diff --git a/addons_updater/apparmor.txt b/addons_updater/apparmor.txt index c800b272a..e4c3e4ce4 100644 --- a/addons_updater/apparmor.txt +++ b/addons_updater/apparmor.txt @@ -2,10 +2,17 @@ profile addon_updater flags=(attach_disconnected,mediate_deleted) { #include - + # Capabilities file, signal, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, # S6-Overlay /init rix, @@ -24,13 +31,13 @@ profile addon_updater flags=(attach_disconnected,mediate_deleted) { # Access to Options.json and other files within your addon /data/** rw, - + # Start new profile for service /usr/bin/myprogram cx, - + profile usr/bin/myprogram flags=(attach_disconnected,mediate_deleted) { #include - + # Receive signals from S6-Overlay signal receive, } diff --git a/arpspoof/apparmor.txt b/arpspoof/apparmor.txt index f1c902851..9bc1ba1c8 100644 --- a/arpspoof/apparmor.txt +++ b/arpspoof/apparmor.txt @@ -2,17 +2,25 @@ profile arpspoof_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, 
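Review bot: The seven `network` rules added after `signal,` in the addons_updater hunk overlap each other: `network inet,` and `network inet6,` already permit every socket type and protocol in those families, so `network tcp,` and `network udp,` add nothing, while `network dgram,` and `network stream,` carry no family at all and therefore also open unix, netlink and packet sockets of those types. If the intent is ordinary IPv4/IPv6 client and server traffic, the least-privilege form is `network inet stream, network inet dgram, network inet6 stream, network inet6 dgram,` with `network netlink raw,` kept only where the add-on is observed to need it (interface enumeration is a plausible reason, but nothing on this page shows it). The block also sits under the `# Capabilities` heading; a separate `# Network` heading would keep the file readable. The same seven lines are added in the arpspoof, bazarr, bitwarden, booksonic_air, code-server, elasticsearch, emby, enedisgateway2mqtt, enedisgateway2mqtt_dev, fireflyiii, fireflyiii_data_importer, flaresolverr, gazpar2mqtt, grav, inadyn, jackett, jellyfin, joplin, lidarr, mylar3, nextcloud, nzbget, organizr, paperless_ng, papermerge, photoprism and piwigo hunks and in the new flexget, joal and mealie profiles, so one narrowing applies to all of them.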
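Review bot: The bare `+ signal,` line added after `file,` in the arpspoof hunk permits sending and receiving every signal to and from any peer, which makes the existing scoped `signal (receive) set=(kill,term) peer=/usr/bin/docker,` later in the file redundant and discards the reason its comment gives for scoping it. If the add-on only needs to signal its own s6 process tree, `signal (send,receive) peer=@{profile_name},` next to the docker rule covers that without opening signal delivery to processes under other profiles. Because the profile already carries unrestricted `capability,` and `file,` rules the practical gain is modest, but each grant staying as narrow as its comment says is what keeps these profiles auditable. The same `+ signal,` line is added in every modified profile in this commit (cloudcommander and filebrowser add only this line) and is present in the new flexget, joal and mealie profiles. For arpspoof specifically, none of the added rules names the `packet` family, so if the tool opens AF_PACKET sockets that should be confirmed against the add-on's audit denials rather than assumed from this list.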
@@ -28,21 +36,21 @@ profile arpspoof_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, -} +} diff --git a/bazarr/apparmor.txt b/bazarr/apparmor.txt index 0b292a08b..443686b93 100644 --- a/bazarr/apparmor.txt +++ b/bazarr/apparmor.txt @@ -3,17 +3,25 @@ profile bazarr_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, @@ -29,20 +37,20 @@ profile bazarr_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/bitwarden/apparmor.txt b/bitwarden/apparmor.txt index 0db080278..2b57604fa 100644 --- a/bitwarden/apparmor.txt +++ b/bitwarden/apparmor.txt 
@@ -2,17 +2,25 @@ profile bitwarden_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, @@ -28,20 +36,20 @@ profile bitwarden_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/booksonic_air/apparmor.txt b/booksonic_air/apparmor.txt index b9f61c01b..088d5915a 100644 --- a/booksonic_air/apparmor.txt +++ b/booksonic_air/apparmor.txt @@ -2,17 +2,25 @@ profile booksonic-air_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, 
@@ -28,21 +36,21 @@ profile booksonic-air_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, -} +} diff --git a/cloudcommander/apparmor.txt b/cloudcommander/apparmor.txt index 2e5313d96..daaf6481f 100644 --- a/cloudcommander/apparmor.txt +++ b/cloudcommander/apparmor.txt @@ -2,9 +2,10 @@ profile cloudcommander_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, @@ -18,8 +19,8 @@ profile cloudcommander_addon flags=(attach_disconnected,mediate_deleted) { capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, @@ -35,21 +36,21 @@ profile cloudcommander_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access /data/** rw, /** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/code-server/apparmor.txt b/code-server/apparmor.txt index a97f19c8e..7688de2c4 100644 --- a/code-server/apparmor.txt +++ b/code-server/apparmor.txt 
@@ -2,17 +2,25 @@ profile code_server_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, @@ -28,20 +36,20 @@ profile code_server_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/elasticsearch/apparmor.txt b/elasticsearch/apparmor.txt index 4b9ced9e4..8603fd3c3 100644 --- a/elasticsearch/apparmor.txt +++ b/elasticsearch/apparmor.txt @@ -2,12 +2,20 @@ profile inadyn_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, @@ -24,14 +32,14 @@ profile inadyn_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, - + /dev/i2c-1 mrwkl, + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, 
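Review bot: The elasticsearch profile whose hunks end here still declares `profile inadyn_addon`, and its pre- and post-change blob ids `4b9ced9e4..8603fd3c3` are identical to those of the enedisgateway2mqtt, enedisgateway2mqtt_dev, gazpar2mqtt and inadyn files, so five add-ons ship one byte-identical profile under another add-on's name. Whether the supervisor rewrites the profile name on load is not visible on this page; if it does not, two loaded profiles with the same name may replace one another, and the grants this commit makes for elasticsearch are then also what the other four run under. Renaming to `profile elasticsearch_addon` (and likewise for the other copies — lidarr carries `radarr_addon`, flaresolverr carries `joplin`, filebrowser carries `db21ed7f_qbittorrent`) keeps each add-on's policy attributable and reviewable on its own.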
diff --git a/emby/apparmor.txt b/emby/apparmor.txt index 7bdec833d..a5d8a51e7 100644 --- a/emby/apparmor.txt +++ b/emby/apparmor.txt @@ -2,17 +2,25 @@ profile addon_db21ed7f_emby_nas flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, @@ -28,7 +36,7 @@ profile addon_db21ed7f_emby_nas flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, @@ -36,13 +44,13 @@ profile addon_db21ed7f_emby_nas flags=(attach_disconnected,mediate_deleted) { /dev/ttyUSB0 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/enedisgateway2mqtt/apparmor.txt b/enedisgateway2mqtt/apparmor.txt index 4b9ced9e4..8603fd3c3 100644 --- a/enedisgateway2mqtt/apparmor.txt +++ b/enedisgateway2mqtt/apparmor.txt @@ -2,12 +2,20 @@ profile inadyn_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, 
@@ -24,14 +32,14 @@ profile inadyn_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, - + /dev/i2c-1 mrwkl, + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/enedisgateway2mqtt_dev/apparmor.txt b/enedisgateway2mqtt_dev/apparmor.txt index 4b9ced9e4..8603fd3c3 100644 --- a/enedisgateway2mqtt_dev/apparmor.txt +++ b/enedisgateway2mqtt_dev/apparmor.txt @@ -2,12 +2,20 @@ profile inadyn_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, @@ -24,14 +32,14 @@ profile inadyn_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, - + /dev/i2c-1 mrwkl, + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/filebrowser/apparmor.txt b/filebrowser/apparmor.txt index ba9ea373b..a242812f0 100644 --- a/filebrowser/apparmor.txt +++ b/filebrowser/apparmor.txt @@ -2,9 +2,10 @@ profile db21ed7f_qbittorrent flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, 
@@ -18,8 +19,8 @@ profile db21ed7f_qbittorrent flags=(attach_disconnected,mediate_deleted) { capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, @@ -35,20 +36,20 @@ profile db21ed7f_qbittorrent flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/fireflyiii/apparmor.txt b/fireflyiii/apparmor.txt index 64fe0c328..f8de3723b 100644 --- a/fireflyiii/apparmor.txt +++ b/fireflyiii/apparmor.txt @@ -2,17 +2,25 @@ profile fireflyiii_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, 
@@ -28,21 +36,21 @@ profile fireflyiii_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, -} +} diff --git a/fireflyiii_data_importer/apparmor.txt b/fireflyiii_data_importer/apparmor.txt index 64fe0c328..f8de3723b 100644 --- a/fireflyiii_data_importer/apparmor.txt +++ b/fireflyiii_data_importer/apparmor.txt @@ -2,17 +2,25 @@ profile fireflyiii_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, @@ -28,21 +36,21 @@ profile fireflyiii_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, -} +} diff --git a/flaresolverr/apparmor.txt b/flaresolverr/apparmor.txt index d904cf768..a3aa20e1f 100644 --- a/flaresolverr/apparmor.txt 
+++ b/flaresolverr/apparmor.txt @@ -2,17 +2,25 @@ profile joplin flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, capability dac_override, capability sys_rawio, @@ -28,7 +36,7 @@ profile joplin flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, @@ -36,13 +44,13 @@ profile joplin flags=(attach_disconnected,mediate_deleted) { /dev/ttyUSB0 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/flexget/apparmor.txt b/flexget/apparmor.txt new file mode 100644 index 000000000..f279721e3 --- /dev/null +++ b/flexget/apparmor.txt 
@@ -0,0 +1,46 @@ +#include + +profile flexget_addon flags=(attach_disconnected,mediate_deleted) { + #include + + capability, + file, + signal, + mount, + umount, + remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, + capability setgid, + capability setuid, + + +# S6-Overlay + /bin/** ix, + /usr/bin/** ix, + /usr/lib/bashio/** ix, + /etc/s6/** rix, + /run/s6/** rix, + /etc/services.d/** rwix, + /etc/cont-init.d/** rwix, + /etc/cont-finish.d/** rwix, + /init rix, + /var/run/** mrwkl, + /var/run/ mrwkl, + /dev/i2c-1 mrwkl, + + # Data access + /data/** rw, + + # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container + ptrace (trace,read) peer=docker-default, + + # docker daemon confinement requires explict allow rule for signal + signal (receive) set=(kill,term) peer=/usr/bin/docker, + +} diff --git a/gazpar2mqtt/apparmor.txt b/gazpar2mqtt/apparmor.txt index 4b9ced9e4..8603fd3c3 100644 --- a/gazpar2mqtt/apparmor.txt +++ b/gazpar2mqtt/apparmor.txt @@ -2,12 +2,20 @@ profile inadyn_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, @@ -24,14 +32,14 @@ profile inadyn_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, - + /dev/i2c-1 mrwkl, + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/grav/apparmor.txt b/grav/apparmor.txt index a745d395d..5b7377763 100644 --- a/grav/apparmor.txt +++ b/grav/apparmor.txt 
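Review bot: The new flexget profile grants `capability,` and `file,` with no qualifier, which allows every Linux capability and all file permissions on every path, so the explicit `capability setgid,` and `capability setuid,` lines and the entire `# S6-Overlay` and `# Data access` path block below them are dead rules that never restrict anything. Either drop the two blanket rules so the listed paths and capabilities become the effective policy, or add a comment such as `# NOTE: 'capability,' and 'file,' make the capability and path rules below informational only` so the next reader does not mistake the list for what is enforced. The same applies to the new joal and mealie profiles, which are the same template apart from the profile name. Cosmetic: the `# S6-Overlay` heading is at column 0 while its rules are indented, and there are two consecutive empty lines before it.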
@@ -2,17 +2,25 @@ profile grav_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, @@ -28,21 +36,21 @@ profile grav_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, -} +} diff --git a/inadyn/apparmor.txt b/inadyn/apparmor.txt index 4b9ced9e4..8603fd3c3 100644 --- a/inadyn/apparmor.txt +++ b/inadyn/apparmor.txt @@ -2,12 +2,20 @@ profile inadyn_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, @@ -24,14 +32,14 @@ profile inadyn_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, - + /dev/i2c-1 mrwkl, + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, 
diff --git a/jackett/apparmor.txt b/jackett/apparmor.txt index 9e180360c..3dec4bcea 100644 --- a/jackett/apparmor.txt +++ b/jackett/apparmor.txt @@ -2,17 +2,25 @@ profile jackett_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, @@ -28,20 +36,20 @@ profile jackett_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/jellyfin/apparmor.txt b/jellyfin/apparmor.txt index 6499b7c61..44395c850 100644 --- a/jellyfin/apparmor.txt +++ b/jellyfin/apparmor.txt @@ -2,17 +2,25 @@ profile addon_db21ed7f_jellyfin_nas flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, 
@@ -28,7 +36,7 @@ profile addon_db21ed7f_jellyfin_nas flags=(attach_disconnected,mediate_deleted) /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, @@ -37,13 +45,13 @@ profile addon_db21ed7f_jellyfin_nas flags=(attach_disconnected,mediate_deleted) /dev/* mrwkl, /tmp/** mrkwl, /opt/vc/lib/ mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/joal/apparmor.txt b/joal/apparmor.txt new file mode 100644 index 000000000..8bfb181c4 --- /dev/null +++ b/joal/apparmor.txt @@ -0,0 +1,46 @@ +#include + +profile joal_addon flags=(attach_disconnected,mediate_deleted) { + #include + + capability, + file, + signal, + mount, + umount, + remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, + capability setgid, + capability setuid, + + +# S6-Overlay + /bin/** ix, + /usr/bin/** ix, + /usr/lib/bashio/** ix, + /etc/s6/** rix, + /run/s6/** rix, + /etc/services.d/** rwix, + /etc/cont-init.d/** rwix, + /etc/cont-finish.d/** rwix, + /init rix, + /var/run/** mrwkl, + /var/run/ mrwkl, + /dev/i2c-1 mrwkl, + + # Data access + /data/** rw, + + # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container + ptrace (trace,read) peer=docker-default, + + # docker daemon confinement requires explict allow rule for signal + signal (receive) set=(kill,term) peer=/usr/bin/docker, + +} diff --git a/joplin/apparmor.txt b/joplin/apparmor.txt index d904cf768..a3aa20e1f 100644 --- a/joplin/apparmor.txt +++ b/joplin/apparmor.txt 
@@ -2,17 +2,25 @@ profile joplin flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, capability dac_override, capability sys_rawio, @@ -28,7 +36,7 @@ profile joplin flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, @@ -36,13 +44,13 @@ profile joplin flags=(attach_disconnected,mediate_deleted) { /dev/ttyUSB0 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/lidarr/apparmor.txt b/lidarr/apparmor.txt index 5443b3d37..e85371433 100644 --- a/lidarr/apparmor.txt +++ b/lidarr/apparmor.txt @@ -2,17 +2,25 @@ profile radarr_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, 
@@ -28,21 +36,21 @@ profile radarr_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, -} +} diff --git a/mealie/apparmor.txt b/mealie/apparmor.txt new file mode 100644 index 000000000..6926ca0b0 --- /dev/null +++ b/mealie/apparmor.txt @@ -0,0 +1,46 @@ +#include + +profile mealie_addon flags=(attach_disconnected,mediate_deleted) { + #include + + capability, + file, + signal, + mount, + umount, + remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, + capability setgid, + capability setuid, + + +# S6-Overlay + /bin/** ix, + /usr/bin/** ix, + /usr/lib/bashio/** ix, + /etc/s6/** rix, + /run/s6/** rix, + /etc/services.d/** rwix, + /etc/cont-init.d/** rwix, + /etc/cont-finish.d/** rwix, + /init rix, + /var/run/** mrwkl, + /var/run/ mrwkl, + /dev/i2c-1 mrwkl, + + # Data access + /data/** rw, + + # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container + ptrace (trace,read) peer=docker-default, + + # docker daemon confinement requires explict allow rule for signal + signal (receive) set=(kill,term) peer=/usr/bin/docker, + +} diff --git a/mylar3/apparmor.txt b/mylar3/apparmor.txt index 21b805c76..3047d0ae1 100644 --- a/mylar3/apparmor.txt +++ b/mylar3/apparmor.txt 
@@ -2,17 +2,25 @@ profile mylar3_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, @@ -28,21 +36,21 @@ profile mylar3_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, -} +} diff --git a/nextcloud/apparmor.txt b/nextcloud/apparmor.txt index ceccc03f4..54f13dd9d 100644 --- a/nextcloud/apparmor.txt +++ b/nextcloud/apparmor.txt @@ -2,17 +2,25 @@ profile nextcloud_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, 
@@ -28,20 +36,20 @@ profile nextcloud_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/nzbget/apparmor.txt b/nzbget/apparmor.txt index cbf4e4a95..b6c97dae8 100644 --- a/nzbget/apparmor.txt +++ b/nzbget/apparmor.txt @@ -2,17 +2,25 @@ profile nzbget_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, @@ -28,21 +36,21 @@ profile nzbget_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, -} +} diff --git a/organizr/apparmor.txt b/organizr/apparmor.txt index a88500cf3..ec86101bb 100644 --- a/organizr/apparmor.txt +++ b/organizr/apparmor.txt 
@@ -2,12 +2,20 @@ profile organizr_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, @@ -25,14 +33,14 @@ profile organizr_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, - + /dev/i2c-1 mrwkl, + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/paperless_ng/apparmor.txt b/paperless_ng/apparmor.txt index 3cddeadb2..08dffec45 100644 --- a/paperless_ng/apparmor.txt +++ b/paperless_ng/apparmor.txt @@ -2,17 +2,25 @@ profile addon_db21ed7f_paperless_ng flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, @@ -28,7 +36,7 @@ profile addon_db21ed7f_paperless_ng flags=(attach_disconnected,mediate_deleted) /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, 
@@ -36,14 +44,14 @@ profile addon_db21ed7f_paperless_ng flags=(attach_disconnected,mediate_deleted) /dev/ttyUSB0 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, -} +} diff --git a/papermerge/apparmor.txt b/papermerge/apparmor.txt index 0dff893f1..4fc91511b 100644 --- a/papermerge/apparmor.txt +++ b/papermerge/apparmor.txt @@ -2,17 +2,25 @@ profile papermerge_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, @@ -28,20 +36,20 @@ profile papermerge_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/photoprism/apparmor.txt b/photoprism/apparmor.txt index ae1fcbb1c..cb17dfeb0 100644 --- a/photoprism/apparmor.txt +++ b/photoprism/apparmor.txt 
@@ -2,17 +2,25 @@ profile photoprism flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, capability dac_override, capability sys_rawio, @@ -28,7 +36,7 @@ profile photoprism flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, @@ -36,13 +44,13 @@ profile photoprism flags=(attach_disconnected,mediate_deleted) { /dev/ttyUSB0 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/piwigo/apparmor.txt b/piwigo/apparmor.txt index 3de988835..8cd98e562 100644 --- a/piwigo/apparmor.txt +++ b/piwigo/apparmor.txt @@ -2,17 +2,25 @@ profile piwigo_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, 
@@ -28,20 +36,20 @@ profile piwigo_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/plex/apparmor.txt b/plex/apparmor.txt index 0369bb2b6..a8450aa01 100644 --- a/plex/apparmor.txt +++ b/plex/apparmor.txt @@ -2,17 +2,25 @@ profile addon_db21ed7f_plex_nas flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, @@ -28,7 +36,7 @@ profile addon_db21ed7f_plex_nas flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, @@ -36,13 +44,13 @@ profile addon_db21ed7f_plex_nas flags=(attach_disconnected,mediate_deleted) { /dev/ttyUSB0 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/portainer/apparmor.txt b/portainer/apparmor.txt new file mode 100644 index 000000000..d94bd8ca7 --- /dev/null 
+++ b/portainer/apparmor.txt @@ -0,0 +1,46 @@ +#include + +profile portainer_addon flags=(attach_disconnected,mediate_deleted) { + #include + + capability, + file, + signal, + mount, + umount, + remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, + capability setgid, + capability setuid, + + +# S6-Overlay + /bin/** ix, + /usr/bin/** ix, + /usr/lib/bashio/** ix, + /etc/s6/** rix, + /run/s6/** rix, + /etc/services.d/** rwix, + /etc/cont-init.d/** rwix, + /etc/cont-finish.d/** rwix, + /init rix, + /var/run/** mrwkl, + /var/run/ mrwkl, + /dev/i2c-1 mrwkl, + + # Data access + /data/** rw, + + # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container + ptrace (trace,read) peer=docker-default, + + # docker daemon confinement requires explict allow rule for signal + signal (receive) set=(kill,term) peer=/usr/bin/docker, + +} diff --git a/prowlarr/apparmor.txt b/prowlarr/apparmor.txt index bdcbc21f2..a029cd032 100644 --- a/prowlarr/apparmor.txt +++ b/prowlarr/apparmor.txt @@ -2,17 +2,25 @@ profile prowlarr_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, 
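Review bot: The bare `capability,` and `file,` rules near the top of the new portainer profile grant every capability and unrestricted file access, which makes the explicit `capability setgid,`/`capability setuid,` lines and the whole S6-Overlay and `/data/**` path list below them redundant; the profile confines the add-on in name only. Unless the container demonstrably needs them, drop `capability,`, `file,`, `mount,`, `umount,` and `remount,`, keep the explicit path and capability rules, and add further rules from observed audit denials rather than a blanket grant. Both `#include` lines show no target in this rendering; presumably `<tunables/global>` and `<abstractions/base>` were lost in extraction, but confirm the committed file carries them, since an empty `#include` will not parse. The identical profile text is added for spotweb, tandoor_recipes, teamspeak, webtrees, wger and xteve in this diff, so the same change applies there.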
@@ -28,20 +36,20 @@ profile prowlarr_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/qbittorrent/apparmor.txt b/qbittorrent/apparmor.txt index cf40bc380..51682a1d2 100644 --- a/qbittorrent/apparmor.txt +++ b/qbittorrent/apparmor.txt @@ -2,9 +2,10 @@ profile db21ed7f_qbittorrent flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, @@ -19,12 +20,12 @@ profile db21ed7f_qbittorrent flags=(attach_disconnected,mediate_deleted) { capability setgid, capability chown, capability setuid, - capability sys_admin, + capability sys_admin, capability dac_read_search, capability net_admin, capability dac_override, - capability net_bind_service, - capability net_broadcast, + capability net_bind_service, + capability net_broadcast, capability sys_rawio, # S6-Overlay @@ -39,7 +40,7 @@ profile db21ed7f_qbittorrent flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, @@ -47,13 +48,13 @@ profile db21ed7f_qbittorrent flags=(attach_disconnected,mediate_deleted) { /dev/* mrwkl, /tmp/** mrkwl, /dev/net/tun mrwkl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, 
diff --git a/radarr/apparmor.txt b/radarr/apparmor.txt index 8f0b615e3..e85371433 100644 --- a/radarr/apparmor.txt +++ b/radarr/apparmor.txt @@ -2,17 +2,25 @@ profile radarr_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, @@ -28,20 +36,20 @@ profile radarr_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/readarr/apparmor.txt b/readarr/apparmor.txt index 2a2fbdb93..32f913cf2 100644 --- a/readarr/apparmor.txt +++ b/readarr/apparmor.txt @@ -2,17 +2,25 @@ profile readarr_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, 
@@ -28,21 +36,21 @@ profile readarr_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, -} +} diff --git a/scrutiny/apparmor.txt b/scrutiny/apparmor.txt index bb7a4e5a3..08a51a81f 100644 --- a/scrutiny/apparmor.txt +++ b/scrutiny/apparmor.txt @@ -2,9 +2,10 @@ profile db21ed7f_scrutiny flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, @@ -19,8 +20,8 @@ profile db21ed7f_scrutiny flags=(attach_disconnected,mediate_deleted) { capability setgid, capability setuid, capability dac_override, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, capability sys_rawio, # S6-Overlay @@ -35,11 +36,11 @@ profile db21ed7f_scrutiny flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, - /dev/mmcblk0p1 mrwkl, + /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, /dev/sda mrwkl, @@ -54,13 +55,13 @@ profile db21ed7f_scrutiny flags=(attach_disconnected,mediate_deleted) { /dev/nvme2 mrwkl, /dev/nvme3 mrwkl, /dev/nvme4 mrwkl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, 
diff --git a/sonarr/apparmor.txt b/sonarr/apparmor.txt index 4c0eded04..e73eb0ce4 100644 --- a/sonarr/apparmor.txt +++ b/sonarr/apparmor.txt @@ -2,17 +2,25 @@ profile sonarr_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, @@ -28,20 +36,20 @@ profile sonarr_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/spotweb/apparmor.txt b/spotweb/apparmor.txt new file mode 100644 index 000000000..1b34b8e9f --- /dev/null +++ b/spotweb/apparmor.txt 
@@ -0,0 +1,46 @@
+#include
+
+profile spotweb_addon flags=(attach_disconnected,mediate_deleted) {
+ #include
+
+ capability,
+ file,
+ signal,
+ mount,
+ umount,
+ remount,
+ network udp,
+ network tcp,
+ network dgram,
+ network stream,
+ network inet,
+ network inet6,
+ network netlink raw,
+ capability setgid,
+ capability setuid,
+
+
+# S6-Overlay
+ /bin/** ix,
+ /usr/bin/** ix,
+ /usr/lib/bashio/** ix,
+ /etc/s6/** rix,
+ /run/s6/** rix,
+ /etc/services.d/** rwix,
+ /etc/cont-init.d/** rwix,
+ /etc/cont-finish.d/** rwix,
+ /init rix,
+ /var/run/** mrwkl,
+ /var/run/ mrwkl,
+ /dev/i2c-1 mrwkl,
+
+ # Data access
+ /data/** rw,
+
+ # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+ ptrace (trace,read) peer=docker-default,
+
+ # docker daemon confinement requires explict allow rule for signal
+ signal (receive) set=(kill,term) peer=/usr/bin/docker,
+
+}
diff --git a/tandoor_recipes/apparmor.txt b/tandoor_recipes/apparmor.txt
new file mode 100644
index 000000000..19685785f
--- /dev/null
+++ b/tandoor_recipes/apparmor.txt
@@ -0,0 +1,46 @@
+#include
+
+profile tandoor_recipes_addon flags=(attach_disconnected,mediate_deleted) {
+ #include
+
+ capability,
+ file,
+ signal,
+ mount,
+ umount,
+ remount,
+ network udp,
+ network tcp,
+ network dgram,
+ network stream,
+ network inet,
+ network inet6,
+ network netlink raw,
+ capability setgid,
+ capability setuid,
+
+
+# S6-Overlay
+ /bin/** ix,
+ /usr/bin/** ix,
+ /usr/lib/bashio/** ix,
+ /etc/s6/** rix,
+ /run/s6/** rix,
+ /etc/services.d/** rwix,
+ /etc/cont-init.d/** rwix,
+ /etc/cont-finish.d/** rwix,
+ /init rix,
+ /var/run/** mrwkl,
+ /var/run/ mrwkl,
+ /dev/i2c-1 mrwkl,
+
+ # Data access
+ /data/** rw,
+
+ # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+ ptrace (trace,read) peer=docker-default,
+
+ # docker daemon confinement requires explict allow rule for signal
+ signal (receive) set=(kill,term) peer=/usr/bin/docker,
+
+}
diff --git a/teamspeak/apparmor.txt b/teamspeak/apparmor.txt new file mode 100644 index 000000000..d96fe9af7 --- /dev/null +++ b/teamspeak/apparmor.txt @@ -0,0 +1,46 @@ +#include + +profile teamspeak_addon flags=(attach_disconnected,mediate_deleted) { + #include + + capability, + file, + signal, + mount, + umount, + remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, + capability setgid, + capability setuid, + + +# S6-Overlay + /bin/** ix, + /usr/bin/** ix, + /usr/lib/bashio/** ix, + /etc/s6/** rix, + /run/s6/** rix, + /etc/services.d/** rwix, + /etc/cont-init.d/** rwix, + /etc/cont-finish.d/** rwix, + /init rix, + /var/run/** mrwkl, + /var/run/ mrwkl, + /dev/i2c-1 mrwkl, + + # Data access + /data/** rw, + + # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container + ptrace (trace,read) peer=docker-default, + + # docker daemon confinement requires explict allow rule for signal + signal (receive) set=(kill,term) peer=/usr/bin/docker, + +} diff --git a/transmission/apparmor.txt b/transmission/apparmor.txt index 10a712764..6fe522169 100644 --- a/transmission/apparmor.txt +++ b/transmission/apparmor.txt @@ -2,17 +2,25 @@ profile db21ed7f_transmission flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, 
@@ -28,20 +36,20 @@ profile db21ed7f_transmission flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/ubooquity/apparmor.txt b/ubooquity/apparmor.txt index 3223d49ab..65b053c4c 100644 --- a/ubooquity/apparmor.txt +++ b/ubooquity/apparmor.txt @@ -2,17 +2,25 @@ profile ubooquity_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, @@ -28,20 +36,20 @@ profile ubooquity_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, diff --git a/webtop/apparmor.txt b/webtop/apparmor.txt index 9baa61772..5c93b1494 100644 --- a/webtop/apparmor.txt +++ b/webtop/apparmor.txt 
@@ -2,17 +2,25 @@ profile webtop_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, @@ -28,21 +36,21 @@ profile webtop_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, -} +} diff --git a/webtrees/apparmor.txt b/webtrees/apparmor.txt new file mode 100644 index 000000000..e2bd5a472 --- /dev/null +++ b/webtrees/apparmor.txt 
@@ -0,0 +1,46 @@
+#include
+
+profile webtrees_addon flags=(attach_disconnected,mediate_deleted) {
+ #include
+
+ capability,
+ file,
+ signal,
+ mount,
+ umount,
+ remount,
+ network udp,
+ network tcp,
+ network dgram,
+ network stream,
+ network inet,
+ network inet6,
+ network netlink raw,
+ capability setgid,
+ capability setuid,
+
+
+# S6-Overlay
+ /bin/** ix,
+ /usr/bin/** ix,
+ /usr/lib/bashio/** ix,
+ /etc/s6/** rix,
+ /run/s6/** rix,
+ /etc/services.d/** rwix,
+ /etc/cont-init.d/** rwix,
+ /etc/cont-finish.d/** rwix,
+ /init rix,
+ /var/run/** mrwkl,
+ /var/run/ mrwkl,
+ /dev/i2c-1 mrwkl,
+
+ # Data access
+ /data/** rw,
+
+ # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+ ptrace (trace,read) peer=docker-default,
+
+ # docker daemon confinement requires explict allow rule for signal
+ signal (receive) set=(kill,term) peer=/usr/bin/docker,
+
+}
diff --git a/wger/apparmor.txt b/wger/apparmor.txt
new file mode 100644
index 000000000..c4fd69840
--- /dev/null
+++ b/wger/apparmor.txt
@@ -0,0 +1,46 @@
+#include
+
+profile wger_addon flags=(attach_disconnected,mediate_deleted) {
+ #include
+
+ capability,
+ file,
+ signal,
+ mount,
+ umount,
+ remount,
+ network udp,
+ network tcp,
+ network dgram,
+ network stream,
+ network inet,
+ network inet6,
+ network netlink raw,
+ capability setgid,
+ capability setuid,
+
+
+# S6-Overlay
+ /bin/** ix,
+ /usr/bin/** ix,
+ /usr/lib/bashio/** ix,
+ /etc/s6/** rix,
+ /run/s6/** rix,
+ /etc/services.d/** rwix,
+ /etc/cont-init.d/** rwix,
+ /etc/cont-finish.d/** rwix,
+ /init rix,
+ /var/run/** mrwkl,
+ /var/run/ mrwkl,
+ /dev/i2c-1 mrwkl,
+
+ # Data access
+ /data/** rw,
+
+ # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+ ptrace (trace,read) peer=docker-default,
+
+ # docker daemon confinement requires explict allow rule for signal
+ signal (receive) set=(kill,term) peer=/usr/bin/docker,
+
+}
diff --git a/whoogle/apparmor.txt b/whoogle/apparmor.txt index 212b99b11..8fb81ea80 100644 --- a/whoogle/apparmor.txt +++ b/whoogle/apparmor.txt @@ -2,17 +2,25 @@ profile whoogle-search_addon flags=(attach_disconnected,mediate_deleted) { #include - + capability, file, + signal, mount, umount, remount, + network udp, + network tcp, + network dgram, + network stream, + network inet, + network inet6, + network netlink raw, capability setgid, capability setuid, - capability sys_admin, - capability dac_read_search, + capability sys_admin, + capability dac_read_search, # capability dac_override, # capability sys_rawio, @@ -28,21 +36,21 @@ profile whoogle-search_addon flags=(attach_disconnected,mediate_deleted) { /init rix, /var/run/** mrwkl, /var/run/ mrwkl, - /dev/i2c-1 mrwkl, + /dev/i2c-1 mrwkl, # Files required /dev/sda1 mrwkl, /dev/sdb1 mrwkl, /dev/mmcblk0p1 mrwkl, /dev/* mrwkl, /tmp/** mrkwl, - + # Data access - /data/** rw, + /data/** rw, # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, - + # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer=/usr/bin/docker, -} +} diff --git a/xteve/apparmor.txt b/xteve/apparmor.txt new file mode 100644 index 000000000..9abe422a1 --- /dev/null +++ b/xteve/apparmor.txt 
@@ -0,0 +1,46 @@
+#include
+
+profile xteve_addon flags=(attach_disconnected,mediate_deleted) {
+ #include
+
+ capability,
+ file,
+ signal,
+ mount,
+ umount,
+ remount,
+ network udp,
+ network tcp,
+ network dgram,
+ network stream,
+ network inet,
+ network inet6,
+ network netlink raw,
+ capability setgid,
+ capability setuid,
+
+
+# S6-Overlay
+ /bin/** ix,
+ /usr/bin/** ix,
+ /usr/lib/bashio/** ix,
+ /etc/s6/** rix,
+ /run/s6/** rix,
+ /etc/services.d/** rwix,
+ /etc/cont-init.d/** rwix,
+ /etc/cont-finish.d/** rwix,
+ /init rix,
+ /var/run/** mrwkl,
+ /var/run/ mrwkl,
+ /dev/i2c-1 mrwkl,
+
+ # Data access
+ /data/** rw,
+
+ # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+ ptrace (trace,read) peer=docker-default,
+
+ # docker daemon confinement requires explict allow rule for signal
+ signal (receive) set=(kill,term) peer=/usr/bin/docker,
+
+}