update apparmor profiles

parent da8164ce
......@@ -131,6 +131,9 @@ profile anki @{exec_path} {
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile mpv {
#include <abstractions/base>
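Review bot: The `/{usr/,}lib/firefox/firefox rPUx,` line this hunk appears to add under `# Allowed apps to open` uses the `PUx` transition, which runs firefox unconfined (with a scrubbed environment) whenever no firefox profile is loaded, whereas the telegram-desktop section of this same commit uses `rPx` for the identical target and therefore fails closed. Since this repository ships a firefox profile (its section is patched further down), `/{usr/,}lib/firefox/firefox rPx,` is the consistent choice; a missing profile then shows up as an exec denial in the audit log instead of silently dropping confinement. The same `rPUx` form is added in the atom, discord, dropbox, engrampa, firefox, freetube, hardinfo, keepassxc, megasync, minitube, mumble, okular, orage, psi-plus, qbittorrent, qnapi, qpdfview, querybts, quiterss, reportbug, smtube, strawberry, thunderbird, vidcutter, wireshark and xarchiver sections; the firefox and qbittorrent lists in particular hand a dozen helper programs to unconfined if any one of them lacks a loaded profile. If `PUx` is deliberate for targets that may have no profile installed, a one-line comment stating that policy next to the `# Allowed apps to open` header would make the fallback explicit. The enclosing anki profile starts and ends outside the hunk.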
......
......@@ -50,6 +50,9 @@ profile apt-methods-http @{exec_path} flags=(complain) {
owner /tmp/apt-changelog-*/*.changelog rw,
@{PROC}/1/cgroup r,
@{PROC}/@{pid}/cgroup r,
# file_inherit
/dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
......
......@@ -165,6 +165,9 @@ profile atom @{exec_path} {
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile gpg {
#include <abstractions/base>
......
......@@ -209,6 +209,7 @@ profile brave @{exec_path} {
# Allowed apps to open
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
......
......@@ -121,6 +121,10 @@ profile discord @{exec_path} {
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
deny /{usr/,}bin/xdg-mime mrx,
#/{usr/,}bin/xdg-mime rCx -> xdg-mime,
#profile xdg-mime {
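Review bot: `deny /{usr/,}bin/xdg-mime mrx,` silences the rejection rather than just blocking it: a plain `deny` rule quiets the audit log entry for that access, so there is no later visibility into whether discord keeps trying to spawn xdg-mime. If the intent is only to stop log noise from a harmless probe, say so in a comment; if the attempts should remain visible, `audit deny /{usr/,}bin/xdg-mime mrx,` keeps the log line. The commented-out `rCx -> xdg-mime` alternative left underneath reads as an unfinished child profile; a comment such as `# xdg-mime child profile not needed yet; denied quietly to avoid log spam` (or removing the dead lines) would make the decision clear. The enclosing discord profile starts and ends outside the hunk.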
......
......@@ -127,6 +127,9 @@ profile dropbox @{exec_path} {
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile dbus {
#include <abstractions/base>
......
......@@ -74,6 +74,11 @@ profile engrampa @{exec_path} {
/etc/fstab r,
# Allowed apps to open
/{usr/,}bin/engrampa rPUx,
/{usr/,}bin/geany rPUx,
/{usr/,}bin/viewnior rPUx,
profile open {
#include <abstractions/base>
......
......@@ -75,6 +75,7 @@
@{exec_path} = /{usr/,}bin/ffmpeg
profile ffmpeg @{exec_path} {
#include <abstractions/base>
#include <abstractions/audio>
#include <abstractions/nameservice-strict>
@{exec_path} mr,
......@@ -92,6 +93,11 @@ profile ffmpeg @{exec_path} {
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]/meminfo r,
owner @{HOME}/.Xauthority r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# To generate thumbnails in some apps
owner /tmp/*.{png,jpg} rw,
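Review bot: `owner /tmp/*.{png,jpg} rw,` is justified only by `# To generate thumbnails in some apps`; which apps invoke ffmpeg this way is exactly what the next maintainer needs before widening or removing the rule, so name them in the comment, e.g. `# To generate thumbnails for <app> (TODO: name the caller)`. Note the rule lets ffmpeg read and overwrite any user-owned png/jpg in /tmp, not only files it produced; if the callers use a predictable name, matching that name instead would narrow it. The enclosing ffmpeg profile starts outside the hunk.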
......
......@@ -160,6 +160,19 @@ profile firefox @{exec_path} {
/{usr/,}bin/exo-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
/{usr/,}bin/vlc rPUx,
/{usr/,}bin/qbittorrent rPUx,
/{usr/,}bin/smplayer rPUx,
/{usr/,}bin/geany rPUx,
/{usr/,}bin/okular rPUx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/xarchiver rPUx,
/{usr/,}bin/engrampa rPUx,
/{usr/,}bin/thunderbird rPUx,
/{usr/,}bin/telegram-desktop rPUx,
/{usr/,}bin/spacefm rPUx,
/{usr/,}bin/qpdfview rPUx,
profile open {
#include <abstractions/base>
......
......@@ -34,6 +34,7 @@ profile firefox-minidump-analyzer @{exec_path} {
owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r,
# file_inherit
owner @{MOZ_CACHEDIR}/firefox/*.*/startupCache/*Cache* r,
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
......
......@@ -105,6 +105,9 @@ profile freetube @{exec_path} {
/{usr/,}bin/xdg-open rCx -> open,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile open {
#include <abstractions/base>
......
......@@ -23,8 +23,10 @@ profile fwupdmgr @{exec_path} flags=(complain) {
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/fwupd/ rw,
owner @{HOME}/.cache/fwupd/lvfs-metadata.xml.gz rw,
owner @{HOME}/.cache/fwupd/lvfs-metadata.xml.gz.* rw,
owner @{HOME}/.cache/fwupd/lvfs-metadata.xml.gz{,.*} rw,
owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw,
owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
......
......@@ -31,11 +31,11 @@ profile gpg @{exec_path} {
owner @{HOME}/.gnupg/ rw,
owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
owner @{PROC}/@{pid}/task/@{tid}/stat rw,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/fd/ r,
owner /var/lib/*/gnupg/ rw,
owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**,
/etc/inputrc r,
owner /var/lib/*/.gnupg/ rw,
owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**,
# For flatpak
owner /tmp/ostree-gpg-*/ r,
......@@ -53,12 +53,11 @@ profile gpg @{exec_path} {
# For spamassassin
owner /var/lib/spamassassin/sa-update-keys/** rwkl -> /var/lib/spamassassin/sa-update-keys/**,
# For SDDM
owner /var/lib/sddm/.gnupg/ rw,
owner @{PROC}/@{pid}/task/@{tid}/stat rw,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/fd/ r,
# For fwupd
owner /var/lib/fwupd/gnupg/ rw,
owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**,
/etc/inputrc r,
/etc/nsswitch.conf r,
/etc/passwd r,
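Review bot: The `owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**,` and `owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**,` rules in the first hunk appear to replace the per-service sddm and fwupd rules of the second hunk, and in doing so the `# For SDDM` and `# For fwupd` headers lose the lines they described while the new wildcard carries no comment at all. The `owner` qualifier is what keeps `/var/lib/*/` bounded (gpg only touches keyrings owned by the invoking uid), so that should be stated where the rule lives, e.g. `# Keyrings in service home dirs under /var/lib (sddm, fwupd, ...); owner keeps this to the invoking user`. Note also that the link target on the `l` permission widened from one fixed directory to `/var/lib/*/gnupg/**`, so a keyring link can now be created in any service's gnupg directory the user owns; if that was not intended, keep the target specific. `/etc/inputrc r,` appears in both hunks; if both copies survive on the new side, one is redundant. The enclosing gpg profile starts and ends outside the hunks.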
......
......@@ -29,17 +29,13 @@ profile gpg-agent @{exec_path} {
owner @{HOME}/.gnupg/private-keys-v1.d/ rw,
owner @{HOME}/.gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
# For SDDM
owner /var/lib/sddm/.gnupg/private-keys-v1.d/ rw,
owner /var/lib/sddm/.gnupg/private-keys-v1.d/[0-9A-F]*.key r,
owner /var/lib/*/.gnupg/private-keys-v1.d/ rw,
owner /var/lib/*/.gnupg/private-keys-v1.d/[0-9A-F]*.key r,
owner /var/lib/*/.gnupg/S.gpg-agent rw,
# For LightDM
owner /var/lib/lightdm/.gnupg/private-keys-v1.d/ rw,
owner /var/lib/lightdm/.gnupg/private-keys-v1.d/[0-9A-F]*.key r,
# For fwupd
owner /var/lib/fwupd/.gnupg/private-keys-v1.d/ rw,
owner /var/lib/fwupd/.gnupg/private-keys-v1.d/[0-9A-F]*.key r,
owner /var/lib/*/gnupg/private-keys-v1.d/ rw,
owner /var/lib/*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
owner /var/lib/*/gnupg/S.gpg-agent rw,
@{PROC}/@{pid}/fd/ r,
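Review bot: `owner /var/lib/*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,` grants write access to private key files, whereas the sibling `owner /var/lib/*/.gnupg/private-keys-v1.d/[0-9A-F]*.key r,` rule and the sddm, lightdm and fwupd rules this hunk appears to remove all grant only `r`. Unless one service needs the agent to import or rewrite keys under `/var/lib/*/gnupg/`, keep it at `r` to match: `owner /var/lib/*/gnupg/private-keys-v1.d/[0-9A-F]*.key r,`. If write really is needed, a one-line comment naming the service and the operation that requires it belongs next to the rule, since the wildcard now covers every directory matching the pattern rather than one known service home. The enclosing gpg-agent profile starts and ends outside the hunk.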
......
......@@ -102,6 +102,9 @@ profile hardinfo @{exec_path} {
owner /tmp/#[0-9]*[0-9] rw,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile ccache {
#include <abstractions/base>
......
......@@ -110,6 +110,10 @@ profile keepassxc @{exec_path} {
# file_inherit
/dev/tty[0-9]* rw,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
/{usr/,}bin/geany rPUx,
profile open {
#include <abstractions/base>
......
......@@ -13,7 +13,7 @@
owner /tmp/depmod.*/lib/modules/*/ r,
owner /tmp/depmod.*/lib/modules/*/modules.* rw,
owner /media/*/debian_sources/git-kernel/linux-*/System.map r,
owner /media/*/debian_sources/git-kernel/linux-*/debian/tmp/lib/modules/*/ r,
owner /media/*/debian_sources/git-kernel/linux-*/debian/tmp/lib/modules/*/modules.* rw,
owner /media/*/debian_sources/git-kernel/linux-*/debian/tmp/lib/modules/*/kernel/{,**/} r,
owner /media/*/debian_sources/git-kernel/linux-*/debian/tmp/lib/modules/*/kernel/**/*.ko r,
owner /media/*/debian_sources/git-kernel/linux-*/debian/*/lib/modules/*/ r,
owner /media/*/debian_sources/git-kernel/linux-*/debian/*/lib/modules/*/modules.* rw,
owner /media/*/debian_sources/git-kernel/linux-*/debian/*/lib/modules/*/kernel/{,**/} r,
owner /media/*/debian_sources/git-kernel/linux-*/debian/*/lib/modules/*/kernel/**/*.ko r,
......@@ -79,6 +79,10 @@ profile megasync @{exec_path} {
/etc/ssl/openssl.cnf r,
/etc/ssl/certs/ca-certificates.crt r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
/{usr/,}bin/spacefm rPUx,
profile open {
#include <abstractions/base>
......
......@@ -90,6 +90,9 @@ profile minitube @{exec_path} {
# Be able to turn off the screensaver while playing movies
/{usr/,}bin/xdg-screensaver rPUx,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile open {
#include <abstractions/base>
......
......@@ -72,6 +72,8 @@ profile mumble @{exec_path} {
/usr/share/hwdata/pnp.ids r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile open {
#include <abstractions/base>
......
......@@ -96,6 +96,9 @@ profile okular @{exec_path} {
# About
/usr/share/kf5/licenses/GPL_V2 r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile open {
#include <abstractions/base>
......
......@@ -45,6 +45,9 @@ profile orage @{exec_path} {
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile open {
#include <abstractions/base>
......
......@@ -94,6 +94,9 @@ profile psi-plus @{exec_path} {
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile aplay {
#include <abstractions/base>
......
......@@ -98,6 +98,17 @@ profile qbittorrent @{exec_path} {
/{usr/,}bin/xdg-open rCx -> open,
# Allowed apps to open
/{usr/,}bin/spacefm rPUx,
/{usr/,}bin/smplayer rPUx,
/{usr/,}bin/vlc rPUx,
/{usr/,}bin/mpv rPUx,
/{usr/,}bin/geany rPUx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/qpdfview rPUx,
/{usr/,}bin/ebook-viewer rPUx,
profile python3 {
#include <abstractions/base>
#include <abstractions/python>
......
......@@ -100,6 +100,9 @@ profile qnapi @{exec_path} {
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile open {
#include <abstractions/base>
......
......@@ -87,6 +87,9 @@ profile qpdfview @{exec_path} {
#/{usr/,}lib/qpdfview/libqpdfview_ps.so mr,
#/{usr/,}lib/qpdfview/libqpdfview_djvu.so mr,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile open {
#include <abstractions/base>
......
......@@ -55,6 +55,9 @@ profile querybts @{exec_path} {
/etc/fstab r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile open {
#include <abstractions/base>
......
......@@ -84,6 +84,9 @@ profile quiterss @{exec_path} {
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile open {
#include <abstractions/base>
......
......@@ -87,6 +87,9 @@ profile reportbug @{exec_path} flags=(complain) {
owner /tmp/[a-z0-9]* rw,
owner /var/tmp/*.bug{,~} rw,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile run-parts flags=(complain) {
#include <abstractions/base>
......
......@@ -78,6 +78,9 @@ profile smtube @{exec_path} {
/{usr/,}bin/xdg-open rCx -> open,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile open {
#include <abstractions/base>
......
......@@ -96,6 +96,8 @@ profile strawberry @{exec_path} {
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/*= w,
owner /var/tmp/etilqs_[0-9a-f]* rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
......@@ -108,6 +110,9 @@ profile strawberry @{exec_path} {
# file_inherit
owner @{HOME}/.anyRemote/anyremote.stdout w,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile open {
#include <abstractions/base>
......
......@@ -71,6 +71,11 @@ profile telegram-desktop @{exec_path} {
/etc/ssl/certs/ca-certificates.crt r,
/usr/share/ca-certificates/mozilla/*.crt r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/qpdfview rPx,
profile open {
#include <abstractions/base>
......
......@@ -169,6 +169,10 @@ profile thunderbird @{exec_path} {
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
/{usr/,}bin/qpdfview rPUx,
profile gpg {
#include <abstractions/base>
......
......@@ -134,5 +134,14 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
/etc/xfce4/defaults.list r,
/usr/share/xfce4/applications/ r,
# u2f (tested with Yubikey 4)
/sys/class/ r,
/sys/bus/ r,
/sys/class/hidraw/ r,
/run/udev/data/c24{7,9}:* r,
/dev/hidraw* rw,
# Yubikey NEO also needs this:
/sys/devices/**/hidraw/hidraw*/uevent r,
#include <local/torbrowser.Browser.firefox>
}
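Review bot: The new u2f block uses literal `/sys/...` paths (`/sys/class/ r,`, `/sys/bus/ r,`, `/sys/class/hidraw/ r,`, `/sys/devices/**/hidraw/hidraw*/uevent r,`) while the rest of this profile set writes sysfs paths through the `@{sys}` variable (see the ffmpeg section's `@{sys}/devices/system/node/ r,`); `@{sys}/class/ r,` and so on would keep the convention. `/dev/hidraw* rw,` is broader than the comment suggests: every raw HID node matches, not only the security key, so a comment such as `# NOTE: matches all hidraw nodes, not just U2F tokens; device selection is left to udev` would record the trade-off. The `/run/udev/data/c24{7,9}:* r,` rule hard-codes character majors 247 and 249; as far as I recall hidraw's major is allocated dynamically, so this may need a wider pattern on other kernels and deserves a comment stating which kernel it was observed on. The hunk runs to the profile's closing brace, but the profile starts outside the visible lines.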
......@@ -93,6 +93,9 @@ profile vidcutter @{exec_path} {
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile open {
#include <abstractions/base>
......
......@@ -86,6 +86,9 @@ profile wireshark @{exec_path} {
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile open {
#include <abstractions/base>
......
......@@ -68,6 +68,11 @@ profile xarchiver @{exec_path} {
/etc/fstab r,
# Allowed apps to open
/{usr/,}bin/engrampa rPUx,
/{usr/,}bin/geany rPUx,
/{usr/,}bin/viewnior rPUx,
profile open {
#include <abstractions/base>
......
......@@ -82,6 +82,7 @@ profile youtube-dl @{exec_path} {
/{usr/,}bin/ r,
/{usr/,}bin/gcc rix,
/{usr/,}sbin/ldconfig rix,
/{usr/,}bin/uname rix,
# Which files youtube-dl should be able to open
owner @{HOME}/ r,
......