REmerald
6b5475c7f2
feat(abstractions): vim syntax highlighting
...
Add vim syntax support. See man apparmor.vim(5)
2024-06-15 21:57:49 +01:00
Alexandre Pujol
6c1cdf4d58
fix: ensure btop can send signal
...
fix #385
2024-06-14 21:10:02 +01:00
Alexandre Pujol
117e63d88f
fix: ensure filter directive gets cleaned on build.
2024-06-14 20:50:17 +01:00
Alexandre Pujol
56464d24bf
fix: xdg-desktop-portal breaks screensharing
...
fix #376
2024-06-12 22:18:02 +01:00
Alexandre Pujol
ff88400b22
feat(abs): minor cleanup.
2024-06-11 23:18:07 +01:00
Alexandre Pujol
6d549b7c70
feat(profile): rewrite steam profiles.
...
- Separate profile for sandboxes.
- Separate profile for native and proton games.
- Updated path dirs
- tested on arch & debian.
Note: these profiles are still in alpha stage and disabled by default.
2024-06-11 00:21:29 +01:00
Alexandre Pujol
08a1aba39d
feat(abs): bwrap: add special mount rule for debian.
2024-06-11 00:01:46 +01:00
Alexandre Pujol
b4407fb7f8
feat(abs): wayland: add ibus shared file.
2024-06-10 23:53:31 +01:00
Alexandre Pujol
0d8afd21e3
feat(abs): vulkan: allow empty vulkan home dir.
2024-06-10 23:52:40 +01:00
Alexandre Pujol
222685c029
feat(profile): use the cups-client more often.
2024-06-10 23:51:38 +01:00
Alexandre Pujol
bb6df870bb
chore: cleanup opensc debian structure.
2024-06-10 23:43:55 +01:00
Alexandre Pujol
5c8dda1ced
feat(profile): remove rule moved in the base or nameservice abstraction.
2024-06-08 22:49:28 +01:00
REmerald
8009c1b9b9
fix(authentication.d/complete): add missing copyright ( #370 )
...
* fix(authentication.d/complete): add missing copyright
* fix(authentication.d/complete): remove first copyright author
Remove the original author from the copyright comment as his file is different and doesn't include his copyright as well. https://gitlab.com/morfikov/apparmemall/-/blob/master/apparmor.d/abstractions/authentication
2024-06-07 23:04:25 +00:00
curiosityseeker
ec25a155db
Chromium based browsers: add stacking for crashpad handler ( #366 )
...
* Update chromium abs: remove crashpad-handler
* Update brave: add stacking for crashpad-handler
* Update chrome: add stacking for crashpad-handler
* Update chromium: add stacking for crashpad-handler
* Update msedge: add stacking for crashpad-handler
* Rename msedge-crashpad-handlers to msedge-crashpad-handler
2024-06-07 18:26:39 +00:00
Alexandre Pujol
921156c846
fix(profile): pavucontrol
...
fix #371
2024-06-07 19:25:22 +01:00
Alexandre Pujol
503e83a896
fix: steam support on flatpak.
...
fix #368
2024-06-07 17:10:54 +01:00
Alexandre Pujol
13d3b23a04
fix(opensuse): ensure integration on opensuse.
2024-06-04 19:52:56 +01:00
Alexandre Pujol
ff16790421
feat(abs): general update.
2024-06-03 18:37:12 +01:00
Alexandre Pujol
45ae8f5d27
feat(abs): add pgrep.
2024-05-30 21:08:03 +01:00
fira959
d12db8a8dc
Minor improvements ( #336 )
...
* Update audio-client
* Update mpv
* Update mutt
add common mail dir
* Update apparmor.d
* Update mutt
* Update mutt
* Update mutt
* Update mutt
* Update mutt
2024-05-30 17:51:57 +00:00
curiosityseeker
adccd0066a
Fix typo in @{text_edirors} ( #338 )
...
* Fix typo in multiarch.d/programs
* Fix typo in multiarch.d/paths
* Fix typo in abstractions/app-open
2024-05-29 20:41:23 +00:00
curiosityseeker
94d9570230
Firefox: using stacking for glxtest and vaapitest ( #337 )
...
The current implementation results in the following errors for the Firefox profile:
@{lib}/firefox/glxtest rix -> firefox-glxtest, # no new privs
@{lib}/firefox/vaapitest rix -> firefox-vaapitest, # no new privs
Using stacking as suggested on https://apparmor.pujol.io/development/structure/#no-new-privileges gets rid of these errors.
2024-05-29 20:41:01 +00:00
Alexandre Pujol
c785b41451
feat(profile): general update.
2024-05-18 22:35:05 +01:00
doublez13
4256e11492
editor abstraction: minor additions
...
Add any one-off rules covered in the other editor profiles before converting those to the abstraction.
2024-05-16 15:44:29 +01:00
Alexandre Pujol
58e458f4ab
feat(profile): add the app/firefox abstraction.
2024-05-15 23:13:23 +01:00
Alexandre Pujol
f5ac8cd4a1
feat(profile): improve dbus rule in chromium based profiles.
2024-05-15 23:07:05 +01:00
Alexandre Pujol
ad960d477b
feat(profile): replace former regex by the new @{user} variable.
