feat(profiles): general update.

2023-08-21 23:32:10 +01:00 · 2023-08-21 23:32:10 +01:00 · 360230b2a5
commit 360230b2a5
parent 6756ca8138
34 changed files with 156 additions and 36 deletions
--- a/apparmor.d/profiles-s-z/sbctl
+++ b/apparmor.d/profiles-s-z/sbctl
@ -32,6 +32,8 @@ profile sbctl @{exec_path} {

  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

+  /dev/pts/@{int} rw,
+
  # File Inherit
  deny network inet stream,
  deny network inet6 stream,
--- a/apparmor.d/profiles-s-z/sfdisk
+++ b/apparmor.d/profiles-s-z/sfdisk
@ -30,5 +30,7 @@ profile sfdisk @{exec_path} {
  # For disk images
  owner @{user_img_dirs}/{,**} rwk,

+  owner @{sys}/devices/pci[0-9]*/**/model r,
+
  include if exists <local/sfdisk>
 }
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{exec_path} = /{snap/snapd/@{int}/,}{usr/,}lib/snapd/snapd
+@{exec_path} = @{lib}/snapd/snapd /snap/snapd@{lib}/snapd/snapd
 profile snapd @{exec_path} {
  include <abstractions/base>
  include <abstractions/authentication>
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@ -33,6 +33,11 @@ profile spice-vdagent @{exec_path} {
       member=EventListenerDeregistered
       peer=(name=:*, label=at-spi2-registryd),

+  dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
+       interface=org.freedesktop.DBus.Properties
+       member=Set 
+       peer=(name=:*, label=at-spi2-registryd),
+
  dbus send    bus=accessibility path=/org/a11y/atspi/registry
       interface=org.a11y.atspi.Registry
       member=GetRegisteredEvents
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@ -45,7 +45,8 @@ profile su @{exec_path} {

  @{bin}/{,b,d,rb}ash  rUx,
  @{bin}/{c,k,tc,z}sh  rUx,
-  @{bin}/nologin   rPx,
+
+  @{bin}/nologin       rPx,

  @{etc_ro}/default/su r,
  @{etc_ro}/environment r,
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -51,12 +51,11 @@ profile sudo @{exec_path} {

  @{exec_path} mr,

-  @{lib}/sudo/** mr,
-
  @{bin}/{,b,d,rb}ash               rUx,
  @{bin}/{c,k,tc,z}sh               rUx,
-  @{lib}/cockpit/cockpit-askpass    rPx,
-  @{lib}/molly-guard/molly-guard    rPx,
+
+  @{lib}/**                        rPUx,
+  @{lib}/sudo/**                     mr,
  /snap/snapd/@{int}/usr/bin/snap   rPx,

  @{etc_ro}/environment r,
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@ -58,6 +58,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
  /usr/share/ladspa/rdf/{,ladspa.rdfs} r,
  /usr/share/misc/*.ids r,
  /usr/share/osinfo/{,**} r,
+  /usr/share/pci.ids r,
  /usr/share/virt-manager/{,**} r,
  /usr/share/virtio/{,*} r,
  /var/lib/usbutils/*.ids r,
--- a/apparmor.d/profiles-s-z/xclip
+++ b/apparmor.d/profiles-s-z/xclip
@ -16,8 +16,8 @@ profile xclip @{exec_path} {

  @{exec_path} mr,

-  # Mutt
  owner /tmp/mutt-* rw,
+  owner /tmp/xauth_@{rand6} r,

  owner @{HOME}/.Xauthority r,