feat(profile): gemeral update.

See: #104.
2025-01-18 00:48:10 +01:00 · 2023-01-18 23:22:49 +00:00 · 2023-01-18 23:22:49 +00:00 · 5b15521255
commit 5b15521255
parent a16d645dcb
8 changed files with 29 additions and 8 deletions
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@ -45,6 +45,7 @@ profile child-open {
  /{usr/,}bin/firefox                                                         rPx,
  /{usr/,}lib/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer}  rPx,
  /{usr/,}lib/chromium/chromium                                               rPx,
+  /{usr/,}lib/firefox/firefox                                                 rPx,
  /opt/brave.com/brave{,-beta,-dev}/brave{,-beta,-dev}                        rPx,
  /opt/google/chrome{,-beta,-unstable}/chrome{,-beta,-unstable}               rPx,

@ -58,6 +59,7 @@ profile child-open {
  /{usr/,}bin/draw.io          rPUx,
  /{usr/,}bin/dropbox           rPx,
  /{usr/,}bin/engrampa          rPx,
+  /{usr/,}bin/eog              rPUx,
  /{usr/,}bin/evince            rPx,
  /{usr/,}bin/filezilla         rPx,
  /{usr/,}bin/flameshot         rPx,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -108,12 +108,12 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,

  /{usr/,}bin/{,ba,da}sh  rix,
+  /{usr/,}bin/nautilus    rPx,
  /{usr/,}bin/snap        rPx,

  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
  /{usr/,}lib/gio-launch-desktop                           rPx -> child-open,
-
-  /{usr/,}bin/nautilus rPx,
+  /{usr/,}lib/xdg-desktop-portal-validate-icon             rPUx,

  / r,
  /.flatpak-info r,
@ -127,6 +127,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  /var/lib/flatpak/exports/share/mime/mime.cache r,
  /var/lib/flatpak/exports/share/applications/{**,} r,

+  owner /tmp/icon* rw,
+
  owner @{run}/user/@{uid}/.flatpak/{,*/*} r,
  owner @{run}/user/@{uid}/pipewire-[0-9]* rw,

--- a/apparmor.d/groups/gnome/gnome-characters
+++ b/apparmor.d/groups/gnome/gnome-characters
@ -23,7 +23,7 @@ profile gnome-characters @{exec_path} {
  /{usr/,}bin/gjs-console rix,

  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService.*.gresource r,
+  /usr/share/org.gnome.Characters/org.gnome.Characters.*.gresource r,
  /usr/share/themes/{,**} r,
  /usr/share/X11/xkb/{,**} r,
  /usr/share/libdrm/*.ids r,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -546,7 +546,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /var/lib/snapd/desktop/icons/{,**} r,

  owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
-  owner @{HOME}/.var/app/**/icons/**.png r,
+  owner @{HOME}/.var/app/**/ r,
+  owner @{HOME}/.var/app/**/icons/**.{png,jpg} r,
  owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,

--- a/apparmor.d/groups/grub/grub-install
+++ b/apparmor.d/groups/grub/grub-install
@ -13,21 +13,31 @@ profile grub-install @{exec_path} flags=(complain) {
  include <abstractions/consoles>
  include <abstractions/disks-read>

+  capability dac_read_search,
+  capability sys_admin,
+
  @{exec_path} mr,

-  /{usr/,}bin/kmod              rPx,
  /{usr/,}bin/{,ba,da}sh        rix,
+  /{usr/,}bin/efibootmgr        rix,
+  /{usr/,}bin/kmod              rPx,
  /{usr/,}bin/lsb_release       rPx -> lsb_release,
  /{usr/,}bin/udevadm           rPx,

+  /usr/share/grub/{,**} r,
+
  /etc/default/grub.d/{,**} r,
+  /etc/default/grub r,

  /boot/efi/EFI/BOOT/{,**} rw,
+  /boot/EFI/*/grubx*.efi rw,
  /boot/grub/{,**} rw,

  @{sys}/firmware/efi/efivars/ r,
-  @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r,
+  @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw,
+  @{sys}/firmware/efi/efivars/BootCurrent-@{uuid} r,
  @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
+  @{sys}/firmware/efi/efivars/Timeout-@{uuid} r,
  @{sys}/firmware/efi/w_platform_size r,

        @{PROC}/devices r,
--- a/apparmor.d/groups/grub/grub-mkconfig
+++ b/apparmor.d/groups/grub/grub-mkconfig
@ -67,6 +67,7 @@ profile grub-mkconfig @{exec_path} {
  /etc/default/grub.d/{*,} r,

  /usr/share/grub/{**,} r,
+  /usr/share/terminfo/x/xterm-256color ,

  /.zfs/snapshot/*/etc/{machine-id,} r,
  /.zfs/snapshot/*/{usr/,}lib/os-release r,
--- a/apparmor.d/profiles-m-r/os-prober
+++ b/apparmor.d/profiles-m-r/os-prober
@ -11,8 +11,11 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>

+  capability dac_read_search,
  capability sys_admin,

+  umount /var/lib/os-prober/mount/,
+
  @{exec_path} mrix,

  /{usr/,}{s,}bin/blkid         rPx,
@ -42,6 +45,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
  /{usr/,}lib/os-probes/{,**}   rix,

  /usr/share/os-prober/common.sh r,
+  /usr/share/terminfo/x/xterm-256color r,

  /var/lib/os-prober/{,**} rw,

--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@ -29,13 +29,14 @@ profile wireplumber @{exec_path} {

  /var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,

-  owner @{HOME}/.local/state/ w,
-  owner @{HOME}/.local/state/wireplumber/{,**} rw,
+  owner @{user_state_dirs}/ w,
+  owner @{user_state_dirs}/wireplumber/{,**} rw,

  @{run}/systemd/users/@{uid} r,

  @{run}/udev/data/+sound:card[0-9]* r, # For sound
  @{run}/udev/data/c116:[0-9]* r,       # for ALSA
+  @{run}/udev/data/c14:[0-9]* r,
  @{run}/udev/data/c23[0-9]:[0-9]* r,
  @{run}/udev/data/c50[0-9]:[0-9]* r,
  @{run}/udev/data/c81:[0-9]*  r,       # For video4linux