feat(profile): general update.

2024-11-14 23:43:56 +01:00 · 2023-01-24 20:07:10 +00:00 · 2023-01-24 20:07:10 +00:00 · 807bf7f1c8
commit 807bf7f1c8
parent 9343807632
7 changed files with 26 additions and 16 deletions
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@ -267,6 +267,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  deny owner @{HOME}/.* r,
  deny /tmp/MozillaUpdateLock-* w,
+  deny @{run}/user/@{uid}/gnome-shell-disable-extensions w,

  include if exists <local/firefox>
 }
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@ -57,6 +57,7 @@ profile child-open {
  # Others
  /{usr/,}bin/discord{,-ptb}    rPx,
  /{usr/,}bin/draw.io          rPUx,
+  /{usr/,}bin/*Foliate         rPUx,
  /{usr/,}bin/dropbox           rPx,
  /{usr/,}bin/engrampa          rPx,
  /{usr/,}bin/eog              rPUx,
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@ -59,6 +59,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
  / r,
  /.flatpak-info r,

+  owner /tmp/librnnoise-[0-9]*.so rm,
  owner @{run}/user/@{uid}/pipewire-[0-9]*.lock rwk,

  @{run}/udev/data/c23[4-9]:[0-9]* r,   # For dynamic assignment range 234 to 254
--- a/apparmor.d/groups/gnome/gsd-rfkill
+++ b/apparmor.d/groups/gnome/gsd-rfkill
@ -86,7 +86,8 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  /sys/devices/virtual/misc/rfkill/uevent r,
+  @{sys}/devices/virtual/misc/rfkill/uevent r,
+
  /dev/rfkill rw,

  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -160,23 +160,26 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  @{run}/udev/data/+dmi:id r,
  @{run}/udev/data/+drm:* r,
  @{run}/udev/data/+hid:* r,
-  @{run}/udev/data/+input* r,       # for mouse, keyboard, touchpad
+  @{run}/udev/data/+input* r,         # For mouse, keyboard, touchpad
  @{run}/udev/data/+leds:* r,
  @{run}/udev/data/+pci* r,
  @{run}/udev/data/+platform* r,
  @{run}/udev/data/+rfkill:* r,
-  @{run}/udev/data/+sound:card* r,  # for sound
+  @{run}/udev/data/+sound:card* r,    # For sound
  @{run}/udev/data/+thunderbolt:* r,
-  @{run}/udev/data/c1:[0-9]* r,
-  @{run}/udev/data/c10:[0-9]* r,
-  @{run}/udev/data/c116:[0-9]* r,   # for ALSA
-  @{run}/udev/data/c13:[0-9]* r,    # for /dev/input/*
-  @{run}/udev/data/c2[0-9]*:[0-9]* r,
-  @{run}/udev/data/c23[0-9]:[0-9]* r,
+  @{run}/udev/data/c1:[0-9]* r  ,     # For RAM disk
+  @{run}/udev/data/c10:[0-9]* r,      # For non-serial mice, misc features
+  @{run}/udev/data/c13:[0-9]* r,      # For /dev/input/*
+  @{run}/udev/data/c29:* r,           # For /dev/fb[0-9]*
+  @{run}/udev/data/c90:[0-9]* r,      # For RAM, ROM, Flash
+  @{run}/udev/data/c116:[0-9]* r,     # For ALSA
+  @{run}/udev/data/c226:[0-9]* r,     # For /dev/dri/card[0-9]*
+  @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254
  @{run}/udev/data/c24[0-9]:[0-9]* r,
-  @{run}/udev/data/c50[0-9]:[0-9]* r,
-  @{run}/udev/data/c51[0-9]:[0-9]* r,
-  @{run}/udev/data/c90:[0-9]* r,
+  @{run}/udev/data/c25[0-4]:[0-9]* r,
+  @{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511
+  @{run}/udev/data/c4[0-9]*:[0-9]* r,
+  @{run}/udev/data/c5[0-9]*:[0-9]* r,
  @{run}/udev/data/n[0-9]* r,

  @{sys}/bus/[a-z]*/devices/ r,
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@ -35,12 +35,15 @@ profile wireplumber @{exec_path} {
  @{run}/systemd/users/@{uid} r,

  @{run}/udev/data/+sound:card[0-9]* r, # For sound
-  @{run}/udev/data/c116:[0-9]* r,       # for ALSA
  @{run}/udev/data/c14:[0-9]* r,        # Open Sound System (OSS)
+  @{run}/udev/data/c81:[0-9]*  r,       # For video4linux
+  @{run}/udev/data/c116:[0-9]* r,       # For ALSA
  @{run}/udev/data/c23[4-9]:[0-9]* r,   # For dynamic assignment range 234 to 254
  @{run}/udev/data/c24[0-9]:[0-9]* r,
  @{run}/udev/data/c25[0-4]:[0-9]* r,
-  @{run}/udev/data/c81:[0-9]*  r,       # For video4linux
+  @{run}/udev/data/c3[0-9]*:[0-9]* r,   # For dynamic assignment range 384 to 511
+  @{run}/udev/data/c4[0-9]*:[0-9]* r,
+  @{run}/udev/data/c5[0-9]*:[0-9]* r,

  @{sys}/bus/ r,
  @{sys}/bus/media/devices/ r,
--- a/apparmor.d/tunables/xdg-user-dirs
+++ b/apparmor.d/tunables/xdg-user-dirs
@ -34,7 +34,7 @@
 # User personal keyrings
@{XDG_SSH_DIR}=".ssh"
@{XDG_GPG_DIR}=".gnupg"
-@{XDP_PASSWORD_STORE_DIR}=".password-store"
+@{XDG_PASSWORD_STORE_DIR}=".password-store"

 # Definition of local user configuration directories
@{XDG_CACHE_HOME}=".cache"
@ -71,7 +71,7 @@
@{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}
@{user_vm_dirs}=@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}
@{user_work_dirs}=@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}
-@{user_password_store_dirs}=@{HOME}/@{XDP_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDP_PASSWORD_STORE_DIR}
+@{user_password_store_dirs}=@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}

 # Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments
 # to the various XDG directories