From 10966661916160134fd86af30a03f6958470db03 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 14 May 2025 22:36:46 +0200
Subject: [PATCH] feat(profile): general minor update.
---
 apparmor.d/groups/firewall/firewalld | 1 +
 apparmor.d/groups/freedesktop/wireplumber | 1 +
 apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 2 ++
 apparmor.d/groups/gnome/gnome-desktop-thumbnailers | 3 +++
 apparmor.d/groups/gnome/gsd-sound | 2 +-
 apparmor.d/groups/gvfs/gvfsd-computer | 1 +
 apparmor.d/groups/polkit/pkexec | 1 +
 apparmor.d/groups/polkit/polkitd | 2 +-
 apparmor.d/groups/snap/snapd | 1 +
 apparmor.d/groups/utils/uuidd | 1 +
 apparmor.d/groups/utils/whereis | 1 +
 apparmor.d/profiles-a-f/finalrd | 9 ++++++---
 apparmor.d/profiles-g-l/gtk-query-immodules | 2 +-
 apparmor.d/profiles-g-l/kerneloops-applet | 6 +++++-
 apparmor.d/profiles-m-r/needrestart-iucode-scan-versions | 1 +
 apparmor.d/profiles-m-r/power-profiles-daemon | 1 +
 apparmor.d/profiles-s-z/wpa-supplicant | 1 +
 17 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld
index 7a6b7a9cf..ddf0291ee 100644
--- a/apparmor.d/groups/firewall/firewalld
+++ b/apparmor.d/groups/firewall/firewalld
@@ -33,6 +33,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
 @{python_path} r,
 @{bin}/ r,
+ @{sbin}/ r,
 @{bin}/alts rix,
 @{sbin}/ebtables-legacy rix,
 @{sbin}/ebtables-legacy-restore rix,
diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber
index 7d0836f7a..aa6928298 100644
--- a/apparmor.d/groups/freedesktop/wireplumber
+++ b/apparmor.d/groups/freedesktop/wireplumber
@@ -50,6 +50,7 @@ profile wireplumber @{exec_path} {
 owner @{user_config_dirs}/wireplumber/{,**} r,
 owner @{run}/user/@{uid}/pipewire-@{int} rw,
+ owner @{run}/user/@{uid}/pipewire-@{int}-manager rw,
 /dev/shm/lttng-ust-wait-@{int} r,
 owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
index ff4a6730a..b77ad03d7 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@@ -61,7 +61,9 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
 owner /var/lib/xkb/server-@{int}.xkm rw,
+ owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r,
 owner @{gdm_config_dirs}/dconf/user r,
+ owner /var/lib/gdm3/greeter-dconf-defaults r,
 owner @{tmp}/runtime-*/xauth_@{rand6} r,
diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers
index 436d82443..8c637920b 100644
--- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers
+++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers
@@ -27,6 +27,9 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) {
 owner @{tmp}/gnome-desktop-thumbnailer.png w,
 owner @{tmp}/gsf-thumbnailer-@{rand6} rw,
+ owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw,
+ owner /dev/shm/lttng-ust-wait-@{int} rw,
+ include if exists
 }
diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound
index 07a6ff6ed..871203e6c 100644
--- a/apparmor.d/groups/gnome/gsd-sound
+++ b/apparmor.d/groups/gnome/gsd-sound
@@ -16,7 +16,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) {
 include
 include
- signal (receive) set=(term, hup) peer=gdm*,
+ signal receive set=(term, hup) peer=gdm*,
 #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Sound
diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer
index 0a520d138..6eebca738 100644
--- a/apparmor.d/groups/gvfs/gvfsd-computer
+++ b/apparmor.d/groups/gvfs/gvfsd-computer
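Review bot: The second added rule in the xdg-desktop-portal-gtk hunk hard-codes `/var/lib/gdm3/greeter-dconf-defaults`, while the context line just above it reaches the same GDM home through `@{gdm_config_dirs}`. If the project defines a variable for GDM's state/home directory, expressing the new rule through it would keep the rule effective on distributions where that directory is not named `gdm3` (presumably the reason the sibling rule uses a variable); otherwise a short comment such as `# Debian/Ubuntu GDM home; other distributions use a different directory` would tell the next maintainer why the path is literal. The profile body starts outside the hunk.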
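Review bot: In the gnome-desktop-thumbnailers hunk the rule `owner /dev/shm/lttng-ust-wait-@{int} rw,` grants write on the shared (non per-uid) wait file, whereas the wireplumber hunk earlier in this patch keeps that same path read-only (`/dev/shm/lttng-ust-wait-@{int} r,`) and limits `rw` to the `-@{uid}` variant. Unless the thumbnailer was actually observed writing to the shared file, `owner /dev/shm/lttng-ust-wait-@{int} r,` would make the two profiles consistent and avoid handing write access on a shared segment to a process whose job is parsing untrusted files. The profile body starts outside the hunk; only its closing brace is visible here.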
@@ -13,6 +13,7 @@ profile gvfsd-computer @{exec_path} {
 include
 #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int}
+ #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label=gvfs-afc-volume-monitor
 @{exec_path} mr,
diff --git a/apparmor.d/groups/polkit/pkexec b/apparmor.d/groups/polkit/pkexec
index f4fc76639..8c6d868da 100644
--- a/apparmor.d/groups/polkit/pkexec
+++ b/apparmor.d/groups/polkit/pkexec
@@ -21,6 +21,7 @@ profile pkexec @{exec_path} {
 @{exec_path} mr,
 @{bin}/* PUx,
+ @{sbin}/* PUx,
 @{lib}/** PUx,
 /opt/*/** PUx,
 /usr/share/** PUx,
diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd
index 46d7adc60..4dc1380c0 100644
--- a/apparmor.d/groups/polkit/polkitd
+++ b/apparmor.d/groups/polkit/polkitd
@@ -20,7 +20,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
 capability sys_ptrace,
 audit capability net_admin,
- ptrace (read),
+ ptrace read,
 #aa:dbus own bus=system name=org.freedesktop.PolicyKit1
diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd
index b3ee8a5da..38d803655 100644
--- a/apparmor.d/groups/snap/snapd
+++ b/apparmor.d/groups/snap/snapd
@@ -150,6 +150,7 @@ profile snapd @{exec_path} {
 @{run}/user/@{uid}/snapd-session-agent.socket rw,
 @{run}/user/snap.*/{,**} rw,
+ @{run}/mount/utab.act rk,
 @{run}/snapd*.socket rw,
 @{run}/snapd/{,**} rw,
 @{run}/snapd/lock/*.lock rwk,
diff --git a/apparmor.d/groups/utils/uuidd b/apparmor.d/groups/utils/uuidd
index 0f03325c8..787914537 100644
--- a/apparmor.d/groups/utils/uuidd
+++ b/apparmor.d/groups/utils/uuidd
@@ -16,6 +16,7 @@ profile uuidd @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 owner /var/lib/libuuid/clock.txt rwk,
+ owner /var/lib/libuuid/clock-cont.txt rwk,
 @{run}/uuidd/request rw,
 @{att}/@{run}/uuidd/request rw,
diff --git a/apparmor.d/groups/utils/whereis b/apparmor.d/groups/utils/whereis
index 32d4ffa51..36e457998 100644
--- a/apparmor.d/groups/utils/whereis
+++ b/apparmor.d/groups/utils/whereis
@@ -15,6 +15,7 @@ profile whereis @{exec_path} {
 @{exec_path} mr,
 @{bin}/{,*/} r,
+ @{sbin}/{,*/} r,
 @{lib}/ r,
 @{lib}/go-*/bin/ r,
 /usr/{local/,}games/ r,
diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd
index 74c6ad3b1..bc6c4cf62 100644
--- a/apparmor.d/profiles-a-f/finalrd
+++ b/apparmor.d/profiles-a-f/finalrd
@@ -42,8 +42,9 @@ profile finalrd @{exec_path} {
 @{lib}/systemd/systemd-shutdown rPx,
 /usr/share/finalrd/*.finalrd rix,
- @{lib}/{,*} r,
 @{bin}/{,*} r,
+ @{lib}/{,*} r,
+ @{sbin}/{,*} r,
 /usr/share/finalrd/{,**} r,
 /usr/share/initramfs-tools/hook-functions r,
@@ -54,10 +55,11 @@ profile finalrd @{exec_path} {
 / r,
- @{run}/initramfs/{,**} rw,
 @{run}/ r,
- @{run}/mount/ r,
 @{run}/finalrd-libs.conf rw,
+ @{run}/initramfs/{,**} rw,
+ @{run}/mount/ r,
+ @{run}/mount/utab r,
 @{PROC}/@{pid}/mountinfo r,
@@ -66,6 +68,7 @@ profile finalrd @{exec_path} {
 include
 @{bin}/* mr,
+ @{sbin}/* mr,
 @{lib}/@{multiarch}/ld-linux-*so* mrix,
 include if exists
diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules
index 46aece91a..509769698 100644
--- a/apparmor.d/profiles-g-l/gtk-query-immodules
+++ b/apparmor.d/profiles-g-l/gtk-query-immodules
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0
+@{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0 @{lib}/@{multiarch}/libgtk-*/gtk-query-immodules-*
 profile gtk-query-immodules @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet
index 8f5e66cbc..758ead716 100644
--- a/apparmor.d/profiles-g-l/kerneloops-applet
+++ b/apparmor.d/profiles-g-l/kerneloops-applet
@@ -10,8 +10,12 @@ include
 @{exec_path} = @{bin}/kerneloops-applet
 profile kerneloops-applet @{exec_path} {
 include
- include
+ include
+ include
+ include
+ include
 include
+ include
 @{exec_path} mr,
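Review bot: The new `@{exec_path}` entry in the gtk-query-immodules hunk ends in an open wildcard, `gtk-query-immodules-*`, so the profile now attaches to (and `@{exec_path} mr` covers) any file with that prefix under any `libgtk-*` directory, whereas the original path is pinned to `{2,3}.0`. Unless a differently suffixed binary is installed there, mirroring the first path with `@{lib}/@{multiarch}/libgtk-*/gtk-query-immodules-{2,3}.0` keeps the attachment as tight as it was before; if the wildcard is deliberate, a comment naming the extra file it is meant to match would help. The same widening pattern appears in this patch's `@{sbin}/* PUx` and `@{sbin}/* mr` rules (pkexec, finalrd), but those mirror existing `@{bin}` rules and need no change.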
diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
index cf51936da..3484ea298 100644
--- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
+++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
@@ -21,6 +21,7 @@ profile needrestart-iucode-scan-versions @{exec_path} {
 /usr/share/misc/ r,
 /usr/share/misc/intel-microcode* r,
+ /etc/default/amd64-microcode r,
 /etc/default/intel-microcode r,
 /etc/needrestart/iucode.sh r,
diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon
index fe4e35724..43f27b2fc 100644
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
@@ -12,6 +12,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 capability dac_read_search,
diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant
index 24f87b5a7..b20c6f1b4 100644
--- a/apparmor.d/profiles-s-z/wpa-supplicant
+++ b/apparmor.d/profiles-s-z/wpa-supplicant
@@ -42,6 +42,7 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
 @{user_config_dirs}/cat_installer/*.pem r,
 owner @{run}/wpa_supplicant/{,**} rw,
+ owner @{run}/netplan/* r,
 @{sys}/devices/@{pci}/ieee*/phy@{int}/name r,
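Review bot: `owner @{run}/netplan/* r,` in the wpa-supplicant hunk reads every file under `@{run}/netplan/`, not only the wpa_supplicant configuration that netplan presumably renders there for this daemon. If the denial behind this rule names a specific file pattern, narrowing the glob to it would match the scoping style of the neighbouring `owner @{run}/wpa_supplicant/{,**} rw,`; if the file names are not stable, a comment such as `# netplan-rendered wpa_supplicant configuration` stating what is expected there would let a later reader judge whether the glob is still right. The `owner` qualifier only helps if wpa_supplicant runs as the same user that writes those files — looks like root in both cases, but confirm.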