feat(profiles): general update.

2023-03-25 15:48:59 +00:00 · 2023-03-25 15:48:59 +00:00 · 02499d90f0
commit 02499d90f0
parent 5ea574c333
42 changed files with 119 additions and 33 deletions
--- a/apparmor.d/groups/systemd/systemd-hwdb
+++ b/apparmor.d/groups/systemd/systemd-hwdb
@ -16,6 +16,8 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected) {
  /{usr/,}lib/udev/.#hwdb.bin[0-9a-zA-Z]* w,
  /{usr/,}lib/udev/hwdb.bin w,

+  /etc/udev/.#hwdb.bind* rw,
+  /etc/udev/hwdb.bin rw,
  /etc/udev/hwdb.d/{,*} r,

  owner @{PROC}/@{pid}/stat r,
--- a/apparmor.d/groups/systemd/systemd-inhibit
+++ b/apparmor.d/groups/systemd/systemd-inhibit
@ -9,12 +9,16 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-inhibit
 profile systemd-inhibit @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/consoles>

  capability net_admin,
+  capability sys_resource,

  @{exec_path} mr,

  /{usr/,}bin/cat rix,

+  @{run}/systemd/inhibit/*.ref rw,
+
  include if exists <local/systemd-inhibit>
 }
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@ -32,15 +32,18 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,

  /usr/share/kbd/keymaps/{,**} r,
-  /usr/share/systemd/language-fallback-map r,
+  /usr/share/systemd/*-map r,
  /usr/share/X11/xkb/rules/evdev r,

+  /etc/.#vconsole.conf* rw,
  /etc/default/.#locale* rw,
  /etc/default/keyboard r,
  /etc/default/locale rw,
  /etc/locale.conf r,
-  /etc/vconsole.conf r,
-  /etc/X11/xorg.conf.d/*.conf r,
+  /etc/vconsole.conf rw,
+  /etc/X11/xorg.conf.d/ r,
+  /etc/X11/xorg.conf.d/.#*.confd* rw,
+  /etc/X11/xorg.conf.d/*.conf rw,

  @{run}/systemd/notify rw,

--- a/apparmor.d/groups/systemd/systemd-resolve
+++ b/apparmor.d/groups/systemd/systemd-resolve
@ -18,5 +18,8 @@ profile systemd-resolve @{exec_path} {

  @{exec_path} mr,

+        @{PROC}/ r,
+  owner @{PROC}/@{pids}/fd/ r,
+
  include if exists <local/systemd-resolve>
 }
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -61,6 +61,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
  /{usr/,}lib/gdm-runtime-config           rPx,
  /{usr/,}lib/systemd/systemd-*            rPx,
  /{usr/,}lib/udev/*                      rPUx,
+  /{usr/,}lib/open-iscsi/net-interface-handler rPUx,
  /usr/share/hplip/config_usb_printer.py  rPUx,

  /etc/console-setup/*.sh       rPUx,
--- a/apparmor.d/groups/systemd/systemd-vconsole-setup
+++ b/apparmor.d/groups/systemd/systemd-vconsole-setup
@ -14,6 +14,7 @@ profile systemd-vconsole-setup @{exec_path} {
  include <abstractions/systemd-common>

  capability dac_override,
+  capability net_admin,
  capability sys_ptrace,
  capability sys_resource,
  capability sys_tty_config,
@ -23,9 +24,11 @@ profile systemd-vconsole-setup @{exec_path} {
  /{usr/,}bin/{,ba,da}sh  rix,
  /{usr/,}bin/gzip        rix,
  /{usr/,}bin/loadkeys    rix,
+  /{usr/,}bin/setfont     rix,
+  /{usr/,}bin/gzip        rix,

  / r,
-  /usr/share/kbd/keymaps/{,**} r,
+  /usr/share/kbd/{,**} r,

  /etc/vconsole.conf r,