update apparmor profiles
This commit is contained in:
Mikhail Morfikov
Alexandre Pujol
parent
1ab54c1ed1
commit
e085014238
37 changed files with 447 additions and 56 deletions
|
|
@ -13,6 +13,11 @@
|
||||||
#/etc/udev/udev.conf r,
|
#/etc/udev/udev.conf r,
|
||||||
#/etc/wildmidi/wildmidi.cfg r,
|
#/etc/wildmidi/wildmidi.cfg r,
|
||||||
|
|
||||||
|
/etc/openni2/OpenNI.ini r,
|
||||||
|
|
||||||
|
/tmp/ r,
|
||||||
|
/var/tmp/ r,
|
||||||
|
|
||||||
/dev/ r,
|
/dev/ r,
|
||||||
/dev/bus/usb/ r,
|
/dev/bus/usb/ r,
|
||||||
/dev/dri/ r,
|
/dev/dri/ r,
|
||||||
|
|
@ -21,16 +26,19 @@
|
||||||
#owner /{dev,run}/shm/shmfd-* rw,
|
#owner /{dev,run}/shm/shmfd-* rw,
|
||||||
|
|
||||||
#
|
#
|
||||||
@{run}/udev/data/c81:* r, # For video4linux
|
@{run}/udev/data/c81:[0-9]* r, # For video4linux
|
||||||
@{run}/udev/data/c226:* r, # For /dev/dri/card[0-9]*
|
@{run}/udev/data/c189:[0-9]* r, # For /dev/bus/usb/**
|
||||||
@{run}/udev/data/+drm:* r, # For screen outputs
|
@{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card[0-9]*
|
||||||
#@{run}/udev/data/+pci:* r,
|
@{run}/udev/data/+drm:* r, # For screen outputs
|
||||||
@{run}/udev/data/+usb:* r,
|
#@{run}/udev/data/+pci:* r,
|
||||||
|
@{run}/udev/data/+usb:* r, # For /dev/bus/usb/**
|
||||||
|
|
||||||
@{sys}/bus/ r,
|
@{sys}/bus/ r,
|
||||||
@{sys}/bus/usb/devices/ r,
|
@{sys}/bus/usb/devices/ r,
|
||||||
|
@{sys}/bus/media/devices/ r,
|
||||||
@{sys}/class/ r,
|
@{sys}/class/ r,
|
||||||
@{sys}/class/drm/ r,
|
@{sys}/class/drm/ r,
|
||||||
|
@{sys}/class/video4linux/ r,
|
||||||
@{sys}/devices/pci[0-9]*/**/{busnum,config,devnum,descriptors,speed,uevent} r,
|
@{sys}/devices/pci[0-9]*/**/{busnum,config,devnum,descriptors,speed,uevent} r,
|
||||||
@{sys}/devices/system/node/ r,
|
@{sys}/devices/system/node/ r,
|
||||||
@{sys}/devices/system/node/node[0-9]*/meminfo r,
|
@{sys}/devices/system/node/node[0-9]*/meminfo r,
|
||||||
|
|
|
||||||
12
apparmor.d/abstractions/qt5-shader-cache
Normal file
12
apparmor.d/abstractions/qt5-shader-cache
Normal file
|
|
@ -0,0 +1,12 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2021 Mikhail Morfikov
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
owner @{HOME}/.cache/qtshadercache/ rw,
|
||||||
|
owner @{HOME}/.cache/qtshadercache/#[0-9]*[0-9] rw,
|
||||||
|
owner @{HOME}/.cache/qtshadercache/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9],
|
||||||
|
owner @{HOME}/.cache/qtshadercache-*-little_endian-*/ rw,
|
||||||
|
owner @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
|
||||||
|
owner @{HOME}/.cache/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
|
||||||
|
|
@ -32,6 +32,7 @@ profile calibre @{exec_path} {
|
||||||
include <abstractions/mesa>
|
include <abstractions/mesa>
|
||||||
include <abstractions/qt5-compose-cache-write>
|
include <abstractions/qt5-compose-cache-write>
|
||||||
include <abstractions/qt5-settings-write>
|
include <abstractions/qt5-settings-write>
|
||||||
|
include <abstractions/qt5-shader-cache>
|
||||||
include <abstractions/thumbnails-cache-read>
|
include <abstractions/thumbnails-cache-read>
|
||||||
include <abstractions/user-download-strict>
|
include <abstractions/user-download-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
|
||||||
|
|
@ -56,6 +56,7 @@ profile dropbox @{exec_path} {
|
||||||
/{usr/,}bin/dirname rix,
|
/{usr/,}bin/dirname rix,
|
||||||
/{usr/,}bin/uname rix,
|
/{usr/,}bin/uname rix,
|
||||||
/{usr/,}{s,}bin/ldconfig rix,
|
/{usr/,}{s,}bin/ldconfig rix,
|
||||||
|
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
|
||||||
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
|
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
|
||||||
/{usr/,}bin/{,@{multiarch}-}objdump rix,
|
/{usr/,}bin/{,@{multiarch}-}objdump rix,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -73,32 +73,32 @@
