Merge branch 'tunables' of https://github.com/nobody43/apparmor.d into nobody43-tunables

* 'tunables' of https://github.com/nobody43/apparmor.d:
  dbus temp tails
  Update apparmor.d
  Update gdm-runtime-config
  more unrelated changes
  adjust date-time
  random tails
  rename to int, convert more profiles
  fixes
  tunables
Alexandre Pujol 2023-08-17 20:01:53 +01:00
parent 7b018a60bd
commit 557d905543
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
198 changed files with 560 additions and 507 deletions


@ -128,14 +128,14 @@ profile calibre @{exec_path} {
owner @{user_cache_dirs}/calibre/ rw,
owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int},
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw,
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},
owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw,
owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp@{rand6}} rw,
owner @{user_config_dirs}/qt5ct/{,**} r,
@ -146,7 +146,7 @@ profile calibre @{exec_path} {
# owner /tmp/[0-9]*-*/** rwl -> /tmp/[0-9]*-*/**, # newer AA version
owner /tmp/* rw,
owner /dev/shm/#[0-9]*[0-9] rw,
owner /dev/shm/#@{int} rw,
@{sys}/devices/pci[0-9]*/**/irq r,
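Review bot: The `#@{int}` rewrite on the qtshadercache, gstreamer-adjacent and /dev/shm lines of this section is a tightening, because the old `#[0-9]*[0-9]` let `*` match any non-slash characters between the two digits, but the definition of `@{int}` is not part of this diff, so it cannot be checked here whether it bounds the digit count. These `#<number>` entries are presumably the pseudo-paths of anonymous (unlinked) temporary files named after their inode number, which on 64-bit filesystems can reach 20 decimal digits; if the tunable caps the run shorter than that, the narrowed rule will surface as denials on large filesystems rather than as a visible failure in this patch. A comment beside the tunable, e.g. `# @{int}: digit run used for '#<inode>' temp-file names; confirm it covers the longest inode number the target filesystems emit`, would record that assumption. The same caveat applies to `@{rand6}` on the `registry.*.bin{,.tmp@{rand6}}` line, whose definition is likewise out of view. The calibre profile block begins before and ends after this hunk.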


@ -107,7 +107,7 @@ profile dropbox @{exec_path} {
# Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead
owner /tmp/dropbox-antifreeze-* rw,
owner /tmp/[a-zA-z0-9]* rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/#@{int} rw,
owner /var/tmp/etilqs_* rw,
@{run}/systemd/users/@{uid} r,
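Review bot: The context line `owner /tmp/[a-zA-z0-9]* rw,` directly above the rewritten rule uses the range `A-z`, which in ASCII also covers `[`, `\`, `]`, `^`, `_` and the backtick, so the first character of the filename is matched more loosely than the class reads; since this hunk is being touched anyway, `owner /tmp/[a-zA-Z0-9]* rw,` is the likely intent. The new `owner /tmp/#@{int} rw,` line is not subsumed by that rule because `#` is outside the class, so it is still needed. The dropbox profile block starts and ends outside this hunk.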


@ -40,8 +40,8 @@ profile flameshot @{exec_path} {
# Flameshot home files
owner @{user_config_dirs}/flameshot/ rw,
owner @{user_config_dirs}/flameshot/flameshot.ini rw,
owner @{user_config_dirs}/flameshot/#[0-9]*[0-9] rw,
owner @{user_config_dirs}/flameshot/flameshot.ini* rwl -> @{user_config_dirs}/flameshot/#[0-9]*[0-9],
owner @{user_config_dirs}/flameshot/#@{int} rw,
owner @{user_config_dirs}/flameshot/flameshot.ini* rwl -> @{user_config_dirs}/flameshot/#@{int},
owner @{user_config_dirs}/flameshot/flameshot.ini.lock rwk,
owner @{user_config_dirs}/qt5ct/{,**} r,
@ -63,7 +63,7 @@ profile flameshot @{exec_path} {
/etc/fstab r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
# file_inherit
owner /dev/tty[0-9]* rw,
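Review bot: The rewritten `/dev/shm/#@{int} rw,` in the second hunk stays unqualified by `owner`, while the calibre section of this same commit writes the equivalent rule as `owner /dev/shm/#@{int} rw,`. Since the tunable conversion rewrites this exact line, adding `owner` would bring it to the narrower form at no cost, as the process only ever needs the anonymous shm files it created itself; the same unqualified form recurs in the okular, telegram-desktop and vlc sections below. If the broader rule is deliberate (a shared shm file from another uid), a one-line comment stating which peer writes it would keep the next reviewer from tightening it. The flameshot profile block continues outside both hunks.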


@ -39,15 +39,15 @@ profile okular @{exec_path} {
/tmp/mozilla_*/ r,
owner /{home,media,tmp/mozilla_*}/**.@{okular_ext} rw,
owner @{user_config_dirs}/#[0-9]*[0-9] rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/okularrc rw,
owner @{user_config_dirs}/okularrc.lock rwk,
owner @{user_config_dirs}/okularrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
owner @{user_config_dirs}/okularrc.* rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/okularpartrc rw,
owner @{user_config_dirs}/okularpartrc.lock rwk,
owner @{user_config_dirs}/okularpartrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
owner @{user_config_dirs}/okularpartrc.* rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwalletrc r,
@ -72,7 +72,7 @@ profile okular @{exec_path} {
deny @{PROC}/sys/kernel/random/boot_id r,
deny owner @{PROC}/@{pid}/cmdline r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
@ -86,8 +86,8 @@ profile okular @{exec_path} {
# Print to pdf
@{bin}/ps2pdf rPUx,
owner /tmp/@{hex} rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/okular_*.ps rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/#@{int} rw,
owner /tmp/okular_*.ps rwl -> /tmp/#@{int},
# About
/usr/share/kf5/licenses/GPL_V2 r,


@ -51,7 +51,7 @@ profile telegram-desktop @{exec_path} {
# Download dir
owner @{TELEGRAM_WORK_DIR}/ rw,
owner @{TELEGRAM_WORK_DIR}/** rwkl -> @{TELEGRAM_WORK_DIR}/#[0-9]*[0-9],
owner @{TELEGRAM_WORK_DIR}/** rwkl -> @{TELEGRAM_WORK_DIR}/#@{int},
# Telegram's profile (via telegram -many -workdir ~/some/dir/)
#owner @{TELEGRAM_WORK_DIR}/{,**} rw,
@ -62,7 +62,7 @@ profile telegram-desktop @{exec_path} {
owner /tmp/@{hex}-* rwk,
owner @{run}/user/@{uid}/@{hex}-* rwk,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
owner @{PROC}/@{pid}/fd/ r,
deny owner @{PROC}/@{pid}/cmdline r,


@ -161,13 +161,13 @@ profile vlc @{exec_path} {
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/vlc/ rw,
owner @{user_cache_dirs}/vlc/{,**} rw,
owner @{user_config_dirs}/qt5ct/{,**} r,
owner @{user_config_dirs}/vlc/ rw,
owner @{user_config_dirs}/vlc/* rwkl -> @{user_config_dirs}/vlc/#[0-9]*[0-9],
owner @{user_config_dirs}/vlc/* rwkl -> @{user_config_dirs}/vlc/#@{int},
owner @{user_share_dirs}/vlc/{,**} rw,
@ -193,7 +193,7 @@ profile vlc @{exec_path} {
audit @{PROC}/sys/kernel/random/boot_id r,
audit owner @{PROC}/@{pid}/cmdline r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
owner /dev/tty[0-9]* rw,
# Silencer
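Review bot: The first hunk opens with two identical lines, `owner @{user_cache_dirs}/ rw,`, printed back to back; on this rendered page that is either a whitespace-only change shown as old/new, or a genuine duplicate in the profile text, and only the raw diff can tell. If it is the latter, the second copy is redundant and should go while this block is being reworked. The `/dev/shm/#@{int} rw,` rule in the second hunk also lacks the `owner` qualifier that calibre uses for the same path in this commit. The vlc profile block starts and ends outside these hunks.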