feat(profile): general update on some core profiles.

2025-07-10 00:56:31 +02:00 · 2025-07-10 00:56:31 +02:00 · 35ae596fd9
commit 35ae596fd9
parent 51560bbbf5
13 changed files with 36 additions and 9 deletions
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@ -29,8 +29,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
  @{bin}/as         rix,
  @{bin}/bc         rix,
  @{bin}/clang-@{version} rix,
-  @{bin}/gcc        rix,
  @{bin}/g++        rix,
+  @{bin}/gcc        rix,
  @{bin}/getconf    rix,
  @{bin}/kill       rix,
  @{bin}/kmod       rCx -> kmod,
@ -44,8 +44,9 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
  @{bin}/readelf    rix,
  @{bin}/rpm       rPUx,
  @{bin}/strip      rix,
-  @{sbin}/update-secureboot-policy rPUx,
+  @{bin}/xz         rix,
  @{bin}/zstd       rix,
+  @{sbin}/update-secureboot-policy rPUx,

  @{lib}/gcc/@{multiarch}/@{version}/*         rix,
  @{lib}/linux-kbuild-*/scripts/**             rix,
--- a/apparmor.d/profiles-g-l/gimp
+++ b/apparmor.d/profiles-g-l/gimp
@ -28,6 +28,7 @@ profile gimp @{exec_path} {

  @{python_path}                         rix,
  @{bin}/env                             rix,
+  @{bin}/gimp-debug-tool-3.0             rix,
  @{bin}/gimp-script-fu-interpreter-*    rix,
  @{bin}/gjs-console                     rix,
  @{bin}/lua                             rix,
@ -41,6 +42,7 @@ profile gimp @{exec_path} {

  /usr/share/gimp/{,**} r,
  /usr/share/mypaint-data/{,**} r,
+  /usr/share/poppler/{,**} r,
  /usr/share/xml/iso-codes/{,**} r,

  /etc/fstab r,
@ -68,6 +70,8 @@ profile gimp @{exec_path} {

  owner @{tmp}/gimp/{,**} rw,

+  @{run}/mount/utab r,
+
        @{sys}/fs/cgroup/user.slice/cpu.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
--- a/apparmor.d/profiles-g-l/libreoffice
+++ b/apparmor.d/profiles-g-l/libreoffice
@ -81,6 +81,7 @@ profile libreoffice @{exec_path} {
  /etc/papersize r,
  /etc/xdg/* r,

+        /var/tmp/ r,
  owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w,

  owner @{user_cache_dirs}/libreoffice/{,**} rw,
@ -93,7 +94,7 @@ profile libreoffice @{exec_path} {
  owner @{user_share_dirs}/#@{int} rw,
  owner @{user_share_dirs}/user-places.xbel r,

-  owner @{tmp}/ r,
+        @{tmp}/ r,
  owner @{tmp}/.java_pid@{int}{,.tmp} rw,
  owner @{tmp}/@{hex} rw,
  owner @{tmp}/@{rand6} rwk,
--- a/apparmor.d/profiles-m-r/initramfs-hooks
+++ b/apparmor.d/profiles-m-r/initramfs-hooks
@ -25,10 +25,10 @@ profile initramfs-hooks @{exec_path} {
  @{lib}/klibc/bin/fstype                   ix,
  /usr/share/mdadm/mkconf                   Px,

-  @{bin}/* r,
-  @{sbin}/* r,
+  @{bin}/* mr,
+  @{sbin}/* mr,
  @{lib}/ r,
-  @{lib}/** r,
+  @{lib}/** mr,

  /usr/share/initramfs-tools/{,**} r,
  /usr/share/plymouth/{,**} r,
--- a/apparmor.d/profiles-m-r/mdadm-mkconf
+++ b/apparmor.d/profiles-m-r/mdadm-mkconf
@ -19,6 +19,7 @@ profile mdadm-mkconf @{exec_path} {
  @{sbin}/mdadm   Px,

  /etc/default/mdadm r,
+  /etc/mdadm/mdadm.conf r,

  / r,

--- a/apparmor.d/profiles-m-r/nvidia-smi
+++ b/apparmor.d/profiles-m-r/nvidia-smi
@ -25,7 +25,7 @@ profile nvidia-smi @{exec_path} {

  /dev/char/@{dynamic}:@{int} w,          # For dynamic assignment range 234 to 254, 384 to 511
  /dev/nvidia-caps/ rw,
-  /dev/nvidia-caps/nvidia-cap@{int} r,
+  /dev/nvidia-caps/nvidia-cap@{int} rw,
  /dev/nvidia-uvm rw,
  /dev/nvidia-uvm-tools r,

--- a/apparmor.d/profiles-m-r/ollama
+++ b/apparmor.d/profiles-m-r/ollama
@ -38,8 +38,15 @@ profile ollama @{exec_path} flags=(attach_disconnected) {
  owner @{tmp}/ollama@{int}/{,**} rw,
  owner @{tmp}/ollama@{int}/runners/{,**} mr,

+  @{sys}/devices/@{pci}/drm/card@{int}/ r,
+  @{sys}/devices/@{pci}/drm/card@{int}/*/ r,
+  @{sys}/devices/@{pci}/mem_info_vram_total r,
+  @{sys}/devices/@{pci}/mem_info_vram_used r,
  @{sys}/devices/@{pci}/numa_node r,
  @{sys}/devices/system/node/node@{int}/cpumap r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r,

        @{PROC}/devices r,
        @{PROC}/sys/net/core/somaxconn r,
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
@ -30,10 +30,13 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {

  @{run}/udev/data/+platform:* r,
  @{run}/udev/data/+power_supply:* r,
+  @{run}/udev/data/+drm:card@{int}-* r,   # For screen outputs
+  @{run}/udev/data/c226:@{int} r,         # For /dev/dri/card[0-9]*

  @{sys}/bus/ r,
  @{sys}/bus/platform/devices/ r,
  @{sys}/class/ r,
+  @{sys}/class/drm/ r,
  @{sys}/class/power_supply/ r,
  @{sys}/devices/**/power_supply/*/scope r,
  @{sys}/devices/**/uevent r,
--- a/apparmor.d/profiles-s-z/speech-dispatcher
+++ b/apparmor.d/profiles-s-z/speech-dispatcher
@ -20,16 +20,20 @@ profile speech-dispatcher @{exec_path} {
  @{exec_path} mr,

  @{sh_path} ix,
+  @{lib}/speech-dispatcher-modules/* ix,
  @{lib}/speech-dispatcher/** r,
  @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix,

  /etc/machine-id r,
  /etc/speech-dispatcher/{,**} r,

+  owner @{user_config_dirs}/speech-dispatcher/{,**} r,
+
  owner @{run}/user/@{uid}/speech-dispatcher/ rw,
  owner @{run}/user/@{uid}/speech-dispatcher/** rwk,

-  owner @{user_config_dirs}/speech-dispatcher/{,**} r,
+  owner /dev/shm/sem.@{rand6} rw,
+  owner /dev/shm/sem.speechd-modules-dummy-@{int} rwl -> /dev/shm/sem.@{rand6},

  include if exists <local/speech-dispatcher>
 }
--- a/apparmor.d/profiles-s-z/terminator
+++ b/apparmor.d/profiles-s-z/terminator
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/terminator
 profile terminator @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/audio-client>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
--- a/apparmor.d/profiles-s-z/update-shells
+++ b/apparmor.d/profiles-s-z/update-shells
@ -17,12 +17,14 @@ profile update-shells @{exec_path} {
  @{bin}/chmod         ix,
  @{bin}/chown         ix,
  @{bin}/dirname       ix,
-  @{bin}/dpkg-realpath ix,
+  @{bin}/dpkg-realpath rix,
  @{bin}/mv            ix,
  @{bin}/sync          ix,
+  @{bin}/readlink      ix,

  /usr/share/debianutils/shells r,
  /usr/share/debianutils/shells.d/{,**} r,
+  /usr/share/dpkg/sh/dpkg-error.sh r,

  /etc/shells r,
  /etc/shells.tmp w,
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@ -84,6 +84,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
  owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
  owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk,

+  @{run}/libvirt/libvirt-sock rw,
  @{run}/mount/utab r,
  @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511

--- a/apparmor.d/profiles-s-z/whoopsie
+++ b/apparmor.d/profiles-s-z/whoopsie
@ -25,6 +25,8 @@ profile whoopsie @{exec_path} {
  owner @{run}/lock/whoopsie/ rw,
  owner @{run}/lock/whoopsie/lock rwk,

+  @{sys}/devices/virtual/dmi/id/product_uuid r,
+
  include if exists <local/whoopsie>
 }