feat(abs): add the devices-u2f abs.
This commit is contained in:
parent
94444077a8
commit
e4b6e7e92b
4 changed files with 26 additions and 5 deletions
|
|
@ -36,6 +36,7 @@
|
||||||
include <abstractions/common/chromium>
|
include <abstractions/common/chromium>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/desktop>
|
include <abstractions/desktop>
|
||||||
|
include <abstractions/devices-u2f>
|
||||||
include <abstractions/devices-usb-read>
|
include <abstractions/devices-usb-read>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
|
|
@ -154,9 +155,7 @@
|
||||||
@{sys}/class/**/ r,
|
@{sys}/class/**/ r,
|
||||||
@{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r,
|
@{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r,
|
||||||
@{sys}/devices/@{pci}/boot_vga r,
|
@{sys}/devices/@{pci}/boot_vga r,
|
||||||
@{sys}/devices/@{pci}/report_descriptor r,
|
|
||||||
@{sys}/devices/**/uevent r,
|
@{sys}/devices/**/uevent r,
|
||||||
@{sys}/devices/virtual/**/report_descriptor r,
|
|
||||||
|
|
||||||
@{PROC}/ r,
|
@{PROC}/ r,
|
||||||
@{PROC}/@{pid}/fd/ r,
|
@{PROC}/@{pid}/fd/ r,
|
||||||
|
|
@ -181,7 +180,6 @@
|
||||||
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||||
|
|
||||||
/dev/ r,
|
/dev/ r,
|
||||||
/dev/hidraw@{int} rw,
|
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
owner /dev/tty@{int} rw,
|
owner /dev/tty@{int} rw,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -31,6 +31,7 @@
|
||||||
include <abstractions/cups-client>
|
include <abstractions/cups-client>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/desktop>
|
include <abstractions/desktop>
|
||||||
|
include <abstractions/devices-u2f>
|
||||||
include <abstractions/enchant>
|
include <abstractions/enchant>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
|
|
@ -164,7 +165,6 @@
|
||||||
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
|
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
|
||||||
|
|
||||||
/dev/ r,
|
/dev/ r,
|
||||||
/dev/hidraw@{int} rw,
|
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
/dev/video@{int} rw,
|
/dev/video@{int} rw,
|
||||||
owner /dev/tty@{int} rw, # File Inherit
|
owner /dev/tty@{int} rw, # File Inherit
|
||||||
|
|
|
||||||
|
|
@ -21,6 +21,7 @@
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/cups-client>
|
include <abstractions/cups-client>
|
||||||
include <abstractions/desktop>
|
include <abstractions/desktop>
|
||||||
|
include <abstractions/devices-u2f>
|
||||||
include <abstractions/devices-usb>
|
include <abstractions/devices-usb>
|
||||||
include <abstractions/disks-read>
|
include <abstractions/disks-read>
|
||||||
include <abstractions/enchant>
|
include <abstractions/enchant>
|
||||||
|
|
@ -148,7 +149,6 @@
|
||||||
@{att}/dev/dri/renderD129 rw,
|
@{att}/dev/dri/renderD129 rw,
|
||||||
owner @{att}/dev/shm/@{uuid} r,
|
owner @{att}/dev/shm/@{uuid} r,
|
||||||
|
|
||||||
/dev/hidraw@{int} rw,
|
|
||||||
/dev/ptmx rw,
|
/dev/ptmx rw,
|
||||||
/dev/pts/ptmx rw,
|
/dev/pts/ptmx rw,
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
|
|
|
||||||
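--- /dev/null
+++ b/apparmor.d/abstractions/devices-u2f
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019 Canonical Ltd
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allows access to Universal 2nd Factor (U2F) devices
+
+abi <abi/4.0>,
+
+@{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers)
+
+# Needed for dynamic assignment of U2F devices
+@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
+
+@{sys}/devices/**/i2c*/**/report_descriptor r,
+@{sys}/devices/**/usb@{int}/**/report_descriptor r,
+
+# Allow raw access HDI (Human Interface Devices) wich is how U2F devices are exposed
+/dev/hidraw@{int} rw,
+
+include if exists <abstractions/devices-u2f.d>
+
+# vim:syntax=apparmor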
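Review bot: The report_descriptor rules added here (`@{sys}/devices/**/i2c*/**/report_descriptor r,` and `@{sys}/devices/**/usb@{int}/**/report_descriptor r,`) do not cover the `@{sys}/devices/virtual/**/report_descriptor r,` rule that the first file's second hunk (`@ -154,9 +155,7 @@`) deletes, so if that profile relied on virtual HID devices (uhid-backed, for instance — not verifiable from this page) it loses that access once it depends on this abstraction alone. Either keep that rule in the profile or add `@{sys}/devices/virtual/**/report_descriptor r,` here with a comment naming the device class that surfaces there. The `@{run}/udev/data/+power_supply:* r,` rule's trailing comment says what it matches but not why a U2F abstraction needs power-supply udev data; a why-comment such as `# <consumer> enumerates udev device data, which includes power_supply entries — TODO confirm` (placeholder) should justify it, or the grant belongs in the profiles that actually need it. The comment above `/dev/hidraw@{int} rw,` should read `# Allow raw access to HID (Human Interface Devices), which is how U2F devices are exposed`. Since hidraw nodes cannot be narrowed to U2F tokens by path, the header comment could also state that every profile including this abstraction gains read/write on all HID raw devices, so maintainers weigh that when adding it.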