Merge branch 'roddhjav:main' into main
This commit is contained in:
Besanon
GitHub
commit
44aaf8ecc4
1532 changed files with 16559 additions and 7587 deletions
2
.github/local/needrestart
vendored
2
.github/local/needrestart
vendored
|
|
@ -1,2 +0,0 @@
|
||||||
|
|
||||||
/var/lib/waagent/** r,
|
|
||||||
52
.github/workflows/main.yml
vendored
52
.github/workflows/main.yml
vendored
|
|
@ -9,21 +9,25 @@ jobs:
|
||||||
- name: Check out repository code
|
- name: Check out repository code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Install linter dependencies
|
||||||
|
run: |
|
||||||
|
pipx install rust-just
|
||||||
|
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
||||||
|
|
||||||
- name: Run basic profile linter check
|
- name: Run basic profile linter check
|
||||||
run: |
|
run: |
|
||||||
make check
|
just check
|
||||||
|
|
||||||
build:
|
build:
|
||||||
runs-on: ${{ matrix.os }}
|
runs-on: ${{ matrix.os }}
|
||||||
needs: check
|
needs: check
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
os:
|
include:
|
||||||
- ubuntu-24.04
|
- os: ubuntu-24.04
|
||||||
- ubuntu-22.04
|
mode: default
|
||||||
mode:
|
- os: ubuntu-24.04
|
||||||
- default
|
mode: full-system-policy
|
||||||
- full-system-policy
|
|
||||||
steps:
|
steps:
|
||||||
- name: Check out repository code
|
- name: Check out repository code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
|
|
@ -34,12 +38,19 @@ jobs:
|
||||||
sudo apt-get install -y \
|
sudo apt-get install -y \
|
||||||
devscripts debhelper config-package-dev \
|
devscripts debhelper config-package-dev \
|
||||||
auditd apparmor-profiles apparmor-utils
|
auditd apparmor-profiles apparmor-utils
|
||||||
|
pipx install rust-just
|
||||||
|
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
||||||
sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real
|
sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real
|
||||||
|
|
||||||
- name: Build the apparmor.d package
|
- name: Build the apparmor.d package
|
||||||
run: |
|
run: |
|
||||||
if [[ ${{ matrix.mode }} == full-system-policy ]]; then
|
if [[ ${{ matrix.mode }} == full-system-policy ]]; then
|
||||||
echo -e "\noverride_dh_auto_build:\n\tmake full" >> debian/rules
|
sed -e "s/just complain/just fsp-complain/" -i debian/rules
|
||||||
|
fi
|
||||||
|
if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then
|
||||||
|
# Test with Re-attach disconnected path
|
||||||
|
sed -e 's;// builder.Register("attach");builder.Register("attach");' -i pkg/prebuild/cli/cli.go
|
||||||
|
sed -e '/@{att}/d' -i apparmor.d/tunables/multiarch.d/system
|
||||||
fi
|
fi
|
||||||
bash dists/build.sh dpkg
|
bash dists/build.sh dpkg
|
||||||
|
|
||||||
|
|
@ -48,13 +59,10 @@ jobs:
|
||||||
|
|
||||||
- name: Reload AppArmor
|
- name: Reload AppArmor
|
||||||
run: |
|
run: |
|
||||||
sudo systemctl restart apparmor.service || true
|
if ! sudo systemctl restart apparmor.service; then
|
||||||
sudo systemctl status apparmor.service
|
sudo journalctl -xeu apparmor.service
|
||||||
|
exit 1
|
||||||
- name: Ensure compatibility with some AppArmor userspace tools
|
fi
|
||||||
if: matrix.os != 'ubuntu-24.04'
|
|
||||||
run: |
|
|
||||||
sudo aa-enforce /etc/apparmor.d/aa-notify
|
|
||||||
|
|
||||||
- name: Show AppArmor log and rules
|
- name: Show AppArmor log and rules
|
||||||
run: |
|
run: |
|
||||||
|
|
@ -75,6 +83,7 @@ jobs:
|
||||||
tests:
|
tests:
|
||||||
runs-on: ubuntu-24.04
|
runs-on: ubuntu-24.04
|
||||||
needs: build
|
needs: build
|
||||||
|
if: github.ref == 'refs/heads/dev'
|
||||||
steps:
|
steps:
|
||||||
- name: Check out repository code
|
- name: Check out repository code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
|
|
@ -94,12 +103,15 @@ jobs:
|
||||||
sudo apt-get install -y \
|
sudo apt-get install -y \
|
||||||
apparmor-profiles apparmor-utils \
|
apparmor-profiles apparmor-utils \
|
||||||
bats bats-support
|
bats bats-support
|
||||||
sudo install -Dm0644 .github/local/needrestart /etc/apparmor.d/local/needrestart
|
pipx install rust-just
|
||||||
|
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
||||||
|
|
||||||
- name: Install apparmor.d
|
- name: Install apparmor.d
|
||||||
run: |
|
run: |
|
||||||
sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true
|
sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true
|
||||||
sudo systemctl restart apparmor.service
|
sudo systemctl restart apparmor.service
|
||||||
|
sudo systemctl daemon-reload
|
||||||
|
systemctl --user daemon-reload
|
||||||
|
|
||||||
- name: Restart some services to ensure they are confined
|
- name: Restart some services to ensure they are confined
|
||||||
run: |
|
run: |
|
||||||
|
|
@ -118,16 +130,18 @@ jobs:
|
||||||
for service in "${services[@]}"; do
|
for service in "${services[@]}"; do
|
||||||
sudo systemctl restart "$service" || systemctl status "$service.service" || true
|
sudo systemctl restart "$service" || systemctl status "$service.service" || true
|
||||||
done
|
done
|
||||||
|
systemctl restart --user dbus || systemctl status --user "dbus.service" || true
|
||||||
sudo ps auxZ | grep -v '\[.*\]'
|
sudo ps auxZ | grep -v '\[.*\]'
|
||||||
sudo aa-log -s --raw
|
sudo aa-log -s --raw
|
||||||
|
|
||||||
- name: Install integration dependencies
|
- name: Install integration dependencies
|
||||||
run: |
|
run: |
|
||||||
bash tests/requirements.sh
|
just init
|
||||||
|
find /usr/sbin/ -type f
|
||||||
|
|
||||||
- name: Run the bats integration tests
|
- name: Run the integration tests
|
||||||
run: |
|
run: |
|
||||||
make bats
|
just integration
|
||||||
|
|
||||||
- name: Show final AppArmor logs
|
- name: Show final AppArmor logs
|
||||||
if: always()
|
if: always()
|
||||||
|
|
|
||||||
|
|
@ -24,13 +24,13 @@ bash:
|
||||||
script:
|
script:
|
||||||
- shellcheck --shell=bash
|
- shellcheck --shell=bash
|
||||||
PKGBUILD dists/build.sh dists/docker.sh tests/check.sh
|
PKGBUILD dists/build.sh dists/docker.sh tests/check.sh
|
||||||
tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh
|
tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh
|
||||||
|
|
||||||
golangci-lint:
|
golangci-lint:
|
||||||
stage: lint
|
stage: lint
|
||||||
image: golangci/golangci-lint
|
image: golangci/golangci-lint
|
||||||
script:
|
script:
|
||||||
- golangci-lint run --exclude-dirs pkg/paths
|
- golangci-lint run
|
||||||
|
|
||||||
packer:
|
packer:
|
||||||
stage: lint
|
stage: lint
|
||||||
|
|
@ -54,7 +54,6 @@ tests:
|
||||||
image: golang
|
image: golang
|
||||||
coverage: '/Coverage: \d+.\d+/'
|
coverage: '/Coverage: \d+.\d+/'
|
||||||
script:
|
script:
|
||||||
- apt update && apt install -y rsync
|
|
||||||
- cp tests/journalctl /usr/bin/journalctl
|
- cp tests/journalctl /usr/bin/journalctl
|
||||||
- chmod 755 /usr/bin/journalctl
|
- chmod 755 /usr/bin/journalctl
|
||||||
- mkdir -p /var/log/audit/
|
- mkdir -p /var/log/audit/
|
||||||
|
|
@ -67,7 +66,7 @@ check:
|
||||||
stage: test
|
stage: test
|
||||||
image: registry.gitlab.com/roddhjav/builders/archlinux
|
image: registry.gitlab.com/roddhjav/builders/archlinux
|
||||||
script:
|
script:
|
||||||
- make check
|
- just check
|
||||||
|
|
||||||
# Package Build
|
# Package Build
|
||||||
# -------------
|
# -------------
|
||||||
|
|
@ -85,13 +84,12 @@ archlinux:
|
||||||
|
|
||||||
debian:
|
debian:
|
||||||
stage: build
|
stage: build
|
||||||
image: registry.gitlab.com/roddhjav/builders/debian
|
image: registry.gitlab.com/roddhjav/builders/debian:trixie
|
||||||
script:
|
script:
|
||||||
- sudo chown -R build:build /builds/
|
- sudo chown -R build:build /builds/
|
||||||
- git config --global --add safe.directory $CI_PROJECT_DIR
|
- git config --global --add safe.directory $CI_PROJECT_DIR
|
||||||
- mkdir -p "$PKGDEST"
|
- mkdir -p "$PKGDEST"
|
||||||
- sudo apt-get update -q && sudo apt-get install -y config-package-dev rsync
|
- sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl
|
||||||
- sudo apt-get install -y -t bookworm-backports golang-go
|
|
||||||
- bash dists/build.sh dpkg
|
- bash dists/build.sh dpkg
|
||||||
artifacts:
|
artifacts:
|
||||||
expire_in: 1 day
|
expire_in: 1 day
|
||||||
|
|
@ -100,12 +98,13 @@ debian:
|
||||||
|
|
||||||
ubuntu:
|
ubuntu:
|
||||||
stage: build
|
stage: build
|
||||||
image: registry.gitlab.com/roddhjav/builders/ubuntu
|
image: registry.gitlab.com/roddhjav/builders/ubuntu:24.04
|
||||||
|
variables:
|
||||||
|
GOFLAGS: "-buildvcs=false"
|
||||||
script:
|
script:
|
||||||
- sudo chown -R ubuntu:ubuntu /builds/
|
|
||||||
- git config --global --add safe.directory $CI_PROJECT_DIR
|
- git config --global --add safe.directory $CI_PROJECT_DIR
|
||||||
- mkdir -p "$PKGDEST"
|
- mkdir -p "$PKGDEST"
|
||||||
- sudo apt-get update -q && sudo apt-get install -y config-package-dev rsync golang-go
|
- sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl
|
||||||
- bash dists/build.sh dpkg
|
- bash dists/build.sh dpkg
|
||||||
artifacts:
|
artifacts:
|
||||||
expire_in: 1 day
|
expire_in: 1 day
|
||||||
|
|
@ -117,14 +116,14 @@ whonix:
|
||||||
variables:
|
variables:
|
||||||
DISTRIBUTION: whonix
|
DISTRIBUTION: whonix
|
||||||
before_script:
|
before_script:
|
||||||
- echo "\noverride_dh_auto_build:\n\tmake full" >> debian/rules
|
- sed -e "s/just complain/just fsp-complain/" -i debian/rules
|
||||||
|
|
||||||
opensuse:
|
opensuse:
|
||||||
stage: build
|
stage: build
|
||||||
image: registry.gitlab.com/roddhjav/builders/opensuse
|
image: registry.gitlab.com/roddhjav/builders/opensuse
|
||||||
script:
|
script:
|
||||||
- mkdir -p "$PKGDEST"
|
- mkdir -p "$PKGDEST"
|
||||||
- sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles
|
- sudo zypper install -y distribution-release golang-packaging apparmor-profiles
|
||||||
- bash dists/build.sh rpm
|
- bash dists/build.sh rpm
|
||||||
artifacts:
|
artifacts:
|
||||||
expire_in: 1 day
|
expire_in: 1 day
|
||||||
|
|
@ -147,7 +146,7 @@ preprocess-archlinux:
|
||||||
|
|
||||||
preprocess-debian:
|
preprocess-debian:
|
||||||
stage: preprocess
|
stage: preprocess
|
||||||
image: debian
|
image: debian:trixie
|
||||||
dependencies:
|
dependencies:
|
||||||
- debian
|
- debian
|
||||||
script:
|
script:
|
||||||
|
|
@ -167,7 +166,7 @@ preprocess-ubuntu:
|
||||||
- dpkg --install $PKGDEST/*
|
- dpkg --install $PKGDEST/*
|
||||||
- apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null
|
- apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null
|
||||||
|
|
||||||
preprocess-whonix:
|
.preprocess-whonix:
|
||||||
extends: preprocess-debian
|
extends: preprocess-debian
|
||||||
dependencies:
|
dependencies:
|
||||||
- whonix
|
- whonix
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,15 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
linters-settings:
|
version: "2"
|
||||||
staticcheck:
|
linters:
|
||||||
checks: ["all", "-SA1019" ]
|
settings:
|
||||||
|
staticcheck:
|
||||||
|
checks:
|
||||||
|
- all
|
||||||
|
- -SA1019
|
||||||
|
- -ST1000
|
||||||
|
exclusions:
|
||||||
|
paths:
|
||||||
|
- pkg/paths
|
||||||
|
- tests/cmd/
|
||||||
|
|
||||||
|
|
|
||||||
392
Justfile
Normal file
392
Justfile
Normal file
|
|
@ -0,0 +1,392 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
# Usage: `just`
|
||||||
|
# See https://apparmor.pujol.io/development/ for more information.
|
||||||
|
|
||||||
|
# Build setings
|
||||||
|
destdir := "/"
|
||||||
|
build := ".build"
|
||||||
|
pkgdest := `pwd` / ".pkg"
|
||||||
|
pkgname := "apparmor.d"
|
||||||
|
|
||||||
|
# Admin username
|
||||||
|
username := "user"
|
||||||
|
|
||||||
|
# Default admin password
|
||||||
|
password := "user"
|
||||||
|
|
||||||
|
# Disk size of the VM to build
|
||||||
|
disk_size := "40G"
|
||||||
|
|
||||||
|
# Virtual machine CPU
|
||||||
|
vcpus := "6"
|
||||||
|
|
||||||
|
# Virtual machine RAM
|
||||||
|
ram := "4096"
|
||||||
|
|
||||||
|
# Path to the ssh key
|
||||||
|
ssh_keyname := "id_ed25519"
|
||||||
|
ssh_privatekey := home_dir() / ".ssh/" + ssh_keyname
|
||||||
|
ssh_publickey := ssh_privatekey + ".pub"
|
||||||
|
|
||||||
|
# Where the VM are stored
|
||||||
|
vm := home_dir() / ".vm"
|
||||||
|
|
||||||
|
# Where the VM images are stored
|
||||||
|
base_dir := home_dir() / ".libvirt/base"
|
||||||
|
|
||||||
|
# Where the packer temporary output is stored
|
||||||
|
output_dir := base_dir / "packer"
|
||||||
|
|
||||||
|
# SSH options
|
||||||
|
sshopt := "-i " + ssh_privatekey + " -o IdentitiesOnly=yes -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
|
||||||
|
|
||||||
|
# Libvirt connection address
|
||||||
|
c := "--connect=qemu:///system"
|
||||||
|
|
||||||
|
# VM prefix
|
||||||
|
prefix := "aa-"
|
||||||
|
|
||||||
|
[doc('Show this help message')]
|
||||||
|
help:
|
||||||
|
@just --list --unsorted
|
||||||
|
@printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information."
|
||||||
|
|
||||||
|
[group('build')]
|
||||||
|
[doc('Build the go programs')]
|
||||||
|
build:
|
||||||
|
@go build -o {{build}}/ ./cmd/aa-log
|
||||||
|
@go build -o {{build}}/ ./cmd/prebuild
|
||||||
|
|
||||||
|
[group('build')]
|
||||||
|
[doc('Prebuild the profiles in enforced mode')]
|
||||||
|
enforce: build
|
||||||
|
@./{{build}}/prebuild
|
||||||
|
|
||||||
|
[group('build')]
|
||||||
|
[doc('Prebuild the profiles in complain mode')]
|
||||||
|
complain: build
|
||||||
|
@./{{build}}/prebuild --complain
|
||||||
|
|
||||||
|
[group('build')]
|
||||||
|
[doc('Prebuild the profiles in FSP mode')]
|
||||||
|
fsp: build
|
||||||
|
@./{{build}}/prebuild --full
|
||||||
|
|
||||||
|
[group('build')]
|
||||||
|
[doc('Prebuild the profiles in FSP mode (complain)')]
|
||||||
|
fsp-complain: build
|
||||||
|
@./{{build}}/prebuild --complain --full
|
||||||
|
|
||||||
|
[group('build')]
|
||||||
|
[doc('Prebuild the profiles in FSP mode (debug)')]
|
||||||
|
fsp-debug: build
|
||||||
|
@./{{build}}/prebuild --complain --full --debug
|
||||||
|
|
||||||
|
[group('install')]
|
||||||
|
[doc('Install prebuild profiles')]
|
||||||
|
install:
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
set -eu -o pipefail
|
||||||
|
install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log
|
||||||
|
mapfile -t share < <(find "{{build}}/share" -type f -not -name "*.md" -printf "%P\n")
|
||||||
|
for file in "${share[@]}"; do
|
||||||
|
install -Dm0644 "{{build}}/share/$file" "{{destdir}}/usr/share/$file"
|
||||||
|
done
|
||||||
|
mapfile -t aa < <(find "{{build}}/apparmor.d" -type f -printf "%P\n")
|
||||||
|
for file in "${aa[@]}"; do
|
||||||
|
install -Dm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file"
|
||||||
|
done
|
||||||
|
mapfile -t links < <(find "{{build}}/apparmor.d" -type l -printf "%P\n")
|
||||||
|
for file in "${links[@]}"; do
|
||||||
|
mkdir -p "{{destdir}}/etc/apparmor.d/disable"
|
||||||
|
cp -d "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file"
|
||||||
|
done
|
||||||
|
for file in "{{build}}/systemd/system/"*; do
|
||||||
|
service="$(basename "$file")"
|
||||||
|
install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/system/$service.d/apparmor.conf"
|
||||||
|
done
|
||||||
|
for file in "{{build}}/systemd/user/"*; do
|
||||||
|
service="$(basename "$file")"
|
||||||
|
install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf"
|
||||||
|
done
|
||||||
|
|
||||||
|
[group('install')]
|
||||||
|
[doc('Locally install prebuild profiles')]
|
||||||
|
local +names:
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
set -eu -o pipefail
|
||||||
|
install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log
|
||||||
|
mapfile -t abs < <(find "{{build}}/apparmor.d/abstractions" -type f -printf "%P\n")
|
||||||
|
for file in "${abs[@]}"; do
|
||||||
|
install -Dm0644 "{{build}}/apparmor.d/abstractions/$file" "{{destdir}}/etc/apparmor.d/abstractions/$file"
|
||||||
|
done;
|
||||||
|
mapfile -t tunables < <(find "{{build}}/apparmor.d/tunables" -type f -printf "%P\n")
|
||||||
|
for file in "${tunables[@]}"; do
|
||||||
|
install -Dm0644 "{{build}}/apparmor.d/tunables/$file" "{{destdir}}/etc/apparmor.d/tunables/$file"
|
||||||
|
done;
|
||||||
|
echo "Warning: profile dependencies fallback to unconfined."
