chore: enforce indentation consistency across profile.
This commit is contained in:
Alexandre Pujol
parent
6e2d817805
commit
37bafddc80
30 changed files with 181 additions and 182 deletions
|
|
@ -15,7 +15,7 @@ profile avahi-browse @{exec_path} {
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
|
|
||||||
dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int}
|
dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int}
|
||||||
interface=org.freedesktop.Avahi.ServiceTypeBrowser
|
interface=org.freedesktop.Avahi.ServiceTypeBrowser
|
||||||
member={ItemNew,AllForNow,CacheExhausted}
|
member={ItemNew,AllForNow,CacheExhausted}
|
||||||
peer=(name=:*, label=avahi-daemon),
|
peer=(name=:*, label=avahi-daemon),
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -16,10 +16,10 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
signal (receive) set=(term) peer=ibus-daemon,
|
signal (receive) set=(term) peer=ibus-daemon,
|
||||||
|
|
||||||
dbus receive bus=session
|
dbus receive bus=session
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
member=Introspect
|
member=Introspect
|
||||||
peer=(name=:*, label=gnome-shell),
|
peer=(name=:*, label=gnome-shell),
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -74,7 +74,7 @@ profile cron @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
owner @{tmp}/#@{int} rw,
|
owner @{tmp}/#@{int} rw,
|
||||||
|
|
||||||
include if exists <local/cron_run-parts>
|
include if exists <local/cron_run-parts>
|
||||||
}
|
}
|
||||||
|
|
||||||
include if exists <local/cron>
|
include if exists <local/cron>
|
||||||
|
|
|
||||||
|
|
@ -22,7 +22,7 @@ profile iwd @{exec_path} {
|
||||||
network netlink dgram,
|
network netlink dgram,
|
||||||
network alg seqpacket,
|
network alg seqpacket,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/etc/iwd/{,**} r,
|
/etc/iwd/{,**} r,
|
||||||
/var/lib/iwd/{,**} rw,
|
/var/lib/iwd/{,**} rw,
|
||||||
|
|
|
||||||
|
|
@ -49,8 +49,8 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
|
||||||
owner /var/log/mullvad-vpn/{,*} rw,
|
owner /var/log/mullvad-vpn/{,*} rw,
|
||||||
owner /var/log/private/mullvad-vpn/*.log rw,
|
owner /var/log/private/mullvad-vpn/*.log rw,
|
||||||
|
|
||||||
|
@{run}/NetworkManager/resolv.conf r,
|
||||||
owner @{run}/mullvad-vpn rw,
|
owner @{run}/mullvad-vpn rw,
|
||||||
@{run}/NetworkManager/resolv.conf r,
|
|
||||||
|
|
||||||
@{sys}/fs/cgroup/net_cls/ w,
|
@{sys}/fs/cgroup/net_cls/ w,
|
||||||
@{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w,
|
@{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w,
|
||||||
|
|
|
||||||
|
|
@ -25,14 +25,14 @@ profile ssh-agent-launch @{exec_path} {
|
||||||
include <abstractions/bus-session>
|
include <abstractions/bus-session>
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/DBus
|
dbus send bus=session path=/org/freedesktop/DBus
|
||||||
interface=org.freedesktop.DBus
|
interface=org.freedesktop.DBus
|
||||||
member=UpdateActivationEnvironment
|
member=UpdateActivationEnvironment
|
||||||
peer=(name=org.freedesktop.DBus, label=dbus-session),
|
peer=(name=org.freedesktop.DBus, label=dbus-session),
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/systemd1
|
dbus send bus=session path=/org/freedesktop/systemd1
|
||||||
interface=org.freedesktop.systemd1.Manager
|
interface=org.freedesktop.systemd1.Manager
|
||||||
member=SetEnvironment
|
member=SetEnvironment
|
||||||
peer=(name=org.freedesktop.systemd1),
|
peer=(name=org.freedesktop.systemd1),
|
||||||
|
|
||||||
@{bin}/dbus-update-activation-environment mr,
|
@{bin}/dbus-update-activation-environment mr,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -67,8 +67,8 @@ profile bootctl @{exec_path} {
|
