felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): update and enforce a few profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2025-05-18 14:46:35 +02:00
parent 1fab846875
commit 658c054c47
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
17 changed files with 76 additions and 86 deletions
Download patch file Download diff file Expand all files Collapse all files

1
apparmor.d/groups/filesystem/mke2fs
View file

@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{sbin}/mke2fs @{sbin}/mkfs.ext2 @{sbin}/mkfs.ext3 @{sbin}/mkfs.ext4 @{exec_path} = @{sbin}/mke2fs @{sbin}/mkfs.ext2 @{sbin}/mkfs.ext3 @{sbin}/mkfs.ext4
profile mke2fs @{exec_path} { profile mke2fs @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-write> include <abstractions/disks-write>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>

1
apparmor.d/groups/gnome/gnome-session-binary
View file

@ -103,7 +103,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
profile open flags=(attach_disconnected) { profile open flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/consoles>
include <abstractions/desktop> include <abstractions/desktop>
@{bin}/env rix, @{bin}/env rix,

14
apparmor.d/groups/gnome/gnome-software
View file

@ -9,10 +9,8 @@ include <tunables/global>
@{exec_path} = @{bin}/gnome-software @{exec_path} = @{bin}/gnome-software
profile gnome-software @{exec_path} { profile gnome-software @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/common/gnome>
include <abstractions/fontconfig-cache-write> include <abstractions/fontconfig-cache-write>
include <abstractions/gnome-strict>
include <abstractions/graphics>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/p11-kit> include <abstractions/p11-kit>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
@ -71,15 +69,11 @@ profile gnome-software @{exec_path} {
/var/tmp/flatpak-cache-*/** rwkl, /var/tmp/flatpak-cache-*/** rwkl,
/var/tmp/#@{int} rw, /var/tmp/#@{int} rw,
/ r,
owner @{HOME}/.var/app/{,**} rw, owner @{HOME}/.var/app/{,**} rw,
owner @{user_download_dirs}/*.flatpakref r, owner @{user_download_dirs}/*.flatpakref r,
owner @{user_cache_dirs}/flatpak/{,**} rwl, owner @{user_cache_dirs}/flatpak/{,**} rwl,
owner @{user_cache_dirs}/gnome-software/ rw,
owner @{user_cache_dirs}/gnome-software/** rwlk -> @{user_cache_dirs}/gnome-software/**,
owner @{user_config_dirs}/flatpak/{,**} r, owner @{user_config_dirs}/flatpak/{,**} r,
owner @{user_config_dirs}/pulse/*.conf r, owner @{user_config_dirs}/pulse/*.conf r,
@ -94,7 +88,6 @@ profile gnome-software @{exec_path} {
owner @{user_share_dirs}/flatpak/overrides/* r, owner @{user_share_dirs}/flatpak/overrides/* r,
owner @{user_share_dirs}/flatpak/repo/ rw, owner @{user_share_dirs}/flatpak/repo/ rw,
owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**,
owner @{user_share_dirs}/gnome-software/{,**} rw,
owner @{tmp}/ostree-gpg-@{rand6}/ rw, owner @{tmp}/ostree-gpg-@{rand6}/ rw,
owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
@ -123,10 +116,7 @@ profile gnome-software @{exec_path} {
@{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/fs/pipe-max-size r,
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/fdinfo/@{int} r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/dev/fuse rw, /dev/fuse rw,
@ -166,6 +156,8 @@ profile gnome-software @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/fusermount> include <abstractions/app/fusermount>
capability setuid,
mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
umount /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/,

8
apparmor.d/groups/gnome/gnome-system-monitor
View file

@ -9,10 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/gnome-system-monitor @{exec_path} = @{bin}/gnome-system-monitor
profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session> include <abstractions/common/gnome>
include <abstractions/dconf-write>
include <abstractions/gnome-strict>
include <abstractions/graphics>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability sys_ptrace, capability sys_ptrace,
@ -35,7 +32,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
@{bin}/sed rix, @{bin}/sed rix,
@{bin}/tr rix, @{bin}/tr rix,
/usr/share/gnome-system-monitor/{,**} r,
/usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r,
/ r, / r,
@ -78,8 +74,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
@{PROC}/diskstats r, @{PROC}/diskstats r,
@{PROC}/vmstat r, @{PROC}/vmstat r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
/dev/tty rw, /dev/tty rw,

