feat(profile): modernize some profiles.

2024-03-12 15:48:43 +00:00 · 2024-03-12 15:48:43 +00:00 · 9c859cec9d
commit 9c859cec9d
parent 81b9de3aff
14 changed files with 124 additions and 211 deletions
--- a/apparmor.d/groups/apt/reportbug
+++ b/apparmor.d/groups/apt/reportbug
@ -13,14 +13,11 @@ profile reportbug @{exec_path} {
  include <abstractions/apt-common>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
+  include <abstractions/desktop>
  include <abstractions/enchant>
  include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
  include <abstractions/nameservice-strict>
  include <abstractions/python>
-  include <abstractions/wayland>

  network inet dgram,
  network inet6 dgram,
@ -54,18 +51,17 @@ profile reportbug @{exec_path} {
  @{bin}/lsb_release      rPx -> lsb_release,
  @{bin}/more             rPx -> child-pager,
  @{bin}/pager            rPx -> child-pager,
-  @{bin}/systemctl        rPx -> child-systemctl,
+  @{bin}/systemctl        rCx -> systemctl,
  @{lib}/firefox/firefox rPUx,  # App allowed to open
  /usr/share/bug/*       rPUx,

  @{bin}/gpg{,2}          rCx -> gpg,
  @{bin}/run-parts        rCx -> run-parts,
-  @{bin}/xdg-open         rCx -> open,
+  @{open_path}            rPx -> child-open,

  @{lib}/python3/dist-packages/pylocales/locales.db rk,

  /usr/share/bug/*/{control,presubj} r,
-  /usr/share/X11/xkb/** r,

  /etc/** r,
  /etc/reportbug.conf r,
@ -94,6 +90,7 @@ profile reportbug @{exec_path} {

    @{bin}/run-parts mr,

+    include if exists <local/reportbug_run-parts>
  }

  profile gpg {
@ -107,29 +104,14 @@ profile reportbug @{exec_path} {
    owner /tmp/reportbug-*-{signed,unsigned}-* rw,
    owner @{HOME}/draftbugreports/reportbug-*-{signed,unsigned}-* rw,

+    include if exists <local/reportbug_gpg>
  }

-  profile open {
+  profile systemctl {
    include <abstractions/base>
-    include <abstractions/xdg-open>
-
-    @{bin}/xdg-open mr,
-
-    @{sh_path}             rix,
-    @{bin}/{m,g,}awk       rix,
-    @{bin}/readlink        rix,
-    @{bin}/basename        rix,
-
-    owner @{HOME}/ r,
-
-    owner @{run}/user/@{uid}/ r,
-
-    # Allowed apps to open
-    @{lib}/firefox/firefox rPUx,
-
-    # file_inherit
-    owner @{HOME}/.xsession-errors w,
-
+    include <abstractions/systemctl>
+  
+    include if exists <local/reportbug_systemctl>
  }

  include if exists <local/reportbug>
--- a/apparmor.d/groups/kde/xdm-xsession
+++ b/apparmor.d/groups/kde/xdm-xsession
@ -39,7 +39,7 @@ profile xdm-xsession @{exec_path} {
  @{bin}/flatpak                            rPx,
  @{bin}/pidof                              rPx,
  @{bin}/startplasma-x11                    rPx,
-  @{bin}/systemctl                          rPx -> child-systemctl,
+  @{bin}/systemctl                          rCx -> systemctl,
  @{bin}/xdg-user-dirs-update               rPx,
  @{bin}/xrdb                               rPx,

@ -101,5 +101,12 @@ profile xdm-xsession @{exec_path} {
    include if exists <local/xdm-xsession_dbus>
  }

+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+  
+    include if exists <local/xdm-xsession_systemctl>
+  }
+
  include if exists <local/xdm-xsession>
 }