Created
July 11, 2025 04:17
-
-
Save drzraf/28fd981311e4cfb676c8f5281dfeca9f to your computer and use it in GitHub Desktop.
cursor's editor apparmor profile
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #/etc/apparmor.d/cursor | |
| abi <abi/4.0>, | |
| include <tunables/global> | |
| # observed net accesses | |
| # - api3.cursor.sh.cdn.cloudflare.net. | |
| # - cursor.sh.cdn.cloudflare.net. | |
| # - cursorapi.com. | |
| # - cursor-cdn.com. | |
| # - marketplace.cursorapi.com. | |
| profile cursor /{tmp/squashfs-root/,}usr/share/cursor/cursor { | |
| userns, | |
| include <abstractions/base> | |
| include <abstractions/X> | |
| include <abstractions/perl> | |
| include <abstractions/dbus-session-strict> | |
| include <abstractions/freedesktop.org> | |
| include <abstractions/dbus-strict> | |
| include if exists <local/cursor> | |
| #include <abstractions/fonts> | |
| #include <abstractions/wutmp> | |
| # network | |
| #network inet dgram, | |
| #network inet6 dgram, | |
| #network inet stream, | |
| #network inet6 stream, | |
| network netlink raw, | |
| /etc/nsswitch.conf r, | |
| /etc/hosts r, | |
| /etc/host.conf r, | |
| /etc/resolv.conf r, | |
| /{tmp/squashfs-root/,}usr/share/@{profile_name}/cursor ix, | |
| /{tmp/squashfs-root/,}usr/share/@{profile_name}/chrome_crashpad_handler ix, | |
| /tmp/squashfs-root/** rm, | |
| /usr/bin/git ix, | |
| /etc/gitconfig r, | |
| /usr/lib/@{multiarch}/{libm.so,ld-linux-x86-64.so}* rm, | |
| owner @{HOME}/.cursor/{,**} rw, | |
| owner @{HOME}/.config/Cursor/{,**} rwkl, | |
| owner @{HOME}/.local/share/glib-2.0/schemas/gschemas.compiled r, | |
| owner @{HOME}/.cache/mesa_shader_cache_db/** rwkl, | |
| #/usr/share/@{profile_name}/** r, | |
| #/usr/share/@{profile_name}/resources/system/plugins/*/*/* ix, | |
| /run/user/*/dconf/user rw, | |
| /run/user/*/vscode-* rw, | |
| @{sys}/devices/virtual/tty/tty*/active r, | |
| @{sys}/devices/virtual/dmi/id/chassis_type r, | |
| @{sys}/firmware/acpi/pm_profile r, | |
| @{sys}/devices/system/cpu/{kernel_max,present,cpufreq/**} r, | |
| @{sys}/devices/pci0000:00/**/{busnum,class,config,device,devnum,descriptors,irq,resource,revision,speed,subsystem_device,subsystem_vendor,uevent,vendor} r, | |
| owner @{sys}/fs/cgroup/user.slice/{cpu.max,user-[0-9]*.slice/{cpu.max,user@[0-9]*.service/{cpu.max,app.slice/{cpu.max,*.scope/memory.*}}}} r, | |
| @{PROC}/sys/net/core/somaxconn r, | |
| @{PROC}/sys/fs/inotify/max_user_watches r, | |
| @{PROC}/*/stat r, | |
| @{PROC}/ r, | |
| @{PROC}/sys/kernel/yama/ptrace_scope r, | |
| @{PROC}/@{pid}/oom_score_adj w, | |
| @{PROC}/loadavg r, | |
| owner @{PROC}/@{pid}/{cgroup,comm,cmdline,smaps,statm,stat,task/**,fd/{,*},fdinfo/*} r, | |
| /dev/pts/* rw, | |
| /dev/shm/ r, | |
| owner /dev/shm/** rw, | |
| /etc/ r, | |
| deny dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member=SettingChanged peer=(label=unconfined), | |
| deny dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member=Read peer=(label=unconfined), | |
| dbus send bus=session peer=(name=org.a11y.Bus), | |
| dbus (send) | |
| bus=session | |
| interface=org.freedesktop.DBus.Properties | |
| path=/org/freedesktop/portal/desktop{,/**} | |
| peer=(name=org.freedesktop.portal.Desktop), | |
| dbus send | |
| bus=system | |
| path=/org/freedesktop/login1 | |
| interface=org.freedesktop.login1.Manager | |
| member=Inhibit, | |
| dbus send | |
| bus=system | |
| path=/org/freedesktop/login1 | |
| interface=org.freedesktop.DBus.Properties | |
| member=RemoveMatch, | |
| dbus receive | |
| bus=system | |
| path=/org/freedesktop/login1 | |
| interface=org.freedesktop.DBus.Properties | |
| member=PropertiesChanged, | |
| dbus (send,receive) | |
| bus=system | |
| path=/ | |
| interface=org.freedesktop.DBus.ObjectManager | |
| member={GetManagedObjects,InterfacesAdded,InterfacesRemoved}, | |
| deny /etc/shells r, | |
| deny @{HOME}/.cache/Microsoft/DeveloperTools/deviceid r, | |
| deny dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=ListNames peer=(name=org.freedesktop.DBus), | |
| deny /etc/lsb-release r, | |
| deny /proc/uptime r, | |
| deny /sys/bus/pci/devices/ r, | |
| #deny dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(label=unconfined), | |
| #deny dbus receive bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver member=ActiveChanged peer=(label=unconfined), | |
| #deny dbus send bus=session path=/ScreenSaver interface=org.freedesktop.ScreenSaver member=UnInhibit, | |
| #deny dbus send bus=session path=/StatusNotifierWatcher interface=org.freedesktop.DBus.Properties member=Get peer=(label=unconfined), | |
| #deny dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=ListActivatableNames peer=(label=unconfined), | |
| # file browser | |
| dbus (send) | |
| bus=session | |
| path=/ca/desrt/dconf/Writer/user | |
| interface=ca.desrt.dconf.Writer | |
| member=Change | |
| peer=(name=ca.desrt.dconf), | |
| dbus (send) | |
| bus=session | |
| path=/org/gtk/vfs/mounttracker | |
| interface=org.gtk.vfs.MountTracker | |
| member=LookupMount, | |
| dbus (send, receive) | |
| bus=session | |
| path=/ca/desrt/dconf/Writer/user | |
| interface=ca.desrt.dconf.Writer | |
| member=Notify, | |
| deny /run/systemd/userdb/ r, | |
| deny /etc/passwd r, | |
| deny /etc/fstab r, | |
| deny dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor member=List peer=(label=unconfined), | |
| deny dbus send bus=session path=/org/gtk/vfs/* interface=org.gtk.vfs.{Mount,Monitor,Daemon} member={Unsubscribe,Subscribe,ListMonitorImplementations,CreateFileMonitor,Enumerate,QueryInfo,CreateDirectoryMonitor} peer=(label=unconfined), | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment