General profiles update.

2022-03-26 20:43:47 +00:00 · 2022-03-26 20:43:47 +00:00 · 20c3b0575c
commit 20c3b0575c
parent d7be27411b
22 changed files with 101 additions and 155 deletions
--- a/apparmor.d/groups/pacman/arch-audit
+++ b/apparmor.d/groups/pacman/arch-audit
@ -29,8 +29,8 @@ profile arch-audit @{exec_path} {

  /var/lib/pacman/local/{,**} r,

-  @{PROC}/@{pid}/cgroup r,
-  @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/mountinfo r,

  @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
  @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@ -12,10 +12,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

-  capability mknod,
  capability dac_read_search,
-  capability sys_chroot,
+  capability mknod,
  capability sys_admin,
+  capability sys_chroot,

  unix (receive) type=stream,

@ -59,12 +59,12 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
  /{usr/,}lib{,32,64}/ld-*.so*    rix,

  /etc/fstab r,
-  /etc/lvm/lvm.conf r,
-  /etc/vconsole.conf r,
  /etc/locale.conf r,
+  /etc/lvm/lvm.conf r,
  /etc/mkinitcpio.conf r,
  /etc/mkinitcpio.d/{,**} r,
  /etc/modprobe.d/{,*} r,
+  /etc/vconsole.conf r,

  /usr/share/kbd/keymaps/{,**} r,
  /usr/share/terminfo/x/xterm-256color r,
@ -88,7 +88,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
  owner @{run}/mkinitcpio.*/{,**} rw,
  owner /tmp/mkinitcpio.*/{,**} rw,

-  owner @{PROC}/[0-9]*/mountinfo r,
+  owner @{PROC}/@{pid}/mountinfo r,

  # Inherit silencer
  deny @{HOME}/** r,
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -57,9 +57,12 @@ profile pacman @{exec_path} {
  /{usr/,}bin/gettext                     rix,
  /{usr/,}bin/ghc-pkg-*                   rix,
  /{usr/,}bin/grep                        rix,
+  /{usr/,}bin/head                        rix,
  /{usr/,}bin/iscsi-iname                 rix,
  /{usr/,}bin/killall                     rix,
+  /{usr/,}bin/ln                          rix,
  /{usr/,}bin/rm                          rix,
+  /{usr/,}bin/sed                         rix,
  /{usr/,}bin/setcap                      rix,
  /{usr/,}bin/vercmp                      rix,
  /{usr/,}bin/xmlcatalog                  rix,
@ -77,6 +80,7 @@ profile pacman @{exec_path} {
  /{usr/,}bin/install-info                rPx,
  /{usr/,}bin/journalctl                  rPx,
  /{usr/,}bin/locale-gen                  rPx,
+  /{usr/,}bin/mkinitcpio                  rPx,
  /{usr/,}bin/pacdiff                     rPx,
  /{usr/,}bin/pacman-key                  rPx,
  /{usr/,}bin/sysctl                      rPx,