|
||||||
|
|
||||||
@{libo_user_dirs} = @{HOME} /mnt /media
|
@{libo_user_dirs} = @{HOME} /mnt /media
|
||||||
|
|
||||||
include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(complain) {
|
profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(complain) {
|
||||||
include <abstractions/private-files>
|
#include <abstractions/private-files>
|
||||||
|
|
||||||
include <abstractions/audio>
|
#include <abstractions/audio>
|
||||||
include <abstractions/bash>
|
#include <abstractions/bash>
|
||||||
include <abstractions/cups-client>
|
#include <abstractions/cups-client>
|
||||||
include <abstractions/dbus>
|
#include <abstractions/dbus>
|
||||||
include <abstractions/dbus-session>
|
#include <abstractions/dbus-session>
|
||||||
include <abstractions/dbus-accessibility>
|
#include <abstractions/dbus-accessibility>
|
||||||
include <abstractions/dri-enumerate>
|
#include <abstractions/dri-enumerate>
|
||||||
include <abstractions/mesa>
|
#include <abstractions/mesa>
|
||||||
include <abstractions/ibus>
|
#include <abstractions/ibus>
|
||||||
include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
include <abstractions/gnome>
|
#include <abstractions/gnome>
|
||||||
# GnuPG1 only...
|
# GnuPG1 only...
|
||||||
# include <abstractions/gnupg>
|
# #include <abstractions/gnupg>
|
||||||
include <abstractions/python>
|
#include <abstractions/python>
|
||||||
include <abstractions/p11-kit>
|
#include <abstractions/p11-kit>
|
||||||
|
|
||||||
include <abstractions/user-tmp>
|
#include <abstractions/user-tmp>
|
||||||
|
|
||||||
include <abstractions/opencl-intel>
|
#include <abstractions/opencl-intel>
|
||||||
include <abstractions/opencl-mesa>
|
#include <abstractions/opencl-mesa>
|
||||||
include <abstractions/opencl-nvidia>
|
#include <abstractions/opencl-nvidia>
|
||||||
|
|
||||||
#List directories for file browser
|
#List directories for file browser
|
||||||
/ r,
|
/ r,
|
||||||
|
|
@ -107,7 +107,7 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
|
||||||
owner @{libo_user_dirs}/**/ rw, #allow creating directories that we own
|
owner @{libo_user_dirs}/**/ rw, #allow creating directories that we own
|
||||||
owner @{libo_user_dirs}/**~lock.* rw, #lock file support
|
owner @{libo_user_dirs}/**~lock.* rw, #lock file support
|
||||||
owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk, #Open files rw with the right exts
|
owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk, #Open files rw with the right exts
|
||||||
owner @{libo_user_dirs}/{,**/}lu??????????{,?}.tmp rwk, #Temporary file used when saving
|
owner @{libo_user_dirs}/{,**/}lu???????????{,?}.tmp rwk, #Temporary file used when saving
|
||||||
owner @{libo_user_dirs}/{,**/}.directory r, #Read directory settings on KDE
|
owner @{libo_user_dirs}/{,**/}.directory r, #Read directory settings on KDE
|
||||||
|
|
||||||
# Settings
|
# Settings
|
||||||
|
|
@ -214,8 +214,8 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
|
||||||
owner @{user_share_dirs}/user-places.xbel r,
|
owner @{user_share_dirs}/user-places.xbel r,
|
||||||
|
|
||||||
# there is abstractions/gnupg but that's just for gpg1...
|
# there is abstractions/gnupg but that's just for gpg1...
|
||||||
profile gpg flags=(complain) {
|
profile gpg {
|
||||||
include <abstractions/base>
|
#include <abstractions/base>
|
||||||
|
|
||||||
/usr/bin/gpgconf rm,
|
/usr/bin/gpgconf rm,
|
||||||
/usr/bin/gpg rm,
|
/usr/bin/gpg rm,
|
||||||
|
|
|
||||||
|
|
@ -12,16 +12,21 @@ profile dpkg-architecture @{exec_path} {
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/perl>
|
include <abstractions/perl>
|
||||||
|
|
||||||
|
capability dac_read_search,
|
||||||
|
|
||||||
@{exec_path} r,
|
@{exec_path} r,
|
||||||
/usr/bin/perl r,
|
/usr/bin/perl r,
|
||||||
|
|
||||||
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
|
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
|
||||||
|
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
|
||||||
|
|
||||||
/{usr/,}bin/ccache rCx -> ccache,
|
/{usr/,}bin/ccache rCx -> ccache,
|
||||||
/{usr/,}bin/dpkg rPx -> child-dpkg,
|
/{usr/,}bin/dpkg rPx -> child-dpkg,
|
||||||
|
|
||||||
/usr/share/dpkg/** r,
|
/usr/share/dpkg/** r,
|
||||||
|
|
||||||
|
/etc/debian_version r,
|
||||||
|
|
||||||
# file_inherit
|
# file_inherit
|
||||||
owner /tmp/* rw,
|
owner /tmp/* rw,
|
||||||
|
|
||||||
|
|
@ -31,10 +36,14 @@ profile dpkg-architecture @{exec_path} {
|
||||||
|
|
||||||
/{usr/,}bin/ccache mr,
|
/{usr/,}bin/ccache mr,
|
||||||
|
|
||||||
|
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
|
||||||
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
|
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
|
||||||
|
/{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix,
|
||||||
|
|
||||||
/media/ccache/*/** rw,
|
/media/ccache/*/** rw,
|
||||||
|
|
||||||
|
/etc/debian_version r,
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
include if exists <local/dpkg-architecture>
|
include if exists <local/dpkg-architecture>
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,5 @@
|
||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Copyright (C) 2015-2020 Mikhail Morfikov
|
# Copyright (C) 2015-2021 Mikhail Morfikov
|
||||||
# 2021 Alexandre Pujol <alexandre@pujol.io>
|
# 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
|
@ -100,6 +100,12 @@ profile firefox @{exec_path} {
|
||||||
