felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'roddhjav:main' into hyprland

Browse source
This commit is contained in:
odomingao 2024-08-21 09:11:29 -03:00 committed by GitHub
commit 7d518a79e0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
89 changed files with 453 additions and 268 deletions
Download patch file Download diff file Expand all files Collapse all files

6
apparmor.d/abstractions/app/firefox
View file

@ -69,11 +69,12 @@
/usr/share/webext/{,**} r, /usr/share/webext/{,**} r,
/usr/share/xul-ext/kwallet5/* r, /usr/share/xul-ext/kwallet5/* r,
/etc/{,opensc/}opensc.conf r,
/etc/@{name}/{,**} r, /etc/@{name}/{,**} r,
/etc/fstab r, /etc/fstab r,
/etc/lsb-release r,
/etc/mailcap r, /etc/mailcap r,
/etc/mime.types r, /etc/mime.types r,
/etc/{,opensc/}opensc.conf r,
/etc/sysconfig/proxy r, /etc/sysconfig/proxy r,
/etc/xdg/* r, /etc/xdg/* r,
/etc/xul-ext/kwallet5.js r, /etc/xul-ext/kwallet5.js r,
@ -96,7 +97,7 @@
owner @{tmp}/firefox/* rwk, owner @{tmp}/firefox/* rwk,
owner @{tmp}/Temp-@{uuid}/ rw, owner @{tmp}/Temp-@{uuid}/ rw,
owner @{tmp}/Temp-@{uuid}/* rwk, owner @{tmp}/Temp-@{uuid}/* rwk,
owner @{tmp}/tmp-???.xpi rw, owner @{tmp}/tmp-*.xpi rw,
owner @{tmp}/tmpaddon r, owner @{tmp}/tmpaddon r,
owner @{tmp}/tmpaddon-@{int} r, owner @{tmp}/tmpaddon-@{int} r,
@ -104,6 +105,7 @@
owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
owner /dev/shm/wayland.mozilla.ipc.@{int} rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,
@{run}/mount/utab r, @{run}/mount/utab r,

2
apparmor.d/abstractions/audio-client
View file

@ -5,7 +5,7 @@
# Most programs do not need access to audio devices, audio-client only includes # Most programs do not need access to audio devices, audio-client only includes
# configuration files to be used by client applications. # configuration files to be used by client applications.
/usr/share/alsa/** r, /usr/share/alsa/{,**} r,
/usr/share/openal/hrtf/{,**} r, /usr/share/openal/hrtf/{,**} r,
/usr/share/pipewire/client-rt.conf r, /usr/share/pipewire/client-rt.conf r,
/usr/share/pipewire/client.conf r, /usr/share/pipewire/client.conf r,

4
apparmor.d/abstractions/audio-server
View file

@ -7,10 +7,6 @@
include <abstractions/audio-client> include <abstractions/audio-client>
/usr/share/alsa/{,**} r,
/etc/alsa/conf.d/{,**} r,
@{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/+sound:card@{int} r, # for sound card
@{sys}/class/ r, @{sys}/class/ r,

112
apparmor.d/abstractions/common/game Normal file
View file

@ -0,0 +1,112 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Core set of resources for any games on Linux. Runtimes such as sandboxing,
# wine, proton, game launchers should use this abstraction.
# This abstraction use the following tunables:
# - @{XDG_GAMESSTUDIO_DIR} for game studio and game engines specific directories
# (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d")
# - @{user_games_dirs} for user specific game directories (eg: steam storage dir)
include <abstractions/audio-client>
include <abstractions/desktop>
include <abstractions/devices-usb>
include <abstractions/fontconfig-cache-write>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
@{bin}/uname rix,
@{bin}/xdg-settings rPx,
@{browsers_path} rPx,
@{bin}/env r,
@{lib}/ r,
/ r,
/home/ r,
/usr/ r,
/usr/local/ r,
/usr/local/lib/ r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner @{HOME}/ r,
owner @{user_games_dirs}/ r,
owner @{user_games_dirs}/*/ r,
owner @{user_games_dirs}/*/{,**} rwkl,
owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
@{tmp}/ r,
owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
owner @{tmp}/#@{int} rw,
owner @{tmp}/CASESENSITIVETEST@{hex32} rw,
owner @{tmp}/crashes/ rw,
owner @{tmp}/crashes/** rwk,
owner @{tmp}/miles_image_@{rand6} mrw,
owner @{tmp}/runtime-info.txt.@{rand6} rw,
owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
owner /dev/shm/mono.@{int} rw,
owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{sys}/ r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/hidraw/ r,
@{sys}/class/input/ r,
@{sys}/devices/ r,
@{sys}/devices/@{pci}/boot_vga r,
@{sys}/devices/@{pci}/net/*/carrier r,
@{sys}/devices/**/input@{int}/ r,
@{sys}/devices/**/input@{int}/**/{vendor,product} r,
@{sys}/devices/**/input@{int}/capabilities/* r,
@{sys}/devices/**/input/input@{int}/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/system/ r,
@{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r,
@{sys}/devices/system/cpu/cpu@{int}/ r,
@{sys}/devices/virtual/dmi/id/* r,
@{sys}/devices/virtual/net/*/carrier r,
@{sys}/kernel/ r,
@{sys}/fs/cgroup/user.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
@{PROC}/uptime r,
@{PROC}/version r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/pagemap r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
/dev/ r,
/dev/hidraw@{int} rw,
/dev/input/ r,
/dev/input/event@{int} rw,
/dev/tty rw,
/dev/uinput rw,
include if exists <abstractions/common/game.d>
# vim:syntax=apparmor

94
apparmor.d/abstractions/common/steam-game
View file

@ -2,45 +2,13 @@
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
include <abstractions/audio-client> include <abstractions/common/game>
include <abstractions/desktop>
include <abstractions/devices-usb>
include <abstractions/fontconfig-cache-write>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
@{bin}/uname rix,
@{bin}/xdg-settings rPx,
@{browsers_path} rPx,
@{bin}/env r,
@{lib_dirs}/ r, @{lib_dirs}/ r,
@{lib}/ r,
/ r,
/home/ r,
/usr/ r,
/usr/local/ r,
/usr/local/lib/ r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner @{HOME}/ r,
owner @{HOME}/.steam/steam.pid r, owner @{HOME}/.steam/steam.pid r,
owner @{HOME}/.steam/steam.pipe r, owner @{HOME}/.steam/steam.pipe r,
owner @{user_games_dirs}/ r,
owner @{user_games_dirs}/*/ r,
owner @{user_games_dirs}/*/{,**} rwkl,
owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
owner @{app_dirs}/ r, owner @{app_dirs}/ r,
owner @{app_dirs}/[^S]*/** rwlk, # No access to "SteamLinuxRuntime_sniper" owner @{app_dirs}/[^S]*/** rwlk, # No access to "SteamLinuxRuntime_sniper"
@ -56,19 +24,6 @@
owner @{share_dirs}/steamapps/appmanifest_* rw, owner @{share_dirs}/steamapps/appmanifest_* rw,
owner @{share_dirs}/steamapps/shadercache/{,**} rwk, owner @{share_dirs}/steamapps/shadercache/{,**} rwk,
@{tmp}/ r,
owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
owner @{tmp}/#@{int} rw,
owner @{tmp}/CASESENSITIVETEST@{hex32} rw,
owner @{tmp}/crashes/ rw,
owner @{tmp}/crashes/** rwk,
owner @{tmp}/miles_image_@{rand6} mrw,
owner @{tmp}/runtime-info.txt.@{rand6} rw,
owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
owner /dev/shm/mono.@{int} rw,
owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw,
owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw,
owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
@ -76,53 +31,6 @@
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
owner /dev/shm/ValveIPCSHM_@{uid} rw, owner /dev/shm/ValveIPCSHM_@{uid} rw,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{sys}/ r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/hidraw/ r,
@{sys}/class/input/ r,
@{sys}/devices/ r,
@{sys}/devices/@{pci}/boot_vga r,
@{sys}/devices/@{pci}/net/*/carrier r,
@{sys}/devices/**/input@{int}/ r,
@{sys}/devices/**/input@{int}/**/{vendor,product} r,
@{sys}/devices/**/input@{int}/capabilities/* r,
@{sys}/devices/**/input/input@{int}/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/system/ r,
@{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r,
@{sys}/devices/system/cpu/cpu@{int}/ r,
@{sys}/devices/virtual/dmi/id/* r,
@{sys}/devices/virtual/net/*/carrier r,
@{sys}/kernel/ r,
@{sys}/fs/cgroup/user.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
@{PROC}/uptime r,
@{PROC}/version r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/pagemap r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
/dev/ r,
/dev/hidraw@{int} rw,
/dev/input/ r,
/dev/input/event@{int} rw,
/dev/tty rw,
/dev/uinput rw,
include if exists <abstractions/common/steam-game.d> include if exists <abstractions/common/steam-game.d>
# vim:syntax=apparmor # vim:syntax=apparmor

2
apparmor.d/groups/akonadi/akonadi_control
View file

@ -31,6 +31,8 @@ profile akonadi_control @{exec_path} {
owner @{user_share_dirs}/akonadi/{,**} rwl, owner @{user_share_dirs}/akonadi/{,**} rwl,
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
/dev/tty r, /dev/tty r,
include if exists <local/akonadi_control> include if exists <local/akonadi_control>

