feat(profile): general update

2023-09-29 19:25:30 +01:00 · 2023-09-29 19:25:30 +01:00 · c8ee832c11
commit c8ee832c11
parent 6f2ae26749
23 changed files with 66 additions and 35 deletions
--- a/apparmor.d/groups/apps/dropbox
+++ b/apparmor.d/groups/apps/dropbox
@ -108,7 +108,7 @@ profile dropbox @{exec_path} {
  owner /tmp/dropbox-antifreeze-* rw,
  owner /tmp/[a-zA-z0-9]* rw,
  owner /tmp/#@{int} rw,
-  owner /var/tmp/etilqs_* rw,
+  owner /var/tmp/etilqs_@{hex} rw,

  @{run}/systemd/users/@{uid} r,

--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@ -67,6 +67,7 @@ profile child-open {
  @{bin}/discord{,-ptb}    rPx,
  @{bin}/draw.io          rPUx,
  @{bin}/dropbox           rPx,
+  @{bin}/element-desktop   rPx,
  @{bin}/engrampa          rPx,
  @{bin}/eog              rPUx,
  @{bin}/evince            rPx,
@ -74,6 +75,7 @@ profile child-open {
  @{bin}/filezilla         rPx,
  @{bin}/flameshot         rPx,
  @{bin}/geany             rPx,
+  @{bin}/gimp*            rPUx,
  @{bin}/gnome-calculator rPUx,
  @{bin}/gnome-disk-image-mounter rPx,
  @{bin}/gnome-disks       rPx,
@ -84,6 +86,7 @@ profile child-open {
  @{bin}/qpdfview          rPx,
  @{bin}/smplayer          rPx,
  @{bin}/spacefm           rPx,
+  @{bin}/steam-runtime    rPUx,
  @{bin}/teams            rPUx,
  @{bin}/telegram-desktop  rPx,
  @{bin}/thunderbird       rPx,
--- a/apparmor.d/groups/gnome/evolution-alarm-notify
+++ b/apparmor.d/groups/gnome/evolution-alarm-notify
@ -28,5 +28,7 @@ profile evolution-alarm-notify @{exec_path} {
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/*ubuntu/applications/ r,

+  /etc/timezone r,
+
  include if exists <local/evolution-alarm-notify>
 }
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@ -46,9 +46,9 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
  @{run}/systemd/sessions/*     r,
  @{run}/systemd/sessions/*.ref r,

-  @{sys}/devices/@{pci}/{,*/}net/*/statistics/collisions r,
-  @{sys}/devices/@{pci}/{,*/}net/*/statistics/rx_{bytes,errors,packets} r,
-  @{sys}/devices/@{pci}/{,*/}net/*/statistics/tx_{bytes,errors,packets} r,
+  @{sys}/devices/@{pci}/net/*/statistics/collisions r,
+  @{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r,
+  @{sys}/devices/@{pci}/net/*/statistics/tx_{bytes,errors,packets} r,
  @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/collisions r,
  @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/rx_{bytes,errors,packets} r,
  @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/tx_{bytes,errors,packets} r,
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -38,11 +38,14 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
  @{bin}/{,ba,da}sh        rix,
  @{bin}/{,e}grep          rix,
  @{bin}/*-print-pci-ids   rix,
+  @{bin}/alsactl          rPUx,
  @{bin}/cat               rix,
  @{bin}/chgrp             rix,
  @{bin}/chmod             rix,
  @{bin}/cut               rix,
  @{bin}/dmsetup          rPUx,
+  @{bin}/ethtool           rix,
+  @{bin}/kmod              rPx,
  @{bin}/ln                rix,
  @{bin}/logger            rix,
  @{bin}/lvm               rPx,
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@ -18,6 +18,7 @@ profile cockpit-bridge @{exec_path} {
  capability dac_read_search,
  capability net_admin,
  capability sys_nice,
+  capability sys_ptrace,

  network inet dgram,
  network inet stream,
@ -55,9 +56,12 @@ profile cockpit-bridge @{exec_path} {
  @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* rw,
  @{run}/utmp r,

+  @{sys}/class/hwmon/ r,
  @{sys}/devices/**/hwmon@{int}/ r,
  @{sys}/devices/**/hwmon@{int}/{name,temp*} r,
-  @{sys}/fs/cgroup/*.slice/**/memory* r,
+  @{sys}/fs/cgroup/**/ r,
+  @{sys}/fs/cgroup/**/cpu.{stat,weight} r,
+  @{sys}/fs/cgroup/**/memory* r,

        @{PROC}/ r,
        @{PROC}/@{pids}/cgroup r,
@ -68,6 +72,7 @@ profile cockpit-bridge @{exec_path} {
        @{PROC}/diskstats r,
        @{PROC}/loadavg r,
        @{PROC}/uptime r,
+  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,

--- a/apparmor.d/groups/virt/cockpit-session
+++ b/apparmor.d/groups/virt/cockpit-session
@ -29,10 +29,11 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
  @{lib}/cockpit/cockpit-pcp  rPx,

  @{etc_ro}/environment r,
+  @{etc_ro}/security/limits.d/{,*.conf} r,
+  /etc/cockpit/disallowed-users r,
  /etc/group r,
  /etc/motd r,
  /etc/motd.d/ r,
-  @{etc_ro}/security/limits.d/{,*.conf} r,
  /etc/shells r,

  @{run}/faillock/[a-zA-z0-9]* rwk,