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
|
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
|
||||||
deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
|
deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
|
||||||
|
|
||||||
|
# For Cryptographic Attestation of Personhood
|
||||||
|
#@{sys}/bus/ r,
|
||||||
|
#@{sys}/class/ r,
|
||||||
|
#@{sys}/class/hidraw/ r,
|
||||||
|
#@{run}/udev/data/c241:[0-9]* r, # dynamic
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
owner @{PROC}/@{pid}/cgroup r,
|
owner @{PROC}/@{pid}/cgroup r,
|
||||||
deny owner @{PROC}/@{pid}/stat r,
|
deny owner @{PROC}/@{pid}/stat r,
|
||||||
|
|
@ -126,6 +132,7 @@ profile firefox @{exec_path} {
|
||||||
|
|
||||||
# Set default browser
|
# Set default browser
|
||||||
/{usr/,}bin/update-mime-database rPx,
|
/{usr/,}bin/update-mime-database rPx,
|
||||||
|
owner @{user_config_dirs}/ r,
|
||||||
owner @{user_config_dirs}/mimeapps.list{,.*} rw,
|
owner @{user_config_dirs}/mimeapps.list{,.*} rw,
|
||||||
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
|
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
|
||||||
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,
|
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,
|
||||||
|
|
|
||||||
|
|
@ -1,10 +1,10 @@
|
||||||
include <tunables/global>
|
#include <tunables/global>
|
||||||
include <tunables/torbrowser>
|
#include <tunables/torbrowser>
|
||||||
|
|
||||||
@{torbrowser_tor_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Tor/tor
|
@{torbrowser_tor_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Tor/tor
|
||||||
|
|
||||||
profile torbrowser_tor @{torbrowser_tor_executable} {
|
profile torbrowser_tor @{torbrowser_tor_executable} {
|
||||||
include <abstractions/base>
|
#include <abstractions/base>
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
network tcp,
|
network tcp,
|
||||||
|
|
@ -24,7 +24,7 @@ profile torbrowser_tor @{torbrowser_tor_executable} {
|
||||||
# Support some of the included pluggable transports
|
# Support some of the included pluggable transports
|
||||||
owner @{torbrowser_home_dir}/TorBrowser/Tor/PluggableTransports/** rix,
|
owner @{torbrowser_home_dir}/TorBrowser/Tor/PluggableTransports/** rix,
|
||||||
@{PROC}/sys/net/core/somaxconn r,
|
@{PROC}/sys/net/core/somaxconn r,
|
||||||
include <abstractions/ssl_certs>
|
#include <abstractions/ssl_certs>
|
||||||
|
|
||||||
# Silence file_inherit logs
|
# Silence file_inherit logs
|
||||||
deny @{torbrowser_home_dir}/{browser/,}omni.ja r,
|
deny @{torbrowser_home_dir}/{browser/,}omni.ja r,
|
||||||
|
|
@ -38,6 +38,7 @@ profile torbrowser_tor @{torbrowser_tor_executable} {
|
||||||
|
|
||||||
@{PROC}/sys/kernel/random/uuid r,
|
@{PROC}/sys/kernel/random/uuid r,
|
||||||
/sys/devices/system/cpu/ r,
|
/sys/devices/system/cpu/ r,
|
||||||
|
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||||
|
|
||||||
# OnionShare compatibility
|
# OnionShare compatibility
|
||||||
/tmp/onionshare/** rw,
|
/tmp/onionshare/** rw,
|
||||||
|
|
|
||||||
|
|
@ -22,9 +22,6 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
network bluetooth stream,
|
|
||||||
network bluetooth seqpacket,
|
|
||||||
|
|
||||||
ptrace (read) peer=unconfined,
|
ptrace (read) peer=unconfined,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
|
||||||
|
|
@ -36,6 +36,11 @@ profile gpg-agent @{exec_path} {
|
||||||
owner /var/lib/*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
|
owner /var/lib/*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||||
owner /var/lib/*/gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw,
|
owner /var/lib/*/gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||||
|
|
||||||
|
owner /tmp/tmp.*/gnupg/ rw,
|
||||||
|
owner /tmp/tmp.*/gnupg/private-keys-v1.d/ rw,
|
||||||
|
owner /tmp/tmp.*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
|
||||||
|
owner /tmp/tmp.*/gnupg/S.gpg-agent rw,
|
||||||
|
|
||||||
# For debuild
|
# For debuild
|
||||||
owner /tmp/dpkg-import-key.*/private-keys-v1.d/ w,
|
owner /tmp/dpkg-import-key.*/private-keys-v1.d/ w,
|
||||||
owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w,
|
owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w,
|
||||||
|
|
|
||||||
|
|
@ -13,7 +13,18 @@ profile gpg-connect-agent @{exec_path} {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
/{usr/,}bin/gpg-agent rPx,
|
||||||
|
|
||||||
/etc/inputrc r,
|
/etc/inputrc r,
|
||||||
|
|
||||||
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/gnupg/d.*/ rw,
|
||||||
|
|
||||||
|
owner /tmp/tmp.*/.#lk0x[0-9a-f]*.*.@{pid} rw,
|
||||||
|
owner /tmp/tmp.*/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
|
||||||
|
owner /tmp/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
|
||||||
|
|
||||||
include if exists <local/gpg-connect-agent>
|
include if exists <local/gpg-connect-agent>
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -20,6 +20,7 @@ profile anki @{exec_path} {
|
||||||
include <abstractions/mesa>
|
include <abstractions/mesa>
|
||||||
include <abstractions/qt5-settings-write>
|
include <abstractions/qt5-settings-write>
|
||||||
include <abstractions/qt5-compose-cache-write>
|
include <abstractions/qt5-compose-cache-write>
|
||||||
|
include <abstractions/qt5-shader-cache>
|
||||||
include <abstractions/user-download-strict>
|
include <abstractions/user-download-strict>
|
||||||
include <abstractions/trash>
|
include <abstractions/trash>
