Tunables polishing (#281)

* adjust xorg display number * remove wildcard from python version * python wildcard #2 * unconventional tails * Delete apparmor.d/groups/apps/android-studio --------- Co-authored-by: nobody43 <nobody43@users.noreply.github.com>
2024-01-25 12:44:47 +00:00 · 2024-01-25 12:44:47 +00:00 · b376e9fade
commit b376e9fade
parent 765fa1bdb8
69 changed files with 88 additions and 88 deletions
--- a/apparmor.d/profiles-m-r/mpsyt
+++ b/apparmor.d/profiles-m-r/mpsyt
@ -24,7 +24,7 @@ profile mpsyt @{exec_path} {
  network netlink raw,

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/ r,
  @{bin}/ldconfig  rix,
--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@ -28,7 +28,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
  @{bin}/dpkg-query                        rpx,
  @{bin}/fail2ban-server                   rPx,
  @{bin}/locale                            rix,
-  @{bin}/python3.[0-9]*                    rix,
+  @{bin}/python3.@{int}                    rix,
  @{bin}/sed                               rix,
  @{bin}/stty                              rix,
  @{bin}/systemctl                         rPx -> child-systemctl,
--- a/apparmor.d/profiles-m-r/obamenu
+++ b/apparmor.d/profiles-m-r/obamenu
@ -12,7 +12,7 @@ profile obamenu @{exec_path} {
  include <abstractions/python>

  @{exec_path} r,
-  @{bin}/python3.[0-9]* rix,
+  @{bin}/python3.@{int} rix,

  @{bin}/ r,

--- a/apparmor.d/profiles-m-r/pass-import
+++ b/apparmor.d/profiles-m-r/pass-import
@ -25,10 +25,10 @@ profile pass-import @{exec_path} {
  @{bin}/ld               rix,
  @{bin}/ldconfig         rix,
  @{bin}/pass             rPx,
-  @{bin}/python3.[0-9]*   rix,
+  @{bin}/python3.@{int}   rix,
  @{lib}/gcc/**/collect2  rix,

-  @{lib}/python{2.[4-7],3,3.[0-9]*}/** w, # TODO: Test deny
+  @{lib}/python{2.[4-7],3,3.@{int}}/** w, # TODO: Test deny

  /usr/share/file/misc/magic.mgc r,

@ -39,4 +39,4 @@ profile pass-import @{exec_path} {
  @{PROC}/@{pids}/fd/ r,

  include if exists <local/pass-import>
-}
+}
--- a/apparmor.d/profiles-m-r/ps-mem
+++ b/apparmor.d/profiles-m-r/ps-mem
@ -16,7 +16,7 @@ profile ps-mem @{exec_path} {
  ptrace (read),

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/ r,

--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
@ -79,7 +79,7 @@ profile qbittorrent @{exec_path} {
  @{exec_path} mr,

  @{open_path}           rPx -> child-open,
-  @{bin}/python3.[0-9]*  rCx -> python, # For "search engine"
+  @{bin}/python3.@{int}  rCx -> python, # For "search engine"

  # Allowed apps to open
  @{bin}/spacefm         rPx,
@ -147,13 +147,13 @@ profile qbittorrent @{exec_path} {
    network inet6 stream,
    network netlink raw,

-    @{bin}/python3.[0-9]* r,
+    @{bin}/python3.@{int} r,

    owner @{user_share_dirs}/{,data/}qBittorrent/nova[0-9]/{,**} rw,

    owner @{user_torrents_dirs}/** r,

-    owner /dev/shm/sem.mp-* rwl -> /dev/shm/@{int},
+    owner /dev/shm/sem.mp-???????? rwl -> /dev/shm/@{int},  # unconventional '_' tail
    owner /dev/shm/* rw,

    owner /tmp/@{int} rw,
--- a/apparmor.d/profiles-m-r/repo
+++ b/apparmor.d/profiles-m-r/repo
@ -23,7 +23,7 @@ profile repo @{exec_path} {
  network netlink raw,

  @{exec_path} r,
-  @{bin}/python3.[0-9]* rix,
+  @{bin}/python3.@{int} rix,

  @{bin}/               r,
  @{bin}/env            rix,
@ -57,7 +57,7 @@ profile repo @{exec_path} {
  owner @{PROC}/@{pid}/mounts r,

  owner /dev/shm/* rw,
-  owner /dev/shm/sem.mp* rwl -> /dev/shm/*,
+  owner /dev/shm/sem.mp-???????? rwl -> /dev/shm/*,  # unconventional '_' tail

  # Silencer
  deny /etc/.repo_gitconfig.json w,
--- a/apparmor.d/profiles-m-r/rustdesk
+++ b/apparmor.d/profiles-m-r/rustdesk
@ -37,7 +37,7 @@ profile rustdesk @{exec_path} {
  @{bin}/curl     rix,
  @{bin}/ls       rix,

-  @{bin}/python3.[0-9]* rPx -> rustdesk_python,
+  @{bin}/python3.@{int} rPx -> rustdesk_python,
  @{bin}/{,ba,da}sh     rPx -> rustdesk_shell,

  /etc/gdm{,3}/custom.conf r,
@ -141,7 +141,7 @@ profile rustdesk @{exec_path} {
    owner @{PROC}/@{pid}/fd/ r,

    /{,usr/}{,local/}bin/rustdesk rPx,
-    @{bin}/python3.[0-9]*    rPx -> rustdesk_python,
+    @{bin}/python3.@{int}    rPx -> rustdesk_python,

    include if exists <local/rustdesk_sudo>
  }
@ -165,14 +165,14 @@ profile rustdesk_python {
  capability dac_read_search,
  capability dac_override,

-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/{,ba,da}sh rix,
  @{bin}/chmod rix,
  @{bin}/uname rPx,
  /usr/share/rustdesk/files/pynput_service.py rPx,

-  /usr/local/lib/python3.[0-9]*/dist-packages/pynput/{,**} r,
+  /usr/local/lib/python3.@{int}/dist-packages/pynput/{,**} r,
  /usr/share/[rR]ust[dD]esk/files/{,**} r,
  /tmp/[rR]ust[dD]esk/ w,
  /tmp/[rR]ust[dD]esk/pynput_service rw,