apparmor.d -> profiles

Alexandre Pujol 2021-04-01 16:02:59 +01:00
parent c408a878b7
commit e9b8e62fcd
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
726 changed files with 0 additions and 0 deletions


@ -1,7 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Available Xsessions
/usr/share/xsessions/{,*.desktop} r,


@ -1,18 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# Root app location
/ r,
/usr/ r,
/{usr/,}sbin/ r,
/{usr/,}sbin/[a-z0-9]* rPUx,


@ -1,45 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# User app location
/ r,
/usr/ r,
/{usr/,}bin/ r,
/{usr/,}bin/[a-z0-9]* rPUx,
# Firefox
/{usr/,}lib/ r,
/{usr/,}lib/firefox/ r,
/{usr/,}lib/firefox/firefox* rPx,
# Google Chrome
/opt/ r,
/opt/google/ r,
/opt/google/chrome{,-beta,-unstable}/ r,
/opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} rPx,
# Brave
/opt/brave.com/ r,
/opt/brave.com/brave{,-beta,-dev}/ r,
/opt/brave.com/brave{,-beta,-dev}/brave-browser{,-beta,-dev} rPx,
# Discord
/usr/share/ r,
/usr/share/discord/ r,
/usr/share/discord/Discord rPx,
# FreeTube
/opt/FreeTube/ r,
/opt/FreeTube/freetube rPx,
/opt/FreeTube-Vue/ r,
/opt/FreeTube-Vue/freetube-vue rPx,


@ -1,35 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/etc/apt/apt.conf r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/preferences r,
/etc/apt/preferences.d/{,*} r,
/etc/apt/sources.list r,
/etc/apt/sources.list.d/{,*.list} r,
/var/lib/apt/lists/{,**} r,
/var/lib/apt/extended_states r,
/var/cache/apt/pkgcache.bin r,
/var/cache/apt/srcpkgcache.bin r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/dpkg/status r,
owner /tmp/clearsigned.message.* rw,
owner /tmp/#[0-9]*[0-9] rw,


@ -1,10 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
/usr/share/sounds/ r,
# PulseAudio module-ladspa-sink (plugin sc4m_1916)
/usr/lib/ladspa/ r,
/usr/lib/ladspa/*.so mr,


@ -1,26 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
/etc/writable/localtime r,
/usr/share/locale/ r,
# Allow to receive some signals
signal (receive) peer=top,
signal (receive) peer=htop,
signal (receive) set=(term,kill,stop,cont) peer=systemd-shutdown,
signal (receive) set=(term,kill) peer=openbox,
signal (receive) set=(hup) peer=xinit,
signal (receive) set=(term,kill) peer=su,
signal (receive) peer=sudo,
# Allow to write a user defined fifo log devices
owner /dev/log-xsession w,
owner /dev/log-gnupg w,
deny owner @{HOME}/.Private/ r,
deny owner @{HOME}/.Private/** mrixwlk,
deny owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
deny owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,


@ -1,28 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
deny /etc/dconf/{,**} r,
# When this is blocked, expect lots of the following errors:
# dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied.
# dconf will not work properly.
deny owner @{run}/user/[0-9]*/dconf/{,**} rw,
deny owner @{HOME}/.config/dconf/{,**} rw,
deny owner @{HOME}/.cache/dconf/{,**} rw,
# When GSETTINGS_BACKEND=keyfile
deny owner @{HOME}/.config/glib-2.0/ rw,
deny owner @{HOME}/.config/glib-2.0/settings/ rw,
deny owner @{HOME}/.config/glib-2.0/settings/keyfile rw,
deny owner @{HOME}/.config/glib-2.0/settings/.goutputstream-* rw,


@ -1,23 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# The goal of this abstraction is preventing apps (GUI) to be run as the root user by restraining
# access to the /root/ dir and its subdirectories. If you don't want to start an app as the super
# user (possibly by mistake), just include this abstraction in the app's AppArmor profile.
#
# Note that some apps will work anyway when run as root even if all of the files in the /root/
# are denied. Anyway, most of the apps refuse to start when they don't get the access to the
# needed files in the user home dir.
abi <abi/3.0>,
# Use audit for now to see whether some apps are trying to get access to the /root/ dir.
audit deny /root/{,**} rwkmlx,


@ -1,30 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/dev/ r,
/dev/bus/usb/ r,
/dev/bus/usb/[0-9]*/ r,
/dev/bus/usb/[0-9]*/[0-9]* rw,
@{sys}/class/ r,
@{sys}/bus/ r,
@{sys}/bus/usb/ r,
@{sys}/bus/usb/devices/{,**} r,
@{sys}/devices/**/usb[0-9]/{,**} rw,
# Udev data about usb devices (~equal to content of lsusb -v)
@{run}/udev/data/+usb:* r,
@{run}/udev/data/c16[6,7]* r,
@{run}/udev/data/c18[0,8,9]* r,


@ -1,86 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# The /sys/ entries probably should be tightened
/dev/ r,
# Regular disk/partition devices
/dev/sd[a-z] rk,
/dev/sd[a-z][0-9]* rk,
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/ r,
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/** r,
@{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r,
# SD card devices
/dev/mmcblk[0-9]* rk,
/dev/mmcblk[0-9]*p[0-9]* rk,
@{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/ r,
@{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/** r,
@{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/ r,
@{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/** r,
# Loop devices
/dev/loop[0-9]* rk,
/dev/loop[0-9]*p[0-9]* rk,
@{sys}/devices/virtual/block/loop[0-9]*/ r,
@{sys}/devices/virtual/block/loop[0-9]*/** r,
# LUKS/LVM (device-mapper) devices
/dev/dm-[0-9]* rk,
@{sys}/devices/virtual/block/dm-[0-9]*/ r,
@{sys}/devices/virtual/block/dm-[0-9]*/** r,
# ZRAM devices
/dev/zram[0-9]* rk,
@{sys}/devices/virtual/block/zram[0-9]*/ r,
@{sys}/devices/virtual/block/zram[0-9]*/** r,
# CD-ROM
/dev/sr[0-9]* rk,
@{sys}/class/block/ r,
@{sys}/block/ r,
# To be able to look up each block device by major:minor numbers
@{sys}/dev/block/ r,
# According to the kernel docs[1], the major block numbers from 240 to 254 are allocated
# dynamically by the kernel for devices which don't have official numbers assigned. It looks like
# that "dm" (device mapper) and "zram" are such devices. To avoid issues when kernel config
# changes, it's better to allow the whole range (240-254) instead of the single major numbers
# visible in the /proc/devices file.
# [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
@{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
@{run}/udev/data/b11:[0-9]* r, # for /dev/sr*
@{run}/udev/data/b8:[0-9]* r, # for /dev/sd*
@{run}/udev/data/b7:[0-9]* r, # for /dev/loop*
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
@{run}/udev/data/+usb:* r, # for ?


@ -1,86 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# The /sys/ entries probably should be tightened
/dev/ r,
# Regular disk/partition devices
/dev/sd[a-z] rwk,
/dev/sd[a-z][0-9]* rwk,
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/ r,
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/** r,
@{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r,
# SD card devices
/dev/mmcblk[0-9]* rwk,
/dev/mmcblk[0-9]*p[0-9]* rwk,
@{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/ r,
@{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/** r,
@{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/ r,
@{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/** r,
# Loop devices
/dev/loop[0-9]* rwk,
/dev/loop[0-9]*p[0-9]* rwk,
@{sys}/devices/virtual/block/loop[0-9]*/ r,
@{sys}/devices/virtual/block/loop[0-9]*/** r,
# LUKS/LVM (device-mapper) devices
/dev/dm-[0-9]* rwk,
@{sys}/devices/virtual/block/dm-[0-9]*/ r,
@{sys}/devices/virtual/block/dm-[0-9]*/** r,
# ZRAM devices
/dev/zram[0-9]* rwk,
@{sys}/devices/virtual/block/zram[0-9]*/ r,
@{sys}/devices/virtual/block/zram[0-9]*/** r,
# CD-ROM
/dev/sr[0-9]* rwk,
@{sys}/class/block/ r,
@{sys}/block/ r,
# To be able to look up each block device by major:minor numbers
@{sys}/dev/block/ r,
# According to the kernel docs[1], the major block numbers from 240 to 254 are allocated
# dynamically by the kernel for devices which don't have official numbers assigned. It looks like
# that "dm" (device mapper) and "zram" are such devices. To avoid issues when kernel config
# changes, it's better to allow the whole range (240-254) instead of the single major numbers
# visible in the /proc/devices file.
# [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
@{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
@{run}/udev/data/b11:[0-9]* r, # for /dev/sr*
@{run}/udev/data/b8:[0-9]* r, # for /dev/sd*
@{run}/udev/data/b7:[0-9]* r, # for /dev/loop*
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
@{run}/udev/data/+usb:* r, # for ?


@ -1,124 +0,0 @@
# vim:syntax=apparmor
#
# abstraction used by evince binaries
#
include <abstractions/gnome>
include <abstractions/p11-kit>
include <abstractions/ubuntu-helpers>
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/mountinfo r,
owner @{PROC}/[0-9]*/auxv r,
owner @{PROC}/[0-9]*/status r,
# Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
# Possibly move to an abstraction if anything else needs it.
deny /run/udev/data/** r,
# move out to the gnome abstraction if anyone else needs these
/dev/.udev/{data,db}/* r,
/etc/udev/udev.conf r,
/sys/devices/**/block/**/uevent r,
# apport
/etc/default/apport r,
# XFCE
/etc/xfce4/defaults.list r,
# Lubuntu
/etc/xdg/lubuntu/applications/defaults.list r,
# evince specific
/etc/ r,
/etc/fstab r,
/etc/texmf/ r,
/etc/texmf/** r,
/etc/xpdf/* r,
owner @{HOME}/.config/evince/ rw,
owner @{HOME}/.config/evince/** rwkl,
/usr/bin/gs-esp ixr,
/usr/bin/mktexpk Cx -> sanitized_helper,
/usr/bin/mktextfm Cx -> sanitized_helper,
/usr/bin/dvipdfm Cx -> sanitized_helper,
/usr/bin/dvipdfmx Cx -> sanitized_helper,
# supported archivers
/bin/gzip ixr,
/bin/bzip2 ixr,
/usr/bin/unrar* ixr,
/usr/bin/unzip ixr,
/usr/bin/7zr ixr,
/usr/lib/p7zip/7zr ixr,
/usr/bin/7za ixr,
/usr/lib/p7zip/7za ixr,
/usr/bin/zipnote ixr,
/bin/tar ixr,
/usr/bin/xz ixr,
# allow read access to anything in /usr/share, for plugins and input methods
/usr/local/share/** r,
/usr/share/** r,
/usr/lib/ghostscript/** mr,
/var/lib/ghostscript/** r,
/var/lib/texmf/** r,
# from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
# read for all supported file formats
/**.[bB][mM][pP] r,
/**.[dD][jJ][vV][uU] r,
/**.[dD][vV][iI] r,
/**.[gG][iI][fF] r,
/**.[jJ][pP][gG] r,
/**.[jJ][pP][eE][gG] r,
/**.[oO][dD][pP] r,
/**.[fFpP][dD][fF] r,
/**.[pP][nN][mM] r,
/**.[pP][nN][gG] r,
/**.[pP][sS] r,
/**.[eE][pP][sS] r,
/**.[eE][pP][sS][fFiI23] r,
/**.[tT][iI][fF] r,
/**.[tT][iI][fF][fF] r,
/**.[xX][pP][mM] r,
/**.[gG][zZ] r,
/**.[bB][zZ]2 r,
/**.[cC][bB][rRzZ7] r,
/**.[xX][zZ] r,
# Use abstractions/private-files instead of abstractions/private-files-strict
# and add the sensitive files manually to work around LP: #451422. The goal
# is to disallow access to the .mozilla folder in general, but to allow
# access to the Cache directory, which the browser may tell evince to open
# from directly.
include <abstractions/private-files>
audit deny @{HOME}/.gnupg/** mrwkl,
audit deny @{HOME}/.ssh/** mrwkl,
audit deny @{HOME}/.gnome2_private/** mrwkl,
audit deny @{HOME}/.gnome2/keyrings/** mrwkl,
audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
audit deny @{HOME}/.pki/nssdb/** w,
audit deny @{HOME}/.mozilla/*/*/* mrwkl,
audit deny @{HOME}/.mozilla/**/bookmarkbackups/** mrwkl,
audit deny @{HOME}/.mozilla/**/chrome/** mrwkl,
audit deny @{HOME}/.mozilla/**/extensions/** mrwkl,
audit deny @{HOME}/.mozilla/**/gm_scripts/** mrwkl,
audit deny @{HOME}/.config/chromium/** mrwkl,
audit deny @{HOME}/.evolution/** mrwkl,
audit deny @{HOME}/.config/evolution/** mrwkl,
audit deny @{HOME}/.kde/share/config/** mrwkl,
audit deny @{HOME}/.kde/share/apps/kmail/** mrwkl,
audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl,
# When LP: #451422 is fixed, change the above to simply be:
include <abstractions/private-files-strict>
#owner @{HOME}/.mozilla/**/*Cache/* r,
# Site-specific additions and overrides. See local/README for details.
include <local/usr.bin.evince>


@ -1,20 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
deny @{PROC}/@{pid}/mountinfo r,
deny @{PROC}/@{pid}/mounts r,
# Usually, apps shouldn't view this file
deny /etc/fstab r,
deny /dev/disk/*/ r,


@ -1,27 +0,0 @@
# kate: syntax AppArmor Security Profile
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2018 Nibaldo Gonzalez <nibgonz@gmail.com>
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# Flatpak
/var/lib/flatpak/exports/share/{,**} r,
/var/lib/flatpak/app/**/export/share/applications/{,*.desktop} r,
owner @{HOME}/.local/share/flatpak/exports/share/{,**} r,
owner @{HOME}/.local/share/flatpak/app/{,**.desktop} r,
deny owner @{HOME}/.local/share/flatpak/** w,
# Snap
/var/lib/snapd/desktop/applications/mimeinfo.cache r,
/var/lib/snapd/desktop/applications/*.desktop r,
/var/lib/snapd/desktop/applications/ r,


@ -1,49 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2018-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# The fontconfig cache can be generated via the following command:
# $ fc-cache -f -v
# There's no need to give apps the ability to create cache for their own. Apps can generate the
# fontconfig cache if some cache files are missing, so if this behavior is desirable, you can use
# the "fontconfig-cache-write" abstraction.
owner @{HOME}/.cache/fontconfig/ r,
deny @{HOME}/.cache/fontconfig/ w,
deny @{HOME}/.cache/fontconfig/** w,
owner @{HOME}/.cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
owner @{HOME}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
owner @{HOME}/.fontconfig/ r,
deny @{HOME}/.fontconfig/ w,
deny @{HOME}/.fontconfig/** w,
owner @{HOME}/.fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
owner @{HOME}/.fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
/var/cache/fontconfig/ r,
deny /var/cache/fontconfig/ w,
deny /var/cache/fontconfig/** w,
/var/cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
/var/cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
# This is to create .uuid file containing an UUID at a font directory. The UUID will be used to
# identify the font directory and is used to determine the cache filename if available.
owner /usr/local/share/fonts/.uuid r,
deny /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} w,
/usr/share/**/.uuid r,
deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w,
# For Google Fonts downloaded via font-manager
owner "@{HOME}/.local/share/fonts/Google Fonts/.uuid" r,
deny "@{HOME}/.local/share/fonts/Google Fonts/.uuid{,.NEW,.LCK,.TMP-*}" w,
owner "@{HOME}/.local/share/fonts/Google Fonts/**/.uuid" r,
deny "@{HOME}/.local/share/fonts/Google Fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" w,


@ -1,34 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2018-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
owner @{HOME}/.cache/fontconfig/ rw,
owner @{HOME}/.cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,
owner @{HOME}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk,
owner @{HOME}/.fontconfig/ rw,
owner @{HOME}/.fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,
owner @{HOME}/.fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk,
# This is to create .uuid file containing an UUID at a font directory. The UUID will be used to
# identify the font directory and is used to determine the cache filename if available.
owner /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} rw,
link /usr/local/share/fonts/.uuid.LCK -> /usr/local/share/fonts/.uuid.TMP-*,
/usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} r,
deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w,
# For Google Fonts downloaded via font-manager (###FIXME### when they fix resolving of vars)
owner "@{HOME}/.local/share/fonts/Google Fonts/.uuid{,.NEW,.LCK,.TMP-*}" rw,
link "@{HOME}/.local/share/fonts/Google Fonts/.uuid.LCK" -> "/home/*/.local/share/fonts/Google Fonts/.uuid.TMP-*",
owner "@{HOME}/.local/share/fonts/Google Fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" rw,
link "@{HOME}/.local/share/fonts/Google Fonts/**/.uuid.LCK" -> "/home/*/.local/share/fonts/Google Fonts/**/.uuid.TMP-*",


