feat(profile): general update.

apparmor.d/profiles-a-f/cups-notifier-dbus

@@ -10,6 +10,7 @@ include <tunables/global>
 profile cups-notifier-dbus @{exec_path} {
   include <abstractions/base>
   include <abstractions/bus-session>
+  include <abstractions/nameservice-strict>
 
   signal (receive) set=(term) peer=cupsd,
 

apparmor.d/profiles-a-f/dkms

@@ -20,7 +20,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
   capability setgid,
   capability setuid,
 
-  unix (receive) type=stream,
+  deny unix (receive) type=stream,
 
   @{exec_path} rm,
 
@@ -56,7 +56,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
   @{bin}/{,g,m}awk  rix,
   @{bin}/update-secureboot-policy rPUx,
 
-  @{lib}/gcc/@{multiarch}/@{int}*/*             rix,
+  @{lib}/gcc/@{multiarch}/@{int}*/*            rix,
   @{lib}/linux-kbuild-*/scripts/**             rix,
   @{lib}/linux-kbuild-*/tools/objtool/objtool  rix,
   @{lib}/llvm-[0-9]*/bin/clang                 rix,
@@ -81,28 +81,28 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
   /etc/dkms/{,**} r,
 
   # For building module in /usr/src/ subdirs
+  /usr/include/**.h r,
   /usr/src/ r,
   /usr/src/** rw,
-  /usr/src/linux-headers-*/scripts/gcc-plugins/*.so mr,
   /usr/src/linux-headers-*/scripts/**              rix,
+  /usr/src/linux-headers-*/scripts/gcc-plugins/*.so mr,
   /usr/src/linux-headers-*/tools/**                rix,
-  /usr/include/**.h r,
 
   # For autosign modules
-  owner /etc/kernel_key/sign-kernel.sh rix,
-  owner /etc/kernel_key/*.key r,
   owner /etc/kernel_key/*.crt r,
+  owner /etc/kernel_key/*.key r,
+  owner /etc/kernel_key/sign-kernel.sh rix,
 
   owner @{HOME}/ r,
 
+  owner /tmp/* rw,
   owner /tmp/cc* rw,
   owner /tmp/dkms.*/ rw,
-  owner /tmp/tmp.* rw,
   owner /tmp/sh-thd.* rw,
-  owner /tmp/* rw,
+  owner /tmp/tmp.* rw,
 
-  owner @{PROC}/@{pid}/fd/ r,
         @{PROC}/sys/kernel/osrelease r,
+  owner @{PROC}/@{pid}/fd/ r,
 
   # Inherit silencer
   deny /apparmor/.null rw,
@@ -125,7 +125,6 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 
     owner /tmp/tmp.* r,
 
-    # Inherit silencer
     deny /apparmor/.null rw,
 
     include if exists <local/dkms_kmod>

apparmor.d/profiles-a-f/fzsftp

@@ -1,42 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2021 Mikhail Morfikov
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/fzsftp
-profile fzsftp @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/consoles>
-  include <abstractions/nameservice>
-
-  signal (receive) set=(term, kill) peer=filezilla,
-
-  # Needed?
-  deny ptrace (trace),
-
-  @{exec_path} mr,
-
-  @{bin}/{,ba,da}sh mrix,
-  @{bin}/ps          rix,
-  @{bin}/ls          rix,
-
-       @{PROC}/ r,
-       @{PROC}/uptime r,
-       @{PROC}/sys/kernel/osrelease r,
-       @{PROC}/sys/kernel/pid_max r,
-       @{PROC}/tty/drivers r,
-  deny @{PROC}/@{pids}/stat r,
-  deny @{PROC}/@{pids}/cmdline r,
-
-  /tmp/ r,
-
-  owner @{HOME}/.putty/randomseed rw,
-
-  # file_inherit
-  #deny @{user_cache_dirs}/filezilla/** rw,
-
-  include if exists <local/fzsftp>
-}