felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(abs): add the camera abstraction

Browse source
This commit is contained in:
Alexandre Pujol 2025-09-06 23:18:31 +02:00
parent ab7cba2da6
commit ec88fcbfcb
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
10 changed files with 44 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/abstractions/app/chromium
View file

@ -30,6 +30,7 @@
include <abstractions/bus/org.gnome.Mutter.IdleMonitor> include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
include <abstractions/bus/org.gnome.SessionManager> include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/bus/org.kde.kwalletd> include <abstractions/bus/org.kde.kwalletd>
include <abstractions/camera>
include <abstractions/common/chromium> include <abstractions/common/chromium>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/desktop> include <abstractions/desktop>
@ -44,7 +45,6 @@
include <abstractions/uim> include <abstractions/uim>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
include <abstractions/user-read-strict> include <abstractions/user-read-strict>
include <abstractions/video>
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,

35
apparmor.d/abstractions/camera Normal file
View file

@ -0,0 +1,35 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allows access to all cameras
abi <abi/4.0>,
# Allow detection of cameras. Leaks plugged in USB device info
@{sys}/bus/usb/devices/ r,
@{sys}/devices/@{pci}/usb@{int}/**/busnum r,
@{sys}/devices/@{pci}/usb@{int}/**/devnum r,
@{sys}/devices/@{pci}/usb@{int}/**/idProduct r,
@{sys}/devices/@{pci}/usb@{int}/**/idVendor r,
@{sys}/devices/@{pci}/usb@{int}/**/interface r,
@{sys}/devices/@{pci}/usb@{int}/**/modalias r,
@{sys}/devices/@{pci}/usb@{int}/**/speed r,
@{sys}/class/video4linux/ r,
@{sys}/devices/**/video4linux/** r,
@{sys}/devices/**/video4linux/video@{int}/ r,
@{sys}/devices/**/video4linux/video@{int}/uevent r,
@{run}/udev/data/+usb:* r, # Identifies all USB devices
@{run}/udev/data/c81:@{int} r, # For video4linux
# VideoCore cameras (shared device with VideoCore/EGL)
/dev/vchiq rw,
# Access to video /dev devices
/dev/video@{int} rw,
include if exists <abstractions/camera.d>
# vim:syntax=apparmor

2
apparmor.d/abstractions/common/app
View file

@ -16,6 +16,7 @@
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.a11y> include <abstractions/bus/org.a11y>
include <abstractions/camera>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/cups-client> include <abstractions/cups-client>
include <abstractions/desktop> include <abstractions/desktop>
@ -30,7 +31,6 @@
include <abstractions/path> include <abstractions/path>
include <abstractions/sqlite> include <abstractions/sqlite>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/video>
dbus bus=accessibility, dbus bus=accessibility,
dbus bus=session, dbus bus=session,

3
apparmor.d/groups/browsers/epiphany
View file

@ -12,6 +12,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) {
include <abstractions/audio-server> include <abstractions/audio-server>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.GeoClue2> include <abstractions/bus/org.freedesktop.GeoClue2>
include <abstractions/camera>
include <abstractions/common/bwrap> include <abstractions/common/bwrap>
include <abstractions/common/gnome> include <abstractions/common/gnome>
include <abstractions/gstreamer> include <abstractions/gstreamer>
@ -61,8 +62,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) {
deny @{user_share_dirs}/gvfs-metadata/* r, deny @{user_share_dirs}/gvfs-metadata/* r,
/dev/video@{int} rw,
include if exists <local/epiphany> include if exists <local/epiphany>
} }

2
apparmor.d/groups/freedesktop/pipewire
View file

@ -14,8 +14,8 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.RealtimeKit1> include <abstractions/bus/org.freedesktop.RealtimeKit1>
include <abstractions/camera>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/video>
capability sys_ptrace, capability sys_ptrace,

2
apparmor.d/groups/freedesktop/pipewire-media-session
View file

@ -14,9 +14,9 @@ profile pipewire-media-session @{exec_path} {
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.RealtimeKit1> include <abstractions/bus/org.freedesktop.RealtimeKit1>
include <abstractions/camera>
include <abstractions/devices-usb> include <abstractions/devices-usb>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/video>
network bluetooth raw, network bluetooth raw,
network bluetooth seqpacket, network bluetooth seqpacket,

