feat(profile): improve support for ubuntu & kubuntu.

This commit is contained in:
Alexandre Pujol 2025-08-17 17:15:24 +02:00
parent 523522dd1d
commit 7e79d5abef
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
47 changed files with 180 additions and 40 deletions


@ -31,6 +31,11 @@
member=Embed member=Embed
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry),
# Session bus # Session bus
dbus send bus=session path=/org/a11y/bus dbus send bus=session path=/org/a11y/bus
@ -38,6 +43,11 @@
member=GetAll member=GetAll
peer=(name=@{busname}, label="@{p_dbus_accessibility}"), peer=(name=@{busname}, label="@{p_dbus_accessibility}"),
dbus send bus=session path=/org/a11y/bus
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
dbus send bus=session path=/org/a11y/bus dbus send bus=session path=/org/a11y/bus
interface=org.a11y.Bus interface=org.a11y.Bus
member=Get member=Get
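Review bot: The added accessibility-bus `Embed` rule pins its peer by well-known name only, `peer=(name=org.a11y.atspi.Registry),`, while the rule just above it also requires `label="@{p_at_spi2_registryd}"`; the unlabelled form accepts whichever process currently owns that name, so if it exists for a distribution where the registry runs unconfined, a comment saying so would stop the two rules from being merged later. If the registry is confined on every targeted system, the new rule is redundant with the labelled one and can be dropped. The enclosing abstraction starts and ends outside the hunk.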


@ -6,6 +6,10 @@
include <abstractions/graphics> include <abstractions/graphics>
@{sys}/devices/@{pci}/numa_node r,
@{PROC}/devices r,
/dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511
/dev/nvidia-uvm rw, /dev/nvidia-uvm rw,
/dev/nvidia-uvm-tools rw, /dev/nvidia-uvm-tools rw,


@ -20,6 +20,7 @@
/usr/share/hwdata/*.ids r, /usr/share/hwdata/*.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/knotifications{5,6}/*.notifyrc r, /usr/share/knotifications{5,6}/*.notifyrc r,
/usr/share/kubuntu-default-settings/{,**} r, #aa:only ubuntu
/etc/xdg/baloofilerc r, /etc/xdg/baloofilerc r,
/etc/xdg/kcminputrc r, /etc/xdg/kcminputrc r,
@ -44,7 +45,7 @@
owner @{user_config_dirs}/menus/ r, owner @{user_config_dirs}/menus/ r,
owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/menus/applications-merged/ r,
owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/ rw,
owner @{user_config_dirs}/session/@{profile_name}* rwlk, owner @{user_config_dirs}/session/*_@{hex}_@{int}_@{int} rwlk,
owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/session/#@{int} rw,
owner @{user_config_dirs}/trashrc r, owner @{user_config_dirs}/trashrc r,
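Review bot: The session rule now reads `owner @{user_config_dirs}/session/*_@{hex}_@{int}_@{int} rwlk,` and drops the `@{profile_name}` prefix that scoped the previous rule, so every profile including this abstraction can read, write and lock the session files of every other KDE application. If the file names still begin with the application name, `owner @{user_config_dirs}/session/@{profile_name}_@{hex}_@{int}_@{int} rwlk,` keeps the new suffix without the cross-application access; if the prefix genuinely differs from the profile name on Kubuntu, a comment giving an example file name would document why the wildcard is needed. The enclosing file starts and ends outside the hunk.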


@ -42,4 +42,6 @@
@{PROC}/sys/dev/xe/observation_paranoid r, @{PROC}/sys/dev/xe/observation_paranoid r,
/dev/udmabuf rw, # In upstream, but not released yet
# vim:syntax=apparmor # vim:syntax=apparmor
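Review bot: The comment on `/dev/udmabuf rw, # In upstream, but not released yet` does not say which upstream it refers to, and udmabuf access lets a process wrap its own memory as a dma-buf that it can hand to other devices, so a reader later deciding whether to keep or drop the line has little to go on. Name the project and, if possible, the rule being mirrored, e.g. `# Mirrors the <UPSTREAM-PROJECT-PLACEHOLDER> rule; not yet in a released version`. The hunk ends at the file's trailer, so the enclosing block is complete.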


@ -11,6 +11,8 @@ profile dpkg-script-linux @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/common/debconf> include <abstractions/common/debconf>
capability dac_read_search,
@{exec_path} mrix, @{exec_path} mrix,
@{bin}/cat ix, @{bin}/cat ix,
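Review bot: `capability dac_read_search,` is added to dpkg-script-linux with no comment on which maintainer-script step needs it; it lets the confined process read any file and traverse any directory regardless of mode bits, which is a wide grant for a profile whose visible rules are otherwise narrow. A one-line note on the trigger would let a later maintainer verify it is still required, e.g. `capability dac_read_search, # <path or tool that produced the denial>`. The profile body continues outside the hunk.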


@ -168,6 +168,7 @@ profile dpkg-scripts @{exec_path} {
/usr/local/ r, /usr/local/ r,
/usr/local/lib/ r, /usr/local/lib/ r,
/var/cache/ldconfig/ rw,
owner /var/cache/ldconfig/aux-cache* rw, owner /var/cache/ldconfig/aux-cache* rw,
include if exists <local/dpkg-scripts_ldconfig> include if exists <local/dpkg-scripts_ldconfig>


@ -52,9 +52,11 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
@{bin}/touch ix, @{bin}/touch ix,
@{bin}/uname ix, @{bin}/uname ix,
@{bin}/dpkg-deb px,
@{bin}/apt-listchanges Px, @{bin}/apt-listchanges Px,
@{bin}/df Px,
@{bin}/dmesg Px,
@{bin}/dpkg Px, @{bin}/dpkg Px,
@{bin}/dpkg-deb px,
@{bin}/dpkg-divert Px, @{bin}/dpkg-divert Px,
@{bin}/etckeeper Px, @{bin}/etckeeper Px,
@{bin}/ischroot Px, @{bin}/ischroot Px,
@ -90,7 +92,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
/etc/pki/fwupd/{,**} r, /etc/pki/fwupd/{,**} r,
/etc/profile.d/* r, /etc/profile.d/* r,
/etc/ssh/moduli r, /etc/ssh/moduli r,
/etc/ssh/ssh_config r, @{etc_ro}/ssh/sshd_config r,
@{etc_ro}/ssh/sshd_config.d/{,*} r,
/etc/ufw/{,**} r, /etc/ufw/{,**} r,
/etc/update-manager/{,**} r, /etc/update-manager/{,**} r,
/etc/update-motd.d/{,**} r, /etc/update-motd.d/{,**} r,
@ -98,7 +101,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
/etc/vmware-tools/{,**} r, /etc/vmware-tools/{,**} r,
/var/log/unattended-upgrades/{,**} rw, /var/log/unattended-upgrades/{,**} rw,
/var/crash/*.crash w, /var/crash/*.crash rw,
/var/lib/apt/periodic/unattended-upgrades-stamp w, /var/lib/apt/periodic/unattended-upgrades-stamp w,
/var/lib/dpkg/info/{,*} r, /var/lib/dpkg/info/{,*} r,
@ -112,8 +115,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
/var/lib/apt/lists/ rw, /var/lib/apt/lists/ rw,
/var/lib/apt/lists/partial/ rw, /var/lib/apt/lists/partial/ rw,
/var/lib/apt/periodic/ w, /var/lib/apt/periodic/ w,
/var/log/apt/{term,history}.log w, /var/log/apt/*.log* rw,
/var/log/apt/eipp.log.xz w,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
owner @{run}/unattended-upgrades.lock rwk, owner @{run}/unattended-upgrades.lock rwk,
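Review bot: In the second hunk `@{etc_ro}/ssh/sshd_config r,` replaces `/etc/ssh/ssh_config r,` instead of being added beside it, so read access to the client configuration is silently lost; if the old line covered a real denial, keep both, and if it was wrong, a word in the commit message would help. Two other widenings in this file deserve a comment: `/var/crash/*.crash rw,` now lets the upgrader read crash reports (which can carry core-dump data) rather than only write them, and `/var/log/apt/*.log* rw,` folds the previous write-only rules into read-write over every apt log. Stating which step needs each grant would make them reviewable. The profile body continues outside the hunk.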


@ -11,6 +11,7 @@ include <tunables/global>
profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/fonts>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/python> include <abstractions/python>
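Review bot: Adding `include <abstractions/fonts>` to blueman-mechanism, a root-running D-Bus helper with no user interface, is surprising enough to merit a one-line comment naming what reads fonts (presumably a GTK/GLib import pulled in by the Python module, but that is not visible here), so the include is not later mistaken for a copy-paste from blueman's GUI profiles. The profile body continues outside the hunk.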


@ -10,8 +10,9 @@ include <tunables/global>
@{exec_path} = @{lib}/bluetooth/obexd @{exec_path} = @{lib}/bluetooth/obexd
profile obexd @{exec_path} { profile obexd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/ca.desrt.dconf.Writer>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
network bluetooth stream, network bluetooth stream,
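Review bot: `include <abstractions/bus/ca.desrt.dconf.Writer>` gives obexd, judging by the abstraction's name, send access to the dconf writer service, which none of the prior rules granted; a comment naming the setting obexd changes would justify the grant, and if it only reads configuration, a narrower read-side abstraction is preferable if the project provides one. The profile body continues outside the hunk.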


@ -45,6 +45,7 @@ profile chromium-wrapper @{exec_path} flags=(attach_disconnected) {
# Silencer # Silencer
deny @{user_share_dirs}/gvfs-metadata/* r, deny @{user_share_dirs}/gvfs-metadata/* r,
deny @{user_share_dirs}/gnome-shell/session.gvdb rw,
include if exists <local/chromium-wrapper> include if exists <local/chromium-wrapper>
} }


@ -21,6 +21,8 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/ r,
owner @{cache_dirs}/firefox/*/startupCache/scriptCache-* r, owner @{cache_dirs}/firefox/*/startupCache/scriptCache-* r,
owner @{cache_dirs}/firefox/*/startupCache/startupCache* r, owner @{cache_dirs}/firefox/*/startupCache/startupCache* r,


@ -23,8 +23,9 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
signal (receive) set=(term hup kill) peer=dbus-session, signal receive set=(term hup kill) peer=dbus-session,
signal (receive) set=(term hup kill) peer=gdm{,-session-worker}, signal receive set=(term hup kill) peer=gdm{,-session-worker},
signal receive set=(term hup kill) peer=gnome-session-binary,
unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0), unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0),
@ -71,10 +72,10 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
@{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/kernel/security/apparmor/features/dbus/mask r,
@{sys}/module/apparmor/parameters/enabled r, @{sys}/module/apparmor/parameters/enabled r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/1/cgroup r, @{PROC}/1/cgroup r,
owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/attr/apparmor/current r,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/fdinfo/@{int} r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
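Review bot: Replacing `owner @{PROC}/@{pid}/cmdline r,` with the unowned `@{PROC}/@{pid}/cmdline r,` lets the accessibility bus read the command line of every process on the system, and command lines routinely carry tokens and passwords passed as arguments; if the daemon only looks up connecting peers (plausible, but not visible here), record that on the line, e.g. `@{PROC}/@{pid}/cmdline r, # peer lookup for connecting clients`. The wireplumber hunk in this commit makes the same move, turning `@{PROC}/1/cmdline r,` and `@{PROC}/1/cgroup r,` plus the owner rules into unowned `@{pid}` rules; there, keeping the explicit pid-1 and owner rules is narrower unless wireplumber really inspects other processes. The profile body continues outside the hunk.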


@ -11,6 +11,7 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus/org.gtk.vfs.MountTracker> include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/consoles>
include <abstractions/ibus> include <abstractions/ibus>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -27,8 +28,6 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) {
owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/ r,
owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
owner /dev/tty@{int} rw,
include if exists <local/ibus-memconf> include if exists <local/ibus-memconf>
} }


@ -76,10 +76,8 @@ profile wireplumber @{exec_path} {
@{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/sys_vendor r,
@{PROC}/1/cgroup r, @{PROC}/@{pid}/cgroup r,
@{PROC}/1/cmdline r, @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/dev/media@{int} rw, /dev/media@{int} rw,


@ -45,6 +45,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.host.portal.Registry interface=org.freedesktop.host.portal.Registry
member=Register member=Register
peer=(name=@{busname}), peer=(name=@{busname}),
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.NetworkMonitor
member=GetStatus
peer=(name=@{busname}, label=snap.*),
#aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor


@ -47,6 +47,10 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
member=GetAll member=GetAll
peer=(name=:*, label=gnome-shell), peer=(name=:*, label=gnome-shell),
dbus send bus=session path=/org/gnome/Shell
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=@{busname}, label=gnome-shell),
dbus receive bus=session path=/org/gnome/Shell dbus receive bus=session path=/org/gnome/Shell
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=PropertiesChanged member=PropertiesChanged


@ -12,8 +12,12 @@ profile xrandr @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/X-strict> include <abstractions/X-strict>
capability dac_read_search,
@{exec_path} mr, @{exec_path} mr,
@{run}/sddm/xauth_@{rand6} r,
owner /dev/tty@{int} rw, owner /dev/tty@{int} rw,
include if exists <local/xrandr> include if exists <local/xrandr>
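Review bot: `capability dac_read_search,` and `@{run}/sddm/xauth_@{rand6} r,` arrive together with no comment; if the capability exists only so xrandr can open an SDDM authority file that the invoking user cannot read, the narrower fix is for the caller to export a readable XAUTHORITY, because dac_read_search lets the confined xrandr read any file on the system, not just that cookie. If the capability is unavoidable, note the trigger on the line, e.g. `capability dac_read_search, # read sddm xauth cookie from Xsetup`. The profile starts outside the hunk.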


@ -20,7 +20,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
signal (receive) set=(term hup) peer=kwin_wayland, signal (receive) set=(term hup) peer=kwin_wayland,
signal (receive) set=(term hup) peer=login, signal (receive) set=(term hup) peer=login,
unix type=stream addr=none peer=(label=gnome-shell, addr=none), unix type=stream peer=(label=gnome-shell),
unix type=stream peer=(label=kwin_wayland),
@{exec_path} mrix, @{exec_path} mrix,


@ -33,10 +33,16 @@ profile deja-dup-monitor @{exec_path} {
member=GetAll member=GetAll
peer=(name=:*, label=NetworkManager), peer=(name=:*, label=NetworkManager),
dbus send bus=system path=/org/freedesktop/UPower/PowerProfiles
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=@{busname}, label=power-profiles-daemon),
@{exec_path} mr, @{exec_path} mr,
@{bin}/chrt rix, @{bin}/chrt rix,
@{bin}/ionice rix, @{bin}/ionice rix,
@{bin}/deja-dup Px,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,


@ -18,7 +18,7 @@ profile gdm-generate-config @{exec_path} {
capability setgid, capability setgid,
capability setuid, capability setuid,
ptrace read, # ptrace read,
@{exec_path} mr, @{exec_path} mr,
@ -45,7 +45,6 @@ profile gdm-generate-config @{exec_path} {
@{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/stat r, @{PROC}/@{pid}/stat r,
@{PROC}/tty/drivers r,
@{PROC}/uptime r, @{PROC}/uptime r,
profile pgrep { profile pgrep {
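Review bot: `# ptrace read,` is left commented out rather than deleted, with nothing saying whether the rule was never needed or was dropped on purpose, so the next person to see a ptrace denial cannot tell if re-enabling it is the intended fix. Either remove the line or attach the reason, e.g. `# ptrace read, # <why it is no longer needed>`. The profile body continues outside the hunk.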


@ -64,6 +64,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/usr/share/gnome-shell/{,**} r, /usr/share/gnome-shell/{,**} r,
/usr/share/thumbnailers/{,**} r,
/tmp/ r, /tmp/ r,
/var/tmp/ r, /var/tmp/ r,
@ -76,9 +77,15 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
owner @{user_cache_dirs}/gstreamer-1.0/ rw, owner @{user_cache_dirs}/gstreamer-1.0/ rw,
owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
owner @{user_share_dirs}/nautilus/scripts/ r,
owner @{user_desktop_dirs}/ r,
owner @{user_templates_dirs}/ r,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
@ -91,6 +98,8 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
/dev/ r, /dev/ r,
/dev/tty rw, /dev/tty rw,
deny @{user_share_dirs}/gvfs-metadata/* r,
include if exists <local/gjs-console> include if exists <local/gjs-console>
} }


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/yelp @{bin}/gnome-help @{exec_path} = @{bin}/yelp @{bin}/gnome-help
profile yelp @{exec_path} { profile yelp @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio-client> include <abstractions/audio-client>
include <abstractions/bus-system> include <abstractions/bus-system>
@ -30,7 +30,9 @@ profile yelp @{exec_path} {
/etc/xml/{,**} r, /etc/xml/{,**} r,
@{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/firmware/acpi/pm_profile r,
@{sys}/devices/virtual/dmi/id/chassis_type r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.current r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.current r,
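Review bot: `flags=(attach_disconnected)` is added to the yelp profile header without a note on which disconnected path prompted it; the flag makes files outside the process's namespace appear as if rooted at `/`, so existing path rules can match objects they were not written for. A short comment on the header, or a line in the commit message, naming the trigger would make the flag reviewable; the same applies to the snap-seccomp header change in this commit. The profile body continues outside the hunk.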


@ -68,9 +68,13 @@ profile snap @{exec_path} flags=(attach_disconnected) {
/var/cache/snapd/names r, /var/cache/snapd/names r,
@{DESKTOP_HOME}/snap/{,**} rw, @{DESKTOP_HOME}/snap/{,**} rw,
@{HOME}/snap/{,**} rw,
/snap/{,**} rw, /snap/{,**} rw,
@{HOME}/snap/{,**} rw,
owner @{HOME}/ r,
owner @{HOME}/.snap.mkdir-new/ rw,
owner @{HOME}/.snap/{,**} rw,
owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, owner @{tmp}/snapd-auto-import-mount-@{int}/ rw,
@{run}/user/@{uid}/bus rw, @{run}/user/@{uid}/bus rw,


@ -9,7 +9,7 @@ include <tunables/global>
@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib}
@{exec_path} = @{lib_dirs}/snapd/snap-seccomp @{exec_path} = @{lib_dirs}/snapd/snap-seccomp
profile snap-seccomp @{exec_path} { profile snap-seccomp @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>


@ -34,7 +34,6 @@ profile snapd @{exec_path} {
capability setuid, capability setuid,
capability sys_admin, capability sys_admin,
capability sys_ptrace, capability sys_ptrace,
capability sys_resource,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,


@ -55,6 +55,7 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{bin}/@{shells} Ux, #aa:exclude RBAC @{bin}/@{shells} Ux, #aa:exclude RBAC
@{bin}/userdbctl Px,
@{lib}/{openssh,ssh}/sshd-auth Px, @{lib}/{openssh,ssh}/sshd-auth Px,
@{etc_rw}/motd r, @{etc_rw}/motd r,


@ -29,10 +29,12 @@ profile apport-gtk @{exec_path} {
network inet6 stream, network inet6 stream,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
network netlink raw,
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix, @{sh_path} rix,
@{python_path} rix,
@{bin}/{f,}grep rix, @{bin}/{f,}grep rix,
@{bin}/apt-cache rPx, @{bin}/apt-cache rPx,
@{bin}/cut rix, @{bin}/cut rix,
@ -43,20 +45,24 @@ profile apport-gtk @{exec_path} {
@{bin}/gsettings rPx, @{bin}/gsettings rPx,
@{bin}/ischroot rPx, @{bin}/ischroot rPx,
@{bin}/journalctl rPx, @{bin}/journalctl rPx,
@{sbin}/killall5 rix,
@{bin}/kmod rPx, @{bin}/kmod rPx,
@{bin}/ldd rix, @{bin}/ldd rix,
@{bin}/lsb_release rPx, @{bin}/lsb_release rPx,
@{bin}/md5sum rix, @{bin}/md5sum rix,
@{bin}/pkexec rCx -> pkexec, @{bin}/pkexec rCx -> pkexec,
@{bin}/readlink rix,
@{bin}/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,
@{bin}/systemd-detect-virt rPx, @{bin}/systemd-detect-virt rPx,
@{bin}/uname rix, @{bin}/uname rix,
@{bin}/which{,.debianutils} rix, @{bin}/which{,.debianutils} rix,
@{sbin}/killall5 rix,
@{lib}/{,colord/}colord-sane rPx, @{lib}/{,colord/}colord-sane rPx,
@{lib}/@{multiarch}/ld*.so* rix, @{lib}/@{multiarch}/ld*.so* rix,
/usr/share/apport/root_info_wrapper rix, /usr/share/apport/root_info_wrapper rix,
@{bin}/* r,
@{sbin}/* r,
/usr/share/apport/{,**} r, /usr/share/apport/{,**} r,
/usr/share/apport/general-hooks/*.py r, /usr/share/apport/general-hooks/*.py r,
@ -79,9 +85,10 @@ profile apport-gtk @{exec_path} {
/var/crash/ rw, /var/crash/ rw,
owner /var/crash/*.@{uid}.{crash,upload} rw, owner /var/crash/*.@{uid}.{crash,upload} rw,
@{run}/cloud-init/cloud.cfg r,
@{run}/snapd.socket rw, @{run}/snapd.socket rw,
owner @{tmp}/@{rand8} rw, owner @{tmp}/@{word8} rw,
owner @{tmp}/apport_core_@{rand8} rw, owner @{tmp}/apport_core_@{rand8} rw,
owner @{tmp}/launchpadlib.cache.@{rand8}/ rw, owner @{tmp}/launchpadlib.cache.@{rand8}/ rw,
owner @{tmp}/tmp@{rand8}/{,**} rw, owner @{tmp}/tmp@{rand8}/{,**} rw,
@ -135,6 +142,15 @@ profile apport-gtk @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/systemctl> include <abstractions/app/systemctl>
dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.systemd1, label=unconfined),
dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=GetUnitFileState
peer=(name=org.freedesktop.systemd1, label=unconfined),
include if exists <local/apport-gtk_systemctl> include if exists <local/apport-gtk_systemctl>
} }
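Review bot: `@{bin}/* r,` and `@{sbin}/* r,` in the third hunk give apport-gtk read access to every executable on the system, and the first hunk adds `@{python_path} rix,`, which runs the interpreter under this profile's own confinement; together they are wide enough to warrant a comment naming the apport step that needs them (hook execution and inspecting the crashed executable are plausible, but not visible here). The systemctl subprofile's new `dbus send` rules to `org.freedesktop.systemd1` are limited to `Get` and `GetUnitFileState`, which is the narrow form and fine as is. The profile starts outside the hunk.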


@ -14,6 +14,7 @@ profile apt_news @{exec_path} flags=(attach_disconnected) {
include <abstractions/python> include <abstractions/python>
capability chown, capability chown,
capability fowner,
capability kill, capability kill,
capability setgid, capability setgid,
capability setuid, capability setuid,


@ -14,10 +14,22 @@ profile ubuntu-fan-net @{exec_path} {
@{sh_path} mr, @{sh_path} mr,
@{bin}/{m,g,}awk ix, @{bin}/{m,g,}awk ix,
@{bin}/kmod Cx -> kmod,
@{bin}/{,e}grep ix, @{bin}/{,e}grep ix,
@{bin}/networkctl Px, @{bin}/networkctl Px,
@{sbin}/fanctl Px, @{sbin}/fanctl Px,
profile kmod {
include <abstractions/base>
include <abstractions/app/kmod>
capability sys_module,
@{sys}/module/compression r,
include if exists <local/ubuntu-fan-net_kmod>
}
include if exists <local/ubuntu-fan-net> include if exists <local/ubuntu-fan-net>
} }
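Review bot: The new `kmod` child profile carries `capability sys_module,` and `@{sys}/module/compression r,` next to `include <abstractions/app/kmod>`, and the kernel profile's kmod subprofile later in this commit adds exactly the same two lines beside the same include; if every kmod child needs them, moving both into `abstractions/app/kmod` keeps the copies from drifting apart. Confining the module load to a child profile instead of granting sys_module to ubuntu-fan-net itself is the right shape. The profile starts outside the hunk.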


@ -25,7 +25,7 @@ profile update-notifier @{exec_path} {
unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user, unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user,
#aa:dbus talk bus=system name=org.debian.apt label=apt #aa:dbus talk bus=system name=org.debian.apt label=apt
#aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell #aa:dbus talk bus=session name=org.ayatana.NotificationItem interface+=org.kde.StatusNotifierItem label=gnome-shell
@{exec_path} mr, @{exec_path} mr,


@ -16,7 +16,7 @@ profile update-notifier-crash @{exec_path} {
@{bin}/{,e}grep ix, @{bin}/{,e}grep ix,
@{bin}/groups Px, @{bin}/groups Px,
@{bin}/systemctl Cx -> systemctl, @{bin}/systemctl Cx -> systemctl,
@{bin}/which{,.debianutils} ix, @{bin}/which{,.debianutils} rix,
@{sh_path} mr, @{sh_path} mr,
/usr/share/apport/apport-checkreports Px, /usr/share/apport/apport-checkreports Px,


@ -54,6 +54,7 @@ profile login @{exec_path} flags=(attach_disconnected) {
/etc/shells r, /etc/shells r,
/var/lib/faillock/@{user} rwk, /var/lib/faillock/@{user} rwk,
/var/lib/lastlog/ r,
/var/log/btmp{,.@{int}} r, /var/log/btmp{,.@{int}} r,
owner @{user_cache_dirs}/motd.legal-displayed rw, owner @{user_cache_dirs}/motd.legal-displayed rw,


@ -17,7 +17,7 @@ profile cockpit-tls @{exec_path} flags=(attach_disconnected) {
/etc/cockpit/ws-certs.d/{,**} r, /etc/cockpit/ws-certs.d/{,**} r,
@{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock r, @{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock rw,
@{att}/@{run}/cockpit/wsinstance/https-factory.sock rw, @{att}/@{run}/cockpit/wsinstance/https-factory.sock rw,
owner @{run}/cockpit/tls/{,**} rw, owner @{run}/cockpit/tls/{,**} rw,


@ -11,12 +11,23 @@ profile cockpit-wsinstance-factory @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-system> include <abstractions/bus-system>
unix bind type=stream addr=@@{udbus}/bus/cockpit-wsinsta/system,
capability net_admin, capability net_admin,
unix bind type=stream addr=@@{udbus}/bus/cockpit-wsinsta/system,
dbus receive bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=JobRemoved
peer=(name=@{busname}, label="@{p_systemd}"),
dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=StartUnit
peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
@{exec_path} mr, @{exec_path} mr,
@{run}/cockpit/wsinstance/https-factory.sock w,
include if exists <local/cockpit-wsinstance-factory> include if exists <local/cockpit-wsinstance-factory>
} }
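Review bot: The added `dbus send ... interface=org.freedesktop.systemd1.Manager member=StartUnit` rule lets cockpit-wsinstance-factory ask systemd to start any unit, because AppArmor D-Bus rules cannot constrain method arguments; the grant is what the factory needs to spawn its wsinstance units, but a comment should record that the unit name is not enforced here and that systemd's own policy is what limits it, e.g. `# StartUnit cannot be restricted to cockpit-wsinstance units by AppArmor`. The `JobRemoved` receive rule is correctly pinned to the systemd label. The profile starts outside the hunk.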


@ -46,18 +46,18 @@ profile dhclient-script @{exec_path} {
@{bin}/rm rix, @{bin}/rm rix,
@{bin}/run-parts rCx -> run-parts, @{bin}/run-parts rCx -> run-parts,
@{bin}/sed rix, @{bin}/sed rix,
@{sbin}/sysctl rix, @{sbin}/sysctl rCx -> sysctl,
@{bin}/tr rix, @{bin}/tr rix,
@{bin}/xxd rix, @{bin}/xxd rix,
@{etc_rw}/resolv.conf rw,
@{etc_rw}/resolv.conf.dhclient-new.@{pid} rw,
@{etc_rw}/samba/dhcp.conf{,.new} rw,
/etc/default/ddclient r, /etc/default/ddclient r,
/etc/dhcp/{,**} r, /etc/dhcp/{,**} r,
/etc/fstab r, /etc/fstab r,
/etc/iproute2/rt_tables r, /etc/iproute2/rt_tables r,
/etc/iproute2/rt_tables.d/{,*} r, /etc/iproute2/rt_tables.d/{,*} r,
@{etc_rw}/resolv.conf rw,
@{etc_rw}/resolv.conf.dhclient-new.@{pid} rw,
@{etc_rw}/samba/dhcp.conf{,.new} rw,
/var/lib/dhcp/dhclient.leases r, /var/lib/dhcp/dhclient.leases r,
/var/lib/samba/dhcp.conf{,.new} rw, /var/lib/samba/dhcp.conf{,.new} rw,
@ -71,7 +71,16 @@ profile dhclient-script @{exec_path} {
@{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r,
owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/loginuid r,
@{PROC}/sys/net/ipv6/conf/*/stable_secret w,
profile sysctl {
include <abstractions/base>
@{sbin}/sysctl mr,
@{PROC}/sys/net/ipv6/conf/*/stable_secret w,
include if exists <local/dhclient-script_sysctl>
}
profile run-parts { profile run-parts {
include <abstractions/base> include <abstractions/base>
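Review bot: In the second hunk `@{PROC}/sys/net/ipv6/conf/*/stable_secret w,` is added both to the dhclient-script profile itself and to the new `sysctl` child profile; since `@{sbin}/sysctl` now transitions with `rCx -> sysctl`, the parent-level write is only needed if the script writes the file through a shell redirection rather than via sysctl, so either drop the parent line or comment the direct write it covers. Moving sysctl into a child so the parent no longer holds a write into `/proc/sys` is a good narrowing. The run-parts child profile continues outside the hunk.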


@ -13,6 +13,8 @@ profile dracut-install @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{bin}/cp rix,
/etc/modprobe.d/{,**} r, /etc/modprobe.d/{,**} r,
@{sys}/devices/platform/{,**/} r, @{sys}/devices/platform/{,**/} r,


@ -67,6 +67,10 @@ profile kernel @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/kmod> include <abstractions/app/kmod>
capability sys_module,
@{sys}/module/compression r,
include if exists <local/kernel_kmod> include if exists <local/kernel_kmod>
} }


@ -17,6 +17,7 @@ profile lsb-release @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix, @{sh_path} rix,
@{bin}/ r,
@{bin}/basename rix, @{bin}/basename rix,
@{bin}/cat rix, @{bin}/cat rix,
@{bin}/cut rix, @{bin}/cut rix,


@ -17,7 +17,7 @@ profile initramfs-hooks @{exec_path} {
@{sh_path} rix, @{sh_path} rix,
@{coreutils_path} rix, @{coreutils_path} rix,
@{bin}/cpio ix, @{bin}/cpio ix,
@{bin}/dpkg Cx -> child-dpkg, @{bin}/dpkg Px,
@{bin}/fc-cache ix, @{bin}/fc-cache ix,
@{bin}/ischroot Px, @{bin}/ischroot Px,
@{bin}/ldd Cx -> ldd, @{bin}/ldd Cx -> ldd,
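Review bot: Changing `@{bin}/dpkg Cx -> child-dpkg,` to `@{bin}/dpkg Px,` stops referencing the `child-dpkg` subprofile; if that subprofile is still defined further down in this file (not visible here), it is now dead policy and should go in the same change, and if it was already removed, the commit message could say so. Transitioning to the standalone dpkg profile is otherwise the cleaner choice. The profile body continues outside the hunk.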


@ -9,9 +9,13 @@ include <tunables/global>
@{exec_path} = /etc/update-motd.d/* @{exec_path} = /etc/update-motd.d/*
profile motd @{exec_path} { profile motd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict>
capability net_admin, capability net_admin,
network inet6 stream,
network inet6 stream,
@{exec_path} mr, @{exec_path} mr,
@{bin}/ r, @{bin}/ r,
@ -44,7 +48,7 @@ profile motd @{exec_path} {
/var/lib/ubuntu-advantage/messages/motd-esm-announce r, /var/lib/ubuntu-advantage/messages/motd-esm-announce r,
/var/lib/cloud/instances/nocloud/cloud-config.txt r, /var/lib/cloud/instances/nocloud/cloud-config.txt r,
# /tmp/tmp.@{rand10} rw, /tmp/tmp.@{rand10} rw,
@{run}/cloud-init/cloud.cfg r, @{run}/cloud-init/cloud.cfg r,
@{run}/motd.d/{,*} r, @{run}/motd.d/{,*} r,
@ -62,6 +66,8 @@ profile motd @{exec_path} {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
capability net_admin,
network inet dgram, network inet dgram,
network inet stream, network inet stream,
network inet6 dgram, network inet6 dgram,
@ -70,6 +76,8 @@ profile motd @{exec_path} {
@{bin}/wget mr, @{bin}/wget mr,
/etc/wgetrc r,
/tmp/tmp.@{rand10} rw, /tmp/tmp.@{rand10} rw,
include if exists <local/motd_wget> include if exists <local/motd_wget>
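Review bot: `network inet6 stream,` appears twice in the first hunk as two single-column lines in a hunk with four additions and no deletions, so the profile seems to gain the same rule twice; one of them is probably meant to be `network inet stream,` or should be dropped. In the wget child profile, `capability net_admin,` is added with no comment, and wget does not normally need it; if the denial came from a socket option or a routing probe, noting it on the line, e.g. `capability net_admin, # <operation that produced the denial>`, would let a later maintainer remove it once the cause is gone. The wget child profile continues outside the hunk.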


@ -38,10 +38,10 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
@{sys}/class/ r, @{sys}/class/ r,
@{sys}/class/drm/ r, @{sys}/class/drm/ r,
@{sys}/class/power_supply/ r, @{sys}/class/power_supply/ r,
@{sys}/devices/**/status r,
@{sys}/devices/**/power_supply/*/scope r, @{sys}/devices/**/power_supply/*/scope r,
@{sys}/devices/**/uevent r, @{sys}/devices/**/uevent r,
@{sys}/devices/system/cpu/*_pstate/{no_turbo,turbo_pct} r, @{sys}/devices/system/cpu/*_pstate/{no_turbo,turbo_pct} r,
@{sys}/devices/system/cpu/*_pstate/status r,
@{sys}/devices/system/cpu/cpu@{int}/power/energy_perf_bias rw, @{sys}/devices/system/cpu/cpu@{int}/power/energy_perf_bias rw,
@{sys}/devices/system/cpu/cpufreq/ r, @{sys}/devices/system/cpu/cpufreq/ r,
@{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw, @{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw,


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/qdbus @{lib}/qt{5,6}/bin/qdbus @{exec_path} = @{bin}/qdbus @{lib}/qt{5,6}/bin/qdbus
profile qdbus @{exec_path} { profile qdbus @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session>
@{exec_path} mr, @{exec_path} mr,


@ -12,6 +12,7 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus-system> include <abstractions/bus-system>
capability net_admin, capability net_admin,
capability sys_admin,
capability sys_nice, capability sys_nice,
network netlink raw, network netlink raw,
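Review bot: `capability sys_admin,` is the broadest capability AppArmor can grant and is added to switcheroo-control without saying which call needs it; a comment naming the operation would let the grant be re-checked, and if it is a harmless probe that only produces log noise, an explicit `deny capability sys_admin,` keeps the log quiet without extending the daemon's reach. The profile body continues outside the hunk.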


@ -18,6 +18,8 @@ profile update-info-dir @{exec_path} {
@{bin}/find ix, @{bin}/find ix,
@{bin}/rm ix, @{bin}/rm ix,
/etc/environment r,
include if exists <local/update-info-dir> include if exists <local/update-info-dir>
} }


@ -10,10 +10,17 @@ include <tunables/global>
profile whoopsie @{exec_path} { profile whoopsie @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
capability setgid, capability setgid,
capability setuid, capability setuid,
network inet dgram,
network inet stream,
network inet6 dgram,
network inet6 dgram,
network netlink raw,
@{exec_path} mr, @{exec_path} mr,
/var/crash/ r, /var/crash/ r,
@ -22,6 +29,9 @@ profile whoopsie @{exec_path} {
/var/lib/whoopsie/whoopsie-id rw, /var/lib/whoopsie/whoopsie-id rw,
/var/lib/whoopsie/whoopsie-id.@{rand6} rw, /var/lib/whoopsie/whoopsie-id.@{rand6} rw,
/var/crash/*.@{uid}.crash r,
owner /var/crash/*.@{uid}.uploaded rw,
owner @{run}/lock/whoopsie/ rw, owner @{run}/lock/whoopsie/ rw,
owner @{run}/lock/whoopsie/lock rwk, owner @{run}/lock/whoopsie/lock rwk,
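Review bot: `network inet6 dgram,` is added twice in the first hunk (seven additions, no deletions), while IPv6 gets no `stream` rule even though `network inet stream,` is granted for IPv4 and whoopsie presumably uploads reports over TCP; the second line is most likely meant to be `network inet6 stream,`. The second hunk's `/var/crash/*.@{uid}.crash r,` is unowned where the neighbouring `.uploaded` rule uses `owner`; if whoopsie runs as its own user and the reports belong to the crashing user that is intended, but a comment would make the asymmetry deliberate. The profile body continues outside the hunk.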


@ -27,6 +27,7 @@ profile wsdd @{exec_path} {
owner /var/lib/libuuid/clock.txt rw, owner /var/lib/libuuid/clock.txt rw,
@{run}/uuidd/request rw,
owner @{run}/user/@{uid}/gvfsd/wsdd w, owner @{run}/user/@{uid}/gvfsd/wsdd w,
include if exists <local/wsdd> include if exists <local/wsdd>


@ -16,6 +16,8 @@ profile xbrlapi @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
owner @{HOME}/.xsession-errors w,
include if exists <local/xbrlapi> include if exists <local/xbrlapi>
} }