felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'tunables' of https://github.com/nobody43/apparmor.d into nobody43-tunables

Browse source 
* 'tunables' of https://github.com/nobody43/apparmor.d:
  dbus temp tails
  Update apparmor.d
  Update gdm-runtime-config
  more unrelated changes
  adjust date-time
  random tails
  rename to int, convert more profiles
  fixes
  tunables
This commit is contained in:
Alexandre Pujol 2023-08-17 20:01:53 +01:00
parent 7b018a60bd
commit 557d905543
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
198 changed files with 560 additions and 507 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/groups/gnome/gdm-runtime-config
View file

@ -13,7 +13,7 @@ profile gdm-runtime-config @{exec_path} {
@{exec_path} mr,
@{run}/gdm{3,}/ rw,
@{run}/gdm{3,}/custom.conf* rw,
@{run}/gdm{3,}/custom.conf{,.@{rand6}} rw,
include if exists <local/gdm-runtime-config>
}

2
apparmor.d/groups/gnome/gdm-session-worker
View file

@ -82,6 +82,8 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
/etc/sysconfig/displaymanager r,
/etc/sysconfig/windowmanager r,
owner @{HOME}/.pam_environment r,
owner @{run}/user/@{uid}/keyring/control rw,
@{run}/cockpit/active.motd r,

2
apparmor.d/groups/gnome/gdm-xsession
View file

@ -54,7 +54,7 @@ profile gdm-xsession @{exec_path} {
/etc/default/im-config r,
/etc/X11/{,**} r,
owner /tmp/gdm{3,}-config-err-?????? rw,
owner /tmp/gdm{3,}-config-err-@{rand6} rw,
# file_inherit
/dev/tty[0-9]* rw,

4
apparmor.d/groups/gnome/gjs-console
View file

@ -89,7 +89,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
/var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
/var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
/var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
@ -98,7 +98,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
owner @{user_cache_dirs}/gstreamer-1.0/ rw,
owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,

20
apparmor.d/groups/gnome/gnome-control-center
View file

@ -35,7 +35,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
signal (send) set=(kill) peer=unconfined,
signal (send) set=(kill) peer=passwd,
unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-*", label=ibus-daemon),
unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
@ -86,6 +86,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
@{lib}/gnome-control-center-print-renderer rPx,
@{lib}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
/usr/share/language-tools/language2locale rix,
/usr/share/language-tools/language-options rPUx,
/snap/*/[0-9]*/**.png r,
/usr/share/backgrounds/{,**} r,
@ -100,13 +101,14 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/usr/share/gnome-shell/search-providers/{,**} r,
/usr/share/gnome/gnome-version.xml r,
/usr/share/libdrm/*.ids r,
/usr/share/language-tools/main-countries r,
/usr/share/mime/{,**} r,
/usr/share/pipewire/client.conf r,
/usr/share/thumbnailers/{,*} r,
/usr/share/wallpapers/{,**} r,
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
/usr/share/zoneinfo/{,**} r,
# freedesktop.org-strict
/usr/share/*ubuntu/applications/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
@ -134,22 +136,27 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
owner @{user_cache_dirs}/thumbnails/{,**} rw,
owner @{user_config_dirs}/gnome-control-center/{,**} rw,
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]} r,
owner @{user_config_dirs}/mimeapps.list* rw,
owner @{user_config_dirs}/rygel.conf{,.??????} rw,
owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw,
owner @{user_share_dirs}/backgrounds/{,**} rw,
owner @{user_share_dirs}/icc/{,edid-*} r,
owner @{user_share_dirs}/sounds/__custom/{,*} rw,
owner @{user_share_dirs}/webkitgtk/{,**} r,
owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw,
owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,
owner @{user_share_dirs}/gnome-remote-desktop/ w,
owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw,
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w,
owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid} rwk,
owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid}.lock rwk,
owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
owner @{run}/user/@{uid}/wayland-@{int} rw,
@{run}/cups/cups.sock rw,
@{run}/samba/ rw,
@{run}/systemd/sessions/ r,
@ -190,6 +197,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/statm r,
owner @{PROC}/@{pid}/task/*/comm rw,
owner @{PROC}/@{pid}/loginuid r,
@{PROC}/cmdline r,
@{PROC}/zoneinfo r,

6
apparmor.d/groups/gnome/gnome-remote-desktop-daemon
View file

@ -13,12 +13,18 @@ profile gnome-remote-desktop-daemon @{exec_path} {
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/openssl>
include <abstractions/vulkan>
network inet stream,
network inet6 stream,
@{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{run}/user/@{uid}/wayland-@{int} rw,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,

2
apparmor.d/groups/gnome/gnome-session-binary
View file

@ -214,7 +214,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
/var/lib/flatpak/exports/share/mime/mime.cache r,
/var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,
owner /tmp/dirs-?????? rw,
owner /tmp/dirs-@{rand6} rw,
owner @{user_config_dirs}/autostart/{,*.desktop} r,
owner @{user_config_dirs}/gnome-session/ rw,

2
apparmor.d/groups/gnome/gnome-session-ctl
View file

@ -21,7 +21,7 @@ profile gnome-session-ctl @{exec_path} {
member=Initialized
peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
unix (send, receive, connect) type=stream peer=(addr=@/tmp/dbus-*, label=dbus-daemon),
unix (send, receive, connect) type=stream peer=(addr=@/tmp/dbus-????????, label=dbus-daemon),
@{exec_path} mr,

