Merge branch 'roddhjav:main' into kerberos-utils
6c1d7404ce
491 changed files with 3430 additions and 1166 deletions
7
.github/workflows/main.yml
vendored
|
|
@ -47,11 +47,6 @@ jobs:
|
|||
if [[ ${{ matrix.mode }} == full-system-policy ]]; then
|
||||
sed -e "s/just complain/just fsp-complain/" -i debian/rules
|
||||
fi
|
||||
if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then
|
||||
# Test with Re-attach disconnected path
|
||||
sed -e 's;// builder.Register("attach");builder.Register("attach");' -i pkg/prebuild/cli/cli.go
|
||||
sed -e '/@{att}/d' -i apparmor.d/tunables/multiarch.d/system
|
||||
fi
|
||||
bash dists/build.sh dpkg
|
||||
|
||||
- name: Install apparmor.d
|
||||
|
|
@ -83,7 +78,7 @@ jobs:
|
|||
tests:
|
||||
runs-on: ubuntu-24.04
|
||||
needs: build
|
||||
if: github.ref == 'refs/heads/dev'
|
||||
if: github.ref_name == 'dev' || github.event_name == 'workflow_dispatch'
|
||||
steps:
|
||||
- name: Check out repository code
|
||||
uses: actions/checkout@v4
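Review bot: The new gate on the `tests` job, `if: github.ref_name == 'dev' || github.event_name == 'workflow_dispatch'`, matches by short ref name, so a tag named `dev` satisfies it too, whereas the replaced `github.ref == 'refs/heads/dev'` pinned the branch. If branch-only is intended, `if: github.ref == 'refs/heads/dev' || github.event_name == 'workflow_dispatch'` keeps the old precision while still allowing manual runs. Which of the two `if:` lines is the new one is inferred from the 7/7 hunk counts and print order, so confirm against the rendered diff.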
|
||||
|
|
|
|||
1
.gitignore
vendored
|
|
@ -1,6 +1,7 @@
|
|||
# Build
|
||||
.build
|
||||
.logs
|
||||
.pkg
|
||||
tests/tldr
|
||||
tests/tldr.tar.gz
|
||||
|
||||
|
|
|
|||
37
Justfile
|
|
@ -5,7 +5,7 @@
|
|||
# Usage: `just`
|
||||
# See https://apparmor.pujol.io/development/ for more information.
|
||||
|
||||
# Build setings
|
||||
# Build settings
|
||||
destdir := "/"
|
||||
build := ".build"
|
||||
pkgdest := `pwd` / ".pkg"
|
||||
|
|
@ -63,27 +63,27 @@ build:
|
|||
[group('build')]
|
||||
[doc('Prebuild the profiles in enforced mode')]
|
||||
enforce: build
|
||||
@./{{build}}/prebuild
|
||||
@./{{build}}/prebuild --buildir {{build}}
|
||||
|
||||
[group('build')]
|
||||
[doc('Prebuild the profiles in complain mode')]
|
||||
complain: build
|
||||
@./{{build}}/prebuild --complain
|
||||
./{{build}}/prebuild --buildir {{build}} --complain
|
||||
|
||||
[group('build')]
|
||||
[doc('Prebuild the profiles in FSP mode')]
|
||||
fsp: build
|
||||
@./{{build}}/prebuild --full
|
||||
@./{{build}}/prebuild --buildir {{build}} --full
|
||||
|
||||
[group('build')]
|
||||
[doc('Prebuild the profiles in FSP mode (complain)')]
|
||||
fsp-complain: build
|
||||
@./{{build}}/prebuild --complain --full
|
||||
@./{{build}}/prebuild --buildir {{build}} --complain --full
|
||||
|
||||
[group('build')]
|
||||
[doc('Prebuild the profiles in FSP mode (debug)')]
|
||||
fsp-debug: build
|
||||
@./{{build}}/prebuild --complain --full --debug
|
||||
@./{{build}}/prebuild --buildir {{build}} --complain --full --debug
|
||||
|
||||
[group('install')]
|
||||
[doc('Install prebuild profiles')]
|
||||
|
|
@ -251,7 +251,7 @@ create dist flavor:
|
|||
--memorybacking source.type=memfd,access.mode=shared \
|
||||
--disk path={{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2,format=qcow2,bus=virtio \
|
||||
--filesystem "`pwd`,0a31bc478ef8e2461a4b1cc10a24cc4",accessmode=passthrough,driver.type=virtiofs \
|
||||
--os-variant "`just get_osinfo {{dist}}`" \
|
||||
--os-variant "`just _get_osinfo {{dist}}`" \
|
||||
--graphics spice \
|
||||
--audio id=1,type=spice \
|
||||
--sound model=ich9 \
|
||||
|
|
@ -282,18 +282,18 @@ destroy dist flavor:
|
|||
[group('vm')]
|
||||
[doc('Connect to the machine')]
|
||||
ssh dist flavor:
|
||||
@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}`
|
||||
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}`
|
||||
|
||||
[group('vm')]
|
||||
[doc('Mount the shared directory on the machine')]
|
||||
mount dist flavor:
|
||||
@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
|
||||
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
|
||||
sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4'
|
||||
|
||||
[group('vm')]
|
||||
[doc('Unmout the shared directory on the machine')]
|
||||
umount dist flavor:
|
||||
@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
|
||||
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
|
||||
sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true'
|
||||
|
||||
[group('vm')]
|
||||
|
|
@ -307,6 +307,7 @@ list:
|
|||
images:
|
||||
#!/usr/bin/env bash
|
||||
set -eu -o pipefail
|
||||
mkdir -p {{base_dir}}
|
||||
ls -lh {{base_dir}} | awk '
|
||||
BEGIN {
|
||||
printf("{{BOLD}}%-18s %-10s %-5s %s{{NORMAL}}\n", "Distribution", "Flavor", "Size", "Date")
|
||||
|
|
@ -343,19 +344,19 @@ init:
|
|||
|
||||
[group('tests')]
|
||||
[doc('Run the integration tests')]
|
||||
integration:
|
||||
bats --recursive --timing --print-output-on-failure tests/integration
|
||||
integration name="":
|
||||
bats --recursive --timing --print-output-on-failure tests/integration/{{name}}
|
||||
|
||||
[group('tests')]
|
||||
[doc('Install dependencies for the integration tests (machine)')]
|
||||
tests-init dist flavor:
|
||||
@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
|
||||
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
|
||||
just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init
|
||||
|
||||
[group('tests')]
|
||||
[doc('Synchronize the integration tests (machine)')]
|
||||
tests-sync dist flavor:
|
||||
@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
|
||||
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
|
||||
rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/
|
||||
|
||||
[group('tests')]
|
||||
|
|
@ -367,18 +368,16 @@ tests-resync dist flavor: (mount dist flavor) \
|
|||
[group('tests')]
|
||||
[doc('Run the integration tests (machine)')]
|
||||
tests-run dist flavor name="": (tests-resync dist flavor)
|
||||
ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
|
||||
ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
|
||||
bats --recursive --pretty --timing --print-output-on-failure \
|
||||
/home/{{username}}/Projects/tests/integration/{{name}}
|
||||
|
||||
[private]
|
||||
get_ip dist flavor:
|
||||
_get_ip dist flavor:
|
||||
@virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \
|
||||
head -1 | \
|
||||
grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}'
|
||||
|
||||
[private]
|
||||
get_osinfo dist:
|
||||
_get_osinfo dist:
|
||||
#!/usr/bin/env python3
|
||||
osinfo = {
|
||||
"archlinux": "archlinux",
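Review bot: In the `complain` recipe (hunk `@ -63,27 +63,27 @@`) the new line `./{{build}}/prebuild --buildir {{build}} --complain` drops the leading `@` that every sibling recipe (`enforce`, `fsp`, `fsp-complain`, `fsp-debug`) keeps, so `just complain` will echo its command where the others stay quiet. Restore it as `@./{{build}}/prebuild --buildir {{build}} --complain` for consistency. The `_get_osinfo` recipe at the end of the last hunk continues outside the hunk.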
|
||||
|
|
|
|||
30
apparmor.d/abstractions/amdgpu
Normal file
|
|
@ -0,0 +1,30 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Kernel Fusion Driver for AMD GPUs
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r,
|
||||
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r,
|
||||
|
||||
@{sys}/devices/virtual/kfd/kfd/dev r,
|
||||
@{sys}/devices/virtual/kfd/kfd/topology/ r,
|
||||
@{sys}/devices/virtual/kfd/kfd/topology/generation_id r,
|
||||
@{sys}/devices/virtual/kfd/kfd/topology/nodes/ r,
|
||||
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r,
|
||||
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/caches/@{int}/properties r,
|
||||
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/gpu_id r,
|
||||
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/io_links/@{int}/properties r,
|
||||
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/mem_banks/@{int}/properties r,
|
||||
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r,
|
||||
@{sys}/devices/virtual/kfd/kfd/topology/system_properties r,
|
||||
@{sys}/devices/virtual/kfd/kfd/uevent r,
|
||||
@{sys}/module/amdgpu/initstate r,
|
||||
|
||||
/dev/kfd rw,
|
||||
|
||||
include if exists <abstractions/amdgpu.d>
|
||||
|
||||
# vim:syntax=apparmor
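Review bot: The new abstraction lists `@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r,` and `@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r,` twice: once directly under the `abi` line and again inside the sorted block below (`nodes/@{int}/ r,` before the `caches/` rule, `properties r,` before `system_properties`). Dropping the first pair leaves the permitted set unchanged and keeps the file sorted like the other abstractions. The header reports 30 lines and 30 are shown, so the duplication is in the file rather than a rendering artefact.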
|
||||
|
|
@ -25,20 +25,20 @@
|
|||
include <abstractions/bus/org.bluez>
|
||||
include <abstractions/bus/org.freedesktop.Avahi>
|
||||
include <abstractions/bus/org.freedesktop.FileManager1>
|
||||
include <abstractions/bus/org.freedesktop.Notifications>
|
||||
include <abstractions/bus/org.freedesktop.ScreenSaver>
|
||||
include <abstractions/bus/org.freedesktop.secrets>
|
||||
include <abstractions/bus/org.freedesktop.UPower>
|
||||
include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
|
||||
include <abstractions/bus/org.gnome.ScreenSaver>
|
||||
include <abstractions/bus/org.gnome.SessionManager>
|
||||
include <abstractions/bus/org.kde.kwalletd>
|
||||
include <abstractions/common/chromium>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/devices-usb>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/notifications>
|
||||
include <abstractions/screensaver>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/thumbnails-cache-read>
|
||||
include <abstractions/uim>
|
||||
|
|
@ -46,14 +46,6 @@
|
|||
include <abstractions/user-read-strict>
|
||||
include <abstractions/video>
|
||||
|
||||
userns,
|
||||
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
capability sys_admin,
|
||||
capability sys_chroot,
|
||||
capability sys_ptrace,
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network inet stream,
|
||||
|
|
@ -112,21 +104,12 @@
|
|||
/etc/fstab r,
|
||||
/etc/{,opensc/}opensc.conf r,
|
||||
|
||||
/var/lib/dbus/machine-id r,
|
||||
/etc/machine-id r,
|
||||
|
||||
/ r,
|
||||
owner @{HOME}/ r,
|
||||
|
||||
owner @{HOME}/.pki/ rw,
|
||||
owner @{HOME}/.pki/nssdb/ rw,
|
||||
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
|
||||
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
|
||||
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
|
||||
|
||||
owner @{user_cache_dirs}/gtk-3.0/**/*.cache r,
|
||||
owner @{user_config_dirs}/gtk-3.0/servers r,
|
||||
owner @{user_share_dirs}/.@{domain}.@{rand6} rw,
|
||||
|
||||
owner @{user_share_dirs}/icons/hicolor/.xdg-icon-resource-dummy w,
|
||||
|
||||
owner @{config_dirs}/ rw,
|
||||
|
|
@ -151,10 +134,7 @@
|
|||
|
||||
/tmp/ r,
|
||||
/var/tmp/ r,
|
||||
owner @{tmp}/.@{domain}.@{rand6} rw,
|
||||
owner @{tmp}/.@{domain}.@{rand6}/{,**} rw,
|
||||
owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw,
|
||||
owner @{tmp}/scoped_dir@{rand6}/{,**} rw,
|
||||
owner @{tmp}/tmp.@{rand10} rw,
|
||||
owner @{tmp}/tmp.@{rand6} rw,
|
||||
owner @{tmp}/tmp.@{rand6}/ rw,
|
||||
|
|
@ -163,9 +143,6 @@
|
|||
owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw,
|
||||
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw,
|
||||
|
||||
/dev/shm/ r,
|
||||
owner /dev/shm/.@{domain}.@{rand6} rw,
|
||||
|
||||
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
|
||||
|
||||
@{sys}/bus/ r,
|
||||
|
|
@ -175,10 +152,7 @@
|
|||
@{sys}/devices/@{pci}/boot_vga r,
|
||||
@{sys}/devices/@{pci}/report_descriptor r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/system/cpu/kernel_max r,
|
||||
@{sys}/devices/virtual/**/report_descriptor r,
|
||||
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_name} r,
|
||||
@{sys}/devices/virtual/tty/tty@{int}/active r,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
|
|
@ -192,18 +166,15 @@
|
|||
owner @{PROC}/@{pid}/clear_refs w,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/environ r,
|
||||
owner @{PROC}/@{pid}/gid_map w,
|
||||
owner @{PROC}/@{pid}/limits r,
|
||||
owner @{PROC}/@{pid}/mem r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
|
||||
owner @{PROC}/@{pid}/setgroups w,
|
||||
owner @{PROC}/@{pid}/smaps_rollup r,
|
||||
owner @{PROC}/@{pid}/task/ r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||
owner @{PROC}/@{pid}/uid_map w,
|
||||
|
||||
/dev/ r,
|
||||
/dev/hidraw@{int} rw,
|
||||
|
|
|
|||
|
|
@ -12,9 +12,10 @@
|
|||
@{sh_path} rix,
|
||||
@{bin}/nvim mrix,
|
||||
@{bin}/sensible-editor mr,
|
||||
@{bin}/vim{,.*} mrix,
|
||||
@{bin}/vim* mrix,
|
||||
@{bin}/which{,.debianutils} rix,
|
||||
|
||||
/usr/share/doc/{,**} r,
|
||||
/usr/share/nvim/{,**} r,
|
||||
/usr/share/terminfo/** r,
|
||||
/usr/share/vim/{,**} r,
|
||||
|
|
@ -24,8 +25,9 @@
|
|||
/etc/xdg/nvim/* r,
|
||||
|
||||
owner @{HOME}/.selected_editor r,
|
||||
owner @{HOME}/.viminf@{c}{,.tmp} rw,
|
||||
owner @{HOME}/.vim/{after/,}spell/{,**} rw,
|
||||
owner @{HOME}/.vim/** r,
|
||||
owner @{HOME}/.viminf@{c}{,.tmp} rw,
|
||||
owner @{HOME}/.vimrc r,
|
||||
|
||||
owner @{HOME}/ r,
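Review bot: `@{bin}/vim* mrix,` in the first hunk (`@ -12,9 +12,10 @@`) appears to replace `@{bin}/vim{,.*} mrix,`; the bare `*` widens the inheritable exec from the `vim.<variant>` alternatives to anything in `@{bin}` whose name starts with `vim`, wrapper scripts such as `vimtutor` included. If only the alternatives are wanted, keep the narrower `@{bin}/vim{,.*} mrix,`; if the wider match is intended, a short comment above the rule saying so would help the next reviewer. The section's file header is not rendered on this page, so the file name cannot be confirmed from here.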
|
||||
|
|
|
|||
|
|
@ -21,8 +21,9 @@
|
|||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/bus/org.freedesktop.FileManager1>
|
||||
include <abstractions/bus/org.freedesktop.NetworkManager>
|
||||
include <abstractions/bus/org.freedesktop.timedate1>
|
||||
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
||||
include <abstractions/bus/org.freedesktop.RealtimeKit1>
|
||||
include <abstractions/bus/org.freedesktop.timedate1>
|
||||
include <abstractions/cups-client>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/desktop>
|
||||
|
|
@ -98,8 +99,12 @@
|
|||
/var/tmp/ r,
|
||||
owner @{tmp}/@{name}/ rw,
|
||||
owner @{tmp}/@{name}/* rwk,
|
||||
owner @{tmp}/@{rand6}.tmp rw,
|
||||
owner @{tmp}/firefox/ rw,
|
||||
owner @{tmp}/firefox/* rwk,
|
||||
owner @{tmp}/mozilla* rw,
|
||||
owner @{tmp}/mozilla*/ rw,
|
||||
owner @{tmp}/mozilla*/* rwk,
|
||||
owner @{tmp}/remote-settings-startup-bundle- rw,
|
||||
owner @{tmp}/remote-settings-startup-bundle-.tmp rw,
|
||||
owner @{tmp}/Temp-@{uuid}/ rw,
|
||||
|
|
|
|||
|
|
@ -7,6 +7,8 @@
|
|||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
||||
include <abstractions/desktop>
|
||||
|
||||
# We cannot use `@{open_path} mrix,` here because it includes:
|
||||
|
|
@ -30,11 +32,9 @@
|
|||
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/bus-accessibility>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/graphics>
|
||||
|
||||
/etc/xdg/menus/ r,
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
owner @{run}/user/@{uid}/#@{int} rw,
|
||||
owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
|
||||
|
|
|
|||
|
|
@ -21,6 +21,8 @@
|
|||
/usr/share/file/misc/** r,
|
||||
/usr/share/nvim/{,**} r,
|
||||
|
||||
@{etc_ro}/lesskey.bin r,
|
||||
|
||||
@{HOME}/.lesshst r,
|
||||
|
||||
owner @{HOME}/ r,
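Review bot: `@{HOME}/.lesshst r,` carries no `owner` qualifier while the neighbouring home rule `owner @{HOME}/ r,` does; the hunk is pure addition (6→8 lines, eight shown), so the rule is on the new side whether or not it is the added line. Unless the pager must read another user's history, `owner @{HOME}/.lesshst r,` is the tighter and more consistent form. The section's file header is not rendered on this page.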
|
||||
|
|
|
|||
|
|
@ -19,11 +19,13 @@
|
|||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pid}/status r,
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
@{PROC}/@{pids}/environ r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
@{PROC}/tty/drivers r,
|
||||
@{PROC}/uptime r,
|
||||
|
||||
include if exists <abstractions/app/pgrep.d>
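Review bot: `@{PROC}/@{pids}/environ r,` grants read access to the environment of every process, which routinely carries tokens and passwords and is the reason the kernel already gates that file behind ptrace read permission. A one-line comment naming the pgrep feature that needs it, e.g. `@{PROC}/@{pids}/environ r, # <feature that reads the environment>`, would let later reviewers judge the rule, and if nothing needs it the line should go. The hunk is pure addition (11→13, thirteen lines shown), so the rule is on the new side; the file header is not rendered.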
|
||||
|
|
|
|||
|
|
@ -11,7 +11,8 @@
|
|||
|
||||
/etc/udev/udev.conf r,
|
||||
|
||||
@{run}/udev/data/* r,
|
||||
@{run}/udev/data/+*:* r, # Identifies all subsystems
|
||||
@{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
|
||||
|
||||
@{sys}/** r,
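Review bot: `@{run}/udev/data/* r,` already matches everything the two following rules `@{run}/udev/data/+*:* r,` and `@{run}/udev/data/c@{int}:@{int} r,` match, so one of the two forms is dead text. Keep either the wildcard alone or the two commented specific rules; keeping both invites a later edit that narrows the specific ones while the wildcard silently keeps the access. The hunk is pure addition (7→8), so all three lines are on the new side; the section's file header is not rendered.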
|
||||
|
||||
|
|
|
|||
|
|
@ -8,12 +8,14 @@
|
|||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/base-strict>
|
||||
include <abstractions/base>
|
||||
|
||||
@{att}/@{run}/systemd/journal/dev-log w,
|
||||
@{att}/@{run}/systemd/journal/socket w,
|
||||
@{att}/@{run}/systemd/journal/stdout rw,
|
||||
|
||||
@{att}/dev/null rw,
|
||||
|
||||
/apparmor/.null rw,
|
||||
@{att}/apparmor/.null rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -67,8 +67,9 @@
|
|||
# Allow unconfined processes to us via unix sockets
|
||||
unix receive peer=(label=unconfined),
|
||||
|
||||
# Allow communication to children profiles
|
||||
# Allow communication to children and stacked profiles
|
||||
signal peer=@{profile_name}//*,
|
||||
signal peer=@{profile_name}//&*,
|
||||
unix type=stream peer=(label=@{profile_name}//*),
|
||||
|
||||
# Allow us to create abstract and anonymous sockets
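Review bot: The comment now reads `# Allow communication to children and stacked profiles` and the signal rules cover both `@{profile_name}//*` and `@{profile_name}//&*`, but the `unix type=stream peer=(label=@{profile_name}//*),` rule below them still names children only. If stacked peers also need the unix channel, add `unix type=stream peer=(label=@{profile_name}//&*),`; if not, the comment overstates what the block allows. The hunk is pure addition (8→9), so these lines are all on the new side.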
|
||||
|
|
|
|||
|
|
@ -8,20 +8,20 @@
|
|||
signal receive peer=@{p_systemd_user},
|
||||
|
||||
# Allow to receive some signals from new well-known profiles
|
||||
signal (receive) peer=btop,
|
||||
signal (receive) peer=htop,
|
||||
signal (receive) peer=pkill,
|
||||
signal (receive) peer=sudo,
|
||||
signal (receive) peer=top,
|
||||
signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown,
|
||||
signal (receive) set=(hup term) peer=login,
|
||||
signal (receive) set=(hup) peer=xinit,
|
||||
signal (receive) set=(term,kill) peer=gnome-shell,
|
||||
signal (receive) set=(term,kill) peer=gnome-system-monitor,
|
||||
signal (receive) set=(term,kill) peer=openbox,
|
||||
signal (receive) set=(term,kill) peer=su,
|
||||
signal receive peer=btop,
|
||||
signal receive peer=htop,
|
||||
signal receive peer=pkill,
|
||||
signal receive peer=sudo,
|
||||
signal receive peer=top,
|
||||
signal receive set=(cont,term,kill,stop) peer=systemd-shutdown,
|
||||
signal receive set=(hup term) peer=login,
|
||||
signal receive set=(hup) peer=xinit,
|
||||
signal receive set=(term,kill) peer=gnome-shell,
|
||||
signal receive set=(term,kill) peer=gnome-system-monitor,
|
||||
signal receive set=(term,kill) peer=openbox,
|
||||
signal receive set=(term,kill) peer=su,
|
||||
|
||||
ptrace (readby) peer=@{p_systemd_coredump},
|
||||
ptrace readby peer=@{p_systemd_coredump},
|
||||
|
||||
@{etc_rw}/localtime r,
|
||||
/etc/locale.conf r,
|
||||
|
|
@ -30,4 +30,6 @@
|
|||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
||||
/apparmor/.null rw,
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
|
|||
|
|
@ -20,6 +20,6 @@
|
|||
member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
|
||||
|
||||
include if exists <abstractions/bus/own-accessibility.d>
|
||||
include if exists <abstractions/bus/accessibility/own.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -31,6 +31,11 @@
|
|||
member=Embed
|
||||
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||
interface=org.a11y.atspi.Socket
|
||||
member=Embed
|
||||
peer=(name=org.a11y.atspi.Registry),
|
||||
|
||||
# Session bus
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
|
|
@ -38,6 +43,11 @@
|
|||
member=GetAll
|
||||
peer=(name=@{busname}, label="@{p_dbus_accessibility}"),
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get
|
||||
peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.a11y.Bus
|
||||
member=Get
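Review bot: The new `dbus send ... member=Embed peer=(name=org.a11y.atspi.Registry),` rule has no `label=` and so accepts any peer owning that name, which also makes the adjacent rule with `label="@{p_at_spi2_registryd}"` redundant. If the unlabeled form exists to cover an unconfined registry, a one-line comment saying so would stop a later cleanup from removing the wrong rule; otherwise drop it. Hunk `@ -31,6 +31,11 @@` is pure addition, so the rule is on the new side; the last rule of the final hunk continues past it and the file header is not rendered.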
|
||||
|
|
|
|||
|
|
@ -8,8 +8,8 @@
|
|||
|
||||
dbus send bus=system path=/org/freedesktop/Accounts
|
||||
interface=org.freedesktop.Accounts
|
||||
member={FindUserByName,ListCachedUsers}
|
||||
peer=(name="@{busname}", label="@{p_accounts_daemon}"),
|
||||
member={FindUserByName,ListCachedUsers,FindUserById}
|
||||
peer=(name="{@{busname},org.freedesktop.Accounts}", label="@{p_accounts_daemon}"),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
|
||||
interface=org.freedesktop.Accounts.User
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@
|
|||
|
||||
dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
|
||||
interface=org.freedesktop.Avahi.ServiceBrowser
|
||||
member={ItemNew,AllForNow,CacheExhausted}
|
||||
member={ItemNew,ItemRemove,AllForNow,CacheExhausted}
|
||||
peer=(name="@{busname}", label="@{p_avahi_daemon}"),
|
||||
|
||||
dbus receive bus=system path=/
|
||||
|
|
|
|||
|
|
@ -2,6 +2,8 @@
|
|||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allow for color managed applications to communicate with colord
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
#aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}"
|
||||
|
|
@ -21,6 +23,11 @@
|
|||
member={DeviceAdded,DeviceRemoved}
|
||||
peer=(name="@{busname}", label="@{p_colord}"),
|
||||
|
||||
dbus (receive, send) bus=system path=/org/freedesktop/ColorManager
|
||||
interface=org.freedesktop.ColorManager
|
||||
member=FindDeviceByProperty
|
||||
peer=(name="@{busname}", label="@{p_colord}"),
|
||||
|
||||
include if exists <abstractions/bus/org.freedesktop.ColorManager.d>
|
||||
|
||||
# vim:syntax=apparmor
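Review bot: `dbus (receive, send) bus=system path=/org/freedesktop/ColorManager ... member=FindDeviceByProperty` opens both directions for a method the client only calls; AppArmor's D-Bus mediation already admits the reply to a permitted `send`, so `receive` here additionally lets the confined program be invoked through that member as if it implemented ColorManager. Unless that is wanted, `dbus send bus=system path=/org/freedesktop/ColorManager` is enough for the new rule. Hunk `@ -21,6 +23,11 @@` is pure addition (6→11), so the rule is on the new side; the file header is not rendered.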
|
||||
|
|
|
|||
|
|
@ -6,6 +6,11 @@
|
|||
|
||||
#aa:dbus common bus=session name=org.freedesktop.FileManager1 label=nautilus
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/FileManager1
|
||||
interface=org.freedesktop.FileManager1
|
||||
member=ShowItems
|
||||
peer=(name=org.freedesktop.FileManager1, label=nautilus),
|
||||
|
||||
include if exists <abstractions/bus/org.freedesktop.FileManager1.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
|
|||
|
|
@ -1,26 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
#aa:dbus common bus=session name=org.freedesktop.Notifications label=gjs-console
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/Notifications
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={GetCapabilities,GetServerInformation,Notify}
|
||||
peer=(name="@{busname}", label=gjs-console),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/Notifications
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={NotificationClosed,CloseNotification}
|
||||
peer=(name="@{busname}", label=gjs-console),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/Notifications
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Notify
|
||||
peer=(name=org.freedesktop.DBus, label=gjs-console),
|
||||
|
||||
include if exists <abstractions/bus/org.freedesktop.Notifications.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=session path=/ScreenSaver
|
||||
interface=org.freedesktop.ScreenSaver
|
||||
member={Inhibit,UnInhibit}
|
||||
peer=(name=org.freedesktop.ScreenSaver),
|
||||
|
||||
include if exists <abstractions/bus/org.freedesktop.ScreenSaver.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -2,10 +2,13 @@
|
|||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Can query UPower for power devices, history and statistics.
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
#aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}"
|
||||
|
||||
# Find all devices monitored by UPower
|
||||
dbus send bus=system path=/org/freedesktop/UPower
|
||||
interface=org.freedesktop.UPower
|
||||
member=EnumerateDevices
|
||||
|
|
@ -13,7 +16,12 @@
|
|||
|
||||
dbus send bus=system path=/org/freedesktop/UPower
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetDisplayDevice
|
||||
member={GetDisplayDevice,GetCriticalAction}
|
||||
peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/UPower/devices/**
|
||||
interface=org.freedesktop.UPower.Device
|
||||
member={GetHistory,Refresh}
|
||||
peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/UPower
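Review bot: The extended `member={GetDisplayDevice,GetCriticalAction}` sits under `interface=org.freedesktop.DBus.Properties`, but both are methods of `org.freedesktop.UPower` itself, so as rendered the rule cannot match the calls it is meant to allow and they will still be denied (the `EnumerateDevices` rule in the first hunk uses the right interface). Either change that rule's interface line to `interface=org.freedesktop.UPower`, or fold the members into the first rule as `member={EnumerateDevices,GetDisplayDevice,GetCriticalAction}`. The trailing `dbus receive` rule continues past the hunk.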
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@
|
|||
abi <abi/4.0>,
|
||||
|
||||
#aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}"
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/hostname1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get
|
||||
|
|
|
|||
|
|
@ -11,31 +11,51 @@
|
|||
member=Read
|
||||
peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=@{busname}, label=xdg-desktop-portal),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.portal.Settings
|
||||
member={Read,ReadAll}
|
||||
peer=(name="@{busname}", label=xdg-desktop-portal),
|
||||
peer=(name=@{busname}, label=xdg-desktop-portal),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.portal.Settings
|
||||
member=SettingChanged
|
||||
peer=(name="@{busname}", label=xdg-desktop-portal),
|
||||
peer=(name=@{busname}, label=xdg-desktop-portal),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/portal/desktop
|
||||
dbus receive bus=session path=/org/freedesktop/portal/desktop{,/**}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={Get,GetAll}
|
||||
peer=(name="@{busname}", label=xdg-desktop-portal),
|
||||
peer=(name=@{busname}, label=xdg-desktop-portal),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.impl.portal.Settings
|
||||
member={Read,ReadAll}
|
||||
peer=(name="@{busname}", label=xdg-desktop-portal),
|
||||
peer=(name=@{busname}, label=xdg-desktop-portal),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.host.portal.Registry
|
||||
member=Register
|
||||
peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/portal/desktop/**
|
||||
interface=org.freedesktop.portal.Request
|
||||
member=Response
|
||||
peer=(name=@{busname}, label=xdg-desktop-portal),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.portal.Inhibit
|
||||
member={StateChanged,CreateMonitor}
|
||||
peer=(name=@{busname}, label=xdg-desktop-portal),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/portal/desktop/session/**
|
||||
interface=org.freedesktop.impl.portal.Session
|
||||
member=Close
|
||||
peer=(name=@{busname}, label=xdg-desktop-portal),
|
||||
|
||||
include if exists <abstractions/bus/org.freedesktop.portal.Desktop.d>
|
||||
|
||||
# vim:syntax=apparmor
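Review bot: In the `dbus receive ... interface=org.freedesktop.portal.Inhibit member={StateChanged,CreateMonitor}` rule, `CreateMonitor` is a method the application calls on the portal, so under `receive` it only matches if the portal calls the application; `StateChanged` is the signal that belongs in a receive rule. Split it into `dbus send ... member=CreateMonitor` and `dbus receive ... member=StateChanged`, both with `peer=(name=@{busname}, label=xdg-desktop-portal)`. That the rule is newly added is inferred from the hunk's 20 added lines and print order, so confirm against the denial that motivated it.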
|
||||
|
|
|
|||
|
|
@ -4,12 +4,12 @@
|
|||
|
||||
abi <abi/4.0>,
|
||||
|
||||
#aa:dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}"
|
||||
#aa-dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}"
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/resolve1
|
||||
interface=org.freedesktop.resolve1.Manager
|
||||
member={SetLink*,ResolveHostname}
|
||||
peer=(name="{@{busname},org.freedesktop.resolve1}", label="@{p_systemd_resolved}"),
|
||||
member={ResolveAddress,ResolveHostname,ResolveRecord,ResolveService}
|
||||
peer=(name=org.freedesktop.resolve1, label="@{p_systemd_resolved}"),
|
||||
|
||||
include if exists <abstractions/bus/org.freedesktop.resolve1.d>
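Review bot: The directive line reads `#aa-dbus common bus=system name=org.freedesktop.resolve1 ...` while every other abstraction in this commit spells it `#aa:dbus common ...`; if the spelling is a typo it silently drops whatever that directive generates, and if it is deliberate (presumably to disable the common rules now that the member list is narrowed to `{ResolveAddress,ResolveHostname,ResolveRecord,ResolveService}`) a comment saying so would stop someone "fixing" it back. Which of the two directive lines is the new one is inferred from print order, so check the rendered diff.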
|
||||
|
||||
|
|
|
|||
|
|
@ -8,8 +8,8 @@
|
|||
|
||||
dbus send bus=session path=/org/freedesktop/secrets
|
||||
interface=org.freedesktop.Secret.Service
|
||||
member={OpenSession,GetSecrets,SearchItems,ReadAlias}
|
||||
peer=(name="@{busname}", label=gnome-keyring-daemon),
|
||||
member={OpenSession,GetSecrets,SearchItems,Unlock,ReadAlias}
|
||||
peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/secrets/aliases/default
|
||||
interface=org.freedesktop.Secret.Collection
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
|
||||
#aa:dbus common bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/systemd1
|
||||
dbus send bus=system path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd1.Manager
|
||||
member={GetUnit,GetUnitByPIDFD,StartUnit,StartTransientUnit}
|
||||
peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
|
||||
|
|
|
|||
|
|
@ -1,16 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
#aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd1.Manager
|
||||
member=GetUnit
|
||||
peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"),
|
||||
|
||||
include if exists <abstractions/bus/org.freedesktop.systemd1-session.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -13,8 +13,8 @@
|
|||
|
||||
dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core
|
||||
interface=org.gnome.Mutter.IdleMonitor
|
||||
member={AddIdleWatch,AddUserActiveWatch,RemoveWatch}
|
||||
peer=(name="@{busname}", label=gnome-shell),
|
||||
member={AddIdleWatch,AddUserActiveWatch,RemoveWatch,GetIdletime}
|
||||
peer=(name="{@{busname},org.gnome.Mutter.IdleMonitor}", label=gnome-shell),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core
|
||||
interface=org.gnome.Mutter.IdleMonitor
|
||||
|
|
|
|||
|
|
@ -13,6 +13,11 @@
|
|||
member={RegisterClient,IsSessionRunning}
|
||||
peer=(name="@{busname}", label=gnome-session-binary),
|
||||
|
||||
dbus send bus=session path=/org/gnome/SessionManager
|
||||
interface=org.gnome.SessionManager
|
||||
member={Inhibit,Uninhibit}
|
||||
peer=(name="@{busname}", label=gnome-session-binary),
|
||||
|
||||
dbus send bus=session path=/org/gnome/SessionManager
|
||||
interface=org.gnome.SessionManager
|
||||
member={Setenv,IsSessionRunning}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,23 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allow requesting interest in receiving media key events. This tells Gnome
|
||||
# settings that our application should be notified when key events we are
|
||||
# interested in are pressed, and allows us to receive those events.
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
# DBus.Properties: read all properties from the interface
|
||||
dbus send bus=session path=/org/gnome/SettingsDaemon/MediaKeys
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={Get,GetAll}
|
||||
peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys),
|
||||
|
||||
dbus (receive, send) bus=session path=/org/gnome/SettingsDaemon/MediaKeys
|
||||
interface=org.gnome.SettingsDaemon.MediaKeys
|
||||
peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys),
|
||||
|
||||
include if exists <abstractions/bus/org.gnome.SettingsDaemon.MediaKeys.d>
|
||||
|
||||
# vim:syntax=apparmor
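Review bot: The second rule `dbus (receive, send) bus=session path=/org/gnome/SettingsDaemon/MediaKeys interface=org.gnome.SettingsDaemon.MediaKeys` has no `member=`, so it allows every method and signal of the interface in both directions, while the header comment only describes registering interest and receiving key events. Listing the members the comment describes, e.g. `member={GrabMediaPlayerKeys,ReleaseMediaPlayerKeys,MediaPlayerKeyPressed}`, and separating `send` (the Grab/Release calls) from `receive` (the key-pressed signal) keeps this as narrow as the other abstractions in the series. This is a new file, so every line shown is on the new side.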
|
||||
|
|
@ -6,6 +6,16 @@
|
|||
|
||||
#aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell
|
||||
|
||||
dbus receive bus=session path=/org/gnome/Characters/SearchProvider
|
||||
interface=org.gnome.Shell.SearchProvider2
|
||||
member={GetInitialResultSet,GetSubsearchResultSet,GetResultMetas}
|
||||
peer=(name=@{busname}, label=gnome-shell),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/Characters/SearchProvider
|
||||
interface=org.gnome.Shell.SearchProvider2
|
||||
member=*Cancel
|
||||
peer=(name=@{busname}, label=gnome-shell),
|
||||
|
||||
include if exists <abstractions/bus/org.gnome.Shell.SearchProvider2.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
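Review bot: The added rules hard-code `path=/org/gnome/Characters/SearchProvider`, which looks application-specific for a shared abstraction whose drop-in directory is `abstractions/bus/org.gnome.Shell.SearchProvider2.d`; every profile that includes it is granted only GNOME Characters' object path and any other search provider would still be denied. Presumably the path should either be a variable set by the calling profile (the `@{domain}`-style pattern that `abstractions/common/chromium` adopts in this same commit) or a pattern such as `path=/org/gnome/*/SearchProvider`. I can only see this hunk, so if the file is in fact only included by the gnome-characters profile a comment noting that would be enough.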
|
|
|
|||
|
|
@ -0,0 +1,26 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allow accessing the GNOME crypto services prompt APIs as used by
|
||||
# applications using libgcr (such as pinentry-gnome3) for secure pin
|
||||
# entry to unlock GPG keys etc. See:
|
||||
# https://developer.gnome.org/gcr/unstable/GcrPrompt.html
|
||||
# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html
|
||||
# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=session path=/org/gnome/keyring/Prompter
|
||||
interface=org.gnome.keyring.internal.Prompter
|
||||
member={BeginPrompting,PerformPrompt,StopPrompting}
|
||||
peer=(name=@{busname}, label=pinentry-*),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int}
|
||||
interface=org.gnome.keyring.internal.Prompter.Callback
|
||||
member={PromptReady,PromptDone}
|
||||
peer=(name=@{busname}, label=pinentry-*),
|
||||
|
||||
include if exists <abstractions/bus/org.gnome.keyring.internal.Prompter.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
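Review bot: The peer label on both rules is `pinentry-*`, which makes pinentry the party that receives `BeginPrompting` and emits `PromptReady`, whereas the header comment describes this abstraction as the client side used by pinentry-gnome3 through libgcr. In that protocol the client calls the prompter service and the service calls back `PromptReady`/`PromptDone` on the client, so if this file is for the client the peer is presumably the prompter daemon (the owner of the prompter bus name), not `pinentry-*`; if it is for the prompter side instead, the header comment should say so. Worth confirming against the profile that includes it before enforcing.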
|
|
@ -7,7 +7,7 @@
|
|||
dbus send bus=session path=/org/gtk/vfs/Daemon
|
||||
interface=org.gtk.vfs.Daemon
|
||||
member={GetConnection,ListMonitorImplementations,ListMountableInfo}
|
||||
peer=(name="@{busname}", label=gvfsd),
|
||||
peer=(name=@{busname}, label=gvfsd),
|
||||
|
||||
dbus receive bus=session path=/org/gtk/vfs/Daemon
|
||||
interface=org.gtk.vfs.Daemon
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@
|
|||
|
||||
dbus receive bus=session path=/org/gtk/vfs/mounttracker
|
||||
interface=org.gtk.vfs.MountTracker
|
||||
member=Mounted
|
||||
member={Mounted,Unmounted}
|
||||
peer=(name="@{busname}", label=gvfsd),
|
||||
|
||||
include if exists <abstractions/bus/org.gtk.vfs.MountTracker.d>
|
||||
|
|
|
|||
|
|
@ -4,6 +4,30 @@
|
|||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/bus/session/own>
|
||||
|
||||
dbus bind bus=session name=org.kde.StatusNotifierItem-@{int},
|
||||
|
||||
dbus send bus=session path=/StatusNotifierWatcher
|
||||
interface=org.kde.StatusNotifierWatcher
|
||||
member=RegisterStatusNotifierItem
|
||||
peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
|
||||
|
||||
dbus send bus=session path=/StatusNotifierItem
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged
|
||||
peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
|
||||
|
||||
dbus send bus=session path=/{StatusNotifierItem,org/ayatana/NotificationItem/*}
|
||||
interface=org.kde.StatusNotifierItem
|
||||
member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip}
|
||||
peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
|
||||
|
||||
dbus send bus=session path=/StatusNotifierWatcher
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get
|
||||
peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
|
||||
|
||||
include if exists <abstractions/bus/org.kde.StatusNotifierItem.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
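Review bot: `dbus bind bus=session name=org.kde.StatusNotifierItem-@{int},` only matches a name ending in a single integer, while the StatusNotifierItem spec names items `org.kde.StatusNotifierItem-<pid>-<id>`, so the common `-1234-1` form would presumably be denied; `name=org.kde.StatusNotifierItem-@{int}-@{int}` (or `-@{int}{,-@{int}}` if single-number names also occur in practice) would cover both. Separately, the Properties `Get` rule at the end of the hunk pins `label=gnome-shell` while every other rule in the hunk uses `label="@{pp_app_indicator}"`; if the watcher may be either, the variable is the more consistent choice.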
|
|
|
|||
|
|
@ -2,14 +2,52 @@
|
|||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allow to display Status Notifier Items in the KDE Plasma systray
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
#aa:dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell
|
||||
#aa-dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell
|
||||
|
||||
dbus send bus=session path=/StatusNotifierWatcher
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
|
||||
|
||||
dbus send bus=session path=/StatusNotifierWatcher
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get
|
||||
peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
|
||||
|
||||
dbus receive bus=session path=/StatusNotifierItem
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(label="@{pp_app_indicator}"),
|
||||
|
||||
|
||||
dbus send bus=session path=/{StatusNotifierItem/menu,org/ayatana/NotificationItem/*/Menu}
|
||||
interface=com.canonical.dbusmenu
|
||||
member={LayoutUpdated,ItemsPropertiesUpdated}
|
||||
peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
|
||||
|
||||
dbus receive bus=session path=/{StatusNotifierItem,StatusNotifierItem/menu,org/ayatana/NotificationItem/**}
|
||||
interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu}
|
||||
member={Get*,AboutTo*,Event*}
|
||||
peer=(label="@{pp_app_indicator}"),
|
||||
|
||||
dbus send bus=session path=/StatusNotifierWatcher
|
||||
interface=org.kde.StatusNotifierWatcher
|
||||
member=RegisterStatusNotifierItem
|
||||
peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell),
|
||||
peer=(label="@{pp_app_indicator}"),
|
||||
|
||||
dbus receive bus=session path=/StatusNotifierItem
|
||||
interface=org.kde.StatusNotifierItem
|
||||
member={ProvideXdgActivationToken,Activate}
|
||||
peer=(label="@{pp_app_indicator}"),
|
||||
|
||||
dbus receive bus=session path=/MenuBar
|
||||
interface=com.canonical.dbusmenu
|
||||
member={AboutToShow,GetLayout,Event}
|
||||
peer=(label="@{pp_app_indicator}"),
|
||||
|
||||
include if exists <abstractions/bus/org.kde.StatusNotifierWatcher.d>
|
||||
|
||||
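Review bot: The two directive lines differ only in `#aa:dbus` versus `#aa-dbus`; every other abstraction touched by this commit spells it `#aa:dbus`, so if `#aa-dbus` is the new side the prebuild directive silently stops being recognised and whatever rules it generated disappear. If disabling it is intentional (the hunk now lists the rules by hand), a short comment such as `# directive disabled on purpose: rules are listed explicitly below` would make that clear; otherwise the colon should be restored.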
|
|
|
|||
|
|
@ -4,27 +4,34 @@
|
|||
|
||||
abi <abi/4.0>,
|
||||
|
||||
#aa-dbus common bus=session name=org.mpris.MediaPlayer2.Player label=unconfined
|
||||
# DBus.Properties: read all properties from the interface
|
||||
dbus send bus=system path=/org/mpris/MediaPlayer2
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={Get,GetAll}
|
||||
peer=(name=@{busname}),
|
||||
|
||||
# DBus.Properties: receive property changed events
|
||||
dbus receive bus=session path=/org/mpris/MediaPlayer2
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged
|
||||
peer=(name=@{busname}),
|
||||
|
||||
# DBus.Introspectable: allow clients to introspect the service
|
||||
dbus send bus=system path=/org/mpris/MediaPlayer2
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=@{busname}),
|
||||
|
||||
dbus receive bus=session path=/org/mpris/MediaPlayer2
|
||||
interface=org.mpris.MediaPlayer2.Player
|
||||
member={Seeked,Next,PlayPause}
|
||||
peer=(name=@{busname}),
|
||||
|
||||
# https://specifications.freedesktop.org/mpris-spec/latest/Player_Interface.html#Signal:Seeked
|
||||
dbus send bus=session path=/org/mpris/MediaPlayer2
|
||||
interface=org.mpris.MediaPlayer2.Player
|
||||
member=Seeked
|
||||
peer=(name=@{busname}),
|
||||
|
||||
dbus send bus=session path=/org/mpris/MediaPlayer2
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get
|
||||
peer=(name=@{busname}),
|
||||
|
||||
dbus send bus=session path=/org/mpris/MediaPlayer2
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=@{busname}),
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
include if exists <abstractions/bus/org.mpris.MediaPlayer2.Player.d>
|
||||
|
||||
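Review bot: Two of the send rules in this hunk use `bus=system` (the `path=/org/mpris/MediaPlayer2` rule with `member={Get,GetAll}` and the one with `member=Introspect`), while MPRIS players live on the session bus and every other rule in the same hunk says `bus=session`. I cannot tell from the rendered page which of these lines are on the new side, but if the `bus=system` lines survive they presumably never match and should read `dbus send bus=session path=/org/mpris/MediaPlayer2`. The `GetAll` send whose peer becomes `peer=(name=org.freedesktop.DBus)` targets the bus daemon's well-known name; a one-line comment explaining why a Properties call goes there rather than to `@{busname}` would help.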
|
|
|
|||
|
|
@ -0,0 +1,21 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
#aa:dbus common bus=session name=org.freedesktop.Notifications label="@{pp_notification}"
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/Notifications
|
||||
interface=org.freedesktop.Notifications
|
||||
member={GetCapabilities,GetServerInformation,Notify,CloseNotification}
|
||||
peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/Notifications
|
||||
interface=org.freedesktop.Notifications
|
||||
member={ActionInvoked,NotificationClosed,NotificationReplied}
|
||||
peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"),
|
||||
|
||||
include if exists <abstractions/bus/session/org.freedesktop.Notifications.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -0,0 +1,26 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allow checking status, activating and locking the screensaver
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=session path=/ScreenSaver
|
||||
interface=org.freedesktop.ScreenSaver
|
||||
member={Inhibit,UnInhibit}
|
||||
peer=(name=org.freedesktop.ScreenSaver),
|
||||
|
||||
dbus send bus=session path=/{,org/freedesktop/}ScreenSaver
|
||||
interface=org.freedesktop.ScreenSaver
|
||||
member={GetActive,GetActiveTime,Lock,SetActive}
|
||||
peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/ScreenSaver
|
||||
interface=org.freedesktop.ScreenSaver
|
||||
member={ActiveChanged,WakeUpScreen}
|
||||
peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"),
|
||||
|
||||
include if exists <abstractions/bus/session/org.freedesktop.ScreenSaver.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
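Review bot: The `Inhibit,UnInhibit` rule only allows `path=/ScreenSaver`, while the rule below it accepts `path=/{,org/freedesktop/}ScreenSaver` and the receive rule uses `/org/freedesktop/ScreenSaver`; clients that call `Inhibit` at `/org/freedesktop/ScreenSaver` would therefore be denied even though the read-only calls at that path are allowed. Suggest `dbus send bus=session path=/{,org/freedesktop/}ScreenSaver` on the first rule too. Note also that the first rule has no `label=` on its peer whereas the other two pin `{gsd-screensaver-proxy,ksmserver,kwin_wayland}`; if that asymmetry is deliberate a comment would help.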
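--- a/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1
+++ b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+#aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"
+
+dbus send bus=session path=/org/freedesktop/systemd1
+interface=org.freedesktop.systemd1.Manager
+member=GetUnit
+peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"),
+
+dbus send bus=session path=/org/freedesktop/systemd1/unit/app_*
+interface=org.freedesktop.DBus.Properties
+member=GetAll
+peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),
+
+dbus send bus=session path=/org/freedesktop/systemd1
+interface=org.freedesktop.systemd1.Manager
+member=StartTransientUnit
+peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),
+
+include if exists <abstractions/bus/session/org.freedesktop.systemd1.d>
+
+# vim:syntax=apparmor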
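Review bot: `member=StartTransientUnit` lets any profile that includes this abstraction ask the user's systemd instance to run an arbitrary command as a transient unit, and that unit presumably runs under `@{p_systemd_user}`'s confinement rather than the caller's, so it is effectively an escape hatch from the including profile. The file has no header comment at all; suggest adding one that states this, e.g. `# Allow querying user units and starting transient units. NOTE: StartTransientUnit runs the command under the user manager, not the caller's confinement`. Alternatively keep the `StartTransientUnit` rule in a separate abstraction so profiles that only need `GetUnit`/`GetAll` do not inherit it.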
|
|
@ -2,20 +2,20 @@
|
|||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allow checking status, activating and locking the screensaver (GNOME version)
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
#aa:dbus common bus=session name=org.gnome.ScreenSaver label=gjs-console
|
||||
|
||||
dbus send bus=session path=/org/gnome/ScreenSaver
|
||||
dbus send bus=session path=/{,org/gnome/}ScreenSaver
|
||||
interface=org.gnome.ScreenSaver
|
||||
member=GetActive
|
||||
peer=(name="@{busname}", label=gjs-console),
|
||||
member={GetActive,GetActiveTime,Lock,SetActive}
|
||||
peer=(name=@{busname}, label=gjs-console),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/ScreenSaver
|
||||
interface=org.gnome.ScreenSaver
|
||||
member={ActiveChanged,WakeUpScreen}
|
||||
peer=(name="@{busname}", label=gjs-console),
|
||||
peer=(name=@{busname}, label=gjs-console),
|
||||
|
||||
include if exists <abstractions/bus/org.gnome.ScreenSaver.d>
|
||||
include if exists <abstractions/bus/session/org.gnome.ScreenSaver.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
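--- a/apparmor.d/abstractions/bus/session/org.gtk.Actions
+++ b/apparmor.d/abstractions/bus/session/org.gtk.Actions
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+dbus receive bus=session
+interface=org.freedesktop.DBus.Properties
+member=GetAll
+peer=(name=@{busname}, label=gnome-shell),
+
+dbus receive bus=session
+interface=org.gtk.Actions
+member={Activate,DescribeAll,SetState},
+
+dbus send bus=session
+interface=org.gtk.Actions
+member=Changed,
+
+include if exists <abstractions/bus/session/org.gtk.Actions.d>
+
+# vim:syntax=apparmor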
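Review bot: The `dbus receive ... interface=org.gtk.Actions member={Activate,DescribeAll,SetState}` rule has no `peer=` at all, so any session-bus peer, whatever its label, may invoke and change the application's actions; the inline version this replaces in `abstractions/gtk` (visible further down in this commit) at least had `peer=(name=@{busname})`, and the `GetAll` rule just above pins `label=gnome-shell`. Suggest `peer=(name=@{busname}, label=gnome-shell),` on the Activate rule, or whichever set of labels actually drives these actions, so that an arbitrary confined process cannot trigger them. If any peer really must be allowed, a comment explaining why would be useful.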
|
|
@ -8,9 +8,9 @@
|
|||
|
||||
dbus send bus=session path=/org/gtk/Notifications
|
||||
interface=org.gtk.Notifications
|
||||
member=RemoveNotification
|
||||
member={AddNotification,RemoveNotification}
|
||||
peer=(name=org.gtk.Notifications, label=gnome-shell),
|
||||
|
||||
include if exists <abstractions/bus/org.gtk.Notifications.d>
|
||||
include if exists <abstractions/bus/session/org.gtk.Notifications.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
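--- a/apparmor.d/abstractions/bus/session/org.gtk.Settings
+++ b/apparmor.d/abstractions/bus/session/org.gtk.Settings
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+dbus send bus=session path=/org/gtk/Settings
+interface=org.freedesktop.DBus.Properties
+member=GetAll
+peer=(name=@{busname}, label=gsd-xsettings),
+dbus receive bus=session path=/org/gtk/Settings
+interface=org.freedesktop.DBus.Properties
+member=PropertiesChanged
+peer=(name=@{busname}, label=gsd-xsettings),
+
+include if exists <abstractions/bus/session/org.gtk.Settings.d>
+
+# vim:syntax=apparmor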
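Review bot: The `dbus send` and `dbus receive` rules are run together with no blank line between `peer=(name=@{busname}, label=gsd-xsettings),` and the following `dbus receive bus=session path=/org/gtk/Settings`, unlike every other abstraction in this commit, which separates rules with a blank line; add the blank line for consistency. A one-line purpose comment such as `# Allow reading the GTK settings exported by gsd-xsettings` would also match the style of the other new abstractions.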
|
|
@ -20,6 +20,6 @@
|
|||
member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
|
||||
|
||||
include if exists <abstractions/bus/own-session.d>
|
||||
include if exists <abstractions/bus/session/own.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -20,6 +20,6 @@
|
|||
member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
|
||||
|
||||
include if exists <abstractions/bus/own-system.d>
|
||||
include if exists <abstractions/bus/system/own.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -28,6 +28,7 @@
|
|||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/p11-kit>
|
||||
include <abstractions/path>
|
||||
include <abstractions/sqlite>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/video>
|
||||
|
||||
|
|
@ -63,11 +64,10 @@
|
|||
owner @{tmp}/** rmwk,
|
||||
owner /dev/shm/** rwlk -> /dev/shm/**,
|
||||
owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**,
|
||||
owner /var/tmp/etilqs_@{sqlhex} rw,
|
||||
|
||||
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
|
||||
|
||||
@{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.
|
||||
@{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket.
|
||||
@{run}/host/{,**} r,
|
||||
@{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket.
|
||||
@{run}/utmp rk,
|
||||
|
|
@ -114,6 +114,7 @@
|
|||
@{PROC}/sys/kernel/sched_autogroup_enabled r,
|
||||
@{PROC}/sys/kernel/yama/ptrace_scope r,
|
||||
@{PROC}/sys/net/core/bpf_jit_enable r,
|
||||
@{PROC}/sys/net/core/somaxconn r,
|
||||
@{PROC}/uptime r,
|
||||
@{PROC}/version r,
|
||||
@{PROC}/zoneinfo r,
|
||||
|
|
@ -131,10 +132,16 @@
|
|||
owner @{PROC}/@{pid}/net/if_inet6 r,
|
||||
owner @{PROC}/@{pid}/oom_score_adj rw,
|
||||
owner @{PROC}/@{pid}/pagemap r,
|
||||
owner @{PROC}/@{pid}/smaps_rollup r,
|
||||
owner @{PROC}/@{pid}/statm r,
|
||||
owner @{PROC}/@{pid}/task/ r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
|
||||
@{att}/dev/dri/card@{int} rw,
|
||||
@{att}/dev/dri/renderD128 rw,
|
||||
@{att}/dev/dri/renderD129 rw,
|
||||
owner @{att}/dev/shm/@{uuid} r,
|
||||
|
||||
/dev/hidraw@{int} rw,
|
||||
/dev/input/ r,
|
||||
/dev/input/event@{int} rw,
|
||||
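Review bot: `owner @{PROC}/@{pid}/pagemap r` and `owner @{PROC}/@{pid}/smaps_rollup r` are introduced without a comment; pagemap exposes page-frame information that has been used in cache and rowhammer style attacks (current kernels zero the PFN field for unprivileged readers, which reduces but does not remove the concern), so a short note on which Chromium feature needs it would help reviewers decide whether it belongs in the shared abstraction. On a style point, `@{att}/dev/dri/renderD128 rw,` and `renderD129` are spelt out while the line above uses `card@{int}`; `@{att}/dev/dri/renderD@{int} rw,` would cover additional render nodes consistently. The `etilqs_@{sqlhex}` line presumably duplicates what `abstractions/sqlite`, included at the top of the file, already grants; worth checking.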
|
|
|
|||
|
|
@ -7,6 +7,7 @@
|
|||
|
||||
/usr/share/dpkg/cputable r,
|
||||
/usr/share/dpkg/tupletable r,
|
||||
/usr/share/dpkg/varianttable r,
|
||||
|
||||
/etc/apt/apt.conf r,
|
||||
/etc/apt/apt.conf.d/{,*} r,
|
||||
|
|
|
|||
|
|
@ -38,12 +38,14 @@
|
|||
pivot_root oldroot=/newroot/ /newroot/,
|
||||
pivot_root oldroot=/tmp/oldroot/ /tmp/,
|
||||
|
||||
owner / r,
|
||||
owner /newroot/{,**} w,
|
||||
|
||||
owner /tmp/newroot/ w,
|
||||
owner /tmp/oldroot/ w,
|
||||
|
||||
@{att}/ r,
|
||||
@{att}/@{run}/.userns r,
|
||||
|
||||
@{PROC}/sys/kernel/overflowgid r,
|
||||
@{PROC}/sys/kernel/overflowuid r,
|
||||
@{PROC}/sys/user/max_user_namespaces r,
|
||||
|
|
|
|||
|
|
@ -4,7 +4,13 @@
|
|||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# This abstraction is for chromium based application. Chromium based browsers
|
||||
# need to use abstractions/chromium instead.
|
||||
# need to use abstractions/app/chromium instead.
|
||||
|
||||
# It works as a *function* and requires a variable to be provided as *arguments*
|
||||
# and set in the header of the calling profile. Example:
|
||||
#
|
||||
# @{domain} = org.chromium.Chromium
|
||||
#
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
|
|
@ -22,19 +28,24 @@
|
|||
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
|
||||
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
|
||||
|
||||
owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw,
|
||||
owner @{user_share_dirs}/.@{domain}.@{rand6} rw,
|
||||
|
||||
/tmp/ r,
|
||||
/var/tmp/ r,
|
||||
owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
|
||||
owner @{tmp}/.org.chromium.Chromium.@{rand6}/{,**} rw,
|
||||
owner @{tmp}/.@{domain}.@{rand6} rw,
|
||||
owner @{tmp}/.@{domain}.@{rand6}/ rw,
|
||||
owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie w,
|
||||
owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket w,
|
||||
owner @{tmp}/scoped_dir@{rand6}/ rw,
|
||||
owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w,
|
||||
owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w,
|
||||
owner @{tmp}/scoped_dir@{rand6}/SS w,
|
||||
|
||||
/dev/shm/ r,
|
||||
owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
|
||||
owner /dev/shm/.@{domain}.@{rand6} rw,
|
||||
|
||||
@{sys}/devices/system/cpu/kernel_max r,
|
||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||
@{sys}/devices/virtual/tty/tty@{int}/active r,
|
||||
|
||||
# If kernel.unprivileged_userns_clone = 1
|
||||
owner @{PROC}/@{pid}/setgroups w,
|
||||
|
|
|
|||
|
|
@ -7,27 +7,22 @@
|
|||
# in the header of the calling profile. Example:
|
||||
#
|
||||
# @{name} = spotify
|
||||
# @{lib_dirs} = /opt/@{name}
|
||||
# @{domain} = org.chromium.chromium
|
||||
# @{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/
|
||||
# @{config_dirs} = @{user_config_dirs}/@{name}
|
||||
# @{cache_dirs} = @{user_cache_dirs}/@{name}
|
||||
#
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/common/chromium>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/ssl_certs>
|
||||
|
||||
userns,
|
||||
|
||||
capability setgid, # If kernel.unprivileged_userns_clone = 1
|
||||
capability setuid, # If kernel.unprivileged_userns_clone = 1
|
||||
capability sys_admin,
|
||||
capability sys_chroot,
|
||||
capability sys_ptrace,
|
||||
|
||||
@{bin}/electron rix,
|
||||
@{bin}/electron@{int} rix,
|
||||
@{lib}/electron@{int}/{,**} r,
|
||||
|
|
@ -47,31 +42,14 @@
|
|||
owner @{cache_dirs}/ rw,
|
||||
owner @{cache_dirs}/** rwlk -> @{cache_dirs}/**,
|
||||
|
||||
owner @{HOME}/.pki/ rw,
|
||||
owner @{HOME}/.pki/nssdb/ rw,
|
||||
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
|
||||
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
|
||||
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
|
||||
|
||||
owner @{user_config_dirs}/electron-flags.conf r,
|
||||
owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw,
|
||||
|
||||
owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
|
||||
owner @{tmp}/.org.chromium.Chromium.@{rand6}/ rw,
|
||||
owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonCookie w,
|
||||
owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonSocket w,
|
||||
owner @{tmp}/scoped_dir@{rand6}/ rw,
|
||||
owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w,
|
||||
owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w,
|
||||
owner @{tmp}/scoped_dir@{rand6}/SS w,
|
||||
|
||||
/dev/shm/ r,
|
||||
owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
|
||||
|
||||
@{sys}/devices/system/cpu/kernel_max r,
|
||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||
@{sys}/devices/virtual/tty/tty@{int}/active r,
|
||||
@{sys}/fs/cgroup/user.slice/cpu.max r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
|
||||
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pid}/stat r,
|
||||
|
|
@ -81,15 +59,12 @@
|
|||
owner @{PROC}/@{pid}/cgroup r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/oom_score_adj rw,
|
||||
owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
owner @{PROC}/@{pid}/statm r,
|
||||
owner @{PROC}/@{pid}/task/ r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
|
||||
|
||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||
|
||||
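Review bot: The example in the new header, `# @{domain} = org.chromium.chromium`, disagrees with the one in `abstractions/common/chromium` (`# @{domain} = org.chromium.Chromium`), and the variable is substituted into case-sensitive paths such as `@{tmp}/.@{domain}.@{rand6}`; the lines this hunk removes show the real directory is `.org.chromium.Chromium.@{rand6}` with a capital C, so an electron profile that copies the lowercase example would silently fail to match. Change the example to `# @{domain} = org.chromium.Chromium`. Since `common/chromium` states that `@{domain}` must be provided by the includer, the header here should also say the variable is mandatory rather than just illustrative.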
|
|
|
|||
|
|
@ -9,6 +9,8 @@
|
|||
include <abstractions/bus-accessibility>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
||||
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/graphics>
|
||||
|
|
|
|||
|
|
@ -9,10 +9,15 @@
|
|||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/desktop-files>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gschemas>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/icons>
|
||||
include <abstractions/mime>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/recently-used>
|
||||
include <abstractions/user-dirs>
|
||||
include <abstractions/wayland>
|
||||
include <abstractions/X-strict>
|
||||
include <abstractions/xdg-desktop>
|
||||
|
|
@ -24,16 +29,11 @@
|
|||
member=Introspect
|
||||
peer=(name=@{busname}, label=gnome-shell),
|
||||
|
||||
/usr/{local/,}share/ r,
|
||||
/usr/{local/,}share/glib-@{version}/schemas/** r,
|
||||
/usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r,
|
||||
@{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r,
|
||||
|
||||
/etc/gnome/* r,
|
||||
/etc/xdg/{,*-}mimeapps.list r,
|
||||
|
||||
/var/cache/gio-@{version}/gnome-mimeapps.list r,
|
||||
|
||||
/ r, # deny?
|
||||
/ r,
|
||||
|
||||
owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
|
||||
|
||||
|
|
@ -63,6 +63,9 @@
|
|||
owner @{user_config_dirs}/kdedefaults/kwinrc r,
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/kwinrc r,
|
||||
owner @{user_config_dirs}/session/ rw,
|
||||
owner @{user_config_dirs}/session/@{profile_name}* rwlk,
|
||||
owner @{user_config_dirs}/session/#@{int} rw,
|
||||
owner @{user_config_dirs}/trashrc r,
|
||||
|
||||
# else if @{DE} == xfce
|
||||
|
|
@ -75,7 +78,7 @@
|
|||
# end
|
||||
|
||||
/usr/share/desktop-base/{,**} r,
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/hwdata/*.ids r, # FIXME: a bit too wide
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
|
||||
include if exists <abstractions/desktop.d>
|
||||
|
|
|
|||
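--- a/apparmor.d/abstractions/desktop-files
+++ b/apparmor.d/abstractions/desktop-files
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2009 Canonical Ltd.
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+@{system_share_dirs}/applications/{,**} r,
+@{system_share_dirs}/*ubuntu/applications/{,**} r,
+@{system_share_dirs}/gnome/applications/{,**} r,
+@{system_share_dirs}/xfce4/applications/{,**} r,
+
+/etc/gnome/defaults.list r,
+/etc/xfce4/defaults.list r,
+/etc/xdg/menus/ r,
+/etc/xdg/menus/applications-merged/{,**} r,
+
+/var/lib/snapd/desktop/applications/{,**} r,
+
+owner @{user_share_dirs}/applications/{,**} r,
+
+owner @{user_config_dirs}/menus/ r,
+owner @{user_config_dirs}/menus/applications-merged/{,**} r,
+
+include if exists <abstractions/desktop-files.d>
+
+# vim:syntax=apparmor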
|
|
@ -20,9 +20,9 @@
|
|||
@{sys}/devices/**/usb@{int}/{,**} r,
|
||||
|
||||
# Udev data about usb devices (~equal to content of lsusb -v)
|
||||
@{run}/udev/data/+usb:* r,
|
||||
@{run}/udev/data/c16[6,7]:@{int} r, # USB modems
|
||||
@{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
|
||||
@{run}/udev/data/+usb:* r, # Identifies all USB devices
|
||||
@{run}/udev/data/c16[6,7]:@{int} r, # USB modems
|
||||
@{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
|
||||
|
||||
include if exists <abstractions/devices-usb-read.d>
|
||||
|
||||
|
|
|
|||
|
|
@ -101,13 +101,13 @@
|
|||
@{run}/udev/data/b43:@{int} r, # for /dev/nbd*
|
||||
@{run}/udev/data/b179:@{int} r, # for /dev/mmcblk*
|
||||
@{run}/udev/data/b230:@{int} r, # for /dev/zvol*
|
||||
@{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254
|
||||
@{run}/udev/data/b25[0-4]:@{int} r,
|
||||
@{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240
|
||||
@{run}/udev/data/b25[0-4]:@{int} r, # to 254
|
||||
@{run}/udev/data/b259:@{int} r, # Block Extended Major
|
||||
|
||||
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
|
||||
|
||||
@{run}/udev/data/+usb:* r, # for disk over usb hub
|
||||
@{run}/udev/data/+usb:* r, # Identifies all USB devices
|
||||
|
||||
include if exists <abstractions/disks-read.d>
|
||||
|
||||
|
|
|
|||
|
|
@ -23,4 +23,9 @@
|
|||
|
||||
owner @{HOME}/.icons/{,**} r,
|
||||
|
||||
owner @{user_share_dirs}/#@{int} rw,
|
||||
owner @{user_share_dirs}/recently-used.xbel rw,
|
||||
owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl,
|
||||
owner @{user_share_dirs}/recently-used.xbel.lock rwk,
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
|
|||
|
|
@ -22,9 +22,15 @@
|
|||
@{PROC}/stat r,
|
||||
|
||||
# Glibc's *printf protections read the maps file
|
||||
@{PROC}/@{pid}/auxv r,
|
||||
@{PROC}/@{pid}/maps r,
|
||||
@{PROC}/@{pid}/status r,
|
||||
owner @{PROC}/@{pid}/auxv r,
|
||||
owner @{PROC}/@{pid}/maps r,
|
||||
owner @{PROC}/@{pid}/status r,
|
||||
|
||||
# @{PROC}/@{pid}/map_files/ contains the same info than @{PROC}/@{pid}/maps,
|
||||
# but in a format that is simpler to manage, because it doesn't require to
|
||||
# parse the text data inside a file, but just reading the contents of
|
||||
# a directory.
|
||||
owner @{PROC}/@{pid}/map_files/ r,
|
||||
|
||||
# Glibc statvfs
|
||||
@{PROC}/filesystems r,
|
||||
|
|
|
|||
|
|
@ -4,9 +4,15 @@
|
|||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/desktop-files>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gschemas>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/icons>
|
||||
include <abstractions/mime>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/recently-used>
|
||||
include <abstractions/user-dirs>
|
||||
include <abstractions/wayland>
|
||||
include <abstractions/X-strict>
|
||||
include <abstractions/xdg-desktop>
|
||||
|
|
@ -20,14 +26,9 @@
|
|||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
|
||||
/usr/{local/,}share/ r,
|
||||
/usr/{local/,}share/glib-@{int}.@{int}/schemas/** r,
|
||||
/usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r,
|
||||
@{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r,
|
||||
|
||||
/etc/gnome/* r,
|
||||
/etc/xdg/{,*-}mimeapps.list r,
|
||||
|
||||
/var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
|
||||
|
||||
/ r,
|
||||
|
||||
|
|
|
|||
|
|
@ -14,6 +14,7 @@
|
|||
|
||||
@{sys}/bus/pci/devices/ r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/* r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/cpu_capacity r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/online r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/topology/* r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/* r,
|
||||
|
|
|
|||
|
|
@ -4,7 +4,13 @@
|
|||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/amdgpu>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/oneapi>
|
||||
|
||||
@{sys}/devices/@{pci}/numa_node r,
|
||||
|
||||
@{PROC}/devices r,
|
||||
|
||||
/dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511
|
||||
/dev/nvidia-uvm rw,
|
||||
|
|
|
|||
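--- a/apparmor.d/abstractions/gschemas
+++ b/apparmor.d/abstractions/gschemas
@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2009 Canonical Ltd.
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+@{system_share_dirs}/ r,
+@{system_share_dirs}/glib-2.0/schemas/ r,
+@{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r,
+
+include if exists <abstractions/gschemas.d>
+
+# vim:syntax=apparmor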
|
|
@ -36,7 +36,7 @@
|
|||
#owner @{HOME}/orcexec.* mrw,
|
||||
|
||||
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
|
||||
@{run}/udev/data/+usb:* r, # For /dev/bus/usb/**
|
||||
@{run}/udev/data/+usb:* r, # Identifies all USB devices
|
||||
|
||||
@{run}/udev/data/c81:@{int} r, # For video4linux
|
||||
@{run}/udev/data/c189:@{int} r, # For USB serial converters
|
||||
|
|
|
|||
|
|
@ -2,23 +2,8 @@
|
|||
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.gtk.Actions
|
||||
member={Activate,DescribeAll,SetState}
|
||||
peer=(name=@{busname}),
|
||||
|
||||
dbus send bus=session
|
||||
interface=org.gtk.Actions
|
||||
member=Changed,
|
||||
|
||||
dbus send bus=session path=/org/gtk/Settings
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=@{busname}, label=gsd-xsettings),
|
||||
dbus receive bus=session path=/org/gtk/Settings
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged
|
||||
peer=(name=@{busname}, label=gsd-xsettings),
|
||||
include <abstractions/bus/session/org.gtk.Actions>
|
||||
include <abstractions/bus/session/org.gtk.Settings>
|
||||
|
||||
@{lib}/{,@{multiarch}/}gtk*/** mr,
|
||||
|
||||
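Review bot: The inline rules removed here pinned the org.gtk.Settings GetAll/PropertiesChanged traffic to `peer=(name=@{busname}, label=gsd-xsettings)`, whereas the new `include <abstractions/bus/session/org.gtk.Settings>` delegates that peer constraint to a file not visible in this diff. Confirm the shared abstraction keeps the `label=gsd-xsettings` restriction; otherwise every profile that includes this abstraction gains session-bus Settings access to any peer. A short comment above the include, e.g. `# the org.gtk.Settings abstraction restricts the peer to gsd-xsettings`, would record that expectation.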
|
|
|
|||
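--- a/apparmor.d/abstractions/icons
+++ b/apparmor.d/abstractions/icons
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2009 Canonical Ltd.
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+@{system_share_dirs}/icons/{,**} r,
+@{system_share_dirs}/pixmaps/{,**} r,
+
+/opt/**/share/icons/{,**} r,
+/opt/*/**.desktop r,
+/opt/*/**/*.png r,
+
+/var/lib/snapd/desktop/icons/{,**} r,
+
+owner @{HOME}/.icons/{,**} r,
+
+owner @{user_share_dirs}/icons/{,**} r,
+
+include if exists <abstractions/icons.d>
+
+# vim:syntax=apparmor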
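--- a/apparmor.d/abstractions/java
+++ b/apparmor.d/abstractions/java
@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+/usr/share/java/{,**} r,
+
+/etc/java/{,**} r,
+/etc/java-*/{,**} r,
+
+include if exists <abstractions/java.d>
+
+# vim:syntax=apparmor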
|
|
@ -4,10 +4,15 @@
|
|||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/desktop-files>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gschemas>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/icons>
|
||||
include <abstractions/mime>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/recently-used>
|
||||
include <abstractions/user-dirs>
|
||||
include <abstractions/wayland>
|
||||
include <abstractions/X-strict>
|
||||
include <abstractions/xdg-desktop>
|
||||
|
|
@ -20,6 +25,7 @@
|
|||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/knotifications{5,6}/*.notifyrc r,
|
||||
/usr/share/kubuntu-default-settings/{,**} r, #aa:only ubuntu
|
||||
|
||||
/etc/xdg/baloofilerc r,
|
||||
/etc/xdg/kcminputrc r,
|
||||
|
|
@ -39,6 +45,9 @@
|
|||
owner @{user_config_dirs}/kdedefaults/kwinrc r,
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/kwinrc r,
|
||||
owner @{user_config_dirs}/session/ rw,
|
||||
owner @{user_config_dirs}/session/*_@{hex}_@{int}_@{int} rwlk,
|
||||
owner @{user_config_dirs}/session/#@{int} rw,
|
||||
owner @{user_config_dirs}/trashrc r,
|
||||
|
||||
owner @{user_share_dirs}/#@{int} rw,
|
||||
|
|
|
|||
|
|
@ -42,4 +42,6 @@
|
|||
|
||||
@{PROC}/sys/dev/xe/observation_paranoid r,
|
||||
|
||||
/dev/udmabuf rw, # In upstream, but not released yet
|
||||
|
||||
# vim:syntax=apparmor
|
||||
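Review bot: The comment on `/dev/udmabuf rw, # In upstream, but not released yet` does not say which upstream is meant or when the line can go, so nobody will know when to retire it. Spell out the source and the removal condition, e.g. `# From the upstream apparmor abstraction; not in a released apparmor package yet, drop once the packaged abstraction carries it`. udmabuf exposes dma-buf creation to user space, so a word on which workload needs read/write on it would also help a later reviewer judge the grant. The enclosing file's header is outside this hunk.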
|
|
|
|||
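--- a/apparmor.d/abstractions/mime
+++ b/apparmor.d/abstractions/mime
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2009 Canonical Ltd.
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+@{system_share_dirs}/ r,
+@{system_share_dirs}/mime/{,**} r,
+
+/etc/mime.types r,
+/etc/xdg/{,*-}mimeapps.list r,
+
+/var/cache/gio-@{version}/{,*-}-mimeapps.list r,
+
+owner @{user_config_dirs}/mimeapps.list r,
+
+owner @{user_share_dirs}/mime/{,**} r,
+
+include if exists <abstractions/mime.d>
+
+# vim:syntax=apparmor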
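Review bot: `/var/cache/gio-@{version}/{,*-}-mimeapps.list r,` has a stray hyphen after the alternation, so it expands to `-mimeapps.list` and `*--mimeapps.list` and never matches `gnome-mimeapps.list` or a bare `mimeapps.list`; compare `/etc/xdg/{,*-}mimeapps.list r,` a few lines above. The intended rule is `/var/cache/gio-@{version}/{,*-}mimeapps.list r,`. Also confirm `@{version}` is defined in the tunables, since the other gio cache rule in this commit spells the directory as `gio-@{int}.@{int}`.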
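--- a/apparmor.d/abstractions/notifications
+++ b/apparmor.d/abstractions/notifications
@@ -0,0 +1,12 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <abstractions/bus/session/org.freedesktop.Notifications>
+include <abstractions/bus/session/org.gtk.Notifications>
+
+include if exists <abstractions/notifications.d>
+
+# vim:syntax=apparmor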
|
|
@ -35,7 +35,7 @@
|
|||
owner @{PROC}/@{pid}/comm r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm r,
|
||||
|
||||
/dev/char/195:@{int} w, # Nvidia graphics devices
|
||||
/dev/char/195:@{u8} w, # Nvidia graphics devices
|
||||
/dev/nvidia-modeset rw,
|
||||
/dev/nvidia@{int} rw,
|
||||
/dev/nvidiactl rw,
|
||||
|
|
|
|||
|
|
@ -8,6 +8,6 @@
|
|||
|
||||
/etc/nvidia/nvidia-application-profiles* r,
|
||||
|
||||
/dev/char/195:@{int} rw, # Nvidia graphics devices
|
||||
/dev/char/195:@{u8} rw, # Nvidia graphics devices
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
|
|||
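--- a/apparmor.d/abstractions/oneapi
+++ b/apparmor.d/abstractions/oneapi
@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Intel oneAPI compiler libraries
+
+abi <abi/4.0>,
+
+/opt/intel/oneapi/{compiler,lib,mkl}/**/ r,
+/opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr,
+
+include if exists <abstractions/oneapi.d>
+
+# vim:syntax=apparmor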
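--- a/apparmor.d/abstractions/recently-used
+++ b/apparmor.d/abstractions/recently-used
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2009 Canonical Ltd.
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+owner @{HOME}/.recently-used.xbel rw,
+owner @{HOME}/.recently-used.xbel.@{rand6} rwl,
+owner @{HOME}/.recently-used.xbel.lock rwk,
+
+owner @{user_share_dirs}/#@{int} rw,
+owner @{user_share_dirs}/recently-used.xbel rw,
+owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl,
+owner @{user_share_dirs}/recently-used.xbel.lock rwk,
+
+include if exists <abstractions/recently-used.d>
+
+# vim:syntax=apparmor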
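--- a/apparmor.d/abstractions/screensaver
+++ b/apparmor.d/abstractions/screensaver
@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow checking status, activating and locking the screensaver
+
+abi <abi/4.0>,
+
+include if exists <abstractions/bus/session/org.freedesktop.ScreenSaver>
+include if exists <abstractions/bus/session/org.gnome.ScreenSaver>
+
+include if exists <abstractions/screensaver.d>
+
+# vim:syntax=apparmor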
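--- a/apparmor.d/abstractions/sqlite
+++ b/apparmor.d/abstractions/sqlite
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# SQlite temporary files (hexadecimal from 12 to 16 characters)
+
+abi <abi/4.0>,
+
+owner /var/tmp/etilqs_@{hex12} rw,
+owner /var/tmp/etilqs_@{hex12}@{h} rw,
+owner /var/tmp/etilqs_@{hex12}@{hex2} rw,
+owner /var/tmp/etilqs_@{hex15} rw,
+owner /var/tmp/etilqs_@{hex16} rw,
+
+owner @{tmp}/etilqs_@{hex12} rw,
+owner @{tmp}/etilqs_@{hex12}@{h} rw,
+owner @{tmp}/etilqs_@{hex12}@{hex2} rw,
+owner @{tmp}/etilqs_@{hex15} rw,
+owner @{tmp}/etilqs_@{hex16} rw,
+
+include if exists <abstractions/sqlite.d>
+
+# vim:syntax=apparmor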
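--- a/apparmor.d/abstractions/user-dirs
+++ b/apparmor.d/abstractions/user-dirs
@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+/etc/xdg/user-dirs.conf r,
+/etc/xdg/user-dirs.defaults r,
+
+owner @{user_config_dirs}/user-dirs.dirs r,
+
+include if exists <abstractions/user-dirs.d>
+
+# vim:syntax=apparmor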
|
|
@ -187,7 +187,8 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) {
|
|||
owner @{run}/*/** rw,
|
||||
|
||||
@{run}/udev/**/ r,
|
||||
@{run}/udev/data/* r,
|
||||
@{run}/udev/data/+*:* r, # Identifies all subsystems
|
||||
@{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
|
||||
|
||||
@{sys}/** r,
|
||||
@{sys}/fs/bpf/systemd/{,**} w,
|
||||
|
|
|
|||
|
|
@ -168,14 +168,13 @@ profile systemd flags=(attach_disconnected,mediate_deleted,complain) {
|
|||
@{run}/credentials/{,**} rw,
|
||||
@{run}/systemd/{,**} rw,
|
||||
|
||||
@{run}/udev/data/+module:configfs r,
|
||||
@{run}/udev/data/+module:fuse r,
|
||||
@{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev
|
||||
@{run}/udev/data/c4:@{int} r, # For TTY devices
|
||||
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
|
||||
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
|
||||
@{run}/udev/data/c116:@{int} r, # For ALSA
|
||||
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
|
||||
@{run}/udev/data/n@{int} r,
|
||||
@{run}/udev/data/n@{int} r, # For network interfaces
|
||||
@{run}/udev/tags/systemd/ r,
|
||||
|
||||
@{sys}/**/uevent r,
|
||||
|
|
|
|||
|
|
@ -59,14 +59,13 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) {
|
|||
@{run}/systemd/notify w,
|
||||
@{run}/systemd/oom/io.systemd.ManagedOOM rw,
|
||||
|
||||
@{run}/udev/data/+module:configfs r,
|
||||
@{run}/udev/data/+module:fuse r,
|
||||
@{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev
|
||||
@{run}/udev/data/c4:@{int} r, # For TTY devices
|
||||
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
|
||||
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
|
||||
@{run}/udev/data/c116:@{int} r, # for ALSA
|
||||
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
|
||||
@{run}/udev/data/n@{int} r,
|
||||
@{run}/udev/data/n@{int} r, # For network interfaces
|
||||
@{run}/udev/tags/systemd/ r,
|
||||
|
||||
@{sys}/devices/virtual/dmi/id/bios_vendor r,
|
||||
|
|
|
|||
|
|
@ -31,7 +31,7 @@ profile aa-enforce @{exec_path} {
|
|||
owner /var/lib/snapd/apparmor/{,**} rw,
|
||||
|
||||
owner @{tmp}/@{rand8} rw,
|
||||
owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
|
||||
owner @{tmp}/apparmor-bugreport-@{word8}.txt rw,
|
||||
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
|
||||
|
|
|
|||
|
|
@ -45,7 +45,7 @@ profile aa-notify @{exec_path} {
|
|||
owner @{HOME}/.terminfo/@{int}/dumb r,
|
||||
|
||||
owner @{tmp}/@{word8} rw,
|
||||
owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
|
||||
owner @{tmp}/apparmor-bugreport-@{word8}.txt rw,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pid}/stat r,
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@ profile aa-unconfined @{exec_path} flags=(attach_disconnected) {
|
|||
@{etc_ro}/inputrc r,
|
||||
|
||||
owner @{tmp}/@{rand8} rw,
|
||||
owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
|
||||
owner @{tmp}/apparmor-bugreport-@{word8}.txt rw,
|
||||
owner /var/tmp/@{rand8} rw,
|
||||
|
||||
@{PROC}/ r,
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ profile apparmor.systemd @{exec_path} {
|
|||
@{bin}/sed rix,
|
||||
@{bin}/cat rix,
|
||||
@{bin}/sort rix,
|
||||
@{sbin}/sysctl rix,
|
||||
@{sbin}/sysctl rCx -> sysctl,
|
||||
@{bin}/systemd-detect-virt rPx,
|
||||
@{bin}/xargs rix,
|
||||
|
||||
|
|
@ -43,10 +43,19 @@ profile apparmor.systemd @{exec_path} {
|
|||
@{PROC}/@{pids}/maps r,
|
||||
@{PROC}/@{pids}/mounts r,
|
||||
@{PROC}/mounts r,
|
||||
@{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r,
|
||||
|
||||
/dev/tty rw,
|
||||
|
||||
profile sysctl {
|
||||
include <abstractions/base>
|
||||
|
||||
@{sbin}/sysctl mr,
|
||||
|
||||
@{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r,
|
||||
|
||||
include if exists <local/apparmor.systemd_sysctl>
|
||||
}
|
||||
|
||||
include if exists <local/apparmor.systemd>
|
||||
}
|
||||
|
||||
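Review bot: The new `sysctl` child profile inherits the parent's open file descriptors on the `rCx` transition, yet it has no rule for `/dev/tty`, which the parent allows `rw` a few lines above; expect a file_inherit denial on the terminal unless `/dev/tty rw,` (or an explicit `deny /dev/tty rw,`) is added inside `profile sysctl`. With sysctl confined on its own, the parent's copy of `@{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r,` looks redundant unless the shell reads that file directly — worth checking rather than keeping both. A one-line comment above the child, e.g. `# sysctl runs in its own child profile; it only needs to read apparmor_restrict_unprivileged_userns`, would explain the split. The parent profile starts outside this hunk.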
|
|
|
|||
|
|
@ -6,7 +6,7 @@ abi <abi/4.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib}
|
||||
@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib}
|
||||
|
||||
@{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser
|
||||
profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
|
||||
|
|
@ -46,7 +46,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
deny network netlink raw, # file_inherit
|
||||
deny /apparmor/.null rw,
|
||||
/opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad?
|
||||
|
||||
include if exists <local/apparmor_parser>
|
||||
}
|
||||
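Review bot: `/opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad?` carries a comment that vents instead of explaining, and the fact it hides matters: apparmor_parser is being allowed to read a profile that a third-party package ships under `/opt`, so a vendor directory becomes a policy source. Replace it with something a reader can act on, e.g. `# Mullvad ships its own profile under /opt and loads it through apparmor_parser at install time — TODO confirm`. The hunk does not mark which of the two changed lines is old and which is new, so this assumes the Mullvad line is on the new side; the profile body starts outside this hunk.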
|
|
|
|||
|
|
@ -30,7 +30,6 @@ profile apt-overlay @{exec_path} {
|
|||
/root/ r,
|
||||
|
||||
owner @{PROC}/@{pids}/loginuid r,
|
||||
owner @{PROC}/@{pids}/maps r,
|
||||
|
||||
include if exists <local/apt-overlay>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ profile debconf-frontend @{exec_path} flags=(complain) {
|
|||
@{bin}/stty ix,
|
||||
@{sbin}/update-secureboot-policy Px,
|
||||
|
||||
# debconf apps
|
||||
# Debconf apps
|
||||
@{bin}/adequate Px,
|
||||
@{bin}/debconf-apt-progress Px,
|
||||
@{bin}/linux-check-removal Px,
|
||||
|
|
@ -49,6 +49,8 @@ profile debconf-frontend @{exec_path} flags=(complain) {
|
|||
@{lib}/dkms/dkms-* rPUx,
|
||||
@{lib}/dkms/dkms_* rPUx,
|
||||
|
||||
/etc/libpaper.d/texlive-base rPUx,
|
||||
|
||||
/usr/share/debconf/{,**} r,
|
||||
|
||||
/etc/inputrc r,
|
||||
|
|
|
|||
|
|
@ -11,6 +11,8 @@ profile dpkg-script-linux @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/common/debconf>
|
||||
|
||||
capability dac_read_search,
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
@{bin}/cat ix,
|
||||
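Review bot: `capability dac_read_search,` is added without a comment saying which access forces it, and it lifts read and search DAC checks for everything the profile touches rather than for one path. Document the trigger so the grant can be revisited, e.g. `capability dac_read_search, # Needed to read <PATH-FROM-THE-DENIAL-LOG> — TODO confirm`, and check the audit entry that motivated it to make sure it was a real denial on a path this profile needs. The profile header sits outside this hunk.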
|
|
|
|||
|
|
@ -48,6 +48,7 @@ profile dpkg-scripts @{exec_path} {
|
|||
@{sbin}/ldconfig.real Cx -> ldconfig,
|
||||
@{sbin}/update-rc.d Cx -> rc,
|
||||
|
||||
#aa:lint ignore=too-wide
|
||||
# Maintainer scripts can legitimately start/restart anything
|
||||
# PU is only used as a safety fallback.
|
||||
@{bin}/** PUx,
|
||||
|
|
@ -75,6 +76,7 @@ profile dpkg-scripts @{exec_path} {
|
|||
@{run}/** rw,
|
||||
@{efi}/grub/* rw,
|
||||
|
||||
/tmp/fmtutil.@{rand8} rw,
|
||||
/tmp/grub.@{rand10} rw,
|
||||
/tmp/sed@{rand6} rw,
|
||||
/tmp/tmp.@{rand10} rw,
|
||||
|
|
@ -167,6 +169,7 @@ profile dpkg-scripts @{exec_path} {
|
|||
/usr/local/ r,
|
||||
/usr/local/lib/ r,
|
||||
|
||||
/var/cache/ldconfig/ rw,
|
||||
owner /var/cache/ldconfig/aux-cache* rw,
|
||||
|
||||
include if exists <local/dpkg-scripts_ldconfig>
|
||||
|
|
|
|||
|
|
@ -61,8 +61,8 @@ profile reportbug @{exec_path} {
|
|||
|
||||
/usr/share/bug/*/{control,presubj} r,
|
||||
|
||||
#aa:lint ignore=too-wide
|
||||
/etc/** r,
|
||||
/etc/reportbug.conf r,
|
||||
|
||||
owner @{HOME}/ r, # For shell pwd
|
||||
owner @{HOME}/.reportbugrc{,~} rw,
|
||||
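Review bot: `#aa:lint ignore=too-wide` above `/etc/** r,` silences the linter but records no reason, and reportbug is routinely run as root to attach configuration files, so the rule really does cover everything under /etc, including `/etc/shadow` and keys under `/etc/ssl/private/`. State the purpose in a comment next to the marker (`# reportbug attaches arbitrary configuration files from /etc to bug reports`) and consider explicit `deny /etc/{shadow,gshadow} r,` and `deny /etc/ssl/private/** r,` ahead of it, since deny rules take precedence in AppArmor. The line counts suggest `/etc/reportbug.conf r,` is the line being dropped as redundant, which is fine.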
|
|
|
|||
|
|
@ -52,9 +52,11 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/touch ix,
|
||||
@{bin}/uname ix,
|
||||
|
||||
@{bin}/dpkg-deb px,
|
||||
@{bin}/apt-listchanges Px,
|
||||
@{bin}/df Px,
|
||||
@{bin}/dmesg Px,
|
||||
@{bin}/dpkg Px,
|
||||
@{bin}/dpkg-deb px,
|
||||
@{bin}/dpkg-divert Px,
|
||||
@{bin}/etckeeper Px,
|
||||
@{bin}/ischroot Px,
|
||||
|
|
@ -90,7 +92,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/pki/fwupd/{,**} r,
|
||||
/etc/profile.d/* r,
|
||||
/etc/ssh/moduli r,
|
||||
/etc/ssh/ssh_config r,
|
||||
@{etc_ro}/ssh/sshd_config r,
|
||||
@{etc_ro}/ssh/sshd_config.d/{,*} r,
|
||||
/etc/ufw/{,**} r,
|
||||
/etc/update-manager/{,**} r,
|
||||
/etc/update-motd.d/{,**} r,
|
||||
|
|
@ -98,7 +101,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/vmware-tools/{,**} r,
|
||||
|
||||
/var/log/unattended-upgrades/{,**} rw,
|
||||
/var/crash/*.crash w,
|
||||
/var/crash/*.crash rw,
|
||||
|
||||
/var/lib/apt/periodic/unattended-upgrades-stamp w,
|
||||
/var/lib/dpkg/info/{,*} r,
|
||||
|
|
@ -112,8 +115,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/apt/lists/ rw,
|
||||
/var/lib/apt/lists/partial/ rw,
|
||||
/var/lib/apt/periodic/ w,
|
||||
/var/log/apt/{term,history}.log w,
|
||||
/var/log/apt/eipp.log.xz w,
|
||||
/var/log/apt/*.log* rw,
|
||||
|
||||
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
|
||||
owner @{run}/unattended-upgrades.lock rwk,
|
||||
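Review bot: `/var/log/apt/*.log* rw,` appears to replace two write-only rules (`/var/log/apt/{term,history}.log w,` and `/var/log/apt/eipp.log.xz w,`) and is broader on two axes: it adds read, and the trailing `*` also matches rotated archives such as `history.log.1.gz`. An unattended updater that only needs to append should not hold read-write over the whole apt log history; keeping `/var/log/apt/{term,history}.log w,` plus `/var/log/apt/eipp.log.xz w,`, or at most `/var/log/apt/*.log{,.xz} w,`, preserves the log-integrity boundary. The hunk does not mark old and new sides, so confirm which lines survive before narrowing.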
|
|
|
|||
|
|
@ -11,6 +11,7 @@ include <tunables/global>
|
|||
profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/python>
|
||||
|
||||
|
|
|
|||
|
|
@ -46,7 +46,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/sdp rw,
|
||||
owner @{run}/systemd/notify w,
|
||||
|
||||
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
|
||||
@{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners)
|
||||
|
||||
@{sys}/devices/@{pci}/rfkill@{int}/name r,
|
||||
@{sys}/devices/@{pci}/**/{uevent,name} r,
|
||||
|
|
|
|||
|
|
@ -10,8 +10,9 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/bluetooth/obexd
|
||||
profile obexd @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/ca.desrt.dconf.Writer>
|
||||
include <abstractions/user-download-strict>
|
||||
|
||||
network bluetooth stream,
|
||||
|
|
@ -24,6 +25,11 @@ profile obexd @{exec_path} {
|
|||
member=Release
|
||||
peer=(name=:*, label="@{p_bluetoothd}"),
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=@{busname}, label=gnome-shell),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ profile brave @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/base>
|
||||
include <abstractions/app/chromium>
|
||||
|
||||
unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler),
|
||||
# unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler),
|
||||
|
||||
signal receive peer=brave//&brave-crashpad-handler,
|
||||
|
||||
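Review bot: Commenting out `unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler),` rather than deleting it leaves no trace of why the rule is no longer wanted — whether the socket is unused, the rule never matched, or it was disabled to work around a parser problem. Either remove the line or keep it with a reason, e.g. `# crashpad stream socket rule disabled: <reason> — TODO re-enable or drop`. If the handler still talks to the browser over that socket, the remaining `signal receive` rule alone will not cover it; the profile body continues outside this hunk.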
|
|
|
|||
|
|
@ -45,6 +45,7 @@ profile chromium-wrapper @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
# Silencer
|
||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||
deny @{user_share_dirs}/gnome-shell/session.gvdb rw,
|
||||
|
||||
include if exists <local/chromium-wrapper>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -21,6 +21,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
signal send set=(term, kill) peer=firefox//&keepassxc-proxy,
|
||||
|
||||
unix type=seqpacket addr=@gecko-crash-helper-pipe.@{int},
|
||||
unix type=seqpacket peer=(label=firefox-crashhelper),
|
||||
|
||||
#aa:dbus own bus=session name=org.mozilla.firefox
|
||||
#aa:dbus own bus=session name=org.mpris.MediaPlayer2.firefox path=/org/mpris/MediaPlayer2
|
||||
|
||||
|
|
@ -46,9 +49,10 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
@{open_path} rPx -> child-open,
|
||||
|
||||
# Common extensions
|
||||
@{bin}/browserpass rPx,
|
||||
@{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy,
|
||||
@{lib}/browserpass/browserpass-native rPx,
|
||||
/opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx,
|
||||
@{bin}/browserpass rPx,
|
||||
@{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy,
|
||||
|
||||
owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r,
|
||||
owner @{user_config_dirs}/ibus/bus/ r,
|
||||
|
|
@ -64,9 +68,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{tmp}/@{rand8}.* rw, # file downloads (to anywhere)
|
||||
owner @{tmp}/@{uuid}.zip{,.tmp} rw,
|
||||
owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk,
|
||||
owner @{tmp}/mozilla* rw,
|
||||
owner @{tmp}/mozilla*/ rw,
|
||||
owner @{tmp}/mozilla*/* rwk,
|
||||
owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-{@{hex15},@{hex16}} rwk,
|
||||
owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/.parentlock k,
|
||||
owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/{**,} rw,
|
||||
|
|
|
|||
|
|
@ -15,11 +15,16 @@ include <tunables/global>
|
|||
profile firefox-crashhelper @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
|
||||
unix type=seqpacket peer=(label=firefox),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner "@{config_dirs}/firefox/Crash Reports/" rw,
|
||||
owner "@{config_dirs}/firefox/Crash Reports/crash_helper_server.log" rw,
|
||||
|
||||
# file_inherit
|
||||
deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
|
||||
|
||||
include if exists <local/firefox-crashhelper>
|
||||
}
|
||||
|
||||
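Review bot: `unix type=seqpacket peer=(label=firefox),` constrains the peer only by label, while the firefox side in this same commit names the socket (`unix type=seqpacket addr=@gecko-crash-helper-pipe.@{int},`); if the helper is the connecting side, mirroring that name here, `unix type=seqpacket peer=(addr=@gecko-crash-helper-pipe.@{int}, label=firefox),`, ties the rule to the one socket the two sides share. The two `"@{config_dirs}/firefox/Crash Reports/..."` rules rely on `@{config_dirs}`, which the other profiles in this diff do not use (they use `@{user_config_dirs}`); confirm it is defined in the part of this file above the hunk. The file header sits outside this hunk.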
|
|
|
|||