From 6294159d7a0846176440619ba210f52e2d5cb43c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 8 Feb 2022 19:49:31 +0000 Subject: [PATCH] Update profile from #25. --- apparmor.d/abstractions/disks-write | 7 +++++++ apparmor.d/groups/bus/dbus-daemon | 6 +++++- apparmor.d/groups/desktop/accounts-daemon | 3 ++- apparmor.d/groups/desktop/dconf-service | 1 + apparmor.d/groups/gnome/gdm | 1 + apparmor.d/groups/gnome/gdm-session-worker | 11 ++++++----- apparmor.d/groups/gnome/gdm-x-session | 5 +++++ apparmor.d/groups/gnome/gnome-session-binary | 7 +++++++ apparmor.d/groups/gnome/gnome-shell | 11 +++++++---- apparmor.d/groups/gnome/gsd-housekeeping | 1 + apparmor.d/groups/gnome/gsd-keyboard | 2 ++ apparmor.d/groups/gnome/gsd-media-keys | 2 ++ apparmor.d/groups/gnome/gsd-sound | 2 ++ apparmor.d/groups/gnome/gsd-xsettings | 1 + apparmor.d/groups/pacman/mkinitcpio | 4 ++++ apparmor.d/groups/pacman/pacman | 2 ++ apparmor.d/groups/pacman/pacman-hook-fontconfig | 2 ++ apparmor.d/groups/systemd/child-systemctl | 2 ++ apparmor.d/groups/systemd/journalctl | 5 +++-- apparmor.d/groups/systemd/systemd-hostnamed | 3 ++- apparmor.d/groups/systemd/systemd-logind | 7 ++++--- apparmor.d/groups/systemd/zram-generator | 2 ++ apparmor.d/profiles-a-f/auditd | 2 ++ apparmor.d/profiles-a-f/firecfg | 3 +++ apparmor.d/profiles-m-r/mkfs-btrfs | 2 ++ apparmor.d/profiles-s-z/sudo | 7 ++++--- apparmor.d/profiles-s-z/wireplumber | 1 + dists/ignore/main.ignore | 1 + 28 files changed, 83 insertions(+), 20 deletions(-) diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index 2b79e2bd..ec836de5 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -43,6 +44,11 @@ @{sys}/devices/virtual/block/zram[0-9]*/ r, @{sys}/devices/virtual/block/zram[0-9]*/** r, + # Floppy disks + /dev/fd[0-9]* rwk, + @{sys}/devices/platform/floppy.[0-9]*/block/fd[0-9]/ r, + @{sys}/devices/platform/floppy.[0-9]*/block/fd[0-9]/** r, + # CD-ROM /dev/sr[0-9]* rwk, @@ -78,6 +84,7 @@ @{run}/udev/data/b11:[0-9]* r, # for /dev/sr* @{run}/udev/data/b8:[0-9]* r, # for /dev/sd* @{run}/udev/data/b7:[0-9]* r, # for /dev/loop* + @{run}/udev/data/b2:[0-9]* r, # for /dev/fd* @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index 05f5d24e..a2582c01 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -17,9 +17,11 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { capability setuid, capability sys_resource, - signal (receive) set=(term hup kill) peer=gdm*, signal (receive) set=(term hup kill) peer=at-spi-bus-launcher, + signal (receive) set=(term hup kill) peer=dbus-run-session, + signal (receive) set=(term hup kill) peer=gdm*, signal (send) set=(term hup kill) peer=at-spi-bus-launcher, + signal (send) set=(term hup kill) peer=dconf-service, signal (send) set=(term hup kill) peer=xdg-permission-store, network netlink raw, @@ -38,6 +40,8 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper rPx, /etc/dbus-1/{,**} r, + /etc/machine-id r, + /usr/share/dbus-1/{,**} r, /usr/share/defaults/**.conf r, diff --git a/apparmor.d/groups/desktop/accounts-daemon b/apparmor.d/groups/desktop/accounts-daemon index a326a5bf..2d633ff0 100644 --- a/apparmor.d/groups/desktop/accounts-daemon +++ b/apparmor.d/groups/desktop/accounts-daemon 
@@ -30,8 +30,9 @@ profile accounts-daemon @{exec_path} { /usr/share/dbus-1/interfaces/org.freedesktop.DisplayManager.AccountsService.xml r, /etc/gdm/custom.conf r, - /etc/shells r, + /etc/machine-id r, /etc/shadow r, + /etc/shells r, @{PROC}/sys/kernel/osrelease r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/desktop/dconf-service b/apparmor.d/groups/desktop/dconf-service index 5569b918..4782267f 100644 --- a/apparmor.d/groups/desktop/dconf-service +++ b/apparmor.d/groups/desktop/dconf-service @@ -13,6 +13,7 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) { # Needed? deny capability sys_nice, + signal (receive) set=(term kill hup) peer=dbus-daemon, signal (receive) set=(term hup) peer=gdm*, @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index aa5734d8..a5a4f1a7 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -47,6 +47,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/tty/tty[0-9]*/active r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/cgroup r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index b57a4a7f..c3001161 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -32,7 +32,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { signal (send) set=hup peer=gsd-*, signal (send) set=hup peer=ibus-*, signal (send) set=hup peer=xwayland, - signal (send) set=term peer=gdm-wayland-session, + signal (send) set=term peer=gdm-*-session, network netlink raw, 
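Review bot: The widened rule `signal (send) set=term peer=gdm-*-session,` also matches any future or third-party profile whose name happens to fit `gdm-*-session`, not just the two session launchers gdm-session-worker actually starts (`gdm-x-session` via `rPx` is visible in the next hunk, `gdm-wayland-session` was the previous peer). Since the two intended peers are known, the alternation `signal (send) set=term peer=gdm-{x,wayland}-session,` grants the same needed permission without the open-ended glob, assuming the project is fine with aare alternation in peer labels. If the wildcard is deliberate, a one-line comment naming the two peers it is meant to cover would help the next reader.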
@@ -43,13 +43,14 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/gdm-x-session rPx, /etc/gdm/{Pre,Post}Session/Default rix, - /etc/motd r, - /etc/motd.d/ r, - /etc/shells r, - /etc/locale.conf r, /etc/environment r, /etc/gdm/custom.conf r, + /etc/locale.conf r, + /etc/machine-id r, + /etc/motd r, + /etc/motd.d/ r, /etc/security/limits.d/{,*.conf} r, + /etc/shells r, /usr/share/gdm/gdm.schemas r, /usr/share/wayland-sessions/*.desktop r, diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session index 5ade8675..fed5f788 100644 --- a/apparmor.d/groups/gnome/gdm-x-session +++ b/apparmor.d/groups/gnome/gdm-x-session @@ -10,6 +10,9 @@ include profile gdm-x-session @{exec_path} flags=(attach_disconnected) { include + signal (receive) set=term peer=gdm*, + signal (send) set=term peer=unconfined, + @{exec_path} mr, /{usr/,}bin/Xorg rUx, @@ -18,7 +21,9 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) { /etc/gdm/custom.conf r, /usr/share/gdm/gdm.schemas r, + /var/lib/gdm/.cache/gdm/Xauthority rw, + /var/lib/gdm/.cache/gdm/ rw, owner @{run}/user/@{uid}/gdm/ w, owner @{run}/user/@{uid}/gdm/Xauthority rw, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 749c5361..2d5e59e4 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -21,6 +21,10 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/{,z,ba,da}sh rix, /{usr/,}bin/env rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/gsettings rix, /{usr/,}bin/xdg-user-dirs-gtk-update rix, /{usr/,}lib/gnome-session-check-accelerated rix, /{usr/,}lib/gnome-session-check-accelerated-gl-helper rix, 
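Review bot: `signal (send) set=term peer=unconfined,` lets gdm-x-session SIGTERM any unconfined process the DAC rules allow, which is a broad grant for a profile that otherwise only talks to gdm and Xorg; the reason it is needed is that Xorg is launched with `/{usr/,}bin/Xorg rUx` two lines below, so the X server it has to stop runs unconfined. That link is not obvious from the rule alone, so I would document it in place: `# Xorg is started unconfined (rUx below); term is needed to stop it on logout`. If Xorg later gets its own profile, this should become `peer=xorg` (or whatever that profile is named) rather than staying at `unconfined`.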
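Review bot: The new `/var/lib/gdm/.cache/gdm/Xauthority rw,` has no `owner` qualifier, while the equivalent runtime rules two lines down (`owner @{run}/user/@{uid}/gdm/Xauthority rw,`) do. The Xauthority file holds the X authentication cookie, so the same `owner` restriction is worth applying for consistency and to keep the profile from writing a cookie file it does not own: `owner /var/lib/gdm/.cache/gdm/ rw,` and `owner /var/lib/gdm/.cache/gdm/Xauthority rw,`. If gdm-x-session runs as the gdm user when it touches this path (which the `/var/lib/gdm` home suggests but the hunk cannot confirm), `owner` will still match and nothing functional changes.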
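Review bot: The three new `rix` entries are inserted out of the alphabetical order the rest of this list (and the reorders elsewhere in this patch) maintain: `grep`, `mkdir`, `touch` now sit before `gsettings`. Keeping the list sorted matters for these profiles because duplicates and stray grants are spotted by eye; `mkdir` and `touch` should move below `gsettings`, giving `… /{usr/,}bin/grep rix, /{usr/,}bin/gsettings rix, /{usr/,}bin/mkdir rix, /{usr/,}bin/touch rix, /{usr/,}bin/xdg-user-dirs-gtk-update rix, …`. Style only; the permissions themselves are fine since `ix` keeps the helpers inside this profile.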
@@ -42,14 +46,17 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /usr/share/applications/org.gnome.Shell.desktop r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/glvnd/egl_vendor.d/ r, /usr/share/gnome-session/hardware-compatibility r, /usr/share/gnome-session/sessions/*.session r, /usr/share/icons/{,**} r, /usr/share/X11/xkb/{,**} r, + /var/lib/gdm/.cache/mesa_shader_cache/index rw, /var/lib/gdm/.config/gnome-session/ rw, /var/lib/gdm/.config/gnome-session/saved-session/ rw, + owner @{user_config_dirs}/gnome-session/ rw, owner @{user_config_dirs}/gnome-session/saved-session/ r, owner @{user_config_dirs}/gtk-3.0/bookmarks rw, owner @{user_config_dirs}/gtk-3.0/bookmarks.[0-9A-Z]* rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 046e1d24..94c1e98a 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
@@ -63,21 +63,24 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, + /var/lib/gdm/.config/ibus/ rw, + /var/lib/gdm/.config/ibus/bus/ rw, + /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r, /var/lib/gdm/.config/pulse/ r, /var/lib/gdm/.config/pulse/client.conf r, /var/lib/gdm/.config/pulse/cookie rw, - /var/lib/gdm/.local/share/gnome-shell/ rw, /var/lib/gdm/.local/share/applications/{,**} r, + /var/lib/gdm/.local/share/gnome-shell/ rw, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, owner @{HOME}/@{XDG_MUSIC_DIR}/**/*.jpg r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_config_dirs}/.goutputstream{,*} rw, - owner @{user_config_dirs}/ibus/* r, - owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, + owner @{user_config_dirs}/ibus/ rw, + owner @{user_config_dirs}/ibus/bus/ rw, + owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r, owner @{user_config_dirs}/monitors.xml{,~} rwl, - /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, owner @{user_share_dirs}/backgrounds/{,**} rw, owner @{user_share_dirs}/gnome-shell/{,**} rw, diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index b6170ff7..aecb4ea7 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -23,6 +23,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{user_cache_dirs}/thumbnails/{,**} rw, + owner @{user_share_dirs}/applications/ rw, include owner @{run}/user/@{uid}/dconf/ rw, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 7ec0fd7c..682d6e13 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard 
@@ -22,6 +22,8 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { /usr/share/icons/{,**} r, /usr/share/X11/xkb/** r, + owner @{user_share_dirs}/gnome-settings-daemon/ rw, + owner @{run}/user/@{uid}/gdm/Xauthority r, include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 7ab7faaa..6bb57fc0 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -30,6 +30,8 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { /usr/share/sounds/freedesktop/stereo/*.oga r, /usr/share/X11/xkb/** r, + owner @{user_config_dirs}/pulse/ rw, + owner @{user_share_dirs}/ r, owner @{user_share_dirs}/event-sound-cache.tdb.* rwk, owner @{user_share_dirs}/recently-used.xbel{,.*} rw, diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index c51a8cf6..b02881df 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -19,6 +19,8 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { /var/lib/gdm/.local/share/sounds/ rw, + owner @{user_share_dirs}/sounds/ rw, + include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index efdd7066..8c20df1a 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -29,6 +29,7 @@ profile gsd-xsettings @{exec_path} { /{usr/,}bin/xrdb rPx, /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/gdm/greeter-dconf-defaults r, /etc/xdg/Xwayland-session.d/ r, /etc/xdg/Xwayland-session.d/* rix, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 6ba09354..b9808c3d 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio 
@@ -36,6 +36,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/ldconfig rix, /{usr/,}bin/ldd rix, /{usr/,}bin/ln rix, + /{usr/,}bin/loadkeys rix, /{usr/,}bin/mktemp rix, /{usr/,}bin/readlink rix, /{usr/,}bin/rm rix, @@ -59,10 +60,13 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/fstab r, /etc/lvm/lvm.conf r, + /etc/vconsole.conf r, + /etc/locale.conf r, /etc/mkinitcpio.conf r, /etc/mkinitcpio.d/{,**} r, /etc/modprobe.d/{,*} r, + /usr/share/kbd/keymaps/{,**} r, /usr/share/terminfo/x/xterm-256color r, # Can copy any program to the initframs diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 698f7e20..420d79f1 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -52,6 +52,7 @@ profile pacman @{exec_path} { /{usr/,}bin/dot rix, /{usr/,}bin/env rix, /{usr/,}bin/filecap rix, + /{usr/,}bin/find rix, /{usr/,}bin/getent rix, /{usr/,}bin/gettext rix, /{usr/,}bin/ghc-pkg-* rix, @@ -64,6 +65,7 @@ profile pacman @{exec_path} { /{usr/,}bin/arch-audit rPx, /{usr/,}bin/archlinux-java rPx, /{usr/,}bin/bootctl rPx, + /{usr/,}bin/dconf rPx, /{usr/,}bin/fc-cache rPx, /{usr/,}bin/gdk-pixbuf-query-loaders rPx, /{usr/,}bin/glib-compile-schemas rPx, diff --git a/apparmor.d/groups/pacman/pacman-hook-fontconfig b/apparmor.d/groups/pacman/pacman-hook-fontconfig index 959714c2..38166f03 100644 --- a/apparmor.d/groups/pacman/pacman-hook-fontconfig +++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig @@ -21,6 +21,8 @@ profile pacman-hook-fontconfig @{exec_path} { /etc/fonts/conf.d/* rwl, /usr/share/fontconfig/conf.default/* r, + /dev/tty rw, + # Inherit Silencer deny network inet6 stream, deny network inet stream, diff --git a/apparmor.d/groups/systemd/child-systemctl b/apparmor.d/groups/systemd/child-systemctl index ad243183..53696bf7 100644 --- a/apparmor.d/groups/systemd/child-systemctl +++ b/apparmor.d/groups/systemd/child-systemctl 
@@ -28,6 +28,8 @@ profile child-systemctl flags=(attach_disconnected) { /{usr/,}bin/systemctl mr, + /etc/systemd/user/{,**} rwl, + owner @{PROC}/@{pid}/stat r, @{PROC}/sys/kernel/osrelease r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index 0a65609e..29d18806 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -14,9 +14,10 @@ profile journalctl @{exec_path} { include include - capability sys_resource, - capability dac_read_search, capability dac_override, + capability dac_read_search, + capability net_admin, + capability sys_resource, signal (send) peer=child-pager, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 922eb3de..12d99659 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -28,8 +28,9 @@ profile systemd-hostnamed @{exec_path} { @{run}/udev/data/+dmi:id r, @{sys}/firmware/dmi/entries/*/raw r, - /etc/hostname rw, /etc/.#hostname* rw, + /etc/hostname rw, + /etc/machine-info r, @{run}/udev/data/+dmi:id r, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index d75f9a9b..014bff0f 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -22,10 +22,11 @@ profile systemd-logind @{exec_path} flags=(complain) { @{exec_path} mr, - /etc/systemd/sleep.conf r, - /etc/systemd/logind.conf r, - /etc/passwd r, + /etc/machine-id r, /etc/nsswitch.conf r, + /etc/passwd r, + /etc/systemd/logind.conf r, + /etc/systemd/sleep.conf r, /boot/{,**} r, diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index 1336fcca..ea8cba12 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator 
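Review bot: `/etc/systemd/user/{,**} rwl,` grants write and link access to the system-wide user unit directory, and it is placed in `child-systemctl`, which by its name looks like the shared child profile every confined program reaches when it runs `systemctl` (the enclosing profile header is visible but its callers are not, so this is inferred). Any such program could then create or replace `.service` units that start in every user's session, which is a privilege escalation path far wider than the one caller (presumably a package hook doing `systemctl --global enable`) that needs it. I would keep the child profile read-only here, `/etc/systemd/user/{,**} r,`, and give the write access to the specific caller's own profile or a dedicated child, or at minimum add a comment naming the caller that requires `rwl` so the grant can be revisited.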
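Review bot: `capability net_admin,` is a broad grant for journalctl (it covers interface and routing configuration, not just socket tuning) and nothing in the hunk records why it is needed. systemd's socket helpers commonly try `SO_SNDBUFFORCE`/`SO_RCVBUFFORCE`, which need CAP_NET_ADMIN, and fall back silently when it is refused, so if this rule was added only to quiet an audit entry a `deny capability net_admin,` would remove the noise without granting anything; I cannot confirm from here which case applies. Either way a one-line comment such as `# for SO_SNDBUFFORCE on the journal socket` (or whatever the actual trigger was) should accompany the rule.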
@@ -16,6 +16,8 @@ profile zram-generator @{exec_path} { /{usr/,}lib/systemd/systemd-makefs rPx, /{usr/,}bin/systemd-detect-virt rPx, + /etc/systemd/zram-generator.conf r, + @{sys}/devices/virtual/block/zram[0-9]*/{disksize,reset} rw, @{sys}/block/zram[0-9]*/{disksize,reset} rw, diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd index 88ed3313..687174d9 100644 --- a/apparmor.d/profiles-a-f/auditd +++ b/apparmor.d/profiles-a-f/auditd @@ -25,6 +25,8 @@ profile auditd @{exec_path} { /var/log/audit/{,**} rw, + /etc/machine-id r, + @{run}/auditd.pid rw, @{run}/systemd/userdb/ r, diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg index 1c3f3849..f29127dc 100644 --- a/apparmor.d/profiles-a-f/firecfg +++ b/apparmor.d/profiles-a-f/firecfg @@ -31,6 +31,9 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { /usr/share/applications/ r, /usr/share/applications/*.desktop r, + @{user_share_dirs}/applications/ r, + @{user_share_dirs}/applications/*.desktop r, + /dev/tty rw, deny /apparmor/.null rw, diff --git a/apparmor.d/profiles-m-r/mkfs-btrfs b/apparmor.d/profiles-m-r/mkfs-btrfs index 4675072b..9613134a 100644 --- a/apparmor.d/profiles-m-r/mkfs-btrfs +++ b/apparmor.d/profiles-m-r/mkfs-btrfs @@ -17,6 +17,8 @@ profile mkfs-btrfs @{exec_path} { /dev/btrfs-control rw, + @{run}/blkid/blkid.* rw, + owner @{PROC}/@{pid}/mounts r, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 347b8496..2b0cea82 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -42,12 +43,12 @@ profile sudo @{exec_path} { /{usr/,}{s,}bin/[a-z0-9]* rPUx, /{usr/,}lib/cockpit/cockpit-askpass rPUx, + /etc/environment r, + /etc/machine-id r, + /etc/security/limits.d/{,*} r, /etc/sudo.conf r, - /etc/sudoers r, /etc/sudoers.d/{,*} r, - /etc/environment r, - /etc/security/limits.d/{,*} r, /var/log/sudo.log wk, diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber index ee2f5b57..bbb42281 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber @@ -24,6 +24,7 @@ profile wireplumber @{exec_path} { /usr/share/spa-*/bluez[0-9]*/{,*} r, /usr/share/wireplumber/{,**} r, + owner @{HOME}/.local/state/ w, owner @{HOME}/.local/state/wireplumber/{,**} rw, @{run}/systemd/users/@{uid} r, diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore index f3d1fd85..d5effd8b 100644 --- a/dists/ignore/main.ignore +++ b/dists/ignore/main.ignore @@ -8,3 +8,4 @@ apparmor.d/groups/_full apparmor.d/groups/apps anki +man
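Review bot: The alphabetical reorder removes `/etc/sudoers r,` and never re-adds it: the new side only has `/etc/sudo.conf r,` followed by `/etc/sudoers.d/{,*} r,`, and `sudoers.d/{,*}` does not match the `/etc/sudoers` file itself. Unless another rule outside this hunk or an included abstraction covers that path, sudo will be unable to read its policy and every invocation will fail, so this looks like an accidental drop during the sort. Re-insert `/etc/sudoers r,` between the two remaining lines: `/etc/sudo.conf r,` / `/etc/sudoers r,` / `/etc/sudoers.d/{,*} r,`.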