Merge branch 'roddhjav:main' into patch-thunar
This commit is contained in:
REmerald
GitHub
commit
56d2007b99
960 changed files with 3408 additions and 1516 deletions
|
|
@ -20,18 +20,18 @@
|
||||||
`polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord`
|
`polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord`
|
||||||
- Confine all Desktop environments
|
- Confine all Desktop environments
|
||||||
- Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland`
|
- Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland`
|
||||||
- Confine some *"special"* user applications: web browser, file browser...
|
- Confine some *"special"* user applications: web browsers, file managers, etc
|
||||||
- Should not break a normal usage of the confined software
|
- Should not break a normal usage of the confined software
|
||||||
|
|
||||||
**Goals**
|
**Goals**
|
||||||
|
|
||||||
- Target both desktops and servers
|
- Target both desktops and servers
|
||||||
- Support all distributions that support AppArmor:
|
- Support all distributions that support AppArmor:
|
||||||
* Archlinux
|
* Arch Linux
|
||||||
* Ubuntu 22.04
|
* Ubuntu 22.04
|
||||||
* Debian 12
|
* Debian 12
|
||||||
* OpenSUSE Tumbleweed
|
* OpenSUSE Tumbleweed
|
||||||
- Support major desktop environments:
|
- Support for all major desktop environments:
|
||||||
* Gnome
|
* Gnome
|
||||||
* KDE
|
* KDE
|
||||||
* XFCE *(work in progress)*
|
* XFCE *(work in progress)*
|
||||||
|
|
@ -54,7 +54,7 @@ This is fundamentally different from how AppArmor is usually used on Linux serve
|
||||||
|
|
||||||
**Presentations**
|
**Presentations**
|
||||||
|
|
||||||
Building large set of AppArmor profiles:
|
Building the largest set of AppArmor profiles:
|
||||||
|
|
||||||
- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))*
|
- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))*
|
||||||
- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))*
|
- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))*
|
||||||
|
|
|
||||||
|
|
@ -29,3 +29,5 @@
|
||||||
owner @{run}/user/@{uid}/xauth_@{rand6} rl -> @{run}/user/@{uid}/#@{int},
|
owner @{run}/user/@{uid}/xauth_@{rand6} rl -> @{run}/user/@{uid}/#@{int},
|
||||||
|
|
||||||
include if exists <abstractions/X-strict.d>
|
include if exists <abstractions/X-strict.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -5,3 +5,5 @@
|
||||||
|
|
||||||
# Available Xsessions
|
# Available Xsessions
|
||||||
/usr/share/xsessions/{,*.desktop} r,
|
/usr/share/xsessions/{,*.desktop} r,
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -11,4 +11,6 @@
|
||||||
/usr/ r,
|
/usr/ r,
|
||||||
/usr/local/{s,}bin/ r,
|
/usr/local/{s,}bin/ r,
|
||||||
|
|
||||||
include if exists <abstractions/app-launcher-root.d>
|
include if exists <abstractions/app-launcher-root.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -21,4 +21,6 @@
|
||||||
/usr/ r,
|
/usr/ r,
|
||||||
/usr/local/bin/ r,
|
/usr/local/bin/ r,
|
||||||
|
|
||||||
include if exists <abstractions/app-launcher-user.d>
|
include if exists <abstractions/app-launcher-user.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -51,3 +51,5 @@
|
||||||
|
|
||||||
|
|
||||||
include if exists <abstractions/app-open.d>
|
include if exists <abstractions/app-open.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -70,7 +70,6 @@
|
||||||
|
|
||||||
@{lib_dirs}/{,**} r,
|
@{lib_dirs}/{,**} r,
|
||||||
@{lib_dirs}/*.so* mr,
|
@{lib_dirs}/*.so* mr,
|
||||||
@{lib_dirs}/chrome_crashpad_handler rPx,
|
|
||||||
@{lib_dirs}/chrome-sandbox rPx,
|
@{lib_dirs}/chrome-sandbox rPx,
|
||||||
|
|
||||||
# Desktop integration
|
# Desktop integration
|
||||||
|
|
@ -111,8 +110,7 @@
|
||||||
|
|
||||||
/etc/@{name}/{,**} r,
|
/etc/@{name}/{,**} r,
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
/etc/opensc.conf r,
|
/etc/{,opensc/}opensc.conf r,
|
||||||
/etc/opensc/opensc.conf r, # Debian ubication
|
|
||||||
|
|
||||||
/var/lib/dbus/machine-id r,
|
/var/lib/dbus/machine-id r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
|
@ -152,10 +150,10 @@
|
||||||
owner @{tmp}/.@{domain}.* rw,
|
owner @{tmp}/.@{domain}.* rw,
|
||||||
owner @{tmp}/.@{domain}*/{,**} rw,
|
owner @{tmp}/.@{domain}*/{,**} rw,
|
||||||
owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw,
|
owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw,
|
||||||
owner @{tmp}/scoped_dir*/{,**} rw,
|
audit owner @{tmp}/scoped_dir@{rand6}/{,**} rw,
|
||||||
owner @{tmp}/tmp.* rw,
|
owner @{tmp}/tmp.@{rand6} rw,
|
||||||
owner @{tmp}/tmp.*/ rw,
|
owner @{tmp}/tmp.@{rand6}/ rw,
|
||||||
owner @{tmp}/tmp.*/** rwk,
|
owner @{tmp}/tmp.@{rand6}/** rwk,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw,
|
owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw,
|
||||||
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw,
|
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw,
|
||||||
|
|
@ -211,3 +209,5 @@
|
||||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||||
|
|
||||||
include if exists <abstractions/app/chromium.d>
|
include if exists <abstractions/app/chromium.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -26,3 +26,5 @@
|
||||||
owner @{user_config_dirs}/vim/{,**} r,
|
owner @{user_config_dirs}/vim/{,**} r,
|
||||||
|
|
||||||
include if exists <abstractions/app/editor.d>
|
include if exists <abstractions/app/editor.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -17,6 +17,7 @@
|
||||||
include <abstractions/bus-system>
|
include <abstractions/bus-system>
|
||||||
include <abstractions/bus/org.a11y>
|
include <abstractions/bus/org.a11y>
|
||||||
include <abstractions/bus/org.freedesktop.FileManager1>
|
include <abstractions/bus/org.freedesktop.FileManager1>
|
||||||
|
