feat(profile): update flatpak profiles.

Alexandre Pujol 2025-03-29 13:05:56 +01:00
parent 2e5c860f0d
commit 414d8a3a47
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
2 changed files with 19 additions and 3 deletions


@ -9,9 +9,11 @@ include <tunables/global>
@{exec_path} = @{bin}/flatpak @{exec_path} = @{bin}/flatpak
profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) { profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-accessibility>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.Accounts> include <abstractions/bus/org.a11y>
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/desktop> include <abstractions/desktop>
@ -37,6 +39,10 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
signal send peer=flatpak-app, signal send peer=flatpak-app,
#aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper
#aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
#aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd
@{exec_path} mr, @{exec_path} mr,
@{bin}/bwrap rPx -> flatpak-app, @{bin}/bwrap rPx -> flatpak-app,
@ -46,6 +52,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
@{bin}/gpgsm rCx -> gpg, @{bin}/gpgsm rCx -> gpg,
@{lib}/revokefs-fuse rix, @{lib}/revokefs-fuse rix,
@{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
@{lib}/polkit-agent-helper-[0-9] rPx,
/usr/share/flatpak/{,**} r, /usr/share/flatpak/{,**} r,
/etc/flatpak/{,**} r, /etc/flatpak/{,**} r,
@ -57,7 +66,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
/var/tmp/#@{int} rw, /var/tmp/#@{int} rw,
/var/tmp/flatpak-cache-@{rand6}/{,**/} r, /var/tmp/flatpak-cache-@{rand6}/{,**/} r,
owner /var/tmp/flatpak-cache-@{rand6}/{,**} rwk, owner /var/tmp/flatpak-cache-@{rand6}/ rw,
owner /var/tmp/flatpak-cache-@{rand6}/** rwlk -> /var/tmp/flatpak-cache-@{rand6}/**,
owner @{HOME}/.var/ w, owner @{HOME}/.var/ w,
owner @{HOME}/.var/app/{,**} rw, owner @{HOME}/.var/app/{,**} rw,
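Review bot: The new system-bus directives in the second hunk, `#aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon` and `#aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd`, look broader than the access used elsewhere in this commit. The first hunk drops `include <abstractions/bus/org.freedesktop.Accounts>` in favour of the directive, while flatpak-system-helper reaches polkit through `include <abstractions/bus/org.freedesktop.PolicyKit1>`. The expansion of `#aa:dbus talk` is not visible on this page; if it allows send and receive on every interface of the name, prefer the abstraction where it suffices, or add a comment above each directive naming the calls that need the wider rule. The profile still carries `complain`, so any widening here would only take effect once that flag is dropped, which makes it easy to miss.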


@ -9,12 +9,15 @@ include <tunables/global>
@{exec_path} = @{lib}/flatpak-system-helper @{exec_path} = @{lib}/flatpak-system-helper
profile flatpak-system-helper @{exec_path} { profile flatpak-system-helper @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.PolicyKit1>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/p11-kit> include <abstractions/p11-kit>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
capability chown, capability chown,
capability dac_override, capability dac_override,
capability dac_read_search,
capability fowner, capability fowner,
capability net_admin, capability net_admin,
capability setgid, capability setgid,
@ -22,7 +25,7 @@ profile flatpak-system-helper @{exec_path} {
capability sys_nice, capability sys_nice,
capability sys_ptrace, capability sys_ptrace,
ptrace (read), ptrace read,
#aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper
@ -48,6 +51,9 @@ profile flatpak-system-helper @{exec_path} {
owner /{var/,}tmp/ostree-gpg-@{rand6}/ rw, owner /{var/,}tmp/ostree-gpg-@{rand6}/ rw,
owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
/tmp/remote-summary-sig.@{rand6} r,
/tmp/remote-summary.@{rand6} r,
@{PROC}/@{pid}/stat r, @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/fdinfo/@{int} r,
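Review bot: The two rules added in the last hunk, `/tmp/remote-summary-sig.@{rand6} r,` and `/tmp/remote-summary.@{rand6} r,`, have no `owner` qualifier and hard-code `/tmp/`, whereas the ostree-gpg rules just above them use `owner` with `/{var/,}tmp/` or `@{tmp}`. If these files are written by the calling user's flatpak process and only read by the helper, dropping `owner` is presumably deliberate, but that should be stated in a comment such as `# written by the unprivileged caller, hence no owner`. Using `@{tmp}/remote-summary{,-sig}.@{rand6} r,` would also keep the path handling consistent with the neighbouring rule; this profile has no `complain` flag, so a different temp location would be denied. Separately, `capability dac_read_search,` in the first hunk is added next to `dac_override`, and a short comment recording which access triggered it would help when the capability list is pruned later.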