feat(profile): general update.

2024-03-10 21:21:00 +00:00 · 2024-03-10 21:21:00 +00:00 · 68fbd81e17
commit 68fbd81e17
parent ad8e5a9797
18 changed files with 94 additions and 38 deletions
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@ -46,7 +46,6 @@ profile git @{exec_path} {
  @{bin}/{,e}grep    rix,
  @{bin}/basename    rix,
  @{bin}/cat         rix,
-  @{bin}/cat         rix,
  @{bin}/date        rix,
  @{bin}/dirname     rix,
  @{bin}/envsubst    rix,
@ -57,6 +56,7 @@ profile git @{exec_path} {
  @{bin}/mv          rix,
  @{bin}/rm          rix,
  @{bin}/sed         rix,
+  @{bin}/tar         rix,
  @{bin}/uname       rix,
  @{bin}/wc          rix,
  @{bin}/whoami      rix,
--- a/apparmor.d/profiles-g-l/gpartedbin
+++ b/apparmor.d/profiles-g-l/gpartedbin
@ -20,14 +20,14 @@ profile gpartedbin @{exec_path} {
  include <abstractions/gtk>

  capability dac_read_search,
+  capability ipc_lock,
  capability sys_admin,
  capability sys_rawio,

-  # Needed?
-  # deny capability sys_nice,
-
  ptrace (read),

+  signal (send) peer=mke2fs,
+
  @{exec_path} mr,

  @{sh_path}         rix,
--- a/apparmor.d/profiles-g-l/i3lock-fancy
+++ b/apparmor.d/profiles-g-l/i3lock-fancy
@ -11,19 +11,21 @@ include <tunables/global>
 profile i3lock-fancy @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
-  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
+  include <abstractions/fonts>
+  include <abstractions/X-strict>

  @{exec_path} r,
-  @{sh_path}        rix,

-  @{bin}/rm         rix,
-  @{bin}/fc-match   rix,
-  @{bin}/getopt     rix,
-  @{bin}/mktemp     rix,
+  @{sh_path}        rix,
  @{bin}/{m,g,}awk  rix,
  @{bin}/basename   rix,
  @{bin}/env        rix,
+  @{bin}/fc-match   rix,
+  @{bin}/getopt     rix,
+  @{bin}/mktemp     rix,
+  @{bin}/rm         rix,
+  @{bin}/wmctrl     rix,

  @{bin}/i3lock     rPx,
  @{bin}/xrandr     rPx,
@ -32,16 +34,15 @@ profile i3lock-fancy @{exec_path} {
  @{bin}/import-im6.q16  rCx -> imagemagic,
  @{bin}/scrot           rCx -> imagemagic,

+  /usr/share/i3lock-fancy/{,*} r,
+
  owner /tmp/tmp.*.png rw,
  owner /tmp/tmp.* rw,
  owner /tmp/sh-thd.* rw,

-  /usr/share/i3lock-fancy/{,*} r,
-
  # file_inherit
  owner /dev/tty@{int} rw,

-
  profile imagemagic {
    include <abstractions/base>
    include <abstractions/fonts>
--- a/apparmor.d/profiles-g-l/keepassxc
+++ b/apparmor.d/profiles-g-l/keepassxc
@ -67,6 +67,8 @@ profile keepassxc @{exec_path} {
  owner @{user_cache_dirs}/keepassxc/* rwkl -> @{user_cache_dirs}/keepassxc/#@{int},
  owner @{user_config_dirs}/keepassxc/ rw,
  owner @{user_config_dirs}/keepassxc/* rwkl -> @{user_config_dirs}/keepassxc/#@{int},
+  owner @{user_share_dirs}/keepassxc/ rw,
+  owner @{user_share_dirs}/keepassxc/* rwkl -> @{user_share_dirs}/keepassxc/#@{int},

  owner /tmp/.[a-zA-Z]*/{,s} rw,
  owner /tmp/*.*.gpgkey rwl -> /tmp/#@{int},
@ -77,8 +79,12 @@ profile keepassxc @{exec_path} {
  owner /tmp/keepassxc.lock rw,
  owner /tmp/keepassxc.socket rw,

+  owner @{run}/user/@{pid}/app/ w,
+  owner @{run}/user/@{pid}/app/org.keepassxc.KeePassXC/{,**} rw,
  owner @{run}/user/@{uid}/.[a-zA-Z]*/{,s} rw,
  owner @{run}/user/@{uid}/kpxc_server rw,
+  owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,
+  owner @{run}/user/@{uid}/org.keepassxc.KeePassXC/ w,

             @{PROC}/@{pids}/comm r,
             @{PROC}/modules r,
@ -87,11 +93,6 @@ profile keepassxc @{exec_path} {
  deny       @{PROC}/sys/kernel/random/boot_id r,
  deny owner @{PROC}/@{pid}/cmdline r,

-  owner @{run}/user/@{pid}/app/ w,
-  owner @{run}/user/@{pid}/app/org.keepassxc.KeePassXC/{,**} rw,
-  owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,
-  owner @{run}/user/@{uid}/org.keepassxc.KeePassXC/ w,
-
        /dev/shm/#@{int} rw,
        /dev/tty rw,
        /dev/urandom rw,