felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Revert "tty and pts are part of abstractions/consoles"

Browse source 
This reverts commit 51a33f3f5e.
This commit is contained in:
Jeroen Rijken 2022-08-19 20:05:15 +02:00 committed by Alex
parent 35087ea4bb
commit af603fbc62
59 changed files with 65 additions and 56 deletions
Download patch file Download diff file Expand all files Collapse all files

3
apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin
View file

@ -81,7 +81,6 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
#include <abstractions/audio> #include <abstractions/audio>
#include <abstractions/bash> #include <abstractions/bash>
#include <abstractions/consoles>
#include <abstractions/cups-client> #include <abstractions/cups-client>
#include <abstractions/dbus> #include <abstractions/dbus>
#include <abstractions/dbus-session> #include <abstractions/dbus-session>
@ -152,6 +151,8 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
/usr/bin/kgpg rix, /usr/bin/kgpg rix,
/usr/bin/kleopatra rix, /usr/bin/kleopatra rix,
/dev/tty rw,
/usr/lib{,32,64}/@{multiarch}/gstreamer???/gstreamer-???/gst-plugin-scanner rmPUx, /usr/lib{,32,64}/@{multiarch}/gstreamer???/gstreamer-???/gst-plugin-scanner rmPUx,
owner @{user_cache_dirs}/gstreamer-???/** rw, owner @{user_cache_dirs}/gstreamer-???/** rw,
unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined), #Gstreamer doesn't work without this unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined), #Gstreamer doesn't work without this

3
apparmor.d/groups/apt/apt-mark
View file

@ -10,7 +10,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-mark @{exec_path} = /{usr/,}bin/apt-mark
profile apt-mark @{exec_path} { profile apt-mark @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/apt-common> include <abstractions/apt-common>
@{exec_path} mr, @{exec_path} mr,
@ -26,5 +25,7 @@ profile apt-mark @{exec_path} {
/var/cache/apt/ r, /var/cache/apt/ r,
/var/cache/apt/** rwk, /var/cache/apt/** rwk,
/dev/pts/[0-9]* rw,
include if exists <local/apt-mark> include if exists <local/apt-mark>
} }

4
apparmor.d/groups/bus/dbus-run-session
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/dbus-run-session @{exec_path} = /{usr/,}bin/dbus-run-session
profile dbus-run-session @{exec_path} { profile dbus-run-session @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dconf-write> include <abstractions/dconf-write>
signal (receive) set=(term, kill, hup) peer=gdm*, signal (receive) set=(term, kill, hup) peer=gdm*,
@ -32,6 +31,9 @@ profile dbus-run-session @{exec_path} {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
# file_inherit
/dev/tty rw,
/dev/tty[0-9]* rw,
include if exists <local/dbus-run-session> include if exists <local/dbus-run-session>
} }

1
apparmor.d/groups/freedesktop/fc-cache
View file

@ -10,7 +10,6 @@ include <tunables/global>
@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache{,-32,-v*} @{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache{,-32,-v*}
profile fc-cache @{exec_path} { profile fc-cache @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/fontconfig-cache-write> include <abstractions/fontconfig-cache-write>

1
apparmor.d/groups/freedesktop/plymouth
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/plymouth @{exec_path} = /{usr/,}bin/plymouth
profile plymouth @{exec_path} { profile plymouth @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
unix (send, receive, connect) type=stream peer=(addr="@/org/freedesktop/plymouthd"), unix (send, receive, connect) type=stream peer=(addr="@/org/freedesktop/plymouthd"),

2
apparmor.d/groups/freedesktop/xdg-mime
View file

@ -10,7 +10,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-mime @{exec_path} = /{usr/,}bin/xdg-mime
profile xdg-mime @{exec_path} flags=(attach_disconnected) { profile xdg-mime @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
@{exec_path} r, @{exec_path} r,
@ -48,6 +47,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/platform/**/hwmon/hwmon[0-9]*/fan* r, @{sys}/devices/platform/**/hwmon/hwmon[0-9]*/fan* r,
/dev/dri/card[0-9]* rw, /dev/dri/card[0-9]* rw,
/dev/tty rw,
# When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two # When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two
# following root processes: # following root processes:

