diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 5ae7743fd..0998bbb44 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -29,3 +29,5 @@ owner @{run}/user/@{uid}/xauth_@{rand6} rl -> @{run}/user/@{uid}/#@{int}, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/X.d/complete b/apparmor.d/abstractions/X.d/complete index 0b654a761..8a6636664 100644 --- a/apparmor.d/abstractions/X.d/complete +++ b/apparmor.d/abstractions/X.d/complete @@ -5,3 +5,5 @@ # Available Xsessions /usr/share/xsessions/{,*.desktop} r, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index 69bcf9007..c31d328fb 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root @@ -11,4 +11,6 @@ /usr/ r, /usr/local/{s,}bin/ r, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 4a6c795d6..5e7c50824 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -21,4 +21,6 @@ /usr/ r, /usr/local/bin/ r, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index df0eac9a6..513924de6 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -51,3 +51,5 @@ include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index c4359cc9c..41bbab892 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium 
@@ -110,8 +110,7 @@ /etc/@{name}/{,**} r, /etc/fstab r, - /etc/opensc.conf r, - /etc/opensc/opensc.conf r, # Debian ubication + /etc/{,opensc/}opensc.conf r, /var/lib/dbus/machine-id r, /etc/machine-id r, @@ -151,10 +150,10 @@ owner @{tmp}/.@{domain}.* rw, owner @{tmp}/.@{domain}*/{,**} rw, owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, - owner @{tmp}/scoped_dir*/{,**} rw, - owner @{tmp}/tmp.* rw, - owner @{tmp}/tmp.*/ rw, - owner @{tmp}/tmp.*/** rwk, + audit owner @{tmp}/scoped_dir@{rand6}/{,**} rw, + owner @{tmp}/tmp.@{rand6} rw, + owner @{tmp}/tmp.@{rand6}/ rw, + owner @{tmp}/tmp.@{rand6}/** rwk, owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw, @@ -210,3 +209,5 @@ deny @{user_share_dirs}/gvfs-metadata/* r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index 9b9933b1a..f0972f3e7 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor @@ -26,3 +26,5 @@ owner @{user_config_dirs}/vim/{,**} r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index ba0c7f3ee..bf86f419c 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -17,6 +17,7 @@ include include include + include include include include @@ -69,12 +70,10 @@ /usr/share/xul-ext/kwallet5/* r, /etc/@{name}/{,**} r, - /etc/cups/client.conf r, /etc/fstab r, /etc/mailcap r, /etc/mime.types r, - /etc/opensc.conf r, - /etc/opensc/opensc.conf r, + /etc/{,opensc/}opensc.conf r, /etc/sysconfig/proxy r, /etc/xdg/* r, /etc/xul-ext/kwallet5.js r, @@ -82,7 +81,6 @@ /var/lib/nscd/services r, owner @{HOME}/ r, - owner @{HOME}/.cups/lpoptions r, owner @{config_dirs}/ rw, owner @{config_dirs}/** rwk, 
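Review bot: The new `audit owner @{tmp}/scoped_dir@{rand6}/{,**} rw,` rule logs every permitted access to that path, which in a browser abstraction means a steady stream of audit events on every system that includes it; if the prefix was left in while profiling, drop it, and if it is intentional, say why in a comment such as `# audit: keep while tracking scoped_dir usage`. The tightening of `@{tmp}/tmp.*` to `@{tmp}/tmp.@{rand6}` also deserves a check of what creates those names: mktemp(1)'s default template carries ten random characters, so if any helper relies on it the three `tmp.@{rand6}` rules will stop matching and show up as denials. The `/etc/{,opensc/}opensc.conf r,` merge in the earlier hunk is equivalent to the two rules it replaces.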
@@ -160,3 +158,5 @@ deny @{run}/user/@{uid}/gnome-shell-disable-extensions w, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 0cbb75171..f93a1c444 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -13,3 +13,5 @@ /dev/tty rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index a225ce11b..4bab75387 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -23,3 +23,5 @@ @{PROC}/uptime r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index f792fc085..6fba1adfd 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -68,3 +68,5 @@ deny @{user_share_dirs}/gvfs-metadata/* r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl index aa1e8eff4..62b4aafdf 100644 --- a/apparmor.d/abstractions/app/systemctl +++ b/apparmor.d/abstractions/app/systemctl @@ -26,3 +26,5 @@ owner @{PROC}/@{pid}/stat r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/udevadm b/apparmor.d/abstractions/app/udevadm new file mode 100644 index 000000000..72fb4c61b --- /dev/null +++ b/apparmor.d/abstractions/app/udevadm @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + ptrace read peer=@{p_systemd}, + + @{bin}/udevadm mr, + + /etc/udev/udev.conf r, + + @{run}/udev/data/* r, + + @{sys}/** r, + + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/1/sched r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/stat r, + + include if exists + +# vim:syntax=apparmor 
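Review bot: `@{sys}/** r,` grants read access to all of sysfs, which is broader than an abstraction dedicated to one tool should need and becomes a blanket sysfs grant for every profile that includes it; udevadm's device walk presumably stays under `@{sys}/devices/`, `@{sys}/bus/`, `@{sys}/class/` and `@{sys}/module/`, which is worth confirming from audit logs before narrowing. The new file also lacks the one-line purpose comment that the other abstractions in this series carry; a line such as `# Rules needed by profiles that run udevadm inline (ix) instead of transitioning to its own profile.` placed before the `ptrace` rule would say what `@{bin}/udevadm mr,` is for. The `@{PROC}/1/{cgroup,environ,sched}` reads look like systemd's container detection; a short `# container detection (reads PID 1 state)` comment on them would spare the next reader a trip to the systemd sources.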
diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index f12e7fcc4..ca4a8e16c 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -41,6 +41,9 @@ owner @{user_config_dirs}/pulse/client.conf.d/{,*.conf} r, owner @{user_config_dirs}/pulse/cookie rwk, + owner @{user_config_dirs}/pipewire/ rw, + owner @{user_config_dirs}/pipewire/client.conf r, + owner @{user_share_dirs}/openal/hrtf/{,**} r, owner @{user_share_dirs}/sounds/__custom/index.theme r, @@ -55,3 +58,5 @@ owner /dev/shm/pulse-shm-@{int} rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/audio-server b/apparmor.d/abstractions/audio-server index 22aa6837c..619ba1111 100644 --- a/apparmor.d/abstractions/audio-server +++ b/apparmor.d/abstractions/audio-server @@ -43,3 +43,5 @@ /dev/sound/* rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/audio.d/complete b/apparmor.d/abstractions/audio.d/complete index 51838adcc..01d94e067 100644 --- a/apparmor.d/abstractions/audio.d/complete +++ b/apparmor.d/abstractions/audio.d/complete @@ -11,3 +11,5 @@ @{sys}/class/ r, @{sys}/class/sound/ r, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/authentication.d/complete b/apparmor.d/abstractions/authentication.d/complete index 57ffc77f2..63819cc1b 100644 --- a/apparmor.d/abstractions/authentication.d/complete +++ b/apparmor.d/abstractions/authentication.d/complete @@ -11,3 +11,5 @@ @{lib}/security-misc/pam_faillock_not_if_x rPx, @{lib}/security-misc/pam-abort-on-locked-password rPx, @{lib}/security-misc/pam-info rPx, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index cc4b1a1e7..e9761b843 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete 
@@ -4,6 +4,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Allow to receive some signals from new well-known profiles + signal (receive) peer=btop, signal (receive) peer=htop, signal (receive) peer=sudo, signal (receive) peer=top, @@ -28,3 +29,5 @@ @{PROC}/sys/kernel/core_pattern r, deny /apparmor/.null rw, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bash-strict b/apparmor.d/abstractions/bash-strict index 86e9fc50b..eb4f65230 100644 --- a/apparmor.d/abstractions/bash-strict +++ b/apparmor.d/abstractions/bash-strict @@ -33,3 +33,5 @@ owner @{PROC}/@{pid}/mounts r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bash.d/complete b/apparmor.d/abstractions/bash.d/complete index b8016f6d3..6d16109de 100644 --- a/apparmor.d/abstractions/bash.d/complete +++ b/apparmor.d/abstractions/bash.d/complete @@ -9,3 +9,5 @@ owner @{HOME}/.alias r, owner @{HOME}/.i18n r, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus-accessibility b/apparmor.d/abstractions/bus-accessibility index d69c9501a..f032f842b 100644 --- a/apparmor.d/abstractions/bus-accessibility +++ b/apparmor.d/abstractions/bus-accessibility @@ -17,3 +17,5 @@ owner @{run}/user/@{uid}/at-spi/bus_@{int} rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index f8d6ba37f..d5ca957e8 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session @@ -25,3 +25,5 @@ owner @{run}/user/@{uid}/bus rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus-system b/apparmor.d/abstractions/bus-system index 6d2a16beb..0148d0711 100644 --- a/apparmor.d/abstractions/bus-system +++ b/apparmor.d/abstractions/bus-system @@ -15,3 +15,5 @@ @{run}/dbus/system_bus_socket rw, include if exists + +# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry index a763bc5c1..3eceb53ab 100644 --- a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry +++ b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry @@ -20,3 +20,5 @@ peer=(name=:*, label=gnome-shell), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/com.canonical.dbusmenu b/apparmor.d/abstractions/bus/com.canonical.dbusmenu index e3ad37725..290a86de8 100644 --- a/apparmor.d/abstractions/bus/com.canonical.dbusmenu +++ b/apparmor.d/abstractions/bus/com.canonical.dbusmenu @@ -4,3 +4,5 @@ include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 index 50cbab8a0..a8e3d52a5 100644 --- a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 @@ -48,3 +48,5 @@ peer=(name=:*, label=wpa-supplicant), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles index 38922c8b0..b4032e033 100644 --- a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles +++ b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles @@ -8,3 +8,5 @@ peer=(name=:*, label=power-profiles-daemon), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl index ad2e358a2..55e4f414d 100644 --- a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl +++ b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl @@ -8,3 +8,5 @@ peer=(name=:*, label=switcheroo-control), include if exists + +# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/net.reactivated.Fprint b/apparmor.d/abstractions/bus/net.reactivated.Fprint index 17374de8b..7e7b21565 100644 --- a/apparmor.d/abstractions/bus/net.reactivated.Fprint +++ b/apparmor.d/abstractions/bus/net.reactivated.Fprint @@ -18,3 +18,5 @@ peer=(name=net.reactivated.Fprint, label=fprintd), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index 616029386..5103361c9 100644 --- a/apparmor.d/abstractions/bus/org.a11y +++ b/apparmor.d/abstractions/bus/org.a11y @@ -42,3 +42,5 @@ peer=(name=org.a11y.Bus), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/org.bluez index 2417fb4e2..7c86817f5 100644 --- a/apparmor.d/abstractions/bus/org.bluez +++ b/apparmor.d/abstractions/bus/org.bluez @@ -43,3 +43,5 @@ peer=(name=org.bluez, label=bluetoothd), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts index c6ffc74bc..10a9e8fc0 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts +++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts @@ -28,3 +28,5 @@ peer=(name=:*, label=accounts-daemon), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index fc7be18e4..8b24700db 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -23,3 +23,5 @@ peer=(name=:*, label=avahi-daemon), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index c8563e40a..3950b77aa 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager 
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager @@ -23,3 +23,5 @@ peer=(name=:*, label=colord), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 index 326c65849..b4e985b9e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 @@ -13,3 +13,5 @@ peer=(name=:*, label=nautilus), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 index 7ebcca741..836e99d94 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 @@ -33,3 +33,5 @@ peer=(name=:*, label=geoclue), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 index 75ee94bf8..217b588a4 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 @@ -18,3 +18,5 @@ peer=(name=:*, label=ModemManager), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager index d37f276b6..0fa92d3cc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager @@ -73,3 +73,5 @@ peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/org.freedesktop.Notifications index c6d8fc6a6..90ee1aefc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications 
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Notifications @@ -23,3 +23,5 @@ peer=(name=org.freedesktop.DBus, label=gjs-console), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit index 6775a6e6f..7cdd9a3ce 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit +++ b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit @@ -22,3 +22,5 @@ peer=(name=org.freedesktop.PackageKit, label=packagekitd), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 index 6f05ae688..3201e48ce 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 @@ -32,3 +32,5 @@ peer=(name=:*, label=polkitd), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 index 9a0fdf9f2..474c4c625 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 @@ -28,3 +28,5 @@ peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver index f3029c0b7..842057a1d 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver +++ b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver @@ -8,3 +8,5 @@ peer=(name=org.freedesktop.ScreenSaver), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files index 82124c494..567740a35 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files 
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files @@ -13,3 +13,5 @@ peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 index 956356c55..79b882e51 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 @@ -53,3 +53,5 @@ peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index 3d0963ae8..d8341d33c 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -42,3 +42,5 @@ peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor index 374c0693b..5f951381b 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor +++ b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor @@ -13,3 +13,5 @@ peer=(name=:*, label=xdg-desktop-portal), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index 8544b5036..54196d16b 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 @@ -13,3 +13,5 @@ peer=(name=org.freedesktop.hostname1), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore index 5176d3f33..6b965a2f5 100644 
--- a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore +++ b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore @@ -13,3 +13,5 @@ peer=(name=:*, label=xdg-permission-store), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/org.freedesktop.locale1 index 6d8c9649e..a2865c7c9 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.locale1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.locale1 @@ -12,3 +12,5 @@ peer=(name=org.freedesktop.locale1), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1 index 67d24772a..fdceceea4 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1 @@ -33,3 +33,5 @@ peer=(name=org.freedesktop.login1, label=systemd-logind), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session index 6541fb803..24d5c1452 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session @@ -38,3 +38,5 @@ peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.network1 b/apparmor.d/abstractions/bus/org.freedesktop.network1 index 7abc771f2..268a21dea 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.network1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.network1 @@ -8,3 +8,5 @@ peer=(name=org.freedesktop.network1, label=systemd-networkd), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 5ce45ef8f..a2a1a94a0 100644 
--- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop @@ -28,3 +28,5 @@ peer=(name=:*, label=xdg-desktop-portal), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 index 7c1260c7d..3057282c9 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 @@ -8,3 +8,5 @@ peer=(name="{:*,org.freedesktop.resolve1}", label=systemd-resolved), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.secrets b/apparmor.d/abstractions/bus/org.freedesktop.secrets index 5f53407c3..01ecf0786 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.secrets +++ b/apparmor.d/abstractions/bus/org.freedesktop.secrets @@ -28,3 +28,5 @@ peer=(name=:*, label=gnome-keyring-daemon), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 46d5fdc82..49e4b014d 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 @@ -18,3 +18,5 @@ peer=(name=org.freedesktop.systemd1), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session index 2f6bb9922..c0e852662 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session @@ -18,3 +18,5 @@ peer=(name="{:*,org.freedesktop.systemd1}", label="@{p_systemd_user}"), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 index d6748c8da..883c5c165 100644 
--- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 @@ -19,3 +19,5 @@ peer=(name=:*, label=systemd-timedated), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 index 087a8f08c..9953ee8bf 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 @@ -13,3 +13,5 @@ peer=(name=:*, label=file-roller), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.DisplayManager b/apparmor.d/abstractions/bus/org.gnome.DisplayManager index 3eeb35b69..05945a253 100644 --- a/apparmor.d/abstractions/bus/org.gnome.DisplayManager +++ b/apparmor.d/abstractions/bus/org.gnome.DisplayManager @@ -8,3 +8,5 @@ peer=(name=:*, label=gdm), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig index 04d550761..d701792a6 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig @@ -28,3 +28,5 @@ peer=(name=:*, label=gnome-shell), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor index 648e707c4..7ada64f05 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor @@ -18,3 +18,5 @@ peer=(name=:*, label=gnome-shell), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 index 1a3dc2e0f..e547ab2c5 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 
+++ b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 @@ -18,3 +18,5 @@ peer=(name=:*, label=nautilus), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver index 24c4e37ec..3e228ad1f 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver +++ b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver @@ -18,3 +18,5 @@ peer=(name=:*, label=gjs-console), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.SessionManager b/apparmor.d/abstractions/bus/org.gnome.SessionManager index 07576ff52..4197fb4cf 100644 --- a/apparmor.d/abstractions/bus/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/org.gnome.SessionManager @@ -60,3 +60,5 @@ peer=(name=org.gnome.SessionManager, label=gnome-session-binary), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect index 4356c487b..72e4525bc 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect +++ b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect @@ -28,3 +28,5 @@ peer=(name=:*, label=gnome-shell), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor index 1c3349dc7..73d958513 100644 --- a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor +++ b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor @@ -18,3 +18,5 @@ peer=(name=:*, label=gvfs-*-volume-monitor), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon index 5bbfd7594..35cd640d6 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon 
@@ -8,3 +8,5 @@ peer=(name=:*, label=gvfsd), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata index a547bc5d4..33d3c1c36 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata @@ -13,3 +13,5 @@ peer=(name=:*, label=gvfsd-metadata), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker index 262982bb1..4d59f0afc 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker @@ -18,3 +18,5 @@ peer=(name=:*, label=gvfsd), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem index 553195bbc..4fca40e84 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem @@ -4,3 +4,5 @@ include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher index 28ccc4a4b..67ac1fb6d 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher @@ -18,3 +18,5 @@ peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell), include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.kde.kwalletd b/apparmor.d/abstractions/bus/org.kde.kwalletd index db103ba85..c0d2ecba2 100644 --- a/apparmor.d/abstractions/bus/org.kde.kwalletd +++ b/apparmor.d/abstractions/bus/org.kde.kwalletd @@ -3,3 +3,5 @@ # SPDX-License-Identifier: GPL-2.0-only include if exists + +# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index ff3b0f7f0..e44d8509c 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -15,10 +15,11 @@ include include include - # include + include include include include + include include include include @@ -63,7 +64,6 @@ owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, - @{run}/cups/cups.sock rw, # Allow access to cups printing socket. @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket. @{run}/host/{,**} r, @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. @@ -129,4 +129,6 @@ /dev/pts/ptmx rw, /dev/tty rw, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/common/apt index baa14757d..77c5a0b7e 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/common/apt @@ -28,4 +28,6 @@ owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index f2e76bcdf..a73626bb1 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -2,10 +2,9 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Minimal set of rules for bwrap - +# A minimal set of rules for sandboxed programs using bwrap. # A profile using this abstraction still needs to set: -# - the attach_disconnected flag +# - the flag: attach_disconnected # - bwrap execution: '@{bin}/bwrap rix,' # userns, @@ -31,6 +30,9 @@ umount /, umount /oldroot/, + #aa:only debian whonix + mount -> /newroot/{,**}, # Debian does not support the remount rule. + pivot_root oldroot=/newroot/ /newroot/, pivot_root oldroot=/tmp/oldroot/ /tmp/, 
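Review bot: The context line `@{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.` still reads `havahi`, which looks like a typo for `avahi`; as written the rule cannot match the daemon's socket at `@{run}/avahi-daemon/socket`, so the comment promises an access the rule does not grant, and this hunk edits the line directly above it without fixing that. Unless the spelling is deliberate, change it to `@{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket.`. The removed `@{run}/cups/cups.sock rw,` is presumably now covered by the include added in the first hunk, but the include target was lost in this rendering, so that could not be confirmed here.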
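Review bot: The added `mount -> /newroot/{,**},` carries no fstype, options or source qualifier, so under the `#aa:only debian whonix` guard it permits any mount, including bind mounts of arbitrary sources, anywhere below /newroot; that is considerably wider than the remount the comment says it stands in for. If the Debian parser only lacks the standalone `remount` rule form, a qualified `mount options=(remount, ...) -> /newroot/{,**},` would keep the grant narrow and is worth testing on that platform. The inline comment could also name what is being replaced, e.g. `# Debian's parser rejects the remount rule this stands in for; the unqualified mount rule is broader than needed.`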
@@ -51,3 +53,5 @@ owner @{PROC}/@{pid}/uid_map rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 1fc1d1555..2e98c515a 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -20,23 +20,25 @@ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_share_dirs}/.org.chromium.Chromium.* rw, + owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw, /tmp/ r, /var/tmp/ r, - owner @{tmp}/.org.chromium.Chromium.* rw, - owner @{tmp}/.org.chromium.Chromium.*/{,**} rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/{,**} rw, owner @{tmp}/scoped_dir*/ rw, owner @{tmp}/scoped_dir*/SingletonCookie w, owner @{tmp}/scoped_dir*/SingletonSocket w, owner @{tmp}/scoped_dir*/SS w, /dev/shm/ r, - owner /dev/shm/.org.chromium.Chromium.* rw, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/setgroups w, owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/uid_map w, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 22aa0d784..732129c26 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -86,4 +86,6 @@ owner @{PROC}/@{pid}/task/@{tid}/status r, owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index 275853d51..c93f9bc05 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome 
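Review bot: The rewrite narrows the `.org.chromium.Chromium.*` names to `@{rand6}` but leaves the four `scoped_dir*` context lines on the wildcard, while the sibling app/chromium abstraction in this same series switches to `scoped_dir@{rand6}`; Chromium's scoped temporary directories appear to use a six-character suffix, so `owner @{tmp}/scoped_dir@{rand6}/ rw,` and the three `SingletonCookie`/`SingletonSocket`/`SS` lines could follow for consistency. Worth confirming against a running profile before tightening, since a mismatch turns into denials rather than a warning.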
@@ -24,4 +24,6 @@ owner @{PROC}/@{pid}/cmdline r, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game new file mode 100644 index 000000000..88bd3d1b6 --- /dev/null +++ b/apparmor.d/abstractions/common/steam-game 
@@ -0,0 +1,125 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + include + include + include + include + include + include + include + + @{bin}/uname rix, + @{bin}/xdg-settings rPx, + @{browsers_path} rPx, + + @{bin}/env r, + + @{app_dirs}/ r, + @{lib_dirs}/ r, + @{lib}/ r, + / r, + /home/ r, + /usr/ r, + /usr/local/ r, + /usr/local/lib/ r, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + owner @{HOME}/ r, + owner @{HOME}/.steam/steam.pid r, + owner @{HOME}/.steam/steam.pipe r, + + owner @{user_games_dirs}/ r, + owner @{user_games_dirs}/*/ r, + owner @{user_games_dirs}/*/{,**} rwkl, + + owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, + + owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, + + owner @{share_dirs}/ r, + owner @{share_dirs}/* r, + owner @{share_dirs}/appcache/** rk, + owner @{share_dirs}/config/ r, + owner @{share_dirs}/config/* rwk, + owner @{share_dirs}/logs/ rw, + owner @{share_dirs}/logs/* rwk, + owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw, + owner @{share_dirs}/steamapps/ r, + owner @{share_dirs}/steamapps/common/ r, + owner @{share_dirs}/steamapps/common/[^S]*/** rwlk, + owner @{share_dirs}/steamapps/shadercache/{,**} rwk, + + @{tmp}/ r, + owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, + owner @{tmp}/#@{int} rw, + owner @{tmp}/CASESENSITIVETEST@{hex32} rw, + owner @{tmp}/crashes/ rw, + owner @{tmp}/crashes/** rwk, + owner @{tmp}/miles_image_@{rand6} mrw, + owner @{tmp}/runtime-info.txt.@{rand6} rw, + owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, + + owner /dev/shm/mono.@{int} rw, + owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, + owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw, + owner /dev/shm/u@{uid}-Shm_@{hex6} rw, + owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, + owner 
/dev/shm/u@{uid}-Shm_@{hex8} rw, + owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, + owner /dev/shm/ValveIPCSHM_@{uid} rw, + + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + + @{sys}/ r, + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/hidraw/ r, + @{sys}/class/input/ r, + @{sys}/devices/ r, + @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/net/*/carrier r, + @{sys}/devices/**/input@{int}/ r, + @{sys}/devices/**/input@{int}/**/{vendor,product} r, + @{sys}/devices/**/input@{int}/capabilities/* r, + @{sys}/devices/**/input/input@{int}/ r, + @{sys}/devices/**/uevent r, + @{sys}/devices/system/ r, + @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, + @{sys}/devices/system/cpu/cpu@{int}/ r, + @{sys}/devices/virtual/dmi/id/* r, + @{sys}/devices/virtual/net/*/carrier r, + @{sys}/kernel/ r, + + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + + @{PROC}/uptime r, + @{PROC}/version r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/pagemap r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + /dev/ r, + /dev/hidraw@{int} rw, + /dev/input/ r, + /dev/input/event@{int} rw, + /dev/tty rw, + /dev/uinput rw, + + include if exists \ No newline at end of file diff --git a/apparmor.d/abstractions/common/systemd b/apparmor.d/abstractions/common/systemd index b98291bf5..0ed3a824b 100644 --- a/apparmor.d/abstractions/common/systemd +++ b/apparmor.d/abstractions/common/systemd 
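Review bot: The new common/steam-game abstraction grants `/dev/uinput rw,` and `/dev/hidraw@{int} rw,` to every game profile that includes it; uinput lets the confined process create virtual input devices and emit keystrokes or pointer events into the whole session, which is a much broader capability than the rest of the file (which is mostly read-only sysfs/proc and owner-scoped writes). A one-line comment naming what needs it (presumably Steam Input or controller emulation, I cannot confirm from the hunk), e.g. `/dev/uinput rw, # virtual controller creation`, would record the intent, and if only some games need it the rule belongs in those profiles instead. Separately, this file ends with `include if exists` and `\ No newline at end of file` and has no `# vim:syntax=apparmor` trailer, while every other abstraction touched by this commit gains one.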
@@ -18,4 +18,6 @@ /dev/kmsg w, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/crypto.d/complete b/apparmor.d/abstractions/crypto.d/complete index ccf3d799a..a163af66d 100644 --- a/apparmor.d/abstractions/crypto.d/complete +++ b/apparmor.d/abstractions/crypto.d/complete @@ -6,3 +6,5 @@ @{etc_ro}/gnutls/config r, @{etc_ro}/gnutls/pkcs11.conf r, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dconf-write b/apparmor.d/abstractions/dconf-write index 58aad166e..f25e1c3e6 100644 --- a/apparmor.d/abstractions/dconf-write +++ b/apparmor.d/abstractions/dconf-write @@ -25,3 +25,5 @@ owner @{run}/user/@{uid}/dconf/user rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home index ccae3cf45..d8e1fdfb8 100644 --- a/apparmor.d/abstractions/deny-sensitive-home +++ b/apparmor.d/abstractions/deny-sensitive-home @@ -49,3 +49,5 @@ deny @{HOME}/.{,cache/}fontconfig/** mrwl, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index bc273a006..befea8bcb 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -63,3 +63,5 @@ owner @{user_share_dirs}/ rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb index 9d9db462e..5a2a8b742 100644 --- a/apparmor.d/abstractions/devices-usb +++ b/apparmor.d/abstractions/devices-usb @@ -22,4 +22,6 @@ @{run}/udev/data/c16[6,7]:@{int} r, # USB modems @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 2b89a1308..10beb258d 100644 --- a/apparmor.d/abstractions/disks-read 
+++ b/apparmor.d/abstractions/disks-read @@ -95,3 +95,5 @@ @{run}/udev/data/+usb:* r, # for disk over usb hub include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index b6937698c..361b60d82 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -95,3 +95,5 @@ @{run}/udev/data/+usb:* r, # for disk over usb hub include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri index b6c6dc23b..a1eb1cd41 100644 --- a/apparmor.d/abstractions/dri +++ b/apparmor.d/abstractions/dri @@ -32,3 +32,5 @@ /dev/dri/renderD129 rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/fish b/apparmor.d/abstractions/fish index c5ed229c0..fe3cab891 100644 --- a/apparmor.d/abstractions/fish +++ b/apparmor.d/abstractions/fish @@ -12,3 +12,5 @@ owner @{user_config_dirs}/fish/{,**} r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/fontconfig-cache-read b/apparmor.d/abstractions/fontconfig-cache-read index 2873ebe45..216075648 100644 --- a/apparmor.d/abstractions/fontconfig-cache-read +++ b/apparmor.d/abstractions/fontconfig-cache-read @@ -46,3 +46,5 @@ deny "@{user_share_dirs}/fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" w, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write index c9bb799cd..19fa7c53a 100644 --- a/apparmor.d/abstractions/fontconfig-cache-write +++ b/apparmor.d/abstractions/fontconfig-cache-write @@ -39,3 +39,5 @@ link @{user_share_dirs}/fonts/**/.uuid.LCK -> @{user_share_dirs}/fonts/**/.uuid.TMP-*, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index 7313fbca1..3e669f4dc 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete 
+++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -22,3 +22,5 @@ /var/lib/snapd/desktop/icons/{,**} r, owner @{HOME}/.icons/{,**} r, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index ba566cd69..891e5a573 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -28,3 +28,5 @@ owner @{user_share_dirs}/ rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete index 3d204be7d..90f705ac7 100644 --- a/apparmor.d/abstractions/gnome.d/complete +++ b/apparmor.d/abstractions/gnome.d/complete @@ -10,3 +10,5 @@ peer=(name=:*, label=gnome-shell), /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index 85589272f..9b7954f0d 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics @@ -20,3 +20,5 @@ @{sys}/devices/system/node/node@{int}/meminfo r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index e9480d217..fe2d2001c 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -9,3 +9,5 @@ /dev/nvidia-uvm-tools rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 87bf1c1b3..60bac614e 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -54,3 +54,5 @@ /dev/dri/ r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 942713159..ac702a70f 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete 
@@ -40,3 +40,5 @@ owner @{user_config_dirs}/gtk-{3,4}.0/servers r, owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini r, owner @{user_config_dirs}/gtk-{3,4}.0/window_decorations.css r, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete index c09e3ad6f..33d034b5a 100644 --- a/apparmor.d/abstractions/ibus.d/complete +++ b/apparmor.d/abstractions/ibus.d/complete @@ -22,3 +22,5 @@ addr="@/home/*/.cache/ibus/dbus-????????", owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-open5.d/complete b/apparmor.d/abstractions/kde-open5.d/complete index c3206ba85..37038b129 100644 --- a/apparmor.d/abstractions/kde-open5.d/complete +++ b/apparmor.d/abstractions/kde-open5.d/complete @@ -7,3 +7,5 @@ owner @{user_config_dirs}/menus/{,**} r, owner @{run}/user/@{uid}/kioclient*.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index e05ad466a..c164bd434 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -34,3 +34,5 @@ owner @{user_config_dirs}/kwinrc r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index 1a77e3e7c..ed3306e42 100644 --- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete @@ -10,3 +10,5 @@ owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38}.tmp rwk, owner @{desktop_cache_dirs}/mesa_shader_cache/index rw, owner @{desktop_cache_dirs}/mesa_shader_cache/marker rw, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/nameservice-strict b/apparmor.d/abstractions/nameservice-strict index ad10304c4..b1d474717 100644 --- a/apparmor.d/abstractions/nameservice-strict +++ b/apparmor.d/abstractions/nameservice-strict 
@@ -49,3 +49,5 @@ @{PROC}/sys/kernel/random/boot_id r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index e5102cb24..6521c9840 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -34,3 +34,5 @@ deny owner @{HOME}/.nv/.local/share/gvfs-metadata/* r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/nvidia.d/complete b/apparmor.d/abstractions/nvidia.d/complete index 08d3b91bc..ef9d0c40d 100644 --- a/apparmor.d/abstractions/nvidia.d/complete +++ b/apparmor.d/abstractions/nvidia.d/complete @@ -9,3 +9,5 @@ /etc/nvidia/nvidia-application-profiles* r, /dev/char/195:@{int} rw, # Nvidia graphics devices + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/opencl-intel.d/complete b/apparmor.d/abstractions/opencl-intel.d/complete index c250a369a..1845cd61d 100644 --- a/apparmor.d/abstractions/opencl-intel.d/complete +++ b/apparmor.d/abstractions/opencl-intel.d/complete @@ -4,3 +4,5 @@ /opt/intel/oneapi/{compiler,lib,mkl}/**/ r, /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/python.d/complete b/apparmor.d/abstractions/python.d/complete index 9638a61a5..e6eea6744 100644 --- a/apparmor.d/abstractions/python.d/complete +++ b/apparmor.d/abstractions/python.d/complete @@ -10,3 +10,5 @@ owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r, owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r, owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/**/ r, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/qt5-shader-cache b/apparmor.d/abstractions/qt5-shader-cache index 05c4091f0..4ac0f7f1d 100644 --- a/apparmor.d/abstractions/qt5-shader-cache +++ b/apparmor.d/abstractions/qt5-shader-cache 
@@ -12,3 +12,5 @@ owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int}, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/qt5.d/complete b/apparmor.d/abstractions/qt5.d/complete index fadb39931..6063b47e2 100644 --- a/apparmor.d/abstractions/qt5.d/complete +++ b/apparmor.d/abstractions/qt5.d/complete @@ -9,3 +9,5 @@ /usr/share/qt{,5,6}ct/{,**} r, owner @{user_config_dirs}/qt{,5,6}ct/{,**} r, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/shells b/apparmor.d/abstractions/shells index 5583f599d..b269f2335 100644 --- a/apparmor.d/abstractions/shells +++ b/apparmor.d/abstractions/shells @@ -10,3 +10,5 @@ include include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/thumbnails-cache-read b/apparmor.d/abstractions/thumbnails-cache-read index 3c947d2ae..dc164c6ba 100644 --- a/apparmor.d/abstractions/thumbnails-cache-read +++ b/apparmor.d/abstractions/thumbnails-cache-read @@ -12,3 +12,5 @@ owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int} r, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write index 5bcca4d4b..01de0407e 100644 --- a/apparmor.d/abstractions/thumbnails-cache-write +++ b/apparmor.d/abstractions/thumbnails-cache-write @@ -12,3 +12,5 @@ owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int} rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/trash-strict b/apparmor.d/abstractions/trash-strict index 212385774..1f4202818 100644 --- a/apparmor.d/abstractions/trash-strict +++ b/apparmor.d/abstractions/trash-strict @@ -80,3 +80,5 @@ @{MOUNTS}/*/.Trash-@{uid}/expunged/@{int}/** rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/trash.d/complete b/apparmor.d/abstractions/trash.d/complete index 29d5d021a..a80a1e5a6 100644 
--- a/apparmor.d/abstractions/trash.d/complete +++ b/apparmor.d/abstractions/trash.d/complete @@ -25,3 +25,5 @@ # Removable media's trash location when the admin doesn't create the .Trash/ folder in the top lvl dir owner /{media,mnt}/*/*/.Trash-@{int}/{,**} rwl, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/uim b/apparmor.d/abstractions/uim index 24b430b10..03ae9e3e8 100644 --- a/apparmor.d/abstractions/uim +++ b/apparmor.d/abstractions/uim @@ -12,4 +12,6 @@ owner @{run}/user/@{uid}/uim/socket/uim-helper rw, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/user-download-strict b/apparmor.d/abstractions/user-download-strict index ee23bce39..3feed5cd8 100644 --- a/apparmor.d/abstractions/user-download-strict +++ b/apparmor.d/abstractions/user-download-strict @@ -13,3 +13,5 @@ owner @{user_download_dirs}/** rwkl, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/user-read b/apparmor.d/abstractions/user-read index b79e78eae..4187ab9e2 100644 --- a/apparmor.d/abstractions/user-read +++ b/apparmor.d/abstractions/user-read @@ -10,4 +10,6 @@ owner @{HOME}/[^.]** r, owner @{MOUNTS}/[^.]** r, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/user-read-strict b/apparmor.d/abstractions/user-read-strict index 3ff81e66a..5211b0345 100644 --- a/apparmor.d/abstractions/user-read-strict +++ b/apparmor.d/abstractions/user-read-strict @@ -30,4 +30,6 @@ owner @{user_vm_dirs}/{,**} rk, owner @{user_work_dirs}/{,**} rk, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/user-write-strict b/apparmor.d/abstractions/user-write-strict index 51fe3e08d..223fc660a 100644 --- a/apparmor.d/abstractions/user-write-strict +++ b/apparmor.d/abstractions/user-write-strict 
@@ -30,4 +30,6 @@ owner @{user_vm_dirs}/{,**} wl, owner @{user_work_dirs}/{,**} wl, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/user-write.d/complete b/apparmor.d/abstractions/user-write.d/complete index 8f73b06e6..a529324f5 100644 --- a/apparmor.d/abstractions/user-write.d/complete +++ b/apparmor.d/abstractions/user-write.d/complete @@ -9,3 +9,5 @@ owner @{HOME}/[^.]** wl, owner @{MOUNTS}/[^.]** wl, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/video.d/complete b/apparmor.d/abstractions/video.d/complete index e36b3128b..97b7f1a2a 100644 --- a/apparmor.d/abstractions/video.d/complete +++ b/apparmor.d/abstractions/video.d/complete @@ -8,3 +8,5 @@ # Access to video /dev devices /dev/video@{int} rw, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict index ee56ef44c..fd86f1e81 100644 --- a/apparmor.d/abstractions/vulkan-strict +++ b/apparmor.d/abstractions/vulkan-strict @@ -14,9 +14,12 @@ /etc/vulkan/icd.d/{,*.json} r, /etc/vulkan/implicit_layer.d/{,*.json} r, - owner @{user_share_dirs}/vulkan/implicit_layer.d/{,*.json} r, owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache + owner @{user_share_dirs}/vulkan/ rw, + owner @{user_share_dirs}/vulkan/implicit_layer.d/ rw, + owner @{user_share_dirs}/vulkan/implicit_layer.d/*.json r, + @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/devices/@{pci}/drm/ r, @@ -26,3 +29,5 @@ include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/vulkan.d/complete b/apparmor.d/abstractions/vulkan.d/complete index 9df2edd4b..8e5b68c08 100644 --- a/apparmor.d/abstractions/vulkan.d/complete +++ b/apparmor.d/abstractions/vulkan.d/complete @@ -4,3 +4,5 @@ /etc/glvnd/egl_vendor.d/{,*.json} r, /usr/share/glvnd/egl_vendor.d/{,*.json} r, /usr/share/egl/egl_external_platform.d/{,*.json} r, + +# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/wayland.d/complete b/apparmor.d/abstractions/wayland.d/complete index 4e2e7dd02..245b9238d 100644 --- a/apparmor.d/abstractions/wayland.d/complete +++ b/apparmor.d/abstractions/wayland.d/complete @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-wayland-@{int} r, + owner @{user_share_dirs}/sddm/wayland-session.log w, owner @{run}/user/@{uid}/wayland-@{int}.lock rwk, @@ -9,3 +11,5 @@ owner /dev/shm/sway* rw, owner /dev/shm/dunst-@{rand6} rw, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index eff45b142..067de9148 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -19,3 +19,5 @@ owner @{user_share_dirs}/ rw, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index 4addfdac9..15711713c 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -26,4 +26,6 @@ owner @{user_config_dirs}/zsh/.zcompdump-* rw, owner @{user_config_dirs}/zsh/{,**} r, - include if exists \ No newline at end of file + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apps/dropbox b/apparmor.d/groups/apps/dropbox index 8c033dd17..ddb62bf60 100644 --- a/apparmor.d/groups/apps/dropbox +++ b/apparmor.d/groups/apps/dropbox @@ -58,7 +58,7 @@ profile dropbox @{exec_path} { # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead owner @{tmp}/dropbox-antifreeze-* rw, owner @{tmp}/#@{int} rw, - owner /var/tmp/etilqs_@{hex} rw, + owner /var/tmp/etilqs_@{hex16} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/apps/signal-desktop b/apparmor.d/groups/apps/signal-desktop index fd7acf06e..6c8525f48 100644 --- a/apparmor.d/groups/apps/signal-desktop +++ b/apparmor.d/groups/apps/signal-desktop 
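Review bot: `owner @{user_share_dirs}/sddm/wayland-session.log w,` in the wayland.d/complete hunk `@@ -2,6 +2,8 @@` is placed in the shared Wayland abstraction, so every Wayland client profile that includes it can write (and truncate) the SDDM session log, not just the session launcher that produces it. If the access was observed from a specific profile, moving the rule there keeps the abstraction limited to compositor-socket access; otherwise a comment such as `# sddm-helper redirects the session's stdout/stderr here` would explain why all clients need it.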
@@ -43,6 +43,7 @@ profile signal-desktop @{exec_path} { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, + @{PROC}/@{pid}/fd/ r, @{PROC}/vmstat r, include if exists diff --git a/apparmor.d/groups/apps/signal-desktop-chrome-sandbox b/apparmor.d/groups/apps/signal-desktop-chrome-sandbox index 697b82f27..8a5083143 100644 --- a/apparmor.d/groups/apps/signal-desktop-chrome-sandbox +++ b/apparmor.d/groups/apps/signal-desktop-chrome-sandbox @@ -22,6 +22,8 @@ profile signal-desktop-chrome-sandbox @{exec_path} { @{lib_dirs}/signal-desktop{,-beta} rPx, @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/oom_adj w, + @{PROC}/@{pid}/oom_score_adj w, include if exists } diff --git a/apparmor.d/groups/apt/debsign b/apparmor.d/groups/apt/debsign index 57620131d..7ed318aa7 100644 --- a/apparmor.d/groups/apt/debsign +++ b/apparmor.d/groups/apt/debsign @@ -55,6 +55,7 @@ profile debsign @{exec_path} { owner @{tmp}/debsign.*/*.{dsc,changes,buildinfo} r, owner @{tmp}/debsign.*/*.{dsc,changes,buildinfo}.asc rw, + include if exists } include if exists diff --git a/apparmor.d/groups/apt/debsums b/apparmor.d/groups/apt/debsums index fc0bb335f..ee371bee8 100644 --- a/apparmor.d/groups/apt/debsums +++ b/apparmor.d/groups/apt/debsums @@ -20,13 +20,6 @@ profile debsums @{exec_path} { @{sh_path} rix, @{bin}/{m,g,}awk rix, - /etc/dpkg/dpkg.cfg.d/{,*} r, - /etc/dpkg/dpkg.cfg r, - - /var/lib/dpkg/info/* r, - - /etc/locale.nopurge r, - # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. @@ -35,6 +28,13 @@ profile debsums @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg-divert rPx -> child-dpkg-divert, + /etc/dpkg/dpkg.cfg.d/{,*} r, + /etc/dpkg/dpkg.cfg r, + + /etc/locale.nopurge r, + + /var/lib/dpkg/info/* r, + # For shell pwd / r, /root/ r, 
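Review bot: The added `@{PROC}/@{pid}/fd/ r,` in signal-desktop and `@{PROC}/@{pid}/oom_adj w,` / `@{PROC}/@{pid}/oom_score_adj w,` in signal-desktop-chrome-sandbox are not `owner`-qualified, so the rules match the proc entries of any pid rather than the process's own, whereas the rest of this commit (for example the new steam-game abstraction) consistently writes `owner @{PROC}/@{pid}/...`. Unless the sandbox helper really adjusts other processes' OOM scores, `owner @{PROC}/@{pid}/oom_score_adj w,` (and the same for `oom_adj` and `fd/`) is the least-privilege form; kernel DAC already restricts cross-process writes, but the profile should not be wider than the intent.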
diff --git a/apparmor.d/groups/apt/dpkg-divert b/apparmor.d/groups/apt/dpkg-divert index a3cfa2431..a770662a7 100644 --- a/apparmor.d/groups/apt/dpkg-divert +++ b/apparmor.d/groups/apt/dpkg-divert @@ -16,7 +16,7 @@ profile dpkg-divert @{exec_path} { /var/lib/dpkg/** r, - /usr/share/*/** w, + /usr/share/*/** rw, /var/lib/dpkg/diversions rw, /var/lib/dpkg/diversions-new rw, diff --git a/apparmor.d/groups/browsers/firefox-minidump-analyzer b/apparmor.d/groups/browsers/firefox-minidump-analyzer index 69fbb8fc0..08cfc081a 100644 --- a/apparmor.d/groups/browsers/firefox-minidump-analyzer +++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer @@ -15,7 +15,7 @@ include @{cache_dirs} = @{user_cache_dirs}/mozilla/ @{exec_path} = @{lib_dirs}/minidump-analyzer -profile firefox-minidump-analyzer @{exec_path} { +profile firefox-minidump-analyzer @{exec_path} flags=(attach_disconnected) { include signal (receive) set=(term, kill) peer=firefox, @@ -27,10 +27,10 @@ profile firefox-minidump-analyzer @{exec_path} { owner "@{config_dirs}/firefox/Crash Reports/" rw, owner "@{config_dirs}/firefox/Crash Reports/pending/" rw, owner "@{config_dirs}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw, - owner @{config_dirs}/*.*/extensions/*.xpi r, - owner @{config_dirs}/*.*/minidumps/ rw, - owner @{config_dirs}/*.*/minidumps/@{uuid}.{dmp,extra} rw, - owner @{config_dirs}/*.*/storage/default/* r, + owner @{config_dirs}/{,firefox/}*.*/extensions/*.xpi r, + owner @{config_dirs}/{,firefox/}*.*/minidumps/ rw, + owner @{config_dirs}/{,firefox/}*.*/minidumps/@{uuid}.{dmp,extra} rw, + owner @{config_dirs}/{,firefox/}*.*/storage/default/* r, owner @{cache_dirs}/firefox/*.*/startupCache/*Cache* r, diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index 0129c69a3..66fef2950 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf 
@@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/{,ibus/}ibus-memconf -profile ibus-memconf @{exec_path} { +profile ibus-memconf @{exec_path} flags=(attach_disconnected) { include include include @@ -27,6 +27,8 @@ profile ibus-memconf @{exec_path} { owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index aadae9bfe..59bd622f0 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -49,6 +49,7 @@ profile cron-popularity-contest @{exec_path} { /var/log/popularity-contest{,.new} rw, /var/log/popularity-contest{,.new}.gpg rw, /var/log/popularity-contest.@{int} rw, + /var/log/popularity-contest.@{int}.gpg rw, # Store last successful http submission timestamp /var/lib/popularity-contest/ rw, @@ -66,15 +67,14 @@ profile cron-popularity-contest @{exec_path} { @{bin}/savelog mr, - @{bin}/date rix, @{bin}/basename rix, - @{bin}/which{,.debianutils} rix, + @{bin}/date rix, @{bin}/dirname rix, - @{bin}/rm rix, - @{bin}/mv rix, - @{bin}/touch rix, @{bin}/gzip rix, - + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/touch rix, + @{bin}/which{,.debianutils} rix, @{sh_path} rix, /var/log/ r, @@ -82,9 +82,9 @@ profile cron-popularity-contest @{exec_path} { /var/log/popularity-contest.@{int} rw, /var/log/popularity-contest rw, - # file_inherit - owner @{tmp}/#@{int} rw, + owner @{tmp}/#@{int} rw, # file_inherit + include if exists } profile runuser { 
@@ -96,19 +96,18 @@ profile cron-popularity-contest @{exec_path} { @{bin}/runuser mr, @{sh_path} rix, - - @{bin}/popularity-contest rPx, - - owner @{PROC}/@{pids}/loginuid r, - @{PROC}/1/limits r, + @{bin}/popularity-contest rPx, @{etc_ro}/security/limits.d/ r, /var/log/popularity-contest.new w, - # file_inherit - owner @{tmp}/#@{int} rw, + @{PROC}/1/limits r, + owner @{PROC}/@{pids}/loginuid r, + owner @{tmp}/#@{int} rw, # file_inherit + + include if exists } profile gpg { @@ -126,9 +125,9 @@ profile cron-popularity-contest @{exec_path} { owner @{tmp}/tmp.*/** rwkl -> /tmp/tmp.*/**, - # file_inherit - owner @{tmp}/#@{int} rw, + owner @{tmp}/#@{int} rw, # file_inherit + include if exists } profile popcon-upload { @@ -142,18 +141,18 @@ profile cron-popularity-contest @{exec_path} { network inet6 stream, network netlink raw, - /usr/share/popularity-contest/popcon-upload r, @{bin}/perl r, - @{bin}/gzip rix, + /usr/share/popularity-contest/popcon-upload r, + /var/log/ r, /var/log/popularity-contest.new.gpg r, /var/log/popularity-contest.@{int}.gpg r, - # file_inherit - owner @{tmp}/#@{int} rw, + owner @{tmp}/#@{int} rw, # file_inherit + include if exists } include if exists diff --git a/apparmor.d/groups/display-manager/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession index bafc9a31b..39169eaf7 100644 --- a/apparmor.d/groups/display-manager/x11-xsession +++ b/apparmor.d/groups/display-manager/x11-xsession @@ -139,18 +139,7 @@ profile x11-xsession @{exec_path} { profile udevadm { include - include - - @{bin}/udevadm mr, - - /etc/udev/udev.conf r, - - @{sys}/bus/ r, - @{sys}/bus/*/devices/ r, - @{sys}/class/ r, - @{sys}/class/*/ r, - @{sys}/devices/**/uevent r, - @{run}/udev/data/* r, + include include if exists } diff --git a/apparmor.d/groups/freedesktop/fc-cache b/apparmor.d/groups/freedesktop/fc-cache index affeb182c..a3e5beebb 100644 --- a/apparmor.d/groups/freedesktop/fc-cache +++ b/apparmor.d/groups/freedesktop/fc-cache 
@@ -7,7 +7,9 @@ abi , include -@{exec_path} = /{snap/snapd/@{int}/,}{usr/,}bin/fc-cache{,-32,-v*} +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} + +@{exec_path} = @{bin_dirs}/fc-cache{,-32,-v*} profile fc-cache @{exec_path} { include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index b8ee7c4ac..f7801cb62 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -10,6 +10,7 @@ include profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -19,6 +20,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_ptrace, @@ -70,10 +72,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { /.flatpak-info r, /usr/share/dconf/profile/gdm r, - /usr/share/pipewire/client.conf r, /usr/share/xdg-desktop-portal/** r, - /etc/pipewire/client.conf.d/ r, /etc/sysconfig/proxy r, /var/lib/gdm{,3}/greeter-dconf-defaults r, @@ -83,7 +83,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { owner @{tmp}/icon* rw, owner @{run}/user/@{uid}/.flatpak/{,*/*} r, - owner @{run}/user/@{uid}/pipewire-@{int} rw, @{PROC}/ r, @{PROC}/*/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 9ca2e9b59..91eb77602 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -22,7 +22,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include - include + include network unix stream, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 54104e51d..7884a3fd7 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal 
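Review bot: In the fc-cache hunk the new `@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin}` mixes a trailing slash on the first alternative with none on the second, so `@{exec_path} = @{bin_dirs}/fc-cache{,-32,-v*}` expands to `@{bin}//fc-cache...` for the host path and relies on the parser collapsing the double slash. Dropping the stray slash, `@{bin_dirs} = @{bin} /snap/{snapd,core}/@{int}@{bin}`, yields identical paths for both alternatives and reads unambiguously.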
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -42,7 +42,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { / r, owner /.flatpak-info r, - owner @{HOME}/*/{,**} r, + owner @{HOME}/** r, owner @{user_share_dirs}/flatpak/db/documents r, owner @{user_share_dirs}/Trash/files/** r, diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index df733b16a..4ea8970b3 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -18,6 +18,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { @{bin}/{,e}grep rix, @{bin}/{m,g,}awk rix, @{bin}/basename rix, + @{bin}/cat rix, @{bin}/cut rix, @{bin}/file rix, @{bin}/head rix, diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 43faaaf9a..9a53b96cf 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -42,6 +42,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/flatpak/db/background rw, owner @{user_share_dirs}/flatpak/db/devices r, + owner @{user_share_dirs}/flatpak/db/documents rw, owner @{user_share_dirs}/flatpak/db/notifications rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver index 9b655a40b..353bb7b1b 100644 --- a/apparmor.d/groups/freedesktop/xdg-screensaver +++ b/apparmor.d/groups/freedesktop/xdg-screensaver @@ -32,7 +32,7 @@ profile xdg-screensaver @{exec_path} { @{bin}/xset rPx, @{bin}/hostname rix, - /dev/dri/card[0-9] rw, + /dev/dri/card@{int} rw, owner @{HOME}/ r, owner @{HOME}/.Xauthority r, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 7d24d304a..7d577c4c4 100644 
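Review bot: Widening `owner @{HOME}/*/{,**} r,` to `owner @{HOME}/** r,` in xdg-document-portal newly covers the top-level files of the home directory, including dotfiles such as shell history or credential files that the previous pattern (which required a subdirectory component) did not reach. The portal does need to read whatever the user chooses to share, but this repository already ships `abstractions/deny-sensitive-home` for exactly this case; adding `include <abstractions/deny-sensitive-home>` next to the rule, or a comment recording why the full-home read is intentional, would keep the broadening deliberate.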
--- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -41,7 +41,7 @@ profile gdm-generate-config @{exec_path} { @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, - @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/stat r, @{PROC}/uptime r, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index fd2462ffa..6abb6f1f2 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -16,6 +16,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -93,7 +94,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/wallpapers/{,**} r, /usr/share/xml/iso-codes/{,**} r, - /etc/cups/client.conf r, /etc/machine-info r, /etc/rygel.conf r, /etc/security/pwquality.conf r, @@ -130,7 +130,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, - @{run}/cups/cups.sock rw, @{run}/samba/ rw, @{run}/systemd/sessions/ r, @{run}/systemd/sessions/* r, diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index f22cde879..2eda9bb05 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -48,7 +48,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/[0-9]*.ref rw, owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, - owner /var/tmp/etilqs_@{hex} rw, + owner /var/tmp/etilqs_@{hex16} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 217cc0d52..2f0c112e9 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
@@ -407,6 +407,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/games/* PUx, /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx, + owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index f4e6a1262..e87cbcd7e 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -99,6 +99,9 @@ profile gnome-software @{exec_path} { owner @{run}/user/@{uid}/.flatpak/**/*.ref rwk, owner @{run}/user/@{uid}/app/{,*/} rw, + owner /dev/shm/flatpak-com.*/ rw, + owner /dev/shm/flatpak-com.*/.flatpak-tmpdir rw, + @{run}/systemd/inhibit/*.ref rw, @{sys}/module/nvidia/version r, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 6d40144ce..de035a598 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -11,13 +11,12 @@ profile gnome-text-editor @{exec_path} { include include include + include include include @{exec_path} mr, - /usr/share/enchant-*/{,**} r, - owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 6846ecaa5..ad71bec7f 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -13,6 +13,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include include include + include include network inet stream, @@ -34,10 +35,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{lib}/gsd-printer rPx, - /etc/cups/client.conf r, - - @{run}/cups/cups.sock rw, - owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, 
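Review bot: The two new `/dev/shm/flatpak-com.*/` rules in the gnome-software hunk are keyed on the `com.` reverse-DNS prefix, so if that directory name is derived from the application ID (which the `flatpak-` prefix suggests), apps with `org.`, `io.` or `net.` IDs would reach the same path and be denied. If the intent is any Flatpak application, `owner /dev/shm/flatpak-*/ rw,` and `owner /dev/shm/flatpak-*/.flatpak-tmpdir rw,` cover it; if only `com.*` is meant, a short comment stating why would help. The enclosing gnome-software profile continues outside the hunk.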
diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 4003d1753..f5516c22c 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -30,8 +30,7 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/opensc.conf r, - /etc/opensc/opensc.conf r, + /etc/{,opensc/}opensc.conf r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 8987ae31a..1f5a088be 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -36,8 +36,7 @@ profile seahorse @{exec_path} { /etc/pki/trust/blocklist/ r, /etc/gcrypt/hwf.deny r, - /etc/opensc.conf r, - /etc/opensc/opensc.conf r, + /etc/{,opensc/}opensc.conf r, owner @{HOME}/@{XDG_SSH_DIR}/{,**} r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 6646d69d7..5e073215a 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -65,8 +65,8 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ r, - owner /var/tmp/etilqs_@{hex} rw, - owner @{tmp}/etilqs_@{hex} rw, + owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{hex16} rw, # Allow to search user files owner @{HOME}/{,**} r, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 3c7b4eed8..7464a9842 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -16,6 +16,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include + include include include include 
@@ -76,7 +77,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /usr/share/wallpapers/{,**} r, /etc/appstream.conf r, - /etc/cups/client.conf r, /etc/fstab r, /etc/ksysguarddrc r, /etc/machine-id r, diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script index b72b5c8af..dacb3711c 100644 --- a/apparmor.d/groups/network/netplan.script +++ b/apparmor.d/groups/network/netplan.script @@ -34,11 +34,7 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { profile udevadm { include - include - - @{bin}/udevadm mr, - - /etc/udev/udev.conf r, + include @{run}/udev/control rw, @{run}/udev/rules.d/90-netplan.rules rw, diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index 1a3a6ec46..4446ad039 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish @@ -55,7 +55,7 @@ profile aurpublish @{exec_path} { owner @{user_cache_dirs}/makepkg/src/* rw, owner @{user_config_dirs}/pacman/makepkg.conf r, - owner @{tmp}/tmp.* rw, + owner @{tmp}/tmp.@{rand10} rw, owner @{PROC}/@{pid}/maps r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 7207c714c..5a873f187 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -146,6 +146,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { # Silencer, deny @{HOME}/ r, + deny @{HOME}/**/ r, deny /tmp/ r, profile gpg { diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 2a75035e1..96be24919 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -117,6 +117,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/ip rix, + @{bin}/nft rix, @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper @{bin}/tc rix, 
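Review bot: In the netplan.script hunk the child `udevadm` profile loses its own `@{bin}/udevadm mr,` and `/etc/udev/udev.conf r,` rules in favour of a second include whose target is not visible here; the child keeps working only if that abstraction grants both, since the remaining visible rules are just the `@{run}/udev/...` ones. If the include is a shared udevadm abstraction that carries them this is fine; otherwise the transition into the child would fail with a denial on the udevadm binary itself. A brief `# udevadm binary and udev.conf access come from the included abstraction` comment would make that dependency explicit. The child profile continues outside the hunk.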
@@ -206,6 +207,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/cpu/cpu@{int}/cache/{,**} r, @{sys}/devices/system/cpu/cpu@{int}/topology/{,**} r, + @{sys}/devices/system/cpu/isolated r, @{sys}/devices/system/cpu/present r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/ r, diff --git a/apparmor.d/groups/xfce/mousepad b/apparmor.d/groups/xfce/mousepad index e61709db1..a83e7fa0c 100644 --- a/apparmor.d/groups/xfce/mousepad +++ b/apparmor.d/groups/xfce/mousepad @@ -10,6 +10,7 @@ include profile mousepad @{exec_path} { include include + include include include include @@ -18,14 +19,9 @@ profile mousepad @{exec_path} { @{open_path} rPx -> child-open-help, - /usr/share/hunspell/{,**} r, - owner @{user_config_dirs}/Mousepad/ rw, owner @{user_config_dirs}/Mousepad/** rwk, - owner @{user_config_dirs}/enchant/ rw, - owner @{user_config_dirs}/enchant/ rwk, - owner @{user_share_dirs}/Mousepad/ rw, owner @{user_share_dirs}/Mousepad/** rwk, diff --git a/apparmor.d/profiles-a-f/aa-enabled b/apparmor.d/profiles-a-f/aa-enabled index f85a84cd6..d5ebe0c10 100644 --- a/apparmor.d/profiles-a-f/aa-enabled +++ b/apparmor.d/profiles-a-f/aa-enabled @@ -18,4 +18,6 @@ profile aa-enabled @{exec_path} { owner @{PROC}/@{pid}/mounts r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/profiles-a-f/aa-enforce index df5c7972d..a6f3d2b9e 100644 --- a/apparmor.d/profiles-a-f/aa-enforce +++ b/apparmor.d/profiles-a-f/aa-enforce @@ -32,4 +32,6 @@ profile aa-enforce @{exec_path} { owner @{PROC}/@{pid}/fd r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log index c5bc84c76..6d1f690f6 100644 --- a/apparmor.d/profiles-a-f/aa-log +++ b/apparmor.d/profiles-a-f/aa-log @@ -35,3 +35,5 @@ profile aa-log @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify index 7d10b57af..7c65b9be2 100644 --- a/apparmor.d/profiles-a-f/aa-notify +++ b/apparmor.d/profiles-a-f/aa-notify @@ -43,3 +43,5 @@ profile aa-notify @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/aa-status b/apparmor.d/profiles-a-f/aa-status index 7b94ce35f..5d5840f6f 100644 --- a/apparmor.d/profiles-a-f/aa-status +++ b/apparmor.d/profiles-a-f/aa-status @@ -30,3 +30,5 @@ profile aa-status @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/aa-teardown b/apparmor.d/profiles-a-f/aa-teardown index c42501644..263c7b9af 100644 --- a/apparmor.d/profiles-a-f/aa-teardown +++ b/apparmor.d/profiles-a-f/aa-teardown @@ -23,4 +23,6 @@ profile aa-teardown @{exec_path} { /dev/tty rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/abook b/apparmor.d/profiles-a-f/abook index 14e345864..f4252aeee 100644 --- a/apparmor.d/profiles-a-f/abook +++ b/apparmor.d/profiles-a-f/abook @@ -31,3 +31,5 @@ profile abook @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/acpi b/apparmor.d/profiles-a-f/acpi index ce1e57541..4f6132c25 100644 --- a/apparmor.d/profiles-a-f/acpi +++ b/apparmor.d/profiles-a-f/acpi @@ -22,3 +22,5 @@ profile acpi @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn index ba559644c..9372f46b4 100644 --- a/apparmor.d/profiles-a-f/acpi-powerbtn +++ b/apparmor.d/profiles-a-f/acpi-powerbtn @@ -55,3 +55,5 @@ profile acpi-powerbtn flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid index 95eb98c61..10600e3d7 100644 --- a/apparmor.d/profiles-a-f/acpid 
+++ b/apparmor.d/profiles-a-f/acpid @@ -18,7 +18,7 @@ profile acpid @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/{ba,da,}sh rix, + @{sh_path} rix, @{bin}/logger rix, /etc/acpi/powerbtn-acpi-support.sh rPx -> acpi-powerbtn, @@ -37,3 +37,5 @@ profile acpid @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/adb b/apparmor.d/profiles-a-f/adb index bbdc782ab..13863c03a 100644 --- a/apparmor.d/profiles-a-f/adb +++ b/apparmor.d/profiles-a-f/adb @@ -32,3 +32,5 @@ profile adb @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index e816822ae..350f070b0 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -54,3 +54,5 @@ profile adduser @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index cbcb25574..fe3e7565f 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -109,3 +109,5 @@ profile adequate @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty index bf83779a5..c15748c6a 100644 --- a/apparmor.d/profiles-a-f/agetty +++ b/apparmor.d/profiles-a-f/agetty @@ -42,3 +42,5 @@ profile agetty @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index 8497cb986..80e64558a 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -33,4 +33,6 @@ profile alacarte @{exec_path} { owner @{PROC}/@{pid}/mounts r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/alsactl b/apparmor.d/profiles-a-f/alsactl index c0f821a10..bde626660 100644 --- a/apparmor.d/profiles-a-f/alsactl 
+++ b/apparmor.d/profiles-a-f/alsactl @@ -23,4 +23,6 @@ profile alsactl @{exec_path} { owner @{run}/alsa/{,**} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/amixer b/apparmor.d/profiles-a-f/amixer index c6c49ecca..ea2842a74 100644 --- a/apparmor.d/profiles-a-f/amixer +++ b/apparmor.d/profiles-a-f/amixer @@ -26,3 +26,5 @@ profile amixer @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/anacron b/apparmor.d/profiles-a-f/anacron index 40f14779c..8893f1d70 100644 --- a/apparmor.d/profiles-a-f/anacron +++ b/apparmor.d/profiles-a-f/anacron @@ -44,3 +44,5 @@ profile anacron @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote index 4fa47c613..b9031360f 100644 --- a/apparmor.d/profiles-a-f/anyremote +++ b/apparmor.d/profiles-a-f/anyremote @@ -138,3 +138,5 @@ profile anyremote @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/aplay b/apparmor.d/profiles-a-f/aplay index 44bdd100d..0bb417ae2 100644 --- a/apparmor.d/profiles-a-f/aplay +++ b/apparmor.d/profiles-a-f/aplay @@ -21,3 +21,5 @@ profile aplay @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/apparmor.systemd b/apparmor.d/profiles-a-f/apparmor.systemd index e993b3f85..a6d517b2a 100644 --- a/apparmor.d/profiles-a-f/apparmor.systemd +++ b/apparmor.d/profiles-a-f/apparmor.systemd @@ -48,4 +48,6 @@ profile apparmor.systemd @{exec_path} flags=(complain) { /dev/tty rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser index ee442861f..82acd0d0f 100644 --- a/apparmor.d/profiles-a-f/apparmor_parser +++ b/apparmor.d/profiles-a-f/apparmor_parser 
@@ -45,4 +45,6 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index e280c7055..6b6bad8d8 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -74,3 +74,5 @@ profile appstreamcli @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/arandr b/apparmor.d/profiles-a-f/arandr index cb2e5b37b..6baddcf18 100644 --- a/apparmor.d/profiles-a-f/arandr +++ b/apparmor.d/profiles-a-f/arandr @@ -37,3 +37,5 @@ profile arandr @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/archivemount b/apparmor.d/profiles-a-f/archivemount index 106afa48f..03836a9dc 100644 --- a/apparmor.d/profiles-a-f/archivemount +++ b/apparmor.d/profiles-a-f/archivemount @@ -56,3 +56,5 @@ profile archivemount @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/arduino b/apparmor.d/profiles-a-f/arduino index d92b5dce9..47d784212 100644 --- a/apparmor.d/profiles-a-f/arduino +++ b/apparmor.d/profiles-a-f/arduino @@ -136,3 +136,5 @@ profile arduino @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/arduino-builder b/apparmor.d/profiles-a-f/arduino-builder index 0eb54afe3..23f8628e5 100644 --- a/apparmor.d/profiles-a-f/arduino-builder +++ b/apparmor.d/profiles-a-f/arduino-builder @@ -49,3 +49,5 @@ profile arduino-builder @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/arduino-ctags b/apparmor.d/profiles-a-f/arduino-ctags index c97b00961..0c3849643 100644 --- a/apparmor.d/profiles-a-f/arduino-ctags +++ b/apparmor.d/profiles-a-f/arduino-ctags 
@@ -19,3 +19,5 @@ profile arduino-ctags @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/aspell b/apparmor.d/profiles-a-f/aspell index 765234d6f..c5bd8d4f4 100644 --- a/apparmor.d/profiles-a-f/aspell +++ b/apparmor.d/profiles-a-f/aspell @@ -23,3 +23,5 @@ profile aspell @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index f7bf193a9..078fa0139 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -73,3 +73,5 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/at b/apparmor.d/profiles-a-f/at index 23d5d30d6..2da487b9c 100644 --- a/apparmor.d/profiles-a-f/at +++ b/apparmor.d/profiles-a-f/at @@ -29,4 +29,6 @@ profile at @{exec_path} { @{PROC}/@{pid}/loginuid r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index 9da2f3041..b1b54f0fa 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -44,4 +44,6 @@ profile atd @{exec_path} { @{PROC}/loadavg r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/atftpd b/apparmor.d/profiles-a-f/atftpd index aa90818d6..02a0a018b 100644 --- a/apparmor.d/profiles-a-f/atftpd +++ b/apparmor.d/profiles-a-f/atftpd @@ -26,3 +26,5 @@ profile atftpd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/atool b/apparmor.d/profiles-a-f/atool index cb5317ded..947245d2a 100644 --- a/apparmor.d/profiles-a-f/atool +++ b/apparmor.d/profiles-a-f/atool @@ -49,3 +49,5 @@ profile atool @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index a1caf6bc7..2163346cc 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -87,3 +87,5 @@ profile @{bin}/atril-previewer { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/atrild b/apparmor.d/profiles-a-f/atrild index d753d7f88..c44686d5a 100644 --- a/apparmor.d/profiles-a-f/atrild +++ b/apparmor.d/profiles-a-f/atrild @@ -18,3 +18,5 @@ profile atrild @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/auditctl b/apparmor.d/profiles-a-f/auditctl index daee68977..daaee243f 100644 --- a/apparmor.d/profiles-a-f/auditctl +++ b/apparmor.d/profiles-a-f/auditctl @@ -19,4 +19,6 @@ profile auditctl @{exec_path} flags=(attach_disconnected) { /etc/audit/audit.rules r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd index 0775c6183..4e93a5d22 100644 --- a/apparmor.d/profiles-a-f/auditd +++ b/apparmor.d/profiles-a-f/auditd @@ -38,3 +38,5 @@ profile auditd @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules index f5a83b69a..5f192e8cc 100644 --- a/apparmor.d/profiles-a-f/augenrules +++ b/apparmor.d/profiles-a-f/augenrules @@ -34,3 +34,5 @@ profile augenrules @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/badblocks b/apparmor.d/profiles-a-f/badblocks index 0c514c76d..48b4cc8af 100644 --- a/apparmor.d/profiles-a-f/badblocks +++ b/apparmor.d/profiles-a-f/badblocks @@ -24,3 +24,5 @@ profile badblocks @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/biosdecode b/apparmor.d/profiles-a-f/biosdecode index dc9540643..caf8a50d2 100644 
--- a/apparmor.d/profiles-a-f/biosdecode +++ b/apparmor.d/profiles-a-f/biosdecode @@ -20,3 +20,5 @@ profile biosdecode @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray index 93eb3d572..b6314e942 100644 --- a/apparmor.d/profiles-a-f/birdtray +++ b/apparmor.d/profiles-a-f/birdtray @@ -57,3 +57,5 @@ profile birdtray @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index ea688a331..f9db3e96f 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate +++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -29,3 +29,5 @@ profile blkdeactivate @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/profiles-a-f/blkid index fef77c18a..ad8134064 100644 --- a/apparmor.d/profiles-a-f/blkid +++ b/apparmor.d/profiles-a-f/blkid @@ -41,3 +41,5 @@ profile blkid @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/blockdev b/apparmor.d/profiles-a-f/blockdev index a69104221..1b6cc77cb 100644 --- a/apparmor.d/profiles-a-f/blockdev +++ b/apparmor.d/profiles-a-f/blockdev @@ -20,3 +20,5 @@ profile blockdev @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman index 13e3fed1b..9ac1c2c2b 100644 --- a/apparmor.d/profiles-a-f/blueman +++ b/apparmor.d/profiles-a-f/blueman @@ -65,3 +65,5 @@ profile blueman @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/blueman-mechanism b/apparmor.d/profiles-a-f/blueman-mechanism index 968c98f3c..152520fad 100644 --- a/apparmor.d/profiles-a-f/blueman-mechanism +++ b/apparmor.d/profiles-a-f/blueman-mechanism 
@@ -47,3 +47,5 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher b/apparmor.d/profiles-a-f/blueman-rfcomm-watcher index 9e24bf7b7..a8753ac8f 100644 --- a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher +++ b/apparmor.d/profiles-a-f/blueman-rfcomm-watcher @@ -22,3 +22,5 @@ profile blueman-rfcomm-watcher @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/bluemoon b/apparmor.d/profiles-a-f/bluemoon index 5b975f1b9..06f4040f8 100644 --- a/apparmor.d/profiles-a-f/bluemoon +++ b/apparmor.d/profiles-a-f/bluemoon @@ -15,3 +15,5 @@ profile bluemoon @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/bluetoothctl b/apparmor.d/profiles-a-f/bluetoothctl index 5af6e963e..603998f2c 100644 --- a/apparmor.d/profiles-a-f/bluetoothctl +++ b/apparmor.d/profiles-a-f/bluetoothctl @@ -21,3 +21,5 @@ profile bluetoothctl @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/profiles-a-f/bluetoothd index 499a7e3cb..75934102b 100644 --- a/apparmor.d/profiles-a-f/bluetoothd +++ b/apparmor.d/profiles-a-f/bluetoothd @@ -77,3 +77,5 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/bmon b/apparmor.d/profiles-a-f/bmon index 3ed3aae29..77feb3210 100644 --- a/apparmor.d/profiles-a-f/bmon +++ b/apparmor.d/profiles-a-f/bmon @@ -19,3 +19,5 @@ profile bmon @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd index 29fd2aac9..47c16d1cd 100644 --- a/apparmor.d/profiles-a-f/boltd +++ b/apparmor.d/profiles-a-f/boltd @@ -50,3 +50,5 @@ profile boltd @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index dffe9087f..107330419 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -117,3 +117,5 @@ profile borg @{exec_path} { include if exists include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass index e616a9411..cfc5d3b0b 100644 --- a/apparmor.d/profiles-a-f/browserpass +++ b/apparmor.d/profiles-a-f/browserpass @@ -62,3 +62,5 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index 3ec7b2f3b..b6c3556ec 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop @@ -60,3 +60,5 @@ profile btop @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs index cb651e1c2..f056d12ca 100644 --- a/apparmor.d/profiles-a-f/btrfs +++ b/apparmor.d/profiles-a-f/btrfs @@ -58,3 +58,5 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/btrfs-convert b/apparmor.d/profiles-a-f/btrfs-convert index 0143fd5c9..8b443cf6e 100644 --- a/apparmor.d/profiles-a-f/btrfs-convert +++ b/apparmor.d/profiles-a-f/btrfs-convert @@ -18,3 +18,5 @@ profile btrfs-convert @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/btrfs-find-root b/apparmor.d/profiles-a-f/btrfs-find-root index d25c836bf..03c2d47bd 100644 --- a/apparmor.d/profiles-a-f/btrfs-find-root +++ b/apparmor.d/profiles-a-f/btrfs-find-root @@ -19,3 +19,5 @@ profile btrfs-find-root @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/btrfs-image b/apparmor.d/profiles-a-f/btrfs-image index 63a54f7d6..c1508bb09 100644 --- a/apparmor.d/profiles-a-f/btrfs-image 
+++ b/apparmor.d/profiles-a-f/btrfs-image @@ -21,3 +21,5 @@ profile btrfs-image @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/btrfs-map-logical b/apparmor.d/profiles-a-f/btrfs-map-logical index f50198a9e..12d2b09d6 100644 --- a/apparmor.d/profiles-a-f/btrfs-map-logical +++ b/apparmor.d/profiles-a-f/btrfs-map-logical @@ -19,3 +19,5 @@ profile btrfs-map-logical @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/btrfs-select-super b/apparmor.d/profiles-a-f/btrfs-select-super index 12efd68cd..f083363cf 100644 --- a/apparmor.d/profiles-a-f/btrfs-select-super +++ b/apparmor.d/profiles-a-f/btrfs-select-super @@ -18,3 +18,5 @@ profile btrfs-select-super @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/btrfstune b/apparmor.d/profiles-a-f/btrfstune index 4eb522481..cd8f7adfe 100644 --- a/apparmor.d/profiles-a-f/btrfstune +++ b/apparmor.d/profiles-a-f/btrfstune @@ -22,3 +22,5 @@ profile btrfstune @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cawbird b/apparmor.d/profiles-a-f/cawbird index 6ebd21052..ee3bab550 100644 --- a/apparmor.d/profiles-a-f/cawbird +++ b/apparmor.d/profiles-a-f/cawbird @@ -72,3 +72,5 @@ profile cawbird @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cc-remote-login-helper b/apparmor.d/profiles-a-f/cc-remote-login-helper index 5bb52d718..bc12ec50b 100644 --- a/apparmor.d/profiles-a-f/cc-remote-login-helper +++ b/apparmor.d/profiles-a-f/cc-remote-login-helper @@ -15,3 +15,5 @@ profile cc-remote-login-helper @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cctk b/apparmor.d/profiles-a-f/cctk index f73936734..3795d9836 100644 --- a/apparmor.d/profiles-a-f/cctk +++ b/apparmor.d/profiles-a-f/cctk 
@@ -32,4 +32,6 @@ profile cctk @{exec_path} { /dev/wmi/dell-smbios r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/ccze b/apparmor.d/profiles-a-f/ccze index 6ef28e832..e51310b63 100644 --- a/apparmor.d/profiles-a-f/ccze +++ b/apparmor.d/profiles-a-f/ccze @@ -21,3 +21,5 @@ profile ccze @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cert-sync b/apparmor.d/profiles-a-f/cert-sync index b3abfcbb8..e2770bda1 100644 --- a/apparmor.d/profiles-a-f/cert-sync +++ b/apparmor.d/profiles-a-f/cert-sync @@ -15,4 +15,6 @@ profile cert-sync @{exec_path} { @{bin}/mono-sgen rPx, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cfdisk b/apparmor.d/profiles-a-f/cfdisk index 48d129e3f..7559b5c84 100644 --- a/apparmor.d/profiles-a-f/cfdisk +++ b/apparmor.d/profiles-a-f/cfdisk @@ -33,3 +33,5 @@ profile cfdisk @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cgdisk b/apparmor.d/profiles-a-f/cgdisk index ee305de16..f19e70c26 100644 --- a/apparmor.d/profiles-a-f/cgdisk +++ b/apparmor.d/profiles-a-f/cgdisk @@ -25,3 +25,5 @@ profile cgdisk @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cgrulesengd b/apparmor.d/profiles-a-f/cgrulesengd index 1a9b6d81d..6c51eead1 100644 --- a/apparmor.d/profiles-a-f/cgrulesengd +++ b/apparmor.d/profiles-a-f/cgrulesengd @@ -51,3 +51,5 @@ profile cgrulesengd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/chage b/apparmor.d/profiles-a-f/chage index 21d41f149..3eaa0efb9 100644 --- a/apparmor.d/profiles-a-f/chage +++ b/apparmor.d/profiles-a-f/chage @@ -36,3 +36,5 @@ profile chage @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-a-f/changestool b/apparmor.d/profiles-a-f/changestool index 577e08395..9dd650d51 100644 --- a/apparmor.d/profiles-a-f/changestool +++ b/apparmor.d/profiles-a-f/changestool @@ -37,3 +37,5 @@ profile changestool @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/check-bios-nx b/apparmor.d/profiles-a-f/check-bios-nx index a2021522d..4873d3e06 100644 --- a/apparmor.d/profiles-a-f/check-bios-nx +++ b/apparmor.d/profiles-a-f/check-bios-nx @@ -47,3 +47,5 @@ profile check-bios-nx @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/check-support-status b/apparmor.d/profiles-a-f/check-support-status index e6c6a2e0a..bdd9719d3 100644 --- a/apparmor.d/profiles-a-f/check-support-status +++ b/apparmor.d/profiles-a-f/check-support-status @@ -79,3 +79,5 @@ profile check-support-status @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook index d10245d4c..e0c312423 100644 --- a/apparmor.d/profiles-a-f/check-support-status-hook +++ b/apparmor.d/profiles-a-f/check-support-status-hook @@ -128,3 +128,5 @@ profile check-support-status-hook @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/chfn b/apparmor.d/profiles-a-f/chfn index 1d6a56c5e..162a08b84 100644 --- a/apparmor.d/profiles-a-f/chfn +++ b/apparmor.d/profiles-a-f/chfn @@ -45,3 +45,5 @@ profile chfn @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/chpasswd b/apparmor.d/profiles-a-f/chpasswd index b0414fad0..1fd84f53c 100644 --- a/apparmor.d/profiles-a-f/chpasswd +++ b/apparmor.d/profiles-a-f/chpasswd @@ -31,3 +31,5 @@ profile chpasswd @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-a-f/chronyd b/apparmor.d/profiles-a-f/chronyd index ca1896015..5aa5c5ed2 100644 --- a/apparmor.d/profiles-a-f/chronyd +++ b/apparmor.d/profiles-a-f/chronyd @@ -60,4 +60,6 @@ profile chronyd @{exec_path} flags=(attach_disconnected) { /dev/rtc{,@{int}} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/profiles-a-f/chsh index 75f98c7c0..ffcdb5bdf 100644 --- a/apparmor.d/profiles-a-f/chsh +++ b/apparmor.d/profiles-a-f/chsh @@ -46,3 +46,5 @@ profile chsh @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index 885d16027..4de4543a4 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail @@ -70,3 +70,5 @@ profile claws-mail @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/code b/apparmor.d/profiles-a-f/code index 8dcd847df..393598746 100644 --- a/apparmor.d/profiles-a-f/code +++ b/apparmor.d/profiles-a-f/code @@ -101,3 +101,5 @@ profile code flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/code-extension-git-askpass b/apparmor.d/profiles-a-f/code-extension-git-askpass index 8b4196580..6954ca966 100644 --- a/apparmor.d/profiles-a-f/code-extension-git-askpass +++ b/apparmor.d/profiles-a-f/code-extension-git-askpass @@ -29,3 +29,5 @@ profile code-extension-git-askpass @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/code-extension-git-editor b/apparmor.d/profiles-a-f/code-extension-git-editor index 1708393d1..104e01281 100644 --- a/apparmor.d/profiles-a-f/code-extension-git-editor +++ b/apparmor.d/profiles-a-f/code-extension-git-editor 
@@ -20,4 +20,6 @@ profile code-extension-git-editor @{exec_path} { /dev/tty rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/code-wrapper b/apparmor.d/profiles-a-f/code-wrapper index e867892ab..707164b09 100644 --- a/apparmor.d/profiles-a-f/code-wrapper +++ b/apparmor.d/profiles-a-f/code-wrapper @@ -23,3 +23,5 @@ profile code-wrapper @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/compton b/apparmor.d/profiles-a-f/compton index 360957a7c..b27228807 100644 --- a/apparmor.d/profiles-a-f/compton +++ b/apparmor.d/profiles-a-f/compton @@ -25,3 +25,5 @@ profile compton @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/conky b/apparmor.d/profiles-a-f/conky index fa71598fc..1e1b10abc 100644 --- a/apparmor.d/profiles-a-f/conky +++ b/apparmor.d/profiles-a-f/conky @@ -204,3 +204,5 @@ profile conky @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup index a8bac3a11..d7b41ff20 100644 --- a/apparmor.d/profiles-a-f/console-setup +++ b/apparmor.d/profiles-a-f/console-setup @@ -18,4 +18,6 @@ profile console-setup @{exec_path} { @{run}/console-setup/boot_completed w, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/convertall b/apparmor.d/profiles-a-f/convertall index a1453d122..28a393470 100644 --- a/apparmor.d/profiles-a-f/convertall +++ b/apparmor.d/profiles-a-f/convertall @@ -41,3 +41,5 @@ profile convertall @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cppw-cpgr b/apparmor.d/profiles-a-f/cppw-cpgr index 1795b49d5..9e0aa0ad1 100644 --- a/apparmor.d/profiles-a-f/cppw-cpgr +++ b/apparmor.d/profiles-a-f/cppw-cpgr @@ -34,3 +34,5 @@ profile cppw-cpgr @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-a-f/cpuid b/apparmor.d/profiles-a-f/cpuid index 3c4f797e0..8df6f750e 100644 --- a/apparmor.d/profiles-a-f/cpuid +++ b/apparmor.d/profiles-a-f/cpuid @@ -21,3 +21,5 @@ profile cpuid @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cracklib-packer b/apparmor.d/profiles-a-f/cracklib-packer index 8cd26fff2..d29bfbbee 100644 --- a/apparmor.d/profiles-a-f/cracklib-packer +++ b/apparmor.d/profiles-a-f/cracklib-packer @@ -15,4 +15,6 @@ profile cracklib-packer @{exec_path} { owner /var/cache/cracklib/{,**} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/crda b/apparmor.d/profiles-a-f/crda index 41e816370..96fb4c706 100644 --- a/apparmor.d/profiles-a-f/crda +++ b/apparmor.d/profiles-a-f/crda @@ -18,3 +18,5 @@ profile crda @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-beh b/apparmor.d/profiles-a-f/cups-backend-beh index d3e7a4a7c..5945ac6ea 100644 --- a/apparmor.d/profiles-a-f/cups-backend-beh +++ b/apparmor.d/profiles-a-f/cups-backend-beh @@ -15,4 +15,6 @@ profile cups-backend-beh @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-bluetooth b/apparmor.d/profiles-a-f/cups-backend-bluetooth index 402c97f74..ba606c7ef 100644 --- a/apparmor.d/profiles-a-f/cups-backend-bluetooth +++ b/apparmor.d/profiles-a-f/cups-backend-bluetooth @@ -15,4 +15,6 @@ profile cups-backend-bluetooth @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-brf b/apparmor.d/profiles-a-f/cups-backend-brf index a0e46cf07..2ea66ba05 100644 --- a/apparmor.d/profiles-a-f/cups-backend-brf +++ b/apparmor.d/profiles-a-f/cups-backend-brf 
@@ -17,4 +17,6 @@ profile cups-backend-brf @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-dnssd b/apparmor.d/profiles-a-f/cups-backend-dnssd index e047682f0..0bb1a34d1 100644 --- a/apparmor.d/profiles-a-f/cups-backend-dnssd +++ b/apparmor.d/profiles-a-f/cups-backend-dnssd @@ -16,4 +16,6 @@ profile cups-backend-dnssd @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-hp b/apparmor.d/profiles-a-f/cups-backend-hp index 268ef4e96..f82ce7e0a 100644 --- a/apparmor.d/profiles-a-f/cups-backend-hp +++ b/apparmor.d/profiles-a-f/cups-backend-hp @@ -15,4 +15,6 @@ profile cups-backend-hp @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-implicitclass b/apparmor.d/profiles-a-f/cups-backend-implicitclass index 53dd31cea..6a50ec237 100644 --- a/apparmor.d/profiles-a-f/cups-backend-implicitclass +++ b/apparmor.d/profiles-a-f/cups-backend-implicitclass @@ -15,4 +15,6 @@ profile cups-backend-implicitclass @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-ipp b/apparmor.d/profiles-a-f/cups-backend-ipp index e20771d28..706e1a5ae 100644 --- a/apparmor.d/profiles-a-f/cups-backend-ipp +++ b/apparmor.d/profiles-a-f/cups-backend-ipp @@ -15,4 +15,6 @@ profile cups-backend-ipp @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-lpd b/apparmor.d/profiles-a-f/cups-backend-lpd index 198d8a561..077a913a0 100644 --- a/apparmor.d/profiles-a-f/cups-backend-lpd +++ b/apparmor.d/profiles-a-f/cups-backend-lpd 
@@ -15,4 +15,6 @@ profile cups-backend-lpd @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-mdns b/apparmor.d/profiles-a-f/cups-backend-mdns index 7945a8b5f..a520e9a19 100644 --- a/apparmor.d/profiles-a-f/cups-backend-mdns +++ b/apparmor.d/profiles-a-f/cups-backend-mdns @@ -15,4 +15,6 @@ profile cups-backend-mdns @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-parallel b/apparmor.d/profiles-a-f/cups-backend-parallel index 54eb3f307..fe2e752ef 100644 --- a/apparmor.d/profiles-a-f/cups-backend-parallel +++ b/apparmor.d/profiles-a-f/cups-backend-parallel @@ -15,4 +15,6 @@ profile cups-backend-parallel @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-pdf b/apparmor.d/profiles-a-f/cups-backend-pdf index 650b5f879..efbb2a85d 100644 --- a/apparmor.d/profiles-a-f/cups-backend-pdf +++ b/apparmor.d/profiles-a-f/cups-backend-pdf @@ -43,4 +43,6 @@ profile cups-backend-pdf @{exec_path} { /dev/tty rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-serial b/apparmor.d/profiles-a-f/cups-backend-serial index 1788cce1a..e2ec19bce 100644 --- a/apparmor.d/profiles-a-f/cups-backend-serial +++ b/apparmor.d/profiles-a-f/cups-backend-serial @@ -17,4 +17,6 @@ profile cups-backend-serial @{exec_path} { /dev/ttyS@{int} w, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-snmp b/apparmor.d/profiles-a-f/cups-backend-snmp index a11035efd..1532db04b 100644 --- a/apparmor.d/profiles-a-f/cups-backend-snmp +++ b/apparmor.d/profiles-a-f/cups-backend-snmp 
@@ -21,4 +21,6 @@ profile cups-backend-snmp @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-socket b/apparmor.d/profiles-a-f/cups-backend-socket index f65196454..338d2e2e6 100644 --- a/apparmor.d/profiles-a-f/cups-backend-socket +++ b/apparmor.d/profiles-a-f/cups-backend-socket @@ -15,4 +15,6 @@ profile cups-backend-socket @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-backend-usb b/apparmor.d/profiles-a-f/cups-backend-usb index ec059f654..e647939f4 100644 --- a/apparmor.d/profiles-a-f/cups-backend-usb +++ b/apparmor.d/profiles-a-f/cups-backend-usb @@ -23,4 +23,6 @@ profile cups-backend-usb @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-browsed b/apparmor.d/profiles-a-f/cups-browsed index 9a10d3de9..2abffbe16 100644 --- a/apparmor.d/profiles-a-f/cups-browsed +++ b/apparmor.d/profiles-a-f/cups-browsed @@ -52,3 +52,5 @@ profile cups-browsed @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-notifier-dbus b/apparmor.d/profiles-a-f/cups-notifier-dbus index 3fb7158e9..9632ca91d 100644 --- a/apparmor.d/profiles-a-f/cups-notifier-dbus +++ b/apparmor.d/profiles-a-f/cups-notifier-dbus @@ -11,17 +11,18 @@ profile cups-notifier-dbus @{exec_path} { include include include + include include signal (receive) set=(term) peer=cupsd, @{exec_path} mr, - /etc/cups/client.conf r, - owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw, owner @{tmp}/cups-dbus-notifier-lockfile rwk, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-notifier-mailto b/apparmor.d/profiles-a-f/cups-notifier-mailto index 7c7e79972..aad9f73c3 100644 
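Review bot: The cups-notifier-dbus hunk drops `owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw,` and keeps only the `@{tmp}/cups-dbus-notifier-lockfile rwk,` rule, so a cupsd whose TempDir still lives under /var/spool/cups/tmp would have its notifier's lock file denied; the removal is only safe if that path is confirmed unused on the supported distributions. The dropped `/etc/cups/client.conf r,` presumably moves into the newly added include (its name is not visible in this rendering), which is worth confirming before this lands, since the notifier cannot reach the server without it.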
--- a/apparmor.d/profiles-a-f/cups-notifier-mailto +++ b/apparmor.d/profiles-a-f/cups-notifier-mailto @@ -13,4 +13,6 @@ profile cups-notifier-mailto @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-notifier-rss b/apparmor.d/profiles-a-f/cups-notifier-rss index d00b3dd34..86dfecc9e 100644 --- a/apparmor.d/profiles-a-f/cups-notifier-rss +++ b/apparmor.d/profiles-a-f/cups-notifier-rss @@ -13,4 +13,6 @@ profile cups-notifier-rss @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism index e71c37fe1..7c67e3e6a 100644 --- a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism +++ b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism @@ -31,4 +31,6 @@ profile cups-pk-helper-mechanism @{exec_path} { @{run}/cups/cups.sock rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/profiles-a-f/cupsd index 13bcc3b8c..9511c7495 100644 --- a/apparmor.d/profiles-a-f/cupsd +++ b/apparmor.d/profiles-a-f/cupsd @@ -100,3 +100,5 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/czkawka-cli b/apparmor.d/profiles-a-f/czkawka-cli index cae6daa46..6ad4c553b 100644 --- a/apparmor.d/profiles-a-f/czkawka-cli +++ b/apparmor.d/profiles-a-f/czkawka-cli @@ -32,3 +32,5 @@ profile czkawka-cli @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/czkawka-gui b/apparmor.d/profiles-a-f/czkawka-gui index fb4fb601d..68a30c769 100644 --- a/apparmor.d/profiles-a-f/czkawka-gui +++ b/apparmor.d/profiles-a-f/czkawka-gui @@ -66,3 +66,5 @@ profile czkawka-gui @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-a-f/ddclient b/apparmor.d/profiles-a-f/ddclient index 96e02b281..000e61013 100644 --- a/apparmor.d/profiles-a-f/ddclient +++ b/apparmor.d/profiles-a-f/ddclient @@ -30,3 +30,5 @@ profile ddclient @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index 1f554c4c4..eaf12a933 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -107,3 +107,5 @@ profile deltachat-desktop @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 322df24e0..67e52b376 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -59,3 +59,5 @@ profile deluser @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/df b/apparmor.d/profiles-a-f/df index 67cba3931..18b3687e1 100644 --- a/apparmor.d/profiles-a-f/df +++ b/apparmor.d/profiles-a-f/df @@ -26,3 +26,5 @@ profile df @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dfc b/apparmor.d/profiles-a-f/dfc index d8451a4d9..b4ccf6743 100644 --- a/apparmor.d/profiles-a-f/dfc +++ b/apparmor.d/profiles-a-f/dfc @@ -25,3 +25,5 @@ profile dfc @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dhclient b/apparmor.d/profiles-a-f/dhclient index 5925c6381..20e45b87f 100644 --- a/apparmor.d/profiles-a-f/dhclient +++ b/apparmor.d/profiles-a-f/dhclient @@ -39,3 +39,5 @@ profile dhclient @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index 45faf18a7..4261a8be7 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script 
@@ -81,3 +81,5 @@ profile dhclient-script @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dig b/apparmor.d/profiles-a-f/dig index 8d3d1e7dc..87b80e3da 100644 --- a/apparmor.d/profiles-a-f/dig +++ b/apparmor.d/profiles-a-f/dig @@ -34,3 +34,5 @@ profile dig @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dino-im b/apparmor.d/profiles-a-f/dino-im index 4fce76bcf..f06989836 100644 --- a/apparmor.d/profiles-a-f/dino-im +++ b/apparmor.d/profiles-a-f/dino-im @@ -50,3 +50,5 @@ profile dino-im @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index d551bbfc7..90206b44c 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -119,3 +119,5 @@ profile dkms @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dkms-autoinstaller b/apparmor.d/profiles-a-f/dkms-autoinstaller index bf81fe314..f266791a1 100644 --- a/apparmor.d/profiles-a-f/dkms-autoinstaller +++ b/apparmor.d/profiles-a-f/dkms-autoinstaller @@ -46,3 +46,5 @@ profile dkms-autoinstaller @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dleyna-renderer-service b/apparmor.d/profiles-a-f/dleyna-renderer-service index 3fb0d800e..d56098048 100644 --- a/apparmor.d/profiles-a-f/dleyna-renderer-service +++ b/apparmor.d/profiles-a-f/dleyna-renderer-service @@ -23,4 +23,6 @@ profile dleyna-renderer-service @{exec_path} { owner @{user_config_dirs}/dleyna-renderer-service.conf rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dleyna-server-service b/apparmor.d/profiles-a-f/dleyna-server-service index bd74802f7..f41d250f6 100644 --- a/apparmor.d/profiles-a-f/dleyna-server-service +++ b/apparmor.d/profiles-a-f/dleyna-server-service 
@@ -25,4 +25,6 @@ profile dleyna-server-service @{exec_path} { owner @{user_config_dirs}/dleyna-server-service.conf w, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dlocate b/apparmor.d/profiles-a-f/dlocate index 95ed3f08b..e17a72c84 100644 --- a/apparmor.d/profiles-a-f/dlocate +++ b/apparmor.d/profiles-a-f/dlocate @@ -63,3 +63,5 @@ profile dlocate @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dmcrypt-get-device b/apparmor.d/profiles-a-f/dmcrypt-get-device index 11364c40c..2fa3fc6a9 100644 --- a/apparmor.d/profiles-a-f/dmcrypt-get-device +++ b/apparmor.d/profiles-a-f/dmcrypt-get-device @@ -24,3 +24,5 @@ profile dmcrypt-get-device @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dmesg b/apparmor.d/profiles-a-f/dmesg index 85943afa7..6dcd5cbb8 100644 --- a/apparmor.d/profiles-a-f/dmesg +++ b/apparmor.d/profiles-a-f/dmesg @@ -12,8 +12,8 @@ profile dmesg @{exec_path} { include include - capability syslog, capability dac_read_search, + capability syslog, @{exec_path} mr, @@ -28,8 +28,13 @@ profile dmesg @{exec_path} { /dev/kmsg r, - deny /{usr/,}local/bin/ r, deny @{bin}/{,*/} r, + deny /{usr/,}local/{,s}bin/ r, + deny /var/lib/flatpak/exports/bin/ r, + deny @{HOME}/.go/bin/ r, + deny @{user_bin_dirs}/ r, include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dmeventd b/apparmor.d/profiles-a-f/dmeventd index 952379e64..2d904eec0 100644 --- a/apparmor.d/profiles-a-f/dmeventd +++ b/apparmor.d/profiles-a-f/dmeventd @@ -14,3 +14,5 @@ profile dmeventd @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dmidecode b/apparmor.d/profiles-a-f/dmidecode index d2200c256..061bc40ac 100644 --- a/apparmor.d/profiles-a-f/dmidecode +++ b/apparmor.d/profiles-a-f/dmidecode 
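Review bot: The four new `deny ... r,` rules for executable directories in the second dmesg hunk carry no comment saying why dmesg opens them at all, so the next maintainer cannot tell whether this silences harmless lookup noise or blocks an access the tool actually needs. If it is noise, a one-line comment above the block, e.g. `# Silence noise from directory listing of executable dirs (no access needed)`, records that. `deny @{HOME}/.go/bin/ r,` hard-codes one user directory right next to the `@{user_bin_dirs}/` tunable; if `.go/bin` is a recurring user bin location, folding it into that tunable keeps the list in one place rather than per profile.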
@@ -22,3 +22,5 @@ profile dmidecode @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dnscrypt-proxy b/apparmor.d/profiles-a-f/dnscrypt-proxy index de1597160..03d47e395 100644 --- a/apparmor.d/profiles-a-f/dnscrypt-proxy +++ b/apparmor.d/profiles-a-f/dnscrypt-proxy @@ -56,3 +56,5 @@ profile dnscrypt-proxy @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/downloadhelper b/apparmor.d/profiles-a-f/downloadhelper index af3bc6f99..05b4085b3 100644 --- a/apparmor.d/profiles-a-f/downloadhelper +++ b/apparmor.d/profiles-a-f/downloadhelper @@ -42,4 +42,6 @@ profile downloadhelper @{exec_path} { deny @{user_share_dirs}/gvfs-metadata/* r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dring b/apparmor.d/profiles-a-f/dring index c5b6742f4..8d0045030 100644 --- a/apparmor.d/profiles-a-f/dring +++ b/apparmor.d/profiles-a-f/dring @@ -36,3 +36,5 @@ profile dring @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dumpcap b/apparmor.d/profiles-a-f/dumpcap index 7013ff532..e03ad1742 100644 --- a/apparmor.d/profiles-a-f/dumpcap +++ b/apparmor.d/profiles-a-f/dumpcap @@ -54,3 +54,5 @@ profile dumpcap @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs index 1595d0f7d..725f725c5 100644 --- a/apparmor.d/profiles-a-f/dumpe2fs +++ b/apparmor.d/profiles-a-f/dumpe2fs @@ -25,3 +25,5 @@ profile dumpe2fs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dunst b/apparmor.d/profiles-a-f/dunst index debb3bbe6..8fb895029 100644 --- a/apparmor.d/profiles-a-f/dunst +++ b/apparmor.d/profiles-a-f/dunst @@ -23,3 +23,5 @@ profile dunst @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-a-f/dunstctl b/apparmor.d/profiles-a-f/dunstctl index 052647fde..42276c6c6 100644 --- a/apparmor.d/profiles-a-f/dunstctl +++ b/apparmor.d/profiles-a-f/dunstctl @@ -23,3 +23,5 @@ profile dunstctl @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dunstify b/apparmor.d/profiles-a-f/dunstify index 22b36527d..3a8f16c2f 100644 --- a/apparmor.d/profiles-a-f/dunstify +++ b/apparmor.d/profiles-a-f/dunstify @@ -18,3 +18,5 @@ profile dunstify @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/e2fsck b/apparmor.d/profiles-a-f/e2fsck index 7e5c95c2f..8ce1ed3c7 100644 --- a/apparmor.d/profiles-a-f/e2fsck +++ b/apparmor.d/profiles-a-f/e2fsck @@ -39,3 +39,5 @@ profile e2fsck @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/e2image b/apparmor.d/profiles-a-f/e2image index 5948a831f..ccb4cc5a4 100644 --- a/apparmor.d/profiles-a-f/e2image +++ b/apparmor.d/profiles-a-f/e2image @@ -23,3 +23,5 @@ profile e2image @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/e2scrub_all b/apparmor.d/profiles-a-f/e2scrub_all index be21cded0..de648cac2 100644 --- a/apparmor.d/profiles-a-f/e2scrub_all +++ b/apparmor.d/profiles-a-f/e2scrub_all @@ -25,4 +25,6 @@ profile e2scrub_all @{exec_path} flags=(attach_disconnected) { /dev/tty rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/edid-decode b/apparmor.d/profiles-a-f/edid-decode index 8543b6412..8925e5e2d 100644 --- a/apparmor.d/profiles-a-f/edid-decode +++ b/apparmor.d/profiles-a-f/edid-decode @@ -17,3 +17,5 @@ profile edid-decode @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/eject b/apparmor.d/profiles-a-f/eject index 83942708a..bd467c2be 100644 --- a/apparmor.d/profiles-a-f/eject +++ b/apparmor.d/profiles-a-f/eject 
@@ -30,3 +30,5 @@ profile eject @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index a2eff5a44..1dd15b4b9 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -46,4 +46,6 @@ profile element-desktop @{exec_path} { deny /var/lib/dbus/machine-id r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/elinks b/apparmor.d/profiles-a-f/elinks new file mode 100644 index 000000000..d926271f5 --- /dev/null +++ b/apparmor.d/profiles-a-f/elinks @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/elinks +profile elinks @{exec_path} { + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + + @{exec_path} mr, + + owner @{user_config_dirs}/elinks/{,**} rw, + + include if exists +} diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index d76f5c1de..78fa87937 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -92,3 +92,5 @@ profile engrampa @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper index f96fe8f34..6f10293c7 100644 --- a/apparmor.d/profiles-a-f/etckeeper +++ b/apparmor.d/profiles-a-f/etckeeper @@ -76,4 +76,6 @@ profile etckeeper @{exec_path} { } include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 266a7566d..73d73eb02 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince 
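Review bot: The new elinks profile ends at `}` without the `# vim:syntax=apparmor` modeline that every other file in this commit gains, so it is inconsistent on the day it is added; append the blank line and `# vim:syntax=apparmor` after the closing brace. The profile is enforced (no `flags=(complain)`) while it only grants `owner @{user_config_dirs}/elinks/{,**} rw,` beyond its includes, so saving a page or downloading a file into the home directory will presumably be denied unless one of the included abstractions covers it (their names are stripped in this rendering). Either add the intended download rule or start the profile in complain mode, as `claws-mail` and `execute-dcut` elsewhere in this diff do.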
@@ -65,3 +65,5 @@ profile evince @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/evince-previewer b/apparmor.d/profiles-a-f/evince-previewer index 3a792e662..7a2b939a6 100644 --- a/apparmor.d/profiles-a-f/evince-previewer +++ b/apparmor.d/profiles-a-f/evince-previewer @@ -18,4 +18,6 @@ profile evince-previewer @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/evince-thumbnailer b/apparmor.d/profiles-a-f/evince-thumbnailer index 6faf30098..d4e63c924 100644 --- a/apparmor.d/profiles-a-f/evince-thumbnailer +++ b/apparmor.d/profiles-a-f/evince-thumbnailer @@ -19,4 +19,6 @@ profile evince-thumbnailer @{exec_path} flags=(attach_disconnected) { owner @{tmp}/gnome-desktop-thumbnailer.png w, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/execute-dcut b/apparmor.d/profiles-a-f/execute-dcut index b8c4f43b9..9f03de7fc 100644 --- a/apparmor.d/profiles-a-f/execute-dcut +++ b/apparmor.d/profiles-a-f/execute-dcut @@ -17,3 +17,5 @@ profile execute-dcut @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/execute-dput b/apparmor.d/profiles-a-f/execute-dput index 9700aae9e..10edc6164 100644 --- a/apparmor.d/profiles-a-f/execute-dput +++ b/apparmor.d/profiles-a-f/execute-dput @@ -50,3 +50,5 @@ profile execute-dput @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/exiftool b/apparmor.d/profiles-a-f/exiftool index c21f991c8..23aac34d4 100644 --- a/apparmor.d/profiles-a-f/exiftool +++ b/apparmor.d/profiles-a-f/exiftool @@ -16,3 +16,5 @@ profile exiftool @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/exim4 b/apparmor.d/profiles-a-f/exim4 index 5a8badc50..3dae4cae6 100644 --- a/apparmor.d/profiles-a-f/exim4 
+++ b/apparmor.d/profiles-a-f/exim4 @@ -59,3 +59,5 @@ profile exim4 @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/exo-compose-mail b/apparmor.d/profiles-a-f/exo-compose-mail index edc88b0dd..990c67b85 100644 --- a/apparmor.d/profiles-a-f/exo-compose-mail +++ b/apparmor.d/profiles-a-f/exo-compose-mail @@ -22,3 +22,5 @@ profile exo-compose-mail @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/exo-helper b/apparmor.d/profiles-a-f/exo-helper index 378ac1ae8..af38a5fa3 100644 --- a/apparmor.d/profiles-a-f/exo-helper +++ b/apparmor.d/profiles-a-f/exo-helper @@ -53,3 +53,5 @@ profile exo-helper @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/exo-open b/apparmor.d/profiles-a-f/exo-open index ebdf097a2..7d265e566 100644 --- a/apparmor.d/profiles-a-f/exo-open +++ b/apparmor.d/profiles-a-f/exo-open @@ -31,3 +31,5 @@ profile exo-open @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/f3brew b/apparmor.d/profiles-a-f/f3brew index b1ad450af..8572f369c 100644 --- a/apparmor.d/profiles-a-f/f3brew +++ b/apparmor.d/profiles-a-f/f3brew @@ -16,3 +16,5 @@ profile f3brew @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/f3fix b/apparmor.d/profiles-a-f/f3fix index f31f6cfe3..a5d327e72 100644 --- a/apparmor.d/profiles-a-f/f3fix +++ b/apparmor.d/profiles-a-f/f3fix 
@@ -12,53 +12,33 @@ profile f3fix @{exec_path} { include include - # To remove the following errors: - # Error: Partition(s) * on /dev/sdb have been written, but we have been unable to inform the - # kernel of the change, probably because it/they are in use. As a result, the old partition(s) - # will remain in use. You should reboot now before making further changes. capability sys_admin, - - # Needed? (##FIXME##) capability sys_rawio, - # Needed? - ptrace (read), + ptrace read, @{exec_path} mr, - @{sh_path} rix, + @{sh_path} rix, @{bin}/dmidecode rPx, + @{bin}/udevadm rCx -> udevadm, - @{bin}/udevadm rCx -> udevadm, - - owner @{PROC}/@{pid}/mounts r, @{PROC}/swaps r, + owner @{PROC}/@{pid}/mounts r, profile udevadm { include + include + include - ptrace (read), - - @{bin}/udevadm mr, - - /etc/udev/udev.conf r, - - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/cgroup r, - @{PROC}/cmdline r, - @{PROC}/1/sched r, - @{PROC}/1/environ r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/random/boot_id r, - - @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, - - # file_inherit - /dev/sd[a-z]* rw, + ptrace read, + include if exists } include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/f3probe b/apparmor.d/profiles-a-f/f3probe index 684901944..c7843c91f 100644 --- a/apparmor.d/profiles-a-f/f3probe +++ b/apparmor.d/profiles-a-f/f3probe @@ -17,3 +17,5 @@ profile f3probe @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/f3read b/apparmor.d/profiles-a-f/f3read index 03b9e1a13..a25e7e0cc 100644 --- a/apparmor.d/profiles-a-f/f3read +++ b/apparmor.d/profiles-a-f/f3read @@ -26,3 +26,5 @@ profile f3read @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/f3write b/apparmor.d/profiles-a-f/f3write index 4c3a67047..25282dff8 100644 --- a/apparmor.d/profiles-a-f/f3write +++ b/apparmor.d/profiles-a-f/f3write 
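Review bot: Deleting the comment block above `capability sys_admin,` and the `# Needed? (##FIXME##)` above `capability sys_rawio,` removes the only recorded rationale for two of the broadest capabilities a profile can grant, and the open question about sys_rawio is dropped rather than answered. Keep a one-line why-comment on each, e.g. `# sys_admin: needed to inform the kernel of the rewritten partition table` and `# sys_rawio: TODO confirm still needed (was marked ##FIXME##)`, so the grant stays reviewable. In the `udevadm` child profile the explicit rules, including the `# file_inherit` rule `/dev/sd[a-z]* rw,`, are replaced by includes whose names are not visible here; if the inherited block-device descriptor is not covered by one of them, udevadm will now log denials on the device f3fix is operating on. The fatresize hunk further down makes the identical change (there the dropped rule is `/dev/{s,v}d[a-z]* rw,` and the deleted comment names the `BLKFLSBUF` ioctl as the sys_admin trigger) and has the same two issues.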
@@ -30,3 +30,5 @@ profile f3write @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fail2ban-client b/apparmor.d/profiles-a-f/fail2ban-client index 11d38537d..23fd61125 100644 --- a/apparmor.d/profiles-a-f/fail2ban-client +++ b/apparmor.d/profiles-a-f/fail2ban-client @@ -20,4 +20,6 @@ profile fail2ban-client @{exec_path} flags=(attach_disconnected) { /etc/fail2ban/{,**} r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index f023a04b3..2706c8e43 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -39,4 +39,6 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fatlabel b/apparmor.d/profiles-a-f/fatlabel index fb65aa386..df95d83c0 100644 --- a/apparmor.d/profiles-a-f/fatlabel +++ b/apparmor.d/profiles-a-f/fatlabel @@ -16,3 +16,5 @@ profile fatlabel @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fatresize b/apparmor.d/profiles-a-f/fatresize index 08d5124ae..b94e0e49c 100644 --- a/apparmor.d/profiles-a-f/fatresize +++ b/apparmor.d/profiles-a-f/fatresize 
@@ -12,51 +12,30 @@ profile fatresize @{exec_path} { include include - # Needed to inform the system of newly created/removed partitions - # ioctl(3, BLKFLSBUF) = -1 EACCES (Permission denied) capability sys_admin, - - # Needed? (##FIXME##) capability sys_rawio, - # Needed? - ptrace (read), + ptrace read, @{exec_path} mr, - @{sh_path} rix, + @{sh_path} rix, @{bin}/dmidecode rPx, + @{bin}/udevadm rCx -> udevadm, - @{bin}/udevadm rCx -> udevadm, - - owner @{PROC}/@{pid}/mounts r, @{PROC}/swaps r, - + owner @{PROC}/@{pid}/mounts r, profile udevadm { include + include + include - ptrace (read), - - @{bin}/udevadm mr, - - /etc/udev/udev.conf r, - - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/cgroup r, - @{PROC}/cmdline r, - @{PROC}/1/sched r, - @{PROC}/1/environ r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/random/boot_id r, - - @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, - - # file_inherit - /dev/{s,v}d[a-z]* rw, - + include if exists } include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fdisk b/apparmor.d/profiles-a-f/fdisk index cfc99a31a..815e3bc76 100644 --- a/apparmor.d/profiles-a-f/fdisk +++ b/apparmor.d/profiles-a-f/fdisk @@ -35,3 +35,5 @@ profile fdisk @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/ffmpeg b/apparmor.d/profiles-a-f/ffmpeg index 3bc1fecfb..864becf32 100644 --- a/apparmor.d/profiles-a-f/ffmpeg +++ b/apparmor.d/profiles-a-f/ffmpeg @@ -40,3 +40,5 @@ profile ffmpeg @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/ffmpegthumbnailer b/apparmor.d/profiles-a-f/ffmpegthumbnailer new file mode 100644 index 000000000..34d37e759 --- /dev/null +++ b/apparmor.d/profiles-a-f/ffmpegthumbnailer 
@@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ffmpegthumbnailer +profile ffmpegthumbnailer @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} diff --git a/apparmor.d/profiles-a-f/ffplay b/apparmor.d/profiles-a-f/ffplay index 528ebb6f2..0615d1042 100644 --- a/apparmor.d/profiles-a-f/ffplay +++ b/apparmor.d/profiles-a-f/ffplay @@ -34,3 +34,5 @@ profile ffplay @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/ffprobe b/apparmor.d/profiles-a-f/ffprobe index 97400e7b2..f5448d7ef 100644 --- a/apparmor.d/profiles-a-f/ffprobe +++ b/apparmor.d/profiles-a-f/ffprobe @@ -24,3 +24,5 @@ profile ffprobe @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index de0479a3b..4e432e2f1 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -42,4 +42,6 @@ profile file-roller @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/filecap b/apparmor.d/profiles-a-f/filecap index 65c83bf90..afad4070c 100644 --- a/apparmor.d/profiles-a-f/filecap +++ b/apparmor.d/profiles-a-f/filecap @@ -29,3 +29,5 @@ profile filecap @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/findmnt b/apparmor.d/profiles-a-f/findmnt index 663e40251..7fb7c9e1b 100644 --- a/apparmor.d/profiles-a-f/findmnt +++ b/apparmor.d/profiles-a-f/findmnt @@ -14,6 +14,7 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) { include capability dac_read_search, + capability sys_rawio, @{exec_path} mr, 
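Review bot: The new ffmpegthumbnailer profile grants only `@{exec_path} mr,` and no file rules for the media it reads or the image it writes; unless the two includes (their targets are not visible in this rendering) already cover user media and output locations, every invocation will be denied on its input and output files. If the includes do cover them, a short comment above `@{exec_path} mr,` saying which include provides the media access would save the next reviewer the same question; if they do not, the profile needs an `owner` read rule for the source media and an `owner` write rule for the thumbnail path before it can be shipped in enforce mode.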
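Review bot: `capability sys_rawio,` is added to the findmnt profile without a comment recording which operation triggered it; `sys_rawio` is a broad capability (raw block-device and port I/O) that a mount-table listing tool should not normally need. If it came from a denial while findmnt probes a device through libblkid, record that above the rule, e.g. `# Needed by libblkid when probing block devices (observed as a denial in the audit log)`, so the grant can be re-evaluated when the profile leaves complain mode. The rest of the findmnt profile is outside this hunk.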
@@ -26,4 +27,6 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) { deny unix (receive) type=stream, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg index deacc3e77..c470d068a 100644 --- a/apparmor.d/profiles-a-f/firecfg +++ b/apparmor.d/profiles-a-f/firecfg @@ -39,3 +39,5 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld index 4e40ab10b..143719f0d 100644 --- a/apparmor.d/profiles-a-f/firewalld +++ b/apparmor.d/profiles-a-f/firewalld @@ -77,4 +77,6 @@ profile firewalld @{exec_path} { owner @{PROC}/@{pids}/net/ip_tables_names r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/flameshot b/apparmor.d/profiles-a-f/flameshot index 4d5c83fa9..877e42912 100644 --- a/apparmor.d/profiles-a-f/flameshot +++ b/apparmor.d/profiles-a-f/flameshot @@ -58,3 +58,5 @@ profile flameshot @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak index 81b60a200..4d3220a08 100644 --- a/apparmor.d/profiles-a-f/flatpak +++ b/apparmor.d/profiles-a-f/flatpak @@ -136,3 +136,5 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app index 9d06b4595..41d72d143 100644 --- a/apparmor.d/profiles-a-f/flatpak-app +++ b/apparmor.d/profiles-a-f/flatpak-app @@ -78,7 +78,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/{,**} r, /var/lib/flatpak/exports/** rw, - /var/tmp/etilqs_@{hex} rw, + /var/tmp/etilqs_@{hex16} rw, @{run}/.userns r, @{run}/parent/** r, 
@@ -94,3 +94,5 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { include if exists include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/flatpak-oci-authenticator b/apparmor.d/profiles-a-f/flatpak-oci-authenticator index e01ee3c4f..9b379b55d 100644 --- a/apparmor.d/profiles-a-f/flatpak-oci-authenticator +++ b/apparmor.d/profiles-a-f/flatpak-oci-authenticator @@ -16,4 +16,6 @@ profile flatpak-oci-authenticator @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/flatpak-portal b/apparmor.d/profiles-a-f/flatpak-portal index d82c38653..570a3ea8c 100644 --- a/apparmor.d/profiles-a-f/flatpak-portal +++ b/apparmor.d/profiles-a-f/flatpak-portal @@ -34,6 +34,9 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { / r, /.flatpak-info r, + owner @{HOME}/.var/app/*/**/.ref rw, + owner @{HOME}/.var/app/*/**/logs/* rw, + owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_share_dirs}/mime/mime.cache r, @@ -41,4 +44,6 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/.flatpak/@{int}-private/* r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/profiles-a-f/flatpak-session-helper index 967787b3d..d27d0c24a 100644 --- a/apparmor.d/profiles-a-f/flatpak-session-helper +++ b/apparmor.d/profiles-a-f/flatpak-session-helper @@ -45,4 +45,6 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { /dev/ptmx rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper index cb49cd9d7..81a1231cb 100644 --- a/apparmor.d/profiles-a-f/flatpak-system-helper +++ b/apparmor.d/profiles-a-f/flatpak-system-helper 
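Review bot: The two added flatpak-portal rules use `**` under `@{HOME}/.var/app/*/`, so `.ref` and `logs/*` are granted read-write at any depth inside every app's data directory; if these files only appear at a fixed place in the per-app tree, anchoring the rule there (for example `owner @{HOME}/.var/app/*/.ref rw,`) keeps the grant to what the portal actually touches. I cannot confirm the layout from this hunk, so a comment naming the flatpak operation that creates them would help whoever revisits the rule. The enclosing flatpak-portal profile starts and ends outside the hunk.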
@@ -73,3 +73,5 @@ profile flatpak-system-helper @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/flatpak-validate-icon b/apparmor.d/profiles-a-f/flatpak-validate-icon index c5ca0488f..7669bb1e6 100644 --- a/apparmor.d/profiles-a-f/flatpak-validate-icon +++ b/apparmor.d/profiles-a-f/flatpak-validate-icon @@ -13,4 +13,6 @@ profile flatpak-validate-icon @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index dedf342e4..8498285d1 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -68,4 +68,6 @@ profile foliate @{exec_path} flags=(attach_disconnected) { deny @{user_share_dirs}/gvfs-metadata/* r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager index 2082dcfaa..6d7096ad7 100644 --- a/apparmor.d/profiles-a-f/font-manager +++ b/apparmor.d/profiles-a-f/font-manager @@ -62,3 +62,5 @@ profile font-manager @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fping b/apparmor.d/profiles-a-f/fping index 5b9efa624..5d30e4522 100644 --- a/apparmor.d/profiles-a-f/fping +++ b/apparmor.d/profiles-a-f/fping @@ -26,3 +26,5 @@ profile fping @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 2fc866c6b..d856867a3 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -37,3 +37,5 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 5e7d3d3b4..c6355c2ff 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal 
@@ -40,4 +40,6 @@ profile fractal @{exec_path} flags=(attach_disconnected) { /dev/ r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/freefall b/apparmor.d/profiles-a-f/freefall index 638baa825..0499beb0a 100644 --- a/apparmor.d/profiles-a-f/freefall +++ b/apparmor.d/profiles-a-f/freefall @@ -25,3 +25,5 @@ profile freefall @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fritzing b/apparmor.d/profiles-a-f/fritzing index e1ddc2f2b..3e3dde2e9 100644 --- a/apparmor.d/profiles-a-f/fritzing +++ b/apparmor.d/profiles-a-f/fritzing @@ -68,3 +68,5 @@ profile fritzing @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend index 664b43b40..eb90c18d6 100644 --- a/apparmor.d/profiles-a-f/frontend +++ b/apparmor.d/profiles-a-f/frontend @@ -125,3 +125,5 @@ profile frontend @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/profiles-a-f/fsck index 6341954ae..d04b32e96 100644 --- a/apparmor.d/profiles-a-f/fsck +++ b/apparmor.d/profiles-a-f/fsck @@ -40,3 +40,5 @@ profile fsck @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fsck.btrfs b/apparmor.d/profiles-a-f/fsck.btrfs index 7142f9cf1..470b5a3d3 100644 --- a/apparmor.d/profiles-a-f/fsck.btrfs +++ b/apparmor.d/profiles-a-f/fsck.btrfs @@ -19,3 +19,5 @@ profile fsck.btrfs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fsck.fat b/apparmor.d/profiles-a-f/fsck.fat index 6b5567d7d..c188574ee 100644 --- a/apparmor.d/profiles-a-f/fsck.fat +++ b/apparmor.d/profiles-a-f/fsck.fat @@ -22,3 +22,5 @@ profile fsck.fat @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-a-f/fuse-overlayfs b/apparmor.d/profiles-a-f/fuse-overlayfs index fb957c462..643371c60 100644 --- a/apparmor.d/profiles-a-f/fuse-overlayfs +++ b/apparmor.d/profiles-a-f/fuse-overlayfs @@ -28,4 +28,6 @@ profile fuse-overlayfs @{exec_path} { /dev/fuse rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fuseiso b/apparmor.d/profiles-a-f/fuseiso index 01893d9c0..e4d6cfd99 100644 --- a/apparmor.d/profiles-a-f/fuseiso +++ b/apparmor.d/profiles-a-f/fuseiso @@ -62,3 +62,5 @@ profile fuseiso @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount index 83d8e8092..6774ffa96 100644 --- a/apparmor.d/profiles-a-f/fusermount +++ b/apparmor.d/profiles-a-f/fusermount @@ -55,3 +55,5 @@ profile fusermount @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 57e006500..316f6ebdd 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -65,7 +65,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { /var/lib/flatpak/exports/share/mime/mime.cache r, /var/lib/fwupd/{,**} rw, /var/lib/fwupd/pending.db rwk, - /var/tmp/etilqs_@{hex} rw, + /var/tmp/etilqs_@{hex16} rw, /boot/{,**} r, /boot/EFI/*/.goutputstream-@{rand6} rw, @@ -148,3 +148,5 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 7315c550f..6064c0ff1 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -66,3 +66,5 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index 361f6c7c0..5888743ef 100644 
--- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -138,3 +138,5 @@ profile gajim @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/ganyremote b/apparmor.d/profiles-g-l/ganyremote index 36cb8f90b..7db7a5cb8 100644 --- a/apparmor.d/profiles-g-l/ganyremote +++ b/apparmor.d/profiles-g-l/ganyremote @@ -94,3 +94,5 @@ profile ganyremote @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gconfd b/apparmor.d/profiles-g-l/gconfd index 03544d354..5dffe8a0c 100644 --- a/apparmor.d/profiles-g-l/gconfd +++ b/apparmor.d/profiles-g-l/gconfd @@ -22,3 +22,5 @@ profile gconfd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gdisk b/apparmor.d/profiles-g-l/gdisk index 13cf3e41e..8c3662ba1 100644 --- a/apparmor.d/profiles-g-l/gdisk +++ b/apparmor.d/profiles-g-l/gdisk @@ -32,3 +32,5 @@ profile gdisk @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders index cce69937f..a01425bb9 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders @@ -24,4 +24,6 @@ profile gdk-pixbuf-query-loaders @{exec_path} { /usr/share/gvfs/remote-volume-monitors/{,**} r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/ghc-pkg b/apparmor.d/profiles-g-l/ghc-pkg index f4518370e..8fdffbf87 100644 --- a/apparmor.d/profiles-g-l/ghc-pkg +++ b/apparmor.d/profiles-g-l/ghc-pkg @@ -27,4 +27,6 @@ profile ghc-pkg @{exec_path} { @{sys}/devices/system/node/ r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gio-querymodules b/apparmor.d/profiles-g-l/gio-querymodules index a8ba53f4f..3520ec06e 100644 --- a/apparmor.d/profiles-g-l/gio-querymodules 
+++ b/apparmor.d/profiles-g-l/gio-querymodules @@ -22,4 +22,6 @@ profile gio-querymodules @{exec_path} flags=(attach_disconnected) { deny network inet6 stream, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 0944759cf..c92f18656 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -180,3 +180,5 @@ profile git @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index f0b837c6a..da5566f9f 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -25,3 +25,5 @@ profile gitstatusd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/glib-compile-resources b/apparmor.d/profiles-g-l/glib-compile-resources index 6062bbff2..45e787840 100644 --- a/apparmor.d/profiles-g-l/glib-compile-resources +++ b/apparmor.d/profiles-g-l/glib-compile-resources @@ -20,3 +20,5 @@ profile glib-compile-resources @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas index 476b4ebfc..a9004c22f 100644 --- a/apparmor.d/profiles-g-l/glib-compile-schemas +++ b/apparmor.d/profiles-g-l/glib-compile-schemas @@ -29,3 +29,5 @@ profile glib-compile-schemas @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/glib-pacrunner b/apparmor.d/profiles-g-l/glib-pacrunner index 13ae9222f..e3dfec88c 100644 --- a/apparmor.d/profiles-g-l/glib-pacrunner +++ b/apparmor.d/profiles-g-l/glib-pacrunner @@ -28,3 +28,5 @@ profile glib-pacrunner @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/globaltime b/apparmor.d/profiles-g-l/globaltime index 4d3027ac0..566f58ee3 100644 --- a/apparmor.d/profiles-g-l/globaltime 
+++ b/apparmor.d/profiles-g-l/globaltime @@ -25,3 +25,5 @@ profile globaltime @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/glxgears b/apparmor.d/profiles-g-l/glxgears index 321aaa702..9ad458720 100644 --- a/apparmor.d/profiles-g-l/glxgears +++ b/apparmor.d/profiles-g-l/glxgears @@ -28,3 +28,5 @@ profile glxgears @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/glxinfo b/apparmor.d/profiles-g-l/glxinfo index a13a22e7eb..7defbaf80 100644 --- a/apparmor.d/profiles-g-l/glxinfo +++ b/apparmor.d/profiles-g-l/glxinfo @@ -21,3 +21,5 @@ profile glxinfo @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gpa b/apparmor.d/profiles-g-l/gpa index 566bd7815..9ed18534e 100644 --- a/apparmor.d/profiles-g-l/gpa +++ b/apparmor.d/profiles-g-l/gpa @@ -53,3 +53,5 @@ profile gpa @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted index 1e6be52c8..f225b5c06 100644 --- a/apparmor.d/profiles-g-l/gparted +++ b/apparmor.d/profiles-g-l/gparted @@ -60,16 +60,10 @@ profile gparted @{exec_path} { profile udevadm { include - include + include - @{bin}/udevadm mr, - - /etc/udev/udev.conf r, - - @{sys}/** r, @{sys}/devices/virtual/block/**/uevent rw, @{sys}/devices/@{pci}/block/**/uevent rw, - @{run}/udev/data/* r, include if exists } @@ -104,3 +98,5 @@ profile gparted @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index ede60499d..b60e386bb 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin 
@@ -7,30 +7,26 @@ abi , include -@{exec_path} = @{bin}/gpartedbin -@{exec_path} += @{lib}/gpartedbin -@{exec_path} += @{lib}/gparted/gpartedbin +@{exec_path} = @{bin}/gpartedbin @{lib}/{,gparted/}gpartedbin profile gpartedbin @{exec_path} { include include + include include include - include - include - include capability dac_read_search, capability ipc_lock, capability sys_admin, capability sys_rawio, - ptrace (read), + ptrace read, - signal (send) peer=mke2fs, + signal send peer=mke2fs, @{exec_path} mr, - @{sh_path} rix, + @{sh_path} rix, @{bin}/blkid rPx, @{bin}/dmidecode rPx, @@ -84,29 +80,21 @@ profile gpartedbin @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - /dev/mapper/control rw, - profile mount { include + include capability sys_admin, - mount /dev/{s,v}d[a-z]*[0-9]* -> /tmp/gparted-*/, + mount /dev/{s,v}d[a-z]*@{int} -> /tmp/gparted-*/, - mount /dev/{s,v}d[a-z]*[0-9]* -> /boot/, - mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/, - mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, + mount /dev/{s,v}d[a-z]*@{int} -> /boot/, + mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/, + mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/*/, @{bin}/mount mr, - @{sys}/devices/@{pci}/block/{s,v}d[a-z]/ r, - @{sys}/devices/@{pci}/block/{s,v}d[a-z]/dev r, - @{sys}/devices/@{pci}/block/{s,v}d[a-z]/{s,v}d[a-z][0-9]*/ r, - @{sys}/devices/@{pci}/block/{s,v}d[a-z]/{s,v}d[a-z][0-9]*/{start,size} r, - - /dev/{s,v}d[a-z]* r, - /dev/{s,v}d[a-z]*[0-9]* r, - + include if exists } profile umount { 
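Review bot: `/dev/mapper/control rw,` is removed from the parent gpartedbin profile in this hunk (and from the udevadm subprofile in the next one) while the replacement include's target is not visible in this rendering; if that include does not grant it, libparted's device-mapper operations on LVM- or LUKS-backed volumes will be denied. Please confirm the include covers it, or keep the rule with a comment such as `# Needed for device-mapper (LVM, LUKS) volumes`. The mount rules still target a literal `/tmp/gparted-*/` while other profiles in this same diff use `@{tmp}`; if `@{tmp}` resolves to `/tmp` in this tree, `mount /dev/{s,v}d[a-z]*@{int} -> @{tmp}/gparted-*/,` keeps them consistent. The enclosing gpartedbin profile starts outside this hunk.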
@@ -128,29 +116,18 @@ profile gpartedbin @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, + include if exists } profile udevadm { include + include include - ptrace (read), - - @{bin}/udevadm mr, - - /etc/udev/udev.conf r, - - @{PROC}/1/environ r, - @{PROC}/1/sched r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/random/boot_id r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/stat r, - - /dev/mapper/control rw, - + include if exists } include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gpasswd b/apparmor.d/profiles-g-l/gpasswd index 150b7b499..11c1e9767 100644 --- a/apparmor.d/profiles-g-l/gpasswd +++ b/apparmor.d/profiles-g-l/gpasswd @@ -44,3 +44,5 @@ profile gpasswd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gping b/apparmor.d/profiles-g-l/gping index e629ab584..956a1781f 100644 --- a/apparmor.d/profiles-g-l/gping +++ b/apparmor.d/profiles-g-l/gping @@ -16,4 +16,6 @@ profile gping @{exec_path} { @{bin}/ping rPx, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index da33f7bca..97c89a433 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -31,16 +31,18 @@ profile gpo @{exec_path} { @{bin}/less rPx -> child-pager, @{bin}/more rPx -> child-pager, - owner @{PROC}/@{pid}/fd/ r, + /etc/inputrc r, + + /usr/share/gpodder/extensions/{,*.py} r, owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - /usr/share/gpodder/extensions/{,*.py} r, + owner /var/tmp/etilqs_@{hex16} rw, - /etc/inputrc r, - - owner /var/tmp/etilqs_@{hex} rw, + owner @{PROC}/@{pid}/fd/ r, include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index 60fe931f3..10b8492e9 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder 
@@ -10,14 +10,12 @@ include @{exec_path} = @{bin}/gpodder profile gpodder @{exec_path} { include - include - include + include include - include - include include - include + include include + include network inet dgram, network inet6 dgram, @@ -32,64 +30,32 @@ profile gpodder @{exec_path} { @{sh_path} rix, @{bin}/uname rix, - owner @{HOME}/ r, - owner @{HOME}/gPodder/ rw, - owner @{HOME}/gPodder/** rwk, - - /usr/share/gpodder/{,**} r, - - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/mountinfo r, - - /etc/fstab r, - - owner /var/tmp/etilqs_@{hex} rw, - - /etc/mime.types r, - - /usr/share/*/*.desktop r, - - @{bin}/xdg-settings rPUx, - - @{bin}/xdg-open rCx -> open, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + @{bin}/xdg-settings rPx, + @{open_path} rPx -> child-open, # A/V players @{bin}/smplayer rPUx, @{bin}/vlc rPUx, @{bin}/mpv rPUx, - # Open in a web browser - @{lib}/firefox/firefox rPUx, + /usr/share/gpodder/{,**} r, + + /etc/fstab r, + /etc/mime.types r, + + owner @{HOME}/ r, + owner @{HOME}/gPodder/ rw, + owner @{HOME}/gPodder/** rwk, + + owner /var/tmp/etilqs_@{hex16} rw, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/mountinfo r, - # file_inherit owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gpodder-migrate2tres b/apparmor.d/profiles-g-l/gpodder-migrate2tres index 0c048b19e..f8e2c73f4 100644 --- a/apparmor.d/profiles-g-l/gpodder-migrate2tres +++ b/apparmor.d/profiles-g-l/gpodder-migrate2tres 
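Review bot: The `# file_inherit` comment above `owner /dev/tty@{int} rw,` is dropped while the rule is kept, so the reason a GUI podcast client holds read-write on a tty (the project's marker for rules that exist because of an inherited file descriptor, as I read it) is no longer recorded; please keep `# file_inherit` on the line above that rule. The move from `rPUx` to `rPx` for `@{bin}/xdg-settings` and the new `@{open_path} rPx -> child-open,` are a tightening that now depends on those profiles being installed, and a missing xdg-settings or child-open profile turns the former unconfined fallback into a denial — worth one line in the commit description. The hunk reaches the profile's closing brace; its header is outside the hunk.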
@@ -26,3 +26,5 @@ profile gpodder-migrate2tres @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 9177b7b3c..4444662fc 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager @@ -33,4 +33,6 @@ profile gpu-manager @{exec_path} { @{PROC}/cmdline r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/groupadd b/apparmor.d/profiles-g-l/groupadd index b0fd33c5c..4c6e80c59 100644 --- a/apparmor.d/profiles-g-l/groupadd +++ b/apparmor.d/profiles-g-l/groupadd @@ -37,3 +37,5 @@ profile groupadd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/groupdel b/apparmor.d/profiles-g-l/groupdel index 1d7ecb4bc..a28fb72f7 100644 --- a/apparmor.d/profiles-g-l/groupdel +++ b/apparmor.d/profiles-g-l/groupdel @@ -40,3 +40,5 @@ profile groupdel @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/groupmod b/apparmor.d/profiles-g-l/groupmod index acb53e6ff..a37273af6 100644 --- a/apparmor.d/profiles-g-l/groupmod +++ b/apparmor.d/profiles-g-l/groupmod @@ -41,3 +41,5 @@ profile groupmod @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/groups b/apparmor.d/profiles-g-l/groups index 2affa7562..4c0f07d87 100644 --- a/apparmor.d/profiles-g-l/groups +++ b/apparmor.d/profiles-g-l/groups @@ -19,3 +19,5 @@ profile groups @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/grpck b/apparmor.d/profiles-g-l/grpck index 190322e3f..3e42f90c7 100644 --- a/apparmor.d/profiles-g-l/grpck +++ b/apparmor.d/profiles-g-l/grpck @@ -34,3 +34,5 @@ profile grpck @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 17671f735..cd7ce37ce 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -26,3 +26,5 @@ profile gsettings @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gsimplecal b/apparmor.d/profiles-g-l/gsimplecal index d1b6994e4..ba7ba4da4 100644 --- a/apparmor.d/profiles-g-l/gsimplecal +++ b/apparmor.d/profiles-g-l/gsimplecal @@ -18,3 +18,5 @@ profile gsimplecal @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gsmartcontrol b/apparmor.d/profiles-g-l/gsmartcontrol index 6c4038e4a..f6f6b300f 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol +++ b/apparmor.d/profiles-g-l/gsmartcontrol @@ -110,3 +110,5 @@ profile gsmartcontrol @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gsmartcontrol-root b/apparmor.d/profiles-g-l/gsmartcontrol-root index f5a817f6b..01b7d22e1 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol-root +++ b/apparmor.d/profiles-g-l/gsmartcontrol-root @@ -21,3 +21,5 @@ profile gsmartcontrol-root @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gssproxy b/apparmor.d/profiles-g-l/gssproxy index ca6b34ccf..6a16d1dc7 100644 --- a/apparmor.d/profiles-g-l/gssproxy +++ b/apparmor.d/profiles-g-l/gssproxy @@ -25,4 +25,6 @@ profile gssproxy @{exec_path} { owner @{PROC}/@{pids}/net/rpc/use-gss-proxy rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules index eee4f7e51..e67def6d2 100644 --- a/apparmor.d/profiles-g-l/gtk-query-immodules +++ b/apparmor.d/profiles-g-l/gtk-query-immodules 
@@ -23,4 +23,6 @@ profile gtk-query-immodules @{exec_path} { deny network inet stream, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache index 917332e3d..a91dc3069 100644 --- a/apparmor.d/profiles-g-l/gtk-update-icon-cache +++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache @@ -24,3 +24,5 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gtk-youtube-viewer b/apparmor.d/profiles-g-l/gtk-youtube-viewer index 9f3e50df2..96b114461 100644 --- a/apparmor.d/profiles-g-l/gtk-youtube-viewer +++ b/apparmor.d/profiles-g-l/gtk-youtube-viewer @@ -119,3 +119,5 @@ profile gtk-youtube-viewer @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index 02dd62dcd..02ac63e6f 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -197,3 +197,5 @@ profile hardinfo @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index 2e5471085..ff3870880 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged @@ -29,3 +29,5 @@ profile haveged @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hbbr b/apparmor.d/profiles-g-l/hbbr index f2150ba95..78c15672b 100644 --- a/apparmor.d/profiles-g-l/hbbr +++ b/apparmor.d/profiles-g-l/hbbr @@ -23,3 +23,5 @@ profile hbbr @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hbbs b/apparmor.d/profiles-g-l/hbbs index 783ee97a2..69ac0cc8c 100644 --- a/apparmor.d/profiles-g-l/hbbs +++ b/apparmor.d/profiles-g-l/hbbs @@ -28,3 +28,5 @@ profile hbbs @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-g-l/hciconfig b/apparmor.d/profiles-g-l/hciconfig index a1bd70d14..eb0319c5f 100644 --- a/apparmor.d/profiles-g-l/hciconfig +++ b/apparmor.d/profiles-g-l/hciconfig @@ -20,3 +20,5 @@ profile hciconfig @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hddtemp b/apparmor.d/profiles-g-l/hddtemp index efc3bbcb6..e0be907a6 100644 --- a/apparmor.d/profiles-g-l/hddtemp +++ b/apparmor.d/profiles-g-l/hddtemp @@ -38,3 +38,5 @@ profile hddtemp @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hdparm b/apparmor.d/profiles-g-l/hdparm index 4abb330e9..f29bc1c20 100644 --- a/apparmor.d/profiles-g-l/hdparm +++ b/apparmor.d/profiles-g-l/hdparm @@ -34,3 +34,5 @@ profile hdparm @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hexchat b/apparmor.d/profiles-g-l/hexchat index a802ea639..aaa550dfc 100644 --- a/apparmor.d/profiles-g-l/hexchat +++ b/apparmor.d/profiles-g-l/hexchat @@ -52,3 +52,5 @@ profile hexchat @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/highlight b/apparmor.d/profiles-g-l/highlight index 4a5ef1402..fb90c4475 100644 --- a/apparmor.d/profiles-g-l/highlight +++ b/apparmor.d/profiles-g-l/highlight @@ -20,3 +20,5 @@ profile highlight @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host index d063bf167..5894c85a0 100644 --- a/apparmor.d/profiles-g-l/host +++ b/apparmor.d/profiles-g-l/host @@ -27,3 +27,5 @@ profile host @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hostname b/apparmor.d/profiles-g-l/hostname index d0c1cc18c..efda5b4a8 100644 --- a/apparmor.d/profiles-g-l/hostname +++ b/apparmor.d/profiles-g-l/hostname 
@@ -25,3 +25,5 @@ profile hostname @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop index 9c56a9986..d06991025 100644 --- a/apparmor.d/profiles-g-l/htop +++ b/apparmor.d/profiles-g-l/htop @@ -136,3 +136,5 @@ profile htop @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hugeadm b/apparmor.d/profiles-g-l/hugeadm index 858f2740a..731483cf6 100644 --- a/apparmor.d/profiles-g-l/hugeadm +++ b/apparmor.d/profiles-g-l/hugeadm @@ -59,3 +59,5 @@ profile hugeadm @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index b3222265d..fcb585020 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -45,4 +45,6 @@ profile hugo @{exec_path} { @{PROC}/sys/net/core/somaxconn r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 8c179e0d9..7c6b87b6c 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -8,9 +8,10 @@ abi , include @{exec_path} = @{bin}/hw-probe -profile hw-probe @{exec_path} { +profile hw-probe @{exec_path} flags=(attach_disconnected) { include include + include capability sys_admin, 
@@ -20,111 +21,134 @@ profile hw-probe @{exec_path} { @{exec_path} rm, @{bin}/perl r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{m,g,}awk rix, - @{bin}/dd rix, - @{bin}/efibootmgr rix, - @{bin}/efivar rix, - @{bin}/md5sum rix, - @{bin}/pwd rix, - @{bin}/sleep rix, - @{bin}/tar rix, - @{bin}/uname rix, - - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/dpkg rPx -> child-dpkg, - - @{bin}/acpi rPx, - @{bin}/amixer rPx, - @{bin}/aplay rPx, - @{bin}/biosdecode rPx, - @{bin}/cpuid rPx, - @{bin}/cpupower rPx, - @{bin}/df rPx, - @{bin}/dkms rPx, - @{bin}/dmesg rPx, - @{bin}/dmidecode rPx, - @{bin}/edid-decode rPx, - @{bin}/fdisk rPx, - @{bin}/glxgears rPx, - @{bin}/glxinfo rPx, - @{bin}/hciconfig rPx, - @{bin}/hdparm rPx, - @{bin}/hwinfo rPx, - @{bin}/i2cdetect rPx, - @{bin}/inxi rPx, - @{bin}/lsblk rPx, - @{bin}/lscpu rPx, - @{bin}/lspci rPx, - @{bin}/lsusb rPx, - @{bin}/memtester rPx, - @{bin}/rfkill rPx, - @{bin}/sensors rPx, - @{bin}/smartctl rPx, - @{bin}/upower rPx, - @{bin}/uptime rPx, - @{bin}/usb-devices rPx, - @{bin}/xdpyinfo rPx, - @{bin}/xinput rPx, - @{bin}/xrandr rPx, + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/dd rix, + @{bin}/efibootmgr rix, + @{bin}/efivar rix, + @{bin}/find rix, + @{bin}/md5sum rix, + @{bin}/pwd rix, + @{bin}/sleep rix, + @{bin}/sort rix, + @{bin}/tar rix, + @{bin}/uname rix, + @{bin}/acpi rPx, + @{bin}/amixer rPx, + @{bin}/aplay rPx, + @{bin}/biosdecode rPx, + @{bin}/cpuid rPx, + @{bin}/cpupower rPx, @{bin}/curl rCx -> curl, + @{bin}/df rPx, + @{bin}/dkms rPx, + @{bin}/dmesg rPx, + @{bin}/dmidecode rPx, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/edid-decode rPx, @{bin}/ethtool rCx -> netconfig, - @{bin}/find rCx -> find, + @{bin}/fdisk rPx, + @{bin}/glxgears rPx, + @{bin}/glxinfo rPx, + @{bin}/hciconfig rPx, + @{bin}/hdparm rPx, + @{bin}/hwinfo rPx, + @{bin}/i2cdetect rPx, @{bin}/ifconfig rCx -> netconfig, + @{bin}/inxi rPx, @{bin}/iw rCx -> netconfig, @{bin}/iwconfig rCx -> netconfig, 
@{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, - @{bin}/kmod rCx -> kmod, + @{bin}/kmod rix, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsblk rPx, + @{bin}/lscpu rPx, + @{bin}/lspci rPx, + @{bin}/lsusb rPx, + @{bin}/memtester rPx, + @{bin}/nmcli rPx, + @{bin}/pacman rCx -> pacman, + @{bin}/rfkill rPx, + @{bin}/rpm rCx -> rpm, + @{bin}/sensors rPx, + @{bin}/smartctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-analyze rPx, @{bin}/udevadm rCx -> udevadm, - - /usr/share/X11/xorg.conf.d/{,*.conf} r, + @{bin}/upower rPx, + @{bin}/uptime rPx, + @{bin}/usb-devices rPx, + @{bin}/xdpyinfo rPx, + @{bin}/xinput rPx, + @{bin}/xrandr rPx, /etc/modprobe.d/{,*.conf} r, - /etc/X11/xorg.conf.d/{,*.conf} r, - /var/log/Xorg.[0-9].log{,.old} r, + owner @{HOME}/HW_PROBE/{,**} rw, - owner /root/HW_PROBE/{,**} rw, - - owner @{tmp}/*/ rw, + audit owner @{tmp}/*/ rw, owner @{tmp}/*/cpu_perf rw, @{sys}/class/drm/ r, @{sys}/class/power_supply/ r, - - @{sys}/devices/virtual/dmi/id/* r, @{sys}/devices/@{pci}/drm/card@{int}/*/edid r, @{sys}/devices/**/power_supply/*/uevent r, - + @{sys}/devices/virtual/dmi/id/* r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/* r, + @{sys}/module/*/ r, + @{sys}/module/*/{coresize,refcnt} r, + @{sys}/module/*/holders/ r, @{PROC}/bus/input/devices r, + @{PROC}/cmdline r, @{PROC}/interrupts r, @{PROC}/ioports r, + @{PROC}/modules r, @{PROC}/scsi/scsi r, - profile find { + /dev/{,**} r, + + profile pacman flags=(attach_disconnected) { include - include + include + + @{bin}/pacman mr, + + @{bin}/gpg rPx -> pacman//gpg, + @{bin}/gpgconf rPx -> pacman//gpg, + @{bin}/gpgsm rPx -> pacman//gpg, + + /etc/pacman.conf r, + /etc/pacman.d/{,**} r, + + /var/lib/pacman/{,**} r, + + include if exists + } + + profile rpm flags=(attach_disconnected) { + include + include capability dac_read_search, - @{bin}/find mr, + @{bin}/rpm mr, - /root/ r, + /var/ r, + /var/lib/ r, + /var/lib/rpm/ r, + /var/lib/rpm/rpmdb.sqlite rk, + 
/var/lib/rpm/rpmdb.sqlite-shm rwk, + /var/lib/rpm/rpmdb.sqlite-wal rw, - /dev/{,**} r, - - include if exists + include if exists } - profile journalctl { + profile journalctl flags=(attach_disconnected) { include @{bin}/journalctl mr, @@ -133,18 +157,18 @@ profile hw-probe @{exec_path} { /etc/machine-id r, @{run}/log/ rw, - /{run,var}/log/journal/ rw, - /{run,var}/log/journal/@{hex32}/ rw, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* rw, - /{run,var}/log/journal/@{hex32}/system.journal* rw, - /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* rw, + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, owner @{PROC}/@{pid}/stat r, include if exists } - profile killall { + profile killall flags=(attach_disconnected) { include capability sys_ptrace, @@ -155,47 +179,20 @@ profile hw-probe @{exec_path} { @{bin}/killall mr, - # The /proc/ dir is needed to avoid the following error: - # /proc: Permission denied @{PROC}/ r, @{PROC}/@{pids}/stat r, include if exists } - profile udevadm { + profile udevadm flags=(attach_disconnected) { include - include - - @{bin}/udevadm mr, - - /etc/udev/udev.conf r, - - @{sys}/bus/ r, - @{sys}/bus/*/devices/ r, - @{sys}/class/ r, - @{sys}/class/*/ r, - @{sys}/devices/**/uevent r, + include include if exists } - profile kmod { - include - - @{bin}/kmod mr, - - @{sys}/module/*/ r, - @{sys}/module/*/{coresize,refcnt} r, - @{sys}/module/*/holders/ r, - - @{PROC}/cmdline r, - @{PROC}/modules r, - - include if exists - } - - profile netconfig { + profile netconfig flags=(attach_disconnected) { include # Not needed @@ -220,7 +217,7 @@ profile hw-probe @{exec_path} { include if exists } - profile systemctl { + profile systemctl flags=(attach_disconnected) { include include 
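Review bot: `/dev/{,**} r,` now sits in the main hw-probe profile (previously it lived only in the removed `find` child), so the probe and everything it runs with `ix` — including the newly inherited `@{bin}/kmod rix,` — can read every device node, raw block devices and `/dev/mem` included. If the need is to enumerate nodes, `/dev/ r,` and `/dev/**/ r,` give directory listings without content reads; otherwise list the nodes actually read. Moving kmod from the `kmod` child to `rix` also runs it under hw-probe's `capability sys_admin` rather than the child's narrow rule set; `@{bin}/kmod rCx -> kmod,` with the `@{sys}/module/` and `@{PROC}/modules` rules kept in the child preserves that separation. In the new `rpm` child, `rpmdb.sqlite` is `rk` but `rpmdb.sqlite-wal` is `rw`; a WAL write is a package-database write, and a read-only query normally needs write access only to `-shm`, so try `/var/lib/rpm/rpmdb.sqlite-wal r,` first. The `audit` prefix on `owner @{tmp}/*/ rw,` looks like a debugging leftover that will log every match; drop it or comment why it stays.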
@@ -229,3 +226,5 @@ profile hw-probe @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index 277ce6e72..f56dd2b14 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -12,19 +12,10 @@ profile hwinfo @{exec_path} { include include - # Without the sys_admin CAP, some information, for instance the reserved I/O port address range - # in the /proc/ioports, will be hidden. - capability sys_admin, - - # For the kernel log entries to be shown in the output - capability syslog, - - # To remove the following errors: - # eth0: socket failed: Operation not permitted - capability net_raw, - - # Needed when passed disk related options (--block, --partition, --floppy) - capability sys_rawio, + capability net_raw, # Needed for network related options + capability sys_admin, # Needed for /proc/ioports + capability sys_rawio, # Needed for disk related options + capability syslog, # Needed for /proc/kmsg network inet dgram, network inet6 dgram, 
@@ -36,80 +27,73 @@ profile hwinfo @{exec_path} { @{bin}/kmod rCx -> kmod, @{bin}/udevadm rCx -> udevadm, + @{bin}/acpidump rPUx, @{bin}/dmraid rPUx, - @{PROC}/version r, - @{PROC}/cmdline r, - @{PROC}/dma r, - @{PROC}/interrupts r, - @{PROC}/modules r, - @{PROC}/tty/driver/serial r, - @{PROC}/ioports r, - @{PROC}/bus/input/devices r, - @{PROC}/partitions r, - @{PROC}/driver/nvram r, - @{PROC}/sys/dev/cdrom/info r, + /usr/share/hwinfo/{,**} r, - /dev/mem r, - /dev/nvram r, - /dev/psaux r, - /dev/console rw, - /dev/ttyS@{int} r, - /dev/fb@{int} r, + /var/lib/hardware/udi/{,**} r, + + owner @{tmp}/hwinfo*.txt rw, @{sys}/bus/{,**/} r, @{sys}/class/*/ r, - @{sys}/devices/@{pci_bus}/** r, - @{sys}/devices/**/input/**/dev r, + @{sys}/devices/@{pci}/** r, @{sys}/devices/**/{modalias,uevent} r, + @{sys}/devices/**/input/**/dev r, @{sys}/devices/virtual/net/*/{type,carrier,address} r, @{sys}/firmware/dmi/tables/DMI r, @{sys}/firmware/dmi/tables/smbios_entry_point r, @{sys}/firmware/edd/{,**} r, - /var/lib/hardware/udi/ r, - - # For a log file - owner @{tmp}/hwinfo*.txt rw, + @{PROC}/bus/input/devices r, + @{PROC}/cmdline r, + @{PROC}/dma r, + @{PROC}/driver/nvram r, + @{PROC}/interrupts r, + @{PROC}/ioports r, + @{PROC}/modules r, + @{PROC}/partitions r, + @{PROC}/sys/dev/cdrom/info r, + @{PROC}/tty/driver/serial r, + @{PROC}/version r, + /dev/console rw, + /dev/fb@{int} r, + /dev/mem r, + /dev/nvram r, + /dev/psaux r, + /dev/ttyS@{int} r, profile kmod { include + include @{bin}/kmod mr, /etc/modprobe.d/{,*.conf} r, - @{PROC}/cmdline r, - - # file_inherit - /dev/ttyS@{int} r, owner @{tmp}/hwinfo*.txt rw, + @{sys}/devices/@{pci}/drm/card@{int}/ r, + @{PROC}/cmdline r, + @{PROC}/modules r, + + include if exists } profile udevadm { include + include - @{bin}/udevadm mr, - - /etc/udev/udev.conf r, - - owner @{PROC}/@{pid}/stat r, - @{PROC}/cmdline r, - @{PROC}/1/sched r, - @{PROC}/1/environ r, - @{PROC}/sys/kernel/osrelease r, - - @{sys}/** r, - @{run}/udev/data/* r, - - # 
file_inherit owner @{tmp}/hwinfo*.txt rw, + include if exists } include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hypnotix b/apparmor.d/profiles-g-l/hypnotix index 4a0679f52..3a9a6131d 100644 --- a/apparmor.d/profiles-g-l/hypnotix +++ b/apparmor.d/profiles-g-l/hypnotix @@ -88,3 +88,5 @@ profile hypnotix @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/i2cdetect b/apparmor.d/profiles-g-l/i2cdetect index baad4b969..f045b489d 100644 --- a/apparmor.d/profiles-g-l/i2cdetect +++ b/apparmor.d/profiles-g-l/i2cdetect @@ -17,3 +17,5 @@ profile i2cdetect @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/i3lock b/apparmor.d/profiles-g-l/i3lock index 4d3600a75..d2fbdff2c 100644 --- a/apparmor.d/profiles-g-l/i3lock +++ b/apparmor.d/profiles-g-l/i3lock @@ -36,3 +36,5 @@ profile i3lock @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/i3lock-fancy b/apparmor.d/profiles-g-l/i3lock-fancy index f0e0f35ff..fce4ff7d4 100644 --- a/apparmor.d/profiles-g-l/i3lock-fancy +++ b/apparmor.d/profiles-g-l/i3lock-fancy @@ -71,3 +71,5 @@ profile i3lock-fancy @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/iceauth b/apparmor.d/profiles-g-l/iceauth index bd8df0f2e..66111ff55 100644 --- a/apparmor.d/profiles-g-l/iceauth +++ b/apparmor.d/profiles-g-l/iceauth @@ -22,4 +22,6 @@ profile iceauth @{exec_path} { owner @{run}/user/@{uid}/ICEauthority-n rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/id b/apparmor.d/profiles-g-l/id index 7c92f2b9a..061313d42 100644 --- a/apparmor.d/profiles-g-l/id +++ b/apparmor.d/profiles-g-l/id @@ -21,3 +21,5 @@ profile id @{exec_path} { include if exists } + +# vim:syntax=apparmor 
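Review bot: `@{bin}/acpidump rPUx,` lets acpidump run fully unconfined whenever no `acpidump` profile is loaded, and acpidump reads firmware tables (through `/sys/firmware/acpi/tables` or, depending on build, `/dev/mem`) that hwinfo itself is only granted piecemeal. Since this profile already carries `/dev/mem r` and `capability sys_rawio`, a child such as `@{bin}/acpidump rCx -> acpidump,` holding just `@{bin}/acpidump mr,` and `@{sys}/firmware/acpi/tables/{,**} r,` would keep the table dump confined; the pre-existing `dmraid rPUx` has the same unconfined fallback and could be revisited alongside it. The `profile udevadm` child also drops its explicit `@{bin}/udevadm mr,` in favour of an abstraction whose name is not rendered in this view — confirm that abstraction supplies the exec-map rule, otherwise the `rCx -> udevadm` transition will be denied at exec time.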
diff --git a/apparmor.d/profiles-g-l/ifconfig b/apparmor.d/profiles-g-l/ifconfig index 74fe432ad..8dd7eaac0 100644 --- a/apparmor.d/profiles-g-l/ifconfig +++ b/apparmor.d/profiles-g-l/ifconfig @@ -30,3 +30,5 @@ profile ifconfig @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index 6ee7d10d2..74cf07da8 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -129,3 +129,5 @@ profile ifup @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/im-launch b/apparmor.d/profiles-g-l/im-launch index faf618d36..5520e990c 100644 --- a/apparmor.d/profiles-g-l/im-launch +++ b/apparmor.d/profiles-g-l/im-launch @@ -40,3 +40,5 @@ profile im-launch @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/img2txt b/apparmor.d/profiles-g-l/img2txt new file mode 100644 index 000000000..1b3518777 --- /dev/null +++ b/apparmor.d/profiles-g-l/img2txt @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/img2txt +profile img2txt @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} diff --git a/apparmor.d/profiles-g-l/imv-wayland b/apparmor.d/profiles-g-l/imv-wayland index 6bac7898b..72eaecc9c 100644 --- a/apparmor.d/profiles-g-l/imv-wayland +++ b/apparmor.d/profiles-g-l/imv-wayland @@ -27,3 +27,5 @@ profile imv @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/initd-kexec b/apparmor.d/profiles-g-l/initd-kexec index fcda63e83..f17356fcc 100644 --- a/apparmor.d/profiles-g-l/initd-kexec +++ b/apparmor.d/profiles-g-l/initd-kexec @@ -54,3 +54,5 @@ profile initd-kexec @{exec_path} { include if exists } + +# vim:syntax=apparmor 
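Review bot: The new `img2txt` profile is the one file in this commit that does not end with the `# vim:syntax=apparmor` modeline every other profile gains here; add it after the closing brace for consistency. img2txt decodes attacker-supplied image files, so confining it is worthwhile, but the profile contains only `@{exec_path} mr,` plus two abstractions whose names are not rendered in this view — confirm they grant read access to the images a user will pass (a user-read abstraction or an explicit `owner` read rule on the user's picture directories), otherwise the profile will deny on first use with no rule in the file to point at.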
diff --git a/apparmor.d/profiles-g-l/initd-kexec-load b/apparmor.d/profiles-g-l/initd-kexec-load index ab1d54536..d36584ec9 100644 --- a/apparmor.d/profiles-g-l/initd-kexec-load +++ b/apparmor.d/profiles-g-l/initd-kexec-load @@ -78,3 +78,5 @@ profile initd-kexec-load @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/initd-kmod b/apparmor.d/profiles-g-l/initd-kmod index 53c39142b..f8f975211 100644 --- a/apparmor.d/profiles-g-l/initd-kmod +++ b/apparmor.d/profiles-g-l/initd-kmod @@ -60,3 +60,5 @@ profile initd-kmod @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/install-catalog b/apparmor.d/profiles-g-l/install-catalog index 714d10a66..370cbf154 100644 --- a/apparmor.d/profiles-g-l/install-catalog +++ b/apparmor.d/profiles-g-l/install-catalog @@ -26,4 +26,6 @@ profile install-catalog @{exec_path} { /etc/sgml/sgml-ent.cat{,.new} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info index 4060e715e..54e40386f 100644 --- a/apparmor.d/profiles-g-l/install-info +++ b/apparmor.d/profiles-g-l/install-info @@ -29,4 +29,6 @@ profile install-info @{exec_path} { deny network inet stream, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/install-printerdriver b/apparmor.d/profiles-g-l/install-printerdriver index e8d110a99..ddbf2e31c 100644 --- a/apparmor.d/profiles-g-l/install-printerdriver +++ b/apparmor.d/profiles-g-l/install-printerdriver @@ -22,3 +22,5 @@ profile install-printerdriver @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index 9f5632291..aba281c31 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi 
@@ -138,15 +138,7 @@ profile inxi @{exec_path} { profile udevadm { include - include - - @{bin}/udevadm mr, - - /etc/udev/udev.conf r, - - @{run}/udev/data/b* r, - - @{sys}/devices/@{pci}/block/**/uevent r, + include include if exists } @@ -171,3 +163,5 @@ profile inxi @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/ioping b/apparmor.d/profiles-g-l/ioping index 5eb45817e..497e5cb1c 100644 --- a/apparmor.d/profiles-g-l/ioping +++ b/apparmor.d/profiles-g-l/ioping @@ -47,3 +47,5 @@ profile ioping @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/iotop b/apparmor.d/profiles-g-l/iotop index 7cf6e55e6..be2738443 100644 --- a/apparmor.d/profiles-g-l/iotop +++ b/apparmor.d/profiles-g-l/iotop @@ -39,3 +39,5 @@ profile iotop @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 33f0c57d7..7fee79abc 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -51,3 +51,5 @@ profile ip @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/ipcalc b/apparmor.d/profiles-g-l/ipcalc index bc28ac5f0..dd750b8c9 100644 --- a/apparmor.d/profiles-g-l/ipcalc +++ b/apparmor.d/profiles-g-l/ipcalc @@ -17,3 +17,5 @@ profile ipcalc @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance index 49f0dd90f..2226e6dd2 100644 --- a/apparmor.d/profiles-g-l/irqbalance +++ b/apparmor.d/profiles-g-l/irqbalance @@ -41,4 +41,6 @@ profile irqbalance @{exec_path} flags=(attach_disconnected) { @{PROC}/irq/@{int}/smp_affinity rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index f7b9fa5fe..a54b024ad 100644 
--- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -27,4 +27,6 @@ profile issue-generator @{exec_path} { @{run}/issue.d/{,**} r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/iw b/apparmor.d/profiles-g-l/iw index 3282afe9c..3b62c32ba 100644 --- a/apparmor.d/profiles-g-l/iw +++ b/apparmor.d/profiles-g-l/iw @@ -28,3 +28,5 @@ profile iw @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/iwconfig b/apparmor.d/profiles-g-l/iwconfig index 4246f81e6..62bc16041 100644 --- a/apparmor.d/profiles-g-l/iwconfig +++ b/apparmor.d/profiles-g-l/iwconfig @@ -28,3 +28,5 @@ profile iwconfig @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/iwlist b/apparmor.d/profiles-g-l/iwlist index cfa7f1b53..ef2a280e0 100644 --- a/apparmor.d/profiles-g-l/iwlist +++ b/apparmor.d/profiles-g-l/iwlist @@ -21,3 +21,5 @@ profile iwlist @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/jackdbus b/apparmor.d/profiles-g-l/jackdbus index 9cf1be3b8..ed1094a17 100644 --- a/apparmor.d/profiles-g-l/jackdbus +++ b/apparmor.d/profiles-g-l/jackdbus @@ -26,4 +26,6 @@ profile jackdbus @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/jack/{,**} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/jami-gnome b/apparmor.d/profiles-g-l/jami-gnome index a2798cbc9..9d22933fc 100644 --- a/apparmor.d/profiles-g-l/jami-gnome +++ b/apparmor.d/profiles-g-l/jami-gnome @@ -57,3 +57,5 @@ profile jami-gnome @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/jdownloader b/apparmor.d/profiles-g-l/jdownloader index 27981fe73..424074da4 100644 --- a/apparmor.d/profiles-g-l/jdownloader +++ b/apparmor.d/profiles-g-l/jdownloader 
@@ -124,3 +124,5 @@ profile jdownloader @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/jekyll b/apparmor.d/profiles-g-l/jekyll index 3142c44d6..667b9304f 100644 --- a/apparmor.d/profiles-g-l/jekyll +++ b/apparmor.d/profiles-g-l/jekyll @@ -33,3 +33,5 @@ profile jekyll @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/jgmenu b/apparmor.d/profiles-g-l/jgmenu index a9eda288e..6c7f3c1ff 100644 --- a/apparmor.d/profiles-g-l/jgmenu +++ b/apparmor.d/profiles-g-l/jgmenu @@ -57,3 +57,5 @@ profile jgmenu @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/jitterentropy-rngd b/apparmor.d/profiles-g-l/jitterentropy-rngd index 1434e560f..5b96e0c58 100644 --- a/apparmor.d/profiles-g-l/jitterentropy-rngd +++ b/apparmor.d/profiles-g-l/jitterentropy-rngd @@ -21,4 +21,6 @@ profile jitterentropy-rngd @{exec_path} { /dev/random w, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/jmtpfs b/apparmor.d/profiles-g-l/jmtpfs index a90c7de8f..77127171c 100644 --- a/apparmor.d/profiles-g-l/jmtpfs +++ b/apparmor.d/profiles-g-l/jmtpfs @@ -62,3 +62,5 @@ profile jmtpfs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote index 8f0ba584b..fef624841 100644 --- a/apparmor.d/profiles-g-l/kanyremote +++ b/apparmor.d/profiles-g-l/kanyremote @@ -98,3 +98,5 @@ profile kanyremote @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kcheckpass b/apparmor.d/profiles-g-l/kcheckpass index dd4343a32..9dddbe470 100644 --- a/apparmor.d/profiles-g-l/kcheckpass +++ b/apparmor.d/profiles-g-l/kcheckpass @@ -23,3 +23,5 @@ profile kcheckpass @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-g-l/kconfig-hardened-check b/apparmor.d/profiles-g-l/kconfig-hardened-check index 5674abb4c..6858f1b45 100644 --- a/apparmor.d/profiles-g-l/kconfig-hardened-check +++ b/apparmor.d/profiles-g-l/kconfig-hardened-check @@ -27,3 +27,5 @@ profile kconfig-hardened-check @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index aeb155df1..20be091cc 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -99,3 +99,5 @@ profile keepassxc @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/keepassxc-cli b/apparmor.d/profiles-g-l/keepassxc-cli index cdc3e94e2..b1d6e0e86 100644 --- a/apparmor.d/profiles-g-l/keepassxc-cli +++ b/apparmor.d/profiles-g-l/keepassxc-cli @@ -15,3 +15,5 @@ profile keepassxc-cli @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/keepassxc-proxy b/apparmor.d/profiles-g-l/keepassxc-proxy index f913de295..5e9736108 100644 --- a/apparmor.d/profiles-g-l/keepassxc-proxy +++ b/apparmor.d/profiles-g-l/keepassxc-proxy @@ -47,3 +47,5 @@ profile keepassxc-proxy @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index af6578713..93cb01b19 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -65,3 +65,5 @@ profile kernel-install @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kerneloops b/apparmor.d/profiles-g-l/kerneloops index 5b778b1fa..f3c7e3b37 100644 --- a/apparmor.d/profiles-g-l/kerneloops +++ b/apparmor.d/profiles-g-l/kerneloops @@ -28,3 +28,5 @@ profile kerneloops @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet index 01f6aac19..e6860c5b9 100644 --- a/apparmor.d/profiles-g-l/kerneloops-applet +++ b/apparmor.d/profiles-g-l/kerneloops-applet @@ -24,3 +24,5 @@ profile kerneloops-applet @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kexec b/apparmor.d/profiles-g-l/kexec index 960af35a1..dc027eae6 100644 --- a/apparmor.d/profiles-g-l/kexec +++ b/apparmor.d/profiles-g-l/kexec @@ -28,3 +28,5 @@ profile kexec @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 4dbb2de6b..ac03c2501 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -76,3 +76,5 @@ profile kmod @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi index 87624f946..3d8800cc7 100644 --- a/apparmor.d/profiles-g-l/kodi +++ b/apparmor.d/profiles-g-l/kodi @@ -66,3 +66,5 @@ profile kodi @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kodi-xrandr b/apparmor.d/profiles-g-l/kodi-xrandr index 469476329..932b869b8 100644 --- a/apparmor.d/profiles-g-l/kodi-xrandr +++ b/apparmor.d/profiles-g-l/kodi-xrandr @@ -16,9 +16,11 @@ profile kodi-xrandr @{exec_path} { owner @{HOME}/.Xauthority r, # file_inherit - @{sys}/devices/virtual/thermal/thermal_zone0/temp r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r, @{sys}/devices/system/cpu/cpufreq/policy0/scaling_cur_freq r, owner @{HOME}/.kodi/temp/kodi.log w, include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kvm-ok b/apparmor.d/profiles-g-l/kvm-ok index 85849c429..a023293fa 100644 --- a/apparmor.d/profiles-g-l/kvm-ok +++ b/apparmor.d/profiles-g-l/kvm-ok 
@@ -46,3 +46,5 @@ profile kvm-ok @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc index 42548b880..8fa7552af 100644 --- a/apparmor.d/profiles-g-l/labwc +++ b/apparmor.d/profiles-g-l/labwc @@ -56,3 +56,5 @@ profile labwc @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 853416c3f..a9df8a2b3 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -45,4 +45,6 @@ profile landscape-sysinfo @{exec_path} { /dev/tty@{int} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper index 697328310..e33195eb1 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper +++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper @@ -32,4 +32,6 @@ profile landscape-sysinfo.wrapper @{exec_path} { /dev/tty@{int} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate index 782b413e9..e77d997c5 100644 --- a/apparmor.d/profiles-g-l/language-validate +++ b/apparmor.d/profiles-g-l/language-validate @@ -22,4 +22,6 @@ profile language-validate @{exec_path} flags=(attach_disconnected) { /usr/share/language-tools/{,*} r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/last b/apparmor.d/profiles-g-l/last index 91a78e0e5..fd0c403a4 100644 --- a/apparmor.d/profiles-g-l/last +++ b/apparmor.d/profiles-g-l/last @@ -28,3 +28,5 @@ profile last @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-g-l/lastlog b/apparmor.d/profiles-g-l/lastlog index f665d06b2..3df955097 100644 --- a/apparmor.d/profiles-g-l/lastlog +++ b/apparmor.d/profiles-g-l/lastlog @@ -22,3 +22,5 @@ profile lastlog @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index cad2260bb..313b34a23 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -10,9 +10,11 @@ include @{exec_path} += @{lib}/libreoffice/program/soffice profile libreoffice @{exec_path} { include + include include include include + include include include include @@ -52,13 +54,17 @@ profile libreoffice @{exec_path} { @{lib}/libreoffice/share/uno_packages/cache/stamp.sys w, @{lib}/libreoffice/{,**} rm, + /usr/share/hyphen/{,**} r, /usr/share/libexttextcat/{,**} r, /usr/share/liblangtag/{,**} r, + /usr/share/libreoffice/{,**} r, + /usr/share/mythes/{,**} r, /etc/java-openjdk/{,**} r, /etc/libreoffice/{,**} r, /etc/paperspecs r, + owner @{user_cache_dirs}/libreoffice/{,**} rw, owner @{user_config_dirs}/libreoffice/ rw, owner @{user_config_dirs}/libreoffice/** rwk, @@ -75,6 +81,7 @@ profile libreoffice @{exec_path} { @{sys}/kernel/mm/transparent_hugepage/enabled r, @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r, owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/app.slice/**/memory.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, @{PROC}/cgroups r, owner @{PROC}/@{pid}/cgroup r, @@ -88,3 +95,5 @@ profile libreoffice @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/light b/apparmor.d/profiles-g-l/light index 845cf92cf..d4ff8a7d7 100644 --- a/apparmor.d/profiles-g-l/light +++ b/apparmor.d/profiles-g-l/light @@ -36,3 +36,5 @@ profile light @{exec_path} { include if exists } + +# vim:syntax=apparmor 
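Review bot: The new cgroup rule `owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r,` hard-codes a single desktop session (GNOME Shell on Wayland); the same lookup under an X11 session (`org.gnome.Shell@x11.service`) or any other compositor living in `session.slice` will be denied and surface as log noise. The neighbouring `app.slice/**/memory.max` rule already uses a glob; mirror it with `owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/session.slice/*.service/memory.max r,` (or `org.gnome.Shell@{wayland,x11}.service` if it should stay GNOME-specific). `memory.max` is read-only here, so widening the path adds no write exposure.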
diff --git a/apparmor.d/profiles-g-l/light-locker b/apparmor.d/profiles-g-l/light-locker index 6bd62f77f..8e8732c19 100644 --- a/apparmor.d/profiles-g-l/light-locker +++ b/apparmor.d/profiles-g-l/light-locker @@ -38,3 +38,5 @@ profile light-locker @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/light-locker-command b/apparmor.d/profiles-g-l/light-locker-command index c77b1d07b..21daa1853 100644 --- a/apparmor.d/profiles-g-l/light-locker-command +++ b/apparmor.d/profiles-g-l/light-locker-command @@ -15,3 +15,5 @@ profile light-locker-command @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lightworks b/apparmor.d/profiles-g-l/lightworks index accbe2085..f2e6c74cf 100644 --- a/apparmor.d/profiles-g-l/lightworks +++ b/apparmor.d/profiles-g-l/lightworks @@ -26,3 +26,5 @@ profile lightworks @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lightworks-ntcardvt b/apparmor.d/profiles-g-l/lightworks-ntcardvt index ee5f0c71e..b4dc21398 100644 --- a/apparmor.d/profiles-g-l/lightworks-ntcardvt +++ b/apparmor.d/profiles-g-l/lightworks-ntcardvt @@ -15,3 +15,5 @@ profile lightworks-ntcardvt @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/linssid b/apparmor.d/profiles-g-l/linssid index 384fda9ea..615f51b62 100644 --- a/apparmor.d/profiles-g-l/linssid +++ b/apparmor.d/profiles-g-l/linssid @@ -109,3 +109,5 @@ profile linssid @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index a6fd4d8ed..41813c1a1 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -50,3 +50,5 @@ profile linux-check-removal @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-g-l/linux-version b/apparmor.d/profiles-g-l/linux-version index 3f866072e..998c48780 100644 --- a/apparmor.d/profiles-g-l/linux-version +++ b/apparmor.d/profiles-g-l/linux-version @@ -20,3 +20,5 @@ profile linux-version @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/locale-gen b/apparmor.d/profiles-g-l/locale-gen index 722349ea1..093074d1b 100644 --- a/apparmor.d/profiles-g-l/locale-gen +++ b/apparmor.d/profiles-g-l/locale-gen @@ -39,4 +39,6 @@ profile locale-gen @{exec_path} { deny network inet stream, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/localepurge b/apparmor.d/profiles-g-l/localepurge index 53e3fd930..30018bf00 100644 --- a/apparmor.d/profiles-g-l/localepurge +++ b/apparmor.d/profiles-g-l/localepurge @@ -57,3 +57,5 @@ profile localepurge @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login index ba8c2c254..c93553030 100644 --- a/apparmor.d/profiles-g-l/login +++ b/apparmor.d/profiles-g-l/login @@ -73,3 +73,5 @@ profile login @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index ffc4099d3..6004b8a35 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -104,3 +104,5 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/losetup b/apparmor.d/profiles-g-l/losetup index 8c62398ec..fb8b448d1 100644 --- a/apparmor.d/profiles-g-l/losetup +++ b/apparmor.d/profiles-g-l/losetup @@ -24,4 +24,6 @@ profile losetup @{exec_path} { /dev/loop[0-9]* rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-g-l/low-memory-monitor b/apparmor.d/profiles-g-l/low-memory-monitor index 625d147ac..4471dbd2e 100644 --- a/apparmor.d/profiles-g-l/low-memory-monitor +++ b/apparmor.d/profiles-g-l/low-memory-monitor @@ -17,4 +17,6 @@ profile low-memory-monitor @{exec_path} flags=(attach_disconnected) { owner @{PROC}/pressure/memory rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lsblk b/apparmor.d/profiles-g-l/lsblk index e2a3207b5..56aad52b8 100644 --- a/apparmor.d/profiles-g-l/lsblk +++ b/apparmor.d/profiles-g-l/lsblk @@ -30,3 +30,5 @@ profile lsblk @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lscpu b/apparmor.d/profiles-g-l/lscpu index f59ee0e1e..804e67632 100644 --- a/apparmor.d/profiles-g-l/lscpu +++ b/apparmor.d/profiles-g-l/lscpu @@ -30,3 +30,5 @@ profile lscpu @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lsinitramfs b/apparmor.d/profiles-g-l/lsinitramfs index ff3f52865..e5b6ff750 100644 --- a/apparmor.d/profiles-g-l/lsinitramfs +++ b/apparmor.d/profiles-g-l/lsinitramfs @@ -21,3 +21,5 @@ profile lsinitramfs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci index d8aa90103..0d6936d22 100644 --- a/apparmor.d/profiles-g-l/lspci +++ b/apparmor.d/profiles-g-l/lspci @@ -44,3 +44,5 @@ profile lspci @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lsusb b/apparmor.d/profiles-g-l/lsusb index 872ac8369..eadda4785 100644 --- a/apparmor.d/profiles-g-l/lsusb +++ b/apparmor.d/profiles-g-l/lsusb @@ -21,3 +21,5 @@ profile lsusb @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/profiles-g-l/lvm index 7256c4b76..0bd6ef2e8 100644 --- a/apparmor.d/profiles-g-l/lvm 
+++ b/apparmor.d/profiles-g-l/lvm @@ -50,3 +50,5 @@ profile lvm @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lvmconfig b/apparmor.d/profiles-g-l/lvmconfig index 2423886e8..f38bd6780 100644 --- a/apparmor.d/profiles-g-l/lvmconfig +++ b/apparmor.d/profiles-g-l/lvmconfig @@ -17,3 +17,5 @@ profile lvmconfig @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lvmdump b/apparmor.d/profiles-g-l/lvmdump index 1d97ecf73..9dbe000f7 100644 --- a/apparmor.d/profiles-g-l/lvmdump +++ b/apparmor.d/profiles-g-l/lvmdump @@ -17,3 +17,5 @@ profile lvmdump @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lvmpolld b/apparmor.d/profiles-g-l/lvmpolld index 7c5852d67..7a4bc90b3 100644 --- a/apparmor.d/profiles-g-l/lvmpolld +++ b/apparmor.d/profiles-g-l/lvmpolld @@ -20,3 +20,5 @@ profile lvmpolld @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lxappearance b/apparmor.d/profiles-g-l/lxappearance index 5bb7dc92f..a400ef80c 100644 --- a/apparmor.d/profiles-g-l/lxappearance +++ b/apparmor.d/profiles-g-l/lxappearance @@ -67,3 +67,5 @@ profile lxappearance @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lynx b/apparmor.d/profiles-g-l/lynx index a9b3691d2..143472569 100644 --- a/apparmor.d/profiles-g-l/lynx +++ b/apparmor.d/profiles-g-l/lynx @@ -13,6 +13,8 @@ profile lynx @{exec_path} { include include include + include + include network inet dgram, network inet6 dgram, 
@@ -20,20 +22,21 @@ profile lynx @{exec_path} { network inet6 stream, @{exec_path} mr, - - /etc/lynx/{,*} r, - + @{sh_path} rix, + + /usr/share/terminfo/{,**} r, /usr/share/doc/lynx-common/** r, - /etc/mime.types r, - - @{sh_path} rix, + /etc/lynx.cfg r, + /etc/lynx.lss r, + /etc/lynx/{,**} r, /etc/mailcap r, + /etc/mime.types r, owner @{tmp}/lynxXXXX*/ rw, owner @{tmp}/lynxXXXX*/*TMP.html{,.gz} rw, - owner @{HOME}/ r, - include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/macchanger b/apparmor.d/profiles-m-r/macchanger index 7f0d334eb..8f4efc921 100644 --- a/apparmor.d/profiles-m-r/macchanger +++ b/apparmor.d/profiles-m-r/macchanger @@ -26,3 +26,5 @@ profile macchanger @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/man b/apparmor.d/profiles-m-r/man index c85b5e1d1..aa0195853 100644 --- a/apparmor.d/profiles-m-r/man +++ b/apparmor.d/profiles-m-r/man @@ -113,3 +113,5 @@ profile man_filter { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index 74cef2862..beeba50e8 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -36,3 +36,5 @@ profile mandb @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mate-notification-daemon b/apparmor.d/profiles-m-r/mate-notification-daemon index 7d3ea0192..871434151 100644 --- a/apparmor.d/profiles-m-r/mate-notification-daemon +++ b/apparmor.d/profiles-m-r/mate-notification-daemon @@ -15,4 +15,6 @@ profile mate-notification-daemon @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl index 4f1c54ac1..a2631c768 100644 --- a/apparmor.d/profiles-m-r/mdevctl +++ b/apparmor.d/profiles-m-r/mdevctl 
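Review bot: The temp-file rules kept in this hunk, `owner @{tmp}/lynxXXXX*/ rw,` and `owner @{tmp}/lynxXXXX*/*TMP.html{,.gz} rw,`, still use an open `*` for the random part of the name, so they match any directory whose name starts with `lynxXXXX`, not just the one lynx created. If lynx builds the name from an mkdtemp(3)-style template (the literal `lynxXXXX` prefix suggests the last six `X`s are the ones replaced), the suffix has a fixed width and a bounded tunable such as `@{rand6}` would pin it: `owner @{tmp}/lynxXXXX@{rand6}/ rw,` — verify the template width in lynx's source before changing it. The widening of `/etc/lynx/{,*} r,` to `/etc/lynx/{,**} r,` is unexplained; if it is because `lynx.cfg` can `INCLUDE` files from subdirectories, a one-line comment saying so (`# lynx.cfg may INCLUDE files below /etc/lynx/`) would keep the reason on record. The lynx profile closes inside this hunk, so no further rules are hidden from view.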
@@ -21,4 +21,6 @@ profile mdevctl @{exec_path} { @{PROC}/@{pids}/maps r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mediainfo b/apparmor.d/profiles-m-r/mediainfo index bd1d1e41a..bb7c2d59b 100644 --- a/apparmor.d/profiles-m-r/mediainfo +++ b/apparmor.d/profiles-m-r/mediainfo @@ -16,3 +16,5 @@ profile mediainfo @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mediainfo-gui b/apparmor.d/profiles-m-r/mediainfo-gui index 4315a8157..4648d4ddf 100644 --- a/apparmor.d/profiles-m-r/mediainfo-gui +++ b/apparmor.d/profiles-m-r/mediainfo-gui @@ -45,3 +45,5 @@ profile mediainfo-gui @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/megasync b/apparmor.d/profiles-m-r/megasync index bf26a1aa8..236041778 100644 --- a/apparmor.d/profiles-m-r/megasync +++ b/apparmor.d/profiles-m-r/megasync @@ -60,3 +60,5 @@ profile megasync @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/memtester b/apparmor.d/profiles-m-r/memtester index e25c98180..506892f0e 100644 --- a/apparmor.d/profiles-m-r/memtester +++ b/apparmor.d/profiles-m-r/memtester @@ -15,3 +15,5 @@ profile memtester @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/merkaartor b/apparmor.d/profiles-m-r/merkaartor index 6cd06a019..739d18e2f 100644 --- a/apparmor.d/profiles-m-r/merkaartor +++ b/apparmor.d/profiles-m-r/merkaartor @@ -57,3 +57,5 @@ profile merkaartor @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/metadata-cleaner b/apparmor.d/profiles-m-r/metadata-cleaner index 63bea0ac2..142ccb78a 100644 --- a/apparmor.d/profiles-m-r/metadata-cleaner +++ b/apparmor.d/profiles-m-r/metadata-cleaner 
@@ -60,4 +60,6 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { } include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index e65d07613..da56703c3 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -30,3 +30,5 @@ profile mimetype @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube index 3eecbb2bb..4d4d26655 100644 --- a/apparmor.d/profiles-m-r/minitube +++ b/apparmor.d/profiles-m-r/minitube @@ -96,3 +96,5 @@ profile minitube @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index b36117459..267fb9d1a 100644 --- a/apparmor.d/profiles-m-r/mission-control +++ b/apparmor.d/profiles-m-r/mission-control @@ -28,3 +28,5 @@ profile mission-control @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mke2fs b/apparmor.d/profiles-m-r/mke2fs index 4fc5c9d08..038de3c73 100644 --- a/apparmor.d/profiles-m-r/mke2fs +++ b/apparmor.d/profiles-m-r/mke2fs @@ -39,3 +39,5 @@ profile mke2fs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mkfs-btrfs b/apparmor.d/profiles-m-r/mkfs-btrfs index 48ba79bac..237fc8006 100644 --- a/apparmor.d/profiles-m-r/mkfs-btrfs +++ b/apparmor.d/profiles-m-r/mkfs-btrfs @@ -28,3 +28,5 @@ profile mkfs-btrfs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mkfs-fat b/apparmor.d/profiles-m-r/mkfs-fat index 68fc2aaae..d7f7a1cc9 100644 --- a/apparmor.d/profiles-m-r/mkfs-fat +++ b/apparmor.d/profiles-m-r/mkfs-fat @@ -22,3 +22,5 @@ profile mkfs-fat @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 304b5834f..30bc6afd9 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -59,7 +59,7 @@ profile mkinitramfs @{exec_path} { @{bin}/kmod rCx -> kmod, @{bin}/ldconfig rCx -> ldconfig, @{bin}/ldd rCx -> ldd, - @{lib}/ld-linux.so.2 rCx -> ldd, + @{lib}/ld-linux.so* rCx -> ldd, @{bin}/dpkg rPx -> child-dpkg, @{bin}/linux-version rPx, @@ -181,3 +181,5 @@ profile mkinitramfs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mkntfs b/apparmor.d/profiles-m-r/mkntfs index ee6153a83..ccfa5f4ed 100644 --- a/apparmor.d/profiles-m-r/mkntfs +++ b/apparmor.d/profiles-m-r/mkntfs @@ -20,3 +20,5 @@ profile mkntfs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mkswap b/apparmor.d/profiles-m-r/mkswap index 81cd835b1..4c732c2c6 100644 --- a/apparmor.d/profiles-m-r/mkswap +++ b/apparmor.d/profiles-m-r/mkswap @@ -24,3 +24,5 @@ profile mkswap @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mkvmerge b/apparmor.d/profiles-m-r/mkvmerge index 7350d7b7f..22251b87e 100644 --- a/apparmor.d/profiles-m-r/mkvmerge +++ b/apparmor.d/profiles-m-r/mkvmerge @@ -27,3 +27,5 @@ profile mkvmerge @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui index 63a978baf..595a24666 100644 --- a/apparmor.d/profiles-m-r/mkvtoolnix-gui +++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui @@ -66,3 +66,5 @@ profile mkvtoolnix-gui @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mlocate b/apparmor.d/profiles-m-r/mlocate index 6d2d33c9e..08fdee129 100644 --- a/apparmor.d/profiles-m-r/mlocate +++ b/apparmor.d/profiles-m-r/mlocate 
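Review bot: `@{lib}/ld-linux.so* rCx -> ldd,` only covers loaders named `ld-linux.so.N`; the 64-bit and hard-float loaders are `ld-linux-x86-64.so.2`, `ld-linux-aarch64.so.1` and `ld-linux-armhf.so.3`, which the `-<arch>` infix keeps out of this match, so on those systems the exec of the loader from ldd's child path presumably still has no matching rule. A pattern that admits both shapes, `@{lib}/ld-linux{,-*}.so.@{int} rCx -> ldd,`, keeps the generalisation this commit is after and still forces the transition into the confined `ldd` child, which matters because the dynamic loader can be told to run any binary. The mkinitramfs profile continues outside this hunk, so check whether a rule for the arch-suffixed loaders already exists further down before adding one.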
@@ -21,3 +21,5 @@ profile mlocate @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index 9e84ee501..29125f192 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -42,4 +42,6 @@ profile modprobed-db @{exec_path} { /dev/tty rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/molly-guard b/apparmor.d/profiles-m-r/molly-guard index c6eb2a2ac..d75a5092b 100644 --- a/apparmor.d/profiles-m-r/molly-guard +++ b/apparmor.d/profiles-m-r/molly-guard @@ -41,4 +41,6 @@ profile molly-guard @{exec_path} { } include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index 88699a37b..cb220a7b6 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -105,3 +105,5 @@ profile monitorix @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mono-sgen b/apparmor.d/profiles-m-r/mono-sgen index 72891c7bf..e010a83d7 100644 --- a/apparmor.d/profiles-m-r/mono-sgen +++ b/apparmor.d/profiles-m-r/mono-sgen @@ -44,3 +44,5 @@ profile mono-sgen @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount index 7c48c4d85..f122b8f27 100644 --- a/apparmor.d/profiles-m-r/mount +++ b/apparmor.d/profiles-m-r/mount @@ -69,3 +69,5 @@ profile mount @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/profiles-m-r/mount-cifs index 94a523e8f..bbadcc7e0 100644 --- a/apparmor.d/profiles-m-r/mount-cifs +++ b/apparmor.d/profiles-m-r/mount-cifs @@ -46,3 +46,5 @@ profile mount-cifs @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-m-r/mount-nfs b/apparmor.d/profiles-m-r/mount-nfs index 9e7a488d4..698f350ce 100644 --- a/apparmor.d/profiles-m-r/mount-nfs +++ b/apparmor.d/profiles-m-r/mount-nfs @@ -70,3 +70,5 @@ profile mount-nfs @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs index d2efa3054..bc47f0a30 100644 --- a/apparmor.d/profiles-m-r/mount-zfs +++ b/apparmor.d/profiles-m-r/mount-zfs @@ -44,3 +44,5 @@ profile mount-zfs @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mpd b/apparmor.d/profiles-m-r/mpd index e222681be..14a6c4acf 100644 --- a/apparmor.d/profiles-m-r/mpd +++ b/apparmor.d/profiles-m-r/mpd @@ -47,3 +47,5 @@ profile mpd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mpsyt b/apparmor.d/profiles-m-r/mpsyt index 71f1e4cf9..46f239fce 100644 --- a/apparmor.d/profiles-m-r/mpsyt +++ b/apparmor.d/profiles-m-r/mpsyt @@ -58,3 +58,5 @@ profile mpsyt @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv index 23aa2b9a1..1629176dd 100644 --- a/apparmor.d/profiles-m-r/mpv +++ b/apparmor.d/profiles-m-r/mpv @@ -107,3 +107,5 @@ profile mpv @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mtools b/apparmor.d/profiles-m-r/mtools index b19df6cc7..75c95fffd 100644 --- a/apparmor.d/profiles-m-r/mtools +++ b/apparmor.d/profiles-m-r/mtools @@ -31,3 +31,5 @@ profile mtools @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mtr b/apparmor.d/profiles-m-r/mtr index 00d4c0629..5b341d8f5 100644 --- a/apparmor.d/profiles-m-r/mtr +++ b/apparmor.d/profiles-m-r/mtr @@ -28,3 +28,5 @@ profile mtr @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-m-r/mtr-packet b/apparmor.d/profiles-m-r/mtr-packet index 2605b9e25..4bf15b7d5 100644 --- a/apparmor.d/profiles-m-r/mtr-packet +++ b/apparmor.d/profiles-m-r/mtr-packet @@ -26,3 +26,5 @@ profile mtr-packet @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup index befffe09f..db29113ce 100644 --- a/apparmor.d/profiles-m-r/mullvad-setup +++ b/apparmor.d/profiles-m-r/mullvad-setup @@ -19,4 +19,6 @@ profile mullvad-setup @{exec_path} { deny network inet6 stream, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/multipath b/apparmor.d/profiles-m-r/multipath index a571e233d..918e5a0c2 100644 --- a/apparmor.d/profiles-m-r/multipath +++ b/apparmor.d/profiles-m-r/multipath @@ -32,4 +32,6 @@ profile multipath @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/fs/nr_open r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/multipathd b/apparmor.d/profiles-m-r/multipathd index dffcde3cc..510fb3417 100644 --- a/apparmor.d/profiles-m-r/multipathd +++ b/apparmor.d/profiles-m-r/multipathd @@ -42,4 +42,6 @@ profile multipathd @{exec_path} { /dev/mapper/control rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mumble b/apparmor.d/profiles-m-r/mumble index 6608498b7..879d2b9bf 100644 --- a/apparmor.d/profiles-m-r/mumble +++ b/apparmor.d/profiles-m-r/mumble @@ -64,3 +64,5 @@ profile mumble @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mumble-overlay b/apparmor.d/profiles-m-r/mumble-overlay index 07f5a0107..61b287329 100644 --- a/apparmor.d/profiles-m-r/mumble-overlay +++ b/apparmor.d/profiles-m-r/mumble-overlay @@ -24,3 +24,5 @@ profile mumble-overlay @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-m-r/murmurd b/apparmor.d/profiles-m-r/murmurd index f9ee44271..aca74e562 100644 --- a/apparmor.d/profiles-m-r/murmurd +++ b/apparmor.d/profiles-m-r/murmurd @@ -43,3 +43,5 @@ profile murmurd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt index 27060bf3c..1ed63e68e 100644 --- a/apparmor.d/profiles-m-r/mutt +++ b/apparmor.d/profiles-m-r/mutt @@ -157,3 +157,5 @@ profile mutt @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index d01c714f6..e3222d2ff 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -83,3 +83,5 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke index addce84cb..805f69678 100644 --- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke +++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke @@ -23,4 +23,6 @@ profile needrestart-apt-pinvoke @{exec_path} { @{run}/needrestart/{,**} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-dpkg-status b/apparmor.d/profiles-m-r/needrestart-dpkg-status index 1de2b3200..fff97e67c 100644 --- a/apparmor.d/profiles-m-r/needrestart-dpkg-status +++ b/apparmor.d/profiles-m-r/needrestart-dpkg-status @@ -22,4 +22,6 @@ profile needrestart-dpkg-status @{exec_path} { @{run}/needrestart/{,**} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index 30a7bb801..37dd180c3 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions 
+++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -35,3 +35,5 @@ profile needrestart-iucode-scan-versions @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nemo b/apparmor.d/profiles-m-r/nemo index 56c2a960f..f28d053cd 100644 --- a/apparmor.d/profiles-m-r/nemo +++ b/apparmor.d/profiles-m-r/nemo @@ -26,3 +26,5 @@ profile nemo @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/netcap b/apparmor.d/profiles-m-r/netcap index 91de9da81..d1e5a2852 100644 --- a/apparmor.d/profiles-m-r/netcap +++ b/apparmor.d/profiles-m-r/netcap @@ -32,3 +32,5 @@ profile netcap @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nethogs b/apparmor.d/profiles-m-r/nethogs index 22fc63a36..e39e64621 100644 --- a/apparmor.d/profiles-m-r/nethogs +++ b/apparmor.d/profiles-m-r/nethogs @@ -31,3 +31,5 @@ profile nethogs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/netstat b/apparmor.d/profiles-m-r/netstat index 12060ddb8..039109ea2 100644 --- a/apparmor.d/profiles-m-r/netstat +++ b/apparmor.d/profiles-m-r/netstat @@ -47,3 +47,5 @@ profile netstat @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/newgidmap b/apparmor.d/profiles-m-r/newgidmap index 9c6303bef..9398350e1 100644 --- a/apparmor.d/profiles-m-r/newgidmap +++ b/apparmor.d/profiles-m-r/newgidmap @@ -26,4 +26,6 @@ profile newgidmap @{exec_path} { @{PROC}/@{pids}/gid_map w, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/newgrp b/apparmor.d/profiles-m-r/newgrp index 836da42f9..1878b9b5e 100644 --- a/apparmor.d/profiles-m-r/newgrp +++ b/apparmor.d/profiles-m-r/newgrp @@ -31,3 +31,5 @@ profile newgrp @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-m-r/newuidmap b/apparmor.d/profiles-m-r/newuidmap index b2d0a5e16..eeba22557 100644 --- a/apparmor.d/profiles-m-r/newuidmap +++ b/apparmor.d/profiles-m-r/newuidmap @@ -26,4 +26,6 @@ profile newuidmap @{exec_path} { @{PROC}/@{pids}/uid_map w, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nfsdcld b/apparmor.d/profiles-m-r/nfsdcld index 52223b8f1..a02e226c6 100644 --- a/apparmor.d/profiles-m-r/nfsdcld +++ b/apparmor.d/profiles-m-r/nfsdcld @@ -22,4 +22,6 @@ profile nfsdcld @{exec_path} { /var/lib/nfs/rpc_pipefs/nfsd/* rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nft b/apparmor.d/profiles-m-r/nft index caa99aa4d..50ee826cf 100644 --- a/apparmor.d/profiles-m-r/nft +++ b/apparmor.d/profiles-m-r/nft @@ -30,3 +30,5 @@ profile nft @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nmap b/apparmor.d/profiles-m-r/nmap index 4a40f4180..0eb1eceba 100644 --- a/apparmor.d/profiles-m-r/nmap +++ b/apparmor.d/profiles-m-r/nmap @@ -47,3 +47,5 @@ profile nmap @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nologin b/apparmor.d/profiles-m-r/nologin index 431ca92b3..fad964b64 100644 --- a/apparmor.d/profiles-m-r/nologin +++ b/apparmor.d/profiles-m-r/nologin @@ -17,4 +17,6 @@ profile nologin @{exec_path} { owner @{PROC}/@{pid}/loginuid r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nslookup b/apparmor.d/profiles-m-r/nslookup index 1cf1ec1fd..9ee225d9d 100644 --- a/apparmor.d/profiles-m-r/nslookup +++ b/apparmor.d/profiles-m-r/nslookup @@ -23,3 +23,5 @@ profile nslookup @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfs-3g b/apparmor.d/profiles-m-r/ntfs-3g index bf6fda62f..e5ae871b6 100644 
--- a/apparmor.d/profiles-m-r/ntfs-3g +++ b/apparmor.d/profiles-m-r/ntfs-3g @@ -55,3 +55,5 @@ profile ntfs-3g @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfs-3g-probe b/apparmor.d/profiles-m-r/ntfs-3g-probe index 1b3d84d48..ef870e0f0 100644 --- a/apparmor.d/profiles-m-r/ntfs-3g-probe +++ b/apparmor.d/profiles-m-r/ntfs-3g-probe @@ -18,3 +18,5 @@ profile ntfs-3g-probe @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfscat b/apparmor.d/profiles-m-r/ntfscat index cba96e5ef..069a597e9 100644 --- a/apparmor.d/profiles-m-r/ntfscat +++ b/apparmor.d/profiles-m-r/ntfscat @@ -20,3 +20,5 @@ profile ntfscat @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfsclone b/apparmor.d/profiles-m-r/ntfsclone index 871cd69d6..06fe65684 100644 --- a/apparmor.d/profiles-m-r/ntfsclone +++ b/apparmor.d/profiles-m-r/ntfsclone @@ -26,3 +26,5 @@ profile ntfsclone @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfscluster b/apparmor.d/profiles-m-r/ntfscluster index fb5406347..62aff85c8 100644 --- a/apparmor.d/profiles-m-r/ntfscluster +++ b/apparmor.d/profiles-m-r/ntfscluster @@ -20,3 +20,5 @@ profile ntfscluster @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfscmp b/apparmor.d/profiles-m-r/ntfscmp index 2df16e98e..c5ecddc5f 100644 --- a/apparmor.d/profiles-m-r/ntfscmp +++ b/apparmor.d/profiles-m-r/ntfscmp @@ -20,3 +20,5 @@ profile ntfscmp @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfscp b/apparmor.d/profiles-m-r/ntfscp index 323848b52..3beeb2b7a 100644 --- a/apparmor.d/profiles-m-r/ntfscp +++ b/apparmor.d/profiles-m-r/ntfscp @@ -27,3 +27,5 @@ profile ntfscp @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-m-r/ntfsdecrypt b/apparmor.d/profiles-m-r/ntfsdecrypt index 4a9e437b8..e7ffe3188 100644 --- a/apparmor.d/profiles-m-r/ntfsdecrypt +++ b/apparmor.d/profiles-m-r/ntfsdecrypt @@ -22,3 +22,5 @@ profile ntfsdecrypt @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfsfallocate b/apparmor.d/profiles-m-r/ntfsfallocate index 03d346e80..670092820 100644 --- a/apparmor.d/profiles-m-r/ntfsfallocate +++ b/apparmor.d/profiles-m-r/ntfsfallocate @@ -20,3 +20,5 @@ profile ntfsfallocate @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfsfix b/apparmor.d/profiles-m-r/ntfsfix index 513985be5..179b3b7a9 100644 --- a/apparmor.d/profiles-m-r/ntfsfix +++ b/apparmor.d/profiles-m-r/ntfsfix @@ -20,3 +20,5 @@ profile ntfsfix @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfsinfo b/apparmor.d/profiles-m-r/ntfsinfo index 808723b00..3156e7004 100644 --- a/apparmor.d/profiles-m-r/ntfsinfo +++ b/apparmor.d/profiles-m-r/ntfsinfo @@ -20,3 +20,5 @@ profile ntfsinfo @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfslabel b/apparmor.d/profiles-m-r/ntfslabel index 4c780e65c..6eee15ef8 100644 --- a/apparmor.d/profiles-m-r/ntfslabel +++ b/apparmor.d/profiles-m-r/ntfslabel @@ -20,3 +20,5 @@ profile ntfslabel @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfsls b/apparmor.d/profiles-m-r/ntfsls index 7b0f63c53..56c2c28de 100644 --- a/apparmor.d/profiles-m-r/ntfsls +++ b/apparmor.d/profiles-m-r/ntfsls @@ -20,3 +20,5 @@ profile ntfsls @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfsmove b/apparmor.d/profiles-m-r/ntfsmove index f1263c8b6..876113c98 100644 --- a/apparmor.d/profiles-m-r/ntfsmove +++ b/apparmor.d/profiles-m-r/ntfsmove 
@@ -20,3 +20,5 @@ profile ntfsmove @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfsrecover b/apparmor.d/profiles-m-r/ntfsrecover index 971eea643..43de112c1 100644 --- a/apparmor.d/profiles-m-r/ntfsrecover +++ b/apparmor.d/profiles-m-r/ntfsrecover @@ -20,3 +20,5 @@ profile ntfsrecover @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfsresize b/apparmor.d/profiles-m-r/ntfsresize index f6c2608fc..e0e8f58d2 100644 --- a/apparmor.d/profiles-m-r/ntfsresize +++ b/apparmor.d/profiles-m-r/ntfsresize @@ -20,3 +20,5 @@ profile ntfsresize @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfssecaudit b/apparmor.d/profiles-m-r/ntfssecaudit index a1a0add39..ee38f60a0 100644 --- a/apparmor.d/profiles-m-r/ntfssecaudit +++ b/apparmor.d/profiles-m-r/ntfssecaudit @@ -21,3 +21,5 @@ profile ntfssecaudit @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfstruncate b/apparmor.d/profiles-m-r/ntfstruncate index a5d9aea5c..c9dec413a 100644 --- a/apparmor.d/profiles-m-r/ntfstruncate +++ b/apparmor.d/profiles-m-r/ntfstruncate @@ -20,3 +20,5 @@ profile ntfstruncate @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfsundelete b/apparmor.d/profiles-m-r/ntfsundelete index 5b066d3f1..a01876961 100644 --- a/apparmor.d/profiles-m-r/ntfsundelete +++ b/apparmor.d/profiles-m-r/ntfsundelete @@ -24,3 +24,5 @@ profile ntfsundelete @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ntfsusermap b/apparmor.d/profiles-m-r/ntfsusermap index 056207ccd..acc6e8bbc 100644 --- a/apparmor.d/profiles-m-r/ntfsusermap +++ b/apparmor.d/profiles-m-r/ntfsusermap @@ -25,3 +25,5 @@ profile ntfsusermap @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-m-r/ntfswipe b/apparmor.d/profiles-m-r/ntfswipe index 1c9a62f3d..1471e1d27 100644 --- a/apparmor.d/profiles-m-r/ntfswipe +++ b/apparmor.d/profiles-m-r/ntfswipe @@ -20,3 +20,5 @@ profile ntfswipe @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nullmailer-send b/apparmor.d/profiles-m-r/nullmailer-send index efc10f9de..e27e15429 100644 --- a/apparmor.d/profiles-m-r/nullmailer-send +++ b/apparmor.d/profiles-m-r/nullmailer-send @@ -22,4 +22,6 @@ profile nullmailer-send @{exec_path} { /var/spool/nullmailer/{,**} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/numlockx b/apparmor.d/profiles-m-r/numlockx index 672f33417..25903ed8b 100644 --- a/apparmor.d/profiles-m-r/numlockx +++ b/apparmor.d/profiles-m-r/numlockx @@ -21,3 +21,5 @@ profile numlockx @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nvidia-detector b/apparmor.d/profiles-m-r/nvidia-detector index a29711965..b0465ef85 100644 --- a/apparmor.d/profiles-m-r/nvidia-detector +++ b/apparmor.d/profiles-m-r/nvidia-detector @@ -14,3 +14,5 @@ profile nvidia-detector @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nvidia-persistenced b/apparmor.d/profiles-m-r/nvidia-persistenced index da68f30e2..33dac3dba 100644 --- a/apparmor.d/profiles-m-r/nvidia-persistenced +++ b/apparmor.d/profiles-m-r/nvidia-persistenced @@ -25,3 +25,5 @@ profile nvidia-persistenced @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings index fa4c52f4c..d4bda6123 100644 --- a/apparmor.d/profiles-m-r/nvidia-settings +++ b/apparmor.d/profiles-m-r/nvidia-settings 
@@ -18,4 +18,6 @@ profile nvidia-settings @{exec_path} { /usr/share/pixmaps/{,**} r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index 0448b8db8..54c9c5959 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -48,4 +48,6 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { /dev/nvidia-caps/nvidia-cap@{int} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/obamenu b/apparmor.d/profiles-m-r/obamenu index a5768aa00..070ac10af 100644 --- a/apparmor.d/profiles-m-r/obamenu +++ b/apparmor.d/profiles-m-r/obamenu @@ -26,3 +26,5 @@ profile obamenu @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/obconf b/apparmor.d/profiles-m-r/obconf index f3a4c9d37..37e94369e 100644 --- a/apparmor.d/profiles-m-r/obconf +++ b/apparmor.d/profiles-m-r/obconf @@ -38,3 +38,5 @@ profile obconf @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/obex-folder-listing b/apparmor.d/profiles-m-r/obex-folder-listing index af0fda673..7aa4070c5 100644 --- a/apparmor.d/profiles-m-r/obex-folder-listing +++ b/apparmor.d/profiles-m-r/obex-folder-listing @@ -22,3 +22,5 @@ profile obex-folder-listing @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/obexautofs b/apparmor.d/profiles-m-r/obexautofs index 091a1df08..972829890 100644 --- a/apparmor.d/profiles-m-r/obexautofs +++ b/apparmor.d/profiles-m-r/obexautofs @@ -56,3 +56,5 @@ profile obexautofs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/obexctl b/apparmor.d/profiles-m-r/obexctl index b6e78eff1..d87243b75 100644 --- a/apparmor.d/profiles-m-r/obexctl +++ b/apparmor.d/profiles-m-r/obexctl 
@@ -20,3 +20,5 @@ profile obexctl @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/obexd b/apparmor.d/profiles-m-r/obexd index cb9f00b0d..9043489eb 100644 --- a/apparmor.d/profiles-m-r/obexd +++ b/apparmor.d/profiles-m-r/obexd @@ -33,3 +33,5 @@ profile obexd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/obexfs b/apparmor.d/profiles-m-r/obexfs index 24c4063e5..4a746ecf1 100644 --- a/apparmor.d/profiles-m-r/obexfs +++ b/apparmor.d/profiles-m-r/obexfs @@ -52,3 +52,5 @@ profile obexfs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/obexpush-atd b/apparmor.d/profiles-m-r/obexpush-atd index 3ea806849..17b0a2d37 100644 --- a/apparmor.d/profiles-m-r/obexpush-atd +++ b/apparmor.d/profiles-m-r/obexpush-atd @@ -15,3 +15,5 @@ profile obexpush-atd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/obexpushd b/apparmor.d/profiles-m-r/obexpushd index c6f4b6db7..33a922f41 100644 --- a/apparmor.d/profiles-m-r/obexpushd +++ b/apparmor.d/profiles-m-r/obexpushd @@ -26,3 +26,5 @@ profile obexpushd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/obxprop b/apparmor.d/profiles-m-r/obxprop index 4a1688e70..724f83de7 100644 --- a/apparmor.d/profiles-m-r/obxprop +++ b/apparmor.d/profiles-m-r/obxprop @@ -20,3 +20,5 @@ profile obxprop @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/odt2txt b/apparmor.d/profiles-m-r/odt2txt new file mode 100644 index 000000000..9be8b8642 --- /dev/null +++ b/apparmor.d/profiles-m-r/odt2txt @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/odt2txt +profile odt2txt @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} 
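Review bot: The new `odt2txt` profile is the one file in this commit that does not end with the `# vim:syntax=apparmor` modeline the rest of the change adds to every profile; append `+# vim:syntax=apparmor` after the closing `}` so the new file follows the convention being introduced here. Beyond `@{exec_path} mr,` the profile grants only two includes whose names are not visible in this rendering, so it cannot be told from the hunk whether odt2txt may read the user's `.odt` input files (it has to open the document it is asked to convert) — worth a quick run in complain mode against a real document before the profile is shipped enforcing. A one-line header comment naming the tool would also help the next reader, e.g. `# odt2txt: dumps the text content of an OpenDocument file to stdout`.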
diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power index d5248795f..d9b5a412e 100644 --- a/apparmor.d/profiles-m-r/on-ac-power +++ b/apparmor.d/profiles-m-r/on-ac-power @@ -29,3 +29,5 @@ profile on-ac-power @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/onefetch b/apparmor.d/profiles-m-r/onefetch index 02618d169..84a68634c 100644 --- a/apparmor.d/profiles-m-r/onefetch +++ b/apparmor.d/profiles-m-r/onefetch @@ -23,4 +23,6 @@ profile onefetch @{exec_path} { owner @{PROC}/@{pid}/stat r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox index 4788f38c6..ac0831f05 100644 --- a/apparmor.d/profiles-m-r/openbox +++ b/apparmor.d/profiles-m-r/openbox @@ -87,3 +87,5 @@ profile openbox @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/openbox-session b/apparmor.d/profiles-m-r/openbox-session index 185984063..61666f756 100644 --- a/apparmor.d/profiles-m-r/openbox-session +++ b/apparmor.d/profiles-m-r/openbox-session @@ -26,3 +26,5 @@ profile openbox-session @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/orage b/apparmor.d/profiles-m-r/orage index ee04dda66..571532b4f 100644 --- a/apparmor.d/profiles-m-r/orage +++ b/apparmor.d/profiles-m-r/orage @@ -69,3 +69,5 @@ profile orage @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index 5333bc944..819c4c9bd 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -75,3 +75,5 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 972d45265..b61426196 100644 
--- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -153,3 +153,5 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pacmd b/apparmor.d/profiles-m-r/pacmd index 9ebb1b1a0..752c3edd7 100644 --- a/apparmor.d/profiles-m-r/pacmd +++ b/apparmor.d/profiles-m-r/pacmd @@ -30,3 +30,5 @@ profile pacmd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pactl b/apparmor.d/profiles-m-r/pactl index 551dc7a9a..2f8092a02 100644 --- a/apparmor.d/profiles-m-r/pactl +++ b/apparmor.d/profiles-m-r/pactl @@ -31,3 +31,5 @@ profile pactl @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pagesize b/apparmor.d/profiles-m-r/pagesize index 64e575927..f6615a71e 100644 --- a/apparmor.d/profiles-m-r/pagesize +++ b/apparmor.d/profiles-m-r/pagesize @@ -18,3 +18,5 @@ profile pagesize @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 48af5a9f3..3d805f24c 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -64,3 +64,5 @@ profile pam-auth-update @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pam-tmpdir-helper b/apparmor.d/profiles-m-r/pam-tmpdir-helper index 1c0836c1f..983ca7d42 100644 --- a/apparmor.d/profiles-m-r/pam-tmpdir-helper +++ b/apparmor.d/profiles-m-r/pam-tmpdir-helper @@ -22,4 +22,6 @@ profile pam-tmpdir-helper @{exec_path} { /dev/tty@{int} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pam/mappings b/apparmor.d/profiles-m-r/pam/mappings index 0f9d039fd..cbcb539ed 100644 --- a/apparmor.d/profiles-m-r/pam/mappings +++ b/apparmor.d/profiles-m-r/pam/mappings 
@@ -68,3 +68,5 @@ include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/parted b/apparmor.d/profiles-m-r/parted index bd0238323..9408674f8 100644 --- a/apparmor.d/profiles-m-r/parted +++ b/apparmor.d/profiles-m-r/parted @@ -12,63 +12,37 @@ profile parted @{exec_path} { include include - # Needed to inform the system of newly created/removed partitions - # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) - # - # Error: Partition(s) * on /dev/sd* have been written, but we have been unable to inform the - # kernel of the change, probably because it/they are in use. As a result, the old partition(s) - # will remain in use. You should reboot now before making further changes. capability sys_admin, - - # Needed? (#FIXME#) capability sys_rawio, - # Needed? - ptrace (read), + ptrace read, @{exec_path} mr, @{sh_path} rix, @{bin}/udevadm rCx -> udevadm, - - @{bin}/dmidecode rPx, + @{bin}/dmidecode rPx, /etc/inputrc r, - # Image files owner @{user_img_dirs}/{,**} rwk, @{PROC}/devices r, @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, - /dev/mapper/ r, - /dev/mapper/control rw, - profile udevadm { include + include + include - ptrace (read), - - @{bin}/udevadm mr, - - /etc/udev/udev.conf r, - - @{PROC}/1/cgroup r, - @{PROC}/1/environ r, - @{PROC}/1/sched r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/random/boot_id r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/stat r, - - # file_inherit - include # lots of files in this abstraction get inherited owner @{user_img_dirs}/{,**} rwk, + include if exists } include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/partprobe b/apparmor.d/profiles-m-r/partprobe index 27edebbf5..9e384c66c 100644 --- a/apparmor.d/profiles-m-r/partprobe +++ b/apparmor.d/profiles-m-r/partprobe 
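Review bot: The removed comments were the only record of why parted holds `capability sys_admin` and `capability sys_rawio`; after this hunk the profile grants two of the most powerful capabilities with no rationale at all. Keep a one-line why-comment above `capability sys_admin,`, e.g. `# sys_admin: BLKRRPART ioctl to re-read the partition table after writing it`, and let the old `# Needed? (#FIXME#)` marker survive above `sys_rawio` rather than silently turning an open question into an unquestioned grant. The hunk also drops `/dev/mapper/ r` and `/dev/mapper/control rw` from the main profile; unless the replacement includes (their names are not visible on this page) provide them, parted on LVM or dm-crypt backed disks will be denied the device-mapper control node. The same points apply to the partprobe hunk that follows, where the removed comments explicitly tied both capabilities to device-mapper ioctls and `/dev/mapper/control rw` is removed from both the main profile and the udevadm subprofile.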
@@ -12,58 +12,31 @@ profile partprobe @{exec_path} { include include - # To remove the following errors: - # device-mapper: version ioctl on failed: Permission denied - # Incompatible libdevmapper 1.02.167 (2019-11-30) and kernel driver (unknown version). capability sys_admin, - - # To remove the following errors: - # kernel: device-mapper: core: partprobe: sending ioctl 1261 to DM device without required - # privilege. capability sys_rawio, - # Needed? - ptrace (read), + ptrace read, @{exec_path} mr, @{sh_path} rix, @{bin}/udevadm rCx -> udevadm, + @{bin}/dmidecode rPx, - @{bin}/dmidecode rPx, - - owner @{PROC}/@{pid}/mounts r, - @{PROC}/swaps r, @{PROC}/devices r, - - /dev/mapper/ r, - /dev/mapper/control rw, - + @{PROC}/swaps r, + owner @{PROC}/@{pid}/mounts r, profile udevadm { include + include + include - ptrace (read), - - @{bin}/udevadm mr, - - /etc/udev/udev.conf r, - - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/cgroup r, - @{PROC}/cmdline r, - @{PROC}/1/sched r, - @{PROC}/1/environ r, - @{PROC}/1/cgroup r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/random/boot_id r, - - # file_inherit - include # lots of files in this abstraction get inherited - /dev/mapper/control rw, - + include if exists } include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 1dbcac174..724bd8f38 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -157,3 +157,5 @@ profile pass @{exec_path} { include if exists include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index d2ad4fd91..655804ccc 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -9,8 +9,10 @@ include @{exec_path} = @{bin}/pimport profile pass-import @{exec_path} { include - include + include include + include + include network inet dgram, network inet6 dgram, 
@@ -39,3 +41,5 @@ profile pass-import @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/passimd b/apparmor.d/profiles-m-r/passimd index 2ead4d034..8afbac8e5 100644 --- a/apparmor.d/profiles-m-r/passimd +++ b/apparmor.d/profiles-m-r/passimd @@ -34,4 +34,6 @@ profile passimd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cmdline r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/passwd b/apparmor.d/profiles-m-r/passwd index 99d20eb10..f37f5651d 100644 --- a/apparmor.d/profiles-m-r/passwd +++ b/apparmor.d/profiles-m-r/passwd @@ -42,3 +42,5 @@ profile passwd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pavucontrol b/apparmor.d/profiles-m-r/pavucontrol index ad6d92aac..de3782b09 100644 --- a/apparmor.d/profiles-m-r/pavucontrol +++ b/apparmor.d/profiles-m-r/pavucontrol @@ -32,3 +32,5 @@ profile pavucontrol @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pcb-gtk b/apparmor.d/profiles-m-r/pcb-gtk index 9ff0fbcdd..99ad50a64 100644 --- a/apparmor.d/profiles-m-r/pcb-gtk +++ b/apparmor.d/profiles-m-r/pcb-gtk @@ -43,3 +43,5 @@ profile pcb-gtk @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index c4b5cb689..085061b15 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -35,3 +35,5 @@ profile pcscd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdftotext b/apparmor.d/profiles-m-r/pdftotext new file mode 100644 index 000000000..9980cff64 --- /dev/null +++ b/apparmor.d/profiles-m-r/pdftotext 
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 valoq
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/pdftotext
+profile pdftotext @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/poppler/{,**} r,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-m-r/picom b/apparmor.d/profiles-m-r/picom
index baaa80dea..124d5c9c3 100644
--- a/apparmor.d/profiles-m-r/picom
+++ b/apparmor.d/profiles-m-r/picom
@@ -37,3 +37,5 @@ profile picom @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/pidof b/apparmor.d/profiles-m-r/pidof
index ba557f810..e2ea46e57 100644
--- a/apparmor.d/profiles-m-r/pidof
+++ b/apparmor.d/profiles-m-r/pidof
@@ -30,4 +30,6 @@ profile pidof @{exec_path} {
 owner /dev/tty@{int} rw,
 include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/pinentry b/apparmor.d/profiles-m-r/pinentry
index 3606078b7..c30bc5def 100644
--- a/apparmor.d/profiles-m-r/pinentry
+++ b/apparmor.d/profiles-m-r/pinentry
@@ -19,4 +19,6 @@ profile pinentry @{exec_path} {
 /etc/pinentry/preexec r,
 include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/pinentry-curses b/apparmor.d/profiles-m-r/pinentry-curses
index b9d53352f..1fd585f47 100644
--- a/apparmor.d/profiles-m-r/pinentry-curses
+++ b/apparmor.d/profiles-m-r/pinentry-curses
@@ -18,4 +18,6 @@ profile pinentry-curses @{exec_path} {
 /usr/share/terminfo/** r,
 include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3
index 5da9358bf..d6fc0abb0 100644
--- a/apparmor.d/profiles-m-r/pinentry-gnome3
+++ b/apparmor.d/profiles-m-r/pinentry-gnome3
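Review bot: The new pdftotext profile grants only `@{exec_path} mr` and `/usr/share/poppler/{,**} r`, so access to the PDF being converted and to the text file it writes depends entirely on the two included abstractions, whose names are not visible on this page; if they do not cover user documents the tool fails on its basic use, and a reader of the profile cannot tell where that access is meant to come from. A tight profile is the right call for a parser of untrusted documents, so rather than adding rules, record the intent with one comment above the first include, e.g. `# read/write access to the documents being converted comes from the included abstractions`. The file also lacks the `# vim:syntax=apparmor` modeline that this commit adds to every other profile.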
@@ -18,4 +18,6 @@ profile pinentry-gnome3 @{exec_path} { owner @{PROC}/@{pid}/cmdline r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pinentry-gtk-2 b/apparmor.d/profiles-m-r/pinentry-gtk-2 index c139e2e2b..efad3a6f1 100644 --- a/apparmor.d/profiles-m-r/pinentry-gtk-2 +++ b/apparmor.d/profiles-m-r/pinentry-gtk-2 @@ -23,3 +23,5 @@ profile pinentry-gtk-2 @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pinentry-kwallet b/apparmor.d/profiles-m-r/pinentry-kwallet index 612f68851..235c256a7 100644 --- a/apparmor.d/profiles-m-r/pinentry-kwallet +++ b/apparmor.d/profiles-m-r/pinentry-kwallet @@ -51,3 +51,5 @@ profile pinentry-kwallet @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index ae157744e..947350b8a 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt @@ -48,3 +48,5 @@ profile pinentry-qt @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pkcs11-register b/apparmor.d/profiles-m-r/pkcs11-register index 3ca20d326..c8238688e 100644 --- a/apparmor.d/profiles-m-r/pkcs11-register +++ b/apparmor.d/profiles-m-r/pkcs11-register @@ -12,8 +12,7 @@ profile pkcs11-register @{exec_path} { @{exec_path} mr, - /etc/opensc.conf r, - /etc/opensc/opensc.conf r, + /etc/{,opensc/}opensc.conf r, owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, owner @{HOME}/.mozilla/firefox/profiles.ini r, @@ -23,3 +22,5 @@ profile pkcs11-register @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index 417ca76fd..923d955af 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec 
@@ -37,12 +37,11 @@ profile pkexec @{exec_path} { # Apps to be run via pkexec @{bin}/* rPUx, + @{lib}/{,gvfs/}gvfsd-admin rPx, @{lib}/cc-remote-login-helper rPx, - @{lib}/gvfs/gvfsd-admin rPUx, #(#FIXME#) - @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, - @{lib}/polkit-agent-helper-[0-9] rPx, @{lib}/update-notifier/package-system-locked rPx, /usr/share/apport/apport-gtk rPx, + #aa:exec polkit-agent-helper @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*} r, @@ -59,7 +58,9 @@ profile pkexec @{exec_path} { owner @{HOME}/.xsession-errors w, # Silencer -deny @{user_share_dirs}/gvfs-metadata/* r, + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/profiles-m-r/pkttyagent index ce290da5f..68c85487b 100644 --- a/apparmor.d/profiles-m-r/pkttyagent +++ b/apparmor.d/profiles-m-r/pkttyagent @@ -33,3 +33,5 @@ profile pkttyagent @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/plank b/apparmor.d/profiles-m-r/plank index f94da07a7..77bad6788 100644 --- a/apparmor.d/profiles-m-r/plank +++ b/apparmor.d/profiles-m-r/plank @@ -24,3 +24,5 @@ profile plank @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/plocate b/apparmor.d/profiles-m-r/plocate index 21a27e43e..e66d0c14c 100644 --- a/apparmor.d/profiles-m-r/plocate +++ b/apparmor.d/profiles-m-r/plocate @@ -22,3 +22,5 @@ profile plocate @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/plocate-build b/apparmor.d/profiles-m-r/plocate-build index 615baabe5..5e81be8a3 100644 --- a/apparmor.d/profiles-m-r/plocate-build +++ b/apparmor.d/profiles-m-r/plocate-build @@ -20,3 +20,5 @@ profile plocate-build @{exec_path} { include if exists } + +# vim:syntax=apparmor 
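Review bot: `#aa:exec polkit-agent-helper` replaces two explicit `rPx` rules for the setuid polkit-agent-helper, but the transition mode the directive expands to is not visible here; confirm the generated rule is a `P` (profile required, environment scrubbed) transition and not `PU`, since a host without that profile would otherwise run the setuid helper unconfined from pkexec. `@{lib}/{,gvfs/}gvfsd-admin rPx` likewise tightens the old `rPUx`, which is the right direction, but it now requires a gvfsd-admin profile to be loaded wherever pkexec runs. A comment line above the directive, e.g. `# polkit-agent-helper is setuid root; the generated rule must keep a P transition`, would make the requirement reviewable. The indentation fix on the `deny @{user_share_dirs}/gvfs-metadata/* r,` line in the second hunk is welcome.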
diff --git a/apparmor.d/profiles-m-r/popularity-contest b/apparmor.d/profiles-m-r/popularity-contest index 702ccbcdf..a4b93d5b5 100644 --- a/apparmor.d/profiles-m-r/popularity-contest +++ b/apparmor.d/profiles-m-r/popularity-contest @@ -51,3 +51,5 @@ profile popularity-contest @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index eb5470217..067968258 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -47,4 +47,6 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/firmware/acpi/pm_profile* rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/protonmail-bridge b/apparmor.d/profiles-m-r/protonmail-bridge index 92a5eb13c..3d3878c3e 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge +++ b/apparmor.d/profiles-m-r/protonmail-bridge 
@@ -2,80 +2,50 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Warning: only the protonmail-bridge CLI and service are supported, NOT the GUI. - abi , include -@{exec_path} = @{bin}/protonmail-bridge -profile protonmail-bridge @{exec_path} { - include - include +@{config_dirs} = @{user_config_dirs}/protonmail/bridge-v3 +@{cache_dirs} = @{user_cache_dirs}/protonmail/bridge-v3 "@{user_cache_dirs}/Proton AG/Proton Mail Bridge" +@{share_dirs} = @{user_share_dirs}/protonmail/bridge-v3 - network inet dgram, - network inet6 dgram, +@{exec_path} = @{lib}/protonmail/bridge/bridge-gui +profile protonmail-bridge @{exec_path} { + include + include + include + include + include + include + + # network inet dgram, + # network inet6 dgram, network inet stream, network inet6 stream, - network netlink raw, + # network netlink raw, @{exec_path} mr, - @{bin}/pass rCx -> pass, + @{lib}/protonmail/bridge/bridge rPx, + @{open_path} rPx -> child-open-strict, - /etc/lsb-release r, /etc/machine-id r, - owner /var/tmp/etilqs_@{hex} rw, + owner @{config_dirs}/ rw, + owner @{config_dirs}/** rwlk -> @{config_dirs}/**, - owner @{user_password_store_dirs}/docker-credential-helpers/{,**} r, - owner @{user_password_store_dirs}/protonmail-credentials/{,**} r, + owner @{cache_dirs}/ rw, + owner @{cache_dirs}/** rwlk -> @{cache_dirs}/**, - owner @{user_cache_dirs}/protonmail/{,**} rwk, - owner @{user_config_dirs}/protonmail/{,**} rwk, - owner @{user_share_dirs}/protonmail/{,**} rwk, + owner @{share_dirs}/ rw, + owner @{share_dirs}/** rwlk -> @{share_dirs}/**, - @{PROC}/sys/net/core/somaxconn r, - @{PROC}/@{pid}/cgroup r, + owner @{tmp}/@{uuid}.txt w, - # Force the use of the Gnome Keyring or Kwallet secret-service. - # Comment these lines and add the commented lines in your local/protonmail-bridge - # to allow the use of pass as secret-service. 
- # of pass as secret store - # deny @{bin}/pass rmx, - # deny owner @{user_password_store_dirs}/** r, - - profile pass { - include - include - - @{bin}/pass mr, - - @{sh_path} rix, - @{bin}/base64 rix, - @{bin}/dirname rix, - @{bin}/env rix, - @{bin}/getopt rix, - @{bin}/git rPx -> pass//git, - @{bin}/gpg{,2} rPx -> pass//gpg, - @{bin}/mkdir rix, - @{bin}/rm rix, - @{bin}/rmdir rix, - @{bin}/sed rix, - @{bin}/tail rix, - @{bin}/tree rix, - @{bin}/tty rix, - @{bin}/which rix, - - owner @{user_password_store_dirs}/ r, - owner @{user_password_store_dirs}/.gpg-id r, - owner @{user_password_store_dirs}/protonmail-credentials/{,**} rw, - deny owner @{user_password_store_dirs}/**/ r, - - /dev/tty rw, - - include if exists - } + owner @{PROC}/@{pid}/cmdline r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core new file mode 100644 index 000000000..b0d153ec2 --- /dev/null +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core 
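Review bot: The rewritten profile keeps `# network inet dgram,`, `# network inet6 dgram,` and `# network netlink raw,` as commented-out rules, which tells a reader nothing about whether they were dropped as unneeded by the GUI or parked pending a test; delete them, or replace them with one explanatory line such as `# dgram/netlink sockets are only needed by the core process, which has its own profile` if that is indeed the reason. Handing the network-heavy work to the separate core profile via `@{lib}/protonmail/bridge/bridge rPx` makes the GUI confinement tighter than before, which is the right split. This hunk starts on the previous page line and contains the whole profile header.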
@@ -0,0 +1,85 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# To force the use of the Gnome Keyring or Kwallet secret-service, add the
+# following lines in your local/protonmail-bridge-core file:
+# deny @{bin}/pass x,
+# deny owner @{user_password_store_dirs}/** r,
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/protonmail/bridge/bridge
+profile protonmail-bridge-core @{exec_path} {
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ @{bin}/pass rCx -> pass,
+
+ /etc/lsb-release r,
+ /etc/machine-id r,
+
+ owner @{user_password_store_dirs}/docker-credential-helpers/{,**} r,
+ owner @{user_password_store_dirs}/protonmail-credentials/{,**} r,
+
+ owner @{user_cache_dirs}/protonmail/{,**} rwk,
+ owner @{user_config_dirs}/protonmail/{,**} rwk,
+ owner @{user_share_dirs}/protonmail/{,**} rwk,
+
+ owner "@{user_config_dirs}/autostart/Proton Mail Bridge.desktop" rw,
+
+ owner @{tmp}/bridge@{int} rw,
+ owner @{tmp}/etilqs_@{hex16} rw,
+ owner /var/tmp/etilqs_@{hex16} rw,
+
+ @{PROC}/ r,
+ @{PROC}/sys/net/core/somaxconn r,
+ @{PROC}/@{pid}/cgroup r,
+
+ deny @{bin}/pass x,
+ deny owner @{user_password_store_dirs}/** r,
+
+ profile pass {
+ include
+ include
+
+ @{bin}/pass mr,
+
+ @{sh_path} rix,
+ @{bin}/base64 rix,
+ @{bin}/dirname rix,
+ @{bin}/env rix,
+ @{bin}/getopt rix,
+ @{bin}/git rpx -> pass//git,
+ @{bin}/gpg{,2} rpx -> pass//gpg,
+ @{bin}/mkdir rix,
+ @{bin}/rm rix,
+ @{bin}/rmdir rix,
+ @{bin}/sed rix,
+ @{bin}/tail rix,
+ @{bin}/tree rix,
+ @{bin}/tty rix,
+ @{bin}/which rix,
+
+ owner @{user_password_store_dirs}/ r,
+ owner @{user_password_store_dirs}/.gpg-id r,
+ owner @{user_password_store_dirs}/protonmail-credentials/{,**} rw,
+ deny owner @{user_password_store_dirs}/**/ r,
+
+ /dev/tty rw,
+
+ include if exists
+ }
+
+ include if exists
+}
\ No newline at end
of file diff --git a/apparmor.d/profiles-m-r/ps b/apparmor.d/profiles-m-r/ps index dbaf443fc..bdcd6cee2 100644 --- a/apparmor.d/profiles-m-r/ps +++ b/apparmor.d/profiles-m-r/ps @@ -53,3 +53,5 @@ profile ps @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ps-mem b/apparmor.d/profiles-m-r/ps-mem index 4d0a5c642..f34992ccb 100644 --- a/apparmor.d/profiles-m-r/ps-mem +++ b/apparmor.d/profiles-m-r/ps-mem @@ -31,3 +31,5 @@ profile ps-mem @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pscap b/apparmor.d/profiles-m-r/pscap index 61bd4438a..8a88b26a4 100644 --- a/apparmor.d/profiles-m-r/pscap +++ b/apparmor.d/profiles-m-r/pscap @@ -24,3 +24,5 @@ profile pscap @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index a0765eb7e..e764b69f8 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -56,7 +56,7 @@ profile psi @{exec_path} { owner @{user_share_dirs}/psi/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex} rw, + owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, @{run}/systemd/inhibit/[0-9]*.ref rw, @@ -90,3 +90,5 @@ profile psi @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index aaead522e..d9b1f7fd5 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -56,7 +56,7 @@ profile psi-plus @{exec_path} { owner @{user_share_dirs}/psi+/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex} rw, + owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, @{run}/systemd/inhibit/[0-9]*.ref rw, @@ -90,3 +90,5 @@ profile psi-plus @{exec_path} { include if exists } + +# vim:syntax=apparmor 
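Review bot: In the new protonmail-bridge-core profile, `deny @{bin}/pass x,` and `deny owner @{user_password_store_dirs}/** r,` sit in the profile body itself, and AppArmor deny rules override every allow rule around them and cannot be undone by a local/ drop-in; as written, `@{bin}/pass rCx -> pass`, the read rules for docker-credential-helpers and protonmail-credentials, and the whole `pass` subprofile are dead, and the header comment telling users to add those two lines to local/protonmail-bridge-core is a no-op. If pass is meant to be the default, drop the two deny lines from the body; if the keyring is meant to be the default, remove the unreachable pass rules and subprofile instead of shipping both. Separately, `@{bin}/git rpx -> pass//git` and `@{bin}/gpg{,2} rpx -> pass//gpg` use lowercase `p`, which transitions without scrubbing the environment, whereas the profile removed in the previous file used `rPx` for the same launches; for a gpg invocation that unlocks the credential store, confirm that loosening is intended. The file also ends without a trailing newline and lacks the `# vim:syntax=apparmor` modeline that this commit adds everywhere else.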
diff --git a/apparmor.d/profiles-m-r/pstree b/apparmor.d/profiles-m-r/pstree index 3ad9e7b0c..a2630d212 100644 --- a/apparmor.d/profiles-m-r/pstree +++ b/apparmor.d/profiles-m-r/pstree @@ -28,3 +28,5 @@ profile pstree @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pulseeffects b/apparmor.d/profiles-m-r/pulseeffects index 4166f0678..0ef899263 100644 --- a/apparmor.d/profiles-m-r/pulseeffects +++ b/apparmor.d/profiles-m-r/pulseeffects @@ -38,3 +38,5 @@ profile pulseeffects @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pwck b/apparmor.d/profiles-m-r/pwck index 051417cf2..af459593a 100644 --- a/apparmor.d/profiles-m-r/pwck +++ b/apparmor.d/profiles-m-r/pwck @@ -29,3 +29,5 @@ profile pwck @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index e1eb03dd8..f9502cf75 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -150,3 +150,5 @@ profile qbittorrent @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/qbittorrent-nox b/apparmor.d/profiles-m-r/qbittorrent-nox index cd4015707..87bc84d51 100644 --- a/apparmor.d/profiles-m-r/qbittorrent-nox +++ b/apparmor.d/profiles-m-r/qbittorrent-nox @@ -56,3 +56,5 @@ profile qbittorrent-nox @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index b873fb6a5..958706374 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -43,4 +43,6 @@ profile qemu-ga @{exec_path} { /dev/vport@{int}p@{int} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index 7075a0a49..911519459 100644 
--- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi @@ -73,3 +73,5 @@ profile qnapi @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/qpdfview b/apparmor.d/profiles-m-r/qpdfview index 4ce205c27..e1ff13a92 100644 --- a/apparmor.d/profiles-m-r/qpdfview +++ b/apparmor.d/profiles-m-r/qpdfview @@ -63,4 +63,4 @@ profile qpdfview @{exec_path} { include if exists } - +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/qt5ct b/apparmor.d/profiles-m-r/qt5ct index 58bd6948e..43964d950 100644 --- a/apparmor.d/profiles-m-r/qt5ct +++ b/apparmor.d/profiles-m-r/qt5ct @@ -39,3 +39,5 @@ profile qt5ct @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/qtchooser b/apparmor.d/profiles-m-r/qtchooser index 10749b88e..2202d8c5f 100644 --- a/apparmor.d/profiles-m-r/qtchooser +++ b/apparmor.d/profiles-m-r/qtchooser @@ -23,3 +23,5 @@ profile qtchooser @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/qtox b/apparmor.d/profiles-m-r/qtox index fd9e0748d..e97bcc2ec 100644 --- a/apparmor.d/profiles-m-r/qtox +++ b/apparmor.d/profiles-m-r/qtox @@ -58,3 +58,5 @@ profile qtox @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index a0463bb98..1154ff337 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -63,7 +63,7 @@ profile quiterss @{exec_path} { owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw, owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, - owner /var/tmp/etilqs_@{hex} rw, + owner /var/tmp/etilqs_@{hex16} rw, # Allowed apps to open @{lib}/firefox/firefox rPUx, @@ -97,3 +97,5 @@ profile quiterss @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rdmsr b/apparmor.d/profiles-m-r/rdmsr index 5500bbfda..c3a4a8a22 100644 
--- a/apparmor.d/profiles-m-r/rdmsr +++ b/apparmor.d/profiles-m-r/rdmsr @@ -20,3 +20,5 @@ profile rdmsr @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 833c81818..dcee35f62 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -60,3 +60,5 @@ profile remmina @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/repo b/apparmor.d/profiles-m-r/repo index 0132cbe9a..6f3ba2417 100644 --- a/apparmor.d/profiles-m-r/repo +++ b/apparmor.d/profiles-m-r/repo @@ -74,3 +74,5 @@ profile repo @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/reprepro b/apparmor.d/profiles-m-r/reprepro index b0d31a4fb..4ef5e6b42 100644 --- a/apparmor.d/profiles-m-r/reprepro +++ b/apparmor.d/profiles-m-r/reprepro @@ -70,3 +70,5 @@ profile reprepro @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/resize2fs b/apparmor.d/profiles-m-r/resize2fs index 7406602e4..114846812 100644 --- a/apparmor.d/profiles-m-r/resize2fs +++ b/apparmor.d/profiles-m-r/resize2fs @@ -28,3 +28,5 @@ profile resize2fs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf index 8609e4858..6dfe82b6e 100644 --- a/apparmor.d/profiles-m-r/resolvconf +++ b/apparmor.d/profiles-m-r/resolvconf @@ -37,3 +37,5 @@ profile resolvconf @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rfkill b/apparmor.d/profiles-m-r/rfkill index a0ba2c7b3..f64dd20ba 100644 --- a/apparmor.d/profiles-m-r/rfkill +++ b/apparmor.d/profiles-m-r/rfkill @@ -20,3 +20,5 @@ profile rfkill @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index b929f1a7a..0f65d8f71 100644 
--- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd @@ -24,8 +24,7 @@ profile rngd @{exec_path} flags=(attach_disconnected) { /etc/conf.d/rngd r, /etc/machine-id r, - /etc/opensc.conf r, - /etc/opensc/opensc.conf r, + /etc/{,opensc/}opensc.conf r, /var/lib/dbus/machine-id r, @{sys}/devices/virtual/misc/hw_random/rng_available r, @@ -38,3 +37,5 @@ profile rngd @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rpi-imager b/apparmor.d/profiles-m-r/rpi-imager index 946219e92..641217f56 100644 --- a/apparmor.d/profiles-m-r/rpi-imager +++ b/apparmor.d/profiles-m-r/rpi-imager @@ -66,3 +66,5 @@ profile rpi-imager @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rredtool b/apparmor.d/profiles-m-r/rredtool index 569f9f25a..d8024b279 100644 --- a/apparmor.d/profiles-m-r/rredtool +++ b/apparmor.d/profiles-m-r/rredtool @@ -15,3 +15,5 @@ profile rredtool @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 60f6d63e9..423e7e41a 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -49,3 +49,5 @@ profile rsyslogd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index 72d6f0e7f..21e715579 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon @@ -37,3 +37,5 @@ profile rtkit-daemon @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rtkitctl b/apparmor.d/profiles-m-r/rtkitctl index adbe7d66b..d855c0a35 100644 --- a/apparmor.d/profiles-m-r/rtkitctl +++ b/apparmor.d/profiles-m-r/rtkitctl @@ -15,3 +15,5 @@ profile rtkitctl @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 726f6f64e..8fe649ff5 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -240,3 +240,5 @@ profile run-parts @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/runuser b/apparmor.d/profiles-m-r/runuser index 590ed971c..97100f32a 100644 --- a/apparmor.d/profiles-m-r/runuser +++ b/apparmor.d/profiles-m-r/runuser @@ -49,3 +49,5 @@ profile runuser @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index c711530ef..956aaeaa4 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -134,3 +134,5 @@ profile rustdesk_shell { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rustdesk-utils b/apparmor.d/profiles-m-r/rustdesk-utils index 8c5817b15..0707f9c8f 100644 --- a/apparmor.d/profiles-m-r/rustdesk-utils +++ b/apparmor.d/profiles-m-r/rustdesk-utils @@ -18,3 +18,5 @@ profile rustdesk-utils @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/YACReader b/apparmor.d/profiles-s-z/YACReader index dee5b3522..ccbbb2494 100644 --- a/apparmor.d/profiles-s-z/YACReader +++ b/apparmor.d/profiles-s-z/YACReader @@ -43,4 +43,6 @@ profile YACReader @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/mountinfo r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index 50e5ae8c8..418167345 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary 
@@ -46,4 +46,6 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted owner @{PROC}/@{pid}/cmdline r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs index 1bc9288da..d614330d2 100644 --- a/apparmor.d/profiles-s-z/s3fs +++ b/apparmor.d/profiles-s-z/s3fs @@ -69,4 +69,6 @@ profile s3fs @{exec_path} { } include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sanoid b/apparmor.d/profiles-s-z/sanoid index f0b8426c6..aadad6860 100644 --- a/apparmor.d/profiles-s-z/sanoid +++ b/apparmor.d/profiles-s-z/sanoid @@ -31,3 +31,5 @@ profile sanoid @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index 388145d76..938ecb638 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -39,4 +39,6 @@ profile sbctl @{exec_path} { deny network inet6 stream, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy index 711cd73ad..8903fe287 100644 --- a/apparmor.d/profiles-s-z/scrcpy +++ b/apparmor.d/profiles-s-z/scrcpy @@ -38,3 +38,5 @@ profile scrcpy @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/scrot b/apparmor.d/profiles-s-z/scrot index f423775f6..377bb7962 100644 --- a/apparmor.d/profiles-s-z/scrot +++ b/apparmor.d/profiles-s-z/scrot @@ -29,3 +29,5 @@ profile scrot @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sdcv b/apparmor.d/profiles-s-z/sdcv index 7ad78e8a4..cfc6c1b3c 100644 --- a/apparmor.d/profiles-s-z/sdcv +++ b/apparmor.d/profiles-s-z/sdcv 
@@ -21,4 +21,6 @@ profile sdcv @{exec_path} { owner @{user_cache_dirs}/sdcv/{,**} rwk, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/secure-time-sync b/apparmor.d/profiles-s-z/secure-time-sync index bf11debcd..3ded8b7ae 100644 --- a/apparmor.d/profiles-s-z/secure-time-sync +++ b/apparmor.d/profiles-s-z/secure-time-sync @@ -31,3 +31,5 @@ profile secure-time-sync @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index b64790203..618332bce 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors @@ -45,3 +45,5 @@ profile sensors @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index 820c31d1f..577041922 100644 --- a/apparmor.d/profiles-s-z/sensors-detect +++ b/apparmor.d/profiles-s-z/sensors-detect @@ -41,13 +41,7 @@ profile sensors-detect @{exec_path} { profile udevadm { include - include - - capability sys_ptrace, - - @{bin}/udevadm mr, - - /etc/udev/udev.conf r, + include include if exists } @@ -74,3 +68,5 @@ profile sensors-detect @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci index 9bfc43d0f..25fe43065 100644 --- a/apparmor.d/profiles-s-z/setpci +++ b/apparmor.d/profiles-s-z/setpci @@ -19,3 +19,5 @@ profile setpci @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/setvtrgb b/apparmor.d/profiles-s-z/setvtrgb index 7080cd909..79398e82d 100644 --- a/apparmor.d/profiles-s-z/setvtrgb +++ b/apparmor.d/profiles-s-z/setvtrgb @@ -18,4 +18,6 @@ profile setvtrgb @{exec_path} { /dev/tty@{int} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor 
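Review bot: The udevadm child profile in sensors-detect loses `capability sys_ptrace,`, `@{bin}/udevadm mr,` and `/etc/udev/udev.conf r,` and keeps only an include whose target is stripped in this rendering, so whether the child can still map and execute udevadm depends entirely on that abstraction carrying the `mr` rule. If the abstraction also re-grants sys_ptrace this is a move rather than a tightening, and the commit should say which; if it does not, a one-line comment such as `# sys_ptrace dropped: udevadm only queries device properties here` would record why the capability is no longer needed. Either way the swap is only verifiable with the include target visible, so naming it in the commit message would help reviewers.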
diff --git a/apparmor.d/profiles-s-z/sfdisk b/apparmor.d/profiles-s-z/sfdisk index 4afa8e575..5b75a27ef 100644 --- a/apparmor.d/profiles-s-z/sfdisk +++ b/apparmor.d/profiles-s-z/sfdisk @@ -34,3 +34,5 @@ profile sfdisk @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sgdisk b/apparmor.d/profiles-s-z/sgdisk index 778548d75..00a8c7a56 100644 --- a/apparmor.d/profiles-s-z/sgdisk +++ b/apparmor.d/profiles-s-z/sgdisk @@ -25,3 +25,5 @@ profile sgdisk @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sing-box b/apparmor.d/profiles-s-z/sing-box index 07c557d7c..eb9866b53 100644 --- a/apparmor.d/profiles-s-z/sing-box +++ b/apparmor.d/profiles-s-z/sing-box @@ -35,3 +35,5 @@ profile sing-box @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/slirp4netns b/apparmor.d/profiles-s-z/slirp4netns index efd6756b7..0ec43cc9b 100644 --- a/apparmor.d/profiles-s-z/slirp4netns +++ b/apparmor.d/profiles-s-z/slirp4netns @@ -41,4 +41,6 @@ profile slirp4netns @{exec_path} flags=(attach_disconnected) { /dev/net/tun rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/smartctl b/apparmor.d/profiles-s-z/smartctl index 442f4fd9b..6487e82e3 100644 --- a/apparmor.d/profiles-s-z/smartctl +++ b/apparmor.d/profiles-s-z/smartctl @@ -27,3 +27,5 @@ profile smartctl @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd index 3e710291b..4548813bf 100644 --- a/apparmor.d/profiles-s-z/smartd +++ b/apparmor.d/profiles-s-z/smartd @@ -53,3 +53,5 @@ profile smartd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/smbspool b/apparmor.d/profiles-s-z/smbspool index 4ae50fbb4..010226342 100644 --- a/apparmor.d/profiles-s-z/smbspool +++ b/apparmor.d/profiles-s-z/smbspool 
@@ -15,4 +15,6 @@ profile smbspool @{exec_path} { /etc/papersize r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/smplayer b/apparmor.d/profiles-s-z/smplayer index 3751c4ab0..d8de18f20 100644 --- a/apparmor.d/profiles-s-z/smplayer +++ b/apparmor.d/profiles-s-z/smplayer @@ -87,3 +87,5 @@ profile smplayer @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/smtube b/apparmor.d/profiles-s-z/smtube index c8cb926e3..af761d43c 100644 --- a/apparmor.d/profiles-s-z/smtube +++ b/apparmor.d/profiles-s-z/smtube @@ -102,3 +102,5 @@ profile smtube @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index 3d71ce766..f59fd9226 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -111,3 +111,5 @@ profile snap @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snap-bootstrap b/apparmor.d/profiles-s-z/snap-bootstrap index de4635dd1..71a4ad8f2 100644 --- a/apparmor.d/profiles-s-z/snap-bootstrap +++ b/apparmor.d/profiles-s-z/snap-bootstrap @@ -13,4 +13,6 @@ profile snap-bootstrap @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snap-device-helper b/apparmor.d/profiles-s-z/snap-device-helper index 836071c08..ec342d4e2 100644 --- a/apparmor.d/profiles-s-z/snap-device-helper +++ b/apparmor.d/profiles-s-z/snap-device-helper @@ -20,4 +20,6 @@ profile snap-device-helper @{exec_path} { @{sys}/fs/bpf/snap/ w, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snap-discard-ns b/apparmor.d/profiles-s-z/snap-discard-ns index 2ba6f81ad..ab90529b7 100644 --- a/apparmor.d/profiles-s-z/snap-discard-ns +++ b/apparmor.d/profiles-s-z/snap-discard-ns 
@@ -30,4 +30,6 @@ profile snap-discard-ns @{exec_path} { @{run}/snapd/ns/* rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snap-failure b/apparmor.d/profiles-s-z/snap-failure index 9f6399064..df8fe47fb 100644 --- a/apparmor.d/profiles-s-z/snap-failure +++ b/apparmor.d/profiles-s-z/snap-failure @@ -31,4 +31,6 @@ profile snap-failure @{exec_path} { } include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snap-repair b/apparmor.d/profiles-s-z/snap-repair index 1527a465c..d5f282ffa 100644 --- a/apparmor.d/profiles-s-z/snap-repair +++ b/apparmor.d/profiles-s-z/snap-repair @@ -13,4 +13,6 @@ profile snap-repair @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/profiles-s-z/snap-seccomp index f62f3a3f3..0da410bca 100644 --- a/apparmor.d/profiles-s-z/snap-seccomp +++ b/apparmor.d/profiles-s-z/snap-seccomp @@ -27,4 +27,6 @@ profile snap-seccomp @{exec_path} { deny @{user_share_dirs}/gvfs-metadata/* r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns index 328eab743..e9315f5c7 100644 --- a/apparmor.d/profiles-s-z/snap-update-ns +++ b/apparmor.d/profiles-s-z/snap-update-ns @@ -54,4 +54,6 @@ profile snap-update-ns @{exec_path} { @{PROC}/version r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index dfae29999..3892a8ca4 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -180,4 +180,6 @@ profile snapd @{exec_path} { } include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener b/apparmor.d/profiles-s-z/snapd-aa-prompt-listener index f8c1df718..3e3045b80 100644 --- a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener +++ b/apparmor.d/profiles-s-z/snapd-aa-prompt-listener @@ -21,4 +21,6 @@ profile snapd-aa-prompt-listener @{exec_path} { @{PROC}/cmdline r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-ui b/apparmor.d/profiles-s-z/snapd-aa-prompt-ui index 35c6d5e4c..d7b9b3713 100644 --- a/apparmor.d/profiles-s-z/snapd-aa-prompt-ui +++ b/apparmor.d/profiles-s-z/snapd-aa-prompt-ui @@ -19,4 +19,6 @@ profile snapd-aa-prompt-ui @{exec_path} { @{PROC}/cmdline r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snapd-apparmor b/apparmor.d/profiles-s-z/snapd-apparmor index d9be96e87..22a9c5faa 100644 --- a/apparmor.d/profiles-s-z/snapd-apparmor +++ b/apparmor.d/profiles-s-z/snapd-apparmor @@ -27,4 +27,6 @@ profile snapd-apparmor @{exec_path} { @{PROC}/cmdline r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snapd-core-fixup b/apparmor.d/profiles-s-z/snapd-core-fixup index 7d407df32..fffbc4468 100644 --- a/apparmor.d/profiles-s-z/snapd-core-fixup +++ b/apparmor.d/profiles-s-z/snapd-core-fixup @@ -13,4 +13,6 @@ profile snapd-core-fixup @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spacefm-auth b/apparmor.d/profiles-s-z/spacefm-auth index 2e7f34125..754908eac 100644 --- a/apparmor.d/profiles-s-z/spacefm-auth +++ b/apparmor.d/profiles-s-z/spacefm-auth @@ -16,3 +16,5 @@ profile spacefm-auth @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker index 2ff6defc3..98d677189 100644 --- a/apparmor.d/profiles-s-z/spectre-meltdown-checker +++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker @@ -187,3 +187,5 @@ profile spectre-meltdown-checker @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/speedtest b/apparmor.d/profiles-s-z/speedtest index 5c299fb8d..511f32a96 100644 --- a/apparmor.d/profiles-s-z/speedtest +++ b/apparmor.d/profiles-s-z/speedtest @@ -34,3 +34,5 @@ profile speedtest @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper index be131b3e9..1847c93d7 100644 --- a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper +++ b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper @@ -23,4 +23,6 @@ profile spice-client-glib-usb-acl-helper @{exec_path} { @{PROC}/sys/kernel/cap_last_cap r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index e25574bb9..c2fd27ced 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -47,3 +47,5 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index cdaf03b9a..e9a8b6330 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -30,3 +30,5 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index e588ffbcf..db2e7ebe9 100644 --- a/apparmor.d/profiles-s-z/spotify 
+++ b/apparmor.d/profiles-s-z/spotify @@ -56,3 +56,5 @@ profile spotify @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss index 99d05d286..36f4c988d 100644 --- a/apparmor.d/profiles-s-z/ss +++ b/apparmor.d/profiles-s-z/ss @@ -45,3 +45,5 @@ profile ss @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sslocal b/apparmor.d/profiles-s-z/sslocal index 2ce04f3e6..beff6a1e9 100644 --- a/apparmor.d/profiles-s-z/sslocal +++ b/apparmor.d/profiles-s-z/sslocal @@ -29,3 +29,5 @@ profile sslocal @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ssmanager b/apparmor.d/profiles-s-z/ssmanager index affdd3e85..7a89ea8bd 100644 --- a/apparmor.d/profiles-s-z/ssmanager +++ b/apparmor.d/profiles-s-z/ssmanager @@ -29,3 +29,5 @@ profile ssmanager @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ssserver b/apparmor.d/profiles-s-z/ssserver index 07690f08c..51dc62837 100644 --- a/apparmor.d/profiles-s-z/ssserver +++ b/apparmor.d/profiles-s-z/ssserver @@ -28,3 +28,5 @@ profile ssserver @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ssservice b/apparmor.d/profiles-s-z/ssservice index 5c63da5c2..1c62764b2 100644 --- a/apparmor.d/profiles-s-z/ssservice +++ b/apparmor.d/profiles-s-z/ssservice @@ -16,3 +16,5 @@ profile ssservice @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ssurl b/apparmor.d/profiles-s-z/ssurl index 9471ab0ad..e1c7b9068 100644 --- a/apparmor.d/profiles-s-z/ssurl +++ b/apparmor.d/profiles-s-z/ssurl @@ -24,3 +24,5 @@ profile ssurl @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/start-pulseaudio-x11 b/apparmor.d/profiles-s-z/start-pulseaudio-x11 index 3287c7556..616b66963 100644 
--- a/apparmor.d/profiles-s-z/start-pulseaudio-x11 +++ b/apparmor.d/profiles-s-z/start-pulseaudio-x11 @@ -24,4 +24,6 @@ profile start-pulseaudio-x11 @{exec_path} { /dev/tty rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/startx b/apparmor.d/profiles-s-z/startx index 9a51396c9..26cf4027f 100644 --- a/apparmor.d/profiles-s-z/startx +++ b/apparmor.d/profiles-s-z/startx @@ -47,3 +47,5 @@ profile startx @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 85f5191bb..8de447bfe 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam 
@@ -6,28 +6,32 @@ # - Ensure no user data is accessed by either steam or steam games # - Limit what steam/games can access to the host # -# Current architecture: +# Overall architecture of the steam profiles: # steam -# ├── steam-fossilize -# ├── steam-reaper -# │ └── steam-game -# ├── steam-gameoverlayui -# └── steamerrorreporter +# ├── steam//check # Requirements check (sandboxed) +# ├── steam//web # steamwebhelper (sandboxed) +# ├── steam-fossilize # Update shader cache +# ├── steam-runtime # Launcher tasks up to the creation of the sandbox +# │ ├── steam-game-native # Native games +# │ └── steam-game-proton # Proton games (sandboxed) +# ├── steam-gameoverlayui # Steam game overlay +# └── steamerrorreporter # Error reporter abi , include -@{share_dirs} = @{user_share_dirs}/Steam +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper +@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} -@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} +@{app_dirs} = @{share_dirs}/steamapps/common/ @{exec_path} = @{share_dirs}/steam.sh profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include - include include include include 
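Review bot: The new architecture comment labels `steam//check` and `steam//web` as "(sandboxed)", but the child profiles added later in this file carry `flags=(attach_disconnected,mediate_deleted,complain)`, so they log rather than enforce; the comment should not imply confinement that is not active, e.g. `# ├── steam//web # steamwebhelper (sandboxed; complain mode for now)`. The variable block also now makes `@{share_dirs}` a two-value list (`@{user_share_dirs}/Steam @{HOME}/.steam/debian-installation`), which silently doubles every `@{share_dirs}`, `@{lib_dirs}` and `@{runtime_dirs}` rule below; a short comment on that line naming which installation layout the second path serves would make the expansion intentional for the next reader. Two `include` lines are removed here whose targets are not visible in this rendering, so whether the rules they provided are now covered elsewhere cannot be checked from the diff.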
@@ -38,69 +42,75 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + capability sys_ptrace, + network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, + network unix, - ptrace (read), - ptrace (trace) peer=steam, + ptrace read, + ptrace trace peer=steam, - signal (send) peer=steam-game, - signal (read), + signal send peer=steam-game, + signal send peer=steam-launcher, + signal send peer=steam//journalctl, + signal send peer=steam//web, - unix (receive) type=stream, + unix, @{exec_path} mrix, @{sh_path} rix, @{coreutils_path} rix, - @{bin}/cmp rix, - @{bin}/file rix, @{bin}/getopt rix, - @{bin}/gzip rix, + @{bin}/journalctl rPx -> systemctl, @{bin}/ldconfig rix, @{bin}/ldd rix, - @{bin}/localedef rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsof rix, @{bin}/lspci rCx -> lspci, - @{bin}/steam-runtime-urlopen rix, - @{bin}/tar rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/xdg-icon-resource rPx, @{bin}/xdg-user-dir rix, - @{bin}/xz rix, - @{bin}/zenity rix, + @{lib}/@{multiarch}/ld-*.so* rix, @{lib}/ld-linux.so* rix, + @{open_path} rPx -> child-open, - @{lib_dirs}/** mr, - @{lib_dirs}/*/** ix, - @{lib_dirs}/*driverquery rix, - @{lib_dirs}/fossilize_replay rpx, - @{lib_dirs}/gameoverlayui rpx, - @{lib_dirs}/reaper rpx, - @{lib_dirs}/steam* rix, + @{lib_dirs}/** mr, + @{lib_dirs}/*driverquery rix, + @{lib_dirs}/fossilize_replay rpx, + @{lib_dirs}/gameoverlayui rpx, + @{lib_dirs}/reaper rpx, # steam-runtime + @{lib_dirs}/steam* rix, - # Entry point for steam-game - @{runtime_dirs}/*entry-point rpx, - - @{lib}/pressure-vessel/from-host/** rix, - @{run}/host/@{bin}/* rix, - @{run}/host/@{lib}/** rix, + @{app_dirs}/@{runtime}/*entry-point rpx -> steam-runtime, @{share_dirs}/linux{32,64}/steamerrorreporter rpx, - @{share_dirs}/config/cefdata/WidevineCdm/**/linux_*/libwidevinecdm.so rm, - /usr/lib/os-release rk, - /usr/share/fonts/**.{ttf,otf} rk, - 
/usr/share/terminfo/** r, - /usr/share/zenity/* r, + @{runtime_dirs}/@{arch}/@{bin}/srt-logger rix, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements rcx -> check, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-identify-library-abi rix, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service rpx, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-supervisor rix, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info rix, + @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, + @{runtime_dirs}/*entry-point rix, + @{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, + @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, + @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web, + @{runtime_dirs}/run{,.sh} rix, + @{runtime_dirs}/setup.sh rix, + + @{lib}/os-release rk, + + /usr/share/fonts/** rk, /etc/lsb-release r, - /etc/udev/udev.conf r, /etc/machine-id r, + /etc/timezone r, /var/lib/dbus/machine-id r, @{bin}/ r, @@ -108,16 +118,11 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { / r, /etc/ r, /home/ r, - /run/ r, /usr/ r, /usr/local/ r, /usr/local/lib/ r, /var/ r, - - owner /bindfile@{rand6} rw, - - owner /var/pressure-vessel/** rw, - owner /var/cache/ldconfig/aux-cache* rw, + /var/tmp/ r, owner @{HOME}/ r, owner @{HOME}/.steam/{,**} rw, 
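Review bot: The journalctl handling is internally inconsistent: `@{bin}/journalctl rPx -> systemctl,` is a named transition to a global `systemctl` profile (Px cannot enter a child), `signal send peer=steam//journalctl,` expects a child named journalctl, and the last hunk of this file adds a child `profile systemctl { … }` that no rule transitions into, so it is dead unless the exec becomes `@{bin}/journalctl rCx -> systemctl,` with the signal peer changed to `steam//systemctl` (or the child is dropped in favour of the global profile). `unix,` with no access or peer qualifier replaces `unix (receive) type=stream,` and grants every unix-socket operation to any peer; if the new child profiles are the only intended peers, `unix (send, receive) peer=(label=steam//web),` (and the matching line for check) keeps the scope, and `network unix,` on top of it looks redundant. `signal send peer=steam-launcher,` names a profile not defined anywhere in this diff — presumably whatever `@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service rpx,` attaches to, which is worth confirming. The broadening of `/usr/share/fonts/**.{ttf,otf} rk` to `/usr/share/fonts/** rk` and the new `capability sys_ptrace,` are not explained by a comment; a short why-comment on each would document the need.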
@@ -131,117 +136,259 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_games_dirs}/ rw, owner @{user_games_dirs}/** rwlk -> @{user_games_dirs}/**, + owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, owner @{user_config_dirs}/autostart/ r, owner @{user_config_dirs}/cef_user_data/{,**} r, owner @{user_config_dirs}/cef_user_data/Dictionaries/* rw, owner @{user_config_dirs}/cef_user_data/WidevineCdm/** rwm, - owner @{user_config_dirs}/unity3d/{,**} rwk, - owner @{user_config_dirs}/user-dirs.dirs r, + owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, owner @{user_share_dirs}/applications/*.desktop w, owner @{user_share_dirs}/icons/hicolor/**/apps/steam*.png rw, owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk, - owner /dev/shm/#@{int} rw, - owner /dev/shm/fossilize-*-@{int}-@{int} rw, - owner /dev/shm/u@{uid}-Shm_@{hex} rw, - owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, - owner /dev/shm/ValveIPCSHM_@{uid} rw, - @{tmp}/ r, + owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, owner @{tmp}/#@{int} rw, owner @{tmp}/dumps/ rw, owner @{tmp}/dumps/** rwk, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, - owner @{tmp}/miles_image_* mrw, - owner @{tmp}/pressure-vessel-*-@{rand6}/ rw, - owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**, - owner @{tmp}/runtime-info.txt.* rwk, - owner @{tmp}/sh-thd.* rw, - owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw, + owner @{tmp}/glx-icds-@{rand6}/{,**} rw, + owner @{tmp}/runtime-info.txt.@{rand6} rwk, owner @{tmp}/steam@{rand6}/{,**} rw, owner @{tmp}/steam/ rw, owner @{tmp}/steam/** rwk, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, - owner @{run}/pressure-vessel/** r, + owner /dev/shm/fossilize-*-@{int}-@{int} rw, + owner /dev/shm/u@{uid}-Shm_@{hex6} rw, + owner 
/dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, + owner /dev/shm/u@{uid}-Shm_@{hex8} rw, + owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, + owner /dev/shm/ValveIPCSHM_@{uid} rw, + owner @{run}/user/@{uid}/ r, - @{run}/host/{,**} r, - - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{run}/udev/data/c116:@{int} r, # for ALSA - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{run}/udev/data/n@{int} r, @{sys}/ r, @{sys}/bus/ r, - @{sys}/bus/pci/devices/ r, @{sys}/class/ r, @{sys}/class/hidraw/ r, @{sys}/class/input/ r, @{sys}/class/net/ r, - @{sys}/devices/@{pci}/class r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}report_descriptor r, - @{sys}/devices/@{pci}/sound/card@{int}/** r, - @{sys}/devices/@{pci}/usb@{int}/{manufacturer,product,bcdDevice,bInterfaceNumber} r, + @{sys}/class/power_supply/ r, + @{sys}/devices/ r, + @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/sound/card@{int}/input@{int}/properties r, @{sys}/devices/**/input@{int}/ r, @{sys}/devices/**/input@{int}/capabilities/* r, @{sys}/devices/**/input/input@{int}/ r, @{sys}/devices/**/input/input@{int}/properties r, + @{sys}/devices/**/power_supply/{AC,BAT@{int},hidpp_battery_@{int}}/{,*} r, + @{sys}/devices/**/report_descriptor r, @{sys}/devices/**/uevent r, - @{sys}/devices/system/cpu/** r, - @{sys}/devices/system/node/ r, - @{sys}/devices/virtual/**/report_descriptor r, + @{sys}/devices/system/ r, + @{sys}/devices/system/cpu/cpu@{int}/ r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/bios_version r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/net/*/ r, - @{sys}/devices/virtual/tty/tty@{int}/active r, @{sys}/kernel/ r, @{sys}/power/suspend_stats/success rk, @{PROC}/ r, - 
@{PROC}/@{pids}/comm rk, - @{PROC}/@{pids}/net/route r, - @{PROC}/@{pids}/stat r, - @{PROC}/locks r, + @{PROC}/@{pid}/comm rk, + @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pid}/net/* r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/stat r, @{PROC}/1/cgroup r, - @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/locks r, @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/kernel/unprivileged_userns_clone r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, @{PROC}/sys/user/max_user_namespaces r, @{PROC}/version r, - owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/autogroup rw, owner @{PROC}/@{pid}/cmdline rk, owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/fdinfo/@{int} r, + owner @{PROC}/@{pid}/fd/@{int} rw, + owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/oom_score_adj w, - owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/children r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/status r, - /dev/hidraw@{int} rw, /dev/input/ r, - /dev/input/event@{int} r, - /dev/tty rw, /dev/uinput w, - audit deny /**.steam_exec_test.sh rw, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + deny /opt/** r, - profile lspci { + profile web flags=(attach_disconnected,mediate_deleted,complain) { + include + include + include + include + include + include + include + include + + capability dac_read_search, + capability sys_chroot, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + ptrace trace peer=steam//web, + + signal receive set=kill peer=steam, + + unix receive type=stream, + + @{bin}/ldconfig rix, + @{bin}/getopt rix, + @{bin}/gzip rix, + @{bin}/true rix, + @{bin}/localedef rix, + @{bin}/readlink rix, + + @{lib_dirs}/** mr, + @{lib_dirs}/steamwebhelper rix, + 
@{lib_dirs}/steamwebhelper_sniper_wrap.sh rix, + + @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap mr, + @{runtime_dirs}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix, + + @{lib}/pressure-vessel/from-host/** rix, + @{run}/host/@{bin}/* rix, + @{run}/host/@{lib}/** rix, + + @{share_dirs}/config/cefdata/WidevineCdm/**/linux_*/libwidevinecdm.so mr, + + @{runtime_dirs}/var/tmp-@{rand6}/usr/.ref w, + + @{run}/host/{,**} r, + + /etc/machine-id r, + + @{lib}/ r, + /usr/local/lib/ r, + /var/tmp/ r, + + owner /bindfile@{rand6} rw, + + owner /var/cache/ldconfig/aux-cache* rw, + owner /var/pressure-vessel/ldso/* rw, + + owner @{HOME}/.pki/ rw, + owner @{HOME}/.pki/nssdb/ rw, + owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + + owner @{lib_dirs}/.cef-* wk, + + owner @{share_dirs}/{,**} r, + owner @{share_dirs}/config/** rwk, + owner @{share_dirs}/logs/** rwk, + owner @{share_dirs}/clientui/** k, + owner @{share_dirs}/public/** k, + + @{tmp}/ r, + owner @{tmp}/#@{int} rw, + owner @{tmp}/dumps/ rw, + owner @{tmp}/dumps/** rwk, + owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + owner @{tmp}/pressure-vessel-*-@{rand6}/ rw, + owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**, + owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw, + + /dev/shm/ r, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw, + owner /dev/shm/u@{uid}-Shm_@{hex6} rw, + owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, + owner /dev/shm/u@{uid}-Shm_@{hex8} rw, + owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, + owner /dev/shm/ValveIPCSHM_@{uid} rw, + + owner @{run}/pressure-vessel/** r, + + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + + @{sys}/bus/ r, + @{sys}/bus/*/devices/ r, + @{sys}/class/*/ r, + @{sys}/devices/**/report_descriptor r, + @{sys}/devices/**/uevent r, + 
@{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/virtual/tty/tty@{int}/active r, + + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mem r, + owner @{PROC}/@{pid}/oom_score_adj w, + owner @{PROC}/@{pid}/statm r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm r, + owner @{PROC}/@{pid}/task/@{tid}/status r, + + /dev/hidraw@{int} rw, + /dev/tty rw, + + include if exists + } + + profile check flags=(attach_disconnected,mediate_deleted,complain) { + include + include + include + + capability dac_read_search, + + unix receive type=stream, + + @{bin}/true rix, + + @{lib_dirs}/** mr, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements mr, + @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rix, + + / r, + + owner @{HOME}/.steam/root r, + owner @{HOME}/.steam/steam r, + + owner @{share_dirs}/ r, + + @{PROC}/@{pid}/cgroup r, + + include if exists + } + + profile lspci flags=(attach_disconnected,mediate_deleted,complain) { include include include + unix receive type=stream, + @{bin}/lspci mr, owner @{HOME}/.steam/steam.pipe r, @@ -250,11 +397,26 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/bus/pci/slots/ r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/devices/@{pci}/** r, - + owner /dev/shm/ValveIPCSHM_@{uid} rw, include if exists } + profile systemctl { + include + include + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + + include if exists + } + include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/steam-fossilize b/apparmor.d/profiles-s-z/steam-fossilize index 323abea8c..b33c90d8b 100644 
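Review bot: `@{PROC}/@{pid}/stat r,` is added twice in the main profile's proc block; drop one of the two lines. All three child profiles — web, check and the pre-existing lspci, which previously had no flags — now carry `complain`, which downgrades lspci from enforce to audit-only; that regression should be called out in the commit, and a `# TODO: remove complain once the rule set is confirmed` comment next to each flag line would keep the temporary state visible. In the web child, `owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk` gives steamwebhelper write access to the user's shared NSS certificate and key store; if it only needs to read trust anchors, `r` on those two files (and on `pkcs11.txt`) is the safer default, which the denial logs from complain mode should confirm. The enclosing steam profile starts before this hunk.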
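Review bot: The new child `profile systemctl` grants `/{run,var}/log/journal/@{hex32}/system.journal*` and `user-@{hex}.journal*` read access, i.e. the system journal and every user's journal, for what is a user-session process; if steam only needs its own session's entries, restricting the user glob to the current uid and dropping the system.journal lines would match the least-privilege goal stated in the header comment, though this depends on which journalctl invocation steam makes. The child also lacks the `attach_disconnected,mediate_deleted` flags its siblings carry, which is worth a deliberate decision rather than an omission. Its two include targets are stripped in this rendering, so the abstractions it relies on cannot be checked here.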
--- a/apparmor.d/profiles-s-z/steam-fossilize +++ b/apparmor.d/profiles-s-z/steam-fossilize @@ -6,9 +6,12 @@ abi , include -@{share_dirs} = @{user_share_dirs}/Steam -@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} -@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper +@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation +@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} +@{app_dirs} = @{share_dirs}/steamapps/common/ @{exec_path} = @{lib_dirs}/fossilize_replay profile steam-fossilize @{exec_path} flags=(attach_disconnected) { @@ -17,17 +20,22 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) { include include + signal receive peer=steam, + @{exec_path} mr, - @{lib_dirs}/*.so* mr, + @{lib_dirs}/** mr, owner @{HOME}/.steam/steam.pipe r, + owner @{share_dirs}/logs/container-runtime-info.txt.@{rand6} rw, owner @{share_dirs}/steamapps/shadercache/@{int}/fozpipelinesv@{int}/{,**} rw, owner @{share_dirs}/steamapps/shadercache/@{int}/mesa_shader_cache_sf/{,**} rwk, owner @{share_dirs}/steamapps/shadercache/@{int}/nvidiav@{int}/GLCache/ rw, owner @{share_dirs}/steamapps/shadercache/@{int}/nvidiav@{int}/GLCache/** rwk, + owner @{tmp}/runtime-info.txt.@{rand6} rw, + owner /dev/shm/fossilize-*-@{int}-@{int} rw, @{sys}/devices/system/node/node@{int}/cpumap r, @@ -41,3 +49,5 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game deleted file mode 100644 index 83d001455..000000000 --- a/apparmor.d/profiles-s-z/steam-game +++ /dev/null 
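Review bot: `@{arch}`, `@{runtime}` and `@{app_dirs}` are declared in steam-fossilize but none of the rules visible in this diff reference them; if the rest of the file does not either, they look copied from the steam profile and should be removed so the variable block only advertises paths the profile actually uses. `@{lib_dirs}` now also expands to `@{share_dirs}/linux{32,64}`, which widens every `@{lib_dirs}` rule below — worth a one-line comment stating why fossilize_replay needs the linux32/linux64 trees as well as the ubuntu ones.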
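Review bot: `signal receive peer=steam,` has no counterpart on the sender side: the steam profile's new signal block in this same commit only sends to steam-game, steam-launcher, steam//journalctl and steam//web, so a signal from steam to fossilize_replay is still denied by steam's own rules unless a send rule exists outside the visible hunks; add `signal send peer=steam-fossilize,` to steam if that path is intended. Replacing `@{lib_dirs}/*.so* mr,` with `@{lib_dirs}/** mr,` extends executable mapping from shared objects to every file under the (now larger) lib tree; if only libraries are mapped, keeping the `*.so*` form with the new directories is the tighter choice. The enclosing steam-fossilize profile continues outside this hunk.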
@@ -1,225 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for steam games - -# TODO: -# Split this profile in three: -# - steam-game-native for native linux games -# - steam-runtime for all runtime related task up to the creation of the sandbox -# - steam-game-proton for the sandboxed proton games -# -# Tasks: -# - AppArmor supports for {*^} regex, or find an alternative -# - AppArmor supports change profile from pivot_root -# - Stack steam//&game to bypass no-new-privs issue -# -# The current version of this profile is not very useful as it is very similar -# to the main steam profile. - -abi , - -include - -@{share_dirs} = @{user_share_dirs}/Steam -@{lib_dirs} = @{share_dirs}/ubuntu@{int}_{32,64} -@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper - -@{exec_path} = @{share_dirs}/steamapps/common/*/** -@{exec_path} += @{lib_dirs}/steam-runtime-sniper/*entry-point -profile steam-game @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - include - include - include - - capability dac_override, - capability dac_read_search, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - signal (receive) peer=steam, - - unix (receive) type=stream, - - @{exec_path} mrix, - - @{sh_path} rix, - @{bin}/bwrap rix, - @{bin}/env rix, - @{bin}/getopt rix, - @{bin}/gzip rix, - @{bin}/localedef rix, - @{bin}/python3.@{int} rix, - @{bin}/readlink rix, - @{bin}/steam-runtime-launcher-interface-* rix, - @{bin}/steam-runtime-system-info rix, - @{bin}/timeout rix, - @{bin}/true rix, - @{bin}/uname rix, - @{bin}/xdg-open rPx, - - @{lib}/pressure-vessel/from-host/@{bin}/* rix, - @{lib}/pressure-vessel/from-host/@{lib}/** rix, - @{lib}/steam-runtime-tools*/* mrix, - - @{lib_dirs}/{,**} r, - @{lib_dirs}/**.so* mr, - @{lib_dirs}/reaper rix, 
- @{lib_dirs}/steam-launch-wrapper rm, - @{lib_dirs}/steam-runtime/@{lib}/** mrix, - - @{runtime_dirs}/pressure-vessel/@{bin}/ r, - @{runtime_dirs}/pressure-vessel/@{bin}/* rix, - @{runtime_dirs}/pressure-vessel/@{lib}/ r, - @{runtime_dirs}/pressure-vessel/@{lib}/** mrix, - @{runtime_dirs}/run rix, - - @{share_dirs}/@{bin}/ r, - @{share_dirs}/@{bin}/* mr, - @{share_dirs}/d3ddriverquery64.dxvk-cache rw, - @{share_dirs}/legacycompat/ r, - @{share_dirs}/legacycompat/** mr, - @{share_dirs}/linux{32,64}/ r, - @{share_dirs}/linux{32,64}/**.so* mr, - @{share_dirs}/standalone_installscript_progress_@{int}.vdf rw, - @{share_dirs}/steamapps/common/*/* mr, - @{share_dirs}/steamapps/common/Proton*/ r, - @{share_dirs}/steamapps/common/Proton*/files/@{bin}/* mrix, - @{share_dirs}/steamapps/common/Proton*/files/@{lib}/** mrix, - @{share_dirs}/steamapps/common/Proton*/proton rix, - @{share_dirs}/steamapps/compatdata/@{int}/pfx/**.dll rm, - - @{user_games_dirs}/*/* mr, - @{user_games_dirs}/*/**.dll mr, - - @{run}/host/usr/bin/ldconfig rix, - @{run}/host/usr/lib{,32,64}/**.so* rm, - @{run}/host/usr/bin/localedef rix, - - /usr/share/terminfo/** r, - - /etc/machine-id r, - /etc/udev/udev.conf r, - /var/lib/dbus/machine-id r, - - / r, - /{usr/,}{local/,} r, - /{usr/,}{local/,}lib{,32,64}/ r, - /bindfile@{rand6} rw, - /home/ r, - /tmp/ r, - - owner /var/pressure-vessel/** rw, - owner /var/cache/ldconfig/aux-cache* rw, - - owner @{HOME}/ r, - owner @{HOME}/.steam/steam.pid r, - owner @{HOME}/.steam/steam.pipe r, - - owner @{user_games_dirs}/{,*/} r, - owner @{user_games_dirs}/*/{,**} rwkl, - - owner @{user_config_dirs}/unity3d/{,**} rwk, - - owner @{share_dirs}/ r, - owner @{share_dirs}/* r, - owner @{share_dirs}/*log* rw, - owner @{share_dirs}/config/config.vdf* rw, - owner @{share_dirs}/logs/{,*} rw, - owner @{share_dirs}/shader_cache_temp*/fozpipelinesv*/{,**} rw, - owner @{share_dirs}/steamapps/ r, - owner @{share_dirs}/steamapps/common/ r, - owner @{share_dirs}/steamapps/common/*/ 
r, - owner @{share_dirs}/steamapps/common/*/** rwkl, - owner @{share_dirs}/steamapps/common/Proton*/files/share/{,**} r, - owner @{share_dirs}/steamapps/compatdata/{,**} rwk, - owner @{share_dirs}/steamapps/shadercache/{,**} rwk, - owner @{share_dirs}/userdata/**/remotecache.vdf rw, - - @{run}/host/ r, - @{run}/host/container-manager r, - @{run}/host/fonts/{,**} r, - @{run}/host/share/{,**} r, - @{run}/host/usr/{,**} r, - owner @{run}/pressure-vessel/{,**} rw, - owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/orcexec.* mrw, # gstreamer - - owner /dev/shm/#@{int} rw, - owner /dev/shm/mono.* rw, - owner /dev/shm/u@{uid}-Shm_@{hex} rw, - owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, - owner /dev/shm/ValveIPCSHM_@{uid} rw, - owner /dev/shm/wine-*-fsync rw, - - owner @{tmp}/ r, - owner @{tmp}/.wine-@{int}/ rw, - owner @{tmp}/.wine-@{int}/** rwk, - owner @{tmp}/.wine-@{uid}/server-*/* rwk, - owner @{tmp}/#@{int} rw, - owner @{tmp}/CASESENSITIVETEST@{hex32} rw, - owner @{tmp}/miles_image_* mr, - owner @{tmp}/pressure-vessel-*/{,**} rwl, - owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, - - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{run}/udev/data/c116:@{int} r, # for ALSA - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - - @{sys}/ r, - @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/input/ r, - @{sys}/devices/**/input@{int}/ r, - @{sys}/devices/**/input@{int}/**/{vendor,product} r, - @{sys}/devices/**/input@{int}/capabilities/* r, - @{sys}/devices/**/input/input@{int}/ r, - @{sys}/devices/**/uevent r, - @{sys}/devices/@{pci}/sound/card@{int}/** r, - @{sys}/devices/@{pci}/usb@{int}/{manufacturer,product,bcdDevice,bInterfaceNumber} r, - @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, - @{sys}/devices/system/cpu/** r, - @{sys}/devices/system/node/node[0-9]/cpumap r, - 
@{sys}/devices/system/node/online r,
- @{sys}/devices/virtual/dmi/id/* r,
- @{sys}/kernel/ r,
-
- @{PROC}/@{pids}/net/dev r,
- @{PROC}/@{pids}/net/route r,
- @{PROC}/sys/net/core/bpf_jit_enable r,
- @{PROC}/uptime r,
- @{PROC}/version r,
- owner @{PROC}/@{pid}/cmdline r,
- owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/mounts r,
- owner @{PROC}/@{pid}/pagemap r,
- owner @{PROC}/@{pid}/stat r,
- owner @{PROC}/@{pid}/task/ r,
- owner @{PROC}/@{pid}/task/@{tid}/comm rw,
- owner @{PROC}/@{pid}/task/@{tid}/stat r,
-
- /dev/hidraw@{int} rw,
- /dev/input/ r,
- /dev/input/* rw,
- /dev/tty rw,
- /dev/uinput rw,
-
- deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
-
- include if exists
-}
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/steam-game-native b/apparmor.d/profiles-s-z/steam-game-native
new file mode 100644
index 000000000..9453076ea
--- /dev/null
+++ b/apparmor.d/profiles-s-z/steam-game-native
@@ -0,0 +1,40 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{arch} = amd64 i386
+@{runtime} = SteamLinuxRuntime_sniper
+@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
+@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
+@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
+@{app_dirs} = @{share_dirs}/steamapps/common/
+
+@{exec_path} = @{app_dirs}/*/**
+profile steam-game-native @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+ network unix stream,
+
+ signal receive peer=steam,
+
+ @{exec_path} rmix,
+
+ @{sh_path} rix,
+
+ @{app_dirs}/** mr,
+ @{lib_dirs}/** mr,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/profiles-s-z/steam-game-proton
new file mode 100644
index 000000000..49a668996
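Review bot: The attachment `@{exec_path} = @{app_dirs}/*/**` matches every file under `steamapps/common/`, including the `@{runtime}` and `Proton*` trees that `steam-game-proton` and `steam-runtime` handle separately (the runtime profile in this same series goes out of its way to exclude them with `@{app_dirs}/[^S]*/**`); if the parser resolves that overlap by most-specific attachment this is harmless, but it deserves a comment such as `# Attaches to everything under steamapps/common; pressure-vessel and Proton binaries are reached through steam-runtime and steam-game-proton instead`. Combined with `@{exec_path} rmix,` and `@{app_dirs}/** mr,`, anything a game writes into its own directory can be executed and mapped under this profile, which is inherent to confining user-installed games but worth stating in a header comment, as the deleted steam-game profile did. The file has no descriptive header at all; a line like `# Default profile for native linux games launched by steam-runtime` would make the steam-game-native / steam-game-proton split discoverable.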
--- /dev/null
+++ b/apparmor.d/profiles-s-z/steam-game-proton
@@ -0,0 +1,111 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{arch} = amd64 i386
+@{runtime} = SteamLinuxRuntime_sniper
+@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
+@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
+@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
+@{app_dirs} = @{share_dirs}/steamapps/common/
+
+@{exec_path} = @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap
+profile steam-game-proton @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+
+ capability dac_read_search,
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network unix stream,
+
+ signal receive peer=steam,
+
+ @{exec_path} mr,
+ @{bin}/bwrap mrix,
+
+ @{bin}/getopt rix,
+ @{bin}/gzip rix,
+ @{bin}/ldconfig rix,
+ @{bin}/localedef rix,
+ @{bin}/python3.@{int} rix,
+ @{bin}/readlink rix,
+ @{bin}/steam-runtime-launcher-interface-@{int} rix,
+ @{bin}/steam-runtime-system-info rix,
+ @{bin}/steam-runtime-urlopen rix,
+ @{bin}/true rix,
+ @{bin}/chmod rix,
+ @{open_path} rix,
+
+ @{lib_dirs}/** mr,
+ @{lib}/pressure-vessel/from-host/@{bin}/* rix,
+ @{lib}/pressure-vessel/from-host/@{lib}/** rix,
+ @{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
+
+ @{app_dirs}/** mr,
+ @{app_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix,
+ @{app_dirs}/Proton*/files/@{bin}/* rix,
+ @{app_dirs}/Proton*/files/@{lib}/** rix,
+ @{app_dirs}/Proton*/proton rix,
+ @{app_dirs}/@{runtime}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix,
+
+ @{run}/host/@{bin}/ldconfig rix,
+ @{run}/host/@{bin}/localedef rix,
+ @{run}/host/@{lib}/** mr,
+
+ @{share_dirs}/bin/d3ddriverquery64.exe mr,
+ @{share_dirs}/steamapps/compatdata/@{int}/pfx/** mr,
+
+ @{user_games_dirs}/** mr,
+
+ owner /bindfile@{rand6} rw,
+
+ owner /var/pressure-vessel/** rw,
+ owner /var/cache/ldconfig/aux-cache* rw,
+
+ owner @{app_dirs}/@{runtime}/var/tmp-@{rand6}/usr/.ref rwk,
+ owner @{app_dirs}/Proton*/** rwkl,
+
+ owner @{share_dirs}/*.dll r,
+ owner @{share_dirs}/bin/ r,
+ owner @{share_dirs}/legacycompat/ r,
+ owner @{share_dirs}/legacycompat/** mr,
+ owner @{share_dirs}/steamapps/compatdata/{,**} rwk,
+
+ owner @{user_share_dirs}/applications/wine/ rw,
+ owner @{user_share_dirs}/applications/wine/**/ rw,
+
+ owner @{tmp}/.wine-@{uid}/ rw,
+ owner @{tmp}/.wine-@{uid}/** rwk,
+ owner @{tmp}/glx-icds-@{rand6}/{,**} w,
+ owner @{tmp}/pressure-vessel-*-@{rand6}/ rw,
+ owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**,
+ owner @{tmp}/vdpau-drivers-@{rand6}/{,**} w,
+
+ owner /dev/shm/wine-@{hex6}-fsync rw,
+ owner /dev/shm/wine-@{hex6}@{h}-fsync rw,
+
+ @{run}/host/fonts/{,**} r,
+ @{run}/host/share/{,**} r,
+ @{run}/host/usr/{,**} r,
+ owner @{run}/pressure-vessel/{,**} r,
+
+ @{sys}/devices/system/node/node@{int}/cpumap r,
+ @{sys}/devices/system/node/online r,
+
+ @{PROC}/@{pids}/net/* r,
+ @{PROC}/sys/net/core/bpf_jit_enable r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui
index d41a5e644..bbe2452e2 100644
--- a/apparmor.d/profiles-s-z/steam-gameoverlayui
+++ b/apparmor.d/profiles-s-z/steam-gameoverlayui
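Review bot: `@{open_path} rix,` runs the URL/file opener inline under the proton game profile, so whatever it launches (typically a browser) inherits the game's confinement instead of its own profile; the deleted steam-game profile used `@{bin}/xdg-open rPx,` and this diff touches an `app-open` abstraction that exists for exactly that hand-off, so a `Px` transition in whatever form the repository uses for open handlers is the expected shape — if `ix` is needed because the opener runs inside the bwrap container, record that in a comment. `@{bin}/chmod rix,` is new relative to the old profile and unexplained; a trailing `# Proton setup adjusts permissions under compatdata — TODO confirm` would do. Note also that `owner @{app_dirs}/Proton*/** rwkl,` together with `@{app_dirs}/** mr,` lets the Proton tree be rewritten and then mapped executable, acceptable for a self-updating user install but worth acknowledging in the header.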
@@ -6,9 +6,12 @@ abi , include -@{share_dirs} = @{user_share_dirs}/Steam -@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} -@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper +@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation +@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} +@{app_dirs} = @{share_dirs}/steamapps/common/ @{exec_path} = @{lib_dirs}/gameoverlayui profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) { @@ -19,15 +22,16 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, - - unix (receive) type=stream, + network unix stream, @{exec_path} mr, - @{lib_dirs}/*.so* mr, - @{lib_dirs}/steam-runtime/@{lib}/**.so* mr, + @{lib_dirs}/**.so* mr, + @{runtime_dirs}/@{lib}/**.so* mr, - /usr/share/fonts/{,**} rk, # ? + @{lib_dirs}/steamerrorreporter rpx, + + /usr/share/fonts/{,**} rk, / r, /home/ r, @@ -45,15 +49,19 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) { owner @{share_dirs}/userdata/@{int}/{,**} rk, owner /dev/shm/u@{uid}-Shm_@{hex} rw, - owner /dev/shm/u@{uid}-ValveIPCSharedObj-* rwk, + owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, owner @{tmp}/gameoverlayui.log* rw, + owner @{tmp}/miles_image_@{rand6} mrw, + owner @{tmp}/runtime-info.txt.@{rand6} rw, owner @{tmp}/steam_chrome_overlay_uid@{uid}_spid@{pids} rw, - owner @{tmp}/miles_image_* mrw, @{sys}/ r, @{sys}/kernel/ r, + @{sys}/devices/ r, + @{sys}/devices/system/ r, + @{sys}/devices/system/cpu/cpu@{int}/ r, @{PROC}/version r, @@ -61,3 +69,5 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor 
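Review bot: The `# ?` marker was dropped from `/usr/share/fonts/{,**} rk,` without recording why a read-only font tree needs lock (`k`) permission; either keep a note such as `# k: lock requested on font files, origin unconfirmed` or check the audit log and drop `k` if it never fires. `owner @{tmp}/miles_image_@{rand6} mrw,` (moved, not new) grants write and mmap-exec on the same temp file created by the overlay itself — a W^X pattern that deserves a one-line comment naming what produces the file. Routing the crash reporter through `@{lib_dirs}/steamerrorreporter rpx,` rather than inheriting the overlay's rules is the right direction and needs no change.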
diff --git a/apparmor.d/profiles-s-z/steam-launch b/apparmor.d/profiles-s-z/steam-launch
new file mode 100644
index 000000000..877181b61
--- /dev/null
+++ b/apparmor.d/profiles-s-z/steam-launch
@@ -0,0 +1,48 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{arch} = amd64 i386
+@{runtime} = SteamLinuxRuntime_sniper
+@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
+@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
+@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
+@{app_dirs} = @{share_dirs}/steamapps/common/
+
+@{exec_path} = @{bin}/steam @{bin}/steam-runtime
+profile steam-launch @{exec_path} {
+ include
+ include
+
+ network unix stream,
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{bin}/cp rix,
+ @{bin}/dirname rix,
+ @{bin}/env rix,
+ @{bin}/id rix,
+ @{bin}/readlink rix,
+
+ @{lib}/steam/steam rix,
+ @{lib}/steam/bin_steam.sh rix,
+ @{share_dirs}/steam.sh rPx,
+
+ /usr/ r,
+ /usr/local/ r,
+
+ owner @{share_dirs}/bootstrap.tar.xz rw,
+
+ /dev/tty rw,
+
+ deny /opt/** r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/steam-launcher b/apparmor.d/profiles-s-z/steam-launcher
new file mode 100644
index 000000000..45fa30245
--- /dev/null
+++ b/apparmor.d/profiles-s-z/steam-launcher
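Review bot: The new file has no header comment explaining its role, and since its body is the old steam-runtime profile now attaching to `@{bin}/steam @{bin}/steam-runtime`, a reader needs one line to place it: `# Wrapper profile for /usr/bin/steam: runs the distro launcher scripts and hands off to steam.sh under the steam profile (rPx)`. `deny /opt/** r,` also carries no justification; if it is there to silence noise from the launcher scripts probing `/opt`, say so (`# silence: bin_steam.sh probes /opt — TODO confirm`), otherwise the next maintainer may assume something sensitive lives there. Unlike its siblings the profile has no `flags=(attach_disconnected)`; that is fine for a shell wrapper but should be intentional rather than an omission.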
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{arch} = amd64 i386
+@{runtime} = SteamLinuxRuntime_sniper
+@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
+@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
+@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
+@{app_dirs} = @{share_dirs}/steamapps/common/
+
+@{exec_path} = @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service
+profile steam-launcher @{exec_path} flags=(attach_disconnected) {
+ include
+
+ network unix stream,
+
+ signal receive peer=steam,
+
+ @{exec_path} mr,
+
+ @{lib_dirs}/** mr,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/steam-reaper b/apparmor.d/profiles-s-z/steam-reaper
deleted file mode 100644
index f635b1315..000000000
--- a/apparmor.d/profiles-s-z/steam-reaper
+++ /dev/null
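Review bot: The profile for `steam-runtime-launcher-service` contains no exec rule at all, so any command the service is asked to launch will be denied; if that is deliberate — the service only listening on its unix socket and never spawning anything while confined — record it with a comment such as `# No x rules on purpose: the service must not spawn children under this profile — TODO confirm`, otherwise the children need an explicit transition. The single abstraction plus `@{lib_dirs}/** mr,` also lets the service map any file in the user-writable Steam library tree as executable; `@{lib_dirs}/**.so* mr,` would match what the gameoverlayui profile in this series does and is enough for a binary that only needs its libraries.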
@@ -1,40 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{share_dirs} = @{user_share_dirs}/Steam -@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} -@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper - -@{exec_path} = @{lib_dirs}/reaper -profile steam-reaper @{exec_path} flags=(attach_disconnected) { - include - include - - unix (receive) type=stream, - - @{exec_path} mr, - - @{lib_dirs}/*.so* mr, - @{lib_dirs}/steam-runtime/@{lib}/**.so* mr, - @{lib_dirs}/steam-launch-wrapper rpx -> steam-game, - - @{share_dirs}/steamapps/common/*/* rpx -> steam-game, - - owner @{HOME}/.steam/steam.pipe r, - - owner @{share_dirs}/userdata/**/remotecache.vdf rw, - - owner /dev/shm/u@{uid}-Shm_@{hex} rw, - owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, - - @{sys}/devices/system/cpu/cpu@{int}/** r, - - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - - include if exists -} \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/steam-runtime b/apparmor.d/profiles-s-z/steam-runtime index 6d04630d4..5d6d0f856 100644 --- a/apparmor.d/profiles-s-z/steam-runtime +++ b/apparmor.d/profiles-s-z/steam-runtime 
@@ -6,38 +6,80 @@ abi , include -@{share_dirs} = @{user_share_dirs}/Steam -@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} -@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper +@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation +@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} +@{app_dirs} = @{share_dirs}/steamapps/common/ -@{exec_path} = @{bin}/steam @{bin}/steam-runtime -profile steam-runtime @{exec_path} { +@{exec_path} = @{lib_dirs}/reaper +profile steam-runtime @{exec_path} flags=(attach_disconnected) { include - include + include + include + include + include + include - unix (receive) type=stream, + network unix stream, @{exec_path} mr, - @{sh_path} rix, - @{bin}/cp rix, - @{bin}/dirname rix, - @{bin}/env rix, - @{bin}/id rix, - @{bin}/readlink rix, + @{sh_path} r, + @{bin}/getopt rix, + @{bin}/readlink rix, - @{lib}/steam/steam rix, - @{lib}/steam/bin_steam.sh rix, - @{share_dirs}/steam.sh rPx, + @{lib_dirs}/** mr, + @{lib_dirs}/steam-launch-wrapper rix, - /usr/ r, - /usr/local/ r, + # Native linux games (steam-game-native) + @{app_dirs}/[^S]*/** rpx -> steam-game-native, - owner @{share_dirs}/bootstrap.tar.xz rw, + # Proton games, sandboxed (steam-game-proton) + @{app_dirs}/@{runtime}/*entry-point rmix, + @{app_dirs}/@{runtime}/pressure-vessel/@{bin}/pressure-vessel-* rix, + @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/** mr, + @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-capsule-capture-libs rix, + @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-detect-platform rix, + @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-inspect-library rix, + @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rpx -> steam-game-proton, + 
@{app_dirs}/@{runtime}/run rix, + @{bin}/bwrap rpx -> steam-game-proton, + + / r, + @{lib}/ r, + @{lib_dirs}/ r, + + owner @{HOME}/.steam/steam.pipe r, + + owner @{app_dirs}/*/ r, + owner @{app_dirs}/config/config.vdf rw, + owner @{app_dirs}/@{runtime}/** r, + owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk, + owner @{app_dirs}/@{runtime}/sniper_platform_*/** rwk, + owner @{app_dirs}/@{runtime}/var/** rwk, + owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/pressure-vessel/**, + owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/sniper_platform_*/**, + + owner @{tmp}/ r, + owner @{tmp}/#@{int} rw, + owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, + + owner @{run}/user/@{uid}/ r, + + owner /dev/shm/u@{uid}-Shm_@{hex6} rw, + owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, + owner /dev/shm/u@{uid}-Shm_@{hex8} rw, + owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, + + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/comm r, + owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, - deny /opt/** r, - include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/steamerrorreporter b/apparmor.d/profiles-s-z/steamerrorreporter index c9e1bf630..3e206e898 100644 --- a/apparmor.d/profiles-s-z/steamerrorreporter +++ b/apparmor.d/profiles-s-z/steamerrorreporter 
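Review bot: `@{app_dirs}/[^S]*/** rpx -> steam-game-native,` excludes every game directory whose name begins with a capital `S`, not just `@{runtime}` (SteamLinuxRuntime_sniper): any title installed under `steamapps/common/S…/` will be denied execution instead of being transitioned. AppArmor globbing has no negation, and a plain `*` would presumably clash with the `srt-bwrap rpx -> steam-game-proton` rule below, so if `[^S]` is the accepted trade-off it must be documented in place, e.g. `# [^S] keeps @{runtime} out of this rule (no negative globs); it also excludes any game dir starting with 'S' — known limitation`. Separately, `owner @{app_dirs}/config/config.vdf rw,` looks like a path slip: the deleted steam-game profile had `owner @{share_dirs}/config/config.vdf* rw,`, and `@{app_dirs}` expands to `steamapps/common/`, so this rule most likely never matches anything. The profile body is complete within this hunk.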
@@ -6,12 +6,15 @@ abi , include -@{share_dirs} = @{user_share_dirs}/Steam -@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} -@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper +@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation +@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} +@{app_dirs} = @{share_dirs}/steamapps/common/ -@{exec_path} = @{share_dirs}/linux{32,64}/steamerrorreporter -profile steamerrorreporter @{exec_path} { +@{exec_path} = @{lib_dirs}/steamerrorreporter +profile steamerrorreporter @{exec_path} flags=(attach_disconnected) { include include @@ -19,14 +22,14 @@ profile steamerrorreporter @{exec_path} { network inet stream, network inet6 dgram, network inet6 stream, + network unix stream, @{exec_path} mr, owner @{HOME}/.steam/steam.pipe r, - owner @{lib_dirs}/ r, - owner @{lib_dirs}/steam-runtime/pinned_libs_{32,64}/ r, - + owner @{lib_dirs}/{,**} r, + owner @{runtime_dirs}/pinned_libs_{32,64}/ r, owner @{share_dirs}/ r, owner @{tmp}/dumps/ r, @@ -35,4 +38,6 @@ profile steamerrorreporter @{exec_path} { owner @{PROC}/@{pid}/status r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 39c68f5ed..a790e6b7b 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -64,7 +64,7 @@ profile strawberry @{exec_path} { owner @{tmp}/.*/s rw, owner @{tmp}/*= w, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex} rw, + owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, owner @{tmp}/strawberry-cover-@{rand6}.jpg rwl -> @{tmp}/#@{int}, owner @{tmp}/strawberry*[0-9] w, @@ -79,3 +79,5 @@ profile strawberry @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/strawberry-tagreader b/apparmor.d/profiles-s-z/strawberry-tagreader index de4462c8c..0e1aced4f 100644 --- a/apparmor.d/profiles-s-z/strawberry-tagreader +++ b/apparmor.d/profiles-s-z/strawberry-tagreader @@ -29,3 +29,5 @@ profile strawberry-tagreader @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su index 940536a07..429c48938 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/profiles-s-z/su @@ -28,3 +28,5 @@ profile su @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index f67917f55..0ba2694bd 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -47,3 +47,5 @@ profile sudo @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sulogin b/apparmor.d/profiles-s-z/sulogin index a50aeea42..3793df043 100644 --- a/apparmor.d/profiles-s-z/sulogin +++ b/apparmor.d/profiles-s-z/sulogin @@ -26,4 +26,6 @@ profile sulogin @{exec_path} { /dev/tty@{int} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/swaplabel b/apparmor.d/profiles-s-z/swaplabel index a038e9dc9..03d2fe8d0 100644 --- a/apparmor.d/profiles-s-z/swaplabel +++ b/apparmor.d/profiles-s-z/swaplabel @@ -19,3 +19,5 @@ profile swaplabel @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/swapon b/apparmor.d/profiles-s-z/swapon index 613e1b3de..31ee2e93a 100644 --- a/apparmor.d/profiles-s-z/swapon +++ b/apparmor.d/profiles-s-z/swapon @@ -28,3 +28,5 @@ profile swapon @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index 19b991cc1..4cfa8ba96 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control 
+++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -34,3 +34,5 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/switcherooctl b/apparmor.d/profiles-s-z/switcherooctl index 1afd61d9c..9979c9246 100644 --- a/apparmor.d/profiles-s-z/switcherooctl +++ b/apparmor.d/profiles-s-z/switcherooctl @@ -17,4 +17,6 @@ profile switcherooctl @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/swtpm b/apparmor.d/profiles-s-z/swtpm index 8b4fd09d0..4f6d1b38c 100644 --- a/apparmor.d/profiles-s-z/swtpm +++ b/apparmor.d/profiles-s-z/swtpm @@ -28,4 +28,6 @@ profile swtpm @{exec_path} { @{run}/libvirt/qemu/swtpm/*.pid w, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/swtpm_ioctl b/apparmor.d/profiles-s-z/swtpm_ioctl index 708ee3982..c77810624 100644 --- a/apparmor.d/profiles-s-z/swtpm_ioctl +++ b/apparmor.d/profiles-s-z/swtpm_ioctl @@ -16,4 +16,6 @@ profile swtpm_ioctl @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/swtpm_localca b/apparmor.d/profiles-s-z/swtpm_localca index 6a8998829..a9749c91f 100644 --- a/apparmor.d/profiles-s-z/swtpm_localca +++ b/apparmor.d/profiles-s-z/swtpm_localca @@ -30,4 +30,6 @@ profile swtpm_localca @{exec_path} { @{run}/libvirt/qemu/swtpm/*.sock w, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/swtpm_setup b/apparmor.d/profiles-s-z/swtpm_setup index 18aafae60..f4b01f0e0 100644 --- a/apparmor.d/profiles-s-z/swtpm_setup +++ b/apparmor.d/profiles-s-z/swtpm_setup @@ -26,4 +26,6 @@ profile swtpm_setup @{exec_path} { owner @{tmp}/.swtpm_setup.pidfile* rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/sync b/apparmor.d/profiles-s-z/sync index 3211a2b59..6bdb55732 100644 --- a/apparmor.d/profiles-s-z/sync +++ b/apparmor.d/profiles-s-z/sync @@ -14,4 +14,6 @@ profile sync @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index 36a5c9856..c90665cdf 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -31,3 +31,5 @@ profile syncoid @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index f669e73dc..50b04668b 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -45,3 +45,5 @@ profile syncthing @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/profiles-s-z/sysctl index 839e473f6..4e50430be 100644 --- a/apparmor.d/profiles-s-z/sysctl +++ b/apparmor.d/profiles-s-z/sysctl @@ -31,4 +31,6 @@ profile sysctl @{exec_path} { deny network inet stream, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index fb3c60772..ab36047f2 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -58,3 +58,5 @@ profile system-config-printer @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/system-config-printer-applet b/apparmor.d/profiles-s-z/system-config-printer-applet index f5c393f64..0112b152a 100644 --- a/apparmor.d/profiles-s-z/system-config-printer-applet +++ b/apparmor.d/profiles-s-z/system-config-printer-applet 
@@ -31,3 +31,5 @@ profile system-config-printer-applet @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/task b/apparmor.d/profiles-s-z/task index 3c0ea26b5..bd7f276a8 100644 --- a/apparmor.d/profiles-s-z/task +++ b/apparmor.d/profiles-s-z/task @@ -47,3 +47,5 @@ profile task @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel index 94bba6ce9..b96200dea 100644 --- a/apparmor.d/profiles-s-z/tasksel +++ b/apparmor.d/profiles-s-z/tasksel @@ -80,3 +80,5 @@ profile tasksel @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/taskwarrior-tui b/apparmor.d/profiles-s-z/taskwarrior-tui index f3678ff82..f125c993d 100644 --- a/apparmor.d/profiles-s-z/taskwarrior-tui +++ b/apparmor.d/profiles-s-z/taskwarrior-tui @@ -30,3 +30,5 @@ profile taskwarrior-tui @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index c63a5657c..3f9ba6e25 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -63,4 +63,6 @@ profile terminator @{exec_path} flags=(attach_disconnected) { deny @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tftp b/apparmor.d/profiles-s-z/tftp index 977b51790..fb848cb1c 100644 --- a/apparmor.d/profiles-s-z/tftp +++ b/apparmor.d/profiles-s-z/tftp @@ -17,3 +17,5 @@ profile tftp @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index 5dfa66125..1e72d45ec 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -82,3 +82,5 @@ profile thermald @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/thinkfan b/apparmor.d/profiles-s-z/thinkfan index cd5160493..56a39736e 100644 --- a/apparmor.d/profiles-s-z/thinkfan +++ b/apparmor.d/profiles-s-z/thinkfan @@ -28,3 +28,5 @@ profile thinkfan @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 7e9b67d6d..d6553d990 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -179,3 +179,5 @@ profile thunderbird @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index b69db4912..17fda9d56 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -26,4 +26,6 @@ profile thunderbird-glxtest @{exec_path} { owner @{PROC}/@{pid}/cmdline r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/thunderbird-vaapitest b/apparmor.d/profiles-s-z/thunderbird-vaapitest index 345b7a6f8..85c1a08cb 100644 --- a/apparmor.d/profiles-s-z/thunderbird-vaapitest +++ b/apparmor.d/profiles-s-z/thunderbird-vaapitest @@ -28,3 +28,5 @@ profile thunderbird-vaapitest @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tint2 b/apparmor.d/profiles-s-z/tint2 index e098f55e4..2e44d0fab 100644 --- a/apparmor.d/profiles-s-z/tint2 +++ b/apparmor.d/profiles-s-z/tint2 @@ -62,3 +62,5 @@ profile tint2 @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tint2conf b/apparmor.d/profiles-s-z/tint2conf index 2ad3762cf..776b843a3 100644 --- a/apparmor.d/profiles-s-z/tint2conf +++ b/apparmor.d/profiles-s-z/tint2conf @@ -41,3 +41,5 @@ profile tint2conf @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/top b/apparmor.d/profiles-s-z/top index 91cdd57a1..9e4b7c11a 100644 --- a/apparmor.d/profiles-s-z/top +++ b/apparmor.d/profiles-s-z/top @@ -68,3 +68,5 @@ profile top @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/torify b/apparmor.d/profiles-s-z/torify index 6eb5f76fa..fcc4c9b98 100644 --- a/apparmor.d/profiles-s-z/torify +++ b/apparmor.d/profiles-s-z/torify @@ -16,3 +16,5 @@ profile torify @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/torsocks b/apparmor.d/profiles-s-z/torsocks index b72a959e7..8d75133da 100644 --- a/apparmor.d/profiles-s-z/torsocks +++ b/apparmor.d/profiles-s-z/torsocks @@ -25,3 +25,5 @@ profile torsocks @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tpacpi-bat b/apparmor.d/profiles-s-z/tpacpi-bat index 3febe67c9..673f46e32 100644 --- a/apparmor.d/profiles-s-z/tpacpi-bat +++ b/apparmor.d/profiles-s-z/tpacpi-bat @@ -28,3 +28,5 @@ profile tpacpi-bat @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/transmission-gtk b/apparmor.d/profiles-s-z/transmission-gtk index 3da3784e5..40586fa03 100644 --- a/apparmor.d/profiles-s-z/transmission-gtk +++ b/apparmor.d/profiles-s-z/transmission-gtk @@ -50,3 +50,5 @@ profile transmission-gtk @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/transmission-qt b/apparmor.d/profiles-s-z/transmission-qt index 5b232a005..bbfe5bff4 100644 --- a/apparmor.d/profiles-s-z/transmission-qt +++ b/apparmor.d/profiles-s-z/transmission-qt @@ -52,3 +52,5 @@ profile transmission-qt @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tune2fs b/apparmor.d/profiles-s-z/tune2fs index 192fff844..d9a8c5409 100644 --- a/apparmor.d/profiles-s-z/tune2fs +++ b/apparmor.d/profiles-s-z/tune2fs 
@@ -34,3 +34,5 @@ profile tune2fs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-dmi-memory-id b/apparmor.d/profiles-s-z/udev-dmi-memory-id index 62c834d99..ab6a2de77 100644 --- a/apparmor.d/profiles-s-z/udev-dmi-memory-id +++ b/apparmor.d/profiles-s-z/udev-dmi-memory-id @@ -18,4 +18,6 @@ profile udev-dmi-memory-id @{exec_path} { @{sys}/firmware/dmi/tables/smbios_entry_point r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udiskie b/apparmor.d/profiles-s-z/udiskie index f6e7aaafc..505017bcd 100644 --- a/apparmor.d/profiles-s-z/udiskie +++ b/apparmor.d/profiles-s-z/udiskie @@ -68,3 +68,5 @@ profile udiskie @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udiskie-info b/apparmor.d/profiles-s-z/udiskie-info index 947144150..aa359ef56 100644 --- a/apparmor.d/profiles-s-z/udiskie-info +++ b/apparmor.d/profiles-s-z/udiskie-info @@ -24,3 +24,5 @@ profile udiskie-info @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udiskie-mount b/apparmor.d/profiles-s-z/udiskie-mount index bbfb20ad8..7e72e9713 100644 --- a/apparmor.d/profiles-s-z/udiskie-mount +++ b/apparmor.d/profiles-s-z/udiskie-mount @@ -24,3 +24,5 @@ profile udiskie-mount @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udiskie-umount b/apparmor.d/profiles-s-z/udiskie-umount index edf8c79b9..8dc30eb9a 100644 --- a/apparmor.d/profiles-s-z/udiskie-umount +++ b/apparmor.d/profiles-s-z/udiskie-umount @@ -24,3 +24,5 @@ profile udiskie-umount @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udisksctl b/apparmor.d/profiles-s-z/udisksctl index c4f6dc96b..a05cede9c 100644 --- a/apparmor.d/profiles-s-z/udisksctl +++ b/apparmor.d/profiles-s-z/udisksctl 
@@ -23,3 +23,5 @@ profile udisksctl @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index cbe3a79b0..365044702 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -150,3 +150,5 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/umount b/apparmor.d/profiles-s-z/umount index 8253f4335..e066dff89 100644 --- a/apparmor.d/profiles-s-z/umount +++ b/apparmor.d/profiles-s-z/umount @@ -48,3 +48,5 @@ profile umount @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/umount.udisks2 b/apparmor.d/profiles-s-z/umount.udisks2 index 87a8e2b33..2a6f7747d 100644 --- a/apparmor.d/profiles-s-z/umount.udisks2 +++ b/apparmor.d/profiles-s-z/umount.udisks2 @@ -15,3 +15,5 @@ profile umount.udisks2 @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/uname b/apparmor.d/profiles-s-z/uname index 267fdb82a..4dd41a7bf 100644 --- a/apparmor.d/profiles-s-z/uname +++ b/apparmor.d/profiles-s-z/uname @@ -21,3 +21,5 @@ profile uname @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/unhide-linux b/apparmor.d/profiles-s-z/unhide-linux index a782c72ca..d03561452 100644 --- a/apparmor.d/profiles-s-z/unhide-linux +++ b/apparmor.d/profiles-s-z/unhide-linux @@ -36,3 +36,5 @@ profile unhide-linux @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/unhide-posix b/apparmor.d/profiles-s-z/unhide-posix index 0e869207c..1277e299c 100644 --- a/apparmor.d/profiles-s-z/unhide-posix +++ b/apparmor.d/profiles-s-z/unhide-posix @@ -39,3 +39,5 @@ profile unhide-posix @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/unhide-rb b/apparmor.d/profiles-s-z/unhide-rb index a860f5218..e503f639a 100644 --- a/apparmor.d/profiles-s-z/unhide-rb +++ b/apparmor.d/profiles-s-z/unhide-rb @@ -23,3 +23,5 @@ profile unhide-rb @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/unhide-tcp b/apparmor.d/profiles-s-z/unhide-tcp index bd17557df..bb54d19b1 100644 --- a/apparmor.d/profiles-s-z/unhide-tcp +++ b/apparmor.d/profiles-s-z/unhide-tcp @@ -33,3 +33,5 @@ profile unhide-tcp @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 65fd4330c..c24da3bab 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -30,3 +30,5 @@ profile unix-chkpwd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs index 23f4e2490..d5d1cb953 100644 --- a/apparmor.d/profiles-s-z/unmkinitramfs +++ b/apparmor.d/profiles-s-z/unmkinitramfs @@ -52,3 +52,5 @@ profile unmkinitramfs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index 3ef1d8f1d..dfe7725d8 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -32,3 +32,5 @@ profile update-alternatives @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index d1dba09ea..f08383fba 100644 --- a/apparmor.d/profiles-s-z/update-ca-certificates +++ b/apparmor.d/profiles-s-z/update-ca-certificates @@ -59,3 +59,5 @@ profile update-ca-certificates @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/update-ca-trust b/apparmor.d/profiles-s-z/update-ca-trust index 4a9df2282..a4434ad48 100644 --- a/apparmor.d/profiles-s-z/update-ca-trust +++ b/apparmor.d/profiles-s-z/update-ca-trust @@ -37,4 +37,6 @@ profile update-ca-trust @{exec_path} { deny network inet stream, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-command-not-found b/apparmor.d/profiles-s-z/update-command-not-found index a6e3eb3b4..56c215402 100644 --- a/apparmor.d/profiles-s-z/update-command-not-found +++ b/apparmor.d/profiles-s-z/update-command-not-found @@ -47,3 +47,5 @@ profile update-command-not-found @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-cracklib b/apparmor.d/profiles-s-z/update-cracklib index 7c2d4c1b9..6b4192903 100644 --- a/apparmor.d/profiles-s-z/update-cracklib +++ b/apparmor.d/profiles-s-z/update-cracklib @@ -39,4 +39,6 @@ profile update-cracklib @{exec_path} { owner @{tmp}/sort@{rand6} rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-dlocatedb b/apparmor.d/profiles-s-z/update-dlocatedb index fcf3c65b1..08687c6c8 100644 --- a/apparmor.d/profiles-s-z/update-dlocatedb +++ b/apparmor.d/profiles-s-z/update-dlocatedb @@ -62,3 +62,5 @@ profile update-dlocatedb @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index be61c82b0..fc62d99f2 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -53,3 +53,5 @@ profile update-initramfs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-pciids b/apparmor.d/profiles-s-z/update-pciids index 759166464..233ed60be 100644 --- a/apparmor.d/profiles-s-z/update-pciids 
+++ b/apparmor.d/profiles-s-z/update-pciids @@ -66,3 +66,5 @@ profile update-pciids @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy index 8c3db4b0d..8431fd1e6 100644 --- a/apparmor.d/profiles-s-z/update-secureboot-policy +++ b/apparmor.d/profiles-s-z/update-secureboot-policy @@ -34,3 +34,5 @@ profile update-secureboot-policy @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-smart-drivedb b/apparmor.d/profiles-s-z/update-smart-drivedb index 60c1de581..7140bbd5b 100644 --- a/apparmor.d/profiles-s-z/update-smart-drivedb +++ b/apparmor.d/profiles-s-z/update-smart-drivedb @@ -92,3 +92,5 @@ profile update-smart-drivedb @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/updatedb-mlocate b/apparmor.d/profiles-s-z/updatedb-mlocate index 6a2469e3a..9e470d878 100644 --- a/apparmor.d/profiles-s-z/updatedb-mlocate +++ b/apparmor.d/profiles-s-z/updatedb-mlocate @@ -64,3 +64,5 @@ profile updatedb-mlocate @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/updatedb.plocate b/apparmor.d/profiles-s-z/updatedb.plocate index 3b2cdd991..67ea546fd 100644 --- a/apparmor.d/profiles-s-z/updatedb.plocate +++ b/apparmor.d/profiles-s-z/updatedb.plocate @@ -38,3 +38,5 @@ profile updatedb.plocate @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/uptime b/apparmor.d/profiles-s-z/uptime index b0cb79a81..1b28a07da 100644 --- a/apparmor.d/profiles-s-z/uptime +++ b/apparmor.d/profiles-s-z/uptime @@ -21,3 +21,5 @@ profile uptime @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/uptimed b/apparmor.d/profiles-s-z/uptimed index 0c87a121b..a850d7771 100644 --- a/apparmor.d/profiles-s-z/uptimed +++ b/apparmor.d/profiles-s-z/uptimed 
@@ -19,4 +19,6 @@ profile uptimed @{exec_path} { @{run}/uptimed/uptimed.pid rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/usb-devices b/apparmor.d/profiles-s-z/usb-devices index 881e35c45..94e6526ab 100644 --- a/apparmor.d/profiles-s-z/usb-devices +++ b/apparmor.d/profiles-s-z/usb-devices @@ -13,20 +13,24 @@ profile usb-devices @{exec_path} { include include - capability dac_read_search, - deny capability dac_override, + capability dac_override, + capability dac_read_search, + + @{exec_path} mr, - @{exec_path} r, @{sh_path} rix, - - @{bin}/cat rix, - @{bin}/cut rix, @{bin}/{,e}grep rix, @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/find rix, @{bin}/readlink rix, + @{bin}/sort rix, # For shell pwd /root/ r, include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/usbguard b/apparmor.d/profiles-s-z/usbguard index 7ceb6038b..deb5ef46d 100644 --- a/apparmor.d/profiles-s-z/usbguard +++ b/apparmor.d/profiles-s-z/usbguard @@ -37,3 +37,5 @@ profile usbguard @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/usbguard-applet-qt b/apparmor.d/profiles-s-z/usbguard-applet-qt index a266575ee..bc004b86f 100644 --- a/apparmor.d/profiles-s-z/usbguard-applet-qt +++ b/apparmor.d/profiles-s-z/usbguard-applet-qt @@ -44,3 +44,5 @@ profile usbguard-applet-qt @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/usbguard-daemon b/apparmor.d/profiles-s-z/usbguard-daemon index f831200e0..d6c05f782 100644 --- a/apparmor.d/profiles-s-z/usbguard-daemon +++ b/apparmor.d/profiles-s-z/usbguard-daemon @@ -40,3 +40,5 @@ profile usbguard-daemon @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/usbguard-dbus b/apparmor.d/profiles-s-z/usbguard-dbus index f4cc7a4cb..b02524d55 100644 --- a/apparmor.d/profiles-s-z/usbguard-dbus 
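Review bot: In the usb-devices hunk, `- deny capability dac_override,` becomes `+ capability dac_override,`, turning an explicit denial into a grant without a comment saying what the script needs it for. `capability dac_read_search,` on the next line already bypasses read and search permission checks, which is what a root-run sysfs enumerator needs; `dac_override` additionally bypasses write checks, a broader privilege than the profile's read-only file rules suggest. If the change was driven by a logged denial, a one-line comment such as `# dac_override: <reason from the audit log>` would let a later reviewer judge whether the grant is still needed; otherwise restoring `deny capability dac_override,` keeps the tighter policy.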
+++ b/apparmor.d/profiles-s-z/usbguard-dbus @@ -23,3 +23,5 @@ profile usbguard-dbus @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/usbguard-notifier b/apparmor.d/profiles-s-z/usbguard-notifier index f8f2b75a5..48f88d0aa 100644 --- a/apparmor.d/profiles-s-z/usbguard-notifier +++ b/apparmor.d/profiles-s-z/usbguard-notifier @@ -20,3 +20,5 @@ profile usbguard-notifier @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd index 78cc81779..a6094867a 100644 --- a/apparmor.d/profiles-s-z/useradd +++ b/apparmor.d/profiles-s-z/useradd @@ -73,3 +73,5 @@ profile useradd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/userdel b/apparmor.d/profiles-s-z/userdel index 5c5b4f9bb..6b95a4848 100644 --- a/apparmor.d/profiles-s-z/userdel +++ b/apparmor.d/profiles-s-z/userdel @@ -55,3 +55,5 @@ profile userdel @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/usermod b/apparmor.d/profiles-s-z/usermod index 6c9dd9b2a..cfcdc6bdc 100644 --- a/apparmor.d/profiles-s-z/usermod +++ b/apparmor.d/profiles-s-z/usermod @@ -56,3 +56,5 @@ profile usermod @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/users b/apparmor.d/profiles-s-z/users index 684b489a3..fbad304bf 100644 --- a/apparmor.d/profiles-s-z/users +++ b/apparmor.d/profiles-s-z/users @@ -20,3 +20,5 @@ profile users @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/utmpdump b/apparmor.d/profiles-s-z/utmpdump index 3cb319f23..054bb69ce 100644 --- a/apparmor.d/profiles-s-z/utmpdump +++ b/apparmor.d/profiles-s-z/utmpdump @@ -18,3 +18,5 @@ profile utmpdump @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/utox b/apparmor.d/profiles-s-z/utox index 5a0c2cc81..e5642c263 100644 --- a/apparmor.d/profiles-s-z/utox +++ b/apparmor.d/profiles-s-z/utox @@ -39,3 +39,5 @@ profile utox @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/uuidd b/apparmor.d/profiles-s-z/uuidd index 2fd5956f5..c98d8175f 100644 --- a/apparmor.d/profiles-s-z/uuidd +++ b/apparmor.d/profiles-s-z/uuidd @@ -13,4 +13,6 @@ profile uuidd @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/uuidgen b/apparmor.d/profiles-s-z/uuidgen index 4a433508f..b00ed1f26 100644 --- a/apparmor.d/profiles-s-z/uuidgen +++ b/apparmor.d/profiles-s-z/uuidgen @@ -14,4 +14,6 @@ profile uuidgen @{exec_path} { @{exec_path} mr, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/uupdate b/apparmor.d/profiles-s-z/uupdate index ffc6c4069..f49441ebf 100644 --- a/apparmor.d/profiles-s-z/uupdate +++ b/apparmor.d/profiles-s-z/uupdate @@ -52,3 +52,5 @@ profile uupdate @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/vcsi b/apparmor.d/profiles-s-z/vcsi index 9ceb9ec4b..37422840c 100644 --- a/apparmor.d/profiles-s-z/vcsi +++ b/apparmor.d/profiles-s-z/vcsi @@ -32,3 +32,5 @@ profile vcsi @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index b9c129559..226a0dd98 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter @@ -70,3 +70,5 @@ profile vidcutter @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/vipw-vigr b/apparmor.d/profiles-s-z/vipw-vigr index c6e58e7f5..835267c2d 100644 --- a/apparmor.d/profiles-s-z/vipw-vigr +++ b/apparmor.d/profiles-s-z/vipw-vigr 
@@ -49,3 +49,5 @@ profile vipw-vigr @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 68f52dd37..9fa13e500 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -100,3 +100,5 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index a457d6c89..5d113ba3b 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -85,3 +85,5 @@ profile vlc @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/vlc-cache-gen b/apparmor.d/profiles-s-z/vlc-cache-gen index bffbd8fc0..b464f1712 100644 --- a/apparmor.d/profiles-s-z/vlc-cache-gen +++ b/apparmor.d/profiles-s-z/vlc-cache-gen @@ -23,4 +23,6 @@ profile vlc-cache-gen @{exec_path} { deny network inet stream, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/vnstat b/apparmor.d/profiles-s-z/vnstat index 2a2f3b55a..25bdcfb1b 100644 --- a/apparmor.d/profiles-s-z/vnstat +++ b/apparmor.d/profiles-s-z/vnstat @@ -68,3 +68,5 @@ profile vnstat @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/vnstatd b/apparmor.d/profiles-s-z/vnstatd index a037c684d..c37c8b6d7 100644 --- a/apparmor.d/profiles-s-z/vnstatd +++ b/apparmor.d/profiles-s-z/vnstatd @@ -30,3 +30,5 @@ profile vnstatd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/volumeicon b/apparmor.d/profiles-s-z/volumeicon index 010b83789..c58381d7d 100644 --- a/apparmor.d/profiles-s-z/volumeicon +++ b/apparmor.d/profiles-s-z/volumeicon @@ -36,3 +36,5 @@ profile volumeicon @{exec_path} { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/vsftpd b/apparmor.d/profiles-s-z/vsftpd index 33915f7c5..aa45b805e 100644 --- a/apparmor.d/profiles-s-z/vsftpd +++ b/apparmor.d/profiles-s-z/vsftpd @@ -71,3 +71,5 @@ profile vsftpd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/w b/apparmor.d/profiles-s-z/w index 839080510..a3fc8c9e3 100644 --- a/apparmor.d/profiles-s-z/w +++ b/apparmor.d/profiles-s-z/w @@ -35,3 +35,5 @@ profile w @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/w3m b/apparmor.d/profiles-s-z/w3m new file mode 100644 index 000000000..5b919ecc0 --- /dev/null +++ b/apparmor.d/profiles-s-z/w3m @@ -0,0 +1,35 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/w3m +profile w3m @{exec_path} { + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + + @{exec_path} mr, + + /usr/share/terminfo/{,**} r, + + /etc/w3m/{,**} r, + owner @{HOME}/.w3m/{,**} r, + owner @{user_config_dirs}/w3m/{,**} r, + + owner /tmp/@{rand6}/{,**} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/wavemon b/apparmor.d/profiles-s-z/wavemon index 12299df81..9ec082580 100644 --- a/apparmor.d/profiles-s-z/wavemon +++ b/apparmor.d/profiles-s-z/wavemon @@ -30,3 +30,5 @@ profile wavemon @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/whatis b/apparmor.d/profiles-s-z/whatis index db62117f8..e99900304 100644 --- a/apparmor.d/profiles-s-z/whatis +++ b/apparmor.d/profiles-s-z/whatis @@ -30,3 +30,5 @@ profile whatis @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/whdd b/apparmor.d/profiles-s-z/whdd index 77e93426b..e5e111b8b 100644 --- a/apparmor.d/profiles-s-z/whdd 
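Review bot: The new w3m profile writes its temporary files with `owner /tmp/@{rand6}/{,**} rw,`, a literal `/tmp` where the rest of this commit uses the `@{tmp}` tunable (e.g. `owner @{tmp}/sort@{rand6} rw,` in update-cracklib and `owner @{tmp}/wl-copy-buffer-*/{,**} rw,` in wl-copy); `owner @{tmp}/@{rand6}/{,**} rw,` keeps it consistent and lets the tunable cover private-tmp setups. The pattern also matches any six-character random directory under /tmp rather than only w3m's own, so if w3m uses a recognisable prefix it would be worth narrowing to that. `owner @{HOME}/.w3m/{,**} r,` is read-only, while w3m is typically configured to keep cookies, history and bookmarks under that directory; if that is the case here, enforce mode will likely log write denials and the rule needs `rw`.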
+++ b/apparmor.d/profiles-s-z/whdd @@ -34,3 +34,5 @@ profile whdd @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/whereis b/apparmor.d/profiles-s-z/whereis index c79baf349..330957a62 100644 --- a/apparmor.d/profiles-s-z/whereis +++ b/apparmor.d/profiles-s-z/whereis @@ -40,3 +40,5 @@ profile whereis @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index 6b24b8a71..32d0945e1 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -35,3 +35,5 @@ profile which @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail index 464d5862c..f2339717a 100644 --- a/apparmor.d/profiles-s-z/whiptail +++ b/apparmor.d/profiles-s-z/whiptail @@ -22,3 +22,5 @@ profile whiptail @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/who b/apparmor.d/profiles-s-z/who index 5a9ef26c6..bed53e7e6 100644 --- a/apparmor.d/profiles-s-z/who +++ b/apparmor.d/profiles-s-z/who @@ -22,3 +22,5 @@ profile who @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/whoami b/apparmor.d/profiles-s-z/whoami index cb7e2bb81..3072d7da0 100644 --- a/apparmor.d/profiles-s-z/whoami +++ b/apparmor.d/profiles-s-z/whoami @@ -17,3 +17,5 @@ profile whoami @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber index 143b9a4cc..146408bc7 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber @@ -76,3 +76,5 @@ profile wireplumber @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark index 3c10760d3..ed8fd0efa 100644 
--- a/apparmor.d/profiles-s-z/wireshark +++ b/apparmor.d/profiles-s-z/wireshark @@ -63,3 +63,5 @@ profile wireshark @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/wl-copy b/apparmor.d/profiles-s-z/wl-copy index b961da104..3ea916395 100644 --- a/apparmor.d/profiles-s-z/wl-copy +++ b/apparmor.d/profiles-s-z/wl-copy @@ -15,6 +15,7 @@ profile wl-copy @{exec_path} { @{bin}/cat rix, @{bin}/rm rix, + @{bin}/cliphist rPUx, @{bin}/xdg-mime rPx, owner @{tmp}/wl-copy-buffer-*/{,**} rw, @@ -22,4 +23,6 @@ profile wl-copy @{exec_path} { /dev/tty rw, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/wmctrl b/apparmor.d/profiles-s-z/wmctrl index ac3bf48fc..8d99da352 100644 --- a/apparmor.d/profiles-s-z/wmctrl +++ b/apparmor.d/profiles-s-z/wmctrl @@ -17,3 +17,5 @@ profile wmctrl @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/wpa-action b/apparmor.d/profiles-s-z/wpa-action index 59c06ee50..3495849e7 100644 --- a/apparmor.d/profiles-s-z/wpa-action +++ b/apparmor.d/profiles-s-z/wpa-action @@ -40,3 +40,5 @@ profile wpa-action @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/wpa-cli b/apparmor.d/profiles-s-z/wpa-cli index 03c3db367..5edd2f177 100644 --- a/apparmor.d/profiles-s-z/wpa-cli +++ b/apparmor.d/profiles-s-z/wpa-cli @@ -25,3 +25,5 @@ profile wpa-cli @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/wpa-gui b/apparmor.d/profiles-s-z/wpa-gui index 6718f20cc..ceefecbf2 100644 --- a/apparmor.d/profiles-s-z/wpa-gui +++ b/apparmor.d/profiles-s-z/wpa-gui @@ -35,3 +35,5 @@ profile wpa-gui @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index 0a16592a5..f3da61258 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant 
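Review bot: `+ @{bin}/cliphist rPUx,` lets wl-copy hand clipboard contents to cliphist and, when no cliphist profile is loaded, falls back to running it unconfined (the `U` in `PUx`). Clipboard data is routinely sensitive (passwords, tokens), so the unconfined fallback deserves either a dedicated cliphist profile with `@{bin}/cliphist rPx,` or a comment stating that the fallback is intentional because no such profile ships in this set. If a cliphist profile already exists in the repository, `rPx` is the tighter choice and the `U` should be dropped.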
+++ b/apparmor.d/profiles-s-z/wpa-supplicant @@ -54,3 +54,5 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/wrmsr b/apparmor.d/profiles-s-z/wrmsr index cbbc56b17..1ee5bd806 100644 --- a/apparmor.d/profiles-s-z/wrmsr +++ b/apparmor.d/profiles-s-z/wrmsr @@ -20,3 +20,5 @@ profile wrmsr @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index 46a3c40b6..92b0f360f 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -11,6 +11,10 @@ profile wsdd @{exec_path} { include include + network inet dgram, + network inet6 dgram, + network netlink raw, + @{exec_path} mr, @{bin}/env r, @@ -18,7 +22,11 @@ profile wsdd @{exec_path} { /etc/machine-id r, + owner /var/lib/libuuid/clock.txt rw, + owner @{run}/user/@{uid}/gvfsd/wsdd w, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index dccccc2b4..a5ec89fd9 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -100,3 +100,5 @@ profile xarchiver @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xauth b/apparmor.d/profiles-s-z/xauth index 02ab30427..f051fdc0c 100644 --- a/apparmor.d/profiles-s-z/xauth +++ b/apparmor.d/profiles-s-z/xauth @@ -42,3 +42,5 @@ profile xauth @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xautolock b/apparmor.d/profiles-s-z/xautolock index 3aebbe521..89de67bd1 100644 --- a/apparmor.d/profiles-s-z/xautolock +++ b/apparmor.d/profiles-s-z/xautolock @@ -30,3 +30,5 @@ profile xautolock @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xbacklight b/apparmor.d/profiles-s-z/xbacklight index 8d44638f6..19eb4a9f3 100644 
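Review bot: The three new socket rules `network inet dgram,`, `network inet6 dgram,` and `network netlink raw,` in the wsdd hunk are added without a comment saying what they are for, and `network netlink raw` cannot be narrowed to a specific netlink family by an AppArmor `network` rule, so its reason should be recorded. Presumably the datagram rules cover WS-Discovery multicast and the netlink socket is for watching interface/address changes (RTNETLINK); a comment such as `# WS-Discovery multicast and RTNETLINK address-change monitoring` above the block would let a later tightening be judged. The hunk shows no `network inet stream,` rule, which wsdd would need for the HTTP side of discovery; if it is already granted above the hunk, ignore this, otherwise enforce-mode runs will likely log denials. `owner /var/lib/libuuid/clock.txt rw,` uses a literal path where the profile otherwise uses tunables, which is fine but worth a note if intentional.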
--- a/apparmor.d/profiles-s-z/xbacklight +++ b/apparmor.d/profiles-s-z/xbacklight @@ -17,3 +17,5 @@ profile xbacklight @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xbrlapi b/apparmor.d/profiles-s-z/xbrlapi index f38beeca9..dc30114bd 100644 --- a/apparmor.d/profiles-s-z/xbrlapi +++ b/apparmor.d/profiles-s-z/xbrlapi @@ -19,3 +19,5 @@ profile xbrlapi @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xclip b/apparmor.d/profiles-s-z/xclip index 192f17104..378e8cae3 100644 --- a/apparmor.d/profiles-s-z/xclip +++ b/apparmor.d/profiles-s-z/xclip @@ -20,3 +20,5 @@ profile xclip @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xdpyinfo b/apparmor.d/profiles-s-z/xdpyinfo index 2bad9b330..902905d09 100644 --- a/apparmor.d/profiles-s-z/xdpyinfo +++ b/apparmor.d/profiles-s-z/xdpyinfo @@ -16,3 +16,5 @@ profile xdpyinfo @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index 03ec3ff92..521a182ba 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit @@ -92,32 +92,12 @@ profile xinit @{exec_path} { profile udevadm { include - - @{bin}/udevadm mr, - - /etc/udev/udev.conf r, - - @{run}/udev/data/* r, - - @{sys}/bus/ r, - @{sys}/bus/*/devices/ r, - @{sys}/class/ r, - @{sys}/class/*/ r, - @{sys}/devices/**/uevent r, - @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, - - @{PROC}/1/environ r, - @{PROC}/1/sched r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - owner @{PROC}/@{pid}/stat r, - - # file_inherit - owner /dev/tty@{int} rw, - owner @{HOME}/.xsession-errors w, + include include if exists } include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xinput b/apparmor.d/profiles-s-z/xinput index 1c3304538..18eab6a78 100644 --- a/apparmor.d/profiles-s-z/xinput 
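Review bot: The `udevadm` child profile in xinit now relies solely on an `include` (its target is not visible in this rendering), but the hunk also removes the two `# file_inherit` rules `owner /dev/tty@{int} rw,` and `owner @{HOME}/.xsession-errors w,` that were specific to the xinit context rather than to udevadm itself. A shared udevadm abstraction is unlikely to carry xinit's inherited tty and session-log descriptors, so unless the included file does, those two lines should stay in the child profile next to the include; otherwise enforce mode will revoke the inherited fds and log denials. The enclosing `profile xinit` block starts before the hunk.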
+++ b/apparmor.d/profiles-s-z/xinput @@ -18,3 +18,5 @@ profile xinput @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xsel b/apparmor.d/profiles-s-z/xsel index 9fb9593d3..949aa19f7 100644 --- a/apparmor.d/profiles-s-z/xsel +++ b/apparmor.d/profiles-s-z/xsel @@ -27,3 +27,5 @@ profile xsel @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/yadifad b/apparmor.d/profiles-s-z/yadifad index 0e03b9f7f..c22e3cdd9 100644 --- a/apparmor.d/profiles-s-z/yadifad +++ b/apparmor.d/profiles-s-z/yadifad @@ -32,3 +32,5 @@ profile yadifad @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl index 23d6b16e6..85da6bfe0 100644 --- a/apparmor.d/profiles-s-z/youtube-dl +++ b/apparmor.d/profiles-s-z/youtube-dl @@ -60,3 +60,5 @@ profile youtube-dl @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/youtube-viewer b/apparmor.d/profiles-s-z/youtube-viewer index 92c60e389..1c405e8fe 100644 --- a/apparmor.d/profiles-s-z/youtube-viewer +++ b/apparmor.d/profiles-s-z/youtube-viewer @@ -66,3 +66,5 @@ profile youtube-viewer @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/yt-dlp b/apparmor.d/profiles-s-z/yt-dlp index d147f3a65..c71b87efd 100644 --- a/apparmor.d/profiles-s-z/yt-dlp +++ b/apparmor.d/profiles-s-z/yt-dlp @@ -46,3 +46,5 @@ profile yt-dlp @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ytdl b/apparmor.d/profiles-s-z/ytdl index 452eef3f5..230e15f80 100644 --- a/apparmor.d/profiles-s-z/ytdl +++ b/apparmor.d/profiles-s-z/ytdl @@ -43,3 +43,5 @@ profile ytdl @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/zathura b/apparmor.d/profiles-s-z/zathura index 98f218e13..b055fe31b 100644 --- a/apparmor.d/profiles-s-z/zathura 
+++ b/apparmor.d/profiles-s-z/zathura @@ -29,3 +29,5 @@ profile zathura @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index 1ce392886..c966ce839 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -57,3 +57,5 @@ profile zed @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/zenmap b/apparmor.d/profiles-s-z/zenmap index 2136952ad..bc4090be8 100644 --- a/apparmor.d/profiles-s-z/zenmap +++ b/apparmor.d/profiles-s-z/zenmap @@ -42,3 +42,5 @@ profile zenmap @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs index cb36774d0..9538b9c13 100644 --- a/apparmor.d/profiles-s-z/zfs +++ b/apparmor.d/profiles-s-z/zfs @@ -34,3 +34,5 @@ profile zfs @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index aad07309a..7d12cf3b7 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -42,3 +42,5 @@ profile zpool @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/zsys-system-autosnapshot b/apparmor.d/profiles-s-z/zsys-system-autosnapshot index 0732978e9..653690898 100644 --- a/apparmor.d/profiles-s-z/zsys-system-autosnapshot +++ b/apparmor.d/profiles-s-z/zsys-system-autosnapshot @@ -28,3 +28,5 @@ profile zsys-system-autosnapshot @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd index d492635eb..c325e216d 100644 --- a/apparmor.d/profiles-s-z/zsysd +++ b/apparmor.d/profiles-s-z/zsysd @@ -44,3 +44,5 @@ profile zsysd @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor 
diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d index 5b8204163..c23a8d956 100644 --- a/apparmor.d/tunables/home.d/apparmor.d +++ b/apparmor.d/tunables/home.d/apparmor.d @@ -12,22 +12,23 @@ # First part, second part in /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d # Extra user personal directories +@{XDG_SCREENSHOTS_DIR}="Pictures/Screenshots" +@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers" @{XDG_BOOKS_DIR}="Books" +@{XDG_GAMES_DIR}=".games" @{XDG_PROJECTS_DIR}="Projects" @{XDG_WORK_DIR}="Work" +@{XDG_MAIL_DIR}="Mail" ".{m,M}ail" @{XDG_SYNC_DIR}="Sync" @{XDG_TORRENTS_DIR}="Torrents" -@{XDG_GAMES_DIR}=".games" @{XDG_VM_DIR}=".vm" @{XDG_VM_SHARES_DIR}="VM_Shares" @{XDG_IMG_DIR}="images" -@{XDG_MAIL_DIR}="Mail" ".{m,M}ail" -@{XDG_SCREENSHOTS_DIR}="Pictures/Screenshots" -@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers" +@{XDG_GAMESSTUDIO_DIR}="unity3d" # User personal keyrings -@{XDG_SSH_DIR}=".ssh" @{XDG_GPG_DIR}=".gnupg" +@{XDG_SSH_DIR}=".ssh" @{XDG_PASSWORD_STORE_DIR}=".password-store" # User personal private directories @@ -44,9 +45,9 @@ # Full path of the user configuration directories @{user_cache_dirs}=@{HOME}/@{XDG_CACHE_DIR} @{user_config_dirs}=@{HOME}/@{XDG_CONFIG_DIR} -@{user_state_dirs}=@{HOME}/@{XDG_STATE_DIR} @{user_bin_dirs}=@{HOME}/@{XDG_BIN_DIR} @{user_lib_dirs}=@{HOME}/@{XDG_LIB_DIR} +@{user_state_dirs}=@{HOME}/@{XDG_STATE_DIR} # User build directories and output @{user_build_dirs}="/tmp/build/" 
@@ -57,11 +58,13 @@ # Other user directories @{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR} @{user_games_dirs}=@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR} +@{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR} +@{user_password_store_dirs}=@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR} +@{user_work_dirs}=@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR} @{user_mail_dirs}=@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR} @{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR} @{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR} @{user_torrents_dirs}=@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR} @{user_vm_dirs}=@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR} -@{user_work_dirs}=@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR} -@{user_password_store_dirs}=@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR} -@{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR} + +# vim:syntax=apparmor diff --git a/apparmor.d/tunables/home.d/whonix b/apparmor.d/tunables/home.d/whonix index f462036f9..e3c3f3d8a 100644 --- a/apparmor.d/tunables/home.d/whonix +++ b/apparmor.d/tunables/home.d/whonix @@ -70,3 +70,5 @@ alias /etc/timezone -> /etc/timezone.anondist-orig, alias /etc/timezone -> /etc/timezone.anondist, alias /etc/tor/torrc -> /etc/tor/torrc.anondist-orig, alias /etc/tor/torrc -> /etc/tor/torrc.anondist, + +# vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index 45dfea041..67f32bf8c 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -53,3 +53,5 @@ # Office suites @{offices_path} = @{bin}/@{offices} @{lib}/libreoffice/program/soffice + +# vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index 5a8348110..dd9386b09 100644 
--- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -10,3 +10,5 @@ # Name of the systemd profiles. Can be `unconfined` or `systemd`, `systemd-user` @{p_systemd}=unconfined @{p_systemd_user}=unconfined + +# vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 33feb30e6..a118d0cbe 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -68,3 +68,5 @@ # Office suites @{offices} = libreoffice soffice + +# vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 300a46b84..d219c1d4d 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -88,3 +88,5 @@ # OpenSUSE does not have the same multiarch structure @{multiarch}+=*-suse-linux* #aa:only opensuse + +# vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index f39013def..885913da3 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -31,3 +31,5 @@ @{desktop_config_dirs}=@{gdm_config_dirs} @{sddm_config_dirs} @{lightdm_config_dirs} @{desktop_local_dirs}=@{gdm_local_dirs} @{sddm_local_dirs} @{lightdm_local_dirs} @{desktop_share_dirs}=@{gdm_share_dirs} @{sddm_share_dirs} @{lightdm_share_dirs} + +# vim:syntax=apparmor diff --git a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d index 7476a1678..00231cbce 100644 --- a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d +++ b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d 
@@ -18,9 +18,11 @@ @{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR} @{user_music_dirs}=@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR} @{user_pictures_dirs}=@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR} +@{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR} @{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR} @{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR} -@{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR} @{user_vm_shares}=@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR} include if exists + +# vim:syntax=apparmor diff --git a/dists/docker.sh b/dists/docker.sh index 19a8737ae..500918c5f 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -100,7 +100,7 @@ build_in_docker_rpm() { docker pull "$BASEIMAGE/$dist" docker run -tid --name "$img" --volume "$VOLUME:$BUILDIR" \ "$BASEIMAGE/$dist" - docker exec "$img" sudo zypper install -y distribution-release golang-packaging rsync + docker exec "$img" sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh rpm diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 4770b79eb..814123c81 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags 
@@ -298,11 +298,13 @@ startplasma complain startx attach_disconnected,complain steam attach_disconnected,mediate_deleted,complain steam-fossilize attach_disconnected,complain -steam-game attach_disconnected,complain +steam-game-native attach_disconnected,complain +steam-game-proton attach_disconnected,complain steam-gameoverlayui attach_disconnected,complain -steam-reaper attach_disconnected,complain -steam-runtime complain -steamerrorreporter complain +steam-launch complain +steam-launcher attach_disconnected,complain +steam-runtime attach_disconnected,complain +steamerrorreporter attach_disconnected,complain sulogin complain switcherooctl complain swtpm complain diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore index 795fbf1c7..0e89a76c5 100644 --- a/dists/ignore/main.ignore +++ b/dists/ignore/main.ignore @@ -17,8 +17,10 @@ man plasma-discover steam steam-fossilize -steam-game +steam-game-native +steam-game-proton steam-gameoverlayui -steam-reaper +steam-launch +steam-launcher steam-runtime steamerrorreporter diff --git a/docs/development/index.md b/docs/development/index.md index 6da12d47d..c12226a7a 100644 --- a/docs/development/index.md +++ b/docs/development/index.md @@ -85,6 +85,8 @@ profile foo @{exec_path} { include if exists } + +# vim:syntax=apparmor ``` diff --git a/docs/variables.md b/docs/variables.md index 6ea5285c8..a70358263 100644 --- a/docs/variables.md +++ b/docs/variables.md 
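Review bot: Beyond the rename, `steam-runtime` and `steamerrorreporter` gain `attach_disconnected` in this hunk, and `steam-reaper` disappears from both main.flags and main.ignore. `attach_disconnected` makes paths that are disconnected from the namespace (bind mounts, pivot_root'ed runtimes) match as if rooted at `/`, so it widens what a profile's file rules can reach; each addition should carry its own justification rather than ride along with a rename. Confirm that profiles named `steam-game-native`, `steam-game-proton`, `steam-launch` and `steam-launcher` exist under apparmor.d/ and that no `steam-reaper` profile remains, since a flags entry for a missing profile is presumably ignored and a profile without an entry would presumably lose `complain` and enforce immediately.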
@@ -6,71 +6,83 @@ title: Variables References ### User directories -| Description | Name | Default Value | +| Description | Name | Default Value(s) | |-------------|:----:|---------------| | Desktop | `@{XDG_DESKTOP_DIR}` | `Desktop` | -| Download | `@{XDG_DOWNLOAD_DIR}` | `Downloads` | -| Templates | `@{XDG_TEMPLATES_DIR}` | `Templates` | -| Public | `@{XDG_PUBLICSHARE_DIR}` | `Public` | | Documents | `@{XDG_DOCUMENTS_DIR}` | `Documents` | +| Downloads | `@{XDG_DOWNLOAD_DIR}` | `Downloads` | | Music | `@{XDG_MUSIC_DIR}` | `Music` | | Pictures | `@{XDG_PICTURES_DIR}` | `Pictures` | | Videos | `@{XDG_VIDEOS_DIR}` | `Videos` | -| Books | `@{XDG_BOOKS_DIR}` | `Books` | -| Projects | `@{XDG_PROJECTS_DIR}` | `Projects` | | Screenshots | `@{XDG_SCREENSHOTS_DIR}` | `@{XDG_PICTURES_DIR}/Screenshots` | +| Wallpapers | `@{XDG_WALLPAPERS_DIR}` | `@{XDG_PICTURES_DIR}/Wallpapers` | +| Books | `@{XDG_BOOKS_DIR}` | `Books` | +| Games | `@{XDG_GAMES_DIR}` | `.games` | +| Templates | `@{XDG_TEMPLATES_DIR}` | `Templates` | +| Public | `@{XDG_PUBLICSHARE_DIR}` | `Public` | +| Projects | `@{XDG_PROJECTS_DIR}` | `Projects` | +| Private | `@{XDG_PRIVATE_DIR}` | `.{p,P}rivate {p,P}rivate` | +| Work | `@{XDG_WORK_DIR}` | `Work` | +| Mail | `@{XDG_MAIL_DIR}` | `Mail .{m,M}ail` | | Sync | `@{XDG_SYNC_DIR}` | `Sync` | | Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` | | Vm | `@{XDG_VM_DIR}` | `.vm` -| Wallpapers | `@{XDG_WALLPAPERS_DIR}` | `@{XDG_PICTURES_DIR}/Wallpapers` | +| Vm Shares | `@{XDG_VM_SHARES_DIR}` | `VM_Shares` | Disk images | `@{XDG_IMG_DIR}` | `images` | ### Dotfiles -| Description | Name | Default Value | +| Description | Name | Default Value(s) | |-------------|:----:|---------------| -| SSH | `@{XDG_SSH_DIR}` | `.ssh` | -| GPG | `@{XDG_GPG_DIR}` | `.gnupg` | -| Passwords | `@{XDG_PASSWORD_STORE_DIR}` | `.password-store` | | Cache | ` @{XDG_CACHE_DIR}` | `.cache` | | Config | `@{XDG_CONFIG_DIR}` | `.config` | | Data | `@{XDG_DATA_DIR}` | `.local/share` | | State | 
`@{XDG_STATE_DIR}` | `.local/state` | | Bin | `@{XDG_BIN_DIR}` | `.local/bin` | | Lib | `@{XDG_LIB_DIR}` | `.local/lib` | +| GPG | `@{XDG_GPG_DIR}` | `.gnupg` | +| SSH | `@{XDG_SSH_DIR}` | `.ssh` | +| Private | `@{XDG_PRIVATE_DIR}` | `.{p,P}rivate {p,P}rivate` | +| Passwords | `@{XDG_PASSWORD_STORE_DIR}` | `.password-store` | +| Mail | `@{XDG_MAIL_DIR}` | `Mail .{m,M}ail` | ### Full configuration path -| Description | Name | Default Value | +| Description | Name | Default Value(s) | |-------------|:----:|---------------| | Cache | `@{user_cache_dirs}` | `@{HOME}/@{XDG_CACHE_DIR}` | | Config | `@{user_config_dirs}` | `@{HOME}/@{XDG_CONFIG_DIR}` | -| Share | `@{user_share_dirs}` | ` @{HOME}/@{XDG_DATA_DIR}` | -| State | `@{user_state_dirs}` | ` @{HOME}/@{XDG_STATE_DIR}` | | Bin | `@{user_bin_dirs}` | `@{HOME}/@{XDG_BIN_DIR}` | | Lib | `@{user_lib_dirs}` | `@{HOME}/@{XDG_LIB_DIR}` | +| Share | `@{user_share_dirs}` | ` @{HOME}/@{XDG_DATA_DIR}` | +| State | `@{user_state_dirs}` | ` @{HOME}/@{XDG_STATE_DIR}` | | Build | `@{user_build_dirs}` | `/tmp/` | -| Tmp | `@{user_tmp_dirs}` | `@{run}/user/@{uid} /tmp/` | | Packages | `@{user_pkg_dirs}` | `/tmp/pkg/` | +| Tmp | `@{user_tmp_dirs}` | `@{run}/user/@{uid} /tmp/` | ### Full user path -| Description | Name | Default Value | +| Description | Name | Default Value(s) | |-------------|:----:|---------------| -| Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` | | Documents | `@{user_documents_dirs}` | `@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR}` | -| Download | `@{user_download_dirs}` | `@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}` | +| Downloads | `@{user_download_dirs}` | `@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}` | | Music | `@{user_music_dirs}` | `@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR}` | | Pictures | `@{user_pictures_dirs}` | `@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR}` | +| Videos | `@{user_videos_dirs}` | 
`@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}` | +| Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` | +| Games | `@{user_games_dirs}` | `@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}` | +| Private | `@{user_private_dirs}` | `@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}` | +| Passwords | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | +| Work | `@{user_work_dirs}` | `@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}` | +| Mail | `@{user_mail_dirs}` | `@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}` | | Projects | `@{user_projects_dirs}` | `@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` | | Public | `@{user_publicshare_dirs}` | `@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR}` | -| Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` | | Templates | `@{user_templates_dirs}` | `@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}` | | Torrents | `@{user_torrents_dirs}` | `@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` | -| Videos | `@{user_videos_dirs}` | `@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}` | +| Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` | | Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` -| Password | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | -| Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` | +| Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` +| Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | ## System variables 
@@ -81,7 +93,7 @@ title: Variables References **Helper variables** -| Description | Name | Default Value | +| Description | Name | Default Value(s) | |-------------|:----:|---------------| | Integer (up to 10 digits) | `@{int}` | `[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}` | | Any 6, 8 or 10 characters | `@{rand6}`, `@{rand8}`, `@{rand10}` | | @@ -99,7 +111,7 @@ title: Variables References **System Paths** -| Description | Name | Default Value | +| Description | Name | Default Value(s) | |-------------|:----:|---------------| | Root Home | `@{HOMEDIRS}` | `/home/` | | Home directories | `@{HOME}` | `@{HOMEDIRS}/*/ /root/` | @@ -111,12 +123,12 @@ title: Variables References | Proc | `@{PROC}` | `/proc/` | | Run | `@{run}` | `/run/ /var/run/` | | Sys | `@{sys}` | `/sys/` | -| Flatpack export | `@{flatpak_exports_root}` | `{flatpak/exports,flatpak/{app,runtime}/*/*/*/*/export}` | | System wide share | `@{system_share_dirs}` | `/{usr,usr/local,var/lib/@{flatpak_exports_root}}/share` | +| Flatpak export | `@{flatpak_exports_root}` | `{flatpak/exports,flatpak/{app,runtime}/*/*/*/*/export}` | **Program paths** -| Description | Name | Default Value | +| Description | Name | Default Value(s) | |-------------|:----:|---------------| | All the shells | `@{shells}` | `sh zsh bash dash fish rbash ksh tcsh csh` | | Shells path | `@{shells_path}` | `@{bin}/@{shells}` | diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go index a580e7e52..ffdf107de 100644 --- a/pkg/aa/apparmor_test.go +++ b/pkg/aa/apparmor_test.go @@ -6,6 +6,7 @@ package aa import ( "reflect" + "strings" "testing" "github.com/roddhjav/apparmor.d/pkg/paths" 
@@ -17,6 +18,13 @@ var ( intData = paths.New("../../apparmor.d") ) +// mustReadProfileFile read a file and return its content as a slice of string. +// It panics if an error occurs. It removes the last comment line. +func mustReadProfileFile(path *paths.Path) string { + res := strings.Split(util.MustReadFile(path), "\n") + return strings.Join(res[:len(res)-2], "\n") +} + func TestAppArmorProfileFile_String(t *testing.T) { tests := []struct { name string @@ -230,7 +238,7 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { }, }}, }, - want: util.MustReadFile(intData.Join("profiles-a-f/aa-status")), + want: mustReadProfileFile(intData.Join("profiles-a-f/aa-status")), }, } for _, tt := range tests { diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go index 211813789..97349a456 100644 --- a/pkg/aa/profile.go +++ b/pkg/aa/profile.go @@ -176,13 +176,7 @@ var ( newRule := newLogMountMap[log["operation"]] return newRule(log) }, - "net": func(log map[string]string) Rule { - if log["family"] == "unix" { - return newUnixFromLog(log) - } else { - return newNetworkFromLog(log) - } - }, + "net": newNetworkFromLog, "file": func(log map[string]string) Rule { if log["operation"] == "change_onexec" { return newChangeProfileFromLog(log) @@ -190,10 +184,14 @@ var ( return newFileFromLog(log) } }, - "exec": newFileFromLog, - "file_inherit": newFileFromLog, - "file_perm": newFileFromLog, - "open": newFileFromLog, + "exec": newFileFromLog, + "getattr": newFileFromLog, + "mkdir": newFileFromLog, + "mknod": newFileFromLog, + "open": newFileFromLog, + "rename_src": newFileFromLog, + "truncate": newFileFromLog, + "unlink": newFileFromLog, } newLogMountMap = map[string]func(log map[string]string) Rule{ "mount": newMountFromLog, 
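Review bot: `res[:len(res)-2]` in mustReadProfileFile assumes every profile file ends with the `# vim:syntax=apparmor` modeline followed by a final newline; a file without the modeline silently loses its last two real lines, and a one-line file panics on the negative slice bound. Check the tail before trimming, e.g. `if n := len(res); n >= 3 && res[n-2] == "# vim:syntax=apparmor" { res = res[:n-2] }`, and reword the doc comment to say it strips the trailing modeline rather than "the last comment line". If the modeline is meant to be mandatory, a missing one should fail the integration test instead of being trimmed over.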
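Review bot: The `"net"` entry in newLogMap now routes every net log to newNetworkFromLog, dropping the `log["family"] == "unix"` branch that previously produced a unix rule via newUnixFromLog. Unless newNetworkFromLog itself dispatches on the family (not visible in this hunk), unix-socket denials will be rendered as `network` rules, which is the wrong rule type and would not resolve the denial. If newUnixFromLog is no longer referenced, its removal belongs in this commit; otherwise keep the family check, e.g. `"net": func(log map[string]string) Rule { if log["family"] == "unix" { return newUnixFromLog(log) }; return newNetworkFromLog(log) },`. The enclosing `var (` block starts before this hunk.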
@@ -229,10 +227,13 @@ func (p *Profile) AddRule(log map[string]string) { } if !done { - if strings.Contains(log["operation"], "dbus") { + switch { + case strings.HasPrefix(log["operation"], "file_"): + p.Rules = append(p.Rules, newFileFromLog(log)) + case strings.Contains(log["operation"], "dbus"): p.Rules = append(p.Rules, newDbusFromLog(log)) - } else { - fmt.Printf("unknown log type: %s", log) + default: + fmt.Printf("unknown log type: %s", log["operation"]) } } } diff --git a/pkg/prebuild/directive/core.go b/pkg/prebuild/directive/core.go index 53176b01d..d14dd4861 100644 --- a/pkg/prebuild/directive/core.go +++ b/pkg/prebuild/directive/core.go @@ -65,7 +65,7 @@ func NewOption(file *paths.Path, match []string) *Option { // Useful to remove directive text applied on some condition only func (o *Option) Clean(profile string) string { reg := regexp.MustCompile(`\s*` + Keyword + o.Name + ` .*$`) - return reg.ReplaceAllString(profile, "") + return strings.Replace(profile, o.Raw, reg.ReplaceAllString(o.Raw, ""), 1) } func RegisterDirective(d Directive) {
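Review bot: The default branch's `fmt.Printf("unknown log type: %s", log["operation"])` has no trailing newline and writes to stdout from library code, so the message fuses with whatever is printed next and cannot be separated from normal output by callers. Prefer `fmt.Fprintf(os.Stderr, "unknown log type: %s\n", log["operation"])` (needs `os` in the import block) or the package's logger if it has one. The switch is a good replacement for the old if/else chain, and `strings.HasPrefix(log["operation"], "file_")` correctly covers the `file_inherit`/`file_perm` keys dropped from newLogMap earlier in this commit. AddRule's body starts before this hunk.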
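Review bot: Clean still calls `regexp.MustCompile` on every invocation and interpolates `o.Name` into the pattern unescaped, so a name containing a regex metacharacter would alter the match; compile once per option or wrap it as `regexp.MustCompile(`\s*` + Keyword + regexp.QuoteMeta(o.Name) + ` .*$`)`. The new body also replaces only the first occurrence of `o.Raw` (count `1`), so a profile containing the same raw directive line twice keeps the second copy; if that is intended, say so in the comment above the function, otherwise pass `-1`. `strings` is presumably already imported in core.go since the hunk does not show the import block.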