feat(profiles): general update.

2024-11-15 07:54:17 +01:00 · 2023-11-09 17:31:45 +00:00 · 2023-11-09 17:31:45 +00:00 · 758991f67b
commit 758991f67b
parent ee658c41a6
10 changed files with 20 additions and 3 deletions
--- a/apparmor.d/groups/gnome/gnome-disk-image-mounter
+++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter
@ -13,6 +13,7 @@ profile gnome-disk-image-mounter @{exec_path} {
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
+  include <abstractions/X-strict>

  @{exec_path} mr,

--- a/apparmor.d/groups/gvfs/gvfsd-fuse
+++ b/apparmor.d/groups/gvfs/gvfsd-fuse
@ -60,6 +60,7 @@ profile gvfsd-fuse @{exec_path} {

    /dev/fuse rw,

+    include if exists <local/gvfsd-fuse_fusermount>
  }

  include if exists <local/gvfsd-fuse>
--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
@ -38,7 +38,7 @@ profile aurpublish @{exec_path} {
  @{bin}/mv          rix,
  @{bin}/nproc       rix,
  @{bin}/rm          rix,
-  @{bin}/sha512sum   rix,
+  @{bin}/sha*sum     rix,
  @{bin}/tput        rix,
  @{bin}/wc          rix,

--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -14,8 +14,11 @@ profile systemd-journald @{exec_path} {
  include <abstractions/systemd-common>

  capability audit_control,
+  capability audit_read,
+  capability chown,
+  capability dac_override,
  capability dac_read_search,
-  capability kill,
+  capability fowner,
  capability setgid,
  capability setuid,
  capability sys_admin,
--- a/apparmor.d/groups/ubuntu/ubuntu-report
+++ b/apparmor.d/groups/ubuntu/ubuntu-report
@ -12,6 +12,11 @@ profile ubuntu-report @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>

+  network inet stream,
+  network inet6 stream,
+  network inet dgram,
+  network inet6 dgram,
+
  @{exec_path} mr,

  @{bin}/dpkg  rPx -> child-dpkg,
--- a/apparmor.d/groups/virt/containerd-shim-runc-v2
+++ b/apparmor.d/groups/virt/containerd-shim-runc-v2
@ -47,6 +47,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {

  @{sys}/fs/cgroup/{,**} rw,
  @{sys}/fs/cgroup/kubepods/{,**} rw,
+  @{sys}/kernel/mm/hugepages/ r,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

  @{PROC}/@{pids}/cgroup r,
--- a/apparmor.d/profiles-a-f/aa-notify
+++ b/apparmor.d/profiles-a-f/aa-notify
@ -36,7 +36,7 @@ profile aa-notify @{exec_path} {
  owner @{HOME}/.inputrc r,
  owner @{HOME}/.terminfo/@{int}/dumb r,

-  owner /tmp/_@{c}@{rand6} rw,
+  owner /tmp/*@{rand6} rw,
  owner /tmp/apparmor-bugreport-*.txt rw,

  @{PROC}/ r,
--- a/apparmor.d/profiles-a-f/cctk
+++ b/apparmor.d/profiles-a-f/cctk
@ -12,6 +12,7 @@ profile cctk @{exec_path} {
  include <abstractions/consoles>

  capability mknod,
+  capability sys_admin,
  capability sys_rawio,

  @{exec_path} mr,
@ -19,6 +20,8 @@ profile cctk @{exec_path} {
  @{lib}/ r,
  /opt/dell/dcc/*.so* mr,
  /opt/dell/srvadmin/{,**} r,
+  /opt/dell/srvadmin/lib64/*.so* rm,
+  /opt/dell/srvadmin/var/lib/openmanage/.ipc/* rwk,

  @{sys}/firmware/dmi/tables/DMI r,
  @{sys}/firmware/dmi/tables/smbios_entry_point r,
--- a/apparmor.d/profiles-g-l/install-info
+++ b/apparmor.d/profiles-g-l/install-info
@ -20,6 +20,7 @@ profile install-info @{exec_path} {

  /usr/share/info/{,**} r,
  /usr/share/info/dir rw,
+  /usr/share/info/dir-@{rand6} rw,

  /dev/tty rw,

--- a/apparmor.d/profiles-s-z/s3fs
+++ b/apparmor.d/profiles-s-z/s3fs
@ -65,6 +65,8 @@ profile s3fs @{exec_path} {
    @{PROC}/@{pids}/mounts r,

    /dev/fuse rw,
+
+    include if exists <local/s3fs_fusermount>
  }

  include if exists <local/s3fs>