feat(profiles): second general update. See #101

2025-01-18 00:48:10 +01:00 · 2023-01-15 17:38:28 +00:00 · 2023-01-15 17:38:28 +00:00 · 55edf06936
commit 55edf06936
parent c59a40ec4e
6 changed files with 7 additions and 4 deletions
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@ -82,7 +82,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
  /usr/share/terminfo/x/xterm-256color r,

  # Can copy any program to the initframs
-  /{usr/,}bin/ r,
+  /{usr/,}{local/,}{s,}bin/ r,
  /{usr/,}bin/[a-z0-9]* mr,
  /{usr/,}lib/ r,
  /{usr/,}lib/plymouth/plymouthd-* mr,
--- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
+++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
@ -20,6 +20,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/bash       rix,
  /{usr/,}bin/cmp        rix,
  /{usr/,}bin/compgen    rix,
+  /{usr/,}bin/env        rix,
  /{usr/,}bin/install    rix,
  /{usr/,}bin/mkinitcpio rPx,
  /{usr/,}bin/mv         rix,
@ -36,7 +37,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
  /boot/initramfs-*.img rw,
  /boot/initramfs-*-fallback.img rw,

-  # /dev/tty rw,
+  /dev/tty rw,

  # # Inherit Silencer
  deny network inet6 stream,
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -53,6 +53,7 @@ profile systemd-journald @{exec_path} {
  @{run}/udev/data/c23[0-9]:[0-9]* r,
  @{run}/udev/data/c24[0-9]:[0-9]* r,
  @{run}/udev/data/c4:[0-9]* r,
+  @{run}/udev/data/c51[0-9]:[0-9]* r,

  @{sys}/devices/**/uevent r,
  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
--- a/apparmor.d/profiles-m-r/mission-control
+++ b/apparmor.d/profiles-m-r/mission-control
@ -14,6 +14,7 @@ profile mission-control @{exec_path} {
  network netlink raw,

  @{exec_path} mr,
+
  /usr/share/telepathy/{,**} r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

--- a/apparmor.d/profiles-m-r/nvtop
+++ b/apparmor.d/profiles-m-r/nvtop
@ -29,7 +29,7 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {
  @{run}/udev/data/+drm:* r,
  @{run}/udev/data/+pci* r,
  @{run}/udev/data/c226:[0-9]* r,
-  @{run}/udev/data/c236:[0-9]* r,
+  @{run}/udev/data/c23[0-9]:[0-9]* r,

  @{sys}/bus/ r,
  @{sys}/class/ r,
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@ -36,7 +36,7 @@ profile wireplumber @{exec_path} {

  @{run}/udev/data/+sound:card[0-9]* r, # For sound
  @{run}/udev/data/c116:[0-9]* r,       # for ALSA
-  @{run}/udev/data/c236:[0-9]* r,
+  @{run}/udev/data/c23[0-9]:[0-9]* r,
  @{run}/udev/data/c50[0-9]:[0-9]* r,
  @{run}/udev/data/c81:[0-9]*  r,       # For video4linux