felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): initial integration with attached path.

Browse source 
The feature is not yet enabled.

See https://apparmor.pujol.io/development/internal/#re-attached-path
This commit is contained in:
Alexandre Pujol 2024-10-11 14:13:17 +01:00
parent 5bf8c6ef0f
commit 61a27bc336
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
85 changed files with 164 additions and 139 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/groups/gnome/gdm-session-worker
View file

@ -114,13 +114,13 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
owner @{run}/gdm{3,}/dbus/ w,
owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w,
@{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw,
@{run}/cockpit/active.motd r,
@{run}/faillock/@{user} rwk,
@{run}/fscrypt/ rw,
@{run}/fscrypt/@{uid}.count rwk,
@{run}/motd.d/{,*} r,
@{run}/systemd/sessions/* r,
@{run}/systemd/sessions/*.ref rw,
@{run}/systemd/users/@{uid} r,
@{run}/utmp rwk,

2
apparmor.d/groups/gnome/gjs-console
View file

@ -14,6 +14,7 @@ include <tunables/global>
@{exec_path} = @{bin}/gjs-console
profile gjs-console @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.portal.Desktop>
@ -85,7 +86,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
/dev/ r,
/dev/tty rw,
/dev/tty@{int} rw,
include if exists <local/gjs-console>
}

1
apparmor.d/groups/gnome/gnome-keyring-daemon
View file

@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/gnome-keyring-daemon
profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.login1.Session>

2
apparmor.d/groups/gnome/gnome-music
View file

@ -48,7 +48,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/grilo-plugins/ rwk,
owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
@{run}/systemd/inhibit/@{int}.ref rw,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw,
owner /var/tmp/etilqs_@{hex15} rw,

7
apparmor.d/groups/gnome/gnome-session-binary
View file

@ -79,9 +79,10 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
owner @{user_config_dirs}/gnome-session/ rw,
owner @{user_config_dirs}/gnome-session/saved-session/ rw,
@{run}/systemd/inhibit/@{int}.ref rw,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
@{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw,
@{run}/systemd/sessions/* r,
@{run}/systemd/sessions/*.ref rw,
@{run}/systemd/users/@{uid} r,
owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
owner @{run}/user/@{uid}/ICEauthority rw,
@ -104,6 +105,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
profile open flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/desktop>
@{bin}/env rix,
@ -119,7 +121,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
/usr/games/** PUx,
/dev/tty rw,
/dev/tty@{int} rw,
include if exists <usr/gnome-session-binary_open.d>
include if exists <local/gnome-session-binary_open>

15
apparmor.d/groups/gnome/gnome-shell
View file

@ -207,8 +207,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/usr/share/xml/iso-codes/{,**} r,
@{system_share_dirs}/gnome-shell/{,**} r,
/ r,
/.flatpak-info r,
/etc/fstab r,
/etc/timezone r,
/etc/tpm2-tss/*.json r,
@ -220,6 +218,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/var/lib/flatpak/app/**/gnome-shell/{,**} r,
/var/lib/flatpak/appstream/**/icons/** r,
owner @{att}/ r,
owner @{att}/.flatpak-info r,
owner @{GDM_HOME}/greeter-dconf-defaults r,
owner @{gdm_cache_dirs}/ w,
owner @{gdm_cache_dirs}/event-sound-cache.tdb.@{hex32}.@{multiarch} rwk,
@ -293,11 +294,12 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{tmp}/@{rand6}.shell-extension.zip rw,
owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/systemd/users/@{uid} r,
@{run}/systemd/seats/seat@{int} r,
@{run}/systemd/sessions/ r,
@{run}/systemd/sessions/* r,
@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/udev/tags/seat/ r,
@ -365,9 +367,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
/dev/input/event@{int} rw,
/dev/media@{int} rw,
/dev/tty@{int} rw,
/dev/media@{int} rw,
/dev/tty@{int} rw,
@{att}/dev/dri/card@{int} rw,
@{att}/dev/input/event@{int} rw,
profile shell flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base>

2
apparmor.d/groups/gnome/gnome-software
View file

@ -111,7 +111,7 @@ profile gnome-software @{exec_path} {
owner /dev/shm/flatpak-com.*/ rw,
owner /dev/shm/flatpak-com.*/.flatpak-tmpdir rw,
@{run}/systemd/inhibit/@{int}.ref rw,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/systemd/sessions/@{int} r,
@{run}/systemd/users/@{uid} r,

3
apparmor.d/groups/gnome/gsd-a11y-settings
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-a11y-settings
profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/bus-session>
include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/dconf-write>
@ -31,8 +32,6 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
@{gdm_config_dirs}/dconf/user r,
@{GDM_HOME}/greeter-dconf-defaults r,
owner /dev/tty@{int} rw,
include if exists <local/gsd-a11y-settings>
}

