feat(profiles): second general update. See #101

2023-01-15 17:38:28 +00:00 · 2023-01-15 17:38:28 +00:00 · 55edf06936
commit 55edf06936
parent c59a40ec4e
6 changed files with 7 additions and 4 deletions
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@ -82,7 +82,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
  /usr/share/terminfo/x/xterm-256color r,

  # Can copy any program to the initframs
-  /{usr/,}bin/ r,
+  /{usr/,}{local/,}{s,}bin/ r,
  /{usr/,}bin/[a-z0-9]* mr,
  /{usr/,}lib/ r,
  /{usr/,}lib/plymouth/plymouthd-* mr,
--- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
+++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
@ -20,6 +20,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/bash       rix,
  /{usr/,}bin/cmp        rix,
  /{usr/,}bin/compgen    rix,
+  /{usr/,}bin/env        rix,
  /{usr/,}bin/install    rix,
  /{usr/,}bin/mkinitcpio rPx,
  /{usr/,}bin/mv         rix,
@ -36,7 +37,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
  /boot/initramfs-*.img rw,
  /boot/initramfs-*-fallback.img rw,

-  # /dev/tty rw,
+  /dev/tty rw,

  # # Inherit Silencer
  deny network inet6 stream,
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -53,6 +53,7 @@ profile systemd-journald @{exec_path} {
  @{run}/udev/data/c23[0-9]:[0-9]* r,
  @{run}/udev/data/c24[0-9]:[0-9]* r,
  @{run}/udev/data/c4:[0-9]* r,
+  @{run}/udev/data/c51[0-9]:[0-9]* r,

  @{sys}/devices/**/uevent r,
  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,