feat(profiles): new definition for MOUNTs, add MOUNTDIRS.

Alexandre Pujol 2022-06-12 22:51:37 +01:00
parent 9493e783ce
commit 779853dc7f
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
62 changed files with 198 additions and 203 deletions


@ -19,8 +19,8 @@ profile s3fs @{exec_path} {
network inet6 stream,
network netlink raw,
mount fstype=fuse.s3fs -> @{MOUNTS}/,
mount fstype=fuse.s3fs -> @{MOUNTS}/*/,
mount fstype=fuse.s3fs -> @{MOUNTS}/*/*/,
@{exec_path} mr,
@ -31,8 +31,8 @@ profile s3fs @{exec_path} {
owner @{HOME}/.passwd-s3fs r,
owner @{MOUNTS}/ r,
owner @{MOUNTS}/*/ r,
owner @{MOUNTS}/*/*/ r,
owner /tmp/* rw,
/dev/fuse rw,
@ -50,14 +50,14 @@ profile s3fs @{exec_path} {
/etc/fuse.conf r,
@{MOUNTS}/ r,
@{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r,
mount fstype=fuse.s3fs -> @{MOUNTS}/,
mount fstype=fuse.s3fs -> @{MOUNTS}/*/,
mount fstype=fuse.s3fs -> @{MOUNTS}/*/*/,
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
umount @{MOUNTS}/*/*/,
owner /tmp/s3fstmp.* rw,
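Review bot: The depth of the `mount fstype=fuse.s3fs ->`, `owner ... r` and `umount` rules in all three s3fs hunks cannot be judged from this page, because the new value of `@{MOUNTS}` lives in a tunables file that is not shown. The +/- column is lost here, so reading `@{MOUNTS}/` and `@{MOUNTS}/*/` as the new targets is an inference from the old-then-new order in the other files. If that reading is right, a mount is now allowed directly on every path `@{MOUNTS}` expands to, so a broad entry in the tunable silently widens where s3fs may mount. A comment above each group would make the intent checkable, for example `# Mount targets: each @{MOUNTS} entry and one directory level below it`. The same applies to the `@{MOUNTS}/**` file rules in sfdisk, sgdisk, tune2fs and virt-manager.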


@ -24,9 +24,9 @@ profile sfdisk @{exec_path} {
# For disk images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# For backups
owner @{HOME}/**.{bak,back} rwk,


@ -24,13 +24,13 @@ profile sgdisk @{exec_path} {
# For disk images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# For backups
owner @{HOME}/**.{bak,back} rwk,
owner @{MOUNTS}/*/**.{bak,back} rwk,
owner @{MOUNTS}/**.{bak,back} rwk,
include if exists <local/sgdisk>
}


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{MEDIA_LIB} = @{MOUNTS}/*/mp3/
@{MEDIA_LIB} = @{MOUNTS}/mp3/
@{exec_path} = /{usr/,}bin/strawberry
profile strawberry @{exec_path} {
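Review bot: `@{MEDIA_LIB}` is defined with the same value in this file and in strawberry-tagreader, with no comment linking the two, so a later edit to one can leave the profiles disagreeing about which directory is readable. The value `@{MOUNTS}/mp3/` is also a site-specific layout whose reach now depends on what `@{MOUNTS}` expands to. A comment above the assignment in both files would help, such as `# Music library location under each @{MOUNTS} entry; keep in sync with strawberry-tagreader`. The profile body that uses the variable lies outside this hunk.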


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{MEDIA_LIB} = @{MOUNTS}/*/mp3/
@{MEDIA_LIB} = @{MOUNTS}/mp3/
@{exec_path} = /{usr/,}bin/strawberry-tagreader
profile strawberry-tagreader @{exec_path} {


@ -29,9 +29,9 @@ profile tune2fs @{exec_path} {
# Image files
@{HOME}/**.{iso,img,bin,mdf,nrg} rw,
@{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rw,
@{MOUNTS}/**.{iso,img,bin,mdf,nrg} rw,
@{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rw,
@{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rw,
@{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rw,
include if exists <local/tune2fs>
}
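Review bot: The tune2fs image rules carry no `owner` qualifier, unlike the matching sfdisk and sgdisk rules, so `@{MOUNTS}/**.{iso,img,bin,mdf,nrg} rw,` grants write access to every matching file at any depth under the mount points, whoever owns it. If tune2fs is only meant to touch images belonging to the invoking user, the two `@{MOUNTS}` lines could read `owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rw,` and `owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rw,`. If the omission is deliberate, a one-line comment saying why would stop it being "fixed" later. Whether `owner` suits how tune2fs is actually run cannot be confirmed from this hunk.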


@ -35,7 +35,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={ReleaseName,GetConnectionUnixUser},
member={ReleaseName,GetConnectionUnixUser,RequestName},
dbus send bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager
@ -71,26 +71,26 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/systemd-escape rPx,
# Allow mounting of removable devices
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/*/,
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/*/,
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/*/,
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/,
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/,
# Allow mounting of loop devices (ISO files)
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/*/,
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/*/,
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/,
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/,
# Allow mounting of cdrom
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> /media/cdrom[0-9]/,
mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> /media/cdrom[0-9]/,
# Allow mounting od sd cards
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/*/,
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/*/,
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/,
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,
# Allow unmounting
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
umount @{MOUNTS}/*/*/,
umount /media/cdrom[0-9]/,
# Be able to create/delete dirs for removable media
@{MOUNTS}/ rw,
@{MOUNTS}/*/ rw,
@{MOUNTS}/*/*/ rw,
/media/cdrom[0-9]/ rw,
# Udisks2 config files
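Review bot: The first udisksd hunk adds `RequestName` to the `dbus send` rule for `org.freedesktop.DBus`, a permission change that is unrelated to the MOUNTS redefinition and not mentioned in the commit message. The rule ends at the `member=` line with no peer condition, so it is not tied to the bus daemon by name. Appending `peer=(name=org.freedesktop.DBus),` would pin it. The `dbus bind` rule that limits which name udisksd may own is not visible in this hunk, so please confirm one exists. Splitting the D-Bus change into its own commit would also make it easier to audit.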


@ -73,11 +73,10 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
# For disk images
@{MOUNTS}/ r,
@{MOUNTS}/*/ r,
@{HOME}/**.{iso,img,bin,mdf,nrg} r,
@{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
@{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
@{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
@{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r,
@{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r,
# System VM images
/var/lib/libvirt/images/{,**} rw,
@ -86,7 +85,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/ r,
owner @{user_share_dirs}/libvirt/{,**} rw,
owner @{HOME}/@{XDG_VM_DIR}/{,**} rw,
owner @{MOUNTS}/*/@{XDG_VM_DIR}/{,**} rw,
owner @{MOUNTS}/@{XDG_VM_DIR}/{,**} rw,
owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
@{run}/mount/utab r,