43 lines
1.1 KiB
Text
43 lines
1.1 KiB
Text
# Apparmor 4.0 and over ships a few profiles that can conflict with apparmor.d
|
|
# This file keeps track of them and allow apparmor.d to replace them by our own.
|
|
# File format: one profile name by line.
|
|
|
|
# Overwrite unconfined upstream profiles that only allow userns
|
|
brave
|
|
chrome
|
|
chromium
|
|
element-desktop
|
|
epiphany
|
|
firefox
|
|
flatpak
|
|
foliate
|
|
loupe
|
|
msedge
|
|
mullvad
|
|
nautilus
|
|
opera
|
|
os-prober
|
|
plasmashell
|
|
signal-desktop
|
|
slirp4netns
|
|
systemd-coredump
|
|
thunderbird
|
|
virtiofsd
|
|
|
|
# Overwrite upstreamed profiles, our local version may be more up to date
|
|
unix-chkpwd
|
|
|
|
# Overwrite some profiles recently added in apparmor while being already present in apparmor.d for a while
|
|
# They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones:
|
|
# - Keep ours: If they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile
|
|
# - Drop ours: when upstream profiles is better
|
|
fusermount3
|
|
lsblk
|
|
lsusb
|
|
openvpn
|
|
remmina
|
|
transmission
|
|
wg-quick
|
|
systemd-detect-virt # Missing integration with @{p_systemd}
|
|
hostname # Has @{bin} denied in header, would conflict with apparmor.d's @{bin} tunables
|
|
|