refractor: move more profiles to groups.
This commit is contained in:
parent
fadc08b1ea
commit
9d74168be2
51 changed files with 0 additions and 0 deletions
@ -1,36 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2019-2022 Mikhail Morfikov
|
||||
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/su
|
||||
profile su @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app-launcher-root>
|
||||
include <abstractions/app/sudo>
|
||||
|
||||
capability chown, # pseudo-terminal
|
||||
|
||||
signal (send) set=(term,kill),
|
||||
signal (receive) set=(int,quit,term),
|
||||
signal (receive) set=(cont,hup) peer=sudo,
|
||||
|
||||
unix (bind) type=dgram,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/@{shells} rUx,
|
||||
@{bin}/nologin rPx,
|
||||
|
||||
@{etc_ro}/default/su r,
|
||||
|
||||
@{HOME}/.xauth@{rand6} rw,
|
||||
|
||||
include if exists <local/su>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,31 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/sulogin
|
||||
profile sulogin @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability sys_admin,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
# The shell is not confined on purpose.
|
||||
@{bin}/@{shells} rUx,
|
||||
|
||||
/etc/shadow r,
|
||||
|
||||
@{PROC}/consoles r,
|
||||
|
||||
/dev/ r,
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/sulogin>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,32 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/swapon @{bin}/swapoff
|
||||
profile swapon @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/disks-write>
|
||||
|
||||
capability sys_admin,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/fstab r,
|
||||
|
||||
owner /swap.img rw,
|
||||
owner /swap/swapfile rw,
|
||||
owner /swapfile rw,
|
||||
|
||||
@{PROC}/swaps r,
|
||||
|
||||
/dev/pts/@{int} rw,
|
||||
|
||||
include if exists <local/swapon>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,22 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/sync
|
||||
profile sync @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
# All paths where sync can be used to flush all write operations on a single file to disk
|
||||
/{,**} rw,
|
||||
|
||||
include if exists <local/sync>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,39 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# TODO: Rethink this profile. Should not be called by another profile.
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/sysctl
|
||||
profile sysctl @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
capability net_admin,
|
||||
capability sys_admin,
|
||||
capability sys_ptrace,
|
||||
capability sys_resource,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/sysctl.conf r,
|
||||
/etc/sysctl.d/{,**} r,
|
||||
/usr/lib/sysctl.d/{,**} r,
|
||||
|
||||
@{PROC}/sys/ r,
|
||||
@{PROC}/sys/** rw,
|
||||
|
||||
# Inherit Silencer
|
||||
deny network inet6 stream,
|
||||
deny network inet stream,
|
||||
|
||||
/etc/ufw/sysctl.conf r, # Add support for ufw
|
||||
|
||||
include if exists <local/sysctl>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,70 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/top
|
||||
profile top @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/wutmp>
|
||||
|
||||
capability dac_read_search,
|
||||
capability kill,
|
||||
capability sys_nice,
|
||||
capability sys_ptrace,
|
||||
|
||||
signal send,
|
||||
|
||||
ptrace read,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
/etc/topdefaultrc r,
|
||||
/etc/toprc r,
|
||||
|
||||
owner @{user_config_dirs}/procps/ rw,
|
||||
owner @{user_config_dirs}/procps/toprc rw,
|
||||
|
||||
@{run}/systemd/sessions/ r,
|
||||
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node@{int}/cpumap r,
|
||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
@{PROC}/@{pids}/environ r,
|
||||
