feat(profiles): general update.

2023-11-22 21:37:09 +00:00 · 2023-11-22 21:37:09 +00:00 · 31bc5a6053
commit 31bc5a6053
parent a49d83993a
16 changed files with 56 additions and 103 deletions
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -29,6 +29,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  capability sys_tty_config,

  signal (receive) set=term peer=gdm,
+  signal (receive) set=hup peer=@{systemd},
  signal (send) set=hup peer=at-spi*,
  signal (send) set=hup peer=dbus-daemon,
  signal (send) set=hup peer=dbus-run-session,
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@ -34,6 +34,7 @@ profile gnome-software @{exec_path} {

  @{exec_path} mr,

+  @{bin}/baobab              rPUx,
  @{bin}/bwrap               rPUx,
  @{bin}/fusermount{,3}      rCx -> fusermount,
  @{bin}/gpg{,2}             rCx -> gpg,
--- a/apparmor.d/groups/gnome/mutter-x11-frames
+++ b/apparmor.d/groups/gnome/mutter-x11-frames
@ -27,7 +27,8 @@ profile mutter-x11-frames @{exec_path} {
  /usr/share/dconf/profile/gdm r,
  /usr/share/gdm/greeter-dconf-defaults r,

-  /var/lib/gdm/.config/dconf/user r,
+  /var/lib/gdm{3,}/.config/dconf/user r,
+  /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,

  owner @{PROC}/@{pid}/cmdline r,

--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@ -104,6 +104,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
  @{run}/blkid/blkid.tab r,
  @{run}/mount/utab r,

+        @{PROC}/@{pid}/cmdline r,
        @{PROC}/sys/fs/fanotify/max_user_marks r,
        @{PROC}/sys/fs/inotify/max_user_watches r,
  owner @{PROC}/@{pid}/mountinfo r,
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@ -25,6 +25,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted

  mount -> /,

+  ptrace (read),
+
  @{exec_path} mr,

  @{lib}/** r,
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -27,6 +27,8 @@ profile systemd-journald @{exec_path} {

  network netlink raw,

+  ptrace (read),
+
  @{exec_path} mr,

  /etc/systemd/journald.conf r,
--- a/apparmor.d/groups/systemd/systemd-portabled
+++ b/apparmor.d/groups/systemd/systemd-portabled
@ -13,16 +13,9 @@ profile systemd-portabled @{exec_path} {

  capability sys_ptrace,

-  ptrace (read) peer=unconfined,
-
  @{exec_path} mr,

  /var/lib/portables/{,**} rw,

-  @{PROC}/1/environ r,
-  @{PROC}/cmdline r,
-  @{PROC}/sys/kernel/osrelease r,
-  @{PROC}/sys/kernel/random/boot_id r,
-
  include if exists <local/systemd-portabled>
 }
--- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
+++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
@ -14,6 +14,7 @@ profile systemd-tty-ask-password-agent @{exec_path} {

  audit capability net_admin,

+  signal (receive) set=(term cont) peer=default,
  signal (receive) set=(term cont) peer=logrotate,

  @{exec_path} mr,