feat(profile): move away from old or too wide abstractions.

Alexandre Pujol 2025-06-19 23:55:20 +02:00
parent 033a7475e0
commit f29041576e
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
19 changed files with 84 additions and 86 deletions


@ -17,7 +17,7 @@ profile opera-crashreporter @{exec_path} {
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
include <abstractions/nameservice> include <abstractions/nameservice-strict>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
ptrace (trace, read) peer=opera, ptrace (trace, read) peer=opera,
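Review bot: The swap to `include <abstractions/nameservice-strict>` in opera-crashreporter is not paired with explicit socket rules, whereas atftpd, dhclient-script, netstat, tftp and vsftpd in this same commit add `network inet dgram,` through `network netlink raw,` to cover what the non-strict abstraction used to grant. If the profile has no `network inet stream,` / `network inet6 stream,` rules outside this hunk, the crash upload would now be denied rather than logged as a clean narrowing. Please confirm against the rest of the profile; its body continues outside the hunk.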


@ -11,16 +11,12 @@ include <tunables/global>
profile udiskie @{exec_path} { profile udiskie @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/X> include <abstractions/desktop>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org> include <abstractions/graphics>
include <abstractions/gtk>
include <abstractions/python> include <abstractions/python>
include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read> include <abstractions/thumbnails-cache-read>
include <abstractions/mesa> include <abstractions/user-download-strict>
include <abstractions/dri-enumerate>
@{exec_path} r, @{exec_path} r,
@{python_path} r, @{python_path} r,


@ -11,7 +11,6 @@ profile hyprpm @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/user-tmp>
network inet dgram, network inet dgram,
network inet stream, network inet stream,


@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,NetworkManager/}nm-dhcp-helper @{exec_path} = @{lib}/{,NetworkManager/}nm-dhcp-helper
profile nm-dhcp-helper @{exec_path} { profile nm-dhcp-helper @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus> include <abstractions/bus-system>
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,


@ -10,22 +10,21 @@ include <tunables/global>
@{exec_path} = @{bin}/usbguard-applet-qt @{exec_path} = @{bin}/usbguard-applet-qt
profile usbguard-applet-qt @{exec_path} { profile usbguard-applet-qt @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/X> include <abstractions/desktop>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/qt5>
include <abstractions/qt5-compose-cache-write>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/fontconfig-cache-read>
include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/qt5-compose-cache-write>
# Needed? # Needed?
ptrace (read), ptrace (read),
@{exec_path} mr, @{exec_path} mr,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{user_config_dirs}/USBGuard/ rw, owner @{user_config_dirs}/USBGuard/ rw,
owner @{user_config_dirs}/USBGuard/* rwkl -> @{user_config_dirs}/USBGuard/#@{int}, owner @{user_config_dirs}/USBGuard/* rwkl -> @{user_config_dirs}/USBGuard/#@{int},
@ -37,11 +36,6 @@ profile usbguard-applet-qt @{exec_path} {
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
/usr/share/hwdata/pnp.ids r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
include if exists <local/usbguard-applet-qt> include if exists <local/usbguard-applet-qt>
} }
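Review bot: `include <abstractions/qt5>` is dropped from usbguard-applet-qt in the first hunk, leaving only `include <abstractions/qt5-compose-cache-write>`, while fritzing and mkvtoolnix-gui in the same commit keep `include <abstractions/qt5>` next to `include <abstractions/desktop>`. Unless desktop pulls in qt5 (not visible on this page), the applet loses its Qt library and plugin access and will start producing denials. Either restore the include here or, if desktop does cover it, remove it from the other two profiles as well so the three Qt profiles follow one rule.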


@ -17,8 +17,9 @@ include <tunables/global>
@{exec_path} = @{sbin}/libvirtd @{exec_path} = @{sbin}/libvirtd
profile libvirtd @{exec_path} flags=(attach_disconnected) { profile libvirtd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dbus>
include <abstractions/devices-usb> include <abstractions/devices-usb>
include <abstractions/disks-write> include <abstractions/disks-write>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>


@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/atftpd @{exec_path} = @{bin}/atftpd
profile atftpd @{exec_path} { profile atftpd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice> include <abstractions/nameservice-strict>
# For libwrap (TCP Wrapper) support # For libwrap (TCP Wrapper) support
include <abstractions/hosts_access> include <abstractions/hosts_access>
@ -18,6 +18,12 @@ profile atftpd @{exec_path} {
capability setgid, capability setgid,
capability setuid, capability setuid,
network inet dgram,
network inet stream,
network inet6 dgram,
network inet6 stream,
network netlink raw,
@{exec_path} mr, @{exec_path} mr,
# FTP dirs (add "w" if you need write permissions and hence upload files) # FTP dirs (add "w" if you need write permissions and hence upload files)
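Review bot: The five `network …` rules added after `capability setuid,` in the second hunk are the complete inet/inet6 stream+dgram plus `network netlink raw,` set, and the identical block is pasted into dhclient-script, netstat, tftp and vsftpd. Moving these out of the abstraction is the point at which they can be trimmed to what each program actually opens — atftpd and tftp speak TFTP over UDP, so the `inet stream` / `inet6 stream` rules look unneeded unless libwrap or nss lookups require them — and the netlink rule deserves a short why-comment such as `network netlink raw, # presumably for name-service / interface lookups` so a reader does not mistake it for a raw-socket grant. If the broad set is intentional to avoid regressions, a one-line comment saying so would make that explicit.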


@ -10,13 +10,19 @@ include <tunables/global>
@{exec_path} = @{bin}/dhclient-script @{exec_path} = @{bin}/dhclient-script
profile dhclient-script @{exec_path} { profile dhclient-script @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice> include <abstractions/nameservice-strict>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
capability net_admin, capability net_admin,
capability sys_admin, capability sys_admin,
audit capability sys_module, audit capability sys_module,
network inet dgram,
network inet stream,
network inet6 dgram,
network inet6 stream,
network netlink raw,
@{exec_path} mr, @{exec_path} mr,
@{sh_path} mrix, @{sh_path} mrix,


@ -10,16 +10,14 @@ include <tunables/global>
@{exec_path} = @{bin}/dumpcap @{exec_path} = @{bin}/dumpcap
profile dumpcap @{exec_path} { profile dumpcap @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/dbus>
include <abstractions/dbus-session>
# To capture packekts # To capture packekts
capability net_raw, capability net_raw,
capability net_admin, capability net_admin,
signal (receive) peer=wireshark,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
network netlink raw, network netlink raw,
@ -27,6 +25,8 @@ profile dumpcap @{exec_path} {
network packet raw, network packet raw,
network bluetooth raw, network bluetooth raw,
signal (receive) peer=wireshark,
dbus (eavesdrop) bus=session, dbus (eavesdrop) bus=session,
@{exec_path} mr, @{exec_path} mr,


@ -11,10 +11,9 @@ include <tunables/global>
profile ffplay @{exec_path} { profile ffplay @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio-client> include <abstractions/audio-client>
include <abstractions/freedesktop.org> include <abstractions/desktop>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
include <abstractions/X>
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,


@ -10,16 +10,13 @@ include <tunables/global>
@{exec_path} = @{bin}/fritzing{,.real} @{exec_path} = @{bin}/fritzing{,.real}
profile fritzing @{exec_path} { profile fritzing @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/X> include <abstractions/desktop>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/mesa>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/qt5> include <abstractions/fontconfig-cache-read>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/qt5-settings-write> include <abstractions/qt5-settings-write>
include <abstractions/qt5>
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
@ -30,26 +27,25 @@ profile fritzing @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
/usr/share/fritzing/{,**} r,
/usr/share/hwdata/pnp.ids r,
/etc/debian_version r,
/etc/fstab r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner @{user_config_dirs}/Fritzing/ rw, owner @{user_config_dirs}/Fritzing/ rw,
owner @{user_config_dirs}/Fritzing/** rwkl -> @{user_config_dirs}/Fritzing/**, owner @{user_config_dirs}/Fritzing/** rwkl -> @{user_config_dirs}/Fritzing/**,
owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/ rw, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/ rw,
owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/** rw, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/** rw,
/usr/share/fritzing/{,**} r, owner @{run}/lock/LCK..ttyACM[0-9]* rwk,
/usr/share/hwdata/pnp.ids r, @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]*
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
owner @{PROC}/@{pid}/cmdline r, @{run}/udev/data/c166:@{int} r, # for /dev/ttyACM[0-9]*
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/etc/debian_version r,
@{sys}/bus/ r, @{sys}/bus/ r,
@{sys}/class/ r, @{sys}/class/ r,
@ -57,15 +53,13 @@ profile fritzing @{exec_path} {
@{sys}/devices/**/tty*/uevent r, @{sys}/devices/**/tty*/uevent r,
@{sys}/devices/**/tty/**/uevent r, @{sys}/devices/**/tty/**/uevent r,
@{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* owner @{PROC}/@{pid}/cmdline r,
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx owner @{PROC}/@{pid}/mountinfo r,
@{run}/udev/data/c166:@{int} r, # for /dev/ttyACM[0-9]* owner @{PROC}/@{pid}/mounts r,
/dev/ttyS@{int} rw, /dev/ttyS@{int} rw,
/dev/ttyACM@{int} rw, /dev/ttyACM@{int} rw,
owner @{run}/lock/LCK..ttyACM[0-9]* rwk,
include if exists <local/fritzing> include if exists <local/fritzing>
} }


@ -11,19 +11,12 @@ include <tunables/global>
profile light-locker @{exec_path} { profile light-locker @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/X> include <abstractions/desktop>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/wayland>
@{exec_path} mr, @{exec_path} mr,
@{PROC}/1/cgroup r,
owner @{PROC}/@{pid}/cgroup r,
# when locking the screen and switching/closing sessions # when locking the screen and switching/closing sessions
@{run}/systemd/sessions/* r, @{run}/systemd/sessions/* r,
@ -33,6 +26,9 @@ profile light-locker @{exec_path} {
@{sys}/devices/@{pci}/subsystem_vendor r, @{sys}/devices/@{pci}/subsystem_vendor r,
@{sys}/devices/@{pci}/subsystem_device r, @{sys}/devices/@{pci}/subsystem_device r,
@{PROC}/1/cgroup r,
owner @{PROC}/@{pid}/cgroup r,
# file_inherit # file_inherit
owner /dev/tty@{int} rw, owner /dev/tty@{int} rw,


@ -10,19 +10,15 @@ include <tunables/global>
@{exec_path} = @{bin}/mkvtoolnix-gui @{exec_path} = @{bin}/mkvtoolnix-gui
profile mkvtoolnix-gui @{exec_path} { profile mkvtoolnix-gui @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dri-enumerate> include <abstractions/desktop>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts> include <abstractions/graphics>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/qt5>
include <abstractions/qt5-compose-cache-write> include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write> include <abstractions/qt5-settings-write>
include <abstractions/qt5>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
include <abstractions/X>
signal (send) set=(term, kill) peer=mkvmerge, signal (send) set=(term, kill) peer=mkvmerge,


@ -13,12 +13,18 @@ include <tunables/global>
profile netstat @{exec_path} { profile netstat @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice> include <abstractions/nameservice-strict>
capability dac_read_search, capability dac_read_search,
capability sys_ptrace, capability sys_ptrace,
capability syslog, capability syslog,
network inet dgram,
network inet stream,
network inet6 dgram,
network inet6 stream,
network netlink raw,
ptrace (trace,read), ptrace (trace,read),
@{exec_path} rmix, @{exec_path} rmix,


@ -10,13 +10,9 @@ include <tunables/global>
@{exec_path} = @{bin}/pcb-gtk @{exec_path} = @{bin}/pcb-gtk
profile pcb-gtk @{exec_path} { profile pcb-gtk @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/X> include <abstractions/desktop>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org> include <abstractions/graphics>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>


@ -12,7 +12,6 @@ include <tunables/global>
profile sing-box @{exec_path} { profile sing-box @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/user-tmp>
capability net_bind_service, capability net_bind_service,


@ -10,9 +10,15 @@ include <tunables/global>
@{exec_path} = @{bin}/tftp @{exec_path} = @{bin}/tftp
profile tftp @{exec_path} { profile tftp @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice> include <abstractions/nameservice-strict>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
network inet dgram,
network inet stream,
network inet6 dgram,
network inet6 stream,
network netlink raw,
@{exec_path} mr, @{exec_path} mr,
include if exists <local/tftp> include if exists <local/tftp>


@ -12,7 +12,7 @@ profile vsftpd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/authentication> include <abstractions/authentication>
include <abstractions/hosts_access> include <abstractions/hosts_access>
include <abstractions/nameservice> include <abstractions/nameservice-strict>
include <abstractions/wutmp> include <abstractions/wutmp>
# To be able to listen on ports < 1024 # To be able to listen on ports < 1024
@ -41,6 +41,12 @@ profile vsftpd @{exec_path} {
capability dac_read_search, capability dac_read_search,
# If session_support=YES, vsftpd will also try and update utmp and wtmp # If session_support=YES, vsftpd will also try and update utmp and wtmp
network inet dgram,
network inet stream,
network inet6 dgram,
network inet6 stream,
network netlink raw,
@{exec_path} mr, @{exec_path} mr,
# To validate allowed users shells # To validate allowed users shells
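Review bot: In the second hunk the added `network …` block lands directly beneath `# If session_support=YES, vsftpd will also try and update utmp and wtmp`, so that comment is now separated from whatever it described and reads as an explanation of the socket rules. Move the block above the comment, right after `capability dac_read_search,`, or below `@{exec_path} mr,`, or give the rules their own short comment. The profile body continues outside the hunk, so the comment's original subject is not visible here.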


@ -13,13 +13,11 @@ profile youtube-dl @{exec_path} {
include <abstractions/audio-client> include <abstractions/audio-client>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts> include <abstractions/desktop>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/python> include <abstractions/python>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
include <abstractions/X>
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,