feat(profile): general update.

2024-02-01 13:19:19 +00:00 · 2024-02-01 13:19:19 +00:00 · 0a74d5c6fe
commit 0a74d5c6fe
parent 70a8407bd7
22 changed files with 39 additions and 16 deletions
--- a/apparmor.d/groups/systemd/systemd-generator-environment-flatpak
+++ b/apparmor.d/groups/systemd/systemd-generator-environment-flatpak
@ -13,7 +13,8 @@ profile systemd-generator-environment-flatpak @{exec_path} {

  @{exec_path} mr,

-  @{bin}/flatpak rix,
+  @{bin}/{,ba,da}sh  rix,
+  @{bin}/flatpak     rix,

  /usr/{local/,}share/gvfs/remote-volume-monitors/{,*}  r,

--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -99,7 +99,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
  @{sys}/class/power_supply/ r,
  @{sys}/devices/** r,
  @{sys}/devices/**/brightness rw,
-  @{sys}/devices/virtual/tty/tty[0-9]*/active r,
+  @{sys}/devices/virtual/tty/tty@{int}/active r,
  @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r,
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@ -21,9 +21,9 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {

  /etc/systemd/oomd.conf r,

-  owner @{run}/systemd/journal/socket w,
        @{run}/systemd/io.system.ManagedOOM rw,
        @{run}/systemd/notify rw,
+  owner @{run}/systemd/journal/socket w,

  @{sys}/fs/cgroup/cgroup.controllers r,
  @{sys}/fs/cgroup/memory.pressure r,
--- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
+++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
@ -12,12 +12,14 @@ profile systemd-tty-ask-password-agent @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/systemd-common>

-  audit capability net_admin,
+  capability dac_override,
+  capability net_admin,
+  capability sys_resource,

  signal (receive) set=(term cont) peer=default,
  signal (receive) set=(term cont) peer=logrotate,

-  @{exec_path} mr,
+  @{exec_path} mrix,

  @{run}/systemd/ask-password-block/{,*} rw,
  @{run}/systemd/ask-password/{,*} rw,
@ -25,6 +27,9 @@ profile systemd-tty-ask-password-agent @{exec_path} {

  @{PROC}/@{pids}/stat r,
  
+  @{sys}/devices/virtual/tty/console/active r,
+  @{sys}/devices/virtual/tty/tty@{int}/active r,
+
  /dev/tty@{int} rw,

  include if exists <local/systemd-tty-ask-password-agent>
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -49,6 +49,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
  @{bin}/less              rPx -> child-pager,
  @{bin}/ln                rix,
  @{bin}/logger            rix,
+  @{bin}/ls                rix,
  @{bin}/lvm               rPx,
  @{bin}/mknod             rPx,
  @{bin}/more              rPx -> child-pager,
@ -58,13 +59,16 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
  @{bin}/pager             rPx -> child-pager,
  @{bin}/perl              rix,
  @{bin}/readlink          rix,
+  @{bin}/rm                rix,
  @{bin}/sed               rix,
  @{bin}/setfacl           rix,
  @{bin}/sg_inq            rix,
  @{bin}/snap             rPUx,
  @{bin}/systemctl         rCx -> systemctl,
+  @{bin}/systemd-run       rix,
  @{bin}/touch             rix,
  @{bin}/unshare           rix,
+  @{bin}/wc                rix,

  @{lib}/crda/*                           rPUx,
  @{lib}/gdm-runtime-config               rPx,