polishing
This commit is contained in:
nobodysu
parent
6d5e5dba6f
commit
ed0b11212d
29 changed files with 129 additions and 48 deletions
|
|
@ -48,6 +48,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
/{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx,
|
||||
|
||||
/usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
|
||||
/usr/share/gnome-documents/org.gnome.Documents rPx,
|
||||
|
||||
/etc/dbus-1/{,**} r,
|
||||
|
||||
|
|
|
|||
|
|
@ -39,11 +39,9 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus bind bus=session
|
||||
name=org.freedesktop.portal.IBus,
|
||||
dbus bind bus=session name=org.freedesktop.portal.IBus,
|
||||
|
||||
dbus bind bus=session
|
||||
name=org.freedesktop.IBus,
|
||||
dbus bind bus=session name=org.freedesktop.IBus,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
@ -57,6 +55,7 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/dbus/machine-id r,
|
||||
|
||||
owner @{user_cache_dirs}/ibus/{,**} rw,
|
||||
|
||||
/var/lib/gdm{3,}/.config/ibus/{,**} rw,
|
||||
/var/lib/gdm{3,}/.cache/ibus/{,**} rw,
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/ r,
|
||||
|
|
|
|||
|
|
@ -38,7 +38,6 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r,
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9]* r,
|
||||
/var/lib/gdm{3,}/.cache/dconf/ w,
|
||||
/var/lib/gdm{3,}/.cache/dconf/user rw,
|
||||
/var/lib/gdm{3,}/.config/dconf/user rw,
|
||||
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ include <tunables/global>
|
|||
|
||||
@{exec_path} = /{usr/,}lib/ibus/ibus-extension-gtk3
|
||||
@{exec_path} += @{libexec}/ibus-extension-gtk3
|
||||
profile ibus-extension-gtk3 @{exec_path} {
|
||||
profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
|
|
@ -62,8 +62,7 @@ profile ibus-extension-gtk3 @{exec_path} {
|
|||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus bind bus=session
|
||||
name=org.freedesktop.IBus.Panel.Extension.Gtk3,
|
||||
dbus bind bus=session name=org.freedesktop.IBus.Panel.Extension.Gtk3,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -25,8 +25,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
|
|||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus bind bus=session
|
||||
name=org.freedesktop.portal.IBus,
|
||||
dbus bind bus=session name=org.freedesktop.portal.IBus,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
@ -42,7 +41,6 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
/dev/null rw,
|
||||
|
||||
include if exists <local/ibus-portal>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -44,16 +44,22 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/language-tools/language-validate rPx,
|
||||
/{usr/,}bin/cat rix,
|
||||
|
||||
/{usr/,}{s,}bin/adduser rPx,
|
||||
/{usr/,}{s,}bin/usermod rPx,
|
||||
/{usr/,}{s,}bin/userdel rPx,
|
||||
/{usr/,}bin/passwd rPx,
|
||||
/{usr/,}bin/chage rPx,
|
||||
/usr/share/language-tools/language-validate rPx,
|
||||
|
||||
/usr/share/accountsservice/{,**} r,
|
||||
/usr/share/dbus-1/interfaces/*.xml r,
|
||||
|
||||
/etc/default/locale r,
|
||||
/etc/gdm{3,}/ r,
|
||||
/etc/gdm{3,}/daemon.conf r,
|
||||
/etc/gdm{3,}/custom.conf rw,
|
||||
/etc/gdm{3,}/custom.conf.* rw,
|
||||
@{etc_rw}/gdm{3,}/daemon.conf{,.??????} rw,
|
||||
@{etc_rw}/gdm{3,}/custom.conf{,.??????} rw,
|
||||
/etc/machine-id r,
|
||||
/etc/shadow r,
|
||||
/etc/shells r,
|
||||
|
|
@ -63,10 +69,18 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{HOME}/ r,
|
||||
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
@{PROC}/1/environ r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/loginuid rw,