|
||||||
|
for file in {{names}}; do
|
||||||
|
grep -Ei 'rPx|rpx' "{{build}}/apparmor.d/$file" || true
|
||||||
|
sed -i -e "s/rPx/rPUx/g" "{{build}}/apparmor.d/$file"
|
||||||
|
install -Dvm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file"
|
||||||
|
done;
|
||||||
|
systemctl restart apparmor || sudo journalctl -xeu apparmor.service
|
||||||
|
|
||||||
|
[group('install')]
|
||||||
|
[doc('Prebuild, install, and load a dev profile')]
|
||||||
|
dev name:
|
||||||
|
go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}`
|
||||||
|
sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}}
|
||||||
|
sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service
|
||||||
|
|
||||||
|
[group('packages')]
|
||||||
|
[doc('Build & install apparmor.d on Arch based systems')]
|
||||||
|
pkg:
|
||||||
|
@makepkg --syncdeps --install --cleanbuild --force --noconfirm
|
||||||
|
|
||||||
|
[group('packages')]
|
||||||
|
[doc('Build & install apparmor.d on Debian based systems')]
|
||||||
|
dpkg:
|
||||||
|
@bash dists/build.sh dpkg
|
||||||
|
@sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb
|
||||||
|
|
||||||
|
[group('packages')]
|
||||||
|
[doc('Build & install apparmor.d on OpenSUSE based systems')]
|
||||||
|
rpm:
|
||||||
|
@bash dists/build.sh rpm
|
||||||
|
@sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm
|
||||||
|
|
||||||
|
[group('tests')]
|
||||||
|
[doc('Run the unit tests')]
|
||||||
|
tests:
|
||||||
|
@go test ./cmd/... -v -cover -coverprofile=coverage.out
|
||||||
|
@go test ./pkg/... -v -cover -coverprofile=coverage.out
|
||||||
|
@go tool cover -func=coverage.out
|
||||||
|
|
||||||
|
[group('linter')]
|
||||||
|
[doc('Run the linters')]
|
||||||
|
lint:
|
||||||
|
golangci-lint run
|
||||||
|
packer fmt tests/packer/
|
||||||
|
packer validate --syntax-only tests/packer/
|
||||||
|
shellcheck --shell=bash \
|
||||||
|
PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \
|
||||||
|
tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \
|
||||||
|
debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm
|
||||||
|
|
||||||
|
[group('linter')]
|
||||||
|
[doc('Run style checks on the profiles')]
|
||||||
|
check:
|
||||||
|
@bash tests/check.sh
|
||||||
|
|
||||||
|
[group('docs')]
|
||||||
|
[doc('Generate the man pages')]
|
||||||
|
man:
|
||||||
|
@pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md
|
||||||
|
|
||||||
|
[group('docs')]
|
||||||
|
[doc('Build the documentation')]
|
||||||
|
docs:
|
||||||
|
@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict
|
||||||
|
|
||||||
|
[group('docs')]
|
||||||
|
[doc('Serve the documentation')]
|
||||||
|
serve:
|
||||||
|
@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve
|
||||||
|
|
||||||
|
[doc('Remove all build artifacts')]
|
||||||
|
clean:
|
||||||
|
@rm -rf \
|
||||||
|
debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \
|
||||||
|
{{pkgdest}}/{{pkgname}}* {{build}} coverage.out
|
||||||
|
|
||||||
|
[group('packages')]
|
||||||
|
[doc('Build the package in a clean OCI container')]
|
||||||
|
package dist:
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
set -eu -o pipefail
|
||||||
|
dist="{{dist}}"
|
||||||
|
version=""
|
||||||
|
if [[ $dist =~ ubuntu([0-9]+) ]]; then
|
||||||
|
version="${BASH_REMATCH[1]}.04"
|
||||||
|
dist="ubuntu"
|
||||||
|
elif [[ $dist == debian* ]]; then
|
||||||
|
version="trixie"
|
||||||
|
dist="debian"
|
||||||
|
fi
|
||||||
|
bash dists/docker.sh $dist $version
|
||||||
|
|
||||||
|
[group('vm')]
|
||||||
|
[doc('Build the VM image')]
|
||||||
|
img dist flavor: (package dist)
|
||||||
|
@mkdir -p {{base_dir}}
|
||||||
|
packer build -force \
|
||||||
|
-var dist={{dist}} \
|
||||||
|
-var flavor={{flavor}} \
|
||||||
|
-var prefix={{prefix}} \
|
||||||
|
-var username={{username}} \
|
||||||
|
-var password={{password}} \
|
||||||
|
-var ssh_publickey={{ssh_publickey}} \
|
||||||
|
-var disk_size={{disk_size}} \
|
||||||
|
-var cpus={{vcpus}} \
|
||||||
|
-var ram={{ram}} \
|
||||||
|
-var base_dir={{base_dir}} \
|
||||||
|
-var output_dir={{output_dir}} \
|
||||||
|
tests/packer/
|
||||||
|
|
||||||
|
[group('vm')]
|
||||||
|
[doc('Create the machine')]
|
||||||
|
create dist flavor:
|
||||||
|
@cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2
|
||||||
|
@virt-install {{c}} \
|
||||||
|
--import \
|
||||||
|
--name {{prefix}}{{dist}}-{{flavor}} \
|
||||||
|
--vcpus {{vcpus}} \
|
||||||
|
--ram {{ram}} \
|
||||||
|
--machine q35 \
|
||||||
|
{{ if dist == "archlinux" { "" } else { "--boot uefi" } }} \
|
||||||
|
--memorybacking source.type=memfd,access.mode=shared \
|
||||||
|
--disk path={{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2,format=qcow2,bus=virtio \
|
||||||
|
--filesystem "`pwd`,0a31bc478ef8e2461a4b1cc10a24cc4",accessmode=passthrough,driver.type=virtiofs \
|
||||||
|
--os-variant "`just get_osinfo {{dist}}`" \
|
||||||
|
--graphics spice \
|
||||||
|
--audio id=1,type=spice \
|
||||||
|
--sound model=ich9 \
|
||||||
|
--noautoconsole
|
||||||
|
|
||||||
|
[group('vm')]
|
||||||
|
[doc('Start a machine')]
|
||||||
|
up dist flavor:
|
||||||
|
@virsh {{c}} start {{prefix}}{{dist}}-{{flavor}}
|
||||||
|
|
||||||
|
[group('vm')]
|
||||||
|
[doc('Stops the machine')]
|
||||||
|
halt dist flavor:
|
||||||
|
@virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}}
|
||||||
|
|
||||||
|
[group('vm')]
|
||||||
|
[doc('Reboot the machine')]
|
||||||
|
reboot dist flavor:
|
||||||
|
@virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}}
|
||||||
|
|
||||||
|
[group('vm')]
|
||||||
|
[doc('Destroy the machine')]
|
||||||
|
destroy dist flavor:
|
||||||
|
@virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true
|
||||||
|
@virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram
|
||||||
|
@rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2
|
||||||
|
|
||||||
|
[group('vm')]
|
||||||
|
[doc('Connect to the machine')]
|
||||||
|
ssh dist flavor:
|
||||||
|
@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}`
|
||||||
|
|
||||||
|
[group('vm')]
|
||||||
|
[doc('Mount the shared directory on the machine')]
|
||||||
|
mount dist flavor:
|
||||||
|
@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
|
||||||
|
sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4'
|
||||||
|
|
||||||
|
[group('vm')]
|
||||||
|
[doc('Unmout the shared directory on the machine')]
|
||||||
|
umount dist flavor:
|
||||||
|
@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
|
||||||
|
sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true'
|
||||||
|
|
||||||
|
[group('vm')]
|
||||||
|
[doc('List the machines')]
|
||||||
|
list:
|
||||||
|
@printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State"
|
||||||
|
@virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g'
|
||||||
|
|
||||||
|
[group('vm')]
|
||||||
|
[doc('List the VM images')]
|
||||||
|
images:
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
set -eu -o pipefail
|
||||||
|
ls -lh {{base_dir}} | awk '
|
||||||
|
BEGIN {
|
||||||
|
printf("{{BOLD}}%-18s %-10s %-5s %s{{NORMAL}}\n", "Distribution", "Flavor", "Size", "Date")
|
||||||
|
}
|
||||||
|
{
|
||||||
|
if ($9 ~ /^{{prefix}}.*\.qcow2$/) {
|
||||||
|
split($9, arr, "-|\\.")
|
||||||
|
printf("%-18s %-10s %-5s %s %s %s\n", arr[2], arr[3], $5, $6, $7, $8)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
'
|
||||||
|
|
||||||
|
[group('vm')]
|
||||||
|
[doc('List the VM images that can be created')]
|
||||||
|
available:
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
set -eu -o pipefail
|
||||||
|
ls -lh tests/cloud-init | awk '
|
||||||
|
BEGIN {
|
||||||
|
printf("{{BOLD}}%-18s %s{{NORMAL}}\n", "Distribution", "Flavor")
|
||||||
|
}
|
||||||
|
{
|
||||||
|
if ($9 ~ /^.*\.user-data.yml$/) {
|
||||||
|
split($9, arr, "-|\\.")
|
||||||
|
printf("%-18s %s\n", arr[1], arr[2])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
'
|
||||||
|
|
||||||
|
[group('tests')]
|
||||||
|
[doc('Install dependencies for the integration tests')]
|
||||||
|
init:
|
||||||
|
@bash tests/requirements.sh
|
||||||
|
|
||||||
|
[group('tests')]
|
||||||
|
[doc('Run the integration tests')]
|
||||||
|
integration:
|
||||||
|
bats --recursive --timing --print-output-on-failure tests/integration
|
||||||
|
|
||||||
|
[group('tests')]
|
||||||
|
[doc('Install dependencies for the integration tests (machine)')]
|
||||||
|
tests-init dist flavor:
|
||||||
|
@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
|
||||||
|
just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init
|
||||||
|
|
||||||
|
[group('tests')]
|
||||||
|
[doc('Synchronize the integration tests (machine)')]
|
||||||
|
tests-sync dist flavor:
|
||||||
|
@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
|
||||||
|
rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/
|
||||||
|
|
||||||
|
[group('tests')]
|
||||||
|
[doc('Re-synchronize the integration tests (machine)')]
|
||||||
|
tests-resync dist flavor: (mount dist flavor) \
|
||||||
|
(tests-sync dist flavor) \
|
||||||
|
(umount dist flavor)
|
||||||
|
|
||||||
|
[group('tests')]
|
||||||
|
[doc('Run the integration tests (machine)')]
|
||||||
|
tests-run dist flavor name="": (tests-resync dist flavor)
|
||||||
|
ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
|
||||||
|
bats --recursive --pretty --timing --print-output-on-failure \
|
||||||
|
/home/{{username}}/Projects/tests/integration/{{name}}
|
||||||
|
|
||||||
|
[private]
|
||||||
|
get_ip dist flavor:
|
||||||
|
@virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \
|
||||||
|
head -1 | \
|
||||||
|
grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}'
|
||||||
|
|
||||||
|
[private]
|
||||||
|
get_osinfo dist:
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
osinfo = {
|
||||||
|
"archlinux": "archlinux",
|
||||||
|
"debian12": "debian12",
|
||||||
|
"debian13": "debian13",
|
||||||
|
"ubuntu22": "ubuntu22.04",
|
||||||
|
"ubuntu24": "ubuntu24.04",
|
||||||
|
"ubuntu25": "ubuntu25.04",
|
||||||
|
"opensuse": "opensusetumbleweed",
|
||||||
|
}
|
||||||
|
print(osinfo.get("{{dist}}", "{{dist}}"))
|
||||||
134
Makefile
134
Makefile
|
|
@ -1,134 +0,0 @@
|
||||||
#!/usr/bin/make -f
|
|
||||||
# apparmor.d - Full set of apparmor profiles
|
|
||||||
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
|
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
|
||||||
|
|
||||||
DESTDIR ?= /
|
|
||||||
BUILD ?= .build
|
|
||||||
PKGDEST ?= ${PWD}/.pkg
|
|
||||||
PKGNAME := apparmor.d
|
|
||||||
PROFILES = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*)))
|
|
||||||
|
|
||||||
.PHONY: all
|
|
||||||
all: build
|
|
||||||
@./${BUILD}/prebuild --complain
|
|
||||||
|
|
||||||
.PHONY: build
|
|
||||||
build:
|
|
||||||
@go build -o ${BUILD}/ ./cmd/aa-log
|
|
||||||
@go build -o ${BUILD}/ ./cmd/prebuild
|
|
||||||
|
|
||||||
.PHONY: enforce
|
|
||||||
enforce: build
|
|
||||||
@./${BUILD}/prebuild
|
|
||||||
|
|
||||||
.PHONY: full
|
|
||||||
full: build
|
|
||||||
@./${BUILD}/prebuild --complain --full
|
|
||||||
|
|
||||||
.PHONY: install
|
|
||||||
install:
|
|
||||||
@install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
|
|
||||||
@for file in $(shell find "${BUILD}/share" -type f -not -name "*.md" -printf "%P\n"); do \
|
|
||||||
install -Dm0644 "${BUILD}/share/$${file}" "${DESTDIR}/usr/share/$${file}"; \
|
|
||||||
done;
|
|
||||||
@for file in $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n"); do \
|
|
||||||
install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
|
|
||||||
done;
|
|
||||||
@for file in $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n"); do \
|
|
||||||
mkdir -p "${DESTDIR}/etc/apparmor.d/disable"; \
|
|
||||||
cp -d "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
|
|
||||||
done;
|
|
||||||
@for file in ${BUILD}/systemd/system/*; do \
|
|
||||||
service="$$(basename "$$file")"; \
|
|
||||||
install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/system/$${service}.d/apparmor.conf"; \
|
|
||||||
done;
|
|
||||||
@for file in ${BUILD}/systemd/user/*; do \
|
|
||||||
service="$$(basename "$$file")"; \
|
|
||||||
install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \
|
|
||||||
done
|
|
||||||
|
|
||||||
|
|
||||||
.PHONY: $(PROFILES)
|
|
||||||
$(PROFILES):
|
|
||||||
@install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
|
|
||||||
@for file in $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n"); do \
|
|
||||||
install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \
|
|
||||||
done;
|
|
||||||
@for file in $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n"); do \
|
|
||||||
install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \
|
|
||||||
done;
|
|
||||||
@echo "Warning: profile dependencies fallback to unconfined."
|
|
||||||
@for file in ${@}; do \
|
|
||||||
grep 'rPx' "${BUILD}/apparmor.d/$${file}"; \
|
|
||||||
sed -i -e "s/rPx/rPUx/g" "${BUILD}/apparmor.d/$${file}"; \
|
|
||||||
install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
|
|
||||||
done;
|
|
||||||
@systemctl restart apparmor || sudo journalctl -xeu apparmor.service
|
|
||||||
|
|
||||||
.PHONY: dev
|
|
||||||
name ?=
|
|
||||||
dev:
|
|
||||||
@go run ./cmd/prebuild --complain --file $(shell find apparmor.d -iname ${name})
|
|
||||||
@sudo install -Dm644 ${BUILD}/apparmor.d/${name} /etc/apparmor.d/${name}
|
|
||||||
@sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service
|
|
||||||
|
|
||||||
.PHONY: package
|
|
||||||
dist ?= archlinux
|
|
||||||
package:
|
|
||||||
@bash dists/docker.sh ${dist}
|
|
||||||
|
|
||||||
.PHONY: pkg
|
|
||||||
pkg:
|
|
||||||
@makepkg --syncdeps --install --cleanbuild --force --noconfirm
|
|
||||||
|
|
||||||
.PHONY: dpkg
|
|
||||||
dpkg:
|
|
||||||
@bash dists/build.sh dpkg
|
|
||||||
@sudo dpkg -i ${PKGDEST}/${PKGNAME}_*.deb
|
|
||||||
|
|
||||||
.PHONY: rpm
|
|
||||||
rpm:
|
|
||||||
@bash dists/build.sh rpm
|
|
||||||
@sudo rpm -ivh --force ${PKGDEST}/${PKGNAME}-*.rpm
|
|
||||||
|
|
||||||
.PHONY: tests
|
|
||||||
tests:
|
|
||||||
@go test ./cmd/... -v -cover -coverprofile=coverage.out
|
|
||||||
@go test ./pkg/... -v -cover -coverprofile=coverage.out
|
|
||||||
@go tool cover -func=coverage.out
|
|
||||||
|
|
||||||
.PHONY: lint
|
|
||||||
lint:
|
|
||||||
@golangci-lint run
|
|
||||||
@make --directory=tests lint
|
|
||||||
@shellcheck --shell=bash \
|
|
||||||
PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \
|
|
||||||
tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh \
|
|
||||||
debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm
|
|
||||||
|
|
||||||
.PHONY: check
|
|
||||||
check:
|
|
||||||
@bash tests/check.sh
|
|
||||||
|
|
||||||
.PHONY: bats
|
|
||||||
bats:
|
|
||||||
@bats --timing --print-output-on-failure tests/bats/
|
|
||||||
|
|
||||||
.PHONY: manual
|
|
||||||
manual:
|
|
||||||
@pandoc -t man -s -o root/usr/share/man/man8/aa-log.8 root/usr/share/man/man8/aa-log.md
|
|
||||||
|
|
||||||
.PHONY: docs
|
|
||||||
docs:
|
|
||||||
@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict
|
|
||||||
|
|
||||||
.PHONY: serve
|
|
||||||
serve:
|
|
||||||
@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve
|
|
||||||
|
|
||||||
.PHONY: clean
|
|
||||||
clean:
|
|
||||||
@rm -rf \
|
|
||||||
debian/.debhelper debian/debhelper* debian/*.debhelper debian/${PKGNAME} \
|
|
||||||
.pkg/${PKGNAME}* ${BUILD} coverage.out
|
|
||||||
15
PKGBUILD
15
PKGBUILD
|
|
@ -7,11 +7,11 @@ pkgname=apparmor.d
|
||||||
pkgver=0.001
|
pkgver=0.001
|
||||||
pkgrel=1
|
pkgrel=1
|
||||||
pkgdesc="Full set of apparmor profiles"
|
pkgdesc="Full set of apparmor profiles"
|
||||||
arch=("x86_64")
|
arch=('x86_64' 'armv6h' 'armv7h' 'aarch64')
|
||||||
url="https://github.com/roddhjav/$pkgname"
|
url="https://github.com/roddhjav/apparmor.d"
|
||||||
license=('GPL2')
|
license=('GPL-2.0-only')
|
||||||
depends=('apparmor')
|
depends=('apparmor>=4.1.0' 'apparmor<5.0.0')
|
||||||
makedepends=('go' 'git' 'rsync')
|
makedepends=('go' 'git' 'rsync' 'just')
|
||||||
conflicts=("$pkgname-git")
|
conflicts=("$pkgname-git")
|
||||||
|
|
||||||
pkgver() {
|
pkgver() {
|
||||||
|
|
@ -30,10 +30,11 @@ build() {
|
||||||
export CGO_CXXFLAGS="${CXXFLAGS}"
|
export CGO_CXXFLAGS="${CXXFLAGS}"
|
||||||
export CGO_LDFLAGS="${LDFLAGS}"
|
export CGO_LDFLAGS="${LDFLAGS}"
|
||||||
export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
|
export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
|
||||||
make DISTRIBUTION=arch
|
export DISTRIBUTION=arch
|
||||||
|
just complain
|
||||||
}
|
}
|
||||||
|
|
||||||
package() {
|
package() {
|
||||||
cd "$srcdir/$pkgname"
|
cd "$srcdir/$pkgname"
|
||||||
make install DESTDIR="$pkgdir"
|
just destdir="$pkgdir" install
|
||||||
}
|
}
|
||||||
|
|
|
||||||
13
README.md
13
README.md
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
# apparmor.d
|
# apparmor.d
|
||||||
|
|
||||||
[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard] [![][matrix]][matrix-link]
|
[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard] [![][matrix]][matrix-link] [![][play]][play-link]
|
||||||
|
|
||||||
**Full set of AppArmor profiles**
|
**Full set of AppArmor profiles**
|
||||||
|
|
||||||
|
|
@ -35,8 +35,11 @@
|
||||||
* Gnome (GDM)
|
* Gnome (GDM)
|
||||||
* KDE (SDDM)
|
* KDE (SDDM)
|
||||||
* XFCE (Lightdm) *(work in progress)*
|
* XFCE (Lightdm) *(work in progress)*
|
||||||
- Fully tested *(work in progress)*
|
- [Fully tested](https://apparmor.pujol.io/development/tests/)
|
||||||
|
|
||||||
|
**Demo**
|
||||||
|
|
||||||
|
You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. You can try it online on my AppArmor play machine at https://play.pujol.io/
|
||||||
|
|
||||||
> This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments.
