Update profiles.

2024-11-15 07:54:17 +01:00 · 2022-02-08 18:16:45 +00:00 · 2022-02-08 18:16:45 +00:00 · 9ecc1aa240
commit 9ecc1aa240
parent 7274f98fa6
10 changed files with 33 additions and 14 deletions
--- a/apparmor.d/groups/bus/ibus-portal
+++ b/apparmor.d/groups/bus/ibus-portal
@ -20,8 +20,10 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
  /usr/share/locale/locale.alias r,

  /var/lib/dbus/machine-id r,
-  /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
-  owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
+  /var/lib/gdm/.config/ibus/bus/ r,
+  /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
+  owner @{user_config_dirs}/ibus/bus/ r,
+  owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,

  owner /dev/tty[0-9]* rw,
  /dev/null rw,
--- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer
+++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
@ -17,6 +17,7 @@ profile gnome-control-center-print-renderer @{exec_path} {

  @{exec_path} mr,

+  /usr/share/egl/{,**} r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/glvnd/egl_vendor.d/{,*.json} r,
  /usr/share/icons/{,**} r,
@ -25,6 +26,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
  /usr/share/X11/xkb/** r,

  owner @{user_cache_dirs}/mesa_shader_cache/index rw,
+  owner @{user_share_dirs}/icons/{,**} r,

  owner @{run}/user/@{uid}/gdm/Xauthority r,

--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -27,7 +27,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  # Full access to user's data
  / r,
  owner @{HOME}/{,**} rw,
-  owner @{MOUNTS}/*/{,**} rw,
+  owner @{MOUNTS}/{,**} r,
  owner @{run}/user/@{uid}/{,**} rw,
  owner /tmp/{,**} rw,

--- a/apparmor.d/groups/systemd/systemd-makefs
+++ b/apparmor.d/groups/systemd/systemd-makefs
@ -10,9 +10,17 @@ include <tunables/global>
 profile systemd-makefs @{exec_path} {
  include <abstractions/base>

+  capability net_admin,
+  capability sys_resource,
+
  @{exec_path} mr,

  /{usr/,}{s,}bin/mkswap     rPx,

+  @{sys}/devices/virtual/block/zram[0-9]*/ r,
+  @{sys}/devices/virtual/block/zram[0-9]*/** r,
+
+  /dev/zram[0-9]* rwk,
+
  include if exists <local/systemd-makefs>
 }
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -15,17 +15,17 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
  include <abstractions/consoles>
  include <abstractions/systemd-common>

-  # (##FIXME##)
-  capability sys_admin,
-  capability net_admin,
-  capability dac_read_search,
+  capability chown,
  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability fsetid,
+  capability mknod,
+  capability net_admin,
+  capability sys_admin,
+  capability sys_module,
  capability sys_ptrace,
  capability sys_resource,
-  capability chown,
-  capability fsetid,
-  capability sys_module,
-  capability mknod,

  ptrace (read),

--- a/apparmor.d/profiles-a-f/apparmor_parser
+++ b/apparmor.d/profiles-a-f/apparmor_parser
@ -16,6 +16,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {

  /etc/apparmor/{,**} r,
  /etc/apparmor.d/{,**} r,
+  /etc/apparmor.d/cache.d/{,**} rw,

  owner /var/cache/apparmor/{,**} rw,
  owner /var/lib/docker/tmp/docker-default[0-9]* r,
--- a/apparmor.d/profiles-a-f/auditd
+++ b/apparmor.d/profiles-a-f/auditd
@ -14,6 +14,7 @@ profile auditd @{exec_path} {
  capability audit_control,
  capability chown,
  capability fsetid,
+  capability sys_nice,
  capability sys_resource,

  network netlink raw,
@ -24,11 +25,13 @@ profile auditd @{exec_path} {

  /var/log/audit/{,**} rw,

+  @{run}/auditd.pid rw,
  @{run}/systemd/userdb/ r,

  owner @{PROC}/@{pid}/attr/current r,
  owner @{PROC}/@{pid}/loginuid r,
-  owner @{PROC}/@{pid}/oom_score_adj r,
+  owner @{PROC}/@{pid}/sessionid r,
+  owner @{PROC}/@{pid}/oom_score_adj rw,

  include if exists <local/auditd>
 }
--- a/apparmor.d/profiles-a-f/firecfg
+++ b/apparmor.d/profiles-a-f/firecfg
@ -23,6 +23,7 @@ profile firecfg @{exec_path} flags=(attach_disconnected) {

  /etc/login.defs r,
  /etc/firejail/firejail.users r,
+  /etc/firejail/firecfg.config r,

  /usr/local/bin/ r,
  /usr/local/bin/* rw,
--- a/apparmor.d/profiles-a-f/fusermount
+++ b/apparmor.d/profiles-a-f/fusermount
@ -38,6 +38,7 @@ profile fusermount @{exec_path} {
  umount @{MOUNTS}/*/*/,
  umount /tmp/.mount_*/,
  umount @{run}/user/@{uid}/doc/,
+  umount @{run}/user/@{uid}/gvfs/,

  /etc/fuse.conf r,

--- a/apparmor.d/profiles-s-z/syncthing
+++ b/apparmor.d/profiles-s-z/syncthing
@ -30,10 +30,11 @@ profile syncthing @{exec_path} {
  /etc/mime.types r,
  /usr/share/mime/globs2 r,

-  owner @{user_config_dirs}/syncthing/{,**} rwk,
+  owner @{HOME}/ r,
  owner @{HOME}/@{XDG_DATA_HOME}/syncthing/{,**} rwk,
+  owner @{user_config_dirs}/syncthing/{,**} rwk,

-  @{HOME}/ r,
+  /home/ r,
  @{user_sync_dirs}/{,**} rw,

  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,