Update profiles.

2022-02-08 18:16:45 +00:00 · 2022-02-08 18:16:45 +00:00 · 9ecc1aa240
commit 9ecc1aa240
parent 7274f98fa6
10 changed files with 33 additions and 14 deletions
--- a/apparmor.d/groups/bus/ibus-portal
+++ b/apparmor.d/groups/bus/ibus-portal
@ -20,8 +20,10 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
  /usr/share/locale/locale.alias r,

  /var/lib/dbus/machine-id r,
-  /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
-  owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
+  /var/lib/gdm/.config/ibus/bus/ r,
+  /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
+  owner @{user_config_dirs}/ibus/bus/ r,
+  owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,

  owner /dev/tty[0-9]* rw,
  /dev/null rw,
--- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer
+++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
@ -17,6 +17,7 @@ profile gnome-control-center-print-renderer @{exec_path} {

  @{exec_path} mr,

+  /usr/share/egl/{,**} r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/glvnd/egl_vendor.d/{,*.json} r,
  /usr/share/icons/{,**} r,
@ -25,6 +26,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
  /usr/share/X11/xkb/** r,

  owner @{user_cache_dirs}/mesa_shader_cache/index rw,
+  owner @{user_share_dirs}/icons/{,**} r,

  owner @{run}/user/@{uid}/gdm/Xauthority r,

--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -27,7 +27,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  # Full access to user's data
  / r,
  owner @{HOME}/{,**} rw,
-  owner @{MOUNTS}/*/{,**} rw,
+  owner @{MOUNTS}/{,**} r,
  owner @{run}/user/@{uid}/{,**} rw,
  owner /tmp/{,**} rw,

--- a/apparmor.d/groups/systemd/systemd-makefs
+++ b/apparmor.d/groups/systemd/systemd-makefs
@ -10,9 +10,17 @@ include <tunables/global>
 profile systemd-makefs @{exec_path} {
  include <abstractions/base>

+  capability net_admin,
+  capability sys_resource,
+
  @{exec_path} mr,

  /{usr/,}{s,}bin/mkswap     rPx,

+  @{sys}/devices/virtual/block/zram[0-9]*/ r,
+  @{sys}/devices/virtual/block/zram[0-9]*/** r,
+
+  /dev/zram[0-9]* rwk,
+
  include if exists <local/systemd-makefs>
 }
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -15,17 +15,17 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
  include <abstractions/consoles>
  include <abstractions/systemd-common>

-  # (##FIXME##)
-  capability sys_admin,
-  capability net_admin,
-  capability dac_read_search,
+  capability chown,
  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability fsetid,
+  capability mknod,
+  capability net_admin,
+  capability sys_admin,
+  capability sys_module,
  capability sys_ptrace,
  capability sys_resource,
-  capability chown,
-  capability fsetid,
-  capability sys_module,
-  capability mknod,

  ptrace (read),