cutemeli/server
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

hilfe mein git ist komisch

Browse Source
This commit is contained in:
cutemeli
2026-01-08 18:34:49 +01:00
parent 710537a25d
commit b2d2dce845
4644 changed files with 94994 additions and 1763 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
etc/apparmor.d/abstractions/X Normal file
View File

@@ -0,0 +1,66 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
include <abstractions/dri-common>
# .ICEauthority files required for X authentication, per user
owner @{HOME}/.ICEauthority r,
owner @{run}/user/*/ICEauthority r,
# .Xauthority files required for X connections, per user
owner @{HOME}/.Xauthority r,
owner @{HOME}/.local/share/sddm/.Xauthority r,
owner @{run}/gdm{,3}/*/database r,
owner @{run}/lightdm/authority/[0-9]* r,
owner @{run}/lightdm/*/xauthority r,
owner @{run}/user/*/gdm/Xauthority r,
owner @{run}/user/*/X11/Xauthority r,
owner @{run}/user/*/xauth_* r,
# the unix socket to use to connect to the display
/tmp/.X11-unix/* rw,
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
/usr/include/X11/ r,
/usr/include/X11/** r,
# The X tree changes and is large -- grant read access to the whole thing
/usr/X11R6/** r,
/usr/share/X11/ r,
/usr/share/X11/** r,
/usr/X11R6/**.so* mr,
# EGL
/usr/lib/@{multiarch}/egl/*.so* mr,
# Xcompose
owner @{HOME}/.XCompose r,
/var/cache/libx11/compose/* r,
deny /var/cache/libx11/compose/* wlk,
# mouse themes
/etc/X11/cursors/ r,
/etc/X11/cursors/** r,
# Xwayland
owner @{run}/user/*/.mutter-Xwaylandauth.* r,
# Include additions to the abstraction
include if exists <abstractions/X.d>

43
etc/apparmor.d/abstractions/apache2-common Normal file
View File

@@ -0,0 +1,43 @@
# vim:syntax=apparmor
# This file contains basic permissions for Apache and every vHost
abi <abi/4.0>,
include <abstractions/nameservice>
# Allow other processes to read our /proc entries
ptrace (readby),
# Allow other processes to trace us by default
ptrace (tracedby),
# Allow unconfined processes to send us signals by default
signal (receive) peer=unconfined,
# Allow apache to send us signals by default
signal (receive) peer=apache2,
# Allow other hats to signal by default
signal peer=apache2//*,
# Allow us to signal ourselves
signal peer=@{profile_name},
# Apache
network inet stream,
network inet6 stream,
# apache manual, error pages and icons
/usr/share/apache2/** r,
# changehat itself
@{PROC}/@{pid}/attr/{apparmor/,}current rw,
# htaccess files - for what ever it is worth
/**/.htaccess r,
/dev/urandom r,
# sasl-auth
@{run}/saslauthd/mux rw,
# OCSP stapling
@{run}/lock/apache2/stapling-cache* rw,
# Include additions to the abstraction
include if exists <abstractions/apache2-common.d>

13
etc/apparmor.d/abstractions/apparmor_api/change_profile Normal file
View File

@@ -0,0 +1,13 @@
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
include <abstractions/apparmor_api/introspect>
@{PROC}/@{tid}/attr/{apparmor/,}{current,exec} w,

14
etc/apparmor.d/abstractions/apparmor_api/examine Normal file
View File

@@ -0,0 +1,14 @@
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# Make sure to include at least tunables/proc and tunables/kernelvars
# when using this abstraction, if not tunables/global.
abi <abi/4.0>,
@{PROC}/@{pids}/attr/{apparmor/,}{current,prev,exec} r,

16
etc/apparmor.d/abstractions/apparmor_api/find_mountpoint Normal file
View File

@@ -0,0 +1,16 @@
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
#permissions needed for aa_find_mountpoint
# Make sure to include at least tunables/proc and tunables/kernelvars
# when using this abstraction, if not tunables/global.
@{PROC}/@{pids}/mounts r,

14
etc/apparmor.d/abstractions/apparmor_api/introspect Normal file
View File

@@ -0,0 +1,14 @@
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# Make sure to include at least tunables/proc and tunables/kernelvars
# when using this abstraction, if not tunables/global.
@{PROC}/@{tid}/attr/{apparmor/,}{current,prev,exec} r,

20
etc/apparmor.d/abstractions/apparmor_api/is_enabled Normal file
View File

@@ -0,0 +1,20 @@
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# permissions needed for aa_is_enabled
# Make sure to include tunables/apparmorfs and tunables/global
# when using this abstraction
include <abstractions/apparmor_api/find_mountpoint>
@{sys}/module/apparmor/parameters/enabled r,
@{sys}/module/apparmor/parameters/available r,
# TODO: add alternate apparmorfs interface for enabled

18
etc/apparmor.d/abstractions/aspell Normal file
View File

@@ -0,0 +1,18 @@
# vim:syntax=apparmor
# aspell permissions
abi <abi/4.0>,
# per-user settings and dictionaries
owner @{HOME}/.aspell.*.{pws,prepl} rwk,
# system libraries and dictionaries
/usr/lib/aspell/ r,
/usr/lib/aspell/* r,
/usr/lib/aspell/*.so m,
/usr/share/aspell/ r,
/usr/share/aspell/* r,
/var/lib/aspell/* r,
# Include additions to the abstraction
include if exists <abstractions/aspell.d>

93
etc/apparmor.d/abstractions/audio Normal file
View File

@@ -0,0 +1,93 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/dev/admmidi* rw,
/dev/adsp* rw,
/dev/aload* rw,
/dev/amidi* rw,
/dev/audio* rw,
/dev/dmfm* rw,
/dev/dmmidi* rw,
/dev/dsp* rw,
/dev/midi* rw,
/dev/mixer* rw,
/dev/mpu401data rw,
/dev/mpu401stat rw,
/dev/patmgr* rw,
/dev/phone* rw,
/dev/radio* rw,
/dev/rmidi* rw,
/dev/sequencer rw,
/dev/sequencer2 rw,
/dev/smpte* rw,
/dev/snd/* rw,
/dev/sound/* rw,
@{PROC}/asound/** rw,
/usr/share/alsa/** r,
/usr/share/sounds/ r,
/usr/share/sounds/** r,
owner @{HOME}/.esd_auth r,
/etc/asound.conf r,
owner @{HOME}/.asoundrc r,
/etc/esound/esd.conf r,
# libao
/etc/libao.conf r,
owner @{HOME}/.libao r,
# libcanberra
owner @{HOME}/.cache/event-sound-cache.* rwk,
# pulse
/etc/pulse/ r,
/etc/pulse/** r,
/dev/shm/ r,
@{run}/shm/ r,
owner /dev/shm/pulse-shm* rwk,
owner @{run}/shm/pulse-shm* rwk,
owner @{HOME}/.pulse-cookie rwk,
owner @{HOME}/.pulse/ rw,
owner @{HOME}/.pulse/* rwk,
owner @{run}/user/*/pulse/ rw,
owner @{run}/user/*/pulse/{native,pid} rwk,
owner @{HOME}/.config/pulse/*.conf r,
owner @{HOME}/.config/pulse/client.conf.d/{,*.conf} r,
owner @{HOME}/.config/pulse/cookie rwk,
owner /tmp/pulse-*/ rw,
owner /tmp/pulse-*/* rw,
# libgnome2
/etc/sound/ r,
/etc/sound/** r,
# openal
/etc/alsa/conf.d/{,*} r,
/etc/openal/alsoft.conf r,
owner @{HOME}/.alsoftrc r,
/usr/{,local/}share/openal/hrtf/{,**} r,
owner @{HOME}/.local/share/openal/hrtf/{,**} r,
# wildmidi
/etc/wildmidi/wildmidi.cfg r,
# pipewire
/usr/share/pipewire/client{,-rt}.conf r,
# Include additions to the abstraction
include if exists <abstractions/audio.d>

74
etc/apparmor.d/abstractions/authentication Normal file
View File

@@ -0,0 +1,74 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2012 Canonical Ltd
# Copyright (C) 2019-2021 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# Some services need to perform authentication of users
# Such authentication almost certainly needs access to the local users
# databases containing passwords, PAM configuration files, PAM libraries
@{etc_ro}/nologin r,
@{etc_ro}/pam.d/* r,
@{etc_ro}/securetty r,
@{etc_ro}/security/* r,
@{etc_ro}/shadow r,
@{etc_ro}/gshadow r,
@{etc_ro}/pwdb.conf r,
/{usr/,}lib{,32,64}/security/pam_filter/* mr,
/{usr/,}lib{,32,64}/security/pam_*.so mr,
/{usr/,}lib{,32,64}/security/ r,
/{usr/,}lib/@{multiarch}/security/pam_filter/* mr,
/{usr/,}lib/@{multiarch}/security/pam_*.so mr,
/{usr/,}lib/@{multiarch}/security/ r,
# pam_unix
owner /proc/@{pid}/loginuid r,
/{,usr/}{,s}bin/unix_chkpwd Px,
# pam_env
@{etc_ro}/environment r,
# pam_limit
@{etc_ro}/security/limits.d/ r,
@{etc_ro}/security/limits.d/*.conf r,
# gssapi
@{etc_ro}/gss/mech r,
@{etc_ro}/gss/mech.d/ r,
@{etc_ro}/gss/mech.d/*.conf r,
# kerberos
include <abstractions/kerberosclient>
# SuSE's pwdutils are different:
@{etc_ro}/default/passwd r,
@{etc_ro}/login.defs r,
@{etc_ro}/login.defs.d/ r,
@{etc_ro}/login.defs.d/*.defs r,
# nis
include <abstractions/nis>
# winbind
include <abstractions/winbind>
# likewise
include <abstractions/likewise>
# smbpass
include <abstractions/smbpass>
# p11-kit (PKCS#11 modules configuration)
include <abstractions/p11-kit>
# Include additions to the abstraction
include if exists <abstractions/authentication.d>

182
etc/apparmor.d/abstractions/base Normal file
View File

@@ -0,0 +1,182 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
include <abstractions/crypto>
# (Note that the ldd profile has inlined this file; if you make
# modifications here, please consider including them in the ldd
# profile as well.)
# The __canary_death_handler function writes a time-stamped log
# message to /dev/log for logging by syslogd. So, /dev/log, timezones,
# and localisations of date should be available EVERYWHERE, so
# StackGuard, FormatGuard, etc., alerts can be properly logged.
/dev/log w,
/dev/random r,
/dev/urandom r,
# Allow access to the uuidd daemon (this daemon is a thin wrapper around
# time and getrandom()/{,u}random and, when available, runs under an
# unprivilged, dedicated user).
@{run}/uuidd/request r,
@{etc_ro}/locale/** r,
@{etc_ro}/locale.alias r,
@{etc_ro}/localtime r,
@{etc_rw}/localtime r,
/etc/writable/localtime r,
/usr/share/locale-bundle/** r,
/usr/share/locale-langpack/** r,
/usr/share/locale/ r,
/usr/share/locale/** r,
/usr/share/**/locale/** r,
/usr/share/zoneinfo{,-icu}/ r,
/usr/share/zoneinfo{,-icu}/** r,
/usr/share/X11/locale/** r,
@{run}/systemd/journal/dev-log w,
# systemd native journal API (see sd_journal_print(4))
@{run}/systemd/journal/socket w,
# Nested containers and anything using systemd-cat need this. 'r' shouldn't
# be required but applications fail without it. journald doesn't leak
# anything when reading so this is ok.
@{run}/systemd/journal/stdout rw,
/usr/lib{,32,64}/locale/** mr,
/usr/lib{,32,64}/gconv/*.so mr,
/usr/lib{,32,64}/gconv/gconv-modules* mr,
/usr/lib/@{multiarch}/gconv/*.so mr,
/usr/lib/@{multiarch}/gconv/gconv-modules* mr,
# used by glibc when binding to ephemeral ports
@{etc_ro}/bindresvport.blacklist r,
# ld.so.cache and ld are used to load shared libraries; they are best
# available everywhere
@{etc_ro}/ld.so.cache mr,
@{etc_ro}/ld.so.conf r,
@{etc_ro}/ld.so.conf.d/{,*.conf} r,
@{etc_ro}/ld.so.preload r,
@{etc_ro}/ld-musl-*.path r,
/{usr/,}lib{,32,64}/ld{,32,64}-*.so mr,
/{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr,
/{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr,
/{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mr,
/opt/*-linux-uclibc/lib/ld-uClibc*so* mr,
# we might as well allow everything to use common libraries
/{usr/,}lib{,32,64}/** r,
/{usr/,}lib{,32,64}/**.so* mr,
/{usr/,}lib/@{multiarch}/** r,
/{usr/,}lib/@{multiarch}/**.so* mr,
/{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr,
/{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr,
# FIPS-140-2 versions of some crypto libraries need to access their
# associated integrity verification file, or they will abort.
/{usr/,}lib{,32,64}/.lib*.so*.hmac r,
/{usr/,}lib/@{multiarch}/.lib*.so*.hmac r,
# /dev/null is pretty harmless and frequently used
/dev/null rw,
# as is /dev/zero
/dev/zero rw,
# recent glibc uses /dev/full in preference to /dev/null for programs
# that don't have open fds at exec()
/dev/full rw,
# Sometimes used to determine kernel/user interfaces to use
@{PROC}/sys/kernel/version r,
# Depending on which glibc routine uses this file, base may not be the
# best place -- but many profiles require it, and it is quite harmless.
@{PROC}/sys/kernel/ngroups_max r,
# glibc's sysconf(3) routine to determine free memory, etc
@{PROC}/meminfo r,
@{PROC}/stat r,
@{PROC}/cpuinfo r,
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/online r,
@{sys}/devices/system/cpu/possible r,
# transparent hugepage support
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
# glibc's *printf protections read the maps file
@{PROC}/@{pid}/{maps,auxv,status} r,
# some applications will display license information
/usr/share/common-licenses/** r,
# glibc statvfs
@{PROC}/filesystems r,
# glibc malloc (man 5 proc)
@{PROC}/sys/vm/overcommit_memory r,
# Allow determining the highest valid capability of the running kernel
@{PROC}/sys/kernel/cap_last_cap r,
# Allow other processes to read our /proc entries, futexes, perf tracing and
# kcmp for now (they will need 'read' in the first place). Administrators can
# override with:
# deny ptrace (readby) ...
ptrace (readby),
# Allow other processes to trace us by default (they will need 'trace' in
# the first place). Administrators can override with:
# deny ptrace (tracedby) ...
ptrace (tracedby),
# Allow us to ptrace read ourselves
ptrace (read) peer=@{profile_name},
# Allow unconfined processes to send us signals by default
signal (receive) peer=unconfined,
# Allow us to signal ourselves
signal peer=@{profile_name},
# Checking for PID existence is quite common so add it by default for now
signal (receive, send) set=("exists"),
# Allow us to create and use abstract and anonymous sockets
unix peer=(label=@{profile_name}),
# Allow unconfined processes to us via unix sockets
unix (receive) peer=(label=unconfined),
# Allow us to create abstract and anonymous sockets
unix (create),
# Allow us to getattr, getopt, setop and shutdown on unix sockets
unix (getattr, getopt, setopt, shutdown),
# Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
# filesystems generally. This does not appreciably decrease security with
# Ubuntu profiles because the user is expected to have access to files owned
# by him/her. Exceptions to this are explicit in the profiles. While this rule
# grants access to those exceptions, the intended privacy is maintained due to
# the encrypted contents of the files in this directory. Files in this
# directory will also use filename encryption by default, so the files are
# further protected. Also, with the use of 'owner', this rule properly
# prevents access to the files from processes running under a different uid.
# encrypted ~/.Private and old-style encrypted $HOME
owner @{HOME}/.Private/ r,
owner @{HOME}/.Private/** mrixwlk,
# new-style encrypted $HOME
owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
# Include additions to the abstraction
include if exists <abstractions/base.d>

