feat(profile): general update.

2023-11-26 21:24:40 +00:00 · 2023-11-26 21:24:40 +00:00 · 8250e202a0
commit 8250e202a0
parent 4b61abf7ce
37 changed files with 67 additions and 53 deletions
--- a/apparmor.d/profiles-s-z/snapd-apparmor
+++ b/apparmor.d/profiles-s-z/snapd-apparmor
@ -16,6 +16,7 @@ profile snapd-apparmor @{exec_path} {

  @{bin}/systemd-detect-virt         rPx,
  @{lib_dirs}/snapd/apparmor_parser  rPx,
+  @{bin}/apparmor_parser             rPx,

  @{lib_dirs}/snapd/info r,

--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@ -42,6 +42,7 @@ profile spotify @{exec_path} {
  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
  @{lib}/gio-launch-desktop                          rPx -> child-open,

+  /etc/gnutls/config r,
  /etc/libva.conf r,
  /etc/machine-id r,
  /etc/spotify-adblock/* r,
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -35,10 +35,10 @@ profile sudo @{exec_path} {

  ptrace (read),

+  signal (send,receive) peer=cockpit-bridge,
  signal (send) peer=unconfined,
  signal (send) set=(cont,hup) peer=su,
-  signal (send) set=winch peer={apt,zsysd,zsys-system-autosnapshot,pacman},
-  signal (send,receive) peer=cockpit-bridge,
+  signal (send) set=(winch),

  dbus send bus=system path=/org/freedesktop/login[0-9]
       interface=org.freedesktop.login[0-9].Manager
@ -50,12 +50,11 @@ profile sudo @{exec_path} {
         member={JobRemoved,StartTransientUnit},

  @{exec_path} mr,
+  @{lib}/sudo/** mr,

  @{bin}/{,b,d,rb}ash               rUx,
  @{bin}/{c,k,tc,z}sh               rUx,
-
  @{lib}/**                        rPUx,
-  @{lib}/sudo/**                     mr,
  /opt/*/**                        rPUx,
  /snap/snapd/@{int}@{bin}/snap    rPUx,

--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@ -53,7 +53,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
  umount @{MOUNTS}/,
  umount @{MOUNTS}/*/,
  umount @{run}/udisks2/temp-mount-*/,
-  umount /media/cdrom[0-9]/,
+  umount /media/cdrom@{int}/,

  signal (receive) set=(int) peer=@{systemd},

--- a/apparmor.d/profiles-s-z/useradd
+++ b/apparmor.d/profiles-s-z/useradd
@ -24,6 +24,7 @@ profile useradd @{exec_path} {

  @{exec_path} mr,

+  @{bin}/nscd    rix,
  @{bin}/usermod rPx,

  @{bin}/pam_tally2 rCx -> pam_tally2,
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@ -37,6 +37,7 @@ profile wireplumber @{exec_path} {
  /usr/share/spa-*/bluez[0-9]*/{,*} r,
  /usr/share/wireplumber/{,**} r,

+  /etc/gnutls/config r,
  /etc/machine-id r,

  /var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,
@ -61,7 +62,6 @@ profile wireplumber @{exec_path} {
  @{sys}/devices/**/device:*/**/path r,
  @{sys}/devices/**/sound/**/pcm_class r,
  @{sys}/devices/**/sound/**/uevent r,
-  @{sys}/devices/pci[0-9]*/**/modalias r,
  @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
  @{sys}/devices/virtual/dmi/id/bios_vendor r,
  @{sys}/devices/virtual/dmi/id/product_name r,