Merge branch 'tunables' of https://github.com/nobody43/apparmor.d into nobody43-tunables

* 'tunables' of https://github.com/nobody43/apparmor.d:
  dbus temp tails
  Update apparmor.d
  Update gdm-runtime-config
  more unrelated changes
  adjust date-time
  random tails
  rename to int, convert more profiles
  fixes
  tunables
This commit is contained in:
Alexandre Pujol 2023-08-17 20:01:53 +01:00
parent 7b018a60bd
commit 557d905543
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
198 changed files with 560 additions and 507 deletions


@ -44,7 +44,7 @@ profile megasync @{exec_path} {
# Megasync home files
owner @{HOME}/ r,
owner "@{user_share_dirs}/data/Mega Limited/" rw,
owner "@{user_share_dirs}/data/Mega Limited/**" rwkl -> "@{user_share_dirs}/data/Mega Limited/MEGAsync/#[0-9]*[0-9]",
owner "@{user_share_dirs}/data/Mega Limited/**" rwkl -> "@{user_share_dirs}/data/Mega Limited/MEGAsync/#@{int}",
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
@ -65,10 +65,10 @@ profile megasync @{exec_path} {
/etc/fstab r,
# Autostart
owner @{user_config_dirs}/autostart/#[0-9]*[0-9] rw,
owner @{user_config_dirs}/autostart/megasync.desktop rwl -> @{user_config_dirs}/autostart/#[0-9]*[0-9],
owner @{user_config_dirs}/autostart/#@{int} rw,
owner @{user_config_dirs}/autostart/megasync.desktop rwl -> @{user_config_dirs}/autostart/#@{int},
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
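Review bot: Replacing `#[0-9]*[0-9]` with `#@{int}` on the `Mega Limited` link targets and the `/dev/shm` rule is only a pure rename if `@{int}` accepts any digit count, and its definition in tunables/global is not part of this diff. The old glob matched arbitrarily long digit strings, which is what the `#<number>` names these rules cover appear to need; if the tunable is bounded, longer names would start being denied and show up only as audit noise. Please confirm the tunable's length bound and record the decision in a comment next to its definition. The same conversion is made in the minitube, mkvtoolnix-gui, mumble, pinentry-qt, plocate-build, popularity-contest, psi, psi-plus, qbittorrent, qbittorrent-nox, qnapi, qpdfview, qt5ct, quiterss and run-parts sections, so one answer covers them all.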


@ -35,7 +35,7 @@ profile minitube @{exec_path} {
# Minitube home files
owner "@{user_config_dirs}/Flavio Tordini/" rw,
owner "@{user_config_dirs}/Flavio Tordini/*" rwkl -> "@{user_config_dirs}/Flavio Tordini/#[0-9]*[0-9]",
owner "@{user_config_dirs}/Flavio Tordini/*" rwkl -> "@{user_config_dirs}/Flavio Tordini/#@{int}",
owner "@{user_share_dirs}/Flavio Tordini/" rw,
owner "@{user_share_dirs}/Flavio Tordini/Minitube/" rw,
owner "@{user_share_dirs}/Flavio Tordini/Minitube/*" rwk,
@ -47,9 +47,9 @@ profile minitube @{exec_path} {
/usr/share/minitube/{,**} r,
# If one is blocked, the others are probed.
deny owner @{HOME}/#[0-9]*[0-9] mrw,
deny owner @{HOME}/#@{int} mrw,
owner @{HOME}/.glvnd* mrw,
# owner /tmp/#[0-9]*[0-9] mrw,
# owner /tmp/#@{int} mrw,
# owner /tmp/.glvnd* mrw,
# Cache
@ -59,17 +59,17 @@ profile minitube @{exec_path} {
owner "@{user_cache_dirs}/Flavio Tordini/Minitube/**" rwl -> "@{user_cache_dirs}/Flavio Tordini/Minitube/**",
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int},
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
deny /dev/ r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
/etc/vdpau_wrapper.cfg r,


@ -31,7 +31,7 @@ profile mke2fs @{exec_path} {
# For virt-resize
owner /var/tmp/.guestfs-[0-9]*/** rwk,
owner @{run}/blkid/blkid.tab{,-*} rw,
owner @{run}/blkid/blkid.tab{,-@{rand6}} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
@{PROC}/swaps r,


@ -43,7 +43,7 @@ profile mkvtoolnix-gui @{exec_path} {
owner @{user_config_dirs}/bunkus.org/ rw,
owner @{user_config_dirs}/bunkus.org/mkvtoolnix-gui/ rw,
owner @{user_config_dirs}/bunkus.org/mkvtoolnix-gui/** rwkl -> @{user_config_dirs}/bunkus.org/mkvtoolnix-gui/#[0-9]*[0-9],
owner @{user_config_dirs}/bunkus.org/mkvtoolnix-gui/** rwkl -> @{user_config_dirs}/bunkus.org/mkvtoolnix-gui/#@{int},
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/bunkus.org/ rw,
@ -53,12 +53,12 @@ profile mkvtoolnix-gui @{exec_path} {
owner @{user_config_dirs}/qt5ct/{,**} r,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/MKVToolNix-GUI-MuxConfig-* rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/MKVToolNix-process-*.json rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/MKVToolNix-GUI-MuxJob-*.json rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/#@{int} rw,
owner /tmp/MKVToolNix-GUI-MuxConfig-* rwl -> /tmp/#@{int},
owner /tmp/MKVToolNix-process-*.json rwl -> /tmp/#@{int},
owner /tmp/MKVToolNix-GUI-MuxJob-*.json rwl -> /tmp/#@{int},
owner /tmp/MKVToolNix-GUI-Instance-Communicator-* rw,
owner /dev/shm/#[0-9]*[0-9] rw,
owner /dev/shm/#@{int} rw,
deny owner @{PROC}/@{pid}/cmdline r,
deny @{PROC}/sys/kernel/random/boot_id r,


@ -37,7 +37,7 @@ profile mono-sgen @{exec_path} {
owner @{user_config_dirs}/openra/{,**} rw,
owner @{user_config_dirs}/.mono/{,**} r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* rw,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
owner /tmp/*.* rw,
owner /tmp/CASESENSITIVETEST* rw,
@ -52,4 +52,4 @@ profile mono-sgen @{exec_path} {
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/mono-sgen>
}
}


@ -40,7 +40,7 @@ profile mumble @{exec_path} {
# Mumble home files
owner @{HOME}/ r,
owner @{user_config_dirs}/Mumble/ rw,
owner @{user_config_dirs}/Mumble/** rwkl -> @{user_config_dirs}/Mumble/#[0-9]*[0-9],
owner @{user_config_dirs}/Mumble/** rwkl -> @{user_config_dirs}/Mumble/#@{int},
owner @{user_share_dirs}/Mumble/ rw,
owner @{user_share_dirs}/Mumble/** rwk,
owner @{HOME}/.MumbleOverlayPipe rw,
@ -51,8 +51,8 @@ profile mumble @{exec_path} {
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/dev/shm/MumbleLink.[0-9]*[0-9] rw,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/MumbleLink.@{int} rw,
/dev/shm/#@{int} rw,
owner @{run}/user/@{uid}/MumbleSocket rw,
owner @{run}/user/@{uid}/MumbleOverlayPipe rw,


@ -9,6 +9,8 @@ include <tunables/global>
@{exec_path} = @{lib}/bluetooth/obexd
profile obexd @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/dbus-session-strict>
include <abstractions/user-download-strict>
network bluetooth stream,
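Review bot: The added `include <abstractions/user-download-strict>` and `include <abstractions/dbus-session-strict>` widen what obexd may touch, the first to the user's download directory, with no comment saying why; presumably received objects are written there, but that should be stated so the next reader can judge whether the grant is still needed. Suggest a comment above the include such as `# Received objects are stored in the user's download directory` once that is confirmed against the obexd configuration in use. The hunk header reports two added lines, but the page renders the hunk without markers, so which two of the four include lines are new cannot be read off it. The profile body continues outside the hunk.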


@ -175,4 +175,4 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
}
include if exists <local/packagekitd>
}
}


@ -20,7 +20,7 @@
capability setuid,
/etc/default/su r,
@{etc_ro}/environment r,
@{HOMEDIRS}/.xauth* w,
@{HOMEDIRS}/.xauth@{rand6} w,
@{bin}/{,b,d,rb}ash Px -> default_user,
@{bin}/{c,k,tc,z}sh Px -> default_user,
}
@ -42,7 +42,7 @@
/etc/default/su r,
@{etc_ro}/environment r,
@{HOMEDIRS}/.xauth* w,
@{HOMEDIRS}/.xauth@{rand6} w,
}
@ -64,6 +64,6 @@
/etc/default/su r,
@{etc_ro}/environment r,
@{HOMEDIRS}/.xauth* w,
@{HOMEDIRS}/.xauth@{rand6} w,
}


@ -18,7 +18,7 @@ profile pinentry-gtk-2 @{exec_path} {
/usr/share/gtk-2.0/gtkrc r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
include if exists <local/pinentry-gtk-2>
}


@ -27,12 +27,12 @@ profile pinentry-qt @{exec_path} {
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/#@{int} rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
/usr/share/hwdata/pnp.ids r,


@ -14,8 +14,8 @@ profile plocate-build @{exec_path} {
/var/lib/mlocate/mlocate.db r,
/var/lib/mlocate/#[0-9]* rw,
/var/lib/mlocate/plocate.db rwl -> /var/lib/mlocate/#[0-9]*,
/var/lib/mlocate/#@{int} rw,
/var/lib/mlocate/plocate.db rwl -> /var/lib/mlocate/#@{int},
include if exists <local/plocate-build>
}


@ -54,7 +54,7 @@ profile popularity-contest @{exec_path} {
/var/lib/ r,
# file_inherit
/tmp/#[0-9]*[0-9] rw,
/tmp/#@{int} rw,
/var/log/popularity-contest.[0-9]* w,
include if exists <local/popularity-contest>


@ -56,17 +56,17 @@ profile psi @{exec_path} {
owner @{HOME}/ r,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/psi/{,**} rw,
owner @{user_config_dirs}/autostart/psi.desktop rw,
owner @{user_config_dirs}/psi/ rw,
owner @{user_config_dirs}/psi/** rwkl -> @{user_config_dirs}/psi/#[0-9]*[0-9],
owner @{user_config_dirs}/psi/** rwkl -> @{user_config_dirs}/psi/#@{int},
owner @{user_config_dirs}/qt5ct/{,**} r,
owner @{user_share_dirs}/psi/ rw,
owner @{user_share_dirs}/psi/** rwk,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/Psi.* rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/#@{int} rw,
owner /tmp/Psi.* rwl -> /tmp/#@{int},
@{run}/systemd/inhibit/[0-9]*.ref rw,
@ -75,7 +75,7 @@ profile psi @{exec_path} {
deny @{PROC}/sys/kernel/random/boot_id r,
deny owner @{PROC}/@{pid}/cmdline r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
# file_inherit
owner /dev/tty[0-9]* rw,


@ -54,17 +54,17 @@ profile psi-plus @{exec_path} {
owner @{HOME}/ r,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/psi+/{,**} rw,
owner @{user_config_dirs}/autostart/psi-plus.desktop rw,
owner @{user_config_dirs}/psi+/ rw,
owner @{user_config_dirs}/psi+/** rwkl -> @{user_config_dirs}/psi+/#[0-9]*[0-9],
owner @{user_config_dirs}/psi+/** rwkl -> @{user_config_dirs}/psi+/#@{int},
owner @{user_config_dirs}/qt5ct/{,**} r,
owner @{user_share_dirs}/psi+/ rw,
owner @{user_share_dirs}/psi+/** rwk,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/Psi+.* rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/#@{int} rw,
owner /tmp/Psi+.* rwl -> /tmp/#@{int},
owner /var/tmp/etilqs_@{hex} rw,
@{run}/systemd/inhibit/[0-9]*.ref rw,
@ -74,7 +74,7 @@ profile psi-plus @{exec_path} {
deny @{PROC}/sys/kernel/random/boot_id r,
deny owner @{PROC}/@{pid}/cmdline r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
# file_inherit
owner /dev/tty[0-9]* rw,


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/pwck
profile pwck @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@{exec_path} mr,
@ -27,4 +28,4 @@ profile pwck @{exec_path} {
/etc/machine-id r,
include if exists <local/pwck>
}
}


@ -106,8 +106,6 @@ profile qbittorrent @{exec_path} {
dbus bind bus=session
name=org.kde.StatusNotifierItem-*,
owner /tmp/dbus-[0-9a-zA-Z]* rw,
@{exec_path} mr,
# For "search engine"
@ -115,16 +113,16 @@ profile qbittorrent @{exec_path} {
# Qbittorrent home dirs
owner @{user_config_dirs}/qBittorrent/ rw,
owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#[0-9]*[0-9],
owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#@{int},
owner @{user_share_dirs}/data/ rw,
owner @{user_share_dirs}/{,data/}qBittorrent/ rw,
owner @{user_share_dirs}/{,data/}qBittorrent/** rwl -> @{user_share_dirs}/{,data/}qBittorrent/**/#[0-9]*[0-9],
owner @{user_share_dirs}/{,data/}qBittorrent/** rwl -> @{user_share_dirs}/{,data/}qBittorrent/**/#@{int},
# Old dir, not recommended to use:
# deny owner @{user_share_dirs}/data/qBittorrent/ rw,
# Cache dir
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/qBittorrent/{,**} rw,
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
@ -140,7 +138,7 @@ profile qbittorrent @{exec_path} {
/dev/disk/by-label/ r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
owner @{PROC}/@{pids}/fd/ r,
deny owner @{PROC}/@{pids}/cmdline r,
@ -260,11 +258,11 @@ profile qbittorrent @{exec_path} {
owner @{user_share_dirs}/{,data/}qBittorrent/nova[0-9]/{,**} rw,
# Used while searching for torrents
owner /dev/shm/sem.mp-* rwl -> /dev/shm/[0-9]*[0-9],
owner /dev/shm/sem.mp-* rwl -> /dev/shm/@{int},
owner /dev/shm/* rw,
# To load/add torrents from the search engine
owner /tmp/[0-9]*[0-9] rw,
owner /tmp/@{int} rw,
owner /tmp/tmp* rw,
# file_inherit


@ -24,15 +24,15 @@ profile qbittorrent-nox @{exec_path} {
# Qbittorrent home dirs
owner @{user_config_dirs}/qBittorrent/ rw,
owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#[0-9]*[0-9],
owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#@{int},
owner @{user_share_dirs}/qBittorrent/ rw,
owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#[0-9]*[0-9],
owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#@{int},
# Old dir, not recommended to use:
deny owner @{user_share_dirs}/data/qBittorrent/ rw,
# Cache dir
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/qBittorrent/{,**} rw,
# Torrent files
@ -41,7 +41,7 @@ profile qbittorrent-nox @{exec_path} {
/dev/disk/by-label/ r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
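Review bot: The link target in `owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#@{int},` does not mirror its source path: the source is under `@{user_share_dirs}/qBittorrent/`, but the target points under `data/qBittorrent/`, which the very next rule denies. The equivalent rule in the qbittorrent section keeps source and target on the same `{,data/}qBittorrent/**` prefix, so this looks like a copy that survived the conversion rather than an intended cross-tree link. If the intent is to allow renaming temp files within the same tree, the line should read `owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/qBittorrent/**/#@{int},`.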


@ -57,8 +57,8 @@ profile qnapi @{exec_path} {
owner @{user_config_dirs}/qnapi.ini rw,
owner @{user_config_dirs}/qnapi.ini.lock rwk,
owner @{user_config_dirs}/qnapi.ini.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
owner @{user_config_dirs}/qnapi.ini.mlXXXY rwl -> @{user_config_dirs}/#[0-9]*[0-9],
owner @{user_config_dirs}/qnapi.ini.* rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/qnapi.ini.mlXXXY rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/qt5ct/{,**} r,
owner @{user_cache_dirs}/ rw,
@ -66,15 +66,15 @@ profile qnapi @{exec_path} {
/tmp/ r,
owner /tmp/@{hex}.* rw,
owner /tmp/** rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/QNapi-*-rc wl -> /tmp/#[0-9]*[0-9],
owner /tmp/#@{int} rw,
owner /tmp/QNapi-*-rc wl -> /tmp/#@{int},
owner /tmp/QNapi-*-rc.lock rwk,
owner /tmp/QNapi.[0-9]*.tmp rw,
owner /tmp/QNapi.[0-9]*.tmp.* rw,
owner /tmp/QNapi.[0-9]*.tmp.* rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/QNapi.[0-9]*[0-9] rw,
owner /tmp/QNapi.[0-9]*.tmp.* rwl -> /tmp/#@{int},
owner /tmp/QNapi.@{int} rw,
owner /dev/shm/#[0-9]*[0-9] rw,
owner /dev/shm/#@{int} rw,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r,
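Review bot: `owner @{user_config_dirs}/qnapi.ini.mlXXXY rwl -> @{user_config_dirs}/#@{int},` is fully covered by the rule directly above it (`qnapi.ini.*` matches `qnapi.ini.mlXXXY`), and `mlXXXY` reads like a template placeholder rather than a name the program actually creates; since the line is being touched anyway, drop it or replace the literal with whatever tunable describes the real suffix. In the second hunk, the unchanged `owner /tmp/** rw,` already grants everything the `rw`-only `/tmp/#@{int}`, `/tmp/QNapi.[0-9]*.tmp` and `/tmp/QNapi.@{int}` rules add, so those are redundant as written; if they are kept on purpose as documentation of the real file names, a one-line comment saying so would stop the next cleanup from removing the wrong ones.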


@ -50,17 +50,17 @@ profile qpdfview @{exec_path} {
owner @{user_work_dirs}/{,**} rw,
owner @{user_config_dirs}/qpdfview/ rw,
owner @{user_config_dirs}/qpdfview/* rwkl -> @{user_config_dirs}/qpdfview/#[0-9]*[0-9],
owner @{user_config_dirs}/qpdfview/* rwkl -> @{user_config_dirs}/qpdfview/#@{int},
owner @{user_share_dirs}/qpdfview/ rw,
owner @{user_share_dirs}/qpdfview/** rwk,
owner @{user_config_dirs}/qt5ct/{,**} r,
owner /dev/shm/#[0-9]*[0-9] rw,
owner /dev/shm/#@{int} rw,
owner /tmp/@{hex} rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/qpdfview.*.pdf rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/#@{int} rw,
owner /tmp/qpdfview.*.pdf rwl -> /tmp/#@{int},
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,


@ -23,11 +23,11 @@ profile qt5ct @{exec_path} {
@{exec_path} mr,
owner @{user_config_dirs}/qt5ct/ rw,
owner @{user_config_dirs}/qt5ct/** rwkl -> @{user_config_dirs}/qt5ct/#[0-9]*[0-9],
owner @{user_config_dirs}/qt5ct/** rwkl -> @{user_config_dirs}/qt5ct/#@{int},
owner @{user_config_dirs}/fontconfig/ rw,
owner @{user_config_dirs}/fontconfig/** rw,
owner @{user_config_dirs}/fontconfig/fonts.conf.back rwl -> @{user_config_dirs}/fontconfig/#[0-9]*[0-9],
owner @{user_config_dirs}/fontconfig/fonts.conf.back rwl -> @{user_config_dirs}/fontconfig/#@{int},
owner @{user_config_dirs}/kdeglobals r,
@ -48,7 +48,7 @@ profile qt5ct @{exec_path} {
/usr/share/hwdata/pnp.ids r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
include if exists <local/qt5ct>
}


@ -63,7 +63,7 @@ profile quiterss @{exec_path} {
/usr/share/hwdata/pnp.ids r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
owner /tmp/qtsingleapp-quiter-[0-9]*-[0-9]* rw,
owner /tmp/qtsingleapp-quiter-[0-9]*-[0-9]*-lockfile rwk,


@ -17,7 +17,7 @@ profile redshift @{exec_path} {
dbus send
bus=system
path=/org/freedesktop/GeoClue2/Client/[0-9]*[0-9],
path=/org/freedesktop/GeoClue2/Client/@{int},
dbus receive
bus=system


@ -54,11 +54,11 @@ profile rpi-imager @{exec_path} {
owner "@{user_cache_dirs}/Raspberry Pi/**" rwl -> "@{user_cache_dirs}/Raspberry Pi/**",
owner "@{user_config_dirs}/Raspberry Pi/{,**}" rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int},
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw,
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},
owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
owner @{user_config_dirs}/qt5ct/{,**} r,
owner @{user_config_dirs}/QtProject.conf r,


@ -116,6 +116,7 @@ profile run-parts @{exec_path} {
/etc/kernel/postinst.d/initramfs-tools rCx -> kernel,
/etc/kernel/postinst.d/unattended-upgrades rCx -> kernel,
/etc/kernel/postinst.d/zz-update-grub rCx -> kernel,
/etc/kernel/postinst.d/zz-shim rCx -> kernel,
/etc/kernel/postinst.d/xx-update-initrd-links rCx -> kernel,
/etc/kernel/postrm.d/ r,
@ -128,8 +129,9 @@ profile run-parts @{exec_path} {
/etc/kernel/prerm.d/ r,
/etc/kernel/prerm.d/dkms rCx -> kernel,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/#@{int} rw,
owner /tmp/$anacron* rw,
owner /tmp/file@{rand6} ra,
owner @{sys}/class/power_supply/ r,
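Review bot: The new rule `owner /tmp/file@{rand6} ra,` carries no comment naming which run-parts job creates `/tmp/fileXXXXXX`, unlike the neighbouring `$anacron*` rule whose name documents its origin; with only the prefix `file` left to identify it, a later reader cannot tell which job it serves or whether it is still needed. Suggest a comment above it along the lines of `# <job name>: temp file created by <tool> — TODO confirm`, filled in with the actual job. The `zz-shim` entry in the first hunk follows the existing `rCx -> kernel` pattern of its neighbours and needs nothing further; the `kernel` child profile is defined outside these hunks.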


@ -89,7 +89,7 @@ profile rustdesk @{exec_path} {
# service and GUI intercommunication
@{HOME}/.Xauthority r,
@{run}/user/@{uid}/.mutter-Xwaylandauth.?????? r,
@{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
@{run}/user/@{uid}/gdm{,3}/Xauthority r,
/tmp/[rR]ust[dD]esk/{,**} rw,
/tmp/.X11-unix/ r,
@ -103,7 +103,7 @@ profile rustdesk @{exec_path} {
owner @{run}/user/@{uid}/pulse/native rw,
owner @{user_config_dirs}/pulse/ rw,
owner @{user_config_dirs}/pulse/cookie rwk,
owner @{user_config_dirs}/pulse/*-runtime{,.tmp} rw,
owner @{user_config_dirs}/pulse/@{md5}-runtime{,.tmp} rw,
owner /tmp/pulse-*/ rw,
# gtk-tiny
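Review bot: `@{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,` in the first hunk is not `owner`-qualified, whereas the same path converted in the mono-sgen and pinentry-gtk-2 sections is written with `owner`. Under the `# service and GUI intercommunication` comment this may be deliberate if the rustdesk service runs as a different user from the desktop session and has to read that user's cookie, but then the comment should say so; otherwise the rule should be `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,`. The unchanged `@{HOME}/.Xauthority r,` on the line above has the same shape and would get the same answer. The profile body continues outside both hunks.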