feat(profile): various Ubuntu-based improvements.

This commit is contained in:
Alexandre Pujol 2025-08-24 22:15:51 +02:00
parent f21fecc25a
commit 1724040229
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
22 changed files with 107 additions and 11 deletions


@ -65,11 +65,13 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/usr/share/gdm/greeter/applications/{,**} r,
/usr/share/thumbnailers/{,**} r, /usr/share/thumbnailers/{,**} r,
owner @{desktop_cache_dirs}/dconf/user r, owner @{desktop_cache_dirs}/dconf/user r,
owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
owner @{desktop_config_dirs}/dconf/user r, owner @{desktop_config_dirs}/dconf/user r,
owner @{desktop_share_dirs}/applications/{,**} r,
owner @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{DESKTOP_HOME}/greeter-dconf-defaults r,
owner @{HOME}/ r, owner @{HOME}/ r,


@ -17,6 +17,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) {
unix (send,receive) type=stream addr=none peer=(label=gnome-shell), unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
unix (send,receive) type=stream addr=none peer=(label=xwayland), unix (send,receive) type=stream addr=none peer=(label=xwayland),
unix (send,receive) type=stream addr=none peer=(label=kwin_wayland),
@{exec_path} mr, @{exec_path} mr,


@ -37,6 +37,8 @@ profile evolution-alarm-notify @{exec_path} {
/etc/timezone r, /etc/timezone r,
owner @{user_share_dirs}/evolution/datetime-formats.ini r,
include if exists <local/evolution-alarm-notify> include if exists <local/evolution-alarm-notify>
} }


@ -36,6 +36,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
@{bin}/sed rix, @{bin}/sed rix,
@{bin}/tr rix, @{bin}/tr rix,
/usr/share/byobu/desktop/{,**} r,
/usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r,
/ r, / r,


@ -29,7 +29,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r,
owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rw, owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rwl,
owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/dconf/user r,
@{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/@{pci}/boot_vga r,
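Review bot: The new `l` permission on the gdm fontconfig cache rule carries no `-> target`, so the allowed hard-link destination is left to AppArmor's implicit subset check rather than being stated in the rule. Other link rules touched by this commit (the ssh gvfsd-sftp rules and the software-properties-gtk `/dev/shm/sem.*` rule) pin the target explicitly, and fontconfig only ever links the `.TMP-*` file onto the final cache name within the same directory. I would write it as `owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rwl -> @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}},` so the rename-by-link cannot be widened later by an unrelated rw rule.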


@ -72,7 +72,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
@{bin}/file-roller rPx, @{bin}/file-roller rPx,
@{bin}/firejail rPUx, @{bin}/firejail rPUx,
@{bin}/net rPUx, @{bin}/net rPUx,
@{bin}/tracker3 rPUx,
@{bin}/* r,
@{lib}/@{multiarch}/glib-2.0/gio-launch-desktop m,
@{open_path} rPx -> child-open, @{open_path} rPx -> child-open,
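Review bot: `@{bin}/tracker3 rPUx,` falls back to running tracker3 unconfined whenever no `tracker3` profile is loaded, and tracker3 is an indexer that will walk the user's files with nautilus's environment. If this corpus ships a tracker3 profile, `@{bin}/tracker3 rPx,` keeps the transition strict and makes a missing profile a visible denial instead of a silent escape; if it does not, that is worth a comment on the line. The neighbouring `firejail`/`net` rules already use `rPUx`, so this is a judgement call, but indexers are a poor candidate for the unconfined fallback.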


@ -13,6 +13,10 @@ profile ptyxis @{exec_path} {
include <abstractions/common/gnome> include <abstractions/common/gnome>
include <abstractions/consoles> include <abstractions/consoles>
unix type=stream peer=(label=ptyxis-agent),
#aa:dbus own bus=session name=org.gnome.Ptyxis
@{exec_path} mr, @{exec_path} mr,
@{lib}/ptyxis-agent Px, @{lib}/ptyxis-agent Px,
@ -25,11 +29,12 @@ profile ptyxis @{exec_path} {
owner @{user_config_dirs}/org.gnome.Ptyxis/ rw, owner @{user_config_dirs}/org.gnome.Ptyxis/ rw,
owner @{user_config_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_config_dirs}/org.gnome.Ptyxis/**, owner @{user_config_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_config_dirs}/org.gnome.Ptyxis/**,
owner @{user_config_dirs}/ubuntu-xdg-terminals.list r,
owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, owner @{user_share_dirs}/org.gnome.Ptyxis/ rw,
owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**,
owner /tmp/#@{int} w, owner /tmp/#@{int} rw,
/dev/ptmx rw, /dev/ptmx rw,
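Review bot: `unix type=stream peer=(label=ptyxis-agent),` in the first hunk has no access list, so it grants every unix permission (create, bind, listen, accept, connect, send, receive, getattr, setattr) towards the agent rather than just the data exchange. The xkbcomp hunk in this same commit scopes its peer rules to `(send,receive)`, and a socket handed to the agent over a socketpair needs no more than that. I would narrow it to `unix (send,receive) type=stream peer=(label=ptyxis-agent),` and only add `connect` if a log shows ptyxis itself connecting to an agent-owned socket.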


@ -25,7 +25,9 @@ profile ptyxis-agent @{exec_path} {
@{bin}/podman Px, @{bin}/podman Px,
@{bin}/systemd-run Cx -> shell, @{bin}/systemd-run Cx -> shell,
/usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{user_share_dirs}/containers/ w,
owner @{user_share_dirs}/containers/storage/ w,
owner @{user_share_dirs}/containers/storage/overlay-containers/ w,
@{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/cmdline r,
@ -37,9 +39,13 @@ profile ptyxis-agent @{exec_path} {
signal send, signal send,
unix bind type=stream addr=@@{udbus}/bus/systemd-run/,
@{bin}/systemd-run mr, @{bin}/systemd-run mr,
@{bin}/@{shells} Ux, @{bin}/@{shells} Ux,
owner @{run}/user/@{uid}/systemd/private rw,
include if exists <local/ptyxis-agent_shell> include if exists <local/ptyxis-agent_shell>
} }


@ -52,11 +52,14 @@ profile snap @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix, @{exec_path} mrix,
@{sh_path} mr,
@{bin}/mount rix, @{bin}/mount rix,
@{bin}/getent rix, @{bin}/getent rix,
@{bin}/gpg{,2} rCx -> gpg, @{bin}/gpg{,2} rCx -> gpg,
@{bin}/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,
@{bin}/systemd-run rCx -> run, # Start snap from the cli
@{bin}/xdg-settings rCx -> xdg-settings,
@{lib_dirs}/** mr, @{lib_dirs}/** mr,
@{lib_dirs}/snapd/snap-confine rPx, @{lib_dirs}/snapd/snap-confine rPx,
@ -98,7 +101,7 @@ profile snap @{exec_path} flags=(attach_disconnected) {
@{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/random/uuid r,
@{PROC}/sys/kernel/seccomp/actions_avail r, @{PROC}/sys/kernel/seccomp/actions_avail r,
@{PROC}/version r, @{PROC}/version r,
owner @{PROC}/@{pid}/attr/apparmor/current r, @{PROC}/@{pid}/attr/apparmor/current r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
/dev/tty@{int} rw, /dev/tty@{int} rw,
@ -125,6 +128,49 @@ profile snap @{exec_path} flags=(attach_disconnected) {
include if exists <local/snap_gpg> include if exists <local/snap_gpg>
} }
profile xdg-settings {
include <abstractions/base>
include <abstractions/desktop-files>
@{bin}/xdg-settings mr,
@{sh_path} r,
@{bin}/{,e}grep rix,
@{bin}/basename rix,
@{bin}/cat ix,
@{bin}/cut rix,
@{bin}/head ix,
@{bin}/mkdir ix,
@{bin}/mktemp ix,
@{bin}/mv ix,
@{bin}/readlink ix,
@{bin}/realpath rix,
@{bin}/rm ix,
@{bin}/sed ix,
@{bin}/sleep ix,
@{bin}/sort ix,
@{bin}/touch ix,
@{bin}/tr ix,
@{bin}/uname ix,
@{bin}/wc ix,
@{bin}/xdg-mime Px,
include if exists <local/snap_xdg-settings>
}
profile run {
include <abstractions/base>
unix bind type=stream addr=@@{udbus}/bus/systemd-run/,
@{bin}/systemd-run mr,
owner @{run}/user/@{uid}/systemd/private rw,
include if exists <local/snap_run>
}
profile systemctl { profile systemctl {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/systemctl> include <abstractions/app/systemctl>
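Review bot: Dropping `owner` from `@{PROC}/@{pid}/attr/apparmor/current r,` lets the snap client read the confinement label of any process on the system, not just its own, and nothing in the hunk says which foreign pid it needs. If the motivating denial was snap inspecting a specific child or parent, a comment naming that case would justify the widening; if it was only ever `@{PROC}/@{pid}` resolving to self, the `owner` form already covered it and should stay. Low impact as labels are not secret, but the profile elsewhere keeps `owner` on the adjacent `mounts` rule, so the asymmetry will read as an accident.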


@ -61,6 +61,7 @@ profile snap-update-ns @{exec_path} {
@{sys}/fs/cgroup/{,**/} r, @{sys}/fs/cgroup/{,**/} r,
@{sys}/fs/cgroup/system.slice/snap.*.service/cgroup.freeze rw, @{sys}/fs/cgroup/system.slice/snap.*.service/cgroup.freeze rw,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.scope/cgroup.freeze rw,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze rw, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze rw,
@{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cgroup r,


@ -45,8 +45,8 @@ profile ssh @{exec_path} {
audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl,
owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} wl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand},
owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} wl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand},
owner @{run}/user/@{uid}/keyring/ssh rw, owner @{run}/user/@{uid}/keyring/ssh rw,
@{sys}/ r, @{sys}/ r,


@ -37,6 +37,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
/opt/** r, /opt/** r,
/usr/share/*/** r, /usr/share/*/** r,
@{user_lib_dirs}/** r, @{user_lib_dirs}/** r,
/snap/*/@{int}/opt/** r,
/snap/*/@{int}/usr/** r,
/etc/systemd/coredump.conf r, /etc/systemd/coredump.conf r,
/etc/systemd/coredump.conf.d/{,**} r, /etc/systemd/coredump.conf.d/{,**} r,
@ -45,6 +47,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
/var/lib/systemd/coredump/{,**} rwl, /var/lib/systemd/coredump/{,**} rwl,
owner @{run}/user/@{uid}/snap.*/.org.chromium.Chromium.@{rand6} r,
@{att}/@{run}/systemd/coredump rw, @{att}/@{run}/systemd/coredump rw,
@{run}/systemd/coredump rw, @{run}/systemd/coredump rw,
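Review bot: The `owner` qualifier on `owner @{run}/user/@{uid}/snap.*/.org.chromium.Chromium.@{rand6} r,` only matches when the coredump handler's fsuid equals the crashing user's uid; I believe systemd-coredump runs as a dedicated service user or root rather than as the crashing user, in which case this rule never matches and the original denial persists. Confirm against the audit entry that prompted it: if the fsuid logged there is not the user's, the rule needs `@{run}/user/@{uid}/snap.*/.org.chromium.Chromium.@{rand6} r,` without `owner`, which is still tightly scoped by path. A one-line comment saying this is a Chromium shared-memory mapping picked up while walking the crashing process's maps would help the next reader.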


@ -35,6 +35,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) {
network inet6 dgram, network inet6 dgram,
network netlink raw, network netlink raw,
unix type=stream addr=@@{udbus}/bus/udevadm/,
@{exec_path} mrix, @{exec_path} mrix,
@{sh_path} rix, @{sh_path} rix,
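Review bot: `unix type=stream addr=@@{udbus}/bus/udevadm/,` grants every unix operation on that abstract address; the same address pattern in the ptyxis-agent shell and snap `run` subprofiles of this commit is limited to `unix bind`. Since udevd runs `udevadm` under its own profile via `rix`, binding the sd-bus abstract socket is presumably all that is needed, so `unix bind type=stream addr=@@{udbus}/bus/udevadm/,` should suffice. Add `listen`/`accept` only if a subsequent denial shows udevd actually serving connections on it.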


@ -43,6 +43,11 @@ profile apport @{exec_path} flags=(attach_disconnected) {
/var/lib/dpkg/info/ r, /var/lib/dpkg/info/ r,
/var/lib/dpkg/info/*.list r, /var/lib/dpkg/info/*.list r,
/var/lib/dpkg/info/*.md5sums r, /var/lib/dpkg/info/*.md5sums r,
/var/lib/dpkg/diversions r,
/var/lib/dpkg/triggers/* r,
/var/lib/dpkg/updates/ r,
/var/lib/systemd/coredump/*.zst r,
/var/crash/ rw, /var/crash/ rw,
/var/crash/*.@{uid}.crash rw, /var/crash/*.@{uid}.crash rw,


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/software-properties-gtk @{exec_path} = @{bin}/software-properties-gtk
profile software-properties-gtk @{exec_path} { profile software-properties-gtk @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio-client> include <abstractions/audio-client>
include <abstractions/bus-accessibility> include <abstractions/bus-accessibility>
@ -62,6 +62,10 @@ profile software-properties-gtk @{exec_path} {
owner @{tmp}/tmp@{word8}/ rw, owner @{tmp}/tmp@{word8}/ rw,
owner @{tmp}/tmp@{word8}/apt.conf rw, owner @{tmp}/tmp@{word8}/apt.conf rw,
/dev/shm/ r,
owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6},
owner /dev/shm/sem.mp-@{rand8} rw,
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
@{sys}/devices/ r, @{sys}/devices/ r,
@ -75,6 +79,7 @@ profile software-properties-gtk @{exec_path} {
owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/stat r,
# Silencer # Silencer
deny @{user_share_dirs}/gvfs-metadata/* r, deny @{user_share_dirs}/gvfs-metadata/* r,
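Review bot: The profile header gains `flags=(attach_disconnected)` but no rule in the diff shows which disconnected path needed it, and the flag quietly makes paths from detached mount namespaces match as if rooted at `/`, which is a broad relaxation for a GUI that edits apt sources as root. If the trigger was the `/dev/shm/sem.*` semaphores added in the same section, say so in a comment on the flag, e.g. `# attach_disconnected: needed for Python multiprocessing semaphores in /dev/shm`, so a later reviewer can drop it when the cause goes away. Pinning the reason is also what lets the `owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6},` rule stay this narrow.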


@ -52,6 +52,8 @@ profile ubuntu-advantage @{exec_path} {
/etc/machine-id r, /etc/machine-id r,
owner @{user_cache_dirs}/ubuntu-pro/{,**} rw,
owner @{tmp}/tmp[0-9a-z]*/apt.conf r, owner @{tmp}/tmp[0-9a-z]*/apt.conf r,
owner @{tmp}/[0-9a-z]*{,/} rw, owner @{tmp}/[0-9a-z]*{,/} rw,
owner @{tmp}/[0-9a-z]*/apt-helper-output rw, owner @{tmp}/[0-9a-z]*/apt-helper-output rw,


@ -20,6 +20,8 @@ profile who @{exec_path} {
@{run}/systemd/sessions/* r, @{run}/systemd/sessions/* r,
# file_inherit
deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
deny owner @{user_share_dirs}/zed/**/data.mdb rw, deny owner @{user_share_dirs}/zed/**/data.mdb rw,


@ -42,6 +42,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) {
owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw,
owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw,
owner /var/lib/fwupd/ w,
owner /var/lib/fwupd/.cache/ w, owner /var/lib/fwupd/.cache/ w,
@{user_cache_dirs}/dconf/user rw, @{user_cache_dirs}/dconf/user rw,


@ -174,6 +174,7 @@ profile mkinitramfs @{exec_path} {
/usr/share/initramfs-tools/scripts/{,**/} r, /usr/share/initramfs-tools/scripts/{,**/} r,
/etc/initramfs-tools/scripts/{,**/} r, /etc/initramfs-tools/scripts/{,**/} r,
owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/{,**/} r,
owner /var/tmp/mkinitramfs_@{rand6}/{,**/} r, owner /var/tmp/mkinitramfs_@{rand6}/{,**/} r,
include if exists <local/mkinitramfs_find> include if exists <local/mkinitramfs_find>
@ -189,6 +190,12 @@ profile mkinitramfs @{exec_path} {
owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r,
owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r,
owner /tmp/tmp.@{rand10}/usr/lib/modules/*/ r,
owner /tmp/tmp.@{rand10}/usr/lib/modules/*/modules.* rw,
owner /tmp/tmp.@{rand10}/usr/lib/modules/*/updates/{,**} r,
owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/{,**/} r,
owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/**/*.ko* r,
@{sys}/module/compression r, @{sys}/module/compression r,
include if exists <local/mkinitramfs_kmod> include if exists <local/mkinitramfs_kmod>


@ -10,6 +10,7 @@ include <tunables/global>
profile motd @{exec_path} { profile motd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
capability net_admin, capability net_admin,


@ -14,6 +14,7 @@ profile on-ac-power @{exec_path} {
@{exec_path} r, @{exec_path} r,
@{sh_path} rix, @{sh_path} rix,
@{bin}/{,e}grep rix,
@{bin}/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
@{bin}/cat rix, @{bin}/cat rix,


@ -21,9 +21,9 @@ profile swtpm_setup @{exec_path} {
/var/log/swtpm/{,**} w, /var/log/swtpm/{,**} w,
/var/lib/libvirt/swtpm/@{uuid}/tpm2/ r, /var/lib/libvirt/swtpm/@{uuid}/tpm2/ r,
owner @{tmp}/swtpm_setup.certs.*/ w, owner @{tmp}/.swtpm_setup.pidfile.@{rand6} rw,
owner @{tmp}/swtpm_setup.certs.*/*.cert rw, owner @{tmp}/swtpm_setup.certs.@{rand6}/ w,
owner @{tmp}/.swtpm_setup.pidfile* rw, owner @{tmp}/swtpm_setup.certs.@{rand6}/*.cert rw,
include if exists <local/swtpm_setup> include if exists <local/swtpm_setup>
} }