Adding /dev/tty[0-9]* and /dev/pts/[0-9]* to various profiles; update kded5 and reflector (#183)

* Update update-mime-database * Update btrfs * Update update-grub * Update pacman-hook-depmod * Update pacman * Update systemd-sysusers * Update lscpu * Update pacman-hook-systemd * Update pacman-hook-perl * Update pacman-hook-gtk * Update needrestart-iucode-scan-versions * Update reflector * Update kded5
2024-11-15 16:03:51 +01:00 · 2023-07-27 13:23:04 +02:00 · 2023-07-27 13:23:04 +02:00 · 4894d6a3c4
commit 4894d6a3c4
parent 0f9b7cb474
13 changed files with 55 additions and 14 deletions
--- a/apparmor.d/groups/freedesktop/update-mime-database
+++ b/apparmor.d/groups/freedesktop/update-mime-database
@ -18,9 +18,12 @@ profile update-mime-database @{exec_path} {

  /usr/share/mime/{,**} rw,

+  /dev/tty[0-9]* rw,
+  owner /dev/pts/[0-9]* rw,
+
  # Inherit silencer
  deny network inet6 stream,
  deny network inet stream,

  include if exists <local/update-mime-database>
-}
+}
--- a/apparmor.d/groups/grub/update-grub
+++ b/apparmor.d/groups/grub/update-grub
@ -15,5 +15,7 @@ profile update-grub @{exec_path} {
  @{bin}/{,ba,da}sh rix,
  @{bin}/grub-mkconfig rPx,

+  /dev/tty[0-9]* rw,
+
  include if exists <local/update-grub>
 }
--- a/apparmor.d/groups/kde/kded5
+++ b/apparmor.d/groups/kde/kded5
@ -120,12 +120,17 @@ profile kded5 @{exec_path} {

    @{bin}/pgrep mr,

+    @{sys}/devices/system/node/ r,
+    @{sys}/devices/system/node/node[0-9]*/meminfo r,
+
    @{PROC}/ r,
+    @{PROC}/@{pids}/cgroup r,
    @{PROC}/@{pids}/cmdline r,
    @{PROC}/@{pids}/stat r,
    @{PROC}/sys/kernel/osrelease r,
    @{PROC}/uptime r,
    @{PROC}/@{pids}/cgroup r,
+    @{PROC}/tty/drivers r,

    include if exists <local/kded5_pgrep>
  }
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -150,7 +150,8 @@ profile pacman @{exec_path} {

  @{run}/utmp rk,
  
-  owner /dev/tty[0-9]* rw,
+        /dev/tty[0-9]* rw,
+  owner /dev/pts/[0-9]* rw,

  # Silencer, 
  deny /tmp/ r,
@ -174,7 +175,8 @@ profile pacman @{exec_path} {

    @{HOME}/@{XDG_GPG_DIR}/*.conf r,
    
-    /dev/tty[0-9]* rw,
+          /dev/tty[0-9]* rw,
+    owner /dev/pts/[0-9]* rw,

    deny network inet stream,
    deny network inet6 stream,
--- a/apparmor.d/groups/pacman/pacman-hook-depmod
+++ b/apparmor.d/groups/pacman/pacman-hook-depmod
@ -23,11 +23,13 @@ profile pacman-hook-depmod @{exec_path} {

  /usr/lib/modules/*/{,**} rw,

-  /dev/tty rw,
+        /dev/tty rw,
+        /dev/tty[0-9]* rw,
+  owner /dev/pts/[0-9]* rw,

  # Inherit Silencer
  deny network inet6 stream,
  deny network inet stream,

  include if exists <local/pacman-hook-depmod>
-}
+}
--- a/apparmor.d/groups/pacman/pacman-hook-gtk
+++ b/apparmor.d/groups/pacman/pacman-hook-gtk
@ -23,11 +23,13 @@ profile pacman-hook-gtk @{exec_path} {

  /usr/share/icons/{,**} rw,

-  /dev/tty rw,
+        /dev/tty rw,
+        /dev/tty[0-9]* rw,
+  owner /dev/pts/[0-9]* rw,

