refractor: move more profiles to groups.

2025-02-17 21:04:28 +01:00 · 2025-02-17 21:04:28 +01:00 · 5870e1ee40
commit 5870e1ee40
parent 5aab9da030
48 changed files with 0 additions and 0 deletions
--- a/apparmor.d/profiles-s-z/swaplabel
+++ b/apparmor.d/profiles-s-z/swaplabel
@ -1,23 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/swaplabel
-profile swaplabel @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/disks-write>
-
-  @{exec_path} mr,
-
-  # SWAP file common locations
-  owner /swapfile rw,
-
-  include if exists <local/swaplabel>
-}
-
-# vim:syntax=apparmor
--- a/apparmor.d/profiles-s-z/udiskie
+++ b/apparmor.d/profiles-s-z/udiskie
@ -1,46 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2021 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/udiskie
-profile udiskie @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/dconf-write>
-  include <abstractions/X>
-  include <abstractions/fonts>
-  include <abstractions/fontconfig-cache-read>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
-  include <abstractions/python>
-  include <abstractions/user-download-strict>
-  include <abstractions/thumbnails-cache-read>
-  include <abstractions/mesa>
-  include <abstractions/dri-enumerate>
-
-  @{exec_path} r,
-  @{bin}/python3.@{int} r,
-
-  @{bin}/ r,
-  @{open_path} rPx -> child-open,
-
-  /etc/fstab r,
-
-  owner @{user_config_dirs}/udiskie/ r,
-  owner @{user_config_dirs}/udiskie/config.yml r,
-
-  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/mounts r,
-  owner @{PROC}/@{pid}/mountinfo r,
-
-  # Silencer
-  deny @{lib}/** w,
-
-  include if exists <local/udiskie>
-}
-
-# vim:syntax=apparmor
--- a/apparmor.d/profiles-s-z/udiskie-info
+++ b/apparmor.d/profiles-s-z/udiskie-info
@ -1,28 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/udiskie-info
-profile udiskie-info @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/python>
-
-  @{exec_path} r,
-  @{bin}/python3.@{int} r,
-
-  /usr/bin/ r,
-
-  owner @{user_config_dirs}/udiskie/ r,
-  owner @{user_config_dirs}/udiskie/config.yml r,
-
-  owner @{PROC}/@{pid}/mounts r,
-
-  include if exists <local/udiskie-info>
-}
-
-# vim:syntax=apparmor
--- a/apparmor.d/profiles-s-z/udiskie-mount
+++ b/apparmor.d/profiles-s-z/udiskie-mount
@ -1,28 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/udiskie-mount
-profile udiskie-mount @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/python>
-
-  @{exec_path} r,
-  @{bin}/python3.@{int} r,
-
-  /usr/bin/ r,
-
-  owner @{user_config_dirs}/udiskie/ r,
-  owner @{user_config_dirs}/udiskie/config.yml r,
-
-  owner @{PROC}/@{pid}/mounts r,
-
-  include if exists <local/udiskie-mount>
-}
-
-# vim:syntax=apparmor
--- a/apparmor.d/profiles-s-z/udiskie-umount
+++ b/apparmor.d/profiles-s-z/udiskie-umount
@ -1,28 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/udiskie-umount
-profile udiskie-umount @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/python>
-
-  @{exec_path} r,
-  @{bin}/python3.@{int} r,
-
-  /usr/bin/ r,
-
-  owner @{user_config_dirs}/udiskie/ r,
-  owner @{user_config_dirs}/udiskie/config.yml r,
-
-  owner @{PROC}/@{pid}/mounts r,
-
-  include if exists <local/udiskie-umount>
-}
-
-# vim:syntax=apparmor
--- a/apparmor.d/profiles-s-z/udisksctl
+++ b/apparmor.d/profiles-s-z/udisksctl
@ -1,29 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/udisksctl
-profile udisksctl @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/bus-system>
-  include <abstractions/consoles>
-
-  #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd
-
-  @{exec_path} mr,
-
-  @{sh_path}        rix,
-
-  @{pager_path} rPx -> child-pager,
-
-  /dev/tty rw,
-
-  include if exists <local/udisksctl>
-}
-
-# vim:syntax=apparmor
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@ -1,165 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2021 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/{,udisks2/}udisksd
-profile udisksd @{exec_path} flags=(attach_disconnected) {
-  include <abstractions/base>
-  include <abstractions/bus-system>
-  include <abstractions/disks-write>
-  include <abstractions/nameservice-strict>
-
-  capability chown,
-  capability dac_override,
-  capability dac_read_search,
-  capability fowner,
-  capability fsetid,
-  capability net_admin,
-  capability setgid,
-  capability setuid,
-  capability sys_admin,
-  capability sys_nice,
-  capability sys_rawio,
-
-  network netlink raw,
-
-  # Allow mounting of removable devices
-  mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*       -> @{MOUNTS}/*/,
-  mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
-  mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/dm-[0-9]*          -> @{MOUNTS}/*/,
-
-  # Allow mounting of loop devices (ISO files)
-  mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/loop[0-9]*        -> @{MOUNTS}/*/,
-  mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/,
-
-  # Allow mounting of cdrom
