feat(profiles): general update.

This commit is contained in:
Alexandre Pujol 2022-06-03 20:13:11 +01:00
parent 8142ad657d
commit c32b19a808
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
40 changed files with 218 additions and 196 deletions


@ -33,6 +33,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/echo rix, /{usr/,}bin/echo rix,
/{usr/,}bin/gdbus rix, /{usr/,}bin/gdbus rix,
/{usr/,}bin/ischroot rix,
/{usr/,}bin/test rix, /{usr/,}bin/test rix,
/{usr/,}bin/touch rix, /{usr/,}bin/touch rix,
@ -49,7 +50,10 @@ profile apt @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/dpkg-source rcx -> dpkg-source, /{usr/,}bin/dpkg-source rcx -> dpkg-source,
/{usr/,}bin/etckeeper rPx, /{usr/,}bin/etckeeper rPx,
/{usr/,}bin/ps rPx, /{usr/,}bin/ps rPx,
/{usr/,}bin/snap rPUx,
/{usr/,}lib/cnf-update-db rPx,
/{usr/,}lib/needrestart/apt-pinvoke rPx, /{usr/,}lib/needrestart/apt-pinvoke rPx,
/{usr/,}lib/ubuntu-advantage/apt-esm-hook rPx,
/{usr/,}lib/update-notifier/update-motd-updates-available rPx, /{usr/,}lib/update-notifier/update-motd-updates-available rPx,
/usr/share/command-not-found/cnf-update-db rPx, /usr/share/command-not-found/cnf-update-db rPx,
@ -81,6 +85,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
/var/lib/dpkg/lock{,-frontend} rwk, /var/lib/dpkg/lock{,-frontend} rwk,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/mountinfo r,
/dev/ptmx rw, /dev/ptmx rw,
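Review bot: The new `/{usr/,}bin/snap rPUx,` in the second apt hunk falls back to unconfined execution (`U`) whenever no `snap` profile is loaded, so apt, which is running with root privileges here, would launch snap with no confinement at all on such systems. If this profile set ships a `snap` profile, `rPx` pins the transition; if the fallback is deliberate, a comment such as `# No snap profile; falls back to unconfined on purpose` would tell the next reader. The same `rPUx` form for snap already appears as a context line in gnome-session-binary, so the choice is at least consistent with the repository. Separately, the added `@{PROC}/@{pids}/mountinfo r,` is unowned and matches every process; if only apt's own mount table is needed, `owner @{PROC}/@{pid}/mountinfo r,` is the tighter rule, matching the `owner @{PROC}/@{pid}/fd/ r,` line just above it.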


@ -37,6 +37,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/apt-listchanges rPx, /{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/dpkg rPx, /{usr/,}bin/dpkg rPx,
/{usr/,}bin/etckeeper rPx, /{usr/,}bin/etckeeper rPx,
/{usr/,}bin/ischroot rix,
/{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/python3.[0-9]* rix, /{usr/,}bin/python3.[0-9]* rix,
/{usr/,}bin/uname rix, /{usr/,}bin/uname rix,


@ -14,6 +14,8 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/ischroot rix,
/usr/share/unattended-upgrades/{,*} r, /usr/share/unattended-upgrades/{,*} r,
/etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf.d/{,*} r,


@ -81,7 +81,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
@{sys}/module/apparmor/parameters/enabled r, @{sys}/module/apparmor/parameters/enabled r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/mounts r, @{PROC}/@{pids}/mounts r,
@{PROC}/@{pids}/attr/apparmor/current r, @{PROC}/@{pids}/attr/apparmor/current r,
@{PROC}/@{pids}/oom_score_adj rw, @{PROC}/@{pids}/oom_score_adj rw,
@{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cmdline r,


@ -15,6 +15,8 @@ profile accounts-daemon @{exec_path} {
include <abstractions/wutmp> include <abstractions/wutmp>
capability dac_read_search, capability dac_read_search,
capability setgid,
capability setuid,
capability sys_nice, capability sys_nice,
capability sys_ptrace, capability sys_ptrace,
@ -25,9 +27,10 @@ profile accounts-daemon @{exec_path} {
/usr/share/accountsservice/{,**} r, /usr/share/accountsservice/{,**} r,
/usr/share/dbus-1/interfaces/*.xml r, /usr/share/dbus-1/interfaces/*.xml r,
/etc/gdm/ r, /etc/default/locale r,
/etc/gdm/custom.conf rw, /etc/gdm{3,}/ r,
/etc/gdm/custom.conf.* rw, /etc/gdm{3,}/custom.conf rw,
/etc/gdm{3,}/custom.conf.* rw,
/etc/machine-id r, /etc/machine-id r,
/etc/shadow r, /etc/shadow r,
/etc/shells r, /etc/shells r,
@ -35,6 +38,8 @@ profile accounts-daemon @{exec_path} {
owner /var/lib/AccountsService/ r, owner /var/lib/AccountsService/ r,
owner /var/lib/AccountsService/** rw, owner /var/lib/AccountsService/** rw,
@{HOME}/ r,
@{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cmdline r,
@{PROC}/1/environ r, @{PROC}/1/environ r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
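Review bot: `capability setgid,` and `capability setuid,` are granted to accounts-daemon without any comment on why a daemon that already reads `/etc/shadow` also needs to change its credentials; since these are the capabilities that let a confined process assume another identity, a one-line reason would help later audits, e.g. `# Needed to switch identity when running per-user helpers — TODO confirm`. The same undocumented-capability pattern appears later in this commit with `capability kill,` in pacman and `capability sys_ptrace,` in package-system-locked, which would benefit from the same treatment. The added `@{HOME}/ r,` carries no `owner` qualifier and so permits listing every user's home directory; accounts-daemon presumably runs as root, so `owner` would not narrow it, but naming the operation that needs the listing in a comment would make the rule reviewable.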


@ -37,7 +37,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,
/var/lib/lightdm/.Xauthority r, /var/lib/lightdm/.Xauthority r,
/var/lib/gdm/.config/dconf/user r, /var/lib/gdm/.config/dconf/user r,


@ -6,7 +6,8 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/colord/colord-session @{libexec}/colord-session @{exec_path} = /{usr/,}lib/colord/colord-session
@{exec_path} += @{libexec}/colord-session
profile colord-session @{exec_path} flags=(complain) { profile colord-session @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>


@ -16,12 +16,17 @@ profile pulseaudio @{exec_path} {
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/gstreamer>
include <abstractions/hosts_access>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
ptrace (trace) peer=@{profile_name}, ptrace (trace) peer=@{profile_name},
signal (receive) peer=pacmd, signal (receive) peer=pacmd,
unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*),
unix (send receive connect) type=stream peer=(addr=@/tmp/.ICE-unix/*),
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
@ -29,65 +34,6 @@ profile pulseaudio @{exec_path} {
network bluetooth stream, network bluetooth stream,
network bluetooth seqpacket, network bluetooth seqpacket,
@{exec_path} mrix,
/{usr/,}lib{exec,}/pulse/gsettings-helper mrix,
/{usr/,}lib/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mrix,
/{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
# PulseAudio files
/usr/share/pulseaudio/{,**} r,
/{usr/,}lib/pulse-*/modules/*.so mr,
# PulseAudio home config files
owner @{user_config_dirs}/pulse/{,**} rw,
owner @{user_config_dirs}/dconf/user r,
owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r,
# Needed when PulseAudio is started via the start-pulseaudio-x11 script
owner @{HOME}/.Xauthority r,
# Needed when PulseAudio is started via gdm
owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r,
owner @{HOME}/.ICEauthority r,
# TCP wrap
/etc/hosts.{allow,deny} r,
owner @{run}/user/@{uid}/ rw,
owner @{run}/user/@{uid}/pulse/{,*} rw,
owner @{run}/user/@{uid}/pulse/*.lock k,
/usr/share/applications/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/sound/ r,
@{sys}/devices/**/sound/**/{uevent,pcm_class} r,
@{run}/udev/data/+sound* r,
@{run}/udev/data/c116:[0-9]* r, # For ALSA
@{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]/meminfo r,
deny @{sys}/module/apparmor/parameters/enabled r,
@{run}/systemd/users/@{uid} r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/ICEauthority r,
owner @{run}/user/@{uid}/systemd/notify rw,
owner @{PROC}/@{pids}/fd/ r,
owner @{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/cmdline r,
# DBus
dbus (send) dbus (send)
bus=session bus=session
path=/org/freedesktop/DBus path=/org/freedesktop/DBus
@ -139,14 +85,18 @@ profile pulseaudio @{exec_path} {
member=GetManagedObjects member=GetManagedObjects
peer=(name=org.bluez), peer=(name=org.bluez),
unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*), @{exec_path} mrix,
unix (send receive connect) type=stream peer=(addr=@/tmp/.ICE-unix/*),
# The orcexec.* file is JIT compiled code for various GStreamer elements. /{usr/,}@{libexec}/pulse/gsettings-helper mrix,
# If one is blocked the next is used instead. /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
owner @{run}/user/@{uid}/orcexec.* mrw, /{usr/,}lib/pulse-*/modules/*.so mr,
#owner @{HOME}/orcexec.* mrw,
#owner /tmp/orcexec.* mrw, /usr/share/applications/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/pulseaudio/{,**} r,
/usr/share/ubuntu/applications/{,*} r,
/var/lib/snapd/desktop/applications/ r,
# For GDM # For GDM
owner /var/lib/gdm{[1-9],}/.config/pulse/{,**} rw, owner /var/lib/gdm{[1-9],}/.config/pulse/{,**} rw,
@ -164,13 +114,42 @@ profile pulseaudio @{exec_path} {
owner /var/lib/lightdm/.config/pulse/{,**} rw, owner /var/lib/lightdm/.config/pulse/{,**} rw,
owner /var/lib/lightdm/.config/pulse/cookie k, owner /var/lib/lightdm/.config/pulse/cookie k,
owner @{HOME}/.Xauthority r,
owner @{HOME}/.ICEauthority r,
owner @{user_config_dirs}/pulse/{,**} rw,
owner @{user_config_dirs}/dconf/user r,
owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r,
owner @{run}/user/@{uid}/ rw,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
owner @{run}/user/@{uid}/ICEauthority r,
owner @{run}/user/@{uid}/pulse/{,*} rw,
owner @{run}/user/@{uid}/pulse/*.lock k,
owner @{run}/user/@{uid}/systemd/notify rw,
@{run}/systemd/users/@{uid} r,
@{run}/udev/data/+sound* r,
@{run}/udev/data/c116:[0-9]* r, # For ALSA
@{sys}/class/sound/ r,
@{sys}/devices/**/sound/**/{uevent,pcm_class} r,
@{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
deny @{sys}/module/apparmor/parameters/enabled r,
owner @{PROC}/@{pids}/fd/ r,
owner @{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/cmdline r,
# file_inherit # file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
# Snap
/var/lib/snapd/desktop/applications/ r,
/usr/{local/,}share/ubuntu/applications/{,*} r,
include if exists <local/pulseaudio> include if exists <local/pulseaudio>
} }
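Review bot: `/{usr/,}@{libexec}/pulse/gsettings-helper mrix,` in the -139/+85 hunk prefixes `@{libexec}` with `/{usr/,}`, whereas every other use of `@{libexec}` in this commit is bare (`@{libexec}/gdm-session-worker rPx,`, `@{libexec}/colord-session`), so if the tunable already begins with a leading slash this rule expands to a doubled leading component and never matches the helper. The previous rule was `/{usr/,}lib{exec,}/pulse/gsettings-helper mrix,`, which suggests the intended replacement is `@{libexec}/pulse/gsettings-helper mrix,`. Worth checking against the tunable's actual definition before merging, since a silently dead rule here would surface only as a denial at runtime.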


@ -28,7 +28,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
/ r, / r,
/.flatpak-info r, /.flatpak-info r,
/{usr/,}lib/x r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/pipewire/client.conf r, /usr/share/pipewire/client.conf r,


@ -10,6 +10,7 @@ include <tunables/global>
profile xdg-desktop-portal-gnome @{exec_path} { profile xdg-desktop-portal-gnome @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf> include <abstractions/dconf>
include <abstractions/fontconfig-cache-write>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
include <abstractions/gtk> include <abstractions/gtk>


@ -26,13 +26,17 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/plymouth rPx, /{usr/,}{s,}prime-switch rPx,
/{usr/,}lib/gdm-session-worker rPx, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/plymouth rPx,
/etc/gdm{3,}/PrimeOff/Default rix,
@{libexec}/gdm-session-worker rPx,
/usr/share/gdm/gdm.schemas r, /usr/share/gdm/gdm.schemas r,
/usr/share/wayland-sessions/*.desktop r, /usr/share/wayland-sessions/*.desktop r,
/usr/share/xsessions/*.desktop r, /usr/share/xsessions/*.desktop r,
/etc/default/locale r,
/etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/custom.conf r,
/etc/locale.conf r, /etc/locale.conf r,
@ -49,6 +53,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,
@{run}/udev/tags/master-of-seat/ r, @{run}/udev/tags/master-of-seat/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/pci[0-9]*/**/boot_vga r, @{sys}/devices/pci[0-9]*/**/boot_vga r,
@{sys}/devices/virtual/tty/tty[0-9]*/active r, @{sys}/devices/virtual/tty/tty[0-9]*/active r,
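Review bot: `/{usr/,}{s,}prime-switch rPx,` in the first gdm hunk is missing the `bin/` component, so it expands to paths such as `/usr/sprime-switch` and will not match the binary; the sshd section of this same commit spells the pattern as `/{usr/,}{s,}bin/nologin rPx,`, so the intended rule is presumably `/{usr/,}{s,}bin/prime-switch rPx,`. The `rPx` transition also requires a loaded `prime-switch` profile, otherwise the exec is denied, which is fine if such a profile exists in the set but should be confirmed. The new `/{usr/,}bin/{,ba,da}sh rix,` and `/etc/gdm{3,}/PrimeOff/Default rix,` run a shell and a hook script from `/etc` inside gdm's own confinement; a short comment tying the shell rule to the PrimeOff hook, e.g. `# Shell is needed for the /etc/gdm{3,}/PrimeOff/Default hook`, would record why a display manager profile now permits inline shells.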


@ -45,6 +45,10 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
@{libexec}/gdm-wayland-session rPx, @{libexec}/gdm-wayland-session rPx,
@{libexec}/gdm-x-session rPx, @{libexec}/gdm-x-session rPx,
/etc/gdm{3,}/{Pre,Post}Session/Default rix, /etc/gdm{3,}/{Pre,Post}Session/Default rix,
/etc/gdm{3,}/PrimeOff/Default rix,
/usr/share/gdm/gdm.schemas r,
/usr/share/wayland-sessions/*.desktop r,
/etc/default/locale r, /etc/default/locale r,
/etc/environment r, /etc/environment r,
@ -56,8 +60,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
/etc/security/limits.d/{,*.conf} r, /etc/security/limits.d/{,*.conf} r,
/etc/shells r, /etc/shells r,
/usr/share/gdm/gdm.schemas r, owner @{run}/user/@{uid}/keyring/control rw,
/usr/share/wayland-sessions/*.desktop r,
@{run}/faillock/[a-zA-z0-9]* rwk, @{run}/faillock/[a-zA-z0-9]* rwk,
@{run}/gdm/custom.conf r, @{run}/gdm/custom.conf r,
@ -65,8 +68,6 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,
@{run}/utmp rwk, @{run}/utmp rwk,
@{run}/systemd/userdb/io.systemd.DynamicUser w,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/loginuid rw,
owner @{PROC}/@{pid}/task/@{tid}/attr/exec rw, owner @{PROC}/@{pid}/task/@{tid}/attr/exec rw,


@ -22,18 +22,19 @@ profile gdm-wayland-session @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# It can run hooks, how to handle them nicely? rCx? them mostly include if exist
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/env rix, /{usr/,}bin/env rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/gnome-session rix, /{usr/,}bin/gnome-session rix,
/{usr/,}bin/grep rix, /{usr/,}bin/grep rix,
/{usr/,}bin/gsettings rix, /{usr/,}bin/gsettings rix,
/{usr/,}bin/head rix,
/{usr/,}bin/locale rix, /{usr/,}bin/locale rix,
/{usr/,}bin/locale-check rix, /{usr/,}bin/locale-check rix,
/{usr/,}bin/qmake rix,
/{usr/,}bin/sed rix, /{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/tty rix, /{usr/,}bin/tty rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/zsh rix, /{usr/,}bin/zsh rix,
/{usr/,}bin/dbus-daemon rPx, /{usr/,}bin/dbus-daemon rPx,
@ -42,12 +43,14 @@ profile gdm-wayland-session @{exec_path} {
/{usr/,}bin/flatpak rPUx, /{usr/,}bin/flatpak rPUx,
@{libexec}/gnome-session-binary rPx, @{libexec}/gnome-session-binary rPx,
/{usr/,}bin/gettext.sh r,
/usr/share/im-config/{,**} r, /usr/share/im-config/{,**} r,
/etc/default/im-config r, /etc/default/im-config r,
/etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/custom.conf r,
/etc/machine-id r, /etc/machine-id r,
/etc/shells r, /etc/shells r,
/etc/X11/xinit/xinputrc r,
/etc/X11/Xsession.d/*im-config_launch r, /etc/X11/Xsession.d/*im-config_launch r,
/usr/share/gdm/gdm.schemas r, /usr/share/gdm/gdm.schemas r,


@ -30,7 +30,5 @@ profile gnome-calendar @{exec_path} {
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
include if exists <local/gnome-calendar> include if exists <local/gnome-calendar>
} }


@ -14,6 +14,7 @@ profile gnome-contacts @{exec_path} {
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/gnome> include <abstractions/gnome>
include <abstractions/gstreamer> include <abstractions/gstreamer>
include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/opencl> include <abstractions/opencl>
include <abstractions/openssl> include <abstractions/openssl>
@ -28,14 +29,11 @@ profile gnome-contacts @{exec_path} {
/usr/share/applications/{,*.desktop} r, /usr/share/applications/{,*.desktop} r,
owner @{user_cache_dirs}/evolution/addressbook/{,**} r, owner @{user_cache_dirs}/evolution/addressbook/{,**} r,
owner @{user_cache_dirs}/mesa_shader_cache/index rw,
owner @{user_config_dirs}/gnome-contacts/{,**} rw, owner @{user_config_dirs}/gnome-contacts/{,**} rw,
owner @{user_share_dirs}/folks/relationships.ini r, owner @{user_share_dirs}/folks/relationships.ini r,
owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
include if exists <local/gnome-contacts> include if exists <local/gnome-contacts>
} }


@ -111,6 +111,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/comm r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/maps r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/statm r,


@ -10,8 +10,9 @@ include <tunables/global>
profile gnome-extension-ding @{exec_path} { profile gnome-extension-ding @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf> include <abstractions/dconf>
include <abstractions/freedesktop.org>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
@{exec_path} mr, @{exec_path} mr,
@ -22,7 +23,7 @@ profile gnome-extension-ding @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/gnome-shell/extensions/ding@rastersoft.com/* r, /usr/share/gnome-shell/extensions/ding@rastersoft.com/* r,
/usr/share/themes/{,**} r, /usr/share/themes/{,**} r,
/usr/share/thumbnailers/*.thumbnailer r, /usr/share/thumbnailers/{,*.thumbnailer} r,
/usr/share/X11/{,**} r, /usr/share/X11/{,**} r,
/var/lib/snapd/desktop/icons/{,**} r, /var/lib/snapd/desktop/icons/{,**} r,


@ -43,17 +43,18 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/aa-notify rPx, /{usr/,}bin/aa-notify rPx,
/{usr/,}bin/blueman-applet rPx, /{usr/,}bin/blueman-applet rPx,
/{usr/,}bin/xdg-user-dirs-update rPx,
/{usr/,}bin/firewall-applet rPUx, /{usr/,}bin/firewall-applet rPUx,
/{usr/,}bin/gnome-keyring-daemon rPx, /{usr/,}bin/gnome-keyring-daemon rPx,
/{usr/,}bin/gnome-shell rPx, /{usr/,}bin/gnome-shell rPx,
/{usr/,}bin/im-launch rPx, /{usr/,}bin/im-launch rPx,
/{usr/,}bin/pkcs11-register rPx, /{usr/,}bin/pkcs11-register rPx,
/{usr/,}bin/snap rPUx, /{usr/,}bin/snap rPUx,
/{usr/,}bin/spice-vdagent rPx,
/{usr/,}bin/start-pulseaudio-x11 rPx, /{usr/,}bin/start-pulseaudio-x11 rPx,
/{usr/,}bin/ubuntu-report rPx, /{usr/,}bin/ubuntu-report rPx,
/{usr/,}bin/update-notifier rPx, /{usr/,}bin/update-notifier rPx,
/{usr/,}bin/xbrlapi rPx, /{usr/,}bin/xbrlapi rPx,
/{usr/,}bin/xdg-user-dirs-update rPx,
/{usr/,}lib/update-notifier/ubuntu-advantage-notification rPx, /{usr/,}lib/update-notifier/ubuntu-advantage-notification rPx,
@{libexec}/at-spi-bus-launcher rPx, @{libexec}/at-spi-bus-launcher rPx,
@{libexec}/evolution-data-server/evolution-alarm-notify rPx, @{libexec}/evolution-data-server/evolution-alarm-notify rPx,
@ -98,14 +99,15 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/applications/ r, owner @{user_share_dirs}/applications/ r,
owner @{user_share_dirs}/applications/mimeinfo.cache r, owner @{user_share_dirs}/applications/mimeinfo.cache r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl, owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl,
owner @{run}/user/@{uid}/systemd/notify w,
@{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/systemd/sessions/* r, @{run}/systemd/sessions/* r,
@{run}/systemd/sessions/*.ref rw, @{run}/systemd/sessions/*.ref rw,
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,


@ -125,6 +125,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw, owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
owner @{run}/user/@{uid}/snap.snapd-desktop-integration/wayland-cursor-shared-* rw,
owner @{run}/user/@{uid}/wayland-[0-9].lock rwk, owner @{run}/user/@{uid}/wayland-[0-9].lock rwk,
owner /dev/shm/.org.chromium.Chromium.* rw, owner /dev/shm/.org.chromium.Chromium.* rw,


@ -10,8 +10,8 @@ include <tunables/global>
profile gsd-color @{exec_path} flags=(attach_disconnected) { profile gsd-color @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf> include <abstractions/dconf>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/gtk> include <abstractions/gtk>
signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(term, hup) peer=gdm*,


@ -10,8 +10,8 @@ include <tunables/global>
profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf> include <abstractions/dconf>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/gtk> include <abstractions/gtk>
signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(term, hup) peer=gdm*,


@ -12,17 +12,16 @@ profile tracker-miner @{exec_path} {
include <abstractions/dbus-session-strict> # TODO: FIXME: See if we keep them like this. include <abstractions/dbus-session-strict> # TODO: FIXME: See if we keep them like this.
include <abstractions/dconf> include <abstractions/dconf>
include <abstractions/disks-read> include <abstractions/disks-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/private-files-strict> include <abstractions/private-files-strict>
include <abstractions/private-files> include <abstractions/private-files>
@{exec_path} mr, @{exec_path} mr,
/usr/share/applications/{,mimeinfo.cache,*.list} r,
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r, /usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/mime/mime.cache r,
/usr/share/tracker3-miners/{,**} r, /usr/share/tracker3-miners/{,**} r,
/usr/share/tracker3/{,**} r, /usr/share/tracker3/{,**} r,
/usr/share/ubuntu/applications/ r, /usr/share/ubuntu/applications/ r,
@ -43,8 +42,6 @@ profile tracker-miner @{exec_path} {
owner @{MOUNTS}/*/{,**} r, owner @{MOUNTS}/*/{,**} r,
owner /tmp/*/{,**} r, owner /tmp/*/{,**} r,
owner @{user_share_dirs}/{applications/,mime/mime.cache} r,
owner @{user_config_dirs}/user-dirs.dirs r,
owner @{user_config_dirs}/tracker3/{,**} rwk, owner @{user_config_dirs}/tracker3/{,**} rwk,
owner @{user_cache_dirs}/tracker3/files/{,**} rwk, owner @{user_cache_dirs}/tracker3/files/{,**} rwk,


@ -21,6 +21,7 @@ profile pacman @{exec_path} {
capability dac_read_search, capability dac_read_search,
capability fowner, capability fowner,
capability fsetid, capability fsetid,
capability kill,
capability mknod, capability mknod,
capability net_admin, capability net_admin,
capability setfcap, capability setfcap,
@ -83,6 +84,7 @@ profile pacman @{exec_path} {
/{usr/,}bin/glib-compile-schemas rPx, /{usr/,}bin/glib-compile-schemas rPx,
/{usr/,}bin/groupadd rPx, /{usr/,}bin/groupadd rPx,
/{usr/,}bin/gtk-query-immodules-{2,3}.0 rPx, /{usr/,}bin/gtk-query-immodules-{2,3}.0 rPx,
/{usr/,}bin/install-catalog rPx,
/{usr/,}bin/install-info rPx, /{usr/,}bin/install-info rPx,
/{usr/,}bin/journalctl rPx, /{usr/,}bin/journalctl rPx,
/{usr/,}bin/locale-gen rPx, /{usr/,}bin/locale-gen rPx,
@ -124,7 +126,9 @@ profile pacman @{exec_path} {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
@{PROC}/@{pids}/ r,
@{PROC}/@{pids}/stat r, @{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/1/environ r, @{PROC}/1/environ r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,


@ -51,12 +51,12 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}{s,}bin/nologin rPx,
/{usr/,}bin/{,b,d,rb}ash rUx, /{usr/,}bin/{,b,d,rb}ash rUx,
/{usr/,}bin/{c,k,tc,z}sh rUx, /{usr/,}bin/{c,k,tc,z}sh rUx,
/{usr/,}{s,}bin/nologin rPx, /{usr/,}bin/false rix,
/{usr/,}bin/passwd rPx, /{usr/,}bin/passwd rPx,
/{usr/,}lib/openssh/sftp-server rPx, /{usr/,}lib/openssh/sftp-server rPx,
/{usr/,}bin/false rix,
/etc/default/locale r, /etc/default/locale r,
/etc/environment r, /etc/environment r,
@ -78,8 +78,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
@{run}/motd.dynamic rw, @{run}/motd.dynamic rw,
@{run}/motd.dynamic.new rw, @{run}/motd.dynamic.new rw,
@{run}/resolvconf/resolv.conf r, @{run}/resolvconf/resolv.conf r,
@{run}/systemd/sessions/*.ref rw,
@{run}/systemd/notify w, @{run}/systemd/notify w,
@{run}/systemd/sessions/*.ref rw,
@{sys}/fs/cgroup/*/user/*/[0-9]*/ rw, @{sys}/fs/cgroup/*/user/*/[0-9]*/ rw,
@{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-*.scope/ rw, @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-*.scope/ rw,


@ -24,12 +24,14 @@ profile bootctl @{exec_path} {
/{boot,efi}/ r, /{boot,efi}/ r,
/{boot,efi}/EFI/{,**} r, /{boot,efi}/EFI/{,**} r,
/{boot,efi}/loader/{,**} r,
/{boot,efi}/EFI/BOOT/.#BOOT*.EFI[0-9a-f]* rw, /{boot,efi}/EFI/BOOT/.#BOOT*.EFI[0-9a-f]* rw,
/{boot,efi}/EFI/BOOT/BOOTX64.EFI w, /{boot,efi}/EFI/BOOT/BOOTX64.EFI w,
/{boot,efi}/EFI/systemd/.#systemd-boot*.efi[0-9a-f]* rw, /{boot,efi}/EFI/systemd/.#systemd-boot*.efi[0-9a-f]* rw,
/{boot,efi}/EFI/systemd/systemd-boot*.efi w, /{boot,efi}/EFI/systemd/systemd-boot*.efi w,
/{boot,efi}/loader/.#bootctlrandom-seed[0-9a-f]* rw, /{boot,efi}/loader/.#bootctlrandom-seed[0-9a-f]* rw,
/{boot,efi}/loader/.#entries.srel* w,
/{boot,efi}/loader/{,**} r,
/{boot,efi}/loader/entries.srel w,
/{boot,efi}/loader/random-seed w, /{boot,efi}/loader/random-seed w,
/etc/machine-id r, /etc/machine-id r,


@ -11,12 +11,11 @@ include <tunables/global>
profile networkctl @{exec_path} flags=(complain) { profile networkctl @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
# To be able to manage network interfaces,
capability net_admin, capability net_admin,
# Needed? (#FIXME#) # Needed? (#FIXME#)
audit deny capability sys_resource, audit capability sys_resource,
audit deny capability sys_module, audit capability sys_module,
signal send peer=child-pager, signal send peer=child-pager,
@ -49,6 +48,7 @@ profile networkctl @{exec_path} flags=(complain) {
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,
@{PROC}/filesystems r,
@{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/boot_id r,
include if exists <local/networkctl> include if exists <local/networkctl>
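Review bot: If, as the old/new print order suggests, `audit deny capability sys_resource,` and `audit deny capability sys_module,` became `audit capability sys_resource,` and `audit capability sys_module,`, the networkctl profile now grants CAP_SYS_MODULE and CAP_SYS_RESOURCE rather than blocking them, while the `# Needed? (#FIXME#)` comment directly above remains unresolved. Explicit deny rules are enforced even under `flags=(complain)`, so this flip is a real change in what networkctl may do, and CAP_SYS_MODULE in particular is a capability a network status tool should not normally hold; keeping the `deny` until the FIXME is answered, or dropping the two rules if they are unnecessary, seems safer. The hunk also drops the `# To be able to manage network interfaces,` comment that explained `capability net_admin,`; restoring that one line keeps the remaining capability documented.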


@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov # Copyright (C) 2018-2022 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -17,7 +17,11 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{run}/systemd/notify rw,
@{run}/udev/data/+dmi:id r,
@{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/bios_vendor r,
@{sys}/devices/virtual/dmi/id/bios_version r,
@{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r,
@{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/dmi/id/chassis_type r,
@{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_name r,
@ -25,7 +29,6 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/dmi/id/uevent r, @{sys}/devices/virtual/dmi/id/uevent r,
@{run}/udev/data/+dmi:id r,
@{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/dmi/entries/*/raw r,
/etc/.#hostname* rw, /etc/.#hostname* rw,


@ -9,8 +9,9 @@ include <tunables/global>
@{exec_path} = /usr/share/apport/apport-checkreports @{exec_path} = /usr/share/apport/apport-checkreports
profile apport-checkreports @{exec_path} { profile apport-checkreports @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/python> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/python>
@{exec_path} mr, @{exec_path} mr,
@ -21,6 +22,9 @@ profile apport-checkreports @{exec_path} {
/usr/share/apport/ r, /usr/share/apport/ r,
/etc/apt/apt.conf.d/{,**} r, /etc/apt/apt.conf.d/{,**} r,
/etc/default/apport r,
/var/crash/ r,
include if exists <local/apport-checkreports> include if exists <local/apport-checkreports>
} }


@ -11,6 +11,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
capability dac_read_search, capability dac_read_search,
capability sys_ptrace,
capability syslog, capability syslog,
ptrace (read), ptrace (read),


@ -10,6 +10,8 @@ include <tunables/global>
profile aurpublish @{exec_path} { profile aurpublish @{exec_path} {
include <abstractions/base> include <abstractions/base>
signal (receive) peer=git,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,


@ -18,8 +18,11 @@ profile borg @{exec_path} {
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
network netlink raw,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/ r,
/{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/uname rix, /{usr/,}bin/uname rix,
@ -66,15 +69,11 @@ profile borg @{exec_path} {
# Dirs that can be backed up # Dirs that can be backed up
/ r, / r,
/boot/{,**} r,
/efi/{,**} r,
/etc/{,**} r, /etc/{,**} r,
/home/{,**} r, /home/{,**} r,
@{MOUNTS}/{,**} r, @{MOUNTS}/{,**} r,
/opt/{,**} r,
/root/{,**} r, /root/{,**} r,
/srv/{,**} r, /srv/{,**} r,
/usr/{,**} r,
/var/{,**} r, /var/{,**} r,
# The backup dirs # The backup dirs


@ -27,6 +27,8 @@ profile git @{exec_path} {
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
signal (send) peer=aurpublish,
@{exec_path} mrix, @{exec_path} mrix,
# When you mistype a command, git checks the $PATH variable and search its exec dirs to give you # When you mistype a command, git checks the $PATH variable and search its exec dirs to give you


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -19,37 +20,36 @@ profile mkinitramfs @{exec_path} {
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/ r, /{usr/,}{s,}bin/ r,
/{usr/,}bin/ r,
/{usr/,}lib/ r, /{usr/,}lib/ r,
/{usr/,}lib64/ r, /{usr/,}lib64/ r,
/{usr/,}bin/getopt rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/touch rix, /{usr/,}bin/basename rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/tsort rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/id rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/env rix,
/{usr/,}bin/rmdir rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/cpio rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/bzip2 rix, /{usr/,}bin/bzip2 rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cpio rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/env rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/id rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/lzma rix, /{usr/,}bin/lzma rix,
/{usr/,}bin/lzop rix, /{usr/,}bin/lzop rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/rmdir rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/tsort rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/xz rix, /{usr/,}bin/xz rix,
/{usr/,}bin/zstd rix, /{usr/,}bin/zstd rix,
@ -87,20 +87,21 @@ profile mkinitramfs @{exec_path} {
/var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw, /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw,
owner /var/tmp/mkinitramfs-* rw, owner /var/tmp/mkinitramfs-* rw,
@{PROC}/modules r, owner @{PROC}/@{uid}/fd/ r,
@{PROC}/modules r,
profile ldd { profile ldd {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict>
/{usr/,}bin/ldd mr, /{usr/,}bin/ldd mr,
/{usr/,}bin/kmod mr, /{usr/,}bin/kmod mr,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}lib/@{multiarch}/ld-*.so rix, /{usr/,}lib/@{multiarch}/ld-*.so* rix,
/{usr/,}lib{,x}32/ld-*.so rix, /{usr/,}lib{,x}32/ld-*.so rix,
} }
@ -110,7 +111,10 @@ profile mkinitramfs @{exec_path} {
capability sys_chroot, capability sys_chroot,
/{usr/,}sbin/ldconfig mr, /{usr/,}{s,}bin/ldconfig mr,
/{usr/,}{s,}bin/ldconfig.real rix,
/{usr/,}bin/{,ba,da}sh rix,
owner /var/tmp/mkinitramfs_*/etc/ld.so.conf r, owner /var/tmp/mkinitramfs_*/etc/ld.so.conf r,
owner /var/tmp/mkinitramfs_*/etc/ld.so.conf.d/{,*.conf} r, owner /var/tmp/mkinitramfs_*/etc/ld.so.conf.d/{,*.conf} r,
@ -148,11 +152,14 @@ profile mkinitramfs @{exec_path} {
profile kmod { profile kmod {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/openssl>
/{usr/,}bin/kmod mr, /{usr/,}bin/kmod mr,
@{PROC}/cmdline r, @{PROC}/cmdline r,
/etc/depmod.d/ r,
/etc/depmod.d/*.conf r,
/etc/modprobe.d/ r, /etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r, /etc/modprobe.d/*.conf r,
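Review bot: `owner @{PROC}/@{uid}/fd/ r,` in the third hunk uses the uid tunable where a process id directory is meant; `/proc/<n>/fd/` is keyed by pid, and the conventional form elsewhere in this profile set is `@{pid}`. Whether it happens to match today depends on how the two tunables are defined, but it reads as a typo and will break the moment `@{uid}` is narrowed to real uid ranges. Change it to `owner @{PROC}/@{pid}/fd/ r,`. The enclosing mkinitramfs profile and its ldd, ldconfig and kmod subprofiles continue outside the hunks.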


@ -12,6 +12,8 @@ profile qemu-ga @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/etc/qemu/qemu-ga.conf r,
owner @{run}/qga.state* rw, owner @{run}/qga.state* rw,
/dev/vport[0-9]*p[0-9]* rw, /dev/vport[0-9]*p[0-9]* rw,


@ -16,25 +16,12 @@ profile rsyslogd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice> include <abstractions/nameservice>
# Needed to remove the following error: capability chown, # For creating new log files and changing their owner/group
# rsyslogd[]: imklog: cannot open kernel log (/proc/kmsg): Operation not permitted. capability net_admin, # For remote logs
capability syslog, capability setgid, # For downgrading privileges
# For remote logs
capability net_admin,
# for creating new log files and changing their owner/group
capability chown,
# downgrade privileges on Ubuntu
capability setgid,
capability setuid, capability setuid,
capability syslog,
# Needed?
deny capability sys_nice,
# capability sys_ptrace,
# ptrace (read),
@{exec_path} mr, @{exec_path} mr,
/{usr/,}lib/@{multiarch}/rsyslog/*.so mr, /{usr/,}lib/@{multiarch}/rsyslog/*.so mr,
@ -47,6 +34,7 @@ profile rsyslogd @{exec_path} {
owner @{run}/rsyslogd.pid{,.tmp} rwk, owner @{run}/rsyslogd.pid{,.tmp} rwk,
owner @{run}/systemd/journal/syslog w, owner @{run}/systemd/journal/syslog w,
@{run}/systemd/notify rw,
# log files and devices # log files and devices
/var/log/** rw, /var/log/** rw,
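Review bot: In the first hunk `capability syslog,` lost its explanation: the removed comment recorded that it is needed for imklog to open /proc/kmsg, and while chown, net_admin and setgid kept inline reasons, this one now has none. Keep it on the line, e.g. `capability syslog, # For imklog: reading the kernel log (/proc/kmsg)`. Separately, `@{run}/systemd/notify rw,` in the second hunk looks wider than needed — sd_notify only sends on that socket — so `w` is probably sufficient; confirm against the audit log. The profile continues outside the hunks.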


@ -20,7 +20,7 @@ profile spice-vdagent @{exec_path} {
owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.dirs r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
owner @{run}/spice-vdagentd/spice-vdagent-sock rw, @{run}/spice-vdagentd/spice-vdagent-sock rw,
@{sys}/devices/pci[0-9]*/**/{device,vendor} r, @{sys}/devices/pci[0-9]*/**/{device,vendor} r,
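Review bot: Removing `owner` from `@{run}/spice-vdagentd/spice-vdagent-sock rw,` widens the rule and the hunk does not say why; presumably the socket is created by the root-owned daemon while the agent runs as the session user, so an `owner` match could never succeed. Record that on the line, e.g. `@{run}/spice-vdagentd/spice-vdagent-sock rw, # Socket is created by vdagentd (root); agent runs as the user`. The profile continues outside the hunk.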


@ -6,15 +6,18 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/spice-vdagentd @{exec_path} = /{usr/,}{s,}bin/spice-vdagentd
profile spice-vdagentd @{exec_path} { profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict>
capability sys_nice, capability sys_nice,
@{exec_path} mr, @{exec_path} mr,
owner @{run}/spice-vdagentd/spice-vdagent-sock r,
owner @{run}/spice-vdagentd/spice-vdagentd.pid rw, owner @{run}/spice-vdagentd/spice-vdagentd.pid rw,
@{run}/systemd/journal/dev-log w,
@{run}/systemd/seats/seat[0-9]* r, @{run}/systemd/seats/seat[0-9]* r,
@{run}/systemd/sessions/* r, @{run}/systemd/sessions/* r,
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,
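Review bot: `owner @{run}/spice-vdagentd/spice-vdagent-sock r,` grants only read on the socket path, yet the daemon appears to be the side that creates it (the agent profile in this same commit drops its `owner` qualifier on that path, consistent with a root-owned socket). Binding and later unlinking a path-based unix socket is mediated as a file write under AppArmor, so `r` alone looks insufficient — check the audit log and likely change it to `owner @{run}/spice-vdagentd/spice-vdagent-sock rw,`. The newly added `flags=(attach_disconnected)` would also deserve a one-line comment naming the disconnected path it is needed for. The profile continues outside the hunk.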


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{libexec}/switcheroo-control @{exec_path} = @{libexec}/switcheroo-control
profile switcheroo-control @{exec_path} { profile switcheroo-control @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
capability sys_nice, capability sys_nice,
@ -18,6 +18,8 @@ profile switcheroo-control @{exec_path} {
@{run}/udev/data/+drm:* r, @{run}/udev/data/+drm:* r,
@{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
@{sys}/bus/ r, @{sys}/bus/ r,
@{sys}/class/ r, @{sys}/class/ r,
@{sys}/class/drm/ r, @{sys}/class/drm/ r,


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -14,25 +15,26 @@ profile ucf @{exec_path} flags=(complain) {
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/seq rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/basename rix,
/{usr/,}bin/md5sum rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/cat rix, /{usr/,}bin/cat rix,
/{usr/,}bin/id rix, /{usr/,}bin/cp rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/perl rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/dirname rix, /{usr/,}bin/dirname rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/id rix,
/{usr/,}bin/mawk rix,
/{usr/,}bin/md5sum rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/perl rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/seq rix,
/{usr/,}bin/stat rix, /{usr/,}bin/stat rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/which{,.debianutils} rix,
# Do not strip env to avoid errors like the following: # Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -8,33 +9,33 @@ include <tunables/global>
@{exec_path} = /usr/share/command-not-found/cnf-update-db @{exec_path} = /usr/share/command-not-found/cnf-update-db
@{exec_path} += /{usr/,}{s,}bin/update-command-not-found @{exec_path} += /{usr/,}{s,}bin/update-command-not-found
@{exec_path} += /{usr/,}lib/cnf-update-db
profile update-command-not-found @{exec_path} { profile update-command-not-found @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/python> include <abstractions/python>
#capability sys_tty_config,
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/python3.[0-9]* r,
/{usr/,}lib/apt/apt-helper rix, /{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}lib/apt/apt-helper rix,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/var/lib/command-not-found/ r,
/var/lib/command-not-found/commands.db* rwk,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/usr/share/command-not-found/{,**} r, /usr/share/command-not-found/{,**} r,
/etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r, /etc/apt/apt.conf r,
/usr/share/dpkg/cputable r, /var/lib/command-not-found/ r,
/usr/share/dpkg/tupletable r, /var/lib/command-not-found/commands.db* rwk,
/var/lib/apt/lists/ r, /var/lib/apt/lists/ r,
/var/lib/apt/lists/*_Contents-* r, /var/lib/apt/lists/*_Contents-* r,
/var/lib/apt/lists/*_Commands-* r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,