feat(profile): general update.

2024-04-03 21:04:18 +01:00 · 2024-04-03 21:04:18 +01:00 · 095254864f
commit 095254864f
parent 4490db45c9
26 changed files with 52 additions and 37 deletions
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@ -2,15 +2,19 @@
 # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

-# For chromium based browser. If your application requires chromium to run
-# (like electron) use abstractions/common/chromium instead.
-
-# This abstraction requires the following variables definied in the profile header:
+# Full set of rules for all chromium based browsers. It works as a *function*
+# and requires some variables to be provided as *arguments* and set in the
+# header of the calling profile. Example:
+#
 # @{name} = chromium
 # @{domain} = org.chromium.Chromium
 # @{lib_dirs} = @{lib}/chromium
 # @{config_dirs} = @{user_config_dirs}/chromium
 # @{cache_dirs} = @{user_cache_dirs}/chromium
+#
+# If your application requires chromium to run use abstractions/common/chromium
+# or abstractions/common/electron instead.
+#

  include <abstractions/audio-client>
  include <abstractions/bus-session>
@ -98,7 +102,6 @@

  /usr/share/@{name}/{,**} r,
  /usr/share/chromium/extensions/{,**} r,
-  /usr/share/egl/{,**} r,
  /usr/share/hwdata/pnp.ids r,
  /usr/share/mozilla/extensions/{,**} r,
  /usr/share/qt{5,}/translations/*.qm r,
--- a/apparmor.d/abstractions/base.d/complete
+++ b/apparmor.d/abstractions/base.d/complete
@ -25,4 +25,6 @@

  @{sys}/devices/system/cpu/possible r,

+  @{PROC}/sys/kernel/core_pattern r,
+
  deny /apparmor/.null rw,
--- a/apparmor.d/abstractions/common/bwrap
+++ b/apparmor.d/abstractions/common/bwrap
@ -17,8 +17,8 @@

  network netlink raw,

+  mount               options=(rw rbind)                               -> /newroot/{,**},
  mount               options=(rw rbind)                 /tmp/newroot/ -> /tmp/newroot/,
-  mount               options=(rw rbind)                /oldroot/{,**} -> /newroot/{,**},
  mount               options=(rw silent rprivate)                     -> /oldroot/,
  mount               options=(rw silent rslave)                       -> /,
  mount fstype=devpts options=(rw nosuid noexec)                devpts -> /newroot/dev/pts/,
@ -40,10 +40,9 @@
  owner /tmp/newroot/ w,
  owner /tmp/oldroot/ w,

-
        @{PROC}/sys/kernel/overflowgid r,
        @{PROC}/sys/kernel/overflowuid r,
-        @{PROC}/sys/user/max_user_namespaces r,
+        @{PROC}/sys/user/max_user_namespaces rw,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/gid_map rw,
--- a/apparmor.d/abstractions/common/electron
+++ b/apparmor.d/abstractions/common/electron
@ -74,6 +74,7 @@
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1
+  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/oom_score_adj rw,
  owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1
  owner @{PROC}/@{pid}/stat r,