felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor(profiles): use @{bin} and @{lib} in profiles (2)

Browse source
This commit is contained in:
Alexandre Pujol 2023-07-09 13:30:27 +01:00
parent bb71f49598
commit 2eed3b725f
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
101 changed files with 538 additions and 538 deletions
Download patch file Download diff file Expand all files Collapse all files

14
apparmor.d/groups/freedesktop/accounts-daemon
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/{,accountsservice/}accounts-daemon
@{exec_path} = @{lib}/{,accountsservice/}accounts-daemon
profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
@ -43,13 +43,13 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/cat rix,
@{bin}/adduser rPx,
@{bin}/cat rix,
@{bin}/chage rPx,
@{bin}/passwd rPx,
@{bin}/userdel rPx,
@{bin}/usermod rPx,
/{usr/,}{s,}bin/adduser rPx,
/{usr/,}{s,}bin/usermod rPx,
/{usr/,}{s,}bin/userdel rPx,
/{usr/,}bin/passwd rPx,
/{usr/,}bin/chage rPx,
/usr/share/language-tools/language-validate rPx,
/usr/share/language-tools/set-language-helper rPUx,

6
apparmor.d/groups/freedesktop/at-spi-bus-launcher
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/{,at-spi2{,-core}/}at-spi-bus-launcher
@{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher
profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session>
@ -29,8 +29,8 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/dbus-daemon rPx,
/{usr/,}bin/dbus-broker-launch rPUx,
@{bin}/dbus-daemon rPx,
@{bin}/dbus-broker-launch rPUx,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/dconf/profile/gdm r,

2
apparmor.d/groups/freedesktop/at-spi2-registryd
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/{,at-spi2{,-core}/}at-spi2-registryd
@{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi2-registryd
profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>

6
apparmor.d/groups/freedesktop/colord
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/{,colord/}colord
@{exec_path} = @{lib}/{,colord/}colord
profile colord @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
@ -57,8 +57,8 @@ profile colord @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}lib/colord/colord-sane rPx,
@{libexec}/colord-sane rPx,
@{lib}/colord/colord-sane rPx,
@{lib}/colord-sane rPx,
/etc/machine-id r,
/etc/udev/hwdb.bin r,

2
apparmor.d/groups/freedesktop/colord-sane
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/{,colord/}colord-sane
@{exec_path} = @{lib}/{,colord/}colord-sane
profile colord-sane @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>

2
apparmor.d/groups/freedesktop/colord-session
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/{,colord/}colord-session
@{exec_path} = @{lib}/{,colord/}colord-session
profile colord-session @{exec_path} {
include <abstractions/base>

10
apparmor.d/groups/freedesktop/cpupower
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/cpupower
@{exec_path} = @{bin}/cpupower
profile cpupower @{exec_path} {
include <abstractions/base>
@ -19,9 +19,9 @@ profile cpupower @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/kmod rCx -> kmod,
/{usr/,}bin/man rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/kmod rCx -> kmod,
@{bin}/man rPx,
@{sys}/devices/system/cpu/{cpufreq,cpuidle}/ r,
@{sys}/devices/system/cpu/{cpufreq,cpuidle}/** r,
@ -43,7 +43,7 @@ profile cpupower @{exec_path} {
profile kmod {
include <abstractions/base>
/{usr/,}bin/kmod mr,
@{bin}/kmod mr,
@{PROC}/cmdline r,
#@{PROC}/modules r,

2
apparmor.d/groups/freedesktop/dconf
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dconf
@{exec_path} = @{bin}/dconf
profile dconf @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf-write>

2
apparmor.d/groups/freedesktop/dconf-editor
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dconf-editor
@{exec_path} = @{bin}/dconf-editor
profile dconf-editor @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>

2
apparmor.d/groups/freedesktop/dconf-service
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/{,dconf/}dconf-service
@{exec_path} = @{lib}/{,dconf/}dconf-service
profile dconf-service @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>

