felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update profile from #25 (2).

Browse source
This commit is contained in:
Alexandre Pujol 2022-02-09 19:35:18 +00:00
parent 2f77653cba
commit 810985a0cd
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
38 changed files with 103 additions and 37 deletions
Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/groups/bus/dbus-daemon
View file

@ -68,6 +68,10 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm/.local/share/icc/ r,
/var/lib/gdm/.local/share/icc/edid-*.icc r,
# Extra rules for Flatpak
/var/lib/flatpak/exports/share/dbus-1/{,**} r,
/var/lib/flatpak/app/**/export/share/dbus-1/services/{,**} r,
/dev/dri/card[0-9]* rw,
/dev/input/event[0-9]* rw,

3
apparmor.d/groups/desktop/at-spi-bus-launcher
View file

@ -26,7 +26,8 @@ profile at-spi-bus-launcher @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dbus-daemon rPx,
/{usr/,}bin/dbus-daemon rPx,
/{usr/,}bin/dbus-broker-launch rPUx,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/cgroup r,

20
apparmor.d/groups/desktop/colord
View file

@ -18,17 +18,25 @@ profile colord @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}lib/colord/colord-sane rPx,
@{libexec}/colord-sane rPx,
@{libexec}/colord-sane rPx,
/etc/machine-id r,
/etc/udev/hwdb.bin r,
/usr/share/mime/mime.cache r,
/usr/share/color/icc/{,**} r,
owner /var/lib/colord/** r,
owner /var/lib/colord/.cache/ rw,
owner /var/lib/colord/.cache/** rw,
owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk,
/var/lib/flatpak/exports/share/mime/mime.cache r,
/var/lib/gdm/.local/share/icc/edid-*.icc r,
/etc/udev/hwdb.bin r,
@{user_share_dirs}/icc/edid-*.icc r,
/usr/share/color/icc/{,**} r,
@{run}/systemd/sessions/[0-9]* r,
@{sys}/class/drm/ r,
@{sys}/class/video4linux/ r,
@ -39,11 +47,5 @@ profile colord @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
/usr/share/mime/mime.cache r,
@{user_share_dirs}/icc/edid-*.icc r,
@{run}/systemd/sessions/[0-9]* r,
include if exists <local/colord>
}

3
apparmor.d/groups/gnome/gdm
View file

@ -24,7 +24,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}lib/gdm-session-worker rPx,
/{usr/,}bin/plymouth rPUx,
/{usr/,}lib/gdm-session-worker rPx,
/usr/share/gdm/gdm.schemas r,
/usr/share/wayland-sessions/*.desktop r,

1
apparmor.d/groups/gnome/gdm-session-worker
View file

@ -22,6 +22,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
capability setgid,
capability setuid,
capability sys_nice,
capability sys_resource,
capability sys_tty_config,
signal (receive) set=term peer=gdm,

3
apparmor.d/groups/gnome/gdm-wayland-session
View file

@ -33,8 +33,9 @@ profile gdm-wayland-session @{exec_path} {
/{usr/,}bin/flatpak rPUx,
/{usr/,}lib/gnome-session-binary rPx,
/etc/shells r,
/etc/gdm/custom.conf r,
/etc/machine-id r,
/etc/shells r,
/usr/share/gdm/gdm.schemas r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,

3
apparmor.d/groups/gnome/gnome-control-center-print-renderer
View file

@ -25,6 +25,9 @@ profile gnome-control-center-print-renderer @{exec_path} {
/usr/share/pixmaps/{,**} r,
/usr/share/X11/xkb/** r,
/var/lib/flatpak/exports/share/icons/{,**} r,
/var/lib/flatpak/exports/share/mime/mime.cache r,
owner @{user_cache_dirs}/mesa_shader_cache/index rw,
owner @{user_share_dirs}/icons/{,**} r,

6
apparmor.d/groups/gnome/gnome-session-binary
View file

@ -34,15 +34,15 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/aa-notify rPx,
/{usr/,}bin/blueman-applet rPx,
/{usr/,}bin/firewall-applet rPUx,
/{usr/,}bin/gnome-keyring-daemon rPx,
/{usr/,}bin/gnome-shell rPx,
/{usr/,}bin/pkcs11-register rPx,
/{usr/,}bin/start-pulseaudio-x11 rPx,
/{usr/,}bin/xbrlapi rPx,
/{usr/,}lib/evolution-data-server/evolution-alarm-notify rPx,
/{usr/,}lib/gsd-* rPx,
/{usr/,}bin/pkcs11-register rPx,
/{usr/,}bin/start-pulseaudio-x11 rPx,
/usr/share/applications/org.gnome.Shell.desktop r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,

5
apparmor.d/groups/gnome/gnome-shell
View file

@ -68,7 +68,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
/var/lib/gdm/.config/pulse/ r,
/var/lib/gdm/.config/pulse/client.conf r,
/var/lib/gdm/.config/pulse/cookie rw,
/var/lib/gdm/.config/pulse/cookie rwk,
/var/lib/gdm/.local/share/applications/{,**} r,
/var/lib/gdm/.local/share/gnome-shell/ rw,
@ -106,6 +106,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
/var/lib/flatpak/app/**/gnome-shell/{,**} r,
/var/lib/flatpak/exports/share/gnome-shell/{,**} r,
@{run}/systemd/users/@{uid} r,
@{run}/systemd/seats/seat[0-9]* r,
@{run}/systemd/sessions/ r,

2
apparmor.d/groups/gnome/gnome-system-monitor
View file

@ -30,6 +30,8 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
/usr/share/gnome-system-monitor/{,**} r,
/usr/share/pixmaps/{,**} r,
/etc/machine-id r,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include <abstractions/dconf>

