feat(profile): general update.

2024-05-11 17:38:43 +01:00 · 2024-05-11 17:38:43 +01:00 · 1739c07ca1
commit 1739c07ca1
parent 533b7ac937
36 changed files with 57 additions and 56 deletions
--- a/apparmor.d/groups/systemd/busctl
+++ b/apparmor.d/groups/systemd/busctl
@ -22,7 +22,7 @@ profile busctl @{exec_path} {

  ptrace (read),

-  unix (bind) type=stream addr=@@{hex}/bus/busctl/busctl,
+  unix (bind) type=stream addr=@@{hex16}/bus/busctl/busctl,

  signal (send) set=(cont) peer=child-pager,

--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@ -24,7 +24,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {

  ptrace (read) peer=@{p_systemd},

-  unix (bind) type=stream addr=@@{hex}/bus/networkctl/system,
+  unix (bind) type=stream addr=@@{hex16}/bus/networkctl/system,

  #aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd
  # No label available
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@ -16,7 +16,7 @@ profile systemd-hostnamed @{exec_path}  flags=(attach_disconnected) {

  capability sys_admin,  # To set a hostname

-  unix (bind) type=stream addr=@@{hex}/bus/systemd-hostnam/system,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemd-hostnam/system,

  #aa:dbus own bus=system name=org.freedesktop.hostname1

--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@ -17,7 +17,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
  # Needed?
  audit capability net_admin,

-  unix (bind) type=stream addr=@@{hex}/bus/systemd-localed/system,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemd-localed/system,

  #aa:dbus own bus=system name=org.freedesktop.locale1

--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -29,7 +29,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {

  # mqueue r type=posix /,

-  unix (bind) type=stream addr=@@{hex}/bus/systemd-logind/system,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemd-logind/system,

  #aa:dbus own bus=system name=org.freedesktop.login1

--- a/apparmor.d/groups/systemd/systemd-modules-load
+++ b/apparmor.d/groups/systemd/systemd-modules-load
@ -17,14 +17,14 @@ profile systemd-modules-load @{exec_path} {

  @{exec_path} mr,

-  @{sys}/module/*/initstate r,
-
  /etc/modprobe.d/ r,
  /etc/modprobe.d/*.conf r,
  /etc/modules r,
  /etc/modules-load.d/ r,
  /etc/modules-load.d/*.conf r,

+  @{sys}/devices/@{pci}/config r,
+  @{sys}/module/*/initstate r,
  @{sys}/module/compression r,

  include if exists <local/systemd-modules-load>
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@ -27,7 +27,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
  network packet dgram,
  network packet raw,

-  unix (bind) type=stream addr=@@{hex}/bus/systemd-network/bus-api-network,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemd-network/bus-api-network,

  #aa:dbus own bus=system name=org.freedesktop.network1

--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@ -15,7 +15,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
  capability dac_override,
  capability kill,

-  unix (bind) type=stream addr=@@{hex}/bus/systemd-oomd/bus-api-oom,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemd-oomd/bus-api-oom,

  #aa:dbus own bus=system name=org.freedesktop.oom1

--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@ -15,7 +15,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {

  capability sys_time,

-  unix (bind) type=stream addr=@@{hex}/bus/systemd-timedat/system,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemd-timedat/system,

  #aa:dbus own bus=system name=org.freedesktop.timedate1

--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@ -21,7 +21,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
  network inet stream,
  network inet6 stream,

-  unix (bind) type=stream addr=@@{hex}/bus/systemd-timesyn/bus-api-timesync,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemd-timesyn/bus-api-timesync,
  unix (send, receive) type=dgram addr=none peer=(label=@{p_systemd}, addr=none),

  #aa:dbus own bus=system name=org.freedesktop.timesync1
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -36,40 +36,29 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
  @{exec_path} mrix,

  @{sh_path}               rix,
-  @{bin}/{,e}grep          rix,
+  @{coreutils_path}        rix,
  @{bin}/*-print-pci-ids   rix,
  @{bin}/alsactl          rPUx,
-  @{bin}/cat               rix,
-  @{bin}/chgrp             rix,
-  @{bin}/chmod             rix,
-  @{bin}/cut               rix,
  @{bin}/dmsetup          rPUx,
  @{bin}/ethtool           rix,
-  @{bin}/issue-generator  rPUx,
+  @{bin}/issue-generator   rPx,
  @{bin}/kmod              rPx,
  @{bin}/less              rPx -> child-pager,
-  @{bin}/ln                rix,
  @{bin}/logger            rix,
  @{bin}/ls                rix,
  @{bin}/lvm               rPx,
-  @{bin}/mknod             rPx,
+  @{bin}/mknod             rix,
  @{bin}/more              rPx -> child-pager,
  @{bin}/multipath         rPx,
  @{bin}/nfsrahead         rix,
-  @{bin}/nohup             rix,
  @{bin}/pager             rPx -> child-pager,
  @{bin}/perl              rix,
-  @{bin}/readlink          rix,
-  @{bin}/rm                rix,
-  @{bin}/sed               rix,
  @{bin}/setfacl           rix,
  @{bin}/sg_inq            rix,
  @{bin}/snap             rPUx,
  @{bin}/systemctl         rCx -> systemctl,
  @{bin}/systemd-run       rix,
-  @{bin}/touch             rix,
  @{bin}/unshare           rix,
-  @{bin}/wc                rix,

  @{lib}/crda/*                           rPUx,
  @{lib}/gdm-runtime-config               rPx,
@ -90,13 +79,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {

  /etc/nfs.conf rk,

-  /etc/udev/ r,
-  /etc/udev/udev.conf r,
-  /etc/udev/rules.d/ r,
-  /etc/udev/rules.d/*.rules r,
-
-  /etc/udev/hwdb.d/ r,
-  /etc/udev/hwdb.d/[0-9][0-9]-*.hwdb r,
+  /etc/udev/{,**} r,
  /etc/udev/hwdb.bin rw,
  /etc/udev/.#hwdb.bin* rw,

@ -121,6 +104,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
        @{PROC}/devices r,
        @{PROC}/driver/nvidia/gpus/ r,
        @{PROC}/driver/nvidia/gpus/*/information r,
+        @{PROC}/driver/nvidia/params r,
        @{PROC}/pressure/* r,
        @{PROC}/sys/fs/nr_open r,
  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/groups/systemd/systemd-update-utmp
+++ b/apparmor.d/groups/systemd/systemd-update-utmp
@ -17,7 +17,7 @@ profile systemd-update-utmp @{exec_path} {

  network netlink raw,

-  unix (bind) type=stream addr=@@{hex}/bus/systemd-update-/,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemd-update-/,

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-user-runtime-dir
+++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir
@ -23,7 +23,7 @@ profile systemd-user-runtime-dir @{exec_path} {
  mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/,
  umount @{run}/user/@{uid}/,

-  unix (bind) type=stream addr=@@{hex}/bus/systemd-user-ru/system,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemd-user-ru/system,

  @{exec_path} mr,