2
apparmor.d/groups/freedesktop/desktop-file-install
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/desktop-file-install
@{exec_path} = @{bin}/desktop-file-install
profile desktop-file-install @{exec_path} {
include <abstractions/base>

2
apparmor.d/groups/freedesktop/fc-list
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/fc-list
@{exec_path} = @{bin}/fc-list
profile fc-list @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>

2
apparmor.d/groups/freedesktop/geoclue
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/geoclue @{libexec}/geoclue-2.0/demos/agent
@{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent
profile geoclue @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>

6
apparmor.d/groups/freedesktop/pipewire
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pipewire
@{exec_path} = @{bin}/pipewire
profile pipewire @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio>
@ -44,8 +44,8 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/pactl rix,
/{usr/,}bin/pipewire-media-session rPx,
@{bin}/pactl rix,
@{bin}/pipewire-media-session rPx,
/usr/share/pipewire/pipewire*.conf r,

2
apparmor.d/groups/freedesktop/pipewire-media-session
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pipewire-media-session
@{exec_path} = @{bin}/pipewire-media-session
profile pipewire-media-session @{exec_path} {
include <abstractions/base>
include <abstractions/audio>

4
apparmor.d/groups/freedesktop/pipewire-pulse
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pipewire-pulse
@{exec_path} = @{bin}/pipewire-pulse
profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio>
@ -19,7 +19,7 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/pactl rix,
@{bin}/pactl rix,
/var/lib/dbus/machine-id r,
/etc/machine-id r,

2
apparmor.d/groups/freedesktop/plymouth
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/plymouth
@{exec_path} = @{bin}/plymouth
profile plymouth @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

10
apparmor.d/groups/freedesktop/plymouth-set-default-theme
View file

@ -6,16 +6,16 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/plymouth-set-default-theme
@{exec_path} = @{bin}/plymouth-set-default-theme
profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/plymouth rPx,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/grep rix,
@{bin}/plymouth rPx,
@{bin}/{,ba,da}sh rix,
/etc/plymouth/{,*} r,

2
apparmor.d/groups/freedesktop/plymouthd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/plymouthd
@{exec_path} = @{bin}/plymouthd
profile plymouthd @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

4
apparmor.d/groups/freedesktop/polkit-agent-helper
View file

@ -7,8 +7,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9]
@{exec_path} += @{libexec}/polkit-agent-helper-[0-9]
@{exec_path} = @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9]
@{exec_path} += @{lib}/polkit-agent-helper-[0-9]
profile polkit-agent-helper @{exec_path} {
include <abstractions/base>
include <abstractions/authentication>

6
apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
View file

@ -7,8 +7,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib{,exec}/@{multiarch}/polkit-kde-authentication-agent-[0-9]
@{exec_path} += /{usr/,}lib{,exec}/polkit-kde-authentication-agent-[0-9]
@{exec_path} = @{lib}/@{multiarch}/polkit-kde-authentication-agent-[0-9]
@{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9]
profile polkit-kde-authentication-agent @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -29,7 +29,7 @@ profile polkit-kde-authentication-agent @{exec_path} {
@{exec_path} mr,
/{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
@{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
/usr/share/hwdata/pnp.ids r,
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,

4
apparmor.d/groups/freedesktop/polkit-mate-authentication-agent
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/polkit-mate/polkit-mate-authentication-agent-[0-9]
@{exec_path} = @{lib}/@{multiarch}/polkit-mate/polkit-mate-authentication-agent-[0-9]
profile polkit-mate-authentication-agent @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
@ -24,7 +24,7 @@ profile polkit-mate-authentication-agent @{exec_path} {
@{exec_path} mr,
/{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
@{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
/usr/share/X11/xkb/** r,

2
apparmor.d/groups/freedesktop/polkitd
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/{,polkit-1/}polkitd
@{exec_path} = @{lib}/{,polkit-1/}polkitd
profile polkitd @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-strict>

