rename apparmor profile names

parent 8952ecfb
......@@ -12,7 +12,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}lib/at-spi2-core/at-spi-bus-launcher
profile at-spi2-core-at-spi-bus-launcher @{exec_path} {
profile at-spi-bus-launcher @{exec_path} {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
#include <abstractions/dconf-deny>
......@@ -36,5 +36,5 @@ profile at-spi2-core-at-spi-bus-launcher @{exec_path} {
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
/var/log/lightdm/seat[0-9]*-greeter.log w,
#include <local/at-spi2-core-at-spi-bus-launcher>
#include <local/at-spi-bus-launcher>
}
......@@ -12,7 +12,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}lib/at-spi2-core/at-spi2-registryd
profile at-spi2-core-at-spi2-registryd @{exec_path} {
profile at-spi2-registryd @{exec_path} {
#include <abstractions/base>
@{exec_path} mr,
......@@ -24,5 +24,5 @@ profile at-spi2-core-at-spi2-registryd @{exec_path} {
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
#include <local/at-spi2-core-at-spi2-registryd>
#include <local/at-spi2-registryd>
}
......@@ -12,7 +12,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}lib/bluetooth/bluetoothd
profile bluetooth-bluetoothd @{exec_path} flags=(complain) {
profile bluetoothd @{exec_path} flags=(complain) {
#include <abstractions/base>
# Needed for configuring HCI interfaces
......@@ -36,5 +36,5 @@ profile bluetooth-bluetoothd @{exec_path} flags=(complain) {
# when connecting to a device
/dev/uinput rw,
#include <local/bluetooth-bluetoothd>
#include <local/bluetoothd>
}
......@@ -12,7 +12,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}lib/colord/colord
profile colord-colord @{exec_path} flags=(complain) {
profile colord @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
......@@ -44,5 +44,5 @@ profile colord-colord @{exec_path} flags=(complain) {
/usr/share/mime/mime.cache r,
#include <local/colord-colord>
#include <local/colord>
}
......@@ -12,7 +12,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}lib/colord/colord-sane
profile colord-colord-sane @{exec_path} flags=(complain) {
profile colord-sane @{exec_path} flags=(complain) {
#include <abstractions/base>
@{exec_path} mr,
......@@ -40,5 +40,5 @@ profile colord-colord-sane @{exec_path} flags=(complain) {
@{PROC}/sys/dev/parport/ r,
#include <local/colord-colord-sane>
#include <local/colord-sane>
}
......@@ -12,10 +12,10 @@
#include <tunables/global>
@{exec_path} = /{usr/,}lib/colord/colord-session
profile colord-colord-session @{exec_path} flags=(complain) {
profile colord-session @{exec_path} flags=(complain) {
#include <abstractions/base>
@{exec_path} mr,
#include <local/colord-colord-session>
#include <local/colord-session>
}
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2017-2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
@{exec_path} = /{usr/,}bin/cvlc
profile cvlc @{exec_path} {
#include <abstractions/base>
@{exec_path} mrix,
/{usr/,}bin/vlc rPx,
#include <local/cvlc>
}
......@@ -12,7 +12,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}lib/dconf/dconf-service
profile dconf-dconf-service @{exec_path} {
profile dconf-service @{exec_path} {
#include <abstractions/base>
@{exec_path} mr,
......@@ -29,5 +29,5 @@ profile dconf-dconf-service @{exec_path} {
@{PROC}/cmdline r,
#include <local/dconf-dconf-service>
#include <local/dconf-service>
}
......@@ -12,7 +12,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}lib/dkms/dkms_autoinstaller
profile dkms-dkms-autoinstaller @{exec_path} flags=(complain) {
profile dkms-autoinstaller @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
......@@ -36,5 +36,5 @@ profile dkms-dkms-autoinstaller @{exec_path} flags=(complain) {
}
#include <local/dkms-dkms-autoinstaller>
#include <local/dkms-autoinstaller>
}
