felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: felipe:main
Branches Tags
felipe:main
felipe:dev
felipe:integration
felipe:packages
felipe:aa
..
compare: felipe:integration
Branches Tags
felipe:main
felipe:dev
felipe:integration
felipe:packages
felipe:aa

No commits in common. "main" and "integration" have entirely different histories.
main ... integratio

1779 changed files with 9864 additions and 23216 deletions
Download patch file Download diff file Expand all files Collapse all files

46
.github/workflows/main.yml vendored
View file

@ -9,25 +9,21 @@ jobs:
- name: Check out repository code - name: Check out repository code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Install linter dependencies
run: |
pipx install rust-just
echo "$HOME/.local/bin" >> $GITHUB_PATH
- name: Run basic profile linter check - name: Run basic profile linter check
run: | run: |
just check make check
build: build:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
needs: check needs: check
strategy: strategy:
matrix: matrix:
include: os:
- os: ubuntu-24.04 - ubuntu-24.04
mode: default - ubuntu-22.04
- os: ubuntu-24.04 mode:
mode: full-system-policy - default
- full-system-policy
steps: steps:
- name: Check out repository code - name: Check out repository code
uses: actions/checkout@v4 uses: actions/checkout@v4
@ -38,14 +34,12 @@ jobs:
sudo apt-get install -y \ sudo apt-get install -y \
devscripts debhelper config-package-dev \ devscripts debhelper config-package-dev \
auditd apparmor-profiles apparmor-utils auditd apparmor-profiles apparmor-utils
pipx install rust-just
echo "$HOME/.local/bin" >> $GITHUB_PATH
sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real
- name: Build the apparmor.d package - name: Build the apparmor.d package
run: | run: |
if [[ ${{ matrix.mode }} == full-system-policy ]]; then if [[ ${{ matrix.mode }} == full-system-policy ]]; then
sed -e "s/just complain/just fsp-complain/" -i debian/rules echo -e "\noverride_dh_auto_build:\n\tmake full" >> debian/rules
fi fi
bash dists/build.sh dpkg bash dists/build.sh dpkg
@ -54,10 +48,13 @@ jobs:
- name: Reload AppArmor - name: Reload AppArmor
run: | run: |
if ! sudo systemctl restart apparmor.service; then sudo systemctl restart apparmor.service || true
sudo journalctl -xeu apparmor.service sudo systemctl status apparmor.service
exit 1
fi - name: Ensure compatibility with some AppArmor userspace tools
if: matrix.os != 'ubuntu-24.04'
run: |
sudo aa-enforce /etc/apparmor.d/aa-notify
- name: Show AppArmor log and rules - name: Show AppArmor log and rules
run: | run: |
@ -78,7 +75,6 @@ jobs:
tests: tests:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
needs: build needs: build
if: github.ref_name == 'dev' || github.event_name == 'workflow_dispatch'
steps: steps:
- name: Check out repository code - name: Check out repository code
uses: actions/checkout@v4 uses: actions/checkout@v4
@ -98,15 +94,11 @@ jobs:
sudo apt-get install -y \ sudo apt-get install -y \
apparmor-profiles apparmor-utils \ apparmor-profiles apparmor-utils \
bats bats-support bats bats-support
pipx install rust-just
echo "$HOME/.local/bin" >> $GITHUB_PATH
- name: Install apparmor.d - name: Install apparmor.d
run: | run: |
sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true
sudo systemctl restart apparmor.service sudo systemctl restart apparmor.service
sudo systemctl daemon-reload
systemctl --user daemon-reload
- name: Restart some services to ensure they are confined - name: Restart some services to ensure they are confined
run: | run: |
@ -125,18 +117,16 @@ jobs:
for service in "${services[@]}"; do for service in "${services[@]}"; do
sudo systemctl restart "$service" || systemctl status "$service.service" || true sudo systemctl restart "$service" || systemctl status "$service.service" || true
done done
systemctl restart --user dbus || systemctl status --user "dbus.service" || true
sudo ps auxZ | grep -v '\[.*\]' sudo ps auxZ | grep -v '\[.*\]'
sudo aa-log -s --raw sudo aa-log -s --raw
- name: Install integration dependencies - name: Install integration dependencies
run: | run: |
just init bash tests/requirements.sh
find /usr/sbin/ -type f
- name: Run the integration tests - name: Run the bats integration tests
run: | run: |
just integration make bats
- name: Show final AppArmor logs - name: Show final AppArmor logs
if: always() if: always()

1
.gitignore vendored
View file

@ -1,7 +1,6 @@
# Build # Build
.build .build
.logs .logs
.pkg
tests/tldr tests/tldr
tests/tldr.tar.gz tests/tldr.tar.gz

27
.gitlab-ci.yml
View file

@ -24,13 +24,13 @@ bash:
script: script:
- shellcheck --shell=bash - shellcheck --shell=bash
PKGBUILD dists/build.sh dists/docker.sh tests/check.sh PKGBUILD dists/build.sh dists/docker.sh tests/check.sh
tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh
golangci-lint: golangci-lint:
stage: lint stage: lint
image: golangci/golangci-lint image: golangci/golangci-lint
script: script:
- golangci-lint run - golangci-lint run --exclude-dirs pkg/paths
packer: packer:
stage: lint stage: lint
@ -54,6 +54,7 @@ tests:
image: golang image: golang
coverage: '/Coverage: \d+.\d+/' coverage: '/Coverage: \d+.\d+/'
script: script:
- apt update && apt install -y rsync
- cp tests/journalctl /usr/bin/journalctl - cp tests/journalctl /usr/bin/journalctl
- chmod 755 /usr/bin/journalctl - chmod 755 /usr/bin/journalctl
- mkdir -p /var/log/audit/ - mkdir -p /var/log/audit/
@ -66,7 +67,7 @@ check:
stage: test stage: test
image: registry.gitlab.com/roddhjav/builders/archlinux image: registry.gitlab.com/roddhjav/builders/archlinux
script: script:
- just check - make check
# Package Build # Package Build
# ------------- # -------------
@ -84,12 +85,13 @@ archlinux:
debian: debian:
stage: build stage: build
image: registry.gitlab.com/roddhjav/builders/debian:trixie image: registry.gitlab.com/roddhjav/builders/debian
script: script:
- sudo chown -R build:build /builds/ - sudo chown -R build:build /builds/
- git config --global --add safe.directory $CI_PROJECT_DIR - git config --global --add safe.directory $CI_PROJECT_DIR
- mkdir -p "$PKGDEST" - mkdir -p "$PKGDEST"
- sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl - sudo apt-get update -q && sudo apt-get install -y config-package-dev rsync
- sudo apt-get install -y -t bookworm-backports golang-go
- bash dists/build.sh dpkg - bash dists/build.sh dpkg
artifacts: artifacts:
expire_in: 1 day expire_in: 1 day
@ -98,13 +100,12 @@ debian:
ubuntu: ubuntu:
stage: build stage: build
image: registry.gitlab.com/roddhjav/builders/ubuntu:24.04 image: registry.gitlab.com/roddhjav/builders/ubuntu
variables:
GOFLAGS: "-buildvcs=false"
script: script:
- sudo chown -R ubuntu:ubuntu /builds/
- git config --global --add safe.directory $CI_PROJECT_DIR - git config --global --add safe.directory $CI_PROJECT_DIR
- mkdir -p "$PKGDEST" - mkdir -p "$PKGDEST"
- sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl - sudo apt-get update -q && sudo apt-get install -y config-package-dev rsync golang-go
- bash dists/build.sh dpkg - bash dists/build.sh dpkg
artifacts: artifacts:
expire_in: 1 day expire_in: 1 day
@ -116,14 +117,14 @@ whonix:
variables: variables:
DISTRIBUTION: whonix DISTRIBUTION: whonix
before_script: before_script:
- sed -e "s/just complain/just fsp-complain/" -i debian/rules - echo "\noverride_dh_auto_build:\n\tmake full" >> debian/rules
opensuse: opensuse:
stage: build stage: build
image: registry.gitlab.com/roddhjav/builders/opensuse image: registry.gitlab.com/roddhjav/builders/opensuse
script: script:
- mkdir -p "$PKGDEST" - mkdir -p "$PKGDEST"
- sudo zypper install -y distribution-release golang-packaging apparmor-profiles - sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles
- bash dists/build.sh rpm - bash dists/build.sh rpm
artifacts: artifacts:
expire_in: 1 day expire_in: 1 day
@ -146,7 +147,7 @@ preprocess-archlinux:
preprocess-debian: preprocess-debian:
stage: preprocess stage: preprocess
image: debian:trixie image: debian
dependencies: dependencies:
- debian - debian
script: script:
@ -166,7 +167,7 @@ preprocess-ubuntu:
- dpkg --install $PKGDEST/* - dpkg --install $PKGDEST/*
- apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null
.preprocess-whonix: preprocess-whonix:
extends: preprocess-debian extends: preprocess-debian
dependencies: dependencies:
- whonix - whonix

14
.golangci.yaml
View file

@ -1,15 +1,5 @@
--- ---
version: "2" linters-settings:
linters:
settings:
staticcheck: staticcheck:
checks: checks: ["all", "-SA1019" ]
- all
- -SA1019
- -ST1000
exclusions:
paths:
- pkg/paths
- tests/cmd/

399
Justfile
View file

@ -1,399 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Usage: `just`
# See https://apparmor.pujol.io/development/ for more information.
# Build settings
destdir := "/"
build := ".build"
pkgdest := `pwd` / ".pkg"
pkgname := "apparmor.d"
# Admin username
username := "user"
# Default admin password
password := "user"
# Disk size of the VM to build
disk_size := "40G"
# Virtual machine CPU
vcpus := "6"
# Virtual machine RAM
ram := "4096"
# Path to the ssh key
ssh_keyname := "id_ed25519"
ssh_privatekey := home_dir() / ".ssh/" + ssh_keyname
ssh_publickey := ssh_privatekey + ".pub"
# Where the VM are stored
vm := home_dir() / ".vm"
# Where the VM images are stored
base_dir := home_dir() / ".libvirt/base"
# Where the packer temporary output is stored
output_dir := base_dir / "packer"
# SSH options
sshopt := "-i " + ssh_privatekey + " -o IdentitiesOnly=yes -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
# Libvirt connection address
c := "--connect=qemu:///system"
# VM prefix
prefix := "aa-"
# Show this help message
help:
@just --list --unsorted
@printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information."
# Build the go programs
[group('build')]
build:
@go build -o {{build}}/ ./cmd/aa-log
@go build -o {{build}}/ ./cmd/prebuild
# Prebuild the profiles in enforced mode
[group('build')]
enforce: build
@./{{build}}/prebuild --buildir {{build}}
# Prebuild the profiles in enforce mode (test)
enforce-test: build
@./{{build}}/prebuild --buildir {{build}} --test
# Prebuild the profiles in complain mode
[group('build')]
complain: build
./{{build}}/prebuild --buildir {{build}} --complain
# Prebuild the profiles in complain mode (test)
complain-test: build
@./{{build}}/prebuild --buildir {{build}} --complain --test
# Prebuild the profiles in FSP mode
[group('build')]
fsp: build
@./{{build}}/prebuild --buildir {{build}} --full
# Prebuild the profiles in FSP mode (complain)
[group('build')]
fsp-complain: build
@./{{build}}/prebuild --buildir {{build}} --complain --full
# Prebuild the profiles in FSP mode (debug)
[group('build')]
fsp-debug: build
@./{{build}}/prebuild --buildir {{build}} --complain --full --debug
# Install prebuild profiles
[group('install')]
install:
#!/usr/bin/env bash
set -eu -o pipefail
install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log
mapfile -t share < <(find "{{build}}/share" -type f -not -name "*.md" -printf "%P\n")
for file in "${share[@]}"; do
install -Dm0644 "{{build}}/share/$file" "{{destdir}}/usr/share/$file"
done
mapfile -t aa < <(find "{{build}}/apparmor.d" -type f -printf "%P\n")
for file in "${aa[@]}"; do
install -Dm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file"
done
mapfile -t links < <(find "{{build}}/apparmor.d" -type l -printf "%P\n")
for file in "${links[@]}"; do
mkdir -p "{{destdir}}/etc/apparmor.d/disable"
cp -d "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file"
done
for file in "{{build}}/systemd/system/"*; do
service="$(basename "$file")"
install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/system/$service.d/apparmor.conf"
done
for file in "{{build}}/systemd/user/"*; do
service="$(basename "$file")"
install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf"
done
# Locally install prebuild profiles
[group('install')]
local +names:
#!/usr/bin/env bash
set -eu -o pipefail
install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log
mapfile -t abs < <(find "{{build}}/apparmor.d/abstractions" -type f -printf "%P\n")
for file in "${abs[@]}"; do
install -Dm0644 "{{build}}/apparmor.d/abstractions/$file" "{{destdir}}/etc/apparmor.d/abstractions/$file"
done;
mapfile -t tunables < <(find "{{build}}/apparmor.d/tunables" -type f -printf "%P\n")
for file in "${tunables[@]}"; do
install -Dm0644 "{{build}}/apparmor.d/tunables/$file" "{{destdir}}/etc/apparmor.d/tunables/$file"
done;
echo "Warning: profile dependencies fallback to unconfined."
for file in {{names}}; do
grep -Ei 'rPx|rpx' "{{build}}/apparmor.d/$file" || true
sed -i -e "s/rPx/rPUx/g" "{{build}}/apparmor.d/$file"
install -Dvm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file"
done;
systemctl restart apparmor || sudo journalctl -xeu apparmor.service
# Prebuild, install, and load a dev profile
[group('install')]
dev name:
go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}`
sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}}
sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service
# Build & install apparmor.d on Arch based systems
[group('packages')]
pkg:
@makepkg --syncdeps --install --cleanbuild --force --noconfirm
# Build & install apparmor.d on Debian based systems
[group('packages')]
dpkg:
@bash dists/build.sh dpkg
@sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb
# Build & install apparmor.d on OpenSUSE based systems
[group('packages')]
rpm:
@bash dists/build.sh rpm
@sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm
# Run the unit tests
[group('tests')]
tests:
@go test ./cmd/... -v -cover -coverprofile=coverage.out
@go test ./pkg/... -v -cover -coverprofile=coverage.out
@go tool cover -func=coverage.out
# Run the linters
[group('linter')]
lint:
golangci-lint run
packer fmt tests/packer/
packer validate --syntax-only tests/packer/
shellcheck --shell=bash \
PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \
tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \
debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm
# Run style checks on the profiles
[group('linter')]
check:
@bash tests/check.sh
# Generate the man pages
[group('docs')]
man:
@pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md
# Build the documentation
[group('docs')]
docs:
@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict
# Serve the documentation
[group('docs')]
serve:
@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve
# Remove all build artifacts
clean:
@rm -rf \
debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \
{{pkgdest}}/{{pkgname}}* {{build}} coverage.out
# Build the package in a clean OCI container
[group('packages')]
package dist:
#!/usr/bin/env bash
set -eu -o pipefail
dist="{{dist}}"
version=""
if [[ $dist =~ ubuntu([0-9]+) ]]; then
version="${BASH_REMATCH[1]}.04"
dist="ubuntu"
elif [[ $dist == debian* ]]; then
version="trixie"
dist="debian"
fi
bash dists/docker.sh $dist $version
# Build the VM image
[group('vm')]
img dist flavor: (package dist)
@mkdir -p {{base_dir}}
packer build -force \
-var dist={{dist}} \
-var flavor={{flavor}} \
-var prefix={{prefix}} \
-var username={{username}} \
-var password={{password}} \
-var ssh_publickey={{ssh_publickey}} \
-var disk_size={{disk_size}} \
-var cpus={{vcpus}} \
-var ram={{ram}} \
-var base_dir={{base_dir}} \
-var output_dir={{output_dir}} \
tests/packer/
# Create the machine
[group('vm')]
create dist flavor:
@cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2
@virt-install {{c}} \
--import \
--name {{prefix}}{{dist}}-{{flavor}} \
--vcpus {{vcpus}} \
--ram {{ram}} \
--machine q35 \
{{ if dist == "archlinux" { "" } else { "--boot uefi" } }} \
--memorybacking source.type=memfd,access.mode=shared \
--disk path={{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2,format=qcow2,bus=virtio \
--filesystem "`pwd`,0a31bc478ef8e2461a4b1cc10a24cc4",accessmode=passthrough,driver.type=virtiofs \
--os-variant "`just _get_osinfo {{dist}}`" \
--graphics spice \
--audio id=1,type=spice \
--sound model=ich9 \
--noautoconsole
# Start a machine
[group('vm')]
up dist flavor:
@virsh {{c}} start {{prefix}}{{dist}}-{{flavor}}
# Stops the machine
[group('vm')]
halt dist flavor:
@virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}}
# Reboot the machine
[group('vm')]
reboot dist flavor:
@virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}}
# Destroy the machine
[group('vm')]
destroy dist flavor:
@virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true
@virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram
@rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2
# Connect to the machine
[group('vm')]
ssh dist flavor:
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}`
# Mount the shared directory on the machine
[group('vm')]
mount dist flavor:
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4'
# Unmout the shared directory on the machine
[group('vm')]
umount dist flavor:
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true'
# List the machines
[group('vm')]
list:
@printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State"
@virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g'
# List the VM images
[group('vm')]
images:
#!/usr/bin/env bash
set -eu -o pipefail
mkdir -p {{base_dir}}
ls -lh {{base_dir}} | awk '
BEGIN {
printf("{{BOLD}}%-18s %-10s %-5s %s{{NORMAL}}\n", "Distribution", "Flavor", "Size", "Date")
}
{
if ($9 ~ /^{{prefix}}.*\.qcow2$/) {
split($9, arr, "-|\\.")
printf("%-18s %-10s %-5s %s %s %s\n", arr[2], arr[3], $5, $6, $7, $8)
}
}
'
# List the VM images that can be created
[group('vm')]
available:
#!/usr/bin/env bash
set -eu -o pipefail
ls -lh tests/cloud-init | awk '
BEGIN {
printf("{{BOLD}}%-18s %s{{NORMAL}}\n", "Distribution", "Flavor")
}
{
if ($9 ~ /^.*\.user-data.yml$/) {
split($9, arr, "-|\\.")
printf("%-18s %s\n", arr[1], arr[2])
}
}
'
# Install dependencies for the integration tests
[group('tests')]
init:
@bash tests/requirements.sh
# Run the integration tests
[group('tests')]
integration name="":
bats --recursive --timing --print-output-on-failure tests/integration/{{name}}
# Install dependencies for the integration tests (machine)
[group('tests')]
tests-init dist flavor:
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init
# Synchronize the integration tests (machine)
[group('tests')]
tests-sync dist flavor:
@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/
# Re-synchronize the integration tests (machine)
[group('tests')]
tests-resync dist flavor: (mount dist flavor) \
(tests-sync dist flavor) \
(umount dist flavor)
# Run the integration tests (machine)
[group('tests')]
tests-run dist flavor name="": (tests-resync dist flavor)
ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
bats --recursive --pretty --timing --print-output-on-failure \
/home/{{username}}/Projects/tests/integration/{{name}}
_get_ip dist flavor:
@virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \
head -1 | \
grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}'
_get_osinfo dist:
#!/usr/bin/env python3
osinfo = {
"archlinux": "archlinux",
"debian12": "debian12",
"debian13": "debian13",
"ubuntu22": "ubuntu22.04",
"ubuntu24": "ubuntu24.04",
"ubuntu25": "ubuntu25.04",
"opensuse": "opensusetumbleweed",
}
print(osinfo.get("{{dist}}", "{{dist}}"))

