feat(profiles): general update.

2023-08-27 14:54:04 +01:00 · 2023-08-27 14:54:04 +01:00 · 75ef5ef6ad
commit 75ef5ef6ad
parent 19331acaa9
48 changed files with 205 additions and 141 deletions
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@ -55,6 +55,7 @@ profile gnome-music @{exec_path} {

  owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,

+        @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/mounts r,

--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -19,6 +19,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fontconfig-cache-write>
+  include <abstractions/freedesktop.org>
  include <abstractions/gnome>
  include <abstractions/gstreamer>
  include <abstractions/ibus>
@ -478,6 +479,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /opt/*/**/*.png r,
  /snap/*/@{uid}/**.png r,
  /usr/share/{,zoneinfo-}icu/{,**} r,
+  /usr/share/**.{png,jpg,svg} r,
  /usr/share/app-info/icons/{,**} r,
  /usr/share/backgrounds/{,**} r,
  /usr/share/byobu/desktop/byobu* r,
@ -498,15 +500,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /usr/share/libinput*/libinput/ r,
  /usr/share/libwacom/{,*.stylus,*.tablet} r,
  /usr/share/pipewire/client.conf r,
-  /usr/share/plymouth/*.png r,
  /usr/share/wallpapers/** r,
  /usr/share/wayland-sessions/{,*.desktop} r,
  /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,

-  # freedesktop.org-strict
-  /usr/share/*ubuntu/applications/{,**} r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
  /.flatpak-info r,
  /etc/fstab r,
  /etc/udev/hwdb.bin r,
@ -547,12 +544,12 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {

  owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
  owner @{HOME}/.var/app/**/ r,
-  owner @{HOME}/.var/app/**.{png,jpg} r,
+  owner @{HOME}/.var/app/**.{png,jpg,svg} r,
  owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,

-  owner @{user_games_dirs}/**/*.{png,jpg} r,
-  owner @{user_music_dirs}/**/*.{png,jpg} r,
+  owner @{user_games_dirs}/**.{png,jpg,svg} r,
+  owner @{user_music_dirs}/**.{png,jpg,svg} r,

  owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw,
  owner @{user_config_dirs}/ibus/ w,
@ -627,9 +624,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/**/power_supply/{,**} r,
  @{sys}/devices/pci[0-9]*/**/boot_vga r,
  @{sys}/devices/pci[0-9]*/**/drm/ r,
-  @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
+  @{sys}/devices/pci[0-9]*/**/input@{int}/{properties,name} r,
  @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
-  @{sys}/devices/platform/**/input[0-9]*/{properties,name} r,
+  @{sys}/devices/platform/**/input@{int}/{properties,name} r,
  @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
  @{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,

--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@ -185,8 +185,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
        @{run}/systemd/inhibit/[0-9]*.ref rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,

-  owner /dev/tty@{int} rw,
-
  @{run}/udev/data/+sound:card@{int} r,   # For sound
  @{run}/udev/data/c13:@{int} r,          # for /dev/input/*
  @{run}/udev/data/c189:@{int} r,         # For /dev/bus/usb/**
@ -199,5 +197,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
        @{PROC}/1/cgroup r,
  owner @{PROC}/@{pid}/cgroup r,

+  owner /dev/tty@{int} rw,
+
  include if exists <local/gsd-media-keys>
 }
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@ -187,7 +187,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {

  @{run}/udev/data/+backlight:* r,
  @{run}/udev/data/+drm:card* r,
-  @{run}/udev/data/+leds:*backlight* r,
+  @{run}/udev/data/+leds:* r,

  @{run}/systemd/inhibit/[0-9]*.ref rw,

--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@ -121,12 +121,12 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {

  @{run}/blkid/blkid.tab r,

-  @{run}/udev/data/c23[4-9]:[0-9]* r,   # For dynamic assignment range 234 to 254
-  @{run}/udev/data/c24[0-9]:[0-9]* r,
-  @{run}/udev/data/c25[0-4]:[0-9]* r,
-  @{run}/udev/data/c3[0-9]*:[0-9]* r,   # For dynamic assignment range 384 to 511
-  @{run}/udev/data/c4[0-9]*:[0-9]* r,
-  @{run}/udev/data/c5[0-9]*:[0-9]* r,
+  @{run}/udev/data/c23[4-9]:@{int} r,     # For dynamic assignment range 234 to 254
+  @{run}/udev/data/c24[0-9]:@{int} r,
+  @{run}/udev/data/c25[0-4]:@{int} r,
+  @{run}/udev/data/c3[0-9]*:@{int} r,     # For dynamic assignment range 384 to 511
+  @{run}/udev/data/c4[0-9]*:@{int} r,
+  @{run}/udev/data/c5[0-9]*:@{int} r,

  @{run}/mount/utab r,