  # Inherit Silencer
  deny network inet6 stream,
  deny network inet stream,

  include if exists <local/pacman-hook-gtk>
-}
+}
--- a/apparmor.d/groups/pacman/pacman-hook-perl
+++ b/apparmor.d/groups/pacman/pacman-hook-perl
@ -23,11 +23,13 @@ profile pacman-hook-perl @{exec_path} {

  @{lib}/perl[0-9]*/{,**} r,

-  /dev/tty rw,
+        /dev/tty rw,
+        /dev/tty[0-9]* rw,
+  owner /dev/pts/[0-9]* rw,

  # Inherit silencer
  deny network inet6 stream,
  deny network inet stream,

  include if exists <local/pacman-hook-perl>
-}
+}
--- a/apparmor.d/groups/pacman/pacman-hook-systemd
+++ b/apparmor.d/groups/pacman/pacman-hook-systemd
@ -30,11 +30,13 @@ profile pacman-hook-systemd @{exec_path} {

  /usr/ rw,

-  /dev/tty rw,
+        /dev/tty rw,
+        /dev/tty[0-9]* rw,
+  owner /dev/pts/[0-9]* rw,

  # Inherit silencer
  deny network inet6 stream,
  deny network inet stream,

  include if exists <local/pacman-hook-systemd>
-}
+}
--- a/apparmor.d/groups/pacman/reflector
+++ b/apparmor.d/groups/pacman/reflector
@ -14,6 +14,10 @@ profile reflector @{exec_path} flags=(attach_disconnected) {
  include <abstractions/python>
  include <abstractions/ssl_certs>

+  capability net_admin,
+  capability dac_read_search,
+  capability dac_override,
+
  network inet dgram,
  network inet6 dgram,
  network inet stream,
@ -33,5 +37,8 @@ profile reflector @{exec_path} flags=(attach_disconnected) {
  @{PROC}/cmdline r,
  @{PROC}/sys/kernel/osrelease r,

+        /dev/tty[0-9]* rw,
+  owner /dev/pts/[0-9]* rw,
+
  include if exists <local/reflector>
 }
--- a/apparmor.d/groups/systemd/systemd-sysusers
+++ b/apparmor.d/groups/systemd/systemd-sysusers
@ -39,6 +39,10 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
  /etc/.#{group,gshadow}[0-9a-zA-Z]* rw,
  /etc/.pwd.lock rwk,

+        /dev/tty[0-9]* rw,
+  owner /dev/pts/[0-9]* rw,
+
+
  # Inherit Silencer
  deny network inet6 stream,
  deny network inet stream,
--- a/apparmor.d/profiles-a-f/btrfs
+++ b/apparmor.d/profiles-a-f/btrfs
@ -44,7 +44,10 @@ profile btrfs @{exec_path} {
        @{PROC}/partitions r,
  owner @{PROC}/@{pid}/mounts r,

-  /dev/btrfs-control rw,
+        /dev/btrfs-control rw,
+        /dev/tty[0-9]* rw,
+  owner /dev/pts/[0-9]* rw,
+

  include if exists <local/btrfs>
 }
--- a/apparmor.d/profiles-g-l/lscpu
+++ b/apparmor.d/profiles-g-l/lscpu
@ -25,5 +25,10 @@ profile lscpu @{exec_path} {
  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node[0-9]*/cpumap r,

+  owner @{sys}/kernel/cpu_byteorder r,
+
+  /dev/tty[0-9]* rw,
+  
+
  include if exists <local/lscpu>
 }
--- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
+++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
@ -29,7 +29,9 @@ profile needrestart-iucode-scan-versions @{exec_path} {
 
  @{sys}/devices/system/cpu/cpu[0-9]*/microcode/processor_flags r,

-  /dev/tty rw,
+        /dev/tty rw,
+        /dev/tty[0-9]* rw,
+  owner /dev/pts/[0-9]* rw,

  include if exists <local/needrestart-iucode-scan-versions>
-}
+}