felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): general profile update.

Browse source
This commit is contained in:
Alexandre Pujol 2025-08-31 23:00:13 +02:00
parent 7cfff26ee2
commit a1ba00bec3
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
43 changed files with 121 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/groups/apparmor/apparmor_parser
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib} @{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib}
@{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser @{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser
profile apparmor_parser @{exec_path} flags=(attach_disconnected) { profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
@ -46,7 +46,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
deny network netlink raw, # file_inherit deny network netlink raw, # file_inherit
deny /apparmor/.null rw, /opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad?
include if exists <local/apparmor_parser> include if exists <local/apparmor_parser>
} }

4
apparmor.d/groups/apt/debconf-frontend
View file

@ -25,7 +25,7 @@ profile debconf-frontend @{exec_path} flags=(complain) {
@{bin}/stty ix, @{bin}/stty ix,
@{sbin}/update-secureboot-policy Px, @{sbin}/update-secureboot-policy Px,
# debconf apps # Debconf apps
@{bin}/adequate Px, @{bin}/adequate Px,
@{bin}/debconf-apt-progress Px, @{bin}/debconf-apt-progress Px,
@{bin}/linux-check-removal Px, @{bin}/linux-check-removal Px,
@ -49,6 +49,8 @@ profile debconf-frontend @{exec_path} flags=(complain) {
@{lib}/dkms/dkms-* rPUx, @{lib}/dkms/dkms-* rPUx,
@{lib}/dkms/dkms_* rPUx, @{lib}/dkms/dkms_* rPUx,
/etc/libpaper.d/texlive-base rPUx,
/usr/share/debconf/{,**} r, /usr/share/debconf/{,**} r,
/etc/inputrc r, /etc/inputrc r,

1
apparmor.d/groups/apt/dpkg-scripts
View file

@ -76,6 +76,7 @@ profile dpkg-scripts @{exec_path} {
@{run}/** rw, @{run}/** rw,
@{efi}/grub/* rw, @{efi}/grub/* rw,
/tmp/fmtutil.@{rand8} rw,
/tmp/grub.@{rand10} rw, /tmp/grub.@{rand10} rw,
/tmp/sed@{rand6} rw, /tmp/sed@{rand6} rw,
/tmp/tmp.@{rand10} rw, /tmp/tmp.@{rand10} rw,

5
apparmor.d/groups/bluetooth/obexd
View file

@ -25,6 +25,11 @@ profile obexd @{exec_path} {
member=Release member=Release
peer=(name=:*, label="@{p_bluetoothd}"), peer=(name=:*, label="@{p_bluetoothd}"),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=@{busname}, label=gnome-shell),
@{exec_path} mr, @{exec_path} mr,
owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/ rw,

3
apparmor.d/groups/cron/anacron
View file

@ -28,6 +28,7 @@ profile anacron @{exec_path} {
@{tmp}/file@{rand6} rw, @{tmp}/file@{rand6} rw,
/tmp/anacron-@{rand6} rw, /tmp/anacron-@{rand6} rw,
/tmp/anacron-@{rand6}@{c} rw,
profile run-parts { profile run-parts {
include <abstractions/base> include <abstractions/base>
@ -39,7 +40,9 @@ profile anacron @{exec_path} {
owner @{tmp}/#@{int} rw, owner @{tmp}/#@{int} rw,
owner @{tmp}/file@{rand6} rw, owner @{tmp}/file@{rand6} rw,
/tmp/anacron-@{rand6} rw, /tmp/anacron-@{rand6} rw,
/tmp/anacron-@{rand6}@{c} rw,
include if exists <local/anacron_run-parts> include if exists <local/anacron_run-parts>
} }

4
apparmor.d/groups/cups/cups-browsed
View file

@ -49,9 +49,11 @@ profile cups-browsed @{exec_path} {
/etc/cups/{,**} r, /etc/cups/{,**} r,
/var/cache/cups/{,**} rw,
/var/log/cups/{,**} rw, /var/log/cups/{,**} rw,
/var/cache/cups/{,**} rw,
owner /var/cache/cups-browsed/{,**} rw,
owner @{tmp}/@{hex} rw, owner @{tmp}/@{hex} rw,
@{run}/cups/certs/* r, @{run}/cups/certs/* r,

