feat(abs): add the media-control abstraction
This commit is contained in:
parent
ec88fcbfcb
commit
c2ecc756b2
12 changed files with 37 additions and 30 deletions
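--- /dev/null
+++ b/apparmor.d/abstractions/media-control
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Canonical Ltd
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allows access to media controller such as microphones, and video capture hardware.
+# See: https://www.kernel.org/doc/Documentation/userspace-api/media/mediactl/media-controller-intro.rst
+
+abi <abi/4.0>,
+
+# Control of media devices
+/dev/media@{int} rwk,
+
+# Access to V4L subnodes configuration
+# See https://www.kernel.org/doc/html/v4.12/media/uapi/v4l/dev-subdev.html
+/dev/v4l-subdev@{int} rw,
+
+include if exists <abstractions/media-control.d>
+
+# vim:syntax=apparmor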
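Review bot: Including this abstraction widens profiles that previously held only `/dev/media@{int} r,`: the pulseaudio, gnome-control-center, org.gnome.NautilusPreviewer and virt-manager sections each drop a read-only rule and inherit `rwk` on `/dev/media@{int}` plus `rw` on `/dev/v4l-subdev@{int}`, so an audio server and a file previewer can now open the media controller and sub-device nodes for writing. The commit message does not say why write or lock access became necessary for those consumers, and the `k` is new even for pipewire and wireplumber, which previously used `rw`. Keeping `/dev/media@{int} r,` in those four profiles instead of the include would leave their access where it was, with the `rwk`/`rw` pair reserved for the profiles that actually configure capture pipelines. The header comment should also describe the nodes rather than example hardware, for instance `# Media controller (/dev/media*) and V4L2 sub-device nodes; write access is used to configure pipeline links and sub-device formats.`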
|
@ -15,6 +15,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/bus-system>
|
include <abstractions/bus-system>
|
||||||
include <abstractions/bus/org.freedesktop.RealtimeKit1>
|
include <abstractions/bus/org.freedesktop.RealtimeKit1>
|
||||||
include <abstractions/camera>
|
include <abstractions/camera>
|
||||||
|
include <abstractions/media-control>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
capability sys_ptrace,
|
capability sys_ptrace,
|
||||||
|
|
@ -66,8 +67,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
|
||||||
owner @{PROC}/@{pid}/attr/apparmor/current r,
|
owner @{PROC}/@{pid}/attr/apparmor/current r,
|
||||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||||
|
|
||||||
/dev/media@{int} rw,
|
|
||||||
|
|
||||||
include if exists <local/pipewire>
|
include if exists <local/pipewire>
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -26,6 +26,7 @@ profile pulseaudio @{exec_path} {
|
||||||
include <abstractions/desktop>
|
include <abstractions/desktop>
|
||||||
include <abstractions/gstreamer>
|
include <abstractions/gstreamer>
|
||||||
include <abstractions/hosts_access>
|
include <abstractions/hosts_access>
|
||||||
|
include <abstractions/media-control>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
ptrace (trace) peer=@{profile_name},
|
ptrace (trace) peer=@{profile_name},
|
||||||
|
|
@ -113,8 +114,6 @@ profile pulseaudio @{exec_path} {
|
||||||
owner @{PROC}/@{pids}/stat r,
|
owner @{PROC}/@{pids}/stat r,
|
||||||
owner @{PROC}/@{pids}/cmdline r,
|
owner @{PROC}/@{pids}/cmdline r,
|
||||||
|
|
||||||
/dev/media@{int} r,
|
|
||||||
|
|
||||||
# file_inherit
|
# file_inherit
|
||||||
owner /dev/tty@{int} rw,
|
owner /dev/tty@{int} rw,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -18,6 +18,7 @@ profile wireplumber @{exec_path} {
|
||||||
include <abstractions/bus/org.freedesktop.UPower>
|
include <abstractions/bus/org.freedesktop.UPower>
|
||||||
include <abstractions/camera>
|
include <abstractions/camera>
|
||||||
include <abstractions/devices-usb>
|
include <abstractions/devices-usb>
|
||||||
|
include <abstractions/media-control>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
network bluetooth raw,
|
network bluetooth raw,
|
||||||
|
|
@ -65,7 +66,6 @@ profile wireplumber @{exec_path} {
|
||||||
@{run}/systemd/users/@{uid} r,
|
@{run}/systemd/users/@{uid} r,
|
||||||
|
|
||||||
@{run}/udev/data/c14:@{int} r, # Open Sound System (OSS)
|
@{run}/udev/data/c14:@{int} r, # Open Sound System (OSS)
|
||||||
@{run}/udev/data/c81:@{int} r, # For video4linux
|
|
||||||
@{run}/udev/data/c116:@{int} r, # For ALSA
|
@{run}/udev/data/c116:@{int} r, # For ALSA
|
||||||
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
|
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
|
||||||
|
|
||||||
|
|
@ -86,7 +86,6 @@ profile wireplumber @{exec_path} {
|
||||||
owner @{PROC}/@{pid}/cgroup r,
|
owner @{PROC}/@{pid}/cgroup r,
|
||||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||||
|
|
||||||
/dev/media@{int} rw,
|
|
||||||
/dev/udmabuf rw,
|
/dev/udmabuf rw,
|
||||||
|
|
||||||
include if exists <local/wireplumber>
|
include if exists <local/wireplumber>
|
||||||
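Review bot: The removal of `@{run}/udev/data/c81:@{int} r, # For video4linux` in the second hunk has no replacement in this commit: the new media-control abstraction only covers `/dev/media@{int}` and `/dev/v4l-subdev@{int}`, and abstractions/camera is not among the twelve files changed. Unless camera already grants the c81 udev data read, wireplumber loses the ability to read video4linux device properties after this change. Confirm that camera carries this rule, or keep the line in the profile.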
|
|
|
||||||
|
|
@ -13,10 +13,12 @@ profile gnome-boxes @{exec_path} {
|
||||||
include <abstractions/bus-session>
|
include <abstractions/bus-session>
|
||||||
include <abstractions/bus-system>
|
include <abstractions/bus-system>
|
||||||
include <abstractions/bus/org.freedesktop.timedate1>
|
include <abstractions/bus/org.freedesktop.timedate1>
|
||||||
|
include <abstractions/camera>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/gnome-strict>
|
include <abstractions/gnome-strict>
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
include <abstractions/gstreamer>
|
include <abstractions/gstreamer>
|
||||||
|
include <abstractions/media-control>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/p11-kit>
|
include <abstractions/p11-kit>
|
||||||
include <abstractions/ssl_certs>
|
include <abstractions/ssl_certs>
|
||||||
|
|
@ -80,9 +82,6 @@ profile gnome-boxes @{exec_path} {
|
||||||
owner @{PROC}/@{pid}/mountinfo r,
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
owner @{PROC}/@{pid}/stat r,
|
owner @{PROC}/@{pid}/stat r,
|
||||||
|
|
||||||
/dev/media@{int} rw,
|
|
||||||
/dev/video@{int} rw,
|
|
||||||
|
|
||||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||||
|
|
||||||
profile virsh {
|
profile virsh {
|
||||||
|
|
|
||||||
|
|
@ -17,11 +17,13 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/bus/org.freedesktop.Avahi>
|
include <abstractions/bus/org.freedesktop.Avahi>
|
||||||
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
||||||
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
||||||
|
include <abstractions/camera>
|
||||||
include <abstractions/cups-client>
|
include <abstractions/cups-client>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/gnome-strict>
|
include <abstractions/gnome-strict>
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
include <abstractions/gstreamer>
|
include <abstractions/gstreamer>
|
||||||
|
include <abstractions/media-control>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/p11-kit>
|
include <abstractions/p11-kit>
|
||||||
include <abstractions/ssl_certs>
|
include <abstractions/ssl_certs>
|
||||||
|
|
@ -191,8 +193,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
||||||
owner @{PROC}/@{pid}/task/*/comm rw,
|
owner @{PROC}/@{pid}/task/*/comm rw,
|
||||||
|
|
||||||
/dev/ r,
|
/dev/ r,
|
||||||
/dev/media@{int} r,
|
|
||||||
/dev/video@{int} rw,
|
|
||||||
|
|
||||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -32,18 +32,19 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
include <abstractions/bus/org.freedesktop.systemd1>
|
include <abstractions/bus/org.freedesktop.systemd1>
|
||||||
include <abstractions/bus/org.freedesktop.UPower>
|
include <abstractions/bus/org.freedesktop.UPower>
|
||||||
include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
|
include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
|
||||||
|
include <abstractions/camera>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/fontconfig-cache-write>
|
include <abstractions/fontconfig-cache-write>
|
||||||
include <abstractions/gnome-strict>
|
include <abstractions/gnome-strict>
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
include <abstractions/gstreamer>
|
include <abstractions/gstreamer>
|
||||||
include <abstractions/ibus>
|
include <abstractions/ibus>
|
||||||
|
include <abstractions/media-control>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/notifications>
|
include <abstractions/notifications>
|
||||||
include <abstractions/p11-kit>
|
include <abstractions/p11-kit>
|
||||||
include <abstractions/ssl_certs>
|
include <abstractions/ssl_certs>
|
||||||
include <abstractions/thumbnails-cache-read>
|
include <abstractions/thumbnails-cache-read>
|
||||||
include <abstractions/video>
|
|
||||||
|
|
||||||
capability sys_nice,
|
capability sys_nice,
|
||||||
capability sys_ptrace,
|
capability sys_ptrace,
|
||||||
|
|
@ -321,7 +322,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
@{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal)
|
@{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal)
|
||||||
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
|
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
|
||||||
@{run}/udev/data/+sound:card@{int} r, # for sound card
|
@{run}/udev/data/+sound:card@{int} r, # for sound card
|
||||||
@{run}/udev/data/+usb:* r, # Identifies all USB devices
|
|
||||||
@{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.)
|
@{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.)
|
||||||
@{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners)
|
@{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners)
|
||||||
@{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
|
@{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
|
||||||
|
|
@ -379,7 +379,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||||
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||||
|
|
||||||
/dev/media@{int} rw,
|
|
||||||
/dev/tty@{int} rw,
|
/dev/tty@{int} rw,
|
||||||
@{att}/dev/dri/card@{int} rw,
|
@{att}/dev/dri/card@{int} rw,
|
||||||
@{att}/dev/input/event@{int} rw,
|
@{att}/dev/input/event@{int} rw,
|
||||||
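Review bot: Two removals in this section are not obviously covered by the new abstraction: `@{run}/udev/data/+usb:* r` in the second hunk, and `include <abstractions/video>` in the first, which is swapped for `include <abstractions/camera>` (the same swap appears in the org.gnome.NautilusPreviewer section). media-control grants only the `/dev/media@{int}` and `/dev/v4l-subdev@{int}` nodes, and neither camera nor video is touched by this commit, so whether camera is a superset of video and also carries the USB udev rule cannot be verified from the diff. If it is not, gnome-shell silently loses those reads; confirm against the camera abstraction, or keep `@{run}/udev/data/+usb:* r, # Identifies all USB devices` in the profile.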
|
|
|
||||||
|
|
@ -68,9 +68,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) {
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||||
|
|
||||||
/dev/media@{int} rw,
|
|
||||||
/dev/video@{int} rw,
|
|
||||||
|
|
||||||
include if exists <local/localsearch>
|
include if exists <local/localsearch>
|
||||||
}
|
}
|
||||||
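Review bot: This section only removes `/dev/media@{int} rw,` and `/dev/video@{int} rw,`; no `include <abstractions/camera>` or `include <abstractions/media-control>` is added, and the hunk header's unchanged `+68` offset suggests no line was added above it in this file. Unless localsearch already includes both abstractions, its video and media device access is dropped entirely by this commit. If that is intended (an indexer arguably has no business holding capture-device access), the commit message should say so; otherwise add the two includes next to the profile's other abstractions.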
|
|
||||||
|
|
|
||||||
|
|
@ -10,14 +10,15 @@ include <tunables/global>
|
||||||
profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) {
|
profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/audio-client>
|
include <abstractions/audio-client>
|
||||||
|
include <abstractions/camera>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/deny-sensitive-home>
|
include <abstractions/deny-sensitive-home>
|
||||||
include <abstractions/gnome-strict>
|
include <abstractions/gnome-strict>
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
include <abstractions/gstreamer>
|
include <abstractions/gstreamer>
|
||||||
|
include <abstractions/media-control>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/private-files-strict>
|
include <abstractions/private-files-strict>
|
||||||
include <abstractions/video>
|
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
|
@ -52,8 +53,6 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) {
|
||||||
owner @{PROC}/@{pid}/task/@{tid}/comm w,
|
owner @{PROC}/@{pid}/task/@{tid}/comm w,
|
||||||
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||||
|
|
||||||
/dev/media@{int} r,
|
|
||||||
|
|
||||||
include if exists <local/org.gnome.NautilusPreviewer>
|
include if exists <local/org.gnome.NautilusPreviewer>
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -11,10 +11,12 @@ include <tunables/global>
|
||||||
profile cheese @{exec_path} {
|
profile cheese @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/audio-client>
|
include <abstractions/audio-client>
|
||||||
|
include <abstractions/camera>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/desktop>
|
include <abstractions/desktop>
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
include <abstractions/gstreamer>
|
include <abstractions/gstreamer>
|
||||||
|
include <abstractions/media-control>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/thumbnails-cache-write>
|
include <abstractions/thumbnails-cache-write>
|
||||||
|
|
||||||
|
|
@ -49,9 +51,6 @@ profile cheese @{exec_path} {
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||||
|
|
||||||
/dev/media@{int} rw,
|
|
||||||
/dev/video@{int} rw,
|
|
||||||
|
|
||||||
include if exists <local/cheese>
|
include if exists <local/cheese>
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -9,14 +9,12 @@ include <tunables/global>
|
||||||
@{exec_path} = @{bin}/v4l2-ctl
|
@{exec_path} = @{bin}/v4l2-ctl
|
||||||
profile v4l2-ctl @{exec_path} {
|
profile v4l2-ctl @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/camera>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/devices-usb>
|
include <abstractions/media-control>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/dev/media@{int} rw,
|
|
||||||
/dev/video@{int} rw,
|
|
||||||
|
|
||||||
include if exists <local/v4l2-ctl>
|
include if exists <local/v4l2-ctl>
|
||||||
}
|
}
|
||||||
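Review bot: `include <abstractions/devices-usb>` is replaced by `include <abstractions/media-control>` rather than kept alongside it, which is a permission drop unrelated to the refactor. Nothing in media-control (only `/dev/media@{int}` and `/dev/v4l-subdev@{int}`) visibly covers what devices-usb granted, and v4l2-ctl is commonly pointed at USB capture devices. Unless camera pulls in devices-usb, keep both lines, `include <abstractions/devices-usb>` followed by `include <abstractions/media-control>`, or state the removal in the commit message.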
|
|
||||||
|
|
|
||||||
|
|
@ -16,12 +16,14 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/bus-session>
|
include <abstractions/bus-session>
|
||||||
include <abstractions/bus-system>
|
include <abstractions/bus-system>
|
||||||
include <abstractions/bus/org.a11y>
|
include <abstractions/bus/org.a11y>
|
||||||
|
include <abstractions/camera>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/desktop>
|
include <abstractions/desktop>
|
||||||
include <abstractions/devices-usb>
|
include <abstractions/devices-usb>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
include <abstractions/gstreamer>
|
include <abstractions/gstreamer>
|
||||||
|
include <abstractions/media-control>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/python>
|
include <abstractions/python>
|
||||||
include <abstractions/ssl_certs>
|
include <abstractions/ssl_certs>
|
||||||
|
|
@ -101,9 +103,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
owner @{PROC}/@{pid}/stat r,
|
owner @{PROC}/@{pid}/stat r,
|
||||||
|
|
||||||
/dev/media@{int} r,
|
|
||||||
/dev/video@{int} rw,
|
|
||||||
|
|
||||||
# Silence the noise
|
# Silence the noise
|
||||||
deny /usr/share/virt-manager/{,**} w,
|
deny /usr/share/virt-manager/{,**} w,
|
||||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||||
|
|
|
||||||