felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor(profiles): use @{bin} and @{lib} in profiles (1)

Browse source
This commit is contained in:
Alexandre Pujol 2023-07-09 13:20:25 +01:00
parent 59469b57b4
commit bb71f49598
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
125 changed files with 955 additions and 959 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/groups/browsers/brave
View file

@ -20,7 +20,7 @@ profile brave @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/man rPUx, # For "brave --help"
@{bin}/man rPUx, # For "brave --help"
@{chromium_lib_dirs}/swiftshader/libGLESv2.so mr,
@{chromium_lib_dirs}/swiftshader/libEGL.so mr,

14
apparmor.d/groups/browsers/brave-wrapper
View file

@ -16,13 +16,13 @@ profile brave-wrapper @{exec_path} {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/which{,.debianutils} rix,
@{bin}/{,ba,da}sh rix,
@{bin}/cat rix,
@{bin}/dirname rix,
@{bin}/mkdir rix,
@{bin}/readlink rix,
@{bin}/touch rix,
@{bin}/which{,.debianutils} rix,
@{chromium_lib_dirs}/brave rPx,

2
apparmor.d/groups/browsers/chrome
View file

@ -20,7 +20,7 @@ profile chrome @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/man rPUx, # For "chrome --help"
@{bin}/man rPUx, # For "chrome --help"
@{chromium_lib_dirs}/google-@{chromium_name} rPx,

14
apparmor.d/groups/browsers/chrome-wrapper
View file

@ -16,13 +16,13 @@ profile chrome-wrapper @{exec_path} {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/which{,.debianutils} rix,
@{bin}/{,ba,da}sh rix,
@{bin}/cat rix,
@{bin}/dirname rix,
@{bin}/mkdir rix,
@{bin}/readlink rix,
@{bin}/touch rix,
@{bin}/which{,.debianutils} rix,
@{chromium_lib_dirs}/chrome rPx,

2
apparmor.d/groups/browsers/chromium
View file

@ -9,7 +9,7 @@ include <tunables/global>
@{chromium_name} = chromium
@{chromium_domain} = org.chromium.Chromium
@{chromium_lib_dirs} = /{usr/,}lib/@{chromium_name}
@{chromium_lib_dirs} = @{lib}/@{chromium_name}
@{chromium_config_dirs} = @{user_config_dirs}/@{chromium_name}
@{chromium_cache_dirs} = @{user_cache_dirs}/@{chromium_name}

2
apparmor.d/groups/browsers/chromium-crashpad-handler
View file

@ -9,7 +9,7 @@ include <tunables/global>
@{chromium_config_dirs} = @{user_config_dirs}/chromium
@{exec_path} = /{usr/,}lib/chromium/chrome_crashpad_handler
@{exec_path} = @{lib}/chromium/chrome_crashpad_handler
profile chromium-crashpad-handler @{exec_path} {
include <abstractions/base>

4
apparmor.d/groups/browsers/chromium-sandbox
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/chromium/chrome-sandbox
@{exec_path} = @{lib}/chromium/chrome-sandbox
profile chromium-sandbox @{exec_path} {
include <abstractions/base>
@ -20,7 +20,7 @@ profile chromium-sandbox @{exec_path} {
@{exec_path} mr,
/{usr/,}lib/chromium/chromium rPx,
@{lib}/chromium/chromium rPx,
@{PROC}/@{pids}/ r,
owner @{PROC}/@{pid}/oom_{,score_}adj rw,

30
apparmor.d/groups/browsers/chromium-wrapper
View file

@ -7,29 +7,29 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/chromium
@{exec_path} = @{bin}/chromium
profile chromium-wrapper @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
@{exec_path} r,
/{usr/,}lib/chromium/chromium rPx,
@{lib}/chromium/chromium rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/expr rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/uname rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/cat rix,
@{bin}/cut rix,
@{bin}/expr rix,
@{bin}/ls rix,
@{bin}/mktemp rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/tr rix,
@{bin}/uname rix,
/{usr/,}bin/man rPUx, # For "chromium --help"
# /{usr/,}bin/gdb rPUx,
@{bin}/man rPUx, # For "chromium --help"
# @{bin}/gdb rPUx,
/usr/share/chromium/extensions/ r,

