feat(profile): various improvements and update.

This commit is contained in:
Alexandre Pujol 2024-12-25 00:05:36 +01:00
parent 57ddfd29ce
commit 2560e9645f
20 changed files with 22 additions and 16 deletions


@ -58,6 +58,8 @@ profile gnome-session @{exec_path} {
/etc/X11/xinit/xinputrc r,
/etc/X11/Xsession.d/*im-config_launch r,
owner @{HOME}/ r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/loginuid r,


@ -39,6 +39,7 @@ profile gnome-software @{exec_path} {
/usr/share/app-info/{,**} r,
/usr/share/appdata/{,**} r,
/usr/share/flatpak/remotes.d/ r,
/usr/share/metainfo/{,**} r,
/usr/share/swcatalog/{,**} r,
/usr/share/xml/iso-codes/{,**} r,


@ -59,6 +59,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/@{uuid} rw,
owner @{tmp}/talpid-openvpn-@{uuid} rw,
@{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw,
@{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
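Review bot: The new `@{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw,` and `@{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,` rules grant write access to host-wide sysctls with no comment on why the daemon has to change them, and unlike the neighbouring `owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,` rule they carry neither `owner` nor a read-only mode. If writes are really required (plausible for tunnel route setup, but that is inferred, not shown here), a one-line comment above the pair such as `# Written during tunnel setup: <reason> — TODO confirm` would document the intent; if only reads are needed, `r` is the least-privilege mode and keeps the block consistent with the `disable_ipv6` rule. Which of the rules in this hunk is the pre-existing one is not recoverable from the rendered view, and the profile body continues outside the hunk.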


@ -44,6 +44,7 @@ profile pacman-hook-systemd @{exec_path} {
include <abstractions/app/systemctl>
capability net_admin,
capability sys_resource,
signal send set=term peer=systemd-tty-ask-password-agent,
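Review bot: A `capability` rule (`capability net_admin,` or `capability sys_resource,`; the rendered view does not show which is the added line) is introduced into a pacman hook profile without a comment naming the systemctl operation that needs it. Both are broad capabilities for a package-manager hook, so a justification above the rule, e.g. `# Needed by <systemctl operation that requires this> — TODO confirm`, would let a later reviewer judge whether it can be dropped or scoped to the included `abstractions/app/systemctl`. The rest of the profile body is outside the hunk.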


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/bootctl
profile bootctl @{exec_path} {
profile bootctl @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-read>
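Review bot: `flags=(attach_disconnected)` is added to the `profile bootctl @{exec_path}` header (and by the same one-line change to busctl, systemd-backlight, systemd-cryptsetup, systemd-generator-user-autostart, systemd-generator-user-environment, systemd-journald, systemd-machined, systemd-random-seed, systemd-update-done, systemd-update-utmp, systemd-user-runtime-dir and systemd-user-sessions in the later sections) without any record of which disconnected-path denial it resolves. The flag makes objects whose path is disconnected from the namespace root be mediated as if rooted at `/`, so every existing path rule in the profile now also matches such objects; that is commonly needed for helpers running in private mount namespaces, but the trigger differs per profile and cannot be inferred from the hunk. A short comment above each header, e.g. `# attach_disconnected: <operation that hit a disconnected path> — TODO confirm`, or a sentence in the commit description, would make the widening reviewable later. Each profile body continues outside its hunk.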


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/busctl
profile busctl @{exec_path} {
profile busctl @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>


@ -8,7 +8,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-backlight
profile systemd-backlight @{exec_path} {
profile systemd-backlight @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/common/systemd>


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/systemd-cryptsetup @{lib}/systemd/systemd-cryptsetup
profile systemd-cryptsetup @{exec_path} {
profile systemd-cryptsetup @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/common/systemd>
include <abstractions/disks-write>


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/systemd/user-generators/systemd-xdg-autostart-generator
profile systemd-generator-user-autostart @{exec_path} {
profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/common/systemd>
include <abstractions/nameservice-strict>


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/systemd/user-environment-generators/*
profile systemd-generator-user-environment @{exec_path} {
profile systemd-generator-user-environment @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/common/systemd>
include <abstractions/nameservice-strict>


@ -8,7 +8,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-journald
profile systemd-journald @{exec_path} {
profile systemd-journald @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/common/systemd>


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-machined
profile systemd-machined @{exec_path} {
profile systemd-machined @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/nameservice-strict>


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-random-seed
profile systemd-random-seed @{exec_path} {
profile systemd-random-seed @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/common/systemd>


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-update-done
profile systemd-update-done @{exec_path} {
profile systemd-update-done @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
capability net_admin,


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-update-utmp
profile systemd-update-utmp @{exec_path} {
profile systemd-update-utmp @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/common/systemd>
include <abstractions/wutmp>


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-user-runtime-dir
profile systemd-user-runtime-dir @{exec_path} {
profile systemd-user-runtime-dir @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.login1>


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-user-sessions
profile systemd-user-sessions @{exec_path} {
profile systemd-user-sessions @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/common/systemd>


@ -171,6 +171,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+leds:* r,
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+platform:* r,
@{run}/udev/data/+power_supply:* r,
@{run}/udev/data/+rfkill:* r,
@{run}/udev/data/+sound:card@{int} r, # For sound card
@{run}/udev/data/+thunderbolt:* r,


@ -37,8 +37,9 @@ profile flatpak-system-helper @{exec_path} {
/etc/flatpak/{,**} r,
/etc/machine-id r,
/usr/share/mime/mime.cache r,
/usr/share/flatpak/remotes.d/ r,
/usr/share/flatpak/triggers/ r,
/usr/share/mime/mime.cache r,
/var/lib/flatpak/{,**} rwkl,
/var/tmp/flatpak-cache-*/{,**} rw,
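Review bot: `/usr/share/mime/mime.cache r,` appears twice in this hunk (before and after the two `/usr/share/flatpak/` rules); the rendered view has lost the old/new markers, so this is most likely the rule being moved into sorted position, but if both copies survive on the new side the profile carries a duplicate rule. Worth confirming against the raw diff that exactly one `mime.cache` line remains; the new `/usr/share/flatpak/remotes.d/ r,` and `/usr/share/flatpak/triggers/ r,` directory reads look consistent with the surrounding rules. The profile body continues outside the hunk.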


@ -17,7 +17,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/bus/org.freedesktop.UDisks2>
include <abstractions/bus/org.freedesktop.UPower>
include <abstractions/consoles>
include <abstractions/disks-read>
include <abstractions/disks-write>
include <abstractions/fonts>
include <abstractions/nameservice-strict>
@ -129,7 +129,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
/dev/mei@{int} rw,
/dev/mem r,
/dev/mtd@{int} rw,
/dev/sd[a-z]* r,
/dev/tpm@{int} rw,
/dev/tpmrm@{int} rw,
/dev/wmi/* r,
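Review bot: The first hunk replaces `include <abstractions/disks-read>` with `include <abstractions/disks-write>` (the rendered view does not mark direction, but the removal of `/dev/sd[a-z]* r,` in the second hunk suggests disks-write is the new side), which moves fwupd from read to write access on raw block devices while the profile still runs in `complain` mode. For a daemon that already holds `/dev/mem r,` and the `/dev/tpm@{int}`, `/dev/tpmrm@{int}` and `/dev/mtd@{int}` nodes this is a meaningful widening, so a comment next to the include such as `# disks-write: <fwupd plugin or update path that writes block devices> — TODO confirm` would record why raw write is required. If `abstractions/disks-write` does not cover every node the dropped `/dev/sd[a-z]* r,` rule matched, that read will surface as a denial once the profile leaves complain mode; checking the abstraction before enforcing is advisable. The fwupd profile body continues outside both hunks.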