10
apparmor.d/groups/browsers/firefox
View file

@ -57,14 +57,14 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/@{rand6}.tmp r, owner @{tmp}/@{rand6}.tmp r,
owner @{tmp}/@{rand8}.txt w, owner @{tmp}/@{rand8}.txt w,
owner @{tmp}/* w, # file downloads (to anywhere) owner @{tmp}/* w, # file downloads (to anywhere)
owner @{tmp}/Mozilla@{uuid}-cachePurge-??????????????? rwk, owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk,
owner @{tmp}/mozilla* rw, owner @{tmp}/mozilla* rw,
owner @{tmp}/mozilla*/ rw, owner @{tmp}/mozilla*/ rw,
owner @{tmp}/mozilla*/* rwk, owner @{tmp}/mozilla*/* rwk,
owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-??????????????? rwk, owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-{@{hex15},@{hex16}} rwk,
owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/.parentlock k, owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/.parentlock k,
owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/{**,} rw, owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/{**,} rw,
owner @{tmp}/Mozillato-be-removed-cachePurge-??????????????? rwk, owner @{tmp}/Mozillato-be-removed-cachePurge-{@{hex15},@{hex16}} rwk,
# Silencer # Silencer
deny @{lib_dirs}/** w, deny @{lib_dirs}/** w,

4
apparmor.d/groups/browsers/firefox-glxtest
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{name} = firefox{,.sh,-esr,-bin} @{name} = firefox{,.sh,-esr,-bin}
@{lib_dirs} = @{lib}/@{name} /opt/@{name} @{lib_dirs} = @{lib}/@{name} /opt/@{name}
@{config_dirs} = @{HOME}/.mozilla/ @{config_dirs} = @{HOME}/.mozilla/
@{cache_dirs} = @{user_cache_dirs}/mozilla/
@{exec_path} = @{lib_dirs}/glxtest @{exec_path} = @{lib_dirs}/glxtest
profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { profile firefox-glxtest @{exec_path} flags=(attach_disconnected) {
@ -19,6 +20,9 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
owner @{cache_dirs}/firefox/*/startupCache/scriptCache-* r,
owner @{cache_dirs}/firefox/*/startupCache/startupCache* r,
owner @{config_dirs}/firefox/*/.parentlock rw, owner @{config_dirs}/firefox/*/.parentlock rw,
owner @{tmp}/@{name}/.parentlock rw, owner @{tmp}/@{name}/.parentlock rw,

2
apparmor.d/groups/browsers/firefox-kmozillahelper
View file

@ -10,8 +10,8 @@ include <tunables/global>
profile firefox-kmozillahelper @{exec_path} { profile firefox-kmozillahelper @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio-client> include <abstractions/audio-client>
include <abstractions/desktop>
include <abstractions/graphics> include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/qt5-settings-write> include <abstractions/qt5-settings-write>
include <abstractions/recent-documents-write> include <abstractions/recent-documents-write>

8
apparmor.d/groups/bus/dbus-accessibility
View file

@ -16,6 +16,12 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
network inet dgram,
network inet stream,
network inet6 dgram,
network inet6 stream,
network netlink raw,
signal (receive) set=(term hup kill) peer=dbus-session, signal (receive) set=(term hup kill) peer=dbus-session,
signal (receive) set=(term hup kill) peer=gdm{,-session-worker}, signal (receive) set=(term hup kill) peer=gdm{,-session-worker},
@ -50,6 +56,8 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/.Xauthority r, owner @{HOME}/.Xauthority r,
owner @{tmp}/xauth_@{rand6} r,
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,

1
apparmor.d/groups/bus/dbus-system
View file

@ -66,6 +66,7 @@ profile dbus-system flags=(attach_disconnected) {
@{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/environ r, @{PROC}/@{pid}/environ r,
@{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/mounts r,
@{PROC}/@{pid}/oom_score_adj r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,

5
apparmor.d/groups/cron/cron
View file

@ -57,9 +57,10 @@ profile cron @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/#@{int} rw, owner @{tmp}/#@{int} rw,
owner @{PROC}/@{pid}/uid_map r, @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/loginuid rw,
@{PROC}/1/limits r, @{PROC}/1/limits r,
owner @{PROC}/@{pid}/loginuid rw,
owner @{PROC}/@{pid}/uid_map r,
/dev/tty rw, /dev/tty rw,

5
apparmor.d/groups/display-manager/xdm-xsession
View file

@ -18,9 +18,9 @@ profile xdm-xsession @{exec_path} {
@{shells_path} rix, @{shells_path} rix,
@{bin}/checkproc rix,
@{bin}/basename rix, @{bin}/basename rix,
@{bin}/cat rix, @{bin}/cat rix,
@{bin}/checkproc rix,
@{bin}/dirname rix, @{bin}/dirname rix,
@{bin}/gpg-agent rPx, @{bin}/gpg-agent rPx,
@{bin}/gpg-connect-agent rPx, @{bin}/gpg-connect-agent rPx,
@ -28,8 +28,10 @@ profile xdm-xsession @{exec_path} {
@{bin}/locale rix, @{bin}/locale rix,
@{bin}/manpath rix, @{bin}/manpath rix,
@{bin}/readlink rix, @{bin}/readlink rix,
@{bin}/realpath rix,
@{bin}/sed rix, @{bin}/sed rix,
@{bin}/ssh-agent rix, @{bin}/ssh-agent rix,
@{bin}/tput rix,
@{bin}/tr rix, @{bin}/tr rix,
@{bin}/tty rix, @{bin}/tty rix,
@{bin}/uname rix, @{bin}/uname rix,
@ -56,6 +58,7 @@ profile xdm-xsession @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/mc/mc.sh r, /usr/share/mc/mc.sh r,
/usr/share/terminfo/{,**} r,
@{etc_ro}/X11/xdm/scripts/{,*} r, @{etc_ro}/X11/xdm/scripts/{,*} r,
@{etc_ro}/X11/xim r, @{etc_ro}/X11/xim r,

2
apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
View file

@ -46,6 +46,8 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,
owner @{tmp}/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int}, owner @{tmp}/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int},
# owner /tmp/xauth_@{rand6} r, # owner /tmp/xauth_@{rand6} r,
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
/dev/shm/#@{int} rw, /dev/shm/#@{int} rw,
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,

2
apparmor.d/groups/freedesktop/pulseaudio
View file

@ -84,12 +84,14 @@ profile pulseaudio @{exec_path} {
owner @{desktop_config_dirs}/pulse/{,**} rw, owner @{desktop_config_dirs}/pulse/{,**} rw,
owner @{desktop_config_dirs}/pulse/cookie k, owner @{desktop_config_dirs}/pulse/cookie k,
owner @{HOME}/.pulse/{,**} rw,
owner @{user_config_dirs}/ w, owner @{user_config_dirs}/ w,
owner @{user_config_dirs}/pulse/{,**} rw, owner @{user_config_dirs}/pulse/{,**} rw,
owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin r, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin r,
owner @{run}/user/@{uid}/ rw, owner @{run}/user/@{uid}/ rw,
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
owner @{run}/user/@{uid}/pulse/ rw, owner @{run}/user/@{uid}/pulse/ rw,
owner @{run}/user/@{uid}/pulse/** rwk, owner @{run}/user/@{uid}/pulse/** rwk,
owner @{run}/user/@{uid}/systemd/notify rw, owner @{run}/user/@{uid}/systemd/notify rw,

1
apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
View file

@ -71,6 +71,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{HOME}/* r,
owner @{HOME}/*/{,**} rw, owner @{HOME}/*/{,**} rw,
owner @{MOUNTS}/ r, owner @{MOUNTS}/ r,

13
apparmor.d/groups/gnome/gdm-session-worker
View file

@ -77,6 +77,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
@{etc_ro}/environment r, @{etc_ro}/environment r,
@{etc_ro}/security/limits.d/{,*.conf} r, @{etc_ro}/security/limits.d/{,*.conf} r,
/etc/default/locale r, /etc/default/locale r,
/etc/fscrypt.conf r,
/etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/custom.conf r,
/etc/gdm{3,}/daemon.conf r, /etc/gdm{3,}/daemon.conf r,
/etc/locale.conf r, /etc/locale.conf r,
@ -93,6 +94,15 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
/var/lib/wtmpdb/ r, /var/lib/wtmpdb/ r,
/var/lib/wtmpdb/* rwk, /var/lib/wtmpdb/* rwk,
/.fscrypt/policies/ r,
/.fscrypt/protectors/ r,
owner /.fscrypt/protectors/@{hex16} r,
/home/ r,
/home/.fscrypt/policies/ r,
owner /home/.fscrypt/policies/@{hex32} r,
owner /home/.fscrypt/protectors/@{hex16}.link r,
owner @{HOME}/.pam_environment r, owner @{HOME}/.pam_environment r,
@{run}/cockpit/inactive.motd r, @{run}/cockpit/inactive.motd r,
@ -106,12 +116,15 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
@{run}/cockpit/active.motd r, @{run}/cockpit/active.motd r,
@{run}/faillock/@{user} rwk, @{run}/faillock/@{user} rwk,
@{run}/fscrypt/ rw,
@{run}/fscrypt/@{uid}.count rwk,
@{run}/motd.d/{,*} r, @{run}/motd.d/{,*} r,
@{run}/systemd/sessions/* r, @{run}/systemd/sessions/* r,
@{run}/systemd/sessions/*.ref rw, @{run}/systemd/sessions/*.ref rw,
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,
@{run}/utmp rwk, @{run}/utmp rwk,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cgroup r,
@{PROC}/1/limits r, @{PROC}/1/limits r,
@{PROC}/keys r, @{PROC}/keys r,