-  mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/,
-  mount fstype={iso9660,udf,ntfs3}                       /dev/sr[0-9]*   -> @{MOUNTS}/*/,
-
-  # Allow mounting od sd cards
-  mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]         -> @{MOUNTS}/*/,
-  mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,
-
-  mount options=(rw move) -> @{MOUNTS}/,
-  mount options=(rw move) -> @{MOUNTS}/*/,
-
-  mount fstype=vfat -> /boot/efi/,
-
-  # Allow mounting on temporary mount point
-  mount -> @{run}/udisks2/temp-mount-*/,
-  mount / -> @{MOUNTS}/*/,
-
-  # Allow unmounting
-  umount @{MOUNTS}/,
-  umount @{MOUNTS}/*/,
-  umount @{run}/udisks2/temp-mount-*/,
-  umount /boot/efi/,
-  umount /media/cdrom@{int}/,
-
-  signal receive set=int peer=@{p_systemd},
-
-  #aa:dbus own bus=system name=org.freedesktop.UDisks2
-  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
-  #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd
-
-  dbus send bus=system path=/org/freedesktop/DBus
-       interface=org.freedesktop.DBus
-       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
-
-  @{exec_path} mr,
-
-  @{sh_path}             rix,
-  @{bin}/umount          rix,
-
-  @{bin}/dmidecode            rPx,
-  @{bin}/dumpe2fs             rPx,
-  @{bin}/eject                rPx,
-  @{bin}/fsck.fat             rPx,
-  @{bin}/lvm                 rPUx,
-  @{bin}/mke2fs               rPx,
-  @{bin}/mkfs.*               rPx,
-  @{bin}/mount.exfat-fuse    rPUx,
-  @{bin}/ntfs-3g              rPx,
-  @{bin}/ntfsfix              rPx,
-  @{bin}/sfdisk               rPx,
-  @{bin}/sgdisk               rPx,
-  @{bin}/systemctl            rCx -> systemctl,
-  @{bin}/systemd-escape       rPx,
-  @{bin}/xfs_*               rPUx,
-
-  /etc/crypttab r,
-  /etc/fstab r,
-  /etc/libblockdev/{,**} r,
-  /etc/nvme/* r,
-  /etc/udisks2/{,**} r,
-
-  /var/lib/udisks2/{,**} r,
-  /var/lib/udisks2/mounted-fs{,*} rw,
-
-  # Be able to create/delete dirs for removable media
-  @{MOUNTDIRS}/ rw,
-  @{MOUNTS}/ rw,
-  @{MOUNTS}/*/ rw,
-
-  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
-
-  @{run}/ r,
-  @{run}/mount/utab{,.*} rwk,
-  @{run}/udisks2/{,**} rw,
-  @{run}/systemd/seats/seat@{int} r,
-  @{run}/cryptsetup/ r,
-  @{run}/cryptsetup/L* rwk,
-
-  @{run}/udev/data/+acpi:* r,             # for acpi
-  @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
-  @{run}/udev/data/+platform:* r,
-  @{run}/udev/data/+scsi:* r,
-  @{run}/udev/data/+vmbus:* r,
-  @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
-
-  @{sys}/bus/ r,
-  @{sys}/bus/pci/slots/ r,
-  @{sys}/bus/pci/slots/@{int}/address r,
-  @{sys}/bus/scsi/devices/ r,
-  @{sys}/class/ r,
-  @{sys}/class/nvme-subsystem/ r,
-  @{sys}/class/nvme/ r,
-  @{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w,
-  @{sys}/devices/@{pci}/{ata,usb,mmc}[0-9]/{,**/}remove rw,
-  @{sys}/devices/@{pci}/uevent rw,
-  @{sys}/devices/**/net/*/ r,
-  @{sys}/devices/**/uevent r,
-  @{sys}/devices/virtual/bdi/**/read_ahead_kb r,
-  @{sys}/devices/virtual/block/*/{,**} rw,
-  @{sys}/devices/virtual/block/loop@{int}/uevent rw,
-  @{sys}/devices/virtual/dmi/id/product_uuid r,
-  @{sys}/devices/virtual/nvme-subsystem/{,**} r,
-  @{sys}/fs/ r,
-
-        @{PROC}/cmdline r,
-        @{PROC}/devices r,
-        @{PROC}/swaps r,
-  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/mountinfo r,
-  owner @{PROC}/@{pid}/mounts r,
-
-  /dev/loop-control rw,
-  /dev/null.@{int} rw,
-
-  profile systemctl {
-    include <abstractions/base>
-    include <abstractions/app/systemctl>
-
-    include if exists <local/udisksd_systemctl>
-  }
-
-  include if exists <local/udisksd>
-}
-
-# vim:syntax=apparmor
--- a/apparmor.d/profiles-s-z/umount
+++ b/apparmor.d/profiles-s-z/umount
@ -1,52 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/umount
-profile umount @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/consoles>
-  include <abstractions/disks-read>
-  include <abstractions/nameservice-strict>
-
-  capability chown,
-  capability dac_read_search,
-  capability setgid,
-  capability setuid,
-  capability sys_admin,
-
-  network inet stream,
-  network inet6 stream,
-
-  umount,
-
-  @{exec_path} mr,
-
-  @{bin}/umount.*  rPx,
-  @{bin}/mount.*   rPx,
-
-  /etc/mtab r,
-  /etc/fstab r,
-
-  # Mount points
-  @{HOME}/ r,
-  @{HOME}/*/ r,
-  @{HOME}/*/*/ r,
-  @{user_cache_dirs}/*/*/ r,
-  @{MOUNTS}/*/ r,
-  @{MOUNTS}/*/*/ r,
-
-  owner @{run}/mount/ rw,
-  owner @{run}/mount/utab{,.*} rwk,
-
-  owner @{PROC}/@{pid}/mountinfo r,
-
-  include if exists <local/umount>
-}
-
-# vim:syntax=apparmor
--- a/apparmor.d/profiles-s-z/umount.udisks2
+++ b/apparmor.d/profiles-s-z/umount.udisks2
@ -1,19 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/umount.udisks2
-profile umount.udisks2 @{exec_path} flags=(complain) {
-  include <abstractions/base>
-
-  @{exec_path} mr,
-
-  include if exists <local/umount.udisks2>
-}
-
-# vim:syntax=apparmor