feat(abs): add the input abs.

2025-09-13 00:43:40 +02:00 · 2025-09-13 00:43:40 +02:00 · 51bcdd5e14
commit 51bcdd5e14
parent 34cc1ab131
3 changed files with 28 additions and 8 deletions
--- a/apparmor.d/abstractions/common/app
+++ b/apparmor.d/abstractions/common/app
@ -26,6 +26,7 @@
  include <abstractions/fontconfig-cache-write>
  include <abstractions/graphics>
  include <abstractions/gstreamer>
+  include <abstractions/input>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  include <abstractions/path>
@ -72,8 +73,6 @@
  @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket.
  @{run}/utmp rk,

-  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
-
  @{sys}/ r,
  @{sys}/block/ r,
  @{sys}/bus/ r,
@ -143,8 +142,6 @@
  owner @{att}/dev/shm/@{uuid} r,

  /dev/hidraw@{int} rw,
-  /dev/input/ r,
-  /dev/input/event@{int} rw,
  /dev/ptmx rw,
  /dev/pts/ptmx rw,
  /dev/tty rw,
--- a/apparmor.d/abstractions/common/game
+++ b/apparmor.d/abstractions/common/game
@ -17,6 +17,7 @@
  include <abstractions/devices-usb>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/graphics>
+  include <abstractions/input>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>

@ -108,11 +109,7 @@

  /dev/ r,
  /dev/hidraw@{int} rw,
-  /dev/input/ r,
-  /dev/input/event@{int} rw,
-  /dev/input/js@{int} rw,
  /dev/tty rw,
-  /dev/uinput rw,

  include if exists <abstractions/common/game.d>

--- a/apparmor.d/abstractions/input
+++ b/apparmor.d/abstractions/input
@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Canonical Ltd
+# Copyright (C) 2022-2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow reading and writing to raw input devices
+
+  abi <abi/4.0>,
+
+  # network netlink raw,
+
+  # Allow reading for supported event reports for all input devices. See
+  # https://www.kernel.org/doc/Documentation/input/event-codes.txt
+  @{sys}/devices/**/input@{int}/capabilities/* r,
+
+  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
+  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
+
+  /dev/input/ r,
+  /dev/input/event@{int} rw,
+  /dev/input/mice rw,
+  /dev/input/mouse@{int} rw,
+
+  include if exists <abstractions/input.d>
+
+# vim:syntax=apparmor