From 1675a26fbf06d3085759ccd63b102b3ce8583c3a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 2 Jul 2024 22:08:15 +0100 Subject: [PATCH] feat(profile): general update. --- .../abstractions/authentication.d/complete | 6 +- apparmor.d/groups/systemd/systemd-udevd | 76 +++++++++---------- apparmor.d/profiles-g-l/libreoffice | 6 +- 3 files changed, 44 insertions(+), 44 deletions(-) diff --git a/apparmor.d/abstractions/authentication.d/complete b/apparmor.d/abstractions/authentication.d/complete index 63819cc1..738166db 100644 --- a/apparmor.d/abstractions/authentication.d/complete +++ b/apparmor.d/abstractions/authentication.d/complete @@ -8,8 +8,8 @@ @{bin}/unix_chkpwd rPx, #aa:only whonix - @{lib}/security-misc/pam_faillock_not_if_x rPx, - @{lib}/security-misc/pam-abort-on-locked-password rPx, - @{lib}/security-misc/pam-info rPx, + @{lib}/security-misc/pam-abort-on-locked-password rPx, + @{lib}/security-misc/pam-info rPx, + @{lib}/security-misc/pam_faillock_not_if_x rPx, # vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index e5be870f..76a7e21c 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -10,9 +10,9 @@ include @{exec_path} = @{bin}/udevadm @{lib}/systemd/systemd-udevd profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { include + include include include - include capability chown, capability dac_override, @@ -27,7 +27,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { capability sys_rawio, capability sys_resource, - ptrace (read), + ptrace read, network inet dgram, network inet6 dgram, @@ -35,54 +35,52 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{exec_path} mrix, - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/*-print-pci-ids rix, + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/*-print-pci-ids rix, @{bin}/alsactl rPUx, - @{bin}/ddcutil rPx, + @{bin}/ddcutil rPx, @{bin}/dmsetup rPUx, - @{bin}/ethtool rix, - @{bin}/issue-generator rPx, - @{bin}/kmod rPx, - @{bin}/less rPx -> child-pager, - @{bin}/logger rix, - @{bin}/ls rix, - @{bin}/lvm rPx, - @{bin}/mknod rix, - @{bin}/more rPx -> child-pager, - @{bin}/multipath rPx, - @{bin}/nfsrahead rix, - @{bin}/pager rPx -> child-pager, - @{bin}/perl rix, - @{bin}/setfacl rix, - @{bin}/sg_inq rix, + @{bin}/ethtool rix, + @{bin}/issue-generator rPx, + @{bin}/kmod rPx, + @{bin}/less rPx -> child-pager, + @{bin}/logger rix, + @{bin}/ls rix, + @{bin}/lvm rPx, + @{bin}/mknod rix, + @{bin}/more rPx -> child-pager, + @{bin}/multipath rPx, + @{bin}/nfsrahead rix, + @{bin}/pager rPx -> child-pager, + @{bin}/perl rix, + @{bin}/setfacl rix, + @{bin}/sg_inq rix, @{bin}/snap rPUx, - @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-run rix, - @{bin}/unshare rix, + @{bin}/systemctl rCx -> systemctl, + @{bin}/systemd-run rix, + @{bin}/unshare rix, - @{lib}/crda/* rPUx, - @{lib}/gdm-runtime-config rPx, - @{lib}/nfsrahead rPUx, - @{lib}/open-iscsi/net-interface-handler rPUx, - @{lib}/pm-utils/power.d/* rPUx, - @{lib}/snapd/snap-device-helper rPx, - @{lib}/systemd/systemd-* rPx, - @{lib}/udev/* rPUx, - /usr/share/hplip/config_usb_printer.py rPUx, + @{lib}/crda/* rPUx, + @{lib}/gdm-runtime-config rPx, + @{lib}/nfsrahead rPUx, + @{lib}/open-iscsi/net-interface-handler rPUx, + @{lib}/pm-utils/power.d/* rPUx, + @{lib}/snapd/snap-device-helper rPx, + @{lib}/systemd/systemd-* rPx, + @{lib}/udev/* rPUx, + /usr/share/hplip/config_usb_printer.py rPUx, - /etc/console-setup/*.sh rPUx, - /etc/network/cloud-ifupdown-helper rPUx, - - /etc/machine-id r, + /etc/console-setup/*.sh rPUx, + /etc/network/cloud-ifupdown-helper rPUx, /etc/default/* r, - + /etc/machine-id r, /etc/nfs.conf rk, /etc/udev/{,**} r, - /etc/udev/hwdb.bin rw, /etc/udev/.#hwdb.bin* rw, + /etc/udev/hwdb.bin rw, /etc/modprobe.d/ r, /etc/modprobe.d/*.conf r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 313b34a2..2a7295f4 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -39,7 +39,7 @@ profile libreoffice @{exec_path} { @{bin}/sed rix, @{bin}/uname rix, - @{open_path} rpx -> child-open-browsers, + @{open_path} rPx -> child-open-browsers, @{bin}/gpgconf rPx, @{bin}/gpgsm rPx, @@ -51,8 +51,10 @@ profile libreoffice @{exec_path} { @{lib}/jvm/java*/bin/java rix, @{lib}/jvm/java*/lib/** rm, - @{lib}/libreoffice/share/uno_packages/cache/stamp.sys w, @{lib}/libreoffice/{,**} rm, + @{lib}/libreoffice/share/uno_packages/cache/stamp.sys w, + @{lib}/libreoffice/program/{,**/}__pycache__/ w, + @{lib}/libreoffice/share/extensions/{,**/}__pycache__/ w, /usr/share/hyphen/{,**} r, /usr/share/libexttextcat/{,**} r,