From 5bfebf6ea525945042a14d98d5358dd005d5ef76 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 26 Apr 2025 17:34:30 +0200
Subject: [PATCH] feat(profile): small general improvments.
---
 apparmor.d/groups/flatpak/flatpak | 6 +++++-
 apparmor.d/groups/freedesktop/xdg-desktop-portal-kde | 8 ++++++++
 apparmor.d/profiles-a-f/finalrd | 3 +--
 apparmor.d/profiles-s-z/spotify | 2 ++
 apparmor.d/profiles-s-z/syncthing | 4 ++++
 5 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak
index 42d9fd9c3..c958bd2cd 100644
--- a/apparmor.d/groups/flatpak/flatpak
+++ b/apparmor.d/groups/flatpak/flatpak
@@ -98,7 +98,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 owner @{tmp}/ostree-gpg-@{rand6}/{,**} rw,
 owner /dev/shm/flatpak*/{,**} rw,
- @{run}/.userns r,
+ @{run}/.userns r,
+ @{att}/@{run}/.userns r,
+ @{run}/user/@{uid}/.dbus-proxy/ w,
 @{run}/user/@{uid}/dconf/user rw,
 owner @{run}/user/@{uid}/.dbus-proxy/* rw,
@@ -146,6 +148,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 include
 include
+ capability setuid,
+ mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
 umount /var/tmp/flatpak-cache-*/*/,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
index 3b02d2b16..8c1c1686f 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
@@ -10,10 +10,12 @@ include
 @{exec_path} += @{lib}/@{multiarch}/{,libexec/}xdg-desktop-portal-kde
 profile xdg-desktop-portal-kde @{exec_path} {
 include
+ include
 include
 include
 include
 include
+ include
 network inet dgram,
 network inet6 dgram,
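Review bot: `capability setuid,` in the second flatpak hunk is added with no comment saying which operation needs it, and since the same block performs the `fuse.revokefs-fuse` mount this is the rule a later maintainer will most want justified. A one-line comment above it, such as `# TODO confirm: which helper needs to change uid (seen in the denial log)`, would record the reason; if only one helper needs it, a dedicated child profile would keep the capability off the mount path. The hunk header shows the profile is still flagged `complain`, so this grant is not yet enforced and a missing justification is easy to overlook. The enclosing profile block starts and ends outside the hunk, so its remaining rules are not visible here.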
@@ -27,8 +29,14 @@ profile xdg-desktop-portal-kde @{exec_path} {
 #aa:exec kioworker
+ /usr/share/plasma/look-and-feel/** r,
+
+ owner @{HOME}/ r,
+ owner @{desktop_config_dirs}/user-dirs.dirs r,
+ owner @{user_cache_dirs}/xdg-desktop-portal-kde/{,**} rw,
+ owner @{user_config_dirs}/autostart/org.kde.*.desktop r,
 owner @{user_config_dirs}/breezerc r,
 owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk,
diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd
index 7578b505d..bb68e873e 100644
--- a/apparmor.d/profiles-a-f/finalrd
+++ b/apparmor.d/profiles-a-f/finalrd
@@ -65,9 +65,8 @@ profile finalrd @{exec_path} {
 include
 include
- @{bin}/ldd mr,
+ @{bin}/* mr,
 @{lib}/@{multiarch}/ld-linux-*so* mrix,
- @{lib}/ld-linux.so* mr,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify
index a6d349b9c..1a0bd0ea9 100644
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@@ -36,6 +36,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) {
 /etc/spotify-adblock/* r,
 /var/lib/dbus/machine-id r,
+ owner @{HOME}/.tmp rw,
+ owner @{user_music_dirs}/{,**} r,
 owner @{user_config_dirs}/spotify-adblock/* r,
diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing
index d03ece9e4..6ff0fe7e9 100644
--- a/apparmor.d/profiles-s-z/syncthing
+++ b/apparmor.d/profiles-s-z/syncthing
@@ -36,10 +36,14 @@ profile syncthing @{exec_path} {
 @{user_sync_dirs}/{,**} rw,
 @{PROC}/@{pids}/net/route r,
+ @{PROC}/bus/pci/devices r,
+ @{PROC}/modules r,
 @{PROC}/sys/kernel/osrelease r,
 @{PROC}/sys/net/core/somaxconn r,
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/statm r,
 include if exists
 }
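Review bot: `owner @{HOME}/ r,` grants the portal a listing of the user's home directory with no comment on which portal (presumably the file chooser) needs it, and `owner @{user_config_dirs}/autostart/org.kde.*.desktop r,` is read-only, so if the Background portal's autostart handling is expected to create those entries the denial will come back as a write. A short comment over the two rules, e.g. `# FileChooser: list @{HOME}; Background portal: autostart entries — confirm`, would make the intent reviewable later. The profile body continues outside the hunk.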
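Review bot: `@{bin}/* mr,` in the finalrd hunk replaces the single `@{bin}/ldd mr,` with map permission on every binary under @{bin}, and because the hunk keeps `@{lib}/@{multiarch}/ld-linux-*so* mrix,`, the profile can now run the dynamic loader on any of those binaries inside its own confinement, which is close to an unrestricted inline execute. If finalrd only copies these files into the ramdisk, `r` alone may be enough and `m` should be dropped; if it really maps them through the loader (the ldd path), a comment such as `# finalrd resolves the dependencies of every binary it copies via the loader` should say so, so the breadth reads as deliberate. Dropping `@{lib}/ld-linux.so*` matches the multiarch rule kept above, assuming the non-multiarch loader path is no longer touched on the architectures the project supports — worth confirming before merge.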
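Review bot: `owner @{HOME}/.tmp rw,` in the spotify hunk has no trailing slash, so it matches only a regular file named `.tmp` directly in the home directory; if Spotify creates a `.tmp/` directory there the denial will persist and the rule would become `.tmp/{,**}`. Either way a generically named dotfile written straight into @{HOME} deserves a comment naming what produces it, e.g. `# scratch file written by Spotify — TODO confirm what creates it`, so the rule is not widened further later on. The profile body continues outside the hunk.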
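Review bot: `@{PROC}/bus/pci/devices r,` and `@{PROC}/modules r,` in the syncthing hunk are unowned reads of system-wide kernel state (the PCI inventory and the loaded-module list) that a file-sync daemon does not obviously need, and nothing in the hunk says which code path asks for them. A comment naming the consumer, e.g. `# TODO confirm: read by a hardware-/host-info dependency`, would let a later review decide whether the rule can be dropped, since these files disclose host details to a compromised process. The `owner @{PROC}/@{pid}/stat r,` and `statm` additions are self-describing and fine as written.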