feat(profiles): small profiles update.

2025-01-18 08:58:15 +01:00 · 2023-03-29 23:55:43 +01:00 · 2023-03-29 23:55:43 +01:00 · cbc1d8faf3
commit cbc1d8faf3
parent f3d4912be8
8 changed files with 23 additions and 8 deletions
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -86,10 +86,11 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  /usr/share/icu/{,**} r,
  /usr/share/X11/xkb/** r,
-  /var/lib/gdm{3,}/greeter-dconf-defaults r,
+  /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
  /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,
  /tmp/ r,
  /var/tmp/ r,
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@ -45,6 +45,9 @@ profile gpg @{exec_path} {
  owner /var/lib/*/.gnupg/ rw,
  owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**,
  owner /tmp/ostree-gpg-*/ r,
  owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
  owner /tmp/tmp.[a-zA-Z0-9]* rw,
  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/groups/grub/grub-mkrelpath
+++ b/apparmor.d/groups/grub/grub-mkrelpath
@ -21,6 +21,11 @@ profile grub-mkrelpath @{exec_path} {
  / r,
  /usr/share/grub/* r,
  /boot/grub/themes/{,**} r,
  /tmp/grub-btrfs.*/@snapshots/[0-9]*/snapshot/boot/ r,
  /tmp/grub-btrfs.*/ r,
  @{PROC}/@{pids}/mountinfo r,
  include if exists <local/grub-mkrelpath>
--- a/apparmor.d/groups/grub/grub-probe
+++ b/apparmor.d/groups/grub/grub-probe
@ -25,6 +25,8 @@ profile grub-probe @{exec_path} {
  / r,
  /usr/share/grub/* r,
  /boot/grub/themes/{,**} r,
  @{PROC}/@{pids}/mountinfo r,
  @{PROC}/devices r,
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /opt/Mullvad*/mullvad-gui
-profile mullvad-gui @{exec_path} {
+profile mullvad-gui @{exec_path} flags=(attach_disconnected)  {
  include <abstractions/base>
  include <abstractions/chromium-common>
  include <abstractions/dconf-write>
@ -52,9 +52,12 @@ profile mullvad-gui @{exec_path} {
  owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw,
  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
  @{run}/systemd/inhibit/*.ref rw,
  @{sys}/bus/pci/devices/ r,
  @{sys}/devices/virtual/tty/tty[0-9]*/active r,
  @{sys}/devices/pci[0-9]*/**/{vendor,device,class,config,resource,irq} r,
  @{sys}/devices/system/cpu/** r,
  @{sys}/devices/virtual/tty/tty[0-9]*/active r,
        @{PROC}/ r,
        @{PROC}/sys/fs/inotify/max_user_watches r,
--- a/apparmor.d/groups/virt/containerd-shim-runc-v2
+++ b/apparmor.d/groups/virt/containerd-shim-runc-v2
@ -48,6 +48,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  @{PROC}/@{pids}/cgroup r,
  @{PROC}/@{pids}/mountinfo r,
  @{PROC}/@{pids}/oom_score_adj rw,
  @{PROC}/sys/net/core/somaxconn r,
--- a/apparmor.d/profiles-a-f/augenrules
+++ b/apparmor.d/profiles-a-f/augenrules
@ -23,7 +23,7 @@ profile augenrules @{exec_path} {
  /{usr/,}bin/mktemp    rix,
  /{usr/,}bin/rm        rix,
-  /etc/audit/audit.rules r,
+  /etc/audit/audit.rules rw,
  /etc/audit/rules.d/ r,
  owner /tmp/aurules.* rw,
--- a/apparmor.d/profiles-m-r/os-prober
+++ b/apparmor.d/profiles-m-r/os-prober
@ -52,9 +52,9 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
  @{MOUNTS}/ r,
  / r,
-  /boot/ r,
+  /boot/{efi/,} r,
-  /boot/EFI/ r,
+  /boot/{efi/,}EFI/ r,
-  /boot/EFI/*/ r,
+  /boot/{efi/,}EFI/*/ r,
  owner /tmp/os-prober.*/{,**} rw,