felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
apparmor.d/apparmor.d/groups/_full/default
Alexandre Pujol 7d3d01ac01
fix(fsp): conflicting x modifiers
2024-01-25 21:18:09 +00:00

128 lines
3.5 KiB
Text
Raw Blame History

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Default profile for unconfined programs
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /**
profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/bash>
include <abstractions/consoles>
include <abstractions/dbus-session>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/devices-usb>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/p11-kit>
include <abstractions/ssl_certs>
include <abstractions/video>
include <abstractions/zsh>
capability dac_override,
capability dac_read_search,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
signal (receive) set=(hup),
@{bin}/bwrap rPx -> bwrap,
@{bin}/pipewire-pulse rPx -> systemd//&pipewire-pulse,
@{bin}/pulseaudio rPx -> systemd//&pulseaudio,
@{bin}/su rPx -> default-sudo,
@{bin}/sudo rPx -> default-sudo,
@{bin}/systemctl rix,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
# @{open_path} rPx -> child-open,
audit @{bin}/** Pix,
audit @{lib}/** Pix,
audit /opt/*/** Pix,
audit /usr/share/*/* Pix,
@{bin}/{,**} r,
@{lib}/{,**} r,
/usr/share/** r,
/etc/xdg/** r,
# Full access to user's data
/ r,
/*/ r,
@{MOUNTDIRS}/ r,
@{MOUNTS}/ r,
@{MOUNTS}/** rwl,
owner @{HOME}/{,**} rwlk,
owner @{run}/user/@{uid}/{,**} rw,
owner @{user_config_dirs}/** rwkl,
owner @{user_share_dirs}/** rwkl,
owner /tmp/{,**} rwk,
owner @{run}/user/@{uid}/{,**} rw,
@{run}/systemd/userdb/ r,
@{run}/motd.dynamic.new rw,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{sys}/ r,
@{sys}/bus/ r,
@{sys}/bus/pci/devices/ r,
@{sys}/class/ r,
@{sys}/class/drm/ r,
@{sys}/class/hidraw/ r,
@{sys}/class/input/ r,
@{sys}/class/power_supply/ r,
@{sys}/devices/**/input@{int}/ r,
@{sys}/devices/**/input@{int}/capabilities/* r,
@{sys}/devices/**/input/input@{int}/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/virtual/dmi/id/chassis_type r,
@{sys}/firmware/acpi/pm_profile r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sys/kernel/seccomp/actions_avail r,
@{PROC}/zoneinfo r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/limits r,
owner @{PROC}/@{pid}/loginuid r,
owner @{PROC}/@{pid}/mem r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pids}/cmdline r,
owner @{PROC}/@{pids}/environ r,
owner @{PROC}/@{pids}/task/ r,
/dev/ r,
/dev/ptmx rwk,
/dev/tty rwk,
owner /dev/tty@{int} rw,
include if exists <usr/default.d>
include if exists <local/default>
}
Reference in a new issue View git blame Copy permalink