feat(profile): small general upgrade.

2025-06-21 20:27:06 +02:00 · 2025-06-21 20:27:06 +02:00 · 0572688c59
commit 0572688c59
parent f8250f7e0c
18 changed files with 57 additions and 34 deletions
--- a/apparmor.d/groups/systemd-service/dmesg.service
+++ b/apparmor.d/groups/systemd-service/dmesg.service
@ -17,6 +17,7 @@ profile dmesg.service flags=(attach_disconnected) {

  capability chown,
  capability fsetid,
+  capability sys_admin,

  ptrace read peer=@{p_systemd},

--- a/apparmor.d/groups/systemd-service/man-db.service
+++ b/apparmor.d/groups/systemd-service/man-db.service
@ -3,6 +3,7 @@
 # SPDX-License-Identifier: GPL-2.0-only

 # ExecStart=+/usr/bin/install -d -o man -g man -m 0755 /var/cache/man
+# ExecStart=/usr/bin/find /var/cache/man -type f -name *.gz -atime +6 -delete
 # ExecStart=/usr/bin/mandb --quiet

 abi <abi/4.0>,
@ -13,6 +14,7 @@ profile man-db.service flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

+  @{bin}/find     ix,
  @{bin}/install  ix,
  @{bin}/mandb    r,

--- a/apparmor.d/groups/ubuntu/esm_cache
+++ b/apparmor.d/groups/ubuntu/esm_cache
@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = /usr/lib/ubuntu-advantage/esm_cache.py
+profile esm_cache @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/python>
+
+  @{exec_path} mr,
+
+  include if exists <local/esm_cache>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@ -51,9 +51,9 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
  @{bin}/uname                    rix,
  @{lib}/apt/methods/http{,s}     rPx,

-  @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw,
-  @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw,
-  @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw,
+  @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw,
+  @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw,
+  @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw,

  /usr/share/distro-info/{,**} r,
  /usr/share/ubuntu-release-upgrader/{,**} r,
--- a/apparmor.d/groups/usb/lsusb
+++ b/apparmor.d/groups/usb/lsusb
@ -21,6 +21,8 @@ profile lsusb @{exec_path} {

  /etc/udev/hwdb.bin r,

+  /dev/bus/usb/@{int}/@{int} w,
+
  include if exists <local/lsusb>
 }

--- a/apparmor.d/groups/whonix/sdwdate
+++ b/apparmor.d/groups/whonix/sdwdate
@ -30,7 +30,7 @@ profile sdwdate @{exec_path} flags=(attach_disconnected) {
  @{bin}/touch                          rix,
  @{lib}/helper-scripts/*               rix,
  @{bin}/url_to_unixtime                rix,
-  @{bin}/{,e}grep rix,
+  @{bin}/{,e}grep                       rix,

  @{lib}/helper-scripts/ r,
  @{lib}/sdwdate/ r,