feat(profiles): general update.

2023-11-22 21:37:09 +00:00 · 2023-11-22 21:37:09 +00:00 · 31bc5a6053
commit 31bc5a6053
parent a49d83993a
16 changed files with 56 additions and 103 deletions
--- a/apparmor.d/profiles-m-r/netcap
+++ b/apparmor.d/profiles-m-r/netcap
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -13,9 +14,6 @@ profile netcap @{exec_path} {
  include <abstractions/nameservice-strict>

  capability sys_ptrace,
-
-  # To get access to all of the @{PROC}/@{pids}/fd/ dirs, which sometimes can be owned by other
-  # users than root, for instance systemd-timesync.
  capability dac_read_search,

  ptrace (read),
--- a/apparmor.d/profiles-m-r/pactl
+++ b/apparmor.d/profiles-m-r/pactl
@ -20,7 +20,7 @@ profile pactl @{exec_path} {
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

-  /var/lib/gdm/.config/pulse/cookie rk,
+  /var/lib/gdm{3,}/.config/pulse/cookie rk,

  owner @{HOME}/.Xauthority r,

--- a/apparmor.d/profiles-m-r/redshift
+++ b/apparmor.d/profiles-m-r/redshift
@ -1,42 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2015 Cameron Norman <camerontnorman@gmail.com>
-#    Copyright (C) 2017-2021 Mikhail Morfikov
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/redshift
-profile redshift @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/wayland>
-  include <abstractions/nameservice-strict>
-
-  @{exec_path} mr,
-
-  dbus send
-       bus=system
-       path=/org/freedesktop/GeoClue2/Client/@{int},
-
-  dbus receive
-       bus=system
-       path=/org/freedesktop/GeoClue2/Manager,
-
-  # Allow but log any other dbus activity
-  audit dbus bus=system,
-
-  # Redshift config files
-  owner @{user_config_dirs}/redshift/{,**} rw,
-  owner @{user_config_dirs}/redshift.conf rw,
-
-  owner @{run}/user/@{uid}/redshift-shared-* rw,
-
-  owner @{HOME}/.Xauthority r,
-  owner /tmp/xauth-[0-9]*-_[0-9] r,
-
-  # file_inherit
-  owner /dev/tty@{int} rw,
-
-  include if exists <local/redshift>
-}