3
apparmor.d/groups/gnome/gnome-clocks
View file

@ -14,8 +14,11 @@ profile gnome-clocks @{exec_path} {
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus/org.a11y> include <abstractions/bus/org.a11y>
include <abstractions/common/gnome> include <abstractions/common/gnome>
include <abstractions/gstreamer>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
network netlink raw,
#aa:dbus own bus=session name=org.gnome.clocks #aa:dbus own bus=session name=org.gnome.clocks
@{exec_path} mr, @{exec_path} mr,

5
apparmor.d/groups/gnome/gnome-software
View file

@ -83,6 +83,11 @@ profile gnome-software @{exec_path} {
owner @{user_share_dirs}/ r, owner @{user_share_dirs}/ r,
owner @{user_share_dirs}/flatpak/.changed w, owner @{user_share_dirs}/flatpak/.changed w,
owner @{user_share_dirs}/flatpak/{app,runtime}/ r,
owner @{user_share_dirs}/flatpak/{app,runtime}/*/ r,
owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/deploy r,
owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/metadata r,
owner @{user_share_dirs}/flatpak/{app,runtime}/*/*/ r,
owner @{user_share_dirs}/flatpak/repo/ rw, owner @{user_share_dirs}/flatpak/repo/ rw,
owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**,
owner @{user_share_dirs}/gnome-software/{,**} rw, owner @{user_share_dirs}/gnome-software/{,**} rw,

2
apparmor.d/groups/gnome/gnome-system-monitor
View file

@ -38,6 +38,8 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
/usr/share/gnome-system-monitor/{,**} r, /usr/share/gnome-system-monitor/{,**} r,
/usr/share/firefox-esr/browser/chrome/icons/default/*.png r, /usr/share/firefox-esr/browser/chrome/icons/default/*.png r,
owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw,
owner @{run}/user/@{uid}/doc/ rw, owner @{run}/user/@{uid}/doc/ rw,
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,

2
apparmor.d/groups/gnome/gnome-tweaks
View file

@ -16,6 +16,8 @@ profile gnome-tweaks @{exec_path} {
include <abstractions/python> include <abstractions/python>
include <abstractions/thumbnails-cache-read> include <abstractions/thumbnails-cache-read>
network netlink raw,
@{exec_path} mr, @{exec_path} mr,
@{bin}/ r, @{bin}/ r,

1
apparmor.d/groups/gnome/gsd-datetime
View file

@ -34,6 +34,7 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/geocode-glib/* r, owner @{user_cache_dirs}/geocode-glib/* r,
owner @{PROC}/@{pid}/fdinfo/@{int} r,
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,
owner /dev/tty@{int} rw, owner /dev/tty@{int} rw,

1
apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
View file

@ -47,6 +47,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} {
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/comm w,
owner @{PROC}/@{pid}/task/@{tid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r,
/dev/media@{int} r, /dev/media@{int} r,

2
apparmor.d/groups/gnome/tracker-miner
View file

@ -65,7 +65,9 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/dconf/user r,
owner @{gdm_share_dirs}/applications/ r, owner @{gdm_share_dirs}/applications/ r,
owner /var/tmp/etilqs_@{hex15} rw,
owner /var/tmp/etilqs_@{hex16} rw, owner /var/tmp/etilqs_@{hex16} rw,
owner @{tmp}/etilqs_@{hex15} rw,
owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/etilqs_@{hex16} rw,
# Allow to search user files # Allow to search user files

1
apparmor.d/groups/gpg/gpg-connect-agent
View file

@ -20,6 +20,7 @@ profile gpg-connect-agent @{exec_path} {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{run}/user/@{uid}/gnupg/ w,
owner @{run}/user/@{uid}/gnupg/d.*/ rw, owner @{run}/user/@{uid}/gnupg/d.*/ rw,
owner @{tmp}/tmp.*/.#lk0x@{hex}.*.@{pid} rw, owner @{tmp}/tmp.*/.#lk0x@{hex}.*.@{pid} rw,

2
apparmor.d/groups/gvfs/gvfsd-mtp
View file

@ -21,7 +21,7 @@ profile gvfsd-mtp @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
owner @{HOME}/{,**} rw, owner @{HOME}/{,**} rw, # FIXME: ?
owner @{MOUNTS}/{,**} rw, owner @{MOUNTS}/{,**} rw,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,

2
apparmor.d/groups/gvfs/gvfsd-recent
View file

@ -36,7 +36,7 @@ profile gvfsd-recent @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# Full access to user's data # Full access to user's data
owner @{HOME}/{,**} rw, owner @{HOME}/{,**} rw, # FIXME: ?
owner @{MOUNTS}/{,**} rw, owner @{MOUNTS}/{,**} rw,
owner @{HOME}/.zshenv r, owner @{HOME}/.zshenv r,

3
apparmor.d/groups/kde/DiscoverNotifier
View file

@ -40,6 +40,7 @@ profile DiscoverNotifier @{exec_path} {
/var/lib/flatpak/{,**} r, /var/lib/flatpak/{,**} r,
/var/cache/swcatalog/cache/ w, /var/cache/swcatalog/cache/ w,
/var/cache/swcatalog/xml/{,**} r,
owner @{user_cache_dirs}/appstream/ r, owner @{user_cache_dirs}/appstream/ r,
owner @{user_cache_dirs}/appstream/** rw, owner @{user_cache_dirs}/appstream/** rw,
@ -58,6 +59,8 @@ profile DiscoverNotifier @{exec_path} {
owner @{tmp}/ostree-gpg-@{rand6}/pubring.gpg rw, owner @{tmp}/ostree-gpg-@{rand6}/pubring.gpg rw,
owner @{tmp}/ostree-gpg-@{rand6}/trustdb.gpg rw, owner @{tmp}/ostree-gpg-@{rand6}/trustdb.gpg rw,
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
/dev/tty r, /dev/tty r,
profile gpg { profile gpg {

2
apparmor.d/groups/kde/gmenudbusmenuproxy
View file

@ -25,6 +25,8 @@ profile gmenudbusmenuproxy @{exec_path} {
owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.@{rand6}} rwl, owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.@{rand6}} rwl,
owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock rwk, owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock rwk,
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
include if exists <local/gmenudbusmenuproxy> include if exists <local/gmenudbusmenuproxy>
} }

4
apparmor.d/groups/kde/kalendarac
View file

@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/kalendarac @{exec_path} = @{bin}/kalendarac
profile kalendarac @{exec_path} { profile kalendarac @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio-client> include <abstractions/audio-server>
include <abstractions/graphics> include <abstractions/graphics>
include <abstractions/kde-strict> include <abstractions/kde-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -36,6 +36,8 @@ profile kalendarac @{exec_path} {
owner @{user_config_dirs}/kalendaracrc.lock rwk, owner @{user_config_dirs}/kalendaracrc.lock rwk,
owner @{user_config_dirs}/kmail2rc r, owner @{user_config_dirs}/kmail2rc r,
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
/dev/tty r, /dev/tty r,
include if exists <local/kalendarac> include if exists <local/kalendarac>

3
apparmor.d/groups/kde/kde-powerdevil
View file

@ -36,6 +36,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{user_cache_dirs}/ddcutil/* r,
owner @{user_cache_dirs}/kcrash-metadata/{,*} rw, owner @{user_cache_dirs}/kcrash-metadata/{,*} rw,
owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/#@{int} rw,
@ -63,7 +64,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
@{sys}/devices/@{pci}/drm/card@{int}/*/enabled r, @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r,
@{sys}/devices/@{pci}/drm/card@{int}/*/status r, @{sys}/devices/@{pci}/drm/card@{int}/*/status r,
@{sys}/devices/@{pci}/i2c-@{int}/**/dev r, @{sys}/devices/@{pci}/i2c-@{int}/**/dev r,
@{sys}/devices/@{pci}/i2c-@{int}/name r, @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r,
@{sys}/devices/**/ r, @{sys}/devices/**/ r,
@{sys}/devices/i2c-@{int}/name r, @{sys}/devices/i2c-@{int}/name r,
@{sys}/devices/platform/**/i2c-@{int}/**/name r, @{sys}/devices/platform/**/i2c-@{int}/**/name r,

7
apparmor.d/groups/kde/kded
View file

@ -59,7 +59,7 @@ profile kded @{exec_path} {
@{bin}/xsettingsd rPx, @{bin}/xsettingsd rPx,
@{lib}/drkonqi rPx, @{lib}/drkonqi rPx,
#aa:exec utempter @{lib}/{,@{multiarch}/}utempter/utempter rPx,
#aa:exec kconf_update #aa:exec kconf_update
/usr/share/color-schemes/{,**} r, /usr/share/color-schemes/{,**} r,
@ -123,8 +123,7 @@ profile kded @{exec_path} {
owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
owner @{user_config_dirs}/menus/{,**} r, owner @{user_config_dirs}/menus/{,**} r,
owner @{user_config_dirs}/networkmanagement.notifyrc r, owner @{user_config_dirs}/networkmanagement.notifyrc r,
owner @{user_config_dirs}/plasma-nm r, owner @{user_config_dirs}/plasma* r,
owner @{user_config_dirs}/plasma-welcomerc r,
owner @{user_config_dirs}/touchpadrc r, owner @{user_config_dirs}/touchpadrc r,
owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf.lock rwk,
owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
@ -151,6 +150,8 @@ profile kded @{exec_path} {
owner @{tmp}/kded6.@{rand6} rwl -> /tmp/#@{int}, owner @{tmp}/kded6.@{rand6} rwl -> /tmp/#@{int},
owner @{tmp}/plasma-csd-generator.@{rand6}/{,**} rw, owner @{tmp}/plasma-csd-generator.@{rand6}/{,**} rw,
@{sys}/class/leds/ r,
@{PROC}/ r, @{PROC}/ r,
@{PROC}/@{pids}/cmdline/ r, @{PROC}/@{pids}/cmdline/ r,
@{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/fd/ r,

