From 7a24f98f486574431ddd453f96f4e0b06eb2524e Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 27 Jan 2023 22:31:55 +0000
Subject: [PATCH] feat(profiles): general update.

---
 apparmor.d/groups/browsers/firefox | 2 +-
 apparmor.d/groups/bus/dbus-daemon | 4 ++--
 apparmor.d/groups/freedesktop/colord | 2 +-
 apparmor.d/profiles-s-z/s3fs | 15 ++++++++-------
 apparmor.d/profiles-s-z/snapd | 3 +++
 5 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 99e738fd..44db67c2 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -214,7 +214,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 owner /tmp/mozilla_*/* rw,
 owner /tmp/Temp-*/ rw,
- audit @{run}/udev/data/* r,
+ @{run}/udev/data/* r,
 @{sys}/bus/ r,
 @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index c37666ce..de7c7de6 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@@ -60,8 +60,8 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 /var/lib/gdm{3,}/.local/share/icc/edid-*.icc r,
 # Extra rules for Flatpak
- /var/lib/flatpak/exports/share/dbus-1/{,**} r,
- /var/lib/flatpak/app/**/export/share/dbus-1/services/{,**} r,
+ @{system_share_dirs}/dbus-1/{,**} r,
+ @{system_share_dirs}/dbus-1/services/{,**} r,
 # Extra rules for Snap
 /var/lib/snapd/dbus-1/services/ r,
diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord
index 6149b8a7..98b3ffbf 100644
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
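Review bot: Dropping the `audit` qualifier from `@{run}/udev/data/* r,` stops AppArmor from logging these allowed reads, and neither the hunk nor the commit message says why the audit trail is no longer wanted. If the qualifier was there to confirm that firefox really needs udev device data, record the outcome on the rule, e.g. `# udev device data; audit qualifier dropped after confirming the access is expected` (wording to be adjusted to the actual reason). The firefox profile body continues outside the hunk.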
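Review bot: The context comment `# Extra rules for Flatpak` now heads two rules on `@{system_share_dirs}`, which is no longer a Flatpak-specific path, so the comment should be reworded to describe what the rules now cover, e.g. `# Extra rules for system share dirs (Flatpak exports included)`. The added `@{system_share_dirs}/dbus-1/services/{,**} r,` is already matched by `@{system_share_dirs}/dbus-1/{,**} r,` on the line above, because `**` spans directory boundaries, so the second rule is redundant and can be dropped. Whether the removed per-app path `/var/lib/flatpak/app/**/export/share/dbus-1/services/` is still covered depends on how `@{system_share_dirs}` is defined, which is not shown on this page; the same question applies to the colord hunk that replaces `/var/lib/flatpak/exports/share/mime/mime.cache`. The dbus-daemon profile body continues outside the hunk.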
@@ -68,7 +68,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
 owner /var/lib/colord/.cache/** rw,
 owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk,
- /var/lib/flatpak/exports/share/mime/mime.cache r,
+ @{system_share_dirs}/mime/mime.cache r,
 /var/lib/gdm{3,}/.local/share/icc/edid-*.icc r,
 @{user_share_dirs}/icc/edid-*.icc r,
diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs
index 81d787ed..f9e6a6d3 100644
--- a/apparmor.d/profiles-s-z/s3fs
+++ b/apparmor.d/profiles-s-z/s3fs
@@ -41,24 +41,25 @@ profile s3fs @{exec_path} {
 include
 include
+ capability dac_read_search,
 capability sys_admin,
 network inet stream,
 network inet6 stream,
- /{usr/,}bin/fusermount{,3} mr,
-
- /etc/fuse.conf r,
-
- @{MOUNTS}/ r,
- @{MOUNTS}/*/ r,
-
 mount fstype=fuse.s3fs -> @{MOUNTS}/,
 mount fstype=fuse.s3fs -> @{MOUNTS}/*/,
 umount @{MOUNTS}/,
 umount @{MOUNTS}/*/,
+ /{usr/,}bin/fusermount{,3} mr,
+
+ /etc/fuse.conf r,
+
+ @{MOUNTS}/ r,
+ @{MOUNTS}/*/ r,
+
 owner /tmp/s3fstmp.* rw,
 @{PROC}/@{pids}/mounts r,
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index f6616f98..8b8e7193 100644
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@@ -60,6 +60,7 @@ profile snapd @{exec_path} {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/cp rix,
 /{usr/,}bin/gzip rix,
+ /{usr/,}bin/journalctl rPx,
 /{usr/,}bin/mount rix,
 /{usr/,}bin/snap rPx,
 /{usr/,}bin/sync rix,
@@ -86,6 +87,7 @@ profile snapd @{exec_path} {
 /usr/share/dbus-1/services/*snap* r,
 /usr/share/polkit-1/actions/{,**/} r,
+ /etc/apparmor.d/*snapd.snap* r,
 /etc/dbus-1/system.d/{,**/} r,
 /etc/fstab r,
 /etc/mime.types r,
@@ -147,6 +149,7 @@ profile snapd @{exec_path} {
 @{PROC}/sys/kernel/random/boot_id r,
 @{PROC}/sys/kernel/seccomp/actions_avail r,
 @{PROC}/version r,
+ owner @{PROC}/@{pids}/cmdline r,
 owner @{PROC}/@{pids}/mountinfo r,
 /dev/loop-control rw,
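Review bot: The new `capability dac_read_search,` carries no comment recording which denial it resolves; it lets s3fs bypass DAC read and directory-search checks on every path the profile's file rules permit, so the trigger belongs next to the rule, e.g. `# TODO(review): note the denied operation that requires dac_read_search`. The rest of the hunk only moves the fusermount, fuse.conf and @{MOUNTS} read rules below the mount/umount rules, which is a pure reorder with no behavioural effect. The two `include` lines at the top of the hunk appear to have lost their bracketed abstraction names in this rendering, and the s3fs profile body continues outside the hunk.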
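Review bot: `/{usr/,}bin/journalctl rPx,` in the first snapd hunk transitions into a separate profile named `journalctl`, so the exec is denied outright if no profile by that name is loaded; this is consistent with `/{usr/,}bin/snap rPx,` two lines below, but it should be confirmed that a journalctl profile exists in this profile set, which the page does not show. A short comment on the rule naming the snapd code path that invokes journalctl would also help the next reader, since the other added rules (`/etc/apparmor.d/*snapd.snap* r,`, `owner @{PROC}/@{pids}/cmdline r,`) are likewise unexplained. The snapd profile body continues outside all three hunks.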