fix: minor profiles fixes.

2024-11-14 23:43:56 +01:00 · 2023-09-10 12:41:47 +01:00 · 2023-09-10 12:41:47 +01:00 · b9fb4b72d2
commit b9fb4b72d2
parent 4f10cf802e
6 changed files with 11 additions and 8 deletions
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -31,7 +31,7 @@ profile systemd-journald @{exec_path} {
  @{run}/log/ rw,
  /{run,var}/log/journal/ rw,
  /{run,var}/log/journal/@{md5}/ rw,
-  /{run,var}/log/journal/@{md5}/* rw -> /{run,var}/log/journal/@{md5}/#@{int},
+  /{run,var}/log/journal/@{md5}/* rwl -> /{run,var}/log/journal/@{md5}/#@{int},

  owner @{run}/systemd/journal/{,**} rw,
  owner @{run}/systemd/notify rw,
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -119,7 +119,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {

  deny /apparmor/.null rw,

-  profile systemctl {
+  profile systemctl flags=(attach_disconnected,complain) {
    include <abstractions/base>
    include <abstractions/systemd-common>

--- a/apparmor.d/profiles-a-f/aa-enforce
+++ b/apparmor.d/profiles-a-f/aa-enforce
@ -19,7 +19,7 @@ profile aa-enforce @{exec_path} {
  @{bin}/ r,
  @{bin}/apparmor_parser     rPx,

-  /usr/share/terminfo/x/* r,
+  /usr/share/terminfo/{,**} r,

  /etc/apparmor/logprof.conf r,
  /etc/apparmor.d/{,**} rw,
--- a/apparmor.d/profiles-a-f/adduser
+++ b/apparmor.d/profiles-a-f/adduser
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -42,12 +43,12 @@ profile adduser @{exec_path} {
  /etc/adduser.conf r,
  /etc/skel/{,.*} r,

-  @{run}/adduser wk,
-
  # To create user dirs and copy files from /etc/skel/ to them
  @{HOME}/ rw,
  @{HOME}/.* w,
  /var/lib/*/{,*} rw,

+  @{run}/adduser wk,
+
  include if exists <local/adduser>
 }
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@ -102,6 +102,7 @@ profile snap @{exec_path} {
    owner @{HOME}/.snap/gnupg/ rw,
    owner @{HOME}/.snap/gnupg/** rwkl,

+    include if exists <local/snap_gpg>
  }

  include if exists <local/snap>
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@ -36,8 +36,8 @@ busctl complain
 cc-remote-login-helper complain
 cfdisk complain
 cgdisk complain
-chpasswd complain
 child-open complain
+chpasswd complain
 chronyd attach_disconnected,complain
 cockpit-askpass complain
 cockpit-bridge complain
@ -198,7 +198,7 @@ mke2fs complain
 ModemManager attach_disconnected,complain
 molly-guard complain
 mount attach_disconnected,complain
-multipath complain
+multipath attach_disconnected,complain
 multipathd complain
 mutter-x11-frames complain
 nautilus complain
@ -292,10 +292,11 @@ systemd-random-seed complain
 systemd-remount-fs complain
 systemd-resolve complain
 systemd-resolved attach_disconnected,complain
-systemd-sleep complain
 systemd-shutdown complain
+systemd-sleep complain
 systemd-timedated attach_disconnected,complain
 systemd-tty-ask-password-agent complain
+systemd-udevd attach_disconnected,complain
 systemd-update-done complain
 systemd-update-utmp complain
 systemd-user-generators-autostart complain