felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): improve integration with ubuntu.

Browse source
This commit is contained in:
Alexandre Pujol 2025-08-10 19:00:42 +02:00
parent 526a7e704c
commit 67c9e86d83
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
20 changed files with 48 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

7
apparmor.d/groups/apt/dpkg-script-apparmor
View file

@ -11,6 +11,8 @@ profile dpkg-script-apparmor @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/common/debconf> include <abstractions/common/debconf>
capability dac_read_search,
@{exec_path} mrix, @{exec_path} mrix,
@{bin}/{,e}grep ix, @{bin}/{,e}grep ix,
@ -43,11 +45,16 @@ profile dpkg-script-apparmor @{exec_path} {
capability net_admin, capability net_admin,
capability sys_resource, capability sys_resource,
capability dac_override,
capability dac_read_search,
signal send set=(cont term) peer=systemd-tty-ask-password-agent, signal send set=(cont term) peer=systemd-tty-ask-password-agent,
@{bin}/systemd-tty-ask-password-agent rix, @{bin}/systemd-tty-ask-password-agent rix,
@{run}/user/@{uid}/systemd/ask-password/ rw,
@{run}/user/@{uid}/systemd/ask-password-block/{,*} rw,
owner @{run}/systemd/ask-password/ rw, owner @{run}/systemd/ask-password/ rw,
owner @{run}/systemd/ask-password-block/{,*} rw, owner @{run}/systemd/ask-password-block/{,*} rw,

6
apparmor.d/groups/cups/cups-browsed
View file

@ -16,9 +16,9 @@ profile cups-browsed @{exec_path} {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/p11-kit> include <abstractions/p11-kit>
capability net_admin, # capability net_admin,
capability net_bind_service, capability net_bind_service,
capability sys_nice, # capability sys_nice,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
@ -43,6 +43,8 @@ profile cups-browsed @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{bin}/ippfind rPx,
/usr/share/cups/locale/{,**} r, /usr/share/cups/locale/{,**} r,
/etc/cups/{,**} r, /etc/cups/{,**} r,

3
apparmor.d/groups/cups/cupsd
View file

@ -29,7 +29,9 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
capability setuid, capability setuid,
capability wake_alarm, capability wake_alarm,
network inet dgram,
network inet stream, network inet stream,
network inet6 dgram,
network inet6 stream, network inet6 stream,
network appletalk dgram, network appletalk dgram,
@ -99,6 +101,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
@{run}/cups/{,**} rw, @{run}/cups/{,**} rw,
@{run}/systemd/notify w, @{run}/systemd/notify w,
@{run}/avahi-daemon/socket rw,
@{sys}/module/apparmor/parameters/enabled r, @{sys}/module/apparmor/parameters/enabled r,

4
apparmor.d/groups/gnome/gdm-generate-config
View file

@ -25,8 +25,8 @@ profile gdm-generate-config @{exec_path} {
@{sh_path} rix, @{sh_path} rix,
@{bin}/dconf rix, @{bin}/dconf rix,
@{bin}/install rix, @{bin}/install rix,
@{bin}/pgrep rCx -> pgrep, @{bin}/pgrep rCx -> &pgrep,
@{bin}/pkill rCx -> pgrep, @{bin}/pkill rCx -> &pgrep,
@{bin}/setpriv rix, @{bin}/setpriv rix,
@{bin}/setsid rix, @{bin}/setsid rix,

2
apparmor.d/groups/gnome/gnome-terminal-server
View file

@ -38,6 +38,8 @@ profile gnome-terminal-server @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{lib}/gnome-terminal-preferences ix,
# The shell is not confined on purpose. # The shell is not confined on purpose.
@{bin}/@{shells} Ux, @{bin}/@{shells} Ux,

1
apparmor.d/groups/gnome/papers
View file

@ -26,6 +26,7 @@ profile papers @{exec_path} {
owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw,
owner @{tmp}/papers-@{int}/{,**} rw,
owner @{tmp}/gtkprint_@{rand6} rw, owner @{tmp}/gtkprint_@{rand6} rw,
owner @{tmp}/gtkprint@{rand6} rw, owner @{tmp}/gtkprint@{rand6} rw,