|
> This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments.
|
||||||
|
|
||||||
|
|
@ -59,6 +62,10 @@ Building the largest set of AppArmor profiles:
|
||||||
- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))*
|
- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))*
|
||||||
- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))*
|
- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))*
|
||||||
|
|
||||||
|
Lessons learned while making an AppArmor Play machine:
|
||||||
|
|
||||||
|
- [Linux Security Summit North America (LSS-NA 2025)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2025.sched.com/event/1zalf/lessons-learned-while-making-an-apparmor-play-machine-alexandre-pujol-linagora), [Video](https://www.youtube.com/watch?v=zCSl8honRI0))*
|
||||||
|
|
||||||
## Installation
|
## Installation
|
||||||
|
|
||||||
Please see [apparmor.pujol.io/install](https://apparmor.pujol.io/install)
|
Please see [apparmor.pujol.io/install](https://apparmor.pujol.io/install)
|
||||||
|
|
@ -93,6 +100,8 @@ and thus has the same license (GPL2).
|
||||||
[goreportcard]: https://goreportcard.com/report/github.com/roddhjav/apparmor.d
|
[goreportcard]: https://goreportcard.com/report/github.com/roddhjav/apparmor.d
|
||||||
[matrix]: https://img.shields.io/badge/Matrix-%23apparmor.d-blue?style=flat-square&logo=matrix
|
[matrix]: https://img.shields.io/badge/Matrix-%23apparmor.d-blue?style=flat-square&logo=matrix
|
||||||
[matrix-link]: https://matrix.to/#/#apparmor.d:matrix.org
|
[matrix-link]: https://matrix.to/#/#apparmor.d:matrix.org
|
||||||
|
[play]: https://img.shields.io/badge/Live_Demo-play.pujol.io-blue?style=flat-square
|
||||||
|
[play-link]: https://play.pujol.io
|
||||||
|
|
||||||
[android_model]: https://arxiv.org/pdf/1904.05572
|
[android_model]: https://arxiv.org/pdf/1904.05572
|
||||||
[clipos]: https://clip-os.org/en/
|
[clipos]: https://clip-os.org/en/
|
||||||
|
|
|
||||||
|
|
@ -4,7 +4,6 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
|
||||||
# The unix socket to use to connect to the display
|
# The unix socket to use to connect to the display
|
||||||
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
|
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
|
||||||
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
|
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
|
||||||
|
|
@ -13,6 +12,7 @@
|
||||||
|
|
||||||
/usr/share/X11/{,**} r,
|
/usr/share/X11/{,**} r,
|
||||||
/usr/share/xsessions/{,*.desktop} r, # Available Xsessions
|
/usr/share/xsessions/{,*.desktop} r, # Available Xsessions
|
||||||
|
/usr/share/xkeyboard-config-2/{,**} r,
|
||||||
|
|
||||||
/etc/X11/cursors/{,**} r,
|
/etc/X11/cursors/{,**} r,
|
||||||
|
|
||||||
|
|
|
||||||
11
apparmor.d/abstractions/ansible
Normal file
11
apparmor.d/abstractions/ansible
Normal file
|
|
@ -0,0 +1,11 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
owner @{HOME}/.ansible/tmp/ansible-tmp-*/* rw,
|
||||||
|
|
||||||
|
include if exists <abstractions/ansible.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
@ -5,13 +5,11 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
@{bin}/** PUx,
|
include <abstractions/path>
|
||||||
/usr/local/{s,}bin/** PUx,
|
|
||||||
|
|
||||||
@{bin}/ r,
|
@{bin}/** PUx,
|
||||||
/ r,
|
@{sbin}/** PUx,
|
||||||
/usr/ r,
|
/usr/local/{s,}bin/** PUx,
|
||||||
/usr/local/{s,}bin/ r,
|
|
||||||
|
|
||||||
include if exists <abstractions/app-launcher-root.d>
|
include if exists <abstractions/app-launcher-root.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -5,6 +5,8 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
include <abstractions/path>
|
||||||
|
|
||||||
@{bin}/** PUx,
|
@{bin}/** PUx,
|
||||||
/opt/*/** PUx,
|
/opt/*/** PUx,
|
||||||
/usr/share/** PUx,
|
/usr/share/** PUx,
|
||||||
|
|
@ -18,13 +20,7 @@
|
||||||
@{thunderbird_path} Px,
|
@{thunderbird_path} Px,
|
||||||
@{offices_path} PUx,
|
@{offices_path} PUx,
|
||||||
|
|
||||||
@{bin}/ r,
|
@{user_bin_dirs}/** PUx,
|
||||||
/ r,
|
|
||||||
/usr/ r,
|
|
||||||
/usr/local/bin/ r,
|
|
||||||
|
|
||||||
@{user_bin_dirs}/ r,
|
|
||||||
@{user_bin_dirs}/** PUx,
|
|
||||||
|
|
||||||
include if exists <abstractions/app-launcher-user.d>
|
include if exists <abstractions/app-launcher-user.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -18,6 +18,7 @@
|
||||||
|
|
||||||
# Labeled programs
|
# Labeled programs
|
||||||
@{archive_viewers_path} PUx,
|
@{archive_viewers_path} PUx,
|
||||||
|
@{backup_path} PUx,
|
||||||
@{browsers_path} Px,
|
@{browsers_path} Px,
|
||||||
@{document_viewers_path} PUx,
|
@{document_viewers_path} PUx,
|
||||||
@{emails_path} PUx,
|
@{emails_path} PUx,
|
||||||
|
|
@ -25,6 +26,7 @@
|
||||||
@{help_path} Px,
|
@{help_path} Px,
|
||||||
@{image_viewers_path} PUx,
|
@{image_viewers_path} PUx,
|
||||||
@{offices_path} PUx,
|
@{offices_path} PUx,
|
||||||
|
@{terminal_path} Px,
|
||||||
@{text_editors_path} PUx,
|
@{text_editors_path} PUx,
|
||||||
|
|
||||||
# Others
|
# Others
|
||||||
|
|
@ -33,17 +35,19 @@
|
||||||
@{bin}/discord{,-ptb} Px,
|
@{bin}/discord{,-ptb} Px,
|
||||||
@{bin}/draw.io PUx,
|
@{bin}/draw.io PUx,
|
||||||
@{bin}/dropbox Px,
|
@{bin}/dropbox Px,
|
||||||
|
@{bin}/ebook-edit PUx,
|
||||||
@{bin}/element-desktop Px,
|
@{bin}/element-desktop Px,
|
||||||
@{bin}/extension-manager Px,
|
@{bin}/extension-manager Px,
|
||||||
@{bin}/filezilla Px,
|
@{bin}/filezilla Px,
|
||||||
@{bin}/flameshot Px,
|
@{bin}/flameshot Px,
|
||||||
@{bin}/gimp* PUx,
|
@{bin}/gimp{,-3.0} Px,
|
||||||
@{bin}/gnome-calculator PUx,
|
@{bin}/gnome-calculator Px,
|
||||||
@{bin}/gnome-disk-image-mounter Px,
|
@{bin}/gnome-disk-image-mounter Px,
|
||||||
@{bin}/gnome-disks Px,
|
@{bin}/gnome-disks Px,
|
||||||
|
@{bin}/gnome-session-quit Px,
|
||||||
@{bin}/gnome-software Px,
|
@{bin}/gnome-software Px,
|
||||||
@{bin}/gwenview PUx,
|
@{bin}/gwenview PUx,
|
||||||
@{bin}/kgx Px,
|
@{bin}/keepassxc Px,
|
||||||
@{bin}/qbittorrent Px,
|
@{bin}/qbittorrent Px,
|
||||||
@{bin}/qpdfview Px,
|
@{bin}/qpdfview Px,
|
||||||
@{bin}/smplayer Px,
|
@{bin}/smplayer Px,
|
||||||
|
|
@ -51,15 +55,12 @@
|
||||||
@{bin}/telegram-desktop Px,
|
@{bin}/telegram-desktop Px,
|
||||||
@{bin}/transmission-gtk Px,
|
@{bin}/transmission-gtk Px,
|
||||||
@{bin}/viewnior PUx,
|
@{bin}/viewnior PUx,
|
||||||
@{bin}/vlc PUx,
|
@{bin}/vlc Px,
|
||||||
@{bin}/xbrlapi Px,
|
@{bin}/xbrlapi Px,
|
||||||
|
|
||||||
#aa:only opensuse
|
#aa:only opensuse
|
||||||
@{lib}/YaST2/** PUx,
|
@{lib}/YaST2/** PUx,
|
||||||
|
|
||||||
# Backup
|
|
||||||
@{lib}/deja-dup/deja-dup-monitor PUx,
|
|
||||||
|
|
||||||
include if exists <abstractions/app-open.d>
|
include if exists <abstractions/app-open.d>
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -37,7 +37,7 @@
|
||||||
include <abstractions/desktop>
|
include <abstractions/desktop>
|
||||||
include <abstractions/devices-usb>
|
include <abstractions/devices-usb>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/graphics-full>
|
include <abstractions/graphics>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/ssl_certs>
|
include <abstractions/ssl_certs>
|
||||||
include <abstractions/thumbnails-cache-read>
|
include <abstractions/thumbnails-cache-read>
|
||||||
|
|
@ -78,7 +78,7 @@
|
||||||
@{lib_dirs}/chrome-sandbox rPx,
|
@{lib_dirs}/chrome-sandbox rPx,
|
||||||
|
|
||||||
# Desktop integration
|
# Desktop integration
|
||||||
@{bin}/lsb_release rPx -> lsb_release,
|
@{bin}/lsb_release rPx,
|
||||||
@{bin}/xdg-desktop-menu rPx,
|
@{bin}/xdg-desktop-menu rPx,
|
||||||
@{bin}/xdg-email rPx,
|
@{bin}/xdg-email rPx,
|
||||||
@{bin}/xdg-icon-resource rPx,
|
@{bin}/xdg-icon-resource rPx,
|
||||||
|
|
@ -86,16 +86,11 @@
|
||||||
@{bin}/xdg-open rPx -> child-open,
|
@{bin}/xdg-open rPx -> child-open,
|
||||||
@{bin}/xdg-settings rPx,
|
@{bin}/xdg-settings rPx,
|
||||||
|
|
||||||
# Installing/removing extensions & applications
|
# Installing/removing extensions, applications, and stacked xdg menus
|
||||||
@{bin}/{,e}grep rix,
|
@{sh_path} rix,
|
||||||
@{bin}/basename rix,
|
@{bin}/{,e}grep ix,
|
||||||
@{bin}/cat rix,
|
@{bin}/{m,g,}awk ix,
|
||||||
@{bin}/cut rix,
|
@{coreutils_path} ix,
|
||||||
@{bin}/mkdir rix,
|
|
||||||
@{bin}/mktemp rix,
|
|
||||||
@{bin}/rm rix,
|
|
||||||
@{bin}/sed rix,
|
|
||||||
@{bin}/touch rix,
|
|
||||||
|
|
||||||
# For storing passwords externally
|
# For storing passwords externally
|
||||||
@{bin}/keepassxc-proxy rix, # as a temporary solution - see issue #128
|
@{bin}/keepassxc-proxy rix, # as a temporary solution - see issue #128
|
||||||
|
|
@ -129,9 +124,10 @@
|
||||||
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
|
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
|
||||||
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
|
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
|
||||||
|
|
||||||
|
owner @{user_cache_dirs}/gtk-3.0/**/*.cache r,
|
||||||
owner @{user_config_dirs}/gtk-3.0/servers r,
|
owner @{user_config_dirs}/gtk-3.0/servers r,
|
||||||
owner @{user_share_dirs}/.@{domain}.@{rand6} rw,
|
owner @{user_share_dirs}/.@{domain}.@{rand6} rw,
|
||||||
owner @{user_cache_dirs}/gtk-3.0/**/*.cache r,
|
owner @{user_share_dirs}/icons/hicolor/.xdg-icon-resource-dummy w,
|
||||||
|
|
||||||
owner @{config_dirs}/ rw,
|
owner @{config_dirs}/ rw,
|
||||||
owner @{config_dirs}/** rwk,
|
owner @{config_dirs}/** rwk,
|
||||||
|
|
@ -141,7 +137,7 @@
|
||||||
|
|
||||||
owner @{user_config_dirs}/kioslaverc r,
|
owner @{user_config_dirs}/kioslaverc r,
|
||||||
owner @{user_config_dirs}/menus/applications-merged/ r,
|
owner @{user_config_dirs}/menus/applications-merged/ r,
|
||||||
owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r,
|
owner @{user_config_dirs}/menus/applications-merged/*.menu rw,
|
||||||
|
|
||||||
# For importing data (bookmarks, cookies, etc) from Firefox
|
# For importing data (bookmarks, cookies, etc) from Firefox
|
||||||
# owner @{HOME}/.mozilla/firefox/profiles.ini r,
|
# owner @{HOME}/.mozilla/firefox/profiles.ini r,
|
||||||
|
|
@ -159,6 +155,7 @@
|
||||||
owner @{tmp}/.@{domain}.@{rand6}/{,**} rw,
|
owner @{tmp}/.@{domain}.@{rand6}/{,**} rw,
|
||||||
owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw,
|
owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw,
|
||||||
owner @{tmp}/scoped_dir@{rand6}/{,**} rw,
|
owner @{tmp}/scoped_dir@{rand6}/{,**} rw,
|
||||||
|
owner @{tmp}/tmp.@{rand10} rw,
|
||||||
owner @{tmp}/tmp.@{rand6} rw,
|
owner @{tmp}/tmp.@{rand6} rw,
|
||||||
owner @{tmp}/tmp.@{rand6}/ rw,
|
owner @{tmp}/tmp.@{rand6}/ rw,
|
||||||
owner @{tmp}/tmp.@{rand6}/** rwk,
|
owner @{tmp}/tmp.@{rand6}/** rwk,
|
||||||
|
|
@ -202,6 +199,7 @@
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
|
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
|
||||||
owner @{PROC}/@{pid}/setgroups w,
|
owner @{PROC}/@{pid}/setgroups w,
|
||||||
|
owner @{PROC}/@{pid}/smaps_rollup r,
|
||||||
owner @{PROC}/@{pid}/task/ r,
|
owner @{PROC}/@{pid}/task/ r,
|
||||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||||
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||||
|
|
|
||||||
|
|
@ -10,10 +10,10 @@
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
|
|
||||||
@{sh_path} rix,
|
@{sh_path} rix,
|
||||||
@{bin}/nvim mix,
|
@{bin}/nvim mrix,
|
||||||
@{bin}/sensible-editor mr,
|
@{bin}/sensible-editor mr,
|
||||||
@{bin}/vim{,.*} mrix,
|
@{bin}/vim{,.*} mrix,
|
||||||
@{bin}/which{,.debianutils} ix,
|
@{bin}/which{,.debianutils} rix,
|
||||||
|
|
||||||
/usr/share/nvim/{,**} r,
|
/usr/share/nvim/{,**} r,
|
||||||
/usr/share/terminfo/** r,
|
/usr/share/terminfo/** r,
|
||||||
|
|
@ -25,6 +25,7 @@
|
||||||
|
|
||||||
owner @{HOME}/.selected_editor r,
|
owner @{HOME}/.selected_editor r,
|
||||||
owner @{HOME}/.viminf@{c}{,.tmp} rw,
|
owner @{HOME}/.viminf@{c}{,.tmp} rw,
|
||||||
|
owner @{HOME}/.vim/{after/,}spell/{,**} rw,
|
||||||
owner @{HOME}/.vimrc r,
|
owner @{HOME}/.vimrc r,
|
||||||
|
|
||||||
owner @{HOME}/ r,
|
owner @{HOME}/ r,
|
||||||
|
|
|
||||||
|
|
@ -21,12 +21,14 @@
|
||||||
include <abstractions/bus/org.a11y>
|
include <abstractions/bus/org.a11y>
|
||||||
include <abstractions/bus/org.freedesktop.FileManager1>
|
include <abstractions/bus/org.freedesktop.FileManager1>
|
||||||
include <abstractions/bus/org.freedesktop.NetworkManager>
|
include <abstractions/bus/org.freedesktop.NetworkManager>
|
||||||
|
include <abstractions/bus/org.freedesktop.timedate1>
|
||||||
|
include <abstractions/bus/org.freedesktop.RealtimeKit1>
|
||||||
include <abstractions/cups-client>
|
include <abstractions/cups-client>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/desktop>
|
include <abstractions/desktop>
|
||||||
include <abstractions/enchant>
|
include <abstractions/enchant>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/graphics-full>
|
include <abstractions/graphics>
|
||||||
include <abstractions/gstreamer>
|
include <abstractions/gstreamer>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/ssl_certs>
