felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): general update.

Browse source
This commit is contained in:
Alexandre Pujol 2024-09-12 22:26:47 +01:00
parent 9e7c4c7ec8
commit ab7f45bc31
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
26 changed files with 53 additions and 111 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/profiles-s-z/YACReader
View file

@ -37,8 +37,6 @@ profile YACReader @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_share_dirs}/YACReader/YACReader/ rw,
owner @{user_share_dirs}/YACReader/YACReader/** rwlk,
/dev/shm/ r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r,

8
apparmor.d/profiles-s-z/sfdisk
View file

@ -10,15 +10,9 @@ include <tunables/global>
@{exec_path} = @{bin}/sfdisk
profile sfdisk @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-write>
# Needed to avoid the following error:
# ioctl(3, BLKRRPART) = -1 EACCES (Permission denied)
#
# Checking that no-one is using this disk right now ... FAILED
# This disk is currently in use - repartitioning is probably a bad idea.
# Umount all file systems, and swapoff all swap partitions on this disk.
# Use the --no-reread flag to suppress this check.
capability sys_admin,
@{exec_path} mr,

1
apparmor.d/profiles-s-z/steam
View file

@ -327,7 +327,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**,
owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw,
/dev/shm/ r,
owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw,
owner /dev/shm/u@{uid}-Shm_@{hex6} rw,

2
apparmor.d/profiles-s-z/steam-runtime
View file

@ -42,7 +42,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
@{app_dirs}/@{runtime}/pressure-vessel/@{bin}/pressure-vessel-* rix,
@{app_dirs}/@{runtime}/pressure-vessel/@{lib}/** mr,
@{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-capsule-capture-libs rix,
@{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-detect-platform rix,
@{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-detect-* rix,
@{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-inspect-library rix,
@{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rpx -> steam-game-proton,
@{app_dirs}/@{runtime}/run rix,

3
apparmor.d/profiles-s-z/thunderbird
View file

@ -158,8 +158,7 @@ profile thunderbird @{exec_path} {
owner @{PROC}/@{pid}/task/@{tid}/stat r,
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
/dev/shm/ r,
owner /dev/shm/org.chromium.* rw,
owner /dev/shm/org.chromium.@{rand6} rw,
owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
owner /dev/shm/wayland.mozilla.ipc.@{int} rw,

1
apparmor.d/profiles-s-z/udisksd
View file

@ -119,6 +119,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
@{sys}/bus/ r,
@{sys}/bus/pci/slots/ r,
@{sys}/bus/pci/slots/@{int}/address r,
@{sys}/bus/scsi/devices/ r,
@{sys}/class/ r,
@{sys}/class/nvme-subsystem/ r,
@{sys}/class/nvme/ r,