Compare commits
No commits in common. "main" and "dev" have entirely different histories.
579 changed files with 2300 additions and 4121 deletions
5
.github/workflows/main.yml
|
|
@ -47,6 +47,11 @@ jobs:
|
|||
if [[ ${{ matrix.mode }} == full-system-policy ]]; then
|
||||
sed -e "s/just complain/just fsp-complain/" -i debian/rules
|
||||
fi
|
||||
if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then
|
||||
# Test with Re-attach disconnected path
|
||||
sed -e 's;// builder.Register("attach");builder.Register("attach");' -i pkg/prebuild/cli/cli.go
|
||||
sed -e '/@{att}/d' -i apparmor.d/tunables/multiarch.d/system
|
||||
fi
|
||||
bash dists/build.sh dpkg
|
||||
|
||||
- name: Install apparmor.d
|
||||
|
|
|
|||
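Review bot: `sed -e '/@{att}/d' -i apparmor.d/tunables/multiarch.d/system` deletes every line of the tunables file that mentions `@{att}`, not just its definition, so any other rule or comment in that file that references the variable is silently dropped as well; if the file defines it as `@{att}=...`, an anchored pattern such as `sed -e '/^@{att}=/d'` limits the edit to the definition. The preceding `sed` un-comments `builder.Register("attach")` in `pkg/prebuild/cli/cli.go`, so CI enables the re-attach path by patching Go source; a comment such as `# CI-only: enable the 'attach' builder by patching the source rather than via a flag` would stop the next reader from looking for a runtime option that this file does not show. Both edits run `sed -i` without verifying the pattern matched, so a renamed line would make this matrix entry quietly test the default configuration; `grep -q 'builder.Register("attach")' pkg/prebuild/cli/cli.go` after the edit would make that failure visible.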
86
Justfile
|
|
@ -49,52 +49,44 @@ c := "--connect=qemu:///system"
|
|||
# VM prefix
|
||||
prefix := "aa-"
|
||||
|
||||
# Show this help message
|
||||
[doc('Show this help message')]
|
||||
help:
|
||||
@just --list --unsorted
|
||||
@printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information."
|
||||
|
||||
# Build the go programs
|
||||
[group('build')]
|
||||
[doc('Build the go programs')]
|
||||
build:
|
||||
@go build -o {{build}}/ ./cmd/aa-log
|
||||
@go build -o {{build}}/ ./cmd/prebuild
|
||||
|
||||
# Prebuild the profiles in enforced mode
|
||||
[group('build')]
|
||||
[doc('Prebuild the profiles in enforced mode')]
|
||||
enforce: build
|
||||
@./{{build}}/prebuild --buildir {{build}}
|
||||
|
||||
# Prebuild the profiles in enforce mode (test)
|
||||
enforce-test: build
|
||||
@./{{build}}/prebuild --buildir {{build}} --test
|
||||
|
||||
# Prebuild the profiles in complain mode
|
||||
[group('build')]
|
||||
[doc('Prebuild the profiles in complain mode')]
|
||||
complain: build
|
||||
./{{build}}/prebuild --buildir {{build}} --complain
|
||||
|
||||
# Prebuild the profiles in complain mode (test)
|
||||
complain-test: build
|
||||
@./{{build}}/prebuild --buildir {{build}} --complain --test
|
||||
|
||||
# Prebuild the profiles in FSP mode
|
||||
[group('build')]
|
||||
[doc('Prebuild the profiles in FSP mode')]
|
||||
fsp: build
|
||||
@./{{build}}/prebuild --buildir {{build}} --full
|
||||
|
||||
# Prebuild the profiles in FSP mode (complain)
|
||||
[group('build')]
|
||||
[doc('Prebuild the profiles in FSP mode (complain)')]
|
||||
fsp-complain: build
|
||||
@./{{build}}/prebuild --buildir {{build}} --complain --full
|
||||
|
||||
# Prebuild the profiles in FSP mode (debug)
|
||||
[group('build')]
|
||||
[doc('Prebuild the profiles in FSP mode (debug)')]
|
||||
fsp-debug: build
|
||||
@./{{build}}/prebuild --buildir {{build}} --complain --full --debug
|
||||
|
||||
# Install prebuild profiles
|
||||
[group('install')]
|
||||
[doc('Install prebuild profiles')]
|
||||
install:
|
||||
#!/usr/bin/env bash
|
||||
set -eu -o pipefail
|
||||
|
|
@ -121,8 +113,8 @@ install:
|
|||
install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf"
|
||||
done
|
||||
|
||||
# Locally install prebuild profiles
|
||||
[group('install')]
|
||||
[doc('Locally install prebuild profiles')]
|
||||
local +names:
|
||||
#!/usr/bin/env bash
|
||||
set -eu -o pipefail
|
||||
|
|
@ -143,39 +135,39 @@ local +names:
|
|||
done;
|
||||
systemctl restart apparmor || sudo journalctl -xeu apparmor.service
|
||||
|
||||
# Prebuild, install, and load a dev profile
|
||||
[group('install')]
|
||||
[doc('Prebuild, install, and load a dev profile')]
|
||||
dev name:
|
||||
go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}`
|
||||
sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}}
|
||||
sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service
|
||||
|
||||
# Build & install apparmor.d on Arch based systems
|
||||
[group('packages')]
|
||||
[doc('Build & install apparmor.d on Arch based systems')]
|
||||
pkg:
|
||||
@makepkg --syncdeps --install --cleanbuild --force --noconfirm
|
||||
|
||||
# Build & install apparmor.d on Debian based systems
|
||||
[group('packages')]
|
||||
[doc('Build & install apparmor.d on Debian based systems')]
|
||||
dpkg:
|
||||
@bash dists/build.sh dpkg
|
||||
@sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb
|
||||
|
||||
# Build & install apparmor.d on OpenSUSE based systems
|
||||
[group('packages')]
|
||||
[doc('Build & install apparmor.d on OpenSUSE based systems')]
|
||||
rpm:
|
||||
@bash dists/build.sh rpm
|
||||
@sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm
|
||||
|
||||
# Run the unit tests
|
||||
[group('tests')]
|
||||
[doc('Run the unit tests')]
|
||||
tests:
|
||||
@go test ./cmd/... -v -cover -coverprofile=coverage.out
|
||||
@go test ./pkg/... -v -cover -coverprofile=coverage.out
|
||||
@go tool cover -func=coverage.out
|
||||
|
||||
# Run the linters
|
||||
[group('linter')]
|
||||
[doc('Run the linters')]
|
||||
lint:
|
||||
golangci-lint run
|
||||
packer fmt tests/packer/
|
||||
|
|
@ -185,34 +177,34 @@ lint:
|
|||
tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \
|
||||
debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm
|
||||
|
||||
# Run style checks on the profiles
|
||||
[group('linter')]
|
||||
[doc('Run style checks on the profiles')]
|
||||
check:
|
||||
@bash tests/check.sh
|
||||
|
||||
# Generate the man pages
|
||||
[group('docs')]
|
||||
[doc('Generate the man pages')]
|
||||
man:
|
||||
@pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md
|
||||
|
||||
# Build the documentation
|
||||
[group('docs')]
|
||||
[doc('Build the documentation')]
|
||||
docs:
|
||||
@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict
|
||||
|
||||
# Serve the documentation
|
||||
[group('docs')]
|
||||
[doc('Serve the documentation')]
|
||||
serve:
|
||||
@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve
|
||||
|
||||
# Remove all build artifacts
|
||||
[doc('Remove all build artifacts')]
|
||||
clean:
|
||||
@rm -rf \
|
||||
debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \
|
||||
{{pkgdest}}/{{pkgname}}* {{build}} coverage.out
|
||||
|
||||
# Build the package in a clean OCI container
|
||||
[group('packages')]
|
||||
[doc('Build the package in a clean OCI container')]
|
||||
package dist:
|
||||
#!/usr/bin/env bash
|
||||
set -eu -o pipefail
|
||||
|
|
@ -227,8 +219,8 @@ package dist:
|
|||
fi
|
||||
bash dists/docker.sh $dist $version
|
||||
|
||||
# Build the VM image
|
||||
[group('vm')]
|
||||
[doc('Build the VM image')]
|
||||
img dist flavor: (package dist)
|
||||
@mkdir -p {{base_dir}}
|
||||
packer build -force \
|
||||
|
|
@ -245,8 +237,8 @@ img dist flavor: (package dist)
|
|||
-var output_dir={{output_dir}} \
|
||||
tests/packer/
|
||||
|
||||
# Create the machine
|
||||
[group('vm')]
|
||||
[doc('Create the machine')]
|
||||
create dist flavor:
|
||||
@cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2
|
||||
@virt-install {{c}} \
|
||||
|
|
@ -265,53 +257,53 @@ create dist flavor:
|
|||
--sound model=ich9 \
|
||||
--noautoconsole
|
||||
|
||||
# Start a machine
|
||||
[group('vm')]
|
||||
[doc('Start a machine')]
|
||||
up dist flavor:
|
||||
@virsh {{c}} start {{prefix}}{{dist}}-{{flavor}}
|
||||
|
||||
# Stops the machine
|
||||
[group('vm')]
|
||||
[doc('Stops the machine')]
|
||||
halt dist flavor:
|
||||
@virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}}
|
||||
|
||||
# Reboot the machine
|
||||
[group('vm')]
|
||||
[doc('Reboot the machine')]
|
||||
reboot dist flavor:
|
||||
@virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}}
|
||||
|
||||
# Destroy the machine
|
||||
[group('vm')]
|
||||
[doc('Destroy the machine')]
|
||||
destroy dist flavor:
|
||||
@virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true
|
||||
@virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram
|
||||
@rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2
|
||||
|
||||
# Connect to the machine
|
||||
[group('vm')]
|
||||
[doc('Connect to the machine')]
|
||||
ssh dist flavor:
|
||||
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}`
|
||||
|
||||
# Mount the shared directory on the machine
|
||||
[group('vm')]
|
||||
[doc('Mount the shared directory on the machine')]
|
||||
mount dist flavor:
|
||||
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
|
||||
sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4'
|
||||
|
||||
# Unmout the shared directory on the machine
|
||||
[group('vm')]
|
||||
[doc('Unmout the shared directory on the machine')]
|
||||
umount dist flavor:
|
||||
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
|
||||
sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true'
|
||||
|
||||
# List the machines
|
||||
[group('vm')]
|
||||
[doc('List the machines')]
|
||||
list:
|
||||
@printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State"
|
||||
@virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g'
|
||||
|
||||
# List the VM images
|
||||
[group('vm')]
|
||||
[doc('List the VM images')]
|
||||
images:
|
||||
#!/usr/bin/env bash
|
||||
set -eu -o pipefail
|
||||
|
|
@ -328,8 +320,8 @@ images:
|
|||
}
|
||||
'
|
||||
|
||||
# List the VM images that can be created
|
||||
[group('vm')]
|
||||
[doc('List the VM images that can be created')]
|
||||
available:
|
||||
#!/usr/bin/env bash
|
||||
set -eu -o pipefail
|
||||
|
|
@ -345,36 +337,36 @@ available:
|
|||
}
|
||||
'
|
||||
|
||||
# Install dependencies for the integration tests
|
||||
[group('tests')]
|
||||
[doc('Install dependencies for the integration tests')]
|
||||
init:
|
||||
@bash tests/requirements.sh
|
||||
|
||||
# Run the integration tests
|
||||
[group('tests')]
|
||||
[doc('Run the integration tests')]
|
||||
integration name="":
|
||||
bats --recursive --timing --print-output-on-failure tests/integration/{{name}}
|
||||
|
||||
# Install dependencies for the integration tests (machine)
|
||||
[group('tests')]
|
||||
[doc('Install dependencies for the integration tests (machine)')]
|
||||
tests-init dist flavor:
|
||||
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
|
||||
just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init
|
||||
|
||||
# Synchronize the integration tests (machine)
|
||||
[group('tests')]
|
||||
[doc('Synchronize the integration tests (machine)')]
|
||||
tests-sync dist flavor:
|
||||
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
|
||||
rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/
|
||||
|
||||
# Re-synchronize the integration tests (machine)
|
||||
[group('tests')]
|
||||
[doc('Re-synchronize the integration tests (machine)')]
|
||||
tests-resync dist flavor: (mount dist flavor) \
|
||||
(tests-sync dist flavor) \
|
||||
(umount dist flavor)
|
||||
|
||||
# Run the integration tests (machine)
|
||||
[group('tests')]
|
||||
[doc('Run the integration tests (machine)')]
|
||||
tests-run dist flavor name="": (tests-resync dist flavor)
|
||||
ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
|
||||
bats --recursive --pretty --timing --print-output-on-failure \
|
||||
|
|
|
|||
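Review bot: In the `tests:` recipe (hunk `@ -143,39 +135,39 @@`) both `go test` calls write `-coverprofile=coverage.out`, so the second run overwrites the first and `go tool cover -func=coverage.out` reports `./pkg/...` coverage only; a single `@go test ./cmd/... ./pkg/... -v -cover -coverprofile=coverage.out` keeps both. In the same hunk `dev name:` passes `{{name}}` unquoted to `find -iname` and to `sudo install ... /etc/apparmor.d/{{name}}`, so a name containing glob characters is expanded by the shell before `find` sees it and a name containing a path separator installs outside `/etc/apparmor.d`; quoting as `'{{name}}'` and failing when `find` returns anything but one path would make the helper fail loudly instead. `dev` also hard-codes `--complain`, which its doc line does not say; `[doc('Prebuild, install, and load a dev profile (complain mode)')]` documents that.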
111
PKGBUILD
|
|
@ -3,15 +3,8 @@
|
|||
|
||||
# Warning: for development only, use https://aur.archlinux.org/packages/apparmor.d-git for production use.
|
||||
|
||||
pkgbase=apparmor.d
|
||||
pkgname=(
|
||||
apparmor.d
|
||||
# apparmor.d.enforced
|
||||
# apparmor.d.fsp apparmor.d.fsp.enforced
|
||||
# apparmor.d.server apparmor.d.server.enforced
|
||||
# apparmor.d.server.fsp apparmor.d.server.fsp.enforced
|
||||
)
|
||||
pkgver=0.0001
|
||||
pkgname=apparmor.d
|
||||
pkgver=0.001
|
||||
pkgrel=1
|
||||
pkgdesc="Full set of apparmor profiles"
|
||||
arch=('x86_64' 'armv6h' 'armv7h' 'aarch64')
|
||||
|
|
@ -19,9 +12,10 @@ url="https://github.com/roddhjav/apparmor.d"
|
|||
license=('GPL-2.0-only')
|
||||
depends=('apparmor>=4.1.0' 'apparmor<5.0.0')
|
||||
makedepends=('go' 'git' 'rsync' 'just')
|
||||
conflicts=("$pkgname-git")
|
||||
|
||||
pkgver() {
|
||||
cd "$srcdir/$pkgbase"
|
||||
cd "$srcdir/$pkgname"
|
||||
echo "0.$(git rev-list --count HEAD)"
|
||||
}
|
||||
|
||||
|
|
@ -30,104 +24,17 @@ prepare() {
|
|||
}
|
||||
|
||||
build() {
|
||||
cd "$srcdir/$pkgbase"
|
||||
cd "$srcdir/$pkgname"
|
||||
export CGO_CPPFLAGS="${CPPFLAGS}"
|
||||
export CGO_CFLAGS="${CFLAGS}"
|
||||
export CGO_CXXFLAGS="${CXXFLAGS}"
|
||||
export CGO_LDFLAGS="${LDFLAGS}"
|
||||
export GOPATH="${srcdir}"
|
||||
export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
|
||||
export DISTRIBUTION=arch
|
||||
local -A modes=(
|
||||
# Mapping of modes to just build target.
|
||||
[default]=complain
|
||||
# [enforced]=enforce
|
||||
# [fsp]=fsp-complain
|
||||
# [fsp.enforced]=fsp
|
||||
# [server]=server-complain
|
||||
# [server.enforced]=server
|
||||
# [server.fsp]=server-fsp-complain
|
||||
# [server.fsp.enforced]=server-fsp
|
||||
)
|
||||
for mode in "${!modes[@]}"; do
|
||||
just build=".build/$mode" "${modes[$mode]}"
|
||||
done
|
||||
just complain
|
||||
}
|
||||
|
||||
_conflicts() {
|
||||
local mode="$1"
|
||||
local pattern=".$mode"
|
||||
if [[ "$mode" == "default" ]]; then
|
||||
pattern=""
|
||||
else
|
||||
echo "$pkgbase"
|
||||
fi
|
||||
for pkg in "${pkgname[@]}"; do
|
||||
if [[ "$pkg" == "${pkgbase}${pattern}" ]]; then
|
||||
continue
|
||||
fi
|
||||
echo "$pkg"
|
||||
done
|
||||
}
|
||||
|
||||
_install() {
|
||||
local mode="${1:?}"
|
||||
cd "$srcdir/$pkgbase"
|
||||
just build=".build/$mode" destdir="$pkgdir" install
|
||||
}
|
||||
|
||||
package_apparmor.d() {
|
||||
mode=default
|
||||
pkgdesc="$pkgdesc (complain mode)"
|
||||
mapfile -t conflicts < <(_conflicts $mode)
|
||||
_install $mode
|
||||
}
|
||||
|
||||
package_apparmor.d.enforced() {
|
||||
mode=enforced
|
||||
pkgdesc="$pkgdesc (enforced mode)"
|
||||
mapfile -t conflicts < <(_conflicts $mode)
|
||||
_install $mode
|
||||
}
|
||||
|
||||
package_apparmor.d.fsp() {
|
||||
mode="fsp"
|
||||
pkgdesc="$pkgdesc (FSP mode)"
|
||||
mapfile -t conflicts < <(_conflicts $mode)
|
||||
_install $mode
|
||||
}
|
||||
|
||||
package_apparmor.d.fsp.enforced() {
|
||||
mode="fsp.enforced"
|
||||
pkgdesc="$pkgdesc (FSP enforced mode)"
|
||||
mapfile -t conflicts < <(_conflicts $mode)
|
||||
_install $mode
|
||||
}
|
||||
|
||||
package_apparmor.d.server() {
|
||||
mode="server"
|
||||
pkgdesc="$pkgdesc (server complain mode)"
|
||||
mapfile -t conflicts < <(_conflicts $mode)
|
||||
_install $mode
|
||||
}
|
||||
|
||||
package_apparmor.d.server.enforced() {
|
||||
mode="server.enforced"
|
||||
pkgdesc="$pkgdesc (server enforced mode)"
|
||||
mapfile -t conflicts < <(_conflicts $mode)
|
||||
_install $mode
|
||||
}
|
||||
|
||||
package_apparmor.d.server.fsp() {
|
||||
mode="server.fsp"
|
||||
pkgdesc="$pkgdesc (server FSP complain mode)"
|
||||
mapfile -t conflicts < <(_conflicts $mode)
|
||||
_install $mode
|
||||
}
|
||||
|
||||
package_apparmor.d.server.fsp.enforced() {
|
||||
mode="server.fsp.enforced"
|
||||
pkgdesc="$pkgdesc (server FSP enforced mode)"
|
||||
mapfile -t conflicts < <(_conflicts $mode)
|
||||
_install $mode
|
||||
package() {
|
||||
cd "$srcdir/$pkgname"
|
||||
just destdir="$pkgdir" install
|
||||
}
|
||||
|
|
|
|||
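Review bot: The new `package()` installs what `just complain` produced in `build()`, so the shipped profiles are in complain mode, but `pkgdesc="Full set of apparmor profiles"` no longer says so — the removed `package_apparmor.d()` appended `(complain mode)` to it. Either `pkgdesc="Full set of apparmor profiles (complain mode)"` or a comment above `just complain` such as `# Development package: profiles are built in complain mode only` would keep that visible, consistent with the warning at the top of the file. `build()` and `package()` also no longer pass a `build=` variable to `just` as the removed loop did, so they rely on the Justfile's default build directory being the same in both steps; if that is intended, a one-line comment in `package()` saying so would help.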
|
|
@ -5,10 +5,10 @@
|
|||
abi <abi/4.0>,
|
||||
|
||||
# The unix socket to use to connect to the display
|
||||
unix (connect, receive, send) type=stream peer=(addr=@/tmp/.ICE-unix/@{int}),
|
||||
unix (connect, receive, send) type=stream peer=(addr=@/tmp/.X11-unix/X@{int}),
|
||||
unix type=stream addr=@/tmp/.ICE-unix/@{int},
|
||||
unix type=stream addr=@/tmp/.X11-unix/X@{int},
|
||||
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
|
||||
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
|
||||
unix type=stream addr="@/tmp/.ICE-unix/[0-9]*",
|
||||
unix type=stream addr="@/tmp/.X11-unix/X[0-9]*",
|
||||
|
||||
/usr/share/X11/{,**} r,
|
||||
/usr/share/xsessions/{,*.desktop} r, # Available Xsessions
|
||||
|
|
@ -16,13 +16,13 @@
|
|||
|
||||
/etc/X11/cursors/{,**} r,
|
||||
|
||||
owner @{HOME}/.ICEauthority r, # ICEauthority files required for X authentication, per user
|
||||
owner @{HOME}/.ICEauthority rw, # ICEauthority files required for X authentication, per user
|
||||
owner @{HOME}/.Xauthority rw, # Xauthority files required for X connections, per user
|
||||
owner @{HOME}/.xsession-errors rw,
|
||||
|
||||
/tmp/.ICE-unix/@{int} rw,
|
||||
/tmp/.ICE-unix/* rw,
|
||||
/tmp/.X@{int}-lock rw,
|
||||
/tmp/.X11-unix/X@{int} rw,
|
||||
/tmp/.X11-unix/* rw,
|
||||
owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int},
|
||||
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland
|
||||
|
|
|
|||
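Review bot: The `+`/`-` markers are lost on this page, but with old-before-new print order the `/tmp/.ICE-unix/* rw,` and `/tmp/.X11-unix/* rw,` lines in the `@ -16,13 +16,13 @@` hunk appear to be the new side, and they widen the `@{int}`-suffixed rules to every file in those directories; the `addr="@/tmp/.ICE-unix/[0-9]*"` unix rules in the first hunk are wider than the `@{int}` forms in the same way (`@{int}` is defined in the project's tunables, not shown here). If the widening is deliberate, a short comment on why the numeric pattern was insufficient would help; otherwise the `@{int}` variants are the tighter rule. `owner @{HOME}/.ICEauthority rw,` likewise replaces an `r` rule; if this abstraction is meant for clients, `r` may be enough, so a comment naming what needs write access to the cookie file would justify the change.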
|
|
@ -1,15 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allow communication with Assistive Technology Service Provider Interface (AT-SPI)
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/bus-accessibility>
|
||||
include <abstractions/bus/accessibility/org.a11y>
|
||||
include <abstractions/bus/session/org.a11y>
|
||||
|
||||
include if exists <abstractions/accessibility.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -2,11 +2,6 @@
|
|||
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
# LOGPROF-SUGGEST: no
|
||||
# NEEDS-VARIABLE: name
|
||||
# NEEDS-VARIABLE: domain
|
||||
# NEEDS-VARIABLE: lib_dirs
|
||||
# NEEDS-VARIABLE: config_dirs
|
||||
# NEEDS-VARIABLE: cache_dirs
|
||||
|
||||
# Full set of rules for all chromium based browsers. It works as a *function*
|
||||
# and requires some variables to be provided as *arguments* and set in the
|
||||
|
|
@ -25,32 +20,32 @@
|
|||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/avahi-observe>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.bluez>
|
||||
include <abstractions/bus/org.freedesktop.Avahi>
|
||||
include <abstractions/bus/org.freedesktop.FileManager1>
|
||||
include <abstractions/bus/org.freedesktop.Notifications>
|
||||
include <abstractions/bus/org.freedesktop.ScreenSaver>
|
||||
include <abstractions/bus/org.freedesktop.secrets>
|
||||
include <abstractions/bus/org.freedesktop.UPower>
|
||||
include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
|
||||
include <abstractions/bus/session/org.gnome.SessionManager>
|
||||
include <abstractions/bus/system/org.bluez>
|
||||
include <abstractions/camera>
|
||||
include <abstractions/bus/org.gnome.ScreenSaver>
|
||||
include <abstractions/bus/org.gnome.SessionManager>
|
||||
include <abstractions/bus/org.kde.kwalletd>
|
||||
include <abstractions/common/chromium>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/devices-u2f>
|
||||
include <abstractions/devices-usb-read>
|
||||
include <abstractions/devices-usb>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/notifications>
|
||||
include <abstractions/pcscd>
|
||||
include <abstractions/screensaver>
|
||||
include <abstractions/secrets-service>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/thumbnails-cache-read>
|
||||
include <abstractions/uim>
|
||||
include <abstractions/upower-observe>
|
||||
include <abstractions/user-download-strict>
|
||||
include <abstractions/user-read-strict>
|
||||
include <abstractions/video>
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
|
|
@ -108,6 +103,7 @@
|
|||
|
||||
/etc/@{name}/{,**} r,
|
||||
/etc/fstab r,
|
||||
/etc/{,opensc/}opensc.conf r,
|
||||
|
||||
/ r,
|
||||
owner @{HOME}/ r,
|
||||
|
|
@ -155,7 +151,9 @@
|
|||
@{sys}/class/**/ r,
|
||||
@{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r,
|
||||
@{sys}/devices/@{pci}/boot_vga r,
|
||||
@{sys}/devices/@{pci}/report_descriptor r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/virtual/**/report_descriptor r,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
|
|
@ -180,6 +178,7 @@
|
|||
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||
|
||||
/dev/ r,
|
||||
/dev/hidraw@{int} rw,
|
||||
/dev/tty rw,
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
|
|
|
|||
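Review bot: `/dev/hidraw@{int} rw,` in the `@ -180,6 +178,7 @@` hunk grants the browser read/write on every raw HID node, keyboards and mice included, while the same profile already includes `<abstractions/devices-u2f>`; the hunk header counts one addition and the markers are lost, so if this is the added line a comment such as `# Raw HID needed for <reason — to be filled in>` or a narrower rule would be preferable. The include hunk lists both `<abstractions/devices-usb-read>` and `<abstractions/devices-usb>`, presumably one per side; which one survives decides whether the browser gets write access to arbitrary USB devices, and nothing in the section records the rationale. The same `/dev/hidraw@{int} rw,` line appears in the following firefox section's `@ -164,6 +160,7 @@` hunk next to `/dev/video@{int} rw,`, and this note applies there as well.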
|
|
@ -2,10 +2,6 @@
|
|||
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
# LOGPROF-SUGGEST: no
|
||||
# NEEDS-VARIABLE: name
|
||||
# NEEDS-VARIABLE: lib_dirs
|
||||
# NEEDS-VARIABLE: config_dirs
|
||||
# NEEDS-VARIABLE: cache_dirs
|
||||
|
||||
# Full set of rules for all firefox based browsers. It works as a *function*
|
||||
# and requires some variables to be provided as *arguments* and set in the
|
||||
|
|
@ -22,6 +18,7 @@
|
|||
include <abstractions/audio-client>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/bus/org.freedesktop.FileManager1>
|
||||
include <abstractions/bus/org.freedesktop.NetworkManager>
|
||||
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
||||
|
|
@ -30,13 +27,11 @@
|
|||
include <abstractions/cups-client>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/devices-u2f>
|
||||
include <abstractions/enchant>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/gstreamer>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/pcscd>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/thumbnails-cache-read>
|
||||
include <abstractions/uim>
|
||||
|
|
@ -80,6 +75,7 @@
|
|||
/usr/share/webext/{,**} r,
|
||||
/usr/share/xul-ext/kwallet5/* r,
|
||||
|
||||
/etc/{,opensc/}opensc.conf r,
|
||||
/etc/@{name}/{,**} r,
|
||||
/etc/fstab r,
|
||||
/etc/lsb-release r,
|
||||
|
|
@ -164,6 +160,7 @@
|
|||
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
|
||||
|
||||
/dev/ r,
|
||||
/dev/hidraw@{int} rw,
|
||||
/dev/tty rw,
|
||||
/dev/video@{int} rw,
|
||||
owner /dev/tty@{int} rw, # File Inherit
|
||||
|
|
|
|||
|
|
@ -7,8 +7,6 @@
|
|||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/accessibility>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/desktop>
|
||||
|
||||
# We cannot use `@{open_path} mrix,` here because it includes:
|
||||
|
|
@ -31,6 +29,9 @@
|
|||
# if @{DE} == kde
|
||||
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/bus-accessibility>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
|
|
|
|||
|
|
@ -19,7 +19,6 @@
|
|||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pid}/status r,
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
@{PROC}/@{pids}/environ r,
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@
|
|||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/base>
|
||||
include <abstractions/base-strict>
|
||||
|
||||
@{att}/@{run}/systemd/journal/dev-log w,
|
||||
@{att}/@{run}/systemd/journal/socket w,
|
||||
|
|
|
|||
|
|
@ -57,18 +57,12 @@
|
|||
owner @{run}/user/@{uid}/pulse/ rw,
|
||||
owner @{run}/user/@{uid}/pulse/native rw,
|
||||
|
||||
@{run}/udev/data/c116:@{int} r, # For ALSA
|
||||
@{run}/udev/data/+sound:card@{int} r, # For sound card
|
||||
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/sound/ r,
|
||||
|
||||
/dev/shm/ r,
|
||||
owner /dev/shm/pulse-shm-@{int} rw,
|
||||
|
||||
/dev/snd/controlC@{int} r,
|
||||
/dev/snd/pcmC@{int}D@{int}[cp] r,
|
||||
/dev/snd/timer r,
|
||||
|
||||
include if exists <abstractions/audio-client.d>
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,11 @@
|
|||
|
||||
include <abstractions/audio-client>
|
||||
|
||||
@{run}/udev/data/+sound:card@{int} r, # for sound card
|
||||
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/sound/ r,
|
||||
|
||||
@{PROC}/asound/** rw,
|
||||
|
||||
/dev/admmidi* rw,
|
||||
|
|
|
|||
|
|
@ -1,25 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2016 Canonical Ltd
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allows domain, record, service, and service type browsing as well as address,
|
||||
# host and service resolving
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/bus/system/org.freedesktop.Avahi.Server>
|
||||
|
||||
include <abstractions/bus/system/org.freedesktop.Avahi.AddressResolver>
|
||||
include <abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser>
|
||||
include <abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver>
|
||||
include <abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser>
|
||||
include <abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser>
|
||||
include <abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver>
|
||||
include <abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser>
|
||||
|
||||
@{run}/avahi-daemon/socket rw,
|
||||
|
||||
include if exists <abstractions/avahi-observe.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -8,20 +8,20 @@
|
|||
signal receive peer=@{p_systemd_user},
|
||||
|
||||
# Allow to receive some signals from new well-known profiles
|
||||
signal receive peer=btop,
|
||||
signal receive peer=htop,
|
||||
signal receive peer=pkill,
|
||||
signal receive peer=sudo,
|
||||
signal receive peer=top,
|
||||
signal receive set=(cont,term,kill,stop) peer=systemd-shutdown,
|
||||
signal receive set=(hup term) peer=login,
|
||||
signal receive set=(hup) peer=xinit,
|
||||
signal receive set=(term,kill) peer=gnome-shell,
|
||||
signal receive set=(term,kill) peer=gnome-system-monitor,
|
||||
signal receive set=(term,kill) peer=openbox,
|
||||
signal receive set=(term,kill) peer=su,
|
||||
signal (receive) peer=btop,
|
||||
signal (receive) peer=htop,
|
||||
signal (receive) peer=pkill,
|
||||
signal (receive) peer=sudo,
|
||||
signal (receive) peer=top,
|
||||
signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown,
|
||||
signal (receive) set=(hup term) peer=login,
|
||||
signal (receive) set=(hup) peer=xinit,
|
||||
signal (receive) set=(term,kill) peer=gnome-shell,
|
||||
signal (receive) set=(term,kill) peer=gnome-system-monitor,
|
||||
signal (receive) set=(term,kill) peer=openbox,
|
||||
signal (receive) set=(term,kill) peer=su,
|
||||
|
||||
ptrace readby peer=@{p_systemd_coredump},
|
||||
ptrace (readby) peer=@{p_systemd_coredump},
|
||||
|
||||
@{etc_rw}/localtime r,
|
||||
/etc/locale.conf r,
|
||||
|
|
@ -30,6 +30,4 @@
|
|||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
||||
/apparmor/.null rw,
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
|
|||
|
|
@ -1,65 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2017 Canonical Ltd
|
||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
# Allow the accessibility services in the user session to send us any events
|
||||
|
||||
dbus receive bus=accessibility
|
||||
peer=(label="@{p_at_spi2_registryd}"),
|
||||
|
||||
# Allow querying for capabilities and registering
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||
interface=org.a11y.atspi.Socket
|
||||
member=Embed
|
||||
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/registry
|
||||
interface=org.a11y.atspi.Registry
|
||||
member=GetRegisteredEvents
|
||||
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
|
||||
interface=org.a11y.atspi.DeviceEventController
|
||||
member={GetKeystrokeListeners,GetDeviceEventListeners}
|
||||
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
|
||||
interface=org.a11y.atspi.DeviceEventController
|
||||
member=NotifyListenersSync
|
||||
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
|
||||
|
||||
# org.a11y.atspi is not designed for application isolation and these rules
|
||||
# can be used to send change events for other processes.
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||
interface=org.a11y.atspi.Event.Object
|
||||
member=ChildrenChanged
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||
interface=org.a11y.atspi.Accessible
|
||||
member=Get*
|
||||
peer=(label="@{p_at_spi2_registryd}"),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
|
||||
interface=org.a11y.atspi.Event.Object
|
||||
member={ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved}
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={Get,GetAll}
|
||||
peer=(label="@{p_at_spi2_registryd}"),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/cache
|
||||
interface=org.a11y.atspi.Cache
|
||||
member={AddAccessible,RemoveAccessible}
|
||||
peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
|
||||
|
||||
include if exists <abstractions/bus/accessibility/org.a11y.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
63
apparmor.d/abstractions/bus/org.a11y
|
|
@ -0,0 +1,63 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
# Accessibility bus
|
||||
|
||||
dbus receive bus=accessibility path=/org/a11y/atspi/registry
|
||||
interface=org.a11y.atspi.Registry
|
||||
member=EventListenerDeregistered
|
||||
peer=(name="@{busname}", label="@{p_at_spi2_registryd}"),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/registry
|
||||
interface=org.a11y.atspi.Registry
|
||||
member=GetRegisteredEvents
|
||||
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
|
||||
interface=org.a11y.atspi.DeviceEventController
|
||||
member={GetKeystrokeListeners,GetDeviceEventListeners}
|
||||
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
|
||||
|
||||
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Set
|
||||
peer=(name="@{busname}", label="@{p_at_spi2_registryd}"),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||
interface=org.a11y.atspi.Socket
|
||||
member=Embed
|
||||
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||
interface=org.a11y.atspi.Socket
|
||||
member=Embed
|
||||
peer=(name=org.a11y.atspi.Registry),
|
||||
|
||||
# Session bus
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=@{busname}, label="@{p_dbus_accessibility}"),
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get
|
||||
peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.a11y.Bus
|
||||
member=Get
|
||||
peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.a11y.Bus
|
||||
member=GetAddress
|
||||
peer=(name=org.a11y.Bus),
|
||||
|
||||
include if exists <abstractions/bus/org.a11y.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
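Review bot: The second `member=Embed` rule, `peer=(name=org.a11y.atspi.Registry),`, carries no `label=` and therefore already permits everything the labelled rule directly above it permits, so the `label="@{p_at_spi2_registryd}"` variant is dead and the effective policy is "any process owning that name". Either drop the unlabelled duplicate or, if it exists for setups where the registry daemon runs unconfined, say so above it, e.g. `# Unlabelled variant for systems where at-spi2-registryd is not confined`. The `member=GetAddress` rule with `peer=(name=org.a11y.Bus)` at the end of the session-bus block has the same shape while the three rules before it carry `label="@{p_dbus_accessibility}"`; the same comment, or a label, would make the intent explicit there too.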
|
|
@ -36,6 +36,6 @@
member=RegisterApplication
|
||||
peer=(name=org.bluez, label="@{p_bluetoothd}"),
|
||||
|
||||
include if exists <abstractions/bus/system/org.bluez.d>
|
||||
include if exists <abstractions/bus/org.bluez.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -15,19 +15,19 @@
|
||||
dbus send bus=system path=/org/freedesktop/ColorManager
|
||||
interface=org.freedesktop.ColorManager
|
||||
member={CreateProfile,CreateDevice,DeleteDevice}
|
||||
peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"),
|
||||
member=CreateDevice
|
||||
peer=(name="@{busname}", label="@{p_colord}"),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/ColorManager
|
||||
interface=org.freedesktop.ColorManager
|
||||
member={DeviceAdded,DeviceRemoved}
|
||||
peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"),
|
||||
peer=(name="@{busname}", label="@{p_colord}"),
|
||||
|
||||
dbus (receive, send) bus=system path=/org/freedesktop/ColorManager
|
||||
interface=org.freedesktop.ColorManager
|
||||
member={FindDeviceByProperty,FindDeviceById}
|
||||
peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"),
|
||||
member=FindDeviceByProperty
|
||||
peer=(name="@{busname}", label="@{p_colord}"),
|
||||
|
||||
include if exists <abstractions/bus/system/org.freedesktop.ColorManager.d>
|
||||
include if exists <abstractions/bus/org.freedesktop.ColorManager.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
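--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Notifications
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+#aa:dbus common bus=session name=org.freedesktop.Notifications label=gjs-console
+
+dbus send bus=session path=/org/freedesktop/Notifications
+interface=org.freedesktop.DBus.Properties
+member={GetCapabilities,GetServerInformation,Notify}
+peer=(name="@{busname}", label=gjs-console),
+
+dbus receive bus=session path=/org/freedesktop/Notifications
+interface=org.freedesktop.DBus.Properties
+member={NotificationClosed,CloseNotification}
+peer=(name="@{busname}", label=gjs-console),
+
+dbus receive bus=session path=/org/freedesktop/Notifications
+interface=org.freedesktop.DBus.Properties
+member=Notify
+peer=(name=org.freedesktop.DBus, label=gjs-console),
+
+include if exists <abstractions/bus/org.freedesktop.Notifications.d>
+
+# vim:syntax=apparmor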
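Review bot: All three rules in this new file put Notifications methods under the wrong interface: `GetCapabilities`, `GetServerInformation`, `Notify` and `CloseNotification` are members of `org.freedesktop.Notifications`, not of `org.freedesktop.DBus.Properties` (whose members are Get/GetAll/Set/PropertiesChanged), so as written they match no real notification call, and the main-side file this replaces uses `interface=org.freedesktop.Notifications`. The direction of two members also looks swapped: `CloseNotification` is a method the client sends, while `ActionInvoked`/`NotificationClosed` are signals it receives, and a client never receives `Notify` from `org.freedesktop.DBus`, so the last rule is probably a mis-attributed log entry rather than a needed permission. I would also double-check `label=gjs-console`: other abstractions in this diff address the shell as `gnome-shell`, and if that is the process serving notifications the label here never matches. Suggested rewrite of the three rules:
```apparmor
dbus send bus=session path=/org/freedesktop/Notifications
     interface=org.freedesktop.Notifications
     member={GetCapabilities,GetServerInformation,Notify,CloseNotification}
     peer=(name="@{busname}", label=gjs-console),

dbus receive bus=session path=/org/freedesktop/Notifications
     interface=org.freedesktop.Notifications
     member={ActionInvoked,NotificationClosed}
     peer=(name="@{busname}", label=gjs-console),
# … unchanged: header, abi, directive, include, vim modeline …
```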
@ -2,9 +2,6 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allow communication with PackageKit transactions. Transactions are exported
|
||||
# with random object paths that currently take the form /@{int}_@{hex8}.
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
#aa:dbus common bus=system name=org.freedesktop.PackageKit label=packagekitd
|
||||
@ -19,14 +16,6 @@
member=StateHasChanged
|
||||
peer=(name=org.freedesktop.PackageKit),
|
||||
|
||||
dbus send bus=system path=/@{int}_@{hex8}
|
||||
interface=org.freedesktop.PackageKit.Transaction
|
||||
peer=(label=packagekitd),
|
||||
|
||||
dbus receive bus=system path=/@{int}_@{hex8}
|
||||
interface=org.freedesktop.PackageKit.Transaction
|
||||
peer=(label=packagekitd),
|
||||
|
||||
include if exists <abstractions/bus/org.freedesktop.PackageKit.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -2,8 +2,6 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Can talk to polkitd's CheckAuthorization API
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
#aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
|
||||
@ -15,13 +13,17 @@
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
interface=org.freedesktop.PolicyKit1.Authority
|
||||
member={CheckAuthorization,CancelCheckAuthorization}
|
||||
peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"),
|
||||
member=CheckAuthorization
|
||||
peer=(name=org.freedesktop.PolicyKit1, label="@{p_polkitd}"),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
interface=org.freedesktop.PolicyKit1.Authority
|
||||
member=RegisterAuthenticationAgentWithOptions
|
||||
peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"),
|
||||
member=CheckAuthorization
|
||||
peer=(name="@{busname}", label="@{p_polkitd}"),
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
interface=org.freedesktop.PolicyKit1.Authority
|
||||
member=CheckAuthorization
|
||||
peer=(name=org.freedesktop.PolicyKit1),
|
||||
|
||||
include if exists <abstractions/bus/org.freedesktop.PolicyKit1.d>
|
||||
|
||||
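Review bot: The third `CheckAuthorization` rule, `peer=(name=org.freedesktop.PolicyKit1)`, carries no label and therefore subsumes the labelled rule above it (`peer=(name=org.freedesktop.PolicyKit1, label="@{p_polkitd}")`), which becomes dead; any peer that manages to own the well-known name satisfies the check. Ownership of `org.freedesktop.PolicyKit1` on the system bus is gated by dbus-daemon's bus policy, so the practical exposure is limited, but the unlabelled rule quietly undoes the confinement the `#aa:dbus common ... label="@{p_polkitd}"` directive expresses. Either drop the label-less rule or add a comment stating why an unlabelled polkitd (for example its profile not being loaded) must be accepted, so the next reader does not "fix" it in the wrong direction.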
@ -2,20 +2,18 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allow checking status, activating and locking the screensaver (GNOME version)
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=session path=/{,org/gnome/}ScreenSaver
|
||||
interface=org.gnome.ScreenSaver
|
||||
member={GetActive,GetActiveTime,Lock,SetActive}
|
||||
peer=(name=@{busname}, label=gjs-console),
|
||||
dbus send bus=session path=/ScreenSaver
|
||||
interface=org.freedesktop.ScreenSaver
|
||||
member={Inhibit,UnInhibit}
|
||||
peer=(name=org.freedesktop.ScreenSaver),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/ScreenSaver
|
||||
interface=org.gnome.ScreenSaver
|
||||
member={ActiveChanged,WakeUpScreen}
|
||||
peer=(name=@{busname}, label=gjs-console),
|
||||
|
||||
include if exists <abstractions/bus/session/org.gnome.ScreenSaver.d>
|
||||
include if exists <abstractions/bus/org.freedesktop.ScreenSaver.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -29,6 +29,6 @@
member={DeviceAdded,DeviceRemoved}
|
||||
peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"),
|
||||
|
||||
include if exists <abstractions/bus/system/org.freedesktop.UPower.d>
|
||||
include if exists <abstractions/bus/org.freedesktop.UPower.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -4,11 +4,12 @@
|
||||
abi <abi/4.0>,
|
||||
|
||||
#aa:dbus common bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}"
|
||||
dbus send bus=system path=/org/freedesktop/locale1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=org.freedesktop.locale1),
|
||||
|
||||
include if exists <abstractions/bus/system/org.freedesktop.locale1.d>
|
||||
include if exists <abstractions/bus/org.freedesktop.locale1.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
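--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+#aa-dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}"
+
+dbus send bus=system path=/org/freedesktop/resolve1
+interface=org.freedesktop.resolve1.Manager
+member={ResolveAddress,ResolveHostname,ResolveRecord,ResolveService}
+peer=(name=org.freedesktop.resolve1, label="@{p_systemd_resolved}"),
+
+include if exists <abstractions/bus/org.freedesktop.resolve1.d>
+
+# vim:syntax=apparmor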
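Review bot: The directive in this new file is spelled `#aa-dbus common ...` while every other abstraction in this diff uses `#aa:dbus common ...` (Notifications, PackageKit, PolicyKit1, locale1, ScreenSaver, SessionManager). If the prebuild directive parser keys on the `#aa:` prefix, this line is treated as an ordinary comment and silently generates nothing, leaving only the explicit Resolve* rule. Change it to `#aa:dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}"`, and consider having the prebuild step warn on `#aa-` so a typo here surfaces as a build message instead of unexplained denials.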
@ -11,6 +11,6 @@
member=GetSupportedTypes
|
||||
peer=(name="@{busname}", label="@{p_file_roller}"),
|
||||
|
||||
include if exists <abstractions/bus/session/org.gnome.ArchiveManager1.d>
|
||||
include if exists <abstractions/bus/org.gnome.ArchiveManager1.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -1,5 +1,5 @@
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023-2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
@ -11,6 +11,6 @@
member=RegisterDisplay
|
||||
peer=(name="@{busname}", label=gdm),
|
||||
|
||||
include if exists <abstractions/bus/system/org.gnome.DisplayManager.d>
|
||||
include if exists <abstractions/bus/org.gnome.DisplayManager.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -6,6 +6,6 @@
|
||||
#aa:dbus common bus=session name=org.gnome.Nautilus.FileOperations2 label=nautilus
|
||||
|
||||
include if exists <abstractions/bus/session/org.gnome.Nautilus.FileOperations2.d>
|
||||
include if exists <abstractions/bus/org.gnome.Nautilus.FileOperations2.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
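--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+#aa:dbus common bus=session name=org.gnome.ScreenSaver label=gjs-console
+
+dbus send bus=session path=/org/gnome/ScreenSaver
+interface=org.gnome.ScreenSaver
+member=GetActive
+peer=(name="@{busname}", label=gjs-console),
+
+dbus receive bus=session path=/org/gnome/ScreenSaver
+interface=org.gnome.ScreenSaver
+member={ActiveChanged,WakeUpScreen}
+peer=(name="@{busname}", label=gjs-console),
+
+include if exists <abstractions/bus/org.gnome.ScreenSaver.d>
+
+# vim:syntax=apparmor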
@ -1,46 +1,48 @@
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# FIXME: Too large, restrict it.
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
#aa:dbus common bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}"
|
||||
#aa:dbus common bus=session name=org.gnome.SessionManager label=gnome-session-binary
|
||||
|
||||
dbus send bus=session path=/org/gnome/SessionManager
|
||||
interface=org.gnome.SessionManager
|
||||
member={RegisterClient,IsSessionRunning}
|
||||
peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
|
||||
peer=(name="@{busname}", label=gnome-session-binary),
|
||||
|
||||
dbus send bus=session path=/org/gnome/SessionManager
|
||||
interface=org.gnome.SessionManager
|
||||
member={Inhibit,Uninhibit}
|
||||
peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
|
||||
peer=(name="@{busname}", label=gnome-session-binary),
|
||||
|
||||
dbus send bus=session path=/org/gnome/SessionManager
|
||||
interface=org.gnome.SessionManager
|
||||
member={Setenv,IsSessionRunning}
|
||||
peer=(name=org.gnome.SessionManager, label="{gnome-session-binary,gnome-session-service}"),
|
||||
peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/SessionManager
|
||||
interface=org.gnome.SessionManager
|
||||
member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded}
|
||||
peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
|
||||
peer=(name="@{busname}", label=gnome-session-binary),
|
||||
|
||||
dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
|
||||
interface=org.gnome.SessionManager.ClientPrivate
|
||||
member=EndSessionResponse
|
||||
peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
|
||||
peer=(name="@{busname}", label=gnome-session-binary),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/SessionManager/Client@{int}
|
||||
interface=org.gnome.SessionManager.ClientPrivate
|
||||
member={CancelEndSession,QueryEndSession,EndSession,Stop}
|
||||
peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
|
||||
peer=(name="@{busname}", label=gnome-session-binary),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/SessionManager/Presence
|
||||
interface=org.gnome.SessionManager.Presence
|
||||
member=StatusChanged
|
||||
peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
|
||||
peer=(name="@{busname}", label=gnome-session-binary),
|
||||
|
||||
include if exists <abstractions/bus/session/org.gnome.SessionManager.d>
|
||||
include if exists <abstractions/bus/org.gnome.SessionManager.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
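Review bot: `member={Setenv,IsSessionRunning}` bundles a write into the session manager with a harmless status query: Setenv lets the caller place variables into the environment gnome-session hands to processes it launches afterwards, which most consumers of this abstraction presumably do not need (gnome-session may refuse it once the session is running, but that is enforcement by the peer, not by this policy). Since the new `# FIXME: Too large, restrict it.` already flags the file, this is the obvious first cut: keep `member=IsSessionRunning` in this rule and move `Setenv` into its own rule that profiles opt into through the `.d` drop-in or a dedicated abstraction, so a notification-only client cannot poison the environment of later session processes.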
@ -1,28 +0,0 @@
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allow accessing the GNOME crypto services prompt APIs as used by
|
||||
# applications using libgcr (such as pinentry-gnome3) for secure pin
|
||||
# entry to unlock GPG keys etc. See:
|
||||
# https://developer.gnome.org/gcr/unstable/GcrPrompt.html
|
||||
# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html
|
||||
# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
unix type=stream peer=(label=gnome-keyring-daemon),
|
||||
|
||||
dbus send bus=session path=/org/gnome/keyring/Prompter
|
||||
interface=org.gnome.keyring.internal.Prompter
|
||||
member={BeginPrompting,PerformPrompt,StopPrompting}
|
||||
peer=(name=@{busname}, label=pinentry-*),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int}
|
||||
interface=org.gnome.keyring.internal.Prompter.Callback
|
||||
member={PromptReady,PromptDone}
|
||||
peer=(name=@{busname}, label=pinentry-*),
|
||||
|
||||
include if exists <abstractions/bus/org.gnome.keyring.internal.Prompter.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -11,6 +11,6 @@
member={AddNotification,RemoveNotification}
|
||||
peer=(name=org.gtk.Notifications, label=gnome-shell),
|
||||
|
||||
include if exists <abstractions/bus/session/org.gtk.Notifications.d>
|
||||
include if exists <abstractions/bus/org.gtk.Notifications.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -19,6 +19,6 @@
member={VolumeAdded,DriveDisconnected,DriveConnected,DriveChanged}
|
||||
peer=(name="@{busname}", label=gvfs-*-volume-monitor),
|
||||
|
||||
include if exists <abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor.d>
|
||||
include if exists <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -1,9 +1,7 @@
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023-2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Each daemon (main and for mounts) implement this.
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=session path=/org/gtk/vfs/Daemon
|
||||
@ -16,6 +14,6 @@
member=GetConnection
|
||||
peer=(name=@{busname}),
|
||||
|
||||
include if exists <abstractions/bus/session/org.gtk.vfs.Daemon.d>
|
||||
include if exists <abstractions/bus/org.gtk.vfs.Daemon.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -13,13 +13,13 @@
dbus send bus=session path=/org/gtk/vfs/metadata
|
||||
interface=org.gtk.vfs.Metadata
|
||||
member={Set,Move,GetTreeFromDevice,Remove}
|
||||
peer=(name=@{busname}, label=gvfsd-metadata),
|
||||
peer=(name="@{busname}", label=gvfsd-metadata),
|
||||
|
||||
dbus receive bus=session path=/org/gtk/vfs/metadata
|
||||
interface=org.gtk.vfs.Metadata
|
||||
member=AttributeChanged
|
||||
peer=(name=@{busname}, label=gvfsd-metadata),
|
||||
peer=(name="@{busname}", label=gvfsd-metadata),
|
||||
|
||||
include if exists <abstractions/bus/session/org.gtk.vfs.Metadata.d>
|
||||
include if exists <abstractions/bus/org.gtk.vfs.Metadata.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -2,10 +2,13 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# The mount tracking interface.
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=session path=/org/gtk/vfs/mounttracker
|
||||
interface=org.gtk.vfs.MountTracker
|
||||
member=ListMountableInfo
|
||||
peer=(name="@{busname}", label=gvfsd),
|
||||
|
||||
dbus send bus=session path=/org/gtk/vfs/mounttracker
|
||||
interface=org.gtk.vfs.MountTracker
|
||||
member=LookupMount
|
||||
@ -16,16 +19,11 @@
member=ListMounts2
|
||||
peer=(name="@{busname}", label=gvfsd),
|
||||
|
||||
dbus send bus=session path=/org/gtk/vfs/mounttracker
|
||||
interface=org.gtk.vfs.MountTracker
|
||||
member=ListMountableInfo
|
||||
peer=(name="@{busname}", label=gvfsd),
|
||||
|
||||
dbus receive bus=session path=/org/gtk/vfs/mounttracker
|
||||
interface=org.gtk.vfs.MountTracker
|
||||
member={Mounted,Unmounted}
|
||||
peer=(name="@{busname}", label=gvfsd),
|
||||
|
||||
include if exists <abstractions/bus/session/org.gtk.vfs.MountTracker.d>
|
||||
include if exists <abstractions/bus/org.gtk.vfs.MountTracker.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -23,6 +23,11 @@
member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip}
|
||||
peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
|
||||
|
||||
include if exists <abstractions/bus/session/org.kde.StatusNotifierItem.d>
|
||||
dbus send bus=session path=/StatusNotifierWatcher
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get
|
||||
peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
|
||||
|
||||
include if exists <abstractions/bus/org.kde.StatusNotifierItem.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
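Review bot: The added rule pins the watcher to `label=gnome-shell`, whereas the new `org.freedesktop.Notifications` and `org.gnome.ScreenSaver` files in this same diff address services that on GNOME are also served by the shell as `label=gjs-console`. Only one of these can be the label the shell process actually runs under, so one set of rules will never match; I cannot tell from the diff which side is right, but the three files should agree. If both labels are genuinely possible (the shell confined differently depending on how it is launched), use the same alternation everywhere, `label="{gnome-shell,gjs-console}"`, rather than a different single label per file.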
@ -1,9 +1,9 @@
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include if exists <abstractions/bus/session/org.kde.kwalletd.d>
|
||||
include if exists <abstractions/bus/org.kde.kwalletd.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -1,5 +1,5 @@
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023-2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
@ -33,6 +33,6 @@
member=Seeked
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
include if exists <abstractions/bus/session/org.mpris.MediaPlayer2.Player.d>
|
||||
include if exists <abstractions/bus/org.mpris.MediaPlayer2.Player.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -1,21 +0,0 @@
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allow use of snapd's internal xdg-open
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=session path=/
|
||||
interface=com.canonical.SafeLauncher
|
||||
member=OpenURL
|
||||
peer=(name=@{busname}, label=snap),
|
||||
|
||||
dbus send bus=session path=/io/snapcraft/Launcher
|
||||
interface=io.snapcraft.Launcher
|
||||
member={OpenURL,OpenFile}
|
||||
peer=(name=@{busname}, label=snap),
|
||||
|
||||
include if exists <abstractions/bus/session/io.snapcraft.Launcher.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -1,16 +0,0 @@
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Can identify and launch other snaps.
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=session path=/io/snapcraft/PrivilegedDesktopLauncher
|
||||
interface=io.snapcraft.PrivilegedDesktopLauncher
|
||||
member=OpenDesktopEntry
|
||||
peer=(name=io.snapcraft.Launcher, label=snap),
|
||||
|
||||
include if exists <abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -1,16 +0,0 @@
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allow use of snapd's internal 'xdg-settings'
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=session path=/io/snapcraft/Settings
|
||||
interface=io.snapcraft.Settings
|
||||
member={Check,CheckSub,Get,GetSub,Set,SetSub}
|
||||
peer=(name=io.snapcraft.Settings, label=snap),
|
||||
|
||||
include if exists <abstractions/bus/session/io.snapcraft.Settings.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -1,29 +0,0 @@
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=@{busname}, label="@{p_dbus_accessibility}"),
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get
|
||||
peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.a11y.Bus
|
||||
member=Get
|
||||
peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.a11y.Bus
|
||||
member=GetAddress
|
||||
peer=(name=org.a11y.Bus),
|
||||
|
||||
include if exists <abstractions/bus/session/org.a11y.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -1,24 +0,0 @@
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allow access to the IBus portal
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/IBus
|
||||
interface=org.freedesktop.IBus.Portal
|
||||
member=CreateInputContext
|
||||
peer=(name=org.freedesktop.portal.IBus),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/IBus/InputContext_@{int}
|
||||
interface=org.freedesktop.IBus.InputContext
|
||||
peer=(label=ibus-daemon),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/IBus/InputContext_@{int}
|
||||
interface=org.freedesktop.IBus.InputContext
|
||||
peer=(label=ibus-daemon),
|
||||
|
||||
include if exists <abstractions/bus/session/org.freedesktop.IBus.Portal.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -1,21 +0,0 @@
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
#aa:dbus common bus=session name=org.freedesktop.Notifications label="@{pp_notification}"
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/Notifications
|
||||
interface=org.freedesktop.Notifications
|
||||
member={GetCapabilities,GetServerInformation,Notify,CloseNotification}
|
||||
peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/Notifications
|
||||
interface=org.freedesktop.Notifications
|
||||
member={ActionInvoked,NotificationClosed,NotificationReplied}
|
||||
peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"),
|
||||
|
||||
include if exists <abstractions/bus/session/org.freedesktop.Notifications.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -1,26 +0,0 @@
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allow checking status, activating and locking the screensaver
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=session path=/ScreenSaver
|
||||
interface=org.freedesktop.ScreenSaver
|
||||
member={Inhibit,UnInhibit}
|
||||
peer=(name=org.freedesktop.ScreenSaver),
|
||||
|
||||
dbus send bus=session path=/{,org/freedesktop/}ScreenSaver
|
||||
interface=org.freedesktop.ScreenSaver
|
||||
member={GetActive,GetActiveTime,Lock,SetActive}
|
||||
peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/ScreenSaver
|
||||
interface=org.freedesktop.ScreenSaver
|
||||
member={ActiveChanged,WakeUpScreen}
|
||||
peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"),
|
||||
|
||||
include if exists <abstractions/bus/session/org.freedesktop.ScreenSaver.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -1,49 +0,0 @@
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2017 Canonical Ltd
|
||||
# Copyright (C) 2021-2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Provide full access to the secret-service API:
|
||||
# - https://standards.freedesktop.org/secret-service/)
|
||||
#
|
||||
# The secret-service allows managing (add/delete/lock/etc) collections and
|
||||
# (add/delete/etc) items within collections. The API also has the concept of
|
||||
# aliases for collections which is typically used to access the default
|
||||
# collection. While it would be possible for an application developer to use a
|
||||
# snap-specific collection and mediate by object path, application developers
|
||||
# are meant to instead to treat collections (typically the default collection)
|
||||
# as a database of key/value attributes each with an associated secret that
|
||||
# applications may query. Because AppArmor does not mediate member data,
|
||||
# typical and recommended usage of the API does not allow for application
|
||||
# isolation. For details, see:
|
||||
# - https://standards.freedesktop.org/secret-service/ch03.html
|
||||
#
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
#aa:dbus common bus=session name=org.freedesktop.{S,s}ecret label=gnome-keyring-daemon
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/secrets{,/**}
|
||||
interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session}
|
||||
peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/secrets{,/**}
|
||||
interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session}
|
||||
peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/secrets
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=@{busname}, label=gnome-keyring-daemon),
|
||||
dbus send bus=session path=/org/freedesktop/secrets
|
||||
interface=org.freedesktop.Secret.Service
|
||||
member=ReadAlias
|
||||
peer=(name=org.freedesktop.secrets, label=gnome-keyring-daemon),
|
||||
dbus send bus=session path=/org/freedesktop/secrets
|
||||
interface=org.freedesktop.Secret.Service
|
||||
member=SearchItems
|
||||
peer=(name=@{busname}, label=gnome-keyring-daemon),
|
||||
|
||||
include if exists <abstractions/bus/session/org.freedesktop.Secret.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -1,19 +0,0 @@
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.portal.Settings
|
||||
member=Read
|
||||
peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.portal.Settings
|
||||
member=ReadAll
|
||||
peer=(name=@{busname}, label=xdg-desktop-portal),
|
||||
|
||||
include if exists <abstractions/bus/session/org.freedesktop.portal.Settings.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -1,23 +0,0 @@
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allow requesting interest in receiving media key events. This tells Gnome
|
||||
# settings that our application should be notified when key events we are
|
||||
# interested in are pressed, and allows us to receive those events.
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
# DBus.Properties: read all properties from the interface
|
||||
dbus send bus=session path=/org/gnome/SettingsDaemon/MediaKeys
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={Get,GetAll}
|
||||
peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys),
|
||||
|
||||
dbus (receive, send) bus=session path=/org/gnome/SettingsDaemon/MediaKeys
|
||||
interface=org.gnome.SettingsDaemon.MediaKeys
|
||||
peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys),
|
||||
|
||||
include if exists <abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -1,22 +0,0 @@
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=@{busname}, label=gnome-shell),
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.gtk.Actions
|
||||
member={Activate,DescribeAll,SetState},
|
||||
|
||||
dbus send bus=session
|
||||
interface=org.gtk.Actions
|
||||
member=Changed,
|
||||
|
||||
include if exists <abstractions/bus/session/org.gtk.Actions.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -1,18 +0,0 @@
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.gtk.Menus
|
||||
member={Start,End}
|
||||
peer=(name=@{busname}),
|
||||
|
||||
dbus send bus=session
|
||||
interface=org.gtk.Menus
|
||||
member=Changed,
|
||||
|
||||
include if exists <abstractions/bus/session/org.gtk.Menus.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -1,14 +0,0 @@
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023-2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=session path=/org/gtk/MountOperationHandler
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=@{busname}, label=gnome-shell),
|
||||
|
||||
include if exists <abstractions/bus/session/org.gtk.MountOperationHandler.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -1,18 +0,0 @@
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=session path=/org/gtk/Settings
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=@{busname}, label=gsd-xsettings),
|
||||
dbus receive bus=session path=/org/gtk/Settings
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged
|
||||
peer=(name=@{busname}, label=gsd-xsettings),
|
||||
|
||||
include if exists <abstractions/bus/session/org.gtk.Settings.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
@ -1,14 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus receive bus=session path=/org/gtk/gvfs/mountop/@{int}
|
||||
interface=org.gtk.vfs.MountOperation
|
||||
member={AskPassword,AskQuestion}
|
||||
peer=(name=@{busname}, label=gvfsd-*),
|
||||
|
||||
include if exists <abstractions/bus/session/org.gtk.vfs.MountOperation.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus receive bus=session path=/org/gtk/vfs/mountable
|
||||
interface=org.gtk.vfs.Mountable
|
||||
member=Mount
|
||||
peer=(name=@{busname}, label=gvfsd),
|
||||
|
||||
include if exists <abstractions/bus/session/org.gtk.vfs.Mountable.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int}
|
||||
interface=org.gtk.vfs.Spawner
|
||||
member=Spawned
|
||||
peer=(name=@{busname}, label=gvfsd),
|
||||
|
||||
include if exists <abstractions/bus/session/org.gtk.vfs.Spawner.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Address resolving
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member=AddressResolverNew
|
||||
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
|
||||
|
||||
dbus send bus=system path=/Client@{int}/AddressResolver@{int}
|
||||
interface=org.freedesktop.Avahi.AddressResolver
|
||||
member=Free
|
||||
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
|
||||
|
||||
dbus receive bus=system path=/Client@{int}/AddressResolver@{int}
|
||||
interface=org.freedesktop.Avahi.AddressResolver
|
||||
peer=(name=@{busname}, label="@{p_avahi_daemon}"),
|
||||
|
||||
include if exists <abstractions/bus/system/org.freedesktop.Avahi.AddressResolver.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Domain browsing
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member=DomainBrowserNew
|
||||
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
|
||||
|
||||
dbus send bus=system path=/Client@{int}/DomainBrowser@{int}
|
||||
interface=org.freedesktop.Avahi.DomainBrowser
|
||||
member=Free
|
||||
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
|
||||
|
||||
dbus receive bus=system path=/Client@{int}/DomainBrowser@{int}
|
||||
interface=org.freedesktop.Avahi.DomainBrowser
|
||||
peer=(name=@{busname}, label="@{p_avahi_daemon}"),
|
||||
|
||||
include if exists <abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Hostname resolving
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member=HostNameResolverNew
|
||||
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
|
||||
|
||||
dbus send bus=system path=/Client@{int}/HostNameResolver@{int}
|
||||
interface=org.freedesktop.Avahi.HostNameResolver
|
||||
member=Free
|
||||
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
|
||||
|
||||
dbus receive bus=system path=/Client@{int}/HostNameResolver@{int}
|
||||
interface=org.freedesktop.Avahi.HostNameResolver
|
||||
peer=(name=@{busname}, label="@{p_avahi_daemon}"),
|
||||
|
||||
include if exists <abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Record browsing
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member=RecordBrowserNew
|
||||
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
|
||||
|
||||
dbus send bus=system path=/Client@{int}/RecordBrowser@{int}
|
||||
interface=org.freedesktop.Avahi.RecordBrowser
|
||||
member=Free
|
||||
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
|
||||
|
||||
dbus receive bus=system path=/Client@{int}/RecordBrowser@{int}
|
||||
interface=org.freedesktop.Avahi.RecordBrowser
|
||||
peer=(name=@{busname}, label="@{p_avahi_daemon}"),
|
||||
|
||||
include if exists <abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,31 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.DBus.Peer
|
||||
member=Ping
|
||||
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
|
||||
|
||||
# Allow service introspection
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=@{busname}, label="@{p_avahi_daemon}"),
|
||||
|
||||
# Allow accessing DBus properties and resolving
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member={Get*,Resolve*,IsNSSSupportAvailable}
|
||||
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
|
||||
|
||||
# Allow receiving anything from the Avahi server
|
||||
dbus receive bus=system
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
peer=(name=@{busname}, label="@{p_avahi_daemon}"),
|
||||
|
||||
include if exists <abstractions/bus/system/org.freedesktop.Avahi.Server.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,23 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member=ServiceBrowserNew
|
||||
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
|
||||
|
||||
dbus send bus=system path=/Client@{int}/ServiceBrowser@{int}
|
||||
interface=org.freedesktop.Avahi.ServiceBrowser
|
||||
member=Free
|
||||
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
|
||||
|
||||
dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
|
||||
interface=org.freedesktop.Avahi.ServiceBrowser
|
||||
peer=(name=@{busname}, label="@{p_avahi_daemon}"),
|
||||
|
||||
include if exists <abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Service resolving
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member=ServiceResolverNew
|
||||
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
|
||||
|
||||
dbus send bus=system path=/Client@{int}/ServiceResolver@{int}
|
||||
interface=org.freedesktop.Avahi.ServiceResolver
|
||||
member=Free
|
||||
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
|
||||
|
||||
dbus receive bus=system path=/Client@{int}/ServiceResolver@{int}
|
||||
interface=org.freedesktop.Avahi.ServiceResolver
|
||||
peer=(name=@{busname}, label="@{p_avahi_daemon}"),
|
||||
|
||||
include if exists <abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Service type browsing
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member=ServiceTypeBrowserNew
|
||||
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
|
||||
|
||||
dbus send bus=system path=/Client@{int}/ServiceTypeBrowser@{int}
|
||||
interface=org.freedesktop.Avahi.ServiceTypeBrowser
|
||||
member=Free
|
||||
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
|
||||
|
||||
dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int}
|
||||
interface=org.freedesktop.Avahi.ServiceTypeBrowser
|
||||
peer=(name=@{busname}, label="@{p_avahi_daemon}"),
|
||||
|
||||
include if exists <abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allows access to all cameras
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
# Allow detection of cameras. Leaks plugged in USB device info
|
||||
@{sys}/bus/usb/devices/ r,
|
||||
@{sys}/devices/@{pci}/usb@{int}/**/busnum r,
|
||||
@{sys}/devices/@{pci}/usb@{int}/**/devnum r,
|
||||
@{sys}/devices/@{pci}/usb@{int}/**/idProduct r,
|
||||
@{sys}/devices/@{pci}/usb@{int}/**/idVendor r,
|
||||
@{sys}/devices/@{pci}/usb@{int}/**/interface r,
|
||||
@{sys}/devices/@{pci}/usb@{int}/**/modalias r,
|
||||
@{sys}/devices/@{pci}/usb@{int}/**/speed r,
|
||||
|
||||
@{sys}/class/video4linux/ r,
|
||||
@{sys}/devices/**/video4linux/** r,
|
||||
@{sys}/devices/**/video4linux/video@{int}/ r,
|
||||
@{sys}/devices/**/video4linux/video@{int}/uevent r,
|
||||
|
||||
@{run}/udev/data/+usb:* r, # Identifies all USB devices
|
||||
@{run}/udev/data/c81:@{int} r, # For video4linux
|
||||
|
||||
# VideoCore cameras (shared device with VideoCore/EGL)
|
||||
/dev/vchiq rw,
|
||||
|
||||
# Access to video /dev devices
|
||||
/dev/video@{int} rw,
|
||||
|
||||
include if exists <abstractions/camera.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -2,7 +2,6 @@
|
|||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
# LOGPROF-SUGGEST: no
|
||||
# NEEDS-VARIABLE: att
|
||||
|
||||
# Common rules for applications sandboxed using bwrap.
|
||||
|
||||
|
|
@ -13,35 +12,31 @@
|
|||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/avahi-observe>
|
||||
include <abstractions/bus-accessibility>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/camera>
|
||||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/cups-client>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/devices-u2f>
|
||||
include <abstractions/devices-usb>
|
||||
include <abstractions/disks-read>
|
||||
include <abstractions/enchant>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/gstreamer>
|
||||
include <abstractions/input>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/notifications>
|
||||
include <abstractions/p11-kit>
|
||||
include <abstractions/path>
|
||||
include <abstractions/screensaver>
|
||||
include <abstractions/secrets-service>
|
||||
include <abstractions/sqlite>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/video>
|
||||
|
||||
dbus bus=accessibility,
|
||||
dbus bus=session,
|
||||
dbus bus=system,
|
||||
|
||||
/usr/** rk,
|
||||
/usr/** r,
|
||||
/usr/share/** rk,
|
||||
|
||||
/etc/{,**} r,
|
||||
|
|
@ -72,10 +67,13 @@
|
|||
|
||||
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
|
||||
|
||||
@{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket.
|
||||
@{run}/host/{,**} r,
|
||||
@{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket.
|
||||
@{run}/utmp rk,
|
||||
|
||||
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
|
||||
|
||||
@{sys}/ r,
|
||||
@{sys}/block/ r,
|
||||
@{sys}/bus/ r,
|
||||
|
|
@ -85,7 +83,6 @@
|
|||
@{sys}/bus/pci/slots/@{int}/address r,
|
||||
@{sys}/class/*/ r,
|
||||
@{sys}/devices/** r,
|
||||
@{sys}/devices/virtual/dmi/id/bios_version k,
|
||||
|
||||
@{sys}/fs/cgroup/user.slice/* r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/* r,
|
||||
|
|
@ -97,13 +94,11 @@
|
|||
@{PROC}/@{pid}/cmdline r,
|
||||
@{PROC}/@{pid}/comm rk,
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pid}/maps r,
|
||||
@{PROC}/@{pid}/mountinfo r,
|
||||
@{PROC}/@{pid}/net/** r,
|
||||
@{PROC}/@{pid}/smaps r,
|
||||
@{PROC}/@{pid}/stat r,
|
||||
@{PROC}/@{pid}/statm r,
|
||||
@{PROC}/@{pid}/status r,
|
||||
@{PROC}/@{pid}/task/@{tid}/stat r,
|
||||
@{PROC}/@{pid}/task/@{tid}/status r,
|
||||
@{PROC}/bus/pci/devices r,
|
||||
|
|
@ -147,6 +142,9 @@
|
|||
@{att}/dev/dri/renderD129 rw,
|
||||
owner @{att}/dev/shm/@{uuid} r,
|
||||
|
||||
/dev/hidraw@{int} rw,
|
||||
/dev/input/ r,
|
||||
/dev/input/event@{int} rw,
|
||||
/dev/ptmx rw,
|
||||
/dev/pts/ptmx rw,
|
||||
/dev/tty rw,
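Review bot: `/dev/input/event@{int} rw,` and `/dev/hidraw@{int} rw,` in this hunk give every profile built on the bwrap base abstraction read/write access to every input event node and raw HID node on the host, which is enough to observe all session keystrokes and to talk to FIDO/U2F tokens from inside the sandbox; the header shows three lines added and none removed, so these appear to be the additions, although the rendered page does not mark sides. Nothing in the hunk records why a generic sandbox base needs this rather than the profiles that actually use controllers or security keys. I would at least document the trade-off inline, `/dev/input/event@{int} rw, # raw input: needed for gamepads, but also exposes every keystroke in the session`, and consider keeping these device rules in an opt-in abstraction. The rule list continues outside the hunk on both ends.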
|
||||
|
|
|
|||
|
|
@ -6,9 +6,7 @@
|
|||
abi <abi/4.0>,
|
||||
|
||||
/usr/share/dpkg/cputable r,
|
||||
/usr/share/dpkg/ostable r,
|
||||
/usr/share/dpkg/tupletable r,
|
||||
/usr/share/dpkg/varianttable r,
|
||||
|
||||
/etc/apt/apt.conf r,
|
||||
/etc/apt/apt.conf.d/{,*} r,
|
||||
|
|
@ -20,9 +18,6 @@
|
|||
/etc/apt/sources.list.d/ r,
|
||||
/etc/apt/sources.list.d/*.{sources,list} r,
|
||||
|
||||
/etc/apt/trusted.gpg r,
|
||||
/etc/apt/trusted.gpg.d/{,*} r,
|
||||
|
||||
/var/lib/apt/lists/{,**} r,
|
||||
/var/lib/apt/extended_states r,
|
||||
|
||||
|
|
@ -30,14 +25,11 @@
|
|||
/var/cache/apt/srcpkgcache.bin r,
|
||||
|
||||
/var/lib/dpkg/status r,
|
||||
/var/lib/ubuntu-advantage/apt-esm/{,**} r, #aa:only ubuntu
|
||||
/var/lib/ubuntu-advantage/apt-esm/{,**} r,
|
||||
|
||||
owner @{tmp}/#@{int} rw,
|
||||
owner @{tmp}/clearsigned.message.* rw,
|
||||
|
||||
#aa:only test
|
||||
/tmp/autopkgtest.@{rand6}/** rwk,
|
||||
|
||||
include if exists <abstractions/apt.d>
|
||||
include if exists <abstractions/common/apt.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,7 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
# NEEDS-VARIABLE: att
|
||||
|
||||
# A minimal set of rules for sandboxed programs using bwrap.
|
||||
# A profile using this abstraction still needs to set:
|
||||
|
|
|
|||
|
|
@ -2,7 +2,6 @@
|
|||
# Copyright (C) 2022 Mikhail Morfikov
|
||||
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
# NEEDS-VARIABLE: domain
|
||||
|
||||
# This abstraction is for chromium based application. Chromium based browsers
|
||||
# need to use abstractions/app/chromium instead.
|
||||
|
|
@ -17,14 +16,9 @@
|
|||
|
||||
userns,
|
||||
|
||||
# Required for dropping into PID namespace. Keep in mind that until the
|
||||
# process drops this capability it can escape confinement, but once it
|
||||
# drops CAP_SYS_ADMIN we are ok.
|
||||
capability sys_admin,
|
||||
|
||||
# All of these are for sanely dropping from root and chrooting
|
||||
capability setgid, # If kernel.unprivileged_userns_clone = 1
|
||||
capability setuid, # If kernel.unprivileged_userns_clone = 1
|
||||
capability sys_admin,
|
||||
capability sys_chroot,
|
||||
capability sys_ptrace,
|
||||
|
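Review bot: `capability sys_admin,` is now an unexplained entry in the capability list, and the three-line comment that stated why it is granted (entering the PID namespace) and that the process can escape confinement until it drops CAP_SYS_ADMIN is gone; with six lines removed and one added, that comment and the standalone `capability sys_admin,` appear to be the removals, though the rendered page does not mark sides. That warning is the most security-relevant documentation in this abstraction, since it tells a profile author that confinement of chromium-based apps depends on the browser's own sandbox dropping the capability, not on AppArmor. Please keep it next to the rule, for example `capability sys_admin, # PID namespace setup; the process can escape confinement until it drops this`. `userns,` at the top of the hunk would benefit from a similar one-line why-comment.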
||||
|
|
@ -38,22 +32,20 @@
|
|||
|
||||
owner @{tmp}/.@{domain}.@{rand6} rw,
|
||||
owner @{tmp}/.@{domain}.@{rand6}/ rw,
|
||||
owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie rw,
|
||||
owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket rw,
|
||||
owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie w,
|
||||
owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket w,
|
||||
owner @{tmp}/scoped_dir@{rand6}/ rw,
|
||||
owner @{tmp}/scoped_dir@{rand6}/SingletonCookie rw,
|
||||
owner @{tmp}/scoped_dir@{rand6}/SingletonSocket rw,
|
||||
owner @{tmp}/scoped_dir@{rand6}/SS rw,
|
||||
owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w,
|
||||
owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w,
|
||||
owner @{tmp}/scoped_dir@{rand6}/SS w,
|
||||
|
||||
/dev/shm/ r,
|
||||
owner /dev/shm/.@{domain}.@{rand6} rw,
|
||||
|
||||
@{sys}/devices/system/cpu/kernel_max r,
|
||||
@{sys}/devices/virtual/tty/tty@{int}/active r,
|
||||
|
||||
# Allow getting the manufacturer and model of the computer where chromium is currently running.
|
||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||
@{sys}/devices/virtual/tty/tty@{int}/active r,
|
||||
|
||||
# If kernel.unprivileged_userns_clone = 1
|
||||
owner @{PROC}/@{pid}/setgroups w,
|
||||
|
|
|
|||
|
|
@ -1,11 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
# NEEDS-VARIABLE: name
|
||||
# NEEDS-VARIABLE: domain
|
||||
# NEEDS-VARIABLE: lib_dirs
|
||||
# NEEDS-VARIABLE: config_dirs
|
||||
# NEEDS-VARIABLE: cache_dirs
|
||||
|
||||
# Minimal set of rules for all electron based UI application. It works as a
|
||||
# *function* and requires some variables to be provided as *arguments* and set
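Review bot: The header still says this abstraction works as a *function* that requires variables to be provided as *arguments*, yet the five `# NEEDS-VARIABLE:` lines (name, domain, lib_dirs, config_dirs, cache_dirs) that named those arguments appear to be what the 11-to-6 line count removes, so a reader of the new side is left without the list of what must be set before including it. If the directive is no longer honoured by the build, the information should survive as an ordinary comment, e.g. `# Required variables: @{name}, @{domain}, @{lib_dirs}, @{config_dirs}, @{cache_dirs}`. Otherwise the first sign of a missing variable is an apparmor_parser error far from the include. The sentence describing the requirements continues past the end of the hunk.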
|
||||
|
|
@ -20,7 +15,6 @@
|
|||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/common/chromium>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/desktop>
|
||||
|
|
|
|||
|
|
@ -17,10 +17,8 @@
|
|||
include <abstractions/devices-usb>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/input>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/uinput>
|
||||
|
||||
@{bin}/uname rix,
|
||||
@{bin}/xdg-settings rPx,
|
||||
|
|
@ -68,6 +66,9 @@
|
|||
owner /dev/shm/mono.@{int} rw,
|
||||
owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw,
|
||||
|
||||
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
|
||||
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
|
||||
|
||||
@{sys}/ r,
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/class/ r,
|
||||
|
|
@ -78,6 +79,7 @@
|
|||
@{sys}/devices/@{pci}/net/*/carrier r,
|
||||
@{sys}/devices/**/input@{int}/ r,
|
||||
@{sys}/devices/**/input@{int}/**/{vendor,product} r,
|
||||
@{sys}/devices/**/input@{int}/capabilities/* r,
|
||||
@{sys}/devices/**/input/input@{int}/ r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/system/ r,
|
||||
|
|
@ -106,7 +108,11 @@
|
|||
|
||||
/dev/ r,
|
||||
/dev/hidraw@{int} rw,
|
||||
/dev/input/ r,
|
||||
/dev/input/event@{int} rw,
|
||||
/dev/input/js@{int} rw,
|
||||
/dev/tty rw,
|
||||
/dev/uinput rw,
|
||||
|
||||
include if exists <abstractions/common/game.d>
|
||||
|
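Review bot: `/dev/uinput rw,` alongside `/dev/input/event@{int} rw,` lets every game profile read all input events on the host and create virtual input devices, i.e. capture and inject keystrokes for the whole session rather than just use a controller; with four lines added and none removed these look like the new lines, although the page does not mark sides. uinput is only needed by software that emulates controllers, which most games do not do themselves. I would annotate it, `/dev/uinput rw, # controller emulation; also allows injecting input events into the session`, and consider moving it to an opt-in include rather than granting it to every game. The earlier hunk in this file drops the `uinput` include, so this appears to be its inlined replacement.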
||||
|
|
|
|||
|
|
@ -6,8 +6,9 @@
|
|||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/bus-accessibility>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
||||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/graphics>
|
||||
|
|
|
|||
|
|
@ -1,9 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
# NEEDS-VARIABLE: app_dirs
|
||||
# NEEDS-VARIABLE: lib_dirs
|
||||
# NEEDS-VARIABLE: share_dirs
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,17 +9,14 @@
|
|||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/accessibility>
|
||||
include <abstractions/desktop-files>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gschemas>
|
||||
include <abstractions/gtk-strict>
|
||||
include <abstractions/gsettings>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/icons>
|
||||
include <abstractions/mime>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/recently-used>
|
||||
include <abstractions/themes>
|
||||
include <abstractions/user-dirs>
|
||||
include <abstractions/wayland>
|
||||
include <abstractions/X-strict>
|
||||
include <abstractions/xdg-desktop>
|
||||
|
|
|
|||
|
|
@ -1,23 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2019 Canonical Ltd
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allows access to Universal 2nd Factor (U2F) devices
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
@{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers)
|
||||
|
||||
# Needed for dynamic assignment of U2F devices
|
||||
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
|
||||
|
||||
@{sys}/devices/**/i2c*/**/report_descriptor r,
|
||||
@{sys}/devices/**/usb@{int}/**/report_descriptor r,
|
||||
|
||||
# Allow raw access HDI (Human Interface Devices) wich is how U2F devices are exposed
|
||||
/dev/hidraw@{int} rw,
|
||||
|
||||
include if exists <abstractions/devices-u2f.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -3,22 +3,13 @@
|
|||
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allow raw access to all connected USB devices
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/devices-usb-read>
|
||||
|
||||
@{PROC}/tty/drivers r,
|
||||
/dev/bus/usb/@{int}/@{int} wk,
|
||||
|
||||
/dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} wk,
|
||||
|
||||
# Allow access to all ttyUSB devices too
|
||||
/dev/ttyACM@{int} wk,
|
||||
/dev/ttyUSB@{int} wk,
|
||||
|
||||
# Allow raw access to USB printers (i.e. for receipt printers in POS systems).
|
||||
/dev/usb/lp@{int} wk,
|
||||
@{sys}/devices/**/usb@{int}/{,**} w,
|
||||
|
||||
include if exists <abstractions/devices-usb.d>
|
||||
|
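Review bot: `@{sys}/devices/**/usb@{int}/{,**} w,` grants write access to every sysfs attribute under every USB host controller, which is far broader than the raw device access the abstraction's name implies: the device directories it covers contain `authorized`, `remove` and `bConfigurationValue`, so a confined program can deauthorize, detach or reconfigure arbitrary USB devices. The rendered page does not mark sides, but with two lines added this rule and `/dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} wk,` look like the new side. The `/dev/bus/usb` node is what libusb-style raw I/O actually needs; sysfs writes are normally limited to a few specific attributes. I would drop the blanket rule, or narrow it to the attributes observed in logs, and note the reason above the rules: `# Raw USB I/O goes through /dev/bus/usb; blanket sysfs write would also cover authorized/remove`.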
||||
|
|
|
|||
|
|
@ -3,29 +3,26 @@
|
|||
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allow detection of usb devices. Leaks plugged in USB device info
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
/dev/ r,
|
||||
/dev/bus/usb/ r,
|
||||
/dev/bus/usb/@{int}/ r,
|
||||
/dev/bus/usb/@{int}/@{int} r,
|
||||
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/usbmisc/ r,
|
||||
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/bus/usb/ r,
|
||||
@{sys}/bus/usb/devices/ r,
|
||||
@{sys}/devices/**/usb@{int}/ r,
|
||||
@{sys}/devices/**/usb@{int}/** r,
|
||||
@{sys}/bus/usb/devices/{,**} r,
|
||||
|
||||
@{sys}/devices/**/usb@{int}/{,**} r,
|
||||
|
||||
# Udev data about usb devices (~equal to content of lsusb -v)
|
||||
@{run}/udev/data/+usb:* r, # Identifies all USB devices
|
||||
@{run}/udev/data/b180:@{int} r, # USB block devices
|
||||
@{run}/udev/data/c16{6,7}:@{d} r, # ACM USB modems
|
||||
@{run}/udev/data/c18{0,8,9}:@{int} r, # USB character devices
|
||||
|
||||
/dev/ r,
|
||||
/dev/bus/usb/ r,
|
||||
/dev/bus/usb/@{int}/ r,
|
||||
/dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} r,
|
||||
@{run}/udev/data/c16[6,7]:@{int} r, # USB modems
|
||||
@{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
|
||||
|
||||
include if exists <abstractions/devices-usb-read.d>
|
||||
|
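Review bot: `@{run}/udev/data/c16[6,7]:@{int} r,` and `@{run}/udev/data/c18[0,8,9]:@{int} r,` use bracket expressions where alternation was meant: inside `[...]` the comma is an ordinary member of the character class, so `c16[6,7]:` also matches an impossible `c16,:` name and `c18[0,8,9]:` likewise. The over-match is harmless, but it reads as a typo for the `{6,7}` / `{0,8,9}` form that the other variant of these lines in the same hunk uses. I would write `@{run}/udev/data/c16{6,7}:@{int} r,` and `@{run}/udev/data/c18{0,8,9}:@{int} r,` (or `[67]` and `[089]`). The page does not mark sides, but the line counts suggest these bracket versions are the added ones.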
||||
|
|
|
|||
|
|
@ -28,11 +28,8 @@
|
|||
@{sys}/devices/@{pci}/uevent r,
|
||||
@{sys}/devices/@{pci}/vendor r,
|
||||
|
||||
# Allow access to all cards
|
||||
/dev/dri/ r,
|
||||
/dev/dri/card@{int} rw,
|
||||
|
||||
# Video Acceleration API
|
||||
/dev/dri/renderD128 rw,
|
||||
/dev/dri/renderD129 rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -22,15 +22,9 @@
|
|||
@{PROC}/stat r,
|
||||
|
||||
# Glibc's *printf protections read the maps file
|
||||
owner @{PROC}/@{pid}/auxv r,
|
||||
owner @{PROC}/@{pid}/maps r,
|
||||
owner @{PROC}/@{pid}/status r,
|
||||
|
||||
# @{PROC}/@{pid}/map_files/ contains the same info than @{PROC}/@{pid}/maps,
|
||||
# but in a format that is simpler to manage, because it doesn't require to
|
||||
# parse the text data inside a file, but just reading the contents of
|
||||
# a directory.
|
||||
owner @{PROC}/@{pid}/map_files/ r,
|
||||
@{PROC}/@{pid}/auxv r,
|
||||
@{PROC}/@{pid}/maps r,
|
||||
@{PROC}/@{pid}/status r,
|
||||
|
||||
# Glibc statvfs
|
||||
@{PROC}/filesystems r,
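Review bot: `@{PROC}/@{pid}/auxv r,`, `@{PROC}/@{pid}/maps r,` and `@{PROC}/@{pid}/status r,` have lost the `owner` qualifier that the `owner @{PROC}/@{pid}/...` lines above them carry; with nine lines removed and three added, the unqualified trio appears to be the new side. The comment still says the purpose is glibc's *printf protections reading the maps file, which only ever needs the caller's own entries, whereas without `owner` every profile built on this abstraction may read the memory layout (hence the ASLR state) and auxv of any other process the kernel's ptrace access check lets it see, in practice every same-user process. Please restore `owner @{PROC}/@{pid}/auxv r,`, `owner @{PROC}/@{pid}/maps r,` and `owner @{PROC}/@{pid}/status r,`. If `owner` was dropped deliberately, say for a setuid helper whose euid differs, that reason belongs in a comment beside the rule.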
|
||||
|
|
|
|||
|
|
@ -4,17 +4,14 @@
|
|||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/accessibility>
|
||||
include <abstractions/desktop-files>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gschemas>
|
||||
include <abstractions/gtk-strict>
|
||||
include <abstractions/gsettings>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/icons>
|
||||
include <abstractions/mime>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/recently-used>
|
||||
include <abstractions/themes>
|
||||
include <abstractions/user-dirs>
|
||||
include <abstractions/wayland>
|
||||
include <abstractions/X-strict>
|
||||
include <abstractions/xdg-desktop>
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
include <abstractions/gtk-strict>
|
||||
include <abstractions/gtk>
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
|
|
|
|||
|
|
@ -13,22 +13,14 @@
|
|||
/etc/libva.conf r,
|
||||
|
||||
@{sys}/bus/pci/devices/ r,
|
||||
|
||||
@{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/id r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/level r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/size r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/* r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/cpu_capacity r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/online r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/topology/core_cpus r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/topology/physical_package_id r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r,
|
||||
@{sys}/devices/system/cpu/cpu@{int}/topology/* r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/* r,
|
||||
@{sys}/devices/system/cpu/present r,
|
||||
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
@{sys}/devices/system/node/node@{int}/cpumap r,
|
||||
|
||||
include if exists <abstractions/graphics.d>
|
||||
|
||||
|
|
|
|||
|
|
@ -8,7 +8,13 @@
|
|||
include <abstractions/graphics>
|
||||
include <abstractions/oneapi>
|
||||
|
||||
@{sys}/devices/@{pci}/numa_node r,
|
||||
|
||||
@{PROC}/devices r,
|
||||
|
||||
/dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511
|
||||
/dev/nvidia-uvm rw,
|
||||
/dev/nvidia-uvm-tools rw,
|
||||
|
||||
include if exists <abstractions/graphics-full.d>
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,6 @@
|
|||
@{system_share_dirs}/glib-2.0/schemas/ r,
|
||||
@{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
include if exists <abstractions/gschemas.d>
|
||||
include if exists <abstractions/gsettings.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,74 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021-2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/bus/session/org.gtk.Actions>
|
||||
include <abstractions/bus/session/org.gtk.Menus>
|
||||
include <abstractions/bus/session/org.gtk.Settings>
|
||||
include <abstractions/bus/session/org.gtk.vfs.MountTracker>
|
||||
|
||||
@{lib}/{,@{multiarch}/}gtk-2.0/{,**} mr,
|
||||
@{lib}/{,@{multiarch}/}gtk-3.0/{,**} mr,
|
||||
@{lib}/{,@{multiarch}/}gtk-4.0/{,**} mr,
|
||||
|
||||
/usr/share/gtksourceview-2.0/{,**} r,
|
||||
/usr/share/gtksourceview-3.0/{,**} r,
|
||||
/usr/share/gtksourceview-4/{,**} r,
|
||||
/usr/share/gtksourceview-5/{,**} r,
|
||||
|
||||
/usr/share/gtk-2.0/ r,
|
||||
/usr/share/gtk-2.0/gtkrc r,
|
||||
|
||||
/usr/share/gtk-3.0/ r,
|
||||
/usr/share/gtk-3.0/settings.ini r,
|
||||
|
||||
/usr/share/gtk-4.0/ r,
|
||||
/usr/share/gtk-4.0/settings.ini r,
|
||||
|
||||
/etc/gtk/gtkrc r,
|
||||
|
||||
/etc/gtk-2.0/ r,
|
||||
/etc/gtk-2.0/gtkrc r,
|
||||
|
||||
/etc/gtk-3.0/ r,
|
||||
/etc/gtk-3.0/*.conf r,
|
||||
/etc/gtk-3.0/settings.ini r,
|
||||
|
||||
/etc/gtk-4.0/ r,
|
||||
/etc/gtk-4.0/*.conf r,
|
||||
/etc/gtk-4.0/settings.ini r,
|
||||
|
||||
owner @{HOME}/.gtk r,
|
||||
owner @{HOME}/.gtkrc r,
|
||||
owner @{HOME}/.gtkrc-2.0 r,
|
||||
owner @{HOME}/.gtk-bookmarks r,
|
||||
|
||||
owner @{user_cache_dirs}/gtk-4.0/ rw,
|
||||
owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/{,*} rw,
|
||||
owner @{user_cache_dirs}/gtkrc r,
|
||||
owner @{user_cache_dirs}/gtkrc-2.0 r,
|
||||
|
||||
owner @{user_config_dirs}/gtk-2.0/ rw,
|
||||
owner @{user_config_dirs}/gtk-2.0/gtkfilechooser.ini* rw,
|
||||
|
||||
owner @{user_config_dirs}/gtk-3.0/ rw,
|
||||
owner @{user_config_dirs}/gtk-3.0/bookmarks r,
|
||||
owner @{user_config_dirs}/gtk-3.0/colors.css r,
|
||||
owner @{user_config_dirs}/gtk-3.0/gtk.css r,
|
||||
owner @{user_config_dirs}/gtk-3.0/servers r,
|
||||
owner @{user_config_dirs}/gtk-3.0/settings.ini r,
|
||||
owner @{user_config_dirs}/gtk-3.0/window_decorations.css r,
|
||||
|
||||
owner @{user_config_dirs}/gtk-4.0/ rw,
|
||||
owner @{user_config_dirs}/gtk-4.0/bookmarks r,
|
||||
owner @{user_config_dirs}/gtk-4.0/colors.css r,
|
||||
owner @{user_config_dirs}/gtk-4.0/gtk.css r,
|
||||
owner @{user_config_dirs}/gtk-4.0/servers r,
|
||||
owner @{user_config_dirs}/gtk-4.0/settings.ini r,
|
||||
owner @{user_config_dirs}/gtk-4.0/window_decorations.css r,
|
||||
|
||||
include if exists <abstractions/gtk-strict.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -2,9 +2,23 @@
|
|||
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
include <abstractions/bus/session/org.gtk.Actions>
|
||||
include <abstractions/bus/session/org.gtk.Menus>
|
||||
include <abstractions/bus/session/org.gtk.Settings>
|
||||
dbus receive bus=session
|
||||
interface=org.gtk.Actions
|
||||
member={Activate,DescribeAll,SetState}
|
||||
peer=(name=@{busname}),
|
||||
|
||||
dbus send bus=session
|
||||
interface=org.gtk.Actions
|
||||
member=Changed,
|
||||
|
||||
dbus send bus=session path=/org/gtk/Settings
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=@{busname}, label=gsd-xsettings),
|
||||
dbus receive bus=session path=/org/gtk/Settings
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged
|
||||
peer=(name=@{busname}, label=gsd-xsettings),
|
||||
|
||||
@{lib}/{,@{multiarch}/}gtk*/** mr,
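Review bot: The `dbus receive bus=session interface=org.gtk.Actions member={Activate,DescribeAll,SetState} peer=(name=@{busname})` rule constrains the peer by bus name only, so any session-bus client — confined or not — can invoke an application's exported actions, whereas the org.gtk.Settings rules right below pin the peer with `label=gsd-xsettings`. That is probably deliberate, since action activation comes from the shell, launchers and notification daemons that cannot all be named, but in a shared abstraction the reason should be recorded so it is not later mistaken for an oversight; suggested comment above the rule: `# Actions are invoked by the shell, launchers and notification daemons; the peer label cannot be pinned here`. The `@{lib}/{,@{multiarch}/}gtk*/** mr,` rule grants read+mmap of every file under any `gtk*` directory in the system lib dirs, presumably for GTK modules; a one-line comment naming the intended contents would make that reviewable. Which of these lines sits on the new side is not recoverable from this rendered view.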
|
||||
|
||||
|
|
|
|||
|
|
@ -1,26 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021 Canonical Ltd
|
||||
# Copyright (C) 2022-2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allow reading and writing to raw input devices
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
# network netlink raw,
|
||||
|
||||
# Allow reading for supported event reports for all input devices. See
|
||||
# https://www.kernel.org/doc/Documentation/input/event-codes.txt
|
||||
@{sys}/devices/**/input@{int}/capabilities/* r,
|
||||
|
||||
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
|
||||
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
|
||||
|
||||
/dev/input/ r,
|
||||
/dev/input/event@{int} rw,
|
||||
/dev/input/mice rw,
|
||||
/dev/input/mouse@{int} rw,
|
||||
|
||||
include if exists <abstractions/input.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -4,17 +4,14 @@
|
|||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/accessibility>
|
||||
include <abstractions/desktop-files>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gschemas>
|
||||
include <abstractions/gtk-strict>
|
||||
include <abstractions/gsettings>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/icons>
|
||||
include <abstractions/mime>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/recently-used>
|
||||
include <abstractions/themes>
|
||||
include <abstractions/user-dirs>
|
||||
include <abstractions/wayland>
|
||||
include <abstractions/X-strict>
|
||||
include <abstractions/xdg-desktop>
|
||||
|
|
@ -48,7 +45,7 @@
|
|||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/kwinrc r,
|
||||
owner @{user_config_dirs}/session/ rw,
|
||||
owner @{user_config_dirs}/session/*_* rwlk,
|
||||
owner @{user_config_dirs}/session/*_@{hex}_@{int}_@{int} rwlk,
|
||||
owner @{user_config_dirs}/session/#@{int} rw,
|
||||
owner @{user_config_dirs}/trashrc r,
|
||||
|
||||
|
|
|
|||
|
|
@ -4,13 +4,11 @@
|
|||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/accessibility>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gtk-strict>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/themes>
|
||||
include <abstractions/wayland>
|
||||
include <abstractions/X-strict>
|
||||
include <abstractions/xdg-desktop>
|
||||
|
|
|
|||
|
|
@ -1,20 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021 Canonical Ltd
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allows access to media controller such as microphones, and video capture hardware.
|
||||
# See: https://www.kernel.org/doc/Documentation/userspace-api/media/mediactl/media-controller-intro.rst
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
# Control of media devices
|
||||
/dev/media@{int} rwk,
|
||||
|
||||
# Access to V4L subnodes configuration
|
||||
# See https://www.kernel.org/doc/html/v4.12/media/uapi/v4l/dev-subdev.html
|
||||
/dev/v4l-subdev@{int} rw,
|
||||
|
||||
include if exists <abstractions/media-control.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,15 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allow requesting interest in receiving media key events. This tells Gnome
|
||||
# settings that our application should be notified when key events we are
|
||||
# interested in are pressed, and allows us to receive those events.
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys>
|
||||
|
||||
include if exists <abstractions/mediakeys.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,17 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allow operating as an MPRIS player.
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/bus/session/org.mpris.MediaPlayer2.Player>
|
||||
|
||||
# Allow binding to the well-known DBus mpris interface based on the app's name
|
||||
# See: https://specifications.freedesktop.org/mpris-spec/latest/
|
||||
#aa:dbus own bus=session name=org.mpris.MediaPlayer2.@{profile_name}
|
||||
|
||||
include if exists <abstractions/mpris.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,12 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023-2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/bus/session/org.freedesktop.Notifications>
|
||||
include <abstractions/bus/session/org.gtk.Notifications>
|
||||
|
||||
include if exists <abstractions/notifications.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -6,7 +6,7 @@
|
|||
|
||||
@{bin}/nvidia-modprobe Px -> child-modprobe-nvidia,
|
||||
|
||||
/opt/cuda/targets/@{multiarch}/lib/libOpenCL.so{,.*} mr,
|
||||
/opt/cuda/targets/@{multiarch}/lib/libOpenCL.so.* mr,
|
||||
|
||||
/usr/share/nvidia/nvidia-application-profiles-* r,
|
||||
|
||||
|
|
@ -24,34 +24,20 @@
|
|||
owner @{user_cache_dirs}/nvidia/GLCache/ rw,
|
||||
owner @{user_cache_dirs}/nvidia/GLCache/** rwk,
|
||||
|
||||
@{sys}/devices/@{pci}/numa_node r,
|
||||
@{sys}/devices/system/memory/block_size_bytes r,
|
||||
@{sys}/module/nvidia/version r,
|
||||
|
||||
@{PROC}/driver/nvidia/capabilities/mig/monitor r,
|
||||
@{PROC}/driver/nvidia/gpus/@{pci_id}/information r,
|
||||
@{PROC}/driver/nvidia/params r,
|
||||
@{PROC}/modules r,
|
||||
@{PROC}/sys/vm/max_map_count r,
|
||||
@{PROC}/sys/vm/mmap_min_addr r,
|
||||
|
||||
@{PROC}/driver/nvidia/params r,
|
||||
@{PROC}/modules r,
|
||||
@{PROC}/sys/vm/max_map_count r,
|
||||
@{PROC}/sys/vm/mmap_min_addr r,
|
||||
@{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/comm r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm r,
|
||||
|
||||
/dev/char/195:@{u8} w, # Nvidia graphics devices
|
||||
|
||||
# Nvidia proprietary modset driver
|
||||
/dev/char/195:@{int} w, # Nvidia graphics devices
|
||||
/dev/nvidia-modeset rw,
|
||||
|
||||
# Nvidia graphics devices
|
||||
/dev/nvidia@{int} rw,
|
||||
|
||||
# Nvidia's Unified Memory driver
|
||||
/dev/nvidia-uvm rw,
|
||||
/dev/nvidia-uvm-tools rw,
|
||||
|
||||
# Nvidia's control device
|
||||
/dev/nvidiactl rw,
|
||||
|
||||
deny owner @{HOME}/.nv/.local/share/gvfs-metadata/* r,
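Review bot: `@{PROC}/@{pid}/cmdline r,` in the second hunk is not restricted by `owner`, while the `comm` rules directly below it are, so every profile that includes this abstraction may read the command line of any process on the system, including other users' — command lines routinely carry secrets passed as arguments. Unless the driver is known to read other processes' cmdline, change it to `owner @{PROC}/@{pid}/cmdline r,`; if the unowned form really is required, say why in a comment. Which of `/dev/char/195:@{u8} w,` and `/dev/char/195:@{int} w,` is the new side is not recoverable from this view; `@{u8}` is the tighter bound and, as far as I know, covers the nvidia minors actually used (nvidiactl is 195:255), so it is the one to keep — TODO confirm.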
|
||||
|
|
|
|||
|
|
@ -8,6 +8,6 @@
|
|||
|
||||
/etc/nvidia/nvidia-application-profiles* r,
|
||||
|
||||
/dev/char/195:@{u8} rw, # Nvidia graphics devices
|
||||
/dev/char/195:@{int} rw, # Nvidia graphics devices
|
||||
|
||||
# vim:syntax=apparmor
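Review bot: The only change here is `/dev/char/195:@{u8} rw,` versus `/dev/char/195:@{int} rw,`, and the rendered view does not show which is new. `@{u8}` is the narrower match and, as far as I know, still covers every nvidia minor in use (nvidiactl being 195:255), so if `@{int}` is the new side this is a needless widening; keep `@{u8}` and, if some device really has a minor above 255, document it next to the rule rather than dropping the bound — TODO confirm.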
|
||||
|
|
|
|||
|
|
@ -1,19 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023 Canonical Ltd
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allows interacting with PC/SC Smart Card Daemon
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
# Configuration file for OPENSC
|
||||
/etc/opensc.conf r,
|
||||
/etc/opensc/opensc.conf r,
|
||||
|
||||
# Socket for communication between PCSCD and PS/SC API library
|
||||
@{run}/pcscd/pcscd.comm rw,
|
||||
|
||||
include if exists <abstractions/pcscd.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -14,6 +14,8 @@
|
|||
owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl,
|
||||
owner @{user_share_dirs}/recently-used.xbel.lock rwk,
|
||||
|
||||
owner @{user_config_dirs}/user-dirs.dirs r, # FIXME: not here?
|
||||
|
||||
include if exists <abstractions/recently-used.d>
|
||||
|
||||
# vim:syntax=apparmor
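Review bot: `owner @{user_config_dirs}/user-dirs.dirs r, # FIXME: not here?` ships an open question into a shared abstraction; this diff shows an `abstractions/user-dirs` include elsewhere, which is where a `user-dirs.dirs` rule presumably belongs. Either move the rule there (or include that abstraction here if its wider content is acceptable for every consumer of recently-used), or replace the FIXME with a comment that states the actual reason, e.g. `# recent-files code resolves XDG user directories — TODO confirm against the denial that motivated this`. A FIXME without the triggering denial gives the next maintainer nothing to verify against.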
|
||||
|
|
|
|||
|
|
@ -1,14 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Allow checking status, activating and locking the screensaver
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include if exists <abstractions/bus/session/org.freedesktop.ScreenSaver>
|
||||
include if exists <abstractions/bus/session/org.gnome.ScreenSaver>
|
||||
|
||||
include if exists <abstractions/screensaver.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2017 Canonical Ltd
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Provide full access to the secret-service API:
|
||||
# - https://standards.freedesktop.org/secret-service/)
|
||||
#
|
||||
# The secret-service allows managing (add/delete/lock/etc) collections and
|
||||
# (add/delete/etc) items within collections. The API also has the concept of
|
||||
# aliases for collections which is typically used to access the default
|
||||
# collection. While it would be possible for an application developer to use a
|
||||
# snap-specific collection and mediate by object path, application developers
|
||||
# are meant to instead to treat collections (typically the default collection)
|
||||
# as a database of key/value attributes each with an associated secret that
|
||||
# applications may query. Because AppArmor does not mediate member data,
|
||||
# typical and recommended usage of the API does not allow for application
|
||||
# isolation. For details, see:
|
||||
# - https://standards.freedesktop.org/secret-service/ch03.html
|
||||
#
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <abstractions/bus/session/org.freedesktop.Secret>
|
||||
include <abstractions/bus/session/org.kde.kwalletd>
|
||||
|
||||
dbus send bus=session path=/org/gnome/keyring/daemon
|
||||
interface=org.gnome.keyring.Daemon
|
||||
member=GetEnvironment
|
||||
peer=(name=org.gnome.keyring, label=gnome-keyring-daemon),
|
||||
|
||||
include if exists <abstractions/secrets-service.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
/usr/share/themes/{,**} r,
|
||||
|
||||
owner @{HOME}/.themes/{,**} r,
|
||||
owner @{user_share_dirs}/themes/{,**} r,
|
||||
|
||||
include if exists <abstractions/themes.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||