1
apparmor.d/groups/freedesktop/xdg-open
View file

@ -50,6 +50,7 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) {
# file_inherit # file_inherit
/dev/dri/card[0-9]* rw, /dev/dri/card[0-9]* rw,
/dev/tty rw,
profile dbus { profile dbus {
include <abstractions/base> include <abstractions/base>

2
apparmor.d/groups/freedesktop/xkbcomp
View file

@ -10,7 +10,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/xkbcomp @{exec_path} = /{usr/,}bin/xkbcomp
profile xkbcomp @{exec_path} flags=(attach_disconnected) { profile xkbcomp @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
unix (send,receive) type=stream addr=none peer=(label=gnome-shell), unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
@ -33,6 +32,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) {
owner /tmp/server-[0-9]*.xkm rwk, owner /tmp/server-[0-9]*.xkm rwk,
/dev/dri/card[0-9]* rw, /dev/dri/card[0-9]* rw,
/dev/tty rw,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,
deny /dev/input/event[0-9]* rw, deny /dev/input/event[0-9]* rw,

2
apparmor.d/groups/freedesktop/xorg
View file

@ -13,7 +13,6 @@ include <tunables/global>
@{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap} @{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap}
profile xorg @{exec_path} flags=(attach_disconnected) { profile xorg @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts> include <abstractions/fonts>
@ -132,6 +131,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
/dev/input/event[0-9]* rw, /dev/input/event[0-9]* rw,
/dev/shm/#[0-9]*[0-9] rw, /dev/shm/#[0-9]*[0-9] rw,
/dev/shm/shmfd-* rw, /dev/shm/shmfd-* rw,
/dev/tty rw,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,
/dev/vga_arbiter rw, # Graphic card modules /dev/vga_arbiter rw, # Graphic card modules

2
apparmor.d/groups/freedesktop/xwayland
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/Xwayland @{exec_path} = /{usr/,}bin/Xwayland
profile xwayland @{exec_path} flags=(attach_disconnected) { profile xwayland @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/mesa> include <abstractions/mesa>
@ -42,6 +41,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pids}/comm r, owner @{PROC}/@{pids}/comm r,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,
/dev/tty rw,
include if exists <local/xwayland> include if exists <local/xwayland>
} }

2
apparmor.d/groups/gnome/gdm-session-worker
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = @{libexec}/gdm-session-worker @{exec_path} = @{libexec}/gdm-session-worker
profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/authentication> include <abstractions/authentication>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
@ -88,6 +87,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
@{PROC}/1/limits r, @{PROC}/1/limits r,
@{PROC}/keys r, @{PROC}/keys r,
/dev/tty rw,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,
include if exists <local/gdm-session-worker> include if exists <local/gdm-session-worker>

1
apparmor.d/groups/gnome/gdm-xsession
View file

@ -43,6 +43,7 @@ profile gdm-xsession @{exec_path} {
/{usr/,}bin/dbus-update-activation-environment mr, /{usr/,}bin/dbus-update-activation-environment mr,
# file_inherit # file_inherit
/dev/tty rw,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
} }

2
apparmor.d/groups/gnome/gjs-console
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/gjs-console @{exec_path} = /{usr/,}bin/gjs-console
profile gjs-console @{exec_path} flags=(attach_disconnected) { profile gjs-console @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/dri-common> include <abstractions/dri-common>
@ -59,6 +58,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,
/dev/ r, /dev/ r,
/dev/tty rw,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,
include if exists <local/gjs-console> include if exists <local/gjs-console>

2
apparmor.d/groups/gnome/gnome-extensions-app
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/gnome-extensions-app @{exec_path} = /{usr/,}bin/gnome-extensions-app
profile gnome-extensions-app @{exec_path} { profile gnome-extensions-app @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr, @{exec_path} mr,
@ -18,6 +17,7 @@ profile gnome-extensions-app @{exec_path} {
/usr/share/terminfo/x/xterm-256color r, /usr/share/terminfo/x/xterm-256color r,
/dev/tty rw,
include if exists <local/gnome-extensions-app> include if exists <local/gnome-extensions-app>
} }

