refractor: move more profiles to groups.

This commit is contained in:
Alexandre Pujol 2025-02-17 21:04:28 +01:00
parent 5aab9da030
commit 5870e1ee40
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
48 changed files with 0 additions and 0 deletions


@ -0,0 +1,33 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/filecap
profile filecap @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
# The default behavior is to check only the directories in the PATH environmental variable.
@{bin}/ r,
@{bin}/* r,
/usr/local/sbin/ r,
/usr/local/sbin/* r,
/usr/local/bin/ r,
/usr/local/bin/* r,
# It's also possible to check any dir/file in the system by using the "-a" flag.
#capability dac_read_search,
#/ r,
#/** r,
include if exists <local/filecap>
}
# vim:syntax=apparmor


@ -0,0 +1,36 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/netcap
profile netcap @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability sys_ptrace,
capability dac_read_search,
ptrace (read),
@{exec_path} mr,
@{PROC}/ r,
@{PROC}/@{pid}/net/dev r,
@{PROC}/@{pid}/net/packet r,
@{PROC}/@{pid}/net/raw{,6} r,
@{PROC}/@{pid}/net/tcp{,6} r,
@{PROC}/@{pid}/net/udp{,6} r,
@{PROC}/@{pid}/net/udplite{,6} r,
@{PROC}/@{pids}/fd/ r,
@{PROC}/@{pids}/stat r,
include if exists <local/netcap>
}
# vim:syntax=apparmor


@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/pscap
profile pscap @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability sys_ptrace,
ptrace (read),
@{exec_path} mr,
@{PROC}/ r,
@{PROC}/@{pids}/stat r,
include if exists <local/pscap>
}
# vim:syntax=apparmor


@ -0,0 +1,66 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/{btrfs,btrfsck}
profile btrfs @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/disks-write>
include <abstractions/user-download-strict>
capability sys_admin,
capability fowner,
capability sys_rawio,
@{exec_path} mr,
/var/lib/btrfs/ rw,
/var/lib/btrfs/scrub.progress.@{uuid} rw,
/var/lib/btrfs/scrub.status.@{uuid}{,_tmp} rwk,
/ r,
/.snapshots/ r,
/boot/ r,
/boot/**/ r,
/home/ r,
/opt/ r,
/root/ r,
/srv/ r,
/usr/local/ r,
/var/ r,
@{MOUNTS}/ r,
@{MOUNTS}/ext2_saved/ rw,
@{MOUNTS}/ext2_saved/image rw,
@{MOUNTS}/*/ r,
@{MOUNTS}/*/ext2_saved/ rw,
@{MOUNTS}/*/ext2_saved/image rw,
# To be able to manage btrfs volumes
owner @{user_img_dirs}/{,**} rwk,
# For fsck of the btrfs filesystem directly from gparted
owner @{tmp}/gparted-*/ rw,
@{run}/blkid/blkid.tab{,-@{rand6}} rw,
@{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
@{run}/snapper-tools-*/ r,
@{run}/snapper-tools-@{rand6}/@/.snapshots/@{int}/snapshot r,
@{sys}/fs/btrfs/@{uuid}/** r,
@{PROC}/partitions r,
owner @{PROC}/@{pid}/mounts r,
/dev/btrfs-control rw,
/dev/pts/@{int} rw,
/dev/tty@{int} rw,
include if exists <local/btrfs>
}
# vim:syntax=apparmor


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/btrfs-convert
profile btrfs-convert @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/btrfs-convert>
}
# vim:syntax=apparmor


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/btrfs-find-root
profile btrfs-find-root @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
@{exec_path} mr,
# A place for file images
owner @{user_img_dirs}/{,**} rwk,
include if exists <local/btrfs-find-root>
}
# vim:syntax=apparmor


@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/btrfs-image
profile btrfs-image @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
@{exec_path} mr,
# Image files
owner @{user_img_dirs}/{,**} rwk,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/btrfs-image>
}
# vim:syntax=apparmor


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/btrfs-map-logical
profile btrfs-map-logical @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
@{exec_path} mr,
# A place for file images
owner @{user_img_dirs}/{,**} rwk,
include if exists <local/btrfs-map-logical>
}
# vim:syntax=apparmor


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/btrfs-select-super
profile btrfs-select-super @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/btrfs-select-super>
}
# vim:syntax=apparmor


@ -0,0 +1,26 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/btrfstune
profile btrfstune @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
@{exec_path} mr,
@{PROC}/partitions r,
owner @{PROC}/@{pid}/mounts r,
owner @{run}/blkid/blkid.tab{,-@{rand6}} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
include if exists <local/btrfstune>
}
# vim:syntax=apparmor


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/fsck.btrfs
profile fsck.btrfs @{exec_path} {
include <abstractions/base>
@{exec_path} r,
@{sh_path} rix,
/etc/fstab r,
include if exists <local/fsck.btrfs>
}
# vim:syntax=apparmor


@ -0,0 +1,26 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/fsck.fat @{bin}/fsck.msdos @{bin}/fsck.vfat @{bin}/dosfsck
profile fsck.fat @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
include <abstractions/user-download-strict>
@{exec_path} mr,
# A place for file images
owner @{user_img_dirs}/{,**} rwk,
owner @{run}/systemd/fsck.progress rw,
include if exists <local/fsck.fat>
}
# vim:syntax=apparmor


@ -0,0 +1,54 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/lvm
profile lvm @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/consoles>
include <abstractions/disks-write>
capability dac_read_search,
capability fowner,
capability mknod,
capability net_admin,
capability sys_admin,
capability sys_nice,
capability sys_rawio,
ptrace (read),
mqueue r type=posix /,
@{exec_path} rm,
@{etc_rw}/lvm/** rwkl,
/etc/multipath.conf r,
@{run}/lock/ rw,
@{run}/lock/lvm/ rw,
@{run}/lock/lvm/* rwk,
@{run}/lvm/** rwk,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/devices/virtual/bdi/**/read_ahead_kb r,
@{sys}/devices/virtual/dmi/id/product_uuid r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/devices r,
owner @{PROC}/@{pid}/mounts r,
/dev/**/ r,
/dev/mapper/control rw,
include if exists <local/lvm>
}
# vim:syntax=apparmor


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/lvmconfig
profile lvmconfig @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} rm,
@{etc_rw}/lvm/** rw,
include if exists <local/lvmconfig>
}
# vim:syntax=apparmor


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/lvmdump
profile lvmdump @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-read>
@{exec_path} rm,
include if exists <local/lvmdump>
}
# vim:syntax=apparmor


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/lvmpolld
profile lvmpolld @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@{exec_path} rm,
@{bin}/grep rix,
@{bin}/umount rPx,
@{run}/lvmpolld.pid rwk,
include if exists <local/lvmpolld>
}
# vim:syntax=apparmor


@ -0,0 +1,35 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/{mtools,mattrib,mbadblocks,mcat,mcd,mclasserase,mcopy,mdel,mdeltree,mdir,mdu,mformat,minfo,mlabel,mmd,mmount,mmove,mpartition,mrd,mren,mshortname,mshowfat,mtoolstest,mtype,mzip}
profile mtools @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-write>
include <abstractions/user-download-strict>
capability setuid,
capability setgid,
@{exec_path} mr,
# Mtools config file locations
/etc/mtools.conf r,
/etc/default/mtools.conf r,
owner @{HOME}/.mtoolsrc r,
# A place for file images
owner @{user_img_dirs}/{,**} rwk,
/dev/shm/*/**.{iso,img,bin,mdf,nrg} rwk,
/dev/shm/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/mtools>
}
# vim:syntax=apparmor


@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/nfsdcld
profile nfsdcld @{exec_path} {
include <abstractions/base>
capability mknod,
capability setpcap,
@{exec_path} mr,
/etc/nfs.conf r,
/etc/nfs.conf rk,
/var/lib/nfs/nfsdcld/{,**} rw,
/var/lib/nfs/rpc_pipefs/nfsd/* rw,
include if exists <local/nfsdcld>
}
# vim:syntax=apparmor
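Review bot: The two consecutive `/etc/nfs.conf` rules in the nfsdcld profile overlap: `/etc/nfs.conf rk,` already grants everything `/etc/nfs.conf r,` does, so the first of the pair is dead. Keeping the single rule `/etc/nfs.conf rk,` avoids a reader wondering whether the two lines were meant to differ. Since this commit only moves the file, the cleanup can go in a follow-up.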


@ -0,0 +1,61 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/{low,}ntfs{,-3g}
@{exec_path} += @{bin}/mount.{low,}ntfs{,-3g}
profile ntfs-3g @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-write>
include <abstractions/nameservice-strict>
capability dac_override,
capability dac_read_search,
capability mknod,
capability setgid,
capability setuid,
capability sys_admin,
# Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTDIRS},
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/,
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/,
mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,
# Allow to mount encrypted partition
mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTDIRS}/,
mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/,
mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/,
umount @{MOUNTDIRS}/,
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
@{exec_path} mr,
@{bin}/kmod rPx, # To load the fuse kernel module
# Mount points
@{MOUNTDIRS}/ r,
@{MOUNTS}/ r,
@{MOUNTS}/*/ r,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/swaps r,
owner @{PROC}/@{pid}/mounts r,
/dev/fuse rw,
/dev/tty@{int} rw,
include if exists <local/ntfs-3g>
}
# vim:syntax=apparmor
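Review bot: The first mount rule in the ntfs-3g profile targets `-> @{MOUNTDIRS},` without a trailing slash, whereas the encrypted-partition rule and the `umount @{MOUNTDIRS}/,` rule further down use `@{MOUNTDIRS}/`, and every other mount-point target in this block is written as a directory. If `@{MOUNTDIRS}` expands to values that already end in `/` this is harmless; otherwise the rule may not match the mount point and the mount the comment above it describes is denied. Suggest `mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTDIRS}/,` so the three target forms agree.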


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ntfs-3g.probe
profile ntfs-3g-probe @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
include if exists <local/ntfs-3g-probe>
}
# vim:syntax=apparmor


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ntfscat
profile ntfscat @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfscat>
}
# vim:syntax=apparmor


@ -0,0 +1,30 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ntfsclone
profile ntfsclone @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
include <abstractions/private-files-strict>
include <abstractions/user-download-strict>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
# A place for backups
@{HOME}/* rwk,
@{MOUNTS}/** rwk,
include if exists <local/ntfsclone>
}
# vim:syntax=apparmor


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ntfscluster
profile ntfscluster @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfscluster>
}
# vim:syntax=apparmor


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ntfscmp
profile ntfscmp @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfscmp>
}
# vim:syntax=apparmor


@ -0,0 +1,31 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ntfscp
profile ntfscp @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
# For writing files owned by users other than root, since ntfscp has to be started as root.
capability dac_read_search,
@{HOME}/@{XDG_DESKTOP_DIR}/ r,
@{HOME}/@{XDG_DESKTOP_DIR}/** rwkl -> @{HOME}/@{XDG_DESKTOP_DIR}/**,
@{user_download_dirs}/ r,
@{user_download_dirs}/** rwkl -> @{user_download_dirs}/**,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfscp>
}
# vim:syntax=apparmor


@ -0,0 +1,26 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ntfsdecrypt
profile ntfsdecrypt @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
capability sys_admin,
@{exec_path} mr,
# Common locations of the key
owner @{tmp}/*.key r,
owner @{HOME}/*.key r,
include if exists <local/ntfsdecrypt>
}
# vim:syntax=apparmor


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ntfsfallocate
profile ntfsfallocate @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfsfallocate>
}
# vim:syntax=apparmor


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ntfsfix
profile ntfsfix @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfsfix>
}
# vim:syntax=apparmor


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ntfsinfo
profile ntfsinfo @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfsinfo>
}
# vim:syntax=apparmor


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ntfslabel
profile ntfslabel @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfslabel>
}
# vim:syntax=apparmor


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ntfsls
profile ntfsls @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfsls>
}
# vim:syntax=apparmor


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ntfsmove
profile ntfsmove @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfsmove>
}
# vim:syntax=apparmor


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ntfsrecover
profile ntfsrecover @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfsrecover>
}
# vim:syntax=apparmor


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ntfsresize
profile ntfsresize @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfsresize>
}
# vim:syntax=apparmor


@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ntfssecaudit
profile ntfssecaudit @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
include <abstractions/nameservice-strict>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfssecaudit>
}
# vim:syntax=apparmor


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ntfstruncate
profile ntfstruncate @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfstruncate>
}
# vim:syntax=apparmor


@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ntfsundelete
profile ntfsundelete @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
# The recovery dir
owner @{tmp}/ntfs-recovery/ r,
owner @{tmp}/ntfs-recovery/* rw,
include if exists <local/ntfsundelete>
}
# vim:syntax=apparmor


@ -0,0 +1,29 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ntfsusermap
profile ntfsusermap @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
include <abstractions/nameservice-strict>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
# Where to save the UserMapping file
owner /root/UserMapping w,
owner @{tmp}/UserMapping w,
include if exists <local/ntfsusermap>
}
# vim:syntax=apparmor


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ntfswipe
profile ntfswipe @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfswipe>
}
# vim:syntax=apparmor


@ -0,0 +1,46 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/udiskie
profile udiskie @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/X>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/python>
include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/mesa>
include <abstractions/dri-enumerate>
@{exec_path} r,
@{bin}/python3.@{int} r,
@{bin}/ r,
@{open_path} rPx -> child-open,
/etc/fstab r,
owner @{user_config_dirs}/udiskie/ r,
owner @{user_config_dirs}/udiskie/config.yml r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
# Silencer
deny @{lib}/** w,
include if exists <local/udiskie>
}
# vim:syntax=apparmor


@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/udiskie-info
profile udiskie-info @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@{exec_path} r,
@{bin}/python3.@{int} r,
/usr/bin/ r,
owner @{user_config_dirs}/udiskie/ r,
owner @{user_config_dirs}/udiskie/config.yml r,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/udiskie-info>
}
# vim:syntax=apparmor
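Review bot: The udiskie-info profile hardcodes `/usr/bin/ r,` while the sibling udiskie profile in this same commit expresses the same directory listing with the `@{bin}/ r,` tunable; the udiskie-mount and udiskie-umount profiles carry the identical hardcoded line. Using `@{bin}/ r,` in all three keeps them consistent with the rest of the set and with the `@{exec_path} = @{bin}/...` definition at the top of each file, and lets the tunable handle merged-/usr layouts.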


@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/udiskie-mount
profile udiskie-mount @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@{exec_path} r,
@{bin}/python3.@{int} r,
/usr/bin/ r,
owner @{user_config_dirs}/udiskie/ r,
owner @{user_config_dirs}/udiskie/config.yml r,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/udiskie-mount>
}
# vim:syntax=apparmor


@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/udiskie-umount
profile udiskie-umount @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@{exec_path} r,
@{bin}/python3.@{int} r,
/usr/bin/ r,
owner @{user_config_dirs}/udiskie/ r,
owner @{user_config_dirs}/udiskie/config.yml r,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/udiskie-umount>
}
# vim:syntax=apparmor


@ -0,0 +1,29 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/udisksctl
profile udisksctl @{exec_path} {
include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/consoles>
#aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd
@{exec_path} mr,
@{sh_path} rix,
@{pager_path} rPx -> child-pager,
/dev/tty rw,
include if exists <local/udisksctl>
}
# vim:syntax=apparmor


@ -0,0 +1,165 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/{,udisks2/}udisksd
profile udisksd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/disks-write>
include <abstractions/nameservice-strict>
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability net_admin,
capability setgid,
capability setuid,
capability sys_admin,
capability sys_nice,
capability sys_rawio,
network netlink raw,
# Allow mounting of removable devices
mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/,
mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/,
# Allow mounting of loop devices (ISO files)
mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/,
mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/,
# Allow mounting of cdrom
mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/,
mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> @{MOUNTS}/*/,
# Allow mounting od sd cards
mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/,
mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,
mount options=(rw move) -> @{MOUNTS}/,
mount options=(rw move) -> @{MOUNTS}/*/,
mount fstype=vfat -> /boot/efi/,
# Allow mounting on temporary mount point
mount -> @{run}/udisks2/temp-mount-*/,
mount / -> @{MOUNTS}/*/,
# Allow unmounting
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
umount @{run}/udisks2/temp-mount-*/,
umount /boot/efi/,
umount /media/cdrom@{int}/,
signal receive set=int peer=@{p_systemd},
#aa:dbus own bus=system name=org.freedesktop.UDisks2
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
#aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
@{exec_path} mr,
@{sh_path} rix,
@{bin}/umount rix,
@{bin}/dmidecode rPx,
@{bin}/dumpe2fs rPx,
@{bin}/eject rPx,
@{bin}/fsck.fat rPx,
@{bin}/lvm rPUx,
@{bin}/mke2fs rPx,
@{bin}/mkfs.* rPx,
@{bin}/mount.exfat-fuse rPUx,
@{bin}/ntfs-3g rPx,
@{bin}/ntfsfix rPx,
@{bin}/sfdisk rPx,
@{bin}/sgdisk rPx,
@{bin}/systemctl rCx -> systemctl,
@{bin}/systemd-escape rPx,
@{bin}/xfs_* rPUx,
/etc/crypttab r,
/etc/fstab r,
/etc/libblockdev/{,**} r,
/etc/nvme/* r,
/etc/udisks2/{,**} r,
/var/lib/udisks2/{,**} r,
/var/lib/udisks2/mounted-fs{,*} rw,
# Be able to create/delete dirs for removable media
@{MOUNTDIRS}/ rw,
@{MOUNTS}/ rw,
@{MOUNTS}/*/ rw,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/ r,
@{run}/mount/utab{,.*} rwk,
@{run}/udisks2/{,**} rw,
@{run}/systemd/seats/seat@{int} r,
@{run}/cryptsetup/ r,
@{run}/cryptsetup/L* rwk,
@{run}/udev/data/+acpi:* r, # for acpi
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+platform:* r,
@{run}/udev/data/+scsi:* r,
@{run}/udev/data/+vmbus:* r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{sys}/bus/ r,
@{sys}/bus/pci/slots/ r,
@{sys}/bus/pci/slots/@{int}/address r,
@{sys}/bus/scsi/devices/ r,
@{sys}/class/ r,
@{sys}/class/nvme-subsystem/ r,
@{sys}/class/nvme/ r,
@{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w,
@{sys}/devices/@{pci}/{ata,usb,mmc}[0-9]/{,**/}remove rw,
@{sys}/devices/@{pci}/uevent rw,
@{sys}/devices/**/net/*/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/virtual/bdi/**/read_ahead_kb r,
@{sys}/devices/virtual/block/*/{,**} rw,
@{sys}/devices/virtual/block/loop@{int}/uevent rw,
@{sys}/devices/virtual/dmi/id/product_uuid r,
@{sys}/devices/virtual/nvme-subsystem/{,**} r,
@{sys}/fs/ r,
@{PROC}/cmdline r,
@{PROC}/devices r,
@{PROC}/swaps r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/dev/loop-control rw,
/dev/null.@{int} rw,
profile systemctl {
include <abstractions/base>
include <abstractions/app/systemctl>
include if exists <local/udisksd_systemctl>
}
include if exists <local/udisksd>
}
# vim:syntax=apparmor
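Review bot: In the udisksd profile the first rule under `# Allow mounting of cdrom` (`/dev/loop[0-9]*`) is a verbatim copy of the loop-device rule three lines above it, so the cdrom block really only contains the `/dev/sr[0-9]*` rule; the duplicate can be dropped. The comment `# Allow mounting od sd cards` should read `# Allow mounting of sd cards`. Separately, `@{bin}/lvm rPUx` falls back to unconfined execution when no lvm profile is loaded; since this commit carries a `profile lvm` definition, `rPx` may be the intended transition unless the fallback is deliberate for systems where that profile is not installed — worth confirming in a follow-up.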


@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/umount.udisks2
profile umount.udisks2 @{exec_path} flags=(complain) {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/umount.udisks2>
}
# vim:syntax=apparmor


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/swaplabel
profile swaplabel @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
@{exec_path} mr,
# SWAP file common locations
owner /swapfile rw,
include if exists <local/swaplabel>
}
# vim:syntax=apparmor


@ -0,0 +1,52 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/umount
profile umount @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-read>
include <abstractions/nameservice-strict>
capability chown,
capability dac_read_search,
capability setgid,
capability setuid,
capability sys_admin,
network inet stream,
network inet6 stream,
umount,
@{exec_path} mr,
@{bin}/umount.* rPx,
@{bin}/mount.* rPx,
/etc/mtab r,
/etc/fstab r,
# Mount points
@{HOME}/ r,
@{HOME}/*/ r,
@{HOME}/*/*/ r,
@{user_cache_dirs}/*/*/ r,
@{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r,
owner @{run}/mount/ rw,
owner @{run}/mount/utab{,.*} rwk,
owner @{PROC}/@{pid}/mountinfo r,
include if exists <local/umount>
}
# vim:syntax=apparmor