update apparmor profiles

parent 33aafe8e
......@@ -22,14 +22,17 @@ profile dhclient-script @{exec_path} {
/{usr/,}bin/dash mrix,
/{usr/,}bin/ping rPUx,
/{usr/,}bin/ping rPx,
# Needed to remove the following error:
# /sbin/dhclient-script: 133: hostname: Permission denied
/{usr/,}bin/hostname rPx,
/etc/ssl/openssl.cnf r,
/etc/ssl/certs/ca-certificates.crt r,
# To read scripts
/etc/dhcp/dhclient-enter-hooks.d/{,*} r,
/etc/dhcp/dhclient-exit-hooks.d/{,*} r,
/etc/dhcp/dhclient-{enter,exit}-hooks.d/{,*} r,
/{usr/,}bin/run-parts rCx -> run-parts,
profile run-parts {
......@@ -57,13 +60,13 @@ profile dhclient-script @{exec_path} {
# For netbios name servers settings from a DHCP server
/var/lib/samba/dhcp.conf{,.new} rw,
# Many scripts can use ip command
# Many scripts may use the ip tool
capability net_admin,
/{usr/,}bin/ip rix,
# For loadbalance
/etc/iproute2/rt_tables r,
/etc/iproute2/rt_tables.d/ r,
/etc/iproute2/rt_tables.d/{,*} r,
owner @{PROC}/@{pid}/loginuid r,
# For updating the /etc/resolv.conf file
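Review bot: `/{usr/,}bin/hostname rPx,` in the first hunk only cures the quoted "hostname: Permission denied" if a `hostname` profile is actually loaded — with `Px` and no matching profile the exec is refused outright, whereas `PUx` falls back to unconfined. The same dependency now applies to the tightened `/{usr/,}bin/ping rPx,`. If both profiles ship in this set, a comment such as `# Px: requires the hostname and ping profiles from this repo to be loaded` records why the stricter mode is safe here.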
......
......@@ -82,7 +82,7 @@ profile dpkg @{exec_path} flags=(complain) {
/var/spool/ r,
/var/spool/** rwl -> /var/spool/**,
# To create log and cache dirs
/var/log/*/ rw,
/var/log/**/ rw,
/var/cache/**/ rw,
# file_inherit
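Review bot: `/var/log/**/ rw,` and `/var/cache/**/ rw,` let dpkg create and remove directory trees at any depth under /var/log and /var/cache, while the comment only says `# To create log and cache dirs`. If only one more level is needed, `/var/log/*/*/ rw,` keeps the grant narrow; otherwise a comment naming the package or maintainer script that needs the deep tree would justify the wildcard. Because this profile runs in complain mode, an over-broad rule never shows up as an audit denial, so the comment is the only guard.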
......
......@@ -15,15 +15,17 @@
profile ifup @{exec_path} flags=(complain) {
#include <abstractions/base>
capability net_admin,
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/run-parts rCx -> run-parts,
/{usr/,}bin/ip rCx -> ip,
/{usr/,}bin/ip rix,
/{usr/,}sbin/dhclient rPx,
/{usr/,}bin/run-parts rCx -> run-parts,
/etc/network/interfaces r,
/etc/network/interfaces.d/{,*} r,
......@@ -48,7 +50,7 @@ profile ifup @{exec_path} flags=(complain) {
/etc/hostapd/ifupdown.sh rPUx,
/etc/network/if-post-down.d/ifenslave rPUx,
/etc/network/if-post-down.d/macchanger rPUx,
/etc/macchanger/ifupdown.sh rPUx,
/etc/macchanger/ifupdown.sh rPUx,
/etc/network/if-post-down.d/wireless-tools rPUx,
/etc/network/if-post-down.d/wpasupplicant rPUx,
......@@ -70,14 +72,5 @@ profile ifup @{exec_path} flags=(complain) {
}
profile ip flags=(complain) {
#include <abstractions/base>
capability net_admin,
/{usr/,}bin/ip mr,
}
#include <local/ifup>
}
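Review bot: `/{usr/,}bin/ip rix,` in the first hunk runs ip inside ifup's own profile, replacing the minimal `profile ip` child that the last hunk deletes (only `capability net_admin` and `/{usr/,}bin/ip mr`), so ip now inherits every rule ifup has. Since the commit also edits a standalone `profile ip @{exec_path}` in this set, `/{usr/,}bin/ip rPx,` would keep ip under its own confinement the way dhclient already is via `rPx`; if that profile is not guaranteed to be loaded, `rPUx` is the fallback. This does match dhclient-script's `/{usr/,}bin/ip rix,`, but a comment stating why the child profile was dropped would help the next reader either way.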
......@@ -32,10 +32,7 @@ profile ip @{exec_path} flags=(complain, attach_disconnected) {
umount /{var/,}run/netns/*,
umount /sys/,
/etc/iproute2/group r,
/etc/iproute2/rt_tables r,
/etc/iproute2/rt_tables.d/{,*} r,
/etc/iproute2/{,**} r,
/ r,
owner /{var/,}run/netns/ rw,
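Review bot: `/ r,` is new and has no comment; nothing in the hunk says why ip needs to list the filesystem root, and reading `/` is the kind of grant that gets copied into other profiles unexamined. Suggest a comment above it such as `# <reason ip lists / — confirm>`, or drop the rule if it was only added to silence a stray denial. Collapsing the three iproute2 rules into `/etc/iproute2/{,**} r,` is fine, since that directory holds only iproute2 lookup tables and configuration.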
......
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
owner /dev/log-gnupg w,
......@@ -43,6 +43,7 @@ profile mkinitramfs @{exec_path} {
/{usr/,}bin/gzip rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/cpio rix,
/{usr/,}bin/env rix,
/{usr/,}bin/ldd rCx -> ldd,
/{usr/,}sbin/ldconfig rCx -> ldconfig,
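Review bot: `/{usr/,}bin/env rix,` lacks a comment saying which hook or script invokes env; the neighbouring rules are plain tools, and env is usually needed only for `#!/usr/bin/env` shebangs — presumably a hook script here, worth confirming. `ix` is the right mode, since whatever env launches still needs its own exec rule in this profile. Suggest `# For hook scripts that use an env shebang` above the rule.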
......
......@@ -121,6 +121,7 @@ profile psi-plus @{exec_path} {
owner @{HOME}/.gnupg/ rw,
owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
#include <local/psi-plus_gpg>
}
#include <local/psi-plus>
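Review bot: `#include <local/psi-plus_gpg>` makes apparmor_parser reject the whole psi-plus profile unless that file exists, and it appears to sit inside the gpg child profile, which the hunk shows closing right after it. Make sure the package ships a (possibly empty) `local/psi-plus_gpg` alongside the existing `local/psi-plus`, or use `#include if exists <local/psi-plus_gpg>` where the installed parser supports it.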
......
......@@ -30,7 +30,7 @@ profile qpdfview @{exec_path} {
@{exec_path} mr,
# What's this for?
# For PDF's internal compression
/{usr/,}bin/gzip rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/xz rix,
......@@ -60,10 +60,10 @@ profile qpdfview @{exec_path} {
/dev/shm/#[0-9]*[0-9] rw,
owner @{PROC}/@{pid}/cmdline r,
@{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny owner @{PROC}/@{pid}/cmdline r,
deny @{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
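Review bot: the two new `deny` rules for `@{PROC}/@{pid}/cmdline` and `@{PROC}/sys/kernel/random/boot_id` carry no comment; a later maintainer may flip them back to allow, or not realise they are deliberate noise suppression. `deny` also stops the access from being logged, so a genuine future need will not appear in audit. Suggest `# Not needed by qpdfview; denied to silence the log` above the pair — assuming that is the intent, since the hunk itself does not say.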
......
......@@ -42,6 +42,9 @@ profile updatedb-mlocate @{exec_path} {
/opt/ r,
/opt/**/ r,
/srv/ r,
/srv/**/ r,
/{var/,}run/mlocate.daily.lock r,
owner @{PROC}/@{pid}/mountinfo r,
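Review bot: `/{var/,}run/mlocate.daily.lock r,` grants only read; if updatedb itself takes the lock (flock/fcntl) it also needs `k`, i.e. `/{var/,}run/mlocate.daily.lock rk,`, and if the lock is held only by the cron wrapper and reaches updatedb as an inherited fd, a `# file_inherit` comment like the one in the dpkg profile would make that clear. I cannot tell from the hunk which case applies. The new `/srv/ r,` and `/srv/**/ r,` follow the existing /opt pattern.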
......
......@@ -42,7 +42,7 @@ profile xarchiver @{exec_path} {
/{usr/,}bin/cpio rix,
/{usr/,}bin/gzip rix,
# For deb packages
/{usr/,}bin/x86_64-linux-gnu-ar rix,
/{usr/,}bin/{,@{multiarch}-}ar rix,
/{usr/,}bin/xdg-open rPUx,
......
......@@ -146,7 +146,7 @@ profile xorg-xorg @{exec_path} flags=(attach_disconnected) {
# gdbus
capability setgid,
ptrace (trace) peer=lib-Xorg,
ptrace (trace) peer=xorg-xorg,
/{usr/,}bin/pkexec mr,
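Review bot: `ptrace (trace) peer=xorg-xorg,` grants full trace over other processes in the same profile, but the `# gdbus` comment above suggests the need is only reading peers' /proc entries, for which `ptrace (read) peer=xorg-xorg,` is sufficient and narrower. If full trace really is required, a comment saying so would stop the next reviewer from narrowing it. The rename from `lib-Xorg` to `xorg-xorg` itself looks like a straightforward profile-name fix.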
......
......@@ -53,6 +53,8 @@
@{ytdl_ext} += [mM][pP]2[tT]
# m4a
@{ytdl_ext} += [mM]4[aA]
# flv
@{ytdl_ext} += [fF][lL][vV]
# ytdl
@{ytdl_ext} += [yY][tT][dD][lL]
# part
......