felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'main' into feat/update

Browse source
This commit is contained in:
Alex 2024-05-06 19:56:11 +01:00 committed by GitHub
commit f75e5047df
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
340 changed files with 1603 additions and 1539 deletions
Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/profiles-a-f/aa-notify
View file

@ -33,8 +33,8 @@ profile aa-notify @{exec_path} {
owner @{HOME}/.inputrc r,
owner @{HOME}/.terminfo/@{int}/dumb r,
owner /tmp/@{rand8} rw,
owner /tmp/apparmor-bugreport-*.txt rw,
owner @{tmp}/@{rand8} rw,
owner @{tmp}/apparmor-bugreport-*.txt rw,
@{PROC}/ r,
@{PROC}/@{pid}/stat r,

2
apparmor.d/profiles-a-f/adb
View file

@ -24,7 +24,7 @@ profile adb @{exec_path} {
/usr/share/scrcpy/scrcpy-server r,
owner /tmp/adb.@{int}.log rw,
owner @{tmp}/adb.@{int}.log rw,
owner @{HOME}/.android/ rw,
owner @{HOME}/.android/adb.@{int} rw,

4
apparmor.d/profiles-a-f/anacron
View file

@ -35,8 +35,8 @@ profile anacron @{exec_path} {
/etc/cron.*/ r,
/etc/cron.*/* rPUx,
owner /tmp/#@{int} rw,
owner /tmp/file@{rand6} rw,
owner @{tmp}/#@{int} rw,
owner @{tmp}/file@{rand6} rw,
include if exists <local/anacron_run_parts>
}

10
apparmor.d/profiles-a-f/anyremote
View file

@ -61,8 +61,8 @@ profile anyremote @{exec_path} {
@{bin}/mpv rPx,
@{bin}/strawberry rPx,
owner /tmp/amarok_covers/ rw,
owner /tmp/*.png rw,
owner @{tmp}/amarok_covers/ rw,
owner @{tmp}/*.png rw,
# For shell pwd
owner @{HOME}/ r,
@ -92,9 +92,9 @@ profile anyremote @{exec_path} {
owner @{HOME}/.kde/share/apps/amarok/albumcovers/cache/* r,
/tmp/ r,
owner /tmp/*.png rw,
owner /tmp/amarok_covers/* rw,
owner /tmp/magick-* rw,
owner @{tmp}/*.png rw,
owner @{tmp}/amarok_covers/* rw,
owner @{tmp}/magick-* rw,
}

2
apparmor.d/profiles-a-f/apparmor_parser
View file

@ -36,7 +36,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
owner /var/lib/snapd/apparmor/{,**} r,
owner /var/snap/lxd/common/lxd/security/apparmor/{,**} rw,
owner /tmp/cri-containerd.apparmor.d@{int} r,
owner @{tmp}/cri-containerd.apparmor.d@{int} r,
@{sys}/kernel/security/apparmor/{,**} r,
owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,

6
apparmor.d/profiles-a-f/appstreamcli
View file

@ -52,9 +52,9 @@ profile appstreamcli @{exec_path} flags=(complain) {
owner @{user_cache_dirs}/appstream/ rw,
owner @{user_cache_dirs}/appstream/appcache-*.mdb rw,
owner /tmp/appstream-cache-*.mdb rw,
owner /tmp/appstream/ rw,
owner /tmp/appstream/appcache-*.mdb rw,
owner @{tmp}/appstream-cache-*.mdb rw,
owner @{tmp}/appstream/ rw,
owner @{tmp}/appstream/appcache-*.mdb rw,
owner @{PROC}/@{pid}/fd/ r,