3
apparmor.d/groups/flatpak/flatpak
View file

@ -154,6 +154,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
capability setuid, capability setuid,
unix type=seqpacket peer=(label=flatpak-system-helper),
unix type=stream peer=(label=flatpak),
mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
umount /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/,

8
apparmor.d/groups/flatpak/flatpak-system-helper
View file

@ -28,6 +28,11 @@ profile flatpak-system-helper @{exec_path} {
ptrace read, ptrace read,
unix type=seqpacket peer=(label=dbus-system),
unix type=seqpacket peer=(label=flatpak),
unix type=seqpacket peer=(label=flatpak//fusermount),
unix type=seqpacket peer=(label=unconfined),
#aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper
@{exec_path} mr, @{exec_path} mr,
@ -54,7 +59,8 @@ profile flatpak-system-helper @{exec_path} {
@{tmp}/remote-summary-sig.@{rand6} r, @{tmp}/remote-summary-sig.@{rand6} r,
@{tmp}/remote-summary.@{rand6} r, @{tmp}/remote-summary.@{rand6} r,
@{PROC}/@{pid}/stat r, @{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/status r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/fdinfo/@{int} r,

8
apparmor.d/groups/freedesktop/wireplumber
View file

@ -47,8 +47,8 @@ profile wireplumber @{exec_path} {
/usr/share/wireplumber/{,**} r, /usr/share/wireplumber/{,**} r,
owner @{desktop_local_dirs}/ w, owner @{desktop_local_dirs}/ w,
owner @{desktop_local_dirs}/state/ w, owner @{desktop_state_dirs}/ w,
owner @{desktop_local_dirs}/state/wireplumber/{,**} rw, owner @{desktop_state_dirs}/wireplumber/{,**} rw,
owner @{HOME}/.local/ w, owner @{HOME}/.local/ w,
owner @{user_state_dirs}/ w, owner @{user_state_dirs}/ w,
@ -81,8 +81,10 @@ profile wireplumber @{exec_path} {
@{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/sys_vendor r,
@{PROC}/@{pid}/cgroup r, @{PROC}/1/cgroup r,
@{PROC}/1/status r,
@{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/dev/media@{int} rw, /dev/media@{int} rw,

2
apparmor.d/groups/freedesktop/xdg-desktop-portal
View file

@ -68,7 +68,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
@{bin}/kreadconfig{,5} rPx, @{bin}/kreadconfig{,5} rPx,
@{lib}/xdg-desktop-portal-validate-icon rPx, @{lib}/xdg-desktop-portal-validate-icon rPx,
@{open_path} rPx -> child-open, @{open_path} mrPx -> child-open,
/ r, / r,
@{att}/.flatpak-info r, @{att}/.flatpak-info r,

13
apparmor.d/groups/gnome/deja-dup-monitor
View file

@ -18,6 +18,8 @@ profile deja-dup-monitor @{exec_path} {
include <abstractions/bus/org.gtk.vfs.MountTracker> include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gschemas> include <abstractions/gschemas>
include <abstractions/nameservice-strict>
include <abstractions/notifications>
network netlink raw, network netlink raw,
@ -39,15 +41,26 @@ profile deja-dup-monitor @{exec_path} {
member=GetAll member=GetAll
peer=(name=@{busname}, label=power-profiles-daemon), peer=(name=@{busname}, label=power-profiles-daemon),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=@{busname}, label=gnome-shell),
@{exec_path} mr, @{exec_path} mr,
@{bin}/chrt rix, @{bin}/chrt rix,
@{bin}/ionice rix, @{bin}/ionice rix,
@{bin}/deja-dup Px, @{bin}/deja-dup Px,
/usr/share/gvfs/remote-volume-monitors/{,**} r,
/var/tmp/ r, /var/tmp/ r,
/tmp/ r, /tmp/ r,
@{run}/mount/utab r,
owner @{PROC}/@{pid}/mountinfo r,
include if exists <local/deja-dup-monitor> include if exists <local/deja-dup-monitor>
} }