include <abstractions/cups-client>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/desktop>
|
include <abstractions/desktop>
|
||||||
include <abstractions/enchant>
|
include <abstractions/enchant>
|
||||||
|
|
@ -69,12 +70,10 @@
|
||||||
/usr/share/xul-ext/kwallet5/* r,
|
/usr/share/xul-ext/kwallet5/* r,
|
||||||
|
|
||||||
/etc/@{name}/{,**} r,
|
/etc/@{name}/{,**} r,
|
||||||
/etc/cups/client.conf r,
|
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
/etc/mailcap r,
|
/etc/mailcap r,
|
||||||
/etc/mime.types r,
|
/etc/mime.types r,
|
||||||
/etc/opensc.conf r,
|
/etc/{,opensc/}opensc.conf r,
|
||||||
/etc/opensc/opensc.conf r,
|
|
||||||
/etc/sysconfig/proxy r,
|
/etc/sysconfig/proxy r,
|
||||||
/etc/xdg/* r,
|
/etc/xdg/* r,
|
||||||
/etc/xul-ext/kwallet5.js r,
|
/etc/xul-ext/kwallet5.js r,
|
||||||
|
|
@ -82,7 +81,6 @@
|
||||||
/var/lib/nscd/services r,
|
/var/lib/nscd/services r,
|
||||||
|
|
||||||
owner @{HOME}/ r,
|
owner @{HOME}/ r,
|
||||||
owner @{HOME}/.cups/lpoptions r,
|
|
||||||
|
|
||||||
owner @{config_dirs}/ rw,
|
owner @{config_dirs}/ rw,
|
||||||
owner @{config_dirs}/** rwk,
|
owner @{config_dirs}/** rwk,
|
||||||
|
|
@ -160,3 +158,5 @@
|
||||||
deny @{run}/user/@{uid}/gnome-shell-disable-extensions w,
|
deny @{run}/user/@{uid}/gnome-shell-disable-extensions w,
|
||||||
|
|
||||||
include if exists <abstractions/app/firefox.d>
|
include if exists <abstractions/app/firefox.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -13,3 +13,5 @@
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
|
|
||||||
include if exists <abstractions/app/open.d>
|
include if exists <abstractions/app/open.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -23,3 +23,5 @@
|
||||||
@{PROC}/uptime r,
|
@{PROC}/uptime r,
|
||||||
|
|
||||||
include if exists <abstractions/app/pgrep.d>
|
include if exists <abstractions/app/pgrep.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -68,3 +68,5 @@
|
||||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||||
|
|
||||||
include if exists <abstractions/app/sudo.d>
|
include if exists <abstractions/app/sudo.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -26,3 +26,5 @@
|
||||||
owner @{PROC}/@{pid}/stat r,
|
owner @{PROC}/@{pid}/stat r,
|
||||||
|
|
||||||
include if exists <abstractions/app/systemctl.d>
|
include if exists <abstractions/app/systemctl.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
26
apparmor.d/abstractions/app/udevadm
Normal file
26
apparmor.d/abstractions/app/udevadm
Normal file
|
|
@ -0,0 +1,26 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
ptrace read peer=@{p_systemd},
|
||||||
|
|
||||||
|
@{bin}/udevadm mr,
|
||||||
|
|
||||||
|
/etc/udev/udev.conf r,
|
||||||
|
|
||||||
|
@{run}/udev/data/* r,
|
||||||
|
|
||||||
|
@{sys}/** r,
|
||||||
|
|
||||||
|
@{PROC}/1/cgroup r,
|
||||||
|
@{PROC}/1/environ r,
|
||||||
|
@{PROC}/1/sched r,
|
||||||
|
@{PROC}/cmdline r,
|
||||||
|
@{PROC}/sys/kernel/osrelease r,
|
||||||
|
@{PROC}/sys/kernel/random/boot_id r,
|
||||||
|
owner @{PROC}/@{pid}/cgroup r,
|
||||||
|
owner @{PROC}/@{pid}/stat r,
|
||||||
|
|
||||||
|
include if exists <abstractions/app/udevadm.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
@ -41,6 +41,9 @@
|
||||||
owner @{user_config_dirs}/pulse/client.conf.d/{,*.conf} r,
|
owner @{user_config_dirs}/pulse/client.conf.d/{,*.conf} r,
|
||||||
owner @{user_config_dirs}/pulse/cookie rwk,
|
owner @{user_config_dirs}/pulse/cookie rwk,
|
||||||
|
|
||||||
|
owner @{user_config_dirs}/pipewire/ rw,
|
||||||
|
owner @{user_config_dirs}/pipewire/client.conf r,
|
||||||
|
|
||||||
owner @{user_share_dirs}/openal/hrtf/{,**} r,
|
owner @{user_share_dirs}/openal/hrtf/{,**} r,
|
||||||
owner @{user_share_dirs}/sounds/__custom/index.theme r,
|
owner @{user_share_dirs}/sounds/__custom/index.theme r,
|
||||||
|
|
||||||
|
|
@ -55,3 +58,5 @@
|
||||||
owner /dev/shm/pulse-shm-@{int} rw,
|
owner /dev/shm/pulse-shm-@{int} rw,
|
||||||
|
|
||||||
include if exists <abstractions/audio-client.d>
|
include if exists <abstractions/audio-client.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -43,3 +43,5 @@
|
||||||
/dev/sound/* rw,
|
/dev/sound/* rw,
|
||||||
|
|
||||||
include if exists <abstractions/audio-server.d>
|
include if exists <abstractions/audio-server.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -11,3 +11,5 @@
|
||||||
|
|
||||||
@{sys}/class/ r,
|
@{sys}/class/ r,
|
||||||
@{sys}/class/sound/ r,
|
@{sys}/class/sound/ r,
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -1,3 +1,6 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
@{bin}/pam-tmpdir-helper rPx,
|
@{bin}/pam-tmpdir-helper rPx,
|
||||||
|
|
||||||
|
|
@ -8,3 +11,5 @@
|
||||||
@{lib}/security-misc/pam_faillock_not_if_x rPx,
|
@{lib}/security-misc/pam_faillock_not_if_x rPx,
|
||||||
@{lib}/security-misc/pam-abort-on-locked-password rPx,
|
@{lib}/security-misc/pam-abort-on-locked-password rPx,
|
||||||
@{lib}/security-misc/pam-info rPx,
|
@{lib}/security-misc/pam-info rPx,
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -4,6 +4,7 @@
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
# Allow to receive some signals from new well-known profiles
|
# Allow to receive some signals from new well-known profiles
|
||||||
|
signal (receive) peer=btop,
|
||||||
signal (receive) peer=htop,
|
signal (receive) peer=htop,
|
||||||
signal (receive) peer=sudo,
|
signal (receive) peer=sudo,
|
||||||
signal (receive) peer=top,
|
signal (receive) peer=top,
|
||||||
|
|
@ -28,3 +29,5 @@
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
|
|
||||||
deny /apparmor/.null rw,
|
deny /apparmor/.null rw,
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -33,3 +33,5 @@
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
