feat(profiles): general update.
This commit is contained in:
Alexandre Pujol
parent
0238adaaf1
commit
0f61c4649c
23 changed files with 207 additions and 199 deletions
|
|
@ -19,9 +19,10 @@ profile dbus-daemon-launch-helper @{exec_path} {
|
|||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism rPx,
|
||||
/{usr/,}lib/cups-pk-helper-mechanism rPx,
|
||||
/{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx,
|
||||
/{usr/,}lib/software-properties/software-properties-dbus rPx,
|
||||
|
||||
|
||||
/usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
|
||||
|
||||
/usr/share/dbus-1/{,**} r,
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}bin/plymouth
|
||||
profile plymouth @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
unix (send, receive, connect) type=stream peer=(addr="@/org/freedesktop/plymouthd"),
|
||||
|
||||
|
|
|
|||
|
|
@ -34,105 +34,78 @@ profile pulseaudio @{exec_path} {
|
|||
network bluetooth stream,
|
||||
network bluetooth seqpacket,
|
||||
|
||||
dbus (send)
|
||||
bus=session
|
||||
path=/Client0/EntryGroup[0-9]*
|
||||
interface=org.freedesktop.Avahi.EntryGroup
|
||||
member={GetState,AddService,AddServiceSubtype,Commit}
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
dbus send bus=session path=/Client0/EntryGroup[0-9]*
|
||||
interface=org.freedesktop.Avahi.EntryGroup
|
||||
member={GetState,AddService,AddServiceSubtype,Commit}
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
||||
dbus (receive)
|
||||
bus=session
|
||||
path=/Client0/EntryGroup[0-9]*
|
||||
interface=org.freedesktop.Avahi.EntryGroup
|
||||
member=StateChanged
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
dbus receive bus=session path=/Client0/EntryGroup[0-9]*
|
||||
interface=org.freedesktop.Avahi.EntryGroup
|
||||
member=StateChanged
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
||||
dbus (send)
|
||||
bus=session
|
||||
path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName}
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName}
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus (receive)
|
||||
bus=session
|
||||
path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={Hello,RequestName,ReleaseName}
|
||||
peer=(name=:*),
|
||||
dbus receive bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={Hello,RequestName,ReleaseName}
|
||||
peer=(name=:*),
|
||||
|
||||
dbus (receive)
|
||||
bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect,
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect,
|
||||
|
||||
dbus (bind)
|
||||
bus=session
|
||||
name=org.freedesktop.ReserveDevice[0-9].Audio[0-9],
|
||||
dbus bind bus=session
|
||||
name=org.freedesktop.ReserveDevice[0-9].Audio[0-9],
|
||||
|
||||
dbus (bind)
|
||||
bus=session
|
||||
name=org.PulseAudio[0-9],
|
||||
dbus bind bus=session
|
||||
name=org.PulseAudio[0-9],
|
||||
|
||||
dbus (bind)
|
||||
bus=session
|
||||
name=org.pulseaudio*,
|
||||
dbus bind bus=session
|
||||
name=org.pulseaudio*,
|
||||
|
||||
dbus (send)
|
||||
bus=system
|
||||
path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={Hello,AddMatch,RemoveMatch}
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
dbus send bus=system
|
||||
path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={Hello,AddMatch,RemoveMatch}
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus (send)
|
||||
bus=system
|
||||
path=/org/freedesktop/RealtimeKit[0-9]
|
||||
member={Get,MakeThreadHighPriority,MakeThreadRealtime}
|
||||
peer=(name=org.freedesktop.RealtimeKit[0-9]),
|
||||
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
|
||||
member={Get,MakeThreadHighPriority,MakeThreadRealtime}
|
||||
peer=(name=org.freedesktop.RealtimeKit[0-9]),
|
||||
|
||||
dbus (send)
|
||||
bus=system
|
||||
path=/
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
member=GetManagedObjects
|
||||
peer=(name=org.bluez),
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
member=GetManagedObjects
|
||||
peer=(name=org.bluez),
|
||||
|
||||
dbus (send)
|
||||
bus=system
|
||||
path=/
|
||||
interface=org.freedesktop.DBus.Peer
|
||||
member=Ping
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.DBus.Peer
|
||||
member=Ping
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
||||
dbus (send)
|
||||
bus=system
|
||||
path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member={GetAPIVersion,GetState,EntryGroupNew}
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member={GetAPIVersion,GetState,EntryGroupNew}
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
||||
dbus (receive)
