feat(profiles): use the new hex variable.
This commit is contained in:
parent
5d0c521e44
commit
3b56d3ff0f
70 changed files with 142 additions and 142 deletions
|
|
@ -129,7 +129,7 @@ profile atom @{exec_path} {
|
|||
# The irq file is needed to render pages.
|
||||
deny @{sys}/devices/pci[0-9]*/**/irq r,
|
||||
|
||||
owner /tmp/atom-[0-9a-f]*.sock rw,
|
||||
owner /tmp/atom-@{hex}.sock rw,
|
||||
owner "/tmp/Atom Crashes/" rw,
|
||||
owner /tmp/github-[0-9]*-[0-9]*-*.*/ rw,
|
||||
owner /tmp/github-[0-9]*-[0-9]*-*.*/** rw,
|
||||
|
|
|
|||
|
|
@ -91,9 +91,9 @@ profile calibre @{exec_path} {
|
|||
|
||||
owner @{user_cache_dirs}/qtshadercache/ rw,
|
||||
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
|
||||
owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
|
||||
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
|
||||
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
|
||||
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
|
||||
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
|
||||
|
||||
owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw,
|
||||
owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
|
||||
|
|
|
|||
|
|
@ -109,8 +109,8 @@ profile code @{exec_path} {
|
|||
owner "/tmp/VSCode Crashes/" rw,
|
||||
owner /tmp/vscode-typescript[0-9]*/ rw,
|
||||
|
||||
owner @{run}/user/@{uid}/vscode-[0-9a-f]*-*-{shared,main}.sock rw,
|
||||
owner @{run}/user/@{uid}/vscode-git-askpass-[0-9a-f]*.sock rw,
|
||||
owner @{run}/user/@{uid}/vscode-@{hex}-*-{shared,main}.sock rw,
|
||||
owner @{run}/user/@{uid}/vscode-git-askpass-@{hex}.sock rw,
|
||||
|
||||
owner /tmp/vscode-ipc-@{uuid}.sock rw,
|
||||
# For installing extensions
|
||||
|
|
|
|||
|
|
@ -54,7 +54,7 @@ profile flameshot @{exec_path} {
|
|||
|
||||
owner /tmp/.*/{,s} rw,
|
||||
owner /tmp/*= rw,
|
||||
owner /tmp/qipc_{systemsem,sharedmemory}_*[0-9a-f]* rw,
|
||||
owner /tmp/qipc_{systemsem,sharedmemory}_*@{hex} rw,
|
||||
|
||||
deny owner @{PROC}/@{pid}/cmdline r,
|
||||
deny @{PROC}/sys/kernel/random/boot_id r,
|
||||
|
|
|
|||
|
|
@ -51,7 +51,7 @@ profile geany @{exec_path} {
|
|||
|
||||
owner @{user_config_dirs}/geany/{,**} rw,
|
||||
|
||||
owner /{run/,}user/@{uid}/geany/geany_socket.[0-9a-f]* rw,
|
||||
owner /{run/,}user/@{uid}/geany/geany_socket.@{hex} rw,
|
||||
|
||||
# To read/write files in the system. The read permission is granted for all files, the write
|
||||
# permission only for the owner. Also, dirs like /dev/, /proc/, /sys/ are not included in
|
||||
|
|
@ -110,7 +110,7 @@ profile geany @{exec_path} {
|
|||
/{usr/,}bin/dbus-daemon rPUx,
|
||||
|
||||
# for dbus-launch
|
||||
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
|
||||
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
|
||||
|
||||
@{HOME}/.Xauthority r,
|
||||
}
|
||||
|
|
|
|||
|
|
@ -85,7 +85,7 @@ profile okular @{exec_path} {
|
|||
|
||||
# Print to pdf
|
||||
/{usr/,}bin/ps2pdf rPUx,
|
||||
owner /tmp/[0-9a-f]* rw,
|
||||
owner /tmp/@{hex} rw,
|
||||
owner /tmp/#[0-9]*[0-9] rw,
|
||||
owner /tmp/okular_*.ps rwl -> /tmp/#[0-9]*[0-9],
|
||||
|
||||
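Review bot: The new `owner /tmp/@{hex} rw,` is only as tight as the variable behind it: AppArmor's `*` matches any run of non-`/` characters, so the `[0-9a-f]*` it replaces admitted every owned file in /tmp whose name merely starts with a hex digit, and if `@{hex}` is itself defined with `*` (its definition is outside this diff) the rewritten line is no narrower. A bare `/tmp/` entry with `rw` is where that matters most, since the profile also writes its own `okular_*.ps` output there. Suggest a comment on the line so a later reader does not mistake the variable for a strict character class: `# @{hex} is glob-based, not a strict hex class: still covers any owned /tmp file starting with a hex digit`. If the tunables provide a bounded form of the variable, that would be the better fit for this rule.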
|
|
|
|||
|
|
@ -67,7 +67,7 @@ profile spotify @{exec_path} {
|
|||
|
||||
/usr/share/X11/XErrorDB r,
|
||||
|
||||
owner /tmp/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
|
||||
owner /tmp/@{hex}-@{hex}-@{hex}-@{hex} rw,
|
||||
|
||||
# What's this for?
|
||||
#owner /tmp/[0-9]*.[0-9]*.[0-9]*.[0-9]*-linux-*.zip rw,
|
||||
|
|
|
|||
|
|
@ -59,8 +59,8 @@ profile telegram-desktop @{exec_path} {
|
|||
# Autostart
|
||||
owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw,
|
||||
|
||||
owner /tmp/[0-9a-f]*-* rwk,
|
||||
owner @{run}/user/@{uid}/[0-9a-f]*-* rwk,
|
||||
owner /tmp/@{hex}-* rwk,
|
||||
owner @{run}/user/@{uid}/@{hex}-* rwk,
|
||||
|
||||
/dev/shm/#[0-9]*[0-9] rw,
|
||||
|
||||
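Review bot: `owner /tmp/@{hex}-* rwk,` and `owner @{run}/user/@{uid}/@{hex}-* rwk,` remain the broadest rules in this profile after the substitution: the trailing `-*` already accepts any suffix, and if `@{hex}` is glob-based (its definition is not in the diff) the effective match is roughly "owned file whose name begins with a hex digit and contains a dash", with lock permission on top. The change to `@{hex}` does not tighten that, and the hunk gives no hint of what these files are. A note stating their origin would let a later reviewer judge whether a narrower pattern is possible: `# TODO: identify these hex-prefixed temp files; @{hex}-* is effectively a wildcard`.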
|
|
|
|||
|
|
@ -34,7 +34,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
unix (receive, send) type=stream peer=(label=apt-esm-json-hook),
|
||||
|
||||
dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/[0-9a-f]*}
|
||||
dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/@{hex}}
|
||||
interface=org.{debian.apt*,freedesktop.DBus.{Properties,Introspectable}},
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PackageKit
|
||||
|
|
|
|||
|
|
@ -170,7 +170,7 @@ profile synaptic @{exec_path} {
|
|||
/{usr/,}bin/dbus-daemon rPUx,
|
||||
|
||||
# for dbus-launch
|
||||
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
|
||||
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
|
||||
|
||||
@{HOME}/.Xauthority r,
|
||||
}
|
||||
|
|
|
|||
|
|
@ -118,7 +118,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{MOZ_HOMEDIR}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r,
|
||||
|
||||
owner @{user_config_dirs}/ r,
|
||||
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
|
||||
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r,
|
||||
owner @{user_config_dirs}/mimeapps.list{,.*} rw,
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
|
|
|
|||
|
|
@ -39,8 +39,8 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/{,**}" rw,
|
||||
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/crashreporter.ini" rw,
|
||||
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/events/[0-9a-f]*" rw,
|
||||
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/[0-9a-f]*.{dmp,extra}" rw,
|
||||
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/events/@{hex}" rw,
|
||||
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw,
|
||||
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/submit.log" rw,
|
||||
|
||||
owner @{MOZ_HOMEDIR}/firefox/*.*/crashes/{,**} rw,
|
||||
|
|
@ -53,7 +53,7 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/tmp/ r,
|
||||
/var/tmp/ r,
|
||||
owner /tmp/[0-9a-f]*.{dmp,extra} rw,
|
||||
owner /tmp/@{hex}.{dmp,extra} rw,
|
||||
owner /tmp/firefox/.parentlock w,
|
||||
|
||||
owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r,
|
||||
|
|
|
|||
|
|
@ -22,14 +22,14 @@ profile firefox-minidump-analyzer @{exec_path} {
|
|||
|
||||
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/" rw,
|
||||
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/" rw,
|
||||
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/[0-9a-f]*.{dmp,extra}" rw,
|
||||
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw,
|
||||
|
||||
owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/ rw,
|
||||
owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/@{uuid}.{dmp,extra} rw,
|
||||
|
||||
owner @{user_cache_dirs}/mozilla/firefox/*.*/startupCache/*Cache* r,
|
||||
|
||||
owner /tmp/[0-9a-f]*.{dmp,extra} rw,
|
||||
owner /tmp/@{hex}.{dmp,extra} rw,
|
||||
owner /tmp/firefox/.parentlock w,
|
||||
|
||||
owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r,
|
||||
|
|
|
|||
|
|
@ -24,10 +24,10 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/dconf/db/ibus r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
|
||||
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
|
||||
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
|
||||
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
|
||||
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r,
|
||||
owner @{user_config_dirs}/ibus/bus/@{hex}-unix-[0-9]* r,
|
||||
/var/lib/gdm/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r,
|
||||
/var/lib/gdm/.config/ibus/bus/@{hex}-unix-[0-9]* r,
|
||||
|
||||
/var/lib/gdm/.cache/dconf/ w,
|
||||
/var/lib/gdm/.cache/dconf/user rw,
|
||||
|
|
|
|||
|
|
@ -19,8 +19,8 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
|
||||
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r,
|
||||
/var/lib/gdm/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
|
||||
/var/lib/gdm/.config/ibus/bus/@{hex}-unix-[0-9] r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ profile ibus-memconf @{exec_path} {
|
|||
/etc/machine-id r,
|
||||
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/ r,
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9]* r,
|
||||
|
||||
include if exists <local/ibus-memconf>
|
||||
}
|
||||
|
|
@ -26,7 +26,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/var/lib/dbus/machine-id r,
|
||||
/var/lib/gdm/.config/ibus/bus/ r,
|
||||
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
|
||||
/var/lib/gdm/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
/dev/null rw,
|
||||
|
|
|
|||
|
|
@ -23,10 +23,10 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
|
||||
/var/lib/gdm/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
|
||||
|
||||
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
|
||||
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
|
||||
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
|
||||
owner @{user_config_dirs}/ibus/bus/@{hex}-unix-[0-9] r,
|
||||
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
|
|
|||
|
|
@ -69,7 +69,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
|
|||
/{usr/,}bin/dbus-daemon rPx,
|
||||
|
||||
@{HOME}/.Xauthority r,
|
||||
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
|
||||
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
|
||||
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -61,7 +61,7 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) {
|
|||
/{usr/,}bin/dbus-daemon rPx,
|
||||
|
||||
# for dbus-launch
|
||||
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
|
||||
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
|
||||
|
||||
@{HOME}/.Xauthority r,
|
||||
}
|
||||
|
|
|
|||
|
|
@ -64,7 +64,7 @@ profile xdg-settings @{exec_path} {
|
|||
/{usr/,}bin/dbus-daemon rPx,
|
||||
|
||||
# for dbus-launch
|
||||
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
|
||||
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
|
||||
|
||||
@{HOME}/.Xauthority r,
|
||||
}
|
||||
|
|
|
|||
|
|
@ -150,13 +150,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/gdm{3,}/.cache/ w,
|
||||
/var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw,
|
||||
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
|
||||
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
|
||||
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
|
||||
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw,
|
||||
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk,
|
||||
/var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
|
||||
/var/lib/gdm{3,}/.config/dconf/user r,
|
||||
/var/lib/gdm{3,}/.config/ibus/ rw,
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/ rw,
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r,
|
||||
/var/lib/gdm{3,}/.config/pulse/ r,
|
||||
/var/lib/gdm{3,}/.config/pulse/client.conf r,
|
||||
/var/lib/gdm{3,}/.config/pulse/cookie rwk,
|
||||
|
|
|
|||
|
|
@ -41,7 +41,7 @@ profile tracker-miner @{exec_path} {
|
|||
/var/lib/gdm{3,}/.cache/tracker3/tracker3/files/{,**} rwk,
|
||||
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||
|
||||
owner /var/tmp/etilqs_[0-9a-f]* rw,
|
||||
owner /var/tmp/etilqs_@{hex} rw,
|
||||
|
||||
# Allow to search user files
|
||||
owner @{HOME}/{,**} r,
|
||||
|
|
|
|||
|
|
@ -25,53 +25,53 @@ profile gpg-agent @{exec_path} {
|
|||
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/gpg-agent.conf r,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key rw,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r,
|
||||
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key rw,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/sshcontrol r,
|
||||
|
||||
owner @{user_projects_dirs}/**/{.,}gnupg/ rw,
|
||||
owner @{user_projects_dirs}/**/{.,}gnupg/gpg-agent.conf r,
|
||||
owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,
|
||||
owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key rw,
|
||||
owner @{user_projects_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{user_projects_dirs}/**/{.,}gnupg/sshcontrol r,
|
||||
|
||||
owner @{run}/user/@{uid}/gnupg/ rw,
|
||||
owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r,
|
||||
owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw,
|
||||
owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key rw,
|
||||
owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{run}/user/@{uid}/gnupg/sshcontrol r,
|
||||
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/ rw,
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/gpg-agent.conf r,
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key rw,
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{user_tmp_dirs}/**/{.,}gnupg/sshcontrol r,
|
||||
|
||||
owner /var/lib/*/.gnupg/ rw,
|
||||
owner /var/lib/*/.gnupg/private-keys-v1.d/ rw,
|
||||
owner /var/lib/*/.gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner /var/lib/*/.gnupg/private-keys-v1.d/@{hex}.key rw,
|
||||
owner /var/lib/*/.gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner /var/lib/*/.gnupg/sshcontrol r,
|
||||
|
||||
owner /var/lib/*/gnupg/ rw,
|
||||
owner /var/lib/*/gnupg/private-keys-v1.d/ rw,
|
||||
owner /var/lib/*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner /var/lib/*/gnupg/private-keys-v1.d/@{hex}.key rw,
|
||||
owner /var/lib/*/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner /var/lib/*/gnupg/sshcontrol r,
|
||||
|
||||
owner /tmp/tmp.*/gnupg/ rw,
|
||||
owner /tmp/tmp.*/gnupg/private-keys-v1.d/ rw,
|
||||
owner /tmp/tmp.*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||
owner /tmp/tmp.*/gnupg/private-keys-v1.d/@{hex}.key rw,
|
||||
owner /tmp/tmp.*/gnupg/{,d.*/}S.gpg-agent rw,
|
||||
owner /tmp/tmp.*/gnupg/sshcontrol r,
|
||||
|
||||
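Review bot: Every `private-keys-v1.d/@{hex}.key rw,` line in this hunk replaces an uppercase class, `[0-9A-F]*.key`, while most other hunks in the commit replace lowercase `[0-9a-f]*`; if `@{hex}` is defined lowercase-only, gpg-agent loses access to its private key files, which would show up as DENIED audit entries rather than an obvious error. The variable's definition is outside this diff, so please confirm it covers `A-F` (or both cases) before merging. Recording the dependency once, above the first key rule, would protect against a later tightening of the variable: `# key file names previously matched [0-9A-F]*; @{hex} must cover uppercase`. The `S.gpg-agent` and `sshcontrol` lines are unchanged and unaffected.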
|
|
|
|||
|
|
@ -21,9 +21,9 @@ profile gpg-connect-agent @{exec_path} {
|
|||
|
||||
owner @{run}/user/@{uid}/gnupg/d.*/ rw,
|
||||
|
||||
owner /tmp/tmp.*/.#lk0x[0-9a-f]*.*.@{pid} rw,
|
||||
owner /tmp/tmp.*/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
|
||||
owner /tmp/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
|
||||
owner /tmp/tmp.*/.#lk0x@{hex}.*.@{pid} rw,
|
||||
owner /tmp/tmp.*/.#lk0x@{hex}.*.@{pid}x rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid},
|
||||
owner /tmp/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid},
|
||||
|
||||
include if exists <local/gpg-connect-agent>
|
||||
}
|
||||
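Review bot: On both rewritten `rwl ->` lines the link target is `/tmp/*/.#lk0x@{hex}.*.@{pid}`, which is wider than the `/tmp/tmp.*/` prefix used on the source side, so the rule allows the link to land in any directory directly under /tmp rather than only the gnupg temp directory; the commit rewrites these lines but keeps the mismatch. Unless a different target directory was actually observed in audit logs, the two sides should share a prefix: `owner /tmp/tmp.*/.#lk0x@{hex}.*.@{pid}x rwl -> /tmp/tmp.*/.#lk0x@{hex}.*.@{pid},` and the same for the `gnupg_spawn_agent_sentinel.lock` line. Note that each `@{hex}` expands independently, so the source and target lock names are not required to carry the same hex value; that is inherent to AppArmor variable substitution and not something this rule can express.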
|
|
|
|||
|
|
@ -24,11 +24,11 @@ profile bootctl @{exec_path} {
|
|||
|
||||
/{boot,efi}/ r,
|
||||
/{boot,efi}/EFI/{,**} r,
|
||||
/{boot,efi}/EFI/BOOT/.#BOOT*.EFI[0-9a-f]* rw,
|
||||
/{boot,efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw,
|
||||
/{boot,efi}/EFI/BOOT/BOOTX64.EFI w,
|
||||
/{boot,efi}/EFI/systemd/.#systemd-boot*.efi[0-9a-f]* rw,
|
||||
/{boot,efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw,
|
||||
/{boot,efi}/EFI/systemd/systemd-boot*.efi w,
|
||||
/{boot,efi}/loader/.#bootctlrandom-seed[0-9a-f]* rw,
|
||||
/{boot,efi}/loader/.#bootctlrandom-seed@{hex} rw,
|
||||
/{boot,efi}/loader/.#entries.srel* w,
|
||||
/{boot,efi}/loader/{,**} r,
|
||||
/{boot,efi}/loader/entries.srel w,
|
||||
|
|
@ -47,7 +47,7 @@ profile bootctl @{exec_path} {
|
|||
@{sys}/firmware/dmi/entries/*/raw r,
|
||||
@{sys}/firmware/efi/efivars/ r,
|
||||
@{sys}/firmware/efi/efivars/AuditMode-@{uuid} r,
|
||||
@{sys}/firmware/efi/efivars/Boot[0-9A-F]*-@{uuid} r,
|
||||
@{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r,
|
||||
@{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
|
||||
@{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r,
|
||||
@{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r,
|
||||
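Review bot: `@{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r,` replaces `Boot[0-9A-F]*-@{uuid}`, the only uppercase class in this profile, which suggests the `BootXXXX` variable names are uppercase hex; the line therefore depends on `@{hex}` being case-insensitive, and that definition is not part of the diff. If the variable is lowercase-only, bootctl silently loses read access to the individual boot entries while `BootOrder` on the next line keeps working, which is an easy regression to miss. Suggest pinning the expectation inline: `# BootXXXX entries were matched with [0-9A-F]*; requires @{hex} to include A-F`.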
|
|
|
|||
|
|
@ -26,13 +26,13 @@ profile coredumpctl @{exec_path} flags=(complain) {
|
|||
|
||||
owner /var/tmp/coredump-* rw,
|
||||
|
||||
/var/lib/systemd/coredump/core.*.[0-9]*.[0-9a-f]*.[0-9]*.[0-9]*.zst r,
|
||||
/var/lib/systemd/coredump/core.*.[0-9]*.@{hex}.[0-9]*.[0-9]*.zst r,
|
||||
|
||||
/{run,var}/log/journal/ r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/ r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/system.journal* r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r,
|
||||
/{run,var}/log/journal/@{hex}/ r,
|
||||
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* r,
|
||||
/{run,var}/log/journal/@{hex}/system.journal* r,
|
||||
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* r,
|
||||
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
@{PROC}/1/cgroup r,
|
||||
|
|
|
|||
|
|
@ -34,12 +34,12 @@ profile journalctl @{exec_path} {
|
|||
/var/lib/systemd/catalog/.#database* rw,
|
||||
|
||||
/{run,var}/log/journal/ r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/ r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/system.journal* r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
|
||||
/{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
|
||||
owner /{run,var}/log/journal/[0-9a-f]*/fss wl -> /var/log/journal/[0-9a-f]*/fss.tmp.*,
|
||||
owner /{run,var}/log/journal/[0-9a-f]*/fss.tmp.* rw,
|
||||
/{run,var}/log/journal/@{hex}/ r,
|
||||
/{run,var}/log/journal/@{hex}/system.journal* r,
|
||||
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw,
|
||||
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw,
|
||||
owner /{run,var}/log/journal/@{hex}/fss wl -> /var/log/journal/@{hex}/fss.tmp.*,
|
||||
owner /{run,var}/log/journal/@{hex}/fss.tmp.* rw,
|
||||
owner /var/tmp/#[0-9]* rw,
|
||||
|
||||
@{run}/host/container-manager r,
|
||||
|
|
|
|||
|
|
@ -42,10 +42,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected,complain) {
|
|||
# To be able to read logs
|
||||
@{run}/log/ r,
|
||||
/{run,var}/log/journal/ r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/ r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/system.journal* r,
|
||||
/{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r,
|
||||
/{run,var}/log/journal/@{hex}/ r,
|
||||
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* r,
|
||||
/{run,var}/log/journal/@{hex}/system.journal* r,
|
||||
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* r,
|
||||
|
||||
@{run}/systemd/netif/links/[0-9]* r,
|
||||
@{run}/systemd/netif/state r,
|
||||
|
|
|
|||
|
|
@ -30,11 +30,11 @@ profile systemd-journald @{exec_path} {
|
|||
|
||||
@{run}/log/ rw,
|
||||
/{run,var}/log/journal/ rw,
|
||||
/{run,var}/log/journal/[0-9a-f]*/ rw,
|
||||
/{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
|
||||
/{run,var}/log/journal/[0-9a-f]*/system.journal* rw,
|
||||
/{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
|
||||
/{run,var}/log/journal/[0-9a-f]*/fss rw,
|
||||
/{run,var}/log/journal/@{hex}/ rw,
|
||||
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw,
|
||||
/{run,var}/log/journal/@{hex}/system.journal* rw,
|
||||
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw,
|
||||
/{run,var}/log/journal/@{hex}/fss rw,
|
||||
|
||||
owner @{run}/systemd/journal/{,**} rw,
|
||||
owner @{run}/systemd/notify rw,
|
||||
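Review bot: `/{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw,` labels as hex what is, if these are the per-user journals, a numeric UID; `@{hex}` still matches because digits are hex digits, but it documents the wrong thing and, depending on how `@{hex}` is defined, may admit more names than `@{uid}`, which this commit already uses for `@{run}/user/@{uid}/`. Since journald holds `rw` here, the more descriptive and no-wider form is `/{run,var}/log/journal/@{hex}/user-@{uid}.journal* rw,`. The same substitution would apply to the journalctl, networkctl and coredumpctl hunks in this commit; confirm the file naming scheme before changing all four.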
|
|
|
|||
|
|
@ -31,12 +31,12 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
|
|||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
|
||||
mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/@{hex}/shm/,
|
||||
mount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
|
||||
mount -> /tmp/ctd-volume[0-9]*/,
|
||||
mount options in (rw, bind, nosuid, nodev, noexec) -> @{run}/netns/cni-@{uuid},
|
||||
|
||||
umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
|
||||
umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/@{hex}/shm/,
|
||||
umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
|
||||
umount /tmp/ctd-volume[0-9]*/,
|
||||
umount @{run}/netns/cni-@{uuid},
|
||||
|
|
|
|||
|
|
@ -22,8 +22,8 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
|
|||
ptrace (read) peer=containerd,
|
||||
ptrace (read) peer=unconfined,
|
||||
|
||||
mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/rootfs/,
|
||||
umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/rootfs/,
|
||||
mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
|
||||
umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
|
|
@ -34,12 +34,12 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
|
|||
/tmp/pty[0-9]*/pty.sock rw,
|
||||
|
||||
@{run}/containerd/{,containerd.sock.ttrpc} rw,
|
||||
@{run}/containerd/io.containerd.grpc.v1.cri/containers/[0-9a-f]*/io/[0-9]*/[0-9a-f]*-{stdin,stdout,stderr} rw,
|
||||
@{run}/containerd/io.containerd.runtime.v2.task/{moby,k8s.io}/[0-9a-f]*/{,*} rw,
|
||||
@{run}/containerd/s/{,[0-9a-f]*} rw,
|
||||
@{run}/containerd/io.containerd.grpc.v1.cri/containers/@{hex}/io/[0-9]*/@{hex}-{stdin,stdout,stderr} rw,
|
||||
@{run}/containerd/io.containerd.runtime.v2.task/{moby,k8s.io}/@{hex}/{,*} rw,
|
||||
@{run}/containerd/s/{,@{hex}} rw,
|
||||
|
||||
@{run}/docker/containerd/[0-9a-f]*/[0-9a-f]*-{stdin,stdout,stderr} rw,
|
||||
@{run}/docker/containerd/[0-9a-f]*/init-{stdin,stdout,stderr} rw,
|
||||
@{run}/docker/containerd/@{hex}/@{hex}-{stdin,stdout,stderr} rw,
|
||||
@{run}/docker/containerd/@{hex}/init-{stdin,stdout,stderr} rw,
|
||||
@{run}/docker/containerd/daemon/io.containerd.*/{,**} rw,
|
||||
@{run}/secrets/kubernetes.io/serviceaccount/*/token w,
|
||||
|
||||
|
|
|
|||
|
|
@ -61,7 +61,7 @@ profile k3s @{exec_path} {
|
|||
/{usr/,}{s,}bin/xtables-nft-multi rPx -> cni-xtables-nft,
|
||||
|
||||
@{libexec}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
|
||||
/var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix,
|
||||
/var/lib/rancher/k3s/data/@{hex}/bin/* rix,
|
||||
|
||||
@{libexec}/kubernetes/kubelet-plugins/volume/exec/{,**} r,
|
||||
/usr/share/mime/globs2 r,
|
||||
|
|
@ -145,7 +145,7 @@ profile k3s @{exec_path} {
|
|||
|
||||
@{sys}/devices/virtual/block/*/** r,
|
||||
@{sys}/devices/virtual/dmi/id/* r,
|
||||
@{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r,
|
||||
@{sys}/devices/virtual/net/cali@{hex}/{address,mtu,speed} r,
|
||||
@{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r,
|
||||
|
||||
@{sys}/fs/cgroup/{,*,*/} r,
|
||||
|
|
|
|||