Alexandre Pujol
7a53fc3a99
feat(profile): general update.
2024-09-18 18:10:27 +01:00
Alexandre Pujol
cc139f1144
feat(abs): update kde abs with common access.
2024-09-18 18:01:16 +01:00
Alexandre Pujol
619aa709f1
feat(abs): add iceauth to X-strict.
2024-09-18 17:06:04 +01:00
Alexandre Pujol
7858cae330
feat(profile): torbrowser: do not give access to user dirs by default.
...
- Remove read-only access to most user dirs.
- Remove read-write access to download directories.
fix #490
2024-09-16 13:36:29 +01:00
Alexandre Pujol
09401567a4
feat(profile): base the thunderbird profile from firefox.
2024-09-13 22:39:43 +01:00
Alexandre Pujol
b03b9b05eb
feat(profile): improve kde integration.
...
see #484
2024-09-13 20:41:22 +01:00
Alexandre Pujol
db064b651e
feat(profile): general update.
2024-09-13 19:47:07 +01:00
Alexandre Pujol
18010b266d
feat(profile): firefox: update dbus & move stacked profile outside of the abs.
2024-09-12 22:17:37 +01:00
Alexandre Pujol
64c2ee5fe9
feat(abs): add app/bus
...
Useful to confine dbus access in scripts.
2024-09-11 19:48:31 +01:00
Alexandre Pujol
c2bc55dc46
feat(profile): general update.
2024-09-09 20:53:12 +01:00
Alexandre Pujol
bb1c4e0537
feat(profile): modernise the crontab profile.
...
fix #428
2024-08-28 19:19:21 +01:00
Alexandre Pujol
788d865939
feat(profile): general update.
2024-08-20 20:56:58 +01:00
Alexandre Pujol
93313422bd
feat(profile): update kde profiles on openSUSE Tumbleweed.
...
See #424
2024-08-20 18:49:52 +01:00
Alexandre Pujol
52a2ae8c23
feat(profile): general update.
...
see #422
2024-07-20 13:13:27 +01:00
Alexandre Pujol
6cd01064ae
feat(profile): general update.
2024-07-15 23:12:39 +01:00
Alexandre Pujol
2e127ace4b
feat(abs): general update.
2024-06-23 11:17:56 +01:00
Alexandre Pujol
856a9a467e
feat(profile): improve chromium tmp file restriction.
2024-06-23 11:17:01 +01:00
Alexandre Pujol
747292e954
fix: remove useless audit mode on chromium.
2024-06-16 22:53:16 +01:00
Alexandre Pujol
13b35b156e
feat(abs): add the app/kmod abstraction.
2024-06-16 21:50:48 +01:00
REmerald
c1d531525a
fix(abstractions, tunables): move vim modeline
...
Move vim syntax comment to the end of the file, separated by newline, as requested in #380.
2024-06-15 22:01:25 +01:00
REmerald
1206692e51
feat(abstractions): vim syntax highlighting
...
Add vim syntax support. See man apparmor.vim(5)
2024-06-15 22:00:29 +01:00
Alexandre Pujol
275b77d2ac
fix: profile compilation.
2024-06-15 21:59:31 +01:00
Alexandre Pujol
035e1da7b2
feat(abs): add udevadm app abstraction.
2024-06-15 21:59:31 +01:00
REmerald
eb480672f3
fix(abstractions, tunables): move vim modeline
...
Move vim syntax comment to the end of the file, separated by newline, as requested in #380.
2024-06-15 21:59:31 +01:00
REmerald
6b5475c7f2
feat(abstractions): vim syntax highlighting
...
Add vim syntax support. See man apparmor.vim(5)
2024-06-15 21:57:49 +01:00
Alexandre Pujol
ff88400b22
feat(abs): minor cleanup.
2024-06-11 23:18:07 +01:00
Alexandre Pujol
222685c029
feat(profile): use the cups-client more often.
2024-06-10 23:51:38 +01:00
Alexandre Pujol
bb6df870bb
chore: cleanup opensc debian structure.
2024-06-10 23:43:55 +01:00
curiosityseeker
ec25a155db
Chromium based browsers: add stacking for crashpad handler (#366)
...
* Update chromium abs: remove crashpad-handler
* Update brave: add stacking for crashpad-handler
* Update chrome: add stacking for crashpad-handler
* Update chromium: add stacking for crashpad-handler
* Update msedge: add stacking for crashpad-handler
* Rename msedge-crashpad-handlers to msedge-crashpad-handler
2024-06-07 18:26:39 +00:00
Alexandre Pujol
ff16790421
feat(abs): general update.