|
|
||||||
include if exists <abstractions/bash-strict.d>
|
include if exists <abstractions/bash-strict.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -9,3 +9,5 @@
|
||||||
|
|
||||||
owner @{HOME}/.alias r,
|
owner @{HOME}/.alias r,
|
||||||
owner @{HOME}/.i18n r,
|
owner @{HOME}/.i18n r,
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -17,3 +17,5 @@
|
||||||
owner @{run}/user/@{uid}/at-spi/bus_@{int} rw,
|
owner @{run}/user/@{uid}/at-spi/bus_@{int} rw,
|
||||||
|
|
||||||
include if exists <abstractions/bus-accessibility.d>
|
include if exists <abstractions/bus-accessibility.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -25,3 +25,5 @@
|
||||||
owner @{run}/user/@{uid}/bus rw,
|
owner @{run}/user/@{uid}/bus rw,
|
||||||
|
|
||||||
include if exists <abstractions/bus-session.d>
|
include if exists <abstractions/bus-session.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -15,3 +15,5 @@
|
||||||
@{run}/dbus/system_bus_socket rw,
|
@{run}/dbus/system_bus_socket rw,
|
||||||
|
|
||||||
include if exists <abstractions/bus-system.d>
|
include if exists <abstractions/bus-system.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -20,3 +20,5 @@
|
||||||
peer=(name=:*, label=gnome-shell),
|
peer=(name=:*, label=gnome-shell),
|
||||||
|
|
||||||
include if exists <abstractions/bus/com.canonical.Unity.LauncherEntry.d>
|
include if exists <abstractions/bus/com.canonical.Unity.LauncherEntry.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -4,3 +4,5 @@
|
||||||
|
|
||||||
|
|
||||||
include if exists <abstractions/bus/com.canonical.dbusmenu.d>
|
include if exists <abstractions/bus/com.canonical.dbusmenu.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -48,3 +48,5 @@
|
||||||
peer=(name=:*, label=wpa-supplicant),
|
peer=(name=:*, label=wpa-supplicant),
|
||||||
|
|
||||||
include if exists <abstractions/bus/fi.w1.wpa_supplicant1.d>
|
include if exists <abstractions/bus/fi.w1.wpa_supplicant1.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -8,3 +8,5 @@
|
||||||
peer=(name=:*, label=power-profiles-daemon),
|
peer=(name=:*, label=power-profiles-daemon),
|
||||||
|
|
||||||
include if exists <abstractions/bus/net.hadess.PowerProfiles.d>
|
include if exists <abstractions/bus/net.hadess.PowerProfiles.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -8,3 +8,5 @@
|
||||||
peer=(name=:*, label=switcheroo-control),
|
peer=(name=:*, label=switcheroo-control),
|
||||||
|
|
||||||
include if exists <abstractions/bus/net.hadess.SwitcherooControl.d>
|
include if exists <abstractions/bus/net.hadess.SwitcherooControl.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -18,3 +18,5 @@
|
||||||
peer=(name=net.reactivated.Fprint, label=fprintd),
|
peer=(name=net.reactivated.Fprint, label=fprintd),
|
||||||
|
|
||||||
include if exists <abstractions/bus/net.reactivated.Fprint.d>
|
include if exists <abstractions/bus/net.reactivated.Fprint.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -42,3 +42,5 @@
|
||||||
peer=(name=org.a11y.Bus),
|
peer=(name=org.a11y.Bus),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.a11y.d>
|
include if exists <abstractions/bus/org.a11y.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -43,3 +43,5 @@
|
||||||
peer=(name=org.bluez, label=bluetoothd),
|
peer=(name=org.bluez, label=bluetoothd),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.bluez.d>
|
include if exists <abstractions/bus/org.bluez.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -28,3 +28,5 @@
|
||||||
peer=(name=:*, label=accounts-daemon),
|
peer=(name=:*, label=accounts-daemon),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.Accounts.d>
|
include if exists <abstractions/bus/org.freedesktop.Accounts.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -23,3 +23,5 @@
|
||||||
peer=(name=:*, label=avahi-daemon),
|
peer=(name=:*, label=avahi-daemon),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.Avahi.d>
|
include if exists <abstractions/bus/org.freedesktop.Avahi.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -23,3 +23,5 @@
|
||||||
peer=(name=:*, label=colord),
|
peer=(name=:*, label=colord),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.ColorManager.d>
|
include if exists <abstractions/bus/org.freedesktop.ColorManager.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -13,3 +13,5 @@
|
||||||
peer=(name=:*, label=nautilus),
|
peer=(name=:*, label=nautilus),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.FileManager1.d>
|
include if exists <abstractions/bus/org.freedesktop.FileManager1.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -33,3 +33,5 @@
|
||||||
peer=(name=:*, label=geoclue),
|
peer=(name=:*, label=geoclue),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.GeoClue2.d>
|
include if exists <abstractions/bus/org.freedesktop.GeoClue2.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -18,3 +18,5 @@
|
||||||
peer=(name=:*, label=ModemManager),
|
peer=(name=:*, label=ModemManager),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.ModemManager1.d>
|
include if exists <abstractions/bus/org.freedesktop.ModemManager1.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -73,3 +73,5 @@
|
||||||
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
|
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.NetworkManager.d>
|
include if exists <abstractions/bus/org.freedesktop.NetworkManager.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -23,3 +23,5 @@
|
||||||
peer=(name=org.freedesktop.DBus, label=gjs-console),
|
peer=(name=org.freedesktop.DBus, label=gjs-console),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.Notifications.d>
|
include if exists <abstractions/bus/org.freedesktop.Notifications.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -22,3 +22,5 @@
