feat(profile): general update.

2025-01-30 14:55:15 +01:00 · 2024-05-03 18:16:12 +01:00 · 2024-05-03 18:16:12 +01:00 · 40abc98201
commit 40abc98201
parent b636b4b3e9
17 changed files with 31 additions and 48 deletions
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@ -159,14 +159,14 @@
  owner @{tmp}/tmp.*/ rw,
  owner @{tmp}/tmp.*/** rwk,
  owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw,
  owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw,
        /dev/shm/ r,
  owner /dev/shm/.@{domain}* rw,
  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
  owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw,
  owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw,
  @{sys}/bus/ r,
  @{sys}/bus/**/devices/ r,
  @{sys}/class/**/ r,
--- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
@ -14,17 +14,17 @@
  dbus send bus=system path=/org/freedesktop/RealtimeKit1
       interface=org.freedesktop.RealtimeKit1
-       member={MakeThreadRealtime,MakeThreadHighPriority}
+       member=MakeThread*
       peer=(name=:*, label=rtkit-daemon),
  dbus send bus=system path=/org/freedesktop/RealtimeKit1
       interface=org.freedesktop.RealtimeKit1
-       member={MakeThreadRealtime,MakeThreadHighPriority}
+       member=MakeThread*
       peer=(name=org.freedesktop.RealtimeKit1),
  dbus send bus=system path=/org/freedesktop/RealtimeKit1
       interface=org.freedesktop.RealtimeKit1
-       member=MakeThreadRealtimeWithPID
+       member=MakeThread*
       peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon),
  include if exists <abstractions/bus/org.freedesktop.RealtimeKit1.d>
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -48,7 +48,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  unix (bind) type=stream addr=@@{hex}/bus/gdm-session-wor/system,
-  #aa:dbus talk bus=system name=org.freedesktop.Accounts.User label=accounts-daemon
+  #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -39,11 +39,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
       interface=org.freedesktop.DBus.Properties
       peer=(name=:*, label=gnome-shell),
  dbus send bus=session path=/org/gnome/ScreenSaver
       interface=org.gnome.ScreenSaver
       member=GetActive
       peer=(name=org.gnome.Shell.ScreenShield, label=gnome-shell),
  dbus send bus=session path=/org/gnome/Shell
       interface=org.freedesktop.DBus.Properties
       member=GetAll
--- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
+++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
@ -11,6 +11,7 @@ profile gnome-remote-desktop-daemon @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.PolicyKit1>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
@ -19,6 +20,7 @@ profile gnome-remote-desktop-daemon @{exec_path} {
  network inet6 stream,
  #aa:dbus own bus=session name=org.gnome.RemoteDesktop.User
  #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = @{bin}/gnome-shell
 profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
  include <abstractions/app-launcher-user>
  include <abstractions/audio-client>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
@ -20,13 +19,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.Accounts>
  include <abstractions/bus/org.freedesktop.background.Monitor>
  include <abstractions/bus/org.freedesktop.ColorManager>
  include <abstractions/bus/org.freedesktop.FileManager1>
  include <abstractions/bus/org.freedesktop.GeoClue2>
  include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
  include <abstractions/bus/org.freedesktop.locale1>
  include <abstractions/bus/org.freedesktop.login1.Session>
  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.Notifications>
  include <abstractions/bus/org.freedesktop.PackageKit>
@ -89,10 +86,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  # Talk with gnome-shell
  #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
-  #aa:dbus talk bus=system name=org.freedesktop.login1.Manager label=systemd-logind
+  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
  #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
  #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
  #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console
  #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary
  #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-*
@ -208,6 +206,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  /usr/share/wayland-sessions/{,*.desktop} r,
  /usr/share/xml/iso-codes/{,**} r,
  / r,
  /.flatpak-info r,
  /etc/fstab r,
  /etc/timezone r,
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@ -29,7 +29,7 @@ profile gnome-software @{exec_path} {
  @{exec_path} mr,
  @{bin}/baobab              rPUx,
-  @{bin}/bwrap               rPUx,
+  @{bin}/bwrap               rPx -> flatpak-app,
  @{bin}/fusermount{,3}      rCx -> fusermount,
  @{bin}/gpg{,2}             rCx -> gpg,
  @{bin}/gpgconf             rCx -> gpg,
@ -61,7 +61,7 @@ profile gnome-software @{exec_path} {
  /var/lib/flatpak/appstream/{,**} r,
