felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profiles): deny gvfs-metadata when possible.

Browse source
This commit is contained in:
Alexandre Pujol 2022-09-24 17:59:20 +01:00
parent fcee586e9e
commit ae6cecde52
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
23 changed files with 42 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/groups/freedesktop/xdg-dbus-proxy
View file

@ -13,8 +13,6 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw,
owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw,
owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-[0-9A-Z]* rw,
@ -25,5 +23,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
/dev/dri/card[0-9]* rw,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/xdg-dbus-proxy>
}

3
apparmor.d/groups/freedesktop/xdg-mime
View file

@ -39,7 +39,6 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/.Xauthority r,
owner @{user_config_dirs}/mimeapps.list{,.new} rw,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{run}/user/@{uid}/ r,
@ -60,6 +59,8 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
deny /{usr/,}bin/dbus-launch rx,
deny /{usr/,}bin/dbus-send rx,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
profile dbus {
include <abstractions/base>
include <abstractions/nameservice-strict>

3
apparmor.d/groups/gnome/evolution-source-registry
View file

@ -27,11 +27,12 @@ profile evolution-source-registry @{exec_path} {
owner @{user_config_dirs}/evolution/sources/{,*} rw,
owner @{user_share_dirs}/evolution/{,**} r,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{user_cache_dirs}/evolution/{,**} rwk,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/cmdline r,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/evolution-source-registry>
}

3
apparmor.d/groups/gnome/gnome-control-center
View file

@ -91,7 +91,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
owner @{user_config_dirs}/mimeapps.list.* rw,
owner @{user_share_dirs}/backgrounds/{,**} rw,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{user_share_dirs}/icc/{,edid-*} r,
owner @{user_share_dirs}/sounds/__custom/{,*} rw,
owner @{user_share_dirs}/webkitgtk/{,**} r,
@ -148,5 +147,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/dev/media[0-9]* r,
/dev/video[0-9]* rw,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/gnome-control-center>
}

5
apparmor.d/groups/gnome/gnome-extension-ding
View file

@ -60,12 +60,11 @@ profile gnome-extension-ding @{exec_path} {
owner @{user_share_dirs}/nautilus/scripts/ r,
owner @{user_share_dirs}/gvfs-metadata/home r,
owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/gnome-extension-ding>
}

3
apparmor.d/groups/gnome/gnome-music
View file

@ -45,7 +45,6 @@ profile gnome-music @{exec_path} {
owner @{user_cache_dirs}/media-art/album-*.jpeg rw,
owner @{user_share_dirs}/grilo-plugins/ rwk,
owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
owner @{user_share_dirs}/gvfs-metadata/root{,-*.log} r,
owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw,
@{run}/systemd/inhibit/[0-9]*.ref rw,
@ -54,5 +53,7 @@ profile gnome-music @{exec_path} {
owner @{PROC}/@{pid}/mounts r,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/gnome-music>
}

3
apparmor.d/groups/gnome/gnome-shell
View file

@ -118,7 +118,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/desktop-directories/{,**} r,
owner @{user_share_dirs}/gnome-shell/{,**} rw,
owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r,
owner @{user_cache_dirs}/gnome-boxes/*.png r,
@ -203,5 +202,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
/dev/input/event[0-9]* rw,
/dev/tty[0-9]* rw,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/gnome-shell>
}

4
apparmor.d/groups/gnome/gnome-system-monitor
View file

@ -37,8 +37,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
/var/lib/snapd/desktop/icons/ r,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{run}/user/@{uid}/doc/ rw,
@{run}/systemd/sessions/* r,
@ -69,5 +67,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pids}/wchan r,
@{PROC}/vmstat r,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/gnome-system-monitor>
}

3
apparmor.d/groups/gnome/gnome-tweaks
View file

@ -33,11 +33,12 @@ profile gnome-tweaks @{exec_path} {
owner @{user_config_dirs}/autostart/*.desktop r,
owner @{user_share_dirs}/backgrounds/{,**} r,
owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{user_share_dirs}/recently-used.xbel* rw,
owner @{user_share_dirs}/sounds/ r,
owner @{PROC}/@{pid}/fd/ r,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/gnome-tweaks>
}

1
apparmor.d/groups/gnome/tracker-extract
View file

@ -48,7 +48,6 @@ profile tracker-extract @{exec_path} {
owner /tmp/*/{,**} r,
owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
owner @{user_share_dirs}/gvfs-metadata/** r,
owner /tmp/tracker-extract-3-files.*/{,*} rw,

4
apparmor.d/groups/network/mullvad-gui
View file

@ -46,7 +46,7 @@ profile mullvad-gui @{exec_path} {
/var/lib/dbus/machine-id r,
owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk,
owner @{user_share_dirs}/gvfs-metadata/* r,
owner @{user_cache_dirs}/dconf/user rw,
owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
@ -73,5 +73,7 @@ profile mullvad-gui @{exec_path} {
/dev/tty rw,
deny owner @{user_share_dirs}/gvfs-metadata/* r,
include if exists <local/mullvad-gui>
}

3
apparmor.d/groups/ubuntu/update-manager
View file

@ -87,7 +87,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
/var/lib/update-manager/{,**} rw,
owner @{user_cache_dirs}/update-manager-core/{,**} rw,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
@ -99,5 +98,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
/dev/ptmx rw,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/update-manager>
}