2
apparmor.d/groups/gnome/gnome-session-binary
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = @{libexec}/gnome-session-binary @{exec_path} = @{libexec}/gnome-session-binary
profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
@ -142,6 +141,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cgroup r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
/dev/tty rw,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,
include if exists <usr/gnome-session-binary.d> include if exists <usr/gnome-session-binary.d>

2
apparmor.d/groups/gnome/gsd-xsettings
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-xsettings @{exec_path} = @{libexec}/gsd-xsettings
profile gsd-xsettings @{exec_path} { profile gsd-xsettings @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
@ -71,6 +70,7 @@ profile gsd-xsettings @{exec_path} {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
/dev/tty rw,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,
profile run-parts { profile run-parts {

2
apparmor.d/groups/gnome/nautilus
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/nautilus @{exec_path} = /{usr/,}bin/nautilus
profile nautilus @{exec_path} flags=(attach_disconnected) { profile nautilus @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/app-launcher-user> include <abstractions/app-launcher-user>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
@ -62,6 +61,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pids}/net/wireless r, @{PROC}/@{pids}/net/wireless r,
/dev/tty rw,
/dev/dri/card[0-9]* rw, /dev/dri/card[0-9]* rw,
include if exists <local/nautilus> include if exists <local/nautilus>

2
apparmor.d/groups/network/mullvad-gui
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = "/opt/Mullvad VPN/mullvad-gui" @{exec_path} = "/opt/Mullvad VPN/mullvad-gui"
profile mullvad-gui @{exec_path} { profile mullvad-gui @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/chromium-common> include <abstractions/chromium-common>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/dri-common> include <abstractions/dri-common>
@ -70,6 +69,7 @@ profile mullvad-gui @{exec_path} {
owner @{PROC}/@{pid}/task/@{tid}/status r, owner @{PROC}/@{pid}/task/@{tid}/status r,
owner @{PROC}/@{pid}/uid_map w, owner @{PROC}/@{pid}/uid_map w,
/dev/tty rw,
include if exists <local/mullvad-gui> include if exists <local/mullvad-gui>
} }

2
apparmor.d/groups/network/nm-openvpn-service
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/nm-openvpn-service @{exec_path} = /{usr/,}lib/nm-openvpn-service
profile nm-openvpn-service @{exec_path} { profile nm-openvpn-service @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability kill, capability kill,
@ -28,6 +27,7 @@ profile nm-openvpn-service @{exec_path} {
@{run}/NetworkManager/nm-openvpn-@{uuid} rw, @{run}/NetworkManager/nm-openvpn-@{uuid} rw,
/dev/net/tun rw, /dev/net/tun rw,
/dev/tty rw,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,

2
apparmor.d/groups/network/wg-quick
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/wg-quick @{exec_path} = /{usr/,}bin/wg-quick
profile wg-quick @{exec_path} { profile wg-quick @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability net_admin, capability net_admin,
@ -40,6 +39,7 @@ profile wg-quick @{exec_path} {
@{PROC}/sys/net/ipv4/conf/all/src_valid_mark w, @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w,
/dev/tty rw,
# Force the use as root # Force the use as root
deny /{usr/,}bin/sudo x, deny /{usr/,}bin/sudo x,

2
apparmor.d/groups/pacman/archlinux-java
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/archlinux-java @{exec_path} = /{usr/,}bin/archlinux-java
profile archlinux-java @{exec_path} { profile archlinux-java @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
@ -26,6 +25,7 @@ profile archlinux-java @{exec_path} {
/{usr/,}lib/jvm/default w, /{usr/,}lib/jvm/default w,
/{usr/,}lib/jvm/default-runtime w, /{usr/,}lib/jvm/default-runtime w,
/dev/tty rw,
# Inherit Silencer # Inherit Silencer
deny network inet6 stream, deny network inet6 stream,

2
apparmor.d/groups/pacman/paccache
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/paccache @{exec_path} = /{usr/,}bin/paccache
profile paccache @{exec_path} { profile paccache @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability dac_read_search, capability dac_read_search,
@ -36,6 +35,7 @@ profile paccache @{exec_path} {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
/dev/tty rw,
include if exists <local/paccache> include if exists <local/paccache>
} }