......@@ -12,7 +12,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}lib/eject/dmcrypt-get-device
profile eject-dmcrypt-get-device @{exec_path} flags=(complain) {
profile dmcrypt-get-device @{exec_path} flags=(complain) {
#include <abstractions/base>
capability sys_admin,
......@@ -26,5 +26,5 @@ profile eject-dmcrypt-get-device @{exec_path} flags=(complain) {
/dev/mapper/control rw,
#include <local/eject-dmcrypt-get-device>
#include <local/dmcrypt-get-device>
}
......@@ -12,12 +12,12 @@
#include <tunables/global>
@{exec_path} = /{usr/,}bin/dcut /usr/share/dput/execute-dcut
profile dcut-execute-dcut @{exec_path} flags=(complain) {
profile execute-dcut @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/python>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
#include <local/dcut-execute-dcut>
#include <local/execute-dcut>
}
......@@ -12,7 +12,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}bin/dput /usr/share/dput/execute-dput
profile dput-execute-dput @{exec_path} flags=(complain) {
profile execute-dput @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/python>
#include <abstractions/nameservice-strict>
......@@ -52,8 +52,8 @@ profile dput-execute-dput @{exec_path} flags=(complain) {
owner @{HOME}/.gnupg/ rw,
owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
#include <local/dput-execute-dput_gpg>
#include <local/execute-dput_gpg>
}
#include <local/dput-execute-dput>
#include <local/execute-dput>
}
......@@ -12,7 +12,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/xfce[0-9]/exo-[0-9]/exo-helper-[0-9]
profile xfce-exo-helper @{exec_path} {
profile exo-helper @{exec_path} {
#include <abstractions/base>
#include <abstractions/consoles>
......@@ -71,5 +71,5 @@ profile xfce-exo-helper @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
#include <local/xfce-exo-helper>
#include <local/exo-helper>
}
......@@ -12,7 +12,7 @@
#include <tunables/global>
@{exec_path} = /usr/share/debconf/frontend
profile share-debconf-frontend @{exec_path} flags=(complain) {
profile frontend @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/perl>
......@@ -73,5 +73,5 @@ profile share-debconf-frontend @{exec_path} flags=(complain) {
# file_inherit
/dev/tty[0-9]* rw,
#include <local/share-debconf-frontend>
#include <local/frontend>
}
......@@ -12,7 +12,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/gconf/gconfd-[0-9]
profile gconf-gconfd @{exec_path} {
profile gconfd @{exec_path} {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
......@@ -24,5 +24,5 @@ profile gconf-gconfd @{exec_path} {
owner @{HOME}/.gconf/ rw,
owner @{HOME}/.gconf/.testing.writeability rw,
#include <local/gconf-gconfd>
#include <local/gconfd>
}
......@@ -12,7 +12,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop
profile glib-gio-launch-desktop @{exec_path} {
profile gio-launch-desktop @{exec_path} {
#include <abstractions/base>
#include <abstractions/consoles>
......@@ -51,5 +51,5 @@ profile glib-gio-launch-desktop @{exec_path} {
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
#include <local/glib-gio-launch-desktop>
#include <local/gio-launch-desktop>
}
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2018-2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
@{JD_INSTALLDIR} = /home/*/jd2
@{exec_path} = "@{JD_INSTALLDIR}/Uninstall JDownloader"
profile home-jdownloader-uninstall @{exec_path} {
#include <abstractions/base>
#include <abstractions/freedesktop.org>
#include <abstractions/fonts>
#include <abstractions/fontconfig-cache-read>
#include <abstractions/nameservice-strict>
@{exec_path} r,
/{usr/,}bin/basename rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/expr rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/egrep rix,
/{usr/,}bin/find rix,
