feat(profile): general update.

This commit is contained in:
Alexandre Pujol 2024-03-18 14:31:01 +00:00
parent 437bef18ca
commit 77945674a5
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
23 changed files with 67 additions and 39 deletions

View File

@ -46,6 +46,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
@{lib}/systemd/systemd-executor rix,
@{sh_path} rix, # Should be handled by default profile?
@{bin}/grep rix,
@{bin}/sleep rix,
@{bin}/** Px,
@{lib}/** Px,

View File

@ -13,6 +13,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/X-strict>
# dbus: own bus=accessibility name=org.a11y.atspi.{R,r}egistry
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root

View File

@ -13,7 +13,7 @@ include <tunables/global>
@{exec_path} = @{bin}/dbus-run-session
@{exec_path} += @{bin}/dbus-broker @{bin}/dbus-broker-launch
@{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1.0/dbus-daemon-launch-helper
@{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1{,.0}/dbus-daemon-launch-helper
profile dbus-session flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-session>
@ -25,8 +25,8 @@ profile dbus-session flags=(attach_disconnected) {
signal (receive) set=(term hup) peer=gdm-session,
signal (receive) set=(term hup) peer=gdm,
signal (send) set=(term hup kill) peer=dbus-accessibility,
signal (send) set=(term hup kill) peer=dconf-service,
signal (send) set=(term hup kill) peer=xdg-permission-store,
signal (send) set=(hup) peer=dconf-service,
dbus bus=session,

View File

@ -12,9 +12,10 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/dbus-broker @{bin}/dbus-broker-launch
@{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1.0/dbus-daemon-launch-helper
@{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1{,.0}/dbus-daemon-launch-helper
profile dbus-system flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/bus-system>
include <abstractions/nameservice-strict>
@ -22,6 +23,7 @@ profile dbus-system flags=(attach_disconnected) {
capability net_admin,
capability setgid,
capability setuid,
capability sys_resource,
network netlink raw,
network bluetooth stream,
@ -59,6 +61,7 @@ profile dbus-system flags=(attach_disconnected) {
@{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/oom_score_adj rw,
/dev/dri/card@{int} rw,
/dev/input/event@{int} rw,

View File

@ -36,6 +36,7 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/geoclue/{,**} r,
/etc/sysconfig/proxy r,
/var/lib/nscd/services r,
/var/lib/dbus/machine-id r,

View File

@ -13,6 +13,7 @@ profile plymouthd @{exec_path} {
include <abstractions/dri-common>
capability checkpoint_restore,
capability dac_override,
capability net_admin,
capability sys_admin,
capability sys_chroot,

View File

@ -19,13 +19,19 @@ profile DiscoverNotifier @{exec_path} {
@{exec_path} mr,
/usr/share/metainfo/{,**} r,
/etc/flatpak/remotes.d/ r,
/var/lib/flatpak/repo/{,**} r,
owner @{user_cache_dirs}/appstream/ r,
owner @{user_cache_dirs}/appstream/** r,
owner @{user_cache_dirs}/flatpak/{,**} rw,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/PlasmaDiscoverUpdates r,
owner @{user_share_dirs}/flatpak/{,**} rw,
@{PROC}/sys/kernel/core_pattern r,

View File

@ -9,13 +9,18 @@ include <tunables/global>
@{exec_path} = @{lib}/drkonqi-coredump-processor
profile drkonqi-coredump-processor @{exec_path} {
include <abstractions/base>
include <abstractions/qt5>
@{exec_path} mr,
/etc/machine-id r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/{run,var}/log/journal/ r,
/{run,var}/log/journal/@{md5}/ r,
/{run,var}/log/journal/@{md5}/system.journal r,
/{run,var}/log/journal/@{md5}/system@@{hex}.journal r,
/{run,var}/log/journal/@{md5}/user-@{uid}.journal r,
/{run,var}/log/journal/@{md5}/user-@{uid}@@{hex}.journal r,

