Update various profiles
Signed-off-by: Jeroen Rijken <jeroen.rijken@xs4all.nl>
This commit is contained in:
parent
92a1d9f65f
commit
b532dd6827
47 changed files with 459 additions and 26 deletions
@ -18,6 +18,8 @@ profile brave @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/chromium>
|
||||
|
||||
unix (send, receive) type=stream peer=brave-crashpad-handler,
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
@{bin}/man rPUx, # For "brave --help"
|
||||
|
|
@ -25,8 +27,10 @@ profile brave @{exec_path} {
|
|||
/usr/share/chromium/extensions/ r,
|
||||
|
||||
/etc/opt/chrome/ r,
|
||||
/etc/opt/chrome/native-messaging-hosts/* r,
|
||||
|
||||
owner @{user_config_dirs}/BraveSoftware/ rw,
|
||||
owner @{user_config_dirs}/kioslaverc r,
|
||||
owner @{user_config_dirs}/menus/applications-merged/ r,
|
||||
owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r,
|
||||
|
||||
|
|
@ -42,6 +46,7 @@ profile brave @{exec_path} {
|
|||
|
||||
# Silencer
|
||||
deny /etc/opt/chrome/ w,
|
||||
deny /dev/disk/by-uuid/ r,
|
||||
|
||||
include if exists <local/brave>
|
||||
}
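Review bot: The new `unix (send, receive) type=stream peer=brave-crashpad-handler,` rule gives the peer as a bare name, whereas the matching rule added to brave-crashpad-handler in this same commit spells it `peer=(label=brave)`. For unix rules the peer expression is a parenthesised condition list, so this should read `unix (send, receive) type=stream peer=(label=brave-crashpad-handler),`; as written it is likely to be rejected by the parser or never match the handler. The new `/etc/opt/chrome/ r,` together with the existing `deny /etc/opt/chrome/ w,` silencer is consistent and needs no change.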
|
||||
|
|
|
|||
|
|
@ -16,11 +16,15 @@ profile brave-crashpad-handler @{exec_path} {
|
|||
|
||||
capability sys_ptrace,
|
||||
|
||||
unix (send, receive) type=stream peer=(label=brave),
|
||||
|
||||
ptrace peer=brave,
|
||||
signal (send) peer=brave,
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
owner @{user_config_dirs}/BraveSoftware/Brave-Browser/CrashpadMetrics-active.pma rw,
|
||||
owner @{user_config_dirs}/BraveSoftware/Brave-Browser/CrashpadMetrics.pma rw,
|
||||
owner "@{config_dirs}/Crash Reports/**" rwk,
|
||||
|
||||
@{PROC}/sys/kernel/yama/ptrace_scope r,
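Review bot: `ptrace peer=brave,` carries no access list, so it grants every ptrace permission (read, trace, readby, tracedby) on the browser; a crash handler should only need to attach to and read the crashed process, so `ptrace (read, trace) peer=brave,` is the least-privilege form. `capability sys_ptrace,` is a broad grant for a browser helper and, read together with the `@{PROC}/sys/kernel/yama/ptrace_scope r,` line, presumably exists to get past Yama's ptrace restrictions; a one-line comment such as `# Attach to the crashed browser process (Yama ptrace_scope)` above the pair would record why it is held. The rendered page does not show which of these lines are new, so take this as applying to the rule set as it now stands.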
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ profile brave-wrapper @{exec_path} {
|
|||
|
||||
@{lib_dirs}/brave rPx,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ w,
|
||||
owner @{PROC}/@{pid}/fd/@{int} w,
|
||||
|
||||
# Silencer
|
||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||
|
|
|
|||
|
|
@ -51,6 +51,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
@{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rix, # See #74, #80 & #235
|
||||
@{lib}/@{multiarch}/tumbler-1/tumblerd rPUx,
|
||||
@{lib}/@{multiarch}/xfce[0-9]/xfconf/xfconfd rPx,
|
||||
@{lib}/@{multiarch}/libexec/ksmserver-logout-greeter rPx,
|
||||
@{lib}/* rPUx,
|
||||
@{lib}/atril/atrild rPx,
|
||||
@{lib}/dbus-1*/dbus-daemon-launch-helper rPx,
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile plymouth @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/consoles>
|
||||
|
||||
unix (send, receive, connect) type=stream peer=(addr="@/org/freedesktop/plymouthd"),
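Review bot: The new unix rule constrains the peer only by the abstract address `@/org/freedesktop/plymouthd`, and abstract sockets are not filesystem objects: any process in the same network namespace can bind that name, so the rule does not ensure plymouth is actually talking to plymouthd. If plymouthd runs under its own profile, pin the peer by label as well, `peer=(addr="@/org/freedesktop/plymouthd", label=plymouthd),`; if it is not yet confined, a `# TODO: add peer label once plymouthd is confined` comment keeps the gap visible.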
|
||||
|
|
|
|||
|
|
@ -50,11 +50,37 @@ profile pulseaudio @{exec_path} {
|
|||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus receive bus=system path=/Client@{int}/ServiceResolver@{int}
|
||||
interface=org.freedesktop.Avahi.ServiceResolver
|
||||
member=Found
|
||||
peer=(name=:*, label=avahi-daemon),
|
||||
|
||||
dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
|
||||
interface=org.freedesktop.Avahi.ServiceBrowser
|
||||
member=ItemRemove
|
||||
peer=(name=:*, label=avahi-daemon),
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
member=GetManagedObjects
|
||||
peer=(name=org.bluez),
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.DBus.Peer
|
||||
member=Ping
|
||||
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
|
||||
|
||||
dbus send bus=system path=/Client@{int}/ServiceResolver@{int}
|
||||
interface=org.freedesktop.Avahi.ServiceResolver
|
||||
member={Found,Free}
|
||||
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
|
||||
|
||||
# No label in rule
|
||||
dbus send bus=system path=/org/freedesktop/RealtimeKit@{int}
|
||||
interface=org.freedesktop.RealtimeKit@{int}
|
||||
member=MakeThreadHighPriority
|
||||
peer=(name=org.freedesktop.RealtimeKit@{int}),
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
@{lib}/pulse/gsettings-helper rix,
|
||||
|
|
@ -104,6 +130,7 @@ profile pulseaudio @{exec_path} {
|
|||
|
||||
@{sys}/devices/**/sound/**/{uevent,pcm_class} r,
|
||||
@{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
|
||||
@{sys}/devices/virtual/video4linux/video@{int}/uevent r,
|
||||
|
||||
deny @{sys}/module/apparmor/parameters/enabled r,
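Review bot: The `GetManagedObjects` send to `peer=(name=org.bluez)` is the only new dbus rule in this hunk without a peer label, while the Avahi and gnome-shell rules around it all carry one; the NetworkManager hunk in this same commit already labels the bluez service `bluetoothd`. `peer=(name=org.bluez, label=bluetoothd),` would bring it in line, and the `# No label in rule` comment above the RealtimeKit rule already shows the convention for the cases where a label genuinely cannot be given. The `deny @{sys}/module/apparmor/parameters/enabled r,` line is fine; a `# Silencer` comment above it would match the other profiles touched by this commit.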
|
||||
|
||||
|
|
|
|||
|
|
@ -34,6 +34,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||
member=MakeThread*
|
||||
peer=(name=:*),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.NetworkManager
|
||||
member=CheckPermissions
|
||||
peer=(name=:*, label=NetworkManager),
|
||||
|
||||
# dbus: own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/portal/documents
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/xsetroot
|
||||
profile xsetroot @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
capability dac_read_search,
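Review bot: `capability dac_read_search,` lets xsetroot bypass read and search permission checks on every file on the system, a very broad grant for a tool that sets root-window properties, and nothing in the profile records which access triggered it. Before keeping it, check the denial for the path involved: if it is a specific root-owned file (an Xauthority or cursor-theme file, for instance) a targeted file rule is preferable, and if the access is a harmless probe the right fix is `deny capability dac_read_search,` as a silencer. Whichever is chosen, a comment naming the trigger, e.g. `# For <path>: <reason>`, should sit above the rule.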
|
||||
|
||||
|
|
|
|||
|
|
@ -29,6 +29,7 @@ profile dolphin @{exec_path} {
|
|||
@{bin}/ldd rix,
|
||||
@{lib}/kf5/kioslave5 rPx,
|
||||
@{lib}/@{multiarch}/kf5/kioslave5 rPx,
|
||||
@{lib}/@{multiarch}/libexec/kf5/kioslave5 rPx,
|
||||
|
||||
/usr/share/kf5/kmoretools/{,**} r,
|
||||
/usr/share/kio/{,**} r,
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/kcminit
|
||||
profile kcminit @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/kde-strict>
|
||||
|
||||
|
|
|
|||
|
|
@ -121,6 +121,7 @@ profile kded5 @{exec_path} {
|
|||
owner @{user_config_dirs}/libaccounts-glib/ rw,
|
||||
owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
|
||||
owner @{user_config_dirs}/menus/{,**} r,
|
||||
owner @{user_config_dirs}/networkmanagement.notifyrc r,
|
||||
owner @{user_config_dirs}/plasma-nm r,
|
||||
owner @{user_config_dirs}/touchpadrc r,
|
||||
owner @{user_config_dirs}/xsettingsd/{,**} rw,
|
||||
|
|
@ -147,6 +148,7 @@ profile kded5 @{exec_path} {
|
|||
@{PROC}/ r,
|
||||
@{PROC}/@{pids}/cmdline/ r,
|
||||
@{PROC}/@{pids}/fd/ r,
|
||||
@{PROC}/@{pids}/fdinfo/@{int} r,
|
||||
@{PROC}/@{pids}/fd/info/@{int} r,
|
||||
@{PROC}/sys/fs/inotify/max_user_{instances,watches} r,
|
||||
@{PROC}/sys/kernel/core_pattern r,
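Review bot: The second hunk now contains both `@{PROC}/@{pids}/fdinfo/@{int} r,` and `@{PROC}/@{pids}/fd/info/@{int} r,`; procfs has no `fd/info/` directory, so whichever of the two was added looks like a typo for `fdinfo` and the pair should collapse to a single rule. Both are also written over `@{pids}` without `owner`, which lets kded5 read file-descriptor metadata of every process on the system; `owner @{PROC}/@{pid}/fdinfo/@{int} r,` is the narrower form unless cross-user reads are genuinely needed. The neighbouring `@{PROC}/@{pids}/cmdline/ r,` has a trailing slash that matches a directory rather than the cmdline file; it appears to be context here but is worth a look in the same pass.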
|
||||
|
|
|
|||
|
|
@ -22,8 +22,9 @@ profile konsole @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
signal (send) set=(hup),
|
||||
|
||||
@{exec_path} mr,
|
||||
@{bin}/@{shells} rUx,
|
||||
@{exec_path} mr,
|
||||
@{bin}/@{shells} rUx,
|
||||
@{browsers_path} rPx,
|
||||
@{lib}/@{multiarch}/utempter/utempter rPUx,
|
||||
|
||||
/usr/share/color-schemes/{,**} r,
|
||||
|
|
|
|||
|
|
@ -11,6 +11,10 @@ include <tunables/global>
|
|||
@{exec_path} += @{lib}/@{multiarch}/libexec/kscreenlocker_greet
|
||||
profile kscreenlocker-greet @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.freedesktop.login1>
|
||||
include <abstractions/bus/org.freedesktop.login1.Session>
|
||||
include <abstractions/bus/org.freedesktop.UPower>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/graphics>
|
||||
|
|
@ -25,6 +29,13 @@ profile kscreenlocker-greet @{exec_path} {
|
|||
signal (receive) set=(usr1, term) peer=ksmserver,
|
||||
signal (receive) set=(term) peer=kwin_wayland,
|
||||
|
||||
unix (send,receive) type=stream peer=(label="ksmserver",addr=none),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int}
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=sddm),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{lib}/libheif/ r,
|
||||
|
|
@ -57,6 +68,7 @@ profile kscreenlocker-greet @{exec_path} {
|
|||
|
||||
owner @{HOME}/.face.icon r,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
owner @{user_pictures_dirs}/{,**} r,
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
|
|
@ -85,6 +97,7 @@ profile kscreenlocker-greet @{exec_path} {
|
|||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
|
||||
@{PROC}/@{pid}/cmdline r,
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pid}/loginuid r,
|
||||
@{PROC}/@{pid}/mounts r,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
|
|
|||
|
|
@ -9,13 +9,16 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/ksmserver
|
||||
profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/org.freedesktop.login1.Session>
|
||||
include <abstractions/app-launcher-user>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/kde-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
signal (send) set=(usr1,term) peer=kscreenlocker-greet,
|
||||
|
||||
|
||||
unix (send, receive) type=stream peer=(label="kscreenlocker-greet",addr=none),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/rm rix,
|
||||
|
|
@ -32,27 +35,33 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
/usr/share/color-schemes/{,**} r,
|
||||
/usr/share/knotifications5/*.notifyrc r,
|
||||
/usr/share/kservices5/{,**} r,
|
||||
/usr/share/kservicetypes5/{,**} r,
|
||||
|
||||
/etc/xdg/menus/applications-merged/ r,
|
||||
/etc/machine-id r,
|
||||
/etc/xdg/kscreenlockerrc r,
|
||||
/etc/xdg/menus/ r,
|
||||
|
||||
/var/lib/flatpak/exports/share/mime/ r,
|
||||
|
||||
owner @{HOME}/@{rand6} rw,
|
||||
owner @{HOME}/.Xauthority rw,
|
||||
|
||||
owner @{user_cache_dirs}/#@{int} rw,
|
||||
owner @{user_cache_dirs}/fontconfig/*-le64.cache-* r,
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_cache_dirs}/ksycoca5_* rl,
|
||||
owner @{user_cache_dirs}/ksycoca5_* rwlk,
|
||||
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/kscreenlockerrc r,
|
||||
owner @{user_config_dirs}/ksmserverrc r,
|
||||
owner @{user_config_dirs}/ksmserverrc rw,
|
||||
owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl,
|
||||
owner @{user_config_dirs}/ksmserverrc.lock rwk,
|
||||
owner @{user_config_dirs}/menus/ r,
|
||||
|
||||
owner @{user_share_dirs}/kservices5/ r,
|
||||
owner @{user_share_dirs}/kservices5/ServiceMenus/ r,
|
||||
|
||||
owner /tmp/@{rand6} rw,
|
||||
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
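Review bot: `owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl,` and the widened `owner @{user_cache_dirs}/ksycoca5_* rwlk,` grant link permission without a target, so the link destination is bounded only by whatever other write rules the profile happens to hold; the plasmashell section of this same commit writes the equivalent KConfig save pattern with an explicit target, `rwl -> @{user_share_dirs}/#@{int}`. If the denial shows the temp-file target, `owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},` is the tighter rule. `owner @{HOME}/@{rand6} rw,` also permits writing any six-character random name directly under the home directory; if it is pre-existing context leave it, otherwise a comment on what creates that file would help the next reader.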
|
||||
|
|
|
|||
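--- /dev/null
+++ b/apparmor.d/groups/kde/ksmserver-logout-greeter
@@ -0,0 +1,66 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/@{multiarch}/libexec/ksmserver-logout-greeter
+profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) {
+include <abstractions/base>
+include <abstractions/consoles>
+include <abstractions/dri>
+include <abstractions/fontconfig-cache-read>
+include <abstractions/kde-icon-cache-write>
+include <abstractions/kde-strict>
+include <abstractions/mesa>
+include <abstractions/nameservice-strict>
+include <abstractions/qt5-shader-cache>
+include <abstractions/qt5>
+
+@{exec_path} mr,
+
+owner @{HOME}/ r,
+
+/ r,
+/etc/machine-id r,
+/etc/timezone r,
+
+/usr/share/plasma/desktoptheme/** r,
+/usr/share/plasma/look-and-feel/** r,
+/var/lib/AccountsService/icons/ r,
+/var/lib/flatpak/exports/share/icons/{,**} r,
+/var/lib/flatpak/exports/share/mime/generic-icons r,
+
+@{lib}/os-release r,
+
+owner @{user_cache_dirs}/ r,
+owner @{user_cache_dirs}/#@{int} rwlk,
+owner @{user_cache_dirs}/kcrash-metadata/ r,
+owner @{user_cache_dirs}/ksmserver-logout-greeter/qmlcache/{,*} r,
+owner @{user_cache_dirs}/plasma_theme_breeze-dark_v5.114.0.kcache rw,
+owner @{user_cache_dirs}/plasma-svgelements r,
+owner @{user_cache_dirs}/plasma-svgelements.@{rand6} l -> @{user_cache_dirs}/#@{int},
+owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
+
+owner @{user_config_dirs}/ r,
+owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r,
+owner @{user_config_dirs}/kdedefaults/plasmarc r,
+owner @{user_config_dirs}/kscreenlockerrc r,
+owner @{user_config_dirs}/ksmserverrc r,
+owner @{user_config_dirs}/plasmarc r,
+
+owner @{user_share_dirs}/icons/{**,} r,
+owner @{user_share_dirs}/mime/generic-icons r,
+
+owner @{PROC}/@{pid}/exe r,
+owner @{PROC}/@{pid}/status r,
+owner @{run}/user/@{uid}/ r,
+
+@{PROC}/sys/dev/i915/perf_stream_paranoid r,
+@{PROC}/sys/kernel/core_pattern r,
+@{PROC}/sys/kernel/random/boot_id r,
+
+include if exists <local/ksmserver-logout-greeter>
+}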
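Review bot: `owner @{user_cache_dirs}/plasma_theme_breeze-dark_v5.114.0.kcache rw,` in the new ksmserver-logout-greeter profile hard-codes one Plasma theme and one Plasma version, so the rule would silently stop matching after the next Plasma update or for any user on a different theme, and the greeter would start hitting denials on its own theme cache. `owner @{user_cache_dirs}/plasma_theme_*.kcache rw,` covers the file while staying inside the user's own cache directory. The `plasma-svgelements` rules beside it already give the `#@{int}` temp-file link target explicitly, which is the pattern to keep.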
|
|
@ -53,7 +53,7 @@ profile kwin_x11 @{exec_path} {
|
|||
owner @{user_config_dirs}/kxkbrc r,
|
||||
owner @{user_config_dirs}/session/kwin_* rwk,
|
||||
owner @{user_config_dirs}/plasmarc r,
|
||||
|
||||
owner @{user_config_dirs}/session/#@{int} rw,
|
||||
owner /tmp/#@{int} rw,
|
||||
owner /tmp/kwin.@{rand6} rwl,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,8 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/plasma-browser-integration-host
|
||||
profile plasma-browser-integration-host @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/kde-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
@ -19,17 +21,26 @@ profile plasma-browser-integration-host @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/xdg/menus/applications-merged/ r,
|
||||
|
||||
/usr/share/kservices5/{,**} r,
|
||||
|
||||
/etc/xdg/menus/ r,
|
||||
/etc/xdg/taskmanagerrulesrc r,
|
||||
|
||||
owner @{user_cache_dirs}/ksycoca5_* r,
|
||||
/var/lib/flatpak/exports/share/mime/ r,
|
||||
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_cache_dirs}/ksycoca5_* r,
|
||||
|
||||
owner @{user_config_dirs}/menus/ r,
|
||||
|
||||
owner @{user_share_dirs}/kservices5/ r,
|
||||
owner @{user_share_dirs}/kservices5/ServiceMenus/ r,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
|
||||
include if exists <local/plasma-browser-integration-host>
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -13,6 +13,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
include <abstractions/audio>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.freedesktop.NetworkManager>
|
||||
include <abstractions/bus/org.freedesktop.UPower>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/devices-usb>
|
||||
|
|
@ -36,6 +37,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
ptrace (read) peer=akonadi*,
|
||||
ptrace (read) peer=kalendarac,
|
||||
ptrace (read) peer=kded5,
|
||||
ptrace (read) peer=ksmserver-logout-greeter,
|
||||
ptrace (read) peer=kwin_x11,
|
||||
ptrace (read) peer=libreoffice*,
|
||||
ptrace (read) peer=pinentry-qt,
|
||||
|
|
@ -85,6 +87,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
|
||||
@{HOME}/ r,
|
||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
|
||||
owner @{user_pictures_dirs}/{,**} r,
|
||||
|
||||
owner @{user_templates_dirs}/ r,
|
||||
|
||||
|
|
@ -127,6 +130,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
owner @{user_config_dirs}/ksmserverrc r,
|
||||
owner @{user_config_dirs}/kwalletrc r,
|
||||
owner @{user_config_dirs}/menus/{,**} r,
|
||||
owner @{user_config_dirs}/networkmanagement.notifyrc r,
|
||||
owner @{user_config_dirs}/plasma* rwlk,
|
||||
owner @{user_config_dirs}/pulse/ rw,
|
||||
owner @{user_config_dirs}/pulse/cookie rwk,
|
||||
|
|
@ -152,6 +156,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
owner @{user_share_dirs}/user-places.xbel{,*} rwl -> @{user_share_dirs}/#@{int},
|
||||
|
||||
owner /tmp/#@{int} rw,
|
||||
/tmp/.mount_nextcl@{rand6}/{,*} r,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
@{run}/user/@{uid}/gvfs/ r,
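Review bot: `/tmp/.mount_nextcl@{rand6}/{,*} r,` bakes a single application's AppImage mount point into the plasmashell profile and is written without `owner`, so it also matches a mount that another user created under that name in the shared `/tmp`. If, as the name suggests, this is for the Nextcloud client's AppImage icon or desktop file, `owner /tmp/.mount_nextcl@{rand6}/{,*} r,` with a comment `# Nextcloud client AppImage mount` records the reason; otherwise an application-specific path like this belongs in `local/plasmashell` rather than the shipped profile.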
|
||||
|
|
|
|||
|
|
@ -12,6 +12,10 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
include <abstractions/base>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.freedesktop.login1>
|
||||
include <abstractions/bus/org.freedesktop.UPower>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/kde-strict>
|
||||
|
|
@ -42,6 +46,21 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
signal (send) set=(term) peer=sddm-greeter,
|
||||
signal (send) set=(kill, term) peer=xorg,
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int}
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=kscreenlocker-greet),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged
|
||||
peer=(name=:*, label=systemd-logind),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int}
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=org.freedesktop.DBus, label=kscreenlocker-greet),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{lib}/@{multiarch}/sddm/sddm-helper rix,
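Review bot: The third new dbus rule, `dbus send ... member=Introspect peer=(name=org.freedesktop.DBus, label=kscreenlocker-greet),` has sddm sending an Introspect call to the lock-screen greeter, which does not fit: sddm is the side serving `/org/freedesktop/DisplayManager/Seat@{int}`, as the `dbus receive` rule directly above it shows. This looks like a rule generated from the audit line for the method reply; replies to a call already permitted by a receive rule do not normally need their own send rule, so confirm against the log and drop it if so. If it must stay, the destination should be the greeter's unique name, `peer=(name=:*, label=kscreenlocker-greet)`, not the bus driver `org.freedesktop.DBus`.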
|
||||
|
|
|
|||
|
|
@ -10,6 +10,10 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/sddm-greeter
|
||||
profile sddm-greeter @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.freedesktop.login1>
|
||||
include <abstractions/bus/org.freedesktop.UPower>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/kde-strict>
|
||||
|
|
@ -60,6 +64,7 @@ profile sddm-greeter @{exec_path} {
|
|||
owner @{HOME}/.glvnd* mrw,
|
||||
|
||||
owner /tmp/runtime-sddm/ rw,
|
||||
owner /tmp/sddm-:@{int}-@{rand6} rw,
|
||||
|
||||
owner @{run}/sddm/{,*} rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -50,6 +50,26 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
|
|||
member=GetManagedObjects
|
||||
peer=(name=:*),
|
||||
|
||||
dbus receive bus=system path=/
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
member=InterfacesRemoved
|
||||
peer=(name=:*, label=bluetoothd),
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
member=GetManagedObjects
|
||||
peer=(name=:*, label=bluetoothd),
|
||||
|
||||
dbus send bus=system path=/org/fedoraproject/FirewallD1
|
||||
interface=org.fedoraproject.FirewallD1.zone
|
||||
member={changeZoneOfInterface,removeInterface}
|
||||
peer=(name=org.freedesktop.DBus, label=firewalld),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
member=InterfacesAdded
|
||||
peer=(name=org.freedesktop.DBus, label=nm-online),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/nm_dispatcher
|
||||
interface=org.freedesktop.nm_dispatcher
|
||||
member=Action
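Review bot: The FirewallD rule sends `changeZoneOfInterface`/`removeInterface` with `peer=(name=org.freedesktop.DBus, label=firewalld)`, but `org.freedesktop.DBus` is the bus driver, not firewalld; a method call on the zone interface is addressed to `org.fedoraproject.FirewallD1`, so `peer=(name=org.fedoraproject.FirewallD1, label=firewalld),` is the destination that matches the call itself. The same `org.freedesktop.DBus` peer may be what the log reports for the broadcast `InterfacesAdded` signal below it, where it is plausible; for a rule lifted from the audit line of a method reply it can simply be dropped. The final `nm_dispatcher Action` rule continues past the end of the hunk, so its peer clause could not be reviewed.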
|
||||
|
|
|
|||
|
|
@ -26,11 +26,13 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{sh_path} rix,
|
||||
@{bin}/basename rix,
|
||||
@{bin}/cat rix,
|
||||
@{bin}/chronyc rPUx,
|
||||
@{bin}/date rix,
|
||||
@{bin}/gawk rix,
|
||||
@{bin}/grep rix,
|
||||
@{bin}/id rix,
|
||||
@{bin}/invoke-rc.d rCx -> invoke-rc,
|
||||
@{bin}/mkdir rix,
|
||||
@{bin}/mktemp rix,
|
||||
@{bin}/netconfig rPUx,
|
||||
|
|
@ -39,7 +41,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/rm rix,
|
||||
@{bin}/run-parts rCx -> run-parts,
|
||||
@{bin}/sed rix,
|
||||
@{bin}/systemctl rix,
|
||||
@{bin}/systemctl rCx -> systemctl,
|
||||
@{bin}/systemd-cat rPx,
|
||||
@{bin}/tr rix,
|
||||
/usr/share/tlp/tlp-readconfs rPUx,
|
||||
|
|
@ -48,6 +50,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
|
|||
@{lib}/NetworkManager/dispatcher.d/** rix,
|
||||
/etc/NetworkManager/dispatcher.d/ r,
|
||||
/etc/NetworkManager/dispatcher.d/** rix,
|
||||
/etc/dhcp/dhclient-exit-hooks.d/ntp r,
|
||||
|
||||
/usr/share/tlp/{,**} rw,
|
||||
|
||||
|
|
@ -57,6 +60,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/systemd/notify rw,
|
||||
@{run}/tlp/{,*} rw,
|
||||
@{run}/chrony-dhcp/ rw,
|
||||
@{run}/ntp.conf.dhcp rw,
|
||||
|
||||
@{sys}/class/net/ r,
|
||||
|
||||
|
|
@ -64,6 +68,45 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/dev/tty rw,
|
||||
|
||||
profile systemctl {
|
||||
include <abstractions/base>
|
||||
include <abstractions/systemd-common>
|
||||
|
||||
@{bin}/systemctl mr,
|
||||
|
||||
/ r,
|
||||
|
||||
@{etc_ro}/ r,
|
||||
@{etc_ro}/systemd/ r,
|
||||
@{etc_ro}/systemd/system/ r,
|
||||
@{etc_ro}/systemd/system/ntp.service r,
|
||||
|
||||
owner @{run}/systemd/private rw,
|
||||
@{run}/utmp k,
|
||||
|
||||
/dev r,
|
||||
|
||||
include if exists <local/nm-dispatcher_systemctl>
|
||||
}
|
||||
|
||||
profile invoke-rc {
|
||||
include <abstractions/base>
|
||||
|
||||
@{sh_path} rix,
|
||||
@{bin}/ls rix,
|
||||
@{bin}/systemctl rCx -> systemctl,
|
||||
|
||||
/ r,
|
||||
|
||||
/etc/ r,
|
||||
@{etc_ro}/rc{[0-9],S}.d/{,*} r,
|
||||
@{etc_ro}/init.d/ntp r,
|
||||
|
||||
owner @{PROC}/filesystems r,
|
||||
|
||||
include if exists <local/nm-dispatcher_invoke-rc>
|
||||
}
|
||||
|
||||
profile run-parts {
|
||||
include <abstractions/base>
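Review bot: Inside the new `profile invoke-rc` child, `@{bin}/systemctl rCx -> systemctl,` asks for a child of the current profile, which would be `nm-dispatcher//invoke-rc//systemctl`; the `systemctl` child defined just above it is a sibling at `nm-dispatcher//systemctl`, so unless the parser resolves the name against the top-level profile this transition has no target. `@{bin}/systemctl rPx -> nm-dispatcher//systemctl,` names the existing child explicitly; a syntax/resolution check with `apparmor_parser -Q` on the file would confirm either way. Separately, the `systemctl` child's `owner @{run}/systemd/private rw,` is full access to systemd's private control socket, i.e. starting and stopping arbitrary units, which is inherent to running systemctl but deserves a comment such as `# Restart ntp after DHCP updates` tying it to the `ntp.service` read beneath it. The `run-parts` child continues past the end of the hunk and was not reviewed.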
|
||||
|
||||
|
|
|
|||
|
|
@ -178,6 +178,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/udev/data/c21:@{int} r, # Generic SCSI access
|
||||
@{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*
|
||||
@{run}/udev/data/c81:@{int} r, # For video4linux
|
||||
@{run}/udev/data/c89:@{int} r, # ?
|
||||
@{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash
|
||||
@{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport*
|
||||
@{run}/udev/data/c108:@{int} r, # For /dev/ppp
|
||||
|
|
|
|||