feat(profile): minor fsp related improvment.

2025-05-31 13:49:16 +02:00 · 2025-05-31 13:49:16 +02:00 · 6c6e1c3456
commit 6c6e1c3456
parent 2282128cbd
6 changed files with 10 additions and 9 deletions
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@ -23,6 +23,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
  #aa:dbus own bus=system name=org.freedesktop.ColorManager

  @{exec_path} mrix,
+  @{lib}/colord-sane ix,

  /etc/machine-id r,
  /etc/sane.d/{,**} r,
@ -44,8 +45,8 @@ profile colord @{exec_path} flags=(attach_disconnected) {
  owner /var/lib/snmp/mibs/{iana,ietf}/ r,
  owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r,

-  @{att}/@{desktop_share_dirs}/icc/edid-*.icc r,
-  @{att}/@{user_share_dirs}/icc/edid-*.icc r,
+  @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r,
+  @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r,

  @{run}/systemd/sessions/* r,

--- a/apparmor.d/groups/grub/grub-mkconfig
+++ b/apparmor.d/groups/grub/grub-mkconfig
@ -56,7 +56,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
  @{bin}/tr                   rix,
  @{bin}/umount               rPx,
  @{bin}/uname                rix,
-  @{bin}/which                rix,
+  @{bin}/which{,.debianutils} rix,
  @{bin}/zfs                  rPx,
  @{bin}/zpool                rPx,
  /etc/grub.d/{,**}           rix,
--- a/apparmor.d/groups/network/tailscaled
+++ b/apparmor.d/groups/network/tailscaled
@ -31,7 +31,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {

  ptrace (read),

-  #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved
+  #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}"

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service
+++ b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service
@ -13,9 +13,9 @@ include <tunables/global>
 profile snapd.system-shutdown.service {
  include <abstractions/base>

-  audit @{bin}/cp     ix,
-  audit @{bin}/mkdir  ix,
-  audit @{bin}/mount  ix,
+  @{bin}/cp     ix,
+  @{bin}/mkdir  ix,
+  @{bin}/mount  ix,

  @{lib}/snapd/system-shutdown r,

--- a/apparmor.d/groups/ubuntu/fanctl
+++ b/apparmor.d/groups/ubuntu/fanctl
@ -19,7 +19,7 @@ profile fanctl @{exec_path} flags=(attach_disconnected) {
  @{bin}/id      ix,
  @{bin}/touch   ix,
  @{bin}/mkdir   ix,
-  @{sbin}/ip     ix,
+  @{bin}/ip      ix,
  @{bin}/sed     ix,

  /etc/network/fan r,
--- a/apparmor.d/profiles-g-l/ischroot
+++ b/apparmor.d/profiles-g-l/ischroot
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>

@{exec_path} = @{bin}/ischroot
-profile ischroot @{exec_path} {
+profile ischroot @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>