feat(profile): improve xsession.

2025-01-30 23:05:11 +01:00 · 2024-04-03 21:22:26 +01:00 · 2024-04-03 21:22:26 +01:00 · 766b53beb3
commit 766b53beb3
parent c623e6921c
2 changed files with 29 additions and 9 deletions
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@ -18,14 +18,7 @@ profile ssh-agent @{exec_path} {
  @{exec_path} mr,

  @{sh_path}                   rix,
-  @{bin}/enlightenment_start  rPUx,
  @{bin}/gpg-agent             rPx,
-  @{bin}/im-launch             rPx,
-  @{bin}/kwalletaskpass       rPUx,
-  @{bin}/openbox-session       rPx,
-  @{bin}/startkde             rPUx,
-  @{bin}/startxfce4           rPUx,
-  @{bin}/sway                 rPUx,

  owner @{HOME}/@{XDG_SSH_DIR}/ rw,
  owner @{HOME}/@{XDG_SSH_DIR}/* r,
--- a/apparmor.d/profiles-s-z/x11-xsession
+++ b/apparmor.d/profiles-s-z/x11-xsession
@ -11,7 +11,7 @@ include <tunables/global>
 profile x11-xsession @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
-  include <abstractions/X>
+  include <abstractions/X-strict>

  @{exec_path} r,

@ -54,7 +54,7 @@ profile x11-xsession @{exec_path} {
  @{bin}/openbox-session      rPx,
  @{bin}/enlightenment_start  rPUx,
  @{bin}/sway                 rPUx,
-  @{bin}/ssh-agent            rPx,
+  @{bin}/ssh-agent            rCx -> ssh-agent,

  @{bin}/sudo rPx, #aa:only whonix
  @{lib}/*/*.sh r,
@ -67,6 +67,31 @@ profile x11-xsession @{exec_path} {

  owner /tmp/file* rw,
  owner /tmp/tmp.@{rand10} rw,
+  owner /tmp/user/@{uid}/tmp.@{rand10} rw,
+
+  profile ssh-agent {
+    include <abstractions/base>
+  
+    @{bin}/ssh-agent mr,
+
+    audit @{bin}/gpg-agent             rPx,
+    @{sh_path}                   rix,   
+    @{bin}/enlightenment_start  rPUx,
+    @{bin}/env                   rix,
+    @{bin}/im-launch             rPx,
+    @{bin}/kwalletaskpass       rPUx,
+    @{bin}/openbox-session       rPx,
+    @{bin}/startkde             rPUx,
+    @{bin}/startxfce4           rPUx,
+    @{bin}/sway                 rPUx,
+
+    owner @{HOME}/.xsession-errors w,
+
+    owner /tmp/ssh-*/ rw,
+    owner /tmp/ssh-*/agent.* rw,
+
+    include if exists <local/x11-xsession_ssh-agent>
+  }

  profile run-parts {
    include <abstractions/base>
@ -104,6 +129,8 @@ profile x11-xsession @{exec_path} {

    @{bin}/gpg-agent rix,

+    owner @{HOME}/.xsession-errors w,
+
    owner @{HOME}/@{XDG_GPG_DIR}/ rw,
    owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,