feat(profile): general update.

2024-11-15 07:54:17 +01:00 · 2024-03-01 22:35:49 +00:00 · 2024-03-01 22:35:49 +00:00 · 92a1d9f65f
commit 92a1d9f65f
parent 81c55160e6
8 changed files with 31 additions and 8 deletions
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@ -21,6 +21,11 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/audio>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
+  include <abstractions/bus/org.bluez>
+  include <abstractions/bus/org.freedesktop.Avahi>
+  include <abstractions/bus/org.freedesktop.hostname1>
+  include <abstractions/bus/org.freedesktop.RealtimeKit1>
+  include <abstractions/disks-read>
  include <abstractions/nameservice-strict>
  include <abstractions/video>

@ -31,7 +36,17 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {

  ptrace (read),

+  unix (bind) type=stream addr=@@{hex}/bus/systemd/bus-system,
+
  # dbus: own bus=session name=org.freedesktop.systemd1
+  # dbus: own bus=session name=org.freedesktop.ReserveDevice1.Audio@{int}
+  # dbus: own bus=session name=org.PulseAudio1
+  # dbus: own bus=session name=org.pulseaudio*
+
+  dbus send bus=session path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member=GetConnectionUnixUser
+       peer=(name=org.freedesktop.DBus, label=dbus-daemon),

  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@ -21,7 +21,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {

  @{exec_path} rmix,

-  @{bin}/{,ba}sh             rix,
+  @{sh_path}                 rix,
  @{bin}/{m,g,}awk           rix,
  @{bin}/bsdtar              rix,
  @{bin}/cat                 rix,
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -49,7 +49,7 @@ profile pacman @{exec_path} {
  @{bin}/gpgsm        rCx -> gpg,
  
  # Pacman hooks & install scripts
-  @{bin}/{,ba}sh                     rix,
+  @{sh_path}                         rix,
  @{bin}/appstreamcli                rPx,
  @{bin}/arch-audit                  rPx,
  @{bin}/archlinux-java              rPx,
--- a/apparmor.d/groups/systemd/busctl
+++ b/apparmor.d/groups/systemd/busctl
@ -10,7 +10,7 @@ include <tunables/global>
 profile busctl @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
-  include <abstractions/bus-session>
+  include <abstractions/bus-system>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/systemd-common>
@ -23,6 +23,7 @@ profile busctl @{exec_path} {
  unix (bind) type=stream addr=@@{hex}/bus/busctl/busctl,

  dbus eavesdrop bus=session,
+  dbus eavesdrop bus=system,

  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus.Monitoring
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@ -24,6 +24,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) {

  @{exec_path} rm,

+  @{sh_path}        rix,
+  @{bin}/as         rix,
  @{bin}/cat        rix,
  @{bin}/cp         rix,
  @{bin}/cut        rix,
@ -31,9 +33,11 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
  @{bin}/diff       rix,
  @{bin}/echo       rix,
  @{bin}/find       rix,
+  @{bin}/gcc        rix,
  @{bin}/getconf    rix,
  @{bin}/head       rix,
  @{bin}/kmod       rCx -> kmod,
+  @{bin}/ld         rix,
  @{bin}/ln         rix,
  @{bin}/ls         rix,
  @{bin}/lsb_release rPx -> lsb_release,
@ -42,16 +46,19 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
  @{bin}/mktemp     rix,
  @{bin}/mv         rix,
  @{bin}/nproc      rix,
+  @{bin}/objcopy    rix,
+  @{bin}/pahole     rix,
  @{bin}/pwd        rix,
  @{bin}/readlink   rix,
  @{bin}/rm         rix,
  @{bin}/rmdir      rix,
  @{bin}/sed        rix,
+  @{bin}/sleep      rix,
+  @{bin}/strip      rix,
  @{bin}/uname      rix,
  @{bin}/wc         rix,
  @{bin}/xargs      rix,
-  @{bin}/{,@{multiarch}-}* rix,
-  @{sh_path}        rix,
+  @{bin}/zstd       rix,
  @{bin}/{,e,f}grep rix,
  @{bin}/{,g,m}awk  rix,
  @{bin}/update-secureboot-policy rPUx,
--- a/apparmor.d/profiles-g-l/install-catalog
+++ b/apparmor.d/profiles-g-l/install-catalog
@ -14,7 +14,7 @@ profile install-catalog @{exec_path} {

  @{exec_path} mr,

-  @{bin}/{,ba}sh   rix,
+  @{sh_path}       rix,
  @{bin}/basename  rix,
  @{bin}/grep      rix,
  @{bin}/mv        rix,
--- a/apparmor.d/profiles-g-l/locale-gen
+++ b/apparmor.d/profiles-g-l/locale-gen
@ -17,7 +17,7 @@ profile locale-gen @{exec_path} {

  @{exec_path} mr,

-  @{bin}/{,ba}sh    rix,
+  @{sh_path}        rix,
  @{bin}/cat        rix,
  @{bin}/gzip       rix,
  @{bin}/localedef  rix,
--- a/apparmor.d/profiles-s-z/steam-game
+++ b/apparmor.d/profiles-s-z/steam-game
@ -115,7 +115,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
  / r,
  /{usr/,}{local/,} r,
  /{usr/,}{local/,}lib{,32,64}/ r,
-  /bindfile* rw,
+  /bindfile@{rand6} rw,
  /home/ r,
  /tmp/ r,