felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

tunables

Browse source
This commit is contained in:
nobody43 2023-08-05 20:56:08 +00:00
parent 4894d6a3c4
commit 9c598f7a04
89 changed files with 196 additions and 141 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/abstractions/X-strict
View file

@ -28,7 +28,7 @@
@{run}/user/@{uid}/xauth_* rl, @{run}/user/@{uid}/xauth_* rl,
# Xwayland # Xwayland
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
/etc/X11/cursors/{,**} r, /etc/X11/cursors/{,**} r,
/usr/share/X11/{,**} r, /usr/share/X11/{,**} r,

8
apparmor.d/abstractions/qt5-shader-cache
View file

@ -6,10 +6,10 @@
abi <abi/3.0>, abi <abi/3.0>,
owner @{user_cache_dirs}/qtshadercache/ rw, owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw, owner @{user_cache_dirs}/qtshadercache/#@{number} rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{number},
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/ rw, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/ rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{number} rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{number},
include if exists <abstractions/qt5-shader-cache.d> include if exists <abstractions/qt5-shader-cache.d>

2
apparmor.d/groups/akonadi/akonadi_archivemail_agent
View file

@ -31,7 +31,7 @@ profile akonadi_archivemail_agent @{exec_path} {
owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/#[0-9]* rw, owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/akonadi_archivemail_agentrc r, owner @{user_config_dirs}/akonadi_archivemail_agentrc r,
owner @{user_config_dirs}/akonadi/agent_config_akonadi_archivemail_agent r, owner @{user_config_dirs}/akonadi/agent_config_akonadi_archivemail_agent r,
owner @{user_config_dirs}/akonadi/agent_config_akonadi_archivemail_agent_changes{,.dat} rw, owner @{user_config_dirs}/akonadi/agent_config_akonadi_archivemail_agent_changes{,.dat} rw,

2
apparmor.d/groups/akonadi/akonadi_mailfilter_agent
View file

@ -36,7 +36,7 @@ profile akonadi_mailfilter_agent @{exec_path} {
owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/#[0-9]* rw, owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/agent_config_akonadi_mailfilter_agent r, owner @{user_config_dirs}/agent_config_akonadi_mailfilter_agent r,
owner @{user_config_dirs}/akonadi_*_resource_*rc r, owner @{user_config_dirs}/akonadi_*_resource_*rc r,
owner @{user_config_dirs}/akonadi_mailfilter_agentrc r, owner @{user_config_dirs}/akonadi_mailfilter_agentrc r,

2
apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent
View file

@ -33,7 +33,7 @@ profile akonadi_newmailnotifier_agent @{exec_path} {
owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/#[0-9]* rw, owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/akonadi_newmailnotifier_agentrc r, owner @{user_config_dirs}/akonadi_newmailnotifier_agentrc r,
owner @{user_config_dirs}/akonadi/agent_config_akonadi_newmailnotifier_agent_changes{,_changes.dat,.dat} rw, owner @{user_config_dirs}/akonadi/agent_config_akonadi_newmailnotifier_agent_changes{,_changes.dat,.dat} rw,
owner @{user_config_dirs}/akonadi/akonadiconnectionrc r, owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,

2
apparmor.d/groups/apt/apt
View file

@ -239,7 +239,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
@{bin}/systemd-tty-ask-password-agent rix, @{bin}/systemd-tty-ask-password-agent rix,
owner @{run}/systemd/ask-password-block/* rw, owner @{run}/systemd/ask-password-block/{,*} rw,
owner @{run}/systemd/ask-password/ rw, owner @{run}/systemd/ask-password/ rw,
owner @{run}/systemd/private rw, owner @{run}/systemd/private rw,

2
apparmor.d/groups/apt/dpkg-query
View file

@ -22,7 +22,7 @@ profile dpkg-query @{exec_path} {
/var/lib/dpkg/** r, /var/lib/dpkg/** r,
# file_inherit # file_inherit
/tmp/#[0-9]*[0-9] rw, /tmp/#@{number} rw,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,
include if exists <local/dpkg-query> include if exists <local/dpkg-query>

3
apparmor.d/groups/browsers/firefox
View file

@ -189,7 +189,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
owner @{user_config_dirs}/ r, owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r,
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]*} r, owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
owner @{user_config_dirs}/mimeapps.list{,.*} rw, owner @{user_config_dirs}/mimeapps.list{,.*} rw,
owner @{user_share_dirs}/ r, owner @{user_share_dirs}/ r,

8
apparmor.d/groups/bus/ibus-dconf
View file

@ -33,16 +33,16 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
/etc/dconf/db/ibus r, /etc/dconf/db/ibus r,
/etc/dconf/profile/ibus r, /etc/dconf/profile/ibus r,
/var/lib/gdm{3,}/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r, /var/lib/gdm{3,}/.config/ibus/bus/ r,
/var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9]* r, /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
/var/lib/gdm{3,}/.cache/dconf/ w, /var/lib/gdm{3,}/.cache/dconf/ w,
/var/lib/gdm{3,}/.cache/dconf/user rw, /var/lib/gdm{3,}/.cache/dconf/user rw,
/var/lib/gdm{3,}/.config/dconf/ w, /var/lib/gdm{3,}/.config/dconf/ w,
/var/lib/gdm{3,}/.config/dconf/user rw, /var/lib/gdm{3,}/.config/dconf/user rw,
/var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/gdm{3,}/greeter-dconf-defaults r,
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r, owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/@{hex}-unix-[0-9]* r, owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,

4
apparmor.d/groups/bus/ibus-engine-simple
View file

@ -21,8 +21,8 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r, /etc/machine-id r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/var/lib/gdm{3,}/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r, /var/lib/gdm{3,}/.config/ibus/bus/ r,
/var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9] r, /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,

4
apparmor.d/groups/bus/ibus-extension-gtk3
View file

@ -73,10 +73,10 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) {
/usr/share/icons/{,**} r, /usr/share/icons/{,**} r,
/usr/share/X11/xkb/** r, /usr/share/X11/xkb/** r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,
/var/lib/gdm{3,}/.config/ibus/bus/*-unix{,-wayland}-[0-9]* r, /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
/var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/gdm{3,}/greeter-dconf-defaults r,

2
apparmor.d/groups/bus/ibus-memconf
View file

@ -17,7 +17,7 @@ profile ibus-memconf @{exec_path} {
/etc/machine-id r, /etc/machine-id r,
/var/lib/gdm{3,}/.config/ibus/bus/ r, /var/lib/gdm{3,}/.config/ibus/bus/ r,
/var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9]* r, /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
include if exists <local/ibus-memconf> include if exists <local/ibus-memconf>
} }

2
apparmor.d/groups/bus/ibus-portal
View file

@ -38,7 +38,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/var/lib/gdm{3,}/.config/ibus/bus/ r, /var/lib/gdm{3,}/.config/ibus/bus/ r,
/var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r, /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,

6
apparmor.d/groups/bus/ibus-x11
View file

@ -45,13 +45,13 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/var/lib/gdm{3,}/.config/ibus/bus/ r, /var/lib/gdm{3,}/.config/ibus/bus/ r,
/var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix{,-wayland}-[0-9] r, /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/@{hex}-unix{,-wayland}-[0-9] r, owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,