@ -1,6 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
owner @{HOME}/.icons/default/index.theme r,


@ -1,16 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2018-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
owner @{HOME}/.fzf/{,**} r,
owner @{HOME}/.fzf.* r,


@ -1,45 +0,0 @@
# vim:syntax=apparmor
include <abstractions/base>
include <abstractions/p11-kit>
include <abstractions/X>
# TODO: adjust when support finer-grained netlink rules
network netlink raw,
/etc/udev/udev.conf r,
/etc/wildmidi/wildmidi.cfg r,
/dev/ r,
/dev/bus/usb/ r,
/dev/dri/ r,
# /dev/shm is a symlink to /run/shm on ubuntu
owner /{dev,run}/shm/shmfd-* rw,
/run/udev/data/c* r,
/run/udev/data/+pci:* r,
/run/udev/data/+usb* r,
/sys/bus/ r,
/sys/bus/usb/devices/ r,
/sys/class/ r,
/sys/class/drm/ r,
/sys/devices/pci[0-9]*/**/{busnum,config,devnum,descriptors,speed,uevent} r,
/sys/devices/system/node/ r,
/sys/devices/system/node/*/meminfo r,
owner /tmp/orcexec.* mrw,
owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
# needed if /tmp is mounted noexec:
owner @{HOME}/orcexec.* mr,
/usr/lib/frei0r-[0-9]/*.so m,
# /usr/lib/@{multiarch}/dri/** mr,
/usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
/usr/lib/@{multiarch}/libproxy/*/modules/*.so mr,
/usr/lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so m,
owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/ rw,
owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/registry.*.bin rw,
owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/registry.*.bin.tmp* rw,


@ -1,48 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2017-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/usr/share/themes/{,**} r,
/usr/share/gtksourceview-[0-9]*/ r,
/usr/share/gtksourceview-[0-9]*/** r,
/usr/share/gtk-3.0/ r,
/usr/share/gtk-3.0/settings.ini r,
/etc/gtk-2.0/ r,
/etc/gtk-2.0/gtkrc r,
/etc/gtk-3.0/ r,
/etc/gtk-3.0/*.conf r,
/etc/gtk/gtkrc r,
owner @{HOME}/.gtk r,
owner @{HOME}/.gtkrc r,
owner @{HOME}/.gtkrc-2.0 r,
owner @{HOME}/.gtk-bookmarks r,
owner @{HOME}/.config/gtkrc r,
owner @{HOME}/.config/gtkrc-2.0 r,
owner @{HOME}/.config/gtk-3.0/ rw,
owner @{HOME}/.config/gtk-3.0/settings.ini r,
owner @{HOME}/.config/gtk-3.0/bookmarks r,
owner @{HOME}/.config/gtk-3.0/gtk.css r,
# for gtk file dialog
owner @{HOME}/.config/gtk-2.0/ rw,
owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
# .Xauthority file required for X connections
owner @{HOME}/.Xauthority r,
# Xsession errors file
owner @{HOME}/.xsession-errors w,


@ -1,18 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# abstract path in ibus < 1.5.22 uses /tmp
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/ibus/dbus-*"),
# abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{user_cache_dirs})
# This should use this, but due to LP: #1856738 we cannot
#unix (connect, receive, send)
# type=stream
# peer=(addr="@@{user_cache_dirs}/ibus/dbus-*"),
unix (connect, receive, send)
type=stream
peer=(addr="@/home/*/.cache/ibus/dbus-*"),


@ -1,38 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/usr/share/kde4/** r,
/{usr/,}lib/kde4/*.so mr,
/{usr/,}lib/kde4/plugins/*/ r,
/{usr/,}lib/kde4/plugins/*/*.so mr,
# Create home KDE directory structure
owner @{HOME}/.kde{,4}/ rw,
owner @{HOME}/.kde{,4}/**/ rw,
owner @{HOME}/.config/kde.org/ rw,
owner @{HOME}/.config/kde.org/**/ rw,
# Common configs
owner @{HOME}/.kde{,4}/share/config/kdeglobals r,
owner @{HOME}/.kde{,4}/share/config/kdebugrc r,
owner @{HOME}/.kde{,4}/share/config/servicetype_profilerc r,
# Phonon
owner @{HOME}/.config/kde.org/libphonon.conf rk,
owner @{HOME}/.config/Trolltech.conf rk,
owner /var/tmp/kdecache-*/ r,
owner /var/tmp/kdecache-*/** r,
owner /var/tmp/kdecache-*/*.kcache rw,


@ -1,67 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2018-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <abstractions/thumbnails-cache-read>
# KDE/Plasma5 themes
#/{usr/,}lib/@{multiarch}/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so mr,
#/{usr/,}lib/@{multiarch}/qt5/plugins/styles/breeze.so mr,
#/usr/share/plasma/look-and-feel/** r,
#/usr/share/color-schemes/*.colors r,
#/usr/share/kservices5/{,**/} r,
#/usr/share/kservices5/*.protocol r,
#/usr/share/knotifications5/plasma_workspace.notifyrc r,
# For app config (in order to work the KDE_APP_NAME variable has to be set in profile which
# includes this abstraction)
#owner @{HOME}/.config/#[0-9]*[0-9] rwk,
#owner @{HOME}/.config/@{KDE_APP_NAME}rc* rwlk -> @{HOME}/.config/#[0-9]*[0-9],
#owner @{run}/user/[0-9]*/#[0-9]*[0-9] rw,
#owner @{run}/user/[0-9]*/@{KDE_APP_NAME}*.slave-socket rwl -> @{run}/user/[0-9]*/#[0-9]*[0-9],
# Common KDE config files
#owner @{HOME}/.config/#[0-9]*[0-9] rw,
#owner @{HOME}/.config/kdeglobals* rwkl -> @{HOME}/.config/#[0-9]*[0-9],
#owner @{HOME}/.config/baloofilerc r,
#owner @{HOME}/.config/dolphinrc r,
#owner @{HOME}/.config/trashrc r,
#owner @{HOME}/.config/knfsshare r,
#owner /**/.directory r,
# For bookmarks
#/{usr/,}bin/keditbookmarks rPUx,
#owner @{HOME}/.local/share/kfile/ rw,
#owner @{HOME}/.local/share/kfile/#[0-9]*[0-9] rw,
#owner @{HOME}/.local/share/kfile/bookmarks.xml* rwl -> @{HOME}/.local/share/kfile/#[0-9]*[0-9],
# Common cache files
#owner @{HOME}/.cache/icon-cache.kcache rw,
#owner @{HOME}/.cache/ksycoca5_* r,
# Think what to do about this #FIXME#
# It seems when a QT app is started in Plasma5/KDE5 environment it also wants the following.
include <abstractions/recent-documents-write>
#signal (send) set=(term, kill) peer=unconfined,
#deny @{sys}/bus/ r,
#deny @{sys}/bus/usb/devices/ r,
#deny @{sys}/class/ r,
#deny @{run}/udev/data/b8:[0-9]* r, # for /dev/sda1 , etc.
#deny @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/001/001 , etc.
#deny @{run}/udev/data/+usb:* r, #
#/etc/exports r,
#/etc/xdg/menus/ r,
#/usr/share/mime/ r,
#owner @{HOME}/.config/menus/ r,
#owner @{HOME}/.config/menus/applications-merged/ r,


@ -1,121 +0,0 @@
#include <abstractions/base>
# Allow receiving signals from libvirtd
signal (receive) peer=libvirtd,
signal (receive) peer=/usr/sbin/libvirtd,
umount,
# ignore DENIED message on / remount
deny mount options=(ro, remount) -> /,
# allow tmpfs mounts everywhere
mount fstype=tmpfs,
# allow mqueue mounts everywhere
mount fstype=mqueue,
# allow fuse mounts everywhere
mount fstype=fuse.*,
# deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
deny @{PROC}/sys/fs/** wklx,
# allow efivars to be mounted, writing to it will be blocked though
mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
# block some other dangerous paths
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/mem rwklx,
deny @{PROC}/kmem rwklx,
# deny writes in /sys except for /sys/fs/cgroup, also allow
# fusectl, securityfs and debugfs to be mounted there (read-only)
mount fstype=fusectl -> /sys/fs/fuse/connections/,
mount fstype=securityfs -> /sys/kernel/security/,
mount fstype=debugfs -> /sys/kernel/debug/,
mount fstype=proc -> /proc/,
mount fstype=sysfs -> /sys/,
deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx,
# generated by: lxc-generate-aa-rules.py container-rules.base
deny /proc/sys/[^kn]*{,/**} wklx,
deny /proc/sys/k[^e]*{,/**} wklx,
deny /proc/sys/ke[^r]*{,/**} wklx,
deny /proc/sys/ker[^n]*{,/**} wklx,
deny /proc/sys/kern[^e]*{,/**} wklx,
deny /proc/sys/kerne[^l]*{,/**} wklx,
deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
deny /proc/sys/kernel/d[^o]*{,/**} wklx,
deny /proc/sys/kernel/do[^m]*{,/**} wklx,
deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
deny /proc/sys/kernel/domainname?*{,/**} wklx,
deny /proc/sys/kernel/h[^o]*{,/**} wklx,
deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
deny /proc/sys/kernel/host[^n]*{,/**} wklx,
deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
deny /proc/sys/kernel/hostname?*{,/**} wklx,
deny /proc/sys/kernel/m[^s]*{,/**} wklx,
deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
deny /proc/sys/kernel/msg*/** wklx,
deny /proc/sys/kernel/s[^he]*{,/**} wklx,
deny /proc/sys/kernel/se[^m]*{,/**} wklx,
deny /proc/sys/kernel/sem*/** wklx,
deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
deny /proc/sys/kernel/shm*/** wklx,
deny /proc/sys/kernel?*{,/**} wklx,
deny /proc/sys/n[^e]*{,/**} wklx,
deny /proc/sys/ne[^t]*{,/**} wklx,
deny /proc/sys/net?*{,/**} wklx,
deny /sys/[^fdc]*{,/**} wklx,
deny /sys/c[^l]*{,/**} wklx,
deny /sys/cl[^a]*{,/**} wklx,
deny /sys/cla[^s]*{,/**} wklx,
deny /sys/clas[^s]*{,/**} wklx,
deny /sys/class/[^n]*{,/**} wklx,
deny /sys/class/n[^e]*{,/**} wklx,
deny /sys/class/ne[^t]*{,/**} wklx,
deny /sys/class/net?*{,/**} wklx,
deny /sys/class?*{,/**} wklx,
deny /sys/d[^e]*{,/**} wklx,
deny /sys/de[^v]*{,/**} wklx,
deny /sys/dev[^i]*{,/**} wklx,
deny /sys/devi[^c]*{,/**} wklx,
deny /sys/devic[^e]*{,/**} wklx,
deny /sys/device[^s]*{,/**} wklx,
deny /sys/devices/[^v]*{,/**} wklx,
deny /sys/devices/v[^i]*{,/**} wklx,
deny /sys/devices/vi[^r]*{,/**} wklx,
deny /sys/devices/vir[^t]*{,/**} wklx,
deny /sys/devices/virt[^u]*{,/**} wklx,
deny /sys/devices/virtu[^a]*{,/**} wklx,
deny /sys/devices/virtua[^l]*{,/**} wklx,
deny /sys/devices/virtual/[^n]*{,/**} wklx,
deny /sys/devices/virtual/n[^e]*{,/**} wklx,
deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
deny /sys/devices/virtual/net?*{,/**} wklx,
deny /sys/devices/virtual?*{,/**} wklx,
deny /sys/devices?*{,/**} wklx,
deny /sys/f[^s]*{,/**} wklx,
deny /sys/fs/[^c]*{,/**} wklx,
deny /sys/fs/c[^g]*{,/**} wklx,
deny /sys/fs/cg[^r]*{,/**} wklx,
deny /sys/fs/cgr[^o]*{,/**} wklx,
deny /sys/fs/cgro[^u]*{,/**} wklx,
deny /sys/fs/cgrou[^p]*{,/**} wklx,
deny /sys/fs/cgroup?*{,/**} wklx,
deny /sys/fs?*{,/**} wklx,
# Site-specific additions and overrides. See local/README for details.
#include <local/abstractions/libvirt-lxc>


@ -1,248 +0,0 @@
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
# required for reading disk images
capability dac_override,
capability dac_read_search,
capability chown,
# needed to drop privileges
capability setgid,
capability setuid,
network inet stream,
network inet6 stream,
ptrace (readby, tracedby) peer=libvirtd,
ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
signal (receive) peer=libvirtd,
signal (receive) peer=/usr/sbin/libvirtd,
/dev/kvm rw,
/dev/net/tun rw,
/dev/ptmx rw,
@{PROC}/*/status r,
# When qemu is signaled to terminate, it will read cmdline of signaling
# process for reporting purposes. Allowing read access to a process
# cmdline may leak sensitive information embedded in the cmdline.
@{PROC}/@{pid}/cmdline r,
# Per man(5) proc, the kernel enforces that a thread may
# only modify its comm value or those in its thread group.
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
@{PROC}/sys/kernel/cap_last_cap r,
@{PROC}/sys/vm/overcommit_memory r,
# detect hardware capabilities via qemu_getauxval
owner @{PROC}/*/auxv r,
# For hostdev access. The actual devices will be added dynamically
/sys/bus/usb/devices/ r,
/sys/devices/**/usb[0-9]*/** r,
# libusb needs udev data about usb devices (~equal to content of lsusb -v)
/run/udev/data/+usb* r,
/run/udev/data/c16[6,7]* r,
/run/udev/data/c18[0,8,9]* r,
# WARNING: this gives the guest direct access to host hardware and specific
# portions of shared memory. This is required for sound using ALSA with kvm,
# but may constitute a security risk. If your environment does not require
# the use of sound in your VMs, feel free to comment out or prepend 'deny' to
# the rules for files in /dev.
/dev/snd/* rw,
/{dev,run}/shm r,
/{dev,run}/shmpulse-shm* r,
/{dev,run}/shmpulse-shm* rwk,
capability ipc_lock,
# spice
owner /{dev,run}/shm/spice.* rw,
# 'kill' is not required for sound and is a security risk. Do not enable
# unless you absolutely need it.
deny capability kill,
# Uncomment the following if you need access to /dev/fb*
#/dev/fb* rw,
/etc/pulse/client.conf r,
@{HOME}/.pulse-cookie rwk,
owner /root/.pulse-cookie rwk,
owner /root/.pulse/ rw,
owner /root/.pulse/* rw,
/usr/share/alsa/** r,
owner /tmp/pulse-*/ rw,
owner /tmp/pulse-*/* rw,
/var/lib/dbus/machine-id r,
# access to firmware's etc
/usr/share/AAVMF/** r,
/usr/share/bochs/** r,
/usr/share/edk2-ovmf/** r,
/usr/share/kvm/** r,
/usr/share/misc/sgabios.bin r,
/usr/share/openbios/** r,
/usr/share/openhackware/** r,
/usr/share/OVMF/** r,
/usr/share/ovmf/** r,
/usr/share/proll/** r,
/usr/share/qemu-efi/** r,
/usr/share/qemu-kvm/** r,
/usr/share/qemu/** r,
/usr/share/seabios/** r,
/usr/share/sgabios/** r,
/usr/share/slof/** r,
/usr/share/vgabios/** r,
# pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
/etc/pki/CA/ r,
/etc/pki/CA/* r,
/etc/pki/libvirt{,-spice,-vnc}/ r,
/etc/pki/libvirt{,-spice,-vnc}/** r,
/etc/pki/qemu/ r,
/etc/pki/qemu/** r,
# the various binaries
/usr/bin/kvm rmix,
/usr/bin/kvm-spice rmix,
/usr/bin/qemu rmix,
/usr/bin/qemu-aarch64 rmix,
/usr/bin/qemu-alpha rmix,
/usr/bin/qemu-arm rmix,
/usr/bin/qemu-armeb rmix,
/usr/bin/qemu-cris rmix,
/usr/bin/qemu-i386 rmix,
/usr/bin/qemu-kvm rmix,
/usr/bin/qemu-m68k rmix,
/usr/bin/qemu-microblaze rmix,
/usr/bin/qemu-microblazeel rmix,
/usr/bin/qemu-mips rmix,
/usr/bin/qemu-mips64 rmix,
/usr/bin/qemu-mips64el rmix,
/usr/bin/qemu-mipsel rmix,
/usr/bin/qemu-mipsn32 rmix,
/usr/bin/qemu-mipsn32el rmix,
/usr/bin/qemu-or32 rmix,
/usr/bin/qemu-ppc rmix,
/usr/bin/qemu-ppc64 rmix,
/usr/bin/qemu-ppc64abi32 rmix,
/usr/bin/qemu-ppc64le rmix,
/usr/bin/qemu-s390x rmix,
/usr/bin/qemu-sh4 rmix,
/usr/bin/qemu-sh4eb rmix,
/usr/bin/qemu-sparc rmix,
/usr/bin/qemu-sparc32plus rmix,
/usr/bin/qemu-sparc64 rmix,
/usr/bin/qemu-system-aarch64 rmix,
/usr/bin/qemu-system-alpha rmix,
/usr/bin/qemu-system-arm rmix,
/usr/bin/qemu-system-cris rmix,
/usr/bin/qemu-system-hppa rmix,
/usr/bin/qemu-system-i386 rmix,
/usr/bin/qemu-system-lm32 rmix,
/usr/bin/qemu-system-m68k rmix,
/usr/bin/qemu-system-microblaze rmix,
/usr/bin/qemu-system-microblazeel rmix,
/usr/bin/qemu-system-mips rmix,
/usr/bin/qemu-system-mips64 rmix,
/usr/bin/qemu-system-mips64el rmix,
/usr/bin/qemu-system-mipsel rmix,
/usr/bin/qemu-system-moxie rmix,
/usr/bin/qemu-system-nios2 rmix,
/usr/bin/qemu-system-or1k rmix,
/usr/bin/qemu-system-or32 rmix,
/usr/bin/qemu-system-ppc rmix,
/usr/bin/qemu-system-ppc64 rmix,
/usr/bin/qemu-system-ppcemb rmix,
/usr/bin/qemu-system-riscv32 rmix,
/usr/bin/qemu-system-riscv64 rmix,
/usr/bin/qemu-system-s390x rmix,
/usr/bin/qemu-system-sh4 rmix,
/usr/bin/qemu-system-sh4eb rmix,
/usr/bin/qemu-system-sparc rmix,
/usr/bin/qemu-system-sparc64 rmix,
/usr/bin/qemu-system-tricore rmix,
/usr/bin/qemu-system-unicore32 rmix,
/usr/bin/qemu-system-x86_64 rmix,
/usr/bin/qemu-system-xtensa rmix,
/usr/bin/qemu-system-xtensaeb rmix,
/usr/bin/qemu-unicore32 rmix,
/usr/bin/qemu-x86_64 rmix,
# for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
/usr/{lib,lib64}/qemu/*.so mr,
/usr/lib/@{multiarch}/qemu/*.so mr,
# let qemu load old shared objects after upgrades (LP: #1847361)
/{var/,}run/qemu/*/*.so mr,
# but explicitly deny writing to these files
audit deny /{var/,}run/qemu/*/*.so w,
# swtpm
/{usr/,}bin/swtpm rmix,
/usr/{lib,lib64}/libswtpm_libtpms.so mr,
/usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
# for save and resume
/{usr/,}bin/dash rmix,
/{usr/,}bin/dd rmix,
/{usr/,}bin/cat rmix,
# for restore
/{usr/,}bin/bash rmix,
# for usb access
/dev/bus/usb/ r,
/etc/udev/udev.conf r,
/sys/bus/ r,
/sys/class/ r,
# for rbd
/etc/ceph/ceph.conf r,
# Various functions will need to enumerate /tmp (e.g. ceph), allow the base
# dir and a few known functions like samba support.
# We want to avoid to give blanket rw permission to everything under /tmp,
# users are expected to add site specific addons for more uncommon cases.
# Qemu processes usually all run as the same users, so the "owner"
# restriction prevents access to other services files, but not across
# different instances.
# This is a tradeoff between usability and security - if paths would be more
# predictable that would be preferred - at least for write rules we would
# want more unique paths per rule.
/{,var/}tmp/ r,
owner /{,var/}tmp/**/ r,
# for file-posix getting limits since 9103f1ce
/sys/devices/**/block/*/queue/max_segments r,
# for ppc device-tree access
@{PROC}/device-tree/ r,
@{PROC}/device-tree/** r,
/sys/firmware/devicetree/** r,
# allow connect with openGraphicsFD to work
unix (send, receive) type=stream addr=none peer=(label=libvirtd),
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
# for gathering information about available host resources
/sys/devices/system/cpu/ r,
/sys/devices/system/node/ r,
/sys/devices/system/node/node[0-9]*/meminfo r,
/sys/module/vhost/parameters/max_mem_regions r,
# silence refusals to open lttng files (see LP: #1432644)
deny /dev/shm/lttng-ust-wait-* r,
deny /run/shm/lttng-ust-wait-* r,
# for vfio hotplug on systems without static vfio (LP: #1775777)
/dev/vfio/vfio rw,
# required for sasl GSSAPI plugin
/etc/gss/mech.d/ r,
/etc/gss/mech.d/* r,
# required by libpmem init to fts_open()/fts_read() the symlinks in
# /sys/bus/nd/devices
/ r, # harmless on any lsb compliant system
/sys/bus/nd/devices/{,**/} r,
# Site-specific additions and overrides. See local/README for details.
#include <local/abstractions/libvirt-qemu>


