diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg
index 6aa98d84..d62e509e 100644
--- a/apparmor.d/groups/pacman/makepkg
+++ b/apparmor.d/groups/pacman/makepkg
@@ -52,6 +52,7 @@ profile makepkg @{exec_path} {
 owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
 owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 include if exists
 }
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index d90daf9b..c1dbb002 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -64,6 +64,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
 @{bin}/gdk-pixbuf-query-loaders rPx,
 @{bin}/getent rix,
 @{bin}/gettext rix,
+ @{bin}/ghc-pkg-@{version} rix,
 @{bin}/gio-querymodules rPx,
 @{bin}/glib-compile-schemas rPx,
 @{bin}/groupadd rPx,
@@ -99,6 +100,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
 @{bin}/vercmp rix,
 @{bin}/xmlcatalog rix,
 @{lib}/systemd/systemd-* rPx,
+ @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rix,
 @{lib}/vlc/vlc-cache-gen rPx,
 /opt/Mullvad*/resources/mullvad-setup rPx,
 /usr/share/code-features/patch.py rPx,
diff --git a/apparmor.d/groups/pacman/yay b/apparmor.d/groups/pacman/yay
new file mode 100644
index 00000000..8f280462
--- /dev/null
+++ b/apparmor.d/groups/pacman/yay
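Review bot: The new `@{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rix,` line in the second pacman hunk breaks the alphabetical order the surrounding list keeps; it belongs before `@{lib}/systemd/systemd-* rPx,` rather than after it (the first hunk places `@{bin}/ghc-pkg-@{version}` correctly between gettext and gio-querymodules). Both hunks use `rix`, so ghc-pkg inherits the whole pacman profile, including its attach_disconnected flag and every rPx transition it holds; that matches how getent, gettext, vercmp and xmlcatalog are handled in this file, but ghc-pkg presumably only needs the GHC package database under `@{lib}/ghc-@{version}/`, so a child profile would be the tighter choice if it turns out to exec anything beyond that. If `@{bin}/ghc-pkg-@{version}` is a wrapper that re-execs the `@{lib}` binary, a one-line comment saying so would explain why two rules are needed.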
@@ -0,0 +1,104 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/yay
+profile yay @{exec_path} {
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ @{editor_path} Cx -> editor,
+ @{bin}/git Cx -> git,
+ @{bin}/gpg{,2} Cx -> gpg,
+ @{bin}/makepkg Px,
+ @{bin}/pacman-conf Px,
+ @{bin}/sudo Cx -> sudo,
+
+ /var/lib/pacman/** r,
+
+ owner @{user_cache_dirs}/yay/ rw,
+ owner @{user_cache_dirs}/yay/** rwkl -> @{user_cache_dirs}/yay/**,
+
+ owner @{user_config_dirs}/yay/{,**} rw,
+
+ profile git {
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{bin}/git* mrix,
+ @{lib}/git{,-core}/git* mrix,
+
+ @{pager_path} rPx -> child-pager,
+ @{bin}/gpg{2,} rPx -> yay//gpg,
+
+ /usr/share/git{,-core}/{,**} r,
+
+ owner @{HOME}/.gitconfig r,
+ owner @{user_cache_dirs}/yay/ rw,
+ owner @{user_cache_dirs}/yay/** rwlk -> @{user_cache_dirs}/yay/**,
+ owner @{user_config_dirs}/git/{,*} r,
+
+ include if exists
+ }
+
+ profile editor {
+ include
+ include
+
+ owner @{user_cache_dirs}/yay/*/** rw,
+
+ include if exists
+ }
+
+ profile gpg {
+ include
+ include
+
+ @{bin}/gpg{,2} mr,
+ @{bin}/gpg-agent rPx,
+
+ owner @{HOME}/@{XDG_GPG_DIR}/ rw,
+ owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
+
+ include if exists
+ }
+
+ profile sudo {
+ include
+ include
+
+ capability sys_ptrace,
+
+ ptrace read peer=unconfined,
+
+ @{bin}/pacman Px,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/dists/flags/arch.flags b/dists/flags/arch.flags
index b94fae2c..e65ae552 100644
--- a/dists/flags/arch.flags
+++ b/dists/flags/arch.flags
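Review bot: The git child profile spells the same rules differently from the rest of the new file: `@{bin}/gpg{2,} rPx -> yay//gpg,` where the parent profile and the gpg child use `gpg{,2}`, and `rwlk` on its yay cache rule where the parent uses `rwkl`; both forms are equivalent, so normalising to `@{bin}/gpg{,2} rPx -> yay//gpg,` and `owner @{user_cache_dirs}/yay/** rwkl -> @{user_cache_dirs}/yay/**,` keeps the file consistent and greppable. The sudo child carries the broadest grant in the profile, `capability sys_ptrace,` together with `ptrace read peer=unconfined,`; since sudo's parent here is the confined yay process, the unconfined peer it needs to inspect is presumably outside this process tree, and a comment naming what sudo reads (or a narrower peer label, if one fits) would make the grant reviewable later. The include targets were stripped from this page, so I cannot tell whether one of the stripped includes already supplies those two rules. Note also that arch.flags puts this profile in complain mode, so none of the above is enforced yet on Arch.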
@@ -13,3 +13,4 @@ pacman-hook-mkinitcpio attach_disconnected,complain
 pacman-hook-perl complain
 pacman-hook-systemd attach_disconnected,complain
 pacman-key complain
+yay complain