feat(profiles): general update.

2022-11-03 21:40:01 +00:00 · 2022-11-03 21:40:01 +00:00 · a90cdbe879
commit a90cdbe879
parent fabddee9d6
23 changed files with 97 additions and 35 deletions
--- a/apparmor.d/profiles-m-r/nvtop
+++ b/apparmor.d/profiles-m-r/nvtop
@ -7,12 +7,13 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = /{usr/,}bin/nvtop
-profile nvtop @{exec_path} {
+profile nvtop @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/dri-enumerate>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl-nvidia>
+  include <abstractions/vulkan>

  capability sys_ptrace,

@ -22,7 +23,23 @@ profile nvtop @{exec_path} {

  /usr/share/terminfo/x/xterm-256color r,

+  @{run}/systemd/inhibit/*.ref r,
+  @{run}/udev/data/+drm:* r,
+  @{run}/udev/data/c226:[0-9]* r,
+  @{run}/udev/data/c236:[0-9]* r,
+
+  @{sys}/bus/ r,
+  @{sys}/class/ r,
+  @{sys}/class/drm/ r,
+  @{sys}/devices/pci[0-9]*/**/enable r,
+  @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_cur_freq_mhz r,
+
+  @{PROC}/ r,
+  @{PROC}/@{pids}/ r,
  @{PROC}/@{pids}/cmdline r,
+  @{PROC}/@{pids}/fd/ r,
+  @{PROC}/@{pids}/fdinfo/ r,
+  @{PROC}/@{pids}/fdinfo/[0-9]* r,
  @{PROC}/@{pids}/stat r,
  @{PROC}/driver/nvidia/capabilities/mig/{config,monitor}  r,

--- a/apparmor.d/profiles-m-r/os-prober
+++ b/apparmor.d/profiles-m-r/os-prober
@ -7,15 +7,20 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = /{usr/,}bin/os-prober
-profile os-prober @{exec_path} {
+profile os-prober @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/consoles>

-  @{exec_path} mr,
+  capability sys_admin,

+  @{exec_path} mrix,
+
+  /{usr/,}{s,}bin/blkid         rPx,
  /{usr/,}bin/{,ba,da}sh        rix,
  /{usr/,}bin/{e,f,}grep        rix,
  /{usr/,}bin/cut               rix,
  /{usr/,}bin/head              rix,
+  /{usr/,}bin/kmod              rPx,
  /{usr/,}bin/logger            rix,
  /{usr/,}bin/lsblk             rPx,
  /{usr/,}bin/mktemp            rix,
@ -30,5 +35,8 @@ profile os-prober @{exec_path} {

  owner /tmp/os-prober.*/{,**} rw,

+  @{sys}/block/ r,
+  @{sys}/devices/pci[0-9]*/**/block/*/ r,
+
  include if exists <local/os-prober>
 }
--- a/apparmor.d/profiles-m-r/pactl
+++ b/apparmor.d/profiles-m-r/pactl
@ -20,6 +20,8 @@ profile pactl @{exec_path} {
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

+  /var/lib/gdm/.config/pulse/cookie rk,
+
  owner @{HOME}/.Xauthority r,

  owner @{user_config_dirs}/pulse/ rw,