8
apparmor.d/groups/freedesktop/pulseaudio
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pulseaudio
@{exec_path} = @{bin}/pulseaudio
profile pulseaudio @{exec_path} {
include <abstractions/base>
include <abstractions/audio>
@ -132,9 +132,9 @@ profile pulseaudio @{exec_path} {
@{exec_path} mrix,
@{libexec}/pulse/gsettings-helper mrix,
/{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
/{usr/,}lib/pulse-*/modules/*.so mr,
@{lib}/pulse/gsettings-helper mrix,
@{lib}/@{multiarch}/pulse/gconf-helper mrix,
@{lib}/pulse-*/modules/*.so mr,
/usr/share/pulseaudio/{,**} r,

2
apparmor.d/groups/freedesktop/update-desktop-database
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/update-desktop-database
@{exec_path} = @{bin}/update-desktop-database
profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/freedesktop/update-mime-database
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/update-mime-database
@{exec_path} = @{bin}/update-mime-database
profile update-mime-database @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>

2
apparmor.d/groups/freedesktop/upower
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/upower
@{exec_path} = @{bin}/upower
profile upower @{exec_path} {
include <abstractions/base>

2
apparmor.d/groups/freedesktop/upowerd
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/{,upower/}upowerd
@{exec_path} = @{lib}/{,upower/}upowerd
profile upowerd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>

2
apparmor.d/groups/freedesktop/xdg-dbus-proxy
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-dbus-proxy
@{exec_path} = @{bin}/xdg-dbus-proxy
profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>

2
apparmor.d/groups/freedesktop/xdg-desktop-icon
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-desktop-icon
@{exec_path} = @{bin}/xdg-desktop-icon
profile xdg-desktop-icon @{exec_path} {
include <abstractions/base>

32
apparmor.d/groups/freedesktop/xdg-desktop-menu
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-desktop-menu
@{exec_path} = @{bin}/xdg-desktop-menu
profile xdg-desktop-menu @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -14,22 +14,22 @@ profile xdg-desktop-menu @{exec_path} flags=(complain) {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/whoami rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/readlink rix,
@{bin}/{,ba,da}sh rix,
@{bin}/mkdir rix,
@{bin}/sed rix,
@{bin}/cut rix,
@{bin}/basename rix,
@{bin}/rm rix,
@{bin}/cp rix,
@{bin}/cat rix,
@{bin}/touch rix,
@{bin}/{m,g,}awk rix,
@{bin}/whoami rix,
@{bin}/mv rix,
@{bin}/{,e}grep rix,
@{bin}/readlink rix,
/{usr/,}bin/update-desktop-database rPx,
@{bin}/update-desktop-database rPx,
owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu rw,
owner @{user_share_dirs}/applications/chrome-*.desktop rw,

16
apparmor.d/groups/freedesktop/xdg-desktop-portal
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal
@{exec_path} = @{lib}/xdg-desktop-portal
profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-network-manager-strict>
@ -107,14 +107,14 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/nautilus rPx,
/{usr/,}bin/snap rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/nautilus rPx,
@{bin}/snap rPx,
/{usr/,}bin/kreadconfig5 rPx,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
/{usr/,}lib/gio-launch-desktop rPx -> child-open,
/{usr/,}lib/xdg-desktop-portal-validate-icon rPUx,
@{bin}/kreadconfig5 rPx,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
@{lib}/gio-launch-desktop rPx -> child-open,
@{lib}/xdg-desktop-portal-validate-icon rPUx,
/ r,
/.flatpak-info r,

2
apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal-gnome
@{exec_path} = @{lib}/xdg-desktop-portal-gnome
profile xdg-desktop-portal-gnome @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-session-strict>

2
apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal-gtk
@{exec_path} = @{lib}/xdg-desktop-portal-gtk
profile xdg-desktop-portal-gtk @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-accessibility-strict>

2
apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal-kde
@{exec_path} = @{lib}/xdg-desktop-portal-kde
profile xdg-desktop-portal-kde @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>

10
apparmor.d/groups/freedesktop/xdg-document-portal
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/xdg-document-portal
@{exec_path} = @{lib}/xdg-document-portal
profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
@ -51,8 +51,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/flatpak rCx -> flatpak,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
@{bin}/flatpak rCx -> flatpak,
@{bin}/fusermount{,3} rCx -> fusermount,
/ r,
@ -73,7 +73,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
profile flatpak {
include <abstractions/base>
/{usr/,}bin/flatpak mr,
@{bin}/flatpak mr,
/ r,
/etc/flatpak/remotes.d/{,*} r,
@ -103,7 +103,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
# network inet stream,
# network inet6 stream,
/{usr/,}bin/fusermount{,3} mr,
@{bin}/fusermount{,3} mr,
/etc/fuse{,3}.conf r,

18
apparmor.d/groups/freedesktop/xdg-email
View file

@ -7,20 +7,20 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-email
@{exec_path} = @{bin}/xdg-email
profile xdg-email @{exec_path} flags=(complain) {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/gio rPx,
/{usr/,}bin/readlink rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/which rix,
/{usr/,}bin/xdg-mime rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/basename rix,
@{bin}/gio rPx,
@{bin}/readlink rix,
@{bin}/sed rix,
@{bin}/which rix,
@{bin}/xdg-mime rPx,
owner /dev/tty[0-9]* rw,

24
apparmor.d/groups/freedesktop/xdg-icon-resource
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-icon-resource
@{exec_path} = @{bin}/xdg-icon-resource
profile xdg-icon-resource @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@ -14,18 +14,18 @@ profile xdg-icon-resource @{exec_path} flags=(complain) {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/whoami rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/touch rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/whoami rix,
@{bin}/sed rix,
@{bin}/basename rix,
@{bin}/mkdir rix,
@{bin}/cp rix,
@{bin}/rm rix,
@{bin}/readlink rix,
@{bin}/touch rix,
/{usr/,}bin/gtk{,4}-update-icon-cache rPx,
@{bin}/gtk{,4}-update-icon-cache rPx,
/usr/share/**/icons/**.png r,
/usr/share/icons/**.png rw,

48
apparmor.d/groups/freedesktop/xdg-mime
View file

@ -7,30 +7,30 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-mime
@{exec_path} = @{bin}/xdg-mime
profile xdg-mime @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/freedesktop.org>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/file rix,
/{usr/,}bin/head rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/which{,.debianutils} rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/{m,g,}awk rix,
@{bin}/basename rix,
@{bin}/cut rix,
@{bin}/file rix,
@{bin}/head rix,
@{bin}/mv rix,
@{bin}/readlink rix,
@{bin}/sed rix,
@{bin}/tr rix,
@{bin}/uname rix,
@{bin}/which{,.debianutils} rix,
/{usr/,}bin/gio rPx,
/{usr/,}bin/mimetype rPx,
/{usr/,}bin/xprop rPx,
@{bin}/gio rPx,
@{bin}/mimetype rPx,
@{bin}/xprop rPx,
/usr/share/terminfo/x/xterm-256color r,
@ -51,10 +51,10 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
# /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
#
# Should this be allowed? Xdg-mime works fine without this.
#/{usr/,}bin/dbus-launch rCx -> dbus,
#/{usr/,}bin/dbus-send rCx -> dbus,
deny /{usr/,}bin/dbus-launch rx,
deny /{usr/,}bin/dbus-send rx,
#@{bin}/dbus-launch rCx -> dbus,
#@{bin}/dbus-send rCx -> dbus,
deny @{bin}/dbus-launch rx,
deny @{bin}/dbus-send rx,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
@ -62,9 +62,9 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/dbus-launch mr,
/{usr/,}bin/dbus-send mr,
/{usr/,}bin/dbus-daemon rPx,
@{bin}/dbus-launch mr,
@{bin}/dbus-send mr,
@{bin}/dbus-daemon rPx,
@{HOME}/.Xauthority r,
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,