|
||||
@{PROC}/@{pids}/loginuid r,
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
@{PROC}/1/environ r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
|
||||
# wtmp.d ?
|
||||
/var/log/wtmp r,
|
||||
|
||||
owner /tmp/gnome-control-center-user-icon-?????? rw,
|
||||
|
||||
include if exists <local/accounts-daemon>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -9,6 +9,8 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/geoclue
|
||||
profile geoclue @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/dbus-strict>
|
||||
|
||||
network netlink raw,
|
||||
|
|
|
|||
|
|
@ -51,6 +51,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_share_dirs}/flatpak/db/ rw,
|
||||
owner @{user_share_dirs}/flatpak/db/.goutputstream-* rw,
|
||||
owner @{user_share_dirs}/flatpak/db/background rw,
|
||||
owner @{user_share_dirs}/flatpak/db/notifications rw,
|
||||
|
||||
/dev/tty[0-9]* rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -26,6 +26,15 @@ profile xdg-user-dirs-update @{exec_path} {
|
|||
/var/lib/gdm{3,}/@{XDG_TEMPLATES_DIR}/ rw,
|
||||
/var/lib/gdm{3,}/@{XDG_VIDEOS_DIR}/ rw,
|
||||
|
||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/ rw,
|
||||
owner @{HOME}/@{XDG_DOCUMENTS_DIR}/ rw,
|
||||
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ rw,
|
||||
owner @{HOME}/@{XDG_MUSIC_DIR}/ rw,
|
||||
owner @{HOME}/@{XDG_PICTURES_DIR}/ rw,
|
||||
owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/ rw,
|
||||
owner @{HOME}/@{XDG_TEMPLATES_DIR}/ rw,
|
||||
owner @{HOME}/@{XDG_VIDEOS_DIR}/ rw,
|
||||
|
||||
owner @{user_config_dirs}/user-dirs.dirs r,
|
||||
|
||||
include if exists <local/xdg-user-dirs-update>
|
||||
|
|
|
|||
|
|
@ -34,8 +34,7 @@ profile evolution-calendar-factory @{exec_path} {
|
|||
dbus (send,receive) bus=session path=/org/gnome/evolution/dataserver{,/**}
|
||||
interface={org.freedesktop.DBus.{Introspectable,ObjectManager,Properties},org.gnome.evolution.dataserver.*},
|
||||
|
||||
dbus bind bus=session
|
||||
name=org.gnome.evolution.dataserver.Calendar[0-9],
|
||||
dbus bind bus=session name=org.gnome.evolution.dataserver.Calendar[0-9]*,
|
||||
|
||||
@{exec_path} mr,
|
||||
@{exec_path}-subprocess rix,
|
||||
|
|
|
|||
|
|
@ -66,20 +66,19 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
|||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus bind bus=session
|
||||
name=org.gnome.ScreenSaver,
|
||||
dbus bind bus=session name=org.gnome.ScreenSaver,
|
||||
|
||||
dbus bind bus=session
|
||||
name=org.freedesktop.Notifications,
|
||||
dbus bind bus=session name=org.freedesktop.Notifications,
|
||||
|
||||
dbus bind bus=session
|
||||
name=org.gnome.Shell.Notifications,
|
||||
dbus bind bus=session name=org.gnome.Shell.Notifications,
|
||||
|
||||
@{exec_path} mr,
|
||||
/{usr/,}bin/ r,
|
||||
/{usr/,}bin/[a-z0-9]* rPUx,
|
||||
@{libexec}/** rPUx,
|
||||
|
||||
/etc/openni2/OpenNI.ini r,
|
||||
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/egl/{,**} r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
|
|
@ -92,6 +91,9 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
|
||||
/var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
|
||||
|
||||
/tmp/ r,
|
||||
/var/tmp/ r,
|
||||
|
||||
owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
|
||||
owner @{user_cache_dirs}/gstreamer-1.0/ rw,
|
||||
owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
|
||||
|
|
|
|||
|
|
