felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): use the new @{tmp} variable.

Browse source 
It is only used with the owner statement.
This commit is contained in:
Alexandre Pujol 2024-05-02 22:12:02 +01:00
parent 0bbbe71422
commit 3f69b9fec4
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
257 changed files with 668 additions and 685 deletions
Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/groups/gnome/epiphany-search-provider
View file

@ -31,8 +31,8 @@ profile epiphany-search-provider @{exec_path} {
owner @{user_cache_dirs}/epiphany/{,**} rwk,
owner @{user_share_dirs}/epiphany/{,**} rwk,
owner /tmp/ContentRuleList@{rand6} rw,
owner /tmp/Serialized* rw,
owner @{tmp}/ContentRuleList@{rand6} rw,
owner @{tmp}/Serialized* rw,
@{sys}/devices/virtual/dmi/id/chassis_type r,
@{sys}/firmware/acpi/pm_profile r,

2
apparmor.d/groups/gnome/gdm-xsession
View file

@ -59,7 +59,7 @@ profile gdm-xsession @{exec_path} {
/etc/default/im-config r,
/etc/X11/{,**} r,
owner /tmp/gdm{3,}-config-err-@{rand6} rw,
owner @{tmp}/gdm{3,}-config-err-@{rand6} rw,
/dev/tty@{int} rw,

2
apparmor.d/groups/gnome/gio-launch-desktop
View file

@ -26,7 +26,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/{,**} rw,
owner /tmp/wl-copy-buffer-@{rand6}/stdin r,
owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r,
@{run}/mount/utab r,

2
apparmor.d/groups/gnome/gnome-control-center
View file

@ -127,7 +127,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw,
owner @{user_share_dirs}/icc/{,edid-*} r,
owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw,
owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw,
@{run}/cups/cups.sock rw,
@{run}/samba/ rw,

8
apparmor.d/groups/gnome/gnome-desktop-thumbnailers
View file

@ -22,10 +22,10 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) {
owner @{user_cache_dirs}/gnome-desktop-thumbnailer/{,**} rw,
owner /tmp/flatpak-seccomp-@{rand6} rw,
owner /tmp/gnome-desktop-file-to-thumbnail.* r,
owner /tmp/gnome-desktop-thumbnailer.png w,
owner /tmp/gsf-thumbnailer-@{rand6} rw,
owner @{tmp}/flatpak-seccomp-@{rand6} rw,
owner @{tmp}/gnome-desktop-file-to-thumbnail.* r,
owner @{tmp}/gnome-desktop-thumbnailer.png w,
owner @{tmp}/gsf-thumbnailer-@{rand6} rw,
include if exists <local/gnome-desktop-thumbnailers>
}

2
apparmor.d/groups/gnome/gnome-disk-image-mounter
View file

@ -18,7 +18,7 @@ profile gnome-disk-image-mounter @{exec_path} {
# Allow to mount user files
owner @{HOME}/{,**} r,
owner @{MOUNTS}/{,**} r,
owner /tmp/*/{,**} r,
owner @{tmp}/*/{,**} r,
@{run}/mount/utab r,

2
apparmor.d/groups/gnome/gnome-music
View file

@ -47,7 +47,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/inhibit/[0-9]*.ref rw,
owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,
owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw,
owner /var/tmp/etilqs_@{hex} rw,
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,

4
apparmor.d/groups/gnome/gnome-shell
View file

@ -285,8 +285,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/tmp/.X@{int}-lock rw,
/tmp/dbus-@{rand8} rw,
owner /tmp/@{rand6}.shell-extension.zip rw,
owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw,
owner @{tmp}/@{rand6}.shell-extension.zip rw,
owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw,
@{run}/systemd/users/@{uid} r,
@{run}/systemd/seats/seat@{int} r,

10
apparmor.d/groups/gnome/gnome-software
View file

@ -86,9 +86,9 @@ profile gnome-software @{exec_path} {
owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**,
owner @{user_share_dirs}/gnome-software/{,**} rw,
owner /tmp/ostree-gpg-*/ rw,
owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
owner /tmp/#@{int} rw,
owner @{tmp}/ostree-gpg-*/ rw,
owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
owner @{tmp}/#@{int} rw,
owner @{run}/user/@{uid}/.dbus-proxy/ rw,
owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-@{rand6} rw,
@ -121,8 +121,8 @@ profile gnome-software @{exec_path} {
@{HOME}/@{XDG_GPG_DIR}/*.conf r,
owner /tmp/ostree-gpg-*/ r,
owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
owner @{tmp}/ostree-gpg-*/ r,
owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
owner @{run}/user/@{uid}/gnupg/ w,

2
apparmor.d/groups/gnome/gnome-terminal-server
View file

@ -56,7 +56,7 @@ profile gnome-terminal-server @{exec_path} {
owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
owner /tmp/#@{int} rw,
owner @{tmp}/#@{int} rw,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/cgroup r,

2
apparmor.d/groups/gnome/kgx
View file

@ -32,7 +32,7 @@ profile kgx @{exec_path} {
@{open_path} rPx -> child-open-help,
owner /tmp/#@{int} rw,
owner @{tmp}/#@{int} rw,
@{PROC}/ r,
@{PROC}/@{pids}/cmdline r,

2
apparmor.d/groups/gnome/nautilus
View file

@ -92,7 +92,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
@{MOUNTS}/** rw,
owner @{HOME}/{,**} rw,
owner @{run}/user/@{uid}/{,**} rw,
owner /tmp/{,**} rw,
owner @{tmp}/{,**} rw,
# Silence non user's data
deny /boot/{,**} r,

4
apparmor.d/groups/gnome/tracker-extract
View file

@ -63,13 +63,13 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
# Allow to search user files
owner @{HOME}/{,**} r,
owner @{MOUNTS}/{,**} r,
owner /tmp/*/{,**} r,
owner @{tmp}/*/{,**} r,
owner @{user_cache_dirs}/tracker3/ w,
owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
owner @{user_share_dirs}/gvfs-metadata/** r,
owner /tmp/tracker-extract-3-files.*/{,*} rw,
owner @{tmp}/tracker-extract-3-files.*/{,*} rw,
@{run}/blkid/blkid.tab r,

2
apparmor.d/groups/gnome/tracker-miner
View file

@ -70,7 +70,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
# Allow to search user files
owner @{HOME}/{,**} r,
owner @{MOUNTS}/{,**} r,
owner /tmp/*/{,**} r,
owner @{tmp}/*/{,**} r,
owner @{user_cache_dirs}/tracker3/ rw,
owner @{user_cache_dirs}/tracker3/files/{,**} rwk,