From 600d929d850157342dcf4963b35687b66e929adc Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 15 Dec 2022 19:41:51 +0000
Subject: [PATCH] feat(profiles): general update.

---
 apparmor.d/groups/gnome/gdm-wayland-session | 5 ++++-
 apparmor.d/groups/gnome/gnome-tweaks | 3 +++
 apparmor.d/groups/grub/grub-check-signatures | 4 ++++
 apparmor.d/groups/grub/grub-multi-install | 4 +++-
 apparmor.d/groups/pacman/aurpublish | 2 ++
 apparmor.d/groups/systemd/coredumpctl | 2 ++
 apparmor.d/groups/systemd/networkctl | 1 +
 apparmor.d/groups/systemd/systemd-logind | 2 +-
 .../systemd/systemd-tty-ask-password-agent | 7 +++----
 apparmor.d/groups/systemd/systemd-udevd | 17 +++++++++++------
 apparmor.d/profiles-s-z/snap-update-ns | 1 +
 11 files changed, 35 insertions(+), 13 deletions(-)

diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session
index c989c467..f65d8b44 100644
--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
@@ -39,20 +39,22 @@ profile gdm-wayland-session @{exec_path} {
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/cat rix,
 /{usr/,}bin/env rix,
 /{usr/,}bin/gettext rix,
 /{usr/,}bin/gnome-session rix,
 /{usr/,}bin/grep rix,
 /{usr/,}bin/gsettings rix,
 /{usr/,}bin/head rix,
+ /{usr/,}bin/id rix,
 /{usr/,}bin/locale rix,
 /{usr/,}bin/locale-check rix,
 /{usr/,}bin/qmake rix,
 /{usr/,}bin/sed rix,
 /{usr/,}bin/sort rix,
+ /{usr/,}bin/tr rix,
 /{usr/,}bin/tty rix,
 /{usr/,}bin/zsh rix,
- /{usr/,}bin/id rix,
 /{usr/,}bin/dbus-daemon rPx,
 /{usr/,}bin/dbus-run-session rPx,
@@ -63,6 +65,7 @@ profile gdm-wayland-session @{exec_path} {
 /{usr/,}bin/gettext.sh r,
 /usr/share/im-config/{,**} r,
+ /etc/debuginfod/{,*} r,
 /etc/default/im-config r,
 /etc/gdm{3,}/custom.conf r,
 /etc/gdm{3,}/daemon.conf r,
diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks
index e8bd2935..67693da9 100644
--- a/apparmor.d/groups/gnome/gnome-tweaks
+++ b/apparmor.d/groups/gnome/gnome-tweaks
@@ -28,9 +28,12 @@ profile gnome-tweaks @{exec_path} {
 /etc/xdg/autostart/{,**} r,
+ owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+ owner @{user_cache_dirs}/thumbnails/{,**} r,
 owner @{user_config_dirs}/autostart/ rw,
 owner @{user_config_dirs}/autostart/*.desktop r,
+ owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini* rw,
 owner @{user_share_dirs}/backgrounds/{,**} r,
 owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r,
 owner @{user_share_dirs}/recently-used.xbel* rw,
diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures
index a521a0f9..f568bb24 100644
--- a/apparmor.d/groups/grub/grub-check-signatures
+++ b/apparmor.d/groups/grub/grub-check-signatures
@@ -18,6 +18,10 @@ profile grub-check-signatures @{exec_path} {
 /{usr/,}bin//mktemp rix,
 /{usr/,}bin//od rix,
+ /usr/share/debconf/frontend rPx,
+
+ /usr/share/debconf/confmodule r,
+
 owner /tmp/tmp.*/ rw,
 include if exists
diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install
index 11185f7b..9b23051f 100644
--- a/apparmor.d/groups/grub/grub-multi-install
+++ b/apparmor.d/groups/grub/grub-multi-install
@@ -21,10 +21,12 @@ profile grub-multi-install @{exec_path} {
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/sed rix,
 /{usr/,}bin/sort rix,
- /{usr/,}bin/udevadm rPx,
 /{usr/,}bin/touch rix,
+ /{usr/,}bin/udevadm rPx,
+ /usr/share/debconf/frontend rPx,
 /usr/lib/terminfo/x/xterm-256color r,
+ /usr/share/debconf/confmodule r,
 /boot/grub/grub.cfg rw,
diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish
index 6b822411..5fcc9bde 100644
--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
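Review bot: `/usr/share/debconf/frontend rPx,` makes the exec depend on a separately loaded profile for that path; with `Px` (unlike the `PUx` fallback used elsewhere in this set) AppArmor denies the exec outright when no such profile is loaded, so the script would fail rather than degrade. Whether a profile attached to that path exists in this repository is not visible from the diff; if it does, a comment such as `# Px: relies on the <profile attached to /usr/share/debconf/frontend> being installed` would make the dependency explicit, and if it does not, `rPUx` is the safer choice until one is added. The same applies to the identical line in the grub-multi-install hunk below and to `/{usr/,}bin/mknod rPx,` in the systemd-udevd hunk. The enclosing profile blocks extend outside these hunks.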
@@ -28,9 +28,11 @@ profile aurpublish @{exec_path} {
 /{usr/,}bin/nproc rix,
 /{usr/,}bin/rm rix,
 /{usr/,}bin/sha512sum rix,
+ /{usr/,}bin/tput rix,
 /{usr/,}bin/wc rix,
 /usr/share/makepkg/{,**} r,
+ /usr/share/terminfo/x/xterm-256color r,
 /etc/makepkg.conf r,
diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl
index f5c7900f..a1ddedef 100644
--- a/apparmor.d/groups/systemd/coredumpctl
+++ b/apparmor.d/groups/systemd/coredumpctl
@@ -12,6 +12,8 @@ profile coredumpctl @{exec_path} flags=(complain) {
 include
 include
+ capability net_admin,
+
 signal (send) peer=child-pager,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl
index db2b6d10..b7cdcc26 100644
--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@@ -54,6 +54,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected,complain) {
 @{sys}/devices/**/net/**/uevent r,
 @{PROC}/sys/kernel/random/boot_id r,
+ @{PROC}/1/cgroup r,
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index a7c45b08..acc70a87 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -140,8 +140,8 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 /dev/dri/card[0-9]* rw,
 /dev/input/event[0-9]* rw, # Input devices (keyboard, mouse, etc)
 /dev/mqueue/ r,
- /dev/shm/{,**/} rw,
 /dev/tty[0-9]* rw,
+ owner /dev/shm/{,**/} rw,
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
index 58bebab9..f6e98242 100644
--- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
+++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
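Review bot: `/usr/share/terminfo/x/xterm-256color r,` pins the rule to a single TERM value, so the `tput` added in the same hunk is denied its database under any other terminal and the profile will keep generating denials as soon as someone runs it from a different emulator. The terminfo tree is world-readable public data, so `/usr/share/terminfo/{,**} r,` is the conventional rule and adds no exposure. The same pattern, `/usr/lib/terminfo/x/xterm-256color r,`, is visible as context in the grub-multi-install hunk above.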
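Review bot: `capability net_admin,` is a broad grant for a read-mostly CLI and the hunk gives no hint what triggered it; net_admin covers interface and routing configuration, netfilter changes and privileged socket tuning, far beyond what coredumpctl does on its own. A plausible trigger is systemd's socket-buffer code trying SO_RCVBUFFORCE before falling back to the unprivileged SO_RCVBUF (an inference, to be confirmed against the audit log); if that is the cause, `deny capability net_admin,` silences the denial without handing the capability out, and otherwise the rule should at least carry a comment such as `# Needed for <syscall seen in the audit log>`. The profile is in complain mode, so the grant is not yet exercised in enforcement.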
@@ -10,6 +10,7 @@ include
 profile systemd-tty-ask-password-agent @{exec_path} {
 include
 include
+ include
 # capability net_admin,
@@ -18,12 +19,10 @@ profile systemd-tty-ask-password-agent @{exec_path} {
 @{exec_path} mr,
 @{run}/systemd/ask-password-block/{,*} rw,
- @{run}/systemd/ask-password/ r,
+ @{run}/systemd/ask-password/{,*} rw,
+ @{run}/utmp rk,
 @{PROC}/@{pids}/stat r,
- @{PROC}/sys/kernel/osrelease r,
- @{PROC}/cmdline r,
- @{PROC}/1/environ r,
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 67bd011a..99905509 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -38,18 +38,22 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/cat rix,
 /{usr/,}bin/chgrp rix,
 /{usr/,}bin/chmod rix,
+ /{usr/,}bin/cut rix,
 /{usr/,}bin/ln rix,
 /{usr/,}bin/logger rix,
+ /{usr/,}bin/mknod rPx,
 /{usr/,}bin/nohup rix,
 /{usr/,}bin/perl rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/setfacl rix,
- /{usr/,}bin/unshare rix,
 /{usr/,}bin/snap rPx,
+ /{usr/,}bin/unshare rix,
- /{usr/,}{s,}bin/* rPUx,
+ /{usr/,}{s,}bin/* rpux,
+ audit /{usr/,}{s,}bin/lvm rux,
 /{usr/,}lib/pm-utils/power.d/* rPUx,
 /{usr/,}lib/snapd/snap-device-helper rPx,
@@ -82,7 +86,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
 /etc/systemd/network/[0-9][0-9]-*.link r,
 @{run}/udev/ rw,
- @{run}/udev/** rw,
+ @{run}/udev/** rwk,
 @{run}/systemd/network/ r,
 @{run}/systemd/notify rw,
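Review bot: Rewriting `/{usr/,}{s,}bin/* rPUx,` as `rpux` and adding `audit /{usr/,}{s,}bin/lvm rux,` switches both rules to the lowercase exec modes, which pass the child the unscrubbed environment instead of the setuid-style scrub (LD_PRELOAD and friends) that `P`/`U` apply; for a root daemon whose helpers are launched from device-event rules, the scrubbing is the main protection against an injected environment reaching an unconfined child, and nothing in the hunk shows which helper needed it removed. The lvm line additionally runs that binary unconfined with inherited environment, so it should at least carry a comment recording the reason, e.g. `# lvm runs unconfined: <reason observed>`; if the aim is only visibility of those execs, `audit /{usr/,}{s,}bin/lvm rPUx,` keeps the log entries without the relaxation. The enclosing profile block starts and ends outside the hunk.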
@@ -90,12 +94,13 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
 @{sys}/** rw,
- owner @{PROC}/@{pid}/loginuid r,
- owner @{PROC}/@{pid}/oom_score_adj rw,
- owner @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pids}/cgroup r,
 @{PROC}/devices r,
 @{PROC}/driver/nvidia/gpus/ r,
+ @{PROC}/driver/nvidia/gpus/*/information r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/loginuid r,
+ owner @{PROC}/@{pid}/oom_score_adj rw,
 /dev/ rw,
 /dev/** rwk,
diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns
index 90d9edd3..61c56784 100644
--- a/apparmor.d/profiles-s-z/snap-update-ns
+++ b/apparmor.d/profiles-s-z/snap-update-ns
@@ -23,6 +23,7 @@ profile snap-update-ns @{exec_path} {
 /var/lib/snapd/mount/{,*} r,
+ /snap/{,**} rw,
 /tmp/.snap/{,**} rwk,
 @{run}/snapd/lock/*.lock rwk,
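Review bot: `/snap/{,**} rw,` grants write over the entire snap tree, every mounted snap's content as well as the mount-point directories, while the neighbouring rules are deliberately narrow (`/var/lib/snapd/mount/{,*} r,`, `/tmp/.snap/{,**} rwk,`). If the helper only needs to create or adjust mount points, a directory-only rule, `/snap/{,**/} rw,`, or the specific paths it touches would be preferable, together with a comment stating what the write access is for. The hunk may continue past the end of the page and the enclosing profile block does.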