1
apparmor.d/groups/systemd/systemd-coredump
View file

@ -35,6 +35,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
@{bin}/* r, @{bin}/* r,
@{sbin}/* r, @{sbin}/* r,
/opt/** r, /opt/** r,
/usr/share/*/** r,
@{user_lib_dirs}/** r, @{user_lib_dirs}/** r,
/etc/systemd/coredump.conf r, /etc/systemd/coredump.conf r,

10
apparmor.d/groups/systemd/systemd-logind
View file

@ -136,11 +136,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
@{PROC}/sysvipc/{shm,sem,msg} r, @{PROC}/sysvipc/{shm,sem,msg} r,
owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/fdinfo/@{int} r,
/dev/dri/card@{int} rw, /dev/dri/card@{int} rw,
/dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc)
/dev/mqueue/ r, /dev/mqueue/ r,
/dev/tty@{int} rw, /dev/tty@{int} rw,
owner /dev/shm/{,**/} rw, /dev/shm/{,**/} rw,
include if exists <local/systemd-logind> include if exists <local/systemd-logind>
} }

1
apparmor.d/groups/systemd/systemd-sleep-hdparm
View file

@ -11,6 +11,7 @@ profile systemd-sleep-hdparm @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} mr, @{exec_path} mr,
@{sh_path} r,
include if exists <local/systemd-sleep-hdparm> include if exists <local/systemd-sleep-hdparm>
} }

6
apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders
View file

@ -18,8 +18,10 @@ profile gdk-pixbuf-query-loaders @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{lib}/gdk-pixbuf-[0-9].@{int}/{,*}/loaders.cache.* rw, @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/ w,
@{lib}/gdk-pixbuf-[0-9].@{int}/*/loaders.cache rw, @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/loaders.cache w,
@{lib}/gdk-pixbuf-@{version}/{,*}/loaders.cache.* rw,
@{lib}/gdk-pixbuf-@{version}/@{version}/loaders.cache rw,
/usr/share/gvfs/remote-volume-monitors/{,**} r, /usr/share/gvfs/remote-volume-monitors/{,**} r,

2
apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer
View file

@ -10,6 +10,8 @@ include <tunables/global>
profile gdk-pixbuf-thumbnailer @{exec_path} { profile gdk-pixbuf-thumbnailer @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} mr,
include if exists <local/gdk-pixbuf-thumbnailer> include if exists <local/gdk-pixbuf-thumbnailer>
} }

5
apparmor.d/profiles-g-l/git
View file

@ -115,6 +115,8 @@ profile git @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/.git_vtag_tmp@{rand6} r, owner @{tmp}/.git_vtag_tmp@{rand6} r,
owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw,
deny @{user_share_dirs}/gvfs-metadata/* r, deny @{user_share_dirs}/gvfs-metadata/* r,
include if exists <local/git_gpg> include if exists <local/git_gpg>
@ -138,13 +140,14 @@ profile git @{exec_path} flags=(attach_disconnected) {
@{etc_ro}/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/ssh_config.d/{,*} r,
@{etc_ro}/ssh/ssh_config r, @{etc_ro}/ssh/ssh_config r,
owner @{HOME}/@{XDG_SSH_DIR}/* r, owner @{HOME}/@{XDG_SSH_DIR}/{,*} r,
owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl,
owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw,
owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_* rwl, owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_* rwl,
owner @{tmp}/git@*:@{int} rwl -> @{tmp}/git@*:@{int}.*, owner @{tmp}/git@*:@{int} rwl -> @{tmp}/git@*:@{int}.*,
owner @{tmp}/ssh-*/agent.@{int} rw, owner @{tmp}/ssh-*/agent.@{int} rw,
owner @{run}/user/@{uid}/keyring/ssh rw,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,

4
apparmor.d/profiles-g-l/gitstatusd
View file

@ -6,12 +6,14 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /usr/share/zsh-theme-powerlevel@{int}k/gitstatus/usrbin/gitstatusd{,-*} @{exec_path} = @{user_cache_dirs}/gitstatus/gitstatusd{,-*}
@{exec_path} += /usr/share/zsh-theme-powerlevel{9,10}k/gitstatus/usrbin/gitstatusd{,-*}
profile gitstatusd @{exec_path} { profile gitstatusd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
signal receive set=term peer=*//shell, signal receive set=term peer=*//shell,
signal receive set=term peer=vscode,
@{exec_path} mr, @{exec_path} mr,