2
apparmor.d/groups/pacman/pacdiff
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/pacdiff @{exec_path} = /{usr/,}bin/pacdiff
profile pacdiff @{exec_path} flags=(attach_disconnected) { profile pacdiff @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
capability mknod, capability mknod,
@ -37,6 +36,7 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) {
/usr/{,**} r, /usr/{,**} r,
/var/{,**} r, /var/{,**} r,
/dev/tty rw,
# Inherit Silencer # Inherit Silencer
deny /apparmor/.null rw, deny /apparmor/.null rw,

2
apparmor.d/groups/pacman/pacman-hook-dconf
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/dconf-update @{exec_path} = /usr/share/libalpm/scripts/dconf-update
profile pacman-hook-dconf @{exec_path} { profile pacman-hook-dconf @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
@ -21,6 +20,7 @@ profile pacman-hook-dconf @{exec_path} {
/etc/dconf/db/{,**} rw, /etc/dconf/db/{,**} rw,
/dev/tty rw,
# Inherit Silencer # Inherit Silencer
deny network inet6 stream, deny network inet6 stream,

2
apparmor.d/groups/pacman/pacman-hook-depmod
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/depmod @{exec_path} = /usr/share/libalpm/scripts/depmod
profile pacman-hook-depmod @{exec_path} { profile pacman-hook-depmod @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
@ -24,6 +23,7 @@ profile pacman-hook-depmod @{exec_path} {
/usr/lib/modules/*/{,**} rw, /usr/lib/modules/*/{,**} rw,
/dev/tty rw,
# Inherit Silencer # Inherit Silencer
deny network inet6 stream, deny network inet6 stream,

2
apparmor.d/groups/pacman/pacman-hook-dkms
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/dkms @{exec_path} = /usr/share/libalpm/scripts/dkms
profile pacman-hook-dkms @{exec_path} { profile pacman-hook-dkms @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
capability mknod, capability mknod,
@ -28,6 +27,7 @@ profile pacman-hook-dkms @{exec_path} {
/etc/dkms/{,*} r, /etc/dkms/{,*} r,
/dev/tty rw,
# Inherit Silencer # Inherit Silencer
deny network inet6 stream, deny network inet6 stream,

2
apparmor.d/groups/pacman/pacman-hook-fontconfig
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/40-fontconfig-config @{exec_path} = /usr/share/libalpm/scripts/40-fontconfig-config
profile pacman-hook-fontconfig @{exec_path} { profile pacman-hook-fontconfig @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
@ -22,6 +21,7 @@ profile pacman-hook-fontconfig @{exec_path} {
/etc/fonts/conf.d/* rwl, /etc/fonts/conf.d/* rwl,
/usr/share/fontconfig/conf.default/* r, /usr/share/fontconfig/conf.default/* r,
/dev/tty rw,
# Inherit Silencer # Inherit Silencer
deny network inet6 stream, deny network inet6 stream,

2
apparmor.d/groups/pacman/pacman-hook-gio
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/gio-querymodules @{exec_path} = /usr/share/libalpm/scripts/gio-querymodules
profile pacman-hook-gio @{exec_path} { profile pacman-hook-gio @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
@ -24,6 +23,7 @@ profile pacman-hook-gio @{exec_path} {
/usr/lib/gio/modules/ rw, /usr/lib/gio/modules/ rw,
/dev/tty rw,
# Inherit Silencer # Inherit Silencer
deny network inet6 stream, deny network inet6 stream,

2
apparmor.d/groups/pacman/pacman-hook-gtk
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/gtk-update-icon-cache @{exec_path} = /usr/share/libalpm/scripts/gtk-update-icon-cache
profile pacman-hook-gtk @{exec_path} { profile pacman-hook-gtk @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
@ -24,6 +23,7 @@ profile pacman-hook-gtk @{exec_path} {
/usr/share/icons/{,**} rw, /usr/share/icons/{,**} rw,
/dev/tty rw,
# Inherit Silencer # Inherit Silencer
deny network inet6 stream, deny network inet6 stream,

2
apparmor.d/groups/pacman/pacman-hook-mkinitcpio-install
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/mkinitcpio-install @{exec_path} = /usr/share/libalpm/scripts/mkinitcpio-install
profile pacman-hook-mkinitcpio-install @{exec_path} flags=(attach_disconnected) { profile pacman-hook-mkinitcpio-install @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
capability mknod, capability mknod,
@ -33,6 +32,7 @@ profile pacman-hook-mkinitcpio-install @{exec_path} flags=(attach_disconnected)
/ r, / r,
owner /boot/vmlinuz-* rw, owner /boot/vmlinuz-* rw,
/dev/tty rw,
# Inherit Silencer # Inherit Silencer
deny network inet6 stream, deny network inet6 stream,

