Rules fix.

2025-01-30 14:55:15 +01:00 · 2021-04-07 18:05:15 +01:00 · 2021-04-07 18:05:15 +01:00 · 04f2d2c9a3
commit 04f2d2c9a3
parent 9446af57f8
9 changed files with 14 additions and 3 deletions
--- a/apparmor.d/groups/desktop/accounts-daemon
+++ b/apparmor.d/groups/desktop/accounts-daemon
@ -14,6 +14,8 @@ profile accounts-daemon @{exec_path} {
  include <abstractions/nameservice-strict>

  # Needed?
+  capability dac_read_search,
+  capability sys_ptrace,
  deny capability sys_nice,

  @{exec_path} mr,
--- a/apparmor.d/groups/gvfs/gvfsd-fuse
+++ b/apparmor.d/groups/gvfs/gvfsd-fuse
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
+#               2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -19,6 +20,7 @@ profile gvfsd-fuse @{exec_path} {

  /dev/fuse rw,

+  @{PROC}/sys/fs/pipe-max-size r,

  profile fusermount {
    include <abstractions/base>
--- a/apparmor.d/groups/systemd/systemd-rfkill
+++ b/apparmor.d/groups/systemd/systemd-rfkill
@ -13,6 +13,7 @@ profile systemd-rfkill @{exec_path} {
  include <abstractions/systemd-common>

  capability net_admin,
+  capability sys_ptrace,

  network netlink raw,

--- a/apparmor.d/groups/systemd/systemd-tmpfiles
+++ b/apparmor.d/groups/systemd/systemd-tmpfiles
@ -21,6 +21,7 @@ profile systemd-tmpfiles @{exec_path} {
  @{exec_path} mr,

  /etc/machine-id r,
+  /etc/brlapi.key w,
  /usr/share/factory/{,**} r,

  # Config file locations
--- a/apparmor.d/profiles-a-l/browserpass
+++ b/apparmor.d/profiles-a-l/browserpass
@ -22,8 +22,8 @@ profile browserpass @{exec_path} {
  owner @{HOME}/.password-store/{,**} r,
  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/.parentlock rw,
  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/extensions/* r,
-  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/startupCache/scriptCache-*.bin r,
-  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/startupCache/startupCache.*.little r,
+  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.default/startupCache/scriptCache-*.bin r,
+  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.default/startupCache/startupCache.*.little r,

  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

--- a/apparmor.d/profiles-a-l/git
+++ b/apparmor.d/profiles-a-l/git
@ -18,6 +18,7 @@ include <tunables/global>
 profile git @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
+  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  include <abstractions/nameservice-strict>

--- a/apparmor.d/profiles-a-l/gitstatusd
+++ b/apparmor.d/profiles-a-l/gitstatusd
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{exec_path} = /usr/share/zsh-theme-powerlevel10k/gitstatus/usrbin/gitstatusd{,-*}
+@{exec_path} = /usr/share/zsh-theme-powerlevel[0-9]*k/gitstatus/usrbin/gitstatusd{,-*}
 profile gitstatusd @{exec_path} {
  include <abstractions/base>

--- a/apparmor.d/profiles-m-z/polkitd
+++ b/apparmor.d/profiles-m-z/polkitd
@ -16,6 +16,7 @@ profile polkitd @{exec_path} {
  capability setgid,

  # Needed?
+  capability sys_ptrace,
  audit deny capability net_admin,

  @{exec_path} mr,
--- a/apparmor.d/profiles-m-z/udisksd
+++ b/apparmor.d/profiles-m-z/udisksd
@ -23,6 +23,9 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
  #  Error mounting /dev/sd* at /media/*/*: Operation not permitted.
  capability sys_admin,

+  capability dac_read_search,
+  capability dac_override,
+
  # Needed?
  deny capability sys_nice,