2
apparmor.d/groups/children/child-dpkg
View file

@ -45,7 +45,7 @@ profile child-dpkg {
/var/log/dpkg.log ra, /var/log/dpkg.log ra,
# file_inherit # file_inherit
/tmp/#[0-9]*[0-9] rw, /tmp/#@{number} rw,
include if exists <local/child-dpkg> include if exists <local/child-dpkg>
} }

2
apparmor.d/groups/children/child-dpkg-divert
View file

@ -26,7 +26,7 @@ profile child-dpkg-divert {
/var/lib/dpkg/diversions r, /var/lib/dpkg/diversions r,
# file_inherit # file_inherit
/tmp/#[0-9]*[0-9] rw, /tmp/#@{number} rw,
include if exists <local/child-dpkg-divert> include if exists <local/child-dpkg-divert>
} }

8
apparmor.d/groups/children/child-systemctl
View file

@ -39,10 +39,10 @@ profile child-systemctl flags=(attach_disconnected) {
/etc/systemd/user/{,**} rwl, /etc/systemd/user/{,**} rwl,
/{run,var}/log/journal/ r, /{run,var}/log/journal/ r,
/{run,var}/log/journal/@{hex}/ r, /{run,var}/log/journal/@{md5}/ r,
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* r, /{run,var}/log/journal/@{md5}/user-@{hex}.journal* r,
/{run,var}/log/journal/@{hex}/system.journal* r, /{run,var}/log/journal/@{md5}/system.journal* r,
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* r, /{run,var}/log/journal/@{md5}/system@@{hex}.journal* r,
@{run}/systemd/private rw, @{run}/systemd/private rw,

2
apparmor.d/groups/cron/cron
View file

@ -53,7 +53,7 @@ profile cron @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/sessions/*.ref rw, @{run}/systemd/sessions/*.ref rw,
owner /tmp/#[0-9]*[0-9] rw, owner /tmp/#@{number} rw,
owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pid}/uid_map r,
owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/loginuid rw,

5
apparmor.d/groups/freedesktop/accounts-daemon
View file

@ -49,9 +49,11 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
@{bin}/passwd rPx, @{bin}/passwd rPx,
@{bin}/userdel rPx, @{bin}/userdel rPx,
@{bin}/usermod rPx, @{bin}/usermod rPx,
@{bin}/locale rPUx,
/usr/share/language-tools/language-validate rPx, /usr/share/language-tools/language-validate rPx,
/usr/share/language-tools/set-language-helper rPUx, /usr/share/language-tools/set-language-helper rPUx,
/usr/share/language-tools/save-to-pam-env rPUx,
/usr/share/accountsservice/{,**} r, /usr/share/accountsservice/{,**} r,
/usr/share/dbus-1/interfaces/*.xml r, /usr/share/dbus-1/interfaces/*.xml r,
@ -68,7 +70,8 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
owner /var/lib/AccountsService/ r, owner /var/lib/AccountsService/ r,
owner /var/lib/AccountsService/** rw, owner /var/lib/AccountsService/** rw,
@{HOME}/ r, @{HOME}/ r,
owner @{HOME}/.pam_environment r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/loginuid rw,

1
apparmor.d/groups/freedesktop/dconf
View file

@ -17,6 +17,7 @@ profile dconf @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/etc/dconf/db/** rw, /etc/dconf/db/** rw,
/etc/gdm{3,}/greeter.dconf-defaults r,
/usr/share/gdm/dconf/{,**} r, /usr/share/gdm/dconf/{,**} r,

2
apparmor.d/groups/freedesktop/dconf-editor
View file

@ -24,7 +24,7 @@ profile dconf-editor @{exec_path} {
owner @{user_config_dirs}/glib-2.0/ rw, owner @{user_config_dirs}/glib-2.0/ rw,
owner @{user_config_dirs}/glib-2.0/settings/ rw, owner @{user_config_dirs}/glib-2.0/settings/ rw,
owner @{user_config_dirs}/glib-2.0/settings/keyfile rw, owner @{user_config_dirs}/glib-2.0/settings/keyfile rw,
owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-* rw, owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-@{rand6} rw,
owner @{HOME}/.Xauthority r, owner @{HOME}/.Xauthority r,
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,

2
apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
View file

@ -168,7 +168,7 @@ profile xdg-desktop-portal-gtk @{exec_path} {
@{run}/mount/utab r, @{run}/mount/utab r,
@{run}/user/@{uid}/xauth_* rl, @{run}/user/@{uid}/xauth_* rl,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,

2
apparmor.d/groups/freedesktop/xdg-permission-store
View file

@ -50,7 +50,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/flatpak/ w, owner @{user_share_dirs}/flatpak/ w,
owner @{user_share_dirs}/flatpak/db/ rw, owner @{user_share_dirs}/flatpak/db/ rw,
owner @{user_share_dirs}/flatpak/db/.goutputstream-* rw, owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
owner @{user_share_dirs}/flatpak/db/background rw, owner @{user_share_dirs}/flatpak/db/background rw,
owner @{user_share_dirs}/flatpak/db/notifications rw, owner @{user_share_dirs}/flatpak/db/notifications rw,

2
apparmor.d/groups/freedesktop/xorg
View file

@ -141,7 +141,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
/dev/fb[0-9] rw, /dev/fb[0-9] rw,
/dev/input/event[0-9]* rw, /dev/input/event[0-9]* rw,
/dev/shm/#[0-9]*[0-9] rw, /dev/shm/#@{number} rw,
/dev/shm/shmfd-* rw, /dev/shm/shmfd-* rw,
/dev/tty rw, /dev/tty rw,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,

2
apparmor.d/groups/freedesktop/xwayland
View file

@ -37,7 +37,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
owner /tmp/server-[0-9]*.xkm rwk, owner /tmp/server-[0-9]*.xkm rwk,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
owner @{run}/user/@{uid}/xwayland-shared-?????? rw, owner @{run}/user/@{uid}/xwayland-shared-?????? rw,
@{sys}/bus/pci/devices/ r, @{sys}/bus/pci/devices/ r,

2
apparmor.d/groups/gnome/gdm-session-worker
View file

@ -82,6 +82,8 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
/etc/sysconfig/displaymanager r, /etc/sysconfig/displaymanager r,
/etc/sysconfig/windowmanager r, /etc/sysconfig/windowmanager r,
owner @{HOME}/.pam_environment r,
owner @{run}/user/@{uid}/keyring/control rw, owner @{run}/user/@{uid}/keyring/control rw,
@{run}/cockpit/active.motd r, @{run}/cockpit/active.motd r,

