felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'main' into feat/update

Browse source
This commit is contained in:
Alex 2024-05-06 19:56:11 +01:00 committed by GitHub
commit f75e5047df
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
340 changed files with 1603 additions and 1539 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/abstractions/X-strict
View file

@ -19,7 +19,7 @@
/tmp/.ICE-unix/* rw,
/tmp/.X@{int}-lock rw,
/tmp/.X11-unix/* rw,
owner /tmp/xauth_@{rand6} rl -> /tmp/#@{int},
owner @{tmp}/xauth_@{rand6} rl -> /tmp/#@{int},
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland
owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,

22
apparmor.d/abstractions/app/chromium
View file

@ -46,6 +46,7 @@
ptrace (read) peer=gnome-browser-connector-host,
ptrace (read) peer=keepassxc-proxy,
ptrace (read) peer=lsb_release,
ptrace (read) peer=plasma-browser-integration-host,
ptrace (read) peer=xdg-settings,
ptrace (trace) peer=@{profile_name},
@ -109,6 +110,7 @@
/etc/@{name}/{,**} r,
/etc/fstab r,
/etc/opensc.conf r,
/etc/opensc/opensc.conf r, # Debian ubication
/var/lib/dbus/machine-id r,
/etc/machine-id r,
@ -150,22 +152,22 @@
/tmp/ r,
/var/tmp/ r,
owner /tmp/.@{domain}.* rw,
owner /tmp/.@{domain}*/{,**} rw,
owner /tmp/@{name}-crashlog-@{int}-@{int}.txt rw,
owner /tmp/scoped_dir*/{,**} rw,
owner /tmp/tmp.* rw,
owner /tmp/tmp.*/ rw,
owner /tmp/tmp.*/** rwk,
owner @{tmp}/.@{domain}.* rw,
owner @{tmp}/.@{domain}*/{,**} rw,
owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw,
owner @{tmp}/scoped_dir*/{,**} rw,
owner @{tmp}/tmp.* rw,
owner @{tmp}/tmp.*/ rw,
owner @{tmp}/tmp.*/** rwk,
owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw,
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw,
/dev/shm/ r,
owner /dev/shm/.@{domain}* rw,
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw,
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw,
@{sys}/bus/ r,
@{sys}/bus/**/devices/ r,
@{sys}/class/**/ r,

1
apparmor.d/abstractions/app/sudo
View file

@ -39,6 +39,7 @@
@{etc_ro}/sudoers.d/{,*} r,
/ r,
/etc/machine-id r,
owner /var/lib/sudo/ts/ rw,
owner /var/lib/sudo/ts/@{uid} rwk,

4
apparmor.d/abstractions/authentication.d/complete
View file

@ -1,8 +1,10 @@
@{bin}/pam-tmpdir-helper rPx,
#aa:exclude ubuntu
@{bin}/unix_chkpwd rPx,
#aa:only whonix
@{bin}/pam-tmpdir-helper rPx,
@{lib}/security-misc/pam_faillock_not_if_x rPx,
@{lib}/security-misc/pam-abort-on-locked-password rPx,
@{lib}/security-misc/pam-info rPx,

4
apparmor.d/abstractions/bus-session
View file

@ -19,8 +19,8 @@
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner /tmp/dbus-@{rand8} rw,
owner /tmp/dbus-@{rand10} rw,
owner @{tmp}/dbus-@{rand8} rw,
owner @{tmp}/dbus-@{rand10} rw,
owner @{run}/user/@{uid}/bus rw,

6
apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
View file

@ -14,17 +14,17 @@
dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.RealtimeKit1
member={MakeThreadRealtime,MakeThreadHighPriority}
member=MakeThread*
peer=(name=:*, label=rtkit-daemon),
dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.RealtimeKit1
member={MakeThreadRealtime,MakeThreadHighPriority}
member=MakeThread*
peer=(name=org.freedesktop.RealtimeKit1),
dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.RealtimeKit1
member=MakeThreadRealtimeWithPID
member=MakeThread*
peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon),
include if exists <abstractions/bus/org.freedesktop.RealtimeKit1.d>

2
apparmor.d/abstractions/common/app
View file

@ -53,7 +53,7 @@
owner @{user_share_dirs}/** rwkl,
owner @{user_games_dirs}/{,**} rm,
owner /tmp/** rmwk,
owner @{tmp}/** rmwk,
owner /dev/shm/** rwlk -> /dev/shm/**,
@{run}/cups/cups.sock rw, # Allow access to cups printing socket.

