feat(profile): general update.

2024-02-29 21:45:42 +00:00 · 2024-02-29 21:45:42 +00:00 · 06abeac2ee
commit 06abeac2ee
parent cd09dc7688
33 changed files with 154 additions and 47 deletions
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@ -19,6 +19,7 @@ profile snap @{exec_path} {
  include <abstractions/nameservice-strict>

  capability dac_read_search,
+  capability setuid,
  capability sys_admin,

  unix (send, receive) type=stream peer=(label=apt),
@ -28,12 +29,12 @@ profile snap @{exec_path} {
  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=StartTransientUnit
-       peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
+       peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),

  dbus receive bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=JobRemoved
-       peer=(name=:*, label="@{systemd}"),
+       peer=(name=:*, label="@{systemd_user}"),

  dbus send bus=session path=/org/freedesktop/portal/documents
       interface=org.freedesktop.portal.Documents
@ -47,9 +48,6 @@ profile snap @{exec_path} {
  @{bin}/gpg{,2}          rCx -> gpg,
  @{bin}/systemctl        rPx -> child-systemctl,

-  /snap/{,**} rw,
-  @{lib}/snapd/snap-confine rPx -> /usr/lib/snapd/snap-confine,
-
  @{lib_dirs}/snapd/snap-confine     rPx,
  @{lib_dirs}/snapd/snap-seccomp     rPx,
  @{lib_dirs}/snapd/snapd            rPx,
@ -60,6 +58,7 @@ profile snap @{exec_path} {
  /var/cache/snapd/commands.db rwk,
  /var/cache/snapd/names r,

+  /snap/{,**} rw,
  @{HOME}/snap/{,**} rw,

  owner /tmp/snapd-auto-import-mount-@{int}/ rw,
--- a/apparmor.d/profiles-s-z/snapd-apparmor
+++ b/apparmor.d/profiles-s-z/snapd-apparmor
@ -17,6 +17,7 @@ profile snapd-apparmor @{exec_path} {
  @{bin}/systemd-detect-virt         rPx,
  @{bin}/apparmor_parser             rPx,

+  @{lib_dirs}/snapd/apparmor_parser  rPx -> apparmor_parser,
  @{lib_dirs}/snapd/info r,

  /var/lib/snapd/apparmor/profiles/ r,
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@ -7,7 +7,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{name} = thunderbird{,-bin}
+@{name} = thunderbird{,.sh,-bin} 
@{lib_dirs} = @{lib}/@{name}
@{config_dirs} = @{HOME}/.@{name}/
@{cache_dirs} = @{user_cache_dirs}/@{name}/
@ -59,7 +59,8 @@ profile thunderbird @{exec_path} {

  @{exec_path} mrix,

-  @{sh_path}         rix,
+  @{sh_path}                rix,
+  @{bin}/which.debianutils  rix,

  @{lib_dirs}/{,**}                            r,
  @{lib_dirs}/*.so                            mr,