|
include <abstractions/ssl_certs>
|
||||||
|
|
@ -64,7 +66,7 @@
|
||||||
@{lib_dirs}/plugin-container rPx,
|
@{lib_dirs}/plugin-container rPx,
|
||||||
|
|
||||||
# Desktop integration
|
# Desktop integration
|
||||||
@{bin}/lsb_release rPx -> lsb_release,
|
@{bin}/lsb_release rPx,
|
||||||
|
|
||||||
/usr/share/@{name}/{,**} r,
|
/usr/share/@{name}/{,**} r,
|
||||||
/usr/share/doc/{,**} r,
|
/usr/share/doc/{,**} r,
|
||||||
|
|
@ -98,6 +100,8 @@
|
||||||
owner @{tmp}/@{name}/* rwk,
|
owner @{tmp}/@{name}/* rwk,
|
||||||
owner @{tmp}/firefox/ rw,
|
owner @{tmp}/firefox/ rw,
|
||||||
owner @{tmp}/firefox/* rwk,
|
owner @{tmp}/firefox/* rwk,
|
||||||
|
owner @{tmp}/remote-settings-startup-bundle- rw,
|
||||||
|
owner @{tmp}/remote-settings-startup-bundle-.tmp rw,
|
||||||
owner @{tmp}/Temp-@{uuid}/ rw,
|
owner @{tmp}/Temp-@{uuid}/ rw,
|
||||||
owner @{tmp}/Temp-@{uuid}/* rwk,
|
owner @{tmp}/Temp-@{uuid}/* rwk,
|
||||||
owner @{tmp}/tmp-*.xpi rw,
|
owner @{tmp}/tmp-*.xpi rw,
|
||||||
|
|
@ -124,8 +128,10 @@
|
||||||
@{sys}/devices/**/uevent r,
|
@{sys}/devices/**/uevent r,
|
||||||
@{sys}/devices/power/events/energy-* r,
|
@{sys}/devices/power/events/energy-* r,
|
||||||
@{sys}/devices/power/type r,
|
@{sys}/devices/power/type r,
|
||||||
|
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||||
|
@{sys}/devices/virtual/dmi/id/product_sku r,
|
||||||
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
|
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
|
||||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
|
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r,
|
||||||
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r,
|
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r,
|
||||||
|
|
||||||
@{PROC}/@{pid}/net/arp r,
|
@{PROC}/@{pid}/net/arp r,
|
||||||
|
|
|
||||||
35
apparmor.d/abstractions/app/fusermount
Normal file
35
apparmor.d/abstractions/app/fusermount
Normal file
|
|
@ -0,0 +1,35 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
# LOGPROF-SUGGEST: no
|
||||||
|
|
||||||
|
# Minimal set of rules for fusermount subprofiles. Path to mount/unmount should
|
||||||
|
# be defined in the calling profile.
|
||||||
|
|
||||||
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
include <abstractions/consoles>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
|
capability dac_override,
|
||||||
|
capability dac_read_search,
|
||||||
|
capability sys_admin, # To mount anything
|
||||||
|
|
||||||
|
@{bin}/fusermount{,3} mr,
|
||||||
|
|
||||||
|
@{bin}/mount rix,
|
||||||
|
@{bin}/umount rix,
|
||||||
|
|
||||||
|
@{etc_ro}/fuse{,3}.conf r,
|
||||||
|
|
||||||
|
@{run}/mount/utab r,
|
||||||
|
@{run}/mount/utab.* rwk,
|
||||||
|
|
||||||
|
@{PROC}/@{pid}/mountinfo r,
|
||||||
|
@{PROC}/@{pid}/mounts r,
|
||||||
|
|
||||||
|
/dev/fuse rw,
|
||||||
|
|
||||||
|
include if exists <abstractions/app/fusermount.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
@ -7,13 +7,7 @@
|
||||||
|
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
|
|
||||||
@{bin}/depmod mr,
|
@{bin}/kmod mr,
|
||||||
@{bin}/insmod mr,
|
|
||||||
@{bin}/kmod mr,
|
|
||||||
@{bin}/lsmod mr,
|
|
||||||
@{bin}/modinfo mr,
|
|
||||||
@{bin}/modprobe mr,
|
|
||||||
@{bin}/rmmod mr,
|
|
||||||
|
|
||||||
@{lib}/modprobe.d/ r,
|
@{lib}/modprobe.d/ r,
|
||||||
@{lib}/modprobe.d/*.conf r,
|
@{lib}/modprobe.d/*.conf r,
|
||||||
|
|
|
||||||
|
|
@ -3,19 +3,46 @@
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
# LOGPROF-SUGGEST: no
|
# LOGPROF-SUGGEST: no
|
||||||
|
|
||||||
# Full set of rules for child-open-* profiles.
|
# Full set of rules for desktop generic open-* used in child-open-* profiles.
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
include <abstractions/desktop>
|
include <abstractions/desktop>
|
||||||
|
|
||||||
@{open_path} mrix,
|
# We cannot use `@{open_path} mrix,` here because it includes:
|
||||||
|
# @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop
|
||||||
|
# And `@{multiarch}` has a wildcard that cannot be merged and that will generate
|
||||||
|
# "has merged rule with conflicting x modifiers" error when used with other
|
||||||
|
# wilcard over PUx transition.
|
||||||
|
@{bin}/exo-open mrix,
|
||||||
|
@{bin}/xdg-open mrix,
|
||||||
|
@{bin}/gio mrix,
|
||||||
|
@{bin}/kde-open mrix,
|
||||||
|
@{bin}/gio-launch-desktop mrix,
|
||||||
|
@{lib}/gio-launch-desktop mrix,
|
||||||
|
|
||||||
@{sh_path} r,
|
|
||||||
@{bin}/env rix,
|
@{bin}/env rix,
|
||||||
|
@{sh_path} r,
|
||||||
|
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
|
|
||||||
|
# if @{DE} == kde
|
||||||
|
|
||||||
|
include <abstractions/audio-client>
|
||||||
|
include <abstractions/bus-accessibility>
|
||||||
|
include <abstractions/bus-session>
|
||||||
|
include <abstractions/bus/org.a11y>
|
||||||
|
include <abstractions/graphics>
|
||||||
|
|
||||||
|
/etc/xdg/menus/ r,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/#@{int} rw,
|
||||||
|
owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
|
||||||
|
|
||||||
|
@{PROC}/sys/kernel/random/boot_id r,
|
||||||
|
|
||||||
|
# fi
|
||||||
|
|
||||||
include if exists <abstractions/app/open.d>
|
include if exists <abstractions/app/open.d>
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
37
apparmor.d/abstractions/app/pager
Normal file
37
apparmor.d/abstractions/app/pager
Normal file
|
|
@ -0,0 +1,37 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
# LOGPROF-SUGGEST: no
|
||||||
|
|
||||||
|
# Minimal set of rules for pagers.
|
||||||
|
|
||||||
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
include <abstractions/consoles>
|
||||||
|
|
||||||
|
capability dac_override,
|
||||||
|
capability dac_read_search,
|
||||||
|
|
||||||
|
signal receive set=(stop, cont, term, kill),
|
||||||
|
|
||||||
|
@{bin}/ r,
|
||||||
|
@{pager_path} mrix,
|
||||||
|
|
||||||
|
@{system_share_dirs}/terminfo/{,**} r,
|
||||||
|
/usr/share/file/misc/** r,
|
||||||
|
/usr/share/nvim/{,**} r,
|
||||||
|
|
||||||
|
@{HOME}/.lesshst r,
|
||||||
|
|
||||||
|
owner @{HOME}/ r,
|
||||||
|
owner @{HOME}/.lesshs* rw,
|
||||||
|
owner @{HOME}/.terminfo/@{int}/* r,
|
||||||
|
owner @{user_cache_dirs}/lesshs* rw,
|
||||||
|
owner @{user_state_dirs}/ r,
|
||||||
|
owner @{user_state_dirs}/lesshs* rw,
|
||||||
|
|
||||||
|
/dev/tty@{int} rw,
|
||||||
|
|
||||||
|
include if exists <abstractions/app/pager.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
@ -21,6 +21,7 @@
|
||||||
@{PROC}/ r,
|
@{PROC}/ r,
|
||||||
@{PROC}/@{pids}/cgroup r,
|
@{PROC}/@{pids}/cgroup r,
|
||||||
@{PROC}/@{pids}/cmdline r,
|
@{PROC}/@{pids}/cmdline r,
|
||||||
|
@{PROC}/@{pids}/environ r,
|
||||||
@{PROC}/@{pids}/stat r,
|
@{PROC}/@{pids}/stat r,
|
||||||
@{PROC}/sys/kernel/osrelease r,
|
@{PROC}/sys/kernel/osrelease r,
|
||||||
@{PROC}/uptime r,
|
@{PROC}/uptime r,
|
||||||
|
|
|
||||||
|
|
@ -30,6 +30,8 @@
|
||||||
|
|
||||||
/etc/shells r,
|
/etc/shells r,
|
||||||
|
|
||||||
|
@{PROC}/@{pid}/fdinfo/@{int} r,
|
||||||
|
@{PROC}/@{pid}/stat r,
|
||||||
owner @{PROC}/@{pid}/loginuid r,
|
owner @{PROC}/@{pid}/loginuid r,
|
||||||
|
|
||||||
owner /dev/tty@{int} rw,
|
owner /dev/tty@{int} rw,
|
||||||
|
|
|
||||||
|
|
@ -3,7 +3,7 @@
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
# LOGPROF-SUGGEST: no
|
# LOGPROF-SUGGEST: no
|
||||||
|
|
||||||
# Minimal set of rules for sudo. Interactive sudo need more rules.
|
# Minimal set of rules for sudo.
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
|
@ -24,10 +24,10 @@
|
||||||
|
|
||||||
network netlink raw, # PAM
|
network netlink raw, # PAM
|
||||||
|
|
||||||
unix bind type=stream addr=@@{udbus}/bus/sudo/system,
|
unix type=stream addr=@@{udbus}/bus/sudo/system,
|
||||||
|
|
||||||
#aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed
|
#aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}"
|
||||||
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
|
#aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
|
||||||
|
|
||||||
dbus (send receive) bus=session path=/org/freedesktop/systemd1
|
dbus (send receive) bus=session path=/org/freedesktop/systemd1
|
||||||
interface=org.freedesktop.systemd.Manager
|
interface=org.freedesktop.systemd.Manager
|
||||||
|
|
|
||||||
|
|
@ -11,9 +11,12 @@
|
||||||
ptrace read peer=@{p_systemd},
|
ptrace read peer=@{p_systemd},
|
||||||
|
|
||||||
unix bind type=stream addr=@@{udbus}/bus/systemctl/,
|
unix bind type=stream addr=@@{udbus}/bus/systemctl/,
|
||||||
|
unix bind type=stream addr=@@{udbus}/bus/systemctl/system,
|
||||||
|
|
||||||
@{bin}/systemctl mr,
|
@{bin}/systemctl mr,
|
||||||
|
|
||||||
|
@{att}/@{run}/systemd/private rw,
|
||||||
|
|
||||||
owner @{run}/systemd/private rw,
|
owner @{run}/systemd/private rw,
|
||||||
|
|
||||||
@{PROC}/1/cgroup r,
|
@{PROC}/1/cgroup r,
|
||||||
|
|
|
||||||
|
|
@ -11,7 +11,8 @@
|
||||||
|
|
||||||
/etc/udev/udev.conf r,
|
/etc/udev/udev.conf r,
|
||||||
|
|
||||||
@{run}/udev/data/* r,
|
@{run}/udev/data/+*:* r, # Identifies all subsystems
|
||||||
|
@{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
|
||||||
|
|
||||||
@{sys}/** r,
|
@{sys}/** r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -3,15 +3,19 @@
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
# LOGPROF-SUGGEST: no
|
# LOGPROF-SUGGEST: no
|
||||||
|
|
||||||
# Do not use it manually, it is automatically included in profiles when it is required.
|
# Do not use it manually, It automatically replaces the base abstraction in a
|
||||||
|
# profile with the attach_disconnected flag set and the re-attached path enabled.
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
include <abstractions/base-strict>
|
||||||
|
|
||||||
@{att}/@{run}/systemd/journal/dev-log w,
|
@{att}/@{run}/systemd/journal/dev-log w,
|
||||||
@{att}/@{run}/systemd/journal/socket w,
|
@{att}/@{run}/systemd/journal/socket w,
|
||||||
|
@{att}/@{run}/systemd/journal/stdout rw,
|
||||||
|
|
||||||
deny /apparmor/.null rw,
|
/apparmor/.null rw,
|
||||||
deny @{att}/apparmor/.null rw,
|
@{att}/apparmor/.null rw,
|
||||||
|
|
||||||
include if exists <abstractions/attached/base.d>
|
include if exists <abstractions/attached/base.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -3,10 +3,26 @@
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
# LOGPROF-SUGGEST: no
|
# LOGPROF-SUGGEST: no
|
||||||
|
|
||||||
|
# Do not use it manually, It automatically replaces the consoles abstraction in a
|
||||||
|
# profile with the attach_disconnected flag set and the re-attached path enabled.
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
@{att}/dev/tty@{int} rw,
|
# There are the common ways to refer to consoles
|
||||||
owner @{att}/dev/pts/@{int} rw,
|
/dev/console rw,
|
||||||
|
/dev/tty rw,
|
||||||
|
/dev/tty@{u8} rw,
|
||||||
|
@{att}/dev/tty rw,
|
||||||
|
@{att}/dev/tty@{u8} rw,
|
||||||
|
|
||||||
|
# These entries are a bit unfortunate; /dev/tty will always be
|
||||||
|
# associated with the controlling terminal by the kernel, but if a
|
||||||
|
# program uses the /dev/pts/ interface, it actually has access to
|
||||||
|
# -all- xterm, sshd, etc, terminals on the system.
|
||||||
|
/dev/pts/ r,
|
||||||
|
owner /dev/pts/@{u16} rw,
|
||||||
|
@{att}/pts/ r,
|
||||||
|
owner @{att}/dev/pts/@{u16} rw,
|
||||||
|
|
||||||
include if exists <abstractions/attached/consoles.d>
|
include if exists <abstractions/attached/consoles.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -21,6 +21,7 @@
|
||||||
/etc/openal/alsoft.conf r,
|
/etc/openal/alsoft.conf r,
|
||||||
/etc/pipewire/client{,-rt}.conf r,
|
/etc/pipewire/client{,-rt}.conf r,
|
||||||
/etc/pipewire/client{,-rt}.conf.d/{,**} r,
|
/etc/pipewire/client{,-rt}.conf.d/{,**} r,
|
||||||
|
/etc/pipewire/jack.conf.d/{,**} r,
|
||||||
/etc/pulse/client.conf r,
|
/etc/pulse/client.conf r,
|
||||||
/etc/pulse/client.conf.d/{,**} r,
|
/etc/pulse/client.conf.d/{,**} r,
|
||||||
/etc/wildmidi/wildmidi.cfg r,
|
/etc/wildmidi/wildmidi.cfg r,
|
||||||
|
|
|
||||||
|
|
@ -3,9 +3,10 @@
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
@{bin}/pam-tmpdir-helper rPx,
|
@{bin}/pam-tmpdir-helper rPx,
|
||||||
|
@{lib}/pam-tmpdir/pam-tmpdir-helper rPx,
|
||||||
|
|
||||||
#aa:only abi3
|
#aa:only abi3
|
||||||
@{bin}/unix_chkpwd rPx,
|
@{sbin}/unix_chkpwd rPx,
|
||||||
|
|
||||||
#aa:only whonix
|
#aa:only whonix
|
||||||
@{lib}/security-misc/pam-abort-on-locked-password rPx,
|
@{lib}/security-misc/pam-abort-on-locked-password rPx,
|
||||||
|
|
|
||||||
131
apparmor.d/abstractions/base-strict
Normal file
131
apparmor.d/abstractions/base-strict
Normal file
|
|
@ -0,0 +1,131 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2002-2009 Novell/SUSE