18
apparmor.d/groups/gnome/gnome-terminal-server
View file

@ -19,11 +19,11 @@ profile gnome-terminal-server @{exec_path} {
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gnome-strict> include <abstractions/gnome-strict>
signal (send) set=(hup) peer=htop, signal send set=(hup) peer=htop,
signal (send) set=(term hup kill) peer=unconfined, signal send set=(term hup kill) peer=unconfined,
ptrace (read) peer=htop, ptrace read peer=htop,
ptrace (read) peer=unconfined, ptrace read peer=unconfined,
#aa:dbus own bus=session name=org.gnome.Terminal interface+=org.gtk.Actions #aa:dbus own bus=session name=org.gnome.Terminal interface+=org.gtk.Actions
@ -39,14 +39,14 @@ profile gnome-terminal-server @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# The shell is not confined on purpose. # The shell is not confined on purpose.
@{bin}/@{shells} rUx, @{bin}/@{shells} Ux,
# Some CLI program can be launched directly from Gnome Shell # Some CLI program can be launched directly from Gnome Shell
@{bin}/htop rPx, @{bin}/htop Px,
@{bin}/micro rPUx, @{bin}/micro PUx,
@{bin}/nvtop rPx, @{bin}/nvtop Px,
@{open_path} rPx -> child-open, @{open_path} Px -> child-open,
/etc/shells r, /etc/shells r,

2
apparmor.d/groups/gnome/gnome-tweaks
View file

@ -32,7 +32,7 @@ profile gnome-tweaks @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
owner @{user_config_dirs}/autostart/ rw, owner @{user_config_dirs}/autostart/ rw,
owner @{user_config_dirs}/autostart/*.desktop r, owner @{user_config_dirs}/autostart/*.desktop rw,
owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini* rw, owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini* rw,
owner @{user_share_dirs}/backgrounds/{,**} r, owner @{user_share_dirs}/backgrounds/{,**} r,
owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r, owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r,

16
apparmor.d/groups/gnome/kgx
View file

@ -17,7 +17,7 @@ profile kgx @{exec_path} {
capability sys_ptrace, capability sys_ptrace,
ptrace (read), ptrace read,
@{exec_path} mr, @{exec_path} mr,
@ -25,14 +25,14 @@ profile kgx @{exec_path} {
@{bin}/@{shells} rUx, @{bin}/@{shells} rUx,
# Some CLI program can be launched directly from Gnome Shell # Some CLI program can be launched directly from Gnome Shell
@{bin}/btop rPUx, @{bin}/btop PUx,
@{bin}/htop rPx, @{bin}/htop Px,
@{bin}/micro rPUx, @{bin}/micro PUx,
@{bin}/nvtop rPx, @{bin}/nvtop Px,
@{bin}/nvtop rPx, @{bin}/nvtop Px,
@{bin}/vim rUx, @{bin}/vim Ux,
@{open_path} rPx -> child-open-help, @{open_path} Px -> child-open-help,
owner @{tmp}/#@{int} rw, owner @{tmp}/#@{int} rw,

3
apparmor.d/groups/network/ModemManager
View file

@ -14,7 +14,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus/org.freedesktop.PolicyKit1> include <abstractions/bus/org.freedesktop.PolicyKit1>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/devices-usb> include <abstractions/devices-usb>
include <abstractions/dri-enumerate> include <abstractions/dri>
capability net_admin, capability net_admin,
@ -47,7 +47,6 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
@{sys}/class/tty/ r, @{sys}/class/tty/ r,
@{sys}/class/wwan/ r, @{sys}/class/wwan/ r,
@{sys}/devices/@{pci}/revision r,
@{sys}/devices/**/net/*/ r, @{sys}/devices/**/net/*/ r,
@{sys}/devices/**/uevent r, @{sys}/devices/**/uevent r,
@{sys}/devices/virtual/tty/*/ r, @{sys}/devices/virtual/tty/*/ r,