  /var/lib/flatpak/repo/{,**} r,
  /var/lib/flatpak/runtime/{,**} r,
-  
+
  /var/lib/PackageKit/offline-update-competed r,
  /var/lib/PackageKit/prepared-update r,
  /var/lib/swcatalog/icons/**.png r,
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -25,7 +25,7 @@ profile gnome-terminal-server @{exec_path} {
  ptrace (read) peer=htop,
  ptrace (read) peer=unconfined,
-  #aa:dbus own bus=session name=org.gnome.Terminal
+  #aa:dbus own bus=session name=org.gnome.Terminal interface=org.gtk.Actions
  dbus receive bus=session path=/org/gnome/Terminal/SearchProvider
       interface=org.gnome.Shell.SearchProvider2
--- a/apparmor.d/groups/gnome/mutter-x11-frames
+++ b/apparmor.d/groups/gnome/mutter-x11-frames
@ -18,7 +18,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) {
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
-  signal (receive) set=(term) peer=gdm,
+  signal (receive) set=(hup term) peer=gdm{,-session-worker},
  @{exec_path} mr,
--- a/apparmor.d/groups/gvfs/gvfsd-trash
+++ b/apparmor.d/groups/gvfs/gvfsd-trash
@ -24,7 +24,7 @@ profile gvfsd-trash @{exec_path} {
  dbus receive bus=session path=/org/gtk/vfs/Daemon
       interface=org.gtk.vfs.Daemon
       member=GetConnection
-       peer=(name=:*, label=gnome-shell),
+       peer=(name=:*, label="{gnome-shell,nautilus}"),
  dbus receive bus=session path=/org/gtk/vfs/mountable
       interface=org.gtk.vfs.Mountable
--- a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
+++ b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
@ -20,11 +20,11 @@ profile archlinux-keyring-wkd-sync @{exec_path} {
  @{exec_path} mr,
  @{sh_path}          rix,
  @{bin}/{m,g,}awk    rix,
  @{bin}/bash         rix,
  @{bin}/dirmngr      rix,
  @{bin}/gpg{,2}      rix,
  @{bin}/gpg-agent    rix,
  @{bin}/gpg{,2}      rix,
  @{bin}/pacman-conf  rix,
  /etc/pacman.conf r,
--- a/apparmor.d/profiles-g-l/kanyremote
+++ b/apparmor.d/profiles-g-l/kanyremote
@ -101,6 +101,7 @@ profile kanyremote @{exec_path} {
    /usr/share/anyremote/{,**} r,
    include if exists <local/kanyremote_pgrep>
  }
  include if exists <local/kanyremote>
--- a/apparmor.d/profiles-m-r/passimd
+++ b/apparmor.d/profiles-m-r/passimd
@ -29,6 +29,8 @@ profile passimd @{exec_path} flags=(attach_disconnected) {
  /var/lib/passim/{,**} r,
  /var/lib/passim/data/{,**} rw,
  owner /var/log/passim/* rw,
  @{PROC}/@{pid}/cmdline r,
  include if exists <local/passimd>
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@ -31,19 +31,7 @@ profile snap @{exec_path} {
  #aa:dbus own bus=session name=io.snapcraft.Launcher
  #aa:dbus own bus=session name=io.snapcraft.Settings
-  dbus send bus=session path=/org/freedesktop/systemd1
+  #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"
       interface=org.freedesktop.systemd1.Manager
       member=StartTransientUnit
       peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),
  dbus receive bus=system path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=JobRemoved
       peer=(name=:*, label="@{p_systemd}"),
  dbus receive bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=JobRemoved
       peer=(name=:*, label="@{p_systemd_user}"),
  dbus send bus=session path=/org/freedesktop/portal/documents
       interface=org.freedesktop.portal.Documents
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@ -19,12 +19,10 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.RealtimeKit1>
  include <abstractions/bus/org.gnome.Mutter.DisplayConfig>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
-  include <abstractions/dri>
+  include <abstractions/graphics>
  include <abstractions/fontconfig-cache-write>
-  include <abstractions/fonts>
+  include <abstractions/desktop>
  include <abstractions/gtk>
  include <abstractions/nameservice-strict>
  include <abstractions/X-strict>
  dbus send bus=session path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.portal.Realtime
--- a/apparmor.d/profiles-s-z/ssurl
+++ b/apparmor.d/profiles-s-z/ssurl
@ -13,8 +13,8 @@ profile ssurl @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
-       capability dac_read_search,
+  capability dac_read_search,
-  deny capability dac_override,
+  capability dac_override,
  @{exec_path} mr,
--- a/apparmor.d/profiles-s-z/vsftpd
+++ b/apparmor.d/profiles-s-z/vsftpd
@ -10,13 +10,10 @@ include <tunables/global>
@{exec_path} = @{bin}/vsftpd
 profile vsftpd @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice>
  # Only for local users authentication
  include <abstractions/authentication>
  # For libwrap (TCP Wrapper) support (tcp_wrappers=YES)
  include <abstractions/hosts_access>
  include <abstractions/nameservice>
  include <abstractions/wutmp>
  # To be able to listen on ports < 1024
  capability net_bind_service,
@ -43,7 +40,8 @@ profile vsftpd @{exec_path} {
  capability net_admin,
  capability dac_read_search,
  # If session_support=YES, vsftpd will also try and update utmp and wtmp
-  include <abstractions/wutmp>
+
  @{exec_path} mr,
  # To validate allowed users shells
  /etc/shells r,