@ -74,16 +74,21 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{libexec}/gnome-control-center-goa-helper rPx,
|
||||
@{libexec}/gnome-control-center-print-renderer rPx,
|
||||
/{usr/,}bin/gnome-software rPUx,
|
||||
/{usr/,}bin/gkbd-keyboard-display rPUx,
|
||||
/{usr/,}bin/bwrap rPUx,
|
||||
/{usr/,}bin/openvpn rPx,
|
||||
/{usr/,}bin/passwd rPx,
|
||||
/{usr/,}bin/software-properties-gtk rPx,
|
||||
/{usr/,}bin/pkexec rPx,
|
||||
/{usr/,}{s,}bin/usermod rPx,
|
||||
/{usr/,}lib/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
|
||||
/{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
|
||||
/usr/share/language-tools/language2locale rix,
|
||||
|
||||
/snap/*/[0-9]*/**.png r,
|
||||
/usr/share/backgrounds/{,**} r,
|
||||
/usr/share/desktop-base/**.{xml,png,svg} r,
|
||||
/usr/share/cups/data/testprint r,
|
||||
/usr/share/egl/{,**} r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
|
@ -93,10 +98,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/gnome-control-center/{,**} r,
|
||||
/usr/share/gnome-shell/search-providers/{,**} r,
|
||||
/usr/share/gnome/gnome-version.xml r,
|
||||
/usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r,
|
||||
/usr/share/mime/{,**} r,
|
||||
/usr/share/pipewire/client.conf r,
|
||||
/usr/share/thumbnailers/{,*} r,
|
||||
/usr/share/ubuntu/applications/{,*} r,
|
||||
/usr/share/*ubuntu/applications/{,*} r,
|
||||
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
|
||||
/usr/share/zoneinfo/{,**} r,
|
||||
|
||||
|
|
@ -104,6 +110,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/pipewire/client.conf.d/ r,
|
||||
/etc/security/pwquality.conf r,
|
||||
/etc/security/pwquality.conf.d/{,**} r,
|
||||
/etc/rygel.conf r,
|
||||
|
||||
/etc/fstab r,
|
||||
/etc/machine-id r,
|
||||
|
|
@ -112,6 +119,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/snapd/desktop/icons/ r,
|
||||
|
||||
/var/cache/samba/ rw,
|
||||
/var/lib/AccountsService/icons/* r,
|
||||
/var/cache/cracklib/cracklib_dict.* r,
|
||||
|
||||
owner @{HOME}/.cat_installer/ca.pem r,
|
||||
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
||||
|
|
@ -119,7 +128,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_cache_dirs}/thumbnails/{,**} rw,
|
||||
owner @{user_config_dirs}/gnome-control-center/{,**} rw,
|
||||
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]} r,
|
||||
owner @{user_config_dirs}/mimeapps.list.* rw,
|
||||
owner @{user_config_dirs}/mimeapps.list* rw,
|
||||
owner @{user_config_dirs}/rygel.conf{,.??????} rw,
|
||||
owner @{user_share_dirs}/backgrounds/{,**} rw,
|
||||
owner @{user_share_dirs}/icc/{,edid-*} r,
|
||||
owner @{user_share_dirs}/sounds/__custom/{,*} rw,
|
||||
|
|
|
|||
|
|
@ -19,5 +19,8 @@ profile gnome-remote-desktop-daemon @{exec_path} {
|
|||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node[0-9]*/meminfo r,
|
||||
|
||||
include if exists <local/gnome-remote-desktop-daemon>
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -165,11 +165,12 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
/{usr/,}bin/xdg-user-dirs-update rPx,
|
||||
/{usr/,}bin/parcellite rPUx,
|
||||
/{usr/,}bin/baloo_file rPUx,
|
||||
# /{usr/,}bin/gnome-software rPUx,
|
||||
/{usr/,}bin/gnome-software rPUx,
|
||||
/{usr/,}share/libpam-kwallet-common/pam_kwallet_init rPUx,
|
||||
/{usr/,}lib/update-notifier/ubuntu-advantage-notification rPx,
|
||||
/{usr/,}lib/@{multiarch}/libexec/kdeconnectd rPUx,
|
||||