@{PROC}/@{pids}/oom_{,score_}adj r,
|
||||
@{PROC}/@{pids}/oom_score r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/@{pids}/statm r,
|
||||
@{PROC}/@{pids}/task/ r,
|
||||
@{PROC}/@{pids}/task/@{tid}/cgroup r,
|
||||
@{PROC}/@{pids}/task/@{tid}/cmdline r,
|
||||
@{PROC}/@{pids}/task/@{tid}/environ r,
|
||||
@{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r,
|
||||
@{PROC}/@{pids}/task/@{tid}/oom_score r,
|
||||
@{PROC}/@{pids}/task/@{tid}/stat r,
|
||||
@{PROC}/@{pids}/task/@{tid}/statm r,
|
||||
@{PROC}/@{pids}/task/@{tid}/status r,
|
||||
@{PROC}/@{pids}/task/@{tid}/wchan r,
|
||||
@{PROC}/@{pids}/wchan r,
|
||||
@{PROC}/loadavg r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
@{PROC}/sys/kernel/pid_max r,
|
||||
@{PROC}/tty/drivers r,
|
||||
@{PROC}/uptime r,
|
||||
|
||||
include if exists <local/top>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/uname
|
||||
profile uname @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{att}/dev/tty@{int} rw,
|
||||
|
||||
deny network,
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/* r,
|
||||
deny owner @{user_share_dirs}/zed/**/data.mdb rw,
|
||||
|
||||
include if exists <local/uname>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/uptime
|
||||
profile uptime @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/wutmp>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{PROC}/uptime r,
|
||||
@{PROC}/loadavg r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
|
||||
include if exists <local/uptime>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,78 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/useradd
|
||||
profile useradd @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability audit_write,
|
||||
capability chown,
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
capability fowner,
|
||||
capability fsetid,
|
||||
|
||||
network netlink raw,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/nscd rix,
|
||||
@{bin}/usermod rPx,
|
||||
|
||||
@{bin}/pam_tally2 rCx -> pam_tally2,
|
||||
|
||||
/etc/default/useradd r,
|
||||
@{etc_ro}/login.defs r,
|
||||
|
||||
/etc/{passwd,shadow,gshadow,group,subuid,subgid} rw,
|
||||
/etc/{passwd,shadow,gshadow,group,subuid,subgid}- w,
|
||||
/etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w,
|
||||
/etc/{passwd,shadow,gshadow,group,subuid,subgid}+ rw,
|
||||
|
||||
/etc/group.lock wl -> /etc/group.@{pid},
|
||||
/etc/gshadow.lock wl -> /etc/gshadow.@{pid},
|
||||
/etc/passwd.lock wl -> /etc/passwd.@{pid},
|
||||
/etc/shadow.lock wl -> /etc/shadow.@{pid},
|
||||
/etc/subgid.lock wl -> /etc/subgid.@{pid},
|
||||
/etc/subuid.lock wl -> /etc/subuid.@{pid},
|
||||
|
||||
# A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
|
||||
# modify the /etc/passwd or /etc/shadow password database.
|
||||
/etc/.pwd.lock rwk,
|
||||
|
||||
/var/log/faillog rw,
|
||||
/var/log/lastlog rw,
|
||||
|
||||
# To create user dirs and copy files from /etc/skel/ to them
|
||||
@{HOME}/ rw,
|
||||
@{HOME}/** wl,
|
||||
@{HOME}/**/ r,
|
||||
/var/lib/*/{,*} rw,
|
||||
/etc/skel/{,.**} r,
|
||||
|
||||
profile pam_tally2 {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability audit_write,
|
||||
|
||||
@{bin}/pam_tally2 mr,
|
||||
|
||||
/var/log/tallylog rw,
|
||||
|
||||
include if exists <local/useradd_pam_tally2>
|
||||
}
|
||||
|
||||
include if exists <local/useradd>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,59 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/userdel
|
||||
profile userdel @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability audit_write,
|
||||
capability chown,
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
capability fsetid,
|
||||
capability sys_ptrace,
|
||||
|
||||
network netlink raw,
|
||||
|
||||
ptrace (read),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{etc_ro}/login.defs r,
