feat(profile): general update.

2024-05-07 16:19:29 +01:00 · 2024-05-07 16:19:29 +01:00 · 239d5efe63
commit 239d5efe63
parent 4ada6f5879
14 changed files with 22 additions and 46 deletions
--- a/apparmor.d/groups/children/child-modprobe-nvidia
+++ b/apparmor.d/groups/children/child-modprobe-nvidia
@ -25,6 +25,7 @@ profile child-modprobe-nvidia flags=(attach_disconnected) {
  capability fsetid,
  capability mknod,
  capability sys_admin,
+  capability syslog,

  @{exec_path} mr,

--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -57,11 +57,6 @@ profile xdg-desktop-portal-gtk @{exec_path} {

  owner /var/lib/xkb/server-@{int}.xkm rw,

-  owner @{HOME}/ r,
-  owner @{HOME}/.* r,
-  owner @{HOME}/.icons/{,**} r,
-  owner @{HOME}/@{XDG_DATA_DIR}/ r,
-
  owner @{tmp}/runtime-*/xauth_@{rand6} r,

  @{run}/mount/utab r,
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -94,6 +94,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {

  owner @{HOME}/.pam_environment r,

+        @{run}/cockpit/inactive.motd r,
  owner @{run}/systemd/seats/seat@{int} r,
  owner @{run}/user/@{uid}/keyring/control rw,

--- a/apparmor.d/groups/gnome/gsd-printer
+++ b/apparmor.d/groups/gnome/gsd-printer
@ -19,7 +19,7 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) {

  #aa:dbus own bus=system name=com.redhat.NewPrinterNotification
  #aa:dbus own bus=system name=com.redhat.PrinterDriversInstaller
-  
+
  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@ -49,6 +49,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
  /etc/fstab r,

  # Mount points
+  @{MOUNTS}/ r,
  @{MOUNTS}/**/ r,
  @{HOME}/**/ r,

--- a/apparmor.d/groups/kde/kstart
+++ b/apparmor.d/groups/kde/kstart
@ -13,8 +13,9 @@ profile kstart @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-accessibility>
  include <abstractions/dri>
  include <abstractions/fontconfig-cache-read>
-  include <abstractions/kde-strict>
  include <abstractions/kde-open5>
+  include <abstractions/kde-strict>
+  include <abstractions/mesa>
  include <abstractions/nameservice-strict>

  @{exec_path} mr,
@ -22,7 +23,6 @@ profile kstart @{exec_path} flags=(attach_disconnected) {
  @{bin}/** rPUx,
  @{bin}/konsole rPx,

-  owner @{user_cache_dirs}/mesa_shader_cache/index rw,
  owner @{user_share_dirs}/kservices{5,6}/ r,
  owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r,

--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@ -44,7 +44,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
  #aa:dbus own bus=system name=org.freedesktop.NetworkManager

  #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher
-  #aa:dbus talk bus=system name=org.freedesktop.resolve1.Manager label=systemd-resolved
+  #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved

  dbus receive bus=system path=/org/freedesktop
       interface=org.freedesktop.DBus.ObjectManager
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@ -23,40 +23,18 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
  @{exec_path} rmix,

  @{sh_path}                 rix,
-  @{bin}/{m,g,}awk           rix,
+  @{coreutils_path}          rix,
  @{bin}/bsdtar              rix,
-  @{bin}/cat                 rix,
-  @{bin}/cp                  rix,
-  @{bin}/dd                  rix,
-  @{bin}/dirname             rix,
  @{bin}/fc-match            rix,
-  @{bin}/find                rix,
  @{bin}/findmnt             rPx,
  @{bin}/fsck                rix,
  @{bin}/getent              rix,
-  @{bin}/grep                rix,
  @{bin}/gzip                rix,
  @{bin}/hexdump             rix,
-  @{bin}/install             rix,
  @{bin}/ldconfig            rix,
  @{bin}/ldd                 rix,
-  @{bin}/ln                  rix,
  @{bin}/loadkeys            rix,
-  @{bin}/mktemp              rix,
-  @{bin}/mv                  rix,
-  @{bin}/od                  rix,
-  @{bin}/readlink            rix,
-  @{bin}/realpath            rix,
-  @{bin}/rm                  rix,
-  @{bin}/sed                 rix,
-  @{bin}/sort                rix,
-  @{bin}/stat                rix,
-  @{bin}/sync                rix,
-  @{bin}/tee                 rix,
-  @{bin}/touch               rix,
  @{bin}/tput                rix,
-  @{bin}/uname               rix,
-  @{bin}/xargs               rix,
  @{bin}/xz                  rix,
  @{bin}/zcat                rix,
  @{bin}/zstd                rix,
@ -106,9 +84,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {

  # Temp files
  owner @{run}/initramfs/{,**} rw,
-  owner @{run}/mkinitcpio.@{rand6}/{,**} rw,
+  owner @{run}/mkinitcpio.@{rand6}/{,**} rwl,
  owner @{tmp}/mkinitcpio.@{rand6} rw,
-  owner @{tmp}/mkinitcpio.@{rand6}/{,**} rw,
+  owner @{tmp}/mkinitcpio.@{rand6}/{,**} rwl,
+  owner @{run}/initcpio-tmp/mkinitcpio.@{rand6}/{,**} rwl,

  @{sys}/class/block/ r,
  @{sys}/devices/{,**} r,