diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd
new file mode 100644
index 00000000..a3f7c235
--- /dev/null
+++ b/apparmor.d/profiles-m-r/packagekitd
@@ -0,0 +1,65 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/packagekitd
+profile packagekitd @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/gpg rCx -> gpg,
+ /{usr/,}bin/gpgconf rCx -> gpg,
+ /{usr/,}bin/gpgsm rCx -> gpg,
+
+ /etc/pacman.conf r,
+ /etc/pacman.d//{,**} r,
+ /etc/PackageKit/{,**} r,
+
+ /var/cache/PackageKit/{,**} rw,
+ /var/cache/pacman/pkg/{,**} rw,
+ /var/lib/PackageKit/{,**} rwk,
+ /var/lib/pacman/{,**} rwk,
+ /var/log/*PackageKit.log rw,
+ /var/log/pacman.log rw,
+
+ owner /tmp/packagekit* rw,
+
+ @{run}/systemd/inhibit/*.ref rw,
+ owner @{run}/systemd/users/@{uid} r,
+
+ @{PROC}/@{pids}/cgroup r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ profile gpg {
+ include
+ include
+
+ capability dac_read_search,
+
+ /{usr/,}bin/gpg mr,
+ /{usr/,}bin/gpgconf mr,
+ /{usr/,}bin/gpgsm mr,
+
+ @{HOME}/@{XDG_GPG_DIR}/*.conf r,
+
+ owner /etc/pacman.d/gnupg/ r,
+ owner /etc/pacman.d/gnupg/** rwkl -> /tmp/ostree-gpg-*/**,
+
+ }
+
+ include if exists
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 694d16e9..352c12a5 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -119,6 +119,7 @@ networkd-dispatcher complain
 nft complain
 nmap complain
 nullmailer-send complain
+packagekitd attach_disconnected,complain
 pass complain
 pass-import complain
 pinentry complain
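Review bot: In the `gpg` child profile, `owner /etc/pacman.d/gnupg/** rwkl -> /tmp/ostree-gpg-*/**,` names a link target that no other rule in this profile references, and the `ostree-gpg` name looks like a leftover from a different profile rather than something pacman's keyring needs; as written it permits hard links between the pacman keyring directory and a subtree of world-writable `/tmp`, so unless that is a known gpg behaviour here the rule should shrink to `owner /etc/pacman.d/gnupg/** rwk,` or carry a comment explaining the target. Separately, `/etc/pacman.d//{,**} r,` has a doubled slash; the parser may well normalise it, but it reads as a typo and is clearer as `/etc/pacman.d/{,**} r,`. The `abi` and `include` lines have lost their bracketed targets in this rendering, so the abstractions the profile pulls in cannot be checked from the hunk.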