feat(profile): general update.

see #416
2025-01-18 00:48:10 +01:00 · 2024-07-15 23:47:01 +01:00 · 2024-07-15 23:47:01 +01:00 · cb30dcc4bc
commit cb30dcc4bc
parent 960135e593
7 changed files with 21 additions and 25 deletions
--- a/apparmor.d/groups/cron/crontab
+++ b/apparmor.d/groups/cron/crontab
@ -25,6 +25,7 @@ profile crontab @{exec_path} {
  @{bin}/vim.*           rCx -> editor,

  /etc/cron.{allow,deny} r,
+  /etc/pam.d/* r,

        /var/spool/cron/ r,
        /var/spool/cron/crontabs/ rw,
@ -32,19 +33,18 @@ profile crontab @{exec_path} {

  owner @{tmp}/crontab.*/{,crontab} rw,

-
  profile editor {
    include <abstractions/base>
    include <abstractions/app/editor>

    capability fsetid,

+    /etc/cron.{allow,deny} r,
+
          /tmp/ r,
    owner @{tmp}/crontab.*/crontab rw,

-    # file_inherit
-    /etc/cron.{allow,deny} r,
-
+    include if exists <local/crontab_editor>
  }

  include if exists <local/crontab>
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -218,6 +218,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  /.flatpak-info r,
  /etc/fstab r,
  /etc/timezone r,
+  /etc/tpm2-tss/*.json r,
  /etc/udev/hwdb.bin r,
  /etc/xdg/menus/gnome-applications.menu r,

@ -249,10 +250,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {

  owner @{HOME}/.face r,
  owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
-  owner @{HOME}/.var/app/**/ r,
+  owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,
  owner @{HOME}/.var/app/**.{png,jpg,svg} r,
+  owner @{HOME}/.var/app/**/ r,
  owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
-  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw,

  owner @{user_games_dirs}/**.{png,jpg,svg} r,
  owner @{user_music_dirs}/**.{png,jpg,svg} r,
@ -282,6 +284,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{user_cache_dirs}/vlc/**/*.jpg r,

        @{run}/gdm{3,}/dbus/dbus-@{rand8} rw,
+  owner @{run}/user/@{uid}/app/*/*.@{rand6} r,
  owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
  owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
--- a/apparmor.d/groups/gnome/gsd-smartcard
+++ b/apparmor.d/groups/gnome/gsd-smartcard
@ -31,16 +31,16 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  /etc/{,opensc/}opensc.conf r,
-  /etc/tpm2-tss/* r,
+  /etc/tpm2-tss/* rk,

  /var/tmp/ r,
  /tmp/ r,

-  owner @{GDM_HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,
+  owner @{GDM_HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk,
  owner @{GDM_HOME}/greeter-dconf-defaults r,
  owner @{gdm_config_dirs}/dconf/user r,

-  owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,
+  owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk,

  owner /dev/tty@{int} rw,

--- a/apparmor.d/groups/network/dhcpcd
+++ b/apparmor.d/groups/network/dhcpcd
@ -39,20 +39,12 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) {
  @{bin}/sed                      rix,
  @{lib}/dhcpcd/dhcpcd-run-hooks  rix,

-  /var/lib/dhcpcd/*.lease{,6} rw,
-  /var/lib/dhcpcd/secret rw,
-
  /etc/dhcpcd.conf r,
  /etc/resolv.conf rw,

-  @{run}/dhcpcd/{.pid,pid} rwk,
-  @{run}/dhcpcd/{.sock,sock} w,
-  @{run}/dhcpcd/*.pid wk,
-  @{run}/dhcpcd/*.sock w,
-  @{run}/dhcpcd/hook-state/ rw,
-  @{run}/dhcpcd/hook-state/resolv.conf.*.{dhcp,link} rw,
-  @{run}/dhcpcd/hook-state/resolv.conf/ rw,
-  @{run}/dhcpcd/unpriv.sock w,
+  /var/lib/dhcpcd/** rw,
+
+  @{run}/dhcpcd/** rwk,

  @{run}/udev/data/n@{int} r,

--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@ -24,7 +24,7 @@ profile git @{exec_path} flags=(attach_disconnected) {
  network inet6 stream,
  network netlink raw,

-  signal (send) peer=aurpublish,
+  signal send peer=aurpublish,

  @{exec_path} mrix,

--- a/apparmor.d/profiles-m-r/nft
+++ b/apparmor.d/profiles-m-r/nft
@ -20,9 +20,9 @@ profile nft @{exec_path} {

  @{exec_path} mr,

-  owner /etc/iproute2/** r,
-
-  owner /etc/nftables/**.nft r,
+  /etc/iproute2/** r,
+  /etc/nftables.conf r,
+  /etc/nftables/{,**} r,

  @{PROC}/1/environ r,
  @{PROC}/cmdline r,
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@ -118,12 +118,13 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {

  @{sys}/bus/ r,
  @{sys}/bus/pci/slots/ r,
+  @{sys}/bus/pci/slots/@{int}/address r,
  @{sys}/class/ r,
  @{sys}/class/nvme-subsystem/ r,
  @{sys}/class/nvme/ r,
-  @{sys}/devices/@{pci}/uevent r,
  @{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w,
  @{sys}/devices/@{pci}/{ata,usb,mmc}[0-9]/{,**/}remove rw,
+  @{sys}/devices/@{pci}/uevent r,
  @{sys}/devices/virtual/bdi/**/read_ahead_kb r,
  @{sys}/devices/virtual/block/*/{,**} rw,
  @{sys}/devices/virtual/block/loop@{int}/uevent rw,