Merge branch 'roddhjav:main' into main

This commit is contained in:
Besanon 2024-07-21 15:55:35 +02:00 committed by GitHub
commit b809e43b0a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
35 changed files with 145 additions and 74 deletions


@ -50,6 +50,9 @@
@{bin}/vlc rPUx, @{bin}/vlc rPUx,
@{bin}/xbrlapi rPx, @{bin}/xbrlapi rPx,
#aa:only opensuse
@{lib}/YaST2/** rPUx,
include if exists <abstractions/app-open.d> include if exists <abstractions/app-open.d>


@ -100,6 +100,12 @@
owner @{tmp}/tmpaddon r, owner @{tmp}/tmpaddon r,
owner @{tmp}/tmpaddon-@{int} r, owner @{tmp}/tmpaddon-@{int} r,
owner /dev/shm/org.chromium.@{rand6} rw,
owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,
@{run}/mount/utab r, @{run}/mount/utab r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@ -144,9 +150,6 @@
/dev/hidraw@{int} rw, /dev/hidraw@{int} rw,
/dev/tty rw, /dev/tty rw,
/dev/video@{int} rw, /dev/video@{int} rw,
owner /dev/shm/org.chromium.* rw,
owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
owner /dev/tty@{int} rw, # File Inherit owner /dev/tty@{int} rw, # File Inherit
# Silencer # Silencer


@ -13,8 +13,6 @@
@{system_share_dirs}/ r, @{system_share_dirs}/ r,
@{system_share_dirs}/mime/ r, @{system_share_dirs}/mime/ r,
/usr/share/mime/ r,
/etc/gnome/defaults.list r, /etc/gnome/defaults.list r,
/etc/xfce4/defaults.list r, /etc/xfce4/defaults.list r,


@ -54,6 +54,8 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r, owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r,
owner @{PROC}/@{pid}/cmdline r,
/dev/dri/card@{int} rw, /dev/dri/card@{int} rw,
/dev/dri/renderD128 rw, /dev/dri/renderD128 rw,


@ -40,6 +40,7 @@ profile dbus-session flags=(attach_disconnected) {
@{bin}/** PUx, @{bin}/** PUx,
@{lib}/** PUx, @{lib}/** PUx,
@{user_share_dirs}/*/** PUx,
/usr/share/*/** PUx, /usr/share/*/** PUx,
/etc/dbus-1/{,**} r, /etc/dbus-1/{,**} r,
@ -53,6 +54,8 @@ profile dbus-session flags=(attach_disconnected) {
owner @{HOME}/.var/app/*/**/.ref rw, owner @{HOME}/.var/app/*/**/.ref rw,
owner @{HOME}/.var/app/*/**/logs/* rw, owner @{HOME}/.var/app/*/**/logs/* rw,
owner @{user_share_dirs}/dbus-1/services/{,**} r,
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,
owner @{run}/user/@{uid}/dbus-1/ rw, owner @{run}/user/@{uid}/dbus-1/ rw,
owner @{run}/user/@{uid}/dbus-1/services/ rw, owner @{run}/user/@{uid}/dbus-1/services/ rw,
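Review bot: The new `@{user_share_dirs}/*/** PUx,` lets the session bus execute any file under a user-writable tree and, where no profile matches, run it unconfined, which is an escape from the dbus-session profile for anything a user process can drop under ~/.local/share. It is also far broader than the activation directory the other added line reads (`owner @{user_share_dirs}/dbus-1/services/{,**} r,`). If the purpose is launching user D-Bus-activated services whose Exec= lives there, say so next to the rule, e.g. `# user D-Bus activation targets under ~/.local/share; Ux fallback is deliberate`, and prefer `rPx` for the targets that already have profiles. The dbus-session profile body continues outside the hunk.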


@ -42,6 +42,7 @@ profile plymouthd @{exec_path} {
/etc/vconsole.conf r, /etc/vconsole.conf r,
/var/lib/plymouth/{,**} rw, /var/lib/plymouth/{,**} rw,
/var/log/plymouth-*.log w,
@{run}/plymouth/{,**} rw, @{run}/plymouth/{,**} rw,


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /etc/gdm{3,}/{Init,Prime}/Default
profile gdm-defaut @{exec_path} flags=(complain) {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/gdm-prime-defaut>
}
# vim:syntax=apparmor
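Review bot: The profile name `gdm-defaut` and its local include `<local/gdm-prime-defaut>` disagree with each other, and both look like misspellings of "default"; everywhere else in this commit the local override is named after the profile (`local/hyprpicker`, `local/nvidia-smi`, `local/su`, `local/w3m`), so a drop-in for this profile would never be picked up. I'd write `profile gdm-default @{exec_path} flags=(complain) {` and `include if exists <local/gdm-default>`. The exec path matches shell scripts (`/etc/gdm{3,}/{Init,Prime}/Default`) yet the body grants only `abstractions/base` and `@{exec_path} mr`, so the interpreter and the script's reads will surface as complain-mode denials; if that is the plan, a `# TODO: populate from audit logs` comment makes the intent explicit.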


@ -34,21 +34,14 @@ profile gdm-session @{exec_path} {
# only: xorg # only: xorg
@{bin}/Xorg rPx, @{bin}/Xorg rPx,
/etc/gdm{3,}/Prime/Default rix, /etc/gdm{3,}/Prime/Default rPx,
/etc/gdm{3,}/Xsession rPx, /etc/gdm{3,}/Xsession rPx,
/usr/share/gdm{3,}/gdm.schemas r, /usr/share/gdm{3,}/gdm.schemas r,
/etc/default/locale r,
/etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/custom.conf r,
/etc/gdm{3,}/daemon.conf r, /etc/gdm{3,}/daemon.conf r,
/etc/locale.conf r,
/etc/sysconfig/console r,
/etc/sysconfig/displaymanager r, /etc/sysconfig/displaymanager r,
/etc/sysconfig/language r,
/etc/sysconfig/mail r,
/etc/sysconfig/proxy r,
/etc/sysconfig/windowmanager r,
owner @{gdm_cache_dirs}/gdm/ rw, owner @{gdm_cache_dirs}/gdm/ rw,
owner @{gdm_cache_dirs}/gdm/Xauthority rw, owner @{gdm_cache_dirs}/gdm/Xauthority rw,
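Review bot: Switching `/etc/gdm{3,}/Prime/Default` from `rix` to `rPx` moves that script into its own profile, and the same hunk drops the reads the script presumably used while it ran inline (`/etc/default/locale`, `/etc/locale.conf`, `/etc/sysconfig/{console,language,mail,proxy,windowmanager}`). Nothing in this commit adds them to the target profile, so if the script does read them they will now be denied, or only logged while the target is in complain mode. If they were moved somewhere not visible here, a one-line comment next to the `rPx` naming where the script's rules now live would save the next reader the search. The gdm-session profile body continues outside the hunk.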


@ -37,9 +37,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon), unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon),
dbus bus=session,
dbus bus=system,
#aa:dbus own bus=session name=org.gnome.Settings #aa:dbus own bus=session name=org.gnome.Settings
#aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell
@ -68,7 +65,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
@{bin}/pkexec rCx -> pkexec, @{bin}/pkexec rCx -> pkexec,
@{bin}/software-properties-gtk rPx, @{bin}/software-properties-gtk rPx,
@{bin}/usermod rPx, @{bin}/usermod rPx,
@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rPx, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
@{lib}/cups/backend/snmp rPx, @{lib}/cups/backend/snmp rPx,
@{lib}/gnome-control-center-goa-helper rPx, @{lib}/gnome-control-center-goa-helper rPx,
@{lib}/gnome-control-center-print-renderer rPx, @{lib}/gnome-control-center-print-renderer rPx,
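Review bot: Changing `WebKitNetworkProcess` from `rPx` to `rix` runs WebKit's network-facing process inside the gnome-control-center profile instead of its own, so a bug in that process now reaches everything this profile grants, including `@{bin}/pkexec rCx -> pkexec` and `@{bin}/usermod rPx` visible in the same hunk. If the dedicated WebKit profile was the obstacle, a child profile keeps the boundary without a separate file: `@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rCx -> webkit-network,` with the child defined inside this profile. Removing the bare `dbus bus=session,` / `dbus bus=system,` rules is a welcome tightening. The profile body continues outside the hunk.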


@ -6,7 +6,10 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,app/}ding.js @{share_dirs} = /usr/share/gnome-shell/extensions/ding@rastersoft.com
@{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/ding@rastersoft.com
@{exec_path} = @{share_dirs}/{,app/}ding.js
profile gnome-extension-ding @{exec_path} { profile gnome-extension-ding @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio-client> include <abstractions/audio-client>
@ -57,7 +60,7 @@ profile gnome-extension-ding @{exec_path} {
@{bin}/gnome-control-center rPx, @{bin}/gnome-control-center rPx,
@{bin}/nautilus rPx, @{bin}/nautilus rPx,
/usr/share/gnome-shell/extensions/ding@rastersoft.com/{,app/}* r, @{share_dirs}/{,**} r,
/usr/share/thumbnailers/{,*.thumbnailer} r, /usr/share/thumbnailers/{,*.thumbnailer} r,
owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r, owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r,


@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{share_dirs} = /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/ @{share_dirs} = /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io
@{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/ @{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io
@{exec_path} = @{share_dirs}/service/daemon.js @{exec_path} = @{share_dirs}/service/daemon.js
profile gnome-extension-gsconnect @{exec_path} { profile gnome-extension-gsconnect @{exec_path} {
@ -17,9 +17,7 @@ profile gnome-extension-gsconnect @{exec_path} {
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/fonts> include <abstractions/gnome-strict>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/p11-kit> include <abstractions/p11-kit>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
@ -32,10 +30,10 @@ profile gnome-extension-gsconnect @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix,
@{bin}/env rix, @{bin}/env rix,
@{bin}/gjs-console rix, @{bin}/gjs-console rix,
@{bin}/openssl rix, @{bin}/openssl rix,
@{sh_path} rix,
@{bin}/ssh-add rix, @{bin}/ssh-add rix,
@{bin}/ssh-keygen rPx, @{bin}/ssh-keygen rPx,
@ -49,18 +47,12 @@ profile gnome-extension-gsconnect @{exec_path} {
@{share_dirs}/{,**} r, @{share_dirs}/{,**} r,
@{share_dirs}/gsconnect-preferences rix, @{share_dirs}/gsconnect-preferences rix,
/etc/machine-id r,
owner @{user_cache_dirs}/gsconnect/{,**} rw, owner @{user_cache_dirs}/gsconnect/{,**} rw,
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/gsconnect/{,**} rw, owner @{user_config_dirs}/gsconnect/{,**} rw,
owner @{user_config_dirs}/mimeapps.list w, owner @{user_config_dirs}/mimeapps.list w,
owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, owner @{user_config_dirs}/mimeapps.list.@{rand6} rw,
owner @{user_share_dirs}/ r,
owner @{run}/user/@{uid}/gsconnect/ w, owner @{run}/user/@{uid}/gsconnect/ w,
@{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/dmi/id/chassis_type r,


@ -38,6 +38,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
@{bin}/ssh-add rix, @{bin}/ssh-add rix,
@{bin}/ssh-agent rPx, @{bin}/ssh-agent rPx,
@{lib}/gcr-ssh-askpass rPUx,
/etc/gcrypt/hwf.deny r, /etc/gcrypt/hwf.deny r,


@ -51,10 +51,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix, @{sh_path} rix,
@{bin}/dbus-daemon rPx -> dbus-session, @{bin}/tput rix,
@{bin}/env rix,
@{bin}/gnome-session rPx,
@{bin}/gnome-shell rPx,
@{bin}/session-migration rPx, @{bin}/session-migration rPx,
@{lib}/gnome-session-check-accelerated rix, @{lib}/gnome-session-check-accelerated rix,


@ -188,7 +188,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{lib}/gio-launch-desktop rCx -> open, @{lib}/gio-launch-desktop rCx -> open,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
/usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx, @{user_share_dirs}/gnome-shell/extensions/*/** rPUx,
/usr/share/gnome-shell/extensions/*/** rPUx,
/opt/**/share/icons/{,**} r, /opt/**/share/icons/{,**} r,
/opt/*/**/*.png r, /opt/*/**/*.png r,
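Review bot: `@{user_share_dirs}/gnome-shell/extensions/*/** rPUx,` lets gnome-shell execute any file under a user-writable directory and fall back to unconfined when no profile matches, whereas the line it replaces transitioned one known script with `rPx`, which denies when no profile exists. Extensions installed per-user land exactly in that tree, so any file an extension (or anything else writing to ~/.local/share) drops there now escapes gnome-shell's confinement entirely. Consider keeping the `Ux` fallback only for the system tree and using `@{user_share_dirs}/gnome-shell/extensions/*/** rPx,` for the user tree, adding profiles for the extensions that need them, as this commit already does for ding and gsconnect. The gnome-shell profile body continues outside the hunk.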


@ -78,6 +78,7 @@ profile gnome-software @{exec_path} {
owner @{user_cache_dirs}/flatpak/{,**} rwl, owner @{user_cache_dirs}/flatpak/{,**} rwl,
owner @{user_cache_dirs}/gnome-software/{,**} rw, owner @{user_cache_dirs}/gnome-software/{,**} rw,
owner @{user_config_dirs}/flatpak/{,**} r,
owner @{user_config_dirs}/pulse/*.conf r, owner @{user_config_dirs}/pulse/*.conf r,
owner @{user_share_dirs}/ r, owner @{user_share_dirs}/ r,


@ -12,6 +12,7 @@ profile gnome-tweaks @{exec_path} {
include <abstractions/audio-client> include <abstractions/audio-client>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gnome-strict> include <abstractions/gnome-strict>
include <abstractions/graphics>
include <abstractions/python> include <abstractions/python>
include <abstractions/thumbnails-cache-read> include <abstractions/thumbnails-cache-read>
@ -38,6 +39,9 @@ profile gnome-tweaks @{exec_path} {
owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r, owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r,
owner @{user_share_dirs}/recently-used.xbel* rw, owner @{user_share_dirs}/recently-used.xbel* rw,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,


@ -65,6 +65,8 @@ profile gpg @{exec_path} {
owner /tmp/@{int}@{int} rw, owner /tmp/@{int}@{int} rw,
owner @{run}/user/@{uid}/gnupg/d.*/ rw,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat rw, owner @{PROC}/@{pid}/task/@{tid}/stat rw,


@ -32,6 +32,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
@{bin}/find rix, @{bin}/find rix,
@{bin}/findmnt rPx, @{bin}/findmnt rPx,
@{bin}/gettext rix, @{bin}/gettext rix,
@{bin}/grub-editenv rPx,
@{bin}/grub-mkrelpath rPx, @{bin}/grub-mkrelpath rPx,
@{bin}/grub-probe rPx, @{bin}/grub-probe rPx,
@{bin}/grub-script-check rPx, @{bin}/grub-script-check rPx,
@ -60,6 +61,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
@{bin}/zpool rPx, @{bin}/zpool rPx,
/etc/grub.d/{,**} rix, /etc/grub.d/{,**} rix,
@{lib}/grub-customizer/* rix,
@{lib}/grub/grub-sort-version rPx, @{lib}/grub/grub-sort-version rPx,
@{lib}/libostree/grub[0-9]-@{int}_ostree rix, @{lib}/libostree/grub[0-9]-@{int}_ostree rix,
@ -81,7 +83,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
/boot/{,**} r, /boot/{,**} r,
/boot/grub/{,**} rw, /boot/grub/{,**} rw,
# owner /tmp/** rw, /tmp/grub-*.@{rand10}/{,**} rw,
@{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
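Review bot: The new `/tmp/grub-*.@{rand10}/{,**} rw,` drops the `owner` qualifier that the commented-out rule it replaces carried, so grub-mkconfig, running as root, may read and write a /tmp path it did not create; a predictable `grub-` prefix in a world-writable directory is the usual place for a pre-created directory, and `owner` costs nothing for a mktemp-created one. I'd write `owner /tmp/grub-*.@{rand10}/{,**} rw,`. Separately, `@{lib}/grub-customizer/* rix,` runs third-party helper scripts with grub-mkconfig's full rights; a short comment on why they need inheritance rather than `rPx` would help. The profile body continues outside the hunk.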


@ -13,6 +13,7 @@ profile grub-probe @{exec_path} {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/disks-read> include <abstractions/disks-read>
capability dac_read_search,
capability sys_admin, capability sys_admin,
@{exec_path} mr, @{exec_path} mr,
@ -36,6 +37,7 @@ profile grub-probe @{exec_path} {
/dev/bus/ r, /dev/bus/ r,
/dev/bus/usb/ r, /dev/bus/usb/ r,
/dev/bus/usb/@{int}/ r, /dev/bus/usb/@{int}/ r,
/dev/char/ r,
/dev/cpu/ r, /dev/cpu/ r,
/dev/cpu/@{int}/ r, /dev/cpu/@{int}/ r,
/dev/dma_heap/ r, /dev/dma_heap/ r,


@ -16,6 +16,9 @@ profile hyprpicker @{exec_path} {
/usr/share/icons/** r, /usr/share/icons/** r,
owner @{run}/user/@{uid}/.hyprpicker* rw, owner @{run}/user/@{uid}/.hyprpicker* rw,
owner /dev/shm/wlroots-@{rand6} r,
owner /dev/tty@{int} rw,
include if exists <local/hyprpicker> include if exists <local/hyprpicker>
} }


@ -27,12 +27,11 @@ profile ssh @{exec_path} {
@{bin}/{c,k,tc,z}sh rix, @{bin}/{c,k,tc,z}sh rix,
@{etc_ro}/ssh/ssh_config r, @{etc_ro}/ssh/ssh_config r,
@{etc_ro}/ssh/ssh_config.d/{,*} r,
@{etc_ro}/ssh/sshd_config r, @{etc_ro}/ssh/sshd_config r,
@{etc_ro}/ssh/sshd_config.d/{,*} r, @{etc_ro}/ssh/sshd_config.d/{,*} r,
/etc/machine-id r, /etc/machine-id r,
/etc/ssh/ssh_config r,
/etc/ssh/ssh_config.d/{,*} r,
owner @{HOME}/@{XDG_SSH_DIR}/ r, owner @{HOME}/@{XDG_SSH_DIR}/ r,
owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r, owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r,
owner @{HOME}/@{XDG_SSH_DIR}/config r, owner @{HOME}/@{XDG_SSH_DIR}/config r,


@ -79,7 +79,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+hid:* r, @{run}/udev/data/+hid:* r,
@{run}/udev/data/+i2c:* r, @{run}/udev/data/+i2c:* r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+leds:* r,
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+wakeup:* r,
@{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c1:@{int} r, # For RAM disk
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
@{run}/udev/data/c13:@{int} r, # For /dev/input/* @{run}/udev/data/c13:@{int} r, # For /dev/input/*


@ -30,7 +30,7 @@ profile agetty @{exec_path} {
/{etc,run,lib,usr/lib}/issue.d/{,*} r, /{etc,run,lib,usr/lib}/issue.d/{,*} r,
/etc/inittab r, /etc/inittab r,
/etc/login.defs r, /etc/login.defs r,
/etc/login.defs.d/ r, /etc/login.defs.d/{,*} r,
/etc/os-release r, /etc/os-release r,
/usr/etc/login.defs r, /usr/etc/login.defs r,


@ -25,6 +25,7 @@ profile file-roller @{exec_path} {
# Archivers # Archivers
@{bin}/7z rix, @{bin}/7z rix,
@{bin}/7zz rix,
@{bin}/ar rix, @{bin}/ar rix,
@{bin}/bzip2 rix, @{bin}/bzip2 rix,
@{bin}/cpio rix, @{bin}/cpio rix,


@ -7,38 +7,26 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/firewalld @{exec_path} = @{bin}/firewalld
profile firewalld @{exec_path} { profile firewalld @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/kmod>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.PolicyKit1>
include <abstractions/bus/org.freedesktop.NetworkManager> include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/bus/org.freedesktop.PolicyKit1>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability dac_read_search,
capability mknod, capability mknod,
capability net_admin, capability net_admin,
capability net_raw, capability net_raw,
capability setpcap, capability setpcap,
capability sys_module,
network inet raw, network inet raw,
network inet6 raw, network inet6 raw,
network netlink raw, network netlink raw,
dbus receive bus=system path=/org/fedoraproject/FirewallD1
interface=org.fedoraproject.FirewallD1.direct
member=passthrough
peer=(name=:*, label=libvirtd),
dbus receive bus=system path=/org/fedoraproject/FirewallD1
interface=org.fedoraproject.FirewallD1.zone
member={changeZoneOfInterface,getZones}
peer=(name=:*, label=libvirtd),
dbus receive bus=system path=/org/fedoraproject/FirewallD1
interface=org.fedoraproject.FirewallD1.zone
member={changeZoneOfInterface,removeInterface}
peer=(name=:*, label=libvirtd),
#aa:dbus own bus=system name=org.fedoraproject.FirewallD1 #aa:dbus own bus=system name=org.fedoraproject.FirewallD1
@{exec_path} mr, @{exec_path} mr,
@ -49,11 +37,12 @@ profile firewalld @{exec_path} {
@{bin}/ebtables-legacy-restore rix, @{bin}/ebtables-legacy-restore rix,
@{bin}/false rix, @{bin}/false rix,
@{bin}/ipset rix, @{bin}/ipset rix,
@{bin}/kmod rPx, @{bin}/kmod rix,
@{bin}/modprobe rix,
@{bin}/xtables-legacy-multi rix, @{bin}/xtables-legacy-multi rix,
@{bin}/xtables-nft-multi rix, @{bin}/xtables-nft-multi rix,
/usr/local/lib/python3.10/dist-packages/ r, /usr/local/lib/python3.@{int}/dist-packages/ r,
/usr/share/libalternatives/ r, /usr/share/libalternatives/ r,
/usr/share/libalternatives/ebtables*/{,*} r, /usr/share/libalternatives/ebtables*/{,*} r,
@ -68,8 +57,12 @@ profile firewalld @{exec_path} {
/var/log/firewalld rw, /var/log/firewalld rw,
@{run}/firewalld/{,*} rw, @{run}/firewalld/{,*} rw,
@{run}/modprobe.d/{,*.conf} r,
@{run}/xtables.lock rwk, @{run}/xtables.lock rwk,
@{sys}/module/compression r,
@{sys}/module/*/initstate r,
@{PROC}/sys/kernel/modprobe r, @{PROC}/sys/kernel/modprobe r,
@{PROC}/sys/net/ipv{4,6}/ip_forward rw, @{PROC}/sys/net/ipv{4,6}/ip_forward rw,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
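Review bot: Replacing `@{bin}/kmod rPx` with `rix` (together with `@{bin}/modprobe rix,` and `capability sys_module,`) means the firewalld daemon itself may load any kernel module instead of delegating to the confined kmod profile; firewalld is a long-running root service driven by D-Bus requests, so a bug there now reaches "load arbitrary module" rather than "change firewall rules". If `abstractions/app/kmod` is the project's agreed pattern, a comment stating that the daemon needs inline module loading and why `rPx` was insufficient would justify it; otherwise `@{bin}/kmod rPx,` without `capability sys_module` keeps the boundary. The three `dbus receive … peer=(label=libvirtd)` rules are removed with no replacement visible here, so it is worth confirming that the `#aa:dbus own` directive covers receiving those calls. The profile body continues outside the hunk.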


@ -106,10 +106,8 @@ profile ifup @{exec_path} {
profile sysctl { profile sysctl {
include <abstractions/base> include <abstractions/base>
# capability mac_admin, capability net_admin,
capability net_admin, capability sys_admin,
capability sys_admin,
# capability sys_resource,
@{bin}/sysctl mr, @{bin}/sysctl mr,


@ -0,0 +1,34 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/nvidia-smi
profile nvidia-smi @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nvidia-strict>
@{exec_path} mr,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/cpumap r,
@{PROC}/devices r,
@{PROC}/driver/nvidia/capabilities/mig/config r,
@{PROC}/driver/nvidia/capabilities/mig/monitor r,
owner @{PROC}/@{pid}/cmdline r,
/dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511
/dev/nvidia-caps/ rw,
/dev/nvidia-caps/nvidia-cap@{int} r,
/dev/nvidia-uvm rw,
/dev/nvidia-uvm-tools r,
include if exists <local/nvidia-smi>
}
# vim:syntax=apparmor
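Review bot: `/dev/nvidia-caps/ rw,` grants write on the directory entry itself, which as I read AppArmor's file-rule semantics covers mkdir/rmdir/rename of that directory rather than creating nodes inside it; creating a node would need `w` on `/dev/nvidia-caps/nvidia-cap@{int}`, which the next line gives only `r`. Either the directory write is unneeded and `/dev/nvidia-caps/ r,` suffices, or the cap-node line is the one that should carry `w`; a comment naming the operation observed in the audit log would settle it. `/dev/char/@{dynamic}:@{int} w,` likewise grants write to every dynamically-numbered char device, not only NVIDIA's, and the comment explains the range but not why write rather than read is required. The profile is registered in complain mode, so these will show up as log entries first.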


@ -10,6 +10,7 @@ include <tunables/global>
profile os-prober @{exec_path} flags=(attach_disconnected) { profile os-prober @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/disks-read>
capability dac_read_search, capability dac_read_search,
capability sys_admin, capability sys_admin,
@ -59,11 +60,12 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
/ r, / r,
/boot/{efi/,} r, /boot/{efi/,} r,
/boot/{efi/,}EFI/ r, /boot/{efi/,}EFI/ r,
/boot/{efi/,}EFI/*/ r, /boot/{efi/,}EFI/**/ r,
owner @{tmp}/os-prober.*/{,**} rw, owner @{tmp}/os-prober.*/{,**} rw,
@{sys}/block/ r, @{run}/mount/utab r,
@{sys}/devices/@{pci}/block/*/ r, @{sys}/devices/@{pci}/block/*/ r,
@{sys}/devices/virtual/block/*/ r, @{sys}/devices/virtual/block/*/ r,


@ -16,12 +16,13 @@ profile pcscd @{exec_path} {
network netlink raw, network netlink raw,
ptrace (read) peer=veracrypt,
ptrace (read) peer=@{p_systemd_user}, ptrace (read) peer=@{p_systemd_user},
ptrace (read) peer=gsd-smartcard, ptrace (read) peer=gsd-smartcard,
ptrace (read) peer=keepassxc,
ptrace (read) peer=pkcs11-register, ptrace (read) peer=pkcs11-register,
ptrace (read) peer=rngd, ptrace (read) peer=rngd,
ptrace (read) peer=scdaemon, ptrace (read) peer=scdaemon,
ptrace (read) peer=veracrypt,
@{exec_path} mr, @{exec_path} mr,


@ -28,6 +28,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
/var/lib/power-profiles-daemon/{,**} rw, /var/lib/power-profiles-daemon/{,**} rw,
@{run}/udev/data/+platform:* r, @{run}/udev/data/+platform:* r,
@{run}/udev/data/+power_supply:* r,
@{sys}/bus/ r, @{sys}/bus/ r,
@{sys}/bus/platform/devices/ r, @{sys}/bus/platform/devices/ r,


@ -14,11 +14,9 @@ profile smartd @{exec_path} {
include <abstractions/disks-read> include <abstractions/disks-read>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability sys_rawio, capability net_admin,
capability sys_admin, capability sys_admin,
capability sys_rawio,
# Needed?
audit capability net_admin,
@{exec_path} mr, @{exec_path} mr,
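Review bot: `audit capability net_admin,` under a `# Needed?` marker becomes a plain `capability net_admin,` without the question being answered in the commit; the `audit` qualifier was there to find out whether smartd ever exercises the capability. If a log entry confirmed the need, record it, e.g. `capability net_admin, # observed: <operation from audit log>`; otherwise keep the `audit` prefix until it is confirmed. The profile body continues outside the hunk.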


@ -26,6 +26,8 @@ profile su @{exec_path} {
@{bin}/@{shells} rUx, @{bin}/@{shells} rUx,
@{bin}/nologin rPx, @{bin}/nologin rPx,
@{etc_ro}/default/su r,
include if exists <local/su> include if exists <local/su>
} }


@ -1,4 +1,5 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 valoq <valoq@mailbox.org> # Copyright (C) 2024 valoq <valoq@mailbox.org>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
@ -9,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/w3m @{exec_path} = @{bin}/w3m
profile w3m @{exec_path} { profile w3m @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
@ -21,13 +23,20 @@ profile w3m @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix,
@{lib}/w3m/cgi-bin/* rix,
@{lib}/w3m/* rix,
/usr/share/terminfo/{,**} r, /usr/share/terminfo/{,**} r,
/etc/mime.types r,
/etc/w3m/{,**} r, /etc/w3m/{,**} r,
owner @{HOME}/.w3m/{,**} r,
owner @{user_config_dirs}/w3m/{,**} r,
owner /tmp/@{rand6}/{,**} rw, owner @{HOME}/.w3m/{,**} rw,
owner @{user_config_dirs}/w3m/{,**} rw,
owner @{tmp}/@{rand6}/{,**} rw,
include if exists <local/w3m> include if exists <local/w3m>
} }
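Review bot: `owner @{HOME}/.w3m/{,**} rw,` and `owner @{user_config_dirs}/w3m/{,**} rw,` make the whole configuration tree writable for a program that renders untrusted remote content; as far as I recall that tree also holds the files w3m uses to map URL schemes and MIME types to external commands, so a w3m bug triggered by a page could persist by rewriting them. If the write is for what w3m legitimately saves (options, history, cookies, bookmarks), listing those files with `rw` and keeping the previous `owner @{HOME}/.w3m/{,**} r,` for the rest preserves the separation. Also, `@{lib}/w3m/* rix,` matches only files directly under `@{lib}/w3m/`, not `cgi-bin/*`, so if the older `cgi-bin` line was replaced rather than kept the helpers no longer match; please double-check the glob. The `@{sh_path} rix,` addition is consistent with those helpers being shell scripts.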


@ -10,9 +10,12 @@ include <tunables/global>
profile wsdd @{exec_path} { profile wsdd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/python> include <abstractions/python>
include <abstractions/ssl_certs>
network inet dgram, network inet dgram,
network inet stream,
network inet6 dgram, network inet6 dgram,
network inet6 stream,
network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,


@ -106,6 +106,7 @@ fail2ban-server attach_disconnected,complain
fdisk complain fdisk complain
firewall-applet attach_disconnected,complain firewall-applet attach_disconnected,complain
firewall-config complain firewall-config complain
firewalld attach_disconnected,complain
flameshot complain flameshot complain
flatpak attach_disconnected,mediate_deleted,complain flatpak attach_disconnected,mediate_deleted,complain
flatpak-app attach_disconnected,mediate_deleted,complain flatpak-app attach_disconnected,mediate_deleted,complain
@ -254,6 +255,7 @@ nmap complain
nmcli complain nmcli complain
nvidia-detector complain nvidia-detector complain
nvidia-persistenced complain nvidia-persistenced complain
nvidia-smi complain
okular complain okular complain
ollama attach_disconnected,complain ollama attach_disconnected,complain
os-prober attach_disconnected,complain os-prober attach_disconnected,complain