feat(profile): general update

2023-09-29 19:25:30 +01:00 · 2023-09-29 19:25:30 +01:00 · c8ee832c11
commit c8ee832c11
parent 6f2ae26749
23 changed files with 66 additions and 35 deletions
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@ -51,8 +51,8 @@ profile snap @{exec_path} {

  /snap/{,**} rw,
  # @{lib_dirs}/snap-confine           rPx -> /usr/lib/snapd/snap-confine,
-  @{lib_dirs}/snapd/snap-seccomp     rPx -> snap-seccomp,
-  @{lib_dirs}/snapd/snapd            rPx -> snapd,
+  @{lib_dirs}/snapd/snap-seccomp     rPx,
+  @{lib_dirs}/snapd/snapd            rPx,

  /etc/fstab r,

--- a/apparmor.d/profiles-s-z/snap-failure
+++ b/apparmor.d/profiles-s-z/snap-failure
@ -15,7 +15,7 @@ profile snap-failure @{exec_path} {
  @{exec_path} mr,

  @{bin}/systemctl         rPx -> child-systemctl,
-  @{lib_dirs}/snapd/snapd  rPx -> snapd,
+  @{lib_dirs}/snapd/snapd  rPx,

  /var/lib/snapd/sequence/snapd.json r,

--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@ -92,9 +92,9 @@ profile snapd @{exec_path} {
  @{lib_dirs}/@{multiarch}/**         mr,
  @{lib_dirs}/@{multiarch}/ld-*.so   rix,
  @{lib_dirs}/snapd/apparmor_parser  rPx -> apparmor_parser,
-  @{lib_dirs}/snapd/snap-discard-ns  rPx -> snap-discard-ns,
-  @{lib_dirs}/snapd/snap-seccomp     rPx -> snap-seccomp,
-  @{lib_dirs}/snapd/snap-update-ns   rPx -> snap-update-ns,
+  @{lib_dirs}/snapd/snap-discard-ns  rPx,
+  @{lib_dirs}/snapd/snap-seccomp     rPx,
+  @{lib_dirs}/snapd/snap-update-ns   rPx,

  /usr/share/bash-completion/{,**} r,
  /usr/share/dbus-1/{system,session}.d/{,snapd*} r,
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@ -82,6 +82,7 @@ profile spotify @{exec_path} {
  owner @{PROC}/@{pid}/task/@{tid}/stat r,
  owner @{PROC}/@{pid}/task/@{tid}/status r,

+        /dev/tty rw,
  owner /dev/shm/pulse-shm-@{int} r,

  deny @{user_share_dirs}/gvfs-metadata/* r,
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -56,6 +56,7 @@ profile sudo @{exec_path} {

  @{lib}/**                        rPUx,
  @{lib}/sudo/**                     mr,
+  /opt/*/**                        rPUx,
  /snap/snapd/@{int}@{bin}/snap    rPUx,

  @{etc_ro}/environment r,
--- a/apparmor.d/profiles-s-z/transmission-gtk
+++ b/apparmor.d/profiles-s-z/transmission-gtk
@ -50,6 +50,7 @@ profile transmission-gtk @{exec_path} {
  @{run}/mount/utab r,

        @{PROC}/@{pid}/net/route r,
+        @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/comm r,
  owner @{PROC}/@{pid}/mountinfo r,
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@ -136,12 +136,17 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
  @{run}/cryptsetup/L* rwk,

  @{sys}/bus/ r,
+  @{sys}/bus/pci/slots/ r,
  @{sys}/class/ r,
-  @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}remove rw,
+  @{sys}/class/nvme-subsystem/ r,
+  @{sys}/class/nvme/ r,
  @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w,
+  @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}remove rw,
  @{sys}/devices/virtual/bdi/**/read_ahead_kb r,
  @{sys}/devices/virtual/block/*/{,**} rw,
  @{sys}/devices/virtual/block/loop[0-9]*/uevent rw,
+  @{sys}/devices/virtual/dmi/id/product_uuid r,
+  @{sys}/devices/virtual/nvme-subsystem/{,**} r,
  @{sys}/fs/ r,

        @{PROC}/cmdline r,
--- a/apparmor.d/profiles-s-z/update-cracklib
+++ b/apparmor.d/profiles-s-z/update-cracklib
@ -22,6 +22,7 @@ profile update-cracklib @{exec_path} {
  @{bin}/grep                 rix,
  @{bin}/gzip                 rix,
  @{bin}/install              rix,
+  @{bin}/install              rix,
  @{bin}/sort                 rix,
  @{bin}/tr                   rix,