Merge branch 'main' into main

This commit is contained in:
Alex 2025-09-07 20:59:54 +02:00 committed by GitHub
commit 6664390e57
496 changed files with 4091 additions and 1219 deletions


@ -47,11 +47,6 @@ jobs:
if [[ ${{ matrix.mode }} == full-system-policy ]]; then
sed -e "s/just complain/just fsp-complain/" -i debian/rules
fi
if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then
# Test with Re-attach disconnected path
sed -e 's;// builder.Register("attach");builder.Register("attach");' -i pkg/prebuild/cli/cli.go
sed -e '/@{att}/d' -i apparmor.d/tunables/multiarch.d/system
fi
bash dists/build.sh dpkg
- name: Install apparmor.d
@ -83,7 +78,7 @@ jobs:
tests:
runs-on: ubuntu-24.04
needs: build
if: github.ref == 'refs/heads/dev'
if: github.ref_name == 'dev' || github.event_name == 'workflow_dispatch'
steps:
- name: Check out repository code
uses: actions/checkout@v4
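Review bot: The new gate on the `tests` job, `github.ref_name == 'dev'`, also matches a tag named `dev`, whereas the replaced `github.ref == 'refs/heads/dev'` matched only the branch. If the intent is "the dev branch, plus manual runs", keeping the full ref avoids the ambiguity: `if: github.ref == 'refs/heads/dev' || github.event_name == 'workflow_dispatch'`. The `tests` job's step list continues outside the hunk, so I cannot see whether anything downstream relies on the branch-only assumption.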

1
.gitignore vendored

@ -1,6 +1,7 @@
# Build
.build
.logs
.pkg
tests/tldr
tests/tldr.tar.gz

115
Justfile

@ -5,7 +5,7 @@
# Usage: `just`
# See https://apparmor.pujol.io/development/ for more information.
# Build setings
# Build settings
destdir := "/"
build := ".build"
pkgdest := `pwd` / ".pkg"
@ -49,44 +49,44 @@ c := "--connect=qemu:///system"
# VM prefix
prefix := "aa-"
[doc('Show this help message')]
# Show this help message
help:
@just --list --unsorted
@printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information."
# Build the go programs
[group('build')]
[doc('Build the go programs')]
build:
@go build -o {{build}}/ ./cmd/aa-log
@go build -o {{build}}/ ./cmd/prebuild
# Prebuild the profiles in enforced mode
[group('build')]
[doc('Prebuild the profiles in enforced mode')]
enforce: build
@./{{build}}/prebuild
@./{{build}}/prebuild --buildir {{build}}
# Prebuild the profiles in complain mode
[group('build')]
[doc('Prebuild the profiles in complain mode')]
complain: build
@./{{build}}/prebuild --complain
./{{build}}/prebuild --buildir {{build}} --complain
# Prebuild the profiles in FSP mode
[group('build')]
[doc('Prebuild the profiles in FSP mode')]
fsp: build
@./{{build}}/prebuild --full
@./{{build}}/prebuild --buildir {{build}} --full
# Prebuild the profiles in FSP mode (complain)
[group('build')]
[doc('Prebuild the profiles in FSP mode (complain)')]
fsp-complain: build
@./{{build}}/prebuild --complain --full
@./{{build}}/prebuild --buildir {{build}} --complain --full
# Prebuild the profiles in FSP mode (debug)
[group('build')]
[doc('Prebuild the profiles in FSP mode (debug)')]
fsp-debug: build
@./{{build}}/prebuild --complain --full --debug
@./{{build}}/prebuild --buildir {{build}} --complain --full --debug
# Install prebuild profiles
[group('install')]
[doc('Install prebuild profiles')]
install:
#!/usr/bin/env bash
set -eu -o pipefail
@ -113,8 +113,8 @@ install:
install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf"
done
# Locally install prebuild profiles
[group('install')]
[doc('Locally install prebuild profiles')]
local +names:
#!/usr/bin/env bash
set -eu -o pipefail
@ -135,39 +135,39 @@ local +names:
done;
systemctl restart apparmor || sudo journalctl -xeu apparmor.service
# Prebuild, install, and load a dev profile
[group('install')]
[doc('Prebuild, install, and load a dev profile')]
dev name:
go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}`
sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}}
sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service
# Build & install apparmor.d on Arch based systems
[group('packages')]
[doc('Build & install apparmor.d on Arch based systems')]
pkg:
@makepkg --syncdeps --install --cleanbuild --force --noconfirm
# Build & install apparmor.d on Debian based systems
[group('packages')]
[doc('Build & install apparmor.d on Debian based systems')]
dpkg:
@bash dists/build.sh dpkg
@sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb
# Build & install apparmor.d on OpenSUSE based systems
[group('packages')]
[doc('Build & install apparmor.d on OpenSUSE based systems')]
rpm:
@bash dists/build.sh rpm
@sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm
# Run the unit tests
[group('tests')]
[doc('Run the unit tests')]
tests:
@go test ./cmd/... -v -cover -coverprofile=coverage.out
@go test ./pkg/... -v -cover -coverprofile=coverage.out
@go tool cover -func=coverage.out
# Run the linters
[group('linter')]
[doc('Run the linters')]
lint:
golangci-lint run
packer fmt tests/packer/
@ -177,34 +177,34 @@ lint:
tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \
debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm
# Run style checks on the profiles
[group('linter')]
[doc('Run style checks on the profiles')]
check:
@bash tests/check.sh
# Generate the man pages
[group('docs')]
[doc('Generate the man pages')]
man:
@pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md
# Build the documentation
[group('docs')]
[doc('Build the documentation')]
docs:
@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict
# Serve the documentation
[group('docs')]
[doc('Serve the documentation')]
serve:
@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve
[doc('Remove all build artifacts')]
# Remove all build artifacts
clean:
@rm -rf \
debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \
{{pkgdest}}/{{pkgname}}* {{build}} coverage.out
# Build the package in a clean OCI container
[group('packages')]
[doc('Build the package in a clean OCI container')]
package dist:
#!/usr/bin/env bash
set -eu -o pipefail
@ -219,8 +219,8 @@ package dist:
fi
bash dists/docker.sh $dist $version
# Build the VM image
[group('vm')]
[doc('Build the VM image')]
img dist flavor: (package dist)
@mkdir -p {{base_dir}}
packer build -force \
@ -237,8 +237,8 @@ img dist flavor: (package dist)
-var output_dir={{output_dir}} \
tests/packer/
# Create the machine
[group('vm')]
[doc('Create the machine')]
create dist flavor:
@cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2
@virt-install {{c}} \
@ -251,62 +251,63 @@ create dist flavor:
--memorybacking source.type=memfd,access.mode=shared \
--disk path={{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2,format=qcow2,bus=virtio \
--filesystem "`pwd`,0a31bc478ef8e2461a4b1cc10a24cc4",accessmode=passthrough,driver.type=virtiofs \
--os-variant "`just get_osinfo {{dist}}`" \
--os-variant "`just _get_osinfo {{dist}}`" \
--graphics spice \
--audio id=1,type=spice \
--sound model=ich9 \
--noautoconsole
# Start a machine
[group('vm')]
[doc('Start a machine')]
up dist flavor:
@virsh {{c}} start {{prefix}}{{dist}}-{{flavor}}
# Stops the machine
[group('vm')]
[doc('Stops the machine')]
halt dist flavor:
@virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}}
# Reboot the machine
[group('vm')]
[doc('Reboot the machine')]
reboot dist flavor:
@virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}}
# Destroy the machine
[group('vm')]
[doc('Destroy the machine')]
destroy dist flavor:
@virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true
@virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram
@rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2
# Connect to the machine
[group('vm')]
[doc('Connect to the machine')]
ssh dist flavor:
@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}`
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}`
# Mount the shared directory on the machine
[group('vm')]
[doc('Mount the shared directory on the machine')]
mount dist flavor:
@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4'
# Unmout the shared directory on the machine
[group('vm')]
[doc('Unmout the shared directory on the machine')]
umount dist flavor:
@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true'
# List the machines
[group('vm')]
[doc('List the machines')]
list:
@printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State"
@virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g'
# List the VM images
[group('vm')]
[doc('List the VM images')]
images:
#!/usr/bin/env bash
set -eu -o pipefail
mkdir -p {{base_dir}}
ls -lh {{base_dir}} | awk '
BEGIN {
printf("{{BOLD}}%-18s %-10s %-5s %s{{NORMAL}}\n", "Distribution", "Flavor", "Size", "Date")
@ -319,8 +320,8 @@ images:
}
'
# List the VM images that can be created
[group('vm')]
[doc('List the VM images that can be created')]
available:
#!/usr/bin/env bash
set -eu -o pipefail
@ -336,49 +337,47 @@ available:
}
'
# Install dependencies for the integration tests
[group('tests')]
[doc('Install dependencies for the integration tests')]
init:
@bash tests/requirements.sh
# Run the integration tests
[group('tests')]
[doc('Run the integration tests')]
integration:
bats --recursive --timing --print-output-on-failure tests/integration
integration name="":
bats --recursive --timing --print-output-on-failure tests/integration/{{name}}
# Install dependencies for the integration tests (machine)
[group('tests')]
[doc('Install dependencies for the integration tests (machine)')]
tests-init dist flavor:
@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init
# Synchronize the integration tests (machine)
[group('tests')]
[doc('Synchronize the integration tests (machine)')]
tests-sync dist flavor:
@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/
# Re-synchronize the integration tests (machine)
[group('tests')]
[doc('Re-synchronize the integration tests (machine)')]
tests-resync dist flavor: (mount dist flavor) \
(tests-sync dist flavor) \
(umount dist flavor)
# Run the integration tests (machine)
[group('tests')]
[doc('Run the integration tests (machine)')]
tests-run dist flavor name="": (tests-resync dist flavor)
ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
bats --recursive --pretty --timing --print-output-on-failure \
/home/{{username}}/Projects/tests/integration/{{name}}
[private]
get_ip dist flavor:
_get_ip dist flavor:
@virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \
head -1 | \
grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}'
[private]
get_osinfo dist:
_get_osinfo dist:
#!/usr/bin/env python3
osinfo = {
"archlinux": "archlinux",
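Review bot: In the `complain` recipe the rewritten line `./{{build}}/prebuild --buildir {{build}} --complain` dropped the leading `@` that `enforce`, `fsp`, `fsp-complain` and `fsp-debug` keep on their rewritten `prebuild` lines, so this one recipe echoes its command while its siblings stay quiet. Unless the echo is wanted here, restore it: `@./{{build}}/prebuild --buildir {{build}} --complain`. The new `integration name=""` recipe also interpolates `{{name}}` into `tests/integration/{{name}}` unquoted; writing `"tests/integration/{{name}}"` keeps a name with spaces from splitting into extra bats arguments.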

111
PKGBUILD

@ -3,8 +3,15 @@
# Warning: for development only, use https://aur.archlinux.org/packages/apparmor.d-git for production use.
pkgname=apparmor.d
pkgver=0.001
pkgbase=apparmor.d
pkgname=(
apparmor.d
# apparmor.d.enforced
# apparmor.d.fsp apparmor.d.fsp.enforced
# apparmor.d.server apparmor.d.server.enforced
# apparmor.d.server.fsp apparmor.d.server.fsp.enforced
)
pkgver=0.0001
pkgrel=1
pkgdesc="Full set of apparmor profiles"
arch=('x86_64' 'armv6h' 'armv7h' 'aarch64')
@ -12,10 +19,9 @@ url="https://github.com/roddhjav/apparmor.d"
license=('GPL-2.0-only')
depends=('apparmor>=4.1.0' 'apparmor<5.0.0')
makedepends=('go' 'git' 'rsync' 'just')
conflicts=("$pkgname-git")
pkgver() {
cd "$srcdir/$pkgname"
cd "$srcdir/$pkgbase"
echo "0.$(git rev-list --count HEAD)"
}
@ -24,17 +30,104 @@ prepare() {
}
build() {
cd "$srcdir/$pkgname"
cd "$srcdir/$pkgbase"
export CGO_CPPFLAGS="${CPPFLAGS}"
export CGO_CFLAGS="${CFLAGS}"
export CGO_CXXFLAGS="${CXXFLAGS}"
export CGO_LDFLAGS="${LDFLAGS}"
export GOPATH="${srcdir}"
export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
export DISTRIBUTION=arch
just complain
local -A modes=(
# Mapping of modes to just build target.
[default]=complain
# [enforced]=enforce
# [fsp]=fsp-complain
# [fsp.enforced]=fsp
# [server]=server-complain
# [server.enforced]=server
# [server.fsp]=server-fsp-complain
# [server.fsp.enforced]=server-fsp
)
for mode in "${!modes[@]}"; do
just build=".build/$mode" "${modes[$mode]}"
done
}
package() {
cd "$srcdir/$pkgname"
just destdir="$pkgdir" install
_conflicts() {
local mode="$1"
local pattern=".$mode"
if [[ "$mode" == "default" ]]; then
pattern=""
else
echo "$pkgbase"
fi
for pkg in "${pkgname[@]}"; do
if [[ "$pkg" == "${pkgbase}${pattern}" ]]; then
continue
fi
echo "$pkg"
done
}
_install() {
local mode="${1:?}"
cd "$srcdir/$pkgbase"
just build=".build/$mode" destdir="$pkgdir" install
}
package_apparmor.d() {
mode=default
pkgdesc="$pkgdesc (complain mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
}
package_apparmor.d.enforced() {
mode=enforced
pkgdesc="$pkgdesc (enforced mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
}
package_apparmor.d.fsp() {
mode="fsp"
pkgdesc="$pkgdesc (FSP mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
}
package_apparmor.d.fsp.enforced() {
mode="fsp.enforced"
pkgdesc="$pkgdesc (FSP enforced mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
}
package_apparmor.d.server() {
mode="server"
pkgdesc="$pkgdesc (server complain mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
}
package_apparmor.d.server.enforced() {
mode="server.enforced"
pkgdesc="$pkgdesc (server enforced mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
}
package_apparmor.d.server.fsp() {
mode="server.fsp"
pkgdesc="$pkgdesc (server FSP complain mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
}
package_apparmor.d.server.fsp.enforced() {
mode="server.fsp.enforced"
pkgdesc="$pkgdesc (server FSP enforced mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
}
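Review bot: `_conflicts` never emits `${pkgbase}-git`, so the `conflicts=("$pkgname-git")` the previous version declared is gone for every split package even though the header comment still points users at the AUR `-git` package. For a non-default mode it also prints `$pkgbase` twice, once from the `else` branch and again from the loop, because `apparmor.d` is itself an element of `pkgname`. Replacing the `else echo "$pkgbase"` branch with an unconditional `echo "${pkgbase}-git"` ahead of the loop fixes both, assuming the `-git` conflict is still wanted. The `package_*` functions additionally assign `mode=...` without `local`, unlike `_install`; `local mode=default` matches the helpers' style.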


@ -0,0 +1,30 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Kernel Fusion Driver for AMD GPUs
abi <abi/4.0>,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r,
@{sys}/devices/virtual/kfd/kfd/dev r,
@{sys}/devices/virtual/kfd/kfd/topology/ r,
@{sys}/devices/virtual/kfd/kfd/topology/generation_id r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/ r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/caches/@{int}/properties r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/gpu_id r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/io_links/@{int}/properties r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/mem_banks/@{int}/properties r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r,
@{sys}/devices/virtual/kfd/kfd/topology/system_properties r,
@{sys}/devices/virtual/kfd/kfd/uevent r,
@{sys}/module/amdgpu/initstate r,
/dev/kfd rw,
include if exists <abstractions/amdgpu.d>
# vim:syntax=apparmor
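Review bot: Two rules in the new abstraction are duplicated: `@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r,` appears both near the top and inside the sorted topology block, and the same holds for `@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r,`. Dropping the two leading copies leaves one sorted list and avoids duplicate-rule noise when the file is checked. `/dev/kfd rw,` is the rule that actually grants compute access to the driver; a one-line comment such as `# Compute access to the KFD device node` would make the abstraction's scope clear to the profiles that include it.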


@ -25,34 +25,26 @@
include <abstractions/bus/org.bluez>
include <abstractions/bus/org.freedesktop.Avahi>
include <abstractions/bus/org.freedesktop.FileManager1>
include <abstractions/bus/org.freedesktop.Notifications>
include <abstractions/bus/org.freedesktop.ScreenSaver>
include <abstractions/bus/org.freedesktop.secrets>
include <abstractions/bus/org.freedesktop.UPower>
include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
include <abstractions/bus/org.gnome.ScreenSaver>
include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/bus/org.kde.kwalletd>
include <abstractions/camera>
include <abstractions/common/chromium>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/devices-usb>
include <abstractions/fontconfig-cache-read>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/notifications>
include <abstractions/screensaver>
include <abstractions/ssl_certs>
include <abstractions/thumbnails-cache-read>
include <abstractions/uim>
include <abstractions/user-download-strict>
include <abstractions/user-read-strict>
include <abstractions/video>
userns,
capability setgid,
capability setuid,
capability sys_admin,
capability sys_chroot,
capability sys_ptrace,
network inet dgram,
network inet6 dgram,
@ -112,21 +104,12 @@
/etc/fstab r,
/etc/{,opensc/}opensc.conf r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/ r,
owner @{HOME}/ r,
owner @{HOME}/.pki/ rw,
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
owner @{user_cache_dirs}/gtk-3.0/**/*.cache r,
owner @{user_config_dirs}/gtk-3.0/servers r,
owner @{user_share_dirs}/.@{domain}.@{rand6} rw,
owner @{user_share_dirs}/icons/hicolor/.xdg-icon-resource-dummy w,
owner @{config_dirs}/ rw,
@ -151,10 +134,7 @@
/tmp/ r,
/var/tmp/ r,
owner @{tmp}/.@{domain}.@{rand6} rw,
owner @{tmp}/.@{domain}.@{rand6}/{,**} rw,
owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw,
owner @{tmp}/scoped_dir@{rand6}/{,**} rw,
owner @{tmp}/tmp.@{rand10} rw,
owner @{tmp}/tmp.@{rand6} rw,
owner @{tmp}/tmp.@{rand6}/ rw,
@ -163,9 +143,6 @@
owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw,
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw,
/dev/shm/ r,
owner /dev/shm/.@{domain}.@{rand6} rw,
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{sys}/bus/ r,
@ -175,10 +152,7 @@
@{sys}/devices/@{pci}/boot_vga r,
@{sys}/devices/@{pci}/report_descriptor r,
@{sys}/devices/**/uevent r,
@{sys}/devices/system/cpu/kernel_max r,
@{sys}/devices/virtual/**/report_descriptor r,
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_name} r,
@{sys}/devices/virtual/tty/tty@{int}/active r,
@{PROC}/ r,
@{PROC}/@{pid}/fd/ r,
@ -192,18 +166,15 @@
owner @{PROC}/@{pid}/clear_refs w,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/limits r,
owner @{PROC}/@{pid}/mem r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/smaps_rollup r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
owner @{PROC}/@{pid}/uid_map w,
/dev/ r,
/dev/hidraw@{int} rw,


@ -12,9 +12,10 @@
@{sh_path} rix,
@{bin}/nvim mrix,
@{bin}/sensible-editor mr,
@{bin}/vim{,.*} mrix,
@{bin}/vim* mrix,
@{bin}/which{,.debianutils} rix,
/usr/share/doc/{,**} r,
/usr/share/nvim/{,**} r,
/usr/share/terminfo/** r,
/usr/share/vim/{,**} r,
@ -24,8 +25,9 @@
/etc/xdg/nvim/* r,
owner @{HOME}/.selected_editor r,
owner @{HOME}/.viminf@{c}{,.tmp} rw,
owner @{HOME}/.vim/{after/,}spell/{,**} rw,
owner @{HOME}/.vim/** r,
owner @{HOME}/.viminf@{c}{,.tmp} rw,
owner @{HOME}/.vimrc r,
owner @{HOME}/ r,
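Review bot: Replacing `@{bin}/vim{,.*} mrix,` with `@{bin}/vim* mrix,` turns an enumerable allow-list (`vim` and its `vim.<variant>` alternatives) into a prefix match over everything in `@{bin}` that starts with `vim`, run under the caller's profile via `ix`. If the goal is to cover the `vimdiff`/`vimtutor` wrapper names, listing them keeps the rule enumerable: `@{bin}/vim{,.*,diff,tutor} mrix,`. Likewise the new `/usr/share/doc/{,**} r,` grants read access to every installed package's documentation; if only vim's help files are needed, a rule scoped to the vim doc directories would be narrower.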


@ -21,8 +21,9 @@
include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.FileManager1>
include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/bus/org.freedesktop.timedate1>
include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/bus/org.freedesktop.RealtimeKit1>
include <abstractions/bus/org.freedesktop.timedate1>
include <abstractions/cups-client>
include <abstractions/dconf-write>
include <abstractions/desktop>
@ -98,8 +99,12 @@
/var/tmp/ r,
owner @{tmp}/@{name}/ rw,
owner @{tmp}/@{name}/* rwk,
owner @{tmp}/@{rand6}.tmp rw,
owner @{tmp}/firefox/ rw,
owner @{tmp}/firefox/* rwk,
owner @{tmp}/mozilla* rw,
owner @{tmp}/mozilla*/ rw,
owner @{tmp}/mozilla*/* rwk,
owner @{tmp}/remote-settings-startup-bundle- rw,
owner @{tmp}/remote-settings-startup-bundle-.tmp rw,
owner @{tmp}/Temp-@{uuid}/ rw,
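Review bot: `owner @{tmp}/@{rand6}.tmp rw,` matches any owner-owned six-character `.tmp` file in the temp directory, and nothing in the rule ties it to firefox. A short comment naming the feature that produces these files, or the denial that motivated the rule, would let a future maintainer judge whether it is still needed. If the actual filename pattern firefox writes is known, using it instead of the bare `@{rand6}.tmp` would keep the rule from also covering other programs' temp files.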


@ -7,6 +7,8 @@
abi <abi/4.0>,
include <abstractions/bus-session>
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/desktop>
# We cannot use `@{open_path} mrix,` here because it includes:
@ -30,11 +32,9 @@
include <abstractions/audio-client>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/bus/org.a11y>
include <abstractions/graphics>
/etc/xdg/menus/ r,
include <abstractions/nameservice-strict>
owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},


@ -21,6 +21,8 @@
/usr/share/file/misc/** r,
/usr/share/nvim/{,**} r,
@{etc_ro}/lesskey.bin r,
@{HOME}/.lesshst r,
owner @{HOME}/ r,
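Review bot: The new `@{HOME}/.lesshst r,` lacks the `owner` qualifier that the adjacent `owner @{HOME}/ r,` carries, so it also permits reading other users' less history wherever their home directory is readable. `owner @{HOME}/.lesshst r,` keeps it consistent with its neighbour. If write denials for the same file show up later, the rule should stay `owner`-scoped when it is widened to `rw`.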


@ -19,11 +19,13 @@
@{sys}/devices/system/node/node@{int}/meminfo r,
@{PROC}/ r,
@{PROC}/@{pid}/status r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/stat r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/tty/drivers r,
@{PROC}/uptime r,
include if exists <abstractions/app/pgrep.d>
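Review bot: `@{PROC}/@{pids}/environ r,` lets every profile that includes this abstraction read the environment of other processes, which routinely carries credentials and tokens, and the hunk does not say which pgrep feature needs it. A comment naming that feature (`# environ: needed for <pgrep option> — TODO confirm`) would let reviewers check whether the rule can be dropped or narrowed later. The kernel's own ptrace access check still applies to `environ`, so the practical exposure is mostly same-user or privileged processes, but the abstraction should still state why the rule is there.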


@ -8,12 +8,14 @@
abi <abi/4.0>,
include <abstractions/base-strict>
include <abstractions/base>
@{att}/@{run}/systemd/journal/dev-log w,
@{att}/@{run}/systemd/journal/socket w,
@{att}/@{run}/systemd/journal/stdout rw,
@{att}/dev/null rw,
/apparmor/.null rw,
@{att}/apparmor/.null rw,


@ -67,8 +67,9 @@
# Allow unconfined processes to us via unix sockets
unix receive peer=(label=unconfined),
# Allow communication to children profiles
# Allow communication to children and stacked profiles
signal peer=@{profile_name}//*,
signal peer=@{profile_name}//&*,
unix type=stream peer=(label=@{profile_name}//*),
# Allow us to create abstract and anonymous sockets
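Review bot: The comment now reads "Allow communication to children and stacked profiles", but only the `signal` rule gained the `@{profile_name}//&*` form; the `unix type=stream peer=(label=@{profile_name}//*)` rule on the following line still names children only. Either the stacked case also needs `unix type=stream peer=(label=@{profile_name}//&*),`, or the comment should keep to what the rules actually allow. The unix line is context here, so I cannot tell which was intended.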


@ -8,20 +8,20 @@
signal receive peer=@{p_systemd_user},
# Allow to receive some signals from new well-known profiles
signal (receive) peer=btop,
signal (receive) peer=htop,
signal (receive) peer=pkill,
signal (receive) peer=sudo,
signal (receive) peer=top,
signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown,
signal (receive) set=(hup term) peer=login,
signal (receive) set=(hup) peer=xinit,
signal (receive) set=(term,kill) peer=gnome-shell,
signal (receive) set=(term,kill) peer=gnome-system-monitor,
signal (receive) set=(term,kill) peer=openbox,
signal (receive) set=(term,kill) peer=su,
signal receive peer=btop,
signal receive peer=htop,
signal receive peer=pkill,
signal receive peer=sudo,
signal receive peer=top,
signal receive set=(cont,term,kill,stop) peer=systemd-shutdown,
signal receive set=(hup term) peer=login,
signal receive set=(hup) peer=xinit,
signal receive set=(term,kill) peer=gnome-shell,
signal receive set=(term,kill) peer=gnome-system-monitor,
signal receive set=(term,kill) peer=openbox,
signal receive set=(term,kill) peer=su,
ptrace (readby) peer=@{p_systemd_coredump},
ptrace readby peer=@{p_systemd_coredump},
@{etc_rw}/localtime r,
/etc/locale.conf r,
@ -30,4 +30,6 @@
@{PROC}/sys/kernel/core_pattern r,
/apparmor/.null rw,
# vim:syntax=apparmor
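Review bot: The line added by the second hunk appears to be `/apparmor/.null rw,`, spelled without the `@{att}` prefix, while another abstraction in this same commit rewrites the identical rule as `@{att}/apparmor/.null rw,`. If this file is also meant to serve re-attached profiles, `@{att}/apparmor/.null rw,` keeps the two in step; if not, a short comment on why the plain path is used here would pre-empt the question. The first hunk only drops the parentheses around `receive` and `readby`, a syntax normalisation with no permission change.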


@ -20,6 +20,6 @@
member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
include if exists <abstractions/bus/own-accessibility.d>
include if exists <abstractions/bus/accessibility/own.d>
# vim:syntax=apparmor


@ -31,6 +31,11 @@
member=Embed
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry),
# Session bus
dbus send bus=session path=/org/a11y/bus
@ -38,6 +43,11 @@
member=GetAll
peer=(name=@{busname}, label="@{p_dbus_accessibility}"),
dbus send bus=session path=/org/a11y/bus
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
dbus send bus=session path=/org/a11y/bus
interface=org.a11y.Bus
member=Get
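Review bot: The added `dbus send ... member=Embed peer=(name=org.a11y.atspi.Registry)` is the unlabelled twin of the rule just above it, which pins the peer to `label="@{p_at_spi2_registryd}"`; without the label, any process that holds the `org.a11y.atspi.Registry` name may receive the Embed call. If the rule exists for systems where the registry runs unconfined, say so in a comment (`# registryd may be unconfined on some distributions`) so the relaxation is not mistaken for an oversight. `peer=(name=org.a11y.atspi.Registry, label=unconfined)` would cover that case while still excluding confined processes that acquire the name.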


@ -8,8 +8,8 @@
dbus send bus=system path=/org/freedesktop/Accounts
interface=org.freedesktop.Accounts
member={FindUserByName,ListCachedUsers}
peer=(name="@{busname}", label="@{p_accounts_daemon}"),
member={FindUserByName,ListCachedUsers,FindUserById}
peer=(name="{@{busname},org.freedesktop.Accounts}", label="@{p_accounts_daemon}"),
dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
interface=org.freedesktop.Accounts.User


@ -23,7 +23,7 @@
dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
interface=org.freedesktop.Avahi.ServiceBrowser
member={ItemNew,AllForNow,CacheExhausted}
member={ItemNew,ItemRemove,AllForNow,CacheExhausted}
peer=(name="@{busname}", label="@{p_avahi_daemon}"),
dbus receive bus=system path=/


@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allow for color managed applications to communicate with colord
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}"
@ -21,6 +23,11 @@
member={DeviceAdded,DeviceRemoved}
peer=(name="@{busname}", label="@{p_colord}"),
dbus (receive, send) bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.ColorManager
member=FindDeviceByProperty
peer=(name="@{busname}", label="@{p_colord}"),
include if exists <abstractions/bus/org.freedesktop.ColorManager.d>
# vim:syntax=apparmor
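Review bot: `FindDeviceByProperty` is a method the confined application calls on colord, so `dbus send` is all the client needs; the `(receive, send)` access on the new rule additionally permits receiving that message, a direction only the colord service itself would see. The neighbouring `{DeviceAdded,DeviceRemoved}` rule is a signal and rightly uses `receive`, which is probably where the pattern was copied from. Suggested: `dbus send bus=system path=/org/freedesktop/ColorManager` with the rest of the rule unchanged.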


@ -6,6 +6,11 @@
#aa:dbus common bus=session name=org.freedesktop.FileManager1 label=nautilus
dbus send bus=session path=/org/freedesktop/FileManager1
interface=org.freedesktop.FileManager1
member=ShowItems
peer=(name=org.freedesktop.FileManager1, label=nautilus),
include if exists <abstractions/bus/org.freedesktop.FileManager1.d>
# vim:syntax=apparmor


@ -1,26 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=session name=org.freedesktop.Notifications label=gjs-console
dbus send bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member={GetCapabilities,GetServerInformation,Notify}
peer=(name="@{busname}", label=gjs-console),
dbus receive bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member={NotificationClosed,CloseNotification}
peer=(name="@{busname}", label=gjs-console),
dbus receive bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member=Notify
peer=(name=org.freedesktop.DBus, label=gjs-console),
include if exists <abstractions/bus/org.freedesktop.Notifications.d>
# vim:syntax=apparmor


@ -1,14 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/ScreenSaver
interface=org.freedesktop.ScreenSaver
member={Inhibit,UnInhibit}
peer=(name=org.freedesktop.ScreenSaver),
include if exists <abstractions/bus/org.freedesktop.ScreenSaver.d>
# vim:syntax=apparmor


@ -2,10 +2,13 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Can query UPower for power devices, history and statistics.
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}"
# Find all devices monitored by UPower
dbus send bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=EnumerateDevices
@ -13,7 +16,12 @@
dbus send bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.DBus.Properties
member=GetDisplayDevice
member={GetDisplayDevice,GetCriticalAction}
peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"),
dbus send bus=system path=/org/freedesktop/UPower/devices/**
interface=org.freedesktop.UPower.Device
member={GetHistory,Refresh}
peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"),
dbus receive bus=system path=/org/freedesktop/UPower
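Review bot: The rule rewritten to `member={GetDisplayDevice,GetCriticalAction}` still sits under `interface=org.freedesktop.DBus.Properties`, but both members are methods of the `org.freedesktop.UPower` interface, so as written the rule is unlikely to match the real call unless a broader rule outside this hunk covers it. Changing that rule to `interface=org.freedesktop.UPower`, or folding the two members into the `EnumerateDevices` rule above which already targets that interface, should fix it. The interface line is context, so the mismatch predates this commit; it is worth correcting while the member list is being touched.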


@ -5,6 +5,7 @@
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}"
dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties
member=Get


@ -11,31 +11,51 @@
member=Read
peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=@{busname}, label=xdg-desktop-portal),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Settings
member={Read,ReadAll}
peer=(name="@{busname}", label=xdg-desktop-portal),
peer=(name=@{busname}, label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Settings
member=SettingChanged
peer=(name="@{busname}", label=xdg-desktop-portal),
peer=(name=@{busname}, label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop
dbus receive bus=session path=/org/freedesktop/portal/desktop{,/**}
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="@{busname}", label=xdg-desktop-portal),
peer=(name=@{busname}, label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.impl.portal.Settings
member={Read,ReadAll}
peer=(name="@{busname}", label=xdg-desktop-portal),
peer=(name=@{busname}, label=xdg-desktop-portal),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.host.portal.Registry
member=Register
peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop/**
interface=org.freedesktop.portal.Request
member=Response
peer=(name=@{busname}, label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Inhibit
member={StateChanged,CreateMonitor}
peer=(name=@{busname}, label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop/session/**
interface=org.freedesktop.impl.portal.Session
member=Close
peer=(name=@{busname}, label=xdg-desktop-portal),
include if exists <abstractions/bus/org.freedesktop.portal.Desktop.d>
# vim:syntax=apparmor
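Review bot: In the new `org.freedesktop.portal.Inhibit` rule, `CreateMonitor` is a method the application invokes while `StateChanged` is the signal it receives in return; putting both under `dbus receive` grants the wrong direction for the method and, unless a `send` rule outside this hunk already covers it, leaves the actual call unmatched. Keep `dbus receive ... member=StateChanged` and add `dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Inhibit member=CreateMonitor peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),`. The Properties receive path was also widened to `/org/freedesktop/portal/desktop{,/**}`; a one-line comment on which sub-object needs it would help the next reader.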


@ -4,12 +4,12 @@
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}"
#aa-dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}"
dbus send bus=system path=/org/freedesktop/resolve1
interface=org.freedesktop.resolve1.Manager
member={SetLink*,ResolveHostname}
peer=(name="{@{busname},org.freedesktop.resolve1}", label="@{p_systemd_resolved}"),
member={ResolveAddress,ResolveHostname,ResolveRecord,ResolveService}
peer=(name=org.freedesktop.resolve1, label="@{p_systemd_resolved}"),
include if exists <abstractions/bus/org.freedesktop.resolve1.d>
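Review bot: `#aa:dbus common bus=system ...` appears to become `#aa-dbus common ...`; every other abstraction in this commit keeps the `#aa:` spelling, which looks like the marker the prebuild directives are keyed on, so this line probably stops being processed as a directive. If disabling it is deliberate because the hand-written `dbus send` rule below now covers the resolver methods, a comment saying so would stop the next reader from "fixing" it; if not, restore `#aa:dbus`. Narrowing the member list from `{SetLink*,ResolveHostname}` to the four `Resolve*` methods is a welcome tightening, since the `SetLink*` methods reconfigure per-link DNS.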


@ -8,8 +8,8 @@
dbus send bus=session path=/org/freedesktop/secrets
interface=org.freedesktop.Secret.Service
member={OpenSession,GetSecrets,SearchItems,ReadAlias}
peer=(name="@{busname}", label=gnome-keyring-daemon),
member={OpenSession,GetSecrets,SearchItems,Unlock,ReadAlias}
peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon),
dbus send bus=session path=/org/freedesktop/secrets/aliases/default
interface=org.freedesktop.Secret.Collection


@ -6,7 +6,7 @@
#aa:dbus common bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
dbus send bus=session path=/org/freedesktop/systemd1
dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member={GetUnit,GetUnitByPIDFD,StartUnit,StartTransientUnit}
peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),


@ -1,16 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=GetUnit
peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"),
include if exists <abstractions/bus/org.freedesktop.systemd1-session.d>
# vim:syntax=apparmor


@ -13,8 +13,8 @@
dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core
interface=org.gnome.Mutter.IdleMonitor
member={AddIdleWatch,AddUserActiveWatch,RemoveWatch}
peer=(name="@{busname}", label=gnome-shell),
member={AddIdleWatch,AddUserActiveWatch,RemoveWatch,GetIdletime}
peer=(name="{@{busname},org.gnome.Mutter.IdleMonitor}", label=gnome-shell),
dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core
interface=org.gnome.Mutter.IdleMonitor


@ -13,6 +13,11 @@
member={RegisterClient,IsSessionRunning}
peer=(name="@{busname}", label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member={Inhibit,Uninhibit}
peer=(name="@{busname}", label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member={Setenv,IsSessionRunning}


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allow requesting interest in receiving media key events. This tells Gnome
# settings that our application should be notified when key events we are
# interested in are pressed, and allows us to receive those events.
abi <abi/4.0>,
# DBus.Properties: read all properties from the interface
dbus send bus=session path=/org/gnome/SettingsDaemon/MediaKeys
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys),
dbus (receive, send) bus=session path=/org/gnome/SettingsDaemon/MediaKeys
interface=org.gnome.SettingsDaemon.MediaKeys
peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys),
include if exists <abstractions/bus/org.gnome.SettingsDaemon.MediaKeys.d>
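Review bot: The `dbus (receive, send)` rule on `interface=org.gnome.SettingsDaemon.MediaKeys` has no `member=`, so it permits every method and signal on that interface in both directions, which is wider than the "request interest in receiving media key events" the header comment describes. Restrict it to what the comment promises, `member={GrabMediaPlayerKeys,ReleaseMediaPlayerKeys,MediaPlayerKeyPressed}`, confirming the list against gsd-media-keys' introspection data before landing. The peer is already pinned to `label=gsd-media-keys`, so the exposure is small, but the member list is what documents intent for the next reader.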
# vim:syntax=apparmor


@ -6,6 +6,16 @@
#aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell
dbus receive bus=session path=/org/gnome/Characters/SearchProvider
interface=org.gnome.Shell.SearchProvider2
member={GetInitialResultSet,GetSubsearchResultSet,GetResultMetas}
peer=(name=@{busname}, label=gnome-shell),
dbus receive bus=session path=/org/gnome/Characters/SearchProvider
interface=org.gnome.Shell.SearchProvider2
member=*Cancel
peer=(name=@{busname}, label=gnome-shell),
include if exists <abstractions/bus/org.gnome.Shell.SearchProvider2.d>
# vim:syntax=apparmor


@ -0,0 +1,26 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allow accessing the GNOME crypto services prompt APIs as used by
# applications using libgcr (such as pinentry-gnome3) for secure pin
# entry to unlock GPG keys etc. See:
# https://developer.gnome.org/gcr/unstable/GcrPrompt.html
# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html
# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711
abi <abi/4.0>,
dbus send bus=session path=/org/gnome/keyring/Prompter
interface=org.gnome.keyring.internal.Prompter
member={BeginPrompting,PerformPrompt,StopPrompting}
peer=(name=@{busname}, label=pinentry-*),
dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int}
interface=org.gnome.keyring.internal.Prompter.Callback
member={PromptReady,PromptDone}
peer=(name=@{busname}, label=pinentry-*),
include if exists <abstractions/bus/org.gnome.keyring.internal.Prompter.d>
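Review bot: The `peer=(name=@{busname}, label=pinentry-*)` on both rules does not match the direction the rules describe: a client sends `BeginPrompting`/`PerformPrompt`/`StopPrompting` to the prompter service and receives the `Prompter.Callback` methods back from it, so the peer on both rules is the process owning `/org/gnome/keyring/Prompter`, not pinentry — the header comment itself names pinentry-gnome3 as a user of this abstraction. Unless the abstraction is meant to be included by the prompter's own profile (in which case the send/receive directions would need swapping), the label should be that of the prompter implementation, e.g. `peer=(name=@{busname}, label=gcr-prompter)`; confirm the profile name this repository uses for the prompter binary. If callers address the well-known name rather than a unique name, the send rule's `name=` will also need `org.gnome.keyring.SystemPrompter`.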
# vim:syntax=apparmor


@ -7,7 +7,7 @@
dbus send bus=session path=/org/gtk/vfs/Daemon
interface=org.gtk.vfs.Daemon
member={GetConnection,ListMonitorImplementations,ListMountableInfo}
peer=(name="@{busname}", label=gvfsd),
peer=(name=@{busname}, label=gvfsd),
dbus receive bus=session path=/org/gtk/vfs/Daemon
interface=org.gtk.vfs.Daemon


@ -21,7 +21,7 @@
dbus receive bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=Mounted
member={Mounted,Unmounted}
peer=(name="@{busname}", label=gvfsd),
include if exists <abstractions/bus/org.gtk.vfs.MountTracker.d>


@ -4,6 +4,30 @@
abi <abi/4.0>,
include <abstractions/bus/session/own>
dbus bind bus=session name=org.kde.StatusNotifierItem-@{int},
dbus send bus=session path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem
peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
dbus send bus=session path=/StatusNotifierItem
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
dbus send bus=session path=/{StatusNotifierItem,org/ayatana/NotificationItem/*}
interface=org.kde.StatusNotifierItem
member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip}
peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
include if exists <abstractions/bus/org.kde.StatusNotifierItem.d>
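Review bot: The last `Properties.Get` rule on `/StatusNotifierWatcher` pins the peer to `label=gnome-shell`, while the three rules above address the same watcher as `label="@{pp_app_indicator}"`; on a Plasma session, where the watcher is hosted by plasmashell, that `Get` would be denied. Unless gnome-shell is the only host that answers it, use `peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),` for consistency with the rest of the file.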
# vim:syntax=apparmor


@ -2,14 +2,52 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allow to display Status Notifier Items in the KDE Plasma systray
abi <abi/4.0>,
#aa:dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell
#aa-dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell
dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
dbus receive bus=session path=/StatusNotifierItem
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label="@{pp_app_indicator}"),
dbus send bus=session path=/{StatusNotifierItem/menu,org/ayatana/NotificationItem/*/Menu}
interface=com.canonical.dbusmenu
member={LayoutUpdated,ItemsPropertiesUpdated}
peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
dbus receive bus=session path=/{StatusNotifierItem,StatusNotifierItem/menu,org/ayatana/NotificationItem/**}
interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu}
member={Get*,AboutTo*,Event*}
peer=(label="@{pp_app_indicator}"),
dbus send bus=session path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem
peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell),
peer=(label="@{pp_app_indicator}"),
dbus receive bus=session path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member={ProvideXdgActivationToken,Activate}
peer=(label="@{pp_app_indicator}"),
dbus receive bus=session path=/MenuBar
interface=com.canonical.dbusmenu
member={AboutToShow,GetLayout,Event}
peer=(label="@{pp_app_indicator}"),
include if exists <abstractions/bus/org.kde.StatusNotifierWatcher.d>
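Review bot: Whichever of the two `#aa:dbus common … label=gnome-shell` / `#aa-dbus common … label=gnome-shell` directive lines is the new side, it hardcodes gnome-shell as the watcher's label, while every explicit rule in the file (and the header comment about the KDE Plasma systray) uses `@{pp_app_indicator}`, so the generated common rules will not cover plasmashell. If the prebuild directive accepts a variable, use `label="@{pp_app_indicator}"` there as well; otherwise a comment should state that the common rules are GNOME-only. The `member={Get*,AboutTo*,Event*}` receive rule is broad, but since it only admits calls from the indicator host a one-line comment saying so is enough.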


@ -4,27 +4,34 @@
abi <abi/4.0>,
#aa-dbus common bus=session name=org.mpris.MediaPlayer2.Player label=unconfined
# DBus.Properties: read all properties from the interface
dbus send bus=system path=/org/mpris/MediaPlayer2
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name=@{busname}),
# DBus.Properties: receive property changed events
dbus receive bus=session path=/org/mpris/MediaPlayer2
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=@{busname}),
# DBus.Introspectable: allow clients to introspect the service
dbus send bus=system path=/org/mpris/MediaPlayer2
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=@{busname}),
dbus receive bus=session path=/org/mpris/MediaPlayer2
interface=org.mpris.MediaPlayer2.Player
member={Seeked,Next,PlayPause}
peer=(name=@{busname}),
# https://specifications.freedesktop.org/mpris-spec/latest/Player_Interface.html#Signal:Seeked
dbus send bus=session path=/org/mpris/MediaPlayer2
interface=org.mpris.MediaPlayer2.Player
member=Seeked
peer=(name=@{busname}),
dbus send bus=session path=/org/mpris/MediaPlayer2
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=@{busname}),
dbus send bus=session path=/org/mpris/MediaPlayer2
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=@{busname}),
peer=(name=org.freedesktop.DBus),
include if exists <abstractions/bus/org.mpris.MediaPlayer2.Player.d>
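Review bot: The two `dbus send bus=system path=/org/mpris/MediaPlayer2` rules (the Properties `Get`/`GetAll` rule and the `Introspect` rule) name the system bus, while every other rule in this abstraction, and the MPRIS specification it links to, use the session bus; unless something exports MPRIS on the system bus this is a copy-paste slip that grants nothing useful and leaves the intended session-bus reads unpermitted. Change both to `dbus send bus=session path=/org/mpris/MediaPlayer2`. Separately, `peer=(name=@{busname})` without a `label=` accepts any session peer, which is probably deliberate for a generic player abstraction but deserves a comment saying so.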


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=session name=org.freedesktop.Notifications label="@{pp_notification}"
dbus send bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.Notifications
member={GetCapabilities,GetServerInformation,Notify,CloseNotification}
peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"),
dbus receive bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.Notifications
member={ActionInvoked,NotificationClosed,NotificationReplied}
peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"),
include if exists <abstractions/bus/session/org.freedesktop.Notifications.d>
# vim:syntax=apparmor


@ -0,0 +1,26 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allow checking status, activating and locking the screensaver
abi <abi/4.0>,
dbus send bus=session path=/ScreenSaver
interface=org.freedesktop.ScreenSaver
member={Inhibit,UnInhibit}
peer=(name=org.freedesktop.ScreenSaver),
dbus send bus=session path=/{,org/freedesktop/}ScreenSaver
interface=org.freedesktop.ScreenSaver
member={GetActive,GetActiveTime,Lock,SetActive}
peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"),
dbus receive bus=session path=/org/freedesktop/ScreenSaver
interface=org.freedesktop.ScreenSaver
member={ActiveChanged,WakeUpScreen}
peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"),
include if exists <abstractions/bus/session/org.freedesktop.ScreenSaver.d>
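Review bot: The `Inhibit`/`UnInhibit` rule is the only one in this file whose peer has no `label=` and whose path is just `/ScreenSaver`, whereas the `GetActive…SetActive` rule below matches `/{,org/freedesktop/}ScreenSaver` and pins the peer to `{gsd-screensaver-proxy,ksmserver,kwin_wayland}`. If the asymmetry is intentional (for example so unconfined screensavers can still be inhibited), a comment should say so; otherwise align it with `dbus send bus=session path=/{,org/freedesktop/}ScreenSaver` and `peer=(name=org.freedesktop.ScreenSaver, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"),`.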
# vim:syntax=apparmor


@ -0,0 +1,26 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=GetUnit
peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"),
dbus send bus=session path=/org/freedesktop/systemd1/unit/app_*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=StartTransientUnit
peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),
include if exists <abstractions/bus/session/org.freedesktop.systemd1.d>
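Review bot: `StartTransientUnit` on the user manager lets the caller define a unit with its own `ExecStart=` and have `systemd --user` run it outside the calling profile's confinement, so this abstraction is effectively a confinement escape for every profile that includes it; the `GetAll` on `/org/freedesktop/systemd1/unit/app_*` suggests the intended consumer is a launcher placing apps into `app-*` scopes, which is a much narrower need than the rule expresses. The rule should carry a caveat, e.g. `# StartTransientUnit can run arbitrary ExecStart= under systemd --user, outside this profile; include only in launcher-type profiles`, and should stay out of the broad desktop abstractions unless every consumer genuinely needs it.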
# vim:syntax=apparmor


@ -2,20 +2,20 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allow checking status, activating and locking the screensaver (GNOME version)
abi <abi/4.0>,
#aa:dbus common bus=session name=org.gnome.ScreenSaver label=gjs-console
dbus send bus=session path=/org/gnome/ScreenSaver
dbus send bus=session path=/{,org/gnome/}ScreenSaver
interface=org.gnome.ScreenSaver
member=GetActive
peer=(name="@{busname}", label=gjs-console),
member={GetActive,GetActiveTime,Lock,SetActive}
peer=(name=@{busname}, label=gjs-console),
dbus receive bus=session path=/org/gnome/ScreenSaver
interface=org.gnome.ScreenSaver
member={ActiveChanged,WakeUpScreen}
peer=(name="@{busname}", label=gjs-console),
peer=(name=@{busname}, label=gjs-console),
include if exists <abstractions/bus/org.gnome.ScreenSaver.d>
include if exists <abstractions/bus/session/org.gnome.ScreenSaver.d>
# vim:syntax=apparmor


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus receive bus=session
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=@{busname}, label=gnome-shell),
dbus receive bus=session
interface=org.gtk.Actions
member={Activate,DescribeAll,SetState},
dbus send bus=session
interface=org.gtk.Actions
member=Changed,
include if exists <abstractions/bus/session/org.gtk.Actions.d>
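Review bot: The `org.gtk.Actions` receive rule carries no `peer=` at all, so any session-bus client may call `Activate`/`SetState` on the including application's exported actions, while the `GetAll` rule just above it is pinned to `label=gnome-shell`; it also has no `path=`, unlike the sibling `org.gtk.Settings` abstraction in this change. The inline rule in abstractions/gtk that this appears to replace carried `peer=(name=@{busname})`; at minimum restore that, and pin to the launcher if only gnome-shell is expected to drive actions: `peer=(name=@{busname}, label=gnome-shell),`.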
# vim:syntax=apparmor


@ -8,9 +8,9 @@
dbus send bus=session path=/org/gtk/Notifications
interface=org.gtk.Notifications
member=RemoveNotification
member={AddNotification,RemoveNotification}
peer=(name=org.gtk.Notifications, label=gnome-shell),
include if exists <abstractions/bus/org.gtk.Notifications.d>
include if exists <abstractions/bus/session/org.gtk.Notifications.d>
# vim:syntax=apparmor


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/gtk/Settings
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=@{busname}, label=gsd-xsettings),
dbus receive bus=session path=/org/gtk/Settings
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=@{busname}, label=gsd-xsettings),
include if exists <abstractions/bus/session/org.gtk.Settings.d>
# vim:syntax=apparmor


@ -20,6 +20,6 @@
member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
include if exists <abstractions/bus/own-session.d>
include if exists <abstractions/bus/session/own.d>
# vim:syntax=apparmor


@ -20,6 +20,6 @@
member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
include if exists <abstractions/bus/own-system.d>
include if exists <abstractions/bus/system/own.d>
# vim:syntax=apparmor


@ -0,0 +1,35 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allows access to all cameras
abi <abi/4.0>,
# Allow detection of cameras. Leaks plugged in USB device info
@{sys}/bus/usb/devices/ r,
@{sys}/devices/@{pci}/usb@{int}/**/busnum r,
@{sys}/devices/@{pci}/usb@{int}/**/devnum r,
@{sys}/devices/@{pci}/usb@{int}/**/idProduct r,
@{sys}/devices/@{pci}/usb@{int}/**/idVendor r,
@{sys}/devices/@{pci}/usb@{int}/**/interface r,
@{sys}/devices/@{pci}/usb@{int}/**/modalias r,
@{sys}/devices/@{pci}/usb@{int}/**/speed r,
@{sys}/class/video4linux/ r,
@{sys}/devices/**/video4linux/** r,
@{sys}/devices/**/video4linux/video@{int}/ r,
@{sys}/devices/**/video4linux/video@{int}/uevent r,
@{run}/udev/data/+usb:* r, # Identifies all USB devices
@{run}/udev/data/c81:@{int} r, # For video4linux
# VideoCore cameras (shared device with VideoCore/EGL)
/dev/vchiq rw,
# Access to video /dev devices
/dev/video@{int} rw,
include if exists <abstractions/camera.d>
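Review bot: `@{sys}/devices/**/video4linux/** r` already matches everything the two lines after it (`video@{int}/` and `video@{int}/uevent`) allow, so those two are dead rules and can be dropped. The header says "all cameras", but `/dev/video@{int} rw` covers every V4L2 node — capture cards, TV tuners and loopback devices too — and `/dev/vchiq rw` is the general VideoCore firmware channel on Raspberry Pi, not a camera-only device, so consumers deserve a caveat, e.g. `# /dev/video* also matches non-camera V4L2 devices; /dev/vchiq exposes GPU/firmware services beyond the camera`.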
# vim:syntax=apparmor


@ -16,6 +16,7 @@
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/org.a11y>
include <abstractions/camera>
include <abstractions/consoles>
include <abstractions/cups-client>
include <abstractions/desktop>
@ -28,8 +29,8 @@
include <abstractions/nameservice-strict>
include <abstractions/p11-kit>
include <abstractions/path>
include <abstractions/sqlite>
include <abstractions/ssl_certs>
include <abstractions/video>
dbus bus=accessibility,
dbus bus=session,
@ -63,11 +64,10 @@
owner @{tmp}/** rmwk,
owner /dev/shm/** rwlk -> /dev/shm/**,
owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**,
owner /var/tmp/etilqs_@{sqlhex} rw,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.
@{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket.
@{run}/host/{,**} r,
@{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket.
@{run}/utmp rk,
@ -114,6 +114,7 @@
@{PROC}/sys/kernel/sched_autogroup_enabled r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/sys/net/core/bpf_jit_enable r,
@{PROC}/sys/net/core/somaxconn r,
@{PROC}/uptime r,
@{PROC}/version r,
@{PROC}/zoneinfo r,
@ -131,10 +132,16 @@
owner @{PROC}/@{pid}/net/if_inet6 r,
owner @{PROC}/@{pid}/oom_score_adj rw,
owner @{PROC}/@{pid}/pagemap r,
owner @{PROC}/@{pid}/smaps_rollup r,
owner @{PROC}/@{pid}/statm r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
@{att}/dev/dri/card@{int} rw,
@{att}/dev/dri/renderD128 rw,
@{att}/dev/dri/renderD129 rw,
owner @{att}/dev/shm/@{uuid} r,
/dev/hidraw@{int} rw,
/dev/input/ r,
/dev/input/event@{int} rw,
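Review bot: `@{att}/dev/dri/renderD128 rw` and `@{att}/dev/dri/renderD129 rw` are literal while the `card@{int}` line above them is generalised; render nodes are numbered from 128 upward, so a third GPU (or a differently enumerated pair) is denied for no stated reason. Unless the two-device limit is deliberate, replace both with `@{att}/dev/dri/renderD@{int} rw,`. Whether the `@{att}/` forms are needed at all depends on the profile's `attach_disconnected` flag, which is outside this hunk.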


@ -7,6 +7,7 @@
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/usr/share/dpkg/varianttable r,
/etc/apt/apt.conf r,
/etc/apt/apt.conf.d/{,*} r,


@ -38,12 +38,14 @@
pivot_root oldroot=/newroot/ /newroot/,
pivot_root oldroot=/tmp/oldroot/ /tmp/,
owner / r,
owner /newroot/{,**} w,
owner /tmp/newroot/ w,
owner /tmp/oldroot/ w,
@{att}/ r,
@{att}/@{run}/.userns r,
@{PROC}/sys/kernel/overflowgid r,
@{PROC}/sys/kernel/overflowuid r,
@{PROC}/sys/user/max_user_namespaces r,


@ -4,7 +4,13 @@
# SPDX-License-Identifier: GPL-2.0-only
# This abstraction is for chromium based application. Chromium based browsers
# need to use abstractions/chromium instead.
# need to use abstractions/app/chromium instead.
# It works as a *function* and requires a variable to be provided as *arguments*
# and set in the header of the calling profile. Example:
#
# @{domain} = org.chromium.Chromium
#
abi <abi/4.0>,
@ -22,19 +28,24 @@
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw,
owner @{user_share_dirs}/.@{domain}.@{rand6} rw,
/tmp/ r,
/var/tmp/ r,
owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
owner @{tmp}/.org.chromium.Chromium.@{rand6}/{,**} rw,
owner @{tmp}/.@{domain}.@{rand6} rw,
owner @{tmp}/.@{domain}.@{rand6}/ rw,
owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie w,
owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket w,
owner @{tmp}/scoped_dir@{rand6}/ rw,
owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w,
owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w,
owner @{tmp}/scoped_dir@{rand6}/SS w,
/dev/shm/ r,
owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
owner /dev/shm/.@{domain}.@{rand6} rw,
@{sys}/devices/system/cpu/kernel_max r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/tty/tty@{int}/active r,
# If kernel.unprivileged_userns_clone = 1
owner @{PROC}/@{pid}/setgroups w,


@ -7,27 +7,22 @@
# in the header of the calling profile. Example:
#
# @{name} = spotify
# @{lib_dirs} = /opt/@{name}
# @{domain} = org.chromium.chromium
# @{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/
# @{config_dirs} = @{user_config_dirs}/@{name}
# @{cache_dirs} = @{user_cache_dirs}/@{name}
#
abi <abi/4.0>,
include <abstractions/common/chromium>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/fontconfig-cache-read>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
userns,
capability setgid, # If kernel.unprivileged_userns_clone = 1
capability setuid, # If kernel.unprivileged_userns_clone = 1
capability sys_admin,
capability sys_chroot,
capability sys_ptrace,
@{bin}/electron rix,
@{bin}/electron@{int} rix,
@{lib}/electron@{int}/{,**} r,
@ -47,31 +42,14 @@
owner @{cache_dirs}/ rw,
owner @{cache_dirs}/** rwlk -> @{cache_dirs}/**,
owner @{HOME}/.pki/ rw,
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
owner @{user_config_dirs}/electron-flags.conf r,
owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw,
owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
owner @{tmp}/.org.chromium.Chromium.@{rand6}/ rw,
owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonCookie w,
owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonSocket w,
owner @{tmp}/scoped_dir@{rand6}/ rw,
owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w,
owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w,
owner @{tmp}/scoped_dir@{rand6}/SS w,
/dev/shm/ r,
owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
@{sys}/devices/system/cpu/kernel_max r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/tty/tty@{int}/active r,
@{sys}/fs/cgroup/user.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
@{PROC}/ r,
@{PROC}/@{pid}/stat r,
@ -81,15 +59,12 @@
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/oom_score_adj rw,
owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/statm r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
deny @{user_share_dirs}/gvfs-metadata/* r,


@ -9,6 +9,8 @@
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/dconf-write>
include <abstractions/gnome-strict>
include <abstractions/graphics>


@ -9,10 +9,15 @@
abi <abi/4.0>,
include <abstractions/desktop-files>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gschemas>
include <abstractions/gtk>
include <abstractions/icons>
include <abstractions/mime>
include <abstractions/qt5>
include <abstractions/recently-used>
include <abstractions/user-dirs>
include <abstractions/wayland>
include <abstractions/X-strict>
include <abstractions/xdg-desktop>
@ -24,16 +29,11 @@
member=Introspect
peer=(name=@{busname}, label=gnome-shell),
/usr/{local/,}share/ r,
/usr/{local/,}share/glib-@{version}/schemas/** r,
/usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r,
@{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r,
/etc/gnome/* r,
/etc/xdg/{,*-}mimeapps.list r,
/var/cache/gio-@{version}/gnome-mimeapps.list r,
/ r, # deny?
/ r,
owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
@ -63,6 +63,9 @@
owner @{user_config_dirs}/kdedefaults/kwinrc r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwinrc r,
owner @{user_config_dirs}/session/ rw,
owner @{user_config_dirs}/session/@{profile_name}* rwlk,
owner @{user_config_dirs}/session/#@{int} rw,
owner @{user_config_dirs}/trashrc r,
# else if @{DE} == xfce
@ -75,7 +78,7 @@
# end
/usr/share/desktop-base/{,**} r,
/usr/share/hwdata/*.ids r,
/usr/share/hwdata/*.ids r, # FIXME: a bit too wide
/usr/share/icu/@{int}.@{int}/*.dat r,
include if exists <abstractions/desktop.d>


@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2009 Canonical Ltd.
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
@{system_share_dirs}/applications/{,**} r,
@{system_share_dirs}/*ubuntu/applications/{,**} r,
@{system_share_dirs}/gnome/applications/{,**} r,
@{system_share_dirs}/xfce4/applications/{,**} r,
/etc/gnome/defaults.list r,
/etc/xfce4/defaults.list r,
/etc/xdg/menus/ r,
/etc/xdg/menus/applications-merged/{,**} r,
/var/lib/snapd/desktop/applications/{,**} r,
owner @{user_share_dirs}/applications/{,**} r,
owner @{user_config_dirs}/menus/ r,
owner @{user_config_dirs}/menus/applications-merged/{,**} r,
include if exists <abstractions/desktop-files.d>
# vim:syntax=apparmor


@ -23,4 +23,9 @@
owner @{HOME}/.icons/{,**} r,
owner @{user_share_dirs}/#@{int} rw,
owner @{user_share_dirs}/recently-used.xbel rw,
owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl,
owner @{user_share_dirs}/recently-used.xbel.lock rwk,
# vim:syntax=apparmor

View file

@ -22,9 +22,15 @@
@{PROC}/stat r,
# Glibc's *printf protections read the maps file
@{PROC}/@{pid}/auxv r,
@{PROC}/@{pid}/maps r,
@{PROC}/@{pid}/status r,
owner @{PROC}/@{pid}/auxv r,
owner @{PROC}/@{pid}/maps r,
owner @{PROC}/@{pid}/status r,
# @{PROC}/@{pid}/map_files/ contains the same info than @{PROC}/@{pid}/maps,
# but in a format that is simpler to manage, because it doesn't require to
# parse the text data inside a file, but just reading the contents of
# a directory.
owner @{PROC}/@{pid}/map_files/ r,
# Glibc statvfs
@{PROC}/filesystems r,


@ -4,9 +4,15 @@
abi <abi/4.0>,
include <abstractions/desktop-files>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gschemas>
include <abstractions/gtk>
include <abstractions/icons>
include <abstractions/mime>
include <abstractions/qt5>
include <abstractions/recently-used>
include <abstractions/user-dirs>
include <abstractions/wayland>
include <abstractions/X-strict>
include <abstractions/xdg-desktop>
@ -20,14 +26,9 @@
/usr/share/hwdata/*.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/{local/,}share/ r,
/usr/{local/,}share/glib-@{int}.@{int}/schemas/** r,
/usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r,
@{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r,
/etc/gnome/* r,
/etc/xdg/{,*-}mimeapps.list r,
/var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
/ r,


@ -14,6 +14,7 @@
@{sys}/bus/pci/devices/ r,
@{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/* r,
@{sys}/devices/system/cpu/cpu@{int}/cpu_capacity r,
@{sys}/devices/system/cpu/cpu@{int}/online r,
@{sys}/devices/system/cpu/cpu@{int}/topology/* r,
@{sys}/devices/system/cpu/cpufreq/policy@{int}/* r,


@ -4,7 +4,13 @@
abi <abi/4.0>,
include <abstractions/amdgpu>
include <abstractions/graphics>
include <abstractions/oneapi>
@{sys}/devices/@{pci}/numa_node r,
@{PROC}/devices r,
/dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511
/dev/nvidia-uvm rw,


@ -0,0 +1,14 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2009 Canonical Ltd.
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
@{system_share_dirs}/ r,
@{system_share_dirs}/glib-2.0/schemas/ r,
@{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r,
include if exists <abstractions/gschemas.d>
# vim:syntax=apparmor


@ -2,23 +2,8 @@
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
dbus receive bus=session
interface=org.gtk.Actions
member={Activate,DescribeAll,SetState}
peer=(name=@{busname}),
dbus send bus=session
interface=org.gtk.Actions
member=Changed,
dbus send bus=session path=/org/gtk/Settings
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=@{busname}, label=gsd-xsettings),
dbus receive bus=session path=/org/gtk/Settings
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=@{busname}, label=gsd-xsettings),
include <abstractions/bus/session/org.gtk.Actions>
include <abstractions/bus/session/org.gtk.Settings>
@{lib}/{,@{multiarch}/}gtk*/** mr,


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2009 Canonical Ltd.
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
@{system_share_dirs}/icons/{,**} r,
@{system_share_dirs}/pixmaps/{,**} r,
/opt/**/share/icons/{,**} r,
/opt/*/**.desktop r,
/opt/*/**/*.png r,
/var/lib/snapd/desktop/icons/{,**} r,
owner @{HOME}/.icons/{,**} r,
owner @{user_share_dirs}/icons/{,**} r,
include if exists <abstractions/icons.d>
# vim:syntax=apparmor


@ -0,0 +1,14 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
/usr/share/java/{,**} r,
/etc/java/{,**} r,
/etc/java-*/{,**} r,
include if exists <abstractions/java.d>
# vim:syntax=apparmor


@ -4,10 +4,15 @@
abi <abi/4.0>,
include <abstractions/desktop-files>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gschemas>
include <abstractions/gtk>
include <abstractions/icons>
include <abstractions/mime>
include <abstractions/qt5>
include <abstractions/recently-used>
include <abstractions/user-dirs>
include <abstractions/wayland>
include <abstractions/X-strict>
include <abstractions/xdg-desktop>
@ -20,6 +25,7 @@
/usr/share/hwdata/*.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/knotifications{5,6}/*.notifyrc r,
/usr/share/kubuntu-default-settings/{,**} r, #aa:only ubuntu
/etc/xdg/baloofilerc r,
/etc/xdg/kcminputrc r,
@ -39,6 +45,9 @@
owner @{user_config_dirs}/kdedefaults/kwinrc r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwinrc r,
owner @{user_config_dirs}/session/ rw,
owner @{user_config_dirs}/session/*_* rwlk,
owner @{user_config_dirs}/session/#@{int} rw,
owner @{user_config_dirs}/trashrc r,
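Review bot: `owner @{user_config_dirs}/session/*_* rwlk` lets any profile including this abstraction read, write and link every other application's KDE session file, whereas the parallel rule added to abstractions/desktop in this same change is scoped with `@{profile_name}*`. Use the same form here, `owner @{user_config_dirs}/session/@{profile_name}* rwlk,`, so a confined app only touches its own session state; if `@{profile_name}` is not usable from this abstraction, a comment should say why the wide glob is required.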
owner @{user_share_dirs}/#@{int} rw,


@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Canonical Ltd
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allows access to media controller such as microphones, and video capture hardware.
# See: https://www.kernel.org/doc/Documentation/userspace-api/media/mediactl/media-controller-intro.rst
abi <abi/4.0>,
# Control of media devices
/dev/media@{int} rwk,
# Access to V4L subnodes configuration
# See https://www.kernel.org/doc/html/v4.12/media/uapi/v4l/dev-subdev.html
/dev/v4l-subdev@{int} rw,
include if exists <abstractions/media-control.d>
# vim:syntax=apparmor


@ -42,4 +42,6 @@
@{PROC}/sys/dev/xe/observation_paranoid r,
/dev/udmabuf rw, # In upstream, but not released yet
# vim:syntax=apparmor


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2009 Canonical Ltd.
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
@{system_share_dirs}/ r,
@{system_share_dirs}/mime/{,**} r,
/etc/mime.types r,
/etc/xdg/{,*-}mimeapps.list r,
/var/cache/gio-@{version}/{,*-}-mimeapps.list r,
owner @{user_config_dirs}/mimeapps.list r,
owner @{user_share_dirs}/mime/{,**} r,
include if exists <abstractions/mime.d>
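Review bot: `/var/cache/gio-@{version}/{,*-}-mimeapps.list r` has a doubled hyphen: it expands to `-mimeapps.list` or `<x>--mimeapps.list`, so it never matches the real `gnome-mimeapps.list` that the desktop abstractions elsewhere in this change read explicitly. Drop the stray hyphen, `/var/cache/gio-@{version}/{,*-}mimeapps.list r,`, matching the `/etc/xdg/{,*-}mimeapps.list` line just above it.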
# vim:syntax=apparmor


@ -0,0 +1,12 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <abstractions/bus/session/org.freedesktop.Notifications>
include <abstractions/bus/session/org.gtk.Notifications>
include if exists <abstractions/notifications.d>
# vim:syntax=apparmor


@ -35,7 +35,7 @@
owner @{PROC}/@{pid}/comm r,
owner @{PROC}/@{pid}/task/@{tid}/comm r,
/dev/char/195:@{int} w, # Nvidia graphics devices
/dev/char/195:@{u8} w, # Nvidia graphics devices
/dev/nvidia-modeset rw,
/dev/nvidia@{int} rw,
/dev/nvidiactl rw,


@ -8,6 +8,6 @@
/etc/nvidia/nvidia-application-profiles* r,
/dev/char/195:@{int} rw, # Nvidia graphics devices
/dev/char/195:@{u8} rw, # Nvidia graphics devices
# vim:syntax=apparmor


@ -0,0 +1,14 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Intel oneAPI compiler libraries
abi <abi/4.0>,
/opt/intel/oneapi/{compiler,lib,mkl}/**/ r,
/opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr,
include if exists <abstractions/oneapi.d>
# vim:syntax=apparmor


@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2009 Canonical Ltd.
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
owner @{HOME}/.recently-used.xbel rw,
owner @{HOME}/.recently-used.xbel.@{rand6} rwl,
owner @{HOME}/.recently-used.xbel.lock rwk,
owner @{user_share_dirs}/#@{int} rw,
owner @{user_share_dirs}/recently-used.xbel rw,
owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl,
owner @{user_share_dirs}/recently-used.xbel.lock rwk,
include if exists <abstractions/recently-used.d>
# vim:syntax=apparmor


@ -0,0 +1,14 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allow checking status, activating and locking the screensaver
abi <abi/4.0>,
include if exists <abstractions/bus/session/org.freedesktop.ScreenSaver>
include if exists <abstractions/bus/session/org.gnome.ScreenSaver>
include if exists <abstractions/screensaver.d>
# vim:syntax=apparmor
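Review bot: The two bus abstractions here are pulled in with `include if exists`, whereas the new notifications abstraction in this same commit uses a plain `include <abstractions/bus/session/...>` for the equivalent files. `if exists` masks a misspelled or missing path by silently granting nothing, which surfaces later as D-Bus denials rather than a parser error; if `org.freedesktop.ScreenSaver` and `org.gnome.ScreenSaver` are shipped in-tree, a plain `include` fails loudly and matches the notifications file. If they are intentionally optional, a short comment saying so would justify the difference.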


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# SQlite temporary files (hexadecimal from 12 to 16 characters)
abi <abi/4.0>,
owner /var/tmp/etilqs_@{hex12} rw,
owner /var/tmp/etilqs_@{hex12}@{h} rw,
owner /var/tmp/etilqs_@{hex12}@{hex2} rw,
owner /var/tmp/etilqs_@{hex15} rw,
owner /var/tmp/etilqs_@{hex16} rw,
owner @{tmp}/etilqs_@{hex12} rw,
owner @{tmp}/etilqs_@{hex12}@{h} rw,
owner @{tmp}/etilqs_@{hex12}@{hex2} rw,
owner @{tmp}/etilqs_@{hex15} rw,
owner @{tmp}/etilqs_@{hex16} rw,
include if exists <abstractions/sqlite.d>
# vim:syntax=apparmor


@ -0,0 +1,16 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2016-2017 Canonical Ltd
# Copyright (C) 2021-2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Communication to the system TPM chip over /dev/tpm@{int} and kernel TPM
# resource manager /dev/tpmrm@{int}
abi <abi/4.0>,
/dev/tpm@{int} rw,
/dev/tpmrm@{int} rw,
include if exists <abstractions/tpm.d>
# vim:syntax=apparmor
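Review bot: `/dev/tpm@{int} rw,` and `/dev/tpmrm@{int} rw,` are granted together, so every profile that includes this abstraction gets raw, exclusive-open access to the chip even if it only talks to the kernel resource manager. The raw node bypasses the per-client handle isolation the resource manager provides, which is why most TPM2 userland is pointed at tpmrm; the header comment should make that trade-off visible, e.g. `# /dev/tpm@{int}: raw device, exclusive access and no handle isolation; prefer /dev/tpmrm@{int} where the application supports it`. Whether any in-tree consumer actually needs the raw node is not visible from this hunk and is worth confirming before both are bundled.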


@ -0,0 +1,14 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
/etc/xdg/user-dirs.conf r,
/etc/xdg/user-dirs.defaults r,
owner @{user_config_dirs}/user-dirs.dirs r,
include if exists <abstractions/user-dirs.d>
# vim:syntax=apparmor


@ -9,9 +9,9 @@
owner @{user_share_dirs}/applications/wine/ rw,
owner @{user_share_dirs}/applications/wine/**/ rw,
owner @{tmp}/.wine-@{uid}/ rw,
owner @{tmp}/.wine-@{uid}/** rwk,
owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m,
owner @{att}/@{tmp}/.wine-@{uid}/ rw,
owner @{att}/@{tmp}/.wine-@{uid}/** rwk,
owner @{att}/@{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m,
owner /dev/shm/wine-@{hex6}-fsync rw,
owner /dev/shm/wine-@{hex6}@{h}-fsync rw,


@ -31,7 +31,7 @@ profile aa-enforce @{exec_path} {
owner /var/lib/snapd/apparmor/{,**} rw,
owner @{tmp}/@{rand8} rw,
owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
owner @{tmp}/apparmor-bugreport-@{word8}.txt rw,
@{PROC}/@{pid}/fd/ r,


@ -45,7 +45,7 @@ profile aa-notify @{exec_path} {
owner @{HOME}/.terminfo/@{int}/dumb r,
owner @{tmp}/@{word8} rw,
owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
owner @{tmp}/apparmor-bugreport-@{word8}.txt rw,
@{PROC}/ r,
@{PROC}/@{pid}/stat r,


@ -29,7 +29,7 @@ profile aa-unconfined @{exec_path} flags=(attach_disconnected) {
@{etc_ro}/inputrc r,
owner @{tmp}/@{rand8} rw,
owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
owner @{tmp}/apparmor-bugreport-@{word8}.txt rw,
owner /var/tmp/@{rand8} rw,
@{PROC}/ r,


@ -26,7 +26,7 @@ profile apparmor.systemd @{exec_path} {
@{bin}/sed rix,
@{bin}/cat rix,
@{bin}/sort rix,
@{sbin}/sysctl rix,
@{sbin}/sysctl rCx -> sysctl,
@{bin}/systemd-detect-virt rPx,
@{bin}/xargs rix,
@ -43,10 +43,19 @@ profile apparmor.systemd @{exec_path} {
@{PROC}/@{pids}/maps r,
@{PROC}/@{pids}/mounts r,
@{PROC}/mounts r,
@{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r,
/dev/tty rw,
profile sysctl {
include <abstractions/base>
@{sbin}/sysctl mr,
@{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r,
include if exists <local/apparmor.systemd_sysctl>
}
include if exists <local/apparmor.systemd>
}


@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib}
@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib}
@{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser
profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
@ -46,7 +46,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/mounts r,
deny network netlink raw, # file_inherit
deny /apparmor/.null rw,
/opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad?
include if exists <local/apparmor_parser>
}
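Review bot: The comment on `/opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad?` has a typo (`thing` → `think`) and, more importantly, does not say what is wrong or what would resolve the FIXME, so it cannot be closed. Presumably the point is that a vendor ships its own profile outside the standard profile directory and invokes the system parser on it; suggest `# FIXME: Mullvad ships its own profile under /opt instead of /etc/apparmor.d; drop this rule once it is packaged normally — confirm`. The profile body continues outside the hunk.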


@ -30,7 +30,6 @@ profile apt-overlay @{exec_path} {
/root/ r,
owner @{PROC}/@{pids}/loginuid r,
owner @{PROC}/@{pids}/maps r,
include if exists <local/apt-overlay>
}


@ -25,7 +25,7 @@ profile debconf-frontend @{exec_path} flags=(complain) {
@{bin}/stty ix,
@{sbin}/update-secureboot-policy Px,
# debconf apps
# Debconf apps
@{bin}/adequate Px,
@{bin}/debconf-apt-progress Px,
@{bin}/linux-check-removal Px,
@ -49,6 +49,8 @@ profile debconf-frontend @{exec_path} flags=(complain) {
@{lib}/dkms/dkms-* rPUx,
@{lib}/dkms/dkms_* rPUx,
/etc/libpaper.d/texlive-base rPUx,
/usr/share/debconf/{,**} r,
/etc/inputrc r,


@ -11,6 +11,8 @@ profile dpkg-script-linux @{exec_path} {
include <abstractions/base>
include <abstractions/common/debconf>
capability dac_read_search,
@{exec_path} mrix,
@{bin}/cat ix,
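Review bot: `capability dac_read_search,` is added with no comment, and it is one of the broad ones — it lets the confined scripts read and traverse any file regardless of mode bits, so the reason should be recorded next to it. A trailing note such as `capability dac_read_search, # <which maintainer-script step triggers it — TODO confirm>` lets a later reviewer check whether a narrower file rule would do instead. The profile body continues outside the hunk.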


@ -48,6 +48,7 @@ profile dpkg-scripts @{exec_path} {
@{sbin}/ldconfig.real Cx -> ldconfig,
@{sbin}/update-rc.d Cx -> rc,
#aa:lint ignore=too-wide
# Maintainer scripts can legitimately start/restart anything
# PU is only used as a safety fallback.
@{bin}/** PUx,
@ -75,6 +76,7 @@ profile dpkg-scripts @{exec_path} {
@{run}/** rw,
@{efi}/grub/* rw,
/tmp/fmtutil.@{rand8} rw,
/tmp/grub.@{rand10} rw,
/tmp/sed@{rand6} rw,
/tmp/tmp.@{rand10} rw,
@ -167,6 +169,7 @@ profile dpkg-scripts @{exec_path} {
/usr/local/ r,
/usr/local/lib/ r,
/var/cache/ldconfig/ rw,
owner /var/cache/ldconfig/aux-cache* rw,
include if exists <local/dpkg-scripts_ldconfig>


@ -61,8 +61,8 @@ profile reportbug @{exec_path} {
/usr/share/bug/*/{control,presubj} r,
#aa:lint ignore=too-wide
/etc/** r,
/etc/reportbug.conf r,
owner @{HOME}/ r, # For shell pwd
owner @{HOME}/.reportbugrc{,~} rw,


@ -52,9 +52,11 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
@{bin}/touch ix,
@{bin}/uname ix,
@{bin}/dpkg-deb px,
@{bin}/apt-listchanges Px,
@{bin}/df Px,
@{bin}/dmesg Px,
@{bin}/dpkg Px,
@{bin}/dpkg-deb px,
@{bin}/dpkg-divert Px,
@{bin}/etckeeper Px,
@{bin}/ischroot Px,
@ -90,7 +92,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
/etc/pki/fwupd/{,**} r,
/etc/profile.d/* r,
/etc/ssh/moduli r,
/etc/ssh/ssh_config r,
@{etc_ro}/ssh/sshd_config r,
@{etc_ro}/ssh/sshd_config.d/{,*} r,
/etc/ufw/{,**} r,
/etc/update-manager/{,**} r,
/etc/update-motd.d/{,**} r,
@ -98,7 +101,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
/etc/vmware-tools/{,**} r,
/var/log/unattended-upgrades/{,**} rw,
/var/crash/*.crash w,
/var/crash/*.crash rw,
/var/lib/apt/periodic/unattended-upgrades-stamp w,
/var/lib/dpkg/info/{,*} r,
@ -112,8 +115,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
/var/lib/apt/lists/ rw,
/var/lib/apt/lists/partial/ rw,
/var/lib/apt/periodic/ w,
/var/log/apt/{term,history}.log w,
/var/log/apt/eipp.log.xz w,
/var/log/apt/*.log* rw,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
owner @{run}/unattended-upgrades.lock rwk,
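Review bot: `/var/log/apt/*.log* rw,` replaces two write-only rules on named files (`/var/log/apt/{term,history}.log w,` and `/var/log/apt/eipp.log.xz w,`) with read+write on everything matching `*.log*`, which also covers rotated and compressed logs. If the new requirement is only to read back the current term/history logs, the tighter form is `/var/log/apt/{term,history}.log rw,` plus `/var/log/apt/eipp.log.xz w,`; if reads on rotated logs really are needed, a comment saying which code path does it would justify the glob. The hunk at `-98,7 +101,7` likewise widens `/var/crash/*.crash w,` to `rw` without saying why the upgrader reads crash reports; the same kind of one-line note would help there. The profile body starts and ends outside these hunks.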


@ -11,6 +11,7 @@ include <tunables/global>
profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/fonts>
include <abstractions/nameservice-strict>
include <abstractions/python>


@ -10,8 +10,9 @@ include <tunables/global>
@{exec_path} = @{lib}/bluetooth/obexd
profile obexd @{exec_path} {
include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/ca.desrt.dconf.Writer>
include <abstractions/user-download-strict>
network bluetooth stream,
@ -24,6 +25,11 @@ profile obexd @{exec_path} {
member=Release
peer=(name=:*, label="@{p_bluetoothd}"),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=@{busname}, label=gnome-shell),
@{exec_path} mr,
owner @{user_cache_dirs}/ rw,


@ -18,7 +18,7 @@ profile brave @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/app/chromium>
unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler),
# unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler),
signal receive peer=brave//&brave-crashpad-handler,
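Review bot: Commenting out `unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler),` leaves a dead rule with no explanation, while the `signal receive peer=brave//&brave-crashpad-handler,` rule right after it still assumes the crashpad child exists. Either delete the line or state why it is disabled, e.g. `# Disabled: <reason, e.g. the handler no longer uses a unix stream socket> — TODO confirm`, so the next reader knows whether to restore it when crash reporting is debugged. The profile body continues outside the hunk.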


@ -45,6 +45,7 @@ profile chromium-wrapper @{exec_path} flags=(attach_disconnected) {
# Silencer
deny @{user_share_dirs}/gvfs-metadata/* r,
deny @{user_share_dirs}/gnome-shell/session.gvdb rw,
include if exists <local/chromium-wrapper>
}


@ -12,6 +12,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) {
include <abstractions/audio-server>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.GeoClue2>
include <abstractions/camera>
include <abstractions/common/bwrap>
include <abstractions/common/gnome>
include <abstractions/gstreamer>
@ -61,8 +62,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) {
deny @{user_share_dirs}/gvfs-metadata/* r,
/dev/video@{int} rw,
include if exists <local/epiphany>
}


@ -21,6 +21,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
signal send set=(term, kill) peer=firefox//&keepassxc-proxy,
unix type=seqpacket addr=@gecko-crash-helper-pipe.@{int},
unix type=seqpacket peer=(label=firefox-crashhelper),
#aa:dbus own bus=session name=org.mozilla.firefox
#aa:dbus own bus=session name=org.mpris.MediaPlayer2.firefox path=/org/mpris/MediaPlayer2
@ -46,9 +49,10 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
@{open_path} rPx -> child-open,
# Common extensions
@{bin}/browserpass rPx,
@{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy,
@{lib}/browserpass/browserpass-native rPx,
/opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx,
@{bin}/browserpass rPx,
@{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy,
owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r,
owner @{user_config_dirs}/ibus/bus/ r,
@ -64,9 +68,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/@{rand8}.* rw, # file downloads (to anywhere)
owner @{tmp}/@{uuid}.zip{,.tmp} rw,
owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk,
owner @{tmp}/mozilla* rw,
owner @{tmp}/mozilla*/ rw,
owner @{tmp}/mozilla*/* rwk,
owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-{@{hex15},@{hex16}} rwk,
owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/.parentlock k,
owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/{**,} rw,


@ -15,11 +15,16 @@ include <tunables/global>
profile firefox-crashhelper @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
unix type=seqpacket peer=(label=firefox),
@{exec_path} mr,
owner "@{config_dirs}/firefox/Crash Reports/" rw,
owner "@{config_dirs}/firefox/Crash Reports/crash_helper_server.log" rw,
# file_inherit
deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
include if exists <local/firefox-crashhelper>
}


@ -16,11 +16,13 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/X-strict>
include <abstractions/wayland>
include <abstractions/X-strict>
@{exec_path} mr,
/ r,
owner @{cache_dirs}/firefox/*/startupCache/scriptCache-* r,
owner @{cache_dirs}/firefox/*/startupCache/startupCache* r,


@ -27,16 +27,11 @@ profile firefox-kmozillahelper @{exec_path} {
/usr/share/kservices{5,6}/{,**} r,
/etc/xdg/menus/ r,
/etc/xdg/menus/applications-merged/ r,
owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
owner @{user_config_dirs}/kmozillahelperrc r,
owner @{user_config_dirs}/kmozillahelperrc.@{rand6} rwl,
owner @{user_config_dirs}/menus/ r,
owner @{user_config_dirs}/menus/applications-merged/ r,
owner @{user_share_dirs}/kservices5/ r,
owner @{user_share_dirs}/kservices5/searchproviders/ r,
