From b793968690432186277080922a9a69a6360d2968 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 27 Mar 2023 21:42:13 +0100
Subject: [PATCH] feat(profiles): general update.
---
 apparmor.d/groups/children/child-open | 1 +
 apparmor.d/groups/gnome/gnome-shell | 2 +-
 apparmor.d/groups/pacman/mkinitcpio | 7 ++++++-
 .../groups/pacman/pacman-hook-mkinitcpio | 4 +++-
 apparmor.d/groups/systemd/systemd-sleep | 3 ++-
 apparmor.d/groups/systemd/systemd-sleep-tlp | 18 ++++++++++++++++++
 apparmor.d/profiles-a-f/file-roller | 13 ++++++++++++-
 7 files changed, 43 insertions(+), 5 deletions(-)
 create mode 100644 apparmor.d/groups/systemd/systemd-sleep-tlp
diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open
index 3bb56f49..49785fdd 100644
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@@ -64,6 +64,7 @@ profile child-open {
 /{usr/,}bin/eog rPUx,
 /{usr/,}bin/evince rPx,
 /{usr/,}bin/filezilla rPx,
+ /{usr/,}bin/file-roller rPUx,
 /{usr/,}bin/flameshot rPx,
 /{usr/,}bin/geany rPx,
 /{usr/,}bin/gnome-calculator rPUx,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 3973ccf6..38689586 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -555,7 +555,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
 owner @{HOME}/.var/app/**/ r,
- owner @{HOME}/.var/app/**/icons/**.{png,jpg} r,
+ owner @{HOME}/.var/app/**.{png,jpg} r,
 owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio
index 083b5688..232e4014 100644
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
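Review bot: The new `/{usr/,}bin/file-roller rPUx,` line lets the exec transition fall back to unconfined whenever no file-roller profile is loaded, whereas the neighbouring `evince` and `filezilla` entries use `rPx`; since this same commit ships and extends `apparmor.d/profiles-a-f/file-roller`, an unconfined fallback for a program whose job is parsing untrusted archives looks unnecessary. Suggest `/{usr/,}bin/file-roller rPx,`, or, if `PUx` is the project's deliberate choice for optional profiles, a short comment saying so next to the rule. The child-open profile block starts and ends outside this hunk.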
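Review bot: The replacement `owner @{HOME}/.var/app/**.{png,jpg} r,` widens read access from `icons/` subtrees to every PNG/JPEG anywhere under any Flatpak application's private data (caches, downloads, exported images), and nothing in the hunk records why the narrower removed rule was insufficient. If the motivation is icons that some apps store outside an `icons/` directory, a comment such as `# Flatpak apps may export icons outside icons/` would document the widening, or the rule could be kept to a known subtree. The impact is limited (read-only, `owner`-restricted), but it is still a least-privilege regression relative to the deleted line. The gnome-shell profile block starts and ends outside this hunk.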
@@ -21,12 +21,15 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
 @{exec_path} rmix,
+ /{usr/,}{s,}bin/ldconfig rix,
 /{usr/,}bin/{,ba}sh rix,
 /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/bsdtar rix,
 /{usr/,}bin/cat rix,
 /{usr/,}bin/cp rix,
 /{usr/,}bin/dd rix,
+ /{usr/,}bin/dirname rix,
+ /{usr/,}bin/fc-match rix,
 /{usr/,}bin/find rix,
 /{usr/,}bin/findmnt rPx,
 /{usr/,}bin/fsck rix,
@@ -35,12 +38,12 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/gzip rix,
 /{usr/,}bin/hexdump rix,
 /{usr/,}bin/install rix,
- /{usr/,}{s,}bin/ldconfig rix,
 /{usr/,}bin/ldd rix,
 /{usr/,}bin/ln rix,
 /{usr/,}bin/loadkeys rix,
 /{usr/,}bin/mktemp rix,
 /{usr/,}bin/mv rix,
+ /{usr/,}bin/od rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/realpath rix,
 /{usr/,}bin/rm rix,
@@ -52,6 +55,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/touch rix,
 /{usr/,}bin/tput rix,
 /{usr/,}bin/uname rix,
+ /{usr/,}bin/xargs rix,
 /{usr/,}bin/xz rix,
 /{usr/,}bin/zcat rix,
 /{usr/,}bin/zstd rix,
@@ -67,6 +71,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
 /{usr/,}lib{,32,64}/ld-*.so* rix,
 /etc/fstab r,
+ /etc/initcpio/{,**} r,
 /etc/locale.conf r,
 /etc/lvm/lvm.conf r,
 /etc/mkinitcpio.conf r,
diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
index 58c4fd8e..9dbef684 100644
--- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
+++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
@@ -27,11 +27,13 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/od rix,
 /{usr/,}bin/rm rix,
 /{usr/,}bin/sed rix,
+ /{usr/,}bin/sort rix,
+ /{usr/,}bin/stat rix,
 /usr/share/mkinitcpio/*.preset r,
 /etc/mkinitcpio.d/{,**} r,
- /etc/mkinitcpio.d/*.preset rw,
+ /etc/mkinitcpio.d/*.preset{,.pacsave} rw,
 / r,
 /boot/vmlinuz-* rw,
diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep
index fd861c57..fc524efb 100644
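Review bot: `/{usr/,}bin/fc-match rix,` runs fontconfig inside the mkinitcpio profile, and fc-match typically needs to read `/etc/fonts/**`, the installed font directories and `/var/cache/fontconfig/**` (and may attempt to rewrite a stale cache); this hunk adds no such rules, so unless an `include <abstractions/fonts>` already sits above the hunk the call will only succeed through denials in the audit log. Suggest adding `include <abstractions/fonts>`, or explicit `/etc/fonts/{,**} r,` and `/var/cache/fontconfig/{,**} r,` rules, next to the new line. The `ldconfig` line is only moved for sort order and needs no further attention. The mkinitcpio profile block starts and ends outside this hunk.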
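Review bot: `/etc/initcpio/{,**} r,` is documented nowhere in the hunk, yet the files it covers (`/etc/initcpio/install/*`, `/etc/initcpio/hooks/*`) are, as far as can be inferred from the `rix` rule on `bash` above, sourced by the shell running under this profile, so read access here is effectively code execution inside the mkinitcpio profile. That is acceptable because the directory is root-owned, but a comment such as `# local hooks, sourced by bash under this profile` would make the intent clear to the next maintainer and discourage loosening the rule to `rw`. The mkinitcpio profile block starts and ends outside this hunk.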
--- a/apparmor.d/groups/systemd/systemd-sleep
+++ b/apparmor.d/groups/systemd/systemd-sleep
@@ -19,11 +19,12 @@ profile systemd-sleep @{exec_path} {
 @{exec_path} mr,
+ /{usr/,}lib/systemd/system-sleep/grub2.sleep rPx,
 /{usr/,}lib/systemd/system-sleep/hdparm rPx,
 /{usr/,}lib/systemd/system-sleep/nvidia rPx,
 /{usr/,}lib/systemd/system-sleep/sysstat.sleep rPx,
+ /{usr/,}lib/systemd/system-sleep/tlp rPx,
 /{usr/,}lib/systemd/system-sleep/unattended-upgrades rPx,
- /{usr/,}lib/systemd/system-sleep/grub2.sleep rPx,
 /etc/systemd/sleep.conf r,
 /etc/systemd/sleep.conf.d/{,*} r,
diff --git a/apparmor.d/groups/systemd/systemd-sleep-tlp b/apparmor.d/groups/systemd/systemd-sleep-tlp
new file mode 100644
index 00000000..ce43be0e
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-sleep-tlp
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/systemd/system-sleep/tlp
+profile systemd-sleep-tlp @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/tlp rPUx,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller
index 7cfdbb94..14301316 100644
--- a/apparmor.d/profiles-a-f/file-roller
+++ b/apparmor.d/profiles-a-f/file-roller
@@ -17,7 +17,18 @@ profile file-roller @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/unzip rix,
+ # Archivers
+ /{usr/,}bin/7z rix,
+ /{usr/,}lib/p7zip/7z rix,
+ /{usr/,}bin/unrar-nonfree rix,
+ /{usr/,}bin/zip rix,
+ /{usr/,}bin/unzip rix,
+ /{usr/,}bin/tar rix,
+ /{usr/,}bin/xz rix,
+ /{usr/,}bin/bzip2 rix,
+ /{usr/,}bin/cpio rix,
+ /{usr/,}bin/gzip rix,
+ /{usr/,}bin/zstd rix,
 /usr/share/themes/{,**} r,
 /usr/share/X11/xkb/{,**} r,
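Review bot: `/{usr/,}bin/tlp rPUx,` in the new systemd-sleep-tlp profile lets the transition to tlp fall back to unconfined when no tlp profile is loaded, and because this hook is launched as root by systemd-sleep that fallback silently drops all confinement; if the tree has a tlp profile, `rPx` is the safer choice, otherwise a comment explaining why `PUx` is intended would help. `@{exec_path} mr,` is the only exec rule in the profile, so if `/usr/lib/systemd/system-sleep/tlp` is a shell script like the sibling hooks (not verifiable from the hunk), its interpreter will also need a rule such as `/{usr/,}bin/{,ba}sh rix,`. Finally, the hunk ends with `\ No newline at end of file`; the new file should get a trailing newline to match the other profiles.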
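Review bot: Every tool under the new `# Archivers` comment runs with `rix`, i.e. inside file-roller's own profile, so a memory-safety bug in `7z` or `unrar-nonfree` while parsing a malicious archive hands the attacker everything file-roller itself may reach (the user's home and whatever else the profile grants outside this hunk). If the decompressors do not need the GUI-side permissions, a child profile (`rCx`) restricted to reading the archive and writing the destination directory would contain them; at minimum a comment such as `# Archivers: parse untrusted input, inherit the full profile` records the trade-off. Separately, `unrar-nonfree` is the Debian binary name, while on Arch (which this commit also targets via the pacman hooks) the tool is typically `/usr/bin/unrar`, so `/{usr/,}bin/unrar{,-nonfree} rix,` would cover both. The file-roller profile block starts and ends outside this hunk.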