/{usr/,}lib/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher rPUx,
|
||||
/{usr/,}lib/caribou/caribou rPUx,
|
||||
@{libexec}/deja-dup/deja-dup-monitor rPUx,
|
||||
@{libexec}/at-spi-bus-launcher rPx,
|
||||
@{libexec}/evolution-data-server/evolution-alarm-notify rPx,
|
||||
|
|
@ -219,6 +220,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_share_dirs}/applications/ r,
|
||||
owner @{user_share_dirs}/applications/mimeinfo.cache r,
|
||||
owner @{user_share_dirs}/session_migration-ubuntu r,
|
||||
owner @{user_share_dirs}/gnome-shell/gnome-overrides-migrated rw,
|
||||
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
@{run}/systemd/sessions/* r,
|
||||
|
|
|
|||
|
|
@ -485,6 +485,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/desktop-directories/{,*.directory} r,
|
||||
/usr/share/egl/{,**} r,
|
||||
/usr/share/evolution-data-server/icons/{,**} r,
|
||||
/usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/gdm/greeter/applications/{,**} r,
|
||||
/usr/share/gdm/BuiltInSessions/{,*.desktop} r,
|
||||
|
|
@ -495,7 +496,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/libinput/[0-9][0-9]-*.quirks r,
|
||||
/usr/share/libwacom/{,*.stylus,*.tablet} r,
|
||||
/usr/share/plymouth/*.png r,
|
||||
/usr/share/ubuntu/applications/{,*.desktop} r,
|
||||
/usr/share/*ubuntu/applications/{,*.desktop} r,
|
||||
/usr/share/wayland-sessions/{,*.desktop} r,
|
||||
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
|
||||
/usr/share/desktop-base/** r,
|
||||
|
|
@ -504,7 +505,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/fstab r,
|
||||
/etc/xdg/menus/gnome-applications.menu r,
|
||||
|
||||
/var/lib/gdm{3,}/.cache/ w,
|
||||
/var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw,
|
||||
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
|
||||
/var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw,
|
||||
|
|
@ -523,6 +523,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/gdm{3,}/.local/share/gnome-shell/ rw,
|
||||
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||
|
||||
/var/lib/AccountsService/icons/* r,
|
||||
|
||||
/var/lib/flatpak/app/**/gnome-shell/{,**} r,
|
||||
/var/lib/flatpak/exports/share/gnome-shell/{,**} r,
|
||||
|
||||
|
|
@ -546,6 +548,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_cache_dirs}/gnome-boxes/*.png r,
|
||||
owner @{user_cache_dirs}/gnome-photos/{,**} r,
|
||||
owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
|
||||
owner @{user_cache_dirs}/libgweather/ w,
|
||||
owner @{user_cache_dirs}/libgweather/{,**} r,
|
||||
owner @{user_cache_dirs}/media-art/{,**} r,
|
||||
owner @{user_cache_dirs}/vlc/**/*.jpg r,
|
||||
|
|
@ -626,6 +629,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
/dev/input/event[0-9]* rw,
|
||||
/dev/tty[0-9]* rw,
|
||||
|
||||
owner @{user_share_dirs}/sounds/__custom/index.theme r,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
include if exists <local/gnome-shell>
|
||||
|
|
|
|||
|
|
@ -73,6 +73,9 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/gdm{3,}/.config/dconf/user r,
|
||||
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||
|
||||
/var/tmp/ r,
|
||||
/tmp/ r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
||||
include if exists <local/gsd-smartcard>
|
||||
|
|
|
|||
|
|
@ -29,11 +29,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
|||
member={IsSupported,List}
|
||||
peer=(name=:*),
|
||||
|
||||
dbus bind bus=session
|
||||
name=org.gnome.Nautilus,
|
