feat(profile): general update.

2025-03-30 16:27:41 +02:00 · 2025-03-30 16:27:41 +02:00 · 735f5de518
commit 735f5de518
parent 5861da3f33
50 changed files with 127 additions and 80 deletions
--- a/apparmor.d/profiles-m-r/motd
+++ b/apparmor.d/profiles-m-r/motd
@ -10,9 +10,12 @@ include <tunables/global>
 profile motd @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
+  include <abstractions/ssl_certs>

  network inet dgram,
+  network inet stream,
  network inet6 dgram,
+  network inet6 stream,
  network netlink raw,

  @{exec_path} mr,
@ -20,8 +23,11 @@ profile motd @{exec_path} {
  @{sh_path}         rix,
  @{coreutils_path}  rix,
  @{bin}/cloud-id    rix,
+  @{bin}/systemctl   rCx -> systemctl,
  @{bin}/hostname    rPx,
  @{bin}/snap        rPx,
+  @{bin}/dpkg        rPx -> child-dpkg,
+  @{bin}/systemd-detect-virt rPx,
  @{bin}/wget        rix,

  @{lib}/ubuntu-release-upgrader/release-upgrade-motd            rPx,
@ -34,20 +40,35 @@ profile motd @{exec_path} {
  /etc/default/motd-news r,
  /etc/lsb-release r,
  /etc/update-motd.d/* r,
+  /etc/cloud/cloud.cfg r,
+  /etc/cloud/cloud.cfg.d/{,*} r,

  /var/cache/motd-news rw,
  /var/lib/update-notifier/updates-available r,
  /var/lib/ubuntu-advantage/messages/motd-esm-announce r,

-  /tmp/tmp.@{rand10} w,
+  /tmp/tmp.@{rand10} rw,

  @{run}/motd.d/{,*} r,
  @{run}/motd.dynamic.new rw,
+  @{run}/reboot-required r,

  @{PROC}/@{pids}/mounts r,

  /dev/tty@{int} rw,

+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/app/systemctl>
+
+    capability net_admin,
+    capability sys_ptrace,
+
+    @{run}/systemd/private rw,
+
+    include if exists <local/motd_systemctl>
+  }
+
  include if exists <local/motd>
 }

--- a/apparmor.d/profiles-m-r/qemu-ga
+++ b/apparmor.d/profiles-m-r/qemu-ga
@ -22,6 +22,8 @@ profile qemu-ga @{exec_path} {
  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node@{int}/meminfo r,

+  @{PROC}/sys/vm/max_map_count r,
+
  /dev/vport@{int}p@{int} rw,

  profile systemctl {
--- a/apparmor.d/profiles-m-r/remmina
+++ b/apparmor.d/profiles-m-r/remmina
@ -35,7 +35,7 @@ profile remmina @{exec_path} {
  network inet6 dgram,
  network netlink raw,

-  #aa:dbus own bus=session name=org.remmina.Remmina
+  #aa:dbus own bus=session name=org.remmina.Remmina interface+=org.gtk.Actions
  #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell
  #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"