|
||||||
peer=(name=org.freedesktop.PackageKit, label=packagekitd),
|
peer=(name=org.freedesktop.PackageKit, label=packagekitd),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.PackageKit.d>
|
include if exists <abstractions/bus/org.freedesktop.PackageKit.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -32,3 +32,5 @@
|
||||||
peer=(name=:*, label=polkitd),
|
peer=(name=:*, label=polkitd),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.PolicyKit1.d>
|
include if exists <abstractions/bus/org.freedesktop.PolicyKit1.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -28,3 +28,5 @@
|
||||||
peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon),
|
peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.RealtimeKit1.d>
|
include if exists <abstractions/bus/org.freedesktop.RealtimeKit1.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -8,3 +8,5 @@
|
||||||
peer=(name=org.freedesktop.ScreenSaver),
|
peer=(name=org.freedesktop.ScreenSaver),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.ScreenSaver.d>
|
include if exists <abstractions/bus/org.freedesktop.ScreenSaver.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -13,3 +13,5 @@
|
||||||
peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner),
|
peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.Tracker3.Miner.Files.d>
|
include if exists <abstractions/bus/org.freedesktop.Tracker3.Miner.Files.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -53,3 +53,5 @@
|
||||||
peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
|
peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.UDisks2.d>
|
include if exists <abstractions/bus/org.freedesktop.UDisks2.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -42,3 +42,5 @@
|
||||||
peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
|
peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.UPower.d>
|
include if exists <abstractions/bus/org.freedesktop.UPower.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -13,3 +13,5 @@
|
||||||
peer=(name=:*, label=xdg-desktop-portal),
|
peer=(name=:*, label=xdg-desktop-portal),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.background.Monitor.d>
|
include if exists <abstractions/bus/org.freedesktop.background.Monitor.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -13,3 +13,5 @@
|
||||||
peer=(name=org.freedesktop.hostname1),
|
peer=(name=org.freedesktop.hostname1),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.hostname1.d>
|
include if exists <abstractions/bus/org.freedesktop.hostname1.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -13,3 +13,5 @@
|
||||||
peer=(name=:*, label=xdg-permission-store),
|
peer=(name=:*, label=xdg-permission-store),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.impl.portal.PermissionStore.d>
|
include if exists <abstractions/bus/org.freedesktop.impl.portal.PermissionStore.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -12,3 +12,5 @@
|
||||||
peer=(name=org.freedesktop.locale1),
|
peer=(name=org.freedesktop.locale1),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.locale1.d>
|
include if exists <abstractions/bus/org.freedesktop.locale1.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -33,3 +33,5 @@
|
||||||
peer=(name=org.freedesktop.login1, label=systemd-logind),
|
peer=(name=org.freedesktop.login1, label=systemd-logind),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.login1.d>
|
include if exists <abstractions/bus/org.freedesktop.login1.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -38,3 +38,5 @@
|
||||||
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
|
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.login1.Session.d>
|
include if exists <abstractions/bus/org.freedesktop.login1.Session.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -8,3 +8,5 @@
|
||||||
peer=(name=org.freedesktop.network1, label=systemd-networkd),
|
peer=(name=org.freedesktop.network1, label=systemd-networkd),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.network1.d>
|
include if exists <abstractions/bus/org.freedesktop.network1.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -28,3 +28,5 @@
|
||||||
peer=(name=:*, label=xdg-desktop-portal),
|
peer=(name=:*, label=xdg-desktop-portal),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.portal.Desktop.d>
|
include if exists <abstractions/bus/org.freedesktop.portal.Desktop.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -8,3 +8,5 @@
|
||||||
peer=(name="{:*,org.freedesktop.resolve1}", label=systemd-resolved),
|
peer=(name="{:*,org.freedesktop.resolve1}", label=systemd-resolved),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.resolve1.d>
|
include if exists <abstractions/bus/org.freedesktop.resolve1.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -28,3 +28,5 @@
|
||||||
peer=(name=:*, label=gnome-keyring-daemon),
|
peer=(name=:*, label=gnome-keyring-daemon),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.secrets.d>
|
include if exists <abstractions/bus/org.freedesktop.secrets.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -18,3 +18,5 @@
|
||||||
peer=(name=org.freedesktop.systemd1),
|
peer=(name=org.freedesktop.systemd1),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.systemd1.d>
|
include if exists <abstractions/bus/org.freedesktop.systemd1.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -18,3 +18,5 @@
|
||||||
peer=(name="{:*,org.freedesktop.systemd1}", label="@{p_systemd_user}"),
|
peer=(name="{:*,org.freedesktop.systemd1}", label="@{p_systemd_user}"),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.systemd1-session.d>
|
include if exists <abstractions/bus/org.freedesktop.systemd1-session.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -19,3 +19,5 @@
