feat(profile): unify udev char dynamic assignment ranges.
roddhjav committed Dec 17, 2023
1 parent ceb4c58 commit e1a30cb
Showing 19 changed files with 23 additions and 86 deletions.
4 changes: 1 addition & 3 deletions apparmor.d/groups/freedesktop/iio-sensor-proxy
Expand Up @@ -19,9 +19,7 @@ profile iio-sensor-proxy @{exec_path} {
@{run}/udev/data/+platform:* r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/c13:@{int} r, # For /dev/input/*
@{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
@{run}/udev/data/c4[0-9]*:@{int} r,
@{run}/udev/data/c5[0-9]*:@{int} r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511

@{sys}/bus/ r,
@{sys}/bus/iio/devices/ r,
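Review bot: The replaced globs `c3[0-9]*`, `c4[0-9]*` and `c5[0-9]*` matched much more than the 384 to 511 range their comment claimed (with `[0-9]*` they also cover majors 30–39, 300–383, 50–59, 512–599 and anything else starting with those digits), so swapping them for `c@{dynamic}` narrows what these profiles may read, which the title "unify" does not convey. That narrowing is the right direction, but any profile that was in practice served by the over-broad match would now produce a denial in the audit log, so it is worth saying so in the commit message to make a later regression easy to trace. The same replacement appears in the pipewire, gnome-control-center, org.gnome.NautilusPreviewer, tracker-extract, systemd-journald, systemd-logind, libvirtd, virtnodedevd, virt-manager and wireplumber sections. The enclosing profile block starts and ends outside the hunk.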
7 changes: 1 addition & 6 deletions apparmor.d/groups/freedesktop/pipewire
Expand Up @@ -58,12 +58,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk,

@{run}/udev/data/c81:@{int} r, # For video4linux
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
@{run}/udev/data/c24[0-9]:@{int} r,
@{run}/udev/data/c25[0-4]:@{int} r,
@{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
@{run}/udev/data/c4[0-9]*:@{int} r,
@{run}/udev/data/c5[0-9]*:@{int} r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511

@{sys}/bus/ r,
@{sys}/bus/media/devices/ r,
4 changes: 1 addition & 3 deletions apparmor.d/groups/freedesktop/pulseaudio
Expand Up @@ -102,9 +102,7 @@ profile pulseaudio @{exec_path} {

@{run}/udev/data/+pci:* r,
@{run}/udev/data/c116:@{int} r, # for ALSA
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
@{run}/udev/data/c24[0-9]:@{int} r,
@{run}/udev/data/c25[0-4]:@{int} r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511

@{sys}/devices/**/sound/**/{uevent,pcm_class} r,
@{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
7 changes: 1 addition & 6 deletions apparmor.d/groups/gnome/gnome-control-center
Expand Up @@ -130,12 +130,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+pci:* r,
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
@{run}/udev/data/c24[0-9]:@{int} r,
@{run}/udev/data/c25[0-4]:@{int} r,
@{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
@{run}/udev/data/c4[0-9]*:@{int} r,
@{run}/udev/data/c5[0-9]*:@{int} r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{run}/udev/data/n@{int} r,

@{sys}/bus/ r,
4 changes: 1 addition & 3 deletions apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
Expand Up @@ -41,9 +41,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} {

owner @{user_config_dirs}/pulse/cookie rk,

@{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
@{run}/udev/data/c4[0-9]*:@{int} r,
@{run}/udev/data/c5[0-9]*:@{int} r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511

@{sys}/devices/@{pci}/revision r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
7 changes: 1 addition & 6 deletions apparmor.d/groups/gnome/tracker-extract
Expand Up @@ -85,12 +85,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {

@{run}/blkid/blkid.tab r,

@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
@{run}/udev/data/c24[0-9]:@{int} r,
@{run}/udev/data/c25[0-4]:@{int} r,
@{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
@{run}/udev/data/c4[0-9]*:@{int} r,
@{run}/udev/data/c5[0-9]*:@{int} r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511

@{run}/mount/utab r,

7 changes: 1 addition & 6 deletions apparmor.d/groups/systemd/systemd-journald
Expand Up @@ -61,12 +61,7 @@ profile systemd-journald @{exec_path} {
@{run}/udev/data/c108:@{int} r, # For /dev/ppp
@{run}/udev/data/c18[8-9]:[0-9]* r, # USB devices & USB serial converters
@{run}/udev/data/c29:[0-9]* r, # For CD-ROM
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
@{run}/udev/data/c24[0-9]:@{int} r,
@{run}/udev/data/c25[0-4]:@{int} r,
@{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
@{run}/udev/data/c4[0-9]*:@{int} r,
@{run}/udev/data/c5[0-9]*:@{int} r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511

@{sys}/devices/**/uevent r,
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
7 changes: 1 addition & 6 deletions apparmor.d/groups/systemd/systemd-logind
Expand Up @@ -77,12 +77,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
@{run}/udev/data/c81:@{int} r, # For video4linux
@{run}/udev/data/c116:@{int} r, # For ALSA
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card*
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
@{run}/udev/data/c24[0-9]:@{int} r,
@{run}/udev/data/c25[0-4]:@{int} r,
@{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
@{run}/udev/data/c4[0-9]*:@{int} r,
@{run}/udev/data/c5[0-9]*:@{int} r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511

@{run}/systemd/inhibit/ rw,
@{run}/systemd/inhibit/.#* rw,
4 changes: 1 addition & 3 deletions apparmor.d/groups/ubuntu/subiquity-console-conf
Expand Up @@ -74,9 +74,7 @@ profile subiquity-console-conf @{exec_path} {
@{run}/udev/data/c108:@{int} r, # For /dev/ppp
@{run}/udev/data/c116:@{int} r, # For ALSA
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card*
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
@{run}/udev/data/c24[0-9]:@{int} r,
@{run}/udev/data/c25[0-4]:@{int} r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{run}/udev/data/n@{int} r,

@{sys}/**/devices/ r,
7 changes: 1 addition & 6 deletions apparmor.d/groups/virt/libvirtd
Expand Up @@ -185,12 +185,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/c202:@{int} r, # CPU model-specific registers
@{run}/udev/data/c203:@{int} r, # CPU CPUID information
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
@{run}/udev/data/c24[0-9]:@{int} r,
@{run}/udev/data/c25[0-4]:@{int} r,
@{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
@{run}/udev/data/c4[0-9]*:@{int} r,
@{run}/udev/data/c5[0-9]*:@{int} r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{run}/udev/data/n@{int} r,

@{sys}/bus/[a-z]*/devices/ r,
7 changes: 1 addition & 6 deletions apparmor.d/groups/virt/virtnodedevd
Expand Up @@ -66,12 +66,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/c116:@{int} r, # For ALSA
@{run}/udev/data/c202:@{int} r, # CPU model-specific registers
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
@{run}/udev/data/c24[0-9]:@{int} r,
@{run}/udev/data/c25[0-4]:@{int} r,
@{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
@{run}/udev/data/c4[0-9]*:@{int} r,
@{run}/udev/data/c5[0-9]*:@{int} r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{run}/udev/data/n@{int} r,

@{sys}/**/ r,
4 changes: 1 addition & 3 deletions apparmor.d/profiles-a-f/fprintd
Expand Up @@ -32,9 +32,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) {

@{run}/systemd/journal/socket rw,
@{run}/systemd/inhibit/*.ref w,
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
@{run}/udev/data/c24[0-9]:@{int} r,
@{run}/udev/data/c25[0-4]:@{int} r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511

@{sys}/class/hidraw/ r,
@{sys}/devices/@{pci}/hidraw/hidraw[0-9]*/uevent r,
13 changes: 2 additions & 11 deletions apparmor.d/profiles-m-r/nvtop
Expand Up @@ -30,9 +30,7 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+drm:card[0-9]-* r,
@{run}/udev/data/+pci:* r,
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card*
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
@{run}/udev/data/c24[0-9]:@{int} r,
@{run}/udev/data/c25[0-4]:@{int} r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511

@{sys}/bus/ r,
@{sys}/class/ r,
Expand All @@ -50,14 +48,7 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pids}/stat r,
@{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r,

/dev/char/c23[4-9]:@{int} w, # For dynamic assignment range 234 to 254
/dev/char/c24[0-9]:@{int} w,
/dev/char/c25[0-4]:@{int} w,
/dev/char/c38[4-9]:@{int} w, # For dynamic assignment range 384 to 511
/dev/char/c39[0-9]:@{int} w,
/dev/char/c4[0-9][0-9]:@{int} w,
/dev/char/c50[0-9]:@{int} w,
/dev/char/c51[0-1]:@{int} w,
/dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511

/dev/dri/ r,
/dev/nvidia-caps/{,nvidia-cap[0-9]*} rw,
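Review bot: The new `/dev/char/@{dynamic}:@{int} w,` line in the second hunk drops the `c` prefix that all eight replaced lines carried, so this is a change in which paths match, not just a re-spelling like the `@{run}/udev/data/c@{dynamic}:@{int}` line in the first hunk. If the `/dev/char/` entries are named `MAJOR:MINOR` as on the systems I know, the new form is the one that actually matches and the old rules were dead, but either way it is a functional change the commit title "unify" does not mention. A short note in the commit message, or a comment such as `# /dev/char/ entries are MAJOR:MINOR, no 'c' prefix`, would make the intent clear to the next editor. The enclosing profile block starts and ends outside the hunk.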
4 changes: 1 addition & 3 deletions apparmor.d/profiles-s-z/steam
Expand Up @@ -167,9 +167,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)

@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{run}/udev/data/c116:@{int} r, # for ALSA
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
@{run}/udev/data/c24[0-9]:@{int} r,
@{run}/udev/data/c25[0-4]:@{int} r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{run}/udev/data/n@{int} r,

@{sys}/ r,
4 changes: 1 addition & 3 deletions apparmor.d/profiles-s-z/steam-game
Expand Up @@ -193,9 +193,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {

@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{run}/udev/data/c116:@{int} r, # for ALSA
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
@{run}/udev/data/c24[0-9]:@{int} r,
@{run}/udev/data/c25[0-4]:@{int} r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511

@{sys}/ r,
@{sys}/bus/ r,
4 changes: 1 addition & 3 deletions apparmor.d/profiles-s-z/udisksd
Expand Up @@ -113,9 +113,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+pci:* r,
@{run}/udev/data/+platform:* r,

@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
@{run}/udev/data/c24[0-9]:@{int} r,
@{run}/udev/data/c25[0-4]:@{int} r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511

@{sys}/bus/ r,
@{sys}/bus/pci/slots/ r,
4 changes: 1 addition & 3 deletions apparmor.d/profiles-s-z/virt-manager
Expand Up @@ -90,9 +90,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk,

@{run}/mount/utab r,
@{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
@{run}/udev/data/c4[0-9]*:@{int} r,
@{run}/udev/data/c5[0-9]*:@{int} r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511

@{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
@{sys}/devices/@{pci}/drm/ r,
7 changes: 1 addition & 6 deletions apparmor.d/profiles-s-z/wireplumber
Expand Up @@ -53,12 +53,7 @@ profile wireplumber @{exec_path} {
@{run}/udev/data/c14:@{int} r, # Open Sound System (OSS)
@{run}/udev/data/c81:@{int} r, # For video4linux
@{run}/udev/data/c116:@{int} r, # For ALSA
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
@{run}/udev/data/c24[0-9]:@{int} r,
@{run}/udev/data/c25[0-4]:@{int} r,
@{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
@{run}/udev/data/c4[0-9]*:@{int} r,
@{run}/udev/data/c5[0-9]*:@{int} r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511

@{sys}/bus/ r,
@{sys}/bus/media/devices/ r,
4 changes: 4 additions & 0 deletions apparmor.d/tunables/multiarch.d/system
Expand Up @@ -56,3 +56,7 @@

# Name of the systemd profile: unconfined || systemd
@{systemd}=unconfined

# Udev data dynamic assignment ranges
@{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254
@{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511
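Review bot: The comment introducing the new variable says "Udev data dynamic assignment ranges", but what the two lines enumerate are character-device major numbers, and nvtop already uses `@{dynamic}` under `/dev/char/` as well as under `@{run}/udev/data/`, so the description should name the thing rather than one consumer; suggest `# Char device major numbers reserved for dynamic assignment (c@{dynamic} under @{run}/udev/data/, @{dynamic} under /dev/char/)`. The alternation itself covers exactly 234–254 and 384–511 with no overlap, which is tighter than the `c3[0-9]*`-style globs it replaces in the profiles. Since this lives in a tunable that every profile can reach, a pointer to the kernel's `Documentation/admin-guide/devices.txt` in the comment would tell future editors where the numbers come from and when to extend them.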
