feat(profiles): general update.

2023-03-12 15:35:59 +00:00 · 2023-03-12 15:35:59 +00:00 · 1042728ca6
commit 1042728ca6
parent 25e2d9d1f4
15 changed files with 26 additions and 14 deletions
--- a/apparmor.d/groups/apps/vlc
+++ b/apparmor.d/groups/apps/vlc
@ -26,14 +26,14 @@ profile vlc @{exec_path} {
  include <abstractions/user-download-strict>
  include <abstractions/vulkan>

-  signal (receive) set=(term, kill) peer=anyremote//*,
-
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

+  signal (receive) set=(term, kill) peer=anyremote//*,
+
  dbus send    bus=session path=/org/freedesktop/DBus 
       interface=org.freedesktop.DBus
       member={RequestName,ReleaseName,GetConnectionUnixProcessID}
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@ -14,6 +14,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf-write>
+  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@ -10,10 +10,11 @@ include <tunables/global>
 profile gsd-power @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio>
+  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
-  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dconf-write>
+  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
  include <abstractions/gtk>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@ -112,6 +112,7 @@ profile tracker-extract @{exec_path} {

  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  /dev/dri/card[0-9]* rw,
  /dev/dri/renderD128 rw,
--- a/apparmor.d/groups/systemd/coredumpctl
+++ b/apparmor.d/groups/systemd/coredumpctl
@ -67,8 +67,6 @@ profile coredumpctl @{exec_path} flags=(complain) {

    @{PROC}/@{pids}/fd/  r,

-    # Silencer
-    deny /usr/share/** w,

  }

--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -89,6 +89,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
  @{run}/udev/** rwk,

  @{run}/systemd/network/ r,
+  @{run}/systemd/network/*.link rw,
  @{run}/systemd/notify rw,
  @{run}/systemd/seats/seat[0-9]* r,

--- a/apparmor.d/groups/systemd/systemd-userdbd
+++ b/apparmor.d/groups/systemd/systemd-userdbd
@ -23,7 +23,7 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  /{usr/,}lib/systemd/systemd-userwork rPx,
+  /{usr/,}lib/systemd/systemd-userwork rix,

  /etc/shadow r,
  /etc/machine-id r,
--- a/apparmor.d/groups/virt/cockpit-pcp
+++ b/apparmor.d/groups/virt/cockpit-pcp
@ -26,6 +26,8 @@ profile cockpit-pcp @{exec_path} {

  /var/lib/pcp/{,**} rw,

+  /var/log/pcp/pmlogger/ r,
+
        @{PROC}/diskstats r,
        @{PROC}/swaps r,
  owner @{PROC}/@{pid}/mounts r,
--- a/apparmor.d/groups/virt/docker-proxy
+++ b/apparmor.d/groups/virt/docker-proxy
@ -12,6 +12,9 @@ profile docker-proxy @{exec_path} {

  capability net_admin,

+  network inet stream,
+  network inet6 stream,
+
  @{exec_path} mr,

  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,