3
apparmor.d/groups/kde/kglobalacceld
View file

@ -19,6 +19,7 @@ profile kglobalacceld @{exec_path} {
/etc/machine-id r, /etc/machine-id r,
/etc/xdg/menus/ r, /etc/xdg/menus/ r,
/etc/xdg/menus/applications-merged/ r,
owner @{user_cache_dirs}/ksycoca{5,6}_* rw, owner @{user_cache_dirs}/ksycoca{5,6}_* rw,
@ -29,6 +30,8 @@ profile kglobalacceld @{exec_path} {
owner @{user_config_dirs}/menus/ r, owner @{user_config_dirs}/menus/ r,
owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/menus/applications-merged/ r,
@{PROC}/sys/kernel/random/boot_id r,
/dev/tty r, /dev/tty r,
include if exists <local/kglobalacceld> include if exists <local/kglobalacceld>

1
apparmor.d/groups/kde/kiod
View file

@ -13,6 +13,7 @@ profile kiod @{exec_path} {
include <abstractions/graphics> include <abstractions/graphics>
include <abstractions/kde-strict> include <abstractions/kde-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
network netlink raw, network netlink raw,

9
apparmor.d/groups/kde/konsole
View file

@ -26,7 +26,9 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{bin}/@{shells} rUx, @{bin}/@{shells} rUx,
@{browsers_path} rPx, @{browsers_path} rPx,
#aa:exec utempter @{lib}/libheif/ r,
@{lib}/libheif/** mr,
@{lib}/{,@{multiarch}/}utempter/utempter rPx,
/usr/share/color-schemes/{,**} r, /usr/share/color-schemes/{,**} r,
/usr/share/kf6/{,**} r, /usr/share/kf6/{,**} r,
@ -47,12 +49,15 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_config_dirs}/#@{int} rwl, owner @{user_config_dirs}/#@{int} rwl,
owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/breezerc r,
owner @{user_config_dirs}/kbookmarkrc r,
owner @{user_config_dirs}/konsole.notifyrc r,
owner @{user_config_dirs}/konsolerc{,*} rwlk, owner @{user_config_dirs}/konsolerc{,*} rwlk,
owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/konsolesshconfig.lock rwk, owner @{user_config_dirs}/konsolesshconfig.lock rwk,
owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/kservicemenurc r,
owner @{user_config_dirs}/menus/{,**} r, owner @{user_config_dirs}/menus/{,**} r,
owner @{user_config_dirs}/session/** rwlk,
owner @{user_share_dirs}/color-schemes/{,**} r, owner @{user_share_dirs}/color-schemes/{,**} r,
owner @{user_share_dirs}/konsole/ rw, owner @{user_share_dirs}/konsole/ rw,
@ -62,6 +67,8 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{tmp}/#@{int} rw, owner @{tmp}/#@{int} rw,
owner @{tmp}/konsole.@{rand6} rw, owner @{tmp}/konsole.@{rand6} rw,
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
@{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/stat r, @{PROC}/@{pid}/stat r,

1
apparmor.d/groups/kde/kscreenlocker_greet
View file

@ -85,6 +85,7 @@ profile kscreenlocker_greet @{exec_path} {
owner @{user_config_dirs}/kscreenlockerrc r, owner @{user_config_dirs}/kscreenlockerrc r,
owner @{user_config_dirs}/ksmserverrc r, owner @{user_config_dirs}/ksmserverrc r,
owner @{user_config_dirs}/plasmarc r, owner @{user_config_dirs}/plasmarc r,
owner @{user_config_dirs}/plasmashellrc r,
# If one is blocked, the others are probed. # If one is blocked, the others are probed.
deny owner @{HOME}/#@{int} mrw, deny owner @{HOME}/#@{int} mrw,

7
apparmor.d/groups/kde/ksmserver
View file

@ -52,6 +52,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk, owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk,
owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r,
owner @{user_config_dirs}/kscreenlockerrc r, owner @{user_config_dirs}/kscreenlockerrc r,
owner @{user_config_dirs}/ksmserverrc rw, owner @{user_config_dirs}/ksmserverrc rw,
owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl, owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl,
@ -62,6 +63,12 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ r,
owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r,
owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/iceauth_@{rand6} wl -> @{run}/user/@{uid}/#@{int},
owner @{run}/user/@{uid}/iceauth_@{rand6}-c w,
owner @{run}/user/@{uid}/iceauth_@{rand6}-l wl -> @{run}/user/@{uid}/iceauth_@{rand6}-c,
owner @{run}/user/@{uid}/iceauth_@{rand6}-n rw,
owner @{tmp}/@{rand6} rw, owner @{tmp}/@{rand6} rw,
@{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/inhibit/[0-9]*.ref rw,

2
apparmor.d/groups/kde/kwalletd
View file

@ -43,6 +43,8 @@ profile kwalletd @{exec_path} {
owner @{tmp}/kwalletd5.* rw, owner @{tmp}/kwalletd5.* rw,
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,

1
apparmor.d/groups/kde/plasma_waitforname
View file

@ -10,6 +10,7 @@ include <tunables/global>
profile plasma_waitforname @{exec_path} { profile plasma_waitforname @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/qt5>
@{exec_path} mr, @{exec_path} mr,

7
apparmor.d/groups/kde/plasmashell
View file

@ -178,6 +178,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
@{run}/mount/utab r, @{run}/mount/utab r,
@{run}/user/@{uid}/gvfs/ r, @{run}/user/@{uid}/gvfs/ r,
owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
owner @{run}/user/@{uid}/kdesud_:@{int} w, owner @{run}/user/@{uid}/kdesud_:@{int} w,
owner @{run}/user/@{uid}/plasmashell@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, owner @{run}/user/@{uid}/plasmashell@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
@ -187,9 +188,13 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
@{sys}/devices/platform/** r, @{sys}/devices/platform/** r,
@{sys}/devices/@{pci}/name r, @{sys}/devices/@{pci}/name r,
@{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r,
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
@{sys}/devices/virtual/dmi/id/bios_vendor r,
@{sys}/devices/virtual/dmi/id/board_vendor r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/thermal/**/{name,type} r, @{sys}/devices/virtual/thermal/**/{name,type} r,
@{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r,
@{PROC}/ r, @{PROC}/ r,
@{PROC}/cmdline r, @{PROC}/cmdline r,

2
apparmor.d/groups/kde/sddm-greeter
View file

@ -49,6 +49,8 @@ profile sddm-greeter @{exec_path} {
owner @{SDDM_HOME}/#@{int} mrw, owner @{SDDM_HOME}/#@{int} mrw,
owner @{sddm_cache_dirs}/** mrwkl -> @{sddm_cache_dirs}/**, owner @{sddm_cache_dirs}/** mrwkl -> @{sddm_cache_dirs}/**,
owner @{HOME}/.face.icon r,
owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma_theme_*.kcache rw,

1
apparmor.d/groups/kde/startplasma
View file

@ -22,6 +22,7 @@ profile startplasma @{exec_path} {
@{bin}/env rix, @{bin}/env rix,
@{bin}/grep rix, @{bin}/grep rix,
@{bin}/kapplymousetheme rPUx, @{bin}/kapplymousetheme rPUx,
@{bin}/kdeinit5_shutdown rPUx,
@{bin}/ksplashqml rPUx, @{bin}/ksplashqml rPUx,
@{bin}/plasma_session rPx, @{bin}/plasma_session rPx,
@{bin}/xrdb rPx, @{bin}/xrdb rPx,

2
apparmor.d/groups/kde/xembedsniproxy
View file

@ -20,6 +20,8 @@ profile xembedsniproxy @{exec_path} {
owner @{tmp}/xauth_@{rand6} r, owner @{tmp}/xauth_@{rand6} r,
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
@{run}/user/@{uid}/xauth_@{rand6} rl, @{run}/user/@{uid}/xauth_@{rand6} rl,
include if exists <local/xembedsniproxy> include if exists <local/xembedsniproxy>

3
apparmor.d/groups/pacman/pacman
View file

@ -118,6 +118,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
/var/** rwlk -> /var/**, /var/** rwlk -> /var/**,
# Read packages files # Read packages files
@{user_pkg_dirs}/ r,
@{user_pkg_dirs}/**/ r, @{user_pkg_dirs}/**/ r,
@{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r, @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r,
@ -193,6 +194,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
capability dac_read_search, capability dac_read_search,
capability sys_resource, capability sys_resource,
signal send set=cont peer=child-pager,
@{bin}/pager rPx -> child-pager, @{bin}/pager rPx -> child-pager,
@{bin}/less rPx -> child-pager, @{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager, @{bin}/more rPx -> child-pager,

1
apparmor.d/groups/virt/libvirtd
View file

@ -131,6 +131,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
/usr/share/edk2*/{,**} rk, /usr/share/edk2*/{,**} rk,
/usr/share/hwdata/* r, /usr/share/hwdata/* r,
/usr/share/iproute2/{,**} r,
/usr/share/libvirt/{,**} r, /usr/share/libvirt/{,**} r,
/usr/share/mime/mime.cache r, /usr/share/mime/mime.cache r,
/usr/share/misc/pci.ids r, /usr/share/misc/pci.ids r,

