felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): ensure all access to udev/data is documented.

Browse source 
Cleanup some rule to wide in udev/data
This commit is contained in:
Alexandre Pujol 2025-08-11 16:16:35 +02:00
parent 73afa5835e
commit 175e2c3dc3
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
41 changed files with 120 additions and 118 deletions
Download patch file Download diff file Expand all files Collapse all files

6
apparmor.d/abstractions/devices-usb-read
View file

@ -20,9 +20,9 @@
@{sys}/devices/**/usb@{int}/{,**} r,
# Udev data about usb devices (~equal to content of lsusb -v)
@{run}/udev/data/+usb:* r,
@{run}/udev/data/c16[6,7]:@{int} r, # USB modems
@{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
@{run}/udev/data/+usb:* r, # Identifies all USB devices
@{run}/udev/data/c16[6,7]:@{int} r, # USB modems
@{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
include if exists <abstractions/devices-usb-read.d>

6
apparmor.d/abstractions/disks-read
View file

@ -101,13 +101,13 @@
@{run}/udev/data/b43:@{int} r, # for /dev/nbd*
@{run}/udev/data/b179:@{int} r, # for /dev/mmcblk*
@{run}/udev/data/b230:@{int} r, # for /dev/zvol*
@{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254
@{run}/udev/data/b25[0-4]:@{int} r,
@{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240
@{run}/udev/data/b25[0-4]:@{int} r, # to 254
@{run}/udev/data/b259:@{int} r, # Block Extended Major
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
@{run}/udev/data/+usb:* r, # for disk over usb hub
@{run}/udev/data/+usb:* r, # Identifies all USB devices
include if exists <abstractions/disks-read.d>

2
apparmor.d/abstractions/gstreamer
View file

@ -36,7 +36,7 @@
#owner @{HOME}/orcexec.* mrw,
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/+usb:* r, # For /dev/bus/usb/**
@{run}/udev/data/+usb:* r, # Identifies all USB devices
@{run}/udev/data/c81:@{int} r, # For video4linux
@{run}/udev/data/c189:@{int} r, # For USB serial converters

5
apparmor.d/groups/_full/systemd
View file

@ -168,14 +168,13 @@ profile systemd flags=(attach_disconnected,mediate_deleted,complain) {
@{run}/credentials/{,**} rw,
@{run}/systemd/{,**} rw,
@{run}/udev/data/+module:configfs r,
@{run}/udev/data/+module:fuse r,
@{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev
@{run}/udev/data/c4:@{int} r, # For TTY devices
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
@{run}/udev/data/c116:@{int} r, # For ALSA
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{run}/udev/data/n@{int} r,
@{run}/udev/data/n@{int} r, # For network interfaces
@{run}/udev/tags/systemd/ r,
@{sys}/**/uevent r,

5
apparmor.d/groups/_full/systemd-user
View file

@ -59,14 +59,13 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) {
@{run}/systemd/notify w,
@{run}/systemd/oom/io.systemd.ManagedOOM rw,
@{run}/udev/data/+module:configfs r,
@{run}/udev/data/+module:fuse r,
@{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev
@{run}/udev/data/c4:@{int} r, # For TTY devices
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
@{run}/udev/data/c116:@{int} r, # for ALSA
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{run}/udev/data/n@{int} r,
@{run}/udev/data/n@{int} r, # For network interfaces
@{run}/udev/tags/systemd/ r,
@{sys}/devices/virtual/dmi/id/bios_vendor r,

2
apparmor.d/groups/bluetooth/bluetoothd
View file

@ -46,7 +46,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
@{run}/sdp rw,
owner @{run}/systemd/notify w,
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
@{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners)
@{sys}/devices/@{pci}/rfkill@{int}/name r,
@{sys}/devices/@{pci}/**/{uevent,name} r,

