feat(profile): general update.

see #422
2024-07-20 13:13:27 +01:00 · 2024-07-20 13:13:27 +01:00 · 52a2ae8c23
commit 52a2ae8c23
parent 245898a9d2
19 changed files with 48 additions and 28 deletions
--- a/apparmor.d/groups/browsers/firefox-crashreporter
+++ b/apparmor.d/groups/browsers/firefox-crashreporter
@ -54,6 +54,8 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {

  owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r,

+  owner @{PROC}/@{pid}/cmdline r,
+
  /dev/dri/card@{int} rw,
  /dev/dri/renderD128 rw,

--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
@ -54,6 +54,8 @@ profile dbus-session flags=(attach_disconnected) {
  owner @{HOME}/.var/app/*/**/.ref rw,
  owner @{HOME}/.var/app/*/**/logs/* rw,

+  owner @{user_share_dirs}/dbus-1/services/{,**} r,
+
        @{run}/systemd/users/@{uid} r,
  owner @{run}/user/@{uid}/dbus-1/ rw,
  owner @{run}/user/@{uid}/dbus-1/services/ rw,
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@ -42,6 +42,7 @@ profile plymouthd @{exec_path} {
  /etc/vconsole.conf r,

  /var/lib/plymouth/{,**} rw,
+  /var/log/plymouth-*.log w,

  @{run}/plymouth/{,**} rw,

--- a/apparmor.d/groups/gnome/gnome-extension-gsconnect
+++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect
@ -17,9 +17,7 @@ profile gnome-extension-gsconnect @{exec_path} {
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/dconf-write>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
+  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
@ -32,10 +30,10 @@ profile gnome-extension-gsconnect @{exec_path} {

  @{exec_path} mr,

+  @{sh_path}          rix,
  @{bin}/env          rix,
  @{bin}/gjs-console  rix,
  @{bin}/openssl      rix,
-  @{sh_path}          rix,
  @{bin}/ssh-add      rix,

  @{bin}/ssh-keygen rPx,
@ -49,18 +47,12 @@ profile gnome-extension-gsconnect @{exec_path} {
  @{share_dirs}/{,**} r,
  @{share_dirs}/gsconnect-preferences rix,

-  /etc/machine-id r,
-
  owner @{user_cache_dirs}/gsconnect/{,**} rw,

-  owner @{user_config_dirs}/ r,
-
  owner @{user_config_dirs}/gsconnect/{,**} rw,
  owner @{user_config_dirs}/mimeapps.list w,
  owner @{user_config_dirs}/mimeapps.list.@{rand6} rw,

-  owner @{user_share_dirs}/ r,
-
  owner @{run}/user/@{uid}/gsconnect/ w,

  @{sys}/devices/virtual/dmi/id/chassis_type r,
--- a/apparmor.d/groups/gnome/gnome-keyring-daemon
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon
@ -38,6 +38,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {

  @{bin}/ssh-add   rix,
  @{bin}/ssh-agent rPx,
+  @{lib}/gcr-ssh-askpass rPUx,

  /etc/gcrypt/hwf.deny r,

--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@ -78,6 +78,7 @@ profile gnome-software @{exec_path} {
  owner @{user_cache_dirs}/flatpak/{,**} rwl,
  owner @{user_cache_dirs}/gnome-software/{,**} rw,

+  owner @{user_config_dirs}/flatpak/{,**} r,
  owner @{user_config_dirs}/pulse/*.conf r,

  owner @{user_share_dirs}/ r,
--- a/apparmor.d/groups/gnome/gnome-tweaks
+++ b/apparmor.d/groups/gnome/gnome-tweaks
@ -12,6 +12,7 @@ profile gnome-tweaks @{exec_path} {
  include <abstractions/audio-client>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
+  include <abstractions/graphics>
  include <abstractions/python>
  include <abstractions/thumbnails-cache-read>

@ -38,6 +39,9 @@ profile gnome-tweaks @{exec_path} {
  owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r,
  owner @{user_share_dirs}/recently-used.xbel* rw,

+  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
+  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
+
  owner @{PROC}/@{pid}/fd/ r,

  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@ -65,6 +65,8 @@ profile gpg @{exec_path} {

  owner /tmp/@{int}@{int} rw,

+  owner @{run}/user/@{uid}/gnupg/d.*/ rw,
+
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/task/@{tid}/stat rw,
--- a/apparmor.d/groups/ssh/ssh
+++ b/apparmor.d/groups/ssh/ssh
@ -27,12 +27,11 @@ profile ssh @{exec_path} {
  @{bin}/{c,k,tc,z}sh  rix,

  @{etc_ro}/ssh/ssh_config r,
+  @{etc_ro}/ssh/ssh_config.d/{,*} r,
  @{etc_ro}/ssh/sshd_config r,
  @{etc_ro}/ssh/sshd_config.d/{,*} r,
  /etc/machine-id r,
-  /etc/ssh/ssh_config r,
-  /etc/ssh/ssh_config.d/{,*} r,
-  
+
  owner @{HOME}/@{XDG_SSH_DIR}/ r,
  owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r,
  owner @{HOME}/@{XDG_SSH_DIR}/config r,