|
||||||
include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
|
|
@ -28,6 +29,12 @@ profile anki @{exec_path} {
|
||||||
|
|
||||||
signal (send) set=(term, kill) peer=anki//mpv,
|
signal (send) set=(term, kill) peer=anki//mpv,
|
||||||
|
|
||||||
|
network inet dgram,
|
||||||
|
network inet6 dgram,
|
||||||
|
network inet stream,
|
||||||
|
network inet6 stream,
|
||||||
|
network netlink raw,
|
||||||
|
|
||||||
@{exec_path} r,
|
@{exec_path} r,
|
||||||
/{usr/,}bin/python3.[0-9]* r,
|
/{usr/,}bin/python3.[0-9]* r,
|
||||||
|
|
||||||
|
|
@ -57,9 +64,15 @@ profile anki @{exec_path} {
|
||||||
|
|
||||||
/usr/share/javascript/**/*.js r,
|
/usr/share/javascript/**/*.js r,
|
||||||
|
|
||||||
|
owner @{user_cache_dirs}/Anki/ rw,
|
||||||
|
owner @{user_cache_dirs}/Anki/** rw,
|
||||||
|
|
||||||
owner @{user_share_dirs}/Anki{,2}/ rw,
|
owner @{user_share_dirs}/Anki{,2}/ rw,
|
||||||
owner @{user_share_dirs}/Anki{,2}/** rwk,
|
owner @{user_share_dirs}/Anki{,2}/** rwk,
|
||||||
|
|
||||||
|
owner @{HOME}/ r,
|
||||||
|
owner @{HOME}/.cache/ rw,
|
||||||
|
|
||||||
# To remove the following error:
|
# To remove the following error:
|
||||||
# Error initializing NSS with a persistent database
|
# Error initializing NSS with a persistent database
|
||||||
owner @{HOME}/.pki/ rw,
|
owner @{HOME}/.pki/ rw,
|
||||||
|
|
@ -78,10 +91,13 @@ profile anki @{exec_path} {
|
||||||
# [:FATAL:sandbox_linux.cc(172)] Check failed: proc_fd_ >= 0 (-1 vs. 0)
|
# [:FATAL:sandbox_linux.cc(172)] Check failed: proc_fd_ >= 0 (-1 vs. 0)
|
||||||
@{PROC}/ r,
|
@{PROC}/ r,
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
deny owner @{PROC}/@{pid}/mem r,
|
owner @{PROC}/@{pid}/mem r,
|
||||||
|
owner @{PROC}/@{pids}/statm r,
|
||||||
|
owner @{PROC}/@{pids}/stat r,
|
||||||
owner @{PROC}/@{pid}/task/ r,
|
owner @{PROC}/@{pid}/task/ r,
|
||||||
owner @{PROC}/@{pid}/task/@{tid}/status r,
|
owner @{PROC}/@{pid}/task/@{tid}/status r,
|
||||||
@{PROC}/sys/kernel/yama/ptrace_scope r,
|
@{PROC}/sys/kernel/yama/ptrace_scope r,
|
||||||
|
@{PROC}/sys/fs/inotify/max_user_watches r,
|
||||||
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
|
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
|
||||||
deny owner @{PROC}/@{pid}/cmdline r,
|
deny owner @{PROC}/@{pid}/cmdline r,
|
||||||
# To remove the following error:
|
# To remove the following error:
|
||||||
|
|
@ -90,7 +106,7 @@ profile anki @{exec_path} {
|
||||||
owner @{PROC}/@{pid}/mountinfo r,
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
deny @{PROC}/sys/kernel/random/boot_id r,
|
deny @{PROC}/sys/kernel/random/boot_id r,
|
||||||
deny @{PROC}/vmstat r,
|
@{PROC}/vmstat r,
|
||||||
deny owner @{PROC}/@{pid}/setgroups w,
|
deny owner @{PROC}/@{pid}/setgroups w,
|
||||||
|
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
|
|
|
||||||
|
|
@ -23,6 +23,7 @@ profile arduino-builder @{exec_path} {
|
||||||
/{usr/,}lib/gcc/avr/[0-9]*/collect2 rix,
|
/{usr/,}lib/gcc/avr/[0-9]*/collect2 rix,
|
||||||
/{usr/,}lib/gcc/avr/[0-9]*/lto-wrapper rix,
|
/{usr/,}lib/gcc/avr/[0-9]*/lto-wrapper rix,
|
||||||
/{usr/,}lib/gcc/avr/[0-9]*/lto1 rix,
|
/{usr/,}lib/gcc/avr/[0-9]*/lto1 rix,
|
||||||
|
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
|
||||||
/{usr/,}lib/avr/bin/as rix,
|
/{usr/,}lib/avr/bin/as rix,
|
||||||
/{usr/,}lib/avr/bin/ar rix,
|
/{usr/,}lib/avr/bin/ar rix,
|
||||||
/{usr/,}lib/avr/bin/ld rix,
|
/{usr/,}lib/avr/bin/ld rix,
|
||||||
|
|
|
||||||
|
|
@ -92,10 +92,14 @@ profile borg @{exec_path} {
|
||||||
|
|
||||||
/{usr/,}bin/ccache mr,
|
/{usr/,}bin/ccache mr,
|
||||||
|
|
||||||
|
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
|
||||||
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
|
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
|
||||||
|
/{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix,
|
||||||
|
|
||||||
/media/ccache/*/** rw,
|
/media/ccache/*/** rw,
|
||||||
|
|
||||||
|
/etc/debian_version r,
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
profile fusermount {
|
profile fusermount {
|
||||||
|
|
|
||||||
|
|
@ -49,6 +49,7 @@ profile dkms @{exec_path} {
|
||||||
/{usr/,}bin/make rix,
|
/{usr/,}bin/make rix,
|
||||||
/{usr/,}bin/{,@{multiarch}-}* rix,
|
/{usr/,}bin/{,@{multiarch}-}* rix,
|
||||||
/{usr/,}lib/gcc/@{multiarch}/[0-9]*/* rix,
|
/{usr/,}lib/gcc/@{multiarch}/[0-9]*/* rix,
|
||||||
|
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
|
||||||
|
|
||||||
/{usr/,}bin/kmod rCx -> kmod,
|
/{usr/,}bin/kmod rCx -> kmod,
|
||||||
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
|
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
|
||||||
|
|
@ -70,6 +71,7 @@ profile dkms @{exec_path} {
|
||||||
/etc/dkms/{,**} r,
|
/etc/dkms/{,**} r,
|
||||||
|
|
||||||
# For building module in /usr/src/ subdirs
|
# For building module in /usr/src/ subdirs
|
||||||
|
/usr/src/ r,
|
||||||
/usr/src/** rw,
|
/usr/src/** rw,
|
||||||
/usr/src/linux-headers-*/scripts/gcc-plugins/*.so mr,
|
/usr/src/linux-headers-*/scripts/gcc-plugins/*.so mr,
|
||||||
/usr/src/linux-headers-*/scripts/** rix,
|
/usr/src/linux-headers-*/scripts/** rix,
|
||||||
|
|
|
||||||
|
|
@ -53,22 +53,25 @@ profile exim4 @{exec_path} {
|
||||||
/etc/email-addresses r,
|
/etc/email-addresses r,
|
||||||
/etc/aliases r,
|
/etc/aliases r,
|
||||||
|
|
||||||
deny /var/log/exim4/ w,
|
/var/log/exim4/ w,
|
||||||
/var/log/exim4/mainlog w,
