Merge branch 'feat/update' of https://github.com/Jeroen0494/apparmor.d
…into Jeroen0494-feat/update

* 'feat/update' of https://github.com/Jeroen0494/apparmor.d:
  signal to socket
  Add kstart, XDG KDE updates
  Plank profile
  containerd and KDE updates
roddhjav committed Nov 29, 2023
2 parents 5944206 + d042526 commit f06f01a
Showing 8 changed files with 67 additions and 2 deletions.
1 change: 1 addition & 0 deletions apparmor.d/groups/freedesktop/xdg-mime
Expand Up @@ -21,6 +21,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
@{bin}/cut rix,
@{bin}/file rix,
@{bin}/head rix,
@{bin}/ktraderclient5 rPUx,
@{bin}/mv rix,
@{bin}/readlink rix,
@{bin}/sed rix,
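Review bot: `@{bin}/ktraderclient5 rPUx,` falls back to running ktraderclient5 unconfined whenever no profile of that name is loaded, which is a weaker guarantee than the `rPx` this same commit uses for kreadconfig5 in xdg-settings. If a ktraderclient5 profile is, or is going to be, shipped in this tree, `@{bin}/ktraderclient5 rPx,` pins the transition; otherwise a one-line comment above the rule stating why the unconfined fallback is acceptable would help the next reader. The xdg-mime profile body begins and ends outside the hunk.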
1 change: 1 addition & 0 deletions apparmor.d/groups/freedesktop/xdg-settings
Expand Up @@ -19,6 +19,7 @@ profile xdg-settings @{exec_path} {
@{bin}/basename rix,
@{bin}/cat rix,
@{bin}/cut rix,
@{bin}/kreadconfig5 rPx,
@{bin}/mktemp rix,
@{bin}/mv rix,
@{bin}/readlink rix,
2 changes: 1 addition & 1 deletion apparmor.d/groups/kde/kglobalaccel5
Expand Up @@ -15,7 +15,7 @@ profile kglobalaccel5 @{exec_path} {

@{exec_path} mr,

@{bin}/kstart rPUx,
@{bin}/kstart rPx,

/usr/share/hwdata/*.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
4 changes: 4 additions & 0 deletions apparmor.d/groups/kde/ksmserver
Expand Up @@ -20,6 +20,10 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/X-strict>

signal (send) set=(usr1,term) peer=kscreenlocker-greet,

unix (connect, receive, send, accept)
type=stream
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),

@{exec_path} mr,

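--- a/apparmor.d/groups/kde/kstart
+++ b/apparmor.d/groups/kde/kstart
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/kstart
+profile kstart @{exec_path} flags=(complain,attach_disconnected) {
+include <abstractions/base>
+include <abstractions/nameservice-strict>
+include <abstractions/fontconfig-cache-read>
+include <abstractions/fonts>
+
+unix (connect, send, receive) type=stream peer=(addr="@/tmp/.ICE-unix/4979"),
+
+@{exec_path} mr,
+/{usr/,}bin/** rPUx,
+/{usr/,}bin/konsole rUx,
+
+@{HOME}.Xauthority r,
+
+include if exists <local/kstart>
+}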
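Review bot: The unix rule `peer=(addr="@/tmp/.ICE-unix/4979")` hard-codes what looks like the socket name of one particular session (the ICE abstract socket is normally named after the session manager's PID), so the rule will stop matching as soon as ksmserver runs under a different PID; the ksmserver change in this same commit already uses `@/tmp/.ICE-unix/[0-9]*`, and this profile should use the same pattern: `unix (connect, send, receive) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),`. Separately, `/{usr/,}bin/** rPUx,` together with `/{usr/,}bin/konsole rUx,` means anything kstart launches runs unconfined whenever no matching profile is loaded, and konsole does so unconditionally, even though kglobalaccel5 now enters this profile via `rPx`; if a konsole profile exists in the tree, `rPUx` (or `rPx`) for konsole keeps the chain confined. The other hunks in this commit address binaries through `@{bin}`, so `@{bin}/** rPUx,` and `@{bin}/konsole` would match the tree's convention. Because the profile is flagged `complain`, these rules only log for now, but the fixed socket address would presumably show up as a spurious denial in every later session.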
3 changes: 2 additions & 1 deletion apparmor.d/groups/virt/containerd
Expand Up @@ -42,7 +42,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
umount @{run}/netns/cni-@{uuid},

signal (receive) set=term peer={dockerd,k3s},
signal (send) set=kill peer=cni-calico,
signal (send) set=kill peer={containerd-shim-runc-v2,cni-calico},

@{exec_path} mr,

Expand Down Expand Up @@ -91,6 +91,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
/tmp/cri-containerd.apparmor.d[0-9]* rwl,
/tmp/ctd-volume[0-9]*/{,**} rw,

@{sys}/fs/cgroup/kubepods/** r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@{sys}/kernel/security/apparmor/profiles r,
@{sys}/module/apparmor/parameters/enabled r,
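Review bot: `@{sys}/fs/cgroup/kubepods/** r,` in the second hunk grants read on entries beneath kubepods/ but not on the directory itself, whereas the rules around it in this commit use the `{,**}` form (for example `/tmp/ctd-volume[0-9]*/{,**} rw,` a few lines above) when the directory also needs to be listed; if containerd enumerates that cgroup, `@{sys}/fs/cgroup/kubepods/{,**} r,` is the consistent form. Presumably this path was captured under the cgroupfs driver; with the systemd cgroup driver the hierarchy is laid out under kubepods.slice/ instead, so it may be worth confirming which layouts the rule is meant to cover. The containerd profile body continues outside both hunks.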
1 change: 1 addition & 0 deletions apparmor.d/groups/virt/containerd-shim-runc-v2
Expand Up @@ -23,6 +23,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
ptrace (read) peer=unconfined,

signal (send) set=kill peer=cri-containerd.apparmor.d,
signal (receive) set=kill peer=containerd,

mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
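--- a/apparmor.d/profiles-m-r/plank
+++ b/apparmor.d/profiles-m-r/plank
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/plank
+profile plank @{exec_path} flags=(complain) {
+include <abstractions/base>
+include <abstractions/app-launcher-user>
+include <abstractions/dbus-session-strict>
+include <abstractions/dconf>
+include <abstractions/freedesktop.org>
+include <abstractions/fontconfig-cache-read>
+include <abstractions/fonts>
+include <abstractions/gtk>
+
+@{exec_path} rm,
+
+unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*", label="{xorg,xkbcomp}"),
+
+@{user_config_dirs}/plank/{,**} rw,
+/usr/{,local/}share/plank/{,**} r,
+
+/usr/{,local/}share/mime/mime.cache r,
+/var/lib/flatpak/exports/share/icons/{,**} r,
+/var/lib/flatpak/exports/share/mime/mime.cache r,
+
+include if exists <local/plank>
+}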
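Review bot: `@{user_config_dirs}/plank/{,**} rw,` carries no `owner` qualifier, so the profile states that plank may write any user's plank configuration rather than only the invoking user's; `owner @{user_config_dirs}/plank/{,**} rw,` is the tighter form unless cross-user access is genuinely needed (DAC still applies, but the profile should express the intended scope). Also, `@{exec_path} rm,` is functionally the same as, but spelled differently from, the `@{exec_path} mr,` used by every other profile touched in this commit, so `@{exec_path} mr,` keeps the tree uniform. With the profile in complain mode, tightening these now only changes what gets logged.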
