feat(profile): general update.

2025-01-30 14:55:15 +01:00 · 2024-05-03 18:16:12 +01:00 · 2024-05-03 18:16:12 +01:00 · 40abc98201
commit 40abc98201
parent b636b4b3e9
17 changed files with 31 additions and 48 deletions
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@ -159,14 +159,14 @@
  owner @{tmp}/tmp.*/ rw,
  owner @{tmp}/tmp.*/** rwk,

+  owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw,
+  owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw,
+
        /dev/shm/ r,
  owner /dev/shm/.@{domain}* rw,

  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*

-  owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw,
-  owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw,
-
  @{sys}/bus/ r,
  @{sys}/bus/**/devices/ r,
  @{sys}/class/**/ r,
--- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
@ -14,17 +14,17 @@

  dbus send bus=system path=/org/freedesktop/RealtimeKit1
       interface=org.freedesktop.RealtimeKit1
-       member={MakeThreadRealtime,MakeThreadHighPriority}
+       member=MakeThread*
       peer=(name=:*, label=rtkit-daemon),

  dbus send bus=system path=/org/freedesktop/RealtimeKit1
       interface=org.freedesktop.RealtimeKit1
-       member={MakeThreadRealtime,MakeThreadHighPriority}
+       member=MakeThread*
       peer=(name=org.freedesktop.RealtimeKit1),

  dbus send bus=system path=/org/freedesktop/RealtimeKit1
       interface=org.freedesktop.RealtimeKit1
-       member=MakeThreadRealtimeWithPID
+       member=MakeThread*
       peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon),

  include if exists <abstractions/bus/org.freedesktop.RealtimeKit1.d>
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -48,7 +48,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {

  unix (bind) type=stream addr=@@{hex}/bus/gdm-session-wor/system,

-  #aa:dbus talk bus=system name=org.freedesktop.Accounts.User label=accounts-daemon
+  #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon

  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -39,11 +39,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
       interface=org.freedesktop.DBus.Properties
       peer=(name=:*, label=gnome-shell),

-  dbus send bus=session path=/org/gnome/ScreenSaver
-       interface=org.gnome.ScreenSaver
-       member=GetActive
-       peer=(name=org.gnome.Shell.ScreenShield, label=gnome-shell),
-
  dbus send bus=session path=/org/gnome/Shell
       interface=org.freedesktop.DBus.Properties
       member=GetAll
--- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
+++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
@ -11,6 +11,7 @@ profile gnome-remote-desktop-daemon @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.PolicyKit1>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
@ -19,6 +20,7 @@ profile gnome-remote-desktop-daemon @{exec_path} {
  network inet6 stream,

  #aa:dbus own bus=session name=org.gnome.RemoteDesktop.User
+  #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm

  @{exec_path} mr,

--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = @{bin}/gnome-shell
 profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
-  include <abstractions/app-launcher-user>
  include <abstractions/audio-client>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
@ -20,13 +19,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.Accounts>
  include <abstractions/bus/org.freedesktop.background.Monitor>
-  include <abstractions/bus/org.freedesktop.ColorManager>
  include <abstractions/bus/org.freedesktop.FileManager1>
  include <abstractions/bus/org.freedesktop.GeoClue2>
  include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
  include <abstractions/bus/org.freedesktop.locale1>
  include <abstractions/bus/org.freedesktop.login1.Session>
-  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.Notifications>
  include <abstractions/bus/org.freedesktop.PackageKit>
@ -89,10 +86,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  # Talk with gnome-shell

  #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
-  #aa:dbus talk bus=system name=org.freedesktop.login1.Manager label=systemd-logind
+  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
  #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm

  #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
+  #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console
  #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary
  #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-*

@ -208,6 +206,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  /usr/share/wayland-sessions/{,*.desktop} r,
  /usr/share/xml/iso-codes/{,**} r,

+  / r,
  /.flatpak-info r,
  /etc/fstab r,
  /etc/timezone r,
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@ -29,7 +29,7 @@ profile gnome-software @{exec_path} {
  @{exec_path} mr,

  @{bin}/baobab              rPUx,
-  @{bin}/bwrap               rPUx,
+  @{bin}/bwrap               rPx -> flatpak-app,
  @{bin}/fusermount{,3}      rCx -> fusermount,
  @{bin}/gpg{,2}             rCx -> gpg,
  @{bin}/gpgconf             rCx -> gpg,
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -25,7 +25,7 @@ profile gnome-terminal-server @{exec_path} {
  ptrace (read) peer=htop,
  ptrace (read) peer=unconfined,

-  #aa:dbus own bus=session name=org.gnome.Terminal
+  #aa:dbus own bus=session name=org.gnome.Terminal interface=org.gtk.Actions

  dbus receive bus=session path=/org/gnome/Terminal/SearchProvider
       interface=org.gnome.Shell.SearchProvider2
--- a/apparmor.d/groups/gnome/mutter-x11-frames
+++ b/apparmor.d/groups/gnome/mutter-x11-frames
@ -18,7 +18,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) {
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>

