feat(profile): general update.

2025-01-18 17:08:09 +01:00 · 2024-02-07 13:50:40 +00:00 · 2024-02-07 13:50:40 +00:00 · cdaf72eb3d
commit cdaf72eb3d
parent 9b705ab76c
22 changed files with 31 additions and 63 deletions
--- a/apparmor.d/groups/bus/ibus-memconf
+++ b/apparmor.d/groups/bus/ibus-memconf
@ -17,6 +17,7 @@ profile ibus-memconf @{exec_path} {
  @{exec_path} mr,
  /etc/machine-id r,
  /var/lib/dbus/machine-id r,
  /var/lib/gdm{3,}/.config/ibus/bus/ r,
  /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
--- a/apparmor.d/groups/freedesktop/pipewire-media-session
+++ b/apparmor.d/groups/freedesktop/pipewire-media-session
@ -33,7 +33,7 @@ profile pipewire-media-session @{exec_path} {
  /usr/share/alsa-card-profile/{,**} r,
  /usr/share/pipewire/*.conf r,
  /usr/share/pipewire/media-session.d/{,**} r,
-  /usr/share/spa-*/bluez[0-9]*/{,*} r,
+  /usr/share/spa-*/bluez@{int}/{,*} r,
  /etc/pipewire/*.conf r,
  /etc/pipewire/media-session.d/*.conf r,
@ -48,7 +48,7 @@ profile pipewire-media-session @{exec_path} {
  owner @{user_config_dirs}/pipewire/** rw,
  owner @{user_config_dirs}/pulse/ rw,
-  owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
+  owner @{run}/user/@{uid}/pipewire-@{int} rw,
  @{run}/udev/data/c116:@{int} r,         # for ALSA
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@ -20,8 +20,7 @@ profile pulseaudio @{exec_path} {
  include <abstractions/bus/org.freedesktop.RealtimeKit1>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
-  include <abstractions/dri-common>
+  include <abstractions/dri>
  include <abstractions/dri-enumerate>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -82,7 +82,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  owner /tmp/icon* rw,
  owner @{run}/user/@{uid}/.flatpak/{,*/*} r,
-  owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
+  owner @{run}/user/@{uid}/pipewire-@{int} rw,
        @{PROC}/ r,
        @{PROC}/*/ r,
--- a/apparmor.d/groups/gnome/epiphany-search-provider
+++ b/apparmor.d/groups/gnome/epiphany-search-provider
@ -33,7 +33,7 @@ profile epiphany-search-provider @{exec_path} {
  owner @{user_share_dirs}/epiphany/{,**} rwk,
  owner /tmp/ContentRuleList@{rand6} rw,
-  owner /tmp/Serialized* rw, 
+  owner /tmp/Serialized* rw,
  @{sys}/devices/virtual/dmi/id/chassis_type r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.Epiphany.SearchProvider.slice/*/memory.* r,
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -87,7 +87,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/.pam_environment r,
  owner @{run}/systemd/seats/seat@{int} r,
-  owner @{run}/user/@{uid}/keyring/control rw, 
+  owner @{run}/user/@{uid}/keyring/control rw,
  @{run}/cockpit/active.motd r,
  @{run}/faillock/[a-zA-z0-9]* rwk,
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -72,7 +72,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  /usr/share/thumbnailers/{,*} r,
  /usr/share/wallpapers/{,**} r,
  /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
  /usr/share/zoneinfo/{,**} r,
  /etc/cups/client.conf r,
  /etc/machine-info r,
@ -111,7 +110,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
  owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w,
-  owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
+  owner @{run}/user/@{uid}/pipewire-@{int} rw,
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
        @{run}/cups/cups.sock rw,
        @{run}/samba/ rw,
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -115,8 +115,9 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  @{etc_ro}/xdg/autostart/{,*.desktop} r,