134
Makefile Normal file
View file

@ -0,0 +1,134 @@
#!/usr/bin/make -f
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
DESTDIR ?= /
BUILD ?= .build
PKGDEST ?= ${PWD}/.pkg
PKGNAME := apparmor.d
PROFILES = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*)))
.PHONY: all
all: build
@./${BUILD}/prebuild --complain
.PHONY: build
build:
@go build -o ${BUILD}/ ./cmd/aa-log
@go build -o ${BUILD}/ ./cmd/prebuild
.PHONY: enforce
enforce: build
@./${BUILD}/prebuild
.PHONY: full
full: build
@./${BUILD}/prebuild --complain --full
.PHONY: install
install:
@install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
@for file in $(shell find "${BUILD}/share" -type f -not -name "*.md" -printf "%P\n"); do \
install -Dm0644 "${BUILD}/share/$${file}" "${DESTDIR}/usr/share/$${file}"; \
done;
@for file in $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n"); do \
install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
done;
@for file in $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n"); do \
mkdir -p "${DESTDIR}/etc/apparmor.d/disable"; \
cp -d "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
done;
@for file in ${BUILD}/systemd/system/*; do \
service="$$(basename "$$file")"; \
install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/system/$${service}.d/apparmor.conf"; \
done;
@for file in ${BUILD}/systemd/user/*; do \
service="$$(basename "$$file")"; \
install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \
done
.PHONY: $(PROFILES)
$(PROFILES):
@install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
@for file in $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n"); do \
install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \
done;
@for file in $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n"); do \
install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \
done;
@echo "Warning: profile dependencies fallback to unconfined."
@for file in ${@}; do \
grep 'rPx' "${BUILD}/apparmor.d/$${file}"; \
sed -i -e "s/rPx/rPUx/g" "${BUILD}/apparmor.d/$${file}"; \
install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
done;
@systemctl restart apparmor || sudo journalctl -xeu apparmor.service
.PHONY: dev
name ?=
dev:
@go run ./cmd/prebuild --complain --file $(shell find apparmor.d -iname ${name})
@sudo install -Dm644 ${BUILD}/apparmor.d/${name} /etc/apparmor.d/${name}
@sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service
.PHONY: package
dist ?= archlinux
package:
@bash dists/docker.sh ${dist}
.PHONY: pkg
pkg:
@makepkg --syncdeps --install --cleanbuild --force --noconfirm
.PHONY: dpkg
dpkg:
@bash dists/build.sh dpkg
@sudo dpkg -i ${PKGDEST}/${PKGNAME}_*.deb
.PHONY: rpm
rpm:
@bash dists/build.sh rpm
@sudo rpm -ivh --force ${PKGDEST}/${PKGNAME}-*.rpm
.PHONY: tests
tests:
@go test ./cmd/... -v -cover -coverprofile=coverage.out
@go test ./pkg/... -v -cover -coverprofile=coverage.out
@go tool cover -func=coverage.out
.PHONY: lint
lint:
@golangci-lint run
@make --directory=tests lint
@shellcheck --shell=bash \
PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \
tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh \
debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm
.PHONY: check
check:
@bash tests/check.sh
.PHONY: bats
bats:
@bats --timing --print-output-on-failure tests/bats/
.PHONY: manual
manual:
@pandoc -t man -s -o root/usr/share/man/man8/aa-log.8 root/usr/share/man/man8/aa-log.md
.PHONY: docs
docs:
@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict
.PHONY: serve
serve:
@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve
.PHONY: clean
clean:
@rm -rf \
debian/.debhelper debian/debhelper* debian/*.debhelper debian/${PKGNAME} \
.pkg/${PKGNAME}* ${BUILD} coverage.out

122
PKGBUILD
View file

@ -3,25 +3,19 @@
# Warning: for development only, use https://aur.archlinux.org/packages/apparmor.d-git for production use. # Warning: for development only, use https://aur.archlinux.org/packages/apparmor.d-git for production use.
pkgbase=apparmor.d pkgname=apparmor.d
pkgname=( pkgver=0.001
apparmor.d
# apparmor.d.enforced
# apparmor.d.fsp apparmor.d.fsp.enforced
# apparmor.d.server apparmor.d.server.enforced
# apparmor.d.server.fsp apparmor.d.server.fsp.enforced
)
pkgver=0.0001
pkgrel=1 pkgrel=1
pkgdesc="Full set of apparmor profiles" pkgdesc="Full set of apparmor profiles"
arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') arch=("x86_64")
url="https://github.com/roddhjav/apparmor.d" url="https://github.com/roddhjav/$pkgname"
license=('GPL-2.0-only') license=('GPL2')
depends=('apparmor>=4.1.0' 'apparmor<5.0.0') depends=('apparmor')
makedepends=('go' 'git' 'rsync' 'just') makedepends=('go' 'git' 'rsync')
conflicts=("$pkgname-git")
pkgver() { pkgver() {
cd "$srcdir/$pkgbase" cd "$srcdir/$pkgname"
echo "0.$(git rev-list --count HEAD)" echo "0.$(git rev-list --count HEAD)"
} }
@ -30,104 +24,16 @@ prepare() {
} }
build() { build() {
cd "$srcdir/$pkgbase" cd "$srcdir/$pkgname"
export CGO_CPPFLAGS="${CPPFLAGS}" export CGO_CPPFLAGS="${CPPFLAGS}"
export CGO_CFLAGS="${CFLAGS}" export CGO_CFLAGS="${CFLAGS}"
export CGO_CXXFLAGS="${CXXFLAGS}" export CGO_CXXFLAGS="${CXXFLAGS}"
export CGO_LDFLAGS="${LDFLAGS}" export CGO_LDFLAGS="${LDFLAGS}"
export GOPATH="${srcdir}"
export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw" export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
export DISTRIBUTION=arch make DISTRIBUTION=arch
local -A modes=(
# Mapping of modes to just build target.
[default]=complain
# [enforced]=enforce
# [fsp]=fsp-complain
# [fsp.enforced]=fsp
# [server]=server-complain
# [server.enforced]=server
# [server.fsp]=server-fsp-complain
# [server.fsp.enforced]=server-fsp
)
for mode in "${!modes[@]}"; do
just build=".build/$mode" "${modes[$mode]}"
done
} }
_conflicts() { package() {
local mode="$1" cd "$srcdir/$pkgname"
local pattern=".$mode" make install DESTDIR="$pkgdir"
if [[ "$mode" == "default" ]]; then
pattern=""
else
echo "$pkgbase"
fi
for pkg in "${pkgname[@]}"; do
if [[ "$pkg" == "${pkgbase}${pattern}" ]]; then
continue
fi
echo "$pkg"
done
}
_install() {
local mode="${1:?}"
cd "$srcdir/$pkgbase"
just build=".build/$mode" destdir="$pkgdir" install
}
package_apparmor.d() {
mode=default
pkgdesc="$pkgdesc (complain mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
}
package_apparmor.d.enforced() {
mode=enforced
pkgdesc="$pkgdesc (enforced mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
}
package_apparmor.d.fsp() {
mode="fsp"
pkgdesc="$pkgdesc (FSP mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
}
package_apparmor.d.fsp.enforced() {
mode="fsp.enforced"
pkgdesc="$pkgdesc (FSP enforced mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
}
package_apparmor.d.server() {
mode="server"
pkgdesc="$pkgdesc (server complain mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
}
package_apparmor.d.server.enforced() {
mode="server.enforced"
pkgdesc="$pkgdesc (server enforced mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
}
package_apparmor.d.server.fsp() {
mode="server.fsp"
pkgdesc="$pkgdesc (server FSP complain mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
}
package_apparmor.d.server.fsp.enforced() {
mode="server.fsp.enforced"
pkgdesc="$pkgdesc (server FSP enforced mode)"
mapfile -t conflicts < <(_conflicts $mode)
_install $mode
} }

13
README.md
View file

@ -2,7 +2,7 @@
# apparmor.d # apparmor.d
[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard] [![][matrix]][matrix-link] [![][play]][play-link] [![][workflow]][action] [![][build]][project] [![][quality]][goreportcard] [![][matrix]][matrix-link]
**Full set of AppArmor profiles** **Full set of AppArmor profiles**
@ -35,11 +35,8 @@
* Gnome (GDM) * Gnome (GDM)
* KDE (SDDM) * KDE (SDDM)
* XFCE (Lightdm) *(work in progress)* * XFCE (Lightdm) *(work in progress)*
- [Fully tested](https://apparmor.pujol.io/development/tests/) - Fully tested *(work in progress)*
**Demo**
You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. You can try it online on my AppArmor play machine at https://play.pujol.io/
> This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments. > This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments.
@ -62,10 +59,6 @@ Building the largest set of AppArmor profiles:
- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))*
- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))*
Lessons learned while making an AppArmor Play machine:
- [Linux Security Summit North America (LSS-NA 2025)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2025.sched.com/event/1zalf/lessons-learned-while-making-an-apparmor-play-machine-alexandre-pujol-linagora), [Video](https://www.youtube.com/watch?v=zCSl8honRI0))*
## Installation ## Installation
Please see [apparmor.pujol.io/install](https://apparmor.pujol.io/install) Please see [apparmor.pujol.io/install](https://apparmor.pujol.io/install)
@ -100,8 +93,6 @@ and thus has the same license (GPL2).
[goreportcard]: https://goreportcard.com/report/github.com/roddhjav/apparmor.d [goreportcard]: https://goreportcard.com/report/github.com/roddhjav/apparmor.d
[matrix]: https://img.shields.io/badge/Matrix-%23apparmor.d-blue?style=flat-square&logo=matrix [matrix]: https://img.shields.io/badge/Matrix-%23apparmor.d-blue?style=flat-square&logo=matrix
[matrix-link]: https://matrix.to/#/#apparmor.d:matrix.org [matrix-link]: https://matrix.to/#/#apparmor.d:matrix.org
[play]: https://img.shields.io/badge/Live_Demo-play.pujol.io-blue?style=flat-square
[play-link]: https://play.pujol.io
[android_model]: https://arxiv.org/pdf/1904.05572 [android_model]: https://arxiv.org/pdf/1904.05572
[clipos]: https://clip-os.org/en/ [clipos]: https://clip-os.org/en/

