felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(abs): minor abstraction improvement.

Browse source
This commit is contained in:
Alexandre Pujol 2025-05-04 20:33:18 +02:00
parent 74dcf2defc
commit 37f70a0030
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
7 changed files with 13 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/abstractions/app-open
View file

@ -60,6 +60,8 @@
# Backup # Backup
@{lib}/deja-dup/deja-dup-monitor PUx, @{lib}/deja-dup/deja-dup-monitor PUx,
@{bin}/gnome-session-quit rPx,
include if exists <abstractions/app-open.d> include if exists <abstractions/app-open.d>
# vim:syntax=apparmor # vim:syntax=apparmor

1
apparmor.d/abstractions/app/firefox
View file

@ -98,6 +98,7 @@
owner @{tmp}/@{name}/* rwk, owner @{tmp}/@{name}/* rwk,
owner @{tmp}/firefox/ rw, owner @{tmp}/firefox/ rw,
owner @{tmp}/firefox/* rwk, owner @{tmp}/firefox/* rwk,
owner @{tmp}/remote-settings-startup-bundle- w,
owner @{tmp}/Temp-@{uuid}/ rw, owner @{tmp}/Temp-@{uuid}/ rw,
owner @{tmp}/Temp-@{uuid}/* rwk, owner @{tmp}/Temp-@{uuid}/* rwk,
owner @{tmp}/tmp-*.xpi rw, owner @{tmp}/tmp-*.xpi rw,

4
apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
View file

@ -5,6 +5,10 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.GeoClue2 label=geoclue #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label=geoclue
dbus send bus=system path=/org/freedesktop/GeoClue2/Agent
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=org.freedesktop.DBus, label=geoclue),
dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties

3
apparmor.d/abstractions/common/app
View file

@ -34,8 +34,7 @@
dbus bus=session, dbus bus=session,
dbus bus=system, dbus bus=system,
/usr/cache/** r, /usr/** r,
/usr/local/{,**} r,
/usr/share/** rk, /usr/share/** rk,
/etc/{,**} r, /etc/{,**} r,

2
apparmor.d/abstractions/gstreamer
View file

@ -32,7 +32,7 @@
# If one is blocked the next is used instead. # If one is blocked the next is used instead.
# The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec flag. # The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec flag.
owner @{run}/user/@{uid}/orcexec.@{rand6} mrw, owner @{run}/user/@{uid}/orcexec.@{rand6} mrw,
#owner /tmp/orcexec.* mrw, owner @{tmp}/orcexec.@{rand6} mrw,
#owner @{HOME}/orcexec.* mrw, #owner @{HOME}/orcexec.* mrw,
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs

4
apparmor.d/abstractions/webkit
View file

@ -8,7 +8,7 @@
mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info, mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info,
@{bin}/xdg-dbus-proxy rix, @{bin}/xdg-dbus-proxy rix, # TODO: stack me
@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
@ -26,6 +26,8 @@
owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw,
owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw,
@{sys}/firmware/acpi/pm_profile r,
include if exists <abstractions/webkit.d> include if exists <abstractions/webkit.d>
# vim:syntax=apparmor # vim:syntax=apparmor

1
apparmor.d/abstractions/wine
View file

@ -11,6 +11,7 @@
owner @{tmp}/.wine-@{uid}/ rw, owner @{tmp}/.wine-@{uid}/ rw,
owner @{tmp}/.wine-@{uid}/** rwk, owner @{tmp}/.wine-@{uid}/** rwk,
owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m,
owner /dev/shm/wine-@{hex6}-fsync rw, owner /dev/shm/wine-@{hex6}-fsync rw,
owner /dev/shm/wine-@{hex6}@{h}-fsync rw, owner /dev/shm/wine-@{hex6}@{h}-fsync rw,