feat(profile): general update.

Also include some preparation for the systemd profile.
2023-11-19 11:08:35 +00:00 · 2023-11-19 11:08:35 +00:00 · b79a1fcd31
commit b79a1fcd31
parent 3197f52a97
31 changed files with 86 additions and 48 deletions
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@ -101,14 +101,16 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
  @{bin}/appstreamcli                rPx,
  @{bin}/arch-audit                  rPx, # only: arch
  @{bin}/dpkg                        rPx -> child-dpkg, # only: dpkg
+  @{bin}/fc-cache                    rPx
  @{bin}/glib-compile-schemas        rPx,
+  @{bin}/install-info                rPx 
  @{bin}/systemd-inhibit             rPx,
  @{bin}/update-desktop-database     rPx,
  @{lib}/apt/methods/*               rPx, # only: dpkg
  @{lib}/cnf-update-db               rPx,
  @{lib}/update-notifier/update-motd-updates-available  rPx,
  @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile
-  /usr/share/libalpm/scripts/*            rPx,
+  /usr/share/libalpm/scripts/*       rPx,

  # Install/update packages
  / r,
@ -122,6 +124,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {

        /tmp/apt-changelog-@{rand6}/ w,
        /tmp/apt-changelog-@{rand6}/*.changelog rw,
+  owner /tmp/alpm_*/{,**} rw,
  owner /tmp/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw,
  owner /tmp/packagekit* rw,

--- a/apparmor.d/profiles-m-r/rngd
+++ b/apparmor.d/profiles-m-r/rngd
@ -8,13 +8,14 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = @{bin}/rngd
-profile rngd @{exec_path} {
+profile rngd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/devices-usb>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>

  capability dac_read_search,
+  capability net_admin,
  capability sys_admin,
  capability sys_nice,