felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Ubuntu 22.04, third batch (#65)

Browse source 
* initial

* ready

* cleanup

* cleanup2

* Update dbus-gtk
This commit is contained in:
nobodysu 2022-09-06 17:00:18 +00:00 committed by GitHub
parent 672d0a758b
commit 1649b427f8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 272 additions and 104 deletions
Download patch file Download diff file Expand all files Collapse all files

43
apparmor.d/groups/apps/thunderbird
View file

@ -8,6 +8,9 @@ abi <abi/3.0>,
include <tunables/global>
@{FIREFOX_BIN} = /{usr/,}lib/firefox{,-esr}/firefox
@{FIREFOX_BIN} += /opt/firefox{,-esr}/firefox
@{MOZ_LIBDIR} = /{usr/,}lib/thunderbird
@{MOZ_HOMEDIR} = @{HOME}/.thunderbird
@{MOZ_CACHEDIR} = @{user_cache_dirs}/thunderbird
@ -17,12 +20,13 @@ include <tunables/global>
profile thunderbird @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/opencl-intel>
include <abstractions/nameservice-strict>
include <abstractions/gtk>
include <abstractions/wayland>
include <abstractions/mesa>
include <abstractions/opencl-intel>
include <abstractions/nvidia>
include <abstractions/vulkan>
include <abstractions/mesa>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
@ -30,10 +34,9 @@ profile thunderbird @{exec_path} {
include <abstractions/enchant>
include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/dconf-write>
include <abstractions/ibus>
include <abstractions/dconf-write>
include <abstractions/dbus-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-gtk>
@ -54,28 +57,30 @@ profile thunderbird @{exec_path} {
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w,
dbus (send) bus=session path=/org/freedesktop/DBus
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=RequestName
peer=(name=org.freedesktop.DBus),
dbus (send) bus=system path=/org/freedesktop/RealtimeKit[0-9]*
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]*
member={Get,MakeThreadHighPriority,MakeThreadRealtime}
peer=(name=org.freedesktop.RealtimeKit[0-9]*),
dbus (send) bus=system path=/org/freedesktop/UPower
dbus send bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=EnumerateDevices
peer=(name=org.freedesktop.UPower),
dbus (send) bus=session path=/ca/desrt/dconf/Writer/user
dbus send bus=session path=/ca/desrt/dconf/Writer/user
interface=ca.desrt.dconf.Writer
member={Change,Notify}
peer=(name=ca.desrt.dconf),
dbus (bind) bus=session
dbus bind bus=session
name=org.mozilla.thunderbird.*,
deny dbus send bus=system path=/org/freedesktop/hostname[0-9]*,
owner /tmp/dbus-[0-9a-zA-Z]* rw,
@{exec_path} mrix,
@ -121,6 +126,7 @@ profile thunderbird @{exec_path} {
owner @{HOME}/ r,
owner @{HOME}/Mail/ rw,
owner @{HOME}/Mail/** rwl -> @{HOME}/Mail/**,
owner @{user_share_dirs}/ r,
# Fix error in libglib while saving files as
/usr/share/glib-2.0/schemas/gschemas.compiled r,
@ -143,7 +149,6 @@ profile thunderbird @{exec_path} {
/usr/share/qt5ct/** r,
# gnome-tiny
/etc/gnome/defaults.list r,
/usr/share/gvfs/remote-volume-monitors/{,*} r,
@{run}/mount/utab r,
@ -195,13 +200,12 @@ profile thunderbird @{exec_path} {
/etc/timezone r,
/usr/share/sounds/freedesktop/stereo/*.oga r,
/usr/share/ubuntu/applications/{,*} r,
# Silencer
deny /{usr/,}lib/thunderbird/** w,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/xdg-{open,mime} rCx -> open,
/{usr/,}bin/exo-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
@ -213,11 +217,11 @@ profile thunderbird @{exec_path} {
/{usr/,}bin/gpgsm rCx -> gpg,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/engrampa rPx,
/{usr/,}bin/geany rPx,
@{FIREFOX_BIN} rPx,
# file_inherit
owner /dev/tty[0-9]* rw,
@ -284,21 +288,22 @@ profile thunderbird @{exec_path} {
/{usr/,}bin/exo-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,m,g}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,m,g}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/xfce4-mime-helper rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/engrampa rPx,
/{usr/,}bin/geany rPx,
@{FIREFOX_BIN} rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,