|
||||
bus=system
|
||||
path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member=StateChanged
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
dbus receive bus=system path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member=StateChanged
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
||||
dbus (send)
|
||||
bus=system
|
||||
path=/
|
||||
interface=org.freedesktop.hostname[0-9]
|
||||
member=Get
|
||||
peer=(name=/org/freedesktop/hostname[0-9]),
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.hostname[0-9]
|
||||
member=Get
|
||||
peer=(name=/org/freedesktop/hostname[0-9]),
|
||||
|
||||
dbus (send)
|
||||
bus=system
|
||||
path=/org.freedesktop.hostname[0-9]
|
||||
interface=org.freedesktop.DBus.Prope
|
||||
member=Get
|
||||
peer=(name=/org/freedesktop/hostname[0-9]),
|
||||
dbus send bus=system path=/org.freedesktop.hostname[0-9]
|
||||
interface=org.freedesktop.DBus.Prope
|
||||
member=Get
|
||||
peer=(name=/org/freedesktop/hostname[0-9]),
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}bin/update-mime-database
|
||||
profile update-mime-database @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
|
|
|
|||
|
|
@ -31,6 +31,12 @@ profile evolution-calendar-factory @{exec_path} {
|
|||
interface=org.freedesktop.NetworkManager
|
||||
member={CheckPermissions,StateChanged},
|
||||
|
||||
dbus (send,receive) bus=session path=/org/gnome/evolution/dataserver{,/**}
|
||||
interface={org.freedesktop.DBus.{Introspectable,ObjectManager,Properties},org.gnome.evolution.dataserver.*},
|
||||
|
||||
dbus bind bus=session
|
||||
name=org.gnome.evolution.dataserver.Calendar[0-9],
|
||||
|
||||
@{exec_path} mr,
|
||||
@{exec_path}-subprocess rix,
|
||||
|
||||
|
|
|
|||
|
|
@ -49,6 +49,23 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
interface=org.freedesktop.login[0-9].Manager
|
||||
member={SessionNew,PrepareForShutdown,SessionRemoved},
|
||||
|
||||
dbus (send,receive) bus=session path=/org/gnome/SessionManager{,/**}
|
||||
interface={org.freedesktop.DBus.{Properties,Introspectable},org.gnome.SessionManager},
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd1.Manager
|
||||
peer=(name=:org.freedesktop.systemd1),
|
||||
|
||||
dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core
|
||||
interface=org.gnome.Mutter.IdleMonitor
|
||||
member=AddIdleWatch
|
||||
peer=(name=:*),
|
||||
|
||||
dbus send bus=session path=/org/gnome/ScreenSaver
|
||||
interface=org.gnome.ScreenSaver
|
||||
member=GetActive
|
||||
peer=(name=:*),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{,z,ba,da}sh rix,
|
||||
|
|
@ -57,6 +74,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
/{usr/,}bin/mkdir rix,
|
||||
/{usr/,}bin/touch rix,
|
||||
/{usr/,}bin/gsettings rix,
|
||||
/{usr/,}bin/gsettings-data-convert rix,
|
||||
/{usr/,}bin/session-migration rix,
|
||||
/{usr/,}bin/xdg-user-dirs-gtk-update rix,
|
||||
@{libexec}/gnome-session-check-accelerated rix,
|
||||
|
|
@ -124,22 +142,23 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_share_dirs}/applications/mimeinfo.cache r,
|
||||
owner @{user_share_dirs}/session_migration-ubuntu r,
|
||||
|
||||
owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
|
||||
owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl,
|
||||
owner @{run}/user/@{uid}/systemd/notify w,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
@{run}/systemd/sessions/* r,
|
||||
@{run}/systemd/sessions/*.ref rw,
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
|
||||
owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl,
|
||||
owner @{run}/user/@{uid}/systemd/notify w,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
|
||||
@{sys}/devices/**/{vendor,device} r,
|
||||
|
||||
owner @{PROC}/@{pid}/loginuid r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pid}/cgroup r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/loginuid r,
|
||||
|
||||
/dev/tty rw,
|
||||
/dev/tty[0-9]* rw,
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
signal (receive) set=(hup) peer=gsd-print-notifications,
|
||||
|
|
@ -25,8 +26,26 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) {
|
|||
dbus bind bus=system
|
||||
name=com.redhat.PrinterDriversInstaller,
|
||||
|
||||
dbus (send,receive) bus=session path=/org/gnome/SessionManager
|
||||
interface=org.gnome.SessionManager
|
||||
peer=(name=:*),
|
||||
|
||||
dbus send bus=session path=/org/gnome/SessionManager
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*),
|
||||
|
||||
dbus receive bus=session path=/
