felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): cleanup profiles using the new abs.

Browse source
This commit is contained in:
Alexandre Pujol 2025-09-13 00:47:50 +02:00
parent 51bcdd5e14
commit 8c6b0ce33f
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
6 changed files with 8 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/abstractions/app/chromium
View file

@ -34,7 +34,7 @@
include <abstractions/common/chromium>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/devices-usb>
include <abstractions/devices-usb-read>
include <abstractions/fontconfig-cache-read>
include <abstractions/graphics>
include <abstractions/nameservice-strict>

3
apparmor.d/abstractions/common/app
View file

@ -28,8 +28,11 @@
include <abstractions/gstreamer>
include <abstractions/input>
include <abstractions/nameservice-strict>
include <abstractions/notifications>
include <abstractions/p11-kit>
include <abstractions/path>
include <abstractions/screensaver>
include <abstractions/secrets-service>
include <abstractions/sqlite>
include <abstractions/ssl_certs>

5
apparmor.d/abstractions/common/game
View file

@ -20,6 +20,7 @@
include <abstractions/input>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/uinput>
@{bin}/uname rix,
@{bin}/xdg-settings rPx,
@ -67,9 +68,6 @@
owner /dev/shm/mono.@{int} rw,
owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{sys}/ r,
@{sys}/bus/ r,
@{sys}/class/ r,
@ -80,7 +78,6 @@
@{sys}/devices/@{pci}/net/*/carrier r,
@{sys}/devices/**/input@{int}/ r,
@{sys}/devices/**/input@{int}/**/{vendor,product} r,
@{sys}/devices/**/input@{int}/capabilities/* r,
@{sys}/devices/**/input/input@{int}/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/system/ r,

2
apparmor.d/groups/bluetooth/bluetoothd
View file

@ -12,6 +12,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.hostname1>
include <abstractions/uinput>
# Needed for configuring HCI interfaces
capability net_admin,
@ -57,7 +58,6 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
@{PROC}/sys/kernel/hostname r,
/dev/uhid rw,
/dev/uinput rw,
/dev/rfkill rw,
/dev/hidraw@{int} rw,

4
apparmor.d/groups/steam/steam
View file

@ -41,6 +41,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/uinput>
include <abstractions/video>
capability sys_ptrace,
@ -245,7 +246,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/dev/input/ r,
/dev/uinput w,
deny /opt/** r,
@ -353,8 +353,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{sys}/devices/**/report_descriptor r,
@{sys}/devices/**/uevent r,
@{sys}/devices/@{pci}/usb@{int}/**/{idVendor,idProduct,interface} r,
@{sys}/devices/system/cpu/kernel_max r,
@{sys}/devices/virtual/tty/tty@{int}/active r,
@{PROC}/ r,
@{PROC}/version r,

2
apparmor.d/profiles-s-z/spice-vdagentd
View file

@ -11,6 +11,7 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.login1.Session>
include <abstractions/uinput>
capability sys_nice,
@ -24,7 +25,6 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pids}/cgroup r,
/dev/uinput rw,
/dev/vport@{int}p@{int} rw,
include if exists <local/spice-vdagentd>