feat(abs): add proc stat to the gnome common abs.

2025-05-18 13:47:08 +02:00 · 2025-05-18 13:47:08 +02:00 · 1fab846875
commit 1fab846875
parent 9499116542
15 changed files with 1 additions and 17 deletions
--- a/apparmor.d/abstractions/common/gnome
+++ b/apparmor.d/abstractions/common/gnome
@ -32,6 +32,7 @@
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,

  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  include if exists <abstractions/common/gnome.d>
--- a/apparmor.d/groups/apparmor/aa-notify
+++ b/apparmor.d/groups/apparmor/aa-notify
@ -75,7 +75,6 @@ profile aa-notify @{exec_path} {
    owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw,

    owner @{PROC}/@{pid}/mountinfo r,
-    owner @{PROC}/@{pid}/stat r,

    deny @{user_share_dirs}/gvfs-metadata/* r,

--- a/apparmor.d/groups/gnome/decibels
+++ b/apparmor.d/groups/gnome/decibels
@ -28,7 +28,6 @@ profile decibels @{exec_path} {
  owner @{user_videos_dirs}/{,**} r,

  owner @{PROC}/@{pid}/mounts r,
-  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,

  include if exists <local/decibels>
--- a/apparmor.d/groups/gnome/gnome-calculator
+++ b/apparmor.d/groups/gnome/gnome-calculator
@ -23,8 +23,6 @@ profile gnome-calculator @{exec_path} {

  @{open_path}  rPx -> child-open-help,

-  owner @{PROC}/@{pid}/stat r,
-
  include if exists <local/gnome-calculator>
 }

--- a/apparmor.d/groups/gnome/gnome-characters
+++ b/apparmor.d/groups/gnome/gnome-characters
@ -29,7 +29,6 @@ profile gnome-characters @{exec_path} {
  /usr/share/xml/iso-codes/{,**} r,

  owner @{PROC}/@{pid}/mounts r,
-  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/status r,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,

--- a/apparmor.d/groups/gnome/gnome-extensions-app
+++ b/apparmor.d/groups/gnome/gnome-extensions-app
@ -22,7 +22,6 @@ profile gnome-extensions-app @{exec_path} {
  /usr/share/terminfo/** r,

  owner @{PROC}/@{pid}/mounts r,
-  owner @{PROC}/@{pids}/stat r,
  owner @{PROC}/@{pids}/task/@{tid}/stat r,

  /dev/tty rw,
--- a/apparmor.d/groups/gnome/gnome-logs
+++ b/apparmor.d/groups/gnome/gnome-logs
@ -27,8 +27,6 @@ profile gnome-logs @{exec_path} {
  /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal r,
  /{run,var}/log/journal/remote/ r,

-  owner @{PROC}/@{pid}/stat r,
-
  include if exists <local/gnome-logs>
 }

--- a/apparmor.d/groups/gnome/gnome-maps
+++ b/apparmor.d/groups/gnome/gnome-maps
@ -45,7 +45,6 @@ profile gnome-maps @{exec_path} {
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
-  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,

  include if exists <local/gnome-maps>
--- a/apparmor.d/groups/gnome/gnome-text-editor
+++ b/apparmor.d/groups/gnome/gnome-text-editor
@ -24,7 +24,6 @@ profile gnome-text-editor @{exec_path} {
  owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw,

  owner @{PROC}/@{pid}/mountinfo r,
-  owner @{PROC}/@{pid}/stat r,

  deny @{user_share_dirs}/gvfs-metadata/* r,

--- a/apparmor.d/groups/gnome/gnome-weather
+++ b/apparmor.d/groups/gnome/gnome-weather
@ -31,7 +31,6 @@ profile gnome-weather @{exec_path} {

        @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
  owner @{PROC}/@{pid}/mounts r,
-  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,

  deny owner @{user_share_dirs}/gvfs-metadata/* r,
--- a/apparmor.d/groups/gnome/papers
+++ b/apparmor.d/groups/gnome/papers
@ -32,7 +32,6 @@ profile papers @{exec_path} {
  @{run}/mount/utab r,

  owner @{PROC}/@{pid}/mountinfo r,
-  owner @{PROC}/@{pid}/stat r,

  profile open {
    include <abstractions/base>
--- a/apparmor.d/groups/gnome/ptyxis
+++ b/apparmor.d/groups/gnome/ptyxis
@ -28,8 +28,6 @@ profile ptyxis @{exec_path} {
  owner @{user_share_dirs}/org.gnome.Ptyxis/ rw,
  owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**,

-  owner @{PROC}/@{pid}/stat r,
-
  /dev/ptmx rw,

  include if exists <local/ptyxis>
--- a/apparmor.d/profiles-a-f/file-roller
+++ b/apparmor.d/profiles-a-f/file-roller
@ -48,7 +48,6 @@ profile file-roller @{exec_path} {
  @{run}/mount/utab r,

  owner @{PROC}/@{pid}/mountinfo r,
-  owner @{PROC}/@{pid}/stat r,

  include if exists <local/file-roller>
 }
--- a/apparmor.d/profiles-a-f/foliate
+++ b/apparmor.d/profiles-a-f/foliate
@ -51,7 +51,6 @@ profile foliate @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/smaps r,
-  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/statm r,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,

--- a/apparmor.d/profiles-a-f/fractal
+++ b/apparmor.d/profiles-a-f/fractal
@ -41,7 +41,6 @@ profile fractal @{exec_path} flags=(attach_disconnected) {
        @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/mountinfo r,
-  owner @{PROC}/@{pid}/stat r,

  /dev/ r,