Generic abstractions
accessibility¶
Allow communication with Assistive Technology Service Provider Interface (AT-SPI)
app-indicator¶
App Indicator, modern systray icons
audio-client¶
Most programs do not need direct access to audio devices; audio-client only includes the configuration files needed by client applications that talk to the sound server.
TODO
Will have to be split into pipewire-client and pulse-client abstractions
audio-server¶
Provide access to audio devices. It should only be used by audio servers that need direct access to them.
avahi-observe¶
Allows domain, record, service, and service type browsing as well as address, host and service resolving
base-strict¶
It is mostly a restructuring of the base abstraction with awareness of the apparmor.d architecture.
Changes from the base abstraction:
- Removed access to @{run}/uuidd/request
- Owner-only access to some files in @{PROC}/@{pid}/
- Denied lttng
Warning
Do not include it manually. It automatically replaces the base abstraction in profiles when the base-strict prebuild feature is enabled (the default).
bluetooth-control¶
Allows control over Bluetooth devices such as pairing, connecting, and managing profiles.
bluetooth-observe¶
Allows listing Bluetooth devices and their properties.
camera¶
Allows access to all cameras
dconf-write¶
Permissions for querying dconf settings with write access. Use the dconf abstraction first, and include dconf-write only in the profile of a specific application that needs to write settings.
desktop¶
Unified minimal abstraction for all UI applications regardless of the desktop environment.
Note
Once AppArmor supports conditionals, they will be used in this abstraction to filter the resources specific to each supported DE.
development¶
Allows access to various development tools such as compilers, build tools, etc.
Required variables: devtools
devices-usb¶
Allow raw access to all connected USB devices
fontconfig-cache-read¶
See
fontconfig-cache-write¶
See
gnome-base¶
Minimal GNOME-specific rules.
gvfs-backend¶
Allow acting as a gvfs backend.
hwmon¶
hwmon nodes are written in accordance with the kernel hwmon sysfs interface documentation: https://www.kernel.org/doc/Documentation/hwmon/sysfs-interface
hwmon-write¶
The hwmon-write abstraction includes all rules from hwmon (read permission) and adds write and write-only rules for the hwmon sysfs tree.
mediakeys¶
Allow requesting interest in receiving media key events. This tells the GNOME settings daemon that the application should be notified when the key events it is interested in are pressed, and allows it to receive those events.
modem-manager-observe¶
Allows observing ModemManager settings. It grants read access to modem devices and their settings, but not secrets.
mpris¶
Allow operating as an MPRIS player.
nameservice-strict¶
Many programs wish to perform nameservice-like operations, such as looking up users by name or ID, groups by name or ID, hosts by name or IP, etc.
network-manager-observe¶
Allows observing NetworkManager settings. It grants access to listing MAC addresses, previous networks, etc., but not secrets.
power-profiles¶
Allow reading the power profiles configuration.
screensaver¶
Allow checking the status of, activating, and locking the screensaver.
secrets-service¶
Provide full access to the secret-service API: https://standards.freedesktop.org/secret-service/
The secret-service allows managing (add/delete/lock/etc.) collections and (add/delete/etc.) items within collections. The API also has the concept of aliases for collections, typically used to access the default collection. While it would be possible for an application developer to use an application-specific collection and mediate by object path, application developers are instead meant to treat collections (typically the default collection) as a database of key/value attributes, each with an associated secret, that applications may query. Because AppArmor does not mediate D-Bus member data, typical and recommended usage of the API does not allow for application isolation. For details, see: https://standards.freedesktop.org/secret-service/ch03.html
session-manager¶
Allow registering a client with the session manager. This is needed for applications that want to be notified of session events, such as shutdown or logout, and to be able to inhibit those actions.
shells¶
This abstraction is only required when an interactive shell is started. Classic shell scripts do not need it.
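Several entries above carry a usage caveat rather than a grant: base-strict must not be included by hand, dconf-write should be reserved for profiles that really write settings, audio-server is for audio servers only, devices-usb is raw access to every USB device, and shells is only for programs that start an interactive shell. The following linter is an added example, not part of the apparmor.d project, that scans a profile's `include <abstractions/...>` lines and flags those cases. The rule table, the severity labels and the sample profile are all constructed here for illustration; the include-line syntax it parses is the standard AppArmor one.

```python
# Added example (not apparmor.d code): lint a profile for the abstraction
# usage caveats described on this page.
import re

# Matches `include <abstractions/foo>`, `include if exists <abstractions/foo.d>`
# and the legacy `#include <abstractions/foo>` spelling.
INCLUDE_RE = re.compile(
    r"^\s*#?include\s+(?:if\s+exists\s+)?<abstractions/([A-Za-z0-9_.+-]+)>"
)

# Rule table built from the page's descriptions. The severities are this
# linter's own convention (assumption): "error" means the include must not be
# there, "review" means a human should confirm the program really needs it.
RULES = {
    "base-strict": ("error",
        "do not include base-strict directly; include <abstractions/base> and "
        "let the base-strict prebuild feature substitute it"),
    "dconf-write": ("review",
        "grants write access to dconf; prefer <abstractions/dconf> unless this "
        "program writes settings"),
    "audio-server": ("review",
        "direct access to audio devices; only audio servers should use it, "
        "clients should use <abstractions/audio-client>"),
    "devices-usb": ("review",
        "raw access to all connected USB devices"),
    "shells": ("review",
        "only needed when an interactive shell is started, not for scripts"),
}


def included_abstractions(profile_text):
    """Return the abstraction names included anywhere in the profile, in order."""
    names = []
    for line in profile_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def lint(profile_text):
    """Return (severity, abstraction, message) for every flagged include."""
    findings = []
    for name in included_abstractions(profile_text):
        # A `foo.d` drop-in include is judged by the rule for `foo`.
        base = name[:-2] if name.endswith(".d") else name
        if base in RULES:
            severity, message = RULES[base]
            findings.append((severity, name, message))
    return findings


# Constructed sample profile (not a real apparmor.d profile). It trips the
# base-strict rule and the dconf-write rule; the other includes are fine.
SAMPLE_PROFILE = """\
abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/example-player
profile example-player @{exec_path} {
  include <abstractions/base-strict>
  include <abstractions/desktop>
  include <abstractions/dconf-write>
  include <abstractions/audio-client>
  include <abstractions/mpris>

  @{exec_path} mr,

  include if exists <local/example-player>
}
"""

if __name__ == "__main__":
    for severity, name, message in lint(SAMPLE_PROFILE):
        print(f"{severity}: abstractions/{name}: {message}")
```

Run it against a profile file by passing its contents to `lint()`; a clean profile returns an empty list. Note that `include if exists <local/...>` lines are deliberately ignored, since they are not abstraction includes.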
upower-observe¶
Can query UPower for power devices, history and statistics.