feat(profiles): general update.
This commit is contained in:
parent
19331acaa9
commit
75ef5ef6ad
48 changed files with 205 additions and 141 deletions
|
|
@ -33,10 +33,13 @@ profile git @{exec_path} {
|
|||
# the most similar commands, which it thinks can be used instead. Git binaries are all under
|
||||
# /usr/bin/ , so allow only this location.
|
||||
@{bin}/ r,
|
||||
deny /{usr/,}sbin/ r,
|
||||
deny /usr/local/{s,}bin/ r,
|
||||
deny @{bin}/*/ r,
|
||||
deny /usr/games/ r,
|
||||
deny /usr/local/{s,}bin/ r,
|
||||
deny /usr/local/games/ r,
|
||||
deny /var/lib/flatpak/exports/bin/ r,
|
||||
deny owner @{HOME}/.go/bin/ r,
|
||||
deny owner @{user_bin_dirs}/ r,
|
||||
|
||||
# These are needed for "git submodule update"
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
|
@ -97,7 +100,7 @@ profile git @{exec_path} {
|
|||
owner /tmp/* rw,
|
||||
owner /tmp/tmp*/ rw, # For TWRP-device-tree-generator
|
||||
owner /tmp/tmp*/** rwkl -> /tmp/tmp*/**,
|
||||
owner /tmp/.git_vtag_tmp* rw, # For git log --show-signature
|
||||
owner /tmp/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
|
||||
owner /tmp/git-commit-msg-.txt rw, # For android studio
|
||||
|
||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||
|
|
@ -112,7 +115,7 @@ profile git @{exec_path} {
|
|||
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
|
||||
|
||||
owner /tmp/.git_vtag_tmp* r,
|
||||
owner /tmp/.git_vtag_tmp@{rand6} r,
|
||||
|
||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||
|
||||
|
|
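Review bot: `deny /usr/local/{s,}bin/ r,` appears twice in the first hunk of this profile (once near the top of the deny list and again after `deny /usr/games/ r,`); if both copies survive on the new side, one is redundant and should be dropped. Worth stating next to the list is that AppArmor `deny` rules are quiet by default, so reads of these directories will be blocked without an audit entry, which matches the stated intent of silencing git's command-suggestion lookups but also hides any genuine attempt to read them; a comment such as `# deny (quiet) so the lookups are not logged` makes that deliberate. The `profile git` block begins and ends outside all three hunks.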
|
|||
|
|
@ -35,6 +35,8 @@ profile hugo @{exec_path} {
|
|||
owner @{user_projects_dirs}/**/.hugo_build.lock rwk,
|
||||
owner @{user_projects_dirs}/**/go.{mod,sum} rwk,
|
||||
|
||||
owner @{user_cache_dirs}/hugo_cache/{,**} rwkl,
|
||||
|
||||
owner /tmp/hugo_cache/{,**} rwkl,
|
||||
owner /tmp/go-codehost-[0-9]* rw,
|
||||
|
||||
|
|
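Review bot: In `owner /tmp/go-codehost-[0-9]* rw,` the pattern is an AppArmor glob, not a regex, so `[0-9]*` matches a single digit followed by anything rather than a run of digits. If the suffix is numeric, `@{int}` (already used elsewhere in this commit as `#@{int}`) expresses that and keeps the rule from matching unrelated `/tmp/go-codehost-N...` names: `owner /tmp/go-codehost-@{int} rw,`. I cannot tell from the rendered page which two lines of this hunk are the additions; the `profile hugo` block extends outside the hunk.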
|
|||
|
|
@ -20,6 +20,7 @@ profile im-launch @{exec_path} {
|
|||
@{bin}/true rix,
|
||||
@{bin}/sed rix,
|
||||
@{bin}/dpkg-query rpx,
|
||||
@{bin}/uim-toolbar-gtk3 rPUx,
|
||||
|
||||
/usr/share/im-config/{,**} r,
|
||||
|
||||
|
|
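Review bot: `@{bin}/uim-toolbar-gtk3 rPUx,` (presumably the one addition in this hunk) falls back to running the toolbar unconfined whenever no profile for it is loaded, so the grant is only as tight as the presence of that profile. That fallback should be visible to whoever maintains the profile set, e.g. `@{bin}/uim-toolbar-gtk3 rPUx, # unconfined fallback until a uim-toolbar-gtk3 profile exists`. The `profile im-launch` block starts and ends outside the hunk.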
|
|||
|
|
@ -58,6 +58,12 @@ profile keepassxc @{exec_path} {
|
|||
owner @{HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rw,
|
||||
owner @{HOME}/@{XDG_SSH_DIR}/ r,
|
||||
owner @{HOME}/@{XDG_SSH_DIR}/* r,
|
||||
|
||||
owner @{user_password_store_dirs}/ r,
|
||||
owner @{user_password_store_dirs}/*.csv rw,
|
||||
owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#@{int},
|
||||
owner @{user_password_store_dirs}/#@{int} rw,
|
||||
|
||||
owner @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
|
||||
owner @{user_config_dirs}/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
|
||||
owner @{user_config_dirs}/google-chrome{,-beta,-unstable}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
|
||||
|
|
@ -68,10 +74,6 @@ profile keepassxc @{exec_path} {
|
|||
owner @{user_cache_dirs}/keepassxc/* rwkl -> @{user_cache_dirs}/keepassxc/#@{int},
|
||||
owner @{user_config_dirs}/keepassxc/ rw,
|
||||
owner @{user_config_dirs}/keepassxc/* rwkl -> @{user_config_dirs}/keepassxc/#@{int},
|
||||
owner @{user_password_store_dirs}/ r,
|
||||
owner @{user_password_store_dirs}/*.csv rw,
|
||||
owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#@{int},
|
||||
owner @{user_password_store_dirs}/#@{int} rw,
|
||||
|
||||
owner /tmp/.[a-zA-Z]*/{,s} rw,
|
||||
owner /tmp/*.*.gpgkey rwl -> /tmp/#@{int},
|
||||
|
|
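Review bot: The moved block's link rule `owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#@{int},` names a different variable on the target side than on the source side; unless `@{KP_DB}` is defined to cover the same directories as `@{user_password_store_dirs}`, the atomic-save temp file link will not match and database saves in those directories will be denied. If they are meant to be the same set, the target should read `-> @{user_password_store_dirs}/#@{int},` for consistency with the `keepassxc/#@{int}` rules in the second hunk. The two hunks appear to only relocate these four lines, and the `profile keepassxc` block extends outside both.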
|
|||
|
|
@ -21,6 +21,8 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
|
|||
capability sys_module,
|
||||
capability syslog,
|
||||
|
||||
network inet raw,
|
||||
|
||||
unix (receive) type=stream,
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
|
@ -43,7 +45,10 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/dkms/**/module/*.ko r,
|
||||
/var/lib/dpkg/triggers/* r,
|
||||
/var/lib/ebtables/lock r,
|
||||
/var/tmp/dracut.*/{,**} rw,
|
||||
|
||||
owner /var/tmp/*modules*/{,**} rw,
|
||||
owner /var/tmp/dracut.*/{,**} rw,
|
||||
|
||||
owner /boot/System.map-* r,
|
||||
owner /tmp/mkinitcpio.*/{,**} rw,
|
||||
|
||||
|
|
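Review bot: `network inet raw,` in the first hunk gives a module loader that already holds `capability sys_module` the ability to use raw IPv4 sockets, and nothing in the hunk says which invocation needs it; a comment naming the caller, e.g. `network inet raw, # <caller that hands kmod a raw socket>`, is the minimum a reader of this profile needs to judge whether the grant is still required. In the second hunk `/var/tmp/dracut.*/{,**} rw,` and `owner /var/tmp/dracut.*/{,**} rw,` both appear; if both are on the new side, the `owner` variant is fully covered by the unowned one and can go. The `profile kmod` block starts and ends outside both hunks.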
|
|||
|
|
@ -10,16 +10,20 @@ include <tunables/global>
|
|||
profile locale-gen @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/perl>
|
||||
|
||||
capability dac_read_search,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/{,ba}sh rix,
|
||||
@{bin}/cat rix,
|
||||
@{bin}/gzip rix,
|
||||
@{bin}/localedef rix,
|
||||
@{bin}/rm rix,
|
||||
@{bin}/sed rix,
|
||||
@{bin}/sort rix,
|
||||
|
||||
@{lib}/locale/locale-archive rwl,
|
||||
@{lib}/locale/locale-archive* rw,
|
||||
|
|
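Review bot: `capability dac_read_search,` lets locale-gen bypass directory read and search permission checks on every path the profile allows, and the hunk gives no reason for it; a comment naming the path that fails without it, e.g. `capability dac_read_search, # <path that needs it>`, would let a later reviewer remove it once that path changes. I cannot tell from the rendered page which four lines are the additions. `@{lib}/locale/locale-archive* rw,` already covers the read/write part of `@{lib}/locale/locale-archive rwl,`, so the first rule now only adds the `l` permission; a comment saying so would stop the pair from looking like a leftover.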
|
|||