feat(profile): general update.

2024-02-01 13:19:19 +00:00 · 2024-02-01 13:19:19 +00:00 · 0a74d5c6fe
commit 0a74d5c6fe
parent 70a8407bd7
22 changed files with 39 additions and 16 deletions
--- a/apparmor.d/groups/_full/default-sudo
+++ b/apparmor.d/groups/_full/default-sudo
@ -56,6 +56,8 @@ profile default-sudo @{exec_path} {
  /etc/sudoers r,
  /etc/sudoers.d/{,*} r,

+  / r,
+
        /var/db/sudo/lectured/ r,
        /var/lib/extrausers/shadow r,
        /var/lib/sudo/lectured/ r,
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@ -18,6 +18,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd
 profile systemd-user flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
+  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/apps/discord
+++ b/apparmor.d/groups/apps/discord
@ -90,7 +90,7 @@ profile discord @{exec_path} {
  /etc/fstab r,

  deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
-  deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
+  deny @{sys}/devices/virtual/tty/tty@{int}/active r,
  # To remove the following error:
  # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
  @{sys}/devices/@{pci}/irq r,
--- a/apparmor.d/groups/apps/freetube
+++ b/apparmor.d/groups/apps/freetube
@ -70,7 +70,7 @@ profile freetube @{exec_path} {

  owner @{user_share_dirs} r,

-  deny @{sys}/devices/virtual/tty/tty0/active r,
+  deny @{sys}/devices/virtual/tty/tty@{int}/active r,
  deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
  # To remove the following error:
  #  pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
--- a/apparmor.d/groups/apps/signal-desktop
+++ b/apparmor.d/groups/apps/signal-desktop
@ -62,7 +62,7 @@ profile signal-desktop @{exec_path} {

  @{sys}/devices/@{pci}/{irq,vendor,device} r,
  @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
-  @{sys}/devices/virtual/tty/tty[0-9]/active r,
+  @{sys}/devices/virtual/tty/tty@{int}/active r,
  @{sys}/fs/cgroup/** r,

        @{PROC}/ r,
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@ -53,8 +53,9 @@ profile plymouthd @{exec_path} {
  @{sys}/firmware/acpi/bgrt/{,*} r,
  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,

-        @{PROC}/cmdline r,
        @{PROC}/1/cmdline r,
+        @{PROC}/cmdline r,
+        @{PROC}/sys/kernel/printk r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/stat r,

--- a/apparmor.d/groups/freedesktop/xrdb
+++ b/apparmor.d/groups/freedesktop/xrdb
@ -51,6 +51,7 @@ profile xrdb @{exec_path} {
  owner @{HOME}/.xsession-errors w,

  /dev/tty rw,
+  /dev/tty@{int} rw,

  include if exists <local/xrdb>
 }
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@ -85,7 +85,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {

  @{sys}/devices/**/uevent r,
  @{sys}/devices/@{pci}/boot_vga r,
-  @{sys}/devices/virtual/tty/tty[0-9]*/active r,
+  @{sys}/devices/virtual/tty/tty@{int}/active r,

        @{PROC}/@{pid}/cgroup r,
        @{PROC}/1/environ r,
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@ -59,7 +59,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) {
  @{sys}/bus/pci/devices/ r,
  @{sys}/devices/@{pci}/{vendor,device,class,config,resource,irq} r,
  @{sys}/devices/system/cpu/** r,
-  @{sys}/devices/virtual/tty/tty[0-9]*/active r,
+  @{sys}/devices/virtual/tty/tty@{int}/active r,

        @{PROC}/ r,
        @{PROC}/sys/fs/inotify/max_user_watches r,
--- a/apparmor.d/groups/systemd/systemd-generator-environment-flatpak
+++ b/apparmor.d/groups/systemd/systemd-generator-environment-flatpak
@ -13,7 +13,8 @@ profile systemd-generator-environment-flatpak @{exec_path} {

  @{exec_path} mr,

-  @{bin}/flatpak rix,
+  @{bin}/{,ba,da}sh  rix,
+  @{bin}/flatpak     rix,

  /usr/{local/,}share/gvfs/remote-volume-monitors/{,*}  r,

--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -99,7 +99,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
  @{sys}/class/power_supply/ r,
  @{sys}/devices/** r,
  @{sys}/devices/**/brightness rw,
-  @{sys}/devices/virtual/tty/tty[0-9]*/active r,
+  @{sys}/devices/virtual/tty/tty@{int}/active r,
  @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r,
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@ -21,9 +21,9 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {

  /etc/systemd/oomd.conf r,

-  owner @{run}/systemd/journal/socket w,
        @{run}/systemd/io.system.ManagedOOM rw,
        @{run}/systemd/notify rw,
+  owner @{run}/systemd/journal/socket w,

  @{sys}/fs/cgroup/cgroup.controllers r,
  @{sys}/fs/cgroup/memory.pressure r,
--- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
+++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
@ -12,12 +12,14 @@ profile systemd-tty-ask-password-agent @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/systemd-common>

-  audit capability net_admin,
+  capability dac_override,
+  capability net_admin,
+  capability sys_resource,

  signal (receive) set=(term cont) peer=default,
  signal (receive) set=(term cont) peer=logrotate,

-  @{exec_path} mr,
+  @{exec_path} mrix,

  @{run}/systemd/ask-password-block/{,*} rw,
  @{run}/systemd/ask-password/{,*} rw,
@ -25,6 +27,9 @@ profile systemd-tty-ask-password-agent @{exec_path} {

  @{PROC}/@{pids}/stat r,
  
+  @{sys}/devices/virtual/tty/console/active r,
+  @{sys}/devices/virtual/tty/tty@{int}/active r,
+
  /dev/tty@{int} rw,

  include if exists <local/systemd-tty-ask-password-agent>
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -49,6 +49,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
  @{bin}/less              rPx -> child-pager,
  @{bin}/ln                rix,
  @{bin}/logger            rix,
+  @{bin}/ls                rix,
  @{bin}/lvm               rPx,
  @{bin}/mknod             rPx,
  @{bin}/more              rPx -> child-pager,
@ -58,13 +59,16 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
  @{bin}/pager             rPx -> child-pager,
  @{bin}/perl              rix,
  @{bin}/readlink          rix,
+  @{bin}/rm                rix,
  @{bin}/sed               rix,
  @{bin}/setfacl           rix,
  @{bin}/sg_inq            rix,
  @{bin}/snap             rPUx,
  @{bin}/systemctl         rCx -> systemctl,
+  @{bin}/systemd-run       rix,
  @{bin}/touch             rix,
  @{bin}/unshare           rix,
+  @{bin}/wc                rix,

  @{lib}/crda/*                           rPUx,
  @{lib}/gdm-runtime-config               rPx,