feat(profiles): modernize udev access.

2023-08-24 19:31:54 +01:00 · 2023-08-24 19:31:54 +01:00 · 07cfbcd952
commit 07cfbcd952
parent 73cb5a4545
37 changed files with 234 additions and 229 deletions
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@ -79,6 +79,8 @@ profile colord @{exec_path} flags=(attach_disconnected) {

  @{run}/systemd/sessions/* r,

+  @{run}/udev/data/c81:@{int}  r,         # For video4linux
+
  @{sys}/class/drm/ r,
  @{sys}/class/video4linux/ r,
  @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r,
--- a/apparmor.d/groups/freedesktop/iio-sensor-proxy
+++ b/apparmor.d/groups/freedesktop/iio-sensor-proxy
@ -14,12 +14,12 @@ profile iio-sensor-proxy @{exec_path} {

  @{exec_path} mr,

-  @{run}/udev/data/+platform* r,
-  @{run}/udev/data/+input* r,
-  @{run}/udev/data/c13:[0-9]*  r,       # For /dev/input/*
-  @{run}/udev/data/c3[0-9]*:[0-9]* r,   # For dynamic assignment range 384 to 511
-  @{run}/udev/data/c4[0-9]*:[0-9]* r,
-  @{run}/udev/data/c5[0-9]*:[0-9]* r,
+  @{run}/udev/data/+platform:* r,
+  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
+  @{run}/udev/data/c13:@{int}  r,         # For /dev/input/*
+  @{run}/udev/data/c3[0-9]*:@{int} r,     # For dynamic assignment range 384 to 511
+  @{run}/udev/data/c4[0-9]*:@{int} r,
+  @{run}/udev/data/c5[0-9]*:@{int} r,

  @{sys}/bus/ r,
  @{sys}/bus/iio/devices/ r,
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@ -65,13 +65,13 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
  owner /tmp/librnnoise-[0-9]*.so rm,
  owner @{run}/user/@{uid}/pipewire-[0-9]*.lock rwk,

-  @{run}/udev/data/c81:[0-9]*  r,       # For video4linux
-  @{run}/udev/data/c23[4-9]:[0-9]* r,   # For dynamic assignment range 234 to 254
-  @{run}/udev/data/c24[0-9]:[0-9]* r,
-  @{run}/udev/data/c25[0-4]:[0-9]* r,
-  @{run}/udev/data/c3[0-9]*:[0-9]* r,   # For dynamic assignment range 384 to 511
-  @{run}/udev/data/c4[0-9]*:[0-9]* r,
-  @{run}/udev/data/c5[0-9]*:[0-9]* r,
+  @{run}/udev/data/c81:@{int}  r,         # For video4linux
+  @{run}/udev/data/c23[4-9]:@{int} r,     # For dynamic assignment range 234 to 254
+  @{run}/udev/data/c24[0-9]:@{int} r,
+  @{run}/udev/data/c25[0-4]:@{int} r,
+  @{run}/udev/data/c3[0-9]*:@{int} r,     # For dynamic assignment range 384 to 511
+  @{run}/udev/data/c4[0-9]*:@{int} r,
+  @{run}/udev/data/c5[0-9]*:@{int} r,

  @{sys}/bus/ r,
  @{sys}/bus/media/devices/ r,
--- a/apparmor.d/groups/freedesktop/pipewire-media-session
+++ b/apparmor.d/groups/freedesktop/pipewire-media-session
@ -58,8 +58,8 @@ profile pipewire-media-session @{exec_path} {

  owner @{run}/user/@{uid}/pipewire-[0-9]* rw,

-  @{run}/udev/data/+sound:card[0-9]* r, # For sound
-  @{run}/udev/data/c116:[0-9]* r,       # for ALSA
+  @{run}/udev/data/+sound:card@{int} r,   # For sound
+  @{run}/udev/data/c116:@{int} r,         # for ALSA

  @{run}/systemd/users/@{uid} r,

--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@ -38,9 +38,9 @@ profile plymouthd @{exec_path} {

  @{run}/plymouth/{,**} rw,

-  @{run}/udev/data/+drm:* r,
-  @{run}/udev/data/c226:[0-9]* r,     # For /dev/dri/card[0-9]*
-  @{run}/udev/data/c29:* r,           # For /dev/fb[0-9]*
+  @{run}/udev/data/+drm:card[0-9]-* r,    # for screen outputs
+  @{run}/udev/data/c226:@{int} r,         # For /dev/dri/card[0-9]*
+  @{run}/udev/data/c29:@{int} r,          # For /dev/fb[0-9]*

  @{sys}/bus/ r,
  @{sys}/class/ r,
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@ -173,12 +173,12 @@ profile pulseaudio @{exec_path} {

