Merge branch 'tunables' of https://github.com/nobody43/apparmor.d into nobody43-tunables

* 'tunables' of https://github.com/nobody43/apparmor.d: dbus temp tails Update apparmor.d Update gdm-runtime-config more unrelated changes adjust date-time random tails rename to int, convert more profiles fixes tunables
2023-08-17 20:01:53 +01:00 · 2023-08-17 20:01:53 +01:00 · 557d905543
commit 557d905543
parent 7b018a60bd
198 changed files with 560 additions and 507 deletions
--- a/apparmor.d/groups/freedesktop/accounts-daemon
+++ b/apparmor.d/groups/freedesktop/accounts-daemon
@ -49,17 +49,19 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
  @{bin}/passwd      rPx,
  @{bin}/userdel     rPx,
  @{bin}/usermod     rPx,
+  @{bin}/locale     rPUx,

  /usr/share/language-tools/language-validate   rPx,
  /usr/share/language-tools/set-language-helper rPUx,
+  /usr/share/language-tools/save-to-pam-env rPUx,

  /usr/share/accountsservice/{,**} r,
  /usr/share/dbus-1/interfaces/*.xml r,

  /etc/default/locale r,
  /etc/gdm{3,}/ r,
-  /etc/gdm{3,}/custom.conf{,.??????} rw,
-  /etc/gdm{3,}/daemon.conf{,.??????} rw,
+  /etc/gdm{3,}/custom.conf{,.@{rand6}} rw,
+  /etc/gdm{3,}/daemon.conf{,.@{rand6}} rw,
  /etc/machine-id r,
  /etc/shadow r,
  /etc/shells r,
@ -68,7 +70,8 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
  owner /var/lib/AccountsService/ r,
  owner /var/lib/AccountsService/** rw,

-  @{HOME}/ r,
+        @{HOME}/ r,
+  owner @{HOME}/.pam_environment r,

  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/loginuid rw,
@ -81,7 +84,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
  # wtmp.d ?
  /var/log/wtmp r,

-  owner /tmp/gnome-control-center-user-icon-?????? rw,
+  owner /tmp/gnome-control-center-user-icon-@{rand6} rw,

  include if exists <local/accounts-daemon>
 }
--- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
@ -39,10 +39,10 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/.Xauthority r,
  owner @{HOME}/.xsession-errors w,

-  owner /tmp/runtime-*/xauth_?????? r,
+  owner /tmp/runtime-*/xauth_@{rand6} r,

  owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner @{run}/user/@{uid}/xauth_?????? r,
+  owner @{run}/user/@{uid}/xauth_@{rand6} r,

  /var/lib/lightdm/.Xauthority r,
  /var/lib/gdm{3,}/.config/dconf/user r,
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd
+++ b/apparmor.d/groups/freedesktop/at-spi2-registryd
@ -89,11 +89,11 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/.Xauthority r,
  owner @{HOME}/.xsession-errors w,

-  owner /tmp/runtime-*/xauth_?????? r,
-  owner /tmp/xauth_?????? r,
+  owner /tmp/runtime-*/xauth_@{rand6} r,
+  owner /tmp/xauth_@{rand6} r,

  owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner @{run}/user/@{uid}/xauth_?????? r,
+  owner @{run}/user/@{uid}/xauth_@{rand6} r,

  owner /dev/tty[0-9]* rw,

--- a/apparmor.d/groups/freedesktop/dconf
+++ b/apparmor.d/groups/freedesktop/dconf
@ -17,11 +17,12 @@ profile dconf @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,

  /etc/dconf/db/** rw,
+  /etc/gdm{3,}/greeter.dconf-defaults r,

  /usr/share/gdm/dconf/{,**} r,

  /var/lib/gdm{3,}/ r,
-  /var/lib/gdm{3,}/greeter-dconf-defaults{,.??????} rw,
+  /var/lib/gdm{3,}/greeter-dconf-defaults{,.@{rand6}} rw,

  owner @{user_config_dirs}/dconf/ rw,
  owner @{user_config_dirs}/dconf/user{,.*} rw,
--- a/apparmor.d/groups/freedesktop/dconf-editor
+++ b/apparmor.d/groups/freedesktop/dconf-editor
@ -24,7 +24,7 @@ profile dconf-editor @{exec_path} {
  owner @{user_config_dirs}/glib-2.0/ rw,
  owner @{user_config_dirs}/glib-2.0/settings/ rw,
  owner @{user_config_dirs}/glib-2.0/settings/keyfile rw,
-  owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-* rw,
+  owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-@{rand6} rw,

  owner @{HOME}/.Xauthority r,
  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
@ -48,8 +48,8 @@ profile polkit-kde-authentication-agent @{exec_path} {
  owner @{user_config_dirs}/kwinrc r,
  owner @{user_config_dirs}/qt5ct/{,**} r,

-  owner /tmp/#[0-9]*[0-9] rw,
-  owner /tmp/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#[0-9]*[0-9],
+  owner /tmp/#@{int} rw,
+  owner /tmp/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int},

  @{run}/systemd/users/@{uid} r,

@ -58,7 +58,7 @@ profile polkit-kde-authentication-agent @{exec_path} {
  @{PROC}/@{pid}/fd/ r,
  @{PROC}/sys/kernel/core_pattern r,