12
apparmor.d/groups/gnome/gnome-control-center
View file

@ -85,6 +85,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
@{lib}/gnome-control-center-print-renderer rPx, @{lib}/gnome-control-center-print-renderer rPx,
@{lib}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix, @{lib}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
/usr/share/language-tools/language2locale rix, /usr/share/language-tools/language2locale rix,
/usr/share/language-tools/language-options rPUx,
/snap/*/[0-9]*/**.png r, /snap/*/[0-9]*/**.png r,
/usr/share/backgrounds/{,**} r, /usr/share/backgrounds/{,**} r,
@ -99,6 +100,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/usr/share/gnome-shell/search-providers/{,**} r, /usr/share/gnome-shell/search-providers/{,**} r,
/usr/share/gnome/gnome-version.xml r, /usr/share/gnome/gnome-version.xml r,
/usr/share/libdrm/*.ids r, /usr/share/libdrm/*.ids r,
/usr/share/language-tools/main-countries r,
/usr/share/mime/{,**} r, /usr/share/mime/{,**} r,
/usr/share/pipewire/client.conf r, /usr/share/pipewire/client.conf r,
/usr/share/thumbnailers/{,*} r, /usr/share/thumbnailers/{,*} r,
@ -133,7 +135,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/gnome-control-center/{,**} rw, owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
owner @{user_cache_dirs}/thumbnails/{,**} rw, owner @{user_cache_dirs}/thumbnails/{,**} rw,
owner @{user_config_dirs}/gnome-control-center/{,**} rw, owner @{user_config_dirs}/gnome-control-center/{,**} rw,
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]} r, owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
owner @{user_config_dirs}/mimeapps.list* rw, owner @{user_config_dirs}/mimeapps.list* rw,
owner @{user_config_dirs}/rygel.conf{,.??????} rw, owner @{user_config_dirs}/rygel.conf{,.??????} rw,
owner @{user_share_dirs}/backgrounds/{,**} rw, owner @{user_share_dirs}/backgrounds/{,**} rw,
@ -142,13 +145,17 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/webkitgtk/{,**} r, owner @{user_share_dirs}/webkitgtk/{,**} r,
owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw, owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw,
owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk, owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,
owner @{user_share_dirs}/gnome-remote-desktop/ w,
owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{.??????,} rw,
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w,
owner @{run}/user/@{uid}/pipewire-[0-9]* rw, owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid} rwk, owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid} rwk,
owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid}.lock rwk, owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid}.lock rwk,
owner @{run}/user/@{uid}/webkitgtk/{,**} rw, owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
owner @{run}/user/@{uid}/wayland-@{number} rw,
@{run}/cups/cups.sock rw, @{run}/cups/cups.sock rw,
@{run}/samba/ rw, @{run}/samba/ rw,
@{run}/systemd/sessions/ r, @{run}/systemd/sessions/ r,
@ -189,6 +196,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/statm r,
owner @{PROC}/@{pid}/task/*/comm rw, owner @{PROC}/@{pid}/task/*/comm rw,
owner @{PROC}/@{pid}/loginuid r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/zoneinfo r, @{PROC}/zoneinfo r,

6
apparmor.d/groups/gnome/gnome-remote-desktop-daemon
View file

@ -13,12 +13,18 @@ profile gnome-remote-desktop-daemon @{exec_path} {
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/openssl>
include <abstractions/vulkan> include <abstractions/vulkan>
network inet stream,
network inet6 stream,
@{exec_path} mr, @{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{run}/user/@{uid}/wayland-@{number} rw,
@{sys}/devices/system/node/ r, @{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r, @{sys}/devices/system/node/node[0-9]*/meminfo r,

16
apparmor.d/groups/gnome/gnome-shell
View file

@ -514,20 +514,20 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
/etc/xdg/menus/gnome-applications.menu r, /etc/xdg/menus/gnome-applications.menu r,
/var/lib/gdm{3,}/.cache/ w, /var/lib/gdm{3,}/.cache/ w,
/var/lib/gdm{3,}/.cache/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk, /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.@{md5}.x86_64-pc-linux-gnu rwk,
/var/lib/gdm{3,}/.cache/fontconfig/{,*} rwl, /var/lib/gdm{3,}/.cache/fontconfig/{,*} rwl,
/var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/ rw, /var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/ rw,
/var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, /var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
/var/lib/gdm{3,}/.cache/libgweather/ r, /var/lib/gdm{3,}/.cache/libgweather/ r,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw, /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw, /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/ rw,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw, /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex} rw,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk, /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
/var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/.config/ibus/ rw, /var/lib/gdm{3,}/.config/ibus/ rw,
/var/lib/gdm{3,}/.config/ibus/bus/ rw, /var/lib/gdm{3,}/.config/ibus/bus/ rw,
/var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r, /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
/var/lib/gdm{3,}/.config/pulse/ r, /var/lib/gdm{3,}/.config/pulse/ r,
/var/lib/gdm{3,}/.config/pulse/client.conf r, /var/lib/gdm{3,}/.config/pulse/client.conf r,
/var/lib/gdm{3,}/.config/pulse/cookie rwk, /var/lib/gdm{3,}/.config/pulse/cookie rwk,
@ -554,7 +554,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{user_games_dirs}/**/*.{png,jpg} r, owner @{user_games_dirs}/**/*.{png,jpg} r,
owner @{user_music_dirs}/**/*.{png,jpg} r, owner @{user_music_dirs}/**/*.{png,jpg} r,
owner @{user_config_dirs}/.goutputstream{,*} rw, owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw,
owner @{user_config_dirs}/ibus/ w, owner @{user_config_dirs}/ibus/ w,
owner @{user_config_dirs}/monitors.xml{,~} rwl, owner @{user_config_dirs}/monitors.xml{,~} rwl,
owner @{user_config_dirs}/pulse/ r, owner @{user_config_dirs}/pulse/ r,
@ -578,10 +578,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
owner @{run}/user/@{uid}/systemd/notify rw, owner @{run}/user/@{uid}/systemd/notify rw,
owner @{run}/user/@{uid}/wayland-[0-9]* rwk, owner @{run}/user/@{uid}/wayland-@{number} rwk,
owner /dev/shm/.org.chromium.Chromium.* rw, owner /dev/shm/.org.chromium.Chromium.* rw,
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw, owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,

1
apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gnome-shell-hotplug-sniffer @{exec_path} = @{lib}/gnome-shell-hotplug-sniffer
profile gnome-shell-hotplug-sniffer @{exec_path} { profile gnome-shell-hotplug-sniffer @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-session-strict>
@{exec_path} mr, @{exec_path} mr,

1
apparmor.d/groups/gnome/gsd-housekeeping
View file

@ -79,6 +79,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pids}/mountinfo r,
@{run}/mount/utab r, @{run}/mount/utab r,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,

2
apparmor.d/groups/gnome/gsd-xsettings
View file

@ -142,7 +142,7 @@ profile gsd-xsettings @{exec_path} {
owner @{user_cache_dirs}/mesa_shader_cache/index rw, owner @{user_cache_dirs}/mesa_shader_cache/index rw,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,
@{run}/systemd/sessions/* r, @{run}/systemd/sessions/* r,
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,

2
apparmor.d/groups/gnome/mutter-x11-frames
View file

@ -23,7 +23,7 @@ profile mutter-x11-frames @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
include if exists <local/mutter-x11-frames> include if exists <local/mutter-x11-frames>
} }

