refactor(profiles): use @{bin} and @{lib} in profiles (1)

This commit is contained in:
Alexandre Pujol 2023-07-09 13:20:25 +01:00
parent 59469b57b4
commit bb71f49598
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
125 changed files with 955 additions and 959 deletions


@ -44,40 +44,38 @@ profile android-studio @{exec_path} {
network netlink raw,
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/python3.[0-9]* rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/cat rix,
@{bin}/chattr rix,
@{bin}/chmod rix,
@{bin}/cut rix,
@{bin}/dirname rix,
@{bin}/kill rix,
@{bin}/ldconfig rix,
@{bin}/mktemp rix,
@{bin}/nice rix,
@{bin}/python3.[0-9]* rix,
@{bin}/readlink rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/setsid rix,
@{bin}/uname rix,
@{bin}/which{,.debianutils} rix,
@{bin}/xargs rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/sed rix,
@{bin}/git rPx,
@{bin}/lsusb rPx,
@{bin}/ps rPx,
@{bin}/xdg-mime rPx,
@{bin}/xprop rPx,
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/chattr rix,
/{usr/,}bin/setsid rix,
/{usr/,}bin/nice rix,
/{usr/,}bin/kill rix,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/lsb_release rCx -> lsb-release,
@{bin}/xdg-open rCx -> open,
/{usr/,}bin/lsusb rPx,
/{usr/,}bin/xprop rPx,
/{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/ps rPx,
/{usr/,}bin/git rPx,
/{usr/,}bin/lsb_release rCx -> lsb-release,
/{usr/,}bin/gpg{,2} rCx -> gpg,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/jre/bin/* rix,
@{lib}/jvm/java-[0-9]*-openjdk-*/jre/bin/* rix,
/etc/java-[0-9]*-openjdk/** r,
/usr/share/java/java-atk-wrapper.jar r,
@ -89,8 +87,7 @@ profile android-studio @{exec_path} {
@{MOUNTS}/ r,
@{MOUNTS}/*/ r,
/usr/ r,
/{usr/,}lib/ r,
/{usr/,}lib{x32,32,64}/ r,
@{lib}/ r,
@{AS_LIBDIR}/ rw,
@{AS_LIBDIR}/** mrwkix,
@ -99,12 +96,12 @@ profile android-studio @{exec_path} {
# Currently there is only the target platform of API Level 23 packaged, so only apps targeted at
# android-23 can be built with only Debian packages. Only Build-Tools 24.0.0 is available, so in
# order to use the SDK, build scripts need to be modified.
/{usr/,}lib/android-sdk/ r,
/{usr/,}lib/android-sdk/** mrkix,
@{lib}/android-sdk/ r,
@{lib}/android-sdk/** mrkix,
/usr/share/android-sdk-platform-*/{,**} r,
deny /{usr/,}lib/android-sdk/build-tools/*/package.xml w,
deny /{usr/,}lib/android-sdk/platforms/android-*/package.xml w,
deny /{usr/,}lib/android-sdk/.knownPackages w,
deny @{lib}/android-sdk/build-tools/*/package.xml w,
deny @{lib}/android-sdk/platforms/android-*/package.xml w,
deny @{lib}/android-sdk/.knownPackages w,
# This one is used if the standard android SDK location is missing
@{AS_SDKDIR}/ rw,
@ -220,7 +217,7 @@ profile android-studio @{exec_path} {
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpg{,2} mr,
@{bin}/gpg{,2} mr,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
@ -234,11 +231,11 @@ profile android-studio @{exec_path} {
signal (receive) set=(term, kill) peer=android-studio,
/{usr/,}bin/lsb_release r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/lsb_release r,
@{bin}/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/apt-cache rPx,
@{bin}/ r,
@{bin}/apt-cache rPx,
owner @{PROC}/@{pid}/fd/ r,
@ -259,27 +256,27 @@ profile android-studio @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}bin/spacefm rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/vlc rPx,
/{usr/,}bin/mpv rPx,
/{usr/,}bin/geany rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/ebook-viewer rPx,
/{usr/,}lib/firefox/firefox rPx,
@{bin}/spacefm rPx,
@{bin}/smplayer rPx,
@{bin}/vlc rPx,
@{bin}/mpv rPx,
@{bin}/geany rPx,
@{bin}/viewnior rPUx,
@{bin}/qpdfview rPx,
@{bin}/ebook-viewer rPx,
@{lib}/firefox/firefox rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
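Review bot: The rewrite collapses `/{usr/,}{s,}bin/ldconfig rix,` into `@{bin}/ldconfig rix,` in the first hunk, and in the second hunk replaces both `/{usr/,}lib/ r,` and `/{usr/,}lib{x32,32,64}/ r,` with the single `@{lib}/ r,`, so whether `/sbin/ldconfig` and the multilib directories stay allowed now depends entirely on how `@{bin}` and `@{lib}` are defined in the tunables, which this commit does not show. If those variables do not expand to the sbin and `lib{32,64,x32}` directories, this is a silent permission regression on non-merged-/usr systems rather than a pure refactor. The same `{s,}bin/ldconfig` collapse appears in the calibre and dropbox sections. Stating the intended expansions of `@{bin}` and `@{lib}` in the commit description would make the equivalence reviewable.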


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom /{usr/,}bin/atom
@{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom @{bin}/atom
profile atom @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
@ -40,40 +40,40 @@ profile atom @{exec_path} {
/usr/share/atom/resources/**/libexec/** rix,
deny /{usr/,}local/bin/ r,
deny /{usr/,}bin/ r,
#/{usr/,}bin/{,ba,da}sh rix,
#/{usr/,}bin/zsh rix,
#/{usr/,}bin/env rix,
#/{usr/,}bin/rmdir rix,
#/{usr/,}bin/{,e}grep rix,
#/{usr/,}bin/ls rix,
#/{usr/,}bin/{m,g,}awk rix,
#/{usr/,}bin/tty rix,
#/{usr/,}bin/dircolors rix,
#/{usr/,}bin/cut rix,
#/{usr/,}bin/xwininfo rix,
#/{usr/,}bin/date rix,
deny @{bin}/ r,
#@{bin}/{,ba,da}sh rix,
#@{bin}/zsh rix,
#@{bin}/env rix,
#@{bin}/rmdir rix,
#@{bin}/{,e}grep rix,
#@{bin}/ls rix,
#@{bin}/{m,g,}awk rix,
#@{bin}/tty rix,
#@{bin}/dircolors rix,
#@{bin}/cut rix,
#@{bin}/xwininfo rix,
#@{bin}/date rix,
# The expr and uname tools are needed or Atom won't start with the following error:
# Your platform () is not supported.
/{usr/,}bin/expr rix,
/{usr/,}bin/uname rix,
@{bin}/expr rix,
@{bin}/uname rix,
# The following also are needed to start Atom
/{usr/,}bin/basename rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/nohup rix,
/{usr/,}bin/cat rix,
@{bin}/basename rix,
@{bin}/readlink rix,
@{bin}/dirname rix,
@{bin}/mkdir rix,
@{bin}/nohup rix,
@{bin}/cat rix,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/xdg-open rCx -> open,
/{usr/,}bin/xdg-settings rPx,
@{bin}/xdg-settings rPx,
/{usr/,}bin/git rPx,
@{bin}/git rPx,
# Needed to sign commits
/{usr/,}bin/gpg{,2} rCx -> gpg,
@{bin}/gpg{,2} rCx -> gpg,
# /home/ r,
# Reading of the user home dir is required or the following error will be printed:
@ -139,7 +139,7 @@ profile atom @{exec_path} {
owner /tmp/net-export/ rw,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
profile gpg {
@ -148,7 +148,7 @@ profile atom @{exec_path} {
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
/{usr/,}bin/gpg{,2} mr,
@{bin}/gpg{,2} mr,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
@ -163,19 +163,19 @@ profile atom @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -7,12 +7,12 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/calibre{,-parallel,-debug,-server,-smtp,-complete,-customize}
@{exec_path} += /{usr/,}bin/calibredb
@{exec_path} += /{usr/,}bin/ebook{-viewer,-edit,-device,-meta,-polish,-convert}
@{exec_path} += /{usr/,}bin/fetch-ebook-metadata
@{exec_path} += /{usr/,}bin/lrs2lrf /{usr/,}bin/lrf2lrs /{usr/,}bin/lrfviewer
@{exec_path} += /{usr/,}bin/web2disk
@{exec_path} = @{bin}/calibre{,-parallel,-debug,-server,-smtp,-complete,-customize}
@{exec_path} += @{bin}/calibredb
@{exec_path} += @{bin}/ebook{-viewer,-edit,-device,-meta,-polish,-convert}
@{exec_path} += @{bin}/fetch-ebook-metadata
@{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer
@{exec_path} += @{bin}/web2disk
profile calibre @{exec_path} {
include <abstractions/base>
include <abstractions/opencl-intel>
@ -83,20 +83,20 @@ profile calibre @{exec_path} {
peer=(name=:*),
@{exec_path} mrix,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/{usr/,}{s,}bin/ldconfig{,.real} rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/file rix,
/{usr/,}bin/uname rix,
/{usr/,}lib/@{multiarch}/qt5/libexec/QtWebEngineProcess rix,
@{bin}/ldconfig{,.real} rix,
@{bin}/{,ba,da}sh rix,
@{bin}/file rix,
@{bin}/uname rix,
@{lib}/@{multiarch}/qt5/libexec/QtWebEngineProcess rix,
/{usr/,}bin/pdftoppm rPUx, # (#FIXME#)
/{usr/,}bin/pdfinfo rPUx,
/{usr/,}bin/pdftohtml rPUx,
@{bin}/pdftoppm rPUx, # (#FIXME#)
@{bin}/pdfinfo rPUx,
@{bin}/pdftohtml rPUx,
/{usr/,}bin/xdg-open rPx -> child-open,
/{usr/,}bin/xdg-mime rPx,
@{bin}/xdg-open rPx -> child-open,
@{bin}/xdg-mime rPx,
/usr/share/calibre/{,**} r,
/usr/share/hwdata/pnp.ids r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/code /usr/share/code/{bin/,}code
@{exec_path} = @{bin}/code /usr/share/code/{bin/,}code
profile code @{exec_path} {
include <abstractions/base>
include <abstractions/chromium-common>
@ -24,16 +24,16 @@ profile code @{exec_path} {
@{exec_path} mrix,
/{usr/,}lib/code/extensions/git/dist/askpass.sh rPx,
/{usr/,}lib/code/extensions/git/dist/git-editor.sh rPx,
@{lib}/code/extensions/git/dist/askpass.sh rPx,
@{lib}/code/extensions/git/dist/git-editor.sh rPx,
# The shell is not confined on purpose.
/{usr/,}bin/{,b,d,rb}ash rUx,
/{usr/,}bin/{c,k,tc,z}sh rUx,
@{bin}/{,b,d,rb}ash rUx,
@{bin}/{c,k,tc,z}sh rUx,
/{usr/,}bin/git rPx,
/{usr/,}bin/gpg{,2} rPUx,
/{usr/,}bin/lsb_release rPx -> lsb_release,
@{bin}/git rPx,
@{bin}/gpg{,2} rPUx,
@{bin}/lsb_release rPx -> lsb_release,
# /usr/share/code/** r,
# /usr/share/code/libffmpeg.so mr,
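Review bot: `@{bin}/{,b,d,rb}ash rUx,` and `@{bin}/{c,k,tc,z}sh rUx,` now grant an unconfined transition to every path `@{bin}` expands to, whereas the removed lines were pinned to `/{usr/,}bin/`. Because `rUx` drops confinement entirely, any directory the `@{bin}` tunable adds beyond `/{,usr/}bin` (the definition is not on this page) widens the unconfined surface of this profile, which is the one place in this commit where the substitution is not merely cosmetic. The existing comment could record that dependency, e.g. `# The shell is not confined on purpose; this relies on @{bin} being limited to the system bin directories.`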


@ -12,7 +12,7 @@ include <tunables/global>
@{DISCORD_HOMEDIR} += @{HOME}/.config/discordptb
@{DISCORD_CACHEDIR} = @{HOME}/.cache/discord
@{exec_path} = @{DISCORD_LIBDIR}/Discord{,PTB} /{usr/,}bin/discord{,-ptb}
@{exec_path} = @{DISCORD_LIBDIR}/Discord{,PTB} @{bin}/discord{,-ptb}
profile discord @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -42,13 +42,13 @@ profile discord @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/xdg-open rCx -> open,
#/{usr/,}bin/lsb_release rCx -> lsb_release,
#/{usr/,}bin/xdg-mime rCx -> xdg-mime,
deny /{usr/,}bin/lsb_release mrx,
deny /{usr/,}bin/xdg-mime mrx,
@{bin}/xdg-open rCx -> open,
#@{bin}/lsb_release rCx -> lsb_release,
#@{bin}/xdg-mime rCx -> xdg-mime,
deny @{bin}/lsb_release mrx,
deny @{bin}/xdg-mime mrx,
@{DISCORD_LIBDIR}/ r,
@{DISCORD_LIBDIR}/** r,
@ -107,7 +107,7 @@ profile discord @{exec_path} {
/etc/machine-id r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
@{lib}/firefox/firefox rPx,
# file_inherit
owner /dev/tty[0-9]* rw,
@ -117,14 +117,14 @@ profile discord @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
/{usr/,}bin/xdg-mime mr,
@{bin}/xdg-mime mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/head rix,
/{usr/,}bin/sed rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/cut rix,
@{bin}/{,e}grep rix,
@{bin}/head rix,
@{bin}/sed rix,
# file_inherit
/usr/share/discord/** r,
@ -142,11 +142,11 @@ profile discord @{exec_path} {
signal (receive) set=(kill, term) peer=discord,
/{usr/,}bin/lsb_release r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/lsb_release r,
@{bin}/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/apt-cache rPx,
@{bin}/ r,
@{bin}/apt-cache rPx,
owner @{PROC}/@{pid}/fd/ r,
@ -167,19 +167,19 @@ profile discord @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
@{lib}/firefox/firefox rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -10,7 +10,7 @@ include <tunables/global>
@{DROPBOX_HOME_DIR}=@{HOME}/.dropbox/
@{DROPBOX_SHARE_DIR}=@{HOME}/Dropbox*/
@{exec_path} = /{usr/,}bin/dropbox
@{exec_path} = @{bin}/dropbox
profile dropbox @{exec_path} {
include <abstractions/base>
include <abstractions/X>
@ -28,8 +28,8 @@ profile dropbox @{exec_path} {
@{exec_path} r,
/{usr/,}bin/ r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/ r,
@{bin}/python3.[0-9]* r,
# Dropbox home files
owner @{HOME}/ r,
@ -50,14 +50,14 @@ profile dropbox @{exec_path} {
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/*.so* mrw,
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/plugins/platforms/*.so mrw,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/uname rix,
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/{,@{multiarch}-}objdump rix,
@{bin}/{,ba,da}sh rix,
@{bin}/readlink rix,
@{bin}/dirname rix,
@{bin}/uname rix,
@{bin}/ldconfig rix,
@{lib}/llvm-[0-9]*/bin/clang rix,
@{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
@{bin}/{,@{multiarch}-}objdump rix,
# Needed for updating Dropbox
owner /tmp/.dropbox-dist-new-*/{,**} rw,
@ -72,7 +72,7 @@ profile dropbox @{exec_path} {
deny owner @{user_config_dirs}/autostart/dropbox.desktop rw,
# What's this for?
/{usr/,}bin/mount mrix,
@{bin}/mount mrix,
@{sys}/devices/virtual/block/dm-[0-9]*/dm/name r,
@{sys}/devices/virtual/block/loop[0-9]/ r,
@{sys}/devices/virtual/block/loop[0-9]/loop/{autoclear,backing_file} r,
@ -115,30 +115,30 @@ profile dropbox @{exec_path} {
deny @{sys}/module/apparmor/parameters/enabled r,
# External apps
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/lsb_release rPx -> lsb_release,
@{bin}/xdg-open rCx -> open,
@{bin}/lsb_release rPx -> lsb_release,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/filezilla
@{exec_path} = @{bin}/filezilla
profile filezilla @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
@ -20,13 +20,13 @@ profile filezilla @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
@{bin}/{,ba,da}sh rix,
@{bin}/uname rix,
# When using SFTP protocol
/{usr/,}bin/fzsftp rPx,
@{bin}/fzsftp rPx,
/{usr/,}bin/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx -> lsb_release,
owner @{HOME}/ r,
owner @{user_config_dirs}/filezilla/ rw,
@ -53,7 +53,7 @@ profile filezilla @{exec_path} {
owner /tmp/fz[0-9]temp-[0-9]*/empty_file_* rw,
# External apps
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# FTP share folder
owner @{MOUNTS}/ftp/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/flameshot
@{exec_path} = @{bin}/flameshot
profile flameshot @{exec_path} {
include <abstractions/base>
include <abstractions/X>
@ -33,9 +33,9 @@ profile flameshot @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/whoami rix,
@{bin}/whoami rix,
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/xdg-open rCx -> open,
# Flameshot home files
owner @{user_config_dirs}/flameshot/ rw,
@ -73,12 +73,12 @@ profile flameshot @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,


@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{FT_LIBDIR} = /{usr/,}lib/freetube
@{FT_LIBDIR} += /{usr/,}lib/freetube-vue
@{FT_LIBDIR} = @{lib}/freetube
@{FT_LIBDIR} += @{lib}/freetube-vue
@{FT_LIBDIR} += /opt/FreeTube
@{FT_LIBDIR} += /opt/FreeTube-Vue
@ -83,14 +83,14 @@ profile freetube @{exec_path} {
owner @{run}/user/@{uid}/ r,
# no new privs
/{usr/,}bin/xdg-settings rPx,
@{bin}/xdg-settings rPx,
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/xdg-open rCx -> open,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/mpv rPx,
/{usr/,}bin/vlc rPx,
@{lib}/firefox/firefox rPx,
@{bin}/mpv rPx,
@{bin}/vlc rPx,
# file_inherit
owner /dev/tty[0-9]* rw,
@ -100,21 +100,21 @@ profile freetube @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/mpv rPx,
/{usr/,}bin/vlc rPx,
@{lib}/firefox/firefox rPx,
@{bin}/mpv rPx,
@{bin}/vlc rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{FT_LIBDIR} = /{usr/,}lib/freetube
@{FT_LIBDIR} += /{usr/,}lib/freetube-vue
@{FT_LIBDIR} = @{lib}/freetube
@{FT_LIBDIR} += @{lib}/freetube-vue
@{FT_LIBDIR} += /opt/FreeTube
@{FT_LIBDIR} += /opt/FreeTube-Vue


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/geany
@{exec_path} = @{bin}/geany
profile geany @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
@ -27,10 +27,10 @@ profile geany @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
# For the sorting feature
/{usr/,}bin/sort rix,
@{bin}/sort rix,
# When geany is run as root, it wants to exec dbus-launch, and hence it creates the two following
# root processes:
@ -38,10 +38,10 @@ profile geany @{exec_path} {
# /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
#
# Should this be allowed? Geany works fine without this.
#/{usr/,}bin/dbus-launch rCx -> dbus,
#/{usr/,}bin/dbus-send rCx -> dbus,
deny /{usr/,}bin/dbus-launch rx,
deny /{usr/,}bin/dbus-send rx,
#@{bin}/dbus-launch rCx -> dbus,
#@{bin}/dbus-send rCx -> dbus,
deny @{bin}/dbus-launch rx,
deny @{bin}/dbus-send rx,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
@ -105,9 +105,9 @@ profile geany @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/dbus-launch mr,
/{usr/,}bin/dbus-send mr,
/{usr/,}bin/dbus-daemon rPUx,
@{bin}/dbus-launch mr,
@{bin}/dbus-send mr,
@{bin}/dbus-daemon rPUx,
# for dbus-launch
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,


@ -8,7 +8,7 @@ include <tunables/global>
@{okular_ext} = [pP][dD][fF]
@{exec_path} = /{usr/,}bin/okular
@{exec_path} = @{bin}/okular
profile okular @{exec_path} {
include <abstractions/base>
include <abstractions/X>
@ -78,13 +78,13 @@ profile okular @{exec_path} {
/etc/machine-id r,
# Search phrase in google
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/xdg-open rCx -> open,
/usr/share/kservices5/searchproviders/{,*.desktop} r,
/usr/share/kservices5/{,*.protocol} r,
/etc/xdg/kshorturifilterrc r,
# Print to pdf
/{usr/,}bin/ps2pdf rPUx,
@{bin}/ps2pdf rPUx,
owner /tmp/@{hex} rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/okular_*.ps rwl -> /tmp/#[0-9]*[0-9],
@ -93,26 +93,26 @@ profile okular @{exec_path} {
/usr/share/kf5/licenses/GPL_V2 r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -76,9 +76,9 @@ profile signal-desktop @{exec_path} {
/etc/machine-id r,
# No new privs
/{usr/,}bin/xdg-settings rPx,
@{bin}/xdg-settings rPx,
/{usr/,}bin/getconf rix,
@{bin}/getconf rix,
include if exists <local/signal-desktop>
}


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/spotify /usr/share/spotify/spotify
@{exec_path} = @{bin}/spotify /usr/share/spotify/spotify
profile spotify @{exec_path} {
include <abstractions/base>
include <abstractions/opencl-intel>


@ -8,7 +8,7 @@ include <tunables/global>
@{TELEGRAM_WORK_DIR} = @{MOUNTS}/Kabi/telegram
@{exec_path} = /{usr/,}bin/telegram-desktop
@{exec_path} = @{bin}/telegram-desktop
profile telegram-desktop @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -38,13 +38,13 @@ profile telegram-desktop @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
# Launch external apps
/{usr/,}bin/xdg-open rCx -> open,
@{bin}/xdg-open rCx -> open,
# What's this for?
deny /{usr/,}bin/fc-list rx,
deny @{bin}/fc-list rx,
# Telegram files
/usr/share/TelegramDesktop/{,**} r,
@ -81,11 +81,11 @@ profile telegram-desktop @{exec_path} {
/usr/share/qt5ct/** r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/geany rPx,
@{lib}/firefox/firefox rPx,
@{bin}/smplayer rPx,
@{bin}/viewnior rPUx,
@{bin}/qpdfview rPx,
@{bin}/geany rPx,
# file_inherit
owner /dev/tty[0-9]* rw,
@ -95,23 +95,23 @@ profile telegram-desktop @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{TELEGRAM_WORK_DIR}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/geany rPx,
@{lib}/firefox/firefox rPx,
@{bin}/smplayer rPx,
@{bin}/qpdfview rPx,
@{bin}/viewnior rPUx,
@{bin}/geany rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -8,15 +8,15 @@ abi <abi/3.0>,
include <tunables/global>
@{FIREFOX_BIN} = /{usr/,}lib/firefox{,-esr}/firefox
@{FIREFOX_BIN} = @{lib}/firefox{,-esr}/firefox
@{FIREFOX_BIN} += /opt/firefox{,-esr}/firefox
@{MOZ_LIBDIR} = /{usr/,}lib/thunderbird
@{MOZ_LIBDIR} = @{lib}/thunderbird
@{MOZ_HOMEDIR} = @{HOME}/.thunderbird
@{MOZ_CACHEDIR} = @{user_cache_dirs}/thunderbird
@{exec_path} = @{MOZ_LIBDIR}/thunderbird{,-bin}
@{exec_path} += /{usr/,}bin/thunderbird
@{exec_path} += @{bin}/thunderbird
profile thunderbird @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -103,14 +103,14 @@ profile thunderbird @{exec_path} {
@{exec_path} mrix,
@{MOZ_LIBDIR}/thunderbird-wrapper-helper.sh rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/date rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/which{,.debianutils} rix,
@{bin}/{,ba,da}sh rix,
@{bin}/sed rix,
@{bin}/date rix,
@{bin}/tr rix,
@{bin}/which{,.debianutils} rix,
/{usr/,}bin/ps rPx,
/{usr/,}bin/dig rix,
@{bin}/ps rPx,
@{bin}/dig rix,
# Thunderbird files
/usr/share/thunderbird/{,**} r,
@ -146,14 +146,14 @@ profile thunderbird @{exec_path} {
owner @{user_share_dirs}/ r,
# Spellcheck
/{usr/,}bin/locale rix,
@{bin}/locale rix,
# System integration
/etc/mime.types r,
owner @{user_config_dirs}/mimeapps.list.* rw,
# KDE system keyring
/{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
@{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
/usr/share/xul-ext/kwallet5/* r,
/etc/xul-ext/kwallet5.js r,
owner @{user_config_dirs}/kwalletrc r,
@ -216,25 +216,25 @@ profile thunderbird @{exec_path} {
/usr/share/sounds/freedesktop/stereo/*.oga r,
# Silencer
deny /{usr/,}lib/thunderbird/** w,
deny @{lib}/thunderbird/** w,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-{open,mime} rCx -> open,
/{usr/,}bin/exo-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/xdg-{open,mime} rCx -> open,
@{bin}/exo-open rCx -> open,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
# Needed for enigmail
/usr/share/xul-ext/enigmail/{,**} r,
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpg-connect-agent rCx -> gpg,
/{usr/,}bin/gpg{,2} rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg,
@{bin}/gpgconf rCx -> gpg,
@{bin}/gpg-connect-agent rCx -> gpg,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/gpgsm rCx -> gpg,
# Allowed apps to open
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/engrampa rPx,
/{usr/,}bin/geany rPx,
@{bin}/qpdfview rPx,
@{bin}/viewnior rPUx,
@{bin}/engrampa rPx,
@{bin}/geany rPx,
@{FIREFOX_BIN} rPx,
# file_inherit
@ -252,11 +252,11 @@ profile thunderbird @{exec_path} {
network inet6 stream,
network netlink raw,
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpg{,2} mr,
/{usr/,}bin/gpg-connect-agent mr,
/{usr/,}bin/gpgsm mr,
/{usr/,}bin/gpg-agent rix,
@{bin}/gpgconf mr,
@{bin}/gpg{,2} mr,
@{bin}/gpg-connect-agent mr,
@{bin}/gpgsm mr,
@{bin}/gpg-agent rix,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
@ -298,25 +298,25 @@ profile thunderbird @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/exo-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
@{bin}/xdg-open mr,
@{bin}/exo-open mr,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,m,g}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/xfce4-mime-helper rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,m,g}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
@{bin}/xfce4-mime-helper rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/engrampa rPx,
/{usr/,}bin/geany rPx,
@{bin}/qpdfview rPx,
@{bin}/viewnior rPUx,
@{bin}/engrampa rPx,
@{bin}/geany rPx,
@{FIREFOX_BIN} rPx,
# file_inherit
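Review bot: `deny @{lib}/thunderbird/** w,` in the silencer hunk spells out a path that this same file already binds as `@{MOZ_LIBDIR} = @{lib}/thunderbird` in the first hunk, so the deny rule can drift from the variable the rest of the profile uses if the library directory is ever changed in one place only. `deny @{MOZ_LIBDIR}/** w,` keeps the two in step. This is a style point only; with the variable as defined here the expansion is identical.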


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/{c,}vlc
@{exec_path} = @{bin}/{c,}vlc
profile vlc @{exec_path} {
include <abstractions/base>
include <abstractions/audio>
@ -145,7 +145,7 @@ profile vlc @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver,
@{bin}/xdg-screensaver rCx -> xdg-screensaver,
/usr/share/hwdata/pnp.ids r,
/usr/share/qt5ct/** r,
@ -197,22 +197,22 @@ profile vlc @{exec_path} {
owner /dev/tty[0-9]* rw,
# Silencer
deny /{usr/,}lib/@{multiarch}/vlc/{,**} w,
deny @{lib}/@{multiarch}/vlc/{,**} w,
profile xdg-screensaver {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/xdg-screensaver mr,
@{bin}/xdg-screensaver mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/xset rix,
/{usr/,}bin/xautolock rix,
/{usr/,}bin/dbus-send rix,
@{bin}/{,ba,da}sh rix,
@{bin}/mv rix,
@{bin}/{,e}grep rix,
@{bin}/sed rix,
@{bin}/which{,.debianutils} rix,
@{bin}/xset rix,
@{bin}/xautolock rix,
@{bin}/dbus-send rix,
owner @{HOME}/.Xauthority r,