11
apparmor.d/groups/gnome/gdm-session
View file

@ -14,11 +14,12 @@ profile gdm-session @{exec_path} {
include <abstractions/bus/org.gnome.DisplayManager> include <abstractions/bus/org.gnome.DisplayManager>
include <abstractions/bus/session/org.freedesktop.systemd1> include <abstractions/bus/session/org.freedesktop.systemd1>
signal (receive) set=(hup term) peer=gdm-session-worker, signal receive set=(hup term) peer=gdm-session-worker,
signal (receive) set=(term) peer=gdm, signal receive set=(term) peer=gdm,
signal (send) set=(term) peer=dbus-session, signal send set=(term) peer=dbus-session,
signal (send) set=(term) peer=gnome-session-binary, signal send set=(term) peer=gnome-session-binary,
signal (send) set=(term) peer=xorg, signal send set=(term) peer=xorg,
signal send set=term peer=gnome-session,
dbus receive bus=session dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable

1
apparmor.d/groups/gnome/gnome-calculator
View file

@ -10,6 +10,7 @@ include <tunables/global>
profile gnome-calculator @{exec_path} { profile gnome-calculator @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/common/gnome> include <abstractions/common/gnome>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
# Needed to get currency exchange rates # Needed to get currency exchange rates

3
apparmor.d/groups/gnome/gnome-control-center
View file

@ -130,7 +130,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{user_config_dirs}/gnome-control-center/{,**} rw, owner @{user_config_dirs}/gnome-control-center/{,**} rw,
owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, owner @{user_config_dirs}/mimeapps.list w,
owner @{user_config_dirs}/mimeapps.list.@{rand6} rw,
owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw, owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw,
owner @{user_games_dirs}/**.png r, owner @{user_games_dirs}/**.png r,

3
apparmor.d/groups/gnome/gnome-session
View file

@ -9,7 +9,10 @@ include <tunables/global>
@{exec_path} = @{bin}/gnome-session @{exec_path} = @{bin}/gnome-session
profile gnome-session @{exec_path} { profile gnome-session @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/gschemas>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/shells> include <abstractions/shells>

5
apparmor.d/groups/gnome/gnome-session-binary
View file

@ -28,8 +28,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
network inet6 dgram, network inet6 dgram,
network netlink raw, network netlink raw,
signal (receive) set=(term, hup) peer=gdm*, signal receive set=(term, hup) peer=gdm*,
signal (send) set=(term) peer=gsd-*, signal send set=(term) peer=gsd-*,
#aa:dbus own bus=session name=org.gnome.SessionManager #aa:dbus own bus=session name=org.gnome.SessionManager
#aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
@ -67,6 +67,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
@{etc_ro}/xdg/autostart/{,*.desktop} r, @{etc_ro}/xdg/autostart/{,*.desktop} r,
owner @{gdm_cache_dirs}/gdm/Xauthority r, owner @{gdm_cache_dirs}/gdm/Xauthority r,
owner @{gdm_config_dirs}/ rw,
owner @{gdm_config_dirs}/dconf/user rw, owner @{gdm_config_dirs}/dconf/user rw,
owner @{gdm_config_dirs}/gnome-session/ rw, owner @{gdm_config_dirs}/gnome-session/ rw,
owner @{gdm_config_dirs}/gnome-session/saved-session/ rw, owner @{gdm_config_dirs}/gnome-session/saved-session/ rw,

1
apparmor.d/groups/gnome/gnome-shell-calendar-server
View file

@ -11,6 +11,7 @@ profile gnome-shell-calendar-server @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gschemas>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
#aa:dbus own bus=session name=org.gnome.Shell.CalendarServer #aa:dbus own bus=session name=org.gnome.Shell.CalendarServer

5
apparmor.d/groups/gnome/gnome-system-monitor
View file

@ -22,9 +22,9 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
network inet6 dgram, network inet6 dgram,
network netlink raw, network netlink raw,
ptrace (read), ptrace read,
signal (send) set=(kill term cont stop), signal send set=(kill term cont stop),
#aa:dbus own bus=session name=org.gnome.SystemMonitor #aa:dbus own bus=session name=org.gnome.SystemMonitor
@ -75,6 +75,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pids}/smaps r, @{PROC}/@{pids}/smaps r,
@{PROC}/@{pids}/stat r, @{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/statm r, @{PROC}/@{pids}/statm r,
@{PROC}/@{pids}/status r,
@{PROC}/@{pids}/wchan r, @{PROC}/@{pids}/wchan r,
@{PROC}/diskstats r, @{PROC}/diskstats r,
@{PROC}/vmstat r, @{PROC}/vmstat r,

