feat(profile): small profile update.

2024-12-26 06:58:00 +01:00 · 2024-11-11 22:18:39 +00:00 · 2024-11-11 22:18:39 +00:00 · 9a3adc66d0
commit 9a3adc66d0
parent 0206e04b3f
6 changed files with 9 additions and 3 deletions
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@ -186,6 +186,7 @@
        @{PROC}/ r,
        @{PROC}/@{pid}/fd/ r,
        @{PROC}/@{pid}/stat r,
+        @{PROC}/@{pid}/statm r,
        @{PROC}/@{pid}/task/@{tid}/status r,
        @{PROC}/pressure/{memory,cpu,io} r,
        @{PROC}/sys/fs/inotify/max_user_watches r,
@ -201,7 +202,6 @@
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/oom_{,score_}adj rw,
  owner @{PROC}/@{pid}/setgroups w,
-  owner @{PROC}/@{pid}/statm r,
  owner @{PROC}/@{pid}/task/ r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@ -41,6 +41,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
  @{bin}/flatpak         rPUx,
  @{bin}/fusermount{,3}  rCx -> fusermount,

+              / r,
  owner @{att}/ r,
  owner @{att}/.flatpak-info r,

--- a/apparmor.d/groups/gnome/loupe
+++ b/apparmor.d/groups/gnome/loupe
@ -30,6 +30,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) {

  / r,

+  owner @{user_cache_dirs}/glycin/{,**} rw,
+
  @{run}/mount/utab r,

  @{sys}/fs/cgroup/user.slice/cpu.max r,
@ -51,7 +53,9 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
    signal (receive) set=(kill) peer=loupe,

    @{bin}/bwrap mr,
-    @{lib}/glycin-loaders/*/glycin-image-rs rix,
+    @{lib}/glycin-loaders/*/glycin-* rix,
+
+    owner @{PROC}/@{pid}/fd/ r,

    deny @{user_share_dirs}/gvfs-metadata/* r,

--- a/apparmor.d/profiles-a-f/cctk
+++ b/apparmor.d/profiles-a-f/cctk
@ -11,6 +11,7 @@ profile cctk @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>

+  capability dac_read_search,
  capability mknod,
  capability sys_admin,
  capability sys_rawio,
--- a/apparmor.d/profiles-g-l/libreoffice
+++ b/apparmor.d/profiles-g-l/libreoffice
@ -84,6 +84,7 @@ profile libreoffice @{exec_path} {

  owner @{tmp}/ r,
  owner @{tmp}/.java_pid@{int}{,.tmp} rw,
+  owner @{tmp}/@{hex} rw,
  owner @{tmp}/@{rand6} rwk,
  owner @{tmp}/@{u64} rw,
  owner @{tmp}/*.tmp/{,**} rwk,
--- a/apparmor.d/profiles-s-z/scrcpy
+++ b/apparmor.d/profiles-s-z/scrcpy
@ -25,7 +25,6 @@ profile scrcpy @{exec_path} {
  @{bin}/adb  rPx,

  /usr/share/scrcpy/{,*} r,
-  /usr/share/icons/{,**} r,

  /etc/machine-id r,