||||||
@{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,
|
@{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,
|
||||||
@{sys}/firmware/efi/fw_platform_size r,
|
@{sys}/firmware/efi/fw_platform_size r,
|
||||||
|
|
||||||
@{PROC}/sys/kernel/random/poolsize r,
|
@{PROC}/sys/kernel/random/poolsize r,
|
||||||
owner @{PROC}/@{pid}/cgroup r,
|
owner @{PROC}/@{pid}/cgroup r,
|
||||||
|
|
||||||
# Inherit silencer
|
# Inherit silencer
|
||||||
deny network inet6 stream,
|
deny network inet6 stream,
|
||||||
|
|
|
||||||
|
|
@ -85,7 +85,7 @@ profile ifup @{exec_path} {
|
||||||
|
|
||||||
/etc/network/if-up.d/ r,
|
/etc/network/if-up.d/ r,
|
||||||
/etc/network/if-up.d/*resolvconf rPUx,
|
/etc/network/if-up.d/*resolvconf rPUx,
|
||||||
/etc/network/if-up.d/resolved rPUx,
|
/etc/network/if-up.d/resolved rPUx,
|
||||||
/etc/network/if-up.d/chrony rPUx,
|
/etc/network/if-up.d/chrony rPUx,
|
||||||
/etc/network/if-up.d/ethtool rPUx,
|
/etc/network/if-up.d/ethtool rPUx,
|
||||||
/etc/network/if-up.d/ifenslave rPUx,
|
/etc/network/if-up.d/ifenslave rPUx,
|
||||||
|
|
|
||||||
|
|
@ -13,38 +13,38 @@ include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = @{bin}/linuxqq @{lib_dirs}/qq
|
@{exec_path} = @{bin}/linuxqq @{lib_dirs}/qq
|
||||||
profile linuxqq @{exec_path} flags=(attach_disconnected) {
|
profile linuxqq @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/attached/consoles>
|
include <abstractions/attached/consoles>
|
||||||
include <abstractions/audio-client>
|
include <abstractions/audio-client>
|
||||||
include <abstractions/common/electron>
|
include <abstractions/common/electron>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
network netlink dgram,
|
network netlink dgram,
|
||||||
network inet stream,
|
network inet stream,
|
||||||
network inet dgram,
|
network inet dgram,
|
||||||
network inet6 dgram,
|
network inet6 dgram,
|
||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
|
|
||||||
@{exec_path} mrix,
|
@{exec_path} mrix,
|
||||||
|
|
||||||
@{sh_path} r,
|
@{sh_path} r,
|
||||||
@{bin}/grep rix,
|
@{bin}/grep rix,
|
||||||
@{lib_dirs}/chrome_crashpad_handler ix,
|
@{lib_dirs}/chrome_crashpad_handler ix,
|
||||||
@{lib_dirs}/resources/app/{,**} m,
|
@{lib_dirs}/resources/app/{,**} m,
|
||||||
@{open_path} rPx -> child-open-strict,
|
@{open_path} rPx -> child-open-strict,
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
|
||||||
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
|
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
|
||||||
@{run}/utmp r,
|
@{run}/utmp r,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/loginuid r,
|
owner @{PROC}/@{pid}/loginuid r,
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
|
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
|
|
||||||
include if exists <local/linuxqq>
|
include if exists <local/linuxqq>
|
||||||
}
|
}
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -9,54 +9,54 @@ include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = @{bin}/ufw
|
@{exec_path} = @{bin}/ufw
|
||||||
profile ufw @{exec_path} flags=(attach_disconnected) {
|
profile ufw @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/attached/consoles>
|
include <abstractions/attached/consoles>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/python>
|
include <abstractions/python>
|
||||||
|
|
||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
capability net_admin,
|
capability net_admin,
|
||||||
capability net_raw,
|
capability net_raw,
|
||||||
capability sys_ptrace,
|
capability sys_ptrace,
|
||||||
|
|
||||||
network inet dgram,
|
network inet dgram,
|
||||||
network inet raw,
|
network inet raw,
|
||||||
network inet6 dgram,
