Add two profile directories so each directory stays smaller.

Alexandre Pujol 2021-09-15 16:55:27 +01:00
parent 6c0ae4ddc1
commit d95a876424
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
521 changed files with 0 additions and 0 deletions


@ -0,0 +1,36 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/scrot
profile scrot @{exec_path} {
include <abstractions/base>
include <abstractions/user-download-strict>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
# "mv" is needed to change the image dir
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mv rix,
# The image dir
owner @{HOME}/*.png rw,
owner @{HOME}/.Xauthority r,
/dev/shm/#[0-9]*[0-9] rw,
owner @{HOME}/.icons/default/index.theme r,
/usr/share/icons/*/index.theme r,
/usr/share/icons/*/cursors/* r,
# file_inherit
owner @{HOME}/.xsession-errors w,
include if exists <local/scrot>
}
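Review bot: The `/{usr/,}bin/{,ba,da}sh rix,` line is undocumented; the only comment explains `mv`, so a reader cannot tell why a general-purpose shell has to run confined under scrot. Presumably this serves scrot's exec hook, which runs a user-supplied command on the saved image — worth confirming and stating, e.g. `# "sh" is needed for the exec hook; the command inherits this profile (rix)`. Because the transition is `ix`, whatever the hook runs stays inside this profile, so any tool beyond `mv` will simply be denied rather than escaping confinement, and that is worth saying too.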


@ -0,0 +1,204 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/sddm
profile sddm @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/authentication>
include <abstractions/wutmp>
include <abstractions/dri-common>
include <abstractions/nameservice-strict>
# To remove the following errors:
# chown("/tmp/sddm-:0-YPUOCV", 123, 132) = -1 EPERM (Operation not permitted)
capability chown,
# To remove the following errors:
# sddm-helper[]: pam_keyinit(sddm-greeter:session): Unable to change GID to 132 temporarily
# sddm-helper[]: setgid( 132 ) failed for user: "sddm"
capability setgid,
# To remove the following errors:
# sddm-helper[]: pam_keyinit(sddm-greeter:session): Unable to change UID to 123 temporarily
# sddm-helper[]: pam_unix(sddm-greeter:session): session opened for user sddm by (uid=0)
capability setuid,
# To remove the following errors:
# sddm-helper[]: pam_limits(sddm-greeter:session): Could not set limit for 'nofile' to soft=1024,
# hard=1048576: Operation not permitted; uid=0,euid=0
# sddm-helper[*]: pam_limits(sddm-greeter:session): Could not set limit for 'memlock' to
# soft=1017930240, hard=1017930240: Operation not permitted; uid=0,euid=0
capability sys_resource,
# To be able to display messages
# sddm-greeter[98834]: Connected to the daemon.
# sddm[98806]: Message received from greeter: Connect
# ...
# sddm-greeter[98834]: Message received from daemon: Capabilities
# sddm-greeter[98834]: Message received from daemon: HostName
# ...
# sddm[98806]: Message received from greeter: Login
# ...
# sddm-greeter[98834]: Message received from daemon: LoginSucceeded
capability audit_write,
# To read the /var/lib/sddm/state.conf file
capability dac_read_search,
# Needed?
#capability sys_tty_config,
deny capability net_admin,
ptrace (trace) peer=@{profile_name},
signal (send) set=(kill, term) peer=xorg,
@{exec_path} mr,
/{usr/,}lib/@{multiarch}/sddm/sddm-helper rix,
/{usr/,}bin/{,ba,da}sh mrix,
/{usr/,}bin/sddm-greeter rPx,
/etc/sddm/Xsession rPx,
/{usr/,}bin/Xorg rPx,
/{usr/,}bin/xauth rCx -> xauth,
/{usr/,}bin/xsetroot rPx,
/{usr/,}bin/sway rPUx,
# System keyrings
/{usr/,}bin/gnome-keyring-daemon rPx,
/{usr/,}bin/kwalletd5 rPx,
# SDDM scripts
# What to do with it? (#FIXME#)
/usr/share/sddm/scripts/Xsetup rPUx,
/usr/share/sddm/scripts/Xstop rPUx,
/usr/share/sddm/scripts/wayland-session rPUx,
/usr/share/sddm/scripts/Xsession rPUx,
#/usr/share/sddm/scripts/Xsetup rCx -> sddm-scripts,
#/usr/share/sddm/scripts/Xstop rCx -> sddm-scripts,
#/usr/share/sddm/scripts/wayland-session rCx -> sddm-scripts,
#/usr/share/sddm/scripts/Xsession rCx -> sddm-scripts,
# Create kwallet dirs and files
owner @{user_share_dirs}/kwalletd/ rw,
owner @{user_share_dirs}/kwalletd/kdewallet.salt rw,
@{user_share_dirs}/kwalletd/kdewallet.salt r,
owner @{run}/user/@{uid}/kwallet5.socket rw,
# Themes
/usr/share/sddm/themes/** r,
/usr/share/plasma/desktoptheme/** r,
/usr/share/desktop-base/softwaves-theme/login/*.svg r,
# List of graphical sessions
/usr/share/xsessions/{,*.desktop} r,
/usr/share/wayland-sessions/{,*.desktop} r,
owner /var/lib/sddm/** rw,
owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.jsc mrw,
owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.qmlc mrw,
/var/lib/sddm/state.conf rw,
/etc/sddm.conf.d/{,*} r,
/etc/sddm.conf r,
# User avatars
/usr/share/sddm/faces/.*.icon r,
/var/lib/AccountsService/icons/*.icon r,
# QT
/{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/*.so mr,
/{usr/,}lib/@{multiarch}/qt5/plugins/plasma/dataengine/*.so mr,
/{usr/,}lib/@{multiarch}/qt5/qml/QtQuick/Controls/**.qmlc mr,
/{usr/,}lib/@{multiarch}/qt5/qml/QtQuick/Controls/Private/*.jsc mr,
# TMP files
owner /tmp/sddm-auth* rw,
/tmp/sddm-* rw,
owner /tmp/*/{,s} rw,
owner @{run}/sddm/ rw,
@{run}/sddm/* w,
# Session error logs
# Creating the dir structure is needed when a new user is logging in for the very first time
# using SDDM.
owner @{HOME}/.local/ w,
owner @{user_share_dirs}/ w,
owner @{user_share_dirs}/sddm/ w,
/{usr/,}lib/@{multiarch}/ld-*.so mr,
/etc/security/limits.d/ r,
owner @{HOME}/.Xauthority rw,
/etc/default/locale r,
/etc/environment r,
owner @{PROC}/@{pid}/loginuid rw,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/uid_map r,
owner @{PROC}/1/limits r,
@{PROC}/sys/kernel/core_pattern r,
/ r,
# Run SDDM on a specific TTY
/dev/tty[0-9]* rw,
@{run}/systemd/sessions/[0-9]*.ref rw,
profile sddm-scripts {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/bash>
/usr/share/sddm/scripts/Xsetup r,
/usr/share/sddm/scripts/Xstop r,
/usr/share/sddm/scripts/wayland-session r,
/usr/share/sddm/scripts/Xsession r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/zsh rix,
/{usr/,}bin/id rix,
/{usr/,}bin/flatpak rPUx,
/{usr/,}bin/sway rPUx,
/{usr/,}bin/dbus-run-session rix,
/{usr/,}bin/dbus-daemon rPUx,
}
profile xauth {
include <abstractions/base>
/{usr/,}bin/xauth mr,
owner @{HOME}/.Xauthority-c w,
owner @{HOME}/.Xauthority-l wl -> @{HOME}/.Xauthority-c,
owner @{HOME}/.Xauthority-n rw,
owner @{HOME}/.Xauthority rwl -> @{HOME}/.Xauthority-n,
owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c w,
owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-l wl -> @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c,
owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n rw,
owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\} rwl -> @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n,
}
include if exists <local/sddm>
}
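Review bot: The `sddm-scripts` child profile starting at `profile sddm-scripts {` is dead code: nothing transitions into it, because the `rCx -> sddm-scripts` rules for Xsetup/Xstop/wayland-session/Xsession are commented out and the live rules for those scripts use `rPUx`, which runs them unconfined whenever no standalone profile exists. Running root-owned display-manager startup scripts unconfined is the widest possible outcome, so either re-enable the `rCx -> sddm-scripts` lines or drop the unused child and extend the `#FIXME#` comment with the reason it cannot be used yet. The child also lists `/{usr/,}bin/{,ba,da}sh rix,` twice; one copy can go.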


@ -0,0 +1,103 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/sddm-greeter
profile sddm-greeter @{exec_path} {
include <abstractions/base>
include <abstractions/opencl-intel>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/mesa>
include <abstractions/qt5-shader-cache>
include <abstractions/nameservice-strict>
@{exec_path} mr,
owner /var/lib/sddm/** rw,
owner /var/lib/sddm/#[0-9]*[0-9] mrw,
owner /var/lib/sddm/.cache/** mrwkl -> /var/lib/sddm/.cache/**,
/var/lib/sddm/state.conf r,
/usr/share/sddm/{,**} r,
/etc/sddm.conf.d/{,*} r,
/etc/sddm.conf r,
# QT
/{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/*.so mr,
/{usr/,}lib/@{multiarch}/qt5/plugins/plasma/dataengine/*.so mr,
/{usr/,}lib/@{multiarch}/qt5/qml/QtQuick/Controls/**.qmlc mr,
/{usr/,}lib/@{multiarch}/qt5/qml/QtQuick/Controls/Private/*.jsc mr,
/{usr/,}lib/@{multiarch}/qt5/qml/QtGraphicalEffects/private/DropShadowBase.qmlc mr,
# List of graphical sessions
/usr/share/xsessions/{,*.desktop} r,
/usr/share/wayland-sessions/{,*.desktop} r,
# Themes
/usr/share/plasma/desktoptheme/** r,
/usr/share/desktop-base/softwaves-theme/login/*.svg r,
# User avatars
/var/lib/AccountsService/icons/*.icon r,
# All the following is for the test mode
#------------------------------------------------------------------
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/sddm-greeter/ rw,
owner @{user_cache_dirs}/sddm-greeter/qmlcache/ rw,
owner @{user_cache_dirs}/sddm-greeter/qmlcache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/sddm-greeter/qmlcache/[a-f0-9]*.jsc* rwl -> @{user_cache_dirs}/sddm-greeter/qmlcache/#[0-9]*[0-9],
owner @{user_cache_dirs}/sddm-greeter/qmlcache/[a-f0-9]*.qmlc* rwl -> @{user_cache_dirs}/sddm-greeter/qmlcache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
# If one is blocked, the others are probed.
deny owner @{HOME}/#[0-9]*[0-9] mrw,
owner @{HOME}/.glvnd* mrw,
# owner /tmp/#[0-9]*[0-9] mrw,
# owner /tmp/.glvnd* mrw,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/plasmarc r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
owner @{user_cache_dirs}/plasma-svgelements-* rw,
include <abstractions/qt5-compose-cache-write>
owner @{PROC}/@{pid}/cmdline r,
#------------------------------------------------------------------
/etc/fstab r,
/usr/share/hwdata/pnp.ids r,
owner @{run}/sddm/{,*} rw,
/{usr/,}lib/@{multiarch}/ld-*.so mr,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/sys/kernel/core_pattern r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# file_inherit
#/dev/tty[0-9]* rw,
include if exists <local/sddm-greeter>
}
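Review bot: The `owner /var/lib/sddm/.cache/** mrwkl -> /var/lib/sddm/.cache/**,` line grants write and executable-map on the same paths, so any file the greeter can write under its cache it can also map executable; `owner /var/lib/sddm/#[0-9]*[0-9] mrw,` does the same. This is presumably required because Qt writes its QML and shader caches and then mmaps them, but the profile does not say so; a comment such as `# Qt writes its qmlcache/shader cache and then mmaps it, hence m+w` would stop a later reader from tightening it blindly or from copying the pattern elsewhere. If the cache can be limited to the `qmlcache/` and shader-cache subdirectories, as the test-mode block further down already does, the `**` glob could be narrowed accordingly.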


@ -0,0 +1,136 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /etc/sddm/Xsession
profile sddm-xsession @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/bash>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/id rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/date rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/tempfile rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/ r,
/{usr/,}bin/zsh rix,
/{usr/,}bin/tcsh rix,
/{usr/,}bin/csh rix,
/{usr/,}bin/fish rix,
/usr/local/bin/ r,
/etc/X11/Xsession rPx,
/{usr/,}bin/dbus-update-activation-environment rCx -> dbus,
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/run-parts rCx -> run-parts,
/{usr/,}bin/udevadm rCx -> udevadm,
/{usr/,}bin/flatpak rPUx,
/{usr/,}bin/xrdb rPx,
/{usr/,}bin/numlockx rPx,
/{usr/,}bin/xhost rPx,
# Allowed GUI sessions to start
#/{usr/,}bin/openbox-session rPx,
#/{usr/,}bin/openbox rPx,
/{usr/,}bin/ssh-agent rPx,
owner /tmp/xsess-env-* rw,
owner /tmp/file* rw,
/etc/default/{,*} r,
/etc/X11/{,**} r,
owner @{PROC}/@{pid}/loginuid r,
# Xsession logs
owner @{user_share_dirs}/sddm/xorg-session.log w,
owner @{HOME}/.xsession-errors w,
/etc/zsh/* r,
profile run-parts {
include <abstractions/base>
/{usr/,}bin/run-parts mr,
/etc/X11/Xsession.d/ r,
/etc/X11/Xresources/ r,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
profile dbus {
include <abstractions/base>
/{usr/,}bin/dbus-update-activation-environment mr,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpg-agent rix,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
@{PROC}/@{pid}/fd/ r,
}
profile udevadm {
include <abstractions/base>
/{usr/,}bin/udevadm mr,
/etc/udev/udev.conf r,
owner @{PROC}/@{pid}/stat r,
@{PROC}/cmdline r,
@{PROC}/1/sched r,
@{PROC}/1/environ r,
@{PROC}/sys/kernel/osrelease r,
@{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*[0-9a-f]* r,
@{sys}/bus/ r,
@{sys}/bus/*/devices/ r,
@{sys}/class/ r,
@{sys}/class/*/ r,
@{sys}/devices/**/uevent r,
@{run}/udev/data/* r,
}
include if exists <local/sddm-xsession>
}
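Review bot: The `owner /tmp/file* rw,` line is broader than the `tempfile` helper it appears to serve: it matches every user-owned entry in /tmp whose name starts with `file`, not only the `/tmp/fileXXXXXX` names tempfile(1) creates. If the rule exists for tempfile/mktemp output, narrowing it (for example `owner /tmp/file?????? rw,`, to be confirmed against the actual names) and adding a comment naming the producer keeps the session script from gaining write access to unrelated temp files. `owner /tmp/xsess-env-* rw,` is in the same situation but at least carries a distinctive prefix.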


@ -0,0 +1,46 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2020 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/sensors
profile sensors @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
# Sensors config files
/etc/sensors.d/{,*} r,
/etc/sensors3.conf r,
@{sys}/devices/pci[0-9]*/**/name r,
@{sys}/class/i2c-adapter/ r,
@{sys}/class/hwmon/ r,
@{sys}/devices/virtual/hwmon/hwmon[0-9]* r,
@{sys}/devices/virtual/hwmon/hwmon[0-9]*/ r,
@{sys}/devices/virtual/hwmon/hwmon[0-9]*/{name,temp*} r,
@{sys}/devices/virtual/hwmon/hwmon[0-9]*/fan[0-9]_label r,
@{sys}/devices/**/hwmon*/{,**/} r,
@{sys}/devices/**/hwmon*/{name,temp*,*_input} r,
@{sys}/devices/**/hwmon*/{in[0-9]_label,in[0-9]_min,in[0-9]_max} r,
@{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r,
# file_inherit
deny @{PROC}/@{pid}/net/dev r,
deny @{PROC}/@{pid}/stat r,
deny @{PROC}/@{pid}/net/tcp{,6} r,
deny @{PROC}/@{pid}/net/if_inet6 r,
deny @{PROC}/@{pid}/cmdline r,
deny @{PROC}/uptime r,
deny @{PROC}/diskstats r,
deny @{PROC}/loadavg r,
deny @{PROC}/@{pid}/io r,
include if exists <local/sensors>
}
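Review bot: The `@{sys}/devices/virtual/hwmon/hwmon[0-9]* r,` line looks redundant next to the following `hwmon[0-9]*/ r,` rule: without the trailing slash it does not match the directory, and a non-directory entry of that name is not something sysfs provides there. Either drop the line or, if it was meant for a specific file, say which one in a comment. The `deny @{PROC}/...` block under `# file_inherit` exists to refuse inherited descriptors quietly rather than to enforce a boundary, and a comment saying so (`# file_inherit: deny quietly instead of filling the audit log`) makes that intent explicit.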


@ -0,0 +1,76 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/sensors-detect
profile sensors-detect @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
capability syslog,
@{exec_path} r,
/{usr/,}bin/perl r,
/usr/bin/uname rix,
/usr/bin/udevadm rCx -> udevadm,
/usr/bin/kmod rCx -> kmod,
/etc/udev/udev.conf r,
@{sys}/bus/pci/devices/ r,
@{sys}/class/i2c-adapter/ r,
@{sys}/devices/pci[0-9]*/**/{class,vendor,device} r,
@{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r,
@{sys}/devices/pci[0-9]*/**/modalias r,
@{sys}/devices/virtual/dmi/id/board_{version,vendor,name} r,
@{sys}/devices/virtual/dmi/id/product_{version,name} r,
@{sys}/devices/virtual/dmi/id/chassis_type r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
/dev/i2c-[0-9]* r,
owner @{PROC}/@{pid}/mounts r,
/proc/modules r,
profile udevadm {
include <abstractions/base>
capability sys_ptrace,
ptrace (read),
/{usr/,}bin/udevadm mr,
/etc/udev/udev.conf r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/1/cgroup r,
@{PROC}/sys/kernel/random/boot_id r,
}
profile kmod {
include <abstractions/base>
/{usr/,}bin/kmod mr,
@{PROC}/cmdline r,
/{usr/,}lib/modprobe.d/ r,
/{usr/,}lib/modprobe.d/*.conf r,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
}
include if exists <local/sensors-detect>
}
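Review bot: The transition rules `/usr/bin/uname rix,`, `/usr/bin/udevadm rCx -> udevadm,` and `/usr/bin/kmod rCx -> kmod,` hard-code `/usr/bin/` while the rest of the file and the child profiles use `/{usr/,}bin/` (`/{usr/,}bin/udevadm mr,`, `/{usr/,}bin/kmod mr,`). On a system where these binaries resolve under `/bin/` the exec is denied even though the child profile itself would accept the binary; changing the three lines to the `/{usr/,}bin/` form keeps parent and child in step. The `udevadm` child also carries `capability sys_ptrace,` and `ptrace (read),`, which the udevadm child in the sddm-xsession profile does without; a comment naming the call that needs it (reading `@{PROC}/1/cgroup`, presumably) would justify the extra capability.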


@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/setpci
profile setpci @{exec_path} flags=(complain) {
include <abstractions/base>
@{exec_path} mr,
@{sys}/bus/pci/devices/ r,
@{sys}/devices/pci[0-9]*/** r,
include if exists <local/setpci>
}
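Review bot: The profile is declared `flags=(complain)` on the `profile setpci` line, so it logs but enforces nothing, and there is no comment recording what is still missing before it can be enforced. Since setpci exists to write PCI configuration space, the `@{sys}/devices/pci[0-9]*/** r,` rule is likely insufficient (write access to the per-device `config` files and presumably `capability sys_admin` would be needed — to be confirmed from the audit log); a note on the flags line such as `# complain: writes to PCI config space not yet covered` tells the next maintainer why it is still in complain mode.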


@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/setpriv
profile setpriv @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@{exec_path} mr,
/{usr/,}bin/[a-z0-9]* rPUx,
/{usr/,}{s,}bin/[a-z0-9]* rPUx,
include if exists <local/setpriv>
}
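Review bot: The profile grants no `capability setuid`, `setgid` or `setpcap`, yet changing uid/gid and capability sets is what setpriv is for; capability use is mediated per profile, so a root invocation that drops privileges would be denied here unless those lines are added (to be confirmed on a test run — the profile may simply be untested). The two `rPUx` rules on `/{usr/,}bin/[a-z0-9]*` and `/{usr/,}{s,}bin/[a-z0-9]*` also deserve a comment: anything setpriv launches that has no profile of its own runs unconfined, which is expected for a launcher but should be stated, and the `[a-z0-9]*` glob silently excludes binaries whose name starts with an uppercase letter, `_` or `.`.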


@ -0,0 +1,36 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/sfdisk
profile sfdisk @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
# Needed to avoid the following error:
# ioctl(3, BLKRRPART) = -1 EACCES (Permission denied)
#
# Checking that no-one is using this disk right now ... FAILED
# This disk is currently in use - repartitioning is probably a bad idea.
# Umount all file systems, and swapoff all swap partitions on this disk.
# Use the --no-reread flag to suppress this check.
capability sys_admin,
@{exec_path} mr,
# For disk images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# For backups
owner @{HOME}/**.{bak,back} rwk,
owner @{MOUNTS}/*/**.{bak,back} rwk,
include if exists <local/sfdisk>
}
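Review bot: The disk-image and backup rules from `# For disk images` down to the `.{bak,back}` lines are duplicated verbatim in the sgdisk profile in this commit; both grant `rwk` on every user-owned `*.iso/img/bin/mdf/nrg` under `@{HOME}` and `@{MOUNTS}`. A shared abstraction (a `disk-images` include, name to be chosen) would keep the two lists from drifting, and the `.bin`/`.BIN` extension is worth a comment of its own, since it matches far more than disk images. The `capability sys_admin,` justification comment here is good; keep it when the rules move.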


@ -0,0 +1,36 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/sgdisk
profile sgdisk @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
# Needed to inform the system of newly created/removed partitions
# ioctl(3, BLKRRPART) = -1 EACCES (Permission denied)
#
# Warning: The kernel is still using the old partition table.
# The new table will be used at the next reboot or after you
# run partprobe(8) or kpartx(8)
# The operation has completed successfully.
capability sys_admin,
@{exec_path} mr,
# For disk images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# For backups
owner @{HOME}/**.{bak,back} rwk,
owner @{MOUNTS}/*/**.{bak,back} rwk,
include if exists <local/sgdisk>
}


@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/smartctl
profile smartctl @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-read>
capability sys_admin,
capability sys_rawio,
@{exec_path} mr,
/usr/share/smartmontools/** r,
/var/lib/smartmontools/** r,
include if exists <local/smartctl>
}
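Review bot: `capability sys_admin,` and `capability sys_rawio,` are granted without a comment, whereas the sibling sfdisk, sgdisk and smartd profiles in this commit document each capability with the error it removes. `sys_rawio` is the expected one for SG_IO/ATA pass-through; why `sys_admin` is needed is not evident from the rules, so a comment such as `# sys_rawio: SG_IO/ATA pass-through; sys_admin: <reason from the audit log>` — or dropping the line if no denial appears — keeps this broad capability from surviving unexamined.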


@ -0,0 +1,43 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/smartd
profile smartd @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
# To remove the following errors:
# Device: /dev/disk/by-id/ata-*, IE (SMART) not enabled, skip device
# Try 'smartctl -s on /dev/disk/by-id/ata-*' to turn on SMART features
# Unable to register SCSI device /dev/disk/by-id/ata-* at line * of file /etc/smartd.conf
# Device: /dev/disk/by-id/ata-*, not available
capability sys_rawio,
# Needed?
deny capability net_admin,
@{exec_path} mr,
/etc/smartd.conf r,
/var/lib/smartmontools/smartd.*.state{,~} rw,
/var/lib/smartmontools/attrlog.*.csv rw,
# Plugin directory for smartd warning script
/etc/smartmontools/smartd_warning.d/ r,
# Drive database location
/var/lib/smartmontools/drivedb/drivedb.h r,
/etc/smart_drivedb.h r,
# Needed when smartd-runner scans for drives
/dev/ r,
@{PROC}/devices r,
include if exists <local/smartd>
}
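Review bot: The `# Needed?` comment above `deny capability net_admin,` is ambiguous: a `deny` rule is a deliberate, quiet refusal, so the question reads as if the capability might be granted later. If the line exists only to silence a log entry (smartd probing network interfaces, presumably), say so: `# net_admin is not needed; deny quietly to silence the audit entry`. The identical `# Needed?` wording above the sddm profile's `deny capability net_admin,` line in this commit would benefit from the same fix.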


@ -0,0 +1,153 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
# Video/audio extensions:
# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t
@{smplayer_ext} = [aA]{52,[aA][cC],[cC]3}
@{smplayer_ext} += [mM][kK][aA]
@{smplayer_ext} += [fF][lL][aA][cC]
@{smplayer_ext} += [mM][pP][123cC]
@{smplayer_ext} += [oO][gGmM][aA]
@{smplayer_ext} += [wW]{,[aA]}[vV]
@{smplayer_ext} += [wW][mM]{,[aA]}
@{smplayer_ext} += 3[gG]{[2pP],[pP][2pP]}
@{smplayer_ext} += [aA][sS][fF]
@{smplayer_ext} += [aA][vV][iI]
@{smplayer_ext} += [dD][iI][vV][xX]
@{smplayer_ext} += [mM][124][vV]
@{smplayer_ext} += [mM][kKoO][vV]
@{smplayer_ext} += [mM][pP][4aAeEgG]
@{smplayer_ext} += [mM][pP][eE][gG]{,[124]}
@{smplayer_ext} += [oO][gG][gGmMxXvV]
@{smplayer_ext} += [rR][mM]{,[vV][bB]}
@{smplayer_ext} += [wW][eE][bB][mM]
@{smplayer_ext} += [wW][mMtT][vV]
@{smplayer_ext} += [mM][pP]2[tT]
# Image extensions
# bmp, jpg, jpeg, png, gif
@{smplayer_ext} += [bB][mM][pP]
@{smplayer_ext} += [jJ][pP]{,[eE]}[gG]
@{smplayer_ext} += [pP][nN][gG]
@{smplayer_ext} += [gG][iI][fF]
# Subtitle extensions:
# srt, txt, sub
@{smplayer_ext} += [sS][rR][tT]
@{smplayer_ext} += [tT][xX][tT]
@{smplayer_ext} += [sS][uU][bB]
# Playlist extensions:
# m3u, m3u8, pls
@{smplayer_ext} += [mM]3[uU]{,8}
@{smplayer_ext} += [pP][lL][sS]
# For Qbittorrent !qB extension
@{smplayer_ext} += "!qB"
@{exec_path} = /{usr/,}bin/smplayer
profile smplayer @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/audio>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/wayland>
include <abstractions/dri-enumerate>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
include <abstractions/openssl>
include <abstractions/deny-root-dir-access>
# Needed for hardware decoding
##include <abstractions/nvidia>
signal (send) set=(term, kill),
signal (receive) set=(term, kill),
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
@{exec_path} mrix,
# Which media files SMPlayer should be able to open
/ r,
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
/tmp/ r,
owner /tmp/mozilla_*/ r,
owner /{home,media,tmp/mozilla_*}/**.@{smplayer_ext} rw,
# For SMB shares
owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r,
owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**.@{smplayer_ext} r,
# SMPlayer config files
owner @{user_config_dirs}/smplayer/ rw,
owner @{user_config_dirs}/smplayer/* rwkl -> @{user_config_dirs}/smplayer/#[0-9]*[0-9],
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
deny owner @{PROC}/@{pid}/stat r,
deny owner @{PROC}/@{pid}/cmdline r,
deny @{PROC}/sys/kernel/random/boot_id r,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/mounts r,
/etc/fstab r,
deny /dev/ r,
/dev/shm/#[0-9]*[0-9] rw,
owner /tmp/qtsingleapp-smplay-* rw,
owner /tmp/qtsingleapp-smplay-*-lockfile rwk,
/usr/share/hwdata/pnp.ids r,
# For the builtin thumbnail generator
owner /tmp/smplayer_preview/ rw,
owner /tmp/smplayer_preview/[0-9]*.{jpg,png} rw,
owner /tmp/smplayer-mpv-* w,
# External apps
/{usr/,}bin/mpv rPUx,
/{usr/,}bin/smtube rPUx,
/{usr/,}bin/youtube-dl rPUx,
# PulseAudio (to use "pacmd")
/{usr/,}bin/pacmd rPUx,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.anyRemote/anyremote.stdout w,
include if exists <local/smplayer>
}
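Review bot: The `owner /{home,media,tmp/mozilla_*}/**.@{smplayer_ext} rw,` line grants write, not just read, on every user-owned media, image, subtitle and playlist file under /home and /media, so a bug in the player or a hostile playlist can modify or truncate the user's whole library. If write is only needed for files the player itself produces (playlists, fetched subtitles), split the rule into `r` for the media extensions and `rw` for those few, with a comment naming the feature that writes them. Note also that `/home/` is used literally here while the rest of the file uses `@{HOME}`; that is reasonable for browsing other users' media, but a comment would stop it being "fixed" to `@{HOME}` later.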


@ -0,0 +1,107 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/smtube
profile smtube @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/qt5-compose-cache-write>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/gstreamer>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
@{exec_path} mr,
# SMTube config files
owner @{user_config_dirs}/smtube/ rw,
owner @{user_config_dirs}/smtube/* rwkl -> @{user_config_dirs}/smtube/#[0-9]*[0-9],
# Needed for updating YT code
owner @{user_config_dirs}/smplayer/yt.js rw,
owner @{user_config_dirs}/smplayer/#[0-9]*[0-9] rw,
owner @{user_config_dirs}/smplayer/hdpi.ini rw,
owner @{user_config_dirs}/smplayer/hdpi.ini.lock rwk,
owner @{user_config_dirs}/smplayer/hdpi.ini.* rwl -> @{user_config_dirs}/smplayer/#[0-9]*[0-9],
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
# Cache
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/smtube/ rw,
owner @{user_cache_dirs}/smtube/* rwk,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/usr/share/hwdata/pnp.ids r,
/dev/shm/#[0-9]*[0-9] rw,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
deny @{PROC}/sys/kernel/random/boot_id r,
# Players
/{usr/,}bin/mpv rPUx,
/{usr/,}bin/smplayer rPUx,
/{usr/,}bin/vlc rPUx,
/{usr/,}bin/cvlc rPUx,
/{usr/,}bin/youtube-dl rPUx,
/{usr/,}bin/xdg-open rCx -> open,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner /dev/tty[0-9]* rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/smtube>
}
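Review bot: `network netlink raw,` on the line after `network inet6 stream,` is unexplained; raw netlink sockets are not something a video-browser front end obviously needs, and the closely related smplayer profile in this commit gets by with `network netlink dgram,` alone. If it comes from a Qt or GLib network-state probe, a comment naming the denial it removes would justify it; otherwise it should be dropped. Separately, `owner @{user_config_dirs}/smplayer/yt.js rw,` lets this profile rewrite JavaScript that smplayer later loads — the `# Needed for updating YT code` comment should spell out that the file is code shared between the two profiles.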


@ -0,0 +1,97 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/spacefm
profile spacefm @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/disks-read>
include <abstractions/consoles>
# This should be tightened when the "profile has merged rule with conflicting x modifiers" error
# will be fixed. (#FIXME#)
include <abstractions/app-launcher-user>
include <abstractions/app-launcher-root>
# For root window
deny capability dac_read_search,
deny capability dac_override,
# Needed?
deny capability sys_nice,
# SpaceFM needs this for killing/terminating processes it initiates.
signal (send) set=(term, kill),
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/cgroup r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
@{sys}/fs/cgroup/{,**} r,
# To read/write files in the system. The read permission is granted for all files, the write
# permission only for the owner. Also, dirs like /dev/, /efi/, /proc/, /sys/ are not included in
# the list.
/ r,
/boot/ r,
/boot/** r,
owner /boot/** rw,
/etc/ r,
/etc/** r,
owner /etc/** rw,
/home/ r,
/home/** r,
/home/** rw,
/lost+found/ r,
/lost+found/** r,
owner /lost+found/** rw,
@{MOUNTS}/ r,
@{MOUNTS}/** r,
owner @{MOUNTS}/** rw,
/opt/ r,
/opt/** r,
owner /opt/** rw,
/root/ r,
/root/** r,
owner /root/** rw,
/run/ r,
/run/** r,
owner /run/** rw,
/srv/ r,
/srv/** r,
owner /srv/** rw,
/tmp/ r,
/tmp/** r,
owner /tmp/** rw,
/usr/ r,
/usr/** r,
owner /usr/** rw,
/var/ r,
/var/** r,
owner /var/** rw,
include if exists <local/spacefm>
}
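Review bot: The `/home/** rw,` line is missing the `owner` qualifier that every other write rule in this block carries (`owner /boot/** rw,`, `owner /etc/** rw,`, `owner @{MOUNTS}/** rw,`, ...), so a spacefm instance can write to any file under any user's home directory regardless of who owns it. Given the `/home/** r,` rule right above it, this looks like a typo rather than intent; it should read `owner /home/** rw,`. If cross-user writes are actually wanted for a root file manager, the `# To read/write files in the system` comment should say so, since it currently promises owner-only writes.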


@ -0,0 +1,17 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/spacefm-auth
profile spacefm-auth @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
include if exists <local/spacefm-auth>
}


@ -0,0 +1,164 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/spectre-meltdown-checker
profile spectre-meltdown-checker @{exec_path} {
include <abstractions/base>
# Needed to read the /dev/cpu/[0-9]*/msr device
capability sys_rawio,
# Needed to read system logs
capability syslog,
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/ r,
/{usr/,}bin/dirname rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/head rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/od rix,
/{usr/,}bin/dd rix,
/{usr/,}bin/id rix,
/{usr/,}bin/gunzip rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/zstd rix,
/{usr/,}bin/bunzip2 rix,
/{usr/,}bin/lzop rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/stat rix,
/{usr/,}bin/tail rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/seq rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/perl rix,
/{usr/,}bin/base64 rix,
/{usr/,}bin/unzip rix,
/{usr/,}bin/{,@{multiarch}-}readelf rix,
/{usr/,}bin/{,@{multiarch}-}strings rix,
/{usr/,}bin/{,@{multiarch}-}objdump rix,
/{usr/,}{s,}bin/iucode_tool rix,
/{usr/,}bin/dmesg rix,
/{usr/,}bin/mount rix,
/{usr/,}bin/pgrep rCx -> pgrep,
/{usr/,}bin/ccache rCx -> ccache,
/{usr/,}bin/kmod rCx -> kmod,
# To fetch MCE.db from the MCExtractor project
/{usr/,}bin/wget rCx -> mcedb,
/{usr/,}bin/sqlite3 rCx -> mcedb,
owner /tmp/mcedb-* rw,
owner /tmp/smc-* rw,
owner /tmp/intelfw-*/ rw,
owner /tmp/intelfw-*/fw.zip rw,
owner /tmp/intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-master/ rw,
owner /tmp/intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-master/** rw,
owner @{HOME}/.mcedb rw,
owner /{usr/,}bin/spectre-meltdown-checker w,
/tmp/ r,
owner /tmp/{config,kernel}-* rw,
owner /dev/cpu/[0-9]*/cpuid r,
owner /dev/cpu/[0-9]*/msr rw,
owner /dev/kmsg r,
/boot/ r,
/boot/{config,vmlinuz,System.map}-* r,
@{sys}/devices/system/cpu/vulnerabilities/* r,
@{sys}/module/kvm_intel/parameters/ept r,
@{PROC}/ r,
@{PROC}/config.gz r,
@{PROC}/cmdline r,
@{PROC}/kallsyms r,
@{PROC}/modules r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# For shell pwd
/root/ r,
/etc/ r,
profile ccache {
include <abstractions/base>
/{usr/,}bin/ccache mr,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix,
/media/ccache/*/** rw,
/etc/debian_version r,
}
profile pgrep {
include <abstractions/base>
/{usr/,}bin/pgrep mr,
# The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.
@{PROC}/ r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/uptime r,
}
profile mcedb {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
/{usr/,}bin/wget mr,
/{usr/,}bin/sqlite3 mr,
/etc/wgetrc r,
owner @{HOME}/.wget-hsts rwk,
/tmp/ r,
owner /tmp/mcedb-* rwk,
owner /tmp/intelfw-*/fw.zip rw,
/usr/share/publicsuffix/public_suffix_list.* r,
}
profile kmod {
include <abstractions/base>
/{usr/,}bin/kmod mr,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
@{PROC}/cmdline r,
}
include if exists <local/spectre-meltdown-checker>
}


@ -0,0 +1,37 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/speedtest{,-cli}
profile speedtest @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/file rix,
/{usr/,}bin/uname rix,
owner @{PROC}/@{pid}/fd/ r,
/usr/local/lib/python*/dist-packages/ r,
/etc/magic r,
include if exists <local/speedtest>
}


@ -0,0 +1,53 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /opt/SPFlashTool/flash_tool{,.sh}
profile spflashtool @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/deny-root-dir-access>
@{exec_path} mrix,
# SPFlashTool installation files
/opt/SPFlashTool/{,**} r,
/opt/SPFlashTool/lib*.so mr,
/opt/SPFlashTool/lib/lib*.so.[0-9]* mr,
/opt/SPFlashTool/*.ini rk,
# Session logs
owner /tmp/SP_FT_Logs/ rw,
owner /tmp/SP_FT_Logs/SP_FT_Dump_*/ rw,
owner /tmp/SP_FT_Logs/SP_FT_Dump_*1/QT_FLASH_TOOL.log w,
owner /tmp/SP_FT_Logs/SP_FT_Dump_*/BROM_DLL_V[0-9]*.log w,
owner /tmp/SP_FT_Logs/SP_FT_Dump_*/GLB_[0-9]*-[0-9]*_[0-9]*.log w,
owner /tmp/SP_FT_Logs/SP_FT_Dump_*/QT_FLASH_TOOL.log w,
owner /tmp/SP_FT_Logs/SP_FT_Dump_*/ADPT_[0-9]*-[0-9]*_[0-9]*.log w,
# For reading the scatter.txt file
owner /**/scatter.txt r,
owner @{user_config_dirs}/Trolltech.conf rwk,
owner @{user_config_dirs}/MTK/ rw,
owner @{user_config_dirs}/MTK/Clipper.conf rwk,
/dev/ r,
# For reading/writing from/to phone flash memory
/dev/ttyACM[0-9]* rw,
@{sys}/devices/pci[0-9]*/**/{idVendor,idProduct} r,
# Silence the noise
/opt/SPFlashTool/** w,
include if exists <local/spflashtool>
}


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/start-pulseaudio-x11
profile start-pulseaudio-x11 @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/pactl rPx,
/dev/tty rw,
include if exists <local/start-pulseaudio-x11>
}


@ -0,0 +1,46 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/startx
profile startx @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/deny-root-dir-access>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/hostname rix,
/{usr/,}bin/mcookie rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/tty rix,
/{usr/,}bin/expr rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/deallocvt rix,
/{usr/,}bin/xauth rPx,
/{usr/,}bin/xinit rPx,
/etc/X11/xinit/xinitrc r,
/etc/X11/xinit/xserverrc r,
owner @{HOME}/ r,
owner @{HOME}/.xinitrc r,
owner @{HOME}/.xserverrc r,
/tmp/ r,
owner /tmp/serverauth.* rw,
/dev/ r,
owner /dev/tty[0-9]* rw,
include if exists <local/startx>
}


@ -0,0 +1,137 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{MEDIA_LIB} = @{MOUNTS}/*/mp3/
@{exec_path} = /{usr/,}bin/strawberry
profile strawberry @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/audio>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/devices-usb>
include <abstractions/gstreamer>
include <abstractions/deny-root-dir-access>
signal (send) set=(term, kill) peer=strawberry-tagreader,
signal (receive) set=(term, kill) peer=anyremote//*,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
@{exec_path} mr,
/{usr/,}bin/strawberry-tagreader rPx,
/{usr/,}bin/xdg-open rCx -> open,
# Media library
/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/*/ r,
owner @{MEDIA_LIB}/ r,
owner @{MEDIA_LIB}/** rw,
# Playlists
owner @{HOME}/**.{m3u,xspf,pls,asx,cue,wpl} rw,
owner @{HOME}/**.{M3U,XSPF,PLS,ASX,CUE,WPL} rw,
owner @{HOME}/ r,
owner @{user_config_dirs}/strawberry/ rw,
owner @{user_config_dirs}/strawberry/* rwkl -> @{user_config_dirs}/strawberry/#[0-9]*[0-9],
owner @{user_share_dirs}/strawberry/ rw,
owner @{user_share_dirs}/strawberry/** rwk,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/strawberry/ rw,
owner @{user_cache_dirs}/strawberry/** rwl -> @{user_cache_dirs}/strawberry/networkcache/prepared/#[0-9]*[0-9],
owner @{user_cache_dirs}/xine-lib/ rw,
owner @{user_cache_dirs}/xine-lib/plugins.cache{,.new} rw,
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
deny @{PROC}/sys/kernel/random/boot_id r,
@{run}/mount/utab r,
/etc/fstab r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/sr[0-9]* r,
owner /tmp/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw,
owner /tmp/.*/ rw,
owner /tmp/.*/s rw,
owner /tmp/strawberry*[0-9] w,
owner /tmp/strawberry-cover-*.jpg rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/*= w,
owner /var/tmp/etilqs_[0-9a-f]* rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/usr/share/hwdata/pnp.ids r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.anyRemote/anyremote.stdout w,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/strawberry>
}


@ -0,0 +1,34 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{MEDIA_LIB} = @{MOUNTS}/*/mp3/
@{exec_path} = /{usr/,}bin/strawberry-tagreader
profile strawberry-tagreader @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
signal (receive) set=(term, kill) peer=strawberry,
signal (receive) set=(term, kill) peer=anyremote//*,
@{exec_path} mr,
# Media library
owner @{MEDIA_LIB}/ r,
owner @{MEDIA_LIB}/** rw,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.anyRemote/anyremote.stdout w,
owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
include if exists <local/strawberry-tagreader>
}


@ -0,0 +1,61 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/su
profile su @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/authentication>
include <abstractions/wutmp>
include <abstractions/nameservice-strict>
# include <pam/mappings>
# To remove the following errors:
# su: cannot set groups: Operation not permitted
capability setgid,
# To remove the following errors:
# su: cannot set user id: Operation not permitted
capability setuid,
# To write records to the kernel auditing log.
capability audit_write,
# Needed?
audit deny capability net_bind_service,
signal (send) set=(term,kill),
signal (receive) set=(int,quit,term),
network netlink raw,
@{exec_path} mr,
# Shells to use
/{usr/,}bin/{,b,d,rb}ash rpux,
/{usr/,}bin/{c,k,tc,z}sh rpux,
# Fake shells to politely refuse a login
#/{usr/,}{s,}bin/nologin rpux,
/etc/environment r,
@{PROC}/1/limits r,
owner @{PROC}/@{pid}/loginuid r,
/etc/default/locale r,
/etc/security/limits.d/ r,
/etc/shells r,
# For pam_securetty
@{PROC}/cmdline r,
@{sys}/devices/virtual/tty/console/active r,
include if exists <local/su>
}


@ -0,0 +1,87 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/sudo
profile sudo @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/authentication>
include <abstractions/wutmp>
include <abstractions/nameservice-strict>
# include <pam/mappings>
# To remove the following errors:
# sudo: unable to change to root gid: Operation not permitted
capability setgid,
# To remove the following errors:
# sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted
# sudo: no valid sudoers sources found, quitting
# sudo: setresuid() [0, 0, 0] -> [1000, -1, -1]: Operation not permitted
capability setuid,
# To write records to the kernel auditing log.
capability audit_write,
# For changing ownership of the /var/log/sudo.log file
capability chown,
# Needed? (#FIXME#)
capability sys_resource,
capability net_admin,
capability sys_ptrace,
capability dac_read_search,
capability dac_override,
capability mknod,
ptrace read,
# To remove the following error:
# sudo: PAM account management error: Permission denied
# sudo: unable to open audit system: Permission denied
# sudo: a password is required
network netlink raw,
signal,
@{exec_path} mr,
# Shells to use
/{usr/,}bin/{,b,d,rb}ash rpux,
/{usr/,}bin/{c,k,tc,z}sh rpux,
/{usr/,}bin/[a-z0-9]* rPUx,
/{usr/,}{s,}bin/[a-z0-9]* rPUx,
/{usr/,}lib/cockpit/cockpit-askpass rPx,
/dev/ r,
/dev/ptmx rw,
# For timestampdir
owner @{run}/sudo/ rw,
owner @{run}/sudo/ts/ rw,
owner @{run}/sudo/ts/* rwk,
@{run}/faillock/{,*} rwk,
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/stat r,
/etc/sudo.conf r,
/etc/sudoers r,
/etc/sudoers.d/{,*} r,
/etc/environment r,
/etc/security/limits.d/{,*} r,
/var/log/sudo.log wk,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
include if exists <local/sudo>
}


@ -0,0 +1,35 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/suid3num
@{exec_path} += /{usr/,}bin/suid3num.py
profile suid3num @{exec_path} {
include <abstractions/base>
include <abstractions/python>
capability dac_read_search,
capability sys_ptrace,
ptrace (read),
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/{,ba,da}sh rix,
/usr/bin/find rix,
owner @{PROC}/@{pid}/fd/ r,
/ r,
/**/ r,
deny @{MOUNTS}/ r,
deny @{MOUNTS}/**/ r,
include if exists <local/suid3num>
}


@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/swaplabel
profile swaplabel @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
@{exec_path} mr,
# SWAP file common locations
owner /swapfile rw,
include if exists <local/swaplabel>
}


@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/swapoff
profile swapoff @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
/etc/fstab r,
@{PROC}/swaps r,
# SWAP file common locations
owner /swapfile rw,
include if exists <local/swapoff>
}


@ -0,0 +1,26 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/swapon
profile swapon @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
@{exec_path} mr,
/etc/fstab r,
@{PROC}/swaps r,
# SWAP file common locations
owner /swapfile rw,
include if exists <local/swapon>
}


@ -0,0 +1,70 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{SYNC_DIR} = @{HOME}/Sync/
@{SYNC_DIR} += @{MOUNTS}/*/syncthing/
@{exec_path} = /{usr/,}bin/syncthing
profile syncthing @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mrix,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/ip rix,
owner @{HOME}/ r,
owner @{user_config_dirs}/syncthing/ rw,
owner @{user_config_dirs}/syncthing/** rwk,
@{SYNC_DIR}/{,**} rw,
/etc/mime.types r,
@{PROC}/sys/net/core/somaxconn r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
# Silecne the noise
deny /etc/ssl/certs/java/ r,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/syncthing>
}
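Review bot: The comment `# Silecne the noise` above the `deny /etc/ssl/certs/java/ r,` rule is misspelled and should read `# Silence the noise`. The commit reports 0 additions and 0 deletions, so this file appears to be moved rather than changed, but the move is a reasonable moment to correct it.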


@ -0,0 +1,81 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/system-config-printer
@{exec_path} += /usr/share/system-config-printer/system-config-printer.py
profile system-config-printer @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/python>
include <abstractions/nameservice-strict>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/openssl>
include <abstractions/deny-root-dir-access>
network inet stream,
network inet6 stream,
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}lib/cups/*/* rCx -> cups,
# For HP printers
/usr/share/hplip/query.py rPUx,
/usr/share/system-config-printer/{,**} r,
/usr/share/cups/data/testprint r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/fstab r,
/etc/cups/cupsd.conf r,
/etc/cupshelpers/preferreddrivers.xml r,
/etc/papersize r,
# To set the default printer
owner @{HOME}/.cups/ rw,
owner @{HOME}/.cups/lpoptions rw,
owner /tmp/* rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
# file_inherit
owner /dev/tty[0-9]* rw,
profile cups flags=(complain) {
include <abstractions/base>
network inet dgram,
network inet6 dgram,
/{usr/,}lib/cups/*/* mr,
/etc/cups/snmp.conf r,
}
include if exists <local/system-config-printer>
}


@ -0,0 +1,29 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/system-config-printer-applet /usr/share/system-config-printer/applet.py
profile system-config-printer-applet @{exec_path} {
include <abstractions/base>
include <abstractions/python>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
network inet stream,
network inet6 stream,
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/python3.[0-9]* r,
/usr/share/system-config-printer/{,**} r,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/system-config-printer-applet>
}


@ -0,0 +1,25 @@
# vim:syntax=apparmor
include <tunables/global>
profile system_tor flags=(attach_disconnected) {
include <abstractions/tor>
include <abstractions/openssl>
owner /var/lib/tor/** rwk,
owner /var/lib/tor/ r,
owner /var/log/tor/* w,
# During startup, tor (as root) tries to open various things such as
# directories via check_private_dir(). Let it.
/var/lib/tor/** r,
/{,var/}run/tor/ r,
/{,var/}run/tor/control w,
/{,var/}run/tor/socks w,
/{,var/}run/tor/tor.pid w,
/{,var/}run/tor/control.authcookie w,
/{,var/}run/tor/control.authcookie.tmp rw,
/{,var/}run/systemd/notify w,
include if exists <local/system_tor>
}
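Review bot: This profile has no `abi <abi/3.0>,` line and no header comment block, unlike every other profile shown in this set, so the parser presumably falls back to its pre-3.0 ABI handling for it, under which some rule classes may not be mediated the same way as in the rest of the directory. Adding `abi <abi/3.0>,` before `include <tunables/global>` would bring it in line; the `# vim:syntax=apparmor` modeline can stay. The commit appears to move the file unchanged, so this is a pre-existing inconsistency rather than something the rename introduced.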


@ -0,0 +1,81 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/tasksel
profile tasksel @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/tempfile rix,
/{usr/,}lib/tasksel/tasksel-debconf rix,
/{usr/,}lib/tasksel/tests/* rCx -> tasksel-tests,
# Think what to do about this (#FIXME#)
/usr/share/debconf/frontend rPx,
#/usr/share/debconf/frontend rCx -> frontend,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
#
/{usr/,}bin/apt-cache rPx,
/{usr/,}bin/debconf-apt-progress rPx,
/usr/share/tasksel/** r,
/usr/share/debconf/confmodule r,
owner /tmp/file* w,
profile tasksel-tests flags=(complain) {
include <abstractions/base>
/{usr/,}lib/tasksel/tests/* r,
/{usr/,}bin/{,ba,da}sh rix,
}
profile frontend flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r,
/{usr/,}bin/perl r,
/{usr/,}bin/tasksel rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/locale rix,
# The following is needed when debconf uses dialog/whiptail frontend.
/{usr/,}bin/whiptail rPx,
owner /tmp/file* w,
/usr/share/debconf/confmodule r,
/etc/debconf.conf r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
/usr/share/debconf/templates/adequate.templates r,
/etc/shadow r,
}
include if exists <local/tasksel>
}
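Review bot: The `frontend` child profile grants `/etc/shadow r,` with no comment explaining why a debconf frontend needs to read the password database, and the only transition into that subprofile (`#/usr/share/debconf/frontend rCx -> frontend,`) is commented out, so the subprofile is currently unreachable dead policy. If the rule is intentional, a one-line comment naming the debconf or PAM path that requires it is warranted; otherwise dropping the unused subprofile removes a broad grant that could be enabled by accident when the `rCx` line is uncommented. Both the parent and the child are in complain mode, so nothing here is enforced yet. The commit appears to move the file unchanged, so this is pre-existing.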


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/tftp
profile tftp @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/user-download-strict>
@{exec_path} mr,
include if exists <local/tftp>
}


@ -0,0 +1,54 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2020 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/thermald
profile thermald @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
owner @{run}/thermald/ rw,
owner @{run}/thermald/thd_preference.conf rw,
owner @{run}/thermald/thd_preference.conf.save w,
owner @{run}/thermald/thermald.pid rwk,
/etc/thermald/thermal-conf.xml r,
/etc/thermald/thermal-cpu-cdev-order.xml r,
@{sys}/class/hwmon/ r,
@{sys}/class/thermal/ r,
@{sys}/devices/platform/ r,
@{sys}/devices/system/cpu/present r,
@{sys}/devices/system/cpu/intel_pstate/max_perf_pct r,
@{sys}/devices/system/cpu/intel_pstate/status r,
@{sys}/devices/pci[0-9]*/**/drm/**/intel_backlight/max_brightness r,
@{sys}/devices/**/hwmon[0-9]*/name r,
@{sys}/devices/**/hwmon[0-9]*/temp[0-9]*_{max,crit} r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/product_uuid r,
@{sys}/devices/virtual/thermal/**/{type,temp} r,
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/ r,
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_temp rw,
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_type r,
@{sys}/devices/virtual/thermal/cooling_device[0-9]*/cur_state rw,
@{sys}/devices/virtual/thermal/cooling_device[0-9]*/max_state r,
@{sys}/devices/virtual/powercap/intel-rapl/ r,
@{sys}/devices/virtual/powercap/intel-rapl/**/name r,
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/ r,
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/* r,
include if exists <local/thermald>
}


@ -0,0 +1,29 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/thinkfan
profile thinkfan @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/thinkfan.conf r,
/etc/thinkfan.yaml r,
@{sys}/devices/**/hwmon/**/pwm[0-9]* rw,
@{sys}/devices/**/hwmon/**/pwm[0-9]*_enable rw,
@{sys}/devices/**/hwmon/**/temp[0-9]*_input r,
@{PROC}/acpi/ibm/thermal r,
@{PROC}/acpi/ibm/fan rw,
owner @{run}/thinkfan.pid rw,
include if exists <local/thinkfan>
}


@ -0,0 +1,64 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/tint2
profile tint2 @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/deny-root-dir-access>
include <abstractions/app-launcher-user>
network netlink dgram,
@{exec_path} mr,
# Tint2 files
/usr/share/tint2/{,**} r,
# Tint2 config files
/etc/xdg/tint2/tint2rc r,
owner @{user_config_dirs}/tint2/{,*} rw,
# Tint2 cache files
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/tint2/ rw,
owner @{user_cache_dirs}/tint2/[0-9a-f]*.png w,
owner @{user_cache_dirs}/tint2/icon.cache rwk,
# Launcher config files
owner @{user_config_dirs}/launchers/{,*.desktop} r,
owner @{user_config_dirs}/launchers/icons/{,*.png} r,
/{usr/,}lib/@{multiarch}/imlib2/loaders/*.so mr,
# Some missing icons
/usr/share/**.png r,
owner @{HOME}/.Xauthority r,
owner /tmp/tint2-@{pid}-[0-9]*.png rw,
# Battery applet
@{sys}/class/power_supply/ r,
@{sys}/devices/**/power_supply/**/* r,
@{sys}/fs/cgroup/{,**} r,
/dev/shm/#[0-9]*[0-9] rw,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/mountinfo r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
include if exists <local/tint2>
}


@ -0,0 +1,43 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/tint2conf
profile tint2conf @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
/{usr/,}bin/tint2 rPx,
/{usr/,}bin/{,ba,da}sh rix,
/usr/share/tint2/{,*} r,
/etc/xdg/tint2/ r,
/etc/xdg/tint2/tint2rc r,
owner @{user_config_dirs}/tint2/ r,
owner @{user_config_dirs}/tint2/* rw,
owner @{user_cache_dirs}/tint2/[0-9a-f]*.png r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/tint2conf>
}


@ -0,0 +1,75 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
# When any of the "ns*" fields is displayed, the following error will be printed:
# "Failed name lookup - disconnected path" error=-13 profile="top" name="".
@{exec_path} = /{usr/,}bin/top
profile top @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/wutmp>
include <abstractions/nameservice-strict>
# To be able to read the /proc/ files of all processes in the system.
capability dac_read_search,
# To manage priorities.
capability sys_nice,
# To terminate other users' processes when top is started as root.
capability kill,
capability sys_ptrace,
signal (send),
ptrace (read),
@{exec_path} mr,
/usr/share/terminfo/x/xterm-256color r,
@{PROC}/ r,
@{PROC}/loadavg r,
@{PROC}/uptime r,
@{PROC}/tty/drivers r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/statm r,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/oom_{,score_}adj r,
@{PROC}/@{pids}/oom_score r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/wchan r,
@{PROC}/@{pids}/task/ r,
@{PROC}/@{pids}/task/@{tid}/cmdline r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/@{pids}/task/@{tid}/statm r,
@{PROC}/@{pids}/task/@{tid}/environ r,
@{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r,
@{PROC}/@{pids}/task/@{tid}/oom_score r,
@{PROC}/@{pids}/oom_{,score_}adj r,
@{PROC}/@{pids}/oom_score r,
@{PROC}/@{pids}/task/@{tid}/cgroup r,
@{PROC}/@{pids}/task/@{tid}/wchan r,
@{PROC}/@{pids}/task/@{tid}/status r,
/etc/topdefaultrc r,
/etc/toprc r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
@{sys}/devices/system/node/node[0-9]*/cpumap r,
owner @{user_config_dirs}/procps/ rw,
owner @{user_config_dirs}/procps/toprc rw,
include if exists <local/top>
}


@ -0,0 +1,17 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/torify
profile torify @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
include if exists <local/torify>
}


@ -0,0 +1,17 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/torsocks
profile torsocks @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
include if exists <local/torsocks>
}


@ -0,0 +1,29 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/tpacpi-bat
profile tpacpi-bat @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} mr,
/{usr/,}bin/perl r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
# To load the acpi_call module
/{usr/,}bin/kmod rPx,
@{PROC}/acpi/call rw,
@{sys}/devices/virtual/dmi/id/product_version r,
@{sys}/devices/**/path r,
include if exists <local/tpacpi-bat>
}


@ -0,0 +1,33 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/{tune2fs,e2label}
profile tune2fs @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
include <abstractions/nameservice-strict>
network inet stream,
network inet6 stream,
@{exec_path} mr,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/swaps r,
/.ismount-test-file rw,
owner @{run}/blkid/blkid.tab{,-*} rw,
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
# Image files
@{HOME}/** rw,
@{MOUNTS}/*/** rw,
include if exists <local/tune2fs>
}
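Review bot: The `# Image files` rules `@{HOME}/** rw,` and `@{MOUNTS}/*/** rw,` carry no `owner` qualifier, unlike most user-data rules elsewhere in this set, so tune2fs may read and write any file under any user's home or mounted media regardless of who owns it. If the intent is image files belonging to the invoking user, `owner @{HOME}/** rw,` and `owner @{MOUNTS}/*/** rw,` narrow the grant; if root must operate on other users' images, that deserves a comment. The commit appears to move the file unchanged, so this is pre-existing.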

116
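--- a/apparmor.d/profiles-s-z/ucf
+++ b/apparmor.d/profiles-s-z/ucf
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}bin/ucf
+profile ucf @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  @{exec_path} r,
+  /{usr/,}bin/{,ba,da}sh rix,
+  /{usr/,}bin/basename rix,
+  /{usr/,}bin/seq rix,
+  /{usr/,}bin/cp rix,
+  /{usr/,}bin/mv rix,
+  /{usr/,}bin/rm rix,
+  /{usr/,}bin/{,e}grep rix,
+  /{usr/,}bin/which{,.debianutils} rix,
+  /{usr/,}bin/md5sum rix,
+  /{usr/,}bin/sed rix,
+  /{usr/,}bin/getopt rix,
+  /{usr/,}bin/mkdir rix,
+  /{usr/,}bin/cat rix,
+  /{usr/,}bin/id rix,
+  /{usr/,}bin/readlink rix,
+  /{usr/,}bin/perl rix,
+  /{usr/,}bin/gawk rix,
+  /{usr/,}bin/tr rix,
+  /{usr/,}bin/dirname rix,
+  /{usr/,}bin/stat rix,
+  # Do not strip env to avoid errors like the following:
+  # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
+  # shared object file): ignored.
+  /{usr/,}bin/dpkg-query rpx,
+  #
+  /{usr/,}bin/dpkg-divert rPx,
+  /{usr/,}bin/sensible-pager rCx -> pager,
+  # Think what to do about this (#FIXME#)
+  /usr/share/debconf/frontend rPx,
+  #/usr/share/debconf/frontend rCx -> frontend,
+  /etc/ucf.conf r,
+  /var/lib/ucf/** rw,
+  owner /tmp/* rw,
+  /etc/default/* rw,
+  # For md5sum
+  /etc/** r,
+  /usr/share/*/conffiles/* r,
+  @{run}/** r,
+  # For writing new config files
+  /etc/** rw,
+  /usr/share/debconf/confmodule r,
+  # For shell pwd
+  / r,
+  /root/ r,
+  profile pager flags=(complain) {
+    include <abstractions/base>
+    include <abstractions/consoles>
+    /{usr/,}bin/ r,
+    /{usr/,}bin/sensible-pager mr,
+    # For shell pwd
+    /root/ r,
+  }
+  profile frontend flags=(complain) {
+    include <abstractions/base>
+    include <abstractions/consoles>
+    include <abstractions/perl>
+    include <abstractions/nameservice-strict>
+    /usr/share/debconf/frontend r,
+    /{usr/,}bin/perl r,
+    /{usr/,}bin/ucf rPx,
+    /{usr/,}bin/{,ba,da}sh rix,
+    /{usr/,}bin/stty rix,
+    /{usr/,}bin/locale rix,
+    /etc/debconf.conf r,
+    owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
+    # The following is needed when debconf uses GUI frontends.
+    include <abstractions/gtk>
+    include <abstractions/fonts>
+    include <abstractions/fontconfig-cache-read>
+    include <abstractions/freedesktop.org>
+    capability dac_read_search,
+    /{usr/,}bin/lsb_release rPx -> lsb_release,
+    /{usr/,}bin/hostname rix,
+    owner @{PROC}/@{pid}/mounts r,
+    @{HOME}/.Xauthority r,
+  }
+  include if exists <local/ucf>
+}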
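Review bot: The rules `/etc/** r,` (under `# For md5sum`), `/etc/default/* rw,` and `/etc/** rw,` (under `# For writing new config files`) overlap: the last one subsumes the other two, so the narrower rules add nothing and the comments suggest a finer-grained split that the policy does not actually enforce. Either drop the redundant lines, or if the intent is to confine writes to a smaller set of configuration paths, replace `/etc/** rw,` with those specific paths. The profile is in complain mode, so this is a cleanup rather than a behaviour change today. The commit appears to move the file unchanged, so this is pre-existing.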


@ -0,0 +1,73 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/udiskie
profile udiskie @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/python>
include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/mesa>
include <abstractions/dri-enumerate>
include <abstractions/deny-dconf>
include <abstractions/deny-root-dir-access>
@{exec_path} r,
/{usr/,}bin/python3.[0-9] r,
/{usr/,}bin/ r,
/{usr/,}bin/xdg-open rCx -> open,
owner @{user_config_dirs}/udiskie/ r,
owner @{user_config_dirs}/udiskie/config.yml r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
/etc/fstab r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# Allowed apps to open
/{usr/,}bin/spacefm rPx,
# Silencer
deny /{usr/,}lib/** w,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}bin/spacefm rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/udiskie>
}
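Review bot: `/{usr/,}bin/python3.[0-9] r,` near the top of the udiskie profile matches only single-digit minor versions, so the interpreter path stops matching at python3.10 and the profile will block the tool from starting rather than fail open. The udiskie-info, udiskie-mount and udiskie-umount profiles below carry the same glob, while update-command-not-found further down already uses `/{usr/,}bin/python3.[0-9]* r,`. Changing the four rules to `/{usr/,}bin/python3.[0-9]* r,` keeps them consistent with that profile and with future interpreter versions.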


@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/udiskie-info
profile udiskie-info @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@{exec_path} r,
/{usr/,}bin/python3.[0-9] r,
/usr/bin/ r,
owner @{user_config_dirs}/udiskie/ r,
owner @{user_config_dirs}/udiskie/config.yml r,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/udiskie-info>
}


@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/udiskie-mount
profile udiskie-mount @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@{exec_path} r,
/{usr/,}bin/python3.[0-9] r,
/usr/bin/ r,
owner @{user_config_dirs}/udiskie/ r,
owner @{user_config_dirs}/udiskie/config.yml r,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/udiskie-mount>
}


@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/udiskie-umount
profile udiskie-umount @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@{exec_path} r,
/{usr/,}bin/python3.[0-9] r,
/usr/bin/ r,
owner @{user_config_dirs}/udiskie/ r,
owner @{user_config_dirs}/udiskie/config.yml r,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/udiskie-umount>
}


@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/udisksctl
profile udisksctl @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/dev/tty rw,
include if exists <local/udisksctl>
}


@ -0,0 +1,134 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/udisks2/udisksd
@{exec_path} += @{libexec}/udisks2/udisksd
profile udisksd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/disks-write>
# To remove the following errors:
# udisksd[]: Error probing device: Error sending ATA command IDENTIFY DEVICE to '/dev/sda':
# SGIO v3 ioctl failed (v4 not supported): Operation not permitted (g-io-error-quark, 14)
capability sys_rawio,
# To allow users to mount volumes
# Error mounting /dev/sd*: GDBus.Error:org.freedesktop.UDisks2.Error.Failed:
# Error mounting /dev/sd* at /media/*/*: Operation not permitted.
capability sys_admin,
capability chown,
capability dac_read_search,
capability dac_override,
# Needed?
deny capability sys_nice,
network netlink raw,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/umount rix,
/{usr/,}bin/eject rPx,
/{usr/,}{s,}bin/dumpe2fs rPx,
/{usr/,}{s,}bin/dmidecode rPx,
/{usr/,}{s,}bin/lvm rPUx,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/systemd-escape rPx,
# Allow mounting of removable devices
mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/sd[a-z] -> @{MOUNTS}/*/*/,
mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/sd[a-z][0-9]* -> @{MOUNTS}/*/*/,
mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/dm-[0-9]* -> @{MOUNTS}/*/*/,
# Allow mounting of loop devices (ISO files)
mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/loop[0-9]* -> @{MOUNTS}/*/*/,
mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/*/,
# Allow mounting of cdrom
mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/loop[0-9]* -> /media/cdrom[0-9]/,
mount fstype={iso9660,udf} /dev/sr[0-9]* -> /media/cdrom[0-9]/,
# Allow mounting od sd cards
mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/mmcblk[0-9] -> @{MOUNTS}/*/*/,
mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/*/,
# Allow unmounting
umount @{MOUNTS}/*/,
umount @{MOUNTS}/*/*/,
umount /media/cdrom[0-9]/,
# Be able to create/delete dirs for removable media
@{MOUNTS}/*/ rw,
@{MOUNTS}/*/*/ rw,
/media/cdrom[0-9]/ rw,
# Udisks2 config files
/etc/udisks2/ r,
/etc/udisks2/udisks2.conf r,
# For mounting NTFS disks
capability setuid,
capability setgid,
/{usr/,}bin/ntfs-3g rPx,
/etc/libblockdev/conf.d/ r,
/etc/libblockdev/conf.d/[0-9][0-9]-default.cfg r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/swaps r,
@{PROC}/devices r,
# To be able to initialize device-mapper disk devices
/dev/mapper/ r,
/dev/mapper/control rw,
# The special /dev/loop-control file can be used to create and destroy loop devices or to find
# the first available loop device.
/dev/loop-control rw,
# To check whether the x-udisks-auth option was used to specify that additional authorization is
# required to mount/unlock a device
/etc/fstab r,
/etc/crypttab r,
# To be able to operate on encryted devices
@{run}/cryptsetup/ r,
@{run}/cryptsetup/L* rwk,
@{sys}/fs/ r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}uevent w,
@{sys}/devices/virtual/block/dm-[0-9]*/ w,
@{sys}/devices/virtual/block/dm-[0-9]*/** w,
# For powering off USB devices
@{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}remove rw,
@{sys}/devices/virtual/bdi/**/read_ahead_kb r,
@{run}/ r,
# Info on mounted devices
@{run}/mount/utab{,.*} rw,
@{run}/mount/utab.lock rwk,
/var/lib/udisks2/ r,
/var/lib/udisks2/mounted-fs{,*} rw,
@{run}/udisks2/{,**} rw,
@{run}/systemd/seats/seat[0-9]* r,
@{run}/systemd/inhibit/[0-9]*.ref rw,
include if exists <local/udisksd>
}
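Review bot: `/{usr/,}{s,}bin/lvm rPUx,` falls back to running lvm unconfined whenever no `lvm` profile is loaded, so a root daemon that already holds `sys_admin`, `sys_rawio` and `dac_override` can spawn an unconfined child; if the profile set ships an lvm profile, `rPx` is the safer transition, otherwise a comment recording that the unconfined fallback is accepted would make the choice auditable. Separately, the first rule under `# Allow mounting of cdrom` takes `/dev/loop[0-9]*` as its source with a `/media/cdrom[0-9]/` target and looks like a copy of the loop rules above it; if optical media is the intent, the `/dev/sr[0-9]*` rule that follows already covers it, and if loop-backed ISOs mounted under /media/cdrom are intended, the comment should say so. The comment `# Allow mounting od sd cards` has a typo (`of`).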


@ -0,0 +1,58 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/umount
profile umount @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# To be able to umount anything
# umount2("/mnt", 0) = -1 EPERM (Operation not permitted)
#
# umount: /mnt: must be superuser to unmount.
capability sys_admin,
capability setuid,
capability setgid,
capability dac_read_search,
capability chown,
umount,
network inet stream,
network inet6 stream,
@{exec_path} mr,
/{usr/,}sbin/umount.* rPx,
/{usr/,}sbin/mount.* rPx,
# Mount points
@{HOME}/ r,
@{HOME}/*/ r,
@{HOME}/*/*/ r,
@{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r,
/media/cdrom[0-9]/ r,
/etc/mtab r,
/etc/fstab r,
owner @{PROC}/@{pid}/mountinfo r,
@{sys}/devices/virtual/block/dm-[0-9]*/dm/name r,
owner @{run}/mount/ rw,
owner @{run}/mount/utab.lock wk,
@{run}/mount/utab{,.*} rw,
include if exists <local/umount>
}


@ -0,0 +1,16 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/umount.udisks2
profile umount.udisks2 @{exec_path} flags=(complain) {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/umount.udisks2>
}


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/uname
profile uname @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
owner /tmp/mktexlsr.* rw,
# file_inherit
owner @{HOME}/.xsession-errors w,
include if exists <local/uname>
}


@ -0,0 +1,37 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/unhide{,-linux}
profile unhide-linux @{exec_path} {
include <abstractions/base>
capability kill,
capability sys_ptrace,
ptrace (read),
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/ps rix,
@{PROC}/ r,
@{PROC}/uptime r,
@{PROC}/@{pids}/ r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/task/ r,
@{PROC}/@{pids}/task/@{tid}/ r,
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/@{pids}/task/@{tid}/cmdline r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/kernel/osrelease r,
include if exists <local/unhide-linux>
}


@ -0,0 +1,40 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/unhide-posix
profile unhide-posix @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability sys_ptrace,
ptrace (read),
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/ps rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{,e}grep rix,
@{PROC}/ r,
@{PROC}/uptime r,
#@{PROC}/@{pids}/ r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/task/ r,
#@{PROC}/@{pids}/task/@{tid}/ r,
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/@{pids}/task/@{tid}/cmdline r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/tty/drivers r,
include if exists <local/unhide-posix>
}


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/unhide_rb
profile unhide-rb @{exec_path} {
include <abstractions/base>
capability sys_ptrace,
ptrace (read),
@{exec_path} mr,
@{PROC}/ r,
@{PROC}/@{pids}/task/ r,
include if exists <local/unhide-rb>
}


@ -0,0 +1,34 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/unhide-tcp
profile unhide-tcp @{exec_path} {
include <abstractions/base>
capability net_bind_service,
capability syslog,
ptrace (read),
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/ss rix,
/{usr/,}bin/netstat rix,
/{usr/,}bin/fuser rix,
@{PROC}/@{pids}/net/tcp{,6} r,
@{PROC}/@{pids}/net/udp{,6} r,
@{PROC}/@{pids}/fd/ r,
# For logs
/**/unhide-tcp_[0-9]*-[0-9]*-[0-9]*.log w,
include if exists <local/unhide-tcp>
}
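Review bot: `/**/unhide-tcp_[0-9]*-[0-9]*-[0-9]*.log w,` under `# For logs` is anchored only by the file name, so the tool may create a file of that name in any directory on the system, /etc and /usr included. If the log is written to the caller's working directory, listing the directories actually used is tighter; at minimum an `owner` qualifier, `owner /**/unhide-tcp_[0-9]*-[0-9]*-[0-9]*.log w,`, prevents the rule from granting writes to files the process does not own. A short comment naming where the log normally lands would also help the next person who tightens this.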


@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/unix_chkpwd
profile unix-chkpwd @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To write records to the kernel auditing log.
capability audit_write,
network netlink raw,
@{exec_path} mr,
/etc/shadow r,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/unix-chkpwd>
}


@ -0,0 +1,54 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/unmkinitramfs
profile unmkinitramfs @{exec_path} {
include <abstractions/base>
# To avoid the following error:
# cpio: etc/console-setup/null: Cannot mknod: Operation not permitted
capability mknod,
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/xzcat rix,
/{usr/,}bin/lz4cat rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/dd rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/cpio rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/lzma rix,
/{usr/,}bin/lzop rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/zstd rix,
/boot/ r,
owner /boot/initrd.img-* r,
/tmp/ r,
owner /tmp/initrd.img-* r,
/mnt/ r,
owner /mnt/initrd.img-* r,
/mnt/boot/ r,
owner /mnt/boot/initrd.img-* r,
# To extract the content of the initrd image
owner /tmp/** rwl -> /tmp/**,
/var/tmp/ r,
owner /var/tmp/unmkinitramfs_* rw,
include if exists <local/unmkinitramfs>
}


@ -0,0 +1,32 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/update-alternatives
profile update-alternatives @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/var/log/alternatives.log w,
/etc/alternatives/* rw,
/var/lib/dpkg/alternatives/ r,
/var/lib/dpkg/alternatives/* rw,
/{usr/,}bin/* w,
/{usr/,}bin/*.dpkg-tmp rw,
/{usr/,}sbin/* w,
/{usr/,}sbin/*.dpkg-tmp rw,
/usr/** rw,
include if exists <local/update-alternatives>
}
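Review bot: `/usr/** rw,` as the last file rule grants read-write over the whole of /usr and makes `/{usr/,}bin/* w,`, `/{usr/,}bin/*.dpkg-tmp rw,` and the two sbin rules above it redundant for the /usr case. Alternative links are registered at arbitrary paths (man pages under /usr/share/man, for instance), so a blanket rule may well be intentional, but without a comment it reads as an accidental widening of a profile whose other rules are deliberately narrow. Suggest either narrowing it to the prefixes the alternatives database actually uses or adding `# Alternative links and their .dpkg-tmp staging files can live anywhere under /usr` above it, and dropping the four now-redundant rules if the blanket grant stays.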


@ -0,0 +1,114 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/update-ca-certificates
profile update-ca-certificates @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/ssl_certs>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/find rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/test rix,
/{usr/,}bin/openssl rix,
/etc/ca-certificates/update.d/ r,
/etc/ca-certificates/update.d/jks-keystore rCx -> jks-keystore,
/{usr/,}bin/run-parts rCx -> run-parts,
/etc/ r,
/etc/ca-certificates.conf r,
/etc/ssl/certs/ca-certificates.crt rw,
/etc/ssl/certs/*.pem rw,
/etc/ssl/certs/[0-9a-f]*.[0-9] rw,
/{usr/,}lib/locale/locale-archive r,
/tmp/ r,
owner /tmp/ca-certificates{,.crt}.tmp.* rw,
# For shell pwd
/root/ r,
/usr/local/share/ r,
@{PROC}/filesystems r,
profile run-parts {
include <abstractions/base>
/{usr/,}bin/run-parts mr,
/etc/ca-certificates/update.d/ r,
# file_inherit
owner /dev/pts/[0-9]* rw,
}
profile jks-keystore {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
/etc/ca-certificates/update.d/jks-keystore mr,
/{usr/,}lib/ r,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/jre/bin/java rix,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/bin/java rix,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/lib/server/classes.jsa mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/head rix,
/{usr/,}bin/mountpoint rix,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
#
/{usr/,}bin/dpkg rPx -> child-dpkg,
/usr/share/ca-certificates-java/ca-certificates-java.jar r,
/usr/share/java/java-atk-wrapper.jar r,
/etc/default/cacerts r,
/etc/ssl/certs/java/cacerts rw,
/etc/java-[0-9]*-openjdk/{,**} r,
owner @{PROC}/@{pid}/coredump_filter rw,
owner @{PROC}/@{pid}/coredump rw,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/mountinfo r,
@{sys}/fs/cgroup/** r,
owner /tmp/hsperfdata_*/ rw,
owner /tmp/hsperfdata_*/@{pid} rw,
}
include if exists <local/update-ca-certificates>
}


@ -0,0 +1,40 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/update-ca-trust
profile update-ca-trust @{exec_path} {
include <abstractions/base>
include <abstractions/ssl_certs>
capability dac_read_search,
@{exec_path} mr,
/{usr/,}bin/bash rix,
/{usr/,}bin/find rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/trust rix,
/ r,
/usr/share/p11-kit/modules/{,*} r,
/etc/ca-certificates/extracted/{tls,email,objsign}-ca-bundle.pem{,.*} w,
/etc/ca-certificates/extracted/ca-bundle.trust.crt{,.*} w,
/etc/ca-certificates/extracted/cadir/{,*} rw,
/etc/ca-certificates/extracted/edk2-cacerts.bin{,.*} w,
/etc/ssl/certs/{,*} rw,
/etc/ssl/certs/java/cacerts{,.*} w,
/dev/tty rw,
# Inherit silencer
deny network inet6 stream,
deny network inet stream,
include if exists <local/update-ca-trust>
}


@ -0,0 +1,45 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/share/command-not-found/cnf-update-db
@{exec_path} += /{usr/,}{s,}bin/update-command-not-found
profile update-command-not-found @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/python>
#capability sys_tty_config,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}lib/apt/apt-helper rix,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/var/lib/command-not-found/ r,
/var/lib/command-not-found/commands.db* rwk,
/usr/share/command-not-found/{,**} r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/apt/lists/ r,
/var/lib/apt/lists/*_Contents-* r,
owner @{PROC}/@{pid}/fd/ r,
# file_inherit
/var/log/cron-apt/temp w,
include if exists <local/update-command-not-found>
}


@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/update-desktop-database
profile update-desktop-database @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/usr/share/applications/{,**/} r,
/usr/share/applications/**.desktop r,
/usr/share/applications/.mimeinfo.cache.* rw,
/usr/share/applications/mimeinfo.cache w,
/usr/share/*/*.desktop r,
# Inherit silencer
deny network inet6 stream,
deny network inet stream,
include if exists <local/update-desktop-database>
}


@ -0,0 +1,63 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/update-dlocatedb
profile update-dlocatedb @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/uniq rix,
/{usr/,}bin/ionice rix,
/usr/share/dlocate/updatedb rCx -> updatedb,
/{usr/,}bin/dpkg rPx -> child-dpkg,
owner @{PROC}/@{pid}/fd/2 w,
/var/lib/dlocate/dpkg-list w,
# For shell pwd
/root/ r,
profile updatedb {
include <abstractions/base>
include <abstractions/perl>
/usr/share/dlocate/updatedb r,
/{usr/,}bin/perl r,
/etc/default/dlocate r,
/var/lib/dlocate/ r,
/var/lib/dlocate/dlocatedb rw,
/var/lib/dlocate/dlocatedb.stamps{,.new} rw,
/var/lib/dlocate/dlocatedb.{new,old} rw,
link /var/lib/dlocate/dlocatedb.old -> /var/lib/dlocate/dlocatedb,
/var/lib/dpkg/diversions r,
/var/lib/dpkg/info/ r,
/var/lib/dpkg/info/*.list r,
# For compression
/{usr/,}bin/gzip rix,
/var/lib/dlocate/dlocatedb.gz rw,
}
include if exists <local/update-dlocatedb>
}


@ -0,0 +1,56 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/update-initramfs
profile update-initramfs @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
# Needed? (comm="ischroot")
#ptrace (read),
@{exec_path} rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/ r,
/{usr/,}bin/cat rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/ischroot rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/mawk rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sha1sum rix,
/{usr/,}bin/sync rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/dpkg-trigger rPx,
/{usr/,}bin/linux-version rPx,
/{usr/,}sbin/mkinitramfs rPx,
/var/lib/initramfs-tools/* w,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/initramfs-tools/update-initramfs.conf r,
@{PROC}/1/mountinfo r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner /boot/ r,
owner /boot/initrd.img-* rw,
owner /boot/initrd.img-*.dpkg-bak rwl -> /boot/initrd.img-*,
include if exists <local/update-initramfs>
}


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/update-mime-database
profile update-mime-database @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/usr/share/mime/{,**} rw,
# Inherit silencer
deny network inet6 stream,
deny network inet stream,
include if exists <local/update-mime-database>
}


@ -0,0 +1,68 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/update-pciids
profile update-pciids @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/chown rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/echo rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/bunzip2 rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/zgrep rix,
/{usr/,}bin/wget rCx -> browse,
/{usr/,}bin/curl rCx -> browse,
/{usr/,}bin/lynx rCx -> browse,
/usr/share/misc/ r,
/usr/share/misc/* rwl -> /usr/share/misc/*,
# For shell pwd
/root/ r,
profile browse {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
/{usr/,}bin/wget mr,
/{usr/,}bin/curl mr,
/{usr/,}bin/lynx mr,
/etc/wgetrc r,
owner @{HOME}/.wget-hsts rwk,
/usr/share/misc/pci.ids.new w,
/usr/share/misc/pci.ids.gz.new w,
}
include if exists <local/update-pciids>
}


@ -0,0 +1,94 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/update-smart-drivedb
profile update-smart-drivedb @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/dd rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/cmp rix,
/{usr/,}{s,}bin/ r,
/{usr/,}{s,}bin/smartctl rPx,
/{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/wget rCx -> browse,
/{usr/,}bin/curl rCx -> browse,
/{usr/,}bin/lynx rCx -> browse,
/var/lib/smartmontools/drivedb/drivedb.h{,.*} rw,
owner /var/lib/smartmontools/drivedb/.gnupg.[0-9]*.tmp/{,**} rw,
# For shell pwd
/root/ r,
profile gpg {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/gpg mr,
/{usr/,}bin/gpg-agent rix,
owner @{PROC}/@{pid}/fd/ r,
/var/lib/smartmontools/drivedb/drivedb.h.new.raw{,.asc} r,
owner /var/lib/smartmontools/drivedb/.gnupg.[0-9]*.tmp/ rw,
owner /var/lib/smartmontools/drivedb/.gnupg.[0-9]*.tmp/** rwkl -> /var/lib/smartmontools/drivedb/.gnupg.[0-9]*.tmp/**,
}
profile browse {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
/{usr/,}bin/wget mr,
/{usr/,}bin/curl mr,
/{usr/,}bin/lynx mr,
/{usr/,}bin/{,ba,da}sh rix,
/etc/mime.types r,
/etc/mailcap r,
/etc/lynx/* r,
/etc/wgetrc r,
owner @{HOME}/.wget-hsts rwk,
/usr/share/publicsuffix/public_suffix_list.* r,
/var/lib/smartmontools/drivedb/drivedb.h.new{,.raw.asc} w,
}
include if exists <local/update-smart-drivedb>
}


@ -0,0 +1,65 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/updatedb.mlocate
profile updatedb-mlocate @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability dac_read_search,
capability fowner,
capability chown,
capability fsetid,
@{exec_path} mr,
/{usr/,}{s,}bin/on_ac_power rPx,
# For shell pwd
/ r,
/boot/ r,
/boot/**/ r,
/home/ r,
@{HOME}/ r,
@{HOME}/**/ r,
/etc/ r,
/etc/**/ r,
/usr/ r,
/usr/**/ r,
/var/ r,
/var/**/ r,
/opt/ r,
/opt/**/ r,
/srv/ r,
/srv/**/ r,
# Silence the noise
deny /efi/ r,
deny /hugepages/ r,
deny /lost+found/ r,
deny /mnt/ r,
@{run}/mlocate.daily.lock r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/var/lib/mlocate/mlocate.db rwk,
/var/lib/mlocate/mlocate.db.* rw,
/etc/updatedb.conf r,
include if exists <local/updatedb-mlocate>
}


@ -0,0 +1,39 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/updatedb.plocate
profile updatedb.plocate @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability dac_read_search,
capability chown,
capability fowner,
capability sys_ptrace,
ptrace (read),
@{exec_path} mr,
/etc/updatedb.conf r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/var/lib/plocate/plocate.db rw,
/var/lib/plocate/#[0-9]* rw,
/var/lib/plocate/plocate.db rwl -> /var/lib/plocate/#[0-9]*,
/ r,
/**/ r,
# file_inherit
@{run}/plocate.daily.lock r,
include if exists <local/updatedb.plocate>
}
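Review bot: `capability sys_ptrace,` and `ptrace (read),` in the updatedb.plocate profile come without the explanatory comment that the sibling profiles attach to capability grants (compare the `# To remove the following errors:` blocks in udisksd), and every `@{PROC}` rule in this profile is `owner`-qualified and for the process's own pid, so nothing visible here shows which access needs them. Since these two rules together allow reading other processes' /proc entries, a comment naming the denial they resolve would make a later audit straightforward, e.g. `# Needed for: <denial line from audit.log>` above `capability sys_ptrace,`. If they turn out to be leftovers from an earlier iteration, dropping them is the cleaner fix.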


@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/upower
profile upower @{exec_path} {
include <abstractions/base>
# Needed?
deny capability sys_nice,
@{exec_path} mr,
include if exists <local/upower>
}


@ -0,0 +1,52 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/upower/upowerd
@{exec_path} += @{libexec}/upowerd
profile upowerd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/devices-usb>
network netlink raw,
@{exec_path} mr,
# UPower config file
/etc/UPower/ r,
/etc/UPower/UPower.conf r,
# The history data for the power device
/var/lib/upower/ r,
/var/lib/upower/history-*.dat{,.*} rw,
# Are all of these needed? (#FIXME#)
/dev/input/event* r,
@{sys}/bus/hid/devices/ r,
@{sys}/class/leds/ r,
@{sys}/class/power_supply/ r,
@{sys}/class/input/ r,
@{sys}/devices/ r,
@{sys}/devices/**/power_supply/**/* r,
@{sys}/devices/**/uevent r,
@{sys}/devices/**/capabilities/* r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/platform/**/leds/**/max_brightness r,
@{sys}/devices/platform/**/leds/**/brightness rw,
@{sys}/devices/platform/**/leds/**/brightness_hw_changed r,
@{run}/udev/data/ r,
@{run}/udev/data/+power_supply* r,
@{run}/udev/data/+input* r,
@{run}/udev/data/+hid* r,
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
@{run}/systemd/inhibit/[0-9]*.ref rw,
include if exists <local/upowerd>
}


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/uptime
profile uptime @{exec_path} {
include <abstractions/base>
include <abstractions/wutmp>
@{exec_path} mr,
@{PROC}/uptime r,
@{PROC}/loadavg r,
@{PROC}/sys/kernel/osrelease r,
include if exists <local/uptime>
}


@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/usb-devices
profile usb-devices @{exec_path} {
include <abstractions/base>
include <abstractions/devices-usb>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/readlink rix,
# For shell pwd
/root/ r,
include if exists <local/usb-devices>
}


@ -0,0 +1,35 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/usbguard
profile usbguard @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/devices-usb>
capability chown,
capability fowner,
capability dac_override,
# Needed to create policy (usbguard generate-policy)
network netlink dgram,
@{exec_path} mr,
/etc/usbguard/*.conf rw,
/etc/usbguard/IPCAccessControl.d/{,*} rw,
/dev/shm/qb-usbguard-{request,response,event}-[0-9]*-[0-9]*-[0-9]*-{header,data} rw,
/dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw,
# For "usbguard generate-policy"
@{sys}/devices/pci[0-9]*/**/uevent r,
include if exists <local/usbguard>
}


@ -0,0 +1,51 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/usbguard-applet-qt
profile usbguard-applet-qt @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/qt5-compose-cache-write>
include <abstractions/dri-enumerate>
include <abstractions/nameservice-strict>
include <abstractions/deny-root-dir-access>
# Needed?
ptrace (read),
@{exec_path} mr,
owner @{user_config_dirs}/USBGuard/ rw,
owner @{user_config_dirs}/USBGuard/* rwkl -> @{user_config_dirs}/USBGuard/#[0-9]*[0-9],
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/qb-usbguard-{request,response,event}-[0-9]*-[0-9]*-[0-9]*-{header,data} rw,
/dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw,
owner @{run}/user/@{uid}/sni-qt_usbguard-applet-qt_[0-9]*-[a-zA-Z0-9]*/{,**} rw,
owner @{PROC}/@{pid}/cmdline r,
@{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sys/kernel/core_pattern r,
/usr/share/hwdata/pnp.ids r,
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
include if exists <local/usbguard-applet-qt>
}
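Review bot: `ptrace (read),` under the `# Needed?` marker has no `peer=` qualifier, so the applet is allowed ptrace-read access to any process DAC permits, and the comment itself says the need is unconfirmed. If the access is only for self-inspection (the adjacent `owner @{PROC}/@{pid}/cmdline r,` hints at that), restrict it to `ptrace (read) peer=@{profile_name},`; otherwise replace `# Needed?` with the audit denial that motivated the rule so the grant can be re-evaluated later. The same unresolved `# Needed?` marker sits above `deny capability sys_nice,` in the usbguard-dbus section below.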


@ -0,0 +1,39 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/usbguard-daemon
profile usbguard-daemon @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/devices-usb>
capability chown,
capability fowner,
capability dac_override,
network netlink dgram,
@{exec_path} mr,
/etc/usbguard/*.conf rw,
/etc/usbguard/IPCAccessControl.d/{,*} r,
owner @{run}/usbguard.pid rwk,
/var/log/usbguard/usbguard-audit.log rw,
/dev/shm/ r,
/dev/shm/qb-usbguard-{request,response,event}-[0-9]*-[0-9]*-[0-9]*-{header,data} rw,
/dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/ rw,
/dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw,
@{sys}/devices/pci[0-9]*/**/uevent r,
include if exists <local/usbguard-daemon>
}
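Review bot: `/var/log/usbguard/usbguard-audit.log rw,` lets the daemon truncate or rewrite its own audit trail rather than only extend it. If the daemon opens that file with O_APPEND (to be confirmed against the usbguard source), AppArmor's append permission is the tighter fit: `/var/log/usbguard/usbguard-audit.log a,`; if it does not, a one-line comment stating why full write is required keeps the grant from being narrowed by mistake later. Similarly, `/etc/usbguard/*.conf rw,` makes the policy store writable by the process it governs — presumably for permanent allow/block updates to the rules file, but a comment naming the file actually rewritten would document that.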


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/usbguard-dbus
profile usbguard-dbus @{exec_path} {
include <abstractions/base>
# Needed?
deny capability sys_nice,
@{exec_path} mr,
/dev/shm/qb-usbguard-{request,response,event}-[0-9]*-[0-9]*-[0-9]*-{header,data} rw,
/dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw,
include if exists <local/usbguard-dbus>
}


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/usbguard-notifier
profile usbguard-notifier @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@{exec_path} mr,
/dev/shm/qb-usbguard-{request,response,event}-[0-9]*-[0-9]*-[0-9]*-{header,data} rw,
/dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw,
owner @{PROC}/@{pid}/loginuid r,
include if exists <local/usbguard-notifier>
}


@ -0,0 +1,74 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/uscan
profile uscan @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/perl>
include <abstractions/openssl>
include <abstractions/ssl_certs>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/pwd rix,
/{usr/,}bin/find rix,
/{usr/,}bin/file rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/uupdate rPUx,
# To run custom maintainer scripts
owner @{user_build_dirs}/**/debian/* rPUx,
/{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/gpgv rCx -> gpg,
/etc/dpkg/origins/debian r,
/etc/devscripts.conf r,
/etc/magic r,
# For package building
owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
# For GPG keys
owner /tmp/*/ rw,
owner /tmp/*/trustedkeys.gpg w,
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpg mr,
/{usr/,}bin/gpgv mr,
owner @{HOME}/@{XDG_GPG_DIR}/gpg.conf r,
owner @{HOME}/@{XDG_GPG_DIR}/pubring.{gpg,kbx} r,
owner /tmp/*/trustedkeys.gpg rw,
owner @{user_build_dirs}/**/debian/upstream/signing-key.asc r,
owner @{user_build_dirs}/**/*.tar.* r,
}
include if exists <local/uscan>
}
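Review bot: `owner @{user_build_dirs}/**/debian/* rPUx,` and `/{usr/,}bin/uupdate rPUx,` fall back to unconfined execution whenever no profile is attached to the target, which for arbitrary maintainer scripts under debian/ will be the normal case; the comment `# To run custom maintainer scripts` does not say that this unconfined fallback is the intended trade-off. Suggest `# To run custom maintainer scripts; they have no profile of their own, so PUx runs them unconfined` so the behaviour is documented rather than rediscovered on the next review. The `gpg` child profile has no header comment; a single line stating that it exists to keep keyring reads out of the main uscan profile would help.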


@ -0,0 +1,88 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/useradd
profile useradd @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# To create a user home dir and give it proper permissions:
# mkdir("/home/user", 000) = 0
# chown("/home/user", 0, 0) = 0
# chmod("/home/user", 0755) = 0
# chown("/home/user/", 1001, 1001) = 0
# chmod("/home/user/", 0755) = 0
capability chown,
capability fowner,
# To set the set-group-ID bit for the user home dir.
capability fsetid,
# To copy files from the /etc/skel/ dir to the newly created user dir, which now has a different
# owner.
capability dac_read_search,
capability dac_override,
# To write records to the kernel auditing log.
capability audit_write,
network netlink raw,
@{exec_path} mr,
/{usr/,}bin/usermod rPx,
/{usr/,}{s,}bin/pam_tally2 rCx -> pam_tally2,
/etc/login.defs r,
/etc/default/useradd r,
/etc/{passwd,shadow,gshadow,group,subuid,subgid} rw,
/etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w,
/etc/{passwd,shadow,gshadow,group,subuid,subgid}- w,
/etc/{passwd,shadow,gshadow,group,subuid,subgid}+ rw,
/etc/passwd.lock wl -> /etc/passwd.@{pid},
/etc/shadow.lock wl -> /etc/shadow.@{pid},
/etc/group.lock wl -> /etc/group.@{pid},
/etc/gshadow.lock wl -> /etc/gshadow.@{pid},
/etc/subuid.lock wl -> /etc/subuid.@{pid},
/etc/subgid.lock wl -> /etc/subgid.@{pid},
# A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
# modify the /etc/passwd or /etc/shadow password database.
/etc/.pwd.lock rwk,
/var/log/faillog rw,
/var/log/lastlog rw,
# To create user dirs
@{HOME}/ rw,
# To copy files from /etc/skel/ to user dirs
@{HOME}/.* w,
/etc/skel/{,.*} r,
profile pam_tally2 {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability audit_write,
/{usr/,}{s,}bin/pam_tally2 mr,
/var/log/tallylog rw,
}
include if exists <local/useradd>
}
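Review bot: The skeleton-copy rules `/etc/skel/{,.*} r,` and `@{HOME}/.* w,` cover only the top level of /etc/skel (and only dotfiles on the destination side), because `*` does not cross `/`, so a skeleton that ships a populated dot-directory would be denied at its first nested entry. If nested skeletons are expected on the target systems (to be confirmed), `/etc/skel/{,**} r,` and `@{HOME}/{,**} w,` would cover them at the cost of a wider write grant into the new home; otherwise a comment recording the flat-skeleton assumption (`# skel is assumed flat: no subdirectories`) would keep the limitation visible.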


@ -0,0 +1,65 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/userdel
profile userdel @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# The userdel command is issued as root and its task is to delete regular user accounts. It
# optionally can remove user files (via --remove). Because of that, the userdel command needs the
# following CAPs to be able to do so.
capability dac_read_search,
capability dac_override,
# To write records to the kernel auditing log.
capability audit_write,
# To set the right permission to the files in the /etc/ dir).
capability chown,
capability fsetid,
# To prevent removing a user when it's used by some process.
capability sys_ptrace,
ptrace (read),
network netlink raw,
@{exec_path} mr,
/etc/login.defs r,
@{PROC}/ r,
@{PROC}/@{pids}/task/ r,
/etc/{passwd,shadow,gshadow,group,subuid,subgid} rw,
/etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w,
/etc/{passwd,shadow,gshadow,group,subuid,subgid}- w,
/etc/{passwd,shadow,gshadow,group,subuid,subgid}+ rw,
/etc/passwd.lock wl -> /etc/passwd.@{pid},
/etc/shadow.lock wl -> /etc/shadow.@{pid},
/etc/group.lock wl -> /etc/group.@{pid},
/etc/gshadow.lock wl -> /etc/gshadow.@{pid},
/etc/subuid.lock wl -> /etc/subuid.@{pid},
/etc/subgid.lock wl -> /etc/subgid.@{pid},
# A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
# modify the /etc/passwd or /etc/shadow password database.
/etc/.pwd.lock rwk,
# To remove user home files
@{HOME}/ rw,
@{HOME}/** w,
# To remove user mail
/var/mail/* w,
include if exists <local/userdel>
}


@ -0,0 +1,65 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/usermod
profile usermod @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# To write records to the kernel auditing log.
capability audit_write,
# To set the right permission to the files in the /etc/ dir.
capability chown,
capability fsetid,
# To read user home files and change their user/group.
# usermod: Failed to change ownership of the home directory
capability dac_read_search,
# To move user home files to a new location.
capability fowner,
# To prevent removing a user when it's used by some process.
capability sys_ptrace,
ptrace (read),
network netlink raw,
@{exec_path} mr,
/{usr/,}{s,}bin/nscd rix,
/etc/login.defs r,
/etc/{passwd,shadow,gshadow,group} rw,
/etc/{passwd,shadow,gshadow,group}.@{pid} w,
/etc/{passwd,shadow,gshadow,group}- w,
/etc/{passwd,shadow,gshadow,group}+ rw,
/etc/passwd.lock wl -> /etc/passwd.@{pid},
/etc/group.lock wl -> /etc/group.@{pid},
/etc/shadow.lock wl -> /etc/shadow.@{pid},
/etc/gshadow.lock wl -> /etc/gshadow.@{pid},
# A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
# modify the /etc/passwd or /etc/shadow password database.
/etc/.pwd.lock rwk,
/etc/subuid r,
@{PROC}/ r,
@{PROC}/@{pids}/task/ r,
# To create and move user dirs
@{HOME}/{,**} rw,
/var/{,**} rw,
include if exists <local/usermod>
}
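Review bot: `/var/{,**} rw,` under `# To create and move user dirs` grants read/write on the whole of /var (logs, package state, spool, …) to a root-run account tool, far more than relocating a home directory with `usermod -m -d` needs. If the intent is home directories that live under /var (to be confirmed from the motivating denial), narrow the rule to that location and say so in the comment; `@{HOME}/{,**} rw,` above already covers homes under @{HOMEDIRS}. Also, usermod can rewrite /etc/subuid and /etc/subgid (`--add-subuids` and friends), which the useradd section above allows with `rw` plus lock rules, whereas this profile only has `/etc/subuid r,` — worth checking whether that path was exercised.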


@ -0,0 +1,53 @@
# Author: Jamie Strandboge
# For use with irssi within screen
include <tunables/global>
/usr/bin/irssi flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/perl>
include <abstractions/ssl_certs>
/usr/share/irssi/themes/*.theme r,
/usr/share/irssi/help/* r,
# Enable system wide scripts
/usr/share/irssi/scripts/* r,
/usr/share/ca-certificates/** r,
@{PROC}/uptime r,
/{usr/,}bin/dash ix,
# for screen_away
include <abstractions/wutmp>
/usr/bin/screen ix,
owner /{,var/}run/screen/** r,
owner /{,var/}run/screen/S-[a-zA-Z0-9]*/[0-9]* w,
@{PROC}/[0-9]*/stat r,
# for /uptime
/usr/bin/gawk ix,
/usr/bin/expr ix,
/{usr/,}bin/date ix,
# for /calc
/usr/bin/bc ix,
/{usr/,}bin/which ixr,
# config files, etc
/etc/irssi.conf r,
owner @{HOME}/.irssi/ r,
owner @{HOME}/.irssi/** r,
owner @{HOME}/.irssi/away.log wk,
owner @{HOME}/.irssi/config{,.autosave} wk,
owner @{HOME}/.irssi/*.theme wk,
# http://www.irssi.org/documentation/startup states that ~/irclogs is the
# default location for logs. Also allow the common configuration of logging
# inside the .irssi directory.
owner @{HOME}/{.irssi/,}irclogs/ r,
owner @{HOME}/{.irssi/,}irclogs/** rwk,
# for fnotify
owner @{HOME}/.irssi/fnotify rwk,
include if exists <local/usr.bin.irssi>
}
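Review bot: `/usr/bin/irssi flags=(complain) {` ships the profile in complain mode, so none of the rules below are enforced — denials are only logged — and the profile gives no protection until the flag is removed; if that is deliberate staging, the header should say so (`# Complain mode: profile still being validated, not enforcing`). Unlike the project's own profiles above (usbguard*, useradd, …), this one and the other imported upstream profiles below (lxc-start, usr.bin.man, usr.bin.pidgin, usr.sbin.tcpdump, usr.bin.totem, totem-previewers, virt-aa-helper, usr.sbin.cupsd, libvirtd) carry no `abi <abi/3.0>,` line. As I understand the 3.0 parser, policy without an abi declaration is compiled against the pre-3.0 compatibility feature set, which can leave newer rule types unenforced — worth confirming and adding the line for consistency.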


@ -0,0 +1,5 @@
include <tunables/global>
profile lxc-start /usr/bin/lxc-start flags=(attach_disconnected) {
include <abstractions/lxc/start-container>
}


@ -0,0 +1,116 @@
# vim:syntax=apparmor
include <tunables/global>
/usr/bin/man {
include <abstractions/base>
# Use a special profile when man calls anything groff-related. We only
# include the programs that actually parse input data in a non-trivial
# way, not wrappers such as groff and nroff, since the latter would need a
# broader profile.
/usr/bin/eqn rmCx -> &man_groff,
/usr/bin/grap rmCx -> &man_groff,
/usr/bin/pic rmCx -> &man_groff,
/usr/bin/preconv rmCx -> &man_groff,
/usr/bin/refer rmCx -> &man_groff,
/usr/bin/tbl rmCx -> &man_groff,
/usr/bin/troff rmCx -> &man_groff,
/usr/bin/vgrind rmCx -> &man_groff,
# Similarly, use a special profile when man calls decompressors and other
# simple filters.
/{,usr/}bin/bzip2 rmCx -> &man_filter,
/{,usr/}bin/gzip rmCx -> &man_filter,
/usr/bin/col rmCx -> &man_filter,
/usr/bin/compress rmCx -> &man_filter,
/usr/bin/iconv rmCx -> &man_filter,
/usr/bin/lzip.lzip rmCx -> &man_filter,
/usr/bin/tr rmCx -> &man_filter,
/usr/bin/xz rmCx -> &man_filter,
# Allow basically anything in terms of file system access, subject to DAC.
# The purpose of this profile isn't to confine man itself (that might be
# nice in the future, but is tricky since it's quite configurable), but to
# confine the processes it calls that parse untrusted data.
/** mrixwlk,
unix,
capability setuid,
capability setgid,
# Ordinary permission checks sometimes involve checking whether the
# process has this capability, which can produce audit log messages.
# Silence them.
deny capability dac_override,
deny capability dac_read_search,
signal peer=@{profile_name},
signal peer=/usr/bin/man//&man_groff,
signal peer=/usr/bin/man//&man_filter,
include if exists <local/usr.bin.man>
}
profile man_groff {
include <abstractions/base>
# Recent kernels revalidate open FDs, and there are often some still
# open on TTYs. This is temporary until man learns to close irrelevant
# open FDs before execve.
include <abstractions/consoles>
# man always runs its groff pipeline with the input file open on stdin,
# so we can skip <abstractions/user-manpages>.
/usr/bin/eqn rm,
/usr/bin/grap rm,
/usr/bin/pic rm,
/usr/bin/preconv rm,
/usr/bin/refer rm,
/usr/bin/tbl rm,
/usr/bin/troff rm,
/usr/bin/vgrind rm,
/etc/groff/** r,
/etc/papersize r,
/usr/lib/groff/site-tmac/** r,
/usr/share/groff/** r,
/tmp/groff* rw,
signal peer=/usr/bin/man,
# @{profile_name} doesn't seem to work here.
signal peer=/usr/bin/man//&man_groff,
# file_inherit
owner /tmp/* rw,
}
profile man_filter {
include <abstractions/base>
# Recent kernels revalidate open FDs, and there are often some still
# open on TTYs. This is temporary until man learns to close irrelevant
# open FDs before execve.
include <abstractions/consoles>
/{,usr/}bin/bzip2 rm,
/{,usr/}bin/gzip rm,
/usr/bin/col rm,
/usr/bin/compress rm,
/usr/bin/iconv rm,
/usr/bin/lzip.lzip rm,
/usr/bin/tr rm,
/usr/bin/xz rm,
# Manual pages can be more or less anywhere, especially with "man -l", and
# there's no harm in allowing wide read access here since the worst it can
# do is feed data to the invoking man process.
/** r,
# Allow writing cat pages.
/var/cache/man/** w,
signal peer=/usr/bin/man,
# @{profile_name} doesn't seem to work here.
signal peer=/usr/bin/man//&man_filter,
}
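Review bot: `/tmp/groff* rw,` in `profile man_groff` carries no `owner` qualifier, unlike the `owner /tmp/* rw,` rule a few lines below it, so the groff helpers — the processes this profile exists to confine because they parse untrusted manpage input — may read and write any `/tmp/groff*` path regardless of who created it. Assuming groff creates its temporaries itself (to be confirmed), `owner /tmp/groff* rw,` limits the grant to files the confined process owns; if a temp file handed over from man is involved, a comment explaining the cross-owner need would make the omission visibly intentional.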


@ -0,0 +1,86 @@
# vim:syntax=apparmor
include <tunables/global>
/usr/bin/pidgin {
include <abstractions/audio>
include <abstractions/base>
include <abstractions/bash>
include <abstractions/dbus-session>
include <abstractions/dbus-strict>
include <abstractions/dconf>
include <abstractions/enchant>
include <abstractions/gnome>
include <abstractions/gstreamer>
include <abstractions/ibus>
include <abstractions/nameservice>
include <abstractions/private-files-strict>
include <abstractions/ssl_certs>
include <abstractions/ubuntu-browsers>
include <abstractions/ubuntu-helpers>
include <abstractions/user-download>
dbus receive
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged,PropertiesChanged}
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=state
peer=(label=unconfined),
deny ptrace,
deny capability sys_ptrace,
deny @{user_share_dirs}/applications/wine/ r,
owner @{HOME}/.purple/ rw,
owner @{HOME}/.purple/** rwk,
owner @{HOME}/.purple/plugins/*.so m,
owner @{user_config_dirs}/indicators/ rw,
owner @{user_config_dirs}/indicators/** rw,
owner @{user_share_dirs}/applications/ r,
# Uncomment the two following lines if you want to allow Pidgin to update
# any DConf setting:
# owner @{HOME}/.{cache,config}/dconf/user rw,
# owner /{,var/}run/user/[0-9]*/dconf/user rwk,
/{usr/,}bin/dash rix,
/{usr/,}bin/which rix,
# NB: the preferred browser and proxy settings must be configured
# in the GNOME preferences: this profile does not allow running
# the corresponding external configuration applications.
/usr/bin/gconftool-2 rPix,
/usr/bin/gnome-open rmix,
/usr/bin/gsettings rix,
/usr/bin/gvfs-open rmix,
/usr/bin/pidgin r,
/usr/bin/xdg-open rmix,
/etc/purple/prefs.xml r,
/usr/lib/frei0r-1/*.so rm,
/usr/lib/@{multiarch}/libvisual-*/**.so rm,
/usr/lib/pidgin/*.so rm,
/usr/lib/purple*/*.so rm,
# pidgin-blinklight plugin
/usr/lib/pidgin-blinklight/blinklight-fixperm rPix,
@{PROC}/acpi/ibm/light rwk,
/usr/share/purple/ca-certs/ r,
/usr/share/purple/ca-certs/** r,
/usr/share/tcltk/** r,
/usr/share/themes/ r,
owner @{PROC}/@{pid}/auxv r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/usr.bin.pidgin>
}
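Review bot: `owner @{HOME}/.purple/** rwk,` together with `owner @{HOME}/.purple/plugins/*.so m,` lets the confined process both write and then map as executable files in the same user-writable directory, so the profile cannot distinguish plugins the user installed from ones the process wrote itself. This is inherent to Pidgin's user plugin directory, but it deserves a comment next to the `m` rule (`# user plugins: writable and mappable by design; the profile does not vet plugin code`) so the trade-off is explicit. If user plugins are not needed on the target systems, dropping the `m` rule closes that path without affecting the system plugins under `/usr/lib/pidgin/*.so rm,`.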


@ -0,0 +1,65 @@
# vim:syntax=apparmor
#include <tunables/global>
profile tcpdump /usr/bin/tcpdump {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
capability net_raw,
capability setuid,
capability setgid,
capability dac_override,
capability chown,
network raw,
network packet,
# for -D
@{PROC}/bus/usb/ r,
@{PROC}/bus/usb/** r,
# for finding an interface
/dev/ r,
@{PROC}/[0-9]*/net/dev r,
/sys/bus/usb/devices/ r,
/sys/class/net/ r,
/sys/devices/**/net/** r,
# for -j
capability net_admin,
# for tracing USB bus, which libpcap supports
/dev/usbmon* r,
/dev/bus/usb/ r,
/dev/bus/usb/** r,
# for init_etherarray(), with -e
/etc/ethers r,
# for USB probing (see libpcap-1.1.x/pcap-usb-linux.c:probe_devices())
/dev/bus/usb/**/[0-9]* w,
# for -z
/{usr/,}bin/gzip ixr,
/{usr/,}bin/bzip2 ixr,
# for -F and -w
audit deny @{HOME}/.* mrwkl,
audit deny @{HOME}/.*/ rw,
audit deny @{HOME}/.*/** mrwkl,
audit deny @{HOME}/bin/ rw,
audit deny @{HOME}/bin/** mrwkl,
owner @{HOME}/ r,
owner @{HOME}/** rw,
# for -r, -F and -w
/**.[pP][cC][aA][pP] rw,
/**.[cC][aA][pP] rw,
# for convenience with -r (ie, read pcap files from other sources)
/var/log/snort/*log* r,
/usr/bin/tcpdump mr,
include if exists <local/usr.sbin.tcpdump>
}
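Review bot: The section mixes the deprecated `#include <tunables/global>` / `#include <abstractions/...>` spelling at the top with the current `include if exists <local/usr.sbin.tcpdump>` form at the bottom; the same mix appears in usr.bin.totem, usr.sbin.cupsd, virt-aa-helper and libvirtd below. `#include` still parses but reads like a comment and was deprecated in AppArmor 3.0; switching these lines to bare `include` matches every other profile in the commit. Separately, `/**.[pP][cC][aA][pP] rw,` and `/**.[cC][aA][pP] rw,` let a root-run tcpdump read and write any path with those suffixes anywhere on the filesystem; inherited from upstream, but a comment recording that this is accepted for `-r`/`-w` convenience would make the breadth deliberate.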


@ -0,0 +1,58 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) Jamie Strandboge <jamie@canonical.com>
# SPDX-License-Identifier: GPL-2.0-only
#include <tunables/global>
/usr/bin/totem {
#include <abstractions/audio>
#include <abstractions/dconf>
#include <abstractions/ibus>
#include <abstractions/mesa>
#include <abstractions/nvidia>
#include <abstractions/python>
#include <abstractions/totem>
#include <abstractions/ubuntu-helpers>
signal (send) set=("kill") peer=unconfined,
# Maybe in an abstraction?
/usr/include/**/pyconfig.h r,
/usr/bin/totem r,
/usr/bin/totem-video-thumbnailer Pix,
/usr/bin/bwrap PUx,
/usr/lib/@{multiarch}/libtotem-plparser[0-9]*/totem-pl-parser/* ix,
/usr/{lib/@{multiarch},libexec}/totem-gallery-thumbnailer Pix,
/dev/sr* r,
# Help browser
/usr/bin/yelp Cx -> sanitized_helper,
# GDesktopAppInfo in GLib 2.64.x uses a very small shell script
# to launch .desktop files, instead of gio-launch-desktop
/{usr/,}bin/{dash,bash} ixr,
# With older GLib we might still be on the fallback code path
# (remove this after Debian 11 and Ubuntu 20.04)
/usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rmix,
# Quiet logs
deny /{usr/,}lib/@{multiarch}/totem/plugins/*/__pycache__/ w,
# Allow read and write on almost anything in @{HOME}. Lenient, but
# private-files-strict is in effect.
#include <abstractions/private-files-strict>
owner @{HOME}/[^.]* rw,
owner @{HOME}/[^.]*/** rw,
# Allow usage of openat with O_TMPFILE
owner @{HOME}/#[0-9]*[0-9] m,
owner /{,var/}run/user/*/dconf/user w,
owner /{,var/}run/user/*/at-spi2-*/ rw,
owner /{,var/}run/user/*/at-spi2-*/** rw,
/sys/devices/pci[0-9]*/**/config r,
/sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r,
include if exists <local/usr.bin.totem>
}
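Review bot: `/usr/bin/bwrap PUx,` hands off to bubblewrap unconfined whenever no bwrap profile is attached, and on distributions where bwrap is installed setuid (to be confirmed) the resulting process holds more privilege than totem itself, yet the rule carries no comment. Suggest `# bubblewrap sandbox launcher (apparently used for the thumbnailers): no profile shipped, runs unconfined via PUx` or whatever the observed use is, so the exception is documented. `/usr/bin/yelp Cx -> sanitized_helper,` depends on the child profile defined by abstractions/ubuntu-helpers, which is included above, so that one is fine as written.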


@ -0,0 +1,40 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) Jamie Strandboge <jamie@canonical.com>
# SPDX-License-Identifier: GPL-2.0-only
include <tunables/global>
/usr/bin/totem-video-thumbnailer flags=(attach_disconnected) {
include <abstractions/totem>
# Probably needed due to this program being run with bwrap
@{HOMEDIRS} w,
owner @{HOME}/ w,
# Allow read on almost anything in @{HOME}. Lenient, but private-files-strict is in
# effect.
include <abstractions/private-files-strict>
owner @{HOME}/[^.]* rw,
owner @{HOME}/[^.]*/** rw,
# Not needed by nautilus, but maybe other applications
owner /**.[pP][nN][gG] w,
owner /**.[jJ][pP]{,[eE]}[gG] w,
/usr/bin/totem-video-thumbnailer rm,
include if exists <local/usr.bin.totem-previewers>
}
/usr/bin/totem-audio-preview flags=(attach_disconnected) {
include <abstractions/totem>
include <abstractions/audio>
# Allow read on anything in @{HOME}. Lenient, but private-files-strict is in
# effect.
include <abstractions/private-files-strict>
owner @{HOME}/[^.]* rw,
owner @{HOME}/[^.]*/** rw,
include if exists <local/usr.bin.totem-previewers>
}
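Review bot: `@{HOMEDIRS} w,` and `owner @{HOME}/ w,` give the thumbnailer write access to the home-directory root (which allows creating entries alongside other users' homes) and to the user's own home, which a thumbnailer should not need, and the comment `# Probably needed due to this program being run with bwrap` records a guess rather than an observed denial. Confirm the actual denial in the audit log before keeping them; if bwrap only needs a specific mount point or temp entry, narrow to that path, otherwise replace `Probably` with the recorded reason. `owner /**.[pP][nN][gG] w,` and `owner /**.[jJ][pP]{,[eE]}[gG] w,` likewise permit writing any user-owned image anywhere, and `# Not needed by nautilus, but maybe other applications` suggests they could be dropped until a concrete consumer is identified.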


@ -0,0 +1,75 @@
#include <tunables/global>
profile virt-aa-helper /usr/lib/libvirt/virt-aa-helper {
#include <abstractions/base>
#include <abstractions/openssl>
# needed for searching directories
capability dac_override,
capability dac_read_search,
# needed for when disk is on a network filesystem
network inet,
network inet6,
deny @{PROC}/[0-9]*/mounts r,
@{PROC}/[0-9]*/net/psched r,
owner @{PROC}/[0-9]*/status r,
@{PROC}/filesystems r,
# Used when internally running another command (namely apparmor_parser)
@{PROC}/@{pid}/fd/ r,
# allow reading libnl's classid file
/etc/libnl{,-3}/classid r,
# for gl enabled graphics
/dev/dri/{,*} r,
# for hostdev
/sys/devices/ r,
/sys/devices/** r,
/sys/bus/usb/devices/ r,
deny /dev/sd* r,
deny /dev/vd* r,
deny /dev/dm-* r,
deny /dev/drbd[0-9]* r,
deny /dev/dasd* r,
deny /dev/nvme* r,
deny /dev/zd[0-9]* r,
deny /dev/mapper/ r,
deny /dev/mapper/* r,
/usr/lib/libvirt/virt-aa-helper mr,
/{usr/,}{s,}bin/apparmor_parser Ux,
/etc/apparmor.d/libvirt/* r,
/etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
# for backingstore -- allow access to non-hidden files in @{HOME} as well
# as storage pools
audit deny @{HOME}/.* mrwkl,
audit deny @{HOME}/.*/ rw,
audit deny @{HOME}/.*/** mrwkl,
audit deny @{HOME}/bin/ rw,
audit deny @{HOME}/bin/** mrwkl,
@{HOME}/ r,
@{HOME}/** r,
/var/lib/libvirt/images/ r,
/var/lib/libvirt/images/** r,
/var/lib/nova/instances/_base/* r,
/{media,mnt,opt,srv}/** r,
# For virt-sandbox
/{,var/}run/libvirt/**/[sv]d[a-z] r,
/**.img r,
/**.raw r,
/**.qcow{,2} r,
/**.qed r,
/**.vmdk r,
/**.vhd r,
/**.[iI][sS][oO] r,
/**/disk{,.*} r,
include if exists <local/usr.lib.libvirt.virt-aa-helper>
}
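Review bot: `/{usr/,}{s,}bin/apparmor_parser Ux,` is a plain unconfined transition, so a dedicated apparmor_parser profile, should one ever be added, would be bypassed here, whereas the libvirtd profile below uses `PUx` for its helpers so an attached profile takes precedence. Unless the parser is known to misbehave under confinement (to be confirmed), `/{usr/,}{s,}bin/apparmor_parser PUx,` behaves identically today and is the safer choice later. A comment stating that virt-aa-helper is the only process permitted to load libvirt guest profiles (which the `audit deny ... apparmor_parser` rules in libvirtd enforce) would tie the two profiles together for a reader.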


@ -0,0 +1,221 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2007 Martin Pitt <martin.pitt@ubuntu.com>
# SPDX-License-Identifier: GPL-2.0-only
#include <tunables/global>
/usr/sbin/cupsd flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/authentication>
#include <abstractions/dbus>
#include <abstractions/fonts>
#include <abstractions/nameservice>
#include <abstractions/perl>
#include <abstractions/user-tmp>
capability chown,
capability fowner,
capability fsetid,
capability kill,
capability net_bind_service,
capability setgid,
capability setuid,
capability audit_write,
capability wake_alarm,
deny capability block_suspend,
# noisy
deny signal (send) set=("term") peer=unconfined,
# nasty, but we limit file access pretty tightly, and cups chowns a
# lot of files to 'lp' which it cannot read/write afterwards any
# more
capability dac_override,
capability dac_read_search,
# the bluetooth backend needs this
network bluetooth,
# the dnssd backend uses those
network x25 seqpacket,
network ax25 dgram,
network netrom seqpacket,
network rose dgram,
network ipx dgram,
network appletalk dgram,
network econet dgram,
network ash dgram,
# CUPS is of systemd service type "notify" now, meaning that cupsd notifies
# systemd when it is up and running, give CUPS access to systemd's
# notification socket
/run/systemd/notify w,
/{usr/,}bin/bash ixr,
/{usr/,}bin/dash ixr,
/{usr/,}bin/hostname ixr,
/dev/lp* rw,
deny /dev/tty rw, # silence noise
/dev/ttyS* rw,
/dev/ttyUSB* rw,
/dev/usb/lp* rw,
/dev/bus/usb/ r,
/dev/bus/usb/** rw,
/dev/parport* rw,
/etc/cups/ rw,
/etc/cups/** rw,
/etc/cups/interfaces/* ixrw,
/etc/foomatic/* r,
/etc/gai.conf r,
/etc/papersize r,
/etc/pnm2ppa.conf r,
/etc/printcap rwl,
/etc/ssl/** r,
@{PROC}/net/ r,
@{PROC}/net/* r,
@{PROC}/sys/dev/parport/** r,
@{PROC}/*/net/ r,
@{PROC}/*/net/** r,
@{PROC}/*/auxv r,
@{PROC}/sys/crypto/** r,
/sys/** r,
/usr/bin/* ixr,
/usr/sbin/* ixr,
/{usr/,}bin/* ixr,
/{usr/,}{s,}bin/* ixr,
/usr/lib/** rm,
# backends which come with CUPS can be confined
/usr/lib/cups/backend/bluetooth ixr,
/usr/lib/cups/backend/dnssd ixr,
/usr/lib/cups/backend/http ixr,
/usr/lib/cups/backend/ipp ixr,
/usr/lib/cups/backend/lpd ixr,
/usr/lib/cups/backend/mdns ixr,
/usr/lib/cups/backend/parallel ixr,
/usr/lib/cups/backend/serial ixr,
/usr/lib/cups/backend/snmp ixr,
/usr/lib/cups/backend/socket ixr,
/usr/lib/cups/backend/usb ixr,
# we treat cups-pdf specially, since it needs to write into /home
# and thus needs extra paranoia
/usr/lib/cups/backend/cups-pdf Px,
# allow communicating with cups-pdf via Unix sockets
unix peer=(label=/usr/lib/cups/backend/cups-pdf),
# third party backends get no restrictions as they often need high
# privileges and this is beyond our control
/usr/lib/cups/backend/* Cx -> third_party,
/usr/lib/cups/cgi-bin/* ixr,
/usr/lib/cups/daemon/* ixr,
/usr/lib/cups/monitor/* ixr,
/usr/lib/cups/notifier/* ixr,
# filters and drivers (PPD generators) are always run as non-root,
# and there are a lot of third-party drivers which we cannot predict
/usr/lib/cups/filter/** Cxr -> third_party,
/usr/lib/cups/driver/* Cxr -> third_party,
/usr/local/** rm,
/usr/local/lib/cups/** rix,
/usr/share/** r,
/{,var/}run/** rm,
/{,var/}run/avahi-daemon/socket rw,
deny /{,var/}run/samba/ rw,
/{,var/}run/samba/** rw,
/var/cache/samba/*.tdb r,
/var/{cache,lib}/samba/printing/printers.tdb r,
/{,var/}run/cups/ rw,
/{,var/}run/cups/** rw,
/var/cache/cups/ rw,
/var/cache/cups/** rwk,
/var/log/cups/ rw,
/var/log/cups/* rw,
/var/spool/cups/ rw,
/var/spool/cups/** rw,
# third-party printer drivers; no known structure here
/opt/** rix,
# FIXME: no policy ATM for hplip and Brother drivers
/usr/bin/hpijs Cx -> third_party,
/usr/Brother/** Cx -> third_party,
# Kerberos authentication
/etc/krb5.conf r,
deny /etc/krb5.conf w,
/etc/krb5.keytab rk,
/etc/cups/krb5.keytab rwk,
/tmp/krb5cc* k,
# likewise authentication
/etc/likewise r,
/etc/likewise/* r,
# silence noise
deny /etc/udev/udev.conf r,
signal peer=/usr/sbin/cupsd//third_party,
unix peer=(label=/usr/sbin/cupsd//third_party),
profile third_party flags=(attach_disconnected) {
# third party backends, filters, and drivers get relatively no restrictions
# as they often need high privileges, are unpredictable or otherwise beyond
# our control
file,
capability,
audit deny capability mac_admin,
network,
dbus,
signal,
ptrace,
unix,
}
include if exists <local/usr.sbin.cupsd>
}
# separate profile since this needs to write into /home
/usr/lib/cups/backend/cups-pdf {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
capability chown,
capability fowner,
capability fsetid,
capability setgid,
capability setuid,
# unfortunate, but required for when $HOME is 700
capability dac_override,
capability dac_read_search,
# allow communicating with cupsd via Unix sockets
unix peer=(label=/usr/sbin/cupsd),
@{PROC}/*/auxv r,
/{usr/,}bin/dash ixr,
/{usr/,}bin/bash ixr,
/{usr/,}bin/cp ixr,
/etc/papersize r,
/etc/cups/cups-pdf.conf r,
/etc/cups/ppd/*.ppd r,
/usr/bin/gs ixr,
/usr/lib/cups/backend/cups-pdf mr,
/usr/lib/ghostscript/** mr,
/usr/share/** r,
/var/log/cups/cups-pdf*_log w,
/var/spool/cups/** r,
/var/spool/cups-pdf/** rw,
# allow read and write on almost anything in @{HOME} (lenient, but
# private-files-strict is in effect), to support customized "Out"
# setting in cups-pdf.conf (Debian#940578)
#include <abstractions/private-files-strict>
@{HOME}/[^.]*/{,**/} rw,
@{HOME}/[^.]*/** rw,
}
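Review bot: `/etc/ssl/** r,` combined with `capability dac_read_search,` and `capability dac_override,` means cupsd can read everything under /etc/ssl, including the private-key directory that DAC normally protects; as far as I know cupsd keeps its own TLS material under /etc/cups/ssl, which `/etc/cups/** rw,` already covers, so the system-wide grant looks wider than needed. Suggest `/etc/ssl/certs/** r,` plus `/etc/ssl/openssl.cnf r,` (to be confirmed against the observed denials) and a comment naming what else is required. Also note `/etc/cups/interfaces/* ixrw,` makes interface scripts both writable and executable under the daemon's own profile — if the installed CUPS no longer supports interface scripts, the rule can go; otherwise a comment should record the write-then-execute trade-off.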


@ -0,0 +1,143 @@
#include <tunables/global>
@{LIBVIRT}="libvirt"
profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/dbus>
capability kill,
capability net_admin,
capability net_raw,
capability setgid,
capability sys_admin,
capability sys_module,
capability sys_ptrace,
capability sys_pacct,
capability sys_nice,
capability sys_chroot,
capability setuid,
capability dac_override,
capability dac_read_search,
capability fowner,
capability chown,
capability setpcap,
capability mknod,
capability fsetid,
capability audit_write,
capability ipc_lock,
capability sys_rawio,
capability bpf,
capability perfmon,
# Needed for vfio
capability sys_resource,
mount options=(rw,rslave) -> /,
mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
umount /{var/,}run/libvirt/qemu/*.dev/,
# libvirt provides any mounts under /dev to qemu namespaces
mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/,
mount options=(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/},
mount options=(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/,
mount options=(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**,
network inet stream,
network inet dgram,
network inet6 stream,
network inet6 dgram,
network netlink raw,
network packet dgram,
network packet raw,
# for --p2p migrations
unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
ptrace (read,trace) peer=unconfined,
ptrace (read,trace) peer=@{profile_name},
ptrace (read,trace) peer=dnsmasq,
ptrace (read,trace) peer=/usr/sbin/dnsmasq,
ptrace (read,trace) peer=libvirt-*,
ptrace (read,trace) peer=virt-manager,
signal (send) peer=dnsmasq,
signal (send) peer=/usr/sbin/dnsmasq,
signal (read, send) peer=libvirt-*,
signal (send) set=("kill", "term") peer=unconfined,
# For communication/control to qemu-bridge-helper
unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper),
signal (send) set=("term") peer=libvirtd//qemu_bridge_helper,
# allow connect with openGraphicsFD, direction reversed in newer versions
unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
# unconfined also required if guests run without security module
unix (send, receive) type=stream addr=none peer=(label=unconfined),
# required if guests run unconfined seclabel type='none' but libvirtd is confined
signal (read, send) peer=unconfined,
# Very lenient profile for libvirtd since we want to first focus on confining
# the guests. Guests will have a very restricted profile.
/ r,
/** rwmkl,
/bin/* PUx,
/sbin/* PUx,
/usr/bin/* PUx,
/usr/sbin/virtlogd pix,
/usr/sbin/* PUx,
/{usr/,}lib/udev/scsi_id PUx,
/usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
/usr/{lib,lib64,libexec}/xen/bin/* Ux,
/usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx,
/usr/{lib,libexec}/xen-*/bin/pygrub PUx,
/usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
/usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
# Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
# read and run an ebtables script.
/var/lib/libvirt/virtd* ixr,
# force the use of virt-aa-helper
audit deny /{usr/,}{s,}bin/apparmor_parser rwxl,
audit deny /etc/apparmor.d/libvirt/** wxl,
audit deny /sys/kernel/security/apparmor/features rwxl,
audit deny /sys/kernel/security/apparmor/matching rwxl,
audit deny /sys/kernel/security/apparmor/.* rwxl,
/sys/kernel/security/apparmor/profiles r,
/usr/lib/libvirt/* PUxr,
/usr/lib/libvirt/libvirt_parthelper ix,
/usr/lib/libvirt/libvirt_iohelper ix,
/etc/libvirt/hooks/** rmix,
/etc/xen/scripts/** rmix,
# allow changing to our UUID-based named profiles
change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
# child profile for bridge helper process
profile qemu_bridge_helper {
#include <abstractions/base>
capability setuid,
capability setgid,
capability setpcap,
capability net_admin,
network inet stream,
# For communication/control from libvirtd
unix (send, receive) type=stream addr=none peer=(label=libvirtd),
signal (receive) set=("term") peer=/usr/sbin/libvirtd,
signal (receive) set=("term") peer=libvirtd,
/dev/net/tun rw,
/etc/qemu/** r,
owner @{PROC}/*/status r,
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
}
include if exists <local/usr.sbin.libvirtd>
}


@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/utmpdump
profile utmpdump @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/var/log/wtmp{,.[0-9]*} r,
/var/log/btmp{,.[0-9]*} r,
include if exists <local/utmpdump>
}


@ -0,0 +1,76 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/utox
profile utox @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/user-download-strict>
include <abstractions/nameservice-strict>
include <abstractions/audio>
include <abstractions/video>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
/{usr/,}bin/xdg-open rCx -> open,
owner @{HOME}/ r,
owner @{user_config_dirs}/tox/ rw,
owner @{user_config_dirs}/tox/** rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
deny owner @{PROC}/@{pid}/cmdline r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
/{usr/,}bin/viewnior rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{user_config_dirs}/tox/[0-9A-F].ftinfo w,
owner @{user_config_dirs}/tox/[0-9A-F].ftoutfo w,
deny /dev/video[0-9]* rw,
}
include if exists <local/utox>
}
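Review bot: In the `open` child profile, `owner @{user_config_dirs}/tox/[0-9A-F].ftinfo w,` and the `.ftoutfo` line below it match exactly one hex character before the extension, whereas the other profiles in this commit glob hex identifiers with `[0-9A-F]*`; if these transfer-state files are named by a multi-character hex id (not confirmable from the page), the rules never match and the inherited descriptors are denied. Consider `owner @{user_config_dirs}/tox/[0-9A-F]*.ftinfo w,` and the same for `.ftoutfo`, and confirm the `.ftoutfo` extension against the files utox actually creates, since it looks unusual next to `.ftinfo`. The `deny /dev/video[0-9]* rw,` rule sits under the `# file_inherit` comment but is a deny rather than an inherited-fd grant; a short comment such as `# the opener child must never touch camera devices` would make the intent clear.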


@ -0,0 +1,53 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/uupdate
profile uupdate @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
include <abstractions/nameservice-strict>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/expr rix,
/{usr/,}bin/perl rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/md5sum rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/xz rix,
# FIXME
/{usr/,}bin/debchange rPUx,
/{usr/,}bin/dpkg-vendor rPUx,
/{usr/,}bin/dpkg-parsechangelog rPUx,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/etc/devscripts.conf r,
# For package building
owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
include if exists <local/uupdates>
}
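Review bot: The local-override include on the last line of the profile, `include if exists <local/uupdates>`, does not match the profile name `uupdate`, so a site drop-in at `local/uupdate` would be silently ignored; every other profile in this commit uses its own name here (`local/utmpdump`, `local/utox`, `local/vcsi`). The line should read `include if exists <local/uupdate>`. Separately, the `# FIXME` block grants `rPUx` to debchange, dpkg-vendor and dpkg-parsechangelog, which falls back to unconfined execution where no profile is loaded for them; since the profile is in `flags=(complain)` that is presumably intentional, but a comment stating which of those still need dedicated profiles would make the FIXME actionable.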


@ -0,0 +1,34 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/vcsi
profile vcsi @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/user-download-strict>
include <abstractions/python>
include <abstractions/deny-root-dir-access>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/ffmpeg rPx,
/{usr/,}bin/ffprobe rPx,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
owner /tmp/* rw,
include if exists <local/vcsi>
}
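Review bot: `owner /tmp/* rw,` grants read and write on every owner-owned top-level file in /tmp, which is wider than the scratch files vcsi presumably creates and wider than the other profiles in this commit, which name their temp paths (`owner /tmp/vidcutter/{,*} rw,`, `owner /tmp/#[0-9]*[0-9] rw,`). If the temporary-file naming is known, narrow it to that pattern, e.g. `owner /tmp/<VCSI_TMP_PATTERN> rw,` with the placeholder replaced by the observed name. The `/{usr/,}bin/ffmpeg rPx` and `ffprobe rPx` transitions depend on those profiles being loaded; a one-line comment noting that dependency would help anyone deploying this profile on its own.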


@ -0,0 +1,160 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
# Video/audio extensions:
# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t
@{vidcutter_ext} = [aA]{52,[aA][cC],[cC]3}
@{vidcutter_ext} += [mM][kK][aA]
@{vidcutter_ext} += [fF][lL][aA][cC]
@{vidcutter_ext} += [mM][pP][123cC]
@{vidcutter_ext} += [oO][gGmM][aA]
@{vidcutter_ext} += [wW]{,[aA]}[vV]
@{vidcutter_ext} += [wW][mM]{,[aA]}
@{vidcutter_ext} += 3[gG]{[2pP],[pP][2pP]}
@{vidcutter_ext} += [aA][sS][fF]
@{vidcutter_ext} += [aA][vV][iI]
@{vidcutter_ext} += [dD][iI][vV][xX]
@{vidcutter_ext} += [mM][124][vV]
@{vidcutter_ext} += [mM][kKoO][vV]
@{vidcutter_ext} += [mM][pP][4aAeEgG]
@{vidcutter_ext} += [mM][pP][eE][gG]{,[124]}
@{vidcutter_ext} += [oO][gG][gGmMxXvV]
@{vidcutter_ext} += [rR][mM]{,[vV][bB]}
@{vidcutter_ext} += [wW][eE][bB][mM]
@{vidcutter_ext} += [wW][mMtT][vV]
@{vidcutter_ext} += [mM][pP]2[tT]
@{exec_path} = /{usr/,}bin/vidcutter
profile vidcutter @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/qt5-settings-write>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-shader-cache>
include <abstractions/user-download-strict>
include <abstractions/audio>
include <abstractions/nameservice-strict>
include <abstractions/python>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-dconf>
include <abstractions/deny-root-dir-access>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/ffmpeg rPx,
/{usr/,}bin/ffprobe rPx,
/{usr/,}bin/mediainfo rPx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
# Which files vidcutter should be able to open
/ r,
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
owner /{home,media}/**.@{vidcutter_ext} rw,
owner @{HOME}/ r,
owner @{user_config_dirs}/vidcutter/ rw,
owner @{user_config_dirs}/vidcutter/* rwkl -> @{user_config_dirs}/vidcutter/#[0-9]*[0-9],
# If one is blocked, the others are probed.
deny owner @{HOME}/#[0-9]*[0-9] mrw,
owner @{HOME}/.glvnd* mrw,
# owner /tmp/#[0-9]*[0-9] mrw,
# owner /tmp/.glvnd* mrw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
# To remove the following error:
# GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied
# (g-file-error-quark, 2)
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny @{PROC}/sys/kernel/random/boot_id r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
owner /tmp/vidcutter-[0-9A-F]*-[0-9A-F]*-[0-9A-F]*-[0-9A-F]*-[0-9A-F]* w,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/*.jpg rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/vidcutter/{,*} rw,
deny /dev/ r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/disk/*/ r,
/etc/vdpau_wrapper.cfg r,
/etc/fstab r,
/usr/share/hwdata/pnp.ids r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner /dev/tty[0-9]* rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/vidcutter>
}
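Review bot: `owner @{HOME}/ r,` appears twice in the main profile, once under the `# Which files vidcutter should be able to open` comment and again immediately before the `@{user_config_dirs}/vidcutter/` rules; the second occurrence is redundant and should be dropped. Also, `/{usr/,}lib/firefox/firefox rPUx,` under `# Allowed apps to open` is granted in the parent profile as well as in the `open` child, which lets vidcutter exec the browser directly without going through xdg-open or gio-launch-desktop; if that direct path is not needed, keeping the rule only in the child keeps the parent's exec surface smaller. The commented-out `/tmp/#[0-9]*[0-9]` and `/tmp/.glvnd*` lines beneath the `deny owner @{HOME}/#[0-9]*[0-9] mrw,` rule would read better with a note on why they were disabled.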
