From af50944fb5fc933301936420c015f85e3fd79b5f Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 1 Oct 2024 20:17:13 +0100
Subject: [PATCH] feat(profile): general update.

---
 apparmor.d/groups/gnome/nautilus | 9 ++++++---
 apparmor.d/groups/gpg/gpg-connect-agent | 4 ++--
 apparmor.d/groups/gvfs/gvfsd-fuse | 2 ++
 apparmor.d/groups/pacman/pacman-hook-mkinitcpio | 5 +++--
 apparmor.d/groups/ubuntu/apport-gtk | 10 +++++-----
 apparmor.d/profiles-a-f/dkms | 1 +
 apparmor.d/profiles-a-f/element-desktop | 2 +-
 apparmor.d/profiles-a-f/freetube | 2 +-
 apparmor.d/profiles-g-l/kernel-install | 1 +
 apparmor.d/profiles-s-z/speech-dispatcher | 1 +
 10 files changed, 23 insertions(+), 14 deletions(-)

diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index 5704fa866..d7736d7a8 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -80,9 +80,12 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   @{MOUNTDIRS}/ r,
   @{MOUNTS}/ r,
   @{MOUNTS}/** rw,
-  owner @{HOME}/{,**} rw,
-  owner @{run}/user/@{uid}/{,**} rw,
-  owner @{tmp}/{,**} rw,
+  owner @{HOME}/ r,
+  owner @{HOME}/** rw,
+  owner @{run}/user/@{uid}/ r,
+  owner @{run}/user/@{uid}/** rw,
+  owner @{tmp}/ r,
+  owner @{tmp}/** rw,
   # Silence non user's data
   deny /boot/{,**} r,
diff --git a/apparmor.d/groups/gpg/gpg-connect-agent b/apparmor.d/groups/gpg/gpg-connect-agent
index 1e257cfc0..9bf2bf897 100644
--- a/apparmor.d/groups/gpg/gpg-connect-agent
+++ b/apparmor.d/groups/gpg/gpg-connect-agent
@@ -18,8 +18,6 @@ profile gpg-connect-agent @{exec_path} {
   /etc/inputrc r,
-  owner @{PROC}/@{pid}/fd/ r,
-
   owner @{run}/user/@{uid}/gnupg/ w,
   owner @{run}/user/@{uid}/gnupg/d.*/ rw,
@@ -27,6 +25,8 @@ profile gpg-connect-agent @{exec_path} {
   owner @{tmp}/tmp.*/.#lk0x@{hex}.*.@{pid}x rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid},
   owner @{tmp}/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid},
+  owner @{PROC}/@{pid}/fd/ r,
+
   include if exists
 }
diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse
index 9cd6b77ca..b49ad1d90 100644
--- a/apparmor.d/groups/gvfs/gvfsd-fuse
+++ b/apparmor.d/groups/gvfs/gvfsd-fuse
@@ -14,6 +14,8 @@ profile gvfsd-fuse @{exec_path} {
   include
   include
+  capability sys_admin,
+  mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/,
   unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount),
diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
index a182b23ca..178cee539 100644
--- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
+++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
@@ -37,9 +37,10 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
   / r,
   /boot/ r,
-  /boot/vmlinuz-* rw,
-  /boot/initramfs-*.img rw,
+  /boot/efi/boot/boot*.efi rw,
   /boot/initramfs-*-fallback.img rw,
+  /boot/initramfs-*.img rw,
+  /boot/vmlinuz-* rw,
   /dev/tty rw,
   owner /dev/pts/@{int} rw,
diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk
index dddb1f890..f8d2c9973 100644
--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@@ -79,12 +79,12 @@ profile apport-gtk @{exec_path} {
   /var/crash/ rw,
   owner /var/crash/*.@{uid}.{crash,upload} rw,
-  @{run}/snapd.socket rw,
+  @{run}/snapd.socket rw,
-  /tmp/[a-z0-9]* rw,
-  /tmp/apport_core_* rw,
-  /tmp/launchpadlib.cache.[a-z0-9]*/ rw,
-  /tmp/tmp[a-z0-9]*/{,**} rw,
+  owner @{tmp}/@{rand8} rw,
+  owner @{tmp}/apport_core_@{rand8} rw,
+  owner @{tmp}/launchpadlib.cache.@{rand8}/ rw,
+  owner @{tmp}/tmp@{rand8}/{,**} rw,
   @{PROC}/ r,
   @{PROC}/@{pids}/cmdline r,
diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms
index 4ebe8e464..bfd287741 100644
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
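Review bot: `capability sys_admin,` in the gvfsd-fuse hunk grants every CAP_SYS_ADMIN-gated operation, not only the mount(2) that the `mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/,` rule on the next line scopes. The unix rule that follows shows a `gvfsd-fuse//fusermount` child profile, which suggests the mount is normally performed by the setuid fusermount helper; if that is the case, the capability is either ineffective in the parent (an unprivileged gvfsd-fuse holds no CAP_SYS_ADMIN) or belongs in the child profile, and if gvfsd-fuse really does call mount(2) itself now, that deserves a comment. Suggested comment above the two lines: `# gvfsd-fuse mounts the user fuse filesystem itself when fusermount is not used — confirm from the denial that motivated this`. The same question of placement applies to the mount rule.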
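Review bot: `/boot/efi/boot/boot*.efi rw,` in the pacman-hook-mkinitcpio hunk is a write grant on the removable-media fallback loader path, which is a different kind of target from the kernel and initramfs images the other rules cover, and the commit message ("general update") does not say which mkinitcpio feature writes there. A one-line comment such as `# UKI output written to the EFI system partition — confirm preset that needs this` would keep the reason with the rule. Also note that EFI system partitions are usually vfat, so the case of the path the process actually uses may differ from `boot/boot*.efi`; worth confirming that the rule matches the denial it was written against rather than a case variant.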
@@ -27,6 +27,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
   @{sh_path} rix,
   @{coreutils_path} rix,
   @{bin}/as rix,
+  @{bin}/bc rix,
   @{bin}/gcc rix,
   @{bin}/getconf rix,
   @{bin}/kmod rCx -> kmod,
diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop
index e7d46f1f5..a792b7341 100644
--- a/apparmor.d/profiles-a-f/element-desktop
+++ b/apparmor.d/profiles-a-f/element-desktop
@@ -12,7 +12,7 @@ include
 @{cache_dirs} = @{user_cache_dirs}/@{name}
 @{exec_path} = @{bin}/element-desktop
-profile element-desktop @{exec_path} {
+profile element-desktop @{exec_path} flags=(attach_disconnected) {
   include
   include
   include
diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube
index 7d9a5f59e..a400bf9d9 100644
--- a/apparmor.d/profiles-a-f/freetube
+++ b/apparmor.d/profiles-a-f/freetube
@@ -13,7 +13,7 @@ include
 @{cache_dirs} = @{user_cache_dirs}/@{name}
 @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name}
-profile freetube @{exec_path} {
+profile freetube @{exec_path} flags=(attach_disconnected) {
   include
   include
   include
diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install
index 808528ce7..69096fe45 100644
--- a/apparmor.d/profiles-g-l/kernel-install
+++ b/apparmor.d/profiles-g-l/kernel-install
@@ -25,6 +25,7 @@ profile kernel-install @{exec_path} {
   @{bin}/chmod rix,
   @{bin}/basename rix,
+  @{pager_path} rPx -> child-pager,
   @{bin}/kmod rCx -> kmod,
   @{lib}/kernel/install.d/ r,
diff --git a/apparmor.d/profiles-s-z/speech-dispatcher b/apparmor.d/profiles-s-z/speech-dispatcher
index 7a597ed5d..e2c00e2af 100644
--- a/apparmor.d/profiles-s-z/speech-dispatcher
+++ b/apparmor.d/profiles-s-z/speech-dispatcher
@@ -10,6 +10,7 @@ include
 profile speech-dispatcher @{exec_path} {
   include
   include
+  include
   include
   include
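Review bot: `flags=(attach_disconnected)` on the element-desktop profile header (and the identical change to freetube in the next file) changes how every path rule in the profile is matched: objects whose path is disconnected from the namespace root are attached to `/` and then evaluated against the ordinary rules, so a broad rule elsewhere in the profile also starts covering those disconnected objects. The flag is an escape hatch rather than a default, and nothing in the hunk or the commit message records which denial made it necessary; presumably it is the Electron/Chromium sandbox's private mount namespace, but that is an inference. A comment next to the header, e.g. `# attach_disconnected: needed for the electron sandbox mount namespace — confirm against the logged denial`, would let a later reviewer judge whether it can be dropped again. The profile body continues outside the hunk.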