felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: variour small fixes.

Browse source 
See #409
This commit is contained in:
Alexandre Pujol 2024-07-14 12:12:30 +01:00
parent bd1239b46a
commit 9c9f743e1e
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
10 changed files with 26 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

1
apparmor.d/groups/bus/ibus-daemon
View file

@ -42,6 +42,7 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
@{sh_path} rix, @{sh_path} rix,
@{lib}/{,ibus/}ibus-* rPUx, @{lib}/{,ibus/}ibus-* rPUx,
@{lib}/ibus-*/ibus-* rPUx,
/usr/share/ibus/{,**} r, /usr/share/ibus/{,**} r,
/usr/share/ibus-table/{,**} r, /usr/share/ibus-table/{,**} r,

5
apparmor.d/groups/freedesktop/xdg-desktop-portal
View file

@ -84,6 +84,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/.flatpak/{,*/*} r, owner @{run}/user/@{uid}/.flatpak/{,*/*} r,
@{sys}/devices/virtual/dmi/id/bios_vendor r,
@{sys}/devices/virtual/dmi/id/board_vendor r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{PROC}/ r, @{PROC}/ r,
@{PROC}/*/ r, @{PROC}/*/ r,
@{PROC}/1/cgroup r, @{PROC}/1/cgroup r,

5
apparmor.d/groups/gnome/gio-launch-desktop
View file

@ -3,6 +3,11 @@
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# TODO: Rethink this profile:
# - Access to gio from a profile is handled by child-open-*
# - Direct access should only be needed is some special context and it should not
# require access to that much resources.
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>

2
apparmor.d/groups/gnome/gsd-color
View file

@ -21,6 +21,8 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
include <abstractions/gnome-strict> include <abstractions/gnome-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
network inet stream,
signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(term, hup) peer=gdm*,
#aa:dbus own bus=session name=org.gnome.SettingsDaemon.Color #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Color

2
apparmor.d/groups/gnome/gsd-keyboard
View file

@ -21,6 +21,8 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
include <abstractions/gnome-strict> include <abstractions/gnome-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
network inet stream,
signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(term, hup) peer=gdm*,
#aa:dbus own bus=session name=org.gnome.SettingsDaemon.Keyboard #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Keyboard

1
apparmor.d/groups/gnome/gsd-power
View file

@ -30,6 +30,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
include <abstractions/gnome-strict> include <abstractions/gnome-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
network inet stream,
network netlink raw, network netlink raw,
signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(term, hup) peer=gdm*,

10
apparmor.d/groups/gnome/gsd-smartcard
View file

@ -31,13 +31,17 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/{,opensc/}opensc.conf r, /etc/{,opensc/}opensc.conf r,
/etc/tpm2-tss/* r,
owner @{GDM_HOME}/greeter-dconf-defaults r,
owner @{gdm_config_dirs}/dconf/user r,
/var/tmp/ r, /var/tmp/ r,
/tmp/ r, /tmp/ r,
owner @{GDM_HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,
owner @{GDM_HOME}/greeter-dconf-defaults r,
owner @{gdm_config_dirs}/dconf/user r,
owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,
owner /dev/tty@{int} rw, owner /dev/tty@{int} rw,
include if exists <local/gsd-smartcard> include if exists <local/gsd-smartcard>

1
apparmor.d/groups/systemd/systemd-sleep-tlp
View file

@ -12,6 +12,7 @@ profile systemd-sleep-tlp @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix,
@{bin}/tlp rPUx, @{bin}/tlp rPUx,
include if exists <local/systemd-sleep-tlp> include if exists <local/systemd-sleep-tlp>

2
apparmor.d/profiles-s-z/usbguard-daemon
View file

@ -24,8 +24,8 @@ profile usbguard-daemon @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/etc/usbguard/{,**} r,
/etc/usbguard/*.conf rw, /etc/usbguard/*.conf rw,
/etc/usbguard/IPCAccessControl.d/{,*} r,
owner @{run}/usbguard.pid rwk, owner @{run}/usbguard.pid rwk,

1
dists/flags/main.flags
View file

@ -353,6 +353,7 @@ systemd-portabled complain
systemd-remount-fs complain systemd-remount-fs complain
systemd-resolve complain systemd-resolve complain
systemd-shutdown complain systemd-shutdown complain
systemd-sleep-tlp complain
systemd-socket-proxyd complain systemd-socket-proxyd complain
systemd-udevd attach_disconnected,complain systemd-udevd attach_disconnected,complain
systemd-user-sessions complain systemd-user-sessions complain