1
apparmor.d/groups/grub/grub-install
View file

@ -29,6 +29,7 @@ profile grub-install @{exec_path} flags=(complain) {
/etc/default/grub.d/{,**} r, /etc/default/grub.d/{,**} r,
/etc/default/grub r, /etc/default/grub r,
/boot/efi/EFI/ubuntu/* w,
/boot/efi/EFI/BOOT/{,**} rw, /boot/efi/EFI/BOOT/{,**} rw,
/boot/EFI/*/grubx*.efi rw, /boot/EFI/*/grubx*.efi rw,
/boot/grub/{,**} rw, /boot/grub/{,**} rw,

3
apparmor.d/groups/grub/grub-multi-install
View file

@ -17,6 +17,7 @@ profile grub-multi-install @{exec_path} {
@{bin}/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix, @{bin}/{,e}grep rix,
@{bin}/cat rix, @{bin}/cat rix,
@{bin}/cut rix,
@{bin}/dpkg-query rpx, @{bin}/dpkg-query rpx,
@{bin}/readlink rix, @{bin}/readlink rix,
@{bin}/sed rix, @{bin}/sed rix,
@ -33,5 +34,7 @@ profile grub-multi-install @{exec_path} {
owner @{PROC}/@{pid}/maps r, owner @{PROC}/@{pid}/maps r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
/dev/disk/by-id/ r,
include if exists <local/grub-multi-install> include if exists <local/grub-multi-install>
} }

2
apparmor.d/groups/gvfs/gvfsd-dav
View file

@ -28,7 +28,7 @@ profile gvfsd-dav @{exec_path} {
/usr/share/mime/mime.cache r, /usr/share/mime/mime.cache r,
owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/ rw,
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,

2
apparmor.d/groups/gvfs/gvfsd-dnssd
View file

@ -57,7 +57,7 @@ profile gvfsd-dnssd @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/ rw,
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-Z0-9]* rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
include if exists <local/gvfsd-dnssd> include if exists <local/gvfsd-dnssd>
} }

2
apparmor.d/groups/gvfs/gvfsd-http
View file

@ -24,7 +24,7 @@ profile gvfsd-http @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
owner @{run}/user/@{uid}/gvfsd/socket-* rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,

2
apparmor.d/groups/gvfs/gvfsd-mtp
View file

@ -23,7 +23,7 @@ profile gvfsd-mtp @{exec_path} {
owner @{HOME}/{,**} rw, owner @{HOME}/{,**} rw,
owner @{MOUNTS}/{,**} rw, owner @{MOUNTS}/{,**} rw,
owner @{run}/user/@{uid}/gvfsd/socket-* rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
include if exists <local/gvfsd-mtp> include if exists <local/gvfsd-mtp>
} }

2
apparmor.d/groups/gvfs/gvfsd-network
View file

@ -51,7 +51,7 @@ profile gvfsd-network @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/ rw,
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
include if exists <local/gvfsd-network> include if exists <local/gvfsd-network>
} }

2
apparmor.d/groups/gvfs/gvfsd-recent
View file

@ -26,7 +26,7 @@ profile gvfsd-recent @{exec_path} {
owner @{user_share_dirs}/recently-used.xbel r, owner @{user_share_dirs}/recently-used.xbel r,
owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/ rw,
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,

2
apparmor.d/groups/gvfs/gvfsd-smb
View file

@ -23,7 +23,7 @@ profile gvfsd-smb @{exec_path} {
/etc/samba/smb.conf r, /etc/samba/smb.conf r,
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
include if exists <local/gvfsd-smb> include if exists <local/gvfsd-smb>
} }

2
apparmor.d/groups/gvfs/gvfsd-smb-browse
View file

@ -58,7 +58,7 @@ profile gvfsd-smb-browse @{exec_path} {
owner @{run}/samba/ rw, owner @{run}/samba/ rw,
owner @{run}/samba/gencache.tdb rwk, owner @{run}/samba/gencache.tdb rwk,
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
owner @{user_cache_dirs}/samba/ w, owner @{user_cache_dirs}/samba/ w,
owner @{user_cache_dirs}/samba/gencache.tdb rwk, owner @{user_cache_dirs}/samba/gencache.tdb rwk,

2
apparmor.d/groups/gvfs/gvfsd-trash
View file

@ -50,7 +50,7 @@ profile gvfsd-trash @{exec_path} {
owner @{MOUNTS}/{,**} rw, owner @{MOUNTS}/{,**} rw,
owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/ rw,
owner @{run}/user/@{uid}/gvfsd/socket-* rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
@{run}/mount/utab r, @{run}/mount/utab r,

2
apparmor.d/groups/kde/baloo
View file

@ -38,7 +38,7 @@ profile baloo @{exec_path} {
owner @{MOUNTS}/{,**} r, owner @{MOUNTS}/{,**} r,
owner /tmp/*/{,**} r, owner /tmp/*/{,**} r,
owner @{user_config_dirs}/#[0-9]* rw, owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/baloofilerc rwl, owner @{user_config_dirs}/baloofilerc rwl,
owner @{user_config_dirs}/baloofilerc.lock rwkl, owner @{user_config_dirs}/baloofilerc.lock rwkl,

2
apparmor.d/groups/kde/kalendarac
View file

@ -31,7 +31,7 @@ profile kalendarac @{exec_path} {
owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/#[0-9]* rw, owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/akonadi-firstrunrc r, owner @{user_config_dirs}/akonadi-firstrunrc r,
owner @{user_config_dirs}/akonadi/akonadiconnectionrc r, owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,
owner @{user_config_dirs}/emaildefaults r, owner @{user_config_dirs}/emaildefaults r,

2
apparmor.d/groups/kde/kcminit
View file

@ -27,7 +27,7 @@ profile kcminit @{exec_path} {
owner @{HOME}/.Xdefaults r, owner @{HOME}/.Xdefaults r,
owner @{user_config_dirs}/#[0-9]* rw, owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/gtkrc-2.0{,.??????} rwl, owner @{user_config_dirs}/gtkrc-2.0{,.??????} rwl,
owner @{user_config_dirs}/gtkrc{,.??????} rwl, owner @{user_config_dirs}/gtkrc{,.??????} rwl,
owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kcminputrc r,

2
apparmor.d/groups/kde/kconf_update
View file

@ -32,7 +32,7 @@ profile kconf_update @{exec_path} {
/etc/xdg/kdeglobals r, /etc/xdg/kdeglobals r,
owner @{user_config_dirs}/#[0-9]* rw, owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/kconf_updaterc r, owner @{user_config_dirs}/kconf_updaterc r,
owner @{user_config_dirs}/kconf_updaterc* rwl, owner @{user_config_dirs}/kconf_updaterc* rwl,
owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdedefaults/kdeglobals r,

2
apparmor.d/groups/kde/kde-powerdevil
View file

@ -29,7 +29,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/kcrash-metadata/{,*} rw, owner @{user_cache_dirs}/kcrash-metadata/{,*} rw,
owner @{user_config_dirs}/#[0-9]* rw, owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/powerdevilrc rwl, owner @{user_config_dirs}/powerdevilrc rwl,