4
apparmor.d/groups/polkit/pkttyagent
View file

@ -18,8 +18,8 @@ profile pkttyagent @{exec_path} {
capability sys_nice, capability sys_nice,
capability audit_write, capability audit_write,
ptrace (read), ptrace read,
signal (send,receive), signal (send, receive),
@{exec_path} mr, @{exec_path} mr,

2
apparmor.d/groups/shadow/newgidmap
View file

@ -18,6 +18,8 @@ profile newgidmap @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{etc_ro}/login.defs r,
@{etc_ro}/login.defs.d/{,*} r,
/etc/subgid r, /etc/subgid r,
@{PROC}/@{pids}/ r, @{PROC}/@{pids}/ r,

2
apparmor.d/groups/shadow/newuidmap
View file

@ -18,6 +18,8 @@ profile newuidmap @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{etc_ro}/login.defs r,
@{etc_ro}/login.defs.d/{,*} r,
/etc/subuid r, /etc/subuid r,
@{PROC}/@{pids}/ r, @{PROC}/@{pids}/ r,

28
apparmor.d/profiles-a-f/calibre
View file

@ -15,9 +15,10 @@ profile calibre @{exec_path} {
include <abstractions/bus-accessibility> include <abstractions/bus-accessibility>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus/org.a11y> include <abstractions/bus/org.a11y>
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/bus/org.freedesktop.UDisks2> include <abstractions/bus/org.freedesktop.UDisks2>
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/bus/org.kde.StatusNotifierWatcher> include <abstractions/bus/org.kde.StatusNotifierWatcher>
include <abstractions/dconf-write>
include <abstractions/desktop> include <abstractions/desktop>
include <abstractions/devices-usb> include <abstractions/devices-usb>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
@ -35,11 +36,13 @@ profile calibre @{exec_path} {
capability sys_ptrace, capability sys_ptrace,
network inet dgram,
network inet stream, network inet stream,
network inet6 dgram,
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
unix (send, receive) type=stream peer=(addr=none, label=xorg), # unix (send, receive) type=stream peer=(addr=none, label=xorg),
unix (bind, listen) type=stream addr="@*-calibre-gui.socket", unix (bind, listen) type=stream addr="@*-calibre-gui.socket",
unix (bind) type=stream addr="@calibre-*", unix (bind) type=stream addr="@calibre-*",
@ -47,9 +50,10 @@ profile calibre @{exec_path} {
@{sh_path} rix, @{sh_path} rix,
@{python_path} rix, @{python_path} rix,
@{bin}/env r,
@{bin}/file rix, @{bin}/file rix,
@{sbin}/ldconfig{,.real} rix,
@{bin}/uname rix, @{bin}/uname rix,
@{sbin}/ldconfig{,.real} rix,
@{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix, @{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix,
@{bin}/pdftoppm rPUx, # (#FIXME#) @{bin}/pdftoppm rPUx, # (#FIXME#)
@ -61,6 +65,7 @@ profile calibre @{exec_path} {
/usr/share/calibre/{,**} r, /usr/share/calibre/{,**} r,
/etc/fstab r, /etc/fstab r,
/etc/httpd/conf/mime.types r,
/etc/inputrc r, /etc/inputrc r,
/etc/magic r, /etc/magic r,
/etc/mime.types r, /etc/mime.types r,
@ -68,10 +73,15 @@ profile calibre @{exec_path} {
owner @{HOME}/ r, owner @{HOME}/ r,
owner "@{HOME}/Calibre Library/{,**}" rw, owner "@{HOME}/Calibre Library/{,**}" rw,
owner "@{HOME}/Calibre Library/metadata.db" rwk, owner "@{HOME}/Calibre Library/metadata.db" rwk,
owner @{user_documents_dirs}/{,**} rwl,
owner @{user_books_dirs}/{,**} rwl, owner @{user_books_dirs}/{,**} rwl,
owner @{user_books_dirs}/Calibre/** rwk,
owner @{user_documents_dirs}/{,**} rwl,
owner @{user_documents_dirs}/Calibre/** rwk,
owner @{user_torrents_dirs}/{,**} rwl, owner @{user_torrents_dirs}/{,**} rwl,
owner @{user_torrents_dirs}/Calibre/** rwk,
owner @{user_work_dirs}/{,**} rwl, owner @{user_work_dirs}/{,**} rwl,
owner @{user_work_dirs}/Calibre/** rwk,
owner @{user_config_dirs}/calibre/ rw, owner @{user_config_dirs}/calibre/ rw,
owner @{user_config_dirs}/calibre/** rwk, owner @{user_config_dirs}/calibre/** rwk,
@ -82,10 +92,11 @@ profile calibre @{exec_path} {
owner @{user_cache_dirs}/calibre/ rw, owner @{user_cache_dirs}/calibre/ rw,
owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**, owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**,
owner @{tmp}/calibre_*_tmp_*/{,**} rw, owner @{tmp}/@{rand8} rw,
owner @{tmp}/calibre-*/{,**} rw, audit owner @{tmp}/@{int}-*/ rw,
owner @{tmp}/@{int}-*/ rw, audit owner @{tmp}/@{int}-*/** rwl,
owner @{tmp}/@{int}-*/** rwl, audit owner @{tmp}/calibre_@{rand8}_tmp_*/{,**} rw,
audit owner @{tmp}/calibre-@{rand8}/{,**} rw,
owner /dev/shm/#@{int} rw, owner /dev/shm/#@{int} rw,
@ -108,6 +119,7 @@ profile calibre @{exec_path} {
owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/status r, owner @{PROC}/@{pid}/task/@{tid}/status r,
/dev/tty r,
owner /dev/tty@{int} rw, owner /dev/tty@{int} rw,
include if exists <local/calibre> include if exists <local/calibre>

