feat(profile): general update.

2024-11-14 23:43:56 +01:00 · 2024-05-07 16:19:29 +01:00 · 2024-05-07 16:19:29 +01:00 · 239d5efe63
commit 239d5efe63
parent 4ada6f5879
14 changed files with 22 additions and 46 deletions
--- a/apparmor.d/groups/children/child-modprobe-nvidia
+++ b/apparmor.d/groups/children/child-modprobe-nvidia
@ -25,6 +25,7 @@ profile child-modprobe-nvidia flags=(attach_disconnected) {
  capability fsetid,
  capability mknod,
  capability sys_admin,
+  capability syslog,

  @{exec_path} mr,

--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -57,11 +57,6 @@ profile xdg-desktop-portal-gtk @{exec_path} {

  owner /var/lib/xkb/server-@{int}.xkm rw,

-  owner @{HOME}/ r,
-  owner @{HOME}/.* r,
-  owner @{HOME}/.icons/{,**} r,
-  owner @{HOME}/@{XDG_DATA_DIR}/ r,
-
  owner @{tmp}/runtime-*/xauth_@{rand6} r,

  @{run}/mount/utab r,
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -94,6 +94,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {

  owner @{HOME}/.pam_environment r,

+        @{run}/cockpit/inactive.motd r,
  owner @{run}/systemd/seats/seat@{int} r,
  owner @{run}/user/@{uid}/keyring/control rw,

--- a/apparmor.d/groups/gnome/gsd-printer
+++ b/apparmor.d/groups/gnome/gsd-printer
@ -19,7 +19,7 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) {

  #aa:dbus own bus=system name=com.redhat.NewPrinterNotification
  #aa:dbus own bus=system name=com.redhat.PrinterDriversInstaller
-  
+
  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@ -49,6 +49,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
  /etc/fstab r,

  # Mount points
+  @{MOUNTS}/ r,
  @{MOUNTS}/**/ r,
  @{HOME}/**/ r,

--- a/apparmor.d/groups/kde/kstart
+++ b/apparmor.d/groups/kde/kstart
@ -13,8 +13,9 @@ profile kstart @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-accessibility>
  include <abstractions/dri>
  include <abstractions/fontconfig-cache-read>
-  include <abstractions/kde-strict>
  include <abstractions/kde-open5>
+  include <abstractions/kde-strict>
+  include <abstractions/mesa>
  include <abstractions/nameservice-strict>

  @{exec_path} mr,
@ -22,7 +23,6 @@ profile kstart @{exec_path} flags=(attach_disconnected) {
  @{bin}/** rPUx,
  @{bin}/konsole rPx,

-  owner @{user_cache_dirs}/mesa_shader_cache/index rw,
  owner @{user_share_dirs}/kservices{5,6}/ r,
  owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r,

--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@ -44,7 +44,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
  #aa:dbus own bus=system name=org.freedesktop.NetworkManager

  #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher
-  #aa:dbus talk bus=system name=org.freedesktop.resolve1.Manager label=systemd-resolved
+  #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved

  dbus receive bus=system path=/org/freedesktop
       interface=org.freedesktop.DBus.ObjectManager
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@ -23,40 +23,18 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
  @{exec_path} rmix,

  @{sh_path}                 rix,
-  @{bin}/{m,g,}awk           rix,
+  @{coreutils_path}          rix,
  @{bin}/bsdtar              rix,
-  @{bin}/cat                 rix,
-  @{bin}/cp                  rix,
-  @{bin}/dd                  rix,
-  @{bin}/dirname             rix,
  @{bin}/fc-match            rix,
-  @{bin}/find                rix,
  @{bin}/findmnt             rPx,
  @{bin}/fsck                rix,
  @{bin}/getent              rix,
-  @{bin}/grep                rix,
  @{bin}/gzip                rix,
  @{bin}/hexdump             rix,
-  @{bin}/install             rix,
  @{bin}/ldconfig            rix,
  @{bin}/ldd                 rix,
-  @{bin}/ln                  rix,
  @{bin}/loadkeys            rix,
-  @{bin}/mktemp              rix,
-  @{bin}/mv                  rix,
-  @{bin}/od                  rix,
-  @{bin}/readlink            rix,
-  @{bin}/realpath            rix,
-  @{bin}/rm                  rix,
-  @{bin}/sed                 rix,
-  @{bin}/sort                rix,
-  @{bin}/stat                rix,
-  @{bin}/sync                rix,
-  @{bin}/tee                 rix,
-  @{bin}/touch               rix,
  @{bin}/tput                rix,
-  @{bin}/uname               rix,
-  @{bin}/xargs               rix,
  @{bin}/xz                  rix,
  @{bin}/zcat                rix,
  @{bin}/zstd                rix,
@ -106,9 +84,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {

  # Temp files
  owner @{run}/initramfs/{,**} rw,
-  owner @{run}/mkinitcpio.@{rand6}/{,**} rw,
+  owner @{run}/mkinitcpio.@{rand6}/{,**} rwl,
  owner @{tmp}/mkinitcpio.@{rand6} rw,
-  owner @{tmp}/mkinitcpio.@{rand6}/{,**} rw,
+  owner @{tmp}/mkinitcpio.@{rand6}/{,**} rwl,
+  owner @{run}/initcpio-tmp/mkinitcpio.@{rand6}/{,**} rwl,

  @{sys}/class/block/ r,
  @{sys}/devices/{,**} r,
--- a/apparmor.d/profiles-a-f/borg
+++ b/apparmor.d/profiles-a-f/borg
@ -16,8 +16,6 @@ profile borg @{exec_path} {

  capability dac_override,
  capability dac_read_search,
-  capability fowner,
-  capability sys_admin,

  network inet dgram,
  network inet6 dgram,
@ -77,6 +75,7 @@ profile borg @{exec_path} {
  owner /var/tmp/tmp*/idx rw,

  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/stat r,

  /dev/fuse rw,

@ -103,8 +102,8 @@ profile borg @{exec_path} {

    capability sys_admin,

-    mount fstype=fuse borgfs -> @{MOUNTS}/,
-    mount fstype=fuse borgfs -> @{MOUNTS}/*/,
+    mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/,
+    mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/*/,

    umount @{MOUNTS}/,
    umount @{MOUNTS}/*/,
--- a/apparmor.d/profiles-a-f/flatpak-session-helper
+++ b/apparmor.d/profiles-a-f/flatpak-session-helper
@ -25,7 +25,7 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) {
  @{bin}/flatpak                       rPx,
  @{bin}/ps                            rPx,
  @{bin}/p11-kit                       rix,
-  @{bin}/pkexec                        rPx,
+  @{bin}/pkexec                        rPx, # TODO: too wide, rCx.
  @{lib}/p11-kit/p11-kit-remote        rix,
  @{lib}/p11-kit/p11-kit-server        rix,
  /var/lib/flatpak/app/*/**/@{bin}/**  rPx -> flatpak-app,
--- a/apparmor.d/profiles-a-f/fwupdmgr
+++ b/apparmor.d/profiles-a-f/fwupdmgr
@ -61,6 +61,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {

    owner @{HOME}/.Xauthority r,

+    include if exists <local/fwupdmgr_dbus>
  }

  include if exists <local/fwupdmgr>
--- a/apparmor.d/profiles-m-r/pam-tmpdir-helper
+++ b/apparmor.d/profiles-m-r/pam-tmpdir-helper
@ -19,6 +19,7 @@ profile pam-tmpdir-helper @{exec_path} {
  owner @{tmp}/ rw,

  /dev/ptmx rw,
+  /dev/tty@{int} rw,

  include if exists <local/pam-tmpdir-helper>
 }
--- a/apparmor.d/profiles-s-z/syncthing
+++ b/apparmor.d/profiles-s-z/syncthing
@ -38,8 +38,10 @@ profile syncthing @{exec_path} {

  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

-  @{PROC}/sys/net/core/somaxconn r,
-  @{PROC}/@{pids}/net/route r,
+        @{PROC}/@{pids}/net/route r,
+        @{PROC}/sys/net/core/somaxconn r,
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/mountinfo r,

  include if exists <local/syncthing>
 }
--- a/apparmor.d/profiles-s-z/xdpyinfo
+++ b/apparmor.d/profiles-s-z/xdpyinfo
@ -10,13 +10,9 @@ include <tunables/global>
@{exec_path} = @{bin}/xdpyinfo
 profile xdpyinfo @{exec_path} {
  include <abstractions/base>
+  include <abstractions/X-strict>

  @{exec_path} mr,

-  owner @{HOME}/.Xauthority r,
-
-  # file_inherit
-  owner @{HOME}/.xsession-errors w,
-
  include if exists <local/xdpyinfo>
 }