feat(profiles): general update.

2023-03-25 15:48:59 +00:00 · 2023-03-25 15:48:59 +00:00 · 02499d90f0
commit 02499d90f0
parent 5ea574c333
42 changed files with 119 additions and 33 deletions
--- a/apparmor.d/profiles-m-r/needrestart-dpkg-status
+++ b/apparmor.d/profiles-m-r/needrestart-dpkg-status
@ -11,6 +11,8 @@ profile needrestart-dpkg-status @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>

+  capability  dac_read_search,
+
  @{exec_path} mr,

  /{usr/,}bin/{,ba,da}sh  rix,
--- a/apparmor.d/profiles-m-r/os-prober
+++ b/apparmor.d/profiles-m-r/os-prober
@ -41,6 +41,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/udevadm           rPx,
  /{usr/,}bin/umount            rix,
  /{usr/,}bin/uname             rix,
+  /{usr/,}lib/newns             rix,
  /{usr/,}lib/os-prober/*       rix,
  /{usr/,}lib/os-probes/{,**}   rix,

--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@ -157,8 +157,8 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
    owner /etc/pacman.d/gnupg/ r, # only: arch
    owner /etc/pacman.d/gnupg/** rwkl -> /tmp/pacman.d/gnupg/**,

-    owner /var/tmp/zypp.*/zypp-trusted-*/ r, # only: opensuse
-    owner /var/tmp/zypp.*/zypp-trusted-*/** rwkl -> /var/tmp/zypp.*/zypp-trusted-*/**,
+    owner /var/tmp/zypp.*/zypp-*/ r, # only: opensuse
+    owner /var/tmp/zypp.*/zypp-*/** rwkl -> /var/tmp/zypp.*/zypp-trusted-*/**,

    owner @{PROC}/@{pid}/fd/ r,
    owner @{PROC}/@{pid}/task/@{tid}/comm rw,
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@ -42,7 +42,7 @@ profile pass @{exec_path} {
  /{usr/,}bin/which     rix,

  /{usr/,}bin/git             rCx -> git,
-  /{usr/,}bin/gpg{2,}         rUx,
+  /{usr/,}bin/gpg{2,}         rCx -> gpg,
  /{usr/,}bin/qdbus           rCx -> qdbus,
  /{usr/,}bin/vim{,.*}        rCx -> editor,
  /{usr/,}bin/wl-{copy,paste} rPx,
@ -116,7 +116,7 @@ profile pass @{exec_path} {
    /{usr/,}bin/less          rPx -> child-pager,
    /{usr/,}bin/more          rPx -> child-pager,

-    /{usr/,}bin/gpg{2,}  rUx,
+    /{usr/,}bin/gpg{2,}  rPx -> pass//gpg,

    /usr/share/git-core/{,**} r,

@ -135,7 +135,28 @@ profile pass @{exec_path} {
    include if exists <local/pass_git>
  }

-    profile qdbus {
+  profile gpg flags=(complain) {
+    include <abstractions/base>
+    include <abstractions/nameservice-strict>
+
+    capability dac_read_search,
+
+    /{usr/,}bin/gpg{,2}    mr,
+
+    owner @{HOME}/@{XDG_GPG_DIR}/ rw,
+    owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
+
+    owner @{user_password_store_dirs}/   rw,
+    owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
+    owner @{user_projects_dirs}/**/*-store/   rw,
+    owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**,
+    owner @{user_config_dirs}/*-store/   rw,
+    owner @{user_config_dirs}/*-store/** rwkl -> @{user_config_dirs}/*-store/**,
+
+    include if exists <local/pass_gpg>
+  }
+
+  profile qdbus {
    include <abstractions/base>

    /{usr/,}bin/qdbus mr,
--- a/apparmor.d/profiles-m-r/pcscd
+++ b/apparmor.d/profiles-m-r/pcscd
@ -11,6 +11,8 @@ profile pcscd @{exec_path} {
  include <abstractions/base>
  include <abstractions/devices-usb>

+  capability sys_ptrace,
+
  network netlink raw,

  ptrace (read) peer=rngd,