felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profiles): define more xdg variables.

Browse source
This commit is contained in:
Alexandre Pujol 2022-06-26 17:32:12 +01:00
parent b3a28da5e5
commit e087349662
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
35 changed files with 103 additions and 128 deletions
Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/groups/apps/atom
View file

@ -88,8 +88,8 @@ profile atom @{exec_path} {
/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/ r,
owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/ r,
owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/** rwkl -> @{MOUNTS}/@{XDG_PROJECTS_DIR}/**,
owner @{user_projects_dirs}/ r,
owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
owner @{user_config_dirs}/git/config r,

8
apparmor.d/groups/apps/calibre
View file

@ -75,12 +75,8 @@ profile calibre @{exec_path} {
/usr/share/calibre/{,**} r,
owner @{HOME}/@{XDG_BOOKS_DIR} rw,
owner @{HOME}/@{XDG_BOOKS_DIR}/** rwkl,
owner @{MOUNTS}/@{XDG_BOOKS_DIR}/ r,
owner @{MOUNTS}/@{XDG_BOOKS_DIR}*/ rw,
owner @{MOUNTS}/@{XDG_BOOKS_DIR}*/** rwkl -> @{MOUNTS}/@{XDG_BOOKS_DIR}*/**,
owner @{user_books_dirs} rw,
owner @{user_books_dirs}/** rwkl -> @{user_books_dirs}/**,
owner @{user_config_dirs}/calibre/ rw,
owner @{user_config_dirs}/calibre/** rwk,

6
apparmor.d/groups/apps/code
View file

@ -64,10 +64,8 @@ profile code @{exec_path} {
owner @{HOME}/.vscode/** rwlk -> @{HOME}/.vscode/**,
# Git dirs
/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/ r,
owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/** rwkl -> @{MOUNTS}/@{XDG_PROJECTS_DIR}/**,
owner @{user_projects_dirs}/ r,
owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
/etc/fstab r,

3
apparmor.d/groups/gnome/gnome-music
View file

@ -38,8 +38,7 @@ profile gnome-music @{exec_path} {
/etc/machine-id r,
owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} r,
owner @{MOUNTS}/@{XDG_MUSIC_DIR}/{,**} r,
owner @{user_music_dirs}/{,**} r,
owner @{user_cache_dirs}/gnome-music/{,**} rwk,
owner @{user_cache_dirs}/media-art/album-*.jpeg rw,

3
apparmor.d/groups/gnome/gnome-photos-thumbnailer
View file

@ -15,8 +15,7 @@ profile gnome-photos-thumbnailer @{exec_path} {
/usr/share/mime/mime.cache r,
owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} r,
owner @{MOUNTS}/@{XDG_PICTURES_DIR}/{,**} r,
owner @{user_pictures_dirs}/{,**} r,
owner @{user_cache_dirs}/babl/{,**} r,
owner @{user_cache_dirs}/gegl-*/{,**} r,

3
apparmor.d/groups/gnome/gnome-shell
View file

@ -170,10 +170,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
/var/lib/snapd/desktop/icons/{,**} r,
owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
owner @{HOME}/@{XDG_MUSIC_DIR}/**/*.jpg r,
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
owner @{user_music_dirs}/**/*.jpg r,
owner @{user_config_dirs}/.goutputstream{,*} rw,
owner @{user_config_dirs}/monitors.xml{,~} rwl,

4
apparmor.d/groups/gpg/gpg
View file

@ -30,8 +30,8 @@ profile gpg @{exec_path} {
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/ rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/**,
owner @{user_projects_dirs}/**/gnupg/ rw,
owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**,
owner /var/lib/*/gnupg/ rw,
owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**,

12
apparmor.d/groups/gpg/gpg-agent
View file

@ -36,12 +36,12 @@ profile gpg-agent @{exec_path} {
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/sshcontrol r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/ rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/gpg-agent.conf r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/ rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/sshcontrol r,
owner @{user_projects_dirs}/**/{.,}gnupg/ rw,
owner @{user_projects_dirs}/**/{.,}gnupg/gpg-agent.conf r,
owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,
owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
owner @{user_projects_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
owner @{user_projects_dirs}/**/{.,}gnupg/sshcontrol r,
owner @{run}/user/@{uid}/gnupg/ rw,
owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r,

2
apparmor.d/groups/gpg/gpgconf
View file

@ -24,7 +24,7 @@ profile gpgconf @{exec_path} {
/{usr/,}bin/pinentry-* rPx,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/**,
owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**,
owner @{PROC}/@{pid}/task/@{tid}/stat rw,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,

2
apparmor.d/groups/gpg/gpgsm
View file

@ -16,7 +16,7 @@ profile gpgsm @{exec_path} {
deny /usr/bin/.gnupg/ w,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**,
owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**,
owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**,

4
apparmor.d/groups/ssh/ssh
View file

@ -30,8 +30,8 @@ profile ssh @{exec_path} {
owner @{HOME}/@{XDG_SSH_DIR}/config r,
owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl,
owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/ssh/{,*} r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/config r,
owner @{user_projects_dirs}/**/ssh/{,*} r,
owner @{user_projects_dirs}/**/config r,
/etc/ssh/ssh_config r,
/etc/ssh/ssh_config.d/{,*} r,

2
apparmor.d/groups/ssh/ssh-agent
View file

@ -29,7 +29,7 @@ profile ssh-agent @{exec_path} {
# SSH keys
owner @{HOME}/@{XDG_SSH_DIR}/ rw,
owner @{HOME}/@{XDG_SSH_DIR}/* r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/ssh/{,*} r,
owner @{user_projects_dirs}/**/ssh/{,*} r,
# When started via systemd
@{run}/user/@{uid}/openssh_agent rw,

2
apparmor.d/groups/ssh/sshd
View file

@ -77,7 +77,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
/etc/ssh/sshd_config.d/{,*} r,
# For scp
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rwl,
owner @{user_download_dirs}/{,**} rwl,
owner @{user_sync_dirs}/{,**} rwl,
owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r,

6
apparmor.d/groups/virt/libvirtd
View file

@ -141,10 +141,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
# User VM images and share
@{user_share_dirs}/ r,
@{user_share_dirs}/libvirt/{,**} rwk,
@{HOME}/@{XDG_VM_DIR}/{,**} rwk,
@{MOUNTS}/@{XDG_VM_DIR}/{,**} rwk,
@{HOME}/@{XDG_PUBLICSHARE_DIR}/{,**} rw,
@{MOUNTS}/@{XDG_PUBLICSHARE_DIR}/{,**} rw,
@{user_vm_dirs}/{,**} rwk,
@{user_publicshare_dirs}/{,**} rw,
@{run}/libvirt/ rw,
@{run}/libvirt/** rwk,