Adding /dev/tty[0-9]* and /dev/pts/[0-9]* to various profiles; update kded5 and reflector (#183)

* Update update-mime-database

* Update btrfs

* Update update-grub

* Update pacman-hook-depmod

* Update pacman

* Update systemd-sysusers

* Update lscpu

* Update pacman-hook-systemd

* Update pacman-hook-perl

* Update pacman-hook-gtk

* Update needrestart-iucode-scan-versions

* Update reflector

* Update kded5
curiosityseeker 2023-07-27 13:23:04 +02:00 committed by GitHub
parent 0f9b7cb474
commit 4894d6a3c4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 55 additions and 14 deletions


@ -18,6 +18,9 @@ profile update-mime-database @{exec_path} {
/usr/share/mime/{,**} rw,
/dev/tty[0-9]* rw,
owner /dev/pts/[0-9]* rw,
# Inherit silencer
deny network inet6 stream,
deny network inet stream,
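Review bot: The new `/dev/tty[0-9]* rw,` rule carries no `owner` qualifier while its companion `owner /dev/pts/[0-9]* rw,` does, so virtual consoles of any owner become writable but pseudo-terminals only those owned by the confined uid; the same pairing recurs in update-grub, pacman-hook-depmod, pacman-hook-gtk, pacman-hook-perl, pacman-hook-systemd, reflector, systemd-sysusers, btrfs, lscpu and needrestart-iucode-scan-versions. If the tty rule has to stay unqualified, a one-line comment above it naming the ownership case that fails with `owner` would stop a later cleanup from re-adding the qualifier; otherwise `owner /dev/tty[0-9]* rw,` would match the pts rule. Since the same two lines are pasted into most of the touched profiles, a shared abstraction (upstream AppArmor ships `<abstractions/consoles>` for these paths) would give a single place to adjust the qualifier.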


@ -15,5 +15,7 @@ profile update-grub @{exec_path} {
@{bin}/{,ba,da}sh rix,
@{bin}/grub-mkconfig rPx,
/dev/tty[0-9]* rw,
include if exists <local/update-grub>
}


@ -120,12 +120,17 @@ profile kded5 @{exec_path} {
@{bin}/pgrep mr,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
@{PROC}/ r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/stat r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/uptime r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/tty/drivers r,
include if exists <local/kded5_pgrep>
}
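Review bot: `@{PROC}/@{pids}/cgroup r,` appears twice in this hunk, once among the existing lines and again after `@{PROC}/uptime r,`; if both survive on the new side the second is redundant and should be dropped, and if this is a reorder the old/new pairing is lost in the rendered view, so it is worth confirming against the raw diff. This is the nested `pgrep` child profile (it closes with `include if exists <local/kded5_pgrep>`) and its header is outside the hunk.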


@ -150,7 +150,8 @@ profile pacman @{exec_path} {
@{run}/utmp rk,
owner /dev/tty[0-9]* rw,
/dev/tty[0-9]* rw,
owner /dev/pts/[0-9]* rw,
# Silencer,
deny /tmp/ r,
@ -174,7 +175,8 @@ profile pacman @{exec_path} {
@{HOME}/@{XDG_GPG_DIR}/*.conf r,
/dev/tty[0-9]* rw,
/dev/tty[0-9]* rw,
owner /dev/pts/[0-9]* rw,
deny network inet stream,
deny network inet6 stream,
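Review bot: The first hunk turns `owner /dev/tty[0-9]* rw,` into `/dev/tty[0-9]* rw,` (the two lines at its top read as the old/new pair), which widens write access from the console owned by the confined uid to every virtual console, while the adjacent `owner /dev/pts/[0-9]* rw,` keeps the qualifier; a comment recording which access failed with `owner` would justify the looser rule for the next reviewer. In the second hunk `/dev/tty[0-9]* rw,` is printed twice in a row; if that is not the rendered old/new pair of an unchanged line, the new profile text carries a duplicate rule. The enclosing `profile pacman` block starts and ends outside both hunks.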


@ -23,7 +23,9 @@ profile pacman-hook-depmod @{exec_path} {
/usr/lib/modules/*/{,**} rw,
/dev/tty rw,
/dev/tty rw,
/dev/tty[0-9]* rw,
owner /dev/pts/[0-9]* rw,
# Inherit Silencer
deny network inet6 stream,


@ -23,7 +23,9 @@ profile pacman-hook-gtk @{exec_path} {
/usr/share/icons/{,**} rw,
/dev/tty rw,
/dev/tty rw,
/dev/tty[0-9]* rw,
owner /dev/pts/[0-9]* rw,
# Inherit Silencer
deny network inet6 stream,


@ -23,7 +23,9 @@ profile pacman-hook-perl @{exec_path} {
@{lib}/perl[0-9]*/{,**} r,
/dev/tty rw,
/dev/tty rw,
/dev/tty[0-9]* rw,
owner /dev/pts/[0-9]* rw,
# Inherit silencer
deny network inet6 stream,


@ -30,7 +30,9 @@ profile pacman-hook-systemd @{exec_path} {
/usr/ rw,
/dev/tty rw,
/dev/tty rw,
/dev/tty[0-9]* rw,
owner /dev/pts/[0-9]* rw,
# Inherit silencer
deny network inet6 stream,


@ -14,6 +14,10 @@ profile reflector @{exec_path} flags=(attach_disconnected) {
include <abstractions/python>
include <abstractions/ssl_certs>
capability net_admin,
capability dac_read_search,
capability dac_override,
network inet dgram,
network inet6 dgram,
network inet stream,
@ -33,5 +37,8 @@ profile reflector @{exec_path} flags=(attach_disconnected) {
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
/dev/tty[0-9]* rw,
owner /dev/pts/[0-9]* rw,
include if exists <local/reflector>
}
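Review bot: `capability dac_override,` (together with `dac_read_search`) lets the confined reflector process bypass discretionary permission checks on every path its file rules already permit, so it deserves a comment naming the file operation that produced the denial; if that operation is a single path, an explicit rule or correcting the target's ownership/mode is the narrower fix, and `dac_read_search` alone already covers a read-only failure. The console rules in the second hunk follow the same unqualified-tty / `owner`-pts pairing as the other profiles in this commit. The enclosing `profile reflector` block starts outside the first hunk.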


@ -39,6 +39,10 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
/etc/.#{group,gshadow}[0-9a-zA-Z]* rw,
/etc/.pwd.lock rwk,
/dev/tty[0-9]* rw,
owner /dev/pts/[0-9]* rw,
# Inherit Silencer
deny network inet6 stream,
deny network inet stream,


@ -44,7 +44,10 @@ profile btrfs @{exec_path} {
@{PROC}/partitions r,
owner @{PROC}/@{pid}/mounts r,
/dev/btrfs-control rw,
/dev/btrfs-control rw,
/dev/tty[0-9]* rw,
owner /dev/pts/[0-9]* rw,
include if exists <local/btrfs>
}


@ -25,5 +25,10 @@ profile lscpu @{exec_path} {
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/cpumap r,
owner @{sys}/kernel/cpu_byteorder r,
/dev/tty[0-9]* rw,
include if exists <local/lscpu>
}


@ -29,7 +29,9 @@ profile needrestart-iucode-scan-versions @{exec_path} {
@{sys}/devices/system/cpu/cpu[0-9]*/microcode/processor_flags r,
/dev/tty rw,
/dev/tty rw,
/dev/tty[0-9]* rw,
owner /dev/pts/[0-9]* rw,
include if exists <local/needrestart-iucode-scan-versions>
}