5
apparmor.d/profiles-g-l/host
View file

@ -22,10 +22,11 @@ profile host @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
owner @{PROC}/@{pids}/task/@{tid}/comm rw,
@{sys}/kernel/mm/transparent_hugepage/enabled r, @{sys}/kernel/mm/transparent_hugepage/enabled r,
@{PROC}/version_signature r,
owner @{PROC}/@{pids}/task/@{tid}/comm rw,
include if exists <local/host> include if exists <local/host>
} }

1
apparmor.d/profiles-g-l/language-validate
View file

@ -18,7 +18,6 @@ profile language-validate @{exec_path} flags=(attach_disconnected) {
@{bin}/{,e}grep rix, @{bin}/{,e}grep rix,
@{bin}/locale rix, @{bin}/locale rix,
/usr/share/locale-langpack/{,*} r,
/usr/share/language-tools/{,*} r, /usr/share/language-tools/{,*} r,
include if exists <local/language-validate> include if exists <local/language-validate>

1
apparmor.d/profiles-m-r/on-ac-power
View file

@ -18,6 +18,7 @@ profile on-ac-power @{exec_path} {
@{bin}/cat rix, @{bin}/cat rix,
@{sys}/class/power_supply/ r, @{sys}/class/power_supply/ r,
@{sys}/class/typec/ r,
@{sys}/devices/**/power_supply/**/{online,type} r, @{sys}/devices/**/power_supply/**/{online,type} r,
@{PROC}/pmu/info r, @{PROC}/pmu/info r,

1
apparmor.d/profiles-m-r/pass
View file

@ -146,6 +146,7 @@ profile pass @{exec_path} {
owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**,
owner /dev/shm/pass.@{rand}/* rw, owner /dev/shm/pass.@{rand}/* rw,
owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw,
owner /dev/pts/@{int} rw, owner /dev/pts/@{int} rw,

2
apparmor.d/profiles-s-z/spotify
View file

@ -8,7 +8,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{name} = spotify @{name} = spotify
@{lib_dirs} = /opt/spotify/ @{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/
@{config_dirs} = @{user_config_dirs}/@{name} @{config_dirs} = @{user_config_dirs}/@{name}
@{cache_dirs} = @{user_cache_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name}

5
apparmor.d/profiles-s-z/sysstat-sadc
View file

@ -24,10 +24,9 @@ profile sysstat-sadc @{exec_path} {
@{sys}/class/fc_host/ r, @{sys}/class/fc_host/ r,
@{sys}/class/hwmon/ r, @{sys}/class/hwmon/ r,
@{sys}/class/i2c-adapter/ r, @{sys}/class/i2c-adapter/ r,
@{sys}/devices/@{pci}/hwmon/hwmon@{int}/ r,
@{sys}/devices/@{pci}/hwmon/hwmon@{int}/name r,
@{sys}/devices/@{pci}/net/*/duplex r, @{sys}/devices/@{pci}/net/*/duplex r,
@{sys}/devices/**/i2c-*/name r, @{sys}/devices/**/hwmon@{int}/ r,
@{sys}/devices/**/name r,
@{sys}/devices/**/net/*/duplex r, @{sys}/devices/**/net/*/duplex r,
@{sys}/devices/**/net/*/speed r, @{sys}/devices/**/net/*/speed r,
@{sys}/devices/virtual/net/*/duplex r, @{sys}/devices/virtual/net/*/duplex r,

3
apparmor.d/profiles-s-z/thermald
View file

@ -24,8 +24,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
/etc/thermald/{,*} r, /etc/thermald/{,*} r,
owner @{run}/thermald/ rw, owner @{run}/thermald/ rw,
owner @{run}/thermald/thd_preference.conf rw, owner @{run}/thermald/** rw,
owner @{run}/thermald/thd_preference.conf.save w,
owner @{run}/thermald/thermald.pid rwk, owner @{run}/thermald/thermald.pid rwk,
@{sys}/class/hwmon/ r, @{sys}/class/hwmon/ r,