diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root
index 0681b4a5c..680eb5686 100644
--- a/apparmor.d/abstractions/app-launcher-root
+++ b/apparmor.d/abstractions/app-launcher-root
@@ -3,8 +3,6 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
 @{bin}/* rPUx,
 /usr/local/{s,}bin/* rPUx,
diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user
index 03de251ec..b8806d0af 100644
--- a/apparmor.d/abstractions/app-launcher-user
+++ b/apparmor.d/abstractions/app-launcher-user
@@ -3,8 +3,6 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
 @{bin}/* rPUx,
 /opt/*/** rPUx,
 /usr/share/*/* rPUx,
diff --git a/apparmor.d/abstractions/apt-common b/apparmor.d/abstractions/apt-common
index b6ad71222..dcfd601b4 100644
--- a/apparmor.d/abstractions/apt-common
+++ b/apparmor.d/abstractions/apt-common
@@ -3,8 +3,6 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
 /usr/share/dpkg/cputable r,
 /usr/share/dpkg/tupletable r,
diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium
index 03e7e9114..b6e9de32b 100644
--- a/apparmor.d/abstractions/chromium
+++ b/apparmor.d/abstractions/chromium
@@ -12,8 +12,6 @@
 # @{config_dirs} = @{user_config_dirs}/chromium
 # @{cache_dirs} = @{user_cache_dirs}/chromium
- abi ,
-
 include
 include
 include
diff --git a/apparmor.d/abstractions/chromium-common b/apparmor.d/abstractions/chromium-common
index cd8444037..00a830bba 100644
--- a/apparmor.d/abstractions/chromium-common
+++ b/apparmor.d/abstractions/chromium-common
@@ -6,10 +6,7 @@
 # This abstraction is for chromium based application. Chromium based browsers
 # need to use abstractions/chromium instead.
- abi ,
-
- # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
- # to "1".
+ # Only needed when kernel.unprivileged_userns_clone is set to "1"
 capability sys_admin,
 capability sys_chroot,
 capability setuid,
@@ -18,6 +15,14 @@
 owner @{PROC}/@{pid}/gid_map w,
 owner @{PROC}/@{pid}/uid_map w,
+ owner @{HOME}/.pki/ rw,
+ owner @{HOME}/.pki/nssdb/ rw,
+ owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
+ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
+ owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
+
+ owner @{user_share_dirs}/.org.chromium.Chromium.* rw,
+
 /tmp/ r,
 /var/tmp/ r,
 owner /tmp/.org.chromium.Chromium.* rw,
@@ -30,15 +35,4 @@
 /dev/shm/ r,
 owner /dev/shm/.org.chromium.Chromium.* rw,
- owner @{user_share_dirs}/.org.chromium.Chromium.* rw,
-
- # Should this be read-only? (##FIXME##)
- # To remove the following error:
- # Error initializing NSS with a persistent database
- owner @{HOME}/.pki/ rw,
- owner @{HOME}/.pki/nssdb/ rw,
- owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
- owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
- owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
-
 include if exists
\ No newline at end of file
diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop
index 299d3f9d3..7656cf9ae 100644
--- a/apparmor.d/abstractions/desktop
+++ b/apparmor.d/abstractions/desktop
@@ -2,8 +2,6 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
 include
 include
 include
diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb
index 65a75bd5c..9d9db462e 100644
--- a/apparmor.d/abstractions/devices-usb
+++ b/apparmor.d/abstractions/devices-usb
@@ -3,8 +3,6 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
 /dev/ r,
 /dev/bus/usb/ r,
 /dev/bus/usb/@{int}/ r,
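Review bot: The NSS rules moved to the top of the second hunk (`owner @{HOME}/.pki/ rw,` through `owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,`) arrive without the comment that accompanied them at their old position, so the reason for write and lock access to the user's NSS database, and the still-open question whether read-only would suffice, are no longer recorded anywhere in the file. Keep a one-line note above the first of them, e.g. `# NSS persistent database; rw needed or NSS init fails ("Error initializing NSS with a persistent database")`, and carry the read-only question over as a FIXME if it is unresolved, because `rw`/`rwk` on `.pki/nssdb/` lets every profile including this abstraction modify the user's certificate and key stores rather than only read them. The abstraction continues outside these hunks on both sides.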
diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read
index 93b783f79..fe1586df7 100644
--- a/apparmor.d/abstractions/disks-read
+++ b/apparmor.d/abstractions/disks-read
@@ -3,8 +3,6 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
 # The /sys/ entries probably should be tightened
 /dev/ r,
diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write
index dabe8bb3c..b73818227 100644
--- a/apparmor.d/abstractions/disks-write
+++ b/apparmor.d/abstractions/disks-write
@@ -3,8 +3,6 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
 # The /sys/ entries probably should be tightened
 /dev/ r,
diff --git a/apparmor.d/abstractions/flatpak-snap b/apparmor.d/abstractions/flatpak-snap
index 162031d50..bc6766faa 100644
--- a/apparmor.d/abstractions/flatpak-snap
+++ b/apparmor.d/abstractions/flatpak-snap
@@ -4,8 +4,6 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
 # Flatpak
 /var/lib/flatpak/exports/share/{,**} r,
 /var/lib/flatpak/app/**/export/share/applications/{,*.desktop} r,
diff --git a/apparmor.d/abstractions/fontconfig-cache-read b/apparmor.d/abstractions/fontconfig-cache-read
index a743f9ca8..2873ebe45 100644
--- a/apparmor.d/abstractions/fontconfig-cache-read
+++ b/apparmor.d/abstractions/fontconfig-cache-read
@@ -3,8 +3,6 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
 # The fontconfig cache can be generated via the following command:
 # $ fc-cache -f -v
 # There's no need to give apps the ability to create cache for their own. Apps can generate the
diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write
index 5c70ea37e..c9bb799cd 100644
--- a/apparmor.d/abstractions/fontconfig-cache-write
+++ b/apparmor.d/abstractions/fontconfig-cache-write
@@ -3,8 +3,6 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
 owner @{user_cache_dirs}/fontconfig/ rw,
 owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,
 owner @{user_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk,
diff --git a/apparmor.d/abstractions/fzf b/apparmor.d/abstractions/fzf
index bc86811e1..fa7edfe7f 100644
--- a/apparmor.d/abstractions/fzf
+++ b/apparmor.d/abstractions/fzf
@@ -3,8 +3,6 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
 owner @{HOME}/.fzf/{,**} r,
 owner @{HOME}/.fzf.* r,
diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict
index b973b346f..89777a8b4 100644
--- a/apparmor.d/abstractions/gnome-strict
+++ b/apparmor.d/abstractions/gnome-strict
@@ -2,8 +2,6 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
 include
 include
 include
diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics
index a8e56304c..0df8e05b4 100644
--- a/apparmor.d/abstractions/graphics
+++ b/apparmor.d/abstractions/graphics
@@ -2,8 +2,6 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
 include
 include
 include
diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full
index 963eaac2a..1b19173b0 100644
--- a/apparmor.d/abstractions/graphics-full
+++ b/apparmor.d/abstractions/graphics-full
@@ -2,8 +2,6 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
 include
 @{bin}/nvidia-modprobe Px -> nvidia_modprobe,
diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict
index aa6ad4937..651b477d2 100644
--- a/apparmor.d/abstractions/kde-strict
+++ b/apparmor.d/abstractions/kde-strict
@@ -2,8 +2,6 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
 include
 include
 include
diff --git a/apparmor.d/abstractions/kde4 b/apparmor.d/abstractions/kde4
index 8a712dc2d..819a4e2b6 100644
--- a/apparmor.d/abstractions/kde4
+++ b/apparmor.d/abstractions/kde4
@@ -3,8 +3,6 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
 /usr/share/kde4/** r,
 @{lib}/kde4/*.so mr,
diff --git a/apparmor.d/abstractions/nameservice-strict b/apparmor.d/abstractions/nameservice-strict
index 6b20c5f97..9cfcb76f4 100644
--- a/apparmor.d/abstractions/nameservice-strict
+++ b/apparmor.d/abstractions/nameservice-strict
@@ -3,8 +3,6 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
 @{etc_ro}/default/nss r,
 @{etc_ro}/gai.conf r,
 @{etc_ro}/group r,
diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict
index f011dee43..3ebb4d2b0 100644
--- a/apparmor.d/abstractions/nvidia-strict
+++ b/apparmor.d/abstractions/nvidia-strict
@@ -2,9 +2,6 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
-
 /usr/share/nvidia/nvidia-application-profiles-* r,
 /etc/nvidia/nvidia-application-profiles-* r,
diff --git a/apparmor.d/abstractions/qt5-shader-cache b/apparmor.d/abstractions/qt5-shader-cache
index af35540e7..05c4091f0 100644
--- a/apparmor.d/abstractions/qt5-shader-cache
+++ b/apparmor.d/abstractions/qt5-shader-cache
@@ -3,8 +3,6 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
 owner @{user_cache_dirs}/ w,
 owner @{user_cache_dirs}/qtshadercache/ rw,
 owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
diff --git a/apparmor.d/abstractions/thumbnails-cache-read b/apparmor.d/abstractions/thumbnails-cache-read
index 4d02f3f33..fd256c5e2 100644
--- a/apparmor.d/abstractions/thumbnails-cache-read
+++ b/apparmor.d/abstractions/thumbnails-cache-read
@@ -3,8 +3,6 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
 owner @{HOME}/thumbnails/ r,
 owner @{HOME}/thumbnails/{large,normal}/ r,
 owner @{HOME}/thumbnails/{large,normal}/@{hex}.png r,
diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write
index a50a94ce7..80e2f833f 100644
--- a/apparmor.d/abstractions/thumbnails-cache-write
+++ b/apparmor.d/abstractions/thumbnails-cache-write
@@ -3,8 +3,6 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
 owner @{HOME}/thumbnails/ rw,
 owner @{HOME}/thumbnails/{large,normal}/ rw,
 owner @{HOME}/thumbnails/{large,normal}/#@{int} rw,
diff --git a/apparmor.d/abstractions/user-download-strict b/apparmor.d/abstractions/user-download-strict
index 7a7cce018..ee23bce39 100644
--- a/apparmor.d/abstractions/user-download-strict
+++ b/apparmor.d/abstractions/user-download-strict
@@ -3,8 +3,6 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
 owner @{HOME}/@{XDG_DESKTOP_DIR}/ w,
 owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ w,
diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh
index 45a21fd6b..4addfdac9 100644
--- a/apparmor.d/abstractions/zsh
+++ b/apparmor.d/abstractions/zsh
@@ -6,8 +6,6 @@
 # This abstraction is only required when an interactive shell is started.
 # Classic shell scripts do not need it.
- abi ,
-
 @{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr,
 /usr/share/zsh/{,**} r,