feat(profile): improve integration with ubuntu.

2025-08-10 19:00:42 +02:00 · 2025-08-10 19:00:42 +02:00 · 67c9e86d83
commit 67c9e86d83
parent 526a7e704c
20 changed files with 48 additions and 22 deletions
--- a/apparmor.d/groups/apt/dpkg-script-apparmor
+++ b/apparmor.d/groups/apt/dpkg-script-apparmor
@ -11,6 +11,8 @@ profile dpkg-script-apparmor @{exec_path} {
  include <abstractions/base>
  include <abstractions/common/debconf>

+  capability dac_read_search,
+
  @{exec_path} mrix,

  @{bin}/{,e}grep   ix,
@ -43,11 +45,16 @@ profile dpkg-script-apparmor @{exec_path} {

    capability net_admin,
    capability sys_resource,
+    capability dac_override,
+    capability dac_read_search,

    signal send set=(cont term) peer=systemd-tty-ask-password-agent,

    @{bin}/systemd-tty-ask-password-agent rix,

+    @{run}/user/@{uid}/systemd/ask-password/ rw,
+    @{run}/user/@{uid}/systemd/ask-password-block/{,*} rw,
+
    owner @{run}/systemd/ask-password/ rw,
    owner @{run}/systemd/ask-password-block/{,*} rw,

--- a/apparmor.d/groups/cups/cups-browsed
+++ b/apparmor.d/groups/cups/cups-browsed
@ -16,9 +16,9 @@ profile cups-browsed @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>

-  capability net_admin,
+#   capability net_admin,
  capability net_bind_service,
-  capability sys_nice,
+#   capability sys_nice,

  network inet dgram,
  network inet6 dgram,
@ -43,6 +43,8 @@ profile cups-browsed @{exec_path} {

  @{exec_path} mr,

+  @{bin}/ippfind rPx,
+
  /usr/share/cups/locale/{,**} r,

  /etc/cups/{,**} r,
--- a/apparmor.d/groups/cups/cupsd
+++ b/apparmor.d/groups/cups/cupsd
@ -29,7 +29,9 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
  capability setuid,
  capability wake_alarm,

+  network inet dgram,
  network inet stream,
+  network inet6 dgram,
  network inet6 stream,

  network appletalk dgram,
@ -99,6 +101,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {

  @{run}/cups/{,**} rw,
  @{run}/systemd/notify w,
+  @{run}/avahi-daemon/socket rw,

  @{sys}/module/apparmor/parameters/enabled r,

--- a/apparmor.d/groups/gnome/gdm-generate-config
+++ b/apparmor.d/groups/gnome/gdm-generate-config
@ -25,8 +25,8 @@ profile gdm-generate-config @{exec_path} {
  @{sh_path}         rix,
  @{bin}/dconf       rix,
  @{bin}/install     rix,
-  @{bin}/pgrep       rCx -> pgrep,
-  @{bin}/pkill       rCx -> pgrep,
+  @{bin}/pgrep       rCx -> &pgrep,
+  @{bin}/pkill       rCx -> &pgrep,
  @{bin}/setpriv     rix,
  @{bin}/setsid      rix,

--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -38,6 +38,8 @@ profile gnome-terminal-server @{exec_path} {

  @{exec_path} mr,

+  @{lib}/gnome-terminal-preferences ix,
+
  # The shell is not confined on purpose.
  @{bin}/@{shells}            Ux,

--- a/apparmor.d/groups/gnome/papers
+++ b/apparmor.d/groups/gnome/papers
@ -26,6 +26,7 @@ profile papers @{exec_path} {
  owner @{user_share_dirs}/gvfs-metadata/{,*} r,

  owner @{tmp}/.goutputstream-@{rand6} rw,
+  owner @{tmp}/papers-@{int}/{,**} rw,
  owner @{tmp}/gtkprint_@{rand6} rw,
  owner @{tmp}/gtkprint@{rand6} rw,

--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@ -35,6 +35,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
  @{bin}/* r,
  @{sbin}/* r,
  /opt/** r,
+  /usr/share/*/** r,
  @{user_lib_dirs}/** r,

  /etc/systemd/coredump.conf r,
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -136,11 +136,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
        @{PROC}/sysvipc/{shm,sem,msg} r,
  owner @{PROC}/@{pid}/fdinfo/@{int} r,

-        /dev/dri/card@{int} rw,
-        /dev/input/event@{int} rw,  # Input devices (keyboard, mouse, etc)
-        /dev/mqueue/ r,
-        /dev/tty@{int} rw,
-  owner /dev/shm/{,**/} rw,
+  /dev/dri/card@{int} rw,
+  /dev/input/event@{int} rw,  # Input devices (keyboard, mouse, etc)
+  /dev/mqueue/ r,
+  /dev/tty@{int} rw,
+  /dev/shm/{,**/} rw,

  include if exists <local/systemd-logind>
 }
--- a/apparmor.d/groups/systemd/systemd-sleep-hdparm
+++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm
@ -11,6 +11,7 @@ profile systemd-sleep-hdparm @{exec_path} {
  include <abstractions/base>

  @{exec_path} mr,
+  @{sh_path} r,

  include if exists <local/systemd-sleep-hdparm>
 }
--- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders
+++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders
@ -18,8 +18,10 @@ profile gdk-pixbuf-query-loaders @{exec_path} {

  @{exec_path} mr,

-  @{lib}/gdk-pixbuf-[0-9].@{int}/{,*}/loaders.cache.* rw,
-  @{lib}/gdk-pixbuf-[0-9].@{int}/*/loaders.cache rw,
+  @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/ w,
+  @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/loaders.cache w,
+  @{lib}/gdk-pixbuf-@{version}/{,*}/loaders.cache.* rw,
+  @{lib}/gdk-pixbuf-@{version}/@{version}/loaders.cache rw,