24
apparmor.d/profiles-a-f/arduino
View file

@ -67,18 +67,18 @@ profile arduino @{exec_path} {
owner @{HOME}/.Xauthority r,
/tmp/ r,
owner /tmp/cc*.{s,res,c,o,ld,le} rw,
owner /tmp/hsperfdata_*/ rw,
owner /tmp/hsperfdata_*/@{pid} rw,
owner /tmp/untitled[0-9]*.tmp rw,
owner /tmp/untitled[0-9]*.tmp/{,**} rw,
owner /tmp/console[0-9]*.tmp rw,
owner /tmp/console[0-9]*.tmp/{,**} rw,
owner /tmp/build[0-9]*.tmp rw,
owner /tmp/build[0-9]*.tmp/{,**} rw,
owner /tmp/arduino_{build,cache}_[0-9]*/{,**} rw,
owner /tmp/{library,package}_index.json*.tmp* rw,
owner /tmp/arduino_modified_sketch_[0-9]*/{,**} rw,
owner @{tmp}/cc*.{s,res,c,o,ld,le} rw,
owner @{tmp}/hsperfdata_*/ rw,
owner @{tmp}/hsperfdata_*/@{pid} rw,
owner @{tmp}/untitled[0-9]*.tmp rw,
owner @{tmp}/untitled[0-9]*.tmp/{,**} rw,
owner @{tmp}/console[0-9]*.tmp rw,
owner @{tmp}/console[0-9]*.tmp/{,**} rw,
owner @{tmp}/build[0-9]*.tmp rw,
owner @{tmp}/build[0-9]*.tmp/{,**} rw,
owner @{tmp}/arduino_{build,cache}_[0-9]*/{,**} rw,
owner @{tmp}/{library,package}_index.json*.tmp* rw,
owner @{tmp}/arduino_modified_sketch_[0-9]*/{,**} rw,
owner @{run}/lock/tmp* rw,
owner @{run}/lock/LCK..ttyS[0-9]* rw,

8
apparmor.d/profiles-a-f/arduino-builder
View file

@ -42,10 +42,10 @@ profile arduino-builder @{exec_path} {
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
/tmp/ r,
owner /tmp/cc* rw,
owner /tmp/untitled[0-9]*.tmp/{,**} rw,
owner /tmp/arduino_{build,cache}_[0-9]*/{,**} rw,
owner /tmp/arduino_modified_sketch_[0-9]*/{,**} rw,
owner @{tmp}/cc* rw,
owner @{tmp}/untitled[0-9]*.tmp/{,**} rw,
owner @{tmp}/arduino_{build,cache}_[0-9]*/{,**} rw,
owner @{tmp}/arduino_modified_sketch_[0-9]*/{,**} rw,
include if exists <local/arduino-builder>
}

4
apparmor.d/profiles-a-f/arduino-ctags
View file

@ -13,9 +13,9 @@ profile arduino-ctags @{exec_path} {
@{exec_path} mr,
owner /tmp/tags.* rw,
owner @{tmp}/tags.* rw,
owner /tmp/arduino_build_@{int}/** r,
owner @{tmp}/arduino_build_@{int}/** r,
include if exists <local/arduino-ctags>
}

8
apparmor.d/profiles-a-f/atril
View file

@ -60,10 +60,10 @@ profile atril @{exec_path} {
owner @{user_share_dirs}/ r,
owner /tmp/gtkprint_* rw,
owner /tmp/settings*.ini rw,
owner /tmp/settings*.ini.* rw,
owner /tmp/atril-@{pid}/{,**} rw,
owner @{tmp}/gtkprint_* rw,
owner @{tmp}/settings*.ini rw,
owner @{tmp}/settings*.ini.* rw,
owner @{tmp}/atril-@{pid}/{,**} rw,
@{sys}/firmware/acpi/pm_profile r,
@{sys}/devices/virtual/dmi/id/chassis_type r,

2
apparmor.d/profiles-a-f/augenrules
View file

@ -28,7 +28,7 @@ profile augenrules @{exec_path} flags=(attach_disconnected) {
/etc/audit/audit.rules rw,
/etc/audit/rules.d/{,*} r,
owner /tmp/aurules.@{rand8} rw,
owner @{tmp}/aurules.@{rand8} rw,
/dev/tty rw,