2024-06-03 18:37:12 +01:00
Alexandre Pujol
45ae8f5d27
feat(abs): add pgrep.
2024-05-30 21:08:03 +01:00
curiosityseeker
94d9570230
Firefox: using stacking for glxtest and vaapitest (#337)
...
The current implementation results in the following errors for the Firefox profile:
@{lib}/firefox/glxtest rix -> firefox-glxtest, # no new privs
@{lib}/firefox/vaapitest rix -> firefox-vaapitest, # no new privs
Using stacking as suggested on https://apparmor.pujol.io/development/structure/#no-new-privileges gets rid of these errors.
2024-05-29 20:41:01 +00:00
doublez13
4256e11492
editor abstraction: minor additions
...
Add any one-off rules covered in the other editor profiles before converting those to the abstraction.
2024-05-16 15:44:29 +01:00
Alexandre Pujol
58e458f4ab
feat(profile): add the app/firefox abstraction.
2024-05-15 23:13:23 +01:00
Alexandre Pujol
f5ac8cd4a1
feat(profile): improve dbus rule in chromium based profiles.
2024-05-15 23:07:05 +01:00
Alexandre Pujol
ad960d477b
feat(profile): replace former regex by the new @{user} variable.
2024-05-15 17:22:20 +01:00
doublez13
479d04abac
Update and move abstractions/editor to abstractions/app/editor
2024-05-12 17:34:33 +01:00
Alexandre Pujol
1739c07ca1
feat(profile): general update.
2024-05-11 17:38:43 +01:00
Alexandre Pujol
4d29127d57
feat(profile): rewrite the child-open* profiles.
2024-05-11 12:13:57 +01:00
Alexandre Pujol
d544c386f7
fix(profile): ensure PAM & systemd-homed compatibility.
...
see #321
2024-05-05 17:42:32 +01:00
Alexandre Pujol
f38f1ad651
feat(profile): improve kde profiles.
2024-05-04 00:21:03 +01:00
Alexandre Pujol
40abc98201
feat(profile): general update.
2024-05-03 18:16:12 +01:00
Alexandre Pujol
3f69b9fec4
feat(profile): use the new @{tmp} variable.
...
It is only used with the owner statement.
2024-05-02 22:12:02 +01:00
Jose Maldonado aka Yukiteru
0a941e7d87
Fix for access video devices and opensc in Chromium profile
...
This commit fixes two issues for abstractions/app/chromium
1.- Access to /dev/video (not merged in last commit)
2.- Access to /etc/opensc/opensc.conf in Debian (and derivatives)
2024-05-01 11:40:32 +01:00
Jose Maldonado aka Yukiteru
d0ea5f50a3
New profile for Microsoft Edge and better support in abstractions/app/chromium
...
This commit adds a new profile for the Microsoft Edge browser and variants (beta, dev).
The new profile is based on the actual chrome profile. Tested with actual Edge, in
Debian Stable and enforced rules. All ok using GPU Rasterization and Vulkan, not
HWAccel for encoding video because this is very unstable yet in all Chromium based
browsers.
Add support for libpam-tmpdir for abstractions/app/chromium and all browsers using
this abstraction (Chrome, Chromium, Edge, and others). This fixes access and use
of the browser with libpam-tmpdir installed (Debian and Whonix)
Fix a denied access to RADV user cache (Vulkan-amdgpu) in abstractions/app/chromium
(Vulkan is optional in Chromium-based browsers, but the backend is
perfectly usable now).
2024-05-01 11:40:32 +01:00
Alexandre Pujol
65d0cfafe4
feat(profile): general update.
2024-04-28 13:50:48 +01:00
Jose Maldonado aka Yukiteru
2f3d55e924
Fix out-of-scope in abstractions/video and bad use abstraction in chromium
2024-04-27 23:51:48 +01:00
Jose Maldonado aka Yukiteru
3291fa7f8f
Better support for Qt in abstractions/chromium
2024-04-27 23:51:48 +01:00
Alexandre Pujol
5c6f9c51b5
feat(abs): cleanup sudo abs.
2024-04-05 23:48:03 +01:00
Alexandre Pujol
095254864f
feat(profile): general update.
2024-04-03 21:04:18 +01:00