@ -1,114 +0,0 @@
# vim:syntax=apparmor
# Profile for restricting lightdm guest session
# Author: Martin Pitt <martin.pitt@ubuntu.com>
# This abstraction provides the majority of the confinement for guest sessions.
# It is in its own abstraction so we can have a centralized place for
# confinement for the various lightdm sessions (guest, freerdp, uccsconfigure,
# etc). Note that this profile intentionally omits chromium-browser.
# Requires apparmor 2.9
include <abstractions/authentication>
include <abstractions/cups-client>
include <abstractions/dbus>
include <abstractions/dbus-session>
include <abstractions/dbus-accessibility>
include <abstractions/nameservice>
include <abstractions/wutmp>
# bug in compiz https://launchpad.net/bugs/697678
/etc/compizconfig/config rw,
/etc/compizconfig/unity.ini rw,
/ r,
/bin/ rmix,
/bin/fusermount Px,
/bin/** rmix,
/cdrom/ rmix,
/cdrom/** rmix,
/dev/ r,
/dev/** rmw, # audio devices etc.
owner /dev/shm/** rmw,
/etc/ r,
/etc/** rmk,
/etc/X11/Xsession ix,
/etc/X11/xdm/** ix, # needed for openSUSE's default session-wrapper
/etc/X11/xinit/** ix, # needed for openSUSE's default session-wrapper
/lib/ r,
/lib/** rmixk,
/lib32/ r,
/lib32/** rmixk,
/lib64/ r,
/lib64/** rmixk,
owner /{,run/}media/ r,
owner /{,run/}media/** rmwlixk, # we want access to USB sticks and the like
/opt/ r,
/opt/** rmixk,
@{PROC}/ r,
@{PROC}/* rm,
@{PROC}/[0-9]*/net/ r,
@{PROC}/[0-9]*/net/dev r,
@{PROC}/asound rm,
@{PROC}/asound/** rm,
@{PROC}/ati rm,
@{PROC}/ati/** rm,
@{PROC}/sys/vm/overcommit_memory r,
owner @{PROC}/** rm,
# needed for gnome-keyring-daemon
@{PROC}/*/status r,
# needed for bamfdaemon and utilities such as ps and killall
@{PROC}/*/stat r,
/sbin/ r,
/sbin/** rmixk,
/sys/ r,
/sys/** rm,
# needed for confined trusted helpers, such as dbus-daemon
/sys/kernel/security/apparmor/.access rw,
/tmp/ rw,
owner /tmp/** rwlkmix,
/usr/ r,
/usr/** rmixk,
/var/ r,
/var/** rmixk,
/var/guest-data/** rw, # allow to store files permanently
/var/tmp/ rw,
owner /var/tmp/** rwlkm,
/{,var/}run/ r,
# necessary for writing to sockets, etc.
/{,var/}run/** rmkix,
/{,var/}run/mir_socket rw,
/{,var/}run/screen/** wl,
/{,var/}run/shm/** wl,
/{,var/}run/uuidd/request w,
# libpam-xdg-support/logind
owner /{,var/}run/user/*/** rw,
capability ipc_lock,
# allow processes in the guest session to signal and ptrace each other
signal peer=@{profile_name},
ptrace peer=@{profile_name},
# needed when logging out of the guest session
signal (receive) peer=unconfined,
unix peer=(label=@{profile_name}),
unix (receive) peer=(label=unconfined),
unix (create),
unix (getattr, getopt, setopt, shutdown),
unix (bind, listen, accept, receive, send) type=stream addr="@/com/ubuntu/upstart-session/**",
unix (bind, listen) type=stream addr="@/tmp/dbus-*",
unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
unix (bind, listen) type=stream addr="@guest*",
unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
unix (connect, receive, send) type=stream peer=(addr="@/dbus-vfs-daemon/*"),
unix (connect, receive, send) type=stream peer=(addr="@guest*"),
# silence warnings for stuff that we really don't want to grant
deny capability dac_override,
deny capability dac_read_search,
#deny /etc/** w, # re-enable once LP#697678 is fixed
deny /usr/** w,
deny /var/crash/ w,


@ -1,76 +0,0 @@
# vim:syntax=apparmor
# Profile abstraction for restricting chromium in the lightdm guest session
# Author: Jamie Strandboge <jamie@canonical.com>
# The abstraction provides the additional accesses required to launch
# chromium based browsers from within an lightdm session. Because AppArmor
# cannot yet merge profiles and because we want to utilize the access rules
# provided in abstractions/lightdm, this abstraction must be separate from
# abstractions/lightdm.
# Requires apparmor 2.9
/usr/lib/chromium/chromium Cx -> chromium,
/usr/lib/chromium-browser/chromium-browser Cx -> chromium,
/usr/bin/webapp-container Cx -> chromium,
/usr/bin/webbrowser-app Cx -> chromium,
/usr/bin/ubuntu-html5-app-launcher Cx -> chromium,
/opt/google/chrome-stable/google-chrome-stable Cx -> chromium,
/opt/google/chrome-beta/google-chrome-beta Cx -> chromium,
/opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium,
/opt/google/chrome/google-chrome Cx -> chromium,
# Allow ptracing processes in the chromium child profile
ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
# Allow receiving and sending signals to processes in the chromium child profile
signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
# Allow communications with chromium child profile via unix sockets
unix peer=(label=/usr/lib/lightdm/lightdm-guest-session//chromium),
profile chromium {
# Allow all the same accesses as other applications in the guest session
include <abstractions/lightdm>
# but also allow a few things because of chromium-browser's sandboxing that
# are not appropriate to other guest session applications.
owner @{PROC}/[0-9]*/oom_{,score_}adj w,
@{PROC}/sys/kernel/shmmax r,
capability sys_admin, # for sandbox to change namespaces
capability sys_chroot, # fod sandbox to chroot to a safe directory
capability setgid, # for sandbox to drop privileges
capability setuid, # for sandbox to drop privileges
capability sys_ptrace, # chromium needs this to keep track of itself
@{PROC}/sys/kernel/yama/ptrace_scope r,
# Allow ptrace reads of processes in the lightdm-guest-session
ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session,
# Allow other guest session processes to read and trace us
ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session,
ptrace (readby, tracedby) peer=@{profile_name},
# Allow us to receive and send signals from processes in the
# lightdm-guest-session
signal (receive, send) set=("exists", "term") peer=/usr/lib/lightdm/lightdm-guest-session,
# Allow us to receive and send on unix sockets from processes in the
# lightdm-guest-session
unix (receive, send) peer=(label=/usr/lib/lightdm/lightdm-guest-session),
@{PROC}/[0-9]*/ r, # sandbox wants these
@{PROC}/[0-9]*/fd/ r, # sandbox wants these
@{PROC}/[0-9]*/statm r, # sandbox wants these
@{PROC}/[0-9]*/task/[0-9]*/stat r, # sandbox wants these
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/uid_map w,
owner @{PROC}/@{pid}/gid_map w,
/selinux/ r,
/usr/lib/chromium/chrome-sandbox ix,
/usr/lib/chromium-browser/chromium-browser-sandbox ix,
/usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix,
/opt/google/chrome-*/chrome-sandbox ix,
}


@ -1,225 +0,0 @@
network,
capability,
file,
umount,
# dbus, signal, ptrace and unix are only supported by recent apparmor
# versions. Comment them if the apparmor parser doesn't recognize them.
# This also needs additional rules to reach outside of the container via
# DBus, so just let all of DBus within the container.
dbus,
# Allow us to receive signals from anywhere. Note: if per-container profiles
# are supported, for container isolation this should be changed to something
# like:
# signal (receive) peer=unconfined,
# signal (receive) peer=/usr/bin/lxc-start,
signal (receive),
# Allow us to send signals to ourselves
signal peer=@{profile_name},
# Allow other processes to read our /proc entries, futexes, perf tracing and
# kcmp for now (they will need 'read' in the first place). Administrators can
# override with:
# deny ptrace (readby) ...
ptrace (readby),
# Allow other processes to trace us by default (they will need 'trace' in
# the first place). Administrators can override with:
# deny ptrace (tracedby) ...
ptrace (tracedby),
# Allow us to ptrace ourselves
ptrace peer=@{profile_name},
# Allow receive via unix sockets from anywhere. Note: if per-container
# profiles are supported, for container isolation this should be changed to
# something like:
# unix (receive) peer=(label=unconfined),
unix (receive),
# Allow all unix in the container
unix peer=(label=@{profile_name}),
# ignore DENIED message on / remount
deny mount options=(ro, remount) -> /,
deny mount options=(ro, remount, silent) -> /,
# allow tmpfs mounts everywhere
mount fstype=tmpfs,
# allow hugetlbfs mounts everywhere
mount fstype=hugetlbfs,
# allow mqueue mounts everywhere
mount fstype=mqueue,
# allow fuse mounts everywhere
mount fstype=fuse,
mount fstype=fuse.*,
# deny access under /proc/bus to avoid e.g. messing with pci devices directly
deny @{PROC}/bus/** wklx,
# deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
deny @{PROC}/sys/fs/** wklx,
# allow efivars to be mounted, writing to it will be blocked though
mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
# block some other dangerous paths
deny @{PROC}/kcore rwklx,
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/acpi/** rwklx,
# deny writes in /sys except for /sys/fs/cgroup, also allow
# fusectl, securityfs and debugfs to be mounted there (read-only)
mount fstype=fusectl -> /sys/fs/fuse/connections/,
mount fstype=securityfs -> /sys/kernel/security/,
mount fstype=debugfs -> /sys/kernel/debug/,
deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
mount fstype=proc -> /proc/,
mount fstype=sysfs -> /sys/,
mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx,
mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
# deny reads from debugfs
deny /sys/kernel/debug/{,**} rwklx,
# allow paths to be made slave, shared, private or unbindable
# FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
# mount options=(rw,make-slave) -> **,
# mount options=(rw,make-rslave) -> **,
# mount options=(rw,make-shared) -> **,
# mount options=(rw,make-rshared) -> **,
# mount options=(rw,make-private) -> **,
# mount options=(rw,make-rprivate) -> **,
# mount options=(rw,make-unbindable) -> **,
# mount options=(rw,make-runbindable) -> **,
# allow bind-mounts of anything except /proc, /sys and /dev
mount options=(rw,bind) /[^spd]*{,/**},
mount options=(rw,bind) /d[^e]*{,/**},
mount options=(rw,bind) /de[^v]*{,/**},
mount options=(rw,bind) /dev/.[^l]*{,/**},
mount options=(rw,bind) /dev/.l[^x]*{,/**},
mount options=(rw,bind) /dev/.lx[^c]*{,/**},
mount options=(rw,bind) /dev/.lxc?*{,/**},
mount options=(rw,bind) /dev/[^.]*{,/**},
mount options=(rw,bind) /dev?*{,/**},
mount options=(rw,bind) /p[^r]*{,/**},
mount options=(rw,bind) /pr[^o]*{,/**},
mount options=(rw,bind) /pro[^c]*{,/**},
mount options=(rw,bind) /proc?*{,/**},
mount options=(rw,bind) /s[^y]*{,/**},
mount options=(rw,bind) /sy[^s]*{,/**},
mount options=(rw,bind) /sys?*{,/**},
# allow various ro-bind-*re*-mounts
mount options=(ro,remount,bind),
mount options=(ro,remount,bind,nosuid),
mount options=(ro,remount,bind,noexec),
mount options=(ro,remount,bind,nodev),
mount options=(ro,remount,bind,nosuid,noexec),
mount options=(ro,remount,bind,noexec,nodev),
mount options=(ro,remount,bind,nodev,nosuid),
mount options=(ro,remount,bind,nosuid,noexec,nodev),
# allow moving mounts except for /proc, /sys and /dev
mount options=(rw,move) /[^spd]*{,/**},
mount options=(rw,move) /d[^e]*{,/**},
mount options=(rw,move) /de[^v]*{,/**},
mount options=(rw,move) /dev/.[^l]*{,/**},
mount options=(rw,move) /dev/.l[^x]*{,/**},
mount options=(rw,move) /dev/.lx[^c]*{,/**},
mount options=(rw,move) /dev/.lxc?*{,/**},
mount options=(rw,move) /dev/[^.]*{,/**},
mount options=(rw,move) /dev?*{,/**},
mount options=(rw,move) /p[^r]*{,/**},
mount options=(rw,move) /pr[^o]*{,/**},
mount options=(rw,move) /pro[^c]*{,/**},
mount options=(rw,move) /proc?*{,/**},
mount options=(rw,move) /s[^y]*{,/**},
mount options=(rw,move) /sy[^s]*{,/**},
mount options=(rw,move) /sys?*{,/**},
# generated by: lxc-generate-aa-rules.py container-rules.base
deny /proc/sys/[^kn]*{,/**} wklx,
deny /proc/sys/k[^e]*{,/**} wklx,
deny /proc/sys/ke[^r]*{,/**} wklx,
deny /proc/sys/ker[^n]*{,/**} wklx,
deny /proc/sys/kern[^e]*{,/**} wklx,
deny /proc/sys/kerne[^l]*{,/**} wklx,
deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
deny /proc/sys/kernel/d[^o]*{,/**} wklx,
deny /proc/sys/kernel/do[^m]*{,/**} wklx,
deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
deny /proc/sys/kernel/domainname?*{,/**} wklx,
deny /proc/sys/kernel/h[^o]*{,/**} wklx,
deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
deny /proc/sys/kernel/host[^n]*{,/**} wklx,
deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
deny /proc/sys/kernel/hostname?*{,/**} wklx,
deny /proc/sys/kernel/m[^s]*{,/**} wklx,
deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
deny /proc/sys/kernel/msg*/** wklx,
deny /proc/sys/kernel/s[^he]*{,/**} wklx,
deny /proc/sys/kernel/se[^m]*{,/**} wklx,
deny /proc/sys/kernel/sem*/** wklx,
deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
deny /proc/sys/kernel/shm*/** wklx,
deny /proc/sys/kernel?*{,/**} wklx,
deny /proc/sys/n[^e]*{,/**} wklx,
deny /proc/sys/ne[^t]*{,/**} wklx,
deny /proc/sys/net?*{,/**} wklx,
deny /sys/[^fdc]*{,/**} wklx,
deny /sys/c[^l]*{,/**} wklx,
deny /sys/cl[^a]*{,/**} wklx,
deny /sys/cla[^s]*{,/**} wklx,
deny /sys/clas[^s]*{,/**} wklx,
deny /sys/class/[^n]*{,/**} wklx,
deny /sys/class/n[^e]*{,/**} wklx,
deny /sys/class/ne[^t]*{,/**} wklx,
deny /sys/class/net?*{,/**} wklx,
deny /sys/class?*{,/**} wklx,
deny /sys/d[^e]*{,/**} wklx,
deny /sys/de[^v]*{,/**} wklx,
deny /sys/dev[^i]*{,/**} wklx,
deny /sys/devi[^c]*{,/**} wklx,
deny /sys/devic[^e]*{,/**} wklx,
deny /sys/device[^s]*{,/**} wklx,
deny /sys/devices/[^v]*{,/**} wklx,
deny /sys/devices/v[^i]*{,/**} wklx,
deny /sys/devices/vi[^r]*{,/**} wklx,
deny /sys/devices/vir[^t]*{,/**} wklx,
deny /sys/devices/virt[^u]*{,/**} wklx,
deny /sys/devices/virtu[^a]*{,/**} wklx,
deny /sys/devices/virtua[^l]*{,/**} wklx,
deny /sys/devices/virtual/[^n]*{,/**} wklx,
deny /sys/devices/virtual/n[^e]*{,/**} wklx,
deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
deny /sys/devices/virtual/net?*{,/**} wklx,
deny /sys/devices/virtual?*{,/**} wklx,
deny /sys/devices?*{,/**} wklx,
deny /sys/f[^s]*{,/**} wklx,
deny /sys/fs/[^c]*{,/**} wklx,
deny /sys/fs/c[^g]*{,/**} wklx,
deny /sys/fs/cg[^r]*{,/**} wklx,
deny /sys/fs/cgr[^o]*{,/**} wklx,
deny /sys/fs/cgro[^u]*{,/**} wklx,
deny /sys/fs/cgrou[^p]*{,/**} wklx,
deny /sys/fs/cgroup?*{,/**} wklx,
deny /sys/fs?*{,/**} wklx,


