feat(profile): general update on some core profiles.

This commit is contained in:
Alexandre Pujol 2025-07-10 00:56:31 +02:00
parent 51560bbbf5
commit 35ae596fd9
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
13 changed files with 36 additions and 9 deletions


@ -29,8 +29,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
@{bin}/as rix, @{bin}/as rix,
@{bin}/bc rix, @{bin}/bc rix,
@{bin}/clang-@{version} rix, @{bin}/clang-@{version} rix,
@{bin}/gcc rix,
@{bin}/g++ rix, @{bin}/g++ rix,
@{bin}/gcc rix,
@{bin}/getconf rix, @{bin}/getconf rix,
@{bin}/kill rix, @{bin}/kill rix,
@{bin}/kmod rCx -> kmod, @{bin}/kmod rCx -> kmod,
@ -44,8 +44,9 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
@{bin}/readelf rix, @{bin}/readelf rix,
@{bin}/rpm rPUx, @{bin}/rpm rPUx,
@{bin}/strip rix, @{bin}/strip rix,
@{sbin}/update-secureboot-policy rPUx, @{bin}/xz rix,
@{bin}/zstd rix, @{bin}/zstd rix,
@{sbin}/update-secureboot-policy rPUx,
@{lib}/gcc/@{multiarch}/@{version}/* rix, @{lib}/gcc/@{multiarch}/@{version}/* rix,
@{lib}/linux-kbuild-*/scripts/** rix, @{lib}/linux-kbuild-*/scripts/** rix,


@ -28,6 +28,7 @@ profile gimp @{exec_path} {
@{python_path} rix, @{python_path} rix,
@{bin}/env rix, @{bin}/env rix,
@{bin}/gimp-debug-tool-3.0 rix,
@{bin}/gimp-script-fu-interpreter-* rix, @{bin}/gimp-script-fu-interpreter-* rix,
@{bin}/gjs-console rix, @{bin}/gjs-console rix,
@{bin}/lua rix, @{bin}/lua rix,
@ -41,6 +42,7 @@ profile gimp @{exec_path} {
/usr/share/gimp/{,**} r, /usr/share/gimp/{,**} r,
/usr/share/mypaint-data/{,**} r, /usr/share/mypaint-data/{,**} r,
/usr/share/poppler/{,**} r,
/usr/share/xml/iso-codes/{,**} r, /usr/share/xml/iso-codes/{,**} r,
/etc/fstab r, /etc/fstab r,
@ -68,6 +70,8 @@ profile gimp @{exec_path} {
owner @{tmp}/gimp/{,**} rw, owner @{tmp}/gimp/{,**} rw,
@{run}/mount/utab r,
@{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
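Review bot: The new `@{bin}/gimp-debug-tool-3.0 rix,` rule in the first hunk pins the major version into the path, while the neighbouring `@{bin}/gimp-script-fu-interpreter-* rix,` rule uses a glob; once a later GIMP release renames the tool the rule silently stops matching and the launch is denied. Since the repository already uses `@{version}` in other profiles, `@{bin}/gimp-debug-tool-@{version} rix,` (or a `*` glob, matching the interpreter rule) would keep the two rules consistent. The third hunk advertises two additions but only `@{run}/mount/utab r,` is visible on the rendered page, so the second added line could not be reviewed here.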


@ -81,6 +81,7 @@ profile libreoffice @{exec_path} {
/etc/papersize r, /etc/papersize r,
/etc/xdg/* r, /etc/xdg/* r,
/var/tmp/ r,
owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w, owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w,
owner @{user_cache_dirs}/libreoffice/{,**} rw, owner @{user_cache_dirs}/libreoffice/{,**} rw,
@ -93,7 +94,7 @@ profile libreoffice @{exec_path} {
owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/#@{int} rw,
owner @{user_share_dirs}/user-places.xbel r, owner @{user_share_dirs}/user-places.xbel r,
owner @{tmp}/ r, @{tmp}/ r,
owner @{tmp}/.java_pid@{int}{,.tmp} rw, owner @{tmp}/.java_pid@{int}{,.tmp} rw,
owner @{tmp}/@{hex} rw, owner @{tmp}/@{hex} rw,
owner @{tmp}/@{rand6} rwk, owner @{tmp}/@{rand6} rwk,
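Review bot: The second hunk drops the `owner` qualifier from the `@{tmp}/ r,` rule without saying why, and the same unqualified form is used for the new `/var/tmp/ r,` rule in the first hunk. Presumably the motivation is that `@{tmp}` is normally a root-owned sticky directory, so `owner` could never match a directory listing by an unprivileged user — confirm. A trailing comment such as `@{tmp}/ r, # root-owned sticky dir, owner never matches` would record that reasoning next to the rule so the qualifier is not re-added later.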


@ -25,10 +25,10 @@ profile initramfs-hooks @{exec_path} {
@{lib}/klibc/bin/fstype ix, @{lib}/klibc/bin/fstype ix,
/usr/share/mdadm/mkconf Px, /usr/share/mdadm/mkconf Px,
@{bin}/* r, @{bin}/* mr,
@{sbin}/* r, @{sbin}/* mr,
@{lib}/ r, @{lib}/ r,
@{lib}/** r, @{lib}/** mr,
/usr/share/initramfs-tools/{,**} r, /usr/share/initramfs-tools/{,**} r,
/usr/share/plymouth/{,**} r, /usr/share/plymouth/{,**} r,
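Review bot: Changing `@{bin}/* r`, `@{sbin}/* r` and `@{lib}/** r` to `mr` lets the profile map any system binary or library as executable memory without an exec transition, which is a considerably wider grant than the previous read-only rules, and the hunk gives no reason for it. Presumably the hooks' dependency resolution (copy_exec running ldd over the files it copies into the image) needs to map them — confirm, since if only the dynamic loader is involved a narrower rule may suffice. A one-line comment above the three rules, e.g. `# mapped during dependency resolution of the binaries copied into the initramfs`, would document why `m` is required on such broad globs.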


@ -19,6 +19,7 @@ profile mdadm-mkconf @{exec_path} {
@{sbin}/mdadm Px, @{sbin}/mdadm Px,
/etc/default/mdadm r, /etc/default/mdadm r,
/etc/mdadm/mdadm.conf r,
/ r, / r,


@ -25,7 +25,7 @@ profile nvidia-smi @{exec_path} {
/dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511
/dev/nvidia-caps/ rw, /dev/nvidia-caps/ rw,
/dev/nvidia-caps/nvidia-cap@{int} r, /dev/nvidia-caps/nvidia-cap@{int} rw,
/dev/nvidia-uvm rw, /dev/nvidia-uvm rw,
/dev/nvidia-uvm-tools r, /dev/nvidia-uvm-tools r,
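Review bot: `/dev/nvidia-caps/nvidia-cap@{int}` goes from `r` to `rw`, granting write access to every capability node, but unlike the `/dev/char/@{dynamic}:@{int} w,` rule just above it the widened rule carries no comment explaining which nvidia-smi operation needs it. A short trailing comment in the same style, naming the operation that opens the cap nodes for writing, would let a reader judge whether the `w` is needed on every node or only a subset.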


@ -38,8 +38,15 @@ profile ollama @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/ollama@{int}/{,**} rw, owner @{tmp}/ollama@{int}/{,**} rw,
owner @{tmp}/ollama@{int}/runners/{,**} mr, owner @{tmp}/ollama@{int}/runners/{,**} mr,
@{sys}/devices/@{pci}/drm/card@{int}/ r,
@{sys}/devices/@{pci}/drm/card@{int}/*/ r,
@{sys}/devices/@{pci}/mem_info_vram_total r,
@{sys}/devices/@{pci}/mem_info_vram_used r,
@{sys}/devices/@{pci}/numa_node r, @{sys}/devices/@{pci}/numa_node r,
@{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/system/node/node@{int}/cpumap r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/ r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r,
@{PROC}/devices r, @{PROC}/devices r,
@{PROC}/sys/net/core/somaxconn r, @{PROC}/sys/net/core/somaxconn r,


@ -30,10 +30,13 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+platform:* r, @{run}/udev/data/+platform:* r,
@{run}/udev/data/+power_supply:* r, @{run}/udev/data/+power_supply:* r,
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
@{sys}/bus/ r, @{sys}/bus/ r,
@{sys}/bus/platform/devices/ r, @{sys}/bus/platform/devices/ r,
@{sys}/class/ r, @{sys}/class/ r,
@{sys}/class/drm/ r,
@{sys}/class/power_supply/ r, @{sys}/class/power_supply/ r,
@{sys}/devices/**/power_supply/*/scope r, @{sys}/devices/**/power_supply/*/scope r,
@{sys}/devices/**/uevent r, @{sys}/devices/**/uevent r,


@ -20,16 +20,20 @@ profile speech-dispatcher @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{sh_path} ix, @{sh_path} ix,
@{lib}/speech-dispatcher-modules/* ix,
@{lib}/speech-dispatcher/** r, @{lib}/speech-dispatcher/** r,
@{lib}/speech-dispatcher/speech-dispatcher-modules/* ix, @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix,
/etc/machine-id r, /etc/machine-id r,
/etc/speech-dispatcher/{,**} r, /etc/speech-dispatcher/{,**} r,
owner @{user_config_dirs}/speech-dispatcher/{,**} r,
owner @{run}/user/@{uid}/speech-dispatcher/ rw, owner @{run}/user/@{uid}/speech-dispatcher/ rw,
owner @{run}/user/@{uid}/speech-dispatcher/** rwk, owner @{run}/user/@{uid}/speech-dispatcher/** rwk,
owner @{user_config_dirs}/speech-dispatcher/{,**} r, owner /dev/shm/sem.@{rand6} rw,
owner /dev/shm/sem.speechd-modules-dummy-@{int} rwl -> /dev/shm/sem.@{rand6},
include if exists <local/speech-dispatcher> include if exists <local/speech-dispatcher>
} }
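Review bot: The pair `owner /dev/shm/sem.@{rand6} rw,` and `owner /dev/shm/sem.speechd-modules-dummy-@{int} rwl -> /dev/shm/sem.@{rand6},` encodes a create-random-temporary-then-link sequence that is not obvious from the rules themselves. Presumably this is sem_open() creating a randomly named file and hard-linking it to the final semaphore name — confirm. A comment above the two rules, e.g. `# sem_open() creates sem.<random> and links it to the final name`, would explain why the link target is a random name. Whether `@{lib}/speech-dispatcher-modules/* ix,` is added or removed in this hunk is not recoverable from the rendered page, so it was not reviewed.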


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/terminator @{exec_path} = @{bin}/terminator
profile terminator @{exec_path} flags=(attach_disconnected) { profile terminator @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/bus-accessibility> include <abstractions/bus-accessibility>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus/org.a11y> include <abstractions/bus/org.a11y>
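Review bot: `include <abstractions/audio-client>` is added to a terminal emulator's profile without a note on what needs audio; presumably the terminal bell — confirm. A trailing comment such as `include <abstractions/audio-client> # terminal bell` would stop a later reader from treating the include as an accidental widening.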


@ -17,12 +17,14 @@ profile update-shells @{exec_path} {
@{bin}/chmod ix, @{bin}/chmod ix,
@{bin}/chown ix, @{bin}/chown ix,
@{bin}/dirname ix, @{bin}/dirname ix,
@{bin}/dpkg-realpath ix, @{bin}/dpkg-realpath rix,
@{bin}/mv ix, @{bin}/mv ix,
@{bin}/sync ix, @{bin}/sync ix,
@{bin}/readlink ix,
/usr/share/debianutils/shells r, /usr/share/debianutils/shells r,
/usr/share/debianutils/shells.d/{,**} r, /usr/share/debianutils/shells.d/{,**} r,
/usr/share/dpkg/sh/dpkg-error.sh r,
/etc/shells r, /etc/shells r,
/etc/shells.tmp w, /etc/shells.tmp w,
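Review bot: The new `@{bin}/readlink ix,` is inserted after `@{bin}/sync ix,`, breaking the alphabetical order the rest of the exec list keeps (chmod, chown, dirname, dpkg-realpath, mv, sync); it belongs between `mv` and `sync`. The change of `dpkg-realpath` from `ix` to `rix` makes it the only entry in the list with `r`; presumably that is because it is a shell script the interpreter must read, with `/usr/share/dpkg/sh/dpkg-error.sh r,` added for the same reason — confirm. A trailing comment `@{bin}/dpkg-realpath rix, # shell script` would explain the odd one out.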


@ -84,6 +84,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk,
@{run}/libvirt/libvirt-sock rw,
@{run}/mount/utab r, @{run}/mount/utab r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
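Review bot: `@{run}/libvirt/libvirt-sock rw,` is the read-write control socket of the system libvirt daemon, so this rule lets virt-manager manage system-level domains (qemu:///system), which is a markedly larger grant than the per-user `@{run}/user/@{uid}/libvirt/` rules directly above it, and it is added without comment. Authorization presumably still rests on the socket's permissions and the daemon's polkit policy rather than on this profile — confirm. A trailing comment `@{run}/libvirt/libvirt-sock rw, # system libvirtd control socket (qemu:///system)` would make the scope of the grant visible at a glance.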


@ -25,6 +25,8 @@ profile whoopsie @{exec_path} {
owner @{run}/lock/whoopsie/ rw, owner @{run}/lock/whoopsie/ rw,
owner @{run}/lock/whoopsie/lock rwk, owner @{run}/lock/whoopsie/lock rwk,
@{sys}/devices/virtual/dmi/id/product_uuid r,
include if exists <local/whoopsie> include if exists <local/whoopsie>
} }
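Review bot: `@{sys}/devices/virtual/dmi/id/product_uuid r,` grants the crash reporter a persistent hardware identifier, and the hunk does not say what it is used for. Presumably it feeds the stable system identifier attached to submitted reports — confirm, since that makes the read privacy-relevant rather than incidental. A trailing comment such as `# stable machine identifier used in crash reports` would document the purpose next to the rule.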