From 8c6b0ce33f12020f067d530e1927310eab721605 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:47:50 +0200 Subject: [PATCH] feat(profile): cleanup profiles using the new abs. --- apparmor.d/abstractions/app/chromium | 2 +- apparmor.d/abstractions/common/app | 3 +++ apparmor.d/abstractions/common/game | 5 +---- apparmor.d/groups/bluetooth/bluetoothd | 2 +- apparmor.d/groups/steam/steam | 4 +--- apparmor.d/profiles-s-z/spice-vdagentd | 2 +- 6 files changed, 8 insertions(+), 10 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 725b57fca..efb108586 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -34,7 +34,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 70a50b8c1..043ed7125 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -28,8 +28,11 @@ include include include + include include include + include + include include include diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 753d4cf0b..2198c8537 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -20,6 +20,7 @@ include include include + include @{bin}/uname rix, @{bin}/xdg-settings rPx, @@ -67,9 +68,6 @@ owner /dev/shm/mono.@{int} rw, owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{sys}/ r, @{sys}/bus/ r, @{sys}/class/ r, @@ -80,7 +78,6 @@ @{sys}/devices/@{pci}/net/*/carrier r, @{sys}/devices/**/input@{int}/ r, @{sys}/devices/**/input@{int}/**/{vendor,product} r, - @{sys}/devices/**/input@{int}/capabilities/* r, @{sys}/devices/**/input/input@{int}/ r, @{sys}/devices/**/uevent r, @{sys}/devices/system/ r, diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index 2800a4124..12c8e2e80 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -12,6 +12,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { include include include + include # Needed for configuring HCI interfaces capability net_admin, @@ -57,7 +58,6 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/hostname r, /dev/uhid rw, - /dev/uinput rw, /dev/rfkill rw, /dev/hidraw@{int} rw, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index abfab75d7..e3fcb1931 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -41,6 +41,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include capability sys_ptrace, @@ -245,7 +246,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/input/ r, - /dev/uinput w, deny /opt/** r, @@ -353,8 +353,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/report_descriptor r, @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/usb@{int}/**/{idVendor,idProduct,interface} r, - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, @{PROC}/version r, diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index 95013d8e0..33957504c 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -11,6 +11,7 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_nice, @@ -24,7 +25,6 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, - /dev/uinput rw, /dev/vport@{int}p@{int} rw, include if exists