1
apparmor.d/profiles-m-r/mdevctl
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/mdevctl @{exec_path} = @{bin}/mdevctl
profile mdevctl @{exec_path} { profile mdevctl @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr, @{exec_path} mr,

14
apparmor.d/profiles-m-r/metadata-cleaner
View file

@ -9,9 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/metadata-cleaner @{exec_path} = @{bin}/metadata-cleaner
profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { profile metadata-cleaner @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/common/gnome>
include <abstractions/gnome-strict>
include <abstractions/graphics>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/python> include <abstractions/python>
include <abstractions/user-read-strict> include <abstractions/user-read-strict>
@ -20,12 +18,10 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{python_path} rix, @{python_path} rix,
@{bin}/bwrap rCx -> bwrap, @{bin}/bwrap Cx -> bwrap,
@{open_path} rPx -> child-open-help, @{open_path} Px -> child-open-help,
/usr/share/metadata-cleaner/{,**} r,
/usr/share/metadata-cleaner/src/metadatacleaner/{,*/}__pycache__/ w, /usr/share/metadata-cleaner/src/metadatacleaner/{,*/}__pycache__/ w,
/usr/share/poppler/{,**} r, /usr/share/poppler/{,**} r,
/etc/httpd/conf/mime.types r, /etc/httpd/conf/mime.types r,
@ -38,10 +34,8 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) {
@{run}/mount/utab r, @{run}/mount/utab r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
deny owner @{user_share_dirs}/gvfs-metadata/* r, deny owner @{user_share_dirs}/gvfs-metadata/* r,
deny owner @{user_cache_dirs}/thumbnails/** r, deny owner @{user_cache_dirs}/thumbnails/** r,
@ -51,7 +45,7 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) {
include <abstractions/common/bwrap> include <abstractions/common/bwrap>
include <abstractions/perl> include <abstractions/perl>
signal (receive) set=(kill) peer=metadata-cleaner, signal receive set=(kill) peer=metadata-cleaner,
@{bin}/bwrap mr, @{bin}/bwrap mr,
@{bin}/vendor_perl/exiftool rix, @{bin}/vendor_perl/exiftool rix,