|
/var/log/exim4/mainlog w,
|
||||||
/var/log/exim4/paniclog w,
|
/var/log/exim4/paniclog w,
|
||||||
|
/var/log/exim4/rejectlog w,
|
||||||
|
|
||||||
owner /var/spool/exim4/ r,
|
/var/spool/exim4/ r,
|
||||||
/var/spool/exim4/input/ r,
|
/var/spool/exim4/input/ r,
|
||||||
/var/spool/exim4/input/*-*-*-* rwk,
|
/var/spool/exim4/input/*-*-*-* rwk,
|
||||||
owner /var/spool/exim4/input/hdr.*-*-* rw,
|
owner /var/spool/exim4/input/hdr.*-*-* rw,
|
||||||
owner /var/spool/exim4/input/hdr.@{pid} rw,
|
owner /var/spool/exim4/input/hdr.@{pid} rw,
|
||||||
/var/spool/exim4/db/retry.lockfile rwk,
|
/var/spool/exim4/db/retry.lockfile rwk,
|
||||||
|
owner /var/spool/exim4/db/__db.retry rwk,
|
||||||
/var/spool/exim4/msglog/*-*-* w,
|
/var/spool/exim4/msglog/*-*-* w,
|
||||||
|
|
||||||
owner /var/mail/* rwk,
|
owner /var/mail/* rwk,
|
||||||
owner /var/mail/*.lock.*.[0-9a-f]*.[0-9a-f]* w,
|
owner /var/mail/*.lock.*.[0-9a-f]*.[0-9a-f]* w,
|
||||||
owner /var/mail/*.lock wl -> /var/mail/*.lock.*.[0-9a-f]*.[0-9a-f]*,
|
owner /var/mail/*.lock wl -> /var/mail/*.lock.*.[0-9a-f]*.[0-9a-f]*,
|
||||||
|
|
||||||
|
@{run}/exim4/ r,
|
||||||
owner @{run}/exim4/exim.pid rw,
|
owner @{run}/exim4/exim.pid rw,
|
||||||
|
|
||||||
owner @{run}/dbus/system_bus_socket rw,
|
owner @{run}/dbus/system_bus_socket rw,
|
||||||
|
|
|
||||||
|
|
@ -126,10 +126,14 @@ profile hardinfo @{exec_path} {
|
||||||
|
|
||||||
/{usr/,}bin/ccache mr,
|
/{usr/,}bin/ccache mr,
|
||||||
|
|
||||||
|
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
|
||||||
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
|
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
|
||||||
|
/{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix,
|
||||||
|
|
||||||
/media/ccache/*/** rw,
|
/media/ccache/*/** rw,
|
||||||
|
|
||||||
|
/etc/debian_version r,
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
profile javac {
|
profile javac {
|
||||||
|
|
|
||||||
|
|
@ -27,10 +27,12 @@ profile inxi @{exec_path} {
|
||||||
/{usr/,}bin/zsh rix,
|
/{usr/,}bin/zsh rix,
|
||||||
/{usr/,}bin/tty rix,
|
/{usr/,}bin/tty rix,
|
||||||
/{usr/,}bin/tput rix,
|
/{usr/,}bin/tput rix,
|
||||||
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
|
|
||||||
/{usr/,}bin/getconf rix,
|
/{usr/,}bin/getconf rix,
|
||||||
/{usr/,}bin/file rix,
|
/{usr/,}bin/file rix,
|
||||||
|
|
||||||
|
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
|
||||||
|
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
|
||||||
|
|
||||||
/{usr/,}bin/ip rCx -> ip,
|
/{usr/,}bin/ip rCx -> ip,
|
||||||
/{usr/,}lib/systemd/systemd rCx -> systemd,
|
/{usr/,}lib/systemd/systemd rCx -> systemd,
|
||||||
/{usr/,}bin/kmod rCx -> kmod,
|
/{usr/,}bin/kmod rCx -> kmod,
|
||||||
|
|
|
||||||
|
|
@ -16,6 +16,7 @@ profile kscreenlocker-greet @{exec_path} {
|
||||||
include <abstractions/dri-enumerate>
|
include <abstractions/dri-enumerate>
|
||||||
include <abstractions/mesa>
|
include <abstractions/mesa>
|
||||||
include <abstractions/qt5-compose-cache-write>
|
include <abstractions/qt5-compose-cache-write>
|
||||||
|
include <abstractions/qt5-shader-cache>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/deny-root-dir-access>
|
include <abstractions/deny-root-dir-access>
|
||||||
|
|
||||||
|
|
|
||||||
62
apparmor.d/profiles-m-z/merkaartor
Normal file
62
apparmor.d/profiles-m-z/merkaartor
Normal file
|
|
@ -0,0 +1,62 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2021 Mikhail Morfikov
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
include <tunables/global>
|
||||||
|
|
||||||
|
@{exec_path} = /{usr/,}bin/merkaartor
|
||||||
|
profile merkaartor @{exec_path} {
|
||||||
|
include <abstractions/base>
|
||||||
|
include <abstractions/gtk>
|
||||||
|
include <abstractions/fonts>
|
||||||
|
include <abstractions/fontconfig-cache-read>
|
||||||
|
include <abstractions/freedesktop.org>
|
||||||
|
include <abstractions/mesa>
|
||||||
|
include <abstractions/dri-common>
|
||||||
|
include <abstractions/dri-enumerate>
|
||||||
|
include <abstractions/qt5-settings-write>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/ssl_certs>
|
||||||
|
include <abstractions/openssl>
|
||||||
|
include <abstractions/user-download-strict>
|
||||||
|
|
||||||
|
network inet dgram,
|
||||||
|
network inet6 dgram,
|
||||||
|
network inet stream,
|
||||||
|
network inet6 stream,
|
||||||
|
network netlink dgram,
|
||||||
|
network netlink raw,
|
||||||
|
|
||||||
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
/usr/share/merkaartor/{,**} r,
|
||||||
|
|
||||||
|
owner @{HOME}/.config/Merkaartor/ rw,
|
||||||
|
owner @{HOME}/.config/Merkaartor/* rwkl -> @{HOME}/.config/Merkaartor/,
|
||||||
|
|
||||||
|
owner @{HOME}/.merkaartor/ rw,
|
||||||
|
owner @{HOME}/.merkaartor/* rw,
|
||||||
|
|
||||||
|
owner @{HOME}/merkaartor.log rw,
|
||||||
|
|
||||||
|
/var/lib/dbus/machine-id r,
|
||||||
|
/etc/machine-id r,
|
||||||
|
|
||||||
|
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
|
||||||
|
owner @{HOME}/.config/qt5ct/{,**} r,
|
||||||
|
/usr/share/qt5ct/** r,
|
||||||
|
|
||||||
|
/usr/share/hwdata/pnp.ids r,
|
||||||
|
|
||||||
|
deny owner @{PROC}/@{pid}/cmdline r,
|
||||||
|
|
||||||
|
owner /tmp/qtsingleapp-merkaa-* rw,
|
||||||
|
owner /tmp/qtsingleapp-merkaa-*-lockfile rwk,
|
||||||
|
|
||||||
|
@{sys}/devices/system/node/ r,
|
||||||
|
@{sys}/devices/system/node/node[0-9]*/meminfo r,
|
