update apparmor profiles

parent 81cdeb76
......@@ -86,6 +86,7 @@ profile apt-key @{exec_path} flags=(complain) {
/usr/share/gnupg/sks-keyservers.netCA.pem r,
/etc/hosts r,
/etc/inputrc r,
# File_inherit
owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w,
......
......@@ -29,7 +29,7 @@ profile brave @{exec_path} {
#include <abstractions/user-download-strict>
#include <abstractions/nameservice-strict>
#include <abstractions/dconf-deny>
#include <abstractions/thumbnails-cache-write>
##include <abstractions/thumbnails-cache-write>
capability sys_ptrace,
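Review bot: The `##include <abstractions/thumbnails-cache-write>` line that replaces the active include has no explanation and differs from a live `#include` by one character, so it is easy to misread as still active. A short comment above it, such as `# thumbnails-cache-write disabled: <reason>`, would record that dropping thumbnail-cache write access is deliberate. The same substitution appears in the chromium-chromium, claws-mail, discord, engrampa, firefox, flameshot, freetube, google-chrome-chrome, opera, thunderbird, udiskie and xarchiver sections, and ganyremote and qpdfview gain the same disabled line. The profile body continues outside this hunk.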
......
......@@ -31,7 +31,7 @@ profile child-dpkg {
/etc/dpkg/dpkg.cfg.d/{,*} r,
/etc/dpkg/dpkg.cfg r,
/var/lib/dpkg/arch r,
/var/lib/dpkg/** r,
# file_inherit
/dev/tty[0-9]* rw,
......
......@@ -26,7 +26,7 @@ profile chromium-chromium @{exec_path} {
#include <abstractions/mesa>
#include <abstractions/audio>
#include <abstractions/user-download-strict>
#include <abstractions/thumbnails-cache-write>
##include <abstractions/thumbnails-cache-write>
#include <abstractions/nameservice-strict>
#include <abstractions/dconf-deny>
......
......@@ -22,7 +22,7 @@ profile claws-mail @{exec_path} flags=(complain) {
#include <abstractions/user-download-strict>
#include <abstractions/nameservice-strict>
#include <abstractions/audio>
#include <abstractions/thumbnails-cache-write>
##include <abstractions/thumbnails-cache-write>
@{exec_path} mr,
......
......@@ -22,7 +22,11 @@ profile crontab @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/dash rix,
# When editing the crontab file
/{usr/,}bin/sensible-editor rCx -> editor,
/{usr/,}bin/vim.* rCx -> editor,
/var/spool/cron/ r,
/var/spool/cron/crontabs/ rw,
......@@ -30,9 +34,8 @@ profile crontab @{exec_path} {
owner /tmp/crontab.*/{,crontab} rw,
# When editing the crontab file
/{usr/,}bin/sensible-editor rCx -> sensibleeditor,
profile sensibleeditor {
profile editor {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
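Review bot: Both `sensible-editor` and `vim.*` now transition to the renamed child profile `editor`, but only its first two includes are visible here, so whether the child was adjusted for vim cannot be checked from this hunk. An editor started from crontab can run further commands and write files, so it is worth confirming that the child grants only the `/tmp/crontab.*/` working file plus what the editor needs to start. It is also worth checking that no rule elsewhere still names the old `sensibleeditor` profile. A header comment on the child, e.g. `# Confines the editor started by crontab -e`, would document the rename.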
......
......@@ -28,7 +28,7 @@ profile discord @{exec_path} {
#include <abstractions/audio>
#include <abstractions/mesa>
#include <abstractions/user-download-strict>
#include <abstractions/thumbnails-cache-write>
##include <abstractions/thumbnails-cache-write>
signal (send) set=(kill, term) [email protected]{profile_name}//lsb_release,
......
......@@ -20,7 +20,7 @@ profile engrampa @{exec_path} {
#include <abstractions/freedesktop.org>
#include <abstractions/nameservice-strict>
#include <abstractions/user-download-strict>
#include <abstractions/thumbnails-cache-write>
##include <abstractions/thumbnails-cache-write>
#include <abstractions/dconf-deny>
@{exec_path} mr,
......
......@@ -27,10 +27,10 @@ profile firefox @{exec_path} {
#include <abstractions/audio>
#include <abstractions/enchant>
#include <abstractions/user-download-strict>
#include <abstractions/thumbnails-cache-write>
##include <abstractions/thumbnails-cache-write>
#include <abstractions/nameservice-strict>
#include <abstractions/dconf-deny>
# #include <abstractions/nvidia>
##include <abstractions/nvidia>
ptrace [email protected]{profile_name},
......@@ -179,6 +179,7 @@ profile firefox @{exec_path} {
/{usr/,}bin/thunderbird rPUx,
/{usr/,}bin/telegram-desktop rPUx,
/{usr/,}bin/spacefm rPUx,
/{usr/,}bin/qpdfview rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
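Review bot: The `rPUx` mode on the `/{usr/,}bin/qpdfview` rule falls back to running the program unconfined when no qpdfview profile is loaded, so on such a system a document handed over from the browser would be opened without confinement. This commit page also touches a `qpdfview` profile, and the telegram-desktop section uses `rPx` for its helper applications, so `/{usr/,}bin/qpdfview rPx,` would fail closed instead. The rendered page does not show which line of this hunk is new, so the point applies to the rule as displayed on the new side. The thunderbird section carries the same `rPUx` rule for qpdfview.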
......
......@@ -23,7 +23,7 @@ profile flameshot @{exec_path} {
#include <abstractions/mesa>
#include <abstractions/qt5-compose-cache-write>
#include <abstractions/qt5-settings-write>
#include <abstractions/thumbnails-cache-write>
##include <abstractions/thumbnails-cache-write>
#include <abstractions/user-download-strict>
#include <abstractions/nameservice-strict>
......
......@@ -27,7 +27,7 @@ profile freetube @{exec_path} {
#include <abstractions/nameservice-strict>
#include <abstractions/dconf-deny>
#include <abstractions/user-download-strict>
#include <abstractions/thumbnails-cache-write>
##include <abstractions/thumbnails-cache-write>
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
# to "1".
......
......@@ -22,6 +22,7 @@ profile ganyremote @{exec_path} {
#include <abstractions/fontconfig-cache-read>
#include <abstractions/user-download-strict>
#include <abstractions/python>
##include <abstractions/thumbnails-cache-write>
@{exec_path} r,
......@@ -71,8 +72,6 @@ profile ganyremote @{exec_path} {
deny /usr/share/doc/ r,
/usr/share/doc/anyremote{,-data}/ r,
owner @{HOME}/.cache/thumbnails/{large,normal}/[a-f0-9]*.png r,
profile killall {
#include <abstractions/base>
......
......@@ -26,7 +26,7 @@ profile google-chrome-chrome @{exec_path} {
#include <abstractions/mesa>
#include <abstractions/audio>
#include <abstractions/user-download-strict>
#include <abstractions/thumbnails-cache-write>
##include <abstractions/thumbnails-cache-write>
#include <abstractions/nameservice-strict>
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
......
......@@ -27,6 +27,7 @@ profile gpg @{exec_path} {
/{usr/,}lib/gnupg/scdaemon rPx,
# GPG config files
owner @{HOME}/ r,
owner @{HOME}/.gnupg/ rw,
owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
......
......@@ -21,10 +21,12 @@ profile gpg-agent @{exec_path} {
/{usr/,}lib/gnupg/scdaemon rPx,
/usr/share/gnupg/* r,
owner @{HOME}/.gnupg/ w,
owner @{HOME}/.gnupg/gpg-agent.conf r,
owner @{HOME}/.gnupg/private-keys-v1.d/ rw,
owner @{HOME}/.gnupg/private-keys-v1.d/[0-9A-F]*.key r,
owner @{HOME}/.gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
# For SDDM
owner /var/lib/sddm/.gnupg/private-keys-v1.d/ rw,
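Review bot: The rule for `private-keys-v1.d/[0-9A-F]*.key` is shown with both `r` and `rw`, which suggests the commit widens it to write access on private key files. A one-line comment stating why write is needed (presumably key generation, import or passphrase change) would make that grant reviewable. The glob `[0-9A-F]*.key` constrains only the first character of the file name, so it matches more than keygrip-named files. The `/var/lib/sddm/.gnupg/private-keys-v1.d/` directory rule has no matching `.key` file rule in the visible lines; it may sit in the part of the profile outside the hunk.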
......
......@@ -119,6 +119,7 @@ profile keepassxc @{exec_path} {
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
/{usr/,}bin/geany rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
......
......@@ -12,3 +12,6 @@
#include <abstractions/file-browsing-strict>
/var/cache/apt/archives/*.deb r,
# file_inherit
owner /dev/log-xsession w,
......@@ -26,7 +26,7 @@ profile opera @{exec_path} {
#include <abstractions/mesa>
#include <abstractions/audio>
#include <abstractions/user-download-strict>
#include <abstractions/thumbnails-cache-write>
##include <abstractions/thumbnails-cache-write>
#include <abstractions/nameservice-strict>
#include <abstractions/dconf-deny>
......
......@@ -27,6 +27,7 @@ profile qpdfview @{exec_path} {
#include <abstractions/dri-enumerate>
#include <abstractions/qt5-settings-write>
#include <abstractions/qt5-compose-cache-write>
##include <abstractions/thumbnails-cache-write>
@{exec_path} mr,
......@@ -73,8 +74,6 @@ profile qpdfview @{exec_path} {
/usr/share/hwdata/pnp.ids r,
owner @{HOME}/.cache/thumbnails/{large,normal}/[a-f0-9]*.png r,
# Print
owner /tmp/[0-9a-f]* rw,
......
......@@ -28,6 +28,7 @@ profile telegram-desktop @{exec_path} {
#include <abstractions/qt5-settings-write>
#include <abstractions/mesa>
#include <abstractions/nameservice-strict>
#include <abstractions/enchant>
@{exec_path} mr,
......@@ -79,6 +80,7 @@ profile telegram-desktop @{exec_path} {
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/smplayer rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
......
......@@ -30,7 +30,7 @@ profile thunderbird @{exec_path} {
#include <abstractions/audio>
#include <abstractions/enchant>
#include <abstractions/user-download-strict>
#include <abstractions/thumbnails-cache-write>
##include <abstractions/thumbnails-cache-write>
#include <abstractions/mesa>
#include <abstractions/nameservice-strict>
#include <abstractions/dconf-deny>
......@@ -218,6 +218,7 @@ profile thunderbird @{exec_path} {
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
/{usr/,}bin/qpdfview rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
......
......@@ -21,7 +21,7 @@ profile udiskie @{exec_path} {
#include <abstractions/gtk>
#include <abstractions/python>
#include <abstractions/user-download-strict>
#include <abstractions/thumbnails-cache-write>
##include <abstractions/thumbnails-cache-write>
#include <abstractions/mesa>
#include <abstractions/dri-enumerate>
......
......@@ -20,7 +20,7 @@ profile xarchiver @{exec_path} {
#include <abstractions/freedesktop.org>
#include <abstractions/nameservice-strict>
#include <abstractions/user-download-strict>
#include <abstractions/thumbnails-cache-write>
##include <abstractions/thumbnails-cache-write>
@{exec_path} mrix,
......