|
network inet6 dgram,
|
||||||
network inet6 raw,
|
network inet6 raw,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
ptrace read,
|
ptrace read,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{bin}/ r,
|
@{bin}/ r,
|
||||||
@{bin}/cat ix,
|
@{bin}/cat ix,
|
||||||
@{bin}/env r,
|
@{bin}/env r,
|
||||||
@{bin}/python3.@{int} ix,
|
@{bin}/python3.@{int} ix,
|
||||||
@{bin}/sysctl ix,
|
@{bin}/sysctl ix,
|
||||||
@{bin}/xtables-legacy-multi ix,
|
@{bin}/xtables-legacy-multi ix,
|
||||||
@{bin}/xtables-nft-multi ix,
|
@{bin}/xtables-nft-multi ix,
|
||||||
@{lib}/ufw/ufw-init ix,
|
@{lib}/ufw/ufw-init ix,
|
||||||
|
|
||||||
/etc/default/ufw rw,
|
/etc/default/ufw rw,
|
||||||
/etc/ufw/ rw,
|
/etc/ufw/ rw,
|
||||||
/etc/ufw/** rwk,
|
/etc/ufw/** rwk,
|
||||||
|
|
||||||
@{run}/xtables.lock rwk,
|
@{run}/xtables.lock rwk,
|
||||||
owner @{run}/ufw.lock rwk,
|
owner @{run}/ufw.lock rwk,
|
||||||
|
|
||||||
owner @{tmp}/@{word8} rw,
|
owner @{tmp}/@{word8} rw,
|
||||||
owner @{tmp}/tmp@{word8} rw,
|
owner @{tmp}/tmp@{word8} rw,
|
||||||
owner /var/tmp/@{word8} rw,
|
owner /var/tmp/@{word8} rw,
|
||||||
owner /var/tmp/tmp@{word8} rw,
|
owner /var/tmp/tmp@{word8} rw,
|
||||||
|
|
||||||
@{PROC}/@{pid}/fd/ r,
|
@{PROC}/@{pid}/fd/ r,
|
||||||
@{PROC}/@{pid}/net/ip_tables_names r,
|
@{PROC}/@{pid}/net/ip_tables_names r,
|
||||||
@{PROC}/@{pid}/stat r,
|
@{PROC}/@{pid}/stat r,
|
||||||
@{PROC}/sys/net/ipv{4,6}/** rw,
|
@{PROC}/sys/net/ipv{4,6}/** rw,
|
||||||
@{PROC}/sys/kernel/modprobe r,
|
@{PROC}/sys/kernel/modprobe r,
|
||||||
|
|
||||||
include if exists <local/ufw>
|
include if exists <local/ufw>
|
||||||
}
|
}
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -38,7 +38,7 @@ profile update-pciids @{exec_path} {
|
||||||
/usr/share/misc/ r,
|
/usr/share/misc/ r,
|
||||||
/usr/share/misc/* rwl -> /usr/share/misc/*,
|
/usr/share/misc/* rwl -> /usr/share/misc/*,
|
||||||
|
|
||||||
# For shell pwd
|
# For shell pwd
|
||||||
/root/ r,
|
/root/ r,
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -13,48 +13,48 @@ include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = @{bin}/wechat-universal @{lib_dirs}/wechat
|
@{exec_path} = @{bin}/wechat-universal @{lib_dirs}/wechat
|
||||||
profile wechat-universal @{exec_path} flags=(attach_disconnected) {
|
profile wechat-universal @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/attached/consoles>
|
include <abstractions/attached/consoles>
|
||||||
include <abstractions/audio-client>
|
include <abstractions/audio-client>
|
||||||
include <abstractions/common/electron>
|
include <abstractions/common/electron>
|
||||||
include <abstractions/common/bwrap>
|
include <abstractions/common/bwrap>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/app/bus>
|
include <abstractions/app/bus>
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
network netlink dgram,
|
network netlink dgram,
|
||||||
network inet stream,
|
network inet stream,
|
||||||
network inet dgram,
|
network inet dgram,
|
||||||
network inet6 dgram,
|
network inet6 dgram,
|
||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
|
|
||||||
@{exec_path} mrix,
|
@{exec_path} mrix,
|
||||||
|
|
||||||
@{sh_path} rix,
|
@{sh_path} rix,
|
||||||
@{lib}/wechat-universal/common.sh ix,
|
@{lib}/wechat-universal/common.sh ix,
|
||||||
@{bin}/sed ix,
|
@{bin}/sed ix,
|
||||||
@{bin}/ln ix,
|
@{bin}/ln ix,
|
||||||
@{bin}/mkdir ix,
|
@{bin}/mkdir ix,
|
||||||
@{bin}/lsblk Px,
|
@{bin}/lsblk Px,
|
||||||
@{bin}/bwrap rix,
|
@{bin}/bwrap rix,
|
||||||
@{bin}/xdg-user-dir rix,
|
@{bin}/xdg-user-dir rix,
|
||||||
@{lib_dirs}/crashpad_handler ix,
|
@{lib_dirs}/crashpad_handler ix,
|
||||||
@{open_path} rPx -> child-open-strict,
|
@{open_path} rPx -> child-open-strict,
|
||||||
|
|
||||||
/etc/lsb-release r,
|
/etc/lsb-release r,
|
||||||
|
|
||||||
owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk,
|
owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk,
|
||||||
owner @{HOME}/.xwechat/{,**} rwk,
|
owner @{HOME}/.xwechat/{,**} rwk,
|
||||||
owner @{HOME}/.sys1og.conf rw,
|
owner @{HOME}/.sys1og.conf rw,
|
||||||
|
|
||||||
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
|
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
|
||||||
@{run}/utmp r,
|
@{run}/utmp r,
|
||||||
|
|
||||||
@{PROC}/@{pid}/net/route r,
|
@{PROC}/@{pid}/net/route r,
|
||||||
|
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
|
|
||||||
include if exists <local/wechat-universal>
|
include if exists <local/wechat-universal>
|
||||||
}
|
}
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -10,54 +10,53 @@ include <tunables/global>
|
||||||
@{exec_path} += /opt/wemeet/bin/wemeetapp
|
@{exec_path} += /opt/wemeet/bin/wemeetapp
|
||||||
@{exec_path} += /opt/wemeet/bin/QtWebEngineProcess
|
@{exec_path} += /opt/wemeet/bin/QtWebEngineProcess
|
||||||
profile wemeet @{exec_path} flags=(attach_disconnected) {
|
profile wemeet @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/attached/consoles>
|
include <abstractions/attached/consoles>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/audio-client>
|
||||||
include <abstractions/common/bwrap>
|
include <abstractions/common/bwrap>
|
||||||
include <abstractions/common/chromium>
|
include <abstractions/common/chromium>
|
||||||
include <abstractions/graphics>
|
include <abstractions/desktop>
|
||||||
include <abstractions/desktop>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/ssl_certs>
|
include <abstractions/graphics>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/audio-client>
|
include <abstractions/ssl_certs>
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
network netlink dgram,
|
network netlink dgram,
|
||||||
network inet stream,
|
network inet stream,
|
||||||
network inet dgram,
|
network inet dgram,
|
||||||
network inet6 dgram,
|
network inet6 dgram,
|
||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{sh_path} r,
|
@{sh_path} r,
|
||||||
@{bin}/basename rix,
|
@{bin}/basename rix,
|
||||||
@{bin}/bwrap rix,
|
@{bin}/bwrap rix,
|
||||||
@{bin}/id rix,
|
@{bin}/id rix,
|
||||||
@{bin}/mkdir rix,
|
@{bin}/mkdir rix,
|
||||||
/opt/wemeet/bin/** rix,
|
/opt/wemeet/bin/** rix,
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/var/cache/ w,
|
/var/cache/ w,
|
||||||
|
|
||||||
owner @{user_share_dirs}/wemeetapp/ rw,
|
owner @{user_share_dirs}/wemeetapp/ rw,
|
||||||
owner @{user_share_dirs}/wemeetapp/** rwlk -> @{user_share_dirs}/wemeetapp/**,
|
owner @{user_share_dirs}/wemeetapp/** rwlk -> @{user_share_dirs}/wemeetapp/**,
|
||||||
|
|
||||||
@{PROC}/ r,
|
@{PROC}/ r,
|
||||||
@{PROC}/asound/ r,
|
@{PROC}/asound/ r,
|
||||||
@{PROC}/@{pid}/net/route r,
|
@{PROC}/@{pid}/net/route r,
|
||||||
@{PROC}/@{pid}/net/wireless r,
|
@{PROC}/@{pid}/net/wireless r,
|
||||||
@{PROC}/@{pid}/stat r,
|
@{PROC}/@{pid}/stat r,
|
||||||
@{PROC}/@{pid}/statm r,
|
@{PROC}/@{pid}/statm r,
|
||||||
@{PROC}/sys/fs/inotify/max_user_watches r,
|
@{PROC}/sys/fs/inotify/max_user_watches r,
|
||||||
owner @{PROC}/@{pid}/cmdline r,
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
|
|
||||||
/dev/ r,
|
/dev/ r,
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
/dev/shm/ r,
|
/dev/shm/ r,
|
||||||
|
|
||||||
include if exists <local/wemeet>
|
|
||||||
|
|
||||||
|
include if exists <local/wemeet>
|
||||||
}
|
}
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue