feat(profile): add only directive.

2024-11-14 23:43:56 +01:00 · 2024-03-21 23:18:03 +00:00 · 2024-03-21 23:18:03 +00:00 · 5149b55bd0
commit 5149b55bd0
parent 6052b95347
3 changed files with 16 additions and 11 deletions
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@ -39,7 +39,7 @@ profile gpg @{exec_path} {
  owner @{user_projects_dirs}/**/gnupg/ rw,
  owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**,

-  # only: apt
+  #aa:only apt
  owner /etc/apt/keyrings/ rw,
  owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**,

@ -50,6 +50,7 @@ profile gpg @{exec_path} {
  owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**,

  # TODO: Remove after zypper profile is created
+  #aa:only zypper
  owner /var/tmp/zypp.@{rand6}/ rw,
  owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**,

--- a/apparmor.d/profiles-g-l/lightdm
+++ b/apparmor.d/profiles-g-l/lightdm
@ -46,7 +46,7 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
  @{bin}/plymouth              rPx,
  @{bin}/gnome-keyring-daemon  rPx,

-  @{lib}/security-misc/* rPUx, # only: whonix
+  @{lib}/security-misc/* rPUx, #aa:only whonix
  @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,

  /etc/X11/Xsession            rPUx,
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@ -63,15 +63,15 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
  @{bin}/touch          rix,

  @{bin}/appstreamcli                rPx,
-  @{bin}/arch-audit                  rPx, # only: arch
-  @{bin}/dpkg                        rPx -> child-dpkg, # only: dpkg
+  @{bin}/arch-audit                  rPx, #aa:only arch
+  @{bin}/dpkg                        rPx -> child-dpkg, #aa:only apt
  @{bin}/fc-cache                    rPx,
  @{bin}/glib-compile-schemas        rPx,
  @{bin}/install-info                rPx,
-  @{bin}/rpmdb2solv                 rPUx, # only: opensuse
+  @{bin}/rpmdb2solv                 rPUx, #aa:only opensuse
  @{bin}/systemd-inhibit             rPx,
  @{bin}/update-desktop-database     rPx,
-  @{lib}/apt/methods/*               rPx, # only: dpkg
+  @{lib}/apt/methods/*               rPx, #aa:only apt
  @{lib}/cnf-update-db               rPx,
  @{lib}/update-notifier/update-motd-updates-available  rPx,
  @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile
@ -94,10 +94,12 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
  owner /tmp/packagekit* rw,

        @{run}/systemd/inhibit/*.ref rw,
-        @{run}/zypp.pid rwk, # only: opensuse
  owner @{run}/systemd/users/@{uid} r,
-  owner @{run}/zypp-rpm.pid rwk, # only: opensuse
-  owner @{run}/zypp/packages/ r, # only: opensuse
+
+  #aa:only opensuse
+        @{run}/zypp.pid rwk,
+  owner @{run}/zypp-rpm.pid rwk,
+  owner @{run}/zypp/packages/ r,

  owner /dev/shm/AP_0x@{rand6}/{,**} rw,
  owner /dev/shm/ r,
@ -132,10 +134,12 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {

    @{HOME}/@{XDG_GPG_DIR}/*.conf r,

-    owner /etc/pacman.d/gnupg/ r, # only: arch
+    #aa:only arch
+    owner /etc/pacman.d/gnupg/ r,
    owner /etc/pacman.d/gnupg/** rwkl -> /tmp/pacman.d/gnupg/**,

-    owner /var/tmp/zypp.*/*/ r, # only: opensuse
+    #aa:only opensuse
+    owner /var/tmp/zypp.*/*/ r,
    owner /var/tmp/zypp.*/*/** rwkl -> /var/tmp/zypp.*/zypp-trusted-*/**,

    owner @{run}/user/@{uid}/gnupg/ r,