From f7948962fc87c16f8a56ce220fa7ec1c76be8582 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 3 May 2021 12:58:46 +0100
Subject: [PATCH] Profiles update.

---
 apparmor.d/groups/desktop/blueman | 2 +-
 apparmor.d/groups/ssh/ssh-agent | 3 ++-
 apparmor.d/groups/systemd/systemd-tmpfiles | 12 ++++++------
 apparmor.d/profiles-m-z/mission-control | 2 +-
 apparmor.d/profiles-m-z/pulseaudio | 4 ++--
 apparmor.d/profiles-m-z/udisksd | 6 +-----
 apparmor.d/profiles-m-z/w | 3 +++
 7 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/apparmor.d/groups/desktop/blueman b/apparmor.d/groups/desktop/blueman
index 83a6c95a..2c4ed938 100644
--- a/apparmor.d/groups/desktop/blueman
+++ b/apparmor.d/groups/desktop/blueman
@@ -76,7 +76,7 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,
-  @{run}/user/1000/gdm/Xauthority r,
+  @{run}/user/@{uid}/gdm/Xauthority r,
   # file_inherit
   /dev/dri/card[0-9]* rw,
diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent
index 84f0707f..58fdbaae 100644
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@@ -42,7 +42,8 @@ profile ssh-agent @{exec_path} {
   owner /dev/tty[0-9]* rw,
   owner @{HOME}/.xsession-errors w,
-  @{run}/user/1000/keyring/.ssh rw,
+  @{run}/user/@{uid}/keyring/.ssh rw,
+  @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* w,
   include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles
index 7bc99e10..b9ce3dfb 100644
--- a/apparmor.d/groups/systemd/systemd-tmpfiles
+++ b/apparmor.d/groups/systemd/systemd-tmpfiles
@@ -22,7 +22,6 @@ profile systemd-tmpfiles @{exec_path} {
   /etc/machine-id r,
   /etc/brlapi.key w,
-  /usr/share/factory/{,**} r,
   # Config file locations
   /etc/tmpfiles.d/{,*.conf} r,
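Review bot: The new `@{run}/user/@{uid}/gdm/Xauthority r,` line swaps a single hard-coded uid for the `@{uid}` variable but carries no `owner` qualifier, so if `@{uid}` expands to a numeric glob (which it must to cover more than one user) the rule now matches every user's runtime directory instead of only the one user it matched before. The same pattern is introduced in the ssh-agent, mission-control and pulseaudio hunks of this patch, including the new `ssh-agent.[0-9A-Z]*` socket rule. Unless blueman genuinely has to read another user's Xauthority, `owner @{run}/user/@{uid}/gdm/Xauthority r,` keeps the previous one-user scope while still working for any uid. How `@{uid}` is defined lives in the tunables, which are not part of this patch, so this is worth confirming there.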
@@ -35,13 +34,14 @@ profile systemd-tmpfiles @{exec_path} {
   # Where the tmpfiles can be created,
   /{,*} rw,
-  /home/ rw,
   /dev/{,**} rw,
-  /var/{,**} rwk,
-  /run/{,**} rw,
-  /tmp/{,**} rwk,
-  /srv/{,**} rw,
   /etc/{,**} r,
+  /home/ rw,
+  /run/{,**} rw,
+  /srv/{,**} rw,
+  /tmp/{,**} rwk,
+  /usr/{,**} rw,
+  /var/{,**} rwk,
   @{run}/systemd/userdb/ r,
   @{sys}/devices/system/cpu/microcode/reload w,
diff --git a/apparmor.d/profiles-m-z/mission-control b/apparmor.d/profiles-m-z/mission-control
index 2e3e8525..dcd8d6b0 100644
--- a/apparmor.d/profiles-m-z/mission-control
+++ b/apparmor.d/profiles-m-z/mission-control
@@ -21,7 +21,7 @@ profile mission-control @{exec_path} {
   owner @{user_share_dirs}/telepathy/mission-control/*.cfg r,
-  @{run}/user/1000/dconf/user rw,
+  @{run}/user/@{uid}/dconf/user rw,
   @{run}/systemd/inhibit/[0-9]*.ref rw,
   include if exists
diff --git a/apparmor.d/profiles-m-z/pulseaudio b/apparmor.d/profiles-m-z/pulseaudio
index e99ed3f3..12b31798 100644
--- a/apparmor.d/profiles-m-z/pulseaudio
+++ b/apparmor.d/profiles-m-z/pulseaudio
@@ -67,8 +67,8 @@ profile pulseaudio @{exec_path} {
   @{run}/systemd/users/@{uid} r,
-  @{run}/user/1000/dconf/user rw,
-  @{run}/user/1000/ICEauthority r,
+  @{run}/user/@{uid}/dconf/user rw,
+  @{run}/user/@{uid}/ICEauthority r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/profiles-m-z/udisksd b/apparmor.d/profiles-m-z/udisksd
index af9a9539..6f07181d 100644
--- a/apparmor.d/profiles-m-z/udisksd
+++ b/apparmor.d/profiles-m-z/udisksd
@@ -125,11 +125,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
   /var/lib/udisks2/ r,
   /var/lib/udisks2/mounted-fs{,*} rw,
-  @{run}/udisks2/ rw,
-  @{run}/udisks2/loop{,.*} rw,
-  @{run}/udisks2/unlocked-luks{,.*} rw,
-  @{run}/udisks2/unlocked-crypto-dev{,.*} rw,
-  @{run}/udisks2/mounted-fs{,.*} rw,
+  @{run}/udisks2/{,**} rw,
   @{run}/systemd/seats/seat[0-9]* r,
   @{run}/systemd/inhibit/[0-9]*.ref rw,
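Review bot: `/usr/{,**} rw,` in the reordered list grants write access to the whole of /usr, which the previous rule set never did; the only /usr rule this patch removes (`/usr/share/factory/{,**} r,` in the first hunk of this file) was read-only. If the write bit is required by a specific tmpfiles.d entry, record it above the line, e.g. `# /usr write: required by the tmpfiles.d entry that creates … (TODO: name the entry)`; if only the factory tree is needed, `/usr/{,**} r,` preserves the previous scope. A confined system service being allowed to write into the vendor tree is the kind of rule a later reader will expect to find justified in place.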
diff --git a/apparmor.d/profiles-m-z/w b/apparmor.d/profiles-m-z/w
index 773f34f3..230c7d65 100644
--- a/apparmor.d/profiles-m-z/w
+++ b/apparmor.d/profiles-m-z/w
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
+# 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only

 abi ,
@@ -12,6 +13,8 @@ profile w @{exec_path} {
   include
   include
+  capability sys_ptrace,
+  ptrace (read),
   @{exec_path} mr,
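Review bot: `capability sys_ptrace,` and `ptrace (read),` are added without a comment, and the ptrace rule has no `peer=` restriction, so it is the broadest form of the rule: the profile may read ptrace-protected state of any process on the system. That is presumably what w needs in order to list other users' processes, but a reader will expect the reason recorded next to a capability this strong; suggested comment above the two lines: `# w lists processes of all users, which needs CAP_SYS_PTRACE and ptrace read on the peers it inspects`. The remainder of profile w is outside the hunk, so whether a narrower `peer=` would be viable cannot be judged here.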