Profiles update.
parent
937171d40c
commit
18e4745fb1
27 changed files with 103 additions and 67 deletions
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/gio-querymodules
|
||||
profile gio-querymodules @{exec_path} {
|
||||
profile gio-querymodules @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/openssl>
|
||||
|
||||
|
|
@ -16,5 +16,7 @@ profile gio-querymodules @{exec_path} {
|
|||
/{usr/,}lib/gtk-{3,4}.0/**/giomodule.cache{,.[0-9A-Z]*} w,
|
||||
/{usr/,}lib/gio/modules/giomodule.cache{,.[0-9A-Z]*} w,
|
||||
|
||||
deny /apparmor/.null rw,
|
||||
|
||||
include if exists <local/gio-querymodules>
|
||||
}
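Review bot: The `flags=(attach_disconnected)` on the profile line and the `deny /apparmor/.null rw,` rule added before the local include carry no comment saying why they are needed, and the same pair is added to gtk-update-icon-cache and kmod further down the page. attach_disconnected makes paths that are disconnected from the namespace resolve as if rooted at `/`, so the existing path rules can match objects they were not written for; that deserves a stated reason, most of all for kmod, whose exec_path covers insmod, rmmod and modprobe. The explicit deny also suppresses the audit record and cannot be re-allowed from the `local/` include. I would put a comment above the rule, something like `# inherited fds that AppArmor replaced with its null device; denied to quiet the log` (presumably the intent, please confirm), and use `audit deny` if these hits should stay visible.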
|
||||
|
|
@ -8,7 +8,7 @@ abi <abi/3.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/gtk-update-icon-cache /{usr/,}bin/gtk4-update-icon-cache
|
||||
profile gtk-update-icon-cache @{exec_path} {
|
||||
profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
|
|
@ -18,5 +18,7 @@ profile gtk-update-icon-cache @{exec_path} {
|
|||
/usr/share/icons/**/.icon-theme.cache rw,
|
||||
/usr/share/icons/**/icon-theme.cache rw,
|
||||
|
||||
deny /apparmor/.null rw,
|
||||
|
||||
include if exists <local/gtk-update-icon-cache>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ include <tunables/global>
|
|||
|
||||
@{exec_path} = /{usr/,}bin/{kmod,lsmod}
|
||||
@{exec_path} += /{usr/,}{s,}bin/{depmod,insmod,lsmod,rmmod,modinfo,modprobe}
|
||||
profile kmod @{exec_path} {
|
||||
profile kmod @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
|
|
@ -59,5 +59,7 @@ profile kmod @{exec_path} {
|
|||
owner @{user_build_dirs}/**/debian/*/lib/modules/*/kernel/{,**/} r,
|
||||
owner @{user_build_dirs}/**/debian/*/lib/modules/*/kernel/**/*.ko r,
|
||||
|
||||
deny /apparmor/.null rw,
|
||||
|
||||
include if exists <local/kmod>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,9 +3,8 @@
|
|||
# 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-3.0-only
|
||||
|
||||
# Version of less profiled: 563
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/less
|
||||
|
|
@ -13,19 +12,22 @@ profile less @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
|
||||
# less can be used to view protected files
|
||||
capability dac_read_search,
|
||||
capability dac_override,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{,**} r,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/source-highlight rix,
|
||||
/{usr/,}bin/src-hilite-lesspipe.sh rix,
|
||||
|
||||
# Source highlighting
|
||||
/usr/bin/{bash,dash} mrix,
|
||||
/usr/bin/source-highlight mrix,
|
||||
/usr/bin/src-hilite-lesspipe.sh mrix,
|
||||
@{system_share_dirs}/terminfo/{,**} r,
|
||||
|
||||
# Silence unnecessary permissions
|
||||
@{user_cache_dirs}/lesshs* rw,
|
||||
owner /root/.lesshs* rw,
|
||||
|
||||
/{,**} r,
|
||||
deny /{,**} w,
|
||||
|
||||
include if exists <local/less>
|
||||
}
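Review bot: `capability dac_override,` sits beside `capability dac_read_search,` under the comment `# less can be used to view protected files`, yet viewing protected files needs only the read-search capability; dac_override also lifts write permission checks. The page has lost its +/- markers, so I cannot tell which of the two rule groups in this hunk is the new side, and the point applies only if dac_override is kept. In that case it is combined with `/{,**} r,`, inherited shell execution and the history rules, of which `@{user_cache_dirs}/lesshs* rw,` has no `owner` qualifier while `owner /root/.lesshs* rw,` does. I would drop dac_override unless a logged denial shows it is required, and write the cache rule as `owner @{user_cache_dirs}/lesshs* rw,`.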
|
||||
|
|
|
|||