feat(abs): minor abstraction improvement.

2025-05-04 20:33:18 +02:00 · 2025-05-04 20:33:18 +02:00 · 37f70a0030
commit 37f70a0030
parent 74dcf2defc
7 changed files with 13 additions and 4 deletions
--- a/apparmor.d/abstractions/app-open
+++ b/apparmor.d/abstractions/app-open
@ -60,6 +60,8 @@
  # Backup
  @{lib}/deja-dup/deja-dup-monitor PUx,

+  @{bin}/gnome-session-quit     rPx,
+
  include if exists <abstractions/app-open.d>

 # vim:syntax=apparmor
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@ -98,6 +98,7 @@
  owner @{tmp}/@{name}/* rwk,
  owner @{tmp}/firefox/ rw,
  owner @{tmp}/firefox/* rwk,
+  owner @{tmp}/remote-settings-startup-bundle- w,
  owner @{tmp}/Temp-@{uuid}/ rw,
  owner @{tmp}/Temp-@{uuid}/* rwk,
  owner @{tmp}/tmp-*.xpi rw,
--- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
+++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
@ -5,6 +5,10 @@
  abi <abi/4.0>,

  #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label=geoclue
+  dbus send bus=system path=/org/freedesktop/GeoClue2/Agent
+       interface=org.freedesktop.DBus.Properties
+       member=PropertiesChanged
+       peer=(name=org.freedesktop.DBus, label=geoclue),

  dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent
       interface=org.freedesktop.DBus.Properties
--- a/apparmor.d/abstractions/common/app
+++ b/apparmor.d/abstractions/common/app
@ -34,8 +34,7 @@
  dbus bus=session,
  dbus bus=system,

-  /usr/cache/** r,
-  /usr/local/{,**} r,
+  /usr/** r,
  /usr/share/** rk,

  /etc/{,**} r,
--- a/apparmor.d/abstractions/gstreamer
+++ b/apparmor.d/abstractions/gstreamer
@ -32,7 +32,7 @@
  # If one is blocked the next is used instead.
  # The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec flag.
  owner @{run}/user/@{uid}/orcexec.@{rand6} mrw,
-  #owner /tmp/orcexec.* mrw,
+  owner @{tmp}/orcexec.@{rand6} mrw,
  #owner @{HOME}/orcexec.* mrw,

  @{run}/udev/data/+drm:card@{int}-* r,   # For screen outputs
--- a/apparmor.d/abstractions/webkit
+++ b/apparmor.d/abstractions/webkit
@ -8,7 +8,7 @@

  mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info,

-  @{bin}/xdg-dbus-proxy  rix,
+  @{bin}/xdg-dbus-proxy  rix, # TODO: stack me

  @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
  @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
@ -26,6 +26,8 @@
  owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw,
  owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw,

+  @{sys}/firmware/acpi/pm_profile r,
+
  include if exists <abstractions/webkit.d>

 # vim:syntax=apparmor
--- a/apparmor.d/abstractions/wine
+++ b/apparmor.d/abstractions/wine
@ -11,6 +11,7 @@

  owner @{tmp}/.wine-@{uid}/ rw,
  owner @{tmp}/.wine-@{uid}/** rwk,
+  owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m,

  owner /dev/shm/wine-@{hex6}-fsync rw,
  owner /dev/shm/wine-@{hex6}@{h}-fsync rw,