  @{run}/systemd/users/@{uid} r,

-  @{run}/udev/data/+pci* r,
-  @{run}/udev/data/+sound:card[0-9]* r, # For sound
-  @{run}/udev/data/c116:[0-9]* r,       # for ALSA
-  @{run}/udev/data/c23[4-9]:[0-9]* r,   # For dynamic assignment range 234 to 254
-  @{run}/udev/data/c24[0-9]:[0-9]* r,
-  @{run}/udev/data/c25[0-4]:[0-9]* r,
+  @{run}/udev/data/+pci:* r,
+  @{run}/udev/data/+sound:card@{int} r,   # For sound
+  @{run}/udev/data/c116:@{int} r,         # for ALSA
+  @{run}/udev/data/c23[4-9]:@{int} r,     # For dynamic assignment range 234 to 254
+  @{run}/udev/data/c24[0-9]:@{int} r,
+  @{run}/udev/data/c25[0-4]:@{int} r,

  @{sys}/class/sound/ r,
  @{sys}/devices/**/sound/**/{uevent,pcm_class} r,
--- a/apparmor.d/groups/freedesktop/upowerd
+++ b/apparmor.d/groups/freedesktop/upowerd
@ -48,16 +48,16 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
  /var/lib/upower/history-*.dat{,.*} rw,

  @{run}/udev/data/ r,
-  @{run}/udev/data/+acpi:* r,
-  @{run}/udev/data/+hid* r,
-  @{run}/udev/data/+input* r,
-  @{run}/udev/data/+pci* r,
-  @{run}/udev/data/+platform* r,
+  @{run}/udev/data/+acpi:* r,             # for acpi
+  @{run}/udev/data/+hid:* r,              # for HID-Compliant Keyboard
+  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
+  @{run}/udev/data/+pci:* r,
+  @{run}/udev/data/+platform:* r,
  @{run}/udev/data/+power_supply* r,
-  @{run}/udev/data/+sound:card[0-9]* r, # for sound
-  @{run}/udev/data/c10:[0-9]* r,        # for non-serial mice, misc features
-  @{run}/udev/data/c13:[0-9]*  r,       # for /dev/input/*
-  @{run}/udev/data/c116:[0-9]* r,       # for ALSA
+  @{run}/udev/data/+sound:card@{int} r,   # for sound
+  @{run}/udev/data/c10:@{int} r,          # for non-serial mice, misc features
+  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
+  @{run}/udev/data/c116:@{int} r,         # for ALSA

  @{run}/systemd/inhibit/[0-9]*.ref rw,

--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@ -117,22 +117,22 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/platform/ r,
  @{sys}/module/i915/{,**} r,

+  @{run}/udev/data/+acpi:* r,             # for acpi
+  @{run}/udev/data/+dmi* r,               # for ?
+  @{run}/udev/data/+drm:card[0-9]-* r,    # for screen outputs
+  @{run}/udev/data/+hid:* r,              # for HID-Compliant Keyboard
  @{run}/udev/data/+i2c:* r,
-  @{run}/udev/data/+input* r,          # for mouse, keyboard, touchpad
-  @{run}/udev/data/+platform* r,       # for ?
-  @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs
-  @{run}/udev/data/+dmi* r,            # for ?
-  @{run}/udev/data/+acpi* r,           # for ?
-  @{run}/udev/data/+hid* r,            # for HID-Compliant Keyboard
-  @{run}/udev/data/+pci* r,            # for VGA compatible controller
-  @{run}/udev/data/+usb* r,            # for USB mouse and keyboard
-  @{run}/udev/data/+serio* r,          # for touchpad?
-  @{run}/udev/data/c4:[0-9]*   r,      # for /dev/tty[0-9]*
-  @{run}/udev/data/c5:[0-9]*   r,      # for /dev/tty, /dev/console, /dev/ptmx
-  @{run}/udev/data/c10:[0-9]* r,       # for non-serial mice, misc features
-  @{run}/udev/data/c13:[0-9]*  r,      # for /dev/input/*
-  @{run}/udev/data/c189:[0-9]* r,      # for /dev/bus/usb/**
-  @{run}/udev/data/c226:[0-9]* r,      # for /dev/dri/card*
+  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
+  @{run}/udev/data/+pci:* r,              # for VGA compatible controller
+  @{run}/udev/data/+platform:* r,         # for ?
+  @{run}/udev/data/+serio:* r,            # for touchpad?
+  @{run}/udev/data/+usb* r,               # for USB mouse and keyboard
+  @{run}/udev/data/c4:@{int}   r,         # for /dev/tty[0-9]*
+  @{run}/udev/data/c5:@{int}   r,         # for /dev/tty, /dev/console, /dev/ptmx
+  @{run}/udev/data/c10:@{int} r,          # for non-serial mice, misc features
+  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
+  @{run}/udev/data/c189:@{int} r,         # for /dev/bus/usb/**
+  @{run}/udev/data/c226:@{int} r,         # for /dev/dri/card*

  @{PROC}/@{pids}/cmdline r,
  @{PROC}/cmdline r,