update apparmor profiles

parent b3a7bef0
......@@ -11,6 +11,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#include <abstractions/dri-common>
......
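Review bot: Every profile that pulls in this abstraction now inherits the `abi <abi/3.0>,` declaration, and as far as I recall apparmor_parser treats a profile whose own abi differs from one declared in an included file as a conflict, while a profile with no abi of its own silently adopts the included one. Third-party or locally written profiles that include this abstraction under an older or pinned abi should therefore be expected to fail to load or to change enforcement behaviour, which is worth a changelog note for downstream users. A one-line comment above the rule would also help the next maintainer, e.g. `# abi declared here: consumers must declare abi/3.0 too, otherwise the parser reports a conflict`. The abstraction's remaining rules lie outside the hunk.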
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#include <abstractions/apt-pkgcache>
/var/cache/apt/archives/ r,
......
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/etc/apt/apt.conf r,
/etc/apt/apt.conf.d/{,*} r,
......
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# For downloading the source of packages (apt-get source)
owner /media/*/debian_sources/.apt-acquire-privs-test.* w,
owner /media/*/debian_sources/*.dsc rw,
......
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# For local Debian repository (reprepro)
/media/*/*/ r,
/media/*/*/debian/ r,
......
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
/var/cache/apt/ r,
/var/cache/apt/pkgcache.bin{,.*} rw,
/var/cache/apt/srcpkgcache.bin{,.*} rw,
abi <abi/3.0>,
/var/cache/apt/ r,
/var/cache/apt/pkgcache.bin{,.*} rw,
/var/cache/apt/srcpkgcache.bin{,.*} rw,
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
deny /etc/dconf/{,**} r,
# When this is blocked, expect lots of the following errors:
......
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# The /sys/ entries probably should be tightened
/dev/ r,
......
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# The /sys/ entries probably should be tightened
/dev/ r,
......
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
deny @{PROC}/@{pid}/mountinfo r,
deny @{PROC}/@{pid}/mounts r,
......
......@@ -11,6 +11,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# Flatpak
/var/lib/flatpak/exports/share/{,**} r,
/var/lib/flatpak/app/**/export/share/applications/{,*.desktop} r,
......
......@@ -9,33 +9,35 @@
#
# ------------------------------------------------------------------
# The fontconfig cache can be generated via the following command:
# $ fc-cache -f -v
# There's no need to give apps the ability to create cache for their own. Apps can generate the
# fontconfig cache if some cache files are missing, so if this behavior is desirable, you can use
# the "fontconfig-cache-write" abstraction.
abi <abi/3.0>,
owner @{HOME}/.cache/fontconfig/ r,
deny @{HOME}/.cache/fontconfig/ w,
deny @{HOME}/.cache/fontconfig/** w,
owner @{HOME}/.cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
owner @{HOME}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
# The fontconfig cache can be generated via the following command:
# $ fc-cache -f -v
# There's no need to give apps the ability to create cache for their own. Apps can generate the
# fontconfig cache if some cache files are missing, so if this behavior is desirable, you can use
# the "fontconfig-cache-write" abstraction.
owner @{HOME}/.fontconfig/ r,
deny @{HOME}/.fontconfig/ w,
deny @{HOME}/.fontconfig/** w,
owner @{HOME}/.fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
owner @{HOME}/.fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
owner @{HOME}/.cache/fontconfig/ r,
deny @{HOME}/.cache/fontconfig/ w,
deny @{HOME}/.cache/fontconfig/** w,
owner @{HOME}/.cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
owner @{HOME}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
/var/cache/fontconfig/ r,
deny /var/cache/fontconfig/ w,
deny /var/cache/fontconfig/** w,
/var/cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
/var/cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
owner @{HOME}/.fontconfig/ r,
deny @{HOME}/.fontconfig/ w,
deny @{HOME}/.fontconfig/** w,
owner @{HOME}/.fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
owner @{HOME}/.fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
# This is to create .uuid file containing an UUID at a font directory. The UUID will be used to
# identify the font directory and is used to determine the cache filename if available.
owner /usr/local/share/fonts/.uuid r,
deny /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} w,
/usr/share/**/.uuid r,
deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w,
/var/cache/fontconfig/ r,
deny /var/cache/fontconfig/ w,
deny /var/cache/fontconfig/** w,
/var/cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
/var/cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
# This is to create .uuid file containing an UUID at a font directory. The UUID will be used to
# identify the font directory and is used to determine the cache filename if available.
owner /usr/local/share/fonts/.uuid r,
deny /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} w,
/usr/share/**/.uuid r,
deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w,
......@@ -9,17 +9,19 @@
#
# ------------------------------------------------------------------
owner @{HOME}/.cache/fontconfig/ rw,
owner @{HOME}/.cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,
owner @{HOME}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk,
abi <abi/3.0>,
owner @{HOME}/.fontconfig/ rw,
owner @{HOME}/.fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,
owner @{HOME}/.fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk,
owner @{HOME}/.cache/fontconfig/ rw,
owner @{HOME}/.cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,
owner @{HOME}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk,
# This is to create .uuid file containing an UUID at a font directory. The UUID will be used to
# identify the font directory and is used to determine the cache filename if available.
owner /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} rw,
link /usr/local/share/fonts/.uuid.LCK -> /usr/local/share/fonts/.uuid.TMP-*,
/usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} r,
deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w,
owner @{HOME}/.fontconfig/ rw,
owner @{HOME}/.fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,
owner @{HOME}/.fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk,
# This is to create .uuid file containing an UUID at a font directory. The UUID will be used to
# identify the font directory and is used to determine the cache filename if available.
owner /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} rw,
link /usr/local/share/fonts/.uuid.LCK -> /usr/local/share/fonts/.uuid.TMP-*,
/usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} r,
deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w,
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
owner @{HOME}/.fzf/{,**} r,
owner @{HOME}/.fzf.* r,
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/usr/share/themes/{,**} r,
/etc/gtk-2.0/gtkrc r,
......
......@@ -33,7 +33,7 @@
#
# # Add if audio support for message box is
# # considered as required.
# #include if exists <abstractions/gstreamer>
# include if exists <abstractions/gstreamer>
#
# # < add additional allowed applications here >
# }
......
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/usr/share/kde4/** r,
/{usr/,}lib/kde4/*.so mr,
......
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
##include <abstractions/thumbnails-cache-write>
# KDE/Plasma5 themes
......
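Review bot: `##include <abstractions/thumbnails-cache-write>` is left in the double-hash form while this commit moves the other files to the bare `include if exists` keyword; with the `#` prefix now optional, a double hash reads as either a deliberately disabled include or a typo, and nothing on the line says which. If it is meant to stay disabled, `# include if exists <abstractions/thumbnails-cache-write>  # disabled: <reason>` matches the spelling the commit adopts elsewhere and records the intent; if it should be active, the comment marker should go entirely. The rest of this abstraction lies outside the hunk.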
......@@ -9,19 +9,21 @@
#
# ------------------------------------------------------------------
# System files
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
abi <abi/3.0>,
# Mesa cache (since mesa v18.1.1)
owner @{HOME}/.cache/mesa_shader_cache/ rw,
owner @{HOME}/.cache/mesa_shader_cache/index rw,
owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
# System files
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
# If the dir in @{HOME}/.cache is not writable, it uses a dir in /tmp/
#owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/ rw,
#owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/index rw,
#owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
#owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
#owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
# Mesa cache (since mesa v18.1.1)
owner @{HOME}/.cache/mesa_shader_cache/ rw,
owner @{HOME}/.cache/mesa_shader_cache/index rw,
owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
# If the dir in @{HOME}/.cache is not writable, it uses a dir in /tmp/
#owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/ rw,
#owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/index rw,
#owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
#owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
#owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/etc/hosts r,
/etc/host.conf r,
/etc/resolv.conf r,
......
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
ptrace (read),
owner @{PROC}/@{pid}/stat r,
......
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
owner @{HOME}/.cache/thumbnails/ rw,
owner @{HOME}/.cache/thumbnails/{large,normal}/ rw,
owner @{HOME}/.cache/thumbnails/{large,normal}/#[0-9]*[0-9] rw,
......
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
owner @{HOME}/.config/trashrc rw,
owner @{HOME}/.config/trashrc.lock rwk,
owner @{HOME}/.config/#[0-9]*[0-9] rwk,
......
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
owner @{HOME}/[dD]ownload{,s}/ r,
owner @{HOME}/[dD]ownload{,s}/** rwl,
......
......@@ -9,11 +9,13 @@
#
# ------------------------------------------------------------------
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/vlc/ rw,
owner @{HOME}/.cache/vlc/art/ rw,
owner @{HOME}/.cache/vlc/art/artistalbum/ rw,
owner @{HOME}/.cache/vlc/art/artistalbum/**/ rw,
owner @{HOME}/.cache/vlc/art/artistalbum/**/art rw,
owner @{HOME}/.cache/vlc/art/artistalbum/**/art.jpg rw,
abi <abi/3.0>,
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/vlc/ rw,
owner @{HOME}/.cache/vlc/art/ rw,
owner @{HOME}/.cache/vlc/art/artistalbum/ rw,
owner @{HOME}/.cache/vlc/art/artistalbum/**/ rw,
owner @{HOME}/.cache/vlc/art/artistalbum/**/art rw,
owner @{HOME}/.cache/vlc/art/artistalbum/**/art.jpg rw,
......@@ -10,6 +10,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
owner /{,var/}run/user/[0-9]*/weston-shared-* rw,
owner /{,var/}run/user/[0-9]*/wayland-[0-9]* rw,
owner /{,var/}run/user/[0-9]*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,
......@@ -24,7 +24,7 @@
#
# # Enable gstreamer support if considered required by
# # profile author for (rare) error message boxes.
# #include if exists <abstractions/gstreamer>
# include if exists <abstractions/gstreamer>
#
# # needed for ubuntu-* abstractions
# #include <abstractions/ubuntu-helpers>
......
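Review bot: The commented template now mixes two spellings: the gstreamer line is changed to `# include if exists <abstractions/gstreamer>` while the line just below it still shows `# #include <abstractions/ubuntu-helpers>`. Since this block is what profile authors copy from, it should use one form throughout, i.e. `# include <abstractions/ubuntu-helpers>`. The enclosing comment block starts before the hunk.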
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/usr/share/zsh/{,**} r,
/usr/local/share/zsh/{,**} r,
......
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#include <tunables/global>
@{exec_path} = /{usr/,}lib/accountsservice/accounts-daemon /usr/libexec/accounts-daemon
......@@ -34,5 +36,5 @@ profile accounts-daemon @{exec_path} {
/var/log/wtmp r,
#include if exists <local/accounts-daemon>
include if exists <local/accounts-daemon>
}
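Review bot: Declaring `abi <abi/3.0>,` opts this enforce-mode profile (the `profile accounts-daemon @{exec_path} {` line carries no `flags=`) into every mediation class the 3.0 abi covers, so on a kernel that supports them, dbus, unix-socket, signal and network accesses are now enforced where a profile without an abi declaration may have had them pinned off; unless the body between the two hunks already carries the matching `dbus`, `unix` and `signal` rules, a D-Bus service like accounts-daemon can start seeing new denials. This should be checked with `aa-logprof` on an AppArmor 3.0 system before the profile ships. Separately, the profile now mixes `#include <tunables/global>` with the bare `include if exists <local/accounts-daemon>`; settling on one spelling, e.g. `include <tunables/global>`, keeps it consistent with the change being made here.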
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#include <tunables/global>
@{exec_path} = /{usr/,}bin/acpi
......@@ -23,5 +25,5 @@ profile acpi @{exec_path} flags=(complain) {
@{sys}/devices/**/power_supply/*/{online,type} r,
@{sys}/devices/virtual/thermal/{,**} r,
#include if exists <local/acpi>
include if exists <local/acpi>
}
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#include <tunables/global>
@{exec_path} = /{usr/,}sbin/adduser
......@@ -49,5 +51,5 @@ profile adduser @{exec_path} {
# For lightdm
/var/lib/lightdm/{,*} w,
#include if exists <local/adduser>
include if exists <local/adduser>
}
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#include <tunables/global>
@{exec_path} = /{usr/,}bin/adequate
......@@ -108,5 +110,5 @@ profile adequate @{exec_path} flags=(complain) {
}
#include if exists <local/adequate>