2
apparmor.d/groups/kde/kded5
View file

@ -68,7 +68,7 @@ profile kded5 @{exec_path} {
owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/ksycoca5_* r, owner @{user_cache_dirs}/ksycoca5_* r,
owner @{user_config_dirs}/#[0-9]* rw, owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/bluedevilglobalrc rk, owner @{user_config_dirs}/bluedevilglobalrc rk,
owner @{user_config_dirs}/bluedevilglobalrc* rwkl, owner @{user_config_dirs}/bluedevilglobalrc* rwkl,
owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl, owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl,

2
apparmor.d/groups/kde/kglobalaccel5
View file

@ -22,9 +22,9 @@ profile kglobalaccel5 @{exec_path} {
/etc/machine-id r, /etc/machine-id r,
owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/kglobalshortcutsrc* rwl, owner @{user_config_dirs}/kglobalshortcutsrc* rwl,
owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
owner @{user_config_dirs}/#[0-9]* rw,
@{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sys/kernel/core_pattern r, @{PROC}/sys/kernel/core_pattern r,

6
apparmor.d/groups/kde/kwalletmanager5
View file

@ -38,12 +38,12 @@ profile kwalletmanager5 @{exec_path} {
owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/qt5ct/{,**} r, owner @{user_config_dirs}/qt5ct/{,**} r,
owner @{user_config_dirs}/#[0-9]*[0-9] rw, owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/kwalletmanager5rc rw, owner @{user_config_dirs}/kwalletmanager5rc rw,
owner @{user_config_dirs}/kwalletmanager5rc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9], owner @{user_config_dirs}/kwalletmanager5rc.* rwl -> @{user_config_dirs}/#@{number},
owner @{user_config_dirs}/kwalletmanager5rc.lock rwk, owner @{user_config_dirs}/kwalletmanager5rc.lock rwk,
owner @{user_config_dirs}/kwalletrc rw, owner @{user_config_dirs}/kwalletrc rw,
owner @{user_config_dirs}/kwalletrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9], owner @{user_config_dirs}/kwalletrc.* rwl -> @{user_config_dirs}/#@{number},
owner @{user_config_dirs}/kwalletrc.lock rwk, owner @{user_config_dirs}/kwalletrc.lock rwk,
owner @{user_config_dirs}/session/#[0-9]*[0-9] rw, owner @{user_config_dirs}/session/#[0-9]*[0-9] rw,
owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#[0-9]*[0-9], owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#[0-9]*[0-9],

2
apparmor.d/groups/kde/kwin_x11
View file

@ -57,7 +57,7 @@ profile kwin_x11 @{exec_path} {
owner @{user_cache_dirs}/qtshadercache-*/@{hex} r, owner @{user_cache_dirs}/qtshadercache-*/@{hex} r,
owner @{user_cache_dirs}/session/#[0-9]* rw, owner @{user_cache_dirs}/session/#[0-9]* rw,
owner @{user_config_dirs}/#[0-9]* rw, owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kcminputrc r,
owner @{user_config_dirs}/kdedefaults/* r, owner @{user_config_dirs}/kdedefaults/* r,
owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kdeglobals r,

4
apparmor.d/groups/kde/plasmashell
View file

@ -92,7 +92,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_cache_dirs}/ r, owner @{user_cache_dirs}/ r,
owner @{user_cache_dirs}/#[0-9]* rwk, owner @{user_cache_dirs}/#[0-9]* rwk,
owner @{user_cache_dirs}/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk, owner @{user_cache_dirs}/event-sound-cache.tdb.@{md5}.x86_64-pc-linux-gnu rwk,
owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/ksycoca5_* rl, owner @{user_cache_dirs}/ksycoca5_* rl,
owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw, owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw,
@ -103,7 +103,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_cache_dirs}/plasmashell/qmlcache/{,**} rwl, owner @{user_cache_dirs}/plasmashell/qmlcache/{,**} rwl,
owner @{user_config_dirs}/*kde*.desktop* r, owner @{user_config_dirs}/*kde*.desktop* r,
owner @{user_config_dirs}/#[0-9]* rwk, owner @{user_config_dirs}/#@{number} rwk,
owner @{user_config_dirs}/akonadi-firstrunrc r, owner @{user_config_dirs}/akonadi-firstrunrc r,
owner @{user_config_dirs}/akonadi/akonadiconnectionrc r, owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,
owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/baloofilerc r,

2
apparmor.d/groups/kde/startplasma-x11
View file

@ -42,7 +42,7 @@ profile startplasma-x11 @{exec_path} {
owner @{user_cache_dirs}/ksycoca5_* rwkl, owner @{user_cache_dirs}/ksycoca5_* rwkl,
owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements rw,
owner @{user_config_dirs}/#[0-9]* rw, owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/gtkrc rl, owner @{user_config_dirs}/gtkrc rl,
owner @{user_config_dirs}/gtkrc-2.0 rl, owner @{user_config_dirs}/gtkrc-2.0 rl,
owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kcminputrc r,

4
apparmor.d/groups/network/mullvad-gui
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /opt/Mullvad*/mullvad-gui @{exec_path} = /opt/Mullvad*/mullvad-gui
profile mullvad-gui @{exec_path} flags=(attach_disconnected) { profile mullvad-gui @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/chromium-common> include <abstractions/chromium-common>
include <abstractions/dconf-write> include <abstractions/dconf-write>
@ -51,7 +51,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/dconf/user rw, owner @{user_cache_dirs}/dconf/user rw,
owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw, owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
@{run}/systemd/inhibit/*.ref rw, @{run}/systemd/inhibit/*.ref rw,

10
apparmor.d/groups/systemd/coredumpctl
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/coredumpctl @{exec_path} = @{bin}/coredumpctl
profile coredumpctl @{exec_path} flags=(complain) { profile coredumpctl @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -30,10 +30,10 @@ profile coredumpctl @{exec_path} flags=(complain) {
/var/lib/systemd/coredump/core.*.[0-9]*.@{hex}.[0-9]*.[0-9]*.zst r, /var/lib/systemd/coredump/core.*.[0-9]*.@{hex}.[0-9]*.[0-9]*.zst r,
/{run,var}/log/journal/ r, /{run,var}/log/journal/ r,
/{run,var}/log/journal/@{hex}/ r, /{run,var}/log/journal/@{md5}/ r,
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* r, /{run,var}/log/journal/@{md5}/user-@{hex}.journal* r,
/{run,var}/log/journal/@{hex}/system.journal* r, /{run,var}/log/journal/@{md5}/system.journal* r,
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* r, /{run,var}/log/journal/@{md5}/system@@{hex}.journal* r,
owner /tmp/*.coredump w, owner /tmp/*.coredump w,
owner /tmp/core.* w, owner /tmp/core.* w,