@ -1,50 +0,0 @@
network,
capability,
file,
# The following 3 entries are only supported by recent apparmor versions.
# Comment them if the apparmor parser doesn't recognize them.
dbus,
signal,
ptrace,
# currently blocked by apparmor bug
mount -> /usr/lib*/*/lxc/{**,},
mount -> /usr/lib*/lxc/{**,},
mount -> /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},
mount fstype=devpts -> /dev/pts/,
mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
mount options=bind /dev/pts/** -> /dev/**,
mount options=(rw, make-slave) -> **,
mount options=(rw, make-rslave) -> **,
mount fstype=debugfs,
# allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
mount -> /var/lib/lxc/{**,},
mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
# required for some pre-mount hooks
mount fstype=overlayfs,
mount fstype=aufs,
mount fstype=ecryptfs,
# all umounts are under the original root's /mnt, but right now we
# can't allow those umounts after pivot_root. So allow all umounts
# right now. They'll be restricted for the container at least.
umount,
#umount /mnt/{**,},
# This may look a bit redundant, however it appears we need all of
# them if we want things to work properly on all combinations of kernel
# and userspace parser...
pivot_root /usr/lib*/lxc/,
pivot_root /usr/lib*/*/lxc/,
pivot_root /usr/lib*/lxc/**,
pivot_root /usr/lib*/*/lxc/**,
pivot_root /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},
change_profile -> lxc-*,
change_profile -> lxc-**,
change_profile -> unconfined,
change_profile -> :lxc-*:unconfined,


@ -1,29 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/etc/hosts r,
/etc/host.conf r,
/etc/resolv.conf r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/gai.conf r,
/etc/group r,
/etc/protocols r,
/etc/default/nss r,
/etc/services r,
# NSS records from systemd-userdbd.service
/{var,}run/systemd/userdb/ r,
/{var,}run/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
@{PROC}/sys/kernel/random/boot_id r,


@ -1,9 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/**/ r,
# Silencer
/{usr/,}lib/python3/** w,


@ -1,26 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
ptrace (read),
owner @{PROC}/@{pid}/stat r,
@{PROC}/1/environ r,
@{PROC}/1/sched r,
@{PROC}/1/cgroup r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/random/boot_id r,
/dev/kmsg w,
@{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,


@ -1,20 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2018-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
owner @{HOME}/thumbnails/ r,
owner @{HOME}/thumbnails/{large,normal}/ r,
owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png r,
owner @{HOME}/.cache/thumbnails/ r,
owner @{HOME}/.cache/thumbnails/{large,normal}/ r,
owner @{HOME}/.cache/thumbnails/{large,normal}/[a-f0-9]*.png r,


@ -1,22 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2018-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
owner @{HOME}/thumbnails/ rw,
owner @{HOME}/thumbnails/{large,normal}/ rw,
owner @{HOME}/thumbnails/{large,normal}/#[0-9]*[0-9] rw,
owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{HOME}/.cache/thumbnails/{large,normal}/#[0-9]*[0-9],
owner @{HOME}/.cache/thumbnails/ rw,
owner @{HOME}/.cache/thumbnails/{large,normal}/ rw,
owner @{HOME}/.cache/thumbnails/{large,normal}/#[0-9]*[0-9] rw,
owner @{HOME}/.cache/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{HOME}/.cache/thumbnails/{large,normal}/#[0-9]*[0-9],


@ -1,31 +0,0 @@
# vim:syntax=apparmor
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/openssl>
network tcp,
network udp,
capability chown,
capability dac_read_search,
capability fowner,
capability fsetid,
capability setgid,
capability setuid,
/usr/bin/tor r,
/usr/sbin/tor r,
# Needed by obfs4proxy
/proc/sys/net/core/somaxconn r,
/proc/sys/kernel/random/uuid r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
/etc/tor/* r,
/usr/share/tor/** r,
/usr/bin/obfsproxy PUx,
/usr/bin/obfs4proxy Pix,


@ -1,53 +0,0 @@
# vim:syntax=apparmor
# Author: Jamie Strandboge <jamie@canonical.com>
# Description: Limit executable access and reasonable read access. A look at
# the gconf schema files for totem-video-thumbnailer reveals at least the
# following files:
# 3gpp, ac3, acm, aiff, amr-wb, ape, asf, asx, au, avi, basic, divx, dv, flac,
# flc, fli, flic, flv, google-video-pointer, gpp, gsm, m4a, m4v, matroska,
# midi, mod, mp3, mp4, mp4es, mpeg, mpt2, msvideo, ms-wm, musepack,mxf,
# netshow, nsv, off, ogm, pict, pn-realaudio, prs.sid, quicktime, ram,
# realpix, rn, sbc, sdp, shorten, speex, theora, totem-stream, tta, ultravox,
# vivo, vorbis, wav, wavpack, wax, webm, wma, wmv, wmx, wpl, wvx, x-anim,
# x-it, xm
#
# While ideally we would narrow down our read access to the above, this is
# a maintenance problem and doesn't work for files without extensions.
include <abstractions/gnome>
include <abstractions/gstreamer>
include <abstractions/nameservice>
include <abstractions/dbus-session>
# Allow read on all directories
/**/ r,
# Allow read on removable media and files in /usr/share and /usr/local/share
/usr/local/share/** r,
/usr/share/** r,
/{media,mnt,opt,srv}/** r,
owner @{HOME}/.cache/mesa/** rwk,
owner @{HOME}/.cache/thumbnails/** rw,
owner @{HOME}/.cache/totem/ rw,
owner @{HOME}/.cache/totem/** rwk,
owner @{HOME}/.cache/totem-* rwk,
owner @{HOME}/.cache/tracker/db-locale.txt r,
owner @{HOME}/.cache/tracker/meta.db{,-shm,-journal,-wal} rwk,
owner @{HOME}/.cache/tracker/ontologies.gvdb r,
owner @{HOME}/.config/totem/ rwk,
owner @{HOME}/.config/totem/** rwk,
owner @{HOME}/.local/share/grilo-plugins/ rwk,
owner @{HOME}/.local/share/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
owner @{HOME}/.local/share/gvfs-metadata/** r,
owner @{HOME}/.local/share/totem/ rwk,
owner @{HOME}/.local/share/tracker/data/tracker-store.journal rwk,
owner @{PROC}/@{pid}/{mountinfo,status} r,
/run/udev/data/c* r,
/run/udev/data/+drm:card* r,
/run/udev/data/+usb* r,
/sys/devices/system/node/*/meminfo r,


@ -1,51 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2018-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
owner @{HOME}/.config/trashrc rw,
owner @{HOME}/.config/trashrc.lock rwk,
owner @{HOME}/.config/#[0-9]*[0-9] rwk,
owner @{HOME}/.config/trashrc.* rwl -> @{HOME}/.config/#[0-9]*[0-9],
owner @{run}/user/[0-9]*/#[0-9]*[0-9] rw,
owner @{run}/user/[0-9]*/trash.so*.[0-9].slave-socket rwl -> @{run}/user/[0-9]*/#[0-9]*[0-9],
# Home trash location
owner @{HOME}/.local/share/Trash/ rw,
owner @{HOME}/.local/share/Trash/#[0-9]*[0-9] rw,
owner @{HOME}/.local/share/Trash/directorysizes{,.*} rwl -> @{HOME}/.local/share/Trash/#[0-9]*[0-9],
owner @{HOME}/.local/share/Trash/files/{,**} rw,
owner @{HOME}/.local/share/Trash/info/ rw,
owner @{HOME}/.local/share/Trash/info/*.trashinfo{,.*} rw,
owner @{HOME}/.local/share/Trash/expunged/ rw,
owner @{HOME}/.local/share/Trash/expunged/[0-9]* rw,
# Partitions' trash location when the admin creates the .Trash/ folder in the top lvl dir
owner /media/*/.Trash/ rw,
owner /media/*/.Trash/[0-9]*/ rw,
owner /media/*/.Trash/[0-9]*/#[0-9]*[0-9] rw,
owner /media/*/.Trash/[0-9]*/directorysizes{,.*} rwl -> /media/*/.Trash/[0-9]*/#[0-9]*[0-9],
owner /media/*/.Trash/[0-9]*/files/{,**} rw,
owner /media/*/.Trash/[0-9]*/info/ rw,
owner /media/*/.Trash/[0-9]*/info/*.trashinfo{,.*} rw,
owner /media/*/.Trash/[0-9]*/expunged/ rw,
owner /media/*/.Trash/[0-9]*/expunged/[0-9]* rw,
# Partitions' trash location when the admin doesn't create the .Trash/ folder in the top lvl dir
owner /media/*/.Trash-[0-9]*/ rw,
owner /media/*/.Trash-[0-9]*/#[0-9]*[0-9] rw,
owner /media/*/.Trash-[0-9]*/directorysizes{,.*} rwl -> /media/*/.Trash-[0-9]*/#[0-9]*[0-9],
owner /media/*/.Trash-[0-9]*/files/{,**} rw,
owner /media/*/.Trash-[0-9]*/info/ rw,
owner /media/*/.Trash-[0-9]*/info/*.trashinfo{,.*} rw,
owner /media/*/.Trash-[0-9]*/expunged/ rw,
owner /media/*/.Trash-[0-9]*/expunged/[0-9]* rw,


@ -1,26 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# Author: Jamie Strandboge <jamie@canonical.com>
# For site-specific adjustments, please see:
# /etc/apparmor.d/local/chromium-browser
abi <abi/3.0>,
include <abstractions/ubuntu-browsers.d/plugins-common>
include <abstractions/ubuntu-browsers.d/mailto>
include <abstractions/ubuntu-browsers.d/multimedia>
include <abstractions/ubuntu-browsers.d/productivity>
include <abstractions/ubuntu-browsers.d/java>
include <abstractions/ubuntu-browsers.d/kde>
include <abstractions/ubuntu-browsers.d/text-editors>
include <abstractions/ubuntu-browsers.d/ubuntu-integration>
include <abstractions/ubuntu-browsers.d/user-files>


@ -1,120 +0,0 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# Java plugin
owner @{HOME}/.java/deployment/deployment.properties k,
/etc/java-*/ r,
/etc/java-*/** r,
/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}lib/*/IcedTeaPlugin.so mr,
/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}lib/*/IcedTeaPlugin.so mr,
/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java cx -> browser_openjdk,
/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java cx -> browser_openjdk,
/usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java,
/usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java,
/usr/lib/j2*-ibm/jre/bin/java cx -> browser_java,
owner /{,var/}run/user/*/icedteaplugin-*/ rw,
owner /{,var/}run/user/*/icedteaplugin-*/** rwk,
# Profile for the supported OpenJDK in Ubuntu. This doesn't require the
# unfortunate workarounds of the proprietary Javas, so have a separate
# profile.
profile browser_openjdk {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/gnome>
include <abstractions/kde>
include <abstractions/nameservice>
include <abstractions/ssl_certs>
include <abstractions/user-tmp>
include <abstractions/private-files-strict>
network inet stream,
network inet6 stream,
@{PROC}/@{pid}/net/if_inet6 r,
@{PROC}/@{pid}/net/ipv6_route r,
/etc/java-*/ r,
/etc/java-*/** r,
/etc/lsb-release r,
/etc/ssl/certs/java/* r,
/etc/timezone r,
/etc/writable/timezone r,
@{PROC}/@{pid}/ r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/filesystems r,
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/** r,
/usr/share/** r,
/var/lib/dbus/machine-id r,
/usr/bin/env ix,
/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java ix,
/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java ix,
/usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/i386/client/classes.jsa m,
# Why would java need this?
deny /usr/bin/gconftool-2 x,
owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-appletviewer-to-plugin rw,
owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-plugin-{,debug-}to-appletviewer r,
owner @{HOME}/ r,
owner @{HOME}/** rwk,
}
# Profile for commercial Javas. These need workarounds to work right (eg
# Sun's forcing of an executable stack (LP: #535247)).
profile browser_java {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/gnome>
include <abstractions/kde>
include <abstractions/nameservice>
include <abstractions/ssl_certs>
include <abstractions/user-tmp>
include <abstractions/private-files-strict>
network inet stream,
network inet6 stream,
@{PROC}/@{pid}/net/if_inet6 r,
@{PROC}/@{pid}/net/ipv6_route r,
@{PROC}/loadavg r,
/etc/debian_version r,
/etc/java-*/ r,
/etc/java-*/** r,
/etc/lsb-release r,
/etc/ssl/certs/java/* r,
/etc/timezone r,
/etc/writable/timezone r,
@{PROC}/@{pid}/ r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/filesystems r,
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/** r,
/usr/share/** r,
/var/lib/dbus/machine-id r,
/usr/bin/env ix,
/usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} ix,
/usr/lib/jvm/java-*-sun-1.*/jre/lib/i386/client/classes.jsa m,
/usr/lib/j2*-ibm/jre/bin/java ix,
# noisy, can't write here anyway
deny /etc/.java/ w,
deny /etc/.java/** w,
deny /usr/bin/gconftool-2 x,
owner @{HOME}/ r,
owner @{HOME}/** rwk,
# These are seriously unfortunate, but required due to LP: #535247
/etc/passwd m,
owner @{HOME}/.java/**/cache/** m,
owner /tmp/** m,
/usr/lib{,32,64}/jvm/**/*.jar mr,
/usr/share/fonts/** m,
}


