# apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include @{exec_path} = @{bin}/gparted profile gparted @{exec_path} { include ptrace (read), @{exec_path} r, @{bin}/ r, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/{m,g,}awk rix, @{bin}/cut rix, @{bin}/id rix, @{bin}/ls rix, @{bin}/mkdir rix, @{bin}/pidof rix, @{bin}/rm rix, @{bin}/sed rix, @{bin}/touch rix, @{bin}/gpartedbin rPx, @{lib}/gparted/gpartedbin rPx, @{lib}/gpartedbin rPx, @{lib}/{,udisks2/}udisks2-inhibit rix, @{run}/udev/rules.d/ rw, @{run}/udev/rules.d/90-udisks-inhibit.rules rw, @{bin}/udevadm rCx -> udevadm, @{bin}/killall5 rCx -> killall, @{bin}/ps rPx, @{bin}/xhost rPx, @{bin}/pkexec rPx, @{bin}/systemctl rPx -> child-systemctl, # For shell pwd / r, /root/ r, /usr/local/bin/ r, /usr/local/sbin/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, # file_inherit owner /dev/tty@{int} rw, profile udevadm { include ptrace (read), @{bin}/udevadm mr, /etc/udev/udev.conf r, owner @{PROC}/@{pid}/stat r, @{PROC}/cmdline r, @{PROC}/1/sched r, @{PROC}/1/environ r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/random/boot_id r, @{sys}/** r, @{sys}/devices/virtual/block/**/uevent rw, @{sys}/devices/@{pci}/block/**/uevent rw, @{run}/udev/data/* r, } profile killall flags=(attach_disconnected) { include include capability sys_ptrace, signal (send) set=(int, term, kill), ptrace (read), @{bin}/killall5 mr, # The /proc/ dir is needed to avoid the following error: # /proc: Permission denied @{PROC}/ r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/cmdline r, } include if exists }