feat(profile): general update.

2023-11-27 19:35:42 +00:00 · 2023-11-27 19:35:42 +00:00 · 209688fe86
commit 209688fe86
parent fade97486d
16 changed files with 37 additions and 30 deletions
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@ -43,6 +43,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  capability dac_override,
  capability dac_read_search,
  capability fowner,
+  capability fsetid,
  capability kill,
  capability mknod,
  capability perfmon,
--- a/apparmor.d/groups/gnome/gdm-xsession
+++ b/apparmor.d/groups/gnome/gdm-xsession
@ -40,7 +40,7 @@ profile gdm-xsession @{exec_path} {

  @{bin}/dbus-update-activation-environment    rCx -> dbus,
  @{bin}/dpkg-query                            rpx,
-  @{bin}/flatpak                               rPUx,
+  @{bin}/flatpak                               rPx,
  @{bin}/gpgconf                               rPx,
  @{bin}/gsettings                             rPx,
  @{bin}/im-launch                             rPx,
--- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper
+++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
@ -27,11 +27,13 @@ profile gnome-control-center-goa-helper @{exec_path} {
  network inet6 stream,
  network netlink raw,

+  signal (send) set=(kill) peer=bwrap,
+
  @{exec_path} mr,

  @{bin}/bwrap  rPUx,

-  @{lib}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
+  @{lib}/webkit2gtk-*/WebKitNetworkProcess rix,

  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/themes/{,**} r,
@ -43,6 +45,7 @@ profile gnome-control-center-goa-helper @{exec_path} {

  owner @{user_cache_dirs}/gnome-control-center-goa-helper/{,**} rwl,

+  owner @{user_share_dirs}/gnome-control-center-goa-helper/{,**} rwk,
  owner @{user_share_dirs}/webkitgtk/{,**} rw,
  owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,

--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@ -69,7 +69,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  @{bin}/Xorg         rPx,
  /etc/sddm/Xsession  rPx,

-  @{bin}/flatpak     rPUx,
+  @{bin}/flatpak      rPx,
  @{bin}/sway        rPUx,
  @{bin}/xauth        rCx -> xauth,
  @{bin}/xsetroot     rPx,
--- a/apparmor.d/groups/kde/sddm-xsession
+++ b/apparmor.d/groups/kde/sddm-xsession
@ -36,7 +36,7 @@ profile sddm-xsession @{exec_path} {
  @{bin}/zsh        rix,

  @{bin}/dbus-update-activation-environment  rCx -> dbus,
-  @{bin}/flatpak                             rPUx,
+  @{bin}/flatpak                             rPx,
  @{bin}/numlockx                            rPx,
  @{bin}/xhost                               rPx,
  @{bin}/xrdb                                rPx,
--- a/apparmor.d/groups/kde/xdm-xsession
+++ b/apparmor.d/groups/kde/xdm-xsession
@ -36,7 +36,7 @@ profile xdm-xsession @{exec_path} {
  @{bin}/whoami             rix,

  @{bin}/dbus-update-activation-environment rCx -> dbus,
-  @{bin}/flatpak                            rPUx,
+  @{bin}/flatpak                            rPx,
  @{bin}/pidof                              rPx,
  @{bin}/startplasma-x11                    rPx,
  @{bin}/systemctl                          rPx -> child-systemctl,
@ -77,13 +77,7 @@ profile xdm-xsession @{exec_path} {

  owner @{user_share_dirs}/sddm/xorg-session.log rw,

-  owner @{run}/user/@{uid}/gnupg/ rw,
-  owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r,
-  owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw,
-  owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key rw,
-  owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
-  owner @{run}/user/@{uid}/gnupg/sshcontrol r,
-        @{run}/user/@{uid}/xauth_@{rand6} rl,
+  @{run}/user/@{uid}/xauth_@{rand6} rl,

  owner /tmp/ssh-*/ rw,
  owner /tmp/ssh-*/agent.* rw,
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -54,10 +54,10 @@ profile sshd @{exec_path} flags=(attach_disconnected) {

  ptrace (read,trace) peer=@{systemd},

-  dbus send bus=system path=/org/freedesktop/login[0-9]
-    interface=org.freedesktop.login[0-9].Manager
+  dbus send bus=system path=/org/freedesktop/login1
+    interface=org.freedesktop.login1.Manager
    member={CreateSession,ReleaseSession}
-    peer=(name=org.freedesktop.login[0-9]),
+    peer=(name=org.freedesktop.login1),

  @{exec_path} mrix,

--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@ -29,22 +29,21 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
  network inet6 stream,
  network netlink raw,

+  dbus bind bus=system name=org.freedesktop.resolve1,
+
+  dbus receive bus=system path=/org/freedesktop/resolve1
+       interface=org.freedesktop.{resolve1.Manager,DBus.Peer,DBus.Properties},
+
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={RequestName,GetConnectionUnixUser}
       peer=(name=org.freedesktop.DBus),

-  dbus receive bus=system path=/org/freedesktop/resolve[0-9]
-       interface=org.freedesktop.{resolve[0-9].Manager,DBus.Peer,DBus.Properties},
-
-  dbus receive bus=system path=/org/freedesktop/login[0-9]*
-       interface=org.freedesktop.login[0-9]*.Manager
+  dbus receive bus=system path=/org/freedesktop/login1
+       interface=org.freedesktop.login1.Manager
       member={PrepareForSleep,PrepareForShutdown}
       peer=(name=:*, label=systemd-logind),

-  dbus bind bus=system 
-       name=org.freedesktop.resolve[0-9],
-
  @{exec_path} mr,

  /etc/systemd/resolved.conf r,
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -137,6 +137,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {

  @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} r,
  @{etc_rw}/libvirt/{,**} rw,
+  /etc/gnutls/config r,
  /etc/mdevctl.d/{,**} r,
  /etc/sasl2/qemu.conf r,
  /etc/xml/catalog r,