Merge branch 'main' into xdg-open
62d7d7af68
76 changed files with 242 additions and 169 deletions
@ -34,7 +34,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
network netlink dgram,
|
||||
network netlink raw,
|
||||
|
||||
signal (receive) set=(hup),
|
||||
signal receive set=hup,
|
||||
|
||||
@{bin}/bwrap rPx -> bwrap,
|
||||
@{bin}/pipewire-pulse rPx -> systemd//&pipewire-pulse,
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ include <tunables/global>
|
|||
@{cache_dirs} = @{user_cache_dirs}/google-@{name}
|
||||
|
||||
@{exec_path} = @{lib_dirs}/@{name}
|
||||
profile chrome @{exec_path} {
|
||||
profile chrome @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app/chromium>
|
||||
|
||||
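Review bot: `flags=(attach_disconnected)` is added to the chrome profile header without a comment saying which access needs it; the same flag is added in this commit to chromium, chromium-wrapper, the bwrap child profile of gnome-control-center and gnome-tweaks. The flag makes paths on disconnected mounts (typically inside a sandbox's mount namespace) match ordinary absolute-path rules, so it widens what every rule in the profile can match. A one-line comment such as `# attach_disconnected: needed for <observed denial>` on each header would let a later reviewer know when it can be dropped. The chrome profile body continues outside the hunk.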
|
|
|
|||
|
|
@ -14,7 +14,7 @@ include <tunables/global>
|
|||
@{cache_dirs} = @{user_cache_dirs}/@{name}
|
||||
|
||||
@{exec_path} = @{lib_dirs}/@{name}
|
||||
profile chromium @{exec_path} {
|
||||
profile chromium @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app/chromium>
|
||||
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/chromium
|
||||
profile chromium-wrapper @{exec_path} {
|
||||
profile chromium-wrapper @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
|
|
|
|||
|
|
@ -38,12 +38,15 @@ profile epiphany @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/xdg-dbus-proxy rix,
|
||||
@{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix,
|
||||
|
||||
/usr/share/enchant*/{,**} r,
|
||||
|
||||
owner /bindfile@{rand6} rw,
|
||||
owner @{att}/.flatpak-info r,
|
||||
|
||||
owner @{user_config_dirs}/glib-2.0/ w,
|
||||
owner @{user_config_dirs}/glib-2.0/settings/ w,
|
||||
|
||||
owner @{tmp}/ContentRuleList@{rand6} rw,
|
||||
owner @{tmp}/epiphany-*-@{rand6}/{,**} rw,
|
||||
owner @{tmp}/Serialized@{rand9} rw,
|
||||
owner @{tmp}/WebKit-Media-@{rand6} rw,
|
||||
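Review bot: `owner /bindfile@{rand6} rw,` is rooted at `/` rather than under `@{att}/`, while the neighbouring `owner @{att}/.flatpak-info r,` uses the attached prefix; if both come from the same sandbox view of the filesystem, the two rules should agree on the prefix. A comment naming the component that creates `/bindfile@{rand6}` (presumably the xdg-dbus-proxy sandbox referenced at the top of the hunk, confirm) would explain why a transient file at the filesystem root is granted. The epiphany profile continues outside the hunk.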
|
|
|
|||
|
|
@ -17,6 +17,7 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/X-strict>
|
||||
include <abstractions/wayland>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -42,6 +42,9 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
|
|||
owner "@{tmp}/Tor Project*" rwk,
|
||||
owner "@{tmp}/Tor Project*/" rw,
|
||||
owner "@{tmp}/Tor Project*/**" rwk,
|
||||
owner @{tmp}/@{rand8}.* rw,
|
||||
owner @{tmp}/mozilla_pc@{int}/ rw,
|
||||
owner @{tmp}/mozilla_pc@{int}/* rwk,
|
||||
|
||||
# Due to the nature of the browser, we silence much more than for Firefox.
|
||||
deny capability sys_ptrace,
|
||||
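Review bot: `owner @{tmp}/@{rand8}.* rw,` matches any owner-owned file in `@{tmp}` whose name is eight random characters plus any suffix, which is broader than the other rules in this hunk and overlaps temporary files created by unrelated confined programs of the same user. If the suffix is known (as `mozilla_pc@{int}` is for the next two lines), pin it in the pattern instead of `.*`; otherwise a comment on the line naming the component that creates these files would make later tightening possible. The torbrowser profile continues outside the hunk.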
|
|
|
|||
|
|
@ -18,6 +18,7 @@ profile torbrowser-glxtest @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/X-strict>
|
||||
include <abstractions/wayland>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -19,6 +19,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/nvidia-modprobe
|
||||
profile child-modprobe-nvidia flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/attached/consoles>
|
||||
include <abstractions/consoles>
|
||||
|
||||
capability chown,
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/update-desktop-database
|
||||
profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/attached/consoles>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/freedesktop.org>
|
||||
|
||||
|
|
|
|||
|
|
@ -48,6 +48,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner @{desktop_cache_dirs}/dconf/user r,
|
||||
owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
|
||||
owner @{desktop_config_dirs}/dconf/user r,
|
||||
owner @{DESKTOP_HOME}/greeter-dconf-defaults r,
|
||||
|
||||
owner @{HOME}/ r,
|
||||
|
|
|
|||
|
|
@ -57,7 +57,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{PROC}/@{pid}/cgroup r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
/dev/fuse rw,
|
||||
/dev/fuse rw,
|
||||
|
||||
profile fusermount flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ include <tunables/global>
|
|||
profile xkbcomp @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/attached/consoles>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
|
|
@ -29,6 +30,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_share_dirs}/xorg/Xorg.@{int}.log w,
|
||||
|
||||
/var/lib/{gdm{3,},sddm}/.local/share/xorg/Xorg.@{int}.log w,
|
||||
/var/log/Xorg.@{int}.log w,
|
||||
owner /var/log/lightdm/x-@{int}.log w,
|
||||
|
||||
owner @{run}/user/@{uid}/server-@{int}.xkm rwk,
|
||||
|
|
@ -38,9 +40,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) {
|
|||
/dev/dri/card@{int} rw,
|
||||
/dev/fb@{int} rw,
|
||||
/dev/tty rw,
|
||||
|
||||
deny /dev/input/event@{int} rw,
|
||||
deny /var/log/Xorg.@{int}.log w,
|
||||
/dev/input/event@{int} rw,
|
||||
|
||||
include if exists <local/xkbcomp>
|
||||
}
|
||||
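Review bot: The `@ -38,9 +40,7 @@` hunk turns the former `deny /dev/input/event@{int} rw,` into an allow (`/dev/input/event@{int} rw,`), which gives xkbcomp read and write access to every raw input device, i.e. every keystroke and pointer event of the session. Nothing in the hunk explains why a keymap compiler needs that; if the denial only silenced a probe, keeping the `deny` (or granting `r` alone) is the safer answer, and if the access is genuinely required a comment such as `# raw input devices: needed when started by <caller>` should say so. The earlier hunk of this file likewise moves `/var/log/Xorg.@{int}.log w,` from an explicit deny to a non-owner write, which deserves the same justification. The xkbcomp profile header is outside the hunk.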
|
|
|
|||
|
|
@ -134,6 +134,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
|
|||
/dev/shm/shmfd-* rw,
|
||||
/dev/tty rw,
|
||||
/dev/tty@{int} rw,
|
||||
/dev/udmabuf rw,
|
||||
/dev/vga_arbiter rw, # Graphic card modules
|
||||
|
||||
profile pkexec {
|
||||
|
|
|
|||
|
|
@ -105,6 +105,8 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner @{HOME}/.pam_environment r,
|
||||
|
||||
owner @{user_cache_dirs}/ w,
|
||||
|
||||
@{run}/cockpit/inactive.motd r,
|
||||
owner @{run}/systemd/seats/seat@{int} r,
|
||||
owner @{run}/user/@{uid}/keyring/control rw,
|
||||
|
|
|
|||
|
|
@ -33,6 +33,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner @{HOME}/{,**} rw,
|
||||
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
|
|
|
|||
|
|
@ -181,7 +181,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
profile bwrap {
|
||||
profile bwrap flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/common/bwrap>
|
||||
|
||||
|
|
|
|||
|
|
@ -48,11 +48,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
@{sh_path} rix,
|
||||
@{bin}/tput rix,
|
||||
@{bin}/session-migration rPx,
|
||||
|
||||
@{lib}/gnome-session-check-accelerated rix,
|
||||
@{lib}/gnome-session-check-accelerated-gl-helper rix,
|
||||
@{lib}/gnome-session-check-accelerated-gles-helper rix,
|
||||
@{lib}/gnome-session-failed rix,
|
||||
@{lib}/gnome-session-check-* rPx,
|
||||
@{lib}/gnome-session-failed rix,
|
||||
|
||||
@{lib}/gio-launch-desktop rCx -> open,
|
||||
@{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open,
|
||||
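Review bot: `@{lib}/gnome-session-check-* rPx,` replaces three `rix` lines with a transition to a separate profile, so `gnome-session-check-accelerated` and its `-gl-helper`/`-gles-helper` variants will be refused exec unless a profile attaching to each exists; this commit does not show those profiles, so confirm they are present in the set. The glob also covers any future `gnome-session-check-*` binary, which silently inherits the same requirement. Keeping `rix` for helpers that have no profile yet, or listing the three names explicitly, would avoid a session failure at login. The gnome-session-binary profile continues outside the hunk.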
|
|
|
|||
|
|
@ -64,8 +64,7 @@ profile gnome-software @{exec_path} {
|
|||
|
||||
/var/lib/PackageKit/offline-update-competed r,
|
||||
/var/lib/PackageKit/prepared-update r,
|
||||
/var/lib/swcatalog/icons/**.png r,
|
||||
/var/lib/swcatalog/yaml/ r,
|
||||
/var/lib/swcatalog/** r,
|
||||
|
||||
/var/tmp/flatpak-cache-*/ rw,
|
||||
/var/tmp/flatpak-cache-*/** rwkl,
|
||||
|
|
@ -91,6 +90,7 @@ profile gnome-software @{exec_path} {
|
|||
owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/deploy r,
|
||||
owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/metadata r,
|
||||
owner @{user_share_dirs}/flatpak/{app,runtime}/*/*/ r,
|
||||
owner @{user_share_dirs}/flatpak/overrides/* r,
|
||||
owner @{user_share_dirs}/flatpak/repo/ rw,
|
||||
owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**,
|
||||
owner @{user_share_dirs}/gnome-software/{,**} rw,
|
||||
|
|
|
|||
|
|
@ -7,12 +7,10 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/gnome-tweaks
|
||||
profile gnome-tweaks @{exec_path} {
|
||||
profile gnome-tweaks @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/common/gnome>
|
||||
include <abstractions/python>
|
||||
include <abstractions/thumbnails-cache-read>
|
||||
|
||||
|
|
@ -21,6 +19,7 @@ profile gnome-tweaks @{exec_path} {
|
|||
@{exec_path} mr,
|
||||
|
||||
@{bin}/ r,
|
||||
@{bin}/env r,
|
||||
@{bin}/ps rPx,
|
||||
@{bin}/python3.@{int} rix,
|
||||
|
||||
|
|
@ -28,8 +27,6 @@ profile gnome-tweaks @{exec_path} {
|
|||
|
||||
@{lib}/python3.@{int}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w,
|
||||
|
||||
/usr/share/gnome-tweaks/{,**} r,
|
||||
|
||||
/etc/xdg/autostart/{,**} r,
|
||||
|
||||
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
||||
|
|
@ -44,7 +41,12 @@ profile gnome-tweaks @{exec_path} {
|
|||
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
|
||||
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
|
||||
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/class/input/ r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
|
|
|
|||
|
|
@ -41,6 +41,7 @@ profile kgx @{exec_path} {
|
|||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/1/cgroup r,
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
|
||||
/dev/ptmx rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -15,6 +15,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
|||
|
|
@ -21,7 +21,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/gnome-strict>
|
||||
include <abstractions/gstreamer>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/private-files-strict>
|
||||
|
||||
network netlink raw,
|
||||
|
||||
|
|
|
|||
|
|
@ -28,11 +28,13 @@ profile yelp @{exec_path} {
|
|||
|
||||
/etc/xml/{,**} r,
|
||||
|
||||
@{sys}/devices/virtual/dmi/id/chassis_type r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r,
|
||||
|
||||
@{sys}/devices/virtual/dmi/id/chassis_type r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r,
|
||||
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r,
|
||||
|
||||
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.current r,
|
||||
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.high r,
|
||||
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.max r,
|
||||
|
||||
@{PROC}/zoneinfo r,
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
|
|
|
|||
|
|
@ -34,6 +34,8 @@ profile baloo @{exec_path} {
|
|||
owner @{MOUNTS}/{,**} r,
|
||||
owner @{tmp}/*/{,**} r,
|
||||
|
||||
owner @{user_cache_dirs}/kcrash-metadata/ w,
|
||||
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/baloofilerc rwl,
|
||||
owner @{user_config_dirs}/baloofilerc.lock rwkl,
|
||||
|
|
@ -60,6 +62,7 @@ profile baloo @{exec_path} {
|
|||
@{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*
|
||||
@{run}/udev/data/c89:@{int} r, # For I2C bus interface
|
||||
@{run}/udev/data/c116:@{int} r, # For ALSA
|
||||
@{run}/udev/data/c202:@{int} r, # CPU model-specific registers
|
||||
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
|
||||
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/gmenudbusmenuproxy
|
||||
profile gmenudbusmenuproxy @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/kde-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
|||
|
|
@ -44,12 +44,15 @@ profile kconf_update @{exec_path} {
|
|||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
owner @{HOME}/.gtkrc-@{version} w,
|
||||
|
||||
owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/*rc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/*rc.lock rwk,
|
||||
owner @{user_config_dirs}/gtk-{3,4}.0/* rwlk -> @{user_config_dirs}/gtk-{3,4}.0/**,
|
||||
owner @{user_config_dirs}/sed@{rand6} rw,
|
||||
owner @{user_config_dirs}/xsettingsd/xsettingsd.conf rw,
|
||||
owner @{user_config_dirs}/kcmfonts.lock rwk,
|
||||
|
||||
owner @{user_share_dirs}/#@{int} rw,
|
||||
owner @{user_share_dirs}/krunnerstaterc.lock rwk,
|
||||
|
|
|
|||
|
|
@ -93,34 +93,16 @@ profile kded @{exec_path} {
|
|||
|
||||
@{user_config_dirs}/kcookiejarrc.lock rwk,
|
||||
@{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/bluedevilglobalrc.lock rwk,
|
||||
owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/breezerc r,
|
||||
owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/*rc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/*rc.lock rwk,
|
||||
owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl,
|
||||
owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini.lock rk,
|
||||
owner @{user_config_dirs}/gtkrc{,*} rwlk,
|
||||
owner @{user_config_dirs}/kconf_updaterc rw,
|
||||
owner @{user_config_dirs}/kconf_updaterc.lock rwk,
|
||||
owner @{user_config_dirs}/kdebugrc r,
|
||||
owner @{user_config_dirs}/kded{5,6}rc.lock rwk,
|
||||
owner @{user_config_dirs}/kded{5,6}rc{,.@{rand6}} rwl,
|
||||
owner @{user_config_dirs}/kdedefaults/{,**} r,
|
||||
owner @{user_config_dirs}/khotkeysrc.lock rwk,
|
||||
owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kioslaverc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/ksmserverrc r,
|
||||
owner @{user_config_dirs}/ktimezonedrc.lock rwk,
|
||||
owner @{user_config_dirs}/ktimezonedrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kwalletrc r,
|
||||
owner @{user_config_dirs}/kwinrc.lock rwk,
|
||||
owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kxkbrc r,
|
||||
owner @{user_config_dirs}/libaccounts-glib/ rw,
|
||||
owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
|
||||
owner @{user_config_dirs}/menus/{,**} r,
|
||||
owner @{user_config_dirs}/networkmanagement.notifyrc r,
|
||||
owner @{user_config_dirs}/plasma* r,
|
||||
owner @{user_config_dirs}/touchpadrc r,
|
||||
owner @{user_config_dirs}/Trolltech.conf.lock rwk,
|
||||
owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
|
||||
owner @{user_config_dirs}/xsettingsd/{,**} rw,
|
||||
|
|
@ -137,6 +119,9 @@ profile kded @{exec_path} {
|
|||
owner @{user_share_dirs}/services5/{,**} r,
|
||||
owner @{user_share_dirs}/user-places.xbel r,
|
||||
|
||||
owner @{user_state_dirs}/#@{int} rw,
|
||||
owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
|
||||
@{run}/user/@{uid}/gvfs/ r,
|
||||
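Review bot: In the `@ -93,34 +93,16 @@` hunk the wildcard `owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int},` replaces per-file rules, several of which were read-only (`breezerc r`, `kdebugrc r`, `ksmserverrc r`, `kwalletrc r`, `kxkbrc r`, `touchpadrc r`); after this change kded may write and link-rename every `*rc` file in the user's config directory, including `kwalletrc`. If only the previously writable files are meant to gain the generic pattern, keep the explicit `r` rules and add matching `deny owner @{user_config_dirs}/<name>rc w,` rules (deny takes precedence over allow), or state in a comment that write access to all `*rc` files is intended. The removed `kcookiejarrc` rules also carried no `owner` qualifier, so a cookie jar not owned by the user is no longer accessible; presumably intended, but worth a word. The same wildcard trio is added to kconf_update in this commit, where the loss of specificity is equally undocumented. The kded profile continues outside the hunk.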
|
|
|
|||
|
|
@ -29,6 +29,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi,
|
||||
#aa:exec kscreenlocker_greet
|
||||
|
||||
/usr/share/color-schemes/*.colors r,
|
||||
|
|
@ -47,6 +48,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
|||
/etc/xdg/menus/{,applications.menu} r,
|
||||
/etc/xdg/menus/applications-merged/ r,
|
||||
/etc/xdg/plasmarc r,
|
||||
/etc/xdg/Xwayland-session.d/{,*} r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
|
@ -127,10 +129,28 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
|||
|
||||
@{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
|
||||
/dev/input/event@{int} rw,
|
||||
@{att}/dev/input/event@{int} rw,
|
||||
@{att}/dev/dri/card@{int} rw,
|
||||
|
||||
/dev/tty r,
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
profile at-spi {
|
||||
include <abstractions/base>
|
||||
|
||||
@{sh_path} r,
|
||||
@{bin}/busctl rix,
|
||||
@{bin}/sed rix,
|
||||
@{bin}/xprop rPx,
|
||||
|
||||
/etc/xdg/Xwayland-session.d/00-at-spi r,
|
||||
|
||||
/home/ r,
|
||||
owner @{HOME}/ r,
|
||||
|
||||
include if exists <local/kwin_wayland_at-spi>
|
||||
}
|
||||
|
||||
include if exists <local/kwin_wayland>
|
||||
}
|
||||
|
||||
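Review bot: The new `at-spi` child profile grants `@{sh_path} r,` only, whereas the script it confines (`/etc/xdg/Xwayland-session.d/00-at-spi`, transitioned via `Cx -> at-spi`) is presumably run through its shebang, so the interpreter is executed and mapped inside `at-spi`; the pattern used elsewhere in this commit for shell scripts is `@{sh_path} rix,` (see the pacman-hook-systemd hunk), so confirm against audit logs that plain `r` suffices. The exec rule itself is `Cx` without `r`, unlike the `rCx`/`rPx` forms used elsewhere on this page, which reads as a stylistic slip even though the child re-reads the script through its own `r` rule. `/home/ r,` next to `owner @{HOME}/ r,` exposes the list of all user home directories to the child; if only the caller's home is needed the first rule can go. The kwin_wayland profile starts outside the hunk.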
|
|
|
|||
|
|
@ -76,6 +76,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
/usr/share/solid/actions/{,**} r,
|
||||
/usr/share/swcatalog/{,**} r,
|
||||
/usr/share/templates/{,*.desktop} r,
|
||||
/usr/share/thumbnailers/{,*} r,
|
||||
/usr/share/wallpapers/{,**} r,
|
||||
|
||||
/etc/appstream.conf r,
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ profile sddm-greeter @{exec_path} {
|
|||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.freedesktop.login1>
|
||||
include <abstractions/bus/org.freedesktop.UPower>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/kde-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
|||
|
|
@ -62,6 +62,7 @@ profile startplasma @{exec_path} {
|
|||
owner @{user_config_dirs}/startkderc r,
|
||||
owner @{user_config_dirs}/Trolltech.conf.lock rwk,
|
||||
owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
|
||||
owner link @{user_config_dirs}/kdeglobals -> @{user_config_dirs}/#@{int},
|
||||
|
||||
owner @{user_share_dirs}/color-schemes/{,**} r,
|
||||
owner @{user_share_dirs}/kservices{5,6}/{,**} r,
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile xembedsniproxy @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/qt5>
|
||||
|
||||
|
|
|
|||
|
|
@ -10,6 +10,12 @@ include <tunables/global>
|
|||
profile makepkg @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/perl>
|
||||
include <abstractions/python>
|
||||
include <abstractions/shells>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/wutmp>
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
|
|
|||
|
|
@ -32,10 +32,14 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/tput rix,
|
||||
@{bin}/vim rix,
|
||||
|
||||
owner @{HOME}/.viminfo{,.tmp} rw,
|
||||
|
||||
owner @{user_cache_dirs}/vim/{,**} rw,
|
||||
|
||||
# packages files
|
||||
/ r,
|
||||
/boot/{,**} r,
|
||||
/etc/{,**} r,
|
||||
/etc/{,**} rw,
|
||||
/opt/{,**} r,
|
||||
/srv/{,**} r,
|
||||
/usr/{,**} r,
|
||||
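Review bot: `/etc/{,**} rw,` replaces `/etc/{,**} r,`, making this the broadest write grant on the page: as pacdiff runs as root, the confined process (and the `vim` it spawns under `rix`) can now modify every file under `/etc`. That is what merging pacnew/pacsave files requires, but the line carries no comment; `/etc/{,**} rw, # merge pacnew/pacsave results in place` would record the intent, and if pacdiff renames or locks files, which this hunk does not show, `l`/`k` may be needed as well. The pacdiff profile continues outside the hunk.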
|
|
|
|||
|
|
@ -15,13 +15,14 @@ profile pacman-hook-systemd @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/bash rix,
|
||||
@{sh_path} rix,
|
||||
@{bin}/touch rix,
|
||||
|
||||
@{bin}/journalctl rPx,
|
||||
@{bin}/systemctl rCx -> systemctl,
|
||||
@{bin}/systemd-detect-virt rPx,
|
||||
@{bin}/systemd-hwdb rPx,
|
||||
@{bin}/systemd-notify rPx,
|
||||
@{bin}/systemd-sysusers rPx,
|
||||
@{bin}/systemd-tmpfiles rPx,
|
||||
@{bin}/udevadm rPx,
|
||||
|
|
|
|||
|
|
@ -55,6 +55,10 @@ profile yay @{exec_path} {
|
|||
|
||||
/usr/share/git{,-core}/{,**} r,
|
||||
|
||||
owner @{user_build_dirs}/**/.git/** r,
|
||||
owner @{user_pkg_dirs}/**/.git/** r,
|
||||
owner @{user_projects_dirs}/**/.git/** r,
|
||||
|
||||
owner @{HOME}/.gitconfig r,
|
||||
owner @{user_cache_dirs}/yay/ rw,
|
||||
owner @{user_cache_dirs}/yay/** rwlk -> @{user_cache_dirs}/yay/**,
|
||||
|
|
|
|||
|
|
@ -61,7 +61,7 @@ profile systemd-journald @{exec_path} {
|
|||
@{run}/udev/data/+usb:* r,
|
||||
@{run}/udev/data/+virtio:* r,
|
||||
@{run}/udev/data/b254:@{int} r, # for /dev/zram*
|
||||
@{run}/udev/data/b259:@{int} r,
|
||||
@{run}/udev/data/b259:@{int} r, # Block Extended Major
|
||||
@{run}/udev/data/c1:@{int} r, # For RAM disk
|
||||
@{run}/udev/data/c4:@{int} r, # For TTY devices
|
||||
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-3.0-only
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
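Review bot: The SPDX identifier of this file changes from `GPL-3.0-only` to `GPL-2.0-only` inside a merge commit, and nothing on the page shows the project's top-level licence; a licence change should be a deliberate, separately described commit that matches `LICENSE`, so confirm this is the correction of a wrong header rather than an accidental merge resolution. The copyright line is left untouched, which is consistent with a header fix.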
|
|
|
|||
|
|
@ -45,15 +45,12 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
|
|||
mount options=(rw rslave) -> /,
|
||||
|
||||
remount /tmp/containerd-mount@{int10}/,
|
||||
remount /var/lib/docker/tmp/buildkit-mount@{int10}/,
|
||||
remount /var/lib/docker/**/,
|
||||
|
||||
umount /.pivot_root@{int}/,
|
||||
umount /run/docker/netns/*,
|
||||
umount /tmp/containerd-mount@{int}/,
|
||||
umount /var/lib/docker/buildkit/**/,
|
||||
umount /var/lib/docker/rootfs/**/,
|
||||
umount /var/lib/docker/overlay*/**/,
|
||||
umount /var/lib/docker/tmp/buildkit-mount@{int}/,
|
||||
umount /var/lib/docker/**/,
|
||||
|
||||
pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/ /var/lib/docker/overlay2/**/,
|
||||
pivot_root oldroot=/var/lib/docker/rootfs/overlayfs/@{hex64}/.pivot_root@{int}/ /var/lib/docker/rootfs/overlayfs/@{hex64}/,
|
||||
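Review bot: With five removed and two added lines in `@ -45,15 +45,12 @@`, the `@{int10}` remount rules for `/tmp/containerd-mount@{int10}/` and `/var/lib/docker/tmp/buildkit-mount@{int10}/` appear to be among those dropped in favour of `remount /var/lib/docker/**/,`; if so, `/tmp/containerd-mount@{int}/` keeps its `umount` rule but loses remount, which the hunk does not explain. The old pair also used `@{int10}` for remount and `@{int}` for umount of the same path, so whichever rule survives should use one variable for both. Broadening to `/var/lib/docker/**/` is reasonable for a daemon that owns that tree, but a comment on the generic line noting that it replaces the buildkit/rootfs/overlay paths would keep the history readable. The dockerd profile continues outside the hunk.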
|
|
|
|||