Profiles update.

2021-09-10 00:17:44 +01:00 · 2021-09-10 00:17:44 +01:00 · 70b4fa665b
commit 70b4fa665b
parent 6583a7bfb2
18 changed files with 80 additions and 37 deletions
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -41,17 +41,22 @@ profile pacman @{exec_path} {
  /{usr/,}bin/gpg          rCx -> gpg,
  /{usr/,}bin/gpgconf      rCx -> gpg,
  /{usr/,}bin/gpgsm        rCx -> gpg,
-  /{usr/,}{s,}bin/ldconfig rix,
-  /{usr/,}bin/{,ba}sh      rix,
+

  # Pacman hooks & install scripts
+  /{usr/,}{s,}bin/ldconfig                rix,
+  /{usr/,}bin/{,ba}sh                     rix,
+  /{usr/,}bin/dot                         rix,
+  /{usr/,}bin/env                         rix,
+  /{usr/,}bin/rm                          rix,
+  /{usr/,}bin/vercmp                      rix,
+  /{usr/,}lib/ghc-*/bin/ghc-pkg           rix,
  /{usr/,}bin/arch-audit                  rPx,
  /{usr/,}bin/bootctl                     rPx,
-  /{usr/,}bin/env                         rix,
  /{usr/,}bin/fc-cache                    rPx,
  /{usr/,}bin/gdk-pixbuf-query-loaders    rPx,
  /{usr/,}bin/glib-compile-schemas        rPx,
-  /{usr/,}bin/gtk-query-immodules-3.0     rPx,
+  /{usr/,}bin/gtk-query-immodules-{2,3}.0 rPx,
  /{usr/,}bin/install-info                rPx,
  /{usr/,}bin/killall                     rPx,
  /{usr/,}bin/pacdiff                     rPx,
@ -61,9 +66,7 @@ profile pacman @{exec_path} {
  /{usr/,}bin/update-ca-trust             rPx,
  /{usr/,}bin/update-desktop-database     rPx,
  /{usr/,}bin/update-mime-database        rPx,
-  /{usr/,}bin/vercmp                      rix,
  /{usr/,}lib/dkms/alpm-hook              rPx,
-  /{usr/,}lib/ghc-*/bin/ghc-pkg           rix,
  /{usr/,}lib/systemd/systemd-*           rPx,
  /{usr/,}lib/vlc/vlc-cache-gen           rPx,
  /usr/share/libalpm/scripts/*            rPx,
@ -77,6 +80,17 @@ profile pacman @{exec_path} {
  /usr/{,**} rwl,
  /var/{,**} rwl,

+  /bin/ rwl,
+  /home/ rw,
+  /lib/ rwl,
+  /lib64/ rwl,
+  /sbin/ rwl,
+
+  @{PROC}/ r,
+  @{run}/ r,
+  @{sys}/ r,
+  /mnt r,
+
  # Read packages files
  @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r,

@ -116,5 +130,6 @@ profile pacman @{exec_path} {
    owner /etc/pacman.d/gnupg/** rwkl,
  }

+  include if exists <distribution/pacman.d>
  include if exists <local/pacman>
 }
--- a/apparmor.d/groups/pacman/pacman-hook-dkms
+++ b/apparmor.d/groups/pacman/pacman-hook-dkms
@ -10,9 +10,12 @@ include <tunables/global>
 profile pacman-hook-dkms @{exec_path} {
  include <abstractions/base>

+  capability dac_read_search,
+
  @{exec_path} mr,

  /{usr/,}bin/kmod rPx,
+  /{usr/,}bin/dkms rPx,

  # Inherit Silencer
  deny network inet6 stream,
--- a/apparmor.d/groups/pacman/pacman-key
+++ b/apparmor.d/groups/pacman/pacman-key
@ -15,6 +15,7 @@ profile pacman-key @{exec_path} {
  /{usr/,}bin/basename     rix,
  /{usr/,}bin/gettext      rix,
  /{usr/,}bin/gpg          rCx -> gpg,
+  /{usr/,}bin/grep         rix,
  /{usr/,}bin/pacman-conf  rPx,
  /{usr/,}bin/tput         rix,