feat(profile): modernize some profiles.
This commit is contained in:
Alexandre Pujol
parent
81b9de3aff
commit
9c859cec9d
14 changed files with 124 additions and 211 deletions
|
|
@ -10,23 +10,19 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/gajim
|
||||
profile gajim @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/X>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/video>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/user-download-strict>
|
||||
include <abstractions/python>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/gstreamer>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/enchant>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/gstreamer>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/python>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/user-download-strict>
|
||||
include <abstractions/video>
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
|
|
@ -58,8 +54,12 @@ profile gajim @{exec_path} {
|
|||
@{lib}/firefox/firefox rPx,
|
||||
@{bin}/spacefm rPx,
|
||||
|
||||
# Gajim plugins
|
||||
/usr/share/gajim/plugins/{,**} r,
|
||||
/usr/share/xml/iso-codes/{,**} r,
|
||||
|
||||
/etc/fstab r,
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
# Gajim home files
|
||||
owner @{HOME}/ r,
|
||||
|
|
@ -80,13 +80,6 @@ profile gajim @{exec_path} {
|
|||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
/etc/fstab r,
|
||||
|
||||
/usr/share/xml/iso-codes/{,**} r,
|
||||
|
||||
# TMP files locations (first in /tmp/ , /var/tmp/ and @{HOME}/)
|
||||
/var/tmp/ r,
|
||||
/tmp/ r,
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@ profile gparted @{exec_path} {
|
|||
@{bin}/ps rPx,
|
||||
@{bin}/xhost rPx,
|
||||
@{bin}/pkexec rPx,
|
||||
@{bin}/systemctl rPx -> child-systemctl,
|
||||
@{bin}/systemctl rCx -> systemctl,
|
||||
|
||||
# For shell pwd
|
||||
/ r,
|
||||
|
|
@ -60,25 +60,18 @@ profile gparted @{exec_path} {
|
|||
|
||||
profile udevadm {
|
||||
include <abstractions/base>
|
||||
|
||||
ptrace (read),
|
||||
include <abstractions/systemd-common>
|
||||
|
||||
@{bin}/udevadm mr,
|
||||
|
||||
/etc/udev/udev.conf r,
|
||||
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/1/sched r,
|
||||
@{PROC}/1/environ r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
@{sys}/** r,
|
||||
@{sys}/devices/virtual/block/**/uevent rw,
|
||||
@{sys}/devices/@{pci}/block/**/uevent rw,
|
||||
@{run}/udev/data/* r,
|
||||
|
||||
include if exists <local/gparted_udevadm>
|
||||
}
|
||||
|
||||
profile killall flags=(attach_disconnected) {
|
||||
|
|
@ -99,6 +92,14 @@ profile gparted @{exec_path} {
|
|||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
|
||||
include if exists <local/gparted_killall>
|
||||
}
|
||||
|
||||
profile systemctl {
|
||||
include <abstractions/base>
|
||||
include <abstractions/systemctl>
|
||||
|
||||
include if exists <local/gparted_systemctl>
|
||||
}
|
||||
|
||||
include if exists <local/gparted>
|
||||
|
|
|
|||
|
|
@ -69,8 +69,6 @@ profile hw-probe @{exec_path} {
|
|||
@{bin}/xinput rPx,
|
||||
@{bin}/xrandr rPx,
|
||||
|
||||
@{bin}/systemctl rPx -> child-systemctl,
|
||||
|
||||
@{bin}/curl rCx -> curl,
|
||||
@{bin}/ethtool rCx -> netconfig,
|
||||
@{bin}/find rCx -> find,
|
||||
|
|
@ -80,6 +78,7 @@ profile hw-probe @{exec_path} {