3
apparmor.d/groups/gnome/gsd-color
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-color
profile gsd-color @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/bus-system>
@ -49,8 +50,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/icc/ rw,
owner @{user_share_dirs}/icc/edid-*.icc rw,
owner /dev/tty@{int} rw,
include if exists <local/gsd-color>
}

3
apparmor.d/groups/gnome/gsd-datetime
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-datetime
profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/bus-session>
include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/dconf-write>
@ -49,8 +50,6 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/fdinfo/@{int} r,
owner @{PROC}/@{pid}/stat r,
owner /dev/tty@{int} rw,
include if exists <local/gsd-datetime>
}

3
apparmor.d/groups/gnome/gsd-housekeeping
View file

@ -10,6 +10,7 @@ include <tunables/global>
profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/app-launcher-user>
include <abstractions/attached/consoles>
include <abstractions/bus-session>
include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/bus/org.gtk.vfs.MountTracker>
@ -46,8 +47,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pids}/cgroup r,
owner @{PROC}/@{pids}/mountinfo r,
owner /dev/tty@{int} rw,
include if exists <local/gsd-housekeeping>
}

3
apparmor.d/groups/gnome/gsd-keyboard
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-keyboard
profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/bus-system>
@ -39,8 +40,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw,
owner @{user_share_dirs}/gnome-settings-daemon/{,input-sources*} rw,
owner /dev/tty@{int} rw,
include if exists <local/gsd-keyboard>
}

5
apparmor.d/groups/gnome/gsd-media-keys
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-media-keys
profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/audio-client>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
@ -72,7 +73,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/recently-used.xbel{,.*} rw,
@{run}/systemd/inhibit/@{int}.ref rw,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/udev/data/+sound:card@{int} r, # For sound card
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@ -86,8 +87,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
@{PROC}/1/cgroup r,
owner @{PROC}/@{pid}/cgroup r,
owner /dev/tty@{int} rw,
include if exists <local/gsd-media-keys>
}

5
apparmor.d/groups/gnome/gsd-power
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-power
profile gsd-power @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/audio-client>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
@ -60,7 +61,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/+leds:* r,
@{run}/systemd/inhibit/@{int}.ref rw,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
@{sys}/bus/ r,
@{sys}/class/ r,
@ -83,8 +84,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
@{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pid}/cgroup r,
owner /dev/tty@{int} rw,
include if exists <local/gsd-power>
}

3
apparmor.d/groups/gnome/gsd-print-notifications
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-print-notifications
profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.Avahi>
@ -38,8 +39,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/fd/ r,
owner /dev/tty@{int} rw,
include if exists <local/gsd-print-notifications>
}

3
apparmor.d/groups/gnome/gsd-printer
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-printer
profile gsd-printer @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/org.gnome.SessionManager>
@ -29,8 +30,6 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/cgroup r,
owner /dev/tty@{int} rw,
include if exists <local/gsd-printer>
}

3
apparmor.d/groups/gnome/gsd-rfkill
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-rfkill
profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.hostname1>
@ -33,8 +34,6 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
owner /dev/tty@{int} rw,
/dev/rfkill rw,
include if exists <local/gsd-rfkill>

3
apparmor.d/groups/gnome/gsd-screensaver-proxy
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-screensaver-proxy
profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/bus-session>
include <abstractions/bus/org.gnome.SessionManager>
@ -24,8 +25,6 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
owner /dev/tty@{int} rw,
include if exists <local/gsd-screensaver-proxy>
}

3
apparmor.d/groups/gnome/gsd-sharing
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-sharing
profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.NetworkManager>
@ -44,8 +45,6 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
@{PROC}/1/cgroup r,
owner @{PROC}/@{pid}/cgroup r,
owner /dev/tty@{int} rw,
include if exists <local/gsd-sharing>
}

3
apparmor.d/groups/gnome/gsd-smartcard
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-smartcard
profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/bus-session>
include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/dconf-write>
@ -42,8 +43,6 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk,
owner /dev/tty@{int} rw,
include if exists <local/gsd-smartcard>
}

3
apparmor.d/groups/gnome/gsd-sound
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-sound
profile gsd-sound @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/audio-client>
include <abstractions/bus-session>
include <abstractions/bus/org.gnome.SessionManager>
@ -36,8 +37,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/sounds/ rw,
owner /dev/tty@{int} rw,
include if exists <local/gsd-sound>
}

3
apparmor.d/groups/gnome/gsd-wacom
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-wacom
profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/bus/org.a11y>
@ -32,8 +33,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
owner @{gdm_config_dirs}/dconf/user r,
owner @{GDM_HOME}/greeter-dconf-defaults r,
owner /dev/tty@{int} rw,
include if exists <local/gsd-wacom>
}

3
apparmor.d/groups/gnome/mutter-x11-frames
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/mutter-x11-frames
profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/attached/consoles>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/bus/org.a11y>
@ -33,8 +34,6 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/cmdline r,
owner /dev/tty@{int} rw,
include if exists <local/mutter-x11-frames>
}