feat(profile): general update.

2024-05-18 22:35:05 +01:00 · 2024-05-18 22:35:05 +01:00 · c785b41451
commit c785b41451
parent 7d1380530a
26 changed files with 56 additions and 31 deletions
--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
@ -56,9 +56,9 @@ profile dbus-session flags=(attach_disconnected) {
  @{sys}/kernel/security/apparmor/.access rw,
  @{sys}/kernel/security/apparmor/features/dbus/mask r,
  @{sys}/module/apparmor/parameters/enabled r,
-
+ 
+        @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/attr/apparmor/current r,
-  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/oom_score_adj r,
  owner @{PROC}/@{pid}/mounts r,
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@ -27,6 +27,13 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {

  @{HOME}/@{XDG_DATA_DIR}/flatpak/db/gnome rw,

+  owner @{desktop_share_dirs}/flatpak/ w,
+  audit owner @{desktop_share_dirs}/flatpak/db/ rw,
+  audit owner @{desktop_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
+  audit owner @{desktop_share_dirs}/flatpak/db/background rw,
+  audit owner @{desktop_share_dirs}/flatpak/db/devices r,
+  audit owner @{desktop_share_dirs}/flatpak/db/notifications rw,
+
  owner @{user_share_dirs}/flatpak/ w,
  owner @{user_share_dirs}/flatpak/db/ rw,
  owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
--- a/apparmor.d/groups/freedesktop/xwayland
+++ b/apparmor.d/groups/freedesktop/xwayland
@ -9,8 +9,8 @@ include <tunables/global>
@{exec_path}  = @{bin}/Xwayland
 profile xwayland @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/nameservice-strict>
  include <abstractions/graphics>
+  include <abstractions/nameservice-strict>
  include <abstractions/X-strict>

  signal (receive) set=(term hup) peer=gdm*,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -235,7 +235,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{gdm_config_dirs}/pulse/cookie rwk,
  owner @{gdm_share_dirs}/applications/{,**} r,
  owner @{gdm_share_dirs}/gnome-shell/{,**} rw,
-  owner @{gdm_share_dirs}/icc/ r,
+  owner @{gdm_share_dirs}/icc/ rw,
  owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw,
  owner @{gdm_share_dirs}/icc/.goutputstream-@{rand6} rw,

@ -260,7 +260,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{user_share_dirs}/gnome-shell/{,**} rw,
  owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
-  owner @{user_share_dirs}/icc/ r,
+  owner @{user_share_dirs}/icc/ rw,
  owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw,
  owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,

@ -273,6 +273,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{user_cache_dirs}/media-art/{,**} r,
  owner @{user_cache_dirs}/vlc/**/*.jpg r,

+        @{run}/gdm{3,}/dbus/dbus-@{rand8} w,
  owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
  owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@ -43,6 +43,11 @@ profile gpg @{exec_path} {
  owner /etc/apt/keyrings/ rw,
  owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**,

+  #aa:only pacman
+  owner /etc/pacman.d/gnupg/gpg.conf r,
+  owner /etc/pacman.d/gnupg/pubring.gpg r,
+  owner /etc/pacman.d/gnupg/trustdb.gpg r,
+
  owner /var/lib/*/gnupg/ rw,
  owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**,

--- a/apparmor.d/groups/kde/baloo
+++ b/apparmor.d/groups/kde/baloo
@ -25,6 +25,7 @@ profile baloo @{exec_path} {
  @{lib}/{,kf6/}baloo_file_extractor rix,

  /usr/share/poppler/{,**} r,
+  /usr/share/desktop-base/kf5-settings/baloofilerc r,

  /etc/fstab r,
  /etc/machine-id r,
--- a/apparmor.d/groups/kde/drkonqi-coredump-cleanup
+++ b/apparmor.d/groups/kde/drkonqi-coredump-cleanup
@ -14,7 +14,7 @@ profile drkonqi-coredump-cleanup @{exec_path} {
  @{exec_path} mr,

