feat(profiles): replace old [0-9]* glob by @{int}
Beware: some `[0-9]*` globs are actually not proper `@{int}`.
This commit is contained in:
parent
8ea4491a56
commit
275d6b6e62
368 changed files with 637 additions and 636 deletions
|
|
@ -24,14 +24,14 @@ profile sensors @{exec_path} {
|
|||
@{sys}/devices/**/hwmon*/{in[0-9]_label,in[0-9]_min,in[0-9]_max} r,
|
||||
@{sys}/devices/**/hwmon*/{name,temp*,*_input} r,
|
||||
@{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r,
|
||||
@{sys}/devices/**/hwmon/hwmon[0-9]*/power[0-9]*_crit r,
|
||||
@{sys}/devices/**/hwmon/hwmon@{int}/power[0-9]*_crit r,
|
||||
@{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-[0-9]*/name r,
|
||||
@{sys}/devices/pci[0-9]*/**/name r,
|
||||
@{sys}/devices/platform/**/power_supply/**/hwmon[0-9]*/curr1_max r,
|
||||
@{sys}/devices/platform/**/power_supply/**/hwmon@{int}/curr1_max r,
|
||||
@{sys}/devices/virtual/hwmon/hwmon[0-9]* r,
|
||||
@{sys}/devices/virtual/hwmon/hwmon[0-9]*/ r,
|
||||
@{sys}/devices/virtual/hwmon/hwmon[0-9]*/{name,temp*} r,
|
||||
@{sys}/devices/virtual/hwmon/hwmon[0-9]*/fan[0-9]_label r,
|
||||
@{sys}/devices/virtual/hwmon/hwmon@{int}/ r,
|
||||
@{sys}/devices/virtual/hwmon/hwmon@{int}/{name,temp*} r,
|
||||
@{sys}/devices/virtual/hwmon/hwmon@{int}/fan[0-9]_label r,
|
||||
|
||||
# file_inherit
|
||||
deny @{PROC}/@{pid}/net/dev r,
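Review bot: The four old `virtual/hwmon/hwmon[0-9]*` rules come back as only three `@{int}` rules, so the slash-less `@{sys}/devices/virtual/hwmon/hwmon@{int} r,` appears to be dropped even though the hunk header still counts 14 lines on both sides; if the drop is intentional it deserves a word in the commit message, otherwise this rendering may simply have lost the line and it is worth checking the raw diff. On the same hunk `power[0-9]*_crit` keeps the old glob right beside the converted `hwmon@{int}`, which is exactly the leftover the commit message warns about: the `*` after the digit also accepts any non-slash suffix, so where the remaining characters are always digits the stricter `@{sys}/devices/**/hwmon/hwmon@{int}/power@{int}_crit r,` would be consistent with the rest of the change. The same half-converted lines remain in snap (`/dev/ttyS[0-9]*`), steam-fossilize (`fozpipelinesv[0-9]*`, `nvidiav[0-9]*`), udisksd (`inhibit/[0-9]*.ref`) and thermald (`temp[0-9]*_{max,crit}`).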
|
||||
|
|
|
|||
|
|
@ -69,7 +69,7 @@ profile smplayer @{exec_path} {
|
|||
owner /tmp/qtsingleapp-smplay-* rw,
|
||||
owner /tmp/qtsingleapp-smplay-*-lockfile rwk,
|
||||
owner /tmp/smplayer_preview/ rw,
|
||||
owner /tmp/smplayer_preview/[0-9]*.{jpg,png} rw,
|
||||
owner /tmp/smplayer_preview/@{int}.{jpg,png} rw,
|
||||
owner /tmp/smplayer-mpv-* w,
|
||||
|
||||
owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r,
|
||||
|
|
@ -84,7 +84,7 @@ profile smplayer @{exec_path} {
|
|||
@{PROC}/@{pid}/mounts r,
|
||||
|
||||
/dev/ r,
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/smplayer>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -77,7 +77,7 @@ profile smtube @{exec_path} {
|
|||
@{lib}/firefox/firefox rPUx,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
|
||||
profile open {
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/snap
|
||||
@{exec_path} = /{snap/snapd/@{int}/,}{usr/,}bin/snap
|
||||
profile snap @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
|
@ -43,9 +43,9 @@ profile snap @{exec_path} {
|
|||
@{bin}/systemctl rPx -> child-systemctl,
|
||||
|
||||
/snap/{,**} rw,
|
||||
/{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-confine rPx,
|
||||
/{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-seccomp rPx,
|
||||
/{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snapd r,
|
||||
/{snap/snapd/@{int}/,}{usr/,}lib/snapd/snap-confine rPx,
|
||||
/{snap/snapd/@{int}/,}{usr/,}lib/snapd/snap-seccomp rPx,
|
||||
/{snap/snapd/@{int}/,}{usr/,}lib/snapd/snapd r,
|
||||
|
||||
/etc/fstab r,
|
||||
|
||||
|
|
@ -77,7 +77,7 @@ profile snap @{exec_path} {
|
|||
@{PROC}/sys/kernel/seccomp/actions_avail r,
|
||||
@{PROC}/version r,
|
||||
|
||||
/dev/tty[0-9]* rw,
|
||||
/dev/tty@{int} rw,
|
||||
/dev/ttyS[0-9]* rw,
|
||||
|
||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-discard-ns
|
||||
@{exec_path} = /{snap/snapd/@{int}/,}{usr/,}lib/snapd/snap-discard-ns
|
||||
profile snap-discard-ns @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-failure
|
||||
@{exec_path} = /{snap/snapd/@{int}/,}{usr/,}lib/snapd/snap-failure
|
||||
profile snap-failure @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-seccomp
|
||||
@{exec_path} = /{snap/snapd/@{int}/,}{usr/,}lib/snapd/snap-seccomp
|
||||
profile snap-seccomp @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
|
@ -16,7 +16,7 @@ profile snap-seccomp @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/snap/snapd/[0-9]*/usr/lib/snapd/snap-seccomp r,
|
||||
/snap/snapd/@{int}/usr/lib/snapd/snap-seccomp r,
|
||||
|
||||
/var/lib/snapd/seccomp/bpf/{,**} rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-update-ns
|
||||
@{exec_path} = /{snap/snapd/@{int}/,}{usr/,}lib/snapd/snap-update-ns
|
||||
profile snap-update-ns @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snapd
|
||||
@{exec_path} = /{snap/snapd/@{int}/,}{usr/,}lib/snapd/snapd
|
||||
profile snapd @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/authentication>
|
||||
|
|
@ -84,15 +84,15 @@ profile snapd @{exec_path} {
|
|||
@{bin}/unsquashfs rix,
|
||||
@{bin}/update-desktop-database rPx,
|
||||
|
||||
/{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache-* mr,
|
||||
/{snap/snapd/[0-9]*/,}{usr/,}bin/snap rPx,
|
||||
/{snap/snapd/[0-9]*/,}{usr/,}bin/xdelta3 rix, # TODO: rPx ?
|
||||
/{snap/snapd/[0-9]*/,}{usr/,}lib/@{multiarch}/** mr,
|
||||
/{snap/snapd/[0-9]*/,}{usr/,}lib/@{multiarch}/ld-*.so rix,
|
||||
/{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-discard-ns rPx,
|
||||
/{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-seccomp rPx,
|
||||
/{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-update-ns rPx,
|
||||
/{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snapd rix,
|
||||
/{snap/snapd/@{int}/,}{usr/,}bin/fc-cache-* mr,
|
||||
/{snap/snapd/@{int}/,}{usr/,}bin/snap rPx,
|
||||
/{snap/snapd/@{int}/,}{usr/,}bin/xdelta3 rix, # TODO: rPx ?
|
||||
/{snap/snapd/@{int}/,}{usr/,}lib/@{multiarch}/** mr,
|
||||
/{snap/snapd/@{int}/,}{usr/,}lib/@{multiarch}/ld-*.so rix,
|
||||
/{snap/snapd/@{int}/,}{usr/,}lib/snapd/snap-discard-ns rPx,
|
||||
/{snap/snapd/@{int}/,}{usr/,}lib/snapd/snap-seccomp rPx,
|
||||
/{snap/snapd/@{int}/,}{usr/,}lib/snapd/snap-update-ns rPx,
|
||||
/{snap/snapd/@{int}/,}{usr/,}lib/snapd/snapd rix,
|
||||
|
||||
/usr/share/bash-completion/{,**} r,
|
||||
/usr/share/dbus-1/{system,session}.d/{,snapd*} r,
|
||||
|
|
|
|||
|
|
@ -48,7 +48,7 @@ profile spacefm @{exec_path} {
|
|||
@{sys}/class/ r,
|
||||
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node[0-9]*/meminfo r,
|
||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
|
||||
@{sys}/fs/cgroup/{,**} r,
|
||||
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@ profile spectre-meltdown-checker @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
# Needed to read the /dev/cpu/[0-9]*/msr device
|
||||
# Needed to read the /dev/cpu/@{int}/msr device
|
||||
capability sys_rawio,
|
||||
|
||||
# Needed to read system logs
|
||||
|
|
@ -84,8 +84,8 @@ profile spectre-meltdown-checker @{exec_path} {
|
|||
/tmp/ r,
|
||||
owner /tmp/{config,kernel}-* rw,
|
||||
|
||||
owner /dev/cpu/[0-9]*/cpuid r,
|
||||
owner /dev/cpu/[0-9]*/msr rw,
|
||||
owner /dev/cpu/@{int}/cpuid r,
|
||||
owner /dev/cpu/@{int}/msr rw,
|
||||
owner /dev/kmsg r,
|
||||
|
||||
/boot/ r,
|
||||
|
|
|
|||
|
|
@ -64,7 +64,7 @@ profile spice-vdagent @{exec_path} {
|
|||
|
||||
owner @{PROC}/@{pids}/task/@{tid}/comm rw,
|
||||
|
||||
/dev/dri/card[0-9]* rw,
|
||||
/dev/dri/card@{int} rw,
|
||||
|
||||
include if exists <local/spice-vdagent>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/spice-vdagentd/spice-vdagent-sock r,
|
||||
owner @{run}/spice-vdagentd/spice-vdagentd.pid rw,
|
||||
@{run}/systemd/journal/dev-log w,
|
||||
@{run}/systemd/seats/seat[0-9]* r,
|
||||
@{run}/systemd/seats/seat@{int} r,
|
||||
@{run}/systemd/sessions/* r,
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
|
||||
|
|
|
|||
|
|
@ -43,7 +43,7 @@ profile startx @{exec_path} flags=(attach_disconnected) {
|
|||
owner /tmp/serverauth.* rw,
|
||||
|
||||
/dev/ r,
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/startx>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -223,12 +223,12 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
|
|||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/status r,
|
||||
|
||||
/dev/hidraw[0-9]* rw,
|
||||
/dev/hidraw@{int} rw,
|
||||
/dev/input/ r,
|
||||
/dev/input/event[0-9]* r,
|
||||
/dev/input/event@{int} r,
|
||||
/dev/tty rw,
|
||||
/dev/uinput w,
|
||||
/dev/video[0-9]* rw,
|
||||
/dev/video@{int} rw,
|
||||
|
||||
audit deny /**.steam_exec_test.sh rw,
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
|
@ -244,7 +244,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
|
|||
|
||||
@{sys}/bus/pci/devices/ r,
|
||||
@{sys}/bus/pci/slots/ r,
|
||||
@{sys}/bus/pci/slots/[0-9]*/address r,
|
||||
@{sys}/bus/pci/slots/@{int}/address r,
|
||||
@{sys}/devices/pci[0-9]*/** r,
|
||||
|
||||
owner /dev/shm/ValveIPCSHM_@{uid} rw,
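Review bot: `@{sys}/bus/pci/slots/@{int}/address` on the new line is narrower than PCI slot naming allows: as far as I recall the kernel's slot registration appends `-N` to a slot name when two slots would share a number (worth confirming against drivers/pci/slot.c), so a `slots/5-1/address` that the old `[0-9]*` glob matched would now be denied. If such slots occur on the targeted hosts, `@{sys}/bus/pci/slots/@{int}{,-@{int}}/address r,` keeps the tightened match without reintroducing the unbounded `*`. The identical rule is rewritten the same way in zed and zpool, so whatever is decided here applies to those hunks too.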
|
||||
|
|
|
|||
|
|
@ -22,15 +22,15 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner @{HOME}/.steam/steam.pipe r,
|
||||
|
||||
owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/fozpipelinesv[0-9]*/{,**} rw,
|
||||
owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/mesa_shader_cache_sf/{,**} rwk,
|
||||
owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/nvidiav[0-9]*/GLCache/ rw,
|
||||
owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/nvidiav[0-9]*/GLCache/** rwk,
|
||||
owner @{user_share_dirs}/Steam/steamapps/shadercache/@{int}/fozpipelinesv[0-9]*/{,**} rw,
|
||||
owner @{user_share_dirs}/Steam/steamapps/shadercache/@{int}/mesa_shader_cache_sf/{,**} rwk,
|
||||
owner @{user_share_dirs}/Steam/steamapps/shadercache/@{int}/nvidiav[0-9]*/GLCache/ rw,
|
||||
owner @{user_share_dirs}/Steam/steamapps/shadercache/@{int}/nvidiav[0-9]*/GLCache/** rwk,
|
||||
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
|
||||
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node[0-9]*/cpumap r,
|
||||
@{sys}/devices/system/node/node@{int}/cpumap r,
|
||||
|
||||
@{PROC}/@{pids}/statm r,
|
||||
@{PROC}/pressure/io r,
|
||||
|
|
|
|||
|
|
@ -111,7 +111,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
|
|||
@{user_share_dirs}/Steam/steamapps/common/Proton*/files/bin/* mrix,
|
||||
@{user_share_dirs}/Steam/steamapps/common/Proton*/files/lib{,32,64}/** mrix,
|
||||
@{user_share_dirs}/Steam/steamapps/common/Proton*/proton rix,
|
||||
@{user_share_dirs}/Steam/steamapps/compatdata/[0-9]*/pfx/**.dll rm,
|
||||
@{user_share_dirs}/Steam/steamapps/compatdata/@{int}/pfx/**.dll rm,
|
||||
|
||||
@{user_games_dirs}/*/* mr,
|
||||
@{user_games_dirs}/*/**.dll mr,
|
||||
|
|
@ -236,7 +236,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||
owner @{PROC}/@{pid}/uid_map rw,
|
||||
|
||||
/dev/hidraw[0-9]* rw,
|
||||
/dev/hidraw@{int} rw,
|
||||
/dev/input/ r,
|
||||
/dev/input/* rw,
|
||||
/dev/tty rw,
|
||||
|
|
|
|||
|
|
@ -38,7 +38,7 @@ profile steam-gameoverlayui @{exec_path} {
|
|||
owner @{user_share_dirs}/Steam/config/DialogConfigOverlay*.vdf rw,
|
||||
owner @{user_share_dirs}/Steam/public/* rk,
|
||||
owner @{user_share_dirs}/Steam/resource/{,**} rk,
|
||||
owner @{user_share_dirs}/Steam/userdata/[0-9]*/{,**} rk,
|
||||
owner @{user_share_dirs}/Steam/userdata/@{int}/{,**} rk,
|
||||
|
||||
owner /var/cache/fontconfig/ rw,
|
||||
|
||||
|
|
@ -54,7 +54,7 @@ profile steam-gameoverlayui @{exec_path} {
|
|||
owner /tmp/miles_image_* mrw,
|
||||
|
||||
@{sys}/ r,
|
||||
@{sys}/devices/system/cpu/cpu[0-9]*/** r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/** r,
|
||||
@{sys}/kernel/ r,
|
||||
|
||||
@{PROC}/version r,
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@ profile steam-reaper @{exec_path} {
|
|||
owner /dev/shm/u@{uid}-Shm_@{hex} rw,
|
||||
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
|
||||
|
||||
@{sys}/devices/system/cpu/cpu[0-9]*/** r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/** r,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
|
|
|
|||
|
|
@ -100,7 +100,7 @@ profile strawberry @{exec_path} {
|
|||
@{lib}/firefox/firefox rPUx,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
owner @{HOME}/.anyRemote/anyremote.stdout w,
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ profile strawberry-tagreader @{exec_path} {
|
|||
# file_inherit
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
owner @{HOME}/.anyRemote/anyremote.stdout w,
|
||||
owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp@{rand6}} rw,
|
||||
owner @{user_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw,
|
||||
|
||||
include if exists <local/strawberry-tagreader>
|
||||
}
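Review bot: `gstreamer-@{int}/` on the new line no longer matches the cache directory GStreamer actually uses, which is named `gstreamer-1.0`: the old `[0-9]*` glob accepted the `.0` suffix, whereas `@{int}`, if it expands to digits only as its name implies, does not, so registry reads and the `.tmp@{rand6}` writes would be denied once the profile is enforced. This looks like one of the cases the commit message warns about. Either keep the previous spelling or make the version shape explicit, e.g. `owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/registry.*.bin{,.tmp@{rand6}} rw,`.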
|
||||
|
|
|
|||
|
|
@ -64,7 +64,7 @@ profile su @{exec_path} {
|
|||
@{sys}/devices/virtual/tty/console/active r,
|
||||
|
||||
/dev/{,pts/}ptmx rw,
|
||||
/dev/tty[0-9]* rw,
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/su>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -57,7 +57,7 @@ profile sudo @{exec_path} {
|
|||
@{bin}/{c,k,tc,z}sh rUx,
|
||||
@{lib}/cockpit/cockpit-askpass rPx,
|
||||
@{lib}/molly-guard/molly-guard rPx,
|
||||
/snap/snapd/[0-9]*/usr/bin/snap rPx,
|
||||
/snap/snapd/@{int}/usr/bin/snap rPx,
|
||||
|
||||
@{etc_ro}/environment r,
|
||||
@{etc_ro}/security/limits.d/{,*} r,
|
||||
|
|
@ -95,7 +95,7 @@ profile sudo @{exec_path} {
|
|||
|
||||
/dev/ r, # interactive login
|
||||
/dev/ptmx rw,
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ profile sulogin @{exec_path} {
|
|||
/etc/shadow r,
|
||||
|
||||
/dev/ r,
|
||||
/dev/tty[0-9]* rw,
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
@{PROC}/consoles r,
|
||||
|
||||
|
|
|
|||
|
|
@ -21,9 +21,9 @@ profile swtpm @{exec_path} {
|
|||
/var/log/swtpm/libvirt/qemu/*-swtpm.log w,
|
||||
|
||||
/tmp/.swtpm_setup.pidfile.* rw,
|
||||
/tmp/[0-9]*/.lock rwk,
|
||||
/tmp/[0-9]*/TMP* rw,
|
||||
/tmp/[0-9]*/vtpm.sock rw,
|
||||
/tmp/@{int}/.lock rwk,
|
||||
/tmp/@{int}/TMP* rw,
|
||||
/tmp/@{int}/vtpm.sock rw,
|
||||
|
||||
@{run}/libvirt/qemu/swtpm/*.sock w,
|
||||
@{run}/libvirt/qemu/swtpm/*.pid w,
|
||||
|
|
|
|||
|
|
@ -70,7 +70,7 @@ profile system-config-printer @{exec_path} flags=(complain) {
|
|||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/system-config-printer>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -55,8 +55,8 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_tmax_us r,
|
||||
@{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_tmin_us r,
|
||||
|
||||
@{sys}/devices/**/hwmon[0-9]*/name r,
|
||||
@{sys}/devices/**/hwmon[0-9]*/temp[0-9]*_{max,crit} r,
|
||||
@{sys}/devices/**/hwmon@{int}/name r,
|
||||
@{sys}/devices/**/hwmon@{int}/temp[0-9]*_{max,crit} r,
|
||||
@{sys}/devices/**/path r,
|
||||
|
||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
|
|
@ -87,7 +87,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/dev/acpi_thermal_rel rw,
|
||||
/dev/input/ r,
|
||||
/dev/input/event[0-9]* r,
|
||||
/dev/input/event@{int} r,
|
||||
|
||||
include if exists <local/thermald>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -193,13 +193,13 @@ profile thunderbird @{exec_path} {
|
|||
|
||||
/dev/shm/ r,
|
||||
owner /dev/shm/org.chromium.* rw,
|
||||
owner /dev/shm/org.mozilla.ipc.@{pid}.[0-9]* rw,
|
||||
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
|
||||
owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
|
||||
owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
|
||||
|
||||
/dev/tty rw,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
# Silencer
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ profile thunderbird-glxtest @{exec_path} {
|
|||
|
||||
owner /tmp/thunderbird/.parentlock rw,
|
||||
|
||||
owner @{run}/user/@{uid}/xauth_?????? r,
|
||||
owner @{run}/user/@{uid}/xauth_@{rand6} r,
|
||||
|
||||
@{sys}/bus/pci/devices/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/class r,
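Review bot: The `xauth_??????` to `xauth_@{rand6}` rewrite on the new line is not a `[0-9]*` replacement, so it falls outside what the commit title describes; a short mention in the message (for example "also normalise six-character random suffixes to @{rand6}") would save a reader the search through 368 files. The two spellings are only equivalent if `@{rand6}` is defined as six single-character wildcards; if the tunable restricts the alphabet, that is a deliberate tightening and worth stating as such.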
|
||||
|
|
|
|||
|
|
@ -56,7 +56,7 @@ profile tint2 @{exec_path} {
|
|||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
include if exists <local/tint2>
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@ profile tint2conf @{exec_path} {
|
|||
/etc/fstab r,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/tint2conf>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -66,8 +66,8 @@ profile top @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/toprc r,
|
||||
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node[0-9]*/meminfo r,
|
||||
@{sys}/devices/system/node/node[0-9]*/cpumap r,
|
||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
@{sys}/devices/system/node/node@{int}/cpumap r,
|
||||
|
||||
owner @{user_config_dirs}/procps/ rw,
|
||||
owner @{user_config_dirs}/procps/toprc rw,
|
||||
|
|
|
|||
|
|
@ -131,7 +131,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/mount/utab{,.*} rw,
|
||||
@{run}/mount/utab.lock rwk,
|
||||
@{run}/udisks2/{,**} rw,
|
||||
@{run}/systemd/seats/seat[0-9]* r,
|
||||
@{run}/systemd/seats/seat@{int} r,
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
@{run}/cryptsetup/ r,
|
||||
@{run}/cryptsetup/L* rwk,
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@ profile unix-chkpwd @{exec_path} {
|
|||
/etc/shadow r,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/unix-chkpwd>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -62,7 +62,7 @@ profile update-ca-certificates @{exec_path} {
|
|||
/etc/ca-certificates/update.d/ r,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/pts/[0-9]* rw,
|
||||
owner /dev/pts/@{int} rw,
|
||||
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -61,7 +61,7 @@ profile utox @{exec_path} {
|
|||
owner @{HOME}/.xsession-errors w,
|
||||
owner @{user_config_dirs}/tox/[0-9A-F].ftinfo w,
|
||||
owner @{user_config_dirs}/tox/[0-9A-F].ftoutfo w,
|
||||
deny /dev/video[0-9]* rw,
|
||||
deny /dev/video@{int} rw,
|
||||
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -69,7 +69,7 @@ profile vidcutter @{exec_path} {
|
|||
owner @{user_config_dirs}/qt5ct/{,**} r,
|
||||
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node[0-9]*/meminfo r,
|
||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
|
||||
owner /tmp/vidcutter-@{uuid} w,
|
||||
owner /tmp/#@{int} rw,
|
||||
|
|
@ -86,7 +86,7 @@ profile vidcutter @{exec_path} {
|
|||
/dev/shm/#@{int} rw,
|
||||
/dev/disk/*/ r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/vidcutter>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -102,8 +102,8 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pids}/net/route r,
|
||||
|
||||
/dev/media[0-9]* r,
|
||||
/dev/video[0-9]* rw,
|
||||
/dev/media@{int} r,
|
||||
/dev/video@{int} rw,
|
||||
|
||||
# Silence the noise
|
||||
deny /usr/share/virt-manager/{,**} w,
|
||||
|
|
|
|||
|
|
@ -61,7 +61,7 @@ profile vnstat @{exec_path} {
|
|||
deny @{PROC}/diskstats r,
|
||||
deny @{PROC}/loadavg r,
|
||||
deny @{sys}/devices/**/hwmon/**/temp*_input r,
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
deny network inet dgram,
|
||||
deny network inet6 dgram,
|
||||
|
||||
|
|
|
|||
|
|
@ -38,7 +38,7 @@ profile volumeicon @{exec_path} {
|
|||
@{bin}/pulseeffects rPUx,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/volumeicon>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -61,7 +61,7 @@ profile wireplumber @{exec_path} {
|
|||
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
|
||||
/dev/media[0-9]* rw,
|
||||
/dev/media@{int} rw,
|
||||
/dev/snd/ r,
|
||||
|
||||
include if exists <local/wireplumber>
|
||||
|
|
|
|||
|
|
@ -84,7 +84,7 @@ profile wireshark @{exec_path} {
|
|||
@{lib}/firefox/firefox rPUx,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
|
||||
profile open {
|
||||
|
|
|
|||
|
|
@ -32,7 +32,7 @@ profile wpa-gui @{exec_path} {
|
|||
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/wpa-gui>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ profile wrmsr @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner /dev/cpu/[0-9]*/msr w,
|
||||
owner /dev/cpu/@{int}/msr w,
|
||||
|
||||
include if exists <local/wrmsr>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -69,7 +69,7 @@ profile xarchiver @{exec_path} {
|
|||
@{bin}/viewnior rPUx,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
|
||||
profile open {
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ profile xautolock @{exec_path} {
|
|||
owner @{HOME}/.Xauthority r,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/xautolock>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ profile xbrlapi @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/dev/tty[0-9]* rw,
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/xbrlapi>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@ profile xfce4-notifyd @{exec_path} {
|
|||
owner @{user_config_dirs}/calibre/resources/images/*.png r,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/xfce4-notifyd>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ profile xfconfd @{exec_path} {
|
|||
owner @{user_share_dirs}/ r,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
include if exists <local/xfconfd>
|
||||
|
|
|
|||
|
|
@ -80,7 +80,7 @@ profile xinit @{exec_path} {
|
|||
/etc/X11/Xresources/ r,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
}
|
||||
|
|
@ -108,7 +108,7 @@ profile xinit @{exec_path} {
|
|||
@{run}/udev/data/* r,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@ profile xsel @{exec_path} {
|
|||
owner /tmp/xauth-[0-9]*-_[0-9] r,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
include if exists <local/xsel>
|
||||
|
|
|
|||
|
|
@ -46,7 +46,7 @@ profile zed @{exec_path} {
|
|||
owner /tmp/tmp.* rw,
|
||||
|
||||
@{sys}/bus/pci/slots/ r,
|
||||
@{sys}/bus/pci/slots/[0-9]*/address r,
|
||||
@{sys}/bus/pci/slots/@{int}/address r,
|
||||
@{sys}/module/zfs/parameters/zfs_zevent_len_max rw,
|
||||
|
||||
@{PROC}/@{pids}/mounts r,
|
||||
|
|
|
|||
|
|
@ -28,13 +28,13 @@ profile zpool @{exec_path} {
|
|||
/tmp/tmp.* rw,
|
||||
|
||||
@{sys}/bus/pci/slots/ r,
|
||||
@{sys}/bus/pci/slots/[0-9]*/address r,
|
||||
@{sys}/bus/pci/slots/@{int}/address r,
|
||||
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
@{PROC}/@{pids}/mounts r,
|
||||
@{PROC}/sys/kernel/spl/hostid r,
|
||||
|
||||
/dev/pts/[0-9]* rw,
|
||||
/dev/pts/@{int} rw,
|
||||
/dev/zfs rw,
|
||||
|
||||
include if exists <local/zpool>
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@ profile zsysd @{exec_path} flags=(complain) {
|
|||
|
||||
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||
|
||||
/dev/pts/[0-9]* rw,
|
||||
/dev/pts/@{int} rw,
|
||||
/dev/zfs rw,
|
||||
|
||||
include if exists <local/zsysd>
|
||||
|
|
|
|||