12
apparmor.d/groups/systemd/journalctl
View file

@ -34,12 +34,12 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {
/var/lib/systemd/catalog/.#database* rw, /var/lib/systemd/catalog/.#database* rw,
/{run,var}/log/journal/ r, /{run,var}/log/journal/ r,
/{run,var}/log/journal/@{hex}/ r, /{run,var}/log/journal/@{md5}/ rw,
/{run,var}/log/journal/@{hex}/system.journal* r, /{run,var}/log/journal/@{md5}/system.journal* r,
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw, /{run,var}/log/journal/@{md5}/system@@{hex}.journal* rw,
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw, /{run,var}/log/journal/@{md5}/user-@{hex}.journal* rw,
owner /{run,var}/log/journal/@{hex}/fss wl -> /var/log/journal/@{hex}/fss.tmp.*, owner /{run,var}/log/journal/@{md5}/fss wl -> /var/log/journal/@{md5}/fss.tmp.*,
owner /{run,var}/log/journal/@{hex}/fss.tmp.* rw, owner /{run,var}/log/journal/@{md5}/fss.tmp.* rw,
owner /var/tmp/#[0-9]* rw, owner /var/tmp/#[0-9]* rw,
@{run}/host/container-manager r, @{run}/host/container-manager r,

8
apparmor.d/groups/systemd/networkctl
View file

@ -42,10 +42,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
# To be able to read logs # To be able to read logs
@{run}/log/ r, @{run}/log/ r,
/{run,var}/log/journal/ r, /{run,var}/log/journal/ r,
/{run,var}/log/journal/@{hex}/ r, /{run,var}/log/journal/@{md5}/ r,
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* r, /{run,var}/log/journal/@{md5}/user-@{hex}.journal* r,
/{run,var}/log/journal/@{hex}/system.journal* r, /{run,var}/log/journal/@{md5}/system.journal* r,
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* r, /{run,var}/log/journal/@{md5}/system@@{hex}.journal* r,
@{run}/systemd/netif/links/[0-9]* r, @{run}/systemd/netif/links/[0-9]* r,
@{run}/systemd/netif/state r, @{run}/systemd/netif/state r,

2
apparmor.d/groups/systemd/systemd-journald
View file

@ -30,7 +30,7 @@ profile systemd-journald @{exec_path} {
@{run}/log/ rw, @{run}/log/ rw,
/{run,var}/log/journal/ rw, /{run,var}/log/journal/ rw,
/{run,var}/log/journal/@{hex}/{,*} rw, /{run,var}/log/journal/@{md5}/{,*} rw,
owner @{run}/systemd/journal/{,**} rw, owner @{run}/systemd/journal/{,**} rw,
owner @{run}/systemd/notify rw, owner @{run}/systemd/notify rw,

6
apparmor.d/groups/systemd/systemd-user-generators-autostart
View file

@ -10,14 +10,18 @@ include <tunables/global>
profile systemd-user-generators-autostart @{exec_path} { profile systemd-user-generators-autostart @{exec_path} {
include <abstractions/base> include <abstractions/base>
ptrace (read) peer=unconfined,
@{exec_path} mr, @{exec_path} mr,
/etc/xdg/autostart/*.desktop r, /etc/xdg/autostart/{,*.desktop} r,
owner @{run}/user/@{uid}/systemd/generator.late/{,**} rw, owner @{run}/user/@{uid}/systemd/generator.late/{,**} rw,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
@{PROC}/1/environ r,
@{PROC}/@{pids}/cgroup r,
include if exists <local/systemd-user-generators-autostart> include if exists <local/systemd-user-generators-autostart>
} }

2
apparmor.d/groups/ubuntu/apport-gtk
View file

@ -77,7 +77,7 @@ profile apport-gtk @{exec_path} {
/var/log/installer/media-info r, /var/log/installer/media-info r,
@{run}/snapd.socket rw, @{run}/snapd.socket rw,
owner @{run}/user/.mutter-Xwaylandauth.* rw, owner @{run}/user/.mutter-Xwaylandauth.@{rand6} rw,
/tmp/[a-z0-9]* rw, /tmp/[a-z0-9]* rw,
/tmp/apport_core_* rw, /tmp/apport_core_* rw,

8
apparmor.d/groups/ubuntu/subiquity-console-conf
View file

@ -102,10 +102,10 @@ profile subiquity-console-conf @{exec_path} {
@{run}/log/ rw, @{run}/log/ rw,
/{run,var}/log/journal/ rw, /{run,var}/log/journal/ rw,
/{run,var}/log/journal/@{hex}/ rw, /{run,var}/log/journal/@{md5}/ rw,
/{run,var}/log/journal/@{hex}/system.journal* rw, /{run,var}/log/journal/@{md5}/system.journal* rw,
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw, /{run,var}/log/journal/@{md5}/system@@{hex}.journal* rw,
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw, /{run,var}/log/journal/@{md5}/user-@{hex}.journal* rw,
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,

2
apparmor.d/profiles-a-f/aa-log
View file

@ -26,7 +26,7 @@ profile aa-log @{exec_path} {
/var/log/syslog* r, /var/log/syslog* r,
/{run,var}/log/journal/ r, /{run,var}/log/journal/ r,
/{run,var}/log/journal/@{hex}/{,*} r, /{run,var}/log/journal/@{md5}/{,*} r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

4
apparmor.d/profiles-a-f/birdtray
View file

@ -37,8 +37,8 @@ profile birdtray @{exec_path} {
owner @{user_config_dirs}/ulduzsoft/ rw, owner @{user_config_dirs}/ulduzsoft/ rw,
owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*, owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*,
owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#[0-9]*[0-9], owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{number},
owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#[0-9]*[0-9], owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{number},
owner /tmp/birdtray.ulduzsoft.single.instance.server.socket w, owner /tmp/birdtray.ulduzsoft.single.instance.server.socket w,

4
apparmor.d/profiles-a-f/blkid
View file

@ -20,7 +20,7 @@ profile blkid @{exec_path} {
/etc/blkid.conf r, /etc/blkid.conf r,
# When the system doesn't have the /run/ dir, the cache file is placed under /etc/ # When the system doesn't have the /run/ dir, the cache file is placed under /etc/
@{etc_rw}/blkid.tab{,-*} rw, @{etc_rw}/blkid.tab{,-@{rand6}} rw,
@{etc_rw}/blkid.tab.old rwl -> /etc/blkid.tab, @{etc_rw}/blkid.tab.old rwl -> /etc/blkid.tab,
# Image files # Image files
@ -29,7 +29,7 @@ profile blkid @{exec_path} {
# The standard location of the cache file # The standard location of the cache file
# Without owner here if this tool should be used as a regular user # Without owner here if this tool should be used as a regular user
@{run}/blkid/ rw, @{run}/blkid/ rw,
@{run}/blkid/blkid.tab{,-*} rw, @{run}/blkid/blkid.tab{,-@{rand6}} rw,
@{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
# For the EVALUATE=scan method # For the EVALUATE=scan method

2
apparmor.d/profiles-a-f/btrfs
View file

@ -38,7 +38,7 @@ profile btrfs @{exec_path} {
# For fsck of the btrfs filesystem directly from gparted # For fsck of the btrfs filesystem directly from gparted
owner /tmp/gparted-*/ rw, owner /tmp/gparted-*/ rw,
@{run}/blkid/blkid.tab{,-*} rw, @{run}/blkid/blkid.tab{,-@{rand6}} rw,
@{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
@{PROC}/partitions r, @{PROC}/partitions r,

