feat(profile): general update.

2024-06-04 20:13:40 +01:00 · 2024-06-04 20:13:40 +01:00 · 8b60e56002
commit 8b60e56002
parent d98621625a
21 changed files with 71 additions and 59 deletions
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@ -21,6 +21,8 @@ profile dpkg-preconfigure @{exec_path} {

  @{sh_path}        rix,
  @{bin}/{,e}grep   rix,
+  @{bin}/{,g,m}awk  rix,
+  @{bin}/cat        rix,
  @{bin}/dialog     rix,
  @{bin}/locale     rix,
  @{bin}/sed        rix,
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -33,6 +33,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {

  signal (send) peer=apt-methods-http,

+  unix type=stream addr=@@{hex16}/bus/unattended-upgr/system,
+
  @{exec_path} mr,

  @{bin}/ r,
@ -106,6 +108,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
  owner @{tmp}/apt-dpkg-install-*/{,*} rw,

        @{PROC}/@{pids}/mountinfo r,
+        @{PROC}/@{pids}/stat r,
  owner @{PROC}/@{pids}/fd/ r,

  /dev/ptmx rw,
--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
@ -38,7 +38,7 @@ profile dbus-session flags=(attach_disconnected) {

  @{bin}/**                   PUx,
  @{lib}/**                   PUx,
-  /usr/share/**               PUx,
+  /usr/share/*/**             PUx,

  /etc/dbus-1/{,**} r,
  /usr/share/dbus-1/{,**} r,
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@ -36,9 +36,9 @@ profile dbus-system flags=(attach_disconnected) {

  @{exec_path} mrix,

-  @{bin}/**                         PUx,
-  @{lib}/**                         PUx,
-  /usr/share/*/**                   PUx,
+  @{bin}/**                   PUx,
+  @{lib}/**                   PUx,
+  /usr/share/*/**             PUx,

  /etc/dbus-1/{,**} r,
  /usr/share/dbus-1/{,**} r,
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -57,6 +57,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  @{bin}/grep          rix,
  @{bin}/locale        rix,
  @{bin}/sed           rix,
+  @{bin}/tecla         rix,

  @{bin}/bwrap                                   rCx -> bwrap,
  @{bin}/gkbd-keyboard-display                   rPx,
@ -159,6 +160,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,

        @{PROC}/cmdline r,
+        @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
        @{PROC}/zoneinfo r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/cmdline r,
--- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
+++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
@ -24,5 +24,9 @@ profile gnome-remote-desktop-daemon @{exec_path} {

  @{exec_path} mr,

+  /usr/share/gnome-remote-desktop/{,**} r,
+
+  owner /var/lib/gnome-remote-desktop//{,**} r,
+
  include if exists <local/gnome-remote-desktop-daemon>
 }
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -281,7 +281,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{user_cache_dirs}/media-art/{,**} r,
  owner @{user_cache_dirs}/vlc/**/*.jpg r,

-        @{run}/gdm{3,}/dbus/dbus-@{rand8} w,
+        @{run}/gdm{3,}/dbus/dbus-@{rand8} rw,
  owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
  owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
@ -398,9 +398,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
    include <abstractions/base>
    include <abstractions/app-launcher-user>

+    unix receive type=stream,
+
    @{lib}/gio-launch-desktop                               mr,
    @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop      mr,
-  
+
    @{lib}/*      PUx,
    /usr/games/*  PUx,
    /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx,
--- a/apparmor.d/groups/gnome/gnome-text-editor
+++ b/apparmor.d/groups/gnome/gnome-text-editor
@ -16,6 +16,8 @@ profile gnome-text-editor @{exec_path} {

  @{exec_path} mr,

+  /usr/share/enchant-*/{,**} r,
+
  owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw,

  owner @{PROC}/@{pid}/mountinfo r,
--- a/apparmor.d/groups/gvfs/gvfsd-wsdd
+++ b/apparmor.d/groups/gvfs/gvfsd-wsdd
@ -14,6 +14,7 @@ profile gvfsd-wsdd @{exec_path} {

  @{exec_path} mr,

+  @{bin}/env r,
  @{bin}/wsdd rPx,

        @{run}/mount/utab r,
--- a/apparmor.d/groups/network/nmcli
+++ b/apparmor.d/groups/network/nmcli
@ -15,7 +15,9 @@ profile nmcli @{exec_path} {

  @{exec_path} mr,

-  @{bin}/less rCx -> pager,
+  @{bin}/less            rPx -> child-pager,
+  @{bin}/more            rPx -> child-pager,
+  @{bin}/pager           rPx -> child-pager,

  owner @{HOME}/.nm-vpngate/*.ovpn r,
  owner @{HOME}/.cert/nm-openvpn/*.pem rw,
@ -26,16 +28,5 @@ profile nmcli @{exec_path} {
  @{sys}/devices/virtual/net/{,**} r,
  @{sys}/devices/@{pci}/net/*/{,**} r,

-  profile pager {
-    include <abstractions/base>
-    include <abstractions/consoles>
-
-    @{bin}/less  mr,
-
-    owner @{HOME}/.lesshs* rw,
-    owner @{user_cache_dirs}/.lesshs* rw,
-
-  }
-
  include if exists <local/nmcli>
 }
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -117,11 +117,6 @@ profile pacman @{exec_path} {
  /usr/** rwlk -> /usr/**,
  /var/** rwlk -> /var/**,

-  @{PROC}/ r,
-  @{run}/ r,
-  @{sys}/{,**} r,
-  /mnt r,
-
  # Read packages files
  @{user_pkg_dirs}/**/ r,
  @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r,
@ -132,13 +127,16 @@ profile pacman @{exec_path} {
  owner @{tmp}/checkup-db-@{int}/db.lck rw,

  @{run}/utmp rk,
-  
+
+  @{sys}/{,**} r,
+
        @{PROC}/@{pids}/ r,
        @{PROC}/@{pids}/cgroup r,
        @{PROC}/@{pids}/cmdline r,
        @{PROC}/@{pids}/stat r,
        @{PROC}/1/environ r,
        @{PROC}/sys/kernel/osrelease r,
+        @{PROC}/tty/drivers r,
        @{PROC}/uptime r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,
--- a/apparmor.d/groups/pacman/pacman-key
+++ b/apparmor.d/groups/pacman/pacman-key
@ -16,13 +16,14 @@ profile pacman-key @{exec_path} {

  @{exec_path} mr,

+  @{bin}/{m,g,}awk    rix,
  @{bin}/basename     rix,
  @{bin}/bash         rix,
  @{bin}/chmod        rix,
-  @{bin}/{m,g,}awk    rix,
  @{bin}/gettext      rix,
  @{bin}/gpg{,2}      rCx -> gpg,
  @{bin}/grep         rix,
+  @{bin}/ngettext     rix,
  @{bin}/pacman-conf  rPx,
  @{bin}/touch        rix,
  @{bin}/tput         rix,
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -84,6 +84,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
  @{etc_ro}/ssh/sshd_config.d/{,*} r,
  /etc/ssh/ssh_host_* r,

+  /var/lib/lastlog/ r,
+  /var/lib/lastlog/* rwk,
+  /var/lib/wtmpdb/ r,
+  /var/lib/wtmpdb/* rwk,
+
  # For scp
  owner @{user_download_dirs}/{,**} rwl,
  owner @{user_sync_dirs}/{,**} rwl,