From e3f9013c3a6c069a4a3307837cdf65825138eb9d Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 15 Mar 2024 16:21:17 +0000
Subject: [PATCH] feat(profile): add some new profiles.
---
 apparmor.d/groups/gnome/deja-dup-monitor | 37 ++++++++++++++++++++++++
 apparmor.d/groups/gnome/gnome-recipes | 31 ++++++++++++++++++++
 apparmor.d/groups/gnome/gnome-tour | 20 +++++++++++++
 apparmor.d/groups/grub/grub-sort-version | 20 +++++++++++++
 apparmor.d/groups/ubuntu/apport | 5 ++--
 5 files changed, 111 insertions(+), 2 deletions(-)
 create mode 100644 apparmor.d/groups/gnome/deja-dup-monitor
 create mode 100644 apparmor.d/groups/gnome/gnome-recipes
 create mode 100644 apparmor.d/groups/gnome/gnome-tour
 create mode 100644 apparmor.d/groups/grub/grub-sort-version
diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor
new file mode 100644
index 00000000..3b0cdef1
--- /dev/null
+++ b/apparmor.d/groups/gnome/deja-dup-monitor
@@ -0,0 +1,37 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/deja-dup/deja-dup-monitor
+profile deja-dup-monitor @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+
+ # dbus: own bus=session name=org.gnome.DejaDup.Monitor
+ # dbus: talk bus=session name=org.gnome.DejaDup label=xdg-desktop-portal
+
+ dbus send bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=NetworkManager),
+
+ @{exec_path} mr,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ /var/tmp/ r,
+ /tmp/ r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/gnome/gnome-recipes b/apparmor.d/groups/gnome/gnome-recipes
new file mode 100644
index 00000000..55db2679
--- /dev/null
+++ b/apparmor.d/groups/gnome/gnome-recipes
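Review bot: `network netlink raw,` and the `/var/tmp/ r,` / `/tmp/ r,` directory reads in the deja-dup-monitor profile carry no comment saying what the monitor needs them for, and each widens what a compromised monitor can do (raw netlink sockets; listing every user's entries under the shared temp directories). Presumably the netlink socket backs the same connectivity check that the `dbus send ... label=NetworkManager` rule serves, and the temp listings are a mount-point probe, but that is inferred, not shown here; confirm against the observed denials. Suggest annotating both, e.g. `# netlink: network state, alongside the NetworkManager D-Bus query below — confirm` above the network rule and `# directory listing only, no file access — confirm why needed` above the two temp rules. If the listings turn out to be unneeded, dropping them is the safer default.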
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/gnome-recipes
+profile gnome-recipes @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ @{bin}/tar rix,
+
+ /usr/share/gnome-recipes/{,**} r,
+
+ owner @{user_cache_dirs}/gnome-recipes/{,**} rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/gnome/gnome-tour b/apparmor.d/groups/gnome/gnome-tour
new file mode 100644
index 00000000..44f87f32
--- /dev/null
+++ b/apparmor.d/groups/gnome/gnome-tour
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/gnome-tour
+profile gnome-tour @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/grub/grub-sort-version b/apparmor.d/groups/grub/grub-sort-version
new file mode 100644
index 00000000..d91ccffd
--- /dev/null
+++ b/apparmor.d/groups/grub/grub-sort-version
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/grub/grub-sort-version
+profile grub-sort-version @{exec_path} {
+ include
+ include
+ include if exists
+
+ capability dac_read_search,
+
+ @{exec_path} mr,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport
index db297ba3..09d2da63 100644
--- a/apparmor.d/groups/ubuntu/apport
+++ b/apparmor.d/groups/ubuntu/apport
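Review bot: `@{bin}/tar rix,` in the gnome-recipes profile runs tar with no comment on what it is invoked for, so a later reader cannot tell whether inheriting this profile (`ix`) rather than a dedicated child profile is the intended confinement. Because `ix` keeps tar under this profile's rules, anything it extracts can only be written where the profile already grants write, which in this hunk is `owner @{user_cache_dirs}/gnome-recipes/{,**} rw,`; that is a sound default for untrusted archives but worth stating so it is not loosened later. Suggest `# tar: presumably recipe import/export archives; ix keeps extraction under this profile's write rules — confirm` above the rule.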
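Review bot: `capability dac_read_search,` in the grub-sort-version profile is granted without a comment naming what the script must read, and this capability bypasses discretionary read/search permission checks on every file and directory, so it deserves a why-note more than any path rule in the profile. Suggest `# dac_read_search: <what it reads — e.g. entries not readable by the invoking user> — confirm` above the rule, and checking whether the denial that motivated it points to a specific path that a plain file rule could cover instead. The profile's own file rules here are only `@{exec_path} mr,`, so the need must come from the stripped includes or the capability; neither is visible on this page.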
@@ -28,8 +28,9 @@ profile apport @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{bin}/dpkg rPx,
- @{bin}/gdbus rix,
+ @{bin}/gdbus rix,
+ @{bin}/dpkg rPx -> child-dpkg,
+ @{bin}/dpkg-divert rPx -> child-dpkg-divert,
 /usr/share/apport/{,**} r,
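Review bot: `@{bin}/dpkg rPx -> child-dpkg,` and `@{bin}/dpkg-divert rPx -> child-dpkg-divert,` name transition targets that this commit does not add (the diffstat lists no `child-dpkg` or `child-dpkg-divert` file), so if either profile is not already defined elsewhere in the tree the exec should fail at runtime rather than fall back to the full dpkg profile; worth confirming both exist. Routing apport to reduced child profiles instead of the previous `rPx` into the full dpkg profile is a sensible tightening, and a one-line comment recording the intent would keep it from being reverted, e.g. `# apport only queries dpkg, so use the reduced child profiles — confirm`. The enclosing `profile apport` block starts and ends outside the hunk.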