diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 6a29d1764..4c506da69 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -2,6 +2,9 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + + # The unix socket to use to connect to the display unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index 2aaecbd21..5d2f74363 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root @@ -3,6 +3,8 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + @{bin}/** PUx, /usr/local/{s,}bin/** PUx, diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 04b20e84d..800de5106 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -3,6 +3,8 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + @{bin}/** PUx, /opt/*/** PUx, /usr/share/** PUx, diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index f0fd32206..900fdc3c8 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -8,6 +8,8 @@ # Ultimately, only sandbox manager such as like bwrap, snap, flatpak, firejail # should be present here. Until this day, this profile will be a controlled mess. + abi , + # Sandbox managers @{bin}/bwrap rPUx, @{bin}/firejail rPUx, diff --git a/apparmor.d/abstractions/app/bus b/apparmor.d/abstractions/app/bus index d1d0d8cb7..d1bd606a6 100644 --- a/apparmor.d/abstractions/app/bus +++ b/apparmor.d/abstractions/app/bus 
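Review bot: The abi target is stripped from every added line in this rendering (`abi ,`), so the property this series depends on cannot be verified from the page: that each abstraction from X-strict through common/systemd names the same abi file, and that the file is shipped under apparmor.d/abi on every distribution the project targets. A single pass such as `grep -rL 'abi <' apparmor.d/abstractions` before merge would also list any abstraction the series missed. The context lines show these abstractions carry `unix`, `dbus` and `userns` rules, and which of those classes is enforced depends on the abi the policy is compiled against, so an abstraction pinning an abi different from the profile that includes it presumably changes enforcement in ways the profile author did not intend. I would confirm how the parser resolves that combination rather than assume it, and record the outcome in the commit message.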
@@ -4,6 +4,8 @@
 # Minimal set of rules for dbus-send/dbus-launch.
+ abi ,
+
 include
 @{bin}/dbus-launch mix,
diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium
index 81d37113d..6bf3f26ed 100644
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@@ -16,6 +16,8 @@
 # or abstractions/common/electron instead.
 #
+ abi ,
+
 include
 include
 include
diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor
index d6e346f36..9daec6ad1 100644
--- a/apparmor.d/abstractions/app/editor
+++ b/apparmor.d/abstractions/app/editor
@@ -3,6 +3,8 @@
 # Copyright (C) 2024 Zane Zakraisek
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 include
 include
diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox
index c94ef8476..2f9c93937 100644
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@@ -12,6 +12,8 @@
 # @{cache_dirs} = @{user_cache_dirs}/mozilla/
 #
+ abi ,
+
 include
 include
 include
diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod
index ae10dbbfc..ad02acc54 100644
--- a/apparmor.d/abstractions/app/kmod
+++ b/apparmor.d/abstractions/app/kmod
@@ -2,6 +2,8 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 include
 @{bin}/depmod mr,
diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open
index f21a2a7de..9ae49c4bd 100644
--- a/apparmor.d/abstractions/app/open
+++ b/apparmor.d/abstractions/app/open
@@ -4,6 +4,8 @@
 # Full set of rules for child-open-* profiles.
+ abi ,
+
 include
 @{open_path} mrix,
diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep
index aaf14d859..13ebcd390 100644
--- a/apparmor.d/abstractions/app/pgrep
+++ b/apparmor.d/abstractions/app/pgrep
@@ -4,6 +4,8 @@
 # Minimal set of rules for pgrep/pkill.
+ abi ,
+
 include
 capability sys_ptrace,
diff --git a/apparmor.d/abstractions/app/pkexec b/apparmor.d/abstractions/app/pkexec
index 2c3669bcc..5b9197957 100644
--- a/apparmor.d/abstractions/app/pkexec
+++ b/apparmor.d/abstractions/app/pkexec
@@ -4,6 +4,8 @@
 # Minimal set of rules for pkexec.
+ abi ,
+
 include
 include
 include
diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo
index b10c66c68..0149cc883 100644
--- a/apparmor.d/abstractions/app/sudo
+++ b/apparmor.d/abstractions/app/sudo
@@ -4,6 +4,8 @@
 # Minimal set of rules for sudo. Interactive sudo need more rules.
+ abi ,
+
 include
 include
 include
diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl
index 62b4aafdf..9f0da659b 100644
--- a/apparmor.d/abstractions/app/systemctl
+++ b/apparmor.d/abstractions/app/systemctl
@@ -2,6 +2,8 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 include
 include
diff --git a/apparmor.d/abstractions/app/udevadm b/apparmor.d/abstractions/app/udevadm
index 72fb4c61b..cba83e1ff 100644
--- a/apparmor.d/abstractions/app/udevadm
+++ b/apparmor.d/abstractions/app/udevadm
@@ -2,6 +2,8 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 ptrace read peer=@{p_systemd},
 @{bin}/udevadm mr,
diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client
index 7ed4d6b80..45028f488 100644
--- a/apparmor.d/abstractions/audio-client
+++ b/apparmor.d/abstractions/audio-client
@@ -5,6 +5,8 @@
 # Most programs do not need access to audio devices, audio-client only includes
 # configuration files to be used by client applications.
+ abi ,
+
 /usr/share/alsa/{,**} r,
 /usr/share/openal/hrtf/{,**} r,
 /usr/share/pipewire/client-rt.conf r,
diff --git a/apparmor.d/abstractions/audio-server b/apparmor.d/abstractions/audio-server
index ef69d2d54..97850305b 100644
--- a/apparmor.d/abstractions/audio-server
+++ b/apparmor.d/abstractions/audio-server
@@ -5,6 +5,8 @@
 # Provide access to audio devices. It should only be used by audio servers that
 # need direct access to them.
+ abi ,
+
 include
 @{run}/udev/data/+sound:card@{int} r, # for sound card
diff --git a/apparmor.d/abstractions/bash-strict b/apparmor.d/abstractions/bash-strict
index 832f2add6..9ea35f8c2 100644
--- a/apparmor.d/abstractions/bash-strict
+++ b/apparmor.d/abstractions/bash-strict
@@ -5,6 +5,8 @@
 # This abstraction is only required when an interactive shell is started.
 # Classic shell scripts do not need it.
+ abi ,
+
 /usr/share/bash-completion/{,**} r,
 /usr/share/terminfo/{,**} r,
diff --git a/apparmor.d/abstractions/bus-accessibility b/apparmor.d/abstractions/bus-accessibility
index f032f842b..ee0a16b99 100644
--- a/apparmor.d/abstractions/bus-accessibility
+++ b/apparmor.d/abstractions/bus-accessibility
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=accessibility path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
 member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session
index d5ca957e8..811787bad 100644
--- a/apparmor.d/abstractions/bus-session
+++ b/apparmor.d/abstractions/bus-session
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 unix (bind, listen) type=stream addr="@/tmp/dbus-*",
 unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*",
 unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-*"),
diff --git a/apparmor.d/abstractions/bus-system b/apparmor.d/abstractions/bus-system
index 0148d0711..0bfe96818 100644
--- a/apparmor.d/abstractions/bus-system
+++ b/apparmor.d/abstractions/bus-system
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
 member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
diff --git a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry
index 7aa5e7f75..9363bb757 100644
--- a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry
+++ b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry
@@ -4,6 +4,8 @@
 # Access required for connecting to/communicating with the Unity Launcher
+ abi ,
+
 dbus send bus=session path=/com/canonical/unity/launcherentry/@{int}
 interface=com.canonical.Unity.LauncherEntry
 member=Update
diff --git a/apparmor.d/abstractions/bus/com.canonical.dbusmenu b/apparmor.d/abstractions/bus/com.canonical.dbusmenu
index 290a86de8..c5f74a6de 100644
--- a/apparmor.d/abstractions/bus/com.canonical.dbusmenu
+++ b/apparmor.d/abstractions/bus/com.canonical.dbusmenu
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 include if exists
diff --git a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1
index 458d99eef..4b7d6c89d 100644
--- a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1
+++ b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/fi/w1/wpa_supplicant1
 interface=org.freedesktop.DBus.Properties
 member={GetAll,PropertiesChanged}
diff --git a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles
index 1bee9da46..4da873247 100644
--- a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles
+++ b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/net/hadess/PowerProfiles
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl
index 84422b28e..7f68d2d06 100644
--- a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl
+++ b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/net/hadess/SwitcherooControl
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/abstractions/bus/net.reactivated.Fprint b/apparmor.d/abstractions/bus/net.reactivated.Fprint
index ad16d10a2..41735f1be 100644
--- a/apparmor.d/abstractions/bus/net.reactivated.Fprint
+++ b/apparmor.d/abstractions/bus/net.reactivated.Fprint
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/net/reactivated/Fprint/Manager
 interface=net.reactivated.Fprint.Manager
 member={GetDevices,GetDefaultDevice}
diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y
index deb517f1d..357c06473 100644
--- a/apparmor.d/abstractions/bus/org.a11y
+++ b/apparmor.d/abstractions/bus/org.a11y
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 # Accessibility bus
 dbus receive bus=accessibility path=/org/a11y/atspi/registry
diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/org.bluez
index d6ed8922d..7b709ab9b 100644
--- a/apparmor.d/abstractions/bus/org.bluez
+++ b/apparmor.d/abstractions/bus/org.bluez
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus receive bus=system path=/
 interface=org.freedesktop.DBus.ObjectManager
 member=InterfacesRemoved
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts
index 946189fe5..f2048c80e 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/org/freedesktop/Accounts
 interface=org.freedesktop.Accounts
 member={FindUserByName,ListCachedUsers}
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi
index 73ddaf14e..ccf5b30a9 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/
 interface=org.freedesktop.DBus.Peer
 member=Ping
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager
index 6f5c7acf3..205557ad5 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/org/freedesktop/ColorManager
 interface=org.freedesktop.ColorManager
 member=GetDevices
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1
index 36f5b405e..101e493ab 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=session path=/org/freedesktop/FileManager1
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
index af34b33fe..ddbf4d1de 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
+++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1
index 84ce80b6e..5c514d54c 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/org/freedesktop/ModemManager1
 interface=org.freedesktop.DBus.ObjectManager
 member=GetManagedObjects
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
index 61f27fca5..af2b6d2b9 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
+++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/org/freedesktop
 interface=org.freedesktop.DBus.ObjectManager
 member=GetManagedObjects
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/org.freedesktop.Notifications
index 27e1e7137..eee09ffad 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Notifications
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=session path=/org/freedesktop/Notifications
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit
index 1a6839b17..b65bc1ef5 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit
+++ b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/org/freedesktop/PackageKit
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1
index 006dcee84..ab9e373ab 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
 interface=org.freedesktop.PolicyKit1.Authority
 member=Changed
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
index 527c1e916..ff2906932 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/org/freedesktop/RealtimeKit1
 interface=org.freedesktop.DBus.Properties
 member=Get
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver
index 842057a1d..43ed93af6 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=session path=/ScreenSaver
 interface=org.freedesktop.ScreenSaver
 member={Inhibit,UnInhibit}
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files
index 567740a35..48fa7e394 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
 interface=org.freedesktop.DBus.Peer
 member=Ping
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
index cd415f396..30abb2199 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
+++ b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/org/freedesktop/UDisks2
 interface=org.freedesktop.DBus.ObjectManager
 member=GetManagedObjects
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower
index 148db02d7..369448079 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.UPower
+++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/org/freedesktop/UPower
 interface=org.freedesktop.UPower
 member=EnumerateDevices
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor
index ff7d57989..f6019eedb 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor
+++ b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=session path=/org/freedesktop/background/monitor
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1
index 51b0a5cec..8957c4cdd 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/org/freedesktop/hostname1
 interface=org.freedesktop.DBus.Properties
 member={Get,GetAll}
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore
index 0fabcd310..c4e4a5fbf 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore
+++ b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/org.freedesktop.locale1
index 74e51b1d7..50218ced3 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.locale1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.locale1
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/org/freedesktop/locale1
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1
index 595b81335..77271fe23 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.login1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.login1
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/org/freedesktop/login1
 interface=org.freedesktop.DBus.Properties
 member={Get,GetAll}
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session
index d5b62f739..4affc3d22 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session
+++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/org/freedesktop/login1
 interface=org.freedesktop.login1.Manager
 member=GetSession
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.network1 b/apparmor.d/abstractions/bus/org.freedesktop.network1
index 268a21dea..56460a52b 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.network1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.network1
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/org/freedesktop/network1
 interface=org.freedesktop.DBus.Properties
 member=Get
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop
index 820b57ff7..1561491cc 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop
+++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=session path=/org/freedesktop/portal/desktop
 interface=org.freedesktop.DBus.Properties
 member={Get,GetAll,Read}
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1
index 7f5b6d1a4..7714a871b 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/org/freedesktop/resolve1
 interface=org.freedesktop.resolve1.Manager
 member={SetLink*,ResolveHostname}
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.secrets b/apparmor.d/abstractions/bus/org.freedesktop.secrets
index bb8014fc0..0b169a04e 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.secrets
+++ b/apparmor.d/abstractions/bus/org.freedesktop.secrets
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=session path=/org/freedesktop/secrets{,/**}
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1
index 49e4b014d..115aefd78 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/org/freedesktop/systemd1
 interface=org.freedesktop.DBus.Properties
 member={Get,GetAll}
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
index 8edda758c..97db8023f 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
+++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=session path=/org/freedesktop/systemd1
 interface=org.freedesktop.DBus.Properties
 member={Get,GetAll}
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/org.freedesktop.timedate1
index 32cc2f451..443d35eed 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/org/freedesktop/timedate1
 interface=org.freedesktop.DBus.Properties
 member=Get
diff --git a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1
index 078835c41..120330ac1 100644
--- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1
+++ b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=session path=/org/gnome/ArchiveManager1
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/abstractions/bus/org.gnome.DisplayManager b/apparmor.d/abstractions/bus/org.gnome.DisplayManager
index 0d76f2388..107868836 100644
--- a/apparmor.d/abstractions/bus/org.gnome.DisplayManager
+++ b/apparmor.d/abstractions/bus/org.gnome.DisplayManager
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=system path=/org/gnome/DisplayManager/Manager
 interface=org.gnome.DisplayManager.Manager
 member=RegisterDisplay
diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig
index 1449ff4ea..605e90311 100644
--- a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig
+++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
 interface=org.gnome.Mutter.DisplayConfig
 member={GetResources,GetCrtcGamma}
diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor
index 2726a7c54..68769f2c9 100644
--- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor
+++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=session path=/org/gnome/Mutter/IdleMonitor
 interface=org.freedesktop.DBus.ObjectManager
 member=GetManagedObjects
diff --git a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2
index da9f7229f..185937e70 100644
--- a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2
+++ b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=session path=/org/gnome/Nautilus/FileOperations2
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver
index 15eec0c69..ba13aa7d2 100644
--- a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver
+++ b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=session path=/org/gnome/ScreenSaver
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/abstractions/bus/org.gnome.SessionManager b/apparmor.d/abstractions/bus/org.gnome.SessionManager
index 19242d56a..c683eddac 100644
--- a/apparmor.d/abstractions/bus/org.gnome.SessionManager
+++ b/apparmor.d/abstractions/bus/org.gnome.SessionManager
@@ -4,6 +4,8 @@
 # FIXME: Too large, restrict it.
+ abi ,
+
 dbus send bus=session path=/org/gnome/SessionManager
 interface=org.gnome.SessionManager
 member={RegisterClient,IsSessionRunning}
diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect
index ed39a2533..efe53af62 100644
--- a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect
+++ b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=session path=/org/gnome/Shell/Introspect
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor
index 0ad921ed3..9060c8c15 100644
--- a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor
+++ b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
 interface=org.gtk.Private.RemoteVolumeMonitor
 member={List,IsSupported,VolumeChanged,VolumeMount,MountAdded}
diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon
index 3e0d95f18..e813f5c4f 100644
--- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon
+++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=session path=/org/gtk/vfs/Daemon
 interface=org.gtk.vfs.Daemon
 member={GetConnection,ListMonitorImplementations,ListMountableInfo}
diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata
index e755faa6a..80daa4927 100644
--- a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata
+++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=session path=/org/gtk/vfs/metadata
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker
index 575401ee6..1c80ca6ea 100644
--- a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker
+++ b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
 dbus send bus=session path=/org/gtk/vfs/mounttracker
 interface=org.gtk.vfs.MountTracker
 member=ListMountableInfo
diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem
index 4fca40e84..43947d52a 100644
--- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem
+++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem
@@ -2,6 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ abi ,
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
index 67ac1fb6d..5217a50f5 100644
--- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
+++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
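Review bot: The org.kde.StatusNotifierItem hunk is the only one in the series that adds a single line (`@@ -2,6 +2,7 @@`), while every other hunk adds the abi line plus an empty line after it, so the spacing around the abi rule in that file most likely ends up different from the rest; blank lines are not visible in this rendering, so this is inferred from the line counts rather than seen. If that is the case, add the empty line after the abi rule so the abstraction headers stay uniform and a later mechanical pass over them (or a reader comparing files side by side) does not need a special case.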
@@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/StatusNotifierWatcher interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/abstractions/bus/org.kde.kwalletd b/apparmor.d/abstractions/bus/org.kde.kwalletd index c0d2ecba2..1ae5a1ace 100644 --- a/apparmor.d/abstractions/bus/org.kde.kwalletd +++ b/apparmor.d/abstractions/bus/org.kde.kwalletd @@ -2,6 +2,8 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 7b6a5fdda..392ea2c5f 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -9,6 +9,8 @@ # applications (bwrap) that have no way to restrict access depending on the # application being confined. + abi , + include include include diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/common/apt index 77c5a0b7e..5dd8b26bc 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/common/apt @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index 711117f6d..7f337aff3 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -7,6 +7,8 @@ # - the flag: attach_disconnected # - bwrap execution: '@{bin}/bwrap rix,' + abi , + userns, capability net_admin, diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index cad07669a..9fba7b8bb 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium 
@@ -6,6 +6,8 @@ # This abstraction is for chromium based application. Chromium based browsers # need to use abstractions/chromium instead. + abi , + userns, capability setgid, # If kernel.unprivileged_userns_clone = 1 diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index da792131d..7bfae1ffa 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -12,6 +12,8 @@ # @{cache_dirs} = @{user_cache_dirs}/@{name} # + abi , + include include include diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 678327f09..3b4a982f1 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -10,6 +10,8 @@ # (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d") # - @{user_games_dirs} for user specific game directories (eg: steam storage dir) + abi , + include include include diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index 653221e1d..ccb5de8b3 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -4,6 +4,8 @@ # Minimal set of rules for all gnome based UI application. + abi , + include include include diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game index 4bd211f27..b3c66e035 100644 --- a/apparmor.d/abstractions/common/steam-game +++ b/apparmor.d/abstractions/common/steam-game @@ -2,6 +2,8 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include @{lib_dirs}/ r, diff --git a/apparmor.d/abstractions/common/systemd b/apparmor.d/abstractions/common/systemd index 34e9be9d7..df138bf6c 100644 --- a/apparmor.d/abstractions/common/systemd +++ b/apparmor.d/abstractions/common/systemd 
@@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + ptrace read peer=@{p_systemd}, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, diff --git a/apparmor.d/abstractions/dconf-write b/apparmor.d/abstractions/dconf-write index 41145e512..b83a585e2 100644 --- a/apparmor.d/abstractions/dconf-write +++ b/apparmor.d/abstractions/dconf-write @@ -5,6 +5,8 @@ # Permissions for querying dconf settings with write access; use the dconf # abstraction first, and dconf-write only for specific application's profile. + abi , + dbus send bus=session path=/ca/desrt/dconf/Writer/user interface=ca.desrt.dconf.Writer member=Change diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home index 1f1047cec..4291762a4 100644 --- a/apparmor.d/abstractions/deny-sensitive-home +++ b/apparmor.d/abstractions/deny-sensitive-home @@ -11,6 +11,8 @@ # The only legitimate use in this project is for file browser and search engine. + abi , + # User defined private directories deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index ae585999b..a9a3665d2 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -7,6 +7,8 @@ # When supported in apparmor, condition will be used in this abstraction to filter # resources specific for supported DE. + abi , + include include include diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb index 5a2a8b742..1a85a0100 100644 --- a/apparmor.d/abstractions/devices-usb +++ b/apparmor.d/abstractions/devices-usb @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + /dev/ r, /dev/bus/usb/ r, /dev/bus/usb/@{int}/ r, 
diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 10beb258d..10cf0c90b 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -5,6 +5,8 @@ # The /sys/ entries probably should be tightened + abi , + /dev/ r, /dev/block/ r, /dev/disk/{,*/} r, diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index 361b60d82..bd34a6f42 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -5,6 +5,8 @@ # The /sys/ entries probably should be tightened + abi , + /dev/ r, /dev/block/ r, /dev/disk/{,*/} r, diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri index a1eb1cd41..af634ff91 100644 --- a/apparmor.d/abstractions/dri +++ b/apparmor.d/abstractions/dri @@ -6,6 +6,8 @@ # Linux graphics stack which allows unprivileged user-space programs to issue # commands to graphics hardware without conflicting with other programs. + abi , + @{lib}/dri/** mr, @{lib}/@{multiarch}/dri/** mr, @{lib}/fglrx/dri/** mr, diff --git a/apparmor.d/abstractions/fish b/apparmor.d/abstractions/fish index fe3cab891..2ae6ab93d 100644 --- a/apparmor.d/abstractions/fish +++ b/apparmor.d/abstractions/fish @@ -5,6 +5,8 @@ # This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. + abi , + /usr/share/fish/{,**} r, /etc/fish/{,**} r, diff --git a/apparmor.d/abstractions/fontconfig-cache-read b/apparmor.d/abstractions/fontconfig-cache-read index 216075648..306787378 100644 --- a/apparmor.d/abstractions/fontconfig-cache-read +++ b/apparmor.d/abstractions/fontconfig-cache-read @@ -9,6 +9,8 @@ # fontconfig cache if some cache files are missing, so if this behavior is desirable, you can use # the "fontconfig-cache-write" abstraction. + abi , + owner @{user_cache_dirs}/fontconfig/ r, deny @{user_cache_dirs}/fontconfig/ w, deny @{user_cache_dirs}/fontconfig/** w, 
diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write index 19fa7c53a..922a15a6a 100644 --- a/apparmor.d/abstractions/fontconfig-cache-write +++ b/apparmor.d/abstractions/fontconfig-cache-write @@ -3,6 +3,8 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{user_cache_dirs}/fontconfig/ rw, owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw, owner @{user_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk, diff --git a/apparmor.d/abstractions/glfw b/apparmor.d/abstractions/glfw index f52fb926d..5dbda197d 100644 --- a/apparmor.d/abstractions/glfw +++ b/apparmor.d/abstractions/glfw @@ -2,6 +2,8 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{run}/user/@{uid}/glfw-shared-@{rand6} rw, include if exists diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index ed3f2f4c0..27d648247 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -2,6 +2,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include include include diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index 9b7954f0d..101fe1b45 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include include include diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index fe2d2001c..1f2b0ffd2 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 
diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 4a5deb7c4..b9f1cbadd 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + @{lib}/@{multiarch}/libproxy/*/modules/*.so mr, @{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr, @{lib}/frei0r-@{int}/*.so mr, diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 11e897aba..490cf48a1 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include include include diff --git a/apparmor.d/abstractions/nameservice-strict b/apparmor.d/abstractions/nameservice-strict index 0cac5a1a2..5f49a63d9 100644 --- a/apparmor.d/abstractions/nameservice-strict +++ b/apparmor.d/abstractions/nameservice-strict @@ -6,6 +6,8 @@ # Many programs wish to perform nameservice-like operations, such as looking up # users by name or id, groups by name or id, hosts by name or IP, etc. + abi , + include @{etc_ro}/default/nss r, @@ -33,6 +35,6 @@ @{run}/systemd/resolve/resolv.conf r, @{run}/systemd/resolve/stub-resolv.conf r, - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index 6521c9840..6069ddd9a 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -2,6 +2,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, /usr/share/nvidia/nvidia-application-profiles-* r, diff --git a/apparmor.d/abstractions/qt5-shader-cache b/apparmor.d/abstractions/qt5-shader-cache index e43ca64e1..d40aa3766 100644 --- a/apparmor.d/abstractions/qt5-shader-cache 
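Review bot: The old and new `include if exists` lines in the second nameservice-strict hunk (`@@ -33,6 +35,6 @@`) are indistinguishable as rendered, so whatever changed lives inside the stripped angle-bracketed include target and cannot be reviewed from this page. Please confirm in the raw file that the new target is the intended local-override path and that it was not changed by accident while the abi rule was added, since a mistyped target under `include if exists` fails silently rather than at parse time.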
+++ b/apparmor.d/abstractions/qt5-shader-cache @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{user_cache_dirs}/ w, owner @{user_cache_dirs}/qtshadercache/ rw, owner @{user_cache_dirs}/qtshadercache/#@{int} rw, diff --git a/apparmor.d/abstractions/shells b/apparmor.d/abstractions/shells index b269f2335..35d3a580a 100644 --- a/apparmor.d/abstractions/shells +++ b/apparmor.d/abstractions/shells @@ -5,6 +5,8 @@ # This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. + abi , + include include include diff --git a/apparmor.d/abstractions/thumbnails-cache-read b/apparmor.d/abstractions/thumbnails-cache-read index dc164c6ba..adb80dd4d 100644 --- a/apparmor.d/abstractions/thumbnails-cache-read +++ b/apparmor.d/abstractions/thumbnails-cache-read @@ -3,6 +3,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{user_cache_dirs}/thumbnails/ r, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ r, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ r, diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write index 01de0407e..5a31de221 100644 --- a/apparmor.d/abstractions/thumbnails-cache-write +++ b/apparmor.d/abstractions/thumbnails-cache-write @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{user_cache_dirs}/thumbnails/ rw, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ rw, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ rw, diff --git a/apparmor.d/abstractions/trash-strict b/apparmor.d/abstractions/trash-strict index 1f4202818..a2b024d3e 100644 --- a/apparmor.d/abstractions/trash-strict +++ b/apparmor.d/abstractions/trash-strict 
@@ -9,6 +9,8 @@ # There is no 'owner' rule on expunged folders because some internally sandboxed # app (using bwrap) run on a different private user. + abi , + owner @{user_config_dirs}/#@{int} rwk, owner @{user_config_dirs}/trashrc rw, owner @{user_config_dirs}/trashrc.* rwl, diff --git a/apparmor.d/abstractions/uim b/apparmor.d/abstractions/uim index 03ae9e3e8..88d75ec15 100644 --- a/apparmor.d/abstractions/uim +++ b/apparmor.d/abstractions/uim @@ -3,6 +3,8 @@ # Copyright (C) 2024 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only + abi , + /usr/share/uim/* r, /var/lib/uim/* r, diff --git a/apparmor.d/abstractions/user-download-strict b/apparmor.d/abstractions/user-download-strict index 3feed5cd8..ab0e05f0a 100644 --- a/apparmor.d/abstractions/user-download-strict +++ b/apparmor.d/abstractions/user-download-strict @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{HOME}/@{XDG_DESKTOP_DIR}/ w, owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ w, diff --git a/apparmor.d/abstractions/user-read b/apparmor.d/abstractions/user-read index 4187ab9e2..bd350186b 100644 --- a/apparmor.d/abstractions/user-read +++ b/apparmor.d/abstractions/user-read @@ -4,6 +4,8 @@ # Warning: This abstraction gives unrestricted read access on all non hidden user directories. + abi , + owner @{HOME}/ r, owner @{MOUNTS}/ r, diff --git a/apparmor.d/abstractions/user-read-strict b/apparmor.d/abstractions/user-read-strict index 5211b0345..f7eb186b5 100644 --- a/apparmor.d/abstractions/user-read-strict +++ b/apparmor.d/abstractions/user-read-strict @@ -5,6 +5,8 @@ # This abstraction gives read access on all defined user directories. It should # only be used if access to **ALL** folders is required. + abi , + owner @{HOME}/ r, owner @{MOUNTS}/ r, diff --git a/apparmor.d/abstractions/user-write-strict b/apparmor.d/abstractions/user-write-strict index 223fc660a..026825b27 100644 --- a/apparmor.d/abstractions/user-write-strict 
+++ b/apparmor.d/abstractions/user-write-strict @@ -5,6 +5,8 @@ # This abstraction gives write only access on all defined user directories. It should # only be used if access to **ALL** folders is required. + abi , + owner @{HOME}/ r, owner @{MOUNTS}/ r, diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict index 7dbb8f424..edb258288 100644 --- a/apparmor.d/abstractions/vulkan-strict +++ b/apparmor.d/abstractions/vulkan-strict @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + /usr/share/egl/egl_external_platform.d/{,*.json} r, /usr/share/glvnd/egl_vendor.d/{,*.json} r, /usr/share/libdrm/*.ids r, diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index 067de9148..0d510a3fe 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include include include diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index 15711713c..a22895c91 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -6,6 +6,8 @@ # This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. + abi , + @{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr, /usr/share/zsh/{,**} r,