update apparmor profiles

parent d573c776
......@@ -18,7 +18,15 @@
/dev/sd[a-z][0-9]* rk,
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/ r,
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/** r,
@{sys}/devices/pci[0-9]*/**/{usb,ata}[1-3]/** r,
@{sys}/devices/pci[0-9]*/**/{usb,ata}[1-9]/** r,
# SD card devices
/dev/mmcblk[0-9]* rk,
/dev/mmcblk[0-9]*p[0-9]* rk,
@{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/ r,
@{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/** r,
@{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/ r,
@{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/** r,
# Loop devices
/dev/loop[0-9]* rk,
......@@ -36,13 +44,18 @@
@{sys}/devices/virtual/block/zram[0-9]*/ r,
@{sys}/devices/virtual/block/zram[0-9]*/** r,
# CD-ROM
/dev/sr[0-9]* rk,
@{sys}/block/ r,
# To be able to look up each block device by major:minor numbers
@{sys}/dev/block/ r,
/{var/,}run/udev/data/b254:[0-9]* r, # for /dev/zram*
/{var/,}run/udev/data/b253:[0-9]* r, # for /dev/dm*
/{var/,}run/udev/data/b8:[0-9]* r, # for /dev/sd*
/{var/,}run/udev/data/b7:[0-9]* r, # for /dev/loop*
/{var/,}run/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
/{var/,}run/udev/data/b11:[0-9]* r, # for /dev/sr*
/{var/,}run/udev/data/b8:[0-9]* r, # for /dev/sd*
/{var/,}run/udev/data/b7:[0-9]* r, # for /dev/loop*
/{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
/{var/,}run/udev/data/+usb:* r, # for ?
/{var/,}run/udev/data/+usb:* r, # for ?
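Review bot: The widened glob `{usb,ata}[1-9]/**` still matches only single-digit bus and port numbers, so `ata10`+ on controllers with more than nine ports and `usb10`+ root hubs remain unreadable; `@{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]*/** r,` would cover them and matches the `[0-9]*` form already used on the mmcblk and loop lines of this hunk. The `# for ?` placeholder on the `+usb:*` udev-data rule should either say what reads it or be marked as unknown, e.g. `# udev db records for USB devices keyed by sysfs path (TODO: confirm consumer)`. The same two issues recur verbatim in the disks-write twin of this abstraction.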
......@@ -18,7 +18,15 @@
/dev/sd[a-z][0-9]* rwk,
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/ r,
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/** r,
@{sys}/devices/pci[0-9]*/**/{usb,ata}[1-3]/** r,
@{sys}/devices/pci[0-9]*/**/{usb,ata}[1-9]/** r,
# SD card devices
/dev/mmcblk[0-9]* rwk,
/dev/mmcblk[0-9]*p[0-9]* rwk,
@{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/ r,
@{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/** r,
@{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/ r,
@{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/** r,
# Loop devices
/dev/loop[0-9]* rwk,
......@@ -36,13 +44,18 @@
@{sys}/devices/virtual/block/zram[0-9]*/ r,
@{sys}/devices/virtual/block/zram[0-9]*/** r,
# CD-ROM
/dev/sr[0-9]* rwk,
@{sys}/block/ r,
# To be able to look up each block device by major:minor numbers
@{sys}/dev/block/ r,
/{var/,}run/udev/data/b254:[0-9]* r, # for /dev/zram*
/{var/,}run/udev/data/b253:[0-9]* r, # for /dev/dm*
/{var/,}run/udev/data/b8:[0-9]* r, # for /dev/sd*
/{var/,}run/udev/data/b7:[0-9]* r, # for /dev/loop*
/{var/,}run/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
/{var/,}run/udev/data/b11:[0-9]* r, # for /dev/sr*
/{var/,}run/udev/data/b8:[0-9]* r, # for /dev/sd*
/{var/,}run/udev/data/b7:[0-9]* r, # for /dev/loop*
/{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
/{var/,}run/udev/data/+usb:* r, # for ?
/{var/,}run/udev/data/+usb:* r, # for ?
......@@ -19,3 +19,9 @@
/etc/protocols r,
/etc/default/nss r,
/etc/services r,
# NSS records from systemd-userdbd.service
/{var,}run/systemd/userdb/ r,
/{var,}run/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
@{PROC}/sys/kernel/random/boot_id r,
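Review bot: The two `userdb` rules use `/{var,}run/`, which expands to `/varrun/` or `/run/`, not `/var/run/` — every other rule in this commit spells it `/{var/,}run/`, so this looks like a typo (harmless where /var/run is a symlink to /run, since AppArmor matches the resolved path, but inconsistent). More importantly these are AF_UNIX socket paths and, as far as I recall, connect() on a path-based socket is mediated as a write to the socket file, so `r` alone only lets nss-systemd see that the sockets exist; if the intent is for it to actually query userdbd, the `io.systemd.*` line likely needs `rw`, otherwise state in the comment that existence checks are all that is wanted.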
......@@ -165,7 +165,7 @@ profile amarok @{exec_path} {
deny @{sys}/devices/ r,
deny @{sys}/devices/virtual/net/**/{uevent,type} r,
deny @{sys}/devices/virtual/sound/seq/uevent r,
deny @{sys}/devices/pci[0-9]*/**/usb[1-3]/**/{manufacturer,product,uevent,type} r,
deny @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{manufacturer,product,uevent,type} r,
deny @{sys}/devices/system/node/ r,
deny /{,var/}run/udev/data/* r,
......
......@@ -110,6 +110,7 @@ profile apt-get @{exec_path} flags=(complain) {
profile dpkg-source flags=(complain) {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
#include <abstractions/perl>
/{usr/,}bin/dpkg-source mr,
......@@ -127,10 +128,6 @@ profile apt-get @{exec_path} flags=(complain) {
/etc/dpkg/origins/debian r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/group r,
#include if exists <local/apt-get_dpkg-source>
}
......
......@@ -21,7 +21,7 @@ profile apt-listbugs @{exec_path} {
capability sys_tty_config,
@{exec_path} r,
/{usr/,}bin/ruby2.5 rix,
/{usr/,}bin/ruby2.[0-9]* rix,
/{usr/,}bin/dash rix,
/{usr/,}bin/logname rix,
......
......@@ -11,7 +11,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}lib/at-spi2-core/at-spi-bus-launcher
@{exec_path} = /{usr/,}lib/at-spi2-core/at-spi-bus-launcher /usr/libexec/at-spi-bus-launcher
profile at-spi-bus-launcher @{exec_path} {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
......
......@@ -11,7 +11,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}lib/at-spi2-core/at-spi2-registryd
@{exec_path} = /{usr/,}lib/at-spi2-core/at-spi2-registryd /usr/libexec/at-spi2-registryd
profile at-spi2-registryd @{exec_path} {
#include <abstractions/base>
......
......@@ -170,8 +170,8 @@ profile brave @{exec_path} {
@{sys}/class/ r,
@{sys}/class/**/ r,
/{,var/}run/udev/data/* r,
@{sys}/devices/pci[0-9]*/**/usb[1-3]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
@{sys}/devices/pci[0-9]*/**/usb[1-3]/{,**/}{busnum,devnum} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
@{sys}/devices/virtual/tty/tty[0-9]/active r,
@{sys}/devices/system/cpu/online r,
......
......@@ -35,6 +35,8 @@ profile child-systemctl {
@{PROC}/1/sched r,
@{PROC}/cmdline r,
@{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
/dev/kmsg w,
#include if exists <local/child-systemctl>
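Review bot: `/dev/kmsg w` lets anything confined by child-systemctl inject arbitrary lines into the kernel log, which is a log-spoofing primitive, and it is added without a why-comment. If this is libsystemd's fallback when journald is unreachable, say so, e.g. `# libsystemd logs to /dev/kmsg when journald is unavailable (TODO: confirm from denial)`, and consider whether `deny /dev/kmsg w,` is acceptable instead, since the fallback is only a logging nicety. The SecureBoot efivar rule on the line above is duplicated verbatim in the logrotate profile in this commit; a small shared abstraction would keep the two in step.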
......
......@@ -149,8 +149,8 @@ profile chromium-chromium @{exec_path} {
@{sys}/class/ r,
@{sys}/class/**/ r,
/{,var/}run/udev/data/* r,
@{sys}/devices/pci[0-9]*/**/usb[1-3]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
@{sys}/devices/pci[0-9]*/**/usb[1-3]/{,**/}{busnum,devnum} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
......
......@@ -32,7 +32,7 @@ profile colord @{exec_path} flags=(complain) {
@{sys}/class/ r,
@{sys}/class/drm/ r,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP}-*/{enabled,edid} r,
@{sys}/devices/pci[0-9]*/**/usb[1-3]/{,**/}{uevent,bDeviceClass,removable} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{uevent,bDeviceClass,removable} r,
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
/{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
......
......@@ -32,7 +32,7 @@ profile colord-sane @{exec_path} flags=(complain) {
@{sys}/bus/usb/devices/ r,
@{sys}/bus/scsi/devices/ r,
@{sys}/class/ r,
@{sys}/devices/pci*/**/usb[1-3]/{,**/}{uevent,busnum,devnum,speed,descriptors} r,
@{sys}/devices/pci*/**/usb[0-9]/{,**/}{uevent,busnum,devnum,speed,descriptors} r,
@{sys}/devices/pci*/**/{vendor,model,type} r,
/{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
......
......@@ -94,7 +94,7 @@ profile conky @{exec_path} {
deny ptrace (trace, read),
# Display the hard disk model name
@{sys}/devices/pci[0-9]*/**/ata[0-9]*/host[0-9]*/**/model r,
@{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/**/model r,
@{sys}/block/sd[a-z]/device/model r,
# Display the disk write/read speed
@{PROC}/diskstats r,
......@@ -116,12 +116,20 @@ profile conky @{exec_path} {
/dev/shm/#[0-9]*[0-9] rw,
# Display CPU cores' temperature
# Display temperatures
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/hwmon[0-9]*/temp[0-9]*_input r,
/{usr/,}bin/sensors rPUx,
# Display FAN speed
@{sys}/class/hwmon/ r,
@{PROC}/acpi/ibm/fan r,
# Display network data transfer status
/{usr/,}bin/vnstat rPUx,
# Display Secure Boot status
/{usr/,}bin/mokutil rPUx,
owner /tmp/xauth-[0-9]*-_[0-9] r,
/usr/share/X11/XErrorDB r,
......
......@@ -67,8 +67,8 @@ profile debsign @{exec_path} {
/{usr/,}bin/gpg mr,
owner @{HOME}/.gnupg/gpg.conf r,
owner @{HOME}/.gnupg/pubring.{gpg,kbx} r,
owner @{HOME}/.gnupg/ r,
owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
owner /tmp/debsign.*/*.{dsc,changes,buildinfo} r,
owner /tmp/debsign.*/*.{dsc,changes,buildinfo}.asc rw,
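Review bot: Replacing the read-only `pubring.{gpg,kbx} r` rule with `owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**` gives debsign — and gpg, which runs inside this profile via the `mr` rule above — write and hard-link access to the whole GnuPG home, including `private-keys-v1.d/` and `trustdb.gpg`. Signing needs the public keyrings, config and lock/seed files, while secret-key operations go through gpg-agent under its own profile, so keep `**` read-only and list the writable files explicitly, e.g. `owner @{HOME}/.gnupg/** r,` and `owner @{HOME}/.gnupg/{pubring.kbx,trustdb.gpg,random_seed,*.lock} rwk,`, adjusted to what the audit log actually shows. The rest of the debsign profile is outside this hunk.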
......
......@@ -26,6 +26,7 @@ profile dirmngr @{exec_path} {
/usr/share/gnupg/sks-keyservers.netCA.pem r,
owner /{var/,}run/user/[0-9]*/gnupg/ rw,
owner /{var/,}run/user/[0-9]*/gnupg/S.dirmngr rw,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
......
......@@ -19,19 +19,70 @@ profile dkms @{exec_path} flags=(complain) {
@{exec_path} r,
/{usr/,}bin/bash r,
/{usr/,}bin/head rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/nproc rix,
/{usr/,}bin/head rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/nproc rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/diff rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/rmdir rix,
/{usr/,}bin/find rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/egrep rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/date rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/dash rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/echo rix,
/{usr/,}bin/pwd rix,
/{usr/,}bin/getconf rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/make rix,
/{usr/,}bin/{,@{multiarch}-}* rix,
/{usr/,}lib/gcc/@{multiarch}/[0-9]*/cc1 rix,
/{usr/,}bin/kmod rPx,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/etc/dkms/framework.conf r,
/ r,
/{usr/,}lib/modules/*/updates/ rw,
/{usr/,}lib/modules/*/updates/dkms/ rw,
/{usr/,}lib/modules/*/updates/dkms/*.ko rw,
/var/lib/dkms/ r,
/var/lib/dkms/** rw,
/etc/dkms/{,**} r,
# For building module in /usr/src/ subdirs
/usr/src/** rw,
/usr/src/linux-headers-*/scripts/gcc-plugins/*.so mr,
/usr/src/linux-headers-*/scripts/** rix,
/usr/src/linux-headers-*/tools/** rix,
/usr/include/**.h r,
# For autosign modules
owner /etc/kernel_key/sign-kernel.sh rix,
owner /etc/kernel_key/*.key r,
owner /etc/kernel_key/*.crt r,
owner /tmp/cc*.s rw,
owner /tmp/dkms.*/ rw,
owner /tmp/tmp.* rw,
owner /tmp/sh-thd.* rw,
owner @{PROC}/@{pid}/fd/ r,
#include if exists <local/dkms>
}
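Review bot: `/{usr/,}bin/{,@{multiarch}-}* rix,` grants inherit-exec to every binary in /usr/bin (and every cross-prefixed one), which makes the twenty-odd explicit `rix` lines above it dead and hands any program there — shells included — the full dkms rule set, notably read on the module-signing key `owner /etc/kernel_key/*.key r`, write to `/{usr/,}lib/modules/*/updates/dkms/*.ko` and write to `/usr/src/**`. If the wildcard exists for the toolchain, name it, e.g. `/{usr/,}bin/{,@{multiarch}-}{gcc,g++,cc,ld,ld.bfd,as,ar,nm,objcopy,objdump,strip}* rix,`, and drop the catch-all; the duplicated `grep` line can go too. None of this is enforced while the profile stays `flags=(complain)`, so it is worth settling before the flag is removed.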
......@@ -24,10 +24,6 @@ profile dpkg-deb @{exec_path} flags=(complain) {
/{usr/,}bin/tar rix,
/{usr/,}bin/rm rix,
# A dir for compressing/decompressing deb packages
/media/*/debian_sources/dpkg-deb/ r,
/media/*/debian_sources/dpkg-deb/** rw,
owner /var/lib/dpkg/tmp.ci/ w,
owner /var/lib/dpkg/tmp.ci/md5sums w,
owner /var/lib/dpkg/tmp.ci/shlibs w,
......
......@@ -32,6 +32,8 @@ profile e2fsck @{exec_path} {
@{PROC}/swaps r,
owner @{PROC}/@{pid}/mounts r,
@{sys}/devices/**/power_supply/AC/online r,
# A place for file images
@{HOME}/** rwk,
/media/*/** rwk,
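Review bot: `@{HOME}/** rwk` and `/media/*/** rwk` give e2fsck read/write/lock over every file in every user's home and on every mounted media, far beyond the "file images" the comment describes, so a parser bug in the checker fed a crafted image would have write reach into the user's data. Constrain it to image-like names and the invoking user, e.g. `owner @{HOME}/**.{img,iso,raw,ext[234]} rwk,` and `owner /media/*/**.{img,iso,raw,ext[234]} rwk,`, with a `# TODO: confirm which image extensions are used` if the list is a guess. The rest of the e2fsck profile is outside this hunk.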
......
......@@ -74,6 +74,7 @@ profile engrampa @{exec_path} {
/etc/fstab r,
profile open {
#include <abstractions/base>
#include <abstractions/xdg-open>
......
......@@ -45,7 +45,6 @@ profile exim4 @{exec_path} {
/var/spool/exim4/db/retry.lockfile rwk,
/var/spool/exim4/msglog/*-*-* w,
owner /var/mail/* rwk,
owner /var/mail/*.lock.*.[0-9a-f]*.[0-9a-f]* w,
owner /var/mail/*.lock wl -> /var/mail/*.lock.*.[0-9a-f]*.[0-9a-f]*,
......
......@@ -45,6 +45,12 @@ profile frontend @{exec_path} flags=(complain) {
/var/lib/dpkg/tmp.ci/{prerm,postrm} rPUx,
/var/lib/dpkg/tmp.ci/control r,
# DKMS scipts
# What to do with it? (#FIXME#)
/{usr/,}lib/dkms/common.postinst rPUx,
/{usr/,}lib/dkms/dkms-* rPUx,
/{usr/,}lib/dkms/dkms_* rPUx,
/etc/debconf.conf r,
/usr/share/debconf/{,**} r,
owner /var/cache/debconf/* rwk,
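Review bot: The three `/{usr/,}lib/dkms/... rPUx` rules fall back to unconfined whenever no profile is attached to those scripts, and the dkms profile in this commit attaches to its own `@{exec_path}` (presumably the dkms binary, not these helpers), so the DKMS hooks — which build and install kernel modules — will in practice run unconfined from the debconf frontend; the `#FIXME#` acknowledges this but the rules ship as-is. Either make the trade-off explicit, `# DKMS hooks run unconfined until they get a profile of their own`, or route them to the existing profile with `rPx -> dkms` and extend that profile to what the hooks need. Both this profile and dkms are `flags=(complain)`, so logging what the hooks actually do is cheap before deciding.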
......
......@@ -156,8 +156,8 @@ profile google-chrome-chrome @{exec_path} {
@{sys}/class/ r,
@{sys}/class/**/ r,
/{,var/}run/udev/data/* r,
@{sys}/devices/pci[0-9]*/**/usb[1-3]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
@{sys}/devices/pci[0-9]*/**/usb[1-3]/{,**/}{busnum,devnum} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
......
......@@ -56,6 +56,10 @@ profile gpg @{exec_path} {
# For SDDM
owner /var/lib/sddm/.gnupg/ rw,
# For fwupd
owner /var/lib/fwupd/gnupg/ rw,
owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**,
/etc/nsswitch.conf r,
/etc/passwd r,
......
......@@ -14,6 +14,7 @@
@{exec_path} = /{usr/,}bin/gpg-agent
profile gpg-agent @{exec_path} {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
signal (receive) peer=pinentry-kwallet,
......@@ -36,6 +37,10 @@ profile gpg-agent @{exec_path} {
owner /var/lib/lightdm/.gnupg/private-keys-v1.d/ rw,
owner /var/lib/lightdm/.gnupg/private-keys-v1.d/[0-9A-F]*.key r,
# For fwupd
owner /var/lib/fwupd/.gnupg/private-keys-v1.d/ rw,
owner /var/lib/fwupd/.gnupg/private-keys-v1.d/[0-9A-F]*.key r,
@{PROC}/@{pid}/fd/ r,
# PIN-entry apps
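Review bot: The fwupd path here is `/var/lib/fwupd/.gnupg/private-keys-v1.d/`, while the gpg profile in this same commit allows `/var/lib/fwupd/gnupg/` with no leading dot; one of the two is wrong and, since gpg-agent would then be unable to read the keys the gpg profile lets gpg write, they need to agree. I believe fwupd points GNUPGHOME at `/var/lib/fwupd/gnupg` — confirm against a denial, then change these to `owner /var/lib/fwupd/gnupg/private-keys-v1.d/ rw,` and `owner /var/lib/fwupd/gnupg/private-keys-v1.d/[0-9A-F]*.key r,`. The new `nameservice-strict` include at the top also widens the read set of a secret-holding daemon (passwd/group, NSS sockets); a one-line why-comment would help the next reader.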
......
......@@ -25,6 +25,8 @@ profile gpgconf @{exec_path} {
/{usr/,}bin/gpgsm rPx,
/{usr/,}lib/gnupg/scdaemon rPx,
/{usr/,}bin/pinentry-qt rPx,
owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
owner @{PROC}/@{pid}/task/@{tid}/stat rw,
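Review bot: `owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**` turns a configuration tool into a process with write and hard-link access over the whole GnuPG home, including `private-keys-v1.d/`, `pubring.kbx` and `trustdb.gpg`. gpgconf's job is to read and rewrite the component `*.conf` files (I believe via a temporary file plus rename, which explains the lock/link needs), so a narrower rule such as `owner @{HOME}/.gnupg/ r,` plus `owner @{HOME}/.gnupg/{gpg,gpg-agent,dirmngr,scdaemon,gpgsm}.conf{,.tmp*,~} rwkl,` would likely cover it — confirm against the denials that motivated the line. `w` on the process's own `task/@{tid}/stat` has no meaning; if the denial only shows a read, drop it to `r`.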
......
......@@ -17,6 +17,8 @@ profile gpgsm @{exec_path} {
@{exec_path} mr,
deny /usr/bin/.gnupg/ w,
owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
/etc/nsswitch.conf r,
......
......@@ -37,7 +37,7 @@ profile hardinfo @{exec_path} {
/{usr/,}bin/python2.[0-9]* rix,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}bin/perl rix,
/{usr/,}bin/ruby2.5 rix,
/{usr/,}bin/ruby2.[0-9]* rix,
/{usr/,}bin/make rix,
/{usr/,}bin/strace rix,
/{usr/,}bin/gdb rix,
......
......@@ -15,6 +15,8 @@
profile hciconfig @{exec_path} flags=(complain) {
#include <abstractions/base>
capability net_raw,
capability net_admin,
@{exec_path} mr,
......
......@@ -20,7 +20,7 @@ profile jekyll @{exec_path} {
#include <abstractions/nameservice-strict>
@{exec_path} r,
/{usr/,}bin/ruby2.5 r,
/{usr/,}bin/ruby2.[0-9]* r,
/usr/share/rubygems-integration/** r,
/usr/share/ruby-addressable/unicode.data r,
......@@ -28,6 +28,7 @@ profile jekyll @{exec_path} {
# Jekyll dir
owner @{JEKYLL_DIR}/{,**} r,
owner @{JEKYLL_DIR}/_site/{,**} rw,
owner @{JEKYLL_DIR}/.sass-cache/** rw,
@{PROC}/version r,
......
......@@ -14,6 +14,7 @@
@{exec_path} = /{usr/,}lib/@{multiarch}/libexec/kcheckpass
profile kcheckpass @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
#include <abstractions/authentication>
#include <abstractions/wutmp>
......@@ -23,9 +24,6 @@ profile kcheckpass @{exec_path} flags=(complain) {
/{usr/,}sbin/unix_chkpwd rPx,
/etc/nsswitch.conf r,
/etc/passwd r,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
......
......@@ -77,8 +77,8 @@ profile keepassxc @{exec_path} {
@{sys}/bus/ r,
@{sys}/bus/usb/devices/ r,
@{sys}/class/ r,
@{sys}/devices/pci[0-9]*/**/usb[1-3]/{,**/}{uevent,speed,descriptors} r,
@{sys}/devices/pci[0-9]*/**/usb[1-3]/{,**/}{busnum,devnum} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{uevent,speed,descriptors} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
/{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
/{var/,}run/udev/data/+usb:* r, #
......
......@@ -16,6 +16,7 @@ profile kmod @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
capability sys_admin,
capability sys_module,
capability syslog,
capability dac_read_search,
......@@ -32,6 +33,11 @@ profile kmod @{exec_path} flags=(complain) {
@{PROC}/cmdline r,
@{PROC}/modules r,
/{var/,}run/tmpfiles.d/ w,
/{var/,}run/tmpfiles.d/static-nodes.conf w,
owner /boot/System.map-* r,
# For update-initramfs
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/ r,
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.* rw,
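Review bot: `capability sys_module` is the most powerful grant in this file — it lets the confined process load arbitrary kernel code — and it arrives without a comment; together with the existing `sys_admin` the profile is now effectively root-equivalent, so its remaining value lies in which module files kmod may read, which is outside this hunk. Add a why-comment, `# sys_module: modprobe/insmod call init_module()/finit_module()`, and check that `.ko` reads are pinned to `/{usr/,}lib/modules/**` rather than any glob reaching user-writable paths. The `/var/tmp/mkinitramfs_*` rule is close to that line: /var/tmp is world-writable, and `owner` only helps if kmod is never run as a non-root user there. Nothing is enforced while the profile stays `flags=(complain)`.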
......
......@@ -8,3 +8,6 @@
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# file_inherit
owner /dev/log-xsession w,
......@@ -17,6 +17,13 @@
/media/*/debian_sources/git-kernel/linux-*/debian/{hdr,header,}tmp/** r,
/media/*/debian_sources/git-kernel/linux-*.deb rw,
# A dir for compressing/decompressing deb packages
/media/*/debian_sources/dpkg-deb/ r,
/media/*/debian_sources/dpkg-deb/** rw,
# For pbuilder --create
/media/*/pbuilder/build/[0-9]*/var/cache/apt/archives/*.deb r,
# For lintian
/media/*/pbuilder/result/*.deb r,
......
......@@ -11,7 +11,11 @@
#include <abstractions/file-browsing-strict>
# To view deb packages
/var/cache/apt/archives/*.deb r,
# To view backup files
@{HOME}/backup/*.tar.gz r,
# file_inherit
owner /dev/log-xsession w,
......@@ -12,6 +12,7 @@
# For pbuilder
owner /media/*/pbuilder/build/** rw,
owner /media/*/debian_sources/*/** rw,
owner /media/*/pbuilder/apt-packages/**.deb rw,
#
owner /media/*/download/ r,
......
......@@ -10,3 +10,12 @@
# ------------------------------------------------------------------
#include <abstractions/file-browsing-strict>
# To view deb packages
/var/cache/apt/archives/*.deb r,
# To view backup files
@{HOME}/backup/*.tar.gz r,
# file_inherit
owner /dev/log-xsession w,
......@@ -8,3 +8,6 @@
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# file_inherit
owner /dev/log-xsession w,
......@@ -59,6 +59,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected,complain) {
# logrotate[]: error: could not change directory to '.'
/ r,
@{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
profile systemctl flags=(attach_disconnected, complain) {
#include <abstractions/base>
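Review bot: The SecureBoot efivar read is added to the parent `logrotate` profile, yet the identical rule appears in `child-systemctl` in this commit, which suggests the access comes from libsystemd inside the `systemctl` child profile declared on the very next line rather than from logrotate itself. If the denial named the child profile, move the rule inside it; otherwise logrotate gains a read it never uses. Either way a comment naming the caller, e.g. `# libsystemd checks SecureBoot state (TODO: confirm which profile needs it)`, would stop the next reader guessing.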
......
......@@ -14,6 +14,7 @@
@{exec_path} = /{usr/,}bin/lsblk
profile lsblk @{exec_path} {
#include <abstractions/base>
#include <abstractions/disks-read>
#include <abstractions/nameservice-strict>
@{exec_path} mr,
......@@ -21,19 +22,6 @@ profile lsblk @{exec_path} {
@{PROC}/swaps r,
owner @{PROC}/@{pid}/mountinfo r,
@{sys}/block/ r,
# To be able to look up each block device by major:minor numbers
@{sys}/dev/block/ r,
@{sys}/devices/**/block/{,**} r,
# For -o "TYPE,STATE,TRAN,REV,VENDOR"
@{sys}/devices/pci[0-9]*/**/{ata,usb}[1-3]/**/{type,state,proc_name,rev,vendor} r,
/{var/,}run/udev/data/b7:[0-9]* r, # for /dev/loop*
/{var/,}run/udev/data/b8:[0-9]* r, # for /dev/sd*
/{var/,}run/udev/data/b253:[0-9]* r, # for /dev/dm-*
/{var/,}run/udev/data/b254:[0-9]* r, # for /dev/zram*
/{var/,}run/mount/utab r,
#include if exists <local/lsblk>
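Review bot: Swapping the explicit sysfs/udev rules for `#include <abstractions/disks-read>` is a widening, not a tidy-up: that abstraction, as changed in this commit, also grants `rk` on the device nodes themselves (`/dev/sd*`, `/dev/mmcblk*`, `/dev/loop*`, `/dev/sr*`), so lsblk may now read raw disk contents where DAC permits, whereas before it could only read metadata from sysfs and `/run/udev/data`. If the nodes are needed for libblkid probing (`-f`, `-o FSTYPE,LABEL` without a udev db), say so in a comment above the include; otherwise a sysfs-only abstraction would preserve the original, tighter scope. The removed `{ata,usb}[1-3]` rule was also narrower than the abstraction's `[1-9]` form, which is fine but should be a conscious choice.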
......
......@@ -24,7 +24,7 @@ profile lsusb @{exec_path} {
@{sys}/bus/ r,
@{sys}/bus/usb/devices/ r,
@{sys}/devices/pci[0-9]*/**/usb[1-3]/{,**} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**} r,
/{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
/{var/,}run/udev/data/+usb:* r, #
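Review bot: `usb[0-9]/{,**}` replaces `usb[1-3]` but still matches only single-digit root hubs, so on a host with ten or more USB buses (`usb10`, `usb11`, …) lsusb is denied exactly as it was for `usb4` before this change; `@{sys}/devices/pci[0-9]*/**/usb[0-9]*/{,**} r,` would cover them. The same `usb[0-9]` pattern is repeated in the brave, chromium, colord, colord-sane, google-chrome, keepassxc and opera hunks of this commit, so whichever form is chosen should be applied uniformly rather than fixed here alone.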
......
......@@ -55,6 +55,9 @@ profile megasync @{exec_path} {
owner @{HOME}/.config/QtProject.conf r,
# Sync folder
#/ r,
#/media/ r,
#/media/*/ r,
owner @{SYNC_FOLDER}/ r,
owner @{SYNC_FOLDER}/** rwl -> @{SYNC_FOLDER}/**,
......@@ -88,6 +91,7 @@ profile megasync @{exec_path} {
/{usr/,}bin/spacefm rPUx,
# file_inherit
owner "@{HOME}/.local/share/data/Mega Limited/MEGAsync/logs/MEGAsync.log" rw,
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
......
......@@ -26,6 +26,8 @@ profile mount @{exec_path} flags=(complain) {
# Mount points
/media/*/ r,
/media/*/*/ r,
/mnt/ r,
/media/cdrom[0-9]/ r,
# Mount of iso files
......
......@@ -149,8 +149,8 @@ profile opera @{exec_path} {
@{sys}/class/ r,
@{sys}/class/**/ r,
/{,var/}run/udev/data/* r,
@{sys}/devices/pci[0-9]*/**/usb[1-3]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
@{sys}/devices/pci[0-9]*/**/usb[1-3]/{,**/}{busnum,devnum} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
...