feat(profile): general update.
This commit is contained in:
Alexandre Pujol
parent
ee328f727b
commit
a46dfaad61
17 changed files with 59 additions and 80 deletions
|
|
@ -23,6 +23,8 @@ profile xdg-email @{exec_path} flags=(complain) {
|
|||
@{bin}/which rix,
|
||||
@{bin}/xdg-mime rPx,
|
||||
|
||||
@{thunderbird_path} rPx,
|
||||
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/xdg-email>
|
||||
|
|
|
|||
|
|
@ -36,6 +36,9 @@ profile epiphany-search-provider @{exec_path} {
|
|||
owner @{user_cache_dirs}/epiphany/{,**} rwk,
|
||||
owner @{user_share_dirs}/epiphany/{,**} rwk,
|
||||
|
||||
owner /tmp/ContentRuleList@{rand6} rw,
|
||||
owner /tmp/Serialized* rw,
|
||||
|
||||
@{sys}/devices/virtual/dmi/id/chassis_type r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
|
||||
|
||||
|
|
|
|||
|
|
@ -65,8 +65,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/gdm{3,}/gdm.pid rw,
|
||||
@{run}/gdm{3,}/greeter/ rw,
|
||||
@{run}/systemd/seats/seat@{int} r,
|
||||
@{run}/systemd/sessions/* r,
|
||||
@{run}/systemd/sessions/*.ref r,
|
||||
@{run}/systemd/sessions/* r,
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
|
||||
@{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs
|
||||
|
|
|
|||
|
|
@ -31,6 +31,9 @@ profile gdm-generate-config @{exec_path} {
|
|||
/var/lib/ r,
|
||||
/var/lib/gdm{3,}/{,**} r,
|
||||
|
||||
/var/lib/gdm{3,}/greeter-dconf-defaults rw,
|
||||
/var/lib/gdm{3,}/greeter-dconf-defaults.@{rand6} w,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pid}/cgroup r,
|
||||
@{PROC}/@{pid}/cmdline r,
|
||||
|
|
|
|||
|
|
@ -9,6 +9,10 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/gnome-contacts
|
||||
profile gnome-contacts @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-accessibility>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
|
|
@ -23,9 +27,12 @@ profile gnome-contacts @{exec_path} {
|
|||
|
||||
network netlink raw,
|
||||
|
||||
@{exec_path} mr,
|
||||
# dbus: own bus=session name=org.gnome.Contacts
|
||||
|
||||
/usr/share/applications/{,*.desktop} r,
|
||||
# dbus: talk bus=session name=org.gnome.evolution.dataserver.AddressBookFactory label=evolution-addressbook-factory
|
||||
# dbus: talk bus=session name=org.gnome.evolution.dataserver.Source label=evolution-source-registry
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{user_cache_dirs}/evolution/addressbook/{,**} r,
|
||||
owner @{user_config_dirs}/gnome-contacts/{,**} rw,
|
||||
|
|
|
|||
|
|
@ -9,8 +9,9 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/bootctl
|
||||
profile bootctl @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/systemd-common>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/disks-read>
|
||||
include <abstractions/systemd-common>
|
||||
|
||||
capability mknod,
|
||||
capability net_admin,
|
||||
|
|
@ -42,7 +43,7 @@ profile bootctl @{exec_path} {
|
|||
|
||||
@{run}/host/container-manager r,
|
||||
|
||||
@{sys}//class/tpmrm/ r,
|
||||
@{sys}/class/tpmrm/ r,
|
||||
|
||||
@{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r,
|
||||
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
|
||||
|
|
@ -68,8 +69,8 @@ profile bootctl @{exec_path} {
|
|||
@{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,
|
||||
@{sys}/firmware/efi/fw_platform_size r,
|
||||
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
@{PROC}/sys/kernel/random/poolsize r,
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
|
||||
# Inherit silencer
|
||||
deny network inet6 stream,
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) {
|
|||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
|
||||
# mqueue read type=posix /,
|
||||
# mqueue r type=posix /,
|
||||
|
||||
ptrace (read),
|
||||
|
||||
|
|
|
|||
|
|
@ -40,6 +40,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/dpkg rPx -> child-dpkg,
|
||||
@{bin}/hwe-support-status rPx,
|
||||
@{bin}/ischroot rix,
|
||||
|
|
@ -56,6 +57,8 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/X11/{,**} r,
|
||||
|
||||
/etc/gtk-3.0/settings.ini r,
|
||||
/etc/pulse/client.conf r,
|
||||
/etc/pulse/client.conf.d/{,**} r,
|
||||
/etc/update-manager/{,**} r,
|
||||
|
||||
/boot/ r,
|
||||
|
|
@ -68,6 +71,11 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner @{user_cache_dirs}/update-manager-core/{,**} rw,
|
||||
|
||||
owner @{user_config_dirs}/pulse/cookie rk,
|
||||
|
||||
owner @{run}/user/@{uid}/pulse/ r,
|
||||
owner @{run}/user/@{uid}/pulse/native rw,
|
||||
|
||||
@{run}/systemd/inhibit/*.ref w,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
|
@ -75,6 +83,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
|
|||
@{PROC}/@{pids}/mountinfo r,
|
||||
|
||||
/dev/ptmx rw,
|
||||
/dev/shm/ r,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue