update apparmor profiles

parent 318973d3
......@@ -11,7 +11,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
#include <abstractions/dri-common>
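Review bot: The `abi <abi/3.0>,` declaration appears to end up commented out as `#abi <abi/3.0>,`, and unlike `#include`, `#abi` is a plain comment to the parser. This assumes the second line of the pair is the new side, since the page has lost its `+`/`-` markers. Without a declared ABI the profile is compiled against whatever feature set the parser defaults to (for example one pinned in `parser.conf`), so the mediation actually enforced should be confirmed on each target release rather than assumed. If the aim is to stay loadable by parsers older than 3.0, a header comment should say so, e.g. `# abi rule disabled for pre-3.0 parsers; enforcement depends on the parser's default feature set`. The same pair opens every other file section in this commit.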
......
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
#include <abstractions/apt-pkgcache>
......
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
/etc/apt/apt.conf r,
/etc/apt/apt.conf.d/{,*} r,
......
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
# For downloading the source of packages (apt-get source)
owner /media/*/debian_sources/.apt-acquire-privs-test.* w,
......
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
# For local Debian repository (reprepro)
/media/*/*/ r,
......
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
/var/cache/apt/ r,
/var/cache/apt/pkgcache.bin{,.*} rw,
......
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
deny /etc/dconf/{,**} r,
......
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
# The /sys/ entries probably should be tightened
......
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
# The /sys/ entries probably should be tightened
......
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
deny @{PROC}/@{pid}/mountinfo r,
deny @{PROC}/@{pid}/mounts r,
......
......@@ -11,7 +11,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
# Flatpak
/var/lib/flatpak/exports/share/{,**} r,
......
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
# The fontconfig cache can be generated via the following command:
# $ fc-cache -f -v
......
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
owner @{HOME}/.cache/fontconfig/ rw,
owner @{HOME}/.cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,
......
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
owner @{HOME}/.fzf/{,**} r,
......
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
/usr/share/themes/{,**} r,
......
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
/usr/share/kde4/** r,
......
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
##include <abstractions/thumbnails-cache-write>
......
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
# System files
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
......@@ -22,8 +22,10 @@
owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
# If the dir in @{HOME}/.cache is not writable, it uses a dir in /tmp/
#owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/ rw,
#owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/index rw,
#owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
#owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
#owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/ rw,
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/index rw,
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
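Review bot: The `/tmp/Temp-[a-f0-9]*/mesa_shader_cache/...` rules in the second hunk match more than the hex-named directory the pattern suggests. In AppArmor globbing `[a-f0-9]*` is one hex character followed by any run of non-`/` characters, so `/tmp/Temp-a<anything>/` qualifies, and the same holds for the `[0-9a-f]*` file names. If the uncommented set is the new side (the markers are lost on this page), this file, which looks like a shared abstraction, hands `rw`/`rwk` under world-writable `/tmp` to every profile that includes it. The `owner` qualifier limits that to files owned by the process's user, not to directories Mesa itself created. Either repeat the character class to the real name length (to be checked against Mesa) or document the looseness with `# NOTE: [a-f0-9]* is a glob, not a regex: one hex char, then anything up to the next '/'`.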
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
/etc/hosts r,
/etc/host.conf r,
......
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
ptrace (read),
......@@ -20,6 +20,6 @@
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/random/boot_id r,
/dev/kmsg rw,
/dev/kmsg w,
@{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
owner @{HOME}/.cache/thumbnails/ rw,
owner @{HOME}/.cache/thumbnails/{large,normal}/ rw,
......
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
owner @{HOME}/.config/trashrc rw,
owner @{HOME}/.config/trashrc.lock rwk,
......
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
owner @{HOME}/[dD]ownload{,s}/ r,
owner @{HOME}/[dD]ownload{,s}/** rwl,
......
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/vlc/ rw,
......
......@@ -10,7 +10,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
owner /{,var/}run/user/[0-9]*/weston-shared-* rw,
owner /{,var/}run/user/[0-9]*/wayland-[0-9]* rw,
......
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
/usr/share/zsh/{,**} r,
/usr/local/share/zsh/{,**} r,
......
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
#include <tunables/global>
......@@ -36,5 +36,5 @@ profile accounts-daemon @{exec_path} {
/var/log/wtmp r,
include if exists <local/accounts-daemon>
#include if exists <local/accounts-daemon>
}
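Review bot: The closing `#include if exists <local/accounts-daemon>` reads like a disabled line but is still an active include, because the parser accepts `#include` as the legacy spelling of `include`. Whichever side of the pair is new, the site-local override file is therefore still merged into the profile, and anything placed under `local/` extends what the confined service may do. A one-line comment above the directive would prevent a misreading during audit, e.g. `# '#include' is a directive, not a comment: local overrides remain in effect`. The profile body starts outside the hunk, and the same pair closes the acpi, adduser, adequate, amarok, amixer, anki, anyremote and aplay sections.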
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
#include <tunables/global>
......@@ -25,5 +25,5 @@ profile acpi @{exec_path} flags=(complain) {
@{sys}/devices/**/power_supply/*/{online,type} r,
@{sys}/devices/virtual/thermal/{,**} r,
include if exists <local/acpi>
#include if exists <local/acpi>
}
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
#include <tunables/global>
......@@ -51,5 +51,5 @@ profile adduser @{exec_path} {
# For lightdm
/var/lib/lightdm/{,*} w,
include if exists <local/adduser>
#include if exists <local/adduser>
}
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
#include <tunables/global>
......@@ -110,5 +110,5 @@ profile adequate @{exec_path} flags=(complain) {
}
include if exists <local/adequate>
#include if exists <local/adequate>
}
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
#include <tunables/global>
......@@ -201,5 +201,5 @@ profile amarok @{exec_path} {
}
include if exists <local/amarok>
#include if exists <local/amarok>
}
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
#include <tunables/global>
......@@ -27,5 +27,5 @@ profile amixer @{exec_path} {
owner @{HOME}/.config/pulse/ r,
include if exists <local/amixer>
#include if exists <local/amixer>
}
......@@ -9,14 +9,14 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
#include <tunables/global>
@{exec_path} = /{usr/,}bin/anki
profile anki @{exec_path} {
#include <abstractions/base>
#include <abstractions/X>
#include <abstractions/opencl-intel>
#include <abstractions/gtk>
#include <abstractions/fonts>
#include <abstractions/fontconfig-cache-read>
......@@ -25,7 +25,6 @@ profile anki @{exec_path} {
#include <abstractions/python>
#include <abstractions/audio>
#include <abstractions/mesa>
#include <abstractions/dri-enumerate>
#include <abstractions/qt5-settings-write>
#include <abstractions/qt5-compose-cache-write>
#include <abstractions/user-download-strict>
......@@ -112,10 +111,8 @@ profile anki @{exec_path} {
owner /dev/shm/.org.chromium.Chromium.* rw,
/dev/shm/#[0-9]*[0-9] rw,
@{sys}/devices/pci[0-9]*/**/{resource,irq,vendor,device,class} r,
@{sys}/bus/pci/devices/ r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
@{sys}/devices/pci[0-9]*/**/irq r,
@{sys}/devices/pci[0-9]*/**/{vendor,device} r,
/usr/share/hwdata/pnp.ids r,
......@@ -172,7 +169,7 @@ profile anki @{exec_path} {
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
include if exists <local/anki_mpv>
#include if exists <local/anki_mpv>
}
profile lame {
......@@ -197,8 +194,8 @@ profile anki @{exec_path} {
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
include if exists <local/anki_open>
#include if exists <local/anki_open>
}
include if exists <local/anki>
#include if exists <local/anki>
}
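Review bot: `/dev/shm/#[0-9]*[0-9] rw,` in the third hunk has no `owner` qualifier, unlike the `owner /dev/shm/.org.chromium.Chromium.* rw,` line directly above it, so the profile may read and write matching shared-memory entries belonging to any user. If these are only the application's own anonymous segments, `owner /dev/shm/#[0-9]*[0-9] rw,` would express that; it needs a test run, and the line may be context this commit does not touch. Separately, the PCI sysfs access appears both as one combined rule `{resource,irq,vendor,device,class}` and as split `irq` and `{vendor,device}` rules. With the markers lost it is unclear which side is new, but the narrower pair is preferable unless `resource` and `class` are demonstrably needed. The anki profile body extends beyond every hunk shown.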
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
#include <tunables/global>
......@@ -175,5 +175,5 @@ profile anyremote @{exec_path} {
}
include if exists <local/anyremote>
#include if exists <local/anyremote>
}
......@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#abi <abi/3.0>,
#include <tunables/global>
......@@ -27,5 +27,5 @@ profile aplay @{exec_path} flags=(complain) {
owner @{HOME}/.config/pulse/ r,
include if exists <local/aplay>
#include if exists <local/aplay>
}