felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore: reorganise the freedesktop group.

Browse source
This commit is contained in:
Alexandre Pujol 2022-05-07 13:18:36 +01:00
parent 3f664e5b2c
commit 940c9de083
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
61 changed files with 0 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

120
apparmor.d/profiles-a-f/blueman Normal file
View file

@ -0,0 +1,120 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/blueman-*
profile blueman @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/python>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict>
include <abstractions/audio>
network inet stream,
network inet6 stream,
network bluetooth raw,
ptrace (read) peer=gjs-console,
@{exec_path} mrix,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/blueman-tray rPx,
/{usr/,}bin/ r,
/{usr/,}bin/{b,d}ash rix,
/{usr/,}bin/xdg-open rCx -> open,
/usr/share/blueman/{,**} r,
/usr/share/X11/xkb/{,**} r,
owner @{user_cache_dirs}/blueman-tray-[0-9]* rw,
owner @{user_cache_dirs}/blueman-services-[0-9]* rw,
owner @{user_cache_dirs}/blueman-adapters-[0-9]* rw,
owner @{user_cache_dirs}/blueman-manager-[0-9]* rw,
owner @{user_cache_dirs}/blueman-applet-[0-9]* rw,
owner @{user_cache_dirs}/obexd/ rw,
owner @{user_cache_dirs}/obexd/* rw,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{HOME}/ r,
owner @{HOME}/bluetooth*/ r,
owner @{HOME}/bluetooth*/* rw,
# For sending a note (disabled since the feature doesn't seem to work)
#owner /tmp/* rw,
#owner /var/tmp/* rw,
#owner /tmp/note*.vnt rw,
/var/lib/blueman/network.state r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/@{pids}/cmdline r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/dev/tty rw,
/dev/rfkill r,
/dev/shm/ r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
# file_inherit
/dev/dri/card[0-9]* rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/xprop rix,
/{usr/,}bin/file rix,
/{usr/,}bin/dbus-send rix,
/{usr/,}bin/mimetype rix,
/usr/share/perl5/** r,
/etc/magic r,
owner @{HOME}/ r,
owner @{HOME}/bluetooth*/* r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/spacefm rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/blueman>
}

48
apparmor.d/profiles-a-f/blueman-mechanism Normal file
View file

@ -0,0 +1,48 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/blueman-mechanism
@{exec_path} += /{usr/,}lib/blueman/blueman-mechanism
profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/python>
include <abstractions/nameservice-strict>
capability mknod,
capability net_admin,
capability sys_nice,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
/{usr/,}bin/python3.[0-9]* r,
@{libexec}/ r,
/var/lib/blueman/network.state rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
/dev/rfkill rw,
# For network AP
#/{usr/,}bin/ip rix,
#/{usr/,}{s,}bin/xtables-nft-multi rix,
#/{usr/,}{s,}bin/dnsmasq rPx,
#/{usr/,}{s,}bin/dhclient rPx,
# @{PROC}/sys/net/ipv4/ip_forward w,
# @{PROC}/sys/net/ipv4/conf/ r,
# @{PROC}/sys/net/ipv4/conf/*/forwarding w,
#owner @{run}/blueman-iptables rw,
#owner @{run}/blueman-netconfig rw,
include if exists <local/blueman-mechanism>
}

24
apparmor.d/profiles-a-f/blueman-rfcomm-watcher Normal file
View file

@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/blueman-rfcomm-watcher
profile blueman-rfcomm-watcher @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
@{libexec}/ r,
owner @{PROC}/@{pid}/mounts r,
owner @{HOME}/.Xauthority r,
include if exists <local/blueman-rfcomm-watcher>
}

16
apparmor.d/profiles-a-f/bluemoon Normal file
View file

@ -0,0 +1,16 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/bluemoon
profile bluemoon @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/bluemoon>
}

22
apparmor.d/profiles-a-f/bluetoothctl Normal file
View file

@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/bluetoothctl
profile bluetoothctl @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/inputrc r,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/.bluetoothctl_history rw,
owner @{user_cache_dirs}/.bluetoothctl_history-@{pid}.tmp rw,
include if exists <local/bluetoothctl>
}

46
apparmor.d/profiles-a-f/bluetoothd Normal file
View file

@ -0,0 +1,46 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/bluetooth/bluetoothd
@{exec_path} += @{libexec}/bluetooth/bluetoothd
profile bluetoothd @{exec_path} {
include <abstractions/base>
# Needed for configuring HCI interfaces
capability net_admin,
capability net_bind_service,
network bluetooth raw,
network bluetooth seqpacket,
network bluetooth stream,
network alg seqpacket,
network netlink raw,
@{exec_path} mr,
/{usr/,}lib/@{multiarch}/bluetooth/plugins/*.so mr,
/etc/bluetooth/{,*.conf} r,
/dev/uhid rw,
/dev/uinput rw,
/dev/rfkill rw,
/dev/hidraw[0-9]* rw,
@{run}/sdp rw,
@{run}/udev/data/+hid:* r,
@{sys}/devices/virtual/dmi/id/chassis_type r,
@{sys}/devices/platform/**/rfkill/**/name r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/bluetooth/**/{uevent,name} r,
/var/lib/bluetooth/{,**} rw,
include if exists <local/bluetoothd>
}

27
apparmor.d/profiles-a-f/fc-cache
View file

@ -1,27 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/fc-cache{,-32}
profile fc-cache @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-write>
@{exec_path} mr,
/var/cache/fontconfig/{,**} rw,
/var/cache/fontconfig/*.cache-[0-9]* rwk,
/var/cache/fontconfig/*.cache-[0-9]*.LCK rwl,
/var/cache/fontconfig/CACHEDIR.TAG.LCK rwl,
# Silencer
deny network inet6 stream,
deny network inet stream,
include if exists <local/fc-cache>
}

18
apparmor.d/profiles-a-f/fc-list
View file

@ -1,18 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/fc-list
profile fc-list @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
/{usr/,}bin/fc-list mr,
include if exists <local/fc-list>
}