2
apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/mkinitcpio-remove @{exec_path} = /usr/share/libalpm/scripts/mkinitcpio-remove
profile pacman-hook-mkinitcpio-remove @{exec_path} { profile pacman-hook-mkinitcpio-remove @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
capability mknod, capability mknod,
@ -29,6 +28,7 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} {
/boot/initramfs-*.img rw, /boot/initramfs-*.img rw,
/boot/initramfs-*-fallback.img rw, /boot/initramfs-*-fallback.img rw,
/dev/tty rw,
# Inherit Silencer # Inherit Silencer
deny network inet6 stream, deny network inet6 stream,

2
apparmor.d/groups/pacman/pacman-hook-perl
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/detect-old-perl-modules.sh @{exec_path} = /usr/share/libalpm/scripts/detect-old-perl-modules.sh
profile pacman-hook-perl @{exec_path} { profile pacman-hook-perl @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
capability mknod, capability mknod,
@ -24,6 +23,7 @@ profile pacman-hook-perl @{exec_path} {
/{usr/,}lib/perl[0-9]*/{,**} r, /{usr/,}lib/perl[0-9]*/{,**} r,
/dev/tty rw,
# Inherit silencer # Inherit silencer
deny network inet6 stream, deny network inet6 stream,

2
apparmor.d/groups/pacman/pacman-hook-systemd
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/systemd-hook @{exec_path} = /usr/share/libalpm/scripts/systemd-hook
profile pacman-hook-systemd @{exec_path} { profile pacman-hook-systemd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
@ -30,6 +29,7 @@ profile pacman-hook-systemd @{exec_path} {
/usr/ rw, /usr/ rw,
/dev/tty rw,
# Inherit silencer # Inherit silencer
deny network inet6 stream, deny network inet6 stream,

1
apparmor.d/groups/pacman/pacman-key
View file

@ -35,6 +35,7 @@ profile pacman-key @{exec_path} {
/etc/pacman.d/gnupg/gpg.conf r, /etc/pacman.d/gnupg/gpg.conf r,
/dev/tty rw,
profile gpg { profile gpg {
include <abstractions/base> include <abstractions/base>

4
apparmor.d/groups/systemd/systemd-analyze
View file

@ -10,7 +10,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-analyze @{exec_path} = /{usr/,}bin/systemd-analyze
profile systemd-analyze @{exec_path} { profile systemd-analyze @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/systemd-common> include <abstractions/systemd-common>
@ -74,5 +73,8 @@ profile systemd-analyze @{exec_path} {
owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/comm r,
@{PROC}/swaps r, @{PROC}/swaps r,
/dev/tty rw,
/dev/pts/1 rw,
include if exists <local/systemd-analyze> include if exists <local/systemd-analyze>
} }

2
apparmor.d/groups/systemd/systemd-environment-d-generator
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/user-environment-generators/* @{exec_path} = /{usr/,}lib/systemd/user-environment-generators/*
profile systemd-environment-d-generator @{exec_path} { profile systemd-environment-d-generator @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/systemd-common> include <abstractions/systemd-common>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -25,6 +24,7 @@ profile systemd-environment-d-generator @{exec_path} {
owner @{user_config_dirs}/environment.d/{,*.conf} r, owner @{user_config_dirs}/environment.d/{,*.conf} r,
/dev/tty rw,
include if exists <local/systemd-environment-d-generator> include if exists <local/systemd-environment-d-generator>
} }

2
apparmor.d/groups/systemd/systemd-sleep
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-sleep @{exec_path} = /{usr/,}lib/systemd/systemd-sleep
profile systemd-sleep @{exec_path} { profile systemd-sleep @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/systemd-common> include <abstractions/systemd-common>
@ -30,6 +29,7 @@ profile systemd-sleep @{exec_path} {
@{PROC}/driver/nvidia/suspend w, @{PROC}/driver/nvidia/suspend w,
/dev/tty rw,
include if exists <local/systemd-sleep> include if exists <local/systemd-sleep>
} }

