Add two profile directories to keep each directory smaller.

This commit is contained in:
Alexandre Pujol 2021-09-15 16:55:27 +01:00
parent 6c0ae4ddc1
commit d95a876424
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
521 changed files with 0 additions and 0 deletions


@ -0,0 +1,127 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2020 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gajim
profile gajim @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/audio>
include <abstractions/video>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
include <abstractions/python>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/gstreamer>
include <abstractions/enchant>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} r,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
/{usr/,}{s,}bin/ldconfig rix,
# To play sounds
/{usr/,}bin/aplay rix,
/{usr/,}bin/pacat rix,
# Needed for GPG/PGP support
/{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg,
# External apps
/{usr/,}bin/xdg-settings rPx,
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/spacefm rPx,
# Gajim plugins
/usr/share/gajim/plugins/{,**} r,
# Gajim home files
owner @{HOME}/ r,
owner @{user_config_dirs}/gajim/ rw,
owner @{user_config_dirs}/gajim/** rwk,
owner @{user_share_dirs}/gajim/ rw,
owner @{user_share_dirs}/gajim/** rwk,
# Cache
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/gajim/ rw,
owner @{user_cache_dirs}/gajim/** rwk,
owner @{HOME}/.cache/farstream/ rw,
owner @{HOME}/.cache/farstream/codecs.audio.x86_64.cache{,.tmp*} rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/etc/fstab r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
# TMP files locations (first in /tmp/ , /var/tmp/ and @{HOME}/)
/var/tmp/ r,
/tmp/ r,
owner /tmp/* rw,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
# Silencer
deny /usr/share/gajim/** w,
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpg mr,
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpgsm mr,
/{usr/,}bin/gpg-agent rix,
/{usr/,}lib/gnupg/scdaemon rix,
# without owner
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{run}/user/@{uid}/gnupg/d.*/ rw,
owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
owner @{HOME}/.local/share/gajim/openpgp/ rw,
owner @{HOME}/.local/share/gajim/openpgp/** rwkl -> @{HOME}/.local/share/gajim/openpgp/**,
}
include if exists <local/gajim>
}
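Review bot: `owner /tmp/* rw,` grants read/write on every user-owned file directly under /tmp, which is far wider than the profile's own cache and config rules and overlaps the temporary files of other confined applications in this set. If gajim's temporary files follow a recognisable name, narrow the rule to that pattern, e.g. `owner /tmp/GAJIM-TMP-PATTERN rw,` with the pattern taken from an audit run; otherwise a comment stating why the whole directory is needed would help the next maintainer. In the `gpg` child profile, `@{PROC}/@{pid}/task/@{tid}/comm rw,` is deliberately left without `owner` per the `# without owner` comment, but the comment does not say which process triggered the unowned access, so the next person auditing it cannot tell whether it is still required.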


@ -0,0 +1,36 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/games/wesnoth{,-[0-9]*}
profile games-wesnoth @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/dri-enumerate>
include <abstractions/dri-common>
include <abstractions/audio>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/deny-root-dir-access>
@{exec_path} mrix,
/usr/share/games/wesnoth/[0-9]*/{,**} r,
owner @{user_config_dirs}/wesnoth-[0-9]*/{,**} rw,
owner @{HOME}/.Xauthority r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner @{HOME}/.icons/default/index.theme r,
/usr/share/icons/*/index.theme r,
include if exists <local/games-wesnoth>
}


@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/games/wesnoth-[0-9]*{-nolog,-smalgui,_editor} /usr/games/wesnoth-nolog
profile games-wesnoth-sh @{exec_path} {
include <abstractions/base>
include <abstractions/deny-root-dir-access>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/usr/games/wesnoth{,-[0-9]*} rPx,
# For the editor
/{usr/,}bin/basename rix,
/{usr/,}bin/sed rix,
# file_inherit
owner @{HOME}/.xsession-errors w,
include if exists <local/games-wesnoth-sh>
}


@ -0,0 +1,110 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ganyremote
profile ganyremote @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/user-download-strict>
include <abstractions/python>
include <abstractions/thumbnails-cache-read>
include <abstractions/deny-root-dir-access>
network inet stream,
network inet6 stream,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/id rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/anyremote rPx,
/{usr/,}bin/ps rPx,
/{usr/,}bin/killall rCx -> killall,
/{usr/,}bin/pgrep rCx -> pgrep,
/{usr/,}bin/pacmd rPUx,
/{usr/,}bin/pactl rPUx,
# Players
/{usr/,}bin/smplayer rPUx,
/{usr/,}bin/amarok rPUx,
/{usr/,}bin/vlc rPUx,
/{usr/,}bin/mpv rPUx,
/{usr/,}bin/strawberry rPUx,
owner @{HOME}/ r,
owner @{HOME}/.anyRemote/{,*} rw,
/usr/share/anyremote/{,**} r,
deny @{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
/etc/fstab r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# Doc dirs
deny /usr/local/share/ r,
deny /usr/share/ r,
deny /usr/share/doc/ r,
/usr/share/doc/anyremote{,-data}/ r,
profile killall {
include <abstractions/base>
include <abstractions/consoles>
capability sys_ptrace,
signal (send) set=(int, term, kill),
ptrace (read),
/{usr/,}bin/killall mr,
# The /proc/ dir is needed to avoid the following error:
# /proc: Permission denied
@{PROC}/ r,
@{PROC}/@{pids}/stat r,
}
profile pgrep {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/pgrep mr,
# The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.
@{PROC}/ r,
@{PROC}/@{pids}/cmdline r,
deny @{PROC}/sys/kernel/osrelease r,
/usr/share/anyremote/{,**} r,
}
include if exists <local/ganyremote>
}
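Review bot: The `killall` child profile's `signal (send) set=(int, term, kill),` has no `peer=` restriction, so it may signal any process the user owns rather than only the anyremote server it presumably targets; if the target is anyremote, which is confined by its own profile via the `rPx` rule above, `signal (send) set=(int, term, kill) peer=anyremote,` would pin it — confirm the target against the script before narrowing. Separately, the `rPUx` rules for pacmd, pactl and the media players fall back to unconfined execution whenever no profile for that binary is loaded, which silently widens the sandbox on systems missing those profiles; the firefox rules in gpa and gpodder later in this commit have the same fallback. Where a profile exists in this set, `rPx` is the safer transition, and a comment on the remaining `rPUx` lines saying the fallback is intentional would make the choice explicit.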


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/gconf/gconfd-[0-9]
profile gconfd @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@{exec_path} mr,
/var/lib/gconf/** r,
/etc/gconf/** r,
owner @{HOME}/.gconf/ rw,
owner @{HOME}/.gconf/.testing.writeability rw,
include if exists <local/gconfd>
}


@ -0,0 +1,36 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/gdisk
profile gdisk @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
# Needed to inform the system of newly created/removed partitions
# ioctl(3, BLKRRPART) = -1 EACCES (Permission denied)
#
# Warning: The kernel is still using the old partition table.
# The new table will be used at the next reboot or after you
# run partprobe(8) or kpartx(8)
# The operation has completed successfully.
capability sys_admin,
@{exec_path} mr,
# For disk images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# For backups
owner @{HOME}/**.{bak,back} rwk,
owner @{MOUNTS}/*/**.{bak,back} rwk,
include if exists <local/gdisk>
}
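Review bot: The four disk-image rules differ only in case, and brace alternation lets them collapse to two lines, `owner @{HOME}/**.{iso,img,bin,mdf,nrg,ISO,IMG,BIN,MDF,NRG} rwk,` and the same for `@{MOUNTS}/*/`. Shorter rules are easier to audit, and the `rwk` on `**.bin` deserves a comment since that suffix also matches firmware and installer binaries under the user's home, not only disk images.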


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gdk-pixbuf-query-loaders
profile gdk-pixbuf-query-loaders @{exec_path} {
include <abstractions/base>
network inet stream,
network inet6 stream,
@{exec_path} mr,
/{usr/,}lib/gdk-pixbuf-[0-9].[0-9]*/{,*}/loaders.cache.* rw,
/{usr/,}lib/gdk-pixbuf-[0-9].[0-9]*/*/loaders.cache rw,
include if exists <local/gdk-pixbuf-query-loaders>
}
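Review bot: `network inet stream,` and `network inet6 stream,` are granted to a tool whose only job is rewriting loaders.cache, and nothing else in the profile shows what opens a socket. If the need comes from a name-service lookup, the `nameservice-strict` abstraction used elsewhere in this set is a narrower fit; if it is a stray grant, dropping both lines and checking with an audit run would confirm. Either way a why-comment above the two rules, such as `# network: REASON-FROM-AUDIT-LOG`, should accompany them.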


@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gio-querymodules
profile gio-querymodules @{exec_path} {
include <abstractions/base>
include <abstractions/openssl>
@{exec_path} mr,
/{usr/,}lib/gtk-{3,4}.0/**/giomodule.cache{,.[0-9A-Z]*} w,
/{usr/,}lib/gio/modules/giomodule.cache{,.[0-9A-Z]*} w,
include if exists <local/gio-querymodules>
}

apparmor.d/profiles-g-l/git Normal file

@ -0,0 +1,180 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/git
@{exec_path} += /{usr/,}bin/git-*
@{exec_path} += /{usr/,}lib/git-core/git
@{exec_path} += /{usr/,}lib/git-core/git-*
@{exec_path} += /usr/libexec/git-core/git
@{exec_path} += /usr/libexec/git-core/git-*
@{exec_path} += /usr/libexec/git-core/mergetools/*
profile git @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mrix,
# When you mistype a command, git checks the $PATH variable and search its exec dirs to give you
# the most similar commands, which it thinks can be used instead. Git binaries are all under
# /usr/bin/ , so allow only this location.
/{usr/,}bin/ r,
deny /{usr/,}sbin/ r,
deny /usr/local/{s,}bin/ r,
deny /usr/games/ r,
deny /usr/local/games/ r,
# These are needed for "git submodule update"
/{usr/,}bin/basename rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/gettext.sh rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/envsubst rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/man rPx,
# For signing commits
/{usr/,}bin/gpg rCx -> gpg,
# For SSH support
/{usr/,}bin/ssh rCx -> ssh,
# Difftools
/{usr/,}bin/meld rPUx,
/{usr/,}bin/sensible-editor rCx -> editor,
/{usr/,}bin/vim rCx -> editor,
/{usr/,}bin/vim.* rCx -> editor,
owner @{HOME}/.gitconfig rw,
owner @{user_config_dirs}/git/{,*} rw,
/usr/share/git-core/{,**} r,
/usr/share/terminfo/x/xterm-256color r,
# For diffs
owner /tmp/git-difftool.*/ rw,
owner /tmp/git-difftool.*/right/{,**} rw,
owner /tmp/git-difftool.*/left/{,**} rw,
owner /tmp/* rw,
# For TWRP-device-tree-generator
owner /tmp/tmp*/ rw,
owner /tmp/tmp*/** rwkl -> /tmp/tmp*/**,
# For git log --show-signature
owner /tmp/.git_vtag_tmp* rw,
# For android studio
owner /tmp/git-commit-msg-.txt rw,
# For package building
owner @{HOME}/*/ rw,
owner @{HOME}/*/** rwkl -> @{HOME}/*/**,
owner /tmp/** rwkl -> /tmp/**,
owner /tmp/**/bin/* rCx -> exec,
/etc/mailname r,
profile gpg {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/gpg mr,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
owner /tmp/.git_vtag_tmp* r,
}
profile ssh {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
/{usr/,}bin/ssh mr,
/etc/ssh/ssh_config.d/{,*} r,
/etc/ssh/ssh_config r,
owner @{HOME}/@{XDG_SSH_DIR}/* r,
owner @{HOME}/@{XDG_SSH_DIR}/known_hosts rw,
owner @{PROC}/@{pid}/fd/ r,
owner /tmp/git@*:[0-9]* rwl -> /tmp/git@*:[0-9]*.*,
}
profile exec {
include <abstractions/base>
owner @{user_build_dirs}/**/bin/* mr,
}
profile editor {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/sensible-editor mr,
/{usr/,}bin/vim mrix,
/{usr/,}bin/vim.* mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
owner @{HOME}/.selected_editor r,
/usr/share/terminfo/x/xterm-256color r,
/usr/share/vim/{,**} r,
/etc/vimrc r,
/etc/vim/{,**} r,
owner @{user_cache_dirs}/vim/{,**} rw,
owner @{user_config_dirs}/vim/{,**} r,
owner @{HOME}/.viminfo{,.tmp} rw,
owner @{HOME}/.fzf/plugin/ r,
owner @{HOME}/.fzf/plugin/fzf.vim r,
# The git repository files
owner @{user_build_dirs}/ r,
owner @{user_build_dirs}/** rw,
}
include if exists <local/git>
}
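Review bot: `owner /tmp/**/bin/* rCx -> exec,` transitions into the `exec` child profile, but that child only grants `owner @{user_build_dirs}/**/bin/* mr,`; unless `@{user_build_dirs}` expands to a path under /tmp, the executed binary cannot map itself and the exec is denied. Either add `owner /tmp/**/bin/* mr,` to the child or change the transition rule to use `@{user_build_dirs}`, so the two sides agree. Also, `owner /tmp/* rw,` and `owner /tmp/** rwkl -> /tmp/**,` subsume the narrower git-difftool, .git_vtag_tmp and git-commit-msg rules above them, so either the blanket rules are intended and the specific ones are dead weight, or the blanket ones should go; a comment stating which is meant would settle it. The `@{HOME}/*/**` grant likewise reaches every subdirectory of the home directory, dot-directories included, which the `# For package building` comment does not acknowledge.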


@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/share/zsh-theme-powerlevel[0-9]*k/gitstatus/usrbin/gitstatusd{,-*}
profile gitstatusd @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.git/.gitstatus.[0-9a-zA-Z]*/{,**} rw,
owner @{HOME}/.gitconfig r,
owner @{user_config_dirs}/git/{,*} r,
# Silencer
deny capability dac_read_search,
deny capability dac_override,
deny owner @{HOME}/.*-store/{,**} r,
include if exists <local/gitstatusd>
}


@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/globaltime
profile globaltime @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
owner @{user_config_dirs}/globaltime/ rw,
owner @{user_config_dirs}/globaltime/globaltimerc{,.*} rw,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/globaltime>
}


@ -0,0 +1,29 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/glxgears
profile glxgears @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
capability sys_admin,
# Needed?
deny capability sys_nice,
signal (receive) set=(term, kill),
@{exec_path} mr,
owner @{HOME}/.Xauthority r,
include if exists <local/glxgears>
}
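Review bot: `capability sys_admin,` is granted to a demo program with no comment explaining which operation needs it, while the neighbouring `deny capability sys_nice,` at least carries a `# Needed?`; glxinfo in this commit repeats the same uncommented grant. sys_admin is among the broadest capabilities, so if the real need is not known, `audit capability sys_admin,` (or a temporary deny plus an audit run) would show whether anything actually requests it before it is kept. Whatever the outcome, record it in a comment above the rule in the style gdisk uses for its own sys_admin grant.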


@ -0,0 +1,31 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/glxinfo
profile glxinfo @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
capability sys_admin,
# Needed?
deny capability sys_nice,
@{exec_path} mr,
/usr/share/X11/XErrorDB r,
owner @{HOME}/.Xauthority r,
# file_inherit
owner @{HOME}/.xsession-errors w,
include if exists <local/glxinfo>
}


@ -0,0 +1,55 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gpa
profile gpa @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/user-download-strict>
include <abstractions/nameservice-strict>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
/{usr/,}bin/gpgconf rPx,
/{usr/,}bin/gpg-connect-agent rPx,
/{usr/,}bin/gpg rPx,
/{usr/,}bin/gpgsm rPx,
/usr/share/gpa/{,*} r,
owner @{HOME}/@{XDG_GPG_DIR}/gpa.conf rw,
owner @{HOME}/@{XDG_GPG_DIR}/S.uiserver rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
/tmp/ r,
# To create/verify singatures
owner /**.{asc,sig,sign} rw,
# To encrypt/decrypt files
owner /**.{gpg,txt} rw,
# Files to verify
owner /**.tar.gz r,
owner /tmp/xauth-[0-9]*-_[0-9] r,
# External apps
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/gpa>
}
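Review bot: `owner /**.{gpg,txt} rw,` and `owner /**.{asc,sig,sign} rw,` are rooted at `/`, so gpa may read and write any user-owned file with those suffixes anywhere on the filesystem, including `.txt` files that have nothing to do with signing or encryption. The gdisk profile in this commit scopes equivalent rules to `@{HOME}/**` and `@{MOUNTS}/*/**`; the same anchoring here, e.g. `owner @{HOME}/**.{gpg,txt} rw,` plus the `@{MOUNTS}` twin, keeps the rule useful for files the user actually works on. `owner /**.tar.gz r,` has the same shape and could follow suit.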


@ -0,0 +1,96 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/gparted
profile gparted @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}{s,}bin/ r,
/{usr/,}{s,}bin/gpartedbin rPx,
/{usr/,}bin/ r,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/id rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/gawk rix,
/{usr/,}lib/udisks2/udisks2-inhibit rix,
@{libexec}/udisks2/udisks2-inhibit rix,
@{run}/udev/rules.d/ rw,
@{run}/udev/rules.d/90-udisks-inhibit.rules rw,
/{usr/,}bin/udevadm rCx -> udevadm,
/{usr/,}{s,}bin/killall5 rCx -> killall,
/{usr/,}bin/ps rPx,
/{usr/,}bin/xhost rPx,
/{usr/,}bin/pkexec rPx,
/{usr/,}bin/systemctl rPx -> child-systemctl,
# For shell pwd
/ r,
/root/ r,
/usr/local/bin/ r,
/usr/local/sbin/ r,
# file_inherit
owner /dev/tty[0-9]* rw,
profile udevadm {
include <abstractions/base>
ptrace (read),
/{usr/,}bin/udevadm mr,
/etc/udev/udev.conf r,
owner @{PROC}/@{pid}/stat r,
@{PROC}/cmdline r,
@{PROC}/1/sched r,
@{PROC}/1/environ r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/random/boot_id r,
@{sys}/** r,
@{sys}/devices/virtual/block/**/uevent rw,
@{sys}/devices/pci[0-9]*/**/block/**/uevent rw,
@{run}/udev/data/* r,
}
profile killall flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
capability sys_ptrace,
signal (send) set=(int, term, kill),
ptrace (read),
/{usr/,}{s,}bin/killall5 mr,
# The /proc/ dir is needed to avoid the following error:
# /proc: Permission denied
@{PROC}/ r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/cmdline r,
}
include if exists <local/gparted>
}


@ -0,0 +1,239 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/gpartedbin
profile gpartedbin @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/disks-write>
# Needed to inform the system of newly created/removed partitions.
# ioctl(3, BLKRRPART) = -1 EACCES (Permission denied)
#
# Error: Partition(s) * on /dev/sd* have been written, but we have been unable to inform the
# kernel of the change, probably because it/they are in use. As a result, the old partition(s)
# will remain in use. You should reboot now before making further changes.
capability sys_admin,
#
capability dac_read_search,
# Needed? (##FIXME##)
capability sys_rawio,
# Needed?
deny capability sys_nice,
# Needed?
ptrace (read),
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}{s,}bin/dmidecode rPx,
/{usr/,}{s,}bin/hdparm rPx,
/{usr/,}{s,}bin/blkid rPx,
/{usr/,}bin/udevadm rCx -> udevadm,
/{usr/,}bin/mount rCx -> mount,
/{usr/,}bin/umount rCx -> umount,
# RAID
/{usr/,}{s,}bin/dmraid rPUx,
# Device mapper
/{usr/,}{s,}bin/dmsetup rPUx,
# LVM
/{usr/,}{s,}bin/lvm rPUx,
# NTFS
# The following tools link to mkntfs:
# mkfs.ntfs
/{usr/,}{s,}bin/mkntfs rPx,
/{usr/,}{s,}bin/ntfslabel rPx,
/{usr/,}{s,}bin/ntfsresize rPx,
/{usr/,}bin/ntfsinfo rPx,
# FAT16/32
# The following tools link to mtools:
# mattrib, mbadblocks, mcat, mcd, mclasserase, mcopy, mdel,
# mdeltree, mdir, mdu, mformat, minfo, mlabel, mmd, mmount,
# mmove, mpartition, mrd, mren, mshortname, mshowfat,
# mtoolstest, mtype, mzip
/{usr/,}bin/mtools rPx,
# The following tools link to mkfs.fat:
# mkdosfs, mkfs.msdos, mkfs.vfat
/{usr/,}{s,}bin/mkfs.fat rPx,
# The following tools link to fsck.fat:
# dosfsck, fsck.msdos, fsck.vfat
/{usr/,}{s,}bin/fsck.fat rPx,
# EXT2/3/4
# The following tools link to mke2fs:
# mkfs.ext2, mkfs.ext3, mkfs.ext4
/{usr/,}{s,}bin/mke2fs rPx,
# The following tools link to e2fsck:
# fsck.ext2, fsck.ext3, fsck.ext4
/{usr/,}{s,}bin/e2fsck rPx,
/{usr/,}{s,}bin/resize2fs rPx,
# The following tools link to dumpe2fs:
# e2mmpstatus
/{usr/,}{s,}bin/dumpe2fs rPx,
# The following tools link to tune2fs:
# e2label
/{usr/,}{s,}bin/tune2fs rPx,
/{usr/,}{s,}bin/e2image rPx,
# BTRFS
/{usr/,}{s,}bin/mkfs.btrfs rPx,
# The following tools link to btrfs:
# btrfsck
/{usr/,}bin/btrfs rPx,
/{usr/,}bin/btrfstune rPx,
/{usr/,}{s,}bin/fsck.btrfs rPx,
/{usr/,}{s,}bin/mkfs.btrfs rPx,
# SWAP
/{usr/,}{s,}bin/mkswap rPx,
/{usr/,}{s,}bin/swaplabel rPx,
/{usr/,}{s,}bin/swapon rPx,
/{usr/,}{s,}bin/swapoff rPx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
@{PROC}/version r,
@{PROC}/swaps r,
@{PROC}/partitions r,
@{PROC}/devices r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
/dev/mapper/control rw,
/etc/fstab r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
@{run}/mount/utab r,
# For fsck of the btrfs filesystem
owner /tmp/gparted-*/ rw,
# Started as root so without "owner".
@{HOME}/.Xauthority r,
# For saving reports
owner @{HOME}/*.htm w,
profile mount {
include <abstractions/base>
capability sys_admin,
/{usr/,}bin/mount mr,
mount /dev/sd[a-z][0-9]* -> /tmp/gparted-*/,
mount /dev/sd[a-z][0-9]* -> /boot/,
mount /dev/sd[a-z][0-9]* -> @{MOUNTS}/*/,
mount /dev/sd[a-z][0-9]* -> @{MOUNTS}/*/*/,
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/ r,
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/dev r,
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/sd[a-z][0-9]*/ r,
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/sd[a-z][0-9]*/{start,size} r,
/dev/sd[a-z] r,
/dev/sd[a-z][0-9]* r,
}
profile umount {
include <abstractions/base>
capability sys_admin,
/{usr/,}bin/umount mr,
umount /tmp/gparted-*/,
umount /boot/,
umount @{MOUNTS}/*/,
umount @{MOUNTS}/*/*/,
owner @{PROC}/@{pid}/mountinfo r,
owner @{run}/mount/ rw,
owner @{run}/mount/utab{,.*} rw,
owner @{run}/mount/utab.lock wk,
}
profile udevadm {
include <abstractions/base>
ptrace (read),
/{usr/,}bin/udevadm mr,
/etc/udev/udev.conf r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/cmdline r,
@{PROC}/1/sched r,
@{PROC}/1/environ r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/random/boot_id r,
# file_inherit
include <abstractions/disks-write> # lots of files in this abstraction get inherited
/dev/mapper/control rw,
}
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/gpartedbin>
}
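Review bot: `capability sys_rawio,` is kept with only `# Needed? (##FIXME##)` above it; sys_rawio enables raw device and port I/O, so an open question on it is worth closing before the profile ships. Changing it to `audit capability sys_rawio,` (or a temporary deny) and exercising the partition operations would show in the log whether anything requests it, and the answer belongs in the comment, as is already done for sys_admin above it. The `mount` and `umount` children only name `/dev/sd[a-z][0-9]*` sources, so NVMe, MMC and virtio block devices will be refused there; whether that is intentional is not stated and deserves either a comment or additional patterns.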


@ -0,0 +1,45 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gpasswd
profile gpasswd @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# To write records to the kernel auditing log.
capability audit_write,
# To set the right permission to the files in the /etc/ dir.
capability chown,
capability fsetid,
# gpasswd is a SETUID binary
capability setuid,
network netlink raw,
@{exec_path} mr,
owner @{PROC}/@{pid}/loginuid r,
/etc/login.defs r,
/etc/{group,gshadow} rw,
/etc/{group,gshadow}.@{pid} w,
/etc/{group,gshadow}- w,
/etc/{group,gshadow}+ rw,
/etc/group.lock wl -> /etc/group.@{pid},
/etc/gshadow.lock wl -> /etc/gshadow.@{pid},
# A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
# modify the /etc/passwd or /etc/shadow password database.
/etc/.pwd.lock rwk,
include if exists <local/gpasswd>
}
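Review bot: The `/etc/{group,gshadow}` rewrite block — the `rw`, `.@{pid}`, `-`, `+`, `.lock` link rules, `/etc/.pwd.lock rwk,` and the lckpwdf() comment — is repeated almost verbatim in groupadd, groupdel, groupmod (with passwd added) and grpck later in this commit. A shared abstraction in the repository's own abstractions directory, included by each of these profiles, would keep the five copies from drifting. grpck already differs by granting `rw` rather than `w` on the `.@{pid}` temp files, which may be drift or a real need but is not commented either way.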


@ -0,0 +1,47 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gpo
profile gpo @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/python>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
owner @{PROC}/@{pid}/fd/ r,
owner @{HOME}/gPodder/ rw,
owner @{HOME}/gPodder/** rwk,
/usr/share/gpodder/extensions/{,*.py} r,
/etc/inputrc r,
owner /var/tmp/etilqs_[0-9a-f]* rw,
include if exists <local/gpo>
}


@ -0,0 +1,98 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gpodder
profile gpodder @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/gtk>
include <abstractions/python>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
owner @{HOME}/ r,
owner @{HOME}/gPodder/ rw,
owner @{HOME}/gPodder/** rwk,
/usr/share/gpodder/{,**} r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
/etc/fstab r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner /var/tmp/etilqs_[0-9a-f]* rw,
/etc/mime.types r,
/usr/share/*/*.desktop r,
/{usr/,}bin/xdg-settings rPUx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
# A/V players
/{usr/,}bin/smplayer rPUx,
/{usr/,}bin/vlc rPUx,
/{usr/,}bin/mpv rPUx,
# Open in a web browser
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner /dev/tty[0-9]* rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/gpodder>
}


@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gpodder-migrate2tres
profile gpodder-migrate2tres @{exec_path} {
include <abstractions/base>
include <abstractions/python>
include <abstractions/deny-root-dir-access>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
owner @{PROC}/@{pid}/fd/ r,
owner @{HOME}/gPodder/ rw,
owner @{HOME}/gPodder/** rwk,
include if exists <local/gpodder-migrate2tres>
}


@ -0,0 +1,41 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/groupadd
profile groupadd @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# To write records to the kernel auditing log.
capability audit_write,
# To set the right permission to the files in the /etc/ dir.
capability chown,
capability fsetid,
network netlink raw,
@{exec_path} mr,
/{usr/,}{s,}bin/nscd rix,
/etc/login.defs r,
/etc/{group,gshadow} rw,
/etc/{group,gshadow}.@{pid} w,
/etc/{group,gshadow}- w,
/etc/{group,gshadow}+ rw,
/etc/group.lock wl -> /etc/group.@{pid},
/etc/gshadow.lock wl -> /etc/gshadow.@{pid},
# A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
# modify the /etc/passwd or /etc/shadow password database.
/etc/.pwd.lock rwk,
include if exists <local/groupadd>
}


@ -0,0 +1,41 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/groupdel
profile groupdel @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# To write records to the kernel auditing log.
capability audit_write,
# To set the right permission to the files in the /etc/ dir.
capability chown,
capability fsetid,
network netlink raw,
@{exec_path} mr,
/{usr/,}{s,}bin/nscd rix,
/etc/login.defs r,
/etc/{group,gshadow} rw,
/etc/{group,gshadow}.@{pid} w,
/etc/{group,gshadow}- w,
/etc/{group,gshadow}+ rw,
/etc/group.lock wl -> /etc/group.@{pid},
/etc/gshadow.lock wl -> /etc/gshadow.@{pid},
# A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
# modify the /etc/passwd or /etc/shadow password database.
/etc/.pwd.lock rwk,
include if exists <local/groupdel>
}


@ -0,0 +1,42 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/groupmod
profile groupmod @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# To write records to the kernel auditing log.
capability audit_write,
# To set the right permission to the files in the /etc/ dir.
capability chown,
capability fsetid,
network netlink raw,
@{exec_path} mr,
/etc/login.defs r,
/etc/{passwd,gshadow,group} rw,
/etc/{passwd,gshadow,group}.@{pid} w,
/etc/{passwd,gshadow,group}- w,
/etc/{passwd,gshadow,group}+ rw,
/etc/passwd.lock wl -> /etc/passwd.@{pid},
/etc/group.lock wl -> /etc/group.@{pid},
/etc/gshadow.lock wl -> /etc/gshadow.@{pid},
# A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
# modify the /etc/passwd or /etc/shadow password database.
/etc/.pwd.lock rwk,
include if exists <local/groupmod>
}


@ -0,0 +1,17 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/groups
profile groups @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@{exec_path} mr,
include if exists <local/groups>
}


@ -0,0 +1,35 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grpck
profile grpck @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To set the right permission to the files in the /etc/ dir.
capability chown,
capability fsetid,
@{exec_path} mr,
/etc/login.defs r,
/etc/{gshadow,group} rw,
/etc/{gshadow,group}.@{pid} rw,
/etc/{gshadow,group}- w,
/etc/{gshadow,group}+ rw,
/etc/group.lock wl -> /etc/group.@{pid},
/etc/gshadow.lock wl -> /etc/gshadow.@{pid},
# A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
# modify the /etc/passwd or /etc/shadow password database.
/etc/.pwd.lock rwk,
include if exists <local/grpck>
}


@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gsimplecal
profile gsimplecal @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
@{exec_path} mr,
include if exists <local/gsimplecal>
}


@ -0,0 +1,117 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/gsmartcontrol
profile gsmartcontrol @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/deny-dconf>
capability dac_read_search,
# Needed?
deny capability sys_nice,
@{exec_path} mr,
/{usr/,}{s,}bin/smartctl rPx,
/{usr/,}bin/xterm rCx -> terminal,
# When gsmartcontrol is run as root, it wants to exec dbus-launch, and hence it creates the two
# following root processes:
# dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr
# /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
#
# Should this be allowed? Gsmartcontrol works fine without this.
#/{usr/,}bin/dbus-launch rCx -> dbus,
#/{usr/,}bin/dbus-send rCx -> dbus,
deny /{usr/,}bin/dbus-launch rx,
deny /{usr/,}bin/dbus-send rx,
owner @{user_config_dirs}/gsmartcontrol/ rw,
owner @{user_config_dirs}/gsmartcontrol/gsmartcontrol.conf rw,
# As it's started as root
@{HOME}/.Xauthority r,
# For saving SMART raport
owner /root/ r,
owner /root/**.txt w,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/partitions r,
owner @{PROC}/devices r,
owner @{PROC}/scsi/scsi r,
owner @{PROC}/scsi/sg/devices r,
/etc/fstab r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# The Help menu (and links in it) requires access to a web browser. Since gsmartcontrol is run as
# root (even when used sudo or gsmartcontrol-root), the web browser will also be run as root and
# hence this behavior should be blocked.
deny /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rx,
# file_inherit
owner @{HOME}/.xsession-errors w,
profile dbus {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/dbus-launch mr,
/{usr/,}bin/dbus-send mr,
/{usr/,}bin/dbus-daemon rPUx,
# for dbus-launch
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
@{HOME}/.Xauthority r,
}
profile terminal {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/freedesktop.org>
capability setuid,
capability setgid,
capability fsetid,
/{usr/,}bin/xterm mr,
/usr/sbin/update-smart-drivedb rPx,
owner @{HOME}/.Xauthority r,
/etc/shells r,
/etc/X11/app-defaults/XTerm-color r,
/etc/X11/app-defaults/XTerm r,
/etc/X11/cursors/*.theme r,
/usr/include/X11/bitmaps/vlines2 r,
/dev/ptmx rw,
}
include if exists <local/gsmartcontrol>
}
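Review bot: The `dbus` child profile near the end of this section is unreachable: the only transitions into it (`/{usr/,}bin/dbus-launch rCx -> dbus,` and the `dbus-send` one) are commented out and replaced by `deny /{usr/,}bin/dbus-launch rx,` / `deny /{usr/,}bin/dbus-send rx,`, so the sub-profile, including its `/{usr/,}bin/dbus-daemon rPUx` unconfined fallback, is dead configuration. Either drop the child profile or mark it with a comment such as `# Unused while the deny rules above stand; kept for re-enabling the dbus-launch transition`. Separately, `/usr/sbin/update-smart-drivedb rPx` in the `terminal` child hard-codes `/usr/sbin/` where every other exec rule in the file uses the `/{usr/,}{s,}bin/` pattern; aligning it keeps the profile consistent across filesystem layouts.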


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gsmartcontrol-root
profile gsmartcontrol-root @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/pkexec rPx,
include if exists <local/gsmartcontrol-root>
}


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gtk-query-immodules-{2,3}.0
profile gtk-query-immodules @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}lib/gtk-{3,4}.0/**/immodules.cache w,
/{usr/,}lib/gtk-{3,4}.0/**/immodules.cache.[0-9A-Z]* w,
# Inherit silencer
deny network inet6 stream,
deny network inet stream,
include if exists <local/gtk-query-immodules>
}
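Review bot: The attachment path `/{usr/,}bin/gtk-query-immodules-{2,3}.0` and the writable cache paths `/{usr/,}lib/gtk-{3,4}.0/**/immodules.cache` cover different GTK generations: the 2.0 binary is confined but has no `gtk-2.0/` cache path it may write, while `gtk-4.0` is writable although no 4.0 binary is attached. If the 2.0 tool is invoked with `--update-cache` under this profile the write would be denied; presumably the two lists were meant to match, e.g. `/{usr/,}lib/gtk-{2,3}.0/**/immodules.cache{,.[0-9A-Z]*} w,`. A one-line comment stating which GTK versions the profile serves would make any future mismatch obvious.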


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gtk-update-icon-cache /{usr/,}bin/gtk4-update-icon-cache
profile gtk-update-icon-cache @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/usr/share/icons/** r,
/usr/share/icons/**/.icon-theme.cache rw,
/usr/share/icons/**/icon-theme.cache rw,
include if exists <local/gtk-update-icon-cache>
}


@ -0,0 +1,122 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gtk{,2,3}-youtube-viewer
profile gtk-youtube-viewer @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/nameservice-strict>
include <abstractions/perl>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/xterm rCx -> xterm,
/{usr/,}bin/rxvt rCx -> xterm,
/{usr/,}bin/urxvt rCx -> xterm,
# Players
/{usr/,}bin/mpv rPx,
/{usr/,}bin/vlc rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
owner @{user_config_dirs}/youtube-viewer/{,*} rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/youtube-viewer/ rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
profile xterm {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/perl>
include <abstractions/wutmp>
signal (send) set=(hup, winch) peer=youtube-viewer,
signal (send) set=(hup, winch) peer=youtube-viewer//wget,
/{usr/,}bin/xterm mr,
/{usr/,}bin/rxvt mr,
/{usr/,}bin/urxvt mr,
/{usr/,}bin/zsh rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/youtube-viewer rPx,
owner @{PROC}/@{pid}/loginuid r,
/etc/shells r,
/etc/zsh/* r,
/etc/X11/app-defaults/* r,
/usr/include/X11/bitmaps/vlines2 r,
owner @{HOME}/.urxvt/** r,
owner @{HOME}/.Xauthority r,
owner @{HOME}/.ICEauthority r,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/gtk-youtube-viewer>
}


@ -0,0 +1,95 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/games/gzdoom
@{exec_path} += /opt/gzdoom/gzdoom
profile gzdoom @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/audio>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
network netlink raw,
ptrace (trace) peer=@{profile_name},
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/zsh rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/xmessage rix,
/{usr/,}bin/gdb rix,
/{usr/,}bin/iconv rix,
/opt/gzdoom/ r,
/opt/gzdoom/** mr,
/etc/gdb/gdbinit.d/ r,
/etc/gdb/gdbinit r,
/usr/share/gdb/{,**} r,
/usr/share/gcc/{,**} r,
deny /usr/share/gdb/{,**} w,
deny /usr/share/gcc/{,**} w,
/etc/zsh/zshenv r,
/etc/X11/app-defaults/* r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/uevent r,
owner @{HOME}/ r,
owner @{user_config_dirs}/gzdoom/ rw,
owner @{user_config_dirs}/gzdoom/** rw,
owner @{user_config_dirs}/zdoom/ rw,
owner @{user_config_dirs}/zdoom/** rwk,
owner @{HOME}/gzdoom-crash.log rw,
owner @{HOME}/gdb-respfile-* rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pids}/mem r,
owner @{PROC}/@{pids}/task/@{tid}/stat r,
owner @{PROC}/@{pids}/task/@{tid}/comm r,
owner @{PROC}/@{pids}/task/@{tid}/maps r,
owner @{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pid}/loginuid r,
owner @{PROC}/@{pid}/cmdline r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/sound/ r,
@{sys}/class/input/ r,
@{sys}/class/hidraw/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/**/sound/**/{uevent,ev,rel,key,abs} r,
@{sys}/devices/**/input/**/{uevent,ev,rel,key,abs} r,
@{run}/udev/data/+sound:* r,
@{run}/udev/data/+input:* r,
@{run}/udev/data/c13:[0-9]* r, # For /dev/input/*
@{run}/udev/data/c116:[0-9]* r, # For ALSA
@{run}/udev/data/c240:[0-9]* r, # For USB HID
include if exists <local/gzdoom>
}
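Review bot: `/{usr/,}bin/gdb rix`, `ptrace (trace) peer=@{profile_name}`, `owner @{PROC}/@{pids}/mem r`, the `task/@{tid}/{stat,comm,maps}` reads and `owner @{HOME}/gdb-respfile-* rw` together look like a crash-handler path in which the game attaches a debugger to itself, but none of these rules carries a comment, and they are the most sensitive grants in the section. A comment above the `ptrace` rule such as `# Crash handler: gzdoom attaches gdb to itself to write gzdoom-crash.log — confirm` would tell the next reviewer the ptrace and `/proc/*/mem` access is deliberate rather than leftover debugging.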


@ -0,0 +1,199 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/hardinfo
profile hardinfo @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
include <abstractions/python>
# This is needed to display some content of devices -> resources
capability sys_admin,
# This is for benchmarks
capability sys_nice,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/locale rix,
/{usr/,}bin/ldd rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/python2.[0-9]* rix,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}bin/perl rix,
/{usr/,}bin/ruby2.[0-9]* rix,
/{usr/,}bin/make rix,
/{usr/,}bin/strace rix,
/{usr/,}bin/gdb rix,
/{usr/,}bin/last rix,
/{usr/,}bin/iconv rix,
/{usr/,}{s,}bin/route rix,
/{usr/,}bin/valgrind{,.bin} rix,
/{usr/,}lib/@{multiarch}/valgrind/memcheck-*-linux rix,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/ccache rCx -> ccache,
/{usr/,}bin/kmod rCx -> kmod,
/{usr/,}bin/glxinfo rPx,
/{usr/,}bin/xdpyinfo rPx,
/{usr/,}bin/lspci rPx,
/{usr/,}bin/lsusb rPx,
/{usr/,}bin/netstat rPx,
/{usr/,}bin/qtchooser rPx,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac,
/usr/share/hardinfo/{,**} r,
@{sys}/class/power_supply/ r,
@{sys}/class/thermal/ r,
@{sys}/bus/i2c/drivers/eeprom/ r,
@{sys}/devices/system/cpu/** r,
@{sys}/devices/virtual/dmi/id/* r,
@{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r,
@{sys}/devices/virtual/thermal/thermal_zone[0-9]/temp* r,
@{sys}/devices/platform/**/hwmon/hwmon[0-9]*/temp* r,
@{sys}/devices/platform/**/hwmon/hwmon[0-9]*/fan* r,
@{sys}/devices/pci[0-9]*/**/eeprom r,
@{sys}/devices/pci[0-9]*/**/hwmon/hwmon[0-9]*/temp* r,
@{sys}/devices/**/power_supply/** r,
@{PROC}/@{pid}/net/wireless r,
@{PROC}/@{pid}/net/dev r,
@{PROC}/@{pid}/net/arp r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/@{pids}/loginuid r,
@{PROC}/uptime r,
@{PROC}/loadavg r,
@{PROC}/ioports r,
@{PROC}/iomem r,
@{PROC}/dma r,
@{PROC}/asound/cards r,
@{PROC}/scsi/scsi r,
@{PROC}/bus/input/devices r,
@{PROC}/sys/kernel/random/entropy_avail r,
@{PROC}/@{pids}/net/route r,
/etc/fstab r,
/etc/exports r,
/etc/samba/smb.conf r,
/etc/gdb/gdbinit.d/ r,
/usr/share/gdb/python/ r,
/usr/share/gdb/python/** r,
/var/log/wtmp r,
owner @{HOME}/.hardinfo/ rw,
owner /tmp/#[0-9]*[0-9] rw,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# Silencer
deny /usr/share/gdb/python/** w,
# file_inherit
owner /dev/tty[0-9]* rw,
profile ccache {
include <abstractions/base>
/{usr/,}bin/ccache mr,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix,
/media/ccache/*/** rw,
/etc/debian_version r,
}
profile javac {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}lib/jvm/java-[0-9]*-openjdk-amd64/bin/* mr,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-amd64/lib/** mr,
/etc/java-[0-9]*-openjdk/** r,
/usr/share/java/*.jar r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/coredump_filter rw,
@{sys}/fs/cgroup/{,**} r,
owner /tmp/hsperfdata_*/ rw,
owner /tmp/hsperfdata_*/@{pid} rw,
}
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
profile kmod {
include <abstractions/base>
/{usr/,}bin/kmod mr,
@{sys}/module/** r,
@{PROC}/cmdline r,
@{PROC}/modules r,
@{PROC}/ioports r,
}
include if exists <local/hardinfo>
}
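Review bot: `capability sys_admin` and `capability sys_nice` are granted to the whole profile while `python2.[0-9]*`, `python3.[0-9]*`, `perl`, `ruby2.[0-9]*`, `make`, `strace`, `gdb` and `valgrind{,.bin}` all run `rix`, so every benchmark or helper script hardinfo spawns inherits both capabilities. If those helpers only need to run unprivileged, moving them into a child profile without the capabilities, as the section already does for `ccache`, `javac` and `kmod`, would narrow that; I cannot tell from this section alone which of them hardinfo actually exercises. The `javac` child also hard-codes `java-[0-9]*-openjdk-amd64`, so it silently stops matching on any other architecture; a comment noting that limitation, or a broader glob, would help.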


@ -0,0 +1,33 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2009-2012 Steve Kostecke <steve@debian.org>;
# 2011-2014 Jérémy Bobbio <lunar@debian.org>;
# 2020 krathalan https://git.sr.ht/~krathalan/apparmor-profiles/
# SPDX-License-Identifier: GPL-3.0-only
# Version of program profiled: 1.9.14
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/haveged
profile haveged @{exec_path} {
include <abstractions/base>
# Required for ioctl RNDADDENTROPY
capability sys_admin,
owner @{PROC}/@{pid}/status r,
@{exec_path} mr,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/random/poolsize r,
@{PROC}/sys/kernel/random/write_wakeup_threshold w,
/dev/random w,
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/cpu*/cache/ r,
@{sys}/devices/system/cpu/cpu*/cache/index*/{type,size,level} r,
include if exists <local/haveged>
}


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/hciconfig
profile hciconfig @{exec_path} {
include <abstractions/base>
capability net_raw,
capability net_admin,
network bluetooth raw,
@{exec_path} mr,
include if exists <local/hciconfig>
}


@ -0,0 +1,39 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/hddtemp
profile hddtemp @{exec_path} {
include <abstractions/base>
# To remove the following errors:
# /dev/sda: Permission denied
capability sys_rawio,
# There's the following error in strace:
# ioctl(3, HDIO_DRIVE_CMD, 0x7ffdfeafc074) = -1 EACCES (Permission denied)
# This should be covered by CAP_SYS_RAWIO instead.
# (see: https://www.kernel.org/doc/Documentation/ioctl/hdio.rst)
# It looks like hddtemp works just fine without it.
deny capability sys_admin,
network inet stream,
network inet6 stream,
@{exec_path} mr,
# Monitored hard drives
/dev/sd[a-z] r,
# Database file that allows hddtemp to recognize supported drives
/etc/hddtemp.db r,
# Needed when the hddtemp daemon is started in the TCP/IP mode
/etc/gai.conf r,
include if exists <local/hddtemp>
}
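Review bot: `/dev/sd[a-z] r` under "Monitored hard drives" only matches the first 26 SCSI/SATA disks; two-letter nodes such as `/dev/sd[a-z][a-z]` and legacy `/dev/hd[a-z]` devices are not covered. If that is intentional a comment saying so would do; otherwise `/dev/{s,h}d[a-z]{,[a-z]} r,` covers the usual nodes hddtemp can query.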


@ -0,0 +1,34 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/hdparm
profile hdparm @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/disks-read>
# To remove the following errors:
# re-writing sector *: BLKFLSBUF failed: Permission denied
capability sys_admin,
# To remove the following errors:
# /dev/sda: HDIO_DRIVE_CMD(identify) failed: Operation not permitted
capability sys_rawio,
@{exec_path} mr,
/etc/hdparm.conf r,
# for hdparm --fibmap
@{PROC}/devices r,
# Image files
@{HOME}/** r,
@{MOUNTS}/*/** r,
include if exists <local/hdparm>
}
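Review bot: The profile is declared with `flags=(complain)`, so none of its rules are enforced, and nothing in the file records why or what has to happen before it moves to enforce mode; a comment above the `profile` line such as `# complain: still collecting denials for --fibmap and image-file access` would capture that. The `@{HOME}/** r` and `@{MOUNTS}/*/** r` rules under "Image files" also carry no `owner` qualifier, which is presumably deliberate because hdparm runs as root, but that reasoning belongs in the comment too.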


@ -0,0 +1,55 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/hexchat
profile hexchat @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/enchant>
include <abstractions/user-download-strict>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
# For python/perl plugins
include <abstractions/python>
include <abstractions/perl>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
# Hexchat plugins
/{usr/,}lib/@{multiarch}/hexchat/** r,
/{usr/,}lib/@{multiarch}/hexchat/plugins/*.so mr,
# Hexchat home files
owner @{HOME}/ r,
owner @{user_config_dirs}/hexchat/ rw,
owner @{user_config_dirs}/hexchat/** rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
/etc/fstab r,
# External apps
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/hexchat>
}


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/{hostname,domainname,ypdomainname,nisdomainname,nisdomainname}
profile hostname @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability sys_admin,
network netlink raw,
@{exec_path} mr,
include if exists <local/hostname>
}
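Review bot: The attachment list `{hostname,domainname,ypdomainname,nisdomainname,nisdomainname}` names `nisdomainname` twice; presumably one entry was meant to be another of the package's aliases (`dnsdomainname` is the usual remaining one, but confirm against the installed links). The duplicate is harmless to the parser, which is exactly why it hides that one binary is left unconfined.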


@ -0,0 +1,107 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/htop
profile htop @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To be able to read the /proc/ files of all processes in the system.
capability dac_read_search,
# To manage priorities.
capability sys_nice,
# To terminate other users' processes when htop is started as root.
capability kill,
capability sys_ptrace,
# Needed? (for system state)
audit deny capability net_admin,
signal (send),
ptrace (read),
network netlink raw,
@{exec_path} mr,
/usr/share/terminfo/x/xterm-256color r,
@{PROC}/ r,
@{PROC}/loadavg r,
@{PROC}/uptime r,
@{PROC}/tty/drivers r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/pressure/cpu r,
@{PROC}/pressure/io r,
@{PROC}/pressure/memory r,
@{PROC}/diskstats r,
@{PROC}/@{pids}/attr/current r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/statm r,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/oom_{,score_}adj r,
@{PROC}/@{pids}/oom_score r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/wchan r,
@{PROC}/@{pids}/io r,
@{PROC}/@{pids}/comm r,
@{PROC}/@{pids}/task/ r,
@{PROC}/@{pids}/task/@{tid}/attr/current r,
@{PROC}/@{pids}/task/@{tid}/cmdline r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/@{pids}/task/@{tid}/statm r,
@{PROC}/@{pids}/task/@{tid}/environ r,
@{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r,
@{PROC}/@{pids}/task/@{tid}/oom_score r,
@{PROC}/@{pids}/task/@{tid}/cgroup r,
@{PROC}/@{pids}/task/@{tid}/wchan r,
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/task/@{tid}/io r,
@{PROC}/@{pids}/task/@{tid}/comm r,
@{PROC}/@{pids}/net/dev r,
owner @{PROC}/@{pid}/smaps_rollup r,
@{sys}/devices/virtual/block/zram[0-9]*/{disksize,mm_stat} r,
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
@{sys}/class/i2c-adapter/ r,
@{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r,
@{sys}/class/hwmon/ r,
@{sys}/class/power_supply/ r,
@{sys}/devices/**/power_supply/**/{uevent,type,online} r,
@{sys}/devices/**/hwmon/ r,
@{sys}/devices/**/hwmon/{name,temp*} r,
@{sys}/devices/**/hwmon/**/ r,
@{sys}/devices/**/hwmon/**/{name,temp*} r,
@{sys}/devices/**/hwmon[0-9]*/ r,
@{sys}/devices/**/hwmon[0-9]*/{name,temp*} r,
@{sys}/devices/**/hwmon[0-9]*/**/ r,
@{sys}/devices/**/hwmon[0-9]*/**/{name,temp*} r,
owner @{user_config_dirs}/htop/ rw,
owner @{user_config_dirs}/htop/htoprc rw,
# When started in TTY, to remove the following error:
# htop[]: *** err
# /dev/tty2: Permission denied
# htop[]: *** err
# htop[]: Oh, oh, it's an error! possibly I die!
/dev/tty[0-9]* rw,
/etc/sensors.d/ r,
/etc/sensors3.conf r,
include if exists <local/htop>
}


@ -0,0 +1,60 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/hugeadm
profile hugeadm @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To mount anything under /var/lib/hugetlbfs/** .
capability sys_admin,
# For chown on the /var/lib/hugetlbfs/ dir and subdirs.
capability chown,
# For chmod on the /var/lib/hugetlbfs/ dir and subdirs.
capability fowner,
# For setting the set-group-ID bit on the /var/lib/hugetlbfs/group/*/ dirs.
capability fsetid,
# To create /var/lib/hugetlbfs/user/*/pagesize-*/ subdir because the /var/lib/hugetlbfs/user/*/
# parent dir is owned by a different user than root with the "drwx------" permissions.
capability dac_read_search,
capability dac_override,
@{exec_path} mr,
mount fstype=hugetlbfs -> /var/lib/hugetlbfs/pagesize-*/,
mount fstype=hugetlbfs -> /var/lib/hugetlbfs/{user,group}/*/pagesize-*/,
mount fstype=hugetlbfs -> /var/lib/hugetlbfs/global/pagesize-*/,
/var/lib/hugetlbfs/ w,
/var/lib/hugetlbfs/pagesize-*/ w,
/var/lib/hugetlbfs/{user,group}/ w,
/var/lib/hugetlbfs/{user,group}/*/ w,
/var/lib/hugetlbfs/{user,group}/*/pagesize-*/ w,
/var/lib/hugetlbfs/global/ w,
/var/lib/hugetlbfs/global/pagesize-*/ w,
@{PROC}/zoneinfo r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/sys/vm/nr_overcommit_hugepages r,
# For the "--set-recommended-min_free_kbytes" parameter.
owner @{PROC}/sys/vm/min_free_kbytes w,
# For the "--set-recommended-shmmax" parameter.
owner @{PROC}/sys/kernel/shmmax w,
# For the "--set-shm-group" parameter.
owner @{PROC}/sys/vm/hugetlb_shm_group w,
@{sys}/kernel/mm/hugepages/ r,
@{sys}/kernel/mm/transparent_hugepage/* r,
owner @{sys}/kernel/mm/transparent_hugepage/* rw,
include if exists <local/hugeadm>
}


@ -0,0 +1,40 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{HUGO_DIR} = @{MOUNTS}/debuilder/hugo
@{exec_path} = /{usr/,}bin/hugo
profile hugo @{exec_path} {
include <abstractions/base>
network inet stream,
network inet6 stream,
@{exec_path} mr,
# Hugo dirs
owner @{HOME}/hugo/ r,
owner @{HOME}/hugo/** r,
owner @{HOME}/hugo/**/public/ rw,
owner @{HOME}/hugo/**/public/** rw,
owner @{HUGO_DIR}/ r,
owner @{HUGO_DIR}/** r,
owner @{HUGO_DIR}/**/public/ rw,
owner @{HUGO_DIR}/**/public/** rw,
owner /tmp/hugo_cache/ rw,
owner /tmp/hugo_cache/**/ rw,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@{PROC}/sys/net/core/somaxconn r,
/etc/mime.types r,
include if exists <local/hugo>
}
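Review bot: `@{HUGO_DIR} = @{MOUNTS}/debuilder/hugo` is a site-specific path baked into a profile shipped to every user; the shared profile should keep only the generic `@{HOME}/hugo/` rules and the extra directory should come from `local/hugo`, which the section already pulls in via `include if exists <local/hugo>`. Also `owner /tmp/hugo_cache/**/ rw` matches directories only because of the trailing slash, so files hugo writes into its cache would be denied unless another rule covers them; I cannot confirm hugo's cache layout from here, so this is worth checking with a build that populates the cache.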


@ -0,0 +1,246 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/hw-probe
profile hw-probe @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
capability sys_admin,
network inet dgram,
network inet6 dgram,
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/pwd rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/sleep rix,
/{usr/,}bin/md5sum rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/dd rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/efivar rix,
/{usr/,}bin/efibootmgr rix,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}{s,}bin/dkms rPx,
/{usr/,}{s,}bin/fdisk rPx,
/{usr/,}bin/upower rPx,
/{usr/,}{s,}bin/hdparm rPx,
/{usr/,}{s,}bin/smartctl rPx,
/{usr/,}bin/sensors rPx,
/{usr/,}bin/lsblk rPx,
/{usr/,}bin/dmesg rPx,
/{usr/,}bin/hciconfig rPx,
/{usr/,}bin/uptime rPx,
/{usr/,}{s,}bin/rfkill rPx,
/{usr/,}{s,}bin/biosdecode rPx,
/{usr/,}{s,}bin/dmidecode rPx,
/{usr/,}bin/edid-decode rPx,
/{usr/,}bin/cpupower rPx,
/{usr/,}bin/acpi rPx,
/{usr/,}bin/lspci rPx,
/{usr/,}bin/lscpu rPx,
/{usr/,}bin/lsusb rPx,
/{usr/,}bin/usb-devices rPx,
/{usr/,}{s,}bin/hwinfo rPx,
/{usr/,}bin/glxinfo rPx,
/{usr/,}{s,}bin/i2cdetect rPx,
/{usr/,}bin/glxgears rPx,
/{usr/,}{s,}bin/memtester rPx,
/{usr/,}bin/xrandr rPx,
/{usr/,}bin/inxi rPx,
/{usr/,}bin/aplay rPx,
/{usr/,}bin/amixer rPx,
/{usr/,}bin/xdpyinfo rPx,
/{usr/,}bin/df rPx,
/{usr/,}bin/cpuid rPx,
/{usr/,}bin/xinput rPx,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/find rCx -> find,
/{usr/,}bin/journalctl rCx -> journalctl,
/{usr/,}bin/systemd-analyze rCx -> systemd-analyze,
/{usr/,}bin/killall rCx -> killall,
/{usr/,}bin/udevadm rCx -> udevadm,
/{usr/,}bin/kmod rCx -> kmod,
/{usr/,}{s,}bin/iw rCx -> netconfig,
/{usr/,}{s,}bin/ifconfig rCx -> netconfig,
/{usr/,}{s,}bin/iwconfig rCx -> netconfig,
/{usr/,}{s,}bin/ethtool rCx -> netconfig,
/{usr/,}bin/curl rCx -> curl,
owner /root/HW_PROBE/{,**} rw,
owner /tmp/*/ rw,
owner /tmp/*/cpu_perf rw,
/var/log/Xorg.[0-9].log{,.old} r,
/etc/X11/xorg.conf.d/{,*.conf} r,
/usr/share/X11/xorg.conf.d/{,*.conf} r,
/etc/modprobe.d/{,*.conf} r,
@{sys}/class/drm/ r,
@{sys}/class/power_supply/ r,
@{sys}/devices/virtual/dmi/id/* r,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]/*/edid r,
@{sys}/devices/**/power_supply/*/uevent r,
@{sys}/firmware/efi/efivars/ r,
@{sys}/firmware/efi/efivars/* r,
@{PROC}/scsi/scsi r,
@{PROC}/ioports r,
@{PROC}/interrupts r,
@{PROC}/bus/input/devices r,
profile find {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability dac_read_search,
/{usr/,}bin/find mr,
/dev/{,**} r,
/root/ r,
}
profile journalctl {
include <abstractions/base>
/{usr/,}bin/journalctl mr,
@{run}/log/ rw,
/{run,var}/log/journal/ rw,
/{run,var}/log/journal/[0-9a-f]*/ rw,
/{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
/{run,var}/log/journal/[0-9a-f]*/system.journal* rw,
/{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
owner @{PROC}/@{pid}/stat r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
}
profile systemd-analyze {
include <abstractions/base>
/{usr/,}bin/systemd-analyze mr,
owner @{PROC}/@{pid}/stat r,
}
profile killall {
include <abstractions/base>
capability sys_ptrace,
signal (send) set=(int, term, kill),
ptrace (read),
/{usr/,}bin/killall mr,
# The /proc/ dir is needed to avoid the following error:
# /proc: Permission denied
@{PROC}/ r,
@{PROC}/@{pids}/stat r,
}
profile udevadm {
include <abstractions/base>
/{usr/,}bin/udevadm mr,
/etc/udev/udev.conf r,
owner @{PROC}/@{pid}/stat r,
@{PROC}/cmdline r,
@{PROC}/1/sched r,
@{PROC}/1/environ r,
@{PROC}/sys/kernel/osrelease r,
@{sys}/bus/ r,
@{sys}/bus/*/devices/ r,
@{sys}/class/ r,
@{sys}/class/*/ r,
@{sys}/devices/**/uevent r,
@{run}/udev/data/* r,
}
profile kmod {
include <abstractions/base>
/{usr/,}bin/kmod mr,
@{PROC}/cmdline r,
@{PROC}/modules r,
@{sys}/module/*/ r,
@{sys}/module/*/{coresize,refcnt} r,
@{sys}/module/*/holders/ r,
}
profile netconfig {
include <abstractions/base>
# Not needed
deny capability net_admin,
deny capability net_raw,
network inet dgram,
network inet6 dgram,
network ipx dgram,
network ax25 dgram,
network appletalk dgram,
network netlink raw,
/{usr/,}{s,}bin/iw mr,
/{usr/,}{s,}bin/ifconfig mr,
/{usr/,}{s,}bin/iwconfig mr,
/{usr/,}{s,}bin/ethtool mr,
owner @{PROC}/@{pid}/net/if_inet6 r,
owner @{PROC}/@{pid}/net/dev r,
}
profile curl {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
/{usr/,}bin/curl mr,
}
include if exists <local/hw-probe>
}
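Review bot: The `journalctl` child grants `rw` on `@{run}/log/` and on every journal file under `/{run,var}/log/journal/`, yet hw-probe only collects log output; `r` on those paths would stop a misbehaving helper from altering or truncating journal files (unless it is invoked with a flushing or vacuuming option, which this section does not show). The `curl` child carries no `network` rule of its own, so the report upload only works if `abstractions/nameservice-strict` supplies `network inet stream`; if it does not, the transition fails closed and that should be confirmed on a test run. The `find` child combines `capability dac_read_search` with `/dev/{,**} r` and `/root/ r`, which is plausible for device enumeration but deserves a one-line comment naming what it scans.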


@ -0,0 +1,116 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/hwinfo
profile hwinfo @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
# Without the sys_admin CAP, some information, for instance the reserved I/O port address range
# in the /proc/ioports, will be hidden.
capability sys_admin,
# For the kernel log entries to be shown in the output
capability syslog,
# To remove the following errors:
# eth0: socket failed: Operation not permitted
capability net_raw,
# Needed when passed disk related options (--block, --partition, --floppy)
capability sys_rawio,
network inet dgram,
network inet6 dgram,
network packet raw,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/kmod rCx -> kmod,
/{usr/,}bin/udevadm rCx -> udevadm,
/{usr/,}{s,}bin/dmraid rPUx,
@{PROC}/version r,
@{PROC}/cmdline r,
@{PROC}/dma r,
@{PROC}/interrupts r,
@{PROC}/modules r,
@{PROC}/tty/driver/serial r,
@{PROC}/ioports r,
@{PROC}/bus/input/devices r,
@{PROC}/partitions r,
@{PROC}/driver/nvram r,
@{PROC}/sys/dev/cdrom/info r,
/dev/mem r,
/dev/nvram r,
/dev/psaux r,
/dev/console rw,
/dev/ttyS0 r,
/dev/ttyS1 r,
/dev/fb[0-9] r,
@{sys}/bus/{,**/} r,
@{sys}/class/*/ r,
@{sys}/devices/pci[0-9]*/** r,
@{sys}/devices/**/input/**/dev r,
@{sys}/devices/**/{modalias,uevent} r,
@{sys}/devices/virtual/net/*/{type,carrier,address} r,
@{sys}/firmware/dmi/tables/DMI r,
@{sys}/firmware/dmi/tables/smbios_entry_point r,
@{sys}/firmware/edd/{,**} r,
/var/lib/hardware/udi/ r,
# For a log file
owner /tmp/hwinfo*.txt rw,
profile kmod {
include <abstractions/base>
/{usr/,}bin/kmod mr,
/etc/modprobe.d/{,*.conf} r,
@{PROC}/cmdline r,
# file_inherit
/dev/ttyS0 r,
/dev/ttyS1 r,
owner /tmp/hwinfo*.txt rw,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/ r,
}
profile udevadm {
include <abstractions/base>
/{usr/,}bin/udevadm mr,
/etc/udev/udev.conf r,
owner @{PROC}/@{pid}/stat r,
@{PROC}/cmdline r,
@{PROC}/1/sched r,
@{PROC}/1/environ r,
@{PROC}/sys/kernel/osrelease r,
@{sys}/** r,
@{run}/udev/data/* r,
# file_inherit
owner /tmp/hwinfo*.txt rw,
}
include if exists <local/hwinfo>
}
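Review bot: `/dev/mem r,` is the one high-impact rule in the hwinfo profile that carries no rationale, while every capability above it (`sys_admin`, `syslog`, `net_raw`, `sys_rawio`) has a comment explaining what breaks without it. Read access to /dev/mem exposes physical memory, so the reason it is granted should be recorded on the line above it, e.g. `# Raw physical-memory read; needed for <which hwinfo probe — confirm>`. The `udevadm` child's `@{sys}/** r,` is also much broader than the enumerated sysfs paths in the parent; if a narrower set was tried and failed, a comment saying so would stop the next reviewer from re-tightening it.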


@ -0,0 +1,115 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
# Playlist extensions:
# m3u, m3u8, pls
@{hypnotix_ext} = [mM]3[uU]{,8}
@{hypnotix_ext} += [pP][lL][sS]
@{exec_path} = /{usr/,}bin/hypnotix
@{exec_path} += /{usr/,}lib/hypnotix/hypnotix.py
profile hypnotix @{exec_path} {
include <abstractions/base>
include <abstractions/opencl-intel>
include <abstractions/vulkan>
include <abstractions/audio>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/python>
signal (send) set=(term, kill) peer=youtube-dl,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} rix,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver,
/{usr/,}bin/youtube-dl rPx,
/{usr/,}lib/firefox/firefox rPx,
# Which files hypnotix should be able to open
/ r,
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
owner /{home,media}/**.@{hypnotix_ext} r,
# To be able to store settings
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/hypnotix/{,**} r,
owner @{HOME}/.hypnotix/ rw,
owner @{HOME}/.hypnotix/** rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
deny owner @{PROC}/@{pid}/cmdline r,
@{sys}/devices/pci[0-9]*/**/drm/ r,
/dev/ r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/vdpau_wrapper.cfg r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Silencer
/{usr/,}lib/hypnotix/** w,
profile xdg-screensaver {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/xdg-screensaver mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/xset rix,
/{usr/,}bin/xautolock rix,
/{usr/,}bin/dbus-send rix,
owner @{HOME}/.Xauthority r,
# file_inherit
/dev/dri/card[0-9]* rw,
network inet stream,
network inet6 stream,
}
include if exists <local/hypnotix>
}
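Review bot: The rule under `# Silencer`, `/{usr/,}lib/hypnotix/** w,`, grants write access to the program's own install tree instead of silencing a denial, and `@{exec_path}` includes `/{usr/,}lib/hypnotix/hypnotix.py` from that same tree, which the profile runs with `rix`. If the goal is only to quiet audit noise, make it a deny: `deny /{usr/,}lib/hypnotix/** w,`. As written, a hypnotix process with sufficient DAC permission could modify code that this profile then executes under itself, which defeats the confinement.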


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/i2cdetect
profile i2cdetect @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/i2cdetect>
}


@ -0,0 +1,37 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/i3lock
profile i3lock @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/nameservice-strict>
include <abstractions/authentication>
include <abstractions/wutmp>
network netlink raw,
@{exec_path} mr,
/usr/sbin/unix_chkpwd rPx,
owner @{HOME}/.Xauthority r,
# For background image.
owner @{HOME}/*.png r,
owner @{HOME}/*/*.png r,
# When using also i3lock-fancy.
owner /tmp/tmp.*.png r,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/i3lock>
}


@ -0,0 +1,71 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/i3lock-fancy
profile i3lock-fancy @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/fc-match rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/env rix,
/{usr/,}bin/i3lock rPx,
/{usr/,}bin/xrandr rPx,
/{usr/,}bin/convert-im6.q16 rCx -> imagemagic,
/{usr/,}bin/import-im6.q16 rCx -> imagemagic,
/{usr/,}bin/scrot rCx -> imagemagic,
owner /tmp/tmp.*.png rw,
owner /tmp/tmp.* rw,
owner /tmp/sh-thd.* rw,
/usr/share/i3lock-fancy/{,*} r,
# file_inherit
owner /dev/tty[0-9]* rw,
profile imagemagic {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
/{usr/,}bin/convert-im6.q16 mr,
/{usr/,}bin/import-im6.q16 mr,
/{usr/,}bin/scrot mr,
/usr/share/ImageMagick-[0-9]/*.xml r,
/etc/ImageMagick-[0-9]/*.xml r,
owner @{HOME}/.Xauthority r,
/usr/share/i3lock-fancy/**.png r,
# For gray scale (doesn't seem to be required). It produces files like /home/*/PIHFhJ .
deny owner @{HOME}/* rw,
owner /tmp/tmp.*.png rw,
# file_inherit
owner /dev/tty[0-9]* rw,
}
include if exists <local/i3lock-fancy>
}


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/id
profile id @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@{exec_path} mr,
include if exists <local/id>
}


@ -0,0 +1,34 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/ifconfig
profile ifconfig @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# To be able to manage network interfaces.
capability net_admin,
# Needed?
audit deny capability sys_module,
network inet dgram,
network inet6 dgram,
@{exec_path} mr,
@{PROC}/net/dev r,
@{PROC}/net/if_inet6 r,
@{PROC}/@{pid}/net/dev r,
@{PROC}/@{pid}/net/if_inet6 r,
/etc/networks r,
include if exists <local/ifconfig>
}


@ -0,0 +1,86 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/{ifup,ifdown,ifquery}
profile ifup @{exec_path} {
include <abstractions/base>
# To be able to manage network interfaces.
capability net_admin,
# Needed?
audit deny capability sys_module,
network netlink raw,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/ip rix,
/{usr/,}bin/sleep rix,
/{usr/,}{s,}bin/dhclient rPx,
/{usr/,}bin/macchanger rPx,
/{usr/,}bin/run-parts rCx -> run-parts,
/etc/network/interfaces r,
/etc/network/interfaces.d/{,*} r,
@{run}/network/ rw,
@{run}/network/{.,}ifstate* rwk,
@{run}/network/{ifup,ifdown}-*.pid rw,
# For setting a USB modem
owner /dev/ttyUSB[0-9]* rw,
profile run-parts {
include <abstractions/base>
/{usr/,}bin/run-parts mr,
/etc/network/if-down.d/ r,
/etc/network/if-down.d/openvpn rPUx,
/etc/network/if-down.d/wpasupplicant rPUx,
/etc/wpa_supplicant/ifupdown.sh rPUx,
/etc/network/if-post-down.d/ r,
/etc/network/if-post-down.d/bridge rPUx,
/etc/network/if-post-down.d/hostapd rPUx,
/etc/network/if-post-down.d/chrony rPUx,
/etc/hostapd/ifupdown.sh rPUx,
/etc/network/if-post-down.d/ifenslave rPUx,
/etc/network/if-post-down.d/macchanger rPUx,
/etc/macchanger/ifupdown.sh rPUx,
/etc/network/if-post-down.d/wireless-tools rPUx,
/etc/network/if-post-down.d/wpasupplicant rPUx,
/etc/network/if-pre-up.d/ r,
/etc/network/if-pre-up.d/bridge rPUx,
/{usr/,}lib/bridge-utils/ifupdown.sh rPUx,
/etc/network/if-pre-up.d/ethtool rPUx,
/etc/network/if-pre-up.d/hostapd rPUx,
/etc/network/if-pre-up.d/ifenslave rPUx,
/etc/network/if-pre-up.d/macchanger rPUx,
/etc/network/if-pre-up.d/wireless-tools rPUx,
/etc/network/if-pre-up.d/wpasupplicant rPUx,
# For stable-privacy IPv6 addresses
/etc/network/if-pre-up.d/random-secret rPUx,
/etc/network/if-up.d/ r,
/etc/network/if-up.d/ethtool rPUx,
/etc/network/if-up.d/ifenslave rPUx,
/etc/network/if-up.d/chrony rPUx,
/etc/network/if-up.d/openvpn rPUx,
/etc/network/if-up.d/wpasupplicant rPUx,
}
include if exists <local/ifup>
}
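Review bot: Every hook script in the `run-parts` child is executed with `rPUx`, which falls back to unconfined when no matching profile is loaded, and the parent runs with `capability net_admin`; any script dropped into `/etc/network/if-*.d/` therefore runs outside AppArmor entirely unless it has its own profile. That may be the intended trade-off for distro hook scripts, but it is not stated anywhere in the section, so a comment above the first `rPUx` line should say so, e.g. `# Hook scripts run unconfined (PUx) unless they ship their own profile`. A reader comparing this with the `rPx` used for `dhclient` and `macchanger` in the parent would otherwise assume the difference is accidental.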


@ -0,0 +1,65 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /etc/init.d/kexec
profile initd-kexec @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/tput rix,
/{usr/,}bin/echo rix,
/{usr/,}{s,}bin/kexec rPx,
/{usr/,}bin/run-parts rCx -> run-parts,
/{usr/,}bin/systemctl rCx -> systemctl,
/etc/default/kexec r,
@{sys}/kernel/kexec_loaded r,
profile run-parts {
include <abstractions/base>
/{usr/,}bin/run-parts mr,
/etc/default/kexec.d/ r,
}
profile systemctl {
include <abstractions/base>
capability sys_resource,
ptrace (read),
/{usr/,}bin/systemctl mr,
/{usr/,}bin/systemd-tty-ask-password-agent rix,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/1/sched r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
/dev/kmsg w,
owner @{run}/systemd/ask-password/ rw,
owner @{run}/systemd/ask-password-block/* rw,
}
include if exists <local/initd-kexec>
}
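Review bot: The `systemctl` child profile here is repeated almost verbatim in the initd-kexec-load and initd-kmod sections that follow, and the three copies have already drifted: the kexec-load copy adds `include <abstractions/wutmp>`, and the kmod copy lacks the `@{PROC}/sys/kernel/osrelease r,`, `@{PROC}/1/{sched,environ} r,`, `@{PROC}/cmdline r,` and `/dev/kmsg w,` rules the other two carry. Moving the common rules into one include file that each child pulls in would keep them in step and make future tightening a single change. Separately, `ptrace (read),` in each copy is unqualified and so allows reading any process's state; if systemctl only needs its own or PID 1, a `peer=` qualifier would narrow it, though I cannot tell from the page which it needs.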


@ -0,0 +1,80 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /etc/init.d/kexec-load
profile initd-kexec-load @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/awk rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/tail rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/head rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/tput rix,
/{usr/,}{s,}bin/kexec rPx,
/{usr/,}bin/run-parts rCx -> run-parts,
/{usr/,}bin/systemctl rCx -> systemctl,
/no-kexec-reboot rw,
/etc/default/kexec r,
@{sys}/kernel/kexec_loaded r,
owner /boot/grub/{grub.cfg,grubenv} r,
@{PROC}/cmdline r,
profile run-parts {
include <abstractions/base>
/{usr/,}bin/run-parts mr,
/etc/default/kexec.d/ r,
}
profile systemctl {
include <abstractions/base>
include <abstractions/wutmp>
capability sys_resource,
ptrace (read),
/{usr/,}bin/systemctl mr,
/{usr/,}bin/systemd-tty-ask-password-agent rix,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/1/sched r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
/dev/kmsg w,
owner @{run}/systemd/ask-password/ rw,
owner @{run}/systemd/ask-password-block/* rw,
}
include if exists <local/initd-kexec-load>
}


@ -0,0 +1,60 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /etc/init.d/kmod
profile initd-kmod @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/tput rix,
/{usr/,}bin/id rix,
/{usr/,}bin/echo rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/kmod rPx,
/{usr/,}bin/run-parts rCx -> run-parts,
/{usr/,}bin/systemctl rCx -> systemctl,
/etc/modules-load.d/*.conf r,
/etc/modules r,
profile run-parts {
include <abstractions/base>
/{usr/,}bin/run-parts mr,
/etc/modules-load.d/ r,
}
profile systemctl {
include <abstractions/base>
capability sys_resource,
ptrace (read),
/{usr/,}bin/systemctl mr,
/{usr/,}bin/systemd-tty-ask-password-agent rix,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/fd/ r,
owner @{run}/systemd/ask-password/ rw,
owner @{run}/systemd/ask-password-block/* rw,
}
include if exists <local/initd-kmod>
}


@ -0,0 +1,30 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/install-info
profile install-info @{exec_path} {
include <abstractions/base>
capability dac_read_search,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gzip rix,
/usr/share/info/{,**} r,
/usr/share/info/dir rw,
/dev/tty rw,
# Inherit silencer
deny network inet6 stream,
deny network inet stream,
include if exists <local/install-info>
}


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/install-printerdriver
@{exec_path} += /usr/share/system-config-printer/install-printerdriver.py
profile install-printerdriver @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/python>
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/python3.[0-9]* r,
/usr/share/system-config-printer/{,**} r,
include if exists <local/install-printerdriver>
}
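Review bot: `flags=(complain)` on the `profile install-printerdriver` line means every violation is logged but still allowed, so this profile provides no enforcement as shipped. None of the neighbouring profiles in this commit use complain mode, so a comment above the profile line should record why this one does and what is outstanding before it can be switched to enforce, e.g. `# complain: <reason — TODO before enforce>`. Without that, the flag looks like a leftover from development rather than a decision.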


@ -0,0 +1,172 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/inxi
profile inxi @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/perl>
include <abstractions/openssl>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/zsh rix,
/{usr/,}bin/tty rix,
/{usr/,}bin/tput rix,
/{usr/,}bin/getconf rix,
/{usr/,}bin/file rix,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/ip rCx -> ip,
/{usr/,}lib/systemd/systemd rCx -> systemd,
/{usr/,}bin/kmod rCx -> kmod,
/{usr/,}bin/udevadm rCx -> udevadm,
/{usr/,}bin/systemctl rPx -> child-systemctl,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
/{usr/,}bin/compton rPx,
/{usr/,}bin/xrandr rPx,
/{usr/,}bin/glxinfo rPx,
/{usr/,}bin/lspci rPx,
/{usr/,}bin/lsusb rPx,
/{usr/,}bin/lsblk rPx,
/{usr/,}bin/sensors rPx,
/{usr/,}bin/uptime rPx,
/{usr/,}{s,}bin/dmidecode rPx,
/{usr/,}bin/xdpyinfo rPx,
/{usr/,}bin/who rPx,
/{usr/,}bin/xprop rPx,
/{usr/,}bin/df rPx,
/{usr/,}{s,}bin/blockdev rPx,
/{usr/,}bin/dig rPx,
/{usr/,}bin/ps rPx,
/{usr/,}bin/sudo rPx,
/{usr/,}bin/openbox rPx,
/{usr/,}bin/xset rPx,
/{usr/,}{s,}bin/smartctl rPx,
/{usr/,}{s,}bin/hddtemp rPx,
/etc/ r,
/etc/inxi.conf r,
/etc/issue r,
/etc/magic r,
/etc/apt/sources.list r,
/etc/apt/sources.list.d/{,*.list} r,
/var/log/ r,
/var/log/Xorg.[0-9]*.log r,
/home/ r,
@{user_share_dirs}/xorg/ r,
@{user_share_dirs}/xorg/Xorg.[0-9]*.log r,
# For shell pwd
/root/ r,
@{run}/ r,
@{PROC}/asound/ r,
@{PROC}/asound/version r,
@{PROC}/sys/kernel/hostname r,
@{PROC}/swaps r,
@{PROC}/partitions r,
@{PROC}/scsi/scsi r,
@{PROC}/cmdline r,
@{PROC}/version r,
@{PROC}/sys/vm/swappiness r,
@{PROC}/sys/vm/vfs_cache_pressure r,
@{PROC}/sys/dev/cdrom/info r,
@{PROC}/1/comm r,
/dev/ r,
/dev/mapper/ r,
/dev/disk/*/ r,
/dev/dm-[0-9]* r,
@{sys}/class/power_supply/ r,
@{sys}/class/net/ r,
@{sys}/firmware/acpi/tables/ r,
@{sys}/bus/usb/devices/ r,
@{sys}/devices/{,**} r,
@{sys}/module/*/version r,
@{sys}/power/wakeup_count r,
profile ip {
include <abstractions/base>
network netlink raw,
/{usr/,}bin/ip mr,
@{sys}/devices/pci[0-9]*/**/net/*/{duplex,address,speed,operstate} r,
/etc/iproute2/group r,
}
profile systemd {
include <abstractions/base>
/{usr/,}lib/systemd/systemd mr,
/etc/systemd/user.conf r,
owner @{PROC}/@{pid}/stat r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/kernel/threads-max r,
@{PROC}/1/cgroup r,
}
profile udevadm {
include <abstractions/base>
/{usr/,}bin/udevadm mr,
/etc/udev/udev.conf r,
owner @{PROC}/@{pid}/stat r,
@{PROC}/cmdline r,
@{PROC}/1/sched r,
@{PROC}/1/environ r,
@{PROC}/sys/kernel/osrelease r,
@{sys}/devices/pci[0-9]*/**/block/**/uevent r,
@{run}/udev/data/b* r,
}
profile kmod {
include <abstractions/base>
/{usr/,}bin/kmod mr,
@{PROC}/cmdline r,
@{PROC}/modules r,
}
include if exists <local/inxi>
}
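Review bot: `/{usr/,}bin/sudo rPx,` lets a confined inxi launch sudo, which is a privilege boundary, and nothing in the section says which inxi feature requires it. The neighbouring `rpx` on `dpkg-query` has a comment explaining its unusual exec mode, and sudo deserves the same treatment, e.g. `# For <inxi option> — runs a helper as root; confirm still needed`. If the feature is rarely used it may be better placed in `local/inxi` than in the default rule set, but that is a judgement the author is better placed to make.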


@ -0,0 +1,48 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ioping
profile ioping @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
# For pinging other users files as root.
capability dac_read_search,
capability dac_override,
@{exec_path} mr,
owner @{PROC}/@{pid}/mountinfo r,
# The RW set on dirs means that the dirs can be pinged, which is safe write operation. In the
# case of files, this write operation can damage files, so we allow only to read the files. When
# pinging dirs, a file similar to "#1573619" is created in that dir, so it's allowed as well.
/ rw,
/#[0-9]*[0-9] rw,
/**/ rw,
/**/#[0-9]*[0-9] rw,
# Allow pinging files, but without write operation. Like in the case of dirs, when pinging dirs
# there's also created the file similar to "#1573619" .
/usr/** r,
/lib/** r,
/bin/* r,
/sbin/* r,
/etc/** r,
/boot/** r,
/opt/** r,
/var/** r,
@{MOUNTS}/** r,
/tmp/** r,
/home/** r,
# This was created when ioping was used on an external SD card.
/**/ioping.tmp.* w,
include if exists <local/ioping>
}


@ -0,0 +1,40 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/iotop
profile iotop @{exec_path} {
include <abstractions/base>
include <abstractions/python>
include <abstractions/nameservice-strict>
# Needed?
audit deny capability net_admin,
# To set processes' priorities
capability sys_nice,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/file rix,
/{usr/,}{s,}bin/ r,
@{PROC}/ r,
@{PROC}/vmstat r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/task/ r,
@{PROC}/sys/kernel/pid_max r,
# For file
/etc/magic r,
include if exists <local/iotop>
}


@ -0,0 +1,48 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
# When "ip netns" is issued, the following error will be printed:
# "Failed name lookup - disconnected path" error=-13 profile="ip" name="".
@{exec_path} = /{usr/,}bin/ip
profile ip @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
# To be able to manage network interfaces.
capability net_admin,
# Needed?
#capability sys_admin,
audit deny capability sys_module,
network netlink raw,
@{exec_path} mrix,
mount options=(rw, rshared) -> /{var/,}run/netns/,
mount options=(rw, rslave) -> /,
mount options=(rw, bind) / -> /{var/,}run/netns/*,
mount options=(rw, bind) /etc/netns/firefox/resolv.conf -> /etc/resolv.conf,
mount fstype=sysfs -> /sys/,
umount @{run}/netns/*,
umount /sys/,
/etc/iproute2/{,**} r,
/ r,
owner @{run}/netns/ rw,
@{run}/netns/* rw,
/etc/netns/*/ r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/net/dev_mcast r,
owner @{PROC}/@{pid}/net/igmp{,6} r,
owner @{PROC}/sys/net/ipv{4,6}/route/flush w,
include if exists <local/ip>
}
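Review bot: `mount options=(rw, bind) /etc/netns/firefox/resolv.conf -> /etc/resolv.conf,` hard-codes one namespace name, while the read rule two lines below, `/etc/netns/*/ r,`, is generic; per ip-netns(8) `ip netns exec` bind-mounts the files under `/etc/netns/<name>/` over `/etc/`, so this profile will only work for a namespace called `firefox` and deny the same operation for any other name. Either generalise it, e.g. `mount options=(rw, bind) /etc/netns/*/resolv.conf -> /etc/resolv.conf,`, or add a comment stating that the profile is deliberately limited to that one namespace. The `@{run}/netns/* rw,` rule without `owner` is also worth a comment, since the adjacent directory rule does carry `owner`.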


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ipcalc
profile ipcalc @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
include if exists <local/ipcalc>
}


@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/iw
profile iw @{exec_path} {
include <abstractions/base>
# To be able to manage network interfaces.
capability net_admin,
# Needed?
audit deny capability sys_module,
network netlink raw,
@{exec_path} mr,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/iw>
}


@ -0,0 +1,29 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/iwconfig
profile iwconfig @{exec_path} {
include <abstractions/base>
# To be able to manage network interfaces.
capability net_admin,
# Needed?
audit deny capability sys_module,
network inet dgram,
network inet6 dgram,
@{exec_path} mr,
@{PROC}/net/wireless r,
owner @{PROC}/@{pid}/net/wireless r,
owner @{PROC}/@{pid}/net/dev r,
include if exists <local/iwconfig>
}


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/iwlist
profile iwlist @{exec_path} {
include <abstractions/base>
# To be able to manage network interfaces.
capability net_admin,
@{exec_path} mr,
@{PROC}/net/wireless r,
owner @{PROC}/@{pid}/net/dev r,
include if exists <local/iwlist>
}


@ -0,0 +1,63 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/jami-gnome
profile jami-gnome @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
network netlink raw,
@{exec_path} mr,
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/jami-gnome/ rw,
owner @{HOME}/.cache/jami-gnome/** rw,
owner @{HOME}/.local/share/jami/ rw,
owner @{HOME}/.local/share/jami/** rwkl -> @{HOME}/.local/share/jami/,
owner @{HOME}/.config/autostart/jami-gnome.desktop w,
owner @{HOME}/.local/share/ r,
owner @{HOME}/.local/share/webkitgtk/deviceidhashsalts/1/ r,
owner @{HOME}/.local/share/webkitgtk/databases/indexeddb/v0 w,
owner @{HOME}/.local/share/webkitgtk/databases/indexeddb/v1/ w,
/{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix,
/{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/ring/{,**} r,
/usr/share/sounds/jami-gnome/{,**} r,
owner @{PROC}/@{pid}/statm r,
owner @{PROC}/@{pid}/smaps r,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/zoneinfo r,
@{sys}/firmware/acpi/pm_profile r,
@{sys}/devices/virtual/dmi/id/chassis_type r,
@{sys}/fs/cgroup/** r,
include if exists <local/jami-gnome>
}
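Review bot: The jami-gnome profile spells out `@{HOME}/.cache/`, `@{HOME}/.local/share/` and `@{HOME}/.config/` literally, whereas the other profiles in this commit (inxi, jgmenu) use the `@{user_cache_dirs}`, `@{user_share_dirs}` and `@{user_config_dirs}` tunables, which also follow XDG overrides. For example `owner @{HOME}/.cache/jami-gnome/ rw,` would become `owner @{user_cache_dirs}/jami-gnome/ rw,`. The write rule on `@{HOME}/.config/autostart/jami-gnome.desktop` creates a login-time persistence entry; it is presumably the app's own "start on login" option, but a one-line comment saying so would make the grant reviewable.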


@ -0,0 +1,126 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{JD_INSTALLDIR} = /home/*/jd2
@{exec_path} = @{JD_INSTALLDIR}/*JDownloader*
profile jdownloader @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/user-download-strict>
include <abstractions/nameservice-strict>
include <abstractions/deny-root-dir-access>
@{exec_path} rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/expr rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/find rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/ffmpeg rPx,
# These are needed when the above tools are in some nonstandard locations
#/{usr/,}bin/which{,.debianutils} rix,
#/usr/ r,
#/usr/local/ r,
#/{usr/,}bin/ r,
#/{usr/,}lib/ r,
deny /opt/ r,
owner @{HOME}/ r,
owner @{JD_INSTALLDIR}/ rw,
owner @{JD_INSTALLDIR}/** rwk,
owner @{JD_INSTALLDIR}/jre/bin/java rix,
owner @{JD_INSTALLDIR}/jre/lib/*/jli/libjli.so mrw,
owner @{JD_INSTALLDIR}/jre/lib/*/server/libjvm.so mrw,
owner @{JD_INSTALLDIR}/jre/lib/*/*.so mrw,
owner @{JD_INSTALLDIR}/tmp/jna/jna[0-9]*.tmp mrw,
owner @{JD_INSTALLDIR}/tmp/7zip/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw,
owner @{HOME}/.oracle_jre_usage/[0-9a-f]*.timestamp rw,
owner @{HOME}/.java/.userPrefs/.user.lock.* rwk,
owner @{HOME}/.java/.userPrefs/com/install4j/installations/prefs.xml rw,
owner @{HOME}/.java/fonts/[0-9]*/ rw,
owner @{HOME}/.java/fonts/[0-9]*/fcinfo*.tmp rw,
owner @{HOME}/.java/fonts/[0-9]*/fcinfo-*.properties rw,
owner @{HOME}/.install4j rw,
owner /tmp/hsperfdata_*/ rw,
owner /tmp/hsperfdata_*/@{pid} rw,
# If the @{JD_INSTALLDIR}/tmp/ dir can't be accessed, the /tmp/ dir will be used instead
owner /tmp/SevenZipJBinding-*/ rw,
owner /tmp/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw,
# For auto updates
owner /tmp/lastChanceSrc[0-9]*lch rw,
owner /tmp/lastChanceDst[0-9]*.jar rw,
owner /tmp/i4j_log_jd2_[0-9]*.log rw,
owner /tmp/install4jError[0-9]*.log rw,
owner @{HOME}/.Xauthority r,
# What's this for?
deny owner @{HOME}/.mozilla/firefox/ r,
deny owner @{HOME}/.mozilla/firefox/*.default/prefs.js r,
owner @{PROC}/@{pid}/fd/ r,
deny @{PROC}/@{pid}/net/ipv6_route r,
deny @{PROC}/@{pid}/net/if_inet6 r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny owner @{PROC}/@{pid}/cmdline r,
deny @{PROC}/asound/version r,
# For Reconnect -> Share Settings/Get Route
#/{usr/,}bin/netstat rix,
#/{usr/,}{s,}bin/route rix,
#/{usr/,}bin/ping rix,
#/{usr/,}bin/ip rix,
#@{PROC}/@{pid}/net/route r,
# To open a web browser for CAPTCHA
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/jdownloader>
}
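Review bot: `include <abstractions/freedesktop.org>` appears twice at the top of the jdownloader profile (second and fifth include lines); one of them should be dropped. The `mrw` rules on `@{JD_INSTALLDIR}/jre/lib/*/*.so` and the `jna[0-9]*.tmp` files, together with `rix` on `@{exec_path}` inside a tree that is already `rwk`, mean the process can rewrite and then map or execute its own code; that is inherent to a self-updating application, but the profile should say so above those rules, e.g. `# JD updates its own install dir, so write+map on these files cannot be separated`. The `open` child's `rPUx` on firefox also silently falls back to unconfined if no firefox profile is loaded, which is worth a note alongside the `# Allowed apps to open` comment.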


@ -0,0 +1,104 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{JD_INSTALLDIR} = /home/*/jd2
@{JD_SH_PATH} = /home/*/@{XDG_DOWNLOAD_DIR}
@{JD_SH_PATH} += /home/*/@{XDG_DESKTOP_DIR}
@{exec_path} = @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh
profile jdownloader-install @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/nameservice-strict>
include <abstractions/deny-root-dir-access>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/expr rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/tail rix,
/{usr/,}bin/gunzip rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/df rix,
/{usr/,}bin/nohup rix,
# Check for old JD installations
deny /opt/ r,
owner @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh.[0-9]*.dir/ rw,
owner @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh.[0-9]*.dir/** rwk,
owner @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh.[0-9]*.dir/jre/bin/unpack200 rix,
owner @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh.[0-9]*.dir/jre/bin/java rix,
owner @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh.[0-9]*.dir/jre/lib/*/jli/libjli.so mrw,
owner @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh.[0-9]*.dir/jre/lib/*/server/libjvm.so mrw,
owner @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh.[0-9]*.dir/jre/lib/*/*.so mrw,
owner @{JD_SH_PATH}/install4jError[0-9]*.log rw,
owner @{HOME}/.oracle_jre_usage/[0-9a-f]*.timestamp rw,
owner @{HOME}/.java/.userPrefs/.user.lock.* rwk,
owner @{HOME}/.java/fonts/[0-9]*/fcinfo*.tmp rw,
owner @{HOME}/.java/fonts/[0-9]*/fcinfo-*.properties rw,
owner @{HOME}/.java/.userPrefs/com/install4j/installations/prefs.tmp rw,
owner @{HOME}/.java/.userPrefs/com/install4j/installations/prefs.xml rw,
owner @{HOME}/.install4j rw,
# While creating the desktop icon
owner @{user_share_dirs}/applications/i4j[0-9]*.tmp rw,
owner @{user_share_dirs}/applications/JDownloader*.desktop rw,
/tmp/ r,
owner /tmp/_jdinstall/ rw,
owner /tmp/JD2Setup_{x86,x64}.sh.[0-9]*.dir/ rw,
owner /tmp/JD2Setup_{x86,x64}.sh.[0-9]*.dir/sfx_archive.tar.gz rw,
owner /tmp/hsperfdata_*/ rw,
owner /tmp/hsperfdata_*/@{pid} rw,
owner /tmp/appwork[0-9]*[0-9] rw,
owner /tmp/i4j*.log rw,
owner /tmp/i4j*.sh rw,
owner /tmp/i4*.tmp rw,
owner /tmp/imageio[0-9]*.tmp rw,
owner /tmp/install4jError[0-9]*.log rw,
owner @{HOME}/.Xauthority r,
owner @{PROC}/@{pid}/fd/ r,
deny @{PROC}/@{pid}/net/ipv6_route r,
deny @{PROC}/@{pid}/net/if_inet6 r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
# What's this for?
deny owner @{HOME}/.mozilla/firefox/ r,
deny owner @{HOME}/.mozilla/firefox/*.default/prefs.js r,
# Needed when installing JD
/ r,
/home/ r,
owner @{HOME}/ r,
owner @{JD_INSTALLDIR}/ rw,
owner @{JD_INSTALLDIR}/** rw,
deny owner @{JD_INSTALLDIR}/jre/bin/java rx,
deny owner @{JD_INSTALLDIR}/jre/lib/*/jli/libjli.so m,
deny owner @{JD_INSTALLDIR}/jre/lib/*/server/libjvm.so m,
deny owner @{JD_INSTALLDIR}/jre/lib/*/*.so m,
deny owner @{JD_INSTALLDIR}/JDownloader2 rx,
include if exists <local/jdownloader-install>
}


@ -0,0 +1,33 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
@{JEKYLL_DIR}=@{HOME}/morfikov.github.io
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/jekyll
profile jekyll @{exec_path} {
include <abstractions/base>
include <abstractions/ruby>
include <abstractions/nameservice-strict>
include <abstractions/deny-root-dir-access>
@{exec_path} r,
/{usr/,}bin/ruby2.[0-9]* r,
/usr/share/rubygems-integration/** r,
/usr/share/ruby-addressable/unicode.data r,
# Jekyll dir
owner @{JEKYLL_DIR}/{,**} r,
owner @{JEKYLL_DIR}/_site/{,**} rw,
owner @{JEKYLL_DIR}/.sass-cache/** rw,
@{PROC}/version r,
include if exists <local/jekyll>
}
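Review bot: `@{JEKYLL_DIR}=@{HOME}/morfikov.github.io` ties the profile to one author's site, so any other user running jekyll on a different directory gets denials on the `# Jekyll dir` rules. A pattern that covers the general case, for example `@{JEKYLL_DIR} = @{HOME}/*.github.io` or a broader project-directory glob, would make the profile usable as shipped; which pattern is right depends on how the author expects users to lay out sites. The variable is also defined before `abi <abi/3.0>,` and `include <tunables/global>`, unlike every other profile in this commit where variables follow the include; moving it below the include keeps the files consistent and avoids referencing `@{HOME}` before the tunable that defines it is pulled in.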


@ -0,0 +1,59 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/jgmenu{,_run}
profile jgmenu @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/deny-root-dir-access>
include <abstractions/app-launcher-user>
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/zsh rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/find rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/cat rix,
/{usr/,}lib/jgmenu/jgmenu-* rix,
owner @{HOME}/ r,
owner @{HOME}/.jgmenu-lockfile rwk,
owner @{user_config_dirs}/tint2/* r,
owner @{user_config_dirs}/jgmenu/ rw,
owner @{user_config_dirs}/jgmenu/** rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/jgmenu/ rw,
owner @{user_cache_dirs}/jgmenu/** rw,
owner @{HOME}/.Xauthority r,
owner @{PROC}/@{pid}/loginuid r,
# For zsh shell
/etc/zsh/zshenv r,
# For missing apps icon and desktop files
/usr/share/**.png r,
/usr/share/**.desktop r,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/jgmenu>
}


@ -0,0 +1,53 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/jmtpfs
profile jmtpfs @{exec_path} {
include <abstractions/base>
include <abstractions/devices-usb>
network netlink raw,
@{exec_path} mr,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
# Mount points
owner @{HOME}/*/ r,
owner @{HOME}/*/*/ r,
mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/,
mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/,
/etc/magic r,
/dev/fuse rw,
profile fusermount {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To mount anything:
capability sys_admin,
/{usr/,}bin/fusermount{,3} mr,
mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/,
mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/,
/etc/fuse.conf r,
/dev/fuse rw,
@{PROC}/@{pid}/mounts r,
}
include if exists <local/jmtpfs>
}
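Review bot: The two `mount fstype={fuse,fuse.jmtpfs}` rules in the parent profile (under `# Mount points`) are unreachable as written: mount(2) also needs `capability sys_admin`, which only the `fusermount` child grants, and the child's comment says the helper is what performs the mount. Unless jmtpfs mounts on its own on some systems, the parent's mount rules can be dropped so the only mount-capable domain is the setuid helper. Conversely the child has no `umount` rule, so `fusermount -u` of the same mountpoints would presumably be denied; `umount @{HOME}/*/,` and `umount @{HOME}/*/*/,` would cover it if unmounting goes through the same helper, which is worth confirming against a denial log.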


@ -0,0 +1,120 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/kanyremote
profile kanyremote @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/X>
include <abstractions/nameservice-strict>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/user-download-strict>
include <abstractions/python>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/deny-root-dir-access>
network inet stream,
network inet6 stream,
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/ r,
/{usr/,}bin/rm rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/id rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/head rix,
/{usr/,}bin/find rix,
/{usr/,}bin/anyremote rPx,
/{usr/,}bin/ps rPx,
/{usr/,}bin/killall rCx -> killall,
/{usr/,}bin/pgrep rCx -> pgrep,
/{usr/,}bin/pacmd rPUx,
/{usr/,}bin/pactl rPUx,
# Players
/{usr/,}bin/smplayer rPUx,
/{usr/,}bin/amarok rPUx,
/{usr/,}bin/vlc rPUx,
/{usr/,}bin/mpv rPUx,
/{usr/,}bin/strawberry rPUx,
owner @{HOME}/ r,
owner @{HOME}/.anyRemote/{,*} rw,
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
/usr/share/anyremote/{,**} r,
deny owner @{PROC}/@{pid}/cmdline r,
deny @{PROC}/sys/kernel/random/boot_id r,
/dev/shm/#[0-9]*[0-9] rw,
/usr/share/hwdata/pnp.ids r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Doc dirs
deny /usr/local/share/ r,
deny /usr/share/ r,
deny /usr/share/doc/ r,
/usr/share/doc/anyremote{,-data}/ r,
profile killall {
include <abstractions/base>
include <abstractions/consoles>
capability sys_ptrace,
signal (send) set=(int, term, kill),
ptrace (read),
/{usr/,}bin/killall mr,
# The /proc/ dir is needed to avoid the following error:
# /proc: Permission denied
@{PROC}/ r,
@{PROC}/@{pids}/stat r,
}
profile pgrep {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/pgrep mr,
# The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.
@{PROC}/ r,
@{PROC}/@{pids}/cmdline r,
deny @{PROC}/sys/kernel/osrelease r,
/usr/share/anyremote/{,**} r,
}
include if exists <local/kanyremote>
}
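Review bot: The player launches (`/{usr/,}bin/smplayer`, `amarok`, `vlc`, `mpv`, `strawberry`, plus `pacmd`/`pactl`) use `rPUx`, so on a system with no profile for the target the child runs fully unconfined rather than staying inside any boundary. Where this repository ships a profile for the player, `rPx` keeps the confinement; `PUx` is only a sensible default for binaries no profile exists for. The `killall` child also grants `signal (send) set=(int, term, kill)` and `ptrace (read)` with no `peer=` restriction, which is broader than the player processes it is presumably meant to stop — a `peer=` list of those profiles would narrow it if they are the only targets.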


@ -0,0 +1,26 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/libexec/kcheckpass
profile kcheckpass @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/authentication>
include <abstractions/wutmp>
signal (receive) peer=kscreenlocker-greet,
@{exec_path} mr,
/{usr/,}{s,}bin/unix_chkpwd rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
include if exists <local/kcheckpass>
}
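Review bot: `include <abstractions/wutmp>` brings write access to the login-record files with it (per the upstream abstraction), while kcheckpass only verifies a password and delegates to `/{usr/,}{s,}bin/unix_chkpwd rPx`; nothing in this profile suggests it updates wtmp/btmp/lastlog itself. If the include was added to silence a PAM read denial, a read-only rule such as `/var/log/lastlog r,` is narrower and keeps a password-checking helper from being able to alter audit records — confirm against the audit log before enforcing.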


@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/kconfig-hardened-check
profile kconfig-hardened-check @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
# The usual kernel config locations
/boot/config-* r,
@{PROC}/config.gz r,
# This is for kernels, which are built manually
/**/.config r,
include if exists <local/kconfig-hardened-check>
}
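Review bot: `/**/.config r` under the `# This is for kernels, which are built manually` comment matches every path component named `.config` anywhere on the filesystem with no `owner` qualifier, so it also grants listing of every user's `~/.config/` directory to a script whose only job is reading a kernel config. The two intended sources are visible just above it, so narrowing to where kernel trees actually live — e.g. `owner @{user_build_dirs}/**/.config r,` and `/usr/src/**/.config r,` — keeps the read surface to kernel source trees; the `@{user_build_dirs}` tunable is already used by the kmod profile in this commit.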


@ -0,0 +1,137 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{KP_DB} = @{HOME}/keepass-baza
@{exec_path} = /{usr/,}bin/keepassxc
profile keepassxc @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/qt5-compose-cache-write>
include <abstractions/dri-enumerate>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
include <abstractions/qt5-settings-write>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/devices-usb>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
@{exec_path} mrix,
/usr/share/keepassxc/{,**} r,
owner @{user_config_dirs}/keepassxc/ rw,
owner @{user_config_dirs}/keepassxc/* rwkl -> @{user_config_dirs}/keepassxc/#[0-9]*[0-9],
owner @{user_cache_dirs}/keepassxc/ rw,
owner @{user_cache_dirs}/keepassxc/* rwkl -> @{user_cache_dirs}/keepassxc/#[0-9]*[0-9],
# Database location
/ r,
/home/ r,
owner @{HOME}/ r,
owner @{KP_DB}/ r,
owner @{KP_DB}/#[0-9]*[0-9] rw,
owner @{KP_DB}/*.kdbx* rwl -> @{KP_DB}/#[0-9]*[0-9],
#For export to a CSV file
owner @{KP_DB}/*.csv rw,
# For SSH keys
owner @{HOME}/@{XDG_SSH_DIR}/ r,
owner @{HOME}/@{XDG_SSH_DIR}/* r,
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
owner /tmp/keepassxc-*.lock{,.rmlock} rwk,
owner /tmp/keepassxc-*.socket rw,
# When $USER is not set
owner /tmp/keepassxc.lock rw,
owner /tmp/keepassxc.socket rw,
owner /tmp/.[a-zA-Z]*/{,s} rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/*.*.gpgkey rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/*.*.settings rwl -> /tmp/#[0-9]*[0-9],
deny @{PROC}/sys/kernel/random/boot_id r,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pids}/comm r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
/dev/shm/#[0-9]*[0-9] rw,
# For browser integration
owner @{user_config_dirs}/google-chrome{,-beta,-unstable}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
owner @{user_config_dirs}/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
owner @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
owner @{HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rw,
owner @{run}/user/@{uid}/.[a-zA-Z]*/{,s} rw,
owner @{run}/user/@{uid}/kpxc_server rw,
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/usr/share/hwdata/pnp.ids r,
/{usr/,}bin/xdg-open rCx -> open,
# file_inherit
owner /dev/tty[0-9]* rw,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
/{usr/,}bin/geany rPUx,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
/{usr/,}bin/geany rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/keepassxc>
}
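Review bot: Both the main profile and the `open` child transition to the browser and editor with `rPUx` (`/{usr/,}lib/firefox/firefox rPUx`, `/{usr/,}bin/geany rPUx`), so if no profile is loaded for them a link opened from the password manager runs unconfined with whatever environment it inherited. `rPx` for the targets this repository ships profiles for preserves the boundary. The SSH-agent integration also reads every file under `owner @{HOME}/@{XDG_SSH_DIR}/* r`, private keys included, which is inherent to the feature but deserves a comment saying so; and `@{KP_DB} = @{HOME}/keepass-baza` is a personal path defined outside the profile body, so users cannot repoint it from `local/keepassxc` and will see denials on any other database directory.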


@ -0,0 +1,17 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/keepassxc-cli
profile keepassxc-cli @{exec_path} {
include <abstractions/base>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
include if exists <local/keepassxc-cli>
}
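Review bot: This profile grants nothing beyond executing the binary, so as shipped `keepassxc-cli` cannot open any `.kdbx` file, read a key file, or use the terminal it prompts on (no `abstractions/consoles`), which means every real invocation is denied until `local/keepassxc-cli` is populated. If that is a deliberate empty placeholder a comment saying so would stop users from reporting the denials as bugs; otherwise `include <abstractions/consoles>` plus `owner @{HOME}/**.kdbx rw,` (or the `@{KP_DB}` location the GUI profile uses) is the minimal useful set.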


@ -0,0 +1,46 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/keepassxc-proxy
profile keepassxc-proxy @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/deny-root-dir-access>
signal (receive) set=(term, kill),
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
# file_inherit
deny owner @{run}/user/@{uid}/.[a-zA-Z]*/{,s} rw,
deny owner @{run}/user/@{uid}/kpxc_server rw,
deny /dev/shm/org.chromium.* rw,
deny owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* rw,
#
deny owner @{HOME}/.mozilla/** rw,
deny owner @{user_cache_dirs}/mozilla/** rw,
deny owner @{MOUNTS}/*/.mozilla/** rw,
deny owner /tmp/firefox*/.parentlock rw,
deny owner /tmp/tmp-*.xpi rw,
deny owner /tmp/tmpaddon r,
deny owner @{user_config_dirs}/google-chrome/** rw,
deny owner @{user_config_dirs}/chromium/** rw,
#
/usr/share/icons/*/index.theme r,
#
owner @{HOME}/.xsession-errors w,
/dev/dri/renderD128 rw,
include if exists <local/keepassxc-proxy>
}
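Review bot: `/dev/dri/renderD128 rw` at the end of the profile hands a native-messaging proxy, whose job is relaying stdio to a unix socket, read-write access to a GPU render node, and the index is hard-coded to one device. It sits after the `# file_inherit` section and is presumably another descriptor inherited from the browser, in which case `deny /dev/dri/renderD[0-9]* rw,` alongside the other `deny owner` file_inherit entries silences the log without granting the access. The `network inet`/`inet6` `stream` and `dgram` rules deserve the same question — nothing here shows the proxy opening sockets itself, so a comment on what triggered them (or their removal) would help the next reviewer.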


@ -0,0 +1,69 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/kernel-install
profile kernel-install @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mountpoint rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/chown rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/kmod rCx -> kmod,
/{usr/,}lib/kernel/install.d/ r,
/{usr/,}lib/kernel/install.d/[0-9][0-9]-*.install rix,
/etc/kernel/install.d/ r,
/etc/kernel/install.d/*.install rix,
owner /tmp/sh-thd.* rw,
owner /boot/{vmlinuz,initrd.img}-* r,
owner /boot/[a-f0-9]*/*/ rw,
owner /boot/[a-f0-9]*/*/{linux,initrd} w,
owner /boot/loader/ rw,
owner /boot/loader/entries/ rw,
owner /boot/loader/entries/*.conf w,
/{usr/,}lib/modules/*/modules.* w,
/etc/os-release r,
/{usr/,}lib/os-release r,
/etc/kernel/tries r,
/etc/kernel/cmdline r,
@{PROC}/cmdline r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
profile kmod flags=(complain) {
include <abstractions/base>
/{usr/,}bin/kmod mr,
#@{PROC}/cmdline r,
#@{PROC}/modules r,
}
include if exists <local/kernel-install>
}
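Review bot: The `kmod` child profile at the bottom is an empty stub (both of its rules are commented out) that duplicates the standalone `kmod` profile added in this same commit, which already carries `capability sys_module`, `/{usr/,}lib/modules/*/modules.* rw` and the depmod paths. Changing `/{usr/,}bin/kmod rCx -> kmod,` to `/{usr/,}bin/kmod rPx -> kmod,` and dropping the stub reuses the maintained rule set instead of a second copy that will drift; with the whole profile in `complain` mode the stub is currently only logging anyway. Note also that `/{usr/,}lib/modules/*/modules.* w` in the parent grants write without read, which only makes sense if depmod is the sole reader — worth confirming with the audit log before enforcing.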


@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/kerneloops
profile kerneloops @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability syslog,
@{exec_path} mr,
# Config file
/etc/kerneloops.conf r,
# File to scan for kernel OOPSes
/var/log/kern.log r,
# When found a kernel OOPS make a tmp file and fill it with the OOPS message
/tmp/kerneloops.* rw,
include if exists <local/kerneloops>
}
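Review bot: `/tmp/kerneloops.* rw` lets a root daemon open and write a predictably named file in a world-writable directory with no `owner` qualifier, so a local user can pre-create `/tmp/kerneloops.foo` (or a symlink by that name) and the profile will still permit the daemon to write through it. Whether that is exploitable depends on how kerneloops creates the file (mkstemp with O_EXCL would be safe, a plain open would not), but AppArmor can remove the question at no cost: `owner /tmp/kerneloops.* rw,` restricts the daemon to files it created itself. The applet profile in this commit reads the same files as the user, so the non-owner rule belongs there, read-only, rather than here.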


@ -0,0 +1,34 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/kerneloops-applet
profile kerneloops-applet @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
/usr/share/kerneloops/{,**} r,
owner @{HOME}/.kerneloops rw,
owner @{HOME}/.Xauthority r,
owner /tmp/xauth-[0-9]*-_[0-9] r,
# When found a kernel OOPS make a tmp file and fill it with the OOPS message
/tmp/kerneloops.* rw,
# Fonts
/usr/share/poppler/cMap/Adobe-Japan2/ r,
include if exists <local/kerneloops-applet>
}
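Review bot: `/tmp/kerneloops.* rw` gives the per-user applet write access to any file of that name in `/tmp`, including ones created by root's kerneloops daemon or by other users, while the comment above it says the applet consumes the OOPS message. If the applet never writes these files, `/tmp/kerneloops.* r,` is the right rule; if it does, an `owner`-qualified `rw` for its own files plus a plain `r` for the daemon's keeps it from modifying another principal's file. Either way the current rule is broader than the stated purpose.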


@ -0,0 +1,29 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/kexec
profile kexec @{exec_path} flags=(complain) {
include <abstractions/base>
capability sys_boot,
@{exec_path} mr,
owner /boot/{initrd.img,vmlinuz}-* r,
@{sys}/firmware/memmap/ r,
@{sys}/firmware/memmap/[0-9]*/{start,end,type} r,
@{sys}/kernel/boot_params/data r,
@{PROC}/cmdline r,
owner @{PROC}/@{pid}/mounts r,
/dev/fb[0-9] r,
include if exists <local/kexec>
}


@ -0,0 +1,63 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/{kmod,lsmod}
@{exec_path} += /{usr/,}{s,}bin/{depmod,insmod,lsmod,rmmod,modinfo,modprobe}
profile kmod @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
# To load/unload kernel modules
# modprobe: ERROR: could not insert '*': Operation not permitted
#
# modprobe: ERROR: ../libkmod/libkmod-module.c:799 kmod_module_remove_module() could not remove
# '*': Operation not permitted
capability sys_module,
# For error logs to go through the syslog mechanism (as LOG_DAEMON with level LOG_NOTICE) rather
# than to standard error.
capability syslog,
# Needed for static-nodes
capability dac_override,
unix (receive) type=stream,
@{exec_path} mr,
/{usr/,}lib/modprobe.d/{,*.conf} r,
/etc/modprobe.d/{,*.conf} r,
/etc/depmod.d/{,**} r,
/{usr/,}lib/modules/*/modules.* rw,
/var/lib/dkms/**/module/*.ko r,
/usr/src/*/*.ko r,
@{sys}/module/{,**} r,
@{PROC}/cmdline r,
@{PROC}/modules r,
# Initframs
owner /tmp/mkinitcpio.*/{,**} rw,
#owner @{PROC}/@{pid}/fd/1 w,
# For local kernel build
owner /tmp/depmod.*/lib/modules/*/ r,
owner /tmp/depmod.*/lib/modules/*/modules.* rw,
owner @{user_build_dirs}/**/System.map r,
owner @{user_build_dirs}/**/debian/*/lib/modules/*/ r,
owner @{user_build_dirs}/**/debian/*/lib/modules/*/modules.* rw,
owner @{user_build_dirs}/**/debian/*/lib/modules/*/kernel/{,**/} r,
owner @{user_build_dirs}/**/debian/*/lib/modules/*/kernel/**/*.ko r,
include if exists <local/kmod>
}
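Review bot: `capability dac_override` is granted to the whole kmod family (modprobe, insmod, depmod and friends share this profile via the two `@{exec_path}` lines) on the strength of a one-line `# Needed for static-nodes` comment, yet the profile contains no path rule for whatever `kmod static-nodes` writes. DAC override is a blanket bypass of file-mode checks, so it is worth re-checking whether a specific path allowance for the output file static-nodes is invoked with removes the denial instead; if the capability really is required, the comment should name the denied path so the grant can be re-evaluated later. Separately, `/usr/src/*/*.ko r` and the `owner @{user_build_dirs}/**/*.ko r` lines read like depmod rules, but the same profile holds `capability sys_module`, so a root invocation could insmod a module from those trees — probably intended for local builds, but it deserves stating in a comment.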


@ -0,0 +1,94 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/kodi /{usr/,}lib/@{multiarch}/kodi/kodi.bin
profile kodi @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/vulkan>
include <abstractions/audio>
include <abstractions/dri-enumerate>
include <abstractions/nameservice-strict>
include <abstractions/mesa>
include <abstractions/python>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
/{usr/,}lib/@{multiarch}/kodi/kodi.bin mrix,
/{usr/,}lib/@{multiarch}/kodi/kodi-xrandr rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/find rix,
/{usr/,}bin/date rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/dirname rix,
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/df rCx -> df,
/usr/share/kodi/{,**} r,
owner @{HOME}/.kodi/ rw,
owner @{HOME}/.kodi/** rwk,
owner @{HOME}/core w,
owner @{HOME}/kodi_crashlog-[0-9]*_[0-9]*.log w,
owner @{HOME}/.icons/default/index.theme r,
/usr/share/publicsuffix/* r,
/usr/share/icons/*/index.theme r,
/etc/mime.types r,
/etc/timezone r,
/etc/fstab r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/@{pid}/net/dev r,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/@{pid}/net/route r,
@{sys}/**/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{bDeviceClass,idProduct,idVendor} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{bDeviceClass,idProduct,idVendor} r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/temp r,
@{run}/udev/data/* r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
profile df {
include <abstractions/base>
/{usr/,}bin/df mr,
owner @{PROC}/@{pid}/mountinfo r,
# file_inherit
/usr/share/kodi/** r,
/sys/devices/virtual/thermal/thermal_zone[0-9]*/temp r,
/sys/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
/home/morfik/.kodi/temp/kodi.log w,
}
include if exists <local/kodi>
}
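Review bot: The `df` child profile hard-codes one user's home, `/home/morfik/.kodi/temp/kodi.log w`, so on every other system the inherited log descriptor is denied at the transition; the line is a leftover from the author's machine. The kodi-xrandr profile in this commit already spells the same file as `owner @{HOME}/.kodi/temp/kodi.log w` — use that here, and the two `/sys/...` lines beside it should use `@{sys}` like the rest of the file. `@{sys}/**/ r` in the parent also allows listing every directory under sysfs, far wider than the specific device, node and thermal paths enumerated right after it; if those were derived from denials, the catch-all is likely unnecessary.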


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/kodi/kodi-xrandr
profile kodi-xrandr @{exec_path} {
include <abstractions/base>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
owner @{HOME}/.Xauthority r,
# file_inherit
@{sys}/devices/virtual/thermal/thermal_zone0/temp r,
@{sys}/devices/system/cpu/cpufreq/policy0/scaling_cur_freq r,
owner @{HOME}/.kodi/temp/kodi.log w,
include if exists <local/kodi-xrandr>
}
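Review bot: The two `# file_inherit` sysfs lines pin the inherited descriptors to `thermal_zone0` and `policy0`, while the parent kodi profile in this commit opens them as `thermal_zone[0-9]*/temp` and `policy[0-9]*/scaling_cur_freq`, so on a machine where kodi opened a different zone or policy the transition into kodi-xrandr will log a denial. Matching the parent's globs — `@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/temp r,` and `@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,` — keeps the two profiles consistent; since xrandr itself has no use for either file, `deny` variants would be an equally valid way to quiet the log without granting the read.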


@ -0,0 +1,77 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/libexec/kscreenlocker_greet
profile kscreenlocker-greet @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-shader-cache>
include <abstractions/nameservice-strict>
include <abstractions/deny-root-dir-access>
signal (send) peer=kcheckpass,
@{exec_path} mr,
/{usr/,}lib/@{multiarch}/libexec/kcheckpass rPx,
/usr/share/plasma/** r,
/usr/share/wallpapers/Path/contents/images/*.{jpg,png} r,
# List of graphical sessions
/usr/share/xsessions/{,*.desktop} r,
/usr/share/wayland-sessions/{,*.desktop} r,
owner @{HOME}/.Xauthority r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kscreenlockerrc r,
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/plasma-svgelements-default_v* r,
# If one is blocked, the others are probed.
deny owner @{HOME}/#[0-9]*[0-9] mrw,
owner @{HOME}/.glvnd* mrw,
# owner /tmp/#[0-9]*[0-9] mrw,
# owner /tmp/.glvnd* mrw,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/mounts r,
@{PROC}/sys/kernel/core_pattern r,
/etc/fstab r,
/usr/share/hwdata/pnp.ids r,
# Audio player covers
owner /tmp/*-cover-*.{jpg,png} r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# file_inherit
owner @{HOME}/.xsession-errors w,
include if exists <local/kscreenlocker-greet>
}
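Review bot: `@{PROC}/@{pid}/cmdline r` and `@{PROC}/@{pid}/mounts r` carry no `owner` qualifier, so the lock-screen greeter may read the command line (which can carry secrets passed as arguments) and mount table of every process on the system rather than only its own — kwalletd5 in this same commit uses `owner @{PROC}/@{pid}/cmdline r`. Prefix both with `owner` unless a denial shows the greeter inspecting foreign processes. `/usr/share/wallpapers/Path/contents/images/*.{jpg,png} r` is also tied to one wallpaper theme name, where `/usr/share/wallpapers/*/contents/images/*.{jpg,png} r,` is the generic form. Finally, `owner @{HOME}/.glvnd* mrw` grants map-as-executable on a writable file in the user's home to the process that gates session unlock; a comment on why the commented-out `/tmp` variants were rejected would help whoever revisits it.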


@ -0,0 +1,47 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/kvm-ok
profile kvm-ok @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/id rix,
/{usr/,}bin/kmod rCx -> kmod,
/{usr/,}{s,}bin/rdmsr rPx,
#/proc/cpuinfo r,
#/dev/kvm r,
#/dev/cpu/[0-9]*/msr r,
# For shell pwd
/root/ r,
profile kmod {
include <abstractions/base>
/{usr/,}bin/kmod mr,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
/{usr/,}lib/modprobe.d/ r,
/{usr/,}lib/modprobe.d/*.conf r,
@{PROC}/cmdline r,
}
include if exists <local/kvm-ok>
}
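Review bot: The `kmod` child profile only permits reading the modprobe configuration and `@{PROC}/cmdline`; it has neither `capability sys_module` nor `@{PROC}/modules r`, so if kvm-ok loads the msr module before calling `/{usr/,}{s,}bin/rdmsr rPx` (it runs as root and reads MSRs, per the commented `/dev/cpu/[0-9]*/msr` line) that load would be denied inside this child. The standalone `kmod` profile in this commit already covers that, so `/{usr/,}bin/kmod rPx -> kmod,` would replace the stub — the same observation applies to the kernel-install profile. The commented-out `/dev/kvm` and `/dev/cpu/[0-9]*/msr` lines should state whether they are unneeded (an existence check does not require read) or pending, so they are not re-added blindly.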


@ -0,0 +1,79 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/kwalletd5
profile kwalletd5 @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/qt5-compose-cache-write>
include <abstractions/wayland>
include <abstractions/dri-enumerate>
include <abstractions/nameservice-strict>
include <abstractions/audio>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
/{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
owner @{user_config_dirs}/kwalletrc r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_share_dirs}/kwalletd/ rw,
owner @{user_share_dirs}/kwalletd/#[0-9]*[0-9] rw,
owner @{user_share_dirs}/kwalletd/*.salt rw,
owner @{user_share_dirs}/kwalletd/*.kwl rw,
owner @{user_share_dirs}/kwalletd/*.kwl.* rwl -> @{user_share_dirs}/kwalletd/#[0-9]*[0-9],
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/dev/shm/#[0-9]*[0-9] rw,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sys/kernel/core_pattern r,
owner /tmp/kwalletd5.* rw,
/usr/share/hwdata/pnp.ids r,
# For GPG encrypted wallets
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg,
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpg mr,
/{usr/,}bin/gpgsm mr,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
}
include if exists <local/kwalletd5>
}
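Review bot: The `gpg` child profile grants only the three binaries and `owner @{HOME}/@{XDG_GPG_DIR}/**`, yet GnuPG 2 performs private-key operations through gpg-agent over a socket (under the keyring directory or `@{run}/user/@{uid}/gnupg/`) and will try to spawn `gpg-agent` when none is running; neither a socket rule nor an exec rule for the agent is present, so decrypting a GPG-backed wallet may fail until they are added — confirm with a GPG wallet before enforcing. Separately, `@{PROC}/sys/kernel/random/boot_id r` is allowed here while kanyremote, keepassxc and kwalletmanager5 in this commit `deny` it; pick one policy for the Qt boot_id probe and apply it consistently.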


@ -0,0 +1,75 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/kwalletmanager5
profile kwalletmanager5 @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/audio>
include <abstractions/user-download-strict>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/mesa>
include <abstractions/dri-enumerate>
include <abstractions/nameservice-strict>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
/{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
/{usr/,}lib/@{multiarch}/qt5/plugins/kf5/FrameworkIntegrationPlugin.so mr,
/{usr/,}lib/@{multiarch}/qt5/plugins/phonon_platform/kde.so mr,
/{usr/,}lib/@{multiarch}/qt5/plugins/phonon4qt5_backend/phonon_vlc.so mr,
/usr/share/kxmlgui5/kwalletmanager5/kwalletmanager.rc r,
owner @{user_config_dirs}/#[0-9]*[0-9] rw,
owner @{user_config_dirs}/kwalletrc rw,
owner @{user_config_dirs}/kwalletrc.lock rwk,
owner @{user_config_dirs}/kwalletrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
owner @{user_config_dirs}/kwalletmanager5rc rw,
owner @{user_config_dirs}/kwalletmanager5rc.lock rwk,
owner @{user_config_dirs}/kwalletmanager5rc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
owner @{user_config_dirs}/session/#[0-9]*[0-9] rw,
owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#[0-9]*[0-9],
owner @{user_config_dirs}/session/kwalletmanager5_*.lock rwk,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
deny owner @{PROC}/@{pid}/cmdline r,
@{PROC}/sys/kernel/core_pattern r,
deny @{PROC}/sys/kernel/random/boot_id r,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/mounts r,
/etc/fstab r,
/etc/xdg/ui/ui_standards.rc r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/usr/share/hwdata/pnp.ids r,
/dev/shm/ r,
/dev/shm/#[0-9]*[0-9] rw,
owner /tmp/xauth-[0-9]*-_[0-9] r,
include if exists <local/kwalletmanager5>
}
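Review bot: `@{PROC}/@{pid}/mountinfo r` and `@{PROC}/@{pid}/mounts r` lack `owner`, so the wallet manager can read the mount namespace of any process, whereas keepassxc in this same commit scopes the identical rules as `owner @{PROC}/@{pid}/mountinfo r` and `owner @{PROC}/@{pid}/mounts r`. The storage probing only needs the process's own view, so add `owner` to both. `/dev/shm/ r` (listing of shared memory) is likewise broader than the `#[0-9]*[0-9]` anonymous-file rule below it and is absent from the kwalletd5 profile; if it came from a single denial, a comment on which code path needed it would help.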


@ -0,0 +1,74 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/labwc
profile labwc @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/wayland>
include <abstractions/vulkan>
include <abstractions/consoles>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/devices-usb>
include <abstractions/deny-root-dir-access>
network netlink raw,
@{exec_path} mr,
# Apps allowed to run
/{usr/,}{s,}bin/* rPUx,
/{usr/,}bin/* rPUx,
@{libexec}/* rPUx,
owner @{user_config_dirs}/labwc/ r,
owner @{user_config_dirs}/labwc/* r,
/usr/share/libinput/ r,
/usr/share/libinput/*.quirks r,
/usr/share/themes/**/themerc r,
/usr/share/X11/xkb/** r,
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
@{sys}/class/drm/ r,
@{sys}/class/input/ r,
@{sys}/devices/pci[0-9]*/**/boot_vga r,
@{sys}/devices/**/uevent r,
@{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
@{run}/udev/data/+platform* r, # for ?
@{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs
@{run}/udev/data/+acpi* r, # for ?
@{run}/udev/data/+hid* r, # for HID-Compliant Keyboard
@{run}/udev/data/+pci* r, # for VGA compatible controller
@{run}/udev/data/+sound:card* r, # for sound
@{run}/udev/data/+serio* r, # for touchpad?
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
@{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
@{run}/systemd/sessions/[0-9]* r,
@{run}/systemd/seats/seat[0-9]* r,
@{run}/user/@{uid}/wayland-[0-9].lock k,
owner @{PROC}/@{pid}/fd/ r,
owner /tmp/.X[0-9]*-lock rw,
owner /tmp/.X11-unix/ rw,
owner /tmp/.X11-unix/X[0-9]* rw,
include if exists <local/labwc>
}
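Review bot: `/{usr/,}{s,}bin/* rPUx`, `/{usr/,}bin/* rPUx` and `@{libexec}/* rPUx` let the compositor launch anything on the system, unconfined whenever no profile exists — unavoidable for a window manager, but the jgmenu profile in this commit expresses the same intent with `include <abstractions/app-launcher-user>`, and using the abstraction here keeps the launch policy in one place (check that its paths cover `@{libexec}` before switching). `@{run}/user/@{uid}/wayland-[0-9].lock k` is also missing `owner` and allows only a single-digit display number; `owner @{run}/user/@{uid}/wayland-[0-9]*.lock k,` matches what the compositor itself creates.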


@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/last{,b}
profile last @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>
# For the --dns flag
network inet dgram,
network inet6 dgram,
network netlink raw,
@{exec_path} mr,
@{PROC}/@{pids}/loginuid r,
include if exists <local/last>
}
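Review bot: `include <abstractions/wutmp>` grants write permission on wtmp/btmp/lastlog (per the upstream abstraction), but `last`/`lastb` only read those records — nothing in this profile writes anything. Replacing the include with `/var/log/{w,b}tmp r,` keeps a read-only reporting tool from being able to rewrite login history if compromised; the same observation applies to the kcheckpass profile in this commit. `@{PROC}/@{pids}/loginuid r` reads every process's loginuid rather than the tool's own — if that came from a denial, a comment on which code path needs it would help.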


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/lastlog
profile lastlog @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
network netlink raw,
@{exec_path} mr,
/var/log/lastlog r,
/etc/login.defs r,
include if exists <local/lastlog>
}


@ -0,0 +1,31 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019 krathalan https://git.sr.ht/~krathalan/apparmor-profiles/
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-3.0-only
# Version of less profiled: 563
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/less
profile less @{exec_path} {
include <abstractions/base>
include <abstractions/bash>
# less can be used to view protected files
capability dac_read_search,
capability dac_override,
@{exec_path} mr,
/{,**} r,
# Source highlighting
/usr/bin/{bash,dash} mrix,
/usr/bin/source-highlight mrix,
/usr/bin/src-hilite-lesspipe.sh mrix,
# Silence unnecessary permissions
deny /{,**} w,
}
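Review bot: `deny /{,**} w` subtracts write permission from every path, including the pseudo-terminal `less` was started on; AppArmor revalidates inherited descriptors on the unconfined-to-confined transition and replaces unpermitted ones, so unless something here exempts the tty this rule would leave less unable to draw — and it is redundant anyway, since no rule in the profile grants write. Drop the deny (or confine it to a narrower glob) and verify in a terminal before enforcing. `capability dac_override` is likewise more than a read-only pager needs: `dac_read_search` alone covers reading protected files, while override also bypasses the write checks the deny was trying to take back. The profile also lacks the `include if exists <local/less>` drop-in every other profile in this commit ends with, and uses `/usr/bin/...` instead of the `/{usr/,}bin/...` convention.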


@ -0,0 +1,15 @@
#
# This profile is for the domain whose UUID matches this file.
#
include <tunables/global>
profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
include <abstractions/libvirt-lxc>
# Globally allows everything to run under this profile
# These can be narrowed depending on the container's use.
file,
capability,
network,
}


@ -0,0 +1,9 @@
#
# This profile is for the domain whose UUID matches this file.
#
include <tunables/global>
profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
include <abstractions/libvirt-qemu>
}


@ -0,0 +1,38 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/light
profile light @{exec_path} {
include <abstractions/base>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
# When started as root
/etc/light/ rw,
/etc/light/**/ rw,
/etc/light/targets/sysfs/backlight/auto/save rw,
owner @{user_config_dirs}/light/ rw,
owner @{user_config_dirs}/light/** rw,
@{sys}/class/backlight/ r,
@{sys}/class/leds/ r,
@{sys}/devices/pci[0-9]*/**/drm/**/intel_backlight/{,max_}brightness r,
@{sys}/devices/pci[0-9]*/**/drm/**/intel_backlight/brightness rw,
@{sys}/devices/pci[0-9]*/**/backlight/*/{,max_}brightness r,
@{sys}/devices/pci[0-9]*/**/backlight/*/brightness rw,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
include if exists <local/light>
}


@ -0,0 +1,49 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/light-locker
profile light-locker @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/wayland>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
@{PROC}/1/cgroup r,
owner @{PROC}/@{pid}/cgroup r,
# when locking the screen and switching/closing sessions
@{run}/systemd/sessions/[0-9]* r,
# To silecne the following error:
# dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied.
# dconf will not work properly.
##include <abstractions/dconf>
#owner @{run}/user/@{uid}/dconf/ w,
#owner @{run}/user/@{uid}/dconf/user rw,
include <abstractions/deny-dconf>
@{sys}/devices/pci[0-9]*/**/uevent r,
@{sys}/devices/pci[0-9]*/**/vendor r,
@{sys}/devices/pci[0-9]*/**/device r,
@{sys}/devices/pci[0-9]*/**/subsystem_vendor r,
@{sys}/devices/pci[0-9]*/**/subsystem_device r,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/light-locker>
}

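--- a/PATH-NOT-SHOWN-ON-PAGE/light-locker-command
+++ b/PATH-NOT-SHOWN-ON-PAGE/light-locker-command
@@ -0,0 +1,17 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2017-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}bin/light-locker-command
+profile light-locker-command @{exec_path} {
+include <abstractions/base>
+include <abstractions/deny-root-dir-access>
+@{exec_path} mr,
+include if exists <local/light-locker-command>
+}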
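--- a/PATH-NOT-SHOWN-ON-PAGE/lightdm
+++ b/PATH-NOT-SHOWN-ON-PAGE/lightdm
@@ -0,0 +1,122 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2017-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}{s,}bin/lightdm
+profile lightdm @{exec_path} {
+include <abstractions/base>
+include <abstractions/X>
+include <abstractions/fonts>
+include <abstractions/fontconfig-cache-read>
+include <abstractions/freedesktop.org>
+include <abstractions/nameservice-strict>
+include <abstractions/authentication>
+include <abstractions/wutmp>
+# To remove the following errors:
+# lightdm[]: Could not chown user data directory /var/lib/lightdm/data/lightdm: Error setting
+# owner: Operation not permitted
+capability chown,
+capability fowner,
+capability fsetid,
+# To remove the following errors:
+# write(2, "Failed to initialize supplementary groups for lightdm:
+# Operation not permitted\n", 79) = 79
+capability setgid,
+# To remove the following errors:
+# write(1, "Bail out! ERROR:privileges.c:30:privileges_drop: assertion failed:
+# (setresuid (uid, uid, -1) == 0)\n", 99) = 99
+capability setuid,
+# To remove the following errors:
+# lightdm[]: Could not enumerate user data directory /var/lib/lightdm/data: Error opening
+# directory '/var/lib/lightdm/data': Permission denied
+capability dac_read_search,
+# To remove the following errors:
+# Error using VT_ACTIVATE 7 on /dev/tty0: Operation not permitted
+capability sys_tty_config,
+# To be able to kill the X-server
+capability kill,
+# To remove the following errors:
+# pam_limits(su-l:session): Could not set limit for 'nofile' to soft=1024, hard=1048576:
+# Operation not permitted; uid=1000,euid=0
+# pam_limits(su-l:session): Could not set limit for 'memlock' to soft=1017930240,
+# hard=1017930240: Operation not permitted; uid=1000,euid=0
+capability sys_resource,
+# Needed?
+capability audit_write,
+deny capability sys_nice,
+deny capability net_admin,
+signal (send) set=(term, kill, usr1),
+signal (receive) set=(usr1) peer=xorg,
+@{exec_path} mrix,
+/{usr/,}bin/plymouth mrix,
+/{usr/,}bin/Xorg rPx,
+/{usr/,}{s,}bin/lightdm-gtk-greeter rPx,
+/{usr/,}bin/startx rPx,
+/etc/X11/Xsession rPUx,
+/{usr/,}bin/gnome-keyring-daemon rPUx,
+/{usr/,}bin/rm rix,
+# LightDM files
+/usr/share/lightdm/{,**} r,
+/usr/share/xgreeters/{,**} r,
+/var/lib/lightdm/{,**} rw,
+# List of graphical sessions
+# The X sessions are covered by abstractions/X
+/usr/share/wayland-sessions/{,*.desktop} r,
+/tmp/.X[0-9]*-lock r,
+# LightDM config files
+/etc/lightdm/{,**} r,
+# LightDM logs
+/var/log/lightdm/{,**} rw,
+@{run}/lightdm/{,**} rw,
+@{run}/lightdm.pid rw,
+@{PROC}/1/limits r,
+/etc/security/limits.d/ r,
+owner @{PROC}/@{pid}/uid_map r,
+owner @{PROC}/@{pid}/loginuid rw,
+owner @{PROC}/@{pid}/fd/ r,
+@{PROC}/cmdline r,
+/etc/environment r,
+/etc/default/locale r,
+/dev/tty[0-9]* r,
+# Xsession logs
+owner @{HOME}/.xsession-errors{,.old} rw,
+owner @{HOME}/.Xauthority rw,
+owner @{HOME}/.dmrc* rw,
+/var/cache/lightdm/dmrc/*.dmrc* rw,
+/{usr/,}lib/at-spi2-core/at-spi-bus-launcher rPUx,
+@{libexec}/at-spi-bus-launcher rPUx,
+include if exists <local/lightdm>
+}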
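--- a/PATH-NOT-SHOWN-ON-PAGE/lightdm-gtk-greeter
+++ b/PATH-NOT-SHOWN-ON-PAGE/lightdm-gtk-greeter
@@ -0,0 +1,78 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2017-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}{s,}bin/lightdm-gtk-greeter
+profile lightdm-gtk-greeter @{exec_path} {
+include <abstractions/base>
+include <abstractions/X>
+include <abstractions/fonts>
+include <abstractions/fontconfig-cache-read>
+include <abstractions/freedesktop.org>
+include <abstractions/dri-enumerate>
+include <abstractions/nameservice-strict>
+signal (receive) set=(term, kill) peer=lightdm,
+@{exec_path} mr,
+/{usr/,}bin/locale rix,
+/{usr/,}lib/systemd/systemd rCx -> systemd,
+# LightDM files
+/usr/share/lightdm/{,**} r,
+/var/lib/lightdm/{,**} rw,
+# List of graphical sessions
+# The X sessions are covered by abstractions/X
+/usr/share/wayland-sessions/{,*.desktop} r,
+# Greeter theme
+/var/lib/AccountsService/{,**} r,
+/usr/share/desktop-base/{,**} r,
+# LightDM config files
+/etc/lightdm/{,**} r,
+# LightDM logs
+/var/log/lightdm/{,**} rw,
+owner @{HOME}/.face r,
+owner @{PROC}/@{pid}/fd/ r,
+# For account icons
+@{HOME}/.dmrc r,
+@{HOME}/.face r,
+/{usr/,}lib/at-spi2-core/at-spi-bus-launcher rPUx,
+@{libexec}/at-spi-bus-launcher rPUx,
+profile systemd {
+include <abstractions/base>
+/{usr/,}lib/systemd/systemd mr,
+/etc/systemd/user.conf r,
+owner @{PROC}/@{pid}/stat r,
+@{PROC}/1/environ r,
+@{PROC}/1/sched r,
+@{PROC}/cmdline r,
+@{PROC}/sys/kernel/osrelease r,
+@{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+# file_inherit
+/var/log/lightdm/seat[0-9]*-greeter.log w,
+}
+include if exists <local/lightdm-gtk-greeter>
+}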
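--- a/PATH-NOT-SHOWN-ON-PAGE/lightdm-guest-session
+++ b/PATH-NOT-SHOWN-ON-PAGE/lightdm-guest-session
@@ -0,0 +1,27 @@
+# vim:syntax=apparmor
+# Profile for restricting lightdm guest session
+include <tunables/global>
+/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session {
+# Most applications are confined via the main abstraction
+include <abstractions/lightdm>
+# chromium-browser needs special confinement due to its sandboxing
+include <abstractions/lightdm_chromium-browser>
+# fcitx and friends needs special treatment due to C/S design
+/usr/bin/fcitx ix,
+/tmp/fcitx-socket-* rwl,
+/dev/shm/* rwl,
+/usr/bin/fcitx-qimpanel ix,
+/usr/bin/sogou-qimpanel-watchdog ix,
+/usr/bin/sogou-sys-notify ix,
+/tmp/sogou-qimpanel:* rwl,
+# Allow ibus
+unix (bind, listen) type=stream addr="@tmp/ibus/*",
+# mozc_server needs special treatment due to C/S design
+unix (bind, listen) type=stream addr="@tmp/.mozc.*",
+}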
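--- a/PATH-NOT-SHOWN-ON-PAGE/lightworks
+++ b/PATH-NOT-SHOWN-ON-PAGE/lightworks
@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}bin/lightworks
+profile lightworks @{exec_path} {
+include <abstractions/base>
+include <abstractions/deny-root-dir-access>
+@{exec_path} r,
+/{usr/,}bin/{,ba,da}sh rix,
+/{usr/,}lib/lightworks/ntcardvt rPx,
+/{usr/,}bin/mkdir rix,
+/{usr/,}bin/cat rix,
+/{usr/,}bin/od rix,
+owner @{HOME}/Lightworks/{,**/} w,
+owner @{HOME}/Lightworks/Projects/DefNetDrive.txt w,
+owner @{HOME}/Lightworks/machine.num w,
+include if exists <local/lightworks>
+}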