8
apparmor.d/profiles-s-z/totem
View file

@ -14,6 +14,7 @@ profile totem @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus/org.gnome.SessionManager> include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/common/gnome> include <abstractions/common/gnome>
include <abstractions/gstreamer> include <abstractions/gstreamer>
include <abstractions/thumbnails-cache-write>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
network netlink raw, network netlink raw,
@ -67,6 +68,10 @@ profile totem @{exec_path} flags=(attach_disconnected) {
include <abstractions/gstreamer> include <abstractions/gstreamer>
capability dac_override, capability dac_override,
capability sys_ptrace,
network inet dgram,
network inet6 dgram,
@{bin}/bwrap mr, @{bin}/bwrap mr,
@{bin}/totem-video-thumbnailer rix, @{bin}/totem-video-thumbnailer rix,
@ -78,8 +83,11 @@ profile totem @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/flatpak-seccomp-@{rand6} rw, owner @{tmp}/flatpak-seccomp-@{rand6} rw,
owner @{tmp}/gnome-desktop-file-to-thumbnail.* rw, owner @{tmp}/gnome-desktop-file-to-thumbnail.* rw,
owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw,
owner @{tmp}/gnome-desktop-thumbnailer.png rw,
@{PROC}/sys/vm/mmap_min_addr r, @{PROC}/sys/vm/mmap_min_addr r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/comm w, owner @{PROC}/@{pid}/task/@{tid}/comm w,
/dev/ r, /dev/ r,

18
apparmor.d/profiles-s-z/xsane-gimp
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Roman Beslik <me@beroal.in.ua> # Copyright (C) 2024 Roman Beslik <me@beroal.in.ua>
# Copyright (C) 2024-2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>, abi <abi/4.0>,
@ -10,27 +11,30 @@ include <tunables/global>
profile xsane-gimp @{exec_path} { profile xsane-gimp @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/devices-usb> include <abstractions/devices-usb>
include <abstractions/gnome-strict> include <abstractions/desktop>
signal (receive) set=(term, kill) peer=gimp,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
network netlink raw, network netlink raw,
signal receive set=(term, kill) peer=gimp,
@{exec_path} mr, @{exec_path} mr,
@{system_share_dirs}/gimp/{,**} r, @{system_share_dirs}/gimp/{,**} r,
@{system_share_dirs}/sane/xsane/{,**} r, @{system_share_dirs}/sane/xsane/{,**} r,
@{system_share_dirs}/snmp/mibs/{,**} r, # network @{system_share_dirs}/snmp/mibs/{,**} r,
/etc/sane.d/{,**} r, /etc/sane.d/{,**} r,
owner @{HOME}/.sane/{,**} rw, owner @{HOME}/.sane/{,**} rw,
owner @{tmp}/xsane-*-@{rand6} rw, owner @{tmp}/xsane-*-@{rand6} rw,
@{sys}/devices/@{pci}/{model,type,vendor} r,
@{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r,
# SCSI
@{sys}/bus/scsi/devices/ r, @{sys}/bus/scsi/devices/ r,
@{sys}/devices/@{pci}/{model,type,vendor} r,
@{PROC}/scsi/scsi r, @{PROC}/scsi/scsi r,
@{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r,
include if exists <local/xsane-gimp> include if exists <local/xsane-gimp>
} }