2024-05-15 17:22:20 +01:00
Alexandre Pujol
855f25da9b
feat(tunable): add hex38.
2024-05-14 12:55:57 +01:00
Alexandre Pujol
7b25ed1913
Merge branch 'main' of github.com:roddhjav/apparmor.d
...
* 'main' of github.com:roddhjav/apparmor.d:
Task: Update abstraction path
Mutt: Update abstraction path
Update and move abstractions/editor to abstractions/app/editor
Task: Use editor abstraction
Mutt: Use editor abstraction
Create editor abstraction
2024-05-13 20:37:12 +01:00
Alexandre Pujol
8f102dea0a
feat(profile): general update.
2024-05-13 20:35:11 +01:00
doublez13
479d04abac
Update and move abstractions/editor to abstractions/app/editor
2024-05-12 17:34:33 +01:00
doublez13
e38f2ac721
Create editor abstraction
...
I'm counting seven profiles that have a child profile named "editor" that all include roughly the same boilerplate policies. Let's abstract it out.
2024-05-12 17:34:33 +01:00
Alexandre Pujol
1739c07ca1
feat(profile): general update.
2024-05-11 17:38:43 +01:00
Alexandre Pujol
4d29127d57
feat(profile): rewrite the child-open* profiles.
2024-05-11 12:13:57 +01:00
Alexandre Pujol
bed9545082
feat(profile): general update.
2024-05-08 20:08:41 +01:00
Alexandre Pujol
7963a65a88
feat(profile): add support for terminal in flatpak app.
...
- Sandbox's security is managed by flatpak
- The app stays confined under the (not really strict) flatpak-app profile
- User shell runs unconfined (under the `user_unconfined` profile)
Running a terminal as a flatpak app provides less security than as a normal app.
This is because the shell runs under the user_unconfined profile, which will purposely
not transition to any other profile, while a shell from a classic terminal will
transition to any profile it can, and thus would get restricted. In other words,
running `apt` inside flatpak would run under the `user_unconfined` profile, while it
would use the `apt` profile outside the sandbox.
fix #314
2024-05-08 15:48:14 +01:00
Alexandre Pujol
9a2f4b5dbe
feat(abs): improve some common user abstraction.
2024-05-07 16:10:09 +01:00
Jose Maldonado aka Yukiteru
1c6f7dd1c2
Fix recent error in abstractions/thumbnails-cache-read
...
Sorry, in the previous commit I introduced an error in
abstractions/thumbnails-cache-read that prevented this abstraction
from working correctly after a restart and complete reload of
the profiles (after a new installation from Git).
This commit fixes the bug and with it must also pass the repository tests.
2024-05-07 15:55:09 +01:00
Jose Maldonado aka Yukiteru
2f3c4574ec
Fix access to thumbnail cache dirs in abstractions
...
gsd-housekeepin in GNOME has access to @{user_cache_dirs} for
searching thumbnail files and executing one task
for cleaning these files every day.
The actual abstractions/thumbnails-cache-write fails to grant
this access, especially to various folders in
the thumbnail cache (ex: fail folder).
These changes fix this access. For convenience,
abstractions/thumbnails-cache-read has the same access
structure for files/folders as well, but only read permissions.
2024-05-07 15:55:09 +01:00
Alexandre Pujol
03dd5fe4cd
feat(profile): improve xfce profiles stack.
2024-05-07 00:04:07 +01:00
Alexandre Pujol
c2d786200f
feat(profile): cleanup xsession logs.
2024-05-06 20:47:08 +01:00
Alexandre Pujol
4b4e14b1d6
fix(profile): various fix & cleanup
2024-05-06 20:33:01 +01:00
Alexandre Pujol
e2c69f18fa
Merge branch 'feat/update' of https://github.com/Jeroen0494/apparmor.d into Jeroen0494-feat/update
...
* 'feat/update' of https://github.com/Jeroen0494/apparmor.d :
Cleanup
Remove temp
Various updates all over
Various profile updates
2024-05-06 20:08:13 +01:00
Alex
f75e5047df
Merge branch 'main' into feat/update
2024-05-06 19:56:11 +01:00
Alexandre Pujol
3b41ee93dc
feat(tunable): add the user defined private directories
...
- Add @{XDG_PRIVATE_DIR} & @{user_private_dirs}
- These directories are denied in file browser and search engine.
2024-05-06 19:21:04 +01:00
Alexandre Pujol
89f896a0fd
feat(profile): cleanup flatpak share access.
2024-05-05 18:17:52 +01:00
Alexandre Pujol
d544c386f7
fix(profile): ensure PAM & systemd-homed compatibility.
...
see #321
2024-05-05 17:42:32 +01:00
Alexandre Pujol
f38f1ad651
feat(profile): improve kde profiles.
2024-05-04 00:21:03 +01:00
Alexandre Pujol
40abc98201
feat(profile): general update.
2024-05-03 18:16:12 +01:00
Alexandre Pujol
3f69b9fec4
feat(profile): use the new @{tmp} variable.
...
It is only used with the owner statement.
2024-05-02 22:12:02 +01:00