Profiles update.

2021-10-07 14:50:46 +01:00 · 2021-10-07 14:50:46 +01:00 · 9c8c2144b8
commit 9c8c2144b8
parent f7a08b666d
26 changed files with 186 additions and 136 deletions
--- a/apparmor.d/profiles-m-r/man
+++ b/apparmor.d/profiles-m-r/man
@ -37,58 +37,70 @@ profile man @{exec_path} {
  /{usr/,}bin/tr         rCx -> man_filter,
  /{usr/,}bin/xz         rCx -> man_filter,

-  profile man_groff {
-    include <abstractions/base>
-    include <abstractions/consoles>
+  /{usr/,}bin/pager      rPx -> child-pager,
+  /{usr/,}bin/less       rPx -> child-pager,
+  /{usr/,}bin/more       rPx -> child-pager,

-    signal peer=man,
+  /usr/**/man/** r,
+  /var/**/man/** r,
+  /var/cache/man/index.db rk,

-    /{usr/,}bin/eqn      rm,
-    /{usr/,}bin/grap     rm,
-    /{usr/,}bin/pic      rm,
-    /{usr/,}bin/preconv  rm,
-    /{usr/,}bin/refer    rm,
-    /{usr/,}bin/tbl      rm,
-    /{usr/,}bin/troff    rm,
-    /{usr/,}bin/vgrind   rm,
+  /etc/man_db.conf r,

-    /{usr/,}lib/groff/site-tmac/** r,
-    /usr/share/groff/** r,
-
-    /etc/groff/** r,
-    /etc/papersize r,
-  
-    /tmp/groff* rw,
-    owner /tmp/* rw,
-  }
-
-  profile man_filter {
-    include <abstractions/base>
-    include <abstractions/consoles>
-
-    signal peer=man,
-
-    /{usr/,}bin/bzip2      rm,
-    /{usr/,}bin/gzip       rm,
-    /{usr/,}bin/col        rm,
-    /{usr/,}bin/compress   rm,
-    /{usr/,}bin/iconv      rm,
-    /{usr/,}bin/lzip.lzip  rm,
-    /{usr/,}bin/tr         rm,
-    /{usr/,}bin/xz         rm,
-
-    # Manual pages can be more or less anywhere, especially with "man -l", and
-    # there's no harm in allowing wide read access here since the worst it can
-    # do is feed data to the invoking man process.
-          /usr/** r,
-    owner @{HOME}/@{XDG_DATA_HOME}/** r,
-    owner @{HOME}/@{XDG_PROJECTS_DIR}/** r,
-    owner @{user_cache_dirs}/** r,
-    owner @{MOUNTS}/*/@{XDG_DATA_HOME}/** r,
-    owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/** r,
-
-    /var/cache/man/** w,
-  }
+  /dev/tty r,

  include if exists <local/man>
 }
+
+profile man_groff {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  signal peer=man,
+
+  /{usr/,}bin/eqn      rm,
+  /{usr/,}bin/grap     rm,
+  /{usr/,}bin/pic      rm,
+  /{usr/,}bin/preconv  rm,
+  /{usr/,}bin/refer    rm,
+  /{usr/,}bin/tbl      rm,
+  /{usr/,}bin/troff    rm,
+  /{usr/,}bin/vgrind   rm,
+
+  /{usr/,}lib/groff/site-tmac/** r,
+  /usr/share/groff/** r,
+
+  /etc/groff/** r,
+  /etc/papersize r,
+
+  /tmp/groff* rw,
+  owner /tmp/* rw,
+}
+
+profile man_filter {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  signal peer=man,
+
+  /{usr/,}bin/bzip2      rm,
+  /{usr/,}bin/gzip       rm,
+  /{usr/,}bin/col        rm,
+  /{usr/,}bin/compress   rm,
+  /{usr/,}bin/iconv      rm,
+  /{usr/,}bin/lzip.lzip  rm,
+  /{usr/,}bin/tr         rm,
+  /{usr/,}bin/xz         rm,
+
+  # Manual pages can be more or less anywhere, especially with "man -l", and
+  # there's no harm in allowing wide read access here since the worst it can
+  # do is feed data to the invoking man process.
+        /usr/** r,
+  owner @{HOME}/@{XDG_DATA_HOME}/** r,
+  owner @{HOME}/@{XDG_PROJECTS_DIR}/** r,
+  owner @{user_cache_dirs}/** r,
+  owner @{MOUNTS}/*/@{XDG_DATA_HOME}/** r,
+  owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/** r,
+
+  /var/cache/man/** w,
+}
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@ -49,7 +49,7 @@ profile pass @{exec_path} {

  # Pass extensions
  /{usr/,}bin/oathtool       rix,   # pass-otp
-  /{usr/,}bin/python3.[0-9]* rPx -> pass-extension-python,  # pass-import, pass-audit
+  /{usr/,}bin/python3.[0-9]* rPx -> pass-import,  # pass-import
  /{usr/,}bin/qrencode       rPUx,  # pass-otp
  /{usr/,}bin/tomb           rPUx,  # pass-tomb

--- a/apparmor.d/profiles-m-r/pipewire
+++ b/apparmor.d/profiles-m-r/pipewire
@ -12,9 +12,6 @@ profile pipewire @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

-  ptrace (read) peer=pipewire-media-session,
-  ptrace (read) peer=pipewire-pulse,
-
  # Needed for all sound/music apps.
  ptrace (read),

--- a/apparmor.d/profiles-m-r/pipewire-pulse
+++ b/apparmor.d/profiles-m-r/pipewire-pulse
@ -12,9 +12,6 @@ profile pipewire-pulse @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

-  ptrace (read) peer=pipewire,
-  ptrace (read) peer=pipewire-media-session,
-
  # Needed for all sound/music apps.
  ptrace (read),