69
apparmor.d/groups/apps/vlc
View file

@ -53,30 +53,27 @@ include <tunables/global>
profile vlc @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/opencl-intel>
include <abstractions/nameservice-strict>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/opencl-intel>
include <abstractions/mesa>
include <abstractions/audio>
include <abstractions/vulkan>
include <abstractions/nvidia>
include <abstractions/audio>
include <abstractions/qt5-settings-write>
include <abstractions/qt5-compose-cache-write>
include <abstractions/vlc-art-cache-write>
include <abstractions/nameservice-strict>
include <abstractions/vulkan>
include <abstractions/user-download-strict>
include <abstractions/private-files-strict>
include <abstractions/ssl_certs>
include <abstractions/devices-usb>
include <abstractions/ibus>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-gtk>
include <abstractions/dconf-write>
include <abstractions/ibus>
# capability sys_ptrace,
# ptrace (read),
include <abstractions/devices-usb>
include <abstractions/vlc-art-cache-write>
signal (receive) set=(term, kill) peer=anyremote//*,
@ -86,67 +83,62 @@ profile vlc @{exec_path} {
network inet6 stream,
network netlink raw,
dbus (send) bus=session path=/org/freedesktop/DBus
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName,GetConnectionUnixProcessID}
peer=(name=org.freedesktop.DBus),
dbus (receive) bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.Notifications
member=NotificationClosed
peer=(name=:*),
dbus (send) bus=session path=/org/a11y/bus
dbus send bus=session path=/org/a11y/bus
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.a11y.Bus),
dbus (send) bus=session path=/StatusNotifierWatcher
dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=org.kde.StatusNotifierWatcher),
dbus (send) bus=session path=/StatusNotifierWatcher
dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties
member={Get,RegisterStatusNotifierItem}
peer=(name=org.kde.StatusNotifierWatcher),
dbus (send) bus=session path=/StatusNotifierWatcher
dbus send bus=session path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem
peer=(name=org.kde.StatusNotifierWatcher),
dbus (send) bus=session path=/StatusNotifierItem
dbus send bus=session path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member={NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon}
peer=(name=org.freedesktop.DBus),
dbus (receive) bus=session path=/StatusNotifierItem
dbus receive bus=session path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member=Activate
peer=(name=:*),
dbus (receive) bus=session path=/StatusNotifierItem
dbus receive bus=session path=/StatusNotifierItem
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name=:*),
dbus (send) bus=session path=/ScreenSaver
dbus send bus=session path=/ScreenSaver
interface=org.freedesktop.ScreenSaver
member={Inhibit,UnInhibit}
peer=(name=org.freedesktop.ScreenSaver),
dbus (receive) bus=session path=/MenuBar
dbus receive bus=session path=/MenuBar
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus (send) bus=session path=/MenuBar
dbus send bus=session path=/MenuBar
interface=com.canonical.dbusmenu
member={LayoutUpdated,ItemsPropertiesUpdated}
peer=(name=org.freedesktop.DBus),
dbus (receive) bus=session path=/MenuBar
dbus receive bus=session path=/MenuBar
interface=com.canonical.dbusmenu
member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}
peer=(name=:*),
@ -157,47 +149,47 @@ profile vlc @{exec_path} {
dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
interface=org.mpris.MediaPlayer2.*
peer=(name="{org.mpris.MediaPlayer2.vlc,:*,org.freedesktop.DBus}"), # all members
peer=(name="{org.mpris.MediaPlayer2.vlc,org.freedesktop.DBus,:*}"), # all members
# dbus (send) bus=system path=/
# dbus send bus=system path=/
# interface=org.freedesktop.DBus.Peer
# member=Ping,
# peer=(name="org.freedesktop.Avahi"),
dbus (send) bus=accessibility path=/org/freedesktop/DBus
dbus send bus=accessibility path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch}
peer=(name=org.freedesktop.DBus),
dbus (send) bus=accessibility path=/org/a11y/atspi/accessible/root
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry),
dbus (receive) bus=accessibility path=/org/a11y/atspi/accessible/root
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name=:*),
dbus (send) bus=accessibility path=/org/a11y/atspi/registry
dbus send bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=GetRegisteredEvents
peer=(name=org.a11y.atspi.Registry),
dbus (receive) bus=accessibility path=/org/a11y/atspi/registry
dbus receive bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=EventListenerDeregistered
peer=(name=:*),
dbus (send) bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
interface=org.a11y.atspi.DeviceEventController
member={GetKeystrokeListeners,GetDeviceEventListeners}
peer=(name=org.a11y.atspi.Registry),
dbus (bind) bus=session
dbus bind bus=session
name=org.kde.StatusNotifierItem-*,
dbus (bind) bus=session
dbus bind bus=session
name=org.mpris.MediaPlayer2.vlc{,.instance*},
@{exec_path} mrix,
@ -257,6 +249,7 @@ profile vlc @{exec_path} {
/etc/fstab r,
/usr/share/hwdata/pnp.ids r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# Be able to turn off the screensaver while playing movies
/{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver,
@ -294,4 +287,4 @@ profile vlc @{exec_path} {
}
include if exists <local/vlc>
}
}