refractor: moce a lot of profiles inside they own groups.
parent
e5aad04be4
commit
9304c9a668
61 changed files with 1 additions and 9 deletions
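--- a/PATH-NOT-SHOWN/aa-enabled
+++ /dev/null
@@ -1,23 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/aa-enabled
-profile aa-enabled @{exec_path} {
-include <abstractions/base>
-include <abstractions/consoles>
-
-@{exec_path} mr,
-
-@{sys}/module/apparmor/parameters/enabled r,
-
-owner @{PROC}/@{pid}/mounts r,
-
-include if exists <local/aa-enabled>
-}
-
-# vim:syntax=apparmor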
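--- a/PATH-NOT-SHOWN/aa-enforce
+++ /dev/null
@@ -1,41 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/aa-enforce @{bin}/aa-complain @{bin}/aa-audit @{bin}/aa-disable
-profile aa-enforce @{exec_path} {
-include <abstractions/base>
-include <abstractions/consoles>
-include <abstractions/python>
-
-capability dac_read_search,
-
-@{exec_path} mr,
-
-@{bin}/ r,
-@{bin}/apparmor_parser rPx,
-
-/usr/share/terminfo/** r,
-
-/etc/apparmor/logprof.conf r,
-/etc/apparmor.d/{,**} rw,
-
-@{etc_ro}/inputrc r,
-@{etc_ro}/inputrc.keys r,
-
-owner /snap/core@{int}/@{int}/etc/apparmor.d/{,**} rw,
-owner /var/lib/snapd/apparmor/{,**} rw,
-
-owner @{tmp}/@{rand8} rw,
-owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
-
-@{PROC}/@{pid}/fd/ r,
-
-include if exists <local/aa-enforce>
-}
-
-# vim:syntax=apparmor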
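--- a/PATH-NOT-SHOWN/aa-log
+++ /dev/null
@@ -1,37 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/aa-log
-profile aa-log @{exec_path} {
-include <abstractions/base>
-include <abstractions/consoles>
-include <abstractions/nameservice-strict>
-
-capability dac_read_search,
-
-@{exec_path} mr,
-
-@{bin}/journalctl rix,
-
-/etc/machine-id r,
-/var/lib/dbus/machine-id r,
-
-/var/log/audit/* r,
-/var/log/syslog* r,
-
-/{run,var}/log/journal/ r,
-/{run,var}/log/journal/@{hex32}/{,*} r,
-
-@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
-/dev/tty@{int} rw,
-
-include if exists <local/aa-log>
-}
-
-# vim:syntax=apparmor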
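--- a/PATH-NOT-SHOWN/aa-notify
+++ /dev/null
@@ -1,49 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/aa-notify
-profile aa-notify @{exec_path} {
-include <abstractions/base>
-include <abstractions/bus-session>
-include <abstractions/consoles>
-include <abstractions/nameservice-strict>
-include <abstractions/python>
-
-capability setgid,
-capability setuid,
-capability sys_ptrace,
-
-ptrace read,
-
-@{exec_path} mr,
-
-@{bin}/ r,
-
-/usr/share/terminfo/** r,
-
-@{etc_ro}/inputrc r,
-@{etc_ro}/inputrc.keys r,
-/etc/apparmor.d/{,**} r,
-/etc/apparmor/*.conf r,
-
-/var/log/audit/audit.log r,
-
-owner @{HOME}/.inputrc r,
-owner @{HOME}/.terminfo/@{int}/dumb r,
-
-owner @{tmp}/@{word8} rw,
-owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
-
-@{PROC}/ r,
-@{PROC}/@{pid}/stat r,
-@{PROC}/@{pid}/cmdline r,
-
-include if exists <local/aa-notify>
-}
-
-# vim:syntax=apparmor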
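--- a/PATH-NOT-SHOWN/aa-status
+++ /dev/null
@@ -1,34 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/aa-status @{bin}/apparmor_status
-profile aa-status @{exec_path} {
-include <abstractions/base>
-include <abstractions/consoles>
-
-capability dac_read_search,
-capability sys_ptrace,
-
-ptrace read,
-
-@{exec_path} mr,
-
-@{sys}/kernel/security/apparmor/profiles r,
-@{sys}/module/apparmor/parameters/enabled r,
-
-@{PROC}/ r,
-@{PROC}/@{pids}/attr/apparmor/current r,
-@{PROC}/@{pids}/attr/current r,
-owner @{PROC}/@{pid}/mounts r,
-
-/dev/tty@{int} rw,
-
-include if exists <local/aa-status>
-}
-
-# vim:syntax=apparmor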
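--- a/PATH-NOT-SHOWN/aa-teardown
+++ /dev/null
@@ -1,28 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/aa-teardown
-profile aa-teardown @{exec_path} {
-include <abstractions/base>
-include <abstractions/consoles>
-
-capability dac_read_search,
-
-@{exec_path} mr,
-
-@{sh_path} rix,
-@{lib}/apparmor/apparmor.systemd rPx,
-
-/usr/share/terminfo/** r,
-
-/dev/tty rw,
-
-include if exists <local/aa-teardown>
-}
-
-# vim:syntax=apparmor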
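--- a/PATH-NOT-SHOWN/aa-unconfined
+++ /dev/null
@@ -1,44 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/aa-unconfined
-profile aa-unconfined @{exec_path} flags=(attach_disconnected) {
-include <abstractions/base>
-include <abstractions/consoles>
-include <abstractions/python>
-
-capability dac_read_search,
-capability sys_ptrace,
-
-ptrace read,
-
-@{exec_path} mr,
-
-@{bin}/ r,
-@{bin}/netstat Px,
-@{bin}/ss Px,
-
-/usr/share/terminfo/** r,
-
-/etc/apparmor/logprof.conf r,
-@{etc_ro}/inputrc r,
-
-owner @{tmp}/@{rand8} rw,
-owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
-owner /var/tmp/@{rand8} rw,
-
-@{PROC}/ r,
-@{PROC}/@{pid}/cmdline r,
-@{PROC}/@{pids}/attr/apparmor/current r,
-@{PROC}/@{pids}/attr/current r,
-owner @{PROC}/@{pid}/mounts r,
-
-include if exists <local/aa-unconfined>
-}
-
-# vim:syntax=apparmor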
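--- a/PATH-NOT-SHOWN/apparmor.systemd
+++ /dev/null
@@ -1,53 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/apparmor/apparmor.systemd
-profile apparmor.systemd @{exec_path} flags=(complain) {
-include <abstractions/base>
-include <abstractions/consoles>
-include <abstractions/nameservice-strict>
-
-capability dac_read_search,
-capability mac_admin,
-
-@{exec_path} mr,
-
-@{sh_path} rix,
-@{bin}/{,e}grep rix,
-@{bin}/aa-status rPx,
-@{bin}/apparmor_parser rPx,
-@{bin}/getconf rix,
-@{bin}/ls rix,
-@{bin}/sed rix,
-@{bin}/cat rix,
-@{bin}/sort rix,
-@{bin}/sysctl rix,
-@{bin}/systemd-detect-virt rPx,
-@{bin}/xargs rix,
-
-@{lib}/apparmor/rc.apparmor.functions r,
-
-/etc/apparmor.d/ r,
-
-@{sys}/fs/cgroup/systemd/ r,
-@{sys}/kernel/security/apparmor/{,**} r,
-@{sys}/kernel/security/apparmor/.remove rw,
-@{sys}/module/apparmor/ r,
-
-@{PROC}/@{pids}/fd/ r,
-@{PROC}/@{pids}/maps r,
-@{PROC}/@{pids}/mounts r,
-@{PROC}/mounts r,
-@{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r,
-
-/dev/tty rw,
-
-include if exists <local/apparmor.systemd>
-}
-
-# vim:syntax=apparmor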
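--- a/PATH-NOT-SHOWN/apparmor_parser
+++ /dev/null
@@ -1,54 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib}
-
-@{exec_path} = @{bin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser
-profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
-include <abstractions/base>
-include <abstractions/consoles>
-
-capability mac_admin,
-
-@{exec_path} mr,
-
-@{lib_dirs}/@{multiarch}/** mr,
-@{lib_dirs}/snapd/apparmor.d/{,**} r,
-@{lib_dirs}/snapd/apparmor/{,**} r,
-
-/etc/apparmor.d/{,**} r,
-/etc/apparmor.d/cache.d/{,**} rw,
-/etc/apparmor/{,**} r,
-/etc/apparmor/cache.d/{,**} rw,
-/etc/apparmor/earlypolicy/{,**} rw,
-
-/usr/share/apparmor-features/{,**} r,
-/usr/share/apparmor/{,**} r,
-
-owner /snap/core@{int}/@{int}/etc/apparmor.d/{,**} r,
-owner /snap/core@{int}/@{int}/etc/apparmor/* r,
-owner /var/cache/apparmor/{,**} rw,
-owner /var/lib/docker/tmp/docker-default@{int} r,
-owner /var/lib/snapd/apparmor/{,**} r,
-owner /var/snap/lxd/common/lxd/security/apparmor/{,**} rw,
-
-owner @{tmp}/cri-containerd.apparmor.d@{int} r,
-
-@{sys}/kernel/security/apparmor/{,**} r,
-owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,
-
-@{PROC}/sys/kernel/osrelease r,
-owner @{PROC}/@{pid}/mounts r,
-
-deny network netlink raw, # file_inherit
-deny /apparmor/.null rw,
-
-include if exists <local/apparmor_parser>
-}
-
-# vim:syntax=apparmor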
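--- a/PATH-NOT-SHOWN/cups-backend-beh
+++ /dev/null
@@ -1,20 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/cups/backend/beh
-profile cups-backend-beh @{exec_path} {
-include <abstractions/base>
-
-@{exec_path} mr,
-
-/etc/papersize r,
-
-include if exists <local/cups-backend-beh>
-}
-
-# vim:syntax=apparmor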
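--- a/PATH-NOT-SHOWN/cups-backend-bluetooth
+++ /dev/null
@@ -1,20 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/cups/backend/bluetooth
-profile cups-backend-bluetooth @{exec_path} {
-include <abstractions/base>
-
-@{exec_path} mr,
-
-/etc/papersize r,
-
-include if exists <local/cups-backend-bluetooth>
-}
-
-# vim:syntax=apparmor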
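--- a/PATH-NOT-SHOWN/cups-backend-brf
+++ /dev/null
@@ -1,22 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/cups/backend/cups-brf
-profile cups-backend-brf @{exec_path} {
-include <abstractions/base>
-
-capability setuid,
-
-@{exec_path} mr,
-
-/etc/papersize r,
-
-include if exists <local/cups-backend-brf>
-}
-
-# vim:syntax=apparmor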
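--- a/PATH-NOT-SHOWN/cups-backend-dnssd
+++ /dev/null
@@ -1,21 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/cups/backend/dnssd
-profile cups-backend-dnssd @{exec_path} {
-include <abstractions/base>
-include <abstractions/bus/org.freedesktop.Avahi>
-
-@{exec_path} mr,
-
-/etc/papersize r,
-
-include if exists <local/cups-backend-dnssd>
-}
-
-# vim:syntax=apparmor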
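--- a/PATH-NOT-SHOWN/cups-backend-hp
+++ /dev/null
@@ -1,20 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/cups/backend/hp{,fax}
-profile cups-backend-hp @{exec_path} {
-include <abstractions/base>
-
-@{exec_path} mr,
-
-/etc/papersize r,
-
-include if exists <local/cups-backend-hp>
-}
-
-# vim:syntax=apparmor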
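--- a/PATH-NOT-SHOWN/cups-backend-implicitclass
+++ /dev/null
@@ -1,20 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/cups/backend/implicitclass
-profile cups-backend-implicitclass @{exec_path} {
-include <abstractions/base>
-
-@{exec_path} mr,
-
-/etc/papersize r,
-
-include if exists <local/cups-backend-implicitclass>
-}
-
-# vim:syntax=apparmor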
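--- a/PATH-NOT-SHOWN/cups-backend-ipp
+++ /dev/null
@@ -1,20 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/cups/backend/ipp
-profile cups-backend-ipp @{exec_path} {
-include <abstractions/base>
-
-@{exec_path} mr,
-
-/etc/papersize r,
-
-include if exists <local/cups-backend-ipp>
-}
-
-# vim:syntax=apparmor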
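--- a/PATH-NOT-SHOWN/cups-backend-lpd
+++ /dev/null
@@ -1,20 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/cups/backend/lpd
-profile cups-backend-lpd @{exec_path} {
-include <abstractions/base>
-
-@{exec_path} mr,
-
-/etc/papersize r,
-
-include if exists <local/cups-backend-lpd>
-}
-
-# vim:syntax=apparmor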
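--- a/PATH-NOT-SHOWN/cups-backend-mdns
+++ /dev/null
@@ -1,20 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/cups/backend/mdns
-profile cups-backend-mdns @{exec_path} {
-include <abstractions/base>
-
-@{exec_path} mr,
-
-/etc/papersize r,
-
-include if exists <local/cups-backend-mdns>
-}
-
-# vim:syntax=apparmor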
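--- a/PATH-NOT-SHOWN/cups-backend-parallel
+++ /dev/null
@@ -1,20 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/cups/backend/parallel
-profile cups-backend-parallel @{exec_path} {
-include <abstractions/base>
-
-@{exec_path} mr,
-
-/etc/papersize r,
-
-include if exists <local/cups-backend-parallel>
-}
-
-# vim:syntax=apparmor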
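--- a/PATH-NOT-SHOWN/cups-backend-pdf
+++ /dev/null
@@ -1,48 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/cups/backend/cups-pdf
-profile cups-backend-pdf @{exec_path} {
-include <abstractions/base>
-include <abstractions/fonts>
-include <abstractions/nameservice-strict>
-include <abstractions/user-download-strict>
-
-capability chown,
-capability setgid,
-capability setuid,
-capability dac_override,
-
-unix peer=(label=cupsd),
-
-@{exec_path} mr,
-
-@{sh_path} rix,
-@{bin}/cp rix,
-@{bin}/gs rix,
-@{bin}/gsc rix,
-@{lib}/ghostscript/** mr,
-
-/usr/share/ghostscript/{,**} r,
-
-/etc/papersize r,
-/etc/cups/ r,
-/etc/cups/cups-pdf.conf r,
-/etc/cups/ppd/*.ppd r,
-
-/var/log/cups/cups-pdf*_log w,
-/var/spool/cups-pdf/{,**} rw,
-/var/spool/cups/** r,
-/var/tmp/gs_* rw,
-
-/dev/tty rw,
-
-include if exists <local/cups-backend-pdf>
-}
-
-# vim:syntax=apparmor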
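--- a/PATH-NOT-SHOWN/cups-backend-serial
+++ /dev/null
@@ -1,22 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/cups/backend/serial
-profile cups-backend-serial @{exec_path} {
-include <abstractions/base>
-
-@{exec_path} mr,
-
-/etc/papersize r,
-
-/dev/ttyS@{int} w,
-
-include if exists <local/cups-backend-serial>
-}
-
-# vim:syntax=apparmor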
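--- a/PATH-NOT-SHOWN/cups-backend-snmp
+++ /dev/null
@@ -1,26 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/cups/backend/snmp
-profile cups-backend-snmp @{exec_path} {
-include <abstractions/base>
-include <abstractions/nameservice-strict>
-
-network inet dgram,
-network inet6 dgram,
-network netlink raw,
-
-@{exec_path} mr,
-
-/etc/cups/snmp.conf r,
-/etc/papersize r,
-
-include if exists <local/cups-backend-snmp>
-}
-
-# vim:syntax=apparmor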
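--- a/PATH-NOT-SHOWN/cups-backend-socket
+++ /dev/null
@@ -1,20 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/cups/backend/socket
-profile cups-backend-socket @{exec_path} {
-include <abstractions/base>
-
-@{exec_path} mr,
-
-/etc/papersize r,
-
-include if exists <local/cups-backend-socket>
-}
-
-# vim:syntax=apparmor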
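--- a/PATH-NOT-SHOWN/cups-backend-usb
+++ /dev/null
@@ -1,28 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/cups/backend/usb
-profile cups-backend-usb @{exec_path} {
-include <abstractions/base>
-include <abstractions/devices-usb>
-
-capability net_admin,
-
-network netlink raw,
-
-@{exec_path} mr,
-
-/usr/share/cups/usb/{,**} r,
-
-/etc/cups/ppd/*.ppd r,
-/etc/papersize r,
-
-include if exists <local/cups-backend-usb>
-}
-
-# vim:syntax=apparmor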
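--- a/PATH-NOT-SHOWN/cups-browsed
+++ /dev/null
@@ -1,55 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/cups-browsed
-profile cups-browsed @{exec_path} {
-include <abstractions/base>
-include <abstractions/bus-system>
-include <abstractions/bus/org.freedesktop.Avahi>
-include <abstractions/bus/org.freedesktop.NetworkManager>
-include <abstractions/cups-client>
-include <abstractions/nameservice-strict>
-include <abstractions/p11-kit>
-
-capability net_admin,
-capability net_bind_service,
-capability sys_nice,
-
-network inet dgram,
-network inet6 dgram,
-network inet stream,
-network inet6 stream,
-network netlink raw,
-
-dbus receive bus=system path=/
-interface=org.freedesktop.Avahi.Server
-member=StateChanged
-peer=(name=:*, label=avahi-daemon),
-
-dbus receive bus=system path=/org/freedesktop/NetworkManager
-interface=org.freedesktop.NetworkManager
-member=CheckPermissions
-peer=(name=:*, label=NetworkManager),
-
-@{exec_path} mr,
-
-/usr/share/cups/locale/{,**} r,
-
-/etc/cups/{,**} r,
-
-/var/cache/cups/{,**} rw,
-/var/log/cups/{,**} rw,
-
-@{run}/cups/certs/* r,
-
-@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
-
-include if exists <local/cups-browsed>
-}
-
-# vim:syntax=apparmor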
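--- a/PATH-NOT-SHOWN/cups-notifier-dbus
+++ /dev/null
@@ -1,28 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/cups/notifier/dbus
-profile cups-notifier-dbus @{exec_path} {
-include <abstractions/base>
-include <abstractions/bus-session>
-include <abstractions/bus-system>
-include <abstractions/cups-client>
-include <abstractions/nameservice-strict>
-
-signal (receive) set=(term) peer=cupsd,
-
-@{exec_path} mr,
-
-owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw,
-
-owner @{tmp}/cups-dbus-notifier-lockfile rwk,
-
-include if exists <local/cups-notifier-dbus>
-}
-
-# vim:syntax=apparmor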
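--- a/PATH-NOT-SHOWN/cups-notifier-mailto
+++ /dev/null
@@ -1,18 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/cups/notifier/mailto
-profile cups-notifier-mailto @{exec_path} {
-include <abstractions/base>
-
-@{exec_path} mr,
-
-include if exists <local/cups-notifier-mailto>
-}
-
-# vim:syntax=apparmor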
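--- a/PATH-NOT-SHOWN/cups-notifier-rss
+++ /dev/null
@@ -1,18 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/cups/notifier/rss
-profile cups-notifier-rss @{exec_path} {
-include <abstractions/base>
-
-@{exec_path} mr,
-
-include if exists <local/cups-notifier-rss>
-}
-
-# vim:syntax=apparmor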
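--- a/PATH-NOT-SHOWN/cups-pk-helper-mechanism
+++ /dev/null
@@ -1,36 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/{,cups-pk-helper/}cups-pk-helper-mechanism
-@{exec_path} += @{lib}/@{multiarch}/cups-pk-helper-mechanism
-profile cups-pk-helper-mechanism @{exec_path} {
-include <abstractions/base>
-include <abstractions/bus-system>
-include <abstractions/bus/org.freedesktop.PolicyKit1>
-include <abstractions/nameservice-strict>
-
-capability dac_read_search,
-capability sys_nice,
-
-network inet stream,
-network inet6 stream,
-
-#aa:dbus own bus=system name=org.opensuse.CupsPkHelper.Mechanism path=/
-
-@{exec_path} mr,
-
-/etc/cups/ppd/*.ppd r,
-
-owner @{tmp}/[a-z0-9]* rw,
-
-@{run}/cups/cups.sock rw,
-
-include if exists <local/cups-pk-helper-mechanism>
-}
-
-# vim:syntax=apparmor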
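--- a/PATH-NOT-SHOWN/cupsd
+++ /dev/null
@@ -1,106 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/cupsd
-profile cupsd @{exec_path} flags=(attach_disconnected) {
-include <abstractions/base>
-include <abstractions/authentication>
-include <abstractions/bus-system>
-include <abstractions/bus/org.freedesktop.Avahi>
-include <abstractions/bus/org.freedesktop.ColorManager>
-include <abstractions/nameservice-strict>
-include <abstractions/python>
-
-capability audit_write,
-capability chown,
-capability dac_override,
-capability dac_read_search,
-capability fowner,
-capability fsetid,
-capability kill,
-capability net_admin,
-capability net_bind_service,
-capability setgid,
-capability setuid,
-capability wake_alarm,
-
-network inet stream,
-network inet6 stream,
-
-network appletalk dgram,
-network ash dgram,
-network ax25 dgram,
-network bluetooth,
-network econet dgram,
-network ipx dgram,
-network netrom seqpacket,
-network rose dgram,
-network x25 seqpacket,
-
-signal (send) set=(term) peer=cups-notifier-dbus,
-
-@{exec_path} mr,
-
-@{sh_path} rix,
-@{bin}/cat rix,
-@{bin}/chmod rix,
-@{bin}/cp rix,
-@{bin}/grep rix,
-@{bin}/gs rix,
-@{bin}/gsc rix,
-@{bin}/hostname rix,
-@{bin}/ippfind rix,
-@{bin}/mktemp rix,
-@{bin}/printenv rix,
-@{bin}/python3.@{int} rix,
-@{bin}/rm rix,
-@{bin}/sed rix,
-@{bin}/smbspool rPx,
-@{bin}/touch rix,
-@{bin}/xz rix,
-@{lib}/cups/backend/* rPx,
-@{lib}/cups/cgi-bin/*.cgi rix,
-@{lib}/cups/daemon/* rix,
-@{lib}/cups/driver/* rix,
-@{lib}/cups/filter/* rix,
-@{lib}/cups/monitor/* rix,
-@{lib}/cups/notifier/* rPx,
-
-/usr/share/cups/{,**} r,
-/usr/share/ghostscript/{,**} r,
-/usr/share/poppler/{,**} r,
-/usr/share/ppd/{,**} r,
-
-/etc/cups/{,**} rw,
-/etc/foomatic/* r,
-/etc/papersize r,
-/etc/paperspecs r,
-/etc/pnm2ppa.conf r,
-/etc/printcap rwl,
-
-/var/cache/cups/ rw,
-/var/cache/cups/** rwk,
-/var/log/cups/{,*} rw,
-/var/spool/cups/{,**} rw,
-
-@{run}/cups/{,**} rw,
-@{run}/systemd/notify w,
-
-@{sys}/module/apparmor/parameters/enabled r,
-
-@{PROC}/@{pids}/fd/ r,
-owner @{PROC}/@{pid}/mounts r,
-
-owner @{tmp}/*_latest_print_info w,
-
-/dev/tty rw,
-
-include if exists <local/cupsd>
-}
-
-# vim:syntax=apparmor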
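--- a/PATH-NOT-SHOWN/flatpak
+++ /dev/null
@@ -1,149 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/flatpak
-profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) {
-include <abstractions/base>
-include <abstractions/bus-session>
-include <abstractions/bus-system>
-include <abstractions/bus/org.freedesktop.Accounts>
-include <abstractions/consoles>
-include <abstractions/dconf-write>
-include <abstractions/desktop>
-include <abstractions/nameservice-strict>
-include <abstractions/ssl_certs>
-
-userns,
-
-capability dac_override,
-capability dac_read_search,
-capability net_admin,
-capability sys_ptrace,
-
-network inet dgram,
-network inet6 dgram,
-network inet stream,
-network inet6 stream,
-network netlink raw,
-
-mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
-
-ptrace (read) peer=flatpak-app,
-
-signal send peer=flatpak-app,
-
-@{exec_path} mr,
-
-@{bin}/bwrap rPx -> flatpak-app,
-@{bin}/fusermount{,3} rCx -> fusermount,
-@{bin}/gpg rCx -> gpg,
-@{bin}/gpgconf rCx -> gpg,
-@{bin}/gpgsm rCx -> gpg,
-@{lib}/revokefs-fuse rix,
-
-/usr/share/flatpak/{,**} r,
-
-/etc/flatpak/{,**} r,
-/etc/pulse/client.conf r,
-
-/ r,
-
-/var/lib/flatpak/{,**} rwlk,
-
-/var/tmp/#@{int} rw,
-/var/tmp/flatpak-cache-@{rand6}/{,**/} r,
-owner /var/tmp/flatpak-cache-@{rand6}/{,**} rwk,
-
-owner @{HOME}/.var/ w,
-owner @{HOME}/.var/app/{,**} rw,
-
-# Can create dotfile directories for any app
-owner @{user_cache_dirs}/*/ w,
-owner @{user_config_dirs}/*/ w,
-owner @{user_share_dirs}/*/ w,
-owner @{user_games_dirs}/{,**/} w,
-owner @{user_documents_dirs}/ w,
-
-owner @{user_cache_dirs}/flatpak/{,**} rw,
-owner @{user_config_dirs}/pulse/client.conf r,
-owner @{user_config_dirs}/user-dirs.dirs r,
-
-@{user_share_dirs}/flatpak/{,**} r,
-owner @{user_share_dirs}/ r,
-owner @{user_share_dirs}/flatpak/{,**} rwl,
-
-owner @{tmp}/#@{int} rw,
-owner @{tmp}/ostree-gpg-@{rand6}/{,**} rw,
-owner /dev/shm/flatpak*/{,**} rw,
-
-@{run}/.userns r,
-@{run}/user/@{uid}/.dbus-proxy/ w,
-@{run}/user/@{uid}/dconf/user rw,
-owner @{run}/user/@{uid}/.dbus-proxy/* rw,
-owner @{run}/user/@{uid}/.flatpak-cache rw,
-owner @{run}/user/@{uid}/.flatpak/ rw,
-owner @{run}/user/@{uid}/.flatpak/** rwlk -> @{run}/user/@{uid}/.flatpak/**,
-owner @{run}/user/@{uid}/app/ w,
-owner @{run}/user/@{uid}/app/*/ w,
-owner @{run}/user/@{uid}/systemd/private rw,
-
-@{sys}/module/nvidia/version r,
-
-@{PROC}/sys/fs/pipe-max-size r,
-owner @{PROC}/@{pid}/fdinfo/@{int} r,
-owner @{PROC}/@{pid}/stat r,
-
-/dev/fuse rw,
-/dev/tty rw,
-/dev/tty@{int} rw,
-
-deny owner @{user_share_dirs}/gvfs-metadata/* r,
-
-profile gpg {
-include <abstractions/base>
-include <abstractions/consoles>
-
-capability dac_read_search,
-
-@{bin}/gpg{,2} mr,
-@{bin}/gpgconf mr,
-@{bin}/gpgsm mr,
-
-@{HOME}/@{XDG_GPG_DIR}/*.conf r,
-
-owner @{tmp}/ostree-gpg-@{rand6}/ rw,
-owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
-
-include if exists <local/flatpak_gpg>
-}
-
-profile fusermount {
-include <abstractions/base>
-include <abstractions/consoles>
-include <abstractions/nameservice-strict>
-
-capability sys_admin,
-
-mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
-umount /var/tmp/flatpak-cache-*/*/,
-
-@{bin}/fusermount{,3} mr,
-
-/etc/fuse.conf r,
-
-@{PROC}/@{pids}/mounts r,
-
-/dev/fuse rw,
-
-include if exists <local/flatpak_fusermount>
-}
-
-include if exists <local/flatpak>
-}
-
-# vim:syntax=apparmor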
@ -1,100 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Default profile for all flatpak applications. Ideally, this profile should be
|
||||
# generated by flatpak itself with settings from the flatpak manifest and
|
||||
# fully separated from bwrap.
|
||||
|
||||
# Note: This profile used to be split in two (flatpak-bwrap & flatpak-app) in order
|
||||
# to separate bwrap from the sandboxed app itself. It was generating issue with
|
||||
# zypak-sandbox, therefore the profiles have been merged. Meanwhile, to install
|
||||
# some applications, flatpak needs write access to the sandbox content. This is
|
||||
# done through bwrap and therefore in this profile.
|
||||
#
|
||||
# 1. All of this will have to be improved. However, as of today, it is the only
|
||||
# way to not break some (major) flatpak app.
|
||||
# 2. It is not a big deal as flatpak is responsible for the sandbox anyway.
|
||||
# This this only defence in depth.
|
||||
# 3. The main purpose of this profile is to ensure all processes are confined.
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/common/app>
|
||||
include <abstractions/common/bwrap>
|
||||
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
capability setuid, # Needed when bwrap is setup with setuid privileges.
|
||||
capability sys_resource,
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
network netlink dgram,
|
||||
network netlink raw,
|
||||
network unix stream,
|
||||
|
||||
ptrace (read),
|
||||
ptrace trace peer=flatpak-app,
|
||||
|
||||
signal receive peer=flatpak,
|
||||
signal receive set=(int term) peer=flatpak-portal,
|
||||
signal receive set=(int) peer=flatpak-session-helper,
|
||||
|
||||
@{bin}/** rmix,
|
||||
@{lib}/** rmix,
|
||||
/app/** rmix,
|
||||
/usr/plugins/** rmix,
|
||||
/usr/share/flatpak/triggers/* rix,
|
||||
/usr/share/runtime/** rmix,
|
||||
/var/lib/flatpak/app/*/**/@{bin}/** rmix,
|
||||
/var/lib/flatpak/app/*/**/@{lib}/** rmix,
|
||||
|
||||
@{run}/flatpak/app/*/**so* rm,
|
||||
@{run}/parent/@{bin}/** rmix,
|
||||
@{run}/parent/@{lib}/** rmix,
|
||||
@{run}/parent/app/** rmix,
|
||||
|
||||
@{bin}/gtk{,4}-update-icon-cache rPx -> flatpak-app//>k-update-icon-cache,
|
||||
@{bin}/update-desktop-database rPx -> flatpak-app//&update-desktop-database,
|
||||
@{bin}/update-mime-database rPx -> flatpak-app//&update-mime-database,
|
||||
@{bin}/xdg-dbus-proxy rPx -> flatpak-app//&xdg-dbus-proxy,
|
||||
|
||||
@{lib}/kf5/kioslave5 rPx,
|
||||
@{lib}/kf6/kioworker rPx,
|
||||
|
||||
/etc/**/ rw,
|
||||
/etc/shells rw,
|
||||
|
||||
/app/.ref rk,
|
||||
/app/extra/** rw,
|
||||
/app/lib/** rk,
|
||||
/bindfile@{rand6} rw,
|
||||
/usr/.ref rk,
|
||||
|
||||
/var/lib/flatpak/app/{,**} r,
|
||||
/var/lib/flatpak/exports/** rw,
|
||||
/var/tmp/etilqs_@{hex16} rw,
|
||||
|
||||
@{run}/.userns r,
|
||||
@{run}/parent/** r,
|
||||
@{run}/parent/app/.ref rk,
|
||||
@{run}/parent/usr/.ref rk,
|
||||
owner @{run}/flatpak/{,**} rk,
|
||||
owner @{run}/flatpak/app/** rw,
|
||||
owner @{run}/flatpak/doc/** rw,
|
||||
owner @{run}/ld-so-cache-dir/* rw,
|
||||
owner @{run}/user/ r,
|
||||
|
||||
include if exists <usr/flatpak-app.d>
|
||||
include if exists <local/flatpak-app>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/flatpak-oci-authenticator
|
||||
profile flatpak-oci-authenticator @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
|
||||
#aa:dbus own bus=session name=org.flatpak.Authenticator.Oci
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
include if exists <local/flatpak-oci-authenticator>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,49 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/flatpak-portal
|
||||
profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability sys_ptrace,
|
||||
|
||||
network netlink raw,
|
||||
|
||||
ptrace read,
|
||||
|
||||
signal send,
|
||||
|
||||
#aa:dbus own bus=session name=org.freedesktop.portal.Flatpak
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/flatpak rPx,
|
||||
|
||||
/usr/share/mime/mime.cache r,
|
||||
/usr/share/xdg-desktop-portal/portals/{,*.portal} r,
|
||||
|
||||
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
||||
|
||||
owner @{att}/ r,
|
||||
owner @{att}/.flatpak-info r,
|
||||
|
||||
owner @{HOME}/.var/app/*/**/.ref rw,
|
||||
owner @{HOME}/.var/app/*/**/logs/* rw,
|
||||
|
||||
owner @{user_config_dirs}/user-dirs.dirs r,
|
||||
owner @{user_share_dirs}/mime/mime.cache r,
|
||||
|
||||
owner @{run}/user/@{uid}/.flatpak/@{int}/* r,
|
||||
owner @{run}/user/@{uid}/.flatpak/@{int}-private/* r,
|
||||
|
||||
include if exists <local/flatpak-portal>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,61 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/flatpak-session-helper
|
||||
profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/p11-kit>
|
||||
include <abstractions/ssl_certs>
|
||||
|
||||
signal send set=(hup int) peer=user_unconfined,
|
||||
signal send set=(int) peer=@{p_systemd},
|
||||
signal send set=(int) peer=flatpak-app,
|
||||
|
||||
#aa:dbus own bus=session name=org.freedesktop.Flatpak
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{shells_path} rUx -> user_unconfined,
|
||||
@{bin}/dbus-monitor rPUx,
|
||||
@{bin}/env rix,
|
||||
@{bin}/flatpak rPx,
|
||||
@{bin}/getent rix,
|
||||
@{bin}/p11-kit rix,
|
||||
@{bin}/pkexec rCx -> pkexec,
|
||||
@{bin}/printenv rix,
|
||||
@{bin}/ps rPx,
|
||||
@{bin}/test rix,
|
||||
@{bin}/touch rix,
|
||||
@{lib}/p11-kit/p11-kit-remote rix,
|
||||
@{lib}/p11-kit/p11-kit-server rix,
|
||||
/var/lib/flatpak/app/*/**/@{bin}/** rPx -> flatpak-app,
|
||||
/var/lib/flatpak/app/*/**/@{lib}/** rPx -> flatpak-app,
|
||||
|
||||
owner @{user_config_dirs}/mimeapps.list w,
|
||||
|
||||
owner @{run}/user/@{uid}/.flatpak-helper/{,**} rw,
|
||||
owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-@{int} rw,
|
||||
|
||||
owner @{PROC}/@{pids}/fd/ r,
|
||||
|
||||
/dev/ptmx rw,
|
||||
|
||||
profile pkexec {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app/pkexec>
|
||||
|
||||
include if exists <local/flatpak-session-helper_pkexec>
|
||||
}
|
||||
|
||||
include if exists <local/flatpak-session-helper>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,78 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/flatpak-system-helper
|
||||
profile flatpak-system-helper @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/p11-kit>
|
||||
include <abstractions/ssl_certs>
|
||||
|
||||
capability chown,
|
||||
capability dac_override,
|
||||
capability fowner,
|
||||
capability net_admin,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
capability sys_nice,
|
||||
capability sys_ptrace,
|
||||
|
||||
ptrace (read),
|
||||
|
||||
#aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/bwrap rPUx,
|
||||
@{bin}/gpg{,2} rCx -> gpg,
|
||||
@{bin}/gpgconf rCx -> gpg,
|
||||
@{bin}/gpgsm rCx -> gpg,
|
||||
@{lib}/revokefs-fuse rix,
|
||||
|
||||
/etc/flatpak/{,**} r,
|
||||
/etc/machine-id r,
|
||||
|
||||
/usr/share/flatpak/remotes.d/ r,
|
||||
/usr/share/flatpak/triggers/ r,
|
||||
/usr/share/mime/mime.cache r,
|
||||
|
||||
/var/lib/flatpak/{,**} rwkl,
|
||||
/var/tmp/flatpak-cache-*/{,**} rw,
|
||||
|
||||
owner /{var/,}tmp/#@{int} rw,
|
||||
owner /{var/,}tmp/ostree-gpg-@{rand6}/ rw,
|
||||
owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
|
||||
|
||||
@{PROC}/@{pid}/stat r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/fdinfo/@{int} r,
|
||||
|
||||
profile gpg {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
@{bin}/gpg{,2} mr,
|
||||
@{bin}/gpgconf mr,
|
||||
@{bin}/gpgsm mr,
|
||||
|
||||
@{lib}/{,gnupg/}scdaemon rix,
|
||||
@{bin}/gpg-agent rix,
|
||||
|
||||
owner @{tmp}/ostree-gpg-@{rand6}/ r,
|
||||
owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
|
||||
include if exists <local/flatpak-system-helper_gpg>
|
||||
}
|
||||
|
||||
include if exists <local/flatpak-system-helper>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,18 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/flatpak-validate-icon
|
||||
profile flatpak-validate-icon @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
include if exists <local/flatpak-validate-icon>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||