refractor: move more profiles to groups.
This commit is contained in:
parent
33681e14f2
commit
8ba3dbd90f
38 changed files with 3 additions and 2 deletions
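--- a/PATH-NOT-SHOWN/ufw
+++ /dev/null
@@ -1,62 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2024 EricLin <ericlin050914@gmail.com>
-# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/ufw
-profile ufw @{exec_path} flags=(attach_disconnected) {
-include <abstractions/base>
-include <abstractions/attached/consoles>
-include <abstractions/nameservice-strict>
-include <abstractions/python>
-
-capability dac_read_search,
-capability net_admin,
-capability net_raw,
-capability sys_ptrace,
-
-network inet dgram,
-network inet raw,
-network inet6 dgram,
-network inet6 raw,
-network netlink raw,
-
-ptrace read,
-
-@{exec_path} mr,
-
-@{bin}/ r,
-@{bin}/cat ix,
-@{bin}/env r,
-@{bin}/python3.@{int} ix,
-@{bin}/sysctl ix,
-@{bin}/xtables-legacy-multi ix,
-@{bin}/xtables-nft-multi ix,
-@{lib}/ufw/ufw-init ix,
-
-/etc/default/ufw rw,
-/etc/ufw/ rw,
-/etc/ufw/** rwk,
-
-@{run}/xtables.lock rwk,
-owner @{run}/ufw.lock rwk,
-
-owner @{tmp}/@{word8} rw,
-owner @{tmp}/tmp@{word8} rw,
-owner /var/tmp/@{word8} rw,
-owner /var/tmp/tmp@{word8} rw,
-
-@{PROC}/@{pid}/fd/ r,
-@{PROC}/@{pid}/net/ip_tables_names r,
-@{PROC}/@{pid}/stat r,
-@{PROC}/sys/net/ipv{4,6}/** rw,
-@{PROC}/sys/kernel/modprobe r,
-
-include if exists <local/ufw>
-}
-
-# vim:syntax=apparmor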
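--- a/PATH-NOT-SHOWN/usb-devices
+++ /dev/null
@@ -1,36 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/usb-devices
-profile usb-devices @{exec_path} {
-include <abstractions/base>
-include <abstractions/consoles>
-include <abstractions/devices-usb>
-
-capability dac_override,
-capability dac_read_search,
-
-@{exec_path} mr,
-
-@{sh_path} rix,
-@{bin}/{,e}grep rix,
-@{bin}/basename rix,
-@{bin}/cat rix,
-@{bin}/cut rix,
-@{bin}/find rix,
-@{bin}/readlink rix,
-@{bin}/sort rix,
-
-# For shell pwd
-/root/ r,
-
-include if exists <local/usb-devices>
-}
-
-# vim:syntax=apparmor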
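--- a/PATH-NOT-SHOWN/usbguard
+++ /dev/null
@@ -1,41 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2021 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/usbguard
-profile usbguard @{exec_path} {
-include <abstractions/base>
-include <abstractions/consoles>
-include <abstractions/devices-usb>
-
-capability chown,
-capability fowner,
-capability dac_override,
-
-# Needed to create policy (usbguard generate-policy)
-network netlink dgram,
-
-unix (send, receive, connect) type=stream peer=(label="usbguard-daemon",addr=@@{int}),
-
-#aa:dbus own bus=system name=org.usbguard1
-
-@{exec_path} mr,
-
-/etc/usbguard/*.conf rw,
-/etc/usbguard/IPCAccessControl.d/{,*} rw,
-
-/dev/shm/qb-usbguard-{request,response,event}-@{int}-@{int}-@{int}-{header,data} rw,
-/dev/shm/qb-@{int}-@{int}-@{int}-*/qb-{request,response,event}-usbguard-{header,data} rw,
-
-# For "usbguard generate-policy"
-@{sys}/devices/@{pci}/uevent r,
-
-include if exists <local/usbguard>
-}
-
-# vim:syntax=apparmor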
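--- a/PATH-NOT-SHOWN/usbguard-applet-qt
+++ /dev/null
@@ -1,48 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2021 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/usbguard-applet-qt
-profile usbguard-applet-qt @{exec_path} {
-include <abstractions/base>
-include <abstractions/X>
-include <abstractions/gtk>
-include <abstractions/fonts>
-include <abstractions/fontconfig-cache-read>
-include <abstractions/freedesktop.org>
-include <abstractions/mesa>
-include <abstractions/qt5>
-include <abstractions/qt5-compose-cache-write>
-include <abstractions/dri-enumerate>
-include <abstractions/nameservice-strict>
-
-# Needed?
-ptrace (read),
-
-@{exec_path} mr,
-
-owner @{user_config_dirs}/USBGuard/ rw,
-owner @{user_config_dirs}/USBGuard/* rwkl -> @{user_config_dirs}/USBGuard/#@{int},
-
-/dev/shm/#@{int} rw,
-/dev/shm/qb-usbguard-{request,response,event}-@{int}-@{int}-@{int}-{header,data} rw,
-/dev/shm/qb-@{int}-@{int}-@{int}-*/qb-{request,response,event}-usbguard-{header,data} rw,
-
-owner @{run}/user/@{uid}/sni-qt_usbguard-applet-qt_@{int}-[a-zA-Z0-9]*/{,**} rw,
-
-owner @{PROC}/@{pid}/cmdline r,
-
-/usr/share/hwdata/pnp.ids r,
-
-/var/lib/dbus/machine-id r,
-/etc/machine-id r,
-
-include if exists <local/usbguard-applet-qt>
-}
-
-# vim:syntax=apparmor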
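--- a/PATH-NOT-SHOWN/usbguard-daemon
+++ /dev/null
@@ -1,44 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2021 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/usbguard-daemon
-profile usbguard-daemon @{exec_path} flags=(attach_disconnected) {
-include <abstractions/base>
-include <abstractions/nameservice-strict>
-include <abstractions/devices-usb>
-
-capability chown,
-capability fowner,
-capability dac_override,
-
-network netlink dgram,
-
-unix (bind, listen) type=stream,
-unix (connect) type=stream peer=(label=usbguard-dbus, addr=none),
-
-@{exec_path} mr,
-
-/etc/usbguard/{,**} r,
-/etc/usbguard/*.conf rw,
-
-owner @{run}/usbguard.pid rwk,
-
-/var/log/usbguard/usbguard-audit.log rw,
-
-/dev/shm/ r,
-/dev/shm/qb-usbguard-{request,response,event}-@{int}-@{int}-@{int}-{header,data} rw,
-/dev/shm/qb-@{int}-@{int}-*/ rw,
-/dev/shm/qb-@{int}-@{int}-@{int}-*/qb-{request,response,event}-usbguard-{header,data} rw,
-
-@{sys}/devices/@{pci}/uevent r,
-
-include if exists <local/usbguard-daemon>
-}
-
-# vim:syntax=apparmor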
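--- a/PATH-NOT-SHOWN/usbguard-dbus
+++ /dev/null
@@ -1,27 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2021 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/usbguard-dbus
-profile usbguard-dbus @{exec_path} {
-include <abstractions/base>
-include <abstractions/bus-system>
-
-# Needed?
-deny capability sys_nice,
-
-unix (send, receive, connect) type=stream peer=(label=usbguard-daemon, addr=@@{int}),
-
-@{exec_path} mr,
-/dev/shm/qb-usbguard-{request,response,event}-@{int}-@{int}-@{int}-{header,data} rw,
-/dev/shm/qb-@{int}-@{int}-@{int}-*/qb-{request,response,event}-usbguard-{header,data} rw,
-
-include if exists <local/usbguard-dbus>
-}
-
-# vim:syntax=apparmor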
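--- a/PATH-NOT-SHOWN/usbguard-notifier
+++ /dev/null
@@ -1,24 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/usbguard-notifier
-profile usbguard-notifier @{exec_path} {
-include <abstractions/base>
-include <abstractions/nameservice-strict>
-
-@{exec_path} mr,
-
-/dev/shm/qb-usbguard-{request,response,event}-@{int}-@{int}-@{int}-{header,data} rw,
-/dev/shm/qb-@{int}-@{int}-@{int}-*/qb-{request,response,event}-usbguard-{header,data} rw,
-
-owner @{PROC}/@{pid}/loginuid r,
-
-include if exists <local/usbguard-notifier>
-}
-
-# vim:syntax=apparmor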
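--- a/PATH-NOT-SHOWN/whereis
+++ /dev/null
@@ -1,44 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022 Jeroen Rijken
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/whereis
-profile whereis @{exec_path} {
-include <abstractions/base>
-include <abstractions/consoles>
-
-@{exec_path} mr,
-
-@{bin}/{,*/} r,
-@{lib}/ r,
-@{lib}/go-*/bin/ r,
-/usr/{local/,}games/ r,
-/usr/include/ r,
-/usr/local/{,etc/,lib/} r,
-/usr/local/{s,}bin/{,*/} r,
-/usr/share/ r,
-/usr/share/info/{**,} r,
-/usr/share/man/{**,} r,
-/usr/src/{**,} r,
-
-/opt/ r,
-/opt/**/bin/ r,
-/opt/**/lib/ r,
-
-@{etc_ro}/ r,
-
-/snap/bin/ r,
-/var/lib/flatpak/exports/bin/ r,
-
-owner @{HOME}/{.,}go/bin/ r,
-owner @{user_bin_dirs}/ r,
-
-include if exists <local/whereis>
-}
-
-# vim:syntax=apparmor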
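--- a/PATH-NOT-SHOWN/wireplumber
+++ /dev/null
@@ -1,80 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/wireplumber
-profile wireplumber @{exec_path} {
-include <abstractions/base>
-include <abstractions/audio-client>
-include <abstractions/audio-server>
-include <abstractions/bus-session>
-include <abstractions/bus-system>
-include <abstractions/bus/org.freedesktop.RealtimeKit1>
-include <abstractions/bus/org.freedesktop.UPower>
-include <abstractions/devices-usb>
-include <abstractions/nameservice-strict>
-include <abstractions/video>
-
-network bluetooth raw,
-network bluetooth seqpacket,
-network bluetooth stream,
-network netlink raw,
-
-#aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio@{int}
-
-dbus receive bus=session
-interface=org.freedesktop.DBus.Introspectable
-member=Introspect
-peer=(name=:*, label=gnome-shell),
-
-@{exec_path} mr,
-
-/opt/intel/oneapi/{compiler,lib,mkl}/**/ r,
-/opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr,
-
-/usr/share/alsa-card-profile/{,**} r,
-/usr/share/spa-*/bluez@{int}/{,*} r,
-/usr/share/wireplumber/{,**} r,
-
-owner @{desktop_local_dirs}/ w,
-owner @{desktop_local_dirs}/state/ w,
-owner @{desktop_local_dirs}/state/wireplumber/{,**} rw,
-
-owner @{HOME}/.local/ w,
-owner @{user_state_dirs}/ w,
-owner @{user_state_dirs}/wireplumber/{,**} rw,
-owner @{user_config_dirs}/wireplumber/{,**} r,
-
-owner @{run}/user/@{uid}/pipewire-@{int} rw,
-
-@{run}/systemd/users/@{uid} r,
-
-@{run}/udev/data/c14:@{int} r, # Open Sound System (OSS)
-@{run}/udev/data/c81:@{int} r, # For video4linux
-@{run}/udev/data/c116:@{int} r, # For ALSA
-@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
-
-@{sys}/bus/ r,
-@{sys}/bus/media/devices/ r,
-@{sys}/devices/@{pci}/video4linux/video@{int}/uevent r,
-@{sys}/devices/**/device:*/{,**/}path r,
-@{sys}/devices/**/sound/**/pcm_class r,
-@{sys}/devices/**/sound/**/uevent r,
-@{sys}/devices/system/node/ r,
-@{sys}/devices/system/node/node@{int}/meminfo r,
-@{sys}/devices/virtual/dmi/id/bios_vendor r,
-@{sys}/devices/virtual/dmi/id/product_name r,
-@{sys}/devices/virtual/dmi/id/sys_vendor r,
-
-owner @{PROC}/@{pid}/task/@{tid}/comm rw,
-
-/dev/media@{int} rw,
-
-include if exists <local/wireplumber>
-}
-
-# vim:syntax=apparmor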