20
apparmor.d/groups/gnome/gnome-shell
View file

@ -52,7 +52,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),
unix (send,receive) type=stream addr=none peer=(label=xkbcomp),
unix (send,receive) type=stream addr=none peer=(label=xwayland),
unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-*", label=ibus-daemon),
unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon),
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
@ -514,20 +514,20 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
/etc/xdg/menus/gnome-applications.menu r,
/var/lib/gdm{3,}/.cache/ w,
/var/lib/gdm{3,}/.cache/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk,
/var/lib/gdm{3,}/.cache/event-sound-cache.tdb.@{md5}.x86_64-pc-linux-gnu rwk,
/var/lib/gdm{3,}/.cache/fontconfig/{,*} rwl,
/var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/ rw,
/var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
/var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp@{rand6}} rw,
/var/lib/gdm{3,}/.cache/libgweather/ r,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/ rw,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex} rw,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/.config/ibus/ rw,
/var/lib/gdm{3,}/.config/ibus/bus/ rw,
/var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r,
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
/var/lib/gdm{3,}/.config/pulse/ r,
/var/lib/gdm{3,}/.config/pulse/client.conf r,
/var/lib/gdm{3,}/.config/pulse/cookie rwk,
@ -554,7 +554,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{user_games_dirs}/**/*.{png,jpg} r,
owner @{user_music_dirs}/**/*.{png,jpg} r,
owner @{user_config_dirs}/.goutputstream{,*} rw,
owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw,
owner @{user_config_dirs}/ibus/ w,
owner @{user_config_dirs}/monitors.xml{,~} rwl,
owner @{user_config_dirs}/pulse/ r,
@ -578,10 +578,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
owner @{run}/user/@{uid}/systemd/notify rw,
owner @{run}/user/@{uid}/wayland-[0-9]* rwk,
owner @{run}/user/@{uid}/wayland-@{int} rwk,
owner /dev/shm/.org.chromium.Chromium.* rw,
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,

1
apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gnome-shell-hotplug-sniffer
profile gnome-shell-hotplug-sniffer @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-session-strict>
@{exec_path} mr,

4
apparmor.d/groups/gnome/gnome-software
View file

@ -71,7 +71,7 @@ profile gnome-software @{exec_path} {
/var/tmp/flatpak-cache-*/ rw,
/var/tmp/flatpak-cache-*/** rwkl,
/var/tmp/#[0-9]* rw,
/var/tmp/#@{int} rw,
owner @{HOME}/.var/app/{,**} rw,
@ -86,7 +86,7 @@ profile gnome-software @{exec_path} {
owner /tmp/ostree-gpg-*/ rw,
owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
owner /tmp/#[0-9]* rw,
owner /tmp/#@{int} rw,
owner @{run}/user/@{uid}/.dbus-proxy/ rw,
owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-[0-9A-Z]* rw,

2
apparmor.d/groups/gnome/gnome-terminal-server
View file

@ -49,7 +49,7 @@ profile gnome-terminal-server @{exec_path} {
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner /tmp/#[0-9]* rw,
owner /tmp/#@{int} rw,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/cgroup r,

1
apparmor.d/groups/gnome/gsd-housekeeping
View file

@ -79,6 +79,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pids}/mountinfo r,
@{run}/mount/utab r,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
owner /dev/tty[0-9]* rw,

2
apparmor.d/groups/gnome/gsd-xsettings
View file

@ -141,7 +141,7 @@ profile gsd-xsettings @{exec_path} {
owner @{user_cache_dirs}/mesa_shader_cache/index rw,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
@{run}/systemd/sessions/* r,
@{run}/systemd/users/@{uid} r,

2
apparmor.d/groups/gnome/kgx
View file

@ -40,7 +40,7 @@ profile kgx @{exec_path} {
/usr/share/themes/{,**} r,
/usr/share/X11/xkb/{,**} r,
owner /tmp/#[0-9]* rw,
owner /tmp/#@{int} rw,
@{PROC}/ r,
@{PROC}/@{pids}/cmdline r,

4
apparmor.d/groups/gnome/mutter-x11-frames
View file

@ -23,7 +23,7 @@ profile mutter-x11-frames @{exec_path} {
@{exec_path} mr,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
include if exists <local/mutter-x11-frames>
}
}

4
apparmor.d/groups/gnome/tracker-extract
View file

@ -83,10 +83,10 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm{3,}/.cache/ rw,
/var/lib/gdm{3,}/.cache/tracker3/{,**} rw,
/var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
/var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
/var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
/var/lib/lightdm/.cache/gstreamer-1.0/registry.*.bin{,.tmp??????} r,
/var/lib/lightdm/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} r,
/var/lib/flatpak/exports/share/applications/mimeinfo.cache r,
/var/lib/flatpak/exports/share/mime/mime.cache r,

2
apparmor.d/groups/gnome/tracker-miner
View file

@ -88,7 +88,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
/var/lib/lightdm/.config/dconf/user r,
/var/lib/lightdm/.cache/tracker3/files/meta.db{,-wal} rwk,
/var/lib/lightdm/.cache/tracker3/files/no-need-mtime-check.txt{,.??????} rw,
/var/lib/lightdm/.cache/tracker3/files/no-need-mtime-check.txt{,.@{rand6}} rw,
owner /var/tmp/etilqs_@{hex} rw,