3
apparmor.d/groups/freedesktop/pulseaudio
View file

@ -18,6 +18,7 @@ profile pulseaudio @{exec_path} {
include <abstractions/bus/org.freedesktop.Avahi> include <abstractions/bus/org.freedesktop.Avahi>
include <abstractions/bus/org.freedesktop.hostname1> include <abstractions/bus/org.freedesktop.hostname1>
include <abstractions/bus/org.freedesktop.RealtimeKit1> include <abstractions/bus/org.freedesktop.RealtimeKit1>
include <abstractions/camera>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/dri> include <abstractions/dri>
@ -105,7 +106,6 @@ profile pulseaudio @{exec_path} {
@{sys}/devices/**/sound/**/{uevent,pcm_class} r, @{sys}/devices/**/sound/**/{uevent,pcm_class} r,
@{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r, @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
@{sys}/devices/virtual/video4linux/video@{int}/uevent r,
deny @{sys}/module/apparmor/parameters/enabled r, deny @{sys}/module/apparmor/parameters/enabled r,
@ -114,7 +114,6 @@ profile pulseaudio @{exec_path} {
owner @{PROC}/@{pids}/cmdline r, owner @{PROC}/@{pids}/cmdline r,
/dev/media@{int} r, /dev/media@{int} r,
/dev/video@{int} rw,
# file_inherit # file_inherit
owner /dev/tty@{int} rw, owner /dev/tty@{int} rw,

3
apparmor.d/groups/freedesktop/wireplumber
View file

@ -16,9 +16,9 @@ profile wireplumber @{exec_path} {
include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore> include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
include <abstractions/bus/org.freedesktop.RealtimeKit1> include <abstractions/bus/org.freedesktop.RealtimeKit1>
include <abstractions/bus/org.freedesktop.UPower> include <abstractions/bus/org.freedesktop.UPower>
include <abstractions/camera>
include <abstractions/devices-usb> include <abstractions/devices-usb>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/video>
network bluetooth raw, network bluetooth raw,
network bluetooth seqpacket, network bluetooth seqpacket,
@ -71,7 +71,6 @@ profile wireplumber @{exec_path} {
@{sys}/bus/ r, @{sys}/bus/ r,
@{sys}/bus/media/devices/ r, @{sys}/bus/media/devices/ r,
@{sys}/devices/@{pci}/video4linux/video@{int}/uevent r,
@{sys}/devices/**/device:*/{,**/}path r, @{sys}/devices/**/device:*/{,**/}path r,
@{sys}/devices/**/sound/**/pcm_class r, @{sys}/devices/**/sound/**/pcm_class r,
@{sys}/devices/**/sound/**/uevent r, @{sys}/devices/**/sound/**/uevent r,

1
apparmor.d/profiles-s-z/signal-desktop
View file

@ -19,6 +19,7 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) {
include <abstractions/audio-client> include <abstractions/audio-client>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus/org.kde.StatusNotifierWatcher> include <abstractions/bus/org.kde.StatusNotifierWatcher>
include <abstractions/camera>
include <abstractions/common/electron> include <abstractions/common/electron>
include <abstractions/devices-usb-read> include <abstractions/devices-usb-read>
include <abstractions/notifications> include <abstractions/notifications>

2
apparmor.d/profiles-s-z/vlc
View file

@ -17,6 +17,7 @@ profile vlc @{exec_path} {
include <abstractions/bus/org.freedesktop.secrets> include <abstractions/bus/org.freedesktop.secrets>
include <abstractions/bus/org.kde.kwalletd> include <abstractions/bus/org.kde.kwalletd>
include <abstractions/bus/org.kde.StatusNotifierWatcher> include <abstractions/bus/org.kde.StatusNotifierWatcher>
include <abstractions/camera>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/desktop> include <abstractions/desktop>
include <abstractions/devices-usb> include <abstractions/devices-usb>
@ -85,7 +86,6 @@ profile vlc @{exec_path} {
/dev/shm/#@{int} rw, /dev/shm/#@{int} rw,
/dev/snd/ r, /dev/snd/ r,
/dev/tty r, /dev/tty r,
/dev/video@{int} rw,
owner /dev/tty@{int} rw, owner /dev/tty@{int} rw,
# Silencer # Silencer