feat(profile): general update.
roddhjav committed Dec 19, 2023
1 parent ef1776b commit 6a81d33
Showing 10 changed files with 19 additions and 45 deletions.
10 changes: 2 additions & 8 deletions apparmor.d/abstractions/bwrap-app
Expand Up @@ -12,22 +12,16 @@
include <abstractions/consoles>
include <abstractions/dbus-session>
include <abstractions/deny-sensitive-home>
include <abstractions/desktop>
include <abstractions/devices-usb>
include <abstractions/disks-read>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/gnome-strict>
include <abstractions/graphics>
include <abstractions/gstreamer>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/opencl-intel>
include <abstractions/opencl-mesa>
include <abstractions/opencl-nvidia>
include <abstractions/openssl>
include <abstractions/p11-kit>
include <abstractions/ssl_certs>
include <abstractions/video>
include <abstractions/vulkan>

/usr/** r,

20 changes: 3 additions & 17 deletions apparmor.d/abstractions/chromium
Expand Up @@ -16,20 +16,15 @@

include <abstractions/audio>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/devices-usb>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/graphics-full>
include <abstractions/nameservice-strict>
include <abstractions/opencl>
include <abstractions/ssl_certs>
include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict>
include <abstractions/user-read>
include <abstractions/vulkan>
include <abstractions/wayland>

# userns,

Expand Down Expand Up @@ -97,15 +92,13 @@
/usr/share/chromium/extensions/{,**} r,
/usr/share/egl/{,**} r,
/usr/share/hwdata/pnp.ids r,
/usr/share/libdrm/*.ids r,
/usr/share/mozilla/extensions/{,**} r,
/usr/share/qt{5,}/translations/*.qm r,
/usr/share/webext/{,**} r,

/etc/@{name}/{,**} r,
/etc/fstab r,
/etc/igfx_user_feature{,_next}.txt w,
/etc/libva.conf r,
/etc/opensc.conf r,

/var/lib/dbus/machine-id r,
Expand All @@ -119,10 +112,7 @@
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,

owner @{user_cache_dirs}/ rw,
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/gtk-3.0/servers r,
owner @{user_share_dirs}/ r,
owner @{user_share_dirs}/.@{domain}.* rw,

owner @{config_dirs}/ rw,
Expand Down Expand Up @@ -182,20 +172,16 @@

@{sys}/bus/ r,
@{sys}/bus/**/devices/ r,
@{sys}/class/ r,
@{sys}/class/**/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r,
@{sys}/devices/@{pci}/boot_vga r,
@{sys}/devices/@{pci}/{resource,irq} r,
@{sys}/devices/@{pci}/report_descriptor r,
@{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r,
@{sys}/devices/system/cpu/kernel_max r,
@{sys}/devices/system/cpu/present r,
@{sys}/devices/virtual/**/report_descriptor r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/tty/tty[0-9]/active r,
@{sys}/devices/virtual/tty/tty@{int}/active r,

/dev/ r,
/dev/hidraw@{int} rw,
2 changes: 1 addition & 1 deletion apparmor.d/abstractions/gstreamer
Expand Up @@ -27,7 +27,7 @@
#owner /tmp/orcexec.* mrw,
#owner @{HOME}/orcexec.* mrw,

@{run}/udev/data/+drm:card[0-9]-* r, # For screen outputs
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/+usb:* r, # For /dev/bus/usb/**

@{run}/udev/data/c81:@{int} r, # For video4linux
1 change: 0 additions & 1 deletion apparmor.d/abstractions/user-download-strict
Expand Up @@ -5,7 +5,6 @@

abi <abi/3.0>,

# new user; change to 'c'
owner @{HOME}/@{XDG_DESKTOP_DIR}/ w,
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ w,

10 changes: 2 additions & 8 deletions apparmor.d/groups/_full/default
Expand Up @@ -16,20 +16,14 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/consoles>
include <abstractions/dbus-session>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/devices-usb>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/gnome-strict>
include <abstractions/mesa>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/opencl-intel>
include <abstractions/opencl-mesa>
include <abstractions/opencl-nvidia>
include <abstractions/openssl>
include <abstractions/p11-kit>
include <abstractions/ssl_certs>
include <abstractions/video>
include <abstractions/vulkan>
include <abstractions/zsh>

capability dac_override,
3 changes: 1 addition & 2 deletions apparmor.d/groups/freedesktop/xdg-user-dirs-update
Expand Up @@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/xdg-user-dirs-update
profile xdg-user-dirs-update @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-desktop>

@{exec_path} mr,

Expand Down Expand Up @@ -39,7 +40,6 @@ profile xdg-user-dirs-update @{exec_path} {
/var/lib/sddm/@{XDG_TEMPLATES_DIR}/ rw,
/var/lib/sddm/@{XDG_VIDEOS_DIR}/ rw,

# new user; change to 'c'


nobody43 Jan 16, 2024


But how do we track these lines once 'c' is implemented?


roddhjav Jan 18, 2024


This is the purpose of abstractions/xdg-desktop; it will be changed here (if this feature gets added).

owner @{HOME}/@{XDG_DESKTOP_DIR}/ w,
owner @{HOME}/@{XDG_DOCUMENTS_DIR}/ w,
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ w,
Expand All @@ -48,7 +48,6 @@ profile xdg-user-dirs-update @{exec_path} {
owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/ w,
owner @{HOME}/@{XDG_TEMPLATES_DIR}/ w,
owner @{HOME}/@{XDG_VIDEOS_DIR}/ w,
owner @{user_config_dirs}/ w,

owner @{user_config_dirs}/user-dirs.dirs rw,
owner @{user_config_dirs}/user-dirs.dirs@{rand6} rw,
3 changes: 2 additions & 1 deletion apparmor.d/groups/gnome/gnome-music
Expand Up @@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>

@{exec_path} = @{bin}/gnome-music
profile gnome-music @{exec_path} {
profile gnome-music @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/dconf-write>
Expand Down Expand Up @@ -48,6 +48,7 @@ profile gnome-music @{exec_path} {
@{run}/systemd/inhibit/[0-9]*.ref rw,

owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,
owner /var/tmp/etilqs_@{hex} rw,

@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
owner @{PROC}/@{pid}/cmdline r,
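Review bot: The new `flags=(attach_disconnected)` on the gnome-music profile line carries no comment saying which access it fixes; attach_disconnected makes AppArmor mediate disconnected paths as if they hung off the profile's root, so it is a deliberate relaxation worth recording, e.g. `# attach_disconnected: <TODO: name the denial that motivated it>` on the line above the profile header. The added `owner /var/tmp/etilqs_@{hex} rw,` in the second hunk is also uncommented; `etilqs_` is the prefix SQLite uses for its temporary files, so a trailing `# SQLite temporary files` would make the rule self-explaining. The profile block starts in the first hunk and continues outside both.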
6 changes: 1 addition & 5 deletions apparmor.d/groups/gnome/nautilus
Expand Up @@ -12,6 +12,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/com.canonical.Unity.LauncherEntry>
include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.hostname1>
include <abstractions/bus/org.freedesktop.portal.Desktop>
Expand Down Expand Up @@ -69,11 +70,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
member=Print
peer=(name=:*, label=nautilus),

dbus send bus=session path=/com/canonical/unity/launcherentry/@{int}
interface=com.canonical.Unity.LauncherEntry
member=Update
peer=(name=org.freedesktop.DBus, label=gnome-shell),

dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=ListActivatableNames
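Review bot: The inline `dbus send` rule removed in the second hunk pinned its peer with `peer=(name=org.freedesktop.DBus, label=gnome-shell)`, and whether the replacement `include <abstractions/bus/com.canonical.Unity.LauncherEntry>` keeps that label restriction is not visible from this page. If the abstraction's rule has no `label=` on its peer clause, nautilus may now send LauncherEntry updates to any session-bus peer, which is a small but real widening compared with the previous rule; confirm the abstraction's peer clause before merging. If it is intentionally unrestricted, note it next to the include, e.g. `# LauncherEntry via abstraction: peer label not restricted`. The nautilus profile block continues outside both hunks.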
8 changes: 6 additions & 2 deletions apparmor.d/groups/network/netplan.script
Expand Up @@ -22,9 +22,9 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {

/etc/netplan/{,*} r,

@{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} w,
@{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} rw,
@{run}/NetworkManager/system-connections/ r,
@{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} w,
@{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw,
@{run}/systemd/system/ r,
@{run}/systemd/system/netplan-* rw,
@{run}/systemd/system/systemd-networkd.service.wants/ r,
Expand All @@ -51,8 +51,12 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/systemd-common>

capability net_admin,

@{bin}/systemctl mr,

owner @{run}/systemd/private rw,

include if exists <local/netplan.script_systemctl>
}

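Review bot: `capability net_admin,` is granted to the netplan.script systemctl child profile in the second hunk without a comment on which operation needs it; CAP_NET_ADMIN is a broad grant for a helper whose only executable is `@{bin}/systemctl`, and it is not obvious from the hunk why talking to systemd over `@{run}/systemd/private` would require it. If it was added from an audit denial, record that so the grant can be revisited, e.g. `capability net_admin, # TODO: confirm which systemctl action triggers this denial`; if the denial actually came from the parent netplan.script profile, the capability belongs there rather than in the child. The child profile's header is outside the hunk, so its transition mode and name cannot be checked here. The same undocumented `capability net_admin,` is added in apparmor.d/profiles-g-l/irqbalance, where a note tying it to the existing `network netlink raw,` rule would serve the same purpose.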
1 change: 1 addition & 0 deletions apparmor.d/profiles-g-l/irqbalance
Expand Up @@ -10,6 +10,7 @@ include <tunables/global>
profile irqbalance @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>

capability net_admin,
capability setpcap,

network netlink raw,