16
apparmor.d/abstractions/X-strict
View file

@ -4,25 +4,25 @@
abi <abi/4.0>, abi <abi/4.0>,
# The unix socket to use to connect to the display # The unix socket to use to connect to the display
unix (connect, receive, send) type=stream peer=(addr=@/tmp/.ICE-unix/@{int}), unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
unix (connect, receive, send) type=stream peer=(addr=@/tmp/.X11-unix/X@{int}), unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
unix type=stream addr=@/tmp/.ICE-unix/@{int}, unix type=stream addr="@/tmp/.ICE-unix/[0-9]*",
unix type=stream addr=@/tmp/.X11-unix/X@{int}, unix type=stream addr="@/tmp/.X11-unix/X[0-9]*",
/usr/share/X11/{,**} r, /usr/share/X11/{,**} r,
/usr/share/xsessions/{,*.desktop} r, # Available Xsessions /usr/share/xsessions/{,*.desktop} r, # Available Xsessions
/usr/share/xkeyboard-config-2/{,**} r,
/etc/X11/cursors/{,**} r, /etc/X11/cursors/{,**} r,
owner @{HOME}/.ICEauthority r, # ICEauthority files required for X authentication, per user owner @{HOME}/.ICEauthority rw, # ICEauthority files required for X authentication, per user
owner @{HOME}/.Xauthority rw, # Xauthority files required for X connections, per user owner @{HOME}/.Xauthority rw, # Xauthority files required for X connections, per user
owner @{HOME}/.xsession-errors rw, owner @{HOME}/.xsession-errors rw,
/tmp/.ICE-unix/@{int} rw, /tmp/.ICE-unix/* rw,
/tmp/.X@{int}-lock rw, /tmp/.X@{int}-lock rw,
/tmp/.X11-unix/X@{int} rw, /tmp/.X11-unix/* rw,
owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int}, owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int},
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland

15
apparmor.d/abstractions/accessibility
View file

@ -1,15 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allow communication with Assistive Technology Service Provider Interface (AT-SPI)
abi <abi/4.0>,
include <abstractions/bus-accessibility>
include <abstractions/bus/accessibility/org.a11y>
include <abstractions/bus/session/org.a11y>
include if exists <abstractions/accessibility.d>
# vim:syntax=apparmor

30
apparmor.d/abstractions/amdgpu
View file

@ -1,30 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Kernel Fusion Driver for AMD GPUs
abi <abi/4.0>,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r,
@{sys}/devices/virtual/kfd/kfd/dev r,
@{sys}/devices/virtual/kfd/kfd/topology/ r,
@{sys}/devices/virtual/kfd/kfd/topology/generation_id r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/ r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/caches/@{int}/properties r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/gpu_id r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/io_links/@{int}/properties r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/mem_banks/@{int}/properties r,
@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r,
@{sys}/devices/virtual/kfd/kfd/topology/system_properties r,
@{sys}/devices/virtual/kfd/kfd/uevent r,
@{sys}/module/amdgpu/initstate r,
/dev/kfd rw,
include if exists <abstractions/amdgpu.d>
# vim:syntax=apparmor

11
apparmor.d/abstractions/ansible
View file

@ -1,11 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
owner @{HOME}/.ansible/tmp/ansible-tmp-*/* rw,
include if exists <abstractions/ansible.d>
# vim:syntax=apparmor

8
apparmor.d/abstractions/app-launcher-root
View file

@ -5,12 +5,14 @@
abi <abi/4.0>, abi <abi/4.0>,
include <abstractions/path>
@{bin}/** PUx, @{bin}/** PUx,
@{sbin}/** PUx,
/usr/local/{s,}bin/** PUx, /usr/local/{s,}bin/** PUx,
@{bin}/ r,
/ r,
/usr/ r,
/usr/local/{s,}bin/ r,
include if exists <abstractions/app-launcher-root.d> include if exists <abstractions/app-launcher-root.d>
# vim:syntax=apparmor # vim:syntax=apparmor

8
apparmor.d/abstractions/app-launcher-user
View file

@ -5,8 +5,6 @@
abi <abi/4.0>, abi <abi/4.0>,
include <abstractions/path>
@{bin}/** PUx, @{bin}/** PUx,
/opt/*/** PUx, /opt/*/** PUx,
/usr/share/** PUx, /usr/share/** PUx,
@ -20,6 +18,12 @@
@{thunderbird_path} Px, @{thunderbird_path} Px,
@{offices_path} PUx, @{offices_path} PUx,
@{bin}/ r,
/ r,
/usr/ r,
/usr/local/bin/ r,
@{user_bin_dirs}/ r,
@{user_bin_dirs}/** PUx, @{user_bin_dirs}/** PUx,
include if exists <abstractions/app-launcher-user.d> include if exists <abstractions/app-launcher-user.d>

15
apparmor.d/abstractions/app-open
View file

@ -18,7 +18,6 @@
# Labeled programs # Labeled programs
@{archive_viewers_path} PUx, @{archive_viewers_path} PUx,
@{backup_path} PUx,
@{browsers_path} Px, @{browsers_path} Px,
@{document_viewers_path} PUx, @{document_viewers_path} PUx,
@{emails_path} PUx, @{emails_path} PUx,
@ -26,7 +25,6 @@
@{help_path} Px, @{help_path} Px,
@{image_viewers_path} PUx, @{image_viewers_path} PUx,
@{offices_path} PUx, @{offices_path} PUx,
@{terminal_path} Px,
@{text_editors_path} PUx, @{text_editors_path} PUx,
# Others # Others
@ -35,19 +33,17 @@
@{bin}/discord{,-ptb} Px, @{bin}/discord{,-ptb} Px,
@{bin}/draw.io PUx, @{bin}/draw.io PUx,
@{bin}/dropbox Px, @{bin}/dropbox Px,
@{bin}/ebook-edit PUx,
@{bin}/element-desktop Px, @{bin}/element-desktop Px,
@{bin}/extension-manager Px, @{bin}/extension-manager Px,
@{bin}/filezilla Px, @{bin}/filezilla Px,
@{bin}/flameshot Px, @{bin}/flameshot Px,
@{bin}/gimp{,-3.0} Px, @{bin}/gimp* PUx,
@{bin}/gnome-calculator Px, @{bin}/gnome-calculator PUx,
@{bin}/gnome-disk-image-mounter Px, @{bin}/gnome-disk-image-mounter Px,
@{bin}/gnome-disks Px, @{bin}/gnome-disks Px,
@{bin}/gnome-session-quit Px,
@{bin}/gnome-software Px, @{bin}/gnome-software Px,
@{bin}/gwenview PUx, @{bin}/gwenview PUx,
@{bin}/keepassxc Px, @{bin}/kgx Px,
@{bin}/qbittorrent Px, @{bin}/qbittorrent Px,
@{bin}/qpdfview Px, @{bin}/qpdfview Px,
@{bin}/smplayer Px, @{bin}/smplayer Px,
@ -55,12 +51,15 @@
@{bin}/telegram-desktop Px, @{bin}/telegram-desktop Px,
@{bin}/transmission-gtk Px, @{bin}/transmission-gtk Px,
@{bin}/viewnior PUx, @{bin}/viewnior PUx,
@{bin}/vlc Px, @{bin}/vlc PUx,
@{bin}/xbrlapi Px, @{bin}/xbrlapi Px,
#aa:only opensuse #aa:only opensuse
@{lib}/YaST2/** PUx, @{lib}/YaST2/** PUx,
# Backup
@{lib}/deja-dup/deja-dup-monitor PUx,
include if exists <abstractions/app-open.d> include if exists <abstractions/app-open.d>
# vim:syntax=apparmor # vim:syntax=apparmor

89
apparmor.d/abstractions/app/chromium
View file

@ -2,11 +2,6 @@
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no # LOGPROF-SUGGEST: no
# NEEDS-VARIABLE: name
# NEEDS-VARIABLE: domain
# NEEDS-VARIABLE: lib_dirs
# NEEDS-VARIABLE: config_dirs
# NEEDS-VARIABLE: cache_dirs
# Full set of rules for all chromium based browsers. It works as a *function* # Full set of rules for all chromium based browsers. It works as a *function*
# and requires some variables to be provided as *arguments* and set in the # and requires some variables to be provided as *arguments* and set in the
@ -25,32 +20,39 @@
abi <abi/4.0>, abi <abi/4.0>,
include <abstractions/audio-client> include <abstractions/audio-client>
include <abstractions/avahi-observe>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.bluez>
include <abstractions/bus/org.freedesktop.Avahi>
include <abstractions/bus/org.freedesktop.FileManager1> include <abstractions/bus/org.freedesktop.FileManager1>
include <abstractions/bus/org.freedesktop.Notifications>
include <abstractions/bus/org.freedesktop.ScreenSaver>
include <abstractions/bus/org.freedesktop.secrets>
include <abstractions/bus/org.freedesktop.UPower>
include <abstractions/bus/org.gnome.Mutter.IdleMonitor> include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
include <abstractions/bus/session/org.gnome.SessionManager> include <abstractions/bus/org.gnome.ScreenSaver>
include <abstractions/bus/system/org.bluez> include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/camera> include <abstractions/bus/org.kde.kwalletd>
include <abstractions/common/chromium>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/desktop> include <abstractions/desktop>
include <abstractions/devices-u2f> include <abstractions/devices-usb>
include <abstractions/devices-usb-read>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/graphics> include <abstractions/graphics-full>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/notifications>
include <abstractions/pcscd>
include <abstractions/screensaver>
include <abstractions/secrets-service>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/thumbnails-cache-read> include <abstractions/thumbnails-cache-read>
include <abstractions/uim> include <abstractions/uim>
include <abstractions/upower-observe>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
include <abstractions/user-read-strict> include <abstractions/user-read-strict>
include <abstractions/video>
userns,
capability setgid,
capability setuid,
capability sys_admin,
capability sys_chroot,
capability sys_ptrace,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
@ -76,7 +78,7 @@
@{lib_dirs}/chrome-sandbox rPx, @{lib_dirs}/chrome-sandbox rPx,
# Desktop integration # Desktop integration
@{bin}/lsb_release rPx, @{bin}/lsb_release rPx -> lsb_release,
@{bin}/xdg-desktop-menu rPx, @{bin}/xdg-desktop-menu rPx,
@{bin}/xdg-email rPx, @{bin}/xdg-email rPx,
@{bin}/xdg-icon-resource rPx, @{bin}/xdg-icon-resource rPx,
@ -84,11 +86,16 @@
@{bin}/xdg-open rPx -> child-open, @{bin}/xdg-open rPx -> child-open,
@{bin}/xdg-settings rPx, @{bin}/xdg-settings rPx,
# Installing/removing extensions, applications, and stacked xdg menus # Installing/removing extensions & applications
@{sh_path} rix, @{bin}/{,e}grep rix,
@{bin}/{,e}grep ix, @{bin}/basename rix,
@{bin}/{m,g,}awk ix, @{bin}/cat rix,
@{coreutils_path} ix, @{bin}/cut rix,
@{bin}/mkdir rix,
@{bin}/mktemp rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/touch rix,
# For storing passwords externally # For storing passwords externally
@{bin}/keepassxc-proxy rix, # as a temporary solution - see issue #128 @{bin}/keepassxc-proxy rix, # as a temporary solution - see issue #128
@ -108,14 +115,23 @@
/etc/@{name}/{,**} r, /etc/@{name}/{,**} r,
/etc/fstab r, /etc/fstab r,
/etc/{,opensc/}opensc.conf r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/ r, / r,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, owner @{HOME}/.pki/ rw,
owner @{user_config_dirs}/gtk-3.0/servers r, owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
owner @{user_share_dirs}/icons/hicolor/.xdg-icon-resource-dummy w, owner @{user_config_dirs}/gtk-3.0/servers r,
owner @{user_share_dirs}/.@{domain}.@{rand6} rw,
owner @{user_cache_dirs}/gtk-3.0/**/*.cache r,
owner @{config_dirs}/ rw, owner @{config_dirs}/ rw,
owner @{config_dirs}/** rwk, owner @{config_dirs}/** rwk,
@ -125,7 +141,7 @@
owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/kioslaverc r,
owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/menus/applications-merged/ r,
owner @{user_config_dirs}/menus/applications-merged/*.menu rw, owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r,
# For importing data (bookmarks, cookies, etc) from Firefox # For importing data (bookmarks, cookies, etc) from Firefox
# owner @{HOME}/.mozilla/firefox/profiles.ini r, # owner @{HOME}/.mozilla/firefox/profiles.ini r,
@ -139,8 +155,10 @@
/tmp/ r, /tmp/ r,
/var/tmp/ r, /var/tmp/ r,
owner @{tmp}/.@{domain}.@{rand6} rw,
owner @{tmp}/.@{domain}.@{rand6}/{,**} rw,
owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw,
owner @{tmp}/tmp.@{rand10} rw, owner @{tmp}/scoped_dir@{rand6}/{,**} rw,
owner @{tmp}/tmp.@{rand6} rw, owner @{tmp}/tmp.@{rand6} rw,
owner @{tmp}/tmp.@{rand6}/ rw, owner @{tmp}/tmp.@{rand6}/ rw,
owner @{tmp}/tmp.@{rand6}/** rwk, owner @{tmp}/tmp.@{rand6}/** rwk,
@ -148,6 +166,9 @@
owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw, owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw,
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw,
/dev/shm/ r,
owner /dev/shm/.@{domain}.@{rand6} rw,
@{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{sys}/bus/ r, @{sys}/bus/ r,
@ -155,7 +176,12 @@
@{sys}/class/**/ r, @{sys}/class/**/ r,
@{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r, @{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r,
@{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/@{pci}/boot_vga r,
@{sys}/devices/@{pci}/report_descriptor r,
@{sys}/devices/**/uevent r, @{sys}/devices/**/uevent r,
@{sys}/devices/system/cpu/kernel_max r,
@{sys}/devices/virtual/**/report_descriptor r,
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_name} r,
@{sys}/devices/virtual/tty/tty@{int}/active r,
@{PROC}/ r, @{PROC}/ r,
@{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/fd/ r,
@ -169,17 +195,20 @@
owner @{PROC}/@{pid}/clear_refs w, owner @{PROC}/@{pid}/clear_refs w,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/limits r,
owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mem r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/oom_{,score_}adj rw, owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pid}/smaps_rollup r, owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r,
owner @{PROC}/@{pid}/uid_map w,
/dev/ r, /dev/ r,
/dev/hidraw@{int} rw,
/dev/tty rw, /dev/tty rw,
owner /dev/tty@{int} rw, owner /dev/tty@{int} rw,

9
apparmor.d/abstractions/app/editor
View file

@ -10,12 +10,11 @@
include <abstractions/consoles> include <abstractions/consoles>
@{sh_path} rix, @{sh_path} rix,
@{bin}/nvim mrix, @{bin}/nvim mix,
@{bin}/sensible-editor mr, @{bin}/sensible-editor mr,
@{bin}/vim* mrix, @{bin}/vim{,.*} mrix,
@{bin}/which{,.debianutils} rix, @{bin}/which{,.debianutils} ix,
/usr/share/doc/{,**} r,
/usr/share/nvim/{,**} r, /usr/share/nvim/{,**} r,
/usr/share/terminfo/** r, /usr/share/terminfo/** r,
/usr/share/vim/{,**} r, /usr/share/vim/{,**} r,
@ -25,8 +24,6 @@
/etc/xdg/nvim/* r, /etc/xdg/nvim/* r,
owner @{HOME}/.selected_editor r, owner @{HOME}/.selected_editor r,
owner @{HOME}/.vim/{after/,}spell/{,**} rw,
owner @{HOME}/.vim/** r,
owner @{HOME}/.viminf@{c}{,.tmp} rw, owner @{HOME}/.viminf@{c}{,.tmp} rw,
owner @{HOME}/.vimrc r, owner @{HOME}/.vimrc r,

