discord-canary apparmor stuff
# vim:syntax=apparmor
# Read/map access to the /usr/local counterparts of paths that
# abstractions/base already covers under /usr and /lib.  AppArmor rules
# are unordered, so they are grouped here by purpose rather than by path.

# Locale catalogues, timezone database and X11 locale files.
/usr/local/share/locale{,-bundle,-langpack}/** r,
/usr/local/share/**/locale/** r,
/usr/local/share/X11/locale/** r,
/usr/local/share/zoneinfo/{,**} r,
/usr/local/lib{,32,64}/locale/** mr,

# Character-set conversion modules (gconv) and their module index.
/usr/local/lib{,32,64}/gconv/{*.so,gconv-modules*} mr,
/usr/local/lib/@{multiarch}/gconv/{*.so,gconv-modules*} mr,

# Dynamic loader, including the 32-bit TLS variants.
/{usr/local/,}lib{,32,64}/ld{,32,64}-*.so mr,
/{usr/local/,}lib/@{multiarch}/ld{,32,64}-*.so mr,
/{usr/local/,}lib/{,i386-linux-gnu/}tls/i686/{cmov,nosegneg}/ld-*.so mr,

# Shared libraries under /usr/local: everything readable, .so files mappable.
/usr/local/lib{,32,64}/** r,
/usr/local/lib{,32,64}/**.so* mr,
/usr/local/lib/@{multiarch}/** r,
/usr/local/lib/@{multiarch}/**.so* mr,
/usr/local/lib/{,i386-linux-gnu/}tls/i686/{cmov,nosegneg}/*.so* mr,

# FIPS-140-2 builds of some crypto libraries read an integrity-check
# (.hmac) file next to the library and abort if it is unreadable.
/usr/local/lib{,32,64}/.lib*.so*.hmac r,
/usr/local/lib/@{multiarch}/.lib*.so*.hmac r,

# License texts that some applications display.
/usr/local/share/common-licenses/** r,

# Vulkan configuration (system-wide and per-user), libdrm's amdgpu id
# table and the OpenSC configuration file.
/etc/vulkan/** r,
/usr{,/local}/share/vulkan/** r,
owner @{HOME}/.local/share/vulkan/** r,
/usr{,/local}/share/libdrm/amdgpu.ids r,
/etc/opensc/opensc.conf r,
#include <tunables/global>
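# Profile for the Discord Canary (Electron/Chromium) main binary.
# Rules are unordered and deny rules override allow rules, so the explicit
# deny entries below always win over the broader grants around them.
/usr/share/discord-canary/DiscordCanary {
# Alternative header while tuning: log denials instead of enforcing them.
#/usr/share/discord-canary/DiscordCanary flags=(complain) {
#include <abstractions/X>
#include <abstractions/gtk>
#include <abstractions/ibus>
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/audio>
#include <abstractions/consoles>
#include <abstractions/mesa>
#include <abstractions/dbus-session>
#include <abstractions/nameservice>
#include <abstractions/freedesktop.org>
#include <abstractions/private-files>

# ptrace: processes under this same profile may trace/read each other, and
# Steam may be read.  Reads of the listed browsers/players and of any
# unconfined process are denied explicitly so they fail quietly rather than
# showing up as unexpected denials.
# NOTE(review): together with the non-owner cmdline reads further down this
# looks like process discovery (game detection) — confirm before narrowing.
ptrace (trace,read) peer=/usr/share/discord-canary/DiscordCanary,
ptrace (read) peer=/usr/games/steam,
deny ptrace (read) peer=/usr/lib/firefox/firefox,
deny ptrace (read) peer=/usr/share/spotify/spotify,
deny ptrace (read) peer=unconfined,

# Capabilities.  These are broad (sys_admin especially); presumably they are
# needed by the bundled Chromium sandbox helper, which runs under this same
# profile via the 'ix' rule below.  Verify each one against audit logs
# before extending this list.
capability sys_admin,
capability sys_chroot,
capability sys_ptrace,
capability setgid,

# Application tree: readable, and its executables inherit this profile.
/usr/share/discord-canary/** rix,

# Per-user state; only files owned by the invoking user.
owner @{HOME}/.config/{discord,discordcanary}/ rw,
owner @{HOME}/.config/{discord,discordcanary}/** rwkm,
# NSS certificate database (read + lock).  This wildcard already covers
# cert9.db and pkcs11.txt, so they need no separate rule.
owner @{HOME}/.pki/nssdb/* rk,

# procfs.  Command lines of every process are readable (deliberately not
# owner-restricted); everything else is limited to the user's own processes.
# The uid_map/gid_map/setgroups writes are the usual user-namespace setup.
@{PROC}/ r,
@{PROC}/[0-9]*/cmdline r,
owner @{PROC}/[0-9]*/stat r,
owner @{PROC}/[0-9]*/statm r,
owner @{PROC}/[0-9]*/fd/ r,
owner @{PROC}/[0-9]*/task/ r,
owner @{PROC}/[0-9]*/task/[0-9]*/status r,
owner @{PROC}/[0-9]*/clear_refs w,
owner @{PROC}/[0-9]*/setgroups w,
owner @{PROC}/[0-9]*/gid_map w,
owner @{PROC}/[0-9]*/uid_map w,
owner @{PROC}/[0-9]*/oom_score_adj w,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/sys/kernel/yama/ptrace_scope r,

# sysfs and device nodes; video devices are writable for camera use.
@{sys}/bus/pci/devices/ r,
@{sys}/devices/** r,
/dev/ r,
/dev/video[0-9]* rw,

# Chromium scratch space.  'owner' keeps the app out of another user's
# directories and shared-memory segments that happen to use the same names;
# Chromium creates these itself, so the restriction should be transparent.
/tmp/ r,
/var/tmp/ r,
owner /tmp/.org.chromium.Chromium.*/ rw,
owner /tmp/.org.chromium.Chromium.*/** rw,
owner /dev/shm/.org.chromium.Chromium.* rw,
owner /tmp/scoped_dir*/ rw,
owner /tmp/scoped_dir*/** rw,

# Compiled GSettings schemas, per-user dconf state and the Discord IPC socket.
/usr{,/local}/share/glib-2.0/schemas/gschemas.compiled r,
owner /run/user/*/discord-ipc-* rw,
owner /run/user/*/dconf/user rw,
owner @{HOME}/.config/dconf/user rw,
}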