Profiles update.

2025-01-18 00:48:10 +01:00 · 2022-01-28 13:00:18 +00:00 · 2022-01-28 13:00:18 +00:00 · 54472e187b
commit 54472e187b
parent fede23bc28
6 changed files with 16 additions and 9 deletions
--- a/apparmor.d/groups/desktop/xwayland
+++ b/apparmor.d/groups/desktop/xwayland
@ -32,7 +32,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {

  @{sys}/bus/pci/devices/ r,

-  owner @{PROC}/@{pids}/cmdline r,
+        @{PROC}/@{pids}/cmdline r,
  owner @{PROC}/@{pids}/comm r,

  /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -144,18 +144,18 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
  @{sys}/devices/pci[0-9]*/**/drm/ r,

-  owner @{PROC}/@{pid}/attr/current r,
-  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/comm r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
+        @{PROC}/@{pid}/attr/current r,
+        @{PROC}/@{pid}/cgroup r,
+        @{PROC}/@{pid}/net/* r,
        @{PROC}/@{pid}/stat r,
        @{PROC}/@{pid}/task/@{tid}/stat r,
-        @{PROC}/@{pid}/net/* r,
-        @{PROC}/sys/kernel/osrelease r,
        @{PROC}/1/cgroup r,
        @{PROC}/cmdline r,
+        @{PROC}/sys/kernel/osrelease r,

  /dev/input/event[0-9]* rw,

--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@ -11,6 +11,7 @@ profile tracker-extract @{exec_path} {
  include <abstractions/base>
  include <abstractions/fonts>
  include <abstractions/gstreamer>
+  include <abstractions/opencl-nvidia>
  include <abstractions/openssl>

  network netlink raw,
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -47,8 +47,11 @@ profile pacman @{exec_path} {
  /{usr/,}{s,}bin/ldconfig                rix,
  /{usr/,}bin/{,ba}sh                     rix,
  /{usr/,}bin/cat                         rix,
+  /{usr/,}bin/chgrp                       rix,
+  /{usr/,}bin/chmod                       rix,
  /{usr/,}bin/dot                         rix,
  /{usr/,}bin/env                         rix,
+  /{usr/,}bin/getent                      rix,
  /{usr/,}bin/gettext                     rix,
  /{usr/,}bin/ghc-pkg-*                   rix,
  /{usr/,}bin/grep                        rix,
@ -63,6 +66,7 @@ profile pacman @{exec_path} {
  /{usr/,}bin/fc-cache                    rPx,
  /{usr/,}bin/gdk-pixbuf-query-loaders    rPx,
  /{usr/,}bin/glib-compile-schemas        rPx,
+  /{usr/,}bin/groupadd                    rPx,
  /{usr/,}bin/gtk-query-immodules-{2,3}.0 rPx,
  /{usr/,}bin/install-info                rPx,
  /{usr/,}bin/journalctl                  rPx,
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@ -17,11 +17,12 @@ profile systemd-hostnamed @{exec_path} {

  @{exec_path} mr,

-  @{sys}/devices/virtual/dmi/id/product_name r,
-  @{sys}/devices/virtual/dmi/id/sys_vendor r,
-  @{sys}/devices/virtual/dmi/id/board_vendor r,
  @{sys}/devices/virtual/dmi/id/bios_vendor r,
+  @{sys}/devices/virtual/dmi/id/board_vendor r,
  @{sys}/devices/virtual/dmi/id/chassis_type r,
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/product_version r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
  @{sys}/devices/virtual/dmi/id/uevent r,

  @{run}/udev/data/+dmi:id r,
--- a/apparmor.d/profiles-m-r/pipewire-pulse
+++ b/apparmor.d/profiles-m-r/pipewire-pulse
@ -12,7 +12,8 @@ profile pipewire-pulse @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

-  # Needed for all sound/music apps.
+  capability sys_ptrace,
+
  ptrace (read),

  @{exec_path} mr,