feat(profiles): ensure gpg stays confined.

2025-01-29 22:35:15 +01:00 · 2023-03-12 15:33:21 +00:00 · 2023-03-12 15:33:21 +00:00 · 25e2d9d1f4
commit 25e2d9d1f4
parent 3349dbda7f
4 changed files with 4 additions and 4 deletions
--- a/apparmor.d/groups/gnome/seahorse
+++ b/apparmor.d/groups/gnome/seahorse
@ -39,7 +39,7 @@ profile seahorse @{exec_path} {
  @{exec_path} mr,

  /{usr/,}bin/gpgconf  rPx,
-  /{usr/,}bin/gpg{,2}  rUx,
+  /{usr/,}bin/gpg{,2}  rPx,
  /{usr/,}bin/gpgsm    rPx,

  # freedesktop.org-strict
--- a/apparmor.d/groups/gpg/gpgconf
+++ b/apparmor.d/groups/gpg/gpgconf
@ -18,7 +18,7 @@ profile gpgconf @{exec_path} {
  @{exec_path} mrix,

  /{usr/,}bin/gpg-connect-agent rPx,
-  /{usr/,}bin/gpg{,2}               rPUx,
+  /{usr/,}bin/gpg{,2}           rPx,
  /{usr/,}bin/gpg-agent         rPx,
  /{usr/,}bin/dirmngr           rPx,
  /{usr/,}bin/gpgsm             rPx,
--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
@ -20,7 +20,7 @@ profile aurpublish @{exec_path} {
  /{usr/,}bin/date        rix,
  /{usr/,}bin/gettext     rix,
  /{usr/,}bin/git         rPx,
-  /{usr/,}bin/gpg{,2}     rPUx,
+  /{usr/,}bin/gpg{,2}     rPx,
  /{usr/,}bin/grep        rix,
  /{usr/,}bin/makepkg     rix,
  /{usr/,}bin/mkdir       rix,
--- a/apparmor.d/profiles-a-f/browserpass
+++ b/apparmor.d/profiles-a-f/browserpass
@ -15,7 +15,7 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  /{usr/,}bin/gpg{,2} rUx,
+  /{usr/,}bin/gpg{,2} rPx,

  owner @{HOME}/.password-store/{,**} r,
  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/.parentlock rw,