|
||||
|
||||
/etc/{passwd,shadow,gshadow,group,subuid,subgid} rw,
|
||||
/etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w,
|
||||
/etc/{passwd,shadow,gshadow,group,subuid,subgid}- w,
|
||||
/etc/{passwd,shadow,gshadow,group,subuid,subgid}+ rw,
|
||||
|
||||
/etc/passwd.lock wl -> /etc/passwd.@{pid},
|
||||
/etc/shadow.lock wl -> /etc/shadow.@{pid},
|
||||
/etc/group.lock wl -> /etc/group.@{pid},
|
||||
/etc/gshadow.lock wl -> /etc/gshadow.@{pid},
|
||||
/etc/subuid.lock wl -> /etc/subuid.@{pid},
|
||||
/etc/subgid.lock wl -> /etc/subgid.@{pid},
|
||||
|
||||
# A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
|
||||
# modify the /etc/passwd or /etc/shadow password database.
|
||||
/etc/.pwd.lock rwk,
|
||||
|
||||
# To remove user home files
|
||||
@{HOME}/{,**} rw,
|
||||
/var/ r,
|
||||
/var/lib/ r,
|
||||
/var/lib/*/{,**} rw,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pids}/task/ r,
|
||||
|
||||
include if exists <local/userdel>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,60 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/usermod
|
||||
profile usermod @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability audit_write,
|
||||
capability chown,
|
||||
capability dac_read_search,
|
||||
capability fowner,
|
||||
capability fsetid,
|
||||
capability sys_ptrace,
|
||||
|
||||
network netlink raw,
|
||||
|
||||
ptrace (read),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/nscd rix,
|
||||
|
||||
@{etc_ro}/login.defs r,
|
||||
/etc/subuid r,
|
||||
|
||||
/etc/{passwd,shadow,gshadow,group} rw,
|
||||
/etc/{passwd,shadow,gshadow,group}.@{pid} w,
|
||||
/etc/{passwd,shadow,gshadow,group}- w,
|
||||
/etc/{passwd,shadow,gshadow,group}+ rw,
|
||||
|
||||
/etc/passwd.lock wl -> /etc/passwd.@{pid},
|
||||
/etc/group.lock wl -> /etc/group.@{pid},
|
||||
/etc/shadow.lock wl -> /etc/shadow.@{pid},
|
||||
/etc/gshadow.lock wl -> /etc/gshadow.@{pid},
|
||||
|
||||
# A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
|
||||
# modify the /etc/passwd or /etc/shadow password database.
|
||||
/etc/.pwd.lock rwk,
|
||||
|
||||
# To create and move user dirs
|
||||
@{HOME}/{,**} rw,
|
||||
/var/ r,
|
||||
/var/lib/ r,
|
||||
/var/lib/*/{,**} rw,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pids}/task/ r,
|
||||
|
||||
include if exists <local/usermod>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2022 Jeroen Rijken
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/users
|
||||
profile users @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/var/log/wtmp rk,
|
||||
|
||||
@{run}/utmp rk,
|
||||
|
||||
include if exists <local/users>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/uuidd
|
||||
profile uuidd @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
network inet dgram,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner /var/lib/libuuid/clock.txt rwk,
|
||||
|
||||
@{run}/uuidd/request rw,
|
||||
@{att}/@{run}/uuidd/request rw,
|
||||
|
||||
include if exists <local/uuidd>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/uuidgen
|
||||
profile uuidgen @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
network inet dgram,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner /var/lib/libuuid/clock.txt w,
|
||||
|
||||
@{run}/uuidd/request w,
|
||||
|
||||
include if exists <local/uuidgen>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,39 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021 Mikhail Morfikov
|
||||
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/w
|
||||
profile w @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/wutmp>
|
||||
|
||||
capability sys_ptrace,
|
||||
|
||||
ptrace (read),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
|
||||
@{run}/systemd/sessions/ r,
|
||||
@{run}/systemd/sessions/* r,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/loadavg r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
@{PROC}/uptime r,
|
||||
|
||||
include if exists <local/w>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,27 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/who
|
||||
profile who @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/wutmp>
|
||||
|
||||
capability kill,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
deny owner @{user_share_dirs}/zed/**/data.mdb rw,
|
||||
|
||||
include if exists <local/who>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||