||||
dbus bind bus=session name=org.gnome.Nautilus,
|
||||
|
||||
dbus bind bus=session
|
||||
name=org.freedesktop.FileManager1,
|
||||
dbus bind bus=session name=org.freedesktop.FileManager1,
|
||||
|
||||
@{exec_path} mr,
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
|
|
@ -44,7 +42,8 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/sounds/freedesktop/stereo/*.oga r,
|
||||
/usr/share/thumbnailers/{,**} r,
|
||||
/usr/share/tracker3/{,**} r,
|
||||
/usr/share/ubuntu/applications/{,**} r,
|
||||
/usr/share/*ubuntu/applications/{,**} r,
|
||||
/usr/share/tracker/domain-ontologies/*.rule r,
|
||||
|
||||
/var/lib/snapd/desktop/icons/{,**} r,
|
||||
|
||||
|
|
|
|||
|
|
@ -3,7 +3,6 @@
|
|||
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
|
|
@ -37,11 +36,12 @@ profile gvfsd-metadata @{exec_path} {
|
|||
member={GetTreeFromDevice,Remove}
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus bind bus=session
|
||||
name=org.gtk.vfs.Metadata,
|
||||
dbus bind bus=session name=org.gtk.vfs.Metadata,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/var/lib/gdm{3,}/.local/share/gvfs-metadata/{,*} rw,
|
||||
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} rw,
|
||||
owner @{HOME}/.var/app/*/data/gvfs-metadata/{,*} rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -56,7 +56,10 @@ profile gvfsd-smb-browse @{exec_path} {
|
|||
/etc/samba/smb.conf r,
|
||||
|
||||
owner @{run}/samba/ rw,
|
||||
owner @{run}/samba/gencache.tdb rwk,
|
||||
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
|
||||
|
||||
owner @{user_cache_dirs}/samba/gencache.tdb rwk,
|
||||
|
||||
include if exists <local/gvfsd-smb-browse>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -51,6 +51,8 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{run}/udev/data/+pci:* r,
|
||||
@{run}/udev/data/+platform* r,
|
||||
@{run}/udev/data/+usb:* r,
|
||||
@{run}/udev/data/c189:[0-9]* r,
|
||||
@{run}/udev/data/c4:[0-9]* r, # for /dev/tty[0-9]*
|
||||
@{run}/udev/data/c5:[0-9]* r, # for /dev/tty, /dev/console, /dev/ptmx
|
||||
@{run}/udev/data/n[0-9]* r,
|
||||
|
|
@ -58,6 +60,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/systemd/inhibit/*.ref rw,
|
||||
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/bus/usb/devices/ r,
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/net/ r,
|
||||
@{sys}/class/tty/ r,
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ abi <abi/3.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}lib/systemd/systemd-hostnamed
|
||||
profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
|
||||
profile systemd-hostnamed @{exec_path} flags=(attach_disconnected complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/systemd-common>
|
||||
|
|
@ -30,7 +30,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
|
|||
member={Get,GetAll,SetHostname}
|
||||
peer=(name=:*),
|
||||
|
||||
dbus bind bus=system
|
||||
dbus bind bus=system
|
||||
name=org.freedesktop.hostname[0-9],
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
@ -50,8 +50,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/firmware/dmi/entries/*/raw r,
|
||||
|
||||
/etc/.#hostname* rw,
|
||||
/etc/.#machine-info?????? rw,
|
||||
/etc/hostname rw,
|
||||
/etc/machine-info r,
|
||||
/etc/machine-info rw,
|
||||
|
||||
@{run}/udev/data/+dmi:id r,
|
||||
|
||||
|
|
|
|||
|
|
@ -31,7 +31,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{etc_rw}/adjtime r,
|
||||