        @{user_cache_dirs}/kcrash-metadata/ r,
-  owner @{user_cache_dirs}/kcrash-metadata/plasmashell.*.ini w,
+  owner @{user_cache_dirs}/kcrash-metadata/plasmashell.@{hex32}.@{int4}.ini w,

  include if exists <local/drkonqi-coredump-cleanup>
 }
--- a/apparmor.d/groups/kde/gmenudbusmenuproxy
+++ b/apparmor.d/groups/kde/gmenudbusmenuproxy
@ -18,6 +18,7 @@ profile gmenudbusmenuproxy @{exec_path} {
  @{exec_path} mr,

  /etc/machine-id r,
+  /var/lib/dbus/machine-id r,

  owner @{HOME}/.gtkrc-2.0 rw,
  owner @{user_config_dirs}/gtk-{2,3}.0/#@{int} rw,
--- a/apparmor.d/groups/kde/kde-systemd-start-condition
+++ b/apparmor.d/groups/kde/kde-systemd-start-condition
@ -16,6 +16,7 @@ profile kde-systemd-start-condition @{exec_path} {
  /usr/share/desktop-base/kf{5,6}-settings/baloofilerc r,

  owner @{user_config_dirs}/baloofilerc r,
+  owner @{user_config_dirs}/konquerorrc r,
  owner @{user_config_dirs}/plasma-welcomerc r,

  include if exists <local/kde-systemd-start-condition>
--- a/apparmor.d/groups/kde/kwin_wayland
+++ b/apparmor.d/groups/kde/kwin_wayland
@ -32,6 +32,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
  #aa:exec kscreenlocker_greet

  /usr/share/color-schemes/*.colors r,
+  /usr/share/desktop-base/kf5-settings/{,**} r,
  /usr/share/desktop-directories/*.directory r,
  /usr/share/kglobalaccel/{,**} r,
  /usr/share/knotifications{5,6}/ksmserver.notifyrc r,
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@ -168,7 +168,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {

        /tmp/sddm-* rw,
        /tmp/xauth_@{rand6} rwl -> /tmp/#@{int},
-  owner @{tmp}/*/{,s} rw,
+  owner @{tmp}/.@{rand6}/{,s} rw,
  owner @{tmp}/#@{int} rw,
  owner @{tmp}/sddm-auth* rw,

@ -209,15 +209,15 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {

    @{bin}/xauth mr,

-    owner @{HOME}/.Xauthority-c  w,
-    owner @{HOME}/.Xauthority-l  wl -> @{HOME}/.Xauthority-c,
+    owner @{HOME}/.Xauthority-c rw,
+    owner @{HOME}/.Xauthority-l rwl -> @{HOME}/.Xauthority-c,
    owner @{HOME}/.Xauthority-n rw,
    owner @{HOME}/.Xauthority   rwl -> @{HOME}/.Xauthority-n,

    owner @{user_share_dirs}/sddm/xorg-session.log w,

-    owner @{run}/sddm/\{@{uuid}\}-c  w,
-    owner @{run}/sddm/\{@{uuid}\}-l  wl -> @{run}/sddm/\{@{uuid}\}-c,
+    owner @{run}/sddm/\{@{uuid}\}-c rw,
+    owner @{run}/sddm/\{@{uuid}\}-l rwl -> @{run}/sddm/\{@{uuid}\}-c,
    owner @{run}/sddm/\{@{uuid}\}-n rw,
    owner @{run}/sddm/\{@{uuid}\}   rwl -> @{run}/sddm/\{@{uuid}\}-n,

--- a/apparmor.d/groups/kde/wayland-session
+++ b/apparmor.d/groups/kde/wayland-session
@ -24,5 +24,7 @@ profile wayland-session @{exec_path} {

  owner @{user_share_dirs}/sddm/wayland-session.log rw,

+  /dev/tty rw,
+
  include if exists <local/wayland-session>
 }
--- a/apparmor.d/groups/virt/cni-calico
+++ b/apparmor.d/groups/virt/cni-calico
@ -30,8 +30,7 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
  
  /var/lib/calico/{,**} r,
  /var/log/calico/cni/ r,
-  /var/log/calico/cni/cni.log rw,
-  /var/log/calico/cni/cni-@{date}T@{time}.@{int}.log rw,
+  /var/log/calico/cni/*.log rw,
  
  /usr/share/mime/globs2 r,