2
apparmor.d/profiles-a-f/btrfstune
View file

@ -16,7 +16,7 @@ profile btrfstune @{exec_path} {
@{PROC}/partitions r, @{PROC}/partitions r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
owner @{run}/blkid/blkid.tab{,-*} rw, owner @{run}/blkid/blkid.tab{,-@{rand6}} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
include if exists <local/btrfstune> include if exists <local/btrfstune>

2
apparmor.d/profiles-a-f/cfdisk
View file

@ -25,7 +25,7 @@ profile cfdisk @{exec_path} {
# A place for file images # A place for file images
owner @{user_img_dirs}/{,**} rwk, owner @{user_img_dirs}/{,**} rwk,
owner @{run}/blkid/blkid.tab{,-*} rw, owner @{run}/blkid/blkid.tab{,-@{rand6}} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
@{PROC}/partitions r, @{PROC}/partitions r,

2
apparmor.d/profiles-a-f/cupsd
View file

@ -92,7 +92,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
@{sys}/module/apparmor/parameters/enabled r, @{sys}/module/apparmor/parameters/enabled r,
@{PROC}/@{pids}/fd r, @{PROC}/@{pids}/fd/ r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
owner /tmp/*_latest_print_info w, owner /tmp/*_latest_print_info w,

2
apparmor.d/profiles-a-f/dumpe2fs
View file

@ -18,7 +18,7 @@ profile dumpe2fs @{exec_path} {
# Image files # Image files
owner @{user_img_dirs}/{,**} r, owner @{user_img_dirs}/{,**} r,
owner @{run}/blkid/blkid.tab{,-*} rw, owner @{run}/blkid/blkid.tab{,-@{rand6}} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,

2
apparmor.d/profiles-a-f/e2fsck
View file

@ -30,7 +30,7 @@ profile e2fsck @{exec_path} {
@{run}/blkid/ rw, @{run}/blkid/ rw,
@{run}/systemd/fsck.progress rw, @{run}/systemd/fsck.progress rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
owner @{run}/blkid/blkid.tab{,-*} rw, owner @{run}/blkid/blkid.tab{,-@{rand6}} rw,
@{sys}/devices/**/power_supply/AC/online r, @{sys}/devices/**/power_supply/AC/online r,

2
apparmor.d/profiles-a-f/fsck
View file

@ -30,7 +30,7 @@ profile fsck @{exec_path} {
owner @{run}/fsck/ rw, owner @{run}/fsck/ rw,
owner @{run}/fsck/*.lock rwk, owner @{run}/fsck/*.lock rwk,
owner @{run}/blkid/blkid.tab{,-*} rw, owner @{run}/blkid/blkid.tab{,-@{rand6}} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
@{run}/mount/utab r, @{run}/mount/utab r,
@{run}/systemd/fsck.progress rw, @{run}/systemd/fsck.progress rw,

2
apparmor.d/profiles-a-f/fwupd
View file

@ -102,7 +102,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
/var/tmp/etilqs_@{hex} rw, /var/tmp/etilqs_@{hex} rw,
/boot/{,**} r, /boot/{,**} r,
/boot/EFI/*/.goutputstream-* rw, /boot/EFI/*/.goutputstream-@{rand6} rw,
/boot/EFI/*/fw/fwupd-*.cap{,.*} rw, /boot/EFI/*/fw/fwupd-*.cap{,.*} rw,
/boot/EFI/*/fwupdx[0-9]*.efi rw, /boot/EFI/*/fwupdx[0-9]*.efi rw,
@{lib}/fwupd/efi/fwupdx[0-9]*.efi r, @{lib}/fwupd/efi/fwupdx[0-9]*.efi r,

2
apparmor.d/profiles-g-l/glib-pacrunner
View file

@ -9,6 +9,8 @@ include <tunables/global>
@{exec_path} = @{lib}/glib-pacrunner @{exec_path} = @{lib}/glib-pacrunner
profile glib-pacrunner @{exec_path} { profile glib-pacrunner @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/dbus-session-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
network inet dgram, network inet dgram,

8
apparmor.d/profiles-g-l/hw-probe
View file

@ -132,10 +132,10 @@ profile hw-probe @{exec_path} {
@{run}/log/ rw, @{run}/log/ rw,
/{run,var}/log/journal/ rw, /{run,var}/log/journal/ rw,
/{run,var}/log/journal/@{hex}/ rw, /{run,var}/log/journal/@{md5}/ rw,
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw, /{run,var}/log/journal/@{md5}/user-@{hex}.journal* rw,
/{run,var}/log/journal/@{hex}/system.journal* rw, /{run,var}/log/journal/@{md5}/system.journal* rw,
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw, /{run,var}/log/journal/@{md5}/system@@{hex}.journal* rw,
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,

2
apparmor.d/profiles-m-r/mke2fs
View file

@ -31,7 +31,7 @@ profile mke2fs @{exec_path} {
# For virt-resize # For virt-resize
owner /var/tmp/.guestfs-[0-9]*/** rwk, owner /var/tmp/.guestfs-[0-9]*/** rwk,
owner @{run}/blkid/blkid.tab{,-*} rw, owner @{run}/blkid/blkid.tab{,-@{rand6}} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
@{PROC}/swaps r, @{PROC}/swaps r,

2
apparmor.d/profiles-m-r/mono-sgen
View file

@ -37,7 +37,7 @@ profile mono-sgen @{exec_path} {
owner @{user_config_dirs}/openra/{,**} rw, owner @{user_config_dirs}/openra/{,**} rw,
owner @{user_config_dirs}/.mono/{,**} r, owner @{user_config_dirs}/.mono/{,**} r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
owner /tmp/*.* rw, owner /tmp/*.* rw,
owner /tmp/CASESENSITIVETEST* rw, owner /tmp/CASESENSITIVETEST* rw,

2
apparmor.d/profiles-m-r/obexd
View file

@ -9,6 +9,8 @@ include <tunables/global>
@{exec_path} = @{lib}/bluetooth/obexd @{exec_path} = @{lib}/bluetooth/obexd
profile obexd @{exec_path} { profile obexd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/dbus-session-strict>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
network bluetooth stream, network bluetooth stream,

2
apparmor.d/profiles-m-r/pinentry-gtk-2
View file

@ -18,7 +18,7 @@ profile pinentry-gtk-2 @{exec_path} {
/usr/share/gtk-2.0/gtkrc r, /usr/share/gtk-2.0/gtkrc r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
include if exists <local/pinentry-gtk-2> include if exists <local/pinentry-gtk-2>
} }

4
apparmor.d/profiles-m-r/qnapi
View file

@ -57,8 +57,8 @@ profile qnapi @{exec_path} {
owner @{user_config_dirs}/qnapi.ini rw, owner @{user_config_dirs}/qnapi.ini rw,
owner @{user_config_dirs}/qnapi.ini.lock rwk, owner @{user_config_dirs}/qnapi.ini.lock rwk,
owner @{user_config_dirs}/qnapi.ini.* rwl -> @{user_config_dirs}/#[0-9]*[0-9], owner @{user_config_dirs}/qnapi.ini.* rwl -> @{user_config_dirs}/#@{number},
owner @{user_config_dirs}/qnapi.ini.mlXXXY rwl -> @{user_config_dirs}/#[0-9]*[0-9], owner @{user_config_dirs}/qnapi.ini.mlXXXY rwl -> @{user_config_dirs}/#@{number},
owner @{user_config_dirs}/qt5ct/{,**} r, owner @{user_config_dirs}/qt5ct/{,**} r,
owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/ rw,

