felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profiles): general update.

Browse source
This commit is contained in:
Alexandre Pujol 2022-05-02 17:33:39 +01:00
parent abaf9fdc7c
commit c950c74bf7
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
29 changed files with 96 additions and 97 deletions
Download patch file Download diff file Expand all files Collapse all files

3
apparmor.d/groups/gnome/gdm-xsession
View file

@ -11,6 +11,7 @@ profile gdm-xsession @{exec_path} {
include <abstractions/base>
include <abstractions/bash>
include <abstractions/consoles>
include <abstractions/dconf>
include <abstractions/nameservice-strict>
@{exec_path} mr,
@ -33,12 +34,10 @@ profile gdm-xsession @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/X11/{,**} r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
# file_inherit
/dev/tty rw,
/dev/tty[0-9]* rw,
profile dbus {

2
apparmor.d/groups/gnome/gnome-contacts-search-provider
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/gnome-contacts-search-provider
profile gnome-contacts-search-provider @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/opencl>
include <abstractions/openssl>
@ -21,7 +22,6 @@ profile gnome-contacts-search-provider @{exec_path} {
owner @{user_share_dirs}/folks/relationships.ini r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,

2
apparmor.d/groups/gnome/gnome-disk-image-mounter
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/gnome-disk-image-mounter
profile gnome-disk-image-mounter @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
@ -23,7 +24,6 @@ profile gnome-disk-image-mounter @{exec_path} {
owner @{MOUNTS}/*/{,**} r,
owner /tmp/*/{,**} r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,

8
apparmor.d/groups/gnome/gnome-keyring-daemon
View file

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2017-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -8,15 +8,17 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gnome-keyring-daemon
profile gnome-keyring-daemon @{exec_path} {
profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/openssl>
capability ipc_lock,
signal (receive) set=(term) peer=gdm,
signal (send) set=(term) peer=ssh-agent,
@{exec_path} mr,
/{usr/,}bin/ssh-add rix,
/{usr/,}bin/ssh-agent rPx,

2
apparmor.d/groups/gnome/gnome-shell-calendar-server
View file

@ -9,13 +9,13 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/gnome-shell-calendar-server
profile gnome-shell-calendar-server @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/nameservice-strict>
@{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,

6
apparmor.d/groups/gnome/gnome-system-monitor
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/gnome-system-monitor
profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/gnome>
include <abstractions/nameservice-strict>
@ -34,10 +35,11 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
@{run}/systemd/sessions/[0-9]*{,.ref} r,
@{sys}/devices/pci[0-9]*/**/net/*/statistics/collisions r,
@{sys}/devices/pci[0-9]*/**/net/*/statistics/rx_{bytes,errors,packets} r,
@{sys}/devices/pci[0-9]*/**/net/*/statistics/tx_{bytes,errors,packets} r,
@ -60,7 +62,5 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pids}/wchan r,
@{PROC}/vmstat r,
@{run}/systemd/sessions/[0-9]*{,.ref} r,
include if exists <local/gnome-system-monitor>
}

2
apparmor.d/groups/gnome/goa-daemon
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/goa-daemon
profile goa-daemon @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/nameservice-strict>
include <abstractions/opencl>
include <abstractions/openssl>
@ -27,7 +28,6 @@ profile goa-daemon @{exec_path} {
owner @{user_config_dirs}/goa-1.0/accounts.conf r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,

5
apparmor.d/groups/gnome/gsd-a11y-settings
View file

@ -9,18 +9,19 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/gsd-a11y-settings
profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf>
signal (receive) set=(term, hup) peer=gdm*,
@{exec_path} mr,
/usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,
owner /dev/tty[0-9]* rw,

17
apparmor.d/groups/gnome/gsd-color
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/gsd-color
profile gsd-color @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/gtk>
@ -17,27 +18,25 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icons/{,**} r,
/usr/share/mime/mime.cache r,
/usr/share/X11/xkb/** r,
/var/lib/flatpak/exports/share/mime/mime.cache r,
/var/lib/gdm/.config/dconf/user r,
/var/lib/gdm/.local/share/icc/ rw,
/var/lib/gdm/.local/share/icc/edid-*.icc rw,
/var/lib/flatpak/exports/share/mime/mime.cache r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,
owner @{user_share_dirs}/icc/ r,
owner @{user_share_dirs}/icc/edid-*.icc rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner /dev/tty[0-9]* rw,
include if exists <local/gsd-color>

