feat(profiles): general update.
This commit is contained in:
parent
671dcca38d
commit
63e5980d8d
33 changed files with 177 additions and 85 deletions
|
|
@ -1,5 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2018-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -12,19 +13,18 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
# Needed?
|
||||
deny capability sys_nice,
|
||||
|
||||
signal (receive) set=(term hup) peer=gdm*,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
/var/lib/lightdm/.Xauthority r,
|
||||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
# file_inherit
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
||||
include if exists <local/at-spi2-registryd>
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2018-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -8,7 +9,7 @@ include <tunables/global>
|
|||
|
||||
@{exec_path} = /{usr/,}lib/colord/colord-sane
|
||||
@{exec_path} += @{libexec}/colord-sane
|
||||
profile colord-sane @{exec_path} flags=(complain) {
|
||||
profile colord-sane @{exec_path} flags=(attach_disconnected,complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/devices-usb>
|
||||
|
||||
|
|
@ -16,17 +17,18 @@ profile colord-sane @{exec_path} flags=(complain) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/sane.d/{,**} r,
|
||||
/usr/share/snmp/mibs/{,*} r,
|
||||
|
||||
/etc/sane.d/{,**} r,
|
||||
/etc/snmp/snmp.conf r,
|
||||
|
||||
/var/lib/snmp/{mib,cert}_indexes/ rw,
|
||||
/var/lib/snmp/mibs/{iana,ietf}/ r,
|
||||
/var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r,
|
||||
|
||||
/var/lib/snmp/{mib,cert}_indexes/ rw,
|
||||
/usr/share/snmp/mibs/{,*} r,
|
||||
@{run}/systemd/journal/socket rw,
|
||||
|
||||
@{sys}/bus/scsi/devices/ r,
|
||||
|
||||
@{sys}/devices/pci[0-9]*/**/{vendor,model,type} r,
|
||||
|
||||
@{PROC}/sys/dev/parport/ r,
|
||||
|
|
|
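Review bot: The profile line in the first hunk becomes `flags=(attach_disconnected,complain)`, so the profile is still in complain mode and none of the rules added or reordered in the second hunk (the snmp, journal socket and scsi entries) are enforced — they only generate log lines. That is fine as a staging step, but nothing on the page says why it stays in complain or what is still to be validated, and "general update" does not tell the next maintainer either. A one-line comment above the `profile colord-sane` line would carry that, for example `# Still in complain mode: rule set not yet validated (FIXME)`. The profile block starts before the first hunk and ends after the second.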
|||
|
|
@ -14,10 +14,11 @@ profile polkitd @{exec_path} {
|
|||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability setuid,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
capability sys_nice,
|
||||
capability sys_ptrace,
|
||||
audit deny capability net_admin,
|
||||
audit capability net_admin,
|
||||
|
||||
ptrace (read),
|
||||
|
||||
|
|
|
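Review bot: `audit deny capability net_admin,` appears to be replaced by `audit capability net_admin,` (the +/- markers are lost in the rendering, so this reads the old-then-new print order), which changes a logged denial into a logged grant of CAP_NET_ADMIN for polkitd, and nothing in the hunk or the commit message explains why polkitd needs it. If the intent is only to find out whether polkitd ever asks for it, the existing `audit deny capability net_admin,` already does that without granting the capability; if it is genuinely required, a why-comment above the rule, e.g. `# net_admin needed for <reason — fill in>`, should say so. The same deny-to-audited-allow switch appears in the upower hunk (`deny capability sys_nice,` → `audit capability sys_nice,`) while the `# Needed?` question above it is kept, and the at-spi2-registryd hunk keeps `deny capability sys_nice,` under that same comment, so the three profiles now answer the same question three different ways. The `profile polkitd` block starts and ends outside this hunk.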
|||
|
|
@ -11,7 +11,7 @@ profile upower @{exec_path} {
|
|||
include <abstractions/base>
|
||||
|
||||
# Needed?
|
||||
deny capability sys_nice,
|
||||
audit capability sys_nice,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2018-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2018-2022 Mikhail Morfikov
|
||||
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -17,30 +18,12 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
# UPower config file
|
||||
/etc/UPower/ r,
|
||||
/etc/UPower/UPower.conf r,
|
||||
|
||||
# The history data for the power device
|
||||
/var/lib/upower/ r,
|
||||
/var/lib/upower/history-*.dat{,.*} rw,
|
||||
|
||||
# Are all of these needed? (#FIXME#)
|
||||
/dev/input/event* r,
|
||||
@{sys}/bus/hid/devices/ r,
|
||||
@{sys}/class/leds/ r,
|
||||
@{sys}/class/power_supply/ r,
|
||||
@{sys}/class/input/ r,
|
||||
@{sys}/devices/ r,
|
||||
@{sys}/devices/**/power_supply/**/* r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/**/capabilities/* r,
|
||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
|
||||
@{sys}/devices/platform/**/leds/**/max_brightness r,
|
||||
@{sys}/devices/platform/**/leds/**/brightness rw,
|
||||
@{sys}/devices/platform/**/leds/**/brightness_hw_changed r,
|
||||
|
||||
@{run}/udev/data/ r,
|
||||
@{run}/udev/data/+power_supply* r,
|
||||
@{run}/udev/data/+input* r,
|
||||
|
|
@ -49,5 +32,20 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
|
||||
@{sys}/bus/hid/devices/ r,
|
||||
@{sys}/class/input/ r,
|
||||
@{sys}/class/leds/ r,
|
||||
@{sys}/class/power_supply/ r,
|
||||
@{sys}/devices/ r,
|
||||
@{sys}/devices/**/capabilities/* r,
|
||||
@{sys}/devices/**/power_supply/**/* r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/platform/**/leds/**/brightness rw,
|
||||
@{sys}/devices/platform/**/leds/**/brightness_hw_changed r,
|
||||
@{sys}/devices/platform/**/leds/**/max_brightness r,
|
||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
|
||||
/dev/input/event* r,
|
||||
|
||||
include if exists <local/upowerd>
|
||||
}
|
||||
|
|
|
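Review bot: The reorganised sysfs block in the second hunk (`@{sys}/bus/hid/devices/ r,` through `@{sys}/devices/virtual/dmi/id/product_name r,`) keeps every rule from the first hunk but drops the `# Are all of these needed? (#FIXME#)` marker that covered them, so the open question is silently closed without any rule having been removed. Restoring it above the moved block, e.g. `# FIXME: not all of these sysfs paths are confirmed as needed`, keeps the audit trail; it is worth extending it to `/dev/input/event* r,`, which was also under that marker and is a read of raw input-event devices rather than a sysfs attribute, so it deserves its own justification. The `profile upowerd` block starts before the first hunk and its closing brace is the last line of the second.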
|||
|
|
@ -34,7 +34,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/pipewire/client.conf r,
|
||||
/usr/share/xdg-desktop-portal/portals/{,*.portal} r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/pipewire/client.conf.d/ r,
|
||||
|
||||
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
||||
|
|
@ -43,6 +42,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/user/@{uid}/.flatpak/{,*/*} r,
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
|
||||
|
||||
owner @{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/ r,
|
||||
|
|
|
|||
|
|
@ -11,6 +11,8 @@ include <tunables/global>
|
|||
profile xkbcomp @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
|
||||
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/X11/xkb/** r,
|
||||
|
|
|
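Review bot: The added `unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),` has no comment saying what it is for, and the identical line is added verbatim in the xrdb hunk as well, with the same address spelled a third time (as `addr=`) in the xwayland hunk. A short comment on each, `# Connect to the X server over its abstract socket`, would make the intent clear, and since the peer address is now duplicated across profiles it is worth considering a shared include so the pattern is maintained in one place. The `profile xkbcomp` block continues past the end of this hunk.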
|||
|
|
@ -11,6 +11,8 @@ include <tunables/global>
|
|||
profile xrdb @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
|
|
|
|||
|
|
@ -19,6 +19,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
|
|||
signal (receive) set=(term hup) peer=gdm*,
|
||||
signal (receive) set=(term hup) peer=gnome-shell,
|
||||
|
||||
unix (receive, send) type=stream addr="@/tmp/.X11-unix/X[0-9]*",
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
|
|
|
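Review bot: The added `unix (receive, send) type=stream addr="@/tmp/.X11-unix/X[0-9]*",` covers only receive and send on Xwayland's own abstract socket; if Xwayland creates that socket itself rather than inheriting an already-listening descriptor from the compositor, `bind`, `listen` and `accept` would still be denied, so this should be checked against a denial log before the rule is considered complete. The use of `addr=` here, where the xkbcomp and xrdb hunks use `peer=(addr=...)`, is the right server-side form, but a comment would stop the asymmetry being "fixed" later: `# Xwayland's own X11 abstract socket (server side, hence addr= not peer=)`. The `profile xwayland` block starts before and ends after this hunk.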
|||