Profiles update.

2025-01-18 08:58:15 +01:00 · 2021-04-06 12:42:47 +01:00 · 2021-04-06 12:42:47 +01:00 · 550c3957de
commit 550c3957de
parent 49bb492766
9 changed files with 24 additions and 4 deletions
--- a/apparmor.d/groups/desktop/accounts-daemon
+++ b/apparmor.d/groups/desktop/accounts-daemon
@ -29,5 +29,9 @@ profile accounts-daemon @{exec_path} {
  /etc/shells r,
  /etc/shadow r,

+  @{PROC}/sys/kernel/osrelease r,
+  @{PROC}/1/environ r,
+  @{PROC}/cmdline r,
+
  include if exists <local/accounts-daemon>
 }
--- a/apparmor.d/groups/desktop/colord
+++ b/apparmor.d/groups/desktop/colord
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+#               2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -29,7 +30,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {

  /usr/share/color/icc/{,**} r,

-  owner /run/systemd/sessions/1 r,
+  owner @{run}/systemd/sessions/[0-9] r,

  @{sys}/class/drm/ r,
  @{sys}/class/video4linux/ r,
@ -44,7 +45,5 @@ profile colord @{exec_path} flags=(attach_disconnected) {

  @{user_share_dirs}/icc/edid-*.icc r,

-  /run/systemd/sessions/1 r,
-
  include if exists <local/colord>
 }
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -14,6 +14,8 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>

+  network netlink raw,
+
  @{exec_path} mr,
  /{usr/,}bin/          r,
  /{usr/,}bin/[a-z0-9]* rPix,
@ -51,5 +53,8 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  /dev/tty rw,
  /dev/tty[0-9]* rw,

+  @{sys}/bus/ r,
+  @{sys}/class/ r,
+
  include if exists <local/gjs-console>
 }
--- a/apparmor.d/groups/gnome/gnome-keyring-daemon
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/gnome-keyring-daemon
 profile gnome-keyring-daemon @{exec_path} {
  include <abstractions/base>
+  include <abstractions/openssl>
  include <abstractions/deny-root-dir-access>

  # Remove the following error:
--- a/apparmor.d/groups/gvfs/gvfsd-dnssd
+++ b/apparmor.d/groups/gvfs/gvfsd-dnssd
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
+#               2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -13,5 +14,8 @@ profile gvfsd-dnssd @{exec_path} {

  @{exec_path} mr,

+  owner @{run}/user/[0-9]*/gvfsd/ rw,
+  owner @{run}/user/[0-9]*/gvfsd/socket-[a-zA-z0-9]* rw,
+
  include if exists <local/gvfsd-dnssd>
 }
--- a/apparmor.d/groups/ssh/ssh
+++ b/apparmor.d/groups/ssh/ssh
@ -14,6 +14,8 @@ profile ssh @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>

+  signal (receive) set=(term) peer=gnome-keyring-daemon,
+
  network inet stream,
  network inet6 stream,
  network inet dgram,
--- a/apparmor.d/profiles-a-l/browserpass
+++ b/apparmor.d/profiles-a-l/browserpass
@ -30,5 +30,7 @@ profile browserpass @{exec_path} {
  @{user_share_dirs}/gvfs-metadata/home r,
  @{user_share_dirs}/gvfs-metadata/home-*.log r,

+  owner @{PROC}/@{pid}/mountinfo r,
+
  include if exists <local/browserpass>
 }
--- a/apparmor.d/profiles-m-z/polkit-agent-helper
+++ b/apparmor.d/profiles-m-z/polkit-agent-helper
@ -36,7 +36,7 @@ profile polkit-agent-helper @{exec_path} {
  owner /dev/tty[0-9]* rw,
  owner @{HOME}/.xsession-errors w,

-  @{run}/faillock/[a-zA-z0-9]* rw,
+  @{run}/faillock/[a-zA-z0-9]* rwk,

  include if exists <local/polkit-agent-helper>
 }
--- a/apparmor.d/profiles-m-z/polkitd
+++ b/apparmor.d/profiles-m-z/polkitd
@ -24,6 +24,9 @@ profile polkitd @{exec_path} {
  @{PROC}/@{pids}/cmdline r,
  @{PROC}/@{pids}/task/@{tid}/stat r,
  @{PROC}/@{pids}/cgroup r,
+  @{PROC}/sys/kernel/osrelease r,
+  @{PROC}/1/environ r,
+  @{PROC}/cmdline r,

  # System rules
  /etc/polkit-1/rules.d/{,[0-9][0-9]-*.rules} r,