feat(profile): general update.

2024-04-03 21:04:18 +01:00 · 2024-04-03 21:04:18 +01:00 · 095254864f
commit 095254864f
parent 4490db45c9
26 changed files with 52 additions and 37 deletions
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@ -26,7 +26,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
  network netlink raw,

  signal (send) set=(term, cont, kill),
-  signal (receive) set=(hup) peer=@{systemd},
+  signal (receive) set=(hup) peer=@{p_systemd},

  ptrace (read),@{p_systemd}

--- a/apparmor.d/groups/children/child-systemctl
+++ b/apparmor.d/groups/children/child-systemctl
@ -31,7 +31,7 @@ profile child-systemctl flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=GetUnitFileState
-       peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),

  @{exec_path} mr,

--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@ -12,15 +12,16 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-session>
  include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>

-  capability sys_nice,
-  capability sys_resource,
  capability sys_admin,
+  capability sys_nice,
+  capability sys_ptrace,
+  capability sys_resource,

  mount fstype=fuse.portal -> @{run}/user/@{uid}/doc/,

  signal (receive) set=(term) peer=gdm,

-  ptrace (read) peer=xdg-desktop-portal,
+  ptrace (read),

  unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount),

@ -37,6 +38,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
  @{bin}/fusermount{,3}  rCx -> fusermount,

  / r,
+  owner /.flatpak-info r,

  owner @{user_share_dirs}/flatpak/db/documents r,
  owner @{user_share_dirs}/Trash/files/** r,
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@ -56,7 +56,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
  /var/lib/xkb/server-@{int}.xkm rw,
  /var/lib/xkb/compiled/server-@{int}.xkm rw,

-  /usr/share/egl/{,**} rw,
  /usr/share/libinput*/ r,
  /usr/share/libinput*/{,**/}[0-9][0-9]-*.quirks r,
  /usr/share/libinput*/libinput/ r,
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -20,6 +20,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  include <abstractions/gstreamer>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
+  include <abstractions/thumbnails-cache-write>

  network inet dgram,
  network inet6 dgram,
@ -99,7 +100,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,

  owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
-  owner @{user_cache_dirs}/thumbnails/{,**} rw,

  owner @{user_config_dirs}/background rw,
  owner @{user_config_dirs}/gnome-control-center/{,**} rw,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -211,7 +211,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  /usr/share/dconf/profile/gdm r,
  /usr/share/desktop-base/** r,
  /usr/share/desktop-directories/{,*.directory} r,
-  /usr/share/egl/{,**} r,
  /usr/share/gdm/BuiltInSessions/{,*.desktop} r,
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/gdm/greeter/applications/{,**} r,
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@ -71,6 +71,8 @@ profile gnome-software @{exec_path} {
  /var/tmp/flatpak-cache-*/** rwkl,
  /var/tmp/#@{int} rw,

+  / r,
+
  owner @{HOME}/.var/app/{,**} rw,

  owner @{user_cache_dirs}/flatpak/{,**} rwl,
@ -92,7 +94,7 @@ profile gnome-software @{exec_path} {
  owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-@{rand6} rw,
  owner @{run}/user/@{uid}/.dbus-proxy/session-bus-proxy-@{rand6} rw,
  owner @{run}/user/@{uid}/.flatpak-cache rw,
-  owner @{run}/user/@{uid}/.flatpak/{,**} rw,
+  owner @{run}/user/@{uid}/.flatpak/{,**} rwl,
  owner @{run}/user/@{uid}/.flatpak/**/*.ref rwk,
  owner @{run}/user/@{uid}/app/{,*/} rw,

--- a/apparmor.d/groups/gnome/gnome-tweaks
+++ b/apparmor.d/groups/gnome/gnome-tweaks
@ -13,6 +13,7 @@ profile gnome-tweaks @{exec_path} {
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/python>
+  include <abstractions/thumbnails-cache-read>

  @{exec_path} mr,

@ -28,7 +29,6 @@ profile gnome-tweaks @{exec_path} {

  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,

-  owner @{user_cache_dirs}/thumbnails/{,**} r,
  owner @{user_config_dirs}/autostart/ rw,
  owner @{user_config_dirs}/autostart/*.desktop r,
  owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini* rw,
--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@ -14,7 +14,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.gnome.SessionManager>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
-  include <abstractions/thumbnails-cache-read>
+  include <abstractions/thumbnails-cache-write>

  signal (receive) set=(term, hup) peer=gdm*,
  signal (receive) set=(term, hup) peer=gnome*,
@ -38,7 +38,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
  owner @{gdm_config_dirs}/dconf/user r,
  owner @{gdm_share_dirs}/applications/ w,

-  owner @{user_cache_dirs}/thumbnails/{,**} rw,
  owner @{user_share_dirs}/applications/ rw,

        @{run}/mount/utab r,
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@ -48,6 +48,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
  /usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r,
  /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
  /usr/share/ladspa/rdf/{,**} r,
+  /usr/share/poppler/{,**} r,
  /usr/share/tracker3-miners/{,**} r,
  /usr/share/tracker3/{,**} r,

--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -77,6 +77,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
  /etc/issue.net r,
  /etc/legal r,
  /etc/machine-id r,
+  /etc/motd r,
  /etc/shells r,

  @{etc_ro}/ssh/sshd_config r,
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@ -33,7 +33,9 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
  @{sys}/fs/cgroup/memory.pressure r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r,

-  @{PROC}/pressure/{cpu,io,memory} r,
+  @{PROC}/pressure/cpu r,
+  @{PROC}/pressure/io r,
+  @{PROC}/pressure/memory r,

  include if exists <local/systemd-oomd>
 }
--- a/apparmor.d/groups/systemd/systemd-userdbd
+++ b/apparmor.d/groups/systemd/systemd-userdbd
@ -31,7 +31,9 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted)
  @{run}/systemd/userdb/{,**} rw,

  @{PROC}/@{pid}/cgroup r,
-  @{PROC}/pressure/* r,
+  @{PROC}/pressure/cpu r,
+  @{PROC}/pressure/io r,
+  @{PROC}/pressure/memory r,

  include if exists <local/systemd-userdbd>
 }