Merge branch 'master' into ubuntu2204__2

nobodysu 2022-08-18 15:36:21 +00:00 committed by GitHub
commit e65a78972b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
483 changed files with 7221 additions and 2538 deletions


@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{AS_LIBDIR} = @{MOUNTS}/*/android-studio
@{AS_SDKDIR} = @{MOUNTS}/*/SDK
@{AS_LIBDIR} = @{MOUNTS}/android-studio
@{AS_SDKDIR} = @{MOUNTS}/SDK
@{AS_HOMEDIR} = @{HOME}/.AndroidStudio*
@{AS_PROJECTDIR} = @{HOME}/AndroidStudioProjects


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom /{usr/,}bin/atom
profile atom @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
@ -86,18 +87,14 @@ profile atom @{exec_path} {
# Git dirs
/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/*/ r,
owner @{MOUNTS}/*/atom/ r,
owner @{MOUNTS}/*/atom/** rwkl -> @{MOUNTS}/*/atom/**,
owner @{MOUNTS}/ r,
owner @{user_projects_dirs}/ r,
owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
owner @{user_config_dirs}/git/config r,
/etc/fstab r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# Needed or atom gets crash with the following error:
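Review bot: The new rules `owner @{user_projects_dirs}/ r,` and `owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,` in the `# Git dirs` block widen the write-and-link scope from the old `@{MOUNTS}/*/atom/` subtree to the whole of every project directory, if I read the old and new sides of the rendered hunk correctly. That is plausibly what a workspace editor needs, but the broadening deserves a one-line comment so it is not mistaken for an accident later, e.g. `# Any project directory may be opened as a workspace; links must stay inside the same tree`. The same change appears in the code section below (its `# Git dirs` block), where the same comment applies. The enclosing profile continues outside the hunk.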


@ -75,12 +75,8 @@ profile calibre @{exec_path} {
/usr/share/calibre/{,**} r,
owner @{HOME}/@{XDG_BOOKS_DIR} rw,
owner @{HOME}/@{XDG_BOOKS_DIR}/** rwkl,
owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}/ r,
owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/ rw,
owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/** rwkl -> @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/**,
owner @{user_books_dirs} rw,
owner @{user_books_dirs}/** rwkl -> @{user_books_dirs}/**,
owner @{user_config_dirs}/calibre/ rw,
owner @{user_config_dirs}/calibre/** rwk,


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/code/{bin/,}code /{usr/,}bin/code
profile code @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
@ -63,18 +64,11 @@ profile code @{exec_path} {
owner @{HOME}/.vscode/** rwlk -> @{HOME}/.vscode/**,
# Git dirs
/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/*/ r,
owner @{MOUNTS}/*/code/ r,
owner @{MOUNTS}/*/code/** rwkl -> @{MOUNTS}/*/code/**,
owner @{user_projects_dirs}/ r,
owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
/etc/fstab r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# Needed or code gets crash with the following error:


@ -56,8 +56,8 @@ profile filezilla @{exec_path} {
/{usr/,}lib/firefox/firefox rPUx,
# FTP share folder
owner @{MOUNTS}/*/ftp/ r,
owner @{MOUNTS}/*/ftp/** rw,
owner @{MOUNTS}/ftp/ r,
owner @{MOUNTS}/ftp/** rw,
# Silencer
/ r,


@ -15,6 +15,7 @@ include <tunables/global>
profile freetube @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/opencl-intel>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
@ -67,10 +68,6 @@ profile freetube @{exec_path} {
/etc/fstab r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{user_share_dirs} r,


@ -12,6 +12,7 @@ include <tunables/global>
profile telegram-desktop @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/fonts>
@ -74,10 +75,6 @@ profile telegram-desktop @{exec_path} {
/var/lib/dbus/machine-id r,
/etc/machine-id r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
# Needed when saving files as, or otherwise the app crashes
/usr/share/glib-2.0/schemas/gschemas.compiled r,


@ -3,7 +3,6 @@
# SPDX-License-Identifier: GPL-2.0-only
# Useful info:
# http://kb.mozillazine.org/Files_and_folders_in_the_profile_-_Thunderbird
#
abi <abi/3.0>,
@ -19,6 +18,10 @@ profile thunderbird @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/opencl-intel>
include <abstractions/wayland>
include <abstractions/nvidia>
include <abstractions/vulkan>
include <abstractions/mesa>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
@ -27,9 +30,13 @@ profile thunderbird @{exec_path} {
include <abstractions/enchant>
include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/dconf-write>
include <abstractions/ibus>
include <abstractions/dbus-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-gtk>
ptrace peer=@{profile_name},
@ -47,6 +54,30 @@ profile thunderbird @{exec_path} {
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w,
dbus (send) bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=RequestName
peer=(name=org.freedesktop.DBus),
dbus (send) bus=system path=/org/freedesktop/RealtimeKit[0-9]*
member={Get,MakeThreadHighPriority,MakeThreadRealtime}
peer=(name=org.freedesktop.RealtimeKit[0-9]*),
dbus (send) bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=EnumerateDevices
peer=(name=org.freedesktop.UPower),
dbus (send) bus=session path=/ca/desrt/dconf/Writer/user
interface=ca.desrt.dconf.Writer
member={Change,Notify}
peer=(name=ca.desrt.dconf),
dbus (bind) bus=session
name=org.mozilla.thunderbird.*,
owner /tmp/dbus-[0-9a-zA-Z]* rw,
@{exec_path} mrix,
@{MOZ_LIBDIR}/thunderbird-wrapper-helper.sh rix,
@ -91,10 +122,6 @@ profile thunderbird @{exec_path} {
owner @{HOME}/Mail/ rw,
owner @{HOME}/Mail/** rwl -> @{HOME}/Mail/**,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
# Fix error in libglib while saving files as
/usr/share/glib-2.0/schemas/gschemas.compiled r,
@ -115,6 +142,11 @@ profile thunderbird @{exec_path} {
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
# gnome-tiny
/etc/gnome/defaults.list r,
/usr/share/gvfs/remote-volume-monitors/{,*} r,
@{run}/mount/utab r,
deny @{sys}/devices/system/cpu/present r,
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
@ -124,8 +156,9 @@ profile thunderbird @{exec_path} {
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/statm r,
owner @{PROC}/@{pid}/smaps r,
deny owner @{PROC}/@{pids}/cmdline r,
deny owner @{PROC}/@{pids}/environ r,
owner @{PROC}/@{pid}/comm r,
deny owner @{PROC}/@{pid}/cmdline r,
deny owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
# To remove the following error:
@ -133,14 +166,11 @@ profile thunderbird @{exec_path} {
# (g-file-error-quark, 2)
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny @{PROC}/@{pid}/net/arp r,
deny @{PROC}/@{pid}/net/route r,
deny @{PROC}/@{pids}/net/arp r,
deny @{PROC}/@{pids}/net/route r,
# for dig
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# TMP files
/var/tmp/ r,
/tmp/ r,
@ -158,12 +188,14 @@ profile thunderbird @{exec_path} {
/dev/shm/ r,
owner /dev/shm/org.chromium.* rw,
owner /dev/shm/org.mozilla.ipc.@{pid}.[0-9]* rw,
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
/etc/fstab r,
/etc/mailcap r,
/etc/timezone r,
/usr/share/sounds/freedesktop/stereo/*.oga r,
/usr/share/ubuntu/applications/{,*} r,
# Silencer
deny /{usr/,}lib/thunderbird/** w,
@ -181,15 +213,18 @@ profile thunderbird @{exec_path} {
/{usr/,}bin/gpgsm rCx -> gpg,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
/{usr/,}bin/qpdfview rPUx,
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/engrampa rPUx,
/{usr/,}bin/geany rPUx,
/{usr/,}bin/engrampa rPx,
/{usr/,}bin/geany rPx,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
@{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
profile gpg {
include <abstractions/base>
@ -203,7 +238,7 @@ profile thunderbird @{exec_path} {
/{usr/,}bin/gpg mr,
/{usr/,}bin/gpg-connect-agent mr,
/{usr/,}bin/gpgsm mr,
/{usr/,}bin/gpg-agent rix,
/{usr/,}bin/gpg-agent rix,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
@ -225,7 +260,7 @@ profile thunderbird @{exec_path} {
owner /tmp/data.sig r,
owner /tmp/data-[0-9]*.sig r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/fd/ r,
# file_inherit
owner /dev/tty[0-9]* rw,
@ -238,6 +273,7 @@ profile thunderbird @{exec_path} {
deny owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* rw,
owner /tmp/ns* rw,
include if exists <local/thunderbird_gpg>
}
profile open {
@ -249,7 +285,7 @@ profile thunderbird @{exec_path} {
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{,m,g}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@ -258,15 +294,16 @@ profile thunderbird @{exec_path} {
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
/{usr/,}bin/qpdfview rPUx,
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/engrampa rPUx,
/{usr/,}bin/geany rPUx,
/{usr/,}bin/engrampa rPx,
/{usr/,}bin/geany rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
include if exists <local/thunderbird_open>
}
include if exists <local/thunderbird>
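Review bot: In the `gpg` child profile the rule `@{PROC}/@{pids}/fd/ r,` carries no `owner` qualifier, so it allows listing the open-descriptor directory of any process whose /proc entry is readable, not only gpg's own; the other /proc rules in this profile (`owner @{PROC}/@{pid}/gid_map w,`, `owner @{PROC}/@{pid}/task/ r,`) are owner-qualified. Unless gpg is known to inspect foreign processes, `owner @{PROC}/@{pids}/fd/ r,` keeps the normal case working with a narrower grant. Separately, the move from `rPUx` to `rPx` for firefox, qpdfview, engrampa and geany, in both the main profile and the `open` child, means those launches are denied outright when the target profile is not loaded rather than falling back to unconfined; that is the stricter outcome, but a short comment above the `# Allowed apps to open` list noting that those four profiles must be installed would save the next reader a debugging session.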


@ -1,19 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt /{usr/,}bin/apt-get
@{exec_path} = /{usr/,}bin/apt /{usr/,}bin/apt-get /{usr/,}{s,}bin/aptd
profile apt @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/apt-common>
include <abstractions/dbus-strict>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/openssl>
include <abstractions/python>
capability chown,
capability dac_override,
@ -24,15 +27,46 @@ profile apt @{exec_path} flags=(attach_disconnected) {
capability net_admin,
capability setgid,
capability setuid,
capability sys_nice,
signal (send) peer=apt-methods-*,
unix (receive, send) type=stream peer=(label=apt-esm-json-hook),
dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/[0-9a-f]*}
interface=org.{debian.apt*,freedesktop.DBus.{Properties,Introspectable}},
dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.{DBus.Introspectable,PackageKit}
member={StateHasChanged,Introspect}
peer=(name=org.freedesktop.PackageKit),
dbus send bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager
member=Inhibit
peer=(name=org.freedesktop.login[0-9]),
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus{,.Introspectable}
member={RequestName,GetConnectionUnixProcessID,Introspect}
peer=(name=org.freedesktop.DBus),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.{DBus.Introspectable,PolicyKit1.Authority}
member={CheckAuthorization,Introspect},
dbus bind bus=system
name= org.debian.apt,
@{exec_path} mr,
/{usr/,}{s,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/echo rix,
/{usr/,}bin/gdbus rix,
/{usr/,}bin/ischroot rix,
/{usr/,}bin/test rix,
/{usr/,}bin/touch rix,
@ -45,81 +79,96 @@ profile apt @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/apt-show-versions rPx,
/{usr/,}bin/debtags rPx,
/{usr/,}bin/df rPx,
/{usr/,}bin/dmesg rPx,
/{usr/,}bin/dpkg rPx,
/{usr/,}bin/dpkg-source rcx -> dpkg-source,
/{usr/,}bin/etckeeper rPx,
/{usr/,}bin/ps rPx,
/{usr/,}bin/snap rPUx,
/{usr/,}lib/cnf-update-db rPx,
/{usr/,}lib/needrestart/apt-pinvoke rPx,
/{usr/,}lib/update-notifier/update-motd-updates-available rPx,
/usr/share/command-not-found/cnf-update-db rPx,
# Methods to use to download packages from the net
/{usr/,}lib/apt/methods/* rPx,
/var/lib/apt/lists/** rw,
/var/lib/apt/lists/lock rwk,
/var/lib/apt/extended_states{,.*} rw,
/var/log/apt/eipp.log.xz w,
/var/log/apt/{term,history}.log w,
@{libexec}/zsys-system-autosnapshot rPx,
# For building the source after the download process is finished (apt-get source --compile)
/{usr/,}bin/dpkg-buildpackage rPUx,
/{usr/,}bin/dpkg-buildpackage rPUx,
# Methods to use to download packages from the net
/{usr/,}lib/apt/methods/* rPx,
# Ubuntu specificities
/{usr/,}lib/ubuntu-advantage/apt-esm-hook rPx,
/{usr/,}lib/ubuntu-advantage/apt-esm-json-hook rPx,
/{usr/,}lib/update-notifier/update-motd-updates-available rPx,
/usr/share/command-not-found/cnf-update-db rPx,
# For editing the sources.list file
/etc/apt/sources.list rwk,
/{usr/,}bin/sensible-editor rCx -> editor,
/{usr/,}bin/vim.* rCx -> editor,
# For changelogs
/tmp/apt-changelog-*/ w,
owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw,
/tmp/apt-changelog-*/*.changelog w,
/{usr/,}bin/sensible-pager rCx -> pager,
/{usr/,}bin/sensible-pager rCx -> pager,
/var/lib/dpkg/** r,
/var/lib/dpkg/lock{,-frontend} rwk,
/usr/share/xml/iso-codes/{,**} r,
owner @{PROC}/@{pid}/fd/ r,
/dev/ptmx rw,
/var/lib/dbus/machine-id r,
/etc/apt/sources.list rwk,
/etc/machine-id r,
/tmp/ r,
owner /tmp/apt.conf.* rw,
owner /tmp/apt.data.* rw,
owner /tmp/apt-dpkg-install-*/ rw,
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
/var/lib/dbus/machine-id r,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
/var/crash/{,*.@{uid}.crash} rw,
/var/lib/apt/extended_states{,.*} rw,
/var/lib/apt/lists/** rw,
/var/lib/apt/lists/lock rwk,
/var/lib/apt/periodic/update-success-stamp rw,
/var/lib/dpkg/** r,
/var/lib/dpkg/lock{,-frontend} rwk,
/var/lib/update-notifier/dpkg-run-stamp rw,
/var/log/apt/{,**} rw,
# For package building
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
/tmp/ r,
/tmp/apt-changelog-*/ w,
/tmp/apt-changelog-*/*.changelog w,
owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw,
owner /tmp/apt-dpkg-install-*/ rw,
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
owner /tmp/apt.conf.* rw,
owner /tmp/apt.data.* rw,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/mountinfo r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
/dev/ptmx rw,
@{run}/systemd/inhibit/[0-9]*.ref rw,
profile editor flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/sensible-editor mr,
/{usr/,}bin/vim.* mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
owner @{HOME}/.selected_editor r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/sensible-editor mr,
/{usr/,}bin/vim.* mrix,
/{usr/,}bin/which{,.debianutils} rix,
/usr/share/vim/{,**} r,
/etc/vim/{,**} r,
owner @{HOME}/.viminfo{,.tmp} rw,
owner @{HOME}/.fzf/plugin/ r,
owner @{HOME}/.fzf/plugin/fzf.vim r,
/etc/apt/sources.list rw,
/etc/vim/{,**} r,
owner @{HOME}/.viminfo{,.tmp} rw,
owner @{HOME}/.selected_editor r,
owner @{HOME}/.fzf/plugin/ r,
owner @{HOME}/.fzf/plugin/fzf.vim r,
}
@ -129,40 +178,37 @@ profile apt @{exec_path} flags=(attach_disconnected) {
capability dac_read_search,
/{usr/,}bin/ r,
/{usr/,}bin/sensible-pager mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/less rix,
/{usr/,}bin/sensible-pager mr,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/less rix,
/root/ r, # For shell pwd
owner @{HOME}/.less* rw,
owner /tmp/apt-changelog-*/ r,
owner /tmp/apt-changelog-*/*.changelog r,
# For shell pwd
/root/ r,
}
profile dpkg-source flags=(complain) {
include <abstractions/base>
include <abstractions/perl>
include <abstractions/nameservice-strict>
include <abstractions/perl>
/{usr/,}bin/dpkg-source mr,
/{usr/,}bin/perl r,
/{usr/,}bin/tar rix,
/{usr/,}bin/bunzip2 rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/gunzip rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/patch rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/xz rix,
/etc/dpkg/origins/debian r,
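Review bot: The PolicyKit rule `dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority ... member={CheckAuthorization,Introspect},` is the only new D-Bus send rule in the hunk without a `peer=` condition, while the PackageKit, logind and DBus rules beside it all pin `peer=(name=...)`. Ending it with `peer=(name=org.freedesktop.PolicyKit1),` keeps the set consistent and restricts the destination to the polkit service rather than any connection that exposes that object path. The bind rule `name= org.debian.apt,` also shows a stray space after `=`; if that is in the source rather than a rendering artifact it should read `name=org.debian.apt,`. The profile continues outside the hunk (the `pager` and `dpkg-source` children are cut off).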


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -9,23 +10,23 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-cache
profile apt-cache @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/apt-common>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/var/lib/dpkg/** r,
/var/lib/dpkg/lock{,-frontend} rwk,
owner @{PROC}/@{pid}/fd/ r,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-cache>
}


@ -9,8 +9,8 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-cdrom
profile apt-cdrom @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/apt-common>
include <abstractions/nameservice-strict>
capability dac_read_search,
@ -21,6 +21,8 @@ profile apt-cdrom @{exec_path} flags=(complain) {
/{usr/,}bin/mount rCx -> mount,
/{usr/,}bin/umount rCx -> umount,
/etc/fstab r,
# Are all of these needed? (#FIXME#)
@{sys}/bus/ r,
@{sys}/bus/*/devices/ r,
@ -29,8 +31,6 @@ profile apt-cdrom @{exec_path} flags=(complain) {
@{sys}/devices/**/uevent r,
@{run}/udev/data/* r,
/etc/fstab r,
# For cd-roms
/media/cdrom[0-9]/ r,
/media/cdrom[0-9]/**/ r,
@ -39,11 +39,11 @@ profile apt-cdrom @{exec_path} flags=(complain) {
/media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r,
# For pendrives
@{MOUNTS}/*/*/ r,
@{MOUNTS}/*/*/**/ r,
@{MOUNTS}/*/*/.disk/info r,
@{MOUNTS}/*/*/dists/**/binary-*/Packages{,.gz} r,
@{MOUNTS}/*/*/dists/**/i18n/Translation-en{,.gz} r,
@{MOUNTS}/ r,
@{MOUNTS}/**/ r,
@{MOUNTS}/.disk/info r,
@{MOUNTS}/dists/**/binary-*/Packages{,.gz} r,
@{MOUNTS}/dists/**/i18n/Translation-en{,.gz} r,
/var/lib/apt/lists/** rw,


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -9,13 +10,15 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-config
profile apt-config @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/apt-common>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg,
owner /tmp/tmp*/apt.conf r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-config>


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -16,15 +17,17 @@ profile apt-extracttemplates @{exec_path} {
/{usr/,}bin/dpkg rPx -> child-dpkg,
owner @{PROC}/@{pid}/fd/ r,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
owner /tmp/*.{config,template}.?????? rw,
# For package building
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
owner /tmp/*.{config,template}.?????? rw,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-extracttemplates>
}


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -25,13 +26,13 @@ profile apt-file @{exec_path} {
/etc/apt/apt-file.conf r,
owner @{PROC}/@{pid}/fd/ r,
# For shell pwd
/root/ r,
# file_inherit
/var/log/cron-apt/temp w,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-file>
}


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# Copyright (C) 2021-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -9,8 +10,8 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-forktracer
profile apt-forktracer @{exec_path} {
include <abstractions/base>
include <abstractions/python>
include <abstractions/apt-common>
include <abstractions/python>
@{exec_path} mr,
@ -19,21 +20,20 @@ profile apt-forktracer @{exec_path} {
/{usr/,}bin/apt-cache rPx,
/usr/share/apt-forktracer/{,**} r,
/usr/share/distro-info/debian.csv r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/var/lib/apt/lists/ r,
/var/lib/apt/lists/*_InRelease r,
/var/cache/apt/pkgcache.bin{,.*} rw,
/usr/share/distro-info/debian.csv r,
owner @{PROC}/@{pid}/fd/ r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/etc/dpkg/origins/debian r,
/etc/debian_version r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-forktracer>
}


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -14,21 +15,21 @@ profile apt-key @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/comm rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/find rix,
/{usr/,}bin/id rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/find rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/comm rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/id rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/uniq rix,
/{usr/,}bin/wc rix,
@ -73,6 +74,11 @@ profile apt-key @{exec_path} {
/{usr/,}bin/gpg-agent rix,
/{usr/,}bin/gpg-connect-agent rix,
/usr/share/gnupg/sks-keyservers.netCA.pem r,
/etc/hosts r,
/etc/inputrc r,
/etc/apt/.#lk0x[a-f0-9]*.@{pid} rw,
/etc/apt/.#lk0x[a-f0-9]*.@{pid}x rwl -> /etc/apt/.#lk0x[a-f0-9]*.@{pid},
/etc/apt/trusted.gpg{,~,.tmp} rw,
@ -86,18 +92,13 @@ profile apt-key @{exec_path} {
owner /tmp/apt-key-gpghome.*/ rw,
owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w,
owner @{run}/user/@{uid}/gnupg/d.*/ rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/usr/share/gnupg/sks-keyservers.netCA.pem r,
/etc/hosts r,
/etc/inputrc r,
# File_inherit
owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w,
}
include if exists <local/apt-key>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/libexec/apt-listbugs/aptcleanup
@{exec_path} = @{libexec}/apt-listbugs/aptcleanup
profile apt-listbugs-aptcleanup @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/libexec/apt-listbugs/migratepins
@{exec_path} = @{libexec}/apt-listbugs/migratepins
profile apt-listbugs-migratepins @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -14,17 +14,15 @@ profile apt-methods-http @{exec_path} {
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=apt,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
signal (receive) peer=unattended-upgrade,
signal (receive) peer=update-manager,
network inet dgram,
network inet6 dgram,


@ -16,7 +16,7 @@ profile dpkg-divert @{exec_path} {
/var/lib/dpkg/** r,
/usr/share/*/**.dpkg-divert.tmp w,
/usr/share/*/** w,
/var/lib/dpkg/diversions rw,
/var/lib/dpkg/diversions-new rw,
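Review bot: If `/usr/share/*/** w,` is the new side of this hunk, it grants write access to every file under every package's share directory, far beyond the `*.dpkg-divert.tmp` targets the narrower line covered; the rendered view does not mark which line is added, so please confirm. If the wider rule is required because a diversion renames the original to an arbitrary name and `rename()` needs `w` on both paths, a comment such as `# Diversion targets can be any path under /usr/share (rename needs w on both sides)` would record why the narrower pattern was dropped; otherwise the `.dpkg-divert.tmp` form should stay. The profile continues outside the hunk.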


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -35,6 +36,9 @@ profile dpkg-preconfigure @{exec_path} {
owner /tmp/*.config.* rwPUx,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk,
owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
@{run}/user/@{uid}/pk-debconf-socket rw,
# The following is needed when dpkg-preconfigure uses debcconf GUI frontends.
include <abstractions/gtk>
@ -44,9 +48,7 @@ profile dpkg-preconfigure @{exec_path} {
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/dpkg-preconfigure>
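Review bot: `@{HOME}/.Xauthority r,` is the one home-directory rule in the hunk without `owner`, while the tmp and debconf rules around it are owner-qualified. If the omission is deliberate because dpkg-preconfigure runs as root while `@{HOME}` still resolves to the invoking user's home for the GUI frontend, a comment such as `# Runs as root; the X cookie belongs to the invoking user, so no owner` would record that; otherwise `owner @{HOME}/.Xauthority r,` is the tighter form. The profile continues outside the hunk.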


@ -23,6 +23,7 @@ profile dpkg-query @{exec_path} {
# file_inherit
/tmp/#[0-9]*[0-9] rw,
/dev/tty[0-9]* rw,
include if exists <local/dpkg-query>
}


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/reportbug
profile reportbug @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/wayland>
include <abstractions/consoles>
include <abstractions/fonts>
@ -63,10 +64,6 @@ profile reportbug @{exec_path} {
/{usr/,}bin/run-parts rCx -> run-parts,
/{usr/,}bin/gpg rCx -> gpg,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
# For sending additional information
/etc/** r,


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -9,10 +10,12 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/unattended-upgrade
profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/apt-common>
include <abstractions/consoles>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/python>
include <abstractions/consoles>
capability chown,
capability dac_override,
@ -26,42 +29,69 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
network netlink raw,
signal (send) peer=apt-methods-http,
dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.PackageKit
member=StateHasChanged,
dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.DBus.Introspectable
member=Introspect,
dbus send bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager
member=Inhibit,
dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member={PropertiesChanged,GetAll},
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member={CheckPermissions,StateChanged},
@{exec_path} mr,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/echo rix,
/{usr/,}bin/gdbus rix,
/{usr/,}bin/ischroot rix,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}bin/test rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/uname rix,
/{usr/,}{s,}bin/dpkg-preconfigure rPx,
/{usr/,}{s,}bin/on_ac_power rPx,
/{usr/,}{s,}bin/sendmail rPUx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/dpkg rPx,
/{usr/,}bin/etckeeper rPx,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}bin/uname rix,
/{usr/,}lib/apt/methods/http{,s} rPx,
/{usr/,}lib/needrestart/apt-pinvoke rPx,
/{usr/,}lib/update-notifier/update-motd-updates-available rPx,
@{libexec}/zsys-system-autosnapshot rPx,
/usr/share/distro-info/* r,
/usr/share/dpkg/*table r,
/etc/apt/*.list r,
/etc/apt/apt.conf.d/{,**} r,
/etc/apt/preferences.d/{,**} r,
/etc/apt/sources.list.d/{,**} r,
/etc/update-manager/{,**} r,
/etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r,
/etc/machine-id r,
/var/log/unattended-upgrades/*.log rw,
/var/log/unattended-upgrades/{,**} rw,
/var/lib/apt/extended_states r,
/var/lib/apt/lists/{,**} r,
/var/lib/apt/periodic/unattended-upgrades-stamp w,
/var/lib/dpkg/lock rwk,
/var/lib/dpkg/lock-frontend rwk,
/var/lib/dpkg/status r,
/var/lib/dpkg/updates/ r,
/var/lib/update-notifier/dpkg-run-stamp rw,
/var/cache/apt/{,**} rwk,
/var/lib/apt/extended_states{,.*} rw,
@ -74,9 +104,12 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/resolvconf/resolv.conf r,
owner /tmp/#[0-9]* rw,
owner /tmp/apt-dpkg-install-*/{,*} rw,
owner @{PROC}/@{pids}/fd/ r,
@{PROC}/@{pids}/mountinfo r,
/dev/ptmx rw,
include if exists <local/unattended-upgrade>
}
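Review bot: The new logind rule `dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member=Inhibit,` has no `peer=` condition, whereas the same Inhibit call added to the apt profile in this commit ends with `peer=(name=org.freedesktop.login[0-9]),`. Using that peer restriction here, and on the two logind send rules in the unattended-upgrade-shutdown section below, keeps the profiles consistent. `@{PROC}/@{pids}/mountinfo r,` is likewise not `owner`-qualified, unlike `owner @{PROC}/@{pids}/fd/ r,` directly above it; if only the process's own mount table is needed, `owner @{PROC}/@{pids}/mountinfo r,` is the narrower grant, otherwise a comment naming the foreign process being inspected would help.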


@ -9,11 +9,31 @@ include <tunables/global>
@{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown
profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-network-manager-strict>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
include <abstractions/python>
dbus send bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager
member=Inhibit,
dbus send bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.DBus.{Introspectable,Properties}
member={Introspect,Get},
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus receive bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager
member=PrepareForShutdown,
@{exec_path} mr,
/{usr/,}bin/ischroot rix,
/usr/share/unattended-upgrades/{,*} r,
/etc/apt/apt.conf.d/{,*} r,


@ -1,43 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) Felix Geyer <debfx@ubuntu.com>
# SPDX-License-Identifier: GPL-2.0-only
@{APT_CACHER_NG_CACHE_DIR}=/var/cache/apt-cacher-ng
include <tunables/global>
profile apt-cacher-ng /usr/sbin/apt-cacher-ng flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/openssl>
include <abstractions/user-tmp>
/etc/apt-cacher-ng/ r,
/etc/apt-cacher-ng/** r,
/etc/hosts.{deny,allow} r,
/usr/sbin/apt-cacher-ng mr,
/var/lib/apt-cacher-ng/** r,
/{,var/}run/apt-cacher-ng/* rw,
@{APT_CACHER_NG_CACHE_DIR}/ r,
@{APT_CACHER_NG_CACHE_DIR}/** rwl,
/var/log/apt-cacher-ng/ r,
/var/log/apt-cacher-ng/* rw,
/{,var/}run/systemd/notify w,
/{usr/,}bin/dash ixr,
/{usr/,}bin/ed ixr,
/{usr/,}bin/red ixr,
/{usr/,}bin/sed ixr,
/usr/lib/apt-cacher-ng/acngtool ixr,
# Allow serving local documentation
/etc/mime.types r,
/usr/share/doc/apt-cacher-ng/html/** r,
# used by libevent
@{PROC}/sys/kernel/random/uuid r,
include if exists <local/usr.sbin.apt-cacher-ng>
}


@ -14,6 +14,7 @@ include <tunables/global>
profile brave @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
@ -105,10 +106,6 @@ profile brave @{exec_path} {
/etc/fstab r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# Needed or Brave crash with the following error:


@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/chrome-gnome-shell
profile chrome-gnome-shell @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/dconf-write>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/python>
@ -26,9 +26,6 @@ profile chrome-gnome-shell @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{PROC}/@{pid}/mounts r,
deny @{HOME}/.* r,


@ -14,7 +14,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/chromium-common>
include <abstractions/dconf>
include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
@ -58,6 +58,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-desktop-menu rPx,
/{usr/,}bin/xdg-email rPx,
/{usr/,}bin/xdg-icon-resource rPx,
/{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/xdg-open rCx -> open,
@ -106,9 +107,6 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
# owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
# owner @{HOME}/.mozilla/firefox/*/logins.json r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner /tmp/tmp.*/ rw,
owner /tmp/tmp.*/** rwk,
owner /tmp/scoped_dir*/{,**} rw,


@ -15,7 +15,7 @@ include <tunables/global>
profile firefox @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/dconf>
include <abstractions/dconf-write>
include <abstractions/enchant>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
@ -131,9 +131,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/var/tmp/ r,
/tmp/ r,
owner /tmp/* rw,
@ -157,6 +154,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/pci[0-9]*/**/drm/renderD[0-9]*/ r,
@{sys}/devices/pci[0-9]*/**/irq r,
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
@{sys}/devices/system/cpu/possible r,
deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
deny @{sys}/devices/system/cpu/present r,


@ -12,7 +12,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/firefox/crashreporter
profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
@ -51,9 +51,6 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/mozilla/firefox/*.*/** r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/tmp/ r,
/var/tmp/ r,
owner /tmp/[0-9a-f]*.{dmp,extra} rw,


@ -13,6 +13,7 @@ include <tunables/global>
@{exec_path} = @{OPERA_INSTALLDIR}/opera{,-beta,-developer}
profile opera @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
@ -83,10 +84,6 @@ profile opera @{exec_path} {
/etc/fstab r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# Needed or opera crashes with the following error:


@ -11,6 +11,9 @@ include <tunables/global>
profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus>
include <abstractions/dbus-session>
include <abstractions/dbus-accessibility>
include <abstractions/nameservice-strict>
capability audit_write,
@ -34,14 +37,18 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{libexec}/* rPUx,
/{usr/,}lib/ibus/ibus-* rPx,
/{usr/,}bin/ r,
/{usr/,}bin/[a-z0-9]* rPUx,
@{libexec}/* rPUx,
/{usr/,}lib/ibus/ibus-* rPx,
/{usr/,}bin/[a-z0-9]* rPUx,
/{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper rPx,
# Xubuntu
/{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd rPUx,
/{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx,
/usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
/etc/dbus-1/{,**} r,
/etc/machine-id r,
/usr/share/dbus-1/{,**} r,
/usr/share/defaults/**.conf r,
@ -63,13 +70,10 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
owner /tmp/dbus-[0-9a-zA-Z]* rw,
owner @{run}/user/@{uid}/bus w,
owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
owner @{run}/user/@{uid}/dbus-1/ rw,
owner @{run}/user/@{uid}/dbus-1/services/ rw,
@{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/systemd/sessions/[0-9]*.ref rw,
@{run}/systemd/userdb/io.systemd.DynamicUser w,
@{run}/systemd/sessions/*.ref rw,
@{run}/systemd/users/@{uid} r,
@{sys}/kernel/security/apparmor/.access rw,
@ -77,7 +81,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
@{sys}/module/apparmor/parameters/enabled r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/@{pids}/mounts r,
@{PROC}/@{pids}/attr/apparmor/current r,
@{PROC}/@{pids}/oom_score_adj rw,
@{PROC}/@{pids}/cmdline r,
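Review bot: In the last hunk `@{PROC}/@{pids}/mounts r,` replaces `owner @{PROC}/@{pid}/mounts r,`, which widens the grant from the daemon's own mount table to the mount table of every process on the system, and nothing in the hunk says which client operation needs that. A why-comment on the new line, e.g. `# TODO(review): which bus operation needs other processes' mount tables? keep the owner/@{pid} form if none does`, would let the next reader judge whether the wider form is deliberate. The rendered page has lost the +/- markers, so I cannot tell whether `@{run}/systemd/sessions/*.ref rw,` (a wider glob than the `[0-9]*.ref` form beside it) and `@{run}/systemd/userdb/io.systemd.DynamicUser w,` are additions or removals; if they are additions they deserve the same one-line justification. The profile body continues outside the hunk.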


@ -18,10 +18,16 @@ profile dbus-daemon-launch-helper @{exec_path} {
@{exec_path} mr,
/{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx,
/{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism rPx,
/{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx,
/{usr/,}lib/software-properties/software-properties-dbus rPx,
/usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
/usr/share/dbus-1/{,**} r,
/etc/dbus-1/{,**} r,
owner @{PROC}/@{pid}/oom_score_adj rw,
include if exists <local/dbus-daemon-launch-helper>


@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/dbus-run-session
profile dbus-run-session @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/dconf-write>
signal (receive) set=(term, kill, hup) peer=gdm*,
signal (send) set=term peer=dbus-daemon,
@ -26,8 +26,6 @@ profile dbus-run-session @{exec_path} {
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/dconf/profile/gdm r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/var/lib/gdm/.config/dconf/user r,
/var/lib/gdm/.cache/dconf/ rw,


@ -9,6 +9,8 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/ibus-daemon
profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/ibus>
include <abstractions/nameservice-strict>
signal (receive) set=(usr1) peer=gnome-shell,
@ -25,7 +27,6 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner @{user_config_dirs}/ibus/{,**} rw,
owner @{user_cache_dirs}/ibus/{,**} rw,
/var/lib/gdm{3,}/.config/ibus/{,**} rw,
/var/lib/gdm{3,}/.cache/ibus/{,**} rw,


@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/ibus-dconf
profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/dconf-write>
include <abstractions/nameservice-strict>
signal (receive) set=term peer=ibus-daemon,
@ -29,8 +29,6 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/var/lib/gdm/.cache/dconf/ w,
/var/lib/gdm/.cache/dconf/user rw,
/var/lib/gdm/.config/dconf/user rw,


@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/ibus-engine-simple
profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/ibus>
signal (receive) set=term peer=ibus-daemon,
@ -18,8 +19,6 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r,


@ -10,10 +10,12 @@ include <tunables/global>
@{exec_path} += @{libexec}/ibus-extension-gtk3
profile ibus-extension-gtk3 @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-write>
include <abstractions/fonts>
include <abstractions/gtk>
include <abstractions/ibus>
include <abstractions/nameservice-strict>
signal (receive) set=term peer=ibus-daemon,
@ -32,17 +34,10 @@ profile ibus-extension-gtk3 @{exec_path} {
/usr/share/icons/{,**} r,
/usr/share/X11/xkb/** r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9] rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/var/lib/gdm/.config/dconf/user r,
include if exists <local/ibus-extension-gtk3>


@ -9,14 +9,15 @@ include <tunables/global>
@{exec_path} = @{libexec}/ibus-memconf
profile ibus-memconf @{exec_path} {
include <abstractions/base>
include <abstractions/ibus>
include <abstractions/nameservice-strict>
@{exec_path} mr,
/etc/machine-id r,
/var/lib/gdm{3,}/.config/ibus/bus/ r,
/var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
include if exists <local/ibus-memconf>
}


@ -10,6 +10,8 @@ include <tunables/global>
@{exec_path} += @{libexec}/ibus-portal
profile ibus-portal @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/ibus>
signal (receive) set=(term, hup) peer=gdm*,
@ -25,8 +27,6 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
/var/lib/dbus/machine-id r,
/var/lib/gdm/.config/ibus/bus/ r,
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
owner /dev/tty[0-9]* rw,
/dev/null rw,


@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/ibus-x11
profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
@ -18,14 +19,14 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
include <abstractions/nameservice-strict>
include <abstractions/opencl>
unix (connect, receive, send) type=stream peer=(label=ibus-daemon),
@{exec_path} mr,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
owner @{run}/user/@{uid}/gdm/Xauthority r,


@ -7,17 +7,18 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/cron
@{exec_path} = /{usr/,}{s,}bin/cron
profile cron @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/app-launcher-root>
include <abstractions/authentication>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>
capability setuid,
capability setgid,
capability dac_read_search,
capability audit_write,
capability dac_read_search,
capability setgid,
capability setuid,
capability sys_resource,
network netlink raw,
@ -26,36 +27,21 @@ profile cron @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/nice rix,
/{usr/,}bin/ionice rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/nice rix,
/{usr/,}bin/ionice rix,
/{usr/,}bin/run-parts rPx,
/etc/crontab r,
# All stuff that is executed via the /etc/cron.d/ dir
/etc/cron.d/{,*} r,
/{usr/,}sbin/cron-apt rPx,
/{usr/,}bin/debsecan rPx,
/{usr/,}lib/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx,
/{usr/,}sbin/e2scrub_all rPUx,
/etc/cron.daily/popularity-contest rPx,
/{usr/,}lib/sysstat/debian-sa1 rPUx,
/{usr/,}{s,}bin/sendmail rPUx,
# All stuff that is executed via the user crontab files
/{usr/,}bin/apt-file rPx,
/{usr/,}bin/apt-key rPx,
/{usr/,}bin/rsync rPUx,
/usr/share/rsync/scripts/rrsync rPUx,
/{usr/,}bin/gpg rPx,
/{usr/,}sbin/update-pciids rPx,
/{usr/,}bin/borg rPx,
/usr/local/lib/pki/pki-realm rPUx, # TODO: FIXME: NO COMMIT ZENFRA ONLY
# Cron scripts in the /etc/cron.*/ dir to execute
/{usr/,}bin/run-parts rCx -> run-parts,
# Send results using email
/{usr/,}sbin/exim4 rPx,
/etc/cron.d/{,*} r,
/etc/crontab r,
/etc/default/locale r,
/etc/environment r,
/etc/security/limits.d/{,**} r,
/var/spool/cron/crontabs/{,*} r,
@ -66,56 +52,7 @@ profile cron @{exec_path} {
owner @{PROC}/@{pid}/uid_map r,
owner @{PROC}/@{pid}/loginuid rw,
/etc/environment r,
/etc/default/locale r,
@{PROC}/1/limits r,
/etc/security/limits.d/ r,
profile run-parts {
include <abstractions/base>
/{usr/,}bin/run-parts mr,
/etc/cron.{hourly,daily,weekly,monthly}/ r,
/etc/cron.{hourly,daily,weekly,monthly}/apt-listbugs rPx,
/etc/cron.{hourly,daily,weekly,monthly}/apt-show-versions rPx,
/etc/cron.{hourly,daily,weekly,monthly}/bsdmainutils rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/checksecurity rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/debtags rPx,
/etc/cron.{hourly,daily,weekly,monthly}/exim4-base rPx,
/etc/cron.{hourly,daily,weekly,monthly}/logrotate rPx,
/etc/cron.{hourly,daily,weekly,monthly}/mlocate rPx,
/etc/cron.{hourly,daily,weekly,monthly}/dlocate rPx,
/etc/cron.{hourly,daily,weekly,monthly}/plocate rPx,
/etc/cron.{hourly,daily,weekly,monthly}/passwd rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/apt-compat rPx,
/etc/cron.{hourly,daily,weekly,monthly}/aptitude rPx,
/etc/cron.{hourly,daily,weekly,monthly}/debsums rPx,
/etc/cron.{hourly,daily,weekly,monthly}/dpkg rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/man-db rPx,
/etc/cron.{hourly,daily,weekly,monthly}/popularity-contest rPx,
/etc/cron.{hourly,daily,weekly,monthly}/sysstat rPx,
/etc/cron.{hourly,daily,weekly,monthly}/spamassassin rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/vrms rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/apt-xapian-index rPx,
/etc/cron.{hourly,daily,weekly,monthly}/tor rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/cracklib-runtime rPx,
/etc/cron.{hourly,daily,weekly,monthly}/etckeeper rPx,
#/etc/cron.{hourly,daily,weekly,monthly}/opera-browser rPUx,
#/etc/cron.{hourly,daily,weekly,monthly}/google-chrome{,-beta,-unstable} rPUx,
#/opt/google/chrome{,-beta,-unstable}/cron/google-chrome{,-beta,-unstable} rPUx,
#/opt/brave.com/brave/cron/brave-browser{,-beta,-dev} rPUx,
#/opt/brave.com/brave{,-beta,-dev}/cron/brave-browser{,-beta,-dev} rPUx,
# file_inherit
owner /tmp/#[0-9]*[0-9] rw,
include if exists <local/cron_run-parts>
}
@{PROC}/1/limits r,
include if exists <local/cron>
}
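Review bot: The second and third hunks drop the explicit per-job exec list (cron-apt, debsecan, e2scrub_all, popularity-contest, debian-sa1, sendmail, apt-file, apt-key, rsync, rrsync, gpg, update-pciids, borg, exim4) together with the `run-parts` child profile, and the only launch rules left on the new side are `/{usr/,}bin/run-parts rPx,` plus the added `include <abstractions/app-launcher-root>` in the first hunk, whose contents are not on this page. If that abstraction is what now carries the cron.d jobs and mail delivery, a comment at the include saying so, e.g. `# cron.d jobs and run-parts scripts are dispatched via app-launcher-root; per-script profiles live in cron-*`, would make the intent visible; if it does not, those jobs are denied once the profile is enforced. Note also that an allow-list of named targets has been traded for whatever the abstraction grants, which is worth a sentence in the commit or profile because it changes how much a compromised cron job can reach. Dropping the `pki-realm` TODO line is the right call. The first hunk starts outside the visible profile header.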


@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/0anacron
profile cron-anacron @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}{s,}bin/anacron rPx,
include if exists <local/cron-anacron>
}


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/apport
profile cron-apport @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/find rix,
/{usr/,}bin/rm rix,
/ r,
/var/crash/ r,
/var/crash/*.crash w,
include if exists <local/cron-apport>
}
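Review bot: `/var/crash/*.crash w,` is the only rule that lets the `rm` exec'd by `find` unlink anything, so if the apport cleanup job removes other regular files under `/var/crash/` as well (upload marker files, for instance — I cannot confirm the script's exact `find` expression from this page), those deletions will be denied in enforce mode. Either widen the glob to what the script actually prunes or add a comment next to the rule stating that only `*.crash` files are meant to be removable, e.g. `# rm only ever unlinks *.crash here; other files in /var/crash are left alone`. The `/ r,` line also deserves a short why-comment, since nothing else in the profile explains why the root directory must be listable.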


@ -9,25 +9,50 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/accountsservice/accounts-daemon
@{exec_path} += @{libexec}/accounts-daemon
profile accounts-daemon @{exec_path} {
profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>
capability dac_read_search,
capability setgid,
capability setuid,
capability sys_nice,
capability sys_ptrace,
ptrace (read) peer=unconfined,
dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*}
interface=org.freedesktop.{DBus.{Properties,Introspectable},Accounts{,.User}},
dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority
member={CheckAuthorization,Changed},
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,GetConnectionUnixUser}
peer=(name=org.freedesktop.DBus),
dbus bind bus=system
name=org.freedesktop.Accounts,
@{exec_path} mr,
/usr/share/language-tools/language-validate rPx,
/usr/share/accountsservice/{,**} r,
/usr/share/dbus-1/interfaces/*.xml r,
/etc/gdm/ r,
/etc/gdm/custom.conf rw,
/etc/gdm/custom.conf.* rw,
/etc/default/locale r,
/etc/gdm{3,}/ r,
/etc/gdm{3,}/custom.conf rw,
/etc/gdm{3,}/custom.conf.* rw,
/etc/machine-id r,
/etc/shadow r,
/etc/shells r,
@ -35,6 +60,8 @@ profile accounts-daemon @{exec_path} {
owner /var/lib/AccountsService/ r,
owner /var/lib/AccountsService/** rw,
@{HOME}/ r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
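Review bot: `capability sys_ptrace,` plus `ptrace (read) peer=unconfined,` plus `@{PROC}/1/environ r,` and `@{PROC}/@{pids}/cmdline r,` together let accounts-daemon read PID 1's environment and the command line of every process, and no comment in either hunk says which accountsservice feature needs that. The rendered page has lost the +/- markers so I cannot tell which of these lines are new, but the combination is the broadest grant in the profile and a one-line justification on the ptrace rule, e.g. `# TODO(review): state which lookup needs /proc/1/environ and other pids' cmdline; narrow the ptrace peer if only specific processes are inspected`, would let a later reader decide whether `peer=unconfined` can be tightened. The `dbus (send,receive)` rule on `/org/freedesktop/Accounts{,/User[0-9]*}` has no `member=` restriction, which is expected for the service's own interface but is worth a comment so it is not mistaken for an oversight. The profile body continues outside the hunk.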


@ -11,11 +11,13 @@ include <tunables/global>
@{exec_path} += @{libexec}/at-spi-bus-launcher
profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/dbus-session>
include <abstractions/dconf-write>
include <abstractions/nameservice-strict>
signal (receive) set=(term hup kill) peer=dbus-daemon,
signal (receive) set=(term hup kill) peer=gdm*,
signal (receive) set=(term hup kill) peer=gnome-session-binary,
signal (send) set=(term hup kill) peer=dbus-daemon,
network inet stream,
@ -33,11 +35,8 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/.Xauthority r,
owner @{HOME}/.xsession-errors w,
owner @{run}/user/@{uid}/at-spi/{,bus} rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
/var/lib/lightdm/.Xauthority r,
/var/lib/gdm/.config/dconf/user r,


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -10,21 +11,20 @@ include <tunables/global>
@{exec_path} += @{libexec}/at-spi2-registryd
profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/nameservice-strict>
# Needed?
deny capability sys_nice,
signal (receive) set=(term hup) peer=gdm*,
@{exec_path} mr,
owner @{HOME}/.Xauthority r,
/var/lib/lightdm/.Xauthority r,
owner @{HOME}/.Xauthority r,
owner @{HOME}/.xsession-errors w,
owner @{run}/user/@{uid}/gdm/Xauthority r,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner /dev/tty[0-9]* rw,
include if exists <local/at-spi2-registryd>


@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2018-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -11,11 +11,30 @@ include <tunables/global>
@{exec_path} += @{libexec}/colord
profile colord @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
include <abstractions/devices-usb>
network netlink raw,
dbus (send,receive) bus=system path=/org/freedesktop/ColorManager{,/**}
interface=org.freedesktop.{DBus.Properties,ColorManager*},
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName},
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority
member=CheckAuthorization,
dbus bind bus=system
name=org.freedesktop.ColorManager,
@{exec_path} mr,
/{usr/,}lib/colord/colord-sane rPx,
@ -37,7 +56,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
@{user_share_dirs}/icc/edid-*.icc r,
@{run}/systemd/sessions/[0-9]* r,
@{run}/systemd/sessions/* r,
@{sys}/class/drm/ r,
@{sys}/class/video4linux/ r,


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -8,25 +9,41 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/colord/colord-sane
@{exec_path} += @{libexec}/colord-sane
profile colord-sane @{exec_path} flags=(complain) {
profile colord-sane @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/devices-usb>
network inet dgram,
network inet6 dgram,
network netlink raw,
dbus (send,receive) bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.{DBus.Properties,ColorManager},
dbus send bus=system path=/
interface=org.freedesktop.{DBus.Peer,Avahi.Server}
member={GetAPIVersion,GetState,ServiceBrowserNew,Ping}
peer=(name=org.freedesktop.Avahi),
dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9]
interface=org.freedesktop.Avahi.ServiceBrowser
member={CacheExhausted,AllForNow},
@{exec_path} mr,
/etc/sane.d/{,**} r,
/usr/share/snmp/mibs/{,*} r,
/etc/sane.d/{,**} r,
/etc/snmp/snmp.conf r,
/var/lib/snmp/{mib,cert}_indexes/ rw,
/var/lib/snmp/mibs/{iana,ietf}/ r,
/var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r,
/var/lib/snmp/{mib,cert}_indexes/ rw,
/usr/share/snmp/mibs/{,*} r,
@{run}/systemd/journal/socket rw,
@{sys}/bus/scsi/devices/ r,
@{sys}/devices/pci[0-9]*/**/{vendor,model,type} r,
@{PROC}/sys/dev/parport/ r,


@ -6,7 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/colord/colord-session @{libexec}/colord-session
@{exec_path} = /{usr/,}lib/colord/colord-session
@{exec_path} += @{libexec}/colord-session
profile colord-session @{exec_path} flags=(complain) {
include <abstractions/base>


@ -9,17 +9,14 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/dconf
profile dconf @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf-write>
capability sys_nice,
@{exec_path} mr,
/etc/dconf/{,**} r,
/etc/dconf/db/** rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{user_config_dirs}/dconf/ rw,
owner @{user_config_dirs}/dconf/user{,.*} rw,


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -9,16 +10,15 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/dconf-editor
profile dconf-editor @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/dconf>
include <abstractions/gtk>
@{exec_path} mr,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/{,*} r,
# When GSETTINGS_BACKEND=keyfile
owner @{user_config_dirs}/glib-2.0/ rw,
@ -26,11 +26,7 @@ profile dconf-editor @{exec_path} {
owner @{user_config_dirs}/glib-2.0/settings/keyfile rw,
owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-* rw,
/usr/share/glib-2.0/schemas/{,*} r,
owner @{HOME}/.Xauthority r,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/dconf-editor>


@ -9,18 +9,14 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/dconf/dconf-service @{libexec}/dconf-service
profile dconf-service @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
# Needed?
deny capability sys_nice,
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
signal (receive) set=(term kill hup) peer=dbus-daemon,
signal (receive) set=(term hup) peer=gdm*,
@{exec_path} mr,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{user_config_dirs}/dconf/ rw,
owner @{user_config_dirs}/dconf/user{,.*} rw,


@ -0,0 +1,16 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/desktop-file-install
profile desktop-file-install @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/desktop-file-install>
}
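Review bot: The new profile grants nothing beyond `@{exec_path} mr,`, yet desktop-file-install's purpose is presumably to read a `.desktop` source file and write it into an applications directory, so under enforce mode any invocation that actually installs something should be denied. If this is a deliberate placeholder to be filled in from audit logs, say so with `flags=(complain)` and a comment such as `# skeleton profile: file rules still to be collected`; otherwise the read and write rules are missing. A profile that is complete-looking but unusable is easy to mistake for a finished one.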


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/fc-cache{,-32}
@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache{,-32,-v*}
profile fc-cache @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>


@ -7,15 +7,65 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/geoclue
profile geoclue @{exec_path} {
profile geoclue @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
network netlink raw,
dbus (send,receive) bus=system path=/org/freedesktop/GeoClue2/{Agent,Manager}
interface=org.freedesktop.{DBus.Properties,GeoClue2*},
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixProcessID,GetConnectionUnixUser,ReleaseName,RequestName}
peer=(name=org.freedesktop.DBus),
dbus send bus=system path=/
interface=org.freedesktop.Avahi.Server
member={GetAPIVersion,GetState,ServiceBrowserNew},
dbus send bus=system path=/
interface=org.freedesktop.DBus.Peer
member=Ping,
dbus send bus=system path=/fi/w[0-9]/wpa_supplicant[0-9]
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/ModemManager[0-9]
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects,
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged},
dbus receive bus=system path=/
interface=org.freedesktop.Avahi.Server
member=StateChanged,
dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9]
interface=org.freedesktop.Avahi.ServiceBrowser
member={AllForNow,CacheExhausted},
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member={CheckPermissions,StateChanged,PropertiesChanged},
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged,
dbus bind bus=system
name=org.freedesktop.GeoClue2,
@{exec_path} mr,
/etc/geoclue/{,**} r,
@{run}/systemd/journal/socket rw,
@{PROC}/@{pids}/cgroup r,
include if exists <local/geoclue>


@ -11,12 +11,26 @@ include <tunables/global>
profile pipewire @{exec_path} {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
ptrace (read),
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
interface=org.freedesktop.RealtimeKit[0-9]
member=MakeThread*
peer=(name=org.freedesktop.RealtimeKit[0-9]),
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.RealtimeKit[0-9]),
@{exec_path} mr,
/{usr/,}bin/pipewire-media-session rPx,
/usr/share/pipewire/pipewire.conf r,
/etc/machine-id r,
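Review bot: `ptrace (read),` has no `peer=` qualifier, so pipewire may read (via /proc and ptrace-read checks) every process on the system, which is far wider than the client-inspection a media daemon plausibly needs. If the target set is known — presumably the processes that connect to it — restrict it with a peer label, and in any case add a why-comment, e.g. `# TODO(review): which client lookup needs ptrace read? narrow the peer if possible`. Separately, this profile names RealtimeKit as `org.freedesktop.RealtimeKit[0-9]` while the pipewire-media-session section below pins `org.freedesktop.RealtimeKit1` and uses `member=MakeThreadRealtime` instead of `MakeThread*`; the two should use the same form. The profile body continues outside the hunk.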


@ -11,6 +11,7 @@ include <tunables/global>
profile pipewire-media-session @{exec_path} {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/dbus-strict>
include <abstractions/devices-usb>
include <abstractions/nameservice-strict>
@ -19,6 +20,16 @@ profile pipewire-media-session @{exec_path} {
network bluetooth stream,
network netlink raw,
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.RealtimeKit1),
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
interface=org.freedesktop.RealtimeKit1
member=MakeThreadRealtime
peer=(name=org.freedesktop.RealtimeKit1),
@{exec_path} mr,
/usr/share/alsa-card-profile/{,**} r,


@ -16,5 +16,7 @@ profile plymouth-set-default-theme @{exec_path} {
/{usr/,}bin/grep rix,
/{usr/,}bin/plymouth rPx,
/etc/plymouth/{,*} r,
include if exists <local/plymouth-set-default-theme>
}


@ -0,0 +1,52 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/plymouthd
profile plymouthd @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dri-common>
capability sys_admin,
capability sys_tty_config,
network netlink raw,
signal (send) peer=unconfined,
unix type=stream addr="@/org/freedesktop/plymouthd",
unix type=stream peer=(addr="@/org/freedesktop/plymouthd"),
@{exec_path} mr,
/usr/share/plymouth/{,**} r,
/etc/default/keyboard r,
/etc/plymouth/plymouthd.conf r,
/etc/vconsole.conf r,
@{run}/udev/data/+drm:* r,
@{run}/udev/data/c226:* r,
@{run}/udev/data/c29:* r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/drm/ r,
@{sys}/class/graphics/ r,
@{sys}/devices/pci[0-9]*/**/{,uevent} r,
@{sys}/devices/virtual/graphics/fbcon/uevent r,
@{sys}/devices/virtual/tty/console/active r,
@{sys}/firmware/acpi/bgrt/{,*} r,
@{PROC}/cmdline r,
/dev/ptmx rw,
/dev/tty[0-9]* rw,
include if exists <local/plymouthd>
}
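Review bot: `capability sys_admin,` is the broadest grant in this new profile and carries no comment saying which operation needs it; a one-line note such as `# sys_admin: <operation observed in denials> — TODO confirm` would let a later reviewer decide whether it can be dropped. `signal (send) peer=unconfined,` likewise has no `set=`, so plymouthd may send any signal, including kill, to any unconfined process; if the signal is known from logs, narrow it with `set=(…)`. `/dev/ptmx rw,` and `/dev/tty[0-9]* rw,` are plausible for a boot splash but are also uncommented.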


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -9,14 +10,15 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/polkit-mate/polkit-mate-authentication-agent-[0-9]
profile polkit-mate-authentication-agent @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
signal (send) set=(term, kill) peer=polkit-agent-helper,
@ -24,25 +26,19 @@ profile polkit-mate-authentication-agent @{exec_path} {
/{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
@{PROC}/1/cgroup r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/fd/ r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/X11/xkb/** r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{HOME}/.Xauthority r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/X11/xkb/** r,
# file_inherit
owner /dev/tty[0-9]* rw,
@{PROC}/1/cgroup r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/polkit-mate-authentication-agent>
}


@ -18,7 +18,7 @@ profile polkitd @{exec_path} {
capability setuid,
capability sys_nice,
capability sys_ptrace,
audit deny capability net_admin,
audit capability net_admin,
ptrace (read),
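Review bot: Replacing `audit deny capability net_admin,` with `audit capability net_admin,` grants the capability rather than merely logging it — `audit` on an allow rule records successful use, while `audit deny` records the attempt and still blocks it. If the goal is to learn whether polkitd actually needs net_admin before granting it, the previous `audit deny` form already produced that signal without widening the profile. The same applies to upower's `sys_nice` line in the next section, where the surviving `# Needed?` comment suggests the need is still unconfirmed. I am inferring the direction of the change from the rendered old/new order; if the deny form is the new line, disregard.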


@ -1,6 +1,7 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -14,9 +15,13 @@ profile pulseaudio @{exec_path} {
include <abstractions/consoles>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/gstreamer>
include <abstractions/hosts_access>
include <abstractions/nameservice-strict>
include <abstractions/X-strict>
ptrace (trace) peer=@{profile_name},
@ -29,65 +34,20 @@ profile pulseaudio @{exec_path} {
network bluetooth stream,
network bluetooth seqpacket,
@{exec_path} mrix,
dbus (send)
bus=session
path=/Client0/EntryGroup[0-9]*
interface=org.freedesktop.Avahi.EntryGroup
member={GetState,AddService,AddServiceSubtype,Commit}
peer=(name=org.freedesktop.Avahi),
/{usr/,}lib{exec,}/pulse/gsettings-helper mrix,
/{usr/,}lib/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mrix,
/{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
dbus (receive)
bus=session
path=/Client0/EntryGroup[0-9]*
interface=org.freedesktop.Avahi.EntryGroup
member=StateChanged
peer=(name=org.freedesktop.Avahi),
# PulseAudio files
/usr/share/pulseaudio/{,**} r,
/{usr/,}lib/pulse-*/modules/*.so mr,
# PulseAudio home config files
owner @{user_config_dirs}/pulse/{,**} rw,
owner @{user_config_dirs}/dconf/user r,
owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r,
# Needed when PulseAudio is started via the start-pulseaudio-x11 script
owner @{HOME}/.Xauthority r,
# Needed when PulseAudio is started via gdm
owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r,
owner @{HOME}/.ICEauthority r,
# TCP wrap
/etc/hosts.{allow,deny} r,
owner @{run}/user/@{uid}/ rw,
owner @{run}/user/@{uid}/pulse/{,*} rw,
owner @{run}/user/@{uid}/pulse/*.lock k,
/usr/share/applications/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/sound/ r,
@{sys}/devices/**/sound/**/{uevent,pcm_class} r,
@{run}/udev/data/+sound* r,
@{run}/udev/data/c116:[0-9]* r, # For ALSA
@{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]/meminfo r,
deny @{sys}/module/apparmor/parameters/enabled r,
@{run}/systemd/users/@{uid} r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/ICEauthority r,
owner @{run}/user/@{uid}/systemd/notify rw,
owner @{PROC}/@{pids}/fd/ r,
owner @{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/cmdline r,
# DBus
dbus (send)
bus=session
path=/org/freedesktop/DBus
@ -138,15 +98,47 @@ profile pulseaudio @{exec_path} {
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name=org.bluez),
dbus (send)
bus=system
path=/
interface=org.freedesktop.DBus.Peer
member=Ping
peer=(name=org.freedesktop.Avahi),
unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*),
unix (send receive connect) type=stream peer=(addr=@/tmp/.ICE-unix/*),
dbus (send)
bus=system
path=/
interface=org.freedesktop.Avahi.Server
member={GetAPIVersion,GetState,EntryGroupNew}
peer=(name=org.freedesktop.Avahi),
# The orcexec.* file is JIT compiled code for various GStreamer elements.
# If one is blocked the next is used instead.
owner @{run}/user/@{uid}/orcexec.* mrw,
#owner @{HOME}/orcexec.* mrw,
#owner /tmp/orcexec.* mrw,
dbus (receive)
bus=system
path=/
interface=org.freedesktop.Avahi.Server
member=StateChanged
peer=(name=org.freedesktop.Avahi),
dbus (send)
bus=system
path=/
interface=org.freedesktop.hostname[0-9]
member=Get
peer=(name=/org/freedesktop/hostname[0-9]),
@{exec_path} mrix,
/{usr/,}@{libexec}/pulse/gsettings-helper mrix,
/{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
/{usr/,}lib/pulse-*/modules/*.so mr,
/usr/share/applications/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/pulseaudio/{,**} r,
/usr/share/ubuntu/applications/{,*} r,
/var/lib/snapd/desktop/applications/ r,
# For GDM
owner /var/lib/gdm{[1-9],}/.config/pulse/{,**} rw,
@ -164,13 +156,33 @@ profile pulseaudio @{exec_path} {
owner /var/lib/lightdm/.config/pulse/{,**} rw,
owner /var/lib/lightdm/.config/pulse/cookie k,
owner @{user_config_dirs}/pulse/{,**} rw,
owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r,
owner @{run}/user/@{uid}/ rw,
owner @{run}/user/@{uid}/pulse/{,*} rw,
owner @{run}/user/@{uid}/pulse/*.lock k,
owner @{run}/user/@{uid}/systemd/notify rw,
@{run}/systemd/users/@{uid} r,
@{run}/udev/data/+sound* r,
@{run}/udev/data/c116:[0-9]* r, # For ALSA
@{sys}/class/sound/ r,
@{sys}/devices/**/sound/**/{uevent,pcm_class} r,
@{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
deny @{sys}/module/apparmor/parameters/enabled r,
owner @{PROC}/@{pids}/fd/ r,
owner @{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/cmdline r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
# Snap
/var/lib/snapd/desktop/applications/ r,
/usr/{local/,}share/ubuntu/applications/{,*} r,
include if exists <local/pulseaudio>
}
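Review bot: `/{usr/,}@{libexec}/pulse/gsettings-helper mrix,` prefixes `@{libexec}` with `/{usr/,}`, whereas every other use of that tunable in this commit (`@{libexec}/gdm-session-worker`, `@{exec_path} = @{libexec}/xdg-desktop-portal`) treats it as an absolute path; if that is how the tunable is defined, the prefixed form never matches and the helper exec is denied. The removed line `/{usr/,}lib{exec,}/pulse/gsettings-helper` was the absolute spelling, so `@{libexec}/pulse/gsettings-helper mrix,` is probably what was intended. Separately, the hostname rule's `peer=(name=/org/freedesktop/hostname[0-9])` gives an object path where a bus name is expected, so it can never match a real peer; `peer=(name=org.freedesktop.hostname[0-9])` is the usual shape, and `path=/` also looks odd for hostnamed — verify both against the actual denial.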


@ -24,12 +24,15 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
/usr/share/*/*.desktop r,
/var/lib/flatpak/exports/share/applications/{,**/} r,
/var/lib/flatpak/exports/share/applications/**.desktop r,
/var/lib/flatpak/exports/share/applications/.mimeinfo.cache.* rw,
/var/lib/flatpak/exports/share/applications/mimeinfo.cache w,
/var/lib/flatpak/{app/**/,}exports/share/applications/{,**/} r,
/var/lib/flatpak/{app/**/,}exports/share/applications/**.desktop r,
/var/lib/flatpak/{app/**/,}exports/share/applications/.mimeinfo.cache.* rw,
/var/lib/flatpak/{app/**/,}exports/share/applications/mimeinfo.cache w,
/var/lib/flatpak/app/**/export/share/applications/**.desktop r,
/var/lib/snapd/desktop/applications/{,**/} r,
/var/lib/snapd/desktop/applications/**.desktop r,
/var/lib/snapd/desktop/applications/.mimeinfo.cache.* rw,
/var/lib/snapd/desktop/applications/mimeinfo.cache w,
# Inherit silencer
deny network inet6 stream,
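Review bot: The `{app/**/,}exports/...` alternation on the four new lines produces `/var/lib/flatpak/app/**/exports/...`, while the line added right below reads `/var/lib/flatpak/app/**/export/share/applications/**.desktop` — the per-app directory is spelled `export` in one place and `exports` in the other, so one of the two globs probably never matches. If per-app trees use `export/`, the cleaner shape is to keep the original `/var/lib/flatpak/exports/...` lines for the system tree and add a separate `/var/lib/flatpak/app/**/export/...` set for the apps. Note also that the `{app/**/,}` form extends the `.mimeinfo.cache.* rw` and `mimeinfo.cache w` grants into per-app trees; if update-desktop-database only needs to read there, restrict the write rules to the system export directory.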


@ -11,7 +11,7 @@ profile upower @{exec_path} {
include <abstractions/base>
# Needed?
deny capability sys_nice,
audit capability sys_nice,
@{exec_path} mr,


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2018-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -10,36 +11,42 @@ include <tunables/global>
@{exec_path} += @{libexec}/upowerd
profile upowerd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/devices-usb>
network netlink raw,
dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**}
interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,UPower*},
dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.DBus.Properties
member={PropertiesChanged,GetAll},
dbus send bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager
member=Inhibit,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=RequestName
peer=(name=org.freedesktop.DBus),
dbus receive bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager
member={SessionNew,SessionRemoved,PrepareForShutdown},
dbus bind bus=system
name=org.freedesktop.UPower,
@{exec_path} mr,
# UPower config file
/etc/UPower/ r,
/etc/UPower/UPower.conf r,
# The history data for the power device
/var/lib/upower/ r,
/var/lib/upower/history-*.dat{,.*} rw,
# Are all of these needed? (#FIXME#)
/dev/input/event* r,
@{sys}/bus/hid/devices/ r,
@{sys}/class/leds/ r,
@{sys}/class/power_supply/ r,
@{sys}/class/input/ r,
@{sys}/devices/ r,
@{sys}/devices/**/power_supply/**/* r,
@{sys}/devices/**/uevent r,
@{sys}/devices/**/capabilities/* r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/platform/**/leds/**/max_brightness r,
@{sys}/devices/platform/**/leds/**/brightness rw,
@{sys}/devices/platform/**/leds/**/brightness_hw_changed r,
@{run}/udev/data/ r,
@{run}/udev/data/+power_supply* r,
@{run}/udev/data/+input* r,
@ -48,5 +55,20 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/inhibit/[0-9]*.ref rw,
@{sys}/bus/hid/devices/ r,
@{sys}/class/input/ r,
@{sys}/class/leds/ r,
@{sys}/class/power_supply/ r,
@{sys}/devices/ r,
@{sys}/devices/**/capabilities/* r,
@{sys}/devices/**/power_supply/**/* r,
@{sys}/devices/**/uevent r,
@{sys}/devices/platform/**/leds/**/brightness rw,
@{sys}/devices/platform/**/leds/**/brightness_hw_changed r,
@{sys}/devices/platform/**/leds/**/max_brightness r,
@{sys}/devices/virtual/dmi/id/product_name r,
/dev/input/event* r,
include if exists <local/upowerd>
}


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-dbus-proxy
profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
@{exec_path} mr,


@ -0,0 +1,16 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-desktop-icon
profile xdg-desktop-icon @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/xdg-desktop-icon>
}
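Review bot: The new profile grants only `@{exec_path} mr,` with no interpreter rule; xdg-desktop-icon ships in xdg-utils as a shell script like xdg-email and xdg-mime in this same commit, which use `@{exec_path} r,` together with `/{usr/,}bin/{,ba,da}sh rix,`. As written the script is unlikely to start in enforce mode. Consider matching the sibling profiles and adding the coreutils it invokes as denials show up.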


@ -9,7 +9,10 @@ include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal
profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/dbus-network-manager-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
@ -19,30 +22,48 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
ptrace (read),
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
interface=org.freedesktop.DBus.Properties
member={GetAll,Get},
dbus send bus=system path=/net/hadess/PowerProfiles
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member={StateChanged,CheckPermissions},
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/snap rPx,
# Allowed apps to open
/{usr/,}bin/firefox rPx -> firefox,
/ r,
/.flatpak-info r,
/{usr/,}lib/x r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/pipewire/client.conf r,
/usr/share/xdg-desktop-portal/portals/{,*.portal} r,
/etc/machine-id r,
/etc/pipewire/client.conf.d/ r,
/var/lib/flatpak/exports/share/mime/mime.cache r,
/var/lib/flatpak/exports/share/applications/{**,} r,
owner @{run}/user/@{uid}/.flatpak/{,*/*} r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
owner @{PROC}/@{pids}/cgroup r,
@{PROC}/ r,
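Review bot: The new `dbus send` rules for NetworkManager, RealtimeKit and PowerProfiles are keyed on object path only and omit `peer=(name=…)`, unlike the RealtimeKit rule in pipewire-media-session earlier in this commit, so any bus peer exposing that path matches. Adding the owning name, e.g. `peer=(name=org.freedesktop.RealtimeKit1)` for the RealtimeKit line and `peer=(name=org.freedesktop.NetworkManager)` for the NetworkManager line, keeps the rules consistent and narrower; the same applies to the Accounts rules in xdg-desktop-portal-gnome and xdg-desktop-portal-gtk and to the NetworkManager rules in the evolution-*-factory profiles. `/{usr/,}lib/x r,` also looks like a truncated path — if it is newly added, please confirm it is intended.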


@ -9,13 +9,28 @@ include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal-gnome
profile xdg-desktop-portal-gnome @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-write>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/user-download>
include <abstractions/user-read>
dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]*
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged,
dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]*
interface=org.freedesktop.Accounts.User
member=Changed,
@{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
@ -28,7 +43,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
owner @{user_share_dirs}/ r,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
include if exists <local/xdg-desktop-portal-gnome>


@ -9,7 +9,9 @@ include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal-gtk
profile xdg-desktop-portal-gtk @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-write>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
@ -18,6 +20,26 @@ profile xdg-desktop-portal-gtk @{exec_path} {
include <abstractions/user-download>
include <abstractions/user-write>
dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]*
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged,
dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]*
interface=org.freedesktop.Accounts.User
member=Changed,
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=CheckPermissions,
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged,
@{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
@ -30,10 +52,10 @@ profile xdg-desktop-portal-gtk @{exec_path} {
owner @{HOME}/@{XDG_DATA_HOME}/ r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
@{run}/mount/utab r,
owner @{PROC}/@{uid}/mountinfo r,
owner @{PROC}/@{pid}/mountinfo r,
include if exists <local/xdg-desktop-portal-gtk>
}


@ -12,6 +12,8 @@ profile xdg-document-portal @{exec_path} {
ptrace (read) peer=xdg-desktop-portal,
unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount),
@{exec_path} mr,
/{usr/,}bin/flatpak rCx -> flatpak,
@ -57,6 +59,8 @@ profile xdg-document-portal @{exec_path} {
capability sys_admin,
capability dac_read_search,
unix (send receive) type=stream peer=(label=xdg-document-portal),
# network inet stream,
# network inet6 stream,


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -11,8 +12,13 @@ profile xdg-email @{exec_path} flags=(complain) {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gio rPx,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/which rix,
/{usr/,}bin/xdg-mime rPx,
owner /dev/tty[0-9]* rw,


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2018-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -14,24 +15,39 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/head rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/file rix,
/{usr/,}bin/head rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/gio rPx,
/{usr/,}bin/mimetype rPx,
/{usr/,}bin/xprop rPx,
/usr/share/terminfo/x/xterm-256color r,
/usr/share/ubuntu/applications/ r,
/etc/gnome/defaults.list r,
owner @{HOME}/.Xauthority r,
owner @{user_config_dirs}/mimeapps.list{,.new} rw,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{run}/user/@{uid}/ r,
@{sys}/devices/platform/**/hwmon/hwmon[0-9]*/temp* r,
@{sys}/devices/platform/**/hwmon/hwmon[0-9]*/fan* r,
/dev/dri/card[0-9]* rw,
/dev/tty rw,
# When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two
# following root processes:
@ -44,26 +60,6 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
deny /{usr/,}bin/dbus-launch rx,
deny /{usr/,}bin/dbus-send rx,
owner @{user_config_dirs}/mimeapps.list{,.new} rw,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{HOME}/.Xauthority r,
owner @{run}/user/@{uid}/ r,
# For shell pwd
owner @{HOME}/ r,
@{sys}/devices/platform/**/hwmon/hwmon[0-9]*/temp* r,
@{sys}/devices/platform/**/hwmon/hwmon[0-9]*/fan* r,
# file_inherit
@{MOUNTS}/** rw,
/dev/dri/card[0-9]* rw,
/dev/tty rw,
profile dbus {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -72,10 +68,9 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/dbus-send mr,
/{usr/,}bin/dbus-daemon rPx,
# for dbus-launch
@{HOME}/.Xauthority r,
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
@{HOME}/.Xauthority r,
}
include if exists <local/xdg-mime>
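Review bot: In the `dbus` subprofile, `@{HOME}/.Xauthority r,` lacks the `owner` qualifier that the main profile uses for the same file (`owner @{HOME}/.Xauthority r,`), so the child may read the X cookie file of any user whose home matches `@{HOME}`. Unless the subprofile legitimately runs as a different user, `owner @{HOME}/.Xauthority r,` keeps the two consistent. The `dbus` subprofile opens in one hunk and closes in the next, so part of its body is not shown here.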


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/xdg-permission-store
profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
signal (receive) set=(term hup kill) peer=dbus-daemon,
signal (receive) set=(term hup kill) peer=gdm*,
@ -17,6 +18,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
@{HOME}/@{XDG_DATA_HOME}/flatpak/db/gnome rw,
owner @{user_share_dirs}/flatpak/db/ rw,
owner @{user_share_dirs}/flatpak/db/.goutputstream-* rw,
owner @{user_share_dirs}/flatpak/db/background rw,


@ -35,11 +35,14 @@ profile xdg-settings @{exec_path} {
/usr/share/terminfo/x/xterm-256color r,
/usr/share/applications/ r,
/usr/share/ubuntu/applications/ r,
/etc/xdg/xfce4/helpers.rc r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/var/lib/snapd/desktop/applications/{,*} r,
owner @{HOME}/ r,
owner @{HOME}/.Xauthority r,


@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-user-dirs-gtk-update
profile xdg-user-dirs-gtk-update @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
@{exec_path} mr,
owner @{user_config_dirs}/user-dirs.dirs r,
owner @{user_config_dirs}/user-dirs.locale r,
include if exists <local/xdg-user-dirs-gtk-update>
}
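Review bot: The new profile only allows reading `user-dirs.dirs` and `user-dirs.locale`, yet the tool's purpose is to rename the user directories when the locale changes, which as far as I recall is done by updating those files or by running xdg-user-dirs-update. If that is right, an enforce-mode run will fail at the first write; check the denials and either grant `w` on the two files or add a transition rule for the updater. A short header comment on what the profile was tested against would make this easier to verify later.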


@ -11,6 +11,10 @@ include <tunables/global>
profile xkbcomp @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
unix (send,receive) type=stream addr=none peer=(label=xwayland),
@{exec_path} mr,
/usr/share/X11/xkb/** r,


@ -10,9 +10,10 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/X
@{exec_path} += /{usr/,}bin/Xorg
@{exec_path} += /{usr/,}lib/Xorg{,.wrap}
@{exec_path} += /{usr/,}lib/xorg/Xorg
@{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap}
profile xorg @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
@ -40,6 +41,15 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
network netlink raw,
dbus send bus=system path=/org/freedesktop/login[0-9]{,/session/*}
interface=org.freedesktop.{DBus.Properties,login1.Session}
member={ReleaseControl,TakeControl,TakeDevice,ReleaseDevice,GetSessionByPID}
peer=(name=org.freedesktop.login[0-9]),
dbus receive bus=system path=/org/freedesktop/login[0-9]/session/*
interface=org.freedesktop.login1.Session
member=PauseDevice,
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
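Review bot: In the added `dbus send` rule, `GetSessionByPID` is a method of `org.freedesktop.login1.Manager`, not of the `DBus.Properties`/`login1.Session` interfaces the rule names, so that member can never match as written and Xorg's session lookup would still be denied. If logind integration needs it, add a separate rule: `dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member=GetSessionByPID peer=(name=org.freedesktop.login[0-9]),`. The existing `interface=org.freedesktop.{DBus.Properties,login1.Session}` also mixes the literal `login1` with the `login[0-9]` glob used for path and peer; either is fine, but pick one.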


@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/xrdb
profile xrdb @{exec_path} {
include <abstractions/base>
include <abstractions/X-strict>
@{exec_path} mr,
@ -17,9 +18,8 @@ profile xrdb @{exec_path} {
/{usr/,}bin/{,@{multiarch}-}cpp-[0-9]* rix,
/{usr/,}lib/gcc/@{multiarch}/[0-9]*/cc1 rix,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
/usr/include/stdc-predef.h r,
owner @{HOME}/.Xauthority r,
/usr/include/stdc-predef.h r,
/etc/X11/Xresources/x11-common r,
@ -33,8 +33,6 @@ profile xrdb @{exec_path} {
owner /tmp/xauth-[0-9]*-_[0-9] r,
owner /tmp/kcminit.* r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,


@ -19,6 +19,9 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
signal (receive) set=(term hup) peer=gdm*,
signal (receive) set=(term hup) peer=gnome-shell,
unix (send,receive) type=stream addr="@/tmp/.X11-unix/X[0-9]*",
unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
@ -32,6 +35,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
@{sys}/bus/pci/devices/ r,
@{sys}/devices/system/cpu/possible r,
@{PROC}/@{pids}/cmdline r,
owner @{PROC}/@{pids}/comm r,
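Review bot: The added `@{PROC}/@{pids}/cmdline r,` has no `owner` qualifier while the neighbouring `comm` line does, so Xwayland can read the command line — and any secret passed as an argument — of every process on the system. If the lookup only concerns the user's own clients, `owner @{PROC}/@{pids}/cmdline r,` is sufficient. The `.mutter-Xwaylandauth.[a-zA-z0-9]*` glob just above uses the range `A-z`, which also matches the punctuation between `Z` and `a`; `[a-zA-Z0-9]` is presumably what was meant.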


@ -9,7 +9,10 @@ include <tunables/global>
@{exec_path} = @{libexec}/evolution-addressbook-factory
profile evolution-addressbook-factory @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/dbus-network-manager-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/p11-kit>
@ -20,6 +23,22 @@ profile evolution-addressbook-factory @{exec_path} {
network inet6 dgram,
network netlink raw,
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/locale[0-9]
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member={CheckPermissions,StateChanged},
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged,
@{exec_path} mr,
@{exec_path}-subprocess rix,
@ -28,9 +47,6 @@ profile evolution-addressbook-factory @{exec_path} {
owner @{user_share_dirs}/evolution/{,**} rwk,
owner @{user_cache_dirs}/evolution/addressbook/{,**} rwk,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/cmdline r,


@ -9,7 +9,8 @@ include <tunables/global>
@{exec_path} = @{libexec}/evolution-data-server/evolution-alarm-notify
profile evolution-alarm-notify @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/dbus-session>
include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-read>
include <abstractions/gnome>
include <abstractions/nameservice-strict>
@ -23,8 +24,5 @@ profile evolution-alarm-notify @{exec_path} {
/usr/share/ubuntu/applications/ r,
/usr/share/zoneinfo-icu/{,**} r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
include if exists <local/evolution-alarm-notify>
}


@ -9,7 +9,10 @@ include <tunables/global>
@{exec_path} = @{libexec}/evolution-calendar-factory
profile evolution-calendar-factory @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/dbus-network-manager-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/p11-kit>
@ -20,6 +23,14 @@ profile evolution-calendar-factory @{exec_path} {
network inet6 dgram,
network netlink raw,
dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member={PropertiesChanged,GetAll},
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member={CheckPermissions,StateChanged},
@{exec_path} mr,
@{exec_path}-subprocess rix,
@ -30,9 +41,6 @@ profile evolution-calendar-factory @{exec_path} {
owner @{user_cache_dirs}/evolution/calendar/{,**} rwk,
owner @{user_cache_dirs}/evolution/tasks/{,**} rwk,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/cmdline r,


@ -9,10 +9,11 @@ include <tunables/global>
@{exec_path} = @{libexec}/evolution-source-registry
profile evolution-source-registry @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/p11-kit>
include <abstractions/ssl_certs>
network inet stream,
network inet6 stream,
@ -29,9 +30,6 @@ profile evolution-source-registry @{exec_path} {
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{user_cache_dirs}/evolution/{,**} rwk,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/cmdline r,


@ -9,8 +9,10 @@ include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/gdm{3,}
profile gdm @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/wutmp>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>
capability chown,
capability fsetid,
@ -24,15 +26,46 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
signal (send) set=(term),
dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User@{uid}
interface=org.freedesktop.{DBus.Properties,Accounts.User}
member={Changed,GetAll,PropertiesChanged},
dbus send bus=system path=/org/freedesktop/Accounts
interface=org.freedesktop.{DBus.Properties,Accounts}
member={GetAll,ListCachedUsers,FindUserByName},
dbus send bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login1.Manager
member={ListSeats,ActivateSessionOnSeat,UnlockSession},
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName},
dbus receive bus=system path=/org/freedesktop/login[0-9]/seat/seat[0-9]
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged,
dbus receive bus=system path=/org/gnome/DisplayManager/Manager
interface={org.freedesktop.DBus.Properties,org.gnome.DisplayManager.Manager}
member={RegisterDisplay,Get,RegisterSession,GetAll,OpenReauthenticationChannel},
dbus bind bus=system
name=org.gnome.DisplayManager,
@{exec_path} mr,
/{usr/,}bin/plymouth rPx,
/{usr/,}lib/gdm-session-worker rPx,
/{usr/,}{s,}prime-switch rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/plymouth rPx,
/etc/gdm{3,}/PrimeOff/Default rix,
@{libexec}/gdm-session-worker rPx,
/usr/share/gdm/gdm.schemas r,
/usr/share/wayland-sessions/*.desktop r,
/usr/share/xsessions/*.desktop r,
/etc/default/locale r,
/etc/gdm{3,}/custom.conf r,
/etc/locale.conf r,
@ -44,12 +77,12 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
@{run}/gdm{3,}/gdm.pid rw,
@{run}/gdm{3,}/greeter/ rw,
@{run}/systemd/seats/seat[0-9]* r,
@{run}/systemd/sessions/[0-9]* r,
@{run}/systemd/sessions/[0-9]*.ref r,
@{run}/systemd/userdb/ r,
@{run}/systemd/sessions/* r,
@{run}/systemd/sessions/*.ref r,
@{run}/systemd/users/@{uid} r,
@{run}/udev/tags/master-of-seat/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/pci[0-9]*/**/boot_vga r,
@{sys}/devices/virtual/tty/tty[0-9]*/active r,
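Review bot: `/{usr/,}{s,}prime-switch rPx,` expands to `/prime-switch`, `/sprime-switch`, `/usr/prime-switch` and `/usr/sprime-switch`, none of which is a normal install location; the `bin/` segment appears to be missing and `/{usr/,}{s,}bin/prime-switch rPx,` is probably what was intended. I am assuming this line is on the new side, since it sits next to the new `/etc/gdm{3,}/PrimeOff/Default rix,` rule. Widening `@{run}/systemd/sessions/[0-9]*` to `@{run}/systemd/sessions/*` is presumably for the greeter's `c*` session ids; a brief comment saying so would stop the next person from narrowing it back.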


@ -12,7 +12,7 @@ profile gdm-runtime-config @{exec_path} {
@{exec_path} mr,
@{run}/gdm/ r,
@{run}/gdm/ rw,
@{run}/gdm/custom.conf* rw,
include if exists <local/gdm-runtime-config>


@ -10,6 +10,8 @@ include <tunables/global>
profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/authentication>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
capability audit_write,
@ -39,12 +41,24 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
network netlink raw,
dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*}
interface=org.freedesktop.{DBus.Properties,Accounts*}
member={GetAll,FindUserByName,SetLanguage,Changed,PropertiesChanged},
dbus send bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager
member={CreateSession,ReleaseSession},
@{exec_path} mrix,
/{usr/,}bin/gnome-keyring-daemon rPx,
@{libexec}/gdm-wayland-session rPx,
@{libexec}/gdm-x-session rPx,
/etc/gdm{3,}/{Pre,Post}Session/Default rix,
/etc/gdm{3,}/PrimeOff/Default rix,
/usr/share/gdm/gdm.schemas r,
/usr/share/wayland-sessions/*.desktop r,
/etc/default/locale r,
/etc/environment r,
@ -56,21 +70,20 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
/etc/security/limits.d/{,*.conf} r,
/etc/shells r,
/usr/share/gdm/gdm.schemas r,
/usr/share/wayland-sessions/*.desktop r,
owner @{run}/user/@{uid}/keyring/control rw,
@{run}/faillock/[a-zA-z0-9]* rwk,
@{run}/gdm/custom.conf r,
@{run}/systemd/sessions/[0-9]*.ref rw,
@{run}/systemd/sessions/* r,
@{run}/systemd/sessions/*.ref rw,
@{run}/systemd/users/@{uid} r,
@{run}/utmp rwk,
@{run}/systemd/userdb/io.systemd.DynamicUser w,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/loginuid rw,
owner @{PROC}/@{pid}/task/@{tid}/attr/exec rw,
owner @{PROC}/@{pid}/uid_map r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/1/limits r,
@{PROC}/keys r,
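Review bot: The D-Bus rules added in the second hunk (`dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} …` and `dbus send bus=system path=/org/freedesktop/login[0-9] …`) carry no `peer=(name=…)` clause, so any system-bus connection exposing those paths and interfaces is accepted, not only accountsservice and logind; appending `peer=(name=org.freedesktop.Accounts)` and `peer=(name=org.freedesktop.login1)` pins them to the intended services, and the `RegisterDisplay` rule in gdm-wayland-session has the same gap. In the third hunk `@{run}/systemd/sessions/[0-9]*` widens to `@{run}/systemd/sessions/*`; if the motivation is the non-numeric ids logind creates when no audit session id is available, `@{run}/systemd/sessions/{,c}[0-9]* r,` stays close to what actually appears there, and either way a comment should record the reason. The neighbouring `@{run}/faillock/[a-zA-z0-9]* rwk,` (apparently context, so pre-existing) has a lowercase `z` closing the range, which spans punctuation instead of `A-Z`; `[a-zA-Z0-9_.-]*` is what a user-name glob presumably intends. The profile body continues outside these hunks.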


@ -11,7 +11,8 @@ profile gdm-wayland-session @{exec_path} {
include <abstractions/base>
include <abstractions/bash>
include <abstractions/consoles>
include <abstractions/dconf>
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
include <abstractions/nameservice-strict>
include <abstractions/zsh>
@ -20,20 +21,25 @@ profile gdm-wayland-session @{exec_path} {
signal (send) set=(term) peer=dbus-daemon,
signal (send) set=(term) peer=gnome-session-binary,
@{exec_path} mr,
dbus send bus=system path=/org/gnome/DisplayManager/Manager
interface=org.gnome.DisplayManager.Manager
member=RegisterDisplay,
# It can run hooks, how to handle them nicely? rCx? them mostly include if exist
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/env rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/gnome-session rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/gsettings rix,
/{usr/,}bin/head rix,
/{usr/,}bin/locale rix,
/{usr/,}bin/locale-check rix,
/{usr/,}bin/qmake rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/tty rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/zsh rix,
/{usr/,}bin/dbus-daemon rPx,
@ -42,20 +48,20 @@ profile gdm-wayland-session @{exec_path} {
/{usr/,}bin/flatpak rPUx,
@{libexec}/gnome-session-binary rPx,
/{usr/,}bin/gettext.sh r,
/usr/share/im-config/{,**} r,
/etc/default/im-config r,
/etc/gdm{3,}/custom.conf r,
/etc/machine-id r,
/etc/shells r,
/etc/X11/xinit/xinputrc r,
/etc/X11/Xsession.d/*im-config_launch r,
/usr/share/gdm/gdm.schemas r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{run}/user/@{uid}/bus rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
@{run}/gdm/custom.conf r,
owner @{PROC}/@{pid}/fd/ r,
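Review bot: `/{usr/,}bin/qmake rix,` in the second hunk is unexpected in a session launcher and inherits the whole gdm-wayland-session profile; it is presumably reached through the im-config launch script, but the rule should say so (`# qmake: invoked via /etc/X11/Xsession.d/*im-config_launch`), and if that is not the caller the line should be confirmed as needed before it stays. The comment `# It can run hooks, how to handle them nicely? rCx? them mostly include if exist` is hard to follow; suggest `# Session hooks are run inline (rix); rCx might be cleaner, since most of them only 'include if exists' a local file.` The enclosing profile starts before the first hunk and ends after the last one.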


@ -9,6 +9,8 @@ include <tunables/global>
@{exec_path} = @{libexec}/gdm-x-session
profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
signal (receive) set=term peer=gdm{,-session-worker},
# signal (send) set=term peer=unconfined,
@ -20,9 +22,10 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/Xorg rPx,
/{usr/,}bin/dbus-run-session rPx,
/etc/gdm/Xsession rPx,
/etc/gdm{3,}/Xsession rPx,
/etc/gdm{3,}/Prime/Default rix,
/etc/gdm/custom.conf r,
/etc/gdm{3,}/custom.conf r,
/usr/share/gdm/gdm.schemas r,
/var/lib/gdm/.cache/gdm/Xauthority rw,
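Review bot: `/etc/gdm{3,}/Xsession rPx,` in the second hunk now transitions on two paths, so the companion Xsession profile must attach to both; if its `@{exec_path}` is still `/etc/gdm/Xsession`, the `gdm3` path has no profile to transition into and the exec is denied, so that header should be checked for the same `{3,}` alternation before merging. `/etc/gdm{3,}/Prime/Default rix,` runs an admin-editable hook inline with this profile's rights; a short comment (`# Prime/Default: display-manager hook, runs inline under this profile`) would make that deliberate rather than accidental. The first hunk adds the `dbus-session-strict` and `dbus-strict` abstractions while no dbus rule is visible in these hunks; if the rules live outside them that is fine, otherwise the includes are dead weight.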
