feat(profile): general update.

2025-02-20 17:05:36 +01:00 · 2024-02-01 13:19:19 +00:00 · 2024-02-01 13:19:19 +00:00 · 0a74d5c6fe
commit 0a74d5c6fe
parent 70a8407bd7
22 changed files with 39 additions and 16 deletions
--- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
+++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
@ -2,6 +2,11 @@
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  dbus send bus=session path=/org/freedesktop/systemd1
+       interface=org.freedesktop.DBus.Properties
+       member={Get,GetAll}
+       peer=(name=org.freedesktop.systemd1),
+
  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll}
--- a/apparmor.d/abstractions/desktop
+++ b/apparmor.d/abstractions/desktop
@ -11,6 +11,7 @@
  include <abstractions/wayland>
  include <abstractions/X-strict>

+  /usr/share/hwdata/*.ids r,
  /usr/share/icu/@{int}.@{int}/*.dat r,

  owner @{HOME}/.local/ rw,
--- a/apparmor.d/groups/_full/default-sudo
+++ b/apparmor.d/groups/_full/default-sudo
@ -56,6 +56,8 @@ profile default-sudo @{exec_path} {
  /etc/sudoers r,
  /etc/sudoers.d/{,*} r,

+  / r,
+
        /var/db/sudo/lectured/ r,
        /var/lib/extrausers/shadow r,
        /var/lib/sudo/lectured/ r,
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@ -18,6 +18,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd
 profile systemd-user flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
+  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/apps/discord
+++ b/apparmor.d/groups/apps/discord
@ -90,7 +90,7 @@ profile discord @{exec_path} {
  /etc/fstab r,

  deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
-  deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
+  deny @{sys}/devices/virtual/tty/tty@{int}/active r,
  # To remove the following error:
  # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
  @{sys}/devices/@{pci}/irq r,
--- a/apparmor.d/groups/apps/freetube
+++ b/apparmor.d/groups/apps/freetube
@ -70,7 +70,7 @@ profile freetube @{exec_path} {

  owner @{user_share_dirs} r,

-  deny @{sys}/devices/virtual/tty/tty0/active r,
+  deny @{sys}/devices/virtual/tty/tty@{int}/active r,
  deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
  # To remove the following error:
  #  pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
--- a/apparmor.d/groups/apps/signal-desktop
+++ b/apparmor.d/groups/apps/signal-desktop
@ -62,7 +62,7 @@ profile signal-desktop @{exec_path} {

  @{sys}/devices/@{pci}/{irq,vendor,device} r,
  @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
-  @{sys}/devices/virtual/tty/tty[0-9]/active r,
+  @{sys}/devices/virtual/tty/tty@{int}/active r,
  @{sys}/fs/cgroup/** r,

        @{PROC}/ r,
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@ -53,8 +53,9 @@ profile plymouthd @{exec_path} {
  @{sys}/firmware/acpi/bgrt/{,*} r,
  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,

-        @{PROC}/cmdline r,
        @{PROC}/1/cmdline r,
+        @{PROC}/cmdline r,
+        @{PROC}/sys/kernel/printk r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/stat r,

--- a/apparmor.d/groups/freedesktop/xrdb
+++ b/apparmor.d/groups/freedesktop/xrdb
@ -51,6 +51,7 @@ profile xrdb @{exec_path} {
  owner @{HOME}/.xsession-errors w,

  /dev/tty rw,
+  /dev/tty@{int} rw,

  include if exists <local/xrdb>
 }
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@ -85,7 +85,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {

  @{sys}/devices/**/uevent r,
  @{sys}/devices/@{pci}/boot_vga r,
-  @{sys}/devices/virtual/tty/tty[0-9]*/active r,
+  @{sys}/devices/virtual/tty/tty@{int}/active r,

        @{PROC}/@{pid}/cgroup r,
        @{PROC}/1/environ r,
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@ -59,7 +59,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) {
  @{sys}/bus/pci/devices/ r,
  @{sys}/devices/@{pci}/{vendor,device,class,config,resource,irq} r,
  @{sys}/devices/system/cpu/** r,
-  @{sys}/devices/virtual/tty/tty[0-9]*/active r,
+  @{sys}/devices/virtual/tty/tty@{int}/active r,

        @{PROC}/ r,
        @{PROC}/sys/fs/inotify/max_user_watches r,
--- a/apparmor.d/groups/systemd/systemd-generator-environment-flatpak
+++ b/apparmor.d/groups/systemd/systemd-generator-environment-flatpak
@ -13,7 +13,8 @@ profile systemd-generator-environment-flatpak @{exec_path} {

  @{exec_path} mr,

-  @{bin}/flatpak rix,
+  @{bin}/{,ba,da}sh  rix,
+  @{bin}/flatpak     rix,

  /usr/{local/,}share/gvfs/remote-volume-monitors/{,*}  r,

--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -99,7 +99,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
  @{sys}/class/power_supply/ r,
  @{sys}/devices/** r,
  @{sys}/devices/**/brightness rw,
-  @{sys}/devices/virtual/tty/tty[0-9]*/active r,
+  @{sys}/devices/virtual/tty/tty@{int}/active r,
  @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r,
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@ -21,9 +21,9 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {

  /etc/systemd/oomd.conf r,

-  owner @{run}/systemd/journal/socket w,
        @{run}/systemd/io.system.ManagedOOM rw,
        @{run}/systemd/notify rw,
+  owner @{run}/systemd/journal/socket w,

  @{sys}/fs/cgroup/cgroup.controllers r,
  @{sys}/fs/cgroup/memory.pressure r,
--- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
+++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
@ -12,12 +12,14 @@ profile systemd-tty-ask-password-agent @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/systemd-common>

-  audit capability net_admin,
+  capability dac_override,
+  capability net_admin,
+  capability sys_resource,

  signal (receive) set=(term cont) peer=default,
  signal (receive) set=(term cont) peer=logrotate,

-  @{exec_path} mr,
+  @{exec_path} mrix,

  @{run}/systemd/ask-password-block/{,*} rw,
  @{run}/systemd/ask-password/{,*} rw,
@ -25,6 +27,9 @@ profile systemd-tty-ask-password-agent @{exec_path} {

  @{PROC}/@{pids}/stat r,
  
+  @{sys}/devices/virtual/tty/console/active r,
+  @{sys}/devices/virtual/tty/tty@{int}/active r,
+
  /dev/tty@{int} rw,

  include if exists <local/systemd-tty-ask-password-agent>
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -49,6 +49,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
  @{bin}/less              rPx -> child-pager,
  @{bin}/ln                rix,
  @{bin}/logger            rix,
+  @{bin}/ls                rix,
  @{bin}/lvm               rPx,
  @{bin}/mknod             rPx,
  @{bin}/more              rPx -> child-pager,
@ -58,13 +59,16 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
  @{bin}/pager             rPx -> child-pager,
  @{bin}/perl              rix,
  @{bin}/readlink          rix,
+  @{bin}/rm                rix,
  @{bin}/sed               rix,
  @{bin}/setfacl           rix,
  @{bin}/sg_inq            rix,
  @{bin}/snap             rPUx,
  @{bin}/systemctl         rCx -> systemctl,
+  @{bin}/systemd-run       rix,
  @{bin}/touch             rix,
  @{bin}/unshare           rix,
+  @{bin}/wc                rix,

  @{lib}/crda/*                           rPUx,
  @{lib}/gdm-runtime-config               rPx,
--- a/apparmor.d/profiles-a-f/deltachat-desktop
+++ b/apparmor.d/profiles-a-f/deltachat-desktop
@ -70,7 +70,7 @@ profile deltachat-desktop @{exec_path} {
  # (#FIXME#)
  deny @{sys}/bus/pci/devices/ r,

-  deny @{sys}/devices/virtual/tty/tty0/active r,
+  deny @{sys}/devices/virtual/tty/tty@{int}/active r,

  # no new privs
  @{bin}/xdg-settings    rPx,
--- a/apparmor.d/profiles-a-f/edid-decode
+++ b/apparmor.d/profiles-a-f/edid-decode
@ -12,7 +12,7 @@ profile edid-decode @{exec_path} {

  @{exec_path} mr,

-  @{sys}/devices/@{pci}/drm/card[0-9]/*/edid r,
+  @{sys}/devices/@{pci}/drm/card@{int}/*/edid r,

  include if exists <local/edid-decode>
 }
--- a/apparmor.d/profiles-g-l/hw-probe
+++ b/apparmor.d/profiles-g-l/hw-probe
@ -99,7 +99,7 @@ profile hw-probe @{exec_path} {
  @{sys}/class/power_supply/ r,

  @{sys}/devices/virtual/dmi/id/* r,
-  @{sys}/devices/@{pci}/drm/card[0-9]/*/edid r,
+  @{sys}/devices/@{pci}/drm/card@{int}/*/edid r,
  @{sys}/devices/**/power_supply/*/uevent r,

  @{sys}/firmware/efi/efivars/ r,
--- a/apparmor.d/profiles-m-r/mkswap
+++ b/apparmor.d/profiles-m-r/mkswap
@ -12,9 +12,10 @@ profile mkswap @{exec_path} {
  include <abstractions/base>
  include <abstractions/disks-write>

+  capability mknod,
+
  @{exec_path} mr,

-  # SWAP file common locations
  owner /swapfile rw,
  owner /swap/swapfile rw,

--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@ -15,6 +15,7 @@ profile snapd @{exec_path} {
  include <abstractions/authentication>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.PolicyKit1>
+  include <abstractions/bus/org.freedesktop.timedate1>
  include <abstractions/disks-write>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@ -176,7 +176,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
  @{sys}/devices/virtual/dmi/id/product_{name,version} r,
  @{sys}/devices/virtual/dmi/id/sys_vendor r,
  @{sys}/devices/virtual/net/*/ r,
-  @{sys}/devices/virtual/tty/tty[0-9]/active r,
+  @{sys}/devices/virtual/tty/tty@{int}/active r,
  @{sys}/kernel/ r,
  @{sys}/power/suspend_stats/success rk,