added profiles for waybar and some hypr utilities

2024-07-14 19:20:54 -03:00 · 2024-07-14 19:20:54 -03:00 · 419ecb8b81
commit 419ecb8b81
parent 85ccc46e44
6 changed files with 213 additions and 0 deletions
--- a/apparmor.d/groups/hypr/hyprctl
+++ b/apparmor.d/groups/hypr/hyprctl
@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/hyprctl
+
+profile hyprctl /{,usr/}{,s}bin/hyprctl {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+
+  include if exists <local/hyprctl>
+}
+
+# vim:syntax=apparmor
+
--- a/apparmor.d/groups/hypr/hyprlock
+++ b/apparmor.d/groups/hypr/hyprlock
@ -0,0 +1,47 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/hyprlock
+
+profile hyprlock /{,usr/}{,s}bin/hyprlock {
+  include <abstractions/base>
+  include <abstractions/dri>
+  include <abstractions/fonts>
+  include <abstractions/mesa>
+  include <abstractions/nameservice-strict>
+  include <abstractions/opencl-mesa>
+  include <abstractions/vulkan>
+  include <abstractions/vulkan-strict>
+
+  capability audit_write,
+
+  network netlink raw,
+
+  @{exec_path} mr,
+  @{bin}/unix_chkpwd mrix,
+
+  /etc/login.defs r,
+  /etc/pam.d/* r,
+  /etc/security/faillock.conf r,
+  /etc/shells r,
+  owner /etc/shadow r,
+
+  owner @{XDG_PICTURES_DIR}/** r,
+  owner @{XDG_WALLPAPERS_DIR}/** r,
+
+  owner @{user_config_dirs}/hypr/hyprlock.conf r,
+
+  owner @{run}/faillock/@{user} rwk,
+
+  owner /dev/tty@{int} rw,
+
+  include if exists <local/hyprlock>
+}
+
+# vim:syntax=apparmor
+
--- a/apparmor.d/groups/hypr/hyprpaper
+++ b/apparmor.d/groups/hypr/hyprpaper
@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/hyprpaper
+
+profile hyprpaper /{,usr/}{,s}bin/hyprpaper flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+
+  /usr/share/icons/** r,
+
+  owner @{XDG_WALLPAPERS_DIR}/** r,
+
+  owner @{user_config_dirs}/hypr/hyprpaper.conf r,
+
+  owner @{run}/user/*/ r,
+  owner @{run}/user/*/.hyprpaper* rw,
+  owner @{run}/user/*/hypr/*/.hyprpaper.sock w,
+  owner @{run}/user/*/hyprpaper.lock rw,
+
+  include if exists <local/hyprpaper>
+}
+
+# vim:syntax=apparmor
+
--- a/apparmor.d/groups/hypr/hyprpicker
+++ b/apparmor.d/groups/hypr/hyprpicker
@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/hyprpicker
+
+profile hyprpicker /{,usr/}{,s}bin/hyprpicker {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+  @{bin}/wl-copy Px,
+
+  /usr/share/icons/** r,
+
+  owner @{run}/user/*/.hyprpicker* rw,
+
+  include if exists <local/hyprpicker>
+}
+
+# vim:syntax=apparmor
+
--- a/apparmor.d/groups/hypr/hyprpm
+++ b/apparmor.d/groups/hypr/hyprpm
@ -0,0 +1,43 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/hyprpm
+
+profile hyprpm /{,usr/}{,s}bin/hyprpm {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+  include <abstractions/ssl_certs>
+  include <abstractions/user-tmp>
+
+  network inet dgram,
+  network inet stream,
+  network inet6 dgram,
+
+  @{exec_path} mr,
+
+  @{bin}/** rix,
+  @{lib}/gcc/** rix,
+  @{lib}/gcc/*/*/** rix,
+  @{lib}/git-core/** rix,
+
+  /usr/include/** r,
+  /usr/share/git-core/** r,
+  /usr/share/pkgconfig/** r,
+
+  owner @{user_share_dirs}/hyprpm/ r,
+  owner @{user_share_dirs}/hyprpm/** rw,
+  owner @{user_share_dirs}/hyprpm/*/*/** rw,
+
+  /tmp/hyprpm/** rw,
+  /tmp/hyprpm/*/*/** rw,
+
+  include if exists <local/hyprpm>
+}
+
+# vim:syntax=apparmor
+
--- a/apparmor.d/profiles-s-z/waybar
+++ b/apparmor.d/profiles-s-z/waybar
@ -0,0 +1,45 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/waybar
+
+profile waybar /{,usr/}{,s}bin/waybar flags=(attach_disconnected) {
+  include <abstractions/audio>
+  include <abstractions/base>
+  include <abstractions/dconf-write>
+  include <abstractions/desktop>
+  include <abstractions/nameservice-strict>
+
+  network inet dgram,
+  network inet6 dgram,
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  @{bin}/** rPUx,
+  @{user_bin_dirs}/** rPUx,
+
+  /usr/share/icons/** r,
+  /usr/share/pixmaps/** r,
+
+  owner @{HOME}/.icons/** r,
+  owner @{HOME}/.themes/** r,
+
+  owner @{user_config_dirs}/waybar/config.jsonc r,
+  owner @{user_config_dirs}/waybar/style.css r,
+  owner @{user_config_dirs}/waybar/themes/** r,
+
+  owner @{user_share_dirs}/icons/** r,
+
+  owner /dev/tty@{int} rw,
+
+  include if exists <local/waybar>
+}
+
+# vim:syntax=apparmor
+