|
|||
@{bin}/journalctl rCx -> journalctl,
|
||||
@{bin}/killall rCx -> killall,
|
||||
@{bin}/kmod rCx -> kmod,
|
||||
@{bin}/systemctl rCx -> systemctl,
|
||||
@{bin}/systemd-analyze rPx,
|
||||
@{bin}/udevadm rCx -> udevadm,
|
||||
|
||||
|
|
@ -166,25 +165,18 @@ profile hw-probe @{exec_path} {
|
|||
|
||||
profile udevadm {
|
||||
include <abstractions/base>
|
||||
include <abstractions/systemd-common>
|
||||
|
||||
@{bin}/udevadm mr,
|
||||
|
||||
/etc/udev/udev.conf r,
|
||||
|
||||
@{run}/udev/data/* r,
|
||||
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/bus/*/devices/ r,
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/*/ r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
|
||||
@{PROC}/1/environ r,
|
||||
@{PROC}/1/sched r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
|
||||
include if exists <local/hw-probe_udevadm>
|
||||
}
|
||||
|
||||
|
|
@ -228,5 +220,12 @@ profile hw-probe @{exec_path} {
|
|||
include if exists <local/hw-probe_netconfig>
|
||||
}
|
||||
|
||||
profile systemctl {
|
||||
include <abstractions/base>
|
||||
include <abstractions/systemctl>
|
||||
|
||||
include if exists <local/hw-probe_systemctl>
|
||||
}
|
||||
|
||||
include if exists <local/hw-probe>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -13,18 +13,14 @@ profile hypnotix @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl-intel>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/python>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/user-download-strict>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
signal (send) set=(term, kill) peer=youtube-dl,
|
||||
signal (send) set=(term, kill) peer=yt-dlp,
|
||||
|
|
@ -49,7 +45,6 @@ profile hypnotix @{exec_path} {
|
|||
@{lib}/firefox/firefox rPx,
|
||||
|
||||
/usr/share/hypnotix/{,**} r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/vdpau_wrapper.cfg r,
|
||||
|
|
@ -60,8 +55,6 @@ profile hypnotix @{exec_path} {
|
|||
|
||||
owner @{user_music_dirs}/** r,
|
||||
|
||||
@{sys}/devices/@{pci}/drm/ r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
|
|
|
|||
|
|
@ -40,27 +40,16 @@ profile initd-kexec @{exec_path} {
|
|||
|
||||
profile systemctl {
|
||||
include <abstractions/base>
|
||||
|
||||
include <abstractions/systemctl>
|
||||
|
||||
capability sys_resource,
|
||||
|
||||
ptrace (read),
|
||||
|
||||
@{bin}/systemctl mr,
|
||||
|
||||
@{bin}/systemd-tty-ask-password-agent rix,
|
||||
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
@{PROC}/1/sched r,
|
||||
@{PROC}/1/environ r,
|
||||
@{PROC}/cmdline r,
|
||||
|
||||
/dev/kmsg w,
|
||||
|
||||
owner @{run}/systemd/ask-password/ rw,
|
||||
owner @{run}/systemd/ask-password-block/* rw,
|
||||
|
||||
include if exists <local/initd-kexec_systemctl>
|
||||
}
|
||||
|
||||
include if exists <local/initd-kexec>
|
||||
|
|
|
|||
|
|
@ -35,11 +35,10 @@ profile inxi @{exec_path} {
|
|||
@{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
|
||||
|
||||
@{bin}/ip rCx -> ip,
|
||||
@{lib}/systemd/systemd rCx -> systemd,
|
||||
@{bin}/kmod rCx -> kmod,
|
||||
@{bin}/systemctl rCx -> systemctl,
|
||||
@{bin}/udevadm rCx -> udevadm,
|
||||
|
||||
@{bin}/systemctl rPx -> child-systemctl,
|
||||
@{lib}/systemd/systemd rCx -> systemd,
|
||||
|
||||
# Do not strip env to avoid errors like the following:
|
