feat(profiles): general update.

This commit is contained in:
Alexandre Pujol 2022-06-26 16:40:48 +01:00
parent c04363c1b6
commit e69182e1df
9 changed files with 41 additions and 7 deletions


@ -24,10 +24,10 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
/usr/share/*/*.desktop r,
/var/lib/flatpak/{app/**,}exports/share/applications/{,**/} r,
/var/lib/flatpak/{app/**,}exports/share/applications/**.desktop r,
/var/lib/flatpak/{app/**,}exports/share/applications/.mimeinfo.cache.* rw,
/var/lib/flatpak/{app/**,}exports/share/applications/mimeinfo.cache w,
/var/lib/flatpak/{app/**/,}exports/share/applications/{,**/} r,
/var/lib/flatpak/{app/**/,}exports/share/applications/**.desktop r,
/var/lib/flatpak/{app/**/,}exports/share/applications/.mimeinfo.cache.* rw,
/var/lib/flatpak/{app/**/,}exports/share/applications/mimeinfo.cache w,
/var/lib/snapd/desktop/applications/{,**/} r,
/var/lib/snapd/desktop/applications/**.desktop r,


@ -18,6 +18,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
@{HOME}/@{XDG_DATA_HOME}/flatpak/db/gnome rw,
owner @{user_share_dirs}/flatpak/db/ rw,
owner @{user_share_dirs}/flatpak/db/.goutputstream-* rw,
owner @{user_share_dirs}/flatpak/db/background rw,
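Review bot: The added `owner @{user_share_dirs}/flatpak/db/background rw,` matches the `db/` and `.goutputstream-*` rules beside it, but the `db/gnome rw,` line two lines above still carries no `owner` qualifier and spells the path as `@{HOME}/@{XDG_DATA_HOME}` rather than `@{user_share_dirs}`. If the two forms resolve to the same directory (I cannot confirm that from this hunk), aligning it to `owner @{user_share_dirs}/flatpak/db/gnome rw,` would keep every write into the permission database limited to files the user owns. That line is context, so it is outside what this commit changes; the profile body continues beyond the hunk.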


@ -74,6 +74,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
@{run}/faillock/[a-zA-z0-9]* rwk,
@{run}/gdm/custom.conf r,
@{run}/systemd/sessions/* r,
@{run}/systemd/sessions/*.ref rw,
@{run}/systemd/users/@{uid} r,
@{run}/utmp rwk,
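Review bot: The new `@{run}/systemd/sessions/*.ref rw,` looks right for logind session reference files, but the `faillock` rule a few lines above uses the character class `[a-zA-z0-9]`, where `A-z` is almost certainly a typo for `A-Z`: in ASCII that range also admits `[`, `\`, `]`, `^`, `_` and the backtick, so the rule is a little wider than intended. Suggest `@{run}/faillock/[a-zA-Z0-9]* rwk,`. That line is context here, so it would be a separate change; the profile continues outside the hunk.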


@ -23,8 +23,9 @@ profile gnome-calendar @{exec_path} {
@{exec_path} mr,
/usr/share/libgweather/Locations.xml r,
/usr/share/egl/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/libgweather/Locations.xml r,
owner @{run}/user/@{uid}/gdm/Xauthority r,


@ -103,6 +103,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/snap/*/[0-9]*/*.png r,
/usr/share/backgrounds/{,**} r,
/usr/share/cups/data/testprint r,
/usr/share/egl/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/gnome-background-properties/{,**} r,
@ -123,8 +124,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/var/lib/snapd/desktop/icons/ r,
/var/cache/samba/ rw,
owner @{HOME}/.cat_installer/ca.pem r,
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
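Review bot: `/var/cache/samba/ rw,` grants write on the directory itself, which means creating and removing entries in a system-wide cache, and it has no `owner` qualifier; if gnome-control-center only needs to enumerate that directory, `/var/cache/samba/ r,` plus explicit `rw` rules for the specific files it writes would be the tighter form. The new line also sits after `/var/lib/snapd/desktop/icons/ r,`, breaking the sorted order of the neighbouring `/etc` and `/var/lib` rules; placing it directly after `/etc/machine-id r,` keeps the block ordered. The `owner @{HOME}/.cat_installer/ca.pem r,` read is fine as written. The header announces three additions in this hunk and only some new lines are distinguishable here, so part of the change may not be rendered; the profile continues outside the hunk.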


@ -15,6 +15,7 @@ profile tailscaled @{exec_path} {
capability dac_read_search,
capability mknod,
capability net_admin,
capability net_raw,
capability sys_ptrace,
network inet dgram,
@ -30,10 +31,14 @@ profile tailscaled @{exec_path} {
/{usr/,}bin/ip rix,
/{usr/,}{s,}bin/xtables-nft-multi rix,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/systemctl rCx -> systemctl,
/etc/iproute2/rt_tables r,
/etc/resolv.*.conf rw,
/etc/resolv.conf rw,
/etc/resolv.conf.*.tmp rw,
owner /var/lib/tailscale/{,**} rw,
owner @{run}/tailscale/{,**} rw,
@ -54,5 +59,21 @@ profile tailscaled @{exec_path} {
/dev/net/tun rw,
profile systemctl {
include <abstractions/base>
capability mknod,
capability net_admin,
network netlink raw,
ptrace (read),
/{usr/,}bin/systemctl mr,
/dev/net/tun rw,
}
include if exists <local/tailscaled>
}
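Review bot: The new local child profile `systemctl` carries `capability mknod,`, `capability net_admin,`, `network netlink raw,`, `ptrace (read),` and `/dev/net/tun rw,`, none of which systemctl itself has an obvious need for; the most plausible source is file descriptors and state tailscaled leaves open across the `rCx` exec (AppArmor re-validates inherited descriptors in the new profile), but the hunk does not say. A one-line justification on each non-obvious rule, e.g. `# tun fd inherited from tailscaled, not used by systemctl`, would let a later reviewer tell a needed grant from one copied out of a denial log, and if the descriptors can be closed at exec the child profile could shrink to `/{usr/,}bin/systemctl mr,` plus what systemctl genuinely touches. On the parent side, `/etc/resolv.*.conf rw,` and `/etc/resolv.conf.*.tmp rw,` together with `capability net_raw,` are consistent with the daemon managing DNS and raw sockets and look acceptable. The hunk header lists sixteen additions while nine new lines are visible here, so part of the child profile or the rules before it may be missing from this view.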


@ -225,7 +225,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
@{PROC}/mtrr w,
@{PROC}/sys/net/ipv{4,6}/** rw,
/dev/dri/ r, # include <abstractions/dri-common> ?
/dev/dri/ r,
/dev/hugepages/{,**} w,
/dev/kvm r,
/dev/mapper/ r,


@ -49,9 +49,13 @@ profile flatpak-system-helper @{exec_path} {
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpgsm mr,
/{usr/,}bin/gpg-agent rix,
owner /tmp/ostree-gpg-*/ r,
owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
owner @{PROC}/@{uid}/fd/ r,
}
include if exists <local/flatpak-system-helper>
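Review bot: `/{usr/,}bin/gpg-agent rix,` runs the agent under the caller's own rule set rather than a dedicated profile; the enclosing block's header is outside the hunk (the `}` before the `include if exists` suggests these lines belong to a child profile), so whether that inherited set is tight enough cannot be judged from here, and a comment stating why inheritance was chosen over `rCx` would help. The two `/tmp/ostree-gpg-*` rules are well formed: the `owner` qualifier means a directory pre-created by another user under the same predictable name is not accessible, and the `l -> /tmp/ostree-gpg-*/**` target keeps links inside that tree. Note that `gpgconf` and `gpgsm` just above are granted only `mr`, which does not permit executing them, so if gpg spawns them the same exec mode question applies to those context lines. The header announces four additions and three new lines are distinguishable here, so one added line may not be rendered.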


@ -10,6 +10,7 @@ include <tunables/global>
profile nvtop @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dri-enumerate>
include <abstractions/nameservice-strict>
include <abstractions/opencl-nvidia>
@ -25,6 +26,7 @@ profile nvtop @{exec_path} {
@{PROC}/@{pids}/stat r,
@{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r,
/dev/dri/ r,
/dev/nvidia-caps/{,nvidia-cap[0-9]*} rw,
include if exists <local/nvtop>
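Review bot: In `/dev/nvidia-caps/{,nvidia-cap[0-9]*} rw,` the empty alternative gives `rw` on the `/dev/nvidia-caps/` directory itself, whereas listing it only needs `r`; splitting it into `/dev/nvidia-caps/ r,` and `/dev/nvidia-caps/nvidia-cap[0-9]* rw,` confines the write to the capability nodes. Whether a monitoring tool needs write on those nodes at all is not something this hunk shows, so it is worth checking the denial that prompted the rule before keeping `w`. The added `include <abstractions/dri-enumerate>` may make the context line `/dev/dri/ r,` redundant, though I cannot confirm the abstraction's contents from here. The hunk header lists seven new lines and five are visible, and the profile's closing brace lies outside the hunk.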