From 2bea426d278cf935bff3e5df767d5c132e799ec9 Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Fri, 3 Jun 2022 23:00:08 +0300
Subject: [PATCH] polishing

---
 apparmor.d/groups/apps/vlc | 1 +
 apparmor.d/groups/freedesktop/polkit-agent-helper | 13 ++++++++++++-
 apparmor.d/groups/freedesktop/polkitd | 9 +++++----
 apparmor.d/profiles-m-r/pkexec | 6 +++---
 4 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc
index fffbd401..4cabe624 100644
--- a/apparmor.d/groups/apps/vlc
+++ b/apparmor.d/groups/apps/vlc
@@ -118,6 +118,7 @@ profile vlc @{exec_path} {
 owner @{user_config_dirs}/qt5ct/{,**} r,
 /usr/share/qt5ct/** r,
+ /dev/snd/ r,
 /dev/shm/#[0-9]*[0-9] rw,
 deny owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper
index 4e9e67fe..4285ad4d 100644
--- a/apparmor.d/groups/freedesktop/polkit-agent-helper
+++ b/apparmor.d/groups/freedesktop/polkit-agent-helper
@@ -35,7 +35,18 @@ profile polkit-agent-helper @{exec_path} {
 owner @{HOME}/.xsession-errors w,
 @{run}/faillock/[a-zA-z0-9]* rwk,
- @{run}/systemd/userdb/io.systemd.DynamicUser w,
+
+ # DBus
+ @{run}/dbus/system_bus_socket rw,
+
+ dbus send
+ bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{Hello,AddMatch,StartServiceByName,GetNameOwner}" peer=(name="org.freedesktop.DBus"),
+
+ dbus send
+ bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"),
+
+ dbus send
+ bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="AuthenticationAgentResponse2" peer=(name=":*"),
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd
index 735532d1..cef1ed60 100644
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
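Review bot: The new `/dev/snd/ r,` rule grants only a directory listing of /dev/snd, not access to the device nodes beneath it, and it carries no comment saying why VLC needs the listing; placed between the qt5ct rules and /dev/shm it also reads as unrelated to its neighbours. A one-line why-comment such as `# enumerate ALSA devices` (adjusted to the actual reason) would keep a later maintainer from "fixing" it into a broader `/dev/snd/** rw,`. The enclosing profile vlc starts and ends outside the hunk.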
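Review bot: The new `AuthenticationAgentResponse2` send rule uses `peer=(name=":*")`, while the polkitd profile in this same patch binds the well-known name `org.freedesktop.PolicyKit1`; if the helper addresses polkitd by that well-known name the peer could be narrowed to `peer=(name="org.freedesktop.PolicyKit1")`, and if it resolves the unique name first (which the `GetNameOwner` member in the first rule suggests) a comment stating that `:*` is required would stop the next reader from tightening it. The `StartServiceByName` member in the same org.freedesktop.DBus rule also lets the helper trigger activation of any activatable system service, not just polkitd; if it is only there to get the authority started, a comment saying so belongs next to it. The enclosing profile polkit-agent-helper starts outside the hunk.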
@@ -53,8 +53,6 @@ profile polkitd @{exec_path} {
 @{run}/systemd/sessions/* r,
 @{run}/systemd/users/@{uid} r,
- @{run}/systemd/userdb/io.systemd.DynamicUser w,
- @{run}/systemd/userdb/io.systemd.Machine rw,
 # Silencer
 deny /.cache/ rw,
@@ -67,10 +65,13 @@ profile polkitd @{exec_path} {
 bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"),
 dbus send
- bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" peer=(name="{org.freedesktop.DBus,:*}"),
+ bus="system" path="/org/freedesktop/PolicyKit1{,/**}" interface="org.freedesktop.PolicyKit1{,.**}" peer=(name="{org.freedesktop.DBus,:*}"),
+
+ dbus send
+ bus="system" path="/org/gnome/PolicyKit1/AuthenticationAgent" interface="org.freedesktop.PolicyKit1.AuthenticationAgent" peer=(name=":*"),
 dbus receive
- bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="{EnumerateActions,CheckAuthorization,CancelCheckAuthorization,RegisterAuthenticationAgent}" peer=(name=":*"),
+ bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="{EnumerateActions,CheckAuthorization,CancelCheckAuthorization,RegisterAuthenticationAgent,AuthenticationAgentResponse2}" peer=(name=":*"),
 dbus bind
 bus="system" name="org.freedesktop.PolicyKit1",
diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec
index 2c5932f4..9033252a 100644
--- a/apparmor.d/profiles-m-r/pkexec
+++ b/apparmor.d/profiles-m-r/pkexec
@@ -10,9 +10,9 @@ include
 profile pkexec @{exec_path} flags=(complain) {
 include
 include
- include
- include
 include
+ include
+ include
 signal (send) set=(term, kill) peer=polkit-agent-helper,
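Review bot: The new send rule to `path="/org/gnome/PolicyKit1/AuthenticationAgent"` hard-codes the GNOME agent's object path and has no `member=` restriction, while the receive rule below it shows agents registering themselves through RegisterAuthenticationAgent, which implies the object path is chosen by the agent and a non-GNOME agent would presumably be denied here; a comment such as `# GNOME agent only; other agents register their own object paths` (or a path glob covering them) would make that explicit. If polkitd only calls the agent's BeginAuthentication and CancelAuthentication, the line could be narrowed to `bus="system" path="/org/gnome/PolicyKit1/AuthenticationAgent" interface="org.freedesktop.PolicyKit1.AuthenticationAgent" member="{BeginAuthentication,CancelAuthentication}" peer=(name=":*"),`. The widened rule just above it (`PolicyKit1{,/**}` / `PolicyKit1{,.**}`) likewise now covers every object and interface under PolicyKit1 with no `member=` and no comment saying which calls made the wider match necessary. The enclosing profile polkitd starts and ends outside the hunk.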
@@ -53,7 +53,7 @@ profile pkexec @{exec_path} flags=(complain) {
 owner /dev/tty[0-9]* rw,
 owner @{HOME}/.xsession-errors w,
- # DBus
+ # DBus stricter
 @{run}/dbus/system_bus_socket rw,
 dbus send
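Review bot: `# DBus stricter` says that something is stricter but not what, nor relative to what, which is the one thing a later reader of this section needs; a comment that names the restriction, along the lines of `# DBus: system bus only, authority calls limited to the members listed below`, adjusted to whatever the rules that follow actually restrict, would carry that information. The dbus rules this comment introduces continue outside the hunk, and the enclosing profile pkexec starts and ends outside it.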