26
apparmor.d/abstractions/app/firefox
View file

@ -2,10 +2,6 @@
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no # LOGPROF-SUGGEST: no
# NEEDS-VARIABLE: name
# NEEDS-VARIABLE: lib_dirs
# NEEDS-VARIABLE: config_dirs
# NEEDS-VARIABLE: cache_dirs
# Full set of rules for all firefox based browsers. It works as a *function* # Full set of rules for all firefox based browsers. It works as a *function*
# and requires some variables to be provided as *arguments* and set in the # and requires some variables to be provided as *arguments* and set in the
@ -22,21 +18,17 @@
include <abstractions/audio-client> include <abstractions/audio-client>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.FileManager1> include <abstractions/bus/org.freedesktop.FileManager1>
include <abstractions/bus/org.freedesktop.NetworkManager> include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/bus/org.freedesktop.RealtimeKit1>
include <abstractions/bus/org.freedesktop.timedate1>
include <abstractions/cups-client> include <abstractions/cups-client>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/desktop> include <abstractions/desktop>
include <abstractions/devices-u2f>
include <abstractions/enchant> include <abstractions/enchant>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/graphics> include <abstractions/graphics-full>
include <abstractions/gstreamer> include <abstractions/gstreamer>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/pcscd>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/thumbnails-cache-read> include <abstractions/thumbnails-cache-read>
include <abstractions/uim> include <abstractions/uim>
@ -72,7 +64,7 @@
@{lib_dirs}/plugin-container rPx, @{lib_dirs}/plugin-container rPx,
# Desktop integration # Desktop integration
@{bin}/lsb_release rPx, @{bin}/lsb_release rPx -> lsb_release,
/usr/share/@{name}/{,**} r, /usr/share/@{name}/{,**} r,
/usr/share/doc/{,**} r, /usr/share/doc/{,**} r,
@ -80,6 +72,7 @@
/usr/share/webext/{,**} r, /usr/share/webext/{,**} r,
/usr/share/xul-ext/kwallet5/* r, /usr/share/xul-ext/kwallet5/* r,
/etc/{,opensc/}opensc.conf r,
/etc/@{name}/{,**} r, /etc/@{name}/{,**} r,
/etc/fstab r, /etc/fstab r,
/etc/lsb-release r, /etc/lsb-release r,
@ -103,14 +96,8 @@
/var/tmp/ r, /var/tmp/ r,
owner @{tmp}/@{name}/ rw, owner @{tmp}/@{name}/ rw,
owner @{tmp}/@{name}/* rwk, owner @{tmp}/@{name}/* rwk,
owner @{tmp}/@{rand6}.tmp rw,
owner @{tmp}/firefox/ rw, owner @{tmp}/firefox/ rw,
owner @{tmp}/firefox/* rwk, owner @{tmp}/firefox/* rwk,
owner @{tmp}/mozilla* rw,
owner @{tmp}/mozilla*/ rw,
owner @{tmp}/mozilla*/* rwk,
owner @{tmp}/remote-settings-startup-bundle- rw,
owner @{tmp}/remote-settings-startup-bundle-.tmp rw,
owner @{tmp}/Temp-@{uuid}/ rw, owner @{tmp}/Temp-@{uuid}/ rw,
owner @{tmp}/Temp-@{uuid}/* rwk, owner @{tmp}/Temp-@{uuid}/* rwk,
owner @{tmp}/tmp-*.xpi rw, owner @{tmp}/tmp-*.xpi rw,
@ -137,10 +124,8 @@
@{sys}/devices/**/uevent r, @{sys}/devices/**/uevent r,
@{sys}/devices/power/events/energy-* r, @{sys}/devices/power/events/energy-* r,
@{sys}/devices/power/type r, @{sys}/devices/power/type r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/product_sku r,
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r,
@{PROC}/@{pid}/net/arp r, @{PROC}/@{pid}/net/arp r,
@ -164,6 +149,7 @@
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
/dev/ r, /dev/ r,
/dev/hidraw@{int} rw,
/dev/tty rw, /dev/tty rw,
/dev/video@{int} rw, /dev/video@{int} rw,
owner /dev/tty@{int} rw, # File Inherit owner /dev/tty@{int} rw, # File Inherit

35
apparmor.d/abstractions/app/fusermount
View file

@ -1,35 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Minimal set of rules for fusermount subprofiles. Path to mount/unmount should
# be defined in the calling profile.
abi <abi/4.0>,
include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability dac_override,
capability dac_read_search,
capability sys_admin, # To mount anything
@{bin}/fusermount{,3} mr,
@{bin}/mount rix,
@{bin}/umount rix,
@{etc_ro}/fuse{,3}.conf r,
@{run}/mount/utab r,
@{run}/mount/utab.* rwk,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/mounts r,
/dev/fuse rw,
include if exists <abstractions/app/fusermount.d>
# vim:syntax=apparmor

6
apparmor.d/abstractions/app/kmod
View file

@ -7,7 +7,13 @@
include <abstractions/consoles> include <abstractions/consoles>
@{bin}/depmod mr,
@{bin}/insmod mr,
@{bin}/kmod mr, @{bin}/kmod mr,
@{bin}/lsmod mr,
@{bin}/modinfo mr,
@{bin}/modprobe mr,
@{bin}/rmmod mr,
@{lib}/modprobe.d/ r, @{lib}/modprobe.d/ r,
@{lib}/modprobe.d/*.conf r, @{lib}/modprobe.d/*.conf r,

31
apparmor.d/abstractions/app/open
View file

@ -3,44 +3,19 @@
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no # LOGPROF-SUGGEST: no
# Full set of rules for desktop generic open-* used in child-open-* profiles. # Full set of rules for child-open-* profiles.
abi <abi/4.0>, abi <abi/4.0>,
include <abstractions/accessibility>
include <abstractions/bus-session>
include <abstractions/desktop> include <abstractions/desktop>
# We cannot use `@{open_path} mrix,` here because it includes: @{open_path} mrix,
# @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop
# And `@{multiarch}` has a wildcard that cannot be merged and that will generate
# "has merged rule with conflicting x modifiers" error when used with other
# wilcard over PUx transition.
@{bin}/exo-open mrix,
@{bin}/xdg-open mrix,
@{bin}/gio mrix,
@{bin}/kde-open mrix,
@{bin}/gio-launch-desktop mrix,
@{lib}/gio-launch-desktop mrix,
@{bin}/env rix,
@{sh_path} r, @{sh_path} r,
@{bin}/env rix,
/dev/tty rw, /dev/tty rw,
# if @{DE} == kde
include <abstractions/audio-client>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
@{PROC}/sys/kernel/random/boot_id r,
# fi
include if exists <abstractions/app/open.d> include if exists <abstractions/app/open.d>
# vim:syntax=apparmor # vim:syntax=apparmor

39
apparmor.d/abstractions/app/pager
View file

@ -1,39 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Minimal set of rules for pagers.
abi <abi/4.0>,
include <abstractions/consoles>
capability dac_override,
capability dac_read_search,
signal receive set=(stop, cont, term, kill),
@{bin}/ r,
@{pager_path} mrix,
@{system_share_dirs}/terminfo/{,**} r,
/usr/share/file/misc/** r,
/usr/share/nvim/{,**} r,
@{etc_ro}/lesskey.bin r,
@{HOME}/.lesshst r,
owner @{HOME}/ r,
owner @{HOME}/.lesshs* rw,
owner @{HOME}/.terminfo/@{int}/* r,
owner @{user_cache_dirs}/lesshs* rw,
owner @{user_state_dirs}/ r,
owner @{user_state_dirs}/lesshs* rw,
/dev/tty@{int} rw,
include if exists <abstractions/app/pager.d>
# vim:syntax=apparmor

3
apparmor.d/abstractions/app/pgrep
View file

@ -19,13 +19,10 @@
@{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/system/node/node@{int}/meminfo r,
@{PROC}/ r, @{PROC}/ r,
@{PROC}/@{pid}/status r,
@{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/stat r, @{PROC}/@{pids}/stat r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
@{PROC}/tty/drivers r,
@{PROC}/uptime r, @{PROC}/uptime r,
include if exists <abstractions/app/pgrep.d> include if exists <abstractions/app/pgrep.d>

2
apparmor.d/abstractions/app/pkexec
View file

@ -30,8 +30,6 @@
/etc/shells r, /etc/shells r,
@{PROC}/@{pid}/fdinfo/@{int} r,
@{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/loginuid r,
owner /dev/tty@{int} rw, owner /dev/tty@{int} rw,

8
apparmor.d/abstractions/app/sudo
View file

@ -3,7 +3,7 @@
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no # LOGPROF-SUGGEST: no
# Minimal set of rules for sudo. # Minimal set of rules for sudo. Interactive sudo need more rules.
abi <abi/4.0>, abi <abi/4.0>,
@ -24,10 +24,10 @@
network netlink raw, # PAM network netlink raw, # PAM
unix type=stream addr=@@{udbus}/bus/sudo/system, unix bind type=stream addr=@@{udbus}/bus/sudo/system,
#aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed
#aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
dbus (send receive) bus=session path=/org/freedesktop/systemd1 dbus (send receive) bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd.Manager interface=org.freedesktop.systemd.Manager

3
apparmor.d/abstractions/app/systemctl
View file

@ -11,12 +11,9 @@
ptrace read peer=@{p_systemd}, ptrace read peer=@{p_systemd},
unix bind type=stream addr=@@{udbus}/bus/systemctl/, unix bind type=stream addr=@@{udbus}/bus/systemctl/,
unix bind type=stream addr=@@{udbus}/bus/systemctl/system,
@{bin}/systemctl mr, @{bin}/systemctl mr,
@{att}/@{run}/systemd/private rw,
owner @{run}/systemd/private rw, owner @{run}/systemd/private rw,
@{PROC}/1/cgroup r, @{PROC}/1/cgroup r,

3
apparmor.d/abstractions/app/udevadm
View file

@ -11,8 +11,7 @@
/etc/udev/udev.conf r, /etc/udev/udev.conf r,
@{run}/udev/data/+*:* r, # Identifies all subsystems @{run}/udev/data/* r,
@{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
@{sys}/** r, @{sys}/** r,

12
apparmor.d/abstractions/attached/base
View file

@ -3,21 +3,15 @@
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no # LOGPROF-SUGGEST: no
# Do not use it manually, It automatically replaces the base abstraction in a # Do not use it manually, it is automatically included in profiles when it is required.
# profile with the attach_disconnected flag set and the re-attached path enabled.
abi <abi/4.0>, abi <abi/4.0>,
include <abstractions/base>
@{att}/@{run}/systemd/journal/dev-log w, @{att}/@{run}/systemd/journal/dev-log w,
@{att}/@{run}/systemd/journal/socket w, @{att}/@{run}/systemd/journal/socket w,
@{att}/@{run}/systemd/journal/stdout rw,
@{att}/dev/null rw, deny /apparmor/.null rw,
deny @{att}/apparmor/.null rw,
/apparmor/.null rw,
@{att}/apparmor/.null rw,
include if exists <abstractions/attached/base.d> include if exists <abstractions/attached/base.d>

20
apparmor.d/abstractions/attached/consoles
View file

@ -3,26 +3,10 @@
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no # LOGPROF-SUGGEST: no
# Do not use it manually, It automatically replaces the consoles abstraction in a
# profile with the attach_disconnected flag set and the re-attached path enabled.
abi <abi/4.0>, abi <abi/4.0>,
# There are the common ways to refer to consoles @{att}/dev/tty@{int} rw,
/dev/console rw, owner @{att}/dev/pts/@{int} rw,
/dev/tty rw,
/dev/tty@{u8} rw,
@{att}/dev/tty rw,
@{att}/dev/tty@{u8} rw,
# These entries are a bit unfortunate; /dev/tty will always be
# associated with the controlling terminal by the kernel, but if a
# program uses the /dev/pts/ interface, it actually has access to
# -all- xterm, sshd, etc, terminals on the system.
/dev/pts/ r,
owner /dev/pts/@{u16} rw,
@{att}/pts/ r,
owner @{att}/dev/pts/@{u16} rw,
include if exists <abstractions/attached/consoles.d> include if exists <abstractions/attached/consoles.d>

7
apparmor.d/abstractions/audio-client
View file

@ -21,7 +21,6 @@
/etc/openal/alsoft.conf r, /etc/openal/alsoft.conf r,
/etc/pipewire/client{,-rt}.conf r, /etc/pipewire/client{,-rt}.conf r,
/etc/pipewire/client{,-rt}.conf.d/{,**} r, /etc/pipewire/client{,-rt}.conf.d/{,**} r,
/etc/pipewire/jack.conf.d/{,**} r,
/etc/pulse/client.conf r, /etc/pulse/client.conf r,
/etc/pulse/client.conf.d/{,**} r, /etc/pulse/client.conf.d/{,**} r,
/etc/wildmidi/wildmidi.cfg r, /etc/wildmidi/wildmidi.cfg r,
@ -57,18 +56,12 @@
owner @{run}/user/@{uid}/pulse/ rw, owner @{run}/user/@{uid}/pulse/ rw,
owner @{run}/user/@{uid}/pulse/native rw, owner @{run}/user/@{uid}/pulse/native rw,
@{run}/udev/data/c116:@{int} r, # For ALSA
@{run}/udev/data/+sound:card@{int} r, # For sound card
@{sys}/class/ r,
@{sys}/class/sound/ r, @{sys}/class/sound/ r,
/dev/shm/ r, /dev/shm/ r,
owner /dev/shm/pulse-shm-@{int} rw, owner /dev/shm/pulse-shm-@{int} rw,
/dev/snd/controlC@{int} r, /dev/snd/controlC@{int} r,
/dev/snd/pcmC@{int}D@{int}[cp] r,
/dev/snd/timer r,
include if exists <abstractions/audio-client.d> include if exists <abstractions/audio-client.d>

5
apparmor.d/abstractions/audio-server
View file

@ -9,6 +9,11 @@
include <abstractions/audio-client> include <abstractions/audio-client>
@{run}/udev/data/+sound:card@{int} r, # for sound card
@{sys}/class/ r,
@{sys}/class/sound/ r,
@{PROC}/asound/** rw, @{PROC}/asound/** rw,
/dev/admmidi* rw, /dev/admmidi* rw,

3
apparmor.d/abstractions/authentication.d/complete
View file

@ -3,10 +3,9 @@
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
@{bin}/pam-tmpdir-helper rPx, @{bin}/pam-tmpdir-helper rPx,
@{lib}/pam-tmpdir/pam-tmpdir-helper rPx,
#aa:only abi3 #aa:only abi3
@{sbin}/unix_chkpwd rPx, @{bin}/unix_chkpwd rPx,
#aa:only whonix #aa:only whonix
@{lib}/security-misc/pam-abort-on-locked-password rPx, @{lib}/security-misc/pam-abort-on-locked-password rPx,