2
apparmor.d/groups/virt/k3s
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}{local/,}bin/k3s @{exec_path} = /{usr/,}{local/,}bin/k3s
profile k3s @{exec_path} { profile k3s @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-read> include <abstractions/disks-read>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
@ -168,6 +167,7 @@ profile k3s @{exec_path} {
@{sys}/module/apparmor/parameters/enabled r, @{sys}/module/apparmor/parameters/enabled r,
/dev/kmsg r, /dev/kmsg r,
/dev/pts/[0-9]* rw,
include if exists <local/k3s> include if exists <local/k3s>
} }

2
apparmor.d/profiles-a-f/acpid
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/acpid @{exec_path} = /{usr/,}{s,}bin/acpid
profile acpid @{exec_path} flags=(attach_disconnected) { profile acpid @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability dac_read_search, capability dac_read_search,
@ -34,6 +33,7 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pids}/loginuid r, owner @{PROC}/@{pids}/loginuid r,
/dev/input/{,**} r, /dev/input/{,**} r,
/dev/tty rw,
include if exists <local/acpid> include if exists <local/acpid>
} }

2
apparmor.d/profiles-a-f/apparmor.systemd
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/apparmor/apparmor.systemd @{exec_path} = /{usr/,}lib/apparmor/apparmor.systemd
profile apparmor.systemd @{exec_path} flags=(complain) { profile apparmor.systemd @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability mac_admin, capability mac_admin,
@ -42,6 +41,7 @@ profile apparmor.systemd @{exec_path} flags=(complain) {
@{PROC}/filesystems r, @{PROC}/filesystems r,
@{PROC}/mounts r, @{PROC}/mounts r,
/dev/tty rw,
include if exists <local/apparmor.systemd> include if exists <local/apparmor.systemd>
} }

2
apparmor.d/profiles-a-f/askpass
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/code/extensions/git/dist/askpass.sh @{exec_path} = /{usr/,}lib/code/extensions/git/dist/askpass.sh
profile askpass @{exec_path} { profile askpass @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
@ -26,6 +25,7 @@ profile askpass @{exec_path} {
owner /tmp/tmp.* rw, owner /tmp/tmp.* rw,
/dev/tty rw,
include if exists <local/askpass> include if exists <local/askpass>
} }

2
apparmor.d/profiles-a-f/augenrules
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/augenrules @{exec_path} = /{usr/,}bin/augenrules
profile augenrules @{exec_path} { profile augenrules @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{exec_path} mr, @{exec_path} mr,
@ -20,6 +19,7 @@ profile augenrules @{exec_path} {
owner /tmp/aurules.* rw, owner /tmp/aurules.* rw,
/dev/tty rw,
include if exists <local/augenrules> include if exists <local/augenrules>
} }

2
apparmor.d/profiles-a-f/aurpublish
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /usr/share/aurpublish/*.hook @{exec_path} = /usr/share/aurpublish/*.hook
profile aurpublish @{exec_path} { profile aurpublish @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
signal (receive) peer=git, signal (receive) peer=git,
@ -26,6 +25,7 @@ profile aurpublish @{exec_path} {
owner @{user_projects_dirs}/**/.SRCINFO rw, owner @{user_projects_dirs}/**/.SRCINFO rw,
owner @{user_projects_dirs}/**/PKGBUILD r, owner @{user_projects_dirs}/**/PKGBUILD r,
/dev/tty rw,
include if exists <local/aurpublish> include if exists <local/aurpublish>
} }

2
apparmor.d/profiles-a-f/blueman
View file

@ -10,7 +10,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/blueman-* @{exec_path} = /{usr/,}bin/blueman-*
profile blueman @{exec_path} flags=(attach_disconnected) { profile blueman @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/audio> include <abstractions/audio>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
@ -68,6 +67,7 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
/dev/dri/card[0-9]* rw, /dev/dri/card[0-9]* rw,
/dev/rfkill r, /dev/rfkill r,
/dev/shm/ r, /dev/shm/ r,
/dev/tty rw,
profile open { profile open {
include <abstractions/base> include <abstractions/base>

