diff --git a/README.md b/README.md index 33fa7a333..ae9899b70 100644 --- a/README.md +++ b/README.md @@ -20,18 +20,18 @@ `polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord` - Confine all Desktop environments - Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland` -- Confine some *"special"* user applications: web browser, file browser... +- Confine some *"special"* user applications: web browsers, file managers, etc - Should not break a normal usage of the confined software **Goals** - Target both desktops and servers - Support all distributions that support AppArmor: - * Archlinux + * Arch Linux * Ubuntu 22.04 * Debian 12 * OpenSUSE Tumbleweed -- Support major desktop environments: +- Support for all major desktop environments: * Gnome * KDE * XFCE *(work in progress)* @@ -54,7 +54,7 @@ This is fundamentally different from how AppArmor is usually used on Linux serve **Presentations** -Building large set of AppArmor profiles: +Building the largest set of AppArmor profiles: - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 5ae7743fd..0998bbb44 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -29,3 +29,5 @@ owner @{run}/user/@{uid}/xauth_@{rand6} rl -> @{run}/user/@{uid}/#@{int}, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/X.d/complete b/apparmor.d/abstractions/X.d/complete index 0b654a761..8a6636664 100644 
--- a/apparmor.d/abstractions/X.d/complete +++ b/apparmor.d/abstractions/X.d/complete @@ -5,3 +5,5 @@ # Available Xsessions /usr/share/xsessions/{,*.desktop} r, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index 69bcf9007..c31d328fb 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root @@ -11,4 +11,6 @@ /usr/ r, /usr/local/{s,}bin/ r, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 4a6c795d6..5e7c50824 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -21,4 +21,6 @@ /usr/ r, /usr/local/bin/ r, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index df0eac9a6..513924de6 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -51,3 +51,5 @@ include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index d00fb331b..41bbab892 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -70,7 +70,6 @@ @{lib_dirs}/{,**} r, @{lib_dirs}/*.so* mr, - @{lib_dirs}/chrome_crashpad_handler rPx, @{lib_dirs}/chrome-sandbox rPx, # Desktop integration @@ -111,8 +110,7 @@ /etc/@{name}/{,**} r, /etc/fstab r, - /etc/opensc.conf r, - /etc/opensc/opensc.conf r, # Debian ubication + /etc/{,opensc/}opensc.conf r, /var/lib/dbus/machine-id r, /etc/machine-id r, 
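Review bot: Dropping `@{lib_dirs}/chrome_crashpad_handler rPx,` in the `@@ -70,7 +70,6 @@` hunk of `abstractions/app/chromium` leaves no visible exec rule for the crashpad handler, so unless a wider `x` rule outside this hunk covers it the handler launch is now denied on every browser start. If blocking the crash reporter is the intent, an explicit `deny @{lib_dirs}/chrome_crashpad_handler x,` with a one-line comment makes that deliberate rather than an apparent omission; if not, the rule should stay. The abstraction body continues outside the hunk, so a replacement rule elsewhere in the file would not be visible here.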
@@ -152,10 +150,10 @@ owner @{tmp}/.@{domain}.* rw, owner @{tmp}/.@{domain}*/{,**} rw, owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, - owner @{tmp}/scoped_dir*/{,**} rw, - owner @{tmp}/tmp.* rw, - owner @{tmp}/tmp.*/ rw, - owner @{tmp}/tmp.*/** rwk, + audit owner @{tmp}/scoped_dir@{rand6}/{,**} rw, + owner @{tmp}/tmp.@{rand6} rw, + owner @{tmp}/tmp.@{rand6}/ rw, + owner @{tmp}/tmp.@{rand6}/** rwk, owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw, @@ -211,3 +209,5 @@ deny @{user_share_dirs}/gvfs-metadata/* r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index 9b9933b1a..f0972f3e7 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor @@ -26,3 +26,5 @@ owner @{user_config_dirs}/vim/{,**} r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index ba0c7f3ee..bf86f419c 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -17,6 +17,7 @@ include include include + include include include include @@ -69,12 +70,10 @@ /usr/share/xul-ext/kwallet5/* r, /etc/@{name}/{,**} r, - /etc/cups/client.conf r, /etc/fstab r, /etc/mailcap r, /etc/mime.types r, - /etc/opensc.conf r, - /etc/opensc/opensc.conf r, + /etc/{,opensc/}opensc.conf r, /etc/sysconfig/proxy r, /etc/xdg/* r, /etc/xul-ext/kwallet5.js r, @@ -82,7 +81,6 @@ /var/lib/nscd/services r, owner @{HOME}/ r, - owner @{HOME}/.cups/lpoptions r, owner @{config_dirs}/ rw, owner @{config_dirs}/** rwk, @@ -160,3 +158,5 @@ deny @{run}/user/@{uid}/gnome-shell-disable-extensions w, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 0cbb75171..f93a1c444 100644 --- a/apparmor.d/abstractions/app/open 
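Review bot: The `audit` qualifier on `audit owner @{tmp}/scoped_dir@{rand6}/{,**} rw,` makes every read and write under those directories generate an audit record, which is profiling noise in a shipped abstraction; unless the logging is intentional (then say so in a comment), the line should be `owner @{tmp}/scoped_dir@{rand6}/{,**} rw,`. The same hunk narrows `tmp.*` to `tmp.@{rand6}`; if those entries come from `mktemp`'s default `tmp.XXXXXXXXXX` template the six-character pattern no longer matches and the access is silently denied, so the suffix length is worth confirming against a denial log before tightening. Note that `abstractions/common/chromium` in this same commit still matches `scoped_dir*`, so the two abstractions now disagree on the directory name.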
+++ b/apparmor.d/abstractions/app/open @@ -13,3 +13,5 @@ /dev/tty rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index a225ce11b..4bab75387 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -23,3 +23,5 @@ @{PROC}/uptime r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index f792fc085..6fba1adfd 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -68,3 +68,5 @@ deny @{user_share_dirs}/gvfs-metadata/* r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl index aa1e8eff4..62b4aafdf 100644 --- a/apparmor.d/abstractions/app/systemctl +++ b/apparmor.d/abstractions/app/systemctl @@ -26,3 +26,5 @@ owner @{PROC}/@{pid}/stat r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/udevadm b/apparmor.d/abstractions/app/udevadm new file mode 100644 index 000000000..72fb4c61b --- /dev/null +++ b/apparmor.d/abstractions/app/udevadm @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + ptrace read peer=@{p_systemd}, + + @{bin}/udevadm mr, + + /etc/udev/udev.conf r, + + @{run}/udev/data/* r, + + @{sys}/** r, + + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/1/sched r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/stat r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index f12e7fcc4..ca4a8e16c 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client 
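Review bot: The new abstraction `app/udevadm` has no comment describing its contract, unlike `common/bwrap`, and it contains rules a reader will question: `ptrace read peer=@{p_systemd},`, `@{PROC}/1/environ r,` and `@{PROC}/1/sched r,` expose PID 1's state to every profile that includes it, and `@{sys}/** r,` grants read of the whole sysfs tree. A header such as `# Rules for profiles that run udevadm in-profile (udevadm rix); the ptrace and /proc/1 rules are presumably needed by systemd's container detection — verify` would document why PID 1 is read. If udevadm only walks `@{sys}/devices/`, `@{sys}/bus/` and `@{sys}/class/`, scoping `@{sys}/** r,` to those would keep the abstraction from widening every includer's sysfs access — worth checking against the denials that motivated the file.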
@@ -41,6 +41,9 @@ owner @{user_config_dirs}/pulse/client.conf.d/{,*.conf} r, owner @{user_config_dirs}/pulse/cookie rwk, + owner @{user_config_dirs}/pipewire/ rw, + owner @{user_config_dirs}/pipewire/client.conf r, + owner @{user_share_dirs}/openal/hrtf/{,**} r, owner @{user_share_dirs}/sounds/__custom/index.theme r, @@ -55,3 +58,5 @@ owner /dev/shm/pulse-shm-@{int} rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/audio-server b/apparmor.d/abstractions/audio-server index 22aa6837c..619ba1111 100644 --- a/apparmor.d/abstractions/audio-server +++ b/apparmor.d/abstractions/audio-server @@ -43,3 +43,5 @@ /dev/sound/* rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/audio.d/complete b/apparmor.d/abstractions/audio.d/complete index 51838adcc..01d94e067 100644 --- a/apparmor.d/abstractions/audio.d/complete +++ b/apparmor.d/abstractions/audio.d/complete @@ -11,3 +11,5 @@ @{sys}/class/ r, @{sys}/class/sound/ r, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/authentication.d/complete b/apparmor.d/abstractions/authentication.d/complete index 4a9d55bd3..63819cc1b 100644 --- a/apparmor.d/abstractions/authentication.d/complete +++ b/apparmor.d/abstractions/authentication.d/complete @@ -1,3 +1,6 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only @{bin}/pam-tmpdir-helper rPx, @@ -8,3 +11,5 @@ @{lib}/security-misc/pam_faillock_not_if_x rPx, @{lib}/security-misc/pam-abort-on-locked-password rPx, @{lib}/security-misc/pam-info rPx, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index cc4b1a1e7..e9761b843 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete 
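Review bot: `owner @{user_config_dirs}/pipewire/ rw,` grants write on the directory itself, which lets every audio client create and delete entries under `~/.config/pipewire/`, while the only file rule added next to it is `client.conf r`. Unless a client has been observed creating the directory, `owner @{user_config_dirs}/pipewire/ r,` is enough to list it; if creation is really needed, a comment naming the client that does it would justify the `w`.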
@@ -4,6 +4,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Allow to receive some signals from new well-known profiles + signal (receive) peer=btop, signal (receive) peer=htop, signal (receive) peer=sudo, signal (receive) peer=top, @@ -28,3 +29,5 @@ @{PROC}/sys/kernel/core_pattern r, deny /apparmor/.null rw, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bash-strict b/apparmor.d/abstractions/bash-strict index 86e9fc50b..eb4f65230 100644 --- a/apparmor.d/abstractions/bash-strict +++ b/apparmor.d/abstractions/bash-strict @@ -33,3 +33,5 @@ owner @{PROC}/@{pid}/mounts r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bash.d/complete b/apparmor.d/abstractions/bash.d/complete index b8016f6d3..6d16109de 100644 --- a/apparmor.d/abstractions/bash.d/complete +++ b/apparmor.d/abstractions/bash.d/complete @@ -9,3 +9,5 @@ owner @{HOME}/.alias r, owner @{HOME}/.i18n r, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus-accessibility b/apparmor.d/abstractions/bus-accessibility index d69c9501a..f032f842b 100644 --- a/apparmor.d/abstractions/bus-accessibility +++ b/apparmor.d/abstractions/bus-accessibility @@ -17,3 +17,5 @@ owner @{run}/user/@{uid}/at-spi/bus_@{int} rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index f8d6ba37f..d5ca957e8 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session @@ -25,3 +25,5 @@ owner @{run}/user/@{uid}/bus rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus-system b/apparmor.d/abstractions/bus-system index 6d2a16beb..0148d0711 100644 --- a/apparmor.d/abstractions/bus-system +++ b/apparmor.d/abstractions/bus-system @@ -15,3 +15,5 @@ @{run}/dbus/system_bus_socket rw, include if exists + +# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry index a763bc5c1..3eceb53ab 100644 --- a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry +++ b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry @@ -20,3 +20,5 @@ peer=(name=:*, label=gnome-shell), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/com.canonical.dbusmenu b/apparmor.d/abstractions/bus/com.canonical.dbusmenu index e3ad37725..290a86de8 100644 --- a/apparmor.d/abstractions/bus/com.canonical.dbusmenu +++ b/apparmor.d/abstractions/bus/com.canonical.dbusmenu @@ -4,3 +4,5 @@ include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 index 50cbab8a0..a8e3d52a5 100644 --- a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 @@ -48,3 +48,5 @@ peer=(name=:*, label=wpa-supplicant), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles index 38922c8b0..b4032e033 100644 --- a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles +++ b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles @@ -8,3 +8,5 @@ peer=(name=:*, label=power-profiles-daemon), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl index ad2e358a2..55e4f414d 100644 --- a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl +++ b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl @@ -8,3 +8,5 @@ peer=(name=:*, label=switcheroo-control), include if exists + +# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/net.reactivated.Fprint b/apparmor.d/abstractions/bus/net.reactivated.Fprint index 17374de8b..7e7b21565 100644 --- a/apparmor.d/abstractions/bus/net.reactivated.Fprint +++ b/apparmor.d/abstractions/bus/net.reactivated.Fprint @@ -18,3 +18,5 @@ peer=(name=net.reactivated.Fprint, label=fprintd), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index 616029386..5103361c9 100644 --- a/apparmor.d/abstractions/bus/org.a11y +++ b/apparmor.d/abstractions/bus/org.a11y @@ -42,3 +42,5 @@ peer=(name=org.a11y.Bus), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/org.bluez index 2417fb4e2..7c86817f5 100644 --- a/apparmor.d/abstractions/bus/org.bluez +++ b/apparmor.d/abstractions/bus/org.bluez @@ -43,3 +43,5 @@ peer=(name=org.bluez, label=bluetoothd), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts index c6ffc74bc..10a9e8fc0 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts +++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts @@ -28,3 +28,5 @@ peer=(name=:*, label=accounts-daemon), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index fc7be18e4..8b24700db 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -23,3 +23,5 @@ peer=(name=:*, label=avahi-daemon), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index c8563e40a..3950b77aa 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager 
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager @@ -23,3 +23,5 @@ peer=(name=:*, label=colord), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 index 326c65849..b4e985b9e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 @@ -13,3 +13,5 @@ peer=(name=:*, label=nautilus), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 index 7ebcca741..836e99d94 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 @@ -33,3 +33,5 @@ peer=(name=:*, label=geoclue), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 index 75ee94bf8..217b588a4 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 @@ -18,3 +18,5 @@ peer=(name=:*, label=ModemManager), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager index d37f276b6..0fa92d3cc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager @@ -73,3 +73,5 @@ peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/org.freedesktop.Notifications index c6d8fc6a6..90ee1aefc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications 
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Notifications @@ -23,3 +23,5 @@ peer=(name=org.freedesktop.DBus, label=gjs-console), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit index 6775a6e6f..7cdd9a3ce 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit +++ b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit @@ -22,3 +22,5 @@ peer=(name=org.freedesktop.PackageKit, label=packagekitd), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 index 6f05ae688..3201e48ce 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 @@ -32,3 +32,5 @@ peer=(name=:*, label=polkitd), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 index 9a0fdf9f2..474c4c625 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 @@ -28,3 +28,5 @@ peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver index f3029c0b7..842057a1d 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver +++ b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver @@ -8,3 +8,5 @@ peer=(name=org.freedesktop.ScreenSaver), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files index 82124c494..567740a35 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files 
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files @@ -13,3 +13,5 @@ peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 index 956356c55..79b882e51 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 @@ -53,3 +53,5 @@ peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index 3d0963ae8..d8341d33c 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -42,3 +42,5 @@ peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor index 374c0693b..5f951381b 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor +++ b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor @@ -13,3 +13,5 @@ peer=(name=:*, label=xdg-desktop-portal), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index 8544b5036..54196d16b 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 @@ -13,3 +13,5 @@ peer=(name=org.freedesktop.hostname1), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore index 5176d3f33..6b965a2f5 100644 
--- a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore +++ b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore @@ -13,3 +13,5 @@ peer=(name=:*, label=xdg-permission-store), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/org.freedesktop.locale1 index 6d8c9649e..a2865c7c9 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.locale1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.locale1 @@ -12,3 +12,5 @@ peer=(name=org.freedesktop.locale1), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1 index 67d24772a..fdceceea4 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1 @@ -33,3 +33,5 @@ peer=(name=org.freedesktop.login1, label=systemd-logind), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session index 6541fb803..24d5c1452 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session @@ -38,3 +38,5 @@ peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.network1 b/apparmor.d/abstractions/bus/org.freedesktop.network1 index 7abc771f2..268a21dea 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.network1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.network1 @@ -8,3 +8,5 @@ peer=(name=org.freedesktop.network1, label=systemd-networkd), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 5ce45ef8f..a2a1a94a0 100644 
--- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop @@ -28,3 +28,5 @@ peer=(name=:*, label=xdg-desktop-portal), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 index 7c1260c7d..3057282c9 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 @@ -8,3 +8,5 @@ peer=(name="{:*,org.freedesktop.resolve1}", label=systemd-resolved), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.secrets b/apparmor.d/abstractions/bus/org.freedesktop.secrets index 5f53407c3..01ecf0786 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.secrets +++ b/apparmor.d/abstractions/bus/org.freedesktop.secrets @@ -28,3 +28,5 @@ peer=(name=:*, label=gnome-keyring-daemon), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 46d5fdc82..49e4b014d 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 @@ -18,3 +18,5 @@ peer=(name=org.freedesktop.systemd1), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session index 2f6bb9922..c0e852662 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session @@ -18,3 +18,5 @@ peer=(name="{:*,org.freedesktop.systemd1}", label="@{p_systemd_user}"), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 index d6748c8da..883c5c165 100644 
--- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 @@ -19,3 +19,5 @@ peer=(name=:*, label=systemd-timedated), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 index 087a8f08c..9953ee8bf 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 @@ -13,3 +13,5 @@ peer=(name=:*, label=file-roller), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.DisplayManager b/apparmor.d/abstractions/bus/org.gnome.DisplayManager index 3eeb35b69..05945a253 100644 --- a/apparmor.d/abstractions/bus/org.gnome.DisplayManager +++ b/apparmor.d/abstractions/bus/org.gnome.DisplayManager @@ -8,3 +8,5 @@ peer=(name=:*, label=gdm), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig index 04d550761..d701792a6 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig @@ -28,3 +28,5 @@ peer=(name=:*, label=gnome-shell), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor index 648e707c4..7ada64f05 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor @@ -18,3 +18,5 @@ peer=(name=:*, label=gnome-shell), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 index 1a3dc2e0f..e547ab2c5 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 
+++ b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 @@ -18,3 +18,5 @@ peer=(name=:*, label=nautilus), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver index 24c4e37ec..3e228ad1f 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver +++ b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver @@ -18,3 +18,5 @@ peer=(name=:*, label=gjs-console), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.SessionManager b/apparmor.d/abstractions/bus/org.gnome.SessionManager index 07576ff52..4197fb4cf 100644 --- a/apparmor.d/abstractions/bus/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/org.gnome.SessionManager @@ -60,3 +60,5 @@ peer=(name=org.gnome.SessionManager, label=gnome-session-binary), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect index 4356c487b..72e4525bc 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect +++ b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect @@ -28,3 +28,5 @@ peer=(name=:*, label=gnome-shell), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor index 1c3349dc7..73d958513 100644 --- a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor +++ b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor @@ -18,3 +18,5 @@ peer=(name=:*, label=gvfs-*-volume-monitor), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon index 5bbfd7594..35cd640d6 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon 
@@ -8,3 +8,5 @@ peer=(name=:*, label=gvfsd), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata index a547bc5d4..33d3c1c36 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata @@ -13,3 +13,5 @@ peer=(name=:*, label=gvfsd-metadata), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker index 262982bb1..4d59f0afc 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker @@ -18,3 +18,5 @@ peer=(name=:*, label=gvfsd), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem index 553195bbc..4fca40e84 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem @@ -4,3 +4,5 @@ include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher index 28ccc4a4b..67ac1fb6d 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher @@ -18,3 +18,5 @@ peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.kde.kwalletd b/apparmor.d/abstractions/bus/org.kde.kwalletd index db103ba85..c0d2ecba2 100644 --- a/apparmor.d/abstractions/bus/org.kde.kwalletd +++ b/apparmor.d/abstractions/bus/org.kde.kwalletd @@ -3,3 +3,5 @@ # SPDX-License-Identifier: GPL-2.0-only include if exists + +# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index b18ce7eb0..e44d8509c 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -15,10 +15,11 @@ include include include - # include + include include include include + include include include include @@ -63,7 +64,6 @@ owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, - @{run}/cups/cups.sock rw, # Allow access to cups printing socket. @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket. @{run}/host/{,**} r, @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. @@ -100,13 +100,14 @@ @{PROC}/pressure/io r, @{PROC}/pressure/memory r, @{PROC}/sys/fs/inotify/max_user_watches r, - @{PROC}/sys/kernel/core_pattern r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/uptime r, @{PROC}/version r, @{PROC}/zoneinfo r, + owner @{PROC}/@{pid}/autogroup rw, owner @{PROC}/@{pid}/clear_refs w, owner @{PROC}/@{pid}/comm rw, owner @{PROC}/@{pid}/environ r, @@ -128,4 +129,6 @@ /dev/pts/ptmx rw, /dev/tty rw, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/common/apt index baa14757d..77c5a0b7e 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/common/apt @@ -28,4 +28,6 @@ owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index f2e76bcdf..a73626bb1 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap 
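Review bot: The `@@ -63,7 +64,6 @@` hunk removes the cups socket line but keeps `@{run}/havahi-daemon/socket rw,` directly below it, whose path is misspelled (`havahi`), so the rule never matches `/run/avahi-daemon/socket` and the comment beside it is misleading; it should read `@{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket.`. Separately, `owner @{PROC}/@{pid}/autogroup rw,` in the `@@ -100,13 +100,14 @@` hunk lets every confined app rewrite its own autogroup nice value — harmless in scope, but a short why-comment naming the application that needed it would stop it being pruned later as unexplained.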
@@ -2,10 +2,9 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Minimal set of rules for bwrap - +# A minimal set of rules for sandboxed programs using bwrap. # A profile using this abstraction still needs to set: -# - the attach_disconnected flag +# - the flag: attach_disconnected # - bwrap execution: '@{bin}/bwrap rix,' # userns, @@ -31,6 +30,9 @@ umount /, umount /oldroot/, + #aa:only debian whonix + mount -> /newroot/{,**}, # Debian does not support the remount rule. + pivot_root oldroot=/newroot/ /newroot/, pivot_root oldroot=/tmp/oldroot/ /tmp/, @@ -51,3 +53,5 @@ owner @{PROC}/@{pid}/uid_map rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 1fc1d1555..2e98c515a 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -20,23 +20,25 @@ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_share_dirs}/.org.chromium.Chromium.* rw, + owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw, /tmp/ r, /var/tmp/ r, - owner @{tmp}/.org.chromium.Chromium.* rw, - owner @{tmp}/.org.chromium.Chromium.*/{,**} rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/{,**} rw, owner @{tmp}/scoped_dir*/ rw, owner @{tmp}/scoped_dir*/SingletonCookie w, owner @{tmp}/scoped_dir*/SingletonSocket w, owner @{tmp}/scoped_dir*/SS w, /dev/shm/ r, - owner /dev/shm/.org.chromium.Chromium.* rw, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/setgroups w, owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/uid_map w, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 22aa0d784..732129c26 100644 
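Review bot: The new `mount -> /newroot/{,**},` in the `@@ -31,6 +30,9 @@` hunk of common/bwrap carries no `fstype=`, `options=` or source restriction, so on the systems selected by `#aa:only debian whonix` every profile that includes this abstraction may mount any filesystem type from any source anywhere under /newroot, which is considerably broader than the remount rule it stands in for. If the Debian parser only lacks support for the remount form, a rule scoped with `options=` to the bind/remount flags bwrap actually uses would retain most of the restriction. If that is not possible, the comment should say so, e.g. `# Debian's parser rejects the remount rule; this is a deliberately broad fallback.` rather than only `# Debian does not support the remount rule.`, so that nobody later narrows or removes it without knowing why it is there.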
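Review bot: The common/chromium hunk tightens the `.org.chromium.Chromium.*` names to `@{rand6}` but leaves the adjacent `owner @{tmp}/scoped_dir*/` rules on a bare `*`, so those are now the only rules in the block that still match arbitrary names. If the scoped_dir suffix is also a fixed-length random string, `owner @{tmp}/scoped_dir@{rand6}/ rw,` would be consistent with the rest of the change; if it is not, a short comment saying why the wildcard stays would stop the next reader from tightening it by mistake.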
--- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -86,4 +86,6 @@ owner @{PROC}/@{pid}/task/@{tid}/status r, owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index 275853d51..c93f9bc05 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -24,4 +24,6 @@ owner @{PROC}/@{pid}/cmdline r, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game new file mode 100644 index 000000000..88bd3d1b6 --- /dev/null +++ b/apparmor.d/abstractions/common/steam-game 
@@ -0,0 +1,125 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + include + include + include + include + include + include + include + + @{bin}/uname rix, + @{bin}/xdg-settings rPx, + @{browsers_path} rPx, + + @{bin}/env r, + + @{app_dirs}/ r, + @{lib_dirs}/ r, + @{lib}/ r, + / r, + /home/ r, + /usr/ r, + /usr/local/ r, + /usr/local/lib/ r, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + owner @{HOME}/ r, + owner @{HOME}/.steam/steam.pid r, + owner @{HOME}/.steam/steam.pipe r, + + owner @{user_games_dirs}/ r, + owner @{user_games_dirs}/*/ r, + owner @{user_games_dirs}/*/{,**} rwkl, + + owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, + + owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, + + owner @{share_dirs}/ r, + owner @{share_dirs}/* r, + owner @{share_dirs}/appcache/** rk, + owner @{share_dirs}/config/ r, + owner @{share_dirs}/config/* rwk, + owner @{share_dirs}/logs/ rw, + owner @{share_dirs}/logs/* rwk, + owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw, + owner @{share_dirs}/steamapps/ r, + owner @{share_dirs}/steamapps/common/ r, + owner @{share_dirs}/steamapps/common/[^S]*/** rwlk, + owner @{share_dirs}/steamapps/shadercache/{,**} rwk, + + @{tmp}/ r, + owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, + owner @{tmp}/#@{int} rw, + owner @{tmp}/CASESENSITIVETEST@{hex32} rw, + owner @{tmp}/crashes/ rw, + owner @{tmp}/crashes/** rwk, + owner @{tmp}/miles_image_@{rand6} mrw, + owner @{tmp}/runtime-info.txt.@{rand6} rw, + owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, + + owner /dev/shm/mono.@{int} rw, + owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, + owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw, + owner /dev/shm/u@{uid}-Shm_@{hex6} rw, + owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, + owner 
/dev/shm/u@{uid}-Shm_@{hex8} rw, + owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, + owner /dev/shm/ValveIPCSHM_@{uid} rw, + + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + + @{sys}/ r, + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/hidraw/ r, + @{sys}/class/input/ r, + @{sys}/devices/ r, + @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/net/*/carrier r, + @{sys}/devices/**/input@{int}/ r, + @{sys}/devices/**/input@{int}/**/{vendor,product} r, + @{sys}/devices/**/input@{int}/capabilities/* r, + @{sys}/devices/**/input/input@{int}/ r, + @{sys}/devices/**/uevent r, + @{sys}/devices/system/ r, + @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, + @{sys}/devices/system/cpu/cpu@{int}/ r, + @{sys}/devices/virtual/dmi/id/* r, + @{sys}/devices/virtual/net/*/carrier r, + @{sys}/kernel/ r, + + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + + @{PROC}/uptime r, + @{PROC}/version r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/pagemap r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + /dev/ r, + /dev/hidraw@{int} rw, + /dev/input/ r, + /dev/input/event@{int} rw, + /dev/tty rw, + /dev/uinput rw, + + include if exists \ No newline at end of file diff --git a/apparmor.d/abstractions/common/systemd b/apparmor.d/abstractions/common/systemd index b98291bf5..0ed3a824b 100644 --- a/apparmor.d/abstractions/common/systemd +++ b/apparmor.d/abstractions/common/systemd 
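Review bot: The new common/steam-game file ends with its `include if exists` line marked `\ No newline at end of file`, while every other abstraction in this commit gains a trailing newline and a `# vim:syntax=apparmor` modeline; the same two lines should be appended here for consistency. The file also has no header comment saying what it is for and what a profile using it must still set (compare the `# A minimal set of rules for sandboxed programs using bwrap.` block in common/bwrap); a two-line description at the top would help. `/dev/hidraw@{int} rw,` grants raw HID access to every hidraw device, which on a desktop can include FIDO/U2F security keys and other non-game hardware, and `/dev/uinput rw,` lets any game create virtual input devices; if these exist only for Steam Input, a comment saying so (or moving them to the profiles that need them) would make the breadth deliberate. The `[^S]*` in `owner @{share_dirs}/steamapps/common/[^S]*/** rwlk,` presumably excludes the Steam runtime directories, which deserves a comment since the glob also excludes any game whose directory name starts with S.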
@@ -18,4 +18,6 @@ /dev/kmsg w, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/crypto.d/complete b/apparmor.d/abstractions/crypto.d/complete index ccf3d799a..a163af66d 100644 --- a/apparmor.d/abstractions/crypto.d/complete +++ b/apparmor.d/abstractions/crypto.d/complete @@ -6,3 +6,5 @@ @{etc_ro}/gnutls/config r, @{etc_ro}/gnutls/pkcs11.conf r, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dconf-write b/apparmor.d/abstractions/dconf-write index 58aad166e..f25e1c3e6 100644 --- a/apparmor.d/abstractions/dconf-write +++ b/apparmor.d/abstractions/dconf-write @@ -25,3 +25,5 @@ owner @{run}/user/@{uid}/dconf/user rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home index ccae3cf45..d8e1fdfb8 100644 --- a/apparmor.d/abstractions/deny-sensitive-home +++ b/apparmor.d/abstractions/deny-sensitive-home @@ -49,3 +49,5 @@ deny @{HOME}/.{,cache/}fontconfig/** mrwl, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index bc273a006..befea8bcb 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -63,3 +63,5 @@ owner @{user_share_dirs}/ rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb index 9d9db462e..5a2a8b742 100644 --- a/apparmor.d/abstractions/devices-usb +++ b/apparmor.d/abstractions/devices-usb @@ -22,4 +22,6 @@ @{run}/udev/data/c16[6,7]:@{int} r, # USB modems @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 2b89a1308..10beb258d 100644 --- a/apparmor.d/abstractions/disks-read 
+++ b/apparmor.d/abstractions/disks-read @@ -95,3 +95,5 @@ @{run}/udev/data/+usb:* r, # for disk over usb hub include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index b6937698c..361b60d82 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -95,3 +95,5 @@ @{run}/udev/data/+usb:* r, # for disk over usb hub include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri index b6c6dc23b..a1eb1cd41 100644 --- a/apparmor.d/abstractions/dri +++ b/apparmor.d/abstractions/dri @@ -32,3 +32,5 @@ /dev/dri/renderD129 rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/fish b/apparmor.d/abstractions/fish index c5ed229c0..fe3cab891 100644 --- a/apparmor.d/abstractions/fish +++ b/apparmor.d/abstractions/fish @@ -12,3 +12,5 @@ owner @{user_config_dirs}/fish/{,**} r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/fontconfig-cache-read b/apparmor.d/abstractions/fontconfig-cache-read index 2873ebe45..216075648 100644 --- a/apparmor.d/abstractions/fontconfig-cache-read +++ b/apparmor.d/abstractions/fontconfig-cache-read @@ -46,3 +46,5 @@ deny "@{user_share_dirs}/fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" w, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write index c9bb799cd..19fa7c53a 100644 --- a/apparmor.d/abstractions/fontconfig-cache-write +++ b/apparmor.d/abstractions/fontconfig-cache-write @@ -39,3 +39,5 @@ link @{user_share_dirs}/fonts/**/.uuid.LCK -> @{user_share_dirs}/fonts/**/.uuid.TMP-*, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index 7313fbca1..3e669f4dc 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete 
+++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -22,3 +22,5 @@ /var/lib/snapd/desktop/icons/{,**} r, owner @{HOME}/.icons/{,**} r, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index ba566cd69..891e5a573 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -28,3 +28,5 @@ owner @{user_share_dirs}/ rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete index 3d204be7d..90f705ac7 100644 --- a/apparmor.d/abstractions/gnome.d/complete +++ b/apparmor.d/abstractions/gnome.d/complete @@ -10,3 +10,5 @@ peer=(name=:*, label=gnome-shell), /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index 85589272f..9b7954f0d 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics @@ -20,3 +20,5 @@ @{sys}/devices/system/node/node@{int}/meminfo r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index e9480d217..fe2d2001c 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -9,3 +9,5 @@ /dev/nvidia-uvm-tools rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 87bf1c1b3..60bac614e 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -54,3 +54,5 @@ /dev/dri/ r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 942713159..ac702a70f 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete 
@@ -40,3 +40,5 @@ owner @{user_config_dirs}/gtk-{3,4}.0/servers r, owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini r, owner @{user_config_dirs}/gtk-{3,4}.0/window_decorations.css r, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete index c09e3ad6f..33d034b5a 100644 --- a/apparmor.d/abstractions/ibus.d/complete +++ b/apparmor.d/abstractions/ibus.d/complete @@ -22,3 +22,5 @@ addr="@/home/*/.cache/ibus/dbus-????????", owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-open5.d/complete b/apparmor.d/abstractions/kde-open5.d/complete index c3206ba85..37038b129 100644 --- a/apparmor.d/abstractions/kde-open5.d/complete +++ b/apparmor.d/abstractions/kde-open5.d/complete @@ -7,3 +7,5 @@ owner @{user_config_dirs}/menus/{,**} r, owner @{run}/user/@{uid}/kioclient*.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index e05ad466a..c164bd434 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -34,3 +34,5 @@ owner @{user_config_dirs}/kwinrc r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index 1a77e3e7c..ed3306e42 100644 --- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete @@ -10,3 +10,5 @@ owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38}.tmp rwk, owner @{desktop_cache_dirs}/mesa_shader_cache/index rw, owner @{desktop_cache_dirs}/mesa_shader_cache/marker rw, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/nameservice-strict b/apparmor.d/abstractions/nameservice-strict index ad10304c4..b1d474717 100644 --- a/apparmor.d/abstractions/nameservice-strict +++ b/apparmor.d/abstractions/nameservice-strict 
@@ -49,3 +49,5 @@ @{PROC}/sys/kernel/random/boot_id r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index e5102cb24..6521c9840 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -34,3 +34,5 @@ deny owner @{HOME}/.nv/.local/share/gvfs-metadata/* r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/nvidia.d/complete b/apparmor.d/abstractions/nvidia.d/complete index 08d3b91bc..ef9d0c40d 100644 --- a/apparmor.d/abstractions/nvidia.d/complete +++ b/apparmor.d/abstractions/nvidia.d/complete @@ -9,3 +9,5 @@ /etc/nvidia/nvidia-application-profiles* r, /dev/char/195:@{int} rw, # Nvidia graphics devices + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/opencl-intel.d/complete b/apparmor.d/abstractions/opencl-intel.d/complete index c250a369a..1845cd61d 100644 --- a/apparmor.d/abstractions/opencl-intel.d/complete +++ b/apparmor.d/abstractions/opencl-intel.d/complete @@ -4,3 +4,5 @@ /opt/intel/oneapi/{compiler,lib,mkl}/**/ r, /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/python.d/complete b/apparmor.d/abstractions/python.d/complete index 9638a61a5..e6eea6744 100644 --- a/apparmor.d/abstractions/python.d/complete +++ b/apparmor.d/abstractions/python.d/complete @@ -10,3 +10,5 @@ owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r, owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r, owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/**/ r, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/qt5-shader-cache b/apparmor.d/abstractions/qt5-shader-cache index 05c4091f0..4ac0f7f1d 100644 --- a/apparmor.d/abstractions/qt5-shader-cache +++ b/apparmor.d/abstractions/qt5-shader-cache 
@@ -12,3 +12,5 @@ owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int}, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/qt5.d/complete b/apparmor.d/abstractions/qt5.d/complete index fadb39931..6063b47e2 100644 --- a/apparmor.d/abstractions/qt5.d/complete +++ b/apparmor.d/abstractions/qt5.d/complete @@ -9,3 +9,5 @@ /usr/share/qt{,5,6}ct/{,**} r, owner @{user_config_dirs}/qt{,5,6}ct/{,**} r, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/shells b/apparmor.d/abstractions/shells index 5583f599d..b269f2335 100644 --- a/apparmor.d/abstractions/shells +++ b/apparmor.d/abstractions/shells @@ -10,3 +10,5 @@ include include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/thumbnails-cache-read b/apparmor.d/abstractions/thumbnails-cache-read index 3c947d2ae..dc164c6ba 100644 --- a/apparmor.d/abstractions/thumbnails-cache-read +++ b/apparmor.d/abstractions/thumbnails-cache-read @@ -12,3 +12,5 @@ owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int} r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write index 5bcca4d4b..01de0407e 100644 --- a/apparmor.d/abstractions/thumbnails-cache-write +++ b/apparmor.d/abstractions/thumbnails-cache-write @@ -12,3 +12,5 @@ owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int} rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/trash-strict b/apparmor.d/abstractions/trash-strict index 212385774..1f4202818 100644 --- a/apparmor.d/abstractions/trash-strict +++ b/apparmor.d/abstractions/trash-strict @@ -80,3 +80,5 @@ @{MOUNTS}/*/.Trash-@{uid}/expunged/@{int}/** rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/trash.d/complete b/apparmor.d/abstractions/trash.d/complete index 29d5d021a..a80a1e5a6 100644 
--- a/apparmor.d/abstractions/trash.d/complete +++ b/apparmor.d/abstractions/trash.d/complete @@ -25,3 +25,5 @@ # Removable media's trash location when the admin doesn't create the .Trash/ folder in the top lvl dir owner /{media,mnt}/*/*/.Trash-@{int}/{,**} rwl, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/uim b/apparmor.d/abstractions/uim index 24b430b10..03ae9e3e8 100644 --- a/apparmor.d/abstractions/uim +++ b/apparmor.d/abstractions/uim @@ -12,4 +12,6 @@ owner @{run}/user/@{uid}/uim/socket/uim-helper rw, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/user-download-strict b/apparmor.d/abstractions/user-download-strict index ee23bce39..3feed5cd8 100644 --- a/apparmor.d/abstractions/user-download-strict +++ b/apparmor.d/abstractions/user-download-strict @@ -13,3 +13,5 @@ owner @{user_download_dirs}/** rwkl, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/user-read b/apparmor.d/abstractions/user-read index b79e78eae..4187ab9e2 100644 --- a/apparmor.d/abstractions/user-read +++ b/apparmor.d/abstractions/user-read @@ -10,4 +10,6 @@ owner @{HOME}/[^.]** r, owner @{MOUNTS}/[^.]** r, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/user-read-strict b/apparmor.d/abstractions/user-read-strict index 3ff81e66a..5211b0345 100644 --- a/apparmor.d/abstractions/user-read-strict +++ b/apparmor.d/abstractions/user-read-strict @@ -30,4 +30,6 @@ owner @{user_vm_dirs}/{,**} rk, owner @{user_work_dirs}/{,**} rk, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/user-write-strict b/apparmor.d/abstractions/user-write-strict index 51fe3e08d..223fc660a 100644 --- a/apparmor.d/abstractions/user-write-strict +++ b/apparmor.d/abstractions/user-write-strict 
@@ -30,4 +30,6 @@ owner @{user_vm_dirs}/{,**} wl, owner @{user_work_dirs}/{,**} wl, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/user-write.d/complete b/apparmor.d/abstractions/user-write.d/complete index 8f73b06e6..a529324f5 100644 --- a/apparmor.d/abstractions/user-write.d/complete +++ b/apparmor.d/abstractions/user-write.d/complete @@ -9,3 +9,5 @@ owner @{HOME}/[^.]** wl, owner @{MOUNTS}/[^.]** wl, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/video.d/complete b/apparmor.d/abstractions/video.d/complete index e36b3128b..97b7f1a2a 100644 --- a/apparmor.d/abstractions/video.d/complete +++ b/apparmor.d/abstractions/video.d/complete @@ -8,3 +8,5 @@ # Access to video /dev devices /dev/video@{int} rw, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict index ee56ef44c..fd86f1e81 100644 --- a/apparmor.d/abstractions/vulkan-strict +++ b/apparmor.d/abstractions/vulkan-strict @@ -14,9 +14,12 @@ /etc/vulkan/icd.d/{,*.json} r, /etc/vulkan/implicit_layer.d/{,*.json} r, - owner @{user_share_dirs}/vulkan/implicit_layer.d/{,*.json} r, owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache + owner @{user_share_dirs}/vulkan/ rw, + owner @{user_share_dirs}/vulkan/implicit_layer.d/ rw, + owner @{user_share_dirs}/vulkan/implicit_layer.d/*.json r, + @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/devices/@{pci}/drm/ r, @@ -26,3 +29,5 @@ include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/vulkan.d/complete b/apparmor.d/abstractions/vulkan.d/complete index 9df2edd4b..8e5b68c08 100644 --- a/apparmor.d/abstractions/vulkan.d/complete +++ b/apparmor.d/abstractions/vulkan.d/complete @@ -4,3 +4,5 @@ /etc/glvnd/egl_vendor.d/{,*.json} r, /usr/share/glvnd/egl_vendor.d/{,*.json} r, /usr/share/egl/egl_external_platform.d/{,*.json} r, + +# vim:syntax=apparmor 
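Review bot: In the vulkan-strict hunk, the replacement rules give `rw` on `@{user_share_dirs}/vulkan/` and `@{user_share_dirs}/vulkan/implicit_layer.d/` where the removed rule only had `r`; in an abstraction named `-strict`, a directory write should be justified in a comment, e.g. `# the loader creates the directory when missing` if that is the reason, or reduced to `r` if only listing is required. The `*.json r` line keeps the layer manifests read-only, so the widening is limited to the directories themselves, but the reason for it is not visible from the diff.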
diff --git a/apparmor.d/abstractions/wayland.d/complete b/apparmor.d/abstractions/wayland.d/complete index 4e2e7dd02..245b9238d 100644 --- a/apparmor.d/abstractions/wayland.d/complete +++ b/apparmor.d/abstractions/wayland.d/complete @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-wayland-@{int} r, + owner @{user_share_dirs}/sddm/wayland-session.log w, owner @{run}/user/@{uid}/wayland-@{int}.lock rwk, @@ -9,3 +11,5 @@ owner /dev/shm/sway* rw, owner /dev/shm/dunst-@{rand6} rw, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index eff45b142..067de9148 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -19,3 +19,5 @@ owner @{user_share_dirs}/ rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index 4addfdac9..15711713c 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -26,4 +26,6 @@ owner @{user_config_dirs}/zsh/.zcompdump-* rw, owner @{user_config_dirs}/zsh/{,**} r, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default index 0b6b72f15..8067b41a2 100644 --- a/apparmor.d/groups/_full/default +++ b/apparmor.d/groups/_full/default @@ -99,7 +99,6 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, @{PROC}/cmdline r, - @{PROC}/sys/kernel/core_pattern r, @{PROC}/sys/kernel/seccomp/actions_avail r, @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/akonadi/akonadi_akonotes_resource b/apparmor.d/groups/akonadi/akonadi_akonotes_resource index aea9bf790..5956c3e78 100644 --- a/apparmor.d/groups/akonadi/akonadi_akonotes_resource 
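Review bot: `owner @{user_share_dirs}/sddm/wayland-session.log w,` is added to the wayland.d/complete drop-in, which is pulled in by every Wayland client profile, so any confined Wayland program may truncate or overwrite the user's SDDM session log even though only the session leader should be writing it. If the grant exists because the session's stdout/stderr are redirected to that file and inherited by every client, a comment stating that would make it understandable; otherwise it seems to belong in an sddm-specific profile. The same placement question applies, more mildly, to the new ibus socket rule above it, which looks like it belongs with the existing ibus abstraction.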
+++ b/apparmor.d/groups/akonadi/akonadi_akonotes_resource @@ -36,8 +36,6 @@ profile akonadi_akonotes_resource @{exec_path} { owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, - @{PROC}/sys/kernel/core_pattern r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_archivemail_agent b/apparmor.d/groups/akonadi/akonadi_archivemail_agent index 22a2568c8..27a065274 100644 --- a/apparmor.d/groups/akonadi/akonadi_archivemail_agent +++ b/apparmor.d/groups/akonadi/akonadi_archivemail_agent @@ -42,8 +42,6 @@ profile akonadi_archivemail_agent @{exec_path} { owner @{user_share_dirs}/akonadi/file_db_data/{,**} r, - @{PROC}/sys/kernel/core_pattern r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_birthdays_resource b/apparmor.d/groups/akonadi/akonadi_birthdays_resource index bfc042c87..5da0cbffc 100644 --- a/apparmor.d/groups/akonadi/akonadi_birthdays_resource +++ b/apparmor.d/groups/akonadi/akonadi_birthdays_resource @@ -35,8 +35,6 @@ profile akonadi_birthdays_resource @{exec_path} { owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, - @{PROC}/sys/kernel/core_pattern r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_contacts_resource b/apparmor.d/groups/akonadi/akonadi_contacts_resource index 03c733303..54cdc9af3 100644 --- a/apparmor.d/groups/akonadi/akonadi_contacts_resource +++ b/apparmor.d/groups/akonadi/akonadi_contacts_resource @@ -39,8 +39,6 @@ profile akonadi_contacts_resource @{exec_path} { owner @{user_share_dirs}/contacts/ r, owner @{user_share_dirs}/contacts/*.vcf w, - @{PROC}/sys/kernel/core_pattern r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_control b/apparmor.d/groups/akonadi/akonadi_control index 23bfbab2a..16ee7c6c3 100644 --- a/apparmor.d/groups/akonadi/akonadi_control +++ b/apparmor.d/groups/akonadi/akonadi_control 
@@ -40,8 +40,6 @@ profile akonadi_control @{exec_path} { owner @{user_share_dirs}/akonadi/{,**} rwl, - @{PROC}/sys/kernel/core_pattern r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_followupreminder_agent b/apparmor.d/groups/akonadi/akonadi_followupreminder_agent index 805d79ab8..220161832 100644 --- a/apparmor.d/groups/akonadi/akonadi_followupreminder_agent +++ b/apparmor.d/groups/akonadi/akonadi_followupreminder_agent @@ -38,8 +38,6 @@ profile akonadi_followupreminder_agent @{exec_path} { owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, - @{PROC}/sys/kernel/core_pattern r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_ical_resource b/apparmor.d/groups/akonadi/akonadi_ical_resource index 7c1b4ea61..12414ece7 100644 --- a/apparmor.d/groups/akonadi/akonadi_ical_resource +++ b/apparmor.d/groups/akonadi/akonadi_ical_resource @@ -31,8 +31,6 @@ profile akonadi_ical_resource @{exec_path} { owner @{user_config_dirs}/kwinrc r, owner @{user_share_dirs}/apps/korganizer/{,**} rw, - @{PROC}/sys/kernel/core_pattern r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_indexing_agent b/apparmor.d/groups/akonadi/akonadi_indexing_agent index 0bffc97ff..1c59bc78d 100644 --- a/apparmor.d/groups/akonadi/akonadi_indexing_agent +++ b/apparmor.d/groups/akonadi/akonadi_indexing_agent @@ -45,8 +45,6 @@ profile akonadi_indexing_agent @{exec_path} { owner @{user_share_dirs}/akonadi/ rw, owner @{user_share_dirs}/akonadi/** rwlk -> @{user_share_dirs}/akonadi/**, - @{PROC}/sys/kernel/core_pattern r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_maildir_resource b/apparmor.d/groups/akonadi/akonadi_maildir_resource index fa44749df..55d0ce2b0 100644 --- a/apparmor.d/groups/akonadi/akonadi_maildir_resource +++ b/apparmor.d/groups/akonadi/akonadi_maildir_resource 
@@ -39,8 +39,6 @@ profile akonadi_maildir_resource @{exec_path} { owner @{user_share_dirs}/akonadi/{,**} rwk, owner @{user_share_dirs}/local-mail*/{,**} rw, - @{PROC}/sys/kernel/core_pattern rw, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent b/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent index 35839f63c..9030af7b5 100644 --- a/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent +++ b/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent @@ -50,8 +50,6 @@ profile akonadi_maildispatcher_agent @{exec_path} { owner @{user_share_dirs}/akonadi/file_db_data/{,**} r, - @{PROC}/sys/kernel/core_pattern r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent index 80594c6bd..d0d666b31 100644 --- a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent +++ b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent @@ -56,8 +56,6 @@ profile akonadi_mailfilter_agent @{exec_path} { owner @{user_share_dirs}/akonadi/file_db_data/{,**} rw, - @{PROC}/sys/kernel/core_pattern r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_mailmerge_agent b/apparmor.d/groups/akonadi/akonadi_mailmerge_agent index fa663481a..510bcb1fb 100644 --- a/apparmor.d/groups/akonadi/akonadi_mailmerge_agent +++ b/apparmor.d/groups/akonadi/akonadi_mailmerge_agent @@ -39,8 +39,6 @@ profile akonadi_mailmerge_agent @{exec_path} { owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, - @{PROC}/sys/kernel/core_pattern r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_migration_agent b/apparmor.d/groups/akonadi/akonadi_migration_agent index 5ad12003c..9a0478320 100644 --- a/apparmor.d/groups/akonadi/akonadi_migration_agent +++ b/apparmor.d/groups/akonadi/akonadi_migration_agent 
@@ -36,8 +36,6 @@ profile akonadi_migration_agent @{exec_path} { owner @{user_share_dirs}/akonadi_migration_agent/{,**} rw, - @{PROC}/sys/kernel/core_pattern r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent index ffd40e8de..d07dcedbf 100644 --- a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent +++ b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent @@ -33,8 +33,6 @@ profile akonadi_newmailnotifier_agent @{exec_path} { owner @{user_config_dirs}/kmail2rc r, owner @{user_config_dirs}/specialmailcollectionsrc r, - @{PROC}/sys/kernel/core_pattern r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_notes_agent b/apparmor.d/groups/akonadi/akonadi_notes_agent index ee08560e3..56eb53c25 100644 --- a/apparmor.d/groups/akonadi/akonadi_notes_agent +++ b/apparmor.d/groups/akonadi/akonadi_notes_agent @@ -39,8 +39,6 @@ profile akonadi_notes_agent @{exec_path} { owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, - @{PROC}/sys/kernel/core_pattern r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_sendlater_agent b/apparmor.d/groups/akonadi/akonadi_sendlater_agent index 945066cb8..104b3ec42 100644 --- a/apparmor.d/groups/akonadi/akonadi_sendlater_agent +++ b/apparmor.d/groups/akonadi/akonadi_sendlater_agent @@ -40,8 +40,6 @@ profile akonadi_sendlater_agent @{exec_path} { owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, - @{PROC}/sys/kernel/core_pattern r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent b/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent index fcbf68d07..22f53cb04 100644 --- a/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent +++ b/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent 
@@ -34,8 +34,6 @@ profile akonadi_unifiedmailbox_agent @{exec_path} {
 owner @{user_config_dirs}/kdeglobals r,
 owner @{user_config_dirs}/kwinrc r,
- @{PROC}/sys/kernel/core_pattern r,
- /dev/tty r,
 include if exists
diff --git a/apparmor.d/groups/apps/dropbox b/apparmor.d/groups/apps/dropbox
index 961850c9e..066f9a5b7 100644
--- a/apparmor.d/groups/apps/dropbox
+++ b/apparmor.d/groups/apps/dropbox
@@ -58,7 +58,7 @@ profile dropbox @{exec_path} {
 # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead
 owner @{tmp}/dropbox-antifreeze-* rw,
 owner @{tmp}/#@{int} rw,
- owner /var/tmp/etilqs_@{hex} rw,
+ owner /var/tmp/etilqs_@{hex16} rw,
 @{run}/systemd/users/@{uid} r,
diff --git a/apparmor.d/groups/apps/signal-desktop b/apparmor.d/groups/apps/signal-desktop
index d3165a54d..6048857e9 100644
--- a/apparmor.d/groups/apps/signal-desktop
+++ b/apparmor.d/groups/apps/signal-desktop
@@ -43,6 +43,7 @@ profile signal-desktop @{exec_path} {
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r,
+ @{PROC}/@{pid}/fd/ r,
 @{PROC}/vmstat r,
 include if exists
diff --git a/apparmor.d/groups/apps/signal-desktop-chrome-sandbox b/apparmor.d/groups/apps/signal-desktop-chrome-sandbox
index 4f6bf976a..3de0c2f3f 100644
--- a/apparmor.d/groups/apps/signal-desktop-chrome-sandbox
+++ b/apparmor.d/groups/apps/signal-desktop-chrome-sandbox
@@ -22,6 +22,8 @@ profile signal-desktop-chrome-sandbox @{exec_path} {
 @{lib_dirs}/signal-desktop{,-beta} rPx,
 @{PROC}/@{pid}/ r,
+ @{PROC}/@{pid}/oom_adj w,
+ @{PROC}/@{pid}/oom_score_adj w,
 include if exists
 }
diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/groups/apps/telegram-desktop
index add8fa0d2..68543770a 100644
--- a/apparmor.d/groups/apps/telegram-desktop
+++ b/apparmor.d/groups/apps/telegram-desktop
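Review bot: The new `@{PROC}/@{pid}/oom_adj w,` and `@{PROC}/@{pid}/oom_score_adj w,` rules in the signal-desktop-chrome-sandbox hunk carry no `owner` qualifier, and the `@{pid}` tunable is a generic pid pattern rather than the caller's own pid, so the profile permits OOM-score writes for any process the helper can reach. Chrome's sandbox helper is normally installed setuid root, so DAC will not narrow this the way it would for an ordinary user process; the rule deserves a comment stating which processes it is meant to cover, e.g. `# Adjusts the OOM score of the renderer children it spawns`. `oom_adj` is the legacy interface; if the audit log only ever shows `oom_score_adj`, the first rule can be dropped to keep the profile minimal.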
@@ -45,7 +45,6 @@ profile telegram-desktop @{exec_path} {
 owner @{run}/user/@{uid}/@{hex}-* rwk,
 owner /dev/shm/#@{int} rw,
- @{PROC}/sys/kernel/random/boot_id r,
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/groups/apt/debsign b/apparmor.d/groups/apt/debsign
index c15be86ea..effa93be2 100644
--- a/apparmor.d/groups/apt/debsign
+++ b/apparmor.d/groups/apt/debsign
@@ -55,6 +55,7 @@ profile debsign @{exec_path} {
 owner @{tmp}/debsign.*/*.{dsc,changes,buildinfo} r,
 owner @{tmp}/debsign.*/*.{dsc,changes,buildinfo}.asc rw,
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/groups/apt/debsums b/apparmor.d/groups/apt/debsums
index 7bc55f09b..5cd5e045d 100644
--- a/apparmor.d/groups/apt/debsums
+++ b/apparmor.d/groups/apt/debsums
@@ -20,13 +20,6 @@ profile debsums @{exec_path} {
 @{sh_path} rix,
 @{bin}/{m,g,}awk rix,
- /etc/dpkg/dpkg.cfg.d/{,*} r,
- /etc/dpkg/dpkg.cfg r,
-
- /var/lib/dpkg/info/* r,
-
- /etc/locale.nopurge r,
-
 # Do not strip env to avoid errors like the following:
 # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
 # shared object file): ignored.
@@ -35,6 +28,13 @@ profile debsums @{exec_path} {
 @{bin}/dpkg rPx -> child-dpkg,
 @{bin}/dpkg-divert rPx -> child-dpkg-divert,
+ /etc/dpkg/dpkg.cfg.d/{,*} r,
+ /etc/dpkg/dpkg.cfg r,
+
+ /etc/locale.nopurge r,
+
+ /var/lib/dpkg/info/* r,
+
 # For shell pwd
 / r,
 /root/ r,
diff --git a/apparmor.d/groups/apt/dpkg-divert b/apparmor.d/groups/apt/dpkg-divert
index 74217421c..515e41679 100644
--- a/apparmor.d/groups/apt/dpkg-divert
+++ b/apparmor.d/groups/apt/dpkg-divert
@@ -16,7 +16,7 @@ profile dpkg-divert @{exec_path} {
 /var/lib/dpkg/** r,
- /usr/share/*/** w,
+ /usr/share/*/** rw,
 /var/lib/dpkg/diversions rw,
 /var/lib/dpkg/diversions-new rw,
diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave
index 41b6c19b3..f8ce7d8cb 100644
--- a/apparmor.d/groups/browsers/brave
+++ b/apparmor.d/groups/browsers/brave
@@ -26,6 +26,8 @@ profile brave @{exec_path} {
 @{bin}/man rPUx, # For "brave --help"
+ @{lib_dirs}/chrome_crashpad_handler rPx -> brave//&brave-crashpad-handler,
+
 /usr/share/chromium/extensions/ r,
 /etc/opt/chrome/ r,
diff --git a/apparmor.d/groups/browsers/chrome b/apparmor.d/groups/browsers/chrome
index 22a4ebf0a..2a462592b 100644
--- a/apparmor.d/groups/browsers/chrome
+++ b/apparmor.d/groups/browsers/chrome
@@ -24,6 +24,7 @@ profile chrome @{exec_path} {
 @{bin}/man rPUx, # For "chrome --help"
+ @{lib_dirs}/chrome_crashpad_handler rPx -> chrome//&chrome-crashpad-handler,
 @{lib_dirs}/google-@{name} rPx,
 @{lib_dirs}/nacl_helper rix,
diff --git a/apparmor.d/groups/browsers/chromium b/apparmor.d/groups/browsers/chromium
index 6ec3e3f97..c078e1131 100644
--- a/apparmor.d/groups/browsers/chromium
+++ b/apparmor.d/groups/browsers/chromium
@@ -22,5 +22,7 @@ profile chromium @{exec_path} {
 @{exec_path} mrix,
+ @{lib_dirs}/chrome_crashpad_handler rPx -> chromium//&chromium-crashpad-handler,
+
 include if exists
 }
diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper
index a47bef7c5..cf299b489 100644
--- a/apparmor.d/groups/browsers/firefox-kmozillahelper
+++ b/apparmor.d/groups/browsers/firefox-kmozillahelper
@@ -55,7 +55,6 @@ profile firefox-kmozillahelper @{exec_path} {
 @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
- @{PROC}/sys/kernel/core_pattern r,
 owner @{PROC}/@{pid}/mountinfo r,
 /dev/tty r,
diff --git a/apparmor.d/groups/browsers/firefox-minidump-analyzer b/apparmor.d/groups/browsers/firefox-minidump-analyzer
index 7c436755a..665673a77 100644
--- a/apparmor.d/groups/browsers/firefox-minidump-analyzer
+++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer
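Review bot: The new `@{lib_dirs}/chrome_crashpad_handler rPx -> brave//&brave-crashpad-handler,` rule in the brave hunk, and its counterparts in the chrome, chromium and msedge hunks, name a stacked target profile that must exist at load time; with `Px` the exec is denied when the target profile is missing, it does not fall back to unconfined. Only the msedge rename to `msedge-crashpad-handler` is visible in this chunk, so please confirm that `brave-crashpad-handler`, `chrome-crashpad-handler` and `chromium-crashpad-handler` profiles are present or added elsewhere in the commit. A short comment on the rule, e.g. `# Crash handler runs stacked under the browser profile so it cannot gain access the browser lacks`, would record why the `//&` form was chosen over a plain transition.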
@@ -15,7 +15,7 @@ include
 @{cache_dirs} = @{user_cache_dirs}/mozilla/
 @{exec_path} = @{lib_dirs}/minidump-analyzer
-profile firefox-minidump-analyzer @{exec_path} {
+profile firefox-minidump-analyzer @{exec_path} flags=(attach_disconnected) {
 include
 signal (receive) set=(term, kill) peer=firefox,
@@ -27,10 +27,10 @@ profile firefox-minidump-analyzer @{exec_path} {
 owner "@{config_dirs}/firefox/Crash Reports/" rw,
 owner "@{config_dirs}/firefox/Crash Reports/pending/" rw,
 owner "@{config_dirs}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw,
- owner @{config_dirs}/*.*/extensions/*.xpi r,
- owner @{config_dirs}/*.*/minidumps/ rw,
- owner @{config_dirs}/*.*/minidumps/@{uuid}.{dmp,extra} rw,
- owner @{config_dirs}/*.*/storage/default/* r,
+ owner @{config_dirs}/{,firefox/}*.*/extensions/*.xpi r,
+ owner @{config_dirs}/{,firefox/}*.*/minidumps/ rw,
+ owner @{config_dirs}/{,firefox/}*.*/minidumps/@{uuid}.{dmp,extra} rw,
+ owner @{config_dirs}/{,firefox/}*.*/storage/default/* r,
 owner @{cache_dirs}/firefox/*.*/startupCache/*Cache* r,
diff --git a/apparmor.d/groups/browsers/msedge b/apparmor.d/groups/browsers/msedge
index 36c818c4d..bba1ac4fb 100644
--- a/apparmor.d/groups/browsers/msedge
+++ b/apparmor.d/groups/browsers/msedge
@@ -28,7 +28,7 @@ profile msedge @{exec_path} {
 @{lib_dirs}/xdg-settings rix, #-> xdg-settings,
 @{lib_dirs}/microsoft-edge{,beta,-dev} rPx,
- @{lib_dirs}/msedge_crashpad_handler rPx,
+ @{lib_dirs}/chrome_crashpad_handler rPx -> msedge//&msedge-crashpad-handler,
 @{lib_dirs}/*.so* mr,
 @{lib_dirs}/WidevineCdm/_platform_specific/linux_*/libwidevinecdm.so mr,
diff --git a/apparmor.d/groups/browsers/msedge-crashpad-handlers b/apparmor.d/groups/browsers/msedge-crashpad-handler
similarity index 100%
rename from apparmor.d/groups/browsers/msedge-crashpad-handlers
rename to apparmor.d/groups/browsers/msedge-crashpad-handler
diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf
index dc7895bae..79aae18f7 100644
--- a/apparmor.d/groups/bus/ibus-memconf
+++ b/apparmor.d/groups/bus/ibus-memconf
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{lib}/{,ibus/}ibus-memconf
-profile ibus-memconf @{exec_path} {
+profile ibus-memconf @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
@@ -27,5 +27,7 @@ profile ibus-memconf @{exec_path} {
 owner @{desktop_config_dirs}/ibus/bus/ r,
 owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
+ owner /dev/tty@{int} rw,
+
 include if exists
 }
diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest
index aadae9bfe..59bd622f0 100644
--- a/apparmor.d/groups/cron/cron-popularity-contest
+++ b/apparmor.d/groups/cron/cron-popularity-contest
@@ -49,6 +49,7 @@ profile cron-popularity-contest @{exec_path} {
 /var/log/popularity-contest{,.new} rw,
 /var/log/popularity-contest{,.new}.gpg rw,
 /var/log/popularity-contest.@{int} rw,
+ /var/log/popularity-contest.@{int}.gpg rw,
 # Store last successful http submission timestamp
 /var/lib/popularity-contest/ rw,
@@ -66,15 +67,14 @@ profile cron-popularity-contest @{exec_path} {
 @{bin}/savelog mr,
- @{bin}/date rix,
 @{bin}/basename rix,
- @{bin}/which{,.debianutils} rix,
+ @{bin}/date rix,
 @{bin}/dirname rix,
- @{bin}/rm rix,
- @{bin}/mv rix,
- @{bin}/touch rix,
 @{bin}/gzip rix,
-
+ @{bin}/mv rix,
+ @{bin}/rm rix,
+ @{bin}/touch rix,
+ @{bin}/which{,.debianutils} rix,
 @{sh_path} rix,
 /var/log/ r,
@@ -82,9 +82,9 @@ profile cron-popularity-contest @{exec_path} {
 /var/log/popularity-contest.@{int} rw,
 /var/log/popularity-contest rw,
- # file_inherit
- owner @{tmp}/#@{int} rw,
+ owner @{tmp}/#@{int} rw, # file_inherit
+
 include if exists
 }
 profile runuser {
@@ -96,19 +96,18 @@ profile cron-popularity-contest @{exec_path} {
 @{bin}/runuser mr,
 @{sh_path} rix,
-
- @{bin}/popularity-contest rPx,
-
- owner @{PROC}/@{pids}/loginuid r,
- @{PROC}/1/limits r,
+ @{bin}/popularity-contest rPx,
 @{etc_ro}/security/limits.d/ r,
 /var/log/popularity-contest.new w,
- # file_inherit
- owner @{tmp}/#@{int} rw,
+ @{PROC}/1/limits r,
+ owner @{PROC}/@{pids}/loginuid r,
+ owner @{tmp}/#@{int} rw, # file_inherit
+
+ include if exists
 }
 profile gpg {
@@ -126,9 +125,9 @@ profile cron-popularity-contest @{exec_path} {
 owner @{tmp}/tmp.*/** rwkl -> /tmp/tmp.*/**,
- # file_inherit
- owner @{tmp}/#@{int} rw,
+ owner @{tmp}/#@{int} rw, # file_inherit
+
 include if exists
 }
 profile popcon-upload {
@@ -142,18 +141,18 @@ profile cron-popularity-contest @{exec_path} {
 network inet6 stream,
 network netlink raw,
- /usr/share/popularity-contest/popcon-upload r,
 @{bin}/perl r,
- @{bin}/gzip rix,
+ /usr/share/popularity-contest/popcon-upload r,
+
 /var/log/ r,
 /var/log/popularity-contest.new.gpg r,
 /var/log/popularity-contest.@{int}.gpg r,
- # file_inherit
- owner @{tmp}/#@{int} rw,
+ owner @{tmp}/#@{int} rw, # file_inherit
+
 include if exists
 }
 include if exists
diff --git a/apparmor.d/groups/display-manager/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession
index bafc9a31b..39169eaf7 100644
--- a/apparmor.d/groups/display-manager/x11-xsession
+++ b/apparmor.d/groups/display-manager/x11-xsession
@@ -139,18 +139,7 @@ profile x11-xsession @{exec_path} {
 profile udevadm {
 include
- include
-
- @{bin}/udevadm mr,
-
- /etc/udev/udev.conf r,
-
- @{sys}/bus/ r,
- @{sys}/bus/*/devices/ r,
- @{sys}/class/ r,
- @{sys}/class/*/ r,
- @{sys}/devices/**/uevent r,
- @{run}/udev/data/* r,
+ include
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/fc-cache b/apparmor.d/groups/freedesktop/fc-cache
index affeb182c..a3e5beebb 100644
--- a/apparmor.d/groups/freedesktop/fc-cache
+++ b/apparmor.d/groups/freedesktop/fc-cache
@@ -7,7 +7,9 @@ abi ,
 include
-@{exec_path} = /{snap/snapd/@{int}/,}{usr/,}bin/fc-cache{,-32,-v*}
+@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin}
+
+@{exec_path} = @{bin_dirs}/fc-cache{,-32,-v*}
 profile fc-cache @{exec_path} {
 include
 include
diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
index 164d40ab4..abd15224c 100644
--- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
@@ -53,7 +53,6 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,
 @{PROC}/@{pid}/cgroup r,
 @{PROC}/@{pid}/cmdline r,
 @{PROC}/@{pid}/fd/ r,
- @{PROC}/sys/kernel/core_pattern r,
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index b8ee7c4ac..f7801cb62 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -10,6 +10,7 @@ include
 profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 include
 include
 include
@@ -19,6 +20,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 capability sys_ptrace,
@@ -70,10 +72,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 /.flatpak-info r,
 /usr/share/dconf/profile/gdm r,
- /usr/share/pipewire/client.conf r,
 /usr/share/xdg-desktop-portal/** r,
- /etc/pipewire/client.conf.d/ r,
 /etc/sysconfig/proxy r,
 /var/lib/gdm{,3}/greeter-dconf-defaults r,
@@ -83,7 +83,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 owner @{tmp}/icon* rw,
 owner @{run}/user/@{uid}/.flatpak/{,*/*} r,
- owner @{run}/user/@{uid}/pipewire-@{int} rw,
 @{PROC}/ r,
 @{PROC}/*/ r,
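Review bot: In the fc-cache hunk the two alternatives of `@{bin_dirs}` are not parallel: the first, `@{bin}/`, ends with a slash while the second, `/snap/{snapd,core}/@{int}@{bin}`, does not, and both are then followed by `/fc-cache{,-32,-v*}` in `@{exec_path}`, so the first expands to a `//fc-cache` path. As far as I know the parser collapses repeated slashes, so attachment probably still works, but the inconsistency is easy to trip over once the variable is reused; `@{bin_dirs} = @{bin} /snap/{snapd,core}/@{int}@{bin}` keeps both forms identical and matches how `@{bin}/...` is written in the other profiles of this diff. The rewrite also broadens the snap alternative from `snapd` only to `{snapd,core}`, which looks intentional but is not mentioned anywhere in the hunk.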
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index 9ca2e9b59..91eb77602 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@@ -22,7 +22,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
+ include
 network unix stream,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
index c724c0aad..22c944a87 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
@@ -38,8 +38,6 @@ profile xdg-desktop-portal-kde @{exec_path} {
 owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rw,
- @{PROC}/sys/kernel/core_pattern r,
- /dev/tty r,
 include if exists
diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal
index 54104e51d..7884a3fd7 100644
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@@ -42,7 +42,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
 / r,
 owner /.flatpak-info r,
- owner @{HOME}/*/{,**} r,
+ owner @{HOME}/** r,
 owner @{user_share_dirs}/flatpak/db/documents r,
 owner @{user_share_dirs}/Trash/files/** r,
diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime
index df733b16a..4ea8970b3 100644
--- a/apparmor.d/groups/freedesktop/xdg-mime
+++ b/apparmor.d/groups/freedesktop/xdg-mime
@@ -18,6 +18,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
 @{bin}/{,e}grep rix,
 @{bin}/{m,g,}awk rix,
 @{bin}/basename rix,
+ @{bin}/cat rix,
 @{bin}/cut rix,
 @{bin}/file rix,
 @{bin}/head rix,
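Review bot: `owner @{HOME}/** r,` in the xdg-document-portal hunk widens the previous `owner @{HOME}/*/{,**} r,` to also cover files that sit directly in the home directory, and since AppArmor globs do not treat a leading dot specially that now includes top-level dotfiles such as shell history or credential files. The document portal does have to read whatever the user explicitly shares, so this may well be the intended fix for files chosen from `$HOME` itself, but the hunk gives no hint; a comment like `# Shared documents may live directly in $HOME, not only in subdirectories` next to the rule would make the broadening deliberate. If only a handful of top-level paths triggered denials, listing them keeps the readable surface smaller.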
diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store
index 43faaaf9a..9a53b96cf 100644
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@@ -42,6 +42,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
 owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
 owner @{user_share_dirs}/flatpak/db/background rw,
 owner @{user_share_dirs}/flatpak/db/devices r,
+ owner @{user_share_dirs}/flatpak/db/documents rw,
 owner @{user_share_dirs}/flatpak/db/notifications rw,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver
index 9b655a40b..353bb7b1b 100644
--- a/apparmor.d/groups/freedesktop/xdg-screensaver
+++ b/apparmor.d/groups/freedesktop/xdg-screensaver
@@ -32,7 +32,7 @@ profile xdg-screensaver @{exec_path} {
 @{bin}/xset rPx,
 @{bin}/hostname rix,
- /dev/dri/card[0-9] rw,
+ /dev/dri/card@{int} rw,
 owner @{HOME}/ r,
 owner @{HOME}/.Xauthority r,
diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config
index 7d24d304a..7d577c4c4 100644
--- a/apparmor.d/groups/gnome/gdm-generate-config
+++ b/apparmor.d/groups/gnome/gdm-generate-config
@@ -41,7 +41,7 @@ profile gdm-generate-config @{exec_path} {
 @{sys}/devices/system/node/node@{int}/meminfo r,
 @{PROC}/ r,
- @{PROC}/@{pid}/cgroup r,
+ @{PROC}/@{pid}/cgroup r,
 @{PROC}/@{pid}/cmdline r,
 @{PROC}/@{pid}/stat r,
 @{PROC}/uptime r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index fd2462ffa..6abb6f1f2 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -16,6 +16,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 include
 include
@@ -93,7 +94,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 /usr/share/wallpapers/{,**} r,
 /usr/share/xml/iso-codes/{,**} r,
- /etc/cups/client.conf r,
 /etc/machine-info r,
 /etc/rygel.conf r,
 /etc/security/pwquality.conf r,
@@ -130,7 +130,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw,
- @{run}/cups/cups.sock rw,
 @{run}/samba/ rw,
 @{run}/systemd/sessions/ r,
 @{run}/systemd/sessions/* r,
diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music
index f22cde879..2eda9bb05 100644
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@@ -48,7 +48,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
 @{run}/systemd/inhibit/[0-9]*.ref rw,
 owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw,
- owner /var/tmp/etilqs_@{hex} rw,
+ owner /var/tmp/etilqs_@{hex16} rw,
 @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 217cc0d52..2f0c112e9 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -407,6 +407,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 /usr/games/* PUx,
 /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx,
+ owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
+
 deny @{user_share_dirs}/gvfs-metadata/* r,
 include if exists
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index f4e6a1262..e87cbcd7e 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -99,6 +99,9 @@ profile gnome-software @{exec_path} {
 owner @{run}/user/@{uid}/.flatpak/**/*.ref rwk,
 owner @{run}/user/@{uid}/app/{,*/} rw,
+ owner /dev/shm/flatpak-com.*/ rw,
+ owner /dev/shm/flatpak-com.*/.flatpak-tmpdir rw,
+
 @{run}/systemd/inhibit/*.ref rw,
 @{sys}/module/nvidia/version r,
diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor
index 6d40144ce..de035a598 100644
--- a/apparmor.d/groups/gnome/gnome-text-editor
+++ b/apparmor.d/groups/gnome/gnome-text-editor
@@ -11,13 +11,12 @@ profile gnome-text-editor @{exec_path} {
 include
 include
 include
+ include
 include
 include
 @{exec_path} mr,
- /usr/share/enchant-*/{,**} r,
-
 owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications
index 6846ecaa5..ad71bec7f 100644
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@@ -13,6 +13,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 network inet stream,
@@ -34,10 +35,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 @{lib}/gsd-printer rPx,
- /etc/cups/client.conf r,
-
- @{run}/cups/cups.sock rw,
-
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard
index 4003d1753..f5516c22c 100644
--- a/apparmor.d/groups/gnome/gsd-smartcard
+++ b/apparmor.d/groups/gnome/gsd-smartcard
@@ -30,8 +30,7 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
 /usr/share/gdm/greeter-dconf-defaults r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
- /etc/opensc.conf r,
- /etc/opensc/opensc.conf r,
+ /etc/{,opensc/}opensc.conf r,
 owner @{GDM_HOME}/greeter-dconf-defaults r,
 owner @{gdm_config_dirs}/dconf/user r,
diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse
index 8987ae31a..1f5a088be 100644
--- a/apparmor.d/groups/gnome/seahorse
+++ b/apparmor.d/groups/gnome/seahorse
@@ -36,8 +36,7 @@ profile seahorse @{exec_path} {
 /etc/pki/trust/blocklist/ r,
 /etc/gcrypt/hwf.deny r,
- /etc/opensc.conf r,
- /etc/opensc/opensc.conf r,
+ /etc/{,opensc/}opensc.conf r,
 owner @{HOME}/@{XDG_SSH_DIR}/{,**} r,
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index 6646d69d7..5e073215a 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -65,8 +65,8 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
 owner @{gdm_config_dirs}/dconf/user r,
 owner @{gdm_share_dirs}/applications/ r,
- owner /var/tmp/etilqs_@{hex} rw,
- owner @{tmp}/etilqs_@{hex} rw,
+ owner /var/tmp/etilqs_@{hex16} rw,
+ owner @{tmp}/etilqs_@{hex16} rw,
 # Allow to search user files
 owner @{HOME}/{,**} r,
diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier
index b7fc61d2e..3156f1aa7 100644
--- a/apparmor.d/groups/kde/DiscoverNotifier
+++ b/apparmor.d/groups/kde/DiscoverNotifier
@@ -55,8 +55,6 @@ profile DiscoverNotifier @{exec_path} {
 owner @{tmp}/ostree-gpg-*/ rw,
- @{PROC}/sys/kernel/core_pattern r,
- /dev/tty r,
 profile gpg {
diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo
index 88476e81c..fe18f834f 100644
--- a/apparmor.d/groups/kde/baloo
+++ b/apparmor.d/groups/kde/baloo
@@ -42,7 +42,6 @@ profile baloo @{exec_path} {
 owner @{user_share_dirs}/baloo/{,**} rwk,
- @{PROC}/sys/kernel/core_pattern r,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner
index b92bcd005..64d22df67 100644
--- a/apparmor.d/groups/kde/baloorunner
+++ b/apparmor.d/groups/kde/baloorunner
@@ -61,8 +61,6 @@ profile baloorunner @{exec_path} {
 @{sys}/class/*/ r,
 @{sys}/devices/**/uevent r,
- @{PROC}/sys/kernel/core_pattern r,
- /dev/tty r,
 include if exists
diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin
index b22386b52..3d03db73f 100644
--- a/apparmor.d/groups/kde/dolphin
+++ b/apparmor.d/groups/kde/dolphin
@@ -86,7 +86,6 @@ profile dolphin @{exec_path} {
 owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
 owner @{run}/user/@{uid}/#@{int} rw,
- @{PROC}/sys/kernel/core_pattern r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess
index 53bc4cd69..170144b8a 100644
--- a/apparmor.d/groups/kde/kaccess
+++ b/apparmor.d/groups/kde/kaccess
@@ -26,8 +26,6 @@ profile kaccess @{exec_path} {
 owner @{user_share_dirs}/mime/generic-icons r,
- @{PROC}/sys/kernel/core_pattern r,
- /dev/tty r,
 include if exists
diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd
index 23ae41a5c..f12504d70 100644
--- a/apparmor.d/groups/kde/kactivitymanagerd
+++ b/apparmor.d/groups/kde/kactivitymanagerd
@@ -49,7 +49,6 @@ profile kactivitymanagerd @{exec_path} {
 owner @{run}/user/@{uid}/#@{int} rw,
 owner @{run}/user/@{uid}/*@{rand6}.*.socket rwl -> @{run}/user/@{uid}/#@{int},
- @{PROC}/sys/kernel/core_pattern r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac
index fc1cb49f4..453ac9124 100644
--- a/apparmor.d/groups/kde/kalendarac
+++ b/apparmor.d/groups/kde/kalendarac
@@ -36,8 +36,6 @@ profile kalendarac @{exec_path} {
 owner @{user_config_dirs}/kalendaracrc.lock rwk,
 owner @{user_config_dirs}/kmail2rc r,
- @{PROC}/sys/kernel/core_pattern r,
- /dev/tty r,
 include if exists
diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit
index bec3e4456..1b14791ac 100644
--- a/apparmor.d/groups/kde/kcminit
+++ b/apparmor.d/groups/kde/kcminit
@@ -40,7 +40,6 @@ profile kcminit @{exec_path} {
 @{run}/user/@{uid}/xauth_@{rand6} rl,
- @{PROC}/sys/kernel/core_pattern r,
 @{PROC}/sys/kernel/random/boot_id r,
 /dev/tty r,
diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil
index 9e596c410..287b495fe 100644
--- a/apparmor.d/groups/kde/kde-powerdevil
+++ b/apparmor.d/groups/kde/kde-powerdevil
@@ -71,7 +71,6 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
 @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pid}/mounts r,
- @{PROC}/sys/kernel/core_pattern r,
 /dev/i2c-@{int} rwk,
 /dev/rfkill r,
diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded
index cb719c10d..22c9ab4dd 100644
--- a/apparmor.d/groups/kde/kded
+++ b/apparmor.d/groups/kde/kded
@@ -157,7 +157,6 @@ profile kded @{exec_path} {
 @{PROC}/@{pids}/fdinfo/@{int} r,
 @{PROC}/@{pids}/fd/info/@{int} r,
 @{PROC}/sys/fs/inotify/max_user_{instances,watches} r,
- @{PROC}/sys/kernel/core_pattern r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld
index 545e1e1b9..c0ea43b30 100644
--- a/apparmor.d/groups/kde/kglobalacceld
+++ b/apparmor.d/groups/kde/kglobalacceld
@@ -23,8 +23,6 @@ profile kglobalacceld @{exec_path} {
 owner @{user_config_dirs}/kglobalshortcutsrc* rwl,
 owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
- @{PROC}/sys/kernel/core_pattern r,
- /dev/tty r,
 include if exists
diff --git a/apparmor.d/groups/kde/kio_http_cache_cleaner b/apparmor.d/groups/kde/kio_http_cache_cleaner
index 0f3c799ad..b96769fe4 100644
--- a/apparmor.d/groups/kde/kio_http_cache_cleaner
+++ b/apparmor.d/groups/kde/kio_http_cache_cleaner
@@ -21,7 +21,5 @@ profile kio_http_cache_cleaner @{exec_path} {
 owner @{run}/user/@{uid}/kio_http_cache_cleaner rw,
- @{PROC}/sys/kernel/core_pattern r,
-
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker
index 3e8d2a594..5e39ad775 100644
--- a/apparmor.d/groups/kde/kioworker
+++ b/apparmor.d/groups/kde/kioworker
@@ -92,7 +92,6 @@ profile kioworker @{exec_path} {
 owner @{run}/user/@{uid}/#@{int} rw,
 owner @{run}/user/@{uid}/kio_*.socket rwl -> @{run}/user/@{uid}/#@{int},
- @{PROC}/sys/kernel/core_pattern r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole
index 45cb52cf0..d80f20b93 100644
--- a/apparmor.d/groups/kde/konsole
+++ b/apparmor.d/groups/kde/konsole
@@ -62,7 +62,6 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/konsole.@{rand6} rw,
- @{PROC}/sys/kernel/core_pattern r,
 @{PROC}/@{pid}/cmdline r,
 @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet
index 8f2120233..6b6eab4b5 100644
--- a/apparmor.d/groups/kde/kscreenlocker_greet
+++ b/apparmor.d/groups/kde/kscreenlocker_greet
@@ -101,7 +101,6 @@ profile kscreenlocker_greet @{exec_path} {
 @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pid}/loginuid r,
 @{PROC}/@{pid}/mounts r,
- @{PROC}/sys/kernel/core_pattern r,
 owner @{PROC}/@{pid}/loginuid r,
 /dev/tty r,
diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver
index e5f898295..33724c835 100644
--- a/apparmor.d/groups/kde/ksmserver
+++ b/apparmor.d/groups/kde/ksmserver
@@ -67,8 +67,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{run}/systemd/inhibit/[0-9]*.ref rw,
 owner @{run}/user/@{uid}/KSMserver__[0-9] rw,
- @{PROC}/sys/kernel/core_pattern r,
- /dev/tty r,
 include if exists
diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter
index a13b08f3c..9c35530a6 100644
--- a/apparmor.d/groups/kde/ksmserver-logout-greeter
+++ b/apparmor.d/groups/kde/ksmserver-logout-greeter
@@ -53,7 +53,6 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/ r,
 @{PROC}/sys/dev/i915/perf_stream_paranoid r,
- @{PROC}/sys/kernel/core_pattern r,
 owner @{PROC}/@{pid}/exe r,
 owner @{PROC}/@{pid}/status r,
diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml
index 59d90b35b..80d91048e 100644
--- a/apparmor.d/groups/kde/ksplashqml
+++ b/apparmor.d/groups/kde/ksplashqml
@@ -32,7 +32,5 @@ profile ksplashqml @{exec_path} {
 owner @{user_config_dirs}/ksplashrc r,
 owner @{user_config_dirs}/plasmarc r,
- @{PROC}/sys/kernel/core_pattern r,
-
 include if exists
 }
diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd
index 5aa42fb38..9d255e683 100644
--- a/apparmor.d/groups/kde/kwalletd
+++ b/apparmor.d/groups/kde/kwalletd
@@ -43,7 +43,6 @@ profile kwalletd @{exec_path} {
 owner @{tmp}/kwalletd5.* rw,
- @{PROC}/sys/kernel/core_pattern r,
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/kde/kwalletmanager b/apparmor.d/groups/kde/kwalletmanager
index 90e8dbf2b..8c99ca25d 100644
--- a/apparmor.d/groups/kde/kwalletmanager
+++ b/apparmor.d/groups/kde/kwalletmanager
@@ -43,7 +43,6 @@ profile kwalletmanager @{exec_path} {
 @{PROC}/@{pid}/mountinfo r,
 @{PROC}/@{pid}/mounts r,
- @{PROC}/sys/kernel/core_pattern r,
 owner @{PROC}/@{pid}/cmdline r,
 /dev/shm/ r,
diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland
index 3e62ed175..0c682e2a3 100644
--- a/apparmor.d/groups/kde/kwin_wayland
+++ b/apparmor.d/groups/kde/kwin_wayland
@@ -126,7 +126,6 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 @{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
 @{PROC}/@{pid}/task/@{tid}/comm rw,
- @{PROC}/sys/kernel/core_pattern r,
 /dev/input/event@{int} rw,
 /dev/tty r,
diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11
index cd43b074c..7713d4945 100644
--- a/apparmor.d/groups/kde/kwin_x11
+++ b/apparmor.d/groups/kde/kwin_x11
@@ -64,8 +64,6 @@ profile kwin_x11 @{exec_path} {
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node@{int}/meminfo r,
- @{PROC}/sys/kernel/core_pattern r,
- /dev/tty rw,
 include if exists
diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular
index 71a982ca5..4d8e8a9b9 100644
--- a/apparmor.d/groups/kde/okular
+++ b/apparmor.d/groups/kde/okular
@@ -48,8 +48,6 @@ profile okular @{exec_path} {
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/okular_@{rand6}.ps rwl -> /tmp/#@{int},
- @{PROC}/sys/kernel/core_pattern r,
-
 profile gpg {
 include
diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host
index 93b11c812..18d09bf79 100644
--- a/apparmor.d/groups/kde/plasma-browser-integration-host
+++ b/apparmor.d/groups/kde/plasma-browser-integration-host
@@ -37,7 +37,6 @@ profile plasma-browser-integration-host @{exec_path} {
 owner @{user_share_dirs}/kservices{5,6}/ r,
 owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r,
- @{PROC}/sys/kernel/core_pattern r,
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover
index 6b8269b46..11cb7206e 100644
--- a/apparmor.d/groups/kde/plasma-discover
+++ b/apparmor.d/groups/kde/plasma-discover
@@ -95,7 +95,6 @@ profile plasma-discover @{exec_path} {
 owner @{run}/user/@{uid}/#@{int} rw,
 owner @{run}/user/@{uid}/discover@{rand6}.* rwl -> @{run}/user/@{uid}/#@{int},
- @{PROC}/sys/kernel/core_pattern r,
 owner @{PROC}/@{pid}/mountinfo r,
 /dev/tty r,
diff --git a/apparmor.d/groups/kde/plasma_session b/apparmor.d/groups/kde/plasma_session
index 0041d753f..d67966678 100644
--- a/apparmor.d/groups/kde/plasma_session
+++ b/apparmor.d/groups/kde/plasma_session
@@ -45,7 +45,5 @@ profile plasma_session @{exec_path} {
 owner @{user_config_dirs}/kdedefaults/ksplashrc r,
 owner @{user_config_dirs}/plasma-welcomerc r,
- @{PROC}/sys/kernel/core_pattern r,
-
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
index f3456eec4..7464a9842 100644
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@@ -16,6 +16,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 include
 include
 include
+ include
 include
 include
 include
@@ -76,7 +77,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 /usr/share/wallpapers/{,**} r,
 /etc/appstream.conf r,
- /etc/cups/client.conf r,
 /etc/fstab r,
 /etc/ksysguarddrc r,
 /etc/machine-id r,
@@ -192,7 +192,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 @{PROC}/cmdline r,
 @{PROC}/diskstats r,
 @{PROC}/loadavg r,
- @{PROC}/sys/kernel/core_pattern r,
 @{PROC}/uptime r,
 @{PROC}/vmstat r,
 owner @{PROC}/@{pid}/{cgroup,cmdline,stat,statm} r,
diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
index 20fec7b18..b93d46e9d 100644
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@@ -188,7 +188,6 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{PROC}/uptime r,
 @{PROC}/@{pids}/cmdline r,
 @{PROC}/@{pids}/stat r,
- @{PROC}/sys/kernel/core_pattern r,
 owner @{PROC}/@{pid}/loginuid rw,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/uid_map r,
diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter
index eb8943137..305430f1f 100644
--- a/apparmor.d/groups/kde/sddm-greeter
+++ b/apparmor.d/groups/kde/sddm-greeter
@@ -68,7 +68,6 @@ profile sddm-greeter @{exec_path} {
 owner @{run}/sddm/{,*} rw,
- @{PROC}/sys/kernel/core_pattern r,
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/mounts r,
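Review bot: The include added in the first plasmashell hunk has its target stripped in this rendering, so it cannot be confirmed here that it supplies the `/etc/cups/client.conf r,` read removed in the second hunk; if it is not the CUPS client abstraction, plasmashell loses that access with no replacement. Both hunks sit inside the profile body, which starts and ends outside the view. A short comment on the new include, such as `# cups client.conf access comes from the included abstraction`, would make the dependency explicit for the next reader.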
diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma
index 1010c0a43..bcfa8d209 100644
--- a/apparmor.d/groups/kde/startplasma
+++ b/apparmor.d/groups/kde/startplasma
@@ -77,7 +77,6 @@ profile startplasma @{exec_path} {
 owner @{run}/user/@{uid}/ r,
- @{PROC}/sys/kernel/core_pattern r,
 @{PROC}/sys/kernel/random/boot_id r,
 owner @{PROC}/@{pid}/maps r,
diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings
index 1af32ce81..d3ad9dccd 100644
--- a/apparmor.d/groups/kde/systemsettings
+++ b/apparmor.d/groups/kde/systemsettings
@@ -74,7 +74,6 @@ profile systemsettings @{exec_path} {
 @{sys}/bus/cpu/devices/ r,
 @{sys}/class/ r,
- @{PROC}/sys/kernel/core_pattern r,
 owner @{PROC}/@{pid}/mounts r,
 /dev/tty r,
diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script
index b72b5c8af..dacb3711c 100644
--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
@@ -34,11 +34,7 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
 profile udevadm {
 include
- include
-
- @{bin}/udevadm mr,
-
- /etc/udev/udev.conf r,
+ include
 @{run}/udev/control rw,
 @{run}/udev/rules.d/90-netplan.rules rw,
diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish
index 1a3a6ec46..4446ad039 100644
--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
@@ -55,7 +55,7 @@ profile aurpublish @{exec_path} {
 owner @{user_cache_dirs}/makepkg/src/* rw,
 owner @{user_config_dirs}/pacman/makepkg.conf r,
- owner @{tmp}/tmp.* rw,
+ owner @{tmp}/tmp.@{rand10} rw,
 owner @{PROC}/@{pid}/maps r,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 7207c714c..5a873f187 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
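Review bot: The udevadm child profile in netplan.script now depends on the replacement include (its target is stripped in this rendering) to provide the `@{bin}/udevadm mr,` mapping and the `/etc/udev/udev.conf r,` read it drops; if that include does not grant the binary mapping, the child profile cannot map its own executable and the transition fails, so this is worth confirming against the abstraction. The child profile's body continues past the hunk, and the remaining `@{run}/udev/control rw,` and rules.d access are unchanged. A comment beside the include, `# udevadm binary and udev.conf come from the shared abstraction`, would stop the next reader from re-adding the removed rules.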
@@ -146,6 +146,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
 # Silencer,
 deny @{HOME}/ r,
+ deny @{HOME}/**/ r,
 deny /tmp/ r,
 profile gpg {
diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport
index eba45da06..f24a36275 100644
--- a/apparmor.d/groups/ubuntu/apport
+++ b/apparmor.d/groups/ubuntu/apport
@@ -46,7 +46,6 @@ profile apport @{exec_path} flags=(attach_disconnected) {
 @{PROC}/@{pid}/environ r,
 @{PROC}/@{pid}/stat r,
 @{PROC}/sys/fs/suid_dumpable w,
- @{PROC}/sys/kernel/core_pattern r,
 @{PROC}/sys/kernel/core_pattern w,
 @{PROC}/sys/kernel/core_pipe_limit w,
 owner @{PROC}/@{pid}/attr/current r,
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index 2a75035e1..96be24919 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@@ -117,6 +117,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 @{sh_path} rix,
 @{bin}/ip rix,
+ @{bin}/nft rix,
 @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper
 @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper
 @{bin}/tc rix,
@@ -206,6 +207,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/system/cpu/cpu@{int}/cache/{,**} r,
 @{sys}/devices/system/cpu/cpu@{int}/topology/{,**} r,
+ @{sys}/devices/system/cpu/isolated r,
 @{sys}/devices/system/cpu/present r,
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node@{int}/ r,
diff --git a/apparmor.d/groups/xfce/mousepad b/apparmor.d/groups/xfce/mousepad
index e61709db1..a83e7fa0c 100644
--- a/apparmor.d/groups/xfce/mousepad
+++ b/apparmor.d/groups/xfce/mousepad
@@ -10,6 +10,7 @@ include
 profile mousepad @{exec_path} {
 include
 include
+ include
 include
 include
 include
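Review bot: `deny @{HOME}/**/ r,` silences directory listings under every subdirectory of the home directory, and an AppArmor deny rule takes precedence over any allow rule, so it will also override a grant made elsewhere in the pacman profile or in one of its includes; the rest of the profile is outside the hunk, so that should be checked before merging. The trailing slash limits the match to directories, so reading a package file under the home directory is unaffected, but a pacman operation that legitimately walks a home-directory tree would now be refused without a log entry. A comment such as `# deny overrides allow: no directory listing below @{HOME}` next to the rule would record that this is intended.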
@@ -18,14 +19,9 @@ profile mousepad @{exec_path} {
 @{open_path} rPx -> child-open-help,
- /usr/share/hunspell/{,**} r,
-
 owner @{user_config_dirs}/Mousepad/ rw,
 owner @{user_config_dirs}/Mousepad/** rwk,
- owner @{user_config_dirs}/enchant/ rw,
- owner @{user_config_dirs}/enchant/ rwk,
-
 owner @{user_share_dirs}/Mousepad/ rw,
 owner @{user_share_dirs}/Mousepad/** rwk,
diff --git a/apparmor.d/profiles-a-f/aa-enabled b/apparmor.d/profiles-a-f/aa-enabled
index f85a84cd6..d5ebe0c10 100644
--- a/apparmor.d/profiles-a-f/aa-enabled
+++ b/apparmor.d/profiles-a-f/aa-enabled
@@ -18,4 +18,6 @@ profile aa-enabled @{exec_path} {
 owner @{PROC}/@{pid}/mounts r,
 include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/profiles-a-f/aa-enforce
index df5c7972d..a6f3d2b9e 100644
--- a/apparmor.d/profiles-a-f/aa-enforce
+++ b/apparmor.d/profiles-a-f/aa-enforce
@@ -32,4 +32,6 @@ profile aa-enforce @{exec_path} {
 owner @{PROC}/@{pid}/fd r,
 include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log
index c5bc84c76..6d1f690f6 100644
--- a/apparmor.d/profiles-a-f/aa-log
+++ b/apparmor.d/profiles-a-f/aa-log
@@ -35,3 +35,5 @@ profile aa-log @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify
index 7d10b57af..7c65b9be2 100644
--- a/apparmor.d/profiles-a-f/aa-notify
+++ b/apparmor.d/profiles-a-f/aa-notify
@@ -43,3 +43,5 @@ profile aa-notify @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/aa-status b/apparmor.d/profiles-a-f/aa-status
index 7b94ce35f..5d5840f6f 100644
--- a/apparmor.d/profiles-a-f/aa-status
+++ b/apparmor.d/profiles-a-f/aa-status
@@ -30,3 +30,5 @@ profile aa-status @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/aa-teardown b/apparmor.d/profiles-a-f/aa-teardown
index c42501644..263c7b9af 100644
--- a/apparmor.d/profiles-a-f/aa-teardown
+++ b/apparmor.d/profiles-a-f/aa-teardown
@@ -23,4 +23,6 @@ profile aa-teardown @{exec_path} {
 /dev/tty rw,
 include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/abook b/apparmor.d/profiles-a-f/abook
index 14e345864..f4252aeee 100644
--- a/apparmor.d/profiles-a-f/abook
+++ b/apparmor.d/profiles-a-f/abook
@@ -31,3 +31,5 @@ profile abook @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/acpi b/apparmor.d/profiles-a-f/acpi
index ce1e57541..4f6132c25 100644
--- a/apparmor.d/profiles-a-f/acpi
+++ b/apparmor.d/profiles-a-f/acpi
@@ -22,3 +22,5 @@ profile acpi @{exec_path} flags=(complain) {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn
index ba559644c..9372f46b4 100644
--- a/apparmor.d/profiles-a-f/acpi-powerbtn
+++ b/apparmor.d/profiles-a-f/acpi-powerbtn
@@ -55,3 +55,5 @@ profile acpi-powerbtn flags=(attach_disconnected) {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid
index 95eb98c61..10600e3d7 100644
--- a/apparmor.d/profiles-a-f/acpid
+++ b/apparmor.d/profiles-a-f/acpid
@@ -18,7 +18,7 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{bin}/{ba,da,}sh rix,
+ @{sh_path} rix,
 @{bin}/logger rix,
 /etc/acpi/powerbtn-acpi-support.sh rPx -> acpi-powerbtn,
@@ -37,3 +37,5 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/adb b/apparmor.d/profiles-a-f/adb
index bbdc782ab..13863c03a 100644
--- a/apparmor.d/profiles-a-f/adb
+++ b/apparmor.d/profiles-a-f/adb
@@ -32,3 +32,5 @@ profile adb @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser
index e816822ae..350f070b0 100644
--- a/apparmor.d/profiles-a-f/adduser
+++ b/apparmor.d/profiles-a-f/adduser
@@ -54,3 +54,5 @@ profile adduser @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate
index cbcb25574..fe3e7565f 100644
--- a/apparmor.d/profiles-a-f/adequate
+++ b/apparmor.d/profiles-a-f/adequate
@@ -109,3 +109,5 @@ profile adequate @{exec_path} flags=(complain) {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty
index bf83779a5..c15748c6a 100644
--- a/apparmor.d/profiles-a-f/agetty
+++ b/apparmor.d/profiles-a-f/agetty
@@ -42,3 +42,5 @@ profile agetty @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte
index 8497cb986..80e64558a 100644
--- a/apparmor.d/profiles-a-f/alacarte
+++ b/apparmor.d/profiles-a-f/alacarte
@@ -33,4 +33,6 @@ profile alacarte @{exec_path} {
 owner @{PROC}/@{pid}/mounts r,
 include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/alsactl b/apparmor.d/profiles-a-f/alsactl
index c0f821a10..bde626660 100644
--- a/apparmor.d/profiles-a-f/alsactl
+++ b/apparmor.d/profiles-a-f/alsactl
@@ -23,4 +23,6 @@ profile alsactl @{exec_path} {
 owner @{run}/alsa/{,**} rw,
 include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/amixer b/apparmor.d/profiles-a-f/amixer
index c6c49ecca..ea2842a74 100644
--- a/apparmor.d/profiles-a-f/amixer
+++ b/apparmor.d/profiles-a-f/amixer
@@ -26,3 +26,5 @@ profile amixer @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/anacron b/apparmor.d/profiles-a-f/anacron
index 40f14779c..8893f1d70 100644
--- a/apparmor.d/profiles-a-f/anacron
+++ b/apparmor.d/profiles-a-f/anacron
@@ -44,3 +44,5 @@ profile anacron @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote
index 4fa47c613..b9031360f 100644
--- a/apparmor.d/profiles-a-f/anyremote
+++ b/apparmor.d/profiles-a-f/anyremote
@@ -138,3 +138,5 @@ profile anyremote @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/aplay b/apparmor.d/profiles-a-f/aplay
index 44bdd100d..0bb417ae2 100644
--- a/apparmor.d/profiles-a-f/aplay
+++ b/apparmor.d/profiles-a-f/aplay
@@ -21,3 +21,5 @@ profile aplay @{exec_path} flags=(complain) {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/apparmor.systemd b/apparmor.d/profiles-a-f/apparmor.systemd
index e993b3f85..a6d517b2a 100644
--- a/apparmor.d/profiles-a-f/apparmor.systemd
+++ b/apparmor.d/profiles-a-f/apparmor.systemd
@@ -48,4 +48,6 @@ profile apparmor.systemd @{exec_path} flags=(complain) {
 /dev/tty rw,
 include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser
index ee442861f..82acd0d0f 100644
--- a/apparmor.d/profiles-a-f/apparmor_parser
+++ b/apparmor.d/profiles-a-f/apparmor_parser
@@ -45,4 +45,6 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/mounts r,
 include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli
index e280c7055..6b6bad8d8 100644
--- a/apparmor.d/profiles-a-f/appstreamcli
+++ b/apparmor.d/profiles-a-f/appstreamcli
@@ -74,3 +74,5 @@ profile appstreamcli @{exec_path} flags=(complain) {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/arandr b/apparmor.d/profiles-a-f/arandr
index cb2e5b37b..6baddcf18 100644
--- a/apparmor.d/profiles-a-f/arandr
+++ b/apparmor.d/profiles-a-f/arandr
@@ -37,3 +37,5 @@ profile arandr @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/archivemount b/apparmor.d/profiles-a-f/archivemount
index 106afa48f..03836a9dc 100644
--- a/apparmor.d/profiles-a-f/archivemount
+++ b/apparmor.d/profiles-a-f/archivemount
@@ -56,3 +56,5 @@ profile archivemount @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/arduino b/apparmor.d/profiles-a-f/arduino
index d92b5dce9..47d784212 100644
--- a/apparmor.d/profiles-a-f/arduino
+++ b/apparmor.d/profiles-a-f/arduino
@@ -136,3 +136,5 @@ profile arduino @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/arduino-builder b/apparmor.d/profiles-a-f/arduino-builder
index 0eb54afe3..23f8628e5 100644
--- a/apparmor.d/profiles-a-f/arduino-builder
+++ b/apparmor.d/profiles-a-f/arduino-builder
@@ -49,3 +49,5 @@ profile arduino-builder @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/arduino-ctags b/apparmor.d/profiles-a-f/arduino-ctags
index c97b00961..0c3849643 100644
--- a/apparmor.d/profiles-a-f/arduino-ctags
+++ b/apparmor.d/profiles-a-f/arduino-ctags
@@ -19,3 +19,5 @@ profile arduino-ctags @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/aspell b/apparmor.d/profiles-a-f/aspell
index 765234d6f..c5bd8d4f4 100644
--- a/apparmor.d/profiles-a-f/aspell
+++ b/apparmor.d/profiles-a-f/aspell
@@ -23,3 +23,5 @@ profile aspell @{exec_path} flags=(complain) {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash
index f7bf193a9..078fa0139 100644
--- a/apparmor.d/profiles-a-f/aspell-autobuildhash
+++ b/apparmor.d/profiles-a-f/aspell-autobuildhash
@@ -73,3 +73,5 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/at b/apparmor.d/profiles-a-f/at
index 23d5d30d6..2da487b9c 100644
--- a/apparmor.d/profiles-a-f/at
+++ b/apparmor.d/profiles-a-f/at
@@ -29,4 +29,6 @@ profile at @{exec_path} {
 @{PROC}/@{pid}/loginuid r,
 include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd
index 9da2f3041..b1b54f0fa 100644
--- a/apparmor.d/profiles-a-f/atd
+++ b/apparmor.d/profiles-a-f/atd
@@ -44,4 +44,6 @@ profile atd @{exec_path} {
 @{PROC}/loadavg r,
 include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/atftpd b/apparmor.d/profiles-a-f/atftpd
index aa90818d6..02a0a018b 100644
--- a/apparmor.d/profiles-a-f/atftpd
+++ b/apparmor.d/profiles-a-f/atftpd
@@ -26,3 +26,5 @@ profile atftpd @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/atool b/apparmor.d/profiles-a-f/atool
index cb5317ded..947245d2a 100644
--- a/apparmor.d/profiles-a-f/atool
+++ b/apparmor.d/profiles-a-f/atool
@@ -49,3 +49,5 @@ profile atool @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril
index a1caf6bc7..2163346cc 100644
--- a/apparmor.d/profiles-a-f/atril
+++ b/apparmor.d/profiles-a-f/atril
@@ -87,3 +87,5 @@ profile @{bin}/atril-previewer {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/atrild b/apparmor.d/profiles-a-f/atrild
index d753d7f88..c44686d5a 100644
--- a/apparmor.d/profiles-a-f/atrild
+++ b/apparmor.d/profiles-a-f/atrild
@@ -18,3 +18,5 @@ profile atrild @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/auditctl b/apparmor.d/profiles-a-f/auditctl
index daee68977..daaee243f 100644
--- a/apparmor.d/profiles-a-f/auditctl
+++ b/apparmor.d/profiles-a-f/auditctl
@@ -19,4 +19,6 @@ profile auditctl @{exec_path} flags=(attach_disconnected) {
 /etc/audit/audit.rules r,
 include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd
index 0775c6183..4e93a5d22 100644
--- a/apparmor.d/profiles-a-f/auditd
+++ b/apparmor.d/profiles-a-f/auditd
@@ -38,3 +38,5 @@ profile auditd @{exec_path} flags=(attach_disconnected) {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules
index f5a83b69a..5f192e8cc 100644
--- a/apparmor.d/profiles-a-f/augenrules
+++ b/apparmor.d/profiles-a-f/augenrules
@@ -34,3 +34,5 @@ profile augenrules @{exec_path} flags=(attach_disconnected) {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/badblocks b/apparmor.d/profiles-a-f/badblocks
index 0c514c76d..48b4cc8af 100644
--- a/apparmor.d/profiles-a-f/badblocks
+++ b/apparmor.d/profiles-a-f/badblocks
@@ -24,3 +24,5 @@ profile badblocks @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/biosdecode b/apparmor.d/profiles-a-f/biosdecode
index dc9540643..caf8a50d2 100644
--- a/apparmor.d/profiles-a-f/biosdecode
+++ b/apparmor.d/profiles-a-f/biosdecode
@@ -20,3 +20,5 @@ profile biosdecode @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray
index 972ee380d..b6314e942 100644
--- a/apparmor.d/profiles-a-f/birdtray
+++ b/apparmor.d/profiles-a-f/birdtray
@@ -49,7 +49,6 @@ profile birdtray @{exec_path} {
 /dev/shm/#@{int} rw,
- @{PROC}/sys/kernel/random/boot_id r,
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
@@ -58,3 +57,5 @@ profile birdtray @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate
index ea688a331..f9db3e96f 100644
--- a/apparmor.d/profiles-a-f/blkdeactivate
+++ b/apparmor.d/profiles-a-f/blkdeactivate
@@ -29,3 +29,5 @@ profile blkdeactivate @{exec_path} flags=(complain) {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/profiles-a-f/blkid
index fef77c18a..ad8134064 100644
--- a/apparmor.d/profiles-a-f/blkid
+++ b/apparmor.d/profiles-a-f/blkid
@@ -41,3 +41,5 @@ profile blkid @{exec_path} flags=(attach_disconnected) {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/blockdev b/apparmor.d/profiles-a-f/blockdev
index a69104221..1b6cc77cb 100644
--- a/apparmor.d/profiles-a-f/blockdev
+++ b/apparmor.d/profiles-a-f/blockdev
@@ -20,3 +20,5 @@ profile blockdev @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman
index 13e3fed1b..9ac1c2c2b 100644
--- a/apparmor.d/profiles-a-f/blueman
+++ b/apparmor.d/profiles-a-f/blueman
@@ -65,3 +65,5 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/blueman-mechanism b/apparmor.d/profiles-a-f/blueman-mechanism
index 968c98f3c..152520fad 100644
--- a/apparmor.d/profiles-a-f/blueman-mechanism
+++ b/apparmor.d/profiles-a-f/blueman-mechanism
@@ -47,3 +47,5 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher b/apparmor.d/profiles-a-f/blueman-rfcomm-watcher
index 9e24bf7b7..a8753ac8f 100644
--- a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher
+++ b/apparmor.d/profiles-a-f/blueman-rfcomm-watcher
@@ -22,3 +22,5 @@ profile blueman-rfcomm-watcher @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/bluemoon b/apparmor.d/profiles-a-f/bluemoon
index 5b975f1b9..06f4040f8 100644
--- a/apparmor.d/profiles-a-f/bluemoon
+++ b/apparmor.d/profiles-a-f/bluemoon
@@ -15,3 +15,5 @@ profile bluemoon @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/bluetoothctl b/apparmor.d/profiles-a-f/bluetoothctl
index 5af6e963e..603998f2c 100644
--- a/apparmor.d/profiles-a-f/bluetoothctl
+++ b/apparmor.d/profiles-a-f/bluetoothctl
@@ -21,3 +21,5 @@ profile bluetoothctl @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/profiles-a-f/bluetoothd
index 499a7e3cb..75934102b 100644
--- a/apparmor.d/profiles-a-f/bluetoothd
+++ b/apparmor.d/profiles-a-f/bluetoothd
@@ -77,3 +77,5 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/bmon b/apparmor.d/profiles-a-f/bmon
index 3ed3aae29..77feb3210 100644
--- a/apparmor.d/profiles-a-f/bmon
+++ b/apparmor.d/profiles-a-f/bmon
@@ -19,3 +19,5 @@ profile bmon @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd
index 29fd2aac9..47c16d1cd 100644
--- a/apparmor.d/profiles-a-f/boltd
+++ b/apparmor.d/profiles-a-f/boltd
@@ -50,3 +50,5 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg
index dffe9087f..107330419 100644
--- a/apparmor.d/profiles-a-f/borg
+++ b/apparmor.d/profiles-a-f/borg
@@ -117,3 +117,5 @@ profile borg @{exec_path} {
 include if exists
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass
index e616a9411..cfc5d3b0b 100644
--- a/apparmor.d/profiles-a-f/browserpass
+++ b/apparmor.d/profiles-a-f/browserpass
@@ -62,3 +62,5 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop
index 3ec7b2f3b..b6c3556ec 100644
--- a/apparmor.d/profiles-a-f/btop
+++ b/apparmor.d/profiles-a-f/btop
@@ -60,3 +60,5 @@ profile btop @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs
index cb651e1c2..f056d12ca 100644
--- a/apparmor.d/profiles-a-f/btrfs
+++ b/apparmor.d/profiles-a-f/btrfs
@@ -58,3 +58,5 @@ profile btrfs @{exec_path} flags=(attach_disconnected) {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/btrfs-convert b/apparmor.d/profiles-a-f/btrfs-convert
index 0143fd5c9..8b443cf6e 100644
--- a/apparmor.d/profiles-a-f/btrfs-convert
+++ b/apparmor.d/profiles-a-f/btrfs-convert
@@ -18,3 +18,5 @@ profile btrfs-convert @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/btrfs-find-root b/apparmor.d/profiles-a-f/btrfs-find-root
index d25c836bf..03c2d47bd 100644
--- a/apparmor.d/profiles-a-f/btrfs-find-root
+++ b/apparmor.d/profiles-a-f/btrfs-find-root
@@ -19,3 +19,5 @@ profile btrfs-find-root @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/btrfs-image b/apparmor.d/profiles-a-f/btrfs-image
index 63a54f7d6..c1508bb09 100644
--- a/apparmor.d/profiles-a-f/btrfs-image
+++ b/apparmor.d/profiles-a-f/btrfs-image
@@ -21,3 +21,5 @@ profile btrfs-image @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/btrfs-map-logical b/apparmor.d/profiles-a-f/btrfs-map-logical
index f50198a9e..12d2b09d6 100644
--- a/apparmor.d/profiles-a-f/btrfs-map-logical
+++ b/apparmor.d/profiles-a-f/btrfs-map-logical
@@ -19,3 +19,5 @@ profile btrfs-map-logical @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/btrfs-select-super b/apparmor.d/profiles-a-f/btrfs-select-super
index 12efd68cd..f083363cf 100644
--- a/apparmor.d/profiles-a-f/btrfs-select-super
+++ b/apparmor.d/profiles-a-f/btrfs-select-super
@@ -18,3 +18,5 @@ profile btrfs-select-super @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/btrfstune b/apparmor.d/profiles-a-f/btrfstune
index 4eb522481..cd8f7adfe 100644
--- a/apparmor.d/profiles-a-f/btrfstune
+++ b/apparmor.d/profiles-a-f/btrfstune
@@ -22,3 +22,5 @@ profile btrfstune @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/cawbird b/apparmor.d/profiles-a-f/cawbird
index 6ebd21052..ee3bab550 100644
--- a/apparmor.d/profiles-a-f/cawbird
+++ b/apparmor.d/profiles-a-f/cawbird
@@ -72,3 +72,5 @@ profile cawbird @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/cc-remote-login-helper b/apparmor.d/profiles-a-f/cc-remote-login-helper
index 5bb52d718..bc12ec50b 100644
--- a/apparmor.d/profiles-a-f/cc-remote-login-helper
+++ b/apparmor.d/profiles-a-f/cc-remote-login-helper
@@ -15,3 +15,5 @@ profile cc-remote-login-helper @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/cctk b/apparmor.d/profiles-a-f/cctk
index f73936734..3795d9836 100644
--- a/apparmor.d/profiles-a-f/cctk
+++ b/apparmor.d/profiles-a-f/cctk
@@ -32,4 +32,6 @@ profile cctk @{exec_path} {
 /dev/wmi/dell-smbios r,
 include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/ccze b/apparmor.d/profiles-a-f/ccze
index 6ef28e832..e51310b63 100644
--- a/apparmor.d/profiles-a-f/ccze
+++ b/apparmor.d/profiles-a-f/ccze
@@ -21,3 +21,5 @@ profile ccze @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/cert-sync b/apparmor.d/profiles-a-f/cert-sync
index b3abfcbb8..e2770bda1 100644
--- a/apparmor.d/profiles-a-f/cert-sync
+++ b/apparmor.d/profiles-a-f/cert-sync
@@ -15,4 +15,6 @@ profile cert-sync @{exec_path} {
 @{bin}/mono-sgen rPx,
 include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/cfdisk b/apparmor.d/profiles-a-f/cfdisk
index 48d129e3f..7559b5c84 100644
--- a/apparmor.d/profiles-a-f/cfdisk
+++ b/apparmor.d/profiles-a-f/cfdisk
@@ -33,3 +33,5 @@ profile cfdisk @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/cgdisk b/apparmor.d/profiles-a-f/cgdisk
index ee305de16..f19e70c26 100644
--- a/apparmor.d/profiles-a-f/cgdisk
+++ b/apparmor.d/profiles-a-f/cgdisk
@@ -25,3 +25,5 @@ profile cgdisk @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/cgrulesengd b/apparmor.d/profiles-a-f/cgrulesengd
index 1a9b6d81d..6c51eead1 100644
--- a/apparmor.d/profiles-a-f/cgrulesengd
+++ b/apparmor.d/profiles-a-f/cgrulesengd
@@ -51,3 +51,5 @@ profile cgrulesengd @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/chage b/apparmor.d/profiles-a-f/chage
index 21d41f149..3eaa0efb9 100644
--- a/apparmor.d/profiles-a-f/chage
+++ b/apparmor.d/profiles-a-f/chage
@@ -36,3 +36,5 @@ profile chage @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/changestool b/apparmor.d/profiles-a-f/changestool
index 577e08395..9dd650d51 100644
--- a/apparmor.d/profiles-a-f/changestool
+++ b/apparmor.d/profiles-a-f/changestool
@@ -37,3 +37,5 @@ profile changestool @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/check-bios-nx b/apparmor.d/profiles-a-f/check-bios-nx
index a2021522d..4873d3e06 100644
--- a/apparmor.d/profiles-a-f/check-bios-nx
+++ b/apparmor.d/profiles-a-f/check-bios-nx
@@ -47,3 +47,5 @@ profile check-bios-nx @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/check-support-status b/apparmor.d/profiles-a-f/check-support-status
index e6c6a2e0a..bdd9719d3 100644
--- a/apparmor.d/profiles-a-f/check-support-status
+++ b/apparmor.d/profiles-a-f/check-support-status
@@ -79,3 +79,5 @@ profile check-support-status @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook
index d10245d4c..e0c312423 100644
--- a/apparmor.d/profiles-a-f/check-support-status-hook
+++ b/apparmor.d/profiles-a-f/check-support-status-hook
@@ -128,3 +128,5 @@ profile check-support-status-hook @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/chfn b/apparmor.d/profiles-a-f/chfn
index 1d6a56c5e..162a08b84 100644
--- a/apparmor.d/profiles-a-f/chfn
+++ b/apparmor.d/profiles-a-f/chfn
@@ -45,3 +45,5 @@ profile chfn @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/chpasswd b/apparmor.d/profiles-a-f/chpasswd
index b0414fad0..1fd84f53c 100644
--- a/apparmor.d/profiles-a-f/chpasswd
+++ b/apparmor.d/profiles-a-f/chpasswd
@@ -31,3 +31,5 @@ profile chpasswd @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/chronyd b/apparmor.d/profiles-a-f/chronyd
index ca1896015..5aa5c5ed2 100644
--- a/apparmor.d/profiles-a-f/chronyd
+++ b/apparmor.d/profiles-a-f/chronyd
@@ -60,4 +60,6 @@ profile chronyd @{exec_path} flags=(attach_disconnected) {
 /dev/rtc{,@{int}} rw,
 include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/profiles-a-f/chsh
index 75f98c7c0..ffcdb5bdf 100644
--- a/apparmor.d/profiles-a-f/chsh
+++ b/apparmor.d/profiles-a-f/chsh
@@ -46,3 +46,5 @@ profile chsh @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail
index 885d16027..4de4543a4 100644
--- a/apparmor.d/profiles-a-f/claws-mail
+++ b/apparmor.d/profiles-a-f/claws-mail
@@ -70,3 +70,5 @@ profile claws-mail @{exec_path} flags=(complain) {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/code b/apparmor.d/profiles-a-f/code
index 8dcd847df..393598746 100644
--- a/apparmor.d/profiles-a-f/code
+++ b/apparmor.d/profiles-a-f/code
@@ -101,3 +101,5 @@ profile code flags=(attach_disconnected) {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/code-extension-git-askpass b/apparmor.d/profiles-a-f/code-extension-git-askpass
index 8b4196580..6954ca966 100644
--- a/apparmor.d/profiles-a-f/code-extension-git-askpass
+++ b/apparmor.d/profiles-a-f/code-extension-git-askpass
@@ -29,3 +29,5 @@ profile code-extension-git-askpass @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/code-extension-git-editor b/apparmor.d/profiles-a-f/code-extension-git-editor
index 1708393d1..104e01281 100644
--- a/apparmor.d/profiles-a-f/code-extension-git-editor
+++ b/apparmor.d/profiles-a-f/code-extension-git-editor
@@ -20,4 +20,6 @@ profile code-extension-git-editor @{exec_path} {
 /dev/tty rw,
 include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/code-wrapper b/apparmor.d/profiles-a-f/code-wrapper
index e867892ab..707164b09 100644
--- a/apparmor.d/profiles-a-f/code-wrapper
+++ b/apparmor.d/profiles-a-f/code-wrapper
@@ -23,3 +23,5 @@ profile code-wrapper @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/compton b/apparmor.d/profiles-a-f/compton
index 360957a7c..b27228807 100644
--- a/apparmor.d/profiles-a-f/compton
+++ b/apparmor.d/profiles-a-f/compton
@@ -25,3 +25,5 @@ profile compton @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/conky b/apparmor.d/profiles-a-f/conky
index fa71598fc..1e1b10abc 100644
--- a/apparmor.d/profiles-a-f/conky
+++ b/apparmor.d/profiles-a-f/conky
@@ -204,3 +204,5 @@ profile conky @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup
index a8bac3a11..d7b41ff20 100644
--- a/apparmor.d/profiles-a-f/console-setup
+++ b/apparmor.d/profiles-a-f/console-setup
@@ -18,4 +18,6 @@ profile console-setup @{exec_path} {
 @{run}/console-setup/boot_completed w,
 include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/convertall b/apparmor.d/profiles-a-f/convertall
index a1453d122..28a393470 100644
--- a/apparmor.d/profiles-a-f/convertall
+++ b/apparmor.d/profiles-a-f/convertall
@@ -41,3 +41,5 @@ profile convertall @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/cppw-cpgr b/apparmor.d/profiles-a-f/cppw-cpgr
index 1795b49d5..9e0aa0ad1 100644
--- a/apparmor.d/profiles-a-f/cppw-cpgr
+++ b/apparmor.d/profiles-a-f/cppw-cpgr
@@ -34,3 +34,5 @@ profile cppw-cpgr @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/cpuid b/apparmor.d/profiles-a-f/cpuid
index 3c4f797e0..8df6f750e 100644
--- a/apparmor.d/profiles-a-f/cpuid
+++ b/apparmor.d/profiles-a-f/cpuid
@@ -21,3 +21,5 @@ profile cpuid @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/cracklib-packer b/apparmor.d/profiles-a-f/cracklib-packer
index 8cd26fff2..d29bfbbee 100644
--- a/apparmor.d/profiles-a-f/cracklib-packer
+++ b/apparmor.d/profiles-a-f/cracklib-packer
@@ -15,4 +15,6 @@ profile cracklib-packer @{exec_path} { owner /var/cache/cracklib/{,**} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/crda b/apparmor.d/profiles-a-f/crda index 41e816370..96fb4c706 100644 --- a/apparmor.d/profiles-a-f/crda +++ b/apparmor.d/profiles-a-f/crda @@ -18,3 +18,5 @@ profile crda @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-beh b/apparmor.d/profiles-a-f/cups-backend-beh index d3e7a4a7c..5945ac6ea 100644 --- a/apparmor.d/profiles-a-f/cups-backend-beh +++ b/apparmor.d/profiles-a-f/cups-backend-beh @@ -15,4 +15,6 @@ profile cups-backend-beh @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-bluetooth b/apparmor.d/profiles-a-f/cups-backend-bluetooth index 402c97f74..ba606c7ef 100644 --- a/apparmor.d/profiles-a-f/cups-backend-bluetooth +++ b/apparmor.d/profiles-a-f/cups-backend-bluetooth @@ -15,4 +15,6 @@ profile cups-backend-bluetooth @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-brf b/apparmor.d/profiles-a-f/cups-backend-brf index a0e46cf07..2ea66ba05 100644 --- a/apparmor.d/profiles-a-f/cups-backend-brf +++ b/apparmor.d/profiles-a-f/cups-backend-brf @@ -17,4 +17,6 @@ profile cups-backend-brf @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-dnssd b/apparmor.d/profiles-a-f/cups-backend-dnssd index e047682f0..0bb1a34d1 100644 --- a/apparmor.d/profiles-a-f/cups-backend-dnssd +++ b/apparmor.d/profiles-a-f/cups-backend-dnssd @@ -16,4 +16,6 @@ profile cups-backend-dnssd @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-a-f/cups-backend-hp b/apparmor.d/profiles-a-f/cups-backend-hp index 268ef4e96..f82ce7e0a 100644 --- a/apparmor.d/profiles-a-f/cups-backend-hp +++ b/apparmor.d/profiles-a-f/cups-backend-hp @@ -15,4 +15,6 @@ profile cups-backend-hp @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-implicitclass b/apparmor.d/profiles-a-f/cups-backend-implicitclass index 53dd31cea..6a50ec237 100644 --- a/apparmor.d/profiles-a-f/cups-backend-implicitclass +++ b/apparmor.d/profiles-a-f/cups-backend-implicitclass @@ -15,4 +15,6 @@ profile cups-backend-implicitclass @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-ipp b/apparmor.d/profiles-a-f/cups-backend-ipp index e20771d28..706e1a5ae 100644 --- a/apparmor.d/profiles-a-f/cups-backend-ipp +++ b/apparmor.d/profiles-a-f/cups-backend-ipp @@ -15,4 +15,6 @@ profile cups-backend-ipp @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-lpd b/apparmor.d/profiles-a-f/cups-backend-lpd index 198d8a561..077a913a0 100644 --- a/apparmor.d/profiles-a-f/cups-backend-lpd +++ b/apparmor.d/profiles-a-f/cups-backend-lpd @@ -15,4 +15,6 @@ profile cups-backend-lpd @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-mdns b/apparmor.d/profiles-a-f/cups-backend-mdns index 7945a8b5f..a520e9a19 100644 --- a/apparmor.d/profiles-a-f/cups-backend-mdns +++ b/apparmor.d/profiles-a-f/cups-backend-mdns @@ -15,4 +15,6 @@ profile cups-backend-mdns @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-a-f/cups-backend-parallel b/apparmor.d/profiles-a-f/cups-backend-parallel index 54eb3f307..fe2e752ef 100644 --- a/apparmor.d/profiles-a-f/cups-backend-parallel +++ b/apparmor.d/profiles-a-f/cups-backend-parallel @@ -15,4 +15,6 @@ profile cups-backend-parallel @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-pdf b/apparmor.d/profiles-a-f/cups-backend-pdf index 650b5f879..efbb2a85d 100644 --- a/apparmor.d/profiles-a-f/cups-backend-pdf +++ b/apparmor.d/profiles-a-f/cups-backend-pdf @@ -43,4 +43,6 @@ profile cups-backend-pdf @{exec_path} { /dev/tty rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-serial b/apparmor.d/profiles-a-f/cups-backend-serial index 1788cce1a..e2ec19bce 100644 --- a/apparmor.d/profiles-a-f/cups-backend-serial +++ b/apparmor.d/profiles-a-f/cups-backend-serial @@ -17,4 +17,6 @@ profile cups-backend-serial @{exec_path} { /dev/ttyS@{int} w, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-snmp b/apparmor.d/profiles-a-f/cups-backend-snmp index a11035efd..1532db04b 100644 --- a/apparmor.d/profiles-a-f/cups-backend-snmp +++ b/apparmor.d/profiles-a-f/cups-backend-snmp @@ -21,4 +21,6 @@ profile cups-backend-snmp @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-socket b/apparmor.d/profiles-a-f/cups-backend-socket index f65196454..338d2e2e6 100644 --- a/apparmor.d/profiles-a-f/cups-backend-socket +++ b/apparmor.d/profiles-a-f/cups-backend-socket @@ -15,4 +15,6 @@ profile cups-backend-socket @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-a-f/cups-backend-usb b/apparmor.d/profiles-a-f/cups-backend-usb index ec059f654..e647939f4 100644 --- a/apparmor.d/profiles-a-f/cups-backend-usb +++ b/apparmor.d/profiles-a-f/cups-backend-usb @@ -23,4 +23,6 @@ profile cups-backend-usb @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-browsed b/apparmor.d/profiles-a-f/cups-browsed index 9a10d3de9..2abffbe16 100644 --- a/apparmor.d/profiles-a-f/cups-browsed +++ b/apparmor.d/profiles-a-f/cups-browsed @@ -52,3 +52,5 @@ profile cups-browsed @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-notifier-dbus b/apparmor.d/profiles-a-f/cups-notifier-dbus index 3fb7158e9..9632ca91d 100644 --- a/apparmor.d/profiles-a-f/cups-notifier-dbus +++ b/apparmor.d/profiles-a-f/cups-notifier-dbus @@ -11,17 +11,18 @@ profile cups-notifier-dbus @{exec_path} { include include include + include include signal (receive) set=(term) peer=cupsd, @{exec_path} mr, - /etc/cups/client.conf r, - owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw, owner @{tmp}/cups-dbus-notifier-lockfile rwk, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-notifier-mailto b/apparmor.d/profiles-a-f/cups-notifier-mailto index 7c7e79972..aad9f73c3 100644 --- a/apparmor.d/profiles-a-f/cups-notifier-mailto +++ b/apparmor.d/profiles-a-f/cups-notifier-mailto @@ -13,4 +13,6 @@ profile cups-notifier-mailto @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-notifier-rss b/apparmor.d/profiles-a-f/cups-notifier-rss index d00b3dd34..86dfecc9e 100644 --- a/apparmor.d/profiles-a-f/cups-notifier-rss +++ b/apparmor.d/profiles-a-f/cups-notifier-rss 
@@ -13,4 +13,6 @@ profile cups-notifier-rss @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism index e71c37fe1..7c67e3e6a 100644 --- a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism +++ b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism @@ -31,4 +31,6 @@ profile cups-pk-helper-mechanism @{exec_path} { @{run}/cups/cups.sock rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/profiles-a-f/cupsd index 13bcc3b8c..9511c7495 100644 --- a/apparmor.d/profiles-a-f/cupsd +++ b/apparmor.d/profiles-a-f/cupsd @@ -100,3 +100,5 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/czkawka-cli b/apparmor.d/profiles-a-f/czkawka-cli index cae6daa46..6ad4c553b 100644 --- a/apparmor.d/profiles-a-f/czkawka-cli +++ b/apparmor.d/profiles-a-f/czkawka-cli @@ -32,3 +32,5 @@ profile czkawka-cli @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/czkawka-gui b/apparmor.d/profiles-a-f/czkawka-gui index fb4fb601d..68a30c769 100644 --- a/apparmor.d/profiles-a-f/czkawka-gui +++ b/apparmor.d/profiles-a-f/czkawka-gui @@ -66,3 +66,5 @@ profile czkawka-gui @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/ddclient b/apparmor.d/profiles-a-f/ddclient index 96e02b281..000e61013 100644 --- a/apparmor.d/profiles-a-f/ddclient +++ b/apparmor.d/profiles-a-f/ddclient @@ -30,3 +30,5 @@ profile ddclient @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index 1f554c4c4..eaf12a933 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop 
+++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -107,3 +107,5 @@ profile deltachat-desktop @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 322df24e0..67e52b376 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -59,3 +59,5 @@ profile deluser @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/df b/apparmor.d/profiles-a-f/df index 67cba3931..18b3687e1 100644 --- a/apparmor.d/profiles-a-f/df +++ b/apparmor.d/profiles-a-f/df @@ -26,3 +26,5 @@ profile df @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dfc b/apparmor.d/profiles-a-f/dfc index d8451a4d9..b4ccf6743 100644 --- a/apparmor.d/profiles-a-f/dfc +++ b/apparmor.d/profiles-a-f/dfc @@ -25,3 +25,5 @@ profile dfc @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dhclient b/apparmor.d/profiles-a-f/dhclient index 5925c6381..20e45b87f 100644 --- a/apparmor.d/profiles-a-f/dhclient +++ b/apparmor.d/profiles-a-f/dhclient @@ -39,3 +39,5 @@ profile dhclient @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index 45faf18a7..4261a8be7 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -81,3 +81,5 @@ profile dhclient-script @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dig b/apparmor.d/profiles-a-f/dig index 8d3d1e7dc..87b80e3da 100644 --- a/apparmor.d/profiles-a-f/dig +++ b/apparmor.d/profiles-a-f/dig @@ -34,3 +34,5 @@ profile dig @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dino-im b/apparmor.d/profiles-a-f/dino-im index 4fce76bcf..f06989836 100644 --- a/apparmor.d/profiles-a-f/dino-im 
+++ b/apparmor.d/profiles-a-f/dino-im @@ -50,3 +50,5 @@ profile dino-im @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index d551bbfc7..90206b44c 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -119,3 +119,5 @@ profile dkms @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dkms-autoinstaller b/apparmor.d/profiles-a-f/dkms-autoinstaller index bf81fe314..f266791a1 100644 --- a/apparmor.d/profiles-a-f/dkms-autoinstaller +++ b/apparmor.d/profiles-a-f/dkms-autoinstaller @@ -46,3 +46,5 @@ profile dkms-autoinstaller @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dleyna-renderer-service b/apparmor.d/profiles-a-f/dleyna-renderer-service index 3fb0d800e..d56098048 100644 --- a/apparmor.d/profiles-a-f/dleyna-renderer-service +++ b/apparmor.d/profiles-a-f/dleyna-renderer-service @@ -23,4 +23,6 @@ profile dleyna-renderer-service @{exec_path} { owner @{user_config_dirs}/dleyna-renderer-service.conf rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dleyna-server-service b/apparmor.d/profiles-a-f/dleyna-server-service index bd74802f7..f41d250f6 100644 --- a/apparmor.d/profiles-a-f/dleyna-server-service +++ b/apparmor.d/profiles-a-f/dleyna-server-service @@ -25,4 +25,6 @@ profile dleyna-server-service @{exec_path} { owner @{user_config_dirs}/dleyna-server-service.conf w, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dlocate b/apparmor.d/profiles-a-f/dlocate index 95ed3f08b..e17a72c84 100644 --- a/apparmor.d/profiles-a-f/dlocate +++ b/apparmor.d/profiles-a-f/dlocate @@ -63,3 +63,5 @@ profile dlocate @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-a-f/dmcrypt-get-device b/apparmor.d/profiles-a-f/dmcrypt-get-device
index 11364c40c..2fa3fc6a9 100644
--- a/apparmor.d/profiles-a-f/dmcrypt-get-device
+++ b/apparmor.d/profiles-a-f/dmcrypt-get-device
@@ -24,3 +24,5 @@ profile dmcrypt-get-device @{exec_path} flags=(complain) {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/dmesg b/apparmor.d/profiles-a-f/dmesg
index 85943afa7..6dcd5cbb8 100644
--- a/apparmor.d/profiles-a-f/dmesg
+++ b/apparmor.d/profiles-a-f/dmesg
@@ -12,8 +12,8 @@ profile dmesg @{exec_path} {
 include
 include
- capability syslog,
 capability dac_read_search,
+ capability syslog,
 @{exec_path} mr,
@@ -28,8 +28,13 @@ profile dmesg @{exec_path} {
 /dev/kmsg r,
- deny /{usr/,}local/bin/ r,
 deny @{bin}/{,*/} r,
+ deny /{usr/,}local/{,s}bin/ r,
+ deny /var/lib/flatpak/exports/bin/ r,
+ deny @{HOME}/.go/bin/ r,
+ deny @{user_bin_dirs}/ r,
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/dmeventd b/apparmor.d/profiles-a-f/dmeventd
index 952379e64..2d904eec0 100644
--- a/apparmor.d/profiles-a-f/dmeventd
+++ b/apparmor.d/profiles-a-f/dmeventd
@@ -14,3 +14,5 @@ profile dmeventd @{exec_path} flags=(complain) {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/dmidecode b/apparmor.d/profiles-a-f/dmidecode
index d2200c256..061bc40ac 100644
--- a/apparmor.d/profiles-a-f/dmidecode
+++ b/apparmor.d/profiles-a-f/dmidecode
@@ -22,3 +22,5 @@ profile dmidecode @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/dnscrypt-proxy b/apparmor.d/profiles-a-f/dnscrypt-proxy
index de1597160..03d47e395 100644
--- a/apparmor.d/profiles-a-f/dnscrypt-proxy
+++ b/apparmor.d/profiles-a-f/dnscrypt-proxy
@@ -56,3 +56,5 @@ profile dnscrypt-proxy @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
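Review bot: The new `deny @{HOME}/.go/bin/ r,` in the dmesg profile hardcodes a single user-specific toolchain directory in a system profile, while the neighbouring `deny @{user_bin_dirs}/ r,` already routes per-user bin directories through a tunable; folding `~/.go/bin` into `@{user_bin_dirs}` and dropping the dedicated line keeps the list in one place and benefits every other profile that hits the same directory walk. None of these `deny` lines grant anything, so the security posture is unchanged; they only silence audit noise. A short comment above the deny block would help, since nothing in the hunk shows why dmesg opens these directories at all (presumably a PATH walk for a pager or similar helper, but that is not confirmable from here): `# Silence PATH-directory reads; no exec is granted`.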
diff --git a/apparmor.d/profiles-a-f/downloadhelper b/apparmor.d/profiles-a-f/downloadhelper index af3bc6f99..05b4085b3 100644 --- a/apparmor.d/profiles-a-f/downloadhelper +++ b/apparmor.d/profiles-a-f/downloadhelper @@ -42,4 +42,6 @@ profile downloadhelper @{exec_path} { deny @{user_share_dirs}/gvfs-metadata/* r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dring b/apparmor.d/profiles-a-f/dring index c5b6742f4..8d0045030 100644 --- a/apparmor.d/profiles-a-f/dring +++ b/apparmor.d/profiles-a-f/dring @@ -36,3 +36,5 @@ profile dring @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dumpcap b/apparmor.d/profiles-a-f/dumpcap index 7013ff532..e03ad1742 100644 --- a/apparmor.d/profiles-a-f/dumpcap +++ b/apparmor.d/profiles-a-f/dumpcap @@ -54,3 +54,5 @@ profile dumpcap @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs index 1595d0f7d..725f725c5 100644 --- a/apparmor.d/profiles-a-f/dumpe2fs +++ b/apparmor.d/profiles-a-f/dumpe2fs @@ -25,3 +25,5 @@ profile dumpe2fs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dunst b/apparmor.d/profiles-a-f/dunst index debb3bbe6..8fb895029 100644 --- a/apparmor.d/profiles-a-f/dunst +++ b/apparmor.d/profiles-a-f/dunst @@ -23,3 +23,5 @@ profile dunst @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dunstctl b/apparmor.d/profiles-a-f/dunstctl index 052647fde..42276c6c6 100644 --- a/apparmor.d/profiles-a-f/dunstctl +++ b/apparmor.d/profiles-a-f/dunstctl @@ -23,3 +23,5 @@ profile dunstctl @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dunstify b/apparmor.d/profiles-a-f/dunstify index 22b36527d..3a8f16c2f 100644 --- a/apparmor.d/profiles-a-f/dunstify +++ b/apparmor.d/profiles-a-f/dunstify 
@@ -18,3 +18,5 @@ profile dunstify @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/e2fsck b/apparmor.d/profiles-a-f/e2fsck index 7e5c95c2f..8ce1ed3c7 100644 --- a/apparmor.d/profiles-a-f/e2fsck +++ b/apparmor.d/profiles-a-f/e2fsck @@ -39,3 +39,5 @@ profile e2fsck @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/e2image b/apparmor.d/profiles-a-f/e2image index 5948a831f..ccb4cc5a4 100644 --- a/apparmor.d/profiles-a-f/e2image +++ b/apparmor.d/profiles-a-f/e2image @@ -23,3 +23,5 @@ profile e2image @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/e2scrub_all b/apparmor.d/profiles-a-f/e2scrub_all index be21cded0..de648cac2 100644 --- a/apparmor.d/profiles-a-f/e2scrub_all +++ b/apparmor.d/profiles-a-f/e2scrub_all @@ -25,4 +25,6 @@ profile e2scrub_all @{exec_path} flags=(attach_disconnected) { /dev/tty rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/edid-decode b/apparmor.d/profiles-a-f/edid-decode index 8543b6412..8925e5e2d 100644 --- a/apparmor.d/profiles-a-f/edid-decode +++ b/apparmor.d/profiles-a-f/edid-decode @@ -17,3 +17,5 @@ profile edid-decode @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/eject b/apparmor.d/profiles-a-f/eject index 83942708a..bd467c2be 100644 --- a/apparmor.d/profiles-a-f/eject +++ b/apparmor.d/profiles-a-f/eject @@ -30,3 +30,5 @@ profile eject @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index a2eff5a44..1dd15b4b9 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -46,4 +46,6 @@ profile element-desktop @{exec_path} { deny /var/lib/dbus/machine-id r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-a-f/elinks b/apparmor.d/profiles-a-f/elinks
new file mode 100644
index 000000000..d926271f5
--- /dev/null
+++ b/apparmor.d/profiles-a-f/elinks
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 valoq
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/elinks
+profile elinks @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+
+ @{exec_path} mr,
+
+ owner @{user_config_dirs}/elinks/{,**} rw,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa
index d76f5c1de..78fa87937 100644
--- a/apparmor.d/profiles-a-f/engrampa
+++ b/apparmor.d/profiles-a-f/engrampa
@@ -92,3 +92,5 @@ profile engrampa @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper
index f96fe8f34..6f10293c7 100644
--- a/apparmor.d/profiles-a-f/etckeeper
+++ b/apparmor.d/profiles-a-f/etckeeper
@@ -76,4 +76,6 @@ profile etckeeper @{exec_path} {
 }
 include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince
index 266a7566d..73d73eb02 100644
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@@ -65,3 +65,5 @@ profile evince @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/evince-previewer b/apparmor.d/profiles-a-f/evince-previewer
index 3a792e662..7a2b939a6 100644
--- a/apparmor.d/profiles-a-f/evince-previewer
+++ b/apparmor.d/profiles-a-f/evince-previewer
@@ -18,4 +18,6 @@ profile evince-previewer @{exec_path} {
 @{exec_path} mr,
 include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
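Review bot: The new elinks profile only covers configuration under `@{user_config_dirs}/elinks/`, yet ELinks has historically kept its config, cookies, bookmarks and history under `~/.elinks/`; unless the build you tested is XDG-only, users with an existing `~/.elinks` directory will see denials on first launch (please verify against the packaged version). If that is the case, `owner @{HOME}/.elinks/{,**} rw,` next to the existing line covers it. The profile grants unrestricted IPv4/IPv6 TCP and UDP and deliberately contains no exec rules, so any external handler ELinks would normally launch (mailcap viewers, `xdg-open`) is blocked; that is a sensible default for a confined browser, but it should be recorded so the next denial report is not "fixed" by adding `rUx`: `# No exec rules on purpose: external handlers (mailcap, xdg-open) are not allowed`. The five abstraction names did not survive this rendering, so I cannot tell whether a system-wide `/etc/elinks/` config read is already covered.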
diff --git a/apparmor.d/profiles-a-f/evince-thumbnailer b/apparmor.d/profiles-a-f/evince-thumbnailer index 6faf30098..d4e63c924 100644 --- a/apparmor.d/profiles-a-f/evince-thumbnailer +++ b/apparmor.d/profiles-a-f/evince-thumbnailer @@ -19,4 +19,6 @@ profile evince-thumbnailer @{exec_path} flags=(attach_disconnected) { owner @{tmp}/gnome-desktop-thumbnailer.png w, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/execute-dcut b/apparmor.d/profiles-a-f/execute-dcut index b8c4f43b9..9f03de7fc 100644 --- a/apparmor.d/profiles-a-f/execute-dcut +++ b/apparmor.d/profiles-a-f/execute-dcut @@ -17,3 +17,5 @@ profile execute-dcut @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/execute-dput b/apparmor.d/profiles-a-f/execute-dput index 9700aae9e..10edc6164 100644 --- a/apparmor.d/profiles-a-f/execute-dput +++ b/apparmor.d/profiles-a-f/execute-dput @@ -50,3 +50,5 @@ profile execute-dput @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/exiftool b/apparmor.d/profiles-a-f/exiftool index c21f991c8..23aac34d4 100644 --- a/apparmor.d/profiles-a-f/exiftool +++ b/apparmor.d/profiles-a-f/exiftool @@ -16,3 +16,5 @@ profile exiftool @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/exim4 b/apparmor.d/profiles-a-f/exim4 index 5a8badc50..3dae4cae6 100644 --- a/apparmor.d/profiles-a-f/exim4 +++ b/apparmor.d/profiles-a-f/exim4 @@ -59,3 +59,5 @@ profile exim4 @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/exo-compose-mail b/apparmor.d/profiles-a-f/exo-compose-mail index edc88b0dd..990c67b85 100644 --- a/apparmor.d/profiles-a-f/exo-compose-mail +++ b/apparmor.d/profiles-a-f/exo-compose-mail @@ -22,3 +22,5 @@ profile exo-compose-mail @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-a-f/exo-helper b/apparmor.d/profiles-a-f/exo-helper index 378ac1ae8..af38a5fa3 100644 --- a/apparmor.d/profiles-a-f/exo-helper +++ b/apparmor.d/profiles-a-f/exo-helper @@ -53,3 +53,5 @@ profile exo-helper @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/exo-open b/apparmor.d/profiles-a-f/exo-open index ebdf097a2..7d265e566 100644 --- a/apparmor.d/profiles-a-f/exo-open +++ b/apparmor.d/profiles-a-f/exo-open @@ -31,3 +31,5 @@ profile exo-open @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/f3brew b/apparmor.d/profiles-a-f/f3brew index b1ad450af..8572f369c 100644 --- a/apparmor.d/profiles-a-f/f3brew +++ b/apparmor.d/profiles-a-f/f3brew @@ -16,3 +16,5 @@ profile f3brew @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/f3fix b/apparmor.d/profiles-a-f/f3fix index f31f6cfe3..a5d327e72 100644 --- a/apparmor.d/profiles-a-f/f3fix +++ b/apparmor.d/profiles-a-f/f3fix 
@@ -12,53 +12,33 @@ profile f3fix @{exec_path} {
 include
 include
- # To remove the following errors:
- # Error: Partition(s) * on /dev/sdb have been written, but we have been unable to inform the
- # kernel of the change, probably because it/they are in use. As a result, the old partition(s)
- # will remain in use. You should reboot now before making further changes.
 capability sys_admin,
-
- # Needed? (##FIXME##)
 capability sys_rawio,
- # Needed?
- ptrace (read),
+ ptrace read,
 @{exec_path} mr,
- @{sh_path} rix,
+ @{sh_path} rix,
 @{bin}/dmidecode rPx,
+ @{bin}/udevadm rCx -> udevadm,
- @{bin}/udevadm rCx -> udevadm,
-
- owner @{PROC}/@{pid}/mounts r,
 @{PROC}/swaps r,
+ owner @{PROC}/@{pid}/mounts r,
 profile udevadm {
 include
+ include
+ include
- ptrace (read),
-
- @{bin}/udevadm mr,
-
- /etc/udev/udev.conf r,
-
- owner @{PROC}/@{pid}/stat r,
- owner @{PROC}/@{pid}/cgroup r,
- @{PROC}/cmdline r,
- @{PROC}/1/sched r,
- @{PROC}/1/environ r,
- @{PROC}/sys/kernel/osrelease r,
- @{PROC}/sys/kernel/random/boot_id r,
-
- @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
-
- # file_inherit
- /dev/sd[a-z]* rw,
+ ptrace read,
+ include if exists
 }
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/f3probe b/apparmor.d/profiles-a-f/f3probe
index 684901944..c7843c91f 100644
--- a/apparmor.d/profiles-a-f/f3probe
+++ b/apparmor.d/profiles-a-f/f3probe
@@ -17,3 +17,5 @@ profile f3probe @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/f3read b/apparmor.d/profiles-a-f/f3read
index 03b9e1a13..a25e7e0cc 100644
--- a/apparmor.d/profiles-a-f/f3read
+++ b/apparmor.d/profiles-a-f/f3read
@@ -26,3 +26,5 @@ profile f3read @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/f3write b/apparmor.d/profiles-a-f/f3write
index 4c3a67047..25282dff8 100644
--- a/apparmor.d/profiles-a-f/f3write
+++ b/apparmor.d/profiles-a-f/f3write
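Review bot: In the f3fix hunk `capability sys_rawio,` and `ptrace read,` keep their grants but lose the `# Needed? (##FIXME##)` / `# Needed?` markers that flagged them as unverified, so the profile now reads as if both were confirmed when nothing in the change shows the denial that required them. CAP_SYS_RAWIO is a broad grant (raw block-device and port I/O) for a tool whose job is rewriting a partition table, and `ptrace read` lets the process read other processes' /proc state; either restore a hedged marker such as `# sys_rawio / ptrace read: unverified, inherited from the original profile (##FIXME##)` or drop them and re-test in complain mode. The long comment explaining why `capability sys_admin` is needed (informing the kernel of the rewritten partition table) was also deleted; that justification is worth keeping in one line. The rewritten `udevadm` child profile now depends on abstractions whose names are not preserved in this view and no longer carries the old `/dev/sd[a-z]* rw` file_inherit rule, so it is worth confirming that udevadm does not still inherit and touch the block-device fd, or that the abstraction covers it.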
@@ -30,3 +30,5 @@ profile f3write @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fail2ban-client b/apparmor.d/profiles-a-f/fail2ban-client index 11d38537d..23fd61125 100644 --- a/apparmor.d/profiles-a-f/fail2ban-client +++ b/apparmor.d/profiles-a-f/fail2ban-client @@ -20,4 +20,6 @@ profile fail2ban-client @{exec_path} flags=(attach_disconnected) { /etc/fail2ban/{,**} r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index f023a04b3..2706c8e43 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -39,4 +39,6 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fatlabel b/apparmor.d/profiles-a-f/fatlabel index fb65aa386..df95d83c0 100644 --- a/apparmor.d/profiles-a-f/fatlabel +++ b/apparmor.d/profiles-a-f/fatlabel @@ -16,3 +16,5 @@ profile fatlabel @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fatresize b/apparmor.d/profiles-a-f/fatresize index 08d5124ae..b94e0e49c 100644 --- a/apparmor.d/profiles-a-f/fatresize +++ b/apparmor.d/profiles-a-f/fatresize 
@@ -12,51 +12,30 @@ profile fatresize @{exec_path} {
 include
 include
- # Needed to inform the system of newly created/removed partitions
- # ioctl(3, BLKFLSBUF) = -1 EACCES (Permission denied)
 capability sys_admin,
-
- # Needed? (##FIXME##)
 capability sys_rawio,
- # Needed?
- ptrace (read),
+ ptrace read,
 @{exec_path} mr,
- @{sh_path} rix,
+ @{sh_path} rix,
 @{bin}/dmidecode rPx,
+ @{bin}/udevadm rCx -> udevadm,
- @{bin}/udevadm rCx -> udevadm,
-
- owner @{PROC}/@{pid}/mounts r,
 @{PROC}/swaps r,
-
+ owner @{PROC}/@{pid}/mounts r,
 profile udevadm {
 include
+ include
+ include
- ptrace (read),
-
- @{bin}/udevadm mr,
-
- /etc/udev/udev.conf r,
-
- owner @{PROC}/@{pid}/stat r,
- owner @{PROC}/@{pid}/cgroup r,
- @{PROC}/cmdline r,
- @{PROC}/1/sched r,
- @{PROC}/1/environ r,
- @{PROC}/sys/kernel/osrelease r,
- @{PROC}/sys/kernel/random/boot_id r,
-
- @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
-
- # file_inherit
- /dev/{s,v}d[a-z]* rw,
-
+ include if exists
 }
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/fdisk b/apparmor.d/profiles-a-f/fdisk
index cfc99a31a..815e3bc76 100644
--- a/apparmor.d/profiles-a-f/fdisk
+++ b/apparmor.d/profiles-a-f/fdisk
@@ -35,3 +35,5 @@ profile fdisk @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/ffmpeg b/apparmor.d/profiles-a-f/ffmpeg
index 3bc1fecfb..864becf32 100644
--- a/apparmor.d/profiles-a-f/ffmpeg
+++ b/apparmor.d/profiles-a-f/ffmpeg
@@ -40,3 +40,5 @@ profile ffmpeg @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/ffmpegthumbnailer b/apparmor.d/profiles-a-f/ffmpegthumbnailer
new file mode 100644
index 000000000..34d37e759
--- /dev/null
+++ b/apparmor.d/profiles-a-f/ffmpegthumbnailer
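Review bot: The fatresize hunk deletes the one comment that actually justified a capability, `# ioctl(3, BLKFLSBUF) = -1 EACCES`, which documented why `capability sys_admin` is granted; that evidence should survive as a single line, e.g. `# sys_admin: BLKFLSBUF ioctl to re-read the partition table after a resize`. At the same time `capability sys_rawio,` and `ptrace read,` keep their grants while their `# Needed?` markers are removed, so two unverified, high-impact permissions now look deliberate; keep a hedged marker or remove them and re-test in complain mode. As in the f3fix hunk above, the `udevadm` child profile drops the explicit `/dev/{s,v}d[a-z]* rw` file_inherit rule in favour of abstractions whose names are not visible in this rendering, so confirm the inherited block-device fd is handled (or is no longer inherited) before this moves to enforce mode.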
@@ -0,0 +1,17 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 valoq
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/ffmpegthumbnailer
+profile ffmpegthumbnailer @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-a-f/ffplay b/apparmor.d/profiles-a-f/ffplay
index 528ebb6f2..0615d1042 100644
--- a/apparmor.d/profiles-a-f/ffplay
+++ b/apparmor.d/profiles-a-f/ffplay
@@ -34,3 +34,5 @@ profile ffplay @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/ffprobe b/apparmor.d/profiles-a-f/ffprobe
index 97400e7b2..f5448d7ef 100644
--- a/apparmor.d/profiles-a-f/ffprobe
+++ b/apparmor.d/profiles-a-f/ffprobe
@@ -24,3 +24,5 @@ profile ffprobe @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller
index de0479a3b..4e432e2f1 100644
--- a/apparmor.d/profiles-a-f/file-roller
+++ b/apparmor.d/profiles-a-f/file-roller
@@ -42,4 +42,6 @@ profile file-roller @{exec_path} {
 owner @{PROC}/@{pid}/mountinfo r,
 include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/filecap b/apparmor.d/profiles-a-f/filecap
index 65c83bf90..afad4070c 100644
--- a/apparmor.d/profiles-a-f/filecap
+++ b/apparmor.d/profiles-a-f/filecap
@@ -29,3 +29,5 @@ profile filecap @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/findmnt b/apparmor.d/profiles-a-f/findmnt
index 663e40251..7fb7c9e1b 100644
--- a/apparmor.d/profiles-a-f/findmnt
+++ b/apparmor.d/profiles-a-f/findmnt
@@ -14,6 +14,7 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) {
 include
 capability dac_read_search,
+ capability sys_rawio,
 @{exec_path} mr,
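Review bot: The new ffmpegthumbnailer profile has no explicit rule for the media it reads, no rule for the thumbnail it writes, no explicit network denial and no comment on its threat model, even though a thumbnailer runs ffmpeg demuxers on untrusted files the user merely browsed to. Whatever the two abstractions (names not preserved in this rendering) bring in, the intent should be written down so a later "fix the denial" edit does not widen it by accident: `# Parses untrusted media: no network, no exec, writes only the output thumbnail`, plus `deny network,` if the includes do not already withhold it (ffmpeg can open remote inputs, but a local-file thumbnailer should never need that). Compare evince-thumbnailer earlier in this diff, which pins its output with `owner @{tmp}/gnome-desktop-thumbnailer.png w`; the equivalent output rule is absent here, so the write location is presumably granted by an abstraction or will surface as a denial.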
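Review bot: `capability sys_rawio,` is a large grant for findmnt, a tool that only lists and verifies mount tables, and the hunk carries no comment on which operation needed it; CAP_SYS_RAWIO covers raw block-device ioctls and port I/O, so it should at least be justified inline, e.g. `# sys_rawio: block-device probing via libblkid (findmnt --verify) - confirm`. The profile is still `flags=(complain)`, so the denial that prompted this was logged, not enforced; before the profile moves to enforce, check whether findmnt actually fails without the capability, since such ioctl attempts are often best-effort and the tool works fine with the denial. If it is best-effort, `deny capability sys_rawio,` is the tighter fix and still silences the log. The findmnt profile's second hunk continues past this point.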
@@ -26,4 +27,6 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) { deny unix (receive) type=stream, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg index deacc3e77..c470d068a 100644 --- a/apparmor.d/profiles-a-f/firecfg +++ b/apparmor.d/profiles-a-f/firecfg @@ -39,3 +39,5 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld index 4e40ab10b..143719f0d 100644 --- a/apparmor.d/profiles-a-f/firewalld +++ b/apparmor.d/profiles-a-f/firewalld @@ -77,4 +77,6 @@ profile firewalld @{exec_path} { owner @{PROC}/@{pids}/net/ip_tables_names r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/flameshot b/apparmor.d/profiles-a-f/flameshot index 666245156..877e42912 100644 --- a/apparmor.d/profiles-a-f/flameshot +++ b/apparmor.d/profiles-a-f/flameshot @@ -51,7 +51,6 @@ profile flameshot @{exec_path} { owner @{tmp}/.@{rand8}/** rw, owner /dev/shm/#@{int} rw, - @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, @@ -59,3 +58,5 @@ profile flameshot @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak index 81b60a200..4d3220a08 100644 --- a/apparmor.d/profiles-a-f/flatpak +++ b/apparmor.d/profiles-a-f/flatpak @@ -136,3 +136,5 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app index 9d06b4595..41d72d143 100644 --- a/apparmor.d/profiles-a-f/flatpak-app +++ b/apparmor.d/profiles-a-f/flatpak-app 
@@ -78,7 +78,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/{,**} r, /var/lib/flatpak/exports/** rw, - /var/tmp/etilqs_@{hex} rw, + /var/tmp/etilqs_@{hex16} rw, @{run}/.userns r, @{run}/parent/** r, @@ -94,3 +94,5 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { include if exists include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/flatpak-oci-authenticator b/apparmor.d/profiles-a-f/flatpak-oci-authenticator index e01ee3c4f..9b379b55d 100644 --- a/apparmor.d/profiles-a-f/flatpak-oci-authenticator +++ b/apparmor.d/profiles-a-f/flatpak-oci-authenticator @@ -16,4 +16,6 @@ profile flatpak-oci-authenticator @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/flatpak-portal b/apparmor.d/profiles-a-f/flatpak-portal index d82c38653..570a3ea8c 100644 --- a/apparmor.d/profiles-a-f/flatpak-portal +++ b/apparmor.d/profiles-a-f/flatpak-portal @@ -34,6 +34,9 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { / r, /.flatpak-info r, + owner @{HOME}/.var/app/*/**/.ref rw, + owner @{HOME}/.var/app/*/**/logs/* rw, + owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_share_dirs}/mime/mime.cache r, @@ -41,4 +44,6 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/.flatpak/@{int}-private/* r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/profiles-a-f/flatpak-session-helper index 967787b3d..d27d0c24a 100644 --- a/apparmor.d/profiles-a-f/flatpak-session-helper +++ b/apparmor.d/profiles-a-f/flatpak-session-helper @@ -45,4 +45,6 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { /dev/ptmx rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper index cb49cd9d7..81a1231cb 100644 --- a/apparmor.d/profiles-a-f/flatpak-system-helper +++ b/apparmor.d/profiles-a-f/flatpak-system-helper @@ -73,3 +73,5 @@ profile flatpak-system-helper @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/flatpak-validate-icon b/apparmor.d/profiles-a-f/flatpak-validate-icon index c5ca0488f..7669bb1e6 100644 --- a/apparmor.d/profiles-a-f/flatpak-validate-icon +++ b/apparmor.d/profiles-a-f/flatpak-validate-icon @@ -13,4 +13,6 @@ profile flatpak-validate-icon @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index dedf342e4..8498285d1 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -68,4 +68,6 @@ profile foliate @{exec_path} flags=(attach_disconnected) { deny @{user_share_dirs}/gvfs-metadata/* r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager index 2082dcfaa..6d7096ad7 100644 --- a/apparmor.d/profiles-a-f/font-manager +++ b/apparmor.d/profiles-a-f/font-manager @@ -62,3 +62,5 @@ profile font-manager @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fping b/apparmor.d/profiles-a-f/fping index 5b9efa624..5d30e4522 100644 --- a/apparmor.d/profiles-a-f/fping +++ b/apparmor.d/profiles-a-f/fping @@ -26,3 +26,5 @@ profile fping @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 2fc866c6b..d856867a3 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd 
@@ -37,3 +37,5 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 5e7d3d3b4..c6355c2ff 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -40,4 +40,6 @@ profile fractal @{exec_path} flags=(attach_disconnected) { /dev/ r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/freefall b/apparmor.d/profiles-a-f/freefall index 638baa825..0499beb0a 100644 --- a/apparmor.d/profiles-a-f/freefall +++ b/apparmor.d/profiles-a-f/freefall @@ -25,3 +25,5 @@ profile freefall @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fritzing b/apparmor.d/profiles-a-f/fritzing index e1ddc2f2b..3e3dde2e9 100644 --- a/apparmor.d/profiles-a-f/fritzing +++ b/apparmor.d/profiles-a-f/fritzing @@ -68,3 +68,5 @@ profile fritzing @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend index 664b43b40..eb90c18d6 100644 --- a/apparmor.d/profiles-a-f/frontend +++ b/apparmor.d/profiles-a-f/frontend @@ -125,3 +125,5 @@ profile frontend @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/profiles-a-f/fsck index 6341954ae..d04b32e96 100644 --- a/apparmor.d/profiles-a-f/fsck +++ b/apparmor.d/profiles-a-f/fsck @@ -40,3 +40,5 @@ profile fsck @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fsck.btrfs b/apparmor.d/profiles-a-f/fsck.btrfs index 7142f9cf1..470b5a3d3 100644 --- a/apparmor.d/profiles-a-f/fsck.btrfs +++ b/apparmor.d/profiles-a-f/fsck.btrfs @@ -19,3 +19,5 @@ profile fsck.btrfs @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-a-f/fsck.fat b/apparmor.d/profiles-a-f/fsck.fat index 6b5567d7d..c188574ee 100644 --- a/apparmor.d/profiles-a-f/fsck.fat +++ b/apparmor.d/profiles-a-f/fsck.fat @@ -22,3 +22,5 @@ profile fsck.fat @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fuse-overlayfs b/apparmor.d/profiles-a-f/fuse-overlayfs index fb957c462..643371c60 100644 --- a/apparmor.d/profiles-a-f/fuse-overlayfs +++ b/apparmor.d/profiles-a-f/fuse-overlayfs @@ -28,4 +28,6 @@ profile fuse-overlayfs @{exec_path} { /dev/fuse rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fuseiso b/apparmor.d/profiles-a-f/fuseiso index 01893d9c0..e4d6cfd99 100644 --- a/apparmor.d/profiles-a-f/fuseiso +++ b/apparmor.d/profiles-a-f/fuseiso @@ -62,3 +62,5 @@ profile fuseiso @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount index 83d8e8092..6774ffa96 100644 --- a/apparmor.d/profiles-a-f/fusermount +++ b/apparmor.d/profiles-a-f/fusermount @@ -55,3 +55,5 @@ profile fusermount @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 57e006500..316f6ebdd 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -65,7 +65,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { /var/lib/flatpak/exports/share/mime/mime.cache r, /var/lib/fwupd/{,**} rw, /var/lib/fwupd/pending.db rwk, - /var/tmp/etilqs_@{hex} rw, + /var/tmp/etilqs_@{hex16} rw, /boot/{,**} r, /boot/EFI/*/.goutputstream-@{rand6} rw, @@ -148,3 +148,5 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 7315c550f..6064c0ff1 100644 
--- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -66,3 +66,5 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index 361f6c7c0..5888743ef 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -138,3 +138,5 @@ profile gajim @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/ganyremote b/apparmor.d/profiles-g-l/ganyremote index 36cb8f90b..7db7a5cb8 100644 --- a/apparmor.d/profiles-g-l/ganyremote +++ b/apparmor.d/profiles-g-l/ganyremote @@ -94,3 +94,5 @@ profile ganyremote @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gconfd b/apparmor.d/profiles-g-l/gconfd index 03544d354..5dffe8a0c 100644 --- a/apparmor.d/profiles-g-l/gconfd +++ b/apparmor.d/profiles-g-l/gconfd @@ -22,3 +22,5 @@ profile gconfd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gdisk b/apparmor.d/profiles-g-l/gdisk index 13cf3e41e..8c3662ba1 100644 --- a/apparmor.d/profiles-g-l/gdisk +++ b/apparmor.d/profiles-g-l/gdisk @@ -32,3 +32,5 @@ profile gdisk @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders index cce69937f..a01425bb9 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders @@ -24,4 +24,6 @@ profile gdk-pixbuf-query-loaders @{exec_path} { /usr/share/gvfs/remote-volume-monitors/{,**} r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/ghc-pkg b/apparmor.d/profiles-g-l/ghc-pkg index f4518370e..8fdffbf87 100644 --- a/apparmor.d/profiles-g-l/ghc-pkg +++ b/apparmor.d/profiles-g-l/ghc-pkg 
@@ -27,4 +27,6 @@ profile ghc-pkg @{exec_path} { @{sys}/devices/system/node/ r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gio-querymodules b/apparmor.d/profiles-g-l/gio-querymodules index a8ba53f4f..3520ec06e 100644 --- a/apparmor.d/profiles-g-l/gio-querymodules +++ b/apparmor.d/profiles-g-l/gio-querymodules @@ -22,4 +22,6 @@ profile gio-querymodules @{exec_path} flags=(attach_disconnected) { deny network inet6 stream, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 0944759cf..c92f18656 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -180,3 +180,5 @@ profile git @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index f0b837c6a..da5566f9f 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -25,3 +25,5 @@ profile gitstatusd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/glib-compile-resources b/apparmor.d/profiles-g-l/glib-compile-resources index 6062bbff2..45e787840 100644 --- a/apparmor.d/profiles-g-l/glib-compile-resources +++ b/apparmor.d/profiles-g-l/glib-compile-resources @@ -20,3 +20,5 @@ profile glib-compile-resources @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas index 476b4ebfc..a9004c22f 100644 --- a/apparmor.d/profiles-g-l/glib-compile-schemas +++ b/apparmor.d/profiles-g-l/glib-compile-schemas @@ -29,3 +29,5 @@ profile glib-compile-schemas @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/glib-pacrunner b/apparmor.d/profiles-g-l/glib-pacrunner index 13ae9222f..e3dfec88c 100644 
--- a/apparmor.d/profiles-g-l/glib-pacrunner +++ b/apparmor.d/profiles-g-l/glib-pacrunner @@ -28,3 +28,5 @@ profile glib-pacrunner @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/globaltime b/apparmor.d/profiles-g-l/globaltime index 4d3027ac0..566f58ee3 100644 --- a/apparmor.d/profiles-g-l/globaltime +++ b/apparmor.d/profiles-g-l/globaltime @@ -25,3 +25,5 @@ profile globaltime @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/glxgears b/apparmor.d/profiles-g-l/glxgears index 321aaa702..9ad458720 100644 --- a/apparmor.d/profiles-g-l/glxgears +++ b/apparmor.d/profiles-g-l/glxgears @@ -28,3 +28,5 @@ profile glxgears @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/glxinfo b/apparmor.d/profiles-g-l/glxinfo index a13a22e7eb..7defbaf80 100644 --- a/apparmor.d/profiles-g-l/glxinfo +++ b/apparmor.d/profiles-g-l/glxinfo @@ -21,3 +21,5 @@ profile glxinfo @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gpa b/apparmor.d/profiles-g-l/gpa index 566bd7815..9ed18534e 100644 --- a/apparmor.d/profiles-g-l/gpa +++ b/apparmor.d/profiles-g-l/gpa @@ -53,3 +53,5 @@ profile gpa @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted index 1e6be52c8..f225b5c06 100644 --- a/apparmor.d/profiles-g-l/gparted +++ b/apparmor.d/profiles-g-l/gparted @@ -60,16 +60,10 @@ profile gparted @{exec_path} { profile udevadm { include - include + include - @{bin}/udevadm mr, - - /etc/udev/udev.conf r, - - @{sys}/** r, @{sys}/devices/virtual/block/**/uevent rw, @{sys}/devices/@{pci}/block/**/uevent rw, - @{run}/udev/data/* r, include if exists } @@ -104,3 +98,5 @@ profile gparted @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin
index ede60499d..b60e386bb 100644
--- a/apparmor.d/profiles-g-l/gpartedbin
+++ b/apparmor.d/profiles-g-l/gpartedbin
@@ -7,30 +7,26 @@ abi ,
 include
-@{exec_path} = @{bin}/gpartedbin
-@{exec_path} += @{lib}/gpartedbin
-@{exec_path} += @{lib}/gparted/gpartedbin
+@{exec_path} = @{bin}/gpartedbin @{lib}/{,gparted/}gpartedbin
 profile gpartedbin @{exec_path} {
 include
 include
+ include
 include
 include
- include
- include
- include
 capability dac_read_search,
 capability ipc_lock,
 capability sys_admin,
 capability sys_rawio,
- ptrace (read),
+ ptrace read,
- signal (send) peer=mke2fs,
+ signal send peer=mke2fs,
 @{exec_path} mr,
- @{sh_path} rix,
+ @{sh_path} rix,
 @{bin}/blkid rPx,
 @{bin}/dmidecode rPx,
@@ -84,29 +80,21 @@ profile gpartedbin @{exec_path} {
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
- /dev/mapper/control rw,
-
 profile mount {
 include
+ include
 capability sys_admin,
- mount /dev/{s,v}d[a-z]*[0-9]* -> /tmp/gparted-*/,
+ mount /dev/{s,v}d[a-z]*@{int} -> /tmp/gparted-*/,
- mount /dev/{s,v}d[a-z]*[0-9]* -> /boot/,
- mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/,
- mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
+ mount /dev/{s,v}d[a-z]*@{int} -> /boot/,
+ mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/,
+ mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/*/,
 @{bin}/mount mr,
- @{sys}/devices/@{pci}/block/{s,v}d[a-z]/ r,
- @{sys}/devices/@{pci}/block/{s,v}d[a-z]/dev r,
- @{sys}/devices/@{pci}/block/{s,v}d[a-z]/{s,v}d[a-z][0-9]*/ r,
- @{sys}/devices/@{pci}/block/{s,v}d[a-z]/{s,v}d[a-z][0-9]*/{start,size} r,
-
- /dev/{s,v}d[a-z]* r,
- /dev/{s,v}d[a-z]*[0-9]* r,
-
+ include if exists
 }
 profile umount {
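Review bot: The mount-source glob `/dev/{s,v}d[a-z]*@{int}` in the `mount` child profile is not the tightening it looks like: `*` already matches digits, so `@{int}` only adds a must-end-in-a-digit requirement, which drops whole-disk filesystems such as `/dev/sdb` that the old `[0-9]*` (zero or more digits) accepted, while neither form covers NVMe (`/dev/nvme0n1p1`) or MMC (`/dev/mmcblk0p1`) partitions, so gparted's mount step stays denied on those machines. If partitions-only is the intent, write `/dev/{s,v}d[a-z]@{int}` and say so in a comment; if whole disks should remain mountable, `/dev/{s,v}d[a-z]*` is sufficient and the suffix is noise. Either way consider adding `/dev/nvme@{int}n@{int}p@{int}` and `/dev/mmcblk@{int}p@{int}` as sources, since the targets (`/tmp/gparted-*/`, `/boot/`, `@{MOUNTS}/`) are the same. The `/dev/{s,v}d[a-z]* r,` and sysfs reads removed here are presumably now supplied by the added include, whose name is stripped on this page, which is worth confirming before merge.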
@@ -128,29 +116,18 @@ profile gpartedbin @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, + include if exists } profile udevadm { include + include include - ptrace (read), - - @{bin}/udevadm mr, - - /etc/udev/udev.conf r, - - @{PROC}/1/environ r, - @{PROC}/1/sched r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/random/boot_id r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/stat r, - - /dev/mapper/control rw, - + include if exists } include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gpasswd b/apparmor.d/profiles-g-l/gpasswd index 150b7b499..11c1e9767 100644 --- a/apparmor.d/profiles-g-l/gpasswd +++ b/apparmor.d/profiles-g-l/gpasswd @@ -44,3 +44,5 @@ profile gpasswd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gping b/apparmor.d/profiles-g-l/gping index e629ab584..956a1781f 100644 --- a/apparmor.d/profiles-g-l/gping +++ b/apparmor.d/profiles-g-l/gping @@ -16,4 +16,6 @@ profile gping @{exec_path} { @{bin}/ping rPx, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index da33f7bca..97c89a433 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -31,16 +31,18 @@ profile gpo @{exec_path} { @{bin}/less rPx -> child-pager, @{bin}/more rPx -> child-pager, - owner @{PROC}/@{pid}/fd/ r, + /etc/inputrc r, + + /usr/share/gpodder/extensions/{,*.py} r, owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - /usr/share/gpodder/extensions/{,*.py} r, + owner /var/tmp/etilqs_@{hex16} rw, - /etc/inputrc r, - - owner /var/tmp/etilqs_@{hex} rw, + owner @{PROC}/@{pid}/fd/ r, include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index 60fe931f3..10b8492e9 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder 
@@ -10,14 +10,12 @@ include @{exec_path} = @{bin}/gpodder profile gpodder @{exec_path} { include - include - include + include include - include - include include - include + include include + include network inet dgram, network inet6 dgram, @@ -32,64 +30,32 @@ profile gpodder @{exec_path} { @{sh_path} rix, @{bin}/uname rix, - owner @{HOME}/ r, - owner @{HOME}/gPodder/ rw, - owner @{HOME}/gPodder/** rwk, - - /usr/share/gpodder/{,**} r, - - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/mountinfo r, - - /etc/fstab r, - - owner /var/tmp/etilqs_@{hex} rw, - - /etc/mime.types r, - - /usr/share/*/*.desktop r, - - @{bin}/xdg-settings rPUx, - - @{bin}/xdg-open rCx -> open, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + @{bin}/xdg-settings rPx, + @{open_path} rPx -> child-open, # A/V players @{bin}/smplayer rPUx, @{bin}/vlc rPUx, @{bin}/mpv rPUx, - # Open in a web browser - @{lib}/firefox/firefox rPUx, + /usr/share/gpodder/{,**} r, + + /etc/fstab r, + /etc/mime.types r, + + owner @{HOME}/ r, + owner @{HOME}/gPodder/ rw, + owner @{HOME}/gPodder/** rwk, + + owner /var/tmp/etilqs_@{hex16} rw, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/mountinfo r, - # file_inherit owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gpodder-migrate2tres b/apparmor.d/profiles-g-l/gpodder-migrate2tres index 0c048b19e..f8e2c73f4 100644 --- a/apparmor.d/profiles-g-l/gpodder-migrate2tres +++ b/apparmor.d/profiles-g-l/gpodder-migrate2tres 
@@ -26,3 +26,5 @@ profile gpodder-migrate2tres @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 9177b7b3c..4444662fc 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager @@ -33,4 +33,6 @@ profile gpu-manager @{exec_path} { @{PROC}/cmdline r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/groupadd b/apparmor.d/profiles-g-l/groupadd index b0fd33c5c..4c6e80c59 100644 --- a/apparmor.d/profiles-g-l/groupadd +++ b/apparmor.d/profiles-g-l/groupadd @@ -37,3 +37,5 @@ profile groupadd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/groupdel b/apparmor.d/profiles-g-l/groupdel index 1d7ecb4bc..a28fb72f7 100644 --- a/apparmor.d/profiles-g-l/groupdel +++ b/apparmor.d/profiles-g-l/groupdel @@ -40,3 +40,5 @@ profile groupdel @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/groupmod b/apparmor.d/profiles-g-l/groupmod index acb53e6ff..a37273af6 100644 --- a/apparmor.d/profiles-g-l/groupmod +++ b/apparmor.d/profiles-g-l/groupmod @@ -41,3 +41,5 @@ profile groupmod @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/groups b/apparmor.d/profiles-g-l/groups index 625632e73..4c0f07d87 100644 --- a/apparmor.d/profiles-g-l/groups +++ b/apparmor.d/profiles-g-l/groups @@ -15,9 +15,9 @@ profile groups @{exec_path} { @{exec_path} mr, - @{PROC}/sys/kernel/random/boot_id r, - /dev/tty@{int} rw, include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/grpck b/apparmor.d/profiles-g-l/grpck index 190322e3f..3e42f90c7 100644 --- a/apparmor.d/profiles-g-l/grpck +++ b/apparmor.d/profiles-g-l/grpck @@ -34,3 +34,5 @@ profile grpck @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 17671f735..cd7ce37ce 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -26,3 +26,5 @@ profile gsettings @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gsimplecal b/apparmor.d/profiles-g-l/gsimplecal index d1b6994e4..ba7ba4da4 100644 --- a/apparmor.d/profiles-g-l/gsimplecal +++ b/apparmor.d/profiles-g-l/gsimplecal @@ -18,3 +18,5 @@ profile gsimplecal @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gsmartcontrol b/apparmor.d/profiles-g-l/gsmartcontrol index 6c4038e4a..f6f6b300f 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol +++ b/apparmor.d/profiles-g-l/gsmartcontrol @@ -110,3 +110,5 @@ profile gsmartcontrol @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gsmartcontrol-root b/apparmor.d/profiles-g-l/gsmartcontrol-root index f5a817f6b..01b7d22e1 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol-root +++ b/apparmor.d/profiles-g-l/gsmartcontrol-root @@ -21,3 +21,5 @@ profile gsmartcontrol-root @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gssproxy b/apparmor.d/profiles-g-l/gssproxy index ca6b34ccf..6a16d1dc7 100644 --- a/apparmor.d/profiles-g-l/gssproxy +++ b/apparmor.d/profiles-g-l/gssproxy @@ -25,4 +25,6 @@ profile gssproxy @{exec_path} { owner @{PROC}/@{pids}/net/rpc/use-gss-proxy rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules index eee4f7e51..e67def6d2 100644 --- a/apparmor.d/profiles-g-l/gtk-query-immodules +++ b/apparmor.d/profiles-g-l/gtk-query-immodules 
@@ -23,4 +23,6 @@ profile gtk-query-immodules @{exec_path} { deny network inet stream, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache index 917332e3d..a91dc3069 100644 --- a/apparmor.d/profiles-g-l/gtk-update-icon-cache +++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache @@ -24,3 +24,5 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gtk-youtube-viewer b/apparmor.d/profiles-g-l/gtk-youtube-viewer index 9f3e50df2..96b114461 100644 --- a/apparmor.d/profiles-g-l/gtk-youtube-viewer +++ b/apparmor.d/profiles-g-l/gtk-youtube-viewer @@ -119,3 +119,5 @@ profile gtk-youtube-viewer @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index 02dd62dcd..02ac63e6f 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -197,3 +197,5 @@ profile hardinfo @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index 2e5471085..ff3870880 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged @@ -29,3 +29,5 @@ profile haveged @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hbbr b/apparmor.d/profiles-g-l/hbbr index f2150ba95..78c15672b 100644 --- a/apparmor.d/profiles-g-l/hbbr +++ b/apparmor.d/profiles-g-l/hbbr @@ -23,3 +23,5 @@ profile hbbr @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hbbs b/apparmor.d/profiles-g-l/hbbs index 783ee97a2..69ac0cc8c 100644 --- a/apparmor.d/profiles-g-l/hbbs +++ b/apparmor.d/profiles-g-l/hbbs @@ -28,3 +28,5 @@ profile hbbs @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-g-l/hciconfig b/apparmor.d/profiles-g-l/hciconfig index a1bd70d14..eb0319c5f 100644 --- a/apparmor.d/profiles-g-l/hciconfig +++ b/apparmor.d/profiles-g-l/hciconfig @@ -20,3 +20,5 @@ profile hciconfig @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hddtemp b/apparmor.d/profiles-g-l/hddtemp index efc3bbcb6..e0be907a6 100644 --- a/apparmor.d/profiles-g-l/hddtemp +++ b/apparmor.d/profiles-g-l/hddtemp @@ -38,3 +38,5 @@ profile hddtemp @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hdparm b/apparmor.d/profiles-g-l/hdparm index 4abb330e9..f29bc1c20 100644 --- a/apparmor.d/profiles-g-l/hdparm +++ b/apparmor.d/profiles-g-l/hdparm @@ -34,3 +34,5 @@ profile hdparm @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hexchat b/apparmor.d/profiles-g-l/hexchat index a802ea639..aaa550dfc 100644 --- a/apparmor.d/profiles-g-l/hexchat +++ b/apparmor.d/profiles-g-l/hexchat @@ -52,3 +52,5 @@ profile hexchat @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/highlight b/apparmor.d/profiles-g-l/highlight index 4a5ef1402..fb90c4475 100644 --- a/apparmor.d/profiles-g-l/highlight +++ b/apparmor.d/profiles-g-l/highlight @@ -20,3 +20,5 @@ profile highlight @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host index d063bf167..5894c85a0 100644 --- a/apparmor.d/profiles-g-l/host +++ b/apparmor.d/profiles-g-l/host @@ -27,3 +27,5 @@ profile host @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hostname b/apparmor.d/profiles-g-l/hostname index d0c1cc18c..efda5b4a8 100644 --- a/apparmor.d/profiles-g-l/hostname +++ b/apparmor.d/profiles-g-l/hostname 
@@ -25,3 +25,5 @@ profile hostname @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop index 9c56a9986..d06991025 100644 --- a/apparmor.d/profiles-g-l/htop +++ b/apparmor.d/profiles-g-l/htop @@ -136,3 +136,5 @@ profile htop @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hugeadm b/apparmor.d/profiles-g-l/hugeadm index 858f2740a..731483cf6 100644 --- a/apparmor.d/profiles-g-l/hugeadm +++ b/apparmor.d/profiles-g-l/hugeadm @@ -59,3 +59,5 @@ profile hugeadm @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index b3222265d..fcb585020 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -45,4 +45,6 @@ profile hugo @{exec_path} { @{PROC}/sys/net/core/somaxconn r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 8c179e0d9..7c6b87b6c 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -8,9 +8,10 @@ abi , include @{exec_path} = @{bin}/hw-probe -profile hw-probe @{exec_path} { +profile hw-probe @{exec_path} flags=(attach_disconnected) { include include + include capability sys_admin, 
@@ -20,111 +21,134 @@ profile hw-probe @{exec_path} { @{exec_path} rm, @{bin}/perl r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{m,g,}awk rix, - @{bin}/dd rix, - @{bin}/efibootmgr rix, - @{bin}/efivar rix, - @{bin}/md5sum rix, - @{bin}/pwd rix, - @{bin}/sleep rix, - @{bin}/tar rix, - @{bin}/uname rix, - - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/dpkg rPx -> child-dpkg, - - @{bin}/acpi rPx, - @{bin}/amixer rPx, - @{bin}/aplay rPx, - @{bin}/biosdecode rPx, - @{bin}/cpuid rPx, - @{bin}/cpupower rPx, - @{bin}/df rPx, - @{bin}/dkms rPx, - @{bin}/dmesg rPx, - @{bin}/dmidecode rPx, - @{bin}/edid-decode rPx, - @{bin}/fdisk rPx, - @{bin}/glxgears rPx, - @{bin}/glxinfo rPx, - @{bin}/hciconfig rPx, - @{bin}/hdparm rPx, - @{bin}/hwinfo rPx, - @{bin}/i2cdetect rPx, - @{bin}/inxi rPx, - @{bin}/lsblk rPx, - @{bin}/lscpu rPx, - @{bin}/lspci rPx, - @{bin}/lsusb rPx, - @{bin}/memtester rPx, - @{bin}/rfkill rPx, - @{bin}/sensors rPx, - @{bin}/smartctl rPx, - @{bin}/upower rPx, - @{bin}/uptime rPx, - @{bin}/usb-devices rPx, - @{bin}/xdpyinfo rPx, - @{bin}/xinput rPx, - @{bin}/xrandr rPx, + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/dd rix, + @{bin}/efibootmgr rix, + @{bin}/efivar rix, + @{bin}/find rix, + @{bin}/md5sum rix, + @{bin}/pwd rix, + @{bin}/sleep rix, + @{bin}/sort rix, + @{bin}/tar rix, + @{bin}/uname rix, + @{bin}/acpi rPx, + @{bin}/amixer rPx, + @{bin}/aplay rPx, + @{bin}/biosdecode rPx, + @{bin}/cpuid rPx, + @{bin}/cpupower rPx, @{bin}/curl rCx -> curl, + @{bin}/df rPx, + @{bin}/dkms rPx, + @{bin}/dmesg rPx, + @{bin}/dmidecode rPx, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/edid-decode rPx, @{bin}/ethtool rCx -> netconfig, - @{bin}/find rCx -> find, + @{bin}/fdisk rPx, + @{bin}/glxgears rPx, + @{bin}/glxinfo rPx, + @{bin}/hciconfig rPx, + @{bin}/hdparm rPx, + @{bin}/hwinfo rPx, + @{bin}/i2cdetect rPx, @{bin}/ifconfig rCx -> netconfig, + @{bin}/inxi rPx, @{bin}/iw rCx -> netconfig, @{bin}/iwconfig rCx -> netconfig, 
@{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, - @{bin}/kmod rCx -> kmod, + @{bin}/kmod rix, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsblk rPx, + @{bin}/lscpu rPx, + @{bin}/lspci rPx, + @{bin}/lsusb rPx, + @{bin}/memtester rPx, + @{bin}/nmcli rPx, + @{bin}/pacman rCx -> pacman, + @{bin}/rfkill rPx, + @{bin}/rpm rCx -> rpm, + @{bin}/sensors rPx, + @{bin}/smartctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-analyze rPx, @{bin}/udevadm rCx -> udevadm, - - /usr/share/X11/xorg.conf.d/{,*.conf} r, + @{bin}/upower rPx, + @{bin}/uptime rPx, + @{bin}/usb-devices rPx, + @{bin}/xdpyinfo rPx, + @{bin}/xinput rPx, + @{bin}/xrandr rPx, /etc/modprobe.d/{,*.conf} r, - /etc/X11/xorg.conf.d/{,*.conf} r, - /var/log/Xorg.[0-9].log{,.old} r, + owner @{HOME}/HW_PROBE/{,**} rw, - owner /root/HW_PROBE/{,**} rw, - - owner @{tmp}/*/ rw, + audit owner @{tmp}/*/ rw, owner @{tmp}/*/cpu_perf rw, @{sys}/class/drm/ r, @{sys}/class/power_supply/ r, - - @{sys}/devices/virtual/dmi/id/* r, @{sys}/devices/@{pci}/drm/card@{int}/*/edid r, @{sys}/devices/**/power_supply/*/uevent r, - + @{sys}/devices/virtual/dmi/id/* r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/* r, + @{sys}/module/*/ r, + @{sys}/module/*/{coresize,refcnt} r, + @{sys}/module/*/holders/ r, @{PROC}/bus/input/devices r, + @{PROC}/cmdline r, @{PROC}/interrupts r, @{PROC}/ioports r, + @{PROC}/modules r, @{PROC}/scsi/scsi r, - profile find { + /dev/{,**} r, + + profile pacman flags=(attach_disconnected) { include - include + include + + @{bin}/pacman mr, + + @{bin}/gpg rPx -> pacman//gpg, + @{bin}/gpgconf rPx -> pacman//gpg, + @{bin}/gpgsm rPx -> pacman//gpg, + + /etc/pacman.conf r, + /etc/pacman.d/{,**} r, + + /var/lib/pacman/{,**} r, + + include if exists + } + + profile rpm flags=(attach_disconnected) { + include + include capability dac_read_search, - @{bin}/find mr, + @{bin}/rpm mr, - /root/ r, + /var/ r, + /var/lib/ r, + /var/lib/rpm/ r, + /var/lib/rpm/rpmdb.sqlite rk, + 
/var/lib/rpm/rpmdb.sqlite-shm rwk, + /var/lib/rpm/rpmdb.sqlite-wal rw, - /dev/{,**} r, - - include if exists + include if exists } - profile journalctl { + profile journalctl flags=(attach_disconnected) { include @{bin}/journalctl mr, @@ -133,18 +157,18 @@ profile hw-probe @{exec_path} { /etc/machine-id r, @{run}/log/ rw, - /{run,var}/log/journal/ rw, - /{run,var}/log/journal/@{hex32}/ rw, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* rw, - /{run,var}/log/journal/@{hex32}/system.journal* rw, - /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* rw, + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, owner @{PROC}/@{pid}/stat r, include if exists } - profile killall { + profile killall flags=(attach_disconnected) { include capability sys_ptrace, @@ -155,47 +179,20 @@ profile hw-probe @{exec_path} { @{bin}/killall mr, - # The /proc/ dir is needed to avoid the following error: - # /proc: Permission denied @{PROC}/ r, @{PROC}/@{pids}/stat r, include if exists } - profile udevadm { + profile udevadm flags=(attach_disconnected) { include - include - - @{bin}/udevadm mr, - - /etc/udev/udev.conf r, - - @{sys}/bus/ r, - @{sys}/bus/*/devices/ r, - @{sys}/class/ r, - @{sys}/class/*/ r, - @{sys}/devices/**/uevent r, + include include if exists } - profile kmod { - include - - @{bin}/kmod mr, - - @{sys}/module/*/ r, - @{sys}/module/*/{coresize,refcnt} r, - @{sys}/module/*/holders/ r, - - @{PROC}/cmdline r, - @{PROC}/modules r, - - include if exists - } - - profile netconfig { + profile netconfig flags=(attach_disconnected) { include # Not needed @@ -220,7 +217,7 @@ profile hw-probe @{exec_path} { include if exists } - profile systemctl { + profile systemctl flags=(attach_disconnected) { include include 
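Review bot: Switching `@{bin}/kmod` from `rCx -> kmod` to `rix` runs kmod inside the hw-probe profile itself, so it now inherits `capability sys_admin`, the new `/dev/{,**} r` rule, the `@{HOME}/HW_PROBE/{,**} rw` access and every `rPx`/`rCx` transition listed above, whereas the removed `kmod` child only had the `/sys/module/` and `/proc/modules` reads; since those reads were hoisted into the parent anyway, keeping the child (`@{bin}/kmod rCx -> kmod,` with just those rules) or transitioning to the system `kmod` profile with `rPx` would preserve the narrower confinement. The `audit` qualifier on `audit owner @{tmp}/*/ rw,` logs every allowed access to those directories and reads like a leftover from profiling; drop it unless the logging is intended. In the `rpm` child, `/var/lib/rpm/rpmdb.sqlite-wal rw,` grants write access to the package database journal; if hw-probe only queries the package list, presumably `r` (with `k` on the main file as already written) is enough, which is worth confirming on an rpm-based host. The hw-probe profile body continues outside this hunk.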
@@ -229,3 +226,5 @@ profile hw-probe @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index 277ce6e72..f56dd2b14 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -12,19 +12,10 @@ profile hwinfo @{exec_path} { include include - # Without the sys_admin CAP, some information, for instance the reserved I/O port address range - # in the /proc/ioports, will be hidden. - capability sys_admin, - - # For the kernel log entries to be shown in the output - capability syslog, - - # To remove the following errors: - # eth0: socket failed: Operation not permitted - capability net_raw, - - # Needed when passed disk related options (--block, --partition, --floppy) - capability sys_rawio, + capability net_raw, # Needed for network related options + capability sys_admin, # Needed for /proc/ioports + capability sys_rawio, # Needed for disk related options + capability syslog, # Needed for /proc/kmsg network inet dgram, network inet6 dgram, 
@@ -36,80 +27,73 @@ profile hwinfo @{exec_path} { @{bin}/kmod rCx -> kmod, @{bin}/udevadm rCx -> udevadm, + @{bin}/acpidump rPUx, @{bin}/dmraid rPUx, - @{PROC}/version r, - @{PROC}/cmdline r, - @{PROC}/dma r, - @{PROC}/interrupts r, - @{PROC}/modules r, - @{PROC}/tty/driver/serial r, - @{PROC}/ioports r, - @{PROC}/bus/input/devices r, - @{PROC}/partitions r, - @{PROC}/driver/nvram r, - @{PROC}/sys/dev/cdrom/info r, + /usr/share/hwinfo/{,**} r, - /dev/mem r, - /dev/nvram r, - /dev/psaux r, - /dev/console rw, - /dev/ttyS@{int} r, - /dev/fb@{int} r, + /var/lib/hardware/udi/{,**} r, + + owner @{tmp}/hwinfo*.txt rw, @{sys}/bus/{,**/} r, @{sys}/class/*/ r, - @{sys}/devices/@{pci_bus}/** r, - @{sys}/devices/**/input/**/dev r, + @{sys}/devices/@{pci}/** r, @{sys}/devices/**/{modalias,uevent} r, + @{sys}/devices/**/input/**/dev r, @{sys}/devices/virtual/net/*/{type,carrier,address} r, @{sys}/firmware/dmi/tables/DMI r, @{sys}/firmware/dmi/tables/smbios_entry_point r, @{sys}/firmware/edd/{,**} r, - /var/lib/hardware/udi/ r, - - # For a log file - owner @{tmp}/hwinfo*.txt rw, + @{PROC}/bus/input/devices r, + @{PROC}/cmdline r, + @{PROC}/dma r, + @{PROC}/driver/nvram r, + @{PROC}/interrupts r, + @{PROC}/ioports r, + @{PROC}/modules r, + @{PROC}/partitions r, + @{PROC}/sys/dev/cdrom/info r, + @{PROC}/tty/driver/serial r, + @{PROC}/version r, + /dev/console rw, + /dev/fb@{int} r, + /dev/mem r, + /dev/nvram r, + /dev/psaux r, + /dev/ttyS@{int} r, profile kmod { include + include @{bin}/kmod mr, /etc/modprobe.d/{,*.conf} r, - @{PROC}/cmdline r, - - # file_inherit - /dev/ttyS@{int} r, owner @{tmp}/hwinfo*.txt rw, + @{sys}/devices/@{pci}/drm/card@{int}/ r, + @{PROC}/cmdline r, + @{PROC}/modules r, + + include if exists } profile udevadm { include + include - @{bin}/udevadm mr, - - /etc/udev/udev.conf r, - - owner @{PROC}/@{pid}/stat r, - @{PROC}/cmdline r, - @{PROC}/1/sched r, - @{PROC}/1/environ r, - @{PROC}/sys/kernel/osrelease r, - - @{sys}/** r, - @{run}/udev/data/* r, - - # 
file_inherit owner @{tmp}/hwinfo*.txt rw, + include if exists } include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hypnotix b/apparmor.d/profiles-g-l/hypnotix index 4a0679f52..3a9a6131d 100644 --- a/apparmor.d/profiles-g-l/hypnotix +++ b/apparmor.d/profiles-g-l/hypnotix @@ -88,3 +88,5 @@ profile hypnotix @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/i2cdetect b/apparmor.d/profiles-g-l/i2cdetect index baad4b969..f045b489d 100644 --- a/apparmor.d/profiles-g-l/i2cdetect +++ b/apparmor.d/profiles-g-l/i2cdetect @@ -17,3 +17,5 @@ profile i2cdetect @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/i3lock b/apparmor.d/profiles-g-l/i3lock index 4d3600a75..d2fbdff2c 100644 --- a/apparmor.d/profiles-g-l/i3lock +++ b/apparmor.d/profiles-g-l/i3lock @@ -36,3 +36,5 @@ profile i3lock @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/i3lock-fancy b/apparmor.d/profiles-g-l/i3lock-fancy index f0e0f35ff..fce4ff7d4 100644 --- a/apparmor.d/profiles-g-l/i3lock-fancy +++ b/apparmor.d/profiles-g-l/i3lock-fancy @@ -71,3 +71,5 @@ profile i3lock-fancy @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/iceauth b/apparmor.d/profiles-g-l/iceauth index bd8df0f2e..66111ff55 100644 --- a/apparmor.d/profiles-g-l/iceauth +++ b/apparmor.d/profiles-g-l/iceauth @@ -22,4 +22,6 @@ profile iceauth @{exec_path} { owner @{run}/user/@{uid}/ICEauthority-n rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/id b/apparmor.d/profiles-g-l/id index 7c92f2b9a..061313d42 100644 --- a/apparmor.d/profiles-g-l/id +++ b/apparmor.d/profiles-g-l/id @@ -21,3 +21,5 @@ profile id @{exec_path} { include if exists } + +# vim:syntax=apparmor 
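Review bot: The new `@{bin}/acpidump rPUx,` line lets acpidump run fully unconfined whenever no `acpidump` profile is installed, as root and with none of the capability bounds hwinfo itself is held to; since hwinfo presumably only needs the ACPI table dump, a child profile (`@{bin}/acpidump rCx -> acpidump,` with read access to the ACPI tables) or a plain `rPx` once a profile ships keeps it confined. The pre-existing `dmraid rPUx` has the same fallback, but that is not introduced here. The hwinfo profile body starts before this hunk.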
diff --git a/apparmor.d/profiles-g-l/ifconfig b/apparmor.d/profiles-g-l/ifconfig index 74fe432ad..8dd7eaac0 100644 --- a/apparmor.d/profiles-g-l/ifconfig +++ b/apparmor.d/profiles-g-l/ifconfig @@ -30,3 +30,5 @@ profile ifconfig @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index 6ee7d10d2..74cf07da8 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -129,3 +129,5 @@ profile ifup @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/im-launch b/apparmor.d/profiles-g-l/im-launch index faf618d36..5520e990c 100644 --- a/apparmor.d/profiles-g-l/im-launch +++ b/apparmor.d/profiles-g-l/im-launch @@ -40,3 +40,5 @@ profile im-launch @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/img2txt b/apparmor.d/profiles-g-l/img2txt new file mode 100644 index 000000000..1b3518777 --- /dev/null +++ b/apparmor.d/profiles-g-l/img2txt @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/img2txt +profile img2txt @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} diff --git a/apparmor.d/profiles-g-l/imv-wayland b/apparmor.d/profiles-g-l/imv-wayland index 6bac7898b..72eaecc9c 100644 --- a/apparmor.d/profiles-g-l/imv-wayland +++ b/apparmor.d/profiles-g-l/imv-wayland @@ -27,3 +27,5 @@ profile imv @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/initd-kexec b/apparmor.d/profiles-g-l/initd-kexec index fcda63e83..f17356fcc 100644 --- a/apparmor.d/profiles-g-l/initd-kexec +++ b/apparmor.d/profiles-g-l/initd-kexec @@ -54,3 +54,5 @@ profile initd-kexec @{exec_path} { include if exists } + +# vim:syntax=apparmor 
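Review bot: The new `img2txt` profile is the one file in this commit that lacks the `# vim:syntax=apparmor` trailer the commit adds to every other profile; append a blank line and `# vim:syntax=apparmor` after the closing `}` so the new file follows the convention being introduced. Beyond its two includes the profile grants only `@{exec_path} mr,`, so the image the user passes on the command line has to be readable through one of the included abstractions; if it is not, the profile denies the very input img2txt exists to convert, and a short comment such as `# Input images are covered by the included read abstraction` (or an explicit rule) would make that intent visible.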
diff --git a/apparmor.d/profiles-g-l/initd-kexec-load b/apparmor.d/profiles-g-l/initd-kexec-load index ab1d54536..d36584ec9 100644 --- a/apparmor.d/profiles-g-l/initd-kexec-load +++ b/apparmor.d/profiles-g-l/initd-kexec-load @@ -78,3 +78,5 @@ profile initd-kexec-load @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/initd-kmod b/apparmor.d/profiles-g-l/initd-kmod index 53c39142b..f8f975211 100644 --- a/apparmor.d/profiles-g-l/initd-kmod +++ b/apparmor.d/profiles-g-l/initd-kmod @@ -60,3 +60,5 @@ profile initd-kmod @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/install-catalog b/apparmor.d/profiles-g-l/install-catalog index 714d10a66..370cbf154 100644 --- a/apparmor.d/profiles-g-l/install-catalog +++ b/apparmor.d/profiles-g-l/install-catalog @@ -26,4 +26,6 @@ profile install-catalog @{exec_path} { /etc/sgml/sgml-ent.cat{,.new} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info index 4060e715e..54e40386f 100644 --- a/apparmor.d/profiles-g-l/install-info +++ b/apparmor.d/profiles-g-l/install-info @@ -29,4 +29,6 @@ profile install-info @{exec_path} { deny network inet stream, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/install-printerdriver b/apparmor.d/profiles-g-l/install-printerdriver index e8d110a99..ddbf2e31c 100644 --- a/apparmor.d/profiles-g-l/install-printerdriver +++ b/apparmor.d/profiles-g-l/install-printerdriver @@ -22,3 +22,5 @@ profile install-printerdriver @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index 9f5632291..aba281c31 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi 
@@ -138,15 +138,7 @@ profile inxi @{exec_path} { profile udevadm { include - include - - @{bin}/udevadm mr, - - /etc/udev/udev.conf r, - - @{run}/udev/data/b* r, - - @{sys}/devices/@{pci}/block/**/uevent r, + include include if exists } @@ -171,3 +163,5 @@ profile inxi @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/ioping b/apparmor.d/profiles-g-l/ioping index 5eb45817e..497e5cb1c 100644 --- a/apparmor.d/profiles-g-l/ioping +++ b/apparmor.d/profiles-g-l/ioping @@ -47,3 +47,5 @@ profile ioping @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/iotop b/apparmor.d/profiles-g-l/iotop index 7cf6e55e6..be2738443 100644 --- a/apparmor.d/profiles-g-l/iotop +++ b/apparmor.d/profiles-g-l/iotop @@ -39,3 +39,5 @@ profile iotop @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 33f0c57d7..7fee79abc 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -51,3 +51,5 @@ profile ip @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/ipcalc b/apparmor.d/profiles-g-l/ipcalc index bc28ac5f0..dd750b8c9 100644 --- a/apparmor.d/profiles-g-l/ipcalc +++ b/apparmor.d/profiles-g-l/ipcalc @@ -17,3 +17,5 @@ profile ipcalc @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance index 49f0dd90f..2226e6dd2 100644 --- a/apparmor.d/profiles-g-l/irqbalance +++ b/apparmor.d/profiles-g-l/irqbalance @@ -41,4 +41,6 @@ profile irqbalance @{exec_path} flags=(attach_disconnected) { @{PROC}/irq/@{int}/smp_affinity rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index f7b9fa5fe..a54b024ad 100644 
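Review bot: The rewritten `udevadm` child keeps only two includes, so the executable rule `@{bin}/udevadm mr,` and the `/etc/udev/udev.conf`, `@{run}/udev/data/b*` and block-device `uevent` reads it relied on must now all come from the included abstraction; the generic udevadm abstraction presumably covers them, but confirm it also carries the `mr` rule, since without it the `rCx -> udevadm` transition has nothing to execute. The enclosing inxi profile starts before this hunk.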
--- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -27,4 +27,6 @@ profile issue-generator @{exec_path} { @{run}/issue.d/{,**} r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/iw b/apparmor.d/profiles-g-l/iw index 3282afe9c..3b62c32ba 100644 --- a/apparmor.d/profiles-g-l/iw +++ b/apparmor.d/profiles-g-l/iw @@ -28,3 +28,5 @@ profile iw @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/iwconfig b/apparmor.d/profiles-g-l/iwconfig index 4246f81e6..62bc16041 100644 --- a/apparmor.d/profiles-g-l/iwconfig +++ b/apparmor.d/profiles-g-l/iwconfig @@ -28,3 +28,5 @@ profile iwconfig @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/iwlist b/apparmor.d/profiles-g-l/iwlist index cfa7f1b53..ef2a280e0 100644 --- a/apparmor.d/profiles-g-l/iwlist +++ b/apparmor.d/profiles-g-l/iwlist @@ -21,3 +21,5 @@ profile iwlist @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/jackdbus b/apparmor.d/profiles-g-l/jackdbus index 9cf1be3b8..ed1094a17 100644 --- a/apparmor.d/profiles-g-l/jackdbus +++ b/apparmor.d/profiles-g-l/jackdbus @@ -26,4 +26,6 @@ profile jackdbus @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/jack/{,**} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/jami-gnome b/apparmor.d/profiles-g-l/jami-gnome index a2798cbc9..9d22933fc 100644 --- a/apparmor.d/profiles-g-l/jami-gnome +++ b/apparmor.d/profiles-g-l/jami-gnome @@ -57,3 +57,5 @@ profile jami-gnome @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/jdownloader b/apparmor.d/profiles-g-l/jdownloader index 27981fe73..424074da4 100644 --- a/apparmor.d/profiles-g-l/jdownloader +++ b/apparmor.d/profiles-g-l/jdownloader 
@@ -124,3 +124,5 @@ profile jdownloader @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/jekyll b/apparmor.d/profiles-g-l/jekyll index 3142c44d6..667b9304f 100644 --- a/apparmor.d/profiles-g-l/jekyll +++ b/apparmor.d/profiles-g-l/jekyll @@ -33,3 +33,5 @@ profile jekyll @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/jgmenu b/apparmor.d/profiles-g-l/jgmenu index a9eda288e..6c7f3c1ff 100644 --- a/apparmor.d/profiles-g-l/jgmenu +++ b/apparmor.d/profiles-g-l/jgmenu @@ -57,3 +57,5 @@ profile jgmenu @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/jitterentropy-rngd b/apparmor.d/profiles-g-l/jitterentropy-rngd index 1434e560f..5b96e0c58 100644 --- a/apparmor.d/profiles-g-l/jitterentropy-rngd +++ b/apparmor.d/profiles-g-l/jitterentropy-rngd @@ -21,4 +21,6 @@ profile jitterentropy-rngd @{exec_path} { /dev/random w, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/jmtpfs b/apparmor.d/profiles-g-l/jmtpfs index a90c7de8f..77127171c 100644 --- a/apparmor.d/profiles-g-l/jmtpfs +++ b/apparmor.d/profiles-g-l/jmtpfs @@ -62,3 +62,5 @@ profile jmtpfs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote index fb11c31c9..fef624841 100644 --- a/apparmor.d/profiles-g-l/kanyremote +++ b/apparmor.d/profiles-g-l/kanyremote @@ -65,7 +65,6 @@ profile kanyremote @{exec_path} { owner /dev/shm/#@{int} rw, - @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, profile killall { @@ -99,3 +98,5 @@ profile kanyremote @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kcheckpass b/apparmor.d/profiles-g-l/kcheckpass index dd4343a32..9dddbe470 100644 --- a/apparmor.d/profiles-g-l/kcheckpass +++ b/apparmor.d/profiles-g-l/kcheckpass 
@@ -23,3 +23,5 @@ profile kcheckpass @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kconfig-hardened-check b/apparmor.d/profiles-g-l/kconfig-hardened-check index 5674abb4c..6858f1b45 100644 --- a/apparmor.d/profiles-g-l/kconfig-hardened-check +++ b/apparmor.d/profiles-g-l/kconfig-hardened-check @@ -27,3 +27,5 @@ profile kconfig-hardened-check @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index aeb155df1..20be091cc 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -99,3 +99,5 @@ profile keepassxc @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/keepassxc-cli b/apparmor.d/profiles-g-l/keepassxc-cli index cdc3e94e2..b1d6e0e86 100644 --- a/apparmor.d/profiles-g-l/keepassxc-cli +++ b/apparmor.d/profiles-g-l/keepassxc-cli @@ -15,3 +15,5 @@ profile keepassxc-cli @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/keepassxc-proxy b/apparmor.d/profiles-g-l/keepassxc-proxy index f913de295..5e9736108 100644 --- a/apparmor.d/profiles-g-l/keepassxc-proxy +++ b/apparmor.d/profiles-g-l/keepassxc-proxy @@ -47,3 +47,5 @@ profile keepassxc-proxy @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index af6578713..93cb01b19 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -65,3 +65,5 @@ profile kernel-install @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kerneloops b/apparmor.d/profiles-g-l/kerneloops index 5b778b1fa..f3c7e3b37 100644 --- a/apparmor.d/profiles-g-l/kerneloops +++ b/apparmor.d/profiles-g-l/kerneloops @@ -28,3 +28,5 @@ profile kerneloops @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet index 01f6aac19..e6860c5b9 100644 --- a/apparmor.d/profiles-g-l/kerneloops-applet +++ b/apparmor.d/profiles-g-l/kerneloops-applet @@ -24,3 +24,5 @@ profile kerneloops-applet @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kexec b/apparmor.d/profiles-g-l/kexec index 960af35a1..dc027eae6 100644 --- a/apparmor.d/profiles-g-l/kexec +++ b/apparmor.d/profiles-g-l/kexec @@ -28,3 +28,5 @@ profile kexec @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 4dbb2de6b..ac03c2501 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -76,3 +76,5 @@ profile kmod @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi index 55beb1b6a..3d8800cc7 100644 --- a/apparmor.d/profiles-g-l/kodi +++ b/apparmor.d/profiles-g-l/kodi @@ -61,9 +61,10 @@ profile kodi @{exec_path} { @{PROC}/@{pid}/net/dev r, @{PROC}/@{pid}/net/route r, - @{PROC}/sys/kernel/core_pattern r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kodi-xrandr b/apparmor.d/profiles-g-l/kodi-xrandr index 469476329..932b869b8 100644 --- a/apparmor.d/profiles-g-l/kodi-xrandr +++ b/apparmor.d/profiles-g-l/kodi-xrandr @@ -16,9 +16,11 @@ profile kodi-xrandr @{exec_path} { owner @{HOME}/.Xauthority r, # file_inherit - @{sys}/devices/virtual/thermal/thermal_zone0/temp r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r, @{sys}/devices/system/cpu/cpufreq/policy0/scaling_cur_freq r, owner @{HOME}/.kodi/temp/kodi.log w, include if exists } + +# vim:syntax=apparmor 
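Review bot: The thermal rule was generalized to `thermal_zone@{int}` but the neighbouring cpufreq rule in the same `# file_inherit` group is still pinned to `policy0`, so a host whose first cpufreq policy is not 0 will still hit a denial on that path; make it `@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,` for consistency. Both rules are marked `# file_inherit`, i.e. presumably descriptors inherited from kodi rather than files kodi-xrandr opens itself, so the widening adds no exposure beyond what the parent already reads.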
diff --git a/apparmor.d/profiles-g-l/kvm-ok b/apparmor.d/profiles-g-l/kvm-ok index 85849c429..a023293fa 100644 --- a/apparmor.d/profiles-g-l/kvm-ok +++ b/apparmor.d/profiles-g-l/kvm-ok @@ -46,3 +46,5 @@ profile kvm-ok @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc index 42548b880..8fa7552af 100644 --- a/apparmor.d/profiles-g-l/labwc +++ b/apparmor.d/profiles-g-l/labwc @@ -56,3 +56,5 @@ profile labwc @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 853416c3f..a9df8a2b3 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -45,4 +45,6 @@ profile landscape-sysinfo @{exec_path} { /dev/tty@{int} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper index 697328310..e33195eb1 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper +++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper @@ -32,4 +32,6 @@ profile landscape-sysinfo.wrapper @{exec_path} { /dev/tty@{int} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate index 782b413e9..e77d997c5 100644 --- a/apparmor.d/profiles-g-l/language-validate +++ b/apparmor.d/profiles-g-l/language-validate @@ -22,4 +22,6 @@ profile language-validate @{exec_path} flags=(attach_disconnected) { /usr/share/language-tools/{,*} r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/last b/apparmor.d/profiles-g-l/last index 91a78e0e5..fd0c403a4 100644 --- a/apparmor.d/profiles-g-l/last +++ b/apparmor.d/profiles-g-l/last 
@@ -28,3 +28,5 @@ profile last @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lastlog b/apparmor.d/profiles-g-l/lastlog index f665d06b2..3df955097 100644 --- a/apparmor.d/profiles-g-l/lastlog +++ b/apparmor.d/profiles-g-l/lastlog @@ -22,3 +22,5 @@ profile lastlog @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index cad2260bb..313b34a23 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -10,9 +10,11 @@ include @{exec_path} += @{lib}/libreoffice/program/soffice profile libreoffice @{exec_path} { include + include include include include + include include include include @@ -52,13 +54,17 @@ profile libreoffice @{exec_path} { @{lib}/libreoffice/share/uno_packages/cache/stamp.sys w, @{lib}/libreoffice/{,**} rm, + /usr/share/hyphen/{,**} r, /usr/share/libexttextcat/{,**} r, /usr/share/liblangtag/{,**} r, + /usr/share/libreoffice/{,**} r, + /usr/share/mythes/{,**} r, /etc/java-openjdk/{,**} r, /etc/libreoffice/{,**} r, /etc/paperspecs r, + owner @{user_cache_dirs}/libreoffice/{,**} rw, owner @{user_config_dirs}/libreoffice/ rw, owner @{user_config_dirs}/libreoffice/** rwk, @@ -75,6 +81,7 @@ profile libreoffice @{exec_path} { @{sys}/kernel/mm/transparent_hugepage/enabled r, @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r, owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/app.slice/**/memory.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, @{PROC}/cgroups r, owner @{PROC}/@{pid}/cgroup r, @@ -88,3 +95,5 @@ profile libreoffice @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/light b/apparmor.d/profiles-g-l/light index 845cf92cf..d4ff8a7d7 100644 --- a/apparmor.d/profiles-g-l/light +++ b/apparmor.d/profiles-g-l/light 
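Review bot: The added cgroup rule hard-codes `session.slice/org.gnome.Shell@wayland.service/memory.max`, so the same read will presumably be denied under an X11 GNOME session (`org.gnome.Shell@x11.service`) or any other desktop that places the app under `session.slice`; a pattern such as `owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/session.slice/*.service/memory.max r,` keeps the `owner` restriction and read-only mode while covering them. The `app.slice/**/memory.max` rule just above already takes that broader shape, so the two lines would then be consistent. The libreoffice profile body continues outside this hunk.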
@@ -36,3 +36,5 @@ profile light @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/light-locker b/apparmor.d/profiles-g-l/light-locker index 6bd62f77f..8e8732c19 100644 --- a/apparmor.d/profiles-g-l/light-locker +++ b/apparmor.d/profiles-g-l/light-locker @@ -38,3 +38,5 @@ profile light-locker @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/light-locker-command b/apparmor.d/profiles-g-l/light-locker-command index c77b1d07b..21daa1853 100644 --- a/apparmor.d/profiles-g-l/light-locker-command +++ b/apparmor.d/profiles-g-l/light-locker-command @@ -15,3 +15,5 @@ profile light-locker-command @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lightworks b/apparmor.d/profiles-g-l/lightworks index accbe2085..f2e6c74cf 100644 --- a/apparmor.d/profiles-g-l/lightworks +++ b/apparmor.d/profiles-g-l/lightworks @@ -26,3 +26,5 @@ profile lightworks @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lightworks-ntcardvt b/apparmor.d/profiles-g-l/lightworks-ntcardvt index ee5f0c71e..b4dc21398 100644 --- a/apparmor.d/profiles-g-l/lightworks-ntcardvt +++ b/apparmor.d/profiles-g-l/lightworks-ntcardvt @@ -15,3 +15,5 @@ profile lightworks-ntcardvt @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/linssid b/apparmor.d/profiles-g-l/linssid index 384fda9ea..615f51b62 100644 --- a/apparmor.d/profiles-g-l/linssid +++ b/apparmor.d/profiles-g-l/linssid @@ -109,3 +109,5 @@ profile linssid @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index a6fd4d8ed..41813c1a1 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal 
@@ -50,3 +50,5 @@ profile linux-check-removal @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/linux-version b/apparmor.d/profiles-g-l/linux-version index 3f866072e..998c48780 100644 --- a/apparmor.d/profiles-g-l/linux-version +++ b/apparmor.d/profiles-g-l/linux-version @@ -20,3 +20,5 @@ profile linux-version @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/locale-gen b/apparmor.d/profiles-g-l/locale-gen index 722349ea1..093074d1b 100644 --- a/apparmor.d/profiles-g-l/locale-gen +++ b/apparmor.d/profiles-g-l/locale-gen @@ -39,4 +39,6 @@ profile locale-gen @{exec_path} { deny network inet stream, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/localepurge b/apparmor.d/profiles-g-l/localepurge index 53e3fd930..30018bf00 100644 --- a/apparmor.d/profiles-g-l/localepurge +++ b/apparmor.d/profiles-g-l/localepurge @@ -57,3 +57,5 @@ profile localepurge @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login index ba8c2c254..c93553030 100644 --- a/apparmor.d/profiles-g-l/login +++ b/apparmor.d/profiles-g-l/login @@ -73,3 +73,5 @@ profile login @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index ffc4099d3..6004b8a35 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -104,3 +104,5 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/losetup b/apparmor.d/profiles-g-l/losetup index 8c62398ec..fb8b448d1 100644 --- a/apparmor.d/profiles-g-l/losetup +++ b/apparmor.d/profiles-g-l/losetup 
@@ -24,4 +24,6 @@ profile losetup @{exec_path} { /dev/loop[0-9]* rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/low-memory-monitor b/apparmor.d/profiles-g-l/low-memory-monitor index 625d147ac..4471dbd2e 100644 --- a/apparmor.d/profiles-g-l/low-memory-monitor +++ b/apparmor.d/profiles-g-l/low-memory-monitor @@ -17,4 +17,6 @@ profile low-memory-monitor @{exec_path} flags=(attach_disconnected) { owner @{PROC}/pressure/memory rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lsblk b/apparmor.d/profiles-g-l/lsblk index e2a3207b5..56aad52b8 100644 --- a/apparmor.d/profiles-g-l/lsblk +++ b/apparmor.d/profiles-g-l/lsblk @@ -30,3 +30,5 @@ profile lsblk @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lscpu b/apparmor.d/profiles-g-l/lscpu index f59ee0e1e..804e67632 100644 --- a/apparmor.d/profiles-g-l/lscpu +++ b/apparmor.d/profiles-g-l/lscpu @@ -30,3 +30,5 @@ profile lscpu @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lsinitramfs b/apparmor.d/profiles-g-l/lsinitramfs index ff3f52865..e5b6ff750 100644 --- a/apparmor.d/profiles-g-l/lsinitramfs +++ b/apparmor.d/profiles-g-l/lsinitramfs @@ -21,3 +21,5 @@ profile lsinitramfs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci index d8aa90103..0d6936d22 100644 --- a/apparmor.d/profiles-g-l/lspci +++ b/apparmor.d/profiles-g-l/lspci @@ -44,3 +44,5 @@ profile lspci @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lsusb b/apparmor.d/profiles-g-l/lsusb index 872ac8369..eadda4785 100644 --- a/apparmor.d/profiles-g-l/lsusb +++ b/apparmor.d/profiles-g-l/lsusb 
@@ -21,3 +21,5 @@ profile lsusb @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/profiles-g-l/lvm index 7256c4b76..0bd6ef2e8 100644 --- a/apparmor.d/profiles-g-l/lvm +++ b/apparmor.d/profiles-g-l/lvm @@ -50,3 +50,5 @@ profile lvm @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lvmconfig b/apparmor.d/profiles-g-l/lvmconfig index 2423886e8..f38bd6780 100644 --- a/apparmor.d/profiles-g-l/lvmconfig +++ b/apparmor.d/profiles-g-l/lvmconfig @@ -17,3 +17,5 @@ profile lvmconfig @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lvmdump b/apparmor.d/profiles-g-l/lvmdump index 1d97ecf73..9dbe000f7 100644 --- a/apparmor.d/profiles-g-l/lvmdump +++ b/apparmor.d/profiles-g-l/lvmdump @@ -17,3 +17,5 @@ profile lvmdump @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lvmpolld b/apparmor.d/profiles-g-l/lvmpolld index 7c5852d67..7a4bc90b3 100644 --- a/apparmor.d/profiles-g-l/lvmpolld +++ b/apparmor.d/profiles-g-l/lvmpolld @@ -20,3 +20,5 @@ profile lvmpolld @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lxappearance b/apparmor.d/profiles-g-l/lxappearance index 5bb7dc92f..a400ef80c 100644 --- a/apparmor.d/profiles-g-l/lxappearance +++ b/apparmor.d/profiles-g-l/lxappearance @@ -67,3 +67,5 @@ profile lxappearance @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lynx b/apparmor.d/profiles-g-l/lynx index a9b3691d2..143472569 100644 --- a/apparmor.d/profiles-g-l/lynx +++ b/apparmor.d/profiles-g-l/lynx @@ -13,6 +13,8 @@ profile lynx @{exec_path} { include include include + include + include network inet dgram, network inet6 dgram, 
@@ -20,20 +22,21 @@ profile lynx @{exec_path} { network inet6 stream, @{exec_path} mr, - - /etc/lynx/{,*} r, - + @{sh_path} rix, + + /usr/share/terminfo/{,**} r, /usr/share/doc/lynx-common/** r, - /etc/mime.types r, - - @{sh_path} rix, + /etc/lynx.cfg r, + /etc/lynx.lss r, + /etc/lynx/{,**} r, /etc/mailcap r, + /etc/mime.types r, owner @{tmp}/lynxXXXX*/ rw, owner @{tmp}/lynxXXXX*/*TMP.html{,.gz} rw, - owner @{HOME}/ r, - include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/macchanger b/apparmor.d/profiles-m-r/macchanger index 7f0d334eb..8f4efc921 100644 --- a/apparmor.d/profiles-m-r/macchanger +++ b/apparmor.d/profiles-m-r/macchanger @@ -26,3 +26,5 @@ profile macchanger @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/man b/apparmor.d/profiles-m-r/man index c85b5e1d1..aa0195853 100644 --- a/apparmor.d/profiles-m-r/man +++ b/apparmor.d/profiles-m-r/man @@ -113,3 +113,5 @@ profile man_filter { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index 74cef2862..beeba50e8 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -36,3 +36,5 @@ profile mandb @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mate-notification-daemon b/apparmor.d/profiles-m-r/mate-notification-daemon index 7d3ea0192..871434151 100644 --- a/apparmor.d/profiles-m-r/mate-notification-daemon +++ b/apparmor.d/profiles-m-r/mate-notification-daemon @@ -15,4 +15,6 @@ profile mate-notification-daemon @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl index 4f1c54ac1..a2631c768 100644 --- a/apparmor.d/profiles-m-r/mdevctl +++ b/apparmor.d/profiles-m-r/mdevctl 
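Review bot: Dropping `owner @{HOME}/ r,` removes the only visible rule that let lynx list the home directory, so opening `file://` paths under `$HOME` will presumably now be denied unless one of the two includes added in the previous hunk covers it; the include targets are stripped in this rendering, so that should be confirmed with the audit log before merging. If the removal is deliberate because lynx is treated as a network-facing browser that should not enumerate home, a one-line comment next to `/etc/lynx/{,**} r,` such as `# No home directory listing: lynx renders untrusted remote content` would record the decision. Note that `/etc/lynx/{,**} r,` is widened from `{,*}` to include subdirectories, and `@{sh_path} rix,` still means any viewer launched via `/etc/mailcap` runs inside this same profile rather than transitioning, which is consistent with the file but is the surface to keep in mind when widening config reads.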
@@ -21,4 +21,6 @@ profile mdevctl @{exec_path} { @{PROC}/@{pids}/maps r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mediainfo b/apparmor.d/profiles-m-r/mediainfo index bd1d1e41a..bb7c2d59b 100644 --- a/apparmor.d/profiles-m-r/mediainfo +++ b/apparmor.d/profiles-m-r/mediainfo @@ -16,3 +16,5 @@ profile mediainfo @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mediainfo-gui b/apparmor.d/profiles-m-r/mediainfo-gui index 4315a8157..4648d4ddf 100644 --- a/apparmor.d/profiles-m-r/mediainfo-gui +++ b/apparmor.d/profiles-m-r/mediainfo-gui @@ -45,3 +45,5 @@ profile mediainfo-gui @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/megasync b/apparmor.d/profiles-m-r/megasync index 8f30c0c83..236041778 100644 --- a/apparmor.d/profiles-m-r/megasync +++ b/apparmor.d/profiles-m-r/megasync @@ -51,7 +51,6 @@ profile megasync @{exec_path} { owner @{user_sync_dirs}/ r, owner @{user_sync_dirs}/** rwl -> @{user_sync_dirs}/**, - @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, @@ -61,3 +60,5 @@ profile megasync @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/memtester b/apparmor.d/profiles-m-r/memtester index e25c98180..506892f0e 100644 --- a/apparmor.d/profiles-m-r/memtester +++ b/apparmor.d/profiles-m-r/memtester @@ -15,3 +15,5 @@ profile memtester @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/merkaartor b/apparmor.d/profiles-m-r/merkaartor index 6cd06a019..739d18e2f 100644 --- a/apparmor.d/profiles-m-r/merkaartor +++ b/apparmor.d/profiles-m-r/merkaartor @@ -57,3 +57,5 @@ profile merkaartor @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-m-r/metadata-cleaner b/apparmor.d/profiles-m-r/metadata-cleaner index 63bea0ac2..142ccb78a 100644 --- a/apparmor.d/profiles-m-r/metadata-cleaner +++ b/apparmor.d/profiles-m-r/metadata-cleaner @@ -60,4 +60,6 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { } include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index e65d07613..da56703c3 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -30,3 +30,5 @@ profile mimetype @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube index e8e07ef43..4d4d26655 100644 --- a/apparmor.d/profiles-m-r/minitube +++ b/apparmor.d/profiles-m-r/minitube @@ -64,8 +64,6 @@ profile minitube @{exec_path} { # owner @{tmp}/#@{int} mrw, # owner @{tmp}/.glvnd* mrw, - @{PROC}/sys/kernel/core_pattern r, - @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, /dev/shm/#@{int} rw, @@ -98,3 +96,5 @@ profile minitube @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index b36117459..267fb9d1a 100644 --- a/apparmor.d/profiles-m-r/mission-control +++ b/apparmor.d/profiles-m-r/mission-control @@ -28,3 +28,5 @@ profile mission-control @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mke2fs b/apparmor.d/profiles-m-r/mke2fs index 4fc5c9d08..038de3c73 100644 --- a/apparmor.d/profiles-m-r/mke2fs +++ b/apparmor.d/profiles-m-r/mke2fs @@ -39,3 +39,5 @@ profile mke2fs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mkfs-btrfs b/apparmor.d/profiles-m-r/mkfs-btrfs index 48ba79bac..237fc8006 100644 --- a/apparmor.d/profiles-m-r/mkfs-btrfs 
+++ b/apparmor.d/profiles-m-r/mkfs-btrfs @@ -28,3 +28,5 @@ profile mkfs-btrfs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mkfs-fat b/apparmor.d/profiles-m-r/mkfs-fat index 68fc2aaae..d7f7a1cc9 100644 --- a/apparmor.d/profiles-m-r/mkfs-fat +++ b/apparmor.d/profiles-m-r/mkfs-fat @@ -22,3 +22,5 @@ profile mkfs-fat @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 304b5834f..30bc6afd9 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -59,7 +59,7 @@ profile mkinitramfs @{exec_path} { @{bin}/kmod rCx -> kmod, @{bin}/ldconfig rCx -> ldconfig, @{bin}/ldd rCx -> ldd, - @{lib}/ld-linux.so.2 rCx -> ldd, + @{lib}/ld-linux.so* rCx -> ldd, @{bin}/dpkg rPx -> child-dpkg, @{bin}/linux-version rPx, @@ -181,3 +181,5 @@ profile mkinitramfs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mkntfs b/apparmor.d/profiles-m-r/mkntfs index ee6153a83..ccfa5f4ed 100644 --- a/apparmor.d/profiles-m-r/mkntfs +++ b/apparmor.d/profiles-m-r/mkntfs @@ -20,3 +20,5 @@ profile mkntfs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mkswap b/apparmor.d/profiles-m-r/mkswap index 81cd835b1..4c732c2c6 100644 --- a/apparmor.d/profiles-m-r/mkswap +++ b/apparmor.d/profiles-m-r/mkswap @@ -24,3 +24,5 @@ profile mkswap @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mkvmerge b/apparmor.d/profiles-m-r/mkvmerge index 7350d7b7f..22251b87e 100644 --- a/apparmor.d/profiles-m-r/mkvmerge +++ b/apparmor.d/profiles-m-r/mkvmerge @@ -27,3 +27,5 @@ profile mkvmerge @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui index 63a978baf..595a24666 100644 
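Review bot: The widened `@{lib}/ld-linux.so* rCx -> ldd,` in the mkinitramfs hunk still only matches loader names that begin with `ld-linux.so`, so the common 64-bit loaders (`ld-linux-x86-64.so.2` on x86_64, `ld-linux-aarch64.so.1` on arm64) remain outside the rule and the transition into the `ldd` child profile presumably still fails there. If multi-arch coverage was the intent, `@{lib}/ld-linux{,-*}.so* rCx -> ldd,` (or the broader `@{lib}/ld-*.so* rCx -> ldd,`) covers those names while keeping the same child-profile transition. Whether `@{lib}` also expands to a `lib64` path on the distributions this repo targets is not visible here and is worth checking alongside. The `ldd` child profile and the rest of the mkinitramfs body lie outside this hunk.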
--- a/apparmor.d/profiles-m-r/mkvtoolnix-gui +++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui @@ -66,3 +66,5 @@ profile mkvtoolnix-gui @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mlocate b/apparmor.d/profiles-m-r/mlocate index 6d2d33c9e..08fdee129 100644 --- a/apparmor.d/profiles-m-r/mlocate +++ b/apparmor.d/profiles-m-r/mlocate @@ -21,3 +21,5 @@ profile mlocate @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index 9e84ee501..29125f192 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -42,4 +42,6 @@ profile modprobed-db @{exec_path} { /dev/tty rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/molly-guard b/apparmor.d/profiles-m-r/molly-guard index c6eb2a2ac..d75a5092b 100644 --- a/apparmor.d/profiles-m-r/molly-guard +++ b/apparmor.d/profiles-m-r/molly-guard @@ -41,4 +41,6 @@ profile molly-guard @{exec_path} { } include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index 88699a37b..cb220a7b6 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -105,3 +105,5 @@ profile monitorix @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mono-sgen b/apparmor.d/profiles-m-r/mono-sgen index 72891c7bf..e010a83d7 100644 --- a/apparmor.d/profiles-m-r/mono-sgen +++ b/apparmor.d/profiles-m-r/mono-sgen @@ -44,3 +44,5 @@ profile mono-sgen @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount index 7c48c4d85..f122b8f27 100644 --- a/apparmor.d/profiles-m-r/mount +++ b/apparmor.d/profiles-m-r/mount 
@@ -69,3 +69,5 @@ profile mount @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/profiles-m-r/mount-cifs index 94a523e8f..bbadcc7e0 100644 --- a/apparmor.d/profiles-m-r/mount-cifs +++ b/apparmor.d/profiles-m-r/mount-cifs @@ -46,3 +46,5 @@ profile mount-cifs @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mount-nfs b/apparmor.d/profiles-m-r/mount-nfs index 9e7a488d4..698f350ce 100644 --- a/apparmor.d/profiles-m-r/mount-nfs +++ b/apparmor.d/profiles-m-r/mount-nfs @@ -70,3 +70,5 @@ profile mount-nfs @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs index d2efa3054..bc47f0a30 100644 --- a/apparmor.d/profiles-m-r/mount-zfs +++ b/apparmor.d/profiles-m-r/mount-zfs @@ -44,3 +44,5 @@ profile mount-zfs @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mpd b/apparmor.d/profiles-m-r/mpd index e222681be..14a6c4acf 100644 --- a/apparmor.d/profiles-m-r/mpd +++ b/apparmor.d/profiles-m-r/mpd @@ -47,3 +47,5 @@ profile mpd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mpsyt b/apparmor.d/profiles-m-r/mpsyt index 71f1e4cf9..46f239fce 100644 --- a/apparmor.d/profiles-m-r/mpsyt +++ b/apparmor.d/profiles-m-r/mpsyt @@ -58,3 +58,5 @@ profile mpsyt @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv index 23aa2b9a1..1629176dd 100644 --- a/apparmor.d/profiles-m-r/mpv +++ b/apparmor.d/profiles-m-r/mpv @@ -107,3 +107,5 @@ profile mpv @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mtools b/apparmor.d/profiles-m-r/mtools index b19df6cc7..75c95fffd 100644 
--- a/apparmor.d/profiles-m-r/mtools +++ b/apparmor.d/profiles-m-r/mtools @@ -31,3 +31,5 @@ profile mtools @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mtr b/apparmor.d/profiles-m-r/mtr index 00d4c0629..5b341d8f5 100644 --- a/apparmor.d/profiles-m-r/mtr +++ b/apparmor.d/profiles-m-r/mtr @@ -28,3 +28,5 @@ profile mtr @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mtr-packet b/apparmor.d/profiles-m-r/mtr-packet index 2605b9e25..4bf15b7d5 100644 --- a/apparmor.d/profiles-m-r/mtr-packet +++ b/apparmor.d/profiles-m-r/mtr-packet @@ -26,3 +26,5 @@ profile mtr-packet @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup index befffe09f..db29113ce 100644 --- a/apparmor.d/profiles-m-r/mullvad-setup +++ b/apparmor.d/profiles-m-r/mullvad-setup @@ -19,4 +19,6 @@ profile mullvad-setup @{exec_path} { deny network inet6 stream, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/multipath b/apparmor.d/profiles-m-r/multipath index a571e233d..918e5a0c2 100644 --- a/apparmor.d/profiles-m-r/multipath +++ b/apparmor.d/profiles-m-r/multipath @@ -32,4 +32,6 @@ profile multipath @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/fs/nr_open r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/multipathd b/apparmor.d/profiles-m-r/multipathd index dffcde3cc..510fb3417 100644 --- a/apparmor.d/profiles-m-r/multipathd +++ b/apparmor.d/profiles-m-r/multipathd @@ -42,4 +42,6 @@ profile multipathd @{exec_path} { /dev/mapper/control rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mumble b/apparmor.d/profiles-m-r/mumble index 6608498b7..879d2b9bf 100644 --- a/apparmor.d/profiles-m-r/mumble 
+++ b/apparmor.d/profiles-m-r/mumble @@ -64,3 +64,5 @@ profile mumble @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mumble-overlay b/apparmor.d/profiles-m-r/mumble-overlay index 07f5a0107..61b287329 100644 --- a/apparmor.d/profiles-m-r/mumble-overlay +++ b/apparmor.d/profiles-m-r/mumble-overlay @@ -24,3 +24,5 @@ profile mumble-overlay @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/murmurd b/apparmor.d/profiles-m-r/murmurd index f9ee44271..aca74e562 100644 --- a/apparmor.d/profiles-m-r/murmurd +++ b/apparmor.d/profiles-m-r/murmurd @@ -43,3 +43,5 @@ profile murmurd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt index 27060bf3c..1ed63e68e 100644 --- a/apparmor.d/profiles-m-r/mutt +++ b/apparmor.d/profiles-m-r/mutt @@ -157,3 +157,5 @@ profile mutt @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index d01c714f6..e3222d2ff 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -83,3 +83,5 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke index addce84cb..805f69678 100644 --- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke +++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke @@ -23,4 +23,6 @@ profile needrestart-apt-pinvoke @{exec_path} { @{run}/needrestart/{,**} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-dpkg-status b/apparmor.d/profiles-m-r/needrestart-dpkg-status index 1de2b3200..fff97e67c 100644 --- a/apparmor.d/profiles-m-r/needrestart-dpkg-status 
+++ b/apparmor.d/profiles-m-r/needrestart-dpkg-status @@ -22,4 +22,6 @@ profile needrestart-dpkg-status @{exec_path} { @{run}/needrestart/{,**} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index 30a7bb801..37dd180c3 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -35,3 +35,5 @@ profile needrestart-iucode-scan-versions @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nemo b/apparmor.d/profiles-m-r/nemo index 56c2a960f..f28d053cd 100644 --- a/apparmor.d/profiles-m-r/nemo +++ b/apparmor.d/profiles-m-r/nemo @@ -26,3 +26,5 @@ profile nemo @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/netcap b/apparmor.d/profiles-m-r/netcap index 91de9da81..d1e5a2852 100644 --- a/apparmor.d/profiles-m-r/netcap +++ b/apparmor.d/profiles-m-r/netcap @@ -32,3 +32,5 @@ profile netcap @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nethogs b/apparmor.d/profiles-m-r/nethogs index 22fc63a36..e39e64621 100644 --- a/apparmor.d/profiles-m-r/nethogs +++ b/apparmor.d/profiles-m-r/nethogs @@ -31,3 +31,5 @@ profile nethogs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/netstat b/apparmor.d/profiles-m-r/netstat index 12060ddb8..039109ea2 100644 --- a/apparmor.d/profiles-m-r/netstat +++ b/apparmor.d/profiles-m-r/netstat @@ -47,3 +47,5 @@ profile netstat @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/newgidmap b/apparmor.d/profiles-m-r/newgidmap index 9c6303bef..9398350e1 100644 --- a/apparmor.d/profiles-m-r/newgidmap +++ b/apparmor.d/profiles-m-r/newgidmap 
@@ -26,4 +26,6 @@ profile newgidmap @{exec_path} { @{PROC}/@{pids}/gid_map w, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/newgrp b/apparmor.d/profiles-m-r/newgrp index 836da42f9..1878b9b5e 100644 --- a/apparmor.d/profiles-m-r/newgrp +++ b/apparmor.d/profiles-m-r/newgrp @@ -31,3 +31,5 @@ profile newgrp @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/newuidmap b/apparmor.d/profiles-m-r/newuidmap index b2d0a5e16..eeba22557 100644 --- a/apparmor.d/profiles-m-r/newuidmap +++ b/apparmor.d/profiles-m-r/newuidmap @@ -26,4 +26,6 @@ profile newuidmap @{exec_path} { @{PROC}/@{pids}/uid_map w, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nfsdcld b/apparmor.d/profiles-m-r/nfsdcld index 52223b8f1..a02e226c6 100644 --- a/apparmor.d/profiles-m-r/nfsdcld +++ b/apparmor.d/profiles-m-r/nfsdcld @@ -22,4 +22,6 @@ profile nfsdcld @{exec_path} { /var/lib/nfs/rpc_pipefs/nfsd/* rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nft b/apparmor.d/profiles-m-r/nft index caa99aa4d..50ee826cf 100644 --- a/apparmor.d/profiles-m-r/nft +++ b/apparmor.d/profiles-m-r/nft @@ -30,3 +30,5 @@ profile nft @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nmap b/apparmor.d/profiles-m-r/nmap index 4a40f4180..0eb1eceba 100644 --- a/apparmor.d/profiles-m-r/nmap +++ b/apparmor.d/profiles-m-r/nmap @@ -47,3 +47,5 @@ profile nmap @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nologin b/apparmor.d/profiles-m-r/nologin index 431ca92b3..fad964b64 100644 --- a/apparmor.d/profiles-m-r/nologin +++ b/apparmor.d/profiles-m-r/nologin 
@@ -17,4 +17,6 @@ profile nologin @{exec_path} { owner @{PROC}/@{pid}/loginuid r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nslookup b/apparmor.d/profiles-m-r/nslookup index 1cf1ec1fd..9ee225d9d 100644 --- a/apparmor.d/profiles-m-r/nslookup +++ b/apparmor.d/profiles-m-r/nslookup @@ -23,3 +23,5 @@ profile nslookup @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfs-3g b/apparmor.d/profiles-m-r/ntfs-3g index bf6fda62f..e5ae871b6 100644 --- a/apparmor.d/profiles-m-r/ntfs-3g +++ b/apparmor.d/profiles-m-r/ntfs-3g @@ -55,3 +55,5 @@ profile ntfs-3g @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfs-3g-probe b/apparmor.d/profiles-m-r/ntfs-3g-probe index 1b3d84d48..ef870e0f0 100644 --- a/apparmor.d/profiles-m-r/ntfs-3g-probe +++ b/apparmor.d/profiles-m-r/ntfs-3g-probe @@ -18,3 +18,5 @@ profile ntfs-3g-probe @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfscat b/apparmor.d/profiles-m-r/ntfscat index cba96e5ef..069a597e9 100644 --- a/apparmor.d/profiles-m-r/ntfscat +++ b/apparmor.d/profiles-m-r/ntfscat @@ -20,3 +20,5 @@ profile ntfscat @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfsclone b/apparmor.d/profiles-m-r/ntfsclone index 871cd69d6..06fe65684 100644 --- a/apparmor.d/profiles-m-r/ntfsclone +++ b/apparmor.d/profiles-m-r/ntfsclone @@ -26,3 +26,5 @@ profile ntfsclone @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfscluster b/apparmor.d/profiles-m-r/ntfscluster index fb5406347..62aff85c8 100644 --- a/apparmor.d/profiles-m-r/ntfscluster +++ b/apparmor.d/profiles-m-r/ntfscluster @@ -20,3 +20,5 @@ profile ntfscluster @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-m-r/ntfscmp b/apparmor.d/profiles-m-r/ntfscmp index 2df16e98e..c5ecddc5f 100644 --- a/apparmor.d/profiles-m-r/ntfscmp +++ b/apparmor.d/profiles-m-r/ntfscmp @@ -20,3 +20,5 @@ profile ntfscmp @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfscp b/apparmor.d/profiles-m-r/ntfscp index 323848b52..3beeb2b7a 100644 --- a/apparmor.d/profiles-m-r/ntfscp +++ b/apparmor.d/profiles-m-r/ntfscp @@ -27,3 +27,5 @@ profile ntfscp @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfsdecrypt b/apparmor.d/profiles-m-r/ntfsdecrypt index 4a9e437b8..e7ffe3188 100644 --- a/apparmor.d/profiles-m-r/ntfsdecrypt +++ b/apparmor.d/profiles-m-r/ntfsdecrypt @@ -22,3 +22,5 @@ profile ntfsdecrypt @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfsfallocate b/apparmor.d/profiles-m-r/ntfsfallocate index 03d346e80..670092820 100644 --- a/apparmor.d/profiles-m-r/ntfsfallocate +++ b/apparmor.d/profiles-m-r/ntfsfallocate @@ -20,3 +20,5 @@ profile ntfsfallocate @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfsfix b/apparmor.d/profiles-m-r/ntfsfix index 513985be5..179b3b7a9 100644 --- a/apparmor.d/profiles-m-r/ntfsfix +++ b/apparmor.d/profiles-m-r/ntfsfix @@ -20,3 +20,5 @@ profile ntfsfix @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfsinfo b/apparmor.d/profiles-m-r/ntfsinfo index 808723b00..3156e7004 100644 --- a/apparmor.d/profiles-m-r/ntfsinfo +++ b/apparmor.d/profiles-m-r/ntfsinfo @@ -20,3 +20,5 @@ profile ntfsinfo @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfslabel b/apparmor.d/profiles-m-r/ntfslabel index 4c780e65c..6eee15ef8 100644 --- a/apparmor.d/profiles-m-r/ntfslabel +++ b/apparmor.d/profiles-m-r/ntfslabel 
@@ -20,3 +20,5 @@ profile ntfslabel @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfsls b/apparmor.d/profiles-m-r/ntfsls index 7b0f63c53..56c2c28de 100644 --- a/apparmor.d/profiles-m-r/ntfsls +++ b/apparmor.d/profiles-m-r/ntfsls @@ -20,3 +20,5 @@ profile ntfsls @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfsmove b/apparmor.d/profiles-m-r/ntfsmove index f1263c8b6..876113c98 100644 --- a/apparmor.d/profiles-m-r/ntfsmove +++ b/apparmor.d/profiles-m-r/ntfsmove @@ -20,3 +20,5 @@ profile ntfsmove @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfsrecover b/apparmor.d/profiles-m-r/ntfsrecover index 971eea643..43de112c1 100644 --- a/apparmor.d/profiles-m-r/ntfsrecover +++ b/apparmor.d/profiles-m-r/ntfsrecover @@ -20,3 +20,5 @@ profile ntfsrecover @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfsresize b/apparmor.d/profiles-m-r/ntfsresize index f6c2608fc..e0e8f58d2 100644 --- a/apparmor.d/profiles-m-r/ntfsresize +++ b/apparmor.d/profiles-m-r/ntfsresize @@ -20,3 +20,5 @@ profile ntfsresize @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfssecaudit b/apparmor.d/profiles-m-r/ntfssecaudit index a1a0add39..ee38f60a0 100644 --- a/apparmor.d/profiles-m-r/ntfssecaudit +++ b/apparmor.d/profiles-m-r/ntfssecaudit @@ -21,3 +21,5 @@ profile ntfssecaudit @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfstruncate b/apparmor.d/profiles-m-r/ntfstruncate index a5d9aea5c..c9dec413a 100644 --- a/apparmor.d/profiles-m-r/ntfstruncate +++ b/apparmor.d/profiles-m-r/ntfstruncate @@ -20,3 +20,5 @@ profile ntfstruncate @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-m-r/ntfsundelete b/apparmor.d/profiles-m-r/ntfsundelete index 5b066d3f1..a01876961 100644 --- a/apparmor.d/profiles-m-r/ntfsundelete +++ b/apparmor.d/profiles-m-r/ntfsundelete @@ -24,3 +24,5 @@ profile ntfsundelete @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfsusermap b/apparmor.d/profiles-m-r/ntfsusermap index 056207ccd..acc6e8bbc 100644 --- a/apparmor.d/profiles-m-r/ntfsusermap +++ b/apparmor.d/profiles-m-r/ntfsusermap @@ -25,3 +25,5 @@ profile ntfsusermap @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfswipe b/apparmor.d/profiles-m-r/ntfswipe index 1c9a62f3d..1471e1d27 100644 --- a/apparmor.d/profiles-m-r/ntfswipe +++ b/apparmor.d/profiles-m-r/ntfswipe @@ -20,3 +20,5 @@ profile ntfswipe @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nullmailer-send b/apparmor.d/profiles-m-r/nullmailer-send index efc10f9de..e27e15429 100644 --- a/apparmor.d/profiles-m-r/nullmailer-send +++ b/apparmor.d/profiles-m-r/nullmailer-send @@ -22,4 +22,6 @@ profile nullmailer-send @{exec_path} { /var/spool/nullmailer/{,**} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/numlockx b/apparmor.d/profiles-m-r/numlockx index 672f33417..25903ed8b 100644 --- a/apparmor.d/profiles-m-r/numlockx +++ b/apparmor.d/profiles-m-r/numlockx @@ -21,3 +21,5 @@ profile numlockx @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nvidia-detector b/apparmor.d/profiles-m-r/nvidia-detector index a29711965..b0465ef85 100644 --- a/apparmor.d/profiles-m-r/nvidia-detector +++ b/apparmor.d/profiles-m-r/nvidia-detector @@ -14,3 +14,5 @@ profile nvidia-detector @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-m-r/nvidia-persistenced b/apparmor.d/profiles-m-r/nvidia-persistenced index da68f30e2..33dac3dba 100644 --- a/apparmor.d/profiles-m-r/nvidia-persistenced +++ b/apparmor.d/profiles-m-r/nvidia-persistenced @@ -25,3 +25,5 @@ profile nvidia-persistenced @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings index fa4c52f4c..d4bda6123 100644 --- a/apparmor.d/profiles-m-r/nvidia-settings +++ b/apparmor.d/profiles-m-r/nvidia-settings @@ -18,4 +18,6 @@ profile nvidia-settings @{exec_path} { /usr/share/pixmaps/{,**} r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index 0448b8db8..54c9c5959 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -48,4 +48,6 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { /dev/nvidia-caps/nvidia-cap@{int} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/obamenu b/apparmor.d/profiles-m-r/obamenu index a5768aa00..070ac10af 100644 --- a/apparmor.d/profiles-m-r/obamenu +++ b/apparmor.d/profiles-m-r/obamenu @@ -26,3 +26,5 @@ profile obamenu @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/obconf b/apparmor.d/profiles-m-r/obconf index f3a4c9d37..37e94369e 100644 --- a/apparmor.d/profiles-m-r/obconf +++ b/apparmor.d/profiles-m-r/obconf @@ -38,3 +38,5 @@ profile obconf @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/obex-folder-listing b/apparmor.d/profiles-m-r/obex-folder-listing index af0fda673..7aa4070c5 100644 --- a/apparmor.d/profiles-m-r/obex-folder-listing +++ b/apparmor.d/profiles-m-r/obex-folder-listing 
@@ -22,3 +22,5 @@ profile obex-folder-listing @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/obexautofs b/apparmor.d/profiles-m-r/obexautofs index 091a1df08..972829890 100644 --- a/apparmor.d/profiles-m-r/obexautofs +++ b/apparmor.d/profiles-m-r/obexautofs @@ -56,3 +56,5 @@ profile obexautofs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/obexctl b/apparmor.d/profiles-m-r/obexctl index b6e78eff1..d87243b75 100644 --- a/apparmor.d/profiles-m-r/obexctl +++ b/apparmor.d/profiles-m-r/obexctl @@ -20,3 +20,5 @@ profile obexctl @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/obexd b/apparmor.d/profiles-m-r/obexd index cb9f00b0d..9043489eb 100644 --- a/apparmor.d/profiles-m-r/obexd +++ b/apparmor.d/profiles-m-r/obexd @@ -33,3 +33,5 @@ profile obexd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/obexfs b/apparmor.d/profiles-m-r/obexfs index 24c4063e5..4a746ecf1 100644 --- a/apparmor.d/profiles-m-r/obexfs +++ b/apparmor.d/profiles-m-r/obexfs @@ -52,3 +52,5 @@ profile obexfs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/obexpush-atd b/apparmor.d/profiles-m-r/obexpush-atd index 3ea806849..17b0a2d37 100644 --- a/apparmor.d/profiles-m-r/obexpush-atd +++ b/apparmor.d/profiles-m-r/obexpush-atd @@ -15,3 +15,5 @@ profile obexpush-atd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/obexpushd b/apparmor.d/profiles-m-r/obexpushd index c6f4b6db7..33a922f41 100644 --- a/apparmor.d/profiles-m-r/obexpushd +++ b/apparmor.d/profiles-m-r/obexpushd @@ -26,3 +26,5 @@ profile obexpushd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/obxprop b/apparmor.d/profiles-m-r/obxprop index 4a1688e70..724f83de7 100644 --- a/apparmor.d/profiles-m-r/obxprop 
+++ b/apparmor.d/profiles-m-r/obxprop @@ -20,3 +20,5 @@ profile obxprop @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/odt2txt b/apparmor.d/profiles-m-r/odt2txt new file mode 100644 index 000000000..9be8b8642 --- /dev/null +++ b/apparmor.d/profiles-m-r/odt2txt @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/odt2txt +profile odt2txt @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power index d5248795f..d9b5a412e 100644 --- a/apparmor.d/profiles-m-r/on-ac-power +++ b/apparmor.d/profiles-m-r/on-ac-power @@ -29,3 +29,5 @@ profile on-ac-power @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/onefetch b/apparmor.d/profiles-m-r/onefetch index 02618d169..84a68634c 100644 --- a/apparmor.d/profiles-m-r/onefetch +++ b/apparmor.d/profiles-m-r/onefetch @@ -23,4 +23,6 @@ profile onefetch @{exec_path} { owner @{PROC}/@{pid}/stat r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox index 4788f38c6..ac0831f05 100644 --- a/apparmor.d/profiles-m-r/openbox +++ b/apparmor.d/profiles-m-r/openbox @@ -87,3 +87,5 @@ profile openbox @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/openbox-session b/apparmor.d/profiles-m-r/openbox-session index 185984063..61666f756 100644 --- a/apparmor.d/profiles-m-r/openbox-session +++ b/apparmor.d/profiles-m-r/openbox-session @@ -26,3 +26,5 @@ profile openbox-session @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/orage b/apparmor.d/profiles-m-r/orage index ee04dda66..571532b4f 100644 --- a/apparmor.d/profiles-m-r/orage 
+++ b/apparmor.d/profiles-m-r/orage @@ -69,3 +69,5 @@ profile orage @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index 5333bc944..819c4c9bd 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -75,3 +75,5 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 972d45265..b61426196 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -153,3 +153,5 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pacmd b/apparmor.d/profiles-m-r/pacmd index 9ebb1b1a0..752c3edd7 100644 --- a/apparmor.d/profiles-m-r/pacmd +++ b/apparmor.d/profiles-m-r/pacmd @@ -30,3 +30,5 @@ profile pacmd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pactl b/apparmor.d/profiles-m-r/pactl index 551dc7a9a..2f8092a02 100644 --- a/apparmor.d/profiles-m-r/pactl +++ b/apparmor.d/profiles-m-r/pactl @@ -31,3 +31,5 @@ profile pactl @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pagesize b/apparmor.d/profiles-m-r/pagesize index 64e575927..f6615a71e 100644 --- a/apparmor.d/profiles-m-r/pagesize +++ b/apparmor.d/profiles-m-r/pagesize @@ -18,3 +18,5 @@ profile pagesize @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 48af5a9f3..3d805f24c 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -64,3 +64,5 @@ profile pam-auth-update @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-m-r/pam-tmpdir-helper b/apparmor.d/profiles-m-r/pam-tmpdir-helper index 1c0836c1f..983ca7d42 100644 --- a/apparmor.d/profiles-m-r/pam-tmpdir-helper +++ b/apparmor.d/profiles-m-r/pam-tmpdir-helper @@ -22,4 +22,6 @@ profile pam-tmpdir-helper @{exec_path} { /dev/tty@{int} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pam/mappings b/apparmor.d/profiles-m-r/pam/mappings index 0f9d039fd..cbcb539ed 100644 --- a/apparmor.d/profiles-m-r/pam/mappings +++ b/apparmor.d/profiles-m-r/pam/mappings @@ -68,3 +68,5 @@ include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/parted b/apparmor.d/profiles-m-r/parted index bd0238323..9408674f8 100644 --- a/apparmor.d/profiles-m-r/parted +++ b/apparmor.d/profiles-m-r/parted 
@@ -12,63 +12,37 @@ profile parted @{exec_path} { include include - # Needed to inform the system of newly created/removed partitions - # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) - # - # Error: Partition(s) * on /dev/sd* have been written, but we have been unable to inform the - # kernel of the change, probably because it/they are in use. As a result, the old partition(s) - # will remain in use. You should reboot now before making further changes. capability sys_admin, - - # Needed? (#FIXME#) capability sys_rawio, - # Needed? - ptrace (read), + ptrace read, @{exec_path} mr, @{sh_path} rix, @{bin}/udevadm rCx -> udevadm, - - @{bin}/dmidecode rPx, + @{bin}/dmidecode rPx, /etc/inputrc r, - # Image files owner @{user_img_dirs}/{,**} rwk, @{PROC}/devices r, @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, - /dev/mapper/ r, - /dev/mapper/control rw, - profile udevadm { include + include + include - ptrace (read), - - @{bin}/udevadm mr, - - /etc/udev/udev.conf r, - - @{PROC}/1/cgroup r, - @{PROC}/1/environ r, - @{PROC}/1/sched r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/random/boot_id r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/stat r, - - # file_inherit - include # lots of files in this abstraction get inherited owner @{user_img_dirs}/{,**} rwk, + include if exists } include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/partprobe b/apparmor.d/profiles-m-r/partprobe index 27edebbf5..9e384c66c 100644 --- a/apparmor.d/profiles-m-r/partprobe +++ b/apparmor.d/profiles-m-r/partprobe 
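Review bot: The rewrite deletes `/dev/mapper/ r,` and `/dev/mapper/control rw,` from the main profile while keeping both `capability sys_admin` and `capability sys_rawio`; unless one of the new `include` lines (whose targets are not legible in this rendering) grants the device-mapper control node, parted will be denied the libdevmapper ioctls on LVM or dm-crypt hosts, so this deserves a check of the audit log on such a system. The deleted comment block was also the only recorded rationale for the two capabilities — BLKRRPART for `sys_admin`, and an explicit "Needed?" flag on `sys_rawio` — and with it gone the profile grants raw I/O with no trace of why. I would keep a one-line justification such as `capability sys_admin, # BLKRRPART: tell the kernel about rewritten partition tables` and either document or remove `sys_rawio`.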
@@ -12,58 +12,31 @@ profile partprobe @{exec_path} { include include - # To remove the following errors: - # device-mapper: version ioctl on failed: Permission denied - # Incompatible libdevmapper 1.02.167 (2019-11-30) and kernel driver (unknown version). capability sys_admin, - - # To remove the following errors: - # kernel: device-mapper: core: partprobe: sending ioctl 1261 to DM device without required - # privilege. capability sys_rawio, - # Needed? - ptrace (read), + ptrace read, @{exec_path} mr, @{sh_path} rix, @{bin}/udevadm rCx -> udevadm, + @{bin}/dmidecode rPx, - @{bin}/dmidecode rPx, - - owner @{PROC}/@{pid}/mounts r, - @{PROC}/swaps r, @{PROC}/devices r, - - /dev/mapper/ r, - /dev/mapper/control rw, - + @{PROC}/swaps r, + owner @{PROC}/@{pid}/mounts r, profile udevadm { include + include + include - ptrace (read), - - @{bin}/udevadm mr, - - /etc/udev/udev.conf r, - - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/cgroup r, - @{PROC}/cmdline r, - @{PROC}/1/sched r, - @{PROC}/1/environ r, - @{PROC}/1/cgroup r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/random/boot_id r, - - # file_inherit - include # lots of files in this abstraction get inherited - /dev/mapper/control rw, - + include if exists } include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 1dbcac174..724bd8f38 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -157,3 +157,5 @@ profile pass @{exec_path} { include if exists include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index d2ad4fd91..655804ccc 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -9,8 +9,10 @@ include @{exec_path} = @{bin}/pimport profile pass-import @{exec_path} { include - include + include include + include + include network inet dgram, network inet6 dgram, 
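Review bot: The removed comments quoted the concrete denials that motivated `capability sys_admin` and `capability sys_rawio` (the device-mapper version ioctl and `ioctl 1261 to DM device without required privilege`), and the same hunk deletes `/dev/mapper/control rw,` from both the main profile and the `udevadm` child; if those denials were real, the capabilities alone will not satisfy libdevmapper without file access to the control node, unless the new `include` lines (targets illegible here) supply it. Losing the quoted audit evidence also makes both broad capabilities harder to re-justify at the next review. I would restore a short note like `capability sys_rawio, # device-mapper ioctls on /dev/mapper/control` next to the rule, and either keep `/dev/mapper/control rw,` or name the abstraction that now provides it.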
@@ -39,3 +41,5 @@ profile pass-import @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/passimd b/apparmor.d/profiles-m-r/passimd index 2ead4d034..8afbac8e5 100644 --- a/apparmor.d/profiles-m-r/passimd +++ b/apparmor.d/profiles-m-r/passimd @@ -34,4 +34,6 @@ profile passimd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cmdline r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/passwd b/apparmor.d/profiles-m-r/passwd index 99d20eb10..f37f5651d 100644 --- a/apparmor.d/profiles-m-r/passwd +++ b/apparmor.d/profiles-m-r/passwd @@ -42,3 +42,5 @@ profile passwd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pavucontrol b/apparmor.d/profiles-m-r/pavucontrol index 0ea2b04ad..de3782b09 100644 --- a/apparmor.d/profiles-m-r/pavucontrol +++ b/apparmor.d/profiles-m-r/pavucontrol @@ -11,10 +11,9 @@ include profile pavucontrol @{exec_path} { include include + include + include include - include - include - include @{exec_path} mr, @@ -33,3 +32,5 @@ profile pavucontrol @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pcb-gtk b/apparmor.d/profiles-m-r/pcb-gtk index 9ff0fbcdd..99ad50a64 100644 --- a/apparmor.d/profiles-m-r/pcb-gtk +++ b/apparmor.d/profiles-m-r/pcb-gtk @@ -43,3 +43,5 @@ profile pcb-gtk @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index c4b5cb689..085061b15 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -35,3 +35,5 @@ profile pcscd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdftotext b/apparmor.d/profiles-m-r/pdftotext new file mode 100644 index 000000000..9980cff64 --- /dev/null +++ b/apparmor.d/profiles-m-r/pdftotext 
@@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdftotext +profile pdftotext @{exec_path} { + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} diff --git a/apparmor.d/profiles-m-r/picom b/apparmor.d/profiles-m-r/picom index baaa80dea..124d5c9c3 100644 --- a/apparmor.d/profiles-m-r/picom +++ b/apparmor.d/profiles-m-r/picom @@ -37,3 +37,5 @@ profile picom @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pidof b/apparmor.d/profiles-m-r/pidof index ba557f810..e2ea46e57 100644 --- a/apparmor.d/profiles-m-r/pidof +++ b/apparmor.d/profiles-m-r/pidof @@ -30,4 +30,6 @@ profile pidof @{exec_path} { owner /dev/tty@{int} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pinentry b/apparmor.d/profiles-m-r/pinentry index 3606078b7..c30bc5def 100644 --- a/apparmor.d/profiles-m-r/pinentry +++ b/apparmor.d/profiles-m-r/pinentry @@ -19,4 +19,6 @@ profile pinentry @{exec_path} { /etc/pinentry/preexec r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pinentry-curses b/apparmor.d/profiles-m-r/pinentry-curses index b9d53352f..1fd585f47 100644 --- a/apparmor.d/profiles-m-r/pinentry-curses +++ b/apparmor.d/profiles-m-r/pinentry-curses @@ -18,4 +18,6 @@ profile pinentry-curses @{exec_path} { /usr/share/terminfo/** r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index 5da9358bf..d6fc0abb0 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 
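Review bot: The new profile grants only `@{exec_path} mr,` and `/usr/share/poppler/{,**} r,`, with nothing covering the PDF it is asked to parse or the `.txt` it writes next to the input by default; whether the two `include` lines (their targets are stripped in this rendering) cover user documents cannot be checked from the hunk, and write access in particular is rarely part of a read abstraction. Since pdftotext is exactly the kind of parser that gets fed untrusted files, I would add explicit owner-scoped rules for the document locations and for the sibling output file, or a comment stating which included abstraction supplies them. The file also lacks the `# vim:syntax=apparmor` modeline that this same commit appends to every other profile.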
@@ -18,4 +18,6 @@ profile pinentry-gnome3 @{exec_path} { owner @{PROC}/@{pid}/cmdline r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pinentry-gtk-2 b/apparmor.d/profiles-m-r/pinentry-gtk-2 index c139e2e2b..efad3a6f1 100644 --- a/apparmor.d/profiles-m-r/pinentry-gtk-2 +++ b/apparmor.d/profiles-m-r/pinentry-gtk-2 @@ -23,3 +23,5 @@ profile pinentry-gtk-2 @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pinentry-kwallet b/apparmor.d/profiles-m-r/pinentry-kwallet index 612f68851..235c256a7 100644 --- a/apparmor.d/profiles-m-r/pinentry-kwallet +++ b/apparmor.d/profiles-m-r/pinentry-kwallet @@ -51,3 +51,5 @@ profile pinentry-kwallet @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index ae157744e..947350b8a 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt @@ -48,3 +48,5 @@ profile pinentry-qt @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pkcs11-register b/apparmor.d/profiles-m-r/pkcs11-register index 3ca20d326..c8238688e 100644 --- a/apparmor.d/profiles-m-r/pkcs11-register +++ b/apparmor.d/profiles-m-r/pkcs11-register @@ -12,8 +12,7 @@ profile pkcs11-register @{exec_path} { @{exec_path} mr, - /etc/opensc.conf r, - /etc/opensc/opensc.conf r, + /etc/{,opensc/}opensc.conf r, owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, owner @{HOME}/.mozilla/firefox/profiles.ini r, @@ -23,3 +22,5 @@ profile pkcs11-register @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index 417ca76fd..923d955af 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec 
@@ -37,12 +37,11 @@ profile pkexec @{exec_path} { # Apps to be run via pkexec @{bin}/* rPUx, + @{lib}/{,gvfs/}gvfsd-admin rPx, @{lib}/cc-remote-login-helper rPx, - @{lib}/gvfs/gvfsd-admin rPUx, #(#FIXME#) - @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, - @{lib}/polkit-agent-helper-[0-9] rPx, @{lib}/update-notifier/package-system-locked rPx, /usr/share/apport/apport-gtk rPx, + #aa:exec polkit-agent-helper @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*} r, @@ -59,7 +58,9 @@ profile pkexec @{exec_path} { owner @{HOME}/.xsession-errors w, # Silencer -deny @{user_share_dirs}/gvfs-metadata/* r, + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/profiles-m-r/pkttyagent index ce290da5f..68c85487b 100644 --- a/apparmor.d/profiles-m-r/pkttyagent +++ b/apparmor.d/profiles-m-r/pkttyagent @@ -33,3 +33,5 @@ profile pkttyagent @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/plank b/apparmor.d/profiles-m-r/plank index f94da07a7..77bad6788 100644 --- a/apparmor.d/profiles-m-r/plank +++ b/apparmor.d/profiles-m-r/plank @@ -24,3 +24,5 @@ profile plank @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/plocate b/apparmor.d/profiles-m-r/plocate index 21a27e43e..e66d0c14c 100644 --- a/apparmor.d/profiles-m-r/plocate +++ b/apparmor.d/profiles-m-r/plocate @@ -22,3 +22,5 @@ profile plocate @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/plocate-build b/apparmor.d/profiles-m-r/plocate-build index 615baabe5..5e81be8a3 100644 --- a/apparmor.d/profiles-m-r/plocate-build +++ b/apparmor.d/profiles-m-r/plocate-build @@ -20,3 +20,5 @@ profile plocate-build @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-m-r/popularity-contest b/apparmor.d/profiles-m-r/popularity-contest index 702ccbcdf..a4b93d5b5 100644 --- a/apparmor.d/profiles-m-r/popularity-contest +++ b/apparmor.d/profiles-m-r/popularity-contest @@ -51,3 +51,5 @@ profile popularity-contest @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index eb5470217..067968258 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -47,4 +47,6 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/firmware/acpi/pm_profile* rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/protonmail-bridge b/apparmor.d/profiles-m-r/protonmail-bridge index 92a5eb13c..3d3878c3e 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge +++ b/apparmor.d/profiles-m-r/protonmail-bridge 
@@ -2,80 +2,50 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Warning: only the protonmail-bridge CLI and service are supported, NOT the GUI. - abi , include -@{exec_path} = @{bin}/protonmail-bridge -profile protonmail-bridge @{exec_path} { - include - include +@{config_dirs} = @{user_config_dirs}/protonmail/bridge-v3 +@{cache_dirs} = @{user_cache_dirs}/protonmail/bridge-v3 "@{user_cache_dirs}/Proton AG/Proton Mail Bridge" +@{share_dirs} = @{user_share_dirs}/protonmail/bridge-v3 - network inet dgram, - network inet6 dgram, +@{exec_path} = @{lib}/protonmail/bridge/bridge-gui +profile protonmail-bridge @{exec_path} { + include + include + include + include + include + include + + # network inet dgram, + # network inet6 dgram, network inet stream, network inet6 stream, - network netlink raw, + # network netlink raw, @{exec_path} mr, - @{bin}/pass rCx -> pass, + @{lib}/protonmail/bridge/bridge rPx, + @{open_path} rPx -> child-open-strict, - /etc/lsb-release r, /etc/machine-id r, - owner /var/tmp/etilqs_@{hex} rw, + owner @{config_dirs}/ rw, + owner @{config_dirs}/** rwlk -> @{config_dirs}/**, - owner @{user_password_store_dirs}/docker-credential-helpers/{,**} r, - owner @{user_password_store_dirs}/protonmail-credentials/{,**} r, + owner @{cache_dirs}/ rw, + owner @{cache_dirs}/** rwlk -> @{cache_dirs}/**, - owner @{user_cache_dirs}/protonmail/{,**} rwk, - owner @{user_config_dirs}/protonmail/{,**} rwk, - owner @{user_share_dirs}/protonmail/{,**} rwk, + owner @{share_dirs}/ rw, + owner @{share_dirs}/** rwlk -> @{share_dirs}/**, - @{PROC}/sys/net/core/somaxconn r, - @{PROC}/@{pid}/cgroup r, + owner @{tmp}/@{uuid}.txt w, - # Force the use of the Gnome Keyring or Kwallet secret-service. - # Comment these lines and add the commented lines in your local/protonmail-bridge - # to allow the use of pass as secret-service. 
- # of pass as secret store - # deny @{bin}/pass rmx, - # deny owner @{user_password_store_dirs}/** r, - - profile pass { - include - include - - @{bin}/pass mr, - - @{sh_path} rix, - @{bin}/base64 rix, - @{bin}/dirname rix, - @{bin}/env rix, - @{bin}/getopt rix, - @{bin}/git rPx -> pass//git, - @{bin}/gpg{,2} rPx -> pass//gpg, - @{bin}/mkdir rix, - @{bin}/rm rix, - @{bin}/rmdir rix, - @{bin}/sed rix, - @{bin}/tail rix, - @{bin}/tree rix, - @{bin}/tty rix, - @{bin}/which rix, - - owner @{user_password_store_dirs}/ r, - owner @{user_password_store_dirs}/.gpg-id r, - owner @{user_password_store_dirs}/protonmail-credentials/{,**} rw, - deny owner @{user_password_store_dirs}/**/ r, - - /dev/tty rw, - - include if exists - } + owner @{PROC}/@{pid}/cmdline r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core new file mode 100644 index 000000000..b0d153ec2 --- /dev/null +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core 
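Review bot: Three rules are left commented out rather than removed (`# network inet dgram,`, `# network inet6 dgram,`, `# network netlink raw,`), and nothing says whether they are obsolete now that the profile attaches to `bridge-gui`, still pending, or intentionally withheld; dead rules in a profile tend to get uncommented at the first denial without anyone re-examining them. Either delete them or record the reason, e.g. `# network netlink raw,  # moved to protonmail-bridge-core`, if that is indeed why they were dropped. The hunk starts at the top of the file and the profile is complete within it.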
@@ -0,0 +1,85 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# To force the use of the Gnome Keyring or Kwallet secret-service, add the
+# following lines in your local/protonmail-bridge-core file:
+# deny @{bin}/pass x,
+# deny owner @{user_password_store_dirs}/** r,
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/protonmail/bridge/bridge
+profile protonmail-bridge-core @{exec_path} {
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ @{bin}/pass rCx -> pass,
+
+ /etc/lsb-release r,
+ /etc/machine-id r,
+
+ owner @{user_password_store_dirs}/docker-credential-helpers/{,**} r,
+ owner @{user_password_store_dirs}/protonmail-credentials/{,**} r,
+
+ owner @{user_cache_dirs}/protonmail/{,**} rwk,
+ owner @{user_config_dirs}/protonmail/{,**} rwk,
+ owner @{user_share_dirs}/protonmail/{,**} rwk,
+
+ owner "@{user_config_dirs}/autostart/Proton Mail Bridge.desktop" rw,
+
+ owner @{tmp}/bridge@{int} rw,
+ owner @{tmp}/etilqs_@{hex16} rw,
+ owner /var/tmp/etilqs_@{hex16} rw,
+
+ @{PROC}/ r,
+ @{PROC}/sys/net/core/somaxconn r,
+ @{PROC}/@{pid}/cgroup r,
+
+ deny @{bin}/pass x,
+ deny owner @{user_password_store_dirs}/** r,
+
+ profile pass {
+ include
+ include
+
+ @{bin}/pass mr,
+
+ @{sh_path} rix,
+ @{bin}/base64 rix,
+ @{bin}/dirname rix,
+ @{bin}/env rix,
+ @{bin}/getopt rix,
+ @{bin}/git rpx -> pass//git,
+ @{bin}/gpg{,2} rpx -> pass//gpg,
+ @{bin}/mkdir rix,
+ @{bin}/rm rix,
+ @{bin}/rmdir rix,
+ @{bin}/sed rix,
+ @{bin}/tail rix,
+ @{bin}/tree rix,
+ @{bin}/tty rix,
+ @{bin}/which rix,
+
+ owner @{user_password_store_dirs}/ r,
+ owner @{user_password_store_dirs}/.gpg-id r,
+ owner @{user_password_store_dirs}/protonmail-credentials/{,**} rw,
+ deny owner @{user_password_store_dirs}/**/ r,
+
+ /dev/tty rw,
+
+ include if exists
+ }
+
+ include if exists
+}
\ No newline at end
of file diff --git a/apparmor.d/profiles-m-r/ps b/apparmor.d/profiles-m-r/ps index dbaf443fc..bdcd6cee2 100644 --- a/apparmor.d/profiles-m-r/ps +++ b/apparmor.d/profiles-m-r/ps @@ -53,3 +53,5 @@ profile ps @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ps-mem b/apparmor.d/profiles-m-r/ps-mem index 4d0a5c642..f34992ccb 100644 --- a/apparmor.d/profiles-m-r/ps-mem +++ b/apparmor.d/profiles-m-r/ps-mem @@ -31,3 +31,5 @@ profile ps-mem @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pscap b/apparmor.d/profiles-m-r/pscap index 61bd4438a..8a88b26a4 100644 --- a/apparmor.d/profiles-m-r/pscap +++ b/apparmor.d/profiles-m-r/pscap @@ -24,3 +24,5 @@ profile pscap @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 84ae5b1b2..e764b69f8 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -56,12 +56,11 @@ profile psi @{exec_path} { owner @{user_share_dirs}/psi/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex} rw, + owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, @{run}/systemd/inhibit/[0-9]*.ref rw, - @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, @@ -91,3 +90,5 @@ profile psi @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index e1f78a45b..d9b1f7fd5 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus 
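Review bot: `deny @{bin}/pass x,` and `deny owner @{user_password_store_dirs}/** r,` are placed unconditionally in the main profile, directly above `profile pass {`, yet the header comment describes them as the lines a user adds to `local/protonmail-bridge-core` to force the keyring backend. AppArmor deny rules take precedence over allow rules, so as shipped the `@{bin}/pass rCx -> pass,` transition and the two `owner @{user_password_store_dirs}/...` read rules can never be granted and the whole `pass` child profile is unreachable; either drop the two deny lines, leaving them to local/ as documented, or rewrite the header to match. The `git` and `gpg` transitions also changed from the previous profile's `rPx` to `rpx`, which skips environment scrubbing on exec of the helpers that touch the credential store — worth a comment explaining why, or a revert to `rPx`. Finally, the file ends without a trailing newline and without the `# vim:syntax=apparmor` modeline the rest of this commit adds.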
@@ -56,12 +56,11 @@ profile psi-plus @{exec_path} { owner @{user_share_dirs}/psi+/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex} rw, + owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, @{run}/systemd/inhibit/[0-9]*.ref rw, - @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, @@ -91,3 +90,5 @@ profile psi-plus @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pstree b/apparmor.d/profiles-m-r/pstree index 3ad9e7b0c..a2630d212 100644 --- a/apparmor.d/profiles-m-r/pstree +++ b/apparmor.d/profiles-m-r/pstree @@ -28,3 +28,5 @@ profile pstree @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pulseeffects b/apparmor.d/profiles-m-r/pulseeffects index 4166f0678..0ef899263 100644 --- a/apparmor.d/profiles-m-r/pulseeffects +++ b/apparmor.d/profiles-m-r/pulseeffects @@ -38,3 +38,5 @@ profile pulseeffects @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pwck b/apparmor.d/profiles-m-r/pwck index 051417cf2..af459593a 100644 --- a/apparmor.d/profiles-m-r/pwck +++ b/apparmor.d/profiles-m-r/pwck @@ -29,3 +29,5 @@ profile pwck @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index e1eb03dd8..f9502cf75 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -150,3 +150,5 @@ profile qbittorrent @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/qbittorrent-nox b/apparmor.d/profiles-m-r/qbittorrent-nox index cc8edfd64..87bc84d51 100644 --- a/apparmor.d/profiles-m-r/qbittorrent-nox +++ b/apparmor.d/profiles-m-r/qbittorrent-nox 
@@ -46,7 +46,6 @@ profile qbittorrent-nox @{exec_path} { owner @{tmp}/qtsingleapp-qBitto-* rw, owner @{tmp}/qtsingleapp-qBitto-*-lockfile rwk, - @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, @@ -57,3 +56,5 @@ profile qbittorrent-nox @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index b873fb6a5..958706374 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -43,4 +43,6 @@ profile qemu-ga @{exec_path} { /dev/vport@{int}p@{int} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index 712750a33..911519459 100644 --- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi @@ -64,7 +64,6 @@ profile qnapi @{exec_path} { owner @{tmp}/QNapi.@{int}.tmp.* rwl -> /tmp/#@{int}, owner @{tmp}/QNapi.@{int} rw, - @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, @@ -74,3 +73,5 @@ profile qnapi @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/qpdfview b/apparmor.d/profiles-m-r/qpdfview index 2ced93511..e1ff13a92 100644 --- a/apparmor.d/profiles-m-r/qpdfview +++ b/apparmor.d/profiles-m-r/qpdfview @@ -54,7 +54,6 @@ profile qpdfview @{exec_path} { owner @{tmp}/#@{int} rw, owner @{tmp}/qpdfview.*.pdf rwl -> /tmp/#@{int}, - @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, @@ -64,4 +63,4 @@ profile qpdfview @{exec_path} { include if exists } - +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/qt5ct b/apparmor.d/profiles-m-r/qt5ct index 3d4d73bb7..43964d950 100644 --- a/apparmor.d/profiles-m-r/qt5ct +++ b/apparmor.d/profiles-m-r/qt5ct 
@@ -33,10 +33,11 @@ profile qt5ct @{exec_path} { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, /dev/shm/#@{int} rw, include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/qtchooser b/apparmor.d/profiles-m-r/qtchooser index 10749b88e..2202d8c5f 100644 --- a/apparmor.d/profiles-m-r/qtchooser +++ b/apparmor.d/profiles-m-r/qtchooser @@ -23,3 +23,5 @@ profile qtchooser @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/qtox b/apparmor.d/profiles-m-r/qtox index a60136402..e97bcc2ec 100644 --- a/apparmor.d/profiles-m-r/qtox +++ b/apparmor.d/profiles-m-r/qtox @@ -50,7 +50,6 @@ profile qtox @{exec_path} { owner @{user_share_dirs}/qTox/** rw, owner @{PROC}/@{pid}/cmdline r, - @{PROC}/sys/kernel/core_pattern r, # for KCrash::initialize() owner @{tmp}/qipc_{systemsem,sharedmemory}_*@{hex} rw, @@ -59,3 +58,5 @@ profile qtox @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index a0463bb98..1154ff337 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -63,7 +63,7 @@ profile quiterss @{exec_path} { owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw, owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, - owner /var/tmp/etilqs_@{hex} rw, + owner /var/tmp/etilqs_@{hex16} rw, # Allowed apps to open @{lib}/firefox/firefox rPUx, @@ -97,3 +97,5 @@ profile quiterss @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rdmsr b/apparmor.d/profiles-m-r/rdmsr index 5500bbfda..c3a4a8a22 100644 --- a/apparmor.d/profiles-m-r/rdmsr +++ b/apparmor.d/profiles-m-r/rdmsr @@ -20,3 +20,5 @@ profile rdmsr @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 833c81818..dcee35f62 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -60,3 +60,5 @@ profile remmina @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/repo b/apparmor.d/profiles-m-r/repo index 0132cbe9a..6f3ba2417 100644 --- a/apparmor.d/profiles-m-r/repo +++ b/apparmor.d/profiles-m-r/repo @@ -74,3 +74,5 @@ profile repo @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/reprepro b/apparmor.d/profiles-m-r/reprepro index b0d31a4fb..4ef5e6b42 100644 --- a/apparmor.d/profiles-m-r/reprepro +++ b/apparmor.d/profiles-m-r/reprepro @@ -70,3 +70,5 @@ profile reprepro @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/resize2fs b/apparmor.d/profiles-m-r/resize2fs index 7406602e4..114846812 100644 --- a/apparmor.d/profiles-m-r/resize2fs +++ b/apparmor.d/profiles-m-r/resize2fs @@ -28,3 +28,5 @@ profile resize2fs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf index 8609e4858..6dfe82b6e 100644 --- a/apparmor.d/profiles-m-r/resolvconf +++ b/apparmor.d/profiles-m-r/resolvconf @@ -37,3 +37,5 @@ profile resolvconf @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rfkill b/apparmor.d/profiles-m-r/rfkill index a0ba2c7b3..f64dd20ba 100644 --- a/apparmor.d/profiles-m-r/rfkill +++ b/apparmor.d/profiles-m-r/rfkill @@ -20,3 +20,5 @@ profile rfkill @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index b929f1a7a..0f65d8f71 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd 
@@ -24,8 +24,7 @@ profile rngd @{exec_path} flags=(attach_disconnected) { /etc/conf.d/rngd r, /etc/machine-id r, - /etc/opensc.conf r, - /etc/opensc/opensc.conf r, + /etc/{,opensc/}opensc.conf r, /var/lib/dbus/machine-id r, @{sys}/devices/virtual/misc/hw_random/rng_available r, @@ -38,3 +37,5 @@ profile rngd @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rpi-imager b/apparmor.d/profiles-m-r/rpi-imager index 946219e92..641217f56 100644 --- a/apparmor.d/profiles-m-r/rpi-imager +++ b/apparmor.d/profiles-m-r/rpi-imager @@ -66,3 +66,5 @@ profile rpi-imager @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rredtool b/apparmor.d/profiles-m-r/rredtool index 569f9f25a..d8024b279 100644 --- a/apparmor.d/profiles-m-r/rredtool +++ b/apparmor.d/profiles-m-r/rredtool @@ -15,3 +15,5 @@ profile rredtool @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 60f6d63e9..423e7e41a 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -49,3 +49,5 @@ profile rsyslogd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index 72d6f0e7f..21e715579 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon @@ -37,3 +37,5 @@ profile rtkit-daemon @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rtkitctl b/apparmor.d/profiles-m-r/rtkitctl index adbe7d66b..d855c0a35 100644 --- a/apparmor.d/profiles-m-r/rtkitctl +++ b/apparmor.d/profiles-m-r/rtkitctl @@ -15,3 +15,5 @@ profile rtkitctl @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 726f6f64e..8fe649ff5 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -240,3 +240,5 @@ profile run-parts @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/runuser b/apparmor.d/profiles-m-r/runuser index 590ed971c..97100f32a 100644 --- a/apparmor.d/profiles-m-r/runuser +++ b/apparmor.d/profiles-m-r/runuser @@ -49,3 +49,5 @@ profile runuser @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index c711530ef..956aaeaa4 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -134,3 +134,5 @@ profile rustdesk_shell { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rustdesk-utils b/apparmor.d/profiles-m-r/rustdesk-utils index 8c5817b15..0707f9c8f 100644 --- a/apparmor.d/profiles-m-r/rustdesk-utils +++ b/apparmor.d/profiles-m-r/rustdesk-utils @@ -18,3 +18,5 @@ profile rustdesk-utils @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/YACReader b/apparmor.d/profiles-s-z/YACReader index dee5b3522..ccbbb2494 100644 --- a/apparmor.d/profiles-s-z/YACReader +++ b/apparmor.d/profiles-s-z/YACReader @@ -43,4 +43,6 @@ profile YACReader @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/mountinfo r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index 50e5ae8c8..418167345 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary 
@@ -46,4 +46,6 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted owner @{PROC}/@{pid}/cmdline r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs index 1bc9288da..d614330d2 100644 --- a/apparmor.d/profiles-s-z/s3fs +++ b/apparmor.d/profiles-s-z/s3fs @@ -69,4 +69,6 @@ profile s3fs @{exec_path} { } include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sanoid b/apparmor.d/profiles-s-z/sanoid index f0b8426c6..aadad6860 100644 --- a/apparmor.d/profiles-s-z/sanoid +++ b/apparmor.d/profiles-s-z/sanoid @@ -31,3 +31,5 @@ profile sanoid @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index 388145d76..938ecb638 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -39,4 +39,6 @@ profile sbctl @{exec_path} { deny network inet6 stream, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy index 711cd73ad..8903fe287 100644 --- a/apparmor.d/profiles-s-z/scrcpy +++ b/apparmor.d/profiles-s-z/scrcpy @@ -38,3 +38,5 @@ profile scrcpy @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/scrot b/apparmor.d/profiles-s-z/scrot index f423775f6..377bb7962 100644 --- a/apparmor.d/profiles-s-z/scrot +++ b/apparmor.d/profiles-s-z/scrot @@ -29,3 +29,5 @@ profile scrot @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sdcv b/apparmor.d/profiles-s-z/sdcv index 7ad78e8a4..cfc6c1b3c 100644 --- a/apparmor.d/profiles-s-z/sdcv +++ b/apparmor.d/profiles-s-z/sdcv 
@@ -21,4 +21,6 @@ profile sdcv @{exec_path} { owner @{user_cache_dirs}/sdcv/{,**} rwk, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/secure-time-sync b/apparmor.d/profiles-s-z/secure-time-sync index bf11debcd..3ded8b7ae 100644 --- a/apparmor.d/profiles-s-z/secure-time-sync +++ b/apparmor.d/profiles-s-z/secure-time-sync @@ -31,3 +31,5 @@ profile secure-time-sync @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index b64790203..618332bce 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors @@ -45,3 +45,5 @@ profile sensors @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index 820c31d1f..577041922 100644 --- a/apparmor.d/profiles-s-z/sensors-detect +++ b/apparmor.d/profiles-s-z/sensors-detect @@ -41,13 +41,7 @@ profile sensors-detect @{exec_path} { profile udevadm { include - include - - capability sys_ptrace, - - @{bin}/udevadm mr, - - /etc/udev/udev.conf r, + include include if exists } @@ -74,3 +68,5 @@ profile sensors-detect @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci index 9bfc43d0f..25fe43065 100644 --- a/apparmor.d/profiles-s-z/setpci +++ b/apparmor.d/profiles-s-z/setpci @@ -19,3 +19,5 @@ profile setpci @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/setvtrgb b/apparmor.d/profiles-s-z/setvtrgb index 7080cd909..79398e82d 100644 --- a/apparmor.d/profiles-s-z/setvtrgb +++ b/apparmor.d/profiles-s-z/setvtrgb @@ -18,4 +18,6 @@ profile setvtrgb @{exec_path} { /dev/tty@{int} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/sfdisk b/apparmor.d/profiles-s-z/sfdisk index 4afa8e575..5b75a27ef 100644 --- a/apparmor.d/profiles-s-z/sfdisk +++ b/apparmor.d/profiles-s-z/sfdisk @@ -34,3 +34,5 @@ profile sfdisk @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sgdisk b/apparmor.d/profiles-s-z/sgdisk index 778548d75..00a8c7a56 100644 --- a/apparmor.d/profiles-s-z/sgdisk +++ b/apparmor.d/profiles-s-z/sgdisk @@ -25,3 +25,5 @@ profile sgdisk @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sing-box b/apparmor.d/profiles-s-z/sing-box index 07c557d7c..eb9866b53 100644 --- a/apparmor.d/profiles-s-z/sing-box +++ b/apparmor.d/profiles-s-z/sing-box @@ -35,3 +35,5 @@ profile sing-box @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/slirp4netns b/apparmor.d/profiles-s-z/slirp4netns index efd6756b7..0ec43cc9b 100644 --- a/apparmor.d/profiles-s-z/slirp4netns +++ b/apparmor.d/profiles-s-z/slirp4netns @@ -41,4 +41,6 @@ profile slirp4netns @{exec_path} flags=(attach_disconnected) { /dev/net/tun rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/smartctl b/apparmor.d/profiles-s-z/smartctl index 442f4fd9b..6487e82e3 100644 --- a/apparmor.d/profiles-s-z/smartctl +++ b/apparmor.d/profiles-s-z/smartctl @@ -27,3 +27,5 @@ profile smartctl @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd index 3e710291b..4548813bf 100644 --- a/apparmor.d/profiles-s-z/smartd +++ b/apparmor.d/profiles-s-z/smartd @@ -53,3 +53,5 @@ profile smartd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/smbspool b/apparmor.d/profiles-s-z/smbspool index 4ae50fbb4..010226342 100644 --- a/apparmor.d/profiles-s-z/smbspool +++ b/apparmor.d/profiles-s-z/smbspool 
@@ -15,4 +15,6 @@ profile smbspool @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/smplayer b/apparmor.d/profiles-s-z/smplayer index 3751c4ab0..d8de18f20 100644 --- a/apparmor.d/profiles-s-z/smplayer +++ b/apparmor.d/profiles-s-z/smplayer @@ -87,3 +87,5 @@ profile smplayer @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/smtube b/apparmor.d/profiles-s-z/smtube index c8cb926e3..af761d43c 100644 --- a/apparmor.d/profiles-s-z/smtube +++ b/apparmor.d/profiles-s-z/smtube @@ -102,3 +102,5 @@ profile smtube @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index 3d71ce766..f59fd9226 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -111,3 +111,5 @@ profile snap @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snap-bootstrap b/apparmor.d/profiles-s-z/snap-bootstrap index de4635dd1..71a4ad8f2 100644 --- a/apparmor.d/profiles-s-z/snap-bootstrap +++ b/apparmor.d/profiles-s-z/snap-bootstrap @@ -13,4 +13,6 @@ profile snap-bootstrap @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snap-device-helper b/apparmor.d/profiles-s-z/snap-device-helper index 836071c08..ec342d4e2 100644 --- a/apparmor.d/profiles-s-z/snap-device-helper +++ b/apparmor.d/profiles-s-z/snap-device-helper @@ -20,4 +20,6 @@ profile snap-device-helper @{exec_path} { @{sys}/fs/bpf/snap/ w, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snap-discard-ns b/apparmor.d/profiles-s-z/snap-discard-ns index 2ba6f81ad..ab90529b7 100644 --- a/apparmor.d/profiles-s-z/snap-discard-ns +++ b/apparmor.d/profiles-s-z/snap-discard-ns 
@@ -30,4 +30,6 @@ profile snap-discard-ns @{exec_path} { @{run}/snapd/ns/* rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snap-failure b/apparmor.d/profiles-s-z/snap-failure index 9f6399064..df8fe47fb 100644 --- a/apparmor.d/profiles-s-z/snap-failure +++ b/apparmor.d/profiles-s-z/snap-failure @@ -31,4 +31,6 @@ profile snap-failure @{exec_path} { } include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snap-repair b/apparmor.d/profiles-s-z/snap-repair index 1527a465c..d5f282ffa 100644 --- a/apparmor.d/profiles-s-z/snap-repair +++ b/apparmor.d/profiles-s-z/snap-repair @@ -13,4 +13,6 @@ profile snap-repair @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/profiles-s-z/snap-seccomp index f62f3a3f3..0da410bca 100644 --- a/apparmor.d/profiles-s-z/snap-seccomp +++ b/apparmor.d/profiles-s-z/snap-seccomp @@ -27,4 +27,6 @@ profile snap-seccomp @{exec_path} { deny @{user_share_dirs}/gvfs-metadata/* r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns index 328eab743..e9315f5c7 100644 --- a/apparmor.d/profiles-s-z/snap-update-ns +++ b/apparmor.d/profiles-s-z/snap-update-ns @@ -54,4 +54,6 @@ profile snap-update-ns @{exec_path} { @{PROC}/version r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index dfae29999..3892a8ca4 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -180,4 +180,6 @@ profile snapd @{exec_path} { } include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener b/apparmor.d/profiles-s-z/snapd-aa-prompt-listener index f8c1df718..3e3045b80 100644 --- a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener +++ b/apparmor.d/profiles-s-z/snapd-aa-prompt-listener @@ -21,4 +21,6 @@ profile snapd-aa-prompt-listener @{exec_path} { @{PROC}/cmdline r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-ui b/apparmor.d/profiles-s-z/snapd-aa-prompt-ui index 35c6d5e4c..d7b9b3713 100644 --- a/apparmor.d/profiles-s-z/snapd-aa-prompt-ui +++ b/apparmor.d/profiles-s-z/snapd-aa-prompt-ui @@ -19,4 +19,6 @@ profile snapd-aa-prompt-ui @{exec_path} { @{PROC}/cmdline r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snapd-apparmor b/apparmor.d/profiles-s-z/snapd-apparmor index d9be96e87..22a9c5faa 100644 --- a/apparmor.d/profiles-s-z/snapd-apparmor +++ b/apparmor.d/profiles-s-z/snapd-apparmor @@ -27,4 +27,6 @@ profile snapd-apparmor @{exec_path} { @{PROC}/cmdline r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snapd-core-fixup b/apparmor.d/profiles-s-z/snapd-core-fixup index 7d407df32..fffbc4468 100644 --- a/apparmor.d/profiles-s-z/snapd-core-fixup +++ b/apparmor.d/profiles-s-z/snapd-core-fixup @@ -13,4 +13,6 @@ profile snapd-core-fixup @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spacefm-auth b/apparmor.d/profiles-s-z/spacefm-auth index 2e7f34125..754908eac 100644 --- a/apparmor.d/profiles-s-z/spacefm-auth +++ b/apparmor.d/profiles-s-z/spacefm-auth @@ -16,3 +16,5 @@ profile spacefm-auth @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker index 2ff6defc3..98d677189 100644 --- a/apparmor.d/profiles-s-z/spectre-meltdown-checker +++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker @@ -187,3 +187,5 @@ profile spectre-meltdown-checker @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/speedtest b/apparmor.d/profiles-s-z/speedtest index 5c299fb8d..511f32a96 100644 --- a/apparmor.d/profiles-s-z/speedtest +++ b/apparmor.d/profiles-s-z/speedtest @@ -34,3 +34,5 @@ profile speedtest @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper index be131b3e9..1847c93d7 100644 --- a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper +++ b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper @@ -23,4 +23,6 @@ profile spice-client-glib-usb-acl-helper @{exec_path} { @{PROC}/sys/kernel/cap_last_cap r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index e25574bb9..c2fd27ced 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -47,3 +47,5 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index cdaf03b9a..e9a8b6330 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -30,3 +30,5 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index e588ffbcf..db2e7ebe9 100644 --- a/apparmor.d/profiles-s-z/spotify 
+++ b/apparmor.d/profiles-s-z/spotify @@ -56,3 +56,5 @@ profile spotify @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss index 99d05d286..36f4c988d 100644 --- a/apparmor.d/profiles-s-z/ss +++ b/apparmor.d/profiles-s-z/ss @@ -45,3 +45,5 @@ profile ss @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sslocal b/apparmor.d/profiles-s-z/sslocal index 2ce04f3e6..beff6a1e9 100644 --- a/apparmor.d/profiles-s-z/sslocal +++ b/apparmor.d/profiles-s-z/sslocal @@ -29,3 +29,5 @@ profile sslocal @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ssmanager b/apparmor.d/profiles-s-z/ssmanager index affdd3e85..7a89ea8bd 100644 --- a/apparmor.d/profiles-s-z/ssmanager +++ b/apparmor.d/profiles-s-z/ssmanager @@ -29,3 +29,5 @@ profile ssmanager @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ssserver b/apparmor.d/profiles-s-z/ssserver index 07690f08c..51dc62837 100644 --- a/apparmor.d/profiles-s-z/ssserver +++ b/apparmor.d/profiles-s-z/ssserver @@ -28,3 +28,5 @@ profile ssserver @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ssservice b/apparmor.d/profiles-s-z/ssservice index 5c63da5c2..1c62764b2 100644 --- a/apparmor.d/profiles-s-z/ssservice +++ b/apparmor.d/profiles-s-z/ssservice @@ -16,3 +16,5 @@ profile ssservice @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ssurl b/apparmor.d/profiles-s-z/ssurl index 9471ab0ad..e1c7b9068 100644 --- a/apparmor.d/profiles-s-z/ssurl +++ b/apparmor.d/profiles-s-z/ssurl @@ -24,3 +24,5 @@ profile ssurl @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/start-pulseaudio-x11 b/apparmor.d/profiles-s-z/start-pulseaudio-x11 index 3287c7556..616b66963 100644 
--- a/apparmor.d/profiles-s-z/start-pulseaudio-x11 +++ b/apparmor.d/profiles-s-z/start-pulseaudio-x11 @@ -24,4 +24,6 @@ profile start-pulseaudio-x11 @{exec_path} { /dev/tty rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/startx b/apparmor.d/profiles-s-z/startx index 9a51396c9..26cf4027f 100644 --- a/apparmor.d/profiles-s-z/startx +++ b/apparmor.d/profiles-s-z/startx @@ -47,3 +47,5 @@ profile startx @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 85f5191bb..8de447bfe 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam 
@@ -6,28 +6,32 @@ # - Ensure no user data is accessed by either steam or steam games # - Limit what steam/games can access to the host # -# Current architecture: +# Overall architecture of the steam profiles: # steam -# ├── steam-fossilize -# ├── steam-reaper -# │ └── steam-game -# ├── steam-gameoverlayui -# └── steamerrorreporter +# ├── steam//check # Requirements check (sandboxed) +# ├── steam//web # steamwebhelper (sandboxed) +# ├── steam-fossilize # Update shader cache +# ├── steam-runtime # Launcher tasks up to the creation of the sandbox +# │ ├── steam-game-native # Native games +# │ └── steam-game-proton # Proton games (sandboxed) +# ├── steam-gameoverlayui # Steam game overlay +# └── steamerrorreporter # Error reporter abi , include -@{share_dirs} = @{user_share_dirs}/Steam +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper +@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} -@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} +@{app_dirs} = @{share_dirs}/steamapps/common/ @{exec_path} = @{share_dirs}/steam.sh profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include - include include include include 
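Review bot: The architecture diagram added at the top of the file omits child profiles and peers that the rules in the following hunks reference, so it reads as complete when it is not: `steam//lspci` and `steam//systemctl` are defined as children and `steam-launcher` is a signal peer, while only `steam//check` and `steam//web` appear in the tree. Consider adding those entries, or a line such as `# child profiles lspci/systemctl (helper tasks) omitted`, so the diagram matches the profile. The profile body itself continues outside this hunk.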
@@ -38,69 +42,75 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + capability sys_ptrace, + network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, + network unix, - ptrace (read), - ptrace (trace) peer=steam, + ptrace read, + ptrace trace peer=steam, - signal (send) peer=steam-game, - signal (read), + signal send peer=steam-game, + signal send peer=steam-launcher, + signal send peer=steam//journalctl, + signal send peer=steam//web, - unix (receive) type=stream, + unix, @{exec_path} mrix, @{sh_path} rix, @{coreutils_path} rix, - @{bin}/cmp rix, - @{bin}/file rix, @{bin}/getopt rix, - @{bin}/gzip rix, + @{bin}/journalctl rPx -> systemctl, @{bin}/ldconfig rix, @{bin}/ldd rix, - @{bin}/localedef rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsof rix, @{bin}/lspci rCx -> lspci, - @{bin}/steam-runtime-urlopen rix, - @{bin}/tar rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/xdg-icon-resource rPx, @{bin}/xdg-user-dir rix, - @{bin}/xz rix, - @{bin}/zenity rix, + @{lib}/@{multiarch}/ld-*.so* rix, @{lib}/ld-linux.so* rix, + @{open_path} rPx -> child-open, - @{lib_dirs}/** mr, - @{lib_dirs}/*/** ix, - @{lib_dirs}/*driverquery rix, - @{lib_dirs}/fossilize_replay rpx, - @{lib_dirs}/gameoverlayui rpx, - @{lib_dirs}/reaper rpx, - @{lib_dirs}/steam* rix, + @{lib_dirs}/** mr, + @{lib_dirs}/*driverquery rix, + @{lib_dirs}/fossilize_replay rpx, + @{lib_dirs}/gameoverlayui rpx, + @{lib_dirs}/reaper rpx, # steam-runtime + @{lib_dirs}/steam* rix, - # Entry point for steam-game - @{runtime_dirs}/*entry-point rpx, - - @{lib}/pressure-vessel/from-host/** rix, - @{run}/host/@{bin}/* rix, - @{run}/host/@{lib}/** rix, + @{app_dirs}/@{runtime}/*entry-point rpx -> steam-runtime, @{share_dirs}/linux{32,64}/steamerrorreporter rpx, - @{share_dirs}/config/cefdata/WidevineCdm/**/linux_*/libwidevinecdm.so rm, - /usr/lib/os-release rk, - /usr/share/fonts/**.{ttf,otf} rk, - 
/usr/share/terminfo/** r, - /usr/share/zenity/* r, + @{runtime_dirs}/@{arch}/@{bin}/srt-logger rix, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements rcx -> check, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-identify-library-abi rix, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service rpx, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-supervisor rix, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info rix, + @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, + @{runtime_dirs}/*entry-point rix, + @{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, + @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, + @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web, + @{runtime_dirs}/run{,.sh} rix, + @{runtime_dirs}/setup.sh rix, + + @{lib}/os-release rk, + + /usr/share/fonts/** rk, /etc/lsb-release r, - /etc/udev/udev.conf r, /etc/machine-id r, + /etc/timezone r, /var/lib/dbus/machine-id r, @{bin}/ r, @@ -108,16 +118,11 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { / r, /etc/ r, /home/ r, - /run/ r, /usr/ r, /usr/local/ r, /usr/local/lib/ r, /var/ r, - - owner /bindfile@{rand6} rw, - - owner /var/pressure-vessel/** rw, - owner /var/cache/ldconfig/aux-cache* rw, + /var/tmp/ r, owner @{HOME}/ r, owner @{HOME}/.steam/{,**} rw, 
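Review bot: The new `@{bin}/journalctl rPx -> systemctl,` transition and `signal send peer=steam//journalctl,` do not agree with the child profile added in the @@ -250 hunk: `Px -> systemctl` targets a top-level profile named systemctl, so the child `profile systemctl { … }` defined later is never entered (a child needs `rCx -> systemctl`, which runs as `steam//systemctl`), and no profile named `steam//journalctl` is defined anywhere in the diff, so that signal rule matches nothing. If the intent is to confine journalctl in the child, change the two lines to `@{bin}/journalctl rCx -> systemctl,` and `signal send peer=steam//systemctl,`; if the existing top-level systemctl profile is intended, the child block is dead and can be dropped. Separately, replacing `unix (receive) type=stream,` with a bare `unix,` grants every unix-socket operation to any peer; if the broader rule is needed, a comment naming which IPC required it would help later tightening. The profile body continues beyond this hunk.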
@@ -131,117 +136,259 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_games_dirs}/ rw, owner @{user_games_dirs}/** rwlk -> @{user_games_dirs}/**, + owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, owner @{user_config_dirs}/autostart/ r, owner @{user_config_dirs}/cef_user_data/{,**} r, owner @{user_config_dirs}/cef_user_data/Dictionaries/* rw, owner @{user_config_dirs}/cef_user_data/WidevineCdm/** rwm, - owner @{user_config_dirs}/unity3d/{,**} rwk, - owner @{user_config_dirs}/user-dirs.dirs r, + owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, owner @{user_share_dirs}/applications/*.desktop w, owner @{user_share_dirs}/icons/hicolor/**/apps/steam*.png rw, owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk, - owner /dev/shm/#@{int} rw, - owner /dev/shm/fossilize-*-@{int}-@{int} rw, - owner /dev/shm/u@{uid}-Shm_@{hex} rw, - owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, - owner /dev/shm/ValveIPCSHM_@{uid} rw, - @{tmp}/ r, + owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, owner @{tmp}/#@{int} rw, owner @{tmp}/dumps/ rw, owner @{tmp}/dumps/** rwk, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, - owner @{tmp}/miles_image_* mrw, - owner @{tmp}/pressure-vessel-*-@{rand6}/ rw, - owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**, - owner @{tmp}/runtime-info.txt.* rwk, - owner @{tmp}/sh-thd.* rw, - owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw, + owner @{tmp}/glx-icds-@{rand6}/{,**} rw, + owner @{tmp}/runtime-info.txt.@{rand6} rwk, owner @{tmp}/steam@{rand6}/{,**} rw, owner @{tmp}/steam/ rw, owner @{tmp}/steam/** rwk, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, - owner @{run}/pressure-vessel/** r, + owner /dev/shm/fossilize-*-@{int}-@{int} rw, + owner /dev/shm/u@{uid}-Shm_@{hex6} rw, + owner 
/dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, + owner /dev/shm/u@{uid}-Shm_@{hex8} rw, + owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, + owner /dev/shm/ValveIPCSHM_@{uid} rw, + owner @{run}/user/@{uid}/ r, - @{run}/host/{,**} r, - - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{run}/udev/data/c116:@{int} r, # for ALSA - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{run}/udev/data/n@{int} r, @{sys}/ r, @{sys}/bus/ r, - @{sys}/bus/pci/devices/ r, @{sys}/class/ r, @{sys}/class/hidraw/ r, @{sys}/class/input/ r, @{sys}/class/net/ r, - @{sys}/devices/@{pci}/class r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}report_descriptor r, - @{sys}/devices/@{pci}/sound/card@{int}/** r, - @{sys}/devices/@{pci}/usb@{int}/{manufacturer,product,bcdDevice,bInterfaceNumber} r, + @{sys}/class/power_supply/ r, + @{sys}/devices/ r, + @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/sound/card@{int}/input@{int}/properties r, @{sys}/devices/**/input@{int}/ r, @{sys}/devices/**/input@{int}/capabilities/* r, @{sys}/devices/**/input/input@{int}/ r, @{sys}/devices/**/input/input@{int}/properties r, + @{sys}/devices/**/power_supply/{AC,BAT@{int},hidpp_battery_@{int}}/{,*} r, + @{sys}/devices/**/report_descriptor r, @{sys}/devices/**/uevent r, - @{sys}/devices/system/cpu/** r, - @{sys}/devices/system/node/ r, - @{sys}/devices/virtual/**/report_descriptor r, + @{sys}/devices/system/ r, + @{sys}/devices/system/cpu/cpu@{int}/ r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/bios_version r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/net/*/ r, - @{sys}/devices/virtual/tty/tty@{int}/active r, @{sys}/kernel/ r, @{sys}/power/suspend_stats/success rk, @{PROC}/ r, - 
@{PROC}/@{pids}/comm rk, - @{PROC}/@{pids}/net/route r, - @{PROC}/@{pids}/stat r, - @{PROC}/locks r, + @{PROC}/@{pid}/comm rk, + @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pid}/net/* r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/stat r, @{PROC}/1/cgroup r, - @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/locks r, @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/kernel/unprivileged_userns_clone r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, @{PROC}/sys/user/max_user_namespaces r, @{PROC}/version r, - owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/autogroup rw, owner @{PROC}/@{pid}/cmdline rk, owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/fdinfo/@{int} r, + owner @{PROC}/@{pid}/fd/@{int} rw, + owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/oom_score_adj w, - owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/children r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/status r, - /dev/hidraw@{int} rw, /dev/input/ r, - /dev/input/event@{int} r, - /dev/tty rw, /dev/uinput w, - audit deny /**.steam_exec_test.sh rw, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + deny /opt/** r, - profile lspci { + profile web flags=(attach_disconnected,mediate_deleted,complain) { + include + include + include + include + include + include + include + include + + capability dac_read_search, + capability sys_chroot, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + ptrace trace peer=steam//web, + + signal receive set=kill peer=steam, + + unix receive type=stream, + + @{bin}/ldconfig rix, + @{bin}/getopt rix, + @{bin}/gzip rix, + @{bin}/true rix, + @{bin}/localedef rix, + @{bin}/readlink rix, + + @{lib_dirs}/** mr, + @{lib_dirs}/steamwebhelper rix, + 
@{lib_dirs}/steamwebhelper_sniper_wrap.sh rix, + + @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap mr, + @{runtime_dirs}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix, + + @{lib}/pressure-vessel/from-host/** rix, + @{run}/host/@{bin}/* rix, + @{run}/host/@{lib}/** rix, + + @{share_dirs}/config/cefdata/WidevineCdm/**/linux_*/libwidevinecdm.so mr, + + @{runtime_dirs}/var/tmp-@{rand6}/usr/.ref w, + + @{run}/host/{,**} r, + + /etc/machine-id r, + + @{lib}/ r, + /usr/local/lib/ r, + /var/tmp/ r, + + owner /bindfile@{rand6} rw, + + owner /var/cache/ldconfig/aux-cache* rw, + owner /var/pressure-vessel/ldso/* rw, + + owner @{HOME}/.pki/ rw, + owner @{HOME}/.pki/nssdb/ rw, + owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + + owner @{lib_dirs}/.cef-* wk, + + owner @{share_dirs}/{,**} r, + owner @{share_dirs}/config/** rwk, + owner @{share_dirs}/logs/** rwk, + owner @{share_dirs}/clientui/** k, + owner @{share_dirs}/public/** k, + + @{tmp}/ r, + owner @{tmp}/#@{int} rw, + owner @{tmp}/dumps/ rw, + owner @{tmp}/dumps/** rwk, + owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + owner @{tmp}/pressure-vessel-*-@{rand6}/ rw, + owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**, + owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw, + + /dev/shm/ r, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw, + owner /dev/shm/u@{uid}-Shm_@{hex6} rw, + owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, + owner /dev/shm/u@{uid}-Shm_@{hex8} rw, + owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, + owner /dev/shm/ValveIPCSHM_@{uid} rw, + + owner @{run}/pressure-vessel/** r, + + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + + @{sys}/bus/ r, + @{sys}/bus/*/devices/ r, + @{sys}/class/*/ r, + @{sys}/devices/**/report_descriptor r, + @{sys}/devices/**/uevent r, + 
@{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/virtual/tty/tty@{int}/active r, + + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mem r, + owner @{PROC}/@{pid}/oom_score_adj w, + owner @{PROC}/@{pid}/statm r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm r, + owner @{PROC}/@{pid}/task/@{tid}/status r, + + /dev/hidraw@{int} rw, + /dev/tty rw, + + include if exists + } + + profile check flags=(attach_disconnected,mediate_deleted,complain) { + include + include + include + + capability dac_read_search, + + unix receive type=stream, + + @{bin}/true rix, + + @{lib_dirs}/** mr, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements mr, + @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rix, + + / r, + + owner @{HOME}/.steam/root r, + owner @{HOME}/.steam/steam r, + + owner @{share_dirs}/ r, + + @{PROC}/@{pid}/cgroup r, + + include if exists + } + + profile lspci flags=(attach_disconnected,mediate_deleted,complain) { include include include + unix receive type=stream, + @{bin}/lspci mr, owner @{HOME}/.steam/steam.pipe r, @@ -250,11 +397,26 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/bus/pci/slots/ r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/devices/@{pci}/** r, - + owner /dev/shm/ValveIPCSHM_@{uid} rw, include if exists } + profile systemctl { + include + include + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + + include if exists + } + include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/steam-fossilize b/apparmor.d/profiles-s-z/steam-fossilize index 323abea8c..b33c90d8b 100644 
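Review bot: The new `systemctl` subprofile grants read access to the system journal (`/{run,var}/log/journal/@{hex32}/system.journal*` and `system@@{hex}.journal*`), which is wider than the user's own `user-@{hex}.journal*`; a one-line comment naming the Steam operation that needs `systemctl` to read system-level journal files would make the scope reviewable, and if a user-scoped query suffices the two `system*` rules could go. It is also the only subprofile in this file without a `flags=(...)` clause, whereas `lspci`, `web` and `check` carry `attach_disconnected,mediate_deleted,complain`; if that omission is deliberate a short comment on the `profile systemctl {` line would keep a later reader from "fixing" it.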
--- a/apparmor.d/profiles-s-z/steam-fossilize +++ b/apparmor.d/profiles-s-z/steam-fossilize @@ -6,9 +6,12 @@ abi , include -@{share_dirs} = @{user_share_dirs}/Steam -@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} -@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper +@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation +@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} +@{app_dirs} = @{share_dirs}/steamapps/common/ @{exec_path} = @{lib_dirs}/fossilize_replay profile steam-fossilize @{exec_path} flags=(attach_disconnected) { @@ -17,17 +20,22 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) { include include + signal receive peer=steam, + @{exec_path} mr, - @{lib_dirs}/*.so* mr, + @{lib_dirs}/** mr, owner @{HOME}/.steam/steam.pipe r, + owner @{share_dirs}/logs/container-runtime-info.txt.@{rand6} rw, owner @{share_dirs}/steamapps/shadercache/@{int}/fozpipelinesv@{int}/{,**} rw, owner @{share_dirs}/steamapps/shadercache/@{int}/mesa_shader_cache_sf/{,**} rwk, owner @{share_dirs}/steamapps/shadercache/@{int}/nvidiav@{int}/GLCache/ rw, owner @{share_dirs}/steamapps/shadercache/@{int}/nvidiav@{int}/GLCache/** rwk, + owner @{tmp}/runtime-info.txt.@{rand6} rw, + owner /dev/shm/fossilize-*-@{int}-@{int} rw, @{sys}/devices/system/node/node@{int}/cpumap r, @@ -41,3 +49,5 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game deleted file mode 100644 index 83d001455..000000000 --- a/apparmor.d/profiles-s-z/steam-game +++ /dev/null 
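Review bot: `@{lib_dirs}/** mr` in the second hunk replaces `@{lib_dirs}/*.so* mr`, so any file under the library directories — now also `@{share_dirs}/linux{32,64}` — can be mapped executable by fossilize_replay rather than only shared objects. If the widening is only for libraries in subdirectories, `@{lib_dirs}/**.so* mr,` (the form steam-gameoverlayui uses in this same commit) keeps the `.so` restriction. The six-line variable block added in the first hunk is also pasted verbatim into steam-game-native, steam-game-proton, steam-gameoverlayui, steam-launch, steam-launcher, steam-runtime and steamerrorreporter, and `@{arch}`, `@{runtime}`, `@{runtime_dirs}` and `@{app_dirs}` appear unused in the visible hunks of this file; moving the block to a shared include would keep the eight copies from drifting.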
@@ -1,225 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for steam games - -# TODO: -# Split this profile in three: -# - steam-game-native for native linux games -# - steam-runtime for all runtime related task up to the creation of the sandbox -# - steam-game-proton for the sandboxed proton games -# -# Tasks: -# - AppArmor supports for {*^} regex, or find an alternative -# - AppArmor supports change profile from pivot_root -# - Stack steam//&game to bypass no-new-privs issue -# -# The current version of this profile is not very useful as it is very similar -# to the main steam profile. - -abi , - -include - -@{share_dirs} = @{user_share_dirs}/Steam -@{lib_dirs} = @{share_dirs}/ubuntu@{int}_{32,64} -@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper - -@{exec_path} = @{share_dirs}/steamapps/common/*/** -@{exec_path} += @{lib_dirs}/steam-runtime-sniper/*entry-point -profile steam-game @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - include - include - include - - capability dac_override, - capability dac_read_search, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - signal (receive) peer=steam, - - unix (receive) type=stream, - - @{exec_path} mrix, - - @{sh_path} rix, - @{bin}/bwrap rix, - @{bin}/env rix, - @{bin}/getopt rix, - @{bin}/gzip rix, - @{bin}/localedef rix, - @{bin}/python3.@{int} rix, - @{bin}/readlink rix, - @{bin}/steam-runtime-launcher-interface-* rix, - @{bin}/steam-runtime-system-info rix, - @{bin}/timeout rix, - @{bin}/true rix, - @{bin}/uname rix, - @{bin}/xdg-open rPx, - - @{lib}/pressure-vessel/from-host/@{bin}/* rix, - @{lib}/pressure-vessel/from-host/@{lib}/** rix, - @{lib}/steam-runtime-tools*/* mrix, - - @{lib_dirs}/{,**} r, - @{lib_dirs}/**.so* mr, - @{lib_dirs}/reaper rix, 
- @{lib_dirs}/steam-launch-wrapper rm, - @{lib_dirs}/steam-runtime/@{lib}/** mrix, - - @{runtime_dirs}/pressure-vessel/@{bin}/ r, - @{runtime_dirs}/pressure-vessel/@{bin}/* rix, - @{runtime_dirs}/pressure-vessel/@{lib}/ r, - @{runtime_dirs}/pressure-vessel/@{lib}/** mrix, - @{runtime_dirs}/run rix, - - @{share_dirs}/@{bin}/ r, - @{share_dirs}/@{bin}/* mr, - @{share_dirs}/d3ddriverquery64.dxvk-cache rw, - @{share_dirs}/legacycompat/ r, - @{share_dirs}/legacycompat/** mr, - @{share_dirs}/linux{32,64}/ r, - @{share_dirs}/linux{32,64}/**.so* mr, - @{share_dirs}/standalone_installscript_progress_@{int}.vdf rw, - @{share_dirs}/steamapps/common/*/* mr, - @{share_dirs}/steamapps/common/Proton*/ r, - @{share_dirs}/steamapps/common/Proton*/files/@{bin}/* mrix, - @{share_dirs}/steamapps/common/Proton*/files/@{lib}/** mrix, - @{share_dirs}/steamapps/common/Proton*/proton rix, - @{share_dirs}/steamapps/compatdata/@{int}/pfx/**.dll rm, - - @{user_games_dirs}/*/* mr, - @{user_games_dirs}/*/**.dll mr, - - @{run}/host/usr/bin/ldconfig rix, - @{run}/host/usr/lib{,32,64}/**.so* rm, - @{run}/host/usr/bin/localedef rix, - - /usr/share/terminfo/** r, - - /etc/machine-id r, - /etc/udev/udev.conf r, - /var/lib/dbus/machine-id r, - - / r, - /{usr/,}{local/,} r, - /{usr/,}{local/,}lib{,32,64}/ r, - /bindfile@{rand6} rw, - /home/ r, - /tmp/ r, - - owner /var/pressure-vessel/** rw, - owner /var/cache/ldconfig/aux-cache* rw, - - owner @{HOME}/ r, - owner @{HOME}/.steam/steam.pid r, - owner @{HOME}/.steam/steam.pipe r, - - owner @{user_games_dirs}/{,*/} r, - owner @{user_games_dirs}/*/{,**} rwkl, - - owner @{user_config_dirs}/unity3d/{,**} rwk, - - owner @{share_dirs}/ r, - owner @{share_dirs}/* r, - owner @{share_dirs}/*log* rw, - owner @{share_dirs}/config/config.vdf* rw, - owner @{share_dirs}/logs/{,*} rw, - owner @{share_dirs}/shader_cache_temp*/fozpipelinesv*/{,**} rw, - owner @{share_dirs}/steamapps/ r, - owner @{share_dirs}/steamapps/common/ r, - owner @{share_dirs}/steamapps/common/*/ 
r, - owner @{share_dirs}/steamapps/common/*/** rwkl, - owner @{share_dirs}/steamapps/common/Proton*/files/share/{,**} r, - owner @{share_dirs}/steamapps/compatdata/{,**} rwk, - owner @{share_dirs}/steamapps/shadercache/{,**} rwk, - owner @{share_dirs}/userdata/**/remotecache.vdf rw, - - @{run}/host/ r, - @{run}/host/container-manager r, - @{run}/host/fonts/{,**} r, - @{run}/host/share/{,**} r, - @{run}/host/usr/{,**} r, - owner @{run}/pressure-vessel/{,**} rw, - owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/orcexec.* mrw, # gstreamer - - owner /dev/shm/#@{int} rw, - owner /dev/shm/mono.* rw, - owner /dev/shm/u@{uid}-Shm_@{hex} rw, - owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, - owner /dev/shm/ValveIPCSHM_@{uid} rw, - owner /dev/shm/wine-*-fsync rw, - - owner @{tmp}/ r, - owner @{tmp}/.wine-@{int}/ rw, - owner @{tmp}/.wine-@{int}/** rwk, - owner @{tmp}/.wine-@{uid}/server-*/* rwk, - owner @{tmp}/#@{int} rw, - owner @{tmp}/CASESENSITIVETEST@{hex32} rw, - owner @{tmp}/miles_image_* mr, - owner @{tmp}/pressure-vessel-*/{,**} rwl, - owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, - - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{run}/udev/data/c116:@{int} r, # for ALSA - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - - @{sys}/ r, - @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/input/ r, - @{sys}/devices/**/input@{int}/ r, - @{sys}/devices/**/input@{int}/**/{vendor,product} r, - @{sys}/devices/**/input@{int}/capabilities/* r, - @{sys}/devices/**/input/input@{int}/ r, - @{sys}/devices/**/uevent r, - @{sys}/devices/@{pci}/sound/card@{int}/** r, - @{sys}/devices/@{pci}/usb@{int}/{manufacturer,product,bcdDevice,bInterfaceNumber} r, - @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, - @{sys}/devices/system/cpu/** r, - @{sys}/devices/system/node/node[0-9]/cpumap r, - 
@{sys}/devices/system/node/online r, - @{sys}/devices/virtual/dmi/id/* r, - @{sys}/kernel/ r, - - @{PROC}/@{pids}/net/dev r, - @{PROC}/@{pids}/net/route r, - @{PROC}/sys/net/core/bpf_jit_enable r, - @{PROC}/uptime r, - @{PROC}/version r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/pagemap r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - - /dev/hidraw@{int} rw, - /dev/input/ r, - /dev/input/* rw, - /dev/tty rw, - /dev/uinput rw, - - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - - include if exists -} \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/steam-game-native b/apparmor.d/profiles-s-z/steam-game-native new file mode 100644 index 000000000..9453076ea --- /dev/null +++ b/apparmor.d/profiles-s-z/steam-game-native @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper +@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation +@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} +@{app_dirs} = @{share_dirs}/steamapps/common/ + +@{exec_path} = @{app_dirs}/*/** +profile steam-game-native @{exec_path} flags=(attach_disconnected) { + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + network unix stream, + + signal receive peer=steam, + + @{exec_path} rmix, + + @{sh_path} rix, + + @{app_dirs}/** mr, + @{lib_dirs}/** mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/profiles-s-z/steam-game-proton new file mode 100644 index 000000000..49a668996 
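Review bot: The explanatory header that the deleted steam-game carried (the three-way split into native / runtime / proton and its open TODOs on `{*^}` regex support and pivot_root) disappears with it, and none of steam-game-native, steam-game-proton, steam-launch or steam-launcher says which process it now covers or how control reaches it. A line under the license header such as `# Native Linux games, entered from steam-runtime via rpx -> steam-game-native` (and the equivalent for the proton profile) would preserve that context. Note also that the attachment `@{app_dirs}/*/**` overlaps steam-game-proton's `srt-bwrap` attachment under `@{app_dirs}/@{runtime}/`; the explicit `rpx ->` transitions in steam-runtime make this moot on the normal path, but AppArmor's attachment-priority rules, not this file, will decide which profile applies when something under the runtime directory is started from an unconfined shell.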
--- /dev/null
+++ b/apparmor.d/profiles-s-z/steam-game-proton
@@ -0,0 +1,111 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper +@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation +@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} +@{app_dirs} = @{share_dirs}/steamapps/common/ + +@{exec_path} = @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap +profile steam-game-proton @{exec_path} flags=(attach_disconnected) { + include + include + include + include + + capability dac_read_search, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network unix stream, + + signal receive peer=steam, + + @{exec_path} mr, + @{bin}/bwrap mrix, + + @{bin}/getopt rix, + @{bin}/gzip rix, + @{bin}/ldconfig rix, + @{bin}/localedef rix, + @{bin}/python3.@{int} rix, + @{bin}/readlink rix, + @{bin}/steam-runtime-launcher-interface-@{int} rix, + @{bin}/steam-runtime-system-info rix, + @{bin}/steam-runtime-urlopen rix, + @{bin}/true rix, + @{bin}/chmod rix, + @{open_path} rix, + + @{lib_dirs}/** mr, + @{lib}/pressure-vessel/from-host/@{bin}/* rix, + @{lib}/pressure-vessel/from-host/@{lib}/** rix, + @{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, + + @{app_dirs}/** mr, + @{app_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, + @{app_dirs}/Proton*/files/@{bin}/* rix, + @{app_dirs}/Proton*/files/@{lib}/** rix, + @{app_dirs}/Proton*/proton rix, + @{app_dirs}/@{runtime}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix, + + @{run}/host/@{bin}/ldconfig rix, + @{run}/host/@{bin}/localedef rix, + @{run}/host/@{lib}/** mr, + + @{share_dirs}/bin/d3ddriverquery64.exe mr, + @{share_dirs}/steamapps/compatdata/@{int}/pfx/** mr, + + @{user_games_dirs}/** mr, + + owner /bindfile@{rand6} rw, + + owner 
/var/pressure-vessel/** rw, + owner /var/cache/ldconfig/aux-cache* rw, + + owner @{app_dirs}/@{runtime}/var/tmp-@{rand6}/usr/.ref rwk, + owner @{app_dirs}/Proton*/** rwkl, + + owner @{share_dirs}/*.dll r, + owner @{share_dirs}/bin/ r, + owner @{share_dirs}/legacycompat/ r, + owner @{share_dirs}/legacycompat/** mr, + owner @{share_dirs}/steamapps/compatdata/{,**} rwk, + + owner @{user_share_dirs}/applications/wine/ rw, + owner @{user_share_dirs}/applications/wine/**/ rw, + + owner @{tmp}/.wine-@{uid}/ rw, + owner @{tmp}/.wine-@{uid}/** rwk, + owner @{tmp}/glx-icds-@{rand6}/{,**} w, + owner @{tmp}/pressure-vessel-*-@{rand6}/ rw, + owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**, + owner @{tmp}/vdpau-drivers-@{rand6}/{,**} w, + + owner /dev/shm/wine-@{hex6}-fsync rw, + owner /dev/shm/wine-@{hex6}@{h}-fsync rw, + + @{run}/host/fonts/{,**} r, + @{run}/host/share/{,**} r, + @{run}/host/usr/{,**} r, + owner @{run}/pressure-vessel/{,**} r, + + @{sys}/devices/system/node/node@{int}/cpumap r, + @{sys}/devices/system/node/online r, + + @{PROC}/@{pids}/net/* r, + @{PROC}/sys/net/core/bpf_jit_enable r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui index d41a5e644..bbe2452e2 100644 --- a/apparmor.d/profiles-s-z/steam-gameoverlayui +++ b/apparmor.d/profiles-s-z/steam-gameoverlayui 
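Review bot: `@{open_path} rix` runs the URL/file opener inside steam-game-proton, which has no rules for the browser or other handler it would launch, so under enforce the opened application is likely to be denied; the deleted steam-game profile used `@{bin}/xdg-open rPx` for this. Switching to `@{open_path} rPx,` (or the repository's `abstractions/app-open`, which this commit touches, if it provides that transition) keeps the handler out of the game sandbox. `@{bin}/chmod rix` and `@{bin}/bwrap mrix` are likewise inherit transitions; since steam-runtime reaches this profile with `@{bin}/bwrap rpx -> steam-game-proton`, a trailing comment on why bwrap must also be re-executable in place would help the next reader.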
@@ -6,9 +6,12 @@ abi , include -@{share_dirs} = @{user_share_dirs}/Steam -@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} -@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper +@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation +@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} +@{app_dirs} = @{share_dirs}/steamapps/common/ @{exec_path} = @{lib_dirs}/gameoverlayui profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) { @@ -19,15 +22,16 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, - - unix (receive) type=stream, + network unix stream, @{exec_path} mr, - @{lib_dirs}/*.so* mr, - @{lib_dirs}/steam-runtime/@{lib}/**.so* mr, + @{lib_dirs}/**.so* mr, + @{runtime_dirs}/@{lib}/**.so* mr, - /usr/share/fonts/{,**} rk, # ? + @{lib_dirs}/steamerrorreporter rpx, + + /usr/share/fonts/{,**} rk, / r, /home/ r, @@ -45,15 +49,19 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) { owner @{share_dirs}/userdata/@{int}/{,**} rk, owner /dev/shm/u@{uid}-Shm_@{hex} rw, - owner /dev/shm/u@{uid}-ValveIPCSharedObj-* rwk, + owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, owner @{tmp}/gameoverlayui.log* rw, + owner @{tmp}/miles_image_@{rand6} mrw, + owner @{tmp}/runtime-info.txt.@{rand6} rw, owner @{tmp}/steam_chrome_overlay_uid@{uid}_spid@{pids} rw, - owner @{tmp}/miles_image_* mrw, @{sys}/ r, @{sys}/kernel/ r, + @{sys}/devices/ r, + @{sys}/devices/system/ r, + @{sys}/devices/system/cpu/cpu@{int}/ r, @{PROC}/version r, @@ -61,3 +69,5 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor 
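Review bot: `@{lib_dirs}/steamerrorreporter rpx` uses lowercase `p`, so the crash reporter starts with the overlay's environment intact (`LD_PRELOAD` and friends are not scrubbed), while the other transitions on this page use `rPx` (`chrome-sandbox rPx` in the chromium abstraction, `steam.sh rPx` in steam-launch). If the unscrubbed environment is required for the reporter to locate Steam's libraries, a trailing comment such as `# px: keeps Steam's library path` would document it; otherwise `rPx` is the safer default. The `# ?` that was dropped from `/usr/share/fonts/{,**} rk` suggests the lock permission was confirmed; if so, a word on what locks font files would replace the question mark usefully.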
diff --git a/apparmor.d/profiles-s-z/steam-launch b/apparmor.d/profiles-s-z/steam-launch
new file mode 100644
index 000000000..877181b61
--- /dev/null
+++ b/apparmor.d/profiles-s-z/steam-launch
@@ -0,0 +1,48 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{arch} = amd64 i386
+@{runtime} = SteamLinuxRuntime_sniper
+@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
+@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
+@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
+@{app_dirs} = @{share_dirs}/steamapps/common/
+
+@{exec_path} = @{bin}/steam @{bin}/steam-runtime
+profile steam-launch @{exec_path} {
+ include
+ include
+
+ network unix stream,
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{bin}/cp rix,
+ @{bin}/dirname rix,
+ @{bin}/env rix,
+ @{bin}/id rix,
+ @{bin}/readlink rix,
+
+ @{lib}/steam/steam rix,
+ @{lib}/steam/bin_steam.sh rix,
+ @{share_dirs}/steam.sh rPx,
+
+ /usr/ r,
+ /usr/local/ r,
+
+ owner @{share_dirs}/bootstrap.tar.xz rw,
+
+ /dev/tty rw,
+
+ deny /opt/** r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/steam-launcher b/apparmor.d/profiles-s-z/steam-launcher
new file mode 100644
index 000000000..45fa30245
--- /dev/null
+++ b/apparmor.d/profiles-s-z/steam-launcher
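Review bot: `@{share_dirs}/steam.sh rPx` now resolves to two paths, because the new `@{share_dirs}` also lists `@{HOME}/.steam/debian-installation`; a `Px` transition is denied when no profile attaches to the target, so this relies on the `steam` profile's attachment (not visible in this diff) covering `@{HOME}/.steam/debian-installation/steam.sh` as well. That is worth checking, or recording with `# steam.sh attaches to profile steam` next to the rule. Separately, `profile steam-launch @{exec_path} {` is the only new steam-* profile here without `flags=(attach_disconnected)`; if that is carried over on purpose from the old steam-runtime header, a comment saying so would prevent a later "fix".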
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{arch} = amd64 i386
+@{runtime} = SteamLinuxRuntime_sniper
+@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
+@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
+@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
+@{app_dirs} = @{share_dirs}/steamapps/common/
+
+@{exec_path} = @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service
+profile steam-launcher @{exec_path} flags=(attach_disconnected) {
+ include
+
+ network unix stream,
+
+ signal receive peer=steam,
+
+ @{exec_path} mr,
+
+ @{lib_dirs}/** mr,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/steam-reaper b/apparmor.d/profiles-s-z/steam-reaper
deleted file mode 100644
index f635b1315..000000000
--- a/apparmor.d/profiles-s-z/steam-reaper
+++ /dev/null
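Review bot: steam-launcher is installed in enforce mode with a single include, `network unix stream`, `signal receive peer=steam`, `@{exec_path} mr` and `@{lib_dirs}/** mr`, and no exec rule at all, whereas the other new Steam pieces in this commit (the `web`, `check` and `lspci` subprofiles) start in `complain`. If, as the binary name suggests, steam-runtime-launcher-service spawns commands on request, every such exec will be denied (and logged) as soon as the profile loads; starting with `flags=(attach_disconnected,complain)` like the subprofiles, or adding a comment stating that no child exec is expected from this service, would make the intent explicit.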
@@ -1,40 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{share_dirs} = @{user_share_dirs}/Steam -@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} -@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper - -@{exec_path} = @{lib_dirs}/reaper -profile steam-reaper @{exec_path} flags=(attach_disconnected) { - include - include - - unix (receive) type=stream, - - @{exec_path} mr, - - @{lib_dirs}/*.so* mr, - @{lib_dirs}/steam-runtime/@{lib}/**.so* mr, - @{lib_dirs}/steam-launch-wrapper rpx -> steam-game, - - @{share_dirs}/steamapps/common/*/* rpx -> steam-game, - - owner @{HOME}/.steam/steam.pipe r, - - owner @{share_dirs}/userdata/**/remotecache.vdf rw, - - owner /dev/shm/u@{uid}-Shm_@{hex} rw, - owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, - - @{sys}/devices/system/cpu/cpu@{int}/** r, - - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - - include if exists -} \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/steam-runtime b/apparmor.d/profiles-s-z/steam-runtime index 6d04630d4..5d6d0f856 100644 --- a/apparmor.d/profiles-s-z/steam-runtime +++ b/apparmor.d/profiles-s-z/steam-runtime 
@@ -6,38 +6,80 @@ abi , include -@{share_dirs} = @{user_share_dirs}/Steam -@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} -@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper +@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation +@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} +@{app_dirs} = @{share_dirs}/steamapps/common/ -@{exec_path} = @{bin}/steam @{bin}/steam-runtime -profile steam-runtime @{exec_path} { +@{exec_path} = @{lib_dirs}/reaper +profile steam-runtime @{exec_path} flags=(attach_disconnected) { include - include + include + include + include + include + include - unix (receive) type=stream, + network unix stream, @{exec_path} mr, - @{sh_path} rix, - @{bin}/cp rix, - @{bin}/dirname rix, - @{bin}/env rix, - @{bin}/id rix, - @{bin}/readlink rix, + @{sh_path} r, + @{bin}/getopt rix, + @{bin}/readlink rix, - @{lib}/steam/steam rix, - @{lib}/steam/bin_steam.sh rix, - @{share_dirs}/steam.sh rPx, + @{lib_dirs}/** mr, + @{lib_dirs}/steam-launch-wrapper rix, - /usr/ r, - /usr/local/ r, + # Native linux games (steam-game-native) + @{app_dirs}/[^S]*/** rpx -> steam-game-native, - owner @{share_dirs}/bootstrap.tar.xz rw, + # Proton games, sandboxed (steam-game-proton) + @{app_dirs}/@{runtime}/*entry-point rmix, + @{app_dirs}/@{runtime}/pressure-vessel/@{bin}/pressure-vessel-* rix, + @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/** mr, + @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-capsule-capture-libs rix, + @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-detect-platform rix, + @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-inspect-library rix, + @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rpx -> steam-game-proton, + 
@{app_dirs}/@{runtime}/run rix, + @{bin}/bwrap rpx -> steam-game-proton, + + / r, + @{lib}/ r, + @{lib_dirs}/ r, + + owner @{HOME}/.steam/steam.pipe r, + + owner @{app_dirs}/*/ r, + owner @{app_dirs}/config/config.vdf rw, + owner @{app_dirs}/@{runtime}/** r, + owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk, + owner @{app_dirs}/@{runtime}/sniper_platform_*/** rwk, + owner @{app_dirs}/@{runtime}/var/** rwk, + owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/pressure-vessel/**, + owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/sniper_platform_*/**, + + owner @{tmp}/ r, + owner @{tmp}/#@{int} rw, + owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, + + owner @{run}/user/@{uid}/ r, + + owner /dev/shm/u@{uid}-Shm_@{hex6} rw, + owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, + owner /dev/shm/u@{uid}-Shm_@{hex8} rw, + owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, + + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/comm r, + owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, - deny /opt/** r, - include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/steamerrorreporter b/apparmor.d/profiles-s-z/steamerrorreporter index c9e1bf630..3e206e898 100644 --- a/apparmor.d/profiles-s-z/steamerrorreporter +++ b/apparmor.d/profiles-s-z/steamerrorreporter 
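Review bot: `@{app_dirs}/[^S]*/** rpx -> steam-game-native` excludes every game whose install directory begins with an uppercase `S`, not just `@{runtime}`, so a title installed under `@{app_dirs}/S*/` matches no exec rule in this profile and is denied under enforce. If the negated class exists to avoid an x-modifier conflict with the `@{app_dirs}/@{runtime}/...` rules that follow, the usual workaround is to enumerate the prefix — `@{app_dirs}/S[^t]*/** rpx -> steam-game-native,`, `@{app_dirs}/St[^e]*/** rpx -> steam-game-native,` and so on until the name diverges from `SteamLinuxRuntime_sniper` — or at least a comment stating the limitation where the deleted steam-game header used to record it. Lowercase `rpx` also leaves the environment unscrubbed for both transitions here; that is plausible if games rely on Steam's `LD_PRELOAD`/`LD_LIBRARY_PATH`, but a trailing comment would make it a decision rather than an accident.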
@@ -6,12 +6,15 @@ abi , include -@{share_dirs} = @{user_share_dirs}/Steam -@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} -@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper +@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation +@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} +@{app_dirs} = @{share_dirs}/steamapps/common/ -@{exec_path} = @{share_dirs}/linux{32,64}/steamerrorreporter -profile steamerrorreporter @{exec_path} { +@{exec_path} = @{lib_dirs}/steamerrorreporter +profile steamerrorreporter @{exec_path} flags=(attach_disconnected) { include include @@ -19,14 +22,14 @@ profile steamerrorreporter @{exec_path} { network inet stream, network inet6 dgram, network inet6 stream, + network unix stream, @{exec_path} mr, owner @{HOME}/.steam/steam.pipe r, - owner @{lib_dirs}/ r, - owner @{lib_dirs}/steam-runtime/pinned_libs_{32,64}/ r, - + owner @{lib_dirs}/{,**} r, + owner @{runtime_dirs}/pinned_libs_{32,64}/ r, owner @{share_dirs}/ r, owner @{tmp}/dumps/ r, @@ -35,4 +38,6 @@ profile steamerrorreporter @{exec_path} { owner @{PROC}/@{pid}/status r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index efb326115..a790e6b7b 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -64,7 +64,7 @@ profile strawberry @{exec_path} { owner @{tmp}/.*/s rw, owner @{tmp}/*= w, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex} rw, + owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, owner @{tmp}/strawberry-cover-@{rand6}.jpg rwl -> @{tmp}/#@{int}, owner @{tmp}/strawberry*[0-9] w, 
@@ -72,7 +72,6 @@ profile strawberry @{exec_path} { @{run}/mount/utab r, - @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, @@ -80,3 +79,5 @@ profile strawberry @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/strawberry-tagreader b/apparmor.d/profiles-s-z/strawberry-tagreader index de4462c8c..0e1aced4f 100644 --- a/apparmor.d/profiles-s-z/strawberry-tagreader +++ b/apparmor.d/profiles-s-z/strawberry-tagreader @@ -29,3 +29,5 @@ profile strawberry-tagreader @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su index 940536a07..429c48938 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/profiles-s-z/su @@ -28,3 +28,5 @@ profile su @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index f67917f55..0ba2694bd 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -47,3 +47,5 @@ profile sudo @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sulogin b/apparmor.d/profiles-s-z/sulogin index a50aeea42..3793df043 100644 --- a/apparmor.d/profiles-s-z/sulogin +++ b/apparmor.d/profiles-s-z/sulogin @@ -26,4 +26,6 @@ profile sulogin @{exec_path} { /dev/tty@{int} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/swaplabel b/apparmor.d/profiles-s-z/swaplabel index a038e9dc9..03d2fe8d0 100644 --- a/apparmor.d/profiles-s-z/swaplabel +++ b/apparmor.d/profiles-s-z/swaplabel @@ -19,3 +19,5 @@ profile swaplabel @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/swapon b/apparmor.d/profiles-s-z/swapon index 613e1b3de..31ee2e93a 100644 --- a/apparmor.d/profiles-s-z/swapon 
+++ b/apparmor.d/profiles-s-z/swapon @@ -28,3 +28,5 @@ profile swapon @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index 19b991cc1..4cfa8ba96 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -34,3 +34,5 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/switcherooctl b/apparmor.d/profiles-s-z/switcherooctl index 1afd61d9c..9979c9246 100644 --- a/apparmor.d/profiles-s-z/switcherooctl +++ b/apparmor.d/profiles-s-z/switcherooctl @@ -17,4 +17,6 @@ profile switcherooctl @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/swtpm b/apparmor.d/profiles-s-z/swtpm index 8b4fd09d0..4f6d1b38c 100644 --- a/apparmor.d/profiles-s-z/swtpm +++ b/apparmor.d/profiles-s-z/swtpm @@ -28,4 +28,6 @@ profile swtpm @{exec_path} { @{run}/libvirt/qemu/swtpm/*.pid w, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/swtpm_ioctl b/apparmor.d/profiles-s-z/swtpm_ioctl index 708ee3982..c77810624 100644 --- a/apparmor.d/profiles-s-z/swtpm_ioctl +++ b/apparmor.d/profiles-s-z/swtpm_ioctl @@ -16,4 +16,6 @@ profile swtpm_ioctl @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/swtpm_localca b/apparmor.d/profiles-s-z/swtpm_localca index 6a8998829..a9749c91f 100644 --- a/apparmor.d/profiles-s-z/swtpm_localca +++ b/apparmor.d/profiles-s-z/swtpm_localca @@ -30,4 +30,6 @@ profile swtpm_localca @{exec_path} { @{run}/libvirt/qemu/swtpm/*.sock w, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/swtpm_setup b/apparmor.d/profiles-s-z/swtpm_setup index 18aafae60..f4b01f0e0 100644 --- a/apparmor.d/profiles-s-z/swtpm_setup +++ b/apparmor.d/profiles-s-z/swtpm_setup @@ -26,4 +26,6 @@ profile swtpm_setup @{exec_path} { owner @{tmp}/.swtpm_setup.pidfile* rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sync b/apparmor.d/profiles-s-z/sync index 3211a2b59..6bdb55732 100644 --- a/apparmor.d/profiles-s-z/sync +++ b/apparmor.d/profiles-s-z/sync @@ -14,4 +14,6 @@ profile sync @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index 36a5c9856..c90665cdf 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -31,3 +31,5 @@ profile syncoid @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index f669e73dc..50b04668b 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -45,3 +45,5 @@ profile syncthing @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/profiles-s-z/sysctl index 839e473f6..4e50430be 100644 --- a/apparmor.d/profiles-s-z/sysctl +++ b/apparmor.d/profiles-s-z/sysctl @@ -31,4 +31,6 @@ profile sysctl @{exec_path} { deny network inet stream, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index fb3c60772..ab36047f2 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -58,3 +58,5 @@ profile system-config-printer @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/system-config-printer-applet b/apparmor.d/profiles-s-z/system-config-printer-applet index f5c393f64..0112b152a 100644 --- a/apparmor.d/profiles-s-z/system-config-printer-applet +++ b/apparmor.d/profiles-s-z/system-config-printer-applet @@ -31,3 +31,5 @@ profile system-config-printer-applet @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/task b/apparmor.d/profiles-s-z/task index 3c0ea26b5..bd7f276a8 100644 --- a/apparmor.d/profiles-s-z/task +++ b/apparmor.d/profiles-s-z/task @@ -47,3 +47,5 @@ profile task @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel index 94bba6ce9..b96200dea 100644 --- a/apparmor.d/profiles-s-z/tasksel +++ b/apparmor.d/profiles-s-z/tasksel @@ -80,3 +80,5 @@ profile tasksel @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/taskwarrior-tui b/apparmor.d/profiles-s-z/taskwarrior-tui index f3678ff82..f125c993d 100644 --- a/apparmor.d/profiles-s-z/taskwarrior-tui +++ b/apparmor.d/profiles-s-z/taskwarrior-tui @@ -30,3 +30,5 @@ profile taskwarrior-tui @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index c63a5657c..3f9ba6e25 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -63,4 +63,6 @@ profile terminator @{exec_path} flags=(attach_disconnected) { deny @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tftp b/apparmor.d/profiles-s-z/tftp index 977b51790..fb848cb1c 100644 --- a/apparmor.d/profiles-s-z/tftp +++ b/apparmor.d/profiles-s-z/tftp @@ -17,3 +17,5 @@ profile tftp @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index 5dfa66125..1e72d45ec 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -82,3 +82,5 @@ profile thermald @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/thinkfan b/apparmor.d/profiles-s-z/thinkfan index cd5160493..56a39736e 100644 --- a/apparmor.d/profiles-s-z/thinkfan +++ b/apparmor.d/profiles-s-z/thinkfan @@ -28,3 +28,5 @@ profile thinkfan @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 7e9b67d6d..d6553d990 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -179,3 +179,5 @@ profile thunderbird @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index b69db4912..17fda9d56 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -26,4 +26,6 @@ profile thunderbird-glxtest @{exec_path} { owner @{PROC}/@{pid}/cmdline r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/thunderbird-vaapitest b/apparmor.d/profiles-s-z/thunderbird-vaapitest index 345b7a6f8..85c1a08cb 100644 --- a/apparmor.d/profiles-s-z/thunderbird-vaapitest +++ b/apparmor.d/profiles-s-z/thunderbird-vaapitest @@ -28,3 +28,5 @@ profile thunderbird-vaapitest @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tint2 b/apparmor.d/profiles-s-z/tint2 index e098f55e4..2e44d0fab 100644 --- a/apparmor.d/profiles-s-z/tint2 +++ b/apparmor.d/profiles-s-z/tint2 @@ -62,3 +62,5 @@ profile tint2 @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/tint2conf b/apparmor.d/profiles-s-z/tint2conf index 2ad3762cf..776b843a3 100644 --- a/apparmor.d/profiles-s-z/tint2conf +++ b/apparmor.d/profiles-s-z/tint2conf @@ -41,3 +41,5 @@ profile tint2conf @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/top b/apparmor.d/profiles-s-z/top index 91cdd57a1..9e4b7c11a 100644 --- a/apparmor.d/profiles-s-z/top +++ b/apparmor.d/profiles-s-z/top @@ -68,3 +68,5 @@ profile top @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/torify b/apparmor.d/profiles-s-z/torify index 6eb5f76fa..fcc4c9b98 100644 --- a/apparmor.d/profiles-s-z/torify +++ b/apparmor.d/profiles-s-z/torify @@ -16,3 +16,5 @@ profile torify @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/torsocks b/apparmor.d/profiles-s-z/torsocks index b72a959e7..8d75133da 100644 --- a/apparmor.d/profiles-s-z/torsocks +++ b/apparmor.d/profiles-s-z/torsocks @@ -25,3 +25,5 @@ profile torsocks @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tpacpi-bat b/apparmor.d/profiles-s-z/tpacpi-bat index 3febe67c9..673f46e32 100644 --- a/apparmor.d/profiles-s-z/tpacpi-bat +++ b/apparmor.d/profiles-s-z/tpacpi-bat @@ -28,3 +28,5 @@ profile tpacpi-bat @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/transmission-gtk b/apparmor.d/profiles-s-z/transmission-gtk index 3da3784e5..40586fa03 100644 --- a/apparmor.d/profiles-s-z/transmission-gtk +++ b/apparmor.d/profiles-s-z/transmission-gtk @@ -50,3 +50,5 @@ profile transmission-gtk @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/transmission-qt b/apparmor.d/profiles-s-z/transmission-qt index 5b232a005..bbfe5bff4 100644 --- a/apparmor.d/profiles-s-z/transmission-qt +++ b/apparmor.d/profiles-s-z/transmission-qt 
@@ -52,3 +52,5 @@ profile transmission-qt @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tune2fs b/apparmor.d/profiles-s-z/tune2fs index 192fff844..d9a8c5409 100644 --- a/apparmor.d/profiles-s-z/tune2fs +++ b/apparmor.d/profiles-s-z/tune2fs @@ -34,3 +34,5 @@ profile tune2fs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-dmi-memory-id b/apparmor.d/profiles-s-z/udev-dmi-memory-id index 62c834d99..ab6a2de77 100644 --- a/apparmor.d/profiles-s-z/udev-dmi-memory-id +++ b/apparmor.d/profiles-s-z/udev-dmi-memory-id @@ -18,4 +18,6 @@ profile udev-dmi-memory-id @{exec_path} { @{sys}/firmware/dmi/tables/smbios_entry_point r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udiskie b/apparmor.d/profiles-s-z/udiskie index f6e7aaafc..505017bcd 100644 --- a/apparmor.d/profiles-s-z/udiskie +++ b/apparmor.d/profiles-s-z/udiskie @@ -68,3 +68,5 @@ profile udiskie @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udiskie-info b/apparmor.d/profiles-s-z/udiskie-info index 947144150..aa359ef56 100644 --- a/apparmor.d/profiles-s-z/udiskie-info +++ b/apparmor.d/profiles-s-z/udiskie-info @@ -24,3 +24,5 @@ profile udiskie-info @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udiskie-mount b/apparmor.d/profiles-s-z/udiskie-mount index bbfb20ad8..7e72e9713 100644 --- a/apparmor.d/profiles-s-z/udiskie-mount +++ b/apparmor.d/profiles-s-z/udiskie-mount @@ -24,3 +24,5 @@ profile udiskie-mount @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udiskie-umount b/apparmor.d/profiles-s-z/udiskie-umount index edf8c79b9..8dc30eb9a 100644 --- a/apparmor.d/profiles-s-z/udiskie-umount +++ b/apparmor.d/profiles-s-z/udiskie-umount 
@@ -24,3 +24,5 @@ profile udiskie-umount @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udisksctl b/apparmor.d/profiles-s-z/udisksctl index c4f6dc96b..a05cede9c 100644 --- a/apparmor.d/profiles-s-z/udisksctl +++ b/apparmor.d/profiles-s-z/udisksctl @@ -23,3 +23,5 @@ profile udisksctl @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index cbe3a79b0..365044702 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -150,3 +150,5 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/umount b/apparmor.d/profiles-s-z/umount index 8253f4335..e066dff89 100644 --- a/apparmor.d/profiles-s-z/umount +++ b/apparmor.d/profiles-s-z/umount @@ -48,3 +48,5 @@ profile umount @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/umount.udisks2 b/apparmor.d/profiles-s-z/umount.udisks2 index 87a8e2b33..2a6f7747d 100644 --- a/apparmor.d/profiles-s-z/umount.udisks2 +++ b/apparmor.d/profiles-s-z/umount.udisks2 @@ -15,3 +15,5 @@ profile umount.udisks2 @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/uname b/apparmor.d/profiles-s-z/uname index 267fdb82a..4dd41a7bf 100644 --- a/apparmor.d/profiles-s-z/uname +++ b/apparmor.d/profiles-s-z/uname @@ -21,3 +21,5 @@ profile uname @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/unhide-linux b/apparmor.d/profiles-s-z/unhide-linux index a782c72ca..d03561452 100644 --- a/apparmor.d/profiles-s-z/unhide-linux +++ b/apparmor.d/profiles-s-z/unhide-linux @@ -36,3 +36,5 @@ profile unhide-linux @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/unhide-posix b/apparmor.d/profiles-s-z/unhide-posix index 0e869207c..1277e299c 100644 --- a/apparmor.d/profiles-s-z/unhide-posix +++ b/apparmor.d/profiles-s-z/unhide-posix @@ -39,3 +39,5 @@ profile unhide-posix @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/unhide-rb b/apparmor.d/profiles-s-z/unhide-rb index a860f5218..e503f639a 100644 --- a/apparmor.d/profiles-s-z/unhide-rb +++ b/apparmor.d/profiles-s-z/unhide-rb @@ -23,3 +23,5 @@ profile unhide-rb @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/unhide-tcp b/apparmor.d/profiles-s-z/unhide-tcp index bd17557df..bb54d19b1 100644 --- a/apparmor.d/profiles-s-z/unhide-tcp +++ b/apparmor.d/profiles-s-z/unhide-tcp @@ -33,3 +33,5 @@ profile unhide-tcp @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 65fd4330c..c24da3bab 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -30,3 +30,5 @@ profile unix-chkpwd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs index 23f4e2490..d5d1cb953 100644 --- a/apparmor.d/profiles-s-z/unmkinitramfs +++ b/apparmor.d/profiles-s-z/unmkinitramfs @@ -52,3 +52,5 @@ profile unmkinitramfs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index 3ef1d8f1d..dfe7725d8 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -32,3 +32,5 @@ profile update-alternatives @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index d1dba09ea..f08383fba 100644 --- a/apparmor.d/profiles-s-z/update-ca-certificates +++ b/apparmor.d/profiles-s-z/update-ca-certificates @@ -59,3 +59,5 @@ profile update-ca-certificates @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-ca-trust b/apparmor.d/profiles-s-z/update-ca-trust index 4a9df2282..a4434ad48 100644 --- a/apparmor.d/profiles-s-z/update-ca-trust +++ b/apparmor.d/profiles-s-z/update-ca-trust @@ -37,4 +37,6 @@ profile update-ca-trust @{exec_path} { deny network inet stream, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-command-not-found b/apparmor.d/profiles-s-z/update-command-not-found index a6e3eb3b4..56c215402 100644 --- a/apparmor.d/profiles-s-z/update-command-not-found +++ b/apparmor.d/profiles-s-z/update-command-not-found @@ -47,3 +47,5 @@ profile update-command-not-found @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-cracklib b/apparmor.d/profiles-s-z/update-cracklib index 7c2d4c1b9..6b4192903 100644 --- a/apparmor.d/profiles-s-z/update-cracklib +++ b/apparmor.d/profiles-s-z/update-cracklib @@ -39,4 +39,6 @@ profile update-cracklib @{exec_path} { owner @{tmp}/sort@{rand6} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-dlocatedb b/apparmor.d/profiles-s-z/update-dlocatedb index fcf3c65b1..08687c6c8 100644 --- a/apparmor.d/profiles-s-z/update-dlocatedb +++ b/apparmor.d/profiles-s-z/update-dlocatedb @@ -62,3 +62,5 @@ profile update-dlocatedb @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index be61c82b0..fc62d99f2 100644 --- a/apparmor.d/profiles-s-z/update-initramfs 
+++ b/apparmor.d/profiles-s-z/update-initramfs @@ -53,3 +53,5 @@ profile update-initramfs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-pciids b/apparmor.d/profiles-s-z/update-pciids index 759166464..233ed60be 100644 --- a/apparmor.d/profiles-s-z/update-pciids +++ b/apparmor.d/profiles-s-z/update-pciids @@ -66,3 +66,5 @@ profile update-pciids @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy index 8c3db4b0d..8431fd1e6 100644 --- a/apparmor.d/profiles-s-z/update-secureboot-policy +++ b/apparmor.d/profiles-s-z/update-secureboot-policy @@ -34,3 +34,5 @@ profile update-secureboot-policy @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-smart-drivedb b/apparmor.d/profiles-s-z/update-smart-drivedb index 60c1de581..7140bbd5b 100644 --- a/apparmor.d/profiles-s-z/update-smart-drivedb +++ b/apparmor.d/profiles-s-z/update-smart-drivedb @@ -92,3 +92,5 @@ profile update-smart-drivedb @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/updatedb-mlocate b/apparmor.d/profiles-s-z/updatedb-mlocate index 6a2469e3a..9e470d878 100644 --- a/apparmor.d/profiles-s-z/updatedb-mlocate +++ b/apparmor.d/profiles-s-z/updatedb-mlocate @@ -64,3 +64,5 @@ profile updatedb-mlocate @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/updatedb.plocate b/apparmor.d/profiles-s-z/updatedb.plocate index 3b2cdd991..67ea546fd 100644 --- a/apparmor.d/profiles-s-z/updatedb.plocate +++ b/apparmor.d/profiles-s-z/updatedb.plocate @@ -38,3 +38,5 @@ profile updatedb.plocate @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/uptime b/apparmor.d/profiles-s-z/uptime index b0cb79a81..1b28a07da 100644 --- a/apparmor.d/profiles-s-z/uptime 
+++ b/apparmor.d/profiles-s-z/uptime
@@ -21,3 +21,5 @@ profile uptime @{exec_path} {
   include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/uptimed b/apparmor.d/profiles-s-z/uptimed
index 0c87a121b..a850d7771 100644
--- a/apparmor.d/profiles-s-z/uptimed
+++ b/apparmor.d/profiles-s-z/uptimed
@@ -19,4 +19,6 @@ profile uptimed @{exec_path} {
   @{run}/uptimed/uptimed.pid rw,
   include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/usb-devices b/apparmor.d/profiles-s-z/usb-devices
index 881e35c45..94e6526ab 100644
--- a/apparmor.d/profiles-s-z/usb-devices
+++ b/apparmor.d/profiles-s-z/usb-devices
@@ -13,20 +13,24 @@ profile usb-devices @{exec_path} {
   include
   include
-  capability dac_read_search,
-  deny capability dac_override,
+  capability dac_override,
+  capability dac_read_search,
+
+  @{exec_path} mr,
-  @{exec_path} r,
   @{sh_path} rix,
-
-  @{bin}/cat rix,
-  @{bin}/cut rix,
   @{bin}/{,e}grep rix,
   @{bin}/basename rix,
+  @{bin}/cat rix,
+  @{bin}/cut rix,
+  @{bin}/find rix,
   @{bin}/readlink rix,
+  @{bin}/sort rix,
   # For shell pwd
   /root/ r,
   include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/usbguard b/apparmor.d/profiles-s-z/usbguard
index 7ceb6038b..deb5ef46d 100644
--- a/apparmor.d/profiles-s-z/usbguard
+++ b/apparmor.d/profiles-s-z/usbguard
@@ -37,3 +37,5 @@ profile usbguard @{exec_path} {
   include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/usbguard-applet-qt b/apparmor.d/profiles-s-z/usbguard-applet-qt
index 6737abc6e..bc004b86f 100644
--- a/apparmor.d/profiles-s-z/usbguard-applet-qt
+++ b/apparmor.d/profiles-s-z/usbguard-applet-qt
@@ -36,7 +36,6 @@ profile usbguard-applet-qt @{exec_path} {
   owner @{run}/user/@{uid}/sni-qt_usbguard-applet-qt_@{int}-[a-zA-Z0-9]*/{,**} rw,
   owner @{PROC}/@{pid}/cmdline r,
-  @{PROC}/sys/kernel/core_pattern r,
   /usr/share/hwdata/pnp.ids r,
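Review bot: Replacing `deny capability dac_override,` with `capability dac_override,` in usb-devices grants the script more than reading sysfs needs. In my reading of the kernel's generic_permission(), a read on a file the caller cannot otherwise access probes CAP_DAC_OVERRIDE first and only then falls back to CAP_DAC_READ_SEARCH, so the old explicit deny was quieting that first probe while `dac_read_search` actually satisfied the access; the new rule additionally lets the confined shell and every tool it `rix`-executes (`find`, `sort`, `cat`, ...) bypass write-permission checks. Unless the audit log showed a `dac_override` denial that `dac_read_search` did not resolve, I would keep `deny capability dac_override,` and leave `capability dac_read_search,` as the only grant. If it is genuinely required, a one-line comment naming the operation that needs it would stop the next reviewer from reverting it.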
@@ -45,3 +44,5 @@ profile usbguard-applet-qt @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/usbguard-daemon b/apparmor.d/profiles-s-z/usbguard-daemon index f831200e0..d6c05f782 100644 --- a/apparmor.d/profiles-s-z/usbguard-daemon +++ b/apparmor.d/profiles-s-z/usbguard-daemon @@ -40,3 +40,5 @@ profile usbguard-daemon @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/usbguard-dbus b/apparmor.d/profiles-s-z/usbguard-dbus index f4cc7a4cb..b02524d55 100644 --- a/apparmor.d/profiles-s-z/usbguard-dbus +++ b/apparmor.d/profiles-s-z/usbguard-dbus @@ -23,3 +23,5 @@ profile usbguard-dbus @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/usbguard-notifier b/apparmor.d/profiles-s-z/usbguard-notifier index f8f2b75a5..48f88d0aa 100644 --- a/apparmor.d/profiles-s-z/usbguard-notifier +++ b/apparmor.d/profiles-s-z/usbguard-notifier @@ -20,3 +20,5 @@ profile usbguard-notifier @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd index 78cc81779..a6094867a 100644 --- a/apparmor.d/profiles-s-z/useradd +++ b/apparmor.d/profiles-s-z/useradd @@ -73,3 +73,5 @@ profile useradd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/userdel b/apparmor.d/profiles-s-z/userdel index 5c5b4f9bb..6b95a4848 100644 --- a/apparmor.d/profiles-s-z/userdel +++ b/apparmor.d/profiles-s-z/userdel @@ -55,3 +55,5 @@ profile userdel @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/usermod b/apparmor.d/profiles-s-z/usermod index 6c9dd9b2a..cfcdc6bdc 100644 --- a/apparmor.d/profiles-s-z/usermod +++ b/apparmor.d/profiles-s-z/usermod 
@@ -56,3 +56,5 @@ profile usermod @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/users b/apparmor.d/profiles-s-z/users index 684b489a3..fbad304bf 100644 --- a/apparmor.d/profiles-s-z/users +++ b/apparmor.d/profiles-s-z/users @@ -20,3 +20,5 @@ profile users @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/utmpdump b/apparmor.d/profiles-s-z/utmpdump index 3cb319f23..054bb69ce 100644 --- a/apparmor.d/profiles-s-z/utmpdump +++ b/apparmor.d/profiles-s-z/utmpdump @@ -18,3 +18,5 @@ profile utmpdump @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/utox b/apparmor.d/profiles-s-z/utox index 5a0c2cc81..e5642c263 100644 --- a/apparmor.d/profiles-s-z/utox +++ b/apparmor.d/profiles-s-z/utox @@ -39,3 +39,5 @@ profile utox @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/uuidd b/apparmor.d/profiles-s-z/uuidd index 2fd5956f5..c98d8175f 100644 --- a/apparmor.d/profiles-s-z/uuidd +++ b/apparmor.d/profiles-s-z/uuidd @@ -13,4 +13,6 @@ profile uuidd @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/uuidgen b/apparmor.d/profiles-s-z/uuidgen index 4a433508f..b00ed1f26 100644 --- a/apparmor.d/profiles-s-z/uuidgen +++ b/apparmor.d/profiles-s-z/uuidgen @@ -14,4 +14,6 @@ profile uuidgen @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/uupdate b/apparmor.d/profiles-s-z/uupdate index ffc6c4069..f49441ebf 100644 --- a/apparmor.d/profiles-s-z/uupdate +++ b/apparmor.d/profiles-s-z/uupdate @@ -52,3 +52,5 @@ profile uupdate @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/vcsi b/apparmor.d/profiles-s-z/vcsi index 9ceb9ec4b..37422840c 100644 --- a/apparmor.d/profiles-s-z/vcsi +++ b/apparmor.d/profiles-s-z/vcsi @@ -32,3 +32,5 @@ profile vcsi @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index b9c129559..226a0dd98 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter @@ -70,3 +70,5 @@ profile vidcutter @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/vipw-vigr b/apparmor.d/profiles-s-z/vipw-vigr index c6e58e7f5..835267c2d 100644 --- a/apparmor.d/profiles-s-z/vipw-vigr +++ b/apparmor.d/profiles-s-z/vipw-vigr @@ -49,3 +49,5 @@ profile vipw-vigr @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 68f52dd37..9fa13e500 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -100,3 +100,5 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index a457d6c89..5d113ba3b 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -85,3 +85,5 @@ profile vlc @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/vlc-cache-gen b/apparmor.d/profiles-s-z/vlc-cache-gen index bffbd8fc0..b464f1712 100644 --- a/apparmor.d/profiles-s-z/vlc-cache-gen +++ b/apparmor.d/profiles-s-z/vlc-cache-gen @@ -23,4 +23,6 @@ profile vlc-cache-gen @{exec_path} { deny network inet stream, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/vnstat b/apparmor.d/profiles-s-z/vnstat index 2a2f3b55a..25bdcfb1b 100644 --- a/apparmor.d/profiles-s-z/vnstat 
+++ b/apparmor.d/profiles-s-z/vnstat
@@ -68,3 +68,5 @@ profile vnstat @{exec_path} {
   include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/vnstatd b/apparmor.d/profiles-s-z/vnstatd
index a037c684d..c37c8b6d7 100644
--- a/apparmor.d/profiles-s-z/vnstatd
+++ b/apparmor.d/profiles-s-z/vnstatd
@@ -30,3 +30,5 @@ profile vnstatd @{exec_path} {
   include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/volumeicon b/apparmor.d/profiles-s-z/volumeicon
index 010b83789..c58381d7d 100644
--- a/apparmor.d/profiles-s-z/volumeicon
+++ b/apparmor.d/profiles-s-z/volumeicon
@@ -36,3 +36,5 @@ profile volumeicon @{exec_path} {
   include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/vsftpd b/apparmor.d/profiles-s-z/vsftpd
index 33915f7c5..aa45b805e 100644
--- a/apparmor.d/profiles-s-z/vsftpd
+++ b/apparmor.d/profiles-s-z/vsftpd
@@ -71,3 +71,5 @@ profile vsftpd @{exec_path} {
   include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/w b/apparmor.d/profiles-s-z/w
index 839080510..a3fc8c9e3 100644
--- a/apparmor.d/profiles-s-z/w
+++ b/apparmor.d/profiles-s-z/w
@@ -35,3 +35,5 @@ profile w @{exec_path} {
   include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/w3m b/apparmor.d/profiles-s-z/w3m
new file mode 100644
index 000000000..5b919ecc0
--- /dev/null
+++ b/apparmor.d/profiles-s-z/w3m
@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 valoq
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/w3m
+profile w3m @{exec_path} {
+  include
+  include
+  include
+  include
+  include
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+
+  @{exec_path} mr,
+
+  /usr/share/terminfo/{,**} r,
+
+  /etc/w3m/{,**} r,
+  owner @{HOME}/.w3m/{,**} r,
+  owner @{user_config_dirs}/w3m/{,**} r,
+
+  owner /tmp/@{rand6}/{,**} rw,
+
+  include if exists
+}
+
+# vim:syntax=apparmor
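Review bot: `owner /tmp/@{rand6}/{,**} rw,` in the new w3m profile hard-codes `/tmp` where every other temp-file rule in this changeset goes through the tunable (`owner @{tmp}/.swtpm_setup.pidfile* rw,` in swtpm_setup, `owner @{tmp}/wl-copy-buffer-*/{,**} rw,` in wl-copy); `owner @{tmp}/@{rand6}/{,**} rw,` keeps the rule consistent and still matches when a private tmp is in use. Separately, `owner @{HOME}/.w3m/{,**} r,` is read-only while `/etc/w3m` and `@{user_config_dirs}/w3m` are too, so if w3m writes its history or cookie files under `~/.w3m` (I have not verified that here) this will show up as denials; either confirm and grant `rw` on that directory, or add a comment stating the read-only choice is intentional. The include targets are not visible on this page (angle-bracketed paths were stripped), so I cannot tell which abstractions are pulled in.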
diff --git a/apparmor.d/profiles-s-z/wavemon b/apparmor.d/profiles-s-z/wavemon index 12299df81..9ec082580 100644 --- a/apparmor.d/profiles-s-z/wavemon +++ b/apparmor.d/profiles-s-z/wavemon @@ -30,3 +30,5 @@ profile wavemon @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/whatis b/apparmor.d/profiles-s-z/whatis index db62117f8..e99900304 100644 --- a/apparmor.d/profiles-s-z/whatis +++ b/apparmor.d/profiles-s-z/whatis @@ -30,3 +30,5 @@ profile whatis @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/whdd b/apparmor.d/profiles-s-z/whdd index 77e93426b..e5e111b8b 100644 --- a/apparmor.d/profiles-s-z/whdd +++ b/apparmor.d/profiles-s-z/whdd @@ -34,3 +34,5 @@ profile whdd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/whereis b/apparmor.d/profiles-s-z/whereis index c79baf349..330957a62 100644 --- a/apparmor.d/profiles-s-z/whereis +++ b/apparmor.d/profiles-s-z/whereis @@ -40,3 +40,5 @@ profile whereis @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index 6b24b8a71..32d0945e1 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -35,3 +35,5 @@ profile which @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail index 464d5862c..f2339717a 100644 --- a/apparmor.d/profiles-s-z/whiptail +++ b/apparmor.d/profiles-s-z/whiptail @@ -22,3 +22,5 @@ profile whiptail @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/who b/apparmor.d/profiles-s-z/who index 5a9ef26c6..bed53e7e6 100644 --- a/apparmor.d/profiles-s-z/who +++ b/apparmor.d/profiles-s-z/who @@ -22,3 +22,5 @@ profile who @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/whoami b/apparmor.d/profiles-s-z/whoami
index cb7e2bb81..3072d7da0 100644
--- a/apparmor.d/profiles-s-z/whoami
+++ b/apparmor.d/profiles-s-z/whoami
@@ -17,3 +17,5 @@ profile whoami @{exec_path} {
   include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber
index 143b9a4cc..146408bc7 100644
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@@ -76,3 +76,5 @@ profile wireplumber @{exec_path} {
   include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark
index 3c10760d3..ed8fd0efa 100644
--- a/apparmor.d/profiles-s-z/wireshark
+++ b/apparmor.d/profiles-s-z/wireshark
@@ -63,3 +63,5 @@ profile wireshark @{exec_path} {
   include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/wl-copy b/apparmor.d/profiles-s-z/wl-copy
index b961da104..3ea916395 100644
--- a/apparmor.d/profiles-s-z/wl-copy
+++ b/apparmor.d/profiles-s-z/wl-copy
@@ -15,6 +15,7 @@ profile wl-copy @{exec_path} {
   @{bin}/cat rix,
   @{bin}/rm rix,
+  @{bin}/cliphist rPUx,
   @{bin}/xdg-mime rPx,
   owner @{tmp}/wl-copy-buffer-*/{,**} rw,
@@ -22,4 +23,6 @@ profile wl-copy @{exec_path} {
   /dev/tty rw,
   include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/wmctrl b/apparmor.d/profiles-s-z/wmctrl
index ac3bf48fc..8d99da352 100644
--- a/apparmor.d/profiles-s-z/wmctrl
+++ b/apparmor.d/profiles-s-z/wmctrl
@@ -17,3 +17,5 @@ profile wmctrl @{exec_path} {
   include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/wpa-action b/apparmor.d/profiles-s-z/wpa-action
index 59c06ee50..3495849e7 100644
--- a/apparmor.d/profiles-s-z/wpa-action
+++ b/apparmor.d/profiles-s-z/wpa-action
@@ -40,3 +40,5 @@ profile wpa-action @{exec_path} {
   include if exists
 }
+
+# vim:syntax=apparmor
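Review bot: `@{bin}/cliphist rPUx,` in wl-copy falls back to running cliphist unconfined whenever no `cliphist` profile is loaded, and at that point the clipboard contents wl-copy is handing over leave confinement entirely; the neighbouring `@{bin}/xdg-mime rPx,` shows the stricter transition the file otherwise uses. If this repository ships a cliphist profile, `rPx` is the better choice; if it does not, a comment on the rule such as `# No cliphist profile yet; falls back to unconfined` would record that the fallback is deliberate rather than an oversight. `profile wl-copy` begins outside the hunk.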
diff --git a/apparmor.d/profiles-s-z/wpa-cli b/apparmor.d/profiles-s-z/wpa-cli
index 03c3db367..5edd2f177 100644
--- a/apparmor.d/profiles-s-z/wpa-cli
+++ b/apparmor.d/profiles-s-z/wpa-cli
@@ -25,3 +25,5 @@ profile wpa-cli @{exec_path} {
   include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/wpa-gui b/apparmor.d/profiles-s-z/wpa-gui
index 6718f20cc..ceefecbf2 100644
--- a/apparmor.d/profiles-s-z/wpa-gui
+++ b/apparmor.d/profiles-s-z/wpa-gui
@@ -35,3 +35,5 @@ profile wpa-gui @{exec_path} {
   include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant
index 0a16592a5..f3da61258 100644
--- a/apparmor.d/profiles-s-z/wpa-supplicant
+++ b/apparmor.d/profiles-s-z/wpa-supplicant
@@ -54,3 +54,5 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
   include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/wrmsr b/apparmor.d/profiles-s-z/wrmsr
index cbbc56b17..1ee5bd806 100644
--- a/apparmor.d/profiles-s-z/wrmsr
+++ b/apparmor.d/profiles-s-z/wrmsr
@@ -20,3 +20,5 @@ profile wrmsr @{exec_path} {
   include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd
index 46a3c40b6..92b0f360f 100644
--- a/apparmor.d/profiles-s-z/wsdd
+++ b/apparmor.d/profiles-s-z/wsdd
@@ -11,6 +11,10 @@ profile wsdd @{exec_path} {
   include
   include
+  network inet dgram,
+  network inet6 dgram,
+  network netlink raw,
+
   @{exec_path} mr,
   @{bin}/env r,
@@ -18,7 +22,11 @@ profile wsdd @{exec_path} {
   /etc/machine-id r,
+  owner /var/lib/libuuid/clock.txt rw,
+
   owner @{run}/user/@{uid}/gvfsd/wsdd w,
   include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver
index dccccc2b4..a5ec89fd9 100644
--- a/apparmor.d/profiles-s-z/xarchiver
+++ b/apparmor.d/profiles-s-z/xarchiver
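Review bot: `network netlink raw,` in the first wsdd hunk is added without a comment, and a netlink rule at this granularity covers every netlink protocol family (route, kobject-uevent, audit, ...), not just the routing socket a discovery daemon presumably uses to enumerate interfaces and addresses. A one-line comment such as `# Interface/address enumeration` (or whatever the audit log actually showed) would document why it is needed and make the rule reviewable later. The `owner /var/lib/libuuid/clock.txt rw,` in the second hunk looks fine as written: it is libuuid's state file for time-based UUIDs and the `owner` qualifier keeps it narrow. Both hunks sit inside `profile wsdd`, whose header is outside the hunk.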
@@ -100,3 +100,5 @@ profile xarchiver @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xauth b/apparmor.d/profiles-s-z/xauth index 02ab30427..f051fdc0c 100644 --- a/apparmor.d/profiles-s-z/xauth +++ b/apparmor.d/profiles-s-z/xauth @@ -42,3 +42,5 @@ profile xauth @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xautolock b/apparmor.d/profiles-s-z/xautolock index 3aebbe521..89de67bd1 100644 --- a/apparmor.d/profiles-s-z/xautolock +++ b/apparmor.d/profiles-s-z/xautolock @@ -30,3 +30,5 @@ profile xautolock @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xbacklight b/apparmor.d/profiles-s-z/xbacklight index 8d44638f6..19eb4a9f3 100644 --- a/apparmor.d/profiles-s-z/xbacklight +++ b/apparmor.d/profiles-s-z/xbacklight @@ -17,3 +17,5 @@ profile xbacklight @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xbrlapi b/apparmor.d/profiles-s-z/xbrlapi index f38beeca9..dc30114bd 100644 --- a/apparmor.d/profiles-s-z/xbrlapi +++ b/apparmor.d/profiles-s-z/xbrlapi @@ -19,3 +19,5 @@ profile xbrlapi @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xclip b/apparmor.d/profiles-s-z/xclip index 192f17104..378e8cae3 100644 --- a/apparmor.d/profiles-s-z/xclip +++ b/apparmor.d/profiles-s-z/xclip @@ -20,3 +20,5 @@ profile xclip @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xdpyinfo b/apparmor.d/profiles-s-z/xdpyinfo index 2bad9b330..902905d09 100644 --- a/apparmor.d/profiles-s-z/xdpyinfo +++ b/apparmor.d/profiles-s-z/xdpyinfo @@ -16,3 +16,5 @@ profile xdpyinfo @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index 03ec3ff92..521a182ba 100644 --- a/apparmor.d/profiles-s-z/xinit 
+++ b/apparmor.d/profiles-s-z/xinit
@@ -92,32 +92,12 @@ profile xinit @{exec_path} {
   profile udevadm {
     include
-
-    @{bin}/udevadm mr,
-
-    /etc/udev/udev.conf r,
-
-    @{run}/udev/data/* r,
-
-    @{sys}/bus/ r,
-    @{sys}/bus/*/devices/ r,
-    @{sys}/class/ r,
-    @{sys}/class/*/ r,
-    @{sys}/devices/**/uevent r,
-    @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
-
-    @{PROC}/1/environ r,
-    @{PROC}/1/sched r,
-    @{PROC}/cmdline r,
-    @{PROC}/sys/kernel/osrelease r,
-    owner @{PROC}/@{pid}/stat r,
-
-    # file_inherit
-    owner /dev/tty@{int} rw,
-    owner @{HOME}/.xsession-errors w,
+    include
     include if exists
   }
   include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/xinput b/apparmor.d/profiles-s-z/xinput
index 1c3304538..18eab6a78 100644
--- a/apparmor.d/profiles-s-z/xinput
+++ b/apparmor.d/profiles-s-z/xinput
@@ -18,3 +18,5 @@ profile xinput @{exec_path} {
   include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/xsel b/apparmor.d/profiles-s-z/xsel
index 9fb9593d3..949aa19f7 100644
--- a/apparmor.d/profiles-s-z/xsel
+++ b/apparmor.d/profiles-s-z/xsel
@@ -27,3 +27,5 @@ profile xsel @{exec_path} {
   include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/yadifad b/apparmor.d/profiles-s-z/yadifad
index 0e03b9f7f..c22e3cdd9 100644
--- a/apparmor.d/profiles-s-z/yadifad
+++ b/apparmor.d/profiles-s-z/yadifad
@@ -32,3 +32,5 @@ profile yadifad @{exec_path} {
   include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl
index 23d6b16e6..85da6bfe0 100644
--- a/apparmor.d/profiles-s-z/youtube-dl
+++ b/apparmor.d/profiles-s-z/youtube-dl
@@ -60,3 +60,5 @@ profile youtube-dl @{exec_path} {
   include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/youtube-viewer b/apparmor.d/profiles-s-z/youtube-viewer
index 92c60e389..1c405e8fe 100644
--- a/apparmor.d/profiles-s-z/youtube-viewer
+++ b/apparmor.d/profiles-s-z/youtube-viewer
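Review bot: The rewritten `udevadm` child profile in xinit drops the `# file_inherit` rules (`owner /dev/tty@{int} rw,` and `owner @{HOME}/.xsession-errors w,`) together with the rest of the hand-written body, but those two describe descriptors inherited from xinit rather than anything udevadm opens itself, so the abstraction now pulled in by the new `include` is unlikely to cover them unless it was written with this caller in mind. Expect file_inherit denials on the tty and on `.xsession-errors` when xinit spawns udevadm; keeping those two rules next to the new include, or adding a comment stating where they are now granted, would settle it. The include targets are not visible on this page (angle-bracketed paths were stripped), and `profile xinit` begins outside the hunk.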
@@ -66,3 +66,5 @@ profile youtube-viewer @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/yt-dlp b/apparmor.d/profiles-s-z/yt-dlp index d147f3a65..c71b87efd 100644 --- a/apparmor.d/profiles-s-z/yt-dlp +++ b/apparmor.d/profiles-s-z/yt-dlp @@ -46,3 +46,5 @@ profile yt-dlp @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ytdl b/apparmor.d/profiles-s-z/ytdl index 452eef3f5..230e15f80 100644 --- a/apparmor.d/profiles-s-z/ytdl +++ b/apparmor.d/profiles-s-z/ytdl @@ -43,3 +43,5 @@ profile ytdl @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/zathura b/apparmor.d/profiles-s-z/zathura index 98f218e13..b055fe31b 100644 --- a/apparmor.d/profiles-s-z/zathura +++ b/apparmor.d/profiles-s-z/zathura @@ -29,3 +29,5 @@ profile zathura @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index 1ce392886..c966ce839 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -57,3 +57,5 @@ profile zed @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/zenmap b/apparmor.d/profiles-s-z/zenmap index 2136952ad..bc4090be8 100644 --- a/apparmor.d/profiles-s-z/zenmap +++ b/apparmor.d/profiles-s-z/zenmap @@ -42,3 +42,5 @@ profile zenmap @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs index cb36774d0..9538b9c13 100644 --- a/apparmor.d/profiles-s-z/zfs +++ b/apparmor.d/profiles-s-z/zfs @@ -34,3 +34,5 @@ profile zfs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index aad07309a..7d12cf3b7 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool 
@@ -42,3 +42,5 @@ profile zpool @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/zsys-system-autosnapshot b/apparmor.d/profiles-s-z/zsys-system-autosnapshot index 0732978e9..653690898 100644 --- a/apparmor.d/profiles-s-z/zsys-system-autosnapshot +++ b/apparmor.d/profiles-s-z/zsys-system-autosnapshot @@ -28,3 +28,5 @@ profile zsys-system-autosnapshot @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd index d492635eb..c325e216d 100644 --- a/apparmor.d/profiles-s-z/zsysd +++ b/apparmor.d/profiles-s-z/zsysd @@ -44,3 +44,5 @@ profile zsysd @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d index 5b8204163..c23a8d956 100644 --- a/apparmor.d/tunables/home.d/apparmor.d +++ b/apparmor.d/tunables/home.d/apparmor.d @@ -12,22 +12,23 @@ # First part, second part in /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d # Extra user personal directories +@{XDG_SCREENSHOTS_DIR}="Pictures/Screenshots" +@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers" @{XDG_BOOKS_DIR}="Books" +@{XDG_GAMES_DIR}=".games" @{XDG_PROJECTS_DIR}="Projects" @{XDG_WORK_DIR}="Work" +@{XDG_MAIL_DIR}="Mail" ".{m,M}ail" @{XDG_SYNC_DIR}="Sync" @{XDG_TORRENTS_DIR}="Torrents" -@{XDG_GAMES_DIR}=".games" @{XDG_VM_DIR}=".vm" @{XDG_VM_SHARES_DIR}="VM_Shares" @{XDG_IMG_DIR}="images" -@{XDG_MAIL_DIR}="Mail" ".{m,M}ail" -@{XDG_SCREENSHOTS_DIR}="Pictures/Screenshots" -@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers" +@{XDG_GAMESSTUDIO_DIR}="unity3d" # User personal keyrings -@{XDG_SSH_DIR}=".ssh" @{XDG_GPG_DIR}=".gnupg" +@{XDG_SSH_DIR}=".ssh" @{XDG_PASSWORD_STORE_DIR}=".password-store" # User personal private directories 
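Review bot: `@{XDG_GAMESSTUDIO_DIR}="unity3d"` is added to the "Extra user personal directories" block, but the "Other user directories" block rewritten in the next hunk of this file defines `@{user_*_dirs}` aggregates for books, games, private, password_store, work, mail, projects, sync, torrents and vm and none for it, so profiles would have to spell out `@{HOME}/@{XDG_GAMESSTUDIO_DIR}` themselves and would miss the `@{MOUNTS}` variant the others get. Unless the omission is deliberate, add `@{user_gamesstudio_dirs}=@{HOME}/@{XDG_GAMESSTUDIO_DIR} @{MOUNTS}/@{XDG_GAMESSTUDIO_DIR}` alongside the other aggregates so the variable is used the same way everywhere. The reordering of `@{XDG_SSH_DIR}`/`@{XDG_GPG_DIR}` is fine as-is.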
@@ -44,9 +45,9 @@ # Full path of the user configuration directories @{user_cache_dirs}=@{HOME}/@{XDG_CACHE_DIR} @{user_config_dirs}=@{HOME}/@{XDG_CONFIG_DIR} -@{user_state_dirs}=@{HOME}/@{XDG_STATE_DIR} @{user_bin_dirs}=@{HOME}/@{XDG_BIN_DIR} @{user_lib_dirs}=@{HOME}/@{XDG_LIB_DIR} +@{user_state_dirs}=@{HOME}/@{XDG_STATE_DIR} # User build directories and output @{user_build_dirs}="/tmp/build/" @@ -57,11 +58,13 @@ # Other user directories @{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR} @{user_games_dirs}=@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR} +@{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR} +@{user_password_store_dirs}=@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR} +@{user_work_dirs}=@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR} @{user_mail_dirs}=@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR} @{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR} @{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR} @{user_torrents_dirs}=@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR} @{user_vm_dirs}=@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR} -@{user_work_dirs}=@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR} -@{user_password_store_dirs}=@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR} -@{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR} + +# vim:syntax=apparmor diff --git a/apparmor.d/tunables/home.d/whonix b/apparmor.d/tunables/home.d/whonix index f462036f9..e3c3f3d8a 100644 --- a/apparmor.d/tunables/home.d/whonix +++ b/apparmor.d/tunables/home.d/whonix @@ -70,3 +70,5 @@ alias /etc/timezone -> /etc/timezone.anondist-orig, alias /etc/timezone -> /etc/timezone.anondist, alias /etc/tor/torrc -> /etc/tor/torrc.anondist-orig, alias /etc/tor/torrc -> /etc/tor/torrc.anondist, + +# vim:syntax=apparmor 
diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index 45dfea041..67f32bf8c 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -53,3 +53,5 @@ # Office suites @{offices_path} = @{bin}/@{offices} @{lib}/libreoffice/program/soffice + +# vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index 5a8348110..dd9386b09 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -10,3 +10,5 @@ # Name of the systemd profiles. Can be `unconfined` or `systemd`, `systemd-user` @{p_systemd}=unconfined @{p_systemd_user}=unconfined + +# vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 33feb30e6..a118d0cbe 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -68,3 +68,5 @@ # Office suites @{offices} = libreoffice soffice + +# vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 300a46b84..d219c1d4d 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -88,3 +88,5 @@ # OpenSUSE does not have the same multiarch structure @{multiarch}+=*-suse-linux* #aa:only opensuse + +# vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index f39013def..885913da3 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -31,3 +31,5 @@ @{desktop_config_dirs}=@{gdm_config_dirs} @{sddm_config_dirs} @{lightdm_config_dirs} @{desktop_local_dirs}=@{gdm_local_dirs} @{sddm_local_dirs} @{lightdm_local_dirs} @{desktop_share_dirs}=@{gdm_share_dirs} @{sddm_share_dirs} @{lightdm_share_dirs} + +# vim:syntax=apparmor 
diff --git a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d index 7476a1678..00231cbce 100644 --- a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d +++ b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d @@ -18,9 +18,11 @@ @{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR} @{user_music_dirs}=@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR} @{user_pictures_dirs}=@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR} +@{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR} @{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR} @{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR} -@{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR} @{user_vm_shares}=@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR} include if exists + +# vim:syntax=apparmor diff --git a/dists/docker.sh b/dists/docker.sh index 19a8737ae..500918c5f 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -100,7 +100,7 @@ build_in_docker_rpm() { docker pull "$BASEIMAGE/$dist" docker run -tid --name "$img" --volume "$VOLUME:$BUILDIR" \ "$BASEIMAGE/$dist" - docker exec "$img" sudo zypper install -y distribution-release golang-packaging rsync + docker exec "$img" sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh rpm diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 4770b79eb..814123c81 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags 
@@ -298,11 +298,13 @@ startplasma complain startx attach_disconnected,complain steam attach_disconnected,mediate_deleted,complain steam-fossilize attach_disconnected,complain -steam-game attach_disconnected,complain +steam-game-native attach_disconnected,complain +steam-game-proton attach_disconnected,complain steam-gameoverlayui attach_disconnected,complain -steam-reaper attach_disconnected,complain -steam-runtime complain -steamerrorreporter complain +steam-launch complain +steam-launcher attach_disconnected,complain +steam-runtime attach_disconnected,complain +steamerrorreporter attach_disconnected,complain sulogin complain switcherooctl complain swtpm complain diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore index 795fbf1c7..0e89a76c5 100644 --- a/dists/ignore/main.ignore +++ b/dists/ignore/main.ignore @@ -17,8 +17,10 @@ man plasma-discover steam steam-fossilize -steam-game +steam-game-native +steam-game-proton steam-gameoverlayui -steam-reaper +steam-launch +steam-launcher steam-runtime steamerrorreporter diff --git a/docs/concepts.md b/docs/concepts.md index 503b7a6aa..eb4ccbbc4 100644 --- a/docs/concepts.md +++ b/docs/concepts.md 
@@ -8,7 +8,7 @@ There are over 50000 Linux packages and even more applications. It is simply not **What to confine and why?** -We take inspiration from the [Android/ChromeOS Security Model](https://arxiv.org/pdf/1904.05572v2.pdf), and we apply it to the Linux world. Modern [Linux security distributions](https://clip-os.org/en/) usually consider an immutable core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the *core* applications you will usually find in a Linux system: all systemd services, xwayland, network, bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox...). +We take inspiration from the [Android/ChromeOS Security Model](https://arxiv.org/pdf/1904.05572v2.pdf), and we apply it to the Linux world. Modern [Linux security distributions](https://clip-os.org/en/) usually consider an immutable core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the *core* applications you will usually find in a Linux system: all systemd services, xwayland, network, bluetooth, your desktop environment, etc. Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox, etc). This is fundamentally different from how AppArmor is usually used on Linux servers as it is common to only confine the applications that face the internet and/or the users. diff --git a/docs/configuration.md b/docs/configuration.md index c367de4d2..e784dcb82 100644 --- a/docs/configuration.md +++ b/docs/configuration.md 
@@ -65,7 +65,7 @@ directories. Example: @{XDG_PROJECTS_DIR}+="Git" "Papers" ``` -Then restart the apparmor service to reload the profiles in the kernel: +Then restart the AppArmor service to reload the profiles in the kernel: ```sh sudo systemctl restart apparmor.service ``` @@ -105,4 +105,4 @@ You can extend any profile with your own rules by creating a file in the `/etc/a `rPx` allows transition to the Firefox profile. Use `rPUx` to allow transition to an unconfined state if you do not have the profile for a given program. -Then, reload the apparmor rules with `sudo systemctl restart apparmor`. +Then, reload the AppArmor rules with `sudo systemctl restart AppArmor`. diff --git a/docs/development/abstractions.md b/docs/development/abstractions.md index 07d147d6e..82c7f4b04 100644 --- a/docs/development/abstractions.md +++ b/docs/development/abstractions.md @@ -2,11 +2,11 @@ title: Abstractions --- -This project and the apparmor profile official project provide a large selection of abstractions to be included in profiles. They should always be used as they target wide compatibility across hardware and distribution wile only allowing the bare minimum access. +This project and the official apparmor-profiles project provide a large selection of abstractions to be included in profiles. They should always be used as they target wide compatibility across hardware and distributions while only allowing the bare minimum access. !!! example - For instance, to allow download directory access, instead of writing: + For instance, to allow download directory access instead of read and write permissions: ```sh owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw, ``` 
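Review bot: The second hunk of `docs/configuration.md` turns a working shell command into a broken one: systemd unit names are case-sensitive, so `sudo systemctl restart AppArmor` will fail with a unit-not-found error, while the first hunk in the same file correctly keeps `sudo systemctl restart apparmor.service`. The capitalisation fix should apply only to the prose, leaving the command as `Then, reload the AppArmor rules with `sudo systemctl restart apparmor`.` or, for consistency with the earlier example, `sudo systemctl restart apparmor.service`.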
@@ -21,13 +21,13 @@ All of these abstractions can be extended by a system admin by adding rules in a ## Application helper -Abstraction that aim at including a complete set of rule for a given program. The calling profile only need to add rules dependant of its use case/program. +Abstraction that aims at including a complete set of rules for a given program. The calling profile only needs to add rules dependant of its use case/program. It is mostly useful for program often used in sub profile or for forks based on the same upstream. ### **`app/chromium`** -Full set of rules for all chromium based browsers. It works as a *function* and requires some variables to be provided as *arguments* and set in the header of the calling profile: +A full set of rules for all chromium based browsers. It works as a *function* and requires some variables to be provided as *arguments* and to be set in the header of the calling profile: !!! note "" @@ -49,7 +49,7 @@ instead. ### **`app/sudo`** -Minimal set of rules for profile including internal `sudo`. Interactive sudo need more rules. It is intended to be used in profile or sub profile that need to elevate their privileges using `sudo` or `su` for a very specific action: +A minimal set of rules for profiles including internal `sudo`. Interactive sudo needs more rules. It is intended to be used in profiles or sub-profiles that need to elevate their privileges using `sudo` or `su` for a very specific action: ```sh @{bin}/sudo rCx -> root, 
@@ -63,7 +63,7 @@ Minimal set of rules for profile including internal `sudo`. Interactive sudo nee ### **`app/systemctl`** -Alternative solution for [child-systemctl](structure.md#children-profiles), when the child profile provide too much/not enough access. This abstraction should be used by a sub profile as follows: +An alternative solution for [child-systemctl](structure.md#children-profiles), when the child profile provides too much/not enough access. This abstraction should be used by a sub profile as follows: ```sh @{bin}/systemctl rCx -> systemctl, @@ -82,7 +82,7 @@ On the contrary of [`abstractions/app/`](#application-helper), abstractions in t ### **`common/app`** -Common rules for unknown userland UI applications sandboxed using `bwrap`. +Common rules for unknown userland UI applications that are sandboxed using `bwrap`. !!! warning @@ -93,11 +93,11 @@ Common rules for unknown userland UI applications sandboxed using `bwrap`. ### **`common/apt`** -Minimal access to apt sources, preferences and configuration. +Minimal access to apt sources, preferences, and configuration. ### **`common/bwrap`** -Minimal set of rules for sandboxed program using `bwrap`. A profile using this abstraction still needs to set: +Minimal set of rules for sandboxed programs using `bwrap`. A profile using this abstraction still needs to set: - The flag: `attach_disconnected` - Bwrap execution: `@{bin}/bwrap rix,` 
@@ -105,12 +105,12 @@ Minimal set of rules for sandboxed program using `bwrap`. A profile using this a ### **`common/chromium`** -Minimal set of rules for chromium based application. Handle access for internal sandbox. +A minimal set of rules for chromium based application. Handle access for internal sandbox. ### **`common/electron`** -Minimal set of rules for all electron based UI application. It works as a *function* and requires some variables to be provided as *arguments* and set in the header of the calling profile: +A minimal set of rules for all electron based UI applications. It works as a *function* and requires some variables to be provided as *arguments* and set in the header of the calling profile: !!! note "" @@ -139,7 +139,7 @@ Most programs do not need access to audio devices, `audio-client` only includes ### **`audio-server`** -Provide access to audio devices. It should only be used by audio servers that need direct access to them. +Provides access to audio devices. It should only be used by audio servers that need direct access to them. ## Dbus 
@@ -156,16 +156,16 @@ This abstraction gives read access on all defined user directories. It should on ### **`user-download-strict`** -Provide write access to all user download directories +Provides write access to all user download directories ### **`deny-sensitive-home`** -Deny access to some sensitive directories under `/home/`. It is intended to be used by the few profiles that legitimately require full unrestricted access over all user directories (file browser and search engines). It allows to us to block access to really sensitive data to such profiles. +Denies access to some sensitive directories under `/home/`. It is intended to be used by the few profiles that legitimately require full unrestricted access over all user directories (file managers and search engines). It allows to us to block access to really sensitive data to such profiles. !!! danger - **Do not use this abstraction for other profile without explicit authorisation from the project maintainer** + **Do not use this abstraction for other profiles without explicit authorisation from the project maintainer** Per the **[Rule :material-numeric-1-circle:](index.md#rule-mandatory-access-control)** of this project: @@ -205,7 +205,7 @@ Common rules for interactive shell using zsh. ### **`nameservice-strict`** -Many programs wish to perform nameservice like operations, such as looking up users by name or Id, groups by name or Id, hosts by name or IP, etc. +Many programs wish to perform nameservice like operations, such as looking up users by name or ID, groups by name or ID, hosts by name or IP, etc. Use this abstraction instead of upstream `abstractions/nameservice` as upstream abstraction also provide full network access which is not needed for a lot of programs. 
@@ -218,36 +218,36 @@ Instead of allowing the run of all software under `@{bin}` or `@{lib}` the purpo ### **`devices-usb`** -Provide access to USB devices +Provides access to USB devices ### **`disks-write`** -Provide read write access to disks devices +Provides read write access to disks devices ### **`disks-read`** -Provide read only access to disks devices +Provides read-only access to disks devices ## Desktop Environment ### **`desktop`** -Unified minimal abstraction for all UI application regardless of the desktop environment. When supported in apparmor, condition will be used in this abstraction to filter resources specific for supported DE. +Unified minimal abstraction for all UI applications regardless of the desktop environment. When supported in apparmor, the condition will be used in this abstraction to filter resources specific for supported DE. -It is safe to use it in GUI application. As well as minimal desktop resource files, it includes access to configuration for: `fonts`, `gtk` & `qt`, `wayland` & `xorg`. +It is safe to use this in GUI applications as well as minimal desktop resource files, it includes access to configuration for: `fonts`, `gtk` & `qt`, `wayland` & `xorg`. ### **`gnome-strict`** -Same than `abstractions/desktop` but limited to gnome. +Same as `abstractions/desktop` but limited to gnome. ### **`kde-strict`** -Same than `abstractions/desktop` but limited to KDE. +Same as `abstractions/desktop` but limited to KDE. ## Graphics -Use either [`graphics`](#graphics) or [`graphics-full`](#graphics-full). The other abstractions are hardware/software dependant and should not usually be used directly. +Use either [`graphics`](#graphics) or [`graphics-full`](#graphics-full). The other abstractions are hardware/software dependent and should not usually be used directly. ### **`graphics`** 
@@ -261,7 +261,7 @@ Identical to [`graphics`](#graphics) with more direct access to nvidia GPU devic ### **`dri`** -Linux's graphics stack which allows unprivileged user-space programs to issue commands to graphics hardware without conflicting with other programs. Mostly used by Intel (integrated or not) and AMD GPU. +Linux's graphics stack which allows unprivileged user-space programs to issue commands to graphics hardware without conflicting with other programs. Mostly used by Intel (integrated or not) and AMD GPUs. Modernized equivalent of both `dri-common` and `dri-enumerate` diff --git a/docs/development/dbus.md b/docs/development/dbus.md index 1c8e2e971..98b46501c 100644 --- a/docs/development/dbus.md +++ b/docs/development/dbus.md 
@@ -2,19 +2,19 @@ title: Dbus --- -All dbus rules are labelled under the name of the given profiles that provide dbus data. It is one of the value added by this project, as we have profile for *everything*, we can restrict the bus further by limitint connection to a given peer label (the profile name). In case of a renaming of a profile, all dbus rules related it this profile need to be updated accordingly. +All dbus rules are labelled under the name of the given profiles that provide dbus data. It is one of the value added by this project, as we have profiles for *everything*, we can restrict the bus further by limiting connection to a given peer label (the profile name). In the case of renaming a profile, all dbus rules related in this profile need to be updated accordingly. ## Profiles Regardless of the Dbus implementation used (`dbus-daemon` or `dbus-broker`), all dbus daemons are handled under the same set of profiles: [`dbus-system`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/bus/dbus-system), [`dbus-session`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/bus/dbus-session), and [`dbus-accessibility`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/bus/dbus-accessibility). This structure largely improves the confinement of each profile. -To ensure system and session bus are handled by a different profile, a [systemd drop-in](https://github.com/roddhjav/apparmor.d/blob/main/systemd/default/system/dbus.service) configuration file is used to set the specific dbus profile a dbus service must use. +To ensure the system and session bus are handled by a different profile, a [systemd drop-in](https://github.com/roddhjav/apparmor.d/blob/main/systemd/default/system/dbus.service) configuration file is used to set the specific dbus profile that a dbus service must use. 
## Abstractions ### Base -Default **system**, **session** and **accessibility** bus access are provided with the abstraction: +Default **system**, **session**, and **accessibility** bus access are provided with the following abstractions: - `abstractions/bus-system` - `abstractions/bus-session` @@ -22,13 +22,13 @@ Default **system**, **session** and **accessibility** bus access are provided wi ### Interfaces -Access to common dbus interface is done using the abstractions under **[`abstractions/bus/`](https://github.com/roddhjav/apparmor.d/tree/main/apparmor.d/abstractions/bus)**. They are kept minimal on purpose. The goal is not to give full talk access an interface but to provide a *read-only* like view of it. It may be required to have a look at the dbus interface documentation to check what method can be safely allowed. +Access to common dbus interfaces is done using the abstractions under **[`abstractions/bus/`](https://github.com/roddhjav/apparmor.d/tree/main/apparmor.d/abstractions/bus)**. They are kept minimal on purpose. The goal is not to give full talk access an interface but to provide a *read-only* like view of it. It may be required to have a look at the dbus interface documentation to check what method can be safely allowed. For more access, simply use the [`aa:dbus talk`](#dbus-directive) directive. ## Dbus Directive -We use a special [directive](directives.md) to generate more advanced dbus access. The directive format is on purpose very similar to the apparmor dbus rule. +We use a special [directive](directives.md) to generate more advanced dbus access. The directive format is on purpose very similar to the AppArmor dbus rule. **Format** 
@@ -40,8 +40,8 @@ We use a special [directive](directives.md) to generate more advanced dbus acces : Access type. Can be `own` or `talk`: - - `own` means the profile own the dbus interface. It is allowed to send and receive from anyone on this interface. - - `talk` means the profile can talk on a given interface to the profile owning it (that must be given under the `label` option). + - `own` means the profile owns the dbus interface. It is allowed to send and receive from anyone on this interface. + - `talk` means the profile can talk on a given interface to the profile that owns it (a label must be given under the `label` option). **``** @@ -64,7 +64,7 @@ We use a special [directive](directives.md) to generate more advanced dbus acces : Can optionally be given when it is different to the dbus name. -Note: ``, `` and `` are mandatory and will break the build if ignored. +Note: ``, ``, and `` are mandatory and will break the build if ignored. **Example** @@ -78,7 +78,7 @@ Allow owning a dbus interface: #aa:dbus own bus=system name=org.freedesktop.NetworkManager ``` -Allow talking to a dbus interface on a given profile +Allow talking to a dbus interface on a given profile: !!! note "" @@ -142,4 +142,4 @@ Allow talking to a dbus interface on a given profile peer=(name="{:1.@{int},org.freedesktop.login1{,.*}}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.Accounts{,.*} - ``` \ No newline at end of file + ``` diff --git a/docs/development/directives.md b/docs/development/directives.md index 877001adb..9cff8840e 100644 --- a/docs/development/directives.md +++ b/docs/development/directives.md 
@@ -2,7 +2,7 @@ title: Directives --- -`apparmor.d` supports build directives, they are processed at build time of the project, when running `make`. They are valid apparmor comment, therefore, `apparmor_parser` can be used on a profile even if the directives have not been processed. They should not end with a comma. Multiline directive is not supported. +`apparmor.d` supports build directives, they are processed at build time of the project. They are valid AppArmor comments, therefore, `apparmor_parser` can be used on a profile even if the directives have not been processed. They should not end with a comma. Multiline directive is not supported. The directives follow the format: ```sh @@ -25,7 +25,7 @@ See the [dbus page](dbus.md#dbus-directive). ## Only, Exclude -The `only` and `exclude` directives can be used to filter individual rule or rule paragraph depending on the target distribution of distribution family. +The `only` and `exclude` directives can be used to filter individual rule or rule paragraphs depending on the target distribution or distribution family. **Format** 
@@ -58,12 +58,12 @@ The `only` and `exclude` directives can be used to filter individual rule or rul `#aa:only pacman` : - Remove the line/paragraph when the project is not compiled on the Archlinux family. + Remove the line/paragraph when the project is not compiled on the Arch Linux family. ## Exec -The `exec` directive is useful to allow executing transition to a profile without having to manage the possible long list of profile attachment (it varies depending on the distribution). The directive parse and resolve the attachment variable (`@{exec_path}`) of the target profile and include it in the current profile. +The `exec` directive is useful to allow executing transitions to a profile without having to manage the possible long list of profile attachments (it varies depending on the distribution). The directives parse and resolve the attachment variable (`@{exec_path}`) of the target profile and includes it in the current profile. **Format** @@ -73,7 +73,7 @@ The `exec` directive is useful to allow executing transition to a profile withou **`profiles...`** -: List of profile **file** that can be executed from the current profile. +: List of profile **files** that can be executed from the current profile. **`[transition]`** @@ -113,7 +113,7 @@ The `exec` directive is useful to allow executing transition to a profile withou **`profiles...`** -: List a profile **file** to stack at the end of the current profile. +: List a profile **files** to stack at the end of the current profile. **Example** diff --git a/docs/development/guidelines.md b/docs/development/guidelines.md index 4e5e1af7e..b359576aa 100644 --- a/docs/development/guidelines.md +++ b/docs/development/guidelines.md 
@@ -4,11 +4,11 @@ title: Guidelines ## Common structure -AppArmor profiles can be written without any specific guidelines. However, when you work with over 1400 profiles, you need a common structure among all the profiles. +AppArmor profiles can be written without any specific guidelines. However, when you work with over 1500 profiles, you need a common structure among all the profiles. -The logic behind it is that if a rule is present in a profile, it should only be in one place, making profile review easier. +The logic behind it is that if a rule is present in a profile, it should only be in one place, making it easier to review profiles. -For example, if a program needs to run executables binary. The rules allowing it can only be in a specific rule block (just after the `@{exec_path} mr,` rule). It is therefore easy to ensure some profile features such as: +For example, if a program needs to run executable binaries then the rules allowing it can only be in a specific rule block (just after the `@{exec_path} mr,` rule). It is therefore easy to ensure some profile features such as: * A profile has access to a given resource * A profile enforces a strict [write xor execute] (W^X) policy. @@ -50,7 +50,7 @@ The rules in the profile should be sorted in the rule ***block*** as follows: This rule order is taken from AppArmor with minor changes as we tend to: -- Divide the file block in multiple subcategories +- Divide the file block into multiple subcategories - Put the block with the longer rules (`files`, `dbus`) after the other blocks ### The file block @@ -93,7 +93,7 @@ If there is no predictable label it can be omitted. #### :material-numeric-1-circle: Variables -: Always use the apparmor [variables](../variables.md). +: Always use the apparmor.d [variables](../variables.md). Example: - `/usr/lib` or `/usr/bin` become `@{bin}` or `@{lib}` 
@@ -101,15 +101,15 @@ If there is no predictable label it can be omitted. #### :material-numeric-2-circle: Sort -: In a rule block, the rules must be alphabetically sorted. +: In a rule block, all rules must be alphabetically sorted. -#### :material-numeric-3-circle: Sub profile +#### :material-numeric-3-circle: Sub-profiles -: Sub profile should come at the end of a profile. +: Sub-profiles should come at the end of a profile. #### :material-numeric-4-circle: Similar purpose -: When some rules share similar purpose, they may be sorted together. Eg: +: When some rules share similar purposes, they may be sorted together. E.g.: ``` /etc/machine-id r, /var/lib/dbus/machine-id r, @@ -119,7 +119,7 @@ If there is no predictable label it can be omitted. ## Additional recommended documentation * [The AppArmor Core Policy Reference](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference) -* [The OpenSUSE Documentation](https://doc.opensuse.org/documentation/leap/security/html/book-security/part-apparmor.html) +* [The openSUSE Documentation](https://doc.opensuse.org/documentation/leap/security/html/book-security/part-apparmor.html) * https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-apparmor-intro.html * [The AppArmor.d man page](https://man.archlinux.org/man/apparmor.d.5) * [F**k AppArmor](https://presentations.nordisch.org/apparmor/#/) diff --git a/docs/development/index.md b/docs/development/index.md index 72029af86..c12226a7a 100644 --- a/docs/development/index.md +++ b/docs/development/index.md 
@@ -2,15 +2,15 @@ title: Development --- -You want to contribute to `apparmor.d`, **thanks a lot for this.** Feedbacks, contributors, pull requests are all very welcome. You will find in this page all the useful information needed to contribute. +If you're looking to contribute to `apparmor.d` you can get started by going to the project [GitHub repository](https://github.com/roddhjav/apparmor.d/)! All contributions are welcome no matter how small. In this page you will find all the useful information needed to contribute to the apparmor.d project. -??? info "How to contribute" +??? info "How to contribute pull requests" 1. If you don't have git on your machine, [install it](https://help.github.com/articles/set-up-git/). - 2. Fork this repo by clicking on the fork button on the top of the [project Github][project] page. - 3. Clone the repository and go to the directory: + 2. Fork this repo by clicking on the fork button on the top of the [project GitHub][project] page. + 3. Clone the forked repository and go to the directory: ```sh - git clone https://github.com/this-is-you/apparmor.d.git + git clone https://github.com/your-github-username/apparmor.d.git cd apparmor.d ``` 4. Create a branch: @@ -20,7 +20,7 @@ You want to contribute to `apparmor.d`, **thanks a lot for this.** Feedbacks, co 5. Make the changes and commit: ``` git add - git commit -m "A message for sum up my contribution" + git commit -m "A message to sum up my contribution" ``` 6. Push changes to GitHub: ``` 
@@ -34,13 +34,13 @@ You want to contribute to `apparmor.d`, **thanks a lot for this.** Feedbacks, co #### Rule :material-numeric-1-circle: - Mandatory Access Control -: As these are mandatory access control policies only what is explicitly required +: As these are mandatory access control policies **only** what is explicitly required should be authorized. Meaning, you should **not** allow everything (or a large area) and deny some sub areas. #### Rule :material-numeric-2-circle: - Do not break a program -: A profile **should not break a normal usage of the confined software**. It can +: A profile **should not break a normal usage of the confined software**. this can be complex as simply running the program for your own use case is not always exhaustive of the program features and required permissions. @@ -50,7 +50,7 @@ You want to contribute to `apparmor.d`, **thanks a lot for this.** Feedbacks, co #### Rule :material-numeric-4-circle: - Distribution and devices agnostic -: A profile should be compatible with all distributions, software and devices +: A profile should be compatible with all distributions, software, and devices in the Linux world. You cannot deny access to resources you do not use on your devices or for your use case. @@ -85,6 +85,8 @@ profile foo @{exec_path} { include if exists } + +# vim:syntax=apparmor ``` diff --git a/docs/development/install.md b/docs/development/install.md index 83409e2d3..74271c13c 100644 --- a/docs/development/install.md +++ b/docs/development/install.md 
@@ -6,20 +6,20 @@ title: Installation !!! warning - Do **not** install this project *"manually"* (with `make`, `sudo make install`). The distribution specific packages are intended to be used in development as they include additional rule to ensure compatibility with upstream. + Do **not** install this project *"manually"* (with `make`, `sudo make install`). The distribution specific packages are intended to be used in development as they include additional rule to ensure compatibility with upstream. You have been warned! See `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`. **:material-docker: Docker** -From any distribution, if you have docker installed, you can simply build the package with: +For any system with docker installed you can simply build the package with: ```sh make package dist= ``` Then you can install the package with `dpkg`, `pacman` or `rpm`. -**:material-arch: Archlinux** +**:material-arch: Arch Linux** ```sh make pkg ``` @@ -29,7 +29,7 @@ make pkg make dpkg ``` -**:simple-suse: OpenSUSE** +**:simple-suse: openSUSE** ```sh make rpm ``` @@ -52,4 +52,4 @@ gnome-shell attach_disconnected,mediate_deleted,complain ## Ignore profiles -It can be handy to not install a profile for a given distribution. Profile or directory to ignore are tracked under the [`dists/ignore`](https://github.com/roddhjav/apparmor.d/tree/main/dists/ignore) directory. Files in this directory should respect the following format: ``. One ignore by line. It can be a profile name or a directory to ignore (relative to the project root). +It can be handy to not install a profile for a given distribution. Profiles and directories to ignore are tracked under the [`dists/ignore`](https://github.com/roddhjav/apparmor.d/tree/main/dists/ignore) directory. Files in this directory should respect the following format: ``. One ignore by line. It can be a profile name or a directory to ignore (relative to the project root). 
diff --git a/docs/development/integration.md b/docs/development/integration.md index 19b156833..f829fb69f 100644 --- a/docs/development/integration.md +++ b/docs/development/integration.md @@ -4,13 +4,13 @@ title: Integration Tests !!! danger "Work in Progress" -The purpose of integration testing in apparmor.d is to ensure the profiles are not going to break a program when used in the Linux distribution and desktop environment we support. +The purpose of integration testing in apparmor.d is to ensure the profiles are not going to break programs found in Linux distributions and Desktop Environment that we support. **Workflow** -1. Build some tests VM +1. Create a testing VM 2. Start the VM, do some dev -3. Run the integration test against a given test VM +3. Run the integration tests against the testing VM 4. Ensure no new logs have been raised @@ -44,10 +44,10 @@ To build a VM image for development purpose, run the following from the `tests` | Distribution | Flavor | Build command | VM name | |:------------:|:------:|:-------------:|:-------:| -| Archlinux | Gnome | `make archlinux flavor=gnome` | `arch-gnome` | -| Archlinux | KDE | `make archlinux flavor=kde` | `arch-kde` | +| Arch Linux | Gnome | `make archlinux flavor=gnome` | `arch-gnome` | +| Arch Linux | KDE | `make archlinux flavor=kde` | `arch-kde` | | Debian | Server | `make debian flavor=server` | `debian-server` | -| OpenSUSE | KDE | `make opensuse falvor=kde` | `opensuse-kde` | +| openSUSE | KDE | `make opensuse flavor=kde` | `opensuse-kde` | | Ubuntu | Server | `make ubuntu flavor=server` | `ubuntu-server` | | Ubuntu | Desktop | `make ubuntu falvor=desktop` | `ubuntu-desktop` | @@ -59,7 +59,7 @@ The development workflow is done through vagrant: * Shutdown a VM: `vagrant halt ` * Reboot a VM: `vagrant reload ` -The available VM `name` are defined in the `tests/boxes.yml` file +The available VM `name` is defined in the `tests/boxes.yml` file ### Develop 
@@ -70,11 +70,11 @@ The admin user is: `user`, its password is: `user`. It has passwordless sudo acc **Directories** -All the images come pre-configured with the lastest version of `apparmor.d` installed and running in the VM. The apparmor.d is mounted as `/home/user/Projects/apparmor.d` +All the images come pre-configured with the latest version of `apparmor.d` installed and running in the VM. apparmor.d is mounted as `/home/user/Projects/apparmor.d` **Usage** -On all images, `aa-update` can be used to rebuild and install latest version of the profiles. `p`, `pf`, and `pu` are two preconfigured aliases of `ps` that show the security status of processes. `htop` is also configured to show this status. +On all images, `aa-update` can be used to rebuild and install the latest version of the profiles. `p`, `pf`, and `pu` are two preconfigured aliases of `ps` that show the security status of processes. `htop` is also configured to show this status. ## Tests @@ -106,7 +106,7 @@ Initialise the tests with: ./aa-test --bootstrap ``` -List the tests scenario to be run +List the tests scenarios to be run ```sh ./aa-test --list ``` diff --git a/docs/development/structure.md b/docs/development/structure.md index 5a68a8a81..0035b6c90 100644 --- a/docs/development/structure.md +++ b/docs/development/structure.md 
@@ -19,15 +19,14 @@ It gets even worse. Let's say, we write a profile for `cat`. Such a profile woul However, as `/etc` can contain sensitive files, we now want to explicitly prevent access to these sensitive files. Problems: 1. How do we know the exhaustive list of *sensitive files* in `/etc`? -2. How do we ensure access to these sensitive files are not required? +2. How do we ensure access to these sensitive files is not required? 3. This breaks the principle of mandatory access control. - See the [first rule of this project](index.md#project-rules) that is to only allow + See the [first rule of this project](index.md#project-rules) which is to only allow what is required. Here we allow everything and blacklist some paths. -It creates even more issues when we want to use this profile in other profiles. Let's take the example of `diff`. Using this rule: `@{bin}/diff rPx,` will restrict access to the very generic and not very confined `diff` profile. Whereas most of the time, we want to restrict `diff` to some specific file in our profile: +It creates even more issues when we want to use this profile in other profiles. Let's take the example of `diff`. Using this rule: `@{bin}/diff rPx,` this will restrict access to the very generic and not very confined `diff` profile. Whereas most of the time, we want to restrict `diff` to some specific file in our profile: -* In `dpkg`, an internal child profile (`rCx -> diff`), allows `diff` to only - access etc config files: +* In `dpkg`, an internal child profile (`rCx -> diff`), allows `diff` to only access etc config files: !!! note "" 
@@ -54,10 +53,7 @@ It creates even more issues when we want to use this profile in other profiles. } ``` -* In `pass`, as it is a dependency of pass. Here `diff` inherits pass' profile - and has the same access than the pass profile, so it will be allowed to diff - password files because more than a generic `diff` it is a `diff` for the pass - password manager: +* As it is a dependency of pass, `diff` inherits the `pass' profile and has the same access as the pass profile, so it will be allowed to diff password files because more than a generic `diff`, it is a `diff` "version" for the pass password manager: !!! note "" @@ -69,14 +65,12 @@ It creates even more issues when we want to use this profile in other profiles. **What if I still want to protect these programs?** -You do not protect these programs. *Protect the usage you have of these programs*. -In practice, it means that you should put your development's terminal in a -sandbox managed with [Toolbox]. +You do not protect these programs. *Protect the usage you have of these programs*. In practice, it means that you should put your terminal in a sandbox managed environment with a sandboxing tool such as Toolbox. !!! example "To sum up" - 1. Do not a create profile for programs such as: `rm`, `ls`, `diff`, `cd`, `cat` - 2. Do not a create profile for the shell: `bash`, `sh`, `dash`, `zsh` + 1. Do not create a profile for programs such as: `rm`, `ls`, `diff`, `cd`, `cat` + 2. Do not create a profile for the shell: `bash`, `sh`, `dash`, `zsh` 3. Use [Toolbox]. [Toolbox]: https://containertoolbx.org/ 
@@ -85,7 +79,7 @@ sandbox managed with [Toolbox]. ## Abstractions -This project and the apparmor profile official project provide a large selection of abstractions to be included in profiles. They should be used. +This project and the apparmor-profiles official project provide a large selection of abstractions to be included in profiles. They should be used. For instance, to allow download directory access, instead of writing: ```sh 
@@ -104,26 +98,17 @@ Usually, a child profile is in the [`children`][children] group. They have the f !!! quote - Note: This profile does not specify an attachment path because it is - intended to be used only via `"Px -> child-open"` exec transitions - from other profiles. + Note: This profile does not specify an attachment path because it is intended to be used only via `"Px -> child-open"` exec transitions from other profiles. [children]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children Here is an overview of the current children profile: -1. **`child-open`**: To open resources. Instead of allowing the run of all - software in `@{bin}/`, the purpose of this profile is to list all GUI - programs that can open resources. Ultimately, only sandbox manager programs - such as `bwrap`, `snap`, `flatpak`, `firejail` should be present here. Until - this day, this profile will be a controlled mess. +1. **`child-open`**: To open resources. Instead of allowing the ability to run all software in `@{bin}/`, the purpose of this profile is to list all GUI programs that can open resources. Ultimately, only sandbox manager programs such as `bwrap`, `snap`, `flatpak`, `firejail` should be present here. Until this day, this profile will be a controlled mess. -2. **`child-pager`**: Simple access to pager such as `pager`, `less` and `more`. - This profile supposes the pager is reading its data from stdin, not from a - file on disk. +2. **`child-pager`**: Simple access to pagers such as `pager`, `less` and `more`. This profile assumes the pager is reading its data from stdin, not from a file on disk. -3. **`child-systemctl`**: Common `systemctl` action. Do not use it too much as most - of the time you will need more privilege than what this profile is giving you. +3. **`child-systemctl`**: Common `systemctl` action. Do not use it too much as most of the time you will need more privilege than what this profile is giving you. ## Browsers 
@@ -162,7 +147,7 @@ Special care must be given as sometimes udev numbers are allocated dynamically b ## No New Privileges -[**No New Privileges**](https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html) is a flag preventing a newly-started program to get more privileges that its parent. So it is a **good thing** for security. And it is commonly used in systemd unit files (when possible). This flag also prevents transition to other profile because it could be less restrictive than the parent profile (no `Px` or `Ux` allowed). +[**No New Privileges**](https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html) is a flag preventing a newly started program to get more privileges than its parent process. This is a **good thing** for security. And it is commonly used in systemd unit files (when possible). This flag also prevents transitions to other profiles because it could be less restrictive than the parent profile (no `Px` or `Ux` allowed). The possible solutions are: diff --git a/docs/development/tests.md b/docs/development/tests.md index 58920cf91..7fcdf1555 100644 --- a/docs/development/tests.md +++ b/docs/development/tests.md @@ -2,7 +2,7 @@ title: Tests suite --- -A full test suite to ensure compatibility across distributions and software is still a work in progress. Here is an overview of the current CI jobs: +A full test suite to ensure compatibility across supported distributions and that software is still considered a work in progress. Here is an overview of the current CI jobs: **On Gitlab CI** 
@@ -12,6 +12,4 @@ A full test suite to ensure compatibility across distributions and software is s **On Github Action** -- Integration test on the ubuntu-latest VM: run a simple list of tasks with - all the rules enabled and ensure no new issue has been raised. Github Action - is used as it offers direct access to a VM with AppArmor included. +- Integration test on the ubuntu-latest VM: run a simple list of tasks with all the rules enabled and ensure no new issue has been raised. Github Action is used as it offers direct access to a VM with AppArmor included. diff --git a/docs/enforce.md b/docs/enforce.md index 6abf1a1ba..52241859e 100644 --- a/docs/enforce.md +++ b/docs/enforce.md @@ -6,16 +6,16 @@ The default package configuration installs all profiles in *complain* mode. This !!! warning - - You need to test it in complain mode first and ensure your system boot! - - When reporting issue. Please ensure the profiles are in complain mode + - Please test in complain mode first and ensure your system boots! + - When reporting an issue, please ensure the affected profiles are in complain mode. -#### :material-arch: Archlinux +#### :material-arch: Arch Linux In `PKGBUILD`, replace `make` by `make enforce`: ```diff -- make -+ make enforce +- make DISTRIBUTION=arch ++ make enforce DISTRIBUTION=arch ``` #### :material-ubuntu: Ubuntu & :material-debian: Debian @@ -27,7 +27,7 @@ override_dh_auto_build: make enforce ``` -#### :simple-suse: OpenSUSE +#### :simple-suse: openSUSE In `dists/apparmor.d.spec`, replace `%make_build` by `make enforce` ```diff diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index f5b7fa812..2b9f57454 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md 
@@ -6,8 +6,8 @@ title: Full system policy (FSP) Full system policy is still under early development: - - Do not run it outside a development VM! - - This is an **advanced** feature, you should understand what you are doing + - Do not run this outside of a development VM! + - This is an **advanced** feature, you should understand what you are doing before use. **You have been warned!!!** @@ -28,7 +28,7 @@ Particularly: - Any non-standard system app need to be explicitly profiled and allowed to run. For instance, if you want to use your own proxy or VPN software, you need to ensure it is correctly profiled and allowed to run in the `systemd` profile. - Desktop environment must be explicitly supported, your UI will not start otherwise. Again, it is a **feature**. - FSP mode will run unknown user application into the `default` profile. It might be enough for your application. If not you have to make a profile for it. -- In FSP mode, all sandbox manager **must** have a profile. Then user sandboxed application (flatpak, snap...) will work as expected. +- In FSP mode, all sandbox managers **must** have a profile. Then user sandboxed applications (flatpak, snap, etc) will work as expected. ## Install @@ -43,7 +43,7 @@ cache-loc /etc/apparmor/earlypolicy/ Optimize=compress-fast ``` -**:material-arch: Archlinux** +**:material-arch: Arch Linux** In `PKGBUILD`, replace `make` by `make full`: ```diff @@ -60,7 +60,7 @@ override_dh_auto_build: make full ``` -**:simple-suse: OpenSUSE** +**:simple-suse: openSUSE** In `dists/apparmor.d.spec`, replace `%make_build` by `make full` ```diff 
@@ -94,7 +94,7 @@ To work as intended, all privileged services started by systemd **must** have a /usr/lib/systemd/system/*.service ``` -The main [fallback](#fallback) profile (`default`) is not intended to be used by privileged program or service. Such programs must have they dedicated profile and will fail otherwise. This is a **feature**, not a bug. +The main [fallback](#fallback) profile (`default`) is not intended to be used by privileged program or service. Such programs must have a dedicated profile and will fail otherwise. This is a **feature**, not a bug. **`systemd-user`** @@ -120,14 +120,14 @@ To work as intended, userland services started by `systemd --user` **should** ha ### Fallback -In addition to the `systemd` profiles, a full system policy needs to ensure that no program run in an unconfined state at any time. The fallback profiles consist of a set generic specialized profiles: +In addition to the `systemd` profiles, a full system policy needs to ensure that no programs run in an unconfined state at any time. The fallback profiles consist of a set generic specialized profiles: - **`default`** is used for any *classic* user application with a GUI. It has full access to user home directories. - **`bwrap`, `bwrap-app`** are used for *classic* user application that are sandboxed with **bwrap**. !!! warning - The main fallback profile (`default`) is not intended to be used by priviligied program or service. Such programs **must** have they dedicaded profile and would break otherwise. + The main fallback profile (`default`) is not intended to be used by privileged program or service. Such programs **must** have they dedicated profile and would break otherwise. Additionally, special user access can be setup using PAM rules set such as a random shell interactively opened (as user or as root). diff --git a/docs/index.md b/docs/index.md index 5638c2f3b..3a9381ccd 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -24,7 +24,7 @@ Business Benefits of an LSM - Confine all root processes such as all `systemd` tools, `bluetooth`, `dbus`, `polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord` - Confine all Desktop environments - Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland` -- Confine some *"special"* user applications: web browser, file browser... +- Confine some *"special"* user applications: web browsers, file managers, etc - Should not break a normal usage of the confined software See the [Concepts](concepts.md)' page for more detail on the architecture. 
@@ -32,19 +32,19 @@ See the [Concepts](concepts.md)' page for more detail on the architecture. **Goals** - Target both desktops and servers -- Support all distributions that support AppArmor: - * [:material-arch: Archlinux](install.md#archlinux) +- Support for all distributions that support AppArmor: + * [:material-arch: Arch Linux](install.md#archlinux) * [:material-ubuntu: Ubuntu 22.04](install.md#ubuntu-debian) * [:material-debian: Debian 12](install.md#ubuntu-debian) - * [:simple-suse: OpenSUSE Tumbleweed](install.md#opensuse) -- Support all major desktop environments: + * [:simple-suse: openSUSE Tumbleweed](install.md#opensuse) +- Support for all major desktop environments: - [x] :material-gnome: Gnome - [ ] :simple-kde: KDE *(work in progress)* - Fully tested (Work in progress) **Presentations** -Building large set of AppArmor profiles: +Building the largest set of AppArmor profiles: - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* diff --git a/docs/install.md b/docs/install.md index 59a963a23..8f234872c 100644 --- a/docs/install.md +++ b/docs/install.md 
@@ -4,17 +4,17 @@ title: Installation !!! warning - In order to not break your system, the default package configuration installs all profiles in complain mode. They can be enforced later. See the [Enforce Mode](enforce.md) page. + To prevent the risk of breaking your system, the default package configuration installs all profiles in complain mode. They can be enforced later. See the [Enforce Mode](enforce.md) page. !!! danger - Do **not** install this project if your Desktop Environement and Display Manager is not supported. Your system will not boot, and that would be a feature. + Do **not** expect this project to work correctly if your Desktop Environment and Display Manager are not supported. Your Desktop Environment or Display Manager might not load, and that would be a feature. ## Requirements **AppArmor** -An `apparmor` based Linux distribution is required. The default profiles and abstractions shipped with AppArmor must be installed. +An `AppArmor` supported Linux distribution is required. The default profiles and abstractions shipped with AppArmor must be installed. **Desktop environment** @@ -28,7 +28,7 @@ The following desktop environments are supported: * Go >= 1.18 -## :material-arch: Archlinux +## :material-arch: Arch Linux `apparmor.d-git` is available in the [Arch User Repository][aur]: ``` 
@@ -72,13 +72,13 @@ sudo dpkg -i ../apparmor.d_*.deb !!! warning - **Beware**: do not install a `.deb` made for Debian on Ubuntu, the packages are differents. + **Beware**: do not install a `.deb` made for Debian on Ubuntu, the packages are different. If your distribution is based on Ubuntu or Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian` if is Debian based, or `DISTRIBUTION=ubuntu` if it is Ubuntu based. -## :simple-suse: OpenSUSE +## :simple-suse: openSUSE -OpenSUSE users need to add [cboltz](https://en.opensuse.org/User:Cboltz) repo on OBS +openSUSE users need to add [cboltz](https://en.opensuse.org/User:Cboltz) repo on OBS ```sh zypper addrepo https://download.opensuse.org/repositories/home:cboltz/openSUSE_Factory/home:cboltz.repo zypper refresh @@ -97,7 +97,7 @@ sudo make profile-names... !!! warning - Partial installation is discouraged because profile dependencies are not fetched. To prevent some apparmor issues, the dependencies are automatically switched to unconfined (`rPx` -> `rPUx`). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77)) + Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (`rPx` -> `rPUx`). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77)) For instance, `sudo make pass` gives: ```sh 
@@ -115,9 +115,9 @@ sudo make profile-names... ## Uninstall -- :material-arch: Archlinux `sudo pacman -R apparmor.d` +- :material-arch: Arch Linux `sudo pacman -R apparmor.d` - :material-ubuntu: Ubuntu & :material-debian: Debian `sudo apt purge apparmor.d` -- :simple-suse: OpenSUSE `sudo zypper remove apparmor.d` +- :simple-suse: openSUSE `sudo zypper remove apparmor.d` [aur]: https://aur.archlinux.org/packages/apparmor.d-git [repo]: https://repo.pujol.io/ diff --git a/docs/issues.md b/docs/issues.md index 59ccf0ba4..d9f28cfe6 100644 --- a/docs/issues.md +++ b/docs/issues.md @@ -11,7 +11,7 @@ Known bugs are tracked on the meta issue **[#75](https://github.com/roddhjav/app * `deny` rules are enforced even in complain mode, * `attach_disconnected` (and `mediate_deleted`) will break the program if they are required and missing in the profile, - * If apparmor does not find the profile to transition `rPx`. + * If AppArmor does not find the profile to transition `rPx`. ### Pacman "could not get current working directory" @@ -25,7 +25,7 @@ error: could not get current working directory This is **a feature, not a bug!** It can safely be ignored. Pacman tries to get your current directory. You will only get this error when you run pacman in your home directory. -According to the Archlinux guideline, on Archlinux, packages cannot install files under `/home/`. Therefore, the [`pacman`][pacman] profile purposely does not allow access of your home directory. +According to the Arch Linux guideline, on Arch Linux, packages cannot install files under `/home/`. Therefore, the [`pacman`][pacman] profile purposely does not allow access of your home directory. This provides a basic protection against some packages (on the AUR) that may have rogue install script. diff --git a/docs/recovery.md b/docs/recovery.md index 9f5af42d4..8cb5d7188 100644 --- a/docs/recovery.md +++ b/docs/recovery.md 
@@ -2,15 +2,15 @@ title: System Recovery --- -Issue in some core profiles like the systemd suite, or the desktop environment can fully break your system. This should not happen a lot, but if it does here is the process to recover your system on Archlinux: +An issue in some core profiles like the systemd suite, or the desktop environment can prevent your system from starting correctly. This is rare, but if it does happen this is the process to recover your system on an Arch Linux system **without subvolumes**: -1. Boot from a Archlinux live USB -1. If you root partition is encryped, decrypt it: `cryptsetup open /dev/ vg0` +1. Boot from an Arch Linux live USB +1. If you root partition is encrypted, decrypt it: `cryptsetup open /dev/ vg0` 1. Mount your root partition: `mount /dev/ /mnt` 1. Chroot into your system: `arch-chroot /mnt` -1. Check the AppArmor messages to see what profile is faulty: `aa-log` +1. Check the AppArmor logs to see which profile is faulty: `aa-log` 1. Temporarily fix the issue with either: - - When only one profile is faultily, remove it: `rm /etc/apparmor.d/` + - When only one profile is causing problems, remove it: `rm /etc/apparmor.d/` - Otherwise, you can also remove the package: `pacman -R apparmor.d` - Alternatively, you may temporarily disable apparmor as it will allow you to boot and study the log: `systemctl disable apparmor` diff --git a/docs/report.md b/docs/report.md index 2292d1bd0..e13ac9e9f 100644 --- a/docs/report.md +++ b/docs/report.md @@ -16,6 +16,16 @@ If this command produce nothing, try: aa-log -s -R ``` +If the log file is empty, check that Auditd is running: +```sh +sudo systemctl status auditd.service +``` + +If Auditd is disabled aa-log will not have new results, you can enable Auditd by doing the following command: +```sh +sudo systemctl enable auditd.service --now +``` + You can get more logs with: 1. `aa-log -R -s` that will provide all apparmor logs since boot time (if journalctl collect them) 
diff --git a/docs/usage.md b/docs/usage.md index 9ad0d7050..70eaaa292 100644 --- a/docs/usage.md +++ b/docs/usage.md @@ -76,8 +76,7 @@ ps (complain) user ps auxZ ## AppArmor Log -Ensure that `auditd` is installed and running on your system in order to read AppArmor log from `/var/log/audit/audit.log`. Then you can see the log with the provided command `aa-log` allowing you to review AppArmor generated messages in -a colorful way. +Ensure that `Auditd` is installed and running on your system in order to read AppArmor log from `/var/log/audit/audit.log`. Then you can see the log with the provided command `aa-log` allowing you to review AppArmor generated messages in a colorful way. Other AppArmor userspace tools such as `aa-enforce`, `aa-complain`, and `aa-logprof` should work as expected. diff --git a/docs/variables.md b/docs/variables.md index 6ea5285c8..a70358263 100644 --- a/docs/variables.md +++ b/docs/variables.md 
@@ -6,71 +6,83 @@ title: Variables References
 ### User directories
-| Description | Name | Default Value |
+| Description | Name | Default Value(s) |
 |-------------|:----:|---------------|
 | Desktop | `@{XDG_DESKTOP_DIR}` | `Desktop` |
-| Download | `@{XDG_DOWNLOAD_DIR}` | `Downloads` |
-| Templates | `@{XDG_TEMPLATES_DIR}` | `Templates` |
-| Public | `@{XDG_PUBLICSHARE_DIR}` | `Public` |
 | Documents | `@{XDG_DOCUMENTS_DIR}` | `Documents` |
+| Downloads | `@{XDG_DOWNLOAD_DIR}` | `Downloads` |
 | Music | `@{XDG_MUSIC_DIR}` | `Music` |
 | Pictures | `@{XDG_PICTURES_DIR}` | `Pictures` |
 | Videos | `@{XDG_VIDEOS_DIR}` | `Videos` |
-| Books | `@{XDG_BOOKS_DIR}` | `Books` |
-| Projects | `@{XDG_PROJECTS_DIR}` | `Projects` |
 | Screenshots | `@{XDG_SCREENSHOTS_DIR}` | `@{XDG_PICTURES_DIR}/Screenshots` |
+| Wallpapers | `@{XDG_WALLPAPERS_DIR}` | `@{XDG_PICTURES_DIR}/Wallpapers` |
+| Books | `@{XDG_BOOKS_DIR}` | `Books` |
+| Games | `@{XDG_GAMES_DIR}` | `.games` |
+| Templates | `@{XDG_TEMPLATES_DIR}` | `Templates` |
+| Public | `@{XDG_PUBLICSHARE_DIR}` | `Public` |
+| Projects | `@{XDG_PROJECTS_DIR}` | `Projects` |
+| Private | `@{XDG_PRIVATE_DIR}` | `.{p,P}rivate {p,P}rivate` |
+| Work | `@{XDG_WORK_DIR}` | `Work` |
+| Mail | `@{XDG_MAIL_DIR}` | `Mail .{m,M}ail` |
 | Sync | `@{XDG_SYNC_DIR}` | `Sync` |
 | Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` |
 | Vm | `@{XDG_VM_DIR}` | `.vm`
-| Wallpapers | `@{XDG_WALLPAPERS_DIR}` | `@{XDG_PICTURES_DIR}/Wallpapers` |
+| Vm Shares | `@{XDG_VM_SHARES_DIR}` | `VM_Shares`
 | Disk images | `@{XDG_IMG_DIR}` | `images` |
 ### Dotfiles
-| Description | Name | Default Value |
+| Description | Name | Default Value(s) |
 |-------------|:----:|---------------|
-| SSH | `@{XDG_SSH_DIR}` | `.ssh` |
-| GPG | `@{XDG_GPG_DIR}` | `.gnupg` |
-| Passwords | `@{XDG_PASSWORD_STORE_DIR}` | `.password-store` |
 | Cache | ` @{XDG_CACHE_DIR}` | `.cache` |
 | Config | `@{XDG_CONFIG_DIR}` | `.config` |
 | Data | `@{XDG_DATA_DIR}` | `.local/share` |
 | State | `@{XDG_STATE_DIR}` | `.local/state` |
 | Bin | `@{XDG_BIN_DIR}` | `.local/bin` |
 | Lib | `@{XDG_LIB_DIR}` | `.local/lib` |
+| GPG | `@{XDG_GPG_DIR}` | `.gnupg` |
+| SSH | `@{XDG_SSH_DIR}` | `.ssh` |
+| Private | `@{XDG_PRIVATE_DIR}` | `.{p,P}rivate {p,P}rivate` |
+| Passwords | `@{XDG_PASSWORD_STORE_DIR}` | `.password-store` |
+| Mail | `@{XDG_MAIL_DIR}` | `Mail .{m,M}ail` |
 ### Full configuration path
-| Description | Name | Default Value |
+| Description | Name | Default Value(s) |
 |-------------|:----:|---------------|
 | Cache | `@{user_cache_dirs}` | `@{HOME}/@{XDG_CACHE_DIR}` |
 | Config | `@{user_config_dirs}` | `@{HOME}/@{XDG_CONFIG_DIR}` |
-| Share | `@{user_share_dirs}` | ` @{HOME}/@{XDG_DATA_DIR}` |
-| State | `@{user_state_dirs}` | ` @{HOME}/@{XDG_STATE_DIR}` |
 | Bin | `@{user_bin_dirs}` | `@{HOME}/@{XDG_BIN_DIR}` |
 | Lib | `@{user_lib_dirs}` | `@{HOME}/@{XDG_LIB_DIR}` |
+| Share | `@{user_share_dirs}` | ` @{HOME}/@{XDG_DATA_DIR}` |
+| State | `@{user_state_dirs}` | ` @{HOME}/@{XDG_STATE_DIR}` |
 | Build | `@{user_build_dirs}` | `/tmp/` |
-| Tmp | `@{user_tmp_dirs}` | `@{run}/user/@{uid} /tmp/` |
 | Packages | `@{user_pkg_dirs}` | `/tmp/pkg/` |
+| Tmp | `@{user_tmp_dirs}` | `@{run}/user/@{uid} /tmp/` |
 ### Full user path
-| Description | Name | Default Value |
+| Description | Name | Default Value(s) |
 |-------------|:----:|---------------|
-| Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` |
 | Documents | `@{user_documents_dirs}` | `@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR}` |
-| Download | `@{user_download_dirs}` | `@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}` |
+| Downloads | `@{user_download_dirs}` | `@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}` |
 | Music | `@{user_music_dirs}` | `@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR}` |
 | Pictures | `@{user_pictures_dirs}` | `@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR}` |
+| Videos | `@{user_videos_dirs}` | `@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}` |
+| Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` |
+| Games | `@{user_games_dirs}` | `@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}` |
+| Private | `@{user_private_dirs}` | `@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}` |
+| Passwords | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` |
+| Work | `@{user_work_dirs}` | `@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}` |
+| Mail | `@{user_mail_dirs}` | `@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}` |
 | Projects | `@{user_projects_dirs}` | `@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` |
 | Public | `@{user_publicshare_dirs}` | `@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR}` |
-| Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` |
 | Templates | `@{user_templates_dirs}` | `@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}` |
 | Torrents | `@{user_torrents_dirs}` | `@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` |
-| Videos | `@{user_videos_dirs}` | `@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}` |
+| Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` |
 | Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}`
-| Password | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` |
-| Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` |
+| Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}`
+| Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` |
 ## System variables
@@ -81,7 +93,7 @@ title: Variables References
 **Helper variables**
-| Description | Name | Default Value |
+| Description | Name | Default Value(s) |
 |-------------|:----:|---------------|
 | Integer (up to 10 digits) | `@{int}` | `[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}` |
 | Any 6, 8 or 10 characters | `@{rand6}`, `@{rand8}`, `@{rand10}` | |
@@ -99,7 +111,7 @@ title: Variables References
 **System Paths**
-| Description | Name | Default Value |
+| Description | Name | Default Value(s) |
 |-------------|:----:|---------------|
 | Root Home | `@{HOMEDIRS}` | `/home/` |
 | Home directories | `@{HOME}` | `@{HOMEDIRS}/*/ /root/` |
@@ -111,12 +123,12 @@ title: Variables References
 | Proc | `@{PROC}` | `/proc/` |
 | Run | `@{run}` | `/run/ /var/run/` |
 | Sys | `@{sys}` | `/sys/` |
-| Flatpack export | `@{flatpak_exports_root}` | `{flatpak/exports,flatpak/{app,runtime}/*/*/*/*/export}` |
 | System wide share | `@{system_share_dirs}` | `/{usr,usr/local,var/lib/@{flatpak_exports_root}}/share` |
+| Flatpak export | `@{flatpak_exports_root}` | `{flatpak/exports,flatpak/{app,runtime}/*/*/*/*/export}` |
 **Program paths**
-| Description | Name | Default Value |
+| Description | Name | Default Value(s) |
 |-------------|:----:|---------------|
 | All the shells | `@{shells}` | `sh zsh bash dash fish rbash ksh tcsh csh` |
 | Shells path | `@{shells_path}` | `@{bin}/@{shells}` |
diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go
index a580e7e52..ffdf107de 100644
--- a/pkg/aa/apparmor_test.go
+++ b/pkg/aa/apparmor_test.go
@@ -6,6 +6,7 @@ package aa
 import (
 	"reflect"
+	"strings"
 	"testing"
 	"github.com/roddhjav/apparmor.d/pkg/paths"
@@ -17,6 +18,13 @@ var (
 	intData = paths.New("../../apparmor.d")
 )
 
+// mustReadProfileFile read a file and return its content as a slice of string.
+// It panics if an error occurs. It removes the last comment line.
+func mustReadProfileFile(path *paths.Path) string {
+	res := strings.Split(util.MustReadFile(path), "\n")
+	return strings.Join(res[:len(res)-2], "\n")
+}
+
 func TestAppArmorProfileFile_String(t *testing.T) {
 	tests := []struct {
 		name string
@@ -230,7 +238,7 @@ func TestAppArmorProfileFile_Integration(t *testing.T) {
 				},
 			}},
 		},
-		want: util.MustReadFile(intData.Join("profiles-a-f/aa-status")),
+		want: mustReadProfileFile(intData.Join("profiles-a-f/aa-status")),
 		},
 	}
 	for _, tt := range tests {
diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go
index 211813789..97349a456 100644
--- a/pkg/aa/profile.go
+++ b/pkg/aa/profile.go
@@ -176,13 +176,7 @@ var (
 			newRule := newLogMountMap[log["operation"]]
 			return newRule(log)
 		},
-		"net": func(log map[string]string) Rule {
-			if log["family"] == "unix" {
-				return newUnixFromLog(log)
-			} else {
-				return newNetworkFromLog(log)
-			}
-		},
+		"net": newNetworkFromLog,
 		"file": func(log map[string]string) Rule {
 			if log["operation"] == "change_onexec" {
 				return newChangeProfileFromLog(log)
@@ -190,10 +184,14 @@ var (
 			return newFileFromLog(log)
 		}
 	},
-		"exec":         newFileFromLog,
-		"file_inherit": newFileFromLog,
-		"file_perm":    newFileFromLog,
-		"open":         newFileFromLog,
+		"exec":       newFileFromLog,
+		"getattr":    newFileFromLog,
+		"mkdir":      newFileFromLog,
+		"mknod":      newFileFromLog,
+		"open":       newFileFromLog,
+		"rename_src": newFileFromLog,
+		"truncate":   newFileFromLog,
+		"unlink":     newFileFromLog,
 	}
 	newLogMountMap = map[string]func(log map[string]string) Rule{
 		"mount": newMountFromLog,
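Review bot: `res[:len(res)-2]` in mustReadProfileFile assumes the file ends with a newline and holds at least two lines; a fixture without a trailing newline silently loses a real line, and an empty or single-line file panics with a slice-bounds error inside the test instead of a readable failure. Trimming the newline first and dropping exactly one line makes the intent explicit: `res := strings.Split(strings.TrimSuffix(util.MustReadFile(path), "\n"), "\n")` followed by `return strings.Join(res[:len(res)-1], "\n")`, with a `len(res) < 2` guard if an empty profile file is possible. The doc comment also says "return its content as a slice of string" while the function returns a string, and the "last comment line" it strips is presumably the `# vim:syntax=apparmor` modeline this commit appends to the profile files; naming that in the comment would tell the next reader why the integration fixture differs from the file on disk.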
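Review bot: With `"net": newNetworkFromLog` a denial whose `family` is `unix` is no longer routed to newUnixFromLog, so unless newNetworkFromLog was taught to dispatch on `log["family"]` in a change outside this diff, unix-socket events will now be rendered as network rules or lose their socket-specific fields, and nothing in this hunk shows that. If the dispatch did move into newNetworkFromLog, a one-line comment on the entry, `// unix sockets are dispatched inside newNetworkFromLog`, would stop the next reader from re-adding the branch here. The map literal this entry belongs to begins outside the hunk.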
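Review bot: The new file-operation keys cover `rename_src` but not `rename_dest`, which the kernel emits for the destination side of the same rename, so half of every rename denial now falls through to the "unknown log type" default and produces no rule; `rmdir`, `link` and `symlink` are in the same position if they are wanted. Dropping `file_inherit` and `file_perm` from this map is only correct together with the `file_` prefix fallback added to AddRule later in this diff; a comment on the map, `// operations prefixed file_ are handled by the fallback in AddRule`, would record that coupling. The map literal begins outside the hunk.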
@@ -229,10 +227,13 @@ func (p *Profile) AddRule(log map[string]string) {
 	}
 	if !done {
-		if strings.Contains(log["operation"], "dbus") {
+		switch {
+		case strings.HasPrefix(log["operation"], "file_"):
+			p.Rules = append(p.Rules, newFileFromLog(log))
+		case strings.Contains(log["operation"], "dbus"):
 			p.Rules = append(p.Rules, newDbusFromLog(log))
-		} else {
-			fmt.Printf("unknown log type: %s", log)
+		default:
+			fmt.Printf("unknown log type: %s", log["operation"])
 		}
 	}
 }
 
diff --git a/pkg/prebuild/directive/core.go b/pkg/prebuild/directive/core.go
index 53176b01d..d14dd4861 100644
--- a/pkg/prebuild/directive/core.go
+++ b/pkg/prebuild/directive/core.go
@@ -65,7 +65,7 @@ func NewOption(file *paths.Path, match []string) *Option {
 // Useful to remove directive text applied on some condition only
 func (o *Option) Clean(profile string) string {
 	reg := regexp.MustCompile(`\s*` + Keyword + o.Name + ` .*$`)
-	return reg.ReplaceAllString(profile, "")
+	return strings.Replace(profile, o.Raw, reg.ReplaceAllString(o.Raw, ""), 1)
 }
 
 func RegisterDirective(d Directive) {
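Review bot: The `default` branch still reports an unrecognised operation with `fmt.Printf` and no trailing newline, so the message is glued to whatever is printed next, and it goes to stdout, where it mixes with the generated profile text if the caller writes that to stdout too. `fmt.Fprintf(os.Stderr, "unknown log type: %s\n", log["operation"])` keeps the generated output clean and the diagnostic visible; it needs the `os` import if profile.go does not already have it. Every operation that reaches this branch is a denial that never becomes a rule, so the message being easy to miss is a coverage problem, not just cosmetics. AddRule begins outside the hunk.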
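Review bot: The new return calls `strings.Replace`, but this diff shows no import hunk for core.go, so if the file did not already import `strings` the package no longer builds. The regexp that the new line still relies on is built from `o.Name` without `regexp.QuoteMeta`, so a directive name containing regexp metacharacters would match more than the literal keyword; wrapping it as `regexp.QuoteMeta(o.Name)` costs nothing, and if names are fixed identifiers it documents that assumption. Replacing only the first occurrence of `o.Raw` (count 1) also changes behaviour from the previous remove-all; one sentence in the doc comment, `// Only the matched directive line (o.Raw) is removed; other occurrences are kept.`, would record the intent.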