||||
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
|
||||
|
|
@ -87,6 +86,14 @@ profile inxi @{exec_path} {
|
|||
|
||||
@{run}/ r,
|
||||
|
||||
@{sys}/class/power_supply/ r,
|
||||
@{sys}/class/net/ r,
|
||||
@{sys}/firmware/acpi/tables/ r,
|
||||
@{sys}/bus/usb/devices/ r,
|
||||
@{sys}/devices/{,**} r,
|
||||
@{sys}/module/*/version r,
|
||||
@{sys}/power/wakeup_count r,
|
||||
|
||||
@{PROC}/asound/ r,
|
||||
@{PROC}/asound/version r,
|
||||
@{PROC}/sys/kernel/hostname r,
|
||||
|
|
@ -105,15 +112,6 @@ profile inxi @{exec_path} {
|
|||
/dev/disk/*/ r,
|
||||
/dev/dm-[0-9]* r,
|
||||
|
||||
@{sys}/class/power_supply/ r,
|
||||
@{sys}/class/net/ r,
|
||||
@{sys}/firmware/acpi/tables/ r,
|
||||
@{sys}/bus/usb/devices/ r,
|
||||
@{sys}/devices/{,**} r,
|
||||
@{sys}/module/*/version r,
|
||||
@{sys}/power/wakeup_count r,
|
||||
|
||||
|
||||
profile ip {
|
||||
include <abstractions/base>
|
||||
|
||||
|
|
@ -125,38 +123,33 @@ profile inxi @{exec_path} {
|
|||
|
||||
/etc/iproute2/group r,
|
||||
|
||||
include if exists <local/inxi_ip>
|
||||
}
|
||||
|
||||
profile systemd {
|
||||
include <abstractions/base>
|
||||
include <abstractions/systemd-common>
|
||||
|
||||
@{lib}/systemd/systemd mr,
|
||||
|
||||
/etc/systemd/user.conf r,
|
||||
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
@{PROC}/sys/kernel/pid_max r,
|
||||
@{PROC}/sys/kernel/threads-max r,
|
||||
@{PROC}/1/cgroup r,
|
||||
|
||||
include if exists <local/inxi_systemd>
|
||||
}
|
||||
|
||||
profile udevadm {
|
||||
include <abstractions/base>
|
||||
include <abstractions/systemd-common>
|
||||
|
||||
@{bin}/udevadm mr,
|
||||
|
||||
/etc/udev/udev.conf r,
|
||||
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/1/sched r,
|
||||
@{PROC}/1/environ r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
|
||||
@{sys}/devices/@{pci}/block/**/uevent r,
|
||||
@{run}/udev/data/b* r,
|
||||
|
||||
@{sys}/devices/@{pci}/block/**/uevent r,
|
||||
|
||||
include if exists <local/inxi_udevadm>
|
||||
}
|
||||
|
||||
profile kmod {
|
||||
|
|
@ -167,6 +160,14 @@ profile inxi @{exec_path} {
|
|||
@{PROC}/cmdline r,
|
||||
@{PROC}/modules r,
|
||||
|
||||
include if exists <local/inxi_kmod>
|
||||
}
|
||||
|
||||
profile systemctl {
|
||||
include <abstractions/base>
|
||||
include <abstractions/systemctl>
|
||||
|
||||
include if exists <local/inxi_systemctl>
|
||||
}
|
||||
|
||||
include if exists <local/inxi>
|
||||
|
|
|
|||
|
|
@ -11,16 +11,11 @@ include <tunables/global>
|
|||
profile labwc @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/devices-usb>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/wayland>
|
||||
|
||||
network netlink raw,
|
||||
|
||||
|
|
@ -32,8 +27,6 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/usr/share/libinput/ r,
|
||||
/usr/share/libinput/*.quirks r,
|
||||
/usr/share/themes/**/themerc r,
|
||||
/usr/share/X11/xkb/** r,
|
||||
|
||||
owner @{user_config_dirs}/labwc/ r,
|
||||
owner @{user_config_dirs}/labwc/* r,
|
||||
|
|
@ -61,9 +54,5 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
owner /tmp/.X@{int}-lock rw,
|
||||
owner /tmp/.X11-unix/ rw,
|
||||
owner /tmp/.X11-unix/X@{int} rw,
|
||||
|
||||
include if exists <local/labwc>
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue