feat(profiles): general update.

2025-02-20 08:55:34 +01:00 · 2022-07-03 20:27:48 +01:00 · 2022-07-03 20:27:48 +01:00 · f6de2fbe7a
commit f6de2fbe7a
parent 9b84ded0c2
28 changed files with 81 additions and 46 deletions
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@ -38,7 +38,7 @@ profile dpkg-preconfigure @{exec_path} {
  owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk,
  owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,

-  owner @{run}/user/@{uid}/pk-debconf-socket rw,
+  @{run}/user/@{uid}/pk-debconf-socket rw,

  # The following is needed when dpkg-preconfigure uses debcconf GUI frontends.
  include <abstractions/gtk>
--- a/apparmor.d/groups/freedesktop/geoclue
+++ b/apparmor.d/groups/freedesktop/geoclue
@ -41,6 +41,10 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
       interface=org.freedesktop.DBus.Properties
       member={GetAll,PropertiesChanged},

+  dbus receive bus=system path=/
+       interface=org.freedesktop.Avahi.Server
+       member=StateChanged,
+
  dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9]
       interface=org.freedesktop.Avahi.ServiceBrowser
       member={AllForNow,CacheExhausted},
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@ -18,6 +18,7 @@ profile plymouthd @{exec_path} {

  signal (send) peer=unconfined,

+  unix type=stream addr="@/org/freedesktop/plymouthd",
  unix type=stream peer=(addr="@/org/freedesktop/plymouthd"),

  @{exec_path} mr,
@ -27,6 +28,7 @@ profile plymouthd @{exec_path} {
  /etc/default/keyboard r,

  @{run}/udev/data/+drm:* r,
+  @{run}/udev/data/c226:* r,

  @{sys}/bus/ r,
  @{sys}/class/ r,
@ -38,6 +40,8 @@ profile plymouthd @{exec_path} {
  @{PROC}/cmdline r,

  /dev/dri/card[0-9]* rw,
+  /dev/ptmx rw,
+  /dev/tty[0-9]* rw,

  include if exists <local/plymouthd>
 }
--- a/apparmor.d/groups/freedesktop/upowerd
+++ b/apparmor.d/groups/freedesktop/upowerd
@ -34,7 +34,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {

  dbus receive bus=system path=/org/freedesktop/login[0-9]
       interface=org.freedesktop.login[0-9].Manager
-       member={SessionNew,PrepareForShutdown},
+       member={SessionNew,SessionRemoved,PrepareForShutdown},

  dbus bind bus=system 
       name=org.freedesktop.UPower,
--- a/apparmor.d/groups/gnome/gnome-characters-backgroudservice
+++ b/apparmor.d/groups/gnome/gnome-characters-backgroudservice
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{exec_path} =   /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService
+@{exec_path} = /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService
 profile gnome-characters-backgroudservice @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -61,7 +61,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {

  dbus send bus=system path=/org/freedesktop/Accounts
       interface=org.freedesktop.Accounts
-       member=ListCachedUsers,
+       member={ListCachedUsers,FindUserById},

  dbus send bus=system path=/net/hadess/SwitcherooControl
       interface=org.freedesktop.DBus.Properties
@ -107,7 +107,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  /usr/share/egl/{,**} r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gnome-background-properties/{,**} r,
-  /usr/share/gnome-bluetooth/{,**} r,
+  /usr/share/gnome-bluetooth{-*,}/{,**} r,
  /usr/share/gnome-color-manager/{,**} r,
  /usr/share/gnome-shell/search-providers/{,**} r,
  /usr/share/gnome/gnome-version.xml r,
--- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper
+++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
@ -15,6 +15,7 @@ profile gnome-control-center-goa-helper @{exec_path} {
  include <abstractions/gnome>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
+  include <abstractions/opencl>
  include <abstractions/openssl>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@ -31,6 +31,7 @@ profile gnome-music @{exec_path} {
  /{usr/,}bin/ r,
  /{usr/,}bin/python3.[0-9]* rix,

+  /usr/share/egl/{,**} r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/grilo-plugins/grl-lua-factory/{,*} r,
  /usr/share/org.gnome.Music/{,**} r,
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -23,6 +23,9 @@ profile gnome-terminal-server @{exec_path} {
  /{usr/,}bin/{,b,d,rb}ash         rUx,
  /{usr/,}bin/{c,k,tc,z}sh         rUx,

+  # Some CLI program can be launched directly from Gnome Shell
+  /{usr/,}bin/htop                 rPx,
+
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/X11/xkb/{,**} r,

--- a/apparmor.d/groups/pacman/pacman-key
+++ b/apparmor.d/groups/pacman/pacman-key
@ -43,11 +43,14 @@ profile pacman-key @{exec_path} {

  profile gpg {
    include <abstractions/base>
+    include <abstractions/p11-kit>
+    include <abstractions/ssl_certs>

    capability dac_read_search,
    capability mknod,

    /{usr/,}bin/gpg        mr,
+    /{usr/,}bin/dirmngr    rix,
    /{usr/,}bin/gpg-agent  rix,

    /usr/share/pacman/keyrings/{,*} r,
--- a/apparmor.d/groups/systemd/bootctl
+++ b/apparmor.d/groups/systemd/bootctl
@ -39,15 +39,20 @@ profile bootctl @{exec_path} {

  @{run}/host/container-manager r,

+  @{sys}//class/tpmrm/ r,
+
  @{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r,
  @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,

  @{sys}/firmware/dmi/entries/*/raw r,
  @{sys}/firmware/efi/efivars/ r,
+  @{sys}/firmware/efi/efivars/AuditMode-@{uuid} r,
  @{sys}/firmware/efi/efivars/Boot[0-9A-F]*-@{uuid} r,
  @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
+  @{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderEntrySelected-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderFirmwareInfo-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r,
--- a/apparmor.d/groups/systemd/systemd-machine-id-setup
+++ b/apparmor.d/groups/systemd/systemd-machine-id-setup
@ -10,6 +10,8 @@ include <tunables/global>
 profile systemd-machine-id-setup @{exec_path} {
  include <abstractions/base>

+  capability dac_override,
+
  @{exec_path} mr,

  /etc/machine-id rw,
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@ -11,6 +11,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
+  include <abstractions/openssl>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
  include <abstractions/systemd-common>
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -49,8 +49,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {

  /{usr/,}{s,}bin/*             rPUx,

-  /{usr,/}lib/pm-utils/power.d/*          rPUx,
-  /{usr,/}lib/snapd/snap-device-helper     rPx,
+  /{usr/,}lib/pm-utils/power.d/*          rPUx,
+  /{usr/,}lib/snapd/snap-device-helper     rPx,
  /{usr/,}lib/crda/*                      rPUx,
  /{usr/,}lib/gdm-runtime-config           rPx,
  /{usr/,}lib/systemd/systemd-*            rPx,
--- a/apparmor.d/groups/ubuntu/apt-esm-hook
+++ b/apparmor.d/groups/ubuntu/apt-esm-hook
@ -18,7 +18,7 @@ profile apt-esm-hook @{exec_path} {

  /etc/machine-id r,

-  /var/cache/apt/pkgcache.bin.* rw,
+  /var/cache/apt/pkgcache.bin* rw,
  /var/lib/ubuntu-advantage/messages/{,**} rw,

  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/groups/ubuntu/apt-esm-json-hook
+++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook
@ -13,5 +13,7 @@ profile apt-esm-json-hook @{exec_path} {

  @{exec_path} mr,

+  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
  include if exists <local/apt-esm-json-hook>
 }
--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@ -30,7 +30,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {

  dbus (send,receive) bus=system path=/org/debian/apt{,/transaction/*}
       interface={org.debian{,.apt*},org.freedesktop.DBus.{Introspectable,Properties}}
-       member={CommitPackages,Run,PropertyChanged,Introspect,Set,GetAll},
+       member={CommitPackages,Run,PropertyChanged,Introspect,Set,GetAll,UpdateCache},

  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
@ -54,13 +54,14 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  /{usr/,}bin/dpkg                  rPx -> child-dpkg,
-  /{usr/,}bin/hwe-support-status    rPx,
-  /{usr/,}bin/ischroot              rix,
-  /{usr/,}bin/lsb_release           rPx -> lsb_release,
-  /{usr/,}bin/snap                 rPUx,
-  /{usr/,}bin/uname                 rix,
-  /{usr/,}lib/apt/methods/http{,s}  rPx,
+  /{usr/,}bin/dpkg                     rPx -> child-dpkg,
+  /{usr/,}bin/hwe-support-status       rPx,
+  /{usr/,}bin/ischroot                 rix,
+  /{usr/,}bin/lsb_release              rPx -> lsb_release,
+  /{usr/,}bin/snap                    rPUx,
+  /{usr/,}bin/software-properties-gtk  rPx,
+  /{usr/,}bin/uname                    rix,
+  /{usr/,}lib/apt/methods/http{,s}     rPx,

  /usr/share/distro-info/{,**} r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
@ -70,6 +71,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
  /usr/share/update-manager/{,**} r,
  /usr/share/X11/{,**} r,

+  /etc/gnome/defaults.list r,
  /etc/machine-id r,
  /etc/update-manager/{,**} r,

@ -82,6 +84,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
  /var/lib/update-manager/{,**} rw,

  owner @{user_cache_dirs}/update-manager-core/{,**} rw,
+  owner @{user_share_dirs}/gvfs-metadata/{,*} r,

  owner @{run}/user/@{uid}/wayland-[0-9]* rw,

--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@ -21,7 +21,9 @@ profile containerd @{exec_path} {
  /{usr/,}bin/containerd-shim-runc-v2 rPUx,
  /{usr/,}bin/kmod                    rPx,

+  /etc/cni/ rw,
  /etc/cni/{,**} r,
+  /etc/cni/net.d/ rw,
  /etc/containerd/*.toml r,

  /var/lib/containerd/{,**} rwk,
@ -30,6 +32,8 @@ profile containerd @{exec_path} {
  @{run}/docker/containerd/{,**} rwk,
  /opt/containerd/{,**} rw,

+  @{run}/systemd/notify w,
+
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

  owner @{PROC}/@{pids}/uid_map r,
--- a/apparmor.d/profiles-a-f/aa-notify
+++ b/apparmor.d/profiles-a-f/aa-notify
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/aa-notify
 profile aa-notify @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/python>

--- a/apparmor.d/profiles-a-f/appstreamcli
+++ b/apparmor.d/profiles-a-f/appstreamcli
@ -11,6 +11,7 @@ include <tunables/global>
 profile appstreamcli @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>

  capability dac_read_search,

--- a/apparmor.d/profiles-a-f/font-manager
+++ b/apparmor.d/profiles-a-f/font-manager
@ -10,12 +10,12 @@ include <tunables/global>
 profile font-manager @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
-  include <abstractions/gtk>
-  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-write>
+  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
-  include <abstractions/nameservice-strict>
  include <abstractions/gstreamer>
+  include <abstractions/gtk>
+  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>

  network inet dgram,
@ -29,6 +29,8 @@ profile font-manager @{exec_path} {
  /{usr/,}lib/@{multiarch}/webkit*gtk-*/WebKitWebProcess     rix,
  /{usr/,}lib/@{multiarch}/webkit*gtk-*/WebKitNetworkProcess rix,

+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
  owner @{user_cache_dirs}/ rw,
  owner @{user_cache_dirs}/font-manager/ rw,
  owner @{user_cache_dirs}/font-manager/* rwk,
@ -47,18 +49,16 @@ profile font-manager @{exec_path} {
  owner @{user_share_dirs}/ r,
  owner @{user_share_dirs}/gvfs-metadata/{,*} r,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  @{sys}/devices/virtual/dmi/id/chassis_type r,
+  @{sys}/firmware/acpi/pm_profile r,
+  @{sys}/fs/cgroup/{,**} r,

  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/statm r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/smaps r,
-        @{PROC}zoneinfo r,
-
-  @{sys}/devices/virtual/dmi/id/chassis_type r,
-  @{sys}/firmware/acpi/pm_profile r,
-  @{sys}/fs/cgroup/{,**} r,
+        @{PROC}/zoneinfo r,

  # Silencer
       owner /var/cache/fontconfig/ w,
--- a/apparmor.d/profiles-a-f/fprintd
+++ b/apparmor.d/profiles-a-f/fprintd
@ -18,12 +18,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) {
  network netlink raw,

  dbus receive bus=system path=/net/reactivated/Fprint/Manager
-       interface=net.reactivated.Fprint.Manager
-       member={GetDefaultDevice,GetDevices},
-
-  dbus receive bus=system path=/net/reactivated/Fprint/Manager
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll,
+       interface={org.freedesktop.DBus.Properties,net.reactivated.Fprint.Manager},

  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
@ -33,7 +28,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/login[0-9]
       interface=org.freedesktop.login[0-9].Manager
       member=Inhibit
-        peer=(name=org.freedesktop.login[0-9]),
+       peer=(name=org.freedesktop.login[0-9]),

  dbus bind bus=system 
       name=net.reactivated.Fprint,
--- a/apparmor.d/profiles-a-f/frontend
+++ b/apparmor.d/profiles-a-f/frontend
@ -23,13 +23,14 @@ profile frontend @{exec_path} flags=(complain) {
  /{usr/,}bin/locale     rix,

  # debconf apps
+  /{usr/,}{s,}bin/aspell-autobuildhash     rPx,
+  /{usr/,}{s,}bin/pam-auth-update          rPx,
  /{usr/,}bin/adequate                     rPx,
  /{usr/,}bin/debconf-apt-progress         rPx,
-  /{usr/,}lib/tasksel/tasksel-debconf      rPx -> tasksel,
  /{usr/,}bin/linux-check-removal          rPx,
  /{usr/,}bin/ucf                          rPx,
-  /{usr/,}sbin/pam-auth-update             rPx,
-  /{usr/,}sbin/aspell-autobuildhash        rPx,
+  /{usr/,}bin/whiptail                     rPx,
+  /{usr/,}lib/tasksel/tasksel-debconf      rPx -> tasksel,
  /usr/share/debian-security-support/check-support-status.hook rPx,

  # Run the package maintainer's scripts
@ -55,13 +56,16 @@ profile frontend @{exec_path} flags=(complain) {
  /{usr/,}lib/dkms/dkms-*                 rPUx,
  /{usr/,}lib/dkms/dkms_*                 rPUx,

-  /etc/debconf.conf r,
  /usr/share/debconf/{,**} r,
+
+  /etc/debconf.conf r,
+  /etc/inputrc r,
+  /etc/shadow r,
+
+  owner /tmp/file* w,
  owner /var/cache/debconf/* rwk,

-  /etc/inputrc r,
-
-  /etc/shadow r,
+  @{run}/user/@{uid}/pk-debconf-socket rw,

  # The following is needed when debconf uses GUI frontends.
  include <abstractions/gtk>
@ -74,11 +78,6 @@ profile frontend @{exec_path} flags=(complain) {
  owner @{PROC}/@{pid}/mounts r,
  @{HOME}/.Xauthority r,

-  # The following is needed when debconf uses dialog/whiptail frontend.
-  /{usr/,}bin/whiptail    rPx,
-  owner /tmp/file* w,
-
-
  profile scripts flags=(complain) {
    include <abstractions/base>
    include <abstractions/consoles>
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@ -86,11 +86,14 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
  /dev/bus/usb/ r,
  /dev/bus/usb/[0-9]*/[0-9]* rw,
  /dev/drm_dp_aux[0-9]* rw,
+  /dev/gpiochip[0-9]* r,
  /dev/hidraw[0-9]* rw,
  /dev/mei[0-9]* rw,
  /dev/mem r,
+  /dev/mtd[0-9]* rw,
  /dev/sd[a-z]* r,
  /dev/tpm[0-9]* rw,
+  /dev/tpmrm[0-9]* rw,
  /dev/wmi/* r,

  profile gpg flags=(complain) {
--- a/apparmor.d/profiles-g-l/ifup
+++ b/apparmor.d/profiles-g-l/ifup
@ -32,7 +32,7 @@ profile ifup @{exec_path} {

  /{usr/,}bin/run-parts  rCx -> run-parts,
  /{usr/,}bin/kmod       rCx -> kmod,
-  /{usr/,}sbin/sysctl    rCx -> sysctl,
+  /{usr/,}{s,}bin/sysctl rCx -> sysctl,

  /etc/network/interfaces r,
  /etc/network/interfaces.d/{,*} r,
@ -114,7 +114,7 @@ profile ifup @{exec_path} {
   capability sys_admin,
 #    capability sys_resource,

-    /{usr/,}sbin/sysctl mr,
+    /{usr/,}{s,}bin/sysctl mr,

    @{PROC}/sys/ r,
    @{PROC}/sys/** r,
--- a/apparmor.d/profiles-g-l/lspci
+++ b/apparmor.d/profiles-g-l/lspci
@ -19,6 +19,7 @@ profile lspci @{exec_path} {

  @{sys}/bus/pci/devices/ r,
  @{sys}/bus/pci/slots/ r,
+  @{sys}/bus/pci/slots/[0-9]*/address r,
  @{sys}/devices/pci[0-9]*/** r,

  /usr/share/hwdata/pci.ids r,
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
@ -50,6 +50,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/system/cpu/cpufreq/ r,
  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/energy_performance_preference rw,
  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_governor rw,
+  @{sys}/devices/system/cpu/cpu[0-9]*/power/energy_perf_bias rw,

  include if exists <local/power-profiles-daemon>
 }
--- a/apparmor.d/profiles-s-z/sensors
+++ b/apparmor.d/profiles-s-z/sensors
@ -27,6 +27,7 @@ profile sensors @{exec_path} {
  @{sys}/devices/**/hwmon/hwmon[0-9]*/power[0-9]*_crit r,
  @{sys}/devices/i2c-[0-9]*/name r,
  @{sys}/devices/pci[0-9]*/**/name r,
+  @{sys}/devices/platform/**/power_supply/**/hwmon[0-9]*/curr1_max r,
  @{sys}/devices/virtual/hwmon/hwmon[0-9]* r,
  @{sys}/devices/virtual/hwmon/hwmon[0-9]*/ r,
  @{sys}/devices/virtual/hwmon/hwmon[0-9]*/{name,temp*} r,