|
||||||
|
# Copyright (C) 2009-2011 Canonical Ltd.
|
||||||
|
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
# LOGPROF-SUGGEST: no
|
||||||
|
|
||||||
|
# Do not use it manually, It automatically replaces the base abstraction in
|
||||||
|
# profiles when the re-attached mode is enabled.
|
||||||
|
|
||||||
|
# For now, it is only a restructuring of the base abstraction with awareness
|
||||||
|
# of the apparmor.d architecture.
|
||||||
|
|
||||||
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
include <abstractions/crypto>
|
||||||
|
include <abstractions/glibc>
|
||||||
|
include <abstractions/ld>
|
||||||
|
include <abstractions/locale>
|
||||||
|
|
||||||
|
# Allow us to signal ourselves
|
||||||
|
signal peer=@{profile_name},
|
||||||
|
|
||||||
|
# Checking for PID existence is quite common so add it by default for now
|
||||||
|
signal (receive, send) set=exists,
|
||||||
|
|
||||||
|
#aa:exclude RBAC
|
||||||
|
# Allow unconfined processes to send us signals by default
|
||||||
|
signal receive peer=unconfined,
|
||||||
|
|
||||||
|
# Systemd: allow to receive any signal from the systemd profiles stack
|
||||||
|
signal receive peer=@{p_systemd},
|
||||||
|
signal receive peer=@{p_systemd_user},
|
||||||
|
|
||||||
|
# Htop like programs can send any signal to any process
|
||||||
|
signal receive peer=btop,
|
||||||
|
signal receive peer=htop,
|
||||||
|
signal receive peer=top,
|
||||||
|
signal receive set=(cont,term,kill,stop) peer=gnome-system-monitor,
|
||||||
|
|
||||||
|
# Allow to receive termination signal from manager such as sudo, login, shutdown or systemd
|
||||||
|
signal receive peer=su,
|
||||||
|
signal receive peer=sudo,
|
||||||
|
signal receive set=(cont,term,kill,stop) peer=gnome-shell,
|
||||||
|
signal receive set=(cont,term,kill,stop) peer=login,
|
||||||
|
signal receive set=(cont,term,kill,stop) peer=openbox,
|
||||||
|
signal receive set=(cont,term,kill,stop) peer=systemd-shutdown,
|
||||||
|
signal receive set=(cont,term,kill,stop) peer=xinit,
|
||||||
|
|
||||||
|
# Allow other processes to read our /proc entries, futexes, perf tracing and
|
||||||
|
# kcmp for now (they will need 'read' in the first place). Administrators can
|
||||||
|
# override with:
|
||||||
|
# deny ptrace readby ...
|
||||||
|
ptrace readby,
|
||||||
|
|
||||||
|
# Allow other processes to trace us by default (they will need 'trace' in
|
||||||
|
# the first place). Administrators can override with:
|
||||||
|
# deny ptrace tracedby ...
|
||||||
|
ptrace tracedby,
|
||||||
|
|
||||||
|
# Allow us to ptrace read ourselves
|
||||||
|
ptrace read peer=@{profile_name},
|
||||||
|
|
||||||
|
# Allow us to create and use abstract and anonymous sockets
|
||||||
|
unix peer=(label=@{profile_name}),
|
||||||
|
|
||||||
|
# Allow unconfined processes to us via unix sockets
|
||||||
|
unix receive peer=(label=unconfined),
|
||||||
|
|
||||||
|
# Allow communication to children profiles
|
||||||
|
signal peer=@{profile_name}//*,
|
||||||
|
unix type=stream peer=(label=@{profile_name}//*),
|
||||||
|
|
||||||
|
# Allow us to create abstract and anonymous sockets
|
||||||
|
unix create,
|
||||||
|
|
||||||
|
# Allow us to getattr, getopt, setop and shutdown on unix sockets
|
||||||
|
unix (getattr, getopt, setopt, shutdown),
|
||||||
|
|
||||||
|
# Allow all programs to use common libraries
|
||||||
|
@{lib}/** r,
|
||||||
|
@{lib}/**.so* m,
|
||||||
|
@{lib}/@{multiarch}/**.so* m,
|
||||||
|
@{lib}/@{multiarch}/** r,
|
||||||
|
|
||||||
|
# Some applications will display license information
|
||||||
|
/usr/share/common-licenses/** r,
|
||||||
|
|
||||||
|
# Allow access to the uuidd daemon (this daemon is a thin wrapper around
|
||||||
|
# time and getrandom()/{,u}random and, when available, runs under an
|
||||||
|
# unprivilged, dedicated user).
|
||||||
|
@{run}/uuidd/request r,
|
||||||
|
|
||||||
|
# Transparent hugepage support
|
||||||
|
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||||
|
|
||||||
|
# Systemd's equivalent of /dev/log
|
||||||
|
@{run}/systemd/journal/dev-log w,
|
||||||
|
|
||||||
|
# Systemd native journal API (see sd_journal_print(4))
|
||||||
|
@{run}/systemd/journal/socket w,
|
||||||
|
|
||||||
|
# Nested containers and anything using systemd-cat need this. 'r' shouldn't
|
||||||
|
# be required but applications fail without it. journald doesn't leak
|
||||||
|
# anything when reading so this is ok.
|
||||||
|
@{run}/systemd/journal/stdout rw,
|
||||||
|
|
||||||
|
# Allow determining the highest valid capability of the running kernel
|
||||||
|
@{PROC}/sys/kernel/cap_last_cap r,
|
||||||
|
|
||||||
|
# Controls how core dump files are named
|
||||||
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
|
|
||||||
|
# Sometimes used to determine kernel/user interfaces to use
|
||||||
|
@{PROC}/sys/kernel/version r,
|
||||||
|
|
||||||
|
# Harmless and frequently used
|
||||||
|
/dev/null rw,
|
||||||
|
/dev/random r,
|
||||||
|
/dev/urandom r,
|
||||||
|
/dev/zero rw,
|
||||||
|
|
||||||
|
# The __canary_death_handler function writes a time-stamped log
|
||||||
|
# message to /dev/log for logging by syslogd. So, /dev/log, timezones,
|
||||||
|
# and localisations of date should be available EVERYWHERE, so
|
||||||
|
# StackGuard, FormatGuard, etc., alerts can be properly logged.
|
||||||
|
/dev/log w,
|
||||||
|
|
||||||
|
include if exists <abstractions/base-strict.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
@ -3,14 +3,17 @@
|
||||||
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
# Systemd: allow to receive any signal from the systemd profiles stack
|
||||||
|
signal receive peer=@{p_systemd},
|
||||||
|
signal receive peer=@{p_systemd_user},
|
||||||
|
|
||||||
# Allow to receive some signals from new well-known profiles
|
# Allow to receive some signals from new well-known profiles
|
||||||
signal (receive) peer=btop,
|
signal (receive) peer=btop,
|
||||||
signal (receive) peer=htop,
|
signal (receive) peer=htop,
|
||||||
|
signal (receive) peer=pkill,
|
||||||
signal (receive) peer=sudo,
|
signal (receive) peer=sudo,
|
||||||
signal (receive) peer=top,
|
signal (receive) peer=top,
|
||||||
signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown,
|
signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown,
|
||||||
signal (receive) set=(cont,term) peer=@{p_systemd_user},
|
|
||||||
signal (receive) set=(cont,term) peer=@{p_systemd},
|
|
||||||
signal (receive) set=(hup term) peer=login,
|
signal (receive) set=(hup term) peer=login,
|
||||||
signal (receive) set=(hup) peer=xinit,
|
signal (receive) set=(hup) peer=xinit,
|
||||||
signal (receive) set=(term,kill) peer=gnome-shell,
|
signal (receive) set=(term,kill) peer=gnome-shell,
|
||||||
|
|
@ -18,17 +21,11 @@
|
||||||
signal (receive) set=(term,kill) peer=openbox,
|
signal (receive) set=(term,kill) peer=openbox,
|
||||||
signal (receive) set=(term,kill) peer=su,
|
signal (receive) set=(term,kill) peer=su,
|
||||||
|
|
||||||
ptrace (readby) peer=systemd-coredump,
|
ptrace (readby) peer=@{p_systemd_coredump},
|
||||||
|
|
||||||
@{etc_rw}/localtime r,
|
@{etc_rw}/localtime r,
|
||||||
/etc/locale.conf r,
|
/etc/locale.conf r,
|
||||||
|
|
||||||
# mesa 24.2 introduced a shader disk cache which opens quite a lot of fd.
|
|
||||||
# They are not closed and get inherited by child programs. Denying it can cause
|
|
||||||
# crash, so we are allowing it globally while the issue is beeing fixed in mesa.
|
|
||||||
owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rw,
|
|
||||||
owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rw,
|
|
||||||
|
|
||||||
@{sys}/devices/system/cpu/possible r,
|
@{sys}/devices/system/cpu/possible r,
|
||||||
|
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
|
|
|
||||||
|
|
@ -2,7 +2,7 @@
|
||||||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
# This abstraction is only required when an interactive shell is started.
|
# This abstraction is only required when .bashrc is loaded (e.g. interactive shell).
|
||||||
# Classic shell scripts do not need it.
|
# Classic shell scripts do not need it.
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
|
||||||
|
|
@ -9,11 +9,6 @@
|
||||||
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
||||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
|
peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
|
||||||
|
|
||||||
dbus send bus=accessibility path=/org/freedesktop/DBus
|
|
||||||
interface=org.freedesktop.DBus
|
|
||||||
member={RequestName,ReleaseName}
|
|
||||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
|
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/at-spi/ rw,
|
owner @{run}/user/@{uid}/at-spi/ rw,
|
||||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||||
owner @{run}/user/@{uid}/at-spi/bus_@{int} rw,
|
owner @{run}/user/@{uid}/at-spi/bus_@{int} rw,
|
||||||
|
|
|
||||||
|
|
@ -4,20 +4,13 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
unix (bind, listen) type=stream addr="@/tmp/dbus-*",
|
unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/session,
|
||||||
unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*",
|
|
||||||
unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-*"),
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/DBus
|
dbus send bus=session path=/org/freedesktop/{dbus,DBus}
|
||||||
interface=org.freedesktop.DBus
|
interface=org.freedesktop.DBus
|
||||||
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
||||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
|
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/DBus
|
|
||||||
interface=org.freedesktop.DBus
|
|
||||||
member={RequestName,ReleaseName}
|
|
||||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
|
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/var/lib/dbus/machine-id r,
|
/var/lib/dbus/machine-id r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,17 +4,15 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/system,
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/DBus
|
dbus send bus=system path=/org/freedesktop/DBus
|
||||||
interface=org.freedesktop.DBus
|
interface=org.freedesktop.DBus
|
||||||
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
||||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/DBus
|
@{run}/dbus/system_bus_socket rw,
|
||||||
interface=org.freedesktop.DBus
|
@{att}/@{run}/dbus/system_bus_socket rw,
|
||||||
member={RequestName,ReleaseName}
|
|
||||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
|
||||||
|
|
||||||
@{run}/dbus/system_bus_socket rw,
|
|
||||||
|
|
||||||
include if exists <abstractions/bus-system.d>
|
include if exists <abstractions/bus-system.d>
|
||||||
|
|
||||||
|
|
|
||||||
19
apparmor.d/abstractions/bus/ca.desrt.dconf.Writer
Normal file
19
apparmor.d/abstractions/bus/ca.desrt.dconf.Writer
Normal file
|
|
@ -0,0 +1,19 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
dbus send bus=session path=/ca/desrt/dconf/Writer/user
|
||||||
|
interface=ca.desrt.dconf.Writer
|
||||||
|
member=Change
|
||||||
|
peer=(name=ca.desrt.dconf), # no peer's labels
|
||||||
|
|
||||||
|
dbus receive bus=session path=/ca/desrt/dconf/Writer/user
|
||||||
|
interface=ca.desrt.dconf.Writer
|
||||||
|
member=Notify
|
||||||
|
peer=(name=@{busname}, label=dconf-service),
|
||||||
|
|
||||||
|
include if exists <abstractions/bus/ca.desrt.dconf.Writer.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
@ -4,6 +4,10 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
dbus send bus=session path=/com/canonical/unity/launcherentry/**
|
||||||
|
interface=com.canonical.dbusmenu
|
||||||
|
member={GetGroupProperties,GetLayout}
|
||||||
|
peer=(name=@{busname}, label=nautilus),
|
||||||
|
|
||||||
include if exists <abstractions/bus/com.canonical.dbusmenu.d>
|
include if exists <abstractions/bus/com.canonical.dbusmenu.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,14 +4,11 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
dbus send bus=system path=/fi/w1/wpa_supplicant1
|
#aa:dbus common bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member={GetAll,PropertiesChanged}
|
|
||||||
peer=(name="@{busname}", label=wpa-supplicant),
|
|
||||||
|
|
||||||
dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
|
dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member={GetAll,Set}
|
member=Set
|
||||||
peer=(name="@{busname}", label=wpa-supplicant),
|
peer=(name="@{busname}", label=wpa-supplicant),
|
||||||
|
|
||||||
dbus send bus=system path=/fi/w1/wpa_supplicant1
|
dbus send bus=system path=/fi/w1/wpa_supplicant1
|
||||||
|
|
@ -39,16 +36,6 @@
|
||||||
member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone,PropertiesChanged}
|
member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone,PropertiesChanged}
|
||||||
peer=(name="@{busname}", label=wpa-supplicant),
|
peer=(name="@{busname}", label=wpa-supplicant),
|
||||||
|
|
||||||
dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member={GetAll,PropertiesChanged}
|
|
||||||
peer=(name="@{busname}", label=wpa-supplicant),
|
|
||||||
|
|
||||||
dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}/BSSs/@{int}
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member={GetAll,PropertiesChanged}
|
|
||||||
peer=(name="@{busname}", label=wpa-supplicant),
|
|
||||||
|
|
||||||
include if exists <abstractions/bus/fi.w1.wpa_supplicant1.d>
|
include if exists <abstractions/bus/fi.w1.wpa_supplicant1.d>
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -4,10 +4,7 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
dbus send bus=system path=/net/hadess/PowerProfiles
|
#aa:dbus common bus=system name=net.hadess.PowerProfiles label="@{p_power_profiles_daemon}"
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=GetAll
|
|
||||||
peer=(name="@{busname}", label=power-profiles-daemon),
|
|
||||||
|
|
||||||
include if exists <abstractions/bus/net.hadess.PowerProfiles.d>
|
include if exists <abstractions/bus/net.hadess.PowerProfiles.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,10 +4,7 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
dbus send bus=system path=/net/hadess/SwitcherooControl
|
#aa:dbus common bus=system name=net.hadess.SwitcherooControl label=switcheroo-control
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=GetAll
|
|
||||||
peer=(name="@{busname}", label=switcheroo-control),
|
|
||||||
|
|
||||||
include if exists <abstractions/bus/net.hadess.SwitcherooControl.d>
|
include if exists <abstractions/bus/net.hadess.SwitcherooControl.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,10 +4,12 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa:dbus common bus=system name=net.reactivated.Fprint label="@{p_fprintd}"
|
||||||
|
|
||||||
dbus send bus=system path=/net/reactivated/Fprint/Manager
|
dbus send bus=system path=/net/reactivated/Fprint/Manager
|
||||||
interface=net.reactivated.Fprint.Manager
|
interface=net.reactivated.Fprint.Manager
|
||||||
member={GetDevices,GetDefaultDevice}
|
member={GetDevices,GetDefaultDevice}
|
||||||
peer=(name="@{busname}", label=fprintd),
|
peer=(name="@{busname}", label="@{p_fprintd}"),
|
||||||
|
|
||||||
dbus send bus=system path=/net/reactivated/Fprint/Manager
|
dbus send bus=system path=/net/reactivated/Fprint/Manager
|
||||||
interface=net.reactivated.Fprint.Manager
|
interface=net.reactivated.Fprint.Manager
|
||||||
|
|
@ -17,7 +19,7 @@
|
||||||
dbus send bus=system path=/net/reactivated/Fprint/Manager
|
dbus send bus=system path=/net/reactivated/Fprint/Manager
|
||||||
interface=net.reactivated.Fprint.Manager
|
interface=net.reactivated.Fprint.Manager
|
||||||
member={GetDevices,GetDefaultDevice}
|
member={GetDevices,GetDefaultDevice}
|
||||||
peer=(name=net.reactivated.Fprint, label=fprintd),
|
peer=(name=net.reactivated.Fprint, label="@{p_fprintd}"),
|
||||||
|
|
||||||
include if exists <abstractions/bus/net.reactivated.Fprint.d>
|
include if exists <abstractions/bus/net.reactivated.Fprint.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -9,33 +9,38 @@
|
||||||
dbus receive bus=accessibility path=/org/a11y/atspi/registry
|
dbus receive bus=accessibility path=/org/a11y/atspi/registry
|
||||||
interface=org.a11y.atspi.Registry
|
interface=org.a11y.atspi.Registry
|
||||||
member=EventListenerDeregistered
|
member=EventListenerDeregistered
|
||||||
peer=(name="@{busname}", label=at-spi2-registryd),
|
peer=(name="@{busname}", label="@{p_at_spi2_registryd}"),
|
||||||
|
|
||||||
dbus send bus=accessibility path=/org/a11y/atspi/registry
|
dbus send bus=accessibility path=/org/a11y/atspi/registry
|
||||||
interface=org.a11y.atspi.Registry
|
interface=org.a11y.atspi.Registry
|
||||||
member=GetRegisteredEvents
|
member=GetRegisteredEvents
|
||||||
peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
|
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
|
||||||
|
|
||||||
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
|
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
|
||||||
interface=org.a11y.atspi.DeviceEventController
|
interface=org.a11y.atspi.DeviceEventController
|
||||||
member={GetKeystrokeListeners,GetDeviceEventListeners}
|
member={GetKeystrokeListeners,GetDeviceEventListeners}
|
||||||
peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
|
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
|
||||||
|
|
||||||
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
|
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member=Set
|
member=Set
|
||||||
peer=(name="@{busname}", label=at-spi2-registryd),
|
peer=(name="@{busname}", label="@{p_at_spi2_registryd}"),
|
||||||
|
|
||||||
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
|
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||||
interface=org.a11y.atspi.Socket
|
interface=org.a11y.atspi.Socket
|
||||||
member=Embed
|
member=Embed
|
||||||
peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
|
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
|
||||||
|
|
||||||
# Session bus
|
# Session bus
|
||||||
|
|
||||||
|
dbus send bus=session path=/org/a11y/bus
|
||||||
|
interface=org.freedesktop.DBus.Properties
|
||||||
|
member=GetAll
|
||||||
|
peer=(name=@{busname}, label="@{p_dbus_accessibility}"),
|
||||||
|
|
||||||
dbus send bus=session path=/org/a11y/bus
|
dbus send bus=session path=/org/a11y/bus
|
||||||
interface=org.a11y.Bus
|
interface=org.a11y.Bus
|
||||||
member=GetAddress
|
member=Get
|
||||||
peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
|
peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
|
||||||
|
|
||||||
dbus send bus=session path=/org/a11y/bus
|
dbus send bus=session path=/org/a11y/bus
|
||||||
|
|
|
||||||
|
|
@ -4,45 +4,37 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa:dbus common bus=system name=org.bluez label="@{p_bluetoothd}"
|
||||||
|
|
||||||
dbus receive bus=system path=/
|
dbus receive bus=system path=/
|
||||||
interface=org.freedesktop.DBus.ObjectManager
|
interface=org.freedesktop.DBus.ObjectManager
|
||||||
member=InterfacesRemoved
|
member={InterfacesAdded,InterfacesRemoved}
|
||||||
peer=(name="{@{busname},org.bluez}", label=bluetoothd),
|
peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"),
|
||||||
|
|
||||||
dbus receive bus=system path=/org/bluez/hci@{int}{,/**}
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=PropertiesChanged
|
|
||||||
peer=(name="{@{busname},org.bluez}", label=bluetoothd),
|
|
||||||
|
|
||||||
dbus send bus=system path=/
|
dbus send bus=system path=/
|
||||||
interface=org.freedesktop.DBus.ObjectManager
|
interface=org.freedesktop.DBus.ObjectManager
|
||||||
member=GetManagedObjects
|
member=GetManagedObjects
|
||||||
peer=(name="{@{busname},org.bluez}", label=bluetoothd),
|
peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"),
|
||||||
|
|
||||||
dbus send bus=system path=/org/bluez
|
dbus send bus=system path=/org/bluez
|
||||||
interface=org.bluez.AgentManager@{int}
|
interface=org.bluez.AgentManager@{int}
|
||||||
member={RegisterAgent,RequestDefaultAgent,UnregisterAgent}
|
member={RegisterAgent,RequestDefaultAgent,UnregisterAgent}
|
||||||
peer=(name=org.bluez, label=bluetoothd),
|
peer=(name=org.bluez, label="@{p_bluetoothd}"),
|
||||||
|
|
||||||
dbus send bus=system path=/org/bluez
|
dbus send bus=system path=/org/bluez
|
||||||
interface=org.bluez.ProfileManager@{int}
|
interface=org.bluez.ProfileManager@{int}
|
||||||
member=RegisterProfile
|
member=RegisterProfile
|
||||||
peer=(name=org.bluez, label=bluetoothd),
|
peer=(name=org.bluez, label="@{p_bluetoothd}"),
|
||||||
|
|
||||||
dbus send bus=system path=/org/bluez/hci@{int}
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=Set
|
|
||||||
peer=(name="{@{busname},org.bluez}", label=bluetoothd),
|
|
||||||
|
|
||||||
dbus send bus=system path=/org/bluez/hci@{int}
|
dbus send bus=system path=/org/bluez/hci@{int}
|
||||||
interface=org.bluez.BatteryProviderManager@{int}
|
interface=org.bluez.BatteryProviderManager@{int}
|
||||||
member=RegisterProfile
|
member=RegisterProfile
|
||||||
peer=(name=org.bluez, label=bluetoothd),
|
peer=(name=org.bluez, label="@{p_bluetoothd}"),
|
||||||
|
|
||||||
dbus send bus=system path=/org/bluez/hci@{int}
|
dbus send bus=system path=/org/bluez/hci@{int}
|
||||||
interface=org.bluez.Media@{int}
|
interface=org.bluez.Media@{int}
|
||||||
member=RegisterApplication
|
member=RegisterApplication
|
||||||
peer=(name=org.bluez, label=bluetoothd),
|
peer=(name=org.bluez, label="@{p_bluetoothd}"),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.bluez.d>
|
include if exists <abstractions/bus/org.bluez.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,30 +4,27 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa:dbus common bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/Accounts
|
dbus send bus=system path=/org/freedesktop/Accounts
|
||||||
interface=org.freedesktop.Accounts
|
interface=org.freedesktop.Accounts
|
||||||
member={FindUserByName,ListCachedUsers}
|
member={FindUserByName,ListCachedUsers}
|
||||||
peer=(name="@{busname}", label=accounts-daemon),
|
peer=(name="@{busname}", label="@{p_accounts_daemon}"),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/Accounts{,/User@{uid}}
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=GetAll
|
|
||||||
peer=(name="@{busname}", label=accounts-daemon),
|
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
|
dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
|
||||||
interface=org.freedesktop.Accounts.User
|
interface=org.freedesktop.Accounts.User
|
||||||
member=*Changed
|
member=*Changed
|
||||||
peer=(name="@{busname}", label=accounts-daemon),
|
peer=(name="@{busname}", label="@{p_accounts_daemon}"),
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/Accounts
|
dbus receive bus=system path=/org/freedesktop/Accounts
|
||||||
interface=org.freedesktop.Accounts
|
interface=org.freedesktop.Accounts
|
||||||
member=UserAdded
|
member=UserAdded
|
||||||
peer=(name="@{busname}", label=accounts-daemon),
|
peer=(name="@{busname}", label="@{p_accounts_daemon}"),
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
|
dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member=*Changed
|
member=*Changed
|
||||||
peer=(name="@{busname}", label=accounts-daemon),
|
peer=(name="@{busname}", label="@{p_accounts_daemon}"),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.Accounts.d>
|
include if exists <abstractions/bus/org.freedesktop.Accounts.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,25 +4,42 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa:dbus common bus=system name=org.freedesktop.Avahi label="@{p_avahi_daemon}"
|
||||||
|
|
||||||
dbus send bus=system path=/
|
dbus send bus=system path=/
|
||||||
interface=org.freedesktop.DBus.Peer
|
interface=org.freedesktop.DBus.Peer
|
||||||
member=Ping
|
member=Ping
|
||||||
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
|
peer=(name=org.freedesktop.Avahi),
|
||||||
|
|
||||||
dbus send bus=system path=/
|
dbus send bus=system path=/
|
||||||
interface=org.freedesktop.Avahi.Server
|
interface=org.freedesktop.Avahi.Server
|
||||||
member={GetAPIVersion,GetState,Service*New}
|
member={GetAPIVersion,GetState,Service*New}
|
||||||
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
|
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
|
||||||
|
|
||||||
dbus send bus=system path=/Client@{int}/ServiceBrowser@{int}
|
dbus send bus=system path=/Client@{int}/ServiceBrowser@{int}
|
||||||
interface=org.freedesktop.Avahi.ServiceBrowser
|
interface=org.freedesktop.Avahi.ServiceBrowser
|
||||||
member=Free
|
member=Free
|
||||||
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
|
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
|
||||||
|
|
||||||
dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
|
dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
|
||||||
interface=org.freedesktop.Avahi.ServiceBrowser
|
interface=org.freedesktop.Avahi.ServiceBrowser
|
||||||
member={ItemNew,AllForNow,CacheExhausted}
|
member={ItemNew,AllForNow,CacheExhausted}
|
||||||
peer=(name="@{busname}", label=avahi-daemon),
|
peer=(name="@{busname}", label="@{p_avahi_daemon}"),
|
||||||
|
|
||||||
|
dbus receive bus=system path=/
|
||||||
|
interface=org.freedesktop.Avahi.Server
|
||||||
|
member=StateChanged
|
||||||
|
peer=(name=@{busname}, label="@{p_avahi_daemon}"),
|
||||||
|
|
||||||
|
dbus receive bus=system path=/Client@{int}/ServiceResolver@{int}
|
||||||
|
interface=org.freedesktop.Avahi.ServiceResolver
|
||||||
|
member=Found
|
||||||
|
peer=(name=@{busname}, label="@{p_avahi_daemon}"),
|
||||||
|
|
||||||
|
dbus send bus=system path=/Client@{int}/ServiceResolver@{int}
|
||||||
|
interface=org.freedesktop.Avahi.ServiceResolver
|
||||||
|
member=Free
|
||||||
|
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.Avahi.d>
|
include if exists <abstractions/bus/org.freedesktop.Avahi.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,25 +4,22 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}"
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/ColorManager
|
dbus send bus=system path=/org/freedesktop/ColorManager
|
||||||
interface=org.freedesktop.ColorManager
|
interface=org.freedesktop.ColorManager
|
||||||
member=GetDevices
|
member=GetDevices
|
||||||
peer=(name="@{busname}", label=colord),
|
peer=(name="@{busname}", label="@{p_colord}"),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/ColorManager{,/**}
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=GetAll
|
|
||||||
peer=(name="@{busname}", label=colord),
|
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/ColorManager
|
dbus send bus=system path=/org/freedesktop/ColorManager
|
||||||
interface=org.freedesktop.ColorManager
|
interface=org.freedesktop.ColorManager
|
||||||
member=CreateDevice
|
member=CreateDevice
|
||||||
peer=(name="@{busname}", label=colord),
|
peer=(name="@{busname}", label="@{p_colord}"),
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/ColorManager
|
dbus receive bus=system path=/org/freedesktop/ColorManager
|
||||||
interface=org.freedesktop.ColorManager
|
interface=org.freedesktop.ColorManager
|
||||||
member={DeviceAdded,DeviceRemoved}
|
member={DeviceAdded,DeviceRemoved}
|
||||||
peer=(name="@{busname}", label=colord),
|
peer=(name="@{busname}", label="@{p_colord}"),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.ColorManager.d>
|
include if exists <abstractions/bus/org.freedesktop.ColorManager.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,15 +4,7 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/FileManager1
|
#aa:dbus common bus=session name=org.freedesktop.FileManager1 label=nautilus
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=GetAll
|
|
||||||
peer=(name="@{busname}", label=nautilus),
|
|
||||||
|
|
||||||
dbus receive bus=session path=/org/freedesktop/FileManager1
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=PropertiesChanged
|
|
||||||
peer=(name="@{busname}", label=nautilus),
|
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.FileManager1.d>
|
include if exists <abstractions/bus/org.freedesktop.FileManager1.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,35 +4,26 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
|
#aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}"
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=GetAll
|
|
||||||
peer=(name="@{busname}", label=geoclue),
|
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/GeoClue2/Agent
|
dbus send bus=system path=/org/freedesktop/GeoClue2/Agent
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member=PropertiesChanged
|
member=PropertiesChanged
|
||||||
peer=(name=org.freedesktop.DBus, label=geoclue),
|
peer=(name=org.freedesktop.DBus, label="@{p_geoclue}"),
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent
|
dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member=GetAll
|
member=GetAll
|
||||||
peer=(name="@{busname}", label=geoclue),
|
peer=(name="@{busname}", label="@{p_geoclue}"),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
|
dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member=GetAll
|
member=GetAll
|
||||||
peer=(name="@{busname}", label=geoclue),
|
peer=(name="@{busname}", label="@{p_geoclue}"),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
|
dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
|
||||||
interface=org.freedesktop.GeoClue2.Manager
|
interface=org.freedesktop.GeoClue2.Manager
|
||||||
member=AddAgent
|
member=AddAgent
|
||||||
peer=(name="@{busname}", label=geoclue),
|
peer=(name="@{busname}", label="@{p_geoclue}"),
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/GeoClue2/Manager
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=PropertiesChanged
|
|
||||||
peer=(name="@{busname}", label=geoclue),
|
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.GeoClue2.d>
|
include if exists <abstractions/bus/org.freedesktop.GeoClue2.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,20 +4,17 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/ModemManager1
|
#aa:dbus common bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}"
|
||||||
interface=org.freedesktop.DBus.ObjectManager
|
|
||||||
member=GetManagedObjects
|
|
||||||
peer=(name=org.freedesktop.ModemManager1, label=ModemManager),
|
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/ModemManager1
|
dbus send bus=system path=/org/freedesktop/ModemManager1
|
||||||
interface=org.freedesktop.DBus.ObjectManager
|
interface=org.freedesktop.DBus.ObjectManager
|
||||||
member=GetManagedObjects
|
member=GetManagedObjects
|
||||||
peer=(name="@{busname}", label=ModemManager),
|
peer=(name=org.freedesktop.ModemManager1, label="@{p_ModemManager}"),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/ModemManager1
|
dbus send bus=system path=/org/freedesktop/ModemManager1
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.ObjectManager
|
||||||
member=GetAll
|
member=GetManagedObjects
|
||||||
peer=(name="@{busname}", label=ModemManager),
|
peer=(name="@{busname}", label="@{p_ModemManager}"),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.ModemManager1.d>
|
include if exists <abstractions/bus/org.freedesktop.ModemManager1.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,14 +4,11 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa:dbus common bus=system name=org.freedesktop.NetworkManager label=NetworkManager
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop
|
dbus send bus=system path=/org/freedesktop
|
||||||
interface=org.freedesktop.DBus.ObjectManager
|
interface=org.freedesktop.DBus.ObjectManager
|
||||||
member=GetManagedObjects
|
member={GetManagedObjects,InterfacesRemoved}
|
||||||
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
|
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/NetworkManager{,/**}
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member={Get,GetAll}
|
|
||||||
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
|
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/NetworkManager
|
dbus send bus=system path=/org/freedesktop/NetworkManager
|
||||||
|
|
@ -29,19 +26,9 @@
|
||||||
member=GetSettings
|
member=GetSettings
|
||||||
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
|
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/NetworkManager
|
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
|
||||||
member=Introspect
|
|
||||||
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
|
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop
|
dbus receive bus=system path=/org/freedesktop
|
||||||
interface=org.freedesktop.DBus.ObjectManager
|
interface=org.freedesktop.DBus.ObjectManager
|
||||||
member=InterfacesAdded
|
member={InterfacesAdded,InterfacesRemoved}
|
||||||
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
|
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**}
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=PropertiesChanged
|
|
||||||
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
|
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/NetworkManager
|
dbus receive bus=system path=/org/freedesktop/NetworkManager
|
||||||
|
|
@ -64,6 +51,11 @@
|
||||||
member=Updated
|
member=Updated
|
||||||
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
|
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
|
||||||
|
|
||||||
|
dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int}
|
||||||
|
interface=org.freedesktop.NetworkManager.Connection.Active
|
||||||
|
member=StateChanged
|
||||||
|
peer=(name=@{busname}, label=NetworkManager),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.NetworkManager.d>
|
include if exists <abstractions/bus/org.freedesktop.NetworkManager.d>
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -4,10 +4,7 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/Notifications
|
#aa:dbus common bus=session name=org.freedesktop.Notifications label=gjs-console
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=GetAll
|
|
||||||
peer=(name="@{busname}", label=gjs-console),
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/Notifications
|
dbus send bus=session path=/org/freedesktop/Notifications
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
|
|
@ -16,7 +13,7 @@
|
||||||
|
|
||||||
dbus receive bus=session path=/org/freedesktop/Notifications
|
dbus receive bus=session path=/org/freedesktop/Notifications
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member={GetAll,NotificationClosed,CloseNotification}
|
member={NotificationClosed,CloseNotification}
|
||||||
peer=(name="@{busname}", label=gjs-console),
|
peer=(name="@{busname}", label=gjs-console),
|
||||||
|
|
||||||
dbus receive bus=session path=/org/freedesktop/Notifications
|
dbus receive bus=session path=/org/freedesktop/Notifications
|
||||||
|
|
|
||||||
|
|
@ -4,15 +4,8 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/PackageKit
|
#aa:dbus common bus=system name=org.freedesktop.PackageKit label=packagekitd
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=GetAll
|
|
||||||
peer=(name="@{busname}", label=packagekitd),
|
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/PackageKit
|
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
|
||||||
member=Introspect
|
|
||||||
peer=(name=org.freedesktop.PackageKit, label=packagekitd),
|
|
||||||
dbus send bus=system path=/org/freedesktop/PackageKit
|
dbus send bus=system path=/org/freedesktop/PackageKit
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
member=Introspect
|
member=Introspect
|
||||||
|
|
@ -21,7 +14,7 @@
|
||||||
dbus send bus=system path=/org/freedesktop/PackageKit
|
dbus send bus=system path=/org/freedesktop/PackageKit
|
||||||
interface=org.freedesktop.PackageKit
|
interface=org.freedesktop.PackageKit
|
||||||
member=StateHasChanged
|
member=StateHasChanged
|
||||||
peer=(name=org.freedesktop.PackageKit, label=packagekitd),
|
peer=(name=org.freedesktop.PackageKit),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.PackageKit.d>
|
include if exists <abstractions/bus/org.freedesktop.PackageKit.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,35 +4,27 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
|
dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||||
interface=org.freedesktop.PolicyKit1.Authority
|
interface=org.freedesktop.PolicyKit1.Authority
|
||||||
member=Changed
|
member=Changed
|
||||||
peer=(name="@{busname}", label=polkitd),
|
peer=(name="@{busname}", label="@{p_polkitd}"),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=GetAll
|
|
||||||
peer=(name="@{busname}", label=polkitd),
|
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||||
interface=org.freedesktop.PolicyKit1.Authority
|
interface=org.freedesktop.PolicyKit1.Authority
|
||||||
member=CheckAuthorization
|
member=CheckAuthorization
|
||||||
peer=(name=org.freedesktop.PolicyKit1, label=polkitd),
|
peer=(name=org.freedesktop.PolicyKit1, label="@{p_polkitd}"),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||||
interface=org.freedesktop.PolicyKit1.Authority
|
interface=org.freedesktop.PolicyKit1.Authority
|
||||||
member=CheckAuthorization
|
member=CheckAuthorization
|
||||||
peer=(name="@{busname}", label=polkitd),
|
peer=(name="@{busname}", label="@{p_polkitd}"),
|
||||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||||
interface=org.freedesktop.PolicyKit1.Authority
|
interface=org.freedesktop.PolicyKit1.Authority
|
||||||
member=CheckAuthorization
|
member=CheckAuthorization
|
||||||
peer=(name=org.freedesktop.PolicyKit1),
|
peer=(name=org.freedesktop.PolicyKit1),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
|
||||||
member=Introspect
|
|
||||||
peer=(name="@{busname}", label=polkitd),
|
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.PolicyKit1.d>
|
include if exists <abstractions/bus/org.freedesktop.PolicyKit1.d>
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -2,32 +2,25 @@
|
||||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
# Allow setting realtime priorities.
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label="@{p_rtkit_daemon}"
|
||||||
dbus send bus=system path=/org/freedesktop/RealtimeKit1
|
dbus send bus=system path=/org/freedesktop/RealtimeKit1
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member=Get
|
member=Get
|
||||||
peer=(name=org.freedesktop.RealtimeKit1),
|
peer=(name=org.freedesktop.RealtimeKit1),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/RealtimeKit1
|
dbus send bus=system path=/org/freedesktop/RealtimeKit1
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.RealtimeKit1
|
||||||
member={Get,GetAll}
|
member={MakeThreadHighPriority,MakeThreadRealtime}
|
||||||
peer=(name="@{busname}", label=rtkit-daemon),
|
peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/RealtimeKit1
|
dbus send bus=system path=/org/freedesktop/RealtimeKit1
|
||||||
interface=org.freedesktop.RealtimeKit1
|
interface=org.freedesktop.RealtimeKit1
|
||||||
member=MakeThread*
|
member={MakeThreadHighPriorityWithPID,MakeThreadRealtimeWithPID}
|
||||||
peer=(name="@{busname}", label=rtkit-daemon),
|
peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/RealtimeKit1
|
|
||||||
interface=org.freedesktop.RealtimeKit1
|
|
||||||
member=MakeThread*
|
|
||||||
peer=(name=org.freedesktop.RealtimeKit1),
|
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/RealtimeKit1
|
|
||||||
interface=org.freedesktop.RealtimeKit1
|
|
||||||
member=MakeThread*
|
|
||||||
peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon),
|
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.RealtimeKit1.d>
|
include if exists <abstractions/bus/org.freedesktop.RealtimeKit1.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,12 +7,12 @@
|
||||||
dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
|
dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
|
||||||
interface=org.freedesktop.DBus.Peer
|
interface=org.freedesktop.DBus.Peer
|
||||||
member=Ping
|
member=Ping
|
||||||
peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner),
|
peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"),
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
|
dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
|
||||||
interface=org.freedesktop.Tracker3.Endpoint
|
interface=org.freedesktop.Tracker3.Endpoint
|
||||||
member=Query
|
member=Query
|
||||||
peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner),
|
peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.Tracker3.Miner.Files.d>
|
include if exists <abstractions/bus/org.freedesktop.Tracker3.Miner.Files.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,16 +4,13 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa:dbus common bus=system name=org.freedesktop.UDisks2 label=udisksd
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/UDisks2
|
dbus send bus=system path=/org/freedesktop/UDisks2
|
||||||
interface=org.freedesktop.DBus.ObjectManager
|
interface=org.freedesktop.DBus.ObjectManager
|
||||||
member=GetManagedObjects
|
member=GetManagedObjects
|
||||||
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
|
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/UDisks2/**
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=GetAll
|
|
||||||
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
|
|
||||||
|
|
||||||
dbus send bus=system path=/
|
dbus send bus=system path=/
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
member=Introspect
|
member=Introspect
|
||||||
|
|
@ -29,16 +26,6 @@
|
||||||
member=Introspect
|
member=Introspect
|
||||||
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
|
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*}
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member={Get,GetAll}
|
|
||||||
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
|
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
|
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
|
||||||
member=Introspect
|
|
||||||
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
|
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/UDisks2
|
dbus receive bus=system path=/org/freedesktop/UDisks2
|
||||||
interface=org.freedesktop.DBus.ObjectManager
|
interface=org.freedesktop.DBus.ObjectManager
|
||||||
member=InterfacesAdded
|
member=InterfacesAdded
|
||||||
|
|
@ -49,11 +36,6 @@
|
||||||
member=Completed
|
member=Completed
|
||||||
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
|
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/UDisks2/block_devices/*
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=PropertiesChanged
|
|
||||||
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
|
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.UDisks2.d>
|
include if exists <abstractions/bus/org.freedesktop.UDisks2.d>
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -4,44 +4,22 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}"
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/UPower
|
dbus send bus=system path=/org/freedesktop/UPower
|
||||||
interface=org.freedesktop.UPower
|
interface=org.freedesktop.UPower
|
||||||
member=EnumerateDevices
|
member=EnumerateDevices
|
||||||
peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
|
peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/UPower{,/**}
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member={Get,GetAll}
|
|
||||||
peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
|
|
||||||
dbus send bus=system path=/org/freedesktop/UPower{,/**}
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member={Get,GetAll}
|
|
||||||
peer=(name=org.freedesktop.UPower, label=upowerd),
|
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/UPower
|
dbus send bus=system path=/org/freedesktop/UPower
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member=GetDisplayDevice
|
member=GetDisplayDevice
|
||||||
peer=(name=org.freedesktop.UPower, label=upowerd),
|
peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/UPower/devices/*
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member={Get,GetAll}
|
|
||||||
peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
|
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/UPower{,/**}
|
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
|
||||||
member=Introspect
|
|
||||||
peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
|
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/UPower
|
dbus receive bus=system path=/org/freedesktop/UPower
|
||||||
interface=org.freedesktop.UPower
|
interface=org.freedesktop.UPower
|
||||||
member=DeviceAdded
|
member={DeviceAdded,DeviceRemoved}
|
||||||
peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
|
peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"),
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/UPower/devices/*
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=PropertiesChanged
|
|
||||||
peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
|
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.UPower.d>
|
include if exists <abstractions/bus/org.freedesktop.UPower.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,11 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon}
|
||||||
|
|
||||||
|
include if exists <abstractions/bus/org.freedesktop.UPower.PowerProfiles.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
@ -4,15 +4,7 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/background/monitor
|
#aa:dbus common bus=session name=org.freedesktop.background.Monitor label=xdg-desktop-portal
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=GetAll
|
|
||||||
peer=(name="@{busname}", label=xdg-desktop-portal),
|
|
||||||
|
|
||||||
dbus receive bus=session path=/org/freedesktop/background/monitor
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=PropertiesChanged
|
|
||||||
peer=(name="@{busname}", label=xdg-desktop-portal),
|
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.background.Monitor.d>
|
include if exists <abstractions/bus/org.freedesktop.background.Monitor.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,21 +4,12 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}"
|
||||||
dbus send bus=system path=/org/freedesktop/hostname1
|
dbus send bus=system path=/org/freedesktop/hostname1
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member={Get,GetAll}
|
member=Get
|
||||||
peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed),
|
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/hostname1
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member={Get,GetAll}
|
|
||||||
peer=(name=org.freedesktop.hostname1),
|
peer=(name=org.freedesktop.hostname1),
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/hostname1
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=PropertiesChanged
|
|
||||||
peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed),
|
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.hostname1.d>
|
include if exists <abstractions/bus/org.freedesktop.hostname1.d>
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -4,16 +4,18 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
|
#aa:dbus common bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=GetAll
|
|
||||||
peer=(name="@{busname}", label=xdg-permission-store),
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
|
dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
|
||||||
interface=org.freedesktop.impl.portal.PermissionStore
|
interface=org.freedesktop.impl.portal.PermissionStore
|
||||||
member=Lookup
|
member=Lookup
|
||||||
peer=(name="@{busname}", label=xdg-permission-store),
|
peer=(name="@{busname}", label=xdg-permission-store),
|
||||||
|
|
||||||
|
dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
|
||||||
|
interface=org.freedesktop.impl.portal.PermissionStore
|
||||||
|
member=Lookup
|
||||||
|
peer=(name=org.freedesktop.impl.portal.PermissionStore, label=xdg-permission-store),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.impl.portal.PermissionStore.d>
|
include if exists <abstractions/bus/org.freedesktop.impl.portal.PermissionStore.d>
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -4,10 +4,7 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/locale1
|
#aa:dbus common bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}"
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=GetAll
|
|
||||||
peer=(name="@{busname}", label=systemd-localed),
|
|
||||||
dbus send bus=system path=/org/freedesktop/locale1
|
dbus send bus=system path=/org/freedesktop/locale1
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member=GetAll
|
member=GetAll
|
||||||
|
|
|
||||||
|
|
@ -4,35 +4,22 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/login1
|
#aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member={Get,GetAll}
|
|
||||||
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
|
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/login1
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=PropertiesChanged
|
|
||||||
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
|
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/login1
|
dbus send bus=system path=/org/freedesktop/login1
|
||||||
interface=org.freedesktop.login1.Manager
|
interface=org.freedesktop.login1.Manager
|
||||||
member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID}
|
member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID}
|
||||||
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
|
peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/login1
|
dbus receive bus=system path=/org/freedesktop/login1
|
||||||
interface=org.freedesktop.login1.Manager
|
interface=org.freedesktop.login1.Manager
|
||||||
member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareFor*}
|
member={SessionNew,SessionRemoved,UserNew,UserRemoved,SeatNew,PrepareFor*}
|
||||||
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
|
peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/login1
|
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
|
||||||
member=Introspect
|
|
||||||
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
|
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/login1/session/*
|
dbus send bus=system path=/org/freedesktop/login1/session/*
|
||||||
interface=org.freedesktop.login1.Session
|
interface=org.freedesktop.login1.Session
|
||||||
member=PauseDeviceComplete
|
member=PauseDeviceComplete
|
||||||
peer=(name=org.freedesktop.login1, label=systemd-logind),
|
peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.login1.d>
|
include if exists <abstractions/bus/org.freedesktop.login1.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,40 +4,22 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/login1
|
dbus send bus=system path=/org/freedesktop/login1
|
||||||
interface=org.freedesktop.login1.Manager
|
interface=org.freedesktop.login1.Manager
|
||||||
member=GetSession
|
member=GetSession
|
||||||
peer=(name="@{busname}", label=systemd-logind),
|
peer=(name="@{busname}", label="@{p_systemd_logind}"),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/login1{,session/*,seat/*}
|
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
|
||||||
member=Introspect
|
|
||||||
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
|
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/login1/session/*
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member={Get,GetAll}
|
|
||||||
peer=(name="@{busname}", label=systemd-logind),
|
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/login1/session/*
|
dbus send bus=system path=/org/freedesktop/login1/session/*
|
||||||
interface=org.freedesktop.login1.Session
|
interface=org.freedesktop.login1.Session
|
||||||
member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint}
|
member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint}
|
||||||
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
|
peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/login1/seat/*
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member={Get,GetAll}
|
|
||||||
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
|
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/login1/session/*
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=PropertiesChanged
|
|
||||||
peer=(name="@{busname}", label=systemd-logind),
|
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/login1/session/*
|
dbus receive bus=system path=/org/freedesktop/login1/session/*
|
||||||
interface=org.freedesktop.login1.Session
|
interface=org.freedesktop.login1.Session
|
||||||
member={PauseDevice,Unlock}
|
member={PauseDevice,Unlock}
|
||||||
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
|
peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.login1.Session.d>
|
include if exists <abstractions/bus/org.freedesktop.login1.Session.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,10 +4,7 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/network1
|
#aa:dbus common bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}"
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=Get
|
|
||||||
peer=(name=org.freedesktop.network1, label=systemd-networkd),
|
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.network1.d>
|
include if exists <abstractions/bus/org.freedesktop.network1.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,9 +4,11 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa:dbus common bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member={Get,GetAll,Read}
|
member=Read
|
||||||
peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal),
|
peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal),
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||||
|
|
@ -29,6 +31,11 @@
|
||||||
member={Read,ReadAll}
|
member={Read,ReadAll}
|
||||||
peer=(name="@{busname}", label=xdg-desktop-portal),
|
peer=(name="@{busname}", label=xdg-desktop-portal),
|
||||||
|
|
||||||
|
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||||
|
interface=org.freedesktop.host.portal.Registry
|
||||||
|
member=Register
|
||||||
|
peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.portal.Desktop.d>
|
include if exists <abstractions/bus/org.freedesktop.portal.Desktop.d>
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -4,10 +4,12 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa:dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}"
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/resolve1
|
dbus send bus=system path=/org/freedesktop/resolve1
|
||||||
interface=org.freedesktop.resolve1.Manager
|
interface=org.freedesktop.resolve1.Manager
|
||||||
member={SetLink*,ResolveHostname}
|
member={SetLink*,ResolveHostname}
|
||||||
peer=(name="{@{busname},org.freedesktop.resolve1}", label=systemd-resolved),
|
peer=(name="{@{busname},org.freedesktop.resolve1}", label="@{p_systemd_resolved}"),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.resolve1.d>
|
include if exists <abstractions/bus/org.freedesktop.resolve1.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,10 +4,7 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/secrets{,/**}
|
#aa:dbus common bus=session name=org.freedesktop.secrets label=gnome-keyring-daemon
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=GetAll
|
|
||||||
peer=(name="@{busname}", label=gnome-keyring-daemon),
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/secrets
|
dbus send bus=session path=/org/freedesktop/secrets
|
||||||
interface=org.freedesktop.Secret.Service
|
interface=org.freedesktop.Secret.Service
|
||||||
|
|
@ -24,11 +21,6 @@
|
||||||
member=ItemCreated
|
member=ItemCreated
|
||||||
peer=(name="@{busname}", label=gnome-keyring-daemon),
|
peer=(name="@{busname}", label=gnome-keyring-daemon),
|
||||||
|
|
||||||
dbus receive bus=session path=/org/freedesktop/secrets/collection/login
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=PropertiesChanged
|
|
||||||
peer=(name="@{busname}", label=gnome-keyring-daemon),
|
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.secrets.d>
|
include if exists <abstractions/bus/org.freedesktop.secrets.d>
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -4,14 +4,16 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/systemd1{,/**}
|
#aa:dbus common bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member={Get,GetAll}
|
|
||||||
peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/systemd1
|
dbus send bus=session path=/org/freedesktop/systemd1
|
||||||
interface=org.freedesktop.systemd1.Manager
|
interface=org.freedesktop.systemd1.Manager
|
||||||
member={GetUnit,StartUnit,StartTransientUnit}
|
member={GetUnit,GetUnitByPIDFD,StartUnit,StartTransientUnit}
|
||||||
|
peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
|
||||||
|
|
||||||
|
dbus send bus=system path=/org/freedesktop/systemd1
|
||||||
|
interface=org.freedesktop.systemd1.Manager
|
||||||
|
member=ListUnitsByPatterns
|
||||||
peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
|
peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/systemd1
|
dbus send bus=session path=/org/freedesktop/systemd1
|
||||||
|
|
|
||||||
|
|
@ -4,15 +4,7 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/systemd1
|
#aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member={Get,GetAll}
|
|
||||||
peer=(name=org.freedesktop.systemd1),
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/systemd1
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member={Get,GetAll}
|
|
||||||
peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"),
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/systemd1
|
dbus send bus=session path=/org/freedesktop/systemd1
|
||||||
interface=org.freedesktop.systemd1.Manager
|
interface=org.freedesktop.systemd1.Manager
|
||||||
|
|
|
||||||
|
|
@ -4,21 +4,7 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/timedate1
|
#aa:dbus common bus=system name=org.freedesktop.timedate1 label="@{p_systemd_timedated}"
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=Get
|
|
||||||
peer=(name=org.freedesktop.timedate1, label=systemd-timedated),
|
|
||||||
|
|
||||||
# FIXME: should be under the systemd-timedated label
|
|
||||||
dbus send bus=system path=/org/freedesktop/timedate1
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=Get
|
|
||||||
peer=(name=org.freedesktop.timedate1, label=unconfined),
|
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/timedate1
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=GetAll
|
|
||||||
peer=(name="@{busname}", label=systemd-timedated),
|
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.timedate1.d>
|
include if exists <abstractions/bus/org.freedesktop.timedate1.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,15 +4,12 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
dbus send bus=session path=/org/gnome/ArchiveManager1
|
#aa:dbus common bus=session name=org.gnome.ArchiveManager1 label="@{p_file_roller}"
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=GetAll
|
|
||||||
peer=(name="@{busname}", label=file-roller),
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/gnome/ArchiveManager1
|
dbus send bus=session path=/org/gnome/ArchiveManager1
|
||||||
interface=org.gnome.ArchiveManager1
|
interface=org.gnome.ArchiveManager1
|
||||||
member=GetSupportedTypes
|
member=GetSupportedTypes
|
||||||
peer=(name="@{busname}", label=file-roller),
|
peer=(name="@{busname}", label="@{p_file_roller}"),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.gnome.ArchiveManager1.d>
|
include if exists <abstractions/bus/org.gnome.ArchiveManager1.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,6 +4,8 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa:dbus common bus=system name=org.gnome.DisplayManager label=gdm
|
||||||
|
|
||||||
dbus send bus=system path=/org/gnome/DisplayManager/Manager
|
dbus send bus=system path=/org/gnome/DisplayManager/Manager
|
||||||
interface=org.gnome.DisplayManager.Manager
|
interface=org.gnome.DisplayManager.Manager
|
||||||
member=RegisterDisplay
|
member=RegisterDisplay
|
||||||
|
|
|
||||||
|
|
@ -4,6 +4,8 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa:dbus common bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell
|
||||||
|
|
||||||
dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
|
dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
|
||||||
interface=org.gnome.Mutter.DisplayConfig
|
interface=org.gnome.Mutter.DisplayConfig
|
||||||
member={GetResources,GetCrtcGamma}
|
member={GetResources,GetCrtcGamma}
|
||||||
|
|
@ -14,16 +16,6 @@
|
||||||
member=GetCurrentState
|
member=GetCurrentState
|
||||||
peer=(name="{@{busname},org.gnome.Mutter.DisplayConfig}", label=gnome-shell),
|
peer=(name="{@{busname},org.gnome.Mutter.DisplayConfig}", label=gnome-shell),
|
||||||
|
|
||||||
dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member={GetAll,PropertiesChanged}
|
|
||||||
peer=(name="@{busname}", label=gnome-shell),
|
|
||||||
|
|
||||||
dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=PropertiesChanged
|
|
||||||
peer=(name="@{busname}", label=gnome-shell),
|
|
||||||
|
|
||||||
dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig
|
dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig
|
||||||
interface=org.gnome.Mutter.DisplayConfig
|
interface=org.gnome.Mutter.DisplayConfig
|
||||||
member=MonitorsChanged
|
member=MonitorsChanged
|
||||||
|
|
|
||||||
|
|
@ -4,6 +4,8 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa:dbus common bus=session name=org.gnome.Mutter.IdleMonitor label=gnome-shell
|
||||||
|
|
||||||
dbus send bus=session path=/org/gnome/Mutter/IdleMonitor
|
dbus send bus=session path=/org/gnome/Mutter/IdleMonitor
|
||||||
interface=org.freedesktop.DBus.ObjectManager
|
interface=org.freedesktop.DBus.ObjectManager
|
||||||
member=GetManagedObjects
|
member=GetManagedObjects
|
||||||
|
|
|
||||||
|
|
@ -4,20 +4,7 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
dbus send bus=session path=/org/gnome/Nautilus/FileOperations2
|
#aa:dbus common bus=session name=org.gnome.Nautilus.FileOperations2 label=nautilus
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=GetAll
|
|
||||||
peer=(name="@{busname}", label=nautilus),
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/gnome/Nautilus/FileOperations2
|
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
|
||||||
member=Introspect
|
|
||||||
peer=(name="@{busname}", label=nautilus),
|
|
||||||
|
|
||||||
dbus receive bus=session path=/org/gnome/Nautilus/FileOperations2
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=PropertiesChanged
|
|
||||||
peer=(name="@{busname}", label=nautilus),
|
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.gnome.Nautilus.FileOperations2.d>
|
include if exists <abstractions/bus/org.gnome.Nautilus.FileOperations2.d>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,10 +4,7 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
dbus send bus=session path=/org/gnome/ScreenSaver
|
#aa:dbus common bus=session name=org.gnome.ScreenSaver label=gjs-console
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=GetAll
|
|
||||||
peer=(name="@{busname}", label=gjs-console),
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/gnome/ScreenSaver
|
dbus send bus=session path=/org/gnome/ScreenSaver
|
||||||
interface=org.gnome.ScreenSaver
|
interface=org.gnome.ScreenSaver
|
||||||
|
|
|
||||||
|
|
@ -6,6 +6,8 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa:dbus common bus=session name=org.gnome.SessionManager label=gnome-session-binary
|
||||||
|
|
||||||
dbus send bus=session path=/org/gnome/SessionManager
|
dbus send bus=session path=/org/gnome/SessionManager
|
||||||
interface=org.gnome.SessionManager
|
interface=org.gnome.SessionManager
|
||||||
member={RegisterClient,IsSessionRunning}
|
member={RegisterClient,IsSessionRunning}
|
||||||
|
|
@ -21,16 +23,6 @@
|
||||||
member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded}
|
member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded}
|
||||||
peer=(name="@{busname}", label=gnome-session-binary),
|
peer=(name="@{busname}", label=gnome-session-binary),
|
||||||
|
|
||||||
dbus send bus=session path=/org/gnome/SessionManager
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=GetAll
|
|
||||||
peer=(name="@{busname}", label=gnome-session-binary),
|
|
||||||
|
|
||||||
dbus receive bus=session path=/org/gnome/SessionManager
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=PropertiesChanged
|
|
||||||
peer=(name="@{busname}", label=gnome-session-binary),
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
|
dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
|
||||||
interface=org.gnome.SessionManager.ClientPrivate
|
interface=org.gnome.SessionManager.ClientPrivate
|
||||||
member=EndSessionResponse
|
member=EndSessionResponse
|
||||||
|
|
@ -41,26 +33,11 @@
|
||||||
member={CancelEndSession,QueryEndSession,EndSession,Stop}
|
member={CancelEndSession,QueryEndSession,EndSession,Stop}
|
||||||
peer=(name="@{busname}", label=gnome-session-binary),
|
peer=(name="@{busname}", label=gnome-session-binary),
|
||||||
|
|
||||||
dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=GetAll
|
|
||||||
peer=(name="@{busname}", label=gnome-session-binary),
|
|
||||||
|
|
||||||
dbus receive bus=session path=/org/gnome/SessionManager/Client@{int}
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=PropertiesChanged
|
|
||||||
peer=(name="@{busname}", label=gnome-session-binary),
|
|
||||||
|
|
||||||
dbus receive bus=session path=/org/gnome/SessionManager/Presence
|
dbus receive bus=session path=/org/gnome/SessionManager/Presence
|
||||||
interface=org.gnome.SessionManager.Presence
|
interface=org.gnome.SessionManager.Presence
|
||||||
member=StatusChanged
|
member=StatusChanged
|
||||||
peer=(name="@{busname}", label=gnome-session-binary),
|
peer=(name="@{busname}", label=gnome-session-binary),
|
||||||
|
|
||||||
dbus send bus=session path=/org/gnome/SessionManager
|
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
|
||||||
member=Introspect
|
|
||||||
peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
|
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.gnome.SessionManager.d>
|
include if exists <abstractions/bus/org.gnome.SessionManager.d>
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -4,15 +4,7 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
dbus send bus=session path=/org/gnome/Shell/Introspect
|
#aa:dbus common bus=session name=org.gnome.Shell.Introspect label=gnome-shell
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=GetAll
|
|
||||||
peer=(name="@{busname}", label=gnome-shell),
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/gnome/Shell/Introspect
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=Get
|
|
||||||
peer=(name=org.gnome.Shell.Introspect, label=gnome-shell),
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/gnome/Shell/Introspect
|
dbus send bus=session path=/org/gnome/Shell/Introspect
|
||||||
interface=org.gnome.Shell.Introspect
|
interface=org.gnome.Shell.Introspect
|
||||||
|
|
@ -24,11 +16,6 @@
|
||||||
member={RunningApplicationsChanged,WindowsChanged}
|
member={RunningApplicationsChanged,WindowsChanged}
|
||||||
peer=(name="@{busname}", label=gnome-shell),
|
peer=(name="@{busname}", label=gnome-shell),
|
||||||
|
|
||||||
dbus receive bus=session path=/org/gnome/Shell/Introspect
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=PropertiesChanged
|
|
||||||
peer=(name="@{busname}", label=gnome-shell),
|
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.gnome.Shell.Introspect.d>
|
include if exists <abstractions/bus/org.gnome.Shell.Introspect.d>
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
12
apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2
Normal file
12
apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2
Normal file
|
|
@ -0,0 +1,12 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell
|
||||||
|
|
||||||
|
include if exists <abstractions/bus/org.gnome.Shell.SearchProvider2.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
||||||
16
apparmor.d/abstractions/bus/org.gtk.Notifications
Normal file
16
apparmor.d/abstractions/bus/org.gtk.Notifications
Normal file
|
|
@ -0,0 +1,16 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa:dbus common bus=session name=org.gtk.Notifications label=gnome-shell
|
||||||
|
|
||||||
|
dbus send bus=session path=/org/gtk/Notifications
|
||||||
|
interface=org.gtk.Notifications
|
||||||
|
member=RemoveNotification
|
||||||
|
peer=(name=org.gtk.Notifications, label=gnome-shell),
|
||||||
|
|
||||||
|
include if exists <abstractions/bus/org.gtk.Notifications.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
@ -9,6 +9,11 @@
|
||||||
member={GetConnection,ListMonitorImplementations,ListMountableInfo}
|
member={GetConnection,ListMonitorImplementations,ListMountableInfo}
|
||||||
peer=(name="@{busname}", label=gvfsd),
|
peer=(name="@{busname}", label=gvfsd),
|
||||||
|
|
||||||
|
dbus receive bus=session path=/org/gtk/vfs/Daemon
|
||||||
|
interface=org.gtk.vfs.Daemon
|
||||||
|
member=GetConnection
|
||||||
|
peer=(name=@{busname}),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.gtk.vfs.Daemon.d>
|
include if exists <abstractions/bus/org.gtk.vfs.Daemon.d>
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -4,9 +4,15 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa:dbus common bus=system name=org.gtk.vfs.Metadata path=/org/gtk/vfs/metadata label=gvfsd-metadata
|
||||||
dbus send bus=session path=/org/gtk/vfs/metadata
|
dbus send bus=session path=/org/gtk/vfs/metadata
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member=GetAll
|
member=GetAll
|
||||||
|
peer=(name=@{busname}, label=gvfsd-metadata),
|
||||||
|
|
||||||
|
dbus send bus=session path=/org/gtk/vfs/metadata
|
||||||
|
interface=org.gtk.vfs.Metadata
|
||||||
|
member={Set,Move,GetTreeFromDevice,Remove}
|
||||||
peer=(name="@{busname}", label=gvfsd-metadata),
|
peer=(name="@{busname}", label=gvfsd-metadata),
|
||||||
|
|
||||||
dbus receive bus=session path=/org/gtk/vfs/metadata
|
dbus receive bus=session path=/org/gtk/vfs/metadata
|
||||||
|
|
|
||||||
|
|
@ -9,6 +9,11 @@
|
||||||
member=ListMountableInfo
|
member=ListMountableInfo
|
||||||
peer=(name="@{busname}", label=gvfsd),
|
peer=(name="@{busname}", label=gvfsd),
|
||||||
|
|
||||||
|
dbus send bus=session path=/org/gtk/vfs/mounttracker
|
||||||
|
interface=org.gtk.vfs.MountTracker
|
||||||
|
member=LookupMount
|
||||||
|
peer=(name="@{busname}", label=gvfsd),
|
||||||
|
|
||||||
dbus send bus=session path=/org/gtk/vfs/mounttracker
|
dbus send bus=session path=/org/gtk/vfs/mounttracker
|
||||||
interface=org.gtk.vfs.MountTracker
|
interface=org.gtk.vfs.MountTracker
|
||||||
member=ListMounts2
|
member=ListMounts2
|
||||||
|
|
|
||||||
|
|
@ -4,21 +4,13 @@
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
dbus send bus=session path=/StatusNotifierWatcher
|
#aa:dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=Get
|
|
||||||
peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
|
|
||||||
|
|
||||||
dbus send bus=session path=/StatusNotifierWatcher
|
dbus send bus=session path=/StatusNotifierWatcher
|
||||||
interface=org.kde.StatusNotifierWatcher
|
interface=org.kde.StatusNotifierWatcher
|
||||||
member=RegisterStatusNotifierItem
|
member=RegisterStatusNotifierItem
|
||||||
peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell),
|
peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell),
|
||||||
|
|
||||||
dbus send bus=session path=/StatusNotifierWatcher
|
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
|
||||||
member=Introspect
|
|
||||||
peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
|
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.kde.StatusNotifierWatcher.d>
|
include if exists <abstractions/bus/org.kde.StatusNotifierWatcher.d>
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
31
apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player
Normal file
31
apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player
Normal file
|
|
@ -0,0 +1,31 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
#aa-dbus common bus=session name=org.mpris.MediaPlayer2.Player label=unconfined
|
||||||
|
|
||||||
|
dbus receive bus=session path=/org/mpris/MediaPlayer2
|
||||||
|
interface=org.freedesktop.DBus.Properties
|
||||||
|
member=PropertiesChanged
|
||||||
|
peer=(name=@{busname}),
|
||||||
|
|
||||||
|
dbus receive bus=session path=/org/mpris/MediaPlayer2
|
||||||
|
interface=org.mpris.MediaPlayer2.Player
|
||||||
|
member=Seeked
|
||||||
|
peer=(name=@{busname}),
|
||||||
|
|
||||||
|
dbus send bus=session path=/org/mpris/MediaPlayer2
|
||||||
|
interface=org.freedesktop.DBus.Properties
|
||||||
|
member=Get
|
||||||
|
peer=(name=@{busname}),
|
||||||
|
|
||||||
|
dbus send bus=session path=/org/mpris/MediaPlayer2
|
||||||
|
interface=org.freedesktop.DBus.Properties
|
||||||
|
member=GetAll
|
||||||
|
peer=(name=@{busname}),
|
||||||
|
|
||||||
|
include if exists <abstractions/bus/org.mpris.MediaPlayer2.Player.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
25
apparmor.d/abstractions/bus/own-accessibility
Normal file
25
apparmor.d/abstractions/bus/own-accessibility
Normal file
|
|
@ -0,0 +1,25 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
# LOGPROF-SUGGEST: no
|
||||||
|
|
||||||
|
# Do not use it manually, It is automatically included in a profile by the
|
||||||
|
# `aa:dbus own` directive.
|
||||||
|
|
||||||
|
# Allow owning a name on DBus public bus
|
||||||
|
|
||||||
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
dbus send bus=accessibility path=/org/freedesktop/DBus
|
||||||
|
interface=org.freedesktop.DBus
|
||||||
|
member={RequestName,ReleaseName}
|
||||||
|
peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
|
||||||
|
|
||||||
|
dbus send bus=accessibility path=/org/freedesktop/DBus
|
||||||
|
interface=org.freedesktop.DBus
|
||||||
|
member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
|
||||||
|
peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
|
||||||
|
|
||||||
|
include if exists <abstractions/bus/own-accessibility.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
25
apparmor.d/abstractions/bus/own-session
Normal file
25
apparmor.d/abstractions/bus/own-session
Normal file
|
|
@ -0,0 +1,25 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
# LOGPROF-SUGGEST: no
|
||||||
|
|
||||||
|
# Do not use it manually, It is automatically included in a profile by the
|
||||||
|
# `aa:dbus own` directive.
|
||||||
|
|
||||||
|
# Allow owning a name on DBus public bus
|
||||||
|
|
||||||
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
dbus send bus=session path=/org/freedesktop/DBus
|
||||||
|
interface=org.freedesktop.DBus
|
||||||
|
member={RequestName,ReleaseName}
|
||||||
|
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
|
||||||
|
|
||||||
|
dbus send bus=session path=/org/freedesktop/DBus
|
||||||
|
interface=org.freedesktop.DBus
|
||||||
|
member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
|
||||||
|
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
|
||||||
|
|
||||||
|
include if exists <abstractions/bus/own-session.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
25
apparmor.d/abstractions/bus/own-system
Normal file
25
apparmor.d/abstractions/bus/own-system
Normal file
|
|
@ -0,0 +1,25 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
# LOGPROF-SUGGEST: no
|
||||||
|
|
||||||
|
# Do not use it manually, It is automatically included in a profile by the
|
||||||
|
# `aa:dbus own` directive.
|
||||||
|
|
||||||
|
# Allow owning a name on DBus public bus
|
||||||
|
|
||||||
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
dbus send bus=system path=/org/freedesktop/DBus
|
||||||
|
interface=org.freedesktop.DBus
|
||||||
|
member={RequestName,ReleaseName}
|
||||||
|
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
||||||
|
|
||||||
|
dbus send bus=system path=/org/freedesktop/DBus
|
||||||
|
interface=org.freedesktop.DBus
|
||||||
|
member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
|
||||||
|
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
||||||
|
|
||||||
|
include if exists <abstractions/bus/own-system.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
@ -27,6 +27,7 @@
|
||||||
include <abstractions/gstreamer>
|
include <abstractions/gstreamer>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/p11-kit>
|
include <abstractions/p11-kit>
|
||||||
|
include <abstractions/path>
|
||||||
include <abstractions/ssl_certs>
|
include <abstractions/ssl_certs>
|
||||||
include <abstractions/video>
|
include <abstractions/video>
|
||||||
|
|
||||||
|
|
@ -34,18 +35,13 @@
|
||||||
dbus bus=session,
|
dbus bus=session,
|
||||||
dbus bus=system,
|
dbus bus=system,
|
||||||
|
|
||||||
/usr/cache/** r,
|
/usr/** r,
|
||||||
/usr/local/{,**} r,
|
|
||||||
/usr/share/** rk,
|
/usr/share/** rk,
|
||||||
|
|
||||||
/etc/{,**} r,
|
/etc/{,**} r,
|
||||||
|
|
||||||
/ r,
|
|
||||||
/.* r,
|
/.* r,
|
||||||
/*/ r,
|
|
||||||
@{bin}/ r,
|
|
||||||
@{lib}/ r,
|
@{lib}/ r,
|
||||||
/usr/local/bin/ r,
|
|
||||||
owner /_@{int}_/ w,
|
owner /_@{int}_/ w,
|
||||||
owner /@{uuid}/ w,
|
owner /@{uuid}/ w,
|
||||||
owner /var/cache/ldconfig/{,**} rw,
|
owner /var/cache/ldconfig/{,**} rw,
|
||||||
|
|
@ -58,14 +54,16 @@
|
||||||
@{MOUNTS}/** rwl,
|
@{MOUNTS}/** rwl,
|
||||||
owner @{HOME}/ r,
|
owner @{HOME}/ r,
|
||||||
owner @{HOME}/.var/app/** rmix,
|
owner @{HOME}/.var/app/** rmix,
|
||||||
owner @{HOME}/** rwlk -> @{HOME}/**,
|
owner @{HOME}/** rwmlk -> @{HOME}/**,
|
||||||
owner @{run}/user/@{uid}/ r,
|
owner @{run}/user/@{uid}/ r,
|
||||||
owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**,
|
owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too-wide
|
||||||
owner @{user_games_dirs}/** rmix,
|
owner @{user_games_dirs}/** rmix,
|
||||||
|
|
||||||
owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**,
|
#aa:lint ignore=too-wide
|
||||||
owner @{tmp}/** rmwk,
|
owner @{tmp}/** rmwk,
|
||||||
owner /dev/shm/** rwlk -> /dev/shm/**,
|
owner /dev/shm/** rwlk -> /dev/shm/**,
|
||||||
|
owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**,
|
||||||
|
owner /var/tmp/etilqs_@{sqlhex} rw,
|
||||||
|
|
||||||
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
|
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
|
||||||
|
|
||||||
|
|
@ -81,6 +79,7 @@
|
||||||
@{sys}/bus/ r,
|
@{sys}/bus/ r,
|
||||||
@{sys}/bus/*/devices/ r,
|
@{sys}/bus/*/devices/ r,
|
||||||
@{sys}/bus/pci/slots/ r,
|
@{sys}/bus/pci/slots/ r,
|
||||||
|
@{sys}/bus/pci/slots/@{int}-@{int}/address r,
|
||||||
@{sys}/bus/pci/slots/@{int}/address r,
|
@{sys}/bus/pci/slots/@{int}/address r,
|
||||||
@{sys}/class/*/ r,
|
@{sys}/class/*/ r,
|
||||||
@{sys}/devices/** r,
|
@{sys}/devices/** r,
|
||||||
|
|
@ -125,6 +124,7 @@
|
||||||
owner @{PROC}/@{pid}/fd/@{int} rw,
|
owner @{PROC}/@{pid}/fd/@{int} rw,
|
||||||
owner @{PROC}/@{pid}/fdinfo/@{int} r,
|
owner @{PROC}/@{pid}/fdinfo/@{int} r,
|
||||||
owner @{PROC}/@{pid}/io r,
|
owner @{PROC}/@{pid}/io r,
|
||||||
|
owner @{PROC}/@{pid}/limits r,
|
||||||
owner @{PROC}/@{pid}/loginuid r,
|
owner @{PROC}/@{pid}/loginuid r,
|
||||||
owner @{PROC}/@{pid}/mem r,
|
owner @{PROC}/@{pid}/mem r,
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
|
|
|
||||||
|
|
@ -47,6 +47,7 @@
|
||||||
@{PROC}/sys/kernel/overflowgid r,
|
@{PROC}/sys/kernel/overflowgid r,
|
||||||
@{PROC}/sys/kernel/overflowuid r,
|
@{PROC}/sys/kernel/overflowuid r,
|
||||||
@{PROC}/sys/user/max_user_namespaces r,
|
@{PROC}/sys/user/max_user_namespaces r,
|
||||||
|
@{PROC}/sys/kernel/seccomp/actions_avail r,
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
|
||||||
@{att}/@{PROC}/sys/user/max_user_namespaces rw,
|
@{att}/@{PROC}/sys/user/max_user_namespaces rw,
|
||||||
|
|
|
||||||
28
apparmor.d/abstractions/common/debconf
Normal file
28
apparmor.d/abstractions/common/debconf
Normal file
|
|
@ -0,0 +1,28 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
# LOGPROF-SUGGEST: no
|
||||||
|
|
||||||
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
include <abstractions/consoles>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/perl>
|
||||||
|
|
||||||
|
@{sh_path} rix,
|
||||||
|
@{bin}/locale ix,
|
||||||
|
@{bin}/whiptail Px,
|
||||||
|
|
||||||
|
/usr/share/debconf/frontend rix,
|
||||||
|
/usr/share/debconf/confmodule r,
|
||||||
|
|
||||||
|
/etc/debconf.conf r,
|
||||||
|
|
||||||
|
/var/ r,
|
||||||
|
/var/cache/ r,
|
||||||
|
/var/cache/debconf/ r,
|
||||||
|
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
|
||||||
|
|
||||||
|
include if exists <abstractions/common/debconf.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
@ -75,6 +75,7 @@
|
||||||
|
|
||||||
@{PROC}/ r,
|
@{PROC}/ r,
|
||||||
@{PROC}/@{pid}/stat r,
|
@{PROC}/@{pid}/stat r,
|
||||||
|
@{PROC}/@{pid}/task/@{tid}/status r,
|
||||||
@{PROC}/sys/fs/inotify/max_user_watches r,
|
@{PROC}/sys/fs/inotify/max_user_watches r,
|
||||||
@{PROC}/sys/kernel/yama/ptrace_scope r,
|
@{PROC}/sys/kernel/yama/ptrace_scope r,
|
||||||
owner @{PROC}/@{pid}/cgroup r,
|
owner @{PROC}/@{pid}/cgroup r,
|
||||||
|
|
@ -88,7 +89,6 @@
|
||||||
owner @{PROC}/@{pid}/statm r,
|
owner @{PROC}/@{pid}/statm r,
|
||||||
owner @{PROC}/@{pid}/task/ r,
|
owner @{PROC}/@{pid}/task/ r,
|
||||||
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||||
owner @{PROC}/@{pid}/task/@{tid}/status r,
|
|
||||||
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
|
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
|
||||||
|
|
||||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||||
|
|
|
||||||
|
|
@ -6,9 +6,9 @@
|
||||||
# wine, proton, game launchers should use this abstraction.
|
# wine, proton, game launchers should use this abstraction.
|
||||||
|
|
||||||
# This abstraction uses the following tunables:
|
# This abstraction uses the following tunables:
|
||||||
# - @{XDG_GAMESSTUDIO_DIR} for game studio and game engines specific directories
|
# - @{XDG_GAMESSTUDIO_DIR}/ for game studio and game engines specific directories
|
||||||
# (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d")
|
# (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d")
|
||||||
# - @{user_games_dirs} for user specific game directories (eg: steam storage dir)
|
# - @{user_games_dirs}/ for user specific game directories (eg: steam storage dir)
|
||||||
|
|
||||||
abi <abi/4.0>,
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -32,6 +32,7 @@
|
||||||
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
|
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/cmdline r,
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
|
owner @{PROC}/@{pid}/stat r,
|
||||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||||
|
|
||||||
include if exists <abstractions/common/gnome.d>
|
include if exists <abstractions/common/gnome.d>
|
||||||
|
|
|
||||||
|
|
@ -8,6 +8,7 @@
|
||||||
ptrace read peer=@{p_systemd},
|
ptrace read peer=@{p_systemd},
|
||||||
|
|
||||||
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
|
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
|
||||||
|
@{sys}/fs/cgroup/system.slice/@{profile_name}.service/ r,
|
||||||
@{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
|
@{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
|
||||||
|
|
||||||
@{PROC}/1/cgroup r,
|
@{PROC}/1/cgroup r,
|
||||||
|
|
|
||||||
8
apparmor.d/abstractions/consoles.d/complete
Normal file
8
apparmor.d/abstractions/consoles.d/complete
Normal file
|
|
@ -0,0 +1,8 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
# There are the common ways to refer to consoles
|
||||||
|
/dev/tty@{u8} rw,
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
@ -4,7 +4,15 @@
|
||||||
|
|
||||||
include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
|
|
||||||
|
# FIPS-140-2 versions of some crypto libraries need to access their
|
||||||
|
# associated integrity verification file, or they will abort.
|
||||||
|
@{lib}/.lib*.so*.hmac r,
|
||||||
|
@{lib}/@{multiarch}/.lib*.so*.hmac r,
|
||||||
|
|
||||||
@{etc_ro}/gnutls/config r,
|
@{etc_ro}/gnutls/config r,
|
||||||
@{etc_ro}/gnutls/pkcs11.conf r,
|
@{etc_ro}/gnutls/pkcs11.conf r,
|
||||||
|
|
||||||
|
# Used to determine if Linux is running in FIPS mode
|
||||||
|
@{PROC}/sys/crypto/fips_enabled r,
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,7 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
include <abstractions/bus-accessibility>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
7
apparmor.d/abstractions/dbus-session-strict.d/complete
Normal file
7
apparmor.d/abstractions/dbus-session-strict.d/complete
Normal file
|
|
@ -0,0 +1,7 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
include <abstractions/bus-session>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
Some files were not shown because too many files have changed in this diff Show more
Loading…
Add table
Add a link
Reference in a new issue