1
apparmor.d/groups/gnome/gsd-color
View file

@ -25,6 +25,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm/.local/share/icc/ rw,
/var/lib/gdm/.local/share/icc/edid-*.icc rw,
/var/lib/flatpak/exports/share/mime/mime.cache r,
owner @{run}/user/@{uid}/gdm/Xauthority r,

2
apparmor.d/groups/gnome/gsd-print-notifications
View file

@ -20,6 +20,8 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}lib/gsd-printer rPx,
/etc/machine-id r,
owner @{PROC}/@{pid}/fd/ r,
owner /dev/tty[0-9]* rw,

1
apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
View file

@ -35,6 +35,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} {
@{run}/systemd/sessions/[0-9]* r,
/etc/fstab r,
/etc/machine-id r,
# Mount points
@{MOUNTS}/*/ r,

1
apparmor.d/groups/gvfs/gvfsd-fuse
View file

@ -37,6 +37,7 @@ profile gvfsd-fuse @{exec_path} {
umount @{run}/user/@{uid}/**/,
/etc/fuse.conf r,
/etc/machine-id r,
/dev/fuse rw,

21
apparmor.d/groups/network/NetworkManager
View file

@ -10,8 +10,8 @@ include <tunables/global>
profile NetworkManager @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/openssl>
include <abstractions/ssl_certs>
network inet stream,
network inet6 stream,
@ -35,17 +35,18 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}lib/nm-dhcp-helper rPx,
/{usr/,}lib/nm-dispatcher rPx,
/{usr/,}lib/nm-iface-helper rPx,
/{usr/,}lib/nm-initrd-generator rPx,
/{usr/,}lib/nm-openvpn-auth-dialog rPx,
/{usr/,}lib/nm-openvpn-service rPx,
/{usr/,}lib/nm-openvpn-service-openvpn-helper rPx,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/resolvconf rPx,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}lib/nm-dhcp-helper rPx,
/{usr/,}lib/nm-dispatcher rPx,
/{usr/,}lib/nm-iface-helper rPx,
/{usr/,}lib/nm-initrd-generator rPx,
/{usr/,}lib/nm-openvpn-auth-dialog rPx,
/{usr/,}lib/nm-openvpn-service rPx,
/{usr/,}lib/nm-openvpn-service-openvpn-helper rPx,
/dev/rfkill rw,
/ r,

2
apparmor.d/groups/systemd/bootctl
View file

@ -34,8 +34,10 @@ profile bootctl @{exec_path} {
/etc/machine-id r,
@{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r,
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
@{sys}/firmware/dmi/entries/*/raw r,
@{sys}/firmware/efi/efivars/ r,
@{sys}/firmware/efi/efivars/Boot[0-9A-F]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
@{sys}/firmware/efi/efivars/BootOrder-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,

1
apparmor.d/groups/systemd/systemd-coredump
View file

@ -32,6 +32,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) {
/var/lib/systemd/coredump/ r,
/var/lib/systemd/coredump/** rwl,
/var/lib/systemd/coredump/#[0-9]* rwl,
owner @{PROC}/@{pid}/setgroups r,
@{PROC}/@{pids}/comm r,

1
apparmor.d/groups/systemd/systemd-makefs
View file

@ -16,6 +16,7 @@ profile systemd-makefs @{exec_path} {
@{exec_path} mr,
/{usr/,}{s,}bin/mkswap rPx,
/{usr/,}bin/mkfs.* rPx,
@{sys}/devices/virtual/block/zram[0-9]*/ r,
@{sys}/devices/virtual/block/zram[0-9]*/** r,

7
apparmor.d/groups/systemd/systemd-oomd
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-oomd
profile systemd-oomd @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>
capability dac_override,
capability kill,
@ -17,11 +18,9 @@ profile systemd-oomd @{exec_path} {
/etc/systemd/oomd.conf r,
@{PROC}/1/cgroup r,
@{PROC}/cmdline r,
@{sys}/fs/cgroup/cgroup.controllers r,
@{PROC}/pressure/{cpu,io,memory} r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/random/boot_id r,
include if exists <local/systemd-oomd>
}

2
apparmor.d/groups/systemd/systemd-user-runtime-dir
View file

@ -24,6 +24,8 @@ profile systemd-user-runtime-dir @{exec_path} {
@{exec_path} mr,
/etc/machine-id r,
@{run}/user/@{uid}/{,**} rw,
@{PROC}/1/environ r,

7
apparmor.d/groups/systemd/zram-generator
View file

@ -18,12 +18,15 @@ profile zram-generator @{exec_path} {
/etc/systemd/zram-generator.conf r,
@{sys}/devices/virtual/block/zram[0-9]*/{disksize,reset} rw,
@{sys}/devices/virtual/block/zram[0-9]*/{disksize,reset,comp_algorithm} rw,
@{sys}/block/zram[0-9]*/{disksize,reset} rw,
owner @{run}/systemd/generator/systemd-zram-setup@zram[0-9]*.service.d/{,*.conf} rw,
owner @{run}/systemd/generator/{,*/}var-cache-makepkg.mount rw,
owner @{run}/systemd/generator/dev-zram[0-9]*.swap rw,
owner @{run}/systemd/generator/swap.target.wants/{,dev-zram[0-9]*.swap} rw,
owner @{run}/systemd/generator/systemd-zram-setup@zram[0-9]*.service.d/{,*.conf} rw,
@{PROC}/crypto r,
include if exists <local/zram-generator>
}