feat(profile): general update.

Alexandre Pujol 2024-06-04 20:13:40 +01:00
parent d98621625a
commit 8b60e56002
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
21 changed files with 71 additions and 59 deletions


@ -21,6 +21,8 @@ profile dpkg-preconfigure @{exec_path} {
@{sh_path} rix,
@{bin}/{,e}grep rix,
@{bin}/{,g,m}awk rix,
@{bin}/cat rix,
@{bin}/dialog rix,
@{bin}/locale rix,
@{bin}/sed rix,


@ -33,6 +33,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
signal (send) peer=apt-methods-http,
unix type=stream addr=@@{hex16}/bus/unattended-upgr/system,
@{exec_path} mr,
@{bin}/ r,
@ -106,6 +108,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/apt-dpkg-install-*/{,*} rw,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/fd/ r,
/dev/ptmx rw,


@ -38,7 +38,7 @@ profile dbus-session flags=(attach_disconnected) {
@{bin}/** PUx,
@{lib}/** PUx,
/usr/share/** PUx,
/usr/share/*/** PUx,
/etc/dbus-1/{,**} r,
/usr/share/dbus-1/{,**} r,
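Review bot: Narrowing `/usr/share/** PUx,` to `/usr/share/*/** PUx,` keeps the unconfined fallback: `PUx` transitions to a dedicated profile when one is loaded and otherwise runs the target unconfined, so any executable under a `/usr/share/<pkg>/` directory without its own profile is still launched from the session bus with no confinement. Which of the two `/usr/share` lines is the new side is not marked on this page, but both carry `PUx`, and the same `@{bin}/**`, `@{lib}/**` and `/usr/share/*/**` rules recur in the dbus-system section below. If the fallback is deliberate for a launcher profile, a comment such as `# Launcher: services without a profile run unconfined on purpose` above the rules would record that decision; otherwise `Px` (fail closed) or a narrower glob is the safer default.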


@ -36,9 +36,9 @@ profile dbus-system flags=(attach_disconnected) {
@{exec_path} mrix,
@{bin}/** PUx,
@{lib}/** PUx,
/usr/share/*/** PUx,
@{bin}/** PUx,
@{lib}/** PUx,
/usr/share/*/** PUx,
/etc/dbus-1/{,**} r,
/usr/share/dbus-1/{,**} r,


@ -57,6 +57,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
@{bin}/grep rix,
@{bin}/locale rix,
@{bin}/sed rix,
@{bin}/tecla rix,
@{bin}/bwrap rCx -> bwrap,
@{bin}/gkbd-keyboard-display rPx,
@ -159,6 +160,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
@{PROC}/cmdline r,
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
@{PROC}/zoneinfo r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r,
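Review bot: `@{bin}/tecla rix,` in the first hunk runs the keyboard viewer inside gnome-control-center's own profile, while the neighbouring `@{bin}/gkbd-keyboard-display rPx,` hands its counterpart to a separate profile; if tecla is a standalone GUI application like gkbd-keyboard-display, `rix` gives it the whole control-center rule set (including the cgroup and /proc access in the second hunk) rather than a tailored one. Consider `@{bin}/tecla rPx,` with a dedicated profile, or a short comment stating why inheritance is preferred here. Each hunk header counts one added line; that the tecla line is the new one is inferred from context, not marked on the page.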


@ -24,5 +24,9 @@ profile gnome-remote-desktop-daemon @{exec_path} {
@{exec_path} mr,
/usr/share/gnome-remote-desktop/{,**} r,
owner /var/lib/gnome-remote-desktop//{,**} r,
include if exists <local/gnome-remote-desktop-daemon>
}
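Review bot: `owner /var/lib/gnome-remote-desktop//{,**} r,` has a doubled slash before `{,**}`, which looks like a typo; the rule should read `owner /var/lib/gnome-remote-desktop/{,**} r,`. As written the pattern may not match the intended state directory, so the access would surface as a denial rather than being granted. The hunk header counts four added lines but only two are visible here, so this section may have lost lines in rendering.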


@ -281,7 +281,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_cache_dirs}/media-art/{,**} r,
owner @{user_cache_dirs}/vlc/**/*.jpg r,
@{run}/gdm{3,}/dbus/dbus-@{rand8} w,
@{run}/gdm{3,}/dbus/dbus-@{rand8} rw,
owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
@ -398,9 +398,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base>
include <abstractions/app-launcher-user>
unix receive type=stream,
@{lib}/gio-launch-desktop mr,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
@{lib}/* PUx,
/usr/games/* PUx,
/usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx,


@ -16,6 +16,8 @@ profile gnome-text-editor @{exec_path} {
@{exec_path} mr,
/usr/share/enchant-*/{,**} r,
owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw,
owner @{PROC}/@{pid}/mountinfo r,


@ -14,6 +14,7 @@ profile gvfsd-wsdd @{exec_path} {
@{exec_path} mr,
@{bin}/env r,
@{bin}/wsdd rPx,
@{run}/mount/utab r,


@ -15,7 +15,9 @@ profile nmcli @{exec_path} {
@{exec_path} mr,
@{bin}/less rCx -> pager,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
owner @{HOME}/.nm-vpngate/*.ovpn r,
owner @{HOME}/.cert/nm-openvpn/*.pem rw,
@ -26,16 +28,5 @@ profile nmcli @{exec_path} {
@{sys}/devices/virtual/net/{,**} r,
@{sys}/devices/@{pci}/net/*/{,**} r,
profile pager {
include <abstractions/base>
include <abstractions/consoles>
@{bin}/less mr,
owner @{HOME}/.lesshs* rw,
owner @{user_cache_dirs}/.lesshs* rw,
}
include if exists <local/nmcli>
}
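Review bot: The three `rPx -> child-pager` rules replace the local `profile pager {}` sub-profile with a named transition, so `less`, `more` and `pager` now only run if a profile called `child-pager` is loaded; AppArmor denies the exec when the target of an `rPx ->` rule is missing. Nothing in this commit's visible sections adds that profile, so presumably it already exists in the tree — worth confirming, along with it carrying the `@{HOME}/.lesshs*` and `@{user_cache_dirs}/.lesshs*` rules that the removed sub-profile granted. A comment such as `# Pagers are confined by the shared child-pager profile` would make the dependency explicit.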


@ -117,11 +117,6 @@ profile pacman @{exec_path} {
/usr/** rwlk -> /usr/**,
/var/** rwlk -> /var/**,
@{PROC}/ r,
@{run}/ r,
@{sys}/{,**} r,
/mnt r,
# Read packages files
@{user_pkg_dirs}/**/ r,
@{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r,
@ -132,13 +127,16 @@ profile pacman @{exec_path} {
owner @{tmp}/checkup-db-@{int}/db.lck rw,
@{run}/utmp rk,
@{sys}/{,**} r,
@{PROC}/@{pids}/ r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/stat r,
@{PROC}/1/environ r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/tty/drivers r,
@{PROC}/uptime r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,


@ -16,13 +16,14 @@ profile pacman-key @{exec_path} {
@{exec_path} mr,
@{bin}/{m,g,}awk rix,
@{bin}/basename rix,
@{bin}/bash rix,
@{bin}/chmod rix,
@{bin}/{m,g,}awk rix,
@{bin}/gettext rix,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/grep rix,
@{bin}/ngettext rix,
@{bin}/pacman-conf rPx,
@{bin}/touch rix,
@{bin}/tput rix,


@ -84,6 +84,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
@{etc_ro}/ssh/sshd_config.d/{,*} r,
/etc/ssh/ssh_host_* r,
/var/lib/lastlog/ r,
/var/lib/lastlog/* rwk,
/var/lib/wtmpdb/ r,
/var/lib/wtmpdb/* rwk,
# For scp
owner @{user_download_dirs}/{,**} rwl,
owner @{user_sync_dirs}/{,**} rwl,


@ -21,11 +21,6 @@ profile borg @{exec_path} {
network inet6 dgram,
network netlink raw,
mount fstype=fuse -> @{MOUNTS}/,
mount fstype=fuse -> @{MOUNTS}/*/,
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
@{exec_path} r,
@{bin}/ r,


@ -21,5 +21,7 @@ profile gdk-pixbuf-query-loaders @{exec_path} {
@{lib}/gdk-pixbuf-[0-9].@{int}/{,*}/loaders.cache.* rw,
@{lib}/gdk-pixbuf-[0-9].@{int}/*/loaders.cache rw,
/usr/share/gvfs/remote-volume-monitors/{,**} r,
include if exists <local/gdk-pixbuf-query-loaders>
}


@ -26,6 +26,9 @@ profile gpu-manager @{exec_path} {
/var/log/gpu-manager.log w,
@{sys}/devices/@{pci}/boot_vga r,
@{sys}/module/compression r,
@{PROC}/modules r,
@{PROC}/cmdline r,


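--- a/<dir-not-shown>/hostapd
+++ /dev/null
@@ -1,27 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# SPDX-License-Identifier: GPL-2.0-only
-abi <abi/3.0>,
-include <tunables/global>
-@{exec_path} = @{bin}/hostapd
-profile hostapd @{exec_path} {
-include <abstractions/base>
-include <abstractions/nameservice-strict>
-capability net_admin,
-capability net_raw,
-@{exec_path} mr,
-/dev/rfkill r,
-/etc/hostapd.conf r,
-/etc/hostapd/{,*} r,
-@{run}/hostapd/{,**} rw,
-@{run}/hostapd.pid rw,
-include if exists <local/hostapd>
-}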


@ -153,7 +153,7 @@ profile snapd @{exec_path} {
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
@{sys}/kernel/kexec_loaded r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@{sys}/kernel/security/apparmor/features/{,*/} r,
@{sys}/kernel/security/apparmor/features/{,**} r,
@{sys}/kernel/security/apparmor/profiles r,
@{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,


@ -41,7 +41,10 @@ profile spotify @{exec_path} {
owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm,
owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm,
owner @{tmp}/.org.chromium.Chromium.@{rand6}/*.crx3 rw,
owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw,
@{sys}/bus/ r,
@{sys}/bus/*/devices/ r,
@{PROC}/pressure/* r,


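--- /dev/null
+++ b/<dir-not-shown>/wsdd
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = @{bin}/wsdd
+profile wsdd @{exec_path} {
+include <abstractions/base>
+include <abstractions/python>
+@{exec_path} mr,
+@{bin}/env r,
+@{bin}/python3.@{int} rix,
+/etc/machine-id r,
+owner @{run}/user/@{uid}/gvfsd/wsdd w,
+include if exists <local/wsdd>
+}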
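Review bot: The new wsdd profile has no `network` rule; wsdd is a WS-Discovery responder and, if it opens the usual UDP and TCP sockets, `abstractions/base` alone does not grant socket access, so those operations will be logged as denials. The flags section at the end of this commit lists `wsdd complain`, so this will show up in the audit log rather than break the service for now, but before switching to enforce the required rules — e.g. `network inet dgram,` and `network inet6 dgram,`, plus the stream variants if the logs call for them — should be added. A one-line comment above the include lines noting that the profile is a first, complain-mode draft would set expectations for the next maintainer.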


@ -373,6 +373,7 @@ virtsecretd attach_disconnected,complain
virtstoraged attach_disconnected,complain
wg complain
wg-quick complain
wsdd complain
xdg-dbus-proxy attach_disconnected,complain
xdg-desktop-icon complain
xdg-desktop-portal-kde complain