feat: profiles update.
This commit is contained in:
parent
ef9c451559
commit
1ad60d3b1c
14 changed files with 56 additions and 35 deletions
|
|
@ -1,5 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2019-2022 Mikhail Morfikov
|
||||
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -15,6 +16,8 @@ profile apt-mark @{exec_path} {
|
|||
|
||||
/{usr/,}bin/dpkg rPx,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
/var/lib/apt/extended_states{,.*} rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
|
@ -22,5 +25,7 @@ profile apt-mark @{exec_path} {
|
|||
/var/cache/apt/ r,
|
||||
/var/cache/apt/** rwk,
|
||||
|
||||
/dev/pts/[0-9]* rw,
|
||||
|
||||
include if exists <local/apt-mark>
|
||||
}
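Review bot: `/dev/pts/[0-9]* rw,` is written without the `owner` qualifier that this same commit uses for the equivalent terminal rule in ibus-dconf (`owner /dev/tty[0-9]* rw,`), so apt-mark is allowed to read and write any user's pseudo-terminal rather than only the one it inherited. This rendering keeps no +/- markers and the hunk header only says two lines were added here, so I am inferring from context that this rule is one of them. Since the pty normally arrives as an inherited file descriptor, I would narrow and label it: `# file_inherit` followed by `owner /dev/pts/[0-9]* rw,`, matching the already-qualified `owner @{PROC}/@{pid}/fd/ r,` in the previous hunk.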
|
||||
|
|
|
|||
|
|
@ -9,26 +9,28 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}lib/ibus/ibus-dconf
|
||||
profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
signal (receive) set=term peer=ibus-daemon,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
|
||||
/etc/dconf/profile/ibus r,
|
||||
/etc/dconf/db/ibus r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
|
||||
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
|
||||
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
|
||||
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r,
|
||||
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
|
||||
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
|
||||
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
|
||||
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/var/lib/gdm/.cache/dconf/ w,
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
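Review bot: The `include <abstractions/dconf>` that sits between the bus-socket rules and the explicit `@{run}/user/@{uid}/dconf/` rules duplicates the same include in the header block, and placing it mid-body makes the profile read as if the abstraction were scoped to the lines around it, which AppArmor includes are not. If the intent was to move it, keep one copy with the other includes and drop the other; this rendering keeps no +/- markers, so I cannot tell from the page which copy is the new one. The widening of the socket globs from `-unix-[0-9]` to `-unix-[0-9]*` is reasonable, but a one-line comment such as `# Display number is not limited to one digit` would record why the narrower form was dropped. The profile body continues outside the hunk.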
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/dconf
|
||||
profile dconf @{exec_path} {
|
||||
profile dconf @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
|
||||
capability sys_nice,
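Review bot: `flags=(attach_disconnected)` is added to the dconf profile without a comment saying which disconnected path needed it. The flag makes paths that are disconnected from the profile's namespace be re-attached at `/` and matched against the profile's path rules, so it widens what the existing `/`-rooted rules can match; a note such as `# attach_disconnected: needed for <PLACEHOLDER: denied path from the audit log>` lets a later reviewer check whether the flag is still required. The profile body continues outside the hunk.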
|
||||
|
|
|
|||
|
|
@ -43,6 +43,13 @@ profile gpg-agent @{exec_path} {
|
|||
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/sshcontrol r,
|
||||
|
||||
owner @{run}/user/@{uid}/gnupg/ rw,
|
||||
owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r,
|
||||
owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw,
|
||||
owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner @{run}/user/@{uid}/gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{run}/user/@{uid}/gnupg/sshcontrol r,
|
||||
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/ rw,
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/gpg-agent.conf r,
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,
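Review bot: The new `owner @{user_tmp_dirs}/**/{.,}gnupg/…` rules replace the `/tmp/tmp.*/gnupg/` rules shown in the next hunk, but that hunk also lists the `# For debuild` rule `owner /tmp/dpkg-import-key.*/private-keys-v1.d/ w,`; this rendering keeps no +/- markers and the header counts (8 removed, 1 added) do not say which lines went, so I am inferring it was removed along with them. If so, nothing here covers it: `/tmp/dpkg-import-key.*/private-keys-v1.d/` has no `gnupg` path component, so `owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,` cannot match it and key import during debuild would be denied. Either keep that line or add its equivalent under the new variable, `owner @{user_tmp_dirs}/dpkg-import-key.*/private-keys-v1.d/ w,`. The `@{run}` group also grants `rw` on `private-keys-v1.d/[0-9A-F]*.key` while the `@{user_tmp_dirs}` group grants only the directory; if that asymmetry is intended, a comment on the tmp group would save the next reader from "fixing" it.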
|
||||
|
|
@ -68,14 +75,7 @@ profile gpg-agent @{exec_path} {
|
|||
owner /tmp/tmp.*/gnupg/S.gpg-agent rw,
|
||||
owner /tmp/tmp.*/gnupg/sshcontrol r,
|
||||
|
||||
# For debuild
|
||||
owner /tmp/dpkg-import-key.*/private-keys-v1.d/ w,
|
||||
owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w,
|
||||
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
|
||||
# file_inherit
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
# Silencer
|
||||
deny /{usr/,}bin/.gnupg/ w,
|
||||
|
|
|
|||
|
|
@ -44,6 +44,7 @@ profile tailscaled @{exec_path} {
|
|||
@{PROC}/@{pid}/net/{,**} r,
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
@{PROC}/@{pids}/fd/ r,
|
||||
@{PROC}/@{pids}/net/route r,
|
||||
@{PROC}/1/cgroup r,
|
||||
@{PROC}/1/environ r,
|
||||
@{PROC}/1/stat r,
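Review bot: One line is added to this block of procfs reads (the page keeps no +/- marker, so I cannot tell which), and none of `@{PROC}/@{pids}/cmdline r,`, `@{PROC}/@{pids}/fd/ r,` or `@{PROC}/1/environ r,` carries a comment saying what tailscaled does with it. `@{pids}` grants reads of every process's command line and fd table, and PID 1's environment can carry secrets, so these are information-disclosure grants rather than ordinary file access. A one-line comment naming the feature or audit denial each one serves — e.g. `# Needed for <PLACEHOLDER: feature or denial from the audit log>` — would keep them from being widened further out of habit. If only tailscaled's own processes need the per-pid reads, `owner @{PROC}/@{pids}/cmdline r,` and `owner @{PROC}/@{pids}/fd/ r,` are the narrower forms.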
|
||||
|
|
|
|||
|
|
@ -17,10 +17,14 @@ profile archlinux-java @{exec_path} {
|
|||
/{usr/,}bin/basename rix,
|
||||
/{usr/,}bin/bash rix,
|
||||
/{usr/,}bin/dirname rix,
|
||||
/{usr/,}bin/id rix,
|
||||
/{usr/,}bin/ln rix,
|
||||
/{usr/,}bin/readlink rix,
|
||||
/{usr/,}bin/unlink rix,
|
||||
|
||||
/{usr/,}lib/jvm/default w,
|
||||
/{usr/,}lib/jvm/default-runtime w,
|
||||
|
||||
/dev/tty rw,
|
||||
|
||||
# Inherit Silencer
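Review bot: The `w` grants on `/{usr/,}lib/jvm/default` and `/{usr/,}lib/jvm/default-runtime` are the only writes in this block and are not explained; because `ln` and `unlink` run as `rix` they execute under this same profile, so those two write rules are what lets them repoint the links. A comment above them such as `# Symlinks switched by archlinux-java set/unset` (presumed from the tool's purpose — confirm) would make that relationship visible. The page keeps no +/- markers; the hunk header says four lines were added and I am inferring which from context.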
|
||||
|
|
|
|||
|
|
@ -13,10 +13,11 @@ profile systemd-logind @{exec_path} flags=(complain) {
|
|||
include <abstractions/devices-usb>
|
||||
include <abstractions/systemd-common>
|
||||
|
||||
capability sys_tty_config,
|
||||
capability chown,
|
||||
capability dac_override,
|
||||
capability fowner,
|
||||
capability sys_admin,
|
||||
capability sys_tty_config,
|
||||
|
||||
network netlink raw,
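Review bot: `capability sys_admin,` sits in this capability block without a comment naming the operation that required it; sys_admin is the broadest capability, so a grant here should record its trigger, e.g. `# sys_admin: <PLACEHOLDER: denied operation from the audit log>`. This page keeps no +/- markers and the header says one line was added, so whether sys_admin or another capability is the new one is not recoverable from the page; the point stands for whichever it is. `capability sys_tty_config,` appears twice in the hunk (before `chown` and again after `sys_admin`), which reads like a reorder into alphabetical order — if both copies survive on the new side, drop the first. The profile is still `flags=(complain)`, so none of these grants is enforced yet; that is the time to trim the list.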
|
||||
|
||||
|
|
@ -73,7 +74,7 @@ profile systemd-logind @{exec_path} flags=(complain) {
|
|||
/dev/dri/card[0-9]* rw,
|
||||
/dev/tty[0-9]* rw,
|
||||
/dev/nvme* r,
|
||||
/dev/shm/ r,
|
||||
/dev/shm/{,**/} r,
|
||||
/dev/mqueue/ r,
|
||||
|
||||
@{sys}/module/vt/parameters/default_utf8 r,
|
||||
|
|
|
|||