Add two profile directories to keep each directory smaller.

This commit is contained in:
Alexandre Pujol 2021-09-15 16:55:27 +01:00
parent 6c0ae4ddc1
commit d95a876424
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
521 changed files with 0 additions and 0 deletions


@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/macchanger
profile macchanger @{exec_path} {
include <abstractions/base>
# To be able to set the MAC address:
# [ERROR] Could not change MAC: interface up or insufficient permissions: Operation not permitted
capability net_admin,
network inet dgram,
network inet6 dgram,
@{exec_path} mr,
/usr/share/macchanger/*.list r,
/dev/hwrng r,
include if exists <local/macchanger>
}


@ -0,0 +1,33 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mandb
profile mandb @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@{exec_path} mr,
/etc/man_db.conf r,
/etc/manpath.config r,
/var/cache/man/ r,
/var/cache/man/** rwk,
/usr/share/man/{,**} r,
/usr/local/man/{,**} r,
/usr/{,/share}/man/{,**} r,
/usr/local/{,/share/}/man/{,**} r,
/usr/share/*/man/man[0-9]*/*.[0-9]*.gz r,
include if exists <local/mandb>
}
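Review bot: The rules `/usr/{,/share}/man/{,**} r,` and `/usr/local/{,/share/}/man/{,**} r,` near the end of the profile expand to paths with a doubled slash (`/usr//share/man/`, `/usr/local//share//man/`), so they either never match or, if the parser collapses repeated slashes, largely overlap the `/usr/share/man/{,**} r,` and `/usr/local/man/{,**} r,` rules two lines above them. Either drop them or write the intended alternation once as `/usr/{,local/}{,share/}man/{,**} r,`. The profile also carries `flags=(complain)`, so none of its rules is enforced yet; a one-line comment stating why it stays in complain mode would help whoever later promotes it.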


@ -0,0 +1,51 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
# Video/audio extensions:
# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t
@{mediainfo_ext} = [aA]{52,[aA][cC],[cC]3}
@{mediainfo_ext} += [mM][kK][aA]
@{mediainfo_ext} += [fF][lL][aA][cC]
@{mediainfo_ext} += [mM][pP][123cC]
@{mediainfo_ext} += [oO][gGmM][aA]
@{mediainfo_ext} += [wW]{,[aA]}[vV]
@{mediainfo_ext} += [wW][mM]{,[aA]}
@{mediainfo_ext} += 3[gG]{[2pP],[pP][2pP]}
@{mediainfo_ext} += [aA][sS][fF]
@{mediainfo_ext} += [aA][vV][iI]
@{mediainfo_ext} += [dD][iI][vV][xX]
@{mediainfo_ext} += [mM][124][vV]
@{mediainfo_ext} += [mM][kKoO][vV]
@{mediainfo_ext} += [mM][pP][4aAeEgG]
@{mediainfo_ext} += [mM][pP][eE][gG]{,[124]}
@{mediainfo_ext} += [oO][gG][gGmMxXvV]
@{mediainfo_ext} += [rR][mM]{,[vV][bB]}
@{mediainfo_ext} += [wW][eE][bB][mM]
@{mediainfo_ext} += [wW][mMtT][vV]
@{mediainfo_ext} += [mM][pP]2[tT]
@{exec_path} = /{usr/,}bin/mediainfo
profile mediainfo @{exec_path} {
include <abstractions/base>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
# Which media files mediainfo should be able to open
/ r,
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
owner /{home,media}/**.@{mediainfo_ext} r,
include if exists <local/mediainfo>
}


@ -0,0 +1,88 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
# Video/audio extensions:
# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t
@{mediainfo_ext} = [aA]{52,[aA][cC],[cC]3}
@{mediainfo_ext} += [mM][kK][aA]
@{mediainfo_ext} += [fF][lL][aA][cC]
@{mediainfo_ext} += [mM][pP][123cC]
@{mediainfo_ext} += [oO][gGmM][aA]
@{mediainfo_ext} += [wW]{,[aA]}[vV]
@{mediainfo_ext} += [wW][mM]{,[aA]}
@{mediainfo_ext} += 3[gG]{[2pP],[pP][2pP]}
@{mediainfo_ext} += [aA][sS][fF]
@{mediainfo_ext} += [aA][vV][iI]
@{mediainfo_ext} += [dD][iI][vV][xX]
@{mediainfo_ext} += [mM][124][vV]
@{mediainfo_ext} += [mM][kKoO][vV]
@{mediainfo_ext} += [mM][pP][4aAeEgG]
@{mediainfo_ext} += [mM][pP][eE][gG]{,[124]}
@{mediainfo_ext} += [oO][gG][gGmMxXvV]
@{mediainfo_ext} += [rR][mM]{,[vV][bB]}
@{mediainfo_ext} += [wW][eE][bB][mM]
@{mediainfo_ext} += [wW][mMtT][vV]
@{mediainfo_ext} += [mM][pP]2[tT]
@{exec_path} = /{usr/,}bin/mediainfo-gui
profile mediainfo-gui @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/user-download-strict>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
/{usr/,}bin/xdg-open rCx -> open,
# Which media files mediainfo-gui should be able to open
/ r,
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
owner /{home,media}/**.@{mediainfo_ext} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/mediainfo-gui>
}
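Review bot: In the `open` child profile, `/{usr/,}lib/firefox/firefox rPUx,` falls back to running Firefox unconfined whenever no firefox profile is loaded, whereas the megasync profile in this commit uses `rPx` for the same binary and fails closed. If the fallback is deliberate, a comment such as `# PUx: run unconfined when no firefox profile is loaded` above the rule would make the choice visible; otherwise `rPx` is the safer and more consistent spelling.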


@ -0,0 +1,119 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2020 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{SYNC_FOLDER}=@{MOUNTS}/*/cloud_storage
@{exec_path} = /{usr/,}bin/megasync
profile megasync @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/user-download-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/xrdb rPx,
/{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/xdg-open rCx -> open,
# Megasync home files
owner @{HOME}/ r,
owner "@{user_share_dirs}/data/Mega Limited/" rw,
owner "@{user_share_dirs}/data/Mega Limited/**" rwkl -> "@{user_share_dirs}/data/Mega Limited/MEGAsync/#[0-9]*[0-9]",
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
owner @{user_config_dirs}/QtProject.conf r,
# Sync folder
#/ r,
#@{MOUNTS}/ r,
#@{MOUNTS}/*/ r,
owner @{SYNC_FOLDER}/ r,
owner @{SYNC_FOLDER}/** rwl -> @{SYNC_FOLDER}/**,
# Proc filesystem
deny owner @{PROC}/@{pid}/cmdline r,
deny @{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
/etc/fstab r,
# Autostart
owner @{user_config_dirs}/autostart/#[0-9]*[0-9] rw,
owner @{user_config_dirs}/autostart/megasync.desktop rwl -> @{user_config_dirs}/autostart/#[0-9]*[0-9],
/dev/shm/#[0-9]*[0-9] rw,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/usr/share/hwdata/pnp.ids r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/spacefm rPx,
# file_inherit
owner /dev/tty[0-9]* rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner "@{user_share_dirs}/data/Mega Limited/MEGAsync/" r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/spacefm rPx,
# file_inherit
owner "@{user_share_dirs}/data/Mega Limited/MEGAsync/logs/MEGAsync.log" rw,
owner @{HOME}/.xsession-errors w,
}
include if exists <local/megasync>
}
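Review bot: `@{SYNC_FOLDER}=@{MOUNTS}/*/cloud_storage` at the top of the file hard-codes one site's sync-folder layout into a shipped profile, and nothing says so; users whose sync folder lives elsewhere get silent denials on `owner @{SYNC_FOLDER}/** rwl -> @{SYNC_FOLDER}/**,`. A comment such as `# Site-specific: adjust to where MEGAsync's sync folder is located` above the definition would document the assumption. The three commented-out rules under `# Sync folder` (`#/ r,` and the two `#@{MOUNTS}` lines) should either be deleted or get a note explaining when they are needed.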


@ -0,0 +1,16 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/memtester
profile memtester @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/memtester>
}


@ -0,0 +1,62 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/merkaartor
profile merkaartor @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/qt5-settings-write>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/openssl>
include <abstractions/user-download-strict>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
@{exec_path} mr,
/usr/share/merkaartor/{,**} r,
owner @{HOME}/.config/Merkaartor/ rw,
owner @{HOME}/.config/Merkaartor/* rwkl -> @{HOME}/.config/Merkaartor/,
owner @{HOME}/.merkaartor/ rw,
owner @{HOME}/.merkaartor/* rw,
owner @{HOME}/merkaartor.log rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{HOME}/.config/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
/usr/share/hwdata/pnp.ids r,
deny owner @{PROC}/@{pid}/cmdline r,
owner /tmp/qtsingleapp-merkaa-* rw,
owner /tmp/qtsingleapp-merkaa-*-lockfile rwk,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
include if exists <local/merkaartor>
}
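Review bot: The config rules from `owner @{HOME}/.config/Merkaartor/ rw,` down to `owner @{HOME}/.config/qt5ct/{,**} r,` spell the user config directory as `@{HOME}/.config/`, while the megasync and minitube profiles in the same commit use the `@{user_config_dirs}` tunable for the same purpose (`owner @{user_config_dirs}/qt5ct/{,**} r,`). Using the tunable here keeps the profile set consistent and lets the path be changed in one place, e.g. `owner @{user_config_dirs}/Merkaartor/ rw,`.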


@ -0,0 +1,31 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mimetype
profile mimetype @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} r,
/usr/bin/perl r,
/usr/share/mime/**.xml r,
/usr/share/mime/globs r,
/usr/share/mime/aliases r,
/usr/share/mime/magic r,
owner @{user_share_dirs}/mime/**.xml r,
owner @{user_share_dirs}/mime/globs r,
owner @{user_share_dirs}/mime/aliases r,
owner @{user_share_dirs}/mime/magic r,
# To read files
/** r,
include if exists <local/mimetype>
}
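Review bot: `/** r,` under `# To read files` is the widest read rule in this commit: it grants read access to every path on the system, including /proc and /etc, not just the files whose type the tool is asked to detect. The mediainfo and mkvmerge profiles pair their broad read globs with `include <abstractions/deny-root-dir-access>` and `owner`-scoped paths; at minimum add that include here and extend the comment to say why a catch-all read is accepted, e.g. `# Catch-all read: mimetype is run on arbitrary user-supplied paths`.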


@ -0,0 +1,149 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2020 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/minitube
profile minitube @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/audio>
include <abstractions/nameservice-strict>
include <abstractions/qt5-settings-write>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-shader-cache>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
@{exec_path} mr,
# Minitube home files
owner "@{user_config_dirs}/Flavio Tordini/" rw,
owner "@{user_config_dirs}/Flavio Tordini/*" rwkl -> "@{user_config_dirs}/Flavio Tordini/#[0-9]*[0-9]",
owner "@{user_share_dirs}/Flavio Tordini/" rw,
owner "@{user_share_dirs}/Flavio Tordini/Minitube/" rw,
owner "@{user_share_dirs}/Flavio Tordini/Minitube/*" rwk,
# Snapshot
owner @{HOME}/@{XDG_PICTURES_DIR}/*.png rw,
owner @{HOME}/vlcsnap-.png rw,
/usr/share/minitube/{,**} r,
# If one is blocked, the others are probed.
deny owner @{HOME}/#[0-9]*[0-9] mrw,
owner @{HOME}/.glvnd* mrw,
# owner /tmp/#[0-9]*[0-9] mrw,
# owner /tmp/.glvnd* mrw,
# Cache
owner @{user_cache_dirs}/ rw,
owner "@{user_cache_dirs}/Flavio Tordini/" rw,
owner "@{user_cache_dirs}/Flavio Tordini/Minitube/" rw,
owner "@{user_cache_dirs}/Flavio Tordini/Minitube/**" rwl -> "@{user_cache_dirs}/Flavio Tordini/Minitube/**",
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
deny /dev/ r,
/dev/shm/#[0-9]*[0-9] rw,
/etc/vdpau_wrapper.cfg r,
deny owner @{PROC}/@{pid}/cmdline r,
deny @{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sys/kernel/core_pattern r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/usr/share/hwdata/pnp.ids r,
# TMP
owner /tmp/qtsingleapp-minitu-* rw,
owner /tmp/qtsingleapp-minitu-*-lockfile rwk,
/{usr/,}bin/xdg-open rCx -> open,
# Be able to turn off the screensaver while playing movies
/{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
# file_inherit
owner /dev/tty[0-9]* rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
profile xdg-screensaver {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/xdg-screensaver mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/xset rix,
/{usr/,}bin/xautolock rix,
/{usr/,}bin/dbus-send rix,
owner @{HOME}/.Xauthority r,
# file_inherit
/dev/dri/card[0-9]* rw,
network inet stream,
network inet6 stream,
}
include if exists <local/minitube>
}
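Review bot: `owner @{HOME}/vlcsnap-.png rw,` under `# Snapshot` matches only the literal file name `vlcsnap-.png`; judging by the sibling rule `owner @{HOME}/@{XDG_PICTURES_DIR}/*.png rw,`, a glob such as `owner @{HOME}/vlcsnap-*.png rw,` was probably intended, otherwise the rule is dead. If the literal name is correct, a short comment saying so would stop the next reader from "fixing" it. The block under `# If one is blocked, the others are probed.` also keeps two rules commented out (`# owner /tmp/#[0-9]*[0-9] mrw,` and the `.glvnd*` twin); deleting or explaining them would help.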


@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/telepathy/mission-control-5
profile mission-control @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
network netlink raw,
@{exec_path} mr,
@{libexec}/* rPUx, # FIXME: Needed ?
/usr/share/telepathy/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{user_share_dirs}/telepathy/mission-control/*.cfg r,
@{run}/user/@{uid}/dconf/user rw,
@{run}/systemd/inhibit/[0-9]*.ref rw,
include if exists <local/mission-control>
}
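Review bot: `@{libexec}/* rPUx, # FIXME: Needed ?` lets the daemon execute anything under the libexec directory and, where no matching profile exists, run it unconfined — an open question left in a shipped profile. If the rule is required, it should name the helpers actually launched (the `/usr/share/telepathy/{,**} r,` line suggests telepathy connection managers) rather than a `*` glob; if not, drop it. Separately, `@{run}/user/@{uid}/dconf/user rw,` lacks the `owner` qualifier that the mediainfo-gui profile in this commit uses for the same path; `owner @{run}/user/@{uid}/dconf/user rw,` is the tighter form.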


@ -0,0 +1,39 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/{mke2fs,mkfs.ext2,mkfs.ext3,mkfs.ext4}
profile mke2fs @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
include <abstractions/user-download-strict>
@{exec_path} mr,
# To check for badblocks
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}{s,}bin/badblocks rPx,
/etc/mke2fs.conf r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/swaps r,
owner @{run}/blkid/blkid.tab{,-*} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# For virt-resize
owner /var/tmp/.guestfs-[0-9]*/** rwk,
include if exists <local/mke2fs>
}


@ -0,0 +1,30 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/mkfs.btrfs
profile mkfs-btrfs @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
/dev/btrfs-control rw,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/swaps r,
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/mkfs-btrfs>
}
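Review bot: `capability sys_admin,` is granted without a comment although it is the broadest capability in the profile; the mount profile in this commit justifies the same capability with the observed denial (`mount(...) = -1 EPERM`). A comment above the rule recording which operation needs it — e.g. `# Needed for: <operation from audit log, to be confirmed>` — keeps the grant reviewable. The same applies to `capability sys_admin,` in the mkntfs profile.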


@ -0,0 +1,26 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/{mkfs.fat,mkfs.msdos,mkfs.vfat,mkdosfs}
profile mkfs-fat @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
include <abstractions/user-download-strict>
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/mkfs-fat>
}


@ -0,0 +1,166 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/mkinitramfs
profile mkinitramfs @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
capability syslog,
capability chown,
capability fowner,
capability fsetid,
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/ r,
/{usr/,}bin/ r,
/{usr/,}lib/ r,
/{usr/,}lib64/ r,
/{usr/,}bin/getopt rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/tsort rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/id rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/env rix,
/{usr/,}bin/rmdir rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/cpio rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/lzma rix,
/{usr/,}bin/lzop rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/zstd rix,
/{usr/,}bin/ldd rCx -> ldd,
/{usr/,}sbin/ldconfig rCx -> ldconfig,
/{usr/,}bin/find rCx -> find,
/{usr/,}bin/kmod rCx -> kmod,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/linux-version rPx,
# What to do with it? (#FIXME#)
/usr/share/initramfs-tools/hooks/* rPUx,
/usr/share/initramfs-tools/scripts/*/* rPUx,
/etc/initramfs-tools/hooks/* rPUx,
/etc/initramfs-tools/scripts/*/* rPUx,
/usr/share/initramfs-tools/{,**} r,
/etc/initramfs-tools/{,**} r,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/modprobe.d/{,*.conf} r,
/boot/ r,
owner /boot/initrd.img-*.new rw,
/var/tmp/ r,
owner /var/tmp/mkinitramfs_*/ rw,
owner /var/tmp/mkinitramfs_*/** rwl -> /var/tmp/mkinitramfs_*/**,
/var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw,
owner /var/tmp/mkinitramfs-* rw,
@{PROC}/modules r,
profile ldd {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/ldd mr,
/{usr/,}bin/kmod mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}lib/@{multiarch}/ld-*.so rix,
/{usr/,}lib{,x}32/ld-*.so rix,
}
profile ldconfig {
include <abstractions/base>
include <abstractions/consoles>
capability sys_chroot,
/{usr/,}sbin/ldconfig mr,
owner /var/tmp/mkinitramfs_*/etc/ld.so.conf r,
owner /var/tmp/mkinitramfs_*/etc/ld.so.conf.d/{,*.conf} r,
owner /var/tmp/mkinitramfs_*/{usr/,}lib{,32,x32}/ r,
owner /var/tmp/mkinitramfs_*/{usr/,}lib/@{multiarch}/ r,
owner /var/tmp/mkinitramfs_*/{usr/,}lib/@{multiarch}/*.so* rw,
owner /var/tmp/mkinitramfs_*/{usr/,}lib{,32,x32}/*.so* rw,
owner /var/tmp/mkinitramfs_*/etc/ld.so.cache{,~} rw,
owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/ rw,
owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/aux-cache{,~} rw,
}
profile find {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/find mr,
# pwd dir
/ r,
/etc/ r,
/root/ r,
/usr/share/initramfs-tools/scripts/{,**/} r,
/etc/initramfs-tools/scripts/{,**/} r,
owner /var/tmp/mkinitramfs_*/{,**/} r,
}
profile kmod {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/kmod mr,
@{PROC}/cmdline r,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/ r,
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.* rw,
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/{,**/} r,
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/**/*.ko r,
}
include if exists <local/mkinitramfs>
}
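Review bot: The four `rPUx` rules under `# What to do with it? (#FIXME#)` — `/usr/share/initramfs-tools/hooks/* rPUx,`, `/usr/share/initramfs-tools/scripts/*/* rPUx,` and their `/etc/initramfs-tools/` twins — make every hook and script run unconfined whenever no dedicated profile exists, which is likely all of them, so the confinement of the main profile does not extend to the code that actually assembles the image. That may be the only workable option today, but the FIXME should say so and name the alternative (per-hook profiles or a shared child profile) rather than leave an open question. Separately, `/{usr/,}bin/kmod mr,` inside the `ldd` child looks misplaced; kmod has its own `kmod` child profile further down.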


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/{mkntfs,mkfs.ntfs}
profile mkntfs @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pids}/mounts r,
include if exists <local/mkntfs>
}
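Review bot: `owner @{PROC}/@{pids}/mounts r,` uses `@{pids}` where every other profile in this commit (mke2fs, mkfs-btrfs, mkfs-fat, mkswap) writes `owner @{PROC}/@{pid}/mounts r,`. If `@{pids}` is a deliberately different tunable it deserves a comment; otherwise use `@{pid}` so the rule stays consistent with its siblings and does not depend on a second tunable being defined.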


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/mkswap
profile mkswap @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/swaps r,
# SWAP file common locations
owner /swapfile rw,
include if exists <local/mkswap>
}


@ -0,0 +1,66 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
# Video/audio extensions:
# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t
@{mkvmerge_ext} = [aA]{52,[aA][cC],[cC]3}
@{mkvmerge_ext} += [mM][kK][aA]
@{mkvmerge_ext} += [fF][lL][aA][cC]
@{mkvmerge_ext} += [mM][pP][123cC]
@{mkvmerge_ext} += [oO][gGmM][aA]
@{mkvmerge_ext} += [wW]{,[aA]}[vV]
@{mkvmerge_ext} += [wW][mM]{,[aA]}
@{mkvmerge_ext} += 3[gG]{[2pP],[pP][2pP]}
@{mkvmerge_ext} += [aA][sS][fF]
@{mkvmerge_ext} += [aA][vV][iI]
@{mkvmerge_ext} += [dD][iI][vV][xX]
@{mkvmerge_ext} += [mM][124][vV]
@{mkvmerge_ext} += [mM][kKoO][vV]
@{mkvmerge_ext} += [mM][pP][4aAeEgG]
@{mkvmerge_ext} += [mM][pP][eE][gG]{,[124]}
@{mkvmerge_ext} += [oO][gG][gGmMxXvV]
@{mkvmerge_ext} += [rR][mM]{,[vV][bB]}
@{mkvmerge_ext} += [wW][eE][bB][mM]
@{mkvmerge_ext} += [wW][mMtT][vV]
@{mkvmerge_ext} += [mM][pP]2[tT]
# Subtitle extensions:
# srt, txt, sub
@{mkvmerge_ext} += [sS][rR][tT]
@{mkvmerge_ext} += [tT][xX][tT]
@{mkvmerge_ext} += [sS][uU][bB]
@{exec_path} = /{usr/,}bin/mkvmerge
profile mkvmerge @{exec_path} {
include <abstractions/base>
include <abstractions/user-download-strict>
include <abstractions/deny-root-dir-access>
signal (receive) set=(term, kill) peer=mkvtoolnix-gui,
@{exec_path} mr,
# Which files mkvmerge should be able to open
/ r,
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
owner /{home,media}/**.@{mkvmerge_ext} rw,
owner /tmp/MKVToolNix-process-*.json r,
owner /tmp/MKVToolNix-GUI-MuxJob-*.json r,
# file_inherit
/dev/dri/card[0-9]* rw,
include if exists <local/mkvmerge>
}


@ -0,0 +1,111 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
# Video/audio extensions:
# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t
@{mkvtoolnix_ext} = [aA]{52,[aA][cC],[cC]3}
@{mkvtoolnix_ext} += [mM][kK][aA]
@{mkvtoolnix_ext} += [fF][lL][aA][cC]
@{mkvtoolnix_ext} += [mM][pP][123cC]
@{mkvtoolnix_ext} += [oO][gGmM][aA]
@{mkvtoolnix_ext} += [wW]{,[aA]}[vV]
@{mkvtoolnix_ext} += [wW][mM]{,[aA]}
@{mkvtoolnix_ext} += 3[gG]{[2pP],[pP][2pP]}
@{mkvtoolnix_ext} += [aA][sS][fF]
@{mkvtoolnix_ext} += [aA][vV][iI]
@{mkvtoolnix_ext} += [dD][iI][vV][xX]
@{mkvtoolnix_ext} += [mM][124][vV]
@{mkvtoolnix_ext} += [mM][kKoO][vV]
@{mkvtoolnix_ext} += [mM][pP][4aAeEgG]
@{mkvtoolnix_ext} += [mM][pP][eE][gG]{,[124]}
@{mkvtoolnix_ext} += [oO][gG][gGmMxXvV]
@{mkvtoolnix_ext} += [rR][mM]{,[vV][bB]}
@{mkvtoolnix_ext} += [wW][eE][bB][mM]
@{mkvtoolnix_ext} += [wW][mMtT][vV]
@{mkvtoolnix_ext} += [mM][pP]2[tT]
# Subtitle extensions:
# srt, txt, sub
@{mkvtoolnix_ext} += [sS][rR][tT]
@{mkvtoolnix_ext} += [tT][xX][tT]
@{mkvtoolnix_ext} += [sS][uU][bB]
@{exec_path} = /{usr/,}bin/mkvtoolnix-gui
profile mkvtoolnix-gui @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/gtk>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/qt5-settings-write>
include <abstractions/qt5-compose-cache-write>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/user-download-strict>
include <abstractions/deny-root-dir-access>
signal (send) set=(term, kill) peer=mkvmerge,
@{exec_path} mr,
/{usr/,}bin/mkvmerge rPx,
/{usr/,}bin/mediainfo-gui rPx,
# Which files mkvtoolnix should be able to open
/ r,
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
owner /{home,media}/**.@{mkvtoolnix_ext} rw,
owner @{user_config_dirs}/bunkus.org/ rw,
owner @{user_config_dirs}/bunkus.org/mkvtoolnix-gui/ rw,
owner @{user_config_dirs}/bunkus.org/mkvtoolnix-gui/** rwkl -> @{user_config_dirs}/bunkus.org/mkvtoolnix-gui/#[0-9]*[0-9],
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/bunkus.org/ rw,
owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/ rw,
owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/ rw,
owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/[0-9a-f]* rw,
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/MKVToolNix-GUI-MuxConfig-* rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/MKVToolNix-process-*.json rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/MKVToolNix-GUI-MuxJob-*.json rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/MKVToolNix-GUI-Instance-Communicator-* rw,
deny owner @{PROC}/@{pid}/cmdline r,
deny @{PROC}/sys/kernel/random/boot_id r,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/mounts r,
/etc/fstab r,
/dev/shm/#[0-9]*[0-9] rw,
/usr/share/hwdata/pnp.ids r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/mkvtoolnix-gui>
}
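Review bot: `@{PROC}/@{pid}/mountinfo r,` and `@{PROC}/@{pid}/mounts r,` lack the `owner` qualifier that the megasync, mount and mount-nfs profiles in this commit apply to the same paths (`owner @{PROC}/@{pid}/mountinfo r,`). Since `@{pid}` matches any process id, `owner` is what keeps the rule to the process's own entries; add it for consistency unless the GUI is known to read other processes' mount tables, in which case a comment should say so.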


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mlocate
profile mlocate @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
# When run as root
capability dac_read_search,
@{exec_path} mr,
/var/lib/mlocate/mlocate.db r,
include if exists <local/mlocate>
}


@ -0,0 +1,67 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mount
profile mount @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-write>
include <abstractions/nameservice-strict>
capability chown,
# To be able to mount anything
# mount("/dev/sdb1", "/mnt", "ext4", 0, NULL) = -1 EPERM (Operation not permitted)
# write(2, "/mnt: permission denied.", 24) = 24
capability sys_admin,
# For NTFS mounts
capability setgid,
capability setuid,
capability dac_read_search,
mount,
network inet stream,
network inet6 stream,
signal (receive) set=(term, kill),
@{exec_path} mr,
/{usr/,}bin/ntfs-3g rPx,
/{usr/,}{s,}bin/lowntfs-3g rPx,
/{usr/,}bin/sshfs rPx,
/{usr/,}{s,}bin/mount.* rPx,
# Mount points
@{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r,
/media/cdrom[0-9]/ r,
# Mount iso/img files
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# The special /dev/loop-control file can be used to create and destroy loop devices or to find
# the first available loop device.
/dev/loop-control rw,
/etc/fstab r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{run}/mount/ rw,
owner @{run}/mount/utab{,.*} rw,
owner @{run}/mount/utab.lock wk,
include if exists <local/mount>
}
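Review bot: The bare `mount,` rule together with `capability sys_admin,` allows any filesystem type to be mounted on any path, and with `flags=(complain)` on the profile header none of the rules below is enforced either, so today this profile only audits. The mount-cifs and mount-nfs profiles in this commit show the narrower form (`mount fstype=cifs -> @{MOUNTS}/*/,`); if the generic tool really must stay unrestricted, the `# To be able to mount anything` comment should say that this is deliberate and what must be true before complain mode is dropped. `/{usr/,}{s,}bin/mount.* rPx,` also fails closed, once enforced, for any helper without its own profile, which is worth stating next to the rule.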


@ -0,0 +1,48 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,bin}/mount.cifs
profile mount-cifs @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To mount anything.
capability sys_admin,
# (#FIXME#)
capability setpcap,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
/{usr/,}bin/systemd-ask-password rPUx,
/etc/fstab r,
owner @{HOME}/.smbcredentials r,
# Mount points
@{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r,
# Allow to mount smb/cifs disks only under the /media/ dirs
mount fstype=cifs -> @{MOUNTS}/*/,
mount fstype=cifs -> @{MOUNTS}/*/*/,
mount fstype=cifs -> /mnt/,
mount fstype=cifs -> /mnt/*/,
umount @{MOUNTS}/*/,
umount @{MOUNTS}/*/*/,
umount /mnt/,
umount /mnt/*/,
include if exists <local/mount-cifs>
}
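Review bot: `@{exec_path} = /{usr/,}{s,bin}/mount.cifs` expands to `/{usr/,}s/mount.cifs` and `/{usr/,}bin/mount.cifs`, so `/sbin/mount.cifs` and `/usr/sbin/mount.cifs` are never matched and the profile will not attach to a helper installed there; the other profiles in this commit write this alternation as `{s,}bin` (mkfs-btrfs, mkswap, mkntfs), so this should read `@{exec_path} = /{usr/,}{s,}bin/mount.cifs`. The mount-nfs profile has the identical `{s,bin}` typo in its `@{exec_path}` line. `capability setpcap,` is left under a bare `# (#FIXME#)`; record the denial that prompted it or drop the grant.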


@ -0,0 +1,64 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,bin}/mount.nfs
profile mount-nfs @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To be able to mount anything
capability sys_admin,
capability chown,
capability setgid,
capability setuid,
capability net_bind_service,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/start-statd rix,
/{usr/,}bin/flock rix,
/usr/bin/systemctl rPx -> child-systemctl,
/etc/fstab r,
/etc/netconfig r,
/etc/rpc r,
@{PROC}/filesystems r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{run}/mount/utab{,.*} rw,
owner @{run}/mount/utab.lock wk,
owner @{run}/rpc.statd.lock wk,
# Mount points
@{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r,
# Allow to mount smb/cifs disks only under the /media/ dirs
mount fstype=nfs -> @{MOUNTS}/*/,
mount fstype=nfs -> @{MOUNTS}/*/*/,
mount fstype=nfs -> /mnt/,
mount fstype=nfs -> /mnt/*/,
umount @{MOUNTS}/*/,
umount @{MOUNTS}/*/*/,
umount /mnt/,
umount /mnt/*/,
include if exists <local/mount-nfs>
}
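Review bot: The comment `# Allow to mount smb/cifs disks only under the /media/ dirs` above the `mount fstype=nfs -> @{MOUNTS}/*/,` rules was carried over from the mount-cifs profile and now names the wrong filesystem and only half of the permitted targets; `# Allow to mount NFS shares only under @{MOUNTS} and /mnt/` describes what the four mount rules do. While there, `capability net_bind_service,` is the one capability in the list without an obvious tie to the `# To be able to mount anything` comment; a short note on which operation needs it would keep the grant reviewable.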


@ -0,0 +1,61 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mpsyt
profile mpsyt @{exec_path} {
include <abstractions/base>
include <abstractions/python>
include <abstractions/user-download-strict>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
signal (send) set=(term, kill) peer=mpv,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/tset rix,
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/mpv rPUx,
/{usr/,}bin/ffmpeg rPUx,
/{usr/,}bin/ffprobe rPUx,
# MPV config files
/etc/mpv/* r,
owner @{user_config_dirs}/mpv/* r,
# mps-yt config files
owner @{user_config_dirs}/mps-youtube/{,**} rw,
# Cache files
owner @{user_cache_dirs}/youtube-dl/youtube-sigfuncs/js_*.json{,.*.tmp} rw,
/etc/inputrc r,
/etc/mime.types r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
/tmp/ r,
owner /tmp/[a-z0-9]* rw,
owner /tmp/mpsyt-input* rw,
owner /tmp/mpsyt-mpv*.sock rw,
include if exists <local/mpsyt>
}
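Review bot: `owner /tmp/[a-z0-9]* rw,` grants read/write on any lowercase-alphanumeric file the user owns in /tmp, far broader than the `mpsyt-input*` and `mpsyt-mpv*.sock` rules right below it. If it only exists for the temporary names mpsyt itself creates, narrow it to that pattern (e.g. `owner /tmp/mpsyt-* rw,`) or add a comment recording which program needs the generic rule. Note also that mpv, ffmpeg and ffprobe are launched with `rPUx`, so they run unconfined whenever no profile for them is loaded.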

apparmor.d/profiles-m-r/mpv Normal file

@ -0,0 +1,181 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
# Video/audio extensions:
# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t
@{mpv_ext} = [aA]{52,[aA][cC],[cC]3}
@{mpv_ext} += [mM][kK][aA]
@{mpv_ext} += [fF][lL][aA][cC]
@{mpv_ext} += [mM][pP][123cC]
@{mpv_ext} += [oO][gGmM][aA]
@{mpv_ext} += [wW]{,[aA]}[vV]
@{mpv_ext} += [wW][mM]{,[aA]}
@{mpv_ext} += 3[gG]{[2pP],[pP][2pP]}
@{mpv_ext} += [aA][sS][fF]
@{mpv_ext} += [aA][vV][iI]
@{mpv_ext} += [dD][iI][vV][xX]
@{mpv_ext} += [mM][124][vV]
@{mpv_ext} += [mM][kKoO][vV]
@{mpv_ext} += [mM][pP][4aAeEgG]
@{mpv_ext} += [mM][pP][eE][gG]{,[124]}
@{mpv_ext} += [oO][gG][gGmMxXvV]
@{mpv_ext} += [rR][mM]{,[vV][bB]}
@{mpv_ext} += [wW][eE][bB][mM]
@{mpv_ext} += [wW][mMtT][vV]
@{mpv_ext} += [mM][pP]2[tT]
# Image extensions
# bmp, jpg, jpeg, png, gif
@{mpv_ext} += [bB][mM][pP]
@{mpv_ext} += [jJ][pP]{,[eE]}[gG]
@{mpv_ext} += [pP][nN][gG]
@{mpv_ext} += [gG][iI][fF]
# Subtitle extensions:
# srt, txt, sub
@{mpv_ext} += [sS][rR][tT]
@{mpv_ext} += [tT][xX][tT]
@{mpv_ext} += [sS][uU][bB]
# Playlist extensions:
# m3u, m3u8, pls
@{mpv_ext} += [mM]3[uU]{,8}
@{mpv_ext} += [pP][lL][sS]
# For Qbittorrent !qB extension
@{mpv_ext} += "!qB"
@{exec_path} = /{usr/,}bin/mpv
profile mpv @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/opencl-intel>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/audio>
include <abstractions/nameservice-strict>
include <abstractions/vulkan>
include <abstractions/user-download-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
signal (receive) set=(term, kill),
signal (send) set=(term, kill) peer=youtube-dl,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
# MPV config files
/etc/mpv/* r,
owner @{user_config_dirs}/mpv/ rw,
owner @{user_config_dirs}/mpv/* rw,
# Which files MPV should be able to open
/ r,
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
/tmp/ r,
owner /tmp/mpsyt-input* rw,
owner /tmp/mpsyt-mpv*.sock rw,
owner /tmp/smplayer-mpv-* rw,
owner /tmp/mozilla_*/ r,
owner /{home,media,tmp/mozilla_*}/**.@{mpv_ext} rw,
# For SMB shares
owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r,
owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**.@{mpv_ext} r,
# For the SMPlayer's builtin thumbnail generator
owner /tmp/smplayer_preview/[0-9]*.{jpg,png} w,
# For SMPlayer's screenshots
owner /tmp/smplayer_screenshots/cap_*.{jpg,png} w,
# Media downloaded by firefox
#deny owner /tmp/mozilla_*/* r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/task/ r,
##include <abstractions/nvidia>
/etc/vdpau_wrapper.cfg r,
#/etc/samba/smb.conf r,
# What's this for? (since v0.30.0)
@{sys}/bus/ r,
@{sys}/class/ r,
#
@{sys}/class/input/ r,
@{sys}/devices/**/input/**/uevent r,
@{sys}/devices/**/input/**/capabilities/* r,
/dev/input/event[0-9]* r,
@{run}/udev/data/+input:input[0-9]* r,
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
#
@{sys}/class/sound/ r,
@{sys}/devices/**/sound/**/uevent r,
@{sys}/devices/**/sound/**/capabilities/* r,
@{run}/udev/data/+sound:* r,
@{run}/udev/data/c116:[0-9]* r, # for ALSA
# Be able to turn off the screensaver while playing movies
/{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver,
# External apps
/{usr/,}bin/youtube-dl rPUx,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
profile xdg-screensaver {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/xdg-screensaver mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/xset rix,
/{usr/,}bin/xautolock rix,
/{usr/,}bin/dbus-send rix,
/{usr/,}bin/xscreensaver-command rix,
owner @{HOME}/.Xauthority r,
# file_inherit
/dev/dri/card[0-9]* rw,
network inet stream,
network inet6 stream,
}
include if exists <local/mpv>
}
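Review bot: `owner /{home,media,tmp/mozilla_*}/**.@{mpv_ext} rw,` gives mpv write access to every media file the user owns under /home and /media, although playback only needs `r`; unless a write use case is known (mpv's own state goes through the config-dir rules above), drop the `w` to `owner /{home,media,tmp/mozilla_*}/**.@{mpv_ext} r,`, matching the read-only gvfs smb-share rules below it. The `@{sys}/bus/ r,` and `@{sys}/class/ r,` rules are still annotated `# What's this for? (since v0.30.0)`; a resolved why-comment or a removal is better than shipping the question. In the `xdg-screensaver` child profile, `/dev/dri/card[0-9]* rw,` sits under `# file_inherit`, which should say it is an inherited descriptor rather than a needed grant.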


@ -0,0 +1,33 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/{mtools,mattrib,mbadblocks,mcat,mcd,mclasserase,mcopy,mdel,mdeltree,mdir,mdu,mformat,minfo,mlabel,mmd,mmount,mmove,mpartition,mrd,mren,mshortname,mshowfat,mtoolstest,mtype,mzip}
profile mtools @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-write>
include <abstractions/user-download-strict>
capability setuid,
capability setgid,
@{exec_path} mr,
# Mtools config file locations
/etc/mtools.conf r,
/etc/default/mtools.conf r,
owner @{HOME}/.mtoolsrc r,
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/mtools>
}
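Review bot: `capability setuid,` and `capability setgid,` carry no comment, while the other profiles in this set explain each capability (see newgrp); mtools only needs them when it is installed set-uid root and drops privileges, so a comment such as `# Only needed when mtools is installed setuid root; it drops privileges after opening the device` would record that. The four image rules can be collapsed with case-insensitive character classes the way the mpv profile does, e.g. `owner @{HOME}/**.{[iI][sS][oO],[iI][mM][gG],[bB][iI][nN],[mM][dD][fF],[nN][rR][gG]} rwk,`, which also covers mixed-case names that the current upper/lower pairs miss.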


@ -0,0 +1,105 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mumble
profile mumble @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/audio>
include <abstractions/user-download-strict>
include <abstractions/nameservice-strict>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/qt5-settings-write>
include <abstractions/qt5-compose-cache-write>
include <abstractions/user-download-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
@{exec_path} mrix,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
# Mumble home files
owner @{HOME}/ r,
owner @{user_config_dirs}/Mumble/ rw,
owner @{user_config_dirs}/Mumble/** rwkl -> @{user_config_dirs}/Mumble/#[0-9]*[0-9],
owner @{user_share_dirs}/Mumble/ rw,
owner @{user_share_dirs}/Mumble/** rwk,
owner @{HOME}/.MumbleOverlayPipe rw,
owner @{HOME}/.MumbleSocket rw,
owner @{HOME}/.jackdrc r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/dev/shm/MumbleLink.[0-9]*[0-9] rw,
/dev/shm/#[0-9]*[0-9] rw,
owner @{run}/user/@{uid}/MumbleSocket rw,
owner @{run}/user/@{uid}/MumbleOverlayPipe rw,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny @{PROC}/sys/kernel/random/boot_id r,
/etc/fstab r,
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
/usr/share/hwdata/pnp.ids r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner /dev/tty[0-9]* rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/mumble>
}
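Review bot: `include <abstractions/user-download-strict>` appears twice (once after `audio`, once after `qt5-compose-cache-write`); the second occurrence should be removed. The shared-memory rules `/dev/shm/MumbleLink.[0-9]*[0-9] rw,` and `/dev/shm/#[0-9]*[0-9] rw,` have no `owner` qualifier, so the profile may open another user's MumbleLink segment and any anonymous shm file; prefix both with `owner` unless cross-user access is required for the overlay. The `open` child profile lists `/{usr/,}lib/firefox/firefox rPUx` as the only handler, which is fine but worth a comment that other browsers are denied by design.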


@ -0,0 +1,26 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mumble-overlay
profile mumble-overlay @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/deny-root-dir-access>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/file rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/glxgears rPx,
/etc/magic r,
include if exists <local/mumble-overlay>
}
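Review bot: The profile allows `/{usr/,}bin/file rix` but only `/etc/magic r,`; on most distributions `file` also loads its compiled magic database (typically under /usr/share/file/ or /usr/lib/file/), so the `file` call is likely to fail under enforcement — check the audit log and add e.g. `/usr/share/file/magic.mgc r,` if needed. `/{usr/,}bin/glxgears rPx` requires a `glxgears` profile to be loaded; if none exists the exec is denied, so either ship that profile or use `rPUx` with a comment saying so.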


@ -0,0 +1,85 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/nemo
profile nemo @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
# This should be tightened when the "profile has merged rule with conflicting x modifiers" error
# will be fixed. (#FIXME#)
include <abstractions/app-launcher-user>
include <abstractions/app-launcher-root>
# For root window
deny capability dac_read_search,
deny capability dac_override,
# Needed?
deny capability sys_nice,
network inet stream,
network inet6 stream,
@{exec_path} mr,
/{usr/,}lib/@{multiarch}/nemo/** mrix,
/usr/libexec/gvfsd-* rPx,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/fd/ r,
# To read/write files in the system. The read permission is granted for all files, the write
# permission only for the owner. Also, dirs like /dev/, /efi/, /proc/, /sys/ are not included in
# the list.
/ r,
/boot/ r,
/boot/** r,
owner /boot/** rw,
/etc/ r,
/etc/** r,
owner /etc/** rw,
/home/ r,
/home/** r,
owner /home/** rw,
/lost+found/ r,
/lost+found/** r,
owner /lost+found/** rw,
@{MOUNTS}/ r,
@{MOUNTS}/** r,
owner @{MOUNTS}/** rw,
/opt/ r,
/opt/** r,
owner /opt/** rw,
/root/ r,
/root/** r,
owner /root/** rw,
/run/ r,
/run/** r,
owner /run/** rw,
/srv/ r,
/srv/** r,
owner /srv/** rw,
/tmp/ r,
/tmp/** r,
owner /tmp/** rw,
/usr/ r,
/usr/** r,
owner /usr/** rw,
/var/ r,
/var/** r,
owner /var/** rw,
include if exists <local/nemo>
}
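Review bot: `/etc/** r,` lets nemo read `/etc/shadow` and `/etc/gshadow`, and because the profile is also meant to run as root (`app-launcher-root`, the `# For root window` comment), the `owner /etc/** rw,`, `owner /usr/** rw,` and `owner /boot/** rw,` rules then match root-owned files, which is close to an unconfined root file manager. Until the `#FIXME#` tightening is done, add explicit denials such as `deny /etc/{,g}shadow{,-} rw,` and `deny /etc/ssh/*_key r,` so credentials are not reachable through the file manager. A comment stating that the broad rules are intentional for the root use case would also help whoever maintains the `local/nemo` override.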


@ -0,0 +1,35 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/netcap
profile netcap @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability sys_ptrace,
# To get access to all of the @{PROC}/@{pids}/fd/ dirs, which sometimes can be owned by other
# users than root, for instance systemd-timesync.
capability dac_read_search,
ptrace (read),
@{exec_path} mr,
@{PROC}/ r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/fd/ r,
@{PROC}/@{pid}/net/tcp{,6} r,
@{PROC}/@{pid}/net/udp{,6} r,
@{PROC}/@{pid}/net/raw{,6} r,
@{PROC}/@{pid}/net/packet r,
@{PROC}/@{pid}/net/dev r,
include if exists <local/netcap>
}
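Review bot: The profile allows `@{PROC}/@{pids}/fd/ r,` but nothing for the entries inside, and netcap resolves the `fd/*` symlinks to find socket inodes; if the audit log confirms that under enforcement, `@{PROC}/@{pids}/fd/* r,` is needed next to it. `ptrace (read),` has no `peer=` restriction, which is expected for a tool that inspects every process but deserves a one-line comment such as `# To read the fd links of all processes`, in the style of the dac_read_search comment above it.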


@ -0,0 +1,32 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/nethogs
profile nethogs @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability syslog,
capability net_raw,
capability dac_read_search,
capability sys_ptrace,
ptrace (read),
network netlink raw,
network packet raw,
@{exec_path} mr,
@{PROC}/ r,
@{PROC}/@{pids}/fd/ r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/net/tcp{,6} r,
include if exists <local/nethogs>
}
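Review bot: `capability syslog,` and `capability dac_read_search,` are not explained, unlike the capability comments in the neighbouring netcap and newgrp profiles; `syslog` in particular is an unusual grant for a bandwidth monitor, so either record why it is needed (e.g. `# To read the kernel log ring buffer`, if that is what the audit log showed) or drop it and re-test. As in netcap, `@{PROC}/@{pids}/fd/ r,` without `@{PROC}/@{pids}/fd/* r,` may not be enough to resolve socket inodes; verify under enforcement before leaving it as is.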


@ -0,0 +1,40 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/newgrp
profile newgrp @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To write records to the kernel auditing log.
capability audit_write,
# To remove the following errors:
# setgroups: Operation not permitted
# setgid: Operation not permitted
capability setgid,
# newgrp is a SETUID binary
capability setuid,
network netlink raw,
@{exec_path} mr,
# Shells to use
/{usr/,}bin/{,b,d,rb}ash rPUx,
/{usr/,}bin/{c,k,tc,z}sh rPUx,
/etc/{passwd,group,shadow,gshadow} r,
/etc/login.defs r,
owner @{PROC}/@{pid}/loginuid r,
include if exists <local/newgrp>
}


@ -0,0 +1,30 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/nft
profile nft @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To be able to run the nft command.
capability net_admin,
network netlink raw,
@{exec_path} mr,
owner /etc/iproute2/** r,
owner /etc/nftables/**.nft r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
include if exists <local/nft>
}
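Review bot: `@{PROC}/1/environ r,` is a sensitive read (init's environment) with no explanation, whereas the capability rule above says why it exists. If this comes from a library's systemd/container detection, record that in a comment; otherwise consider `deny @{PROC}/1/environ r,` and check that nft still works. `owner /etc/nftables/**.nft r,` only matches root-owned rule files, which is the intended restriction but worth a comment since `nft -f` is often pointed at files elsewhere.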


@ -0,0 +1,39 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/nmap
profile nmap @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
capability net_raw,
capability net_bind_service,
signal (receive) set=(term, kill) peer=zenmap,
network inet dgram,
network inet6 dgram,
network inet raw,
network inet6 raw,
network netlink raw,
network packet raw,
@{exec_path} r,
owner @{PROC}/@{pid}/net/dev r,
owner @{PROC}/@{pid}/net/if_inet6 r,
/usr/share/nmap/** r,
owner /tmp/zenmap-stdout-* rw,
owner /tmp/zenmap-*.xml rw,
include if exists <local/nmap>
}
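Review bot: `@{exec_path} r,` differs from the other compiled binaries in this set, which use `@{exec_path} mr,` (mpsyt uses `r` because it is a script); nmap is a native binary, so `@{exec_path} mr,` is the consistent form. `signal (receive) set=(term, kill) peer=zenmap,` assumes a zenmap profile of that name is shipped alongside, which is fine as long as it is. NSE scripts under `/usr/share/nmap/**` are allowed read-only, which is correct; a comment noting that script output is deliberately confined to the zenmap temp paths would help.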


@ -0,0 +1,55 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/{low,}ntfs{,-3g}
@{exec_path} += /{usr/,}{s,}bin/mount.{low,}ntfs{,-3g}
profile ntfs-3g @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
# When UserMapping is placed under /.NTFS-3G/UserMapping on the NTFS volume
include <abstractions/nameservice-strict>
# Needed in order to mount ntfs disks
capability setgid,
capability setuid,
capability sys_admin,
capability dac_read_search,
capability dac_override,
capability mknod,
@{exec_path} mr,
@{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/swaps r,
/dev/fuse rw,
# Mount points
@{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r,
# Allow to mount ntfs disks only under the /media/ and /mnt/ dirs
mount fstype=fuseblk /dev/sd[a-z][0-9]* -> @{MOUNTS}/*/,
mount fstype=fuseblk /dev/sd[a-z][0-9]* -> @{MOUNTS}/*/*/,
mount fstype=fuseblk /dev/sd[a-z][0-9]* -> /mnt/,
mount fstype=fuseblk /dev/sd[a-z][0-9]* -> /mnt/*/,
# Allow to mount encrypted partition
mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/,
mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/*/,
mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/,
mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/*/,
# kmod is used to load the fuse kernel module
/{usr/,}bin/kmod rPx,
include if exists <local/ntfs-3g>
}
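Review bot: The `mount fstype=fuseblk` rules only accept `/dev/sd[a-z][0-9]*` and `/dev/dm-[0-9]*` as sources, so NTFS partitions on NVMe (`/dev/nvme0n1p1`), eMMC/SD (`/dev/mmcblk0p1`) or loop devices, and any disk beyond `sdz`, cannot be mounted under this profile. Extend the source pattern, e.g. `mount fstype=fuseblk /dev/{sd[a-z]*[0-9]*,nvme[0-9]*n[0-9]*p[0-9]*,mmcblk[0-9]*p[0-9]*} -> @{MOUNTS}/*/,` and likewise for the other three targets. `capability dac_override,` and `capability mknod,` are listed under the generic `# Needed in order to mount ntfs disks` comment; a per-capability reason would match the style of the rest of the set.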


@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfs-3g.probe
profile ntfs-3g-probe @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
include if exists <local/ntfs-3g-probe>
}


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfscat
profile ntfscat @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfscat>
}


@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/ntfsclone
profile ntfsclone @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
# A place for backups
@{HOME}/** rwk,
@{MOUNTS}/*/** rwk,
include if exists <local/ntfsclone>
}
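Review bot: `@{HOME}/** rwk,` and `@{MOUNTS}/*/** rwk,` give the tool, which runs as root, read/write/lock on every file under every home directory and every mount point, not just the backup image. If the backup location cannot be predicted, at least restrict by extension (e.g. `@{HOME}/**.{img,ntfsclone,gz,xz} rwk,`) or document in a comment that this breadth is accepted because ntfsclone is an administrator-only tool.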


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfscluster
profile ntfscluster @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfscluster>
}


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfscmp
profile ntfscmp @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfscmp>
}


@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/ntfscp
profile ntfscp @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
# For writing files owned by users other than root, since ntfscp has to be started as root.
capability dac_read_search,
@{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
@{HOME}/@{XDG_DOWNLOAD_DIR}/** rwl -> @{HOME}/@{XDG_DOWNLOAD_DIR}/**,
@{HOME}/@{XDG_DESKTOP_DIR}/ r,
@{HOME}/@{XDG_DESKTOP_DIR}/** rwl -> @{HOME}/@{XDG_DESKTOP_DIR}/**,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfscp>
}
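Review bot: The comment `# For writing files owned by users other than root` does not match the capability it explains: `capability dac_read_search,` only bypasses read and directory-search checks, while creating or writing a file in a user-owned directory as root needs `capability dac_override,`. Either correct the comment to say the capability is for reading user files that are copied onto the NTFS volume, or, if writing into user directories really occurs, add `capability dac_override,` after confirming it in complain mode.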


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfsdecrypt
profile ntfsdecrypt @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
capability sys_admin,
@{exec_path} mr,
# Common locations of the key
owner /tmp/*.key r,
owner @{HOME}/*.key r,
include if exists <local/ntfsdecrypt>
}


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfsfallocate
profile ntfsfallocate @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfsfallocate>
}


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfsfix
profile ntfsfix @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfsfix>
}


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfsinfo
profile ntfsinfo @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfsinfo>
}


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/ntfslabel
profile ntfslabel @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfslabel>
}


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfsls
profile ntfsls @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfsls>
}


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfsmove
profile ntfsmove @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfsmove>
}


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfsrecover
profile ntfsrecover @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfsrecover>
}


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/ntfsresize
profile ntfsresize @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfsresize>
}


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfssecaudit
profile ntfssecaudit @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
include <abstractions/nameservice-strict>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfssecaudit>
}


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfstruncate
profile ntfstruncate @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfstruncate>
}


@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/ntfsundelete
profile ntfsundelete @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
# The recovery dir
owner /tmp/ntfs-recovery/ r,
owner /tmp/ntfs-recovery/* rw,
include if exists <local/ntfsundelete>
}


@ -0,0 +1,26 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfsusermap
profile ntfsusermap @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
include <abstractions/nameservice-strict>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
# Where to save the UserMapping file
owner /root/UserMapping w,
owner /tmp/UserMapping w,
include if exists <local/ntfsusermap>
}


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ntfswipe
profile ntfswipe @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/ntfswipe>
}


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/numlockx
profile numlockx @{exec_path} {
include <abstractions/base>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
owner @{HOME}/.Xauthority r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
include if exists <local/numlockx>
}


@ -0,0 +1,26 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/obamenu
profile obamenu @{exec_path} {
include <abstractions/base>
include <abstractions/python>
include <abstractions/deny-root-dir-access>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}bin/ r,
/usr/share/applications/ r,
/usr/share/applications/*.desktop r,
/usr/share/pixmaps/ r,
/usr/share/*/*.desktop r,
include if exists <local/obamenu>
}


@ -0,0 +1,42 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/obconf
profile obconf @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
include <abstractions/deny-dconf>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
/usr/share/obconf/{,*} r,
/etc/xdg/openbox/rc.xml r,
owner @{user_config_dirs}/openbox/rc.xml rw,
owner @{HOME}/.themes/{,**} r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/obconf>
}


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/obxprop
profile obxprop @{exec_path} {
include <abstractions/base>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
owner @{HOME}/.Xauthority r,
owner @{HOME}/.icons/default/index.theme r,
/usr/share/icons/*/cursors/crosshair r,
include if exists <local/obxprop>
}


@ -0,0 +1,30 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/on_ac_power /{usr/,}bin/on_ac_power
profile on-ac-power @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/awk rix,
/{usr/,}bin/cat rix,
@{sys}/class/power_supply/ r,
@{sys}/devices/**/power_supply/**/{online,type} r,
@{PROC}/pmu/info r,
@{PROC}/apm r,
# For shell pwd
/ r,
owner @{HOME}/ r,
include if exists <local/on-ac-power>
}
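Review bot: `@{exec_path} = /{usr/,}{s,}bin/on_ac_power /{usr/,}bin/on_ac_power` lists the same path twice, since `{s,}bin` already expands to both `sbin` and `bin`; keep only `@{exec_path} = /{usr/,}{s,}bin/on_ac_power`. The `/ r,` and `owner @{HOME}/ r,` grants under `# For shell pwd` are the usual workaround in this set and are fine as documented.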


@ -0,0 +1,90 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/openbox
profile openbox @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/deny-root-dir-access>
signal (send) set=(term, kill),
@{exec_path} mr,
/{usr/,}lib/@{multiarch}/openbox-autostart rCx -> autostart,
# Apps allowed to run
/{usr/,}sbin/* rPUx,
/{usr/,}bin/* rPUx,
/usr/local/bin/* rPUx,
@{libexec}/* rPUx,
/{usr/,}lib/@{multiarch}/*/** rPUx,
/usr/share/themes/*/openbox-3/themerc r,
/etc/xdg/openbox/* r,
owner @{HOME}/ r,
owner @{user_config_dirs}/openbox/ r,
owner @{user_config_dirs}/openbox/* r,
owner @{user_config_dirs}/obmenu-generator/icons/[0-9a-f]*.png r,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/openbox/ rw,
owner @{user_cache_dirs}/openbox/openbox.log rw,
owner @{user_cache_dirs}/openbox/sessions/ rw,
owner @{HOME}/.Xauthority r,
owner @{PROC}/@{pid}/fd/ r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
profile autostart {
include <abstractions/base>
/{usr/,}lib/@{multiarch}/openbox-autostart mr,
/{usr/,}lib/@{multiarch}/openbox-xdg-autostart rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
# Apps allowed to run
/{usr/,}sbin/* rPUx,
/{usr/,}bin/* rPUx,
/usr/local/bin/* rPUx,
@{libexec}/* rPUx,
/{usr/,}lib/@{multiarch}/*/** rPUx,
/usr/local/lib/python*/dist-packages/ r,
owner @{HOME}/ r,
owner @{user_config_dirs}/openbox/autostart r,
owner @{user_config_dirs}/autostart/{,*} r,
/etc/xdg/openbox/autostart r,
/etc/xdg/autostart/{,*} r,
# Silencer
/{usr/,}lib/python3/** w,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner /dev/tty[0-9]* rw,
include if exists <local/openbox_autostart>
}
include if exists <local/openbox>
}
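Review bot: In the `autostart` child profile, `/{usr/,}lib/python3/** w,` under `# Silencer` is an allow rule, so it grants write access to the system Python library tree instead of silencing a denial; if the goal is to quiet the log it must be `deny /{usr/,}lib/python3/** w,`. `signal (send) set=(term, kill),` has no `peer=`, so openbox may terminate any process the user owns, which is probably intended for a window manager but deserves a comment. The four `rPUx` launcher rules, especially `/{usr/,}lib/@{multiarch}/*/** rPUx`, mean that anything openbox starts without its own profile runs unconfined; that is the stated design, so a one-line comment above `# Apps allowed to run` saying so would prevent a future "tightening" that breaks the desktop.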


@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/openbox-session
profile openbox-session @{exec_path} {
include <abstractions/base>
include <abstractions/deny-root-dir-access>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/xprop rPx,
/{usr/,}bin/openbox rPx,
/etc/xdg/openbox/environment r,
owner @{user_config_dirs}/openbox/environment r,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner /dev/tty[0-9]* rw,
include if exists <local/openbox-session>
}


@ -0,0 +1,72 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/orage
profile orage @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/user-download-strict>
include <abstractions/nameservice-strict>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
/{usr/,}bin/globaltime rPx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/exo-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
owner @{user_config_dirs}/orage/ rw,
owner @{user_config_dirs}/orage/* rw,
owner @{user_share_dirs}/orage/ rw,
owner @{user_share_dirs}/orage/* rwk,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/orage>
}
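Review bot: Three binaries transition into the `open` child profile (`xdg-open`, `exo-open` and `gio-launch-desktop`, all `rCx -> open`), but the child only grants `/{usr/,}bin/xdg-open mr`. If exo-open or gio-launch-desktop is actually the launcher on a given system, the child profile would presumably need a matching map rule such as `/{usr/,}bin/exo-open mr,` and `/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,`, mirroring the `@{exec_path} mr` convention the rest of the set follows. Worth confirming against an audit log before the profile is switched out of testing.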


@ -0,0 +1,26 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pacmd
profile pacmd @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/audio>
include <abstractions/deny-root-dir-access>
#capability sys_ptrace,
ptrace peer=pulseaudio,
signal (send) peer=pulseaudio,
/{usr/,}bin/pacmd mr,
owner @{PROC}/@{pids}/stat r,
include if exists <local/pacmd>
}
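Review bot: The `ptrace peer=pulseaudio,` rule carries no access list, which in AppArmor grants every ptrace permission (read, trace, readby, tracedby) rather than just the read access pacmd needs to inspect its peer; the signal rule right below it is already scoped, so `ptrace (read) peer=pulseaudio,` would be consistent with it and with the `ptrace (read) peer=…` form used in the pipewire profiles. Separately, the executable rule is written as `/{usr/,}bin/pacmd mr,` instead of the `@{exec_path} mr,` the other profiles use; the same style slip appears in pactl (`/{usr/,}bin/pactl mr,`).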


@ -0,0 +1,31 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pactl
profile pactl @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/audio>
include <abstractions/deny-root-dir-access>
/{usr/,}bin/pactl mr,
owner @{HOME}/.Xauthority r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{user_config_dirs}/pulse/ rw,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.anyRemote/anyremote.stdout w,
include if exists <local/pactl>
}


@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pagesize
profile pagesize @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
# For HugePages
@{sys}/kernel/mm/hugepages/ r,
include if exists <local/pagesize>
}


@ -0,0 +1,65 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/pam-auth-update
profile pam-auth-update @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
@{exec_path} mr,
/{usr/,}bin/perl r,
/{usr/,}bin/md5sum rix,
/{usr/,}bin/cp rix,
# Think what to do about this (#FIXME#)
/usr/share/debconf/frontend rPx,
#/usr/share/debconf/frontend rCx -> frontend,
/etc/pam.d/* rw,
/var/lib/pam/* rw,
/usr/share/pam{,-configs}/{,*} r,
profile frontend flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r,
/{usr/,}bin/perl r,
/{usr/,}{s,}bin/pam-auth-update rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/locale rix,
/etc/debconf.conf r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
/usr/share/debconf/templates/adequate.templates r,
# The following is needed when debconf uses GUI frontends.
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
/etc/shadow r,
}
include if exists <local/pam-auth-update>
}
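Review bot: The `frontend` child profile grants `/etc/shadow r,` and `capability dac_read_search,` without any explanation, which is a lot of reach for a debconf frontend and sits outside the "needed when debconf uses GUI frontends" rationale given a few lines above. If these are genuinely required, a why-comment should say by which code path; if that is unknown, marking them `audit /etc/shadow r,` and `audit capability dac_read_search,` would show whether they are ever exercised while the profile is in complain mode. The open `#FIXME#` on the `rPx` to `/usr/share/debconf/frontend` versus the commented-out `rCx -> frontend` alternative also deserves a sentence on which one is intended.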


@ -0,0 +1,69 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
#
# See more at: https://gitlab.com/apparmor/apparmor/wikis/Pam_apparmor_example
#
# This file contains the mappings from users to roles for the binaries
# confined with AppArmor and configured for use with libpam-apparmor. Users
# without a mapping will not be able to login.
#
# The default hat is a confined user. The hat contains only the permissions
# necessary to transition to the user's login shell. All other permissions have
# been moved into the default_user profile.
^DEFAULT {
include <abstractions/authentication>
include <abstractions/nameservice>
capability dac_override,
capability setgid,
capability setuid,
/etc/default/su r,
/etc/environment r,
@{HOMEDIRS}/.xauth* w,
/{usr/,}bin/{,b,d,rb}ash Px -> default_user,
/{usr/,}bin/{c,k,tc,z}sh Px -> default_user,
}
# morfik is a confined user. The hat contains only the permissions necessary
# to transition to gray's login shell. All other permissions have been
# moved into the confined_user profile.
^morfik {
include <abstractions/authentication>
include <abstractions/nameservice>
capability dac_override,
capability audit_write,
capability setgid,
capability setuid,
/{usr/,}bin/{,b,d,rb}ash Px -> confined_user,
/{usr/,}bin/{c,k,tc,z}sh Px -> confined_user,
/etc/default/su r,
/etc/environment r,
@{HOMEDIRS}/.xauth* w,
}
# Don't confine members whose primary group is 'admin' who are not specifically
# confined. Systems without this special primary group may want to define an
# unconfined 'root' hat in this manner (depending on site policy).
^root {
include <abstractions/authentication>
include <abstractions/nameservice>
include <abstractions/wutmp>
capability dac_override,
capability audit_write,
capability setgid,
capability setuid,
/{usr/,}bin/{,b,d,rb}ash Ux,
/{usr/,}bin/{c,k,tc,z}sh Ux,
/etc/default/su r,
/etc/environment r,
@{HOMEDIRS}/.xauth* w,
}
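Review bot: The comment above `^morfik` still says "to transition to gray's login shell", a leftover from the upstream pam_apparmor example; it should read "to transition to morfik's login shell" (or drop the user name) so the mapping and its description agree. The `^root` comment likewise talks about members of the 'admin' group while the hat itself is keyed on the user name, and the header's "Users without a mapping will not be able to login" seems contradicted by the `^DEFAULT` hat, which presumably catches unmapped users. Since this file hard-codes a site-specific account, a one-line comment saying it is an example to be adapted per site would help anyone deploying the set.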


@ -0,0 +1,53 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
#
# See more at: https://gitlab.com/apparmor/apparmor/wikis/Pam_apparmor_example
#
# This file contains the roles as referenced by pam/mappings
#
abi <abi/3.0>,
include <tunables/global>
# By default, allow users to read, lock and link to their own files anywhere,
# but only write to files in their home directory. Only allow limited execution
# of files.
profile default_user flags=(complain) {
include <abstractions/base>
include <abstractions/bash>
include <abstractions/consoles>
include <abstractions/nameservice>
deny capability sys_ptrace,
/{usr/,}bin/** Pixmr,
owner /** rkl,
@{PROC}/** r,
owner @{HOMEDIRS}/ w,
owner @{HOMEDIRS}/** w,
}
# Allow confined_users to read, write, lock and link to their own files
# anywhere, and execute from some places.
profile confined_user flags=(complain) {
include <abstractions/base>
include <abstractions/bash>
include <abstractions/consoles>
include <abstractions/nameservice>
deny capability sys_ptrace,
/{usr/,}bin/** Pixmr,
owner @{HOMEDIRS}/bin/** ixmr,
owner @{user_bin_dirs}/** ixmr,
owner /** rwkl,
@{PROC}/** r,
}
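Review bot: Both `default_user` and `confined_user` are declared `flags=(complain)`, so the header comments describing what the roles "only allow" describe intent rather than enforced policy; a short note such as `# Both roles are currently in complain (learning) mode and log instead of deny.` next to the profile lines would keep readers from assuming users are confined. Also note that `confined_user` combines `owner /** rwkl` with `owner @{HOMEDIRS}/bin/** ixmr` and `owner @{user_bin_dirs}/** ixmr`, so user-written files under those directories execute inside the role under inherit; that matches the stated "execute from some places" intent but is worth stating explicitly.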


@ -0,0 +1,80 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/parted
profile parted @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
# Needed to inform the system of newly created/removed partitions
# ioctl(3, BLKRRPART) = -1 EACCES (Permission denied)
#
# Error: Partition(s) * on /dev/sd* have been written, but we have been unable to inform the
# kernel of the change, probably because it/they are in use. As a result, the old partition(s)
# will remain in use. You should reboot now before making further changes.
capability sys_admin,
# Needed? (#FIXME#)
capability sys_rawio,
# Needed?
ptrace (read),
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/udevadm rCx -> udevadm,
/{usr/,}{s,}bin/dmidecode rPx,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/swaps r,
@{PROC}/devices r,
/dev/mapper/ r,
/dev/mapper/control rw,
/etc/inputrc r,
# Image files
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
profile udevadm {
include <abstractions/base>
ptrace (read),
/{usr/,}bin/udevadm mr,
/etc/udev/udev.conf r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/cmdline r,
@{PROC}/1/sched r,
@{PROC}/1/environ r,
@{PROC}/1/cgroup r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/random/boot_id r,
# file_inherit
include <abstractions/disks-write> # lots of files in this abstraction get inherited
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
}
include if exists <local/parted>
}
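Review bot: `capability sys_rawio,` is left with a `# Needed? (#FIXME#)` marker and `ptrace (read),` with `# Needed?`, which is the opposite of what a high-impact capability should carry in a profile that is not in complain mode. Rather than keeping the open question, `audit capability sys_rawio,` and `audit ptrace (read),` would log every use and settle it from real runs, after which the rule can be kept with a why-comment or dropped. The same unresolved `# Needed?` on `ptrace (read),` appears in partprobe, where the `sys_rawio` grant is at least justified by the quoted kernel message.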


@ -0,0 +1,68 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/partprobe
profile partprobe @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
# To remove the following errors:
# device-mapper: version ioctl on failed: Permission denied
# Incompatible libdevmapper 1.02.167 (2019-11-30) and kernel driver (unknown version).
capability sys_admin,
# To remove the following errors:
# kernel: device-mapper: core: partprobe: sending ioctl 1261 to DM device without required
# privilege.
capability sys_rawio,
# Needed?
ptrace (read),
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/udevadm rCx -> udevadm,
/{usr/,}{s,}bin/dmidecode rPx,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/swaps r,
@{PROC}/devices r,
/dev/mapper/ r,
/dev/mapper/control rw,
profile udevadm {
include <abstractions/base>
ptrace (read),
/{usr/,}bin/udevadm mr,
/etc/udev/udev.conf r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/cmdline r,
@{PROC}/1/sched r,
@{PROC}/1/environ r,
@{PROC}/1/cgroup r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/random/boot_id r,
# file_inherit
include <abstractions/disks-write> # lots of files in this abstraction get inherited
/dev/mapper/control rw,
}
include if exists <local/partprobe>
}


@ -0,0 +1,46 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/passwd
profile passwd @{exec_path} {
include <abstractions/base>
include <abstractions/wutmp>
include <abstractions/authentication>
include <abstractions/nameservice-strict>
# To write records to the kernel auditing log.
capability audit_write,
# To set the right permission to the files in the /etc/.
# Since passwd reads and writes from /etc/ directory, the write permissions are requried by it.
# Note that, /etc/shadow is never written by passwd. passwd actually writes to /etc/nshadow and
# renames /etc/nshadow to /etc/shadow.
capability chown,
capability fsetid,
capability setuid,
network netlink raw,
@{exec_path} mr,
owner @{PROC}/@{pid}/loginuid r,
/etc/shadow rw,
/etc/shadow.[0-9]* rw,
/etc/shadow.lock rwl,
/etc/shadow- rw,
/etc/shadow+ rw,
/etc/nshadow rw,
# A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
# modify the /etc/passwd or /etc/shadow password database.
/etc/.pwd.lock rwk,
include if exists <local/passwd>
}
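Review bot: The comment block says "/etc/shadow is never written by passwd" yet the rule beneath it grants `/etc/shadow rw,`; as far as I know the `w` is needed because renaming `/etc/nshadow` onto `/etc/shadow` requires write permission on the target path, so the comment should say that instead of contradicting the rule, e.g. `# passwd writes /etc/nshadow and renames it over /etc/shadow; the rename needs w on the target.`. The same paragraph has the typo "requried" → "required".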


@ -0,0 +1,40 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pavucontrol
profile pavucontrol @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/audio>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
# Pavucontrol files
/usr/share/pavucontrol/pavucontrol.glade r,
# Pavucontrol config files
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/pavucontrol.ini* rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{PROC}/@{pid}/cmdline r,
# Missing icons
/usr/share/**/icons/**/*.png r,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/pavucontrol>
}


@ -0,0 +1,44 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pcb-gtk
profile pcb-gtk @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
@{exec_path} mr,
/usr/share/pcb/ListLibraryContents.sh rix,
/{usr/,}bin/dash rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/tr rix,
/usr/share/pcb/ r,
/usr/share/pcb/** r,
owner @{HOME}/.pcb/ rw,
owner @{HOME}/.pcb/preferences rw,
owner @{HOME}/PCB.[0-9]*.backup rw,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
include if exists <local/pcb-gtk>
}


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pcscd
profile pcscd @{exec_path} {
include <abstractions/base>
include <abstractions/devices-usb>
network netlink raw,
@{exec_path} mr,
/etc/libccid_Info.plist r,
/etc/reader.conf.d/{,libccidtwin} r,
owner @{run}/pcscd/{,pcscd.pid} rw,
include if exists <local/pcscd>
}


@ -0,0 +1,39 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/picom{,-trans}
profile picom @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>
include <abstractions/nameservice-strict>
include <abstractions/mesa>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
/{usr/,}bin/sed rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/echo rix,
# For migrating from compton.
owner @{user_config_dirs}/compton.conf r,
owner @{user_config_dirs}/picom.conf r,
owner @{HOME}/.Xauthority r,
@{sys}/devices/pci[0-9]*/**/{uevent,vendor,device,subsystem_vendor,subsystem_device} r,
owner @{PROC}/@{pid}/fd/ r,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/picom>
}


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pinentry
profile pinentry @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}bin/pinentry-* rPx,
/etc/pinentry/preexec r,
include if exists <local/pinentry>
}


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pinentry-curses
profile pinentry-curses @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}bin/bash rix,
/usr/share/terminfo/x/xterm-256color r,
include if exists <local/pinentry-curses>
}
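Review bot: `/usr/share/terminfo/x/xterm-256color r,` pins the profile to the author's terminal type; any other `TERM` (rxvt, screen, tmux, linux console) would be denied the terminfo lookup and pinentry-curses would likely fail to draw. A glob over the terminfo tree, `/usr/share/terminfo/*/* r,`, keeps the grant read-only while covering every installed entry. The `/{usr/,}bin/bash rix,` line also differs from the `/{usr/,}bin/{,ba,da}sh rix,` form used elsewhere in the set.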


@ -0,0 +1,16 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pinentry-gnome3
profile pinentry-gnome3 @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/pinentry-gnome3>
}


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pinentry-gtk-2
profile pinentry-gtk-2 @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
@{exec_path} mr,
/usr/share/gtk-2.0/gtkrc r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
include if exists <local/pinentry-gtk-2>
}


@ -0,0 +1,52 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pinentry-kwallet
profile pinentry-kwallet @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/freedesktop.org>
signal (send) set=(term, kill) peer=gpg-agent,
@{exec_path} mr,
/{usr/,}bin/pinentry-* rPx,
/{usr/,}bin/kwalletcli_getpin rix,
/{usr/,}bin/kwalletcli rCx -> kwalletcli,
# when wrong PIN is provided
/{usr/,}bin/date rix,
/{usr/,}bin/mksh rix,
/{usr/,}bin/env rix,
owner @{HOME}/.Xauthority r,
/usr/share/hwdata/pnp.ids r,
profile kwalletcli {
include <abstractions/base>
/{usr/,}bin/kwalletcli mr,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwalletrc r,
/{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr,
/{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
owner @{HOME}/.Xauthority r,
/usr/share/hwdata/pnp.ids r,
}
include if exists <local/pinentry-kwallet>
}


@ -0,0 +1,40 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pinentry-qt
profile pinentry-qt @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/qt5-compose-cache-write>
@{exec_path} mr,
owner @{PROC}/@{pid}/cmdline r,
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/dev/shm/#[0-9]*[0-9] rw,
/usr/share/hwdata/pnp.ids r,
include if exists <local/pinentry-qt>
}
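Review bot: `/dev/shm/#[0-9]*[0-9] rw,` has no `owner` qualifier while the parallel `owner @{user_cache_dirs}/#[0-9]*[0-9] rw,` a few lines up does; if these anonymous shared-memory files are created by pinentry-qt itself, `owner /dev/shm/#[0-9]*[0-9] rw,` is the tighter and consistent form, since the unqualified rule lets the process read and write every other user's unlinked shm files. The same unqualified `/dev/shm/#[0-9]*[0-9] rw,` appears in polkit-kde-authentication-agent, next to an `owner /tmp/#[0-9]*[0-9] rw,` that is qualified.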


@ -0,0 +1,54 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2020 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pipewire
profile pipewire @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
ptrace (read) peer=pipewire-media-session,
ptrace (read) peer=pipewire-pulse,
# Needed for all sound/music apps.
ptrace (read),
@{exec_path} mr,
/usr/share/pipewire/pipewire.conf r,
/etc/pipewire/pipewire.conf r,
/etc/pipewire/client.conf r,
owner @{run}/user/@{uid}/pipewire-[0-9]*.lock rwk,
/dev/snd/controlC[0-9]* rw,
/dev/snd/pcmC[0-9]*D[0-9]*p rw,
/dev/snd/pcmC[0-9]*D[0-9]*c rw,
/usr/share/alsa/{,**} r,
/etc/alsa/{,**} r,
/dev/shm/ r,
@{run}/shm/ r,
/etc/pulse/{,**} r,
owner @{user_config_dirs}/pulse/ rw,
owner @{user_config_dirs}/pulse/cookie rwk,
owner @{run}/user/@{uid}/pulse/ r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/dmi/id/board_vendor r,
@{sys}/devices/virtual/dmi/id/bios_vendor r,
/ r,
/dev/video[0-9]* rw,
include if exists <local/pipewire>
}
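Review bot: The unrestricted `ptrace (read),` makes the two preceding `ptrace (read) peer=pipewire-media-session,` and `ptrace (read) peer=pipewire-pulse,` rules redundant, so the profile reads as if it were scoped when it is not. Either drop the peer-specific lines or, if the blanket rule is only there for client introspection, say so and consider `audit ptrace (read),` to learn which peers actually need it. pipewire-pulse has the identical pattern (`ptrace (read) peer=pipewire,` / `peer=pipewire-media-session,` followed by `ptrace (read),`).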


@ -0,0 +1,60 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2020 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pipewire-media-session
profile pipewire-media-session @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
network netlink raw,
@{exec_path} mr,
/usr/share/pipewire/media-session.d/{,**} r,
/etc/pipewire/media-session.d/*.conf r,
owner @{user_config_dirs}/pipewire/ rw,
owner @{user_config_dirs}/pipewire/** rw,
/dev/snd/controlC[0-9]* rw,
/dev/snd/pcmC[0-9]*D[0-9]*p rw,
/dev/snd/pcmC[0-9]*D[0-9]*c rw,
/usr/share/alsa-card-profile/{,**} r,
/usr/share/alsa/{,**} r,
/etc/alsa/{,**} r,
/dev/shm/ r,
@{run}/shm/ r,
/etc/pulse/{,**} r,
owner @{user_config_dirs}/pulse/ rw,
owner @{user_config_dirs}/pulse/cookie rwk,
owner @{run}/user/@{uid}/pulse/ rw,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/sound/ r,
@{sys}/class/video4linux/ r,
@{sys}/devices/**/sound/**/uevent r,
@{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
@{run}/udev/data/+sound:card[0-9]* r, # For sound
@{run}/udev/data/c81:[0-9]* r, # For video4linux
@{run}/udev/data/c116:[0-9]* r, # For ALSA
@{run}/systemd/users/@{uid} r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
/dev/video[0-9]* rw,
include if exists <local/pipewire-media-session>
}


@ -0,0 +1,36 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2020 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pipewire-pulse
profile pipewire-pulse @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
ptrace (read) peer=pipewire,
ptrace (read) peer=pipewire-media-session,
# Needed for all sound/music apps.
ptrace (read),
@{exec_path} mr,
/etc/pipewire/client.conf r,
/etc/pipewire/pipewire-pulse.conf r,
owner @{run}/user/@{uid}/pulse/pid w,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/dmi/id/board_vendor r,
@{sys}/devices/virtual/dmi/id/bios_vendor r,
/ r,
include if exists <local/pipewire-pulse>
}


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pkcs11-register
profile pkcs11-register @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/opensc.conf r,
owner @{HOME}/.mozilla/firefox/*/pkcs11.txt r,
owner @{HOME}/.mozilla/firefox/profiles.ini r,
owner @{HOME}/.pki/nssdb/pkcs11.txt r,
owner @{HOME}/.thunderbird/*/pkcs11.txt r,
owner @{HOME}/.thunderbird/profiles.ini r,
include if exists <local/pkcs11-register>
}
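Review bot: Every rule on the NSS databases is read-only (`pkcs11.txt r`, `profiles.ini r`), although the tool's apparent purpose is to register a PKCS#11 module into those databases, which would normally mean updating `pkcs11.txt`. If that is the case the profile will deny the write and the registration silently fails; confirm from an audit log and, if needed, change the three `pkcs11.txt` rules to `rw` while keeping `profiles.ini` read-only. A one-line comment on what the tool writes would make the intent clear either way.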


@ -0,0 +1,57 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pkexec
profile pkexec @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/authentication>
include <abstractions/wutmp>
include <abstractions/nameservice-strict>
include <abstractions/consoles>
signal (send) set=(term, kill) peer=polkit-agent-helper,
capability sys_ptrace,
capability audit_write,
capability dac_read_search,
# gdbus
capability setgid,
# gmain
capability setuid,
# Needed?
deny capability sys_nice,
ptrace (read),
network netlink raw,
@{exec_path} mr,
/etc/shells r,
/etc/environment r,
/etc/default/locale r,
/etc/security/limits.d/{,*} r,
@{PROC}/@{pids}/stat r,
owner @{PROC}/@{pid}/fd/ r,
# Apps to be run via pkexec
/{usr/,}{s,}bin/* rPUx,
/{usr/,}bin/* rPUx,
/{usr/,}lib/gvfs/gvfsd-admin rPUx, #(#FIXME#)
/{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
include if exists <local/pkexec>
}
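Review bot: The two catch-alls `/{usr/,}{s,}bin/* rPUx,` and `/{usr/,}bin/* rPUx,` mean that any program launched through pkexec that has no profile of its own runs unconfined as root, and nothing in the file says so; since pkexec is the privilege boundary here, a comment such as `# Targets without a profile fall back to unconfined (PUx); keep profiled helpers listed explicitly.` above those lines would document the trade-off. The `#(#FIXME#)` on `gvfsd-admin` also deserves a sentence on what is unresolved. Note the profile is `flags=(complain)`, so none of these rules are enforced yet.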


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/plocate
profile plocate @{exec_path} {
include <abstractions/base>
# For running as root
capability dac_read_search,
capability setgid,
@{exec_path} mr,
/var/lib/plocate/plocate.db r,
include if exists <local/plocate>
}


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/plocate-build
profile plocate-build @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/var/lib/mlocate/mlocate.db r,
/var/lib/mlocate/#[0-9]* rw,
/var/lib/mlocate/plocate.db rwl -> /var/lib/mlocate/#[0-9]*,
include if exists <local/plocate-build>
}
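Review bot: plocate-build is granted `/var/lib/mlocate/plocate.db rwl -> /var/lib/mlocate/#[0-9]*,`, yet the plocate profile in the section above reads `/var/lib/plocate/plocate.db r,`; the producer and consumer of the database point at different directories. If one of them is a symlink on the author's system the other profile will not be exercised on installs without it, so please confirm the intended location and align the two paths (or document the symlink). A short comment naming the input (`mlocate.db`) and output (`plocate.db`) would also help.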


@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/polipo
profile polipo @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/polipo/* r,
owner /var/log/polipo/ r,
owner /var/log/polipo/polipo.log w,
# Cache dir
owner /var/cache/polipo/{,*} rw,
owner @{HOME}/.polipo-cache/{,*} rw,
# Nameservice
/etc/resolv.conf r,
include if exists <local/polipo>
}
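Review bot: The profile has no `network` rule at all, and under abi/3.0 a profile without one is, as far as I know, denied socket access entirely, which a caching HTTP proxy cannot work without; the `/etc/resolv.conf r,` line shows name resolution is expected, so sockets are clearly needed. Presumably `network inet stream,` and `network inet6 stream,` (plus `dgram` if it resolves names itself) are required; confirm from an audit log rather than guessing. The profile also lacks the `include <abstractions/nameservice-strict>` the other daemons use, which is what the "# Nameservice" rule hand-rolls.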


@ -0,0 +1,43 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9]
profile polkit-agent-helper @{exec_path} {
include <abstractions/base>
include <abstractions/authentication>
include <abstractions/nameservice-strict>
include <abstractions/consoles>
include <abstractions/deny-root-dir-access>
signal (receive) set=(term, kill) peer=polkit-*-authentication-agent,
signal (receive) set=(term, kill) peer=gnome-shell,
signal (receive) set=(term, kill) peer=pkexec,
capability setgid,
capability setuid,
capability audit_write,
# Needed?
deny capability sys_nice,
capability dac_override,
capability net_admin,
network netlink raw,
@{exec_path} mr,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
@{run}/faillock/[a-zA-z0-9]* rwk,
include if exists <local/polkit-agent-helper>
}
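Review bot: The character class in `@{run}/faillock/[a-zA-z0-9]* rwk,` is a typo: `A-z` is an ASCII range that also matches `[`, `\`, `]`, `^`, `_` and `` ` `` rather than upper-case letters only, so it should be `@{run}/faillock/[a-zA-Z0-9]* rwk,`. Also, `capability net_admin,` and `capability dac_override,` are granted to a PAM helper without a why-comment, while `deny capability sys_nice` right above them is explicitly marked "Needed?"; if they are required by some PAM module, name it, otherwise `audit capability net_admin,` would show whether it is used.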


@ -0,0 +1,55 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/libexec/polkit-kde-authentication-agent-[0-9]
profile polkit-kde-authentication-agent @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/qt5-compose-cache-write>
include <abstractions/wayland>
include <abstractions/dri-enumerate>
include <abstractions/nameservice-strict>
include <abstractions/mesa>
include <abstractions/deny-root-dir-access>
signal (send) set=(term, kill) peer=polkit-agent-helper,
@{exec_path} mr,
/{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
/{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/sys/kernel/core_pattern r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
/usr/share/hwdata/pnp.ids r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
/dev/shm/#[0-9]*[0-9] rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#[0-9]*[0-9],
include if exists <local/polkit-kde-authentication-agent>
}


@ -0,0 +1,46 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/polkit-mate/polkit-mate-authentication-agent-[0-9]
profile polkit-mate-authentication-agent @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/deny-root-dir-access>
include <abstractions/deny-dconf>
signal (send) set=(term, kill) peer=polkit-agent-helper,
@{exec_path} mr,
/{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
@{PROC}/1/cgroup r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/fd/ r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{HOME}/.Xauthority r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/X11/xkb/** r,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/polkit-mate-authentication-agent>
}


@ -0,0 +1,54 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/polkit-1/polkitd
profile polkitd @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability setuid,
capability setgid,
capability sys_ptrace,
audit deny capability net_admin,
ptrace (read) peer=unconfined,
@{exec_path} mr,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
# System rules
/etc/polkit-1/rules.d/ r,
/etc/polkit-1/rules.d/[0-9][0-9]-*.rules r,
# Vendor rules
/usr/share/polkit-1/rules.d/ r,
/usr/share/polkit-1/rules.d/*.rules r,
# Vendor policies
/usr/share/polkit-1/actions/ r,
/usr/share/polkit-1/actions/*.policy r,
/usr/share/polkit-1/actions/*.policy.choice r,
owner /var/lib/polkit-1/.cache/ rw,
@{run}/systemd/sessions/* r,
@{run}/systemd/users/@{uid} r,
# Silencer
deny /.cache/ rw,
include if exists <local/polkitd>
}
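Review bot: `capability sys_ptrace,` and `ptrace (read) peer=unconfined,` carry no explanation, and the pairing is not obvious: presumably the peer restriction exists because the only ptrace-mediated read in the file is `@{PROC}/1/environ r` (PID 1 being unconfined), while the `@{PROC}/@{pids}/…` rules below are for checking callers. A comment such as `# ptrace read is needed for @{PROC}/1/environ; callers are inspected via @{PROC}/@{pids}/*` would record that, and it also flags the limit: if polkitd ever needs a ptrace-mediated read on a caller confined by another profile, `peer=unconfined` will not cover it. The `audit deny capability net_admin,` line is a good pattern and could be mentioned in that same comment.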


@ -0,0 +1,33 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/popcon-largest-unused
profile popcon-largest-unused @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/apt-cache rPx,
/var/log/popularity-contest r,
owner @{PROC}/@{pid}/fd/ r,
# For shell pwd
/root/ r,
include if exists <local/popcon-largest-unused>
}


@ -0,0 +1,60 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/popularity-contest
profile popularity-contest @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
include <abstractions/nameservice-strict>
# For popularity-contest --su-nobody
capability setuid,
capability setgid,
capability sys_ptrace,
ptrace (read),
capability dac_read_search,
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/env rix,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
#
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/dpkg-divert rPx -> child-dpkg-divert,
# For shell pwd
/root/ r,
/etc/popularity-contest.conf r,
/etc/dpkg/origins/debian r,
/etc/shadow r,
/var/lib/dpkg/info/{,*.list} r,
@{PROC}/ r,
/var/log/ r,
/var/log/popularity-contest.new w,
/var/lib/ r,
# file_inherit
/tmp/#[0-9]*[0-9] rw,
include if exists <local/popularity-contest>
}
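Review bot: `/etc/shadow r,` is granted at profile level, and the `sh` and `env` helpers on the `rix` lines run inside this same profile, so they inherit that read as well; `ptrace (read),` is likewise written without a peer restriction. If the shadow read only serves the `--su-nobody` privilege drop named in the comment above the capabilities, that path normally needs the passwd database rather than shadow, so it is worth confirming the read is actually required; if it is only noise from a library lookup, `deny /etc/shadow r,` silences the log without granting the access. The `/tmp/#[0-9]*[0-9] rw,` line under `# file_inherit` also lacks the `owner` qualifier that the sibling profiles in this commit use for the same pattern.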


@ -0,0 +1,66 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
# When any of the "*ns" parameters is used, the following error will be printed:
# "Failed name lookup - disconnected path" error=-13 profile="ps" name="".
@{exec_path} = /{usr/,}bin/ps
profile ps @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# To be able to read the /proc/ files of all processes in the system.
capability dac_read_search,
capability sys_ptrace,
ptrace (read),
@{exec_path} mr,
# The "/proc/" dir is needed to avoid the following error:
# error: can not access /proc
# The "stat" file is needed to avoid the following error:
# Error, do this: mount -t proc proc /proc
# The "uptime" file is needed to avoid the following error:
# Error: /proc must be mounted
@{PROC}/ r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/task/ r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/task/@{tid}/cmdline r,
@{PROC}/@{pids}/wchan r,
@{PROC}/@{pids}/attr/current r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/statm r,
@{PROC}/@{pids}/loginuid r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/vm/min_free_kbytes r,
@{PROC}/tty/drivers r,
@{PROC}/uptime r,
@{run}/systemd/sessions/[0-9]* r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
@{sys}/devices/system/node/node[0-9]*/cpumap r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
include if exists <local/ps>
}


@ -0,0 +1,32 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ps_mem
profile ps-mem @{exec_path} {
include <abstractions/base>
include <abstractions/python>
capability sys_ptrace,
ptrace (read),
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
@{PROC}/ r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/@{pids}/statm r,
@{PROC}/@{pids}/smaps_rollup r,
@{PROC}/@{pids}/cmdline r,
# For the "--swap" flag
@{PROC}/@{pid}/smaps r,
include if exists <local/ps-mem>
}


@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pscap
profile pscap @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability sys_ptrace,
ptrace (read),
@{exec_path} mr,
@{PROC}/ r,
@{PROC}/@{pids}/stat r,
include if exists <local/pscap>
}

161
apparmor.d/profiles-m-r/psi Normal file

@ -0,0 +1,161 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/psi
profile psi @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/enchant>
include <abstractions/user-download-strict>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/mesa>
include <abstractions/dri-enumerate>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/thumbnails-cache-read>
include <abstractions/deny-root-dir-access>
signal (send) set=(term, kill) peer=lsb_release,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
@{exec_path} mr,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
# Needed for GPG/PGP support
/{usr/,}bin/gpg rCx -> gpg,
# Needed for playing sound events
/{usr/,}bin/aplay rCx -> aplay,
# PSI files
/usr/share/psi/{,**} r,
# PSI config files
owner @{HOME}/ r,
owner @{user_config_dirs}/psi/ rw,
owner @{user_config_dirs}/psi/** rwkl -> @{user_config_dirs}/psi/#[0-9]*[0-9],
owner @{user_share_dirs}/psi/ rw,
owner @{user_share_dirs}/psi/** rwk,
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
# Cache files
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/psi/{,**} rw,
owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Autostart
owner @{user_config_dirs}/autostart/psi.desktop rw,
/etc/debian_version r,
/dev/shm/#[0-9]*[0-9] rw,
deny owner @{PROC}/@{pid}/cmdline r,
deny @{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
owner /var/tmp/etilqs_[0-9a-f]* rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/Psi.* rwl -> /tmp/#[0-9]*[0-9],
@{run}/systemd/inhibit/[0-9]*.ref rw,
/usr/share/hwdata/pnp.ids r,
# file_inherit
owner @{HOME}/.xsession-errors w,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner /dev/tty[0-9]* rw,
profile aplay {
include <abstractions/base>
include <abstractions/audio>
/{usr/,}bin/aplay mr,
#/{usr/,}bin/pulseaudio rPUx,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/usr/share/psi/sound/** r,
owner @{HOME}/.Xauthority r,
# file_inherit
/dev/dri/card[0-9]* rw,
}
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpg mr,
owner @{HOME}/.gnupg/ rw,
owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
# file_inherit
/dev/dri/card[0-9]* rw,
}
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/psi>
}
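Review bot: The gpg child profile here confines the keyring as `@{HOME}/.gnupg/` on its two `owner` lines, while the otherwise identical psi-plus profile in the next section uses `@{HOME}/@{XDG_GPG_DIR}/`; the two should agree, otherwise changing the tunable moves one client's gpg confinement but not the other's. The `rPUx` on the firefox line, in both the main profile and the `open` child, transitions to the firefox profile when one is loaded and otherwise runs the browser unconfined; that is a deliberate trade-off in this tree but deserves the comment `# PUx: unconfined fallback when no firefox profile is loaded` so a reader does not take it for a plain `Px`.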


@ -0,0 +1,161 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/psi-plus
profile psi-plus @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/enchant>
include <abstractions/user-download-strict>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/mesa>
include <abstractions/dri-enumerate>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/thumbnails-cache-read>
include <abstractions/deny-root-dir-access>
signal (send) set=(term, kill) peer=lsb_release,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
@{exec_path} mr,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
# Needed for GPG/PGP support
/{usr/,}bin/gpg rCx -> gpg,
# Needed for playing sound events
/{usr/,}bin/aplay rCx -> aplay,
# PSI files
/usr/share/psi-plus/{,**} r,
# PSI config files
owner @{HOME}/ r,
owner @{user_config_dirs}/psi+/ rw,
owner @{user_config_dirs}/psi+/** rwkl -> @{user_config_dirs}/psi+/#[0-9]*[0-9],
owner @{user_share_dirs}/psi+/ rw,
owner @{user_share_dirs}/psi+/** rwk,
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
# Cache files
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/psi+/{,**} rw,
owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Autostart
owner @{user_config_dirs}/autostart/psi-plus.desktop rw,
/etc/debian_version r,
/dev/shm/#[0-9]*[0-9] rw,
deny owner @{PROC}/@{pid}/cmdline r,
deny @{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
owner /var/tmp/etilqs_[0-9a-f]* rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/Psi+.* rwl -> /tmp/#[0-9]*[0-9],
@{run}/systemd/inhibit/[0-9]*.ref rw,
/usr/share/hwdata/pnp.ids r,
# file_inherit
owner @{HOME}/.xsession-errors w,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner /dev/tty[0-9]* rw,
profile aplay {
include <abstractions/base>
include <abstractions/audio>
/{usr/,}bin/aplay mr,
#/{usr/,}bin/pulseaudio rPUx,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/usr/share/psi-plus/sound/** r,
owner @{HOME}/.Xauthority r,
# file_inherit
/dev/dri/card[0-9]* rw,
}
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpg mr,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
# file_inherit
/dev/dri/card[0-9]* rw,
}
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/psi-plus>
}
