From: Tomas Mudrunka Date: Sun, 22 Jan 2012 19:03:18 +0000 (+0100) Subject: more logprof tuning... X-Git-Url: https://git.harvie.cz/?a=commitdiff_plain;h=badba64050a197bf984938d469ab40b36a2e6017;p=mirrors%2FAppArmor-Profiles.git more logprof tuning... --- diff --git a/home.harvie.Work.bash-offline.sh b/home.harvie.Work.bash-offline.sh index c2abf33..fd16cfd 100644 --- a/home.harvie.Work.bash-offline.sh +++ b/home.harvie.Work.bash-offline.sh @@ -1,6 +1,14 @@ -# Last Modified: Thu Jan 19 09:45:04 2012 -#include - +# Last Modified: Fri Jan 20 21:18:46 2012 /home/harvie/Work/bash-offline.sh { - /** rixwmkl, + deny capability chown, + deny capability net_raw, + deny capability setgid, + deny capability setuid, + deny capability sys_ptrace, + deny capability sys_resource, + + + + /** mrwlkix, + } diff --git a/usr.bin.makepkg b/usr.bin.makepkg index eddc4c2..5fd9e34 100644 --- a/usr.bin.makepkg +++ b/usr.bin.makepkg @@ -1,4 +1,4 @@ -# Last Modified: Wed Jan 18 13:58:35 2012 +# Last Modified: Sun Jan 22 20:02:45 2012 # This profile is made for users that are building # AUR packages from untrusted PKGBUILDs often @@ -9,8 +9,10 @@ #include #include - /** rix, - /etc/** r, + + + / rix, + /** rkix, /home/*/.ccache/** rwix, /home/*/{Temp,Work/PKGBUILDs}/** rw, /tmp/** rwkix, diff --git a/usr.bin.pidgin b/usr.bin.pidgin index feef7bf..1d52578 100644 --- a/usr.bin.pidgin +++ b/usr.bin.pidgin @@ -1,4 +1,4 @@ -# Last Modified: Wed Jan 18 12:29:15 2012 +# Last Modified: Thu Jan 19 19:56:19 2012 # ------------------------------------------------------------------ # # Copyright (C) 2002-2005 Novell/SUSE @@ -37,6 +37,7 @@ /opt/MozillaFirefox/bin/firefox.sh Px, /opt/kde/share/** r, /opt/kde3/bin/kde-config mrix, + /sys/devices/system/cpu/* r, owner /tmp/** rwlk, /tmp/** m, /usr/X11R6/lib/Acrobat*/Resource/Font/* r, diff --git a/usr.lib.chromium.chromium b/usr.lib.chromium.chromium index e1344ad..fb9bf23 100644 --- a/usr.lib.chromium.chromium +++ b/usr.lib.chromium.chromium 
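Review bot: The six added `deny capability ...` lines in home.harvie.Work.bash-offline.sh also silence logging, because AppArmor does not audit accesses blocked by an explicit `deny` rule. Capabilities with no allow rule are already refused in enforce mode, so the practical effect is quieter logs rather than tighter confinement. If attempts to use these capabilities should stay visible for detection, write them as `audit deny capability sys_ptrace,` and likewise for the others. The new `/** mrwlkix,` rule carries the same permissions as the old `/** rixwmkl,`, so file access stays effectively unconfined; a one-line comment stating what the profile is meant to block would help.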
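Review bot: The new `/** rkix,` rule in usr.bin.makepkg lets anything started from a PKGBUILD read every file the user can read, which includes SSH and GPG keys and browser profiles under /home, even though the file's header says the profile targets untrusted PKGBUILDs. The removed `/** rix,` already had this reach and the hunk only adds `k`, so the gap is not new, but it is left unaddressed. Consider `#include <abstractions/private-files-strict>` (assuming the stripped includes already pull in tunables/global) or explicit lines such as `audit deny /home/*/.ssh/** mrwkl,` next to the wildcard. The `ix` in `/ rix,` looks unintended, since `/` matches only the root directory itself; `/ r,` would be enough.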
@@ -1,11 +1,12 @@ -# Last Modified: Wed Jan 18 18:05:11 2012 +# Last Modified: Fri Jan 20 21:18:46 2012 # Author: Thomas Mudrunka #include -/usr/lib/chromium/chromium { +/usr/lib/chromium/chromium flags=(complain) { #include #include + #include #include #include #include @@ -27,15 +28,19 @@ /bin/ps mrix, /dev/shm/* rw, /etc/** r, - /home/*/* r, - /home/*/.adobe/**/ rw, + /home/*/* rwk, + /home/*/.adobe/** rw, /home/*/.cache/chromium/** rw, /home/*/.cups/* r, /home/*/.icons/** r, + /home/*/.local/share/** r, /home/*/.macromedia/** rw, - /home/*/.mozilla/** r, + /home/*/.mozilla/** rwk, /home/*/.pki/** rwk, /home/*/.themes/** r, + /home/*/Desktop/ r, + /home/*/Desktop/* rw, + /home/*/Downloads/ r, /home/*/Downloads/** rw, /home/*/Work/GIT/plugins/chrome-extensions/** r, /home/*/private/dotfiles/.config/chromium/** mrwk, @@ -44,10 +49,16 @@ /proc/ r, /proc/** rw, /sys/** r, - /tmp/* r, + owner /tmp/** lk, + /tmp/** rw, + /usr/bin/gpg mrix, + /usr/bin/xdg-open rix, + /usr/bin/xdg-settings rix, /usr/lib/chromium/chromium rix, /usr/lib/chromium/chromium-sandbox rix, + /usr/lib/chromium/nacl_helper_bootstrap rix, /usr/lib/lib*so* mr, + /usr/lib/totem/totem-plugin-viewer rix, /var/db/nscd/* r, /var/tmp/* rw,
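Review bot: `flags=(complain)` on the profile header means none of the rules in usr.lib.chromium.chromium are enforced any more; violations are only logged. That fits a logprof training pass, but nothing in the file says it is temporary, so the committed profile can easily be deployed as it stands. I would add a comment above the header such as `# NOTE: complain mode only while tuning with logprof; run aa-enforce before relying on this profile`, or drop the flag before committing.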
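Review bot: Widening `/home/*/* r,` to `/home/*/* rwk,` lets the browser write every top-level file in any user's home directory, including shell startup files such as `.bashrc` and `.profile`, and write access there amounts to running code outside the profile at the next login. The same hunk raises `/home/*/.mozilla/** r,` to `rwk`, and neither rule carries `owner`, unlike the `owner /tmp/** lk,` rule added in the following hunk. Unless logprof showed a concrete need, I would keep the broad rules read-only and grant writes per file, e.g. `owner /home/*/* r,` and `owner /home/*/.mozilla/** r,`. These look like suggestions accepted while the profile was in complain mode, so it is worth checking which logged accesses actually prompted them.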