49
etc/apparmor.d/abstractions/bash Normal file
View File

@@ -0,0 +1,49 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# user-specific bash files
@{HOMEDIRS} r,
@{HOME}/.bashrc r,
@{HOME}/.profile r,
@{HOME}/.bash_profile r,
@{HOME}/.bash_history rw,
# system-wide bash configuration
/etc/profile.dos r,
/etc/profile r,
/etc/profile.d/ r,
/etc/profile.d/* r,
/etc/bashrc r,
/etc/bash.bashrc r,
/etc/bash.bashrc.local r,
/etc/bash_completion r,
/etc/bash_completion.d/ r,
/etc/bash_completion.d/* r,
# bash relies on system-wide readline configuration
/etc/inputrc r,
# bash inspects filesystems at startup
/etc/mtab r,
@{PROC}/@{pid}/mounts r,
@{PROC}/filesystems r,
# probably readline wants to know terminal capabilities
/usr/share/terminfo/** r,
# run out of /etc/bash.bashrc
/etc/DIR_COLORS r,
/{usr/,}bin/ls mix,
/usr/bin/dircolors mix,
# Include additions to the abstraction
include if exists <abstractions/bash.d>

27
etc/apparmor.d/abstractions/consoles Normal file
View File

@@ -0,0 +1,27 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# there are three common ways to refer to consoles
/dev/console rw,
/dev/tty rw,
# this next entry is a tad unfortunate; /dev/tty will always be
# associated with the controlling terminal by the kernel, but if a
# program uses the /dev/pts/ interface, it actually has access to
# -all- xterm, sshd, etc, terminals on the system.
/dev/pts/[0-9]* rw,
/dev/pts/ r,
# Include additions to the abstraction
include if exists <abstractions/consoles.d>

34
etc/apparmor.d/abstractions/crypto Normal file
View File

@@ -0,0 +1,34 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
# Copyright (C) 2021 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# Global config of openssl
include <abstractions/openssl>
@{etc_ro}/gcrypt/hwf.deny r,
@{etc_ro}/gcrypt/random.conf r,
@{PROC}/sys/crypto/fips_enabled r,
# libgcrypt reads some flags from /proc
@{PROC}/sys/crypto/* r,
# crypto policies used by various libraries
/etc/crypto-policies/*/*.txt r,
/usr/share/crypto-policies/*/*.txt r,
# Global gnutls config
@{etc_ro}/gnutls/config r,
@{etc_ro}/gnutls/pkcs11.conf r,
include if exists <abstractions/crypto.d>

23
etc/apparmor.d/abstractions/cups-client Normal file
View File

@@ -0,0 +1,23 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009-2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# discoverable system configuration for non-local cupsd
/etc/cups/client.conf r,
# client should be able to talk the local cupsd
@{run}/cups/cups.sock rw,
# client should be able to read user-specified cups configuration
owner @{HOME}/.cups/client.conf r,
owner @{HOME}/.cups/lpoptions r,
# Include additions to the abstraction
include if exists <abstractions/cups-client.d>

21
etc/apparmor.d/abstractions/dbus Normal file
View File

@@ -0,0 +1,21 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009-2013 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# This abstraction grants full system bus access. Consider using the
# dbus-strict abstraction for fine-grained bus mediation.
include <abstractions/dbus-strict>
dbus bus=system,
# Include additions to the abstraction
include if exists <abstractions/dbus.d>

21
etc/apparmor.d/abstractions/dbus-accessibility Normal file
View File

@@ -0,0 +1,21 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# This abstraction grants full accessibility bus access. Consider using the
# dbus-accessibility-strict abstraction for fine-grained bus mediation.
include <abstractions/dbus-accessibility-strict>
dbus bus=accessibility,
# Include additions to the abstraction
include if exists <abstractions/dbus-accessibility.d>

22
etc/apparmor.d/abstractions/dbus-accessibility-strict Normal file
View File

@@ -0,0 +1,22 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
dbus send
bus=accessibility
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus),
# Include additions to the abstraction
include if exists <abstractions/dbus-accessibility-strict.d>

47
etc/apparmor.d/abstractions/dbus-network-manager-strict Normal file
View File

@@ -0,0 +1,47 @@
# vim:syntax=apparmor
abi <abi/4.0>,
dbus send
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=GetDevices
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Devices/[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Settings
interface=org.freedesktop.NetworkManager.Settings
member={GetDevices,ListConnections}
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Settings/[0-9]*
interface=org.freedesktop.NetworkManager.Settings.Connection
member=GetSettings
peer=(name=org.freedesktop.NetworkManager),
include if exists <abstractions/dbus-network-manager-strict.d>

22
etc/apparmor.d/abstractions/dbus-session Normal file
View File

@@ -0,0 +1,22 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2011-2013 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# This abstraction grants full session bus access. Consider using the
# dbus-session-strict abstraction for fine-grained bus mediation.
include <abstractions/dbus-session-strict>
/usr/bin/dbus-launch ix,
dbus bus=session,
# Include additions to the abstraction
include if exists <abstractions/dbus-session.d>

39
etc/apparmor.d/abstractions/dbus-session-strict Normal file
View File

@@ -0,0 +1,39 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2011-2013 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# unique per-machine identifier
/etc/machine-id r,
/var/lib/dbus/machine-id r,
unix (connect, receive, send, accept) type=stream peer=(addr="@/tmp/dbus-*"),
unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*",
unix (bind, listen) type=stream addr="@/tmp/dbus-*",
# dbus with systemd and --enable-user-session
owner @{run}/user/[0-9]*/bus rw,
dbus send
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus),
owner @{run}/user/@{uid}/at-spi/ rw,
owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
owner /tmp/dbus-[0-9a-zA-Z]* rw,
# Include additions to the abstraction
include if exists <abstractions/dbus-session-strict.d>

24
etc/apparmor.d/abstractions/dbus-strict Normal file
View File

@@ -0,0 +1,24 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009-2013 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
@{run}/dbus/system_bus_socket rw,
dbus send
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus),
# Include additions to the abstraction
include if exists <abstractions/dbus-strict.d>

13
etc/apparmor.d/abstractions/dconf Normal file
View File

@@ -0,0 +1,13 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# permissions for querying dconf settings; granting write access should
# be specified in a specific application's profile.
/etc/dconf/** r,
owner @{run}/user/*/dconf/user r,
owner @{HOME}/.config/dconf/user r,
# Include additions to the abstraction
include if exists <abstractions/dconf.d>

24
etc/apparmor.d/abstractions/dovecot-common Normal file
View File

@@ -0,0 +1,24 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2014 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# used with dovecot/*
abi <abi/4.0>,
capability setgid,
deny capability block_suspend,
# dovecot's master can send us signals
signal receive peer=dovecot,
owner @{run}/dovecot/config rw,
# Include additions to the abstraction
include if exists <abstractions/dovecot-common.d>

19
etc/apparmor.d/abstractions/dri-common Normal file
View File

@@ -0,0 +1,19 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# This file contains common DRI-specific rules useful for GUI applications
# (needed by libdrm and similar).
/usr/lib{,32,64}/dri/** mr,
/usr/lib/@{multiarch}/dri/** mr,
/usr/lib/fglrx/dri/** mr,
/dev/dri/ r,
/dev/dri/** rw,
/etc/drirc r,
/usr/share/drirc.d/{,*.conf} r,
owner @{HOME}/.drirc r,
# Include additions to the abstraction
include if exists <abstractions/dri-common.d>

13
etc/apparmor.d/abstractions/dri-enumerate Normal file
View File

@@ -0,0 +1,13 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# This file contains common DRI-specific rules useful for GUI applications that
# needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from
# libdrm).
@{sys}/devices/@{pci_bus}/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
# Include additions to the abstraction
include if exists <abstractions/dri-enumerate.d>

64
etc/apparmor.d/abstractions/enchant Normal file
View File

@@ -0,0 +1,64 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# abstraction for Enchant spellchecking frontend
/usr/share/enchant/ r,
/usr/share/enchant/enchant.ordering r,
/usr/share/enchant-2/ r,
/usr/share/enchant-2/enchant.ordering r,
# aspell
include <abstractions/aspell>
/var/lib/dictionaries-common/aspell/ r,
/var/lib/dictionaries-common/aspell/* r,
# hspell
/usr/share/hspell/ r,
/usr/share/hspell/*.wgz.* r,
# hunspell
/usr/share/hunspell/ r,
/usr/share/hunspell/* r,
# ispell
/usr/lib/ispell/ r,
/usr/lib/ispell/*.hash r,
/usr/share/dict/ r,
/usr/share/dict/* r,
/var/lib/dictionaries-common/ r,
/var/lib/dictionaries-common/{ispell,wordlist}/ r,
/var/lib/dictionaries-common/{ispell,wordlist}/* r,
# myspell
/usr/share/myspell/ r,
/usr/share/myspell/** r,
# voikko
/usr/lib/voikko/ r,
/usr/lib/voikko/2/ r,
/usr/lib/voikko/2/mor-standard/ r,
/usr/lib/voikko/2/mor-standard/voikko* r,
# zemberek
/usr/share/java/ r,
/usr/share/java/zemberek-[0-9]*.jar r,
/usr/share/java/zemberek-tr-[0-9]*.jar r,
# per-user dictionaries
owner @{HOME}/.config/enchant/ rw,
owner @{HOME}/.config/enchant/* rwk,
# Include additions to the abstraction
include if exists <abstractions/enchant.d>

69
etc/apparmor.d/abstractions/exo-open Normal file
View File

@@ -0,0 +1,69 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via exo-open helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/exo-open directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/exo-open rPx -> foo//exo-open,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//exo-open {
# include <abstractions/exo-open>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # Add if accessibility access is considered as required
# # (for message box in case exo-open fails)
# include <abstractions/dbus-accessibility>
#
# # < add additional allowed applications here >
# }
include <abstractions/X>
include <abstractions/audio> # for alert messages
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/gnome>
# Main executables
/usr/bin/exo-open rix,
/usr/lib{32,64,/@{multiarch}}/xfce4/exo-[0-9]/exo-helper-[0-9] ix,
# Other executables
/{,usr/}bin/which rix,
# System files
/etc/xdg/{,xdg-*/}xfce4/helpers.rc r,
/etc/xfce4/defaults.list r, # TODO: move into xfce4 abstraction?
/usr/share/sounds/freedesktop/** r, # for message box alert sound
/usr/share/xfce4/helpers/*.desktop r,
/usr/share/{xfce{,4},xubuntu}/applications/{,*.list} r,
# User files
owner @{PROC}/@{pid}/fd/ r,
owner @{HOME}/.config/xfce4/helpers.rc r,
owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
# Include additions to the abstraction
include if exists <abstractions/exo-open.d>

18
etc/apparmor.d/abstractions/fcitx Normal file
View File

@@ -0,0 +1,18 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2016 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
include <abstractions/fcitx-strict>
dbus bus=fcitx,
# Include additions to the abstraction
include if exists <abstractions/fcitx.d>

26
etc/apparmor.d/abstractions/fcitx-strict Normal file
View File

@@ -0,0 +1,26 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2016 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
include <abstractions/dbus-session-strict>
dbus send
bus=fcitx
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus),
owner @{HOME}/.config/fcitx/dbus/* r,
# Include additions to the abstraction
include if exists <abstractions/fcitx-strict.d>