@ -1,9 +0,0 @@
# vim:syntax=apparmor
# Users of this abstraction need to include the ubuntu-helpers abstraction
# in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers>
abi <abi/3.0>,
include <abstractions/kde>
/usr/bin/kde4-config Cx -> sanitized_helper,


@ -1,11 +0,0 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# for mailto:
include <abstractions/ubuntu-email>
include <abstractions/ubuntu-console-email>
# Terminals for using console applications. These abstractions should ideally
# have 'ix' to restrct access to what only firefox is allowed to do
include <abstractions/ubuntu-gnome-terminal>


@ -1,51 +0,0 @@
# vim:syntax=apparmor
# Users of this abstraction need to include the ubuntu-helpers abstraction
# in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers>
abi <abi/3.0>,
include <abstractions/X>
# Pulseaudio
/usr/bin/pulseaudio Pixr,
# Image viewers
/usr/bin/eog Cxr -> sanitized_helper,
/usr/bin/gimp* Cxr -> sanitized_helper,
/usr/bin/shotwell Cxr -> sanitized_helper,
/usr/bin/digikam Cxr -> sanitized_helper,
/usr/bin/gwenview Cxr -> sanitized_helper,
include <abstractions/ubuntu-media-players>
owner @{HOME}/.adobe/ w,
owner @{HOME}/.adobe/** rw,
owner @{HOME}/.macromedia/ w,
owner @{HOME}/.macromedia/** rw,
/opt/real/RealPlayer/mozilla/nphelix.so rm,
/usr/bin/lpstat Cxr -> sanitized_helper,
/usr/bin/lpr Cxr -> sanitized_helper,
# Bittorrent clients
include <abstractions/ubuntu-bittorrent-clients>
# Archivers
/usr/bin/ark Cxr -> sanitized_helper,
/usr/bin/file-roller Cxr -> sanitized_helper,
/usr/bin/xarchiver Cxr -> sanitized_helper,
/usr/local/lib{,32,64}/*.so* mr,
# News feed readers
include <abstractions/ubuntu-feed-readers>
# If we allow the above, nvidia based systems will also need this
include <abstractions/nvidia>
# Virus scanners
/usr/bin/clamscan Cx -> sanitized_helper,
# gxine (LP: #1057642)
/var/lib/xine/gxine.desktop r,
# For WebRTC camera access (LP: #1665535)
/dev/video[0-9]* rw,


@ -1,18 +0,0 @@
# vim:syntax=apparmor
abi <abi/3.0>,
#
# Plugins/helpers
#
@{PROC}/@{pid}/fd/ r,
/usr/lib/** rm,
/{,usr/}bin/bash ixr,
/{,usr/}bin/dash ixr,
/{,usr/}bin/grep ixr,
/{,usr/}bin/sed ixr,
/usr/bin/m4 ixr,
# Since all the ubuntu-browsers.d abstractions need this, just include it
# here
include <abstractions/ubuntu-helpers>


@ -1,26 +0,0 @@
# vim:syntax=apparmor
# Users of this abstraction need to include the ubuntu-helpers abstraction
# in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers>
abi <abi/3.0>,
# Openoffice.org
/usr/bin/ooffice Cxr -> sanitized_helper,
/usr/bin/oocalc Cxr -> sanitized_helper,
/usr/bin/oodraw Cxr -> sanitized_helper,
/usr/bin/ooimpress Cxr -> sanitized_helper,
/usr/bin/oowriter Cxr -> sanitized_helper,
/usr/lib/openoffice/program/soffice Cxr -> sanitized_helper,
# LibreOffice
/usr/bin/libreoffice Cxr -> sanitized_helper,
/usr/bin/localc Cxr -> sanitized_helper,
/usr/bin/lodraw Cxr -> sanitized_helper,
/usr/bin/loimpress Cxr -> sanitized_helper,
/usr/bin/lowriter Cxr -> sanitized_helper,
/usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper,
# PDFs
/usr/bin/evince Cxr -> sanitized_helper,
/usr/bin/okular Cxr -> sanitized_helper,


@ -1,16 +0,0 @@
# vim:syntax=apparmor
# Users of this abstraction need to include the ubuntu-helpers abstraction
# in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers>
abi <abi/3.0>,
# Text editors (It's All Text [https://addons.mozilla.org/en-US/firefox/addon/4125])
/usr/bin/emacsclient.emacs-snapshot Cxr -> sanitized_helper,
/usr/bin/emacsclient.emacs2[2-9] Cxr -> sanitized_helper,
/usr/bin/emacs-snapshot-gtk Cxr -> sanitized_helper,
/usr/bin/gedit Cxr -> sanitized_helper,
/usr/bin/vim.gnome Cxr -> sanitized_helper,
/usr/bin/leafpad Cxr -> sanitized_helper,
/usr/bin/mousepad Cxr -> sanitized_helper,
/usr/bin/kate Cxr -> sanitized_helper,


@ -1,37 +0,0 @@
# vim:syntax=apparmor
# Users of this abstraction need to include the ubuntu-helpers abstraction
# in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers>
abi <abi/3.0>,
# Apport
/usr/bin/apport-bug Cx -> sanitized_helper,
# Package installation
/usr/bin/apturl Cxr -> sanitized_helper,
/usr/share/software-center/software-center Cxr -> sanitized_helper,
# Input Methods
/usr/bin/scim Cx -> sanitized_helper,
/usr/bin/scim-bridge Cx -> sanitized_helper,
# File managers
/usr/bin/nautilus Cxr -> sanitized_helper,
/usr/bin/{t,T}hunar Cxr -> sanitized_helper,
/usr/bin/dolphin Cxr -> sanitized_helper,
# Themes
/usr/bin/gnome-appearance-properties Cxr -> sanitized_helper,
# Kubuntu
/usr/lib/mozilla/kmozillahelper Cxr -> sanitized_helper,
# Exo-aware applications
include <abstractions/exo-open>
# unity webapps integration. Could go in its own abstraction
owner /run/user/*/dconf/user rw,
owner @{HOME}/.local/share/unity-webapps/availableapps*.db rwk,
/usr/bin/debconf-communicate Cxr -> sanitized_helper,
owner @{HOME}/.config/libaccounts-glib/accounts.db rk,


@ -1,8 +0,0 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# firefox-notify
include <abstractions/python>
/usr/bin/python2.[4567] ix,
/usr/share/xul-ext/notify/**/download_complete_notify.py ix,


@ -1,30 +0,0 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# Allow read to all files user has DAC access to and write access to all
# files owned by the user in $HOME.
@{HOME}/ r,
@{HOME}/** r,
owner @{HOME}/** w,
# Do not allow read and/or write to particularly sensitive/problematic files
include <abstractions/private-files>
audit deny @{HOME}/.ssh/{,**} mrwkl,
audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
# Comment this out if using gpg plugin/addons
audit deny @{HOME}/.gnupg/{,**} mrwkl,
# Allow read to all files user has DAC access to and write for files the user
# owns on removable media and filesystems.
/media/** r,
/mnt/** r,
/srv/** r,
/net/** r,
owner /media/** w,
owner /mnt/** w,
owner /srv/** w,
owner /net/** w,


@ -1,25 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2018-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
owner @{HOME}/[dD]ownload{,s}/ r,
owner @{HOME}/[dD]ownload{,s}/** rwl,
owner /media/*/[dD]ownload/ r,
owner /media/*/[dD]ownload/** rwl,
owner @{HOME}/[dD]esktop/ r,
owner @{HOME}/[dD]esktop/** rwl,
# For SSHFS mounts (without owner as files in such mounts can be owned by different users)
@{HOME}/mount-sshfs/ r,
@{HOME}/mount-sshfs/** rwl,


@ -1,21 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2018-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/vlc/ rw,
owner @{HOME}/.cache/vlc/art/ rw,
owner @{HOME}/.cache/vlc/art/artistalbum/ rw,
owner @{HOME}/.cache/vlc/art/artistalbum/**/ rw,
owner @{HOME}/.cache/vlc/art/artistalbum/**/art rw,
owner @{HOME}/.cache/vlc/art/artistalbum/**/art.jpg rw,


@ -1,8 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
owner @{run}/user/[0-9]*/wayland-[0-9]* rw,
owner @{run}/user/[0-9]*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,
owner /dev/shm/wlroots-* rw,


@ -1,8 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
deny /var/log/wtmp wk,
/var/log/wtmp rwk,
/var/log/btmp rwk,


@ -1,31 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2018-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/usr/share/zsh/{,**} r,
/usr/local/share/zsh/{,**} r,
/{usr/,}lib/@{multiarch}/zsh/[0-9]*/zsh/*.so mr,
/etc/zsh/zshenv r,
/etc/zsh/zshrc r,
/etc/zsh/zprofile r,
/etc/zsh/zlogin r,
owner @{HOME}/.zshrc r,
owner @{HOME}/.zsh_history rw,
owner @{HOME}/.zsh_history.LOCK rwk,
owner @{HOME}/.oh-my-zsh/{,**} r,
owner @{HOME}/.oh-my-zsh/log/update.lock/ w,
owner @{HOME}/.zcompdump-* rw,


@ -1,39 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/accountsservice/accounts-daemon
@{exec_path} += /usr/libexec/accounts-daemon
profile accounts-daemon @{exec_path} {
include <abstractions/base>
include <abstractions/wutmp>
include <abstractions/nameservice-strict>
# Needed?
deny capability sys_nice,
@{exec_path} mr,
owner /var/lib/AccountsService/ r,
owner /var/lib/AccountsService/** rw,
/usr/share/accountsservice/{,**} r,
/usr/share/dbus-1/interfaces/org.freedesktop.DisplayManager.AccountsService.xml r,
/etc/shells r,
/etc/shadow r,
include if exists <local/accounts-daemon>
}


@ -1,30 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/acpi
profile acpi @{exec_path} flags=(complain) {
include <abstractions/base>
@{exec_path} mr,
@{sys}/class/thermal/ r,
@{sys}/class/power_supply/ r,
@{sys}/devices/**/power_supply/{,**} r,
@{sys}/devices/virtual/thermal/{,**} r,
include if exists <local/acpi>
}


@ -1,38 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/adb
@{exec_path} += /{usr/,}lib/android-sdk/platform-tools/adb
profile adb @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/devices-usb>
include <abstractions/user-download-strict>
# For adb kill-server:
# cannot connect to daemon at tcp:5037: Permission denied
network inet stream,
network inet6 stream,
@{exec_path} mrix,
owner /tmp/adb.[0-9]*.log rw,
owner @{HOME}/.android/ rw,
owner @{HOME}/.android/adb.[0-9]* rw,
owner @{HOME}/.android/adbkey rw,
include if exists <local/adb>
}


@ -1,71 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/add{user,group}
profile adduser @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
include <abstractions/nameservice-strict>
# To create a user home dir and give it proper permissions:
# mkdir("/home/user", 0755) = 0
# chown("/home/user", 1001, 1001) = 0
# chmod("/home/user", 0755) = 0
capability chown,
capability fowner,
# To set the set-group-ID bit for the user home dir (SETGID_HOME=yes).
capability fsetid,
# To copy files from the /etc/skel/ dir to the newly created user dir, which now has a different
# owner.
capability dac_read_search,
capability dac_override,
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/find rix,
/{usr/,}bin/rm rix,
/{usr/,}sbin/useradd rPx,
/{usr/,}sbin/userdel rPx,
/{usr/,}sbin/groupdel rPx,
/{usr/,}sbin/groupadd rPx,
/{usr/,}sbin/usermod rPx,
/{usr/,}bin/passwd rPx,
/{usr/,}bin/gpasswd rPx,
/{usr/,}bin/chfn rPx,
/{usr/,}bin/chage rPx,
/etc/{group,passwd,shadow} r,
/etc/adduser.conf r,
# To create user dirs
@{HOME}/ rw,
# To copy files from /etc/skel/ to user dirs
@{HOME}/.* w,
/etc/skel/{,.*} r,
# What's this for? (#FIXME#)
/var/lib/lightdm/{,*} w,
/var/lib/sddm/{,*} w,
include if exists <local/adduser>
}


@ -1,118 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/adequate
profile adequate @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
include <abstractions/nameservice-strict>
#capability sys_tty_config,
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}sbin/ldconfig rix,
# It wants to ldd all binaries/libs in packages.
/{usr/,}bin/ldd rCx -> ldd,
# Think what to do about this (#FIXME#)
/usr/share/debconf/frontend rPx,
#/usr/share/debconf/frontend rCx -> frontend,
/{usr/,}bin/pkg-config rCx -> pkg-config,
/{usr/,}bin/dpkg rPx -> child-dpkg,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
#
/{usr/,}bin/update-alternatives rPx,
/var/lib/adequate/pending rwk,
/etc/shadow r,
/usr/share/python{,3}/debian_defaults r,
/usr/share/doc/*/copyright r,
/usr/share/**/__pycache__/ r,
/usr/**/*.py r,
profile ldd flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/ldd mr,
/{usr/,}bin/* mr,
/{usr/,}sbin/* mr,
/usr/games/* mr,
/{usr/,}lib{,x}{,32,64}/** mr,
/{usr/,}lib/@{multiarch}/** mr,
/usr/share/** r,
/opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} mr,
/{usr/,}lib/@{multiarch}/ld-*.so rix,
/{usr/,}lib{,x}32/ld-*.so rix,
}
profile frontend flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r,
/{usr/,}bin/perl r,
/{usr/,}bin/adequate rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/locale rix,
/etc/debconf.conf r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
/usr/share/debconf/templates/adequate.templates r,
# The following is needed when debconf uses GUI frontends.
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
/etc/shadow r,
}
profile pkg-config flags=(complain) {
include <abstractions/base>
/{usr/,}bin/pkg-config mr,
}
include if exists <local/adequate>
}


@ -1,200 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2017-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
# Audio extensions
# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma,
@{amarok_ext} = [aA]{52,[aA][cC],[cC]3}
@{amarok_ext} += [mM][kK][aA]
@{amarok_ext} += [fF][lL][aA][cC]
@{amarok_ext} += [mM][pP][123cC]
@{amarok_ext} += [oO][gGmM][aA]
@{amarok_ext} += [wW]{,[aA]}[vV]
@{amarok_ext} += [wW][mM]{,[aA]}
# Image extensions
# bmp, jpg, jpeg, png, gif
@{amarok_ext} += [bB][mM][pP]
@{amarok_ext} += [jJ][pP]{,[eE]}[gG]
@{amarok_ext} += [pP][nN][gG]
@{amarok_ext} += [gG][iI][fF]
# Playlist extensions
# m3u, m3u8, pls
@{amarok_ext} += [mM]3[uU]{,8}
@{amarok_ext} += [pP][lL][sS]
@{exec_path} = /{usr/,}bin/amarok
profile amarok @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/X>
include <abstractions/kde4>
include <abstractions/gtk>
include <abstractions/audio>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/trash>
include <abstractions/vlc-art-cache-write>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/devices-usb>
include <abstractions/deny-root-dir-access>
ptrace (trace) peer=@{profile_name},
# Signals to kdeinit4 (unconfined)
signal (send) peer=unconfined,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/amarokcollectionscanner rix,
/{usr/,}bin/kde4-config rix,
/{usr/,}lib/kde4/libexec/lnusertemp rix,
/{usr/,}lib/kde4/libexec/drkonqi rix,
/{usr/,}bin/kglobalaccel rPUx,
/{usr/,}bin/kbuildsycoca4 rPUx,
/{usr/,}bin/kdeinit4 rPUx,
/{usr/,}bin/knotify4 rPUx,
/{usr/,}bin/ffmpeg rPUx,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
# Which media files Amarok should be able to open
/ r,
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
/media/ r,
owner /media/**/ r,
owner /{home,media}/**.@{amarok_ext} rw,
# Amarok home files
owner @{HOME}/.kde{,4}/share/apps/amarok/ rw,
owner @{HOME}/.kde{,4}/share/apps/amarok/** rwk,
owner @{HOME}/.kde{,4}/share/apps/knewstuff3/amarok.knsregistry rw,
owner @{HOME}/.kde{,4}/share/config/amarokrc* rw,
owner @{HOME}/.kde{,4}/share/config/amarok_homerc* rw,
owner @{HOME}/.kde{,4}/share/config/amarok-appletsrcm* rw,
owner @{HOME}/.kde{,4}/share/config/amarok-appletsrc* rw,
owner @{HOME}/.kde{,4}/share/config/kcookiejarrc r,
owner @{HOME}/.kde{,4}/share/config/kio_httprc r,
owner @{HOME}/.kde{,4}/share/config/kioslaverc r,
owner @{HOME}/.kde{,4}/share/config/ktimezonedrc r,
# Phonon
/{usr/,}lib/@{multiarch}/qt4/plugins/phonon_backend/phonon_vlc.so mr,
# VLC backend
/{usr/,}lib/@{multiarch}/vlc/plugins/plugins.dat.* r,
/usr/share/vlc/** r,
# Cache for art images
owner @{HOME}/.kde{,4}/ rw,
owner @{HOME}/.kde{,4}/share/ rw,
owner @{HOME}/.kde{,4}/share/apps/ rw,
owner @{HOME}/.kde{,4}/share/apps/amarok/ rw,
owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/ rw,
owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/ rw,
owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/[0-9]*@[0-9a-f]* rw,
owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/[0-9]*@nocover.png rw,
owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache rw,
owner @{HOME}/.local/share/user-places.xbel rw,
owner @{HOME}/.config/Trolltech.conf rwk,
deny /etc/rpc r,
deny /etc/gnome-vfs-2.0/modules/default-modules.conf r,
deny owner @{PROC}/@{pid}/cmdline r,
deny owner @{PROC}/@{pid}/loginuid r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
# TMP
owner /tmp/#sql_*.{MAI,MAD} rw,
owner /tmp/qipc_{systemsem,sharedmemory}_AmarokScannerMemory[a-f0-9]* rw,
owner /tmp/qt_temp.* rw,
owner /tmp/xauth-[0-9]*-_[0-9] r,
owner /tmp/kde-*/ rw,
/usr/share/icons/*/index.theme rk,
@{run}/user/[0-9]*/ksocket-*/amarok*.slave-socket rw,
# What's this for?
deny /etc/mysql/** r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# file_inherit
deny /usr/share/anyremote/** r,
owner @{HOME}/.anyRemote/anyremote.stdout w,
# Udev silencer
deny @{sys}/bus/ r,
deny @{sys}/class/ r,
deny @{sys}/devices/ r,
deny @{sys}/devices/virtual/net/**/{uevent,type} r,
deny @{sys}/devices/virtual/sound/seq/uevent r,
deny @{sys}/devices/system/node/ r,
deny @{run}/udev/data/* r,
# To generate the crash log info in Amarok
/{usr/,}bin/gdb rCx -> gdb,
profile gdb {
include <abstractions/base>
include <abstractions/python>
/{usr/,}bin/gdb mr,
/usr/share/glib-2.0/gdb/{,**} r,
@{PROC}/@{pids}/fd/ r,
owner @{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pids}/task/@{tid}/stat r,
owner @{PROC}/@{pids}/task/@{tid}/maps r,
owner @{PROC}/@{pids}/mem r,
/{usr/,}bin/iconv rix,
/usr/share/gdb/python/ r,
/usr/share/gdb/python/{,**} r,
ptrace (trace),
/{usr/,}bin/* r,
/usr/share/gdb/auto-load/usr/lib/x86_64-linux-gnu/*.py r,
/usr/share/gdb/auto-load/lib/x86_64-linux-gnu/*.py r,
/usr/share/gcc-[0-9]*/python/{,**} r,
# Silencer
deny /usr/share/** w,
}
include if exists <local/amarok>
}


@ -1,31 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/amixer
profile amixer @{exec_path} {
include <abstractions/base>
include <abstractions/audio>
@{exec_path} mr,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{HOME}/.Xauthority r,
owner @{HOME}/.config/pulse/ r,
include if exists <local/amixer>
}


@ -1,307 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{AS_LIBDIR} = /media/*/android-studio
@{AS_SDKDIR} = /media/*/SDK
@{AS_HOMEDIR} = @{HOME}/.AndroidStudio*
@{AS_PROJECTDIR} = @{HOME}/AndroidStudioProjects
@{exec_path} = @{AS_LIBDIR}/bin/studio.sh
profile android-studio @{exec_path} {
include <abstractions/base>
#icnlude <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/ssl_certs>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/audio>
include <abstractions/python>
include <abstractions/devices-usb>
include <abstractions/deny-root-dir-access>
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
# to "1".
capability sys_admin,
capability sys_chroot,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w,
capability sys_ptrace,
signal (send) set=(term, kill) peer=android-studio//lsb-release,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}bin/which rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/sed rix,
/{usr/,}sbin/ldconfig rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/chattr rix,
/{usr/,}bin/setsid rix,
/{usr/,}bin/nice rix,
/{usr/,}bin/kill rix,
/{usr/,}bin/lsusb rPx,
/{usr/,}bin/xprop rPx,
/{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/ps rPx,
/{usr/,}bin/git rPx,
/{usr/,}bin/lsb_release rCx -> lsb-release,
/{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/jre/bin/* rix,
/etc/java-[0-9]*-openjdk/** r,
/usr/share/java/java-atk-wrapper.jar r,
/etc/ssl/certs/java/cacerts r,
/ r,
/home/ r,
/media/ r,
/media/*/ r,
/usr/ r,
/{usr/,}lib/ r,
/{usr/,}lib{x32,32,64}/ r,
@{AS_LIBDIR}/ rw,
@{AS_LIBDIR}/** mrwkix,
# A standard system android SDK location.
# Currently there is only the target platform of API Level 23 packaged, so only apps targeted at
# android-23 can be built with only Debian packages. Only Build-Tools 24.0.0 is available, so in
# order to use the SDK, build scripts need to be modified.
/{usr/,}lib/android-sdk/ r,
/{usr/,}lib/android-sdk/** mrkix,
/usr/share/android-sdk-platform-*/{,**} r,
deny /{usr/,}lib/android-sdk/build-tools/*/package.xml w,
deny /{usr/,}lib/android-sdk/platforms/android-*/package.xml w,
deny /{usr/,}lib/android-sdk/.knownPackages w,
# This one is used if the standard android SDK location is missing
@{AS_SDKDIR}/ rw,
@{AS_SDKDIR}/** mrwkix,
owner @{AS_HOMEDIR}/ rw,
owner @{AS_HOMEDIR}/** mrwkix,
owner @{AS_PROJECTDIR}/ rw,
owner @{AS_PROJECTDIR}/** rwk,
owner @{HOME}/AndroidStudio/ rw,
owner @{HOME}/AndroidStudio/DeviceExplorer/ rw,
owner @{HOME}/AndroidStudio/DeviceExplorer/** rw,
owner @{HOME}/Android/ rw,
owner @{HOME}/Android/** mrwkix,
owner "@{HOME}/.config/Android Open Source Project/" rw,
owner "@{HOME}/.config/Android Open Source Project/**" rwk,
owner @{HOME}/.config/Google/ rw,
owner @{HOME}/.config/Google/** rwk,
owner @{HOME}/.cache/ rw,
owner "@{HOME}/.cache/Android Open Source Project/" rw,
owner "@{HOME}/.cache/Android Open Source Project/**" rw,
owner @{HOME}/.cache/Google/ rw,
owner @{HOME}/.cache/Google/** rwk,
# To remove the following error:
# Location: /home/morfik/.cache/Google/AndroidStudio4.1/tmp
# java.io.IOException: Cannot run program
# "/home/morfik/.cache/Google/AndroidStudio4.1/tmp/ij659840309.tmp": error=13, Permission denied
owner @{HOME}/.cache/Google/AndroidStudio*/tmp/ij[0-9]*.tmp rwkix,
#
owner @{HOME}/.cache/Google/AndroidStudio*/tmp/jna[0-9]*.tmp mrwk,
owner @{HOME}/.cache/JNA/ rw,
owner @{HOME}/.cache/JNA/** rw,
owner @{HOME}/.gradle/ rw,
owner @{HOME}/.gradle/** mrwkix,
owner @{HOME}/ r,
owner @{HOME}/.android/ rw,
owner @{HOME}/.android/** rwkl -> @{HOME}/.android/**,
owner @{HOME}/.local/share/Google/ rw,
owner @{HOME}/.local/share/Google/** rw,
owner @{HOME}/.local/share/kotlin/ rw,
owner @{HOME}/.local/share/kotlin/** rw,
owner "@{HOME}/.local/share/Android Open Source Project/" rw,
owner "@{HOME}/.local/share/Android Open Source Project/**" rwk,
owner @{HOME}/.java/ rw,
owner @{HOME}/.java/fonts/ rw,
owner @{HOME}/.java/fonts/*/ rw,
owner @{HOME}/.java/fonts/*/fcinfo*.tmp rw,
owner @{HOME}/.java/fonts/*/fcinfo*.properties rw,
owner @{HOME}/.java/.userPrefs/ rw,
owner @{HOME}/.java/.userPrefs/** rwk,
owner @{HOME}/.pki/ rw,
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
owner @{HOME}/.emulator_console_auth_token rw,
deny owner @{HOME}/Desktop/* rw,
@{PROC}/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/net/if_inet6 r,
@{PROC}/@{pid}/net/ipv6_route r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mem r,
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pids}/stat r,
@{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/partitions r,
@{PROC}/vmstat r,
@{PROC}/loadavg r,
@{sys}/fs/cgroup/{,**} r,
/var/tmp/ r,
/tmp/ r,
owner /tmp/** rwk,
owner /tmp/native-platform[0-9]*dir/*.so rwm,
owner /{var,}run/user/[0-9]*/avd/ rw,
owner /{var,}run/user/[0-9]*/avd/running/ rw,
owner /{var,}run/user/[0-9]*/avd/running/pid_@{pid}.ini rw,
/usr/share/hwdata/pnp.ids r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner /dev/shm/.org.chromium.Chromium.* rw,
/dev/kvm rw,
@{sys}/devices/virtual/block/**/rotational r,
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpg mr,
owner @{HOME}/.gnupg/ rw,
owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
}
profile lsb-release {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/python>
signal (receive) set=(term, kill) peer=android-studio,
/{usr/,}bin/lsb_release r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/apt-cache rPx,
owner @{PROC}/@{pid}/fd/ r,
/etc/dpkg/origins/** r,
/etc/debian_version r,
/usr/share/distro-info/*.csv r,
owner /tmp/android-*/emulator-* w,
owner /tmp/android-*/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*/opengl_* w,
# file_inherit
owner @{HOME}/.android/avd/** r,
/dev/dri/card[0-9]* rw,
}
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}bin/spacefm rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/vlc rPx,
/{usr/,}bin/mpv rPx,
/{usr/,}bin/geany rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/ebook-viewer rPx,
/{usr/,}lib/firefox/firefox rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/android-studio>
}


@ -1,206 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/anki
profile anki @{exec_path} {
include <abstractions/base>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/python>
include <abstractions/audio>
include <abstractions/mesa>
include <abstractions/qt5-settings-write>
include <abstractions/qt5-compose-cache-write>
include <abstractions/user-download-strict>
include <abstractions/trash>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
signal (send) set=(term, kill) peer=anki//mpv,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}sbin/ldconfig rix,
/{usr/,}bin/ r,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/mpv rCx -> mpv,
# For recording sounds while creating decks
/{usr/,}bin/lame rCx -> lame,
/{usr/,}lib/@{multiarch}/qt5/libexec/QtWebEngineProcess rix,
/usr/share/qt5/**/*.pak r,
owner @{HOME}/.config/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
owner @{HOME}/ r,
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/qtshadercache/ rw,
owner @{HOME}/.cache/qtshadercache/#[0-9]*[0-9] rw,
owner @{HOME}/.cache/qtshadercache/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9],
owner @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{HOME}/.cache/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
/usr/share/anki/{,**} r,
/usr/share/javascript/**/*.js r,
owner @{HOME}/.local/share/Anki{,2}/ rw,
owner @{HOME}/.local/share/Anki{,2}/** rwk,
# To remove the following error:
# Error initializing NSS with a persistent database
owner @{HOME}/.pki/ rw,
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
# If one is blocked, the others are probed.
deny owner @{HOME}/#[0-9]*[0-9] mrw,
owner @{HOME}/.glvnd* mrw,
# owner /tmp/#[0-9]*[0-9] mrw,
# owner /tmp/.glvnd* mrw,
# The /proc/ dir is needed to avoid the following error:
# [:FATAL:sandbox_linux.cc(172)] Check failed: proc_fd_ >= 0 (-1 vs. 0)
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r,
deny owner @{PROC}/@{pid}/mem r,
owner @{PROC}/@{pid}/task/ r,
deny owner @{PROC}/@{pid}/task/@{tid}/status r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
deny owner @{PROC}/@{pid}/cmdline r,
# To remove the following error:
# GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied
# (g-file-error-quark, 2)
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny @{PROC}/sys/kernel/random/boot_id r,
deny @{PROC}/vmstat r,
deny owner @{PROC}/@{pid}/setgroups w,
/etc/fstab r,
/var/tmp/ r,
/tmp/ r,
owner /tmp/* rw,
owner /tmp/anki_temp/ rw,
owner /tmp/anki_temp/** rwk,
owner /tmp/mozilla_*/*.apkg r,
owner /dev/shm/.org.chromium.Chromium.* rw,
/dev/shm/#[0-9]*[0-9] rw,
@{sys}/devices/pci[0-9]*/**/irq r,
@{sys}/devices/pci[0-9]*/**/{vendor,device} r,
/usr/share/hwdata/pnp.ids r,
/etc/mime.types r,
# SyncThread
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
/etc/ r,
/etc/debian_version r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile mpv {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/audio>
signal (receive) set=(term, kill) peer=anki,
/{usr/,}bin/mpv mr,
/etc/mpv/encoding-profiles.conf r,
owner /tmp/mpv.* rw,
# For playing sets' sounds
owner @{HOME}/.local/share/Anki{,2}/*/collection.media/ r,
owner @{HOME}/.local/share/Anki{,2}/*/collection.media/*.{mp3,wav} r,
owner @{HOME}/.local/share/Anki{,2}/pulse/ r,
owner @{HOME}/.local/share/Anki{,2}/pulse/cookie rk,
owner @{HOME}/.Xauthority r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
}
profile lame {
include <abstractions/base>
/{usr/,}bin/lame mr,
owner @{HOME}/.local/share/Anki{,2}/*/collection.media/rec.{mp3,wav} rw,
}
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/anki>
}


@ -1,166 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/anyremote
profile anyremote @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/deny-root-dir-access>
signal (receive) set=(int, term, kill),
signal (send) set=(term, kill),
network inet stream,
network inet6 stream,
@{exec_path} rm,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/id rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/expr rix,
/{usr/,}bin/which rix,
/{usr/,}bin/head rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/tail rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/md5sum rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/sleep rix,
/{usr/,}bin/find rix,
/{usr/,}bin/convert-im6.q16 rCx -> imagemagic,
/{usr/,}bin/killall rCx -> killall,
/{usr/,}bin/pgrep rCx -> pgrep,
/{usr/,}lib/qt5/bin/qdbus rCx -> qdbus,
/{usr/,}bin/curl rCx -> curl,
/{usr/,}bin/pacmd rPx,
/{usr/,}bin/pactl rPx,
/{usr/,}bin/wmctrl rPx,
/{usr/,}bin/qtchooser rPx,
/{usr/,}bin/ps rPx,
# Players
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/amarok rPx,
/{usr/,}bin/vlc rPx,
/{usr/,}bin/mpv rPx,
/{usr/,}bin/strawberry rPx,
owner /tmp/amarok_covers/ rw,
owner /tmp/*.png rw,
# For shell pwd
owner @{HOME}/ r,
owner @{HOME}/.anyRemote/{,**} rw,
owner @{HOME}/.anyRemote/imdb-mf.sh rix,
/usr/share/anyremote/{,**} r,
/usr/share/anyremote/cfg-data/Utils/*.sh rix,
deny @{PROC}/sys/kernel/osrelease r,
owner @{HOME}/.Xauthority r,
profile imagemagic {
include <abstractions/base>
/{usr/,}bin/convert-im6.q16 mr,
/usr/share/ImageMagick-[0-9]/*.xml rw,
/etc/ImageMagick-[0-9]/*.xml r,
/usr/share/anyremote/cfg-data/Icons/common/*.png r,
owner @{HOME}/.anyRemote/*.png rw,
owner @{HOME}/.kde/share/apps/amarok/albumcovers/cache/* r,
/tmp/ r,
owner /tmp/*.png rw,
owner /tmp/amarok_covers/* rw,
owner /tmp/magick-* rw,
}
profile killall {
include <abstractions/base>
include <abstractions/consoles>
capability sys_ptrace,
signal (send) set=(term, kill),
ptrace (read),
/{usr/,}bin/killall mr,
# The /proc/ dir is needed to avoid the following error:
# /proc: Permission denied
@{PROC}/ r,
@{PROC}/@{pids}/stat r,
# file_inherit
owner @{HOME}/.anyRemote/anyremote.stdout w,
}
profile pgrep {
include <abstractions/base>
include <abstractions/consoles>
signal (send) set=(term, kill),
/{usr/,}bin/pgrep mr,
# The /proc/ dir and the cmdline have to be radable to avoid pgrep segfault.
@{PROC}/ r,
@{PROC}/@{pids}/cmdline r,
deny @{PROC}/sys/kernel/osrelease r,
# file_inherit
owner @{HOME}/.anyRemote/anyremote.stdout w,
}
profile curl {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
/{usr/,}bin/curl mr,
}
profile qdbus {
include <abstractions/base>
/{usr/,}lib/qt5/bin/qdbus mr,
}
include if exists <local/anyremote>
}