2
apparmor.d/groups/browsers/firefox-kmozillahelper
View file

@ -44,7 +44,7 @@ profile firefox-kmozillahelper @{exec_path} {
owner @{run}/user/@{uid}/kmozillahelper@{rand6}.@{int}.kioworker.socket wl,
owner @{run}/user/@{uid}/xauth_@{rand6} rl,
@{run}/udev/data/+usb:* r, # For /dev/bus/usb/**
@{run}/udev/data/+usb:* r, # Identifies all USB devices
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**

8
apparmor.d/groups/filesystem/udisksd
View file

@ -112,11 +112,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
@{run}/cryptsetup/ r,
@{run}/cryptsetup/L* rwk,
@{run}/udev/data/+acpi:* r, # for acpi
@{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal)
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+platform:* r,
@{run}/udev/data/+scsi:* r,
@{run}/udev/data/+vmbus:* r,
@{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
@{run}/udev/data/+scsi:* r, # For SCSI devices. Block-storage for SATA, SAS, USB, iSCSI
@{run}/udev/data/+vmbus:* r, # For Hyper-V devices, (network adapters, storage controllers, and other virtual devices)
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{sys}/bus/ r,

2
apparmor.d/groups/freedesktop/boltd
View file

@ -27,7 +27,7 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
@{att}/@{run}/systemd/notify w,
@{run}/udev/data/+thunderbolt:* r,
@{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices.
@{sys}/bus/ r,
@{sys}/bus/thunderbolt/devices/ r,

2
apparmor.d/groups/freedesktop/iio-sensor-proxy
View file

@ -18,7 +18,7 @@ profile iio-sensor-proxy @{exec_path} {
@{exec_path} mr,
@{run}/udev/data/+platform:* r,
@{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/c13:@{int} r, # For /dev/input/*
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511

12
apparmor.d/groups/freedesktop/upowerd
View file

@ -28,15 +28,15 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
/var/lib/upower/ r,
/var/lib/upower/history-*.dat{,.*} rw,
@{run}/udev/data/ r,
@{run}/udev/data/+acpi:* r, # for acpi
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
@{run}/udev/data/+i2c:* r,
@{run}/udev/data/ r, # Lists all udev data files
@{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal)
@{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners)
@{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.)
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+platform:* r,
@{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
@{run}/udev/data/+serio:* r, # for serial mice
@{run}/udev/data/+power_supply* r,
@{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers)
@{run}/udev/data/+sound:card@{int} r, # for sound card
@{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
@{run}/udev/data/c13:@{int} r, # for /dev/input/*

10
apparmor.d/groups/freedesktop/xorg
View file

@ -92,17 +92,17 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/server-* rwk,
owner @{tmp}/serverauth.* r,
@{run}/udev/data/+acpi:* r, # for acpi
@{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal)
@{run}/udev/data/+dmi* r, # for motherboard info
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
@{run}/udev/data/+i2c:* r,
@{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners)
@{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.)
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+platform:* r, # for ?
@{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
@{run}/udev/data/+serio:* r, # for touchpad?
@{run}/udev/data/+sound:card@{int} r, # for sound card
@{run}/udev/data/+usb* r, # for USB mouse and keyboard
@{run}/udev/data/+usb:* r, # Identifies all USB devices
@{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]*
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx

2
apparmor.d/groups/gnome/gnome-control-center
View file

@ -159,7 +159,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{run}/udev/data/n@{int} r,
@{run}/udev/data/n@{int} r, # For network interfaces
@{sys}/bus/ r,
@{sys}/class/ r,

12
apparmor.d/groups/gnome/gnome-shell
View file

@ -315,19 +315,19 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{run}/udev/tags/seat/ r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+platform:* r,
@{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
@{run}/udev/data/+dmi:id r, # for motherboard info
@{run}/udev/data/+acpi* r,
@{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal)
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+sound:card@{int} r, # for sound card
@{run}/udev/data/+usb* r, # for USB mouse and keyboard
@{run}/udev/data/+i2c:* r,
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
@{run}/udev/data/+usb:* r, # Identifies all USB devices
@{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.)
@{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners)
@{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
@{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
@{run}/udev/data/n@{int} r,
@{run}/udev/data/n@{int} r, # For network interfaces
@{sys}/**/uevent r,
@{sys}/bus/ r,

