From 3c53e6916113049b969f0e8fd71c45e504b66252 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 17 Mar 2026 07:42:05 +0000 Subject: [PATCH] Replace blanket capability, with specific capabilities in all AppArmor profiles Remove overly permissive blanket `capability,` rule (grants ALL Linux capabilities) from 107 addon AppArmor profiles. Replace with only the specific capabilities each addon needs based on its config.yaml `privileged` field. Base capabilities for all addons: setuid, setgid, chown, fowner, dac_override Additional capabilities mapped from config.yaml privileged list: - SYS_ADMIN -> sys_admin - DAC_READ_SEARCH -> dac_read_search - NET_ADMIN -> net_admin - NET_RAW -> net_raw - SYS_RAWIO -> sys_rawio - SYS_TIME -> sys_time - SYS_RESOURCE -> sys_resource Addons with full_access: true (portainer_agent) retain blanket capability. Co-authored-by: alexbelgium <44178713+alexbelgium@users.noreply.github.com> --- arpspoof/apparmor.txt | 14 +++++++------- autobrr/apparmor.txt | 14 +++++++------- baikal/apparmor.txt | 12 +++++------- battybirdnet-pi/apparmor.txt | 14 +++++++------- bazarr/apparmor.txt | 14 +++++++------- binance-trading-bot/apparmor.txt | 14 +++++++------- birdnet-go/apparmor.txt | 15 ++++++++------- birdnet-pi/apparmor.txt | 14 +++++++------- birdnet-pipy/apparmor.txt | 10 +++++----- bitwarden/apparmor.txt | 12 +++++------- booksonic_air/apparmor.txt | 14 +++++++------- browser_chromium/apparmor.txt | 14 +++++++------- browserless_chrome/apparmor.txt | 12 +++++------- calibre/apparmor.txt | 15 ++++++++------- calibre_web/apparmor.txt | 15 ++++++++------- changedetection.io/apparmor.txt | 12 +++++------- cleanuparr/apparmor.txt | 12 +++++------- cloudcommander/apparmor.txt | 14 +++++++------- codex/apparmor.txt | 14 +++++++------- collabora/apparmor.txt | 12 +++++------- comixed/apparmor.txt | 14 +++++++------- elasticsearch/apparmor.txt | 8 +++++--- emby/apparmor.txt | 14 +++++++------- emby_beta/apparmor.txt | 14 +++++++------- 
enedisgateway2mqtt/apparmor.txt | 8 +++++--- enedisgateway2mqtt_dev/apparmor.txt | 8 +++++--- ente/apparmor.txt | 14 +++++++------- epicgamesfree/apparmor.txt | 12 +++++------- filebrowser/apparmor.txt | 14 +++++++------- filebrowser_quantum/apparmor.txt | 14 +++++++------- fireflyiii/apparmor.txt | 12 +++++------- fireflyiii_data_importer/apparmor.txt | 12 +++++------- fireflyiii_fints_importer/apparmor.txt | 12 +++++------- flaresolverr/apparmor.txt | 12 +++++------- flexget/apparmor.txt | 8 +++++--- free_games_claimer/apparmor.txt | 12 +++++------- gazpar2mqtt/apparmor.txt | 8 +++++--- gitea/apparmor.txt | 12 +++++------- grampsweb/apparmor.txt | 12 +++++------- grav/apparmor.txt | 12 +++++------- guacamole/apparmor.txt | 12 +++++------- immich/apparmor.txt | 14 +++++++------- immich_frame/apparmor.txt | 12 +++++------- immich_power_tools/apparmor.txt | 12 +++++------- inadyn/apparmor.txt | 8 +++++--- jackett/apparmor.txt | 14 +++++++------- jellyfin/apparmor.txt | 15 ++++++++------- joal/apparmor.txt | 8 +++++--- joplin/apparmor.txt | 13 ++++++------- kometa/apparmor.txt | 14 +++++++------- librespeed/apparmor.txt | 12 +++++------- lidarr/apparmor.txt | 14 +++++++------- linkwarden/apparmor.txt | 12 +++++------- maintainerr/apparmor.txt | 12 +++++------- manyfold/apparmor.txt | 6 +++++- mealie/apparmor.txt | 8 +++++--- monica/apparmor.txt | 12 +++++------- mylar3/apparmor.txt | 14 +++++++------- navidrome/apparmor.txt | 14 +++++++------- netalertx/apparmor.txt | 8 +++++++- nextcloud/apparmor.txt | 14 +++++++------- nzbget/apparmor.txt | 14 +++++++------- omni-tools/apparmor.txt | 6 +++++- openproject/apparmor.txt | 12 +++++------- organizr/apparmor.txt | 8 +++++--- photoprism/apparmor.txt | 15 ++++++++------- piwigo/apparmor.txt | 14 +++++++------- plex/apparmor.txt | 14 +++++++------- portainer/apparmor.txt | 8 +++++--- postgres_15/apparmor.txt | 12 +++++------- prowlarr/apparmor.txt | 14 +++++++------- qbittorrent/apparmor.txt | 19 ++++++++----------- 
radarr/apparmor.txt | 14 +++++++------- readarr/apparmor.txt | 14 +++++++------- requestrr/apparmor.txt | 14 +++++++------- resiliosync/apparmor.txt | 15 ++++++++------- sabnzbd/apparmor.txt | 14 +++++++------- scrutiny/apparmor.txt | 15 ++++++++------- seafile/apparmor.txt | 15 ++++++++------- seerr/apparmor.txt | 12 +++++------- social_to_mealie/apparmor.txt | 12 +++++------- sonarr/apparmor.txt | 14 +++++++------- spotweb/apparmor.txt | 8 +++++--- tandoor_recipes/apparmor.txt | 8 +++++--- tdarr/apparmor.txt | 14 +++++++------- teamspeak/apparmor.txt | 8 +++++--- transmission/apparmor.txt | 14 +++++++------- transmission_openvpn/apparmor.txt | 15 ++++++++------- ubooquity/apparmor.txt | 14 +++++++------- unpackerr/apparmor.txt | 14 +++++++------- webtop_kde/apparmor.txt | 14 +++++++------- webtrees/apparmor.txt | 10 +++++++--- wger/apparmor.txt | 8 +++++--- whatsapper/apparmor.txt | 12 +++++------- whoogle/apparmor.txt | 12 +++++------- xteve/apparmor.txt | 8 +++++--- zoneminder/apparmor.txt | 12 +++++------- zzz_archived_code-server/apparmor.txt | 14 +++++++------- zzz_archived_jellyseerr/apparmor.txt | 12 +++++------- zzz_archived_omada/apparmor.txt | 12 +++++------- zzz_archived_omada_v3/apparmor.txt | 12 +++++------- zzz_archived_ombi/apparmor.txt | 12 +++++------- zzz_archived_overseerr/apparmor.txt | 12 +++++------- zzz_archived_paperless_ngx/apparmor.txt | 14 +++++++------- zzz_archived_papermerge/apparmor.txt | 14 +++++++------- zzz_archived_plex_meta_manager/apparmor.txt | 14 +++++++------- zzz_archived_tor/apparmor.txt | 12 +++++------- 107 files changed, 652 insertions(+), 669 deletions(-) diff --git a/arpspoof/apparmor.txt b/arpspoof/apparmor.txt index b634cbd61..b26a7dcf6 100644 --- a/arpspoof/apparmor.txt +++ b/arpspoof/apparmor.txt 
@@ -3,7 +3,13 @@ profile arpspoof_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile arpspoof_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/autobrr/apparmor.txt b/autobrr/apparmor.txt index ad452921c..fc964885f 100644 --- a/autobrr/apparmor.txt +++ b/autobrr/apparmor.txt @@ -3,7 +3,13 @@ profile autobrr_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile autobrr_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/baikal/apparmor.txt b/baikal/apparmor.txt index 21358b76b..d79b8b5d3 100644 --- a/baikal/apparmor.txt +++ b/baikal/apparmor.txt @@ -4,7 +4,11 @@ profile baikal_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, 
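Review bot: The new allow-list in arpspoof/apparmor.txt is built only from the five base capabilities plus the config.yaml `privileged` mapping, so anything outside that mapping which the blanket `capability,` used to allow is now denied, including container defaults such as `kill`, `net_bind_service`, `sys_chroot`, `fsetid`, `mknod`, `audit_write`, `setpcap` and `setfcap`. The `# S6-Overlay` section visible in the next hunk suggests a root supervisor that signals services which may run as another user, and that needs `kill`; a service binding a port below 1024 needs `net_bind_service`. config.yaml and the services are not shown here, so this has to be confirmed per add-on. Before merging I would start each add-on under its new profile, look for `apparmor="DENIED"` entries with `operation="capable"` in the kernel audit log, and add only the capability named there, e.g. `capability kill,`. The same applies to every other profile hunk in this patch.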
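Review bot: `capability sys_admin,` and `capability dac_read_search,` stay in autobrr/apparmor.txt with no comment saying what needs them, and the unchanged context directly below still carries the blanket `file,`, `signal,` and `mount,` rules. With `sys_admin` plus an unrestricted `mount,` the profile constrains very little, so dropping the blanket `capability,` gains little for this add-on. I would add a comment above the pair such as `# sys_admin, dac_read_search: from config.yaml privileged; needed for <feature>` and, as a follow-up, narrow `mount,` to the filesystem types and mount points the add-on really uses. The same pattern appears in the arpspoof, battybirdnet-pi and bazarr hunks and in the later ones that keep `sys_admin`.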
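Review bot: `capability dac_override,` is now granted to baikal as part of the base set, while the explicit list deleted in the next hunk had it commented out, and nothing in the profile records why every add-on needs to bypass file permission checks. I would document the base set once at the top of the block, for example `# base set: chown/fowner for ownership fix-ups at init, setuid/setgid to drop privileges; dac_override - confirm it is required`, and remove `dac_override` where the add-on starts cleanly without it. As a point of style, the five rules can be written as a single rule, `capability chown dac_override fowner setgid setuid,`, which keeps the 107 copies easier to compare. The profile body continues outside this hunk.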
@@ -19,12 +23,6 @@ profile baikal_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/battybirdnet-pi/apparmor.txt b/battybirdnet-pi/apparmor.txt index 660a9003f..3177c146b 100644 --- a/battybirdnet-pi/apparmor.txt +++ b/battybirdnet-pi/apparmor.txt @@ -3,7 +3,13 @@ profile battybirdnet-pi_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile battybirdnet-pi_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/bazarr/apparmor.txt b/bazarr/apparmor.txt index a1354079c..fdf3c51e6 100644 --- a/bazarr/apparmor.txt +++ b/bazarr/apparmor.txt @@ -4,7 +4,13 @@ profile bazarr_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -19,12 +25,6 @@ profile bazarr_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/binance-trading-bot/apparmor.txt b/binance-trading-bot/apparmor.txt index 93d13b450..eed8e03ab 100644 --- a/binance-trading-bot/apparmor.txt 
+++ b/binance-trading-bot/apparmor.txt @@ -3,7 +3,13 @@ profile db21ed7f_binance-trading-bot flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile db21ed7f_binance-trading-bot flags=(attach_disconnected,mediate_deleted) network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/birdnet-go/apparmor.txt b/birdnet-go/apparmor.txt index a8dff32af..64c538a8f 100644 --- a/birdnet-go/apparmor.txt +++ b/birdnet-go/apparmor.txt @@ -3,7 +3,14 @@ profile db21ed7f_birdnet-go flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, + capability sys_resource, file, signal, mount, @@ -18,12 +25,6 @@ profile db21ed7f_birdnet-go flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/birdnet-pi/apparmor.txt b/birdnet-pi/apparmor.txt index 8fcd2487c..dfcc30fa6 100644 --- a/birdnet-pi/apparmor.txt +++ b/birdnet-pi/apparmor.txt @@ -3,7 +3,13 @@ profile birdnet-pi_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, 
@@ -18,12 +24,6 @@ profile birdnet-pi_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/birdnet-pipy/apparmor.txt b/birdnet-pipy/apparmor.txt index f60a12e43..6827db08a 100644 --- a/birdnet-pipy/apparmor.txt +++ b/birdnet-pipy/apparmor.txt @@ -3,7 +3,11 @@ profile birdnet-pipy_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,10 +22,6 @@ profile birdnet-pipy_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, # S6-Overlay /init ix, diff --git a/bitwarden/apparmor.txt b/bitwarden/apparmor.txt index d6d52bf20..9495ac440 100644 --- a/bitwarden/apparmor.txt +++ b/bitwarden/apparmor.txt @@ -3,7 +3,11 @@ profile bitwarden_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile bitwarden_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/booksonic_air/apparmor.txt b/booksonic_air/apparmor.txt index 96e9a90b3..35d952569 100644 --- a/booksonic_air/apparmor.txt +++ b/booksonic_air/apparmor.txt 
@@ -3,7 +3,13 @@ profile booksonic-air_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile booksonic-air_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/browser_chromium/apparmor.txt b/browser_chromium/apparmor.txt index 2342b9be5..ca8bb381e 100644 --- a/browser_chromium/apparmor.txt +++ b/browser_chromium/apparmor.txt @@ -3,7 +3,13 @@ profile chromium_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile chromium_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/browserless_chrome/apparmor.txt b/browserless_chrome/apparmor.txt index 57a90e59a..13e198c94 100644 --- a/browserless_chrome/apparmor.txt +++ b/browserless_chrome/apparmor.txt @@ -4,7 +4,11 @@ profile browserlesschrome_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, 
@@ -19,12 +23,6 @@ profile browserlesschrome_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/calibre/apparmor.txt b/calibre/apparmor.txt index bb76028f4..948d3bed3 100644 --- a/calibre/apparmor.txt +++ b/calibre/apparmor.txt @@ -3,7 +3,14 @@ profile calibre_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability net_admin, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +25,6 @@ profile calibre_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/calibre_web/apparmor.txt b/calibre_web/apparmor.txt index 0e373b083..0675063e4 100644 --- a/calibre_web/apparmor.txt +++ b/calibre_web/apparmor.txt @@ -3,7 +3,14 @@ profile calibre-web_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability net_admin, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +25,6 @@ profile calibre-web_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/changedetection.io/apparmor.txt b/changedetection.io/apparmor.txt index 9de4432d7..70852dde5 100644 
--- a/changedetection.io/apparmor.txt +++ b/changedetection.io/apparmor.txt @@ -3,7 +3,11 @@ profile addon_db21ed7f_changedetection.io_nas flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile addon_db21ed7f_changedetection.io_nas flags=(attach_disconnected,mediate network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/cleanuparr/apparmor.txt b/cleanuparr/apparmor.txt index 84b2c153e..8010415bd 100644 --- a/cleanuparr/apparmor.txt +++ b/cleanuparr/apparmor.txt @@ -3,7 +3,11 @@ profile cleanuparr_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile cleanuparr_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/cloudcommander/apparmor.txt b/cloudcommander/apparmor.txt index a9ad3811d..999db6613 100644 --- a/cloudcommander/apparmor.txt +++ b/cloudcommander/apparmor.txt @@ -3,7 +3,13 @@ profile cloudcommander_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, 
@@ -18,12 +24,6 @@ profile cloudcommander_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/codex/apparmor.txt b/codex/apparmor.txt index 461e7a160..625bcb420 100644 --- a/codex/apparmor.txt +++ b/codex/apparmor.txt @@ -3,7 +3,13 @@ profile db21ed7f_codex flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile db21ed7f_codex flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/collabora/apparmor.txt b/collabora/apparmor.txt index ca7141cd2..2dd21cfed 100644 --- a/collabora/apparmor.txt +++ b/collabora/apparmor.txt @@ -3,7 +3,11 @@ profile collabora_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile collabora_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/comixed/apparmor.txt b/comixed/apparmor.txt index 98e97c11d..e4d623117 100644 --- a/comixed/apparmor.txt +++ b/comixed/apparmor.txt 
@@ -3,7 +3,13 @@ profile db21ed7f_qbittorrent flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile db21ed7f_qbittorrent flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/elasticsearch/apparmor.txt b/elasticsearch/apparmor.txt index 3963223e0..f136fa492 100644 --- a/elasticsearch/apparmor.txt +++ b/elasticsearch/apparmor.txt @@ -3,7 +3,11 @@ profile inadyn_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -17,8 +21,6 @@ profile inadyn_addon flags=(attach_disconnected,mediate_deleted) { network inet6, network netlink raw, network unix dgram, - capability setgid, - capability setuid, # S6-Overlay diff --git a/emby/apparmor.txt b/emby/apparmor.txt index a7ea8b4fd..08bdf4294 100644 --- a/emby/apparmor.txt +++ b/emby/apparmor.txt @@ -3,7 +3,13 @@ profile addon_db21ed7f_emby_nas flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile addon_db21ed7f_emby_nas flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, 
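Review bot: comixed/apparmor.txt still declares `profile db21ed7f_qbittorrent`, and its index line (`98e97c11d..e4d623117`) is the same as for ente, filebrowser and filebrowser_quantum, so these files are byte-identical copies of one profile. The capability list added here therefore sits in a profile written for a different add-on; if it is loaded under the declared name, denials are logged against the wrong add-on and the copies replace one another (whether the loader rewrites the name is not visible in this patch). The same mismatch shows in elasticsearch, enedisgateway2mqtt and enedisgateway2mqtt_dev (`inadyn_addon`) and in flaresolverr (`joplin`). Since this commit tailors capabilities per add-on, I would also give each file its own header, e.g. `profile <comixed_slug> flags=(attach_disconnected,mediate_deleted) {`.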
diff --git a/emby_beta/apparmor.txt b/emby_beta/apparmor.txt index a7ea8b4fd..08bdf4294 100644 --- a/emby_beta/apparmor.txt +++ b/emby_beta/apparmor.txt @@ -3,7 +3,13 @@ profile addon_db21ed7f_emby_nas flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile addon_db21ed7f_emby_nas flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/enedisgateway2mqtt/apparmor.txt b/enedisgateway2mqtt/apparmor.txt index 7bfd52e8d..58f98f9c3 100644 --- a/enedisgateway2mqtt/apparmor.txt +++ b/enedisgateway2mqtt/apparmor.txt @@ -3,7 +3,11 @@ profile inadyn_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -17,8 +21,6 @@ profile inadyn_addon flags=(attach_disconnected,mediate_deleted) { network inet6, network netlink raw, network unix dgram, - capability setgid, - capability setuid, # S6-Overlay diff --git a/enedisgateway2mqtt_dev/apparmor.txt b/enedisgateway2mqtt_dev/apparmor.txt index 856f6e948..06379cc7a 100644 --- a/enedisgateway2mqtt_dev/apparmor.txt +++ b/enedisgateway2mqtt_dev/apparmor.txt @@ -3,7 +3,11 @@ profile inadyn_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, 
@@ -17,8 +21,6 @@ profile inadyn_addon flags=(attach_disconnected,mediate_deleted) { network inet6, network netlink raw, network unix dgram, - capability setgid, - capability setuid, # S6-Overlay diff --git a/ente/apparmor.txt b/ente/apparmor.txt index 98e97c11d..e4d623117 100644 --- a/ente/apparmor.txt +++ b/ente/apparmor.txt @@ -3,7 +3,13 @@ profile db21ed7f_qbittorrent flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile db21ed7f_qbittorrent flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/epicgamesfree/apparmor.txt b/epicgamesfree/apparmor.txt index bdc6ba571..b5de86355 100644 --- a/epicgamesfree/apparmor.txt +++ b/epicgamesfree/apparmor.txt @@ -3,7 +3,11 @@ profile epicgamesfree_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile epicgamesfree_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/filebrowser/apparmor.txt b/filebrowser/apparmor.txt index 98e97c11d..e4d623117 100644 --- a/filebrowser/apparmor.txt +++ b/filebrowser/apparmor.txt 
@@ -3,7 +3,13 @@ profile db21ed7f_qbittorrent flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile db21ed7f_qbittorrent flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/filebrowser_quantum/apparmor.txt b/filebrowser_quantum/apparmor.txt index 98e97c11d..e4d623117 100644 --- a/filebrowser_quantum/apparmor.txt +++ b/filebrowser_quantum/apparmor.txt @@ -3,7 +3,13 @@ profile db21ed7f_qbittorrent flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile db21ed7f_qbittorrent flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/fireflyiii/apparmor.txt b/fireflyiii/apparmor.txt index bfc3c68d1..00c1c466f 100644 --- a/fireflyiii/apparmor.txt +++ b/fireflyiii/apparmor.txt @@ -3,7 +3,11 @@ profile fireflyiii_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, 
@@ -18,12 +22,6 @@ profile fireflyiii_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/fireflyiii_data_importer/apparmor.txt b/fireflyiii_data_importer/apparmor.txt index bfc3c68d1..00c1c466f 100644 --- a/fireflyiii_data_importer/apparmor.txt +++ b/fireflyiii_data_importer/apparmor.txt @@ -3,7 +3,11 @@ profile fireflyiii_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile fireflyiii_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/fireflyiii_fints_importer/apparmor.txt b/fireflyiii_fints_importer/apparmor.txt index a76a290e5..978728d36 100644 --- a/fireflyiii_fints_importer/apparmor.txt +++ b/fireflyiii_fints_importer/apparmor.txt @@ -3,7 +3,11 @@ profile fireflyiii_fints_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile fireflyiii_fints_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/flaresolverr/apparmor.txt b/flaresolverr/apparmor.txt index 423603f78..22c273541 100644 --- a/flaresolverr/apparmor.txt 
+++ b/flaresolverr/apparmor.txt @@ -3,7 +3,11 @@ profile joplin flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile joplin flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - capability dac_override, - capability sys_rawio, # S6-Overlay /init ix, diff --git a/flexget/apparmor.txt b/flexget/apparmor.txt index bd606230d..5a2add076 100644 --- a/flexget/apparmor.txt +++ b/flexget/apparmor.txt @@ -3,7 +3,11 @@ profile flexget_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -17,8 +21,6 @@ profile flexget_addon flags=(attach_disconnected,mediate_deleted) { network inet6, network netlink raw, network unix dgram, - capability setgid, - capability setuid, # S6-Overlay diff --git a/free_games_claimer/apparmor.txt b/free_games_claimer/apparmor.txt index b26b699bc..558dab15f 100644 --- a/free_games_claimer/apparmor.txt +++ b/free_games_claimer/apparmor.txt @@ -3,7 +3,11 @@ profile free_games_claimer_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile free_games_claimer_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/gazpar2mqtt/apparmor.txt b/gazpar2mqtt/apparmor.txt index 856f6e948..06379cc7a 100644 
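Review bot: flaresolverr/apparmor.txt declares `profile joplin` (see the hunk header), and after this change joplin/apparmor.txt adds `capability sys_time,` under the same name while this file does not, so two different capability sets now share one profile name. If profiles are loaded under the name written in the file, whichever loads last decides what both add-ons may do, and the per-add-on mapping from config.yaml is not what gets enforced. Renaming the header to something like `profile flaresolverr_addon flags=(attach_disconnected,mediate_deleted) {` would remove the ambiguity. The same reuse is visible for `db21ed7f_qbittorrent` (ente, filebrowser, filebrowser_quantum and immich, versus qbittorrent which adds net_admin), `inadyn_addon` (gazpar2mqtt) and `radarr_addon` (lidarr).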
--- a/gazpar2mqtt/apparmor.txt +++ b/gazpar2mqtt/apparmor.txt @@ -3,7 +3,11 @@ profile inadyn_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -17,8 +21,6 @@ profile inadyn_addon flags=(attach_disconnected,mediate_deleted) { network inet6, network netlink raw, network unix dgram, - capability setgid, - capability setuid, # S6-Overlay diff --git a/gitea/apparmor.txt b/gitea/apparmor.txt index c25695e95..a007b16bf 100644 --- a/gitea/apparmor.txt +++ b/gitea/apparmor.txt @@ -3,7 +3,11 @@ profile gitea_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile gitea_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/grampsweb/apparmor.txt b/grampsweb/apparmor.txt index ddb432d34..b96d415de 100644 --- a/grampsweb/apparmor.txt +++ b/grampsweb/apparmor.txt @@ -3,7 +3,11 @@ profile grampsweb_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile grampsweb_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/grav/apparmor.txt b/grav/apparmor.txt index dac91b9b0..251fa2cb7 100644 --- a/grav/apparmor.txt 
+++ b/grav/apparmor.txt @@ -3,7 +3,11 @@ profile grav_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile grav_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/guacamole/apparmor.txt b/guacamole/apparmor.txt index 959e2aeeb..963a2b3a5 100644 --- a/guacamole/apparmor.txt +++ b/guacamole/apparmor.txt @@ -3,7 +3,11 @@ profile guacamole_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile guacamole_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/immich/apparmor.txt b/immich/apparmor.txt index 98e97c11d..e4d623117 100644 --- a/immich/apparmor.txt +++ b/immich/apparmor.txt @@ -3,7 +3,13 @@ profile db21ed7f_qbittorrent flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, 
@@ -18,12 +24,6 @@ profile db21ed7f_qbittorrent flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/immich_frame/apparmor.txt b/immich_frame/apparmor.txt index d8a246fd1..617994e6e 100644 --- a/immich_frame/apparmor.txt +++ b/immich_frame/apparmor.txt @@ -3,7 +3,11 @@ profile db21ed7f_immich_frame flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile db21ed7f_immich_frame flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/immich_power_tools/apparmor.txt b/immich_power_tools/apparmor.txt index edb8345af..222f74d15 100644 --- a/immich_power_tools/apparmor.txt +++ b/immich_power_tools/apparmor.txt @@ -3,7 +3,11 @@ profile db21ed7f_immich_power_tools flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile db21ed7f_immich_power_tools flags=(attach_disconnected,mediate_deleted) network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/inadyn/apparmor.txt b/inadyn/apparmor.txt index 856f6e948..06379cc7a 100644 --- a/inadyn/apparmor.txt +++ b/inadyn/apparmor.txt 
@@ -3,7 +3,11 @@ profile inadyn_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -17,8 +21,6 @@ profile inadyn_addon flags=(attach_disconnected,mediate_deleted) { network inet6, network netlink raw, network unix dgram, - capability setgid, - capability setuid, # S6-Overlay diff --git a/jackett/apparmor.txt b/jackett/apparmor.txt index e48fb0128..992910c81 100644 --- a/jackett/apparmor.txt +++ b/jackett/apparmor.txt @@ -3,7 +3,13 @@ profile jackett_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile jackett_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/jellyfin/apparmor.txt b/jellyfin/apparmor.txt index ab32eaf39..bcd9a1514 100644 --- a/jellyfin/apparmor.txt +++ b/jellyfin/apparmor.txt @@ -3,7 +3,14 @@ profile addon_db21ed7f_jellyfin_nas flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability net_admin, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +25,6 @@ profile addon_db21ed7f_jellyfin_nas flags=(attach_disconnected,mediate_deleted) network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability sys_rawio, - capability dac_read_search, - # capability dac_override, # S6-Overlay /init ix, 
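Review bot: In jellyfin/apparmor.txt the list added at `@@ -3,7 +3,14 @@` introduces `capability net_admin,` but omits `capability sys_rawio,`, which the following hunk removes from the old explicit list where it was uncommented. Under the old blanket rule it was allowed, so this is the first time sys_rawio is actually denied; if anything in the add-on relies on it, the failure will only show at runtime. Either confirm that config.yaml is the intended source of truth and say so in a comment above the list, or keep `capability sys_rawio,`. qbittorrent/apparmor.txt drops `net_bind_service`, `net_broadcast` and `sys_rawio` the same way, and joplin and flaresolverr drop `sys_rawio`.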
diff --git a/joal/apparmor.txt b/joal/apparmor.txt index 89e23bc88..0e17841ab 100644 --- a/joal/apparmor.txt +++ b/joal/apparmor.txt @@ -3,7 +3,11 @@ profile joal_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -17,8 +21,6 @@ profile joal_addon flags=(attach_disconnected,mediate_deleted) { network inet6, network netlink raw, network unix dgram, - capability setgid, - capability setuid, # S6-Overlay diff --git a/joplin/apparmor.txt b/joplin/apparmor.txt index 423603f78..078355e7e 100644 --- a/joplin/apparmor.txt +++ b/joplin/apparmor.txt @@ -3,7 +3,12 @@ profile joplin flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, + capability sys_time, file, signal, mount, @@ -18,12 +23,6 @@ profile joplin flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - capability dac_override, - capability sys_rawio, # S6-Overlay /init ix, diff --git a/kometa/apparmor.txt b/kometa/apparmor.txt index c690a3a41..408f8b52a 100644 --- a/kometa/apparmor.txt +++ b/kometa/apparmor.txt @@ -3,7 +3,13 @@ profile kometa_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile kometa_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, 
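Review bot: joplin/apparmor.txt gains `capability sys_time,` at `@@ -3,7 +3,12 @@`, the only profile in this part of the patch to do so. CAP_SYS_TIME lets the container set the system clock, which is not confined to the container and affects certificate validation, token expiry and log timestamps on the host. Presumably this comes from the add-on's config.yaml `privileged` list. If the application never sets the clock, drop the line here and the SYS_TIME entry there; otherwise document it with `# sys_time: <reason>` above the rule.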
diff --git a/librespeed/apparmor.txt b/librespeed/apparmor.txt index d9f06e970..397d3d777 100644 --- a/librespeed/apparmor.txt +++ b/librespeed/apparmor.txt @@ -3,7 +3,11 @@ profile librespeed_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile librespeed_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/lidarr/apparmor.txt b/lidarr/apparmor.txt index b3c45a848..79884515a 100644 --- a/lidarr/apparmor.txt +++ b/lidarr/apparmor.txt @@ -3,7 +3,13 @@ profile radarr_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile radarr_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/linkwarden/apparmor.txt b/linkwarden/apparmor.txt index 7417d344e..40201f7c4 100644 --- a/linkwarden/apparmor.txt +++ b/linkwarden/apparmor.txt @@ -3,7 +3,11 @@ profile linkwarden_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, 
@@ -18,12 +22,6 @@ profile linkwarden_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/maintainerr/apparmor.txt b/maintainerr/apparmor.txt index cebe37e41..c36ba131c 100644 --- a/maintainerr/apparmor.txt +++ b/maintainerr/apparmor.txt @@ -3,7 +3,11 @@ profile maintainerr_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile maintainerr_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/manyfold/apparmor.txt b/manyfold/apparmor.txt index 91fcc4abe..2620064ab 100644 --- a/manyfold/apparmor.txt +++ b/manyfold/apparmor.txt @@ -10,7 +10,11 @@ profile hassio-addons/manyfold flags=(attach_disconnected,mediate_deleted) { # denying known high-risk kernel interfaces. file, network, - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, deny /proc/kcore rwklx, deny /proc/sysrq-trigger rwklx, diff --git a/mealie/apparmor.txt b/mealie/apparmor.txt index 4b173ddad..20893cbab 100644 --- a/mealie/apparmor.txt +++ b/mealie/apparmor.txt @@ -3,7 +3,11 @@ profile mealie_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, 
@@ -17,8 +21,6 @@ profile mealie_addon flags=(attach_disconnected,mediate_deleted) { network inet6, network netlink raw, network unix dgram, - capability setgid, - capability setuid, # S6-Overlay diff --git a/monica/apparmor.txt b/monica/apparmor.txt index a9d564319..137aca2ae 100644 --- a/monica/apparmor.txt +++ b/monica/apparmor.txt @@ -3,7 +3,11 @@ profile monica_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile monica_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/mylar3/apparmor.txt b/mylar3/apparmor.txt index 5218a8a93..ac181b7ed 100644 --- a/mylar3/apparmor.txt +++ b/mylar3/apparmor.txt @@ -3,7 +3,13 @@ profile mylar3_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile mylar3_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/navidrome/apparmor.txt b/navidrome/apparmor.txt index ee17b6b23..14200b955 100644 --- a/navidrome/apparmor.txt +++ b/navidrome/apparmor.txt 
@@ -3,7 +3,13 @@ profile navidrome_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile navidrome_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/netalertx/apparmor.txt b/netalertx/apparmor.txt index c025dcf76..723e7e94f 100644 --- a/netalertx/apparmor.txt +++ b/netalertx/apparmor.txt @@ -3,7 +3,13 @@ profile netalertx_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability net_admin, + capability net_raw, + capability setgid, + capability setuid, file, signal, mount, diff --git a/nextcloud/apparmor.txt b/nextcloud/apparmor.txt index c0d67cd07..e475cdd11 100644 --- a/nextcloud/apparmor.txt +++ b/nextcloud/apparmor.txt @@ -3,7 +3,13 @@ profile nextcloud_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile nextcloud_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/nzbget/apparmor.txt b/nzbget/apparmor.txt index 885804f46..7dd4b1406 100644 --- a/nzbget/apparmor.txt +++ b/nzbget/apparmor.txt 
@@ -3,7 +3,13 @@ profile nzbget_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile nzbget_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/omni-tools/apparmor.txt b/omni-tools/apparmor.txt index 98a6c893f..5792ee418 100644 --- a/omni-tools/apparmor.txt +++ b/omni-tools/apparmor.txt @@ -4,7 +4,11 @@ profile omni-tools flags=(attach_disconnected,mediate_deleted) { #include # Capabilities - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal (send) set=(kill,term,int,hup,cont), diff --git a/openproject/apparmor.txt b/openproject/apparmor.txt index e4796de8f..2f510f2bc 100644 --- a/openproject/apparmor.txt +++ b/openproject/apparmor.txt @@ -3,7 +3,11 @@ profile openproject_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile openproject_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/organizr/apparmor.txt b/organizr/apparmor.txt index 19b59e65f..a3016461d 100644 --- a/organizr/apparmor.txt +++ b/organizr/apparmor.txt 
@@ -3,7 +3,11 @@ profile organizr_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,8 +22,6 @@ profile organizr_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, # S6-Overlay diff --git a/photoprism/apparmor.txt b/photoprism/apparmor.txt index d23dd8813..40bd2d287 100644 --- a/photoprism/apparmor.txt +++ b/photoprism/apparmor.txt @@ -3,7 +3,14 @@ profile photoprism flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, + capability sys_rawio, file, signal, mount, @@ -18,12 +25,6 @@ profile photoprism flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability dac_override, - capability sys_admin, - capability dac_read_search, - capability sys_rawio, # S6-Overlay /init ix, diff --git a/piwigo/apparmor.txt b/piwigo/apparmor.txt index c9e4dab8b..e980b8620 100644 --- a/piwigo/apparmor.txt +++ b/piwigo/apparmor.txt @@ -3,7 +3,13 @@ profile piwigo_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile piwigo_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, 
diff --git a/plex/apparmor.txt b/plex/apparmor.txt index 69170a941..ccd64d889 100644 --- a/plex/apparmor.txt +++ b/plex/apparmor.txt @@ -3,7 +3,13 @@ profile addon_db21ed7f_plex_nas flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile addon_db21ed7f_plex_nas flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/portainer/apparmor.txt b/portainer/apparmor.txt index ef354c8cc..41b6a2faa 100644 --- a/portainer/apparmor.txt +++ b/portainer/apparmor.txt @@ -3,7 +3,11 @@ profile portainer_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -17,8 +21,6 @@ profile portainer_addon flags=(attach_disconnected,mediate_deleted) { network inet6, network netlink raw, network unix dgram, - capability setgid, - capability setuid, # S6-Overlay diff --git a/postgres_15/apparmor.txt b/postgres_15/apparmor.txt index 70262be68..2e806546f 100644 --- a/postgres_15/apparmor.txt +++ b/postgres_15/apparmor.txt @@ -3,7 +3,11 @@ profile postgres_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, 
@@ -18,12 +22,6 @@ profile postgres_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/prowlarr/apparmor.txt b/prowlarr/apparmor.txt index 8e48cd94b..5bedb9bdc 100644 --- a/prowlarr/apparmor.txt +++ b/prowlarr/apparmor.txt @@ -3,7 +3,13 @@ profile prowlarr_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile prowlarr_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/qbittorrent/apparmor.txt b/qbittorrent/apparmor.txt index bf6a6b0e2..af4538926 100644 --- a/qbittorrent/apparmor.txt +++ b/qbittorrent/apparmor.txt @@ -3,7 +3,14 @@ profile db21ed7f_qbittorrent flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability net_admin, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,16 +25,6 @@ profile db21ed7f_qbittorrent flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability chown, - capability setuid, - capability sys_admin, - capability dac_read_search, - capability net_admin, - capability dac_override, - capability net_bind_service, - capability net_broadcast, - capability sys_rawio, # S6-Overlay /init ix, 
diff --git a/radarr/apparmor.txt b/radarr/apparmor.txt index b3c45a848..79884515a 100644 --- a/radarr/apparmor.txt +++ b/radarr/apparmor.txt @@ -3,7 +3,13 @@ profile radarr_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile radarr_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/readarr/apparmor.txt b/readarr/apparmor.txt index b7cc34eae..5dc39e473 100644 --- a/readarr/apparmor.txt +++ b/readarr/apparmor.txt @@ -3,7 +3,13 @@ profile readarr_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile readarr_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/requestrr/apparmor.txt b/requestrr/apparmor.txt index 478167cbb..bfac78dfa 100644 --- a/requestrr/apparmor.txt +++ b/requestrr/apparmor.txt @@ -3,7 +3,13 @@ profile requestrr_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, 
@@ -18,12 +24,6 @@ profile requestrr_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/resiliosync/apparmor.txt b/resiliosync/apparmor.txt index f9448c7bb..50aedd229 100644 --- a/resiliosync/apparmor.txt +++ b/resiliosync/apparmor.txt @@ -3,7 +3,14 @@ profile resiliosync_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability net_admin, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +25,6 @@ profile resiliosync_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/sabnzbd/apparmor.txt b/sabnzbd/apparmor.txt index 45dda937d..34c6473b6 100644 --- a/sabnzbd/apparmor.txt +++ b/sabnzbd/apparmor.txt @@ -3,7 +3,13 @@ profile sabnzbd_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile sabnzbd_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/scrutiny/apparmor.txt b/scrutiny/apparmor.txt index 2cf1edb58..3129a1e10 100644 --- a/scrutiny/apparmor.txt +++ b/scrutiny/apparmor.txt 
@@ -3,7 +3,14 @@ profile db21ed7f_scrutiny flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, + capability sys_rawio, file, signal, mount, @@ -18,12 +25,6 @@ profile db21ed7f_scrutiny flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability dac_override, - capability sys_admin, - capability dac_read_search, - capability sys_rawio, # S6-Overlay /init ix, diff --git a/seafile/apparmor.txt b/seafile/apparmor.txt index 667900889..59ccd2f68 100644 --- a/seafile/apparmor.txt +++ b/seafile/apparmor.txt @@ -3,7 +3,14 @@ profile seafile_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability net_admin, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +25,6 @@ profile seafile_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/seerr/apparmor.txt b/seerr/apparmor.txt index a6e2134ee..894a2dcab 100644 --- a/seerr/apparmor.txt +++ b/seerr/apparmor.txt @@ -3,7 +3,11 @@ profile seerr_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, 
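Review bot: `mount,` stays in the seerr profile although this hunk no longer grants `capability sys_admin`; mount(2) requires CAP_SYS_ADMIN, so the rule now permits nothing useful and only widens the policy again if sys_admin is ever re-added. I would delete the `mount,` line in every profile that ends up with the five-capability list (seerr, social_to_mealie, spotweb, tandoor_recipes, teamspeak, wger, whoogle, xteve, zoneminder and the archived ones). Because these addons previously ran with every capability allowed, the audit log should be watched for `apparmor="DENIED"` entries with `operation="capable"` after rollout to catch anything the config.yaml mapping missed. The profile continues outside the hunk.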
@@ -18,12 +22,6 @@ profile seerr_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/social_to_mealie/apparmor.txt b/social_to_mealie/apparmor.txt index e5ac2e175..ec6b3bade 100644 --- a/social_to_mealie/apparmor.txt +++ b/social_to_mealie/apparmor.txt @@ -3,7 +3,11 @@ profile social_to_mealie_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile social_to_mealie_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/sonarr/apparmor.txt b/sonarr/apparmor.txt index 608bbb4ab..09a642fb5 100644 --- a/sonarr/apparmor.txt +++ b/sonarr/apparmor.txt @@ -3,7 +3,13 @@ profile sonarr_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile sonarr_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/spotweb/apparmor.txt b/spotweb/apparmor.txt index 7d4265c61..9c1e03409 100644 --- a/spotweb/apparmor.txt +++ b/spotweb/apparmor.txt 
@@ -3,7 +3,11 @@ profile spotweb_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -17,8 +21,6 @@ profile spotweb_addon flags=(attach_disconnected,mediate_deleted) { network inet6, network netlink raw, network unix dgram, - capability setgid, - capability setuid, # S6-Overlay diff --git a/tandoor_recipes/apparmor.txt b/tandoor_recipes/apparmor.txt index 1d0c543e5..830250be3 100644 --- a/tandoor_recipes/apparmor.txt +++ b/tandoor_recipes/apparmor.txt @@ -3,7 +3,11 @@ profile tandoor_recipes_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -17,8 +21,6 @@ profile tandoor_recipes_addon flags=(attach_disconnected,mediate_deleted) { network inet6, network netlink raw, network unix dgram, - capability setgid, - capability setuid, # S6-Overlay diff --git a/tdarr/apparmor.txt b/tdarr/apparmor.txt index 63b89643c..83af16408 100644 --- a/tdarr/apparmor.txt +++ b/tdarr/apparmor.txt @@ -3,7 +3,13 @@ profile db21ed7f_tdarr flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile db21ed7f_tdarr flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/teamspeak/apparmor.txt b/teamspeak/apparmor.txt index 4e81f2903..481ae5d5b 100644 --- a/teamspeak/apparmor.txt +++ b/teamspeak/apparmor.txt 
@@ -3,7 +3,11 @@ profile teamspeak_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -17,8 +21,6 @@ profile teamspeak_addon flags=(attach_disconnected,mediate_deleted) { network inet6, network netlink raw, network unix dgram, - capability setgid, - capability setuid, # S6-Overlay diff --git a/transmission/apparmor.txt b/transmission/apparmor.txt index 93d572322..4c81f971d 100644 --- a/transmission/apparmor.txt +++ b/transmission/apparmor.txt @@ -3,7 +3,13 @@ profile db21ed7f_transmission flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile db21ed7f_transmission flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/transmission_openvpn/apparmor.txt b/transmission_openvpn/apparmor.txt index 0a596920a..64f9dc8a3 100644 --- a/transmission_openvpn/apparmor.txt +++ b/transmission_openvpn/apparmor.txt @@ -3,7 +3,14 @@ profile db21ed7f_transmission_openvpn flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability net_admin, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, 
@@ -18,12 +25,6 @@ profile db21ed7f_transmission_openvpn flags=(attach_disconnected,mediate_deleted network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/ubooquity/apparmor.txt b/ubooquity/apparmor.txt index 65ae73ffb..822212b75 100644 --- a/ubooquity/apparmor.txt +++ b/ubooquity/apparmor.txt @@ -3,7 +3,13 @@ profile ubooquity_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile ubooquity_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/unpackerr/apparmor.txt b/unpackerr/apparmor.txt index 7e4c1ed66..941a191fd 100644 --- a/unpackerr/apparmor.txt +++ b/unpackerr/apparmor.txt @@ -3,7 +3,13 @@ profile unpackerr_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile unpackerr_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/webtop_kde/apparmor.txt b/webtop_kde/apparmor.txt index 9c2ab2eba..52c5f1f0c 100644 --- a/webtop_kde/apparmor.txt +++ b/webtop_kde/apparmor.txt 
@@ -3,7 +3,13 @@ profile webtop_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile webtop_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/webtrees/apparmor.txt b/webtrees/apparmor.txt index f6d52b4d0..0136730bc 100644 --- a/webtrees/apparmor.txt +++ b/webtrees/apparmor.txt @@ -3,7 +3,13 @@ profile webtrees_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -17,8 +23,6 @@ profile webtrees_addon flags=(attach_disconnected,mediate_deleted) { network inet6, network netlink raw, network unix dgram, - capability setgid, - capability setuid, # S6-Overlay diff --git a/wger/apparmor.txt b/wger/apparmor.txt index e94f74db7..924f07469 100644 --- a/wger/apparmor.txt +++ b/wger/apparmor.txt @@ -3,7 +3,11 @@ profile wger_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -17,8 +21,6 @@ profile wger_addon flags=(attach_disconnected,mediate_deleted) { network inet6, network netlink raw, network unix dgram, - capability setgid, - capability setuid, # S6-Overlay diff --git a/whatsapper/apparmor.txt b/whatsapper/apparmor.txt index c25695e95..a007b16bf 100644 --- a/whatsapper/apparmor.txt +++ b/whatsapper/apparmor.txt 
@@ -3,7 +3,11 @@ profile gitea_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile gitea_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/whoogle/apparmor.txt b/whoogle/apparmor.txt index 3d5cefeab..fba07a798 100644 --- a/whoogle/apparmor.txt +++ b/whoogle/apparmor.txt @@ -3,7 +3,11 @@ profile whoogle-search_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile whoogle-search_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/xteve/apparmor.txt b/xteve/apparmor.txt index ed7458191..1814a0b9b 100644 --- a/xteve/apparmor.txt +++ b/xteve/apparmor.txt @@ -3,7 +3,11 @@ profile xteve_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -17,8 +21,6 @@ profile xteve_addon flags=(attach_disconnected,mediate_deleted) { network inet6, network netlink raw, network unix dgram, - capability setgid, - capability setuid, # S6-Overlay diff --git a/zoneminder/apparmor.txt b/zoneminder/apparmor.txt index d1c9df0aa..25580d516 100644 --- a/zoneminder/apparmor.txt +++ b/zoneminder/apparmor.txt 
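Review bot: The hunk header for whatsapper/apparmor.txt shows the profile declared as `profile gitea_addon`, which looks like a leftover from the file it was copied from; the commit edits the capability list but keeps that name. If the profile is loaded under its declared name, it would share that name with any gitea profile and one would replace the other, so the tightened rules could end up applied to the wrong container or not at all. I would rename it to match the addon's slug, e.g. `profile whatsapper_addon flags=(attach_disconnected,mediate_deleted) {`, and check the same for zzz_archived_omada and zzz_archived_omada_v3 (both `omada_addon`) and webtop_kde (`webtop_addon`). The profile line itself sits above the hunk.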
@@ -3,7 +3,11 @@ profile zoneminder_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile zoneminder_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/zzz_archived_code-server/apparmor.txt b/zzz_archived_code-server/apparmor.txt index bc6a0ac75..10fbb32a9 100644 --- a/zzz_archived_code-server/apparmor.txt +++ b/zzz_archived_code-server/apparmor.txt @@ -3,7 +3,13 @@ profile code_server_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile code_server_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/zzz_archived_jellyseerr/apparmor.txt b/zzz_archived_jellyseerr/apparmor.txt index 006a14b5f..885e0e88b 100644 --- a/zzz_archived_jellyseerr/apparmor.txt +++ b/zzz_archived_jellyseerr/apparmor.txt @@ -3,7 +3,11 @@ profile jellyseer_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, 
@@ -18,12 +22,6 @@ profile jellyseer_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/zzz_archived_omada/apparmor.txt b/zzz_archived_omada/apparmor.txt index 36dd9a3d8..679948649 100644 --- a/zzz_archived_omada/apparmor.txt +++ b/zzz_archived_omada/apparmor.txt @@ -3,7 +3,11 @@ profile omada_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile omada_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/zzz_archived_omada_v3/apparmor.txt b/zzz_archived_omada_v3/apparmor.txt index 36dd9a3d8..679948649 100644 --- a/zzz_archived_omada_v3/apparmor.txt +++ b/zzz_archived_omada_v3/apparmor.txt @@ -3,7 +3,11 @@ profile omada_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile omada_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/zzz_archived_ombi/apparmor.txt b/zzz_archived_ombi/apparmor.txt index 6a073fe20..a4c2a2b67 100644 --- a/zzz_archived_ombi/apparmor.txt +++ b/zzz_archived_ombi/apparmor.txt 
@@ -3,7 +3,11 @@ profile ombi_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile ombi_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/zzz_archived_overseerr/apparmor.txt b/zzz_archived_overseerr/apparmor.txt index 6d7b07528..74a9fabe3 100644 --- a/zzz_archived_overseerr/apparmor.txt +++ b/zzz_archived_overseerr/apparmor.txt @@ -3,7 +3,11 @@ profile overseerr_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile overseerr_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/zzz_archived_paperless_ngx/apparmor.txt b/zzz_archived_paperless_ngx/apparmor.txt index 3e5e3da74..aa9b70174 100644 --- a/zzz_archived_paperless_ngx/apparmor.txt +++ b/zzz_archived_paperless_ngx/apparmor.txt @@ -3,7 +3,13 @@ profile addon_db21ed7f_paperless_ngx flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, 
@@ -18,12 +24,6 @@ profile addon_db21ed7f_paperless_ngx flags=(attach_disconnected,mediate_deleted) network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/zzz_archived_papermerge/apparmor.txt b/zzz_archived_papermerge/apparmor.txt index 212046345..d4c6d24bb 100644 --- a/zzz_archived_papermerge/apparmor.txt +++ b/zzz_archived_papermerge/apparmor.txt @@ -3,7 +3,13 @@ profile papermerge_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile papermerge_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, diff --git a/zzz_archived_plex_meta_manager/apparmor.txt b/zzz_archived_plex_meta_manager/apparmor.txt index 653d4a943..941aef171 100644 --- a/zzz_archived_plex_meta_manager/apparmor.txt +++ b/zzz_archived_plex_meta_manager/apparmor.txt @@ -3,7 +3,13 @@ profile plex-meta-manager_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setgid, + capability setuid, + capability sys_admin, file, signal, mount, @@ -18,12 +24,6 @@ profile plex-meta-manager_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix, 
diff --git a/zzz_archived_tor/apparmor.txt b/zzz_archived_tor/apparmor.txt index 709ccf59a..008fc758e 100644 --- a/zzz_archived_tor/apparmor.txt +++ b/zzz_archived_tor/apparmor.txt @@ -3,7 +3,11 @@ profile tor_addon flags=(attach_disconnected,mediate_deleted) { #include - capability, + capability chown, + capability dac_override, + capability fowner, + capability setgid, + capability setuid, file, signal, mount, @@ -18,12 +22,6 @@ profile tor_addon flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix dgram, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, # S6-Overlay /init ix,