felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'tunables' of https://github.com/nobody43/apparmor.d into nobody43-tunables

Browse source 
* 'tunables' of https://github.com/nobody43/apparmor.d:
  dbus temp tails
  Update apparmor.d
  Update gdm-runtime-config
  more unrelated changes
  adjust date-time
  random tails
  rename to int, convert more profiles
  fixes
  tunables
This commit is contained in:
Alexandre Pujol 2023-08-17 20:01:53 +01:00
parent 7b018a60bd
commit 557d905543
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
198 changed files with 560 additions and 507 deletions
Download patch file Download diff file Expand all files Collapse all files

3
apparmor.d/profiles-s-z/scrcpy
View file

@ -31,7 +31,8 @@ profile scrcpy @{exec_path} {
/var/lib/dbus/machine-id r,
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]} r,
owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
owner @{user_config_dirs}/pulse/client.conf r,
owner @{user_config_dirs}/pulse/cookie r,
owner @{user_config_dirs}/pulse/cookie rk,

2
apparmor.d/profiles-s-z/scrot
View file

@ -22,7 +22,7 @@ profile scrot @{exec_path} {
owner @{HOME}/.Xauthority r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
owner @{HOME}/.icons/default/index.theme r,
/usr/share/icons/*/index.theme r,

6
apparmor.d/profiles-s-z/smplayer
View file

@ -61,10 +61,10 @@ profile smplayer @{exec_path} {
owner @{user_videos_dirs}/{,**} rw,
owner @{user_config_dirs}/smplayer/ rw,
owner @{user_config_dirs}/smplayer/* rwkl -> @{user_config_dirs}/smplayer/#[0-9]*[0-9],
owner @{user_config_dirs}/smplayer/* rwkl -> @{user_config_dirs}/smplayer/#@{int},
owner @{user_config_dirs}/qt5ct/{,**} r,
owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/#@{int} rw,
owner /tmp/qtsingleapp-smplay-* rw,
owner /tmp/qtsingleapp-smplay-*-lockfile rwk,
@ -75,7 +75,7 @@ profile smplayer @{exec_path} {
owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r,
owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r,
owner /dev/shm/#[0-9]*[0-9] rw,
owner /dev/shm/#@{int} rw,
deny owner @{PROC}/@{pid}/stat r,
deny owner @{PROC}/@{pid}/cmdline r,

8
apparmor.d/profiles-s-z/smtube
View file

@ -33,15 +33,15 @@ profile smtube @{exec_path} {
# SMTube config files
owner @{user_config_dirs}/smtube/ rw,
owner @{user_config_dirs}/smtube/* rwkl -> @{user_config_dirs}/smtube/#[0-9]*[0-9],
owner @{user_config_dirs}/smtube/* rwkl -> @{user_config_dirs}/smtube/#@{int},
# Needed for updating YT code
owner @{user_config_dirs}/smplayer/yt.js rw,
owner @{user_config_dirs}/smplayer/#[0-9]*[0-9] rw,
owner @{user_config_dirs}/smplayer/#@{int} rw,
owner @{user_config_dirs}/smplayer/hdpi.ini rw,
owner @{user_config_dirs}/smplayer/hdpi.ini.lock rwk,
owner @{user_config_dirs}/smplayer/hdpi.ini.* rwl -> @{user_config_dirs}/smplayer/#[0-9]*[0-9],
owner @{user_config_dirs}/smplayer/hdpi.ini.* rwl -> @{user_config_dirs}/smplayer/#@{int},
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
@ -57,7 +57,7 @@ profile smtube @{exec_path} {
/usr/share/hwdata/pnp.ids r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,

2
apparmor.d/profiles-s-z/steam
View file

@ -148,7 +148,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner /dev/shm/#[0-9]* rw,
owner /dev/shm/#@{int} rw,
owner /dev/shm/fossilize-*-[0-9]*-[0-9]* rw,
owner /dev/shm/u@{uid}-Shm_@{hex} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,

2
apparmor.d/profiles-s-z/steam-game
View file

@ -177,7 +177,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/orcexec.* mrw, # gstreamer
owner /dev/shm/#[0-9]* rw,
owner /dev/shm/#@{int} rw,
owner /dev/shm/mono.* rw,
owner /dev/shm/u@{uid}-Shm_@{hex} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,

10
apparmor.d/profiles-s-z/strawberry
View file

@ -53,14 +53,14 @@ profile strawberry @{exec_path} {
owner @{HOME}/ r,
owner @{user_config_dirs}/strawberry/ rw,
owner @{user_config_dirs}/strawberry/* rwkl -> @{user_config_dirs}/strawberry/#[0-9]*[0-9],
owner @{user_config_dirs}/strawberry/* rwkl -> @{user_config_dirs}/strawberry/#@{int},
owner @{user_share_dirs}/strawberry/ rw,
owner @{user_share_dirs}/strawberry/** rwk,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/strawberry/ rw,
owner @{user_cache_dirs}/strawberry/** rwl -> @{user_cache_dirs}/strawberry/networkcache/prepared/#[0-9]*[0-9],
owner @{user_cache_dirs}/strawberry/** rwl -> @{user_cache_dirs}/strawberry/networkcache/prepared/#@{int},
owner @{user_cache_dirs}/xine-lib/ rw,
owner @{user_cache_dirs}/xine-lib/plugins.cache{,.new} rw,
@ -78,15 +78,15 @@ profile strawberry @{exec_path} {
/etc/fstab r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
/dev/sr[0-9]* r,
owner /tmp/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw,
owner /tmp/.*/ rw,
owner /tmp/.*/s rw,
owner /tmp/strawberry*[0-9] w,
owner /tmp/strawberry-cover-*.jpg rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/strawberry-cover-*.jpg rwl -> /tmp/#@{int},
owner /tmp/#@{int} rw,
owner /tmp/*= w,
owner /var/tmp/etilqs_@{hex} rw,

2
apparmor.d/profiles-s-z/strawberry-tagreader
View file

@ -25,7 +25,7 @@ profile strawberry-tagreader @{exec_path} {
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.anyRemote/anyremote.stdout w,
owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp@{rand6}} rw,
include if exists <local/strawberry-tagreader>
}

2
apparmor.d/profiles-s-z/su
View file

@ -53,7 +53,7 @@ profile su @{exec_path} {
/etc/default/locale r,
/etc/shells r,
owner @{HOME}/.xauth?????? rw,
owner @{HOME}/.xauth@{rand6} rw,
owner @{PROC}/@{pids}/loginuid r,
owner @{PROC}/@{pids}/cgroup r,

2
apparmor.d/profiles-s-z/system-config-printer
View file

@ -60,7 +60,7 @@ profile system-config-printer @{exec_path} flags=(complain) {
owner @{HOME}/.cups/ rw,
owner @{HOME}/.cups/lpoptions rw,
owner @{run}/user/@{uid}/gvfsd/socket-* rw,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
@{run}/cups/cups.sock rw,
owner /tmp/* rw,

2
apparmor.d/profiles-s-z/tint2
View file

@ -50,7 +50,7 @@ profile tint2 @{exec_path} {
@{sys}/fs/cgroup/{,**} r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/mountinfo r,

2
apparmor.d/profiles-s-z/tune2fs
View file

@ -25,7 +25,7 @@ profile tune2fs @{exec_path} {
# Image files
owner @{user_img_dirs}/{,**} rw,
owner @{run}/blkid/blkid.tab{,-*} rw,
owner @{run}/blkid/blkid.tab{,-@{rand6}} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
@{PROC}/swaps r,

2
apparmor.d/profiles-s-z/udisksd
View file

@ -139,7 +139,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}remove rw,
@{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}uevent w,
@{sys}/devices/pci[0-9]*/**/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w,
@{sys}/devices/virtual/bdi/**/read_ahead_kb r,
@{sys}/devices/virtual/block/*/{,**} rw,
@{sys}/devices/virtual/block/loop[0-9]*/uevent rw,

4
apparmor.d/profiles-s-z/updatedb.plocate
View file

@ -26,8 +26,8 @@ profile updatedb.plocate @{exec_path} {
owner @{PROC}/@{pid}/mounts r,
/var/lib/plocate/plocate.db rw,
/var/lib/plocate/#[0-9]* rw,
/var/lib/plocate/plocate.db rwl -> /var/lib/plocate/#[0-9]*,
/var/lib/plocate/#@{int} rw,
/var/lib/plocate/plocate.db rwl -> /var/lib/plocate/#@{int},
/ r,
/**/ r,

4
apparmor.d/profiles-s-z/usbguard-applet-qt
View file

@ -25,9 +25,9 @@ profile usbguard-applet-qt @{exec_path} {
@{exec_path} mr,
owner @{user_config_dirs}/USBGuard/ rw,
owner @{user_config_dirs}/USBGuard/* rwkl -> @{user_config_dirs}/USBGuard/#[0-9]*[0-9],
owner @{user_config_dirs}/USBGuard/* rwkl -> @{user_config_dirs}/USBGuard/#@{int},
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
/dev/shm/qb-usbguard-{request,response,event}-[0-9]*-[0-9]*-[0-9]*-{header,data} rw,
/dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw,