# These are needed when the above tools are in some nonstandard locations
#/{usr/,}bin/which rix,
#/usr/ r,
#/usr/local/ r,
#/{usr/,}bin/ r,
#/{usr/,}lib/ r,
deny /opt/ r,
owner @{HOME}/ r,
owner @{JD_INSTALLDIR}/{,**} rw,
owner @{JD_INSTALLDIR}/jre/bin/java rix,
owner @{JD_INSTALLDIR}/jre/lib/*/jli/libjli.so mrw,
owner @{JD_INSTALLDIR}/jre/lib/*/server/libjvm.so mrw,
owner @{JD_INSTALLDIR}/jre/lib/*/*.so mrw,
owner @{HOME}/.oracle_jre_usage/[0-9a-f]*.timestamp rw,
owner @{HOME}/.java/.userPrefs/.user.lock.* rwk,
owner @{HOME}/.java/.userPrefs/com/install4j/installations/prefs.xml rw,
owner @{HOME}/.java/fonts/[0-9]*/fcinfo*.tmp rw,
owner @{HOME}/.java/fonts/[0-9]*/fcinfo-*.properties rw,
owner @{HOME}/.install4j r,
owner /tmp/hsperfdata_*/ rw,
owner /tmp/hsperfdata_*/@{pid} rw,
owner /tmp/i4j_log_jd2_[0-9]*.log rw,
owner /tmp/install4jError[0-9]*.log rw,
owner @{HOME}/.Xauthority r,
deny @{PROC}/@{pid}/net/ipv6_route r,
deny @{PROC}/@{pid}/net/if_inet6 r,
deny owner @{PROC}/@{pid}/cmdline r,
#include <local/home-jdownloader-uninstall>
}
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2018-2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
@{JD_INSTALLDIR} = /home/*/jd2
@{exec_path} = @{JD_INSTALLDIR}/JDownloader2Update
profile home-jdownloader-update @{exec_path} {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/fontconfig-cache-read>
#include <abstractions/freedesktop.org>
#include <abstractions/nameservice-strict>
@{exec_path} r,
/{usr/,}bin/basename rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/expr rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/chmod rix,
owner @{HOME}/ r,
owner @{JD_INSTALLDIR}/ r,
owner @{JD_INSTALLDIR}/** rwk,
owner @{JD_INSTALLDIR}/jre/bin/java rix,
owner @{JD_INSTALLDIR}/jre/lib/*/jli/libjli.so mrw,
owner @{JD_INSTALLDIR}/jre/lib/*/server/libjvm.so mrw,
owner @{JD_INSTALLDIR}/jre/lib/*/*.so mrw,
owner @{JD_INSTALLDIR}/tmp/jna/jna[0-9]*.tmp mrw,
owner @{JD_INSTALLDIR}/tmp/7zip/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw,
owner @{HOME}/.oracle_jre_usage/[0-9a-f]*.timestamp rw,
owner @{HOME}/.java/.userPrefs/.user.lock.* rwk,
owner @{HOME}/.java/fonts/[0-9]*/fcinfo*.tmp rw,
owner @{HOME}/.java/fonts/[0-9]*/fcinfo-*.properties rw,
owner @{HOME}/.install4j rw,
owner /tmp/hsperfdata_*/ rw,
owner /tmp/hsperfdata_*/@{pid} rw,
# If the @{JD_INSTALLDIR}/tmp/ dir can't be accessed, the /tmp/ dir will be used instead
owner /tmp/SevenZipJBinding-*/ rw,
owner /tmp/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw,
# For auto updates
owner /tmp/lastChanceSrc[0-9]*lch rw,
owner /tmp/lastChanceDst[0-9]*.jar rw,
owner @{HOME}/.Xauthority r,
# What's this for?
deny owner @{HOME}/.mozilla/firefox/ r,
deny owner @{HOME}/.mozilla/firefox/*.default/prefs.js r,
owner @{PROC}/@{pid}/fd/ r,
deny @{PROC}/@{pid}/net/ipv6_route r,
deny @{PROC}/@{pid}/net/if_inet6 r,
deny owner @{PROC}/@{pid}/cmdline r,
#include <local/home-jdownloader-update>
}
......@@ -13,27 +13,33 @@
@{JD_INSTALLDIR} = /home/*/jd2
@{exec_path} = @{JD_INSTALLDIR}/JDownloader2
profile home-jdownloader @{exec_path} {
@{exec_path} = @{JD_INSTALLDIR}/*JDownloader*
profile jdownloader @{exec_path} {
#include <abstractions/base>
#include <abstractions/freedesktop.org>
#include <abstractions/fonts>
#include <abstractions/fontconfig-cache-read>
#include <abstractions/freedesktop.org>
#include <abstractions/user-download-strict>
##include <abstractions/audio>
#include <abstractions/nameservice-strict>
@{exec_path} rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/expr rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/ffmpeg rPUx,
/{usr/,}bin/dirname rix,
/{usr/,}bin/expr rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/egrep rix,
/{usr/,}bin/find rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/ffmpeg rPUx,