22
dists/flags/main.flags
View file

@ -9,7 +9,6 @@ systemd attach_disconnected,mediate_deleted,complain
systemd-service attach_disconnected,complain systemd-service attach_disconnected,complain
systemd-user attach_disconnected,mediate_deleted,complain systemd-user attach_disconnected,mediate_deleted,complain
aa-notify complain
akonadi_akonotes_resource complain akonadi_akonotes_resource complain
akonadi_archivemail_agent complain akonadi_archivemail_agent complain
akonadi_birthdays_resource complain akonadi_birthdays_resource complain
@ -106,7 +105,6 @@ filezilla complain
finalrd complain finalrd complain
firewall-applet attach_disconnected,complain firewall-applet attach_disconnected,complain
firewall-config complain firewall-config complain
firewalld attach_disconnected,complain
flameshot complain flameshot complain
flatpak attach_disconnected,mediate_deleted,complain flatpak attach_disconnected,mediate_deleted,complain
flatpak-app attach_disconnected,mediate_deleted,complain flatpak-app attach_disconnected,mediate_deleted,complain
@ -117,29 +115,20 @@ flatpak-system-helper complain
flatpak-validate-icon complain flatpak-validate-icon complain
fstrim complain fstrim complain
fuse-overlayfs complain fuse-overlayfs complain
fusermount complain
gdk-pixbuf-thumbnailer complain gdk-pixbuf-thumbnailer complain
gdm-generate-config complain gdm-generate-config complain
gdm-runtime-config complain gdm-runtime-config complain
gdm-session attach_disconnected,complain gdm-session attach_disconnected,complain
gdm-xsession complain gdm-xsession complain
gimp complain
gmenudbusmenuproxy complain gmenudbusmenuproxy complain
gnome-browser-connector-host complain gnome-browser-connector-host complain
gnome-control-center attach_disconnected,complain gnome-control-center attach_disconnected,complain
gnome-control-center-goa-helper complain gnome-control-center-goa-helper complain
gnome-disk-image-mounter complain gnome-disk-image-mounter complain
gnome-disks complain
gnome-extension-gsconnect complain gnome-extension-gsconnect complain
gnome-extension-manager complain gnome-extension-manager complain
gnome-initial-setup complain gnome-initial-setup complain
gnome-music attach_disconnected,complain
gnome-photos-thumbnailer complain
gnome-remote-desktop-daemon complain gnome-remote-desktop-daemon complain
gnome-software complain
gnome-system-monitor attach_disconnected,complain
gnome-terminal-server complain
gnome-tweaks complain
grub-bios-setup complain grub-bios-setup complain
grub-editenv complain grub-editenv complain
grub-file complain grub-file complain
@ -173,8 +162,8 @@ gsettings complain
gvfsd-dav complain gvfsd-dav complain
gvfsd-wsdd complain gvfsd-wsdd complain
hostnamectl complain hostnamectl complain
hyprctl complain hyprctl attach_disconnected,complain
hyprlock complain hyprlock attach_disconnected,complain
hyprpaper attach_disconnected,complain hyprpaper attach_disconnected,complain
hyprpicker complain hyprpicker complain
hyprpm complain hyprpm complain
@ -184,7 +173,6 @@ im-launch complain
install-info complain install-info complain
iwctl complain iwctl complain
iwd complain iwd complain
jitterentropy-rngd complain
kaccess complain kaccess complain
kactivitymanagerd complain kactivitymanagerd complain
kalendarac complain kalendarac complain
@ -202,7 +190,6 @@ kded complain
kernel-install complain kernel-install complain
keyboxd complain keyboxd complain
kglobalacceld complain kglobalacceld complain
kgx complain
kio_http_cache_cleaner complain kio_http_cache_cleaner complain
kiod complain kiod complain
kioworker complain kioworker complain
@ -238,9 +225,6 @@ lvmdump complain
lvmpolld complain lvmpolld complain
man complain man complain
mate-notification-daemon complain mate-notification-daemon complain
mdevctl complain
metadata-cleaner attach_disconnected,complain
mke2fs complain
ModemManager attach_disconnected,complain ModemManager attach_disconnected,complain
mount attach_disconnected,complain mount attach_disconnected,complain
multipath attach_disconnected,complain multipath attach_disconnected,complain
@ -357,7 +341,6 @@ systemd-network-generator complain
systemd-nsresourced complain systemd-nsresourced complain
systemd-nsresourcework complain systemd-nsresourcework complain
systemd-portabled complain systemd-portabled complain
systemd-remount-fs complain
systemd-resolve complain systemd-resolve complain
systemd-shutdown complain systemd-shutdown complain
systemd-sleep-tlp complain systemd-sleep-tlp complain
@ -408,6 +391,5 @@ xdm-xsession complain
xembedsniproxy complain xembedsniproxy complain
xfce-session attach_disconnected,complain xfce-session attach_disconnected,complain
xsettingsd complain xsettingsd complain
xwaylandvideobridge complain
zpool complain zpool complain