@ -1,31 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aplay
profile aplay @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/audio>
@{exec_path} mr,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{HOME}/.Xauthority r,
owner @{HOME}/.config/pulse/ r,
include if exists <local/aplay>
}


@ -1,116 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = "/home/*/Desktop/Beyond All Reason.AppImage"
@{exec_path} += /home/*/Desktop/BeyondAllReason.AppImage
profile appimage-beyond-all-reason @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/nameservice-strict>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/ssl_certs>
include <abstractions/audio>
capability sys_ptrace,
# For kernel unprivileged user namespaces
capability sys_admin,
capability sys_chroot,
capability setuid,
capability setgid,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w,
network netlink raw,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/xmessage rix,
/{usr/,}bin/x86_64-linux-gnu-addr2line rix,
/{usr/,}bin/fusermount{,3} rPx,
mount fstype={fuse,fuse.*} -> /tmp/.mount_Beyond*/,
/var/tmp/ r,
/tmp/ r,
/tmp/.mount_Beyond*/ rw,
/tmp/.mount_Beyond*/beyond-all-reason rix,
/tmp/.mount_Beyond*/AppRun rix,
/tmp/.mount_Beyond*/bin/* rix,
/tmp/.mount_Beyond*/resources/app.asar.unpacked/node_modules/** rix,
/tmp/.mount_Beyond*/** r,
/tmp/.mount_Beyond*/**.so{,.[0-9]*} mr,
owner /tmp/.org.chromium.Chromium.*/ rw,
owner /tmp/.org.chromium.Chromium.*/SingletonCookie rw,
owner /tmp/.org.chromium.Chromium.*/SS rw,
owner /tmp/.org.chromium.Chromium.*/*.png rw,
owner /tmp/.org.chromium.Chromium.* rw,
owner @{HOME}/.config/Beyond-All-Reason/ rw,
owner @{HOME}/.config/Beyond-All-Reason/** rwk,
owner "@{HOME}/Beyond All Reason/" rw,
owner "@{HOME}/Beyond All Reason/**" rwkm,
owner "@{HOME}/Beyond All Reason/engine/**/spring" rix,
owner @{HOME}/.spring/ rw,
owner @{HOME}/.spring/** rw,
owner @{HOME}/.pki/ rw,
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r,
deny owner @{PROC}/@{pid}/cmdline r,
@{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/statm r,
owner @{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pid}/oom_{,score_}adj r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj w,
@{PROC}sys/fs/inotify/max_user_watches r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
owner /dev/shm/.org.chromium.Chromium.* rw,
@{sys}/bus/pci/devices/ r,
@{sys}/devices/pci[0-9]*/**/class r,
@{sys}/devices/virtual/tty/tty0/active r,
/dev/fuse rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
include if exists <local/appimage-beyond-all-reason>
}


@ -1,68 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/appstreamcli
profile appstreamcli @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
# For file valudation using the network
/{usr/,}bin/curl rCx -> curl,
/etc/appstream.conf r,
owner @{PROC}/@{pid}/fd/ r,
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/appstream-cache-*.mdb rw,
/usr/share/appdata/ r,
/var/lib/app-info/yaml/ r,
/var/lib/app-info/yaml/*_Components-*.yml.gz w,
owner /var/cache/app-info/{,**} rw,
owner /tmp/appstream-cache-*.mdb rw,
owner /tmp/appstream/ rw,
owner /tmp/appstream/appcache-*.mdb rw,
owner @{HOME}/.local/share/mime/mime.cache r,
/usr/share/mime/mime.cache r,
/usr/share/applications/{,*.desktop} r,
/usr/share/metainfo/ r,
/usr/share/metainfo/*.{metainfo,appdata}.xml r,
/var/lib/apt/lists/ r,
/var/lib/apt/lists/*_Components-*.gz r,
# file_inherit
/var/log/cron-apt/temp w,
profile curl {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
/{usr/,}bin/curl mr,
}
include if exists <local/appstreamcli>
}


@ -1,184 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/apt
profile apt @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/apt-common>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
# To remove the following errors:
# W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed -
# Item::QueueURI (1: Operation not permitted)
capability fowner,
# To remove the following errors:
# W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
capability chown,
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
#
# To remove the following errors:
# E: setgroups 65534 failed - setgroups (1: Operation not permitted)
# E: setegid 65534 failed - setegid (1: Operation not permitted)
# E: seteuid 100 failed - seteuid (1: Operation not permitted)
# E: setgroups 0 failed - setgroups (1: Operation not permitted)
capability setuid,
capability setgid,
# To remove the following errors:
# W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease -
# PrepareFiles (13: Permission denied)
# E: Unable to read /var/lib/apt/lists/partial/ - open (13: Permission denied)
capability dac_read_search,
# To remove the following errors:
# E: Failed to fetch https://**.deb rename failed, Permission denied
# (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb).
# E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
capability dac_override,
# Needed? (##FIXME##)
capability kill,
capability fsetid,
audit deny capability net_admin,
signal (send) peer=apt-methods-*,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/test rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/ps rPx,
/{usr/,}bin/dpkg rPx,
/{usr/,}bin/apt-listbugs rPx,
/{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/apt-show-versions rPx,
/{usr/,}sbin/dpkg-preconfigure rPx,
/{usr/,}bin/debtags rPx,
/{usr/,}sbin/localepurge rPx,
/{usr/,}bin/appstreamcli rPx,
/{usr/,}bin/adequate rPx,
/{usr/,}sbin/update-command-not-found rPx,
/usr/share/command-not-found/cnf-update-db rPx,
/{usr/,}bin/dpkg-source rcx -> dpkg-source,
# Methods to use to download packages from the net
/{usr/,}lib/apt/methods/* rPx,
/var/lib/apt/lists/** rw,
/var/lib/apt/lists/lock rwk,
/var/lib/apt/extended_states{,.*} rw,
/var/log/apt/eipp.log.xz w,
/var/log/apt/{term,history}.log w,
# For editing the sources.list file
/etc/apt/sources.list rwk,
/{usr/,}bin/sensible-editor rCx -> editor,
/{usr/,}bin/vim.* rCx -> editor,
/var/lib/dpkg/** r,
/var/lib/dpkg/lock{,-frontend} rwk,
owner @{PROC}/@{pid}/fd/ r,
/dev/ptmx rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/tmp/ r,
owner /tmp/apt.conf.* rw,
owner /tmp/apt.data.* rw,
owner /tmp/apt-dpkg-install-*/ rw,
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
profile editor flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/sensible-editor mr,
/{usr/,}bin/vim.* mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
owner @{HOME}/.selected_editor r,
/usr/share/vim/{,**} r,
/etc/vim/{,**} r,
owner @{HOME}/.viminfo{,.tmp} rw,
owner @{HOME}/.fzf/plugin/ r,
owner @{HOME}/.fzf/plugin/fzf.vim r,
/etc/apt/sources.list rw,
}
profile dpkg-source flags=(complain) {
include <abstractions/base>
include <abstractions/perl>
include <abstractions/nameservice-strict>
/{usr/,}bin/dpkg-source mr,
/{usr/,}bin/perl r,
/{usr/,}bin/tar rix,
/{usr/,}bin/bunzip2 rix,
/{usr/,}bin/gunzip rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/patch rix,
/etc/dpkg/origins/debian r,
owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
owner @{HOME}/** rwkl -> @{HOME}/**,
audit deny owner @{HOME}/.* mrwkl,
audit deny owner @{HOME}/.*/ rw,
audit deny owner @{HOME}/.*/** mrwkl,
}
include if exists <local/apt>
}


@ -1,38 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-cache
profile apt-cache @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/apt-common>
@{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/var/lib/dpkg/** r,
/var/lib/dpkg/lock{,-frontend} rwk,
owner @{PROC}/@{pid}/fd/ r,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
include if exists <local/apt-cache>
}


@ -1,94 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-cdrom
profile apt-cdrom @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/apt-common>
capability dac_read_search,
@{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/mount rCx -> mount,
/{usr/,}bin/umount rCx -> umount,
# Are all of these needed? (#FIXME#)
@{sys}/bus/ r,
@{sys}/bus/*/devices/ r,
@{sys}/class/ r,
@{sys}/class/*/ r,
@{sys}/devices/**/uevent r,
@{run}/udev/data/* r,
/etc/fstab r,
# For cd-roms
/media/cdrom[0-9]/ r,
/media/cdrom[0-9]/**/ r,
/media/cdrom[0-9]/.disk/info r,
/media/cdrom[0-9]/dists/**/binary-*/Packages{,.gz} r,
/media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r,
# For pendrives
/media/*/*/ r,
/media/*/*/**/ r,
/media/*/*/.disk/info r,
/media/*/*/dists/**/binary-*/Packages{,.gz} r,
/media/*/*/dists/**/i18n/Translation-en{,.gz} r,
/var/lib/apt/lists/** rw,
owner @{PROC}/@{pid}/fd/ r,
/var/lib/apt/cdroms.list{,.new} rw,
/var/lib/apt/cdroms.list~ w,
/etc/apt/sources.list{,.new} rw,
/etc/apt/sources.list~ w,
profile mount flags=(complain) {
include <abstractions/base>
/{usr/,}bin/mount mr,
/etc/fstab r,
/media/cdrom[0-9]/ r,
}
profile umount flags=(complain) {
include <abstractions/base>
capability sys_admin,
/{usr/,}bin/umount mr,
@{run}/mount/utab{,.*} rw,
@{run}/mount/utab.lock rwk,
owner @{PROC}/@{pid}/mountinfo r,
umount /media/*/,
umount /media/*/*/,
}
include if exists <local/apt-cdrom>
}


@ -1,29 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-config
profile apt-config @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/apt-common>
@{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-config>
}


@ -1,39 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/apt-extracttemplates
profile apt-extracttemplates @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/apt-common>
@{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg,
owner @{PROC}/@{pid}/fd/ r,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
owner /tmp/*.{config,template}.?????? rw,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
include if exists <local/apt-extracttemplates>
}


@ -1,44 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-file
profile apt-file @{exec_path} {
include <abstractions/base>
include <abstractions/apt-common>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/fgrep rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/xargs rix,
/{usr/,}lib/apt/apt-helper rix,
/{usr/,}bin/apt-get rPx,
/{usr/,}bin/apt rPx,
/etc/apt/apt-file.conf r,
owner @{PROC}/@{pid}/fd/ r,
# For shell pwd
/root/ r,
# file_inherit
/var/log/cron-apt/temp w,
include if exists <local/apt-file>
}


@ -1,31 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/apt-ftparchive
profile apt-ftparchive @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/apt/apt.conf r,
/etc/apt/apt.conf.d/{,*} r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
include if exists <local/apt-ftparchive>
}


@ -1,190 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/apt-get
profile apt-get @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/apt-common>
include <abstractions/nameservice-strict>
# To remove the following errors:
# W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed -
# Item::QueueURI (1: Operation not permitted)
capability fowner,
# To remove the following errors:
# W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
capability chown,
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
#
# To remove the following errors:
# E: setgroups 65534 failed - setgroups (1: Operation not permitted)
# E: setegid 65534 failed - setegid (1: Operation not permitted)
# E: seteuid 100 failed - seteuid (1: Operation not permitted)
# E: setgroups 0 failed - setgroups (1: Operation not permitted)
capability setuid,
capability setgid,
# To remove the following errors:
# W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease -
# PrepareFiles (13: Permission denied)
# E: Unable to read /var/lib/apt/lists/partial/ - open (13: Permission denied)
capability dac_read_search,
# To remove the following errors:
# E: Failed to fetch https://**.deb rename failed, Permission denied
# (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb).
# E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
capability dac_override,
# Needed? (##FIXME##)
capability kill,
capability fsetid,
audit deny capability net_admin,
signal (send) peer=apt-methods-*,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/test rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/ps rPx,
/{usr/,}bin/dpkg rPx,
/{usr/,}bin/apt-listbugs rPx,
/{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/apt-show-versions rPx,
/{usr/,}sbin/dpkg-preconfigure rPx,
/{usr/,}bin/debtags rPx,
/{usr/,}sbin/localepurge rPx,
/{usr/,}bin/appstreamcli rPx,
/{usr/,}bin/adequate rPx,
/{usr/,}sbin/update-command-not-found rPx,
/usr/share/command-not-found/cnf-update-db rPx,
/{usr/,}bin/dpkg-source rcx -> dpkg-source,
# Methods to use to download packages from the net
/{usr/,}lib/apt/methods/* rPx,
/var/lib/apt/lists/** rw,
/var/lib/apt/lists/lock rwk,
/var/lib/apt/extended_states{,.*} rw,
/var/log/apt/eipp.log.xz w,
/var/log/apt/{term,history}.log w,
# For building the source after the download process is finished (apt-get source --compile)
# (#FIXME#)
/{usr/,}bin/dpkg-buildpackage rPUx,
# For changelogs
/tmp/apt-changelog-*/ w,
owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw,
/tmp/apt-changelog-*/*.changelog w,
/{usr/,}bin/sensible-pager rCx -> pager,
/var/lib/dpkg/** r,
/var/lib/dpkg/lock{,-frontend} rwk,
owner @{PROC}/@{pid}/fd/ r,
/dev/ptmx rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/tmp/ r,
owner /tmp/apt-tmp-index.* rw,
owner /tmp/apt-dpkg-install-*/ rw,
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /var/log/cron-apt/temp w,
profile pager {
include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search,
/{usr/,}bin/ r,
/{usr/,}bin/sensible-pager mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
/{usr/,}bin/less rix,
owner @{HOME}/.less* rw,
owner /tmp/apt-changelog-*/ r,
owner /tmp/apt-changelog-*/*.changelog r,
# For shell pwd
/root/ r,
}
profile dpkg-source flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/perl>
/{usr/,}bin/dpkg-source mr,
/{usr/,}bin/perl r,
/{usr/,}bin/tar rix,
/{usr/,}bin/bunzip2 rix,
/{usr/,}bin/gunzip rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/patch rix,
/etc/dpkg/origins/debian r,
owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
owner @{HOME}/** rwkl -> @{HOME}/**,
audit deny owner @{HOME}/.* mrwkl,
audit deny owner @{HOME}/.*/ rw,
audit deny owner @{HOME}/.*/** mrwkl,
}
include if exists <local/apt-get>
}


@ -1,110 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-key
profile apt-key @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/find rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/comm rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/id rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/uniq rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpg rCx -> gpg,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
#
/{usr/,}bin/apt-config rPx,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/trusted.gpg r,
/etc/apt/trusted.gpg.d/{,*.gpg} r,
/tmp/ r,
owner /tmp/apt-key-gpghome.*/{,**} rw,
profile gpg {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/ssl_certs>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
/{usr/,}bin/gpg mr,
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/dirmngr rix,
/{usr/,}bin/gpg-agent rix,
/{usr/,}bin/gpg-connect-agent rix,
/etc/apt/.#lk0x[a-f0-9]*.@{pid} rw,
/etc/apt/.#lk0x[a-f0-9]*.@{pid}x rwl -> /etc/apt/.#lk0x[a-f0-9]*.@{pid},
/etc/apt/trusted.gpg{,~,.tmp} rw,
/etc/apt/trusted.gpg.lock rwl -> /etc/apt/.#lk0x[a-f0-9]*.@{pid},
/etc/apt/trusted.gpg.d/ r,
/etc/apt/trusted.gpg.d/.#lk0x[a-f0-9]*.@{pid} rw,
/etc/apt/trusted.gpg.d/.#lk0x[a-f0-9]*.@{pid}x rwl -> /etc/apt/trusted.gpg.d/.#lk0x[a-f0-9]*.@{pid},
/etc/apt/trusted.gpg.d/*.gpg r,
/etc/apt/trusted.gpg.d/*.gpg.lock rwl -> /etc/apt/trusted.gpg.d/.#lk0x[a-f0-9]*.@{pid},
owner /tmp/apt-key-gpghome.*/ rw,
owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/usr/share/gnupg/sks-keyservers.netCA.pem r,
/etc/hosts r,
/etc/inputrc r,
# File_inherit
owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w,
}
include if exists <local/apt-key>
}


