feat(abs): general update.

2024-11-14 23:43:56 +01:00 · 2024-06-03 18:37:12 +01:00 · 2024-06-03 18:37:12 +01:00 · ff16790421
commit ff16790421
parent a1fe682e7a
6 changed files with 21 additions and 17 deletions
--- a/apparmor.d/abstractions/app-launcher-root
+++ b/apparmor.d/abstractions/app-launcher-root
@ -3,8 +3,8 @@
 # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

-  @{bin}/*                      rPUx,
-  /usr/local/{s,}bin/*          rPUx,
+  @{bin}/*                      PUx,
+  /usr/local/{s,}bin/*          PUx,

  @{bin}/                       r,
  /                             r,
--- a/apparmor.d/abstractions/app-launcher-user
+++ b/apparmor.d/abstractions/app-launcher-user
@ -3,19 +3,18 @@
 # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

-  @{bin}/*                      rPUx,
-  /opt/*/**                     rPUx,
-  /usr/share/*/*                rPUx,
-  /usr/local/bin/*              rPUx,
+  @{bin}/*                      PUx,
+  /opt/*/**                     PUx,
+  /usr/share/*/*                PUx,
+  /usr/local/bin/*              PUx,

-  @{bin}/chromium               rPx,
-  @{brave_path}                 rPx,
-  @{chrome_path}                rPx,
-  @{chromium_path}              rPx,
-  @{firefox_path}               rPx,
-  @{opera_path}                 rPx,
-  @{thunderbird_path}           rPx,
-  @{lib}/libreoffice/program/{soffice{,.bin},oosplash} rPUx,
+  @{brave_path}                 Px,
+  @{chrome_path}                Px,
+  @{chromium_path}              Px,
+  @{firefox_path}               Px,
+  @{opera_path}                 Px,
+  @{thunderbird_path}           Px,
+  @{offices_path}              PUx,

  @{bin}/                       r,
  /                             r,
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@ -41,6 +41,8 @@
  network inet6 stream,
  network netlink raw,

+  ptrace trace peer=@{profile_name},
+
  signal (send) set=(term, kill) peer=@{profile_name}-*,

  @{sh_path}                 rix,
--- a/apparmor.d/abstractions/common/app
+++ b/apparmor.d/abstractions/common/app
@ -1,6 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no

 # Common rules for applications sandboxed using bwrap.

@ -40,8 +41,9 @@
        @{bin}/ r,
        @{lib}/ r,
        /usr/local/bin/ r,
-  owner /@{uuid}/ w,
  owner /_@{int}_/ w,
+  owner /@{uuid}/ w,
+  owner /var/cache/ldconfig/{,**} rw,

  # Full access to user's data
  / r,
--- a/apparmor.d/abstractions/mesa.d/complete
+++ b/apparmor.d/abstractions/mesa.d/complete
@ -5,7 +5,8 @@
  # Extra Mesa rules for desktop environments
  owner @{desktop_cache_dirs}/ w,
  owner @{desktop_cache_dirs}/mesa_shader_cache/ rw,
-  owner @{desktop_cache_dirs}/mesa_shader_cache/index rw,
  owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/ rw,
  owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38} rw,
  owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38}.tmp rwk,
+  owner @{desktop_cache_dirs}/mesa_shader_cache/index rw,
+  owner @{desktop_cache_dirs}/mesa_shader_cache/marker rw,
--- a/apparmor.d/abstractions/vulkan-strict
+++ b/apparmor.d/abstractions/vulkan-strict
@ -15,7 +15,7 @@
  /etc/vulkan/implicit_layer.d/{,*.json} r,

  owner @{user_share_dirs}/vulkan/implicit_layer.d/{,*.json} r,
-  owner @{user_cache_dirs}/radv_builtin_shaders64 r, #Vulkan radv shaders cache
+  owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache

  @{sys}/class/ r,
  @{sys}/class/drm/ r,