||||||
|
|
||||||
|
include if exists <local/merkaartor>
|
||||||
|
}
|
||||||
|
|
@ -17,10 +17,10 @@ profile minitube @{exec_path} {
|
||||||
include <abstractions/freedesktop.org>
|
include <abstractions/freedesktop.org>
|
||||||
include <abstractions/mesa>
|
include <abstractions/mesa>
|
||||||
include <abstractions/audio>
|
include <abstractions/audio>
|
||||||
include <abstractions/qt5-compose-cache-write>
|
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5-settings-write>
|
include <abstractions/qt5-settings-write>
|
||||||
include <abstractions/qt5-compose-cache-write>
|
include <abstractions/qt5-compose-cache-write>
|
||||||
|
include <abstractions/qt5-shader-cache>
|
||||||
include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
include <abstractions/ssl_certs>
|
include <abstractions/ssl_certs>
|
||||||
include <abstractions/deny-root-dir-access>
|
include <abstractions/deny-root-dir-access>
|
||||||
|
|
|
||||||
|
|
@ -11,7 +11,6 @@ profile pinentry-kwallet @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/freedesktop.org>
|
include <abstractions/freedesktop.org>
|
||||||
include <abstractions/deny-root-dir-access>
|
|
||||||
|
|
||||||
signal (send) set=(term, kill) peer=gpg-agent,
|
signal (send) set=(term, kill) peer=gpg-agent,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -18,7 +18,6 @@ profile pinentry-qt @{exec_path} {
|
||||||
include <abstractions/mesa>
|
include <abstractions/mesa>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5-compose-cache-write>
|
include <abstractions/qt5-compose-cache-write>
|
||||||
include <abstractions/deny-root-dir-access>
|
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
|
|
||||||
49
apparmor.d/profiles-m-z/pipewire
Normal file
49
apparmor.d/profiles-m-z/pipewire
Normal file
|
|
@ -0,0 +1,49 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2015-2020 Mikhail Morfikov
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
include <tunables/global>
|
||||||
|
|
||||||
|
@{exec_path} = /{usr/,}bin/pipewire
|
||||||
|
profile pipewire @{exec_path} {
|
||||||
|
include <abstractions/base>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
|
ptrace (read) peer=pipewire-media-session,
|
||||||
|
ptrace (read) peer=pipewire-pulse,
|
||||||
|
|
||||||
|
# Needed for all sound/music apps.
|
||||||
|
ptrace (read),
|
||||||
|
|
||||||
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
/etc/pipewire/pipewire.conf r,
|
||||||
|
/etc/pipewire/client.conf r,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/pipewire-[0-9]*.lock rwk,
|
||||||
|
|
||||||
|
/dev/snd/controlC[0-9]* rw,
|
||||||
|
/dev/snd/pcmC[0-9]*D[0-9]*p rw,
|
||||||
|
/dev/snd/pcmC[0-9]*D[0-9]*c rw,
|
||||||
|
|
||||||
|
/usr/share/alsa/{,**} r,
|
||||||
|
/etc/alsa/{,**} r,
|
||||||
|
|
||||||
|
/dev/shm/ r,
|
||||||
|
@{run}/shm/ r,
|
||||||
|
/etc/pulse/{,**} r,
|
||||||
|
owner @{HOME}/.config/pulse/ rw,
|
||||||
|
owner @{HOME}/.config/pulse/cookie rwk,
|
||||||
|
owner @{run}/user/@{uid}/pulse/ r,
|
||||||
|
|
||||||
|
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||||
|
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||||
|
@{sys}/devices/virtual/dmi/id/board_vendor r,
|
||||||
|
@{sys}/devices/virtual/dmi/id/bios_vendor r,
|
||||||
|
|
||||||
|
/ r,
|
||||||
|
|
||||||
|
include if exists <local/pipewire>
|
||||||
|
}
|
||||||
54
apparmor.d/profiles-m-z/pipewire-media-session
Normal file
54
apparmor.d/profiles-m-z/pipewire-media-session
Normal file
|
|
@ -0,0 +1,54 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2015-2020 Mikhail Morfikov
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
include <tunables/global>
|
||||||
|
|
||||||
|
@{exec_path} = /{usr/,}bin/pipewire-media-session
|
||||||
|
profile pipewire-media-session @{exec_path} {
|
||||||
|
include <abstractions/base>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
|
network netlink raw,
|
||||||
|
|
||||||
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
/etc/pipewire/media-session.d/*.conf r,
|
||||||
|
|
||||||
|
owner @{HOME}/.config/pipewire/ rw,
|
||||||
|
owner @{HOME}/.config/pipewire/** rw,
|
||||||
|
|
||||||
|
/dev/snd/controlC[0-9]* rw,
|
||||||
|
/dev/snd/pcmC[0-9]*D[0-9]*p rw,
|
||||||
|
/dev/snd/pcmC[0-9]*D[0-9]*c rw,
|
||||||
|
|
||||||
|
/usr/share/alsa-card-profile/{,**} r,
|
||||||
|
/usr/share/alsa/{,**} r,
|
||||||
|
/etc/alsa/{,**} r,
|
||||||
|
|
||||||
|
/dev/shm/ r,
|
||||||
|
@{run}/shm/ r,
|
||||||
|
/etc/pulse/{,**} r,
|
||||||
|
owner @{HOME}/.config/pulse/ rw,
|
||||||
|
owner @{HOME}/.config/pulse/cookie rwk,
|
||||||
|
owner @{run}/user/@{uid}/pulse/ rw,
|
||||||
|
|
||||||
|
@{sys}/bus/ r,
|
||||||
|
@{sys}/class/ r,
|
||||||
|
@{sys}/class/sound/ r,
|
||||||
|
@{sys}/class/video4linux/ r,
|
||||||
|
|
||||||
|
@{sys}/devices/**/sound/**/uevent r,
|
||||||
|
|
||||||
|
@{run}/udev/data/+sound:card[0-9]* r, # For sound
|
||||||
|
@{run}/udev/data/c116:[0-9]* r, # For ALSA
|
||||||
|
|
||||||
|
@{run}/systemd/users/@{uid} r,
|
||||||
|
|
||||||
|
@{sys}/devices/system/node/ r,
|
||||||
|
@{sys}/devices/system/node/node[0-9]*/meminfo r,
|
||||||
|
|
||||||
|
include if exists <local/pipewire-media-session>
|
||||||
|
}
|
||||||
36
apparmor.d/profiles-m-z/pipewire-pulse
Normal file
36
apparmor.d/profiles-m-z/pipewire-pulse
Normal file
|
|
@ -0,0 +1,36 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2015-2020 Mikhail Morfikov