-  /dev/shm/#[0-9]*[0-9] rw,
+  /dev/shm/#@{int} rw,

  include if exists <local/polkit-kde-authentication-agent>
 }
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@ -159,7 +159,7 @@ profile pulseaudio @{exec_path} {
  owner /var/lib/lightdm/.config/pulse/cookie   k,

  /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
-  /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
+  /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,

  owner @{user_config_dirs}/ w,
  owner @{user_config_dirs}/pulse/{,**} rw,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -164,12 +164,12 @@ profile xdg-desktop-portal-gtk @{exec_path} {
  owner @{HOME}/.icons/{,**} r,
  owner @{HOME}/@{XDG_DATA_DIR}/ r,

-  owner /tmp/runtime-*/xauth_?????? r,
-  owner /tmp/xauth_?????? r,
+  owner /tmp/runtime-*/xauth_@{rand6} r,
+  owner /tmp/xauth_@{rand6} r,

        @{run}/mount/utab r,
-        @{run}/user/@{uid}/xauth_* rl,
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+        @{run}/user/@{uid}/xauth_@{rand6} rl,
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,

  owner @{PROC}/@{pid}/mountinfo r,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
@ -45,9 +45,9 @@ profile xdg-desktop-portal-kde @{exec_path} {
  owner @{user_config_dirs}/kwinrc r,
  owner @{user_config_dirs}/xdg-desktop-portal-kderc r,

-  owner /tmp/xauth_?????? r,
+  owner /tmp/xauth_@{rand6} r,

-  @{run}/user/@{uid}/xauth_* rl,
+  @{run}/user/@{uid}/xauth_@{rand6} rl,

  @{PROC}/sys/kernel/core_pattern r,

--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@ -50,7 +50,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {

  owner @{user_share_dirs}/flatpak/ w,
  owner @{user_share_dirs}/flatpak/db/ rw,
-  owner @{user_share_dirs}/flatpak/db/.goutputstream-* rw,
+  owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
  owner @{user_share_dirs}/flatpak/db/background rw,
  owner @{user_share_dirs}/flatpak/db/notifications rw,

--- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update
+++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update
@ -50,7 +50,7 @@ profile xdg-user-dirs-update @{exec_path} {
  owner @{HOME}/@{XDG_VIDEOS_DIR}/ w,

  owner @{user_config_dirs}/user-dirs.dirs rw,
-  owner @{user_config_dirs}/user-dirs.dirs?????? rw,
+  owner @{user_config_dirs}/user-dirs.dirs@{rand6} rw,
  owner @{user_config_dirs}/user-dirs.locale rw,

  include if exists <local/xdg-user-dirs-update>
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@ -141,7 +141,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {

  /dev/fb[0-9] rw,
  /dev/input/event[0-9]* rw,
-  /dev/shm/#[0-9]*[0-9] rw,
+  /dev/shm/#@{int} rw,
  /dev/shm/shmfd-* rw,
  /dev/tty rw,
  /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/freedesktop/xprop
+++ b/apparmor.d/groups/freedesktop/xprop
@ -19,10 +19,10 @@ profile xprop @{exec_path} {
  owner @{HOME}/.Xauthority r,
  owner @{HOME}/.icons/default/index.theme r,
  
-  owner /tmp/runtime-*/xauth_?????? r,
-  owner /tmp/xauth_?????? r,
+  owner /tmp/runtime-*/xauth_@{rand6} r,
+  owner /tmp/xauth_@{rand6} r,

-  owner @{run}/user/@{uid}/xauth_* rl,
+  owner @{run}/user/@{uid}/xauth_@{rand6} rl,

  # file_inherit
  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/freedesktop/xrdb
+++ b/apparmor.d/groups/freedesktop/xrdb
@ -35,8 +35,8 @@ profile xrdb @{exec_path} {

  owner /tmp/kcminit.* r,
  owner /tmp/plasma-apply-lookandfeel.* r,
-  owner /tmp/runtime-*/xauth_?????? r,
-  owner /tmp/startplasma-x11.?????? r,
+  owner /tmp/runtime-*/xauth_@{rand6} r,
+  owner /tmp/startplasma-x11.@{rand6} r,
  owner /tmp/xauth-[0-9]*-_[0-9] r,

  @{run}/sddm/\{@{uuid}\} r,
--- a/apparmor.d/groups/freedesktop/xsetroot
+++ b/apparmor.d/groups/freedesktop/xsetroot
@ -24,8 +24,8 @@ profile xsetroot @{exec_path} {
  owner @{user_share_dirs}/sddm/xorg-session.log w,

  @{run}/sddm/\{@{uuid}\} r,
-  @{run}/sddm/xauth_?????? r,
-  @{run}/user/@{uid}/xauth_* rl,
+  @{run}/user/@{uid}/xauth_@{rand6} rl,
+  @{run}/sddm/xauth_@{rand6} r,

  include if exists <local/xsetroot>
 }
--- a/apparmor.d/groups/freedesktop/xwayland
+++ b/apparmor.d/groups/freedesktop/xwayland
@ -37,8 +37,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
  owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,

  owner /tmp/server-[0-9]*.xkm rwk,
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
-  owner @{run}/user/@{uid}/xwayland-shared-?????? rw,
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
+  owner @{run}/user/@{uid}/xwayland-shared-@{rand6} rw,

  @{sys}/bus/pci/devices/ r,