feat(profile): general update.
This commit is contained in:
parent
ecb7f2e79f
commit
a1b86b56d2
31 changed files with 75 additions and 131 deletions
|
|
@ -40,6 +40,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/user-read>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
# userns,
|
||||
|
||||
capability sys_admin, # If kernel.unprivileged_userns_clone = 1
|
||||
capability sys_chroot, # If kernel.unprivileged_userns_clone = 1
|
||||
capability sys_ptrace,
|
||||
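Review bot: `capability sys_admin,` and `capability sys_chroot,` are granted unconditionally here, while their trailing comments make them sound dependent on `kernel.unprivileged_userns_clone = 1`; AppArmor has no sysctl-conditional rule, so the comment documents intent only and the grants apply on every host. sys_admin is the broadest capability in the set and, together with `capability sys_ptrace,`, considerably widens what a compromised Firefox process can do inside its confinement. If these exist only so the content-process sandbox can create user namespaces, the commented `# userns,` rule above them is the narrower alternative where the installed AppArmor supports it; otherwise a comment stating the real requirement would help, e.g. `# Granted unconditionally (AppArmor cannot condition on sysctls); needed for the content-process sandbox — TODO confirm`. Which of these lines are the two additions is not recoverable from the rendered hunk, and the profile body continues outside it.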
|
|
|
|||
|
|
@ -12,15 +12,10 @@ profile dconf-editor @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/gnome-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/glib-2.0/schemas/{,*} r,
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
|
||||
# When GSETTINGS_BACKEND=keyfile
|
||||
owner @{user_config_dirs}/glib-2.0/ rw,
|
||||
owner @{user_config_dirs}/glib-2.0/settings/ rw,
|
||||
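Review bot: The new `include <abstractions/gnome-strict>` cannot be checked from this hunk against the explicit rules it appears to replace (`fonts`, `gtk`, `freedesktop.org`, `/usr/share/glib-2.0/schemas/{,*} r,`, `/usr/share/X11/xkb/{,**} r,`), so the profile may now carry every rule the abstraction grants rather than only the paths dconf-editor needed. The same consolidation appears in the gnome-control-center-print-renderer and check-new-release-gtk sections. Which lines are the deletions is inferred from the header counts and the surviving `gnome-strict` line, not recoverable from the rendered hunk; confirming the abstraction's contents against the removed rules is the check I would ask for before merging. The profile body continues outside the hunk.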
|
|
|
|||
|
|
@ -35,7 +35,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
|
|||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
@{exec_path} mr,
|
||||
@{exec_path} mrix,
|
||||
|
||||
@{bin}/pactl rix,
|
||||
@{bin}/pipewire-media-session rPx,
|
||||
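Review bot: `@{exec_path} mrix,` has no comment saying what self-execution it serves; `ix` lets the confined binary re-exec itself under this same profile, which is only the right choice if pipewire actually does that. A one-line why-comment such as `# pipewire re-execs itself; keep the child under this profile (ix) — TODO confirm` would record the reason for a later reader. Which of the two `@{exec_path}` lines is the new one is not recoverable from the rendered hunk, though the header's equal counts show one replaced the other; the profile body continues outside the hunk.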
|
|
|
|||
|
|
@ -85,6 +85,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/lightdm/{,**} rw,
|
||||
|
||||
/tmp/ r,
|
||||
/tmp/server-[0-9].xkm rw,
|
||||
owner /tmp/.tX[0-9]-lock rwk,
|
||||
owner /tmp/.X[0-9]-lock rwkl -> /tmp/.tX[0-9]-lock,
|
||||
owner /tmp/server-* rwk,
|
||||
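Review bot: `/tmp/server-[0-9].xkm rw,` lacks the `owner` qualifier that the neighbouring `/tmp/server-*` and lock-file rules carry, so the X server may read and write an xkm file created by another user in the shared /tmp. `owner /tmp/server-* rwk,` already matches the same file name, so the un-owned rule is both redundant and looser; if it is the added line, `owner /tmp/server-[0-9].xkm rw,` (or simply dropping it) keeps the existing ownership guard. Which of the five lines is the single addition is not recoverable from the rendered hunk; the profile body continues outside it.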
|
|
|
|||
|
|
@ -36,10 +36,6 @@ profile evolution-alarm-notify @{exec_path} {
|
|||
/usr/share/evolution-data-server/{,**} r,
|
||||
/usr/share/{,zoneinfo-}icu/{,**} r,
|
||||
|
||||
# freedesktop.org-strict
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/*ubuntu/applications/ r,
|
||||
|
||||
/etc/timezone r,
|
||||
|
||||
include if exists <local/evolution-alarm-notify>
|
||||
|
|
|
|||
|
|
@ -15,33 +15,21 @@ profile gnome-control-center-print-renderer @{exec_path} {
|
|||
include <abstractions/dconf-write>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl-nvidia>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/wayland>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/egl/{,**} r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/icons/{,**} r,
|
||||
/usr/share/libdrm/*.ids r,
|
||||
/usr/share/mime/mime.cache r,
|
||||
/usr/share/pixmaps/{,**} r,
|
||||
/usr/share/X11/xkb/** r,
|
||||
|
||||
/var/lib/flatpak/exports/share/icons/{,**} r,
|
||||
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
||||
|
||||
/var/lib/snapd/desktop/icons/{,**} r,
|
||||
|
||||
owner @{user_share_dirs}/icons/{,**} r,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/comm r,
|
||||
|
||||
|
|
|
|||
|
|
@ -48,7 +48,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/gdm/greeter/applications/*.desktop r,
|
||||
/usr/share/gvfs/remote-volume-monitors/{,*} r,
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/ladspa/rdf/{,**} r,
|
||||
/usr/share/osinfo/{,**} r,
|
||||
|
|
|
|||
|
|
@ -24,6 +24,7 @@ profile gvfsd-dav @{exec_path} {
|
|||
network netlink raw,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/mime/mime.cache r,
|
||||
|
||||
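Review bot: `network netlink raw,` has no comment explaining why a WebDAV backend opens a raw netlink socket; it is the most privileged rule in the hunk, and a reader cannot tell whether it answers an observed denial or was copied from a sibling profile. Presumably it serves GLib's network-connectivity monitor rather than WebDAV itself — a comment such as `# netlink: GLib network monitor — TODO confirm against the denial` would record that. Which of the four lines is the single addition is not recoverable from the rendered hunk; the profile body continues outside it.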
|
|
|
|||
|
|
@ -13,6 +13,8 @@ profile gvfsd-network @{exec_path} {
|
|||
include <abstractions/bus-session>
|
||||
include <abstractions/dconf-write>
|
||||
|
||||
dbus bind bus=session name=org.gtk.vfs.mountpoint_@{int},
|
||||
|
||||
dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int}
|
||||
interface=org.gtk.vfs.Spawner
|
||||
member=Spawned
|
||||
|
|
@ -38,9 +40,6 @@ profile gvfsd-network @{exec_path} {
|
|||
member=GetConnection
|
||||
peer=(name=:*, label=gnome-control-center),
|
||||
|
||||
dbus bind bus=session
|
||||
name=org.gtk.vfs.mountpoint_[0-9]*,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
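Review bot: The new `dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int}` rule shows no `peer=` qualifier within the first hunk, whereas the existing `member=GetConnection` rule in this section pins its peer to `(name=:*, label=gnome-control-center)`; without one, the message may be sent to any session-bus peer serving that path and interface. If the rule's closing peer clause follows `member=Spawned` outside the hunk this is fine; otherwise adding one that names the spawner's label would match the rest of the profile. Both hunks cut through the profile body.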
|
|
|
|||
|
|
@ -11,6 +11,7 @@ include <tunables/global>
|
|||
profile networkctl @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.freedesktop.network1>
|
||||
|
||||
capability net_admin,
|
||||
capability sys_module,
|
||||
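Review bot: `capability net_admin,` and `capability sys_module,` carry no comment explaining why a D-Bus client CLI needs them, and `sys_module` in particular grants kernel-module loading to a user-facing tool. A short why-comment naming the operation that produced each denial would let a later reader judge whether the rule can be dropped, e.g. `# sys_module: TODO record the networkctl operation that needs it`. Which line is the single addition is not recoverable from the rendered hunk; the profile body continues outside it.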
|
|
|
|||
|
|
@ -72,6 +72,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
|
|||
|
||||
/ r,
|
||||
/boot/{,**} r,
|
||||
/efi/{,**} r,
|
||||
/swap/swapfile r,
|
||||
/swapfile r,
|
||||
|
||||
|
|
|
|||
|
|
@ -14,13 +14,11 @@ profile check-new-release-gtk @{exec_path} {
|
|||
include <abstractions/bus-session>
|
||||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/python>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/wayland>
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
|
|
@ -35,12 +33,8 @@ profile check-new-release-gtk @{exec_path} {
|
|||
@{bin}/lsb_release rPx -> lsb_release,
|
||||
|
||||
/usr/share/distro-info/{,**} r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/icons/{,**} r,
|
||||
/usr/share/themes/{,**} r,
|
||||
/usr/share/ubuntu-release-upgrader/{,**} r,
|
||||
/usr/share/update-manager/{,**} r,
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
|
||||
/etc/update-manager/{,**} r,
|
||||
|
|
|
|||
|
|
@ -59,6 +59,7 @@ profile cockpit-bridge @{exec_path} {
|
|||
@{sys}/class/hwmon/ r,
|
||||
@{sys}/devices/**/hwmon@{int}/ r,
|
||||
@{sys}/devices/**/hwmon@{int}/{name,temp*} r,
|
||||
@{sys}/fs/cgroup/ r,
|
||||
@{sys}/fs/cgroup/**/ r,
|
||||
@{sys}/fs/cgroup/**/cpu.{stat,weight} r,
|
||||
@{sys}/fs/cgroup/**/memory* r,
|
||||
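Review bot: `@{sys}/fs/cgroup/**/memory* r,` and `@{sys}/fs/cgroup/**/cpu.{stat,weight} r,` spell the cgroup reads differently from the cockpit-pcp section's single `@{sys}/fs/cgroup/**/{memory,cpu}* r,`, and the two cockpit profiles also differ on whether the directory rule is `@{sys}/fs/cgroup/**/ r,` or `@{sys}/fs/cgroup/{,**/} r,`. Picking one form for both would make later denials easier to triage against the rules. Which line here is the single addition is not recoverable from the rendered hunk; the profile body continues outside it.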
|
|
|
|||
|
|
@ -27,16 +27,17 @@ profile cockpit-pcp @{exec_path} {
|
|||
/var/lib/pcp/{,**} rw,
|
||||
|
||||
/var/log/pcp/pmlogger/ r,
|
||||
/var/log/pcp/pmlogger/** r,
|
||||
|
||||
@{sys}/fs/cgroup/{,**/} r,
|
||||
@{sys}/fs/cgroup/**/{memory,cpu}* r,
|
||||
@{sys}/devices/platform/**/hwmon/hwmon@{int}/temp* r,
|
||||
@{sys}/devices/platform/**/hwmon/hwmon@{int}/fan* r,
|
||||
|
||||
@{PROC}/@{pid}/net/dev r,
|
||||
@{PROC}/diskstats r,
|
||||
@{PROC}/swaps r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
@{PROC}/@{pid}/net/dev r,
|
||||
|
||||
include if exists <local/cockpit-pcp>
|
||||
}
|
||||
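Review bot: `@{PROC}/@{pid}/net/dev r,` appears twice in the hunk, once before `@{PROC}/diskstats r,` and once after `owner @{PROC}/@{pid}/mounts r,`; one is presumably the moved original, but if both land on the new side the rule is duplicated. The line also differs in qualifier from its neighbour: `mounts` is restricted with `owner` while `net/dev` is not, so `owner @{PROC}/@{pid}/net/dev r,` would be the consistent form if reading it through other users' pid entries is not needed. Exactly which lines are the additions and the deletion is not recoverable from the rendered hunk; the profile's closing brace is visible, so this hunk ends the profile body.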
|
|
@ -32,9 +32,8 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
|
|||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
mount fstype=overlayfs -> /var/lib/docker/overlay2/*/merged/,
|
||||
mount /var/lib/docker/overlay2/**/,
|
||||
mount options=(rw, bind) -> /run/docker/netns/*,
|
||||
mount options=(rw, rbind) -> /var/lib/docker/overlay*/**/,
|
||||
mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder[0-9]*/,
|
||||
mount options=(rw, rprivate) -> /.pivot_root[0-9]*/,
|
||||
mount options=(rw, rslave) -> /,
|
||||
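Review bot: `mount /var/lib/docker/overlay2/**/,` has no `fstype=`, `options=` or source qualifier, so unlike the adjacent `mount fstype=overlayfs -> /var/lib/docker/overlay2/*/merged/,` it allows any filesystem type from any source to be mounted on any directory under overlay2; if it is the line this hunk adds, it widens the profile considerably. Constraining it the same way, e.g. `mount fstype=overlayfs -> /var/lib/docker/overlay2/**/,`, or keeping only the narrower rule, would preserve the intent without the blanket grant. Which mount lines are the two deletions and the one addition is not recoverable from the rendered hunk; the profile body continues outside it.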
|
|
|
|||