Compare commits


No commits in common. "main" and "aa" have entirely different histories.
main ... aa

2338 changed files with 18951 additions and 38507 deletions


@ -3,61 +3,48 @@ name: Ubuntu
on: [push, pull_request, workflow_dispatch]
jobs:
check:
runs-on: ubuntu-24.04
steps:
- name: Check out repository code
uses: actions/checkout@v4
- name: Install linter dependencies
run: |
pipx install rust-just
echo "$HOME/.local/bin" >> $GITHUB_PATH
- name: Run basic profile linter check
run: |
just check
build:
runs-on: ${{ matrix.os }}
needs: check
strategy:
matrix:
include:
- os: ubuntu-24.04
mode: default
- os: ubuntu-24.04
mode: full-system-policy
os:
# - ubuntu-24.04
- ubuntu-22.04
mode:
- default
- full-system-policy
steps:
- name: Check out repository code
uses: actions/checkout@v4
- name: Install Build dependencies
- name: Install Build dependencies
run: |
sudo apt-get update -q
sudo apt-get install -y \
devscripts debhelper config-package-dev \
auditd apparmor-profiles apparmor-utils
pipx install rust-just
echo "$HOME/.local/bin" >> $GITHUB_PATH
sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real
- name: Build the apparmor.d package
run: |
if [[ ${{ matrix.mode }} == full-system-policy ]]; then
sed -e "s/just complain/just fsp-complain/" -i debian/rules
echo -e "\noverride_dh_auto_build:\n\tmake full" >> debian/rules
fi
bash dists/build.sh dpkg
VERSION="0.$(git rev-list --count HEAD)-1"
dch --newversion="$VERSION" --urgency=medium --distribution=stable --controlmaint "Release $VERSION"
dpkg-buildpackage -b -d --no-sign
- name: Install apparmor.d
run: sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true
run: sudo dpkg --install ../apparmor.d_*_amd64.deb || true
- name: Reload AppArmor
run: |
if ! sudo systemctl restart apparmor.service; then
sudo journalctl -xeu apparmor.service
exit 1
fi
run: |
sudo systemctl restart apparmor.service || true
sudo systemctl status apparmor.service
- name: Ensure compatibility with some AppArmor userspace tools
run: sudo aa-enforce /etc/apparmor.d/aa-notify
- name: Show AppArmor log and rules
run: |
@ -67,83 +54,3 @@ jobs:
- name: Show Number of loaded profile
run: sudo aa-status --profiled
- name: Cache the build package
if: matrix.mode == 'default' && matrix.os == 'ubuntu-24.04'
uses: actions/cache/save@v4
with:
path: .pkg/apparmor.d_*_amd64.deb
key: ${{ matrix.os }}-${{ matrix.mode }}-${{ hashFiles('.pkg/apparmor.d_*_amd64.deb') }}
tests:
runs-on: ubuntu-24.04
needs: build
if: github.ref_name == 'dev' || github.event_name == 'workflow_dispatch'
steps:
- name: Check out repository code
uses: actions/checkout@v4
- name: Restore the cached build package
uses: actions/cache/restore@v4
with:
fail-on-cache-miss: true
path: .pkg/apparmor.d_*_amd64.deb
key: ubuntu-24.04-default-${{ hashFiles('.pkg/apparmor.d_*_amd64.deb') }}
restore-keys: |
ubuntu-24.04-default-
- name: Install Tests dependencies
run: |
sudo apt-get update -q
sudo apt-get install -y \
apparmor-profiles apparmor-utils \
bats bats-support
pipx install rust-just
echo "$HOME/.local/bin" >> $GITHUB_PATH
- name: Install apparmor.d
run: |
sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true
sudo systemctl restart apparmor.service
sudo systemctl daemon-reload
systemctl --user daemon-reload
- name: Restart some services to ensure they are confined
run: |
services=(
containerd cron
dbus docker
ModemManager multipathd
networkd-dispatcher
packagekit polkit
snapd
systemd-journald systemd-hostnamed systemd-logind systemd-networkd
systemd-resolved systemd-udevd
udisks2
)
sudo systemctl daemon-reload
for service in "${services[@]}"; do
sudo systemctl restart "$service" || systemctl status "$service.service" || true
done
systemctl restart --user dbus || systemctl status --user "dbus.service" || true
sudo ps auxZ | grep -v '\[.*\]'
sudo aa-log -s --raw
- name: Install integration dependencies
run: |
just init
find /usr/sbin/ -type f
- name: Run the integration tests
run: |
just integration
- name: Show final AppArmor logs
if: always()
run: |
sudo aa-log -s --raw
- name: Show final processes security context
if: always()
run: |
sudo ps auxZ | grep -v '\[.*\]'
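Review bot: In the Reload AppArmor step, `sudo systemctl restart apparmor.service || true` followed by `sudo systemctl status apparmor.service` lets a failed profile load pass the job, and the Install apparmor.d step already masks a failed `dpkg --install` with `|| true`, so nothing in the build job fails when the freshly built profiles do not parse or load. The two `run:` variants under that step are printed without markers; the -61/+48 counts and print order suggest the `|| true` form is the side under review, while the other form exits 1 after dumping the journal. Make the restart failure propagate, e.g. `sudo systemctl restart apparmor.service || { sudo systemctl status apparmor.service; exit 1; }`. The second hunk appears to drop the `tests` job entirely (83 lines to 3), which would leave the `aa-enforce` and `aa-status` steps as the only post-install checks in this workflow.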

.gitignore vendored

@ -1,7 +1,6 @@
# Build
.build
.logs
.pkg
tests/tldr
tests/tldr.tar.gz


@ -4,7 +4,7 @@ include:
- template: Security/SAST.gitlab-ci.yml
variables:
PKGDEST: $CI_PROJECT_DIR/.pkg
PKGDEST: $CI_PROJECT_DIR/packages
PACKAGER: 'Alexandre Pujol <alexandre@pujol.io>'
stages:
@ -23,14 +23,14 @@ bash:
image: koalaman/shellcheck-alpine
script:
- shellcheck --shell=bash
PKGBUILD dists/build.sh dists/docker.sh tests/check.sh
tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh
PKGBUILD dists/build.sh dists/docker.sh
tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh
golangci-lint:
stage: lint
image: golangci/golangci-lint
script:
- golangci-lint run
- golangci-lint run --skip-dirs pkg/paths
packer:
stage: lint
@ -54,6 +54,7 @@ tests:
image: golang
coverage: '/Coverage: \d+.\d+/'
script:
- apt update && apt install -y rsync
- cp tests/journalctl /usr/bin/journalctl
- chmod 755 /usr/bin/journalctl
- mkdir -p /var/log/audit/
@ -62,11 +63,6 @@ tests:
- go test $(go list ./pkg/... | grep -v /pkg/paths) -v -cover -coverprofile=coverage.out
- go tool cover -func=coverage.out
check:
stage: test
image: registry.gitlab.com/roddhjav/builders/archlinux
script:
- just check
# Package Build
# -------------
@ -84,12 +80,13 @@ archlinux:
debian:
stage: build
image: registry.gitlab.com/roddhjav/builders/debian:trixie
image: registry.gitlab.com/roddhjav/builders/debian
script:
- sudo chown -R build:build /builds/
- git config --global --add safe.directory $CI_PROJECT_DIR
- mkdir -p "$PKGDEST"
- sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl
- sudo apt-get update -q && sudo apt-get install -y config-package-dev rsync
- sudo apt-get install -y -t bookworm-backports golang-go
- bash dists/build.sh dpkg
artifacts:
expire_in: 1 day
@ -98,13 +95,12 @@ debian:
ubuntu:
stage: build
image: registry.gitlab.com/roddhjav/builders/ubuntu:24.04
variables:
GOFLAGS: "-buildvcs=false"
image: registry.gitlab.com/roddhjav/builders/ubuntu
script:
- sudo chown -R ubuntu:ubuntu /builds/
- git config --global --add safe.directory $CI_PROJECT_DIR
- mkdir -p "$PKGDEST"
- sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl
- sudo apt-get update -q && sudo apt-get install -y config-package-dev rsync golang-go
- bash dists/build.sh dpkg
artifacts:
expire_in: 1 day
@ -116,14 +112,14 @@ whonix:
variables:
DISTRIBUTION: whonix
before_script:
- sed -e "s/just complain/just fsp-complain/" -i debian/rules
- echo "\noverride_dh_auto_build:\n\tmake full" >> debian/rules
opensuse:
stage: build
image: registry.gitlab.com/roddhjav/builders/opensuse
script:
- mkdir -p "$PKGDEST"
- sudo zypper install -y distribution-release golang-packaging apparmor-profiles
- sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles
- bash dists/build.sh rpm
artifacts:
expire_in: 1 day
@ -146,7 +142,7 @@ preprocess-archlinux:
preprocess-debian:
stage: preprocess
image: debian:trixie
image: debian
dependencies:
- debian
script:
@ -166,7 +162,7 @@ preprocess-ubuntu:
- dpkg --install $PKGDEST/*
- apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null
.preprocess-whonix:
preprocess-whonix:
extends: preprocess-debian
dependencies:
- whonix
@ -194,7 +190,7 @@ pages:
GIT_DEPTH: 0
script:
- pip install -r requirements.txt
- mkdocs build --site-dir public
- mkdocs build --strict --site-dir public
artifacts:
paths:
- public
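Review bot: The `debian` and `ubuntu` build jobs and `preprocess-debian` appear to switch to untagged images (`registry.gitlab.com/roddhjav/builders/debian`, `registry.gitlab.com/roddhjav/builders/ubuntu`, `debian`), which resolve to whatever `latest` is at run time, so a build is not reproducible and a registry-side change is picked up silently by jobs that then install from `bookworm-backports` and publish artifacts. Print order suggests the tagged variants (`debian:trixie`, `ubuntu:24.04`) are the ones being dropped; if that reading is right, keep an explicit tag or, better, a digest, e.g. `image: registry.gitlab.com/roddhjav/builders/debian:trixie`. The `ubuntu` job also appears to lose `GOFLAGS: "-buildvcs=false"` while still running `git config --global --add safe.directory $CI_PROJECT_DIR`; confirm the Go build does not need the flag under the new image.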


@ -1,15 +1,5 @@
---
version: "2"
linters:
settings:
staticcheck:
checks:
- all
- -SA1019
- -ST1000
exclusions:
paths:
- pkg/paths
- tests/cmd/
linters-settings:
staticcheck:
checks: ["all", "-SA1019" ]

Justfile

@ -1,399 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Usage: `just`
# See https://apparmor.pujol.io/development/ for more information.
# Build settings
destdir := "/"
build := ".build"
pkgdest := `pwd` / ".pkg"
pkgname := "apparmor.d"
# Admin username
username := "user"
# Default admin password
password := "user"
# Disk size of the VM to build
disk_size := "40G"
# Virtual machine CPU
vcpus := "6"
# Virtual machine RAM
ram := "4096"
# Path to the ssh key
ssh_keyname := "id_ed25519"
ssh_privatekey := home_dir() / ".ssh/" + ssh_keyname
ssh_publickey := ssh_privatekey + ".pub"
# Where the VM are stored
vm := home_dir() / ".vm"
# Where the VM images are stored
base_dir := home_dir() / ".libvirt/base"
# Where the packer temporary output is stored
output_dir := base_dir / "packer"
# SSH options
sshopt := "-i " + ssh_privatekey + " -o IdentitiesOnly=yes -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
# Libvirt connection address
c := "--connect=qemu:///system"
# VM prefix
prefix := "aa-"
# Show this help message
help:
@just --list --unsorted
@printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information."
# Build the go programs
[group('build')]
build:
@go build -o {{build}}/ ./cmd/aa-log
@go build -o {{build}}/ ./cmd/prebuild
# Prebuild the profiles in enforced mode
[group('build')]
enforce: build
@./{{build}}/prebuild --buildir {{build}}
# Prebuild the profiles in enforce mode (test)
enforce-test: build
@./{{build}}/prebuild --buildir {{build}} --test
# Prebuild the profiles in complain mode
[group('build')]
complain: build
./{{build}}/prebuild --buildir {{build}} --complain
# Prebuild the profiles in complain mode (test)
complain-test: build
@./{{build}}/prebuild --buildir {{build}} --complain --test
# Prebuild the profiles in FSP mode
[group('build')]
fsp: build
@./{{build}}/prebuild --buildir {{build}} --full
# Prebuild the profiles in FSP mode (complain)
[group('build')]
fsp-complain: build
@./{{build}}/prebuild --buildir {{build}} --complain --full
# Prebuild the profiles in FSP mode (debug)
[group('build')]
fsp-debug: build
@./{{build}}/prebuild --buildir {{build}} --complain --full --debug
# Install prebuild profiles
[group('install')]
install:
#!/usr/bin/env bash
set -eu -o pipefail
install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log
mapfile -t share < <(find "{{build}}/share" -type f -not -name "*.md" -printf "%P\n")
for file in "${share[@]}"; do
install -Dm0644 "{{build}}/share/$file" "{{destdir}}/usr/share/$file"
done
mapfile -t aa < <(find "{{build}}/apparmor.d" -type f -printf "%P\n")
for file in "${aa[@]}"; do
install -Dm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file"
done
mapfile -t links < <(find "{{build}}/apparmor.d" -type l -printf "%P\n")
for file in "${links[@]}"; do
mkdir -p "{{destdir}}/etc/apparmor.d/disable"
cp -d "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file"
done
for file in "{{build}}/systemd/system/"*; do
service="$(basename "$file")"
install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/system/$service.d/apparmor.conf"
done
for file in "{{build}}/systemd/user/"*; do
service="$(basename "$file")"
install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf"
done
# Locally install prebuild profiles
[group('install')]
local +names:
#!/usr/bin/env bash
set -eu -o pipefail
install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log
mapfile -t abs < <(find "{{build}}/apparmor.d/abstractions" -type f -printf "%P\n")
for file in "${abs[@]}"; do
install -Dm0644 "{{build}}/apparmor.d/abstractions/$file" "{{destdir}}/etc/apparmor.d/abstractions/$file"
done;
mapfile -t tunables < <(find "{{build}}/apparmor.d/tunables" -type f -printf "%P\n")
for file in "${tunables[@]}"; do
install -Dm0644 "{{build}}/apparmor.d/tunables/$file" "{{destdir}}/etc/apparmor.d/tunables/$file"
done;
echo "Warning: profile dependencies fallback to unconfined."
for file in {{names}}; do
grep -Ei 'rPx|rpx' "{{build}}/apparmor.d/$file" || true
sed -i -e "s/rPx/rPUx/g" "{{build}}/apparmor.d/$file"
install -Dvm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file"
done;
systemctl restart apparmor || sudo journalctl -xeu apparmor.service
# Prebuild, install, and load a dev profile
[group('install')]
dev name:
go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}`
sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}}
sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service
# Build & install apparmor.d on Arch based systems
[group('packages')]
pkg:
@makepkg --syncdeps --install --cleanbuild --force --noconfirm
# Build & install apparmor.d on Debian based systems
[group('packages')]
dpkg:
@bash dists/build.sh dpkg
@sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb
# Build & install apparmor.d on OpenSUSE based systems
[group('packages')]
rpm:
@bash dists/build.sh rpm
@sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm
# Run the unit tests
[group('tests')]
tests:
@go test ./cmd/... -v -cover -coverprofile=coverage.out
@go test ./pkg/... -v -cover -coverprofile=coverage.out
@go tool cover -func=coverage.out
# Run the linters
[group('linter')]
lint:
golangci-lint run
packer fmt tests/packer/
packer validate --syntax-only tests/packer/
shellcheck --shell=bash \
PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \
tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \
debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm
# Run style checks on the profiles
[group('linter')]
check:
@bash tests/check.sh
# Generate the man pages
[group('docs')]
man:
@pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md
# Build the documentation
[group('docs')]
docs:
@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict
# Serve the documentation
[group('docs')]
serve:
@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve
# Remove all build artifacts
clean:
@rm -rf \
debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \
{{pkgdest}}/{{pkgname}}* {{build}} coverage.out
# Build the package in a clean OCI container
[group('packages')]
package dist:
#!/usr/bin/env bash
set -eu -o pipefail
dist="{{dist}}"
version=""
if [[ $dist =~ ubuntu([0-9]+) ]]; then
version="${BASH_REMATCH[1]}.04"
dist="ubuntu"
elif [[ $dist == debian* ]]; then
version="trixie"
dist="debian"
fi
bash dists/docker.sh $dist $version
# Build the VM image
[group('vm')]
img dist flavor: (package dist)
@mkdir -p {{base_dir}}
packer build -force \
-var dist={{dist}} \
-var flavor={{flavor}} \
-var prefix={{prefix}} \
-var username={{username}} \
-var password={{password}} \
-var ssh_publickey={{ssh_publickey}} \
-var disk_size={{disk_size}} \
-var cpus={{vcpus}} \
-var ram={{ram}} \
-var base_dir={{base_dir}} \
-var output_dir={{output_dir}} \
tests/packer/
# Create the machine
[group('vm')]
create dist flavor:
@cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2
@virt-install {{c}} \
--import \
--name {{prefix}}{{dist}}-{{flavor}} \
--vcpus {{vcpus}} \
--ram {{ram}} \
--machine q35 \
{{ if dist == "archlinux" { "" } else { "--boot uefi" } }} \
--memorybacking source.type=memfd,access.mode=shared \
--disk path={{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2,format=qcow2,bus=virtio \
--filesystem "`pwd`,0a31bc478ef8e2461a4b1cc10a24cc4",accessmode=passthrough,driver.type=virtiofs \
--os-variant "`just _get_osinfo {{dist}}`" \
--graphics spice \
--audio id=1,type=spice \
--sound model=ich9 \
--noautoconsole
# Start a machine
[group('vm')]
up dist flavor:
@virsh {{c}} start {{prefix}}{{dist}}-{{flavor}}
# Stops the machine
[group('vm')]
halt dist flavor:
@virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}}
# Reboot the machine
[group('vm')]
reboot dist flavor:
@virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}}
# Destroy the machine
[group('vm')]
destroy dist flavor:
@virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true
@virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram
@rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2
# Connect to the machine
[group('vm')]
ssh dist flavor:
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}`
# Mount the shared directory on the machine
[group('vm')]
mount dist flavor:
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4'
# Unmout the shared directory on the machine
[group('vm')]
umount dist flavor:
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true'
# List the machines
[group('vm')]
list:
@printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State"
@virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g'
# List the VM images
[group('vm')]
images:
#!/usr/bin/env bash
set -eu -o pipefail
mkdir -p {{base_dir}}
ls -lh {{base_dir}} | awk '
BEGIN {
printf("{{BOLD}}%-18s %-10s %-5s %s{{NORMAL}}\n", "Distribution", "Flavor", "Size", "Date")
}
{
if ($9 ~ /^{{prefix}}.*\.qcow2$/) {
split($9, arr, "-|\\.")
printf("%-18s %-10s %-5s %s %s %s\n", arr[2], arr[3], $5, $6, $7, $8)
}
}
'
# List the VM images that can be created
[group('vm')]
available:
#!/usr/bin/env bash
set -eu -o pipefail
ls -lh tests/cloud-init | awk '
BEGIN {
printf("{{BOLD}}%-18s %s{{NORMAL}}\n", "Distribution", "Flavor")
}
{
if ($9 ~ /^.*\.user-data.yml$/) {
split($9, arr, "-|\\.")
printf("%-18s %s\n", arr[1], arr[2])
}
}
'
# Install dependencies for the integration tests
[group('tests')]
init:
@bash tests/requirements.sh
# Run the integration tests
[group('tests')]
integration name="":
bats --recursive --timing --print-output-on-failure tests/integration/{{name}}
# Install dependencies for the integration tests (machine)
[group('tests')]
tests-init dist flavor:
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init
# Synchronize the integration tests (machine)
[group('tests')]
tests-sync dist flavor:
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/
# Re-synchronize the integration tests (machine)
[group('tests')]
tests-resync dist flavor: (mount dist flavor) \
(tests-sync dist flavor) \
(umount dist flavor)
# Run the integration tests (machine)
[group('tests')]
tests-run dist flavor name="": (tests-resync dist flavor)
ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
bats --recursive --pretty --timing --print-output-on-failure \
/home/{{username}}/Projects/tests/integration/{{name}}
_get_ip dist flavor:
@virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \
head -1 | \
grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}'
_get_osinfo dist:
#!/usr/bin/env python3
osinfo = {
"archlinux": "archlinux",
"debian12": "debian12",
"debian13": "debian13",
"ubuntu22": "ubuntu22.04",
"ubuntu24": "ubuntu24.04",
"ubuntu25": "ubuntu25.04",
"opensuse": "opensusetumbleweed",
}
print(osinfo.get("{{dist}}", "{{dist}}"))

Makefile Normal file

@ -0,0 +1,106 @@
#!/usr/bin/make -f
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
DESTDIR ?= /
BUILD := .build
PKGDEST := /tmp/pkg
PKGNAME := apparmor.d
P = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*)))
.PHONY: all build enforce full install local $(P) pkg dpkg rpm tests lint clean
all: build
@./${BUILD}/prebuild --complain
build:
@go build -o ${BUILD}/ ./cmd/aa-log
@go build -o ${BUILD}/ ./cmd/prebuild
enforce: build
@./${BUILD}/prebuild
full: build
@./${BUILD}/prebuild --complain --full
ROOT = $(shell find "${BUILD}/root" -type f -printf "%P\n")
PROFILES = $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n")
DISABLES = $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n")
install:
@install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
@for file in ${ROOT}; do \
install -Dm0644 "${BUILD}/root/$${file}" "${DESTDIR}/$${file}"; \
done;
@for file in ${PROFILES}; do \
install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
done;
@for file in ${DISABLES}; do \
mkdir -p "${DESTDIR}/etc/apparmor.d/disable"; \
cp -d "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
done;
@for file in ${BUILD}/systemd/system/*; do \
service="$$(basename "$$file")"; \
install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/system/$${service}.d/apparmor.conf"; \
done;
@for file in ${BUILD}/systemd/user/*; do \
service="$$(basename "$$file")"; \
install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \
done
local:
@make
@sudo make install
@sudo systemctl restart apparmor || sudo systemctl status apparmor
ABSTRACTIONS = $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n")
TUNABLES = $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n")
$(P):
@[ -f ${BUILD}/aa-log ] || exit 0; install -Dm755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
@for file in ${ABSTRACTIONS}; do \
install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \
done;
@for file in ${TUNABLES}; do \
install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \
done;
@echo "Warning: profile dependencies fallback to unconfined."
@for file in ${@}; do \
grep 'rPx' "${BUILD}/apparmor.d/$${file}"; \
sed -i -e "s/rPx/rPUx/g" "${BUILD}/apparmor.d/$${file}"; \
install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
done;
@systemctl restart apparmor || systemctl status apparmor
dist ?= archlinux
package:
@bash dists/docker.sh ${dist}
pkg:
@makepkg --syncdeps --install --cleanbuild --force --noconfirm
dpkg:
@bash dists/build.sh dpkg
@sudo dpkg -i ${PKGDEST}/${PKGNAME}_*.deb
rpm:
@bash dists/build.sh rpm
@sudo rpm -ivh --force ${PKGDEST}/${PKGNAME}-*.rpm
tests:
@go test ./cmd/... -v -cover -coverprofile=coverage.out
@go test ./pkg/... -v -cover -coverprofile=coverage.out
@go tool cover -func=coverage.out
lint:
@golangci-lint run
@make --directory=tests lint
@shellcheck --shell=bash \
PKGBUILD dists/build.sh dists/docker.sh \
tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh \
debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm
clean:
@rm -rf \
debian/.debhelper debian/debhelper* debian/*.debhelper debian/${PKGNAME} \
${PKGNAME}-*.pkg.tar.zst.sig ${PKGNAME}-*.pkg.tar.zst coverage.out \
${PKGNAME}_*.* ${PKGNAME}-*.rpm ${BUILD}
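Review bot: `PKGDEST := /tmp/pkg` places the package output at a fixed, predictable path under the world-writable `/tmp`, and the `dpkg` and `rpm` targets then run `sudo dpkg -i ${PKGDEST}/${PKGNAME}_*.deb` and `sudo rpm -ivh --force ${PKGDEST}/${PKGNAME}-*.rpm` on whatever matches the glob there, so on a shared host the first local user to create `/tmp/pkg` decides what is installed as root. Keep the output inside the checkout, as the GitLab CI does with `PKGDEST: $CI_PROJECT_DIR/...`: `PKGDEST := $(CURDIR)/.pkg` (and list the directory in `.gitignore`); this assumes `dists/build.sh` honours the same variable, which the CI usage suggests but this page does not show. Separately, `lint:` runs a bare `golangci-lint run` while `.gitlab-ci.yml` runs it with `--skip-dirs pkg/paths` and excludes `/pkg/paths` from `go test`, so `make lint` and CI will not agree on that directory; `package` is also missing from `.PHONY`.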

PKGBUILD

@ -3,25 +3,19 @@
# Warning: for development only, use https://aur.archlinux.org/packages/apparmor.d-git for production use.
pkgbase=apparmor.d
pkgname=(
apparmor.d
# apparmor.d.enforced
# apparmor.d.fsp apparmor.d.fsp.enforced
# apparmor.d.server apparmor.d.server.enforced
# apparmor.d.server.fsp apparmor.d.server.fsp.enforced
)
pkgver=0.0001
pkgname=apparmor.d
pkgver=0.001
pkgrel=1
pkgdesc="Full set of apparmor profiles"
arch=('x86_64' 'armv6h' 'armv7h' 'aarch64')
url="https://github.com/roddhjav/apparmor.d"
license=('GPL-2.0-only')
depends=('apparmor>=4.1.0' 'apparmor<5.0.0')
makedepends=('go' 'git' 'rsync' 'just')
arch=("x86_64")
url="https://github.com/roddhjav/$pkgname"
license=('GPL2')
depends=('apparmor')
makedepends=('go' 'git' 'rsync')
conflicts=("$pkgname-git")
pkgver() {
cd "$srcdir/$pkgbase"
cd "$srcdir/$pkgname"
echo "0.$(git rev-list --count HEAD)"
}
@ -30,104 +24,16 @@ prepare() {
}
build() {
cd "$srcdir/$pkgbase"
cd "$srcdir/$pkgname"
export CGO_CPPFLAGS="${CPPFLAGS}"
export CGO_CFLAGS="${CFLAGS}"
export CGO_CXXFLAGS="${CXXFLAGS}"
export CGO_LDFLAGS="${LDFLAGS}"
export GOPATH="${srcdir}"
export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
export DISTRIBUTION=arch
local -A modes=(
# Mapping of modes to just build target.
[default]=complain
# [enforced]=enforce
# [fsp]=fsp-complain
# [fsp.enforced]=fsp
# [server]=server-complain
# [server.enforced]=server
# [server.fsp]=server-fsp-complain
# [server.fsp.enforced]=server-fsp
)
for mode in "${!modes[@]}"; do
just build=".build/$mode" "${modes[$mode]}"
done
make DISTRIBUTION=arch
}
_conflicts() {
local mode="$1"
local pattern=".$mode"
if [[ "$mode" == "default" ]]; then
pattern=""
else
echo "$pkgbase"
fi
for pkg in "${pkgname[@]}"; do
if [[ "$pkg" == "${pkgbase}${pattern}" ]]; then
continue
fi
echo "$pkg"
done
}
_install() {
local mode="${1:?}"
cd "$srcdir/$pkgbase"
just build=".build/$mode" destdir="$pkgdir" install
}
package_apparmor.d() {
mode=default
pkgdesc="$pkgdesc (complain mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
}
package_apparmor.d.enforced() {
mode=enforced
pkgdesc="$pkgdesc (enforced mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
}
package_apparmor.d.fsp() {
mode="fsp"
pkgdesc="$pkgdesc (FSP mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
}
package_apparmor.d.fsp.enforced() {
mode="fsp.enforced"
pkgdesc="$pkgdesc (FSP enforced mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
}
package_apparmor.d.server() {
mode="server"
pkgdesc="$pkgdesc (server complain mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
}
package_apparmor.d.server.enforced() {
mode="server.enforced"
pkgdesc="$pkgdesc (server enforced mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
}
package_apparmor.d.server.fsp() {
mode="server.fsp"
pkgdesc="$pkgdesc (server FSP complain mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
}
package_apparmor.d.server.fsp.enforced() {
mode="server.fsp.enforced"
pkgdesc="$pkgdesc (server FSP enforced mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
package() {
cd "$srcdir/$pkgname"
make install DESTDIR="$pkgdir"
}
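Review bot: `depends=('apparmor')` carries no version constraint, yet every profile on this page declares `abi <abi/4.0>`, so the package may install on a host whose `apparmor_parser` predates that ABI and fail only when the profiles are loaded rather than at pacman dependency resolution. Print order suggests the constrained form `depends=('apparmor>=4.1.0' 'apparmor<5.0.0')` is the one being dropped; if the single-`pkgname` variant is the side under review, keep a lower bound matching the ABI the profiles require. `license=('GPL2')` likewise diverges from the `SPDX-License-Identifier: GPL-2.0-only` headers used throughout the tree; `license=('GPL-2.0-only')` keeps the two consistent.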


@ -2,7 +2,7 @@
# apparmor.d
[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard] [![][matrix]][matrix-link] [![][play]][play-link]
[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard] [![][matrix]][matrix-link]
**Full set of AppArmor profiles**
@ -27,19 +27,16 @@
- Target both desktops and servers
- Support all distributions that support AppArmor:
* [Arch Linux](https://apparmor.pujol.io/install#archlinux)
* [Ubuntu 24.04/22.04](https://apparmor.pujol.io/install#ubuntu)
* [Debian 12](https://apparmor.pujol.io/install#debian)
* [OpenSUSE Tumbleweed](https://apparmor.pujol.io/install#opensuse)
* Arch Linux
* Ubuntu 22.04
* Debian 12
* OpenSUSE Tumbleweed
- Support for all major desktop environments:
* Gnome (GDM)
* KDE (SDDM)
* XFCE (Lightdm) *(work in progress)*
- [Fully tested](https://apparmor.pujol.io/development/tests/)
* Gnome
* KDE
* XFCE *(work in progress)*
- Fully tested (Work in progress)
**Demo**
You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. You can try it online on my AppArmor play machine at https://play.pujol.io/
> This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments.
@ -62,10 +59,6 @@ Building the largest set of AppArmor profiles:
- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))*
- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))*
Lessons learned while making an AppArmor Play machine:
- [Linux Security Summit North America (LSS-NA 2025)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2025.sched.com/event/1zalf/lessons-learned-while-making-an-apparmor-play-machine-alexandre-pujol-linagora), [Video](https://www.youtube.com/watch?v=zCSl8honRI0))*
## Installation
Please see [apparmor.pujol.io/install](https://apparmor.pujol.io/install)
@ -100,8 +93,6 @@ and thus has the same license (GPL2).
[goreportcard]: https://goreportcard.com/report/github.com/roddhjav/apparmor.d
[matrix]: https://img.shields.io/badge/Matrix-%23apparmor.d-blue?style=flat-square&logo=matrix
[matrix-link]: https://matrix.to/#/#apparmor.d:matrix.org
[play]: https://img.shields.io/badge/Live_Demo-play.pujol.io-blue?style=flat-square
[play-link]: https://play.pujol.io
[android_model]: https://arxiv.org/pdf/1904.05572
[clipos]: https://clip-os.org/en/


@ -2,32 +2,28 @@
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
# The unix socket to use to connect to the display
unix (connect, receive, send) type=stream peer=(addr=@/tmp/.ICE-unix/@{int}),
unix (connect, receive, send) type=stream peer=(addr=@/tmp/.X11-unix/X@{int}),
unix type=stream addr=@/tmp/.ICE-unix/@{int},
unix type=stream addr=@/tmp/.X11-unix/X@{int},
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
unix type=stream addr="@/tmp/.ICE-unix/[0-9]*",
unix type=stream addr="@/tmp/.X11-unix/X[0-9]*",
/usr/share/X11/{,**} r,
/usr/share/xsessions/{,*.desktop} r, # Available Xsessions
/usr/share/xkeyboard-config-2/{,**} r,
/etc/X11/cursors/{,**} r,
owner @{HOME}/.ICEauthority r, # ICEauthority files required for X authentication, per user
owner @{HOME}/.ICEauthority rw, # ICEauthority files required for X authentication, per user
owner @{HOME}/.Xauthority rw, # Xauthority files required for X connections, per user
owner @{HOME}/.xsession-errors rw,
/tmp/.ICE-unix/@{int} rw,
/tmp/.ICE-unix/* rw,
/tmp/.X@{int}-lock rw,
/tmp/.X11-unix/X@{int} rw,
/tmp/.X11-unix/* rw,
owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int},
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland
owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
owner @{run}/user/@{uid}/ICEauthority r,
owner @{run}/user/@{uid}/X11/Xauthority r,
owner @{run}/user/@{uid}/xauth_@{rand6} rl -> @{run}/user/@{uid}/#@{int},
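Review bot: `/tmp/.ICE-unix/* rw,` and `/tmp/.X11-unix/* rw,` grant read/write on every entry of two shared, world-writable directories, and the matching `peer=(addr="@/tmp/.X11-unix/X[0-9]*")` style socket rules are looser than the `X@{int}` / `@{int}` forms printed alongside them; because this abstraction is pulled into every X client profile, the wider glob is inherited by all of them. Print order suggests the `*` / `[0-9]*` lines are the side under review; if so, restrict them to the socket names actually used, e.g. `/tmp/.X11-unix/X[0-9]* rw,` and `/tmp/.ICE-unix/[0-9]* rw,`. Whether `owner @{HOME}/.ICEauthority` needs `rw` or only `r` cannot be told from the two variants printed here; record the reason for the chosen mode in the trailing comment.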


@ -1,15 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allow communication with Assistive Technology Service Provider Interface (AT-SPI)
abi <abi/4.0>,
include <abstractions/bus-accessibility>
include <abstractions/bus/accessibility/org.a11y>
include <abstractions/bus/session/org.a11y>
include if exists <abstractions/accessibility.d>
# vim:syntax=apparmor


@ -1,30 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Kernel Fusion Driver for AMD GPUs
abi <abi/4.0>,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r,
@{sys}/devices/virtual/kfd/kfd/dev r,
@{sys}/devices/virtual/kfd/kfd/topology/ r,
@{sys}/devices/virtual/kfd/kfd/topology/generation_id r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/ r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/caches/@{int}/properties r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/gpu_id r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/io_links/@{int}/properties r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/mem_banks/@{int}/properties r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r,
@{sys}/devices/virtual/kfd/kfd/topology/system_properties r,
@{sys}/devices/virtual/kfd/kfd/uevent r,
@{sys}/module/amdgpu/initstate r,
/dev/kfd rw,
include if exists <abstractions/amdgpu.d>
# vim:syntax=apparmor


@ -1,11 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
owner @{HOME}/.ansible/tmp/ansible-tmp-*/* rw,
include if exists <abstractions/ansible.d>
# vim:syntax=apparmor


@ -3,13 +3,13 @@
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
@{bin}/* PUx,
/usr/local/{s,}bin/* PUx,
include <abstractions/path>
@{bin}/** PUx,
@{sbin}/** PUx,
/usr/local/{s,}bin/** PUx,
@{bin}/ r,
/ r,
/usr/ r,
/usr/local/{s,}bin/ r,
include if exists <abstractions/app-launcher-root.d>


@ -3,14 +3,10 @@
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <abstractions/path>
@{bin}/** PUx,
@{bin}/* PUx,
/opt/*/** PUx,
/usr/share/** PUx,
/usr/local/bin/** PUx,
/usr/share/*/* PUx,
/usr/local/bin/* PUx,
@{brave_path} Px,
@{chrome_path} Px,
@ -20,7 +16,10 @@
@{thunderbird_path} Px,
@{offices_path} PUx,
@{user_bin_dirs}/** PUx,
@{bin}/ r,
/ r,
/usr/ r,
/usr/local/bin/ r,
include if exists <abstractions/app-launcher-user.d>


@ -8,58 +8,47 @@
# Ultimately, only sandbox manager such as like bwrap, snap, flatpak, firejail
# should be present here. Until this day, this profile will be a controlled mess.
abi <abi/4.0>,
# Sandbox managers
@{bin}/bwrap PUx,
@{bin}/firejail PUx,
@{bin}/flatpak Px,
@{bin}/snap Px,
@{bin}/bwrap rPUx,
@{bin}/firejail rPUx,
@{bin}/flatpak rPUx,
@{bin}/snap rPUx,
# Labeled programs
@{archive_viewers_path} PUx,
@{backup_path} PUx,
@{browsers_path} Px,
@{document_viewers_path} PUx,
@{emails_path} PUx,
@{file_explorers_path} Px,
@{help_path} Px,
@{image_viewers_path} PUx,
@{offices_path} PUx,
@{terminal_path} Px,
@{text_editors_path} PUx,
@{archive_viewers_path} rPUx,
@{browsers_path} rPx,
@{document_viewers_path} rPUx,
@{emails_path} rPUx,
@{file_explorers_path} rPx,
@{image_viewers_path} rPUx,
@{offices_path} rPUx,
@{text_editors_path} rPUx,
# Others
@{bin}/amule Px,
@{bin}/blueman-tray Px,
@{bin}/discord{,-ptb} Px,
@{bin}/draw.io PUx,
@{bin}/dropbox Px,
@{bin}/ebook-edit PUx,
@{bin}/element-desktop Px,
@{bin}/extension-manager Px,
@{bin}/filezilla Px,
@{bin}/flameshot Px,
@{bin}/gimp{,-3.0} Px,
@{bin}/gnome-calculator Px,
@{bin}/gnome-disk-image-mounter Px,
@{bin}/gnome-disks Px,
@{bin}/gnome-session-quit Px,
@{bin}/gnome-software Px,
@{bin}/gwenview PUx,
@{bin}/keepassxc Px,
@{bin}/qbittorrent Px,
@{bin}/qpdfview Px,
@{bin}/smplayer Px,
@{bin}/steam-runtime PUx,
@{bin}/telegram-desktop Px,
@{bin}/transmission-gtk Px,
@{bin}/viewnior PUx,
@{bin}/vlc Px,
@{bin}/xbrlapi Px,
@{bin}/blueman-tray rPx,
@{bin}/discord{,-ptb} rPx,
@{bin}/draw.io rPUx,
@{bin}/dropbox rPx,
@{bin}/element-desktop rPx,
@{bin}/extension-manager rPx,
@{bin}/filezilla rPx,
@{bin}/flameshot rPx,
@{bin}/gimp* rPUx,
@{bin}/gnome-calculator rPUx,
@{bin}/gnome-disk-image-mounter rPx,
@{bin}/gnome-disks rPx,
@{bin}/gwenview rPUx,
@{bin}/kgx rPx,
@{bin}/qbittorrent rPx,
@{bin}/qpdfview rPx,
@{bin}/smplayer rPx,
@{bin}/steam-runtime rPUx,
@{bin}/telegram-desktop rPx,
@{bin}/transmission-gtk rPx,
@{bin}/viewnior rPUx,
@{bin}/vlc rPUx,
@{bin}/xbrlapi rPx,
#aa:only opensuse
@{lib}/YaST2/** PUx,
include if exists <abstractions/app-open.d>
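Review bot: `@{bin}/gimp* rPUx,` is the only glob in the new list of "Others" entries; unlike the exact names around it, it matches every binary whose name begins with `gimp`, and because `PUx` falls back to unconfined when no profile is attached, any such helper without its own profile ends up running unconfined from this launcher. Prefer enumerating the binaries that actually have profiles, in the brace form already used in this file (e.g. `@{bin}/discord{,-ptb} rPx,`), or add a comment stating why the wider match is wanted. Which of the two printed rule groups is the new side is inferred from print order rather than explicit markers.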


@ -1,22 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Minimal set of rules for dbus-send/dbus-launch.
abi <abi/4.0>,
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@{bin}/dbus-launch mix,
@{bin}/dbus-send mrix,
@{bin}/dbus-daemon Px -> dbus-session,
owner @{HOME}/.dbus/session-bus/@{hex}-@{int} w,
include if exists <abstractions/app/bus.d>
# vim:syntax=apparmor


@ -1,12 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# NEEDS-VARIABLE: name
# NEEDS-VARIABLE: domain
# NEEDS-VARIABLE: lib_dirs
# NEEDS-VARIABLE: config_dirs
# NEEDS-VARIABLE: cache_dirs
# Full set of rules for all chromium based browsers. It works as a *function*
# and requires some variables to be provided as *arguments* and set in the
@ -22,35 +16,38 @@
# or abstractions/common/electron instead.
#
abi <abi/4.0>,
include <abstractions/audio-client>
include <abstractions/avahi-observe>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/org.bluez>
include <abstractions/bus/org.freedesktop.Avahi>
include <abstractions/bus/org.freedesktop.FileManager1>
include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
include <abstractions/bus/session/org.gnome.SessionManager>
include <abstractions/bus/system/org.bluez>
include <abstractions/camera>
include <abstractions/common/chromium>
include <abstractions/bus/org.freedesktop.Notifications>
include <abstractions/bus/org.freedesktop.ScreenSaver>
include <abstractions/bus/org.freedesktop.secrets>
include <abstractions/bus/org.freedesktop.UPower>
include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/bus/org.kde.kwalletd>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/devices-u2f>
include <abstractions/devices-usb-read>
include <abstractions/devices-usb>
include <abstractions/fontconfig-cache-read>
include <abstractions/graphics>
include <abstractions/graphics-full>
include <abstractions/nameservice-strict>
include <abstractions/notifications>
include <abstractions/pcscd>
include <abstractions/screensaver>
include <abstractions/secrets-service>
include <abstractions/ssl_certs>
include <abstractions/thumbnails-cache-read>
include <abstractions/uim>
include <abstractions/upower-observe>
include <abstractions/user-download-strict>
include <abstractions/user-read-strict>
include <abstractions/video>
# userns,
capability setgid,
capability setuid,
capability sys_admin,
capability sys_chroot,
capability sys_ptrace,
network inet dgram,
network inet6 dgram,
@ -76,7 +73,7 @@
@{lib_dirs}/chrome-sandbox rPx,
# Desktop integration
@{bin}/lsb_release rPx,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/xdg-desktop-menu rPx,
@{bin}/xdg-email rPx,
@{bin}/xdg-icon-resource rPx,
@ -84,11 +81,16 @@
@{bin}/xdg-open rPx -> child-open,
@{bin}/xdg-settings rPx,
# Installing/removing extensions, applications, and stacked xdg menus
@{sh_path} rix,
@{bin}/{,e}grep ix,
@{bin}/{m,g,}awk ix,
@{coreutils_path} ix,
# Installing/removing extensions & applications
@{bin}/{,e}grep rix,
@{bin}/basename rix,
@{bin}/cat rix,
@{bin}/cut rix,
@{bin}/mkdir rix,
@{bin}/mktemp rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/touch rix,
# For storing passwords externally
@{bin}/keepassxc-proxy rix, # as a temporary solution - see issue #128
@ -108,14 +110,24 @@
/etc/@{name}/{,**} r,
/etc/fstab r,
/etc/{,opensc/}opensc.conf r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/ r,
owner @{HOME}/ r,
owner @{user_cache_dirs}/gtk-3.0/**/*.cache r,
owner @{user_config_dirs}/gtk-3.0/servers r,
owner @{HOME}/.pki/ rw,
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
owner @{user_share_dirs}/icons/hicolor/.xdg-icon-resource-dummy w,
owner @{user_config_dirs}/gtk-3.0/servers r,
owner @{user_share_dirs}/.@{domain}.* rw,
owner @{user_cache_dirs}/gtk-3.0/**/*.cache r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{config_dirs}/ rw,
owner @{config_dirs}/** rwk,
@ -123,10 +135,6 @@
owner @{cache_dirs}/{,**} rw,
owner @{user_config_dirs}/kioslaverc r,
owner @{user_config_dirs}/menus/applications-merged/ r,
owner @{user_config_dirs}/menus/applications-merged/*.menu rw,
# For importing data (bookmarks, cookies, etc) from Firefox
# owner @{HOME}/.mozilla/firefox/profiles.ini r,
# owner @{HOME}/.mozilla/firefox/*/ r,
@ -139,8 +147,10 @@
/tmp/ r,
/var/tmp/ r,
owner @{tmp}/.@{domain}.* rw,
owner @{tmp}/.@{domain}*/{,**} rw,
owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw,
owner @{tmp}/tmp.@{rand10} rw,
owner @{tmp}/scoped_dir@{rand6}/{,**} rw,
owner @{tmp}/tmp.@{rand6} rw,
owner @{tmp}/tmp.@{rand6}/ rw,
owner @{tmp}/tmp.@{rand6}/** rwk,
@ -148,6 +158,9 @@
owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw,
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw,
/dev/shm/ r,
owner /dev/shm/.@{domain}* rw,
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{sys}/bus/ r,
@ -155,31 +168,39 @@
@{sys}/class/**/ r,
@{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r,
@{sys}/devices/@{pci}/boot_vga r,
@{sys}/devices/@{pci}/report_descriptor r,
@{sys}/devices/**/uevent r,
@{sys}/devices/system/cpu/kernel_max r,
@{sys}/devices/virtual/**/report_descriptor r,
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_name} r,
@{sys}/devices/virtual/tty/tty@{int}/active r,
@{PROC}/ r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/statm r,
@{PROC}/@{pid}/task/@{tid}/status r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/statm r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/pressure/{memory,cpu,io} r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/vmstat r,
owner @{PROC}/@{pid}/clear_refs w,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/limits r,
owner @{PROC}/@{pid}/mem r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pid}/smaps_rollup r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
owner @{PROC}/@{pid}/uid_map w,
owner @{PROC}/@{pids}/clear_refs w,
owner @{PROC}/@{pids}/cmdline r,
owner @{PROC}/@{pids}/environ r,
owner @{PROC}/@{pids}/task/ r,
/dev/ r,
/dev/hidraw@{int} rw,
/dev/tty rw,
owner /dev/tty@{int} rw,
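Review bot: The capability grants `capability setgid,`, `setuid,`, `sys_admin,`, `sys_chroot,` and `sys_ptrace,` sit in this browser abstraction without any rationale, and the `# userns,` directly above them is disabled with no explanation either; the firefox abstraction further down annotates the same `sys_admin`/`sys_chroot` grants with `# If kernel.unprivileged_userns_clone = 1` but comments out its own `userns,` equally silently, so the same note applies there. Since these are the rules that decide whether a renderer sandbox runs with elevated capabilities, each should say which sandbox mechanism needs it, e.g. `capability sys_admin, # If kernel.unprivileged_userns_clone = 1`, and the disabled rule should record why it is off — presumably the target AppArmor version predates `userns` rules (AppArmor 4.0), in which case `# userns, # requires AppArmor >= 4.0; re-enable once supported` makes that explicit. Whether the capability lines are added here or carried as context is not recoverable from the rendering; they are on the new side either way.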


@ -1,43 +1,29 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Zane Zakraisek <zz@eng.utah.edu>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
abi <abi/4.0>,
include <abstractions/nameservice-strict>
include <abstractions/consoles>
@{sh_path} rix,
@{bin}/nvim mrix,
@{bin}/sensible-editor mr,
@{bin}/vim* mrix,
@{bin}/which{,.debianutils} rix,
@{bin}/sensible-editor mr,
@{bin}/vim{,.*} mrix,
@{sh_path} rix,
@{bin}/which{,.debianutils} rix,
/usr/share/doc/{,**} r,
/usr/share/nvim/{,**} r,
/usr/share/terminfo/** r,
/usr/share/vim/{,**} r,
/usr/share/terminfo/** r,
/etc/vim/{,**} r,
/etc/vimrc r,
/etc/xdg/nvim/* r,
/etc/vim/{,**} r,
owner @{HOME}/.selected_editor r,
owner @{HOME}/.vim/{after/,}spell/{,**} rw,
owner @{HOME}/.vim/** r,
owner @{HOME}/.viminf@{c}{,.tmp} rw,
owner @{HOME}/.vimrc r,
# Vim swap file
owner @{HOME}/ r,
owner @{user_cache_dirs}/ r,
owner @{user_cache_dirs}/vim/{,**} rw,
owner @{user_config_dirs}/vim/{,**} r,
owner @{user_state_dirs}/nvim/{,**} rw,
owner @{user_config_dirs}/nvim/{,**} rw,
owner @{run}/user/@{uid}/nvim.* rw,
include if exists <abstractions/app/editor.d>


@ -1,11 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# NEEDS-VARIABLE: name
# NEEDS-VARIABLE: lib_dirs
# NEEDS-VARIABLE: config_dirs
# NEEDS-VARIABLE: cache_dirs
# Full set of rules for all firefox based browsers. It works as a *function*
# and requires some variables to be provided as *arguments* and set in the
@ -17,31 +12,25 @@
# @{cache_dirs} = @{user_cache_dirs}/mozilla/
#
abi <abi/4.0>,
include <abstractions/audio-client>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.FileManager1>
include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/bus/org.freedesktop.RealtimeKit1>
include <abstractions/bus/org.freedesktop.timedate1>
include <abstractions/cups-client>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/devices-u2f>
include <abstractions/enchant>
include <abstractions/fontconfig-cache-read>
include <abstractions/graphics>
include <abstractions/graphics-full>
include <abstractions/gstreamer>
include <abstractions/nameservice-strict>
include <abstractions/pcscd>
include <abstractions/ssl_certs>
include <abstractions/thumbnails-cache-read>
include <abstractions/uim>
include <abstractions/user-download-strict>
include <abstractions/user-read-strict>
userns,
# userns,
capability sys_admin, # If kernel.unprivileged_userns_clone = 1
capability sys_chroot, # If kernel.unprivileged_userns_clone = 1
@ -57,8 +46,6 @@
signal (send) set=(term, kill) peer=@{profile_name}-*,
#aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
@{sh_path} rix,
@{bin}/basename rix,
@{bin}/dirname rix,
@ -67,12 +54,14 @@
@{lib_dirs}/{,**} r,
@{lib_dirs}/*.so mr,
@{lib_dirs}/crashreporter rPx,
@{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest,
@{lib_dirs}/minidump-analyzer rPx,
@{lib_dirs}/pingsender rPx,
@{lib_dirs}/plugin-container rPx,
@{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest,
# Desktop integration
@{bin}/lsb_release rPx,
@{bin}/lsb_release rPx -> lsb_release,
/usr/share/@{name}/{,**} r,
/usr/share/doc/{,**} r,
@ -82,9 +71,9 @@
/etc/@{name}/{,**} r,
/etc/fstab r,
/etc/lsb-release r,
/etc/mailcap r,
/etc/mime.types r,
/etc/{,opensc/}opensc.conf r,
/etc/sysconfig/proxy r,
/etc/xdg/* r,
/etc/xul-ext/kwallet5.js r,
@ -99,28 +88,18 @@
owner @{cache_dirs}/ rw,
owner @{cache_dirs}/** rwk,
/tmp/ rw,
/tmp/ r,
/var/tmp/ r,
owner @{tmp}/@{name}/ rw,
owner @{tmp}/@{name}/* rwk,
owner @{tmp}/@{rand6}.tmp rw,
owner @{tmp}/firefox/ rw,
owner @{tmp}/firefox/* rwk,
owner @{tmp}/mozilla* rw,
owner @{tmp}/mozilla*/ rw,
owner @{tmp}/mozilla*/* rwk,
owner @{tmp}/remote-settings-startup-bundle- rw,
owner @{tmp}/remote-settings-startup-bundle-.tmp rw,
owner @{tmp}/Temp-@{uuid}/ rw,
owner @{tmp}/Temp-@{uuid}/* rwk,
owner @{tmp}/tmp-*.xpi rw,
owner @{tmp}/tmpaddon rw,
owner @{tmp}/tmp-???.xpi rw,
owner @{tmp}/tmpaddon r,
owner @{tmp}/tmpaddon-@{int} r,
owner /dev/shm/org.chromium.@{rand6} rw,
owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
@{run}/mount/utab r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@ -137,10 +116,8 @@
@{sys}/devices/**/uevent r,
@{sys}/devices/power/events/energy-* r,
@{sys}/devices/power/type r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/product_sku r,
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r,
@{PROC}/@{pid}/net/arp r,
@ -164,13 +141,18 @@
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
/dev/ r,
/dev/hidraw@{int} rw,
/dev/tty rw,
/dev/video@{int} rw,
owner /dev/shm/org.chromium.* rw,
owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
owner /dev/tty@{int} rw, # File Inherit
# Silencer
deny dbus send bus=system path=/org/freedesktop/hostname1,
deny /tmp/MozillaUpdateLock-* w,
deny owner @{HOME}/ r,
deny owner @{HOME}/.* r,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
deny @{run}/user/@{uid}/gnome-shell-disable-extensions w,
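Review bot: `@{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest,` and the matching `vaapitest` rule hard-code the `firefox` profile stack inside an abstraction whose header describes it as a generic *function* over `@{name}` and `@{lib_dirs}`; any other consumer of this abstraction will transition its glxtest/vaapitest helpers into the firefox stack rather than its own, which is the wrong confinement for that program. If the helper profiles follow the consumer's name, `@{lib_dirs}/glxtest rPx -> @{profile_name}//&@{name}-glxtest,` keeps the transition tied to the including profile; otherwise these two rules belong in the firefox profile itself, not in the shared abstraction. These appear to be the two lines this hunk adds (the header grows by two), but the rendering carries no explicit marker.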


@ -1,35 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Minimal set of rules for fusermount subprofiles. Path to mount/unmount should
# be defined in the calling profile.
abi <abi/4.0>,
include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability dac_override,
capability dac_read_search,
capability sys_admin, # To mount anything
@{bin}/fusermount{,3} mr,
@{bin}/mount rix,
@{bin}/umount rix,
@{etc_ro}/fuse{,3}.conf r,
@{run}/mount/utab r,
@{run}/mount/utab.* rwk,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/mounts r,
/dev/fuse rw,
include if exists <abstractions/app/fusermount.d>
# vim:syntax=apparmor


@ -1,13 +1,10 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
abi <abi/4.0>,
include <abstractions/consoles>
@{bin}/kmod mr,
@{bin}/kmod mr,
@{lib}/modprobe.d/ r,
@{lib}/modprobe.d/*.conf r,


@ -1,46 +1,17 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Full set of rules for desktop generic open-* used in child-open-* profiles.
# Full set of rules for child-open-* profiles.
abi <abi/4.0>,
include <abstractions/accessibility>
include <abstractions/bus-session>
include <abstractions/desktop>
# We cannot use `@{open_path} mrix,` here because it includes:
# @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop
# And `@{multiarch}` has a wildcard that cannot be merged and that will generate
# "has merged rule with conflicting x modifiers" error when used with other
# wilcard over PUx transition.
@{bin}/exo-open mrix,
@{bin}/xdg-open mrix,
@{bin}/gio mrix,
@{bin}/kde-open mrix,
@{bin}/gio-launch-desktop mrix,
@{lib}/gio-launch-desktop mrix,
@{open_path} mrix,
@{bin}/env rix,
@{sh_path} r,
/dev/tty rw,
# if @{DE} == kde
include <abstractions/audio-client>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
@{PROC}/sys/kernel/random/boot_id r,
# fi
include if exists <abstractions/app/open.d>
# vim:syntax=apparmor
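Review bot: `@{open_path} mrix,` appears to be what the new side keeps in place of the enumerated `exo-open`/`xdg-open`/`gio`/`kde-open`/`gio-launch-desktop` rules, yet the comment removed alongside them states that `@{open_path}` expands to a `@{multiarch}`-wildcarded path which triggers a `has merged rule with conflicting x modifiers` parser error when combined with other wildcard `PUx` rules. Any child-open-* profile that includes this abstraction and still carries such wildcard `PUx` transitions would then fail to load, and a profile that fails to load leaves the program it was meant to confine running unconfined on that host. Either keep the explicit list, or carry the caveat over as a comment above the rule, e.g. `# @{open_path} contains @{multiarch}: conflicts with wildcard PUx rules in including profiles`, so the constraint is not lost. Which lines are the new side is inferred from the line counts and the neighbouring file deletions rather than from explicit markers.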


@ -1,39 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Minimal set of rules for pagers.
abi <abi/4.0>,
include <abstractions/consoles>
capability dac_override,
capability dac_read_search,
signal receive set=(stop, cont, term, kill),
@{bin}/ r,
@{pager_path} mrix,
@{system_share_dirs}/terminfo/{,**} r,
/usr/share/file/misc/** r,
/usr/share/nvim/{,**} r,
@{etc_ro}/lesskey.bin r,
@{HOME}/.lesshst r,
owner @{HOME}/ r,
owner @{HOME}/.lesshs* rw,
owner @{HOME}/.terminfo/@{int}/* r,
owner @{user_cache_dirs}/lesshs* rw,
owner @{user_state_dirs}/ r,
owner @{user_state_dirs}/lesshs* rw,
/dev/tty@{int} rw,
include if exists <abstractions/app/pager.d>
# vim:syntax=apparmor


@ -1,11 +1,8 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Minimal set of rules for pgrep/pkill.
abi <abi/4.0>,
# Minimal set of rules for pgrep.
include <abstractions/consoles>
@ -19,13 +16,10 @@
@{sys}/devices/system/node/node@{int}/meminfo r,
@{PROC}/ r,
@{PROC}/@{pid}/status r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/stat r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/tty/drivers r,
@{PROC}/uptime r,
include if exists <abstractions/app/pgrep.d>
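Review bot: `@{PROC}/@{pids}/environ r,` lets pgrep read the environment of every process on the system, and process environments routinely carry tokens and passwords; pgrep's ordinary name matching and `-f` matching work from `stat`/`status` and `cmdline`, which are granted separately in this hunk. The hunk drops three lines and the rendering does not show whether `environ` is among them; if it survives on the new side it should either go or be annotated with the pgrep option that actually needs it, e.g. `@{PROC}/@{pids}/environ r, # needed for <pgrep option — TODO confirm>`. The hunk starts mid-file, so earlier rules of this abstraction are not visible here.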


@ -1,43 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Minimal set of rules for pkexec.
abi <abi/4.0>,
include <abstractions/authentication>
include <abstractions/bus-system>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>
capability audit_write,
capability dac_override,
capability dac_read_search,
capability net_admin,
capability setgid,
capability setuid,
capability sys_ptrace,
capability sys_resource,
network netlink raw, # PAM
#aa:dbus talk bus=system name=org.freedesktop.PolicyKit1.Authority label=polkitd
@{bin}/pkexec mr,
/etc/shells r,
@{PROC}/@{pid}/fdinfo/@{int} r,
@{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/loginuid r,
owner /dev/tty@{int} rw,
deny @{user_share_dirs}/gvfs-metadata/* r,
include if exists <abstractions/app/pkexec.d>
# vim:syntax=apparmor


@ -1,18 +1,14 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Minimal set of rules for sudo.
abi <abi/4.0>,
# Minimal set of rules for sudo. Interactive sudo need more rules.
include <abstractions/authentication>
include <abstractions/bus-system>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>
include <abstractions/devices-usb>
capability audit_write,
capability dac_override,
@ -24,10 +20,10 @@
network netlink raw, # PAM
unix type=stream addr=@@{udbus}/bus/sudo/system,
#aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}"
#aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.logi1.Manager
member=CreateSession
peer=(name=org.freedesktop.login1, label=systemd-logind),
dbus (send receive) bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd.Manager
@ -36,6 +32,8 @@
@{bin}/sudo mr,
@{lib}/sudo/** mr,
@{etc_ro}/environment r,
@{etc_ro}/security/limits.d/{,*} r,
@{etc_ro}/sudo.conf r,
@{etc_ro}/sudoers r,
@{etc_ro}/sudoers.d/{,*} r,
@ -43,17 +41,12 @@
/ r,
/etc/machine-id r,
/var/db/sudo/lectured/ r,
owner /var/lib/sudo/ts/ rw,
owner /var/lib/sudo/ts/ rw,
owner /var/lib/sudo/ts/@{uid} rwk,
owner /var/log/sudo.log wk,
owner @{HOME}/.sudo_as_admin_successful rw,
# yubikey support
@{HOME}/.yubico/ r,
owner @{HOME}/.yubico/challenge-* rw,
@{run}/faillock/ rw,
@{run}/faillock/@{user} rwk,
owner @{run}/sudo/ rw,
@ -63,6 +56,8 @@
@{PROC}/@{pid}/limits r,
@{PROC}/@{pid}/loginuid r,
@{PROC}/@{pid}/stat r,
@{PROC}/sys/kernel/cap_last_cap r,
@{PROC}/sys/kernel/ngroups_max r,
@{PROC}/sys/kernel/seccomp/actions_avail r,
/dev/ r,
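Review bot: The explicit D-Bus rule for `CreateSession` names `interface=org.freedesktop.logi1.Manager`, while its own peer is `name=org.freedesktop.login1, label=systemd-logind`; the interface is misspelled, so the rule never matches the real `org.freedesktop.login1.Manager` interface and the call it is meant to permit will be denied in enforce mode (or only logged in complain mode). Change it to `interface=org.freedesktop.login1.Manager`. The rendering does not mark which side the four-line rule belongs to, but it is printed in place of the `#aa:dbus talk` directives just before it, so it appears to be the surviving form; the `dbus (send receive) bus=session` rule that follows continues past the end of this hunk.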


@ -1,22 +1,16 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
abi <abi/4.0>,
include <abstractions/bus-system>
include <abstractions/consoles>
ptrace read peer=@{p_systemd},
ptrace (read) peer=@{p_systemd},
unix bind type=stream addr=@@{udbus}/bus/systemctl/,
unix bind type=stream addr=@@{udbus}/bus/systemctl/system,
unix (bind) type=stream addr=@@{hex16}/bus/systemctl/,
@{bin}/systemctl mr,
@{att}/@{run}/systemd/private rw,
owner @{run}/systemd/private rw,
@{PROC}/1/cgroup r,


@ -1,9 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
abi <abi/4.0>,
ptrace read peer=@{p_systemd},
@ -11,8 +8,7 @@
/etc/udev/udev.conf r,
@{run}/udev/data/+*:* r, # Identifies all subsystems
@{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
@{run}/udev/data/* r,
@{sys}/** r,


@ -1,24 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Do not use it manually, It automatically replaces the base abstraction in a
# profile with the attach_disconnected flag set and the re-attached path enabled.
abi <abi/4.0>,
include <abstractions/base>
@{att}/@{run}/systemd/journal/dev-log w,
@{att}/@{run}/systemd/journal/socket w,
@{att}/@{run}/systemd/journal/stdout rw,
@{att}/dev/null rw,
/apparmor/.null rw,
@{att}/apparmor/.null rw,
include if exists <abstractions/attached/base.d>
# vim:syntax=apparmor


@ -1,29 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Do not use it manually, It automatically replaces the consoles abstraction in a
# profile with the attach_disconnected flag set and the re-attached path enabled.
abi <abi/4.0>,
# There are the common ways to refer to consoles
/dev/console rw,
/dev/tty rw,
/dev/tty@{u8} rw,
@{att}/dev/tty rw,
@{att}/dev/tty@{u8} rw,
# These entries are a bit unfortunate; /dev/tty will always be
# associated with the controlling terminal by the kernel, but if a
# program uses the /dev/pts/ interface, it actually has access to
# -all- xterm, sshd, etc, terminals on the system.
/dev/pts/ r,
owner /dev/pts/@{u16} rw,
@{att}/pts/ r,
owner @{att}/dev/pts/@{u16} rw,
include if exists <abstractions/attached/consoles.d>
# vim:syntax=apparmor


@ -5,13 +5,10 @@
# Most programs do not need access to audio devices, audio-client only includes
# configuration files to be used by client applications.
abi <abi/4.0>,
/usr/share/alsa/{,**} r,
/usr/share/alsa/** r,
/usr/share/openal/hrtf/{,**} r,
/usr/share/pipewire/client-rt.conf r,
/usr/share/pipewire/client.conf r,
/usr/share/pipewire/jack.conf r,
/usr/share/sounds/{,**} r,
/etc/alsa/conf.d/{,**} r,
@ -20,8 +17,7 @@
/etc/libao.conf r,
/etc/openal/alsoft.conf r,
/etc/pipewire/client{,-rt}.conf r,
/etc/pipewire/client{,-rt}.conf.d/{,**} r,
/etc/pipewire/jack.conf.d/{,**} r,
/etc/pipewire/client.conf.d/{,**} r,
/etc/pulse/client.conf r,
/etc/pulse/client.conf.d/{,**} r,
/etc/wildmidi/wildmidi.cfg r,
@ -49,7 +45,6 @@
owner @{user_config_dirs}/pipewire/client.conf r,
owner @{user_share_dirs}/openal/hrtf/{,**} r,
owner @{user_share_dirs}/sounds/ r,
owner @{user_share_dirs}/sounds/__custom/index.theme r,
owner @{run}/user/@{uid}/pipewire-@{int} rw,
@ -57,19 +52,11 @@
owner @{run}/user/@{uid}/pulse/ rw,
owner @{run}/user/@{uid}/pulse/native rw,
@{run}/udev/data/c116:@{int} r, # For ALSA
@{run}/udev/data/+sound:card@{int} r, # For sound card
@{sys}/class/ r,
@{sys}/class/sound/ r,
/dev/shm/ r,
owner /dev/shm/pulse-shm-@{int} rw,
/dev/snd/controlC@{int} r,
/dev/snd/pcmC@{int}D@{int}[cp] r,
/dev/snd/timer r,
include if exists <abstractions/audio-client.d>
# vim:syntax=apparmor


@ -3,12 +3,19 @@
# SPDX-License-Identifier: GPL-2.0-only
# Provide access to audio devices. It should only be used by audio servers that
# need direct access to them.
abi <abi/4.0>,
# need direct access to them.
include <abstractions/audio-client>
/usr/share/alsa/{,**} r,
/etc/alsa/conf.d/{,**} r,
@{run}/udev/data/+sound:card@{int} r, # for sound card
@{sys}/class/ r,
@{sys}/class/sound/ r,
@{PROC}/asound/** rw,
/dev/admmidi* rw,


@ -3,14 +3,13 @@
# SPDX-License-Identifier: GPL-2.0-only
@{bin}/pam-tmpdir-helper rPx,
@{lib}/pam-tmpdir/pam-tmpdir-helper rPx,
#aa:only abi3
@{sbin}/unix_chkpwd rPx,
#aa:exclude ubuntu opensuse
@{bin}/unix_chkpwd rPx,
#aa:only whonix
@{lib}/security-misc/pam-abort-on-locked-password rPx,
@{lib}/security-misc/pam-info rPx,
@{lib}/security-misc/pam_faillock_not_if_x rPx,
@{lib}/security-misc/pam_faillock_not_if_x rPx,
@{lib}/security-misc/pam-abort-on-locked-password rPx,
@{lib}/security-misc/pam-info rPx,
# vim:syntax=apparmor


@ -1,25 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2016 Canonical Ltd
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allows domain, record, service, and service type browsing as well as address,
# host and service resolving
abi <abi/4.0>,
include <abstractions/bus/system/org.freedesktop.Avahi.Server>
include <abstractions/bus/system/org.freedesktop.Avahi.AddressResolver>
include <abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser>
include <abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver>
include <abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser>
include <abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser>
include <abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver>
include <abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser>
@{run}/avahi-daemon/socket rw,
include if exists <abstractions/avahi-observe.d>
# vim:syntax=apparmor


@ -1,132 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Do not use it manually, It automatically replaces the base abstraction in
# profiles when the re-attached mode is enabled.
# For now, it is only a restructuring of the base abstraction with awareness
# of the apparmor.d architecture.
abi <abi/4.0>,
include <abstractions/crypto>
include <abstractions/glibc>
include <abstractions/ld>
include <abstractions/locale>
# Allow us to signal ourselves
signal peer=@{profile_name},
# Checking for PID existence is quite common so add it by default for now
signal (receive, send) set=exists,
#aa:exclude RBAC
# Allow unconfined processes to send us signals by default
signal receive peer=unconfined,
# Systemd: allow to receive any signal from the systemd profiles stack
signal receive peer=@{p_systemd},
signal receive peer=@{p_systemd_user},
# Htop like programs can send any signal to any process
signal receive peer=btop,
signal receive peer=htop,
signal receive peer=top,
signal receive set=(cont,term,kill,stop) peer=gnome-system-monitor,
# Allow to receive termination signal from manager such as sudo, login, shutdown or systemd
signal receive peer=su,
signal receive peer=sudo,
signal receive set=(cont,term,kill,stop) peer=gnome-shell,
signal receive set=(cont,term,kill,stop) peer=login,
signal receive set=(cont,term,kill,stop) peer=openbox,
signal receive set=(cont,term,kill,stop) peer=systemd-shutdown,
signal receive set=(cont,term,kill,stop) peer=xinit,
# Allow other processes to read our /proc entries, futexes, perf tracing and
# kcmp for now (they will need 'read' in the first place). Administrators can
# override with:
# deny ptrace readby ...
ptrace readby,
# Allow other processes to trace us by default (they will need 'trace' in
# the first place). Administrators can override with:
# deny ptrace tracedby ...
ptrace tracedby,
# Allow us to ptrace read ourselves
ptrace read peer=@{profile_name},
# Allow us to create and use abstract and anonymous sockets
unix peer=(label=@{profile_name}),
# Allow unconfined processes to us via unix sockets
unix receive peer=(label=unconfined),
# Allow communication to children and stacked profiles
signal peer=@{profile_name}//*,
signal peer=@{profile_name}//&*,
unix type=stream peer=(label=@{profile_name}//*),
# Allow us to create abstract and anonymous sockets
unix create,
# Allow us to getattr, getopt, setop and shutdown on unix sockets
unix (getattr, getopt, setopt, shutdown),
# Allow all programs to use common libraries
@{lib}/** r,
@{lib}/**.so* m,
@{lib}/@{multiarch}/**.so* m,
@{lib}/@{multiarch}/** r,
# Some applications will display license information
/usr/share/common-licenses/** r,
# Allow access to the uuidd daemon (this daemon is a thin wrapper around
# time and getrandom()/{,u}random and, when available, runs under an
# unprivilged, dedicated user).
@{run}/uuidd/request r,
# Transparent hugepage support
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
# Systemd's equivalent of /dev/log
@{run}/systemd/journal/dev-log w,
# Systemd native journal API (see sd_journal_print(4))
@{run}/systemd/journal/socket w,
# Nested containers and anything using systemd-cat need this. 'r' shouldn't
# be required but applications fail without it. journald doesn't leak
# anything when reading so this is ok.
@{run}/systemd/journal/stdout rw,
# Allow determining the highest valid capability of the running kernel
@{PROC}/sys/kernel/cap_last_cap r,
# Controls how core dump files are named
@{PROC}/sys/kernel/core_pattern r,
# Sometimes used to determine kernel/user interfaces to use
@{PROC}/sys/kernel/version r,
# Harmless and frequently used
/dev/null rw,
/dev/random r,
/dev/urandom r,
/dev/zero rw,
# The __canary_death_handler function writes a time-stamped log
# message to /dev/log for logging by syslogd. So, /dev/log, timezones,
# and localisations of date should be available EVERYWHERE, so
# StackGuard, FormatGuard, etc., alerts can be properly logged.
/dev/log w,
include if exists <abstractions/base-strict.d>
# vim:syntax=apparmor


@ -3,25 +3,23 @@
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Systemd: allow to receive any signal from the systemd profiles stack
signal receive peer=@{p_systemd},
signal receive peer=@{p_systemd_user},
# Allow to receive some signals from new well-known profiles
signal receive peer=btop,
signal receive peer=htop,
signal receive peer=pkill,
signal receive peer=sudo,
signal receive peer=top,
signal receive set=(cont,term,kill,stop) peer=systemd-shutdown,
signal receive set=(hup term) peer=login,
signal receive set=(hup) peer=xinit,
signal receive set=(term,kill) peer=gnome-shell,
signal receive set=(term,kill) peer=gnome-system-monitor,
signal receive set=(term,kill) peer=openbox,
signal receive set=(term,kill) peer=su,
signal (receive) peer=btop,
signal (receive) peer=htop,
signal (receive) peer=sudo,
signal (receive) peer=top,
signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown,
signal (receive) set=(cont,term) peer=@{p_systemd_user},
signal (receive) set=(cont,term) peer=@{p_systemd},
signal (receive) set=(hup) peer=xinit,
signal (receive) set=(term,kill) peer=gnome-shell,
signal (receive) set=(term,kill) peer=gnome-system-monitor,
signal (receive) set=(term,kill) peer=openbox,
signal (receive) set=(term,kill) peer=su,
ptrace readby peer=@{p_systemd_coredump},
ptrace (readby) peer=systemd-coredump,
/usr/share/locale/ r,
@{etc_rw}/localtime r,
/etc/locale.conf r,
@ -30,6 +28,6 @@
@{PROC}/sys/kernel/core_pattern r,
/apparmor/.null rw,
deny /apparmor/.null rw,
# vim:syntax=apparmor
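Review bot: The new `signal (receive) set=(cont,term) peer=@{p_systemd}` and `peer=@{p_systemd_user}` rules narrow the systemd stack to two signals, but if the `# Systemd: allow to receive any signal from the systemd profiles stack` comment at the top of the block is kept on this side it no longer describes the rules; reword it to `# Systemd: allow to receive cont and term from the systemd profiles stack`. The same block mixes variable peers (`@{p_systemd}`, `@{p_systemd_user}`) with literal profile names (`btop`, `systemd-coredump`); one convention makes the abstraction easier to keep in sync with profile renames. `pkill` and `login` appear only in the old rows, so the new side presumably stops accepting their signals, which is worth confirming since a login hangup at logout would then be denied and audited.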


@ -2,11 +2,9 @@
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# This abstraction is only required when .bashrc is loaded (e.g. interactive shell).
# This abstraction is only required when an interactive shell is started.
# Classic shell scripts do not need it.
abi <abi/4.0>,
/usr/share/bash-completion/{,**} r,
/usr/share/terminfo/{,**} r,
@ -26,7 +24,6 @@
owner @{HOME}/.alias r,
owner @{HOME}/.bash_aliases r,
owner @{HOME}/.bash_complete r,
owner @{HOME}/.bash_history rw,
owner @{HOME}/.bash_profile r,
owner @{HOME}/.bashrc r,
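Review bot: `owner @{HOME}/.bash_history rw,` appears only once in the second hunk, and the -26,7 +24,6 counts suggest it is the line removed on the new side; an interactive bash writes its history on exit, so every profile including this abstraction will then produce a denial in the audit log at shell exit. If keeping history out of confined interactive shells is the intent, record it next to the remaining `.bash_*` rules, e.g. `# .bash_history is deliberately not granted here; allow it per profile where needed.` The reworded header comment about interactive shells reads fine.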


@ -2,12 +2,15 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=accessibility path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
peer=(name=org.freedesktop.DBus, label=dbus-accessibility),
dbus send bus=accessibility path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-accessibility),
owner @{run}/user/@{uid}/at-spi/ rw,
owner @{run}/user/@{uid}/at-spi/bus rw,
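Review bot: The added `member={RequestName,ReleaseName}` rule makes name acquisition part of the generic bus abstraction, so every profile that includes it may ask the accessibility bus daemon for a well-known name; the previous layout kept that in the separate `own` abstraction that this compare deletes further down. Under AppArmor's D-Bus mediation name ownership is still gated by `dbus bind` rules, so the practical widening is probably small, but a dedicated abstraction documents which profiles are expected to own names and keeps least privilege visible in the policy. The same move is made in the bus-session and bus-system abstractions that follow. `label=dbus-accessibility` also replaces the `@{p_dbus_accessibility}` variable; if that variable still exists on this side, the variable form survives profile renames.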


@ -2,14 +2,19 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
unix (bind, listen) type=stream addr="@/tmp/dbus-*",
unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*",
unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-*"),
unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/session,
dbus send bus=session path=/org/freedesktop/{dbus,DBus}
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
peer=(name=org.freedesktop.DBus, label=dbus-session),
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-session),
/etc/machine-id r,
/var/lib/dbus/machine-id r,
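Review bot: `unix (bind, listen) type=stream addr="@/tmp/dbus-*"` grants every profile that includes this abstraction the server side of an abstract socket named like a session-bus address, which only a bus daemon (or a process spawning a private bus) should need; a plain client is served by `unix (connect, send, receive) type=stream peer=(addr="@/tmp/dbus-*"),` alone. If some client genuinely needs bind/listen, granting it in that profile rather than the shared abstraction keeps the exposure local. The hunk does not mark which side these three unix rules are on, so confirm they are additions before acting on this.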


@ -2,17 +2,17 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/system,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
peer=(name=org.freedesktop.DBus, label=dbus-system),
@{run}/dbus/system_bus_socket rw,
@{att}/@{run}/dbus/system_bus_socket rw,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-system),
@{run}/dbus/system_bus_socket rw,
include if exists <abstractions/bus-system.d>


@ -1,65 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017 Canonical Ltd
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
# Allow the accessibility services in the user session to send us any events
dbus receive bus=accessibility
peer=(label="@{p_at_spi2_registryd}"),
# Allow querying for capabilities and registering
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=GetRegisteredEvents
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
interface=org.a11y.atspi.DeviceEventController
member={GetKeystrokeListeners,GetDeviceEventListeners}
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
interface=org.a11y.atspi.DeviceEventController
member=NotifyListenersSync
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
# org.a11y.atspi is not designed for application isolation and these rules
# can be used to send change events for other processes.
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Event.Object
member=ChildrenChanged
peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Accessible
member=Get*
peer=(label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
interface=org.a11y.atspi.Event.Object
member={ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved}
peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/cache
interface=org.a11y.atspi.Cache
member={AddAccessible,RemoveAccessible}
peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
include if exists <abstractions/bus/accessibility/org.a11y.d>
# vim:syntax=apparmor


@ -1,25 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Do not use it manually, It is automatically included in a profile by the
# `aa:dbus own` directive.
# Allow owning a name on DBus public bus
abi <abi/4.0>,
dbus send bus=accessibility path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
dbus send bus=accessibility path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
include if exists <abstractions/bus/accessibility/own.d>
# vim:syntax=apparmor


@ -1,19 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/ca/desrt/dconf/Writer/user
interface=ca.desrt.dconf.Writer
member=Change
peer=(name=ca.desrt.dconf), # no peer's labels
dbus receive bus=session path=/ca/desrt/dconf/Writer/user
interface=ca.desrt.dconf.Writer
member=Notify
peer=(name=@{busname}, label=dconf-service),
include if exists <abstractions/bus/ca.desrt.dconf.Writer.d>
# vim:syntax=apparmor


@ -4,8 +4,6 @@
# Access required for connecting to/communicating with the Unity Launcher
abi <abi/4.0>,
dbus send bus=session path=/com/canonical/unity/launcherentry/@{int}
interface=com.canonical.Unity.LauncherEntry
member=Update
@ -14,12 +12,12 @@
dbus receive bus=session path=/com/canonical/unity/launcherentry/@{int}
interface=com.canonical.dbusmenu
member={GetLayout,GetGroupProperties}
peer=(name="@{busname}", label=gnome-shell),
peer=(name=:*, label=gnome-shell),
dbus receive bus=session path=/com/canonical/unity/launcherentry/@{int}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=gnome-shell),
peer=(name=:*, label=gnome-shell),
include if exists <abstractions/bus/com.canonical.Unity.LauncherEntry.d>
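Review bot: `peer=(name=:*, label=gnome-shell)` replaces `peer=(name="@{busname}", label=gnome-shell)` on both receive rules; `:*` matches any unique connection name, which is presumably what `@{busname}` expands to on the other branch, so this is a notation change rather than a policy change provided `@{busname}` is not defined on this side. The same substitution, together with `@{p_*}` label variables becoming literal profile names, recurs in the wpa_supplicant, PowerProfiles, SwitcherooControl, Fprint, Accounts, Avahi, FileManager1, GeoClue2, ModemManager, NetworkManager, PackageKit and PolicyKit1 abstractions below; settling on one convention across the tree makes the policy easier to audit. `abi <abi/4.0>,` appears only once in the first hunk, so it looks dropped on the new side; the including profiles then have to declare the abi themselves.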


@ -2,12 +2,6 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/com/canonical/unity/launcherentry/**
interface=com.canonical.dbusmenu
member={GetGroupProperties,GetLayout}
peer=(name=@{busname}, label=nautilus),
include if exists <abstractions/bus/com.canonical.dbusmenu.d>


@ -2,39 +2,50 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant
dbus send bus=system path=/fi/w1/wpa_supplicant1
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
peer=(name=:*, label=wpa-supplicant),
dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name="@{busname}", label=wpa-supplicant),
member={GetAll,Set}
peer=(name=:*, label=wpa-supplicant),
dbus send bus=system path=/fi/w1/wpa_supplicant1
interface=fi.w1.wpa_supplicant1.Interface
member=CreateInterface
peer=(name="@{busname}", label=wpa-supplicant),
peer=(name=:*, label=wpa-supplicant),
dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
interface=fi.w1.wpa_supplicant1.Interface
member={AddNetwork,Disconnect,RemoveNetwork,Scan,SelectNetwork}
peer=(name="@{busname}", label=wpa-supplicant),
peer=(name=:*, label=wpa-supplicant),
dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
interface=fi.w1.wpa_supplicant1.Interface.P2PDevice
member=Cancel
peer=(name="@{busname}", label=wpa-supplicant),
peer=(name=:*, label=wpa-supplicant),
dbus receive bus=system path=/org/freedesktop
interface=org.freedesktop.DBus.ObjectManager
member=InterfacesRemoved
peer=(name="@{busname}", label=wpa-supplicant),
peer=(name=:*, label=wpa-supplicant),
dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
interface=fi.w1.wpa_supplicant1.Interface
member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone,PropertiesChanged}
peer=(name="@{busname}", label=wpa-supplicant),
peer=(name=:*, label=wpa-supplicant),
dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
peer=(name=:*, label=wpa-supplicant),
dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}/BSSs/@{int}
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
peer=(name=:*, label=wpa-supplicant),
include if exists <abstractions/bus/fi.w1.wpa_supplicant1.d>
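Review bot: The direction on two of the new Properties rules looks inverted: `dbus send ... member={GetAll,PropertiesChanged}` towards wpa-supplicant allows the client to emit a `PropertiesChanged` signal, and `dbus receive ... member={GetAll,PropertiesChanged}` on the Interfaces and BSSs paths allows it to receive a `GetAll` call, neither of which is normal client traffic. Writing `member=GetAll` on the send rules and `member=PropertiesChanged` on the receive rules keeps the abstraction to what a client actually does. The two receive rules for `/Interfaces/@{int}` and `/Interfaces/@{int}/BSSs/@{int}` could then be one `path=/fi/w1/wpa_supplicant1{,/**}` rule.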


@ -2,9 +2,10 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=system name=net.hadess.PowerProfiles label="@{p_power_profiles_daemon}"
dbus send bus=system path=/net/hadess/PowerProfiles
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=power-profiles-daemon),
include if exists <abstractions/bus/net.hadess.PowerProfiles.d>


@ -2,9 +2,10 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=system name=net.hadess.SwitcherooControl label=switcheroo-control
dbus send bus=system path=/net/hadess/SwitcherooControl
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=switcheroo-control),
include if exists <abstractions/bus/net.hadess.SwitcherooControl.d>


@ -2,14 +2,10 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=system name=net.reactivated.Fprint label="@{p_fprintd}"
dbus send bus=system path=/net/reactivated/Fprint/Manager
interface=net.reactivated.Fprint.Manager
member={GetDevices,GetDefaultDevice}
peer=(name="@{busname}", label="@{p_fprintd}"),
peer=(name=:*, label=fprintd),
dbus send bus=system path=/net/reactivated/Fprint/Manager
interface=net.reactivated.Fprint.Manager
@ -19,7 +15,7 @@
dbus send bus=system path=/net/reactivated/Fprint/Manager
interface=net.reactivated.Fprint.Manager
member={GetDevices,GetDefaultDevice}
peer=(name=net.reactivated.Fprint, label="@{p_fprintd}"),
peer=(name=net.reactivated.Fprint, label=fprintd),
include if exists <abstractions/bus/net.reactivated.Fprint.d>


@ -0,0 +1,46 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Accessibility bus
dbus receive bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=EventListenerDeregistered
peer=(name=:*, label=at-spi2-registryd),
dbus send bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=GetRegisteredEvents
peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
interface=org.a11y.atspi.DeviceEventController
member={GetKeystrokeListeners,GetDeviceEventListeners}
peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name=:*, label=at-spi2-registryd),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
# Session bus
dbus send bus=session path=/org/a11y/bus
interface=org.a11y.Bus
member=GetAddress
peer=(name=org.a11y.Bus, label=dbus-accessibility),
dbus send bus=session path=/org/a11y/bus
interface=org.a11y.Bus
member=GetAddress
peer=(name=org.a11y.Bus),
include if exists <abstractions/bus/org.a11y.d>
# vim:syntax=apparmor
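Review bot: The second `GetAddress` rule, `peer=(name=org.a11y.Bus)` with no label, already covers everything the first one with `label=dbus-accessibility` allows, so the labelled rule is dead and the effective policy accepts a reply from whatever owns org.a11y.Bus. Keep one of the two; if the unlabelled form is needed because the bus launcher may run unconfined, say so above it: `# org.a11y.Bus may be owned by an unconfined launcher, hence no label`. This new file also has no `abi <abi/4.0>,` line, unlike the abstractions edited earlier in this compare, which is presumably the convention on this branch but worth confirming.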


@ -2,40 +2,46 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=system name=org.bluez label="@{p_bluetoothd}"
dbus receive bus=system path=/
interface=org.freedesktop.DBus.ObjectManager
member={InterfacesAdded,InterfacesRemoved}
peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"),
member=InterfacesRemoved
peer=(name="{:*,org.bluez}", label=bluetoothd),
dbus receive bus=system path=/org/bluez/hci@{int}{,/**}
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="{:*,org.bluez}", label=bluetoothd),
dbus send bus=system path=/
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"),
peer=(name="{:*,org.bluez}", label=bluetoothd),
dbus send bus=system path=/org/bluez
interface=org.bluez.AgentManager@{int}
member={RegisterAgent,RequestDefaultAgent,UnregisterAgent}
peer=(name=org.bluez, label="@{p_bluetoothd}"),
peer=(name=org.bluez, label=bluetoothd),
dbus send bus=system path=/org/bluez
interface=org.bluez.ProfileManager@{int}
member=RegisterProfile
peer=(name=org.bluez, label="@{p_bluetoothd}"),
peer=(name=org.bluez, label=bluetoothd),
dbus send bus=system path=/org/bluez/hci@{int}
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name="{:*,org.bluez}", label=bluetoothd),
dbus send bus=system path=/org/bluez/hci@{int}
interface=org.bluez.BatteryProviderManager@{int}
member=RegisterProfile
peer=(name=org.bluez, label="@{p_bluetoothd}"),
peer=(name=org.bluez, label=bluetoothd),
dbus send bus=system path=/org/bluez/hci@{int}
interface=org.bluez.Media@{int}
member=RegisterApplication
peer=(name=org.bluez, label="@{p_bluetoothd}"),
peer=(name=org.bluez, label=bluetoothd),
include if exists <abstractions/bus/system/org.bluez.d>
include if exists <abstractions/bus/org.bluez.d>
# vim:syntax=apparmor
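Review bot: The drop-in include moves from `<abstractions/bus/system/org.bluez.d>` to `<abstractions/bus/org.bluez.d>`, so any local override an administrator placed under the old directory silently stops being loaded; a note in the changelog, or temporarily keeping both `include if exists` lines, avoids a quiet loss of site policy. The new `dbus send ... path=/org/bluez/hci@{int} interface=org.freedesktop.DBus.Properties member=Set` rule covers every adapter property (power, discoverability and so on) for every profile that includes this abstraction, since AppArmor cannot filter on the property name; consider granting it in the few profiles that manage adapters instead.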


@ -2,29 +2,30 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
dbus send bus=system path=/org/freedesktop/Accounts
interface=org.freedesktop.Accounts
member={FindUserByName,ListCachedUsers,FindUserById}
peer=(name="{@{busname},org.freedesktop.Accounts}", label="@{p_accounts_daemon}"),
member={FindUserByName,ListCachedUsers}
peer=(name=:*, label=accounts-daemon),
dbus send bus=system path=/org/freedesktop/Accounts{,/User@{uid}}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=accounts-daemon),
dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
interface=org.freedesktop.Accounts.User
member=*Changed
peer=(name="@{busname}", label="@{p_accounts_daemon}"),
peer=(name=:*, label=accounts-daemon),
dbus receive bus=system path=/org/freedesktop/Accounts
interface=org.freedesktop.Accounts
member=UserAdded
peer=(name="@{busname}", label="@{p_accounts_daemon}"),
peer=(name=:*, label=accounts-daemon),
dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
interface=org.freedesktop.DBus.Properties
member=*Changed
peer=(name="@{busname}", label="@{p_accounts_daemon}"),
peer=(name=:*, label=accounts-daemon),
include if exists <abstractions/bus/org.freedesktop.Accounts.d>


@ -2,44 +2,25 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.Avahi label="@{p_avahi_daemon}"
dbus send bus=system path=/
interface=org.freedesktop.DBus.Peer
member=Ping
peer=(name=org.freedesktop.Avahi),
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
dbus send bus=system path=/
interface=org.freedesktop.Avahi.Server
member={GetAPIVersion,GetState,Service*New}
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
dbus send bus=system path=/Client@{int}/ServiceBrowser@{int}
interface=org.freedesktop.Avahi.ServiceBrowser
member=Free
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
interface=org.freedesktop.Avahi.ServiceBrowser
member={ItemNew,ItemRemove,AllForNow,CacheExhausted}
peer=(name="@{busname}", label="@{p_avahi_daemon}"),
dbus receive bus=system path=/
interface=org.freedesktop.Avahi.Server
member=StateChanged
peer=(name=@{busname}, label="@{p_avahi_daemon}"),
dbus receive bus=system path=/Client@{int}/ServiceResolver@{int}
interface=org.freedesktop.Avahi.ServiceResolver
member=Found
peer=(name=@{busname}, label="@{p_avahi_daemon}"),
dbus send bus=system path=/Client@{int}/ServiceResolver@{int}
interface=org.freedesktop.Avahi.ServiceResolver
member=Free
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
member={ItemNew,AllForNow,CacheExhausted}
peer=(name=:*, label=avahi-daemon),
include if exists <abstractions/bus/org.freedesktop.Avahi.d>


@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
dbus send bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.ColorManager
member=GetDevices
peer=(name=:*, label=colord),
dbus send bus=system path=/org/freedesktop/ColorManager{,/**}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=colord),
dbus send bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.ColorManager
member=CreateDevice
peer=(name=:*, label=colord),
dbus receive bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.ColorManager
member={DeviceAdded,DeviceRemoved}
peer=(name=:*, label=colord),
include if exists <abstractions/bus/org.freedesktop.ColorManager.d>
# vim:syntax=apparmor
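Review bot: `dbus send ... member=CreateDevice peer=(name=:*, label=colord)` sits in a shared abstraction, so every profile including it may register colour devices with colord, while only the session colour daemon and display settings tooling normally do; the read-only `GetDevices`, `GetAll` and the `DeviceAdded`/`DeviceRemoved` receive rules are what a plain client needs. Moving the `CreateDevice` rule to the profiles that create devices keeps the abstraction read-mostly. The call goes to the daemon's unique name (`:*`) rather than the well-known `org.freedesktop.ColorManager`; if callers address the well-known name, `name="{:*,org.freedesktop.ColorManager}"` as used in the bluez and NetworkManager abstractions would cover both.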


@ -2,14 +2,15 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=session name=org.freedesktop.FileManager1 label=nautilus
dbus send bus=session path=/org/freedesktop/FileManager1
interface=org.freedesktop.FileManager1
member=ShowItems
peer=(name=org.freedesktop.FileManager1, label=nautilus),
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=nautilus),
dbus receive bus=session path=/org/freedesktop/FileManager1
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=nautilus),
include if exists <abstractions/bus/org.freedesktop.FileManager1.d>


@ -2,28 +2,35 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=geoclue),
#aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}"
dbus send bus=system path=/org/freedesktop/GeoClue2/Agent
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=org.freedesktop.DBus, label="@{p_geoclue}"),
peer=(name=org.freedesktop.DBus, label=geoclue),
dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label="@{p_geoclue}"),
peer=(name=:*, label=geoclue),
dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label="@{p_geoclue}"),
peer=(name=:*, label=geoclue),
dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
interface=org.freedesktop.GeoClue2.Manager
member=AddAgent
peer=(name="@{busname}", label="@{p_geoclue}"),
peer=(name=:*, label=geoclue),
dbus receive bus=system path=/org/freedesktop/GeoClue2/Manager
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=geoclue),
include if exists <abstractions/bus/org.freedesktop.GeoClue2.d>
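Review bot: The rule `dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*, label=geoclue)` appears twice on the new side, once directly after the abi line and again after the Agent rules; drop one copy. The Agent-path rules (emitting `PropertiesChanged` to `name=org.freedesktop.DBus`, receiving `GetAll`, calling `AddAgent`) only make sense if the including profile acts as a GeoClue agent, so a one-line comment such as `# The including profile registers itself as a GeoClue2 agent` above them would save readers the inference.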


@ -2,19 +2,20 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}"
dbus send bus=system path=/org/freedesktop/ModemManager1
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name=org.freedesktop.ModemManager1, label=ModemManager),
dbus send bus=system path=/org/freedesktop/ModemManager1
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name=org.freedesktop.ModemManager1, label="@{p_ModemManager}"),
peer=(name=:*, label=ModemManager),
dbus send bus=system path=/org/freedesktop/ModemManager1
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name="@{busname}", label="@{p_ModemManager}"),
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=ModemManager),
include if exists <abstractions/bus/org.freedesktop.ModemManager1.d>
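Review bot: The two `GetManagedObjects` rules on the new side are identical apart from the peer name (`org.freedesktop.ModemManager1` versus `:*`); the NetworkManager abstraction in this same compare writes that as one rule with `peer=(name="{:*,org.freedesktop.ModemManager1}", label=ModemManager)`, and doing the same here removes a duplicate and keeps the two files in one style. The old rows carry `@{p_ModemManager}` where the new ones use the literal `ModemManager`; if the variable exists on this branch it is the rename-proof choice.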


@ -2,59 +2,75 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.NetworkManager label=NetworkManager
dbus send bus=system path=/org/freedesktop
interface=org.freedesktop.DBus.ObjectManager
member={GetManagedObjects,InterfacesRemoved}
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
member=GetManagedObjects
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member={GetDevices,GetPermissions}
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager/Settings
interface=org.freedesktop.NetworkManager.Settings
member=ListConnections
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int}
interface=org.freedesktop.NetworkManager.Settings.Connection
member=GetSettings
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager/Devices/@{int}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop
interface=org.freedesktop.DBus.ObjectManager
member={InterfacesAdded,InterfacesRemoved}
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
member=InterfacesAdded
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**}
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=CheckPermissions
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=CheckPermissions
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged}
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager/Settings/@{int}
interface=org.freedesktop.NetworkManager.Settings.Connection
member=Updated
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int}
interface=org.freedesktop.NetworkManager.Connection.Active
member=StateChanged
peer=(name=@{busname}, label=NetworkManager),
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
include if exists <abstractions/bus/org.freedesktop.NetworkManager.d>
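Review bot: `dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=CheckPermissions` names a member that belongs to the `org.freedesktop.NetworkManager` interface, not to Properties, so this rule never matches real traffic; the signal is already covered twice below, once on its own and once inside `member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged}`. Removing the Properties variant and the standalone `member=CheckPermissions` receive rule leaves the combined rule as the single source of truth. These three rules are unchanged context, so this is pre-existing rather than introduced here.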


@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
dbus send bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gjs-console),
dbus send bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member={GetCapabilities,GetServerInformation,Notify}
peer=(name=:*, label=gjs-console),
dbus receive bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member={GetAll,NotificationClosed,CloseNotification}
peer=(name=:*, label=gjs-console),
dbus receive bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member=Notify
peer=(name=org.freedesktop.DBus, label=gjs-console),
include if exists <abstractions/bus/org.freedesktop.Notifications.d>
# vim:syntax=apparmor
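Review bot: Three of the four rules use `interface=org.freedesktop.DBus.Properties` for members that are not Properties members: `Notify`, `GetCapabilities`, `GetServerInformation` and `CloseNotification` are methods, and `NotificationClosed` a signal, of `interface=org.freedesktop.Notifications`, so as written these rules will not match the calls they are meant to allow and the including profiles will see denials. Change the interface on the second, third and fourth rules to `interface=org.freedesktop.Notifications`, keeping only the `GetAll` rule on `org.freedesktop.DBus.Properties`. `member=Notify` on a receive rule with `peer=(name=org.freedesktop.DBus, ...)` also looks like a reply rather than a call; confirm it is needed. The hard-coded `label=gjs-console` ties this abstraction to one notification server implementation, which is worth a comment if intentional.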


@ -2,13 +2,15 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allow communication with PackageKit transactions. Transactions are exported
# with random object paths that currently take the form /@{int}_@{hex8}.
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.PackageKit label=packagekitd
dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=packagekitd),
dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=org.freedesktop.PackageKit, label=packagekitd),
dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.DBus.Introspectable
member=Introspect
@ -17,15 +19,7 @@
dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.PackageKit
member=StateHasChanged
peer=(name=org.freedesktop.PackageKit),
dbus send bus=system path=/@{int}_@{hex8}
interface=org.freedesktop.PackageKit.Transaction
peer=(label=packagekitd),
dbus receive bus=system path=/@{int}_@{hex8}
interface=org.freedesktop.PackageKit.Transaction
peer=(label=packagekitd),
peer=(name=org.freedesktop.PackageKit, label=packagekitd),
include if exists <abstractions/bus/org.freedesktop.PackageKit.d>
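Review bot: The header comment `# Allow communication with PackageKit transactions. Transactions are exported with random object paths that currently take the form /@{int}_@{hex8}.` describes the two `path=/@{int}_@{hex8}` transaction rules that appear only in the old rows, and the -17,15 +19,7 counts indicate they are dropped on the new side; if the comment stays it now documents rules that no longer exist. Either reword it to cover what remains (`# Allow querying PackageKit's state and properties; transaction objects are granted per profile.`) or keep the transaction rules. The enclosing file continues between the two hunks, so there may be further transaction rules out of view.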


@ -2,26 +2,34 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Can talk to polkitd's CheckAuthorization API
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
member=Changed
peer=(name="@{busname}", label="@{p_polkitd}"),
peer=(name=:*, label=polkitd),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=polkitd),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
member={CheckAuthorization,CancelCheckAuthorization}
peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"),
member=CheckAuthorization
peer=(name=org.freedesktop.PolicyKit1, label=polkitd),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
member=RegisterAuthenticationAgentWithOptions
peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"),
member=CheckAuthorization
peer=(name=:*, label=polkitd),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
member=CheckAuthorization
peer=(name=org.freedesktop.PolicyKit1),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=:*, label=polkitd),
include if exists <abstractions/bus/org.freedesktop.PolicyKit1.d>
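Review bot: `CheckAuthorization` is granted three times in this hunk with three different peer specs (`name=org.freedesktop.PolicyKit1, label=polkitd`, `name=:*, label=polkitd`, and `name=org.freedesktop.PolicyKit1` with no label); the unlabelled variant is a superset of the labelled well-known-name one, so the label check there is effectively void. If the unlabelled rule is on the new side, drop it so the allow is tied to the polkitd confinement label and not only to name ownership. The two labelled cases collapse into one rule with `peer=(name="{:*,org.freedesktop.PolicyKit1}", label=polkitd),`, matching the `{:*,...}` style used elsewhere in this compare.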


@ -2,25 +2,30 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allow setting realtime priorities.
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label="@{p_rtkit_daemon}"
dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.RealtimeKit1),
dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.RealtimeKit1
member={MakeThreadHighPriority,MakeThreadRealtime}
peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"),
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name=:*, label=rtkit-daemon),
dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.RealtimeKit1
member={MakeThreadHighPriorityWithPID,MakeThreadRealtimeWithPID}
peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"),
member=MakeThread*
peer=(name=:*, label=rtkit-daemon),
dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.RealtimeKit1
member=MakeThread*
peer=(name=org.freedesktop.RealtimeKit1),
dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.RealtimeKit1
member=MakeThread*
peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon),
include if exists <abstractions/bus/org.freedesktop.RealtimeKit1.d>
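Review bot: `member=MakeThread*` appears in three send rules here and is a prefix wildcard, so it also admits the `*WithPID` variants that act on another process's threads and any method rtkit adds later; the explicit lists `{MakeThreadHighPriority,MakeThreadRealtime}` and `{MakeThreadHighPriorityWithPID,MakeThreadRealtimeWithPID}` in the same hunk show the intended scope. If the wildcard rules are the new side, prefer the explicit member lists. The rule ending `peer=(name=org.freedesktop.RealtimeKit1),` has no label and so covers the labelled well-known-name rule right after it; keeping only the labelled form, with `name="{:*,org.freedesktop.RealtimeKit1}"`, gives one rule instead of three.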


@ -0,0 +1,12 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
dbus send bus=session path=/ScreenSaver
interface=org.freedesktop.ScreenSaver
member={Inhibit,UnInhibit}
peer=(name=org.freedesktop.ScreenSaver),
include if exists <abstractions/bus/org.freedesktop.ScreenSaver.d>
# vim:syntax=apparmor
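Review bot: `peer=(name=org.freedesktop.ScreenSaver),` in this new file carries no label, so the `Inhibit`/`UnInhibit` grant is keyed on bus-name ownership alone; `org.freedesktop.ScreenSaver` is a name that more than one desktop component may own, which is presumably why no single label was chosen. The other new abstractions in this compare pin a label on every peer; if several owners are expected, a `label="{...}"` alternation with a one-line comment listing them keeps this consistent with the rest of the set.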


@ -2,17 +2,15 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
interface=org.freedesktop.DBus.Peer
member=Ping
peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"),
peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner),
dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
interface=org.freedesktop.Tracker3.Endpoint
member=Query
peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"),
peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner),
include if exists <abstractions/bus/org.freedesktop.Tracker3.Miner.Files.d>


@ -2,39 +2,55 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.UDisks2 label=udisksd
dbus send bus=system path=/org/freedesktop/UDisks2
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
dbus send bus=system path=/org/freedesktop/UDisks2/**
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
dbus send bus=system path=/
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
dbus send bus=system path=/
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*}
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*}
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
dbus receive bus=system path=/org/freedesktop/UDisks2
interface=org.freedesktop.DBus.ObjectManager
member=InterfacesAdded
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
dbus receive bus=system path=/org/freedesktop/UDisks2/jobs/@{int}
interface=org.freedesktop.UDisks2.Job
member=Completed
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
dbus receive bus=system path=/org/freedesktop/UDisks2/block_devices/*
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
include if exists <abstractions/bus/org.freedesktop.UDisks2.d>


@ -0,0 +1,46 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
dbus send bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=EnumerateDevices
peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
dbus send bus=system path=/org/freedesktop/UPower{,/**}
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
dbus send bus=system path=/org/freedesktop/UPower{,/**}
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name=org.freedesktop.UPower, label=upowerd),
dbus send bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.DBus.Properties
member=GetDisplayDevice
peer=(name=org.freedesktop.UPower, label=upowerd),
dbus send bus=system path=/org/freedesktop/UPower/devices/*
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
dbus send bus=system path=/org/freedesktop/UPower/devices/*
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
dbus receive bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=DeviceAdded
peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
dbus receive bus=system path=/org/freedesktop/UPower/devices/*
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
include if exists <abstractions/bus/org.freedesktop.UPower.d>
# vim:syntax=apparmor
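Review bot: The rule `interface=org.freedesktop.DBus.Properties member=GetDisplayDevice` on `/org/freedesktop/UPower` names the wrong interface: `GetDisplayDevice` is a method of `org.freedesktop.UPower`, not of the Properties interface, so this rule never matches and the call stays denied; change that line to `interface=org.freedesktop.UPower`. Two other rules in this new file are fully covered by earlier ones — the `{Get,GetAll}` rule with `peer=(name=org.freedesktop.UPower, label=upowerd)` is a subset of the preceding `UPower{,/**}` rule whose peer is `name="{:*,org.freedesktop.UPower}"`, and the `/devices/*` `{Get,GetAll}` rule lies inside that same `{,/**}` path with the same peer. Both can be removed without changing what is allowed.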


@ -1,11 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon}
include if exists <abstractions/bus/org.freedesktop.UPower.PowerProfiles.d>
# vim:syntax=apparmor


@ -2,9 +2,15 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/freedesktop/background/monitor
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=xdg-desktop-portal),
#aa:dbus common bus=session name=org.freedesktop.background.Monitor label=xdg-desktop-portal
dbus receive bus=session path=/org/freedesktop/background/monitor
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=xdg-desktop-portal),
include if exists <abstractions/bus/org.freedesktop.background.Monitor.d>


@ -2,13 +2,14 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}"
dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{:*,org.freedesktop.hostname1}", label=systemd-hostnamed),
dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties
member=Get
member={Get,GetAll}
peer=(name=org.freedesktop.hostname1),
include if exists <abstractions/bus/org.freedesktop.hostname1.d>


@ -2,19 +2,15 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store
dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=xdg-permission-store),
dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
interface=org.freedesktop.impl.portal.PermissionStore
member=Lookup
peer=(name="@{busname}", label=xdg-permission-store),
dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
interface=org.freedesktop.impl.portal.PermissionStore
member=Lookup
peer=(name=org.freedesktop.impl.portal.PermissionStore, label=xdg-permission-store),
peer=(name=:*, label=xdg-permission-store),
include if exists <abstractions/bus/org.freedesktop.impl.portal.PermissionStore.d>


@ -2,13 +2,15 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/locale1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=systemd-localed),
dbus send bus=system path=/org/freedesktop/locale1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=org.freedesktop.locale1),
include if exists <abstractions/bus/system/org.freedesktop.locale1.d>
include if exists <abstractions/bus/org.freedesktop.locale1.d>
# vim:syntax=apparmor


@ -2,24 +2,35 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
#aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
dbus receive bus=system path=/org/freedesktop/login1
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID}
peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
dbus receive bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={SessionNew,SessionRemoved,UserNew,UserRemoved,SeatNew,PrepareFor*}
peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareFor*}
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.login1.Session
member=PauseDeviceComplete
peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
peer=(name=org.freedesktop.login1, label=systemd-logind),
include if exists <abstractions/bus/org.freedesktop.login1.d>


@ -2,24 +2,40 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member=GetSession
peer=(name="@{busname}", label="@{p_systemd_logind}"),
peer=(name=:*, label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1{,session/*,seat/*}
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name=:*, label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.login1.Session
member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint}
peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1/seat/*
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
dbus receive bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=systemd-logind),
dbus receive bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.login1.Session
member={PauseDevice,Unlock}
peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
include if exists <abstractions/bus/org.freedesktop.login1.Session.d>
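Review bot: The path `/org/freedesktop/login1{,session/*,seat/*}` in the `Introspect` send rule is missing the `/` inside the alternation, so it expands to `/org/freedesktop/login1session/*` and `/org/freedesktop/login1seat/*`, which are not object paths logind exports; only the bare `/org/freedesktop/login1` branch can ever match. If this rule is on the new side, it should read `path=/org/freedesktop/login1{,/session/*,/seat/*}`. The rest of the hunk is consistent: the session and seat property reads and the `PauseDevice`/`Unlock` receives are all pinned to `label=systemd-logind`.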


@ -2,9 +2,10 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}"
dbus send bus=system path=/org/freedesktop/network1
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.network1, label=systemd-networkd),
include if exists <abstractions/bus/org.freedesktop.network1.d>


@ -2,59 +2,30 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties
member=Read
peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=@{busname}, label=xdg-desktop-portal),
member={Get,GetAll,Read}
peer=(name="{:*,org.freedesktop.portal.Desktop}", label=xdg-desktop-portal),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Settings
member={Read,ReadAll}
peer=(name=@{busname}, label=xdg-desktop-portal),
peer=(name=:*, label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Settings
member=SettingChanged
peer=(name=@{busname}, label=xdg-desktop-portal),
peer=(name=:*, label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop{,/**}
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name=@{busname}, label=xdg-desktop-portal),
peer=(name=:*, label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.impl.portal.Settings
member={Read,ReadAll}
peer=(name=@{busname}, label=xdg-desktop-portal),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.host.portal.Registry
member=Register
peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop/**
interface=org.freedesktop.portal.Request
member=Response
peer=(name=@{busname}, label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Inhibit
member={StateChanged,CreateMonitor}
peer=(name=@{busname}, label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop/session/**
interface=org.freedesktop.impl.portal.Session
member=Close
peer=(name=@{busname}, label=xdg-desktop-portal),
peer=(name=:*, label=xdg-desktop-portal),
include if exists <abstractions/bus/org.freedesktop.portal.Desktop.d>
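Review bot: `member={Get,GetAll,Read}` under `interface=org.freedesktop.DBus.Properties` lists `Read`, which is not a method of the Properties interface — the portal's `Read`/`ReadAll` live on `org.freedesktop.portal.Settings` and are granted by the rule two below — so that entry is dead and misleading. If the line is on the new side, reduce it to `member={Get,GetAll}`. The `dbus receive ... interface=org.freedesktop.DBus.Properties member={Get,GetAll}` rule would also benefit from a one-line comment naming the portal flow in which xdg-desktop-portal calls back into the client, since the signal a client normally receives on that interface is `PropertiesChanged`.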


@ -0,0 +1,12 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
dbus send bus=system path=/org/freedesktop/resolve1
interface=org.freedesktop.resolve1.Manager
member={SetLink*,ResolveHostname}
peer=(name="{:*,org.freedesktop.resolve1}", label=systemd-resolved),
include if exists <abstractions/bus/org.freedesktop.resolve1.d>
# vim:syntax=apparmor
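Review bot: `member={SetLink*,ResolveHostname}` is a prefix wildcard over the `SetLink*` family of `org.freedesktop.resolve1.Manager`, which are the per-link DNS configuration setters that systemd-resolved treats as privileged, and this new file is a shared abstraction that any profile can include. Name resolution via `ResolveHostname` is what most includers need; list the `SetLink` methods explicitly, or move the setter grant into the few profiles that actually configure links, and add a one-line comment stating why the setters are present. As written the rule also matches any future `SetLink`-prefixed method.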


@ -2,14 +2,15 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=session name=org.freedesktop.secrets label=gnome-keyring-daemon
dbus send bus=session path=/org/freedesktop/secrets{,/**}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gnome-keyring-daemon),
dbus send bus=session path=/org/freedesktop/secrets
interface=org.freedesktop.Secret.Service
member={OpenSession,GetSecrets,SearchItems,Unlock,ReadAlias}
peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon),
member={OpenSession,GetSecrets,SearchItems,ReadAlias}
peer=(name=:*, label=gnome-keyring-daemon),
dbus send bus=session path=/org/freedesktop/secrets/aliases/default
interface=org.freedesktop.Secret.Collection
@ -19,7 +20,12 @@
dbus receive bus=session path=/org/freedesktop/secrets/collection/login
interface=org.freedesktop.Secret.Collection
member=ItemCreated
peer=(name="@{busname}", label=gnome-keyring-daemon),
peer=(name=:*, label=gnome-keyring-daemon),
dbus receive bus=session path=/org/freedesktop/secrets/collection/login
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=gnome-keyring-daemon),
include if exists <abstractions/bus/org.freedesktop.secrets.d>


@ -2,18 +2,14 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member={GetUnit,GetUnitByPIDFD,StartUnit,StartTransientUnit}
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
dbus send bus=system path=/org/freedesktop/systemd1
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=ListUnitsByPatterns
member={GetUnit,StartUnit,StartTransientUnit}
peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
dbus send bus=session path=/org/freedesktop/systemd1
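Review bot: The rule `dbus send bus=session path=/org/freedesktop/systemd1 ... member={GetUnit,StartUnit,StartTransientUnit}` pairs the session bus with `label="@{p_systemd}"`, while the sibling `org.freedesktop.systemd1-session` abstraction in this compare pins session-bus rules to `label="@{p_systemd_user}"` and the system-bus rules here use `@{p_systemd}`; if that line is on the new side, the label looks wrong and the rule should use `peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),` or move into the session abstraction. The member list with `StartUnit` and `StartTransientUnit` on the system bus grants unit control from a shared abstraction; a comment naming the includers that need it would keep that reviewable. The hunk ends mid-rule, so the final `dbus send bus=session` stanza is not visible here.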


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name=org.freedesktop.systemd1),
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{:*,org.freedesktop.systemd1}", label="@{p_systemd_user}"),
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=GetUnit
peer=(name="{:*,org.freedesktop.systemd1}", label="@{p_systemd_user}"),
include if exists <abstractions/bus/org.freedesktop.systemd1-session.d>
# vim:syntax=apparmor
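Review bot: The first `{Get,GetAll}` rule in this new file ends with `peer=(name=org.freedesktop.systemd1),` and no label, so it already allows the well-known-name half of the second rule without the `@{p_systemd_user}` label check, and additionally any differently-labelled or unconfined owner of that name. Keep the labelled rule with `name="{:*,org.freedesktop.systemd1}"` and drop the unlabelled one, or add a comment stating which includer talks to a user manager that does not carry `@{p_systemd_user}`.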


@ -2,9 +2,21 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/timedate1
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.timedate1, label=systemd-timedated),
#aa:dbus common bus=system name=org.freedesktop.timedate1 label="@{p_systemd_timedated}"
# FIXME: should be under the systemd-timedated label
dbus send bus=system path=/org/freedesktop/timedate1
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.timedate1, label=unconfined),
dbus send bus=system path=/org/freedesktop/timedate1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=systemd-timedated),
include if exists <abstractions/bus/org.freedesktop.timedate1.d>
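Review bot: The rule under `# FIXME: should be under the systemd-timedated label` allows `Get` on `org.freedesktop.timedate1` with `peer=(... label=unconfined)`, while the two neighbouring rules in the same hunk pin `label=systemd-timedated`; an `unconfined` peer label only ever matches when timedated is running outside its profile, which is the state this policy set exists to avoid relying on. If that rule is on the new side, either remove it (the `member=Get` rule with `label=systemd-timedated` above it covers the confined case) or extend the FIXME to say on which systems timedated still runs unconfined, so the exception can be retired.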


@ -2,15 +2,16 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=session name=org.gnome.ArchiveManager1 label="@{p_file_roller}"
dbus send bus=session path=/org/gnome/ArchiveManager1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=file-roller),
dbus send bus=session path=/org/gnome/ArchiveManager1
interface=org.gnome.ArchiveManager1
member=GetSupportedTypes
peer=(name="@{busname}", label="@{p_file_roller}"),
peer=(name=:*, label=file-roller),
include if exists <abstractions/bus/session/org.gnome.ArchiveManager1.d>
include if exists <abstractions/bus/org.gnome.ArchiveManager1.d>
# vim:syntax=apparmor


@ -0,0 +1,12 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
dbus send bus=system path=/org/gnome/DisplayManager/Manager
interface=org.gnome.DisplayManager.Manager
member=RegisterDisplay
peer=(name=:*, label=gdm),
include if exists <abstractions/bus/org.gnome.DisplayManager.d>
# vim:syntax=apparmor


@ -2,24 +2,30 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell
dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
interface=org.gnome.Mutter.DisplayConfig
member={GetResources,GetCrtcGamma}
peer=(name="@{busname}", label=gnome-shell),
peer=(name=:*, label=gnome-shell),
dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
interface=org.gnome.Mutter.DisplayConfig
member=GetCurrentState
peer=(name="{@{busname},org.gnome.Mutter.DisplayConfig}", label=gnome-shell),
peer=(name="{:*,org.gnome.Mutter.DisplayConfig}", label=gnome-shell),
dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
peer=(name=:*, label=gnome-shell),
dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=gnome-shell),
dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig
interface=org.gnome.Mutter.DisplayConfig
member=MonitorsChanged
peer=(name="@{busname}", label=gnome-shell),
peer=(name=:*, label=gnome-shell),
include if exists <abstractions/bus/org.gnome.Mutter.DisplayConfig.d>
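Review bot: The send rule with `interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged}` lists `PropertiesChanged`, which is a signal emitted by the service, not a method a client sends; the client-side direction is the `dbus receive ... member=PropertiesChanged` rule that follows it. If the send rule is on the new side, reduce it to `member=GetAll` so the rule describes only the call that actually happens.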


@ -2,24 +2,20 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=session name=org.gnome.Mutter.IdleMonitor label=gnome-shell
dbus send bus=session path=/org/gnome/Mutter/IdleMonitor
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name="@{busname}", label=gnome-shell),
peer=(name=:*, label=gnome-shell),
dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core
interface=org.gnome.Mutter.IdleMonitor
member={AddIdleWatch,AddUserActiveWatch,RemoveWatch,GetIdletime}
peer=(name="{@{busname},org.gnome.Mutter.IdleMonitor}", label=gnome-shell),
member={AddIdleWatch,AddUserActiveWatch,RemoveWatch}
peer=(name=:*, label=gnome-shell),
dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core
interface=org.gnome.Mutter.IdleMonitor
member=WatchFired
peer=(name="@{busname}", label=gnome-shell),
peer=(name=:*, label=gnome-shell),
include if exists <abstractions/bus/org.gnome.Mutter.IdleMonitor.d>


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
dbus send bus=session path=/org/gnome/Nautilus/FileOperations2
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=nautilus),
dbus send bus=session path=/org/gnome/Nautilus/FileOperations2
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=:*, label=nautilus),
dbus receive bus=session path=/org/gnome/Nautilus/FileOperations2
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=nautilus),
include if exists <abstractions/bus/org.gnome.Nautilus.FileOperations2.d>
# vim:syntax=apparmor


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
dbus send bus=session path=/org/gnome/ScreenSaver
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gjs-console),
dbus send bus=session path=/org/gnome/ScreenSaver
interface=org.gnome.ScreenSaver
member=GetActive
peer=(name=:*, label=gjs-console),
dbus receive bus=session path=/org/gnome/ScreenSaver
interface=org.gnome.ScreenSaver
member={ActiveChanged,WakeUpScreen}
peer=(name=:*, label=gjs-console),
include if exists <abstractions/bus/org.gnome.ScreenSaver.d>
# vim:syntax=apparmor


@ -0,0 +1,64 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# FIXME: Too large, restrict it.
dbus send bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member={RegisterClient,IsSessionRunning}
peer=(name=:*, label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member={Setenv,IsSessionRunning}
peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded}
peer=(name=:*, label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
interface=org.gnome.SessionManager.ClientPrivate
member=EndSessionResponse
peer=(name=:*, label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager/Client@{int}
interface=org.gnome.SessionManager.ClientPrivate
member={CancelEndSession,QueryEndSession,EndSession,Stop}
peer=(name=:*, label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager/Client@{int}
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager/Presence
interface=org.gnome.SessionManager.Presence
member=StatusChanged
peer=(name=:*, label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
include if exists <abstractions/bus/org.gnome.SessionManager.d>
# vim:syntax=apparmor
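Review bot: `Setenv` in `member={Setenv,IsSessionRunning}` changes the environment that gnome-session hands to later-started clients, and here it sits in a shared abstraction that any profile can include; consider moving it into the specific profiles that need it, with a comment naming them, and leaving only `IsSessionRunning` in the well-known-name rule. The `# FIXME: Too large, restrict it.` header would be more actionable if it said which member lists below are known to be over-broad. `IsSessionRunning` appears in two rules that differ only in addressing (`name=:*` versus `name=org.gnome.SessionManager`); the `{:*,org.gnome.SessionManager}` alternation used elsewhere in this compare would merge them.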


@ -2,19 +2,30 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/gnome/Shell/Introspect
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gnome-shell),
#aa:dbus common bus=session name=org.gnome.Shell.Introspect label=gnome-shell
dbus send bus=session path=/org/gnome/Shell/Introspect
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.gnome.Shell.Introspect, label=gnome-shell),
dbus send bus=session path=/org/gnome/Shell/Introspect
interface=org.gnome.Shell.Introspect
member=GetRunningApplications
peer=(name="@{busname}", label=gnome-shell),
peer=(name=:*, label=gnome-shell),
dbus receive bus=session path=/org/gnome/Shell/Introspect
interface=org.gnome.Shell.Introspect
member={RunningApplicationsChanged,WindowsChanged}
peer=(name="@{busname}", label=gnome-shell),
peer=(name=:*, label=gnome-shell),
dbus receive bus=session path=/org/gnome/Shell/Introspect
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=gnome-shell),
include if exists <abstractions/bus/org.gnome.Shell.Introspect.d>


@ -1,22 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell
dbus receive bus=session path=/org/gnome/Characters/SearchProvider
interface=org.gnome.Shell.SearchProvider2
member={GetInitialResultSet,GetSubsearchResultSet,GetResultMetas}
peer=(name=@{busname}, label=gnome-shell),
dbus receive bus=session path=/org/gnome/Characters/SearchProvider
interface=org.gnome.Shell.SearchProvider2
member=*Cancel
peer=(name=@{busname}, label=gnome-shell),
include if exists <abstractions/bus/org.gnome.Shell.SearchProvider2.d>
# vim:syntax=apparmor


@ -1,28 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allow accessing the GNOME crypto services prompt APIs as used by
# applications using libgcr (such as pinentry-gnome3) for secure pin
# entry to unlock GPG keys etc. See:
# https://developer.gnome.org/gcr/unstable/GcrPrompt.html
# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html
# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711
abi <abi/4.0>,
unix type=stream peer=(label=gnome-keyring-daemon),
dbus send bus=session path=/org/gnome/keyring/Prompter
interface=org.gnome.keyring.internal.Prompter
member={BeginPrompting,PerformPrompt,StopPrompting}
peer=(name=@{busname}, label=pinentry-*),
dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int}
interface=org.gnome.keyring.internal.Prompter.Callback
member={PromptReady,PromptDone}
peer=(name=@{busname}, label=pinentry-*),
include if exists <abstractions/bus/org.gnome.keyring.internal.Prompter.d>
# vim:syntax=apparmor


@ -2,23 +2,21 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
interface=org.gtk.Private.RemoteVolumeMonitor
member={List,IsSupported,VolumeChanged,VolumeMount,MountAdded}
peer=(name="@{busname}", label=gvfs-*-volume-monitor),
peer=(name=:*, label=gvfs-*-volume-monitor),
dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
interface=org.gtk.Private.RemoteVolumeMonitor
member={MountAdded,MountChanged,VolumeChanged,VolumeRemoved}
peer=(name="@{busname}", label=gvfs-*-volume-monitor),
peer=(name=:*, label=gvfs-*-volume-monitor),
dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
interface=org.gtk.Private.RemoteVolumeMonitor
member={VolumeAdded,DriveDisconnected,DriveConnected,DriveChanged}
peer=(name="@{busname}", label=gvfs-*-volume-monitor),
peer=(name=:*, label=gvfs-*-volume-monitor),
include if exists <abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor.d>
include if exists <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor.d>
# vim:syntax=apparmor
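Review bot: The send rule at the top of this hunk lists `VolumeChanged` and `MountAdded` in its member set, yet the receive rules below treat exactly those names as notifications coming from gvfs-*-volume-monitor, so it looks as though signal names were copied into the method list. Unless a caller really emits those two, the send rule can be tightened to `member={List,IsSupported,VolumeMount}`, which keeps the abstraction at least privilege. The include line also moves from `abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor.d` to `abstractions/bus/org.gtk.Private.RemoteVolumeMonitor.d`, so local drop-ins kept under the old directory stop being read without any error; a one-line note in the header would save users from chasing new denials. The markers are not preserved in this rendering, so the first point assumes the send rule is unchanged context.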


@ -0,0 +1,12 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
dbus send bus=session path=/org/gtk/vfs/Daemon
interface=org.gtk.vfs.Daemon
member={GetConnection,ListMonitorImplementations,ListMountableInfo}
peer=(name=:*, label=gvfsd),
include if exists <abstractions/bus/org.gtk.vfs.Daemon.d>
# vim:syntax=apparmor
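Review bot: This new abstraction has no `abi <abi/4.0>,` line, unlike the modified siblings in this compare (org.gnome.Shell.Introspect, org.gtk.Private.RemoteVolumeMonitor, org.gtk.vfs.MountTracker) which carry it right after the SPDX header; the same applies to the new org.gtk.vfs.Metadata and org.kde.StatusNotifierItem files. Keeping the abi declaration consistent across abstractions avoids having the dbus rules interpreted under whatever abi the including profile happens to declare, so adding `abi <abi/4.0>,` after the license line in all three is the simplest fix. The hunk header counts 12 new lines while only 9 are shown, so if the rendering merely dropped the abi line along with blank lines, disregard.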


@ -0,0 +1,17 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
dbus send bus=session path=/org/gtk/vfs/metadata
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gvfsd-metadata),
dbus receive bus=session path=/org/gtk/vfs/metadata
interface=org.gtk.vfs.Metadata
member=AttributeChanged
peer=(name=:*, label=gvfsd-metadata),
include if exists <abstractions/bus/org.gtk.vfs.Metadata.d>
# vim:syntax=apparmor


@ -2,30 +2,21 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# The mount tracking interface.
abi <abi/4.0>,
dbus send bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=LookupMount
peer=(name="@{busname}", label=gvfsd),
member=ListMountableInfo
peer=(name=:*, label=gvfsd),
dbus send bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=ListMounts2
peer=(name="@{busname}", label=gvfsd),
dbus send bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=ListMountableInfo
peer=(name="@{busname}", label=gvfsd),
peer=(name=:*, label=gvfsd),
dbus receive bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member={Mounted,Unmounted}
peer=(name="@{busname}", label=gvfsd),
member=Mounted
peer=(name=:*, label=gvfsd),
include if exists <abstractions/bus/session/org.gtk.vfs.MountTracker.d>
include if exists <abstractions/bus/org.gtk.vfs.MountTracker.d>
# vim:syntax=apparmor
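Review bot: The new receive rule keeps only `member=Mounted` where the old one allowed `{Mounted,Unmounted}`, and the `LookupMount` and `ListMounts2` send rules disappear with it, so a client tracking mounts through this interface would start seeing denials on `Unmounted` signals and on `ListMounts2`. If that narrowing is intentional it deserves a line in the header (`# The mount tracking interface.` says nothing about scope); otherwise `member={Mounted,Unmounted}` on the receive rule is the minimal restoration. As in the RemoteVolumeMonitor abstraction, the include path drops the `session/` component, so existing local drop-ins under the old `.d` directory are silently no longer read. The markers are lost in this rendering, so the old/new assignment above is inferred from the pairing of duplicated lines.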


@ -0,0 +1,8 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
include if exists <abstractions/bus/org.kde.StatusNotifierItem.d>
# vim:syntax=apparmor
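Review bot: This new abstraction contains no rules at all, only the header and `include if exists <abstractions/bus/org.kde.StatusNotifierItem.d>`, so including it grants nothing unless a drop-in exists. If that is the intent, a short comment after the license header such as `# No rules by default; site-specific rules go in org.kde.StatusNotifierItem.d` would stop the next reader from assuming rules were lost; if rules were meant to be here, they are missing. The hunk header counts 8 new lines while 5 are shown, so blank lines appear to have been dropped in rendering, but no rule lines are visible.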


@ -2,52 +2,20 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allow to display Status Notifier Items in the KDE Plasma systray
abi <abi/4.0>,
#aa-dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell
dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
dbus receive bus=session path=/StatusNotifierItem
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label="@{pp_app_indicator}"),
dbus send bus=session path=/{StatusNotifierItem/menu,org/ayatana/NotificationItem/*/Menu}
interface=com.canonical.dbusmenu
member={LayoutUpdated,ItemsPropertiesUpdated}
peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
dbus receive bus=session path=/{StatusNotifierItem,StatusNotifierItem/menu,org/ayatana/NotificationItem/**}
interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu}
member={Get*,AboutTo*,Event*}
peer=(label="@{pp_app_indicator}"),
peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
dbus send bus=session path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem
peer=(label="@{pp_app_indicator}"),
peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell),
dbus receive bus=session path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member={ProvideXdgActivationToken,Activate}
peer=(label="@{pp_app_indicator}"),
dbus receive bus=session path=/MenuBar
interface=com.canonical.dbusmenu
member={AboutToShow,GetLayout,Event}
peer=(label="@{pp_app_indicator}"),
dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
include if exists <abstractions/bus/org.kde.StatusNotifierWatcher.d>
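Review bot: The directive at the top of this hunk is spelled `#aa-dbus common ...` while every other directive in this compare uses `#aa:dbus common ...` (org.gnome.Shell.Introspect, org.gnome.Shell.SearchProvider2); if the generator keys on the `#aa:` prefix, this one is read as a plain comment and the common rules for org.kde.StatusNotifierWatcher are never emitted. Changing it to `#aa:dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell` aligns it with the others. The header `# Allow to display Status Notifier Items in the KDE Plasma systray` also no longer matches a file whose every peer label is gnome-shell, and the rules that let the item be queried back (Properties GetAll, dbusmenu, Activate) are absent from the new side, which may be intentional but is worth a sentence in the header. Which of these lines are added is not recoverable from this rendering, so the first point applies only if the `#aa-dbus` line is on the new side.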


@ -2,10 +2,6 @@
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
owner @{run}/user/@{uid}/glfw-shared-@{rand6} rw,
include if exists <abstractions/glfw.d>
include if exists <abstractions/bus/org.kde.kwalletd.d>
# vim:syntax=apparmor
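Review bot: This section ends with drop-in includes for two unrelated abstractions, `abstractions/glfw.d` and `abstractions/bus/org.kde.kwalletd.d`, next to an `owner @{run}/user/@{uid}/glfw-shared-@{rand6} rw,` rule; a bus abstraction should not carry GLFW shared-memory rules and vice versa, so one of these lines appears to be in the wrong file. The hunk header reports 10 old and 6 new lines but only 7 are shown and the markers are lost, so this may be an artefact of the compare view rather than a defect in the tree; please check the file at both ends of the compare.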


@ -1,21 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allow use of snapd's internal xdg-open
abi <abi/4.0>,
dbus send bus=session path=/
interface=com.canonical.SafeLauncher
member=OpenURL
peer=(name=@{busname}, label=snap),
dbus send bus=session path=/io/snapcraft/Launcher
interface=io.snapcraft.Launcher
member={OpenURL,OpenFile}
peer=(name=@{busname}, label=snap),
include if exists <abstractions/bus/session/io.snapcraft.Launcher.d>
# vim:syntax=apparmor


@ -1,16 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Can identify and launch other snaps.
abi <abi/4.0>,
dbus send bus=session path=/io/snapcraft/PrivilegedDesktopLauncher
interface=io.snapcraft.PrivilegedDesktopLauncher
member=OpenDesktopEntry
peer=(name=io.snapcraft.Launcher, label=snap),
include if exists <abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher.d>
# vim:syntax=apparmor


@ -1,16 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allow use of snapd's internal 'xdg-settings'
abi <abi/4.0>,
dbus send bus=session path=/io/snapcraft/Settings
interface=io.snapcraft.Settings
member={Check,CheckSub,Get,GetSub,Set,SetSub}
peer=(name=io.snapcraft.Settings, label=snap),
include if exists <abstractions/bus/session/io.snapcraft.Settings.d>
# vim:syntax=apparmor