|
||||||
peer=(name=:*, label=systemd-timedated),
|
peer=(name=:*, label=systemd-timedated),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.freedesktop.timedate1.d>
|
include if exists <abstractions/bus/org.freedesktop.timedate1.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -13,3 +13,5 @@
|
||||||
peer=(name=:*, label=file-roller),
|
peer=(name=:*, label=file-roller),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.gnome.ArchiveManager1.d>
|
include if exists <abstractions/bus/org.gnome.ArchiveManager1.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -8,3 +8,5 @@
|
||||||
peer=(name=:*, label=gdm),
|
peer=(name=:*, label=gdm),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.gnome.DisplayManager.d>
|
include if exists <abstractions/bus/org.gnome.DisplayManager.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -28,3 +28,5 @@
|
||||||
peer=(name=:*, label=gnome-shell),
|
peer=(name=:*, label=gnome-shell),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.gnome.Mutter.DisplayConfig.d>
|
include if exists <abstractions/bus/org.gnome.Mutter.DisplayConfig.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -18,3 +18,5 @@
|
||||||
peer=(name=:*, label=gnome-shell),
|
peer=(name=:*, label=gnome-shell),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.gnome.Mutter.IdleMonitor.d>
|
include if exists <abstractions/bus/org.gnome.Mutter.IdleMonitor.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -18,3 +18,5 @@
|
||||||
peer=(name=:*, label=nautilus),
|
peer=(name=:*, label=nautilus),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.gnome.Nautilus.FileOperations2.d>
|
include if exists <abstractions/bus/org.gnome.Nautilus.FileOperations2.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -18,3 +18,5 @@
|
||||||
peer=(name=:*, label=gjs-console),
|
peer=(name=:*, label=gjs-console),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.gnome.ScreenSaver.d>
|
include if exists <abstractions/bus/org.gnome.ScreenSaver.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -60,3 +60,5 @@
|
||||||
peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
|
peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.gnome.SessionManager.d>
|
include if exists <abstractions/bus/org.gnome.SessionManager.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -28,3 +28,5 @@
|
||||||
peer=(name=:*, label=gnome-shell),
|
peer=(name=:*, label=gnome-shell),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.gnome.Shell.Introspect.d>
|
include if exists <abstractions/bus/org.gnome.Shell.Introspect.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -18,3 +18,5 @@
|
||||||
peer=(name=:*, label=gvfs-*-volume-monitor),
|
peer=(name=:*, label=gvfs-*-volume-monitor),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor.d>
|
include if exists <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -8,3 +8,5 @@
|
||||||
peer=(name=:*, label=gvfsd),
|
peer=(name=:*, label=gvfsd),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.gtk.vfs.Daemon.d>
|
include if exists <abstractions/bus/org.gtk.vfs.Daemon.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -13,3 +13,5 @@
|
||||||
peer=(name=:*, label=gvfsd-metadata),
|
peer=(name=:*, label=gvfsd-metadata),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.gtk.vfs.Metadata.d>
|
include if exists <abstractions/bus/org.gtk.vfs.Metadata.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -18,3 +18,5 @@
|
||||||
peer=(name=:*, label=gvfsd),
|
peer=(name=:*, label=gvfsd),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.gtk.vfs.MountTracker.d>
|
include if exists <abstractions/bus/org.gtk.vfs.MountTracker.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -4,3 +4,5 @@
|
||||||
|
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.kde.StatusNotifierItem.d>
|
include if exists <abstractions/bus/org.kde.StatusNotifierItem.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -18,3 +18,5 @@
|
||||||
peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
|
peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.kde.StatusNotifierWatcher.d>
|
include if exists <abstractions/bus/org.kde.StatusNotifierWatcher.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -3,3 +3,5 @@
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
include if exists <abstractions/bus/org.kde.kwalletd.d>
|
include if exists <abstractions/bus/org.kde.kwalletd.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -15,10 +15,11 @@
|
||||||
include <abstractions/bus-system>
|
include <abstractions/bus-system>
|
||||||
include <abstractions/bus/org.a11y>
|
include <abstractions/bus/org.a11y>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
# include <abstractions/deny-sensitive-home>
|
include <abstractions/cups-client>
|
||||||
include <abstractions/desktop>
|
include <abstractions/desktop>
|
||||||
include <abstractions/devices-usb>
|
include <abstractions/devices-usb>
|
||||||
include <abstractions/disks-read>
|
include <abstractions/disks-read>
|
||||||
|
include <abstractions/enchant>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
include <abstractions/gstreamer>
|
include <abstractions/gstreamer>
|
||||||
|
|
@ -63,7 +64,6 @@
|
||||||
owner @{tmp}/** rmwk,
|
owner @{tmp}/** rmwk,
|
||||||
owner /dev/shm/** rwlk -> /dev/shm/**,
|
owner /dev/shm/** rwlk -> /dev/shm/**,
|
||||||
|
|
||||||
@{run}/cups/cups.sock rw, # Allow access to cups printing socket.
|
|
||||||
@{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.
|
@{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.
|
||||||
@{run}/host/{,**} r,
|
@{run}/host/{,**} r,
|
||||||
@{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket.
|
@{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket.