4
apparmor.d/groups/gnome/gsd-power
View file

@ -58,9 +58,9 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
owner @{GDM_HOME}/greeter-dconf-defaults r,
owner @{gdm_config_dirs}/dconf/user r,
@{run}/udev/data/+backlight:* r,
@{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens.
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/+leds:* r,
@{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.)
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,

8
apparmor.d/groups/hyprland/hyprland
View file

@ -42,15 +42,15 @@ profile hyprland @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/sessions/@{int} r,
@{run}/udev/data/+acpi:* r, # for acpi
@{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal)
@{run}/udev/data/+dmi:id r, # for motherboard info
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
@{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners)
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+platform:* r,
@{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
@{run}/udev/data/+sound:card@{int} r, # for sound card
@{run}/udev/data/+usb* r, # for USB mouse and keyboard
@{run}/udev/data/+usb:* r, # Identifies all USB devices
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
@{run}/udev/data/c226:@{int} r, # for /dev/dri/card*

4
apparmor.d/groups/kde/baloo
View file

@ -44,8 +44,8 @@ profile baloo @{exec_path} {
@{run}/mount/utab r,
@{run}/udev/data/+*:* r,
@{run}/udev/data/c@{int}:@{int} r,
@{run}/udev/data/+*:* r, # Identifies all subsystems
@{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
@{sys}/bus/ r,
@{sys}/bus/*/devices/ r,

4
apparmor.d/groups/kde/baloorunner
View file

@ -28,8 +28,8 @@ profile baloorunner @{exec_path} {
/tmp/ r,
@{run}/udev/data/+*:* r,
@{run}/udev/data/c@{int}:@{int} r,
@{run}/udev/data/+*:* r, # Identifies all subsystems
@{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
@{sys}/bus/ r,
@{sys}/bus/*/devices/ r,

4
apparmor.d/groups/kde/dolphin
View file

@ -105,8 +105,8 @@ profile dolphin @{exec_path} {
owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
@{run}/udev/data/+*:* r,
@{run}/udev/data/c@{int}:@{int} r,
@{run}/udev/data/+*:* r, # Identifies all subsystems
@{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
@{sys}/bus/ r,
@{sys}/bus/*/devices/ r,

8
apparmor.d/groups/kde/kwin_wayland
View file

@ -110,15 +110,15 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{run}/udev/data/+acpi:* r, # for ACPI
@{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal)
@{run}/udev/data/+dmi:* r, # for motherboard info
@{run}/udev/data/+hid:* r, # for HID subsystem
@{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners)
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+platform:* r, # for ?
@{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
@{run}/udev/data/+serio:* r, # for touchpad
@{run}/udev/data/+sound:card@{int} r, # for sound card
@{run}/udev/data/+usb:* r,
@{run}/udev/data/+usb:* r, # Identifies all USB devices
@{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
@{run}/udev/data/c13:@{int} r, # for /dev/input/*

3
apparmor.d/groups/lxqt/lxqt-panel
View file

@ -63,7 +63,8 @@ profile lxqt-panel @{exec_path} {
owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
owner @{user_config_dirs}/pulse/{,**} rwk,
@{run}/udev/data/* r,
@{run}/udev/data/+*:* r, # Identifies all subsystems
@{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
@{sys}/class/i2c-adapter/ r,
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r,