/etc/adjtime r,
|
||||
/etc/systemd/timesyncd.conf r,
|
||||
/etc/systemd/timesyncd.conf.d/{,**} r,
|
||||
|
||||
|
|
|
|||
|
|
@ -38,6 +38,7 @@ profile appstreamcli @{exec_path} flags=(complain) {
|
|||
/var/lib/app-info/ w,
|
||||
/var/lib/app-info/yaml/ r,
|
||||
/var/lib/app-info/yaml/*.yml.gz w,
|
||||
/var/lib/app-info/icons/ r,
|
||||
/var/lib/apt/lists/ r,
|
||||
/var/lib/apt/lists/*.gz r,
|
||||
/var/lib/flatpak/appstream/{,**} r,
|
||||
|
|
@ -65,6 +66,7 @@ profile appstreamcli @{exec_path} flags=(complain) {
|
|||
|
||||
/{usr/,}bin/curl mr,
|
||||
|
||||
include if exists <local/appstreamcli_curl>
|
||||
}
|
||||
|
||||
include if exists <local/appstreamcli>
|
||||
|
|
|
|||
17
apparmor.d/profiles-a-f/cc-remote-login-helper
Normal file
17
apparmor.d/profiles-a-f/cc-remote-login-helper
Normal file
|
|
@ -0,0 +1,17 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/cc-remote-login-helper
|
||||
profile cc-remote-login-helper @{exec_path} flags=(complain) {
|
||||
include <abstractions/base>
|
||||
|
||||
capability sys_nice,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
include if exists <local/cc-remote-login-helper>
|
||||
}
|
||||
0
apparmor.d/profiles-g-l/logrotate
Executable file → Normal file
0
apparmor.d/profiles-g-l/logrotate
Executable file → Normal file
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}bin/man
|
||||
profile man @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
signal peer=man//man_groff,
|
||||
signal peer=man//man_filter,
|
||||
|
|
@ -41,11 +42,12 @@ profile man @{exec_path} {
|
|||
/{usr/,}bin/less rPx -> child-pager,
|
||||
/{usr/,}bin/more rPx -> child-pager,
|
||||
|
||||
/usr/**/man/** r,
|
||||
/var/**/man/** r,
|
||||
/usr/**/man/{,**} r,
|
||||
/var/**/man/{,**} r,
|
||||
/var/cache/man/index.db rk,
|
||||
|
||||
/etc/man_db.conf r,
|
||||
/etc/manpath.config r,
|
||||
|
||||
/dev/tty r,
|
||||
|
||||
|
|
@ -75,6 +77,8 @@ profile man_groff {
|
|||
|
||||
/tmp/groff* rw,
|
||||
owner /tmp/* rw,
|
||||
|
||||
include if exists <local/man_groff>
|
||||
}
|
||||
|
||||
profile man_filter {
|
||||
|
|
@ -102,4 +106,6 @@ profile man_filter {
|
|||
owner @{MOUNTS}/*/@{XDG_DATA_HOME}/** r,
|
||||
|
||||
/var/cache/man/** w,
|
||||
|
||||
include if exists <local/man_filter>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -20,6 +20,8 @@ profile passwd @{exec_path} {
|
|||
capability fsetid,
|
||||
capability setuid,
|
||||
|
||||
signal (receive) set=(term, kill) peer=gnome-control-center,
|
||||
|
||||
network netlink raw,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
|||
|
|
@ -58,6 +58,7 @@ profile pkexec @{exec_path} flags=(complain) {
|
|||
/{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
|
||||
/{usr/,}lib/update-notifier/package-system-locked rPx,
|
||||
/usr/share/apport/apport-gtk rPx,
|
||||
@{libexec}/cc-remote-login-helper rPx,
|
||||
|
||||
/etc/shells r,
|
||||
/etc/environment r,
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@ profile useradd @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/usermod rPx,
|
||||
/{usr/,}{s,}bin/usermod rPx,
|
||||
|
||||
/{usr/,}{s,}bin/pam_tally2 rCx -> pam_tally2,
|
||||
|
||||
|
|
@ -81,6 +81,7 @@ profile useradd @{exec_path} {
|
|||
|
||||
/var/log/tallylog rw,
|
||||
|
||||
include if exists <local/useradd_pam_tally2>
|
||||
}
|
||||
|
||||
include if exists <local/useradd>
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue