Core abstractions
accounts-observe
Allow communication with accounts-daemon. This is used by gnome-shell's agent implementation to display user information in the authorisation dialog.
amdgpu
Kernel Fusion Driver for AMD GPUs
app-open
Instead of allowing execution of all software in @{bin}/ and @{lib}/, the purpose of this abstraction is to list all GUI programs that can open resources.
Ultimately, only sandbox managers such as bwrap, snap, flatpak and firejail should be present here. Until then, this abstraction will be a controlled mess.
bash-strict
This abstraction is only required when .bashrc is loaded (e.g. interactive shell). Classic shell scripts do not need it.
bwrap
Bubblewrap creates isolated environments for applications. It requires the sys_admin capability to enter a new PID namespace. Until this capability is dropped, the process can potentially escape confinement. For this reason, we typically transition to another application profile, even if it requires managing a stacked set of profiles, since bwrap sets the no_new_privs (nnp) flag. The resulting profile should take the form: <bwrap>//&<app>
A profile using this abstraction still needs to set:
- the flag: attach_disconnected
- bwrap execution: @{bin}/bwrap ix, or memory mapping: @{bin}/bwrap mr,
Required variables: att
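The following profile skeleton is an added illustration of the requirements listed above; it is not a profile from apparmor.d. The profile name myapp and the path @{bin}/myapp are placeholders, the bwrap execution rule uses the ix form named in the text, and the @{att} variable the abstraction requires is assumed to come from the project's tunables rather than being defined here.

```apparmor
# Added example, not an apparmor.d profile. "myapp" / @{bin}/myapp are
# placeholder names for an application that launches bwrap.
abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/myapp

# attach_disconnected is required by abstractions/bwrap (see the text above).
profile myapp @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bwrap>

  @{exec_path} mr,

  # Execute bwrap inside this profile (ix), as the abstraction requires.
  # The alternative named in the text is a memory-mapping rule:
  #   @{bin}/bwrap mr,
  # Because bwrap sets no_new_privs, a transition to another profile ends
  # up stacked, i.e. in the bwrap//&myapp form described above.
  @{bin}/bwrap ix,

  # @{att} is listed as a required variable; it is assumed to be provided by
  # the project's tunables (not redefined in this placeholder profile).

  include if exists <local/myapp>
}
```

The point to check after loading such a profile is that no rule grants the sys_admin capability to a context the confined application can reach once bwrap has set up the namespace; the abstraction's text is explicit that the capability is what makes escape possible until it is dropped.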
contacts-service
Allow access to Evolution Data Service for contacts
deny-sensitive-home
Per the first rule of this project:
Quote
As these are mandatory access control policies, only what is explicitly required should be authorized. Meaning, you should not allow everything (or a large area) and then blacklist some sub-area.
The only legitimate uses in this project are file browsers and search engines.
devices-u2f
Allows access to Universal 2nd Factor (U2F) devices
devices-usb-read
Allow detection of USB devices. Leaks information about plugged-in USB devices.
devtools
Allows access to files common to various development tools. This abstraction is meant to be included in profiles of development tools only.
It does not aim at allowing execution of development tools, only file access.
The tools are defined in the @{devtools} variable.
Required variables: devtools
dri
The Direct Rendering Infrastructure (DRI) is the framework comprising the modern Linux graphics stack which allows unprivileged user-space programs to issue commands to graphics hardware without conflicting with other programs.
fish
This abstraction is only required when zshrc is loaded (e.g. interactive shell). Classic shell scripts do not need it.
fontconfig-cache
The fontconfig cache can be generated via the following command:
There is no need to give apps the ability to create the cache on their own. However, apps can generate the fontconfig cache if some cache files are missing. Therefore, if this behavior is desirable, you can use:
If not, you can block writing to the cache directories with
glibc
Note
As this abstraction is included in the base / base-strict abstractions, it is not necessary to include it manually.
golang-strict
Container-aware GOMAXPROCS
gstreamer-registry
Plugin registry cache for the multimedia framework GStreamer. It stores metadata about all the GStreamer plugins available on the system, including their types, capabilities, and locations.
It is usually needed by applications calling GStreamer libraries.
gvfs
Allow access to GVFS files.
ibus-strict
Allow communicating with ibus-daemon (this allows sniffing key events)
input
Allow reading and writing to raw input devices
kde-base
Minimal KDE-specific rules.
ld
ld.so.cache and ld are used to load shared libraries; therefore they are required by almost all applications.
Note
As this abstraction is included in the base / base-strict abstractions, it is not necessary to include it manually.
locale
Note
As this abstraction is included in the base / base-strict abstractions, it is not necessary to include it manually.
lttng
LTTng is an open source tracing framework for Linux - https://lttng.org
LTTng tracing is very noisy and should not be allowed for confined apps.
Note
As this abstraction is included in the base / base-strict abstractions, it is not necessary to include it manually.
media-control
Allows access to media controllers such as microphones and video capture hardware. See: https://www.kernel.org/doc/Documentation/userspace-api/media/mediactl/media-controller-intro.rst
nss
Network Security Services (NSS)
It only allows access to the system-provided configuration files, not the application-specific ones.
nvidia-drivers
Allow creating nvidia device files to be used by unprivileged user-space programs
oneapi
Intel oneAPI compiler libraries
path
Common directories in $PATH, used by launchers and interactive shells.
pcscd
Allows interacting with PC/SC Smart Card Daemon
screen-inhibit
Can inhibit and uninhibit screen savers in desktop sessions.
sqlite
SQLite temporary files (hexadecimal names of 12 to 16 characters)
tests
Common temporary test directories used by autopkgtest.
Warning
Do not include it manually. It is automatically included in the base abstraction when the 'test' prebuild flag is set.
Note
When needed, this abstraction is included in the base / base-strict abstractions, so it is not necessary to include it manually.
tpm
Communication with the system TPM chip over /dev/tpm@{int} and the kernel TPM resource manager /dev/tpmrm@{int}
trash-strict
Already upstreamed. It differs because a recent change does not play well with upstream's version.
There is no owner rule on expunged folders because some internally sandboxed apps (using bwrap) run as a different private user.
uinput
Allow write access to the uinput device for emulating input devices from user space and sending input events.
user-read
Warning: This abstraction gives unrestricted read access to all non-hidden user directories.
user-read-strict
This abstraction gives read access to all defined user directories. It should only be used if access to ALL folders is required.
user-write-strict
This abstraction gives write-only access to all defined user directories. It should only be used if access to ALL folders is required.
webkit
Minimal set of rules for the WebKitGTK UI.
wine
Basic set of resources for wine regardless of the installation method (system or through a game launcher).
xfce-base
Minimal Xfce-specific rules.
zsh
This abstraction is only required when zshrc is loaded (e.g. interactive shell). Classic shell scripts do not need it.