  /usr/share/gvfs/remote-volume-monitors/{,**} r,

--- a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer
+++ b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer
@ -10,6 +10,8 @@ include <tunables/global>
 profile gdk-pixbuf-thumbnailer @{exec_path} {
  include <abstractions/base>

+  @{exec_path} mr,
+
  include if exists <local/gdk-pixbuf-thumbnailer>
 }

--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@ -115,6 +115,8 @@ profile git @{exec_path} flags=(attach_disconnected) {

    owner @{tmp}/.git_vtag_tmp@{rand6} r,

+    owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw,
+
    deny @{user_share_dirs}/gvfs-metadata/* r,

    include if exists <local/git_gpg>
@ -138,13 +140,14 @@ profile git @{exec_path} flags=(attach_disconnected) {
    @{etc_ro}/ssh/ssh_config.d/{,*} r,
    @{etc_ro}/ssh/ssh_config r,

-    owner @{HOME}/@{XDG_SSH_DIR}/* r,
+    owner @{HOME}/@{XDG_SSH_DIR}/{,*} r,
    owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl,
    owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw,
    owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_* rwl,

    owner @{tmp}/git@*:@{int} rwl -> @{tmp}/git@*:@{int}.*,
    owner @{tmp}/ssh-*/agent.@{int} rw,
+    owner @{run}/user/@{uid}/keyring/ssh rw,

    owner @{PROC}/@{pid}/fd/ r,

--- a/apparmor.d/profiles-g-l/gitstatusd
+++ b/apparmor.d/profiles-g-l/gitstatusd
@ -6,12 +6,14 @@ abi <abi/4.0>,

 include <tunables/global>

-@{exec_path} = /usr/share/zsh-theme-powerlevel@{int}k/gitstatus/usrbin/gitstatusd{,-*}
+@{exec_path}  = @{user_cache_dirs}/gitstatus/gitstatusd{,-*}
+@{exec_path} += /usr/share/zsh-theme-powerlevel{9,10}k/gitstatus/usrbin/gitstatusd{,-*}
 profile gitstatusd @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>

  signal receive set=term peer=*//shell,
+  signal receive set=term peer=vscode,

  @{exec_path} mr,

--- a/apparmor.d/profiles-g-l/host
+++ b/apparmor.d/profiles-g-l/host
@ -22,10 +22,11 @@ profile host @{exec_path} {

  @{exec_path} mr,

-  owner @{PROC}/@{pids}/task/@{tid}/comm rw,
-
  @{sys}/kernel/mm/transparent_hugepage/enabled r,

+        @{PROC}/version_signature r,
+  owner @{PROC}/@{pids}/task/@{tid}/comm rw,
+
  include if exists <local/host>
 }

--- a/apparmor.d/profiles-g-l/language-validate
+++ b/apparmor.d/profiles-g-l/language-validate
@ -18,7 +18,6 @@ profile language-validate @{exec_path} flags=(attach_disconnected) {
  @{bin}/{,e}grep    rix,
  @{bin}/locale      rix,

-  /usr/share/locale-langpack/{,*} r,
  /usr/share/language-tools/{,*} r,

  include if exists <local/language-validate>
--- a/apparmor.d/profiles-m-r/on-ac-power
+++ b/apparmor.d/profiles-m-r/on-ac-power
@ -18,6 +18,7 @@ profile on-ac-power @{exec_path} {
  @{bin}/cat        rix,

  @{sys}/class/power_supply/ r,
+  @{sys}/class/typec/ r,
  @{sys}/devices/**/power_supply/**/{online,type} r,

  @{PROC}/pmu/info r,
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@ -146,6 +146,7 @@ profile pass @{exec_path} {
    owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**,
    owner /dev/shm/pass.@{rand}/* rw,
    owner @{tmp}/.git_vtag_tmp@{rand6} rw,  # For git log --show-signature
+    owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw,

    owner /dev/pts/@{int} rw,

--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@ -8,7 +8,7 @@ abi <abi/4.0>,
 include <tunables/global>

@{name} = spotify
-@{lib_dirs} = /opt/spotify/
+@{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/
@{config_dirs} = @{user_config_dirs}/@{name}
@{cache_dirs} = @{user_cache_dirs}/@{name}

--- a/apparmor.d/profiles-s-z/sysstat-sadc
+++ b/apparmor.d/profiles-s-z/sysstat-sadc
@ -24,10 +24,9 @@ profile sysstat-sadc @{exec_path} {
  @{sys}/class/fc_host/ r,
  @{sys}/class/hwmon/ r,
  @{sys}/class/i2c-adapter/ r,
-  @{sys}/devices/@{pci}/hwmon/hwmon@{int}/ r,
-  @{sys}/devices/@{pci}/hwmon/hwmon@{int}/name r,
  @{sys}/devices/@{pci}/net/*/duplex r,
-  @{sys}/devices/**/i2c-*/name r,
+  @{sys}/devices/**/hwmon@{int}/ r,
+  @{sys}/devices/**/name r,
  @{sys}/devices/**/net/*/duplex r,
  @{sys}/devices/**/net/*/speed r,
  @{sys}/devices/virtual/net/*/duplex r,
--- a/apparmor.d/profiles-s-z/thermald
+++ b/apparmor.d/profiles-s-z/thermald
@ -24,8 +24,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
  /etc/thermald/{,*} r,

  owner @{run}/thermald/ rw,
-  owner @{run}/thermald/thd_preference.conf rw,
-  owner @{run}/thermald/thd_preference.conf.save w,
+  owner @{run}/thermald/** rw,
  owner @{run}/thermald/thermald.pid rwk,

  @{sys}/class/hwmon/ r,