felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): small general improvments.

Browse source
This commit is contained in:
Alexandre Pujol 2025-04-26 17:34:30 +02:00
parent dca81f4a1e
commit 5bfebf6ea5
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
5 changed files with 20 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/groups/flatpak/flatpak
View file

@ -99,6 +99,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
owner /dev/shm/flatpak*/{,**} rw, owner /dev/shm/flatpak*/{,**} rw,
@{run}/.userns r, @{run}/.userns r,
@{att}/@{run}/.userns r,
@{run}/user/@{uid}/.dbus-proxy/ w, @{run}/user/@{uid}/.dbus-proxy/ w,
@{run}/user/@{uid}/dconf/user rw, @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/.dbus-proxy/* rw, owner @{run}/user/@{uid}/.dbus-proxy/* rw,
@ -146,6 +148,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
include <abstractions/base> include <abstractions/base>
include <abstractions/app/fusermount> include <abstractions/app/fusermount>
capability setuid,
mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
umount /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/,

8
apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
View file

@ -10,10 +10,12 @@ include <tunables/global>
@{exec_path} += @{lib}/@{multiarch}/{,libexec/}xdg-desktop-portal-kde @{exec_path} += @{lib}/@{multiarch}/{,libexec/}xdg-desktop-portal-kde
profile xdg-desktop-portal-kde @{exec_path} { profile xdg-desktop-portal-kde @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/graphics> include <abstractions/graphics>
include <abstractions/kde-globals-write> include <abstractions/kde-globals-write>
include <abstractions/kde-strict> include <abstractions/kde-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/qt5-shader-cache>
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
@ -27,8 +29,14 @@ profile xdg-desktop-portal-kde @{exec_path} {
#aa:exec kioworker #aa:exec kioworker
/usr/share/plasma/look-and-feel/** r,
owner @{HOME}/ r,
owner @{desktop_config_dirs}/user-dirs.dirs r, owner @{desktop_config_dirs}/user-dirs.dirs r,
owner @{user_cache_dirs}/xdg-desktop-portal-kde/{,**} rw,
owner @{user_config_dirs}/autostart/org.kde.*.desktop r, owner @{user_config_dirs}/autostart/org.kde.*.desktop r,
owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/breezerc r,
owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk, owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk,

3
apparmor.d/profiles-a-f/finalrd
View file

@ -65,9 +65,8 @@ profile finalrd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{bin}/ldd mr, @{bin}/* mr,
@{lib}/@{multiarch}/ld-linux-*so* mrix, @{lib}/@{multiarch}/ld-linux-*so* mrix,
@{lib}/ld-linux.so* mr,
include if exists <local/finalrd_ldd> include if exists <local/finalrd_ldd>
} }

2
apparmor.d/profiles-s-z/spotify
View file

@ -36,6 +36,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) {
/etc/spotify-adblock/* r, /etc/spotify-adblock/* r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
owner @{HOME}/.tmp rw,
owner @{user_music_dirs}/{,**} r, owner @{user_music_dirs}/{,**} r,
owner @{user_config_dirs}/spotify-adblock/* r, owner @{user_config_dirs}/spotify-adblock/* r,

4
apparmor.d/profiles-s-z/syncthing
View file

@ -36,10 +36,14 @@ profile syncthing @{exec_path} {
@{user_sync_dirs}/{,**} rw, @{user_sync_dirs}/{,**} rw,
@{PROC}/@{pids}/net/route r, @{PROC}/@{pids}/net/route r,
@{PROC}/bus/pci/devices r,
@{PROC}/modules r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/net/core/somaxconn r, @{PROC}/sys/net/core/somaxconn r,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/statm r,
include if exists <local/syncthing> include if exists <local/syncthing>
} }