feat(profile): general update.
parent
43ab1d064d
commit
197c1bd78a
43 changed files with 148 additions and 236 deletions
|
|
@ -11,8 +11,6 @@ profile default-sudo @{exec_path} {
|
|||
include <abstractions/app/sudo>
|
||||
|
||||
capability chown,
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
capability mknod,
|
||||
capability sys_ptrace,
|
||||
|
||||
|
|
@ -21,7 +19,6 @@ profile default-sudo @{exec_path} {
|
|||
|
||||
ptrace (read),
|
||||
|
||||
@{bin}/sudo mr,
|
||||
@{bin}/su mr,
|
||||
|
||||
@{bin}/** Px,
|
||||
|
|
@ -31,20 +28,13 @@ profile default-sudo @{exec_path} {
|
|||
/var/db/sudo/lectured/ r,
|
||||
/var/lib/extrausers/shadow r,
|
||||
/var/lib/sudo/lectured/ r,
|
||||
/var/lib/sudo/ts/ rw,
|
||||
/var/lib/sudo/ts/* rwk,
|
||||
/var/log/sudo.log wk,
|
||||
owner /var/db/sudo/lectured/@{uid} rw,
|
||||
owner /var/lib/sudo/lectured/* rw,
|
||||
|
||||
owner @{HOME}/.sudo_as_admin_successful rw,
|
||||
|
||||
@{run}/ r,
|
||||
@{run}/faillock/{,*} rwk,
|
||||
@{run}/systemd/sessions/* r,
|
||||
owner @{run}/sudo/ rw,
|
||||
owner @{run}/sudo/ts/ rw,
|
||||
owner @{run}/sudo/ts/* rwk,
|
||||
@{run}/ r,
|
||||
@{run}/systemd/sessions/* r,
|
||||
|
||||
include if exists <local/default-sudo>
|
||||
}
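Review bot: `@{run}/ r` and `@{run}/systemd/sessions/* r` each appear twice in the `@ -31,20 +28,13 @@` hunk; the rendered view does not show which copy is the old one, but if both survive the reordering the second is a silent duplicate that apparmor_parser accepts without complaint, so please drop it. The hunk also keeps `/var/lib/extrausers/shadow r` next to the `lectured/` and `ts/` rules, while the sshd hunk of this same commit appears to drop its own extrausers shadow line; a one-line comment such as `/var/lib/extrausers/shadow r, # libnss-extrausers password lookup` would record why sudo still needs read access to a shadow file.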
|
||||
|
|
@ -17,13 +17,10 @@ profile signal-desktop @{exec_path} {
|
|||
include <abstractions/audio-client>
|
||||
include <abstractions/common/chromium>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl-intel>
|
||||
include <abstractions/user-download-strict>
|
||||
|
||||
# Needed?
|
||||
|
|
@ -60,11 +57,6 @@ profile signal-desktop @{exec_path} {
|
|||
|
||||
@{run}/systemd/inhibit/*.ref rw,
|
||||
|
||||
@{sys}/devices/@{pci}/{irq,vendor,device} r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
|
||||
@{sys}/devices/virtual/tty/tty@{int}/active r,
|
||||
@{sys}/fs/cgroup/** r,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/sys/fs/inotify/max_user_watches r,
|
||||
|
|
|
|||
|
|
@ -34,12 +34,12 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/mv rix,
|
||||
|
||||
owner "@{config_dirs}/firefox/Crash Reports/{,**}" rw,
|
||||
owner @{config_dirs}/*.*/crashes/{,**} rw,
|
||||
owner @{config_dirs}/*.*/crashes/events/@{uuid} rw,
|
||||
owner @{config_dirs}/*.*/extensions/*.xpi r,
|
||||
owner @{config_dirs}/*.*/minidumps/{,**} rw,
|
||||
owner @{config_dirs}/*.*/minidumps//@{uuid}.{dmp,extra} r,
|
||||
owner @{config_dirs}/*.*/storage/default/* r,
|
||||
owner @{config_dirs}/firefox/*.*/crashes/{,**} rw,
|
||||
owner @{config_dirs}/firefox/*.*/crashes/events/@{uuid} rw,
|
||||
owner @{config_dirs}/firefox/*.*/extensions/*.xpi r,
|
||||
owner @{config_dirs}/firefox/*.*/minidumps/{,**} rw,
|
||||
owner @{config_dirs}/firefox/*.*/minidumps//@{uuid}.{dmp,extra} r,
|
||||
owner @{config_dirs}/firefox/*.*/storage/default/* r,
|
||||
|
||||
owner @{cache_dirs}/firefox/*.*/** r,
|
||||
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
|
|||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
@{bin}/dbus-broker rix,
|
||||
|
|
|
|||
|
|
@ -23,12 +23,15 @@ profile dbus-system flags=(attach_disconnected) {
|
|||
capability net_admin,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
capability sys_ptrace,
|
||||
capability sys_resource,
|
||||
|
||||
network netlink raw,
|
||||
network bluetooth stream,
|
||||
network bluetooth seqpacket,
|
||||
|
||||
ptrace (read) peer=@{systemd},
|
||||
|
||||
dbus bus=system,
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
|
@ -59,6 +62,9 @@ profile dbus-system flags=(attach_disconnected) {
|
|||
@{sys}/module/apparmor/parameters/enabled r,
|
||||
|
||||
@{PROC}/@{pid}/cmdline r,
|
||||
@{PROC}/@{pid}/environ r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/oom_score_adj rw,
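Review bot: `@{PROC}/@{pid}/environ r` carries no `owner` qualifier, unlike the `fd/`, `mounts` and `oom_score_adj` rules below it, so together with `capability sys_ptrace` from the `@ -23,12 +23,15 @@` hunk it lets the system bus read other processes' environments, which routinely hold tokens and credentials. Since the kernel's ptrace_may_access check applies to `/proc/<pid>/environ`, the `ptrace (read) peer=@{systemd}` rule is the effective limit here; if inspecting systemd is the intent, say so inline, e.g. `@{PROC}/@{pid}/environ r, # bounded by ptrace (read) peer=@{systemd}`, and if any process was meant, `owner` is the safer default and the exception should be justified. The rendered view does not show which three lines this hunk adds, so this may be pre-existing.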
|
||||
|
|
|
|||
|
|
@ -22,8 +22,5 @@ profile dconf-editor @{exec_path} {
|
|||
owner @{user_config_dirs}/glib-2.0/settings/keyfile rw,
|
||||
owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-@{rand6} rw,
|
||||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/dconf-editor>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -28,7 +28,6 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/snapd/desktop/applications/mimeinfo.cache w,
|
||||
|
||||
owner @{user_share_dirs}/.mimeinfo.cache.* rw,
|
||||
owner @{user_share_dirs}/{,**/} r,
|
||||
owner @{user_share_dirs}/**.desktop r,
|
||||
owner @{user_share_dirs}/applications/.mimeinfo.cache.* rw,
|
||||
owner @{user_share_dirs}/applications/mimeinfo.cache w,
|
||||
|
|
@ -37,6 +36,7 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
|
|||
# Inherit silencer
|
||||
deny network inet6 stream,
|
||||
deny network inet stream,
|
||||
deny network netlink raw,
|
||||
|
||||
include if exists <local/update-desktop-database>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -59,10 +59,9 @@ profile xdg-settings @{exec_path} {
|
|||
@{bin}/dbus-send mr,
|
||||
@{bin}/dbus-daemon rPx,
|
||||
|
||||
# for dbus-launch
|
||||
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
|
||||
|
||||
@{HOME}/.Xauthority r,
|
||||
include if exists <local/xdg-settings_dbus>
|
||||
}
|
||||
|
||||
include if exists <local/xdg-settings>
|
||||
|
|
|
|||
|
|
@ -11,13 +11,11 @@ profile epiphany-search-provider @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/enchant>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/p11-kit>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
|
|
|
|||
|
|
@ -21,6 +21,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
|
|||
capability kill,
|
||||
capability net_admin,
|
||||
capability sys_nice,
|
||||
capability sys_tty_config,
|
||||
|
||||
network netlink raw,
|
||||
|
||||
|
|
@ -32,6 +33,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
|
|||
signal (send) set=(term) peer=gdm-session-worker,
|
||||
signal (send) set=(term) peer=gdm-session,
|
||||
signal (send) set=(term) peer=gnome-session-binary,
|
||||
signal (send) set=(term) peer=jackdbus,
|
||||
signal (send) set=(term) peer=tracker-miner,
|
||||
signal (send) set=(term) peer=xdg-*,
|
||||
signal (send) set=(term) peer=xorg,
|
||||
|
|
@ -52,10 +54,12 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
|
|||
@{exec_path} mr,
|
||||
|
||||
@{sh_path} rix,
|
||||
@{bin}/chvt rix,
|
||||
@{bin}/pidof rPx,
|
||||
@{bin}/plymouth rPx,
|
||||
@{bin}/prime-switch rPUx,
|
||||
@{bin}/sleep rix,
|
||||
@{bin}/systemd-cat rPx,
|
||||
@{lib}/{,gdm/}gdm-session-worker rPx,
|
||||
/etc/gdm{3,}/PrimeOff/Default rix,
|
||||
|
||||
|
|
@ -70,7 +74,10 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/sysconfig/displaymanager r,
|
||||
/etc/sysconfig/windowmanager r,
|
||||
|
||||
/var/{lib,log}/gdm{3,}/ rw,
|
||||
/var/lib/gdm{3,}/ rw,
|
||||
/var/lib/gdm{3,}/block-initial-setup rw,
|
||||
|
||||
/var/log/gdm{3,}/ rw,
|
||||
|
||||
owner @{GDM_HOME}/block-initial-setup rw,
|
||||
|
||||
|
|
@ -81,6 +88,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/gdm{3,}.pid rw,
|
||||
owner @{run}/gdm{3,}/ rw,
|
||||
owner @{run}/gdm{3,}/custom.conf r,
|
||||
owner @{run}/gdm{3,}/dbus/ w,
|
||||
owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w,
|
||||
owner @{run}/gdm{3,}/gdm.pid rw,
|
||||
|
||||
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
|
||||
|
|
@ -92,6 +101,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/@{pci}/boot_vga r,
|
||||
@{sys}/devices/virtual/tty/tty@{int}/active r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cgroup.events r,
|
||||
|
||||
@{PROC}/@{pid}/cgroup r,
|
||||
@{PROC}/1/environ r,
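Review bot: `capability net_admin` in the `@ -21,6 +21,7 @@` hunk is a broad grant for a display manager (interface, routing and firewall configuration among others) and nothing in the hunk says which operation needs it; receiving uevents over `network netlink raw` does not by itself require it. If net_admin is the line that hunk adds, please record the reason inline, e.g. `capability net_admin, # TODO: name the operation that needs it`, or drop it and re-test in complain mode. The same goes for `@{PROC}/1/environ r` in the `@ -92,6 +101,7 @@` hunk, which exposes init's environment and, like any non-owner `environ` read, only works alongside a matching `ptrace (read)` rule.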
|
||||
|
|
|
|||
|
|
@ -52,7 +52,7 @@ profile gdm-session @{exec_path} {
|
|||
|
||||
owner @{gdm_cache_dirs}/gdm/ rw,
|
||||
owner @{gdm_cache_dirs}/gdm/Xauthority rw,
|
||||
owner @{gdm_config_dirs}/.config/dconf/user r,
|
||||
owner @{gdm_config_dirs}/dconf/user r,
|
||||
owner @{GDM_HOME}/greeter-dconf-defaults r,
|
||||
|
||||
owner @{run}/gdm{3,}/custom.conf r,
|
||||
|
|
|
|||
|
|
@ -69,6 +69,11 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/wayland-sessions/*.desktop r,
|
||||
/usr/share/xsessions/gnome-xorg.desktop r,
|
||||
|
||||
# Add user; set password on first login
|
||||
/etc/.pwd.lock wk,
|
||||
/etc/nshadow rw,
|
||||
/etc/shadow w,
|
||||
|
||||
@{etc_ro}/environment r,
|
||||
@{etc_ro}/security/limits.d/{,*.conf} r,
|
||||
/etc/default/locale r,
|
||||
|
|
@ -93,30 +98,28 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/systemd/seats/seat@{int} r,
|
||||
owner @{run}/user/@{uid}/keyring/control rw,
|
||||
|
||||
@{run}/gdm{3,}/custom.conf r,
|
||||
owner @{run}/gdm{3,}/dbus/ w,
|
||||
owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w,
|
||||
|
||||
@{run}/cockpit/active.motd r,
|
||||
@{run}/faillock/[a-zA-z0-9]* rwk,
|
||||
@{run}/gdm{3,}/custom.conf r,
|
||||
@{run}/motd.d/{,*} r,
|
||||
@{run}/systemd/sessions/* r,
|
||||
@{run}/systemd/sessions/*.ref rw,
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
@{run}/utmp rwk,
|
||||
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/1/limits r,
|
||||
@{PROC}/keys r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/loginuid rw,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/attr/exec rw,
|
||||
owner @{PROC}/@{pid}/uid_map r,
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/1/limits r,
|
||||
@{PROC}/keys r,
|
||||
|
||||
/dev/tty rw,
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
# Add user; set password on first login
|
||||
/etc/.pwd.lock wk,
|
||||
/etc/nshadow rw,
|
||||
/etc/shadow w,
|
||||
|
||||
include if exists <local/gdm-session-worker>
|
||||
}
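Review bot: `@{run}/faillock/[a-zA-z0-9]* rwk` in the `@ -93,30 +98,28 @@` hunk uses the range `A-z`, which in ASCII also spans `[`, `\`, `]`, `^`, `_` and the backtick; the intended class is almost certainly `[a-zA-Z0-9]*`, so if this line survives on the new side please change it to `@{run}/faillock/[a-zA-Z0-9]* rwk,`. The default-sudo hunk in this commit uses `@{run}/faillock/{,*} rwk` for the same directory, so aligning the two would also keep the faillock rules consistent across profiles. The rendered view does not show whether the hunk touches this line.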
|
||||
|
|
|
|||
|
|
@ -9,12 +9,10 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/gkbd-keyboard-display
|
||||
profile gkbd-keyboard-display @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/dconf-write>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/X11/{,**} r,
|
||||
|
||||
include if exists <local/gkbd-keyboard-display>
|
||||
}
|
||||
|
|
@ -60,6 +60,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/language-tools/language2locale rix,
|
||||
/usr/share/language-tools/language-options rPUx,
|
||||
|
||||
@{open_path} rPx -> child-open-browsers,
|
||||
|
||||
/opt/**/share/icons/{,**} r,
|
||||
/snap/*/@{int}/**.png r,
|
||||
/usr/share/backgrounds/{,**} r,
|
||||
|
|
@ -99,6 +101,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
|
||||
owner @{user_cache_dirs}/thumbnails/{,**} rw,
|
||||
|
||||
owner @{user_config_dirs}/background rw,
|
||||
owner @{user_config_dirs}/gnome-control-center/{,**} rw,
|
||||
owner @{user_config_dirs}/ibus/bus/ r,
|
||||
owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
|
||||
|
|
|
|||
|
|
@ -17,6 +17,7 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) {
|
|||
@{bin}/bwrap mr,
|
||||
@{bin}/*-thumbnailer rix,
|
||||
|
||||
/usr/share/ladspa/rdf/{,**} r,
|
||||
/usr/share/poppler/{,**} r,
|
||||
|
||||
owner @{user_cache_dirs}/gnome-desktop-thumbnailer/{,**} rw,
|
||||
|
|
|
|||
|
|
@ -76,7 +76,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
@{etc_ro}/xdg/autostart/{,*.desktop} r,
|
||||
|
||||
owner @{gdm_cache_dirs}/gdm/Xauthority r,
|
||||
owner @{gdm_cache_dirs}/mesa_shader_cache/index rw,
|
||||
owner @{gdm_config_dirs}/dconf/user rw,
|
||||
owner @{gdm_config_dirs}/gnome-session/ rw,
|
||||
owner @{gdm_config_dirs}/gnome-session/saved-session/ rw,
|
||||
|
|
@ -140,7 +139,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
@{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
|
||||
@{lib}/{,gnome-shell/}gnome-shell-overrides-migration.sh rPx,
|
||||
@{lib}/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher rPUx,
|
||||
@{lib}/baloo_file rPx,
|
||||
@{lib}/caribou/caribou rPUx,
|
||||
@{lib}/deja-dup/deja-dup-monitor rPx,
|
||||
@{lib}/gsd-disk-utility-notify rPx,
|
||||
|
|
@ -149,6 +147,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
@{thunderbird_path} rPx,
|
||||
/usr/share/libpam-kwallet-common/pam_kwallet_init rPUx,
|
||||
|
||||
#aa:exec baloo
|
||||
#aa:exec evolution-alarm-notify
|
||||
@{lib}/kdeconnectd rPUx,
|
||||
@{lib}/@{multiarch}/{,libexec/}kdeconnectd rPUx,
|
||||
|
|
|
|||
|
|
@ -87,6 +87,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
|
||||
# Talk with gnome-shell
|
||||
|
||||
#aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
|
||||
#aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
|
||||
|
||||
#aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
|
||||
|
|
@ -109,15 +110,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
member={RegisterWithCapabilities,Unregister}
|
||||
peer=(name=:*, label=NetworkManager),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/ColorManager
|
||||
interface=org.freedesktop.ColorManager
|
||||
member=DeleteDevice
|
||||
peer=(name=:*, label=colord),
|
||||
dbus receive bus=system path=/org/freedesktop/ColorManager
|
||||
interface=org.freedesktop.ColorManager
|
||||
member=ProfileAdded
|
||||
peer=(name=:*, label=colord),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/login1/seat/seat@{int}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged
|
||||
|
|
@ -252,11 +244,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw,
|
||||
owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw,
|
||||
owner @{gdm_cache_dirs}/libgweather/ r,
|
||||
owner @{gdm_cache_dirs}/mesa_shader_cache/ rw,
|
||||
owner @{gdm_cache_dirs}/mesa_shader_cache/@{h}@{h}/ rw,
|
||||
owner @{gdm_cache_dirs}/mesa_shader_cache/@{h}@{h}/@{hex} rw,
|
||||
owner @{gdm_cache_dirs}/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk,
|
||||
owner @{gdm_cache_dirs}/mesa_shader_cache/index rw,
|
||||
owner @{gdm_config_dirs}/dconf/user r,
|
||||
owner @{gdm_config_dirs}/ibus/ rw,
|
||||
owner @{gdm_config_dirs}/ibus/bus/ rw,
|
||||
|
|
@ -314,7 +301,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
|
||||
/tmp/.X@{int}-lock rw,
|
||||
/tmp/dbus-@{rand8} rw,
|
||||
owner /tmp/[0-9A-Z]*.shell-extension.zip rw,
|
||||
owner /tmp/@{rand6}.shell-extension.zip rw,
|
||||
owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw,
|
||||
|
||||
@{run}/systemd/users/@{uid} r,
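Review bot: the explicit colord rules removed in the `@ -109,15 +110,6 @@` hunk were scoped to `member=DeleteDevice` (send) and `member=ProfileAdded` (receive), whereas the `#aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord` directive in the `@ -87,6 +87,7 @@` hunk, as far as I know, expands to send and receive rules for the whole name with no member filter, so gnome-shell gains every ColorManager method rather than the two it was using. If the wider grant is intentional, a comment on the directive saying so would help; otherwise keep the two member-specific rules and drop the directive. The view does not show whether the colord or the gdm talk line is the one the first hunk adds, so this may already have been the state before the commit.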
|
||||
|
|
|
|||
|
|
@ -11,13 +11,9 @@ profile kgx @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/nvidia>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
capability sys_ptrace,
|
||||
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/gnome-strict>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/user-read>
|
||||
include <abstractions/trash-strict>
|
||||
|
||||
signal (send) set=(kill) peer=loupe//bwrap,
|
||||
|
||||
|
|
@ -23,6 +23,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/usr/share/glycin-loaders/{,**} r,
|
||||
|
||||
/ r,
|
||||
|
||||
@{sys}/fs/cgroup/user.slice/cpu.max r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
|
||||
|
|
|
|||
|
|
@ -27,9 +27,9 @@ profile org.gnome.NautilusPreviewer @{exec_path} {
|
|||
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
/usr/share/ladspa/rdf/{,**} r,
|
||||
/usr/share/poppler/{,**} r,
|
||||
/usr/share/sushi/org.gnome.NautilusPreviewer.*.gresource r,
|
||||
/usr/share/ladspa/rdf/{,**} r,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
|
|
|
|||
|
|
@ -31,11 +31,23 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
|
|||
#aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Files
|
||||
#aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.RSS
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint
|
||||
interface=org.freedesktop.DBus.Peer
|
||||
member=Ping
|
||||
peer=(name=:*, label=nautilus),
|
||||
dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint
|
||||
interface=org.freedesktop.Tracker3.Endpoint
|
||||
member=Query
|
||||
peer=(name=:*, label=nautilus),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{lib}/tracker-extract-3 rix,
|
||||
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r,
|
||||
/usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
|
||||
/usr/share/ladspa/rdf/{,**} r,
|
||||
/usr/share/tracker3-miners/{,**} r,
|
||||
/usr/share/tracker3/{,**} r,
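Review bot: `@{lib}/tracker-extract-3 rix` runs the extractor inside the tracker-miner profile, so the parsers it loads for the files it indexes (downloads included) inherit the miner's ownership of `org.freedesktop.Tracker3.Miner.Files` and the gdm, gvfs and tracker3 reads shown in this hunk. If this repository ships a dedicated tracker-extract profile, `@{lib}/tracker-extract-3 rPx,` keeps the high-risk parsing step in its own confinement; if not, a comment explaining why inheritance is chosen would help the next reader. The view does not show whether this line is among the twelve the hunk adds.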
|
||||
|
||||
|
|
|
|||
|
|
@ -54,6 +54,7 @@ profile gpg @{exec_path} {
|
|||
owner /var/tmp/zypp.@{rand6}/ rw,
|
||||
owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**,
|
||||
|
||||
#aa:exclude ubuntu
|
||||
owner /tmp/ostree-gpg-*/ r,
|
||||
owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
|
||||
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ abi <abi/3.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/konsole
|
||||
profile konsole @{exec_path} flags=(attach_disconnected) {
|
||||
profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/bus-accessibility>
|
||||
|
|
|
|||
|
|
@ -16,10 +16,10 @@ profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/bash rix,
|
||||
@{bin}/dkms rPx,
|
||||
@{bin}/kmod rPx,
|
||||
@{bin}/nproc rix,
|
||||
@{sh_path} rix,
|
||||
@{bin}/dkms rPx,
|
||||
@{bin}/kmod rPx,
|
||||
@{bin}/nproc rix,
|
||||
|
||||
/usr/src/ r,
|
||||
/usr/src/**.conf r,
|
||||
|
|
|
|||
|
|
@ -83,8 +83,6 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
|
|||
@{etc_ro}/ssh/sshd_config.d/{,*} r,
|
||||
/etc/ssh/ssh_host_* r,
|
||||
|
||||
/var/lib/extrausers/shadow r,
|
||||
|
||||
# For scp
|
||||
owner @{user_download_dirs}/{,**} rwl,
|
||||
owner @{user_sync_dirs}/{,**} rwl,
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/systemd-path
|
||||
profile systemd-path @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -39,6 +39,10 @@ profile update-notifier @{exec_path} {
|
|||
member={AboutToShow,GetGroupProperties,GetLayout}
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus send bus=session path=/org/ayatana/NotificationItem/*
|
||||
interface=org.kde.StatusNotifierItem
|
||||
peer=(name=org.freedesktop.DBus, label=gnome-shell),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{sh_path} rix,
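Review bot: the `dbus send bus=session path=/org/ayatana/NotificationItem/*` rule, which the addition count suggests is the block this hunk adds, has no `member=` filter, while the rule just above it restricts itself to `member={AboutToShow,GetGroupProperties,GetLayout}`. If the emitted StatusNotifierItem signals are known from the audit log, listing them as `member={<observed signal names>}` keeps the rule at the same granularity as the rest of the profile; if the set is open-ended, a short comment saying so would explain the omission.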
|
||||
|
|
|
|||