Update profiles.

2021-11-09 21:49:16 +00:00 · 2021-11-09 21:49:16 +00:00 · 2cc4d69e9e
commit 2cc4d69e9e
parent 5eeccc84f8
8 changed files with 53 additions and 12 deletions
--- a/apparmor.d/groups/gnome/gnome-disk-image-mounter
+++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/gnome-disk-image-mounter
 profile gnome-disk-image-mounter @{exec_path} {
  include <abstractions/base>
+  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>

--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -31,10 +31,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  ptrace (read),

  signal (receive) set=(term, hup) peer=gdm*,
-  signal (send) set=(kill) peer=unconfined,
-  signal (send) set=(term) peer=polkit*,
-  signal (send) set=(term) peer=xwayland,
-  signal (send) set=(usr1) peer=ibus-daemon,
+  signal (send),

  @{exec_path} mr,

@ -87,6 +84,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
  owner @{user_cache_dirs}/libgweather/{,**} r,
  owner @{user_cache_dirs}/media-art/{,**} r,
+  owner @{user_cache_dirs}/vlc/**/*.jpg r,

  include <abstractions/dconf>
  owner @{run}/user/@{uid}/dconf/ rw,
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@ -60,6 +60,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
  owner @{run}/user/@{uid}/gdm/Xauthority r,

  @{PROC}/cmdline r,
+  @{PROC}/sys/kernel/osrelease r,

  owner /dev/tty[0-9]* rw,

--- a/apparmor.d/groups/systemd/systemd-binfmt
+++ b/apparmor.d/groups/systemd/systemd-binfmt
@ -10,6 +10,10 @@ include <tunables/global>
 profile systemd-binfmt @{exec_path} {
  include <abstractions/base>

+  capability net_admin,
+
+  ptrace (read) peer=unconfined,
+
  @{exec_path} mr,

  # Config file locations
@ -18,6 +22,10 @@ profile systemd-binfmt @{exec_path} {
  /usr/lib/binfmt.d/*.conf r,

  owner @{PROC}/@{pid}/stat r,
+        @{PROC}/1/environ r,
+        @{PROC}/cmdline r,
+        @{PROC}/sys/fs/binfmt_misc/status w,
+        @{PROC}/sys/kernel/osrelease r,

  include if exists <local/systemd-binfmt>
 }
--- a/apparmor.d/groups/systemd/systemd-modules-load
+++ b/apparmor.d/groups/systemd/systemd-modules-load
@ -11,12 +11,8 @@ profile systemd-modules-load @{exec_path} {
  include <abstractions/base>
  include <abstractions/systemd-common>

-  # To load kernel modules
  capability sys_module,

-  # Needed?
-  audit deny capability net_admin,
-
  @{exec_path} mr,

  @{sys}/module/*/initstate r,