73
apparmor.d/profiles-a-f/birdtray
View file

@ -10,16 +10,11 @@ include <tunables/global>
@{exec_path} = @{bin}/birdtray
profile birdtray @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/desktop>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/qt5>
include <abstractions/qt5-settings-write>
include <abstractions/mesa>
include <abstractions/dri-enumerate>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/qt5-settings-write>
include <abstractions/ssl_certs>
network inet dgram,
@ -28,20 +23,13 @@ profile birdtray @{exec_path} {
@{exec_path} mr,
# To be able to start Thunderbird
@{bin}/thunderbird rPx,
@{bin}/xdg-open rCx -> open,
@{bin}/thunderbird rPx,
@{open_path} rPx -> child-open,
/usr/share/ulduzsoft/birdtray/{,**} r,
owner @{user_config_dirs}/ulduzsoft/ rw,
owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*,
owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{int},
owner /tmp/birdtray.ulduzsoft.single.instance.server.socket w,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Thunderbird mail dirs
owner @{HOME}/ r,
@ -51,47 +39,22 @@ profile birdtray @{exec_path} {
owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/**/ r,
owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/**/*.msf r,
/usr/share/hwdata/pnp.ids r,
owner @{user_config_dirs}/ulduzsoft/ rw,
owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*,
owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{int},
owner @{tmp}/birdtray.ulduzsoft.single.instance.server.socket w,
/dev/shm/#@{int} rw,
deny @{PROC}/sys/kernel/random/boot_id r,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# file_inherit
owner /dev/tty@{int} rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
@{bin}/xdg-open mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
include if exists <local/qpdfview_open>
}
include if exists <local/birdtray>
}

12
apparmor.d/profiles-a-f/borg
View file

@ -64,12 +64,12 @@ profile borg @{exec_path} {
owner @{user_config_dirs}/borg/** rw,
# If /tmp/ isn't accessible, then /var/tmp/ is used.
owner /tmp/* rw,
owner /tmp/borg-cache-*/ rw,
owner /tmp/borg-cache-*/* rw,
owner /tmp/tmp*/ rw,
owner /tmp/tmp*/file rw,
owner /tmp/tmp*/idx rw,
owner @{tmp}/* rw,
owner @{tmp}/borg-cache-*/ rw,
owner @{tmp}/borg-cache-*/* rw,
owner @{tmp}/tmp*/ rw,
owner @{tmp}/tmp*/file rw,
owner @{tmp}/tmp*/idx rw,
owner /var/lib/libuuid/clock.txt w,
owner /var/tmp/* rw,
owner /var/tmp/tmp*/ rw,

2
apparmor.d/profiles-a-f/browserpass
View file

@ -23,7 +23,7 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/scriptCache-*.bin r,
owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/startupCache.*.little r,
owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google[0-9]/goog-phish-proto-@{int}.vlpset rw,
owner /tmp/mozilla-temp-@{int} r,
owner @{tmp}/mozilla-temp-@{int} r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

2
apparmor.d/profiles-a-f/btrfs
View file

@ -37,7 +37,7 @@ profile btrfs @{exec_path} flags=(attach_disconnected) {
owner @{user_img_dirs}/{,**} rwk,
# For fsck of the btrfs filesystem directly from gparted
owner /tmp/gparted-*/ rw,
owner @{tmp}/gparted-*/ rw,
@{run}/blkid/blkid.tab{,-@{rand6}} rw,
@{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,

4
apparmor.d/profiles-a-f/check-support-status
View file

@ -55,7 +55,7 @@ profile check-support-status @{exec_path} {
owner @{HOME}/ r,
/tmp/ r,
owner /tmp/debian-security-support.*/{,**} rw,
owner @{tmp}/debian-security-support.*/{,**} rw,
/tmp/debian-security-support.postinst.*/output w,
/var/lib/debian-security-support/ r,
@ -73,7 +73,7 @@ profile check-support-status @{exec_path} {
@{bin}/debconf-escape r,
@{bin}/perl r,
owner /tmp/debian-security-support.postinst.*/output r,
owner @{tmp}/debian-security-support.postinst.*/output r,
}

8
apparmor.d/profiles-a-f/check-support-status-hook
View file

@ -40,8 +40,8 @@ profile check-support-status-hook @{exec_path} {
/root/ r,
/tmp/ r,
owner /tmp/debian-security-support.postinst.*/ rw,
owner /tmp/debian-security-support.postinst.*/output rw,
owner @{tmp}/debian-security-support.postinst.*/ rw,
owner @{tmp}/debian-security-support.postinst.*/output rw,
/var/lib/ r,
/var/lib/debian-security-support/ r,
@ -56,7 +56,7 @@ profile check-support-status-hook @{exec_path} {
@{bin}/perl r,
/tmp/ r,
owner /tmp/debian-security-support.postinst.*/output r,
owner @{tmp}/debian-security-support.postinst.*/output r,
}
@ -123,7 +123,7 @@ profile check-support-status-hook @{exec_path} {
@{etc_ro}/security/limits.d/ r,
/tmp/ r,
owner /tmp/debian-security-support.postinst.*/output w,
owner @{tmp}/debian-security-support.postinst.*/output w,
}
include if exists <local/check-support-status-hook>

