update apparmor profiles

parent 2f0069ae
......@@ -11,7 +11,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}lib/colord/colord
@{exec_path} = /{usr/,}lib/colord/colord /usr/libexec/colord
profile colord @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
......@@ -19,6 +19,7 @@ profile colord @{exec_path} flags=(complain) {
@{exec_path} mr,
/{usr/,}lib/colord/colord-sane rPx,
/usr/libexec/colord-sane rPx,
owner /var/lib/colord/** r,
owner /var/lib/colord/{mapping,storage}.db rwk,
......@@ -31,6 +32,7 @@ profile colord @{exec_path} flags=(complain) {
@{sys}/bus/usb/devices/ r,
@{sys}/class/ r,
@{sys}/class/drm/ r,
@{sys}/class/video4linux/ r,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP}-*/{enabled,edid} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{uevent,bDeviceClass,removable} r,
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
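Review bot: The `profile colord @{exec_path} flags=(complain)` header is left in complain mode, so the extra attachment path `/usr/libexec/colord` and the `/usr/libexec/colord-sane rPx,` rule mostly change what gets logged. Accesses outside the allow rules are still reported rather than blocked on either path. The same applies to the colord-sane and colord-session sections further down. If this is deliberate while the profiles are being tuned, a comment above the header such as `# complain mode: violations are logged, not blocked` would keep a reader from assuming confinement. Which lines are additions is inferred from the hunk headers, because the page has lost its +/- markers.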
......
......@@ -11,7 +11,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}lib/colord/colord-sane
@{exec_path} = /{usr/,}lib/colord/colord-sane /usr/libexec/colord-sane
profile colord-sane @{exec_path} flags=(complain) {
#include <abstractions/base>
......
......@@ -11,7 +11,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}lib/colord/colord-session
@{exec_path} = /{usr/,}lib/colord/colord-session /usr/libexec/colord-session
profile colord-session @{exec_path} flags=(complain) {
#include <abstractions/base>
......
......@@ -12,7 +12,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}libexec/rtkit-daemon
@{exec_path} = /usr/libexec/rtkit-daemon
profile rtkit-daemon @{exec_path} {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
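Review bot: The `@{exec_path}` line appears to be narrowed to the single value `/usr/libexec/rtkit-daemon`, whereas every other profile touched here keeps its old `lib` path and adds the `libexec` one. A profile attaches by path only, so where the daemon is installed anywhere else it starts unconfined, with nothing in the log to show it. Some distributions have shipped it as /usr/lib/rtkit/rtkit-daemon; listing both, e.g. `@{exec_path} = /{usr/,}lib/rtkit/rtkit-daemon /usr/libexec/rtkit-daemon`, would keep the profile attached there. That extra path should be confirmed against the distributions this repository targets. The side of each printed line is inferred from print order, as the +/- markers are missing.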
......
......@@ -68,6 +68,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r,
owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/{,**} rwk,
owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r,
owner @{torbrowser_home_dir}/fonts/* l,
owner @{torbrowser_home_dir}/TorBrowser/Tor/tor px,
owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
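Review bot: The `owner @{torbrowser_home_dir}/fonts/* l,` rule (apparently the line this hunk adds) has no comment saying which browser operation needs link permission on the fonts directory. A link rule lets the process create hard links at those names, which is unusual enough in this profile to deserve a reason next to it. A line such as `# Needed for <operation> at startup; link only, no write` would let a later reviewer judge whether the rule can be dropped. The profile body starts and ends outside the hunk.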
......
......@@ -24,6 +24,7 @@ profile torbrowser_tor @{torbrowser_tor_executable} {
# Support some of the included pluggable transports
owner @{torbrowser_home_dir}/TorBrowser/Tor/PluggableTransports/** rix,
@{PROC}/sys/net/core/somaxconn r,
#include <abstractions/ssl_certs>
# Silence file_inherit logs
deny @{torbrowser_home_dir}/{browser/,}omni.ja r,
......@@ -31,6 +32,9 @@ profile torbrowser_tor @{torbrowser_tor_executable} {
deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/.parentlock rw,
deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r,
deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/startupCache/* r,
# Silence logs from included pluggable transports
deny /etc/hosts r,
deny /etc/services r,
@{PROC}/sys/kernel/random/uuid r,
/sys/devices/system/cpu/ r,
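Review bot: The `deny /etc/hosts r,` and `deny /etc/services r,` rules under "Silence logs from included pluggable transports" do more than silence logs. An explicit deny overrides any allow rule, including one from an abstraction or a local include, and it is not audited. The pluggable transports are executed with `rix` in the hunk above, so they inherit this profile and any lookup against those two files fails without leaving an audit record. The comment should say so, for example `# Deny (unlogged) hosts/services reads by pluggable transports; overrides any allow`, and `audit deny` is available if the denials should stay visible to monitoring. The profile body continues outside both hunks.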
......
......@@ -11,8 +11,8 @@
#include <tunables/global>
@{exec_path} = /{usr/,}lib/udisks2/udisksd
profile udisks-udisksd @{exec_path} {
@{exec_path} = /{usr/,}lib/udisks2/udisksd /usr/libexec/udisks2/udisksd
profile udisksd @{exec_path} {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
#include <abstractions/disks-write>
......@@ -137,5 +137,5 @@ profile udisks-udisksd @{exec_path} {
}
#include if exists <local/udisks-udisksd>
#include if exists <local/udisksd>
}
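Review bot: Renaming the profile from `udisks-udisksd` to `udisksd` also moves the local override to `<local/udisksd>`. Because that line is `include if exists`, an administrator's existing `local/udisks-udisksd` file stops being read without any error. Any rule elsewhere that names the old profile (a `peer=` label in dbus, signal or ptrace rules, or a named `Px ->` transition) would stop matching too; the page does not show whether such references exist. The previously loaded profile may also remain in the kernel under its old name until it is removed or the machine reboots. A migration note in the commit description, or keeping `#include if exists <local/udisks-udisksd>` next to the new include for a transition period, would cover this.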
......@@ -11,7 +11,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}lib/upower/upowerd
@{exec_path} = /{usr/,}lib/upower/upowerd /usr/libexec/upowerd
profile upowerd @{exec_path} {
#include <abstractions/base>
......