felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): minor improvement & update.

Browse source
This commit is contained in:
Alexandre Pujol 2025-04-12 23:00:52 +02:00 committed by Alex
parent e61529bd04
commit cd890bb81b
14 changed files with 24 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

1
apparmor.d/abstractions/X-strict
View file

@ -4,7 +4,6 @@
abi <abi/4.0>,
# The unix socket to use to connect to the display
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),

2
apparmor.d/abstractions/nvidia-strict
View file

@ -26,7 +26,7 @@
@{PROC}/modules r,
@{PROC}/sys/vm/max_map_count r,
@{PROC}/sys/vm/mmap_min_addr r,
owner @{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/comm r,
owner @{PROC}/@{pid}/task/@{tid}/comm r,

2
apparmor.d/groups/apparmor/aa-notify
View file

@ -102,6 +102,8 @@ profile aa-notify @{exec_path} {
/etc/apparmor.d/** rw,
/etc/apparmor/* r,
@{PROC}/@{pid}/mounts r,
include if exists <local/aa-notify_pkexec>
}

2
apparmor.d/groups/apt/unattended-upgrade
View file

@ -50,6 +50,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
@{bin}/apt-listchanges rPx,
@{bin}/dpkg rPx,
@{bin}/dpkg-divert rPx,
@{bin}/dpkg-preconfigure rPx,
@{bin}/etckeeper rPx,
@{bin}/lsb_release rPx -> lsb_release,
@ -64,6 +65,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
@{etc_ro}/login.defs r,
@{etc_ro}/security/capability.conf r,
/etc/apport/report-ignore/ r,
/etc/apt/*.list r,
/etc/apt/apt.conf.d/{,**} r,
/etc/debian_version r,

2
apparmor.d/groups/cups/cups-pk-helper-mechanism
View file

@ -26,7 +26,7 @@ profile cups-pk-helper-mechanism @{exec_path} {
/etc/cups/ppd/*.ppd r,
owner @{tmp}/[a-z0-9]* rw,
owner @{tmp}/@{int} rw,
@{run}/cups/cups.sock rw,

1
apparmor.d/groups/freedesktop/upowerd
View file

@ -56,6 +56,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/**/power_supply/**/* r,
@{sys}/devices/**/uevent r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/misc/uhid/*/input/input@{int}/name r,
/dev/input/event* r,

2
apparmor.d/groups/gnome/gdm-session-worker
View file

@ -47,7 +47,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
signal send set=hup peer=xorg,
signal send set=hup peer=xwayland,
unix (bind) type=stream addr=@@{udbus}/bus/gdm-session-wor/system,
unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system,
#aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
#aa:dbus talk bus=system name=org.freedesktop.home1.Manager label=systemd-homed

1
apparmor.d/groups/gnome/gnome-extension-gsconnect
View file

@ -21,6 +21,7 @@ profile gnome-extension-gsconnect @{exec_path} {
include <abstractions/nameservice-strict>
include <abstractions/p11-kit>
include <abstractions/ssl_certs>
include <abstractions/user-download-strict>
network inet dgram,
network inet6 dgram,

14
apparmor.d/groups/systemd/systemd-tty-ask-password-agent
View file

@ -17,13 +17,13 @@ profile systemd-tty-ask-password-agent @{exec_path} {
capability net_admin,
capability sys_resource,
signal receive set=(term cont) peer=*//systemctl,
signal receive set=(term cont) peer=deb-systemd-invoke,
signal receive set=(term cont) peer=default,
signal receive set=(term cont) peer=logrotate,
signal receive set=(term cont) peer=makepkg//sudo,
signal receive set=(term cont) peer=role_*,
signal receive set=(term cont) peer=rpm,
signal receive set=(term cont winch) peer=*//systemctl,
signal receive set=(term cont winch) peer=deb-systemd-invoke,
signal receive set=(term cont winch) peer=default,
signal receive set=(term cont winch) peer=logrotate,
signal receive set=(term cont winch) peer=makepkg//sudo,
signal receive set=(term cont winch) peer=role_*,
signal receive set=(term cont winch) peer=rpm,
@{exec_path} mrix,

2
apparmor.d/profiles-a-f/ffplay
View file

@ -30,7 +30,7 @@ profile ffplay @{exec_path} {
owner @{user_videos_dirs}/** rw,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]/meminfo r,
@{sys}/devices/system/node/node@{int}/meminfo r,
include if exists <local/ffplay>
}

1
apparmor.d/profiles-a-f/freetube
View file

@ -40,6 +40,7 @@ profile freetube @{exec_path} flags=(attach_disconnected) {
@{bin}/xdg-settings rPx -> freetube//&xdg-settings,
deny @{sys}/devices/@{pci}/usb@{int}/** r,
deny /dev/ r,
include if exists <local/freetube>
}

2
apparmor.d/profiles-g-l/libreoffice
View file

@ -100,7 +100,7 @@ profile libreoffice @{exec_path} {
owner @{tmp}/*.tmp/{,**} rwk,
owner @{tmp}/hsperfdata_@{user}/ rw,
owner @{tmp}/hsperfdata_@{user}/@{int} rwk,
owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex32} rw,
owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} rw,
owner @{run}/user/@{uid}/#@{int} rw,

2
apparmor.d/profiles-m-r/rsyslogd
View file

@ -24,6 +24,8 @@ profile rsyslogd @{exec_path} {
capability sys_nice,
capability syslog,
signal receive set=hup peer=@{p_systemd},
@{exec_path} mr,
@{lib}/@{multiarch}/rsyslog/*.so mr,

6
apparmor.d/profiles-s-z/swtpm
View file

@ -14,11 +14,11 @@ profile swtpm @{exec_path} {
@{exec_path} mr,
/var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk,
/var/lib/libvirt/swtpm/@{uuid}/tpm2/*.permall rw,
/var/log/swtpm/libvirt/qemu/*-swtpm.log w,
owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk,
owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/* rw,
/tmp/.swtpm_setup.pidfile.* rw,
/tmp/@{int}/.lock rwk,
/tmp/@{int}/TMP* rw,