# These are needed when the above tools are in some nonstandard locations
#/{usr/,}bin/which rix,
#/{usr/,}bin/which rix,
#/usr/ r,
#/usr/local/ r,
#/{usr/,}bin/ r,
......@@ -42,7 +48,7 @@ profile home-jdownloader @{exec_path} {
deny /opt/ r,
owner @{HOME}/ r,
owner @{JD_INSTALLDIR}/ r,
owner @{JD_INSTALLDIR}/ rw,
owner @{JD_INSTALLDIR}/** rwk,
owner @{JD_INSTALLDIR}/jre/bin/java rix,
owner @{JD_INSTALLDIR}/jre/lib/*/jli/libjli.so mrw,
......@@ -53,10 +59,12 @@ profile home-jdownloader @{exec_path} {
owner @{HOME}/.oracle_jre_usage/[0-9a-f]*.timestamp rw,
owner @{HOME}/.java/.userPrefs/.user.lock.* rwk,
owner @{HOME}/.java/.userPrefs/com/install4j/installations/prefs.xml rw,
owner @{HOME}/.java/fonts/[0-9]*/ rw,
owner @{HOME}/.java/fonts/[0-9]*/fcinfo*.tmp rw,
owner @{HOME}/.java/fonts/[0-9]*/fcinfo-*.properties rw,
owner @{HOME}/.install4j r,
owner @{HOME}/.install4j rw,
owner /tmp/hsperfdata_*/ rw,
owner /tmp/hsperfdata_*/@{pid} rw,
......@@ -66,9 +74,15 @@ profile home-jdownloader @{exec_path} {
# For auto updates
owner /tmp/lastChanceSrc[0-9]*lch rw,
owner /tmp/lastChanceDst[0-9]*.jar rw,
owner /tmp/i4j_log_jd2_[0-9]*.log rw,
owner /tmp/install4jError[0-9]*.log rw,
owner @{HOME}/.Xauthority r,
# What's this for?
deny owner @{HOME}/.mozilla/firefox/ r,
deny owner @{HOME}/.mozilla/firefox/*.default/prefs.js r,
owner @{PROC}/@{pid}/fd/ r,
deny @{PROC}/@{pid}/net/ipv6_route r,
deny @{PROC}/@{pid}/net/if_inet6 r,
......@@ -87,5 +101,5 @@ profile home-jdownloader @{exec_path} {
# To open a web browser for CAPTCHA
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPUx,
#include <local/home-jdownloader>
#include <local/jdownloader>
}
......@@ -16,7 +16,7 @@
@{JD_SH_PATH} += /home/*/[dD]esktop
@{exec_path} = @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh
profile home-jdownloader-install @{exec_path} {
profile jdownloader-install @{exec_path} {
#include <abstractions/base>
#include <abstractions/freedesktop.org>
#include <abstractions/fonts>
......@@ -106,5 +106,5 @@ profile home-jdownloader-install @{exec_path} {
deny owner @{JD_INSTALLDIR}/jre/lib/*/*.so m,
deny owner @{JD_INSTALLDIR}/JDownloader2 rx,
#include <local/home-jdownloader-install>
#include <local/jdownloader-install>
}
......@@ -12,12 +12,12 @@
#include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/libexec/kcheckpass
profile libexec-kcheckpass @{exec_path} flags=(complain) {
profile kcheckpass @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/authentication>
#include <abstractions/wutmp>
signal (receive) peer=libexec-kscreenlocker-greet,
signal (receive) peer=kscreenlocker-greet,
@{exec_path} mr,
......@@ -30,5 +30,5 @@ profile libexec-kcheckpass @{exec_path} flags=(complain) {
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
#include <local/libexec-kcheckpass>
#include <local/kcheckpass>
}
......@@ -12,7 +12,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/libexec/kscreenlocker_greet
profile libexec-kscreenlocker-greet @{exec_path} flags=(complain) {
profile kscreenlocker-greet @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/fontconfig-cache-read>
......@@ -22,7 +22,7 @@ profile libexec-kscreenlocker-greet @{exec_path} flags=(complain) {
#include <abstractions/mesa>
#include <abstractions/qt5-compose-cache-write>
signal (send) peer=libexec-kcheckpass,
signal (send) peer=kcheckpass,
@{exec_path} mr,
......@@ -79,5 +79,5 @@ profile libexec-kscreenlocker-greet @{exec_path} flags=(complain) {
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
#include <local/libexec-kscreenlocker-greet>
#include <local/kscreenlocker-greet>
}
......@@ -52,7 +52,7 @@ profile lightdm @{exec_path} {
deny capability net_admin,
signal (send) set=(term, kill, usr1),
signal (receive) set=(usr1) peer=xorg-xorg,
signal (receive) set=(usr1) peer=xorg,
@{exec_path} mrix,
......
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2018-2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <abstractions/file-browsing-strict>
# Silencer
deny owner @{HOME}/ r,
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2018-2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <abstractions/file-browsing-strict>
# Silencer
deny owner @{HOME}/ r,
......@@ -9,5 +9,15 @@
#
# ------------------------------------------------------------------
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
# to "1".
#audit deny capability sys_admin,
#audit deny capability sys_chroot,
#audit deny owner @{PROC}/@{pid}/setgroups w,
#audit deny owner @{PROC}/@{pid}/gid_map w,
#audit deny owner @{PROC}/@{pid}/uid_map w,
#include <abstractions/file-browsing-strict>
# file_inherit
owner /dev/log-xsession w,
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
# to "1".
#audit deny capability sys_admin,
#audit deny capability sys_chroot,
#audit deny owner @{PROC}/@{pid}/setgroups w,
#audit deny owner @{PROC}/@{pid}/gid_map w,