2
apparmor.d/profiles-a-f/evince
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/evince /{usr/,}lib/evinced @{exec_path} = /{usr/,}bin/evince /{usr/,}lib/evinced
profile evince @{exec_path} { profile evince @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gnome> include <abstractions/gnome>
include <abstractions/openssl> include <abstractions/openssl>
@ -41,6 +40,7 @@ profile evince @{exec_path} {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
/dev/tty rw,
include if exists <local/evince> include if exists <local/evince>
} }

2
apparmor.d/profiles-a-f/firecfg
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/firecfg @{exec_path} = /{usr/,}bin/firecfg
profile firecfg @{exec_path} flags=(attach_disconnected) { profile firecfg @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability dac_read_search, capability dac_read_search,
@ -35,6 +34,7 @@ profile firecfg @{exec_path} flags=(attach_disconnected) {
@{user_share_dirs}/applications/ r, @{user_share_dirs}/applications/ r,
@{user_share_dirs}/applications/*.desktop rw, @{user_share_dirs}/applications/*.desktop rw,
/dev/tty rw,
deny /apparmor/.null rw, deny /apparmor/.null rw,

2
apparmor.d/profiles-a-f/fwupdmgr
View file

@ -10,7 +10,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/fwupdmgr @{exec_path} = /{usr/,}bin/fwupdmgr
profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -66,6 +65,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
/dev/tty rw,
profile dbus { profile dbus {
include <abstractions/base> include <abstractions/base>

3
apparmor.d/profiles-g-l/install-info
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/install-info @{exec_path} = /{usr/,}bin/install-info
profile install-info @{exec_path} { profile install-info @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search, capability dac_read_search,
@ -21,6 +20,8 @@ profile install-info @{exec_path} {
/usr/share/info/{,**} r, /usr/share/info/{,**} r,
/usr/share/info/dir rw, /usr/share/info/dir rw,
/dev/tty rw,
# Inherit silencer # Inherit silencer
deny network inet6 stream, deny network inet6 stream,
deny network inet stream, deny network inet stream,

3
apparmor.d/profiles-m-r/mount-zfs
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/mount.zfs @{exec_path} = /{usr/,}{s,}bin/mount.zfs
profile mount-zfs @{exec_path} flags=(complain) { profile mount-zfs @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability dac_read_search, capability dac_read_search,
@ -17,6 +16,8 @@ profile mount-zfs @{exec_path} flags=(complain) {
@{exec_path} mr, @{exec_path} mr,
/dev/pts/[0-9]* rw,
@{MOUNTDIRS}/ r, @{MOUNTDIRS}/ r,
@{MOUNTS}/ r, @{MOUNTS}/ r,
@{MOUNTS}/*/ r, @{MOUNTS}/*/ r,

2
apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/needrestart/iucode-scan-versions @{exec_path} = /{usr/,}lib/needrestart/iucode-scan-versions
profile needrestart-iucode-scan-versions @{exec_path} { profile needrestart-iucode-scan-versions @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr, @{exec_path} mr,
@ -30,6 +29,7 @@ profile needrestart-iucode-scan-versions @{exec_path} {
@{sys}/devices/system/cpu/cpu[0-9]*/microcode/processor_flags r, @{sys}/devices/system/cpu/cpu[0-9]*/microcode/processor_flags r,
/dev/tty rw,
include if exists <local/needrestart-iucode-scan-versions> include if exists <local/needrestart-iucode-scan-versions>
} }

2
apparmor.d/profiles-m-r/pass
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/pass @{exec_path} = /{usr/,}bin/pass
profile pass @{exec_path} { profile pass @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{exec_path} mr, @{exec_path} mr,
@ -66,6 +65,7 @@ profile pass @{exec_path} {
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
@{PROC}/uptime r, @{PROC}/uptime r,
/dev/tty rw,
profile editor { profile editor {
include <abstractions/base> include <abstractions/base>

2
apparmor.d/profiles-m-r/pkttyagent
View file

@ -10,7 +10,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/pkttyagent @{exec_path} = /{usr/,}bin/pkttyagent
profile pkttyagent @{exec_path} { profile pkttyagent @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -40,6 +39,7 @@ profile pkttyagent @{exec_path} {
owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/stat r,
/dev/tty rw,
include if exists <local/pkttyagent> include if exists <local/pkttyagent>
} }

