feat(profile): general update.

2025-01-18 00:48:10 +01:00 · 2023-12-03 16:57:50 +00:00 · 2023-12-03 16:57:50 +00:00 · dd1d9107e8
commit dd1d9107e8
parent 1edf507abf
13 changed files with 41 additions and 15 deletions
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -12,12 +12,12 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/apt-common>
  include <abstractions/bus/polkit>
-  include <abstractions/dbus-strict>
  include <abstractions/consoles>
+  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
-  include <abstractions/ssl_certs>
  include <abstractions/openssl>
  include <abstractions/python>
+  include <abstractions/ssl_certs>

  capability chown,
  capability dac_override,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -24,7 +24,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {

  dbus bind bus=session name=org.freedesktop.portal.Desktop,
  dbus (send, receive) bus=session path=/org/freedesktop/portal/desktop
-       interface=org.freedesktop.portal.Settings
+       interface=org.freedesktop.portal.Settings,
  dbus (send, receive) bus=session path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.DBus.Properties
       peer=(name=:*),
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@ -91,6 +91,9 @@ profile gnome-extension-ding @{exec_path} {
  /usr/share/thumbnailers/{,*.thumbnailer} r,
  /usr/share/X11/{,**} r,

+  /etc/pulse/client.conf r,
+  /etc/pulse/client.conf.d/{,*} r,
+
  /var/lib/snapd/desktop/icons/{,**} r,

  owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r,
@ -98,6 +101,13 @@ profile gnome-extension-ding @{exec_path} {

  owner @{user_share_dirs}/nautilus/scripts/ r,

+  owner @{user_config_dirs}/pulse/cookie rk,
+
+  /dev/shm/ r,
+
+  owner @{run}/user/@{uid}/pulse/ r,
+  owner @{run}/user/@{uid}/pulse/native rw,
+
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/stat r,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -58,7 +58,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),
  unix (send,receive) type=stream addr=none peer=(label=xkbcomp),
  unix (send,receive) type=stream addr=none peer=(label=xwayland),
-  unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon),
+  unix (send,receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon),

  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
@ -584,6 +584,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  owner /dev/shm/.org.chromium.Chromium.* rw,
  owner /dev/shm/wayland.mozilla.ipc.@{int} rw,

+        /tmp/dbus-@{rand8} rw,
  owner /tmp/.X[0-9]-lock rw,
  owner /tmp/[0-9A-Z]*.shell-extension.zip rw,
  owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw,
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -57,8 +57,10 @@ profile gnome-terminal-server @{exec_path} {
  /etc/pulse/client.conf.d/{,**} r,
  /etc/shells r,

+  owner @{user_cache_dirs}/event-sound-cache.tdb.@{md5}.@{multiarch} rwk,
+
  owner @{user_config_dirs}/*xdg-terminals.list* rw,
-  owner @{user_config_dirs}/pulse/cookie r,
+  owner @{user_config_dirs}/pulse/cookie rk,

  owner @{run}/user/@{uid}/pulse/ r,
  owner @{run}/user/@{uid}/pulse/native rw,
@ -67,6 +69,7 @@ profile gnome-terminal-server @{exec_path} {
  @{PROC}/@{pids}/cgroup r,

  /dev/ptmx rw,
+  /dev/shm/ r,

  include if exists <local/gnome-terminal-server>
 }
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -126,6 +126,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
  @{sys}/devices/virtual/tty/tty[0-9]*/active r,
  @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r,
  @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
  @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
  @{sys}/fs/cgroup/memory.max r,
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@ -14,8 +14,9 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
  include <abstractions/systemd-common>

  capability net_admin,
-  capability net_raw,
  capability net_bind_service,
+  capability net_broadcast,
+  capability net_raw,

  network inet dgram,
  network inet6 dgram,
--- a/apparmor.d/groups/ubuntu/apport
+++ b/apparmor.d/groups/ubuntu/apport
@ -16,6 +16,8 @@ profile apport @{exec_path} {

  capability fsetid,

+  ptrace (read) peer=snap.cups.cupsd,
+
  @{exec_path} mr,

  /usr/share/apport/ r,
@ -23,10 +25,13 @@ profile apport @{exec_path} {
        /var/crash/ rw,
  owner /var/log/apport.log rw,

-  @{PROC}/sys/fs/suid_dumpable w,
-  @{PROC}/sys/kernel/core_pattern r,
-  @{PROC}/sys/kernel/core_pattern w,
-  @{PROC}/sys/kernel/core_pipe_limit w,
+  @{run}/apport.lock rwk,
+
+        @{PROC}/sys/fs/suid_dumpable w,
+        @{PROC}/sys/kernel/core_pattern r,
+        @{PROC}/sys/kernel/core_pattern w,
+        @{PROC}/sys/kernel/core_pipe_limit w,
+  owner @{PROC}/@{pid}/stat r,

  include if exists <local/apport>
 }
--- a/apparmor.d/groups/ubuntu/apport-checkreports
+++ b/apparmor.d/groups/ubuntu/apport-checkreports
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = /usr/share/apport/apport-checkreports
-profile apport-checkreports @{exec_path} {
+profile apport-checkreports @{exec_path} flags=(attach_disconnected)  {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
@ -27,5 +27,7 @@ profile apport-checkreports @{exec_path} {

  /var/crash/ r,

+  @{run}/apport.lock rwk,
+
  include if exists <local/apport-checkreports>
 }
--- a/apparmor.d/profiles-a-f/e2scrub_all
+++ b/apparmor.d/profiles-a-f/e2scrub_all
@ -10,6 +10,7 @@ include <tunables/global>
 profile e2scrub_all @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/disks-read>
+  include <abstractions/nameservice-strict>

  capability sys_admin,
  capability sys_rawio,
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@ -50,8 +50,8 @@ profile snap @{exec_path} {
  @{bin}/systemctl        rPx -> child-systemctl,

  /snap/{,**} rw,
-  /snap/snapd/@{int}/usr/lib/snapd/snap-confine rPx,
-  @{lib}/snapd/snap-confine rPx,
+  /snap/snapd/@{int}/usr/lib/snapd/snap-confine rPx -> /snap/snapd/@{int}/usr/lib/snapd/snap-confine,
+  @{lib}/snapd/snap-confine rPx -> /usr/lib/snapd/snap-confine,

  @{lib_dirs}/snapd/snap-seccomp     rPx,
  @{lib_dirs}/snapd/snapd            rPx,
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@ -51,7 +51,8 @@ profile spice-vdagent @{exec_path} {

  owner @{user_config_dirs}/user-dirs.dirs r,

-  @{run}/spice-vdagentd/spice-vdagent-sock rw,
+        @{run}/spice-vdagentd/spice-vdagent-sock rw,
+  owner @{run}/user/@{uid}/pipewire-@{int} rw,

  @{sys}/devices/@{pci}/{device,vendor} r,

--- a/apparmor.d/profiles-s-z/wpa-supplicant
+++ b/apparmor.d/profiles-s-z/wpa-supplicant
@ -23,8 +23,9 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
  capability net_raw,
  capability sys_module,

-  network packet raw,
+  network netlink raw,
  network packet dgram,
+  network packet raw,

  dbus bind bus=system name=fi.w1.wpa_supplicant1,
  dbus receive bus=system path=/fi/w1/wpa_supplicant1