From 01dd9ebb0c9addb786faa6033ae3828c0d530eb6 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 1 May 2024 12:25:01 +0100
Subject: [PATCH] feat(profile): general update.
---
 apparmor.d/groups/bus/dbus-accessibility | 2 +-
 apparmor.d/groups/freedesktop/dconf-service | 2 +-
 .../freedesktop/polkit-gnome-authentication-agent | 1 -
 apparmor.d/groups/gnome/epiphany-search-provider | 8 ++++----
 apparmor.d/groups/gnome/gdm-session-worker | 3 +++
 apparmor.d/groups/gnome/gnome-calendar | 2 +-
 apparmor.d/groups/gnome/yelp | 2 ++
 apparmor.d/groups/pacman/pacman | 14 ++++++++++++++
 apparmor.d/profiles-a-f/flatpak-portal | 2 ++
 apparmor.d/profiles-s-z/virt-manager | 5 +++--
 10 files changed, 31 insertions(+), 10 deletions(-)
diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility
index 8a56a9b8..f3a857a4 100644
--- a/apparmor.d/groups/bus/dbus-accessibility
+++ b/apparmor.d/groups/bus/dbus-accessibility
@@ -17,7 +17,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
   include
   signal (receive) set=(term hup kill) peer=dbus-session,
-  signal (receive) set=(term hup kill) peer=gdm,
+  signal (receive) set=(term hup kill) peer=gdm{,-session-worker},
   dbus bus=accessibility,
diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service
index 70184421..7ef2e530 100644
--- a/apparmor.d/groups/freedesktop/dconf-service
+++ b/apparmor.d/groups/freedesktop/dconf-service
@@ -14,7 +14,7 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) {
   include
   signal (receive) set=(term kill hup) peer=dbus-session,
-  signal (receive) set=(term hup) peer=gdm,
+  signal (receive) set=(term hup) peer=gdm{,-session-worker},
   #aa:dbus own bus=session name=ca.desrt.dconf
diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent
index 5f48d5c2..f1d235c9 100644
--- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent
@@ -12,7 +12,6 @@ include
 @{exec_path} += @{lib}/polkit-gnome/polkit-gnome-authentication-agent-1
 profile polkit-gnome-authentication-agent @{exec_path} {
   include
-  include
   include
   @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider
index e58d5877..a67dc3c5 100644
--- a/apparmor.d/groups/gnome/epiphany-search-provider
+++ b/apparmor.d/groups/gnome/epiphany-search-provider
@@ -34,10 +34,10 @@ profile epiphany-search-provider @{exec_path} {
   owner /tmp/ContentRuleList@{rand6} rw,
   owner /tmp/Serialized* rw,
-  @{sys}/devices/virtual/dmi/id/chassis_type r,
-  @{sys}/firmware/acpi/pm_profile r,
-  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.Epiphany.SearchProvider.slice/*/memory.* r,
-  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
+  @{sys}/devices/virtual/dmi/id/chassis_type r,
+  @{sys}/firmware/acpi/pm_profile r,
+  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.Epiphany.SearchProvider.slice/*/memory.* r,
+  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
   @{PROC}/driver/nvidia/params r,
   @{PROC}/modules r,
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index 27936849..f7219c98 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@@ -33,11 +33,14 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   signal (receive) set=term peer=gdm,
   signal (send) set=(hup term) peer=gdm-session,
   signal (send) set=hup peer=at-spi*,
+  signal (send) set=hup peer=dbus-accessibility,
   signal (send) set=hup peer=dbus-session,
+  signal (send) set=hup peer=dconf-service,
   signal (send) set=hup peer=gjs-console,
   signal (send) set=hup peer=gnome-*,
   signal (send) set=hup peer=gsd-*,
   signal (send) set=hup peer=ibus-*,
+  signal (send) set=hup peer=mutter-x11-frames,
   signal (send) set=hup peer=tracker-miner,
   signal (send) set=hup peer=xdg-*,
   signal (send) set=hup peer=xorg,
diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar
index a23f6152..4df820c8 100644
--- a/apparmor.d/groups/gnome/gnome-calendar
+++ b/apparmor.d/groups/gnome/gnome-calendar
@@ -23,7 +23,7 @@ profile gnome-calendar @{exec_path} {
   network netlink raw,
-  #aa:dbus own bus=session name=org.gnome.Calendar interface={org.freedesktop.Application,org.gtk.Actions}
+  #aa:dbus own bus=session name=org.gnome.Calendar
   #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory
   #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory
diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp
index 28931a3c..f54d7654 100644
--- a/apparmor.d/groups/gnome/yelp
+++ b/apparmor.d/groups/gnome/yelp
@@ -27,6 +27,8 @@ profile yelp @{exec_path} {
   @{sys}/devices/virtual/dmi/id/chassis_type r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r,
+  owner @{sys}/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/*.slice/*/memory.* r,
+
   @{PROC}/zoneinfo r,
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index ac6bafdd..04e2dacc 100644
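Review bot: The new `signal (send) set=hup peer=mutter-x11-frames,` line is only half of the rule, because AppArmor mediates signals on both the sender and the receiver: dbus-accessibility and dconf-service get the matching `peer=gdm{,-session-worker}` receive rules in this same patch, but no mutter-x11-frames hunk is included. Unless that profile already accepts `peer=gdm-session-worker` (not visible here), the HUP will still be denied on the receiving side; `signal (receive) set=hup peer=gdm-session-worker,` there would complete the change. The signal list these lines belong to continues outside the hunk on both sides.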
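Review bot: Dropping `interface={org.freedesktop.Application,org.gtk.Actions}` from the `#aa:dbus own` directive widens the generated rules from two named interfaces to every interface under `org.gnome.Calendar`, and neither the hunk nor the commit message ("general update") records which interface was being denied. The bare form matches the other `own` directive in this patch (`name=ca.desrt.dconf` in dconf-service), so it may simply be the project convention; if so, a comment line above it such as `# NOTE: no interface= filter — the app needs more than Application/Actions; confirm which` would keep the widening auditable.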
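Review bot: The added cgroup rule hard-codes uid 1000 (`user-1000.slice/user@1000.service`) while the line directly above uses `user-@{uid}.slice/user@@{uid}.service`, so the grant is silently dead for every other user, and the `owner` qualifier already restricts it to the calling uid anyway; it should read `owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r,`. Note also that `*.slice/*/memory.*` reaches the memory statistics of every app slice in the session rather than only yelp's own scope as the existing rule does; that is presumably what the denial being fixed needed, but it is wider than the line it sits next to and worth confirming.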
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -100,6 +100,7 @@ profile pacman @{exec_path} {
   @{bin}/xmlcatalog rix,
   @{lib}/systemd/systemd-* rPx,
   @{lib}/vlc/vlc-cache-gen rPx,
+  /opt/Mullvad*/resources/mullvad-setup rPx,
   /usr/share/code-features/patch.py rPx,
   /usr/share/code-marketplace/patch.py rPx,
   /usr/share/libalpm/scripts/* rPUx,
@@ -189,6 +190,19 @@ profile pacman @{exec_path} {
   include
   capability net_admin,
+  capability dac_read_search,
+  capability sys_resource,
+
+  @{bin}/pager rPx -> child-pager,
+  @{bin}/less rPx -> child-pager,
+  @{bin}/more rPx -> child-pager,
+  @{bin}/diff rPx -> child-pager,
+
+  /etc/machine-id r,
+
+  /{run,var}/log/journal/ r,
+  /{run,var}/log/journal/@{hex32}/ r,
+  /{run,var}/log/journal/@{hex32}/*.journal* r,
   include if exists
 }
diff --git a/apparmor.d/profiles-a-f/flatpak-portal b/apparmor.d/profiles-a-f/flatpak-portal
index 38941785..d82c3865 100644
--- a/apparmor.d/profiles-a-f/flatpak-portal
+++ b/apparmor.d/profiles-a-f/flatpak-portal
@@ -29,6 +29,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
   /usr/share/mime/mime.cache r,
   /usr/share/xdg-desktop-portal/portals/{,*.portal} r,
+  /var/lib/flatpak/exports/share/mime/mime.cache r,
+
   / r,
   /.flatpak-info r,
diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager
index d4f8d403..68f52dd3 100644
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@@ -85,10 +85,11 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
   @{sys}/devices/virtual/drm/ttm/uevent r,
+  @{PROC}/@{pids}/net/route r,
+  owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,
-  owner @{PROC}/@{pid}/fd/ r,
-  @{PROC}/@{pids}/net/route r,
+  owner @{PROC}/@{pid}/stat r,
   /dev/media@{int} r,
   /dev/video@{int} rw,
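Review bot: `/opt/Mullvad*/resources/mullvad-setup rPx,` requires a profile attached to that exact path: with `Px` the exec is denied outright if no such profile is loaded, unlike the `rPUx` fallback used for `/usr/share/libalpm/scripts/*` a few lines below. No `mullvad-setup` profile is part of this patch, so either it already exists in the tree or this line needs `rPUx` (or the profile added alongside it). The exec list that holds this line continues outside the hunk.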
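Review bot: `capability dac_read_search,` and `capability sys_resource,` land in this child profile with no indication of which program needs them; the neighbouring additions (the `child-pager` transitions, `/etc/machine-id`, `/{run,var}/log/journal/...`) look like journalctl being run from a hook, but that is inferred. `dac_read_search` lets every read rule in this child bypass DAC permission checks, so it deserves a why-comment and a check that it is actually hit rather than copied from a noisy audit log, e.g. `capability dac_read_search,  # presumably journalctl reading journals it does not own; confirm` and a similar note on `sys_resource`. The child profile these rules belong to begins before the hunk; only its trailing `include if exists` and closing `}` are visible.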