|
||||||
|
|
@ -100,13 +100,14 @@
|
||||||
@{PROC}/pressure/io r,
|
@{PROC}/pressure/io r,
|
||||||
@{PROC}/pressure/memory r,
|
@{PROC}/pressure/memory r,
|
||||||
@{PROC}/sys/fs/inotify/max_user_watches r,
|
@{PROC}/sys/fs/inotify/max_user_watches r,
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
|
||||||
@{PROC}/sys/kernel/osrelease r,
|
@{PROC}/sys/kernel/osrelease r,
|
||||||
@{PROC}/sys/kernel/pid_max r,
|
@{PROC}/sys/kernel/pid_max r,
|
||||||
|
@{PROC}/sys/kernel/sched_autogroup_enabled r,
|
||||||
@{PROC}/sys/kernel/yama/ptrace_scope r,
|
@{PROC}/sys/kernel/yama/ptrace_scope r,
|
||||||
@{PROC}/uptime r,
|
@{PROC}/uptime r,
|
||||||
@{PROC}/version r,
|
@{PROC}/version r,
|
||||||
@{PROC}/zoneinfo r,
|
@{PROC}/zoneinfo r,
|
||||||
|
owner @{PROC}/@{pid}/autogroup rw,
|
||||||
owner @{PROC}/@{pid}/clear_refs w,
|
owner @{PROC}/@{pid}/clear_refs w,
|
||||||
owner @{PROC}/@{pid}/comm rw,
|
owner @{PROC}/@{pid}/comm rw,
|
||||||
owner @{PROC}/@{pid}/environ r,
|
owner @{PROC}/@{pid}/environ r,
|
||||||
|
|
@ -128,4 +129,6 @@
|
||||||
/dev/pts/ptmx rw,
|
/dev/pts/ptmx rw,
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
|
|
||||||
include if exists <abstractions/common/app.d>
|
include if exists <abstractions/common/app.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -28,4 +28,6 @@
|
||||||
owner @{tmp}/#@{int} rw,
|
owner @{tmp}/#@{int} rw,
|
||||||
owner @{tmp}/clearsigned.message.* rw,
|
owner @{tmp}/clearsigned.message.* rw,
|
||||||
|
|
||||||
include if exists <abstractions/common/apt.d>
|
include if exists <abstractions/common/apt.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -2,10 +2,9 @@
|
||||||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
# Minimal set of rules for bwrap
|
# A minimal set of rules for sandboxed programs using bwrap.
|
||||||
|
|
||||||
# A profile using this abstraction still needs to set:
|
# A profile using this abstraction still needs to set:
|
||||||
# - the attach_disconnected flag
|
# - the flag: attach_disconnected
|
||||||
# - bwrap execution: '@{bin}/bwrap rix,'
|
# - bwrap execution: '@{bin}/bwrap rix,'
|
||||||
|
|
||||||
# userns,
|
# userns,
|
||||||
|
|
@ -31,6 +30,9 @@
|
||||||
umount /,
|
umount /,
|
||||||
umount /oldroot/,
|
umount /oldroot/,
|
||||||
|
|
||||||
|
#aa:only debian whonix
|
||||||
|
mount -> /newroot/{,**}, # Debian does not support the remount rule.
|
||||||
|
|
||||||
pivot_root oldroot=/newroot/ /newroot/,
|
pivot_root oldroot=/newroot/ /newroot/,
|
||||||
pivot_root oldroot=/tmp/oldroot/ /tmp/,
|
pivot_root oldroot=/tmp/oldroot/ /tmp/,
|
||||||
|
|
||||||
|
|
@ -51,3 +53,5 @@
|
||||||
owner @{PROC}/@{pid}/uid_map rw,
|
owner @{PROC}/@{pid}/uid_map rw,
|
||||||
|
|
||||||
include if exists <abstractions/common/bwrap.d>
|
include if exists <abstractions/common/bwrap.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -20,23 +20,25 @@
|
||||||
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
|
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
|
||||||
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
|
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
|
||||||
|
|
||||||
owner @{user_share_dirs}/.org.chromium.Chromium.* rw,
|
owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw,
|
||||||
|
|
||||||
/tmp/ r,
|
/tmp/ r,
|
||||||
/var/tmp/ r,
|
/var/tmp/ r,
|
||||||
owner @{tmp}/.org.chromium.Chromium.* rw,
|
owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
|
||||||
owner @{tmp}/.org.chromium.Chromium.*/{,**} rw,
|
owner @{tmp}/.org.chromium.Chromium.@{rand6}/{,**} rw,
|
||||||
owner @{tmp}/scoped_dir*/ rw,
|
owner @{tmp}/scoped_dir*/ rw,
|
||||||
owner @{tmp}/scoped_dir*/SingletonCookie w,
|
owner @{tmp}/scoped_dir*/SingletonCookie w,
|
||||||
owner @{tmp}/scoped_dir*/SingletonSocket w,
|
owner @{tmp}/scoped_dir*/SingletonSocket w,
|
||||||
owner @{tmp}/scoped_dir*/SS w,
|
owner @{tmp}/scoped_dir*/SS w,
|
||||||
|
|
||||||
/dev/shm/ r,
|
/dev/shm/ r,
|
||||||
owner /dev/shm/.org.chromium.Chromium.* rw,
|
owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
|
||||||
|
|
||||||
# If kernel.unprivileged_userns_clone = 1
|
# If kernel.unprivileged_userns_clone = 1
|
||||||
owner @{PROC}/@{pid}/setgroups w,
|
owner @{PROC}/@{pid}/setgroups w,
|
||||||
owner @{PROC}/@{pid}/gid_map w,
|
owner @{PROC}/@{pid}/gid_map w,
|
||||||
owner @{PROC}/@{pid}/uid_map w,
|
owner @{PROC}/@{pid}/uid_map w,
|
||||||
|
|
||||||
include if exists <abstractions/common/chromium.d>
|
include if exists <abstractions/common/chromium.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -86,4 +86,6 @@
|
||||||
owner @{PROC}/@{pid}/task/@{tid}/status r,
|
owner @{PROC}/@{pid}/task/@{tid}/status r,
|
||||||
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
|
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
|
||||||
|
|
||||||
include if exists <abstractions/common/electron.d>
|
include if exists <abstractions/common/electron.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -24,4 +24,6 @@
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/cmdline r,
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
|
|
||||||
include if exists <abstractions/common/gnome.d>
|
include if exists <abstractions/common/gnome.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
125
apparmor.d/abstractions/common/steam-game
Normal file
125
apparmor.d/abstractions/common/steam-game
Normal file
|
|
@ -0,0 +1,125 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
include <abstractions/audio-client>
|
||||||
|
include <abstractions/desktop>
|
||||||
|
include <abstractions/devices-usb>
|
||||||
|
include <abstractions/fontconfig-cache-write>
|
||||||
|
include <abstractions/graphics>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/ssl_certs>
|
||||||
|
|
||||||
|
@{bin}/uname rix,
|
||||||
|
@{bin}/xdg-settings rPx,
|
||||||
|
@{browsers_path} rPx,
|
||||||
|
|
||||||
|
@{bin}/env r,
|
||||||
|
|
||||||
|
@{app_dirs}/ r,
|
||||||
|
@{lib_dirs}/ r,
|
||||||
|
@{lib}/ r,
|
||||||
|
/ r,
|
||||||
|
/home/ r,
|
||||||
|
/usr/ r,
|
||||||
|
/usr/local/ r,
|
||||||
|
/usr/local/lib/ r,
|
||||||
|
|
||||||
|
/etc/machine-id r,
|
||||||
|
/var/lib/dbus/machine-id r,
|
||||||
|
|
||||||
|
owner @{HOME}/ r,
|
||||||
|
owner @{HOME}/.steam/steam.pid r,
|
||||||
|
owner @{HOME}/.steam/steam.pipe r,
|
||||||
|
|
||||||
|
owner @{user_games_dirs}/ r,
|
||||||
|
owner @{user_games_dirs}/*/ r,
|
||||||
|
owner @{user_games_dirs}/*/{,**} rwkl,
|
||||||
|
|
||||||
|
owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
|
||||||
|
owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
|
||||||
|
|
||||||
|
owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
|
||||||
|
owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
|
||||||
|
|
||||||
|
owner @{share_dirs}/ r,
|
||||||
|
owner @{share_dirs}/* r,
|
||||||
|
owner @{share_dirs}/appcache/** rk,
|
||||||
|
owner @{share_dirs}/config/ r,
|
||||||
|
owner @{share_dirs}/config/* rwk,
|
||||||
|
owner @{share_dirs}/logs/ rw,
|
||||||
|
owner @{share_dirs}/logs/* rwk,
|
||||||
|
owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw,
|
||||||
|
owner @{share_dirs}/steamapps/ r,
|
||||||
|
owner @{share_dirs}/steamapps/common/ r,
|
||||||
|
owner @{share_dirs}/steamapps/common/[^S]*/** rwlk,
|
||||||
|
owner @{share_dirs}/steamapps/shadercache/{,**} rwk,
|
||||||
|
|
||||||
|
@{tmp}/ r,
|
||||||
|
owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw,
|
||||||
|
owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
|
||||||
|
owner @{tmp}/#@{int} rw,
|
||||||
|
owner @{tmp}/CASESENSITIVETEST@{hex32} rw,
|
||||||
|
owner @{tmp}/crashes/ rw,
|
||||||
|
owner @{tmp}/crashes/** rwk,
|
||||||
|
owner @{tmp}/miles_image_@{rand6} mrw,
|
||||||
|
owner @{tmp}/runtime-info.txt.@{rand6} rw,
|
||||||
|
owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
|
||||||
|
|
||||||
|
owner /dev/shm/mono.@{int} rw,
|
||||||
|
owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw,
|
||||||
|
owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw,
|
||||||
|
owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
|
||||||
|
owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
|
||||||
|
owner /dev/shm/u@{uid}-Shm_@{hex8} rw,
|
||||||
|
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
|
||||||
|
owner /dev/shm/ValveIPCSHM_@{uid} rw,
|
||||||
|
|
||||||
|
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
|
||||||
|
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
|
||||||
|
|
||||||
|
@{sys}/ r,
|
||||||
|
@{sys}/bus/ r,
|
||||||
|
@{sys}/class/ r,
|
||||||
|
@{sys}/class/hidraw/ r,
|
||||||
|
@{sys}/class/input/ r,
|
||||||
|
@{sys}/devices/ r,
|
||||||
|
@{sys}/devices/@{pci}/boot_vga r,
|
||||||
|
@{sys}/devices/@{pci}/net/*/carrier r,
|
||||||
|
@{sys}/devices/**/input@{int}/ r,
|
||||||
|
@{sys}/devices/**/input@{int}/**/{vendor,product} r,
|
||||||
|
@{sys}/devices/**/input@{int}/capabilities/* r,
|
||||||
|
@{sys}/devices/**/input/input@{int}/ r,
|
||||||
|
@{sys}/devices/**/uevent r,
|
||||||
|
@{sys}/devices/system/ r,
|
||||||
|
@{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r,
|
||||||
|
@{sys}/devices/system/cpu/cpu@{int}/ r,
|
||||||
|
@{sys}/devices/virtual/dmi/id/* r,
|
||||||
|
@{sys}/devices/virtual/net/*/carrier r,
|
||||||
|
@{sys}/kernel/ r,
|
||||||
|
|
||||||
|
@{sys}/fs/cgroup/user.slice/cpu.max r,
|
||||||
|
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
|
||||||
|
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
|
||||||
|
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
|
||||||
|
|
||||||
|
@{PROC}/uptime r,
|
||||||
|
@{PROC}/version r,
|
||||||
|
owner @{PROC}/@{pid}/cgroup r,
|
||||||
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
|
owner @{PROC}/@{pid}/pagemap r,
|
||||||
|
owner @{PROC}/@{pid}/stat r,
|
||||||
|
owner @{PROC}/@{pid}/task/ r,
|
||||||
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||||
|
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||||
|
|
||||||
|
/dev/ r,
|
||||||
|
/dev/hidraw@{int} rw,
|
||||||
|
/dev/input/ r,
|
||||||
|
/dev/input/event@{int} rw,
|
||||||
|
/dev/tty rw,
|
||||||
|
/dev/uinput rw,
|
||||||
|
|
||||||
|
include if exists <abstractions/common/steam-game.d>
