felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): general update.

Browse source
This commit is contained in:
Alexandre Pujol 2024-10-14 19:32:48 +01:00
parent 48751f75b2
commit 185dc96d45
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
48 changed files with 165 additions and 120 deletions
Download patch file Download diff file Expand all files Collapse all files

15
apparmor.d/profiles-s-z/sanoid
View file

@ -6,26 +6,25 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{local/,}{s,}bin/sanoid
@{exec_path} = @{bin}/sanoid
profile sanoid @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} mr,
@{exec_path} mr,
@{sh_path} rix,
@{bin}/perl rix,
@{bin}/ps rPx,
/{usr/,}{local/,}{s,}bin/zfs rPx,
@{bin}/zfs rPx,
/etc/sanoid/{*,} r,
/usr/share/sanoid/{,**} r,
/var/cache/sanoid/snapshots.txt rw,
/etc/sanoid/{,*} r,
/usr/share/sanoid/{**,} r,
/var/cache/sanoid/{,**} rw,
@{run}/sanoid/ rw,
@{run}/sanoid/sanoid_cacheupdate.lock rwk,
@{run}/sanoid/sanoid_pruning.lock rwk,
@{run}/sanoid/** rwk,
include if exists <local/sanoid>
}

5
apparmor.d/profiles-s-z/snapshot
View file

@ -8,12 +8,13 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/snapshot
profile snapshot @{exec_path} {
profile snapshot @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/common/gnome>
include <abstractions/gstreamer>
include <abstractions/nameservice-strict>
include <abstractions/video>
@{exec_path} mr,
@ -22,6 +23,8 @@ profile snapshot @{exec_path} {
owner @{user_pictures_dirs}/Camera/{,**} rw,
owner @{user_videos_dirs}/Camera/{,**} rw,
@{sys}/devices/virtual/dmi/id/bios_vendor r,
include if exists <local/snapshot>
}

2
apparmor.d/profiles-s-z/spotify
View file

@ -13,7 +13,7 @@ include <tunables/global>
@{cache_dirs} = @{user_cache_dirs}/@{name}
@{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name}
profile spotify @{exec_path} {
profile spotify @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/common/electron>

3
apparmor.d/profiles-s-z/sslocal
View file

@ -1,4 +1,5 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# shadowsocks-rust only:
@ -8,7 +9,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = /{,usr/}{,local/}bin/sslocal
@{exec_path} = @{bin}/sslocal
profile sslocal @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>

3
apparmor.d/profiles-s-z/ssmanager
View file

@ -1,4 +1,5 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# shadowsocks-rust only:
@ -8,7 +9,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = /{,usr/}{,local/}bin/ssmanager
@{exec_path} = @{bin}/ssmanager
profile ssmanager @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>

3
apparmor.d/profiles-s-z/ssserver
View file

@ -1,4 +1,5 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# shadowsocks-rust only:
@ -8,7 +9,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = /{,usr/}{,local/}bin/ssserver
@{exec_path} = @{bin}/ssserver
profile ssserver @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>

3
apparmor.d/profiles-s-z/ssservice
View file

@ -1,4 +1,5 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# shadowsocks-rust only:
@ -8,7 +9,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = /{,usr/}{,local/}bin/ssservice
@{exec_path} = @{bin}/ssservice
profile ssservice @{exec_path} {
include <abstractions/base>

3
apparmor.d/profiles-s-z/ssurl
View file

@ -1,4 +1,5 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# shadowsocks-rust only:
@ -8,7 +9,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = /{,usr/}{,local/}bin/ssurl
@{exec_path} = @{bin}/ssurl
profile ssurl @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

3
apparmor.d/profiles-s-z/steam
View file

@ -107,6 +107,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-urlopen rix,
@{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
@{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix,
@{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix,
@{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
@{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web,
@ -182,6 +183,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
owner @{run}/user/@{uid}/ r,
owner @{run}/user/@{uid}/srt-fifo.@{rand6}/{,*} rw,
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@ -366,6 +368,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/common/bwrap>
include <abstractions/nameservice-strict>
capability dac_override,
capability dac_read_search,
unix receive type=stream,

13
apparmor.d/profiles-s-z/steam-game-proton
View file

@ -13,7 +13,7 @@ include <tunables/global>
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap
profile steam-game-proton @{exec_path} flags=(attach_disconnected) {
profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base>
include <abstractions/common/bwrap>
include <abstractions/common/steam-game>
@ -34,6 +34,8 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{bin}/bwrap mrix,
@{bin}/chmod rix,
@{bin}/fc-match rix,
@{bin}/getopt rix,
@{bin}/gzip rix,
@{bin}/ldconfig rix,
@ -44,7 +46,6 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) {
@{bin}/steam-runtime-system-info rix,
@{bin}/steam-runtime-urlopen rix,
@{bin}/true rix,
@{bin}/chmod rix,
@{open_path} rix,
@{lib_dirs}/** mr,
@ -52,12 +53,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) {
@{lib}/pressure-vessel/from-host/@{lib}/** rix,
@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
@{app_dirs}/** mr,
@{app_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix,
@{app_dirs}/Proton*/files/@{bin}/* rix,
@{app_dirs}/Proton*/files/@{lib}/** rix,
@{app_dirs}/Proton*/proton rix,
@{app_dirs}/@{runtime}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix,
@{app_dirs}/** mrix,
@{run}/host/@{bin}/ldconfig rix,
@{run}/host/@{bin}/localedef rix,
@ -73,6 +69,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) {
owner /var/pressure-vessel/** rw,
owner /var/cache/ldconfig/aux-cache* rw,
owner "@{app_dirs}/Steamworks Shared/runasadmin.vdf" rw,
owner @{app_dirs}/@{runtime}/var/tmp-@{rand6}/usr/.ref rwk,
owner @{app_dirs}/Proton*/** rwkl,

2
apparmor.d/profiles-s-z/steam-runtime-steam-remote
View file

@ -13,7 +13,7 @@ include <tunables/global>
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote
profile steam-runtime-steam-remote @{exec_path} flags=(complain) {
profile steam-runtime-steam-remote @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base>
@{exec_path} mr,

2
apparmor.d/profiles-s-z/thermald
View file

@ -16,7 +16,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus/org.freedesktop.UPower>
capability sys_boot,
#aa:dbus own bus=system name=org.freedesktop.thermald
@{exec_path} mr,

2
apparmor.d/profiles-s-z/thunderbird
View file

@ -56,6 +56,8 @@ profile thunderbird @{exec_path} {
owner @{tmp}/nsma rw,
owner @{tmp}/pid-@{pid}/{,**} w,
/dev/urandom w,
# Silencer
deny capability sys_ptrace,
deny @{lib_dirs}/** w,

5
apparmor.d/profiles-s-z/vesktop
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 odomingao
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
@ -15,6 +16,7 @@ profile vesktop @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/common/electron>
include <abstractions/nameservice-strict>
include <abstractions/p11-kit>
include <abstractions/user-download-strict>
include <abstractions/video>
@ -27,6 +29,9 @@ profile vesktop @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{bin}/speech-dispatcher rPx,
@{open_path} rPx -> child-open,
owner /tmp/.org.chromium.Chromium.@{rand6} mr,
owner @{run}/user/@{uid}/discord-ipc-@{int} rw,