feat(profile): general minor update.

2025-05-14 22:36:46 +02:00 · 2025-05-14 22:36:46 +02:00 · 1096666191
commit 1096666191
parent c972607ca4
17 changed files with 29 additions and 7 deletions
--- a/apparmor.d/groups/firewall/firewalld
+++ b/apparmor.d/groups/firewall/firewalld
@ -33,6 +33,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
  @{python_path} r,

  @{bin}/ r,
+  @{sbin}/ r,
  @{bin}/alts                     rix,
  @{sbin}/ebtables-legacy         rix,
  @{sbin}/ebtables-legacy-restore rix,
--- a/apparmor.d/groups/freedesktop/wireplumber
+++ b/apparmor.d/groups/freedesktop/wireplumber
@ -50,6 +50,7 @@ profile wireplumber @{exec_path} {
  owner @{user_config_dirs}/wireplumber/{,**} r,

  owner @{run}/user/@{uid}/pipewire-@{int} rw,
+  owner @{run}/user/@{uid}/pipewire-@{int}-manager rw,

        /dev/shm/lttng-ust-wait-@{int} r,
  owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -61,7 +61,9 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {

  owner /var/lib/xkb/server-@{int}.xkm rw,

+  owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r,
  owner @{gdm_config_dirs}/dconf/user r,
+  owner /var/lib/gdm3/greeter-dconf-defaults r,

  owner @{tmp}/runtime-*/xauth_@{rand6} r,

--- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers
+++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers
@ -27,6 +27,9 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) {
  owner @{tmp}/gnome-desktop-thumbnailer.png w,
  owner @{tmp}/gsf-thumbnailer-@{rand6} rw,

+  owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw,
+  owner /dev/shm/lttng-ust-wait-@{int} rw,
+
  include if exists <local/gnome-desktop-thumbnailers>
 }

--- a/apparmor.d/groups/gnome/gsd-sound
+++ b/apparmor.d/groups/gnome/gsd-sound
@ -16,7 +16,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>

-  signal (receive) set=(term, hup) peer=gdm*,
+  signal receive set=(term, hup) peer=gdm*,

  #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Sound

--- a/apparmor.d/groups/gvfs/gvfsd-computer
+++ b/apparmor.d/groups/gvfs/gvfsd-computer
@ -13,6 +13,7 @@ profile gvfsd-computer @{exec_path} {
  include <abstractions/bus-session>

  #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int}
+  #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label=gvfs-afc-volume-monitor

  @{exec_path} mr,

--- a/apparmor.d/groups/polkit/pkexec
+++ b/apparmor.d/groups/polkit/pkexec
@ -21,6 +21,7 @@ profile pkexec @{exec_path} {
  @{exec_path} mr,

  @{bin}/*       PUx,
+  @{sbin}/*      PUx,
  @{lib}/**      PUx,
  /opt/*/**      PUx,
  /usr/share/**  PUx,
--- a/apparmor.d/groups/polkit/polkitd
+++ b/apparmor.d/groups/polkit/polkitd
@ -20,7 +20,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
  capability sys_ptrace,
  audit capability net_admin,

-  ptrace (read),
+  ptrace read,

  #aa:dbus own bus=system name=org.freedesktop.PolicyKit1

--- a/apparmor.d/groups/snap/snapd
+++ b/apparmor.d/groups/snap/snapd
@ -150,6 +150,7 @@ profile snapd @{exec_path} {
  @{run}/user/@{uid}/snapd-session-agent.socket rw,
  @{run}/user/snap.*/{,**} rw,

+  @{run}/mount/utab.act rk,
  @{run}/snapd*.socket rw,
  @{run}/snapd/{,**} rw,
  @{run}/snapd/lock/*.lock rwk,
--- a/apparmor.d/groups/utils/uuidd
+++ b/apparmor.d/groups/utils/uuidd
@ -16,6 +16,7 @@ profile uuidd @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,

  owner /var/lib/libuuid/clock.txt rwk,
+  owner /var/lib/libuuid/clock-cont.txt rwk,

  @{run}/uuidd/request rw,
  @{att}/@{run}/uuidd/request rw,
--- a/apparmor.d/groups/utils/whereis
+++ b/apparmor.d/groups/utils/whereis
@ -15,6 +15,7 @@ profile whereis @{exec_path} {
  @{exec_path} mr,

  @{bin}/{,*/} r,
+  @{sbin}/{,*/} r,
  @{lib}/ r,
  @{lib}/go-*/bin/ r,
  /usr/{local/,}games/ r,