feat(profiles): general update.

2023-08-17 18:43:56 +01:00 · 2023-08-17 18:43:56 +01:00 · 5d47dfba95
commit 5d47dfba95
parent f7b9ff959a
50 changed files with 174 additions and 50 deletions
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@ -12,6 +12,7 @@ profile spice-vdagent @{exec_path} {
  include <abstractions/audio>
  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dbus-session-strict>
+  include <abstractions/dri-common>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
  include <abstractions/gtk>
--- a/apparmor.d/profiles-s-z/start-pulseaudio-x11
+++ b/apparmor.d/profiles-s-z/start-pulseaudio-x11
@ -12,8 +12,11 @@ profile start-pulseaudio-x11 @{exec_path} {

  @{exec_path} mr,

-  @{bin}/{,ba,da}sh rix,
-  @{bin}/pactl      rPx,
+  @{bin}/{,ba,da}sh  rix,
+  @{bin}/head        rix,
+  @{bin}/pactl       rPx,
+  @{bin}/plasmashell rPx,
+  @{bin}/sed         rix,

  /dev/tty rw,

--- a/apparmor.d/profiles-s-z/sysctl
+++ b/apparmor.d/profiles-s-z/sysctl
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} = @{bin}/sysctl
 profile sysctl @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>

  capability net_admin,
  capability sys_admin,
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@ -95,6 +95,11 @@ profile thunderbird @{exec_path} {

  @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,

+  # GPG integration
+  @{bin}/gpg{,2}     rPx,
+  @{bin}/gpgconf     rPx,
+  @{bin}/gpgsm       rPx,
+
  # Desktop integration
  @{bin}/exo-open                                    rPx -> child-open,
  @{bin}/lsb_release                                 rPx -> lsb_release,
--- a/apparmor.d/profiles-s-z/wget
+++ b/apparmor.d/profiles-s-z/wget
@ -11,10 +11,10 @@ profile wget @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
-  include <abstractions/user-download-strict>
  include <abstractions/openssl>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
+  include <abstractions/user-download-strict>

  # For downloading files as root to user owned dirs
  capability dac_read_search,
@ -28,12 +28,13 @@ profile wget @{exec_path} {

  @{exec_path} mr,

+  /usr/share/publicsuffix/public_suffix_list.* r,
+
  /etc/wgetrc r,

+  owner @{HOME}/.rnd r,
  owner @{HOME}/.wget-hsts rwk,

-  /usr/share/publicsuffix/public_suffix_list.* r,
-
  # For apt
  owner /var/cache/google-android-build-tools-*-installer/build-tools_*-linux.zip w,
  owner /var/cache/google-android-platform-*-installer/platform-*.zip w,
--- a/apparmor.d/profiles-s-z/xauth
+++ b/apparmor.d/profiles-s-z/xauth
@ -32,6 +32,9 @@ profile xauth @{exec_path} {
  owner /tmp/serverauth.*   rwl -> /tmp/serverauth.*-n,

  owner /tmp/runtime-*/xauth_?????? r,
+  owner /tmp/xauth_?????? r,
+  owner /tmp/xauth_??????-c w,
+  owner /tmp/xauth_??????-l wl,

  owner @{run}/user/@{uid}/xauth_?????? rw,
  owner @{run}/user/@{uid}/xauth_??????-c w,