This commit is contained in:
nobodysu 2022-08-29 00:52:38 +03:00
parent c9acd76825
commit 8284fa57dd
6 changed files with 248 additions and 101 deletions


@ -8,6 +8,9 @@ abi <abi/3.0>,
include <tunables/global>
@{FIREFOX_BIN} = /{usr/,}lib/firefox{,-esr}/firefox
@{FIREFOX_BIN} += /opt/firefox{,-esr}/firefox
@{MOZ_LIBDIR} = /{usr/,}lib/thunderbird
@{MOZ_HOMEDIR} = @{HOME}/.thunderbird
@{MOZ_CACHEDIR} = @{user_cache_dirs}/thunderbird
@ -17,12 +20,13 @@ include <tunables/global>
profile thunderbird @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/opencl-intel>
include <abstractions/nameservice-strict>
include <abstractions/gtk>
include <abstractions/wayland>
include <abstractions/mesa>
include <abstractions/opencl-intel>
include <abstractions/nvidia>
include <abstractions/vulkan>
include <abstractions/mesa>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
@ -30,10 +34,9 @@ profile thunderbird @{exec_path} {
include <abstractions/enchant>
include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/dconf-write>
include <abstractions/ibus>
include <abstractions/dconf-write>
include <abstractions/dbus-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-gtk>
@ -54,28 +57,30 @@ profile thunderbird @{exec_path} {
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w,
dbus (send) bus=session path=/org/freedesktop/DBus
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=RequestName
peer=(name=org.freedesktop.DBus),
dbus (send) bus=system path=/org/freedesktop/RealtimeKit[0-9]*
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]*
member={Get,MakeThreadHighPriority,MakeThreadRealtime}
peer=(name=org.freedesktop.RealtimeKit[0-9]*),
dbus (send) bus=system path=/org/freedesktop/UPower
dbus send bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=EnumerateDevices
peer=(name=org.freedesktop.UPower),
dbus (send) bus=session path=/ca/desrt/dconf/Writer/user
dbus send bus=session path=/ca/desrt/dconf/Writer/user
interface=ca.desrt.dconf.Writer
member={Change,Notify}
peer=(name=ca.desrt.dconf),
dbus (bind) bus=session
dbus bind bus=session
name=org.mozilla.thunderbird.*,
deny dbus send bus=system path=/org/freedesktop/hostname[0-9]*,
owner /tmp/dbus-[0-9a-zA-Z]* rw,
@{exec_path} mrix,
@ -121,6 +126,7 @@ profile thunderbird @{exec_path} {
owner @{HOME}/ r,
owner @{HOME}/Mail/ rw,
owner @{HOME}/Mail/** rwl -> @{HOME}/Mail/**,
owner @{user_share_dirs}/ r,
# Fix error in libglib while saving files as
/usr/share/glib-2.0/schemas/gschemas.compiled r,
@ -143,7 +149,6 @@ profile thunderbird @{exec_path} {
/usr/share/qt5ct/** r,
# gnome-tiny
/etc/gnome/defaults.list r,
/usr/share/gvfs/remote-volume-monitors/{,*} r,
@{run}/mount/utab r,
@ -195,13 +200,12 @@ profile thunderbird @{exec_path} {
/etc/timezone r,
/usr/share/sounds/freedesktop/stereo/*.oga r,
/usr/share/ubuntu/applications/{,*} r,
# Silencer
deny /{usr/,}lib/thunderbird/** w,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/xdg-{open,mime} rCx -> open,
/{usr/,}bin/exo-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
@ -213,11 +217,11 @@ profile thunderbird @{exec_path} {
/{usr/,}bin/gpgsm rCx -> gpg,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/engrampa rPx,
/{usr/,}bin/geany rPx,
@{FIREFOX_BIN} rPx,
# file_inherit
owner /dev/tty[0-9]* rw,
@ -284,21 +288,22 @@ profile thunderbird @{exec_path} {
/{usr/,}bin/exo-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,m,g}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,m,g}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/xfce4-mime-helper rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/engrampa rPx,
/{usr/,}bin/geany rPx,
@{FIREFOX_BIN} rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
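Review bot: `@{FIREFOX_BIN} rPx,` (in the "Allowed apps to open" hunk and again in the `open` child profile at the end of this section) now transitions to the `firefox` profile for every path the variable expands to, including `/opt/firefox{,-esr}/firefox`; a `Px` transition needs a profile attached to each of those paths, so unless the firefox profile's `@{exec_path}` (not visible here) also lists the /opt locations, executing that binary is denied rather than run unconfined — worth verifying before merging. `@{MOZ_LIBDIR}` is introduced in the first hunk, but the silencer `deny /{usr/,}lib/thunderbird/** w,` still spells the path out; `deny @{MOZ_LIBDIR}/** w,` keeps the two in step. The widening `/{usr/,}bin/xdg-{open,mime} rCx -> open,` also runs xdg-mime under the `open` child, and xdg-mime can rewrite default-application associations, so the child's write rules (outside this hunk) are what bound that; a short comment on why xdg-mime is needed would help a later reader.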


@ -52,24 +52,27 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/{c,}vlc
profile vlc @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/opencl-intel>
include <abstractions/nameservice-strict>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/opencl-intel>
include <abstractions/mesa>
include <abstractions/audio>
include <abstractions/vulkan>
include <abstractions/nvidia>
include <abstractions/audio>
include <abstractions/qt5-settings-write>
include <abstractions/qt5-compose-cache-write>
include <abstractions/vlc-art-cache-write>
include <abstractions/nameservice-strict>
include <abstractions/vulkan>
include <abstractions/user-download-strict>
include <abstractions/private-files-strict>
include <abstractions/ssl_certs>
include <abstractions/ibus>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-gtk>
include <abstractions/dconf-write>
include <abstractions/devices-usb>
include <abstractions/vlc-art-cache-write>
signal (receive) set=(term, kill) peer=anyremote//*,
@ -79,6 +82,115 @@ profile vlc @{exec_path} {
network inet6 stream,
network netlink raw,
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName,GetConnectionUnixProcessID}
peer=(name=org.freedesktop.DBus),
dbus send bus=session path=/org/a11y/bus
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.a11y.Bus),
dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=org.kde.StatusNotifierWatcher),
dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties
member={Get,RegisterStatusNotifierItem}
peer=(name=org.kde.StatusNotifierWatcher),
dbus send bus=session path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem
peer=(name=org.kde.StatusNotifierWatcher),
dbus send bus=session path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member={NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon}
peer=(name=org.freedesktop.DBus),
dbus receive bus=session path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member=Activate
peer=(name=:*),
dbus receive bus=session path=/StatusNotifierItem
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name=:*),
dbus send bus=session path=/ScreenSaver
interface=org.freedesktop.ScreenSaver
member={Inhibit,UnInhibit}
peer=(name=org.freedesktop.ScreenSaver),
dbus receive bus=session path=/MenuBar
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus send bus=session path=/MenuBar
interface=com.canonical.dbusmenu
member={LayoutUpdated,ItemsPropertiesUpdated}
peer=(name=org.freedesktop.DBus),
dbus receive bus=session path=/MenuBar
interface=com.canonical.dbusmenu
member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}
peer=(name=:*),
dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
interface=org.freedesktop.DBus.Properties
peer=(name="{org.freedesktop.DBus,:*}"), # all members
dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
interface=org.mpris.MediaPlayer2.*
peer=(name="{org.mpris.MediaPlayer2.vlc,org.freedesktop.DBus,:*}"), # all members
# dbus send bus=system path=/
# interface=org.freedesktop.DBus.Peer
# member=Ping,
# peer=(name="org.freedesktop.Avahi"),
dbus send bus=accessibility path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch}
peer=(name=org.freedesktop.DBus),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry),
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name=:*),
dbus send bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=GetRegisteredEvents
peer=(name=org.a11y.atspi.Registry),
dbus receive bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=EventListenerDeregistered
peer=(name=:*),
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
interface=org.a11y.atspi.DeviceEventController
member={GetKeystrokeListeners,GetDeviceEventListeners}
peer=(name=org.a11y.atspi.Registry),
dbus bind bus=session
name=org.kde.StatusNotifierItem-*,
dbus bind bus=session
name=org.mpris.MediaPlayer2.vlc{,.instance*},
@{exec_path} mrix,
# Which media files VLC should be able to open
@ -94,9 +206,6 @@ profile vlc @{exec_path} {
owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r,
owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**.@{vlc_ext} r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# VLC files
/usr/share/vlc/{,**} r,
@ -104,7 +213,7 @@ profile vlc @{exec_path} {
owner @{HOME}/ r,
owner @{user_config_dirs}/vlc/ rw,
owner @{user_config_dirs}/vlc/* rwkl -> @{user_config_dirs}/vlc/#[0-9]*[0-9],
owner @{user_share_dirs}/vlc/{,*} rw,
owner @{user_share_dirs}/vlc/{,**} rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/vlc/{,**} rw,
@ -114,12 +223,15 @@ profile vlc @{exec_path} {
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
/dev/snd/ r,
/dev/shm/#[0-9]*[0-9] rw,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/@{pid}/net/if_inet6 r,
owner @{PROC}/@{pid}/comm r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
@{PROC}/@{pids}/net/if_inet6 r,
deny @{PROC}/sys/kernel/random/boot_id r,
# Udev enumeration
@ -136,6 +248,7 @@ profile vlc @{exec_path} {
/etc/fstab r,
/usr/share/hwdata/pnp.ids r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# Be able to turn off the screensaver while playing movies
/{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver,
@ -147,7 +260,6 @@ profile vlc @{exec_path} {
owner /dev/tty[0-9]* rw,
owner @{HOME}/.anyRemote/anyremote.stdout w,
profile xdg-screensaver {
include <abstractions/base>
include <abstractions/consoles>
@ -169,6 +281,8 @@ profile vlc @{exec_path} {
/dev/dri/card[0-9]* rw,
network inet stream,
network inet6 stream,
include if exists <local/vlc_xdg-screensaver>
}
include if exists <local/vlc>
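Review bot: The /StatusNotifierItem send rule lists NewStatus twice in `member={NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon}`; it parses, but the repeat reads like a leftover from a merge — use `member={NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewIcon}`. The two `dbus (send, receive)` rules on /org/mpris/MediaPlayer2 carry no member restriction and accept any peer `:*`, so any session-bus client can Set properties and invoke every org.mpris.MediaPlayer2.* method; that is the normal MPRIS remote-control surface, but the `# all members` trailer should say so explicitly, e.g. `# MPRIS: any session client may control playback; no member filter by design`. The commented-out Avahi Ping block (`# dbus send bus=system path=/` … `# peer=(name="org.freedesktop.Avahi")`) is dead configuration — either drop it or note why it is kept. Further down, `@{PROC}/@{pids}/net/if_inet6 r,` replaces the owner-scoped `@{pid}` form; the file is identical for every process in the same network namespace, so the widening is harmless, but a one-line comment on why vlc reads it through other pids would prevent it being tightened back later.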


@ -8,6 +8,7 @@ include <tunables/global>
@{exec_path} = /usr/share/command-not-found/command-not-found
@{exec_path} += /{usr/,}bin/command-not-found
@{exec_path} += /{usr/,}lib/command-not-found
profile command-not-found @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@ -23,5 +24,8 @@ profile command-not-found @{exec_path} {
/usr/share/command-not-found/{,**} r,
# Silencer
deny /usr/lib/ r,
include if exists <local/command-not-found>
}
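Review bot: The new silencer `deny /usr/lib/ r,` hard-codes `/usr/lib/` while the rest of this file, including the new `@{exec_path} += /{usr/,}lib/command-not-found` in the first hunk, uses the `/{usr/,}lib/` alternation; on a system without merged /usr a listing of `/lib/` would still be logged. `deny /{usr/,}lib/ r,` keeps it consistent with the surrounding rules. A comment on what triggers the directory read (presumably the Python import machinery scanning the path) would also help, since a denied read of /usr/lib/ under a `# Silencer` heading is easy to mistake for a typo.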


@ -18,8 +18,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
include <abstractions/audio>
include <abstractions/dconf-write>
include <abstractions/enchant>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
@ -41,6 +41,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
ptrace peer=@{profile_name},
unix (send, receive) type=stream addr=none peer=(label=xorg),
signal (send) set=(term, kill) peer=keepassxc-proxy,
signal (send) set=(term, kill) peer=firefox-*,
@ -50,42 +52,42 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
network inet6 stream,
network netlink raw,
dbus (send) bus=session path=/org/freedesktop/DBus
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus),
dbus (send) bus=session path=/ScreenSaver
dbus send bus=session path=/ScreenSaver
interface=org.freedesktop.ScreenSaver
member={Inhibit,UnInhibit}
peer=(name=org.freedesktop.ScreenSaver),
dbus (send) bus=session path=/org/freedesktop/portal/desktop
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Settings
member=Read
peer=(name=:*),
dbus (receive) bus=session path=/org/freedesktop/portal/desktop
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Settings
member=SettingChanged
peer=(name=:*),
dbus (send) bus=session path=/org/freedesktop/portal/desktop
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties
member={GetAll,Read}
peer=(name=:*),
dbus (send) bus=system path=/org/freedesktop/UPower
dbus send bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=EnumerateDevices
peer=(name=org.freedesktop.UPower),
dbus (send) bus=session path=/org/freedesktop/PowerManagement/Inhibit
dbus send bus=session path=/org/freedesktop/PowerManagement/Inhibit
interface=org.freedesktop.PowerManagement.Inhibit
member=Inhibit
peer=(name=org.freedesktop.PowerManagement),
dbus (send) bus=system path=/org/freedesktop/RealtimeKit[0-9]*
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]*
member={Get,MakeThreadHighPriority,MakeThreadRealtime,MakeThreadRealtimeWithPID}
peer=(name=org.freedesktop.RealtimeKit[0-9]*),
@ -94,32 +96,39 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
member={GetAll,PropertiesChanged}
peer=(name="{org.freedesktop.DBus,:*}"),
dbus (receive) bus=session path=/org/mpris/MediaPlayer2
dbus receive bus=session path=/org/mpris/MediaPlayer2
interface=org.mpris.MediaPlayer2.Playlists
member=GetPlaylists
peer=(name=:*),
dbus (receive) bus=system path=/org/freedesktop/login[0-9]*
dbus receive bus=system path=/org/freedesktop/login[0-9]*
interface=org.freedesktop.login[0-9]*.Manager
member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareForShutdown}
peer=(name=:*),
dbus (send) bus=session path=/org/gtk/vfs/metadata
dbus send bus=session path=/org/gtk/vfs/metadata
interface=org.gtk.vfs.Metadata
member=GetTreeFromDevice
peer=(name=:*),
dbus (send) bus=session path=/org/gtk/Private/RemoteVolumeMonitor
interface=org.gtk.Private.RemoteVolumeMonitor
member={IsSupported,VolumeAdded,VolumeRemoved,VolumeChanged}
peer=(name=:*),
dbus send bus=session path=/org/mozilla/firefox/Remote
interface=org.mozilla.firefox
member=OpenURL
peer=(name=org.mozilla.firefox.* label=firefox),
dbus (bind) bus=session
dbus receive bus=session path=/org/mozilla/firefox/Remote
interface=org.mozilla.firefox
member=OpenURL
peer=(name=:* label=firefox),
dbus bind bus=session
name=org.mpris.MediaPlayer2.firefox.*,
dbus (bind) bus=session
dbus bind bus=session
name=org.mozilla.firefox.*,
deny dbus send bus=system path=/org/freedesktop/hostname[0-9]*,
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
@ -178,11 +187,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
/etc/opensc.conf r,
/etc/xul-ext/kwallet5.js r,
# Ubuntu
/etc/gnome/*.list r,
/etc/xfce4/*.list r,
/usr/share/xfce4/applications/{,*.list} r,
/usr/share/*ubuntu/applications/{,*.list} r,
# gnome-tiny
@{run}/mount/utab r,
owner @{HOME}/ r,
@ -196,7 +202,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
owner @{MOZ_HOMEDIR}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r,
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix{,-wayland}-[0-9]*} r,
owner @{user_config_dirs}/mimeapps.list{,.*} rw,
owner @{user_cache_dirs}/ rw,
@ -233,6 +239,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/pci[0-9]*/**/drm/renderD[0-9]*/ r,
@{sys}/devices/pci[0-9]*/**/irq r,
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
@{sys}/devices/system/cpu/possible r,
deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
deny @{sys}/devices/system/cpu/present r,
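Review bot: The dbus hunk normalizes `dbus (send)` to `dbus send` but leaves `dbus (send) bus=session path=/org/gtk/Private/RemoteVolumeMonitor` in the parenthesized form, and the new `signal (send) set=(term, kill) peer=firefox-*,` in the second hunk keeps the form the qbittorrent file drops in the same commit; both spellings parse, but one per commit is easier to grep and review. That signal rule would benefit from a comment naming which `firefox-*` profiles it is meant to reach (presumably helper child profiles), since a bare glob on `peer=` is easy to widen by accident. In the last hunk, `@{sys}/devices/system/cpu/possible r,` is allowed while `present` stays denied two lines later; a one-line comment on why one is needed and the other is only noise would save the next reader a trip through the audit log.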


@ -23,43 +23,56 @@ profile engrampa @{exec_path} {
include <abstractions/dbus-gtk>
include <abstractions/ibus>
unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*),
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetId
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus (send) bus=session path=/ca/desrt/dconf/Writer/user
dbus send bus=session path=/ca/desrt/dconf/Writer/user
interface=ca.desrt.dconf.Writer
member={Change,Notify}
peer=(name=ca.desrt.dconf),
dbus (send) bus=session path=/org/gtk/Private/RemoteVolumeMonitor
dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
interface=org.gtk.Private.RemoteVolumeMonitor
member={IsSupported,List}
peer=(name=:*),
dbus (send) bus=accessibility path=/org/a11y/atspi/accessible/root
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry),
dbus (receive) bus=accessibility path=/org/a11y/atspi/accessible/root
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name=:*),
dbus (send) bus=session path=/org/gtk/vfs/mounttracker
dbus send bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member={ListMounts2,LookupMount}
peer=(name=:*),
dbus (receive) bus=session path=/org/gtk/vfs/mounttracker
dbus receive bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=Mounted
peer=(name=:*),
dbus (send) bus=session path=/org/gtk/vfs/Daemon
dbus send bus=session path=/org/gtk/vfs/Daemon
interface=org.gtk.vfs.Daemon
member=GetConnection
peer=(name=:*),
dbus receive bus=session path=/org/gtk/Application/anonymous
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus receive bus=session path=/org/gtk/Application/anonymous{,/window/[0-9]*}
interface=org.gtk.Actions
member=DescribeAll
peer=(name=:*),
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
@ -118,12 +131,6 @@ profile engrampa @{exec_path} {
# gnome-tiny
@{run}/mount/utab r,
# Ubuntu
/etc/gnome/*.list r,
/etc/xfce4/*.list r,
/usr/share/xfce4/applications/{,*.list} r,
/usr/share/xubuntu/applications/{,*.list} r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/mountinfo r,
@ -132,10 +139,10 @@ profile engrampa @{exec_path} {
/etc/fstab r,
# Allowed apps to open
/{usr/,}bin/engrampa rPx,
/{usr/,}bin/geany rPx,
/{usr/,}bin/engrampa rPx,
/{usr/,}bin/geany rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/spacefm rPx,
/{usr/,}bin/spacefm rPx,
/{usr/,}bin/ristretto rPUx,
# file_inherit
@ -160,7 +167,7 @@ profile engrampa @{exec_path} {
# Allowed apps to open
/{usr/,}bin/engrampa rPx,
/{usr/,}bin/geany rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/spacefm rPx,
# file_inherit
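Review bot: The two new GApplication receive rules in the first hunk cover different object paths: `path=/org/gtk/Application/anonymous` for org.freedesktop.DBus.Properties GetAll, but `path=/org/gtk/Application/anonymous{,/window/[0-9]*}` for org.gtk.Actions DescribeAll. If that asymmetry is deliberate (GetAll only ever arrives on the application object), a short comment saying so would keep a later maintainer from "fixing" it; if it is not, the first rule needs the same `{,/window/[0-9]*}` suffix. The new GetId rule is the only one in the hunk that pins the peer with `label=dbus-daemon` while every other rule relies on `name=` alone; a comment on why only that rule carries a label constraint would make the intent clear.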


@ -6,11 +6,15 @@ abi <abi/3.0>,
include <tunables/global>
@{FIREFOX_BIN} = /{usr/,}lib/firefox{,-esr}/firefox
@{FIREFOX_BIN} += /opt/firefox{,-esr}/firefox
@{exec_path} = /{usr/,}bin/qbittorrent
profile qbittorrent @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/X>
include <abstractions/nameservice-strict>
include <abstractions/X-strict>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
@ -20,21 +24,20 @@ profile qbittorrent @{exec_path} {
include <abstractions/qt5>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/dconf-write>
include <abstractions/ibus>
include <abstractions/dconf-write>
include <abstractions/dbus-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-network-manager-strict>
include <abstractions/dbus-gtk>
include <abstractions/wayland>
include <abstractions/dri-enumerate>
include <abstractions/wayland>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
signal (send) set=(term, kill) peer=qbittorrent//python3,
signal send set=(term, kill) peer=qbittorrent//python3,
network inet dgram,
network inet6 dgram,
@ -43,67 +46,67 @@ profile qbittorrent @{exec_path} {
network netlink dgram,
network netlink raw,
dbus (send) bus=session path=/StatusNotifierWatcher
dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=org.kde.StatusNotifierWatcher),
dbus (send) bus=session path=/StatusNotifierWatcher
dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.kde.StatusNotifierWatcher),
dbus (send) bus=session path=/StatusNotifierWatcher
dbus send bus=session path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem
peer=(name=org.kde.StatusNotifierWatcher),
dbus (send) bus=session path=/StatusNotifierItem
dbus send bus=session path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member={NewToolTip,NewIcon}
peer=(name=org.freedesktop.DBus),
dbus (receive) bus=session path=/StatusNotifierItem
dbus receive bus=session path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member=Activate
peer=(name=:*),
dbus (receive) bus=session path=/StatusNotifierItem
dbus receive bus=session path=/StatusNotifierItem
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus (receive) bus=session path=/MenuBar
dbus receive bus=session path=/MenuBar
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus (send) bus=session path=/MenuBar
dbus send bus=session path=/MenuBar
interface=com.canonical.dbusmenu
member=ItemsPropertiesUpdated
peer=(name=org.freedesktop.DBus),
dbus (receive) bus=session path=/MenuBar
dbus receive bus=session path=/MenuBar
interface=com.canonical.dbusmenu
member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}
peer=(name=:*),
dbus (send) bus=session path=/org/freedesktop/DBus
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus),
dbus (send) bus=accessibility path=/org/a11y/atspi/accessible/root
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry),
dbus (receive) bus=accessibility path=/org/a11y/atspi/accessible/root
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name=:*),
dbus (bind) bus=session
dbus bind bus=session
name=org.kde.StatusNotifierItem-*,
owner /tmp/dbus-[0-9a-zA-Z]* rw,
@ -167,9 +170,6 @@ profile qbittorrent @{exec_path} {
# file_inherit
owner /dev/tty[0-9]* rw,
# X-tiny
owner @{run}/user/@{uid}/ICEauthority r,
# gnome-tiny
/usr/share/gvfs/remote-volume-monitors/{,*} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
@ -186,18 +186,28 @@ profile qbittorrent @{exec_path} {
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/ebook-viewer rPx,
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/nautilus rPx,
@{FIREFOX_BIN} rPx,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
include <abstractions/dbus-gtk>
dbus (send) bus=session path=/org/gnome/{Nautilus,Totem,gedit}
interface=org.freedesktop.Application
member=Open
peer=(name="org.gnome.{Nautilus,Totem,gedit}"),
dbus send bus=session path=/org/gnome/{Nautilus,Totem,gedit}
interface=org.freedesktop.Application
member=Open
peer=(name="org.gnome.{Nautilus,Totem,gedit}"),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry),
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name=:*),
/{usr/,}bin/xdg-open mr,
@ -210,8 +220,8 @@ profile qbittorrent @{exec_path} {
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/ebook-viewer rPx,
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/engrampa rPx,
@{FIREFOX_BIN} rPx,
/{usr/,}bin/{ba,da,}sh rix,
/{usr/,}bin/{g,m,}awk rix,
@ -240,7 +250,7 @@ profile qbittorrent @{exec_path} {
include <abstractions/ssl_certs>
include <abstractions/nameservice-strict>
signal (receive) set=(term, kill) peer=qbittorrent,
signal receive set=(term, kill) peer=qbittorrent,
network inet dgram,
network inet6 dgram,