feat(profile): general update.

2024-05-03 18:16:12 +01:00 · 2024-05-03 18:16:12 +01:00 · 40abc98201
commit 40abc98201
parent b636b4b3e9
17 changed files with 31 additions and 48 deletions
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@ -31,19 +31,7 @@ profile snap @{exec_path} {
  #aa:dbus own bus=session name=io.snapcraft.Launcher
  #aa:dbus own bus=session name=io.snapcraft.Settings

-  dbus send bus=session path=/org/freedesktop/systemd1
-       interface=org.freedesktop.systemd1.Manager
-       member=StartTransientUnit
-       peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),
-
-  dbus receive bus=system path=/org/freedesktop/systemd1
-       interface=org.freedesktop.systemd1.Manager
-       member=JobRemoved
-       peer=(name=:*, label="@{p_systemd}"),
-  dbus receive bus=session path=/org/freedesktop/systemd1
-       interface=org.freedesktop.systemd1.Manager
-       member=JobRemoved
-       peer=(name=:*, label="@{p_systemd_user}"),
+  #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"

  dbus send bus=session path=/org/freedesktop/portal/documents
       interface=org.freedesktop.portal.Documents
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@ -19,12 +19,10 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.RealtimeKit1>
  include <abstractions/bus/org.gnome.Mutter.DisplayConfig>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
-  include <abstractions/dri>
+  include <abstractions/graphics>
  include <abstractions/fontconfig-cache-write>
-  include <abstractions/fonts>
-  include <abstractions/gtk>
+  include <abstractions/desktop>
  include <abstractions/nameservice-strict>
-  include <abstractions/X-strict>

  dbus send bus=session path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.portal.Realtime
--- a/apparmor.d/profiles-s-z/ssurl
+++ b/apparmor.d/profiles-s-z/ssurl
@ -13,8 +13,8 @@ profile ssurl @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>

-       capability dac_read_search,
-  deny capability dac_override,
+  capability dac_read_search,
+  capability dac_override,

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/vsftpd
+++ b/apparmor.d/profiles-s-z/vsftpd
@ -10,13 +10,10 @@ include <tunables/global>
@{exec_path} = @{bin}/vsftpd
 profile vsftpd @{exec_path} {
  include <abstractions/base>
-  include <abstractions/nameservice>
-
-  # Only for local users authentication
  include <abstractions/authentication>
-
-  # For libwrap (TCP Wrapper) support (tcp_wrappers=YES)
  include <abstractions/hosts_access>
+  include <abstractions/nameservice>
+  include <abstractions/wutmp>

  # To be able to listen on ports < 1024
  capability net_bind_service,
@ -43,7 +40,8 @@ profile vsftpd @{exec_path} {
  capability net_admin,
  capability dac_read_search,
  # If session_support=YES, vsftpd will also try and update utmp and wtmp
-  include <abstractions/wutmp>
+
+  @{exec_path} mr,

  # To validate allowed users shells
  /etc/shells r,