feat(profile): merge colord-sane into colord.

Required due to nnp flag enabled on colord-sane. As the profiles are similar it is easier to merge them.
2025-01-18 17:08:09 +01:00 · 2024-03-10 20:27:05 +00:00 · 2024-03-10 20:27:05 +00:00 · 10ce0ba4a1
commit 10ce0ba4a1
parent 7882ae2153
2 changed files with 14 additions and 54 deletions
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@ -7,7 +7,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{exec_path} = @{lib}/{,colord/}colord
+@{exec_path} = @{lib}/{,colord/}colord{,-sane}
 profile colord @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-system>
@ -28,21 +28,25 @@ profile colord @{exec_path} flags=(attach_disconnected) {
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
       peer=(name=org.freedesktop.DBus, label=dbus-daemon),

-  @{exec_path} mr,
-
-  @{lib}/{,colord/}colord-sane  rPx -> colord//&colord-sane,
+  @{exec_path} mrix,

  /etc/machine-id r,
-  /etc/udev/hwdb.bin r,
  /etc/sane.d/{,**} r,
+  /etc/snmp/snmp.conf r,
+  /etc/udev/hwdb.bin r,

-  /usr/share/mime/mime.cache r,
  /usr/share/color/icc/{,**} r,
+  /usr/share/mime/mime.cache r,
+  /usr/share/snmp/mibs/{,*} r,

-  owner /var/lib/colord/** r,
  owner /var/lib/colord/.cache/ rw,
  owner /var/lib/colord/.cache/** rw,
  owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk,
+  owner /var/lib/colord/** r,
+
+  owner /var/lib/snmp/{mib,cert}_indexes/ rw,
+  owner /var/lib/snmp/mibs/{iana,ietf}/ r,
+  owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r,

  /var/lib/gdm{3,}/.local/share/icc/edid-*.icc r,
  /var/lib/flatpak/exports/share/mime/mime.cache r,
@ -50,6 +54,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {

  @{user_share_dirs}/icc/edid-*.icc r,

+  @{run}/systemd/journal/socket rw,
  @{run}/systemd/sessions/* r,

  @{run}/udev/data/+pci:* r,
@ -70,5 +75,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
        @{PROC}/@{pids}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,

+  /dev/parport@{int} r,
+
  include if exists <local/colord>
 }
--- a/apparmor.d/groups/freedesktop/colord-sane
+++ b/apparmor.d/groups/freedesktop/colord-sane
@ -1,47 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2021 Mikhail Morfikov
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/{,colord/}colord-sane
-profile colord-sane @{exec_path} flags=(attach_disconnected) {
-  include <abstractions/base>
-  include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.Avahi>
-  include <abstractions/devices-usb>
-  include <abstractions/openssl>
-
-  network inet dgram,
-  network inet6 dgram,
-  network netlink raw,
-
-  # dbus: talk bus=system name=org.freedesktop.ColorManager label=colord
-
-  @{exec_path} mr,
-
-  /usr/share/snmp/mibs/{,*} r,
-
-  /etc/sane.d/{,**} r,
-  /etc/snmp/snmp.conf r,
-
-  /var/lib/snmp/{mib,cert}_indexes/ rw,
-  /var/lib/snmp/mibs/{iana,ietf}/ r,
-  /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r,
-
-  @{run}/systemd/journal/socket rw,
-
-  @{sys}/bus/scsi/devices/ r,
-  @{sys}/devices/@{pci}/{vendor,model,type} r,
-
-  @{PROC}/sys/dev/parport/ r,
-  @{PROC}/sys/dev/parport/parport@{int}/base-addr r,
-  @{PROC}/sys/dev/parport/parport@{int}/irq r,
-
-  /dev/parport@{int} r,
-
-  include if exists <local/colord-sane>
-}