25
apparmor.d/abstractions/avahi-observe
View file

@ -1,25 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2016 Canonical Ltd
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allows domain, record, service, and service type browsing as well as address,
# host and service resolving
abi <abi/4.0>,
include <abstractions/bus/system/org.freedesktop.Avahi.Server>
include <abstractions/bus/system/org.freedesktop.Avahi.AddressResolver>
include <abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser>
include <abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver>
include <abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser>
include <abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser>
include <abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver>
include <abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser>
@{run}/avahi-daemon/socket rw,
include if exists <abstractions/avahi-observe.d>
# vim:syntax=apparmor

132
apparmor.d/abstractions/base-strict
View file

@ -1,132 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Do not use it manually, It automatically replaces the base abstraction in
# profiles when the re-attached mode is enabled.
# For now, it is only a restructuring of the base abstraction with awareness
# of the apparmor.d architecture.
abi <abi/4.0>,
include <abstractions/crypto>
include <abstractions/glibc>
include <abstractions/ld>
include <abstractions/locale>
# Allow us to signal ourselves
signal peer=@{profile_name},
# Checking for PID existence is quite common so add it by default for now
signal (receive, send) set=exists,
#aa:exclude RBAC
# Allow unconfined processes to send us signals by default
signal receive peer=unconfined,
# Systemd: allow to receive any signal from the systemd profiles stack
signal receive peer=@{p_systemd},
signal receive peer=@{p_systemd_user},
# Htop like programs can send any signal to any process
signal receive peer=btop,
signal receive peer=htop,
signal receive peer=top,
signal receive set=(cont,term,kill,stop) peer=gnome-system-monitor,
# Allow to receive termination signal from manager such as sudo, login, shutdown or systemd
signal receive peer=su,
signal receive peer=sudo,
signal receive set=(cont,term,kill,stop) peer=gnome-shell,
signal receive set=(cont,term,kill,stop) peer=login,
signal receive set=(cont,term,kill,stop) peer=openbox,
signal receive set=(cont,term,kill,stop) peer=systemd-shutdown,
signal receive set=(cont,term,kill,stop) peer=xinit,
# Allow other processes to read our /proc entries, futexes, perf tracing and
# kcmp for now (they will need 'read' in the first place). Administrators can
# override with:
# deny ptrace readby ...
ptrace readby,
# Allow other processes to trace us by default (they will need 'trace' in
# the first place). Administrators can override with:
# deny ptrace tracedby ...
ptrace tracedby,
# Allow us to ptrace read ourselves
ptrace read peer=@{profile_name},
# Allow us to create and use abstract and anonymous sockets
unix peer=(label=@{profile_name}),
# Allow unconfined processes to us via unix sockets
unix receive peer=(label=unconfined),
# Allow communication to children and stacked profiles
signal peer=@{profile_name}//*,
signal peer=@{profile_name}//&*,
unix type=stream peer=(label=@{profile_name}//*),
# Allow us to create abstract and anonymous sockets
unix create,
# Allow us to getattr, getopt, setop and shutdown on unix sockets
unix (getattr, getopt, setopt, shutdown),
# Allow all programs to use common libraries
@{lib}/** r,
@{lib}/**.so* m,
@{lib}/@{multiarch}/**.so* m,
@{lib}/@{multiarch}/** r,
# Some applications will display license information
/usr/share/common-licenses/** r,
# Allow access to the uuidd daemon (this daemon is a thin wrapper around
# time and getrandom()/{,u}random and, when available, runs under an
# unprivilged, dedicated user).
@{run}/uuidd/request r,
# Transparent hugepage support
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
# Systemd's equivalent of /dev/log
@{run}/systemd/journal/dev-log w,
# Systemd native journal API (see sd_journal_print(4))
@{run}/systemd/journal/socket w,
# Nested containers and anything using systemd-cat need this. 'r' shouldn't
# be required but applications fail without it. journald doesn't leak
# anything when reading so this is ok.
@{run}/systemd/journal/stdout rw,
# Allow determining the highest valid capability of the running kernel
@{PROC}/sys/kernel/cap_last_cap r,
# Controls how core dump files are named
@{PROC}/sys/kernel/core_pattern r,
# Sometimes used to determine kernel/user interfaces to use
@{PROC}/sys/kernel/version r,
# Harmless and frequently used
/dev/null rw,
/dev/random r,
/dev/urandom r,
/dev/zero rw,
# The __canary_death_handler function writes a time-stamped log
# message to /dev/log for logging by syslogd. So, /dev/log, timezones,
# and localisations of date should be available EVERYWHERE, so
# StackGuard, FormatGuard, etc., alerts can be properly logged.
/dev/log w,
include if exists <abstractions/base-strict.d>
# vim:syntax=apparmor

39
apparmor.d/abstractions/base.d/complete
View file

@ -3,33 +3,34 @@
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# Systemd: allow to receive any signal from the systemd profiles stack
signal receive peer=@{p_systemd},
signal receive peer=@{p_systemd_user},
# Allow to receive some signals from new well-known profiles # Allow to receive some signals from new well-known profiles
signal receive peer=btop, signal (receive) peer=btop,
signal receive peer=htop, signal (receive) peer=htop,
signal receive peer=pkill, signal (receive) peer=sudo,
signal receive peer=sudo, signal (receive) peer=top,
signal receive peer=top, signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown,
signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, signal (receive) set=(cont,term) peer=@{p_systemd_user},
signal receive set=(hup term) peer=login, signal (receive) set=(cont,term) peer=@{p_systemd},
signal receive set=(hup) peer=xinit, signal (receive) set=(hup term) peer=login,
signal receive set=(term,kill) peer=gnome-shell, signal (receive) set=(hup) peer=xinit,
signal receive set=(term,kill) peer=gnome-system-monitor, signal (receive) set=(term,kill) peer=gnome-shell,
signal receive set=(term,kill) peer=openbox, signal (receive) set=(term,kill) peer=gnome-system-monitor,
signal receive set=(term,kill) peer=su, signal (receive) set=(term,kill) peer=openbox,
signal (receive) set=(term,kill) peer=su,
ptrace readby peer=@{p_systemd_coredump}, ptrace (readby) peer=systemd-coredump,
@{etc_rw}/localtime r, @{etc_rw}/localtime r,
/etc/locale.conf r, /etc/locale.conf r,
# mesa 24.2 introduced a shader disk cache which opens quite a lot of fd.
# They are not closed and get inherited by child programs. Denying it can cause
# crash, so we are allowing it globally while the issue is beeing fixed in mesa.
owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rw,
owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rw,
@{sys}/devices/system/cpu/possible r, @{sys}/devices/system/cpu/possible r,
@{PROC}/sys/kernel/core_pattern r, @{PROC}/sys/kernel/core_pattern r,
/apparmor/.null rw,
# vim:syntax=apparmor # vim:syntax=apparmor

2
apparmor.d/abstractions/bash-strict
View file

@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# This abstraction is only required when .bashrc is loaded (e.g. interactive shell). # This abstraction is only required when an interactive shell is started.
# Classic shell scripts do not need it. # Classic shell scripts do not need it.
abi <abi/4.0>, abi <abi/4.0>,

5
apparmor.d/abstractions/bus-accessibility
View file

@ -9,6 +9,11 @@
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
dbus send bus=accessibility path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
owner @{run}/user/@{uid}/at-spi/ rw, owner @{run}/user/@{uid}/at-spi/ rw,
owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/at-spi/bus rw,
owner @{run}/user/@{uid}/at-spi/bus_@{int} rw, owner @{run}/user/@{uid}/at-spi/bus_@{int} rw,

11
apparmor.d/abstractions/bus-session
View file

@ -4,13 +4,20 @@
abi <abi/4.0>, abi <abi/4.0>,
unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/session, unix (bind, listen) type=stream addr="@/tmp/dbus-*",
unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*",
unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-*"),
dbus send bus=session path=/org/freedesktop/{dbus,DBus} dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
/etc/machine-id r, /etc/machine-id r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,

8
apparmor.d/abstractions/bus-system
View file

@ -4,15 +4,17 @@
abi <abi/4.0>, abi <abi/4.0>,
unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/system,
dbus send bus=system path=/org/freedesktop/DBus dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
@{run}/dbus/system_bus_socket rw, @{run}/dbus/system_bus_socket rw,
@{att}/@{run}/dbus/system_bus_socket rw,
include if exists <abstractions/bus-system.d> include if exists <abstractions/bus-system.d>

65
apparmor.d/abstractions/bus/accessibility/org.a11y
View file

@ -1,65 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017 Canonical Ltd
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
# Allow the accessibility services in the user session to send us any events
dbus receive bus=accessibility
peer=(label="@{p_at_spi2_registryd}"),
# Allow querying for capabilities and registering
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=GetRegisteredEvents
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
interface=org.a11y.atspi.DeviceEventController
member={GetKeystrokeListeners,GetDeviceEventListeners}
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
interface=org.a11y.atspi.DeviceEventController
member=NotifyListenersSync
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
# org.a11y.atspi is not designed for application isolation and these rules
# can be used to send change events for other processes.
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Event.Object
member=ChildrenChanged
peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Accessible
member=Get*
peer=(label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
interface=org.a11y.atspi.Event.Object
member={ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved}
peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/cache
interface=org.a11y.atspi.Cache
member={AddAccessible,RemoveAccessible}
peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
include if exists <abstractions/bus/accessibility/org.a11y.d>
# vim:syntax=apparmor

25
apparmor.d/abstractions/bus/accessibility/own
View file

@ -1,25 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Do not use it manually, It is automatically included in a profile by the
# `aa:dbus own` directive.
# Allow owning a name on DBus public bus
abi <abi/4.0>,
dbus send bus=accessibility path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
dbus send bus=accessibility path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
include if exists <abstractions/bus/accessibility/own.d>
# vim:syntax=apparmor

19
apparmor.d/abstractions/bus/ca.desrt.dconf.Writer
View file

@ -1,19 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/ca/desrt/dconf/Writer/user
interface=ca.desrt.dconf.Writer
member=Change
peer=(name=ca.desrt.dconf), # no peer's labels
dbus receive bus=session path=/ca/desrt/dconf/Writer/user
interface=ca.desrt.dconf.Writer
member=Notify
peer=(name=@{busname}, label=dconf-service),
include if exists <abstractions/bus/ca.desrt.dconf.Writer.d>
# vim:syntax=apparmor

4
apparmor.d/abstractions/bus/com.canonical.dbusmenu
View file

@ -4,10 +4,6 @@
abi <abi/4.0>, abi <abi/4.0>,
dbus send bus=session path=/com/canonical/unity/launcherentry/**
interface=com.canonical.dbusmenu
member={GetGroupProperties,GetLayout}
peer=(name=@{busname}, label=nautilus),
include if exists <abstractions/bus/com.canonical.dbusmenu.d> include if exists <abstractions/bus/com.canonical.dbusmenu.d>

17
apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1
View file

@ -4,11 +4,14 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant dbus send bus=system path=/fi/w1/wpa_supplicant1
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
peer=(name="@{busname}", label=wpa-supplicant),
dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=Set member={GetAll,Set}
peer=(name="@{busname}", label=wpa-supplicant), peer=(name="@{busname}", label=wpa-supplicant),
dbus send bus=system path=/fi/w1/wpa_supplicant1 dbus send bus=system path=/fi/w1/wpa_supplicant1
@ -36,6 +39,16 @@
member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone,PropertiesChanged} member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone,PropertiesChanged}
peer=(name="@{busname}", label=wpa-supplicant), peer=(name="@{busname}", label=wpa-supplicant),
dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
peer=(name="@{busname}", label=wpa-supplicant),
dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}/BSSs/@{int}
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
peer=(name="@{busname}", label=wpa-supplicant),
include if exists <abstractions/bus/fi.w1.wpa_supplicant1.d> include if exists <abstractions/bus/fi.w1.wpa_supplicant1.d>
# vim:syntax=apparmor # vim:syntax=apparmor

5
apparmor.d/abstractions/bus/net.hadess.PowerProfiles
View file

@ -4,7 +4,10 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=system name=net.hadess.PowerProfiles label="@{p_power_profiles_daemon}" dbus send bus=system path=/net/hadess/PowerProfiles
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=power-profiles-daemon),
include if exists <abstractions/bus/net.hadess.PowerProfiles.d> include if exists <abstractions/bus/net.hadess.PowerProfiles.d>

5
apparmor.d/abstractions/bus/net.hadess.SwitcherooControl
View file

@ -4,7 +4,10 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=system name=net.hadess.SwitcherooControl label=switcheroo-control dbus send bus=system path=/net/hadess/SwitcherooControl
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=switcheroo-control),
include if exists <abstractions/bus/net.hadess.SwitcherooControl.d> include if exists <abstractions/bus/net.hadess.SwitcherooControl.d>

6
apparmor.d/abstractions/bus/net.reactivated.Fprint
View file

@ -4,12 +4,10 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=system name=net.reactivated.Fprint label="@{p_fprintd}"
dbus send bus=system path=/net/reactivated/Fprint/Manager dbus send bus=system path=/net/reactivated/Fprint/Manager
interface=net.reactivated.Fprint.Manager interface=net.reactivated.Fprint.Manager
member={GetDevices,GetDefaultDevice} member={GetDevices,GetDefaultDevice}
peer=(name="@{busname}", label="@{p_fprintd}"), peer=(name="@{busname}", label=fprintd),
dbus send bus=system path=/net/reactivated/Fprint/Manager dbus send bus=system path=/net/reactivated/Fprint/Manager
interface=net.reactivated.Fprint.Manager interface=net.reactivated.Fprint.Manager
@ -19,7 +17,7 @@
dbus send bus=system path=/net/reactivated/Fprint/Manager dbus send bus=system path=/net/reactivated/Fprint/Manager
interface=net.reactivated.Fprint.Manager interface=net.reactivated.Fprint.Manager
member={GetDevices,GetDefaultDevice} member={GetDevices,GetDefaultDevice}
peer=(name=net.reactivated.Fprint, label="@{p_fprintd}"), peer=(name=net.reactivated.Fprint, label=fprintd),
include if exists <abstractions/bus/net.reactivated.Fprint.d> include if exists <abstractions/bus/net.reactivated.Fprint.d>

48
apparmor.d/abstractions/bus/org.a11y Normal file
View file

@ -0,0 +1,48 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
# Accessibility bus
dbus receive bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=EventListenerDeregistered
peer=(name="@{busname}", label=at-spi2-registryd),
dbus send bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=GetRegisteredEvents
peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
interface=org.a11y.atspi.DeviceEventController
member={GetKeystrokeListeners,GetDeviceEventListeners}
peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name="@{busname}", label=at-spi2-registryd),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
# Session bus
dbus send bus=session path=/org/a11y/bus
interface=org.a11y.Bus
member=GetAddress
peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
dbus send bus=session path=/org/a11y/bus
interface=org.a11y.Bus
member=GetAddress
peer=(name=org.a11y.Bus),
include if exists <abstractions/bus/org.a11y.d>
# vim:syntax=apparmor

28
apparmor.d/abstractions/bus/system/org.bluez → apparmor.d/abstractions/bus/org.bluez
View file