1
apparmor.d/groups/gnome/gnome-text-editor
View file

@ -12,6 +12,7 @@ profile gnome-text-editor @{exec_path} {
include <abstractions/bus/org.freedesktop.FileManager1> include <abstractions/bus/org.freedesktop.FileManager1>
include <abstractions/common/gnome> include <abstractions/common/gnome>
include <abstractions/enchant> include <abstractions/enchant>
include <abstractions/nameservice-strict>
include <abstractions/user-read-strict> include <abstractions/user-read-strict>
include <abstractions/user-write-strict> include <abstractions/user-write-strict>

1
apparmor.d/groups/gnome/gsd-housekeeping
View file

@ -17,6 +17,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gnome-strict> include <abstractions/gnome-strict>
include <abstractions/notifications>
include <abstractions/thumbnails-cache-write> include <abstractions/thumbnails-cache-write>
signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(term, hup) peer=gdm*,

1
apparmor.d/groups/gnome/gsd-usb-protection
View file

@ -12,6 +12,7 @@ profile gsd-usb-protection @{exec_path} {
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gschemas> include <abstractions/gschemas>
include <abstractions/screensaver>
#aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection

7
apparmor.d/groups/gnome/gsd-wwan
View file

@ -10,10 +10,17 @@ include <tunables/global>
profile gsd-wwan @{exec_path} { profile gsd-wwan @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gschemas>
#aa:dbus own bus=session name=org.gnome.SettingsDaemon.Wwan #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Wwan
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=@{busname}, label=gnome-shell),
@{exec_path} mr, @{exec_path} mr,
include if exists <local/gsd-wwan> include if exists <local/gsd-wwan>

2
apparmor.d/groups/gnome/gsd-xsettings
View file

@ -43,7 +43,7 @@ profile gsd-xsettings @{exec_path} {
dbus receive bus=system path=/org/freedesktop/Accounts dbus receive bus=system path=/org/freedesktop/Accounts
interface=org.freedesktop.Accounts interface=org.freedesktop.Accounts
member=UserAdded member={UserAdded,UserDeleted}
peer=(name=@{busname}, label="@{p_accounts_daemon}"), peer=(name=@{busname}, label="@{p_accounts_daemon}"),
dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} dbus send bus=system path=/org/freedesktop/Accounts/User@{uid}

1
apparmor.d/groups/gnome/ptyxis
View file

@ -12,6 +12,7 @@ profile ptyxis @{exec_path} {
include <abstractions/bus/org.gtk.vfs.MountTracker> include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/common/gnome> include <abstractions/common/gnome>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/notifications>
unix type=stream peer=(label=ptyxis-agent), unix type=stream peer=(label=ptyxis-agent),

1
apparmor.d/groups/kde/DiscoverNotifier
View file

@ -34,6 +34,7 @@ profile DiscoverNotifier @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{bin}/apt-config rPx, @{bin}/apt-config rPx,
@{bin}/plasma-discover rPx,
@{bin}/gpg{,2} rCx -> gpg, @{bin}/gpg{,2} rCx -> gpg,
@{bin}/gpgconf rCx -> gpg, @{bin}/gpgconf rCx -> gpg,

1
apparmor.d/groups/procps/htop
View file

@ -112,6 +112,7 @@ profile htop @{exec_path} {
@{PROC}/@{pids}/oom_score r, @{PROC}/@{pids}/oom_score r,
@{PROC}/@{pids}/stat r, @{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/statm r, @{PROC}/@{pids}/statm r,
@{PROC}/@{pids}/status r,
@{PROC}/@{pids}/wchan r, @{PROC}/@{pids}/wchan r,
@{PROC}/@{pids}/task/ r, @{PROC}/@{pids}/task/ r,

