Merge branch 'tunables' of https://github.com/nobody43/apparmor.d into nobody43-tunables
* 'tunables' of https://github.com/nobody43/apparmor.d: dbus temp tails Update apparmor.d Update gdm-runtime-config more unrelated changes adjust date-time random tails rename to int, convert more profiles fixes tunables
This commit is contained in:
parent
7b018a60bd
commit
557d905543
198 changed files with 560 additions and 507 deletions
|
|
@ -38,7 +38,7 @@ profile baloo @{exec_path} {
|
|||
owner @{MOUNTS}/{,**} r,
|
||||
owner /tmp/*/{,**} r,
|
||||
|
||||
owner @{user_config_dirs}/#[0-9]* rw,
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/baloofilerc rwl,
|
||||
owner @{user_config_dirs}/baloofilerc.lock rwkl,
|
||||
|
||||
|
|
|
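Review bot: The definitions of `@{int}` and `@{rand6}` are not on this page, and the meaning of every converted rule depends on them. The old `#[0-9]*` glob replaced here (and in the other `#[0-9]*` conversions in this merge) also matched a bare `#` with no digits, so `owner @{user_config_dirs}/#@{int} rw,` is only a tightening if the alias requires at least one digit; that should be confirmed against the tunables file this merge introduces. The profiles converted from `#[0-9]*[0-9]` (kscreenlocker-greet, kwalletd5, kwalletmanager5, sddm-greeter) already required a digit, so for them the change only alters the permitted digit count if `@{int}` bounds it. A one-line comment next to each alias definition stating its character set and length would make the 198 file changes reviewable without re-deriving this.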
|||
|
|
@ -22,9 +22,9 @@ profile drkonqi @{exec_path} {
|
|||
/usr/share/drkonqi/{,**} r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
|
||||
@{run}/user/@{uid}/xauth_* rl,
|
||||
@{run}/user/@{uid}/xauth_@{rand6} rl,
|
||||
|
||||
/dev/tty r,
|
||||
|
||||
include if exists <local/drkonqi>
|
||||
}
|
||||
}
|
||||
|
|
|
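Review bot: The converted line `@{run}/user/@{uid}/xauth_@{rand6} rl,` is not `owner`-qualified, whereas the same path in kioslave5, ksmserver and xsettingsd carries `owner`. The unqualified form also appears in the kalendarac, kcminit, startplasma, xdm-xsession and xembedsniproxy hunks on this page. Unless these processes genuinely need to read another user's xauth cookie from that user's runtime directory, `owner @{run}/user/@{uid}/xauth_@{rand6} rl,` is the least-privilege form and matches the rest of the set; if the asymmetry is deliberate, a short comment on the line explaining why would stop it being "fixed" later.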
|||
|
|
@ -23,8 +23,8 @@ profile gmenudbusmenuproxy @{exec_path} {
|
|||
/etc/machine-id r,
|
||||
|
||||
owner @{HOME}/.gtkrc-2.0 rw,
|
||||
owner @{user_config_dirs}/gtk-{2,3}.0/#[0-9]* rw,
|
||||
owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.??????} rwl,
|
||||
owner @{user_config_dirs}/gtk-{2,3}.0/#@{int} rw,
|
||||
owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.@{rand6}} rwl,
|
||||
owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock rwk,
|
||||
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
|
|
|||
|
|
@ -38,9 +38,9 @@ profile kaccess @{exec_path} {
|
|||
|
||||
owner @{user_share_dirs}/mime/generic-icons r,
|
||||
|
||||
owner /tmp/xauth_?????? r,
|
||||
owner /tmp/xauth_@{rand6} r,
|
||||
|
||||
owner @{run}/user/@{uid}/xauth_?????? r,
|
||||
owner @{run}/user/@{uid}/xauth_@{rand6} r,
|
||||
|
||||
@{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
|
||||
|
||||
|
|
|
|||
|
|
@ -32,23 +32,23 @@ profile kalendarac @{exec_path} {
|
|||
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
|
||||
owner @{user_config_dirs}/#[0-9]* rw,
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/akonadi-firstrunrc r,
|
||||
owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,
|
||||
owner @{user_config_dirs}/emaildefaults r,
|
||||
owner @{user_config_dirs}/emailidentities r,
|
||||
owner @{user_config_dirs}/kalendaracrc rw,
|
||||
owner @{user_config_dirs}/kalendaracrc.?????? rwl,
|
||||
owner @{user_config_dirs}/kalendaracrc.@{rand6} rwl,
|
||||
owner @{user_config_dirs}/kalendaracrc.lock rwk,
|
||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/kmail2rc r,
|
||||
|
||||
@{run}/user/@{uid}/xauth_* rl,
|
||||
@{run}/user/@{uid}/xauth_@{rand6} rl,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
||||
/dev/tty r,
|
||||
|
||||
include if exists <local/kalendarac>
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -28,9 +28,9 @@ profile kcminit @{exec_path} {
|
|||
|
||||
owner @{HOME}/.Xdefaults r,
|
||||
|
||||
owner @{user_config_dirs}/#[0-9]* rw,
|
||||
owner @{user_config_dirs}/gtkrc-2.0{,.??????} rwl,
|
||||
owner @{user_config_dirs}/gtkrc{,.??????} rwl,
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/gtkrc-2.0{,.@{rand6}} rwl,
|
||||
owner @{user_config_dirs}/gtkrc{,.@{rand6}} rwl,
|
||||
owner @{user_config_dirs}/kcminputrc r,
|
||||
owner @{user_config_dirs}/kdedefaults/kcminputrc r,
|
||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
||||
|
|
@ -40,16 +40,16 @@ profile kcminit @{exec_path} {
|
|||
owner @{user_config_dirs}/kwinrc r,
|
||||
owner @{user_config_dirs}/touchpadrc r,
|
||||
owner @{user_config_dirs}/Trolltech.conf.lock rwk,
|
||||
owner @{user_config_dirs}/Trolltech.conf{,.??????} rwl,
|
||||
owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
|
||||
|
||||
owner /tmp/kcminit.?????? rwl,
|
||||
owner /tmp/#[0-9]* rw,
|
||||
owner /tmp/kcminit.@{rand6} rwl,
|
||||
owner /tmp/#@{int} rw,
|
||||
|
||||
@{run}/user/@{uid}/xauth_* rl,
|
||||
@{run}/user/@{uid}/xauth_@{rand6} rl,
|
||||
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
/dev/tty r,
|
||||
|
||||
include if exists <local/kcminit>
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -34,7 +34,7 @@ profile kconf_update @{exec_path} {
|
|||
/etc/machine-id r,
|
||||
/etc/xdg/kdeglobals r,
|
||||
|
||||
owner @{user_config_dirs}/#[0-9]* rw,
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/akregatorrc r,
|
||||
owner @{user_config_dirs}/kateschemarc r,
|
||||
owner @{user_config_dirs}/kcminputrc r,
|
||||
|
|
@ -59,10 +59,10 @@ profile kconf_update @{exec_path} {
|
|||
owner @{user_config_dirs}/kxkbrc.lock rwk,
|
||||
owner @{user_config_dirs}/plasmashellrc r,
|
||||
|
||||
owner /tmp/#[0-9]* rw,
|
||||
owner /tmp/kconf_update.* rwl,
|
||||
owner /tmp/#@{int} rw,
|
||||
owner /tmp/kconf_update.@{rand6} rwl,
|
||||
|
||||
@{PROC}/@{sys}/kernel/random/boot_id r,
|
||||
|
||||
include if exists <local/kconf_update>
|
||||
}
|
||||
}
|
||||
|
|
|
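Review bot: The context line `@{PROC}/@{sys}/kernel/random/boot_id r,` in the second hunk looks like a stray `@{sys}`: every other profile on this page spells the same read `@{PROC}/sys/kernel/random/boot_id r,` (kcminit, kglobalaccel5, startplasma, gmenudbusmenuproxy). If `@{sys}` expands to an absolute `/sys` path the rule cannot match `/proc/sys/kernel/random/boot_id` and that read is silently denied. This is not introduced by the merge, but since the file is already being touched, changing it to `@{PROC}/sys/kernel/random/boot_id r,` would bring it in line with the others.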
|||
|
|
@ -29,7 +29,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
|
|||
|
||||
owner @{user_cache_dirs}/kcrash-metadata/{,*} rw,
|
||||
|
||||
owner @{user_config_dirs}/#[0-9]* rw,
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/powerdevilrc rwl -> @{user_config_dirs}/#[0-9]*,
|
||||
|
|
|
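Review bot: The link target on the last context line of the hunk, `owner @{user_config_dirs}/powerdevilrc rwl -> @{user_config_dirs}/#[0-9]*,`, still uses the old `#[0-9]*` glob although the rule two lines above was converted to `#@{int}`. If `@{int}` turns out narrower than `[0-9]*` the two rules stop describing the same temp files and the atomic-save link could be refused while the plain write is allowed; it should become `owner @{user_config_dirs}/powerdevilrc rwl -> @{user_config_dirs}/#@{int},`. The profile body continues outside the hunk, so any further `#[0-9]*` link targets in this file cannot be checked from here.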
|||
|
|
@ -71,7 +71,7 @@ profile kded5 @{exec_path} {
|
|||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_cache_dirs}/ksycoca5_* r,
|
||||
|
||||
owner @{user_config_dirs}/#[0-9]* rw,
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/bluedevilglobalrc rk,
|
||||
owner @{user_config_dirs}/bluedevilglobalrc* rwkl,
|
||||
owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl,
|
||||
|
|
@ -108,11 +108,11 @@ profile kded5 @{exec_path} {
|
|||
owner @{user_share_dirs}/remoteview/ r,
|
||||
owner @{user_share_dirs}/services5/{,**} r,
|
||||
|
||||
owner @{run}/user/@{uid}/#[0-9]* rw,
|
||||
owner @{run}/user/@{uid}/#@{int} rw,
|
||||
owner @{run}/user/@{uid}/gvfs/ r,
|
||||
owner @{run}/user/@{uid}/kded5*kioworker.socket rwl,
|
||||
|
||||
owner /tmp/plasma-csd-generator.??????/{,**} rw,
|
||||
owner /tmp/plasma-csd-generator.@{rand6}/{,**} rw,
|
||||
|
||||
@{PROC}/@{pids}/cmdline/ r,
|
||||
@{PROC}/@{pids}/fd/ r,
|
||||
|
|
|
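Review bot: The first kded5 hunk converts the `#[0-9]*` temp file but leaves `owner @{user_config_dirs}/bluedevilglobalrc* rwkl,` with an open `*` suffix, which also covers the `.lock` file and any other name sharing that prefix. Elsewhere in this merge such suffixes are narrowed to `.@{rand6}` (kconf_update's `/tmp/kconf_update.@{rand6}`, ksmserver's `ksmserverrc.@{rand6}`), yet the same open globs remain in kglobalaccel5 (`kglobalshortcutsrc*`), kwalletd5 (`*.kwl.*`, `/tmp/kwalletd5.*`) and kwalletmanager5 (`kwalletmanager5rc.*`, `kwalletrc.*`), even on lines whose link target was converted to `#@{int}`. If these files follow the same `<name>.<six random chars>` save pattern as the converted ones, `owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl,` with a separate `owner @{user_config_dirs}/bluedevilglobalrc.lock rwk,` would be the consistent form; if the wider glob is really needed, a comment saying why would keep the next conversion pass from tightening it.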
|||
|
|
@ -22,9 +22,9 @@ profile kglobalaccel5 @{exec_path} {
|
|||
|
||||
/etc/machine-id r,
|
||||
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/kglobalshortcutsrc* rwl,
|
||||
owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
|
||||
owner @{user_config_dirs}/#[0-9]* rw,
|
||||
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
|
@ -32,4 +32,4 @@ profile kglobalaccel5 @{exec_path} {
|
|||
/dev/tty r,
|
||||
|
||||
include if exists <local/kglobalaccel5>
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -61,9 +61,9 @@ profile kioslave5 @{exec_path} {
|
|||
owner @{user_share_dirs}/baloo/index-lock rwk,
|
||||
owner @{user_share_dirs}/baloo/index rw,
|
||||
|
||||
owner @{run}/user/@{uid}/#[0-9]* rw,
|
||||
owner @{run}/user/@{uid}/#@{int} rw,
|
||||
owner @{run}/user/@{uid}/kio_desktop*kioworker.socket rwl,
|
||||
owner @{run}/user/@{uid}/xauth_* rl,
|
||||
owner @{run}/user/@{uid}/xauth_@{rand6} rl,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
|
@ -72,4 +72,4 @@ profile kioslave5 @{exec_path} {
|
|||
/dev/tty r,
|
||||
|
||||
include if exists <local/kioslave5>
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -71,12 +71,12 @@ profile kscreenlocker-greet @{exec_path} {
|
|||
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements-default_v* r,
|
||||
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
|
||||
owner @{user_cache_dirs}/plasma-svgelements{,.??????} rwl,
|
||||
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
|
||||
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwl,
|
||||
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int},
|
||||
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw,
|
||||
owner @{user_cache_dirs}/qtshadercache/ rw,
|
||||
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
|
||||
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
|
||||
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},
|
||||
owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
|
||||
|
||||
owner @{user_config_dirs}/kdedefaults/* r,
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
|
|
@ -85,7 +85,7 @@ profile kscreenlocker-greet @{exec_path} {
|
|||
owner @{user_config_dirs}/plasmarc r,
|
||||
|
||||
# If one is blocked, the others are probed.
|
||||
deny owner @{HOME}/#[0-9]*[0-9] mrw,
|
||||
deny owner @{HOME}/#@{int} mrw,
|
||||
owner @{HOME}/.glvnd* mrw,
|
||||
|
||||
owner /tmp/*-cover-*.{jpg,png} r,
|
||||
|
|
|
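Review bot: The second hunk changes the glob of a `deny` rule, `deny owner @{HOME}/#@{int} mrw,`, and the sddm-greeter hunk does the same; for a deny rule a narrower glob has the opposite effect of the allow-rule conversions. Any name that `#[0-9]*[0-9]` matched but `@{int}` does not (for example more digits than the alias allows, if it is bounded) is no longer quietly refused by the explicit deny and instead falls to the default denial, which is logged, which is exactly the noise the comment `# If one is blocked, the others are probed.` exists to suppress. Confirm that `@{int}` covers every temp-file name the probe generates, or keep the wider glob on the deny line only.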
|||
|
|
@ -44,10 +44,10 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
/etc/xdg/kwinrc r,
|
||||
/etc/xdg/menus/ r,
|
||||
|
||||
owner @{HOME}/?????? rw,
|
||||
owner @{HOME}/@{rand6} rw,
|
||||
owner @{HOME}/.Xauthority rw,
|
||||
|
||||
owner @{user_cache_dirs}/#[0-9]* rw,
|
||||
owner @{user_cache_dirs}/#@{int} rw,
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_cache_dirs}/fontconfig/*-le64.cache-* r,
|
||||
owner @{user_cache_dirs}/ksycoca5_* rl,
|
||||
|
|
@ -56,18 +56,18 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
owner @{user_config_dirs}/kdedefaults/* r,
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/kscreenlockerrc r,
|
||||
owner @{user_config_dirs}/ksmserverrc.?????? rwl,
|
||||
owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl,
|
||||
owner @{user_config_dirs}/ksmserverrc r,
|
||||
owner @{user_config_dirs}/#[0-9]* rw,
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/ksmserverrc.lock rwk,
|
||||
owner @{user_config_dirs}/kwinrc r,
|
||||
owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw,
|
||||
|
||||
owner /tmp/?????? rw,
|
||||
owner /tmp/@{rand6} rw,
|
||||
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
owner @{run}/user/@{uid}/KSMserver__[0-9] rw,
|
||||
owner @{run}/user/@{uid}/xauth_* rl,
|
||||
owner @{run}/user/@{uid}/xauth_@{rand6} rl,
|
||||
|
||||
@{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
|
||||
|
||||
|
|
|
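Review bot: `owner @{HOME}/@{rand6} rw,` and `owner /tmp/@{rand6} rw,` grant read/write on any entry directly under the home directory (or `/tmp`) whose name matches the alias, with no prefix tying it to ksmserver. Whether that still includes dot-files of the same length depends on the character set `@{rand6}` is defined with, which is not on this page; the old `??????` glob did include them. A comment on the line such as `# <creator> temp files; relies on @{rand6} excluding '.'` plus a check of the alias definition would make the intended scope verifiable rather than implied.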
|||
|
|
@ -55,19 +55,19 @@ profile kwalletd5 @{exec_path} {
|
|||
owner @{user_share_dirs}/kwalletd/ rw,
|
||||
owner @{user_share_dirs}/kwalletd/kdewallet_attributes.json r,
|
||||
owner @{user_share_dirs}/kwalletd/*.kwl rw,
|
||||
owner @{user_share_dirs}/kwalletd/*.kwl.* rwl -> @{user_share_dirs}/kwalletd/#[0-9]*[0-9],
|
||||
owner @{user_share_dirs}/kwalletd/*.kwl.* rwl -> @{user_share_dirs}/kwalletd/#@{int},
|
||||
owner @{user_share_dirs}/kwalletd/*.salt rw,
|
||||
owner @{user_share_dirs}/kwalletd/#[0-9]*[0-9] rw,
|
||||
owner @{user_share_dirs}/kwalletd/#@{int} rw,
|
||||
|
||||
owner /tmp/kwalletd5.* rw,
|
||||
owner /tmp/runtime-*/xauth_?????? r,
|
||||
owner /tmp/xauth_?????? r,
|
||||
owner /tmp/runtime-*/xauth_@{rand6} r,
|
||||
owner /tmp/xauth_@{rand6} r,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
/dev/shm/#[0-9]*[0-9] rw,
|
||||
/dev/shm/#@{int} rw,
|
||||
|
||||
profile gpg {
|
||||
include <abstractions/base>
|
||||
|
|
|
|||
|
|
@ -37,16 +37,16 @@ profile kwalletmanager5 @{exec_path} {
|
|||
/var/lib/dbus/machine-id r,
|
||||
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/qt5ct/{,**} r,
|
||||
owner @{user_config_dirs}/#[0-9]*[0-9] rw,
|
||||
owner @{user_config_dirs}/kwalletmanager5rc rw,
|
||||
owner @{user_config_dirs}/kwalletmanager5rc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
|
||||
owner @{user_config_dirs}/kwalletmanager5rc.* rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kwalletmanager5rc.lock rwk,
|
||||
owner @{user_config_dirs}/kwalletrc rw,
|
||||
owner @{user_config_dirs}/kwalletrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
|
||||
owner @{user_config_dirs}/kwalletrc.* rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kwalletrc.lock rwk,
|
||||
owner @{user_config_dirs}/session/#[0-9]*[0-9] rw,
|
||||
owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#[0-9]*[0-9],
|
||||
owner @{user_config_dirs}/session/#@{int} rw,
|
||||
owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#@{int},
|
||||
owner @{user_config_dirs}/session/kwalletmanager5_*.lock rwk,
|
||||
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
|
|
@ -60,7 +60,7 @@ profile kwalletmanager5 @{exec_path} {
|
|||
@{PROC}/@{pid}/mounts r,
|
||||
|
||||
/dev/shm/ r,
|
||||
/dev/shm/#[0-9]*[0-9] rw,
|
||||
/dev/shm/#@{int} rw,
|
||||
|
||||
include if exists <local/kwalletmanager5>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -46,33 +46,33 @@ profile kwin_x11 @{exec_path} {
|
|||
owner @{HOME}/.Xauthority r,
|
||||
|
||||
owner @{user_cache_dirs}/ r,
|
||||
owner @{user_cache_dirs}/#[0-9]* rw,
|
||||
owner @{user_cache_dirs}/#@{int} rw,
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_cache_dirs}/kcrash-metadata/*.ini rw,
|
||||
owner @{user_cache_dirs}/kwin/{,**} rwl,
|
||||
owner @{user_cache_dirs}/plasmarc r,
|
||||
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
|
||||
owner @{user_cache_dirs}/plasma-svgelements{,.??????} rwl,
|
||||
owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwl,
|
||||
owner @{user_cache_dirs}/qtshadercache-*/@{hex} r,
|
||||
owner @{user_cache_dirs}/session/#[0-9]* rw,
|
||||
owner @{user_cache_dirs}/session/#@{int} rw,
|
||||
|
||||
owner @{user_config_dirs}/#[0-9]* rw,
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/kcminputrc r,
|
||||
owner @{user_config_dirs}/kdedefaults/* r,
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/kwinrc.lock rwk,
|
||||
owner @{user_config_dirs}/kwinrc{,.??????} rwl,
|
||||
owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl,
|
||||
owner @{user_config_dirs}/kwinrulesrc r,
|
||||
owner @{user_config_dirs}/kxkbrc r,
|
||||
owner @{user_config_dirs}/session/kwin_* rwk,
|
||||
owner @{user_config_dirs}/plasmarc r,
|
||||
|
||||
owner /tmp/#[0-9]* rw,
|
||||
owner /tmp/kwin.?????? rwl,
|
||||
owner /tmp/#@{int} rw,
|
||||
owner /tmp/kwin.@{rand6} rwl,
|
||||
|
||||
owner @{run}/user/@{uid}/kcrash_[0-9]* rw,
|
||||
owner @{run}/user/@{uid}/xauth_* rl,
|
||||
owner @{run}/user/@{uid}/xauth_@{rand6} rl,
|
||||
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node[0-9]*/meminfo r,
|
||||
|
|
|
|||
|
|
@ -49,7 +49,7 @@ profile plasma-discover @{exec_path} {
|
|||
|
||||
/var/tmp/flatpak-cache-*/ rw,
|
||||
/var/tmp/flatpak-cache-*/** rwkl,
|
||||
/var/tmp/#[0-9]* rw,
|
||||
/var/tmp/#@{int} rw,
|
||||
|
||||
/var/cache/swcatalog/ rw,
|
||||
|
||||
|
|
@ -63,7 +63,7 @@ profile plasma-discover @{exec_path} {
|
|||
owner @{user_cache_dirs}/kio_http/ w,
|
||||
|
||||
owner @{user_config_dirs}/ r,
|
||||
owner @{user_config_dirs}/#[0-9]* rwl,
|
||||
owner @{user_config_dirs}/#@{int} rwl,
|
||||
owner @{user_config_dirs}/discoverrc rwl,
|
||||
owner @{user_config_dirs}/discoverrc.lock rwk,
|
||||
owner @{user_config_dirs}/kde.org/{,**} rwlk,
|
||||
|
|
|
|||
|
|
@ -91,19 +91,19 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
owner @{user_templates_dirs}/ r,
|
||||
|
||||
owner @{user_cache_dirs}/ r,
|
||||
owner @{user_cache_dirs}/#[0-9]* rwk,
|
||||
owner @{user_cache_dirs}/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk,
|
||||
owner @{user_cache_dirs}/#@{int} rwk,
|
||||
owner @{user_cache_dirs}/event-sound-cache.tdb.@{md5}.x86_64-pc-linux-gnu rwk,
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_cache_dirs}/ksycoca5_* rl,
|
||||
owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw,
|
||||
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements.?????? rwlk,
|
||||
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwlk,
|
||||
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
|
||||
owner @{user_cache_dirs}/plasma-svgelements* rwl,
|
||||
owner @{user_cache_dirs}/plasmashell/qmlcache/{,**} rwl,
|
||||
|
||||
owner @{user_config_dirs}/#@{int} rwk,
|
||||
owner @{user_config_dirs}/*kde*.desktop* r,
|
||||
owner @{user_config_dirs}/#[0-9]* rwk,
|
||||
owner @{user_config_dirs}/akonadi-firstrunrc r,
|
||||
owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,
|
||||
owner @{user_config_dirs}/baloofilerc r,
|
||||
|
|
@ -128,7 +128,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
owner @{user_config_dirs}/pulse/cookie rwk,
|
||||
owner @{user_config_dirs}/trashrc r,
|
||||
|
||||
owner @{user_share_dirs}/#[0-9]* rw,
|
||||
owner @{user_share_dirs}/#@{int} rw,
|
||||
owner @{user_share_dirs}/akonadi/search_db/{,**} r,
|
||||
owner @{user_share_dirs}/kactivitymanagerd/resources/database rk,
|
||||
owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk,
|
||||
|
|
@ -138,7 +138,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
owner @{user_share_dirs}/kpeople/persondb rwk,
|
||||
owner @{user_share_dirs}/kpeoplevcard/ r,
|
||||
owner @{user_share_dirs}/krunnerstaterc rwl,
|
||||
owner @{user_share_dirs}/krunnerstaterc.?????? rwl,
|
||||
owner @{user_share_dirs}/krunnerstaterc.@{rand6} rwl,
|
||||
owner @{user_share_dirs}/krunnerstaterc.lock rwk,
|
||||
owner @{user_share_dirs}/ktp/cache.db rwk,
|
||||
owner @{user_share_dirs}/plasma_icons/*.desktop r,
|
||||
|
|
@ -146,9 +146,9 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
owner @{user_share_dirs}/user-places.xbel r,
|
||||
|
||||
@{run}/user/@{uid}/gvfs/ r,
|
||||
owner @{run}/user/@{uid}/#[0-9]* rw,
|
||||
owner @{run}/user/@{uid}/#@{int} rw,
|
||||
owner @{run}/user/@{uid}/kdesud_:1 w,
|
||||
owner @{run}/user/@{uid}/plasmashell??????.[0-9].kioworker.socket rwl,
|
||||
owner @{run}/user/@{uid}/plasmashell@{rand6}.[0-9].kioworker.socket rwl,
|
||||
owner @{run}/user/@{uid}/pulse/ rw,
|
||||
|
||||
@{sys}/bus/ r,
|
||||
|
|
|
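Review bot: The narrowing of `owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwlk,` in the first hunk has no effect on `rwl` while the context line `owner @{user_cache_dirs}/plasma-svgelements* rwl,` a few lines below still matches every name with that prefix; only the `k` permission is actually specific to the `@{rand6}` form. Replacing the wildcard line with the explicit names it is meant to cover (the base file, and whatever else exists, kscreenlocker-greet's hunk shows `plasma-svgelements-default_v*` as one candidate) would make the conversion meaningful, since the `.lock rwk` line is already separate. The same hunk also introduces `@{md5}`, another alias whose definition is not on this page and should be confirmed alongside `@{int}` and `@{rand6}`.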
|||
|
|
@ -123,18 +123,18 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
|
||||
/tmp/sddm-* rw,
|
||||
owner /tmp/*/{,s} rw,
|
||||
owner /tmp/#[0-9]* rw,
|
||||
owner /tmp/#@{int} rw,
|
||||
owner /tmp/sddm-auth* rw,
|
||||
owner /tmp/xauth_?????? rwl -> /tmp/#[0-9]*,
|
||||
owner /tmp/xauth_@{rand6} rwl -> /tmp/#@{int},
|
||||
|
||||
@{run}/faillock/[a-zA-z0-9]* rwk,
|
||||
@{run}/sddm.pid rw,
|
||||
@{run}/sddm/\{@{uuid}\} rw,
|
||||
@{run}/sddm/xauth_?????? rwl -> @{run}/sddm/#[0-9]*,
|
||||
@{run}/sddm/xauth_@{rand6} rwl -> @{run}/sddm/#@{int},
|
||||
@{run}/systemd/sessions/*.ref rw,
|
||||
@{run}/user/@{uid}/xauth_?????? rwl,
|
||||
@{run}/user/@{uid}/xauth_@{rand6} rwl,
|
||||
owner @{run}/sddm/ rw,
|
||||
owner @{run}/user/@{uid}/#[0-9]* rw,
|
||||
owner @{run}/user/@{uid}/#@{int} rw,
|
||||
owner @{run}/user/@{uid}/kwallet5.socket rw,
|
||||
|
||||
@{PROC}/ r,
|
||||
|
|
|
|||
|
|
@ -48,7 +48,7 @@ profile sddm-greeter @{exec_path} {
|
|||
/var/lib/dbus/machine-id r,
|
||||
|
||||
owner /var/lib/sddm/** rw,
|
||||
owner /var/lib/sddm/#[0-9]*[0-9] mrw,
|
||||
owner /var/lib/sddm/#@{int} mrw,
|
||||
owner /var/lib/sddm/.cache/** mrwkl -> /var/lib/sddm/.cache/**,
|
||||
/var/lib/sddm/state.conf r,
|
||||
|
||||
|
|
@ -64,11 +64,11 @@ profile sddm-greeter @{exec_path} {
|
|||
owner @{user_config_dirs}/qt5ct/{,**} r,
|
||||
|
||||
# If one is blocked, the others are probed.
|
||||
deny owner @{HOME}/#[0-9]*[0-9] mrw,
|
||||
deny owner @{HOME}/#@{int} mrw,
|
||||
owner @{HOME}/.glvnd* mrw,
|
||||
|
||||
owner /tmp/runtime-sddm/ rw,
|
||||
owner /tmp/xauth_?????? rw,
|
||||
owner /tmp/xauth_@{rand6} rw,
|
||||
|
||||
owner @{run}/sddm/{,*} rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -37,12 +37,12 @@ profile startplasma @{exec_path} {
|
|||
owner @{HOME}/.Xauthority r,
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/#[0-9]* rw,
|
||||
owner @{user_cache_dirs}/#@{int} rw,
|
||||
owner @{user_cache_dirs}/kcrash-metadata/ rw,
|
||||
owner @{user_cache_dirs}/ksycoca5_* rwkl,
|
||||
owner @{user_cache_dirs}/plasma-svgelements rw,
|
||||
|
||||
owner @{user_config_dirs}/#[0-9]* rw,
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/gtkrc rl,
|
||||
owner @{user_config_dirs}/gtkrc-2.0 rl,
|
||||
owner @{user_config_dirs}/kcminputrc r,
|
||||
|
|
@ -63,10 +63,10 @@ profile startplasma @{exec_path} {
|
|||
owner @{user_share_dirs}/sddm/xorg-session.log rw,
|
||||
owner @{user_share_dirs}/sddm/wayland-session.log rw,
|
||||
|
||||
owner /tmp/#[0-9][0-9] rw,
|
||||
owner /tmp/startplasma-x11.?????? rwl,
|
||||
owner /tmp/#@{int} rw,
|
||||
owner /tmp/startplasma-x11.@{rand6} rwl,
|
||||
|
||||
@{run}/user/@{uid}/xauth_* rl,
|
||||
@{run}/user/@{uid}/xauth_@{rand6} rl,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
|
|
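Review bot: In the second hunk `owner /tmp/#@{int} rw,` replaces `owner /tmp/#[0-9][0-9] rw,`, which matched exactly two digits, so this is the one conversion on the page that starts from a fixed-width glob and therefore widens the rule rather than normalising an already open one. That is probably the intended normalisation (kcminit, kwin_x11 and sddm use the same `/tmp/#@{int}` form), but it is worth recording in the commit message or a line comment that the two-digit form was an over-fit rather than a deliberate bound, so the widening is not mistaken for a regression later.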
|||
|
|
@ -82,7 +82,7 @@ profile xdm-xsession @{exec_path} {
|
|||
owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key rw,
|
||||
owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{run}/user/@{uid}/gnupg/sshcontrol r,
|
||||
@{run}/user/@{uid}/xauth_* rl,
|
||||
@{run}/user/@{uid}/xauth_@{rand6} rl,
|
||||
|
||||
owner /tmp/ssh-*/ rw,
|
||||
owner /tmp/ssh-*/agent.* rw,
|
||||
|
|
@ -106,4 +106,4 @@ profile xdm-xsession @{exec_path} {
|
|||
}
|
||||
|
||||
include if exists <local/xdm-xsession>
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -18,9 +18,9 @@ profile xembedsniproxy @{exec_path} {
|
|||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
|
||||
owner /tmp/xauth_?????? r,
|
||||
owner /tmp/xauth_@{rand6} r,
|
||||
|
||||
@{run}/user/@{uid}/xauth_* rl,
|
||||
@{run}/user/@{uid}/xauth_@{rand6} rl,
|
||||
|
||||
include if exists <local/xembedsniproxy>
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -16,9 +16,9 @@ profile xsettingsd @{exec_path} {
|
|||
|
||||
owner @{user_config_dirs}/xsettingsd/{,**} rw,
|
||||
|
||||
owner /tmp/xauth_?????? r,
|
||||
owner /tmp/xauth_@{rand6} r,
|
||||
|
||||
owner @{run}/user/@{uid}/xauth_* rl,
|
||||
owner @{run}/user/@{uid}/xauth_@{rand6} rl,
|
||||
|
||||
include if exists <local/xsettingsd>
|
||||
}
|
||||
}
|
||||
|
|
|
|||