From 0c5e71f971f32c704c347c7dba8aeb0416b2d295 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 16 Mar 2024 21:40:35 +0000 Subject: [PATCH] feat(profile): cleanup some rules already included in abs. --- apparmor.d/abstractions/sudo | 3 --- apparmor.d/groups/_full/systemd-user | 3 --- apparmor.d/groups/akonadi/akonadi_archivemail_agent | 1 - apparmor.d/groups/akonadi/akonadi_indexing_agent | 1 - apparmor.d/groups/akonadi/akonadi_mailfilter_agent | 1 - .../groups/akonadi/akonadi_newmailnotifier_agent | 13 +------------ apparmor.d/groups/freedesktop/polkit-agent-helper | 2 -- apparmor.d/groups/gnome/gdm-session-worker | 1 - apparmor.d/groups/gnome/gnome-disk-image-mounter | 11 +++-------- apparmor.d/groups/gnome/gnome-software | 1 - apparmor.d/groups/kde/baloo | 1 - apparmor.d/groups/kde/dolphin | 1 - apparmor.d/groups/kde/gmenudbusmenuproxy | 2 -- apparmor.d/groups/kde/kactivitymanagerd | 1 - apparmor.d/groups/kde/kde-powerdevil | 1 - apparmor.d/groups/kde/kded | 1 - apparmor.d/groups/kde/ksmserver-logout-greeter | 2 -- apparmor.d/groups/kde/kwalletmanager | 1 - apparmor.d/groups/kde/kwin_wayland | 3 +-- apparmor.d/groups/kde/kwin_x11 | 3 ++- apparmor.d/groups/kde/plasma-discover | 1 - apparmor.d/groups/kde/plasmashell | 8 +++++--- apparmor.d/groups/kde/sddm-greeter | 7 ++++--- apparmor.d/groups/kde/startplasma | 1 - apparmor.d/groups/systemd/systemd-homework | 2 -- apparmor.d/groups/systemd/systemd-machined | 2 +- apparmor.d/groups/systemd/systemd-userwork | 2 -- apparmor.d/profiles-a-f/aa-log | 4 +--- apparmor.d/profiles-m-r/qbittorrent | 1 - apparmor.d/profiles-s-z/YACReader | 1 - apparmor.d/profiles-s-z/YACReaderLibrary | 1 - apparmor.d/profiles-s-z/snap | 1 - apparmor.d/profiles-s-z/snapd | 1 - apparmor.d/profiles-s-z/spice-vdagentd | 4 ++-- apparmor.d/profiles-s-z/swtpm_setup | 2 -- apparmor.d/profiles-s-z/vlc | 1 - 36 files changed, 20 insertions(+), 72 deletions(-) 
diff --git a/apparmor.d/abstractions/sudo b/apparmor.d/abstractions/sudo index 435c0a9a..33bd8cfc 100644 --- a/apparmor.d/abstractions/sudo +++ b/apparmor.d/abstractions/sudo @@ -19,8 +19,6 @@ @{lib}/sudo/** mr, - @{bin}/unix_chkpwd rPx, - @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*} r, /etc/sudo.conf r, @@ -34,7 +32,6 @@ @{PROC}/@{pid}/stat r, @{PROC}/sys/kernel/cap_last_cap r, @{PROC}/sys/kernel/ngroups_max r, - @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/seccomp/actions_avail r, /dev/ r, # interactive login diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index 65b1d58b..9b095c64 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -60,11 +60,8 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { @{bin}/wireplumber rPx -> systemd-user//&wireplumber, /usr/ r, - /usr/share/dbus-1/{,**} r, /usr/share/defaults/**.conf r, - /etc/machine-id r, - /etc/systemd/user.conf r, /etc/systemd/user.conf.d/{,**} r, /etc/systemd/user/{,**} r, diff --git a/apparmor.d/groups/akonadi/akonadi_archivemail_agent b/apparmor.d/groups/akonadi/akonadi_archivemail_agent index 5a5c5a0d..22a2568c 100644 --- a/apparmor.d/groups/akonadi/akonadi_archivemail_agent +++ b/apparmor.d/groups/akonadi/akonadi_archivemail_agent @@ -43,7 +43,6 @@ profile akonadi_archivemail_agent @{exec_path} { owner @{user_share_dirs}/akonadi/file_db_data/{,**} r, @{PROC}/sys/kernel/core_pattern r, - @{PROC}/sys/kernel/random/boot_id r, /dev/tty r, diff --git a/apparmor.d/groups/akonadi/akonadi_indexing_agent b/apparmor.d/groups/akonadi/akonadi_indexing_agent index 46059bf8..0bffc97f 100644 --- a/apparmor.d/groups/akonadi/akonadi_indexing_agent +++ b/apparmor.d/groups/akonadi/akonadi_indexing_agent 
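Review bot: Dropping `@{bin}/unix_chkpwd rPx,` from this abstraction (and from polkit-agent-helper and gdm-session-worker in later hunks) relies on the replacement abstraction granting the exec with the same `rPx` transition; the include targets are not visible in this patch, so please confirm. unix_chkpwd is the privileged helper that checks the shadow database on behalf of PAM, so if the shared rule were `rix` or `rPUx` the caller's profile would either have to be widened to shadow access or the helper would run unconfined. The same check applies to `@{etc_ro}/environment r,`, which is presumably read by pam_env and is not an obvious member of a generic abstraction.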
@@ -46,7 +46,6 @@ profile akonadi_indexing_agent @{exec_path} { owner @{user_share_dirs}/akonadi/** rwlk -> @{user_share_dirs}/akonadi/**, @{PROC}/sys/kernel/core_pattern r, - @{PROC}/sys/kernel/random/boot_id r, /dev/tty r, diff --git a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent index 5ede9dfa..53a6fc02 100644 --- a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent +++ b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent @@ -57,7 +57,6 @@ profile akonadi_mailfilter_agent @{exec_path} { owner @{user_share_dirs}/akonadi/file_db_data/{,**} rw, @{PROC}/sys/kernel/core_pattern r, - @{PROC}/sys/kernel/random/boot_id r, /dev/tty r, diff --git a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent index f610dcad..ffd40e8d 100644 --- a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent +++ b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent @@ -9,23 +9,16 @@ include @{exec_path} = @{bin}/akonadi_newmailnotifier_agent profile akonadi_newmailnotifier_agent @{exec_path} { include - include - include include + include include - include - include @{exec_path} mr, /usr/share/akonadi/plugins/serializer/{,*.desktop} r, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/knotifications{5,6}/akonadi_newmailnotifier_agent.notifyrc r, /etc/machine-id r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, owner @{user_cache_dirs}/icon-cache.kcache rw, 
@@ -36,15 +29,11 @@ profile akonadi_newmailnotifier_agent @{exec_path} { owner @{user_config_dirs}/emaildefaults r, owner @{user_config_dirs}/emailidentities.lock rwk, owner @{user_config_dirs}/emailidentities* rwl, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kmail2rc r, - owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/specialmailcollectionsrc r, @{PROC}/sys/kernel/core_pattern r, - @{PROC}/sys/kernel/random/boot_id r, /dev/tty r, diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper index 9506ccb0..c5c2b090 100644 --- a/apparmor.d/groups/freedesktop/polkit-agent-helper +++ b/apparmor.d/groups/freedesktop/polkit-agent-helper @@ -42,8 +42,6 @@ profile polkit-agent-helper @{exec_path} { @{exec_path} mr, - @{bin}/unix_chkpwd rPx, - owner @{HOME}/.xsession-errors w, @{run}/faillock/[a-zA-z0-9]* rwk, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 4b2d4bb3..44f0220e 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -60,7 +60,6 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{bin}/gnome-keyring-daemon rPx, - @{bin}/unix_chkpwd rPx, @{etc_ro}/X11/xdm/Xstartup rPUx, @{lib}/{,gdm/}gdm-{x,wayland}-session rPx -> gdm-session, /etc/gdm{3,}/{Pre,Post}Session/Default rix, diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index 1c7e84cc..044a780c 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter 
@@ -10,23 +10,18 @@ include profile gnome-disk-image-mounter @{exec_path} { include include - include - include - include - include + include @{exec_path} mr, - /usr/share/X11/xkb/{,**} r, - # Allow to mount user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, owner /tmp/*/{,**} r, - owner @{PROC}/@{pid}/mountinfo r, - @{run}/mount/utab r, + owner @{PROC}/@{pid}/mountinfo r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index bfd78620..4a21d7e2 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -101,7 +101,6 @@ profile gnome-software @{exec_path} { @{PROC}/@{pids}/mounts r, @{PROC}/sys/fs/pipe-max-size r, - @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fdinfo/@{int} r, diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 297906b4..28efb9f5 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -41,7 +41,6 @@ profile baloo @{exec_path} { owner @{user_share_dirs}/baloo/{,**} rwk, @{PROC}/sys/kernel/core_pattern r, - @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 4a9548a4..71cbb5f5 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -87,7 +87,6 @@ profile dolphin @{exec_path} { owner @{run}/user/@{uid}/#@{int} rw, @{PROC}/sys/kernel/core_pattern r, - @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index 8818aeaf..ec36ee18 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy 
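Review bot: `@{run}/mount/utab r,` is removed together with the rules that move into the new include, but unlike `/usr/share/X11/xkb/{,**} r,` it is not an obvious abstraction member; confirm the replacement include covers it, since utab is presumably consulted through libmount when the `@{MOUNTS}` paths are resolved. Separately, the file still ends without a trailing newline (`\ No newline at end of file` after the closing `}`), as do gmenudbusmenuproxy, systemd-homework, systemd-userwork and swtpm_setup in later hunks; appending one while these files are being touched keeps them consistent with the rest of the tree.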
@@ -24,7 +24,5 @@ profile gmenudbusmenuproxy @{exec_path} { owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.@{rand6}} rwl, owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock rwk, - @{PROC}/sys/kernel/random/boot_id r, - include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index d0a702da..33628b07 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -38,7 +38,6 @@ profile kactivitymanagerd @{exec_path} { owner @{user_share_dirs}/recently-used.xbel r, @{PROC}/sys/kernel/core_pattern r, - @{PROC}/sys/kernel/random/boot_id r, /dev/tty r, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 7bea54a8..b287fda5 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -65,7 +65,6 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mounts r, @{PROC}/sys/kernel/core_pattern r, - @{PROC}/sys/kernel/random/boot_id r, /dev/tty rw, /dev/rfkill r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index f54d28f2..ca808d84 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -154,7 +154,6 @@ profile kded @{exec_path} { @{PROC}/@{pids}/fd/info/@{int} r, @{PROC}/sys/fs/inotify/max_user_{instances,watches} r, @{PROC}/sys/kernel/core_pattern r, - @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index 3c53dd17..7fb15b46 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -17,7 +17,6 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) { include include include - include @{exec_path} mr, 
@@ -60,7 +59,6 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/dev/i915/perf_stream_paranoid r, @{PROC}/sys/kernel/core_pattern r, - @{PROC}/sys/kernel/random/boot_id r, include if exists } diff --git a/apparmor.d/groups/kde/kwalletmanager b/apparmor.d/groups/kde/kwalletmanager index c49c4b3e..ac751776 100644 --- a/apparmor.d/groups/kde/kwalletmanager +++ b/apparmor.d/groups/kde/kwalletmanager @@ -46,7 +46,6 @@ profile kwalletmanager @{exec_path} { @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, @{PROC}/sys/kernel/core_pattern r, - @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, /dev/shm/ r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 5b98a720..9444a5f0 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -73,7 +73,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc rw, owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/kwin/qmlcache/#@{int}, owner @{user_cache_dirs}/kwin/qmlcache/#@{int} rw, - owner @{user_cache_dirs}/plasma_theme_default_v*.kcache rw, + owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasma-svgelements.lock rwk, @@ -118,7 +118,6 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{PROC}/@{pid}/task/@{tid}/comm rw, @{PROC}/sys/kernel/core_pattern r, - @{PROC}/sys/kernel/random/boot_id r, /dev/input/event@{int} rw, /dev/tty r, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index d6d5e5bf..d108023d 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 
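Review bot: `owner @{user_cache_dirs}/plasma_theme_*.kcache rw,` in the kwin_wayland hunk widens the previous `plasma_theme_default_v*.kcache` glob to every theme cache, which is a permission change rather than a cleanup of rules already covered by an abstraction. It matches the form already used by kwin_x11, plasmashell and sddm-greeter elsewhere in this patch, so it looks intentional, but a line in the commit message would make the widening visible to anyone auditing the history.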
@@ -41,8 +41,9 @@ profile kwin_x11 @{exec_path} { owner @{user_cache_dirs}/kwin/{,**} rwl, owner @{user_cache_dirs}/plasmarc r, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, + owner @{user_cache_dirs}/plasma-svgelements rw, + owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasma-svgelements.lock rwk, - owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwl, owner @{user_cache_dirs}/session/#@{int} rw, owner @{user_config_dirs}/#@{int} rw, diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover index 1e3d63fa..e9c82cc5 100644 --- a/apparmor.d/groups/kde/plasma-discover +++ b/apparmor.d/groups/kde/plasma-discover @@ -99,7 +99,6 @@ profile plasma-discover @{exec_path} { owner @{run}/user/@{uid}/discover@{rand6}.* rwl -> @{run}/user/@{uid}/#@{int}, @{PROC}/sys/kernel/core_pattern r, - @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/mountinfo r, /dev/tty r, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 372994ef..ba82cad1 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell 
@@ -108,12 +108,15 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_cache_dirs}/bookmarksrunner/** rwkl -> @{user_cache_dirs}/bookmarksrunner/#@{int}, owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/kcrash-metadata/plasmashell.*.ini w, - owner @{user_cache_dirs}/ksvg-elements* rwlk -> @{user_cache_dirs}/#@{int}, + owner @{user_cache_dirs}/ksvg-elements rw, + owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int}, + owner @{user_cache_dirs}/ksvg-elements.lock rwlk, owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, + owner @{user_cache_dirs}/plasma-svgelements rw, + owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasma-svgelements.lock rwk, - owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasmashell/ rw, owner @{user_cache_dirs}/plasmashell/** rwkl -> @{user_cache_dirs}/plasmashell/**, owner @{user_cache_dirs}/org.kde.*/ rw, @@ -191,7 +194,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{PROC}/diskstats r, @{PROC}/loadavg r, @{PROC}/sys/kernel/core_pattern r, - @{PROC}/sys/kernel/random/boot_id r, @{PROC}/uptime r, @{PROC}/vmstat r, owner @{PROC}/@{pid}/{cgroup,cmdline,stat,statm} r, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index ceece849..5f298c74 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -38,7 +38,6 @@ profile sddm-greeter @{exec_path} { /usr/share/hunspell/** r, /etc/fstab r, - /etc/machine-id r, /etc/sddm.conf r, /etc/sddm.conf.d/{,*} r, /etc/xdg/plasmarc r, 
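Review bot: `owner @{user_cache_dirs}/ksvg-elements.lock rwlk,` grants link permission with no target, while the parallel `owner @{user_cache_dirs}/plasma-svgelements.lock rwk,` added three lines below omits `l`; unless the lock file is really hard-linked, `rwk` is the least-privilege form and keeps the two rule sets consistent. The temporary-file rule `ksvg-elements.@{rand6} rwlk -> …` likewise carries `k` where the plasma-svgelements one has `rwl`; if both caches are written through the same temp-file-and-rename path, one of the two is probably over- or under-specified — worth confirming against the recorded denials.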
@@ -53,7 +52,9 @@ profile sddm-greeter @{exec_path} { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, - owner @{user_cache_dirs}/plasma-svgelements-* rw, + owner @{user_cache_dirs}/plasma-svgelements rw, + owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rw, + owner @{user_cache_dirs}/plasma-svgelements.lock rwk, owner @{user_cache_dirs}/sddm-greeter/{,**} rwl, owner @{user_config_dirs}/plasmarc r, @@ -68,9 +69,9 @@ profile sddm-greeter @{exec_path} { owner @{run}/sddm/{,*} rw, + @{PROC}/sys/kernel/core_pattern r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, - @{PROC}/sys/kernel/core_pattern r, include if exists } diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index f7bd7729..8ecb60f5 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -66,7 +66,6 @@ profile startplasma @{exec_path} { owner @{run}/user/@{uid}/ r, @{PROC}/sys/kernel/core_pattern r, - @{PROC}/sys/kernel/random/boot_id r, /dev/tty r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/systemd/systemd-homework b/apparmor.d/groups/systemd/systemd-homework index e3c0a06f..e4a34f05 100644 --- a/apparmor.d/groups/systemd/systemd-homework +++ b/apparmor.d/groups/systemd/systemd-homework @@ -16,7 +16,5 @@ profile systemd-homework @{exec_path} { /etc/machine-id r, - @{run}/systemd/userdb/ r, - include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index 7aaee86e..bb2f6d37 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -10,6 +10,7 @@ include profile systemd-machined @{exec_path} { include include + include include capability chown, 
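Review bot: Replacing `owner @{user_cache_dirs}/plasma-svgelements-* rw,` with the `.@{rand6}` and `.lock` forms changes the glob (hyphen to dot) rather than removing a rule now covered by an abstraction, so it is a behavioural change inside a cleanup commit; confirm from the greeter's denials that the files are actually named `plasma-svgelements.<rand6>`. The sibling rules added to kwin_x11 and plasmashell in this same patch give the temporary file `rwl -> @{user_cache_dirs}/#@{int}`, whereas here it gets only `rw`; if the greeter writes the cache through the same temp-file-and-rename path, the missing link permission will surface as a denial.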
@@ -40,7 +41,6 @@ profile systemd-machined @{exec_path} { /etc/machine-id r, @{run}/systemd/machines/{,**} rw, - @{run}/systemd/userdb/io.systemd.Machine rw, @{run}/systemd/notify w, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-userwork b/apparmor.d/groups/systemd/systemd-userwork index 14e79c6f..cc83b3ae 100644 --- a/apparmor.d/groups/systemd/systemd-userwork +++ b/apparmor.d/groups/systemd/systemd-userwork @@ -21,7 +21,5 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /etc/shadow r, - @{run}/systemd/userdb/ r, - include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log index d79bb35d..d9e38e52 100644 --- a/apparmor.d/profiles-a-f/aa-log +++ b/apparmor.d/profiles-a-f/aa-log @@ -10,6 +10,7 @@ include profile aa-log @{exec_path} { include include + include capability dac_read_search, @@ -18,8 +19,6 @@ profile aa-log @{exec_path} { @{bin}/journalctl rix, /etc/machine-id r, - /etc/nsswitch.conf r, - /etc/passwd r, /var/lib/dbus/machine-id r, /var/log/audit/* r, @@ -30,7 +29,6 @@ profile aa-log @{exec_path} { @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/cap_last_cap r, /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 579a2dc5..5a84a838 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -109,7 +109,6 @@ profile qbittorrent @{exec_path} { owner /tmp/qtsingleapp-qBitto-*-lockfile rwk, owner /tmp/tmp* rw, - @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pids}/cmdline r, owner @{PROC}/@{pids}/comm r, owner @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/profiles-s-z/YACReader b/apparmor.d/profiles-s-z/YACReader index 98ca1c18..6c2cb9c9 100644 --- a/apparmor.d/profiles-s-z/YACReader +++ b/apparmor.d/profiles-s-z/YACReader 
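Review bot: `@{run}/systemd/userdb/io.systemd.Machine rw,` is removed in favour of the include added in the previous hunk, but the comparable removals in systemd-homework, systemd-userwork and swtpm_setup only drop a read rule on the `@{run}/systemd/userdb/` directory; machined is the process that creates and binds that socket, so it needs create/write on the path, which a client-side userdb abstraction may not grant. Please confirm the new include (not visible in this patch) carries `w` for `@{run}/systemd/userdb/io.systemd.Machine`, or keep the explicit rule in the profile.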
@@ -43,7 +43,6 @@ profile YACReader @{exec_path} flags=(attach_disconnected,mediate_deleted) { /dev/shm/ r, - @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index f2894f1b..b82576a1 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary @@ -43,7 +43,6 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted owner /tmp/@{uuid} w, - @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, include if exists diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index 515b6c85..76ab62e2 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -80,7 +80,6 @@ profile snap @{exec_path} { @{PROC}/@{pids}/mountinfo r, @{PROC}/cgroups r, @{PROC}/cmdline r, - @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/seccomp/actions_avail r, @{PROC}/version r, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 130b8dcc..e747a45d 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -169,7 +169,6 @@ profile snapd @{exec_path} { @{PROC}/@{pids}/stat r, @{PROC}/cgroups r, @{PROC}/cmdline r, - @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/seccomp/actions_avail r, @{PROC}/version r, owner @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index 14c4f1d7..cdaf03b9 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd 
@@ -16,12 +16,12 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - owner @{run}/spice-vdagentd/spice-vdagent-sock r, - owner @{run}/spice-vdagentd/spice-vdagentd.pid rw, @{run}/systemd/journal/dev-log w, @{run}/systemd/seats/seat@{int} r, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, + owner @{run}/spice-vdagentd/spice-vdagent-sock r, + owner @{run}/spice-vdagentd/spice-vdagentd.pid rw, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/profiles-s-z/swtpm_setup b/apparmor.d/profiles-s-z/swtpm_setup index 7771ba10..bb516789 100644 --- a/apparmor.d/profiles-s-z/swtpm_setup +++ b/apparmor.d/profiles-s-z/swtpm_setup @@ -25,7 +25,5 @@ profile swtpm_setup @{exec_path} { owner /tmp/swtpm_setup.certs.*/*.cert rw, owner /tmp/.swtpm_setup.pidfile* rw, - @{run}/systemd/userdb/ r, - include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index 06125ef6..d02a5ce3 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -111,7 +111,6 @@ profile vlc @{exec_path} { owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r, @{PROC}/@{pids}/net/if_inet6 r, - @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r,