Profiles update.

2021-10-22 15:01:43 +01:00 · 2021-10-22 15:01:43 +01:00 · aac0a93080
commit aac0a93080
parent b91ddfa493
34 changed files with 136 additions and 144 deletions
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -48,6 +48,7 @@ profile pacman @{exec_path} {
  /{usr/,}bin/cat                         rix,
  /{usr/,}bin/dot                         rix,
  /{usr/,}bin/env                         rix,
+  /{usr/,}bin/ghc-pkg-*                   rix,
  /{usr/,}bin/rm                          rix,
  /{usr/,}bin/setcap                      rix,
  /{usr/,}bin/vercmp                      rix,
@ -81,8 +82,8 @@ profile pacman @{exec_path} {
  /etc/{,**} rwl,
  /opt/{,**} rwl,
  /srv/{,**} rwl,
-  /usr/{,**} rwl,
-  /var/{,**} rwl,
+  /usr/{,**} rwlk,
+  /var/{,**} rwlk,

  /bin/ rwl,
  /home/ rw,
--- a/apparmor.d/groups/pacman/pacman-hook-fontconfig
+++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig
@ -10,6 +10,8 @@ include <tunables/global>
 profile pacman-hook-fontconfig @{exec_path} {
  include <abstractions/base>

+  capability dac_read_search,
+
  @{exec_path} mr,

  /{usr/,}bin/bash  rix,
@ -19,5 +21,9 @@ profile pacman-hook-fontconfig @{exec_path} {
  /etc/fonts/conf.d/* rwl,
  /usr/share/fontconfig/conf.default/* r,

+  # Inherit Silencer
+  deny network inet6 stream,
+  deny network inet stream,
+
  include if exists <local/pacman-hook-fontconfig>
 }