6
apparmor.d/profiles-a-f/claws-mail
View file

@ -48,9 +48,9 @@ profile claws-mail @{exec_path} flags=(complain) {
owner @{user_mail_dirs}/ rw,
owner @{user_mail_dirs}/** rwl -> @{user_mail_dirs}/**,
owner /tmp/claws-mail-@{int}/ rw,
owner /tmp/claws-mail-@{int}/@{hex} rw,
owner /tmp/claws-mail-@{int}/@{hex}.lock rwk,
owner @{tmp}/claws-mail-@{int}/ rw,
owner @{tmp}/claws-mail-@{int}/@{hex} rw,
owner @{tmp}/claws-mail-@{int}/@{hex}.lock rwk,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,

6
apparmor.d/profiles-a-f/code
View file

@ -65,9 +65,9 @@ profile code flags=(attach_disconnected) {
owner @{user_projects_dirs}/ r,
owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
owner /tmp/@{uuid} rw,
owner /tmp/vscode-*/{,**} rw,
owner /tmp/vscode-ipc-@{uuid}.sock rw,
owner @{tmp}/@{uuid} rw,
owner @{tmp}/vscode-*/{,**} rw,
owner @{tmp}/vscode-ipc-@{uuid}.sock rw,
owner @{run}/user/@{uid}/vscode-@{hex}-*-{shared,main}.sock rw,
owner @{run}/user/@{uid}/vscode-git-@{hex}.sock rw,

2
apparmor.d/profiles-a-f/code-extension-git-askpass
View file

@ -23,7 +23,7 @@ profile code-extension-git-askpass @{exec_path} {
/usr/share/terminfo/** r,
owner /tmp/tmp.* rw,
owner @{tmp}/tmp.* rw,
/dev/tty rw,

2
apparmor.d/profiles-a-f/conky
View file

@ -141,7 +141,7 @@ profile conky @{exec_path} {
@{PROC}/@{pid}/net/route r,
owner /tmp/xauth-@{int}-_[0-9] r,
owner @{tmp}/xauth-@{int}-_[0-9] r,
/usr/share/X11/XErrorDB r,

2
apparmor.d/profiles-a-f/cpuid
View file

@ -17,7 +17,7 @@ profile cpuid @{exec_path} {
/dev/cpu/@{int}/cpuid r,
owner /tmp/cpuid* rw,
owner @{tmp}/cpuid* rw,
include if exists <local/cpuid>
}

2
apparmor.d/profiles-a-f/cups-backend-usb
View file

@ -11,6 +11,8 @@ profile cups-backend-usb @{exec_path} {
include <abstractions/base>
include <abstractions/devices-usb>
capability net_admin,
network netlink raw,
@{exec_path} mr,

2
apparmor.d/profiles-a-f/cups-notifier-dbus
View file

@ -19,7 +19,7 @@ profile cups-notifier-dbus @{exec_path} {
/etc/cups/client.conf r,
owner /tmp/cups-dbus-notifier-lockfile rwk,
owner @{tmp}/cups-dbus-notifier-lockfile rwk,
include if exists <local/cups-notifier-dbus>
}

2
apparmor.d/profiles-a-f/cups-pk-helper-mechanism
View file

@ -26,7 +26,7 @@ profile cups-pk-helper-mechanism @{exec_path} {
/etc/cups/ppd/*.ppd r,
owner /tmp/[a-z0-9]* rw,
owner @{tmp}/[a-z0-9]* rw,
@{run}/cups/cups.sock rw,

2
apparmor.d/profiles-a-f/cupsd
View file

@ -94,7 +94,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pids}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
owner /tmp/*_latest_print_info w,
owner @{tmp}/*_latest_print_info w,
/dev/tty rw,

8
apparmor.d/profiles-a-f/deltachat-desktop
View file

@ -48,10 +48,10 @@ profile deltachat-desktop @{exec_path} {
owner @{user_config_dirs}/DeltaChat/ rw,
owner @{user_config_dirs}/DeltaChat/** rwk,
owner /tmp/@{hex}/ rw,
owner /tmp/@{hex}/db.sqlite-blobs/ rw,
owner /tmp/@{hex}/db.sqlite rwk,
owner /tmp/@{hex}/db.sqlite-journal rw,
owner @{tmp}/@{hex}/ rw,
owner @{tmp}/@{hex}/db.sqlite-blobs/ rw,
owner @{tmp}/@{hex}/db.sqlite rwk,
owner @{tmp}/@{hex}/db.sqlite-journal rw,
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r,

4
apparmor.d/profiles-a-f/dhclient-script
View file

@ -56,8 +56,8 @@ profile dhclient-script @{exec_path} {
/var/lib/dhcp/dhclient.leases r,
/var/lib/samba/dhcp.conf{,.new} rw,
owner /tmp/dhclient-script.debug rw,
owner /tmp/variables.txt w,
owner @{tmp}/dhclient-script.debug rw,
owner @{tmp}/variables.txt w,
@{run}/chrony-dhcp/ rw,
@{run}/systemd/netif/leases/ r,

12
apparmor.d/profiles-a-f/dkms
View file

@ -85,11 +85,11 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/ r,
owner /tmp/* rw,
owner /tmp/cc* rw,
owner /tmp/dkms.*/ rw,
owner /tmp/sh-thd.* rw,
owner /tmp/tmp.* rw,
owner @{tmp}/* rw,
owner @{tmp}/cc* rw,
owner @{tmp}/dkms.*/ rw,
owner @{tmp}/sh-thd.* rw,
owner @{tmp}/tmp.* rw,
@{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pid}/fd/ r,
@ -109,7 +109,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
owner /boot/System.map-* r,
owner /tmp/tmp.* r,
owner @{tmp}/tmp.* r,
@{sys}/module/compression r,

2
apparmor.d/profiles-a-f/dlocate
View file

@ -42,7 +42,7 @@ profile dlocate @{exec_path} {
/var/lib/dpkg/info/*.conffiles r,
/var/lib/dpkg/info/*.md5sums r,
owner /tmp/sh-thd.* rw,
owner @{tmp}/sh-thd.* rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/fd/2 w,

2
apparmor.d/profiles-a-f/dmidecode
View file

@ -14,7 +14,7 @@ profile dmidecode @{exec_path} {
@{exec_path} mr,
owner /tmp/dump.bin rw,
owner @{tmp}/dump.bin rw,
@{sys}/firmware/dmi/tables/DMI r,
@{sys}/firmware/dmi/tables/smbios_entry_point r,

2
apparmor.d/profiles-a-f/downloadhelper
View file

@ -33,7 +33,7 @@ profile downloadhelper @{exec_path} {
owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/startupCache/startupCache.*.little r,
owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/safebrowsing-updating/google@{int}/goog-phish-proto-@{int}.vlpset rw,
owner /tmp/vdh-*.tmp rw,
owner @{tmp}/vdh-*.tmp rw,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/meminfo r,

4
apparmor.d/profiles-a-f/dumpcap
View file

@ -44,8 +44,8 @@ profile dumpcap @{exec_path} {
/dev/ r,
# Traffic log files
owner /tmp/wireshark_*.pcapng rw,
owner /tmp/*.pcap rw,
owner @{tmp}/wireshark_*.pcapng rw,
owner @{tmp}/*.pcap rw,
# file_inherit
owner @{HOME}/.xsession-errors w,

2
apparmor.d/profiles-a-f/engrampa
View file

@ -76,7 +76,7 @@ profile engrampa @{exec_path} {
owner @{user_share_dirs}/ r,
/tmp/ r,
owner /tmp/** rw,
owner @{tmp}/** rw,
@{run}/mount/utab r,

2
apparmor.d/profiles-a-f/etckeeper
View file

@ -57,7 +57,7 @@ profile etckeeper @{exec_path} {
owner @{HOME}/.netrc r,
owner @{user_config_dirs}/git/{,*} rw,
owner /tmp/etckeeper-git* rw,
owner @{tmp}/etckeeper-git* rw,
owner @{PROC}/@{pid}/fd/ r,

6
apparmor.d/profiles-a-f/evince
View file

@ -52,9 +52,9 @@ profile evince @{exec_path} {
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{user_config_dirs}/evince/{,*} rw,
owner /tmp/*.pdf r,
owner /tmp/evince-*/{,**} rw,
owner /tmp/gtkprint* rw,
owner @{tmp}/*.pdf r,
owner @{tmp}/evince-*/{,**} rw,
owner @{tmp}/gtkprint* rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,

4
apparmor.d/profiles-a-f/evince-thumbnailer
View file

@ -15,8 +15,8 @@ profile evince-thumbnailer @{exec_path} flags=(attach_disconnected) {
/usr/share/mime/mime.cache r,
/usr/share/poppler/{,**} r,
owner /tmp/gnome-desktop-file-to-thumbnail.pdf r,
owner /tmp/gnome-desktop-thumbnailer.png w,
owner @{tmp}/gnome-desktop-file-to-thumbnail.pdf r,
owner @{tmp}/gnome-desktop-thumbnailer.png w,
include if exists <local/evince-thumbnailer>
}

4
apparmor.d/profiles-a-f/ffmpeg
View file

@ -32,8 +32,8 @@ profile ffmpeg @{exec_path} {
owner @{user_music_dirs}/** rw,
owner @{user_videos_dirs}/** rw,
owner /tmp/*.{png,jpg} rw, # To generate thumbnails in some apps
owner /tmp/vidcutter/** rw, # TMP files for apps using ffmpeg
owner @{tmp}/*.{png,jpg} rw, # To generate thumbnails in some apps
owner @{tmp}/vidcutter/** rw, # TMP files for apps using ffmpeg
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]/meminfo r,

6
apparmor.d/profiles-a-f/flatpak
View file

@ -70,7 +70,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
/tmp/#@{int} rw,
owner /dev/shm/flatpak*/{,**} rw,
owner /tmp/ostree-gpg-*/{,**} rw,
owner @{tmp}/ostree-gpg-*/{,**} rw,
@{run}/.userns r,
@{run}/user/@{uid}/.dbus-proxy/ w,
@ -107,8 +107,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
@{HOME}/@{XDG_GPG_DIR}/*.conf r,
owner /tmp/ostree-gpg-*/ rw,
owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
owner @{tmp}/ostree-gpg-*/ rw,
owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
include if exists <local/flatpak_gpg>
}

2
apparmor.d/profiles-a-f/flatpak-portal
View file

@ -29,6 +29,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
/usr/share/mime/mime.cache r,
/usr/share/xdg-desktop-portal/portals/{,*.portal} r,
/var/lib/flatpak/exports/share/mime/mime.cache r,
/ r,
/.flatpak-info r,

6
apparmor.d/profiles-a-f/flatpak-system-helper
View file

@ -45,7 +45,7 @@ profile flatpak-system-helper @{exec_path} {
owner /{var/,}tmp/#@{int} rw,
owner /{var/,}tmp/ostree-gpg-*/ rw,
owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
@{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/fd/ r,
@ -62,8 +62,8 @@ profile flatpak-system-helper @{exec_path} {
@{lib}/{,gnupg/}scdaemon rix,
@{bin}/gpg-agent rix,
owner /tmp/ostree-gpg-*/ r,
owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
owner @{tmp}/ostree-gpg-*/ r,
owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,

4
apparmor.d/profiles-a-f/frontend
View file

@ -74,7 +74,7 @@ profile frontend @{exec_path} flags=(complain) {
/etc/inputrc r,
/etc/shadow r,
owner /tmp/file* w,
owner @{tmp}/file* w,
owner /var/cache/debconf/* rwk,
@{HOME}/.Xauthority r,
@ -119,7 +119,7 @@ profile frontend @{exec_path} flags=(complain) {
@{run}/ r,
@{run}/** rw,
/tmp/ r,
owner /tmp/** rw,
owner @{tmp}/** rw,
}