14
apparmor.d/groups/network/ModemManager
View file

@ -25,18 +25,18 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{run}/udev/data/+acpi:* r, # for acpi
@{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal)
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+platform:* r,
@{run}/udev/data/+pnp:* r,
@{run}/udev/data/+serial*:* r,
@{run}/udev/data/+usb:* r,
@{run}/udev/data/+vmbus:* r,
@{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
@{run}/udev/data/+pnp:* r, # For Plug and Play devices (legacy hardware, sound cards, etc.)
@{run}/udev/data/+serial*:* r, # For serial devices (modems, serial ports, etc.)
@{run}/udev/data/+usb:* r, # Identifies all USB devices
@{run}/udev/data/+vmbus:* r, # For Hyper-V devices, (network adapters, storage controllers, and other virtual devices)
@{run}/udev/data/c16[6,7]:@{int} r, # USB modems
@{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
@{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]*
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
@{run}/udev/data/n@{int} r,
@{run}/udev/data/n@{int} r, # For network interfaces
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,

6
apparmor.d/groups/network/NetworkManager
View file

@ -125,9 +125,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
@{run}/nscd/db* rwl,
@{run}/systemd/users/@{uid} r,
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+platform:* r,
@{run}/udev/data/+rfkill:* r,
@{run}/udev/data/n@{int} r,
@{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
@{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power
@{run}/udev/data/n@{int} r, # For network interfaces
@{sys}/devices/@{pci}/net/*/{,**} r,
@{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r,

2
apparmor.d/groups/network/dhcpcd
View file

@ -49,7 +49,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) {
@{run}/dhcpcd/** rwk,
@{run}/udev/data/n@{int} r,
@{run}/udev/data/n@{int} r, # For network interfaces
@{sys}/devices/@{pci}/uevent r,
@{sys}/devices/virtual/dmi/id/product_uuid r,

2
apparmor.d/groups/network/nmcli
View file

@ -25,7 +25,7 @@ profile nmcli @{exec_path} {
owner @{HOME}/.cert/nm-openvpn/*.pem rw,
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/n@{int} r,
@{run}/udev/data/n@{int} r, # For network interfaces
@{sys}/devices/virtual/net/{,**} r,
@{sys}/devices/@{pci}/net/*/{,**} r,

2
apparmor.d/groups/steam/steam
View file

@ -190,7 +190,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{run}/udev/data/n@{int} r,
@{run}/udev/data/n@{int} r, # For network interfaces
@{sys}/ r,
@{sys}/bus/ r,

2
apparmor.d/groups/systemd/networkctl
View file

@ -59,7 +59,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/netif/state r,
@{run}/systemd/notify w,
@{run}/udev/data/n@{int} r,
@{run}/udev/data/n@{int} r, # For network interfaces
@{sys}/devices/**/net/**/uevent r,

4
apparmor.d/groups/systemd/systemd-backlight
View file

@ -18,8 +18,8 @@ profile systemd-backlight @{exec_path} flags=(attach_disconnected) {
/var/lib/systemd/backlight/*backlight* rw,
@{run}/udev/data/+backlight:* r,
@{run}/udev/data/+leds:*backlight* r,
@{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens.
@{run}/udev/data/+leds:*backlight* r, # For keyboard backlights, mouse LEDs, etc.
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{sys}/bus/ r,

26
apparmor.d/groups/systemd/systemd-journald
View file

@ -46,20 +46,20 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted
@{run}/host/container-manager r,
@{run}/utmp rk,
@{run}/udev/data/+acpi:* r,
@{run}/udev/data/+bluetooth:* r,
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
@{run}/udev/data/+ieee80211:* r,
@{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal)
@{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections.
@{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners)
@{run}/udev/data/+ieee80211:* r, # For Wi-Fi devices, such as wireless network cards and access points.
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+mdio_bus:* r,
@{run}/udev/data/+pci:* r,
@{run}/udev/data/+platform:* r,
@{run}/udev/data/+scsi:* r,
@{run}/udev/data/+sdio:* r,
@{run}/udev/data/+thunderbolt:* r,
@{run}/udev/data/+usb-serial:* r,
@{run}/udev/data/+usb:* r,
@{run}/udev/data/+virtio:* r,
@{run}/udev/data/+mdio_bus:* r, # For Management Data Input/Output (Ethernet PHY (physical layer) devices)
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
@{run}/udev/data/+scsi:* r, # For SCSI devices. Block-storage for SATA, SAS, USB, iSCSI
@{run}/udev/data/+sdio:* r, # For Secure Digital Input Output devices, such as Wi-Fi, Bluetooth cards, GPS and NFC modules.
@{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices.
@{run}/udev/data/+usb-serial:* r, # For USB to serial adapters
@{run}/udev/data/+usb:* r, # Identifies all USB devices
@{run}/udev/data/+virtio:* r, # For paravirtualized devices (network interfaces, block devices, console)
@{run}/udev/data/b254:@{int} r, # for /dev/zram*
@{run}/udev/data/b259:@{int} r, # Block Extended Major
@{run}/udev/data/c1:@{int} r, # For RAM disk

12
apparmor.d/groups/systemd/systemd-logind
View file

@ -68,15 +68,15 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
@{run}/udev/tags/uaccess/ r,
@{run}/udev/static_node-tags/uaccess/ r,
@{run}/udev/data/+backlight:* r,
@{run}/udev/data/+drivers:* r,
@{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens.
@{run}/udev/data/+drivers:* r, # For drivers loaded in the system
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/+hid:* r,
@{run}/udev/data/+i2c:* r,
@{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners)
@{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.)
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+leds:* r,
@{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.)
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+wakeup:* r,
@{run}/udev/data/+wakeup:* r, # For wakeup events (e.g., from sleep or hibernation)
@{run}/udev/data/c1:@{int} r, # For RAM disk
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
@{run}/udev/data/c13:@{int} r, # For /dev/input/*

2
apparmor.d/groups/systemd/systemd-networkd
View file

@ -71,7 +71,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/network/*.network r,
owner @{run}/systemd/netif/** rw,
@{run}/udev/data/n@{int} r,
@{run}/udev/data/n@{int} r, # For network interfaces
@{sys}/devices/@{pci}/ r,
@{sys}/devices/@{pci}/rfkill@{int}/* r,

2
apparmor.d/groups/systemd/systemd-rfkill
View file

@ -22,7 +22,7 @@ profile systemd-rfkill @{exec_path} flags=(attach_disconnected) {
/var/lib/systemd/rfkill/* rw,
@{run}/systemd/notify rw,
@{run}/udev/data/+rfkill:* r,
@{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power
@{sys}/devices/**/rfkill@{int}/{uevent,name} r,

8
apparmor.d/groups/ubuntu/subiquity-console-conf
View file

@ -53,13 +53,13 @@ profile subiquity-console-conf @{exec_path} {
@{run}/snapd-recovery-chooser-triggered r,
@{run}/snapd.socket rw,
@{run}/udev/data/+acpi:* r,
@{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal)
@{run}/udev/data/+dmi:* r, # For motherboard info
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+leds:* r,
@{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.)
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+platform:* r,
@{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
@{run}/udev/data/+sound:card@{int} r, # For sound card
@{run}/udev/data/c1:@{int} r, # For RAM disk
@ -74,7 +74,7 @@ profile subiquity-console-conf @{exec_path} {
@{run}/udev/data/c116:@{int} r, # For ALSA
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card*
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{run}/udev/data/n@{int} r,
@{run}/udev/data/n@{int} r, # For network interfaces
@{sys}/**/devices/ r,
@{sys}/*/*/ r,

6
apparmor.d/groups/virt/libvirtd
View file

@ -164,9 +164,9 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/notify w,
@{run}/utmp rk,
@{run}/udev/data/+*:* r,
@{run}/udev/data/c@{int}:@{int} r,
@{run}/udev/data/n@{int} r,
@{run}/udev/data/+*:* r, # Identifies all subsystems
@{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
@{run}/udev/data/n@{int} r, # For network interfaces
@{sys}/bus/[a-z]*/devices/ r,
@{sys}/bus/pci/drivers_probe w,