68
etc/apparmor.d/abstractions/fonts Normal file
View File

@@ -0,0 +1,68 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/usr/share/AbiSuite/fonts/** r,
/usr/lib/xorg/modules/fonts/**.so* mr,
/usr/share/fonts/{,**} r,
/usr/share/fonts-*/{,**} r,
/etc/fonts/** r,
# Debian, openSUSE paths are different
/usr/share/{fontconfig,fonts-config,*-fonts}/conf.avail/{,**} r,
/usr/share/ghostscript/fonts/{,**} r,
/opt/kde3/share/fonts/** r,
/usr/lib{,32,64}/openoffice/share/fonts/** r,
/var/cache/fonts/** r,
/var/cache/fontconfig/** mr,
/var/lib/defoma/** mr,
/usr/share/a2ps/fonts/** r,
/usr/share/xfce/fonts/** r,
/usr/share/ghostscript/fonts/** r,
/usr/share/javascript/*/fonts/** r,
/usr/share/texmf/{,*/}fonts/** r,
/usr/share/texlive/texmf-dist/fonts/** r,
/var/lib/ghostscript/** r,
owner @{HOME}/.fonts.conf r,
owner @{HOME}/.fonts/ r,
owner @{HOME}/.fonts/** r,
owner @{HOME}/.local/share/fonts/ r,
owner @{HOME}/.local/share/fonts/** r,
owner @{HOME}/.fonts.cache-2 mr,
owner @{HOME}/.{,cache/}fontconfig/ rw,
owner @{HOME}/.{,cache/}fontconfig/** mrwkl,
owner @{HOME}/.fonts.conf.d/ r,
owner @{HOME}/.fonts.conf.d/** r,
owner @{HOME}/.config/fontconfig/ r,
owner @{HOME}/.config/fontconfig/** r,
owner @{HOME}/.Fontmatrix/Activated/ r,
owner @{HOME}/.Fontmatrix/Activated/** r,
/usr/local/share/fonts/ r,
/usr/local/share/fonts/** r,
# poppler CMap tables
/usr/share/poppler/cMap/** r,
# data files for LibThai
/usr/share/libthai/thbrk.tri r,
# Include additions to the abstraction
include if exists <abstractions/fonts.d>

49
etc/apparmor.d/abstractions/freedesktop.org Normal file
View File

@@ -0,0 +1,49 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# system configuration
@{system_share_dirs}/applications/{**,} r,
@{system_share_dirs}/*ubuntu/applications/{**,} r,
@{system_share_dirs}/gnome/applications/{**,} r,
@{system_share_dirs}/xfce4/applications/{**,} r,
@{system_share_dirs}/icons/{**,} r,
@{system_share_dirs}/pixmaps/{**,} r,
# communitheme snap
/snap/communitheme/*/share/icons/ r,
/snap/communitheme/*/share/icons/** r,
# mimeinfo and desktop files for snaps
/var/lib/snapd/desktop/applications/mimeinfo.cache r,
/var/lib/snapd/desktop/applications/{,*.desktop} r,
# this should probably go elsewhere
@{system_share_dirs}/mime/** r,
@{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r,
/etc/gnome/defaults.list r,
/etc/xfce4/defaults.list r,
# per-user configurations
owner @{HOME}/.icons/{,**} r,
owner @{HOME}/.recently-used.xbel* rw,
owner @{HOME}/.local/share/recently-used.xbel* rw,
owner @{HOME}/.config/user-dirs.dirs r,
owner @{HOME}/.config/mimeapps.list r,
owner @{user_share_dirs}/applications/{**,} r,
owner @{user_share_dirs}/icons/{**,} r,
owner @{user_share_dirs}/mime/{**,} r,
# Include additions to the abstraction
include if exists <abstractions/freedesktop.org.d>

59
etc/apparmor.d/abstractions/gio-open Normal file
View File

@@ -0,0 +1,59 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via gio helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/gio directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/gio rPx -> foo//gio-open,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//gio-open {
# include <abstractions/gio-open>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # < add additional allowed applications here >
# }
include <abstractions/base>
include <abstractions/dbus-session-strict>
# Main executables
/usr/bin/gio rix,
/usr/bin/gio-launch-desktop ix, # for OpenSUSE
/usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix,
# System files
/etc/gnome/defaults.list r,
/usr/share/mime/* r,
/usr/share/{,*/}applications/{,**} r,
/var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
/var/lib/snapd/desktop/applications/{,**} r,
# User files
owner @{HOME}/.config/mimeapps.list r,
owner @{HOME}/.local/share/applications/{,*.desktop} r,
owner @{PROC}/@{pid}/fd/ r,
# Include additions to the abstraction
include if exists <abstractions/gio-open.d>

121
etc/apparmor.d/abstractions/gnome Normal file
View File

@@ -0,0 +1,121 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/X>
include <abstractions/freedesktop.org>
include <abstractions/xdg-desktop>
include <abstractions/user-tmp>
include <abstractions/wayland>
# systemwide gtk defaults
/etc/gnome/gtkrc* r,
/etc/gtk/* r,
/usr/lib{,32,64}/gtk/** mr,
/usr/lib/@{multiarch}/gtk/** mr,
/usr/lib{,32,64}/gtk-[0-9]*/** mr,
/usr/lib/@{multiarch}/gtk-[0-9]*/** mr,
/usr/share/themes/ r,
/usr/share/themes/** r,
/usr/share/gtk-3.0/settings.ini r,
# communitheme snap
/snap/communitheme/*/share/themes/ r,
/snap/communitheme/*/share/themes/** r,
# for gnome 1 applications
/etc/orbitrc r,
# gtk-2 needed some new rights
/etc/fonts/* r,
/etc/gtk-*/* r,
/etc/pango/* r,
/usr/lib{,32,64}/pango/** mr,
/usr/lib{,32,64}/gtk-*/** mr,
/usr/lib{,32,64}/gdk-pixbuf-*/** mr,
/usr/lib/@{multiarch}/pango/** mr,
/usr/lib/@{multiarch}/gtk-*/** mr,
/usr/lib/@{multiarch}/gdk-pixbuf-*/** mr,
# per-user gtk configuration
owner @{HOME}/.config/gtk-3.0/ w,
owner @{HOME}/.config/gtk-3.0/* r,
owner @{HOME}/.gnome/Gnome r,
owner @{HOME}/.gtk r,
owner @{HOME}/.gtkrc r,
owner @{HOME}/.gtkrc-2.0 r,
owner @{HOME}/.gtk-bookmarks r,
owner @{HOME}/.themes/ r,
owner @{HOME}/.themes/** r,
owner @{user_share_dirs}/themes/ r,
owner @{user_share_dirs}/themes/** r,
# for gtk file dialog
owner @{HOME}/.config/gtk-2.0/ w,
owner @{HOME}/.config/gtk-2.0/** r,
owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
# from evolution-mail
owner @{HOME}/.gconfd/lock/* r,
owner @{HOME}/.gnome/application-info r,
# per-user font business
owner @{HOME}/.fonts.cache-* rwl,
# GtkComposeTable
owner @{HOME}/.cache/gtk-3.0/** r,
# icon caches
/var/cache/**/icon-theme.cache r,
/usr/share/**/icon-theme.cache r,
# GLib schemas
/usr/{local/,}share/glib-[0-9]*/schemas/ r,
/usr/{local/,}share/glib-[0-9]*/schemas/** r,
# gnome VFS modules
/etc/gnome-vfs-2.0/modules/ r,
/etc/gnome-vfs-2.0/modules/* r,
/usr/lib/gnome-vfs-2.0/modules/*.so mr,
/usr/lib/@{multiarch}/gnome-vfs-2.0/modules/*.so mr,
# gvfs
/usr/share/gvfs/remote-volume-monitors/ r,
/usr/share/gvfs/remote-volume-monitors/* r,
@{PROC}/@{pid}/mounts r,
@{run}/mount/utab r,
# printing
/etc/papersize r,
/etc/cups/lpoptions r,
/usr/share/cups/charmaps/** r,
# holds MIT-MAGIC-COOKIE for gnome
owner @{run}/gdm/auth*/database r,
# mime-types
/etc/gnome/defaults.list r,
/etc/xdg/{,*-}mimeapps.list r,
/usr/share/gnome/applications/ r,
/usr/share/gnome/applications/mimeinfo.cache r,
# Allow connecting to the GNOME vfs socket (still need corresponding DBus
# rules)
unix (send, receive, connect)
type=stream
peer=(addr="@/dbus-vfs-daemon/socket-*"),
# Include additions to the abstraction
include if exists <abstractions/gnome.d>

16
etc/apparmor.d/abstractions/gnupg Normal file
View File

@@ -0,0 +1,16 @@
# vim:syntax=apparmor
# gnupg sub-process running permissions
abi <abi/4.0>,
# user configurations
owner @{HOME}/.gnupg/options r,
owner @{HOME}/.gnupg/pubring.gpg r,
owner @{HOME}/.gnupg/pubring.kbx r,
owner @{HOME}/.gnupg/random_seed rw,
owner @{HOME}/.gnupg/secring.gpg r,
owner @{HOME}/.gnupg/so/*.x86_64 mr,
owner @{HOME}/.gnupg/trustdb.gpg rw,
# Include additions to the abstraction
include if exists <abstractions/gnupg.d>

67
etc/apparmor.d/abstractions/groff Normal file
View File

@@ -0,0 +1,67 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
# Copyright (C) 2023 SUSE LLC
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# Note: executing groff and nroff themself is not included in this abstraction
# so that you can choose to ix, Px or Cx them in your profile
# groff/nroff helpers, preprocessors, and postprocessors
/usr/bin/addftinfo mrix,
/usr/bin/afmtodit mrix,
/usr/bin/chem mrix,
/usr/bin/eqn mrix,
/usr/bin/eqn2graph mrix,
/usr/bin/gdiffmk mrix,
/usr/bin/geqn mrix,
/usr/bin/grap2graph mrix,
/usr/bin/grn mrix,
/usr/bin/grodvi mrix,
/usr/bin/groffer mrix,
/usr/bin/grog mrix,
/usr/bin/grolbp mrix,
/usr/bin/grolj4 mrix,
/usr/bin/gropdf mrix,
/usr/bin/grops mrix,
/usr/bin/grotty mrix,
/usr/bin/gtbl mrix,
/usr/bin/hpftodit mrix,
/usr/bin/indxbib mrix,
/usr/bin/lkbib mrix,
/usr/bin/lookbib mrix,
/usr/bin/mmroff mrix,
/usr/bin/neqn mrix,
/usr/bin/pdfmom mrix,
/usr/bin/pdfroff mrix,
/usr/bin/pfbtops mrix,
/usr/bin/pic mrix,
/usr/bin/pic2graph mrix,
/usr/bin/post-grohtml mrix,
/usr/bin/pre-grohtml mrix,
/usr/bin/preconv mrix,
/usr/bin/refer mrix,
/usr/bin/roff2dvi mrix,
/usr/bin/roff2html mrix,
/usr/bin/roff2pdf mrix,
/usr/bin/roff2ps mrix,
/usr/bin/roff2text mrix,
/usr/bin/roff2x mrix,
/usr/bin/soelim mrix,
/usr/bin/tbl mrix,
/usr/bin/tfmtodit mrix,
/usr/bin/troff mrix,
/usr/bin/xtotroff mrix,
# at least its macros and fonts
/usr/libexec/groff/** r,
/usr/share/groff/** r,
# Include additions to the abstraction
include if exists <abstractions/groff.d>

58
etc/apparmor.d/abstractions/gtk Normal file
View File

@@ -0,0 +1,58 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/usr/share/themes/{,**} r,
/usr/share/gtksourceview-[0-9]*/{,**} r,
/usr/share/gtk-2.0/ r,
/usr/share/gtk-2.0/gtkrc r,
/usr/share/gtk-{3,4}.0/ r,
/usr/share/gtk-{3,4}.0/settings.ini r,
/etc/gtk-2.0/ r,
/etc/gtk-2.0/gtkrc r,
/etc/gtk-{3,4}.0/ r,
/etc/gtk-{3,4}.0/*.conf r,
/etc/gtk-{3,4}.0/settings.ini r,
/etc/gtk/gtkrc r,
owner @{HOME}/.themes/{,**} r,
owner @{HOME}/.local/share/themes/{,**} r,
owner @{HOME}/.gtk r,
owner @{HOME}/.gtkrc r,
owner @{HOME}/.gtkrc-2.0 r,
owner @{HOME}/.gtk-bookmarks r,
owner @{HOME}/.config/gtkrc r,
owner @{HOME}/.config/gtkrc-2.0 r,
owner @{HOME}/.config/gtk-{3,4}.0/ rw,
owner @{HOME}/.config/gtk-{3,4}.0/settings.ini r,
owner @{HOME}/.config/gtk-{3,4}.0/bookmarks r,
owner @{HOME}/.config/gtk-{3,4}.0/gtk.css r,
owner @{HOME}/.config/gtk-{3,4}.0/colors.css r,
owner @{HOME}/.config/gtk-{3,4}.0/servers r,
# for gtk file dialog
owner @{HOME}/.config/gtk-2.0/ rw,
owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
# .Xauthority file required for X connections
owner @{HOME}/.Xauthority r,
# Xsession errors file
owner @{HOME}/.xsession-errors w,
# Include additions to the abstraction
include if exists <abstractions/gtk.d>

47
etc/apparmor.d/abstractions/gvfs-open Normal file
View File

@@ -0,0 +1,47 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via gvfs-open helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/gvfs-open directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/gvfs-open rPx -> foo//gvfs-open,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//gvfs-open {
# include <abstractions/gvfs-open>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # < add additional allowed applications here >
# }
# ```
include <abstractions/base>
# gvfs-open is deprecated, it launches gio open <uri>
include <abstractions/gio-open>
# Main executables
/usr/bin/gvfs-open r,
/{,usr/}bin/dash mr,
# Include additions to the abstraction
include if exists <abstractions/gvfs-open.d>

17
etc/apparmor.d/abstractions/hosts_access Normal file
View File

@@ -0,0 +1,17 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/etc/hosts.deny r,
/etc/hosts.allow r,
include if exists <abstractions/hosts_access.d>

29
etc/apparmor.d/abstractions/ibus Normal file
View File

@@ -0,0 +1,29 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# abstraction for ibus input methods
owner @{HOME}/.config/ibus/ r,
owner @{HOME}/.config/ibus/bus/ rw,
owner @{HOME}/.config/ibus/bus/* rw,
# abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{HOME}/.cache)
# This should use this, but due to LP: #1856738 we cannot
#unix (connect, receive, send)
# type=stream
# peer=(addr="@@{HOME}/.cache/ibus/dbus-*"),
unix (connect, receive, send)
type=stream
peer=(addr="@/home/*/.cache/ibus/dbus-*"),
# Include additions to the abstraction
include if exists <abstractions/ibus.d>