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
include <tunables/global>
|
||||||
|
|
||||||
|
@{exec_path} = /{usr/,}bin/pipewire-pulse
|
||||||
|
profile pipewire-pulse @{exec_path} {
|
||||||
|
include <abstractions/base>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
|
ptrace (read) peer=pipewire,
|
||||||
|
ptrace (read) peer=pipewire-media-session,
|
||||||
|
|
||||||
|
# Needed for all sound/music apps.
|
||||||
|
ptrace (read),
|
||||||
|
|
||||||
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
/etc/pipewire/client.conf r,
|
||||||
|
|
||||||
|
/etc/pipewire/pipewire-pulse.conf r,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/pulse/pid w,
|
||||||
|
|
||||||
|
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||||
|
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||||
|
@{sys}/devices/virtual/dmi/id/board_vendor r,
|
||||||
|
@{sys}/devices/virtual/dmi/id/bios_vendor r,
|
||||||
|
|
||||||
|
/ r,
|
||||||
|
|
||||||
|
include if exists <local/pipewire-pulse>
|
||||||
|
}
|
||||||
|
|
@ -30,21 +30,22 @@ profile polkitd @{exec_path} {
|
||||||
@{PROC}/cmdline r,
|
@{PROC}/cmdline r,
|
||||||
|
|
||||||
# System rules
|
# System rules
|
||||||
/etc/polkit-1/rules.d/{,[0-9][0-9]-*.rules} r,
|
/etc/polkit-1/rules.d/ r,
|
||||||
|
/etc/polkit-1/rules.d/[0-9][0-9]-*.rules r,
|
||||||
|
|
||||||
# Vendor rules
|
# Vendor rules
|
||||||
/usr/share/polkit-1/rules.d/{,*.rules} r,
|
/usr/share/polkit-1/rules.d/ r,
|
||||||
|
/usr/share/polkit-1/rules.d/*.rules r,
|
||||||
|
|
||||||
# Vendor policies
|
# Vendor policies
|
||||||
/usr/share/polkit-1/actions/{,*.policy} r,
|
/usr/share/polkit-1/actions/ r,
|
||||||
|
/usr/share/polkit-1/actions/*.policy r,
|
||||||
|
/usr/share/polkit-1/actions/*.policy.choice r,
|
||||||
|
|
||||||
owner /var/lib/polkit-1/.cache/ rw,
|
owner /var/lib/polkit-1/.cache/ rw,
|
||||||
|
|
||||||
@{run}/systemd/sessions/* r,
|
@{run}/systemd/sessions/* r,
|
||||||
@{run}/systemd/users/@{uid} r,
|
@{run}/systemd/users/@{uid} r,
|
||||||
|
|
||||||
# Silencer
|
|
||||||
deny /.cache/ rw,
|
|
||||||
|
|
||||||
include if exists <local/polkitd>
|
include if exists <local/polkitd>
|
||||||
}
|
}
|
||||||
|
|
|
||||||
44
apparmor.d/profiles-m-z/pulseeffects
Normal file
44
apparmor.d/profiles-m-z/pulseeffects
Normal file
|
|
@ -0,0 +1,44 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2015-2020 Mikhail Morfikov
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
include <tunables/global>
|
||||||
|
|
||||||
|
@{exec_path} = /{usr/,}bin/pulseeffects
|
||||||
|
profile pulseeffects @{exec_path} {
|
||||||
|
include <abstractions/base>
|
||||||
|
include <abstractions/gtk>
|
||||||
|
include <abstractions/fonts>
|
||||||
|
include <abstractions/fontconfig-cache-read>
|
||||||
|
include <abstractions/freedesktop.org>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/gstreamer>
|
||||||
|
|
||||||
|
network netlink raw,
|
||||||
|
|
||||||
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
/etc/pipewire/pipewire.conf r,
|
||||||
|
/etc/pipewire/client.conf r,
|
||||||
|
|
||||||
|
owner @{HOME}/.config/PulseEffects/ rw,
|
||||||
|
owner @{HOME}/.config/PulseEffects/** rw,
|
||||||
|
|
||||||
|
owner @{HOME}/.config/autostart/pulseeffects-service.desktop w,
|
||||||
|
|
||||||
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
|
||||||
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
|
|
||||||
|
include <abstractions/dconf>
|
||||||
|
owner @{run}/user/@{uid}/dconf/ rw,
|
||||||
|
owner @{run}/user/@{uid}/dconf/user rw,
|
||||||
|
|
||||||
|
# file_inherit
|
||||||
|
owner /dev/tty[0-9]* rw,
|
||||||
|
|
||||||
|
include if exists <local/pulseeffects>
|
||||||
|
}
|
||||||
|
|
@ -19,6 +19,7 @@ profile rpi-imager @{exec_path} {
|
||||||
include <abstractions/ssl_certs>
|
include <abstractions/ssl_certs>
|
||||||
include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
include <abstractions/mesa>
|
include <abstractions/mesa>
|
||||||
|
include <abstractions/qt5-shader-cache>
|
||||||
include <abstractions/user-download-strict>
|
include <abstractions/user-download-strict>
|
||||||
include <abstractions/disks-write>
|
include <abstractions/disks-write>
|
||||||
|
|
||||||
|
|
@ -28,7 +29,7 @@ profile rpi-imager @{exec_path} {
|
||||||
network inet dgram,
|
network inet dgram,
|
||||||
network inet6 dgram,
|
network inet6 dgram,
|
||||||
network inet stream,
|
network inet stream,
|
||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
network netlink dgram,
|
network netlink dgram,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -14,6 +14,7 @@ profile sddm-greeter @{exec_path} {
|
||||||
include <abstractions/fonts>
|
include <abstractions/fonts>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/mesa>
|
include <abstractions/mesa>
|
||||||
|
include <abstractions/qt5-shader-cache>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
|
||||||
|
|
@ -104,10 +104,14 @@ profile spectre-meltdown-checker @{exec_path} {
|
||||||
|
|
||||||
/{usr/,}bin/ccache mr,
|
/{usr/,}bin/ccache mr,
|
||||||
|
|
||||||
|
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
|
||||||
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