2
apparmor.d/groups/ssh/sshd
View file

@ -69,6 +69,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix, @{exec_path} mrix,
@{sbin}/sshd.hmac r,
@{bin}/@{shells} Ux, #aa:exclude RBAC @{bin}/@{shells} Ux, #aa:exclude RBAC
@{bin}/false ix, @{bin}/false ix,
@{sbin}/nologin Px, @{sbin}/nologin Px,

3
apparmor.d/groups/systemd/systemd-coredump
View file

@ -52,6 +52,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
@{att}/@{run}/systemd/coredump rw, @{att}/@{run}/systemd/coredump rw,
@{run}/systemd/coredump rw, @{run}/systemd/coredump rw,
@{PROC}/@{pids}/auxv r,
@{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/comm r, @{PROC}/@{pids}/comm r,
@ -59,9 +60,11 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
@{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/fd/ r,
@{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/fdinfo/@{int} r,
@{PROC}/@{pids}/limits r, @{PROC}/@{pids}/limits r,
@{PROC}/@{pids}/maps r,
@{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mountinfo r,
@{PROC}/@{pids}/ns/ r, @{PROC}/@{pids}/ns/ r,
@{PROC}/@{pids}/stat r, @{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/status r,
owner @{PROC}/@{pid}/setgroups r, owner @{PROC}/@{pid}/setgroups r,
include if exists <local/systemd-coredump> include if exists <local/systemd-coredump>

3
apparmor.d/groups/systemd/systemd-detect-virt
View file

@ -43,6 +43,9 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
/dev/cpu/@{int}/msr r, /dev/cpu/@{int}/msr r,
deny capability net_admin,
deny capability perfmon,
include if exists <local/systemd-detect-virt> include if exists <local/systemd-detect-virt>
} }

3
apparmor.d/groups/systemd/systemd-remount-fs
View file

@ -23,7 +23,8 @@ profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) {
@{bin}/mount rix, @{bin}/mount rix,
/etc/blkid.conf r, @{etc_ro}/blkid.conf r,
@{etc_ro}/blkid.conf.d/{,**} r,
/etc/fstab r, /etc/fstab r,
@{run}/host/container-manager r, @{run}/host/container-manager r,

8
apparmor.d/groups/systemd/systemd-udevd
View file

@ -128,6 +128,14 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/kmod> include <abstractions/app/kmod>
capability sys_module,
@{sh_path} rix,
@{bin}/kmod ix,
@{sys}/module/*/initstate r,
@{sys}/module/compression r,
include if exists <local/systemd-udevd_kmod> include if exists <local/systemd-udevd_kmod>
} }

8
apparmor.d/groups/systemd/zram-generator
View file

@ -13,7 +13,7 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{bin}/kmod rCx, @{bin}/kmod rCx -> kmod,
@{bin}/systemd-detect-virt rPx, @{bin}/systemd-detect-virt rPx,
@{lib}/systemd/systemd-makefs rPx, @{lib}/systemd/systemd-makefs rPx,
@ -31,10 +31,14 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) {
owner /dev/pts/@{int} rw, owner /dev/pts/@{int} rw,
profile kmod { profile kmod flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/kmod> include <abstractions/app/kmod>
capability sys_module,
@{sys}/module/compression r,
include if exists <local/zram-generator_kmod> include if exists <local/zram-generator_kmod>
} }

1
apparmor.d/groups/ubuntu/apport-gtk
View file

@ -17,6 +17,7 @@ profile apport-gtk @{exec_path} {
include <abstractions/common/apt> include <abstractions/common/apt>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gnome-strict> include <abstractions/gnome-strict>
include <abstractions/gschemas>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/python> include <abstractions/python>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>

2
apparmor.d/groups/utils/who
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/who @{exec_path} = @{bin}/{,gnu}who
profile who @{exec_path} { profile who @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>

1
apparmor.d/profiles-a-f/finalrd
View file

@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/finalrd @{exec_path} = @{bin}/finalrd
profile finalrd @{exec_path} { profile finalrd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/disks-read>
capability dac_read_search, capability dac_read_search,
capability sys_admin, capability sys_admin,

1
apparmor.d/profiles-g-l/gsettings
View file

@ -16,7 +16,6 @@ profile gsettings @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,