1
apparmor.d/groups/virt/virtlogd
View file

@ -24,6 +24,7 @@ profile virtlogd @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/libvirt/qemu/log/{,**} rw, owner @{user_cache_dirs}/libvirt/qemu/log/{,**} rw,
owner @{run}/user/@{uid}/common/system.token rw, owner @{run}/user/@{uid}/common/system.token rw,
owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
owner @{run}/user/@{uid}/libvirt/virtlogd.pid rwk, owner @{run}/user/@{uid}/libvirt/virtlogd.pid rwk,
owner @{run}/user/@{uid}/libvirt/virtlogd* w, owner @{run}/user/@{uid}/libvirt/virtlogd* w,

1
apparmor.d/groups/virt/virtnodedevd
View file

@ -62,6 +62,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/c21:@{int} r, # Generic SCSI access @{run}/udev/data/c21:@{int} r, # Generic SCSI access
@{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*
@{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c81:@{int} r, # For video4linux
@{run}/udev/data/c89:@{int} r, # For I2C bus interface
@{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash
@{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c116:@{int} r, # For ALSA
@{run}/udev/data/c202:@{int} r, # CPU model-specific registers @{run}/udev/data/c202:@{int} r, # CPU model-specific registers

2
apparmor.d/groups/xfce/xfce-sensors
View file

@ -16,7 +16,7 @@ profile xfce-sensors @{exec_path} {
@{sys}/class/hwmon/ r, @{sys}/class/hwmon/ r,
@{sys}/class/power_supply/ r, @{sys}/class/power_supply/ r,
@{sys}/class/thermal/ r, @{sys}/class/thermal/ r,
@{sys}/devices/@{pci}/i2c-@{int}/name r, @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r,
@{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/ r,
@{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r,
@{sys}/devices/**/hwmon@{int}/**/ r, @{sys}/devices/**/hwmon@{int}/**/ r,

2
apparmor.d/profiles-a-f/amixer
View file

@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/amixer @{exec_path} = @{bin}/amixer
profile amixer @{exec_path} { profile amixer @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio-client> include <abstractions/audio-server>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{exec_path} mr, @{exec_path} mr,

4
apparmor.d/profiles-a-f/atool
View file

@ -38,6 +38,7 @@ profile atool @{exec_path} {
@{bin}/lzma rix, @{bin}/lzma rix,
@{bin}/lzop rix, @{bin}/lzop rix,
@{bin}/lzop rix, @{bin}/lzop rix,
@{lib}/p7zip/7z rix,
@{bin}/rar rix, @{bin}/rar rix,
@{bin}/tar rix, @{bin}/tar rix,
@{bin}/unace rix, @{bin}/unace rix,
@ -47,6 +48,9 @@ profile atool @{exec_path} {
@{bin}/xz rix, @{bin}/xz rix,
@{bin}/zip rix, @{bin}/zip rix,
/etc/atool.conf r,
owner @{HOME}/.atoolrc r,
include if exists <local/atool> include if exists <local/atool>
} }

6
apparmor.d/profiles-a-f/borg
View file

@ -21,6 +21,9 @@ profile borg @{exec_path} {
network inet6 dgram, network inet6 dgram,
network netlink raw, network netlink raw,
mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/,
mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/*/,
@{exec_path} r, @{exec_path} r,
@{bin}/ r, @{bin}/ r,
@ -107,6 +110,9 @@ profile borg @{exec_path} {
/etc/fuse.conf r, /etc/fuse.conf r,
@{MOUNTS}/ r,
@{MOUNTS}/*/ r,
@{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/mounts r,
/dev/fuse rw, /dev/fuse rw,

2
apparmor.d/profiles-a-f/chronyd
View file

@ -12,6 +12,8 @@ include <tunables/global>
profile chronyd @{exec_path} flags=(attach_disconnected) { profile chronyd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/p11-kit>
include <abstractions/ssl_certs>
capability chown, capability chown,
capability dac_override, capability dac_override,

40
apparmor.d/profiles-a-f/dino-im → apparmor.d/profiles-a-f/dino
View file

@ -7,13 +7,17 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/dino-im @{exec_path} = @{bin}/dino{,-im}
profile dino-im @{exec_path} { profile dino @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/desktop> include <abstractions/desktop>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/graphics>
include <abstractions/gstreamer>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/p11-kit>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
network inet dgram, network inet dgram,
@ -24,30 +28,26 @@ profile dino-im @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# Needed for GPG/PGP support # Not in a subprofile because of no new privs
@{bin}/gpg{,2} rCx -> gpg, @{bin}/gpg{,2} rix,
@{bin}/gpgconf rCx -> gpg, @{bin}/gpgconf rix,
@{bin}/gpgsm rCx -> gpg, @{bin}/gpgsm rix,
@{lib}/gnupg/keyboxd rix,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
owner @{user_share_dirs}/dino/ rw, owner @{user_share_dirs}/dino/ rw,
owner @{user_share_dirs}/dino/** rwk, owner @{user_share_dirs}/dino/** rwk,
owner @{run}/user/@{uid}/gnupg/ rw,
owner @{run}/user/@{uid}/gnupg/S.keyboxd rw,
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
profile gpg { include if exists <local/dino>
include <abstractions/base>
@{bin}/gpg{,2} mr,
@{bin}/gpgconf mr,
@{bin}/gpgsm mr,
owner @{HOME}/.gnupg/ rw,
owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
include if exists <local/dino-im_gpg>
}
include if exists <local/dino-im>
} }
# vim:syntax=apparmor # vim:syntax=apparmor

2
apparmor.d/profiles-a-f/dmesg
View file

@ -24,7 +24,7 @@ profile dmesg @{exec_path} {
/usr/share/terminfo/** r, /usr/share/terminfo/** r,
owner @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/pid_max r,
/dev/kmsg r, /dev/kmsg r,

3
apparmor.d/profiles-a-f/engrampa
View file

@ -75,8 +75,7 @@ profile engrampa @{exec_path} {
owner @{user_share_dirs}/ r, owner @{user_share_dirs}/ r,
/tmp/ r, /tmp/ r,
owner @{tmp}/** rw,
@{run}/mount/utab r, @{run}/mount/utab r,

1
apparmor.d/profiles-a-f/exiftool
View file

@ -11,6 +11,7 @@ profile exiftool @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/perl> include <abstractions/perl>
include <abstractions/user-read-strict> include <abstractions/user-read-strict>
include <abstractions/user-write-strict>
@{exec_path} mr, @{exec_path} mr,

5
apparmor.d/profiles-a-f/firewalld
View file

@ -44,9 +44,8 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
/usr/local/lib/python3.@{int}/dist-packages/ r, /usr/local/lib/python3.@{int}/dist-packages/ r,
/usr/share/libalternatives/ r, /usr/share/iproute2/{,**} r,
/usr/share/libalternatives/ebtables*/{,*} r, /usr/share/libalternatives/{,**} r,
/usr/share/libalternatives/ip{,4,6}tables*/{,*} r,
/etc/firewalld/{,**} rw, /etc/firewalld/{,**} rw,
/etc/iproute2/group r, /etc/iproute2/group r,

1
apparmor.d/profiles-a-f/flatpak-app
View file

@ -89,6 +89,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
owner @{run}/flatpak/app/** rw, owner @{run}/flatpak/app/** rw,
owner @{run}/flatpak/doc/** rw, owner @{run}/flatpak/doc/** rw,
owner @{run}/ld-so-cache-dir/* rw, owner @{run}/ld-so-cache-dir/* rw,
owner @{run}/user/ r,
owner @{run}/user/@{uid}/*.kioworker.socket r, owner @{run}/user/@{uid}/*.kioworker.socket r,
owner @{run}/user/@{uid}/#@{int} rwl, owner @{run}/user/@{uid}/#@{int} rwl,

11
apparmor.d/profiles-g-l/git
View file

@ -43,6 +43,7 @@ profile git @{exec_path} flags=(attach_disconnected) {
# These are needed for "git submodule update" # These are needed for "git submodule update"
@{sh_path} rix, @{sh_path} rix,
@{bin}/{,e}grep rix, @{bin}/{,e}grep rix,
@{bin}/alts rix,
@{bin}/basename rix, @{bin}/basename rix,
@{bin}/cat rix, @{bin}/cat rix,
@{bin}/date rix, @{bin}/date rix,
@ -78,6 +79,7 @@ profile git @{exec_path} flags=(attach_disconnected) {
@{bin}/vim.* rCx -> editor, @{bin}/vim.* rCx -> editor,
/usr/share/git{,-core}/{,**} r, /usr/share/git{,-core}/{,**} r,
/usr/share/libalternatives/{,**} r,
/usr/share/terminfo/** r, /usr/share/terminfo/** r,
/etc/gitconfig r, /etc/gitconfig r,
@ -139,14 +141,15 @@ profile git @{exec_path} flags=(attach_disconnected) {
@{bin}/ssh mr, @{bin}/ssh mr,
/etc/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/ssh_config.d/{,*} r,
/etc/ssh/ssh_config r, @{etc_ro}/ssh/ssh_config r,
owner @{HOME}/@{XDG_SSH_DIR}/* r, owner @{HOME}/@{XDG_SSH_DIR}/* r,
owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw,
owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl,
owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw,
owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_* rwl,
owner @{tmp}/git@*:@{int} rwl -> /tmp/git@*:@{int}.*, owner @{tmp}/git@*:@{int} rwl -> @{tmp}/git@*:@{int}.*,
owner @{tmp}/ssh-*/agent.@{int} rw, owner @{tmp}/ssh-*/agent.@{int} rw,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,

2
apparmor.d/profiles-g-l/htop
View file

@ -89,7 +89,7 @@ profile htop @{exec_path} {
@{sys}/class/hwmon/ r, @{sys}/class/hwmon/ r,
@{sys}/class/i2c-adapter/ r, @{sys}/class/i2c-adapter/ r,
@{sys}/class/power_supply/ r, @{sys}/class/power_supply/ r,
@{sys}/devices/@{pci}/i2c-@{int}/name r, @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r,
@{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/ r,
@{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r,
@{sys}/devices/**/hwmon@{int}/**/ r, @{sys}/devices/**/hwmon@{int}/**/ r,

1
apparmor.d/profiles-g-l/issue-generator
View file

@ -21,6 +21,7 @@ profile issue-generator @{exec_path} {
@{bin}/sort rix, @{bin}/sort rix,
/etc/issue.d/{,**} r, /etc/issue.d/{,**} r,
/etc/sysconfig/issue-generator r,
@{run}/issue r, @{run}/issue r,
@{run}/issue.@{rand10} rw, @{run}/issue.@{rand10} rw,

3
apparmor.d/profiles-m-r/modprobed-db
View file

@ -28,9 +28,10 @@ profile modprobed-db @{exec_path} {
@{bin}/uniq rix, @{bin}/uniq rix,
@{bin}/wc rix, @{bin}/wc rix,
/usr/share/modprobed-db/** r,
/usr/share/terminfo/** r, /usr/share/terminfo/** r,
owner @{user_config_dirs}/modprobed-db.conf r, owner @{user_config_dirs}/modprobed-db.conf rw,
owner @{user_config_dirs}/modprobed.db rw, owner @{user_config_dirs}/modprobed.db rw,
owner @{tmp}/.inmem rw, owner @{tmp}/.inmem rw,

2
apparmor.d/profiles-m-r/monitorix
View file

@ -95,7 +95,7 @@ profile monitorix @{exec_path} {
@{PROC}/@{pids}/io r, @{PROC}/@{pids}/io r,
@{sys}/class/i2c-adapter/ r, @{sys}/class/i2c-adapter/ r,
@{sys}/devices/@{pci}/i2c-@{int}/name r, @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r,
@{sys}/class/hwmon/ r, @{sys}/class/hwmon/ r,
@{sys}/devices/**/thermal*/{,**} r, @{sys}/devices/**/thermal*/{,**} r,
@{sys}/devices/**/hwmon*/{,**} r, @{sys}/devices/**/hwmon*/{,**} r,

2
apparmor.d/profiles-m-r/mpv
View file

@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/mpv @{exec_path} = @{bin}/mpv
profile mpv @{exec_path} { profile mpv @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio-client> include <abstractions/audio-server>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/desktop> include <abstractions/desktop>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>

2
apparmor.d/profiles-m-r/mullvad-setup
View file

@ -9,9 +9,11 @@ include <tunables/global>
@{exec_path} = /opt/Mullvad*/resources/mullvad-setup @{exec_path} = /opt/Mullvad*/resources/mullvad-setup
profile mullvad-setup @{exec_path} { profile mullvad-setup @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr, @{exec_path} mr,
@{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
# File Inherit # File Inherit

23
apparmor.d/profiles-m-r/pinentry-qt
View file

@ -10,40 +10,23 @@ include <tunables/global>
@{exec_path} = @{bin}/pinentry-qt @{exec_path} = @{bin}/pinentry-qt
profile pinentry-qt @{exec_path} { profile pinentry-qt @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-enumerate>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts> include <abstractions/graphics>
include <abstractions/freedesktop.org> include <abstractions/kde-strict>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/qt5-compose-cache-write> include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5>
include <abstractions/vulkan>
include <abstractions/X>
@{exec_path} mr, @{exec_path} mr,
/usr/share/hwdata/pnp.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/var/lib/dbus/machine-id r,
/etc/machine-id r, /etc/machine-id r,
/etc/xdg/kdeglobals r, /var/lib/dbus/machine-id r,
/etc/xdg/kwinrc r,
owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwinrc r,
owner @{tmp}/xauth_@{rand6} r, owner @{tmp}/xauth_@{rand6} r,
owner /dev/shm/#@{int} rw, owner /dev/shm/#@{int} rw,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/meminfo r,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
include if exists <local/pinentry-qt> include if exists <local/pinentry-qt>

1
apparmor.d/profiles-m-r/qnapi
View file

@ -55,7 +55,6 @@ profile qnapi @{exec_path} {
/tmp/ r, /tmp/ r,
owner @{tmp}/@{hex}.* rw, owner @{tmp}/@{hex}.* rw,
owner @{tmp}/** rw,
owner @{tmp}/#@{int} rw, owner @{tmp}/#@{int} rw,
owner @{tmp}/QNapi-*-rc wl -> /tmp/#@{int}, owner @{tmp}/QNapi-*-rc wl -> /tmp/#@{int},
owner @{tmp}/QNapi-*-rc.lock rwk, owner @{tmp}/QNapi-*-rc.lock rwk,

9
apparmor.d/profiles-s-z/YACReaderLibrary
View file

@ -14,11 +14,16 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted
include <abstractions/desktop> include <abstractions/desktop>
include <abstractions/graphics> include <abstractions/graphics>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/qt5-settings-write>
include <abstractions/qt5-shader-cache> include <abstractions/qt5-shader-cache>
include <abstractions/ssl_certs>
network inet dgram,
network inet stream, network inet stream,
network inet6 dgram,
network inet6 stream, network inet6 stream,
network netlink dgram, network netlink dgram,
network netlink raw,
@{exec_path} mr, @{exec_path} mr,
@ -31,6 +36,7 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted
owner @{user_books_dirs}/{,**} r, owner @{user_books_dirs}/{,**} r,
owner @{user_books_dirs}/**/.yacreaderlibrary/{,**} rwk, owner @{user_books_dirs}/**/.yacreaderlibrary/{,**} rwk,
owner @{user_books_dirs}/**/None rw,
owner @{user_cache_dirs}/YACReader/ rw, owner @{user_cache_dirs}/YACReader/ rw,
owner @{user_cache_dirs}/YACReader/YACReaderLibrary/ rw, owner @{user_cache_dirs}/YACReader/YACReaderLibrary/ rw,
@ -43,7 +49,10 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted
owner @{tmp}/@{uuid} w, owner @{tmp}/@{uuid} w,
@{run}/mount/utab r,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r,
include if exists <local/YACReaderLibrary> include if exists <local/YACReaderLibrary>
} }

2
apparmor.d/profiles-s-z/sanoid
View file

@ -27,8 +27,6 @@ profile sanoid @{exec_path} flags=(complain) {
@{run}/sanoid/sanoid_cacheupdate.lock rwk, @{run}/sanoid/sanoid_cacheupdate.lock rwk,
@{run}/sanoid/sanoid_pruning.lock rwk, @{run}/sanoid/sanoid_pruning.lock rwk,
owner @{tmp}/** rw,
include if exists <local/sanoid> include if exists <local/sanoid>
} }

2
apparmor.d/profiles-s-z/sensors-detect
View file

@ -27,7 +27,7 @@ profile sensors-detect @{exec_path} {
@{sys}/bus/pci/devices/ r, @{sys}/bus/pci/devices/ r,
@{sys}/class/i2c-adapter/ r, @{sys}/class/i2c-adapter/ r,
@{sys}/devices/@{pci}/{class,vendor,device} r, @{sys}/devices/@{pci}/{class,vendor,device} r,
@{sys}/devices/@{pci}/i2c-@{int}/name r, @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r,
@{sys}/devices/@{pci}/modalias r, @{sys}/devices/@{pci}/modalias r,
@{sys}/devices/virtual/dmi/id/board_{version,vendor,name} r, @{sys}/devices/virtual/dmi/id/board_{version,vendor,name} r,
@{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/dmi/id/chassis_type r,

1
apparmor.d/profiles-s-z/steam-game-proton
View file

@ -29,6 +29,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) {
network unix stream, network unix stream,
signal receive peer=steam, signal receive peer=steam,
unix,
@{exec_path} mr, @{exec_path} mr,
@{bin}/bwrap mrix, @{bin}/bwrap mrix,

3
apparmor.d/profiles-s-z/steam-gameoverlayui
View file

@ -23,7 +23,8 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) {
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network unix stream,
unix,
@{exec_path} mr, @{exec_path} mr,

2
apparmor.d/profiles-s-z/syncoid
View file

@ -25,8 +25,6 @@ profile syncoid @{exec_path} flags=(complain) {
/etc/mbuffer.rc r, /etc/mbuffer.rc r,
owner @{tmp}/** rw,
@{PROC}/@{pids}/maps r, @{PROC}/@{pids}/maps r,
include if exists <local/syncoid> include if exists <local/syncoid>

2
apparmor.d/profiles-s-z/system-config-printer
View file

@ -46,8 +46,6 @@ profile system-config-printer @{exec_path} flags=(complain) {
@{run}/cups/cups.sock rw, @{run}/cups/cups.sock rw,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
owner @{tmp}/* rw,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/fdinfo/@{int} r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,

9
apparmor.d/profiles-s-z/transmission-gtk → apparmor.d/profiles-s-z/transmission
View file

@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/transmission-gtk @{exec_path} = @{bin}/transmission-{gtk,qt}
profile transmission-gtk @{exec_path} { profile transmission @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/desktop> include <abstractions/desktop>
@ -33,10 +33,11 @@ profile transmission-gtk @{exec_path} {
owner @{user_config_dirs}/transmission/ rw, owner @{user_config_dirs}/transmission/ rw,
owner @{user_config_dirs}/transmission/** rwk, owner @{user_config_dirs}/transmission/** rwk,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/transmission/ rw, owner @{user_cache_dirs}/transmission/ rw,
owner @{user_cache_dirs}/transmission/** rwk, owner @{user_cache_dirs}/transmission/** rwk,
owner @{tmp}/tr_session_id_* rwk,
@{run}/mount/utab r, @{run}/mount/utab r,
@{PROC}/@{pid}/net/route r, @{PROC}/@{pid}/net/route r,
@ -48,7 +49,7 @@ profile transmission-gtk @{exec_path} {
deny @{user_share_dirs}/gvfs-metadata/* r, deny @{user_share_dirs}/gvfs-metadata/* r,
include if exists <local/transmission-gtk> include if exists <local/transmission>
} }
# vim:syntax=apparmor # vim:syntax=apparmor

56
apparmor.d/profiles-s-z/transmission-qt
View file

@ -1,56 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/transmission-qt
profile transmission-qt @{exec_path} {
include <abstractions/base>
include <abstractions/desktop>
include <abstractions/fontconfig-cache-read>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/private-files-strict>
include <abstractions/qt5>
include <abstractions/qt5-settings-write>
include <abstractions/ssl_certs>
include <abstractions/user-download-strict>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
@{exec_path} mr,
# Torrent files
owner @{user_torrents_dirs}/ r,
owner @{user_torrents_dirs}/** rw,
owner @{user_config_dirs}/transmission/ rw,
owner @{user_config_dirs}/transmission/** rwk,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/transmission/ rw,
owner @{user_cache_dirs}/transmission/** rwk,
owner @{tmp}/tr_session_id_* rwk,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/@{pid}/net/route r,
@{PROC}/sys/kernel/random/uuid r,
/usr/share/hwdata/pnp.ids r,
include if exists <local/transmission-qt>
}
# vim:syntax=apparmor

96
apparmor.d/profiles-s-z/veracrypt Normal file
View file

@ -0,0 +1,96 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/veracrypt
profile veracrypt @{exec_path} {
include <abstractions/base>
include <abstractions/app/kmod>
include <abstractions/app/sudo>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/disks-write>
include <abstractions/nameservice-strict>
capability chown,
capability dac_read_search,
capability fsetid,
capability sys_admin,
capability sys_ptrace,
mount fstype=fuse.veracrypt options=(rw nodev nosuid) veracrypt -> /tmp/.veracrypt_*/,
@{exec_path} mrix,
@{sh_path} rix,
@{open_path} rPx -> child-open-help,
@{bin}/dmsetup rPx,
@{bin}/grep rix,
@{bin}/kmod rix,
@{bin}/ldconfig rix,
@{bin}/losetup rCx -> losetup,
@{bin}/mount rPx,
@{bin}/sudo rix,
@{bin}/umount rCx -> umount,
@{bin}/wc rix,
@{file_explorers_path} rPx,
/home/ r,
# Mount points
@{MOUNTS}/ rw,
@{MOUNTS}/*/ rw,
owner @{HOME}/ r,
owner @{HOME}/.VeraCrypt-lock-@{user} rwk,
owner @{user_config_dirs}/VeraCrypt/ rw,
owner @{user_config_dirs}/VeraCrypt/** rwk,
/tmp/.veracrypt_*/ rw,
/tmp/.veracrypt_*/** rwk,
@{sys}/module/compression r,
@{sys}/module/dm_mod/initstate r,
@{PROC}/partitions r,
owner @{PROC}/@{pid}/mounts r,
/dev/fuse rw,
/dev/tty rw,
profile umount {
include <abstractions/base>
capability sys_admin,
umount /tmp/.veracrypt_*/,
umount @{MOUNTS}/{,*/},
@{bin}/umount mr,
owner @{run}/mount/utab r,
include if exists <local/veracrypt_umount>
}
profile losetup {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_rawio,
@{bin}/losetup mr,
include if exists <local/veracrypt_losetup>
}
include if exists <local/veracrypt>
}
# vim:syntax=apparmor

3
apparmor.d/profiles-s-z/waybar
View file

@ -9,7 +9,8 @@ include <tunables/global>
@{exec_path} = @{bin}/waybar @{exec_path} = @{bin}/waybar
profile waybar @{exec_path} flags=(attach_disconnected) { profile waybar @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio> include <abstractions/audio-client>
include <abstractions/app-launcher-user>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/desktop> include <abstractions/desktop>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>

4
apparmor.d/profiles-s-z/zathura
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/zathura @{exec_path} = @{bin}/zathura{,-sandbox}
profile zathura @{exec_path} { profile zathura @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/dconf-write>
@ -18,11 +18,13 @@ profile zathura @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/usr/share/file/{,**} r, /usr/share/file/{,**} r,
/usr/share/poppler/{,**} r,
/etc/xdg/{,**} r, /etc/xdg/{,**} r,
/etc/zathurarc r, /etc/zathurarc r,
owner @{user_config_dirs}/zathura/** r, owner @{user_config_dirs}/zathura/** r,
owner @{user_share_dirs}/zathura/ r,
owner @{user_share_dirs}/zathura/** rwk, owner @{user_share_dirs}/zathura/** rwk,
owner @{tmp}/gtkprint* rw, owner @{tmp}/gtkprint* rw,

2
apparmor.d/tunables/multiarch.d/system
View file

@ -35,6 +35,7 @@
@{hex8}=@{hex4}@{hex4} @{hex8}=@{hex4}@{hex4}
@{hex9}=@{hex8}@{h} @{hex9}=@{hex8}@{h}
@{hex10}=@{hex8}@{hex2} @{hex10}=@{hex8}@{hex2}
@{hex15}=@{hex8}@{hex4}@{hex2}@{h}
@{hex16}=@{hex8}@{hex8} @{hex16}=@{hex8}@{hex8}
@{hex32}=@{hex16}@{hex16} @{hex32}=@{hex16}@{hex16}
@{hex38}=@{hex32}@{hex6} @{hex38}=@{hex32}@{hex6}
@ -47,6 +48,7 @@
@{rand8}=@{rand4}@{rand4} @{rand8}=@{rand4}@{rand4}
@{rand9}=@{rand8}@{c} @{rand9}=@{rand8}@{c}
@{rand10}=@{rand8}@{rand2} @{rand10}=@{rand8}@{rand2}
@{rand15}=@{rand8}@{rand4}@{rand2}@{c}
@{rand16}=@{rand8}@{rand8} @{rand16}=@{rand8}@{rand8}
@{rand32}=@{rand16}@{rand16} @{rand32}=@{rand16}@{rand16}
@{rand64}=@{rand64}@{rand64} @{rand64}=@{rand64}@{rand64}

4
cmd/aa/main.go
View file

@ -199,7 +199,7 @@ func main() {
case format: case format:
files, err = pathsFromArgs() files, err = pathsFromArgs()
if err != nil { if err != nil {
logging.Fatal(err.Error()) logging.Fatal("%s", err.Error())
} }
err = aaFormat(files) err = aaFormat(files)
case tree: case tree:
@ -207,6 +207,6 @@ func main() {
} }
if err != nil { if err != nil {
logging.Fatal(err.Error()) logging.Fatal("%s", err.Error())
} }
} }

2
cmd/prebuild/main.go
View file

@ -91,6 +91,6 @@ func main() {
os.Exit(0) os.Exit(0)
} }
if err := aaPrebuild(); err != nil { if err := aaPrebuild(); err != nil {
logging.Fatal(err.Error()) logging.Fatal("%s", err.Error())
} }
} }

3
dists/flags/main.flags
View file

@ -87,6 +87,7 @@ cups-notifier-rss complain
cups-pk-helper-mechanism complain cups-pk-helper-mechanism complain
cupsd attach_disconnected,complain cupsd attach_disconnected,complain
ddcutil complain ddcutil complain
dino attach_disconnected,complain
DiscoverNotifier complain DiscoverNotifier complain
dkms attach_disconnected,complain dkms attach_disconnected,complain
dockerd attach_disconnected,complain dockerd attach_disconnected,complain
@ -368,6 +369,7 @@ systemd-userwork attach_disconnected,complain
systemsettings complain systemsettings complain
totem attach_disconnected,complain totem attach_disconnected,complain
tracker-writeback complain tracker-writeback complain
transmission complain
udev-dmi-memory-id complain udev-dmi-memory-id complain
udisksctl complain udisksctl complain
udisksd attach_disconnected,complain udisksd attach_disconnected,complain
@ -375,6 +377,7 @@ update-grub complain
update-secureboot-policy complain update-secureboot-policy complain
userdbctl complain userdbctl complain
utempter attach_disconnected,complain utempter attach_disconnected,complain
veracrypt complain
virt-manager attach_disconnected,complain virt-manager attach_disconnected,complain
virtinterfaced attach_disconnected,complain virtinterfaced attach_disconnected,complain
virtiofsd complain,attach_disconnected virtiofsd complain,attach_disconnected

2
dists/overwrite
View file

@ -5,6 +5,7 @@
brave brave
chrome chrome
chromium
element-desktop element-desktop
epiphany epiphany
firefox firefox
@ -18,5 +19,6 @@ plasmashell
slirp4netns slirp4netns
systemd-coredump systemd-coredump
thunderbird thunderbird
transmission
unix-chkpwd unix-chkpwd
virtiofsd virtiofsd

