feat(profiles): general update.
This commit is contained in:
parent
e02b12aa6d
commit
c148aa978c
30 changed files with 202 additions and 71 deletions
|
|
@ -85,12 +85,13 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/etc/machine-id r,
|
||||
|
||||
/var/log/unattended-upgrades/*.log rw,
|
||||
/var/log/unattended-upgrades/{,**} rw,
|
||||
|
||||
/var/lib/apt/periodic/unattended-upgrades-stamp w,
|
||||
/var/lib/dpkg/lock rwk,
|
||||
/var/lib/dpkg/lock-frontend rwk,
|
||||
/var/lib/dpkg/updates/ r,
|
||||
/var/lib/update-notifier/dpkg-run-stamp rw,
|
||||
|
||||
/var/cache/apt/{,**} rwk,
|
||||
/var/lib/apt/extended_states{,.*} rw,
|
||||
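Review bot: `/var/cache/apt/{,**} rwk,` grants write and lock on the cache directory entry itself as well as everything beneath it, including the downloaded package archives. The packagekitd section of this same commit expresses the same access as the pair `/var/cache/apt/ r,` and `/var/cache/apt/** rwk,`, which keeps the directory read-only; using that pair here would be consistent and slightly tighter. `/var/log/unattended-upgrades/{,**} rw,` also fully covers the `*.log rw,` rule immediately above it, so if both sit on the new side one of them is redundant; which lines this hunk adds cannot be told from the rendering.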
|
|
|
|||
|
|
@ -154,6 +154,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/devices/pci[0-9]*/**/drm/renderD[0-9]*/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/irq r,
|
||||
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
|
||||
@{sys}/devices/system/cpu/possible r,
|
||||
deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
|
||||
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
|
||||
deny @{sys}/devices/system/cpu/present r,
|
||||
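Review bot: `@{sys}/devices/system/cpu/possible r,`, presumably the line this hunk adds, is added by this commit to eight unrelated profiles (firefox, xwayland, gjs-console, gnome-control-center, gnome-control-center-print-renderer, gnome-shell, libvirtd, virtlogd). A read that every one of these programs performs is almost certainly coming from a shared runtime library rather than the application itself, so it belongs in an abstraction these profiles already include rather than being repeated per profile. If it stays per profile, a short comment such as `# CPU topology probe by the runtime` above the rule would record why this read is allowed while the neighbouring `present` and cache-size reads are denied. The firefox profile body continues outside the hunk.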
|
|
|
|||
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/fc-cache{,-32}
|
||||
@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache{,-32,-v*}
|
||||
profile fc-cache @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/fonts>
|
||||
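Review bot: The new attachment pattern `@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache{,-32,-v*}` ends in an open-ended `-v*` glob, so any file named `fc-cache-v<anything>` in those directories attaches to this profile. If a versioned binary is meant, `-v[0-9]*` states that; if one specific name is meant, list it in the braces. The snap branch also means a binary shipped inside the snapd snap mount rather than a distro package is now confined by this profile, which is worth a one-line comment next to the pattern.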
|
|
|
|||
|
|
@ -39,6 +39,7 @@ profile plymouthd @{exec_path} {
|
|||
@{sys}/class/drm/ r,
|
||||
@{sys}/class/graphics/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/{,uevent} r,
|
||||
@{sys}/devices/virtual/graphics/fbcon/uevent r,
|
||||
@{sys}/devices/virtual/tty/console/active r,
|
||||
@{sys}/firmware/acpi/bgrt/{,*} r,
|
||||
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
|
|||
network netlink raw,
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**}
|
||||
interface=org.freedesktop.{DBus.Properties,UPower*},
|
||||
interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,UPower*},
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}bin/xdg-dbus-proxy
|
||||
profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -45,6 +45,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/snap rPx,
|
||||
|
||||
# Allowed apps to open
|
||||
/{usr/,}bin/firefox rPx -> firefox,
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2018-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -11,8 +12,13 @@ profile xdg-email @{exec_path} flags=(complain) {
|
|||
include <abstractions/base>
|
||||
|
||||
@{exec_path} r,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/sed rix,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/gio rPx,
|
||||
/{usr/,}bin/{,e}grep rix,
|
||||
/{usr/,}bin/sed rix,
|
||||
/{usr/,}bin/which rix,
|
||||
/{usr/,}bin/xdg-mime rPx,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -35,6 +35,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
|
||||
|
||||
@{sys}/bus/pci/devices/ r,
|
||||
@{sys}/devices/system/cpu/possible r,
|
||||
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
owner @{PROC}/@{pids}/comm r,
|
||||
|
|
|
|||
|
|
@ -49,6 +49,8 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
@{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
||||
|
||||
@{sys}/devices/system/cpu/possible r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/task/ r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||
|
|
|
|||
|
|
@ -10,14 +10,23 @@ include <tunables/global>
|
|||
profile gnome-characters-backgroudservice @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/gjs-console rix,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/icons/{,**} r,
|
||||
/usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService.*.gresource r,
|
||||
/usr/share/themes/{,**} r,
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
|
||||
/etc/gtk-3.0/settings.ini r,
|
||||
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||
|
||||
include if exists <local/gnome-characters-backgroudservice>
|
||||
}
|
||||
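Review bot: The profile name `gnome-characters-backgroudservice` and the matching `include if exists <local/gnome-characters-backgroudservice>` are missing the `n` of "background", while the resource the profile reads is `org.gnome.Characters.BackgroundService.*.gresource`. Unless the spelling is deliberate, both should read `gnome-characters-backgroundservice` before any other profile transitions to it by name, because renaming later also changes the local-override path. `/{usr/,}bin/gjs-console rix,` runs gjs inside this profile even though this same commit maintains a separate gjs-console profile; if the inline run is intended, a comment saying so would help. The `@{exec_path}` definition for this profile is above the hunk.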
|
|
@ -49,6 +49,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
/{usr/,}bin/bwrap rPUx,
|
||||
/{usr/,}bin/openvpn rPx,
|
||||
/{usr/,}bin/passwd rPx,
|
||||
/{usr/,}lib/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
|
||||
/{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
|
||||
/usr/share/language-tools/language2locale rix,
|
||||
|
||||
|
|
@ -70,6 +71,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
|
||||
/usr/share/zoneinfo/{,**} r,
|
||||
|
||||
/etc/machine-info r,
|
||||
/etc/pipewire/client.conf.d/ r,
|
||||
/etc/security/pwquality.conf r,
|
||||
/etc/security/pwquality.conf.d/{,**} r,
|
||||
|
|
@ -98,6 +100,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
|
||||
owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
|
||||
owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid} rwk,
|
||||
owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid}.lock rwk,
|
||||
owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
|
||||
@{run}/cups/cups.sock rw,
|
||||
@{run}/samba/ rw,
|
||||
|
|
@ -120,9 +124,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/class/input/ r,
|
||||
@{sys}/devices/**/{name,vendor,product,uevent} r,
|
||||
@{sys}/devices/platform/**/uevent r,
|
||||
@{sys}/devices/system/cpu/possible r,
|
||||
@{sys}/devices/virtual/**/uevent r,
|
||||
@{sys}/devices/virtual/dmi/id/chassis_type r,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r,
|
||||
@{sys}/firmware/acpi/pm_profile r,
|
||||
|
||||
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
|
||||
|
||||
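Review bot: `owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,` in the last hunk gives the settings application write access to the whole delegated user cgroup subtree, which holds the process-placement and resource-control files of every unit in the session. The rule is owner-limited, but nothing in the profile says which file gnome-control-center actually writes; a comment naming it, with the path narrowed to that file or at least split into `…/ r,` and `…/** rw,`, would keep the grant reviewable. `@{run}/samba/ rw,` in the third hunk is likewise an unowned write on a shared runtime directory; if only listing it is needed, `r` suffices. Which lines of each hunk are new cannot be told from the rendering.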
|
|
|
|||
|
|
@ -39,6 +39,8 @@ profile gnome-control-center-print-renderer @{exec_path} {
|
|||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
|
||||
@{sys}/devices/system/cpu/possible r,
|
||||
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/comm r,
|
||||
|
||||
|
|
|
|||
|
|
@ -195,7 +195,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
|
||||
owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
|
||||
owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
|
||||
owner @{run}/user/@{uid}/snap.snapd-desktop-integration/wayland-cursor-shared-* rw,
|
||||
owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
|
||||
owner @{run}/user/@{uid}/systemd/notify rw,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9].lock rwk,
|
||||
|
||||
|
|
@ -245,6 +245,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/devices/pci[0-9]*/**/drm/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
|
||||
@{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
|
||||
@{sys}/devices/system/cpu/possible r,
|
||||
@{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,
|
||||
|
||||
owner @{PROC}/@{pid}/comm r,
|
||||
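Review bot: In the first hunk `owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,` appears to replace the `snap.snapd-desktop-integration` form with a glob that matches any snap whose name starts with `snap` (snapd-desktop-integration, snap-store, and so on) but no other snap, which is an odd middle ground. If the intent is every snap's runtime directory, `snap.*` says so plainly; if it is a known set, `snap.{snapd-desktop-integration,…}` keeps the grant explicit. The gnome-shell profile body continues outside both hunks.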
|
|
|
|||
|
|
@ -42,6 +42,7 @@ profile tailscaled @{exec_path} {
|
|||
owner /var/lib/tailscale/{,**} rw,
|
||||
owner @{run}/tailscale/{,**} rw,
|
||||
|
||||
@{sys}/devices/virtual/dmi/id/{bios_vendor,product_name} r,
|
||||
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||
|
||||
@{PROC}/ r,
|
||||
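Review bot: `@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,` is, as far as I can tell, read by the Go runtime at startup rather than by tailscaled itself, so every Go binary confined by this ruleset will need it. A comment such as `# Go runtime reads the huge-page size at startup` on the line would record that and point toward a shared abstraction if more Go profiles follow. The profile body continues outside the hunk.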
|
|
|
|||
|
|
@ -37,10 +37,6 @@ profile pacman-key @{exec_path} {
|
|||
|
||||
/dev/tty rw,
|
||||
|
||||
# Inherit Silencer
|
||||
deny network inet6 stream,
|
||||
deny network inet stream,
|
||||
|
||||
profile gpg {
|
||||
include <abstractions/base>
|
||||
include <abstractions/p11-kit>
|
||||
|
|
@ -61,10 +57,9 @@ profile pacman-key @{exec_path} {
|
|||
@{HOME}/.gnupg/gpg.conf r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/stat rw,
|
||||
|
||||
# Inherit Silencer
|
||||
deny network inet6 stream,
|
||||
deny network inet stream,
|
||||
}
|
||||
|
||||
include if exists <local/pacman-key>
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2020-2021 Mikhail Morfikov
|
||||
# 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2020-2022 Mikhail Morfikov
|
||||
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -15,6 +15,8 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
capability net_admin,
|
||||
|
||||
network netlink raw,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{run}/host/container-manager r,
|
||||
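Review bot: `capability net_admin,` is a broad grant for a program whose job is only to report the virtualisation or container type, and nothing in the hunk says which operation requires it; together with `network netlink raw,` it presumably covers a netlink probe. If the probe degrades gracefully without the capability (the denial is only logged, not fatal), `deny capability net_admin,` silences the log without widening the profile; otherwise a comment naming the probe would let a later reviewer confirm the need. The profile body continues outside the hunk.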
|
|
|
|||
|
|
@ -47,6 +47,7 @@ profile check-new-release-gtk @{exec_path} {
|
|||
owner @{run}/user/@{uid}/wayland-[0-9] rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
@{PROC}/@{pids}/mounts r,
|
||||
|
||||
include if exists <local/check-new-release-gtk>
|
||||
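Review bot: `@{PROC}/@{pids}/mountinfo r,` and `@{PROC}/@{pids}/mounts r,` are not `owner`-qualified and use `@{pids}`, so this GTK helper may read the mount tables of every process on the system, while the adjacent `owner @{PROC}/@{pid}/fd/ r,` is limited to its own. If the mount reads are on its own process, which is the common case for a GLib application, `owner @{PROC}/@{pid}/mount{info,s} r,` expresses exactly that. Which of the two lines is new cannot be told from the rendering.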
|
|
|
|||
|
|
@ -13,13 +13,26 @@ profile packagekitd @{exec_path} {
|
|||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability chown,
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
capability fowner,
|
||||
capability kill,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
capability sys_nice,
|
||||
|
||||
network netlink raw,
|
||||
|
||||
signal send set=int peer=apt-methods-*,
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/PackageKit
|
||||
interface=org.freedesktop.{DBus.*,PackageKit},
|
||||
|
||||
dbus send bus=system path=/[0-9]*_@{hex}
|
||||
interface=org.freedesktop.{DBus.Properties,PackageKit.Transaction}
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
|
@ -28,9 +41,17 @@ profile packagekitd @{exec_path} {
|
|||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
dbus send bus=system path=/org/freedesktop/DBus{,/Bus}
|
||||
interface=org.freedesktop.DBus
|
||||
member=RequestName,
|
||||
member={RequestName,GetConnectionUnixUser},
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
|
||||
interface=org.freedesktop.PolicyKit[0-9].Authority
|
||||
member=CheckAuthorization,
|
||||
|
||||
dbus receive bus=system path=/[0-9]*_@{hex}
|
||||
interface=org.freedesktop.{DBus.Properties,PackageKit.Transaction},
|
||||
# peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
|
||||
interface=org.freedesktop.PolicyKit[0-9].Authority
|
||||
|
|
@ -53,17 +74,42 @@ profile packagekitd @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/dpkg rPx -> child-dpkg,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/appstreamcli rPx,
|
||||
/{usr/,}bin/dpkg rPx -> child-dpkg,
|
||||
/{usr/,}bin/echo rix,
|
||||
/{usr/,}bin/gdbus rix,
|
||||
/{usr/,}bin/ischroot rix,
|
||||
/{usr/,}bin/test rix,
|
||||
/{usr/,}bin/touch rix,
|
||||
/{usr/,}lib/apt/methods/* rPx,
|
||||
/{usr/,}lib/cnf-update-db rPx,
|
||||
/{usr/,}lib/update-notifier/update-motd-updates-available rPx,
|
||||
|
||||
/usr/share/dpkg/tupletable r,
|
||||
/usr/share/dpkg/cputable r,
|
||||
|
||||
/etc/PackageKit/PackageKit.conf r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
/var/cache/apt/ r,
|
||||
/var/cache/apt/** rwk,
|
||||
/var/cache/PackageKit/downloads/ r,
|
||||
|
||||
/var/lib/apt/lists/** rw,
|
||||
/var/lib/apt/lists/lock rwk,
|
||||
/var/lib/apt/periodic/update-success-stamp rw,
|
||||
/var/lib/dpkg/info/{,*} r,
|
||||
/var/lib/PackageKit/{,*} rw,
|
||||
/var/lib/PackageKit/transactions.db rwk,
|
||||
|
||||
owner @{run}/systemd/users/@{uid} r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
|
||||
include if exists <local/packagekitd>
|
||||
}
|
||||
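Review bot: In the second hunk the rule `dbus receive bus=system path=/[0-9]*_@{hex} interface=org.freedesktop.{DBus.Properties,PackageKit.Transaction},` carries a commented-out `# peer=(name=org.freedesktop.DBus),`, so the transaction objects accept messages from any sender. The dead line should either be deleted or replaced by a comment stating why no peer constraint fits (the callers are arbitrary clients, so a bus-name match cannot work), so the next reader does not take it for an oversight. The capability block in the first hunk (`chown`, `dac_override`, `dac_read_search`, `fowner`, `kill`, `setgid`, `setuid`, `sys_nice`) would likewise benefit from a one-line comment per capability naming the operation that needs it; `dac_override` with `dac_read_search` bypasses all file-permission checks for this root daemon.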
|
|
@ -40,6 +40,8 @@ profile update-motd-updates-available @{exec_path} {
|
|||
|
||||
/var/lib/update-notifier/{,*} rw,
|
||||
|
||||
/var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
|
||||
|
||||
/var/cache/apt/ r,
|
||||
/var/cache/apt/** rwk,
|
||||
|
||||
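Review bot: `/var/cache/apt/** rwk,` gives a helper that only reports whether updates are available write and lock access to everything under the apt cache, including the archives directory where downloaded packages wait for installation. If the need is apt's binary cache files (`pkgcache.bin`, `srcpkgcache.bin`), `/var/cache/apt/*.bin rwk,` covers them without the write on package archives; if the whole tree is genuinely needed, a comment saying which call requires it would justify the grant. Which lines of the hunk are new cannot be told from the rendering.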
|
|
|
|||
|
|
@ -187,6 +187,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/devices/system/cpu/ r,
|
||||
@{sys}/devices/system/cpu/cpu[0-9]*/cache/{,**} r,
|
||||
@{sys}/devices/system/cpu/cpu[0-9]*/topology/{,**} r,
|
||||
@{sys}/devices/system/cpu/possible r,
|
||||
@{sys}/devices/system/cpu/present r,
|
||||
@{sys}/devices/system/cpu/present/ r,
|
||||
@{sys}/devices/system/node/ r,
|
||||
|
|
|
|||
|
|
@ -32,6 +32,7 @@ profile virtlogd @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
@{run}/virtlogd.pid rwk,
|
||||
|
||||
@{sys}/devices/system/cpu/possible r,
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node[0-9]*/meminfo r,
|
||||
|
||||
|
|
|
|||