Update pacman (#193)

* Update pacman `@{exec_path} mr,` is causing the following errors: ``` ALLOWED pacman exec owner /usr/bin/pacman -> pacman//null-/usr/bin/pacman comm=bash requested_mask=x denied_mask=x ALLOWED pacman//null-/usr/bin/pacman file_inherit owner /dev/pts/4 comm=pacman requested_mask=wr denied_mask=wr ALLOWED pacman//null-/usr/bin/pacman file_mmap owner /usr/bin/pacman comm=pacman requested_mask=r denied_mask=r ALLOWED pacman//null-/usr/bin/pacman file_mmap owner /usr/lib/ld-linux-x86-64.so.2 comm=pacman requested_mask=r denied_mask=r ALLOWED pacman//null-/usr/bin/pacman open owner /etc/ld.so.preload comm=pacman requested_mask=r denied_mask=r ALLOWED pacman//null-/usr/bin/pacman getattr owner /etc/ld.so.preload comm=pacman requested_mask=r denied_mask=r ALLOWED pacman//null-/usr/bin/pacman open owner /etc/ld.so.cache comm=pacman requested_mask=r denied_mask=r ALLOWED pacman//null-/usr/bin/pacman getattr owner /etc/ld.so.cache comm=pacman requested_mask=r denied_mask=r ALLOWED pacman//null-/usr/bin/pacman open owner /usr/lib/libalpm.so.13.0.2 comm=pacman requested_mask=r denied_mask=r ALLOWED pacman//null-/usr/bin/pacman getattr owner /usr/lib/libalpm.so.13.0.2 comm=pacman requested_mask=r denied_mask=r etc. ``` `@{exec_path} mrix,` fixes it. Commits for new profiles for `checkrebuild` and `pkgfile` will follow. * Fix pacman update * Update apparmor.d/groups/pacman/pacman Co-authored-by: Alex <roddhjav@users.noreply.github.com> --------- Co-authored-by: Alex <roddhjav@users.noreply.github.com>
2025-01-18 00:48:10 +01:00 · 2023-08-17 20:49:56 +02:00 · 2023-08-17 20:49:56 +02:00 · 7b018a60bd
commit 7b018a60bd
parent c2c745888c
1 changed files with 10 additions and 1 deletions
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -43,7 +43,7 @@ profile pacman @{exec_path} {

  ptrace (read),

-  @{exec_path} mr,
+  @{exec_path} mrix,

  @{bin}/gpg{,2}      rCx -> gpg,
  @{bin}/gpgconf      rCx -> gpg,
@ -58,11 +58,13 @@ profile pacman @{exec_path} {
  @{bin}/archlinux-java              rPx,
  @{bin}/bootctl                     rPx,
  @{bin}/cat                         rix,
+  @{bin}/checkrebuild                rPUx,
  @{bin}/chgrp                       rix,
  @{bin}/chmod                       rix,
  @{bin}/cp                          rix,
  @{bin}/dconf                       rPx,
  @{bin}/dot                         rix,
+  @{bin}/echo                        rix,
  @{bin}/env                         rix,
  @{bin}/fc-cache{,-32}              rPx,
  @{bin}/filecap                     rix,
@ -87,12 +89,15 @@ profile pacman @{exec_path} {
  @{bin}/ln                          rix,
  @{bin}/locale-gen                  rPx,
  @{bin}/mkinitcpio                  rPx,
+  @{bin}/needrestart                 rPx,
  @{bin}/pacdiff                     rPx,
  @{bin}/pacman-key                  rPx,
  @{bin}/perl                        rix,
+  @{bin}/pkgfile                     rPUx,
  @{bin}/pkill                       rix,
  @{bin}/pwd                         rix,
  @{bin}/rm                          rix,
+  @{bin}/rsync                       rix,
  @{bin}/sbctl                       rPx,
  @{bin}/sed                         rix,
  @{bin}/setcap                      rix,
@ -102,8 +107,10 @@ profile pacman @{exec_path} {
  @{bin}/touch                       rix,
  @{bin}/tput                        rix,
  @{bin}/update-ca-trust             rPx,
+  @{bin}/uname                       rPx,
  @{bin}/update-desktop-database     rPx,
  @{bin}/update-mime-database        rPx,
+  @{bin}/update-grub                 rPx,
  @{bin}/vercmp                      rix,
  @{bin}/xmlcatalog                  rix,
  @{lib}/ghc-*/bin/ghc-pkg           rix,
@ -174,6 +181,8 @@ profile pacman @{exec_path} {
    /etc/pacman.d/gnupg/** rwkl,

    @{HOME}/@{XDG_GPG_DIR}/*.conf r,
+
+    deny @{user_share_dirs}/sddm/* rw,
    
          /dev/tty[0-9]* rw,
    owner /dev/pts/[0-9]* rw,