@ -4,38 +4,46 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=system name=org.bluez label="@{p_bluetoothd}"
dbus receive bus=system path=/ dbus receive bus=system path=/
interface=org.freedesktop.DBus.ObjectManager interface=org.freedesktop.DBus.ObjectManager
member={InterfacesAdded,InterfacesRemoved} member=InterfacesRemoved
peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), peer=(name="{@{busname},org.bluez}", label=bluetoothd),
dbus receive bus=system path=/org/bluez/hci@{int}{,/**}
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="{@{busname},org.bluez}", label=bluetoothd),
dbus send bus=system path=/ dbus send bus=system path=/
interface=org.freedesktop.DBus.ObjectManager interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects member=GetManagedObjects
peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), peer=(name="{@{busname},org.bluez}", label=bluetoothd),
dbus send bus=system path=/org/bluez dbus send bus=system path=/org/bluez
interface=org.bluez.AgentManager@{int} interface=org.bluez.AgentManager@{int}
member={RegisterAgent,RequestDefaultAgent,UnregisterAgent} member={RegisterAgent,RequestDefaultAgent,UnregisterAgent}
peer=(name=org.bluez, label="@{p_bluetoothd}"), peer=(name=org.bluez, label=bluetoothd),
dbus send bus=system path=/org/bluez dbus send bus=system path=/org/bluez
interface=org.bluez.ProfileManager@{int} interface=org.bluez.ProfileManager@{int}
member=RegisterProfile member=RegisterProfile
peer=(name=org.bluez, label="@{p_bluetoothd}"), peer=(name=org.bluez, label=bluetoothd),
dbus send bus=system path=/org/bluez/hci@{int}
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name="{@{busname},org.bluez}", label=bluetoothd),
dbus send bus=system path=/org/bluez/hci@{int} dbus send bus=system path=/org/bluez/hci@{int}
interface=org.bluez.BatteryProviderManager@{int} interface=org.bluez.BatteryProviderManager@{int}
member=RegisterProfile member=RegisterProfile
peer=(name=org.bluez, label="@{p_bluetoothd}"), peer=(name=org.bluez, label=bluetoothd),
dbus send bus=system path=/org/bluez/hci@{int} dbus send bus=system path=/org/bluez/hci@{int}
interface=org.bluez.Media@{int} interface=org.bluez.Media@{int}
member=RegisterApplication member=RegisterApplication
peer=(name=org.bluez, label="@{p_bluetoothd}"), peer=(name=org.bluez, label=bluetoothd),
include if exists <abstractions/bus/system/org.bluez.d> include if exists <abstractions/bus/org.bluez.d>
# vim:syntax=apparmor # vim:syntax=apparmor

17
apparmor.d/abstractions/bus/org.freedesktop.Accounts
View file

@ -4,27 +4,30 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
dbus send bus=system path=/org/freedesktop/Accounts dbus send bus=system path=/org/freedesktop/Accounts
interface=org.freedesktop.Accounts interface=org.freedesktop.Accounts
member={FindUserByName,ListCachedUsers,FindUserById} member={FindUserByName,ListCachedUsers}
peer=(name="{@{busname},org.freedesktop.Accounts}", label="@{p_accounts_daemon}"), peer=(name="@{busname}", label=accounts-daemon),
dbus send bus=system path=/org/freedesktop/Accounts{,/User@{uid}}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=accounts-daemon),
dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
interface=org.freedesktop.Accounts.User interface=org.freedesktop.Accounts.User
member=*Changed member=*Changed
peer=(name="@{busname}", label="@{p_accounts_daemon}"), peer=(name="@{busname}", label=accounts-daemon),
dbus receive bus=system path=/org/freedesktop/Accounts dbus receive bus=system path=/org/freedesktop/Accounts
interface=org.freedesktop.Accounts interface=org.freedesktop.Accounts
member=UserAdded member=UserAdded
peer=(name="@{busname}", label="@{p_accounts_daemon}"), peer=(name="@{busname}", label=accounts-daemon),
dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=*Changed member=*Changed
peer=(name="@{busname}", label="@{p_accounts_daemon}"), peer=(name="@{busname}", label=accounts-daemon),
include if exists <abstractions/bus/org.freedesktop.Accounts.d> include if exists <abstractions/bus/org.freedesktop.Accounts.d>

27
apparmor.d/abstractions/bus/org.freedesktop.Avahi
View file

@ -4,42 +4,25 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.Avahi label="@{p_avahi_daemon}"
dbus send bus=system path=/ dbus send bus=system path=/
interface=org.freedesktop.DBus.Peer interface=org.freedesktop.DBus.Peer
member=Ping member=Ping
peer=(name=org.freedesktop.Avahi), peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
dbus send bus=system path=/ dbus send bus=system path=/
interface=org.freedesktop.Avahi.Server interface=org.freedesktop.Avahi.Server
member={GetAPIVersion,GetState,Service*New} member={GetAPIVersion,GetState,Service*New}
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
dbus send bus=system path=/Client@{int}/ServiceBrowser@{int} dbus send bus=system path=/Client@{int}/ServiceBrowser@{int}
interface=org.freedesktop.Avahi.ServiceBrowser interface=org.freedesktop.Avahi.ServiceBrowser
member=Free member=Free
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
interface=org.freedesktop.Avahi.ServiceBrowser interface=org.freedesktop.Avahi.ServiceBrowser
member={ItemNew,ItemRemove,AllForNow,CacheExhausted} member={ItemNew,AllForNow,CacheExhausted}
peer=(name="@{busname}", label="@{p_avahi_daemon}"), peer=(name="@{busname}", label=avahi-daemon),
dbus receive bus=system path=/
interface=org.freedesktop.Avahi.Server
member=StateChanged
peer=(name=@{busname}, label="@{p_avahi_daemon}"),
dbus receive bus=system path=/Client@{int}/ServiceResolver@{int}
interface=org.freedesktop.Avahi.ServiceResolver
member=Found
peer=(name=@{busname}, label="@{p_avahi_daemon}"),
dbus send bus=system path=/Client@{int}/ServiceResolver@{int}
interface=org.freedesktop.Avahi.ServiceResolver
member=Free
peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
include if exists <abstractions/bus/org.freedesktop.Avahi.d> include if exists <abstractions/bus/org.freedesktop.Avahi.d>

29
apparmor.d/abstractions/bus/org.freedesktop.ColorManager Normal file
View file

@ -0,0 +1,29 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.ColorManager
member=GetDevices
peer=(name="@{busname}", label=colord),
dbus send bus=system path=/org/freedesktop/ColorManager{,/**}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=colord),
dbus send bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.ColorManager
member=CreateDevice
peer=(name="@{busname}", label=colord),
dbus receive bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.ColorManager
member={DeviceAdded,DeviceRemoved}
peer=(name="@{busname}", label=colord),
include if exists <abstractions/bus/org.freedesktop.ColorManager.d>
# vim:syntax=apparmor

13
apparmor.d/abstractions/bus/org.freedesktop.FileManager1
View file

@ -4,12 +4,15 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=session name=org.freedesktop.FileManager1 label=nautilus
dbus send bus=session path=/org/freedesktop/FileManager1 dbus send bus=session path=/org/freedesktop/FileManager1
interface=org.freedesktop.FileManager1 interface=org.freedesktop.DBus.Properties
member=ShowItems member=GetAll
peer=(name=org.freedesktop.FileManager1, label=nautilus), peer=(name="@{busname}", label=nautilus),
dbus receive bus=session path=/org/freedesktop/FileManager1
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="@{busname}", label=nautilus),
include if exists <abstractions/bus/org.freedesktop.FileManager1.d> include if exists <abstractions/bus/org.freedesktop.FileManager1.d>

19
apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
View file

@ -4,26 +4,35 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=geoclue),
dbus send bus=system path=/org/freedesktop/GeoClue2/Agent dbus send bus=system path=/org/freedesktop/GeoClue2/Agent
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=PropertiesChanged member=PropertiesChanged
peer=(name=org.freedesktop.DBus, label="@{p_geoclue}"), peer=(name=org.freedesktop.DBus, label=geoclue),
dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll member=GetAll
peer=(name="@{busname}", label="@{p_geoclue}"), peer=(name="@{busname}", label=geoclue),
dbus send bus=system path=/org/freedesktop/GeoClue2/Manager dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll member=GetAll
peer=(name="@{busname}", label="@{p_geoclue}"), peer=(name="@{busname}", label=geoclue),
dbus send bus=system path=/org/freedesktop/GeoClue2/Manager dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
interface=org.freedesktop.GeoClue2.Manager interface=org.freedesktop.GeoClue2.Manager
member=AddAgent member=AddAgent
peer=(name="@{busname}", label="@{p_geoclue}"), peer=(name="@{busname}", label=geoclue),
dbus receive bus=system path=/org/freedesktop/GeoClue2/Manager
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="@{busname}", label=geoclue),
include if exists <abstractions/bus/org.freedesktop.GeoClue2.d> include if exists <abstractions/bus/org.freedesktop.GeoClue2.d>

13
apparmor.d/abstractions/bus/org.freedesktop.ModemManager1
View file

@ -4,17 +4,20 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" dbus send bus=system path=/org/freedesktop/ModemManager1
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name=org.freedesktop.ModemManager1, label=ModemManager),
dbus send bus=system path=/org/freedesktop/ModemManager1 dbus send bus=system path=/org/freedesktop/ModemManager1
interface=org.freedesktop.DBus.ObjectManager interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects member=GetManagedObjects
peer=(name=org.freedesktop.ModemManager1, label="@{p_ModemManager}"), peer=(name="@{busname}", label=ModemManager),
dbus send bus=system path=/org/freedesktop/ModemManager1 dbus send bus=system path=/org/freedesktop/ModemManager1
interface=org.freedesktop.DBus.ObjectManager interface=org.freedesktop.DBus.Properties
member=GetManagedObjects member=GetAll
peer=(name="@{busname}", label="@{p_ModemManager}"), peer=(name="@{busname}", label=ModemManager),
include if exists <abstractions/bus/org.freedesktop.ModemManager1.d> include if exists <abstractions/bus/org.freedesktop.ModemManager1.d>

26
apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
View file

@ -4,11 +4,14 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.NetworkManager label=NetworkManager
dbus send bus=system path=/org/freedesktop dbus send bus=system path=/org/freedesktop
interface=org.freedesktop.DBus.ObjectManager interface=org.freedesktop.DBus.ObjectManager
member={GetManagedObjects,InterfacesRemoved} member=GetManagedObjects
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager{,/**}
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager dbus send bus=system path=/org/freedesktop/NetworkManager
@ -26,9 +29,19 @@
member=GetSettings member=GetSettings
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop dbus receive bus=system path=/org/freedesktop
interface=org.freedesktop.DBus.ObjectManager interface=org.freedesktop.DBus.ObjectManager
member={InterfacesAdded,InterfacesRemoved} member=InterfacesAdded
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**}
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager dbus receive bus=system path=/org/freedesktop/NetworkManager
@ -51,11 +64,6 @@
member=Updated member=Updated
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int}
interface=org.freedesktop.NetworkManager.Connection.Active
member=StateChanged
peer=(name=@{busname}, label=NetworkManager),
include if exists <abstractions/bus/org.freedesktop.NetworkManager.d> include if exists <abstractions/bus/org.freedesktop.NetworkManager.d>
# vim:syntax=apparmor # vim:syntax=apparmor

29
apparmor.d/abstractions/bus/org.freedesktop.Notifications Normal file
View file

@ -0,0 +1,29 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=gjs-console),
dbus send bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member={GetCapabilities,GetServerInformation,Notify}
peer=(name="@{busname}", label=gjs-console),
dbus receive bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member={GetAll,NotificationClosed,CloseNotification}
peer=(name="@{busname}", label=gjs-console),
dbus receive bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member=Notify
peer=(name=org.freedesktop.DBus, label=gjs-console),
include if exists <abstractions/bus/org.freedesktop.Notifications.d>
# vim:syntax=apparmor

22
apparmor.d/abstractions/bus/org.freedesktop.PackageKit
View file

@ -2,13 +2,17 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# Allow communication with PackageKit transactions. Transactions are exported
# with random object paths that currently take the form /@{int}_@{hex8}.
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.PackageKit label=packagekitd dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=packagekitd),
dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=org.freedesktop.PackageKit, label=packagekitd),
dbus send bus=system path=/org/freedesktop/PackageKit dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable
member=Introspect member=Introspect
@ -17,15 +21,7 @@
dbus send bus=system path=/org/freedesktop/PackageKit dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.PackageKit interface=org.freedesktop.PackageKit
member=StateHasChanged member=StateHasChanged
peer=(name=org.freedesktop.PackageKit), peer=(name=org.freedesktop.PackageKit, label=packagekitd),
dbus send bus=system path=/@{int}_@{hex8}
interface=org.freedesktop.PackageKit.Transaction
peer=(label=packagekitd),
dbus receive bus=system path=/@{int}_@{hex8}
interface=org.freedesktop.PackageKit.Transaction
peer=(label=packagekitd),
include if exists <abstractions/bus/org.freedesktop.PackageKit.d> include if exists <abstractions/bus/org.freedesktop.PackageKit.d>

28
apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1
View file

@ -2,26 +2,36 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# Can talk to polkitd's CheckAuthorization API
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority interface=org.freedesktop.PolicyKit1.Authority
member=Changed member=Changed
peer=(name="@{busname}", label="@{p_polkitd}"), peer=(name="@{busname}", label=polkitd),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=polkitd),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority interface=org.freedesktop.PolicyKit1.Authority
member={CheckAuthorization,CancelCheckAuthorization} member=CheckAuthorization
peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"), peer=(name=org.freedesktop.PolicyKit1, label=polkitd),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority interface=org.freedesktop.PolicyKit1.Authority
member=RegisterAuthenticationAgentWithOptions member=CheckAuthorization
peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"), peer=(name="@{busname}", label=polkitd),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
member=CheckAuthorization
peer=(name=org.freedesktop.PolicyKit1),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name="@{busname}", label=polkitd),
include if exists <abstractions/bus/org.freedesktop.PolicyKit1.d> include if exists <abstractions/bus/org.freedesktop.PolicyKit1.d>

23
apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
View file

@ -2,25 +2,32 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# Allow setting realtime priorities.
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label="@{p_rtkit_daemon}"
dbus send bus=system path=/org/freedesktop/RealtimeKit1 dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=Get member=Get
peer=(name=org.freedesktop.RealtimeKit1), peer=(name=org.freedesktop.RealtimeKit1),
dbus send bus=system path=/org/freedesktop/RealtimeKit1 dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.RealtimeKit1 interface=org.freedesktop.DBus.Properties
member={MakeThreadHighPriority,MakeThreadRealtime} member={Get,GetAll}
peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"), peer=(name="@{busname}", label=rtkit-daemon),
dbus send bus=system path=/org/freedesktop/RealtimeKit1 dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.RealtimeKit1 interface=org.freedesktop.RealtimeKit1
member={MakeThreadHighPriorityWithPID,MakeThreadRealtimeWithPID} member=MakeThread*
peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"), peer=(name="@{busname}", label=rtkit-daemon),
dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.RealtimeKit1
member=MakeThread*
peer=(name=org.freedesktop.RealtimeKit1),
dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.RealtimeKit1
member=MakeThread*
peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon),
include if exists <abstractions/bus/org.freedesktop.RealtimeKit1.d> include if exists <abstractions/bus/org.freedesktop.RealtimeKit1.d>