88
etc/apparmor.d/abstractions/kde Normal file
View File

@@ -0,0 +1,88 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/X>
include <abstractions/freedesktop.org>
include <abstractions/xdg-desktop>
include <abstractions/user-tmp>
include <abstractions/qt5>
/etc/qt3/kstylerc r,
/etc/qt3/qt_plugins_3.3rc r,
/etc/qt3/qtrc r,
/etc/kderc r,
/etc/kde3/* r,
/etc/kde4rc r,
/etc/xdg/kdeglobals r,
/etc/xdg/Trolltech.conf r,
/usr/share/desktop-base/kf5-settings/baloofilerc r,
/usr/share/desktop-base/kf5-settings/kdeglobals r,
/usr/share/desktop-base/kf5-settings/kscreenlockerrc r,
/usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent()
/usr/share/kubuntu-default-settings/kf5-settings/* r,
owner @{HOME}/.DCOPserver_* r,
owner @{HOME}/.ICEauthority r,
owner @{HOME}/.fonts.* lrw,
owner @{HOME}/.kde{,4}/share/config/kdeglobals rw,
owner @{HOME}/.kde{,4}/share/config/*.lock rwl,
owner @{HOME}/.qt/** rw,
owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
owner @{HOME}/.config/Trolltech.conf rwk,
owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
owner @{HOME}/.config/kdedefaults/kdeglobals r, # QPlatformThemeFactory::create() -> KDEPlasmaPlatformTheme.so
owner @{HOME}/.config/kdedefaults/kwinrc r, # QStyleFactory::create() -> qt5/plugins/styles/breeze.so
owner @{HOME}/.config/kdeglobals r, # global settings, used by Breeze style, etc.
owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
owner @{HOME}/.config/kwinrc r, # QStyleFactory::create() -> qt5/plugins/styles/breeze.so
owner @{HOME}/.config/trashrc r, # Used by KFileWidget
/usr/share/X11/XKeysymDB r,
# kde3
/usr/lib*/kde3/plugins/styles/ r,
/usr/lib*/kde3/plugins/styles/* mr,
/usr/lib*/kde3/lib*so* mr,
/usr/lib/@{multiarch}/kde3/plugins/styles/ r,
/usr/lib/@{multiarch}/kde3/plugins/styles/* mr,
/usr/lib/@{multiarch}/kde3/lib*so* mr,
/usr/lib*/qt3/lib*/lib*so* mr,
/usr/lib*/qt3/plugins/** mr,
/usr/lib/@{multiarch}/qt3/lib*/lib*so* mr,
/usr/lib/@{multiarch}/qt3/plugins/** mr,
/usr/lib*/libqt-mt*so* mr,
/usr/lib*/libqui*so* mr,
/usr/lib/@{multiarch}/libqt-mt*so* mr,
/usr/lib/@{multiarch}/libqui*so* mr,
/usr/share/qt3/lib*/libqt-mt*so* mr,
/usr/share/qt3/lib*/libqui*so* mr,
# kde4
/usr/lib*/kde4/plugins/*/*.so mr,
/usr/lib*/kde4/plugins/*/ r,
/usr/lib*/kde4/lib*so* mr,
/usr/lib/@{multiarch}/kde4/plugins/*/*.so mr,
/usr/lib/@{multiarch}/kde4/plugins/*/ r,
/usr/lib/@{multiarch}/kde4/lib*so* mr,
/usr/lib*/qt4/lib*/lib*so* mr,
/usr/lib*/qt4/plugins/** mr,
/usr/lib/@{multiarch}/qt4/lib*/lib*so* mr,
/usr/lib/@{multiarch}/qt4/plugins/** mr,
/usr/share/qt4/** r,
# Include additions to the abstraction
include if exists <abstractions/kde.d>

15
etc/apparmor.d/abstractions/kde-globals-write Normal file
View File

@@ -0,0 +1,15 @@
# vim:syntax=apparmor
# Rules for changing KDE settings (for KFileDialog and other).
abi <abi/4.0>,
# User files
owner @{HOME}/.config/#[0-9]* rw,
owner @{HOME}/.config/kdeglobals rw,
owner @{HOME}/.config/kdeglobals.?????? rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/kdeglobals.lock rwk,
# Include additions to the abstraction
include if exists <abstractions/kde-globals-write.d>

12
etc/apparmor.d/abstractions/kde-icon-cache-write Normal file
View File

@@ -0,0 +1,12 @@
# vim:syntax=apparmor
# Rules for writing KDE icon cache
abi <abi/4.0>,
# User files
owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
# Include additions to the abstraction
include if exists <abstractions/kde-icon-cache-write.d>

18
etc/apparmor.d/abstractions/kde-language-write Normal file
View File

@@ -0,0 +1,18 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# Rules for changing per-application language settings on KDE. Some KDE
# applications have "Help -> Switch Application Language..." option, that needs
# write access to language settings file.
# User files
owner @{HOME}/.config/#[0-9]* rw,
owner @{HOME}/.config/klanguageoverridesrc rw,
owner @{HOME}/.config/klanguageoverridesrc.?????? rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/klanguageoverridesrc.lock rwk,
# Include additions to the abstraction
include if exists <abstractions/kde-language-write.d>

105
etc/apparmor.d/abstractions/kde-open5 Normal file
View File

@@ -0,0 +1,105 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via kde-open5 helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/kde-open5 directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/kde-open5 rPx -> foo//kde-open5,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//kde-open5 {
# include <abstractions/kde-open5>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # Add if accessibility access is considered as required
# # (for message box in case exo-open fails)
# include <abstractions/dbus-accessibility>
#
# # Add if audio support for message box is
# # considered as required.
# include if exists <abstractions/gstreamer>
#
# # < add additional allowed applications here >
# }
# ```
include <abstractions/audio> # for alert messages
include <abstractions/base>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-network-manager-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/kde-icon-cache-write>
include <abstractions/kde>
include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
include <abstractions/qt5>
include <abstractions/recent-documents-write>
include <abstractions/X>
# Main executables
/usr/bin/kde-open5 rix,
/usr/lib/@{multiarch}/libexec/kf5/kioslave{,5} ix,
# DBus
dbus
bus=session
interface=org.kde.KLauncher
member=start_service_by_desktop_path
peer=(name=org.kde.klauncher5),
# Denied system files
deny /usr/lib/vlc/plugins/* w, # VLC backed tries to create plugins.dat.16109
# libpcre2 on openSUSE tries to mmap() shared memory on directory.
# see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
# AppArmor does not allow to distinguish "real" file vs shared memory one,
# so we deny this path to protect from loading exploits from /tmp.
deny /tmp/#[0-9]*[0-9] m,
# System files
/dev/tty r,
/etc/xdg/accept-languages.codes r,
/etc/xdg/menus/{,*/} r,
/usr/share/*fonts*/conf.avail/*.conf r, # for openSUSE, when showing error message box
/usr/share/ghostscript/fonts/ r, # for openSUSE, when showing error message box
/usr/share/hwdata/pnp.ids r, # for openSUSE, when showing error message box, for QXcbConnection::initializeScreens() from libQt5XcbQpa.so
/usr/share/icu/[0-9]*.[0-9]*/*.dat r, # for openSUSE
/usr/share/kservices5/{,**} r, # for KProtocolManager::defaultUserAgent() from libKF5KIOCore.so
/usr/share/mime/ r,
/usr/share/mime/generic-icons r,
/usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
/usr/share/sounds/ r,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/random/boot_id r,
# User files
owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so
owner @{run}/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13
owner @{run}/user/[0-9]*/kioclient*slave-socket lrw -> @{run}/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
owner @{HOME}/.cache/kio_http/ rw,
# Include additions to the abstraction
include if exists <abstractions/kde-open5.d>

44
etc/apparmor.d/abstractions/kerberosclient Normal file
View File

@@ -0,0 +1,44 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# files required by kerberos client programs
/usr/lib{,32,64}/krb5/plugins/libkrb5/ r,
/usr/lib{,32,64}/krb5/plugins/libkrb5/* mr,
/usr/lib/@{multiarch}/krb5/plugins/libkrb5/ r,
/usr/lib/@{multiarch}/krb5/plugins/libkrb5/* mr,
/usr/lib{,32,64}/krb5/plugins/preauth/ r,
/usr/lib{,32,64}/krb5/plugins/preauth/* mr,
/usr/lib/@{multiarch}/krb5/plugins/preauth/ r,
/usr/lib/@{multiarch}/krb5/plugins/preauth/* mr,
/usr/lib{,32,64}/krb5/plugins/authdata/ r,
/usr/lib{,32,64}/krb5/plugins/authdata/* mr,
/usr/lib/@{multiarch}/krb5/plugins/authdata/ r,
/usr/lib/@{multiarch}/krb5/plugins/authdata/* mr,
/etc/krb5.keytab rk,
/etc/krb5.conf r,
/etc/krb5.conf.d/ r,
/etc/krb5.conf.d/* r,
# config files found via strings on libs
/etc/krb.conf r,
/etc/krb.realms r,
/etc/srvtab r,
# credential caches
/tmp/krb5cc* r,
# Include additions to the abstraction
include if exists <abstractions/kerberosclient.d>

29
etc/apparmor.d/abstractions/ldapclient Normal file
View File

@@ -0,0 +1,29 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2011 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# files required by LDAP clients (e.g. nss_ldap/pam_ldap)
/etc/ldap.conf r,
/etc/ldap.secret r,
/etc/openldap/* r,
/etc/openldap/cacerts/* r,
# SASL plugins and config
/etc/sasl2/* r,
/usr/lib{,32,64}/sasl2/* r,
# local LDAP name service daemon
@{run}/nslcd/socket rw,
include <abstractions/ssl_certs>
# Include additions to the abstraction
include if exists <abstractions/ldapclient.d>

24
etc/apparmor.d/abstractions/libpam-systemd Normal file
View File

@@ -0,0 +1,24 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2015-2016 Simon Deziel
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
include <abstractions/dbus-strict>
# libpam-systemd notifies systemd-logind about session logins/logouts
dbus send
bus=system
path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={CreateSession,ReleaseSession},
# Include additions to the abstraction
include if exists <abstractions/libpam-systemd.d>

18
etc/apparmor.d/abstractions/likewise Normal file
View File

@@ -0,0 +1,18 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/tmp/.lwidentity/pipe rw,
/var/lib/likewise-open/lwidentity_privileged/pipe rw,
# Include additions to the abstraction
include if exists <abstractions/likewise.d>

19
etc/apparmor.d/abstractions/mdns Normal file
View File

@@ -0,0 +1,19 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# mdnsd
/etc/mdns.allow r,
/etc/nss_mdns.conf r,
@{run}/mdnsd w,
# Include additions to the abstraction
include if exists <abstractions/mdns.d>

31
etc/apparmor.d/abstractions/mesa Normal file
View File

@@ -0,0 +1,31 @@
# vim:syntax=apparmor
# Rules for Mesa implementation of the OpenGL API
abi <abi/4.0>,
# System files
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
# Needed to check if the kernel supports the i915 perf interface
# (src/intel/perf/gen_perf.c, load_oa_metrics())
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
@{sys}/devices/@{pci_bus}/**/{revision,config} r,
# User files
owner @{HOME}/.cache/ w, # if user clears all caches
owner @{HOME}/.cache/mesa_shader_cache/ rw,
owner @{HOME}/.cache/mesa_shader_cache/index rw,
owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
# Fallback location when @{HOME}/.cache is not available
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/ rw,
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/index rw,
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
# Include additions to the abstraction
include if exists <abstractions/mesa.d>

22
etc/apparmor.d/abstractions/mir Normal file
View File

@@ -0,0 +1,22 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2015 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# mir libraries sometimes do not have a lib prefix
# see LP: #1422521
/usr/lib/@{multiarch}/mir/*.so* mr,
/usr/lib/@{multiarch}/mir/**/*.so* mr,
# unprivileged mir socket for clients
# Include additions to the abstraction
include if exists <abstractions/mir.d>

17
etc/apparmor.d/abstractions/mozc Normal file
View File

@@ -0,0 +1,17 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2016 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
unix (connect, receive, send) type=stream peer=(addr="@tmp/.mozc.*"),
# Include additions to the abstraction
include if exists <abstractions/mozc.d>

20
etc/apparmor.d/abstractions/mysql Normal file
View File

@@ -0,0 +1,20 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/var/lib/mysql{,d}/mysql{,d}.sock rw,
@{run}/mysql{,d}/mysql{,d}.sock rw,
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r,
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r,
# Include additions to the abstraction
include if exists <abstractions/mysql.d>

