update apparmor profiles

parent db70c29a
......@@ -136,6 +136,7 @@
signal (receive) peer=top,
signal (receive) peer=htop,
signal (receive) set=(term, kill) peer=systemd-shutdown,
signal (receive) set=(term, kill) peer=openbox,
signal (receive) set=(cont) peer=su,
signal (receive) set=(cont) peer=sudo,
......
......@@ -17,6 +17,8 @@
/usr/share/fonts/ r,
/usr/share/fonts/** r,
/usr/share/fonts-*/**.{eot,svg,ttf,otf,woff,woff2} r,
/etc/fonts/** r,
# Debian, openSUSE paths are different
/usr/share/{fontconfig,fonts-config,*-fonts}/conf.avail/{,**} r,
......
......@@ -29,6 +29,11 @@
/var/lib/extrausers/group r,
/var/lib/extrausers/passwd r,
# NSS records from systemd-userdbd.service
/{,var/}run/systemd/userdb/ r,
/{,var/}run/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
@{PROC}/sys/kernel/random/boot_id r,
# When using sssd, the passwd and group files are stored in an alternate path
# and the nss plugin also needs to talk to a pipe
/var/lib/sss/mc/group r,
......@@ -69,11 +74,6 @@
@{PROC}/@{pid}/net/psched r,
/etc/libnl-*/classid r,
# NSS records from systemd-userdbd.service
/{var,}run/systemd/userdb/ r,
/{var,}run/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
@{PROC}/sys/kernel/random/boot_id r,
# nis
#include <abstractions/nis>
......
......@@ -14,7 +14,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}bin/dbus-daemon
profile dbus-daemon @{exec_path} flags=(complain) {
profile dbus-daemon @{exec_path} {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
......
......@@ -17,6 +17,9 @@
profile dconf-service @{exec_path} {
#include <abstractions/base>
# Needed?
deny capability sys_nice,
@{exec_path} mr,
owner /{,var/}run/user/[0-9]*/dconf/ rw,
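Review bot: The `# Needed?` comment above `deny capability sys_nice,` can never be answered from the logs, because an explicit `deny` rule also suppresses the audit message that would show whether dconf-service actually attempts the capability. Either record why the denial is deliberate, e.g. `# dconf-service attempts sys_nice; denied on purpose to keep the audit log quiet`, or write it as `audit deny capability sys_nice,` for a while so the attempt is logged and the comment can be resolved. The profile body continues outside the hunk.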
......
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
......@@ -21,6 +21,8 @@ profile openbox @{exec_path} {
#include <abstractions/freedesktop.org>
#include <abstractions/nameservice-strict>
signal (send) set=(term, kill),
@{exec_path} mr,
/{usr/,}lib/@{multiarch}/openbox-autostart rCx -> autostart,
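Review bot: `signal (send) set=(term, kill),` carries no `peer=` qualifier, so openbox is allowed to deliver SIGTERM/SIGKILL to any process that DAC permits, not only to the confined clients that were given a matching `signal (receive) set=(term, kill) peer=openbox,` in the first hunk of this commit. If the intent is that the window manager terminates arbitrary session clients on exit, an unbounded send is probably unavoidable, but that reasoning belongs next to the rule, e.g. `# openbox terminates arbitrary session clients on exit, so no peer= restriction is possible`; otherwise narrow it with `peer=` to the profiles that expect the signal. The `profile openbox` header is outside the hunk.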
......
......@@ -33,6 +33,7 @@ profile strawberry-tagreader @{exec_path} {
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
owner @{HOME}/.anyRemote/anyremote.stdout w,
owner @{HOME}/.cache/gstreamer-*/registry.x86_64.bin.tmp* rw,
#include if exists <local/strawberry-tagreader>
}
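Review bot: `registry.x86_64.bin.tmp*` hard-codes the CPU architecture, so on i686 or aarch64 hosts the gstreamer registry temp file will not match and the write is denied. gstreamer names the registry after the host CPU, so the rule should read `owner @{HOME}/.cache/gstreamer-*/registry.*.bin.tmp* rw,` (or an explicit alternation of the architectures the project supports). The final `registry.*.bin` that the temp file presumably gets renamed to is not covered by this rule either; if a gstreamer abstraction is expected to handle it, that is worth confirming in complain mode.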
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
#include <tunables/global>
@{exec_path} = /{usr/,}bin/syncthing
profile syncthing @{exec_path} {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
#include <abstractions/ssl_certs>
@{exec_path} mrix,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/ip rix,
owner @{HOME}/ r,
owner @{HOME}/.config/syncthing/ rw,
owner @{HOME}/.config/syncthing/** rwk,
# The sync folders
#owner @{HOME}/Sync/{,**} rw,
owner /media/*/syncthing/{,**} rw,
/etc/mime.types r,
@{PROC}/sys/net/core/somaxconn r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
# Silecne the noise
deny /etc/ssl/certs/java/ r,
profile open {
#include <abstractions/base>
#include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
}
#include if exists <local/syncthing>
}
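Review bot: The sync-folder rules hard-code `owner /media/*/syncthing/{,**} rw,` while Syncthing's default folder `@{HOME}/Sync/` is left commented out, which makes the profile fit one machine rather than the distribution. Keep `owner @{HOME}/Sync/{,**} rw,` enabled and move the `/media` path into the `local/syncthing` override that the profile already includes at the bottom. The comment `# Silecne the noise` should read `# Silence the noise`. The profile lands directly in enforce mode although the other profiles in this commit were first carried with `flags=(complain)`; as no `network` rule appears in the profile itself, it is worth verifying that `nameservice-strict` supplies what Syncthing's listener and GUI need before enforcing.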
......@@ -14,7 +14,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}bin/journalctl
profile systemd-journalctl @{exec_path} flags=(complain) {
profile systemd-journalctl @{exec_path} {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/systemd-common>
......
......@@ -128,7 +128,7 @@ profile thunderbird @{exec_path} {
owner @{PROC}/@{pid}/mounts r,
deny @{PROC}/@{pid}/net/arp r,
deny @{PROC}/@{pid}/net/route r,
# for did
# for dig
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/var/lib/dbus/machine-id r,
......
......@@ -35,6 +35,7 @@ profile update-pciids @{exec_path} {
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/zgrep rix,
/{usr/,}bin/wget rCx -> browse,
/{usr/,}bin/curl rCx -> browse,
......@@ -58,6 +59,7 @@ profile update-pciids @{exec_path} {
owner @{HOME}/.wget-hsts rwk,
/usr/share/misc/pci.ids.new w,
/usr/share/misc/pci.ids.gz.new w,
}
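Review bot: `/{usr/,}bin/zgrep rix,` runs zgrep inherited, and zgrep is a shell script that in turn executes `grep` (and `gzip`, which the profile already allows); unless `grep` and the interpreting shell are permitted in the part of the profile outside the hunk, the call will be denied. Add `/{usr/,}bin/grep rix,` next to the gzip rule or confirm it already exists. The second hunk only adds `/usr/share/misc/pci.ids.gz.new w,`, which is consistent with the existing `.new` rule.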
......
......@@ -16,21 +16,29 @@
network packet raw,
network packet dgram,
/usr/bin/dash rix,
/usr/bin/bash rix,
/bin/dash rix,
/bin/bash rix,
/etc/fwknop/access.conf r,
/etc/fwknop/fwknopd.conf r,
/etc/host.conf r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/protocols r,
/etc/resolv.conf r,
/etc/services r,
@{PROC}/@{pid}/net/ip_tables_names r,
/root/.gnupg/* rwkl,
/run/fwknop/ rw,
/run/fwknop/* rwk,
/run/resolvconf/resolv.conf r,
/run/xtables.lock rwk,
/usr/sbin/xtables-multi rix,
/sbin/ipset rix,
/sbin/xtables-legacy-multi rix,
/sbin/xtables-multi rix,
/usr/bin/gpg rix,
/usr/sbin/fwknopd mr,
/usr/sbin/ipset rix,
/usr/sbin/xtables-legacy-multi rix,
/usr/sbin/xtables-nft-multi rix,
/var/cache/nscd/passwd r,
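Review bot: This hunk lists each binary twice for merged and unmerged /usr (`/usr/bin/dash` and `/bin/dash`, `/sbin/xtables-multi` and `/usr/sbin/xtables-multi`, and so on) instead of the `/{usr/,}bin/` alternation used everywhere else in this commit (see the update-pciids and syncthing hunks). Collapse them to `/{usr/,}bin/{dash,bash} rix,`, `/{usr/,}sbin/xtables-{legacy-,nft-,}multi rix,` and `/{usr/,}sbin/ipset rix,` (likewise `/{usr/,}bin/gpg rix,`), which also removes the asymmetry of `xtables-nft-multi` being allowed only under /usr/sbin. The `/run/fwknop/` rules should likewise use the `/{,var/}run/` form the other profiles use. The enclosing profile starts and ends outside the hunk.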
......