16
apparmor.d/profiles-s-z/vidcutter
View file

@ -57,14 +57,14 @@ profile vidcutter @{exec_path} {
owner @{user_videos_dirs}/{,**} rw,
owner @{user_config_dirs}/vidcutter/ rw,
owner @{user_config_dirs}/vidcutter/* rwkl -> @{user_config_dirs}/vidcutter/#[0-9]*[0-9],
owner @{user_config_dirs}/vidcutter/* rwkl -> @{user_config_dirs}/vidcutter/#@{int},
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int},
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw,
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},
owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
owner @{user_config_dirs}/qt5ct/{,**} r,
@ -72,8 +72,8 @@ profile vidcutter @{exec_path} {
@{sys}/devices/system/node/node[0-9]*/meminfo r,
owner /tmp/vidcutter-@{uuid} w,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/*.jpg rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/#@{int} rw,
owner /tmp/*.jpg rwl -> /tmp/#@{int},
owner /tmp/vidcutter/{,*} rw,
deny owner @{PROC}/@{pid}/cmdline r,
@ -83,7 +83,7 @@ profile vidcutter @{exec_path} {
deny @{PROC}/sys/kernel/random/boot_id r,
/dev/ r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
/dev/disk/*/ r,
owner /dev/tty[0-9]* rw,

2
apparmor.d/profiles-s-z/wireshark
View file

@ -76,7 +76,7 @@ profile wireshark @{exec_path} {
/usr/share/GeoIP/{,**} r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
owner /tmp/wireshark_extcap_ciscodump_[0-9]*_* rw,

2
apparmor.d/profiles-s-z/wpa-gui
View file

@ -26,7 +26,7 @@ profile wpa-gui @{exec_path} {
owner @{user_config_dirs}/qt5ct/{,**} r,
owner /tmp/wpa_ctrl_@{pid}-[0-9] w,
owner /dev/shm/#[0-9]*[0-9] rw,
owner /dev/shm/#@{int} rw,
@{run}/wpa_supplicant/ r,

22
apparmor.d/profiles-s-z/xauth
View file

@ -16,10 +16,10 @@ profile xauth @{exec_path} {
/Xauthority-c w,
owner @{HOME}/.xauth?????? rw,
owner @{HOME}/.xauth??????-c w,
owner @{HOME}/.xauth??????-l wl,
owner @{HOME}/.xauth??????-n rw,
owner @{HOME}/.xauth@{rand6} rw,
owner @{HOME}/.xauth@{rand6}-c w,
owner @{HOME}/.xauth@{rand6}-l wl,
owner @{HOME}/.xauth@{rand6}-n rw,
owner @{HOME}/.Xauthority-c w,
owner @{HOME}/.Xauthority-l wl -> @{HOME}/.Xauthority-c,
@ -31,14 +31,14 @@ profile xauth @{exec_path} {
owner /tmp/serverauth.*-n rw,
owner /tmp/serverauth.* rwl -> /tmp/serverauth.*-n,
owner /tmp/runtime-*/xauth_?????? r,
owner /tmp/xauth_?????? r,
owner /tmp/xauth_??????-c w,
owner /tmp/xauth_??????-l wl,
owner /tmp/runtime-*/xauth_@{rand6} r,
owner /tmp/xauth_@{rand6} r,
owner /tmp/xauth_@{rand6}-c w,
owner /tmp/xauth_@{rand6}-l wl,
owner @{run}/user/@{uid}/xauth_?????? rw,
owner @{run}/user/@{uid}/xauth_??????-c w,
owner @{run}/user/@{uid}/xauth_??????-l wl,
owner @{run}/user/@{uid}/xauth_@{rand6} rw,
owner @{run}/user/@{uid}/xauth_@{rand6}-c w,
owner @{run}/user/@{uid}/xauth_@{rand6}-l wl,
include if exists <local/xauth>
}

10
apparmor.d/profiles-s-z/yadifad
View file

@ -24,15 +24,15 @@ profile yadifad @{exec_path} {
/etc/yadifa/yadifad.conf r,
/var/lib/yadifa/** r,
owner /var/lib/yadifa/ydf.?????? rw,
owner /var/lib/yadifa/keys/ydf.?????? rw,
owner /var/lib/yadifa/xfr/ydf.?????? rw,
owner /var/lib/yadifa/ydf.@{rand6} rw,
owner /var/lib/yadifa/keys/ydf.@{rand6} rw,
owner /var/lib/yadifa/xfr/ydf.@{rand6} rw,
/var/log/yadifa/*.log rw,
/var/log/yadifa/ydf.?????? rw,
/var/log/yadifa/ydf.@{rand6} rw,
owner @{run}/yadifa/yadifad.pid rwk,
owner @{run}/yadifa/ydf.?????? rw,
owner @{run}/yadifa/ydf.@{rand6} rw,
include if exists <local/yadifad>
}

2
apparmor.d/profiles-s-z/zpool
View file

@ -23,7 +23,7 @@ profile zpool @{exec_path} {
@{run}/blkid/blkid.tab rw,
@{run}/blkid/blkid.tab.old rwl,
@{run}/blkid/blkid.tab-* rwl,
@{run}/blkid/blkid.tab-@{rand6} rwl,
/tmp/tmp.* rw,