141
etc/apparmor.d/abstractions/nameservice Normal file
View File

@@ -0,0 +1,141 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# Many programs wish to perform nameservice-like operations, such as
# looking up users by name or id, groups by name or id, hosts by name
# or IP, etc. These operations may be performed through files, dns,
# NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
@{etc_ro}/group r,
@{etc_ro}/host.conf r,
@{etc_ro}/hosts r,
@{etc_ro}/nsswitch.conf r,
@{etc_ro}/gai.conf r,
@{etc_ro}/passwd r,
@{etc_ro}/protocols r,
# On systems with authselect installed, /etc/nsswitch.conf is a symlink to /etc/authselect/nsswitch.conf
@{etc_ro}/authselect/nsswitch.conf r,
# libtirpc (used for NIS/YP login) needs this
@{etc_ro}/netconfig r,
# When using libnss-extrausers, the passwd and group files are merged from
# an alternate path
/var/lib/extrausers/group r,
/var/lib/extrausers/passwd r,
# When using sssd, the passwd and group files are stored in an alternate path
# and the nss plugin also needs to talk to a pipe
/var/lib/sss/mc/group r,
/var/lib/sss/mc/initgroups r,
/var/lib/sss/mc/passwd r,
/var/lib/sss/pipes/nss rw,
@{etc_ro}/resolv.conf r,
# On systems where /etc/resolv.conf is managed programmatically, it is
# a symlink to @{run}/(whatever program is managing it)/resolv.conf.
@{run}/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
@{etc_ro}/resolvconf/run/resolv.conf r,
@{run}/systemd/resolve/stub-resolv.conf r,
/mnt/wsl/resolv.conf r,
@{etc_ro}/samba/lmhosts r,
@{etc_ro}/services r,
# db backend
/var/lib/misc/*.db r,
# The Name Service Cache Daemon can cache lookups, sometimes leading
# to vast speed increases when working with network-based lookups.
@{run}/.nscd_socket rw,
@{run}/nscd/socket rw,
/{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r,
# nscd renames and unlinks files in it's operation that clients will
# have open
@{run}/nscd/db* rmix,
# The nss libraries are sometimes used in addition to PAM; make sure
# they are available
/{usr/,}lib{,32,64}/libnss_*.so* mr,
/{usr/,}lib/@{multiarch}/libnss_*.so* mr,
@{etc_ro}/default/nss r,
# avahi-daemon is used for mdns4 resolution
@{run}/avahi-daemon/socket rw,
# libnl-3-200 via libnss-gw-name
@{PROC}/@{pid}/net/psched r,
@{etc_ro}/libnl-*/classid r,
# nis
include <abstractions/nis>
# ldap
include <abstractions/ldapclient>
# winbind
include <abstractions/winbind>
# likewise
include <abstractions/likewise>
# mdnsd
include <abstractions/mdns>
# kerberos
include <abstractions/kerberosclient>
#libnss-systemd
include <abstractions/nss-systemd>
# Also allow lookups for systemd-exec's DynamicUsers via D-Bus
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
dbus send
bus=system
path="/org/freedesktop/systemd1"
interface="org.freedesktop.systemd1.Manager"
member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}"
peer=(name="org.freedesktop.systemd1"),
# resolve
#
# Allow access to the safe members of the systemd-resolved D-Bus API:
#
# https://www.freedesktop.org/wiki/Software/systemd/resolved/
#
# This API may be used directly over the D-Bus system bus or it may be used
# indirectly via the nss-resolve plugin:
#
# https://www.freedesktop.org/software/systemd/man/nss-resolve.html
#
#include <abstractions/dbus-strict>
dbus send
bus=system
path="/org/freedesktop/resolve1"
interface="org.freedesktop.resolve1.Manager"
member="Resolve{Address,Hostname,Record,Service}"
peer=(name="org.freedesktop.resolve1"),
# TCP/UDP network access
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
# TODO: adjust when support finer-grained netlink rules
# Netlink raw needed for nscd
network netlink raw,
# interface details
@{PROC}/@{pid}/net/route r,
# Include additions to the abstraction
include if exists <abstractions/nameservice.d>

20
etc/apparmor.d/abstractions/nis Normal file
View File

@@ -0,0 +1,20 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# NIS rules
/var/yp/binding/* r,
# portmapper may ask root processes to do nis/ldap at low ports
capability net_bind_service,
# Include additions to the abstraction
include if exists <abstractions/nis.d>

31
etc/apparmor.d/abstractions/nss-systemd Normal file
View File

@@ -0,0 +1,31 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# libnss-systemd
#
# https://systemd.io/USER_GROUP_API/
# https://systemd.io/USER_RECORD/
# https://www.freedesktop.org/software/systemd/man/nss-systemd.html
#
# Allow User/Group lookups via common VarLink socket APIs. Applications need
# to either consult all of them or the io.systemd.Multiplexer frontend.
@{run}/systemd/userdb/ r,
@{run}/systemd/userdb/io.systemd.Multiplexer rw,
@{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users
@{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs
@{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS
@{run}/systemd/userdb/io.systemd.Machine rw, # systemd-machined
@{PROC}/sys/kernel/random/boot_id r,
include if exists <abstractions/nss-systemd.d>

40
etc/apparmor.d/abstractions/nvidia Normal file
View File

@@ -0,0 +1,40 @@
# vim:syntax=apparmor
# nvidia access requirements
abi <abi/4.0>,
# configuration queries
capability ipc_lock,
/etc/nvidia/nvidia-application-profiles* r,
/usr/share/nvidia/nvidia-application-profiles* r,
# libvdpau config file for nvidia workarounds
/etc/vdpau_wrapper.cfg r,
# device files
/dev/nvidiactl rw,
/dev/nvidia-modeset rw,
/dev/nvidia[0-9]* rw,
@{PROC}/interrupts r,
@{PROC}/sys/vm/max_map_count r,
@{PROC}/driver/nvidia/params r,
@{PROC}/modules r,
@{sys}/devices/system/memory/block_size_bytes r,
owner @{HOME}/.cache/nvidia/ w,
owner @{HOME}/.cache/nvidia/GLCache/ rw,
owner @{HOME}/.cache/nvidia/GLCache/** rwk,
owner @{HOME}/.nv/ w,
owner @{HOME}/.nv/GLCache/ rw,
owner @{HOME}/.nv/GLCache/** rwk,
owner @{HOME}/.nv/nvidia-application-profiles* r,
owner @{PROC}/@{pid}/comm r, # somehwere in libnvidia-glcore.so
unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),
unix (send, receive) type=dgram peer=(addr="@var/run/nvidia-xdriver-*"),
# Include additions to the abstraction
include if exists <abstractions/nvidia.d>

15
etc/apparmor.d/abstractions/opencl Normal file
View File

@@ -0,0 +1,15 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# OpenCL access requirements
# TODO: use conditionals to select allowed implementations
include <abstractions/opencl-intel>
include <abstractions/opencl-mesa>
include <abstractions/opencl-nvidia>
include <abstractions/opencl-pocl>
# Include additions to the abstraction
include if exists <abstractions/opencl.d>

16
etc/apparmor.d/abstractions/opencl-common Normal file
View File

@@ -0,0 +1,16 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# implementation-independent OpenCL access requirements
# System files
/etc/OpenCL/** r,
@{sys}/bus/pci/devices/ r, # libpocl.so -> libhwlock.so, libnvidia-opencl.so, beignet/libcl.so -> libdrm_intel.so
@{sys}/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so
@{sys}/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so
# Include additions to the abstraction
include if exists <abstractions/opencl-common.d>

23
etc/apparmor.d/abstractions/opencl-intel Normal file
View File

@@ -0,0 +1,23 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# OpenCL access requirements for Intel implementation
include <abstractions/opencl-common>
# for libcl.so (libOpenCL.so -> beignet/libcl.so calls XOpenDisplay())
include <abstractions/X>
# for libOpenCL.so -> beignet/libcl.so -> libpciaccess.so
include <abstractions/dri-enumerate>
# System files
/dev/dri/card[0-9]* rw, # beignet/libcl.so
@{sys}/devices/@{pci_bus}/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
/usr/lib/@{multiarch}/beignet/** r,
# Include additions to the abstraction
include if exists <abstractions/opencl-intel.d>

26
etc/apparmor.d/abstractions/opencl-mesa Normal file
View File

@@ -0,0 +1,26 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# OpenCL access requirements for Mesa implementation
include <abstractions/opencl-common>
# Additional libraries
/usr/lib/@{multiarch}/gallium-pipe/*.so mr, # libMesaOpenCL.so
/usr/lib{,64}/gallium-pipe/*.so mr, # libMesaOpenCL.so on openSUSE
# System files
/dev/dri/ r, # libMesaOpenCL.so -> libdrm.so
/dev/dri/render* rw, # libMesaOpenCL.so
/etc/drirc r, # libMesaOpenCL.so
# User files
owner @{HOME}/.cache/mesa_shader_cache/{,**} rw, # libMesaOpenCL.so -> pipe_nouveau.so
# Include additions to the abstraction
include if exists <abstractions/opencl-mesa.d>

36
etc/apparmor.d/abstractions/opencl-nvidia Normal file
View File

@@ -0,0 +1,36 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# OpenCL access requirements for NVIDIA implementation
include <abstractions/nvidia>
include <abstractions/opencl-common>
# Executables
# https://github.com/NVIDIA/nvidia-modprobe
# This setuid executable is used to create various device files and load the
# the nvidia kernel module.
/usr/bin/nvidia-modprobe Px -> nvidia_modprobe,
# System files
# libnvidia-opencl.so rules:
/dev/nvidia-uvm rw,
/dev/nvidia-uvm-tools rw,
@{sys}/devices/@{pci_bus}/**/config r,
@{sys}/devices/system/memory/block_size_bytes r,
/usr/share/nvidia/** r,
@{PROC}/devices r,
@{PROC}/sys/vm/mmap_min_addr r,
# User files
owner @{HOME}/.nv/ComputeCache/ w,
owner @{HOME}/.nv/ComputeCache/** rw,
owner @{HOME}/.nv/ComputeCache/index rwk,
# Include additions to the abstraction
include if exists <abstractions/opencl-nvidia.d>

81
etc/apparmor.d/abstractions/opencl-pocl Normal file
View File

@@ -0,0 +1,81 @@
# vim:syntax=apparmor
# OpenCL access requirements for POCL implementation
abi <abi/4.0>,
include <abstractions/opencl-common>
# Executables
/usr/bin/{,@{multiarch}-}ld.bfd Cx -> opencl_pocl_ld,
/usr/lib/llvm-[0-9]*.[0-9]*/bin/clang Cx -> opencl_pocl_clang,
# System files
/ r, # libpocl.so -> libhwloc.so
@{sys}/bus/pci/slots/ r, # libpocl.so -> hwloc_topology_load() from libhwloc.so
@{sys}/bus/{cpu,node}/devices/ r, # libpocl.so -> libhwlock.so
@{sys}/class/net/ r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
@{sys}/devices/@{pci_bus}/**/ r, # for libpocl -> hwloc_linux_lookup_block_class() from libhwloc.so
@{sys}/devices/@{pci_bus}/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so
@{sys}/devices/@{pci_bus}/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so
@{sys}/devices/@{pci_bus}/*/net/*/address r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
@{sys}/devices/system/cpu/ r, # libpocl.so -> libnuma.so
@{sys}/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/* r, # libpocl.so -> libhwloc.so
@{sys}/devices/system/cpu/cpu[0-9]*/online r, # libpocl.so -> libhwlock.so
@{sys}/devices/system/cpu/cpu[0-9]*/topology/* r, # *_siblings, physical_package_id and lot's of others, for libpocl.so -> libhwloc.so
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/* r, # for clGetPlatformIDs() from libpocl.so
@{sys}/devices/system/cpu/possible r, # libpocl.so -> libhwloc.so
@{sys}/devices/virtual/dmi/id/{,*} r, # libpocl.so -> libhwloc.so
@{sys}/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so
@{sys}/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so
/usr/share/pocl/** r,
@{run}/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so
# User files
owner @{HOME}/.cache/pocl/ w,
owner @{HOME}/.cache/pocl/kcache/ w,
owner @{HOME}/.cache/pocl/kcache/** rw,
owner @{HOME}/.cache/pocl/kcache/**.so mrw, # dangerous!
owner @{PROC}/@{pid}/{cgroup,cpuset,status} r, # libpocl.so -> libhwloc.so, status for libpocl.so -> libnuma.so
# Child profiles
profile opencl_pocl_ld {
include <abstractions/base>
# Main executables
/usr/bin/{,@{multiarch}-}ld.bfd mr,
# User files
owner @{HOME}/.cache/pocl/kcache/tempfile*.so rw,
owner @{HOME}/.cache/pocl/kcache/**.so.o r,
}
profile opencl_pocl_clang {
include <abstractions/base>
# Main executables
/usr/lib/llvm-[0-9]*.[0-9]*/bin/clang mr,
# Additional executables
/usr/bin/{,@{multiarch}-}ld.bfd ix, # TODO: transfer to opencl_ld child profile?
# System files
/etc/debian-version r,
/etc/lsb-release r,
# User files
owner @{HOME}/.cache/pocl/kcache/*/*/*/*/*.so{,.o} rw,
}
# Include additions to the abstraction
include if exists <abstractions/opencl-pocl.d>

20
etc/apparmor.d/abstractions/openssl Normal file
View File

@@ -0,0 +1,20 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2011 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/etc/ssl/openssl.cnf r,
/etc/ssl/openssl-*.cnf r,
/etc/ssl/{engdef*,engines*}.d/ r,
/etc/ssl/{engdef*,engines*}.d/*.cnf r,
/usr/share/ssl/openssl.cnf r,
# Include additions to the abstraction
include if exists <abstractions/openssl.d>

10
etc/apparmor.d/abstractions/orbit2 Normal file
View File

@@ -0,0 +1,10 @@
# vim:syntax=apparmor
# orbit2 permissions
abi <abi/4.0>,
# system library
/usr/lib/orbit-2.0/*.so mr,
# Include additions to the abstraction
include if exists <abstractions/orbit2.d>

32
etc/apparmor.d/abstractions/p11-kit Normal file
View File

@@ -0,0 +1,32 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/etc/pkcs11/ r,
/etc/pkcs11/pkcs11.conf r,
/etc/pkcs11/modules/ r,
/etc/pkcs11/modules/* r,
/usr/lib{,32,64}/pkcs11/*.so mr,
/usr/lib/@{multiarch}/pkcs11/*.so mr,
/usr/share/p11-kit/modules/ r,
/usr/share/p11-kit/modules/* r,
# gnome-keyring pkcs11 module
owner @{run}/user/[0-9]*/keyring*/pkcs11 rw,
# p11-kit also supports reading user configuration from ~/.pkcs11 depending
# on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
# included in this abstraction.
# Include additions to the abstraction
include if exists <abstractions/p11-kit.d>

28
etc/apparmor.d/abstractions/perl Normal file
View File

@@ -0,0 +1,28 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# a few files typically required for perl scripts
/usr/bin/perl rmix,
/usr/bin/perl[0-9].[0-9].[0-9] rmix,
/usr/lib{,32,64}/perl5/** r,
/usr/lib{,32,64}/perl{,5}/**.so* mr,
/usr/lib/@{multiarch}/perl{,5,-base}/** r,
/usr/lib/@{multiarch}/perl{,5,-base}/[0-9]*/**.so* mr,
/usr/share/perl/** r,
/usr/share/perl5/** r,
/etc/perl/** r,
# Include additions to the abstraction
include if exists <abstractions/perl.d>