16
apparmor.d/groups/virt/virtnodedevd
View file

@ -44,18 +44,18 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
@{run}/utmp rk,
@{run}/udev/data/+backlight:* r,
@{run}/udev/data/+bluetooth:* r,
@{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens.
@{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections.
@{run}/udev/data/+dmi:* r, # for motherboard info
@{run}/udev/data/+drm:card@{int}-* r, # for screen outputs
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+leds:* r,
@{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.)
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+platform:* r,
@{run}/udev/data/+power_supply:* r,
@{run}/udev/data/+rfkill:* r,
@{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
@{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers)
@{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power
@{run}/udev/data/+sound:card@{int} r, # For sound card
@{run}/udev/data/+thunderbolt:* r,
@{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices.
@{run}/udev/data/c1:@{int} r, # For RAM disk
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
@ -71,7 +71,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/c203:@{int} r, # CPU CPUID information
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{run}/udev/data/n@{int} r,
@{run}/udev/data/n@{int} r, # For network interfaces
@{sys}/**/ r,
@{sys}/devices/@{pci}/net/{,**} r,

3
apparmor.d/profiles-a-f/cheese
View file

@ -36,10 +36,11 @@ profile cheese @{exec_path} {
owner @{user_cache_dirs}/gnome-desktop-thumbnailer/gstreamer-1.0/ r,
@{run}/udev/data/c@{dynamic}:@{int} r,
owner @{tmp}/flatpak-seccomp-@{rand6} rw,
owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,product_name,sys_vendor} r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,

4
apparmor.d/profiles-a-f/fwupd
View file

@ -109,7 +109,9 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
@{run}/motd.d/@{int}-fwupd* rw,
@{run}/motd.d/fwupd/{,**} rw,
@{run}/mount/utab r,
@{run}/udev/data/* r,
@{run}/udev/data/+*:* r, # Identifies all subsystems
@{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
@{PROC}/@{pids}/fd/ r,
@{PROC}/@{pids}/mountinfo r,

3
apparmor.d/profiles-g-l/kodi
View file

@ -50,7 +50,8 @@ profile kodi @{exec_path} {
owner @{HOME}/core w,
owner @{HOME}/kodi_crashlog-@{int}_@{int}.log w,
@{run}/udev/data/* r,
@{run}/udev/data/+*:* r, # Identifies all subsystems
@{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
@{sys}/**/ r,
@{sys}/devices/@{pci}/usb@{int}/{bDeviceClass,idProduct,idVendor} r,

7
apparmor.d/profiles-g-l/labwc
View file

@ -38,12 +38,11 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/@{pci}/boot_vga r,
@{sys}/devices/**/uevent r,
@{run}/udev/data/+acpi:* r, # for ?
@{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal)
@{run}/udev/data/+drm:card@{int}-* r, # for screen outputs
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
@{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners)
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+platform:* r, # for ?
@{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
@{run}/udev/data/+serio:* r, # for touchpad?
@{run}/udev/data/+sound:card@{int} r, # for sound card
@{run}/udev/data/c13:@{int} r, # for /dev/input/*

4
apparmor.d/profiles-m-r/power-profiles-daemon
View file

@ -28,8 +28,8 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
/var/lib/power-profiles-daemon/{,**} rw,
@{run}/udev/data/+platform:* r,
@{run}/udev/data/+power_supply:* r,
@{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
@{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers)
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*

2
apparmor.d/profiles-s-z/tlp
View file

@ -68,7 +68,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) {
owner @{run}/tlp/{,**} rw,
owner @{run}/tlp/lock_tlp rwk,
@{run}/udev/data/+platform:* r,
@{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
@{sys}/bus/pci/devices/ r,
@{sys}/bus/pci/drivers/*/ r,