3
apparmor.d/profiles-m-r/run-parts
View file

@ -116,6 +116,7 @@ profile run-parts @{exec_path} {
/etc/kernel/postinst.d/initramfs-tools rCx -> kernel, /etc/kernel/postinst.d/initramfs-tools rCx -> kernel,
/etc/kernel/postinst.d/unattended-upgrades rCx -> kernel, /etc/kernel/postinst.d/unattended-upgrades rCx -> kernel,
/etc/kernel/postinst.d/zz-update-grub rCx -> kernel, /etc/kernel/postinst.d/zz-update-grub rCx -> kernel,
/etc/kernel/postinst.d/zz-shim rCx -> kernel,
/etc/kernel/postinst.d/xx-update-initrd-links rCx -> kernel, /etc/kernel/postinst.d/xx-update-initrd-links rCx -> kernel,
/etc/kernel/postrm.d/ r, /etc/kernel/postrm.d/ r,
@ -128,7 +129,7 @@ profile run-parts @{exec_path} {
/etc/kernel/prerm.d/ r, /etc/kernel/prerm.d/ r,
/etc/kernel/prerm.d/dkms rCx -> kernel, /etc/kernel/prerm.d/dkms rCx -> kernel,
owner /tmp/#[0-9]*[0-9] rw, owner /tmp/#@{number} rw,
owner /tmp/$anacron* rw, owner /tmp/$anacron* rw,
owner @{sys}/class/power_supply/ r, owner @{sys}/class/power_supply/ r,

4
apparmor.d/profiles-m-r/rustdesk
View file

@ -89,7 +89,7 @@ profile rustdesk @{exec_path} {
# service and GUI intercommunication # service and GUI intercommunication
@{HOME}/.Xauthority r, @{HOME}/.Xauthority r,
@{run}/user/@{uid}/.mutter-Xwaylandauth.?????? r, @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
@{run}/user/@{uid}/gdm{,3}/Xauthority r, @{run}/user/@{uid}/gdm{,3}/Xauthority r,
/tmp/[rR]ust[dD]esk/{,**} rw, /tmp/[rR]ust[dD]esk/{,**} rw,
/tmp/.X11-unix/ r, /tmp/.X11-unix/ r,
@ -103,7 +103,7 @@ profile rustdesk @{exec_path} {
owner @{run}/user/@{uid}/pulse/native rw, owner @{run}/user/@{uid}/pulse/native rw,
owner @{user_config_dirs}/pulse/ rw, owner @{user_config_dirs}/pulse/ rw,
owner @{user_config_dirs}/pulse/cookie rwk, owner @{user_config_dirs}/pulse/cookie rwk,
owner @{user_config_dirs}/pulse/*-runtime{,.tmp} rw, owner @{user_config_dirs}/pulse/@{md5}-runtime{,.tmp} rw,
owner /tmp/pulse-*/ rw, owner /tmp/pulse-*/ rw,
# gtk-tiny # gtk-tiny

3
apparmor.d/profiles-s-z/scrcpy
View file

@ -31,7 +31,8 @@ profile scrcpy @{exec_path} {
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]} r, owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
include if exists <local/scrcpy> include if exists <local/scrcpy>
} }

2
apparmor.d/profiles-s-z/system-config-printer
View file

@ -60,7 +60,7 @@ profile system-config-printer @{exec_path} flags=(complain) {
owner @{HOME}/.cups/ rw, owner @{HOME}/.cups/ rw,
owner @{HOME}/.cups/lpoptions rw, owner @{HOME}/.cups/lpoptions rw,
owner @{run}/user/@{uid}/gvfsd/socket-* rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
@{run}/cups/cups.sock rw, @{run}/cups/cups.sock rw,
owner /tmp/* rw, owner /tmp/* rw,

2
apparmor.d/profiles-s-z/tune2fs
View file

@ -25,7 +25,7 @@ profile tune2fs @{exec_path} {
# Image files # Image files
owner @{user_img_dirs}/{,**} rw, owner @{user_img_dirs}/{,**} rw,
owner @{run}/blkid/blkid.tab{,-*} rw, owner @{run}/blkid/blkid.tab{,-@{rand6}} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
@{PROC}/swaps r, @{PROC}/swaps r,

2
apparmor.d/profiles-s-z/udisksd
View file

@ -139,7 +139,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
@{sys}/bus/ r, @{sys}/bus/ r,
@{sys}/class/ r, @{sys}/class/ r,
@{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}remove rw, @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}remove rw,
@{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}uevent w, @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w,
@{sys}/devices/virtual/bdi/**/read_ahead_kb r, @{sys}/devices/virtual/bdi/**/read_ahead_kb r,
@{sys}/devices/virtual/block/*/{,**} rw, @{sys}/devices/virtual/block/*/{,**} rw,
@{sys}/devices/virtual/block/loop[0-9]*/uevent rw, @{sys}/devices/virtual/block/loop[0-9]*/uevent rw,

2
apparmor.d/profiles-s-z/zpool
View file

@ -23,7 +23,7 @@ profile zpool @{exec_path} {
@{run}/blkid/blkid.tab rw, @{run}/blkid/blkid.tab rw,
@{run}/blkid/blkid.tab.old rwl, @{run}/blkid/blkid.tab.old rwl,
@{run}/blkid/blkid.tab-* rwl, @{run}/blkid/blkid.tab-@{rand6} rwl,
/tmp/tmp.* rw, /tmp/tmp.* rw,

22
apparmor.d/tunables/multiarch.d/apparmor.d
View file

@ -6,11 +6,29 @@
# To allow extended personalisation without breaking everything. # To allow extended personalisation without breaking everything.
# All apparmor profiles should always use the variables defined here. # All apparmor profiles should always use the variables defined here.
# Single hex character
@{h}=[0-9a-fA-F]
# Single alphanumeric character
@{c}=[0-9a-zA-Z]
# Only number (0-9999999999)
@{number}={[0-9],[0-9][0-9],[0-9][0-9][0-9],[0-9][0-9][0-9][0-9],[0-9][0-9][0-9][0-9][0-9],[0-9][0-9][0-9][0-9][0-9][0-9],[0-9][0-9][0-9][0-9][0-9][0-9][0-9],[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}
# Any six characters
@{rand6}=@{c}@{c}@{c}@{c}@{c}@{c}
# Any eight characters
@{rand8}=@{c}@{c}@{c}@{c}@{c}@{c}@{c}@{c}
# MD5 hash
@{md5}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}
# Universally unique identifier # Universally unique identifier
@{uuid}=[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]* @{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}
# Hexadecimal # Hexadecimal
@{hex}=[0-9a-fA-F]* @{hex}=@{h}*@{h}
# Date and time # Date and time
@{date}=[0-9][0-9][0-9][0-9]-[1-12]-[1-31] @{date}=[0-9][0-9][0-9][0-9]-[1-12]-[1-31]