14
apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver Normal file
View file

@ -0,0 +1,14 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/ScreenSaver
interface=org.freedesktop.ScreenSaver
member={Inhibit,UnInhibit}
peer=(name=org.freedesktop.ScreenSaver),
include if exists <abstractions/bus/org.freedesktop.ScreenSaver.d>
# vim:syntax=apparmor

4
apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files
View file

@ -7,12 +7,12 @@
dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
interface=org.freedesktop.DBus.Peer interface=org.freedesktop.DBus.Peer
member=Ping member=Ping
peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"), peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner),
dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
interface=org.freedesktop.Tracker3.Endpoint interface=org.freedesktop.Tracker3.Endpoint
member=Query member=Query
peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"), peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner),
include if exists <abstractions/bus/org.freedesktop.Tracker3.Miner.Files.d> include if exists <abstractions/bus/org.freedesktop.Tracker3.Miner.Files.d>

22
apparmor.d/abstractions/bus/org.freedesktop.UDisks2
View file

@ -4,13 +4,16 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.UDisks2 label=udisksd
dbus send bus=system path=/org/freedesktop/UDisks2 dbus send bus=system path=/org/freedesktop/UDisks2
interface=org.freedesktop.DBus.ObjectManager interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects member=GetManagedObjects
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus send bus=system path=/org/freedesktop/UDisks2/**
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus send bus=system path=/ dbus send bus=system path=/
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable
member=Introspect member=Introspect
@ -26,6 +29,16 @@
member=Introspect member=Introspect
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*}
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus receive bus=system path=/org/freedesktop/UDisks2 dbus receive bus=system path=/org/freedesktop/UDisks2
interface=org.freedesktop.DBus.ObjectManager interface=org.freedesktop.DBus.ObjectManager
member=InterfacesAdded member=InterfacesAdded
@ -36,6 +49,11 @@
member=Completed member=Completed
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus receive bus=system path=/org/freedesktop/UDisks2/block_devices/*
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
include if exists <abstractions/bus/org.freedesktop.UDisks2.d> include if exists <abstractions/bus/org.freedesktop.UDisks2.d>
# vim:syntax=apparmor # vim:syntax=apparmor

48
apparmor.d/abstractions/bus/org.freedesktop.UPower Normal file
View file

@ -0,0 +1,48 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=EnumerateDevices
peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
dbus send bus=system path=/org/freedesktop/UPower{,/**}
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
dbus send bus=system path=/org/freedesktop/UPower{,/**}
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name=org.freedesktop.UPower, label=upowerd),
dbus send bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.DBus.Properties
member=GetDisplayDevice
peer=(name=org.freedesktop.UPower, label=upowerd),
dbus send bus=system path=/org/freedesktop/UPower/devices/*
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
dbus send bus=system path=/org/freedesktop/UPower{,/**}
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
dbus receive bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=DeviceAdded
peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
dbus receive bus=system path=/org/freedesktop/UPower/devices/*
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
include if exists <abstractions/bus/org.freedesktop.UPower.d>
# vim:syntax=apparmor

11
apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles
View file

@ -1,11 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon}
include if exists <abstractions/bus/org.freedesktop.UPower.PowerProfiles.d>
# vim:syntax=apparmor

10
apparmor.d/abstractions/bus/org.freedesktop.background.Monitor
View file

@ -4,7 +4,15 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=session name=org.freedesktop.background.Monitor label=xdg-desktop-portal dbus send bus=session path=/org/freedesktop/background/monitor
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/background/monitor
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="@{busname}", label=xdg-desktop-portal),
include if exists <abstractions/bus/org.freedesktop.background.Monitor.d> include if exists <abstractions/bus/org.freedesktop.background.Monitor.d>

12
apparmor.d/abstractions/bus/org.freedesktop.hostname1
View file

@ -4,13 +4,21 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed),
dbus send bus=system path=/org/freedesktop/hostname1 dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=Get member={Get,GetAll}
peer=(name=org.freedesktop.hostname1), peer=(name=org.freedesktop.hostname1),
dbus receive bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed),
include if exists <abstractions/bus/org.freedesktop.hostname1.d> include if exists <abstractions/bus/org.freedesktop.hostname1.d>
# vim:syntax=apparmor # vim:syntax=apparmor

10
apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore
View file

@ -4,18 +4,16 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=xdg-permission-store),
dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
interface=org.freedesktop.impl.portal.PermissionStore interface=org.freedesktop.impl.portal.PermissionStore
member=Lookup member=Lookup
peer=(name="@{busname}", label=xdg-permission-store), peer=(name="@{busname}", label=xdg-permission-store),
dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
interface=org.freedesktop.impl.portal.PermissionStore
member=Lookup
peer=(name=org.freedesktop.impl.portal.PermissionStore, label=xdg-permission-store),
include if exists <abstractions/bus/org.freedesktop.impl.portal.PermissionStore.d> include if exists <abstractions/bus/org.freedesktop.impl.portal.PermissionStore.d>
# vim:syntax=apparmor # vim:syntax=apparmor

6
apparmor.d/abstractions/bus/system/org.freedesktop.locale1 → apparmor.d/abstractions/bus/org.freedesktop.locale1
View file

@ -4,11 +4,15 @@
abi <abi/4.0>, abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/locale1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=systemd-localed),
dbus send bus=system path=/org/freedesktop/locale1 dbus send bus=system path=/org/freedesktop/locale1
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll member=GetAll
peer=(name=org.freedesktop.locale1), peer=(name=org.freedesktop.locale1),
include if exists <abstractions/bus/system/org.freedesktop.locale1.d> include if exists <abstractions/bus/org.freedesktop.locale1.d>
# vim:syntax=apparmor # vim:syntax=apparmor

23
apparmor.d/abstractions/bus/org.freedesktop.login1
View file

@ -4,22 +4,35 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus receive bus=system path=/org/freedesktop/login1
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1 dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager interface=org.freedesktop.login1.Manager
member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID} member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID}
peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus receive bus=system path=/org/freedesktop/login1 dbus receive bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager interface=org.freedesktop.login1.Manager
member={SessionNew,SessionRemoved,UserNew,UserRemoved,SeatNew,PrepareFor*} member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareFor*}
peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1/session/* dbus send bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.login1.Session interface=org.freedesktop.login1.Session
member=PauseDeviceComplete member=PauseDeviceComplete
peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), peer=(name=org.freedesktop.login1, label=systemd-logind),
include if exists <abstractions/bus/org.freedesktop.login1.d> include if exists <abstractions/bus/org.freedesktop.login1.d>

28
apparmor.d/abstractions/bus/org.freedesktop.login1.Session
View file

@ -4,22 +4,40 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
dbus send bus=system path=/org/freedesktop/login1 dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager interface=org.freedesktop.login1.Manager
member=GetSession member=GetSession
peer=(name="@{busname}", label="@{p_systemd_logind}"), peer=(name="@{busname}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1{,session/*,seat/*}
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="@{busname}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1/session/* dbus send bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.login1.Session interface=org.freedesktop.login1.Session
member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint} member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint}
peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1/seat/*
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus receive bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="@{busname}", label=systemd-logind),
dbus receive bus=system path=/org/freedesktop/login1/session/* dbus receive bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.login1.Session interface=org.freedesktop.login1.Session
member={PauseDevice,Unlock} member={PauseDevice,Unlock}
peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
include if exists <abstractions/bus/org.freedesktop.login1.Session.d> include if exists <abstractions/bus/org.freedesktop.login1.Session.d>

5
apparmor.d/abstractions/bus/org.freedesktop.network1
View file

@ -4,7 +4,10 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" dbus send bus=system path=/org/freedesktop/network1
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.network1, label=systemd-networkd),
include if exists <abstractions/bus/org.freedesktop.network1.d> include if exists <abstractions/bus/org.freedesktop.network1.d>

39
apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop
View file

@ -4,57 +4,30 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal
dbus send bus=session path=/org/freedesktop/portal/desktop dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=Read member={Get,GetAll,Read}
peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal), peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=@{busname}, label=xdg-desktop-portal),
dbus send bus=session path=/org/freedesktop/portal/desktop dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Settings interface=org.freedesktop.portal.Settings
member={Read,ReadAll} member={Read,ReadAll}
peer=(name=@{busname}, label=xdg-desktop-portal), peer=(name="@{busname}", label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Settings interface=org.freedesktop.portal.Settings
member=SettingChanged member=SettingChanged
peer=(name=@{busname}, label=xdg-desktop-portal), peer=(name="@{busname}", label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop{,/**} dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member={Get,GetAll} member={Get,GetAll}
peer=(name=@{busname}, label=xdg-desktop-portal), peer=(name="@{busname}", label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.impl.portal.Settings interface=org.freedesktop.impl.portal.Settings
member={Read,ReadAll} member={Read,ReadAll}
peer=(name=@{busname}, label=xdg-desktop-portal), peer=(name="@{busname}", label=xdg-desktop-portal),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.host.portal.Registry
member=Register
peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop/**
interface=org.freedesktop.portal.Request
member=Response
peer=(name=@{busname}, label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Inhibit
member={StateChanged,CreateMonitor}
peer=(name=@{busname}, label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop/session/**
interface=org.freedesktop.impl.portal.Session
member=Close
peer=(name=@{busname}, label=xdg-desktop-portal),
include if exists <abstractions/bus/org.freedesktop.portal.Desktop.d> include if exists <abstractions/bus/org.freedesktop.portal.Desktop.d>

14
apparmor.d/abstractions/bus/org.freedesktop.resolve1 Normal file
View file

@ -0,0 +1,14 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=system path=/org/freedesktop/resolve1
interface=org.freedesktop.resolve1.Manager
member={SetLink*,ResolveHostname}
peer=(name="{@{busname},org.freedesktop.resolve1}", label=systemd-resolved),
include if exists <abstractions/bus/org.freedesktop.resolve1.d>
# vim:syntax=apparmor

14
apparmor.d/abstractions/bus/org.freedesktop.secrets
View file

@ -4,12 +4,15 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=session name=org.freedesktop.secrets label=gnome-keyring-daemon dbus send bus=session path=/org/freedesktop/secrets{,/**}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=gnome-keyring-daemon),
dbus send bus=session path=/org/freedesktop/secrets dbus send bus=session path=/org/freedesktop/secrets
interface=org.freedesktop.Secret.Service interface=org.freedesktop.Secret.Service
member={OpenSession,GetSecrets,SearchItems,Unlock,ReadAlias} member={OpenSession,GetSecrets,SearchItems,ReadAlias}
peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), peer=(name="@{busname}", label=gnome-keyring-daemon),
dbus send bus=session path=/org/freedesktop/secrets/aliases/default dbus send bus=session path=/org/freedesktop/secrets/aliases/default
interface=org.freedesktop.Secret.Collection interface=org.freedesktop.Secret.Collection
@ -21,6 +24,11 @@
member=ItemCreated member=ItemCreated
peer=(name="@{busname}", label=gnome-keyring-daemon), peer=(name="@{busname}", label=gnome-keyring-daemon),
dbus receive bus=session path=/org/freedesktop/secrets/collection/login
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="@{busname}", label=gnome-keyring-daemon),
include if exists <abstractions/bus/org.freedesktop.secrets.d> include if exists <abstractions/bus/org.freedesktop.secrets.d>
# vim:syntax=apparmor # vim:syntax=apparmor

12
apparmor.d/abstractions/bus/org.freedesktop.systemd1
View file

@ -4,16 +4,14 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" dbus send bus=system path=/org/freedesktop/systemd1{,/**}
interface=org.freedesktop.DBus.Properties
dbus send bus=system path=/org/freedesktop/systemd1 member={Get,GetAll}
interface=org.freedesktop.systemd1.Manager
member={GetUnit,GetUnitByPIDFD,StartUnit,StartTransientUnit}
peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
dbus send bus=system path=/org/freedesktop/systemd1 dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager interface=org.freedesktop.systemd1.Manager
member=ListUnitsByPatterns member={GetUnit,StartUnit,StartTransientUnit}
peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
dbus send bus=session path=/org/freedesktop/systemd1 dbus send bus=session path=/org/freedesktop/systemd1

22
apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 → apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
View file

@ -4,23 +4,21 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name=org.freedesktop.systemd1),
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"),
dbus send bus=session path=/org/freedesktop/systemd1 dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager interface=org.freedesktop.systemd1.Manager
member=GetUnit member=GetUnit
peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"), peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"),
dbus send bus=session path=/org/freedesktop/systemd1/unit/app_* include if exists <abstractions/bus/org.freedesktop.systemd1-session.d>
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=StartTransientUnit
peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),
include if exists <abstractions/bus/session/org.freedesktop.systemd1.d>
# vim:syntax=apparmor # vim:syntax=apparmor

16
apparmor.d/abstractions/bus/org.freedesktop.timedate1
View file

@ -4,7 +4,21 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=system name=org.freedesktop.timedate1 label="@{p_systemd_timedated}" dbus send bus=system path=/org/freedesktop/timedate1
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.timedate1, label=systemd-timedated),
# FIXME: should be under the systemd-timedated label
dbus send bus=system path=/org/freedesktop/timedate1
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.timedate1, label=unconfined),
dbus send bus=system path=/org/freedesktop/timedate1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=systemd-timedated),
include if exists <abstractions/bus/org.freedesktop.timedate1.d> include if exists <abstractions/bus/org.freedesktop.timedate1.d>

9
apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 → apparmor.d/abstractions/bus/org.gnome.ArchiveManager1
View file

@ -4,13 +4,16 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=session name=org.gnome.ArchiveManager1 label="@{p_file_roller}" dbus send bus=session path=/org/gnome/ArchiveManager1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=file-roller),
dbus send bus=session path=/org/gnome/ArchiveManager1 dbus send bus=session path=/org/gnome/ArchiveManager1
interface=org.gnome.ArchiveManager1 interface=org.gnome.ArchiveManager1
member=GetSupportedTypes member=GetSupportedTypes
peer=(name="@{busname}", label="@{p_file_roller}"), peer=(name="@{busname}", label=file-roller),
include if exists <abstractions/bus/session/org.gnome.ArchiveManager1.d> include if exists <abstractions/bus/org.gnome.ArchiveManager1.d>
# vim:syntax=apparmor # vim:syntax=apparmor

6
apparmor.d/abstractions/bus/system/org.gnome.DisplayManager → apparmor.d/abstractions/bus/org.gnome.DisplayManager
View file