3
apparmor.d/profiles-g-l/issue-generator
View file

@ -19,6 +19,7 @@ profile issue-generator @{exec_path} {
@{bin}/cat rix, @{bin}/cat rix,
@{bin}/chmod rix, @{bin}/chmod rix,
@{bin}/cmp rix, @{bin}/cmp rix,
@{bin}/mkdir rix,
@{bin}/mktemp rix, @{bin}/mktemp rix,
@{bin}/mv rix, @{bin}/mv rix,
@{bin}/rm rix, @{bin}/rm rix,
@ -30,7 +31,7 @@ profile issue-generator @{exec_path} {
@{run}/agetty.reload w, @{run}/agetty.reload w,
@{run}/issue rw, @{run}/issue rw,
@{run}/issue.@{rand10} rw, @{run}/issue.@{rand10} rw,
@{run}/issue.d/{,**} r, @{run}/issue.d/{,**} rw,
/dev/tty rw, /dev/tty rw,

2
apparmor.d/profiles-m-r/mimetype
View file

@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/mimetype @{bin}/*_perl/mimetype @{exec_path} = @{bin}/mimetype @{bin}/*_perl/mimetype
profile mimetype @{exec_path} { profile mimetype @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/perl> include <abstractions/mime>
include <abstractions/perl> include <abstractions/perl>
@{exec_path} r, @{exec_path} r,

1
apparmor.d/profiles-s-z/signal-desktop
View file

@ -21,6 +21,7 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus/org.kde.StatusNotifierWatcher> include <abstractions/bus/org.kde.StatusNotifierWatcher>
include <abstractions/common/electron> include <abstractions/common/electron>
include <abstractions/devices-usb-read> include <abstractions/devices-usb-read>
include <abstractions/notifications>
include <abstractions/screensaver> include <abstractions/screensaver>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
include <abstractions/video> include <abstractions/video>

1
apparmor.d/profiles-s-z/udev-fido_id
View file

@ -14,6 +14,7 @@ profile udev-fido_id @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/etc/udev/udev.conf r, /etc/udev/udev.conf r,
/etc/udev/udev.conf.d/{,**} r,
@{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/@{pci}/report_descriptor r,
@{sys}/devices/platform/**/report_descriptor r, @{sys}/devices/platform/**/report_descriptor r,

3
apparmor.d/profiles-s-z/update-info-dir
View file

@ -14,8 +14,9 @@ profile update-info-dir @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{sh_path} r, @{sh_path} r,
@{bin}/install-info Px, @{bin}/cp ix,
@{bin}/find ix, @{bin}/find ix,
@{bin}/install-info Px,
@{bin}/rm ix, @{bin}/rm ix,
/etc/environment r, /etc/environment r,

8
apparmor.d/profiles-s-z/wsdd
View file

@ -9,9 +9,14 @@ include <tunables/global>
@{exec_path} = @{bin}/wsdd @{exec_path} = @{bin}/wsdd
profile wsdd @{exec_path} { profile wsdd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/python> include <abstractions/python>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
# wsdd can create its own chroot as a built-in security mechanism.
# This is used by default in the systemd wsdd-server service.
capability sys_chroot,
network inet dgram, network inet dgram,
network inet stream, network inet stream,
network inet6 dgram, network inet6 dgram,
@ -28,7 +33,8 @@ profile wsdd @{exec_path} {
owner /var/lib/libuuid/clock.txt rw, owner /var/lib/libuuid/clock.txt rw,
@{run}/uuidd/request rw, @{run}/uuidd/request rw,
owner @{run}/user/@{uid}/gvfsd/wsdd w, owner @{run}/user/@{uid}/wsdd w,
owner @{run}/user/@{uid}/*/wsdd w,
include if exists <local/wsdd> include if exists <local/wsdd>
} }

2
apparmor.d/profiles-s-z/xournalpp
View file

@ -37,7 +37,7 @@ profile xournalpp @{exec_path} {
owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/dev/snd/controlC@{int} w, /dev/snd/controlC@{int} w,
/dev/snd/pcmC@{rand4} rw, /dev/snd/pcmC@{int}D@{int}[cp] w,
include if exists <local/xournalpp> include if exists <local/xournalpp>
} }