/etc/java-??-openjdk/security/java.security r,
/usr/lib/libreoffice/** rw,
/usr/lib/libreoffice/**.so m,
/usr/lib/libreoffice/program/soffice.bin mix,
/usr/lib/libreoffice/program/xpdfimport px,
/usr/lib/libreoffice/program/senddoc px,
/usr/bin/xdg-open rPUx,
/usr/share/java/**.jar r,
/usr/share/hunspell/ r,
/usr/share/hunspell/** r,
/usr/share/hyphen/ r,
/usr/share/hyphen/** r,
/usr/share/mythes/ r,
/usr/share/mythes/** r,
/usr/share/liblangtag/ r,
/usr/share/liblangtag/** r,
/usr/share/libreoffice/ r,
/usr/share/libreoffice/** r,
/usr/share/yelp-xsl/xslt/mallard/** r,
/usr/share/libexttextcat/* r,
/usr/share/icu/** r,
/usr/share/locale-bundle/* r,
/var/spool/libreoffice/ r,
/var/spool/libreoffice/** rw,
/var/cache/fontconfig/ rw,
#Likely moving to abstractions in the future
owner @{HOME}/.icons/*/cursors/* r,
/etc/fstab r, # Solid::DeviceNotifier::instance() TODO: deny?
/usr/share/*-fonts/conf.avail/*.conf r,
/usr/share/fonts-config/conf.avail/*.conf r,
/{,var/}run/udev/data/+usb:* r, # Solid::Device::listFromQuery()
/{,var/}run/udev/data/{c,b}*:* r, # Solid::Device::description(), Solid::Device::listFromQuery()
@{PROC}/sys/kernel/random/boot_id r, # KRecentDocument::add() -> QSysInfo::bootUniqueId()
#To avoid "Unable to create io-slave." for file dialog
owner /{,var/}run/user/[0-9]*/#[0-9]* rw,
#For KIO IO::Slave::createSlave()
owner /{,var/}run/user/[0-9]*/soffice.bin*.slave-socket wl -> /{,var/}run/user/[0-9]*/#[0-9]*,
owner @{HOME}/.mozilla/firefox/profiles.ini r,
owner @{HOME}/.mozilla/firefox/*/secmod.db r,
# firefox < 58
owner @{HOME}/.mozilla/firefox/*/cert8.db r,
# firefox >= 58
owner @{HOME}/.mozilla/firefox/*/cert9.db r,
owner @{HOME}/.local/share/user-places.xbel r,
# there is abstractions/gnupg but that's just for gpg1...
profile gpg flags=(complain) {
include <abstractions/base>
/usr/bin/gpgconf rm,
/usr/bin/gpg rm,
/usr/bin/gpgsm rm,
owner @{HOME}/.gnupg/* r,
owner @{HOME}/.gnupg/random_seed rk,
}
# probably should become a subprofile like gpg above, but then it doesn't
# work either as it tries to access stuff only allowed above...
owner @{HOME}/.config/kdeglobals r,
/usr/lib/libreoffice/program/lo_kde5filepicker rPUx,
/usr/share/qt5/translations/* r,
/usr/lib/*/qt5/plugins/** rm,
/usr/share/plasma/look-and-feel/**/contents/defaults r,
# TODO: remove when rules are available in abstractions/kde
owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
owner @{HOME}/.config/trashrc r, # user by KFileWidget
/usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent
# TODO: remove when rules are available in abstractions/kde-write-icon-cache or similar
owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
# TODO: remove when rules are available in abstractions/kdeframeworks5 or similar
/usr/share/kservices5/*.protocol r,
# TODO: use qt5-settings-write abstraction when it is available
owner @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] rw,
owner @{HOME}/.config/QtProject.conf rw,
owner @{HOME}/.config/QtProject.conf.?????? l -> @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],
owner @{HOME}/.config/QtProject.conf.?????? rw, # for temporary files like QtProject.conf.Aqrgeb
owner @{HOME}/.config/QtProject.conf.lock rwk,
# TODO: use qt5-compose-cache-write abstraction when it is available
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r,
# TODO: use recent-documents-write abstraction when it is available
owner @{HOME}/.local/share/RecentDocuments/** r,
owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*,
owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
# TODO: use kde-globals-write abstraction when it is available
owner @{HOME}/.config/kdeglobals rw,
owner @{HOME}/.config/kdeglobals.* rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/kdeglobals.lock rwk,
}
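Review bot: `/usr/lib/libreoffice/** rw,` (the line before `/usr/lib/libreoffice/**.so m,`) lets soffice.bin write to its own installation directory, including the shared objects it maps and `soffice.bin` itself, so a compromised process could overwrite the code it loads; DAC will normally stop an unprivileged user, but the profile should not be what permits it. Unless a specific writable location under /usr/lib/libreoffice is known, this should be `/usr/lib/libreoffice/** r,` with any genuinely writable path listed on its own (the existing `/var/spool/libreoffice/** rw,` already covers the spool area). `/proc/*/status r,` is likewise not owner-scoped and exposes every process's status to the confined program. The extension entry `[sS][vV][gG][zZ]99251` appears to carry a page artifact; if `99251` really is in the file, that pattern matches `.svgz99251` rather than `.svgz` and should be checked.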


@ -0,0 +1,31 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2016 Canonical Ltd.
# Copyright (C) 2017 Software in the Public Interest, Inc.
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# Authors: Bryan Quigley <bryan.quigley@canonical.com>
# Rene Engelhard <rene@debian.org>
#
# ------------------------------------------------------------------
include <tunables/global>
profile libreoffice-xpdfimport /usr/lib/libreoffice/program/xpdfimport flags=(complain) {
include <abstractions/base>
include <abstractions/user-tmp>
/usr/share/poppler/** r,
/usr/share/libreoffice/share/config/* r,
owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
/usr/lib/libreoffice/program/xpdfimport pxm,
#Uncomment for build testing (should be one directory <- of instdir)
#/mnt/store/git/libo/** r,
}

171
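--- a/apparmor.d/groups/apps/vlc
+++ b/apparmor.d/groups/apps/vlc
@@ -0,0 +1,171 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2017-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+abi <abi/3.0>,
+include <tunables/global>
+# Video/audio extensions:
+# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
+# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
+# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t
+@{vlc_ext} = [aA]{52,[aA][cC],[cC]3}
+@{vlc_ext} += [mM][kK][aA]
+@{vlc_ext} += [fF][lL][aA][cC]
+@{vlc_ext} += [mM][pP][123cC]
+@{vlc_ext} += [oO][gGmM][aA]
+@{vlc_ext} += [wW]{,[aA]}[vV]
+@{vlc_ext} += [wW][mM]{,[aA]}
+@{vlc_ext} += 3[gG]{[2pP],[pP][2pP]}
+@{vlc_ext} += [aA][sS][fF]
+@{vlc_ext} += [aA][vV][iI]
+@{vlc_ext} += [dD][iI][vV][xX]
+@{vlc_ext} += [mM][124][vV]
+@{vlc_ext} += [mM][kKoO][vV]
+@{vlc_ext} += [mM][pP][4aAeEgG]
+@{vlc_ext} += [mM][pP][eE][gG]{,[124]}
+@{vlc_ext} += [oO][gG][gGmMxXvV]
+@{vlc_ext} += [rR][mM]{,[vV][bB]}
+@{vlc_ext} += [wW][eE][bB][mM]
+@{vlc_ext} += [wW][mMtT][vV]
+@{vlc_ext} += [mM][pP]2[tT]
+# Image extensions
+# bmp, jpg, jpeg, png, gif
+@{vlc_ext} += [bB][mM][pP]
+@{vlc_ext} += [jJ][pP]{,[eE]}[gG]
+@{vlc_ext} += [pP][nN][gG]
+@{vlc_ext} += [gG][iI][fF]
+# Subtitle extensions:
+# srt, txt, sub
+@{vlc_ext} += [sS][rR][tT]
+@{vlc_ext} += [tT][xX][tT]
+@{vlc_ext} += [sS][uU][bB]
+# Playlist extensions:
+# m3u, m3u8, pls
+@{vlc_ext} += [mM]3[uU]{,8}
+@{vlc_ext} += [pP][lL][sS]
+@{exec_path} = /{usr/,}bin/{c,}vlc
+profile vlc @{exec_path} {
+include <abstractions/base>
+include <abstractions/consoles>
+include <abstractions/opencl-intel>
+include <abstractions/gtk>
+include <abstractions/fonts>
+include <abstractions/fontconfig-cache-read>
+include <abstractions/freedesktop.org>
+include <abstractions/mesa>
+include <abstractions/audio>
+include <abstractions/nvidia>
+include <abstractions/qt5-settings-write>
+include <abstractions/qt5-compose-cache-write>
+include <abstractions/vlc-art-cache-write>
+include <abstractions/nameservice-strict>
+include <abstractions/vulkan>
+include <abstractions/user-download-strict>
+include <abstractions/ssl_certs>
+include <abstractions/devices-usb>
+include <abstractions/deny-root-dir-access>
+signal (receive) set=(term, kill) peer=anyremote//*,
+network inet dgram,
+network inet6 dgram,
+network inet stream,
+network inet6 stream,
+network netlink raw,
+@{exec_path} mrix,
+# Which media files VLC should be able to open
+/ r,
+/home/ r,
+owner @{HOME}/ r,
+owner @{HOME}/**/ r,
+/media/ r,
+owner /media/**/ r,
+owner /{home,media}/**.@{vlc_ext} rw,
+/var/lib/dbus/machine-id r,
+/etc/machine-id r,
+# VLC files
+/usr/share/vlc/{,**} r,
+# VLC config files
+owner @{HOME}/ r,
+owner @{HOME}/.config/vlc/ rw,
+owner @{HOME}/.config/vlc/* rwkl -> @{HOME}/.config/vlc/#[0-9]*[0-9],
+owner @{HOME}/.local/share/vlc/{,*} rw,
+owner @{HOME}/.cache/ rw,
+owner @{HOME}/.cache/vlc/{,**} rw,
+owner @{HOME}/.cache/#[0-9]*[0-9] rw,
+# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
+owner @{HOME}/.config/qt5ct/{,**} r,
+/usr/share/qt5ct/** r,
+/dev/shm/#[0-9]*[0-9] rw,
+deny owner @{PROC}/@{pid}/cmdline r,
+owner @{PROC}/@{pid}/mountinfo r,
+owner @{PROC}/@{pid}/mounts r,
+@{PROC}/@{pid}/net/if_inet6 r,
+deny @{PROC}/sys/kernel/random/boot_id r,
+# Udev enumeration
+@{sys}/bus/ r,
+@{sys}/bus/**/devices/ r,
+@{sys}/devices/**/uevent r,
+@{sys}/class/ r,
+@{sys}/class/**/ r,
+@{run}/udev/data/b254:[0-9]* r, # for /dev/zram*
+@{run}/udev/data/b253:[0-9]* r, # for /dev/dm*
+@{run}/udev/data/b8:[0-9]* r, # for /dev/sd*
+@{run}/udev/data/b7:[0-9]* r, # for /dev/loop*
+/etc/fstab r,
+/usr/share/hwdata/pnp.ids r,
+# Be able to turn off the screensaver while playing movies
+/{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver,
+# Silencer
+deny /{usr/,}lib/@{multiarch}/vlc/{,**} w,
+# file_inherit
+owner /dev/tty[0-9]* rw,
+owner @{HOME}/.anyRemote/anyremote.stdout w,
+profile xdg-screensaver {
+include <abstractions/base>
+include <abstractions/consoles>
+/{usr/,}bin/xdg-screensaver mr,
+/{usr/,}bin/{,ba,da}sh rix,
+/{usr/,}bin/mv rix,
+/{usr/,}bin/{,e}grep rix,
+/{usr/,}bin/sed rix,
+/{usr/,}bin/which rix,
+/{usr/,}bin/xset rix,
+/{usr/,}bin/xautolock rix,
+/{usr/,}bin/dbus-send rix,
+owner @{HOME}/.Xauthority r,
+# file_inherit
+/dev/dri/card[0-9]* rw,
+network inet stream,
+network inet6 stream,
+}
+include if exists <local/vlc>
+}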
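Review bot: `owner /{home,media}/**.@{vlc_ext} rw,` under the "Which media files VLC should be able to open" comment grants write access to every user-owned media file beneath /home and /media, although playback only needs read; a bug in a demuxer handling a hostile file would then be able to alter or truncate the whole library. If writing is needed for particular workflows (saving subtitles, convert/save output), it would be safer to keep this rule at `r` and add a narrower `rw` rule for the output location. `owner @{HOME}/ r,` is also present twice (once under that comment and again under "VLC config files"), and `/dev/shm/#[0-9]*[0-9] rw,` is not owner-restricted, unlike the neighbouring @{HOME}/.cache rule for the same kind of anonymous file.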