View File

@ -13,6 +13,7 @@ profile kconf_update @{exec_path} {
include <abstractions/graphics>
include <abstractions/gtk>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/perl>
include <abstractions/python>
@ -93,7 +94,6 @@ profile kconf_update @{exec_path} {
@{sys}/devices/system/node/node@{int}/meminfo r,
@{PROC}/ r,
@{PROC}/@{sys}/kernel/random/boot_id r,
@{PROC}/tty/drivers r,
@{PROC}/uptime r,
owner @{PROC}/@{pid}/cgroup r,

View File

@ -12,6 +12,8 @@ profile kde-systemd-start-condition @{exec_path} {
@{exec_path} mr,
/etc/xdg/baloofilerc r,
owner @{user_config_dirs}/baloofilerc r,
owner @{user_config_dirs}/plasma-welcomerc r,

View File

@ -74,10 +74,12 @@ profile kscreenlocker-greet @{exec_path} {
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/kscreenlocker_greet/ w,
owner @{user_cache_dirs}/kscreenlocker_greet/** rwl,
owner @{user_cache_dirs}/ksvg-elements r,
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
owner @{user_cache_dirs}/plasma-svgelements rw,
owner @{user_cache_dirs}/plasma-svgelements-default_v* r,
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwl,
owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r,
owner @{user_config_dirs}/kdedefaults/plasmarc r,

View File

@ -38,9 +38,9 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/#@{int} rwlk,
owner @{user_cache_dirs}/kcrash-metadata/ r,
owner @{user_cache_dirs}/ksmserver-logout-greeter/qmlcache/{,*} r,
owner @{user_cache_dirs}/plasma_theme_breeze-dark_v5.114.0.kcache rw,
owner @{user_cache_dirs}/plasma-svgelements r,
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} l -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
owner @{user_cache_dirs}/plasma-svgelements rw,
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
owner @{user_config_dirs}/ r,

View File

@ -40,14 +40,18 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
/usr/share/kservices{5,6}/{,**} r,
/usr/share/kservicetypes5/{,*.desktop} r,
/usr/share/kwin/{,**} r,
/usr/share/libinput-*/{,**} r,
/usr/share/libinput/{,**} r,
/usr/share/plasma/desktoptheme/default/** r,
/usr/share/pipewire/client.conf r,
/usr/share/plasma/desktoptheme/** r,
/usr/share/qt/translations/*.qm r,
/etc/machine-id r,
/etc/xdg/menus/{,applications.menu} r,
/etc/pipewire/client.conf.d/ r,
/usr/share/pipewire/client.conf r,
/etc/xdg/kscreenlockerrc r,
/etc/xdg/menus/{,applications.menu} r,
/etc/xdg/menus/applications-merged/ r,
/etc/xdg/plasmarc r,
owner /var/lib/sddm/.cache/#@{int} rwk,
owner /var/lib/sddm/.cache/fontconfig/* rwk,
@ -70,7 +74,9 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/ksycoca{5,6}_* r,
owner @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc rw,
owner @{user_cache_dirs}/kwin/ w,
owner @{user_cache_dirs}/kwin/qmlcache/ w,
owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc rwl,
owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/kwin/qmlcache/#@{int},
owner @{user_cache_dirs}/kwin/qmlcache/#@{int} rw,
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,

View File

@ -20,23 +20,29 @@ profile systemsettings @{exec_path} {
@{bin}/kcminit rPx,
/usr/share/kcm_networkmanagement/{,**} r,
/usr/share/kinfocenter/{,**} r,
/usr/share/kpackage/{,**} r,
/usr/share/kservices{5,6}/{,**} r,
/usr/share/kservicetypes5/{,**} r,
/usr/share/kxmlgui5/systemsettings/systemsettingsui.rc r,
/usr/share/plasma/{,**} r,
/usr/share/systemsettings/{,**} r,
/usr/share/kinfocenter/{,**} r,
/usr/share/sddm/themes/{,**} r,
/usr/share/systemsettings/{,**} r,
/etc/fstab r,
/etc/machine-id r,
/etc/xdg/menus/ r,
/etc/xdg/ui/ui_standards.rc r,
owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/kinfocenter/{,**} rwl,
owner @{user_cache_dirs}/ksvg-elements rw,
owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/ksvg-elements.lock rwlk,
owner @{user_cache_dirs}/ksycoca{5,6}_* r,
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
owner @{user_cache_dirs}/systemsettings/ rw,
owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**,

View File

@ -53,11 +53,9 @@ profile xdm-xsession @{exec_path} {
@{HOME}/.xinitrc rPix,
@{lib}/xinit/xinitrc rix,
/usr/share/bash-completion/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/mc/mc.sh r,
@{etc_ro}/profile.d/{,*} r,
@{etc_ro}/X11/xdm/scripts/{,*} r,
@{etc_ro}/X11/xim r,
@{etc_ro}/X11/xim.d/none r,
@ -71,8 +69,6 @@ profile xdm-xsession @{exec_path} {
/etc/sysconfig/* r,
owner @{HOME}/ r,
owner @{HOME}/.alias r,
owner @{HOME}/.i18n r,
owner @{user_share_dirs}/sddm/xorg-session.log rw,

View File

@ -70,22 +70,15 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
profile systemctl {
include <abstractions/base>
include <abstractions/systemd-common>
include <abstractions/systemctl>
@{bin}/systemctl mr,
/ r,
capability net_admin,
@{etc_ro}/ r,
@{etc_ro}/systemd/ r,
@{etc_ro}/systemd/system/ r,
@{etc_ro}/systemd/system/ntp.service r,
owner @{run}/systemd/private rw,
@{run}/utmp k,
/dev r,
include if exists <local/nm-dispatcher_systemctl>
}

View File

@ -15,6 +15,7 @@ profile systemd-cat @{exec_path} {
@{exec_path} mr,
@{bin}/cat rix,
@{bin}/echo rix,
include if exists <local/systemd-cat>
}

View File

@ -36,6 +36,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
/opt/** r,
/etc/systemd/coredump.conf r,
/etc/systemd/coredump.conf.d/{,**} r,
/var/lib/systemd/coredump/{,**} rwl,

View File

@ -32,10 +32,12 @@ profile blkid @{exec_path} flags=(attach_disconnected) {
@{run}/blkid/blkid.tab{,-@{rand6}} rw,
@{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
@{run}/cloud-init/ds-identify.log w, # file_inherit
# For the EVALUATE=scan method
@{PROC}/partitions r,
/dev/tty@{int} rw,
owner /dev/tty@{int} rw,
include if exists <local/blkid>
}

View File

@ -11,6 +11,7 @@ include <tunables/global>
profile blueman @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/bus-session>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/fontconfig-cache-read>
@ -26,18 +27,16 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
ptrace (read) peer=gjs-console,
# dbus: own bus=session name=org.blueman.Applet
# dbus: own bus=session name=org.blueman.Manager
@{exec_path} mrix,
@{sh_path} rix,
@{bin}/blueman-tray rPx,
@{open_path} rPx -> child-open,
@{open_path} rix,
/usr/share/blueman/{,**} r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/var/lib/blueman/network.state r,
owner @{HOME}/ r,
@ -53,9 +52,9 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/obexd/ rw,
owner @{user_cache_dirs}/obexd/* rw,
@{PROC}/@{pids}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/@{pids}/cmdline r,
/dev/dri/card@{int} rw,
/dev/rfkill r,

View File

@ -133,8 +133,9 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
@{bin}/gpg{,2} mr,
@{bin}/gpgconf mr,
@{bin}/gpgsm mr,
@{bin}/gpg-agent mrix,
@{lib}/gnupg/scdaemon rix,
@{bin}/gpg-agent rix,
@{lib}/{,gnupg/}scdaemon rix,
owner /var/lib/fwupd/gnupg/ rw,
owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**,

View File

@ -68,7 +68,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
@{bin}/fc-cache rPx,
@{bin}/glib-compile-schemas rPx,
@{bin}/install-info rPx,
@{bin}/rpmdb2solv rPx, # only: opensuse
@{bin}/rpmdb2solv rPUx, # only: opensuse
@{bin}/systemd-inhibit rPx,
@{bin}/update-desktop-database rPx,
@{lib}/apt/methods/* rPx, # only: dpkg

View File

@ -15,6 +15,7 @@ profile pcscd @{exec_path} {
network netlink raw,
ptrace (read) peer=gsd-smartcard,
ptrace (read) peer=pkcs11-register,
ptrace (read) peer=rngd,
ptrace (read) peer=scdaemon,