43
etc/apparmor.d/abstractions/php Normal file
View File

@@ -0,0 +1,43 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2009-2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# shared snippets for config files
/etc/php{,5,7,8}/** r,
# Xlibs
/usr/X11R6/lib{,32,64}/lib*.so* mr,
# php extensions
/usr/lib{64,}/php{,5,7,8}/*/*.so mr,
# ICU (unicode support) data tables
/usr/share/icu/*/*.dat r,
# php session mmap socket
/var/lib/php{,5,7,8}/session_mm_* rwlk,
# file based session handler
/var/lib/php{,5,7,8}/sess_* rwlk,
/var/lib/php{,5,7,8}/sessions/* rwlk,
# php libraries
/usr/share/php{,5,7,8}/ r,
/usr/share/php{,5,7,8}/** mr,
# MySQL extension
/usr/share/mysql/** r,
# Zend opcache
/tmp/.ZendSem.* rwlk,
# Include additions to the abstraction
include if exists <abstractions/php.d>

22
etc/apparmor.d/abstractions/php-worker Normal file
View File

@@ -0,0 +1,22 @@
# vim:syntax=apparmor
# This file contains basic permissions for php-fpm workers
abi <abi/4.0>,
# load common libraries and their support files
include <abstractions/base>
# common php files and support files that php needs
include <abstractions/php>
signal (receive) peer=php-fpm,
# This is some php opcaching file
/tmp/.ZendSem.* rwk,
# I think this is adaptive memory management
/sys/devices/system/node/* r,
/sys/devices/system/node/*/meminfo r,
/sys/devices/system/node/ r,
include if exists <abstractions/php-worker.d>

8
etc/apparmor.d/abstractions/php5 Normal file
View File

@@ -0,0 +1,8 @@
#backwards compatibility include, actual abstraction moved from php5 to php
abi <abi/4.0>,
include <abstractions/php>
# Include additions to the abstraction
include if exists <abstractions/php5.d>

45
etc/apparmor.d/abstractions/postfix-common Normal file
View File

@@ -0,0 +1,45 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2015-2018 Canonical, Ltd.
# Copyright (C) 2020-2021 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# used with postfix/*
abi <abi/4.0>,
capability setuid,
capability setgid,
capability sys_chroot,
# postfix's master can send us signals
signal receive peer=postfix-master,
unix (send, receive) peer=(label=postfix-master),
/etc/mailname r,
/etc/postfix/*.cf r,
/etc/postfix/*.db rk,
/etc/postfix/*.lmdb rk,
@{PROC}/net/if_inet6 r,
/usr/lib/postfix/*.so mr,
/usr/lib{,32,64}/sasl2/* mr,
/usr/lib{,32,64}/sasl2/ r,
/usr/lib/@{multiarch}/sasl2/* mr,
/usr/lib/@{multiarch}/sasl2/ r,
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
/var/spool/postfix/etc/* r,
/var/spool/postfix/lib/lib*.so* mr,
/var/spool/postfix/lib/@{multiarch}/lib*.so* mr,
/etc/postfix/dynamicmaps.cf.d/ r,
# Include additions to the abstraction
include if exists <abstractions/postfix-common.d>

52
etc/apparmor.d/abstractions/private-files Normal file
View File

@@ -0,0 +1,52 @@
# vim:syntax=apparmor
# privacy-violations contains rules for common files that you want to
# explicitly deny access
abi <abi/4.0>,
# privacy violations (don't audit files under $HOME otherwise get a
# lot of false positives when reading contents of directories)
deny @{HOME}/.*history mrwkl,
deny @{HOME}/.fetchmail* mrwkl,
deny @{HOME}/.mutt** mrwkl,
deny @{HOME}/.viminfo* mrwkl,
deny @{HOME}/.*~ mrwkl,
deny @{HOME}/.*.swp mrwkl,
deny @{HOME}/.*~1~ mrwkl,
deny @{HOME}/.*.bak mrwkl,
# special attention to (potentially) executable files
audit deny @{HOME}/bin/{,**} wl,
audit deny @{HOME}/.config/ w,
audit deny @{HOME}/.config/autostart/{,**} wl,
audit deny @{HOME}/.config/upstart/{,**} wl,
audit deny @{HOME}/.init/{,**} wl,
audit deny @{HOME}/.kde{,4}/ w,
audit deny @{HOME}/.kde{,4}/Autostart/{,**} wl,
audit deny @{HOME}/.kde{,4}/env/{,**} wl,
audit deny @{HOME}/.local/{,share/} w,
audit deny @{HOME}/.local/share/thumbnailers/{,**} wl,
audit deny @{HOME}/.pki/ w,
audit deny @{HOME}/.pki/nssdb/{,*.so{,.[0-9]*}} wl,
# don't allow reading/updating of run control files
deny @{HOME}/.*rc mrk,
audit deny @{HOME}/.*rc wl,
# bash
deny @{HOME}/.bash* mrk,
audit deny @{HOME}/.bash* wl,
deny @{HOME}/.inputrc mrk,
audit deny @{HOME}/.inputrc wl,
# sh/dash/csh/tcsh/pdksh/zsh
deny @{HOME}/.{,z}profile* mrk,
audit deny @{HOME}/.{,z}profile* wl,
deny @{HOME}/.{,z}log{in,out} mrk,
audit deny @{HOME}/.{,z}log{in,out} wl,
deny @{HOME}/.zshenv mrk,
audit deny @{HOME}/.zshenv wl,
# Include additions to the abstraction
include if exists <abstractions/private-files.d>

30
etc/apparmor.d/abstractions/private-files-strict Normal file
View File

@@ -0,0 +1,30 @@
# vim:syntax=apparmor
# privacy-violations-strict contains additional rules for sensitive
# files that you want to explicitly deny access
abi <abi/4.0>,
include <abstractions/private-files>
# potentially extremely sensitive files
audit deny @{HOME}/.aws/{,**} mrwkl,
audit deny @{HOME}/.gnupg/{,**} mrwkl,
audit deny @{HOME}/.ssh/{,**} mrwkl,
audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
audit deny @{HOME}/.gnome2/ w,
audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
# don't allow access to any gnome-keyring modules
audit deny @{run}/user/[0-9]*/keyring** mrwkl,
audit deny @{HOME}/.mozilla/{,**} mrwkl,
audit deny @{HOME}/.config/ w,
audit deny @{HOME}/.config/chromium/{,**} mrwkl,
audit deny @{HOME}/.config/evolution/{,**} mrwkl,
audit deny @{HOME}/.evolution/{,**} mrwkl,
audit deny @{HOME}/.{,mozilla-}thunderbird/{,**} mrwkl,
audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
audit deny @{HOME}/.local/share/kwalletd/{,**} mrwkl,
# Include additions to the abstraction
include if exists <abstractions/private-files-strict.d>

49
etc/apparmor.d/abstractions/python Normal file
View File

@@ -0,0 +1,49 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/{usr/,}bin/ r,
/{usr/,}bin/python{2.[4-7],3,3.[0-9],3.1[0-9]} r,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so,so.*[0-9]} mr,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/**/ r,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.dist-info/{METADATA,namespace_packages.txt} r,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.VERSION r,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.egg-info/PKG-INFO r,
/usr/{local/,}lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so mr,
# Site-wide configuration
/etc/python{2.[4-7],3.[0-9],3.1[0-9]}/** r,
# shared python paths
/usr/share/{pyshared,pycentral,python-support}/** r,
/{var,usr}/lib/{pyshared,pycentral,python-support}/** r,
/usr/lib/{pyshared,pycentral,python-support}/**.so mr,
/var/lib/{pyshared,pycentral,python-support}/**.pyc mr,
/usr/lib/python3/dist-packages/**.so mr,
# wx paths
/usr/lib/wx/python/*.pth r,
# python build configuration and headers
/usr/include/python{2.[4-7],3.[0-9],3.1[0-9]}*/pyconfig.h r,
owner @{HOME}/.local/lib/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so} mr,
owner @{HOME}/.local/lib/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r,
owner @{HOME}/.local/lib/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r,
owner @{HOME}/.local/lib/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/**/ r,
# Include additions to the abstraction
include if exists <abstractions/python.d>

27
etc/apparmor.d/abstractions/qt5 Normal file
View File

@@ -0,0 +1,27 @@
# vim:syntax=apparmor
# Common rules for Qt5-based applications
abi <abi/4.0>,
# Additional libraries
/usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr,
/usr/lib{,64,/@{multiarch}}/qt5/qml/**.so mr,
/usr/lib{,64,/@{multiarch}}/qt5/qml/**.{qmlc,jsc} mr, # Precompiled QML/JavaScript modules
# System files
/etc/xdg/QtProject/qtlogging.ini r,
/usr/share/qt5/translations/*.qm r,
/usr/lib{,64,/@{multiarch}}/qt5/plugins/** r,
/usr/lib{,64,/@{multiarch}}/qt5/qml/** r,
# User files
owner @{HOME}/.config/QtProject/qtlogging.ini r,
owner @{HOME}/.config/QtProject.conf r, # common settings for QFileDialog, etc (application might need write access)
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r, # for "platforminputcontexts" plugins
# Include additions to the abstraction
include if exists <abstractions/qt5.d>

13
etc/apparmor.d/abstractions/qt5-compose-cache-write Normal file
View File

@@ -0,0 +1,13 @@
# vim:syntax=apparmor
# Allow writing cache for Qt5 "platforminputcontexts" plugins
abi <abi/4.0>,
# User files
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
# Include additions to the abstraction
include if exists <abstractions/qt5-compose-cache-write.d>

16
etc/apparmor.d/abstractions/qt5-settings-write Normal file
View File

@@ -0,0 +1,16 @@
# vim:syntax=apparmor
# Allow writing shared settings for Qt-based applications
abi <abi/4.0>,
# User files
owner @{HOME}/.config/#[0-9]*[0-9] rw,
owner @{HOME}/.config/QtProject.conf rwl -> @{HOME}/.config/#[0-9]*[0-9],
# for temporary files like QtProject.conf.Aqrgeb
owner @{HOME}/.config/QtProject.conf.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9],
owner @{HOME}/.config/QtProject.conf.lock rwk,
# Include additions to the abstraction
include if exists <abstractions/qt5-settings-write.d>

15
etc/apparmor.d/abstractions/recent-documents-write Normal file
View File

@@ -0,0 +1,15 @@
# vim:syntax=apparmor
# Allow updating recent documents
abi <abi/4.0>,
# User files
owner @{HOME}/.local/share/RecentDocuments/ rw,
owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*,
owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
# Include additions to the abstraction
include if exists <abstractions/recent-documents-write.d>

26
etc/apparmor.d/abstractions/ruby Normal file
View File

@@ -0,0 +1,26 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/ r,
/usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/**.rb r,
/usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/*-linux/**.so mr,
/usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/ r,
/usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/**.rb r,
/usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/*-linux/**.so mr,
/usr/lib{,32,64}/ruby/gems/1.[89]{.[0-9],}/ r,
/usr/lib{,32,64}/ruby/gems/1.[89]{.[0-9],}/** r,
# Include additions to the abstraction
include if exists <abstractions/ruby.d>

42
etc/apparmor.d/abstractions/samba Normal file
View File

@@ -0,0 +1,42 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009-2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/etc/samba/* r,
/etc/gnutls/config r,
/usr/lib*/ldb/*.so mr,
/usr/lib*/ldb2/*.so mr,
/usr/lib*/ldb2/modules/ldb/*.so mr,
/usr/lib*/samba/ldb/*.so mr,
/usr/share/samba/*.dat r,
/usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
/var/cache/samba/ w,
/var/cache/samba/lck/* rwk,
/var/lib/samba/** rwk,
/var/log/samba/cores/ rw,
/var/log/samba/cores/** rw,
/var/log/samba/* rw,
@{run}/{,lock/}samba/ w,
@{run}/{,lock/}samba/*.tdb rwk,
@{run}/{,lock/}samba/msg.{lock,sock}/ rwk,
@{run}/{,lock/}samba/msg.{lock,sock}/[0-9]* rwk,
/var/cache/samba/*.tdb rwk,
/var/cache/samba/msg.lock/ rwk,
/var/cache/samba/msg.lock/[0-9]* rwk,
# required for clustering
/var/lib/ctdb/** rwk,
deny capability net_admin, # noisy setsockopt() calls from systemd
# Include additions to the abstraction
include if exists <abstractions/samba.d>

30
etc/apparmor.d/abstractions/samba-rpcd Normal file
View File

@@ -0,0 +1,30 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2022 SUSE LLC
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim:syntax=apparmor
# This file contains basic permissions for samba rpcd_xyz services
abi <abi/4.0>,
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/samba>
capability setgid,
capability setuid,
signal receive set=term peer=smbd,
@{PROC}/sys/kernel/core_pattern r,
owner @{PROC}/@{pid}/fd/ r,
# Include additions to the abstraction
include if exists <abstractions/samba-rpcd.d>

18
etc/apparmor.d/abstractions/smbpass Normal file
View File

@@ -0,0 +1,18 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# libpam-smbpass/pam_smbpass.so permissions
/var/lib/samba/*.[lt]db rwk,
# Include additions to the abstraction
include if exists <abstractions/smbpass.d>

39
etc/apparmor.d/abstractions/snap_browsers Normal file
View File

@@ -0,0 +1,39 @@
profile snap_browsers {
include if exists <abstractions/snap_browsers.d>
include <abstractions/base>
include <abstractions/dbus-session-strict>
/etc/passwd r,
/etc/nsswitch.conf r,
/etc/fstab r,
# noisy
deny owner /run/user/[0-9]*/gdm/Xauthority r, # not needed on Ubuntu
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrix, # re-exec
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/info r,
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snapd r,
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-seccomp rPix,
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-confine Pix,
/var/lib/snapd/system-key r,
/run/snapd.socket rw,
@{PROC}/version r,
@{PROC}/cmdline r,
@{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/kernel/seccomp/actions_avail r,
@{PROC}/sys/kernel/random/uuid r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{HOME}/.snap/auth.json r, # if exists, required
dbus send bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="StartTransientUnit" peer=(name="org.freedesktop.systemd1"),
dbus receive bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="JobRemoved",
/sys/kernel/security/apparmor/features/ r,
# allow launching official browser snaps.
/snap/{brave,chromium,firefox,opera}/[0-9]*/meta/{snap.yaml,hooks/} r,
/var/lib/snapd/sequence/{brave,chromium,firefox,opera}.json r,
/var/lib/snapd/inhibit/{brave,chromium,firefox,opera}.lock rk,
}