5
apparmor.d/groups/gnome/gsd-datetime
View file

@ -9,18 +9,19 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/gsd-datetime
profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf>
signal (receive) set=(term, hup) peer=gdm*,
@{exec_path} mr,
/usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,
owner /dev/tty[0-9]* rw,

5
apparmor.d/groups/gnome/gsd-housekeeping
View file

@ -10,6 +10,7 @@ include <tunables/global>
profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/app-launcher-user>
include <abstractions/dconf>
include <abstractions/thumbnails-cache-read>
signal (receive) set=(term, hup) peer=gdm*,
@ -19,16 +20,16 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
/etc/fstab r,
/usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{user_cache_dirs}/thumbnails/{,**} rw,
owner @{user_share_dirs}/applications/ rw,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,
owner @{PROC}/@{pids}/mountinfo r,

11
apparmor.d/groups/gnome/gsd-media-keys
View file

@ -10,6 +10,7 @@ include <tunables/global>
profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/dconf>
include <abstractions/fonts>
include <abstractions/gtk>
include <abstractions/nameservice-strict>
@ -20,6 +21,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icons/{,**} r,
@ -36,17 +38,14 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/event-sound-cache.tdb.* rwk,
owner @{user_share_dirs}/recently-used.xbel{,.*} rw,
/var/lib/gdm/.config/dconf/user r,
/var/lib/gdm/.config/pulse/client.conf r,
/var/lib/gdm/.config/pulse/cookie rk,
owner @{run}/user/@{uid}/gdm/Xauthority r,
@{run}/systemd/inhibit/[0-9]*.ref rw,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
@{run}/systemd/inhibit/[0-9]*.ref rw,
owner /dev/tty[0-9]* rw,

19
apparmor.d/groups/gnome/gsd-power
View file

@ -10,6 +10,7 @@ include <tunables/global>
profile gsd-power @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/dconf>
include <abstractions/fonts>
include <abstractions/gtk>
include <abstractions/nameservice-strict>
@ -20,6 +21,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icons/{,**} r,
@ -28,13 +30,17 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/var/lib/gdm/.cache/event-sound-cache.tdb.* rwk,
/var/lib/gdm/.config/dconf/user r,
/var/lib/gdm/.config/pulse/client.conf r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
@{run}/udev/data/+backlight:* r,
@{run}/udev/data/+leds:*backlight* r,
@{run}/systemd/inhibit/[0-9]*.ref rw,
@{sys}/bus/ r,
@{sys}/class/ r,
@ -52,13 +58,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/platform/**/leds/*backlight*/max_brightness r,
@{sys}/devices/platform/**/leds/*backlight*/brightness rw,
@{run}/udev/data/+backlight:* r,
@{run}/udev/data/+leds:*backlight* r,
@{run}/systemd/inhibit/[0-9]*.ref rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,

5
apparmor.d/groups/gnome/gsd-sharing
View file

@ -9,18 +9,19 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/gsd-sharing
profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf>
signal (receive) set=(term, hup) peer=gdm*,
@{exec_path} mr,
/usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,
owner /dev/tty[0-9]* rw,

5
apparmor.d/groups/gnome/gsd-smartcard
View file

@ -9,18 +9,19 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/gsd-smartcard
profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf>
signal (receive) set=(term, hup) peer=gdm*,
@{exec_path} mr,
/usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,
owner /dev/tty[0-9]* rw,

2
apparmor.d/groups/gnome/gsd-usb-protection
View file

@ -9,12 +9,12 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/gsd-usb-protection
profile gsd-usb-protection @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
@{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,

13
apparmor.d/groups/gnome/gsd-wacom
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/gsd-wacom
profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/fontconfig-cache-write>
include <abstractions/fonts>
include <abstractions/gtk>
@ -17,22 +18,20 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/etc/machine-id r,
/usr/share/libwacom/{,*} r,
/usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icons/{,**} r,
/usr/share/libwacom/{,*} r,
/usr/share/mime/mime.cache r,
/usr/share/X11/xkb/** r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
/etc/machine-id r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/dconf/profile/gdm r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
/var/lib/gdm/.config/dconf/user r,
owner /dev/tty[0-9]* rw,