|
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
|
||||||
|
/{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix,
|
||||||
|
|
||||||
/media/ccache/*/** rw,
|
/media/ccache/*/** rw,
|
||||||
|
|
||||||
|
/etc/debian_version r,
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
profile pgrep {
|
profile pgrep {
|
||||||
|
|
|
||||||
54
apparmor.d/profiles-m-z/thermald
Normal file
54
apparmor.d/profiles-m-z/thermald
Normal file
|
|
@ -0,0 +1,54 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2015-2020 Mikhail Morfikov
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
include <tunables/global>
|
||||||
|
|
||||||
|
@{exec_path} = /{usr/,}sbin/thermald
|
||||||
|
profile thermald @{exec_path} {
|
||||||
|
include <abstractions/base>
|
||||||
|
|
||||||
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
owner @{run}/thermald/ rw,
|
||||||
|
owner @{run}/thermald/thd_preference.conf rw,
|
||||||
|
owner @{run}/thermald/thd_preference.conf.save w,
|
||||||
|
owner @{run}/thermald/thermald.pid rwk,
|
||||||
|
|
||||||
|
/etc/thermald/thermal-conf.xml r,
|
||||||
|
/etc/thermald/thermal-cpu-cdev-order.xml r,
|
||||||
|
|
||||||
|
@{sys}/class/hwmon/ r,
|
||||||
|
@{sys}/class/thermal/ r,
|
||||||
|
@{sys}/devices/platform/ r,
|
||||||
|
|
||||||
|
@{sys}/devices/system/cpu/present r,
|
||||||
|
@{sys}/devices/system/cpu/intel_pstate/max_perf_pct r,
|
||||||
|
@{sys}/devices/system/cpu/intel_pstate/status r,
|
||||||
|
|
||||||
|
@{sys}/devices/pci[0-9]*/**/drm/**/intel_backlight/max_brightness r,
|
||||||
|
|
||||||
|
@{sys}/devices/**/hwmon[0-9]*/name r,
|
||||||
|
@{sys}/devices/**/hwmon[0-9]*/temp[0-9]*_{max,crit} r,
|
||||||
|
|
||||||
|
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||||
|
@{sys}/devices/virtual/dmi/id/product_uuid r,
|
||||||
|
|
||||||
|
@{sys}/devices/virtual/thermal/**/{type,temp} r,
|
||||||
|
|
||||||
|
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/ r,
|
||||||
|
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_temp rw,
|
||||||
|
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_type r,
|
||||||
|
|
||||||
|
@{sys}/devices/virtual/thermal/cooling_device[0-9]*/cur_state rw,
|
||||||
|
@{sys}/devices/virtual/thermal/cooling_device[0-9]*/max_state r,
|
||||||
|
|
||||||
|
@{sys}/devices/virtual/powercap/intel-rapl/ r,
|
||||||
|
@{sys}/devices/virtual/powercap/intel-rapl/**/name r,
|
||||||
|
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/ r,
|
||||||
|
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/* r,
|
||||||
|
|
||||||
|
include if exists <local/thermald>
|
||||||
|
}
|
||||||
|
|
@ -43,6 +43,7 @@ profile vidcutter @{exec_path} {
|
||||||
include <abstractions/mesa>
|
include <abstractions/mesa>
|
||||||
include <abstractions/qt5-settings-write>
|
include <abstractions/qt5-settings-write>
|
||||||
include <abstractions/qt5-compose-cache-write>
|
include <abstractions/qt5-compose-cache-write>
|
||||||
|
include <abstractions/qt5-shader-cache>
|
||||||
include <abstractions/user-download-strict>
|
include <abstractions/user-download-strict>
|
||||||
include <abstractions/audio>
|
include <abstractions/audio>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
|
||||||
|
|
@ -36,8 +36,9 @@ profile volumeicon @{exec_path} {
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
|
|
||||||
# Start the PulseAudio sound mixer
|
# Start the PulseAudio sound mixer
|
||||||
/{usr/,}bin/{,ba,da}sh rix,
|
/{usr/,}bin/{,ba,da}sh rix,
|
||||||
/{usr/,}bin/pavucontrol rPUx,
|
/{usr/,}bin/pavucontrol rPUx,
|
||||||
|
/{usr/,}bin/pulseeffects rPUx,
|
||||||
|
|
||||||
# file_inherit
|
# file_inherit
|
||||||
owner /dev/tty[0-9]* rw,
|
owner /dev/tty[0-9]* rw,
|
||||||
|
|
|
||||||
|
|
@ -47,8 +47,6 @@ profile xdg-mime @{exec_path} {
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/ r,
|
owner @{run}/user/@{uid}/ r,
|
||||||
|
|
||||||
/dev/tty rw,
|
|
||||||
|
|
||||||
# For shell pwd
|
# For shell pwd
|
||||||
owner @{HOME}/ r,
|
owner @{HOME}/ r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -16,6 +16,7 @@ profile xrdb @{exec_path} {
|
||||||
/{usr/,}bin/{,ba,da}sh rix,
|
/{usr/,}bin/{,ba,da}sh rix,
|
||||||
/{usr/,}bin/{,@{multiarch}-}cpp-[0-9]* rix,
|
/{usr/,}bin/{,@{multiarch}-}cpp-[0-9]* rix,
|
||||||
/{usr/,}lib/gcc/@{multiarch}/[0-9]*/cc1 rix,
|
/{usr/,}lib/gcc/@{multiarch}/[0-9]*/cc1 rix,
|
||||||
|
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
|
||||||
/usr/include/stdc-predef.h r,
|
/usr/include/stdc-predef.h r,
|
||||||
|
|
||||||
owner @{HOME}/.Xauthority r,
|
owner @{HOME}/.Xauthority r,
|
||||||
|
|
|
||||||
|
|
@ -65,7 +65,8 @@ profile youtube-dl @{exec_path} {
|
||||||
/{usr/,}bin/python3.[0-9]* r,
|
/{usr/,}bin/python3.[0-9]* r,
|
||||||
|
|
||||||
/{usr/,}bin/ r,
|
/{usr/,}bin/ r,
|
||||||
/{usr/,}bin/gcc rix,
|
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
|
||||||
|
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
|
||||||
/{usr/,}{s,}bin/ldconfig rix,
|
/{usr/,}{s,}bin/ldconfig rix,
|
||||||
/{usr/,}bin/uname rix,
|
/{usr/,}bin/uname rix,
|
||||||
/{usr/,}bin/rtmpdump rix,
|
/{usr/,}bin/rtmpdump rix,
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue