feat(profiles): general update.

2025-01-30 14:55:15 +01:00 · 2022-07-18 23:57:25 +01:00 · 2022-07-18 23:57:25 +01:00 · 9692926752
commit 9692926752
parent 2ec802d40d
13 changed files with 30 additions and 26 deletions
--- a/apparmor.d/abstractions/dbus-session-strict.d/complete
+++ b/apparmor.d/abstractions/dbus-session-strict.d/complete
@ -2,13 +2,10 @@
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

-  unix (connect, send, receive, accept)
-       type=stream
-       addr="@/tmp/dbus-*",
+  unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*",
+  unix (bind, listen) type=stream addr="@/tmp/dbus-*",

-  unix (connect, receive, send, accept)
-       type=stream
-       peer=(addr="@/tmp/dbus-*"),
+  unix (connect, receive, send, accept) type=stream peer=(addr="@/tmp/dbus-*"),

  owner @{run}/user/@{uid}/at-spi/ rw,
  owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
--- a/apparmor.d/abstractions/lxc/start-container
+++ b/apparmor.d/abstractions/lxc/start-container
@ -11,7 +11,7 @@
  # currently blocked by apparmor bug
  mount -> /usr/lib*/*/lxc/{**,},
  mount -> /usr/lib*/lxc/{**,},
-  mount -> /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},
+  mount -> /usr/lib/@{multiarch}/lxc/rootfs/{,**},
  mount fstype=devpts -> /dev/pts/,
  mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
  mount options=bind /dev/pts/** -> /dev/**,
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -29,6 +29,8 @@ profile apt @{exec_path} flags=(attach_disconnected) {

  signal (send) peer=apt-methods-*,

+  unix (receive, send) type=stream peer=(label=apt-esm-json-hook),
+
  dbus send bus=system path=/org/freedesktop/PackageKit
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -34,11 +34,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
       interface=org.freedesktop.login[0-9].Manager
       member=Inhibit,

-  dbus receive bus=system path=/org/freedesktop/NetworkManager
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll,
-
-  dbus receive bus=system path=/org/freedesktop/NetworkManager
+  dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager
       interface=org.freedesktop.DBus.Properties
       member={PropertiesChanged,GetAll},

--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@ -46,6 +46,8 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
  /{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd  rPUx,
  /{usr/,}lib/@{multiarch}/tumbler-1/tumblerd    rPUx,

+  /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
+
  /etc/dbus-1/{,**} r,

  /usr/share/dbus-1/{,**} r,
--- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
@ -17,6 +17,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {

  signal (receive) set=(term hup kill) peer=dbus-daemon,
  signal (receive) set=(term hup kill) peer=gdm*,
+  signal (receive) set=(term hup kill) peer=gnome-session-binary,
  signal (send)    set=(term hup kill) peer=dbus-daemon,

  network inet stream,
--- a/apparmor.d/groups/freedesktop/geoclue
+++ b/apparmor.d/groups/freedesktop/geoclue
@ -51,7 +51,7 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {

  dbus receive bus=system path=/org/freedesktop/NetworkManager
       interface=org.freedesktop.NetworkManager
-       member={CheckPermissions,StateChanged},
+       member={CheckPermissions,StateChanged,PropertiesChanged},

  dbus bind bus=system 
       name=org.freedesktop.GeoClue2,
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -25,8 +25,9 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  network inet6 dgram,
  network netlink raw,

-  signal (send) set=(term) peer=gsd-*,
  signal (receive) set=(term, hup) peer=gdm*,
+  signal (send) set=(term) peer=at-spi-bus-launcher,
+  signal (send) set=(term) peer=gsd-*,

  dbus send bus=system path=/org/freedesktop/login[0-9]
       interface=org.freedesktop.login[0-9].Manager
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -124,7 +124,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js rPx,

  /opt/*/**/*.png r,
-  /snap/*/@{uid}/*.png r,
+  /snap/*/@{uid}/**.png r,
  /usr/share/backgrounds/{,**} r,
  /usr/share/dconf/profile/gdm r,
  /usr/share/desktop-directories/{,*.directory} r,
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@ -18,18 +18,13 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {

  signal (receive) set=(term, hup) peer=gdm*,

+  dbus (send, receive) bus=system path=/org/freedesktop/ColorManager
+       interface=org.freedesktop.ColorManager,
+
  dbus send bus=system path=/org/freedesktop/ColorManager{,/devices/xrandr_*}
       interface=org.freedesktop.DBus.Properties
       member=GetAll,

-  dbus send bus=system path=/org/freedesktop/ColorManager
-       interface=org.freedesktop.ColorManager
-       member={FindDeviceByProperty,GetDevices,CreateDevice},
-
-  dbus receive bus=system path=/org/freedesktop/ColorManager
-       interface=org.freedesktop.ColorManager
-       member={DeviceAdded,ProfileAdded},
-
  @{exec_path} mr,

  /usr/share/dconf/profile/gdm r,
--- a/apparmor.d/groups/ubuntu/apt-esm-json-hook
+++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook
@ -11,6 +11,8 @@ profile apt-esm-json-hook @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>

+  unix (receive, send) type=stream peer=(label=apt),
+
  @{exec_path} mr,

  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
--- a/apparmor.d/groups/ubuntu/software-properties-gtk
+++ b/apparmor.d/groups/ubuntu/software-properties-gtk
@ -21,6 +21,7 @@ profile software-properties-gtk @{exec_path} {
  /{usr/,}bin/aplay                    rPx,
  /{usr/,}bin/apt-key                  rPx,
  /{usr/,}bin/dpkg                     rPx -> child-dpkg,
+  /{usr/,}bin/ischroot                 rix,
  /{usr/,}bin/lsb_release              rPx -> lsb_release,
  /{usr/,}bin/ubuntu-advantage         rPx,

--- a/apparmor.d/profiles-g-l/hugo
+++ b/apparmor.d/profiles-g-l/hugo
@ -10,23 +10,30 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/hugo
 profile hugo @{exec_path} {
  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+  include <abstractions/ssl_certs>

  network inet stream,
  network inet6 stream,

  @{exec_path} mr,

-  /{usr/,}bin/git rPx,
+  /{usr/,}bin/git                       rix,
+  /{usr/,}lib/go/bin/go                 rix,
+  /{usr/,}lib/git-core/git-remote-http  rix,

+  /usr/share/git-core/{,**} r,
  /usr/share/mime/{,**} r,
+  /usr/share/terminfo/x/xterm-256color r,

  /etc/mime.types r,

  owner @{user_projects_dirs}/{,**} rw,
  owner @{user_projects_dirs}/**/.hugo_build.lock rwk,
+  owner @{user_projects_dirs}/**/go.{mod,sum} rwk,

-  owner /tmp/hugo_cache/ rw,
-  owner /tmp/hugo_cache/**/ rw,
+  owner /tmp/hugo_cache/{,**} rwk,
+  owner /tmp/go-codehost-[0-9]* rw,

  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,