5
apparmor.d/abstractions/common/apt
View file

@ -25,8 +25,7 @@
/var/lib/dpkg/status r,
/var/lib/ubuntu-advantage/apt-esm/{,**} r,
owner /tmp/#@{int} rw,
owner /tmp/clearsigned.message.* rw,
owner /tmp/user/@{uid}/#@{int} rw,
owner @{tmp}/#@{int} rw,
owner @{tmp}/clearsigned.message.* rw,
include if exists <abstractions/common/apt.d>

4
apparmor.d/abstractions/common/bwrap
View file

@ -37,8 +37,8 @@
owner / r,
owner /newroot/{,**} w,
owner /tmp/newroot/ w,
owner /tmp/oldroot/ w,
owner @{tmp}/newroot/ w,
owner @{tmp}/oldroot/ w,
@{PROC}/sys/kernel/overflowgid r,
@{PROC}/sys/kernel/overflowuid r,

12
apparmor.d/abstractions/common/chromium
View file

@ -24,12 +24,12 @@
/tmp/ r,
/var/tmp/ r,
owner /tmp/.org.chromium.Chromium.* rw,
owner /tmp/.org.chromium.Chromium.*/{,**} rw,
owner /tmp/scoped_dir*/ rw,
owner /tmp/scoped_dir*/SingletonCookie w,
owner /tmp/scoped_dir*/SingletonSocket w,
owner /tmp/scoped_dir*/SS w,
owner @{tmp}/.org.chromium.Chromium.* rw,
owner @{tmp}/.org.chromium.Chromium.*/{,**} rw,
owner @{tmp}/scoped_dir*/ rw,
owner @{tmp}/scoped_dir*/SingletonCookie w,
owner @{tmp}/scoped_dir*/SingletonSocket w,
owner @{tmp}/scoped_dir*/SS w,
/dev/shm/ r,
owner /dev/shm/.org.chromium.Chromium.* rw,

16
apparmor.d/abstractions/common/electron
View file

@ -50,14 +50,14 @@
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
owner /tmp/.org.chromium.Chromium.@{rand6} rw,
owner /tmp/.org.chromium.Chromium.@{rand6}/ rw,
owner /tmp/.org.chromium.Chromium.@{rand6}/SingletonCookie w,
owner /tmp/.org.chromium.Chromium.@{rand6}/SingletonSocket w,
owner /tmp/scoped_dir@{rand6}/ rw,
owner /tmp/scoped_dir@{rand6}/SingletonCookie w,
owner /tmp/scoped_dir@{rand6}/SingletonSocket w,
owner /tmp/scoped_dir@{rand6}/SS w,
owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
owner @{tmp}/.org.chromium.Chromium.@{rand6}/ rw,
owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonCookie w,
owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonSocket w,
owner @{tmp}/scoped_dir@{rand6}/ rw,
owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w,
owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w,
owner @{tmp}/scoped_dir@{rand6}/SS w,
owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,

14
apparmor.d/abstractions/fish Normal file
View file

@ -0,0 +1,14 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# This abstraction is only required when an interactive shell is started.
# Classic shell scripts do not need it.
/usr/share/fish/{,**} r,
/etc/fish/{,**} r,
owner @{user_config_dirs}/fish/{,**} r,
include if exists <abstractions/fish.d>

3
apparmor.d/abstractions/freedesktop.org.d/complete
View file

@ -10,6 +10,9 @@
@{system_share_dirs}/glib-2.0/schemas/ r,
@{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r,
@{system_share_dirs}/ r,
@{system_share_dirs}/mime/ r,
/usr/share/mime/ r,
/etc/gnome/defaults.list r,

1
apparmor.d/abstractions/shells
View file

@ -6,6 +6,7 @@
# Classic shell scripts do not need it.
include <abstractions/bash-strict>
include <abstractions/fish>
include <abstractions/zsh>
include if exists <abstractions/shells.d>

3
apparmor.d/abstractions/video.d/complete
View file

@ -3,3 +3,6 @@
# SPDX-License-Identifier: GPL-2.0-only
@{sys}/devices/@{pci}/video4linux/video@{int}/uevent r,
# Access to video /dev devices
/dev/video@{int} rw,

4
apparmor.d/abstractions/vulkan-strict
View file

@ -15,6 +15,7 @@
/etc/vulkan/implicit_layer.d/{,*.json} r,
owner @{user_share_dirs}/vulkan/implicit_layer.d/{,*.json} r,
owner @{user_cache_dirs}/radv_builtin_shaders64 r, #Vulkan radv shaders cache
@{sys}/class/ r,
@{sys}/class/drm/ r,
@ -23,4 +24,5 @@
@{sys}/devices/@{pci}/drm/card@{int}/metrics/ r,
@{sys}/devices/@{pci}/drm/card@{int}/metrics/@{uuid}/id r,
include if exists <abstractions/vulkan-strict.d>
include if exists <abstractions/vulkan-strict.d>