9
docs/development/abstractions.md
View file

@ -122,6 +122,15 @@ A minimal set of rules for all electron based UI applications. It works as a *fu
@{cache_dirs} = @{user_cache_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name}
``` ```
### **`common/game`**
Core set of resources for any games on Linux. Runtimes such as sandboxing, wine, proton, game launchers should use this abstraction.
This abstraction uses the following tunables:
- `@{XDG_GAMESSTUDIO_DIR}` for game studio and game engines specific directories (Default: `@{XDG_GAMESSTUDIO_DIR}="unity3d"`)
- `@{user_games_dirs}` for user specific game directories (e.g.: steam storage dir)
### **`common/systemd`** ### **`common/systemd`**
Common set of rules for internal systemd suite. Common set of rules for internal systemd suite.

12
pkg/logging/logging.go
View file

@ -37,7 +37,7 @@ func Print(msg string, a ...interface{}) int {
// Println prints a formatted message. Arguments are handled in the manner of fmt.Println. // Println prints a formatted message. Arguments are handled in the manner of fmt.Println.
func Println(msg string) int { func Println(msg string) int {
n, _ := fmt.Fprintf(os.Stdout, msg+"\n") n, _ := fmt.Fprintf(os.Stdout, "%s\n", msg)
return n return n
} }
@ -48,7 +48,7 @@ func Bulletf(msg string, a ...interface{}) string {
// Bullet prints a formatted bullet point string // Bullet prints a formatted bullet point string
func Bullet(msg string, a ...interface{}) int { func Bullet(msg string, a ...interface{}) int {
return Print(Bulletf(msg, a...)) return Print("%s", Bulletf(msg, a...))
} }
// Stepf returns a formatted step string // Stepf returns a formatted step string
@ -58,7 +58,7 @@ func Stepf(msg string, a ...interface{}) string {
// Step prints a step title // Step prints a step title
func Step(msg string, a ...interface{}) int { func Step(msg string, a ...interface{}) int {
return Print(Stepf(msg, a...)) return Print("%s", Stepf(msg, a...))
} }
// Successf returns a formatted success string // Successf returns a formatted success string
@ -68,7 +68,7 @@ func Successf(msg string, a ...interface{}) string {
// Success prints a formatted success message to stdout // Success prints a formatted success message to stdout
func Success(msg string, a ...interface{}) int { func Success(msg string, a ...interface{}) int {
return Print(Successf(msg, a...)) return Print("%s", Successf(msg, a...))
} }
// Warningf returns a formatted warning string // Warningf returns a formatted warning string
@ -78,12 +78,12 @@ func Warningf(msg string, a ...interface{}) string {
// Warning prints a formatted warning message to stdout // Warning prints a formatted warning message to stdout
func Warning(msg string, a ...interface{}) int { func Warning(msg string, a ...interface{}) int {
return Print(Warningf(msg, a...)) return Print("%s", Warningf(msg, a...))
} }
// Fatalf returns a formatted error message // Fatalf returns a formatted error message
func Error(msg string, a ...interface{}) int { func Error(msg string, a ...interface{}) int {
return Print(fmt.Sprintf("%s%s%s\n", Indent, errorText, fmt.Sprintf(msg, a...))) return Print("%s", fmt.Sprintf("%s%s%s\n", Indent, errorText, fmt.Sprintf(msg, a...)))
} }
// Fatalf returns a formatted error message // Fatalf returns a formatted error message

22
pkg/logging/logging_test.go
View file

@ -10,7 +10,7 @@ func TestPrint(t *testing.T) {
msg := "Print message" msg := "Print message"
wantN := 13 wantN := 13
gotN := Print(msg) gotN := Print("%s", msg)
if gotN != wantN { if gotN != wantN {
t.Errorf("Print() = %v, want %v", gotN, wantN) t.Errorf("Print() = %v, want %v", gotN, wantN)
} }
@ -28,7 +28,7 @@ func TestPrintln(t *testing.T) {
func TestBulletf(t *testing.T) { func TestBulletf(t *testing.T) {
msg := "Bullet message" msg := "Bullet message"
want := "\033[1m ⋅ \033[0mBullet message\n" want := "\033[1m ⋅ \033[0mBullet message\n"
if got := Bulletf(msg); got != want { if got := Bulletf("%s", msg); got != want {
t.Errorf("Bulletf() = %v, want %v", got, want) t.Errorf("Bulletf() = %v, want %v", got, want)
} }
} }
@ -36,7 +36,7 @@ func TestBulletf(t *testing.T) {
func TestBullet(t *testing.T) { func TestBullet(t *testing.T) {
msg := "Bullet message" msg := "Bullet message"
wantN := 28 wantN := 28
gotN := Bullet(msg) gotN := Bullet("%s", msg)
if gotN != wantN { if gotN != wantN {
t.Errorf("Bullet() = %v, want %v", gotN, wantN) t.Errorf("Bullet() = %v, want %v", gotN, wantN)
} }
@ -45,7 +45,7 @@ func TestBullet(t *testing.T) {
func TestStepf(t *testing.T) { func TestStepf(t *testing.T) {
msg := "Step message" msg := "Step message"
want := "\033[1;32mStep message\033[0m\n" want := "\033[1;32mStep message\033[0m\n"
if got := Stepf(msg); got != want { if got := Stepf("%s", msg); got != want {
t.Errorf("Stepf() = %v, want %v", got, want) t.Errorf("Stepf() = %v, want %v", got, want)
} }
} }
@ -53,7 +53,7 @@ func TestStepf(t *testing.T) {
func TestStep(t *testing.T) { func TestStep(t *testing.T) {
msg := "Step message" msg := "Step message"
wantN := 24 wantN := 24
gotN := Step(msg) gotN := Step("%s", msg)
if gotN != wantN { if gotN != wantN {
t.Errorf("Step() = %v, want %v", gotN, wantN) t.Errorf("Step() = %v, want %v", gotN, wantN)
} }
@ -62,7 +62,7 @@ func TestStep(t *testing.T) {
func TestSuccessf(t *testing.T) { func TestSuccessf(t *testing.T) {
msg := "Success message" msg := "Success message"
want := "\033[1;32m ✓ \033[0mSuccess message\n" want := "\033[1;32m ✓ \033[0mSuccess message\n"
if got := Successf(msg); got != want { if got := Successf("%s", msg); got != want {
t.Errorf("Successf() = %v, want %v", got, want) t.Errorf("Successf() = %v, want %v", got, want)
} }
} }
@ -70,7 +70,7 @@ func TestSuccessf(t *testing.T) {
func TestSuccess(t *testing.T) { func TestSuccess(t *testing.T) {
msg := "Success message" msg := "Success message"
wantN := 32 wantN := 32
gotN := Success(msg) gotN := Success("%s", msg)
if gotN != wantN { if gotN != wantN {
t.Errorf("Success() = %v, want %v", gotN, wantN) t.Errorf("Success() = %v, want %v", gotN, wantN)
} }
@ -79,7 +79,7 @@ func TestSuccess(t *testing.T) {
func TestWarningf(t *testing.T) { func TestWarningf(t *testing.T) {
msg := "Warning message" msg := "Warning message"
want := "\033[1;33m ‼ \033[0mWarning message\n" want := "\033[1;33m ‼ \033[0mWarning message\n"
if got := Warningf(msg); got != want { if got := Warningf("%s", msg); got != want {
t.Errorf("Warningf() = %v, want %v", got, want) t.Errorf("Warningf() = %v, want %v", got, want)
} }
} }
@ -87,7 +87,7 @@ func TestWarningf(t *testing.T) {
func TestWarning(t *testing.T) { func TestWarning(t *testing.T) {
msg := "Warning message" msg := "Warning message"
wantN := 32 wantN := 32
gotN := Warning(msg) gotN := Warning("%s", msg)
if gotN != wantN { if gotN != wantN {
t.Errorf("Warning() = %v, want %v", gotN, wantN) t.Errorf("Warning() = %v, want %v", gotN, wantN)
} }
@ -96,7 +96,7 @@ func TestWarning(t *testing.T) {
func TestError(t *testing.T) { func TestError(t *testing.T) {
msg := "Error message" msg := "Error message"
wantN := 30 wantN := 30
gotN := Error(msg) gotN := Error("%s", msg)
if gotN != wantN { if gotN != wantN {
t.Errorf("Error() = %v, want %v", gotN, wantN) t.Errorf("Error() = %v, want %v", gotN, wantN)
} }
@ -105,7 +105,7 @@ func TestError(t *testing.T) {
func TestFatalf(t *testing.T) { func TestFatalf(t *testing.T) {
msg := "Error message" msg := "Error message"
want := "\033[1;31m ✗ Error: \033[0mError message\n" want := "\033[1;31m ✗ Error: \033[0mError message\n"
if got := Fatalf(msg); got != want { if got := Fatalf("%s", msg); got != want {
t.Errorf("Fatalf() = %v, want %v", got, want) t.Errorf("Fatalf() = %v, want %v", got, want)
} }
} }

2
tests/cmd/main.go
View file

@ -197,6 +197,6 @@ func main() {
os.Exit(1) os.Exit(1)
} }
if err != nil { if err != nil {
logging.Fatal(err.Error()) logging.Fatal("%s", err.Error())
} }
} }

4
tests/integration/scenario.go
View file

@ -102,13 +102,13 @@ func (t *Test) Run(dryRun bool) (ran int, nb int, err error) {
if !strings.Contains(cmd, "{{") { if !strings.Contains(cmd, "{{") {
nb++ nb++
if dryRun { if dryRun {
logging.Bullet(cmd) logging.Bullet("%s", cmd)
} else { } else {
cmdErr := t.run(cmd, strings.Join(test.Stdin, "\n")) cmdErr := t.run(cmd, strings.Join(test.Stdin, "\n"))
if cmdErr != nil { if cmdErr != nil {
logging.Error("%v", cmdErr) logging.Error("%v", cmdErr)
} else { } else {
logging.Success(cmd) logging.Success("%s", cmd)
} }
} }
} }