46
etc/apparmor.d/abstractions/ssl_certs Normal file
View File

@@ -0,0 +1,46 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2010-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/etc/ca-certificates/{,**} r,
/etc/{,libre}ssl/ r,
/etc/{,libre}ssl/cert.pem r,
/etc/{,libre}ssl/certs/{,**} r,
/{etc,usr/share}/pki/bl[ao]cklist/{,*} r,
/{etc,usr/share}/pki/trust/{,*} r,
/{etc,usr/share}/pki/trust/{bl[oa]cklist,anchors}/{,**} r,
/usr/share/ca-certificates/{,**} r,
/usr/share/ssl/certs/ca-bundle.crt r,
/usr/local/share/ca-certificates/{,**} r,
/var/lib/ca-certificates/{,**} r,
# acmetool
/var/lib/acme/certs/*/chain r,
/var/lib/acme/certs/*/cert r,
# dehydrated
/{etc,var/lib}/dehydrated/certs/*/cert*.pem r,
/{etc,var/lib}/dehydrated/certs/*/chain*.pem r,
/{etc,var/lib}/dehydrated/certs/*/fullchain*.pem r,
/{etc,var/lib}/dehydrated/certs/*/ocsp*.der r,
# certbot
/etc/letsencrypt/archive/*/cert*.pem r,
/etc/letsencrypt/archive/*/chain*.pem r,
/etc/letsencrypt/archive/*/fullchain*.pem r,
/etc/certbot/archive/*/cert*.pem r,
/etc/certbot/archive/*/chain*.pem r,
/etc/certbot/archive/*/fullchain*.pem r,
# Include additions to the abstraction
include if exists <abstractions/ssl_certs.d>

35
etc/apparmor.d/abstractions/ssl_keys Normal file
View File

@@ -0,0 +1,35 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# private ssl permissions
# Just include the whole /etc/ssl directory if we should have access to
# private keys too
/etc/ssl/ r,
/etc/ssl/** r,
# acmetool
/var/lib/acme/live/* r,
/var/lib/acme/certs/** r,
/var/lib/acme/keys/** r,
# dehydrated
/{etc,var/lib}/dehydrated/certs/*/privkey*.pem r,
# certbot / letsencrypt
/etc/letsencrypt/archive/*/privkey*.pem r,
/etc/certbot/archive/*/privkey*.pem r,
# Include additions to the abstraction
include if exists <abstractions/ssl_keys.d>

57
etc/apparmor.d/abstractions/svn-repositories Normal file
View File

@@ -0,0 +1,57 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# This little snippet should abstract the read/write access to a repository.
# it is intended to be included in profiles for svnserve/apache2 and maybe
# some repository viewers like trac/viewvc
# no hooks exec by default; please define whatever you need explicitly.
/srv/svn/**/conf/* r,
/srv/svn/**/format r,
/srv/svn/**/db/fs-type r,
/srv/svn/**/db/format r,
# FSFS
/srv/svn/**/db/ r,
/srv/svn/**/db/uuid r,
/srv/svn/**/db/write-lock rwl,
/srv/svn/**/db/current rwl,
/srv/svn/**/db/current*.tmp rwl,
/srv/svn/**/db/revs/ r,
/srv/svn/**/db/revs/* rw,
/srv/svn/**/db/revprops/ r,
/srv/svn/**/db/revprops/* rw,
/srv/svn/**/db/transactions/** rw,
# BDB
/srv/svn/**/db/DB_CONFIG r,
/srv/svn/**/db/__db.[0-9]* rwl,
/srv/svn/**/db/log.[0-9]* rwl,
/srv/svn/**/db/nodes rwl,
/srv/svn/**/db/revisions rwl,
/srv/svn/**/db/transactions rwl,
/srv/svn/**/db/copies rwl,
/srv/svn/**/db/changes rwl,
/srv/svn/**/db/representations rwl,
/srv/svn/**/db/strings rwl,
/srv/svn/**/db/uuids rwl,
/srv/svn/**/db/locks rwl,
/srv/svn/**/db/lock-tokens rwl,
# temp files
/tmp/apr* rwl,
/var/tmp/apr* rwl,
/tmp/report*.tmp rwl,
# Include additions to the abstraction
include if exists <abstractions/svn-repositories.d>

153
etc/apparmor.d/abstractions/transmission-common Normal file
View File

@@ -0,0 +1,153 @@
# vim:syntax=apparmor
# LOGPROF-SUGGEST: no
# Author: Daniel Richard G. <skunk@iSKUNK.ORG>
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/nameservice>
include <abstractions/openssl>
network inet dgram,
network inet6 dgram,
network netlink dgram,
network inet stream,
network inet6 stream,
dbus (bind)
bus=session
name=com.transmissionbt.Transmission,
dbus (bind)
bus=session
name=com.transmissionbt.transmission_*,
dbus (receive)
bus=session
path=/ca/desrt/dconf/Writer/user
interface=ca.desrt.dconf.Writer
member=Notify,
dbus (send)
bus=session
path=/ca/desrt/dconf/Writer/user
interface=ca.desrt.dconf.Writer
member=Change
peer=(name=ca.desrt.dconf),
dbus (receive)
bus=accessibility
path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties
member=Set,
dbus (send)
bus=accessibility
path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry),
dbus (send)
bus=accessibility
path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=GetRegisteredEvents
peer=(name=org.a11y.atspi.Registry),
dbus (send)
bus=accessibility
path=/org/a11y/atspi/registry/deviceeventcontroller
interface=org.a11y.atspi.DeviceEventController
member={GetDeviceEventListeners,GetKeystrokeListeners}
peer=(name=org.a11y.atspi.Registry),
dbus (send)
bus={accessibility,session}
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={AddMatch,GetNameOwner,Hello,ReleaseName,RemoveMatch,RequestName,StartServiceByName}
peer=(name=org.freedesktop.DBus),
dbus (send)
bus=session
interface=org.freedesktop.DBus.Introspectable
path=/StatusNotifierWatcher
member=Introspect
peer=(name=org.kde.StatusNotifierWatcher),
dbus (send)
bus=session
interface=org.freedesktop.DBus.Properties
path=/StatusNotifierWatcher
member=Get
peer=(name=org.kde.StatusNotifierWatcher),
dbus (send)
bus=session
interface=org.freedesktop.DBus.Properties
path=/org/a11y/bus
member=Get
peer=(name=org.a11y.Bus),
dbus (send)
bus=system
interface=org.freedesktop.DBus.Properties
path=/org/freedesktop/hostname1
member=GetAll,
dbus (send)
bus=session
interface=org.freedesktop.Notifications
path=/org/freedesktop/Notifications
member={GetCapabilities,Notify},
dbus (send)
bus=session
path=/org/gtk/Private/RemoteVolumeMonitor
interface=org.gtk.Private.RemoteVolumeMonitor
member={IsSupported,List},
dbus (send)
bus=session
path=/org/gtk/vfs/Daemon
interface=org.gtk.vfs.Daemon
member={GetConnection,ListMonitorImplementations},
dbus (send)
bus=session
path=/org/gtk/vfs/mount/[1-9]*
interface=org.gtk.vfs.Mount
member={CreateFileMonitor,Enumerate,QueryInfo},
dbus (receive)
bus=session
path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=Mounted,
dbus (send)
bus=session
path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member={ListMountableInfo,ListMounts2,LookupMount},
@{PROC}/sys/kernel/random/uuid r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{run}/user/@{uid}/gvfsd/socket-* rw,
@{etc_ro}/fstab r,
@{system_share_dirs}/hwdata/** r,
@{system_share_dirs}/lxqt/** r,
owner /tmp/tr_session_id_* rwk,
# allow a top-level directory listing
@{HOME}/ r,
owner @{HOME}/.cache/transmission/ w,
owner @{HOME}/.cache/transmission/** rw,
owner @{HOME}/.config/transmission/ w,
owner @{HOME}/.config/transmission/** rw,
owner @{HOME}/.config/lxqt/lxqt.conf r,
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/** rw,
# exclude these for now
deny /usr/share/thumbnailers/ r,
deny @{HOME}/.local/share/gvfs-metadata/** r,
deny @{HOME}/.config/lxqt/** rw,
include if exists <abstractions/transmission-common.d>

75
etc/apparmor.d/abstractions/trash Normal file
View File

@@ -0,0 +1,75 @@
abi <abi/4.0>,
# requires <tunables/home>
owner @{HOME}/.config/trashrc rw,
owner @{HOME}/.config/trashrc.lock rwk,
owner @{HOME}/.config/#[0-9]*[0-9] rwk,
owner @{HOME}/.config/trashrc.* rwl -> @{HOME}/.config/#[0-9]*[0-9],
owner @{run}/user/@{uid}/#[0-9]*[0-9] rw,
owner @{run}/user/@{uid}/trash.so*.[0-9].slave-socket rwl -> @{run}/user/@{uid}/#[0-9]*[0-9],
# Home trash location
owner @{HOME}/.local/share/Trash/ rw,
owner @{HOME}/.local/share/Trash/#[0-9]*[0-9] rw,
owner @{HOME}/.local/share/Trash/directorysizes{,.*} rwl -> @{HOME}/.local/share/Trash/#[0-9]*[0-9],
owner @{HOME}/.local/share/Trash/files/{,**} rw,
owner @{HOME}/.local/share/Trash/info/ rw,
owner @{HOME}/.local/share/Trash/info/*.trashinfo{,.*} rw,
owner @{HOME}/.local/share/Trash/expunged/ rw,
owner @{HOME}/.local/share/Trash/expunged/[0-9]* rw,
owner @{HOME}/.local/share/Trash/expunged/[0-9]*/ rw,
owner @{HOME}/.local/share/Trash/expunged/[0-9]*/** rw,
# Partitions' trash location when the admin creates the .Trash/ folder in the top lvl dir
owner /media/*/.Trash/ rw,
owner /media/*/.Trash/@{uid}/ rw,
owner /media/*/.Trash/@{uid}/#[0-9]*[0-9] rw,
owner /media/*/.Trash/@{uid}/directorysizes{,.*} rwl -> /media/*/.Trash/@{uid}/#[0-9]*[0-9],
owner /media/*/.Trash/@{uid}/files/{,**} rw,
owner /media/*/.Trash/@{uid}/info/ rw,
owner /media/*/.Trash/@{uid}/info/*.trashinfo{,.*} rw,
owner /media/*/.Trash/@{uid}/expunged/ rw,
owner /media/*/.Trash/@{uid}/expunged/[0-9]* rw,
owner /media/*/.Trash/@{uid}/expunged/[0-9]*/ rw,
owner /media/*/.Trash/@{uid}/expunged/[0-9]*/** rw,
# Partitions' trash location when the admin doesn't create the .Trash/ folder in the top lvl dir
owner /media/*/.Trash-@{uid}/ rw,
owner /media/*/.Trash-@{uid}/#[0-9]*[0-9] rw,
owner /media/*/.Trash-@{uid}/directorysizes{,.*} rwl -> /media/*/.Trash-@{uid}/#[0-9]*[0-9],
owner /media/*/.Trash-@{uid}/files/{,**} rw,
owner /media/*/.Trash-@{uid}/info/ rw,
owner /media/*/.Trash-@{uid}/info/*.trashinfo{,.*} rw,
owner /media/*/.Trash-@{uid}/expunged/ rw,
owner /media/*/.Trash-@{uid}/expunged/[0-9]* rw,
owner /media/*/.Trash-@{uid}/expunged/[0-9]*/ rw,
owner /media/*/.Trash-@{uid}/expunged/[0-9]*/** rw,
# Removable media's trash location when the admin creates the .Trash/ folder in the top lvl dir
owner /media/*/*/.Trash/ rw,
owner /media/*/*/.Trash/@{uid}/ rw,
owner /media/*/*/.Trash/@{uid}/#[0-9]*[0-9] rw,
owner /media/*/*/.Trash/@{uid}/directorysizes{,.*} rwl -> /media/*/*/.Trash/@{uid}/#[0-9]*[0-9],
owner /media/*/*/.Trash/@{uid}/files/{,**} rw,
owner /media/*/*/.Trash/@{uid}/info/ rw,
owner /media/*/*/.Trash/@{uid}/info/*.trashinfo{,.*} rw,
owner /media/*/*/.Trash/@{uid}/expunged/ rw,
owner /media/*/*/.Trash/@{uid}/expunged/[0-9]* rw,
owner /media/*/*/.Trash/@{uid}/expunged/[0-9]*/ rw,
owner /media/*/*/.Trash/@{uid}/expunged/[0-9]*/** rw,
# Removable media's trash location when the admin doesn't create the .Trash/ folder in the top lvl dir
owner /media/*/*/.Trash-@{uid}/ rw,
owner /media/*/*/.Trash-@{uid}/#[0-9]*[0-9] rw,
owner /media/*/*/.Trash-@{uid}/directorysizes{,.*} rwl -> /media/*/*/.Trash-@{uid}/#[0-9]*[0-9],
owner /media/*/*/.Trash-@{uid}/files/{,**} rw,
owner /media/*/*/.Trash-@{uid}/info/ rw,
owner /media/*/*/.Trash-@{uid}/info/*.trashinfo{,.*} rw,
owner /media/*/*/.Trash-@{uid}/expunged/ rw,
owner /media/*/*/.Trash-@{uid}/expunged/[0-9]* rw,
owner /media/*/*/.Trash-@{uid}/expunged/[0-9]*/ rw,
owner /media/*/*/.Trash-@{uid}/expunged/[0-9]*/** rw,
include if exists <abstractions/trash.d>

