Merge branch 'master' into ubuntu2204_3

This commit is contained in:
nobodysu 2022-09-03 22:30:52 +00:00 committed by GitHub
commit 5a7d5beda1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
118 changed files with 914 additions and 777 deletions


@ -9,7 +9,7 @@ arch=("x86_64")
url="https://github.com/roddhjav/$pkgname"
license=('GPL2')
depends=('apparmor')
makedepends=('go' 'git')
makedepends=('go' 'git' 'rsync' 'lsb-release')
pkgver() {
cd "$srcdir/$pkgname"
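Review bot: The new `makedepends=('go' 'git' 'rsync' 'lsb-release')` changes the build inputs, but the pkgrel line sits above this hunk, so if it was not bumped elsewhere in this diff, existing builds will not be prompted to rebuild with the added tools. If `lsb-release` is used to detect the distribution during build(), the resulting package encodes the builder's host distribution rather than the target, which is worth a one-line comment next to the makedepends line such as `# rsync/lsb-release are used by the build script, not at runtime`. The pkgver() function continues past the hunk.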


@ -1,15 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
deny @{PROC}/@{pid}/mountinfo r,
deny @{PROC}/@{pid}/mounts r,
# Usually, apps shouldn't view this file
deny /etc/fstab r,
deny /dev/disk/*/ r,
include if exists <abstractions/file-browsing-strict.d>


@ -1,124 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) Libvirt Team
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
include <abstractions/base>
# Allow receiving signals from libvirtd
signal (receive) peer=libvirtd,
umount,
# ignore DENIED message on / remount
deny mount options=(ro, remount) -> /,
# allow tmpfs mounts everywhere
mount fstype=tmpfs,
# allow mqueue mounts everywhere
mount fstype=mqueue,
# allow fuse mounts everywhere
mount fstype=fuse.*,
# deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
deny @{PROC}/sys/fs/** wklx,
# allow efivars to be mounted, writing to it will be blocked though
mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
# block some other dangerous paths
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/mem rwklx,
deny @{PROC}/kmem rwklx,
# deny writes in /sys except for /sys/fs/cgroup, also allow
# fusectl, securityfs and debugfs to be mounted there (read-only)
mount fstype=fusectl -> /sys/fs/fuse/connections/,
mount fstype=securityfs -> /sys/kernel/security/,
mount fstype=debugfs -> /sys/kernel/debug/,
mount fstype=proc -> /proc/,
mount fstype=sysfs -> /sys/,
deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx,
# generated by: lxc-generate-aa-rules.py container-rules.base
deny /proc/sys/[^kn]*{,/**} wklx,
deny /proc/sys/k[^e]*{,/**} wklx,
deny /proc/sys/ke[^r]*{,/**} wklx,
deny /proc/sys/ker[^n]*{,/**} wklx,
deny /proc/sys/kern[^e]*{,/**} wklx,
deny /proc/sys/kerne[^l]*{,/**} wklx,
deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
deny /proc/sys/kernel/d[^o]*{,/**} wklx,
deny /proc/sys/kernel/do[^m]*{,/**} wklx,
deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
deny /proc/sys/kernel/domainname?*{,/**} wklx,
deny /proc/sys/kernel/h[^o]*{,/**} wklx,
deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
deny /proc/sys/kernel/host[^n]*{,/**} wklx,
deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
deny /proc/sys/kernel/hostname?*{,/**} wklx,
deny /proc/sys/kernel/m[^s]*{,/**} wklx,
deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
deny /proc/sys/kernel/msg*/** wklx,
deny /proc/sys/kernel/s[^he]*{,/**} wklx,
deny /proc/sys/kernel/se[^m]*{,/**} wklx,
deny /proc/sys/kernel/sem*/** wklx,
deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
deny /proc/sys/kernel/shm*/** wklx,
deny /proc/sys/kernel?*{,/**} wklx,
deny /proc/sys/n[^e]*{,/**} wklx,
deny /proc/sys/ne[^t]*{,/**} wklx,
deny /proc/sys/net?*{,/**} wklx,
deny /sys/[^fdc]*{,/**} wklx,
deny /sys/c[^l]*{,/**} wklx,
deny /sys/cl[^a]*{,/**} wklx,
deny /sys/cla[^s]*{,/**} wklx,
deny /sys/clas[^s]*{,/**} wklx,
deny /sys/class/[^n]*{,/**} wklx,
deny /sys/class/n[^e]*{,/**} wklx,
deny /sys/class/ne[^t]*{,/**} wklx,
deny /sys/class/net?*{,/**} wklx,
deny /sys/class?*{,/**} wklx,
deny /sys/d[^e]*{,/**} wklx,
deny /sys/de[^v]*{,/**} wklx,
deny /sys/dev[^i]*{,/**} wklx,
deny /sys/devi[^c]*{,/**} wklx,
deny /sys/devic[^e]*{,/**} wklx,
deny /sys/device[^s]*{,/**} wklx,
deny /sys/devices/[^v]*{,/**} wklx,
deny /sys/devices/v[^i]*{,/**} wklx,
deny /sys/devices/vi[^r]*{,/**} wklx,
deny /sys/devices/vir[^t]*{,/**} wklx,
deny /sys/devices/virt[^u]*{,/**} wklx,
deny /sys/devices/virtu[^a]*{,/**} wklx,
deny /sys/devices/virtua[^l]*{,/**} wklx,
deny /sys/devices/virtual/[^n]*{,/**} wklx,
deny /sys/devices/virtual/n[^e]*{,/**} wklx,
deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
deny /sys/devices/virtual/net?*{,/**} wklx,
deny /sys/devices/virtual?*{,/**} wklx,
deny /sys/devices?*{,/**} wklx,
deny /sys/f[^s]*{,/**} wklx,
deny /sys/fs/[^c]*{,/**} wklx,
deny /sys/fs/c[^g]*{,/**} wklx,
deny /sys/fs/cg[^r]*{,/**} wklx,
deny /sys/fs/cgr[^o]*{,/**} wklx,
deny /sys/fs/cgro[^u]*{,/**} wklx,
deny /sys/fs/cgrou[^p]*{,/**} wklx,
deny /sys/fs/cgroup?*{,/**} wklx,
deny /sys/fs?*{,/**} wklx,
include if exists <abstractions/libvirt-lxc.d>


@ -1,258 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) Libvirt Team
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# required for reading disk images
capability dac_override,
capability dac_read_search,
capability chown,
# needed to drop privileges
capability setgid,
capability setuid,
network inet stream,
network inet6 stream,
ptrace (readby, tracedby) peer=libvirtd,
ptrace (readby, tracedby) peer=virtqemud,
signal (receive) peer=libvirtd,
signal (receive) peer=virtqemud,
/dev/kvm rw,
/dev/net/tun rw,
/dev/ptmx rw,
@{PROC}/*/status r,
# When qemu is signaled to terminate, it will read cmdline of signaling
# process for reporting purposes. Allowing read access to a process
# cmdline may leak sensitive information embedded in the cmdline.
@{PROC}/@{pid}/cmdline r,
# Per man(5) proc, the kernel enforces that a thread may
# only modify its comm value or those in its thread group.
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
@{PROC}/sys/kernel/cap_last_cap r,
@{PROC}/sys/vm/overcommit_memory r,
# detect hardware capabilities via qemu_getauxval
owner @{PROC}/*/auxv r,
# allow reading libnl's classid file
/etc/libnl{,-3}/classid r,
# For hostdev access. The actual devices will be added dynamically
/sys/bus/usb/devices/ r,
/sys/devices/**/usb[0-9]*/** r,
# libusb needs udev data about usb devices (~equal to content of lsusb -v)
@{run}/udev/data/+usb* r,
@{run}/udev/data/c16[6,7]* r,
@{run}/udev/data/c18[0,8,9]* r,
# WARNING: this gives the guest direct access to host hardware and specific
# portions of shared memory. This is required for sound using ALSA with kvm,
# but may constitute a security risk. If your environment does not require
# the use of sound in your VMs, feel free to comment out or prepend 'deny' to
# the rules for files in /dev.
/dev/snd/* rw,
/{dev,run}/shm r,
/{dev,run}/shmpulse-shm* r,
/{dev,run}/shmpulse-shm* rwk,
capability ipc_lock,
# spice
owner /{dev,run}/shm/spice.* rw,
# 'kill' is not required for sound and is a security risk. Do not enable
# unless you absolutely need it.
deny capability kill,
# Uncomment the following if you need access to /dev/fb*
#/dev/fb* rw,
/etc/pulse/client.conf r,
@{HOME}/.pulse-cookie rwk,
owner /root/.pulse-cookie rwk,
owner /root/.pulse/ rw,
owner /root/.pulse/* rw,
/usr/share/alsa/** r,
owner /tmp/pulse-*/ rw,
owner /tmp/pulse-*/* rw,
/var/lib/dbus/machine-id r,
# access to firmware's etc
/usr/share/AAVMF/** r,
/usr/share/bochs/** r,
/usr/share/edk2-ovmf/** rk,
/usr/share/kvm/** r,
/usr/share/misc/sgabios.bin r,
/usr/share/openbios/** r,
/usr/share/openhackware/** r,
/usr/share/OVMF/** rk,
/usr/share/ovmf/** rk,
/usr/share/proll/** r,
/usr/share/qemu-efi/** r,
/usr/share/qemu-kvm/** r,
/usr/share/qemu/** r,
/usr/share/seabios/** r,
/usr/share/sgabios/** r,
/usr/share/slof/** r,
/usr/share/vgabios/** r,
# pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
/etc/pki/CA/ r,
/etc/pki/CA/* r,
/etc/pki/libvirt{,-spice,-vnc}/ r,
/etc/pki/libvirt{,-spice,-vnc}/** r,
/etc/pki/qemu/ r,
/etc/pki/qemu/** r,
# the various binaries
/usr/bin/kvm rmix,
/usr/bin/kvm-spice rmix,
/usr/bin/qemu rmix,
/usr/bin/qemu-aarch64 rmix,
/usr/bin/qemu-alpha rmix,
/usr/bin/qemu-arm rmix,
/usr/bin/qemu-armeb rmix,
/usr/bin/qemu-cris rmix,
/usr/bin/qemu-i386 rmix,
/usr/bin/qemu-kvm rmix,
/usr/bin/qemu-m68k rmix,
/usr/bin/qemu-microblaze rmix,
/usr/bin/qemu-microblazeel rmix,
/usr/bin/qemu-mips rmix,
/usr/bin/qemu-mips64 rmix,
/usr/bin/qemu-mips64el rmix,
/usr/bin/qemu-mipsel rmix,
/usr/bin/qemu-mipsn32 rmix,
/usr/bin/qemu-mipsn32el rmix,
/usr/bin/qemu-or32 rmix,
/usr/bin/qemu-ppc rmix,
/usr/bin/qemu-ppc64 rmix,
/usr/bin/qemu-ppc64abi32 rmix,
/usr/bin/qemu-ppc64le rmix,
/usr/bin/qemu-s390x rmix,
/usr/bin/qemu-sh4 rmix,
/usr/bin/qemu-sh4eb rmix,
/usr/bin/qemu-sparc rmix,
/usr/bin/qemu-sparc32plus rmix,
/usr/bin/qemu-sparc64 rmix,
/usr/bin/qemu-system-aarch64 rmix,
/usr/bin/qemu-system-alpha rmix,
/usr/bin/qemu-system-arm rmix,
/usr/bin/qemu-system-cris rmix,
/usr/bin/qemu-system-hppa rmix,
/usr/bin/qemu-system-i386 rmix,
/usr/bin/qemu-system-lm32 rmix,
/usr/bin/qemu-system-m68k rmix,
/usr/bin/qemu-system-microblaze rmix,
/usr/bin/qemu-system-microblazeel rmix,
/usr/bin/qemu-system-mips rmix,
/usr/bin/qemu-system-mips64 rmix,
/usr/bin/qemu-system-mips64el rmix,
/usr/bin/qemu-system-mipsel rmix,
/usr/bin/qemu-system-moxie rmix,
/usr/bin/qemu-system-nios2 rmix,
/usr/bin/qemu-system-or1k rmix,
/usr/bin/qemu-system-or32 rmix,
/usr/bin/qemu-system-ppc rmix,
/usr/bin/qemu-system-ppc64 rmix,
/usr/bin/qemu-system-ppcemb rmix,
/usr/bin/qemu-system-riscv32 rmix,
/usr/bin/qemu-system-riscv64 rmix,
/usr/bin/qemu-system-s390x rmix,
/usr/bin/qemu-system-sh4 rmix,
/usr/bin/qemu-system-sh4eb rmix,
/usr/bin/qemu-system-sparc rmix,
/usr/bin/qemu-system-sparc64 rmix,
/usr/bin/qemu-system-tricore rmix,
/usr/bin/qemu-system-unicore32 rmix,
/usr/bin/qemu-system-x86_64 rmix,
/usr/bin/qemu-system-xtensa rmix,
/usr/bin/qemu-system-xtensaeb rmix,
/usr/bin/qemu-unicore32 rmix,
/usr/bin/qemu-x86_64 rmix,
# for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
/usr/{lib,lib64}/qemu/*.so mr,
/usr/lib/@{multiarch}/qemu/*.so mr,
# let qemu load old shared objects after upgrades (LP: #1847361)
/{var/,}run/qemu/*/*.so mr,
# but explicitly deny writing to these files
audit deny /{var/,}run/qemu/*/*.so w,
# swtpm
/{usr/,}bin/swtpm rmix,
/usr/{lib,lib64}/libswtpm_libtpms.so mr,
/usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
# for save and resume
/{usr/,}bin/dash rmix,
/{usr/,}bin/dd rmix,
/{usr/,}bin/cat rmix,
# for restore
/{usr/,}bin/bash rmix,
# for usb access
/dev/bus/usb/ r,
/etc/udev/udev.conf r,
/sys/bus/ r,
/sys/class/ r,
# for rbd
/etc/ceph/*.conf r,
# Various functions will need to enumerate /tmp (e.g. ceph), allow the base
# dir and a few known functions like samba support.
# We want to avoid to give blanket rw permission to everything under /tmp,
# users are expected to add site specific addons for more uncommon cases.
# Qemu processes usually all run as the same users, so the "owner"
# restriction prevents access to other services files, but not across
# different instances.
# This is a tradeoff between usability and security - if paths would be more
# predictable that would be preferred - at least for write rules we would
# want more unique paths per rule.
/{,var/}tmp/ r,
owner /{,var/}tmp/**/ r,
# for file-posix getting limits since 9103f1ce
/sys/devices/**/block/*/queue/max_segments r,
# for ppc device-tree access
@{PROC}/device-tree/ r,
@{PROC}/device-tree/** r,
/sys/firmware/devicetree/** r,
# allow connect with openGraphicsFD to work
unix (send, receive) type=stream addr=none peer=(label=libvirtd),
unix (send, receive) type=stream addr=none peer=(label=virtqemud),
# for gathering information about available host resources
/sys/devices/system/cpu/ r,
/sys/devices/system/node/ r,
/sys/devices/system/node/node[0-9]*/meminfo r,
/sys/module/vhost/parameters/max_mem_regions r,
# silence refusals to open lttng files (see LP: #1432644)
deny /dev/shm/lttng-ust-wait-* r,
deny @{run}/shm/lttng-ust-wait-* r,
# for vfio hotplug on systems without static vfio (LP: #1775777)
/dev/vfio/vfio rw,
# required for sasl GSSAPI plugin
/etc/gss/mech.d/ r,
/etc/gss/mech.d/* r,
# required by libpmem init to fts_open()/fts_read() the symlinks in
# /sys/bus/nd/devices
/ r, # harmless on any lsb compliant system
/sys/bus/nd/devices/{,**/} r,
# required for QEMU accessing UEFI nvram variables
owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk,
include if exists <abstractions/libvirt-qemu.d>


@ -7,8 +7,8 @@
/var/lib/gdm/.cache/mesa_shader_cache/ rw,
/var/lib/gdm/.cache/mesa_shader_cache/index rw,
/var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
/var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
/var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
/var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw,
/var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk,
@{sys}/devices/pci[0-9]*/**/revision r,
@{sys}/devices/pci[0-9]*/**/config r,
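Review bot: The `@{hex}` substitution on `/var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw,` and its `.tmp` sibling is only equivalent to the former `[0-9a-f]*` if the tunable is defined as a zero-or-more hex glob; a fixed-length or one-or-more definition would silently deny cache entries of other lengths. The same substitution is made in the qtshadercache, atom, calibre, code, flameshot, geany, okular, spotify, telegram-desktop, apt, synaptic, firefox, firefox-crashreporter, firefox-minidump-analyzer, ibus-*, xdg-*, gnome-shell and tracker-miner sections, and in gpg-agent, where it replaces the uppercase `[0-9A-F]*.key`; that last one only stays correct if `@{hex}` covers uppercase, otherwise the agent loses read/write access to its private-keys-v1.d keygrip files. This abstraction does not include tunables itself, so every profile that pulls it in must already have `@{hex}` in scope via `tunables/global`, which is worth confirming for the abstractions touched here. The two `[a-f0-9][a-f0-9]/` directory components on these lines keep a hand-written class next to the tunable; a brief comment such as `# two-char hex subdir, then @{hex} entry name` would make the mixed form intentional.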


@ -6,7 +6,7 @@
owner @{HOME}/.cache/qtshadercache/ rw,
owner @{HOME}/.cache/qtshadercache/#[0-9]*[0-9] rw,
owner @{HOME}/.cache/qtshadercache/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9],
owner @{HOME}/.cache/qtshadercache/@{hex} rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9],
owner @{HOME}/.cache/qtshadercache-*-little_endian-*/ rw,
owner @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{HOME}/.cache/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{HOME}/.cache/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
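Review bot: The trailing `*` on `owner @{HOME}/.cache/qtshadercache-*-little_endian-*/@{hex}* rwl -> …` is absent from the rule for the plain qtshadercache directory three lines above, and from the equivalent calibre rules in this commit, which use `@{hex}` with no suffix; one of the two forms is wrong. If `@{hex}` already ends in a `*`-style glob the suffix is redundant and the line should read `owner @{HOME}/.cache/qtshadercache-*-little_endian-*/@{hex} rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9],`; if it does not, the plain-directory and calibre rules are the ones missing it.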


@ -129,7 +129,7 @@ profile atom @{exec_path} {
# The irq file is needed to render pages.
deny @{sys}/devices/pci[0-9]*/**/irq r,
owner /tmp/atom-[0-9a-f]*.sock rw,
owner /tmp/atom-@{hex}.sock rw,
owner "/tmp/Atom Crashes/" rw,
owner /tmp/github-[0-9]*-[0-9]*-*.*/ rw,
owner /tmp/github-[0-9]*-[0-9]*-*.*/** rw,


@ -91,9 +91,9 @@ profile calibre @{exec_path} {
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw,
owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,


@ -109,8 +109,8 @@ profile code @{exec_path} {
owner "/tmp/VSCode Crashes/" rw,
owner /tmp/vscode-typescript[0-9]*/ rw,
owner @{run}/user/@{uid}/vscode-[0-9a-f]*-*-{shared,main}.sock rw,
owner @{run}/user/@{uid}/vscode-git-askpass-[0-9a-f]*.sock rw,
owner @{run}/user/@{uid}/vscode-@{hex}-*-{shared,main}.sock rw,
owner @{run}/user/@{uid}/vscode-git-askpass-@{hex}.sock rw,
owner /tmp/vscode-ipc-@{uuid}.sock rw,
# For installing extensions


@ -54,7 +54,7 @@ profile flameshot @{exec_path} {
owner /tmp/.*/{,s} rw,
owner /tmp/*= rw,
owner /tmp/qipc_{systemsem,sharedmemory}_*[0-9a-f]* rw,
owner /tmp/qipc_{systemsem,sharedmemory}_*@{hex} rw,
deny owner @{PROC}/@{pid}/cmdline r,
deny @{PROC}/sys/kernel/random/boot_id r,


@ -51,7 +51,7 @@ profile geany @{exec_path} {
owner @{user_config_dirs}/geany/{,**} rw,
owner /{run/,}user/@{uid}/geany/geany_socket.[0-9a-f]* rw,
owner /{run/,}user/@{uid}/geany/geany_socket.@{hex} rw,
# To read/write files in the system. The read permission is granted for all files, the write
# permission only for the owner. Also, dirs like /dev/, /proc/, /sys/ are not included in
@ -110,7 +110,7 @@ profile geany @{exec_path} {
/{usr/,}bin/dbus-daemon rPUx,
# for dbus-launch
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
@{HOME}/.Xauthority r,
}


@ -85,7 +85,7 @@ profile okular @{exec_path} {
# Print to pdf
/{usr/,}bin/ps2pdf rPUx,
owner /tmp/[0-9a-f]* rw,
owner /tmp/@{hex} rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/okular_*.ps rwl -> /tmp/#[0-9]*[0-9],


@ -67,7 +67,7 @@ profile spotify @{exec_path} {
/usr/share/X11/XErrorDB r,
owner /tmp/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
owner /tmp/@{hex}-@{hex}-@{hex}-@{hex} rw,
# What's this for?
#owner /tmp/[0-9]*.[0-9]*.[0-9]*.[0-9]*-linux-*.zip rw,


@ -59,8 +59,8 @@ profile telegram-desktop @{exec_path} {
# Autostart
owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw,
owner /tmp/[0-9a-f]*-* rwk,
owner @{run}/user/@{uid}/[0-9a-f]*-* rwk,
owner /tmp/@{hex}-* rwk,
owner @{run}/user/@{uid}/@{hex}-* rwk,
/dev/shm/#[0-9]*[0-9] rw,


@ -34,7 +34,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
unix (receive, send) type=stream peer=(label=apt-esm-json-hook),
dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/[0-9a-f]*}
dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/@{hex}}
interface=org.{debian.apt*,freedesktop.DBus.{Properties,Introspectable}},
dbus send bus=system path=/org/freedesktop/PackageKit


@ -170,7 +170,7 @@ profile synaptic @{exec_path} {
/{usr/,}bin/dbus-daemon rPUx,
# for dbus-launch
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
@{HOME}/.Xauthority r,
}


@ -200,7 +200,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
owner @{MOZ_HOMEDIR}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r,
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix{,-wayland}-[0-9]*} r,
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]*} r,
owner @{user_config_dirs}/mimeapps.list{,.*} rw,
owner @{user_cache_dirs}/ rw,


@ -39,8 +39,8 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/{,**}" rw,
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/crashreporter.ini" rw,
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/events/[0-9a-f]*" rw,
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/[0-9a-f]*.{dmp,extra}" rw,
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/events/@{hex}" rw,
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw,
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/submit.log" rw,
owner @{MOZ_HOMEDIR}/firefox/*.*/crashes/{,**} rw,
@ -53,7 +53,7 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
/tmp/ r,
/var/tmp/ r,
owner /tmp/[0-9a-f]*.{dmp,extra} rw,
owner /tmp/@{hex}.{dmp,extra} rw,
owner /tmp/firefox/.parentlock w,
owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r,


@ -22,14 +22,14 @@ profile firefox-minidump-analyzer @{exec_path} {
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/" rw,
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/" rw,
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/[0-9a-f]*.{dmp,extra}" rw,
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw,
owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/ rw,
owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/@{uuid}.{dmp,extra} rw,
owner @{user_cache_dirs}/mozilla/firefox/*.*/startupCache/*Cache* r,
owner /tmp/[0-9a-f]*.{dmp,extra} rw,
owner /tmp/@{hex}.{dmp,extra} rw,
owner /tmp/firefox/.parentlock w,
owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r,


@ -19,9 +19,10 @@ profile dbus-daemon-launch-helper @{exec_path} {
@{exec_path} mr,
/{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism rPx,
/{usr/,}lib/cups-pk-helper-mechanism rPx,
/{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx,
/{usr/,}lib/software-properties/software-properties-dbus rPx,
/usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
/usr/share/dbus-1/{,**} r,
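Review bot: The added `/{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx,` requests a transition to the named cups-pk-helper-mechanism profile, so it only works if that profile's `@{exec_path}` alternation also lists the `/{usr/,}lib/cups-pk-helper/` location; if it does not, the exec is denied rather than falling back to the parent profile. That profile is not part of this diff, so its path list should be checked together with this line. A short comment naming which distribution ships the helper at this location would tell the next reader why a third path is needed. The enclosing profile continues past the hunk.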


@ -24,10 +24,10 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
/etc/dconf/db/ibus r,
/var/lib/dbus/machine-id r,
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r,
owner @{user_config_dirs}/ibus/bus/@{hex}-unix-[0-9]* r,
/var/lib/gdm/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r,
/var/lib/gdm/.config/ibus/bus/@{hex}-unix-[0-9]* r,
/var/lib/gdm/.cache/dconf/ w,
/var/lib/gdm/.cache/dconf/user rw,


@ -19,8 +19,8 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r,
/var/lib/gdm/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
/var/lib/gdm/.config/ibus/bus/@{hex}-unix-[0-9] r,
owner /dev/tty[0-9]* rw,


@ -17,7 +17,7 @@ profile ibus-memconf @{exec_path} {
/etc/machine-id r,
/var/lib/gdm{3,}/.config/ibus/bus/ r,
/var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
/var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9]* r,
include if exists <local/ibus-memconf>
}


@ -26,7 +26,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
/var/lib/dbus/machine-id r,
/var/lib/gdm/.config/ibus/bus/ r,
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
/var/lib/gdm/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r,
owner /dev/tty[0-9]* rw,
/dev/null rw,


@ -23,10 +23,10 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
/var/lib/gdm/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
owner @{user_config_dirs}/ibus/bus/@{hex}-unix-[0-9] r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
owner @{run}/user/@{uid}/gdm/Xauthority r,


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/plymouth
profile plymouth @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
unix (send, receive, connect) type=stream peer=(addr="@/org/freedesktop/plymouthd"),


@ -34,105 +34,78 @@ profile pulseaudio @{exec_path} {
network bluetooth stream,
network bluetooth seqpacket,
dbus (send)
bus=session
path=/Client0/EntryGroup[0-9]*
interface=org.freedesktop.Avahi.EntryGroup
member={GetState,AddService,AddServiceSubtype,Commit}
peer=(name=org.freedesktop.Avahi),
dbus send bus=session path=/Client0/EntryGroup[0-9]*
interface=org.freedesktop.Avahi.EntryGroup
member={GetState,AddService,AddServiceSubtype,Commit}
peer=(name=org.freedesktop.Avahi),
dbus (receive)
bus=session
path=/Client0/EntryGroup[0-9]*
interface=org.freedesktop.Avahi.EntryGroup
member=StateChanged
peer=(name=org.freedesktop.Avahi),
dbus receive bus=session path=/Client0/EntryGroup[0-9]*
interface=org.freedesktop.Avahi.EntryGroup
member=StateChanged
peer=(name=org.freedesktop.Avahi),
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus),
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus),
dbus (receive)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,RequestName,ReleaseName}
peer=(name=:*),
dbus receive bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,RequestName,ReleaseName}
peer=(name=:*),
dbus (receive)
bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect,
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect,
dbus (bind)
bus=session
name=org.freedesktop.ReserveDevice[0-9].Audio[0-9],
dbus bind bus=session
name=org.freedesktop.ReserveDevice[0-9].Audio[0-9],
dbus (bind)
bus=session
name=org.PulseAudio[0-9],
dbus bind bus=session
name=org.PulseAudio[0-9],
dbus (bind)
bus=session
name=org.pulseaudio*,
dbus bind bus=session
name=org.pulseaudio*,
dbus (send)
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch}
peer=(name=org.freedesktop.DBus),
dbus send bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch}
peer=(name=org.freedesktop.DBus),
dbus (send)
bus=system
path=/org/freedesktop/RealtimeKit[0-9]
member={Get,MakeThreadHighPriority,MakeThreadRealtime}
peer=(name=org.freedesktop.RealtimeKit[0-9]),
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
member={Get,MakeThreadHighPriority,MakeThreadRealtime}
peer=(name=org.freedesktop.RealtimeKit[0-9]),
dbus (send)
bus=system
path=/
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name=org.bluez),
dbus send bus=system path=/
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name=org.bluez),
dbus (send)
bus=system
path=/
interface=org.freedesktop.DBus.Peer
member=Ping
peer=(name=org.freedesktop.Avahi),
dbus send bus=system path=/
interface=org.freedesktop.DBus.Peer
member=Ping
peer=(name=org.freedesktop.Avahi),
dbus (send)
bus=system
path=/
interface=org.freedesktop.Avahi.Server
member={GetAPIVersion,GetState,EntryGroupNew}
peer=(name=org.freedesktop.Avahi),
dbus send bus=system path=/
interface=org.freedesktop.Avahi.Server
member={GetAPIVersion,GetState,EntryGroupNew}
peer=(name=org.freedesktop.Avahi),
dbus (receive)
bus=system
path=/
interface=org.freedesktop.Avahi.Server
member=StateChanged
peer=(name=org.freedesktop.Avahi),
dbus receive bus=system path=/
interface=org.freedesktop.Avahi.Server
member=StateChanged
peer=(name=org.freedesktop.Avahi),
dbus (send)
bus=system
path=/
interface=org.freedesktop.hostname[0-9]
member=Get
peer=(name=/org/freedesktop/hostname[0-9]),
dbus send bus=system path=/
interface=org.freedesktop.hostname[0-9]
member=Get
peer=(name=/org/freedesktop/hostname[0-9]),
dbus (send)
bus=system
path=/org.freedesktop.hostname[0-9]
interface=org.freedesktop.DBus.Prope
member=Get
peer=(name=/org/freedesktop/hostname[0-9]),
dbus send bus=system path=/org.freedesktop.hostname[0-9]
interface=org.freedesktop.DBus.Prope
member=Get
peer=(name=/org/freedesktop/hostname[0-9]),
@{exec_path} mrix,
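Review bot: The two hostname rules carried onto the new side, `dbus send bus=system path=/ interface=org.freedesktop.hostname[0-9] member=Get peer=(name=/org/freedesktop/hostname[0-9]),` and the one after it, put an object path where `peer=(name=…)` expects a bus name, and the second also uses `path=/org.freedesktop.hostname[0-9]` with dots instead of slashes and an interface `org.freedesktop.DBus.Prope`, which, unless it is a rendering artifact, is a truncated `Properties`; as written neither rule can match, so the lookup is silently denied and whoever debugs it later may widen the rule instead of fixing it. The intended form is presumably `dbus send bus=system path=/org/freedesktop/hostname[0-9] interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.freedesktop.hostname[0-9]),`, with the `interface=org.freedesktop.hostname[0-9] member=Get` variant dropped if hostname1 exposes no such method. The rewrite also leaves `bus=system` alone on the first line of the org.freedesktop.DBus rule while every other rule keeps `path=` on that line; one layout would read better. The profile continues past the hunk.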


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/update-mime-database
profile update-mime-database @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability dac_override,
capability dac_read_search,


@ -69,7 +69,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/dbus-daemon rPx,
@{HOME}/.Xauthority r,
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
}


@ -61,7 +61,7 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/dbus-daemon rPx,
# for dbus-launch
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
@{HOME}/.Xauthority r,
}


@ -64,7 +64,7 @@ profile xdg-settings @{exec_path} {
/{usr/,}bin/dbus-daemon rPx,
# for dbus-launch
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
@{HOME}/.Xauthority r,
}


@ -31,6 +31,12 @@ profile evolution-calendar-factory @{exec_path} {
interface=org.freedesktop.NetworkManager
member={CheckPermissions,StateChanged},
dbus (send,receive) bus=session path=/org/gnome/evolution/dataserver{,/**}
interface={org.freedesktop.DBus.{Introspectable,ObjectManager,Properties},org.gnome.evolution.dataserver.*},
dbus bind bus=session
name=org.gnome.evolution.dataserver.Calendar[0-9],
@{exec_path} mr,
@{exec_path}-subprocess rix,
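Review bot: The added `dbus (send,receive) bus=session path=/org/gnome/evolution/dataserver{,/**}` rule carries no `peer=` and no `member=` qualifier, so any session-bus peer may invoke any dataserver, ObjectManager or Properties method on the factory and the factory may do the same to anyone; if that breadth is deliberate because arbitrary clients attach to the calendar factory, a comment such as `# any client may talk to the factory; receive side is intentionally unrestricted` would stop a later reviewer from tightening it blindly, and the send side could still be limited to the peers the factory itself calls. The rule uses the parenthesised `dbus (send,receive)` form right above a bare `dbus bind`, which is the opposite of the conversion the pulseaudio section of this commit performs; one form across the commit would be easier to maintain. The enclosing profile continues outside the hunk.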


@ -49,6 +49,23 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.login[0-9].Manager
member={SessionNew,PrepareForShutdown,SessionRemoved},
dbus (send,receive) bus=session path=/org/gnome/SessionManager{,/**}
interface={org.freedesktop.DBus.{Properties,Introspectable},org.gnome.SessionManager},
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
peer=(name=:org.freedesktop.systemd1),
dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core
interface=org.gnome.Mutter.IdleMonitor
member=AddIdleWatch
peer=(name=:*),
dbus send bus=session path=/org/gnome/ScreenSaver
interface=org.gnome.ScreenSaver
member=GetActive
peer=(name=:*),
@{exec_path} mr,
/{usr/,}bin/{,z,ba,da}sh rix,
@ -57,6 +74,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/mkdir rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/gsettings rix,
/{usr/,}bin/gsettings-data-convert rix,
/{usr/,}bin/session-migration rix,
/{usr/,}bin/xdg-user-dirs-gtk-update rix,
@{libexec}/gnome-session-check-accelerated rix,
@ -124,22 +142,23 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/applications/mimeinfo.cache r,
owner @{user_share_dirs}/session_migration-ubuntu r,
owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl,
owner @{run}/user/@{uid}/systemd/notify w,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
@{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/systemd/sessions/* r,
@{run}/systemd/sessions/*.ref rw,
@{run}/systemd/users/@{uid} r,
owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl,
owner @{run}/user/@{uid}/systemd/notify w,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
@{sys}/devices/**/{vendor,device} r,
owner @{PROC}/@{pid}/loginuid r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/cgroup r,
@{PROC}/cmdline r,
@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/loginuid r,
/dev/tty rw,
/dev/tty[0-9]* rw,
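Review bot: `peer=(name=:org.freedesktop.systemd1),` in the first hunk's `dbus send bus=session path=/org/freedesktop/systemd1` rule has a leading colon that makes it neither a well-known name nor a unique connection name (those look like `:1.N`), so the rule matches no peer and the send is denied; presumably `peer=(name=org.freedesktop.systemd1),` was meant. That rule also has no `member=` clause, which permits every `org.freedesktop.systemd1.Manager` method on the user's systemd instance, including starting, stopping and reloading user units; narrowing it to the members gnome-session actually calls would keep the profile at least privilege. In the third hunk the `@{run}` and `@{PROC}` reorders look cosmetic, but if `@{run}/systemd/inhibit/[0-9]*.ref rw,` and the two `@{run}/systemd/sessions/` rules are new here rather than moved, write access to inhibitor and session refs deserves a one-line comment on why it is needed. The enclosing profile starts before and continues after these hunks.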


@ -150,13 +150,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm{3,}/.cache/ w,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/.config/ibus/ rw,
/var/lib/gdm{3,}/.config/ibus/bus/ rw,
/var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
/var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r,
/var/lib/gdm{3,}/.config/pulse/ r,
/var/lib/gdm{3,}/.config/pulse/client.conf r,
/var/lib/gdm{3,}/.config/pulse/cookie rwk,


@ -11,6 +11,7 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
signal (receive) set=(term, hup) peer=gdm*,
signal (receive) set=(hup) peer=gsd-print-notifications,
@ -25,8 +26,26 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) {
dbus bind bus=system
name=com.redhat.PrinterDriversInstaller,
dbus (send,receive) bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
peer=(name=:*),
dbus send bus=session path=/org/gnome/SessionManager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus receive bus=session path=/
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=:*),
@{exec_path} mr,
owner /tmp/[a-z0-9]* rw,
owner @{PROC}/@{pid}/cgroup r,
owner /dev/tty[0-9]* rw,
include if exists <local/gsd-printer>
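Review bot: The new `dbus (send,receive) bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager peer=(name=:*)` rule has no `member=` restriction, so it permits every method and signal on that interface in both directions, whereas the two rules right after it are pinned to `GetAll` and `Introspect`. If the daemon only registers itself as a session client, listing those members (or at least splitting the `send` and `receive` sides) keeps the grant as narrow as its neighbours. The profile's closing brace is outside this hunk.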


@ -41,7 +41,7 @@ profile tracker-miner @{exec_path} {
/var/lib/gdm{3,}/.cache/tracker3/tracker3/files/{,**} rwk,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
owner /var/tmp/etilqs_[0-9a-f]* rw,
owner /var/tmp/etilqs_@{hex} rw,
# Allow to search user files
owner @{HOME}/{,**} r,


@ -25,53 +25,53 @@ profile gpg-agent @{exec_path} {
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/gpg-agent.conf r,
owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw,
owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key rw,
owner @{HOME}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r,
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw,
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r,
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw,
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key rw,
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/sshcontrol r,
owner @{user_projects_dirs}/**/{.,}gnupg/ rw,
owner @{user_projects_dirs}/**/{.,}gnupg/gpg-agent.conf r,
owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,
owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key rw,
owner @{user_projects_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
owner @{user_projects_dirs}/**/{.,}gnupg/sshcontrol r,
owner @{run}/user/@{uid}/gnupg/ rw,
owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r,
owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw,
owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key rw,
owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
owner @{run}/user/@{uid}/gnupg/sshcontrol r,
owner @{user_tmp_dirs}/**/{.,}gnupg/ rw,
owner @{user_tmp_dirs}/**/{.,}gnupg/gpg-agent.conf r,
owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,
owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key rw,
owner @{user_tmp_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
owner @{user_tmp_dirs}/**/{.,}gnupg/sshcontrol r,
owner /var/lib/*/.gnupg/ rw,
owner /var/lib/*/.gnupg/private-keys-v1.d/ rw,
owner /var/lib/*/.gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
owner /var/lib/*/.gnupg/private-keys-v1.d/@{hex}.key rw,
owner /var/lib/*/.gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
owner /var/lib/*/.gnupg/sshcontrol r,
owner /var/lib/*/gnupg/ rw,
owner /var/lib/*/gnupg/private-keys-v1.d/ rw,
owner /var/lib/*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
owner /var/lib/*/gnupg/private-keys-v1.d/@{hex}.key rw,
owner /var/lib/*/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
owner /var/lib/*/gnupg/sshcontrol r,
owner /tmp/tmp.*/gnupg/ rw,
owner /tmp/tmp.*/gnupg/private-keys-v1.d/ rw,
owner /tmp/tmp.*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
owner /tmp/tmp.*/gnupg/private-keys-v1.d/@{hex}.key rw,
owner /tmp/tmp.*/gnupg/{,d.*/}S.gpg-agent rw,
owner /tmp/tmp.*/gnupg/sshcontrol r,


@ -21,9 +21,9 @@ profile gpg-connect-agent @{exec_path} {
owner @{run}/user/@{uid}/gnupg/d.*/ rw,
owner /tmp/tmp.*/.#lk0x[0-9a-f]*.*.@{pid} rw,
owner /tmp/tmp.*/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
owner /tmp/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
owner /tmp/tmp.*/.#lk0x@{hex}.*.@{pid} rw,
owner /tmp/tmp.*/.#lk0x@{hex}.*.@{pid}x rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid},
owner /tmp/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid},
include if exists <local/gpg-connect-agent>
}


@ -46,6 +46,7 @@ profile mullvad-gui @{exec_path} {
/var/lib/dbus/machine-id r,
owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk,
owner @{user_share_dirs}/gvfs-metadata/* r,
owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
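Review bot: `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,` has a typo in its character class: `A-z` (capital A to lower-case z) also spans the ASCII punctuation between `Z` and `a` (`[`, `\`, `]`, `^`, `_` and the backtick), which is wider than intended. It should read `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-Z0-9]* r,`. The rendering has lost the `+`/`-` markers, so I cannot tell whether this line is new or context, but it is worth fixing while the file is touched.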


@ -18,6 +18,8 @@ profile networkd-dispatcher @{exec_path} {
/{usr/,}bin/ r,
/{usr/,}bin/networkctl rPx,
/etc/networkd-dispatcher/{,**} r,
@{run}/systemd/notify rw,
owner @{PROC}/@{pid}/fd/ r,
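Review bot: `@{run}/systemd/notify rw,` grants read on the notify socket path, while sd_notify only needs to send to it, which AppArmor mediates as `w`; elsewhere in this same commit (gnome-shell, cupsd) the equivalent rule is `@{run}/systemd/notify w,`. Unless a denial for `r` was actually observed, prefer `@{run}/systemd/notify w,` here for consistency and least privilege.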


@ -24,11 +24,11 @@ profile bootctl @{exec_path} {
/{boot,efi}/ r,
/{boot,efi}/EFI/{,**} r,
/{boot,efi}/EFI/BOOT/.#BOOT*.EFI[0-9a-f]* rw,
/{boot,efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw,
/{boot,efi}/EFI/BOOT/BOOTX64.EFI w,
/{boot,efi}/EFI/systemd/.#systemd-boot*.efi[0-9a-f]* rw,
/{boot,efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw,
/{boot,efi}/EFI/systemd/systemd-boot*.efi w,
/{boot,efi}/loader/.#bootctlrandom-seed[0-9a-f]* rw,
/{boot,efi}/loader/.#bootctlrandom-seed@{hex} rw,
/{boot,efi}/loader/.#entries.srel* w,
/{boot,efi}/loader/{,**} r,
/{boot,efi}/loader/entries.srel w,
@ -47,7 +47,7 @@ profile bootctl @{exec_path} {
@{sys}/firmware/dmi/entries/*/raw r,
@{sys}/firmware/efi/efivars/ r,
@{sys}/firmware/efi/efivars/AuditMode-@{uuid} r,
@{sys}/firmware/efi/efivars/Boot[0-9A-F]*-@{uuid} r,
@{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r,
@{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
@{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r,


@ -26,13 +26,13 @@ profile coredumpctl @{exec_path} flags=(complain) {
owner /var/tmp/coredump-* rw,
/var/lib/systemd/coredump/core.*.[0-9]*.[0-9a-f]*.[0-9]*.[0-9]*.zst r,
/var/lib/systemd/coredump/core.*.[0-9]*.@{hex}.[0-9]*.[0-9]*.zst r,
/{run,var}/log/journal/ r,
/{run,var}/log/journal/[0-9a-f]*/ r,
/{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* r,
/{run,var}/log/journal/[0-9a-f]*/system.journal* r,
/{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r,
/{run,var}/log/journal/@{hex}/ r,
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* r,
/{run,var}/log/journal/@{hex}/system.journal* r,
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* r,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/1/cgroup r,


@ -34,12 +34,12 @@ profile journalctl @{exec_path} {
/var/lib/systemd/catalog/.#database* rw,
/{run,var}/log/journal/ r,
/{run,var}/log/journal/[0-9a-f]*/ r,
/{run,var}/log/journal/[0-9a-f]*/system.journal* r,
/{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
/{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
owner /{run,var}/log/journal/[0-9a-f]*/fss wl -> /var/log/journal/[0-9a-f]*/fss.tmp.*,
owner /{run,var}/log/journal/[0-9a-f]*/fss.tmp.* rw,
/{run,var}/log/journal/@{hex}/ r,
/{run,var}/log/journal/@{hex}/system.journal* r,
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw,
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw,
owner /{run,var}/log/journal/@{hex}/fss wl -> /var/log/journal/@{hex}/fss.tmp.*,
owner /{run,var}/log/journal/@{hex}/fss.tmp.* rw,
owner /var/tmp/#[0-9]* rw,
@{run}/host/container-manager r,


@ -42,10 +42,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected,complain) {
# To be able to read logs
@{run}/log/ r,
/{run,var}/log/journal/ r,
/{run,var}/log/journal/[0-9a-f]*/ r,
/{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* r,
/{run,var}/log/journal/[0-9a-f]*/system.journal* r,
/{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r,
/{run,var}/log/journal/@{hex}/ r,
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* r,
/{run,var}/log/journal/@{hex}/system.journal* r,
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* r,
@{run}/systemd/netif/links/[0-9]* r,
@{run}/systemd/netif/state r,


@ -26,11 +26,10 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/* r,
/{usr/,}sbin/* r,
@{libexec}/** r,
/opt/** r,
/ r,
/{usr/,}{s,}bin/* r,
/opt/** r,
/etc/systemd/coredump.conf r,
@ -38,15 +37,15 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) {
owner /var/lib/systemd/coredump/#[0-9]* rwl,
owner /var/lib/systemd/coredump/core.*.zst rwl -> /var/lib/systemd/coredump/#[0-9]*,
owner @{PROC}/@{pid}/setgroups r,
@{PROC}/@{pids}/comm r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/limits r,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/@{pids}/comm r,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/fd/ r,
@{PROC}/@{pids}/fdinfo/[0-9]* r,
@{PROC}/@{pids}/limits r,
@{PROC}/@{pids}/mountinfo r,
owner @{PROC}/@{pid}/setgroups r,
include if exists <local/systemd-coredump>
}
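Review bot: As rendered, the first hunk replaces `/{usr/,}bin/* r,`, `/{usr/,}sbin/* r,` and `@{libexec}/** r,` with `/ r,` and `/{usr/,}{s,}bin/* r,`, which drops read access to `@{libexec}` entirely; systemd-coredump reads the crashing executable when it records core metadata, so crashes in libexec helpers would now produce denials unless that path is covered elsewhere — if the drop is intentional, a short comment saying why would help. In the second hunk the additions `@{PROC}/@{pids}/environ r,` and `@{PROC}/@{pids}/fd/ r,` are the sensitive part of this profile, since environment blocks of arbitrary processes routinely carry credentials; a comment such as `# environ/fd of the crashing process are captured into the core metadata` next to them documents why the `@{pids}`-wide grant is accepted.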


@ -26,8 +26,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
peer=(name=org.freedesktop.PolicyKit1),
dbus receive bus=system path=/org/freedesktop/hostname[0-9]
interface=org.freedesktop.DBus.Properties
member={Get,GetAll,SetHostname},
interface=org.freedesktop.{DBus.Properties,hostname1}
member={Get,GetAll,SetHostname}
peer=(name=:*),
dbus bind bus=system
name=org.freedesktop.hostname[0-9],
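Review bot: The new `interface=org.freedesktop.{DBus.Properties,hostname1}` combined with `member={Get,GetAll,SetHostname}` is a cross product: it also allows `SetHostname` on the Properties interface and `Get`/`GetAll` on hostname1, harmless but not what the rule reads as; two rules, one per interface with its own member list, would be clearer. More importantly, hostname1 exposes further setters (`SetStaticHostname`, `SetPrettyHostname` and the chassis/icon/deployment/location ones) that `hostnamectl set-hostname` invokes alongside `SetHostname`; with only `SetHostname` listed those calls would be denied and logged, so either add them or comment why they are deliberately excluded. The profile continues outside this hunk.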


@ -30,11 +30,11 @@ profile systemd-journald @{exec_path} {
@{run}/log/ rw,
/{run,var}/log/journal/ rw,
/{run,var}/log/journal/[0-9a-f]*/ rw,
/{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
/{run,var}/log/journal/[0-9a-f]*/system.journal* rw,
/{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
/{run,var}/log/journal/[0-9a-f]*/fss rw,
/{run,var}/log/journal/@{hex}/ rw,
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw,
/{run,var}/log/journal/@{hex}/system.journal* rw,
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw,
/{run,var}/log/journal/@{hex}/fss rw,
owner @{run}/systemd/journal/{,**} rw,
owner @{run}/systemd/notify rw,


@ -39,6 +39,11 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
interface=org.freedesktop.DBus.Properties
member=Get,
dbus send bus=system path=/org/freedesktop/network[0-9]/link/*
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=org.freedesktop.DBus),
dbus bind bus=system
name=org.freedesktop.network1,
@ -55,6 +60,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
@{run}/systemd/network/ r,
@{run}/systemd/network/*.network r,
@{run}/systemd/notify rw,
owner @{run}/systemd/netif/.#state rw,
owner @{run}/systemd/netif/.#state* rw,
owner @{run}/systemd/netif/leases/.#* rw,


@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-timesyncd
profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
include <abstractions/systemd-common>
@ -20,6 +21,9 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
network inet stream,
network inet6 stream,
dbus bind bus=system
name=org.freedesktop.timesync1,
@{exec_path} mr,
/etc/adjtime r,
@ -34,19 +38,5 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/netif/state r,
@{run}/systemd/notify rw,
# dbus-stricter
@{run}/dbus/system_bus_socket rw,
dbus send
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,RequestName}
peer=(name=org.freedesktop.DBus),
dbus bind
bus=system
name=org.freedesktop.timesync1,
include if exists <local/systemd-timesyncd>
}
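Review bot: The third hunk swaps the inline `dbus send ... member={Hello,RequestName} peer=(name=org.freedesktop.DBus)` block for `include <abstractions/dbus-strict>`, and the new `dbus bind bus=system name=org.freedesktop.timesync1,` depends on that abstraction still granting `RequestName`; since its contents are not in this diff, that is worth checking against the shipped abstraction. There is also no visible `dbus receive` rule for the `/org/freedesktop/timesync1` object, so property reads by clients such as `timedatectl` would be denied unless a rule exists elsewhere in the profile; if it does, a short comment pointing to it would help the next reader.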


@ -14,7 +14,7 @@ profile update-motd-fsck-at-reboot @{exec_path} {
/{usr/,}{s,}bin/dumpe2fs rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,}awk rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/date rix,
@ -37,6 +37,7 @@ profile update-motd-fsck-at-reboot @{exec_path} {
@{sys}/devices/virtual/block/**/ r,
@{sys}/devices/virtual/block/**/autoclear r,
@{sys}/devices/virtual/block/**/backing_file r,
@{sys}/devices/virtual/block/dm-[0-9]*/dm/name r,
@{PROC}/@{pid}/mountinfo r,


@ -31,12 +31,12 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
network inet6 stream,
network netlink raw,
mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/@{hex}/shm/,
mount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
mount -> /tmp/ctd-volume[0-9]*/,
mount options in (rw, bind, nosuid, nodev, noexec) -> @{run}/netns/cni-@{uuid},
umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/@{hex}/shm/,
umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
umount /tmp/ctd-volume[0-9]*/,
umount @{run}/netns/cni-@{uuid},


@ -22,8 +22,8 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
ptrace (read) peer=containerd,
ptrace (read) peer=unconfined,
mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/rootfs/,
umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/rootfs/,
mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
@{exec_path} mrix,
@ -34,12 +34,12 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
/tmp/pty[0-9]*/pty.sock rw,
@{run}/containerd/{,containerd.sock.ttrpc} rw,
@{run}/containerd/io.containerd.grpc.v1.cri/containers/[0-9a-f]*/io/[0-9]*/[0-9a-f]*-{stdin,stdout,stderr} rw,
@{run}/containerd/io.containerd.runtime.v2.task/{moby,k8s.io}/[0-9a-f]*/{,*} rw,
@{run}/containerd/s/{,[0-9a-f]*} rw,
@{run}/containerd/io.containerd.grpc.v1.cri/containers/@{hex}/io/[0-9]*/@{hex}-{stdin,stdout,stderr} rw,
@{run}/containerd/io.containerd.runtime.v2.task/{moby,k8s.io}/@{hex}/{,*} rw,
@{run}/containerd/s/{,@{hex}} rw,
@{run}/docker/containerd/[0-9a-f]*/[0-9a-f]*-{stdin,stdout,stderr} rw,
@{run}/docker/containerd/[0-9a-f]*/init-{stdin,stdout,stderr} rw,
@{run}/docker/containerd/@{hex}/@{hex}-{stdin,stdout,stderr} rw,
@{run}/docker/containerd/@{hex}/init-{stdin,stdout,stderr} rw,
@{run}/docker/containerd/daemon/io.containerd.*/{,**} rw,
@{run}/secrets/kubernetes.io/serviceaccount/*/token w,


@ -61,7 +61,7 @@ profile k3s @{exec_path} {
/{usr/,}{s,}bin/xtables-nft-multi rPx -> cni-xtables-nft,
@{libexec}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
/var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix,
/var/lib/rancher/k3s/data/@{hex}/bin/* rix,
@{libexec}/kubernetes/kubelet-plugins/volume/exec/{,**} r,
/usr/share/mime/globs2 r,
@ -145,7 +145,7 @@ profile k3s @{exec_path} {
@{sys}/devices/virtual/block/*/** r,
@{sys}/devices/virtual/dmi/id/* r,
@{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r,
@{sys}/devices/virtual/net/cali@{hex}/{address,mtu,speed} r,
@{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r,
@{sys}/fs/cgroup/{,*,*/} r,


@ -1,21 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) Libvirt Team
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# This profile is for the container whose UUID matches this file.
abi <abi/3.0>,
include <tunables/global>
profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/libvirt-lxc>
# Globally allows everything to run under this profile
# These can be narrowed depending on the container's use.
file,
capability,
network,
}


@ -1,17 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) Libvirt Team
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# This profile is for the VM whose UUID matches this file.
abi <abi/3.0>,
include <tunables/global>
profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/libvirt-qemu>
}


@ -0,0 +1,68 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) Libvirt Team
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/libvirt/virt-aa-helper
profile virt-aa-helper @{exec_path} {
include <abstractions/base>
include <abstractions/openssl>
capability dac_override,
capability dac_read_search,
network inet,
network inet6,
@{exec_path} mr,
/{usr/,}{s,}bin/apparmor_parser rPx,
/etc/apparmor.d/libvirt/* r,
/etc/apparmor.d/libvirt/libvirt-@{uuid} rw,
/etc/libnl{,-3}/classid r, # Allow reading libnl's classid file
# System VM images
/var/lib/libvirt/images/{,**} r,
/var/lib/nova/instances/_base/* r,
# User VM images
@{user_share_dirs}/ r,
@{user_share_dirs}/libvirt/{,**} r,
@{user_vm_dirs}/{,**} r,
# For virt-sandbox
@{run}/libvirt/**/[sv]d[a-z] r,
@{sys}/bus/usb/devices/ r,
@{sys}/devices/ r,
@{sys}/devices/** r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/net/psched r,
@{PROC}/filesystems r,
deny @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/status r,
# For gl enabled graphics
/dev/dri/{,*} r,
# For hostdev
deny /dev/dasd* r,
deny /dev/dm-* r,
deny /dev/drbd[0-9]* r,
deny /dev/mapper/ r,
deny /dev/mapper/* r,
deny /dev/nvme* r,
deny /dev/sd* r,
deny /dev/vd* r,
deny /dev/zd[0-9]* r,
include if exists <usr/virt-aa-helper.d>
include if exists <local/virt-aa-helper>
}
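Review bot: `/etc/apparmor.d/libvirt/libvirt-@{uuid} rw,` together with `/{usr/,}{s,}bin/apparmor_parser rPx,` is the trust boundary of this profile — the helper may write per-guest policy and have it loaded — so a comment on those two lines stating that only the `libvirt-@{uuid}` naming is accepted, and that the `Px` transition requires an `apparmor_parser` profile to be present (the exec is refused otherwise), would make the intent reviewable. `network inet,` and `network inet6,` are granted without a socket type; if the helper only needs name resolution, typed rules or the `nameservice-strict` abstraction used by the other new profiles would be narrower. `@{sys}/devices/** r,` is also very broad for a profile that otherwise lists specific paths; a comment on why it is needed would help.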


@ -29,9 +29,9 @@ profile aa-log @{exec_path} {
/etc/machine-id r,
/{run,var}/log/journal/ r,
/{run,var}/log/journal/[0-9a-f]*/ r,
/{run,var}/log/journal/[0-9a-f]*/user-@{uid}*.journal* r,
/{run,var}/log/journal/[0-9a-f]*/user-@{uid}.journal r,
/{run,var}/log/journal/@{hex}/ r,
/{run,var}/log/journal/@{hex}/user-@{uid}*.journal* r,
/{run,var}/log/journal/@{hex}/user-@{uid}.journal r,
@{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sys/kernel/cap_last_cap r,


@ -55,9 +55,9 @@ profile anki @{exec_path} {
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
/usr/share/anki/{,**} r,


@ -43,8 +43,8 @@ profile claws-mail @{exec_path} flags=(complain) {
owner @{HOME}/.claws-mail/** rwl -> @{HOME}/.claws-mail/**,
owner /tmp/claws-mail-[0-9]*/ rw,
owner /tmp/claws-mail-[0-9]*/[0-9a-f]* rw,
owner /tmp/claws-mail-[0-9]*/[0-9a-f]*.lock rwk,
owner /tmp/claws-mail-[0-9]*/@{hex} rw,
owner /tmp/claws-mail-[0-9]*/@{hex}.lock rwk,
owner /var/mail/* rwk,


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/beh
profile cups-backend-beh @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-beh>
}
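Review bot: The `beh` backend is a wrapper that re-runs the real backend named in its device URI, but this profile only allows `@{exec_path} mr,` and `/etc/papersize r,` — there is no exec rule for the wrapped backend, so that exec would be denied once the profile is enforced. If beh behaves that way on this distribution, `/{usr/,}lib/cups/backend/* rPx,` (the same transition cupsd uses in this commit) is the missing line; if beh is not expected to be used, a comment saying the profile is a deliberate stub avoids the question.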


@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/cups-brf
profile cups-backend-brf @{exec_path} {
include <abstractions/base>
capability setuid,
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-brf>
}


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/dnssd
profile cups-backend-dnssd @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-dnssd>
}
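Review bot: The dnssd backend discovers printers over mDNS/DNS-SD, yet the profile has no `network` or D-Bus rule at all; the cups-browsed profile in this same commit shows the Avahi D-Bus rules and `network inet dgram,` such discovery needs. Unless this backend is built without Avahi support here, it will be denied on first use, so either add the rules a test run shows or comment that the stub is intentional. The implicitclass backend below, which presumably also has to talk to cups-browsed, gets the same bare `/etc/papersize r,` profile and deserves the same check.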


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/implicitclass
profile cups-backend-implicitclass @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-implicitclass>
}


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/ipp
profile cups-backend-ipp @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-ipp>
}
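Review bot: The ipp backend sends jobs to printers over TCP, but the profile grants no `network inet stream,`/`network inet6 stream,` and no name-resolution abstraction, so any job to a network printer will be denied; the lpd and socket backends below are TCP backends too and have the same gap. Add the socket rules (and `include <abstractions/nameservice-strict>` as cupsd and cups-browsed do in this commit) or mark these profiles as stubs awaiting profiling.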


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/lpd
profile cups-backend-lpd @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-lpd>
}


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/parallel
profile cups-backend-parallel @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-parallel>
}
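Review bot: The parallel backend writes to the printer port device node, but the profile only allows its own binary and `/etc/papersize r,`; there is no `/dev/...` rule (presumably something like `/dev/lp[0-9]* rw,` is what a test run would show), so opening the port will be denied. The serial backend below has the same gap for its tty device. Both need the device rule added after observing the denial, or a comment marking them as stubs.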


@ -0,0 +1,46 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/cups-pdf
profile cups-backend-pdf @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
capability chown,
capability setgid,
capability setuid,
capability dac_override,
unix peer=(label=cupsd),
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/gs rix,
/{usr/,}bin/gsc rix,
/{usr/,}lib/ghostscript/** mr,
/usr/share/ghostscript/{,**} r,
/etc/papersize r,
/etc/cups/ r,
/etc/cups/cups-pdf.conf r,
/etc/cups/ppd/*.ppd r,
/var/log/cups/cups-pdf*_log w,
/var/spool/cups-pdf/{,**} rw,
/var/spool/cups/** r,
/var/tmp/gs_* rw,
/dev/tty rw,
include if exists <local/cups-backend-pdf>
}
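Review bot: `/{usr/,}bin/gs rix,` and `/{usr/,}bin/gsc rix,` run Ghostscript inherited, so the interpreter processes untrusted PostScript from the spool with this profile's `capability chown,` `setgid,` `setuid,` `dac_override,` and write access to `/var/spool/cups-pdf/{,**}` and the user download directories; a child profile (`rCx -> ghostscript` with its own narrow rules) or a transition to a dedicated profile would contain the most exposed component, and `/var/tmp/gs_* rw,` and the ghostscript library rules would move with it. The `unix peer=(label=cupsd),` rule is a good restriction; a one-line comment on what that socket carries would help the next reader.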


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/serial
profile cups-backend-serial @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-serial>
}


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/snmp
profile cups-backend-snmp @{exec_path} {
include <abstractions/base>
network inet dgram,
network inet6 dgram,
network netlink raw,
@{exec_path} mr,
/etc/cups/snmp.conf r,
/etc/papersize r,
include if exists <local/cups-backend-snmp>
}


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/socket
profile cups-backend-socket @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-socket>
}


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/usb
profile cups-backend-usb @{exec_path} {
include <abstractions/base>
include <abstractions/devices-usb>
network netlink raw,
@{exec_path} mr,
/usr/share/cups/usb/{,**} r,
/etc/cups/ppd/*.ppd r,
/etc/papersize r,
include if exists <local/cups-backend-usb>
}


@ -0,0 +1,69 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/cups-browsed
profile cups-browsed @{exec_path} {
include <abstractions/base>
include <abstractions/cups-client>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
include <abstractions/p11-kit>
capability net_bind_service,
capability sys_nice,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
dbus send bus=system path=/
interface=org.freedesktop.Avahi.Server
member={GetAPIVersion,GetState,ServiceBrowserNew},
dbus send bus=system path=/
interface=org.freedesktop.DBus.Peer
member=Ping
peer=(name=org.freedesktop.Avahi),
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
interface=org.freedesktop.Avahi.ServiceBrowser
member=Free
peer=(name=org.freedesktop.Avahi),
dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
interface=org.freedesktop.Avahi.ServiceBrowser
member={AllForNow,CacheExhausted},
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.{DBus.Properties,NetworkManager}
member={CheckPermissions,PropertiesChanged,StateChanged,DeviceAdded},
dbus receive bus=system path=/
interface=org.freedesktop.Avahi.Server
member=StateChanged,
@{exec_path} mr,
/usr/share/cups/locale/{,**} r,
/usr/share/locale/{,**} r,
/etc/cups/{,**} r,
/var/cache/cups/{,**} rw,
/var/log/cups/{,**} rw,
@{run}/cups/certs/* r,
include if exists <local/cups-browsed>
}
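Review bot: Two of the new D-Bus rules are unrestricted on the peer: `dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server member={GetAPIVersion,GetState,ServiceBrowserNew},` and the `/org/freedesktop/NetworkManager ... member=GetAll,` rule omit `peer=`, while the sibling Avahi rules pin `peer=(name=org.freedesktop.Avahi)`. Adding `peer=(name=org.freedesktop.Avahi)` and `peer=(name=org.freedesktop.NetworkManager)` respectively keeps the set consistent and stops the rules from matching any other service that happens to export those interfaces at `/`.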


@ -0,0 +1,35 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups-pk-helper-mechanism
@{exec_path} += /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism
@{exec_path} += /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism
profile cups-pk-helper-mechanism @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
capability dac_read_search,
capability sys_nice,
dbus receive bus=system path=/
interface=org.opensuse.CupsPkHelper.Mechanism,
dbus bind bus=system
name=org.opensuse.CupsPkHelper.Mechanism,
@{exec_path} mr,
/etc/cups/ppd/*.ppd r,
owner /tmp/[a-z0-9]* rw,
@{run}/cups/cups.sock rw,
include if exists <local/cups-pk-helper-mechanism>
}
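Review bot: This mechanism authorises its callers through polkit, but no `dbus send ... peer=(name=org.freedesktop.PolicyKit1)` rule is visible here, whereas the systemd-hostnamed section in this same commit carries that peer explicitly; unless `abstractions/dbus-strict` covers it, every `CheckAuthorization` call is denied and the helper fails closed. `dbus receive bus=system path=/ interface=org.opensuse.CupsPkHelper.Mechanism,` without `member=` is acceptable for a polkit-gated service, but a comment stating that authorisation happens in polkit rather than in this rule would make that explicit. `owner /tmp/[a-z0-9]* rw,` is broad for a system daemon; if it is for PPD temp files, narrowing it or commenting the reason would help.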


@ -0,0 +1,90 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/cupsd
profile cupsd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/authentication>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/python>
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability kill,
capability net_admin,
capability net_bind_service,
capability setgid,
capability setuid,
capability wake_alarm,
network inet stream,
network inet6 stream,
network appletalk dgram,
network ash dgram,
network ax25 dgram,
network bluetooth,
network econet dgram,
network ipx dgram,
network netrom seqpacket,
network rose dgram,
network x25 seqpacket,
dbus send bus=system path=/org/freedesktop/ColorManager{,/devices/cups_*}
interface=org.freedesktop.ColorManager{,.*}
member={CreateProfile,CreateDevice,FindDeviceById,AddProfile}
peer=(name=org.freedesktop.ColorManager),
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gsc rix,
/{usr/,}bin/hostname rix,
/{usr/,}bin/ippfind rix,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}bin/smbspool rPx,
/{usr/,}bin/xz rix,
/{usr/,}lib/cups/backend/* rPx,
/{usr/,}lib/cups/cgi-bin/*.cgi rix,
/{usr/,}lib/cups/daemon/* rix,
/{usr/,}lib/cups/driver/* rix,
/{usr/,}lib/cups/filter/* rix,
/{usr/,}lib/cups/monitor/* rix,
/{usr/,}lib/cups/notifier/* rix,
/usr/share/cups/{,**} r,
/usr/share/ppd/{,**} r,
/usr/share/ghostscript/{,**} r,
/etc/cups/{,**} rw,
/etc/foomatic/* r,
/etc/papersize r,
/etc/pnm2ppa.conf r,
/etc/printcap rwl,
/var/cache/cups/ rw,
/var/cache/cups/** rwk,
/var/log/cups/{,*} rw,
/var/spool/cups/{,**} rw,
@{run}/cups/{,**} rw,
@{run}/systemd/notify w,
@{sys}/module/apparmor/parameters/enabled r,
@{PROC}/@{pids}/fd r,
owner @{PROC}/@{pid}/mounts r,
/dev/tty rw,
include if exists <local/cupsd>
}
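Review bot: This is the only new profile in the commit without `abi <abi/3.0>,` before `include <tunables/global>` (compare cups-browsed, cups-pk-helper-mechanism and every cups-backend-* file); without it the parser falls back to its default ABI and, depending on that default, rules for newer mediation classes such as `dbus` and `network` may be silently downgraded, so add the line. `/{usr/,}lib/cups/filter/* rix,` (and the `driver`, `monitor`, `notifier` and `cgi-bin` lines) run job-parsing filters inherited, with cupsd's `capability net_admin,` `setuid,` `dac_override,` and `rw` on `/etc/cups/{,**}`; filters are the component that handles untrusted job data, so a `rCx` child profile or a `rPx` transition, as already done for `/{usr/,}lib/cups/backend/* rPx,`, would contain them. The `network appletalk dgram,` through `network x25 seqpacket,` rules deserve a comment on where they come from and why they are kept.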


@ -49,10 +49,10 @@ profile deltachat-desktop @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner /tmp/[0-9a-f]*/ rw,
owner /tmp/[0-9a-f]*/db.sqlite-blobs/ rw,
owner /tmp/[0-9a-f]*/db.sqlite rwk,
owner /tmp/[0-9a-f]*/db.sqlite-journal rw,
owner /tmp/@{hex}/ rw,
owner /tmp/@{hex}/db.sqlite-blobs/ rw,
owner /tmp/@{hex}/db.sqlite rwk,
owner /tmp/@{hex}/db.sqlite-journal rw,
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r,


@ -14,88 +14,60 @@ profile dhclient-script @{exec_path} {
include <abstractions/openssl>
include <abstractions/ssl_certs>
capability net_admin,
capability sys_admin,
# Needed?
audit deny capability sys_module,
audit capability sys_module,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh mrix,
/{usr/,}{s,}bin/ddclient rPx,
/{usr/,}{s,}bin/sysctl rix,
/{usr/,}bin/{,ba,da}sh mrix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/chown rix,
/{usr/,}bin/chronyc rPUx,
/{usr/,}bin/date rix,
/{usr/,}bin/fold rix,
/{usr/,}bin/head rix,
/{usr/,}bin/hostname rix,
/{usr/,}bin/ip rix,
/{usr/,}bin/logger rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/paste rix,
/{usr/,}bin/ping rPx,
/{usr/,}bin/printenv rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/run-parts rCx -> run-parts,
/{usr/,}bin/sed rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/xxd rix,
/{usr/,}sbin/resolvconf rPx,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/ping rPx,
/{usr/,}bin/chronyc rPUx,
/{usr/,}bin/run-parts rCx -> run-parts,
/{usr/,}sbin/resolvconf rPx,
# To remove the following error:
# /sbin/dhclient-script: 133: hostname: Permission denied
/{usr/,}bin/hostname rix,
# To read scripts
/etc/dhcp/ r,
/etc/dhcp/dhclient-{enter,exit}-hooks.d/{,*} r,
# For debug script
/{usr/,}bin/date rix,
/etc/dhcp/debug r,
owner /tmp/dhclient-script.debug rw,
# For ddclient script
/{usr/,}{s,}bin/ddclient rPx,
/etc/default/ddclient r,
/{usr/,}bin/logger rix,
# For samba script
/{usr/,}bin/mv rix,
/etc/samba/dhcp.conf{,.new} rw,
# For netbios name servers settings from a DHCP server
/var/lib/samba/dhcp.conf{,.new} rw,
# Many scripts may use the ip tool
capability net_admin,
/{usr/,}bin/ip rix,
# For loadbalance
/etc/default/ddclient r,
/etc/dhcp/{,**} r,
/etc/fstab r,
/etc/iproute2/rt_tables r,
/etc/iproute2/rt_tables.d/{,*} r,
owner @{PROC}/@{pid}/loginuid r,
# For updating the /etc/resolv.conf file
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/chown rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/sed rix,
/etc/fstab r,
/etc/resolv.conf.dhclient-new.@{pid} rw,
/etc/resolv.conf rw,
/etc/resolv.conf.dhclient-new.@{pid} rw,
/etc/samba/dhcp.conf{,.new} rw,
# For stable-privacy addresses
/{usr/,}{s,}bin/sysctl rix,
/{usr/,}bin/head rix,
/{usr/,}bin/xxd rix,
/{usr/,}bin/paste rix,
/{usr/,}bin/fold rix,
/{usr/,}bin/tr rix,
@{PROC}/sys/net/ipv6/conf/*/stable_secret w,
/var/lib/dhcp/dhclient.leases r,
/var/lib/samba/dhcp.conf{,.new} rw,
# For printing env
/{usr/,}bin/printenv rix,
owner /tmp/dhclient-script.debug rw,
owner /tmp/variables.txt w,
# For ntpd/ntpsec
@{run}/chrony-dhcp/ rw,
@{run}/systemd/netif/leases/ r,
# For chrony
@{run}/chrony-dhcp/ rw,
# file_inherit
/var/lib/dhcp/dhclient.leases r,
@{sys}/devices/virtual/dmi/id/board_vendor r,
owner @{PROC}/@{pid}/loginuid r,
@{PROC}/sys/net/ipv6/conf/*/stable_secret w,
profile run-parts {
include <abstractions/base>


@ -0,0 +1,26 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/losetup
profile losetup @{exec_path} {
include <abstractions/base>
capability dac_override,
capability dac_read_search,
unix (receive) type=stream,
@{exec_path} mr,
@{sys}/devices/system/cpu/possible r,
/dev/loop-control rw,
/dev/loop[0-9]* rw,
include if exists <local/losetup>
}
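Review bot: The two `capability dac_override,` / `capability dac_read_search,` lines carry no comment saying which losetup operation needs them, and since the rest of the profile only allows `@{exec_path}`, the loop devices and one sysfs node, a reader cannot tell what DAC check is being bypassed (presumably opening a backing file not readable by the caller — confirm). A why-comment above them, e.g. `# Needed to open the backing file on behalf of the caller - confirm which of the two is really required`, would record the intent and make it possible to drop `dac_override` later if `dac_read_search` alone proves sufficient. The `unix (receive) type=stream,` rule is likewise unexplained and has no `peer=` qualifier, so a one-line comment naming the expected sender would help too.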


@ -11,9 +11,9 @@ include <tunables/global>
@{exec_path} += /{usr/,}bin/git-*
@{exec_path} += /{usr/,}lib/git-core/git
@{exec_path} += /{usr/,}lib/git-core/git-*
@{exec_path} += /usr/libexec/git-core/git
@{exec_path} += /usr/libexec/git-core/git-*
@{exec_path} += /usr/libexec/git-core/mergetools/*
@{exec_path} += @{libexec}/git-core/git
@{exec_path} += @{libexec}/git-core/git-*
@{exec_path} += @{libexec}/git-core/mergetools/*
profile git @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -167,8 +167,9 @@ profile git @{exec_path} {
/etc/vimrc r,
/etc/vim/{,**} r,
owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw,
owner @{user_projects_dirs}/**/ r,
owner @{user_projects_dirs}/**/.git/[0-9]* rw,
owner @{user_projects_dirs}/**/.git/*MSG rw,
owner @{HOME}/.fzf/plugin/ r,
owner @{HOME}/.fzf/plugin/fzf.vim r,
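Review bot: The new `owner @{user_projects_dirs}/**/.git/[0-9]* rw,` rule has no comment explaining which git operation creates digit-named entries directly under `.git/`, and because `*` is unbounded it grants write on anything in that directory whose name merely starts with a digit. A short why-comment naming the command that was observed producing these files (the old rule was specific to `COMMIT_EDITMSG`, so this is a clear widening) would keep the next maintainer from either dropping or further broadening it; `*MSG` needs no comment since COMMIT_EDITMSG, MERGE_MSG, SQUASH_MSG and TAG_EDITMSG are well known. The first hunk's `@{libexec}` substitution relies on that variable being defined in the included tunables, which this diff does not show, and the `profile git` block extends beyond both hunks.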


@ -40,7 +40,7 @@ profile gpo @{exec_path} {
/etc/inputrc r,
owner /var/tmp/etilqs_[0-9a-f]* rw,
owner /var/tmp/etilqs_@{hex} rw,
include if exists <local/gpo>
}
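Review bot: `owner /var/tmp/etilqs_@{hex} rw,` now depends on `@{hex}` being defined by the tunables that `<tunables/global>` pulls in, and that definition is not in this diff, so a reader cannot see whether it is equivalent to the old `[0-9a-f]*` (one hex character followed by anything), a fixed-length hex string, or one that also accepts upper-case digits. If it is stricter than `[0-9a-f]*`, names that used to match (SQLite `etilqs_` temporaries here, Qt shader-cache entries, journal directory IDs, `/tmp/` files in qpdfview) may start being denied; if it is the same loose form, `owner /tmp/@{hex} rw,` in qpdfview is still effectively "any `/tmp` entry whose name starts with a hex character", which the variable name hides. A one-line comment where `@{hex}` is defined, or a sentence in the commit description stating its expansion, would settle this; the same point applies to the gpodder, gsmartcontrol, hw-probe, jdownloader, jdownloader-install, kscreenlocker-greet, linssid, lxappearance, minitube, mkvtoolnix-gui, openbox, psi, psi-plus, qbittorrent, qnapi, qpdfview and qtox sections, and the `profile gpo` block begins before this hunk.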


@ -46,7 +46,7 @@ profile gpodder @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner /var/tmp/etilqs_[0-9a-f]* rw,
owner /var/tmp/etilqs_@{hex} rw,
/etc/mime.types r,


@ -76,7 +76,7 @@ profile gsmartcontrol @{exec_path} {
/{usr/,}bin/dbus-daemon rPUx,
# for dbus-launch
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
@{HOME}/.Xauthority r,
}


@ -132,10 +132,10 @@ profile hw-probe @{exec_path} {
@{run}/log/ rw,
/{run,var}/log/journal/ rw,
/{run,var}/log/journal/[0-9a-f]*/ rw,
/{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
/{run,var}/log/journal/[0-9a-f]*/system.journal* rw,
/{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
/{run,var}/log/journal/@{hex}/ rw,
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw,
/{run,var}/log/journal/@{hex}/system.journal* rw,
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw,
owner @{PROC}/@{pid}/stat r,


@ -51,7 +51,7 @@ profile jdownloader @{exec_path} {
owner @{JD_INSTALLDIR}/tmp/jna/jna[0-9]*.tmp mrw,
owner @{JD_INSTALLDIR}/tmp/7zip/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw,
owner @{HOME}/.oracle_jre_usage/[0-9a-f]*.timestamp rw,
owner @{HOME}/.oracle_jre_usage/@{hex}.timestamp rw,
owner @{HOME}/.java/.userPrefs/.user.lock.* rwk,
owner @{HOME}/.java/.userPrefs/com/install4j/installations/prefs.xml rw,
owner @{HOME}/.java/fonts/[0-9]*/ rw,


@ -48,7 +48,7 @@ profile jdownloader-install @{exec_path} {
owner @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh.[0-9]*.dir/jre/lib/*/*.so mrw,
owner @{JD_SH_PATH}/install4jError[0-9]*.log rw,
owner @{HOME}/.oracle_jre_usage/[0-9a-f]*.timestamp rw,
owner @{HOME}/.oracle_jre_usage/@{hex}.timestamp rw,
owner @{HOME}/.java/.userPrefs/.user.lock.* rwk,
owner @{HOME}/.java/fonts/[0-9]*/fcinfo*.tmp rw,
owner @{HOME}/.java/fonts/[0-9]*/fcinfo-*.properties rw,


@ -43,9 +43,9 @@ profile kscreenlocker-greet @{exec_path} {
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/plasma-svgelements-default_v* r,


@ -103,7 +103,7 @@ profile linssid @{exec_path} {
/{usr/,}bin/dbus-daemon rPUx,
# for dbus-launch
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
@{HOME}/.Xauthority r,
}


@ -59,7 +59,7 @@ profile lxappearance @{exec_path} {
/{usr/,}bin/dbus-daemon rPUx,
# for dbus-launch
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
@{HOME}/.Xauthority r,
}


@ -60,9 +60,9 @@ profile minitube @{exec_path} {
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,


@ -80,7 +80,7 @@ profile mkvtoolnix-gui @{exec_path} {
owner @{user_cache_dirs}/bunkus.org/ rw,
owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/ rw,
owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/ rw,
owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/[0-9a-f]* rw,
owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/@{hex} rw,
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,


@ -38,6 +38,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
/{usr/,}lib/needrestart/iucode-scan-versions rPx,
/usr/share/debconf/frontend rix,
/{usr/,}bin/networkd-dispatcher r,
/{usr/,}bin/gettext.sh r,
/usr/share/needrestart/{,**} r,
/usr/share/unattended-upgrades/unattended-upgrade-shutdown r,
@ -47,15 +48,18 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
/etc/needrestart/*.d/* rix,
/etc/shadow r,
/boot/ r,
/boot/vmlinuz* r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/ r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/maps r,
@{PROC}/@{pids}/stat r,
owner @{PROC}/@{pid}/fd/ r,
/dev/ r,
/dev/**/ r,
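Review bot: The added `owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,` grants read, write and lock on debconf's `passwords.dat`, the database where maintainer scripts keep configured secrets, and nothing in the hunk records why needrestart needs it. It looks like a consequence of `/usr/share/debconf/frontend rix,` in the first hunk — the frontend runs under needrestart's own confinement, so its database accesses land in this profile — and a comment such as `# debconf frontend runs inline (rix) and opens its databases` above the rule would make that visible. If the frontend only reads `passwords.dat` the `w` could be dropped for that file by splitting the rule, which is worth confirming with a complain-mode run before merging. The same hunk also adds `@{PROC}/ r,` without a comment, and the `profile needrestart` block continues outside both hunks.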


@ -10,6 +10,7 @@ include <tunables/global>
profile needrestart-apt-pinvoke @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-strict>
@{exec_path} mr,


@ -35,7 +35,7 @@ profile openbox @{exec_path} {
owner @{user_config_dirs}/openbox/ r,
owner @{user_config_dirs}/openbox/* r,
owner @{user_config_dirs}/obmenu-generator/icons/[0-9a-f]*.png r,
owner @{user_config_dirs}/obmenu-generator/icons/@{hex}.png r,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/openbox/ rw,


@ -82,7 +82,7 @@ profile psi @{exec_path} {
/etc/fstab r,
owner /var/tmp/etilqs_[0-9a-f]* rw,
owner /var/tmp/etilqs_@{hex} rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/Psi.* rwl -> /tmp/#[0-9]*[0-9],


@ -82,7 +82,7 @@ profile psi-plus @{exec_path} {
/etc/fstab r,
owner /var/tmp/etilqs_[0-9a-f]* rw,
owner /var/tmp/etilqs_@{hex} rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/Psi+.* rwl -> /tmp/#[0-9]*[0-9],


@ -235,7 +235,7 @@ profile qbittorrent @{exec_path} {
# file_inherit
owner @{MOUNTS}/torrent/** r,
owner @{MOUNTS}/torrent/**.[0-9a-f]*.parts rw,
owner @{MOUNTS}/torrent/**.@{hex}.parts rw,
owner "@{MOUNTS}/torrent/**.!qB" rw,
owner @{HOME}/.xsession-errors w,


@ -109,7 +109,7 @@ profile qnapi @{exec_path} {
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/QNapi.[0-9]*.tmp.@{qnapi_txt_ext} rw,
owner /tmp/QNapi.[0-9]*.tmp.@{qnapi_txt_ext} rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/[0-9a-f]*.@{qnapi_txt_ext} rw,
owner /tmp/@{hex}.@{qnapi_txt_ext} rw,
owner /tmp/*.@{qnapi_txt_ext} rw,
/var/lib/dbus/machine-id r,


@ -75,7 +75,7 @@ profile qpdfview @{exec_path} {
/usr/share/hwdata/pnp.ids r,
# Print
owner /tmp/[0-9a-f]* rw,
owner /tmp/@{hex} rw,
# Save as
owner /tmp/#[0-9]*[0-9] rw,


@ -60,7 +60,7 @@ profile qtox @{exec_path} {
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner /tmp/qipc_{systemsem,sharedmemory}_*[0-9a-f]* rw,
owner /tmp/qipc_{systemsem,sharedmemory}_*@{hex} rw,
@{sys}/devices/system/node/ r, # for ld-linux-x86-64.so -> libnuma1.so
@{sys}/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so