-  signal (receive) set=(term) peer=gdm,
+  signal (receive) set=(hup term) peer=gdm{,-session-worker},

  @{exec_path} mr,

--- a/apparmor.d/groups/gvfs/gvfsd-trash
+++ b/apparmor.d/groups/gvfs/gvfsd-trash
@ -24,7 +24,7 @@ profile gvfsd-trash @{exec_path} {
  dbus receive bus=session path=/org/gtk/vfs/Daemon
       interface=org.gtk.vfs.Daemon
       member=GetConnection
-       peer=(name=:*, label=gnome-shell),
+       peer=(name=:*, label="{gnome-shell,nautilus}"),

  dbus receive bus=session path=/org/gtk/vfs/mountable
       interface=org.gtk.vfs.Mountable
--- a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
+++ b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
@ -20,11 +20,11 @@ profile archlinux-keyring-wkd-sync @{exec_path} {

  @{exec_path} mr,

+  @{sh_path}          rix,
  @{bin}/{m,g,}awk    rix,
-  @{bin}/bash         rix,
  @{bin}/dirmngr      rix,
-  @{bin}/gpg{,2}      rix,
  @{bin}/gpg-agent    rix,
+  @{bin}/gpg{,2}      rix,
  @{bin}/pacman-conf  rix,

  /etc/pacman.conf r,
--- a/apparmor.d/profiles-g-l/kanyremote
+++ b/apparmor.d/profiles-g-l/kanyremote
@ -101,6 +101,7 @@ profile kanyremote @{exec_path} {

    /usr/share/anyremote/{,**} r,

+    include if exists <local/kanyremote_pgrep>
  }

  include if exists <local/kanyremote>
--- a/apparmor.d/profiles-m-r/passimd
+++ b/apparmor.d/profiles-m-r/passimd
@ -29,6 +29,8 @@ profile passimd @{exec_path} flags=(attach_disconnected) {
  /var/lib/passim/{,**} r,
  /var/lib/passim/data/{,**} rw,

+  owner /var/log/passim/* rw,
+
  @{PROC}/@{pid}/cmdline r,

  include if exists <local/passimd>
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@ -31,19 +31,7 @@ profile snap @{exec_path} {
  #aa:dbus own bus=session name=io.snapcraft.Launcher
  #aa:dbus own bus=session name=io.snapcraft.Settings

-  dbus send bus=session path=/org/freedesktop/systemd1
-       interface=org.freedesktop.systemd1.Manager
-       member=StartTransientUnit
-       peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),
-
-  dbus receive bus=system path=/org/freedesktop/systemd1
-       interface=org.freedesktop.systemd1.Manager
-       member=JobRemoved
-       peer=(name=:*, label="@{p_systemd}"),
-  dbus receive bus=session path=/org/freedesktop/systemd1
-       interface=org.freedesktop.systemd1.Manager
-       member=JobRemoved
-       peer=(name=:*, label="@{p_systemd_user}"),
+  #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"

  dbus send bus=session path=/org/freedesktop/portal/documents
       interface=org.freedesktop.portal.Documents
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@ -19,12 +19,10 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.RealtimeKit1>
  include <abstractions/bus/org.gnome.Mutter.DisplayConfig>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
-  include <abstractions/dri>
+  include <abstractions/graphics>
  include <abstractions/fontconfig-cache-write>
-  include <abstractions/fonts>
-  include <abstractions/gtk>
+  include <abstractions/desktop>
  include <abstractions/nameservice-strict>
-  include <abstractions/X-strict>

  dbus send bus=session path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.portal.Realtime
--- a/apparmor.d/profiles-s-z/ssurl
+++ b/apparmor.d/profiles-s-z/ssurl
@ -14,7 +14,7 @@ profile ssurl @{exec_path} {
  include <abstractions/consoles>

  capability dac_read_search,
-  deny capability dac_override,
+  capability dac_override,

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/vsftpd
+++ b/apparmor.d/profiles-s-z/vsftpd
@ -10,13 +10,10 @@ include <tunables/global>
@{exec_path} = @{bin}/vsftpd
 profile vsftpd @{exec_path} {
  include <abstractions/base>
-  include <abstractions/nameservice>
-
-  # Only for local users authentication
  include <abstractions/authentication>
-
-  # For libwrap (TCP Wrapper) support (tcp_wrappers=YES)
  include <abstractions/hosts_access>
+  include <abstractions/nameservice>
+  include <abstractions/wutmp>

  # To be able to listen on ports < 1024
  capability net_bind_service,
@ -43,7 +40,8 @@ profile vsftpd @{exec_path} {
  capability net_admin,
  capability dac_read_search,
  # If session_support=YES, vsftpd will also try and update utmp and wtmp
-  include <abstractions/wutmp>
+
+  @{exec_path} mr,

  # To validate allowed users shells
  /etc/shells r,