From 60e4a01a7603d37287f8d1248510ae6c558f768d Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 29 Nov 2023 17:50:26 +0000
Subject: [PATCH] feat(abs): add some files into the base abstaction.
---
 apparmor.d/abstractions/base.d/complete | 12 +++++++-----
 apparmor.d/abstractions/chromium | 1 -
 apparmor.d/groups/_full/default | 1 -
 .../groups/freedesktop/xdg-desktop-portal-gnome | 2 --
 apparmor.d/groups/gnome/evolution-calendar-factory | 2 --
 apparmor.d/groups/gnome/evolution-source-registry | 2 --
 apparmor.d/groups/gnome/gnome-shell | 1 -
 apparmor.d/groups/gnome/gnome-software | 1 -
 apparmor.d/groups/gnome/goa-daemon | 2 --
 apparmor.d/groups/gnome/gsd-print-notifications | 1 -
 apparmor.d/groups/gnome/mutter-x11-frames | 2 --
 apparmor.d/groups/gvfs/gvfsd-http | 2 --
 apparmor.d/groups/kde/plasma-discover | 1 -
 apparmor.d/groups/network/NetworkManager | 1 -
 apparmor.d/groups/virt/libvirtd | 1 -
 apparmor.d/profiles-a-f/fwupd | 1 -
 apparmor.d/profiles-m-r/passimd | 1 -
 apparmor.d/profiles-s-z/spotify | 1 -
 apparmor.d/profiles-s-z/wireplumber | 1 -
 19 files changed, 7 insertions(+), 29 deletions(-)
diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete
index 11cd008c..48831dbe 100644
--- a/apparmor.d/abstractions/base.d/complete
+++ b/apparmor.d/abstractions/base.d/complete
@@ -1,12 +1,8 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2022 Mikhail Morfikov
-# Copyright (C) 2021-2022 Alexandre Pujol
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- /usr/share/locale/ r,
-
- @{etc_rw}/localtime r,
-
 # Allow to receive some signals
 signal (receive) peer=htop,
 signal (receive) peer=sudo,
@@ -21,4 +17,10 @@
 ptrace (readby) peer=systemd-coredump,
+ /usr/share/locale/ r,
+
+ @{etc_rw}/localtime r,
+ /etc/gnutls/config r,
+ /etc/locale.conf r,
+ @{sys}/devices/system/cpu/possible r,
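Review bot: The six rules appended in the second hunk of base.d/complete carry no explanatory comment, whereas every other group in this file is introduced by one (`# Allow to receive some signals`, the ptrace group); add `# Common read-only system files needed by most confined programs` above `/usr/share/locale/ r,` so the next maintainer knows why a TLS policy file and a sysfs CPU node belong in the base abstraction. The matching deletions of `/etc/gnutls/config r,` in the other 18 hunks only preserve behaviour for profiles that pull in `<abstractions/base>`; the `chromium` abstraction in particular has no include of its own in this diff, so it relies on each consuming profile doing that, which is not visible here and should be confirmed. All three new paths are granted `r` only, so the widening of the base abstraction adds no write or execute access. Blank context lines of this hunk were lost in the collapsed rendering, so the header's line counts no longer match the visible lines.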
diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium
index 3c23ca7f..15e89c89 100644
--- a/apparmor.d/abstractions/chromium
+++ b/apparmor.d/abstractions/chromium
@@ -104,7 +104,6 @@
 /etc/@{name}/{,**} r,
 /etc/fstab r,
- /etc/gnutls/config r,
 /etc/igfx_user_feature{,_next}.txt w,
 /etc/libva.conf r,
 /etc/opensc.conf r,
diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default
index 027dc15f..7ccb4dc6 100644
--- a/apparmor.d/groups/_full/default
+++ b/apparmor.d/groups/_full/default
@@ -69,7 +69,6 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 /usr/share/** r,
 /etc/xdg/** r,
- /etc/gnutls/config r,
 # Full access to user's data
 / r,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index 606852d2..00921e7a 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@@ -134,8 +134,6 @@ profile xdg-desktop-portal-gnome @{exec_path} {
 /usr/share/X11/xkb/{,**} r,
- /etc/gnutls/config r,
-
 /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
 /var/lib/snapd/desktop/icons/{,**} r,
diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory
index ee8e67d3..b9a9e66d 100644
--- a/apparmor.d/groups/gnome/evolution-calendar-factory
+++ b/apparmor.d/groups/gnome/evolution-calendar-factory
@@ -47,8 +47,6 @@ profile evolution-calendar-factory @{exec_path} {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
- /etc/gnutls/config r,
-
 owner @{user_cache_dirs}/evolution/calendar/{,**} rwk,
 owner @{user_cache_dirs}/evolution/tasks/{,**} rwk,
diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry
index b8e32743..6c8e769f 100644
--- a/apparmor.d/groups/gnome/evolution-source-registry
+++ b/apparmor.d/groups/gnome/evolution-source-registry
@@ -50,8 +50,6 @@ profile evolution-source-registry @{exec_path} {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
- /etc/gnutls/config r,
-
 owner @{user_cache_dirs}/evolution/{,**} rwk,
 owner @{user_config_dirs}/evolution/sources/{,*} rw,
 owner @{user_share_dirs}/evolution/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index a44a0bc6..b4185765 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -500,7 +500,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 /.flatpak-info r,
 /etc/fstab r,
- /etc/gnutls/config r,
 /etc/pipewire/client.conf.d/{,**} r,
 /etc/timezone r,
 /etc/udev/hwdb.bin r,
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index 57237123..522bf36c 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -53,7 +53,6 @@ profile gnome-software @{exec_path} {
 /etc/appstream.conf r,
 /etc/flatpak/remotes.d/{,**} r,
- /etc/gnutls/config r,
 /etc/PackageKit/Vendor.conf r,
 /etc/pulse/client.conf r,
diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon
index 8373ff25..83507c1e 100644
--- a/apparmor.d/groups/gnome/goa-daemon
+++ b/apparmor.d/groups/gnome/goa-daemon
@@ -65,8 +65,6 @@ profile goa-daemon @{exec_path} {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
- /etc/gnutls/config r,
-
 /var/lib/gdm{3,}/.config/dconf/user r,
 owner @{user_config_dirs}/goa-1.0/ rw,
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications
index 0a020ab1..be2c2798 100644
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@@ -80,7 +80,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
 @{lib}/gsd-printer rPx,
 /etc/cups/client.conf r,
- /etc/gnutls/config r,
 /etc/machine-id r,
 @{run}/cups/cups.sock rw,
diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames
index 83ccf409..7c170612 100644
--- a/apparmor.d/groups/gnome/mutter-x11-frames
+++ b/apparmor.d/groups/gnome/mutter-x11-frames
@@ -27,8 +27,6 @@ profile mutter-x11-frames @{exec_path} {
 /usr/share/dconf/profile/gdm r,
 /usr/share/gdm/greeter-dconf-defaults r,
- /etc/gnutls/config r,
-
 /var/lib/gdm{3,}/.config/dconf/user r,
 /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http
index 9d5e0841..abb98c80 100644
--- a/apparmor.d/groups/gvfs/gvfsd-http
+++ b/apparmor.d/groups/gvfs/gvfsd-http
@@ -24,8 +24,6 @@ profile gvfsd-http @{exec_path} {
 @{exec_path} mr,
- /etc/gnutls/config r,
-
 owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
 @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover
index 032f21b2..b9a49e74 100644
--- a/apparmor.d/groups/kde/plasma-discover
+++ b/apparmor.d/groups/kde/plasma-discover
@@ -48,7 +48,6 @@ profile plasma-discover @{exec_path} {
 /etc/appstream.conf r,
 /etc/flatpak/remotes.d/{,**} r,
- /etc/gnutls/config r,
 /etc/machine-id r,
 /etc/xdg/ r,
 /etc/xdg/accept-languages.codes r,
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index fc1542c3..604f451a 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -118,7 +118,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 / r,
 /etc/ r,
- /etc/gnutls/config r,
 /etc/iproute2/* r,
 /etc/machine-id r,
 /etc/network/interfaces r,
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index 4a72812c..1b5564c0 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@@ -137,7 +137,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} r,
 @{etc_rw}/libvirt/{,**} rw,
- /etc/gnutls/config r,
 /etc/mdevctl.d/{,**} r,
 /etc/sasl2/qemu.conf r,
 /etc/xml/catalog r,
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index 3e711268..fad36516 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -87,7 +87,6 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 /usr/share/mime/mime.cache r,
 /etc/fwupd/{,**} rw,
- /etc/gnutls/config r,
 /etc/lsb-release r,
 /etc/pki/fwupd-metadata/{,**} r,
 /etc/pki/fwupd/{,**} r,
diff --git a/apparmor.d/profiles-m-r/passimd b/apparmor.d/profiles-m-r/passimd
index 895e0433..e725ecfe 100644
--- a/apparmor.d/profiles-m-r/passimd
+++ b/apparmor.d/profiles-m-r/passimd
@@ -24,7 +24,6 @@ profile passimd @{exec_path} flags=(attach_disconnected) {
 /usr/share/dbus-1/interfaces/org.freedesktop.Passim.xml r,
- /etc/gnutls/config r,
 /etc/passim.conf r,
 /var/lib/passim/{,**} r,
diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify
index 0d7f883c..c6fb08ef 100644
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@@ -42,7 +42,6 @@ profile spotify @{exec_path} {
 @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
 @{lib}/gio-launch-desktop rPx -> child-open,
- /etc/gnutls/config r,
 /etc/libva.conf r,
 /etc/machine-id r,
 /etc/spotify-adblock/* r,
diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber
index f4d3304f..a92aa2ed 100644
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@@ -37,7 +37,6 @@ profile wireplumber @{exec_path} {
 /usr/share/spa-*/bluez[0-9]*/{,*} r,
 /usr/share/wireplumber/{,**} r,
- /etc/gnutls/config r,
 /etc/machine-id r,
 /var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,