From 7b018a60bd0841daeaca4c2a4263f2b8a5b461e2 Mon Sep 17 00:00:00 2001
From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com>
Date: Thu, 17 Aug 2023 20:49:56 +0200
Subject: [PATCH] Update pacman (#193)
* Update pacman `@{exec_path} mr,` is causing the following errors:
```
ALLOWED pacman exec owner /usr/bin/pacman -> pacman//null-/usr/bin/pacman comm=bash requested_mask=x denied_mask=x
ALLOWED pacman//null-/usr/bin/pacman file_inherit owner /dev/pts/4 comm=pacman requested_mask=wr denied_mask=wr
ALLOWED pacman//null-/usr/bin/pacman file_mmap owner /usr/bin/pacman comm=pacman requested_mask=r denied_mask=r
ALLOWED pacman//null-/usr/bin/pacman file_mmap owner /usr/lib/ld-linux-x86-64.so.2 comm=pacman requested_mask=r denied_mask=r
ALLOWED pacman//null-/usr/bin/pacman open owner /etc/ld.so.preload comm=pacman requested_mask=r denied_mask=r
ALLOWED pacman//null-/usr/bin/pacman getattr owner /etc/ld.so.preload comm=pacman requested_mask=r denied_mask=r
ALLOWED pacman//null-/usr/bin/pacman open owner /etc/ld.so.cache comm=pacman requested_mask=r denied_mask=r
ALLOWED pacman//null-/usr/bin/pacman getattr owner /etc/ld.so.cache comm=pacman requested_mask=r denied_mask=r
ALLOWED pacman//null-/usr/bin/pacman open owner /usr/lib/libalpm.so.13.0.2 comm=pacman requested_mask=r denied_mask=r
ALLOWED pacman//null-/usr/bin/pacman getattr owner /usr/lib/libalpm.so.13.0.2 comm=pacman requested_mask=r denied_mask=r etc.
```
`@{exec_path} mrix,` fixes it. Commits for new profiles for `checkrebuild` and `pkgfile` will follow.
* Fix pacman update
* Update apparmor.d/groups/pacman/pacman
Co-authored-by: Alex
---------
Co-authored-by: Alex
---
 apparmor.d/groups/pacman/pacman | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index a6f7a35c..c29ec7b7 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -43,7 +43,7 @@ profile pacman @{exec_path} {
 ptrace (read),
- @{exec_path} mr,
+ @{exec_path} mrix,
 @{bin}/gpg{,2} rCx -> gpg,
 @{bin}/gpgconf rCx -> gpg,
@@ -58,11 +58,13 @@ profile pacman @{exec_path} {
 @{bin}/archlinux-java rPx,
 @{bin}/bootctl rPx,
 @{bin}/cat rix,
+ @{bin}/checkrebuild rPUx,
 @{bin}/chgrp rix,
 @{bin}/chmod rix,
 @{bin}/cp rix,
 @{bin}/dconf rPx,
 @{bin}/dot rix,
+ @{bin}/echo rix,
 @{bin}/env rix,
 @{bin}/fc-cache{,-32} rPx,
 @{bin}/filecap rix,
@@ -87,12 +89,15 @@ profile pacman @{exec_path} {
 @{bin}/ln rix,
 @{bin}/locale-gen rPx,
 @{bin}/mkinitcpio rPx,
+ @{bin}/needrestart rPx,
 @{bin}/pacdiff rPx,
 @{bin}/pacman-key rPx,
 @{bin}/perl rix,
+ @{bin}/pkgfile rPUx,
 @{bin}/pkill rix,
 @{bin}/pwd rix,
 @{bin}/rm rix,
+ @{bin}/rsync rix,
 @{bin}/sbctl rPx,
 @{bin}/sed rix,
 @{bin}/setcap rix,
@@ -102,8 +107,10 @@ profile pacman @{exec_path} {
 @{bin}/touch rix,
 @{bin}/tput rix,
 @{bin}/update-ca-trust rPx,
+ @{bin}/uname rPx,
 @{bin}/update-desktop-database rPx,
 @{bin}/update-mime-database rPx,
+ @{bin}/update-grub rPx,
 @{bin}/vercmp rix,
 @{bin}/xmlcatalog rix,
 @{lib}/ghc-*/bin/ghc-pkg rix,
@@ -174,6 +181,8 @@ profile pacman @{exec_path} {
 /etc/pacman.d/gnupg/** rwkl,
 @{HOME}/@{XDG_GPG_DIR}/*.conf r,
+
+ deny @{user_share_dirs}/sddm/* rw,
 /dev/tty[0-9]* rw,
 owner /dev/pts/[0-9]* rw,
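Review bot: `@{bin}/checkrebuild rPUx,` in the `@@ -58,11 +58,13 @@` hunk (and `@{bin}/pkgfile rPUx,` in the `@@ -87,12 +89,15 @@` hunk) falls back to running the binary unconfined whenever no profile of that name is loaded. The commit message says those profiles are still to come, so until they land both helpers run with no AppArmor confinement, and pacman is normally run as root. I would put a comment on both lines such as `# TODO: tighten to rPx once the checkrebuild/pkgfile profiles are merged` and switch them to `rPx` in the follow-up commit. The enclosing `profile pacman` block starts and ends outside the hunk.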
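Review bot: `@{bin}/rsync rix,` in the `@@ -87,12 +89,15 @@` hunk lets rsync inherit pacman's whole rule set, so a general-purpose copy tool gets every file and capability permission this profile grants. Nothing in the hunk or the commit message says which hook needs it. If a single hook is the caller, a narrow child profile in the style of the existing `rCx -> gpg` lines (for example `@{bin}/rsync rCx -> rsync,` limited to the paths that hook touches) would keep least privilege; otherwise add a comment naming the hook. The profile body continues outside the hunk, so the effective permissions rsync would inherit are not visible here.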
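Review bot: The two additions in the `@@ -102,8 +107,10 @@` hunk break the alphabetical order the exec list otherwise keeps: `@{bin}/uname rPx,` sits after `update-ca-trust` and `@{bin}/update-grub rPx,` sits after `update-mime-database`. Moving `uname` above `update-ca-trust` and `update-grub` between `update-desktop-database` and `update-mime-database` keeps the list easy to audit for duplicates and overly broad modes. Both lines use `rPx`, which makes the exec fail when no profile of that name is loaded; whether `uname` and `update-grub` profiles ship in this repository is not visible from the hunk, so that is worth confirming before merge.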
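Review bot: `deny @{user_share_dirs}/sddm/* rw,` in the `@@ -174,6 +181,8 @@` hunk has no comment saying why it is there, and it lands directly under the GnuPG rules, to which it is unrelated. Explicit `deny` rules override any allow and are not logged by default, so someone debugging a failing hook later gets no audit record pointing at this line. I would add a one-line comment above it, e.g. `# <reason: which hook touches the sddm state dir and why access is refused>`, with the real reason filled in. Also note that `/*` matches only direct children of the directory; use `/**` if files in subdirectories were meant to be covered.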