2
apparmor.d/profiles-m-r/resolvconf
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}sbin/resolvconf @{exec_path} = /{usr/,}sbin/resolvconf
profile resolvconf @{exec_path} { profile resolvconf @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{exec_path} mr, @{exec_path} mr,
@ -34,6 +33,7 @@ profile resolvconf @{exec_path} {
owner @{run}/resolvconf/{,**} rw, owner @{run}/resolvconf/{,**} rw,
owner @{run}/resolvconf/run-lock wk, owner @{run}/resolvconf/run-lock wk,
/dev/tty rw,
include if exists <local/resolvconf> include if exists <local/resolvconf>
} }

2
apparmor.d/profiles-s-z/start-pulseaudio-x11
View file

@ -9,13 +9,13 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/start-pulseaudio-x11 @{exec_path} = /{usr/,}bin/start-pulseaudio-x11
profile start-pulseaudio-x11 @{exec_path} { profile start-pulseaudio-x11 @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/pactl rPx, /{usr/,}bin/pactl rPx,
/dev/tty rw,
include if exists <local/start-pulseaudio-x11> include if exists <local/start-pulseaudio-x11>
} }

2
apparmor.d/profiles-s-z/udisksctl
View file

@ -10,7 +10,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/udisksctl @{exec_path} = /{usr/,}bin/udisksctl
profile udisksctl @{exec_path} { profile udisksctl @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr, @{exec_path} mr,
@ -20,6 +19,7 @@ profile udisksctl @{exec_path} {
/{usr/,}bin/less rPx -> child-pager, /{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager, /{usr/,}bin/more rPx -> child-pager,
/dev/tty rw,
include if exists <local/udisksctl> include if exists <local/udisksctl>
} }

2
apparmor.d/profiles-s-z/update-ca-trust
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/update-ca-trust @{exec_path} = /{usr/,}bin/update-ca-trust
profile update-ca-trust @{exec_path} { profile update-ca-trust @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
capability dac_read_search, capability dac_read_search,
@ -31,6 +30,7 @@ profile update-ca-trust @{exec_path} {
/etc/ssl/certs/{,*} rw, /etc/ssl/certs/{,*} rw,
/etc/ssl/certs/java/cacerts{,.*} w, /etc/ssl/certs/java/cacerts{,.*} w,
/dev/tty rw,
# Inherit silencer # Inherit silencer
deny network inet6 stream, deny network inet6 stream,

2
apparmor.d/profiles-s-z/wl-copy
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/wl-{copy,paste} @{exec_path} = /{usr/,}bin/wl-{copy,paste}
profile wl-copy @{exec_path} { profile wl-copy @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr, @{exec_path} mr,
@ -20,6 +19,7 @@ profile wl-copy @{exec_path} {
owner /tmp/wl-copy-buffer-*/{,**} rw, owner /tmp/wl-copy-buffer-*/{,**} rw,
/dev/tty rw,
include if exists <local/wl-copy> include if exists <local/wl-copy>
} }

2
apparmor.d/profiles-s-z/zpool
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}{local/,}{s,}bin/zpool @{exec_path} = /{usr/,}{local/,}{s,}bin/zpool
profile zpool @{exec_path} { profile zpool @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-read> include <abstractions/disks-read>
capability sys_admin, capability sys_admin,
@ -35,6 +34,7 @@ profile zpool @{exec_path} {
@{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/mounts r,
@{PROC}/sys/kernel/spl/hostid r, @{PROC}/sys/kernel/spl/hostid r,
/dev/pts/[0-9]* rw,
/dev/zfs rw, /dev/zfs rw,
include if exists <local/zpool> include if exists <local/zpool>

2
apparmor.d/profiles-s-z/zsysd
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/zsysd /{usr/,}{s,}bin/zsysctl @{exec_path} = /{usr/,}{s,}bin/zsysd /{usr/,}{s,}bin/zsysctl
profile zsysd @{exec_path} flags=(complain) { profile zsysd @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -43,6 +42,7 @@ profile zsysd @{exec_path} flags=(complain) {
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
/dev/pts/[0-9]* rw,
/dev/zfs rw, /dev/zfs rw,
include if exists <local/zsysd> include if exists <local/zsysd>