|
||||||
|
|
@ -18,4 +18,6 @@
|
||||||
|
|
||||||
/dev/kmsg w,
|
/dev/kmsg w,
|
||||||
|
|
||||||
include if exists <abstractions/common/systemd.d>
|
include if exists <abstractions/common/systemd.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -6,3 +6,5 @@
|
||||||
|
|
||||||
@{etc_ro}/gnutls/config r,
|
@{etc_ro}/gnutls/config r,
|
||||||
@{etc_ro}/gnutls/pkcs11.conf r,
|
@{etc_ro}/gnutls/pkcs11.conf r,
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -25,3 +25,5 @@
|
||||||
owner @{run}/user/@{uid}/dconf/user rw,
|
owner @{run}/user/@{uid}/dconf/user rw,
|
||||||
|
|
||||||
include if exists <abstractions/dconf-write.d>
|
include if exists <abstractions/dconf-write.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -49,3 +49,5 @@
|
||||||
deny @{HOME}/.{,cache/}fontconfig/** mrwl,
|
deny @{HOME}/.{,cache/}fontconfig/** mrwl,
|
||||||
|
|
||||||
include if exists <abstractions/deny-sensitive-home.d>
|
include if exists <abstractions/deny-sensitive-home.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -63,3 +63,5 @@
|
||||||
owner @{user_share_dirs}/ rw,
|
owner @{user_share_dirs}/ rw,
|
||||||
|
|
||||||
include if exists <abstractions/desktop.d>
|
include if exists <abstractions/desktop.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -22,4 +22,6 @@
|
||||||
@{run}/udev/data/c16[6,7]:@{int} r, # USB modems
|
@{run}/udev/data/c16[6,7]:@{int} r, # USB modems
|
||||||
@{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
|
@{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
|
||||||
|
|
||||||
include if exists <abstractions/devices-usb.d>
|
include if exists <abstractions/devices-usb.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -95,3 +95,5 @@
|
||||||
@{run}/udev/data/+usb:* r, # for disk over usb hub
|
@{run}/udev/data/+usb:* r, # for disk over usb hub
|
||||||
|
|
||||||
include if exists <abstractions/disks-read.d>
|
include if exists <abstractions/disks-read.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -95,3 +95,5 @@
|
||||||
@{run}/udev/data/+usb:* r, # for disk over usb hub
|
@{run}/udev/data/+usb:* r, # for disk over usb hub
|
||||||
|
|
||||||
include if exists <abstractions/disks-write.d>
|
include if exists <abstractions/disks-write.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -32,3 +32,5 @@
|
||||||
/dev/dri/renderD129 rw,
|
/dev/dri/renderD129 rw,
|
||||||
|
|
||||||
include if exists <abstractions/dri.d>
|
include if exists <abstractions/dri.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -12,3 +12,5 @@
|
||||||
owner @{user_config_dirs}/fish/{,**} r,
|
owner @{user_config_dirs}/fish/{,**} r,
|
||||||
|
|
||||||
include if exists <abstractions/fish.d>
|
include if exists <abstractions/fish.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -46,3 +46,5 @@
|
||||||
deny "@{user_share_dirs}/fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" w,
|
deny "@{user_share_dirs}/fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" w,
|
||||||
|
|
||||||
include if exists <abstractions/fontconfig-cache-read.d>
|
include if exists <abstractions/fontconfig-cache-read.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -39,3 +39,5 @@
|
||||||
link @{user_share_dirs}/fonts/**/.uuid.LCK -> @{user_share_dirs}/fonts/**/.uuid.TMP-*,
|
link @{user_share_dirs}/fonts/**/.uuid.LCK -> @{user_share_dirs}/fonts/**/.uuid.TMP-*,
|
||||||
|
|
||||||
include if exists <abstractions/fontconfig-cache-write.d>
|
include if exists <abstractions/fontconfig-cache-write.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -22,3 +22,5 @@
|
||||||
/var/lib/snapd/desktop/icons/{,**} r,
|
/var/lib/snapd/desktop/icons/{,**} r,
|
||||||
|
|
||||||
owner @{HOME}/.icons/{,**} r,
|
owner @{HOME}/.icons/{,**} r,
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -28,3 +28,5 @@
|
||||||
owner @{user_share_dirs}/ rw,
|
owner @{user_share_dirs}/ rw,
|
||||||
|
|
||||||
include if exists <abstractions/gnome-strict.d>
|
include if exists <abstractions/gnome-strict.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -10,3 +10,5 @@
|
||||||
peer=(name=:*, label=gnome-shell),
|
peer=(name=:*, label=gnome-shell),
|
||||||
|
|
||||||
/var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
|
/var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -20,3 +20,5 @@
|
||||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||||
|
|
||||||
include if exists <abstractions/graphics.d>
|
include if exists <abstractions/graphics.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -9,3 +9,5 @@
|
||||||
/dev/nvidia-uvm-tools rw,
|
/dev/nvidia-uvm-tools rw,
|
||||||
|
|
||||||
include if exists <abstractions/graphics-full.d>
|
include if exists <abstractions/graphics-full.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
|
|
@ -54,3 +54,5 @@
|
||||||
/dev/dri/ r,
|
/dev/dri/ r,
|
||||||
|
|
||||||
include if exists <abstractions/gstreamer.d>
|
include if exists <abstractions/gstreamer.d>
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
|
|
||||||
Some files were not shown because too many files have changed in this diff Show more
Loading…
Add table
Add a link
Reference in a new issue