feat(profiles): general update.

2023-09-15 22:01:08 +01:00 · 2023-09-15 22:01:08 +01:00 · 6a78b17d23
commit 6a78b17d23
parent 1d68b5bbc4
22 changed files with 62 additions and 35 deletions
--- a/apparmor.d/profiles-a-f/aa-teardown
+++ b/apparmor.d/profiles-a-f/aa-teardown
@ -18,6 +18,8 @@ profile aa-teardown @{exec_path} {
  @{bin}/{,ba,da}sh rix,
  @{lib}/apparmor/apparmor.systemd rPx,

+  /usr/share/terminfo/x/* r,
+
  /dev/tty rw,

  include if exists <local/aa-teardown>
--- a/apparmor.d/profiles-a-f/element
+++ b/apparmor.d/profiles-a-f/element
@ -41,6 +41,10 @@ profile element @{exec_path} {
  @{lib}/element/{,**} r,
  @{lib}/element/app.asar.unpacked/node_modules/**.node mr,

+  @{bin}/xdg-open                                     rPx -> child-open,
+  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
+  @{lib}/gio-launch-desktop                           rPx -> child-open,
+
  /opt/intel/oneapi/{compiler,lib,mkl}/**/ r,
  /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr,

--- a/apparmor.d/profiles-a-f/findmnt
+++ b/apparmor.d/profiles-a-f/findmnt
@ -15,8 +15,6 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) {

  capability dac_read_search,

-  unix (receive) type=stream,
-
  @{exec_path} mr,

  /etc/fstab r,
@ -26,6 +24,7 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) {

  # File Inherit
  deny /apparmor/.null rw,
+  deny unix (receive) type=stream,

  include if exists <local/findmnt>
 }