Add two profile directories to keep each directory smaller.

Alexandre Pujol 2021-09-15 16:55:27 +01:00
parent 6c0ae4ddc1
commit d95a876424
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
521 changed files with 0 additions and 0 deletions


@ -0,0 +1,38 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aa-notify
profile aa-notify @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/python>
capability sys_ptrace,
ptrace (read),
@{exec_path} mr,
/{usr/,}bin/ r,
/etc/apparmor/*.conf r,
/etc/inputrc r,
/usr/share/terminfo/x/xterm-256color r,
/usr/share/terminfo/d/dumb r,
/var/log/audit/audit.log r,
owner /tmp/[a-z0-9]* rw,
owner /tmp/apparmor-bugreport-*.txt rw,
@{PROC}/ r,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/cmdline r,
include if exists <local/aa-notify>
}


@ -0,0 +1,29 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/aa-status
profile aa-status @{exec_path} {
include <abstractions/base>
capability dac_read_search,
capability sys_ptrace,
ptrace (read),
@{exec_path} mr,
@{sys}/kernel/security/apparmor/profiles r,
@{sys}/module/apparmor/parameters/enabled r,
@{PROC}/ r,
@{PROC}/@{pids}/attr/apparmor/current r,
@{PROC}/@{pids}/attr/current r,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/aa-status>
}


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/acpi
profile acpi @{exec_path} flags=(complain) {
include <abstractions/base>
@{exec_path} mr,
@{sys}/class/thermal/ r,
@{sys}/class/power_supply/ r,
@{sys}/devices/**/power_supply/{,**} r,
@{sys}/devices/virtual/thermal/{,**} r,
include if exists <local/acpi>
}


@ -0,0 +1,36 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/acpid
profile acpid @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability mknod,
network netlink raw,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/logger rix,
/etc/acpi/{,**} r,
/etc/acpi/handler.sh rix,
/dev/input/{,**} r,
/dev/tty rw,
/dev/null r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/loginuid r,
@{run}/acpid.socket rw,
include if exists <local/acpid>
}


@ -0,0 +1,33 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/adb
@{exec_path} += /{usr/,}lib/android-sdk/platform-tools/adb
profile adb @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/devices-usb>
include <abstractions/user-download-strict>
# For adb kill-server:
# cannot connect to daemon at tcp:5037: Permission denied
network inet stream,
network inet6 stream,
@{exec_path} mrix,
/usr/share/scrcpy/scrcpy-server r,
owner /tmp/adb.[0-9]*.log rw,
owner @{HOME}/.android/ rw,
owner @{HOME}/.android/adb.[0-9]* rw,
owner @{HOME}/.android/adbkey rw,
include if exists <local/adb>
}


@ -0,0 +1,64 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/add{user,group}
profile adduser @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
include <abstractions/nameservice-strict>
# To create a user home dir and give it proper permissions:
# mkdir("/home/user", 0755) = 0
# chown("/home/user", 1001, 1001) = 0
# chmod("/home/user", 0755) = 0
capability chown,
capability fowner,
# To set the set-group-ID bit for the user home dir (SETGID_HOME=yes).
capability fsetid,
# To copy files from the /etc/skel/ dir to the newly created user dir, which now has a different
# owner.
capability dac_read_search,
capability dac_override,
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/find rix,
/{usr/,}bin/rm rix,
/{usr/,}{s,}bin/useradd rPx,
/{usr/,}{s,}bin/userdel rPx,
/{usr/,}{s,}bin/groupdel rPx,
/{usr/,}{s,}bin/groupadd rPx,
/{usr/,}{s,}bin/usermod rPx,
/{usr/,}bin/passwd rPx,
/{usr/,}bin/gpasswd rPx,
/{usr/,}bin/chfn rPx,
/{usr/,}bin/chage rPx,
/etc/{group,passwd,shadow} r,
/etc/adduser.conf r,
# To create user dirs
@{HOME}/ rw,
# To copy files from /etc/skel/ to user dirs
@{HOME}/.* w,
/etc/skel/{,.*} r,
# What's this for? (#FIXME#)
/var/lib/lightdm/{,*} w,
/var/lib/sddm/{,*} w,
include if exists <local/adduser>
}


@ -0,0 +1,111 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/adequate
profile adequate @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
include <abstractions/nameservice-strict>
#capability sys_tty_config,
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}{s,}bin/ldconfig rix,
# It wants to ldd all binaries/libs in packages.
/{usr/,}bin/ldd rCx -> ldd,
# Think what to do about this (#FIXME#)
/usr/share/debconf/frontend rPx,
#/usr/share/debconf/frontend rCx -> frontend,
/{usr/,}bin/pkg-config rCx -> pkg-config,
/{usr/,}bin/dpkg rPx -> child-dpkg,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
#
/{usr/,}bin/update-alternatives rPx,
/var/lib/adequate/pending rwk,
/etc/shadow r,
/usr/share/python{,3}/debian_defaults r,
/usr/share/doc/*/copyright r,
/usr/share/**/__pycache__/ r,
/usr/**/*.py r,
profile ldd flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/ldd mr,
/{usr/,}bin/* mr,
/{usr/,}{s,}bin/* mr,
/usr/games/* mr,
/{usr/,}lib{,x}{,32,64}/** mr,
/{usr/,}lib/@{multiarch}/** mr,
/usr/share/** r,
/opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} mr,
/{usr/,}lib/@{multiarch}/ld-*.so rix,
/{usr/,}lib{,x}32/ld-*.so rix,
}
profile frontend flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r,
/{usr/,}bin/perl r,
/{usr/,}bin/adequate rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/locale rix,
/etc/debconf.conf r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
/usr/share/debconf/templates/adequate.templates r,
# The following is needed when debconf uses GUI frontends.
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
/etc/shadow r,
}
profile pkg-config flags=(complain) {
include <abstractions/base>
/{usr/,}bin/pkg-config mr,
}
include if exists <local/adequate>
}


@ -0,0 +1,193 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
# Audio extensions
# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma,
@{amarok_ext} = [aA]{52,[aA][cC],[cC]3}
@{amarok_ext} += [mM][kK][aA]
@{amarok_ext} += [fF][lL][aA][cC]
@{amarok_ext} += [mM][pP][123cC]
@{amarok_ext} += [oO][gGmM][aA]
@{amarok_ext} += [wW]{,[aA]}[vV]
@{amarok_ext} += [wW][mM]{,[aA]}
# Image extensions
# bmp, jpg, jpeg, png, gif
@{amarok_ext} += [bB][mM][pP]
@{amarok_ext} += [jJ][pP]{,[eE]}[gG]
@{amarok_ext} += [pP][nN][gG]
@{amarok_ext} += [gG][iI][fF]
# Playlist extensions
# m3u, m3u8, pls
@{amarok_ext} += [mM]3[uU]{,8}
@{amarok_ext} += [pP][lL][sS]
@{exec_path} = /{usr/,}bin/amarok
profile amarok @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/X>
include <abstractions/kde4>
include <abstractions/gtk>
include <abstractions/audio>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/trash>
include <abstractions/vlc-art-cache-write>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/devices-usb>
include <abstractions/deny-root-dir-access>
ptrace (trace) peer=@{profile_name},
# Signals to kdeinit4 (unconfined)
signal (send) peer=unconfined,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/amarokcollectionscanner rix,
/{usr/,}bin/kde4-config rix,
/{usr/,}lib/kde4/libexec/lnusertemp rix,
/{usr/,}lib/kde4/libexec/drkonqi rix,
/{usr/,}bin/kglobalaccel rPUx,
/{usr/,}bin/kbuildsycoca4 rPUx,
/{usr/,}bin/kdeinit4 rPUx,
/{usr/,}bin/knotify4 rPUx,
/{usr/,}bin/ffmpeg rPUx,
/{usr/,}bin/lsb_release rPx -> lsb_release,
# Which media files Amarok should be able to open
/ r,
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
owner /{home,media}/**.@{amarok_ext} rw,
# Amarok home files
owner @{HOME}/.kde{,4}/share/apps/amarok/ rw,
owner @{HOME}/.kde{,4}/share/apps/amarok/** rwk,
owner @{HOME}/.kde{,4}/share/apps/knewstuff3/amarok.knsregistry rw,
owner @{HOME}/.kde{,4}/share/config/amarokrc* rw,
owner @{HOME}/.kde{,4}/share/config/amarok_homerc* rw,
owner @{HOME}/.kde{,4}/share/config/amarok-appletsrcm* rw,
owner @{HOME}/.kde{,4}/share/config/amarok-appletsrc* rw,
owner @{HOME}/.kde{,4}/share/config/kcookiejarrc r,
owner @{HOME}/.kde{,4}/share/config/kio_httprc r,
owner @{HOME}/.kde{,4}/share/config/kioslaverc r,
owner @{HOME}/.kde{,4}/share/config/ktimezonedrc r,
# Phonon
/{usr/,}lib/@{multiarch}/qt4/plugins/phonon_backend/phonon_vlc.so mr,
# VLC backend
/{usr/,}lib/@{multiarch}/vlc/plugins/plugins.dat.* r,
/usr/share/vlc/** r,
# Cache for art images
owner @{HOME}/.kde{,4}/ rw,
owner @{HOME}/.kde{,4}/share/ rw,
owner @{HOME}/.kde{,4}/share/apps/ rw,
owner @{HOME}/.kde{,4}/share/apps/amarok/ rw,
owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/ rw,
owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/ rw,
owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/[0-9]*@[0-9a-f]* rw,
owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/[0-9]*@nocover.png rw,
owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache rw,
owner @{user_share_dirs}/user-places.xbel rw,
owner @{user_config_dirs}/Trolltech.conf rwk,
deny /etc/rpc r,
deny /etc/gnome-vfs-2.0/modules/default-modules.conf r,
deny owner @{PROC}/@{pid}/cmdline r,
deny owner @{PROC}/@{pid}/loginuid r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
# TMP
owner /tmp/#sql_*.{MAI,MAD} rw,
owner /tmp/qipc_{systemsem,sharedmemory}_AmarokScannerMemory[a-f0-9]* rw,
owner /tmp/qt_temp.* rw,
owner /tmp/xauth-[0-9]*-_[0-9] r,
owner /tmp/kde-*/ rw,
/usr/share/icons/*/index.theme rk,
@{run}/user/@{uid}/ksocket-*/amarok*.slave-socket rw,
# What's this for?
deny /etc/mysql/** r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# file_inherit
deny /usr/share/anyremote/** r,
owner @{HOME}/.anyRemote/anyremote.stdout w,
# Udev silencer
deny @{sys}/bus/ r,
deny @{sys}/class/ r,
deny @{sys}/devices/ r,
deny @{sys}/devices/virtual/net/**/{uevent,type} r,
deny @{sys}/devices/virtual/sound/seq/uevent r,
deny @{sys}/devices/system/node/ r,
deny @{run}/udev/data/* r,
# To generate the crash log info in Amarok
/{usr/,}bin/gdb rCx -> gdb,
profile gdb {
include <abstractions/base>
include <abstractions/python>
/{usr/,}bin/gdb mr,
/usr/share/glib-2.0/gdb/{,**} r,
@{PROC}/@{pids}/fd/ r,
owner @{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pids}/task/@{tid}/stat r,
owner @{PROC}/@{pids}/task/@{tid}/maps r,
owner @{PROC}/@{pids}/mem r,
/{usr/,}bin/iconv rix,
/usr/share/gdb/python/ r,
/usr/share/gdb/python/{,**} r,
ptrace (trace),
/{usr/,}bin/* r,
/usr/share/gdb/auto-load/usr/lib/x86_64-linux-gnu/*.py r,
/usr/share/gdb/auto-load/lib/x86_64-linux-gnu/*.py r,
/usr/share/gcc-[0-9]*/python/{,**} r,
# Silencer
deny /usr/share/** w,
}
include if exists <local/amarok>
}


@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/amixer
profile amixer @{exec_path} {
include <abstractions/base>
include <abstractions/audio>
@{exec_path} mr,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{HOME}/.Xauthority r,
owner @{user_config_dirs}/pulse/ r,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/amixer>
}


@ -0,0 +1,215 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/anki
profile anki @{exec_path} {
include <abstractions/base>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/python>
include <abstractions/audio>
include <abstractions/mesa>
include <abstractions/qt5-settings-write>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-shader-cache>
include <abstractions/user-download-strict>
include <abstractions/trash>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
signal (send) set=(term, kill) peer=anki//mpv,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/ r,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/mpv rCx -> mpv,
# For recording sounds while creating decks
/{usr/,}bin/lame rCx -> lame,
/{usr/,}lib/@{multiarch}/qt5/libexec/QtWebEngineProcess rix,
/usr/share/qt5/**/*.pak r,
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
owner @{HOME}/ r,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
/usr/share/anki/{,**} r,
/usr/share/javascript/**/*.js r,
owner @{user_cache_dirs}/Anki/ rw,
owner @{user_cache_dirs}/Anki/** rw,
owner @{user_share_dirs}/Anki{,2}/ rw,
owner @{user_share_dirs}/Anki{,2}/** rwk,
owner @{HOME}/ r,
owner @{HOME}/.cache/ rw,
# To remove the following error:
# Error initializing NSS with a persistent database
owner @{HOME}/.pki/ rw,
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
# If one is blocked, the others are probed.
deny owner @{HOME}/#[0-9]*[0-9] mrw,
owner @{HOME}/.glvnd* mrw,
# owner /tmp/#[0-9]*[0-9] mrw,
# owner /tmp/.glvnd* mrw,
# The /proc/ dir is needed to avoid the following error:
# [:FATAL:sandbox_linux.cc(172)] Check failed: proc_fd_ >= 0 (-1 vs. 0)
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mem r,
owner @{PROC}/@{pids}/statm r,
owner @{PROC}/@{pids}/stat r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/status r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/sys/fs/inotify/max_user_watches r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
deny owner @{PROC}/@{pid}/cmdline r,
# To remove the following error:
# GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied
# (g-file-error-quark, 2)
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny @{PROC}/sys/kernel/random/boot_id r,
@{PROC}/vmstat r,
deny owner @{PROC}/@{pid}/setgroups w,
/etc/fstab r,
/var/tmp/ r,
/tmp/ r,
owner /tmp/* rw,
owner /tmp/anki_temp/ rw,
owner /tmp/anki_temp/** rwk,
owner /tmp/mozilla_*/*.apkg r,
owner /dev/shm/.org.chromium.Chromium.* rw,
/dev/shm/#[0-9]*[0-9] rw,
@{sys}/devices/pci[0-9]*/**/irq r,
@{sys}/devices/pci[0-9]*/**/{vendor,device} r,
/usr/share/hwdata/pnp.ids r,
/etc/mime.types r,
# SyncThread
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
/etc/ r,
/etc/debian_version r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile mpv {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/audio>
signal (receive) set=(term, kill) peer=anki,
/{usr/,}bin/mpv mr,
/etc/mpv/encoding-profiles.conf r,
owner /tmp/mpv.* rw,
# For playing sets' sounds
owner @{user_share_dirs}/Anki{,2}/*/collection.media/ r,
owner @{user_share_dirs}/Anki{,2}/*/collection.media/*.{mp3,wav} r,
owner @{user_share_dirs}/Anki{,2}/pulse/ r,
owner @{user_share_dirs}/Anki{,2}/pulse/cookie rk,
owner @{HOME}/.Xauthority r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
}
profile lame {
include <abstractions/base>
/{usr/,}bin/lame mr,
owner @{user_share_dirs}/Anki{,2}/*/collection.media/rec.{mp3,wav} rw,
}
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/anki>
}


@ -0,0 +1,159 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/anyremote
profile anyremote @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/deny-root-dir-access>
signal (receive) set=(int, term, kill),
signal (send) set=(term, kill),
network inet stream,
network inet6 stream,
@{exec_path} rm,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/id rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/expr rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/head rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/tail rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/md5sum rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/sleep rix,
/{usr/,}bin/find rix,
/{usr/,}bin/convert-im6.q16 rCx -> imagemagic,
/{usr/,}bin/killall rCx -> killall,
/{usr/,}bin/pgrep rCx -> pgrep,
/{usr/,}lib/qt5/bin/qdbus rCx -> qdbus,
/{usr/,}bin/curl rCx -> curl,
/{usr/,}bin/pacmd rPx,
/{usr/,}bin/pactl rPx,
/{usr/,}bin/wmctrl rPx,
/{usr/,}bin/qtchooser rPx,
/{usr/,}bin/ps rPx,
# Players
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/amarok rPx,
/{usr/,}bin/vlc rPx,
/{usr/,}bin/mpv rPx,
/{usr/,}bin/strawberry rPx,
owner /tmp/amarok_covers/ rw,
owner /tmp/*.png rw,
# For shell pwd
owner @{HOME}/ r,
owner @{HOME}/.anyRemote/{,**} rw,
owner @{HOME}/.anyRemote/imdb-mf.sh rix,
/usr/share/anyremote/{,**} r,
/usr/share/anyremote/cfg-data/Utils/*.sh rix,
deny @{PROC}/sys/kernel/osrelease r,
owner @{HOME}/.Xauthority r,
profile imagemagic {
include <abstractions/base>
/{usr/,}bin/convert-im6.q16 mr,
/usr/share/ImageMagick-[0-9]/*.xml rw,
/etc/ImageMagick-[0-9]/*.xml r,
/usr/share/anyremote/cfg-data/Icons/common/*.png r,
owner @{HOME}/.anyRemote/*.png rw,
owner @{HOME}/.kde/share/apps/amarok/albumcovers/cache/* r,
/tmp/ r,
owner /tmp/*.png rw,
owner /tmp/amarok_covers/* rw,
owner /tmp/magick-* rw,
}
profile killall {
include <abstractions/base>
include <abstractions/consoles>
capability sys_ptrace,
signal (send) set=(term, kill),
ptrace (read),
/{usr/,}bin/killall mr,
# The /proc/ dir is needed to avoid the following error:
# /proc: Permission denied
@{PROC}/ r,
@{PROC}/@{pids}/stat r,
# file_inherit
owner @{HOME}/.anyRemote/anyremote.stdout w,
}
profile pgrep {
include <abstractions/base>
include <abstractions/consoles>
signal (send) set=(term, kill),
/{usr/,}bin/pgrep mr,
# The /proc/ dir and the cmdline have to be radable to avoid pgrep segfault.
@{PROC}/ r,
@{PROC}/@{pids}/cmdline r,
deny @{PROC}/sys/kernel/osrelease r,
# file_inherit
owner @{HOME}/.anyRemote/anyremote.stdout w,
}
profile curl {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
/{usr/,}bin/curl mr,
}
profile qdbus {
include <abstractions/base>
/{usr/,}lib/qt5/bin/qdbus mr,
}
include if exists <local/anyremote>
}


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aplay
profile aplay @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/audio>
@{exec_path} mr,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{HOME}/.Xauthority r,
owner @{user_config_dirs}/pulse/ r,
include if exists <local/aplay>
}


@ -0,0 +1,135 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = "/home/*/@{XDG_DESKTOP_DIR}/Beyond All Reason.AppImage"
@{exec_path} += /home/*/@{XDG_DESKTOP_DIR}/BeyondAllReason.AppImage
profile appimage-beyond-all-reason @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/nameservice-strict>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/ssl_certs>
include <abstractions/audio>
capability sys_ptrace,
# For kernel unprivileged user namespaces
capability sys_admin,
capability sys_chroot,
capability setuid,
capability setgid,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w,
network netlink raw,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/xmessage rix,
/{usr/,}bin/x86_64-linux-gnu-addr2line rix,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
mount fstype={fuse,fuse.*} -> /tmp/.mount_Beyond*/,
/var/tmp/ r,
/tmp/ r,
/tmp/.mount_Beyond*/ rw,
/tmp/.mount_Beyond*/beyond-all-reason rix,
/tmp/.mount_Beyond*/AppRun rix,
/tmp/.mount_Beyond*/bin/* rix,
/tmp/.mount_Beyond*/resources/app.asar.unpacked/node_modules/** rix,
/tmp/.mount_Beyond*/** r,
/tmp/.mount_Beyond*/**.so{,.[0-9]*} mr,
owner /tmp/.org.chromium.Chromium.*/ rw,
owner /tmp/.org.chromium.Chromium.*/SingletonCookie rw,
owner /tmp/.org.chromium.Chromium.*/SS rw,
owner /tmp/.org.chromium.Chromium.*/*.png rw,
owner /tmp/.org.chromium.Chromium.* rw,
owner @{user_config_dirs}/Beyond-All-Reason/ rw,
owner @{user_config_dirs}/Beyond-All-Reason/** rwk,
owner "@{HOME}/Beyond All Reason/" rw,
owner "@{HOME}/Beyond All Reason/**" rwkm,
owner "@{HOME}/Beyond All Reason/engine/**/spring" rix,
owner @{HOME}/.spring/ rw,
owner @{HOME}/.spring/** rw,
owner @{HOME}/.pki/ rw,
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r,
deny owner @{PROC}/@{pid}/cmdline r,
@{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/statm r,
owner @{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pid}/oom_{,score_}adj r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj w,
@{PROC}sys/fs/inotify/max_user_watches r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
owner /dev/shm/.org.chromium.Chromium.* rw,
@{sys}/bus/pci/devices/ r,
@{sys}/devices/pci[0-9]*/**/class r,
@{sys}/devices/virtual/tty/tty0/active r,
/dev/fuse rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
profile fusermount {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To mount anything:
capability sys_admin,
capability dac_read_search,
/{usr/,}bin/fusermount{,3} mr,
mount fstype={fuse,fuse.*.AppImage} -> /tmp/.mount_*/,
umount /tmp/.mount_*/,
/dev/fuse rw,
/etc/fuse.conf r,
owner @{HOME}/**.AppImage r,
owner @{MOUNTS}/*/**.AppImage r,
@{PROC}/@{pid}/mounts r,
}
include if exists <local/appimage-beyond-all-reason>
}


@ -0,0 +1,63 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/appstreamcli
profile appstreamcli @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
# For file valudation using the network
/{usr/,}bin/curl rCx -> curl,
/etc/appstream.conf r,
owner @{PROC}/@{pid}/fd/ r,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/appstream-cache-*.mdb rw,
owner @{user_cache_dirs}/appstream/ rw,
owner @{user_cache_dirs}/appstream/appcache-*.mdb rw,
/usr/share/appdata/ r,
/var/lib/app-info/yaml/ r,
/var/lib/app-info/yaml/*_Components-*.yml.gz w,
owner /var/cache/app-info/{,**} rw,
owner /tmp/appstream-cache-*.mdb rw,
owner /tmp/appstream/ rw,
owner /tmp/appstream/appcache-*.mdb rw,
owner @{user_share_dirs}/mime/mime.cache r,
/usr/share/mime/mime.cache r,
/usr/share/applications/{,*.desktop} r,
/usr/share/metainfo/ r,
/usr/share/metainfo/*.{metainfo,appdata}.xml r,
/var/lib/apt/lists/ r,
/var/lib/apt/lists/*_Components-*.gz r,
# file_inherit
/var/log/cron-apt/temp w,
profile curl {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
/{usr/,}bin/curl mr,
}
include if exists <local/appstreamcli>
}


@ -0,0 +1,39 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/arandr
profile arandr @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/python>
include <abstractions/user-download-strict>
include <abstractions/nameservice-strict>
include <abstractions/deny-root-dir-access>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/xrandr rPx,
owner @{HOME}/.screenlayout/ rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/arandr>
}


@ -0,0 +1,57 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/archivemount
profile archivemount @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
/**.{tar,tar.gz,zip} r,
/**.{TAR,TAR.GZ,ZIP} r,
owner /**.{tar,tar.gz,zip} w,
owner /**.{TAR,TAR.GZ,ZIP} w,
owner @{HOME}/ r,
owner @{HOME}/*/ r,
owner @{HOME}/*/*/ r,
mount fstype=fuse.archivemount -> @{HOME}/*/,
mount fstype=fuse.archivemount -> @{HOME}/*/*/,
/dev/fuse rw,
profile fusermount {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To mount anything:
capability sys_admin,
/{usr/,}bin/fusermount{,3} mr,
mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/,
mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/*/,
/dev/fuse rw,
/etc/fuse.conf r,
owner @{HOME}/ r,
/**.{tar,tar.gz,zip} r,
/**.{TAR,TAR.GZ,ZIP} r,
@{PROC}/@{pid}/mounts r,
}
include if exists <local/archivemount>
}


@ -0,0 +1,141 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/arduino
profile arduino @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/devices-usb>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
ptrace (read) peer=arduino//open,
ptrace (read) peer=arduino-builder,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/id rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/groups rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/avrdude rix,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/dpkg-architecture rPx,
/{usr/,}bin/arduino-builder rPx,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/bin/java rix,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/lib/server/classes.jsa mr,
/usr/share/java/*.jar r,
/etc/java-[0-9]*-openjdk/** r,
/etc/ssl/certs/java/cacerts r,
owner @{HOME}/.java/fonts/*/ rw,
owner @{HOME}/.java/fonts/*/fcinfo[0-9]*.tmp rw,
owner @{HOME}/.java/fonts/*/fcinfo-*.properties rw,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/arduino/{,**} r,
/usr/share/arduino-builder/{,**} r,
/usr/share/doc/arduino/{,**} r,
/usr/share/doc/arduino-core/{,**} r,
owner @{HOME}/ r,
owner @{HOME}/.arduino{,15}/{,**} rw,
owner @{HOME}/Arduino/{,**} rw,
owner @{HOME}/sketchbook/{,**} rw,
owner @{HOME}/.Xauthority r,
/tmp/ r,
owner /tmp/cc*.{s,res,c,o,ld,le} rw,
owner /tmp/hsperfdata_*/ rw,
owner /tmp/hsperfdata_*/@{pid} rw,
owner /tmp/untitled[0-9]*.tmp rw,
owner /tmp/untitled[0-9]*.tmp/{,**} rw,
owner /tmp/console[0-9]*.tmp rw,
owner /tmp/console[0-9]*.tmp/{,**} rw,
owner /tmp/build[0-9]*.tmp rw,
owner /tmp/build[0-9]*.tmp/{,**} rw,
owner /tmp/arduino_{build,cache}_[0-9]*/{,**} rw,
owner /tmp/{library,package}_index.json*.tmp* rw,
owner /tmp/arduino_modified_sketch_[0-9]*/{,**} rw,
owner @{run}/lock/tmp* rw,
owner @{run}/lock/LCK..ttyS[0-9]* rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/coredump_filter rw,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/stat r,
# For java
@{PROC}/@{pids}/stat r,
#
owner @{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/net/if_inet6 r,
@{PROC}/@{pid}/net/ipv6_route r,
/etc/fstab r,
/etc/avrdude.conf r,
@{sys}/fs/cgroup/{,**} r,
@{sys}/class/tty/ r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,manufacturer,serial,product} r,
/dev/ttyS[0-9]* rw,
/dev/ttyACM[0-9]* rw,
# Silencer
deny /usr/share/arduino/** w,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
/{usr/,}bin/spacefm rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/arduino>
}


@ -0,0 +1,50 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/arduino-builder
profile arduino-builder @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/ r,
/{usr/,}bin/avr-g++ rix,
/{usr/,}bin/avr-gcc rix,
/{usr/,}bin/avr-gcc-ar rix,
/{usr/,}bin/avr-size rix,
/{usr/,}bin/avrdude rix,
/{usr/,}lib/gcc/avr/[0-9]*/cc1plus rix,
/{usr/,}lib/gcc/avr/[0-9]*/cc1 rix,
/{usr/,}lib/gcc/avr/[0-9]*/collect2 rix,
/{usr/,}lib/gcc/avr/[0-9]*/lto-wrapper rix,
/{usr/,}lib/gcc/avr/[0-9]*/lto1 rix,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
/{usr/,}lib/avr/bin/as rix,
/{usr/,}lib/avr/bin/ar rix,
/{usr/,}lib/avr/bin/ld rix,
/{usr/,}lib/avr/bin/objcopy rix,
/{usr/,}bin/arduino-ctags rPx,
/usr/share/arduino/{,**} r,
/usr/share/arduino-builder/{,**} r,
/usr/share/doc/arduino/{,**} r,
owner @{HOME}/Arduino/{,**} r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
/tmp/ r,
owner /tmp/cc* rw,
owner /tmp/untitled[0-9]*.tmp/{,**} rw,
owner /tmp/arduino_{build,cache}_[0-9]*/{,**} rw,
owner /tmp/arduino_modified_sketch_[0-9]*/{,**} rw,
include if exists <local/arduino-builder>
}
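Review bot: `owner /tmp/cc* rw,` grants read-write on every owner-matched /tmp entry beginning with `cc`, which is wider than the sibling arduino profile's `owner /tmp/cc*.{s,res,c,o,ld,le} rw,` for what appear to be the same compiler scratch files. Unless the wider glob was added for an observed denial, aligning it with the arduino rule keeps the two profiles consistent and narrows what the builder can touch in a shared /tmp. If it was needed, a one-line comment naming the file type that did not match would save the next reader the same question.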


@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/arduino-ctags
profile arduino-ctags @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
owner /tmp/tags.* rw,
owner /tmp/arduino_build_[0-9]*/** r,
include if exists <local/arduino-ctags>
}


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aspell
profile aspell @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/usr/share/aspell/{,*} r,
/usr/lib/aspell/{,*} r,
/var/lib/aspell/{,*} r,
/var/lib/aspell/*.rws rw,
include if exists <local/aspell>
}


@ -0,0 +1,74 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/aspell-autobuildhash
profile aspell-autobuildhash @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/precat rix,
/{usr/,}bin/zcat rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/prezip-bin rix,
/{usr/,}bin/dpkg-trigger rPx,
/{usr/,}bin/aspell rPx,
# Think what to do about this (#FIXME#)
/usr/share/debconf/frontend rPx,
#/usr/share/debconf/frontend rCx -> frontend,
/usr/share/aspell/{,*} r,
/usr/lib/aspell/{,*} r,
/usr/lib/aspell/*.rws rw,
/var/lib/aspell/ r,
/var/lib/aspell/* rw,
profile frontend {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r,
/{usr/,}bin/perl r,
/{usr/,}sbin/aspell-autobuildhash rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/locale rix,
/etc/debconf.conf r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
# The following is needed when debconf uses GUI frontends.
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
}
include if exists <local/aspell-autobuildhash>
}
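Review bot: The child `profile frontend { … }` is unreachable as written: the only transition to /usr/share/debconf/frontend is `rPx` and the `rCx -> frontend` line is commented out, so the child's rules are dead policy until the FIXME is resolved. Either switch the transition to `/usr/share/debconf/frontend rCx -> frontend,` so the child is actually used, or drop the child and keep the FIXME comment describing the intended change, so the policy that loads matches what a reader sees. check-support-status-hook has the same commented-out `rCx -> frontend` line and the same unused `profile frontend` child. The child also reads `@{HOME}/.Xauthority r` without `owner`; if that is only for the GUI-frontend case, `owner` looks appropriate there.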


@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/atftpd
profile atftpd @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice>
# to run atftpd daemon as nobody/nogroup
capability setgid,
capability setuid,
@{exec_path} mr,
# FTP dirs (add "w" if you need write permissions and hence upload files)
/tftpboot/{,**} r,
/srv/tftp/{,**} r,
# for libwrap (TCP Wrapper) support
/etc/hosts.{,allow,deny} r,
include if exists <local/atftpd>
}


@ -0,0 +1,34 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/auditd
profile auditd @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability audit_control,
capability chown,
capability fsetid,
capability sys_resource,
network netlink raw,
@{exec_path} mr,
/etc/audit/{,**} r,
/var/log/audit/{,**} rw,
@{run}/systemd/userdb/ r,
owner @{PROC}/@{pid}/attr/current r,
owner @{PROC}/@{pid}/loginuid r,
owner @{PROC}/@{pid}/oom_score_adj r,
include if exists <local/auditd>
}


@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/badblocks
profile badblocks @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
include <abstractions/user-download-strict>
@{exec_path} r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/swaps r,
# A place for a list of already existing known bad blocks
@{HOME}/** rwk,
@{MOUNTS}/*/** rwk,
include if exists <local/badblocks>
}
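Review bot: `@{HOME}/** rwk,` and `@{MOUNTS}/*/** rwk,` grant write and lock on every file under every home directory and every mount, without `owner`, in a profile that also carries disks-write; a badblocks run as root can then modify any user's files. The sibling btrfs, cfdisk and cgdisk profiles scope the comparable use case to `owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,` style rules, and the known-bad-blocks list could be scoped the same way, with `owner @{HOME}/** rwk,` as the minimum narrowing. blkid's `@{HOME}/** r,` and `@{MOUNTS}/*/** r,` have the same breadth, though read-only.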


@ -0,0 +1,49 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2002-2005 Novell/SUSE
# 2017 Christian Boltz
# 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
# Evolution, amongst other things, calls this program. I didn't want to
# give evolution access to significant chunks of /proc
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/netstat
profile netstat @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice>
capability dac_read_search,
capability syslog,
capability sys_ptrace,
ptrace (trace,read),
@{exec_path} rmix,
/etc/networks r,
@{PROC} r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/net r,
@{PROC}/net/* r,
@{PROC}/@{pids}/fd/ r,
@{PROC}/@{pid}/attr/current r,
@{PROC}/@{pid}/net/netstat r,
@{PROC}/@{pid}/net/raw r,
@{PROC}/@{pid}/net/snmp r,
@{PROC}/@{pid}/net/raw6 r,
@{PROC}/@{pid}/net/tcp r,
@{PROC}/@{pid}/net/tcp6 r,
@{PROC}/@{pid}/net/udp r,
@{PROC}/@{pid}/net/udp6 r,
@{PROC}/@{pid}/net/udplite r,
@{PROC}/@{pid}/net/udplite6 r,
@{PROC}/@{pid}/net/unix r,
# For "netstat -i"
@{PROC}/@{pid}/net/dev r,
}
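Review bot: This is the only profile in this chunk without a trailing `include if exists <local/netstat>` before the closing brace, so the local-override mechanism every other profile provides does not apply here; add that line as the last rule. Two smaller points, both apparently inherited from the upstream Novell/SUSE profile: `@{PROC} r,` and `@{PROC}/net r,` lack the trailing `/` the other profiles use for directory reads (`@{PROC}/ r,`), and `ptrace (trace,read),` grants `trace` where the `/proc/*/fd/` lookups only appear to need `read`, as the aa-status and cgrulesengd profiles use. Confirm against a denial before narrowing the ptrace rule.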


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/biosdecode
profile biosdecode @{exec_path} {
include <abstractions/base>
# Needed to read the /dev/mem device
capability sys_rawio,
@{exec_path} mr,
/dev/mem r,
include if exists <local/biosdecode>
}


@ -0,0 +1,102 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/birdtray
profile birdtray @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/qt5-settings-write>
include <abstractions/mesa>
include <abstractions/dri-enumerate>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network netlink dgram,
@{exec_path} mr,
# To be able to start Thunderbird
/{usr/,}bin/thunderbird rPx,
/{usr/,}bin/xdg-open rCx -> open,
/usr/share/ulduzsoft/birdtray/{,**} r,
owner @{user_config_dirs}/ulduzsoft/ rw,
owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*,
owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#[0-9]*[0-9],
owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
owner /tmp/birdtray.ulduzsoft.single.instance.server.socket w,
# Thunderbird mail dirs
owner @{HOME}/ r,
owner @{HOME}/.thunderbird/ r,
owner @{HOME}/.thunderbird/*.*/ r,
owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/ r,
owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/**/ r,
owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/**/*.msf r,
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
/usr/share/hwdata/pnp.ids r,
/dev/shm/#[0-9]*[0-9] rw,
deny @{PROC}/sys/kernel/random/boot_id r,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
include if exists <local/qpdfview_open>
}
include if exists <local/birdtray>
}
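Review bot: `owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*,` hard-codes one author's home directory as the link target, so the link permission only works for that single user; it should read `owner @{user_config_dirs}/ulduzsoft/* rwkl -> @{user_config_dirs}/ulduzsoft/*,`, matching the `@{user_config_dirs}` form used on the two lines that follow. In the `open` child, `include if exists <local/qpdfview_open>` looks copied from another profile and would pull qpdfview's local overrides into birdtray's helper; the other `open` children in this chunk (arduino, cawbird) carry no local include, so either drop it or point it at a birdtray-specific file.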


@ -0,0 +1,37 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/blkid
profile blkid @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-read>
@{exec_path} mr,
/etc/blkid.conf r,
# The standard location of the cache file
# Without owner here if this tool should be used as a regular user
@{run}/blkid/ rw,
@{run}/blkid/blkid.tab{,-*} rw,
@{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
# When the system doesn't have the /run/ dir, the cache file is placed under /etc/
/etc/blkid.tab{,-*} rw,
/etc/blkid.tab.old rwl -> /etc/blkid.tab,
# For the EVALUATE=scan method
@{PROC}/partitions r,
# Image files
@{HOME}/** r,
@{MOUNTS}/*/** r,
include if exists <local/blkid>
}


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/blockdev
profile blockdev @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
capability sys_admin,
@{exec_path} mr,
@{PROC}/partitions r,
include if exists <local/blockdev>
}


@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/bmon
profile bmon @{exec_path} {
include <abstractions/base>
network netlink raw,
@{exec_path} mr,
/etc/bmon.conf r,
include if exists <local/bmon>
}


@ -0,0 +1,128 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BACKUP_DIR} = @{MOUNTS}/Arti/backup-*
@{exec_path} = /{usr/,}bin/borg
profile borg @{exec_path} {
include <abstractions/base>
include <abstractions/python>
# For reading files of other users as root
capability dac_read_search,
# Needed to mount backup files
capability sys_admin,
#
capability fowner,
network inet dgram,
network inet6 dgram,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/uname rix,
/{usr/,}bin/cat rix,
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/{,@{multiarch}-}ld.bfd rix,
/{usr/,}bin/pass rPUx,
/{usr/,}bin/ssh rPx,
/{usr/,}bin/ccache rCx -> ccache,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
mount fstype=fuse -> @{MOUNTS}/*/,
mount fstype=fuse -> @{MOUNTS}/*/*/,
umount @{MOUNTS}/*/,
umount @{MOUNTS}/*/*/,
/dev/fuse rw,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/sys/kernel/random/boot_id r,
@{run}/systemd/userdb/ r,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/borg/ rw,
owner @{user_cache_dirs}/borg/** rw,
owner @{user_config_dirs}/borg/ rw,
owner @{user_config_dirs}/borg/** rw,
# If /tmp/ isn't accessible, then /var/tmp/ is used.
owner /tmp/* rw,
owner /tmp/tmp*/ rw,
owner /tmp/tmp*/idx rw,
owner /tmp/borg-cache-*/ rw,
owner /tmp/borg-cache-*/* rw,
owner /var/tmp/* rw,
owner /var/tmp/tmp*/ rw,
owner /var/tmp/tmp*/idx rw,
# Dirs that can be backed up
/ r,
/boot/{,**} r,
/efi/{,**} r,
/etc/{,**} r,
/home/{,**} r,
@{MOUNTS}/{,**} r,
/opt/{,**} r,
/root/{,**} r,
/srv/{,**} r,
/usr/{,**} r,
/var/{,**} r,
# The backup dirs
owner @{BACKUP_DIR}/ r,
owner @{BACKUP_DIR}/** rwkl -> @{BACKUP_DIR}/**,
# For exporting the key
owner /**/key w,
profile ccache {
include <abstractions/base>
/{usr/,}bin/ccache mr,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix,
/media/ccache/*/** rw,
/etc/debian_version r,
}
profile fusermount {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To mount anything:
capability sys_admin,
/{usr/,}bin/fusermount{,3} mr,
/etc/fuse.conf r,
umount @{MOUNTS}/*/,
umount @{MOUNTS}/*/*/,
@{PROC}/@{pids}/mounts r,
/dev/fuse rw,
}
include if exists <distribution/borg.d>
include if exists <local/borg>
}
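Review bot: `owner /**/key w,` ("For exporting the key") allows writing to any owner-matched path named `key` anywhere on the filesystem, far wider than the key-export use case, and since the profile also carries `capability dac_read_search` it is evidently meant to run as root, where `owner` matches every root-owned file. Narrowing it to the places a user would export to, e.g. `owner @{HOME}/**/key w,` and `owner @{MOUNTS}/**/key w,`, keeps the feature without a filesystem-wide write rule. `@{BACKUP_DIR} = @{MOUNTS}/Arti/backup-*` also bakes a site-specific mount name into the shipped profile; since `include if exists <distribution/borg.d>` and `<local/borg>` are already present, a comment stating that the variable is expected to be overridden there (or moving it to a tunable) would make that intent explicit.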


@ -0,0 +1,40 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/browserpass
profile browserpass @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
network netlink raw,
@{exec_path} mr,
/{usr/,}bin/gpg rUx,
owner @{HOME}/.password-store/{,**} r,
owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/.parentlock rw,
owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/extensions/* r,
owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.default/startupCache/scriptCache-*.bin r,
owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.default/startupCache/startupCache.*.little r,
owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.default/safebrowsing-updating/google[0-9]/goog-phish-proto-[0-9]*.vlpset rw,
owner /tmp/mozilla-temp-[0-9]* r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
owner @{PROC}/@{pid}/mountinfo r,
# Silencer
deny network inet6 stream,
deny network inet stream,
deny owner @{user_share_dirs}/gvfs-metadata/{,**} r,
deny owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw,
deny /dev/dri/card[0-9]* rw,
include if exists <local/browserpass>
}
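Review bot: `/{usr/,}bin/gpg rUx,` runs gpg fully unconfined whenever browserpass invokes it, and gpg is the component that handles the password-store secret keys; if a gpg profile exists or is added later it will never be applied from this transition. `rPUx` would use a loaded gpg profile and fall back to unconfined otherwise, which is the pattern the borg profile in this commit already uses for `/{usr/,}bin/pass rPUx,`. The `[0-9a-z]*.default` Firefox profile-directory pattern may also be narrower than what current Firefox creates (directories ending in `.default-release`), so those rules can silently stop matching; a comment would help if that restriction is intentional.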


@ -0,0 +1,50 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/{btrfs,btrfsck}
profile btrfs @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
include <abstractions/user-download-strict>
capability sys_admin,
capability fowner,
capability sys_rawio,
@{exec_path} mr,
@{run}/blkid/blkid.tab{,-*} rw,
@{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/partitions r,
# For fsck of the btrfs filesystem directly from gparted
owner /tmp/gparted-*/ rw,
# For scrub
/var/lib/btrfs/ rw,
/var/lib/btrfs/scrub.progress.[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
/var/lib/btrfs/scrub.status.[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*{,_tmp} rwk,
# Saved metadata
@{MOUNTS}/*/ r,
@{MOUNTS}/*/ext2_saved/ rw,
@{MOUNTS}/*/ext2_saved/image rw,
@{MOUNTS}/*/*/ r,
@{MOUNTS}/*/*/ext2_saved/ rw,
@{MOUNTS}/*/*/ext2_saved/image rw,
# To be able to manage btrfs volumes
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/btrfs>
}


@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/btrfs-convert
profile btrfs-convert @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/btrfs-convert>
}


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/btrfs-find-root
profile btrfs-find-root @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
@{exec_path} mr,
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/btrfs-find-root>
}


@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/btrfs-image
profile btrfs-image @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
# Image files
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/btrfs-image>
}


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/btrfs-map-logical
profile btrfs-map-logical @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
@{exec_path} mr,
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/btrfs-map-logical>
}


@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/btrfs-select-super
profile btrfs-select-super @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/btrfs-select-super>
}


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/btrfstune
profile btrfstune @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
@{exec_path} mr,
@{PROC}/partitions r,
owner @{PROC}/@{pid}/mounts r,
owner @{run}/blkid/blkid.tab{,-*} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
include if exists <local/btrfstune>
}


@ -0,0 +1,81 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/cawbird
profile cawbird @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/enchant>
include <abstractions/audio>
include <abstractions/gstreamer>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/exo-open rCx -> open,
owner @{user_config_dirs}/cawbird/ rw,
owner @{user_config_dirs}/cawbird/** rwk,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/cawbird-* rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
# This is needed as cawbird stores its settings in the dconf database.
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{PROC}/@{pid}/fd/ r,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/cawbird>
}
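Review bot: `/{usr/,}bin/exo-open rCx -> open,` transitions exo-open into the `open` child, but the child only grants `/{usr/,}bin/xdg-open mr,`, so executing exo-open under it will be denied at the exec itself because nothing in the child allows the exo-open binary to be mapped. Add `/{usr/,}bin/exo-open mr,` next to the xdg-open line in the child, or give exo-open its own child profile if its helper set differs from xdg-open's.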


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ccze
profile ccze @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@{exec_path} mr,
/{usr/,}lib/@{multiarch}/ccze/*.so mr,
/etc/cczerc r,
include if exists <local/ccze>
}


@ -0,0 +1,37 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/cfdisk
profile cfdisk @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mountinfo r,
@{PROC}/partitions r,
/etc/fstab r,
owner @{run}/blkid/blkid.tab{,-*} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# A place for backups
owner @{HOME}/**.{bak,back} rwk,
owner @{MOUNTS}/*/**.{bak,back} rwk,
include if exists <local/cfdisk>
}


@ -0,0 +1,29 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/cgdisk
profile cgdisk @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# A place for backups
owner @{HOME}/**.{bak,back} rwk,
owner @{MOUNTS}/*/**.{bak,back} rwk,
include if exists <local/cgdisk>
}


@ -0,0 +1,52 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/cgrulesengd
profile cgrulesengd @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
# For creating Unix domain sockets/IPC sockets:
# socket(AF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR) = 3
# ...
# bind(3, {sa_family=AF_NETLINK, nl_pid=13284, nl_groups=0x000001}, 12) = -1 EPERM (Operation
# not permitted)
capability net_admin,
# To remove the following errors:
# readlink("/proc/12/exe", 0x7ffc9fa85cd0, 4096) = -1 EACCES (Permission denied)
capability sys_ptrace,
# To be able to read the /proc/ files of all processes in the system.
capability dac_read_search,
network netlink dgram,
ptrace (read),
@{exec_path} mr,
@{sys}/fs/cgroup/**/tasks w,
@{PROC}/ r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/cgroups r,
@{sys}/fs/cgroup/unified/cgroup.controllers r,
owner @{run}/cgred.socket w,
/etc/cgconfig.conf r,
/etc/cgrules.conf r,
/etc/cgconfig.d/ r,
include if exists <local/cgrulesengd>
}


@ -0,0 +1,37 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/chage
profile chage @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# To write records to the kernel auditing log.
capability audit_write,
network netlink raw,
@{exec_path} mr,
/etc/login.defs r,
/etc/{passwd,shadow} rw,
/etc/{passwd,shadow}.@{pid} w,
/etc/{passwd,shadow}- w,
/etc/{passwd,shadow}+ rw,
/etc/passwd.lock wl -> /etc/passwd.@{pid},
/etc/shadow.lock wl -> /etc/shadow.@{pid},
# A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
# modify the /etc/passwd or /etc/shadow password database.
/etc/.pwd.lock rwk,
include if exists <local/chage>
}


@ -0,0 +1,38 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/changestool
profile changestool @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg,
owner @{PROC}/@{pid}/fd/ r,
# For package building
owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpg mr,
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpgsm mr,
owner @{HOME}/@{XDG_GPG_DIR}/ r,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
}
include if exists <local/changestool>
}


@ -0,0 +1,48 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/check-bios-nx
profile check-bios-nx @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
# To remove the following errors:
# /usr/sbin/check-bios-nx: 19: cannot create /dev/stderr: Permission denied
capability dac_override,
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/kmod rCx -> kmod,
/{usr/,}{s,}bin/rdmsr rPx,
owner @{PROC}/@{pid}/fd/2 w,
profile kmod {
include <abstractions/base>
/{usr/,}bin/kmod mr,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
/{usr/,}lib/modprobe.d/ r,
/{usr/,}lib/modprobe.d/*.conf r,
/{usr/,}lib/modules/*/modules.* r,
@{PROC}/cmdline r,
}
include if exists <local/check-bios-nx>
}
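Review bot: `capability dac_override` is granted to silence `cannot create /dev/stderr: Permission denied`, but dac_override bypasses every discretionary permission check for the whole profile, a large grant for a shell script whose other rules are narrow. The profile also adds `owner @{PROC}/@{pid}/fd/2 w,`, which is the path `/dev/stderr` resolves to; it is worth re-testing whether that rule alone clears the error (it may, when the fd target is owned by the invoking user) and keeping the capability only if a denial remains, recording that denial in the comment.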


@ -0,0 +1,81 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/check-support-status
profile check-support-status @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/ r,
/{usr/,}bin/gettext.sh r,
/{usr/,}bin/cat rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/date rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/fold rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/awk rix,
/{usr/,}bin/comm rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/find rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/head rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/envsubst rix,
/{usr/,}bin/dirname rix,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/debconf-escape rCx -> debconf-escape,
/etc/debian_version r,
# For shell pwd
/ r,
owner @{HOME}/ r,
/tmp/ r,
owner /tmp/debian-security-support.*/{,**} rw,
/tmp/debian-security-support.postinst.*/output w,
/var/lib/debian-security-support/ r,
owner /var/lib/debian-security-support/security-support.semaphore rw,
owner /var/lib/debian-security-support/tmp.* rw,
/usr/share/debian-security-support/ r,
/usr/share/debian-security-support/* r,
profile debconf-escape {
include <abstractions/base>
include <abstractions/perl>
/{usr/,}bin/debconf-escape r,
/{usr/,}bin/perl r,
owner /tmp/debian-security-support.postinst.*/output r,
}
include if exists <local/check-support-status>
}


@ -0,0 +1,129 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/share/debian-security-support/check-support-status.hook
profile check-support-status-hook @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/ r,
/{usr/,}bin/getent rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/chown rix,
/{usr/,}bin/stat rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}sbin/adduser rPx,
/{usr/,}bin/check-support-status rPx,
/{usr/,}bin/debconf-escape rCx -> debconf-escape,
/{usr/,}sbin/runuser rCx -> runuser,
# Think what to do about this (#FIXME#)
/usr/share/debconf/frontend rPx,
#/usr/share/debconf/frontend rCx -> frontend,
/usr/share/debconf/confmodule r,
# For shell pwd
/ r,
/root/ r,
/tmp/ r,
owner /tmp/debian-security-support.postinst.*/ rw,
owner /tmp/debian-security-support.postinst.*/output rw,
/var/lib/ r,
/var/lib/debian-security-support/ r,
profile debconf-escape {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
/{usr/,}bin/debconf-escape r,
/{usr/,}bin/perl r,
/tmp/ r,
owner /tmp/debian-security-support.postinst.*/output r,
}
profile frontend {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r,
/{usr/,}bin/perl r,
/usr/share/debian-security-support/ r,
/usr/share/debian-security-support/check-support-status.hook rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/locale rix,
/etc/debconf.conf r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
# The following is needed when debconf uses GUI frontends.
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
}
profile runuser {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/authentication>
network netlink raw,
# To remove the following errors:
# runuser: cannot set user id: Operation not permitted
capability setuid,
# To remove the following errrors:
# runuser: cannot set groups: Operation not permitted
capability setgid,
# To write records to the kernel auditing log.
capability audit_write,
/{usr/,}sbin/runuser mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/check-support-status rPx,
owner @{PROC}/@{pids}/loginuid r,
@{PROC}/1/limits r,
/etc/security/limits.d/ r,
/tmp/ r,
owner /tmp/debian-security-support.postinst.*/output w,
}
include if exists <local/check-support-status-hook>
}


@ -0,0 +1,46 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/chfn
profile chfn @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/authentication>
include <abstractions/wutmp>
# To write records to the kernel auditing log.
capability audit_write,
# To set the right permission to the files in the /etc/ dir.
capability chown,
capability fsetid,
# chfn is a SETUID binary
capability setuid,
network netlink raw,
@{exec_path} mr,
owner @{PROC}/@{pid}/loginuid r,
/etc/passwd rw,
/etc/passwd- w,
/etc/passwd+ rw,
/etc/passwd.@{pid} w,
/etc/passwd.lock wl -> /etc/passwd.@{pid},
/etc/shadow r,
# A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
# modify the /etc/passwd or /etc/shadow password database.
/etc/.pwd.lock rwk,
include if exists <local/chfn>
}
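Review bot: The `/etc/passwd*` write/lock rules together with the lckpwdf() comment (the block from `/etc/passwd rw,` through `/etc/.pwd.lock rwk,`) are repeated verbatim in the chsh profile below and, in a wider form, in cppw-cpgr; a shared `include <abstractions/...>`-style snippet would keep the three in step when one of them changes. The comment on `capability fsetid` / `capability chown` ("To set the right permission to the files in the /etc/ dir.") does not say which files; `# chown/fsetid: restore owner and mode bits on the rewritten /etc/passwd` would make the reason reviewable against the rules that follow.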


@ -0,0 +1,41 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Note: This profile does not specify an attachment path because it is
# intended to be used only via "Px -> child-pager" exec transitions from
# other profiles. We want to confine the pager(1) utility when it
# is invoked from other confined applications, but not when it is used
# in regular (unconfined) shell scripts or run directly by the user.
abi <abi/3.0>,
include <tunables/global>
# Do not attach to /{usr/,}bin/pager by default
profile child-pager {
include <abstractions/base>
include <abstractions/consoles>
capability dac_override,
capability dac_read_search,
signal (receive) set=(stop, cont, term, kill),
/{usr/,}bin/ r,
/{usr/,}bin/pager mr,
/{usr/,}bin/less mr,
/{usr/,}bin/more mr,
@{user_cache_dirs}/lesshs* rw,
owner /root/.lesshs* rw,
# Display properly on different host terminals
@{system_share_dirs}/terminfo/{,**} r,
# For shell pwd
/root/ r,
include if exists <local/child-pager>
}
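Review bot: `@{user_cache_dirs}/lesshs* rw,` is the only writable user-data rule in this profile without an `owner` qualifier, while the sibling `/root/.lesshs*` rule has one; `owner @{user_cache_dirs}/lesshs* rw,` keeps the history file confined to the invoking user. The `capability dac_override` and `capability dac_read_search` grants on a pager let it read any file regardless of mode bits; since the header comment says the profile exists only for `Px -> child-pager` transitions from other confined programs, it is worth a comment stating which caller needs these (presumably one running as root over files it does not own), or dropping them if none does.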


@ -0,0 +1,47 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/chsh
profile chsh @{exec_path} {
include <abstractions/base>
include <abstractions/wutmp>
include <abstractions/authentication>
include <abstractions/nameservice-strict>
# To write records to the kernel auditing log.
capability audit_write,
# To set the right permission to the files in the /etc/ dir.
capability chown,
capability fsetid,
# gpasswd is a SETUID binary
capability setuid,
network netlink raw,
@{exec_path} mr,
owner @{PROC}/@{pid}/loginuid r,
/etc/shells r,
/etc/passwd rw,
/etc/passwd- w,
/etc/passwd+ rw,
/etc/passwd.@{pid} w,
/etc/passwd.lock wl -> /etc/passwd.@{pid},
/etc/shadow r,
# A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
# modify the /etc/passwd or /etc/shadow password database.
/etc/.pwd.lock rwk,
include if exists <local/chsh>
}
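Review bot: The comment `# gpasswd is a SETUID binary` above `capability setuid,` in the chsh profile is a copy-paste leftover; it should read `# chsh is a SETUID binary`. The chfn profile above carries the same capability block and the same `/etc/passwd` rules, so a shared snippet would avoid this kind of drift between the two.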


@ -0,0 +1,86 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/claws-mail
profile claws-mail @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/enchant>
include <abstractions/user-download-strict>
include <abstractions/nameservice-strict>
include <abstractions/audio>
include <abstractions/thumbnails-cache-read>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg,
/{usr/,}bin/gpgconf rCx -> gpg,
# For Orage integration
/{usr/,}bin/orage rPUx,
# For sending local mails
/{usr/,}{s,}bin/exim4 rPUx,
# For editing in an external editor
/{usr/,}bin/geany rPUx,
owner @{HOME}/ r,
owner @{HOME}/.claws-mail/ rw,
owner @{HOME}/.claws-mail/** rwl -> @{HOME}/.claws-mail/**,
owner /tmp/claws-mail-[0-9]*/ rw,
owner /tmp/claws-mail-[0-9]*/[0-9a-f]* rw,
owner /tmp/claws-mail-[0-9]*/[0-9a-f]*.lock rwk,
owner /var/mail/* rwk,
owner @{HOME}/Mail/ rw,
owner @{HOME}/Mail/** rwl -> @{HOME}/Mail/**,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/usr/share/sounds/freedesktop/stereo/*.oga r,
/usr/share/publicsuffix/*.dafsa r,
# file_inherit
owner @{HOME}/.xsession-errors w,
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpg mr,
/{usr/,}bin/gpgsm mr,
/{usr/,}bin/gpgconf mr,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
}
include if exists <local/claws-mail>
}
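Review bot: The three `rPUx` transitions (`orage`, `{s,}bin/exim4`, `geany`) fall back to running the target unconfined whenever no profile for it is loaded, and for `exim4` that means the local-delivery MTA runs with no policy at all from a profile that is itself still `flags=(complain)`. If profiles for these targets exist in the set, `rPx` (or `rPx -> name`) is the stricter choice; otherwise a comment such as `# rPUx: no profile shipped for exim4 yet, runs unconfined` documents the accepted gap. The `gpg` child profile has no rule for the gpg-agent socket or `gpgconf`'s runtime dir; presumably it works via inherited fds or still needs rules once the profile leaves complain mode — worth confirming.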


@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/compton
profile compton @{exec_path} {
include <abstractions/base>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
# Compton config file
owner @{user_config_dirs}/compton.conf rw,
/usr/share/X11/XErrorDB r,
owner @{HOME}/.Xauthority r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
include if exists <local/compton>
}


@ -0,0 +1,200 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2020 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/conky
profile conky @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
# For dig
#network inet stream,
#network inet6 stream,
#network netlink raw,
@{exec_path} mr,
# Needed tools to render conky output
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/uniq rix,
/{usr/,}bin/head rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/date rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/sed rix,
# For external IP address
#/{usr/,}bin/dig rix,
#owner @{PROC}/@{pid}/task/@{tid}/comm rw,
# To remove the following error:
# .conky/Accuweather_conky_script/accuweather: line 917: /usr/bin/pkill: Permission denied
/{usr/,}bin/pgrep rix,
@{PROC}/sys/kernel/osrelease r,
# Browsers to fetch remote content
/{usr/,}bin/wget rCx -> browse,
/{usr/,}bin/curl rCx -> browse,
/{usr/,}bin/lynx rCx -> browse,
/{usr/,}bin/w3m rCx -> browse,
# Conky home files
owner @{HOME}/ r,
owner @{HOME}/.conky/ r,
owner @{HOME}/.conky/** rw,
# Display images (graphic) inside of the conky window
/{usr/,}lib/@{multiarch}/imlib2/loaders/*.so mr,
# Get the PRETTY_NAME name from /etc/os-release link
/etc/ r,
# Get the kernel version and its architecture via "uname -r"
/{usr/,}bin/uname rix,
# Display machine's hostname
/etc/hostname r,
# Display machine's uptime
@{PROC}/uptime r,
# Get the number of CPU cores
@{sys}/devices/system/cpu/present r,
# Get the current frequency of the CPU
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
# Get load average values for 1, 5 and 15 minutes
@{PROC}/loadavg r,
# Display processes' status
@{PROC}/ r,
# Get the PID value
@{PROC}/@{pid}/stat r,
# Get the name, %CPU and %RAM values
@{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/io r,
# Not needed
deny capability sys_ptrace,
deny ptrace (trace, read),
# Display the hard disk model name
@{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/**/model r,
@{sys}/block/sd[a-z]/device/model r,
# Display the disk write/read speed
@{PROC}/diskstats r,
# Get the mount point names
owner @{PROC}/@{pid}/mounts r,
# /etc/mtab r,
# Display WiFi network status, which includes the following:
# ESSID, AP's MAC, bitrate, signal strength, IP address and down/up speed
@{PROC}/@{pid}/net/dev r,
# Display IPv6 address of an interface
@{PROC}/@{pid}/net/if_inet6 r,
# Display the number of active TCP/TCP6 connections
@{PROC}/@{pid}/net/tcp{,6} r,
# Xserver auth cookie for clients
owner @{HOME}/.Xauthority r,
/dev/shm/#[0-9]*[0-9] rw,
# Temperatures and Fans
/{usr/,}bin/sensors rPUx,
@{sys}/devices/**/hwmon[0-9]*/temp[0-9]*_input r,
@{sys}/devices/**/hwmon/hwmon[0-9]*/temp[0-9]*_input r,
@{sys}/class/hwmon/ r,
@{PROC}/acpi/ibm/fan r,
# Display network data transfer status
/{usr/,}bin/vnstat rPUx,
# Display Secure Boot status
/{usr/,}bin/mokutil rPUx,
@{PROC}/@{pid}/net/route r,
owner /tmp/xauth-[0-9]*-_[0-9] r,
/usr/share/X11/XErrorDB r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
profile browse {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
network inet,
network inet6,
/{usr/,}bin/wget mr,
/{usr/,}bin/curl mr,
/{usr/,}bin/lynx mr,
/{usr/,}bin/w3m mr,
/{usr/,}bin/{,ba,da}sh rix,
/etc/mime.types r,
/etc/mailcap r,
/etc/lynx/* r,
/etc/wgetrc r,
/etc/w3m/config r,
/etc/w3m/mailcap r,
owner @{HOME}/.wget-hsts rwk,
owner @{HOME}/.w3m/ rw,
owner @{HOME}/.w3m/** rw,
owner @{HOME}/.conky/** rw,
/usr/share/publicsuffix/public_suffix_list.* r,
# file_inherit
owner /dev/tty[0-9]* rw,
deny @{PROC}/@{pids}/net/dev r,
deny @{PROC}/@{pids}/net/tcp r,
deny @{PROC}/@{pids}/net/tcp6 r,
deny @{PROC}/@{pids}/net/if_inet6 r,
deny @{PROC}/@{pids}/stat r,
deny @{PROC}/diskstats r,
deny @{PROC}/uptime r,
deny @{PROC}/loadavg r,
deny @{PROC}/@{pids}/cmdline r,
deny @{PROC}/@{pids}/io r,
deny @{PROC}/@{pid}/net/route r,
deny @{sys}/devices/**/hwmon/**/temp*_input r,
}
include if exists <local/conky>
}
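Review bot: The comment above `/{usr/,}bin/pgrep rix,` cites a denial for `/usr/bin/pkill`, but the rule only grants `pgrep`; either the rule is meant to be `/{usr/,}bin/p{grep,kill} rix,` or the comment should quote the pgrep denial, and as written a reader cannot tell which. `/{usr/,}bin/sed rix,` appears twice in the tool list (once after `rm`, once after `wc`); the second copy can be dropped. Note that `pkill` would additionally need a `signal (send)` rule to be useful, so if it is added the comment should say so.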


@ -0,0 +1,46 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/convertall /usr/share/convertall/convertall.py
profile convertall @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/dri-enumerate>
include <abstractions/python>
include <abstractions/qt5-compose-cache-write>
include <abstractions/nameservice-strict>
include <abstractions/deny-root-dir-access>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/python3.[0-9]* rix,
owner @{HOME}/.convertall rw,
deny owner @{PROC}/@{pid}/cmdline r,
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
/usr/share/convertall/{,**} r,
/usr/share/doc/convertall/{,*} r,
/usr/share/hwdata/pnp.ids r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
include if exists <local/convertall>
}


@ -0,0 +1,35 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/cp{pw,gr}
profile cppw-cpgr @{exec_path} {
include <abstractions/base>
# To set the right permission to the files in the /etc/ dir.
capability chown,
capability fsetid,
@{exec_path} mr,
/etc/{passwd,shadow,gshadow,group} rw,
/etc/{passwd,shadow,gshadow,group}.@{pid} rw,
/etc/{passwd,shadow,gshadow,group}.new rw,
/etc/passwd.lock wl -> /etc/passwd.@{pid},
/etc/shadow.lock wl -> /etc/shadow.@{pid},
/etc/gshadow.lock wl -> /etc/gshadow.@{pid},
/etc/group.lock wl -> /etc/group.@{pid},
# A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
# modify the /etc/passwd or /etc/shadow password database.
/etc/.pwd.lock rwk,
# Source of the files to be replaced
owner /root/* r,
include if exists <local/cppw-cpgr>
}


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/cpuid
profile cpuid @{exec_path} {
include <abstractions/base>
capability mknod,
@{exec_path} mr,
/dev/cpu/[0-9]*/cpuid r,
owner /tmp/cpuid* rw,
include if exists <local/cpuid>
}
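Review bot: `capability mknod,` is the only capability in this batch of profiles without a comment saying why it is needed, and nothing else in the profile grants write/create access on a device path, so it is unclear what the capability is for. Presumably cpuid creates `/dev/cpu/N/cpuid` nodes when they are missing — if so, `/dev/cpu/[0-9]*/cpuid` would also need `w`, and if not, the capability can be dropped; please confirm and add e.g. `# mknod: creates the /dev/cpu/*/cpuid device nodes when absent`.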


@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/crda
profile crda @{exec_path} {
include <abstractions/base>
# For "iw reg set PL"
capability net_admin,
@{exec_path} mr,
include if exists <local/crda>
}


@ -0,0 +1,37 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/curl
profile curl @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
/usr/share/publicsuffix/public_suffix_list.* r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/net/dev r,
@{PROC}/@{pids}/net/tcp{,6} r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/diskstats r,
@{PROC}/uptime r,
@{PROC}/loadavg r,
include if exists <local/curl>
}
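Review bot: The `@{PROC}/@{pids}/stat r,`, `@{PROC}/@{pids}/cmdline r,` and the `net/dev`, `net/tcp{,6}`, `diskstats`, `uptime`, `loadavg` rules give curl read access to every process's state, and `cmdline` of other users' processes can expose secrets passed on command lines. These paths are exactly the ones the conky `browse` child profile denies, which suggests they come from curl being launched by a conky script rather than from curl itself; if so, `deny @{PROC}/@{pids}/{stat,cmdline} r,` (or narrowing to `owner @{PROC}/@{pid}/...`) is the safer default, with a comment naming the caller that triggered them.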


@ -0,0 +1,33 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/czkawka_cli
profile czkawka-cli @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
# Dirs to scan for duplicates
#owner @{HOME}/** rw,
owner @{MOUNTS}/** rw,
owner @{user_config_dirs}/czkawka/ rw,
owner @{user_config_dirs}/czkawka/** rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/czkawka/ rw,
owner @{user_cache_dirs}/czkawka/** rw,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
@{sys}/fs/cgroup/{,**} r,
include if exists <local/czkawka-cli>
}


@ -0,0 +1,73 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/czkawka_gui
profile czkawka-gui @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
@{exec_path} mr,
/{usr/,}bin/xdg-open rCx -> open,
# Dirs to scan for duplicates
#owner @{HOME}/** rw,
owner @{MOUNTS}/** rw,
owner @{user_config_dirs}/czkawka/ rw,
owner @{user_config_dirs}/czkawka/** rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/czkawka/ rw,
owner @{user_cache_dirs}/czkawka/** rw,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
@{sys}/fs/cgroup/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
#/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/geany rPx,
/{usr/,}bin/viewnior rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/czkawka-gui>
}
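Review bot: The `open` child profile here is nearly identical to the `open` child in deltachat-desktop below (same includes, same `xdg-open`/`sh`/`gawk`/`readlink`/`basename` rules, same `# Allowed apps to open` block), and the commit already uses a shared `child-pager` profile for the analogous pager case; a `child-open` profile reached via `rPx -> child-open` would remove the duplication and keep the allowed-app list in one place. As a point of style, `include <abstractions/dconf>` sits between file rules rather than with the other includes at the top of the profile.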


@ -0,0 +1,32 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/ddclient
profile ddclient @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/logger rix,
/etc/ddclient.conf r,
@{run}/ddclient.pid rw,
/var/cache/ddclient/ddclient.cache rw,
/ r,
include if exists <local/ddclient>
}
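Review bot: The ddclient profile has no `network` rules, yet the program's job is to talk to a remote DNS update service over TLS (hence the `openssl` and `ssl_certs` includes); unless `abstractions/nameservice-strict` supplies `network inet stream` / `network inet6 stream` (other profiles in this commit, e.g. curl and dig, add them explicitly even with that include), the first update will be denied. Adding `network inet stream,` and `network inet6 stream,` with a one-line comment naming the update protocol would make the intent explicit. `/etc/ddclient.conf r` is read as a plain file; since that file carries the update credentials, a comment noting that is useful for anyone tightening the profile later.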


@ -0,0 +1,129 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{DCD_LIBDIR} = /{usr/,}lib/deltachat-desktop
@{DCD_LIBDIR} += /{usr/,}lib/deltachat
@{DCD_LIBDIR} += /opt/DeltaChat/
@{exec_path} = /usr/bin/deltachat-desktop
@{exec_path} += /opt/DeltaChat/deltachat-desktop
#@{exec_path} += @{DCD_LIBDIR}/deltachat-desktop
profile deltachat-desktop @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/user-download-strict>
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
# to "1".
capability sys_admin,
capability sys_chroot,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mrix,
@{DCD_LIBDIR}/ r,
@{DCD_LIBDIR}/** r,
@{DCD_LIBDIR}/libffmpeg.so mr,
@{DCD_LIBDIR}/{swiftshader/,}libGLESv2.so mr,
@{DCD_LIBDIR}/{swiftshader/,}libEGL.so mr,
@{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.node mr,
@{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.so mr,
@{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr,
@{DCD_LIBDIR}/chrome-sandbox rPx,
owner @{HOME}/.config/DeltaChat/ rw,
owner @{HOME}/.config/DeltaChat/** rwk,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/var/tmp/ r,
/tmp/ r,
owner /tmp/.org.chromium.Chromium.*/ rw,
owner /tmp/.org.chromium.Chromium.*/SingletonCookie w,
owner /tmp/.org.chromium.Chromium.*/SS w,
owner /tmp/.org.chromium.Chromium.*/*.png rw,
owner /tmp/.org.chromium.Chromium.* rw,
owner /tmp/[0-9a-f]*/ rw,
owner /tmp/[0-9a-f]*/db.sqlite-blobs/ rw,
owner /tmp/[0-9a-f]*/db.sqlite rwk,
owner /tmp/[0-9a-f]*/db.sqlite-journal rw,
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/task/ r,
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/statm r,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pids}/oom_{,score_}adj r,
deny owner @{PROC}/@{pids}/oom_{,score_}adj w,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/sys/fs/inotify/max_user_watches r,
/dev/ r,
/dev/shm/ r,
owner /dev/shm/.org.chromium.Chromium.* rw,
# (#FIXME#)
deny @{sys}/bus/pci/devices/ r,
deny @{sys}/devices/virtual/tty/tty0/active r,
# no new privs
/{usr/,}bin/xdg-settings rPx,
/{usr/,}bin/xdg-open rCx -> open,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/deltachat-desktop>
}
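Review bot: `owner @{HOME}/.config/DeltaChat/ rw,` and the `**` rule below it spell out `.config` while the other profiles in this commit (czkawka-gui, compton, dfc) use `@{user_config_dirs}`; `owner @{user_config_dirs}/DeltaChat/ rw,` keeps XDG_CONFIG_HOME overrides working and matches the rest of the set. The `# no new privs` comment above `/{usr/,}bin/xdg-settings rPx,` does not say what it refers to and reads like a leftover; either expand it or drop it. `capability sys_admin,` is justified only by the unprivileged-userns comment, but it also covers mounts and many other operations — if the Electron sandbox path via `chrome-sandbox rPx` is the supported one, it is worth stating in the comment that sys_admin is a deliberate fallback for the userns case, so it is not silently kept once the setuid helper is in use.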


@ -0,0 +1,60 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/del{user,group}
profile deluser @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# The deluser command is issued as root and its task is to delete regular user accounts. It
# optionally can remove user files (via --remove-home or --remove-all-files) or create a backup.
# Because of that, the deluser command needs the following CAPs to be able to do so.
capability dac_read_search,
capability dac_override,
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}{s,}bin/userdel rPx,
/{usr/,}{s,}bin/groupdel rPx,
/{usr/,}bin/gpasswd rPx,
/{usr/,}bin/crontab rPx,
/{usr/,}bin/mount rCx -> mount,
/etc/adduser.conf r,
/etc/deluser.conf r,
owner /etc/shadow r,
# This is for the "--remove-all-files" flag, which it used to remove all files owned by the user
# that's going to be deleted. Basically it scans all the files in the system in each dir and look
# for matches. This also includes files required by the "--remove-home" flag as well as the
# "--backup" and --backup-to flags.
/ r,
/** rw,
profile mount {
include <abstractions/base>
/{usr/,}bin/mount mr,
@{PROC}/@{pid}/mountinfo r,
@{sys}/devices/virtual/block/**/name r,
}
include if exists <local/deluser>
}
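Review bot: `/** rw,` makes the earlier `owner /etc/shadow r,` and the `/etc/{adduser,deluser}.conf r,` rules redundant, and it grants write access to every path on the system including `/etc/shadow`, `/boot` and the policy directory itself. The comment explains why `--remove-all-files` needs broad access, but the explicit `/etc/shadow r` line suggests the author intended reads only there; consider `audit /** w,` so deletions are logged, or at least `deny /etc/{passwd,shadow,gshadow,group}* w,` with a note that deluser delegates those edits to `userdel`/`groupdel` via `rPx`. The `mount` child profile has no `capability sys_admin`, so presumably it is only used to list mounts — a comment saying so would prevent someone "fixing" it later.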


@ -0,0 +1,26 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/df
profile df @{exec_path} {
include <abstractions/base>
capability dac_read_search,
@{exec_path} mr,
owner @{PROC}/@{pid}/mountinfo r,
/usr/share/icons/*/index.theme r,
# For dir stats
/ r,
/**/ r,
include if exists <local/df>
}


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dfc
profile dfc @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
owner @{user_config_dirs}/dfc/dfcrc r,
owner @{HOME}/.dfcrc r,
include if exists <local/dfc>
}


@ -0,0 +1,47 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/dhclient
profile dhclient @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
# To remove the following errors:
# dhclient[]: Open a socket for LPF: Operation not permitted
capability net_raw,
# To remove the following errors:
# dhclient[]: Can't bind to dhcp address: Permission denied
capability net_bind_service,
# Needed?
audit deny capability net_admin,
audit deny capability sys_module,
network inet dgram,
network inet6 dgram,
network netlink raw,
network packet raw,
@{exec_path} mr,
# To run dhclient scripts
/{usr/,}{s,}bin/dhclient-script rPx,
/etc/dhclient.conf r,
/etc/dhcp/{,**} r,
/var/lib/dhcp{,3}/dhclient* rw,
owner @{run}/dhclient*.pid rw,
owner @{run}/dhclient*.lease* rw,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
include if exists <local/dhclient>
}
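Review bot: The `# Needed?` comment above `audit deny capability net_admin,` / `audit deny capability sys_module,` leaves an open question in a shipped profile, and the same `# Needed?` appears above `audit deny capability sys_module,` in dhclient-script below; since the denials are explicitly audited, the intent is presumably "deny and log so we find out" — a comment stating that, e.g. `# Explicitly denied and audited: dhclient should never need these; report if seen`, is clearer. `/var/lib/dhcp{,3}/dhclient* rw,` has no `owner` qualifier while the `@{run}/dhclient*` rules do; if the lease files are always written by the same uid the daemon runs as, `owner` would be consistent here too.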


@ -0,0 +1,109 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/dhclient-script
profile dhclient-script @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/openssl>
include <abstractions/ssl_certs>
capability sys_admin,
# Needed?
audit deny capability sys_module,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh mrix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/ping rPx,
/{usr/,}bin/chronyc rPUx,
/{usr/,}bin/run-parts rCx -> run-parts,
# To remove the following error:
# /sbin/dhclient-script: 133: hostname: Permission denied
/{usr/,}bin/hostname rix,
# To read scripts
/etc/dhcp/ r,
/etc/dhcp/dhclient-{enter,exit}-hooks.d/{,*} r,
# For debug script
/{usr/,}bin/date rix,
/etc/dhcp/debug r,
owner /tmp/dhclient-script.debug rw,
# For ddclient script
/{usr/,}{s,}bin/ddclient rPx,
/etc/default/ddclient r,
/{usr/,}bin/logger rix,
# For samba script
/{usr/,}bin/mv rix,
/etc/samba/dhcp.conf{,.new} rw,
# For netbios name servers settings from a DHCP server
/var/lib/samba/dhcp.conf{,.new} rw,
# Many scripts may use the ip tool
capability net_admin,
/{usr/,}bin/ip rix,
# For loadbalance
/etc/iproute2/rt_tables r,
/etc/iproute2/rt_tables.d/{,*} r,
owner @{PROC}/@{pid}/loginuid r,
# For updating the /etc/resolv.conf file
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/chown rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/sed rix,
/etc/fstab r,
/etc/resolv.conf.dhclient-new.@{pid} rw,
/etc/resolv.conf rw,
# For stable-privacy addresses
/{usr/,}{s,}bin/sysctl rix,
/{usr/,}bin/head rix,
/{usr/,}bin/xxd rix,
/{usr/,}bin/paste rix,
/{usr/,}bin/fold rix,
/{usr/,}bin/tr rix,
@{PROC}/sys/net/ipv6/conf/*/stable_secret w,
# For printing env
/{usr/,}bin/printenv rix,
owner /tmp/variables.txt w,
# For ntpd/ntpsec
@{run}/systemd/netif/leases/ r,
# For chrony
@{run}/chrony-dhcp/ rw,
# file_inherit
/var/lib/dhcp/dhclient.leases r,
profile run-parts {
include <abstractions/base>
/{usr/,}bin/run-parts mr,
/etc/dhcp/dhclient-{enter,exit}-hooks.d/ r,
# file_inherit
owner /var/lib/dhcp/dhclient.leases r,
}
include if exists <local/dhclient-script>
}
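Review bot: `owner /tmp/variables.txt w,` (comment "For printing env") and `owner /tmp/dhclient-script.debug rw,` allow a root-run hook to dump its full environment — which for dhclient-script includes the lease data handed over by the DHCP server — to fixed, predictable paths in a world-writable directory; this looks like a debugging aid rather than production behaviour, and if it has to stay, a comment such as `# debug only: remove once hook development is done` flags it for cleanup. This profile uses `include <abstractions/nameservice>` where every other profile in the commit uses `nameservice-strict`; if the wider abstraction is deliberate (the hooks resolve names?) a comment should say so. The `capability net_admin,` grant placed under `# Many scripts may use the ip tool` sits mid-file, separated from `capability sys_admin,` at the top; grouping capabilities together is the convention the other profiles follow.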


@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dig
profile dig @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{HOME}/.digrc r,
include if exists <local/dig>
}


@ -0,0 +1,57 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dino-im
profile dino-im @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
# Needed for GPG/PGP support
/{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ w,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{user_share_dirs}/dino/ rw,
owner @{user_share_dirs}/dino/** rwk,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{PROC}/@{pid}/fd/ r,
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpg mr,
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpgsm mr,
owner @{HOME}/.gnupg/ rw,
owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
}
include if exists <local/dino-im>
}
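Review bot: The `gpg` child profile hard-codes `owner @{HOME}/.gnupg/` while the equivalent child in claws-mail above uses `owner @{HOME}/@{XDG_GPG_DIR}/`; using the tunable here too keeps the two consistent and honours a relocated GnuPG home. Both children are otherwise the same three `mr` rules plus the keyring directory, so a shared child profile for the gpg helpers would be the natural next step. `owner @{run}/user/@{uid}/dconf/ w,` is write-only here but `rw` in deltachat-desktop and czkawka-gui; one of the two is presumably wrong for the dconf abstraction's needs.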


@ -0,0 +1,115 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/dkms
profile dkms @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search,
capability mknod,
capability setgid,
capability setuid,
unix (receive) type=stream,
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/head rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/nproc rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/diff rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/rmdir rix,
/{usr/,}bin/find rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/date rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/echo rix,
/{usr/,}bin/pwd rix,
/{usr/,}bin/getconf rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/make rix,
/{usr/,}bin/{,@{multiarch}-}* rix,
/{usr/,}lib/gcc/@{multiarch}/[0-9]*/* rix,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/kmod rCx -> kmod,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}lib/linux-kbuild-*/scripts/** rix,
/{usr/,}lib/modules/*/build/scripts/** rix,
/{usr/,}lib/linux-kbuild-*/tools/objtool/objtool rix,
/{usr/,}lib/modules/*/build/tools/objtool/objtool rix,
/ r,
/{usr/,}lib/modules/*/updates/ rw,
/{usr/,}lib/modules/*/updates/dkms/ rw,
/{usr/,}lib/modules/*/updates/dkms/*.ko rw,
/{usr/,}lib/modules/*/kernel/drivers/{,*,*/,**.ko.xz} rw,
/var/lib/dkms/ r,
/var/lib/dkms/** rw,
/etc/dkms/{,**} r,
# For building module in /usr/src/ subdirs
/usr/src/ r,
/usr/src/** rw,
/usr/src/linux-headers-*/scripts/gcc-plugins/*.so mr,
/usr/src/linux-headers-*/scripts/** rix,
/usr/src/linux-headers-*/tools/** rix,
/usr/include/**.h r,
# For autosign modules
owner /etc/kernel_key/sign-kernel.sh rix,
owner /etc/kernel_key/*.key r,
owner /etc/kernel_key/*.crt r,
owner @{HOME}/ r,
owner /tmp/cc* rw,
owner /tmp/dkms.*/ rw,
owner /tmp/tmp.* rw,
owner /tmp/sh-thd.* rw,
owner /tmp/* rw,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/sys/kernel/osrelease r,
profile kmod {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/kmod mr,
@{PROC}/cmdline r,
/{usr/,}lib/modules/*/modules.* rw,
/var/lib/dkms/**/module/*.ko r,
owner /boot/System.map-* r,
}
include if exists <local/dkms>
}
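Review bot: `/{usr/,}bin/{,@{multiarch}-}* rix,` grants inherit-execute of every binary under `/usr/bin`, which makes the thirty explicit `rix` rules above it redundant and leaves the profile's exec side effectively unconfined; if the glob is needed for the cross-compiler toolchain, narrowing it to `/{usr/,}bin/@{multiarch}-* rix,` keeps the enumerated list meaningful. Likewise `owner /tmp/* rw,` subsumes the four `/tmp/cc*`, `/tmp/dkms.*/`, `/tmp/tmp.*`, `/tmp/sh-thd.*` rules that precede it. The `owner /etc/kernel_key/*.key r,` rule exposes the module-signing private key to a build process that can also execute anything under `/usr/bin`; a comment noting that the signing step runs in this profile (and why it cannot be delegated to a `rPx` helper) would help a later reviewer.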


@ -0,0 +1,39 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/dkms/dkms_autoinstaller
profile dkms-autoinstaller @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/tput rix,
/{usr/,}bin/echo rix,
/{usr/,}{s,}bin/dkms rPx,
/{usr/,}bin/run-parts rCx -> run-parts,
/{usr/,}bin/systemctl rPx -> child-systemctl,
# For shell pwd
/ r,
profile run-parts {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/run-parts mr,
}
include if exists <local/dkms-autoinstaller>
}


@ -0,0 +1,65 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dlocate
profile dlocate @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@{exec_path} rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/awk rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/grep-dctrl rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/du rix,
/{usr/,}bin/stat rix,
/{usr/,}bin/md5sum rCx -> md5sum,
/etc/default/dlocate r,
/var/lib/dlocate/dlocatedb r,
/var/lib/dlocate/dpkg-list r,
/var/lib/dpkg/status r,
/var/lib/dpkg/info/*.list r,
/var/lib/dpkg/info/*.conffiles r,
/var/lib/dpkg/info/*.md5sums r,
owner /tmp/sh-thd.* rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/fd/2 w,
/ r,
profile md5sum {
include <abstractions/base>
/{usr/,}bin/md5sum mr,
# For the md5 check
/boot/** r,
/usr/** r,
}
include if exists <local/dlocate>
}


@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/eject/dmcrypt-get-device
profile dmcrypt-get-device @{exec_path} flags=(complain) {
include <abstractions/base>
capability sys_admin,
capability setgid,
capability setuid,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/devices r,
/dev/mapper/control rw,
include if exists <local/dmcrypt-get-device>
}


@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dmesg
profile dmesg @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
capability syslog,
capability dac_read_search,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/less rPx -> child-pager,
/dev/kmsg r,
/usr/share/terminfo/{,**} r,
include if exists <local/dmesg>
}


@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/dmidecode
profile dmidecode @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
@{sys}/firmware/dmi/tables/smbios_entry_point r,
@{sys}/firmware/dmi/tables/DMI r,
# The following are needed when the --no-sysfs flag is used
#capability sys_rawio,
#/dev/mem r,
#@{sys}/firmware/efi/systab r,
# For dumping the output to a file
owner /tmp/dump.bin rw,
include if exists <local/dmidecode>
}


@ -0,0 +1,76 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/dnscrypt-proxy
profile dnscrypt-proxy @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
# To bind to the 53 tcp/udp port (when systemd's sockets aren't used).
capability net_bind_service,
# Needed for privilege drop (to run as _dnscrypt-proxy:nogroup).
capability setgid,
capability setuid,
# Needed?
capability net_admin,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mrix,
# dnscrypt-proxy config files
/etc/dnscrypt-proxy/ r,
/etc/dnscrypt-proxy/dnscrypt-proxy.toml r,
/etc/dnscrypt-proxy/whitelist.txt r,
/etc/dnscrypt-proxy/blacklist.txt r,
/etc/dnscrypt-proxy/cloaking-rules.txt r,
/etc/dnscrypt-proxy/forwarding-rules.txt r,
# This is for the built-in DoH server / Firefox ESNI (Encrypted ClientHello)
# See: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Local-DoH
owner /etc/dnscrypt-proxy/localhost.pem r,
# For downloading the relays.md and public-resolvers.md files (for offline use, which can fix
# connectivity issues).
owner /etc/dnscrypt-proxy/sf-*.tmp rw,
owner /etc/dnscrypt-proxy/relays.md rw,
owner /etc/dnscrypt-proxy/relays.md.minisig rw,
owner /etc/dnscrypt-proxy/public-resolvers.md rw,
owner /etc/dnscrypt-proxy/public-resolvers.md.minisig rw,
owner /var/cache/dnscrypt-proxy/sf-*.tmp rw,
owner /var/cache/dnscrypt-proxy/relays.md rw,
owner /var/cache/dnscrypt-proxy/relays.md.minisig rw,
owner /var/cache/dnscrypt-proxy/public-resolvers.md rw,
owner /var/cache/dnscrypt-proxy/public-resolvers.md.minisig rw,
@{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/kernel/hostname r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
# Logs
/var/log/dnscrypt-proxy/ r,
/var/log/dnscrypt-proxy/*.log w,
/var/log/private/dnscrypt-proxy/ rw,
/var/log/private/dnscrypt-proxy/*.log w,
/var/cache/private/dnscrypt-proxy/sf-*.tmp rw,
/var/cache/private/dnscrypt-proxy/public-resolvers.md{,.minisig} rw,
# Needed?
deny /etc/ssl/certs/java/ r,
include if exists <local/dnscrypt-proxy>
}


@ -0,0 +1,37 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/ring/dring
profile dring @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/audio>
include <abstractions/video>
network inet dgram,
network inet6 dgram,
network netlink raw,
@{exec_path} mr,
owner @{HOME}/.config/ring/ rw,
owner @{HOME}/.config/jami/dring.yml rw,
owner @{HOME}/.config/jami/dring.yml.bak w,
owner @{HOME}/.local/share/jami/ r,
@{sys}/class/ r,
@{sys}/bus/ r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
include if exists <local/dring>
}


@ -0,0 +1,50 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dumpcap
profile dumpcap @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To capture packekts
capability net_raw,
capability net_admin,
signal (receive) peer=wireshark,
network inet dgram,
network inet6 dgram,
network netlink raw,
network packet dgram,
network packet raw,
network bluetooth raw,
@{exec_path} mr,
@{sys}/class/net/ r,
@{sys}/bus/usb/devices/ r,
@{sys}/devices/virtual/net/*/type r,
@{sys}/devices/pci[0-9]*/**/net/*/type r,
@{sys}/devices/virtual/net/*/statistics/* r,
@{PROC}/@{pid}/net/dev r,
@{PROC}/@{pid}/net/psched r,
/dev/ r,
# Traffic log files
owner /tmp/wireshark_*.pcapng rw,
owner /tmp/*.pcap rw,
# file_inherit
owner @{HOME}/.xsession-errors w,
/usr/share/GeoIP/* r,
/dev/dri/card[0-9] rw,
include if exists <local/dumpcap>
}


@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/{dumpe2fs,e2mmpstatus}
profile dumpe2fs @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
include <abstractions/nameservice-strict>
@{exec_path} mr,
owner @{run}/blkid/blkid.tab{,-*} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
# Image files
@{HOME}/** r,
@{MOUNTS}/** r,
include if exists <local/dumpe2fs>
}


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dunst
profile dunst @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
@{exec_path} mr,
/etc/xdg/dunst/dunstrc r,
owner @{HOME}/.config/dunst/dunstrc r,
owner @{HOME}/.Xauthority r,
include if exists <local/dunst>
}


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dunstctl
profile dunstctl @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/dbus-send rCx -> dbus,
profile dbus {
include <abstractions/base>
/{usr/,}bin/dbus-send mr,
}
include if exists <local/dunstctl>
}


@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dunstify
profile dunstify @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/dunstify>
}


@ -0,0 +1,36 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/{e2fsck,fsck.ext2,fsck.ext3,fsck.ext4}
profile e2fsck @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
include <abstractions/user-download-strict>
@{exec_path} mr,
# To check for badblocks
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}{s,}bin/badblocks rPx,
owner @{run}/blkid/blkid.tab{,-*} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
@{PROC}/swaps r,
owner @{PROC}/@{pid}/mounts r,
@{sys}/devices/**/power_supply/AC/online r,
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/e2fsck>
}


@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/e2image
profile e2image @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
include <abstractions/user-download-strict>
@{exec_path} mr,
@{PROC}/swaps r,
owner @{PROC}/@{pid}/mounts r,
# A place for the metadata image file
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/e2image>
}


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/edid-decode
profile edid-decode @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]/*/edid r,
include if exists <local/edid-decode>
}


@ -0,0 +1,31 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/eject
profile eject @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
capability sys_rawio,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}lib/eject/dmcrypt-get-device rPx,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
/etc/fstab r,
@{run}/mount/utab r,
include if exists <local/eject>
}


@ -0,0 +1,123 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/engrampa
profile engrampa @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/cp rix,
# Archivers
/{usr/,}bin/7z rix,
/{usr/,}lib/p7zip/7z rix,
/{usr/,}bin/unrar-nonfree rix,
/{usr/,}bin/zip rix,
/{usr/,}bin/unzip rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/cpio rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/zstd rix,
# For deb packages
/{usr/,}bin/dpkg-deb rix,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
/{usr/,}bin/xdg-open rCx -> open,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{user_config_dirs}/engrampa/ rw,
/ r,
/home/ r,
#owner @{HOME}/ r,
#owner @{HOME}/** rw,
@{MOUNTS}/ r,
@{MOUNTS}/** rw,
/tmp/ r,
owner /tmp/** rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/.fr-*/{,**} rw,
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/mimeapps.list{,.*} rw,
owner @{user_share_dirs}/ r,
owner @{user_share_dirs}/gvfs-metadata/** r,
/usr/share/engrampa/{,**} r,
/usr/share/**.desktop r,
/usr/share/**/icons/**.png r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/mounts r,
/etc/fstab r,
# Allowed apps to open
/{usr/,}bin/engrampa rPx,
/{usr/,}bin/geany rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/spacefm rPx,
# file_inherit
owner /dev/tty[0-9]* rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}bin/engrampa rPx,
/{usr/,}bin/geany rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/spacefm rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/engrampa>
}


@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dcut /usr/share/dput/execute-dcut
profile execute-dcut @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/python>
include <abstractions/deny-root-dir-access>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
include if exists <local/execute-dcut>
}


@ -0,0 +1,54 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dput /usr/share/dput/execute-dput
profile execute-dput @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/python>
include <abstractions/nameservice-strict>
include <abstractions/deny-root-dir-access>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg,
/usr/share/dput/{,**} r,
/etc/dput.cf r,
owner @{HOME}/.dput.cf r,
owner @{PROC}/@{pid}/fd/ r,
# sources dir
owner @{user_build_dirs}/**.changes r,
owner @{user_build_dirs}/**.dsc r,
owner @{user_build_dirs}/**.buildinfo r,
owner @{user_build_dirs}/**.tar.xz r,
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpg mr,
/{usr/,}bin/gpgsm mr,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
}
include if exists <local/execute-dput>
}


@ -0,0 +1,78 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/exim4
profile exim4 @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mrix,
# To bind to port 25/tcp
capability net_bind_service,
# To remove the following error:
# exim4[]: exim: setgroups() failed: Operation not permitted
capability setgid,
# To remove the following error:
# exim4[]: unable to set gid=110 or uid=105 (euid=0): calling tls_validate_require_cipher
capability setuid,
# To remove the following error:
# exim4[]: Cannot open main log file "/var/log/exim4/mainlog": Permission denied: euid=0 egid=110
capability dac_read_search,
capability dac_override,
# To remove the following error:
# exim.c:774: chown(/var/spool/exim4//msglog//1kqH5Z-000RUf-UR, 105:110) failed (Operation not
# permitted). Please contact the authors and refer to https://bugs.exim.org/show_bug.cgi?id=2391
capability chown,
# To remove the following error:
# Couldn't chmod message log /var/spool/exim4//msglog//1kqH6c-000S7r-Ni: Operation not permitted
capability fowner,
# Needed?
audit deny capability net_admin,
/var/lib/exim4/config.autogenerated{,.tmp} r,
/etc/email-addresses r,
/etc/aliases r,
/var/log/exim4/ w,
/var/log/exim4/mainlog w,
/var/log/exim4/paniclog w,
/var/log/exim4/rejectlog w,
/var/spool/exim4/ r,
/var/spool/exim4/** rwk,
owner /var/mail/* rwkl -> /var/mail/*,
@{run}/exim4/ r,
owner @{run}/exim4/exim.pid rw,
owner @{run}/dbus/system_bus_socket rw,
# file_inherit
/tmp/#[0-9]*[0-9] rw,
/var/lib/dpkg/status r,
/var/log/cron-apt/lastfullmessage r,
include if exists <local/exim4>
}


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/share/xfce4/exo/exo-compose-mail
profile exo-compose-mail @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
# Mail clients
/{usr/,}bin/thunderbird rPx,
/{usr/,}lib/thunderbird/thunderbird rPx,
/{usr/,}lib/thunderbird/thunderbird-bin rPx,
include if exists <local/exo-compose-mail>
}


@ -0,0 +1,56 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/xfce[0-9]/exo-[0-9]/exo-helper-[0-9]
profile exo-helper @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/app-launcher-user>
# These are needed when there's no default application set in the ~/.config/xfce4/helpers.rc
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
@{exec_path} mr,
/usr/share/ r,
/usr/share/xfce4/ r,
/usr/share/xfce4/helpers/ r,
/usr/share/xfce4/helpers/*.desktop r,
/usr/local/share/ r,
owner @{user_share_dirs}/ r,
owner @{user_share_dirs}/xfce4/ r,
owner @{user_share_dirs}/xfce4/helpers/ r,
/etc/xdg/{,xdg-*/}xfce4/helpers.rc r,
owner @{user_config_dirs}/xfce4/helpers.rc rw,
owner @{user_config_dirs}/xfce4/helpers.rc.@{pid}.tmp rw,
owner @{user_share_dirs}/xfce4/helpers/*.desktop rw,
owner @{user_share_dirs}/xfce4/helpers/*.desktop.@{pid}.tmp rw,
owner @{user_config_dirs}/mimeapps.list{,.*} rw,
# Some missing icons
/usr/share/**.png r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/exo-helper>
}


@ -0,0 +1,32 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/exo-open
profile exo-open @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/app-launcher-user>
@{exec_path} mr,
/{usr/,}lib/@{multiarch}/xfce4/exo-[0-9]/exo-helper-[0-9] rPx,
# It looks like gio-launch-desktop decides what app should be opened
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx,
owner @{PROC}/@{pid}/fd/ r,
/** r,
owner /** rw,
include if exists <local/exo-open>
}


@ -0,0 +1,17 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/f3brew
profile f3brew @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
@{exec_path} mr,
include if exists <local/f3brew>
}


@ -0,0 +1,63 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/f3fix
profile f3fix @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
# To remove the following errors:
# Error: Partition(s) * on /dev/sdb have been written, but we have been unable to inform the
# kernel of the change, probably because it/they are in use. As a result, the old partition(s)
# will remain in use. You should reboot now before making further changes.
capability sys_admin,
# Needed? (##FIXME##)
capability sys_rawio,
# Needed?
ptrace (read),
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}{s,}bin/dmidecode rPx,
/{usr/,}bin/udevadm rCx -> udevadm,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/swaps r,
profile udevadm {
include <abstractions/base>
ptrace (read),
/{usr/,}bin/udevadm mr,
/etc/udev/udev.conf r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/cmdline r,
@{PROC}/1/sched r,
@{PROC}/1/environ r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/random/boot_id r,
@{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
# file_inherit
/dev/sd[a-z] rw,
}
include if exists <local/f3fix>
}


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/f3probe
profile f3probe @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
@{exec_path} mr,
include if exists <local/f3probe>
}


@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/f3read
profile f3read @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
# USB drive mount locations
@{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r,
/mnt/ r,
# To be able to read h2w files
owner @{MOUNTS}/*/[0-9]*.h2w r,
owner @{MOUNTS}/*/*/[0-9]*.h2w r,
owner /mnt/[0-9]*.h2w r,
include if exists <local/f3read>
}


@ -0,0 +1,31 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/f3write
profile f3write @{exec_path} {
include <abstractions/base>
# The f3write doesn't have to be started as root, but when it's started as root, the following
# CAP is needed in order to write to the user owned USB drives (e.g. mounted via udisks).
#capability dac_override,
@{exec_path} mr,
# USB drive mount locations
@{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r,
/mnt/ r,
# To be able to write h2w files
owner @{MOUNTS}/*/[0-9]*.h2w w,
owner @{MOUNTS}/*/*/[0-9]*.h2w w,
owner /mnt/[0-9]*.h2w w,
include if exists <local/f3write>
}
