feat(profile): general update.

2025-08-28 21:09:09 +02:00 · 2025-08-28 21:09:09 +02:00 · 81d020173d
commit 81d020173d
parent cf96e7b1d0
40 changed files with 89 additions and 31 deletions
--- a/apparmor.d/groups/bus/dbus-accessibility
+++ b/apparmor.d/groups/bus/dbus-accessibility
@ -9,12 +9,13 @@ include <tunables/global>
@{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher
 profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/consoles>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.gnome.SessionManager>
+  include <abstractions/consoles>
  include <abstractions/dconf-write>
+  include <abstractions/gsettings>
  include <abstractions/nameservice-strict>

  network inet dgram,
@ -39,7 +40,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
-       peer=(name=:*, label=gnome-shell),
+       peer=(name=@{busname}, label=gnome-shell),

  @{exec_path} mrix,

@ -53,7 +54,6 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
  /usr/share/dconf/profile/gdm r,
  /usr/share/defaults/at-spi2/{,**} r,
  /usr/share/gdm/greeter-dconf-defaults r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  /etc/machine-id r,
  /var/lib/dbus/machine-id r,
--- a/apparmor.d/groups/children/child-open-strict
+++ b/apparmor.d/groups/children/child-open-strict
@ -18,6 +18,8 @@ profile child-open-strict flags=(attach_disconnected,mediate_deleted) {
  @{browsers_path}               Px,
  @{file_explorers_path}         Px,

+  @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mrix,
+
  include if exists <usr/child-open-strict.d>
  include if exists <local/child-open-strict>
 }
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@ -33,7 +33,12 @@ profile gnome-software @{exec_path} {
  #aa:dbus own bus=session name=org.freedesktop.PackageKit
  #aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application

-  #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/ label="@{p_packagekitd}"
+  #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/@{int}_@{hex8} label="@{p_packagekitd}"
+
+  dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
+       interface=org.freedesktop.PolicyKit1.Authority
+       member=Changed
+       peer=(name=@{busname}, label=polkitd),

  @{exec_path} mr,

--- a/apparmor.d/groups/gnome/loupe
+++ b/apparmor.d/groups/gnome/loupe
@ -27,6 +27,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) {

  signal send set=kill peer=loupe//bwrap,

+  #aa:dbus own bus=session name=org.gnome.Loupe interface+=org.freedesktop.Application
+
  #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"

  dbus send bus=system path=/org/freedesktop/hostname1
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -35,6 +35,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2

  #aa:dbus talk bus=session name=org.freedesktop.Application path=/ label="*"
+  #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome
  #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center
  #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell
  #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell
--- a/apparmor.d/groups/gnome/papers
+++ b/apparmor.d/groups/gnome/papers
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>

@{exec_path} = @{bin}/papers
-profile papers @{exec_path} {
+profile papers @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/common/gnome>
@ -16,6 +16,8 @@ profile papers @{exec_path} {
  include <abstractions/user-read-strict>
  include <abstractions/user-write-strict>

+  #aa:dbus own bus=session name=org.gnome.Papers interface+=org.freedesktop.Application
+
  #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"

  @{exec_path} mr,
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@ -29,7 +29,7 @@ profile gpg @{exec_path} {
  @{lib}/{,gnupg/}scdaemon rPx,

  /usr/share/terminfo/** r,
-  /usr/share/keyrings/** rw,  #aa:only apt
+  /usr/share/keyrings/** rw,        #aa:only apt
  /usr/share/pacman/keyrings/** r,  #aa:only pacman

  /etc/inputrc r,
@ -39,6 +39,7 @@ profile gpg @{exec_path} {
  /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**,

  #aa:only apt
+        /etc/apt/trusted.gpg.d/{,*} r,
  owner /etc/apt/keyrings/ rw,
  owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**,

--- a/apparmor.d/groups/pacman/paccache
+++ b/apparmor.d/groups/pacman/paccache
@ -41,6 +41,9 @@ profile paccache @{exec_path} flags=(attach_disconnected) {
  /var/cache/pacman/pkg/{,*} rw,
  /var/lib/pacman/{,**} r,

+  @{HOME}/@{XDG_GPG_DIR}/gpg.conf r,
+  @{HOME}/@{XDG_GPG_DIR}/gpgsm.conf r,
+
  owner @{PROC}/@{pid}/fd/ r,

  /dev/tty rw,
--- a/apparmor.d/groups/pacman/pacman-hook-code
+++ b/apparmor.d/groups/pacman/pacman-hook-code
@ -19,6 +19,7 @@ profile pacman-hook-code @{exec_path} {
  @{python_path} rix,

  @{lib}/code/product.json rw,
+  @{lib}/code/out/vs/code/electron-utility/sharedProcess/sharedProcessMain.js w,

