feat(profile): improve support for ubuntu & kubuntu.
This commit is contained in:
parent
523522dd1d
commit
7e79d5abef
47 changed files with 180 additions and 40 deletions
|
|
@ -31,6 +31,11 @@
|
|||
member=Embed
|
||||
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||
interface=org.a11y.atspi.Socket
|
||||
member=Embed
|
||||
peer=(name=org.a11y.atspi.Registry),
|
||||
|
||||
# Session bus
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
|
|
@ -38,6 +43,11 @@
|
|||
member=GetAll
|
||||
peer=(name=@{busname}, label="@{p_dbus_accessibility}"),
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get
|
||||
peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.a11y.Bus
|
||||
member=Get
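Review bot: The second `member=Embed` rule added in the first hunk uses `peer=(name=org.a11y.atspi.Registry),` with no label, so it accepts any process that has claimed that well-known name on the accessibility bus and it fully subsumes the labeled `peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),` rule kept just above it. If the registry runs unconfined on Ubuntu/Kubuntu, the labeled rule is now dead and the unlabeled one should carry a comment such as `# at-spi2 registryd may run unconfined on Ubuntu` so the missing label is not read as an oversight; otherwise prefer widening `@{p_at_spi2_registryd}` over dropping the label. The `org.a11y.Bus` `Get` rule at the end of the second hunk has no `peer=` either, which is probably fine for a property read but is inconsistent with the `GetAll` rule right above it.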
|
||||
|
|
|
|||
|
|
@ -6,6 +6,10 @@
|
|||
|
||||
include <abstractions/graphics>
|
||||
|
||||
@{sys}/devices/@{pci}/numa_node r,
|
||||
|
||||
@{PROC}/devices r,
|
||||
|
||||
/dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511
|
||||
/dev/nvidia-uvm rw,
|
||||
/dev/nvidia-uvm-tools rw,
|
||||
|
|
|
|||
|
|
@ -20,6 +20,7 @@
|
|||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/knotifications{5,6}/*.notifyrc r,
|
||||
/usr/share/kubuntu-default-settings/{,**} r, #aa:only ubuntu
|
||||
|
||||
/etc/xdg/baloofilerc r,
|
||||
/etc/xdg/kcminputrc r,
|
||||
|
|
@ -44,7 +45,7 @@
|
|||
owner @{user_config_dirs}/menus/ r,
|
||||
owner @{user_config_dirs}/menus/applications-merged/ r,
|
||||
owner @{user_config_dirs}/session/ rw,
|
||||
owner @{user_config_dirs}/session/@{profile_name}* rwlk,
|
||||
owner @{user_config_dirs}/session/*_@{hex}_@{int}_@{int} rwlk,
|
||||
owner @{user_config_dirs}/session/#@{int} rw,
|
||||
owner @{user_config_dirs}/trashrc r,
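Review bot: If `owner @{user_config_dirs}/session/*_@{hex}_@{int}_@{int} rwlk,` is the new side of this one-line change, it replaces the `@{profile_name}*` prefix with a bare `*`, so every profile that includes this abstraction can read, write, lock and link the session files of every other KDE application. Keep the profile name as the prefix: `owner @{user_config_dirs}/session/@{profile_name}_@{hex}_@{int}_@{int} rwlk,`. If a Kubuntu application writes its session file under a different basename, add that name explicitly rather than the wildcard.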
|
||||
|
||||
|
|
|
|||
|
|
@ -42,4 +42,6 @@
|
|||
|
||||
@{PROC}/sys/dev/xe/observation_paranoid r,
|
||||
|
||||
/dev/udmabuf rw, # In upstream, but not released yet
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
|
|||
|
|
@ -11,6 +11,8 @@ profile dpkg-script-linux @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/common/debconf>
|
||||
|
||||
capability dac_read_search,
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
@{bin}/cat ix,
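Review bot: `capability dac_read_search,` is added without a comment; the linux maintainer scripts already run as root, so this grant only matters when they traverse a directory root itself cannot (root-squashed NFS, a 0700 directory owned by another uid), and nothing in the hunk shows which path triggered it. Add a one-line reason above it, e.g. `# dac_read_search: <path that produced the denial>`, so the capability is not copied into the other dpkg-script profiles by habit. The enclosing `profile dpkg-script-linux` body continues outside this section.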
|
||||
|
|
|
|||
|
|
@ -168,6 +168,7 @@ profile dpkg-scripts @{exec_path} {
|
|||
/usr/local/ r,
|
||||
/usr/local/lib/ r,
|
||||
|
||||
/var/cache/ldconfig/ rw,
|
||||
owner /var/cache/ldconfig/aux-cache* rw,
|
||||
|
||||
include if exists <local/dpkg-scripts_ldconfig>
|
||||
|
|
|
|||
|
|
@ -52,9 +52,11 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/touch ix,
|
||||
@{bin}/uname ix,
|
||||
|
||||
@{bin}/dpkg-deb px,
|
||||
@{bin}/apt-listchanges Px,
|
||||
@{bin}/df Px,
|
||||
@{bin}/dmesg Px,
|
||||
@{bin}/dpkg Px,
|
||||
@{bin}/dpkg-deb px,
|
||||
@{bin}/dpkg-divert Px,
|
||||
@{bin}/etckeeper Px,
|
||||
@{bin}/ischroot Px,
|
||||
|
|
@ -90,7 +92,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/pki/fwupd/{,**} r,
|
||||
/etc/profile.d/* r,
|
||||
/etc/ssh/moduli r,
|
||||
/etc/ssh/ssh_config r,
|
||||
@{etc_ro}/ssh/sshd_config r,
|
||||
@{etc_ro}/ssh/sshd_config.d/{,*} r,
|
||||
/etc/ufw/{,**} r,
|
||||
/etc/update-manager/{,**} r,
|
||||
/etc/update-motd.d/{,**} r,
|
||||
|
|
@ -98,7 +101,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/vmware-tools/{,**} r,
|
||||
|
||||
/var/log/unattended-upgrades/{,**} rw,
|
||||
/var/crash/*.crash w,
|
||||
/var/crash/*.crash rw,
|
||||
|
||||
/var/lib/apt/periodic/unattended-upgrades-stamp w,
|
||||
/var/lib/dpkg/info/{,*} r,
|
||||
|
|
@ -112,8 +115,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/apt/lists/ rw,
|
||||
/var/lib/apt/lists/partial/ rw,
|
||||
/var/lib/apt/periodic/ w,
|
||||
/var/log/apt/{term,history}.log w,
|
||||
/var/log/apt/eipp.log.xz w,
|
||||
/var/log/apt/*.log* rw,
|
||||
|
||||
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
|
||||
owner @{run}/unattended-upgrades.lock rwk,
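Review bot: `@{bin}/dpkg-deb px,` is the only child transition in this list that keeps the parent's environment (lower-case `p`) while every sibling uses `Px`; unless dpkg-deb depends on an inherited variable, `@{bin}/dpkg-deb Px,` is the safer spelling for a root-run updater, or a comment should name the variable it needs. Separately, `/var/log/apt/*.log* rw,` is wider than the explicit `{term,history}.log` and `eipp.log.xz` write rules it appears to replace and now also matches rotated logs; if only those three files are written, the explicit rules were tighter. The enclosing `profile unattended-upgrade` block starts and ends outside this section.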
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ include <tunables/global>
|
|||
profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/python>
|
||||
|
||||
|
|
|
|||
|
|
@ -10,8 +10,9 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/bluetooth/obexd
|
||||
profile obexd @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/ca.desrt.dconf.Writer>
|
||||
include <abstractions/user-download-strict>
|
||||
|
||||
network bluetooth stream,
|
||||
|
|
|
|||
|
|
@ -45,6 +45,7 @@ profile chromium-wrapper @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
# Silencer
|
||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||
deny @{user_share_dirs}/gnome-shell/session.gvdb rw,
|
||||
|
||||
include if exists <local/chromium-wrapper>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -21,6 +21,8 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/ r,
|
||||
|
||||
owner @{cache_dirs}/firefox/*/startupCache/scriptCache-* r,
|
||||
owner @{cache_dirs}/firefox/*/startupCache/startupCache* r,
|
||||
|
||||
|
|
|
|||
|
|
@ -23,8 +23,9 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
|
|||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
signal (receive) set=(term hup kill) peer=dbus-session,
|
||||
signal (receive) set=(term hup kill) peer=gdm{,-session-worker},
|
||||
signal receive set=(term hup kill) peer=dbus-session,
|
||||
signal receive set=(term hup kill) peer=gdm{,-session-worker},
|
||||
signal receive set=(term hup kill) peer=gnome-session-binary,
|
||||
|
||||
unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0),
|
||||
|
||||
|
|
@ -71,10 +72,10 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/kernel/security/apparmor/features/dbus/mask r,
|
||||
@{sys}/module/apparmor/parameters/enabled r,
|
||||
|
||||
@{PROC}/@{pid}/cmdline r,
|
||||
@{PROC}/1/cgroup r,
|
||||
owner @{PROC}/@{pid}/attr/apparmor/current r,
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/fdinfo/@{int} r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/ibus>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
|
|
@ -27,8 +28,6 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{desktop_config_dirs}/ibus/bus/ r,
|
||||
owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
|
||||
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/ibus-memconf>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -76,10 +76,8 @@ profile wireplumber @{exec_path} {
|
|||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||
|
||||
@{PROC}/1/cgroup r,
|
||||
@{PROC}/1/cmdline r,
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
@{PROC}/@{pid}/cgroup r,
|
||||
@{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
|
||||
/dev/media@{int} rw,
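Review bot: Replacing `owner @{PROC}/@{pid}/cmdline r,` and `@{PROC}/1/cmdline r,` with the unowned `@{PROC}/@{pid}/cmdline r,` (and the same for `cgroup`) lets wireplumber read the command line of every process on the system, including other users' sessions, where arguments sometimes carry credentials. If the removed rules were only short of pid 1 and the daemon's own threads, `@{PROC}/1/{cgroup,cmdline} r,` plus the `owner` forms is enough; if wireplumber really inspects arbitrary client pids, say so in a comment and limit the widening to `cmdline` rather than also `cgroup`. The enclosing `profile wireplumber` block starts outside this section.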
|
||||
|
|
|
|||
|
|
@ -45,6 +45,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||
interface=org.freedesktop.host.portal.Registry
|
||||
member=Register
|
||||
peer=(name=@{busname}),
|
||||
dbus receive bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.portal.NetworkMonitor
|
||||
member=GetStatus
|
||||
peer=(name=@{busname}, label=snap.*),
|
||||
|
||||
#aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor
|
||||
|
||||
|
|
|
|||
|
|
@ -47,6 +47,10 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
|
|||
member=GetAll
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus send bus=session path=/org/gnome/Shell
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=@{busname}, label=gnome-shell),
|
||||
dbus receive bus=session path=/org/gnome/Shell
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged
|
||||
|
|
|
|||
|
|
@ -12,8 +12,12 @@ profile xrandr @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
capability dac_read_search,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{run}/sddm/xauth_@{rand6} r,
|
||||
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/xrandr>
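Review bot: `capability dac_read_search,` together with `@{run}/sddm/xauth_@{rand6} r,` lets xrandr bypass DAC on reads, which only takes effect when it is run as root (presumably from SDDM's `Xsetup` script) and then exposes SDDM's root-owned X authority cookie to it. That may well be the intent, but neither line carries a comment; add something like `# Run as root by sddm Xsetup; reads the root-owned xauth cookie` above the capability so the grant is not removed or copied blindly.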
|
||||
|
|
|
|||
|
|
@ -20,7 +20,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
|
|||
signal (receive) set=(term hup) peer=kwin_wayland,
|
||||
signal (receive) set=(term hup) peer=login,
|
||||
|
||||
unix type=stream addr=none peer=(label=gnome-shell, addr=none),
|
||||
unix type=stream peer=(label=gnome-shell),
|
||||
unix type=stream peer=(label=kwin_wayland),
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
|
|
|
|||
|
|
@ -33,10 +33,16 @@ profile deja-dup-monitor @{exec_path} {
|
|||
member=GetAll
|
||||
peer=(name=:*, label=NetworkManager),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/UPower/PowerProfiles
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=@{busname}, label=power-profiles-daemon),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/chrt rix,
|
||||
@{bin}/ionice rix,
|
||||
@{bin}/deja-dup Px,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ profile gdm-generate-config @{exec_path} {
|
|||
capability setgid,
|
||||
capability setuid,
|
||||
|
||||
ptrace read,
|
||||
# ptrace read,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
@ -45,7 +45,6 @@ profile gdm-generate-config @{exec_path} {
|
|||
@{PROC}/@{pid}/cgroup r,
|
||||
@{PROC}/@{pid}/cmdline r,
|
||||
@{PROC}/@{pid}/stat r,
|
||||
@{PROC}/tty/drivers r,
|
||||
@{PROC}/uptime r,
|
||||
|
||||
profile pgrep {
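Review bot: `# ptrace read,` replaces the live `ptrace read,` rule with a commented-out copy, which leaves dead configuration that the next reader cannot tell apart from a pending change. If the rule is no longer needed, delete the line; if it is only needed on some distributions, keep it active with the `#aa:only` marker this commit appears to use elsewhere (`/usr/share/kubuntu-default-settings/{,**} r, #aa:only ubuntu`). The `pgrep` child profile opened on the last line of this hunk has its body outside the visible section.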
|
||||
|
|
|
|||
|
|
@ -64,6 +64,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/gnome-shell/{,**} r,
|
||||
/usr/share/thumbnailers/{,**} r,
|
||||
|
||||
/tmp/ r,
|
||||
/var/tmp/ r,
|
||||
|
|
@ -76,9 +77,15 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner @{HOME}/ r,
|
||||
|
||||
owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
|
||||
owner @{user_cache_dirs}/gstreamer-1.0/ rw,
|
||||
owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
|
||||
owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
|
||||
owner @{user_share_dirs}/nautilus/scripts/ r,
|
||||
|
||||
owner @{user_desktop_dirs}/ r,
|
||||
owner @{user_templates_dirs}/ r,
|
||||
|
||||
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
|
||||
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
|
@ -91,6 +98,8 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
|||
/dev/ r,
|
||||
/dev/tty rw,
|
||||
|
||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||
|
||||
include if exists <local/gjs-console>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/yelp @{bin}/gnome-help
|
||||
profile yelp @{exec_path} {
|
||||
profile yelp @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/bus-system>
|
||||
|
|
@ -30,7 +30,9 @@ profile yelp @{exec_path} {
|
|||
|
||||
/etc/xml/{,**} r,
|
||||
|
||||
@{sys}/firmware/acpi/pm_profile r,
|
||||
@{sys}/devices/virtual/dmi/id/chassis_type r,
|
||||
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r,
|
||||
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r,
|
||||
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.current r,
|
||||
|
|
|
|||
|
|
@ -68,9 +68,13 @@ profile snap @{exec_path} flags=(attach_disconnected) {
|
|||
/var/cache/snapd/names r,
|
||||
|
||||
@{DESKTOP_HOME}/snap/{,**} rw,
|
||||
@{HOME}/snap/{,**} rw,
|
||||
/snap/{,**} rw,
|
||||
|
||||
@{HOME}/snap/{,**} rw,
|
||||
owner @{HOME}/ r,
|
||||
owner @{HOME}/.snap.mkdir-new/ rw,
|
||||
owner @{HOME}/.snap/{,**} rw,
|
||||
|
||||
owner @{tmp}/snapd-auto-import-mount-@{int}/ rw,
|
||||
|
||||
@{run}/user/@{uid}/bus rw,
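Review bot: `/snap/{,**} rw,` grants the snap client write access to the whole `/snap` tree, which is mostly read-only squashfs mounts plus the `/snap/bin` wrappers, so the `w` half is at best unused and at worst lets a compromised client replace wrappers where `/snap` is a plain directory. Unless a log shows a specific write, `/snap/{,**} r,` is sufficient; the new `owner @{HOME}/.snap.mkdir-new/ rw,` is already scoped correctly. `@{HOME}/snap/{,**} rw,` and the new `@{DESKTOP_HOME}/snap/{,**} rw,` are unowned; adding `owner` would keep the client out of other users' snap data when run as root.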
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ include <tunables/global>
|
|||
@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib}
|
||||
|
||||
@{exec_path} = @{lib_dirs}/snapd/snap-seccomp
|
||||
profile snap-seccomp @{exec_path} {
|
||||
profile snap-seccomp @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
|||
|
|
@ -34,7 +34,6 @@ profile snapd @{exec_path} {
|
|||
capability setuid,
|
||||
capability sys_admin,
|
||||
capability sys_ptrace,
|
||||
capability sys_resource,
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
|
|
|||
|
|
@ -55,6 +55,7 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) {
|
|||
@{exec_path} mr,
|
||||
|
||||
@{bin}/@{shells} Ux, #aa:exclude RBAC
|
||||
@{bin}/userdbctl Px,
|
||||
@{lib}/{openssh,ssh}/sshd-auth Px,
|
||||
|
||||
@{etc_rw}/motd r,
|
||||
|
|
|
|||
|
|
@ -29,10 +29,12 @@ profile apport-gtk @{exec_path} {
|
|||
network inet6 stream,
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network netlink raw,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{sh_path} rix,
|
||||
@{python_path} rix,
|
||||
@{bin}/{f,}grep rix,
|
||||
@{bin}/apt-cache rPx,
|
||||
@{bin}/cut rix,
|
||||
|
|
@ -43,20 +45,24 @@ profile apport-gtk @{exec_path} {
|
|||
@{bin}/gsettings rPx,
|
||||
@{bin}/ischroot rPx,
|
||||
@{bin}/journalctl rPx,
|
||||
@{sbin}/killall5 rix,
|
||||
@{bin}/kmod rPx,
|
||||
@{bin}/ldd rix,
|
||||
@{bin}/lsb_release rPx,
|
||||
@{bin}/md5sum rix,
|
||||
@{bin}/pkexec rCx -> pkexec,
|
||||
@{bin}/readlink rix,
|
||||
@{bin}/systemctl rCx -> systemctl,
|
||||
@{bin}/systemd-detect-virt rPx,
|
||||
@{bin}/uname rix,
|
||||
@{bin}/which{,.debianutils} rix,
|
||||
@{sbin}/killall5 rix,
|
||||
@{lib}/{,colord/}colord-sane rPx,
|
||||
@{lib}/@{multiarch}/ld*.so* rix,
|
||||
/usr/share/apport/root_info_wrapper rix,
|
||||
|
||||
@{bin}/* r,
|
||||
@{sbin}/* r,
|
||||
|
||||
/usr/share/apport/{,**} r,
|
||||
/usr/share/apport/general-hooks/*.py r,
|
||||
|
||||
|
|
@ -79,9 +85,10 @@ profile apport-gtk @{exec_path} {
|
|||
/var/crash/ rw,
|
||||
owner /var/crash/*.@{uid}.{crash,upload} rw,
|
||||
|
||||
@{run}/cloud-init/cloud.cfg r,
|
||||
@{run}/snapd.socket rw,
|
||||
|
||||
owner @{tmp}/@{rand8} rw,
|
||||
owner @{tmp}/@{word8} rw,
|
||||
owner @{tmp}/apport_core_@{rand8} rw,
|
||||
owner @{tmp}/launchpadlib.cache.@{rand8}/ rw,
|
||||
owner @{tmp}/tmp@{rand8}/{,**} rw,
|
||||
|
|
@ -135,6 +142,15 @@ profile apport-gtk @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/app/systemctl>
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get
|
||||
peer=(name=org.freedesktop.systemd1, label=unconfined),
|
||||
dbus send bus=system path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd1.Manager
|
||||
member=GetUnitFileState
|
||||
peer=(name=org.freedesktop.systemd1, label=unconfined),
|
||||
|
||||
include if exists <local/apport-gtk_systemctl>
|
||||
}
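Review bot: The two new D-Bus rules in the `systemctl` child profile pin systemd with `peer=(name=org.freedesktop.systemd1, label=unconfined)`, while the rest of this commit addresses the same peer through `label="@{p_systemd}"` (the cockpit-wsinstance-factory rules). Using `peer=(name=org.freedesktop.systemd1, label="@{p_systemd}")` keeps the rules valid if systemd is ever confined and matches the project's variable. The enclosing `profile apport-gtk` block begins outside this section.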
|
||||
|
||||
|
|
|
|||
|
|
@ -14,6 +14,7 @@ profile apt_news @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/python>
|
||||
|
||||
capability chown,
|
||||
capability fowner,
|
||||
capability kill,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
|
|
|
|||
|
|
@ -14,10 +14,22 @@ profile ubuntu-fan-net @{exec_path} {
|
|||
|
||||
@{sh_path} mr,
|
||||
@{bin}/{m,g,}awk ix,
|
||||
@{bin}/kmod Cx -> kmod,
|
||||
@{bin}/{,e}grep ix,
|
||||
@{bin}/networkctl Px,
|
||||
@{sbin}/fanctl Px,
|
||||
|
||||
profile kmod {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app/kmod>
|
||||
|
||||
capability sys_module,
|
||||
|
||||
@{sys}/module/compression r,
|
||||
|
||||
include if exists <local/ubuntu-fan-net_kmod>
|
||||
}
|
||||
|
||||
include if exists <local/ubuntu-fan-net>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ profile update-notifier @{exec_path} {
|
|||
unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user,
|
||||
|
||||
#aa:dbus talk bus=system name=org.debian.apt label=apt
|
||||
#aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell
|
||||
#aa:dbus talk bus=session name=org.ayatana.NotificationItem interface+=org.kde.StatusNotifierItem label=gnome-shell
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ profile update-notifier-crash @{exec_path} {
|
|||
@{bin}/{,e}grep ix,
|
||||
@{bin}/groups Px,
|
||||
@{bin}/systemctl Cx -> systemctl,
|
||||
@{bin}/which{,.debianutils} ix,
|
||||
@{bin}/which{,.debianutils} rix,
|
||||
@{sh_path} mr,
|
||||
/usr/share/apport/apport-checkreports Px,
|
||||
|
||||
|
|
|
|||
|
|
@ -54,6 +54,7 @@ profile login @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/shells r,
|
||||
|
||||
/var/lib/faillock/@{user} rwk,
|
||||
/var/lib/lastlog/ r,
|
||||
/var/log/btmp{,.@{int}} r,
|
||||
|
||||
owner @{user_cache_dirs}/motd.legal-displayed rw,
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ profile cockpit-tls @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/etc/cockpit/ws-certs.d/{,**} r,
|
||||
|
||||
@{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock r,
|
||||
@{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock rw,
|
||||
@{att}/@{run}/cockpit/wsinstance/https-factory.sock rw,
|
||||
|
||||
owner @{run}/cockpit/tls/{,**} rw,
|
||||
|
|
|
|||
|
|
@ -11,12 +11,23 @@ profile cockpit-wsinstance-factory @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/bus-system>
|
||||
|
||||
unix bind type=stream addr=@@{udbus}/bus/cockpit-wsinsta/system,
|
||||
|
||||
capability net_admin,
|
||||
|
||||
unix bind type=stream addr=@@{udbus}/bus/cockpit-wsinsta/system,
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd1.Manager
|
||||
member=JobRemoved
|
||||
peer=(name=@{busname}, label="@{p_systemd}"),
|
||||
dbus send bus=system path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd1.Manager
|
||||
member=StartUnit
|
||||
peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{run}/cockpit/wsinstance/https-factory.sock w,
|
||||
|
||||
include if exists <local/cockpit-wsinstance-factory>
|
||||
}
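Review bot: `capability net_admin,` is added with no comment on which operation triggered it; for a factory that only binds its D-Bus socket, listens on `https-factory.sock` and asks systemd to `StartUnit`, net_admin is a broad grant covering routing, firewall and privileged socket options. If the denial came from a `setsockopt` on the listening socket and the caller tolerates the failure, a `deny capability net_admin,` silencer is the tighter choice; otherwise keep the grant with `# net_admin: <reason>` above it.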
|
||||
|
||||
|
|
|
|||
|
|
@ -46,18 +46,18 @@ profile dhclient-script @{exec_path} {
|
|||
@{bin}/rm rix,
|
||||
@{bin}/run-parts rCx -> run-parts,
|
||||
@{bin}/sed rix,
|
||||
@{sbin}/sysctl rix,
|
||||
@{sbin}/sysctl rCx -> sysctl,
|
||||
@{bin}/tr rix,
|
||||
@{bin}/xxd rix,
|
||||
|
||||
@{etc_rw}/resolv.conf rw,
|
||||
@{etc_rw}/resolv.conf.dhclient-new.@{pid} rw,
|
||||
@{etc_rw}/samba/dhcp.conf{,.new} rw,
|
||||
/etc/default/ddclient r,
|
||||
/etc/dhcp/{,**} r,
|
||||
/etc/fstab r,
|
||||
/etc/iproute2/rt_tables r,
|
||||
/etc/iproute2/rt_tables.d/{,*} r,
|
||||
@{etc_rw}/resolv.conf rw,
|
||||
@{etc_rw}/resolv.conf.dhclient-new.@{pid} rw,
|
||||
@{etc_rw}/samba/dhcp.conf{,.new} rw,
|
||||
|
||||
/var/lib/dhcp/dhclient.leases r,
|
||||
/var/lib/samba/dhcp.conf{,.new} rw,
|
||||
|
|
@ -71,8 +71,17 @@ profile dhclient-script @{exec_path} {
|
|||
@{sys}/devices/virtual/dmi/id/board_vendor r,
|
||||
|
||||
owner @{PROC}/@{pid}/loginuid r,
|
||||
|
||||
profile sysctl {
|
||||
include <abstractions/base>
|
||||
|
||||
@{sbin}/sysctl mr,
|
||||
|
||||
@{PROC}/sys/net/ipv6/conf/*/stable_secret w,
|
||||
|
||||
include if exists <local/dhclient-script_sysctl>
|
||||
}
|
||||
|
||||
profile run-parts {
|
||||
include <abstractions/base>
|
||||
|
||||
|
|
|
|||
|
|
@ -13,6 +13,8 @@ profile dracut-install @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/cp rix,
|
||||
|
||||
/etc/modprobe.d/{,**} r,
|
||||
|
||||
@{sys}/devices/platform/{,**/} r,
|
||||
|
|
|
|||
|
|
@ -67,6 +67,10 @@ profile kernel @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/app/kmod>
|
||||
|
||||
capability sys_module,
|
||||
|
||||
@{sys}/module/compression r,
|
||||
|
||||
include if exists <local/kernel_kmod>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -17,6 +17,7 @@ profile lsb-release @{exec_path} flags=(attach_disconnected) {
|
|||
@{exec_path} mr,
|
||||
|
||||
@{sh_path} rix,
|
||||
@{bin}/ r,
|
||||
@{bin}/basename rix,
|
||||
@{bin}/cat rix,
|
||||
@{bin}/cut rix,
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ profile initramfs-hooks @{exec_path} {
|
|||
@{sh_path} rix,
|
||||
@{coreutils_path} rix,
|
||||
@{bin}/cpio ix,
|
||||
@{bin}/dpkg Cx -> child-dpkg,
|
||||
@{bin}/dpkg Px,
|
||||
@{bin}/fc-cache ix,
|
||||
@{bin}/ischroot Px,
|
||||
@{bin}/ldd Cx -> ldd,
|
||||
|
|
|
|||
|
|
@ -9,9 +9,13 @@ include <tunables/global>
|
|||
@{exec_path} = /etc/update-motd.d/*
|
||||
profile motd @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability net_admin,
|
||||
|
||||
network inet6 stream,
|
||||
network inet6 stream,
|
||||
|
||||
@{exec_path} mr,
|
||||
@{bin}/ r,
|
||||
|
||||
|
|
@ -44,7 +48,7 @@ profile motd @{exec_path} {
|
|||
/var/lib/ubuntu-advantage/messages/motd-esm-announce r,
|
||||
/var/lib/cloud/instances/nocloud/cloud-config.txt r,
|
||||
|
||||
# /tmp/tmp.@{rand10} rw,
|
||||
/tmp/tmp.@{rand10} rw,
|
||||
|
||||
@{run}/cloud-init/cloud.cfg r,
|
||||
@{run}/motd.d/{,*} r,
|
||||
|
|
@ -62,6 +66,8 @@ profile motd @{exec_path} {
|
|||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/ssl_certs>
|
||||
|
||||
capability net_admin,
|
||||
|
||||
network inet dgram,
|
||||
network inet stream,
|
||||
network inet6 dgram,
|
||||
|
|
@ -70,6 +76,8 @@ profile motd @{exec_path} {
|
|||
|
||||
@{bin}/wget mr,
|
||||
|
||||
/etc/wgetrc r,
|
||||
|
||||
/tmp/tmp.@{rand10} rw,
|
||||
|
||||
include if exists <local/motd_wget>
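Review bot: `/tmp/tmp.@{rand10} rw,` is uncommented in the main profile and repeated in the `wget` child, but neither is scoped with `owner`, and these scripts run as root against a world-writable directory; a `mktemp` create is safe, but the later read/write by wget would follow a file swapped in by another user on systems with `protected_symlinks` disabled. Use `owner @{tmp}/tmp.@{rand10} rw,` in both places, which also matches the `@{tmp}` convention used elsewhere in this commit. The new `capability net_admin,` in both profiles likewise lacks a comment saying which call needs it, and `network inet6 stream,` appears twice in the first hunk.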
|
||||
|
|
|
|||
|
|
@ -38,10 +38,10 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/class/ r,
|
||||
@{sys}/class/drm/ r,
|
||||
@{sys}/class/power_supply/ r,
|
||||
@{sys}/devices/**/status r,
|
||||
@{sys}/devices/**/power_supply/*/scope r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/system/cpu/*_pstate/{no_turbo,turbo_pct} r,
|
||||
@{sys}/devices/system/cpu/*_pstate/status r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/power/energy_perf_bias rw,
|
||||
@{sys}/devices/system/cpu/cpufreq/ r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw,
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/qdbus @{lib}/qt{5,6}/bin/qdbus
|
||||
profile qdbus @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/bus-system>
|
||||
|
||||
capability net_admin,
|
||||
capability sys_admin,
|
||||
capability sys_nice,
|
||||
|
||||
network netlink raw,
|
||||
|
|
|
|||
|
|
@ -18,6 +18,8 @@ profile update-info-dir @{exec_path} {
|
|||
@{bin}/find ix,
|
||||
@{bin}/rm ix,
|
||||
|
||||
/etc/environment r,
|
||||
|
||||
include if exists <local/update-info-dir>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -10,10 +10,17 @@ include <tunables/global>
|
|||
profile whoopsie @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/ssl_certs>
|
||||
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
|
||||
network inet dgram,
|
||||
network inet stream,
|
||||
network inet6 dgram,
|
||||
network inet6 dgram,
|
||||
network netlink raw,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/var/crash/ r,
|
||||
|
|
@ -22,6 +29,9 @@ profile whoopsie @{exec_path} {
|
|||
/var/lib/whoopsie/whoopsie-id rw,
|
||||
/var/lib/whoopsie/whoopsie-id.@{rand6} rw,
|
||||
|
||||
/var/crash/*.@{uid}.crash r,
|
||||
owner /var/crash/*.@{uid}.uploaded rw,
|
||||
|
||||
owner @{run}/lock/whoopsie/ rw,
|
||||
owner @{run}/lock/whoopsie/lock rwk,
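Review bot: `network inet6 dgram,` appears twice in the new network block; if both lines are on the new side, one is a duplicate, and the `inet dgram`/`inet stream` pair above suggests the second was meant to be `network inet6 stream,`. The new `capability setuid,`/`capability setgid,` and the unowned `/var/crash/*.@{uid}.crash r,` are consistent with a daemon that drops to its own user and then reads every user's reports, but a one-line comment stating that would make the grants self-explanatory. The enclosing `profile whoopsie` block ends outside this section.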
|
||||
|
||||
|
|
|
|||
|
|
@ -27,6 +27,7 @@ profile wsdd @{exec_path} {
|
|||
|
||||
owner /var/lib/libuuid/clock.txt rw,
|
||||
|
||||
@{run}/uuidd/request rw,
|
||||
owner @{run}/user/@{uid}/gvfsd/wsdd w,
|
||||
|
||||
include if exists <local/wsdd>
|
||||
|
|
|
|||
|
|
@ -16,6 +16,8 @@ profile xbrlapi @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
include if exists <local/xbrlapi>
|
||||
}
|
||||
|
||||
|
|
|
|||