fix(profile): various fix & cleanup

2025-02-21 17:35:50 +01:00 · 2024-05-06 20:33:01 +01:00 · 2024-05-06 20:33:01 +01:00 · 4b4e14b1d6
commit 4b4e14b1d6
parent e2c69f18fa
12 changed files with 32 additions and 81 deletions
--- a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1
+++ b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1
@ -4,7 +4,7 @@
  dbus send bus=system path=/fi/w1/wpa_supplicant1
       interface=org.freedesktop.DBus.Properties
-       member={GetAll,PropertiesChanged},Set
+       member={GetAll,PropertiesChanged}
       peer=(name=:*, label=wpa-supplicant),
  dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
--- a/apparmor.d/groups/_full/bwrap
+++ b/apparmor.d/groups/_full/bwrap
@ -14,7 +14,6 @@ profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/common/bwrap>
  include <abstractions/common/app>
  include <abstractions/dbus>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/fontconfig-cache-write>
  capability dac_override,
--- a/apparmor.d/groups/freedesktop/xdg-mime
+++ b/apparmor.d/groups/freedesktop/xdg-mime
@ -21,7 +21,6 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
  @{bin}/cut        rix,
  @{bin}/file       rix,
  @{bin}/head       rix,
  @{bin}/kbuildsycoca5 rPx,
  @{bin}/mv         rix,
  @{bin}/readlink   rix,
  @{bin}/realpath   rix,
@ -31,9 +30,10 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
  @{bin}/which{,.debianutils}      rix,
  @{bin}/gio        rPx,
  @{bin}/kbuildsycoca5 rPx,
  @{bin}/ktraderclient5 rPUx,
  @{bin}/mimetype   rPx,
  @{bin}/xprop      rPx,
  @{bin}/ktraderclient5 rPUx,
  /usr/share/terminfo/** r,
--- a/apparmor.d/groups/kde/kauth-kded-smart-helper
+++ b/apparmor.d/groups/kde/kauth-kded-smart-helper
@ -13,12 +13,12 @@ profile kauth-kded-smart-helper @{exec_path} {
  include <abstractions/bus/org.freedesktop.PolicyKit1>
  include <abstractions/nameservice-strict>
-  # dbus: own bus=system name=org.kde.kded.smart
+  #aa:dbus own bus=system name=org.kde.kded.smart
  dbus send bus=system path=/
-            interface=org.kde.kf5auth
+       interface=org.kde.kf5auth
-            member=remoteSignal
+       member=remoteSignal
-            peer=(name=org.freedesktop.DBus, label=kded5),
+       peer=(name=org.freedesktop.DBus, label=kded5),
  @{exec_path} mr,
--- a/apparmor.d/groups/kde/kbuildsycoca5
+++ b/apparmor.d/groups/kde/kbuildsycoca5
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 Jeroen Rijken
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -9,20 +10,13 @@ include <tunables/global>
@{exec_path} = @{bin}/kbuildsycoca5
 profile kbuildsycoca5 @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>
  @{exec_path} mr,
  /usr/share/applications/kde-mimeapps.list r,
  /usr/share/mime/mime.cache r,
  /usr/share/mime/types r,
  /var/lib/flatpak/exports/share/mime/types r,
  owner @{user_cache_dirs}/ksycoca5_* l -> @{user_cache_dirs}/#@{int},
  owner @{user_cache_dirs}/ksycoca5_* rw,
-  owner @{user_config_dirs}/mimeapps.list r,
+  link owner @{user_cache_dirs}/ksycoca5_* -> @{user_cache_dirs}/#@{int},
  owner @{user_share_dirs}/applications/mimeapps.list r,
  owner @{user_share_dirs}/mime/types r,
  /dev/tty r,
--- a/apparmor.d/groups/kde/kded
+++ b/apparmor.d/groups/kde/kded
@ -15,7 +15,6 @@ profile kded @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/dconf-write>
  include <abstractions/bus/org.bluez>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.PolicyKit1>
  include <abstractions/graphics>
  include <abstractions/gtk>
@ -34,40 +33,9 @@ profile kded @{exec_path} {
  signal (send) set=hup peer=xsettingsd,
-  # dbus: own bus=system name=com.redhat.NewPrinterNotification
+  #aa:dbus own bus=system name=com.redhat.NewPrinterNotification
-
+  #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager
-  dbus receive bus=system path=/org/freedesktop/NetworkManager/SecretAgent
+  #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd
       interface=org.freedesktop.NetworkManager.SecretAgent
       member={GetSecrets,CancelGetSecrets}
       peer=(label=NetworkManager),
  dbus receive bus=system path=/org/freedesktop/NetworkManager/AccessPoint/@{int}
       interface=org.freedesktop.DBus.Properties
       member=PropertiesChanged
       peer=(label=NetworkManager),
  dbus receive bus=system path=/org/freedesktop/NetworkManager/Devices/@{int}
       interface=org.freedesktop.DBus.Properties
       member={PropertiesChanged,AccessPointAdded,AccessPointRemoved}
       peer=(label=NetworkManager),
  dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager
       interface=org.freedesktop.NetworkManager.AgentManager
       peer=(label=NetworkManager),
  dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager
       interface=org.freedesktop.NetworkManager.AgentManager
       peer=(label=NetworkManager),
  dbus send bus=system path=/org/freedesktop/bolt
       interface=org.freedesktop.bolt1.Manager
       member=ListDevices
       peer=(name="{:*,org.freedesktop.bolt}", label=boltd),
  dbus send bus=system path=/org/freedesktop/bolt{,/**}
       interface=org.freedesktop.DBus.Properties
       member=Get
       peer=(name="{:*,org.freedesktop.bolt}", label=boltd),
  dbus receive bus=system path=/
       interface=org.kde.kf5auth
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@ -46,8 +46,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
  @{lib}/libheif/            r,
  @{lib}/libheif/{,**}      mr,
-  @{lib}/kf5/kdesu{,d}     rix,
+
-  @{bin}/dolphin          rPUx, # TODO: rPx,
+  @{bin}/dolphin           rPx,
  @{bin}/ksysguardd        rix,
  @{bin}/plasma-discover  rPUx,
  @{bin}/xrdb              rPx,
--- a/apparmor.d/groups/kde/sddm-xsession
+++ b/apparmor.d/groups/kde/sddm-xsession
@ -58,21 +58,20 @@ profile sddm-xsession @{exec_path} {
  #@{bin}/openbox-session  rPx,
  #@{bin}/openbox          rPx,
  @{system_share_dirs}/im-config/data/{,*} r,
  @{system_share_dirs}/im-config/xinputrc.common r,
  /etc/default/{,*} r,
  /etc/X11/{,**} r,
  owner @{HOME}/.xinputrc r,
  owner @{HOME}/.xsession-errors rw,
        @{HOME}/tmp.* rw,
  @{system_share_dirs}/im-config/data/{,*} r,
  @{system_share_dirs}/im-config/xinputrc.common r,
  owner @{user_share_dirs}/sddm/xorg-session.log w,
  owner @{tmp}/xsess-env-* rw,
  owner @{tmp}/file* rw,
-  owner @{tmp}/tmp.* rw,
+  audit owner @{tmp}/tmp.* rw,
  owner @{PROC}/@{pid}/loginuid r,
--- a/apparmor.d/groups/kde/startplasma
+++ b/apparmor.d/groups/kde/startplasma
@ -18,10 +18,7 @@ profile startplasma @{exec_path} {
  @{exec_path} mr,
-  @{sh_path}  rix,
+  @{sh_path}                rix,
  @{bin}/env  rix,
  @{bin}/{,ba,da}sh         rix,
  @{bin}/env                rix,
  @{bin}/grep               rix,
  @{bin}/kapplymousetheme  rPUx,
@ -47,9 +44,6 @@ profile startplasma @{exec_path} {
  /var/lib/flatpak/exports/share/mime/ r,
  @{HOME}/ r,
  @{HOME}/.xsession-errors w,
        @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int},
  owner @{user_cache_dirs}/#@{int} rwk,
  owner @{user_cache_dirs}/kcrash-metadata/ rw,
--- a/apparmor.d/groups/kde/systemsettings
+++ b/apparmor.d/groups/kde/systemsettings
@ -21,9 +21,10 @@ profile systemsettings @{exec_path} {
  @{bin}/kcminit rPx,
  /usr/share/kglobalaccel/org.kde.krunner.desktop r,
  /usr/share/kcmkeys/{,*.kksrc} r,
  /usr/share/kcm_networkmanagement/{,**} r,
  /usr/share/kcmkeys/{,*.kksrc} r,
  /usr/share/kglobalaccel/* r,
  /usr/share/kinfocenter/{,**} r,
  /usr/share/kinfocenter/{,**} r,
  /usr/share/kpackage/{,**} r,
  /usr/share/kservices{5,6}/{,**} r,
@ -31,11 +32,8 @@ profile systemsettings @{exec_path} {
  /usr/share/kxmlgui5/systemsettings/systemsettingsui.rc r,
  /usr/share/plasma/{,**} r,
  /usr/share/sddm/themes/{,**} r,
  /usr/share/systemsettings/{,**} r,
  /usr/share/kinfocenter/{,**} r,
  /usr/share/sddm/themes/{,**} r,
-
+  /usr/share/systemsettings/{,**} r,
  /var/lib/flatpak/exports/share/mime/ r,
  /etc/fstab r,
  /etc/machine-id r,
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@ -23,9 +23,9 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
  #aa:dbus own bus=system name=org.freedesktop.nm_dispatcher
  dbus send bus=system path=/org/freedesktop
-            interface=org.freedesktop.DBus.ObjectManager
+       interface=org.freedesktop.DBus.ObjectManager
-            member=GetManagedObjects
+       member=GetManagedObjects
-            peer=(name=:*, label=NetworkManager),
+       peer=(name=:*, label=NetworkManager),
  @{exec_path} mr,
@ -58,13 +58,13 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
  /etc/NetworkManager/dispatcher.d/** rix,
  /etc/dhcp/dhclient-exit-hooks.d/ntp r,
  # chown
  / r,
  /usr/share/tlp/{,**} rw,
  /etc/sysconfig/network/config r,
  /etc/fstab r,
  /etc/ntp.conf r,
  /etc/sysconfig/network/config r,
  / r,
        @{run}/chrony-dhcp/ rw,
        @{run}/ntp.conf.dhcp rw,
@ -72,7 +72,6 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
        @{run}/systemd/notify rw,
        @{run}/tlp/{,*} rw,
  owner @{run}/ntp.conf.dhcp.@{rand6} rw,
  owner /etc/ntp.conf r,
  @{sys}/class/net/ r,
--- a/apparmor.d/profiles-s-z/usbguard
+++ b/apparmor.d/profiles-s-z/usbguard
@ -22,7 +22,7 @@ profile usbguard @{exec_path} {
  unix (send, receive, connect) type=stream peer=(label="usbguard-daemon",addr=@@{int}),
-  # dbus: own bus=system name=org.usbguard1
+  #aa:dbus own bus=system name=org.usbguard1
  @{exec_path} mr,