  /var/lib/gdm{3,}/.cache/gdm/Xauthority r,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
-  /var/lib/gdm{3,}/.config/dconf/user r,
+  /var/lib/gdm{3,}/.config/dconf/user rw,
  /var/lib/gdm{3,}/.config/gnome-session/ rw,
  /var/lib/gdm{3,}/.config/gnome-session/saved-session/ rw,
  /var/lib/gdm{3,}/.local/share/applications/{,**} r,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -249,7 +249,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /var/lib/gdm{3,}/.cache/ w,
  /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.@{md5}.x86_64-pc-linux-gnu rwk,
-  /var/lib/gdm{3,}/.cache/fontconfig/{,*} rwl, 
+  /var/lib/gdm{3,}/.cache/fontconfig/{,*} rwl,
  /var/lib/gdm{3,}/.cache/gstreamer-@{int}/ rw,
  /var/lib/gdm{3,}/.cache/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw,
  /var/lib/gdm{3,}/.cache/libgweather/ r,
--- a/apparmor.d/groups/grub/grub-mount
+++ b/apparmor.d/groups/grub/grub-mount
@ -15,7 +15,7 @@ profile grub-mount @{exec_path} {
  capability sys_admin,
-  mount fstype=fuse.grub-mount -> /var/lib/os-prober/mount/, 
+  mount fstype=fuse.grub-mount -> /var/lib/os-prober/mount/,
  umount /var/lib/os-prober/mount/,
  @{exec_path} mr,
--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
@ -16,7 +16,7 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
  @{lib}/netplan/generate  rix,
  @{bin}/udevadm           rCx -> udevadm,
-  @{bin}/systemctl         rCx -> systemctl, 
+  @{bin}/systemctl         rCx -> systemctl,
  /usr/share/netplan/{,**} r,
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -105,7 +105,6 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
        @{PROC}/@{pids}/fd/ r,
        @{PROC}/1/environ r,
        @{PROC}/cmdline r,
        @{PROC}/sys/kernel/ngroups_max r,
  owner @{PROC}/@{pid}/limits r,
  owner @{PROC}/@{pid}/loginuid rw,
  owner @{PROC}/@{pid}/mounts r,
--- a/apparmor.d/groups/systemd/systemd-user-generators-flatpak
+++ b/apparmor.d/groups/systemd/systemd-user-generators-flatpak
@ -1,16 +0,0 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{lib}/systemd/user-environment-generators/60-flatpak
 profile systemd-generator-user-environment-flatpak @{exec_path} {
  include <abstractions/base>
  @{exec_path} mr,
  include if exists <local/systemd-generator-user-environment-flatpak>
 }
--- a/apparmor.d/groups/whonix/torbrowser
+++ b/apparmor.d/groups/whonix/torbrowser
@ -92,7 +92,7 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
  owner /tmp/@{name}/* rwk,
  owner /tmp/Temp-@{uuid}/ rw,
  owner "/tmp/Tor Project*/" rw,
-  owner "/tmp/Tor Project*/**" rwk, 
+  owner "/tmp/Tor Project*/**" rwk,
  owner "/tmp/Tor Project*" rwk,
  @{run}/mount/utab r,
--- a/apparmor.d/profiles-g-l/gsettings
+++ b/apparmor.d/profiles-g-l/gsettings
@ -18,7 +18,7 @@ profile gsettings @{exec_path} {
  /usr/share/dconf/profile/gdm r,
  /usr/share/gdm/greeter-dconf-defaults r,
-  /var/lib/gdm{3,}/.config/dconf/user r,
+  /var/lib/gdm{3,}/.config/dconf/user rw,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,
  /dev/tty@{int} rw,
--- a/apparmor.d/profiles-g-l/ip
+++ b/apparmor.d/profiles-g-l/ip
@ -35,8 +35,8 @@ profile ip @{exec_path} flags=(attach_disconnected) {
  /etc/iproute2/{,**} r,
  /etc/netns/*/ r,
  owner @{run}/netns/ rw,
        @{run}/netns/* rw,
  owner @{run}/netns/ rw,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/net/dev_mcast r,
--- a/apparmor.d/profiles-m-r/mount-nfs
+++ b/apparmor.d/profiles-m-r/mount-nfs
@ -60,7 +60,6 @@ profile mount-nfs @{exec_path} flags=(complain) {
  owner @{run}/mount/utab{,.*} rw,
  owner @{run}/rpc.statd.lock wk,
        @{PROC}/filesystems r,
  owner @{PROC}/@{pid}/mountinfo r,
  include if exists <local/mount-nfs>
--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
@ -7,9 +7,6 @@ abi <abi/3.0>,
 include <tunables/global>
@{FIREFOX_BIN}  = @{lib}/firefox{,-esr}/firefox
@{FIREFOX_BIN} += /opt/firefox{,-esr}/firefox
@{exec_path} = @{bin}/qbittorrent
 profile qbittorrent @{exec_path} {
  include <abstractions/base>
@ -20,25 +17,17 @@ profile qbittorrent @{exec_path} {
  include <abstractions/bus/org.kde.StatusNotifierWatcher>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
-  include <abstractions/dri-common>
+  include <abstractions/desktop>
  include <abstractions/dri-enumerate>
  include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
+  include <abstractions/graphics>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
  include <abstractions/ibus>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/nvidia>
  include <abstractions/openssl>
  include <abstractions/private-files-strict>
  include <abstractions/qt5-compose-cache-write>
  include <abstractions/qt5-settings-write>
  include <abstractions/qt5>
  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>
  include <abstractions/wayland>
  include <abstractions/X-strict>
  signal send set=(term, kill) peer=qbittorrent//python3,
@ -82,21 +71,19 @@ profile qbittorrent @{exec_path} {
  @{bin}/python3.@{int}  rCx -> python, # For "search engine"
  # Allowed apps to open
  @{bin}/spacefm         rPx,
  @{bin}/smplayer        rPx,
  @{bin}/vlc             rPx,
  @{bin}/mpv             rPx,
  @{bin}/geany           rPx,
  @{bin}/viewnior       rPUx,
  @{bin}/qpdfview        rPx,
  @{bin}/ebook-viewer    rPx,
  @{bin}/geany           rPx,
  @{bin}/mpv             rPx,
  @{bin}/nautilus        rPx,
-  @{FIREFOX_BIN}         rPx,
+  @{bin}/qpdfview        rPx,
  @{bin}/smplayer        rPx,
  @{bin}/spacefm         rPx,
  @{bin}/viewnior       rPUx,
  @{bin}/vlc             rPx,
  @{browsers_path}       rPx,
  /usr/share/GeoIP/GeoIP.dat r,
  /usr/share/gvfs/remote-volume-monitors/{,*} r,
  /usr/share/hwdata/*.ids r,
  /usr/share/qt5ct/** r,
  owner @{user_cache_dirs}/ rw,
  owner @{user_cache_dirs}/#@{int} rw,
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@ -127,7 +127,7 @@ profile snapd @{exec_path} {
  /tmp/read-file[0-9]*/{,**} rw,
  /boot/ r,
-  /boot/grub/grubenv r, 
+  /boot/grub/grubenv r,
  / r,
  /home/ r,
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@ -40,6 +40,7 @@ profile spice-vdagent @{exec_path} {
  /etc/pipewire/client.conf r,
  /var/lib/gdm{3,}/.config/user-dirs.dirs r,
  /var/lib/nscd/passwd r,
  owner @{user_config_dirs}/user-dirs.dirs r,
--- a/apparmor.d/profiles-s-z/update-ca-certificates
+++ b/apparmor.d/profiles-s-z/update-ca-certificates
@ -36,9 +36,9 @@ profile update-ca-certificates @{exec_path} {
  @{bin}/wc         rix,
  @{lib}/ca-certificates/update.d/ r,
-  @{lib}/ca-certificates/update.d/* rix, 
+  @{lib}/ca-certificates/update.d/* rix,
  /etc/ca-certificates/update.d/ r,
-  /etc/ca-certificates/update.d/* rix, 
+  /etc/ca-certificates/update.d/* rix,
  /usr/share/p11-kit/modules/{,*} r,
@ -56,8 +56,6 @@ profile update-ca-certificates @{exec_path} {
        /tmp/ r,
  owner /tmp/ca-certificates{,.crt}.tmp.* rw,
  @{PROC}/filesystems r,
  /dev/tty rw,
  include if exists <local/update-ca-certificates>
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@ -38,7 +38,7 @@ profile wireplumber @{exec_path} {
  /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr,
  /usr/share/alsa-card-profile/{,**} r,
-  /usr/share/spa-*/bluez[0-9]*/{,*} r,
+  /usr/share/spa-*/bluez@{int}/{,*} r,
  /usr/share/wireplumber/{,**} r,
  /etc/machine-id r,