felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): cleanup and remove open subprofile when it is useless.

Browse source
This commit is contained in:
Alexandre Pujol 2024-10-06 15:46:07 +01:00
parent 36f620dab1
commit 105a9b4def
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
14 changed files with 111 additions and 482 deletions
Download patch file Download diff file Expand all files Collapse all files

28
apparmor.d/profiles-g-l/gtk-youtube-viewer
View file

@ -40,8 +40,7 @@ profile gtk-youtube-viewer @{exec_path} {
@{lib}/firefox/firefox rPx,
@{bin}/xdg-open rCx -> open,
@{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open,
@{open_path} rPx -> child-open,
owner @{user_config_dirs}/youtube-viewer/{,*} rw,
@ -91,30 +90,7 @@ profile gtk-youtube-viewer @{exec_path} {
# file_inherit
owner @{HOME}/.xsession-errors w,
}
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
@{bin}/xdg-open mr,
@{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
include if exists <local/gtk-youtube-viewer_xterm>
}
include if exists <local/gtk-youtube-viewer>

94
apparmor.d/profiles-g-l/hardinfo
View file

@ -12,9 +12,7 @@ profile hardinfo @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/desktop>
include <abstractions/nameservice-strict>
include <abstractions/python>
include <abstractions/user-download-strict>
@ -49,7 +47,7 @@ profile hardinfo @{exec_path} {
@{lib}/@{multiarch}/valgrind/memcheck-*-linux rix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/xdg-open rCx -> open,
@{open_path} rPx -> child-open,
@{bin}/ccache rCx -> ccache,
@{bin}/kmod rCx -> kmod,
@ -62,8 +60,22 @@ profile hardinfo @{exec_path} {
@{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac,
/usr/share/gdb/python/ r,
/usr/share/gdb/python/** r,
/usr/share/hardinfo/{,**} r,
/etc/fstab r,
/etc/exports r,
/etc/samba/smb.conf r,
/etc/gdb/gdbinit.d/ r,
/var/log/wtmp r,
owner @{HOME}/.hardinfo/ rw,
owner @{tmp}/#@{int} rw,
@{sys}/class/power_supply/ r,
@{sys}/class/thermal/ r,
@{sys}/bus/i2c/drivers/eeprom/ r,
@ -78,48 +90,27 @@ profile hardinfo @{exec_path} {
@{sys}/devices/@{pci}/hwmon/hwmon@{int}/temp* r,
@{sys}/devices/**/power_supply/** r,
@{PROC}/@{pid}/net/wireless r,
@{PROC}/@{pid}/net/dev r,
@{PROC}/@{pid}/net/arp r,
@{PROC}/@{pid}/net/dev r,
@{PROC}/@{pid}/net/route r,
@{PROC}/@{pid}/net/wireless r,
@{PROC}/@{pids}/loginuid r,
@{PROC}/asound/cards r,
@{PROC}/bus/input/devices r,
@{PROC}/dma r,
@{PROC}/iomem r,
@{PROC}/ioports r,
@{PROC}/loadavg r,
@{PROC}/scsi/scsi r,
@{PROC}/sys/kernel/random/entropy_avail r,
@{PROC}/uptime r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/@{pids}/loginuid r,
@{PROC}/uptime r,
@{PROC}/loadavg r,
@{PROC}/ioports r,
@{PROC}/iomem r,
@{PROC}/dma r,
@{PROC}/asound/cards r,
@{PROC}/scsi/scsi r,
@{PROC}/bus/input/devices r,
@{PROC}/sys/kernel/random/entropy_avail r,
@{PROC}/@{pids}/net/route r,
/etc/fstab r,
/etc/exports r,
/etc/samba/smb.conf r,
/etc/gdb/gdbinit.d/ r,
/usr/share/gdb/python/ r,
/usr/share/gdb/python/** r,
/var/log/wtmp r,
owner @{HOME}/.hardinfo/ rw,
owner @{tmp}/#@{int} rw,
# Allowed apps to open
@{lib}/firefox/firefox rPUx,
# Silencer
deny /usr/share/gdb/python/** w,
# file_inherit
owner /dev/tty@{int} rw,
deny /usr/share/gdb/python/** w,
profile ccache {
include <abstractions/base>
@ -134,6 +125,7 @@ profile hardinfo @{exec_path} {
/etc/debian_version r,
include if exists <local/hardinfo_ccache>
}
profile javac {
@ -157,29 +149,7 @@ profile hardinfo @{exec_path} {
owner @{tmp}/hsperfdata_@{user}/ rw,
owner @{tmp}/hsperfdata_@{user}/@{pid} rw,
}
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
@{bin}/xdg-open mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
include if exists <local/hardinfo_javac>
}
profile kmod {