38
apparmor.d/groups/browsers/firefox
View file

@ -8,11 +8,11 @@ abi <abi/3.0>,
include <tunables/global>
@{firefox_name} = firefox{,.sh,-esr,-bin}
@{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name} /opt/@{firefox_name}
@{firefox_lib_dirs} = @{lib}/@{firefox_name} /opt/@{firefox_name}
@{firefox_config_dirs} = @{HOME}/.mozilla/
@{firefox_cache_dirs} = @{user_cache_dirs}/mozilla/
@{exec_path} = /{usr/,}bin/@{firefox_name} @{firefox_lib_dirs}/@{firefox_name}
@{exec_path} = @{bin}/@{firefox_name} @{firefox_lib_dirs}/@{firefox_name}
profile firefox @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio>
@ -128,8 +128,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/basename rix,
@{firefox_lib_dirs}/{,**} r,
@{firefox_lib_dirs}/*.so mr,
@ -139,28 +139,28 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
@{firefox_lib_dirs}/pingsender rPx,
@{firefox_lib_dirs}/plugin-container rPx,
@{firefox_lib_dirs}/vaapitest rPUx,
/{usr/,}lib/mozilla/kmozillahelper rPUx,
@{lib}/mozilla/kmozillahelper rPUx,
/{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
/{usr/,}lib/mozilla/plugins/ r,
/{usr/,}lib/mozilla/plugins/libvlcplugin.so mr,
@{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
@{lib}/mozilla/plugins/ r,
@{lib}/mozilla/plugins/libvlcplugin.so mr,
# Desktop integration
@{libexec}/gvfsd-metadata rPx,
/{usr/,}bin/exo-open rPx -> child-open,
/{usr/,}bin/gnome-software rPx,
/{usr/,}bin/kreadconfig5 rix,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/update-mime-database rPx,
/{usr/,}bin/xdg-open rPx -> child-open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
/{usr/,}lib/gio-launch-desktop rPx -> child-open,
@{bin}/exo-open rPx -> child-open,
@{bin}/gnome-software rPx,
@{bin}/kreadconfig5 rix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/update-mime-database rPx,
@{bin}/xdg-open rPx -> child-open,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
@{lib}/gio-launch-desktop rPx -> child-open,
@{lib}/gvfsd-metadata rPx,
# Common extensions
/opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx,
/{usr/,}bin/browserpass rPx,
@{bin}/browserpass rPx,
# As a temporary solution - see issue #128
/{usr/,}bin/keepassxc-proxy rix,
@{bin}/keepassxc-proxy rix,
/usr/share/doc/{,**} r,
/usr/share/egl/{,**} r,

4
apparmor.d/groups/browsers/firefox-crashreporter
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global>
@{firefox_name} = firefox{,.sh,-esr,-bin}
@{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name} /opt/@{firefox_name}
@{firefox_lib_dirs} = @{lib}/@{firefox_name} /opt/@{firefox_name}
@{firefox_config_dirs} = @{HOME}/.mozilla/
@{firefox_cache_dirs} = @{user_cache_dirs}/mozilla/
@ -35,7 +35,7 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
@{firefox_lib_dirs}/minidump-analyzer rPx,
/{usr/,}bin/mv rix,
@{bin}/mv rix,
/usr/share/X11/xkb/** r,

2
apparmor.d/groups/browsers/firefox-kmozillahelper
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/mozilla/kmozillahelper
@{exec_path} = @{lib}/mozilla/kmozillahelper
profile firefox-kmozillahelper @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>

2
apparmor.d/groups/browsers/firefox-minidump-analyzer
View file

@ -10,7 +10,7 @@ include <tunables/global>
@{MOZ_HOMEDIR} = @{HOME}/.mozilla
@{firefox_name} = firefox{,.sh,-esr,-bin}
@{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name} /opt/@{firefox_name}
@{firefox_lib_dirs} = @{lib}/@{firefox_name} /opt/@{firefox_name}
@{firefox_config_dirs} = @{HOME}/.mozilla/
@{firefox_cache_dirs} = @{user_cache_dirs}/mozilla/

2
apparmor.d/groups/browsers/firefox-pingsender
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global>
@{firefox_name} = firefox{,-esr}
@{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name}/ /opt/@{firefox_name}/
@{firefox_lib_dirs} = @{lib}/@{firefox_name}/ /opt/@{firefox_name}/
@{firefox_config_dirs} = @{HOME}/.mozilla/
@{exec_path} = @{firefox_lib_dirs}/pingsender

2
apparmor.d/groups/browsers/firefox-plugin-container
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global>
@{firefox_name} = firefox{,.sh,-esr,-bin}
@{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name} /opt/@{firefox_name}
@{firefox_lib_dirs} = @{lib}/@{firefox_name} /opt/@{firefox_name}
@{exec_path} = @{firefox_lib_dirs}/plugin-container
profile firefox-plugin-container @{exec_path} {

2
apparmor.d/groups/browsers/opera
View file

@ -9,7 +9,7 @@ include <tunables/global>
@{chromium_name} = opera{,-beta,-developer}
@{chromium_domain} = com.opera.Opera
@{chromium_lib_dirs} = /{usr/,}lib/@{multiarch}/@{chromium_name}
@{chromium_lib_dirs} = @{lib}/@{multiarch}/@{chromium_name}
@{chromium_config_dirs} = @{user_config_dirs}/@{chromium_name}
@{chromium_cache_dirs} = @{user_cache_dirs}/@{chromium_name}

2
apparmor.d/groups/browsers/opera-crashreporter
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global>
@{chromium_name} = opera{,-beta,-developer}
@{chromium_lib_dirs} = /{usr/,}lib/@{multiarch}/@{chromium_name}
@{chromium_lib_dirs} = @{lib}/@{multiarch}/@{chromium_name}
@{chromium_config_dirs} = @{user_config_dirs}/@{chromium_name}
@{exec_path} = @{chromium_lib_dirs}/opera_crashreporter

2
apparmor.d/groups/browsers/opera-sandbox
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{chromium_name} = opera{,-beta,-developer}
@{chromium_lib_dirs} = /{usr/,}lib/@{multiarch}/@{chromium_name}
@{chromium_lib_dirs} = @{lib}/@{multiarch}/@{chromium_name}
@{exec_path} = @{chromium_lib_dirs}/opera_sandbox
profile opera-sandbox @{exec_path} {