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner /tmp/[a-z0-9]* rw,
|
||||
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
||||
include if exists <local/gsd-printer>
|
||||
|
|
|
|||
|
|
@ -46,6 +46,7 @@ profile mullvad-gui @{exec_path} {
|
|||
/var/lib/dbus/machine-id r,
|
||||
|
||||
owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk,
|
||||
owner @{user_share_dirs}/gvfs-metadata/* r,
|
||||
|
||||
owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw,
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
|
||||
|
|
|
|||
|
|
@ -18,6 +18,8 @@ profile networkd-dispatcher @{exec_path} {
|
|||
/{usr/,}bin/ r,
|
||||
/{usr/,}bin/networkctl rPx,
|
||||
|
||||
/etc/networkd-dispatcher/{,**} r,
|
||||
|
||||
@{run}/systemd/notify rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
|
|
|||
|
|
@ -26,11 +26,10 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/* r,
|
||||
/{usr/,}sbin/* r,
|
||||
@{libexec}/** r,
|
||||
/opt/** r,
|
||||
/ r,
|
||||
/{usr/,}{s,}bin/* r,
|
||||
/opt/** r,
|
||||
|
||||
/etc/systemd/coredump.conf r,
|
||||
|
||||
|
|
@ -38,15 +37,15 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) {
|
|||
owner /var/lib/systemd/coredump/#[0-9]* rwl,
|
||||
owner /var/lib/systemd/coredump/core.*.zst rwl -> /var/lib/systemd/coredump/#[0-9]*,
|
||||
|
||||
owner @{PROC}/@{pid}/setgroups r,
|
||||
@{PROC}/@{pids}/comm r,
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
@{PROC}/@{pids}/limits r,
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
@{PROC}/@{pids}/comm r,
|
||||
@{PROC}/@{pids}/environ r,
|
||||
@{PROC}/@{pids}/fd/ r,
|
||||
@{PROC}/@{pids}/fdinfo/[0-9]* r,
|
||||
@{PROC}/@{pids}/limits r,
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/setgroups r,
|
||||
|
||||
include if exists <local/systemd-coredump>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -26,8 +26,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
|
|||
peer=(name=org.freedesktop.PolicyKit1),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/hostname[0-9]
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={Get,GetAll,SetHostname},
|
||||
interface=org.freedesktop.{DBus.Properties,hostname1}
|
||||
member={Get,GetAll,SetHostname}
|
||||
peer=(name=:*),
|
||||
|
||||
dbus bind bus=system
|
||||
name=org.freedesktop.hostname[0-9],
|
||||
|
|
|
|||
|
|
@ -39,6 +39,11 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
|
|||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/network[0-9]/link/*
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus bind bus=system
|
||||
name=org.freedesktop.network1,
|
||||
|
||||
|
|
@ -55,6 +60,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
|
|||
|
||||
@{run}/systemd/network/ r,
|
||||
@{run}/systemd/network/*.network r,
|
||||
@{run}/systemd/notify rw,
|
||||
owner @{run}/systemd/netif/.#state rw,
|
||||
owner @{run}/systemd/netif/.#state* rw,
|
||||
owner @{run}/systemd/netif/leases/.#* rw,
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}lib/systemd/systemd-timesyncd
|
||||
profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/systemd-common>
|
||||
|
||||
|
|
@ -20,6 +21,9 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
|
|||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
||||
dbus bind bus=system
|
||||
name=org.freedesktop.timesync1,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/adjtime r,
|
||||
|
|
@ -34,19 +38,5 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/systemd/netif/state r,
|
||||
@{run}/systemd/notify rw,
|
||||
|
||||
# dbus-stricter
|
||||
@{run}/dbus/system_bus_socket rw,
|
||||
|
||||
dbus send
|
||||
bus=system
|
||||
path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={Hello,RequestName}
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus bind
|
||||
bus=system
|
||||
name=org.freedesktop.timesync1,
|
||||
|
||||
include if exists <local/systemd-timesyncd>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ profile update-motd-fsck-at-reboot @{exec_path} {
|
|||
|
||||
/{usr/,}{s,}bin/dumpe2fs rPx,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/{m,}awk rix,
|
||||
/{usr/,}bin/{m,g,}awk rix,
|
||||
/{usr/,}bin/cat rix,
|
||||
/{usr/,}bin/cut rix,
|
||||
/{usr/,}bin/date rix,
|
||||
|
|
@ -37,6 +37,7 @@ profile update-motd-fsck-at-reboot @{exec_path} {
|
|||
@{sys}/devices/virtual/block/**/ r,
|
||||
@{sys}/devices/virtual/block/**/autoclear r,
|
||||
@{sys}/devices/virtual/block/**/backing_file r,
|
||||
@{sys}/devices/virtual/block/dm-[0-9]*/dm/name r,
|
||||
|
||||
@{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue