chore: enforce indentation consistency across profile.
This commit is contained in:
Alexandre Pujol
parent
6e2d817805
commit
37bafddc80
30 changed files with 181 additions and 182 deletions
|
|
@ -15,7 +15,7 @@ profile sensors-detect @{exec_path} {
|
|||
capability syslog,
|
||||
|
||||
@{exec_path} rm,
|
||||
|
||||
|
||||
@{bin}/kmod rCx -> kmod,
|
||||
@{bin}/perl r,
|
||||
@{bin}/systemctl rCx -> systemctl,
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@ profile session-desktop @{exec_path} {
|
|||
network netlink raw,
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
|
||||
@{lib_dirs}/resources/app.asar.unpacked/ts/webworker/workers/node/**.node mr,
|
||||
|
||||
@{open_path} rPx -> child-open-strict,
|
||||
|
|
|
|||
|
|
@ -83,7 +83,7 @@ profile totem @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{PROC}/@{pid}/task/@{tid}/comm w,
|
||||
|
||||
/dev/ r,
|
||||
|
||||
|
||||
include if exists <local/totem_bwrap>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -9,54 +9,54 @@ include <tunables/global>
|
|||
|
||||
@{exec_path} = @{bin}/ufw
|
||||
profile ufw @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/attached/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/python>
|
||||
include <abstractions/base>
|
||||
include <abstractions/attached/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/python>
|
||||
|
||||
capability dac_read_search,
|
||||
capability net_admin,
|
||||
capability net_raw,
|
||||
capability sys_ptrace,
|
||||
capability dac_read_search,
|
||||
capability net_admin,
|
||||
capability net_raw,
|
||||
capability sys_ptrace,
|
||||
|
||||
network inet dgram,
|
||||
network inet raw,
|
||||
network inet6 dgram,
|
||||
network inet6 raw,
|
||||
network netlink raw,
|
||||
network inet dgram,
|
||||
network inet raw,
|
||||
network inet6 dgram,
|
||||
network inet6 raw,
|
||||
network netlink raw,
|
||||
|
||||
ptrace read,
|
||||
ptrace read,
|
||||
|
||||
@{exec_path} mr,
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/ r,
|
||||
@{bin}/cat ix,
|
||||
@{bin}/env r,
|
||||
@{bin}/python3.@{int} ix,
|
||||
@{bin}/sysctl ix,
|
||||
@{bin}/xtables-legacy-multi ix,
|
||||
@{bin}/xtables-nft-multi ix,
|
||||
@{lib}/ufw/ufw-init ix,
|
||||
@{bin}/ r,
|
||||
@{bin}/cat ix,
|
||||
@{bin}/env r,
|
||||
@{bin}/python3.@{int} ix,
|
||||
@{bin}/sysctl ix,
|
||||
@{bin}/xtables-legacy-multi ix,
|
||||
@{bin}/xtables-nft-multi ix,
|
||||
@{lib}/ufw/ufw-init ix,
|
||||
|
||||
/etc/default/ufw rw,
|
||||
/etc/ufw/ rw,
|
||||
/etc/ufw/** rwk,
|
||||
/etc/default/ufw rw,
|
||||
/etc/ufw/ rw,
|
||||
/etc/ufw/** rwk,
|
||||
|
||||
@{run}/xtables.lock rwk,
|
||||
owner @{run}/ufw.lock rwk,
|
||||
@{run}/xtables.lock rwk,
|
||||
owner @{run}/ufw.lock rwk,
|
||||
|
||||
owner @{tmp}/@{word8} rw,
|
||||
owner @{tmp}/tmp@{word8} rw,
|
||||
owner /var/tmp/@{word8} rw,
|
||||
owner /var/tmp/tmp@{word8} rw,
|
||||
owner @{tmp}/@{word8} rw,
|
||||
owner @{tmp}/tmp@{word8} rw,
|
||||
owner /var/tmp/@{word8} rw,
|
||||
owner /var/tmp/tmp@{word8} rw,
|
||||
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pid}/net/ip_tables_names r,
|
||||
@{PROC}/@{pid}/stat r,
|
||||
@{PROC}/sys/net/ipv{4,6}/** rw,
|
||||
@{PROC}/sys/kernel/modprobe r,
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pid}/net/ip_tables_names r,
|
||||
@{PROC}/@{pid}/stat r,
|
||||
@{PROC}/sys/net/ipv{4,6}/** rw,
|
||||
@{PROC}/sys/kernel/modprobe r,
|
||||
|
||||
include if exists <local/ufw>
|
||||
include if exists <local/ufw>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
|
|||
|
|
@ -38,7 +38,7 @@ profile update-pciids @{exec_path} {
|
|||
/usr/share/misc/ r,
|
||||
/usr/share/misc/* rwl -> /usr/share/misc/*,
|
||||
|
||||
# For shell pwd
|
||||
# For shell pwd
|
||||
/root/ r,
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -13,48 +13,48 @@ include <tunables/global>
|
|||
|
||||
@{exec_path} = @{bin}/wechat-universal @{lib_dirs}/wechat
|
||||
profile wechat-universal @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/attached/consoles>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/common/electron>
|
||||
include <abstractions/common/bwrap>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/app/bus>
|
||||
include <abstractions/base>
|
||||
include <abstractions/attached/consoles>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/common/electron>
|
||||
include <abstractions/common/bwrap>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/app/bus>
|
||||
|
||||
network netlink raw,
|
||||
network netlink dgram,
|
||||
network inet stream,
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network inet6 stream,
|
||||
network netlink raw,
|
||||
network netlink dgram,
|
||||
network inet stream,
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network inet6 stream,
|
||||
|
||||
@{exec_path} mrix,
|
||||
@{exec_path} mrix,
|
||||
|
||||
@{sh_path} rix,
|
||||
@{lib}/wechat-universal/common.sh ix,
|
||||
@{bin}/sed ix,
|
||||
@{bin}/ln ix,
|
||||
@{bin}/mkdir ix,
|
||||
@{bin}/lsblk Px,
|
||||
@{bin}/bwrap rix,
|
||||
@{bin}/xdg-user-dir rix,
|
||||
@{lib_dirs}/crashpad_handler ix,
|
||||
@{open_path} rPx -> child-open-strict,
|
||||
@{sh_path} rix,
|
||||
@{lib}/wechat-universal/common.sh ix,
|
||||
@{bin}/sed ix,
|
||||
@{bin}/ln ix,
|
||||
@{bin}/mkdir ix,
|
||||
@{bin}/lsblk Px,
|
||||
@{bin}/bwrap rix,
|
||||
@{bin}/xdg-user-dir rix,
|
||||
@{lib_dirs}/crashpad_handler ix,
|
||||
@{open_path} rPx -> child-open-strict,
|
||||
|
||||
/etc/lsb-release r,
|
||||
/etc/lsb-release r,
|
||||
|
||||
owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk,
|
||||
owner @{HOME}/.xwechat/{,**} rwk,
|
||||
owner @{HOME}/.sys1og.conf rw,
|
||||
owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk,
|
||||
owner @{HOME}/.xwechat/{,**} rwk,
|
||||
owner @{HOME}/.sys1og.conf rw,
|
||||
|
||||
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
|
||||
@{run}/utmp r,
|
||||
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
|
||||
@{run}/utmp r,
|
||||
|
||||
@{PROC}/@{pid}/net/route r,
|
||||
@{PROC}/@{pid}/net/route r,
|
||||
|
||||
/dev/tty rw,
|
||||
/dev/tty rw,
|
||||
|
||||
include if exists <local/wechat-universal>
|
||||
include if exists <local/wechat-universal>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
|
|||
|
|
@ -10,54 +10,53 @@ include <tunables/global>
|
|||
@{exec_path} += /opt/wemeet/bin/wemeetapp
|
||||
@{exec_path} += /opt/wemeet/bin/QtWebEngineProcess
|
||||
profile wemeet @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/attached/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/common/bwrap>
|
||||
include <abstractions/common/chromium>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/base>
|
||||
include <abstractions/attached/consoles>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/common/bwrap>
|
||||
include <abstractions/common/chromium>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/ssl_certs>
|
||||
|
||||
network netlink raw,
|
||||
network netlink dgram,
|
||||
network inet stream,
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network inet6 stream,
|
||||
network netlink raw,
|
||||
network netlink dgram,
|
||||
network inet stream,
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network inet6 stream,
|
||||
|
||||
@{exec_path} mr,
|
||||
@{exec_path} mr,
|
||||
|
||||
@{sh_path} r,
|
||||
@{bin}/basename rix,
|
||||
@{bin}/bwrap rix,
|
||||
@{bin}/id rix,
|
||||
@{bin}/mkdir rix,
|
||||
/opt/wemeet/bin/** rix,
|
||||
@{sh_path} r,
|
||||
@{bin}/basename rix,
|
||||
@{bin}/bwrap rix,
|
||||
@{bin}/id rix,
|
||||
@{bin}/mkdir rix,
|
||||
/opt/wemeet/bin/** rix,
|
||||
|
||||
/etc/machine-id r,
|
||||
/var/cache/ w,
|
||||
/etc/machine-id r,
|
||||
/var/cache/ w,
|
||||
|
||||
owner @{user_share_dirs}/wemeetapp/ rw,
|
||||
owner @{user_share_dirs}/wemeetapp/** rwlk -> @{user_share_dirs}/wemeetapp/**,
|
||||
owner @{user_share_dirs}/wemeetapp/ rw,
|
||||
owner @{user_share_dirs}/wemeetapp/** rwlk -> @{user_share_dirs}/wemeetapp/**,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/asound/ r,
|
||||
@{PROC}/@{pid}/net/route r,
|
||||
@{PROC}/@{pid}/net/wireless r,
|
||||
@{PROC}/@{pid}/stat r,
|
||||
@{PROC}/@{pid}/statm r,
|
||||
@{PROC}/sys/fs/inotify/max_user_watches r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
@{PROC}/ r,
|
||||
@{PROC}/asound/ r,
|
||||
@{PROC}/@{pid}/net/route r,
|
||||
@{PROC}/@{pid}/net/wireless r,
|
||||
@{PROC}/@{pid}/stat r,
|
||||
@{PROC}/@{pid}/statm r,
|
||||
@{PROC}/sys/fs/inotify/max_user_watches r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
|
||||
/dev/ r,
|
||||
/dev/tty rw,
|
||||
/dev/shm/ r,
|
||||
|
||||
include if exists <local/wemeet>
|
||||
/dev/ r,
|
||||
/dev/tty rw,
|
||||
/dev/shm/ r,
|
||||
|
||||
include if exists <local/wemeet>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue