Profile update.

2024-11-15 16:03:51 +01:00 · 2022-03-02 18:22:57 +00:00 · 2022-03-02 18:22:57 +00:00 · 60cb62334b
commit 60cb62334b
parent 683da55bb9
12 changed files with 28 additions and 25 deletions
--- a/apparmor.d/groups/browsers/chromium-chromium
+++ b/apparmor.d/groups/browsers/chromium-chromium
@ -43,9 +43,10 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/uid_map w,
  ptrace (trace) peer=@{profile_name},
-  ptrace (read) peer=xdg-settings,
+  ptrace (read) peer=browserpass,
  ptrace (read) peer=keepassxc-proxy,
  ptrace (read) peer=lsb_release,
  ptrace (read) peer=xdg-settings,
  signal (send) set=(term, kill) peer=keepassxc-proxy,
  signal (receive) peer=chromium-chrome-crashpad-handler,
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -31,7 +31,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/glvnd/egl_vendor.d/{,*.json} r,
  /usr/share/gnome-shell/{,**} r,
  /usr/share/themes/*/gtk-3.0/{,**} r,
  /usr/share/X11/xkb/** r,
  /var/lib/gdm/.config/dconf/user r,
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -111,6 +111,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
        @{PROC}/zoneinfo r,
  /dev/ r,
  /dev/media[0-9]* r,
  /dev/video[0-9]* rw,
  include if exists <local/gnome-control-center>
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@ -20,9 +20,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  /etc/machine-id r,
  /var/lib/dbus/machine-id r,
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/icons/{,**} r,
@ -30,6 +27,9 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
  /usr/share/sounds/freedesktop/stereo/*.oga r,
  /usr/share/X11/xkb/** r,
  /etc/machine-id r,
  /var/lib/dbus/machine-id r,
  owner @{user_config_dirs}/pulse/ rw,
  owner @{user_share_dirs}/ r,
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -13,6 +13,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  include <abstractions/gnome>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/trash>
  @{exec_path} mr,
  /{usr/,}bin/{,ba,da}sh rix,
@ -27,11 +28,11 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  # Full access to user's data
  / r,
  owner @{HOME}/{,**} rw,
-  owner @{MOUNTS}/{,**} r,
+  owner @{MOUNTS}/{,**} rw,
  owner @{run}/user/@{uid}/{,**} rw,
  owner /tmp/{,**} rw,
-  # Silencer for non user's data
+  # Silence non user's data
  deny owner @{HOME}/@{XDG_VM_DIR}/{,**} rw,
  deny /boot rw,
  deny /opt rw,
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@ -80,6 +80,8 @@ profile git @{exec_path} {
  owner @{HOME}/@{XDG_PROJECTS_DIR}/   rw,
  owner @{HOME}/@{XDG_PROJECTS_DIR}/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**,
  owner @{user_cache_dirs}/**/.SRCINFO r,
  owner @{user_cache_dirs}/**/.git/** r,
  owner /tmp/**        rwkl -> /tmp/**,
  owner /tmp/**/bin/*  rCx -> exec,
@ -96,6 +98,7 @@ profile git @{exec_path} {
  owner /tmp/.git_vtag_tmp* rw,              # For git log --show-signature
  owner /tmp/git-commit-msg-.txt rw,         # For android studio
  deny @{user_share_dirs}/gvfs-metadata/* r,
  profile gpg {
    include <abstractions/base>
--- a/apparmor.d/profiles-g-l/kmod
+++ b/apparmor.d/profiles-g-l/kmod
@ -42,9 +42,9 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
  /{usr/,}lib/modules/*/modules.* rw,
-  /var/lib/dkms/**/module/*.ko r,
+  /tmp/**/*.ko{,.zst} r,
  /usr/src/*/*.ko r,
-
+  /var/lib/dkms/**/module/*.ko r,
  /var/tmp/dracut.*/{,**} rw,
  @{sys}/module/{,**} r,
--- a/apparmor.d/profiles-m-r/pipewire-media-session
+++ b/apparmor.d/profiles-m-r/pipewire-media-session
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2015-2020 Mikhail Morfikov
+# Copyright (C) 2015-2022 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/pipewire-media-session
 profile pipewire-media-session @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio>
  include <abstractions/devices-usb>
  include <abstractions/nameservice-strict>
@ -21,25 +22,19 @@ profile pipewire-media-session @{exec_path} {
  @{exec_path} mr,
  /usr/share/alsa-card-profile/{,**} r,
  /usr/share/alsa/{,**} r,
  /usr/share/pipewire/*.conf r,
  /usr/share/pipewire/media-session.d/{,**} r,
  /usr/share/spa-*/bluez[0-9]*/{,*} r,
  /etc/alsa/{,**} r,
  /etc/pipewire/*.conf r,
  /etc/pipewire/media-session.d/*.conf r,
  /etc/pulse/{,**} r,
  owner @{HOME}/.local/state/ rw,
  owner @{HOME}/.local/state/pipewire/{,**} rw,
  owner @{user_config_dirs}/pipewire/ rw,
  owner @{user_config_dirs}/pipewire/** rw,
  owner @{user_config_dirs}/pulse/ rw,
  owner @{user_config_dirs}/pulse/cookie rwk,
  owner @{run}/user/@{uid}/pulse/ rw,
  @{run}/shm/ r,
  @{run}/udev/data/+sound:card[0-9]* r, # For sound
  @{run}/udev/data/c116:[0-9]* r,       # for ALSA
@ -54,10 +49,6 @@ profile pipewire-media-session @{exec_path} {
  @{run}/systemd/users/@{uid} r,
  /dev/shm/ r,
  /dev/snd/controlC[0-9]* rw,
  /dev/snd/pcmC[0-9]*D[0-9]*p rw,
  /dev/snd/pcmC[0-9]*D[0-9]*c rw,
  /dev/video[0-9]* rw,
  include if exists <local/pipewire-media-session>
--- a/apparmor.d/profiles-s-z/usbguard-applet-qt
+++ b/apparmor.d/profiles-s-z/usbguard-applet-qt
@ -34,7 +34,6 @@ profile usbguard-applet-qt @{exec_path} {
  owner @{run}/user/@{uid}/sni-qt_usbguard-applet-qt_[0-9]*-[a-zA-Z0-9]*/{,**} rw,
  owner @{PROC}/@{pid}/cmdline r,
        @{PROC}/sys/kernel/random/boot_id r,
        @{PROC}/sys/kernel/core_pattern r,
  /usr/share/hwdata/pnp.ids r,
--- a/apparmor.d/profiles-s-z/xdg-desktop-portal
+++ b/apparmor.d/profiles-s-z/xdg-desktop-portal
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}lib/xdg-desktop-portal
-profile xdg-desktop-portal @{exec_path} {
+profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/freedesktop.org>
@ -22,6 +22,9 @@ profile xdg-desktop-portal @{exec_path} {
  /{usr/,}lib/x r,
  / r,
  /.flatpak-info r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/pipewire/client.conf r,
  /usr/share/xdg-desktop-portal/portals/{,*.portal} r,
--- a/apparmor.d/profiles-s-z/xdg-desktop-portal-gnome
+++ b/apparmor.d/profiles-s-z/xdg-desktop-portal-gnome
@ -17,7 +17,6 @@ profile xdg-desktop-portal-gnome @{exec_path} {
  @{exec_path} mr,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/themes/{,**} r,
  /usr/share/X11/xkb/{,**} r,
  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
--- a/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk
+++ b/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk
@ -15,20 +15,26 @@ profile xdg-desktop-portal-gtk @{exec_path} {
  include <abstractions/gtk>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/user-download>
  include <abstractions/user-write>
  @{exec_path} mr,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/themes/{,**} r,
  /usr/share/X11/xkb/{,**} r,
  / r,
  owner @{HOME}/ r,
  owner @{HOME}/.* r,
  owner @{HOME}/@{XDG_DATA_HOME}/ r,
  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
  include <abstractions/dconf>
  owner @{run}/user/@{uid}/dconf/user rw,
  @{run}/mount/utab r,
  owner @{PROC}/@{uid}/mountinfo r,
  include if exists <local/xdg-desktop-portal-gtk>
 }