22
etc/apparmor.d/abstractions/ubuntu-bittorrent-clients Normal file
View File

@@ -0,0 +1,22 @@
# vim:syntax=apparmor
#
# abstraction for allowing graphical bittorrent clients in Ubuntu
#
# Users of this abstraction need to include the ubuntu-helpers abstraction
# in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers>
abi <abi/4.0>,
/usr/bin/azureus Cxr -> sanitized_helper,
/usr/bin/bitstormlite Cxr -> sanitized_helper,
/usr/bin/btmaketorrentgui Cxr -> sanitized_helper,
/usr/bin/deluge{,-gtk,-console} Cxr -> sanitized_helper,
/usr/bin/gnome-btdownload Cxr -> sanitized_helper,
/usr/bin/kget Cxr -> sanitized_helper,
/usr/bin/ktorrent Cxr -> sanitized_helper,
/usr/bin/qbittorrent Cxr -> sanitized_helper,
/usr/bin/transmission{,-gtk,-qt,-cli} Cxr -> sanitized_helper,
# Include additions to the abstraction
include if exists <abstractions/ubuntu-bittorrent-clients.d>

41
etc/apparmor.d/abstractions/ubuntu-browsers Normal file
View File

@@ -0,0 +1,41 @@
# vim:syntax=apparmor
#
# abstraction for allowing access to graphical browsers in Ubuntu
#
# Users of this abstraction need to include the ubuntu-helpers abstraction
# in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers>
abi <abi/4.0>,
/usr/bin/arora Cx -> sanitized_helper,
/usr/bin/dillo Cx -> sanitized_helper,
/usr/bin/Dooble Cx -> sanitized_helper,
/usr/bin/epiphany Cx -> sanitized_helper,
/usr/bin/epiphany-browser Cx -> sanitized_helper,
/usr/bin/epiphany-webkit Cx -> sanitized_helper,
/usr/lib/fennec-*/fennec Cx -> sanitized_helper,
/usr/bin/kazehakase Cx -> sanitized_helper,
/usr/bin/konqueror Cx -> sanitized_helper,
/usr/bin/midori Cx -> sanitized_helper,
/usr/bin/netsurf Cx -> sanitized_helper,
/usr/bin/seamonkey Cx -> sanitized_helper,
/usr/bin/sensible-browser Pixr,
/usr/bin/chromium{,-browser} Cx -> sanitized_helper,
/usr/lib{,64}/chromium{,-browser}/chromium{,-browser} Cx -> sanitized_helper,
# this should cover all firefox browsers and versions (including shiretoko
# and abrowser)
/usr/bin/firefox Cxr -> sanitized_helper,
/usr/lib{,64}/firefox*/firefox* Cx -> sanitized_helper,
# Iceweasel
/usr/bin/iceweasel Cxr -> sanitized_helper,
/usr/lib/iceweasel/iceweasel Cx -> sanitized_helper,
# some unpackaged, but popular browsers
/usr/lib/icecat-*/icecat Cx -> sanitized_helper,
/usr/bin/opera Cx -> sanitized_helper,
/opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} Cx -> sanitized_helper,
/opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Cx -> sanitized_helper,

26
etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser Normal file
View File

@@ -0,0 +1,26 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# Author: Jamie Strandboge <jamie@canonical.com>
# For site-specific adjustments, please see:
# /etc/apparmor.d/local/chromium-browser
abi <abi/4.0>,
include <abstractions/ubuntu-browsers.d/plugins-common>
include <abstractions/ubuntu-browsers.d/mailto>
include <abstractions/ubuntu-browsers.d/multimedia>
include <abstractions/ubuntu-browsers.d/productivity>
include <abstractions/ubuntu-browsers.d/java>
include <abstractions/ubuntu-browsers.d/kde>
include <abstractions/ubuntu-browsers.d/text-editors>
include <abstractions/ubuntu-browsers.d/ubuntu-integration>
include <abstractions/ubuntu-browsers.d/user-files>

120
etc/apparmor.d/abstractions/ubuntu-browsers.d/java Normal file
View File

@@ -0,0 +1,120 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# Java plugin
owner @{HOME}/.java/deployment/deployment.properties k,
/etc/java-*/ r,
/etc/java-*/** r,
/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}lib/*/IcedTeaPlugin.so mr,
/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}lib/*/IcedTeaPlugin.so mr,
/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java cx -> browser_openjdk,
/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java cx -> browser_openjdk,
/usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java,
/usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java,
/usr/lib/j2*-ibm/jre/bin/java cx -> browser_java,
owner /{,var/}run/user/*/icedteaplugin-*/ rw,
owner /{,var/}run/user/*/icedteaplugin-*/** rwk,
# Profile for the supported OpenJDK in Ubuntu. This doesn't require the
# unfortunate workarounds of the proprietary Javas, so have a separate
# profile.
profile browser_openjdk {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/gnome>
include <abstractions/kde>
include <abstractions/nameservice>
include <abstractions/ssl_certs>
include <abstractions/user-tmp>
include <abstractions/private-files-strict>
network inet stream,
network inet6 stream,
@{PROC}/@{pid}/net/if_inet6 r,
@{PROC}/@{pid}/net/ipv6_route r,
/etc/java-*/ r,
/etc/java-*/** r,
/etc/lsb-release r,
/etc/ssl/certs/java/* r,
/etc/timezone r,
/etc/writable/timezone r,
@{PROC}/@{pid}/ r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/filesystems r,
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/** r,
/usr/share/** r,
/var/lib/dbus/machine-id r,
/usr/bin/env ix,
/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java ix,
/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java ix,
/usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/i386/client/classes.jsa m,
# Why would java need this?
deny /usr/bin/gconftool-2 x,
owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-appletviewer-to-plugin rw,
owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-plugin-{,debug-}to-appletviewer r,
owner @{HOME}/ r,
owner @{HOME}/** rwk,
}
# Profile for commercial Javas. These need workarounds to work right (eg
# Sun's forcing of an executable stack (LP: #535247)).
profile browser_java {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/gnome>
include <abstractions/kde>
include <abstractions/nameservice>
include <abstractions/ssl_certs>
include <abstractions/user-tmp>
include <abstractions/private-files-strict>
network inet stream,
network inet6 stream,
@{PROC}/@{pid}/net/if_inet6 r,
@{PROC}/@{pid}/net/ipv6_route r,
@{PROC}/loadavg r,
/etc/debian_version r,
/etc/java-*/ r,
/etc/java-*/** r,
/etc/lsb-release r,
/etc/ssl/certs/java/* r,
/etc/timezone r,
/etc/writable/timezone r,
@{PROC}/@{pid}/ r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/filesystems r,
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/** r,
/usr/share/** r,
/var/lib/dbus/machine-id r,
/usr/bin/env ix,
/usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} ix,
/usr/lib/jvm/java-*-sun-1.*/jre/lib/i386/client/classes.jsa m,
/usr/lib/j2*-ibm/jre/bin/java ix,
# noisy, can't write here anyway
deny /etc/.java/ w,
deny /etc/.java/** w,
deny /usr/bin/gconftool-2 x,
owner @{HOME}/ r,
owner @{HOME}/** rwk,
# These are seriously unfortunate, but required due to LP: #535247
/etc/passwd m,
owner @{HOME}/.java/**/cache/** m,
owner /tmp/** m,
/usr/lib{,32,64}/jvm/**/*.jar mr,
/usr/share/fonts/** m,
}

12
etc/apparmor.d/abstractions/ubuntu-browsers.d/kde Normal file
View File

@@ -0,0 +1,12 @@
# vim:syntax=apparmor
# Users of this abstraction need to include the ubuntu-helpers abstraction
# in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers>
abi <abi/4.0>,
include <abstractions/kde>
/usr/bin/kde4-config Cx -> sanitized_helper,
# https://bugs.kde.org/show_bug.cgi?id=397399
/usr/bin/plasma-browser-integration-host Cx -> sanitized_helper,

11
etc/apparmor.d/abstractions/ubuntu-browsers.d/mailto Normal file
View File

@@ -0,0 +1,11 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# for mailto:
include <abstractions/ubuntu-email>
include <abstractions/ubuntu-console-email>
# Terminals for using console applications. These abstractions should ideally
# have 'ix' to restrct access to what only firefox is allowed to do
include <abstractions/ubuntu-gnome-terminal>

51
etc/apparmor.d/abstractions/ubuntu-browsers.d/multimedia Normal file
View File

@@ -0,0 +1,51 @@
# vim:syntax=apparmor
# Users of this abstraction need to include the ubuntu-helpers abstraction
# in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers>
abi <abi/4.0>,
include <abstractions/X>
# Pulseaudio
/usr/bin/pulseaudio Pixr,
# Image viewers
/usr/bin/eog Cxr -> sanitized_helper,
/usr/bin/gimp* Cxr -> sanitized_helper,
/usr/bin/shotwell Cxr -> sanitized_helper,
/usr/bin/digikam Cxr -> sanitized_helper,
/usr/bin/gwenview Cxr -> sanitized_helper,
include <abstractions/ubuntu-media-players>
owner @{HOME}/.adobe/ w,
owner @{HOME}/.adobe/** rw,
owner @{HOME}/.macromedia/ w,
owner @{HOME}/.macromedia/** rw,
/opt/real/RealPlayer/mozilla/nphelix.so rm,
/usr/bin/lpstat Cxr -> sanitized_helper,
/usr/bin/lpr Cxr -> sanitized_helper,
# Bittorrent clients
include <abstractions/ubuntu-bittorrent-clients>
# Archivers
/usr/bin/ark Cxr -> sanitized_helper,
/usr/bin/file-roller Cxr -> sanitized_helper,
/usr/bin/xarchiver Cxr -> sanitized_helper,
/usr/local/lib{,32,64}/*.so* mr,
# News feed readers
include <abstractions/ubuntu-feed-readers>
# If we allow the above, nvidia based systems will also need this
include <abstractions/nvidia>
# Virus scanners
/usr/bin/clamscan Cx -> sanitized_helper,
# gxine (LP: #1057642)
/var/lib/xine/gxine.desktop r,
# For WebRTC camera access (LP: #1665535)
/dev/video[0-9]* rw,

18
etc/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common Normal file
View File

@@ -0,0 +1,18 @@
# vim:syntax=apparmor
abi <abi/4.0>,
#
# Plugins/helpers
#
@{PROC}/@{pid}/fd/ r,
/usr/lib/** rm,
/{,usr/}bin/bash ixr,
/{,usr/}bin/dash ixr,
/{,usr/}bin/grep ixr,
/{,usr/}bin/sed ixr,
/usr/bin/m4 ixr,
# Since all the ubuntu-browsers.d abstractions need this, just include it
# here
include <abstractions/ubuntu-helpers>

26
etc/apparmor.d/abstractions/ubuntu-browsers.d/productivity Normal file
View File

@@ -0,0 +1,26 @@
# vim:syntax=apparmor
# Users of this abstraction need to include the ubuntu-helpers abstraction
# in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers>
abi <abi/4.0>,
# Openoffice.org
/usr/bin/ooffice Cxr -> sanitized_helper,
/usr/bin/oocalc Cxr -> sanitized_helper,
/usr/bin/oodraw Cxr -> sanitized_helper,
/usr/bin/ooimpress Cxr -> sanitized_helper,
/usr/bin/oowriter Cxr -> sanitized_helper,
/usr/lib/openoffice/program/soffice Cxr -> sanitized_helper,
# LibreOffice
/usr/bin/libreoffice Cxr -> sanitized_helper,
/usr/bin/localc Cxr -> sanitized_helper,
/usr/bin/lodraw Cxr -> sanitized_helper,
/usr/bin/loimpress Cxr -> sanitized_helper,
/usr/bin/lowriter Cxr -> sanitized_helper,
/usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper,
# PDFs
/usr/bin/evince Cxr -> sanitized_helper,
/usr/bin/okular Cxr -> sanitized_helper,

16
etc/apparmor.d/abstractions/ubuntu-browsers.d/text-editors Normal file
View File

@@ -0,0 +1,16 @@
# vim:syntax=apparmor
# Users of this abstraction need to include the ubuntu-helpers abstraction
# in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers>
abi <abi/4.0>,
# Text editors (It's All Text [https://addons.mozilla.org/en-US/firefox/addon/4125])
/usr/bin/emacsclient.emacs-snapshot Cxr -> sanitized_helper,
/usr/bin/emacsclient.emacs2[2-9] Cxr -> sanitized_helper,
/usr/bin/emacs-snapshot-gtk Cxr -> sanitized_helper,
/usr/bin/gedit Cxr -> sanitized_helper,
/usr/bin/vim.gnome Cxr -> sanitized_helper,
/usr/bin/leafpad Cxr -> sanitized_helper,
/usr/bin/mousepad Cxr -> sanitized_helper,
/usr/bin/kate Cxr -> sanitized_helper,

37
etc/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration Normal file
View File

@@ -0,0 +1,37 @@
# vim:syntax=apparmor
# Users of this abstraction need to include the ubuntu-helpers abstraction
# in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers>
abi <abi/4.0>,
# Apport
/usr/bin/apport-bug Cx -> sanitized_helper,
# Package installation
/usr/bin/apturl Cxr -> sanitized_helper,
/usr/share/software-center/software-center Cxr -> sanitized_helper,
# Input Methods
/usr/bin/scim Cx -> sanitized_helper,
/usr/bin/scim-bridge Cx -> sanitized_helper,
# File managers
/usr/bin/nautilus Cxr -> sanitized_helper,
/usr/bin/{t,T}hunar Cxr -> sanitized_helper,
/usr/bin/dolphin Cxr -> sanitized_helper,
# Themes
/usr/bin/gnome-appearance-properties Cxr -> sanitized_helper,
# Kubuntu
/usr/lib/mozilla/kmozillahelper Cxr -> sanitized_helper,
# Exo-aware applications
include <abstractions/exo-open>
# unity webapps integration. Could go in its own abstraction
owner /run/user/*/dconf/user rw,
owner @{HOME}/.local/share/unity-webapps/availableapps*.db rwk,
/usr/bin/debconf-communicate Cxr -> sanitized_helper,
owner @{HOME}/.config/libaccounts-glib/accounts.db rk,

Some files were not shown because too many files have changed in this diff Show More