36
apparmor.d/groups/freedesktop/xdg-open
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-open
@{exec_path} = @{bin}/xdg-open
profile xdg-open @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/app-launcher-user>
@ -15,23 +15,23 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/uname rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/sed rix,
@{bin}/cut rix,
@{bin}/which{,.debianutils} rix,
@{bin}/cat rix,
@{bin}/uname rix,
/{usr/,}bin/xprop rPx,
/{usr/,}bin/xdg-mime rPx,
@{bin}/xprop rPx,
@{bin}/xdg-mime rPx,
/{usr/,}bin/exo-open rPx,
/{usr/,}bin/gio rPx,
#/{usr/,}bin/kde-open5 rPUx,
@{bin}/exo-open rPx,
@{bin}/gio rPx,
#@{bin}/kde-open5 rPUx,
/{usr/,}bin/dbus-launch rCx -> dbus,
/{usr/,}bin/dbus-send rCx -> dbus,
@{bin}/dbus-launch rCx -> dbus,
@{bin}/dbus-send rCx -> dbus,
/** r,
owner /** rw,
@ -46,9 +46,9 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/dbus-launch mr,
/{usr/,}bin/dbus-send mr,
/{usr/,}bin/dbus-daemon rPx,
@{bin}/dbus-launch mr,
@{bin}/dbus-send mr,
@{bin}/dbus-daemon rPx,
# for dbus-launch
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,

2
apparmor.d/groups/freedesktop/xdg-permission-store
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/xdg-permission-store
@{exec_path} = @{lib}/xdg-permission-store
profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>

30
apparmor.d/groups/freedesktop/xdg-screensaver
View file

@ -6,30 +6,30 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-screensaver
@{exec_path} = @{bin}/xdg-screensaver
profile xdg-screensaver @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/ r,
@{bin}/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/uname rix,
@{bin}/{,ba,da}sh rix,
@{bin}/mv rix,
@{bin}/{,e}grep rix,
@{bin}/sed rix,
@{bin}/which{,.debianutils} rix,
@{bin}/cat rix,
@{bin}/uname rix,
/{usr/,}bin/xautolock rix,
/{usr/,}bin/dbus-send rix,
@{bin}/xautolock rix,
@{bin}/dbus-send rix,
/{usr/,}bin/xprop rPx,
/{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/xset rPx,
/{usr/,}bin/hostname rix,
@{bin}/xprop rPx,
@{bin}/xdg-mime rPx,
@{bin}/xset rPx,
@{bin}/hostname rix,
/dev/dri/card[0-9] rw,

42
apparmor.d/groups/freedesktop/xdg-settings
View file

@ -7,31 +7,31 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-settings
@{exec_path} = @{bin}/xdg-settings
profile xdg-settings @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/which{,.debianutils} rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/basename rix,
@{bin}/cat rix,
@{bin}/cut rix,
@{bin}/mktemp rix,
@{bin}/mv rix,
@{bin}/readlink rix,
@{bin}/sed rix,
@{bin}/sort rix,
@{bin}/uname rix,
@{bin}/wc rix,
@{bin}/which{,.debianutils} rix,
/{usr/,}bin/dbus-launch rCx -> dbus,
/{usr/,}bin/dbus-send rCx -> dbus,
/{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/xprop rPx,
@{bin}/dbus-launch rCx -> dbus,
@{bin}/dbus-send rCx -> dbus,
@{bin}/xdg-mime rPx,
@{bin}/xprop rPx,
/usr/share/terminfo/x/xterm-256color r,
@ -61,9 +61,9 @@ profile xdg-settings @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/dbus-launch mr,
/{usr/,}bin/dbus-send mr,
/{usr/,}bin/dbus-daemon rPx,
@{bin}/dbus-launch mr,
@{bin}/dbus-send mr,
@{bin}/dbus-daemon rPx,
# for dbus-launch
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,

6
apparmor.d/groups/freedesktop/xdg-user-dir
View file

@ -6,14 +6,14 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-user-dir
@{exec_path} = @{bin}/xdg-user-dir
profile xdg-user-dir @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/env rix,
@{bin}/{,ba,da}sh rix,
@{bin}/env rix,
owner @{user_config_dirs}/user-dirs.dirs r,

2
apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-user-dirs-gtk-update
@{exec_path} = @{bin}/xdg-user-dirs-gtk-update
profile xdg-user-dirs-gtk-update @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>

2
apparmor.d/groups/freedesktop/xdg-user-dirs-update
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-user-dirs-update
@{exec_path} = @{bin}/xdg-user-dirs-update
profile xdg-user-dirs-update @{exec_path} {
include <abstractions/base>

2
apparmor.d/groups/freedesktop/xhost
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xhost
@{exec_path} = @{bin}/xhost
profile xhost @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>

2
apparmor.d/groups/freedesktop/xkbcomp
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xkbcomp
@{exec_path} = @{bin}/xkbcomp
profile xkbcomp @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>

20
apparmor.d/groups/freedesktop/xorg
View file

@ -7,10 +7,10 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/X
@{exec_path} += /{usr/,}bin/Xorg{,.bin}
@{exec_path} += /{usr/,}lib/Xorg{,.wrap}
@{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap}
@{exec_path} = @{bin}/X
@{exec_path} += @{bin}/Xorg{,.bin}
@{exec_path} += @{lib}/Xorg{,.wrap}
@{exec_path} += @{lib}/xorg/Xorg{,.wrap}
profile xorg @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
@ -58,13 +58,13 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/xkbcomp rPx,
/{usr/,}bin/pkexec rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/xkbcomp rPx,
@{bin}/pkexec rPx,
/{usr/,}lib/xorg/ r,
/{usr/,}lib/xorg/modules/ r,
/{usr/,}lib/xorg/modules/** mr,
@{lib}/xorg/ r,
@{lib}/xorg/modules/ r,
@{lib}/xorg/modules/** mr,
/var/lib/xkb/server-[0-9]*.xkm rw,
/var/lib/xkb/compiled/server-[0-9]*.xkm rw,

2
apparmor.d/groups/freedesktop/xprop
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xprop
@{exec_path} = @{bin}/xprop
profile xprop @{exec_path} {
include <abstractions/base>

2
apparmor.d/groups/freedesktop/xrandr
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xrandr
@{exec_path} = @{bin}/xrandr
profile xrandr @{exec_path} {
include <abstractions/base>

12
apparmor.d/groups/freedesktop/xrdb
View file

@ -7,18 +7,18 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xrdb
@{exec_path} = @{bin}/xrdb
profile xrdb @{exec_path} {
include <abstractions/base>
include <abstractions/X-strict>
@{exec_path} mr,
/{usr/,}bin/{,*-}cpp-[0-9]* rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cpp rix,
/{usr/,}lib{,32,64}/gcc/*/[0-9]*/cc1 rix,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
@{bin}/{,*-}cpp-[0-9]* rix,
@{bin}/{,ba,da}sh rix,
@{bin}/cpp rix,
@{lib}/gcc/*/[0-9]*/cc1 rix,
@{lib}/llvm-[0-9]*/bin/clang rix,
/usr/include/stdc-predef.h r,
/usr/etc/X11/xdm/Xresources r,

2
apparmor.d/groups/freedesktop/xset
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xset
@{exec_path} = @{bin}/xset
profile xset @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/freedesktop/xsetroot
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xsetroot
@{exec_path} = @{bin}/xsetroot
profile xsetroot @{exec_path} {
include <abstractions/base>

6
apparmor.d/groups/freedesktop/xwayland
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/Xwayland
@{exec_path} = @{bin}/Xwayland
profile xwayland @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dri-common>
@ -25,8 +25,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/xkbcomp rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/xkbcomp rPx,
/usr/share/egl/{,**} r,
/usr/share/fonts/{,**} r,