@ -1,65 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-listbugs
profile apt-listbugs @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/ruby>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
#capability sys_tty_config,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} r,
/{usr/,}bin/ruby2.[0-9]* rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/logname rix,
/{usr/,}bin/apt-config rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
/usr/local/lib/site_ruby/[0-9].[0-9].[0-9]/**.rb r,
/usr/share/rubygems-integration/*/specifications/ r,
/usr/share/rubygems-integration/*/specifications/* r,
/etc/apt/listbugs/{,*} r,
@{PROC}/@{pid}/loginuid r,
# The following is needed when apt-listbugs uses debcconf GUI frontends.
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
include if exists <local/apt-listbugs>
}


@ -1,26 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/libexec/apt-listbugs/aptcleanup
profile apt-listbugs-aptcleanup @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/ruby>
@{exec_path} r,
/{usr/,}bin/ruby2.[0-9]* rix,
include if exists <local/apt-listbugs-aptcleanup>
}


@ -1,35 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/libexec/apt-listbugs/migratepins
profile apt-listbugs-migratepins @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/ruby>
@{exec_path} r,
/{usr/,}bin/ruby2.[0-9]* rix,
/usr/share/rubygems-integration/*/specifications/ r,
/usr/share/rubygems-integration/*/specifications/* r,
/etc/apt/preferences r,
owner /tmp/pin_migration_*-@{pid}-*/ w,
owner /tmp/pin_migration_*-@{pid}-*/preferences w,
owner /tmp/pin_migration_*-@{pid}-*/apt-listbugs w,
include if exists <local/apt-listbugs-migratepins>
}


@ -1,36 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/libexec/apt-listbugs/prefclean
profile apt-listbugs-prefclean @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/ruby>
@{exec_path} r,
/{usr/,}bin/ruby2.[0-9]* rix,
/{usr/,}bin/date rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/cp rix,
/ r,
owner /var/spool/apt-listbugs/lastprefclean rw,
include if exists <local/apt-listbugs-prefclean>
}


@ -1,108 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-listchanges
profile apt-listchanges @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/python>
include <abstractions/nameservice-strict>
#capability sys_tty_config,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/tar rix,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-deb rpx,
#
/{usr/,}bin/sensible-pager rCx -> pager,
# Send results using email
/{usr/,}sbin/exim4 rPx,
/usr/share/apt-listchanges/{,**} r,
/etc/apt/listchanges.conf r,
/etc/apt/listchanges.conf.d/{,*} r,
/etc/apt/apt.conf r,
/etc/apt/apt.conf.d/{,*} r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/dpkg/status r,
/var/lib/apt/listchanges{,-new}.db rw,
/var/lib/apt/listchanges-old.db rwl -> /var/lib/apt/listchanges.db,
/var/cache/apt/archives/ r,
owner @{PROC}/@{pid}/fd/ r,
/tmp/ r,
owner /tmp/* rw,
owner /tmp/apt-listchanges*/ rw,
owner /tmp/apt-listchanges*/**/ rw,
owner /tmp/apt-listchanges*/*/*/*/*/changelog.gz rw,
owner /tmp/apt-listchanges*/*/*/*/*/changelog.Debian*.gz rw,
owner /tmp/apt-listchanges*/*/*/*/*/NEWS.Debian.gz rw,
owner /tmp/apt-listchanges*/*/*/*/*/*/changelog.gz rw,
owner /tmp/apt-listchanges*/*/*/*/*/*/changelog/changelog_to_file rw,
owner /tmp/apt-listchanges*/*/*/*/*/*/changelog/simple_changelog rw,
# The following is needed when apt-listchanges uses debcconf GUI frontends.
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
profile pager {
include <abstractions/base>
include <abstractions/consoles>
#capability sys_tty_config,
/{usr/,}bin/sensible-pager mr,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
/{usr/,}bin/less rix,
owner @{HOME}/.less* rw,
# For shell pwd
/root/ r,
/tmp/ r,
owner /tmp/apt-listchanges-tmp*.txt r,
}
include if exists <local/apt-listchanges>
}


@ -1,33 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-mark
profile apt-mark @{exec_path} {
include <abstractions/base>
include <abstractions/apt-common>
@{exec_path} mr,
/{usr/,}bin/dpkg rPx,
/var/lib/apt/extended_states{,.*} rw,
owner @{PROC}/@{pid}/fd/ r,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
include if exists <local/apt-mark>
}


@ -1,53 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/cdrom
profile apt-methods-cdrom @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/apt-methods-cdrom>
}


@ -1,64 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/copy
profile apt-methods-copy @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
include if exists <local/apt-methods-copy>
}


@ -1,64 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/file
profile apt-methods-file @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
include if exists <local/apt-methods-file>
}


@ -1,53 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/ftp
profile apt-methods-ftp @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/apt-methods-ftp>
}


@ -1,96 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/gpgv
profile apt-methods-gpgv @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
# The following get "no new privs" so "rix" them
/{usr/,}bin/apt-key rix,
/{usr/,}bin/apt-config rix,
/{usr/,}bin/dpkg rix,
/{usr/,}bin/gpg-connect-agent rix,
/{usr/,}bin/gpgconf rix,
/{usr/,}bin/find rix,
/{usr/,}bin/gpgv rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/touch rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/dpkg/dpkg.cfg.d/{,*} r,
/etc/dpkg/dpkg.cfg r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/etc/apt/trusted.gpg.d/{,*.gpg} r,
/etc/apt/trusted.gpg r,
/tmp/ r,
owner /tmp/apt-key-gpghome.*/ rw,
owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
owner /tmp/apt.{conf,sig,data}.* rw,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/dpkg/arch r,
@{PROC}/@{pid}/fd/ r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
include if exists <local/apt-methods-gpgv>
}


@ -1,84 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/http{,s}
profile apt-methods-http @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/auth.conf.d/{,*} r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
# For the aptitude interactive mode
/tmp/ r,
owner /tmp/aptitude-root.*/aptitude-download-* rw,
owner /tmp/apt-changelog-*/*.changelog rw,
@{PROC}/1/cgroup r,
@{PROC}/@{pid}/cgroup r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
include if exists <local/apt-methods-http>
}


@ -1,53 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/mirror{,+*}
profile apt-methods-mirror @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/apt-methods-mirror>
}


@ -1,64 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/rred
profile apt-methods-rred @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
include if exists <local/apt-methods-rred>
}


@ -1,53 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/{r,s}sh
profile apt-methods-rsh @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/apt-methods-rsh>
}


@ -1,69 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/store
profile apt-methods-store @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
/usr/share/doc/*/changelog.* r,
/tmp/ r,
owner /tmp/apt-changelog-*/*.changelog{,.*} rw,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
owner /var/log/cron-apt/temp w,
include if exists <local/apt-methods-store>
}


@ -1,44 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-show-versions
profile apt-show-versions @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
include <abstractions/apt-common>
@{exec_path} r,
/{usr/,}bin/perl r,
/usr/bin/dpkg rPx -> child-dpkg,
owner /var/cache/apt-show-versions/{a,i}packages-multiarch rw,
owner /var/cache/apt-show-versions/files rw,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
owner @{PROC}/@{pid}/fd/ r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner /var/log/cron-apt/temp w,
include if exists <local/apt-show-versions>
}


@ -1,29 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-sortpkgs
profile apt-sortpkgs @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
include if exists <local/apt-sortpkgs>
}


@ -1,74 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/apt.systemd.daily
profile apt-systemd-daily @{exec_path} {
include <abstractions/base>
# Needed to remove the following error:
# apt.systemd.daily[]: find: /var/cache/apt/archives/partial: Permission denied
capability dac_read_search,
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/flock rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/savelog rix,
/{usr/,}bin/which rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/date rix,
/{usr/,}bin/find rix,
/{usr/,}bin/du rix,
/{usr/,}bin/stat rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/uniq rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/seq rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/apt-config rPx,
/{usr/,}bin/apt-get rPx,
/etc/default/locale r,
# The /daily_lock file is only used when the /var/lib/apt/daily_lock can be accessed.
#/daily_lock w,
/var/lib/apt/daily_lock wk,
/var/lib/apt/extended_states r,
/var/lib/apt/periodic/autoclean-stamp w,
/var/backups/ r,
/var/backups/apt.extended_states rw,
/var/backups/apt.extended_states.[0-9]* rw,
/var/backups/apt.extended_states.[0-9]*.gz w,
/var/cache/apt/ r,
/var/cache/apt/archives/ r,
/var/cache/apt/archives/partial/ r,
/var/cache/apt/archives/*.deb rw,
/var/cache/apt/backup/ r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-systemd-daily>
}


@ -1,200 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/aptitude{,-curses}
profile aptitude @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/apt-common>
# To remove the following errors:
# W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed -
# Item::QueueURI (1: Operation not permitted)
capability fowner,
# To remove the following errors:
# W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
capability chown,
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
#
# To remove the following errors:
# E: setgroups 65534 failed - setgroups (1: Operation not permitted)
# E: setegid 65534 failed - setegid (1: Operation not permitted)
# E: seteuid 100 failed - seteuid (1: Operation not permitted)
# E: setgroups 0 failed - setgroups (1: Operation not permitted)
capability setuid,
capability setgid,
# To remove the following errors:
# W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease -
# PrepareFiles (13: Permission denied)
# E: Unable to read /var/lib/apt/lists/partial/ - open (13: Permission denied)
capability dac_read_search,
# To remove the following errors:
# E: Failed to fetch https://**.deb rename failed, Permission denied
# (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb).
# E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
capability dac_override,
# Needed? (##FIXME##)
capability kill,
capability fsetid,
capability sys_chroot,
audit deny capability net_admin,
#capability sys_tty_config,
signal (send) peer=apt-methods-*,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/test rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/ps rPx,
/{usr/,}bin/dpkg rPx,
/{usr/,}bin/apt-listbugs rPx,
/{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/apt-show-versions rPx,
/{usr/,}sbin/dpkg-preconfigure rPx,
/{usr/,}bin/debtags rPx,
/{usr/,}sbin/localepurge rPx,
/{usr/,}bin/appstreamcli rPx,
/{usr/,}bin/adequate rPx,
/{usr/,}sbin/update-command-not-found rPx,
/usr/share/command-not-found/cnf-update-db rPx,
# Methods to use to download packages from the net
/{usr/,}lib/apt/methods/* rPx,
/var/lib/apt/lists/** rw,
/var/lib/apt/lists/lock rwk,
/var/lib/apt/extended_states{,.*} rw,
/var/log/apt/eipp.log.xz w,
/var/log/apt/{term,history}.log w,
/var/log/aptitude w,
# For downloading the source of packages (showsrc/source options)
/{usr/,}bin/apt rPx,
# For changelogs
owner /tmp/aptitude-*.@{pid}:*/cache{ContentCompressed,Extracted}* rw,
owner /tmp/aptitude-*.@{pid}:*/aptitude-download-* rw,
owner /tmp/aptitude-*.@{pid}:*/parsedchangelog* w,
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/aptitude/ rw,
owner @{HOME}/.cache/aptitude/metadata-download{,-journal} rw,
owner @{HOME}/.cache/aptitude/metadata-download rwk,
/{usr/,}bin/sensible-pager rCx -> pager,
# For aptitude-run-state-bundle
owner /tmp/aptitudebug.*/ r,
owner /tmp/aptitudebug.*/** rwk,
/var/lib/apt-xapian-index/index r,
/var/cache/apt-xapian-index/index.[0-9]/*.glass r,
/var/cache/apt-xapian-index/index.[0-9]/iamglass r,
/var/lib/dpkg/** r,
/var/lib/dpkg/lock{,-frontend} rwk,
owner @{PROC}/@{pid}/fd/ r,
/tmp/ r,
owner /tmp/aptitude-*.@{pid}:*/ rw,
owner /tmp/aptitude-*.@{pid}:*/{pkgstates,control}* rw,
/tmp/aptitude-*.@{pid}:*/pkgstates* r,
owner /tmp/apt-dpkg-install-*/ rw,
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
# For the interactive mode
/usr/share/tasksel/descs/ r,
/usr/share/tasksel/descs/debian-tasks.desc r,
owner @{HOME}/.aptitude/ rw,
owner @{HOME}/.aptitude/config rw,
owner @{HOME}/.aptitude/config@{pid} rw,
/tmp/apt-changelog-*/ rw,
/var/lib/debtags/vocabulary r,
/{usr/,}bin/su rPx,
@{run}/lock/aptitude rwk,
/usr/share/aptitude/ r,
/usr/share/aptitude/* r,
/var/lib/aptitude/pkgstates{,.old,.new} rw,
/var/lib/aptitude/pkgstates.old rwl -> /var/lib/aptitude/pkgstates,
/var/lib/debtags/package-tags r,
# When run in a TTY, to remove the following error:
# aptitude[]: *** err
# aptitude[]: /dev/tty2: Permission denied
# aptitude[]: *** err
# aptitude[]: Oh, oh, it's an error! possibly I die!
/dev/tty[0-9]* rw,
/dev/ptmx rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
/var/log/cron-apt/temp w,
profile pager {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/ r,
/{usr/,}bin/sensible-pager mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
/{usr/,}bin/less rix,
owner @{HOME}/.less* rw,
owner /tmp/aptitude-*.@{pid}:*/aptitude-download-* rw,
# For shell pwd
/root/ r,
}
include if exists <local/aptitude>
}


@ -1,29 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aptitude-changelog-parser
profile aptitude-changelog-parser @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/etc/dpkg/origins/debian r,
/**/debian/changelog r,
include if exists <local/aptitude-changelog-parser>
}


@ -1,40 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aptitude-create-state-bundle
profile aptitude-create-state-bundle @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/gzip rix,
# Files included in the bundle
owner @{HOME}/.aptitude/{,*} r,
/var/lib/aptitude/{,*} r,
/var/lib/apt/{,**} r,
/var/cache/apt/ r,
/var/cache/apt/*.bin r,
/etc/apt/{,**} r,
/var/lib/dpkg/status r,
include if exists <local/aptitude-create-state-bundle>
}


@ -1,36 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aptitude-run-state-bundle
profile aptitude-run-state-bundle @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/aptitude-curses rPx,
owner /tmp/aptitudebug.*/{,**} rw,
include if exists <local/aptitude-run-state-bundle>
}


@ -1,46 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/arandr
profile arandr @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/python>
include <abstractions/user-download-strict>
include <abstractions/nameservice-strict>
include <abstractions/deny-root-dir-access>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/xrandr rPx,
owner @{HOME}/.screenlayout/ rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/arandr>
}


@ -1,148 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/arduino
profile arduino @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/devices-usb>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
ptrace (read) peer=arduino//open,
ptrace (read) peer=arduino-builder,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/id rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/groups rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/avrdude rix,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/dpkg-architecture rPx,
/{usr/,}bin/arduino-builder rPx,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/bin/java rix,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/lib/server/classes.jsa mr,
/usr/share/java/*.jar r,
/etc/java-[0-9]*-openjdk/** r,
/etc/ssl/certs/java/cacerts r,
owner @{HOME}/.java/fonts/*/ rw,
owner @{HOME}/.java/fonts/*/fcinfo[0-9]*.tmp rw,
owner @{HOME}/.java/fonts/*/fcinfo-*.properties rw,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/user rw,
/usr/share/arduino/{,**} r,
/usr/share/arduino-builder/{,**} r,
/usr/share/doc/arduino/{,**} r,
/usr/share/doc/arduino-core/{,**} r,
owner @{HOME}/ r,
owner @{HOME}/.arduino{,15}/{,**} rw,
owner @{HOME}/Arduino/{,**} rw,
owner @{HOME}/sketchbook/{,**} rw,
owner @{HOME}/.Xauthority r,
/tmp/ r,
owner /tmp/cc*.{s,res,c,o,ld,le} rw,
owner /tmp/hsperfdata_*/ rw,
owner /tmp/hsperfdata_*/@{pid} rw,
owner /tmp/untitled[0-9]*.tmp rw,
owner /tmp/untitled[0-9]*.tmp/{,**} rw,
owner /tmp/console[0-9]*.tmp rw,
owner /tmp/console[0-9]*.tmp/{,**} rw,
owner /tmp/build[0-9]*.tmp rw,
owner /tmp/build[0-9]*.tmp/{,**} rw,
owner /tmp/arduino_{build,cache}_[0-9]*/{,**} rw,
owner /tmp/{library,package}_index.json*.tmp* rw,
owner /tmp/arduino_modified_sketch_[0-9]*/{,**} rw,
owner @{run}/lock/tmp* rw,
owner @{run}/lock/LCK..ttyS[0-9]* rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/coredump_filter rw,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/stat r,
# For java
@{PROC}/@{pids}/stat r,
#
owner @{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/net/if_inet6 r,
@{PROC}/@{pid}/net/ipv6_route r,
/etc/fstab r,
/etc/avrdude.conf r,
@{sys}/fs/cgroup/{,**} r,
@{sys}/class/tty/ r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,manufacturer,serial,product} r,
/dev/ttyS[0-9]* rw,
/dev/ttyACM[0-9]* rw,
# Silencer
deny /usr/share/arduino/** w,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
/{usr/,}bin/spacefm rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/arduino>
}
