Merge branch 'roddhjav:main' into main

This commit is contained in:
Besanon 2024-10-21 12:05:49 +02:00 committed by GitHub
commit 3f549805af
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1828 changed files with 12101 additions and 9179 deletions


@ -8,17 +8,16 @@ jobs:
strategy:
matrix:
os:
# - ubuntu-24.04
- ubuntu-24.04
- ubuntu-22.04
mode:
- default
- full-system-policy
steps:
- name: Check out repository code
uses: actions/checkout@v4
- name: Install Build dependencies
- name: Install Build dependencies
run: |
sudo apt-get update -q
sudo apt-get install -y \
@ -39,12 +38,15 @@ jobs:
run: sudo dpkg --install ../apparmor.d_*_amd64.deb || true
- name: Reload AppArmor
run: |
run: |
sudo systemctl restart apparmor.service || true
sudo systemctl status apparmor.service
- name: Ensure compatibility with some AppArmor userspace tools
run: sudo aa-enforce /etc/apparmor.d/aa-notify
run: |
if [[ ${{ matrix.os }} != ubuntu-24.04 ]]; then
sudo aa-enforce /etc/apparmor.d/aa-notify
fi
- name: Show AppArmor log and rules
run: |
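Review bot: The aa-enforce step now guards itself with a shell test, `if [[ ${{ matrix.os }} != ubuntu-24.04 ]]; then`, which inlines a workflow expression into the bash script and still runs (and reports success for) the step on ubuntu-24.04 where it does nothing. A step-level condition keeps the skip visible in the job log and avoids the interpolation: `if: matrix.os != 'ubuntu-24.04'` followed by `run: sudo aa-enforce /etc/apparmor.d/aa-notify`. The reason ubuntu-24.04 is excluded is not stated anywhere in the hunk; a short comment on the step (presumably an aa-notify/userspace-tools incompatibility on that release) would let the next maintainer know when the exception can be dropped. The `|| true` on the dpkg install and apparmor restart lines are context rather than part of this change, but they mean a failed package install only surfaces in later steps. The steps list continues beyond the hunk.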


@ -4,7 +4,7 @@ include:
- template: Security/SAST.gitlab-ci.yml
variables:
PKGDEST: $CI_PROJECT_DIR/packages
PKGDEST: $CI_PROJECT_DIR/.pkg
PACKAGER: 'Alexandre Pujol <alexandre@pujol.io>'
stages:
@ -23,14 +23,14 @@ bash:
image: koalaman/shellcheck-alpine
script:
- shellcheck --shell=bash
PKGBUILD dists/build.sh dists/docker.sh
PKGBUILD dists/build.sh dists/docker.sh tests/check.sh
tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh
golangci-lint:
stage: lint
image: golangci/golangci-lint
script:
- golangci-lint run --skip-dirs pkg/paths
- golangci-lint run --exclude-dirs pkg/paths
packer:
stage: lint
@ -63,6 +63,11 @@ tests:
- go test $(go list ./pkg/... | grep -v /pkg/paths) -v -cover -coverprofile=coverage.out
- go tool cover -func=coverage.out
check:
stage: test
image: registry.gitlab.com/roddhjav/builders/archlinux
script:
- make check
# Package Build
# -------------
@ -190,7 +195,7 @@ pages:
GIT_DEPTH: 0
script:
- pip install -r requirements.txt
- mkdocs build --strict --site-dir public
- mkdocs build --site-dir public
artifacts:
paths:
- public
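Review bot: The pages job drops `--strict` from `mkdocs build --site-dir public`, so broken internal links and other mkdocs warnings no longer fail the pipeline, while the Makefile `docs` target visible in this same commit keeps `mkdocs build --strict`; the two builds will diverge in what they accept. If the flag was removed to work around a specific warning, a comment naming it next to the script line would let it be restored later; otherwise keep `- mkdocs build --strict --site-dir public`. The new `check` job (`make check` on the archlinux image) declares no `needs:` or `dependencies:` in the visible lines, so whether it relies on build artifacts cannot be told from the hunk. The `--skip-dirs` to `--exclude-dirs` rename appears to track the golangci-lint option rename and looks correct.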


@ -4,12 +4,12 @@
# SPDX-License-Identifier: GPL-2.0-only
DESTDIR ?= /
BUILD := .build
PKGDEST := /tmp/pkg
BUILD ?= .build
PKGDEST ?= ${PWD}/.pkg
PKGNAME := apparmor.d
P = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*)))
.PHONY: all build enforce full install local $(P) pkg dpkg rpm tests lint clean
.PHONY: all build enforce full install local $(P) dev package pkg dpkg rpm tests lint check manual docs serve clean
all: build
@./${BUILD}/prebuild --complain
@ -24,13 +24,13 @@ enforce: build
full: build
@./${BUILD}/prebuild --complain --full
ROOT = $(shell find "${BUILD}/root" -type f -printf "%P\n")
SHARE = $(shell find "${BUILD}/share" -type f -not -name "*.md" -printf "%P\n")
PROFILES = $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n")
DISABLES = $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n")
install:
@install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
@for file in ${ROOT}; do \
install -Dm0644 "${BUILD}/root/$${file}" "${DESTDIR}/$${file}"; \
@for file in ${SHARE}; do \
install -Dm0644 "${BUILD}/share/$${file}" "${DESTDIR}/usr/share/$${file}"; \
done;
@for file in ${PROFILES}; do \
install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
@ -56,7 +56,7 @@ local:
ABSTRACTIONS = $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n")
TUNABLES = $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n")
$(P):
@[ -f ${BUILD}/aa-log ] || exit 0; install -Dm755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
@install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
@for file in ${ABSTRACTIONS}; do \
install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \
done;
@ -71,6 +71,12 @@ $(P):
done;
@systemctl restart apparmor || systemctl status apparmor
name ?=
dev:
@go run ./cmd/prebuild --complain --file $(shell find apparmor.d -iname ${name})
@sudo install -Dm644 ${BUILD}/apparmor.d/${name} /etc/apparmor.d/${name}
@sudo systemctl restart apparmor || systemctl status apparmor
dist ?= archlinux
package:
@bash dists/docker.sh ${dist}
@ -95,12 +101,23 @@ lint:
@golangci-lint run
@make --directory=tests lint
@shellcheck --shell=bash \
PKGBUILD dists/build.sh dists/docker.sh \
PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \
tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh \
debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm
check:
@bash tests/check.sh
manual:
@pandoc -t man -s -o root/usr/share/man/man8/aa-log.8 root/usr/share/man/man8/aa-log.md
docs:
@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict
serve:
@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve
clean:
@rm -rf \
debian/.debhelper debian/debhelper* debian/*.debhelper debian/${PKGNAME} \
${PKGNAME}-*.pkg.tar.zst.sig ${PKGNAME}-*.pkg.tar.zst coverage.out \
${PKGNAME}_*.* ${PKGNAME}-*.rpm ${BUILD}
.pkg/${PKGNAME}* ${BUILD} coverage.out
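Review bot: `PKGDEST ?= ${PWD}/.pkg` reads the shell's `PWD` environment variable rather than Make's own `$(CURDIR)`, so the value is stale or empty when `PWD` is not what the shell set (e.g. under `sudo` with a reset environment or after `make -C`); use `PKGDEST ?= $(CURDIR)/.pkg`. The new `dev` target has no guard on `name`: with `name` empty, `find apparmor.d -iname` presumably receives an empty pattern and `--file` gets no argument, and `sudo install -Dm644 ${BUILD}/apparmor.d/ /etc/apparmor.d/` is then attempted with a directory as its source; add `@$(if $(strip $(name)),,$(error name is required))` as the first recipe line and quote the expansion as `-iname "${name}"`. Since `BUILD` changes from `:=` to `?=` it is now overridable from the environment, and the `clean` recipe's `rm -rf ... ${BUILD}` would honour `BUILD=/`; a `$(strip)` guard of the same shape, or keeping `BUILD` as an `override`-protected internal variable, keeps a misconfigured environment from becoming destructive.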


@ -27,15 +27,15 @@
- Target both desktops and servers
- Support all distributions that support AppArmor:
* Arch Linux
* Ubuntu 22.04
* Debian 12
* OpenSUSE Tumbleweed
* [Arch Linux](https://apparmor.pujol.io/install#archlinux)
* [Ubuntu 24.04/22.04](https://apparmor.pujol.io/install#ubuntu)
* [Debian 12](https://apparmor.pujol.io/install#debian)
* [OpenSUSE Tumbleweed](https://apparmor.pujol.io/install#opensuse)
- Support for all major desktop environments:
* Gnome
* KDE
* XFCE *(work in progress)*
- Fully tested (Work in progress)
* Gnome (GDM)
* KDE (SDDM)
* XFCE (Lightdm) *(work in progress)*
- Fully tested *(work in progress)*
> This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments.


@ -2,6 +2,9 @@
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
# The unix socket to use to connect to the display
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
@ -24,6 +27,7 @@
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland
owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
owner @{run}/user/@{uid}/ICEauthority r,
owner @{run}/user/@{uid}/X11/Xauthority r,
owner @{run}/user/@{uid}/xauth_@{rand6} rl -> @{run}/user/@{uid}/#@{int},
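Review bot: The unix rule `peer=(addr="@/tmp/.X11-unix/X[0-9]*")` ends in a `*`, so the abstract-socket pattern also matches any name that merely starts with `X` and a digit, whereas the rest of this file uses the project's tunables (`@{int}`, `@{rand6}`) for numeric parts; `@/tmp/.X11-unix/X@{int}` would express the display number exactly, and the same applies to `@/tmp/.ICE-unix/[0-9]*`. Whether these two unix lines are new or context cannot be told from the rendered hunk, so this may be a pre-existing pattern rather than one introduced here.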


@ -3,8 +3,10 @@
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
@{bin}/* PUx,
/usr/local/{s,}bin/* PUx,
abi <abi/4.0>,
@{bin}/** PUx,
/usr/local/{s,}bin/** PUx,
@{bin}/ r,
/ r,
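Review bot: Widening `@{bin}/* PUx` to `@{bin}/** PUx` (and likewise `/usr/local/{s,}bin/**`) lets the including profile execute anything in subdirectories below the bin directories with fallback to unconfined when no profile exists, not just the binaries directly inside them. If a specific nested layout motivated this, the hunk does not say; a comment on the rule such as `# ** rather than *: helpers installed in sub-directories of @{bin} must be startable too` would record why the broader glob is needed and keep someone from narrowing it back. `@{bin}/ r,` and `/ r,` are directory listings and look fine.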


@ -3,10 +3,12 @@
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
@{bin}/* PUx,
abi <abi/4.0>,
@{bin}/** PUx,
/opt/*/** PUx,
/usr/share/*/* PUx,
/usr/local/bin/* PUx,
/usr/share/** PUx,
/usr/local/bin/** PUx,
@{brave_path} Px,
@{chrome_path} Px,
@ -21,6 +23,9 @@
/usr/ r,
/usr/local/bin/ r,
@{user_bin_dirs}/ r,
@{user_bin_dirs}/** PUx,
include if exists <abstractions/app-launcher-user.d>
# vim:syntax=apparmor
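Review bot: `/usr/share/** PUx` replaces `/usr/share/*/* PUx` and now covers every file at any depth under /usr/share with unconfined fallback, which is a large exec surface for a launcher abstraction; `@{user_bin_dirs}/** PUx` similarly grants unconfined fallback for everything under user-writable bin directories. Both are probably intentional for a launcher, but neither carries a comment explaining the scope; a line such as `# Launchers start arbitrary .desktop entries, so any installed program must be executable; PUx falls back to unconfined only when no profile exists` above the block would document the trade-off. If the broader /usr/share glob was only needed for a few more directories, listing them the way `@{brave_path}` and `@{chrome_path}` are listed would keep the surface smaller.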


@ -8,51 +8,57 @@
# Ultimately, only sandbox manager such as like bwrap, snap, flatpak, firejail
# should be present here. Until this day, this profile will be a controlled mess.
abi <abi/4.0>,
# Sandbox managers
@{bin}/bwrap rPUx,
@{bin}/firejail rPUx,
@{bin}/flatpak rPUx,
@{bin}/snap rPUx,
@{bin}/bwrap PUx,
@{bin}/firejail PUx,
@{bin}/flatpak Px,
@{bin}/snap Px,
# Labeled programs
@{archive_viewers_path} rPUx,
@{browsers_path} rPx,
@{document_viewers_path} rPUx,
@{emails_path} rPUx,
@{file_explorers_path} rPx,
@{help_path} rPx,
@{image_viewers_path} rPUx,
@{offices_path} rPUx,
@{text_editors_path} rPUx,
@{archive_viewers_path} PUx,
@{browsers_path} Px,
@{document_viewers_path} PUx,
@{emails_path} PUx,
@{file_explorers_path} Px,
@{help_path} Px,
@{image_viewers_path} PUx,
@{offices_path} PUx,
@{text_editors_path} PUx,
# Others
@{bin}/blueman-tray rPx,
@{bin}/discord{,-ptb} rPx,
@{bin}/draw.io rPUx,
@{bin}/dropbox rPx,
@{bin}/element-desktop rPx,
@{bin}/extension-manager rPx,
@{bin}/filezilla rPx,
@{bin}/flameshot rPx,
@{bin}/gimp* rPUx,
@{bin}/gnome-calculator rPUx,
@{bin}/gnome-disk-image-mounter rPx,
@{bin}/gnome-disks rPx,
@{bin}/gwenview rPUx,
@{bin}/kgx rPx,
@{bin}/qbittorrent rPx,
@{bin}/qpdfview rPx,
@{bin}/smplayer rPx,
@{bin}/steam-runtime rPUx,
@{bin}/telegram-desktop rPx,
@{bin}/transmission-gtk rPx,
@{bin}/viewnior rPUx,
@{bin}/vlc rPUx,
@{bin}/xbrlapi rPx,
@{bin}/amule Px,
@{bin}/blueman-tray Px,
@{bin}/discord{,-ptb} Px,
@{bin}/draw.io PUx,
@{bin}/dropbox Px,
@{bin}/element-desktop Px,
@{bin}/extension-manager Px,
@{bin}/filezilla Px,
@{bin}/flameshot Px,
@{bin}/gimp* PUx,
@{bin}/gnome-calculator PUx,
@{bin}/gnome-disk-image-mounter Px,
@{bin}/gnome-disks Px,
@{bin}/gnome-software Px,
@{bin}/gwenview PUx,
@{bin}/kgx Px,
@{bin}/qbittorrent Px,
@{bin}/qpdfview Px,
@{bin}/smplayer Px,
@{bin}/steam-runtime PUx,
@{bin}/telegram-desktop Px,
@{bin}/transmission-gtk Px,
@{bin}/viewnior PUx,
@{bin}/vlc PUx,
@{bin}/xbrlapi Px,
#aa:only opensuse
@{lib}/YaST2/** rPUx,
@{lib}/YaST2/** PUx,
# Backup
@{lib}/deja-dup/deja-dup-monitor PUx,
include if exists <abstractions/app-open.d>
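Review bot: The hunk switches flatpak and snap from `rPUx` to `Px` while every other entry goes from `rPUx` to `PUx`, so the file now mixes two exec modes with nothing in the header stating which to use; a contributor adding an entry cannot tell that `Px` is expected when a profile exists in this repository and `PUx` only when it may not. A line in the header comment, e.g. `# Use Px when a profile exists in this repository; PUx only for programs that may have no profile installed.`, would make the intent checkable. The header still says only sandbox managers should be present here, which the growing list of application entries (amule, gnome-software and deja-dup-monitor are added in this hunk) contradicts; either the comment or the list deserves an update.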


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Minimal set of rules for dbus-send/dbus-launch.
abi <abi/4.0>,
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@{bin}/dbus-launch mix,
@{bin}/dbus-send mrix,
@{bin}/dbus-daemon Px -> dbus-session,
owner @{HOME}/.dbus/session-bus/@{hex}-@{int} w,
include if exists <abstractions/app/bus.d>
# vim:syntax=apparmor


@ -1,6 +1,7 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Full set of rules for all chromium based browsers. It works as a *function*
# and requires some variables to be provided as *arguments* and set in the
@ -16,6 +17,8 @@
# or abstractions/common/electron instead.
#
abi <abi/4.0>,
include <abstractions/audio-client>
include <abstractions/bus-session>
include <abstractions/bus-system>
@ -26,6 +29,8 @@
include <abstractions/bus/org.freedesktop.ScreenSaver>
include <abstractions/bus/org.freedesktop.secrets>
include <abstractions/bus/org.freedesktop.UPower>
include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
include <abstractions/bus/org.gnome.ScreenSaver>
include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/bus/org.kde.kwalletd>
include <abstractions/dconf-write>
@ -41,7 +46,7 @@
include <abstractions/user-read-strict>
include <abstractions/video>
# userns,
userns,
capability setgid,
capability setuid,
@ -127,7 +132,6 @@
owner @{user_config_dirs}/gtk-3.0/servers r,
owner @{user_share_dirs}/.@{domain}.@{rand6} rw,
owner @{user_cache_dirs}/gtk-3.0/**/*.cache r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{config_dirs}/ rw,
owner @{config_dirs}/** rwk,
@ -135,6 +139,10 @@
owner @{cache_dirs}/{,**} rw,
owner @{user_config_dirs}/kioslaverc r,
owner @{user_config_dirs}/menus/applications-merged/ r,
owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r,
# For importing data (bookmarks, cookies, etc) from Firefox
# owner @{HOME}/.mozilla/firefox/profiles.ini r,
# owner @{HOME}/.mozilla/firefox/*/ r,
@ -177,14 +185,15 @@
@{PROC}/ r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/statm r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/task/@{tid}/status r,
@{PROC}/pressure/{memory,cpu,io} r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/vmstat r,
owner @{PROC}/@{pid}/clear_refs w,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/limits r,
owner @{PROC}/@{pid}/mem r,
@ -192,12 +201,11 @@
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/statm r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
owner @{PROC}/@{pid}/uid_map w,
owner @{PROC}/@{pids}/clear_refs w,
owner @{PROC}/@{pids}/cmdline r,
owner @{PROC}/@{pids}/environ r,
owner @{PROC}/@{pids}/task/ r,
/dev/ r,
/dev/hidraw@{int} rw,
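Review bot: `userns,` is now granted unconditionally (the commented-out `# userns,` is removed) alongside `capability setgid` and `capability setuid`, but no comment remains saying why the browser needs to create user namespaces; a one-line note such as `# userns: needed by the browser's own sandbox helper — TODO confirm which layer` would tell a maintainer what breaks if it is revoked. The same silent enablement appears in the firefox abstraction later in this commit. The proc rules moving from `@{pid}` to `@{pids}` (`owner @{PROC}/@{pids}/environ r`, `cmdline`, `clear_refs`, `task/`) widen the stated intent from the process itself to any same-user process; `environ` in particular can hold credentials, so if the two tunables expand to the same pattern as their naming suggests this is documentation only, but if `@{pids}` is broader the environ read deserves its own justification. The abstraction continues beyond the hunk.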


@ -1,16 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Zane Zakraisek <zz@eng.utah.edu>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
abi <abi/4.0>,
include <abstractions/nameservice-strict>
include <abstractions/consoles>
@{sh_path} rix,
@{bin}/nvim mrix,
@{bin}/sensible-editor mr,
@{bin}/vim{,.*} mrix,
@{sh_path} rix,
@{bin}/which{,.debianutils} rix,
/usr/share/vim/{,**} r,
/usr/share/nvim/{,**} r,
/usr/share/terminfo/** r,
/usr/share/vim/{,**} r,
/etc/vimrc r,
/etc/vim/{,**} r,
@ -19,11 +26,11 @@
owner @{HOME}/.viminf@{c}{,.tmp} rw,
owner @{HOME}/.vimrc r,
# Vim swap file
owner @{HOME}/ r,
owner @{user_cache_dirs}/ r,
owner @{user_cache_dirs}/vim/{,**} rw,
owner @{user_config_dirs}/vim/{,**} r,
owner @{user_state_dirs}/nvim/{,**} rw,
include if exists <abstractions/app/editor.d>


@ -1,6 +1,7 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Full set of rules for all firefox based browsers. It works as a *function*
# and requires some variables to be provided as *arguments* and set in the
@ -12,11 +13,14 @@
# @{cache_dirs} = @{user_cache_dirs}/mozilla/
#
abi <abi/4.0>,
include <abstractions/audio-client>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.FileManager1>
include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/cups-client>
include <abstractions/dconf-write>
include <abstractions/desktop>
@ -27,10 +31,9 @@
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict>
include <abstractions/user-read-strict>
include <abstractions/uim>
# userns,
userns,
capability sys_admin, # If kernel.unprivileged_userns_clone = 1
capability sys_chroot, # If kernel.unprivileged_userns_clone = 1
@ -46,6 +49,8 @@
signal (send) set=(term, kill) peer=@{profile_name}-*,
#aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
@{sh_path} rix,
@{bin}/basename rix,
@{bin}/dirname rix,
@ -54,11 +59,9 @@
@{lib_dirs}/{,**} r,
@{lib_dirs}/*.so mr,
@{lib_dirs}/crashreporter rPx,
@{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest,
@{lib_dirs}/minidump-analyzer rPx,
@{lib_dirs}/pingsender rPx,
@{lib_dirs}/plugin-container rPx,
@{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest,
# Desktop integration
@{bin}/lsb_release rPx -> lsb_release,
@ -69,11 +72,12 @@
/usr/share/webext/{,**} r,
/usr/share/xul-ext/kwallet5/* r,
/etc/{,opensc/}opensc.conf r,
/etc/@{name}/{,**} r,
/etc/fstab r,
/etc/lsb-release r,
/etc/mailcap r,
/etc/mime.types r,
/etc/{,opensc/}opensc.conf r,
/etc/sysconfig/proxy r,
/etc/xdg/* r,
/etc/xul-ext/kwallet5.js r,
@ -96,7 +100,7 @@
owner @{tmp}/firefox/* rwk,
owner @{tmp}/Temp-@{uuid}/ rw,
owner @{tmp}/Temp-@{uuid}/* rwk,
owner @{tmp}/tmp-???.xpi rw,
owner @{tmp}/tmp-*.xpi rw,
owner @{tmp}/tmpaddon r,
owner @{tmp}/tmpaddon-@{int} r,
@ -104,8 +108,6 @@
owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,
@{run}/mount/utab r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@ -123,7 +125,7 @@
@{sys}/devices/power/events/energy-* r,
@{sys}/devices/power/type r,
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r,
@{PROC}/@{pid}/net/arp r,
@ -155,7 +157,6 @@
# Silencer
deny dbus send bus=system path=/org/freedesktop/hostname1,
deny /tmp/MozillaUpdateLock-* w,
deny owner @{HOME}/ r,
deny owner @{HOME}/.* r,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
deny @{run}/user/@{uid}/gnome-shell-disable-extensions w,
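Review bot: `@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r` drops the `owner` qualifier while the `user@@{uid}.service/**/cpu.max` line directly below keeps it, so two adjacent rules now follow different ownership assumptions with no comment explaining the difference. If the session-scope file is root-owned (so `owner` could never match), a short `# session scope is root-owned, no owner` on the line would record that; otherwise the two lines should agree. `owner @{tmp}/tmp-*.xpi rw` replaces the three-character `???` pattern and is broader but still owner-scoped. The `userns,` enablement in this file is covered by the note on the chromium abstraction above; the abstraction continues beyond the hunk.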


@ -1,10 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
abi <abi/4.0>,
include <abstractions/consoles>
@{bin}/kmod mr,
@{bin}/depmod mr,
@{bin}/insmod mr,
@{bin}/kmod mr,
@{bin}/lsmod mr,
@{bin}/modinfo mr,
@{bin}/modprobe mr,
@{bin}/rmmod mr,
@{lib}/modprobe.d/ r,
@{lib}/modprobe.d/*.conf r,
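Review bot: The abstraction now grants `mr` on `depmod`, `insmod`, `modprobe` and `rmmod` but carries no purpose line like the other new abstractions in this commit (`# Minimal set of rules for ...`), so it is unclear whether an including profile is expected to run these tools inline and which capability it must add itself; no `capability` rule appears in the visible lines. A header such as `# Minimal set of rules for the kmod tools (modprobe, insmod, rmmod, ...). Does not grant capability sys_module; the including profile must.` would make that contract explicit, assuming the capability really is left to the caller, which the hunk cannot confirm. The file may continue beyond the hunk.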


@ -1,9 +1,12 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Full set of rules for child-open-* profiles.
abi <abi/4.0>,
include <abstractions/desktop>
@{open_path} mrix,


@ -1,8 +1,11 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Minimal set of rules for pgrep.
# Minimal set of rules for pgrep/pkill.
abi <abi/4.0>,
include <abstractions/consoles>


@ -0,0 +1,41 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Minimal set of rules for pkexec.
abi <abi/4.0>,
include <abstractions/authentication>
include <abstractions/bus-system>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>
capability audit_write,
capability dac_override,
capability dac_read_search,
capability net_admin,
capability setgid,
capability setuid,
capability sys_ptrace,
capability sys_resource,
network netlink raw, # PAM
#aa:dbus talk bus=system name=org.freedesktop.PolicyKit1.Authority label=polkitd
@{bin}/pkexec mr,
/etc/shells r,
owner @{PROC}/@{pid}/loginuid r,
owner /dev/tty@{int} rw,
deny @{user_share_dirs}/gvfs-metadata/* r,
include if exists <abstractions/app/pkexec.d>
# vim:syntax=apparmor
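Review bot: This new abstraction grants `capability setuid`, `setgid`, `dac_override`, `dac_read_search`, `sys_ptrace`, `net_admin` and `sys_resource` to whatever profile includes it, and `@{bin}/pkexec mr` (no `Px`) means pkexec runs inside the including profile rather than in a dedicated one, so every include extends the caller's capability set to that of a setuid helper. The header `# Minimal set of rules for pkexec.` does not say this; a sentence such as `# Including this grants the setuid-helper capabilities below to the whole profile; prefer a Px transition to a pkexec profile where one exists.` would make the cost visible at the include site. `capability net_admin` has no explanatory comment (the `network netlink raw` line is annotated `# PAM`, but net_admin is not), and a note on why polkit authentication needs it, or a TODO to confirm, would help.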


@ -1,14 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Minimal set of rules for sudo. Interactive sudo need more rules.
abi <abi/4.0>,
include <abstractions/authentication>
include <abstractions/bus-system>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>
include <abstractions/devices-usb>
capability audit_write,
capability dac_override,
@ -48,6 +52,10 @@
owner @{HOME}/.sudo_as_admin_successful rw,
# yubikey support
owner @{HOME}/.yubico/challenge-* rw,
@{HOME}/.yubico/ r,
@{run}/faillock/ rw,
@{run}/faillock/@{user} rwk,
owner @{run}/sudo/ rw,
@ -57,8 +65,6 @@
@{PROC}/@{pid}/limits r,
@{PROC}/@{pid}/loginuid r,
@{PROC}/@{pid}/stat r,
@{PROC}/sys/kernel/cap_last_cap r,
@{PROC}/sys/kernel/ngroups_max r,
@{PROC}/sys/kernel/seccomp/actions_avail r,
/dev/ r,
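Review bot: `include <abstractions/devices-usb>` is added to the sudo abstraction, which gives every profile that includes this abstraction access to USB devices generally rather than just the security token, and the include carries no comment tying it to the yubikey rules further down. If the project provides a read-only or narrower USB abstraction that suffices for the challenge-response path, that would limit the exposure; otherwise a comment `# USB access for yubikey challenge-response` on the include line would at least document why it is there. `@{run}/faillock/@{user} rwk` and `@{HOME}/.yubico/ r` look right for pam_faillock and pam_yubico. Which `@{PROC}/sys/kernel/*` lines were removed cannot be told from the rendered hunk.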


@ -1,6 +1,9 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
abi <abi/4.0>,
include <abstractions/bus-system>
include <abstractions/consoles>


@ -1,6 +1,9 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
abi <abi/4.0>,
ptrace read peer=@{p_systemd},


@ -0,0 +1,14 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Do not use it manually, it is automatically included in profiles when it is required.
abi <abi/4.0>,
deny @{att}/apparmor/.null rw,
include if exists <abstractions/attached/base.d>
# vim:syntax=apparmor


@ -0,0 +1,13 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
abi <abi/4.0>,
@{att}/dev/tty@{int} rw,
owner @{att}/dev/pts/@{int} rw,
include if exists <abstractions/attached/consoles.d>
# vim:syntax=apparmor


@ -5,7 +5,9 @@
# Most programs do not need access to audio devices, audio-client only includes
# configuration files to be used by client applications.
/usr/share/alsa/** r,
abi <abi/4.0>,
/usr/share/alsa/{,**} r,
/usr/share/openal/hrtf/{,**} r,
/usr/share/pipewire/client-rt.conf r,
/usr/share/pipewire/client.conf r,
@ -17,7 +19,7 @@
/etc/libao.conf r,
/etc/openal/alsoft.conf r,
/etc/pipewire/client{,-rt}.conf r,
/etc/pipewire/client.conf.d/{,**} r,
/etc/pipewire/client{,-rt}.conf.d/{,**} r,
/etc/pulse/client.conf r,
/etc/pulse/client.conf.d/{,**} r,
/etc/wildmidi/wildmidi.cfg r,
@ -45,6 +47,7 @@
owner @{user_config_dirs}/pipewire/client.conf r,
owner @{user_share_dirs}/openal/hrtf/{,**} r,
owner @{user_share_dirs}/sounds/ r,
owner @{user_share_dirs}/sounds/__custom/index.theme r,
owner @{run}/user/@{uid}/pipewire-@{int} rw,


@ -5,12 +5,10 @@
# Provide access to audio devices. It should only be used by audio servers that
# need direct access to them.
abi <abi/4.0>,
include <abstractions/audio-client>
/usr/share/alsa/{,**} r,
/etc/alsa/conf.d/{,**} r,
@{run}/udev/data/+sound:card@{int} r, # for sound card
@{sys}/class/ r,


@ -4,7 +4,7 @@
@{bin}/pam-tmpdir-helper rPx,
#aa:exclude ubuntu opensuse
#aa:only abi3
@{bin}/unix_chkpwd rPx,
#aa:only whonix


@ -11,6 +11,7 @@
signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown,
signal (receive) set=(cont,term) peer=@{p_systemd_user},
signal (receive) set=(cont,term) peer=@{p_systemd},
signal (receive) set=(hup term) peer=login,
signal (receive) set=(hup) peer=xinit,
signal (receive) set=(term,kill) peer=gnome-shell,
signal (receive) set=(term,kill) peer=gnome-system-monitor,
@ -19,11 +20,15 @@
ptrace (readby) peer=systemd-coredump,
/usr/share/locale/ r,
@{etc_rw}/localtime r,
/etc/locale.conf r,
# mesa 24.2 introduced a shader disk cache which opens quite a lot of fd.
# They are not closed and get inherited by child programs. Denying it can cause
# crash, so we are allowing it globally while the issue is beeing fixed in mesa.
owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rw,
owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rw,
@{sys}/devices/system/cpu/possible r,
@{PROC}/sys/kernel/core_pattern r,
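Review bot: The mesa shader-cache rules (`owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rw` and the `.idx` line) are added to the global base abstraction with a comment describing them as a temporary workaround, but nothing marks them for removal or points at the upstream report, so the exception will outlive the bug. A `# TODO: remove once the mesa fd-inheritance issue is fixed upstream (see <mesa issue link placeholder>)` above the two rules would make the revert findable. The comment also has a typo (`beeing`). Owner-scoping keeps the rule limited to the user's own cache, so the risk is low; the concern is that it becomes permanent by accident.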


@ -5,6 +5,8 @@
# This abstraction is only required when an interactive shell is started.
# Classic shell scripts do not need it.
abi <abi/4.0>,
/usr/share/bash-completion/{,**} r,
/usr/share/terminfo/{,**} r,
@ -24,6 +26,7 @@
owner @{HOME}/.alias r,
owner @{HOME}/.bash_aliases r,
owner @{HOME}/.bash_complete r,
owner @{HOME}/.bash_history rw,
owner @{HOME}/.bash_profile r,
owner @{HOME}/.bashrc r,


@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=accessibility path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}


@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
unix (bind, listen) type=stream addr="@/tmp/dbus-*",
unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*",
unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-*"),


@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}


@ -4,6 +4,8 @@
# Access required for connecting to/communicating with the Unity Launcher
abi <abi/4.0>,
dbus send bus=session path=/com/canonical/unity/launcherentry/@{int}
interface=com.canonical.Unity.LauncherEntry
member=Update
@ -12,12 +14,12 @@
dbus receive bus=session path=/com/canonical/unity/launcherentry/@{int}
interface=com.canonical.dbusmenu
member={GetLayout,GetGroupProperties}
peer=(name=:*, label=gnome-shell),
peer=(name="@{busname}", label=gnome-shell),
dbus receive bus=session path=/com/canonical/unity/launcherentry/@{int}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gnome-shell),
peer=(name="@{busname}", label=gnome-shell),
include if exists <abstractions/bus/com.canonical.Unity.LauncherEntry.d>
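Review bot: Every `peer=(name=:*, ...)` in this file becomes `peer=(name="@{busname}", ...)`, and the same substitution runs through the wpa_supplicant, PowerProfiles, SwitcherooControl, Fprint, a11y, bluez, Accounts, Avahi, ColorManager and FileManager1 bus abstractions that follow; none of the visible hunks defines `@{busname}`, so the change only parses if the tunable ships in the same commit (presumably under the project's tunables directory). A comment at the first use naming where `@{busname}` is defined would help readers of the abstraction, and if `@{busname}` is narrower than `:*` (for example a `:1.@{int}`-style pattern) the commit description should say so, since any peer whose unique bus name does not match is newly denied.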


@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include if exists <abstractions/bus/com.canonical.dbusmenu.d>


@ -2,50 +2,52 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/fi/w1/wpa_supplicant1
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
peer=(name=:*, label=wpa-supplicant),
peer=(name="@{busname}", label=wpa-supplicant),
dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
interface=org.freedesktop.DBus.Properties
member={GetAll,Set}
peer=(name=:*, label=wpa-supplicant),
peer=(name="@{busname}", label=wpa-supplicant),
dbus send bus=system path=/fi/w1/wpa_supplicant1
interface=fi.w1.wpa_supplicant1.Interface
member=CreateInterface
peer=(name=:*, label=wpa-supplicant),
peer=(name="@{busname}", label=wpa-supplicant),
dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
interface=fi.w1.wpa_supplicant1.Interface
member={AddNetwork,Disconnect,RemoveNetwork,Scan,SelectNetwork}
peer=(name=:*, label=wpa-supplicant),
peer=(name="@{busname}", label=wpa-supplicant),
dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
interface=fi.w1.wpa_supplicant1.Interface.P2PDevice
member=Cancel
peer=(name=:*, label=wpa-supplicant),
peer=(name="@{busname}", label=wpa-supplicant),
dbus receive bus=system path=/org/freedesktop
interface=org.freedesktop.DBus.ObjectManager
member=InterfacesRemoved
peer=(name=:*, label=wpa-supplicant),
peer=(name="@{busname}", label=wpa-supplicant),
dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
interface=fi.w1.wpa_supplicant1.Interface
member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone,PropertiesChanged}
peer=(name=:*, label=wpa-supplicant),
peer=(name="@{busname}", label=wpa-supplicant),
dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
peer=(name=:*, label=wpa-supplicant),
peer=(name="@{busname}", label=wpa-supplicant),
dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}/BSSs/@{int}
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
peer=(name=:*, label=wpa-supplicant),
peer=(name="@{busname}", label=wpa-supplicant),
include if exists <abstractions/bus/fi.w1.wpa_supplicant1.d>


@ -2,10 +2,12 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/net/hadess/PowerProfiles
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=power-profiles-daemon),
peer=(name="@{busname}", label=power-profiles-daemon),
include if exists <abstractions/bus/net.hadess.PowerProfiles.d>


@ -2,10 +2,12 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/net/hadess/SwitcherooControl
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=switcheroo-control),
peer=(name="@{busname}", label=switcheroo-control),
include if exists <abstractions/bus/net.hadess.SwitcherooControl.d>


@ -2,10 +2,12 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/net/reactivated/Fprint/Manager
interface=net.reactivated.Fprint.Manager
member={GetDevices,GetDefaultDevice}
peer=(name=:*, label=fprintd),
peer=(name="@{busname}", label=fprintd),
dbus send bus=system path=/net/reactivated/Fprint/Manager
interface=net.reactivated.Fprint.Manager


@ -2,12 +2,14 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
# Accessibility bus
dbus receive bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=EventListenerDeregistered
peer=(name=:*, label=at-spi2-registryd),
peer=(name="@{busname}", label=at-spi2-registryd),
dbus send bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
@ -22,7 +24,7 @@
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name=:*, label=at-spi2-registryd),
peer=(name="@{busname}", label=at-spi2-registryd),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket


@ -2,20 +2,22 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus receive bus=system path=/
interface=org.freedesktop.DBus.ObjectManager
member=InterfacesRemoved
peer=(name="{:*,org.bluez}", label=bluetoothd),
peer=(name="{@{busname},org.bluez}", label=bluetoothd),
dbus receive bus=system path=/org/bluez/hci@{int}{,/**}
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="{:*,org.bluez}", label=bluetoothd),
peer=(name="{@{busname},org.bluez}", label=bluetoothd),
dbus send bus=system path=/
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name="{:*,org.bluez}", label=bluetoothd),
peer=(name="{@{busname},org.bluez}", label=bluetoothd),
dbus send bus=system path=/org/bluez
interface=org.bluez.AgentManager@{int}
@ -30,7 +32,7 @@
dbus send bus=system path=/org/bluez/hci@{int}
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name="{:*,org.bluez}", label=bluetoothd),
peer=(name="{@{busname},org.bluez}", label=bluetoothd),
dbus send bus=system path=/org/bluez/hci@{int}
interface=org.bluez.BatteryProviderManager@{int}


@ -2,30 +2,32 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/Accounts
interface=org.freedesktop.Accounts
member={FindUserByName,ListCachedUsers}
peer=(name=:*, label=accounts-daemon),
peer=(name="@{busname}", label=accounts-daemon),
dbus send bus=system path=/org/freedesktop/Accounts{,/User@{uid}}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=accounts-daemon),
peer=(name="@{busname}", label=accounts-daemon),
dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
interface=org.freedesktop.Accounts.User
member=*Changed
peer=(name=:*, label=accounts-daemon),
peer=(name="@{busname}", label=accounts-daemon),
dbus receive bus=system path=/org/freedesktop/Accounts
interface=org.freedesktop.Accounts
member=UserAdded
peer=(name=:*, label=accounts-daemon),
peer=(name="@{busname}", label=accounts-daemon),
dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
interface=org.freedesktop.DBus.Properties
member=*Changed
peer=(name=:*, label=accounts-daemon),
peer=(name="@{busname}", label=accounts-daemon),
include if exists <abstractions/bus/org.freedesktop.Accounts.d>


@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/
interface=org.freedesktop.DBus.Peer
member=Ping
@ -20,7 +22,7 @@
dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
interface=org.freedesktop.Avahi.ServiceBrowser
member={ItemNew,AllForNow,CacheExhausted}
peer=(name=:*, label=avahi-daemon),
peer=(name="@{busname}", label=avahi-daemon),
include if exists <abstractions/bus/org.freedesktop.Avahi.d>


@ -2,25 +2,27 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.ColorManager
member=GetDevices
peer=(name=:*, label=colord),
peer=(name="@{busname}", label=colord),
dbus send bus=system path=/org/freedesktop/ColorManager{,/**}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=colord),
peer=(name="@{busname}", label=colord),
dbus send bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.ColorManager
member=CreateDevice
peer=(name=:*, label=colord),
peer=(name="@{busname}", label=colord),
dbus receive bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.ColorManager
member={DeviceAdded,DeviceRemoved}
peer=(name=:*, label=colord),
peer=(name="@{busname}", label=colord),
include if exists <abstractions/bus/org.freedesktop.ColorManager.d>


@ -2,15 +2,17 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/freedesktop/FileManager1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=nautilus),
peer=(name="@{busname}", label=nautilus),
dbus receive bus=session path=/org/freedesktop/FileManager1
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=nautilus),
peer=(name="@{busname}", label=nautilus),
include if exists <abstractions/bus/org.freedesktop.FileManager1.d>


@ -2,10 +2,12 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=geoclue),
peer=(name="@{busname}", label=geoclue),
dbus send bus=system path=/org/freedesktop/GeoClue2/Agent
interface=org.freedesktop.DBus.Properties
@ -15,22 +17,22 @@
dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=geoclue),
peer=(name="@{busname}", label=geoclue),
dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=geoclue),
peer=(name="@{busname}", label=geoclue),
dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
interface=org.freedesktop.GeoClue2.Manager
member=AddAgent
peer=(name=:*, label=geoclue),
peer=(name="@{busname}", label=geoclue),
dbus receive bus=system path=/org/freedesktop/GeoClue2/Manager
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=geoclue),
peer=(name="@{busname}", label=geoclue),
include if exists <abstractions/bus/org.freedesktop.GeoClue2.d>
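Review bot: The first rule of the second hunk duplicates the opening rule of the file verbatim — both read `dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.DBus.Properties member=GetAll peer=(name="@{busname}", label=geoclue),` — so one of the two can be deleted without changing what the abstraction allows. Redundant rules in a shared abstraction make audits slower because a reviewer has to confirm that both really grant the same thing before trusting either.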


@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/ModemManager1
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
@ -10,12 +12,12 @@
dbus send bus=system path=/org/freedesktop/ModemManager1
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name=:*, label=ModemManager),
peer=(name="@{busname}", label=ModemManager),
dbus send bus=system path=/org/freedesktop/ModemManager1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=ModemManager),
peer=(name="@{busname}", label=ModemManager),
include if exists <abstractions/bus/org.freedesktop.ModemManager1.d>


@ -2,75 +2,67 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager
dbus send bus=system path=/org/freedesktop/NetworkManager{,/**}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
member={Get,GetAll}
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member={GetDevices,GetPermissions}
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager/Settings
interface=org.freedesktop.NetworkManager.Settings
member=ListConnections
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int}
interface=org.freedesktop.NetworkManager.Settings.Connection
member=GetSettings
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager/Devices/@{int}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop
interface=org.freedesktop.DBus.ObjectManager
member=InterfacesAdded
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**}
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=CheckPermissions
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=CheckPermissions
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged}
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager/Settings/@{int}
interface=org.freedesktop.NetworkManager.Settings.Connection
member=Updated
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
include if exists <abstractions/bus/org.freedesktop.NetworkManager.d>
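Review bot: The receive rule `interface=org.freedesktop.DBus.Properties member=CheckPermissions` in the middle of the hunk can never match a real message, since the standard Properties interface only defines Get, Set, GetAll and PropertiesChanged; CheckPermissions is presumably the org.freedesktop.NetworkManager signal, and the rule just below with `interface=org.freedesktop.NetworkManager member=CheckPermissions` is in turn subsumed by the following `member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged}` rule. Dropping both dead rules leaves the allowed set unchanged and makes the abstraction easier to audit. Separately, the new `dbus send bus=system path=/org/freedesktop/NetworkManager{,/**}` with `member={Get,GetAll}` now covers every object below NetworkManager rather than the three paths it replaces; a one-line comment such as `# Properties on the manager and on every device/connection/settings object` would record that the widening is intended.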


@ -2,20 +2,22 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gjs-console),
peer=(name="@{busname}", label=gjs-console),
dbus send bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member={GetCapabilities,GetServerInformation,Notify}
peer=(name=:*, label=gjs-console),
peer=(name="@{busname}", label=gjs-console),
dbus receive bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member={GetAll,NotificationClosed,CloseNotification}
peer=(name=:*, label=gjs-console),
peer=(name="@{busname}", label=gjs-console),
dbus receive bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
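Review bot: The members `GetCapabilities`, `GetServerInformation` and `Notify` in the second rule and `NotificationClosed`/`CloseNotification` in the third are methods and signals of the org.freedesktop.Notifications interface, yet both rules name `interface=org.freedesktop.DBus.Properties`, which only carries Get, Set, GetAll and PropertiesChanged; as written they look like they match nothing, so the Notify call the abstraction is meant to permit would presumably not be covered. The send rule should read `dbus send bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.Notifications member={GetCapabilities,GetServerInformation,Notify} peer=(name="@{busname}", label=gjs-console),`, and the receive rule likewise `interface=org.freedesktop.Notifications member=NotificationClosed`; where `CloseNotification` (a method a client sends, not receives) belongs is unclear from here and worth checking against a real log. The last rule of the hunk continues outside it.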


@ -2,10 +2,12 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=packagekitd),
peer=(name="@{busname}", label=packagekitd),
dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.DBus.Introspectable


@ -2,15 +2,17 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
member=Changed
peer=(name=:*, label=polkitd),
peer=(name="@{busname}", label=polkitd),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=polkitd),
peer=(name="@{busname}", label=polkitd),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
@ -20,7 +22,7 @@
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
member=CheckAuthorization
peer=(name=:*, label=polkitd),
peer=(name="@{busname}", label=polkitd),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
member=CheckAuthorization
@ -29,7 +31,7 @@
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=:*, label=polkitd),
peer=(name="@{busname}", label=polkitd),
include if exists <abstractions/bus/org.freedesktop.PolicyKit1.d>


@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.DBus.Properties
member=Get
@ -10,12 +12,12 @@
dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name=:*, label=rtkit-daemon),
peer=(name="@{busname}", label=rtkit-daemon),
dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.RealtimeKit1
member=MakeThread*
peer=(name=:*, label=rtkit-daemon),
peer=(name="@{busname}", label=rtkit-daemon),
dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.RealtimeKit1


@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/ScreenSaver
interface=org.freedesktop.ScreenSaver
member={Inhibit,UnInhibit}


@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
interface=org.freedesktop.DBus.Peer
member=Ping


@ -2,55 +2,57 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/UDisks2
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus send bus=system path=/org/freedesktop/UDisks2/**
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus send bus=system path=/
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus send bus=system path=/
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*}
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*}
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus receive bus=system path=/org/freedesktop/UDisks2
interface=org.freedesktop.DBus.ObjectManager
member=InterfacesAdded
peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus receive bus=system path=/org/freedesktop/UDisks2/jobs/@{int}
interface=org.freedesktop.UDisks2.Job
member=Completed
peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus receive bus=system path=/org/freedesktop/UDisks2/block_devices/*
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
include if exists <abstractions/bus/org.freedesktop.UDisks2.d>


@ -2,15 +2,17 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=EnumerateDevices
peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
dbus send bus=system path=/org/freedesktop/UPower{,/**}
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
dbus send bus=system path=/org/freedesktop/UPower{,/**}
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
@ -24,22 +26,22 @@
dbus send bus=system path=/org/freedesktop/UPower/devices/*
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
dbus send bus=system path=/org/freedesktop/UPower/devices/*
dbus send bus=system path=/org/freedesktop/UPower{,/**}
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
dbus receive bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=DeviceAdded
peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
dbus receive bus=system path=/org/freedesktop/UPower/devices/*
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
include if exists <abstractions/bus/org.freedesktop.UPower.d>


@ -2,15 +2,17 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/freedesktop/background/monitor
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=xdg-desktop-portal),
peer=(name="@{busname}", label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/background/monitor
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=xdg-desktop-portal),
peer=(name="@{busname}", label=xdg-desktop-portal),
include if exists <abstractions/bus/org.freedesktop.background.Monitor.d>


@ -2,10 +2,12 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{:*,org.freedesktop.hostname1}", label=systemd-hostnamed),
peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed),
dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties


@ -2,15 +2,17 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=xdg-permission-store),
peer=(name="@{busname}", label=xdg-permission-store),
dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
interface=org.freedesktop.impl.portal.PermissionStore
member=Lookup
peer=(name=:*, label=xdg-permission-store),
peer=(name="@{busname}", label=xdg-permission-store),
include if exists <abstractions/bus/org.freedesktop.impl.portal.PermissionStore.d>


@ -2,10 +2,12 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/locale1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=systemd-localed),
peer=(name="@{busname}", label=systemd-localed),
dbus send bus=system path=/org/freedesktop/locale1
interface=org.freedesktop.DBus.Properties
member=GetAll


@ -2,30 +2,32 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus receive bus=system path=/org/freedesktop/login1
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID}
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus receive bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareFor*}
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.login1.Session


@ -2,40 +2,42 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member=GetSession
peer=(name=:*, label=systemd-logind),
peer=(name="@{busname}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1{,session/*,seat/*}
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name=:*, label=systemd-logind),
peer=(name="@{busname}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.login1.Session
member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint}
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1/seat/*
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus receive bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=systemd-logind),
peer=(name="@{busname}", label=systemd-logind),
dbus receive bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.login1.Session
member={PauseDevice,Unlock}
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
include if exists <abstractions/bus/org.freedesktop.login1.Session.d>
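Review bot: The path in the Introspect rule, `/org/freedesktop/login1{,session/*,seat/*}`, expands to `/org/freedesktop/login1session/*` and `/org/freedesktop/login1seat/*` because the alternatives lack the leading slash, so introspection of session and seat objects is not actually permitted; it should read `dbus send bus=system path=/org/freedesktop/login1{,/session/*,/seat/*}`. The hunk also mixes two peer-name forms for the same daemon — `name="@{busname}"` in the GetSession, session Properties and PropertiesChanged rules versus `name="{@{busname},org.freedesktop.login1}"` in the others; if the bare form only matches the unique connection name, sends addressed to the well-known name org.freedesktop.login1 under those rules would presumably be denied, so the two forms are worth aligning deliberately rather than leaving the split to chance.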


@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/network1
interface=org.freedesktop.DBus.Properties
member=Get


@ -2,30 +2,32 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties
member={Get,GetAll,Read}
peer=(name="{:*,org.freedesktop.portal.Desktop}", label=xdg-desktop-portal),
peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Settings
member={Read,ReadAll}
peer=(name=:*, label=xdg-desktop-portal),
peer=(name="@{busname}", label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Settings
member=SettingChanged
peer=(name=:*, label=xdg-desktop-portal),
peer=(name="@{busname}", label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name=:*, label=xdg-desktop-portal),
peer=(name="@{busname}", label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.impl.portal.Settings
member={Read,ReadAll}
peer=(name=:*, label=xdg-desktop-portal),
peer=(name="@{busname}", label=xdg-desktop-portal),
include if exists <abstractions/bus/org.freedesktop.portal.Desktop.d>
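Review bot: The first rule lists `member={Get,GetAll,Read}` under `interface=org.freedesktop.DBus.Properties`, but Read is a method of org.freedesktop.portal.Settings (already covered by the next rule), not of the Properties interface, so that member looks like a leftover and can be dropped: `member={Get,GetAll}`. As in the login1.Session abstraction, the peer name here mixes `"{@{busname},org.freedesktop.portal.Desktop}"` in the first rule with bare `"@{busname}"` in the others; if the bare form matches only unique connection names, the Settings Read/ReadAll send addressed to the well-known name would presumably not match, so at least that rule should probably use the combined form. The last rule receives `org.freedesktop.impl.portal.Settings` Read/ReadAll, which appears to be the backend-side interface; a short comment naming the includer that needs to receive it would help, since an abstraction for portal clients is otherwise send-only on that interface.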


@ -2,10 +2,12 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/resolve1
interface=org.freedesktop.resolve1.Manager
member={SetLink*,ResolveHostname}
peer=(name="{:*,org.freedesktop.resolve1}", label=systemd-resolved),
peer=(name="{@{busname},org.freedesktop.resolve1}", label=systemd-resolved),
include if exists <abstractions/bus/org.freedesktop.resolve1.d>


@ -2,15 +2,17 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/freedesktop/secrets{,/**}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gnome-keyring-daemon),
peer=(name="@{busname}", label=gnome-keyring-daemon),
dbus send bus=session path=/org/freedesktop/secrets
interface=org.freedesktop.Secret.Service
member={OpenSession,GetSecrets,SearchItems,ReadAlias}
peer=(name=:*, label=gnome-keyring-daemon),
peer=(name="@{busname}", label=gnome-keyring-daemon),
dbus send bus=session path=/org/freedesktop/secrets/aliases/default
interface=org.freedesktop.Secret.Collection
@ -20,12 +22,12 @@
dbus receive bus=session path=/org/freedesktop/secrets/collection/login
interface=org.freedesktop.Secret.Collection
member=ItemCreated
peer=(name=:*, label=gnome-keyring-daemon),
peer=(name="@{busname}", label=gnome-keyring-daemon),
dbus receive bus=session path=/org/freedesktop/secrets/collection/login
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=gnome-keyring-daemon),
peer=(name="@{busname}", label=gnome-keyring-daemon),
include if exists <abstractions/bus/org.freedesktop.secrets.d>
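Review bot: Because this abstraction grants `member={OpenSession,GetSecrets,SearchItems,ReadAlias}` on org.freedesktop.Secret.Service, any profile that includes it obtains read access to items stored in the keyring, which is a considerably larger grant than the neighbouring bus abstractions make; a header comment stating that would help profile authors decide whether inclusion is justified. Suggested wording after the abi line: `# Full Secret Service client access (including GetSecrets); include only in profiles that legitimately read keyring items.`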


@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}


@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
@ -10,12 +12,12 @@
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{:*,org.freedesktop.systemd1}", label="@{p_systemd_user}"),
peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"),
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=GetUnit
peer=(name="{:*,org.freedesktop.systemd1}", label="@{p_systemd_user}"),
peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"),
include if exists <abstractions/bus/org.freedesktop.systemd1-session.d>


@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/timedate1
interface=org.freedesktop.DBus.Properties
member=Get
@ -16,7 +18,7 @@
dbus send bus=system path=/org/freedesktop/timedate1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=systemd-timedated),
peer=(name="@{busname}", label=systemd-timedated),
include if exists <abstractions/bus/org.freedesktop.timedate1.d>


@ -2,15 +2,17 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/gnome/ArchiveManager1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=file-roller),
peer=(name="@{busname}", label=file-roller),
dbus send bus=session path=/org/gnome/ArchiveManager1
interface=org.gnome.ArchiveManager1
member=GetSupportedTypes
peer=(name=:*, label=file-roller),
peer=(name="@{busname}", label=file-roller),
include if exists <abstractions/bus/org.gnome.ArchiveManager1.d>


@ -2,10 +2,12 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/gnome/DisplayManager/Manager
interface=org.gnome.DisplayManager.Manager
member=RegisterDisplay
peer=(name=:*, label=gdm),
peer=(name="@{busname}", label=gdm),
include if exists <abstractions/bus/org.gnome.DisplayManager.d>


@ -2,30 +2,32 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
interface=org.gnome.Mutter.DisplayConfig
member={GetResources,GetCrtcGamma}
peer=(name=:*, label=gnome-shell),
peer=(name="@{busname}", label=gnome-shell),
dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
interface=org.gnome.Mutter.DisplayConfig
member=GetCurrentState
peer=(name="{:*,org.gnome.Mutter.DisplayConfig}", label=gnome-shell),
peer=(name="{@{busname},org.gnome.Mutter.DisplayConfig}", label=gnome-shell),
dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
peer=(name=:*, label=gnome-shell),
peer=(name="@{busname}", label=gnome-shell),
dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=gnome-shell),
peer=(name="@{busname}", label=gnome-shell),
dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig
interface=org.gnome.Mutter.DisplayConfig
member=MonitorsChanged
peer=(name=:*, label=gnome-shell),
peer=(name="@{busname}", label=gnome-shell),
include if exists <abstractions/bus/org.gnome.Mutter.DisplayConfig.d>
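Review bot: The third rule sends `member={GetAll,PropertiesChanged}` on org.freedesktop.DBus.Properties, but PropertiesChanged is a signal emitted by the service and is already covered by the receive rule that follows; a client profile sending it is unusual, so unless some includer really emits that signal the send side should be narrowed to `member=GetAll`. The hunk also mixes `"{@{busname},org.gnome.Mutter.DisplayConfig}"` for GetCurrentState with bare `"@{busname}"` for GetResources/GetCrtcGamma on the same interface and peer; if the bare form only matches unique names, the latter calls would presumably fail when addressed by the well-known name, so the two rules should be aligned.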


@ -2,20 +2,22 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/gnome/Mutter/IdleMonitor
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name=:*, label=gnome-shell),
peer=(name="@{busname}", label=gnome-shell),
dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core
interface=org.gnome.Mutter.IdleMonitor
member={AddIdleWatch,AddUserActiveWatch,RemoveWatch}
peer=(name=:*, label=gnome-shell),
peer=(name="@{busname}", label=gnome-shell),
dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core
interface=org.gnome.Mutter.IdleMonitor
member=WatchFired
peer=(name=:*, label=gnome-shell),
peer=(name="@{busname}", label=gnome-shell),
include if exists <abstractions/bus/org.gnome.Mutter.IdleMonitor.d>


@ -2,20 +2,22 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/gnome/Nautilus/FileOperations2
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=nautilus),
peer=(name="@{busname}", label=nautilus),
dbus send bus=session path=/org/gnome/Nautilus/FileOperations2
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=:*, label=nautilus),
peer=(name="@{busname}", label=nautilus),
dbus receive bus=session path=/org/gnome/Nautilus/FileOperations2
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=nautilus),
peer=(name="@{busname}", label=nautilus),
include if exists <abstractions/bus/org.gnome.Nautilus.FileOperations2.d>


@ -2,20 +2,22 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/gnome/ScreenSaver
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gjs-console),
peer=(name="@{busname}", label=gjs-console),
dbus send bus=session path=/org/gnome/ScreenSaver
interface=org.gnome.ScreenSaver
member=GetActive
peer=(name=:*, label=gjs-console),
peer=(name="@{busname}", label=gjs-console),
dbus receive bus=session path=/org/gnome/ScreenSaver
interface=org.gnome.ScreenSaver
member={ActiveChanged,WakeUpScreen}
peer=(name=:*, label=gjs-console),
peer=(name="@{busname}", label=gjs-console),
include if exists <abstractions/bus/org.gnome.ScreenSaver.d>


@ -4,10 +4,12 @@
# FIXME: Too large, restrict it.
abi <abi/4.0>,
dbus send bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member={RegisterClient,IsSessionRunning}
peer=(name=:*, label=gnome-session-binary),
peer=(name="@{busname}", label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
@ -17,42 +19,42 @@
dbus receive bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded}
peer=(name=:*, label=gnome-session-binary),
peer=(name="@{busname}", label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gnome-session-binary),
peer=(name="@{busname}", label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=gnome-session-binary),
peer=(name="@{busname}", label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
interface=org.gnome.SessionManager.ClientPrivate
member=EndSessionResponse
peer=(name=:*, label=gnome-session-binary),
peer=(name="@{busname}", label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager/Client@{int}
interface=org.gnome.SessionManager.ClientPrivate
member={CancelEndSession,QueryEndSession,EndSession,Stop}
peer=(name=:*, label=gnome-session-binary),
peer=(name="@{busname}", label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gnome-session-binary),
peer=(name="@{busname}", label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager/Client@{int}
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=gnome-session-binary),
peer=(name="@{busname}", label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager/Presence
interface=org.gnome.SessionManager.Presence
member=StatusChanged
peer=(name=:*, label=gnome-session-binary),
peer=(name="@{busname}", label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager
interface=org.freedesktop.DBus.Introspectable


@ -2,10 +2,12 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/gnome/Shell/Introspect
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gnome-shell),
peer=(name="@{busname}", label=gnome-shell),
dbus send bus=session path=/org/gnome/Shell/Introspect
interface=org.freedesktop.DBus.Properties
@ -15,17 +17,17 @@
dbus send bus=session path=/org/gnome/Shell/Introspect
interface=org.gnome.Shell.Introspect
member=GetRunningApplications
peer=(name=:*, label=gnome-shell),
peer=(name="@{busname}", label=gnome-shell),
dbus receive bus=session path=/org/gnome/Shell/Introspect
interface=org.gnome.Shell.Introspect
member={RunningApplicationsChanged,WindowsChanged}
peer=(name=:*, label=gnome-shell),
peer=(name="@{busname}", label=gnome-shell),
dbus receive bus=session path=/org/gnome/Shell/Introspect
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=gnome-shell),
peer=(name="@{busname}", label=gnome-shell),
include if exists <abstractions/bus/org.gnome.Shell.Introspect.d>


@ -2,20 +2,22 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
interface=org.gtk.Private.RemoteVolumeMonitor
member={List,IsSupported,VolumeChanged,VolumeMount,MountAdded}
peer=(name=:*, label=gvfs-*-volume-monitor),
peer=(name="@{busname}", label=gvfs-*-volume-monitor),
dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
interface=org.gtk.Private.RemoteVolumeMonitor
member={MountAdded,MountChanged,VolumeChanged,VolumeRemoved}
peer=(name=:*, label=gvfs-*-volume-monitor),
peer=(name="@{busname}", label=gvfs-*-volume-monitor),
dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
interface=org.gtk.Private.RemoteVolumeMonitor
member={VolumeAdded,DriveDisconnected,DriveConnected,DriveChanged}
peer=(name=:*, label=gvfs-*-volume-monitor),
peer=(name="@{busname}", label=gvfs-*-volume-monitor),
include if exists <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor.d>


@ -2,10 +2,12 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/gtk/vfs/Daemon
interface=org.gtk.vfs.Daemon
member={GetConnection,ListMonitorImplementations,ListMountableInfo}
peer=(name=:*, label=gvfsd),
peer=(name="@{busname}", label=gvfsd),
include if exists <abstractions/bus/org.gtk.vfs.Daemon.d>


@ -2,15 +2,17 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/gtk/vfs/metadata
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gvfsd-metadata),
peer=(name="@{busname}", label=gvfsd-metadata),
dbus receive bus=session path=/org/gtk/vfs/metadata
interface=org.gtk.vfs.Metadata
member=AttributeChanged
peer=(name=:*, label=gvfsd-metadata),
peer=(name="@{busname}", label=gvfsd-metadata),
include if exists <abstractions/bus/org.gtk.vfs.Metadata.d>


@ -2,20 +2,22 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=ListMountableInfo
peer=(name=:*, label=gvfsd),
peer=(name="@{busname}", label=gvfsd),
dbus send bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=ListMounts2
peer=(name=:*, label=gvfsd),
peer=(name="@{busname}", label=gvfsd),
dbus receive bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=Mounted
peer=(name=:*, label=gvfsd),
peer=(name="@{busname}", label=gvfsd),
include if exists <abstractions/bus/org.gtk.vfs.MountTracker.d>


@ -2,6 +2,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include if exists <abstractions/bus/org.kde.StatusNotifierItem.d>


@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties
member=Get


@ -2,6 +2,8 @@
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include if exists <abstractions/bus/org.kde.kwalletd.d>
# vim:syntax=apparmor


@ -9,6 +9,8 @@
# applications (bwrap) that have no way to restrict access depending on the
# application being confined.
abi <abi/4.0>,
include <abstractions/audio-client>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
@ -20,7 +22,7 @@
include <abstractions/devices-usb>
include <abstractions/disks-read>
include <abstractions/enchant>
include <abstractions/fontconfig-cache-read>
include <abstractions/fontconfig-cache-write>
include <abstractions/graphics>
include <abstractions/gstreamer>
include <abstractions/nameservice-strict>
@ -54,25 +56,32 @@
@{MOUNTDIRS}/ r,
@{MOUNTS}/ r,
@{MOUNTS}/** rwl,
owner @{HOME}/ r,
owner @{HOME}/.var/app/** rmix,
owner @{HOME}/{,**} rwlk,
owner @{run}/user/@{uid}/{,**} rw,
owner @{user_config_dirs}/** rwkl,
owner @{user_share_dirs}/** rwkl,
owner @{user_games_dirs}/{,**} rm,
owner @{HOME}/** rwlk -> @{HOME}/**,
owner @{run}/user/@{uid}/ r,
owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**,
owner @{user_games_dirs}/** rm,
owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**,
owner @{tmp}/** rmwk,
owner /dev/shm/** rwlk -> /dev/shm/**,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.
@{run}/host/{,**} r,
@{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket.
@{run}/utmp rk,
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{sys}/ r,
@{sys}/block/ r,
@{sys}/bus/ r,
@{sys}/bus/*/devices/ r,
@{sys}/bus/pci/slots/ r,
@{sys}/bus/pci/slots/@{int}/address r,
@{sys}/class/*/ r,
@{sys}/devices/** r,
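Review bot: The rule `@{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.` has a typo in the path, so it never matches and the access its comment promises is not granted, while the line reads as if it were. It should be `@{run}/avahi-daemon/socket rw,` if that access is really wanted, or dropped if it is not; the rendered view does not show whether the line is new or context, but it is part of the rule set under review either way. Separately, the new `owner @{HOME}/** rwlk -> @{HOME}/**,` form pins link targets, which is an improvement over the removed `owner @{HOME}/{,**} rwlk,`, and the same `-> target` treatment could be applied to `owner @{user_config_dirs}/** rwkl,` and `owner @{user_share_dirs}/** rwkl,` in this hunk for consistency. The first hunk of this section starts before the include block shown here.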


@ -3,6 +3,8 @@
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,


@ -7,7 +7,9 @@
# - the flag: attach_disconnected
# - bwrap execution: '@{bin}/bwrap rix,'
# userns,
abi <abi/4.0>,
userns,
capability net_admin,
capability setpcap,
@ -42,15 +44,16 @@
owner /tmp/newroot/ w,
owner /tmp/oldroot/ w,
@{att}/@{PROC}/sys/user/max_user_namespaces rw,
owner @{att}/@{PROC}/@{pid}/cgroup r,
owner @{att}/@{PROC}/@{pid}/gid_map rw,
owner @{att}/@{PROC}/@{pid}/mountinfo r,
owner @{att}/@{PROC}/@{pid}/setgroups rw,
owner @{att}/@{PROC}/@{pid}/uid_map rw,
@{PROC}/sys/kernel/overflowgid r,
@{PROC}/sys/kernel/overflowuid r,
@{PROC}/sys/user/max_user_namespaces rw,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/gid_map rw,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/setgroups rw,
owner @{PROC}/@{pid}/uid_map rw,
include if exists <abstractions/common/bwrap.d>
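Review bot: `@{PROC}/sys/user/max_user_namespaces rw,` and its `@{att}/` twin grant write access to a kernel sysctl from an abstraction that every bwrap-using profile includes, which is a broad grant for a limit a sandboxed launcher normally only reads. If bwrap only needs to read the limit, `@{PROC}/sys/user/max_user_namespaces r,` is sufficient; if a write is genuinely required, a comment on the line saying by whom and why (e.g. `# written by … when …`) would stop the next reviewer from tightening it blindly. The newly added `userns,` is already explained by the header comment, so the same treatment for this line would keep the file self-describing. The hunk ends with the include, but its opening lines are outside this view.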


@ -6,7 +6,9 @@
# This abstraction is for chromium based application. Chromium based browsers
# need to use abstractions/chromium instead.
# userns,
abi <abi/4.0>,
userns,
capability setgid, # If kernel.unprivileged_userns_clone = 1
capability setuid, # If kernel.unprivileged_userns_clone = 1
@ -26,10 +28,10 @@
/var/tmp/ r,
owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
owner @{tmp}/.org.chromium.Chromium.@{rand6}/{,**} rw,
owner @{tmp}/scoped_dir*/ rw,
owner @{tmp}/scoped_dir*/SingletonCookie w,
owner @{tmp}/scoped_dir*/SingletonSocket w,
owner @{tmp}/scoped_dir*/SS w,
owner @{tmp}/scoped_dir@{rand6}/ rw,
owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w,
owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w,
owner @{tmp}/scoped_dir@{rand6}/SS w,
/dev/shm/ r,
owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,


@ -12,13 +12,15 @@
# @{cache_dirs} = @{user_cache_dirs}/@{name}
#
abi <abi/4.0>,
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
# userns,
userns,
capability setgid, # If kernel.unprivileged_userns_clone = 1
capability setuid, # If kernel.unprivileged_userns_clone = 1
@ -26,6 +28,7 @@
capability sys_chroot,
capability sys_ptrace,
@{bin}/electron rix,
@{bin}/electron@{int} rix,
@{lib}/electron@{int}/{,**} r,
@{lib}/electron@{int}/electron rix,
@ -50,7 +53,8 @@
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
owner @{user_share_dirs}/.org.chromium.Chromium.* rw,
owner @{user_config_dirs}/electron-flags.conf r,
owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw,
owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
owner @{tmp}/.org.chromium.Chromium.@{rand6}/ rw,
@ -61,6 +65,7 @@
owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w,
owner @{tmp}/scoped_dir@{rand6}/SS w,
/dev/shm/ r,
owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
@{sys}/devices/system/cpu/kernel_max r,
@ -86,6 +91,8 @@
owner @{PROC}/@{pid}/task/@{tid}/status r,
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
deny @{user_share_dirs}/gvfs-metadata/* r,
include if exists <abstractions/common/electron.d>
# vim:syntax=apparmor


@ -0,0 +1,119 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Core set of resources for any games on Linux. Runtimes such as sandboxing,
# wine, proton, game launchers should use this abstraction.
# This abstraction uses the following tunables:
# - @{XDG_GAMESSTUDIO_DIR} for game studio and game engines specific directories
# (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d")
# - @{user_games_dirs} for user specific game directories (eg: steam storage dir)
abi <abi/4.0>,
include <abstractions/audio-client>
include <abstractions/desktop>
include <abstractions/devices-usb>
include <abstractions/fontconfig-cache-write>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
@{bin}/uname rix,
@{bin}/xdg-settings rPx,
@{browsers_path} rPx,
@{bin}/env r,
@{lib}/ r,
/ r,
/home/ r,
/usr/ r,
/usr/local/ r,
/usr/local/lib/ r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner @{HOME}/ r,
owner @{user_games_dirs}/ r,
owner @{user_games_dirs}/*/ r,
owner @{user_games_dirs}/*/** rwlk,
owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
@{tmp}/ r,
owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
owner @{tmp}/#@{int} rw,
owner @{tmp}/AsyncGPUReadbackPlugin_*.log w,
owner @{tmp}/CASESENSITIVETEST@{hex32} rw,
owner @{tmp}/crashes/ rw,
owner @{tmp}/crashes/** rwk,
owner @{tmp}/miles_image_@{rand6} mrw,
owner @{tmp}/runtime-info.txt.@{rand6} rw,
owner @{tmp}/tmp@{rand6}.tmp rw,
owner @{tmp}/tmp@{rand6}@{h}.tmp rw,
owner @{tmp}/tmp@{rand8}.tmp rw,
owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
owner /dev/shm/mono.@{int} rw,
owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{sys}/ r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/hidraw/ r,
@{sys}/class/input/ r,
@{sys}/devices/ r,
@{sys}/devices/@{pci}/boot_vga r,
@{sys}/devices/@{pci}/net/*/carrier r,
@{sys}/devices/**/input@{int}/ r,
@{sys}/devices/**/input@{int}/**/{vendor,product} r,
@{sys}/devices/**/input@{int}/capabilities/* r,
@{sys}/devices/**/input/input@{int}/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/system/ r,
@{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r,
@{sys}/devices/system/cpu/cpu@{int}/ r,
@{sys}/devices/virtual/dmi/id/* r,
@{sys}/devices/virtual/net/*/carrier r,
@{sys}/kernel/ r,
@{sys}/fs/cgroup/user.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
@{PROC}/uptime r,
@{PROC}/version r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/pagemap r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
/dev/ r,
/dev/hidraw@{int} rw,
/dev/input/ r,
/dev/input/event@{int} rw,
/dev/input/js@{int} rw,
/dev/tty rw,
/dev/uinput rw,
include if exists <abstractions/common/game.d>
# vim:syntax=apparmor
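Review bot: `/dev/uinput rw,` and `/dev/input/event@{int} rw,` in a base abstraction described as "for any games on Linux" give every including profile the ability to create virtual input devices and raw access to every evdev node, which is considerably more than most titles need and is not explained anywhere in the file. A comment naming the runtimes that require it (presumably controller-remapping layers) would document the decision, e.g. `/dev/uinput rw, # virtual input devices for controller remapping; only needed by launchers`, or the two rules could live in the launcher profiles that actually need them. Also, `owner @{user_games_dirs}/*/** rwlk,` permits links with any target, whereas the gnome abstraction in this same commit uses the `rwlk -> <same tree>/**` form; `owner @{user_games_dirs}/*/** rwlk -> @{user_games_dirs}/*/**,` would be consistent with it.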


@ -4,25 +4,35 @@
# Minimal set of rules for all gnome based UI application.
abi <abi/4.0>,
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/bus/org.a11y>
include <abstractions/dconf-write>
include <abstractions/gnome-strict>
include <abstractions/graphics>
@{open_path} rPx -> child-open-help,
/usr/share/@{profile_name}/{,**} r,
/ r,
owner @{user_cache_dirs}/@{profile_name}/ rw,
owner @{user_cache_dirs}/@{profile_name}/** rwlk,
owner @{user_cache_dirs}/@{profile_name}/** rwlk -> @{user_cache_dirs}/@{profile_name}/**,
owner @{user_config_dirs}/@{profile_name}/ rw,
owner @{user_config_dirs}/@{profile_name}/** rwlk,
owner @{user_config_dirs}/@{profile_name}/** rwlk -> @{user_config_dirs}/@{profile_name}/**,
owner @{user_share_dirs}/@{profile_name}/ rw,
owner @{user_share_dirs}/@{profile_name}/** rwlk,
owner @{user_share_dirs}/@{profile_name}/** rwlk -> @{user_share_dirs}/@{profile_name}/**,
@{sys}/fs/cgroup/user.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
include if exists <abstractions/common/gnome.d>


@ -2,45 +2,15 @@
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
include <abstractions/audio-client>
include <abstractions/desktop>
include <abstractions/devices-usb>
include <abstractions/fontconfig-cache-write>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
abi <abi/4.0>,
@{bin}/uname rix,
@{bin}/xdg-settings rPx,
@{browsers_path} rPx,
@{bin}/env r,
include <abstractions/common/game>
@{lib_dirs}/ r,
@{lib}/ r,
/ r,
/home/ r,
/usr/ r,
/usr/local/ r,
/usr/local/lib/ r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner @{HOME}/ r,
owner @{HOME}/.steam/steam.pid r,
owner @{HOME}/.steam/steam.pipe r,
owner @{user_games_dirs}/ r,
owner @{user_games_dirs}/*/ r,
owner @{user_games_dirs}/*/{,**} rwkl,
owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
owner @{app_dirs}/ r,
owner @{app_dirs}/[^S]*/** rwlk, # No access to "SteamLinuxRuntime_sniper"
@ -56,19 +26,6 @@
owner @{share_dirs}/steamapps/appmanifest_* rw,
owner @{share_dirs}/steamapps/shadercache/{,**} rwk,
@{tmp}/ r,
owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
owner @{tmp}/#@{int} rw,
owner @{tmp}/CASESENSITIVETEST@{hex32} rw,
owner @{tmp}/crashes/ rw,
owner @{tmp}/crashes/** rwk,
owner @{tmp}/miles_image_@{rand6} mrw,
owner @{tmp}/runtime-info.txt.@{rand6} rw,
owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
owner /dev/shm/mono.@{int} rw,
owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw,
owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw,
owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
@ -76,53 +33,6 @@
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
owner /dev/shm/ValveIPCSHM_@{uid} rw,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{sys}/ r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/hidraw/ r,
@{sys}/class/input/ r,
@{sys}/devices/ r,
@{sys}/devices/@{pci}/boot_vga r,
@{sys}/devices/@{pci}/net/*/carrier r,
@{sys}/devices/**/input@{int}/ r,
@{sys}/devices/**/input@{int}/**/{vendor,product} r,
@{sys}/devices/**/input@{int}/capabilities/* r,
@{sys}/devices/**/input/input@{int}/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/system/ r,
@{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r,
@{sys}/devices/system/cpu/cpu@{int}/ r,
@{sys}/devices/virtual/dmi/id/* r,
@{sys}/devices/virtual/net/*/carrier r,
@{sys}/kernel/ r,
@{sys}/fs/cgroup/user.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
@{PROC}/uptime r,
@{PROC}/version r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/pagemap r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
/dev/ r,
/dev/hidraw@{int} rw,
/dev/input/ r,
/dev/input/event@{int} rw,
/dev/tty rw,
/dev/uinput rw,
include if exists <abstractions/common/steam-game.d>
# vim:syntax=apparmor
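Review bot: Replacing the inlined rules with `include <abstractions/common/game>` does not reproduce the removed set exactly: as far as this rendered view shows, common/game additionally grants `/dev/input/js@{int} rw,`, `owner @{tmp}/AsyncGPUReadbackPlugin_*.log w,` and the `owner @{tmp}/tmp@{rand6}.tmp`-style rules, none of which appear among the lines removed here, so the effective permission set of steam-game grows with this refactor. That may well be intended, but a short comment at the include (`# common/game is a superset of the former inline rules; see that file for input-device access`) or a line in the commit message would make the widening explicit. Conversely, the move from `owner @{user_games_dirs}/*/{,**} rwkl,` to the `/*/ r` plus `/*/** rwlk` pair in common/game tightens directory access, which is worth noting as well.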


@ -3,6 +3,8 @@
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
ptrace read peer=@{p_systemd},
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,


@ -5,6 +5,8 @@
# Permissions for querying dconf settings with write access; use the dconf
# abstraction first, and dconf-write only for specific application's profile.
abi <abi/4.0>,
dbus send bus=session path=/ca/desrt/dconf/Writer/user
interface=ca.desrt.dconf.Writer
member=Change
@ -20,6 +22,7 @@
/etc/dconf/** r,
owner @{user_config_dirs}/dconf/user r,
owner @{user_config_dirs}/glib-2.0/settings/keyfile rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,


@ -0,0 +1,7 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
owner @{user_config_dirs}/glib-2.0/settings/keyfile r,
# vim:syntax=apparmor
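Review bot: This new 7-line abstraction is the only file in the commit without an `abi <abi/4.0>,` line, while every other abstraction touched here gains one; for consistency and so the rule is parsed under the same ABI as its siblings, add `abi <abi/4.0>,` after the license header. The file also lacks the `include if exists <abstractions/<this-file-name>.d>` trailer that the sibling abstractions carry for local overrides; if that omission is deliberate, a comment saying so would prevent it from being "fixed" later. The file name is not visible in this view, hence the placeholder.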


@ -11,42 +11,58 @@
# The only legitimate use in this project is for file browser and search engine.
deny @{HOME}/.*.bak mrwkl,
deny @{HOME}/.*.swp mrwkl,
deny @{HOME}/.*~ mrwkl,
deny @{HOME}/.*~1~ mrwkl,
abi <abi/4.0>,
# User defined private directories
deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk,
deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk,
deny @{user_private_dirs}/{,**} mrxwlk,
# Files with secret paswords and tokens
deny @{HOME}/.*age*{,/{,**}} mrwkl,
deny @{HOME}/.*aws*{,/{,**}} mrwkl,
deny @{HOME}/.*cert*{,/{,**}} mrwkl,
deny @{HOME}/.*history mrwkl,
deny @{HOME}/.*key*{,/{,**}} mrwkl,
deny @{HOME}/.*pass*{,/{,**}} mrwkl,
deny @{HOME}/.*pki*{,/{,**}} mrwkl,
deny @{HOME}/.*private*{,/{,**}} mrwkl,
deny @{HOME}/.*secret*{,/{,**}} mrwkl,
deny @{HOME}/.*yubi*{,/{,**}} mrwkl,
deny @{HOME}/.fetchmail* mrwkl,
deny @{HOME}/.lesshst* mrwkl,
deny @{HOME}/.mozilla/{,**} mrwkl,
deny @{HOME}/.mutt* mrwkl,
deny @{HOME}/.thunderbird/{,**} mrwkl,
deny @{HOME}/.viminfo* mrwkl,
deny @{HOME}/.wget-hsts mrwkl,
deny @{HOME}/.aws/{,**} mrwkl,
deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
deny @{HOME}/@{XDG_GPG_DIR}/{,**} mrwkl,
deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl,
deny @{run}/user/@{uid}/keyring** mrwkl,
deny @{user_config_dirs}/*-store/{,**} mrwkl,
deny @{user_config_dirs}/chromium/{,**} mrwkl,
deny @{user_password_store_dirs}/{,**} mrwkl,
deny @{user_share_dirs}/kwalletd/{,**} mrwkl,
# User defined private directories
deny @{user_private_dirs}/{,**} mrxwlk,
deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk,
deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk,
# Privacy violations
deny @{HOME}/.*.bak mrwkl,
deny @{HOME}/.*.swp mrwkl,
deny @{HOME}/.*~ mrwkl,
deny @{HOME}/.*~1~ mrwkl,
deny @{HOME}/.*history mrwkl,
deny @{HOME}/.evolution/{,**} mrwkl,
deny @{HOME}/.fetchmail* mrwkl,
deny @{HOME}/.gnome2_private/{,**} mrwkl,
deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
deny @{HOME}/.lesshst* mrwkl,
deny @{HOME}/.mozilla/{,**} mrwkl,
deny @{HOME}/.mutt** mrwkl,
deny @{HOME}/.thunderbird/{,**} mrwkl,
deny @{HOME}/.viminfo* mrwkl,
deny @{HOME}/.wget-hsts mrwkl,
deny @{user_config_dirs}/chromium/{,**} mrwkl,
deny @{user_config_dirs}/evolution/{,**} mrwkl,
# Deny executable mapping in writable space as allowed in abstractions/fonts
deny @{HOME}/.{,cache/}fontconfig/ rw,
deny @{HOME}/.{,cache/}fontconfig/** mrwl,
deny @{HOME}/.{,cache/}fontconfig/ rw,
deny @{HOME}/.{,cache/}fontconfig/** mrwl,
# special attention to (potentially) executable files
deny @{HOME}/bin wl,
deny @{HOME}/bin/{,**} wl,
include if exists <abstractions/deny-sensitive-home.d>
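Review bot: The new substring globs `deny @{HOME}/.*age*{,/{,**}} mrwkl,`, `.*key*`, `.*pass*`, `.*cert*` and `.*private*` match any dot-entry in the home directory whose name contains that substring, not only the credential stores they are aimed at (`.sage` or a `.keyboard-*` directory would be caught by the first two, for example). Because an explicit `deny` overrides every allow rule in the including profile and is not logged unless written as `audit deny`, a collateral match shows up as a silent, hard-to-diagnose failure in a file browser rather than as a denial in the audit log. A comment above the group listing the intended matches, or using `audit deny` for these broad patterns during rollout, would make the coverage reviewable; the narrower explicit rules (`.aws/`, `.gnome2/keyrings/`, `@{XDG_SSH_DIR}/`) are unaffected.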


@ -7,12 +7,15 @@
# When supported in apparmor, condition will be used in this abstraction to filter
# resources specific for supported DE.
abi <abi/4.0>,
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/qt5>
include <abstractions/wayland>
include <abstractions/X-strict>
include <abstractions/xdg-desktop>
# if @{DE} == gnome
@ -22,13 +25,17 @@
peer=(name=:*, label=gnome-shell),
/usr/{local/,}share/ r,
/usr/{local/,}share/glib-@{int}.@{int}/schemas/** r,
/usr/{local/,}share/glib-@{version}/schemas/** r,
/usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r,
/etc/gnome/* r,
/etc/xdg/{,*-}mimeapps.list r,
/var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
/var/cache/gio-@{version}/gnome-mimeapps.list r,
/ r, # deny?
owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
# else if @{DE} == kde
@ -36,14 +43,27 @@
@{lib}/kde{,3,4}/plugins/*/ r,
@{lib}/kde{,3,4}/plugins/*/*.so mr,
/usr/share/knotifications{5,6}/*.notifyrc r,
/etc/xdg/baloofilerc r,
/etc/xdg/kcminputrc r,
/etc/xdg/kdeglobals r,
/etc/xdg/kwinrc r,
owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/ksycoca{5,6}_??_* rwlk,
owner @{user_config_dirs}/baloofilerc r,
owner @{user_config_dirs}/dolphinrc r,
owner @{user_config_dirs}/kcminputrc r,
owner @{user_config_dirs}/kdedefaults/ r,
owner @{user_config_dirs}/kdedefaults/kcminputrc r,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/kwinrc r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwinrc r,
owner @{user_config_dirs}/trashrc r,
# else if @{DE} == xfce
@ -54,14 +74,10 @@
# end
/usr/share/desktop-base/{,**} r,
/usr/share/hwdata/*.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
owner @{HOME}/.local/ rw,
owner @{user_cache_dirs}/ rw,
owner @{user_config_dirs}/ rw,
owner @{user_share_dirs}/ rw,
include if exists <abstractions/desktop.d>
# vim:syntax=apparmor
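Review bot: `/usr/share/icu/@{int}.@{int}/*.dat r,` still spells the version as `@{int}.@{int}` while the same file's glib and gio rules are changed to `@{version}` in the earlier hunks, leaving the file using two idioms for the same thing; `/usr/share/icu/@{version}/*.dat r,` would match the new style, assuming `@{version}` covers the two-component form that the glib rule relied on. The rule `/ r, # deny?` also carries an open question in a shipped abstraction — either resolve it or reword it as a statement of what was decided, e.g. `# kept: gio enumerates / when resolving mimeapps`, if that is the reason it stays. The section's first hunk starts before the `abi` line shown here.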


@ -3,6 +3,8 @@
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
/dev/ r,
/dev/bus/usb/ r,
/dev/bus/usb/@{int}/ r,


@ -5,6 +5,8 @@
# The /sys/ entries probably should be tightened
abi <abi/4.0>,
/dev/ r,
/dev/block/ r,
/dev/disk/{,*/} r,
@ -88,7 +90,7 @@
@{run}/udev/data/b230:@{int} r, # for /dev/zvol*
@{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254
@{run}/udev/data/b25[0-4]:@{int} r,
@{run}/udev/data/b259:@{int} r,
@{run}/udev/data/b259:@{int} r, # Block Extended Major
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**


@ -5,6 +5,8 @@
# The /sys/ entries probably should be tightened
abi <abi/4.0>,
/dev/ r,
/dev/block/ r,
/dev/disk/{,*/} r,
@ -88,7 +90,7 @@
@{run}/udev/data/b230:@{int} r, # for /dev/zvol*
@{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254
@{run}/udev/data/b25[0-4]:@{int} r,
@{run}/udev/data/b259:@{int} r,
@{run}/udev/data/b259:@{int} r, # Block Extended Major
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**


@ -6,6 +6,8 @@
# Linux graphics stack which allows unprivileged user-space programs to issue
# commands to graphics hardware without conflicting with other programs.
abi <abi/4.0>,
@{lib}/dri/** mr,
@{lib}/@{multiarch}/dri/** mr,
@{lib}/fglrx/dri/** mr,


@ -5,6 +5,8 @@
# This abstraction is only required when an interactive shell is started.
# Classic shell scripts do not need it.
abi <abi/4.0>,
/usr/share/fish/{,**} r,
/etc/fish/{,**} r,


@ -9,6 +9,8 @@
# fontconfig cache if some cache files are missing, so if this behavior is desirable, you can use
# the "fontconfig-cache-write" abstraction.
abi <abi/4.0>,
owner @{user_cache_dirs}/fontconfig/ r,
deny @{user_cache_dirs}/fontconfig/ w,
deny @{user_cache_dirs}/fontconfig/** w,


@ -3,6 +3,8 @@
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
owner @{user_cache_dirs}/fontconfig/ rw,
owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,
owner @{user_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk,
