From 7f1576a1797a95f2ee2b8d65048447c5d1c60b69 Mon Sep 17 00:00:00 2001
From: EricLin0509
Date: Sat, 22 Feb 2025 10:36:01 +0800
Subject: [PATCH] Apply suggestions

---
 apparmor.d/profiles-s-z/wechat | 3 +--
 apparmor.d/profiles-s-z/wechat-appimage | 34 +++++++++++++++---------
 apparmor.d/profiles-s-z/wechat-universal | 1 -
 3 files changed, 22 insertions(+), 16 deletions(-)

diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat
index 2d832d38..ab7b1357 100755
--- a/apparmor.d/profiles-s-z/wechat
+++ b/apparmor.d/profiles-s-z/wechat
@@ -18,7 +18,6 @@ profile wechat @{exec_path} flags=(attach_disconnected) {
   include
   include
   include
-  include
   network netlink raw,
   network netlink dgram,
@@ -33,7 +32,7 @@ profile wechat @{exec_path} flags=(attach_disconnected) {
   @{lib_dirs}/crashpad_handler ix,
   @{bin}/mkdir ix,
   @{bin}/gawk rix,
-  @{bin}/lsblk rix,
+  @{bin}/lsblk rPx,
   @{bin}/ip rix,
   @{bin}/xdg-user-dir rix,
   @{open_path} rpx -> child-open-strict,
diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage
index b3ac3735..43edf999 100755
--- a/apparmor.d/profiles-s-z/wechat-appimage
+++ b/apparmor.d/profiles-s-z/wechat-appimage
@@ -11,17 +11,15 @@ include
 @{config_dirs} = @{user_config_dirs}/@{name}
 @{cache_dirs} = @{user_cache_dirs}/@{name}
-@{exec_path} = @{bin}/wechat @{lib_dirs}/wechat-appimage.Appimage /tmp/.mount_wechat??????/user/bin/wechat
+@{exec_path} = @{bin}/wechat
+@{exec_path} += @{lib_dirs}/wechat-appimage.Appimage
+@{exec_path} += /tmp/.mount_wechat??????/user/bin/wechat
 profile wechat-appimage @{exec_path} flags=(attach_disconnected) {
   include
   include
   include
   include
   include
-  include
-
-  capability dac_override,
-  capability dac_read_search,
   network netlink raw,
   network netlink dgram,
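Review bot: The new `@{exec_path} +=` attachment paths disagree with the file rules elsewhere in this file that name the same objects: the second entry spells the image `wechat-appimage.Appimage` while the mount `fstype` and the child's read rule use `wechat-appimage.AppImage`, and the third entry uses `/tmp/.mount_wechat??????/user/bin/wechat` while the `ix` rule in a later hunk targets `@{tmp}/.mount_wechat??????/usr/bin/wechat`. AppArmor path matching is case-sensitive, so if the names the rules use are the real ones, these two attachments never match and the `@{exec_path} r,` rule does not cover the mounted binary. Assuming the rules rather than the variable are right, the lines would be `@{exec_path} += @{lib_dirs}/wechat-appimage.AppImage` and `@{exec_path} += @{tmp}/.mount_wechat??????/usr/bin/wechat`. The mismatch is inherited from the removed single-line definition, but the split is the natural place to fix it.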
@@ -30,6 +28,10 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) {
   network inet6 dgram,
   network inet6 stream,
+  mount fstype=fuse.wechat-appimage.AppImage options=(ro nodev nosuid) wechat-appimage.AppImage -> @{tmp}/.mount_wechat??????/,
+
+  umount @{tmp}/.mount_wechat??????/,
+
   @{exec_path} r,
   @{sh_path} rix,
@@ -44,13 +46,9 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) {
   @{tmp}/.mount_wechat??????/usr/bin/wechat ix,
   @{open_path} rpx -> child-open-strict,
-  mount fstype=fuse.wechat-appimage.AppImage options=(ro nodev nosuid) wechat-appimage.AppImage -> @{tmp}/.mount_wechat??????/,
-
-  umount @{tmp}/.mount_wechat??????/,
-
-  @{bin}/fusermount{,3} ix -> fusermount,
-  @{bin}/dirname rix -> fusermount,
-  @{bin}/readlink rix -> fusermount,
+  @{bin}/fusermount{,3} Cx -> fusermount,
+  @{bin}/dirname rix,
+  @{bin}/readlink rix,
   @{bin}/ r,
   @{bin}/core_perl/ r,
@@ -61,7 +59,6 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) {
   /usr/local/sbin/ r,
   /etc/machine-id r,
-  /etc/fuse.conf r,
   @{tmp}/.mount_wechat??????/AppRun r,
   @{tmp}/.mount_wechat??????/ rw,
@@ -79,12 +76,23 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) {
     include
     include
     include
+
+    capability dac_override,
+    capability dac_read_search,
+    capability sys_admin,
+
+    mount fstype=fuse.wechat-appimage.AppImage options=(ro nodev nosuid) wechat-appimage.AppImage -> @{tmp}/.mount_wechat??????/,
+
+    umount @{tmp}/.mount_wechat??????/,
+
     @{bin}/fusermount{,3} mr,
     @{lib_dirs}/wechat-appimage.AppImage r,
     @{PROC}/@{pid}/mounts r,
+    /etc/fuse.conf r,
+    /dev/fuse rw,
     include if exists
   }
diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal
index d03588bb..d327dc07 100644
--- a/apparmor.d/profiles-s-z/wechat-universal
+++ b/apparmor.d/profiles-s-z/wechat-universal
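Review bot: The `mount`/`umount` rules added back to the main profile in this hunk are the same two rules the last hunk grants to the `fusermount` child, yet after this patch the main profile holds no capability at all (the first hunk drops its `dac_*` ones and `sys_admin` is granted only in the child), so a mount(2) issued by the main profile would normally be refused on the capability check before these rules are ever consulted. If the AppImage runtime mounts only by executing `fusermount` (now `Cx -> fusermount` in the next hunk), these two lines in the main profile are dead and should be dropped for least privilege; if it does mount directly, that needs its own justification and the copy in the child is the redundant one. A one-line comment above whichever copy survives, e.g. `# the FUSE mount of the AppImage image is performed by setuid fusermount`, would make the intent auditable. The profile body continues outside this hunk.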
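Review bot: `capability dac_override,` and `capability dac_read_search,` in the fusermount child are broad grants (they bypass DAC checks on any path the file rules already allow), and nothing visible here shows what needs them: the child only reads `/etc/fuse.conf`, `@{PROC}/@{pid}/mounts` and the image, opens `/dev/fuse`, and performs the mount, which `sys_admin` is what covers. They were moved from the main profile rather than re-derived, so it is worth confirming from an audit log whether the setuid fusermount actually triggers either one and dropping them otherwise. A short comment above `capability sys_admin,`, such as `# fusermount is setuid root; sys_admin is required for mount(2)/umount(2) of the FUSE image`, would record why the privilege lives in the child and not the main profile. The child's `profile fusermount` header is outside this hunk.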
@@ -19,7 +19,6 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) {
   include
   include
   include
-  include
   network netlink raw,
   network netlink dgram,