update apparmor profiles

2021-10-22 15:41:13 +01:00 · 2021-10-22 15:41:13 +01:00 · 7da59b4984
commit 7da59b4984
parent 6c34573727
18 changed files with 122 additions and 6 deletions
--- a/apparmor.d/groups/apps/signal-desktop
+++ b/apparmor.d/groups/apps/signal-desktop
@ -21,6 +21,7 @@ profile signal-desktop @{exec_path} {
  include <abstractions/audio>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
+  include <abstractions/user-download-strict>
  include <abstractions/deny-root-dir-access>

  # Needed?
@ -95,6 +96,8 @@ profile signal-desktop @{exec_path} {
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
  # No new privs
  /{usr/,}bin/xdg-settings rPUx,

--- a/apparmor.d/groups/apps/telegram-desktop
+++ b/apparmor.d/groups/apps/telegram-desktop
@ -21,6 +21,7 @@ profile telegram-desktop @{exec_path} {
  include <abstractions/user-download-strict>
  include <abstractions/qt5-compose-cache-write>
  include <abstractions/qt5-settings-write>
+  include <abstractions/qt5-shader-cache>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/enchant>
--- a/apparmor.d/groups/apt/apt-listchanges
+++ b/apparmor.d/groups/apt/apt-listchanges
@ -61,6 +61,7 @@ profile apt-listchanges @{exec_path} {
  owner /tmp/apt-listchanges*/*/*/*/*/*/changelog.gz rw,
  owner /tmp/apt-listchanges*/*/*/*/*/*/changelog/changelog_to_file rw,
  owner /tmp/apt-listchanges*/*/*/*/*/*/changelog/simple_changelog rw,
+  owner /tmp/apt-listchanges*/*/*/*/*/*/*-local/debian/changelog rw,

  # The following is needed when apt-listchanges uses debcconf GUI frontends.
  include <abstractions/gtk>
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@ -26,7 +26,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
  network bluetooth stream,
  network bluetooth seqpacket,

-  ptrace (read) peer=unconfined,
+  ptrace (read),

  @{exec_path} mr,

--- a/apparmor.d/groups/gvfs/gvfsd-smb
+++ b/apparmor.d/groups/gvfs/gvfsd-smb
@ -24,6 +24,8 @@ profile gvfsd-smb @{exec_path} {
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,

+  owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
+
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  /etc/samba/smb.conf r,
--- a/apparmor.d/groups/gvfs/gvfsd-smb-browse
+++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse
@ -24,6 +24,8 @@ profile gvfsd-smb-browse @{exec_path} {
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,

+  owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
+
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  /etc/samba/smb.conf r,
--- a/apparmor.d/groups/gvfs/gvfsd-trash
+++ b/apparmor.d/groups/gvfs/gvfsd-trash
@ -27,7 +27,7 @@ profile gvfsd-trash @{exec_path} {
  @{run}/mount/utab r,

  owner @{run}/user/@{uid}/gvfsd/ rw,
-  owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
+  owner @{run}/user/@{uid}/gvfsd/socket-* rw,

  # Can restore all user files
  owner @{HOME}/{,**} rw,