feat(profiles): general update.

2025-01-29 22:35:15 +01:00 · 2023-03-27 21:42:13 +01:00 · 2023-03-27 21:42:13 +01:00 · b793968690
commit b793968690
parent c7cf156de9
7 changed files with 43 additions and 5 deletions
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@ -64,6 +64,7 @@ profile child-open {
  /{usr/,}bin/eog              rPUx,
  /{usr/,}bin/evince            rPx,
  /{usr/,}bin/filezilla         rPx,
+  /{usr/,}bin/file-roller      rPUx,
  /{usr/,}bin/flameshot         rPx,
  /{usr/,}bin/geany             rPx,
  /{usr/,}bin/gnome-calculator rPUx,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -555,7 +555,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {

  owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
  owner @{HOME}/.var/app/**/ r,
-  owner @{HOME}/.var/app/**/icons/**.{png,jpg} r,
+  owner @{HOME}/.var/app/**.{png,jpg} r,
  owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,

--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@ -21,12 +21,15 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {

  @{exec_path} rmix,

+  /{usr/,}{s,}bin/ldconfig        rix,
  /{usr/,}bin/{,ba}sh             rix,
  /{usr/,}bin/{m,g,}awk           rix,
  /{usr/,}bin/bsdtar              rix,
  /{usr/,}bin/cat                 rix,
  /{usr/,}bin/cp                  rix,
  /{usr/,}bin/dd                  rix,
+  /{usr/,}bin/dirname             rix,
+  /{usr/,}bin/fc-match            rix,
  /{usr/,}bin/find                rix,
  /{usr/,}bin/findmnt             rPx,
  /{usr/,}bin/fsck                rix,
@ -35,12 +38,12 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/gzip                rix,
  /{usr/,}bin/hexdump             rix,
  /{usr/,}bin/install             rix,
-  /{usr/,}{s,}bin/ldconfig        rix,
  /{usr/,}bin/ldd                 rix,
  /{usr/,}bin/ln                  rix,
  /{usr/,}bin/loadkeys            rix,
  /{usr/,}bin/mktemp              rix,
  /{usr/,}bin/mv                  rix,
+  /{usr/,}bin/od                  rix,
  /{usr/,}bin/readlink            rix,
  /{usr/,}bin/realpath            rix,
  /{usr/,}bin/rm                  rix,
@ -52,6 +55,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/touch               rix,
  /{usr/,}bin/tput                rix,
  /{usr/,}bin/uname               rix,
+  /{usr/,}bin/xargs               rix,
  /{usr/,}bin/xz                  rix,
  /{usr/,}bin/zcat                rix,
  /{usr/,}bin/zstd                rix,
@ -67,6 +71,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
  /{usr/,}lib{,32,64}/ld-*.so*    rix,

  /etc/fstab r,
+  /etc/initcpio/{,**} r,
  /etc/locale.conf r,
  /etc/lvm/lvm.conf r,
  /etc/mkinitcpio.conf r,
--- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
+++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
@ -27,11 +27,13 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/od         rix,
  /{usr/,}bin/rm         rix,
  /{usr/,}bin/sed        rix,
+  /{usr/,}bin/sort       rix,
+  /{usr/,}bin/stat       rix,

  /usr/share/mkinitcpio/*.preset r,

  /etc/mkinitcpio.d/{,**} r,
-  /etc/mkinitcpio.d/*.preset rw,
+  /etc/mkinitcpio.d/*.preset{,.pacsave} rw,

  / r,
  /boot/vmlinuz-* rw,
--- a/apparmor.d/groups/systemd/systemd-sleep
+++ b/apparmor.d/groups/systemd/systemd-sleep
@ -19,11 +19,12 @@ profile systemd-sleep @{exec_path} {

  @{exec_path} mr,

+  /{usr/,}lib/systemd/system-sleep/grub2.sleep          rPx,
  /{usr/,}lib/systemd/system-sleep/hdparm               rPx,
  /{usr/,}lib/systemd/system-sleep/nvidia               rPx,
  /{usr/,}lib/systemd/system-sleep/sysstat.sleep        rPx,
+  /{usr/,}lib/systemd/system-sleep/tlp                  rPx,
  /{usr/,}lib/systemd/system-sleep/unattended-upgrades  rPx,
-  /{usr/,}lib/systemd/system-sleep/grub2.sleep          rPx,

  /etc/systemd/sleep.conf r,
  /etc/systemd/sleep.conf.d/{,*} r,
--- a/apparmor.d/groups/systemd/systemd-sleep-tlp
+++ b/apparmor.d/groups/systemd/systemd-sleep-tlp
@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/systemd/system-sleep/tlp
+profile systemd-sleep-tlp @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/tlp rPUx,
+
+  include if exists <local/systemd-sleep-tlp>
+}
--- a/apparmor.d/profiles-a-f/file-roller
+++ b/apparmor.d/profiles-a-f/file-roller
@ -17,7 +17,18 @@ profile file-roller @{exec_path} {

  @{exec_path} mr,

-  /{usr/,}bin/unzip  rix,
+  # Archivers
+  /{usr/,}bin/7z            rix,
+  /{usr/,}lib/p7zip/7z      rix,
+  /{usr/,}bin/unrar-nonfree rix,
+  /{usr/,}bin/zip           rix,
+  /{usr/,}bin/unzip         rix,
+  /{usr/,}bin/tar           rix,
+  /{usr/,}bin/xz            rix,
+  /{usr/,}bin/bzip2         rix,
+  /{usr/,}bin/cpio          rix,
+  /{usr/,}bin/gzip          rix,
+  /{usr/,}bin/zstd          rix,

  /usr/share/themes/{,**} r,
  /usr/share/X11/xkb/{,**} r,