feat(abs): add the pkexec app abs.

2024-09-20 23:24:15 +01:00 · 2024-09-20 23:24:15 +01:00 · 96defe021c
commit 96defe021c
parent 7a3a1f7725
8 changed files with 85 additions and 36 deletions
--- a/apparmor.d/groups/apt/synaptic
+++ b/apparmor.d/groups/apt/synaptic
@ -48,7 +48,7 @@ profile synaptic @{exec_path} {
  @{bin}/dpkg-preconfigure  rPx,
  @{bin}/localepurge        rPx,
  @{bin}/lsb_release        rPx -> lsb_release,
-  @{bin}/pkexec             rPx,
+  @{bin}/pkexec             rCx -> pkexec,
  @{bin}/ps                 rPx,
  @{bin}/software-properties-gtk rPx,
  @{bin}/tasksel            rPx,
@ -110,6 +110,13 @@ profile synaptic @{exec_path} {
  deny @{bin}/gdbus x,
  deny @{user_share_dirs}/gvfs-metadata/{*,} r,

+  profile pkexec {
+    include <abstractions/base>
+    include <abstractions/app/pkexec>
+
+    include if exists <local/synaptic_pkexec>
+  }
+
  include if exists <local/synaptic>
 }

--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@ -82,8 +82,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {

  profile pkexec {
    include <abstractions/base>
-
-    @{bin}/pkexec mr,
+    include <abstractions/app/pkexec>

    include if exists <local/gnome-system-monitor_pkexec>
  }
--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@ -48,7 +48,7 @@ profile apport-gtk @{exec_path} {
  @{bin}/ldd                    rix,
  @{bin}/lsb_release            rPx -> lsb_release,
  @{bin}/md5sum                 rix,
-  @{bin}/pkexec                 rPx, # TODO: rCx or something
+  @{bin}/pkexec                 rCx -> pkexec,
  @{bin}/systemctl              rCx -> systemctl,
  @{bin}/systemd-detect-virt    rPx,
  @{bin}/uname                  rix,
@ -124,6 +124,13 @@ profile apport-gtk @{exec_path} {
    include if exists <local/apport-gtk_gdb>
  }

+  profile pkexec {
+    include <abstractions/base>
+    include <abstractions/app/pkexec>
+
+    include if exists <local/apport-gtk_pkexec>
+  }
+
  profile systemctl {
    include <abstractions/base>
    include <abstractions/app/systemctl>
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@ -53,7 +53,7 @@ profile update-notifier @{exec_path} {

  @{bin}/dpkg                                    rPx -> child-dpkg,
  @{bin}/lsb_release                             rPx -> lsb_release,
-  @{bin}/pkexec                                  rPx, # TODO: rCx or rix to run /usr/lib/update-notifier/package-system-locked
+  @{bin}/pkexec                                  rCx -> pkexec,
  @{bin}/snap                                   rPUx,
  @{bin}/software-properties-gtk                 rPx,
  @{bin}/systemctl                               rCx -> systemctl,
@ -85,6 +85,15 @@ profile update-notifier @{exec_path} {
        @{PROC}/@{pids}/mountinfo r,
  owner @{PROC}/@{pid}/fd/ r,

+  profile pkexec {
+    include <abstractions/base>
+    include <abstractions/app/pkexec>
+
+    @{lib}/update-notifier/package-system-locked Px,
+
+    include if exists <local/update-notifier_pkexec>
+  }
+
  profile systemctl {
    include <abstractions/base>
    include <abstractions/app/systemctl>