@ -1,16 +1,14 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2025 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=system name=org.gnome.DisplayManager label=gdm
dbus send bus=system path=/org/gnome/DisplayManager/Manager dbus send bus=system path=/org/gnome/DisplayManager/Manager
interface=org.gnome.DisplayManager.Manager interface=org.gnome.DisplayManager.Manager
member=RegisterDisplay member=RegisterDisplay
peer=(name="@{busname}", label=gdm), peer=(name="@{busname}", label=gdm),
include if exists <abstractions/bus/system/org.gnome.DisplayManager.d> include if exists <abstractions/bus/org.gnome.DisplayManager.d>
# vim:syntax=apparmor # vim:syntax=apparmor

12
apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig
View file

@ -4,8 +4,6 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell
dbus send bus=session path=/org/gnome/Mutter/DisplayConfig dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
interface=org.gnome.Mutter.DisplayConfig interface=org.gnome.Mutter.DisplayConfig
member={GetResources,GetCrtcGamma} member={GetResources,GetCrtcGamma}
@ -16,6 +14,16 @@
member=GetCurrentState member=GetCurrentState
peer=(name="{@{busname},org.gnome.Mutter.DisplayConfig}", label=gnome-shell), peer=(name="{@{busname},org.gnome.Mutter.DisplayConfig}", label=gnome-shell),
dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
peer=(name="@{busname}", label=gnome-shell),
dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="@{busname}", label=gnome-shell),
dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig
interface=org.gnome.Mutter.DisplayConfig interface=org.gnome.Mutter.DisplayConfig
member=MonitorsChanged member=MonitorsChanged

6
apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor
View file

@ -4,8 +4,6 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=session name=org.gnome.Mutter.IdleMonitor label=gnome-shell
dbus send bus=session path=/org/gnome/Mutter/IdleMonitor dbus send bus=session path=/org/gnome/Mutter/IdleMonitor
interface=org.freedesktop.DBus.ObjectManager interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects member=GetManagedObjects
@ -13,8 +11,8 @@
dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core
interface=org.gnome.Mutter.IdleMonitor interface=org.gnome.Mutter.IdleMonitor
member={AddIdleWatch,AddUserActiveWatch,RemoveWatch,GetIdletime} member={AddIdleWatch,AddUserActiveWatch,RemoveWatch}
peer=(name="{@{busname},org.gnome.Mutter.IdleMonitor}", label=gnome-shell), peer=(name="@{busname}", label=gnome-shell),
dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core
interface=org.gnome.Mutter.IdleMonitor interface=org.gnome.Mutter.IdleMonitor

24
apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 Normal file
View file

@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/gnome/Nautilus/FileOperations2
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=nautilus),
dbus send bus=session path=/org/gnome/Nautilus/FileOperations2
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name="@{busname}", label=nautilus),
dbus receive bus=session path=/org/gnome/Nautilus/FileOperations2
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="@{busname}", label=nautilus),
include if exists <abstractions/bus/org.gnome.Nautilus.FileOperations2.d>
# vim:syntax=apparmor

24
apparmor.d/abstractions/bus/org.gnome.ScreenSaver Normal file
View file

@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/gnome/ScreenSaver
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=gjs-console),
dbus send bus=session path=/org/gnome/ScreenSaver
interface=org.gnome.ScreenSaver
member=GetActive
peer=(name="@{busname}", label=gjs-console),
dbus receive bus=session path=/org/gnome/ScreenSaver
interface=org.gnome.ScreenSaver
member={ActiveChanged,WakeUpScreen}
peer=(name="@{busname}", label=gjs-console),
include if exists <abstractions/bus/org.gnome.ScreenSaver.d>
# vim:syntax=apparmor

66
apparmor.d/abstractions/bus/org.gnome.SessionManager Normal file
View file

@ -0,0 +1,66 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# FIXME: Too large, restrict it.
abi <abi/4.0>,
dbus send bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member={RegisterClient,IsSessionRunning}
peer=(name="@{busname}", label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member={Setenv,IsSessionRunning}
peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded}
peer=(name="@{busname}", label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="@{busname}", label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
interface=org.gnome.SessionManager.ClientPrivate
member=EndSessionResponse
peer=(name="@{busname}", label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager/Client@{int}
interface=org.gnome.SessionManager.ClientPrivate
member={CancelEndSession,QueryEndSession,EndSession,Stop}
peer=(name="@{busname}", label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager/Client@{int}
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="@{busname}", label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager/Presence
interface=org.gnome.SessionManager.Presence
member=StatusChanged
peer=(name="@{busname}", label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
include if exists <abstractions/bus/org.gnome.SessionManager.d>
# vim:syntax=apparmor

15
apparmor.d/abstractions/bus/org.gnome.Shell.Introspect
View file

@ -4,7 +4,15 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=session name=org.gnome.Shell.Introspect label=gnome-shell dbus send bus=session path=/org/gnome/Shell/Introspect
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=gnome-shell),
dbus send bus=session path=/org/gnome/Shell/Introspect
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.gnome.Shell.Introspect, label=gnome-shell),
dbus send bus=session path=/org/gnome/Shell/Introspect dbus send bus=session path=/org/gnome/Shell/Introspect
interface=org.gnome.Shell.Introspect interface=org.gnome.Shell.Introspect
@ -16,6 +24,11 @@
member={RunningApplicationsChanged,WindowsChanged} member={RunningApplicationsChanged,WindowsChanged}
peer=(name="@{busname}", label=gnome-shell), peer=(name="@{busname}", label=gnome-shell),
dbus receive bus=session path=/org/gnome/Shell/Introspect
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="@{busname}", label=gnome-shell),
include if exists <abstractions/bus/org.gnome.Shell.Introspect.d> include if exists <abstractions/bus/org.gnome.Shell.Introspect.d>
# vim:syntax=apparmor # vim:syntax=apparmor

22
apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2
View file

@ -1,22 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
#aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell
dbus receive bus=session path=/org/gnome/Characters/SearchProvider
interface=org.gnome.Shell.SearchProvider2
member={GetInitialResultSet,GetSubsearchResultSet,GetResultMetas}
peer=(name=@{busname}, label=gnome-shell),
dbus receive bus=session path=/org/gnome/Characters/SearchProvider
interface=org.gnome.Shell.SearchProvider2
member=*Cancel
peer=(name=@{busname}, label=gnome-shell),
include if exists <abstractions/bus/org.gnome.Shell.SearchProvider2.d>
# vim:syntax=apparmor

28
apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter
View file

@ -1,28 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allow accessing the GNOME crypto services prompt APIs as used by
# applications using libgcr (such as pinentry-gnome3) for secure pin
# entry to unlock GPG keys etc. See:
# https://developer.gnome.org/gcr/unstable/GcrPrompt.html
# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html
# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711
abi <abi/4.0>,
unix type=stream peer=(label=gnome-keyring-daemon),
dbus send bus=session path=/org/gnome/keyring/Prompter
interface=org.gnome.keyring.internal.Prompter
member={BeginPrompting,PerformPrompt,StopPrompting}
peer=(name=@{busname}, label=pinentry-*),
dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int}
interface=org.gnome.keyring.internal.Prompter.Callback
member={PromptReady,PromptDone}
peer=(name=@{busname}, label=pinentry-*),
include if exists <abstractions/bus/org.gnome.keyring.internal.Prompter.d>
# vim:syntax=apparmor

2
apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor → apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor
View file

@ -19,6 +19,6 @@
member={VolumeAdded,DriveDisconnected,DriveConnected,DriveChanged} member={VolumeAdded,DriveDisconnected,DriveConnected,DriveChanged}
peer=(name="@{busname}", label=gvfs-*-volume-monitor), peer=(name="@{busname}", label=gvfs-*-volume-monitor),
include if exists <abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor.d> include if exists <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor.d>
# vim:syntax=apparmor # vim:syntax=apparmor

14
apparmor.d/abstractions/bus/org.gtk.vfs.Daemon Normal file
View file

@ -0,0 +1,14 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/gtk/vfs/Daemon
interface=org.gtk.vfs.Daemon
member={GetConnection,ListMonitorImplementations,ListMountableInfo}
peer=(name="@{busname}", label=gvfsd),
include if exists <abstractions/bus/org.gtk.vfs.Daemon.d>
# vim:syntax=apparmor

19
apparmor.d/abstractions/bus/org.gtk.vfs.Metadata Normal file
View file

@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/gtk/vfs/metadata
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name="@{busname}", label=gvfsd-metadata),
dbus receive bus=session path=/org/gtk/vfs/metadata
interface=org.gtk.vfs.Metadata
member=AttributeChanged
peer=(name="@{busname}", label=gvfsd-metadata),
include if exists <abstractions/bus/org.gtk.vfs.Metadata.d>
# vim:syntax=apparmor

13
apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker → apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker
View file

@ -2,13 +2,11 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# The mount tracking interface.
abi <abi/4.0>, abi <abi/4.0>,
dbus send bus=session path=/org/gtk/vfs/mounttracker dbus send bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker interface=org.gtk.vfs.MountTracker
member=LookupMount member=ListMountableInfo
peer=(name="@{busname}", label=gvfsd), peer=(name="@{busname}", label=gvfsd),
dbus send bus=session path=/org/gtk/vfs/mounttracker dbus send bus=session path=/org/gtk/vfs/mounttracker
@ -16,16 +14,11 @@
member=ListMounts2 member=ListMounts2
peer=(name="@{busname}", label=gvfsd), peer=(name="@{busname}", label=gvfsd),
dbus send bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=ListMountableInfo
peer=(name="@{busname}", label=gvfsd),
dbus receive bus=session path=/org/gtk/vfs/mounttracker dbus receive bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker interface=org.gtk.vfs.MountTracker
member={Mounted,Unmounted} member=Mounted
peer=(name="@{busname}", label=gvfsd), peer=(name="@{busname}", label=gvfsd),
include if exists <abstractions/bus/session/org.gtk.vfs.MountTracker.d> include if exists <abstractions/bus/org.gtk.vfs.MountTracker.d>
# vim:syntax=apparmor # vim:syntax=apparmor

4
apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 → apparmor.d/abstractions/bus/org.kde.StatusNotifierItem
View file

@ -4,8 +4,6 @@
abi <abi/4.0>, abi <abi/4.0>,
#aa:dbus common bus=session name=org.gnome.Nautilus.FileOperations2 label=nautilus include if exists <abstractions/bus/org.kde.StatusNotifierItem.d>
include if exists <abstractions/bus/session/org.gnome.Nautilus.FileOperations2.d>
# vim:syntax=apparmor # vim:syntax=apparmor

42
apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
View file

@ -2,52 +2,22 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# Allow to display Status Notifier Items in the KDE Plasma systray
abi <abi/4.0>, abi <abi/4.0>,
#aa-dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell
dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
dbus send bus=session path=/StatusNotifierWatcher dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=Get member=Get
peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
dbus receive bus=session path=/StatusNotifierItem
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label="@{pp_app_indicator}"),
dbus send bus=session path=/{StatusNotifierItem/menu,org/ayatana/NotificationItem/*/Menu}
interface=com.canonical.dbusmenu
member={LayoutUpdated,ItemsPropertiesUpdated}
peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
dbus receive bus=session path=/{StatusNotifierItem,StatusNotifierItem/menu,org/ayatana/NotificationItem/**}
interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu}
member={Get*,AboutTo*,Event*}
peer=(label="@{pp_app_indicator}"),
dbus send bus=session path=/StatusNotifierWatcher dbus send bus=session path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierWatcher interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem member=RegisterStatusNotifierItem
peer=(label="@{pp_app_indicator}"), peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell),
dbus receive bus=session path=/StatusNotifierItem dbus send bus=session path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierItem interface=org.freedesktop.DBus.Introspectable
member={ProvideXdgActivationToken,Activate} member=Introspect
peer=(label="@{pp_app_indicator}"), peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
dbus receive bus=session path=/MenuBar
interface=com.canonical.dbusmenu
member={AboutToShow,GetLayout,Event}
peer=(label="@{pp_app_indicator}"),
include if exists <abstractions/bus/org.kde.StatusNotifierWatcher.d> include if exists <abstractions/bus/org.kde.StatusNotifierWatcher.d>

4
apparmor.d/abstractions/bus/session/org.kde.kwalletd → apparmor.d/abstractions/bus/org.kde.kwalletd
View file

@ -1,9 +1,9 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>, abi <abi/4.0>,
include if exists <abstractions/bus/session/org.kde.kwalletd.d> include if exists <abstractions/bus/org.kde.kwalletd.d>
# vim:syntax=apparmor # vim:syntax=apparmor

21
apparmor.d/abstractions/bus/session/io.snapcraft.Launcher
View file

@ -1,21 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allow use of snapd's internal xdg-open
abi <abi/4.0>,
dbus send bus=session path=/
interface=com.canonical.SafeLauncher
member=OpenURL
peer=(name=@{busname}, label=snap),
dbus send bus=session path=/io/snapcraft/Launcher
interface=io.snapcraft.Launcher
member={OpenURL,OpenFile}
peer=(name=@{busname}, label=snap),
include if exists <abstractions/bus/session/io.snapcraft.Launcher.d>
# vim:syntax=apparmor

16
apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher
View file

@ -1,16 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Can identify and launch other snaps.
abi <abi/4.0>,
dbus send bus=session path=/io/snapcraft/PrivilegedDesktopLauncher
interface=io.snapcraft.PrivilegedDesktopLauncher
member=OpenDesktopEntry
peer=(name=io.snapcraft.Launcher, label=snap),
include if exists <abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher.d>
# vim:syntax=apparmor

16
apparmor.d/abstractions/bus/session/io.snapcraft.Settings
View file

@ -1,16 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allow use of snapd's internal 'xdg-settings'
abi <abi/4.0>,
dbus send bus=session path=/io/snapcraft/Settings
interface=io.snapcraft.Settings
member={Check,CheckSub,Get,GetSub,Set,SetSub}
peer=(name=io.snapcraft.Settings, label=snap),
include if exists <abstractions/bus/session/io.snapcraft.Settings.d>
# vim:syntax=apparmor

29
apparmor.d/abstractions/bus/session/org.a11y
View file

@ -1,29 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/a11y/bus
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=@{busname}, label="@{p_dbus_accessibility}"),
dbus send bus=session path=/org/a11y/bus
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
dbus send bus=session path=/org/a11y/bus
interface=org.a11y.Bus
member=Get
peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
dbus send bus=session path=/org/a11y/bus
interface=org.a11y.Bus
member=GetAddress
peer=(name=org.a11y.Bus),
include if exists <abstractions/bus/session/org.a11y.d>
# vim:syntax=apparmor

24
apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal
View file

@ -1,24 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allow access to the IBus portal
abi <abi/4.0>,
dbus send bus=session path=/org/freedesktop/IBus
interface=org.freedesktop.IBus.Portal
member=CreateInputContext
peer=(name=org.freedesktop.portal.IBus),
dbus send bus=session path=/org/freedesktop/IBus/InputContext_@{int}
interface=org.freedesktop.IBus.InputContext
peer=(label=ibus-daemon),
dbus receive bus=session path=/org/freedesktop/IBus/InputContext_@{int}
interface=org.freedesktop.IBus.InputContext
peer=(label=ibus-daemon),
include if exists <abstractions/bus/session/org.freedesktop.IBus.Portal.d>
# vim:syntax=apparmor

Some files were not shown because too many files have changed in this diff Show more