  /usr/share/code-{features,marketplace}{,-insiders}/{,*} r,
  /usr/share/code-{features,marketplace}{,-insiders}/cache.json rw,
--- a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart
@ -10,14 +10,13 @@ include <tunables/global>
 profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/common/systemd>
+  include <abstractions/desktop-files>
  include <abstractions/nameservice-strict>

  capability net_admin,

  @{exec_path} mr,

-  @{system_share_dirs}/applications/*.desktop r,
-
  @{etc_ro}/xdg/autostart/{,*.desktop} r,

  owner @{user_config_dirs}/autostart/{,*.desktop} r,
--- a/apparmor.d/groups/systemd/systemd-sleep
+++ b/apparmor.d/groups/systemd/systemd-sleep
@ -19,6 +19,8 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

+  @{sh_path} mr,
+
  @{lib}/systemd/system-sleep/grub2.sleep          rPx,
  @{lib}/systemd/system-sleep/hdparm               rPx,
  @{lib}/systemd/system-sleep/nvidia               rPx,
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -98,6 +98,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) {
  @{run}/systemd/network/ r,
  @{run}/systemd/network/*.link rw,
  @{run}/systemd/notify rw,
+  @{run}/systemd/private rw,
  @{run}/systemd/seats/seat@{int} r,

  @{att}/@{run}/systemd/notify w,
--- a/apparmor.d/groups/ubuntu/software-properties-gtk
+++ b/apparmor.d/groups/ubuntu/software-properties-gtk
@ -64,7 +64,7 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) {

        /dev/shm/ r,
  owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6},
-  owner /dev/shm/sem.mp-@{rand8} rw,
+  owner /dev/shm/sem.mp-@{rand8} rwl -> /dev/shm/sem.@{rand6},

  owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,

--- a/apparmor.d/groups/usb/lsusb
+++ b/apparmor.d/groups/usb/lsusb
@ -14,6 +14,7 @@ profile lsusb @{exec_path} {
  include <abstractions/devices-usb-read>

  capability net_admin,
+  capability sys_admin,

  network netlink raw,

--- a/apparmor.d/groups/utils/dmesg
+++ b/apparmor.d/groups/utils/dmesg
@ -13,6 +13,7 @@ profile dmesg @{exec_path} flags=(attach_disconnected) {
  include <abstractions/consoles>

  capability dac_read_search,
+  capability sys_admin,
  capability syslog,

  @{exec_path} mr,
--- a/apparmor.d/groups/utils/lsblk
+++ b/apparmor.d/groups/utils/lsblk
@ -27,6 +27,7 @@ profile lsblk @{exec_path} flags=(attach_disconnected) {
  # File Inherit
  deny network inet stream,
  deny network inet6 stream,
+  deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw,

  include if exists <local/lsblk>
 }
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@ -11,7 +11,10 @@ profile cockpit-bridge @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.NetworkManager>
+  include <abstractions/bus/org.freedesktop.timedate1>
  include <abstractions/consoles>
+  include <abstractions/icons>
  include <abstractions/nameservice-strict>
  include <abstractions/python>

@ -37,6 +40,8 @@ profile cockpit-bridge @{exec_path} {

  #aa:dbus talk bus=session name=org.libvirt label=libvirt-dbus
  #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/**  label=packagekitd
+  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label=@{p_systemd}
+  #aa:dbus talk bus=system name=org.libvirt label=libvirt-dbus

  @{exec_path} mr,

--- a/apparmor.d/groups/virt/cockpit-session
+++ b/apparmor.d/groups/virt/cockpit-session
@ -10,6 +10,7 @@ include <tunables/global>
 profile cockpit-session @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/authentication>
+  include <abstractions/bus-system>
  include <abstractions/nameservice-strict>
  include <abstractions/shells>

@ -28,7 +29,8 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
  @{shells_path}         rix,
  @{bin}/cockpit-bridge  rPx,
  @{lib}/cockpit/cockpit-pcp  rPx,
-  @{bin}/ssh-agent rPx,
+  @{bin}/ssh-agent       rPx,
+  @{bin}/ssh-add         rix,

  @{etc_ro}/environment r,
  @{etc_ro}/security/limits.d/{,*.conf} r,
--- a/apparmor.d/groups/virt/libvirt-dbus
+++ b/apparmor.d/groups/virt/libvirt-dbus
@ -16,6 +16,11 @@ profile libvirt-dbus @{exec_path} {
  #aa:dbus own bus=session name=org.libvirt
  #aa:dbus own bus=system name=org.libvirt

+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=@{busname}, label=gnome-shell),
+
  @{exec_path} mr,

  @{sbin}/libvirtd  rPx,
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -92,6 +92,11 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  # Allow changing to our UUID-based named profiles
  change_profile -> libvirt-@{uuid},

+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=@{busname}, label=gnome-shell),
+
  @{exec_path} mr,

  @{lib}/libvirt/libvirt_iohelper                   rix,
@ -157,6 +162,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  @{user_vm_dirs}/{,**} rwk,
  @{user_publicshare_dirs}/{,**} rwk,

+  owner @{user_config_dirs}/libvirt/{,**} rwk,
+
  owner @{run}/user/@{uid}/libvirt/ rw,
  owner @{run}/user/@{uid}/libvirt/** rwk,