Merge FSP: rewrite the systemd profiles #753

* dev: (49 commits)
  fix: use mappings/sudo in su.
  build: justfile: add group.
  tests: update sbin.list
  fix: linter check.
  fix: add gpartedbin back to sbin.list.
  tests: show error line in sbin check.
  feat(profile): update sbin list and ensure the profiles use the good variable (sbin or bin).
  tests: remove symbolic link from sbin.
  test: add some security checks.
  tests: add more check for sbin path
  tests: rewrite and expand the profile check to more files.
  feat(tunable): add the archive_path variable.
  feat(profile): update gnome profiles.
  feat(fsp): small fsp improvement.
  feat(abs): minor improvement & cosmetic.
  feat(profile): add profiles for whoopsie.
  feat(profile): add initial profile for systemd-initctl.
  feat(profile): minor fsp related improvment.
  feat(fsp): setup RBAC mapping in auth enabled profiles.
  build: ignore all rule in abi3.
  ...
This commit is contained in:
Alexandre Pujol 2025-06-16 21:41:08 +02:00
commit 5e14271f76
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
326 changed files with 2692 additions and 1532 deletions


@ -64,24 +64,34 @@ help:
@just --list --unsorted
@echo -e "\nSee https://apparmor.pujol.io/development/ for more information."
[group('build')]
[doc('Build the go programs')]
build:
@go build -o {{build}}/ ./cmd/aa-log
@go build -o {{build}}/ ./cmd/prebuild
[group('build')]
[doc('Prebuild the profiles in enforced mode')]
enforce: build
@./{{build}}/prebuild
[group('build')]
[doc('Prebuild the profiles in complain mode')]
complain: build
@./{{build}}/prebuild --complain
[group('build')]
[doc('Prebuild the profiles in FSP mode')]
fsp: build
@./{{build}}/prebuild --full
[group('build')]
[doc('Prebuild the profiles in FSP mode (complain)')]
fsp-complain: build
@./{{build}}/prebuild --complain --full
[doc('Install the profiles')]
[group('build')]
[doc('Install prebuild profiles')]
install:
#!/usr/bin/env bash
set -eu -o pipefail
@ -108,26 +118,31 @@ install:
install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf"
done
[group('packages')]
[doc('Build & install apparmor.d on Arch based systems')]
pkg:
@makepkg --syncdeps --install --cleanbuild --force --noconfirm
[group('packages')]
[doc('Build & install apparmor.d on Debian based systems')]
dpkg:
@bash dists/build.sh dpkg
@sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb
[group('packages')]
[doc('Build & install apparmor.d on OpenSUSE based systems')]
rpm:
@bash dists/build.sh rpm
@sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm
[group('tests')]
[doc('Run the unit tests')]
tests:
@go test ./cmd/... -v -cover -coverprofile=coverage.out
@go test ./pkg/... -v -cover -coverprofile=coverage.out
@go tool cover -func=coverage.out
[group('linter')]
[doc('Run the linters')]
lint:
golangci-lint run
@ -138,18 +153,22 @@ lint:
tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \
debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm
[group('linter')]
[doc('Run style checks on the profiles')]
check:
@bash tests/check.sh
[group('docs')]
[doc('Generate the man pages')]
man:
@pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md
[group('docs')]
[doc('Build the documentation')]
docs:
@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict
[group('docs')]
[doc('Serve the documentation')]
serve:
@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve
@ -160,6 +179,7 @@ clean:
debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \
{{pkgdest}}/{{pkgname}}* {{build}} coverage.out
[group('packages')]
[doc('Build the package in a clean OCI container')]
package dist:
#!/usr/bin/env bash
@ -175,6 +195,7 @@ package dist:
fi
bash dists/docker.sh $dist $version
[group('vm')]
[doc('Build the VM image')]
img dist flavor: (package dist)
@mkdir -p {{base_dir}}
@ -192,6 +213,7 @@ img dist flavor: (package dist)
-var output_dir={{output_dir}} \
tests/packer/
[group('vm')]
[doc('Create the machine')]
create dist flavor:
@cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2
@ -211,33 +233,40 @@ create dist flavor:
--sound model=ich9 \
--noautoconsole
[group('vm')]
[doc('Start a machine')]
up dist flavor:
@virsh {{c}} start {{prefix}}{{dist}}-{{flavor}}
[group('vm')]
[doc('Stops the machine')]
halt dist flavor:
@virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}}
[group('vm')]
[doc('Reboot the machine')]
reboot dist flavor:
@virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}}
[group('vm')]
[doc('Destroy the machine')]
destroy dist flavor:
@virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true
@virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram
@rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2
[group('vm')]
[doc('Connect to the machine')]
ssh dist flavor:
@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}`
[group('vm')]
[doc('List the machines')]
list:
@echo -e '\033[1m Id Distribution Flavor State\033[0m'
@virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g'
[group('vm')]
[doc('List the VM images')]
images:
#!/usr/bin/env bash
@ -254,6 +283,7 @@ images:
}
'
[group('vm')]
[doc('List the VM images that can be created')]
available:
#!/usr/bin/env bash
@ -270,6 +300,8 @@ available:
}
'
[group('tests')]
[doc('Run the integration tests on the machine')]
integration dist flavor:
@ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \
@ -280,12 +312,13 @@ integration dist flavor:
@bats --recursive --timing --print-output-on-failure Projects/integration/
[group('internal')]
get_ip dist flavor:
@virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \
head -1 | \
grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}'
[group('internal')]
get_osinfo dist:
#!/usr/bin/env python3
osinfo = {
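Review bot: The two `[group('internal')]` recipes at the end of the section, `get_ip` and `get_osinfo`, are the only touched recipes that receive a group but no `[doc(...)]` attribute, so they are listed by `just --list` without a description while every other recipe now has one. Add a doc line above each, e.g. `[doc('Print the IP address of the machine')]` for `get_ip` (which greps the first address out of `virsh domifaddr`) and one for `get_osinfo` describing what it looks up in the `osinfo` table (presumably the libosinfo id for a distribution; confirm against the body). The new `install` doc string `[doc('Install prebuild profiles')]` should read 'prebuilt'. The `get_osinfo` recipe body continues past the end of the hunk.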


@ -7,13 +7,7 @@
include <abstractions/consoles>
@{sbin}/depmod mr,
@{sbin}/insmod mr,
@{bin}/kmod mr,
@{sbin}/lsmod mr,
@{sbin}/modinfo mr,
@{sbin}/modprobe mr,
@{sbin}/rmmod mr,
@{lib}/modprobe.d/ r,
@{lib}/modprobe.d/*.conf r,


@ -12,7 +12,7 @@
capability dac_override,
capability dac_read_search,
signal (receive) set=(stop, cont, term, kill),
signal receive set=(stop, cont, term, kill),
@{bin}/ r,
@{pager_path} mrix,


@ -3,7 +3,7 @@
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Minimal set of rules for sudo. Interactive sudo need more rules.
# Minimal set of rules for sudo.
abi <abi/4.0>,
@ -24,8 +24,10 @@
network netlink raw, # PAM
#aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
unix type=stream addr=@@{udbus}/bus/sudo/system,
#aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}"
#aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
dbus (send receive) bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd.Manager
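Review bot: The added rule `unix type=stream addr=@@{udbus}/bus/sudo/system,` carries no access keyword, so it grants every unix-socket permission (create, bind, listen, accept, connect, send, receive) on that address, whereas the sshd abstraction in this same commit restricts the equivalent rule to `unix bind type=stream addr=@@{udbus}/bus/sshd/system,`. Unless sudo actually needs more than binding that address, narrow it to `unix bind type=stream addr=@@{udbus}/bus/sudo/system,` so the two abstractions stay consistent and the 'Minimal set of rules for sudo' header remains true. If the broader access is needed, a short comment naming which operations fail without it would help the next reader.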


@ -3,7 +3,8 @@
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Do not use it manually, it is automatically included in profiles when it is required.
# Do not use it manually, It automatically replaces the base abstraction in a
# profile with the attach_disconnected flag set and the re-attached path enabled.
abi <abi/4.0>,
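Review bot: The rewritten header comment `# Do not use it manually, It automatically replaces the base abstraction in a` capitalizes 'It' after a comma; split the sentence instead, `# Do not use it manually. It automatically replaces the base abstraction in a`. The same pattern appears in the consoles abstraction comment and in the three 'Allow owning a name on DBus public bus' abstraction comments (`# Do not use it manually, It is automatically included in a profile by the`), which should get the same fix.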


@ -3,7 +3,8 @@
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Do not use it manually, it is automatically included in profiles when it is required.
# Do not use it manually, It automatically replaces the consoles abstraction in a
# profile with the attach_disconnected flag set and the re-attached path enabled.
abi <abi/4.0>,


@ -3,14 +3,16 @@
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Systemd: allow to receive any signal from the systemd profiles stack
signal receive peer=@{p_systemd},
signal receive peer=@{p_systemd_user},
# Allow to receive some signals from new well-known profiles
signal (receive) peer=btop,
signal (receive) peer=htop,
signal (receive) peer=sudo,
signal (receive) peer=top,
signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown,
signal (receive) set=(cont,term) peer=@{p_systemd_user},
signal (receive) set=(cont,term) peer=@{p_systemd},
signal (receive) set=(hup term) peer=login,
signal (receive) set=(hup) peer=xinit,
signal (receive) set=(term,kill) peer=gnome-shell,
@ -18,7 +20,7 @@
signal (receive) set=(term,kill) peer=openbox,
signal (receive) set=(term,kill) peer=su,
ptrace (readby) peer=systemd-coredump,
ptrace (readby) peer=@{p_systemd_coredump},
@{etc_rw}/localtime r,
/etc/locale.conf r,
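Review bot: The new rules `signal receive peer=@{p_systemd},` and `signal receive peer=@{p_systemd_user},` under the 'allow to receive any signal from the systemd profiles stack' comment carry no `set=`, so they fully subsume the narrower `signal (receive) set=(cont,term) peer=@{p_systemd_user},` and `signal (receive) set=(cont,term) peer=@{p_systemd},` rules a few lines below if those are still present on the new side. Keeping both forms would only mislead a reader into thinking the systemd stack is limited to cont and term; if the commit does not already remove the two `set=(cont,term)` rules, drop them. The rendered view does not make it certain which of the two pairs survives, so please confirm against the file.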


@ -4,7 +4,7 @@
abi <abi/4.0>,
#aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon
#aa:dbus common bus=system name=net.hadess.PowerProfiles label="@{p_power_profiles_daemon}"
include if exists <abstractions/bus/net.hadess.PowerProfiles.d>


@ -4,12 +4,12 @@
abi <abi/4.0>,
#aa:dbus common bus=system name=net.reactivated.Fprint label=fprintd
#aa:dbus common bus=system name=net.reactivated.Fprint label="@{p_fprintd}"
dbus send bus=system path=/net/reactivated/Fprint/Manager
interface=net.reactivated.Fprint.Manager
member={GetDevices,GetDefaultDevice}
peer=(name="@{busname}", label=fprintd),
peer=(name="@{busname}", label="@{p_fprintd}"),
dbus send bus=system path=/net/reactivated/Fprint/Manager
interface=net.reactivated.Fprint.Manager
@ -19,7 +19,7 @@
dbus send bus=system path=/net/reactivated/Fprint/Manager
interface=net.reactivated.Fprint.Manager
member={GetDevices,GetDefaultDevice}
peer=(name=net.reactivated.Fprint, label=fprintd),
peer=(name=net.reactivated.Fprint, label="@{p_fprintd}"),
include if exists <abstractions/bus/net.reactivated.Fprint.d>


@ -9,27 +9,27 @@
dbus receive bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=EventListenerDeregistered
peer=(name="@{busname}", label=at-spi2-registryd),
peer=(name="@{busname}", label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=GetRegisteredEvents
peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
interface=org.a11y.atspi.DeviceEventController
member={GetKeystrokeListeners,GetDeviceEventListeners}
peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name="@{busname}", label=at-spi2-registryd),
peer=(name="@{busname}", label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
# Session bus


@ -4,37 +4,37 @@
abi <abi/4.0>,
#aa:dbus common bus=system name=org.bluez label=bluetoothd
#aa:dbus common bus=system name=org.bluez label="@{p_bluetoothd}"
dbus receive bus=system path=/
interface=org.freedesktop.DBus.ObjectManager
member=InterfacesRemoved
peer=(name="{@{busname},org.bluez}", label=bluetoothd),
peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"),
dbus send bus=system path=/
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name="{@{busname},org.bluez}", label=bluetoothd),
peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"),
dbus send bus=system path=/org/bluez
interface=org.bluez.AgentManager@{int}
member={RegisterAgent,RequestDefaultAgent,UnregisterAgent}
peer=(name=org.bluez, label=bluetoothd),
peer=(name=org.bluez, label="@{p_bluetoothd}"),
dbus send bus=system path=/org/bluez
interface=org.bluez.ProfileManager@{int}
member=RegisterProfile
peer=(name=org.bluez, label=bluetoothd),
peer=(name=org.bluez, label="@{p_bluetoothd}"),
dbus send bus=system path=/org/bluez/hci@{int}
interface=org.bluez.BatteryProviderManager@{int}
member=RegisterProfile
peer=(name=org.bluez, label=bluetoothd),
peer=(name=org.bluez, label="@{p_bluetoothd}"),
dbus send bus=system path=/org/bluez/hci@{int}
interface=org.bluez.Media@{int}
member=RegisterApplication
peer=(name=org.bluez, label=bluetoothd),
peer=(name=org.bluez, label="@{p_bluetoothd}"),
include if exists <abstractions/bus/org.bluez.d>


@ -4,27 +4,27 @@
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.Accounts label=accounts-daemon
#aa:dbus common bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
dbus send bus=system path=/org/freedesktop/Accounts
interface=org.freedesktop.Accounts
member={FindUserByName,ListCachedUsers}
peer=(name="@{busname}", label=accounts-daemon),
peer=(name="@{busname}", label="@{p_accounts_daemon}"),
dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
interface=org.freedesktop.Accounts.User
member=*Changed
peer=(name="@{busname}", label=accounts-daemon),
peer=(name="@{busname}", label="@{p_accounts_daemon}"),
dbus receive bus=system path=/org/freedesktop/Accounts
interface=org.freedesktop.Accounts
member=UserAdded
peer=(name="@{busname}", label=accounts-daemon),
peer=(name="@{busname}", label="@{p_accounts_daemon}"),
dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
interface=org.freedesktop.DBus.Properties
member=*Changed
peer=(name="@{busname}", label=accounts-daemon),
peer=(name="@{busname}", label="@{p_accounts_daemon}"),
include if exists <abstractions/bus/org.freedesktop.Accounts.d>


@ -4,27 +4,27 @@
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.Avahi label=avahi-daemon
#aa:dbus common bus=system name=org.freedesktop.Avahi label="@{p_avahi_daemon}"
dbus send bus=system path=/
interface=org.freedesktop.DBus.Peer
member=Ping
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
peer=(name=org.freedesktop.Avahi),
dbus send bus=system path=/
interface=org.freedesktop.Avahi.Server
member={GetAPIVersion,GetState,Service*New}
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
dbus send bus=system path=/Client@{int}/ServiceBrowser@{int}
interface=org.freedesktop.Avahi.ServiceBrowser
member=Free
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
interface=org.freedesktop.Avahi.ServiceBrowser
member={ItemNew,AllForNow,CacheExhausted}
peer=(name="@{busname}", label=avahi-daemon),
peer=(name="@{busname}", label="@{p_avahi_daemon}"),
include if exists <abstractions/bus/org.freedesktop.Avahi.d>
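Review bot: The rewritten Ping rule `peer=(name=org.freedesktop.Avahi),` drops the peer label entirely, while every other rule in this abstraction (and every other bus abstraction in the commit) only swaps the hard-coded label for `"@{p_avahi_daemon}"`. Without a label the send is permitted to whichever process currently owns the name, so this one rule is no longer tied to avahi-daemon's profile. If the removal is not deliberate, restore it as `peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),`; if it is deliberate (for instance because the `org.freedesktop.DBus.Peer` reply is observed to come from a differently labelled peer), a one-line comment stating why would stop the next reader from 'fixing' it back.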


@ -4,22 +4,22 @@
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.ColorManager label=colord
#aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}"
dbus send bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.ColorManager
member=GetDevices
peer=(name="@{busname}", label=colord),
peer=(name="@{busname}", label="@{p_colord}"),
dbus send bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.ColorManager
member=CreateDevice
peer=(name="@{busname}", label=colord),
peer=(name="@{busname}", label="@{p_colord}"),
dbus receive bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.ColorManager
member={DeviceAdded,DeviceRemoved}
peer=(name="@{busname}", label=colord),
peer=(name="@{busname}", label="@{p_colord}"),
include if exists <abstractions/bus/org.freedesktop.ColorManager.d>


@ -4,26 +4,26 @@
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.GeoClue2 label=geoclue
#aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}"
dbus send bus=system path=/org/freedesktop/GeoClue2/Agent
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=org.freedesktop.DBus, label=geoclue),
peer=(name=org.freedesktop.DBus, label="@{p_geoclue}"),
dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=geoclue),
peer=(name="@{busname}", label="@{p_geoclue}"),
dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=geoclue),
peer=(name="@{busname}", label="@{p_geoclue}"),
dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
interface=org.freedesktop.GeoClue2.Manager
member=AddAgent
peer=(name="@{busname}", label=geoclue),
peer=(name="@{busname}", label="@{p_geoclue}"),
include if exists <abstractions/bus/org.freedesktop.GeoClue2.d>


@ -4,17 +4,17 @@
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.ModemManager1 label=ModemManager
#aa:dbus common bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}"
dbus send bus=system path=/org/freedesktop/ModemManager1
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name=org.freedesktop.ModemManager1, label=ModemManager),
peer=(name=org.freedesktop.ModemManager1, label="@{p_ModemManager}"),
dbus send bus=system path=/org/freedesktop/ModemManager1
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name="@{busname}", label=ModemManager),
peer=(name="@{busname}", label="@{p_ModemManager}"),
include if exists <abstractions/bus/org.freedesktop.ModemManager1.d>


@ -4,22 +4,22 @@
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label=polkitd
#aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
member=Changed
peer=(name="@{busname}", label=polkitd),
peer=(name="@{busname}", label="@{p_polkitd}"),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
member=CheckAuthorization
peer=(name=org.freedesktop.PolicyKit1, label=polkitd),
peer=(name=org.freedesktop.PolicyKit1, label="@{p_polkitd}"),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
member=CheckAuthorization
peer=(name="@{busname}", label=polkitd),
peer=(name="@{busname}", label="@{p_polkitd}"),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
member=CheckAuthorization


@ -6,7 +6,7 @@
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label=rtkit-daemon
#aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label="@{p_rtkit_daemon}"
dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.DBus.Properties
member=Get
@ -15,12 +15,12 @@
dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.RealtimeKit1
member={MakeThreadHighPriority,MakeThreadRealtime}
peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label=rtkit-daemon),
peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"),
dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.RealtimeKit1
member={MakeThreadHighPriorityWithPID,MakeThreadRealtimeWithPID}
peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label=rtkit-daemon),
peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"),
include if exists <abstractions/bus/org.freedesktop.RealtimeKit1.d>


@ -4,22 +4,22 @@
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.UPower label=upowerd
#aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}"
dbus send bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=EnumerateDevices
peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"),
dbus send bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.DBus.Properties
member=GetDisplayDevice
peer=(name=org.freedesktop.UPower, label=upowerd),
peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"),
dbus receive bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=DeviceAdded
peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"),
include if exists <abstractions/bus/org.freedesktop.UPower.d>


@ -4,7 +4,7 @@
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon
#aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon}
include if exists <abstractions/bus/org.freedesktop.UPower.PowerProfiles.d>
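Review bot: The directive `#aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon}` is the only `aa:dbus` directive in the commit whose label variable is left unquoted; the net.hadess.PowerProfiles abstraction, which targets the same daemon, writes `label="@{p_power_profiles_daemon}"`. Whether or not the directive parser tolerates the bare form, write it the same way as the others, `#aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}"`, so the generated rules and any future grep for the quoted form stay consistent.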


@ -4,7 +4,7 @@
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed
#aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}"
dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties
member=Get


@ -4,7 +4,7 @@
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.locale1 label=systemd-localed
#aa:dbus common bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}"
dbus send bus=system path=/org/freedesktop/locale1
interface=org.freedesktop.DBus.Properties
member=GetAll


@ -4,22 +4,22 @@
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.login1 label=systemd-logind
#aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID}
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
dbus receive bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={SessionNew,SessionRemoved,UserNew,UserRemoved,SeatNew,PrepareFor*}
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
dbus send bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.login1.Session
member=PauseDeviceComplete
peer=(name=org.freedesktop.login1, label=systemd-logind),
peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
include if exists <abstractions/bus/org.freedesktop.login1.d>


@ -4,22 +4,22 @@
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.login1 label=systemd-logind
#aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member=GetSession
peer=(name="@{busname}", label=systemd-logind),
peer=(name="@{busname}", label="@{p_systemd_logind}"),
dbus send bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.login1.Session
member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint}
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
dbus receive bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.login1.Session
member={PauseDevice,Unlock}
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
include if exists <abstractions/bus/org.freedesktop.login1.Session.d>


@ -4,7 +4,7 @@
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.network1 label=systemd-networkd
#aa:dbus common bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}"
include if exists <abstractions/bus/org.freedesktop.network1.d>


@ -4,12 +4,12 @@
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.resolve1 label=systemd-resolved
#aa:dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}"
dbus send bus=system path=/org/freedesktop/resolve1
interface=org.freedesktop.resolve1.Manager
member={SetLink*,ResolveHostname}
peer=(name="{@{busname},org.freedesktop.resolve1}", label=systemd-resolved),
peer=(name="{@{busname},org.freedesktop.resolve1}", label="@{p_systemd_resolved}"),
include if exists <abstractions/bus/org.freedesktop.resolve1.d>


@ -4,7 +4,7 @@
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.timedate1 label=systemd-timedated
#aa:dbus common bus=system name=org.freedesktop.timedate1 label="@{p_systemd_timedated}"
include if exists <abstractions/bus/org.freedesktop.timedate1.d>


@ -4,12 +4,12 @@
abi <abi/4.0>,
#aa:dbus common bus=session name=org.gnome.ArchiveManager1 label=file-roller
#aa:dbus common bus=session name=org.gnome.ArchiveManager1 label="@{p_file_roller}"
dbus send bus=session path=/org/gnome/ArchiveManager1
interface=org.gnome.ArchiveManager1
member=GetSupportedTypes
peer=(name="@{busname}", label=file-roller),
peer=(name="@{busname}", label="@{p_file_roller}"),
include if exists <abstractions/bus/org.gnome.ArchiveManager1.d>


@ -3,7 +3,8 @@
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Do not use it manually, it is automatically included in a profile when it is required.
# Do not use it manually, It is automatically included in a profile by the
# `aa:dbus own` directive.
# Allow owning a name on DBus public bus


@ -3,7 +3,8 @@
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Do not use it manually, it is automatically included in a profile when it is required.
# Do not use it manually, It is automatically included in a profile by the
# `aa:dbus own` directive.
# Allow owning a name on DBus public bus


@ -3,7 +3,8 @@
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Do not use it manually, it is automatically included in a profile when it is required.
# Do not use it manually, It is automatically included in a profile by the
# `aa:dbus own` directive.
# Allow owning a name on DBus public bus


@ -25,7 +25,7 @@
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member=ReleaseSession
peer=(name=org.freedesktop.login1, label=systemd-logind),
peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
@{etc_ro}/security/group.conf r,
@{etc_ro}/security/limits.conf r,


@ -28,7 +28,7 @@
network inet6 stream,
network netlink raw,
signal receive set=exists peer=systemd-journald,
signal receive set=exists peer=@{p_systemd_journald},
signal receive set=hup peer=@{p_systemd},
unix bind type=stream addr=@@{udbus}/bus/sshd/system,
@ -36,7 +36,7 @@
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={CreateSession,ReleaseSession,CreateSessionWithPIDFD}
peer=(name=org.freedesktop.login1, label=systemd-logind),
peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
/etc/motd r,
/etc/locale.conf r,


@ -1,4 +1,5 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
/etc/glvnd/egl_vendor.d/{,*.json} r,


@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Minimal set of rules for webkit UI.
# Minimal set of rules for webkit GTK UI.
abi <abi/4.0>,


@ -12,6 +12,7 @@
/usr/local/share/zsh/{,**} r,
/usr/share/oh-my-zsh/{,**} r,
/usr/share/zsh-theme-*/{,**} r,
/usr/share/zsh/{,**} r,
/etc/zsh/* r,


@ -1,56 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Default profile for bwrap.
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/bwrap
profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base>
include <abstractions/common/bwrap>
include <abstractions/common/app>
include <abstractions/dbus>
include <abstractions/fontconfig-cache-write>
capability dac_override,
capability dac_read_search,
capability sys_resource,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
ptrace peer=bwrap//&bwrap-app,
signal peer=bwrap//&bwrap-app,
signal (receive) set=(kill),
@{bin}/** rm,
@{lib}/** rm,
/opt/*/** rm,
/usr/share/*/* rm,
@{bin}/** Px -> bwrap//&bwrap-app,
@{bin}/xdg-dbus-proxy Px -> bwrap//&xdg-dbus-proxy,
# @{lib}/** Px -> bwrap//&bwrap-app,
/opt/*/** Px -> bwrap//&bwrap-app,
/usr/share/*/* Px -> bwrap//&bwrap-app,
/usr/.ref rk,
/bindfile@{rand6} rw,
owner /var/cache/ w,
owner @{run}/ld-so-cache-dir/* rw,
include if exists <usr/bwrap.d>
include if exists <local/bwrap>
}
# vim:syntax=apparmor


@ -1,36 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Default profile for user sandboxed application
abi <abi/4.0>,
include <tunables/global>
profile bwrap-app flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base>
include <abstractions/common/app>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
ptrace peer=bwrap//&bwrap-app,
signal peer=bwrap//&bwrap-app,
@{bin}/** rmix,
@{lib}/** rmix,
/opt/*/** rmix,
/usr/share/*/* rmix,
owner /var/cache/ w,
include if exists <usr/bwrap-app.d>
include if exists <local/bwrap-app>
}
# vim:syntax=apparmor


@ -1,122 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Default profile for unconfined programs
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = /**
profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/consoles>
include <abstractions/dbus-session>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/devices-usb>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/p11-kit>
include <abstractions/shells>
include <abstractions/ssl_certs>
include <abstractions/video>
capability dac_override,
capability dac_read_search,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
signal receive set=hup,
@{bin}/bwrap rPx -> bwrap,
@{bin}/pipewire-pulse rPx -> systemd//&pipewire-pulse,
@{bin}/pulseaudio rPx -> systemd//&pulseaudio,
@{bin}/su rPx -> default-sudo,
@{bin}/sudo rPx -> default-sudo,
@{bin}/systemctl rix,
@{coreutils_path} rix,
@{shells_path} rix,
@{pager_path} rPx -> child-pager,
# @{open_path} rPx -> child-open,
audit @{bin}/** Pix,
audit @{lib}/** Pix,
audit /opt/*/** Pix,
audit /usr/share/*/* Pix,
@{bin}/{,**} r,
@{lib}/{,**} r,
/usr/share/** r,
/etc/xdg/** r,
# Full access to user's data
/ r,
/*/ r,
@{MOUNTDIRS}/ r,
@{MOUNTS}/ r,
@{MOUNTS}/** rwl,
owner @{HOME}/{,**} rwlk,
owner @{run}/user/@{uid}/{,**} rw,
owner @{tmp}/{,**} rwk,
owner @{run}/user/@{uid}/{,**} rwlk,
@{run}/motd.dynamic.new rw,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{sys}/ r,
@{sys}/bus/ r,
@{sys}/bus/pci/devices/ r,
@{sys}/class/ r,
@{sys}/class/drm/ r,
@{sys}/class/hidraw/ r,
@{sys}/class/input/ r,
@{sys}/class/power_supply/ r,
@{sys}/devices/**/input@{int}/ r,
@{sys}/devices/**/input@{int}/capabilities/* r,
@{sys}/devices/**/input/input@{int}/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/virtual/dmi/id/chassis_type r,
@{sys}/firmware/acpi/pm_profile r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/seccomp/actions_avail r,
@{PROC}/zoneinfo r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/limits r,
owner @{PROC}/@{pid}/loginuid r,
owner @{PROC}/@{pid}/mem r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pids}/cmdline r,
owner @{PROC}/@{pids}/environ r,
owner @{PROC}/@{pids}/task/ r,
/dev/ r,
/dev/ptmx rwk,
/dev/tty rwk,
owner /dev/tty@{int} rw,
include if exists <usr/default.d>
include if exists <local/default>
}
# vim:syntax=apparmor


@ -1,42 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
profile default-sudo {
include <abstractions/base>
include <abstractions/app/sudo>
capability chown,
capability mknod,
capability sys_ptrace,
network inet dgram,
network inet6 dgram,
ptrace (read),
@{bin}/su mr,
@{bin}/** Px,
@{lib}/** Px,
/opt/*/** Px,
/var/db/sudo/lectured/ r,
/var/lib/extrausers/shadow r,
/var/lib/sudo/lectured/ r,
owner /var/db/sudo/lectured/@{uid} rw,
owner /var/lib/sudo/lectured/* rw,
owner @{HOME}/.sudo_as_admin_successful rw,
@{run}/ r,
@{run}/systemd/sessions/* r,
include if exists <local/default-sudo>
}
# vim:syntax=apparmor

apparmor.d/groups/_full/sd Normal file

@ -0,0 +1,265 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Part of the systemd (as PID 1) profile.
# sd is a profile for SystemD-executor run as root, it is used to run all services
# files and to encapsulate stacked services profiles (hence the short name).
# It aims at reducing the size of the systemd profile.
# Only use this profile with a fully configured system. Otherwise it **WILL**
# break your computer. See https://apparmor.pujol.io/full-system-policy/.
# Distributions and other programs can add rules in the usr/sd.d directory
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/systemd-executor
profile sd flags=(attach_disconnected,mediate_deleted,complain) {
include <abstractions/base>
include <abstractions/authentication>
include <abstractions/bus-system>
include <abstractions/consoles>
include <abstractions/devices-usb>
include <abstractions/disks-write>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>
userns,
capability audit_control,
capability audit_write,
capability bpf,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability kill,
capability linux_immutable,
capability mknod,
capability net_admin,
capability net_bind_service,
capability net_raw,
capability perfmon,
capability setfcap,
capability setgid,
capability setpcap,
capability setuid,
capability sys_admin,
capability sys_nice,
capability sys_ptrace,
capability sys_rawio,
capability sys_resource,
capability sys_time,
capability sys_tty_config,
capability syslog,
network alg seqpacket,
network bluetooth,
network inet dgram,
network inet stream,
network inet6 dgram,
network inet6 raw,
network inet6 stream,
network netlink raw,
network packet dgram,
network packet raw,
network qipcrtr dgram,
mount -> @{run}/systemd/mount-rootfs/{,**},
mount -> @{run}/systemd/namespace-@{rand6}/{,**},
mount options=(rw move) /dev/shm/ -> @{run}/credentials/*/,
mount options=(rw rshared) -> /,
mount options=(rw rslave) -> /,
mount options=(rw rslave) -> /dev/,
mount options=(rw slave) -> @{run}/systemd/incoming/,
mount fstype=tmpfs options=(rw nodev noexec nosuid nosymfollow) tmpfs -> /dev/shm/,
mount fstype=tmpfs options=(rw nodev strictatime) tmpfs -> @{run}/systemd/unit-private-tmp/,
remount /dev/shm/,
remount @{run}/systemd/mount-rootfs/{,**},
umount /,
umount /dev/shm/,
umount @{run}/systemd/mount-rootfs/{,**},
# mount tmpfs -> @{run}/lock/,
# mount tmpfs -> @{sys}/fs/cgroup/,
# mount cgroup -> @{sys}/fs/cgroup/systemd/,
# audit mount /dev/** -> /boot/{,efi/},
# audit mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**,
# audit mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**},
# audit remount @{run}/systemd/unit-root/{,**},
# audit remount options=(ro noexec noatime bind) /var/snap/{,**},
# audit remount options=(ro nosuid nodev bind) /var/,
# audit remount options=(ro nosuid nodev noexec bind) /boot/,
# audit umount @{PROC}/sys/fs/binfmt_misc/,
# audit umount @{run}/systemd/namespace-@{rand6}/{,**},
# audit umount @{run}/systemd/unit-root/{,**},
pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,
change_profile,
mqueue (read getattr) type=posix /,
signal peer=sd//&*,
signal receive peer=@{p_systemd},
signal send,
ptrace read,
unix type=dgram peer=(label=@{p_systemd}),
unix type=dgram peer=(label=systemd-timesyncd),
unix type=stream,
dbus bus=system,
@{exec_path} mr,
@{bin}/** mPx,
@{sbin}/** mPx,
@{lib}/** Px,
/etc/cron.*/* Px,
/etc/init.d/* Px,
/etc/update-motd.d/* Px,
/usr/share/*/** Px,
# Systemd user: systemd --user
@{lib}/systemd/systemd px -> systemd-user,
# Mount operations from services and systemd
@{bin}/mount Px -> sd-mount,
@{bin}/umount Px -> sd-umount,
# Unit services using systemctl
@{bin}/systemctl Cx -> systemctl,
# Unit services
@{bin}/kill Cx -> kill,
# Used by very basic services, ideally should be replaced by a unit profiles
@{sh_path} ix,
@{bin}/false ix,
@{bin}/true ix,
# Required due to stacked profiles
@{sbin}/grpck ix,
@{bin}/gzip ix,
@{bin}/install ix,
@{sbin}/pwck ix,
@{bin}/readlink ix,
@{lib}/colord-sane ix,
@{lib}/systemd/systemd-nsresourcework ix,
@{lib}/systemd/systemd-userwork ix,
/ r,
@{att}/ r,
@{bin}/{,**} r,
@{lib}/{,**} r,
@{sbin}/{,*} r,
/usr/share/** r,
/etc/** rk,
/home/ r,
@{efi}/ r,
@{efi}/** rw,
@{att}/var/lib/systemd/*/ r,
/var/cache/*/ rw,
/var/cache/*/** rwk,
/var/lib/*/ rw,
/var/lib/*/** rwk,
/var/lib/systemd/*/ r,
/var/log/** rw,
/var/log/journal/** rwl -> /var/log/journal/**,
@{desktop_share_dirs}/icc/edid-@{hex32}.icc r,
@{user_share_dirs}/icc/edid-@{hex32}.icc r,
@{att}/@{run}/systemd/io.systemd.ManagedOOM rw,
@{att}/@{run}/systemd/notify rw,
@{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
@{att}/@{run}/systemd/userdb/io.systemd.Home rw,
@{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,
@{run}/ rw,
@{run}/* rw,
@{run}/*/ rw,
@{run}/*/* rw,
@{run}/systemd/{,**} rw,
owner @{run}/*/** rw,
@{run}/udev/**/ r,
@{run}/udev/data/* r,
@{sys}/** r,
@{sys}/fs/bpf/systemd/{,**} w,
@{sys}/firmware/efi/efivars/** w,
@{sys}/fs/cgroup/{,**} w,
@{PROC}/@{pid}/attr/apparmor/exec w,
@{PROC}/@{pid}/attr/current r,
@{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/comm r,
@{PROC}/@{pid}/environ r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/fdinfo/@{int} r,
@{PROC}/@{pid}/gid_map w,
@{PROC}/@{pid}/limits r,
@{PROC}/@{pid}/loginuid rw,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/oom_score_adj rw,
@{PROC}/@{pid}/sessionid r,
@{PROC}/@{pid}/setgroups r,
@{PROC}/@{pid}/setgroups w,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/uid_map r,
@{PROC}/@{pid}/uid_map w,
@{PROC}/cmdline r,
@{PROC}/interrupts r,
@{PROC}/irq/@{int}/node r,
@{PROC}/irq/@{int}/smp_affinity r,
@{PROC}/kmsg r,
@{PROC}/modules r,
@{PROC}/pressure/* r,
@{PROC}/swaps r,
@{PROC}/sys/** r,
@{PROC}/sys/kernel/random/write_wakeup_threshold w,
@{PROC}/sys/net/ipv{4,6}/** rw,
@{PROC}/sysvipc/* r,
@{PROC}/version_signature r,
/dev/** rwk,
profile systemctl flags=(attach_disconnected,mediate_deleted,complain) {
include <abstractions/base>
include <abstractions/app/systemctl>
include if exists <usr/sd_systemctl.d>
include if exists <local/sd_systemctl>
}
profile kill flags=(attach_disconnected,mediate_deleted,complain) {
include <abstractions/base>
signal send,
@{bin}/kill mr,
include if exists <local/sd_kill>
}
include if exists <usr/sd.d>
include if exists <local/sd>
}
# vim:syntax=apparmor
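Review bot: The `@{sh_path} ix,` / `@{bin}/false ix,` / `@{bin}/true ix,` lines under "Used by very basic services" make every shell-based unit inherit the whole `sd` label, i.e. the full capability list above (sys_admin, sys_ptrace, sys_rawio, setuid, …), `/dev/** rwk`, `/etc/** rk` and a bare `change_profile,`; the deleted `systemd-service` fallback those units used before carried only `dac_read_search`, `chown` and `fsetid`, so this is a large privilege widening for exactly the units that have no profile of their own. `sdu` already handles the same case with `@{sh_path} Cx -> shell,` and a small `shell` child profile; mirroring that here (a `shell` child with `@{sh_path} mr,` and the handful of coreutils these units need) would keep the shell out of the executor's label until per-unit profiles exist. Separately, the `pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,` rule mixes a literal `/run` with `@{run}` while the same rule in the `systemd` profile uses `@{run}` on both sides; it should read `pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,`. Finally, since the profile is declared with the `complain` flag nothing in it is enforced yet; a header comment such as `# complain: bring-up mode, switch to enforce once all unit profiles exist` would make that status visible to packagers who ship this file.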


@ -0,0 +1,71 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Part of the systemd (as PID 1) profile.
# sd-mount is a subprofile of sd responsible to handle mounting operation.
# Only use this profile with a fully configured system. Otherwise it **WILL**
# break your computer. See https://apparmor.pujol.io/full-system-policy/.
# Distributions and other programs can add rules in the usr/sd-mount.d directory
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/mount
profile sd-mount flags=(complain) {
include <abstractions/base>
include <abstractions/disks-write>
capability dac_read_search,
capability sys_admin,
mount -> @{efi}/,
mount -> @{HOME}/{,**},
mount -> @{HOMEDIRS}/,
mount -> @{MOUNTDIRS}/,
mount -> @{MOUNTS}/{,**},
mount fstype=binfmt_misc options=(rw nodev noexec nosuid) binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/,
mount fstype=configfs options=(rw nodev noexec nosuid) configfs -> @{sys}/kernel/config/,
mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/,
mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/,
mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/,
mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/,
mount fstype=squashfs options=(ro nodev) /dev/loop@{int} -> /snap/*/@{int}/,
mount fstype=tmpfs options=(rw nodev noexec nosuid) tmpfs -> @{run}/lock/,
mount fstype=tmpfs options=(rw nodev nosuid strictatime) tmpfs -> /tmp/,
mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/,
mount options=(rw move) -> @{efi},
mount options=(rw move) -> @{HOME}/{,**},
mount options=(rw move) -> @{HOMEDIRS}/,
mount options=(rw move) -> @{MOUNTDIRS}/,
mount options=(rw move) -> @{MOUNTS}/{,**},
mount options=(rw move) -> @{sys}/fs/fuse/connections/,
mount options=(rw move) -> @{sys}/kernel/config/,
mount options=(rw move) -> @{sys}/kernel/debug/,
mount options=(rw move) -> @{sys}/kernel/tracing/,
mount options=(rw move) -> /dev/hugepages/,
mount options=(rw move) -> /dev/mqueue/,
mount options=(rw move) -> /tmp/,
@{exec_path} mr,
/var/lib/snapd/snaps/*.snap r,
@{run}/ r,
owner @{run}/mount/ rw,
owner @{run}/mount/utab{,.*} rwk,
@{PROC}/@{pid}/mountinfo r,
/dev/loop-control rw,
include if exists <usr/sd-mount.d>
include if exists <local/sd-mount>
}
# vim:syntax=apparmor
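Review bot: `mount options=(rw move) -> @{efi},` is the only mount-point target in this file without a trailing slash (`mount -> @{efi}/,` a few lines above and the old `mount options=(rw move) -> /efi/,` in `systemd` both have it), so depending on how `@{efi}` expands the move-mount of the ESP may simply not match; it should read `mount options=(rw move) -> @{efi}/,`. The header comment describes this as "a subprofile of sd", but it is declared as a top-level `profile sd-mount` reached via `@{bin}/mount Px -> sd-mount` in `sd`, not an `sd//` child; suggest `# sd-mount is the profile sd transitions to for mount(8) calls made by unit files.` The bare `mount -> @{HOME}/{,**},` and `mount -> @{MOUNTS}/{,**},` rules carry no `fstype=` or source restriction, unlike every other rule in the block; if only fstab-style block-device mounts are expected there, an `fstype=` list, or a comment explaining why any source and filesystem type must be accepted, would make the intent reviewable.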

apparmor.d/groups/_full/sdu Normal file

@ -0,0 +1,124 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Part of the systemd-user profile.
# sdu is a profile for SystemD-executor run as User, it is used to run all services
# files and to encapsulate stacked services profiles (hence the short name).
# It aims at reducing the size of the systemd-user profile.
# Only use this profile with a fully configured system. Otherwise it **WILL**
# break your computer. See https://apparmor.pujol.io/full-system-policy/.
# Distributions and other programs can add rules in the usr/sdu.d directory
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/systemd-executor
profile sdu flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base>
include <abstractions/audio-server>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/nameservice-strict>
network netlink raw,
change_profile,
ptrace read,
unix type=dgram peer=(label=@{p_systemd_user}),
dbus bus=session,
@{exec_path} mr,
@{bin}/** mPx,
@{sbin}/** mPx,
@{lib}/** Px,
/etc/cron.*/* Px,
/opt/*/** Px,
/usr/share/*/** Px,
# Unit services using systemctl
@{bin}/systemctl Cx -> systemctl,
# Shell based user unit services
@{sh_path} Cx -> shell,
# Dbus needs to be started without environment scrubbing
@{bin}/dbus-broker px -> dbus-session,
@{bin}/dbus-broker-launch px -> dbus-session,
@{bin}/dbus-daemon px -> dbus-session,
@{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session,
/ r,
@{bin}/* r,
@{sbin}/* r,
/usr/share/** r,
owner @{desktop_local_dirs}/ w,
owner @{desktop_local_dirs}/state/ w,
owner @{desktop_local_dirs}/state/wireplumber/{,**} rw,
owner @{run}/user/@{uid}/pipewire-@{int} rw,
owner @{run}/user/@{uid}/pipewire-@{int}-manager rw,
owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk,
owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk,
owner @{run}/user/@{uid}/pulse/pid rw,
owner @{user_state_dirs}/wireplumber/ r,
owner @{user_state_dirs}/wireplumber/stream-properties rw,
owner @{user_state_dirs}/wireplumber/stream-properties.@{rand6} rw,
@{run}/systemd/users/@{uid} r,
@{run}/systemd/users/@{int} r,
@{run}/udev/data/c116:@{int} r, # for ALSA
@{sys}/bus/ r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/sound/seq/uevent r,
@{sys}/devices/virtual/sound/timer/uevent r,
@{sys}/module/apparmor/parameters/enabled r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
@{PROC}/pressure/* r,
@{PROC}/sys/fs/nr_open r,
owner @{PROC}/@{pid}/attr/apparmor/exec w,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/oom_score_adj rw,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
profile shell flags=(attach_disconnected,mediate_deleted,complain) {
include <abstractions/base>
@{sh_path} mr,
@{bin}/systemctl Px -> sdu//systemctl,
include if exists <local/sdu_shell>
}
profile systemctl flags=(attach_disconnected,mediate_deleted,complain) {
include <abstractions/base>
include <abstractions/app/systemctl>
audit capability net_admin,
owner @{run}/user/@{uid}/systemd/private rw,
include if exists <usr/sdu_systemctl.d>
include if exists <local/sdu_systemctl>
}
include if exists <usr/sdu.d>
include if exists <local/sdu>
}
# vim:syntax=apparmor
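Review bot: The `systemctl` child profile grants `audit capability net_admin,`, which allows the capability (with logging), whereas the child profile it replaces in `systemd-user` had `deny capability net_admin,`; if the goal was only to keep seeing these attempts in the log, `audit deny capability net_admin,` preserves the previous denial while still auditing. For an unprivileged `systemd --user` the difference is moot because the kernel's own capability check fails first, but the rule also covers a user instance run as root, so the widening is worth stating explicitly in a comment if it is intended. The bare `change_profile,` at the top of `sdu` lets the user-side executor exec into any profile on the system, not just the `px -> dbus-session` and `Cx` targets listed here; presumably that is needed because units may set arbitrary `AppArmorProfile=` values, in which case a short comment saying so would stop a later reviewer from narrowing it to a `change_profile -> …` list. The `shell` child profile is marked `complain` while the enclosing `sdu` profile is not; a note on why the shell child is still in bring-up mode would help.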


@ -11,24 +11,47 @@
# Distributions and other programs can add rules in the usr/systemd.d directory
# TODO: rework this to get a controlled environment: (cf security model)
# Overall architecture of the systemd profiles:
# systemd # PID 1, entrypoint, requires "Early policy"
# ├── systemd # To restart itself
# ├── systemd-generators-* # Systemd system and environment generators
# └── sd # Internal service starter and config handler, handles all services
# ├── Px or px, # Any service with profile
# ├── Px -> # Any service without profile defined in the unit file (see systemd/full/systemd)
# ├── &* # Stacked service as defined in the unit file (see systemd/full/systemd)
# ├── sd-mount # Handles all mounts from services
# ├── sd//systemctl # Internal system systemctl
# └── systemd-user # Profile for 'systemd --user'
# ├── systemd-user # To restart itself
# ├── systemd-user-generators-* # Systemd user and environment generators
# └── sdu # Handles all user services
# ├── Px or px, # Any user service with profile
# ├── Px -> # Any user service without profile defined in the unit file (see systemd/full/systemd)
# ├── &* # Stacked user service as defined in the unit file (see systemd/full/systemd)
# └── sdu//systemctl # Internal user systemctl
# Advantages:
# - Differentiate systemd (PID 1) and `system --user`
# - Keep `systemd` and systemd-user as mininal as possible, and transition to less privileged profiles.
# - Allow the executor profiles to handled stacked profiles.
# - Most additions need to be done in the `sd`/`sdu` profile, not in `systemd`/`systemd-user`.
# - Dedicated `sd-mount` profile for most mount from the unit services.
# TODO: rework this to get a controlled environment:
# - No global allow anymore: in high security environments, we must manage the list
# of program/service that can be started by systemd and ensure that they are all
# listed and confined. Programs not listed will not be able to start.
# - Outside common systemd service, the list may have to be automatically
# generated at install time, in `/etc/apparmor.d/usr/systemd.d/exec`
# - Stop disabling nnp flags in systemd dropin files.
# - Each systemd services in `systemd-service` (when the service is more complex than foo.service -> Exec=/usr/bin/foo)
# need they own profile, profile name configured as a dropin unit file.
# - When this is done: the fallback profile as root will not be needed.
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd
profile systemd flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base>
include <abstractions/authentication>
include <abstractions/bus-system>
include <abstractions/disks-read>
include <abstractions/nameservice-strict>
@ -43,16 +66,13 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
capability dac_read_search,
capability fowner,
capability fsetid,
capability mknod,
capability kill,
capability net_admin,
capability net_bind_service,
capability perfmon,
capability setfcap,
capability setgid,
capability setpcap,
capability setuid,
capability sys_admin,
capability sys_chroot,
capability sys_nice,
capability sys_boot,
capability sys_ptrace,
capability sys_resource,
capability sys_tty_config,
@ -62,164 +82,82 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
network inet6 dgram,
network inet6 stream,
network netlink raw,
network vsock stream,
mount fstype=autofs systemd-1 -> @{PROC}/sys/fs/binfmt_misc/,
mount fstype=autofs systemd-1 -> /efi/,
mount fstype=binfmt_misc options=(rw nodev noexec nosuid) binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/,
mount fstype=configfs options=(rw nodev noexec nosuid) configfs -> @{sys}/kernel/config/,
mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/,
mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/,
mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/,
mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/,
mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/,
mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/,
mount fstype=tmpfs tmpfs -> /dev/shm/,
mount fstype=autofs systemd-1 -> @{efi}/,
mount fstype=tmpfs tmpfs -> /tmp/,
mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/,
mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/,
mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/,
mount /dev/** -> /boot/{,efi/},
mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**,
mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**,
mount options=(rw bind) @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/,
mount options=(rw move) -> @{sys}/fs/fuse/connections/,
mount options=(rw move) -> @{sys}/kernel/config/,
mount options=(rw move) -> @{sys}/kernel/debug/,
mount options=(rw move) -> @{sys}/kernel/tracing/,
mount options=(rw move) -> /dev/hugepages/,
mount options=(rw move) -> /dev/mqueue/,
mount options=(rw move) -> /efi/,
mount options=(rw move) -> /tmp/,
mount options=(rw move) @{run}/systemd/namespace-@{rand6}/{,**} -> @{run}/systemd/mount-rootfs/{,**},
mount options=(rw rbind) -> @{run}/systemd/mount-rootfs/{,**},
mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**},
mount options=(rw rshared) -> /,
mount options=(rw rslave) -> /,
mount options=(rw rslave) -> /dev/,
mount options=(rw slave) -> @{run}/systemd/incoming/,
remount @{HOME}/{,**},
remount @{HOMEDIRS}/,
remount @{MOUNTDIRS}/,
remount @{MOUNTS}/{,**},
remount @{run}/systemd/mount-rootfs/{,**},
remount @{run}/systemd/unit-root/{,**},
remount /,
remount /snap/{,**},
remount options=(ro bind) /boot/{,efi/},
remount options=(ro noexec noatime bind) /var/snap/{,**},
remount options=(ro nosuid bind) /dev/,
remount options=(ro nosuid nodev bind) /dev/hugepages/,
remount options=(ro nosuid nodev bind) /var/,
remount options=(ro nosuid nodev noexec bind) /boot/,
remount options=(ro nosuid nodev noexec bind) /dev/mqueue/,
remount options=(ro nosuid nodev noexec bind) /efi/,
remount options=(ro nosuid noexec bind) /dev/pts/,
remount options=(ro bind nodev noexec nosuid) /dev/mqueue/,
remount options=(ro bind nodev nosuid) /dev/hugepages/,
remount options=(ro bind noexec nosuid) /dev/pts/,
remount options=(ro bind nosuid) /dev/,
remount options=(ro bind) @{efi}/,
remount options=(ro bind) /,
umount /,
umount /dev/shm/,
umount @{PROC}/sys/fs/binfmt_misc/,
umount @{run}/systemd/mount-rootfs/{,**},
umount @{run}/systemd/namespace-@{rand6}/{,**},
umount @{run}/systemd/unit-root/{,**},
pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,
pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/,
umount @{run}/credentials/*/,
mqueue (read getattr) type=posix /,
change_profile,
signal receive set=(rtmin+23) peer=plymouthd,
signal receive set=(term hup cont),
signal send,
ptrace (read, readby),
unix send type=dgram,
unix receive type=dgram peer=(label=systemd-timesyncd),
unix (send, receive, connect) type=stream peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd),
unix type=dgram,
unix type=stream,
#aa:dbus own bus=system name=org.freedesktop.systemd1
# For stacked profiles
#aa:dbus own bus=system name=org.freedesktop.network1
#aa:dbus own bus=system name=org.freedesktop.oom1
#aa:dbus own bus=system name=org.freedesktop.resolve1
#aa:dbus own bus=system name=org.freedesktop.timesync1
@{exec_path} mrix,
@{sh_path} mr,
@{bin}/** Px,
@{sbin}/** Px,
@{lib}/** Px,
/etc/cron.*/* Px,
/etc/init.d/* Px,
/etc/update-motd.d/* Px,
/usr/share/*/** Px,
# Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.)
@{lib}/systemd/systemd-executor mPx -> sd,
# Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.)
@{lib}/systemd/systemd-executor ix,
# Systemd user: systemd --user
@{lib}/systemd/systemd px -> systemd-user,
# Unit services using systemctl
@{bin}/systemctl Cx -> systemctl,
# Unit services
@{bin}/mount ix,
@{bin}/kill ix,
# Shell based systemd unit services
# TODO: create unit profile for all of them
@{sbin}/ldconfig Px -> systemd-service,
@{bin}/mandb Px -> systemd-service,
@{bin}/savelog Px -> systemd-service,
@{coreutils_path} Px -> systemd-service,
@{sh_path} Px -> systemd-service,
# Systemd profiles that need be stacked
#aa:stack systemd-networkd systemd-oomd systemd-resolved systemd-timesyncd
@{lib}/systemd/systemd-networkd px -> systemd//&systemd-networkd,
@{lib}/systemd/systemd-oomd px -> systemd//&systemd-oomd,
@{lib}/systemd/systemd-resolved px -> systemd//&systemd-resolved,
@{lib}/systemd/systemd-timesyncd px -> systemd//&systemd-timesyncd,
@{lib}/ r,
/ r,
/*/ r,
/boot/efi/ r,
/snap/*/@{int}/ r,
/var/cache/*/ r,
/var/lib/*/ r,
/var/tmp/ r,
# Systemd system generators. Profiles must exist
@{lib}/netplan/generate mPx,
@{lib}/systemd/system-environment-generators/* mPx,
@{lib}/systemd/system-generators/* mPx,
@{etc_ro}/environment r,
@{etc_ro}/environment.d/{,**} r,
/etc/acpi/events/{,**} r,
/etc/binfmt.d/{,**} r,
/etc/conf.d/{,**} r,
/etc/credstore.encrypted/{,**} r,
/etc/credstore/{,**} r,
/etc/default/{,**} r,
/etc/machine-id r,
/etc/modules-load.d/{,**} r,
/etc/networkd-dispatcher/{,**} r,
/etc/systemd/{,**} r,
/etc/systemd/system/** w,
/etc/udev/hwdb.d/{,**} r,
/etc/systemd/system/multi-user.target.wants/{,*} w,
/var/log/dmesg rw,
/var/lib/systemd/{,**} rw,
#aa:only pacman
# It is unclear why this is needed here and not in sd
/etc/pacman.d/gnupg/S.dirmngr w,
/etc/pacman.d/gnupg/S.gpg-agent w,
/etc/pacman.d/gnupg/S.gpg-agent.browser w,
/etc/pacman.d/gnupg/S.gpg-agent.extra w,
/etc/pacman.d/gnupg/S.gpg-agent.ssh w,
/etc/pacman.d/gnupg/S.keyboxd w,
@{efi}/ r,
/snap/*/@{int}/ r,
/tmp/ r,
/var/tmp/ r,
owner /tmp/systemd-private-*/{,**} rw,
owner /var/tmp/systemd-private-*/{,**} rw,
/tmp/namespace-dev-@{rand6}/{,**} rw,
/tmp/systemd-private-*/{,**} rw,
@{att}/@{run}/systemd/journal/socket r,
@{att}/@{run}/systemd/journal/dev-log r,
@{att}/@{run}/systemd/journal/socket r,
@{att}/@{run}/systemd/notify r,
@{run}/ rw,
@{run}/* rw,
@ -228,10 +166,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
@{run}/credentials/{,**} rw,
@{run}/systemd/{,**} rw,
@{run}/udev/data/+bluetooth:* r,
@{run}/udev/data/+backlight:* r,
@{run}/udev/data/+leds:*backlight* r,
@{run}/udev/data/+module:configfs r,
@{run}/udev/data/+module:fuse r,
@{run}/udev/data/c4:@{int} r, # For TTY devices
@ -242,37 +176,28 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
@{run}/udev/data/n@{int} r,
@{run}/udev/tags/systemd/ r,
@{sys}/**/uevent r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/power_supply/ r,
@{sys}/class/sound/ r,
@{sys}/devices/@{pci}/** r,
@{sys}/devices/**/net/** r,
@{sys}/devices/**/uevent r,
@{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
@{sys}/devices/virtual/dmi/id/bios_vendor r,
@{sys}/devices/virtual/dmi/id/board_vendor r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/product_version r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/tty/console/active r,
@{sys}/fs/cgroup/{,**} rw,
@{sys}/fs/fuse/connections/ r,
@{sys}/fs/pstore/ r,
@{sys}/kernel/**/ r,
@{sys}/module/**/uevent r,
@{sys}/module/apparmor/parameters/enabled r,
@{sys}/module/vt/parameters/default_utf8 r,
@{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/comm r,
@{PROC}/@{pid}/coredump_filter r,
@{PROC}/@{pid}/environ r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/fdinfo/@{int} r,
@{PROC}/@{pid}/gid_map rw,
@{PROC}/@{pid}/loginuid rw,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/setgroups rw,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/uid_map rw,
@{PROC}/cmdline r,
@{PROC}/devices r,
@{PROC}/pressure/* r,
@ -280,32 +205,33 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
@{PROC}/sys/fs/binfmt_misc/ r,
@{PROC}/sys/fs/nr_open r,
@{PROC}/sys/kernel/* r,
@{PROC}/sysvipc/{shm,sem,msg} r,
owner @{PROC}/@{pid}/limits r,
owner @{PROC}/@{pid}/oom_score_adj rw,
@{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sysvipc/msg r,
@{PROC}/sysvipc/sem r,
@{PROC}/sysvipc/shm r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/1/coredump_filter r,
owner @{PROC}/1/fdinfo/@{int} r,
owner @{PROC}/1/gid_map r,
owner @{PROC}/1/oom_score_adj rw,
owner @{PROC}/1/setgroups r,
owner @{PROC}/1/uid_map r,
/dev/autofs r,
/dev/dri/card@{int} rw,
/dev/initctl w,
/dev/input/ r,
/dev/kmsg w,
/dev/tty rw,
/dev/tty@{int} rw,
owner /dev/console rwk,
owner /dev/dri/card@{int} rw,
owner /dev/hugepages/ rw,
owner /dev/initctl rw,
owner /dev/input/event@{int} rw,
owner /dev/mqueue/ rw,
owner /dev/rfkill rw,
owner /dev/shm/ rw,
owner /dev/shm/ r,
owner /dev/ttyS@{int} rwk,
profile systemctl {
include <abstractions/base>
include <abstractions/app/systemctl>
include if exists <usr/systemd_systemctl.d>
include if exists <local/systemd_systemctl>
}
include if exists <usr/systemd.d>
include if exists <local/systemd>
}
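Review bot: The new `#aa:only pacman` block grants PID 1 write access to six gpg-agent/dirmngr/keyboxd sockets under `/etc/pacman.d/gnupg/` with the comment "It is unclear why this is needed here and not in sd"; shipping an unexplained `w` on key-management sockets in the init profile is the kind of rule that never gets revisited, so until the requester is identified it would be better expressed as `audit /etc/pacman.d/gnupg/S.{dirmngr,gpg-agent,gpg-agent.browser,gpg-agent.extra,gpg-agent.ssh,keyboxd} w,` so the log shows which path and process actually hits it. The new architecture comment at the top of the file has a few slips worth fixing in the same pass: "Differentiate systemd (PID 1) and `system --user`" should be "`systemd --user`", "mininal" should be "minimal", "Allow the executor profiles to handled stacked profiles" should read "to handle", and "most mount from the unit services" should be "most mounts". The enclosing `systemd` profile body continues outside the hunks shown here.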


@ -1,77 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Profile for generic systemd unit services. Only used by tiny systemd services
# that start a shell or use context specific programs.
# It does not specify an attachment path because it is intended to be used only
# via "Px -> systemd-service" exec transitions from the systemd profile.
abi <abi/4.0>,
include <tunables/global>
profile systemd-service flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability dac_read_search,
capability chown,
capability fsetid,
@{sbin}/ldconfig rix,
@{bin}/savelog rix,
@{bin}/systemctl rix,
@{bin}/gzip rix,
@{coreutils_path} rix,
@{sh_path} rmix,
# ifup@.service
@{bin}/ifup rPx,
# shadow.service
@{sbin}/pwck rPx,
@{sbin}/grpck rPx,
@{bin}/grub-editenv rPx,
@{bin}/ibus-daemon rPx,
@{bin}/* r,
@{lib}/ r,
/var/cache/ldconfig/{,**} rw,
/ r,
/boot/grub/grubenv rw,
/boot/grub/ w,
/var/spool/cron/atjobs/ r,
/var/log/ r,
/var/log/dmesg rw,
/var/log/dmesg.* rwl -> /var/log/dmesg,
# man-db.service
/usr/{,local/}share/man/{,**} r,
/etc/manpath.config r,
/var/cache/man/{,**} rwk,
# snapd.system-shutdown.service
@{run}/initramfs/shutdown rw,
@{run}/initramfs/ rw,
# cockpit.socket
@{run}/cockpit/@{rand8} rw,
@{run}/cockpit/motd w,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
include if exists <usr/systemd-service.d>
include if exists <local/systemd-service>
}
# vim:syntax=apparmor


@ -11,8 +11,6 @@
# Distributions and other programs can add rules in the usr/systemd-user.d directory
# TODO: rework this to get a controlled environment. cf comments in systemd profile.
abi <abi/4.0>,
include <tunables/global>
@ -27,76 +25,46 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
network netlink raw,
signal send set=(term, cont, kill),
signal receive set=hup peer=@{p_systemd},
signal send,
ptrace read peer=@{p_systemd},
ptrace read,
unix type=dgram peer=(label=@{p_sdu}),
unix bind type=stream addr=@@{udbus}/bus/systemd/bus-system,
unix bind type=stream addr=@@{udbus}/bus/systemd/bus-api-user,
#aa:dbus own bus=session name=org.freedesktop.systemd1
@{exec_path} mr,
@{exec_path} mrix,
@{bin}/** Px,
@{lib}/** Px,
/etc/cron.*/* Px,
/opt/*/** Px,
/usr/share/*/** Px,
# Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.)
@{lib}/systemd/systemd-executor mPx -> sdu,
# Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.)
@{lib}/systemd/systemd-executor ix,
# Unit services using systemctl
@{bin}/systemctl Cx -> systemctl,
# Shell based ystemd unit services
@{coreutils_path} Px -> systemd-user-service,
@{sh_path} Px -> systemd-user-service,
# Dbus needs to be started without environment scrubbing
@{bin}/dbus-broker px -> dbus-session,
@{bin}/dbus-broker-launch px -> dbus-session,
@{bin}/dbus-daemon px -> dbus-session,
@{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session,
# Audio profiles need to be stacked
#aa:stack pipewire pipewire-media-session pipewire-pulse pulseaudio wireplumber
@{bin}/pipewire Px -> systemd-user//&pipewire,
@{bin}/pipewire-media-session Px -> systemd-user//&pipewire-media-session,
@{bin}/pipewire-pulse Px -> systemd-user//&pipewire-pulse,
@{bin}/pulseaudio Px -> systemd-user//&pulseaudio,
@{bin}/wireplumber Px -> systemd-user//&wireplumber,
/usr/ r,
/usr/share/defaults/**.conf r,
# Systemd user generators. Profiles must exist
@{lib}/systemd/user-environment-generators/* Px,
@{lib}/systemd/user-generators/* Px,
@{etc_ro}/environment r,
/etc/systemd/user.conf r,
/etc/systemd/user.conf.d/{,**} r,
/etc/systemd/user/{,**} r,
/ r,
owner @{HOME}/.local/ w,
owner @{user_config_dirs}/systemd/user/{,**} rw,
@{run}/systemd/users/@{uid} r,
owner @{run}/user/@{uid}/ rw,
owner @{run}/user/@{uid}/** rwkl,
@{run}/mount/utab r,
@{run}/systemd/notify w,
@{run}/systemd/oom/io.systemd.ManagedOOM rw,
@{run}/udev/data/+backlight:* r,
@{run}/udev/data/+leds:*backlight* r,
@{run}/udev/data/+module:configfs r,
@{run}/udev/data/+module:fuse r,
@{run}/udev/data/b254:@{int} r, # for /dev/zram*
@{run}/udev/data/c4:@{int} r, # For TTY devices
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
@{run}/udev/data/c116:@{int} r, # for ALSA
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{run}/udev/data/n@{int} r,
@{run}/udev/tags/systemd/ r,
@ -108,14 +76,11 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
@{sys}/devices/**/uevent r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r,
@{sys}/module/apparmor/parameters/enabled r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/comm r,
@{PROC}/@{pids}/stat r,
@{PROC}/1/environ r,
@{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/comm r,
@{PROC}/@{pid}/stat r,
@{PROC}/cmdline r,
@{PROC}/pressure/* r,
@{PROC}/swaps r,
@ -124,20 +89,15 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
@{PROC}/sys/kernel/overflowgid r,
@{PROC}/sys/kernel/overflowuid r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sys/kernel/threads-max r,
owner @{PROC}/@{pid}/coredump_filter r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fdinfo/@{int} r,
owner @{PROC}/@{pid}/gid_map r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/oom_score_adj rw,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/uid_map r,
owner @{PROC}/@{pids}/fd/ r,
owner @{PROC}/@{pids}/oom_score_adj rw,
/dev/kmsg w,
/dev/tty rw,
deny capability bpf,
deny capability dac_override,
@ -149,16 +109,6 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
deny capability sys_boot,
deny capability sys_resource,
profile systemctl {
include <abstractions/base>
include <abstractions/app/systemctl>
deny capability net_admin,
include if exists <usr/systemd-user_systemctl.d>
include if exists <local/systemd-user_systemctl>
}
include if exists <usr/systemd-user.d>
include if exists <local/systemd-user>
}


@ -1,23 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Profile for generic systemd unit services. Only used by tiny systemd services
# that start a shell or use context specific programs.
# It does not specify an attachment path because it is intended to be used only
# via "Px -> systemd-user-service" exec transitions from the systemd-user profile.
abi <abi/4.0>,
include <tunables/global>
profile systemd-user-service flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include if exists <usr/systemd-user-service.d>
include if exists <local/systemd-user-service>
}
# vim:syntax=apparmor


@ -30,7 +30,7 @@ profile apt-listchanges @{exec_path} {
@{pager_path} Cx -> pager,
@{bin}/dpkg Px -> child-dpkg,
@{bin}/exim4 Px, # Send results using email
@{sbin}/exim4 Px, # Send results using email
/usr/share/apt-listchanges/{,**} r,


@ -8,7 +8,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/apt/methods/http{,s}
profile apt-methods-http @{exec_path} {
profile apt-methods-http @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@ -23,10 +23,11 @@ profile apt-methods-http @{exec_path} {
network inet6 stream,
network netlink raw,
signal receive peer=@{p_apt_news},
signal receive peer=@{p_packagekitd},
signal receive peer=apt-get,
signal receive peer=apt,
signal receive peer=aptitude,
signal receive peer=@{p_packagekitd},
signal receive peer=role_*,
signal receive peer=synaptic,
signal receive peer=ubuntu-advantage,
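Review bot: The profile header now carries `flags=(attach_disconnected)` without a comment saying which disconnected path made it necessary. This flag makes paths detached from the namespace root match rules as if they sat under `/`, so it widens what the profile's file rules can reach, and a why-comment keeps the next maintainer from either dropping it or copying it into other profiles by habit. Suggested line above the `profile` header: `# attach_disconnected: <observed disconnected path — TODO confirm>`. The profile body continues outside both hunks.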


@ -27,7 +27,7 @@ profile debsecan @{exec_path} {
@{sh_path} rix,
# Send results using email
@{bin}/exim4 rPx,
@{sbin}/exim4 rPx,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,


@ -30,6 +30,7 @@ profile dpkg-script-apparmor @{exec_path} {
/var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions,
/var/lib/dpkg/info/*.list r,
/var/lib/dpkg/info/format r,
/var/lib/dpkg/status r,
/var/lib/dpkg/triggers/File r,
/var/lib/dpkg/triggers/Unincorp r,


@ -32,6 +32,9 @@ profile dpkg-script-systemd @{exec_path} {
/etc/systemd/system/*.wants/ rw,
/etc/systemd/system/*.wants/* rw,
/etc/pam.d/sed@{rand6} rw,
/etc/pam.d/common-password rw,
/var/lib/systemd/{,*} rw,
/var/log/journal/ rw,
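Review bot: The `rw` rules on `/etc/pam.d/common-password` and `/etc/pam.d/sed@{rand6}` let a maintainer-script profile rewrite the PAM password stack, and nothing in the hunk says which package script does this. The `sed@{rand6}` pattern looks like a `sed -i` temporary file, so the intent is presumably an in-place edit; a one-line comment above the pair, e.g. `# systemd maintainer script edits the PAM password stack in place (sed -i temp file)`, would let a reviewer confirm the scope is deliberate rather than a log-driven catch-all. The enclosing profile continues outside the hunk.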


@ -47,6 +47,7 @@ profile dpkg-scripts @{exec_path} {
@{sbin}/update-rc.d Cx -> rc,
# Maintainer scripts can legitimately start/restart anything
# PU is only used as a safety fallback.
@{bin}/** PUx,
@{sbin}/** PUx,
@{lib}/** PUx,
@ -75,6 +76,8 @@ profile dpkg-scripts @{exec_path} {
include <abstractions/app/bus>
include <abstractions/bus-system>
capability dac_read_search,
dbus send bus=system path=/
interface=org.freedesktop.DBus
member=ReloadConfig


@ -40,7 +40,7 @@ profile reportbug @{exec_path} {
@{bin}/stty rix,
/usr/share/reportbug/handle_bugscript rix,
@{bin}/exim4 rPx,
@{sbin}/exim4 rPx,
@{bin}/apt-cache rPx,
@{bin}/debconf-show rPx,
@{bin}/debsums rPx,


@ -30,6 +30,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
capability setuid,
capability sys_nice,
network inet dgram,
network inet6 dgram,
network netlink raw,
signal send peer=apt-methods-http,


@ -17,7 +17,7 @@ profile avahi-browse @{exec_path} {
dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int}
interface=org.freedesktop.Avahi.ServiceTypeBrowser
member={ItemNew,AllForNow,CacheExhausted}
peer=(name=:*, label=avahi-daemon),
peer=(name=:*, label="@{p_avahi_daemon}"),
@{exec_path} mr,


@ -17,12 +17,12 @@ profile avahi-resolve @{exec_path} {
dbus send bus=system path=/Client@{int}/AddressResolver@{int}
interface=org.freedesktop.Avahi.AddressResolver
member={Free,HostNameResolverNew}
peer=(name=:*, label=avahi-daemon),
peer=(name=:*, label="@{p_avahi_daemon}"),
dbus receive bus=system path=/Client@{int}/AddressResolver@{int}
interface=org.freedesktop.Avahi.AddressResolver
member={Failure,Found}
peer=(name=:*, label=avahi-daemon),
peer=(name=:*, label="@{p_avahi_daemon}"),
@{exec_path} mr,


@ -15,7 +15,7 @@ profile bluetoothctl @{exec_path} {
network bluetooth raw,
#aa:dbus talk bus=system name=org.bluez label=bluetoothd
#aa:dbus talk bus=system name=org.bluez label="@{p_bluetoothd}"
@{exec_path} mr,


@ -22,7 +22,7 @@ profile obexd @{exec_path} {
dbus receive bus=system path=/org/bluez/obex/@{uuid}
interface=org.bluez.Profile1
member=Release
peer=(name=:*, label=bluetoothd),
peer=(name=:*, label="@{p_bluetoothd}"),
@{exec_path} mr,


@ -15,6 +15,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
include <abstractions/dconf-write>
include <abstractions/nameservice-strict>
signal receive set=kill peer=@{p_systemd_user},
signal receive set=term peer=ibus-daemon,
dbus receive bus=session


@ -17,7 +17,7 @@ profile anacron @{exec_path} {
@{sh_path} rix,
@{bin}/run-parts rCx -> run-parts,
@{bin}/exim4 rPx,
@{sbin}/exim4 rPx,
/ r,
/etc/anacrontab r,


@ -28,7 +28,7 @@ profile cron @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{sh_path} rix,
@{bin}/exim4 rPx,
@{sbin}/exim4 rPx,
@{bin}/ionice rix,
@{bin}/nice rix,
@{bin}/run-parts rCx -> run-parts,


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{sbin}/cron-apt
@{exec_path} = @{bin}/cron-apt
profile cron-apt @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -46,7 +46,7 @@ profile cron-apt @{exec_path} {
@{bin}/apt-get rPx,
@{bin}/apt-file rPx,
@{bin}/aptitude{,-curses} rPx,
@{bin}/exim4 rPx,
@{sbin}/exim4 rPx,
/usr/share/cron-apt/{,*} r,


@ -34,10 +34,10 @@ profile cron-exim4-base @{exec_path} {
@{bin}/hostname rix,
@{bin}/xargs rix,
@{bin}/find rix,
@{bin}/eximstats rix,
@{sbin}/eximstats rix,
@{bin}/exim4 rPx,
@{bin}/exim_tidydb rix,
@{sbin}/exim4 rPx,
@{sbin}/exim_tidydb rix,
@{sbin}/start-stop-daemon rix,
@{sbin}/runuser rix,


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{sbin}/crontab
@{exec_path} = @{bin}/crontab
profile crontab @{exec_path} {
include <abstractions/base>
include <abstractions/authentication>


@ -29,7 +29,7 @@ profile cups-browsed @{exec_path} {
dbus receive bus=system path=/
interface=org.freedesktop.Avahi.Server
member=StateChanged
peer=(name=:*, label=avahi-daemon),
peer=(name=:*, label="@{p_avahi_daemon}"),
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager


@ -54,7 +54,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
@{bin}/gs rix,
@{bin}/gsc rix,
@{bin}/hostname rix,
@{sbin}/ippfind rix,
@{bin}/ippfind rix,
@{bin}/mktemp rix,
@{bin}/printenv rix,
@{python_path} rix,


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/btrfs-find-root
@{exec_path} = @{sbin}/btrfs-find-root
profile btrfs-find-root @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>


@ -65,8 +65,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
signal receive set=int peer=@{p_systemd},
#aa:dbus own bus=system name=org.freedesktop.UDisks2
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
#aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd
#aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
#aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
@{exec_path} mr,


@ -35,8 +35,8 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
@{bin}/alts ix,
@{bin}/false ix,
@{bin}/kmod Cx -> kmod,
@{sbin}/ebtables-legacy ix,
@{sbin}/ebtables-legacy-restore ix,
@{bin}/ebtables-legacy ix,
@{bin}/ebtables-legacy-restore ix,
@{sbin}/ipset ix,
@{sbin}/xtables-legacy-multi ix,
@{sbin}/xtables-nft-multi mix,


@ -41,8 +41,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
signal send peer=flatpak-app,
#aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper
#aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
#aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd
#aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
#aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
dbus send bus=session path=/org/freedesktop/portal/documents
interface=org.freedesktop.portal.Documents


@ -65,7 +65,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
@{bin}/gtk{,4}-update-icon-cache rPx -> flatpak-app//&gtk-update-icon-cache,
@{bin}/update-desktop-database rPx -> flatpak-app//&update-desktop-database,
@{sbin}/update-mime-database rPx -> flatpak-app//&update-mime-database,
@{bin}/update-mime-database rPx -> flatpak-app//&update-mime-database,
@{bin}/xdg-dbus-proxy rPx -> flatpak-app//&xdg-dbus-proxy,
@{lib}/kf5/kioslave5 rPx,


@ -23,6 +23,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
#aa:dbus own bus=system name=org.freedesktop.ColorManager
@{exec_path} mrix,
@{lib}/colord-sane ix,
/etc/machine-id r,
/etc/sane.d/{,**} r,
@ -44,8 +45,8 @@ profile colord @{exec_path} flags=(attach_disconnected) {
owner /var/lib/snmp/mibs/{iana,ietf}/ r,
owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r,
@{att}/@{desktop_share_dirs}/icc/edid-*.icc r,
@{att}/@{user_share_dirs}/icc/edid-*.icc r,
@{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r,
@{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r,
@{run}/systemd/sessions/* r,


@ -11,15 +11,18 @@ include <tunables/global>
profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/nameservice-strict>
capability sys_ptrace,
ptrace (read),
ptrace read,
@{exec_path} mr,
@{bin}/pactl rix,
@{bin}/pipewire mr,
/usr/share/pipewire/{,**} r,
@ -38,6 +41,9 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/dmi/id/board_vendor r,
@{sys}/devices/virtual/dmi/id/bios_vendor r,
@{sys}/module/apparmor/parameters/enabled r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
include if exists <local/pipewire-pulse>
}


@ -50,12 +50,12 @@ profile pulseaudio @{exec_path} {
dbus receive bus=system path=/Client@{int}/ServiceResolver@{int}
interface=org.freedesktop.Avahi.ServiceResolver
member=Found
peer=(name=:*, label=avahi-daemon),
peer=(name=:*, label="@{p_avahi_daemon}"),
dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
interface=org.freedesktop.Avahi.ServiceBrowser
member=ItemRemove
peer=(name=:*, label=avahi-daemon),
peer=(name=:*, label="@{p_avahi_daemon}"),
dbus send bus=system path=/
interface=org.freedesktop.DBus.ObjectManager
@ -65,7 +65,7 @@ profile pulseaudio @{exec_path} {
dbus send bus=system path=/Client@{int}/ServiceResolver@{int}
interface=org.freedesktop.Avahi.ServiceResolver
member={Found,Free}
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
@{exec_path} mrix,


@ -13,7 +13,7 @@ profile upower @{exec_path} {
include <abstractions/bus-system>
include <abstractions/consoles>
#aa:dbus own bus=system name=org.freedesktop.UPower label=upowerd
#aa:dbus own bus=system name=org.freedesktop.UPower label="@{p_upowerd}"
@{exec_path} mr,


@ -75,6 +75,10 @@ profile wireplumber @{exec_path} {
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{PROC}/1/cgroup r,
@{PROC}/1/cmdline r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/dev/media@{int} rw,


@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/xdg-desktop-portal-gnome
profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/org.a11y>
@ -17,6 +17,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/bus/org.gnome.Shell.Introspect>
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/deny-sensitive-home>
include <abstractions/fontconfig-cache-write>
@ -27,8 +28,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
network unix stream,
signal (receive) set=term peer=gdm,
signal (receive) set=(hup term) peer=gdm-session-worker,
signal receive set=term peer=gdm,
signal receive set=(hup term) peer=gdm-session-worker,
#aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome
#aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal
@ -40,6 +41,11 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
member=RunningApplicationsChanged
peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal),
dbus send bus=session path=/org/gtk/Notifications
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gnome-shell),
@{exec_path} mr,
/ r,
@ -63,12 +69,16 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/.goutputstream-@{rand6} rw,
owner @{tmp}/@{rand6} rw,
owner @{tmp}/gtkprint_ppd_@{rand6} rw,
owner @{tmp}/gtkprint@{rand6} r,
owner @{tmp}/xdg-desktop-portal-gnome@{rand6} rw,
@{run}/mount/utab r,
owner @{PROC}/@{pid}/ r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/status r,


@ -47,11 +47,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
member=GetAll
peer=(name=:*, label=gnome-shell),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=:*, label=gnome-shell),
@{exec_path} mr,
/usr/share/gdm/greeter-dconf-defaults r,


@ -9,9 +9,9 @@ include <tunables/global>
@{exec_path} = @{bin}/xdg-user-dirs-gtk-update
profile xdg-user-dirs-gtk-update @{exec_path} {
include <abstractions/base>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/dbus-accessibility>
include <abstractions/dbus-session>
include <abstractions/gtk>
@{exec_path} mr,
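Review bot: The two include sets in this hunk differ only in abstraction naming (`bus-accessibility`/`bus-session` plus `bus/org.gtk.vfs.MountTracker` versus `dbus-accessibility`/`dbus-session`), and with the +/- markers lost the print order does not show which set is the new side. Every other profile touched on this page uses the `bus-*` spelling (xdg-desktop-portal-gnome, gjs-console, loupe), so the new side should be the `bus-*` set; if the `dbus-*` lines are the additions, this hunk reintroduces the old naming and drops the `org.gtk.vfs.MountTracker` include. The profile body continues outside the hunk.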


@ -48,7 +48,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
dbus send bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.login1.Session
member=ReleaseControl
peer=(name=org.freedesktop.login1, label=systemd-logind),
peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
@{exec_path} mrix,


@ -34,8 +34,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
#aa:dbus own bus=system name=org.gnome.DisplayManager
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
#aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
#aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
#aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
@{exec_path} mr,


@ -49,13 +49,13 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system,
#aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
#aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label=systemd-homed
#aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
#aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}"
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={*Session,CreateSessionWithPIDFD}
peer=(name=org.freedesktop.login1, label=systemd-logind),
peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
@{exec_path} mrix,


@ -14,12 +14,13 @@ include <tunables/global>
@{exec_path} = @{bin}/gjs-console
profile gjs-console @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/bus/org.gnome.Shell.Introspect>
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-write>
include <abstractions/gnome-strict>
@ -28,7 +29,9 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
network netlink raw,
signal (receive) set=(term hup) peer=gdm*,
unix type=stream peer=(label=gnome-shell),
signal receive set=(term hup) peer=gdm*,
#aa:dbus own bus=session name=org.freedesktop.Notifications
#aa:dbus own bus=session name=org.gnome.ScreenSaver


@ -32,7 +32,7 @@ profile gnome-calendar @{exec_path} {
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry
#aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon
#aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color
#aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label=geoclue
#aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}"
dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**}
interface=org.freedesktop.DBus.ObjectManager


@ -29,7 +29,6 @@ profile gnome-characters @{exec_path} {
/usr/share/xml/iso-codes/{,**} r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/status r,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
include if exists <local/gnome-characters>


@ -39,24 +39,28 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
#aa:dbus own bus=session name=org.bluez.obex.Agent1
#aa:dbus talk bus=session name=org.bluez.obex label=obexd
#aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store
#aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell
#aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary
#aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color
#aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Power label=gsd-power
#aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill
#aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell
#aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences
#aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control
#aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label=fprintd
#aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
#aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}"
#aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
#aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd
#aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
#aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label=ModemManager
#aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}"
#aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
#aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}"
#aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager
#aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd
#aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
#aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
#aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd
#aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd
#aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon
#aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}"
#aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon}
@{exec_path} mr,
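Review bot: The converted directive `#aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon}` is the only one in this hunk whose label is not quoted; every other new `label="@{p_...}"` on this page is double-quoted, and the same unquoted form appears in the gnome-shell hunk for the same name. If the prebuild directive parser accepts both, this is only a consistency issue, but the generated rule is easier to audit if the line reads `label="@{p_power_profiles_daemon}"`. The profile body continues outside the hunk.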


@ -65,9 +65,10 @@ profile gnome-extension-gsconnect @{exec_path} {
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/status r,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
deny @{user_share_dirs}/gvfs-metadata/* r,
include if exists <local/gnome-extension-gsconnect>
}


@ -20,8 +20,8 @@ profile gnome-firmware @{exec_path} {
network inet6 stream,
network netlink raw,
#aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
#aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/
#aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
@{exec_path} mr,
@{open_path} rPx -> child-open-help,


@ -33,7 +33,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member=GetSession
peer=(name=org.freedesktop.login1, label=systemd-logind),
peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
@{exec_path} mr,


@ -32,7 +32,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
signal (send) set=(term) peer=gsd-*,
#aa:dbus own bus=session name=org.gnome.SessionManager
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
#aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
@ -60,6 +60,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/greeter/autostart/{,*.desktop} r,
/usr/share/gnome-session/hardware-compatibility r,
/usr/share/gnome-session/sessions/*.session r,
/usr/share/gnome-shell/extensions/ r,
/usr/share/gnome-shell/extensions/*/metadata.json r,
/usr/share/gnome/autostart/{,*.desktop} r,
@ -69,6 +70,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
owner @{gdm_config_dirs}/dconf/user rw,
owner @{gdm_config_dirs}/gnome-session/ rw,
owner @{gdm_config_dirs}/gnome-session/saved-session/ rw,
owner @{gdm_config_dirs}/user-dirs.dirs r,
owner @{GDM_HOME}/greeter-dconf-defaults r,
owner @{gdm_share_dirs}/applications/{,**} r,


@ -56,11 +56,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
network netlink raw,
network unix stream,
ptrace (read),
ptrace (readby) peer=pipewire,
ptrace read,
ptrace readby peer=pipewire,
signal (receive) set=(term, hup) peer=gdm*,
signal (send),
signal receive set=(term, hup) peer=gdm*,
signal send,
unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),
unix (send,receive) type=stream addr=none peer=(label=xkbcomp),
@ -83,11 +83,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
# Talk with gnome-shell
#aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
#aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
#aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd
#aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
#aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon
#aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}"
#aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
#aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon}
#aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
#aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
@ -103,11 +103,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
member=RegisterAuthenticationAgent
peer=(name=:*, label=polkitd),
peer=(name=:*, label="@{p_polkitd}"),
dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent
interface=org.freedesktop.PolicyKit1.AuthenticationAgent
member=BeginAuthentication
peer=(name=:*, label=polkitd),
peer=(name=:*, label="@{p_polkitd}"),
dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager
interface=org.freedesktop.NetworkManager.AgentManager
@ -185,8 +185,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/usr/share/gnome-shell/extensions/*/** rPUx,
/opt/**/share/icons/{,**} r,
/snap/*/@{uid}/**.png r,
/usr/share/**.{png,jpg,svg} r,
/snap/*/@{uid}/**.@{image_ext} r,
/usr/share/**.@{image_ext} r,
/usr/share/**/icons/{,**} r,
/usr/share/backgrounds/{,**} r,
/usr/share/byobu/desktop/byobu* r,
@ -241,25 +241,28 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{HOME}/.face r,
owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
owner @{HOME}/.mozilla/native-messaging-hosts/ r,
owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json rw,
owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json.@{rand6} rw,
owner @{HOME}/.mozilla/native-messaging-hosts/ rw,
owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.*.json{,.@{rand6}} rw,
owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,
owner @{HOME}/.var/app/**.{png,jpg,svg} r,
owner @{HOME}/.var/app/**.@{image_ext} r,
owner @{HOME}/.var/app/**/ r,
owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw,
owner @{user_games_dirs}/**.{png,jpg,svg} r,
owner @{user_music_dirs}/**.{png,jpg,svg} r,
owner @{user_games_dirs}/**.@{image_ext} r,
owner @{user_music_dirs}/**.@{image_ext} r,
owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw,
owner @{user_config_dirs}/**/NativeMessagingHosts/ rw,
owner @{user_config_dirs}/**/NativeMessagingHosts/org.gnome.shell.*.json{,.@{rand6}} rw,
owner @{user_config_dirs}/background r,
owner @{user_config_dirs}/ibus/ w,
owner @{user_config_dirs}/monitors.xml{,~} rwl,
owner @{user_config_dirs}/tiling-assistant/{,**} rw,
owner @{user_share_dirs}/backgrounds/{,**} rw,
owner @{user_share_dirs}/dbus-1/services/ r,
owner @{user_share_dirs}/dbus-1/services/org.gnome.shell.*.service{,.@{rand6}} rw,
owner @{user_share_dirs}/desktop-directories/{,**} r,
owner @{user_share_dirs}/gnome-shell/{,**} rw,
owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
@ -267,9 +270,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_share_dirs}/icc/ rw,
owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw,
owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,
owner @{user_share_dirs}/icons/**/org.gnome.shell.*.svg{,.@{rand6}} w,
owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop rw,
owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop.@{rand6} w,
owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw,
owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r,
owner @{user_cache_dirs}/gnome-boxes/*.png r,
owner @{user_cache_dirs}/gnome-photos/{,**} r,
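Review bot: The new rule `/snap/*/@{uid}/**.@{image_ext} r,` keeps `@{uid}` where the path component is a snap revision number, not a user id; the variable only matches because it expands to digits. `@{int}` is the tunable used for numeric components elsewhere on this page (the udev data rules in the systemd-user hunk), so `/snap/*/@{int}/**.@{image_ext} r,` states the intent and will not silently break if `@{uid}` is ever narrowed. Separately, the widened `org.gnome.shell.*` globs for native-messaging manifests, `dbus-1/services` activation files and `.desktop` entries would benefit from a why-comment, since the removed lines named GSConnect but the new ones do not, e.g. `# Shell extensions (e.g. GSConnect) install their own browser and D-Bus activation manifests`. The profile body continues outside the hunks.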


@ -28,7 +28,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
#aa:dbus own bus=session name=org.gnome.SettingsDaemon.Color
#aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
#aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}"
dbus receive bus=session path=/org/gtk/Settings
interface=org.freedesktop.DBus.Properties
@ -45,10 +45,10 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
owner @{GDM_HOME}/greeter-dconf-defaults r,
owner @{gdm_config_dirs}/dconf/user r,
owner @{gdm_share_dirs}/icc/ rw,
owner @{gdm_share_dirs}/icc/edid-*.icc rw,
owner @{gdm_share_dirs}/icc/edid-@{hex32}icc rw,
owner @{user_share_dirs}/icc/ rw,
owner @{user_share_dirs}/icc/edid-*.icc rw,
owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,
include if exists <local/gsd-color>
}
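Review bot: `owner @{gdm_share_dirs}/icc/edid-@{hex32}icc rw,` is missing the dot before the extension, so it matches `edid-<hex>icc` rather than `edid-<hex>.icc`, and gsd-color running in the greeter session will be denied the file the old `edid-*.icc` rule allowed. The sibling user rule two lines below has the correct form, so the line should read `owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw,`. The same `edid-@{hex32}.icc` spelling is used in the colord hunk.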


@ -24,10 +24,10 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
#aa:dbus own bus=session name=org.gnome.SettingsDaemon.Housekeeping
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=:*, label=gnome-shell),
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=Subscribe
peer=(name=org.freedesktop.systemd1),
@{exec_path} mr,
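Review bot: The added `dbus send bus=session path=/org/freedesktop/systemd1 ... member=Subscribe` rule constrains the peer only by `name=org.freedesktop.systemd1`, while the rest of this diff pins D-Bus peers by label as well. On the session bus that name is owned by the user's systemd instance, whose label this page already references as `@{p_systemd_user}`, so `peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}")` would keep the rule from matching any other confined process that manages to claim the name. The profile body continues outside the hunk.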


@ -38,7 +38,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member=PowerOff
peer=(name=:*, label=systemd-logind),
peer=(name=:*, label="@{p_systemd_logind}"),
dbus send bus=session path=/
interface=org.freedesktop.DBus


@ -43,7 +43,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight
interface=org.freedesktop.UPower.KbdBacklight
member=GetBrightness
peer=(name=:*, label=upowerd),
peer=(name=:*, label="@{p_upowerd}"),
dbus receive bus=session path=/org/gtk/Settings
interface=org.freedesktop.DBus.Properties


@ -17,6 +17,7 @@ profile gsd-xsettings @{exec_path} {
include <abstractions/bus/org.gnome.Mutter.DisplayConfig>
include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/bus/org.gnome.Shell.Introspect>
include <abstractions/bus/org.gtk.vfs.Daemon>
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-read>
@ -33,21 +34,19 @@ profile gsd-xsettings @{exec_path} {
#aa:dbus own bus=session name=org.gnome.SettingsDaemon.XSettings
#aa:dbus own bus=session name=org.gtk.Settings
#aa:dbus talk bus=session name=org.gnome.Mutter.X11 label=gnome-shell
dbus send bus=system path=/org/freedesktop/Accounts/User@{uid}
interface=org.freedesktop.Accounts.User
member=SetInputSources
peer=(name=:*, label=accounts-daemon),
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetId
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
peer=(name=:*, label="@{p_accounts_daemon}"),
@{exec_path} mr,
@{sh_path} mr,
@{bin}/cat rix,
@{bin}/sed rix,
@{bin}/which rix,
@{bin}/which{,.debianutils} rix,
@{bin}/busctl rPx,
@{bin}/pactl rPx,


@ -9,18 +9,29 @@ include <tunables/global>
@{exec_path} = @{bin}/loupe
profile loupe @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/dconf-write>
include <abstractions/gnome-strict>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/thumbnails-cache-write>
include <abstractions/trash-strict>
include <abstractions/user-read-strict>
include <abstractions/user-write-strict>
unix type=stream peer=(label=loupe//bwrap),
signal send set=kill peer=loupe//bwrap,
#aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=@{busname}, label=@{p_systemd_hostnamed}),
@{exec_path} mr,
@{bin}/bwrap rCx -> bwrap,
@ -33,6 +44,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/glycin/{,**} rw,
@{run}/mount/utab r,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
@{sys}/fs/cgroup/user.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
@ -51,6 +63,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/common/bwrap>
unix type=stream peer=(label=loupe),
signal receive set=kill peer=loupe,
@{bin}/bwrap mr,
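Review bot: The new hostname1 rule in the first loupe hunk writes the peer label unquoted, `label=@{p_systemd_hostnamed}`, while every other `@{p_*}` label this commit introduces is quoted (`label="@{p_colord}"`, `label="@{p_systemd_logind}"`, `label="@{p_upowerd}"`, `label="@{p_accounts_daemon}"`). If the parser accepts the bare form this is only a consistency point, but since these variables are what the FSP mapping rewrites, one spelling across the tree avoids a rule that silently stops matching when the mapped value changes shape. Suggested line: `peer=(name=@{busname}, label="@{p_systemd_hostnamed}"),`. The matching `unix`/`signal` pairs between `loupe` and `loupe//bwrap` in the first and third hunks look symmetric, so nothing to raise there.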


@ -28,13 +28,21 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
mqueue r type=posix /,
unix type=stream peer=(label=gnome-shell),
#aa:dbus own bus=session name=org.freedesktop.FileManager1
#aa:dbus own bus=session name=org.gnome.Nautilus interface+="org.gtk.{Application,Actions}"
#aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2
#aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center
#aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell
#aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
#aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell
#aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
dbus send bus=session path=/org/gnome/Mutter/ServiceChannel
interface=org.gnome.Mutter.ServiceChannel
member=OpenWaylandServiceConnection
peer=(name=@{busname}, label=gnome-shell),
dbus (send, receive) bus=session path=/org/gtk/Application/CommandLine
interface=org.gtk.private.CommandLine


@ -28,6 +28,8 @@ profile ptyxis @{exec_path} {
owner @{user_share_dirs}/org.gnome.Ptyxis/ rw,
owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**,
owner /tmp/#@{int} w,
/dev/ptmx rw,
include if exists <local/ptyxis>
