feat(profile): general update.

2024-06-04 20:13:40 +01:00 · 2024-06-04 20:13:40 +01:00 · 8b60e56002
commit 8b60e56002
parent d98621625a
21 changed files with 71 additions and 59 deletions
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@ -153,7 +153,7 @@ profile snapd @{exec_path} {
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
  @{sys}/kernel/kexec_loaded r,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-  @{sys}/kernel/security/apparmor/features/{,*/} r,
+  @{sys}/kernel/security/apparmor/features/{,**} r,
  @{sys}/kernel/security/apparmor/profiles r,

  @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@ -41,7 +41,10 @@ profile spotify @{exec_path} {
  owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm,
  owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm,

-  owner @{tmp}/.org.chromium.Chromium.@{rand6}/*.crx3 rw,
+  owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw,
+
+  @{sys}/bus/ r,
+  @{sys}/bus/*/devices/ r,

  @{PROC}/pressure/* r,

--- a/apparmor.d/profiles-s-z/wsdd
+++ b/apparmor.d/profiles-s-z/wsdd
@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/wsdd
+profile wsdd @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/python>
+
+  @{exec_path} mr,
+
+  @{bin}/env r,
+  @{bin}/python3.@{int} rix,
+
+  /etc/machine-id r,
+
+  owner @{run}/user/@{uid}/gvfsd/wsdd w,
+
+  include if exists <local/wsdd>
+}