feat(profile): minor improvement & update.

2025-04-12 23:00:52 +02:00 · 2025-04-12 23:00:52 +02:00 · cd890bb81b
commit cd890bb81b
parent e61529bd04
14 changed files with 24 additions and 16 deletions
--- a/apparmor.d/groups/apparmor/aa-notify
+++ b/apparmor.d/groups/apparmor/aa-notify
@ -102,6 +102,8 @@ profile aa-notify @{exec_path} {
    /etc/apparmor.d/** rw,
    /etc/apparmor/* r,

+    @{PROC}/@{pid}/mounts r,
+
    include if exists <local/aa-notify_pkexec>
  }

--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -50,6 +50,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {

  @{bin}/apt-listchanges          rPx,
  @{bin}/dpkg                     rPx,
+  @{bin}/dpkg-divert              rPx,
  @{bin}/dpkg-preconfigure        rPx,
  @{bin}/etckeeper                rPx,
  @{bin}/lsb_release              rPx -> lsb_release,
@ -64,6 +65,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {

  @{etc_ro}/login.defs r,
  @{etc_ro}/security/capability.conf r,
+  /etc/apport/report-ignore/ r,
  /etc/apt/*.list r,
  /etc/apt/apt.conf.d/{,**} r,
  /etc/debian_version r,
--- a/apparmor.d/groups/cups/cups-pk-helper-mechanism
+++ b/apparmor.d/groups/cups/cups-pk-helper-mechanism
@ -26,7 +26,7 @@ profile cups-pk-helper-mechanism @{exec_path} {

  /etc/cups/ppd/*.ppd r,

-  owner @{tmp}/[a-z0-9]* rw,
+  owner @{tmp}/@{int} rw,

  @{run}/cups/cups.sock rw,

--- a/apparmor.d/groups/freedesktop/upowerd
+++ b/apparmor.d/groups/freedesktop/upowerd
@ -56,6 +56,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/**/power_supply/**/* r,
  @{sys}/devices/**/uevent r,
  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/misc/uhid/*/input/input@{int}/name r,

  /dev/input/event* r,

--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -47,7 +47,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  signal send set=hup peer=xorg,
  signal send set=hup peer=xwayland,

-  unix (bind) type=stream addr=@@{udbus}/bus/gdm-session-wor/system,
+  unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system,

  #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
  #aa:dbus talk bus=system name=org.freedesktop.home1.Manager label=systemd-homed
--- a/apparmor.d/groups/gnome/gnome-extension-gsconnect
+++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect
@ -21,6 +21,7 @@ profile gnome-extension-gsconnect @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
+  include <abstractions/user-download-strict>

  network inet dgram,
  network inet6 dgram,
--- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
+++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
@ -17,13 +17,13 @@ profile systemd-tty-ask-password-agent @{exec_path} {
  capability net_admin,
  capability sys_resource,

-  signal receive set=(term cont) peer=*//systemctl,
-  signal receive set=(term cont) peer=deb-systemd-invoke,
-  signal receive set=(term cont) peer=default,
-  signal receive set=(term cont) peer=logrotate,
-  signal receive set=(term cont) peer=makepkg//sudo,
-  signal receive set=(term cont) peer=role_*,
-  signal receive set=(term cont) peer=rpm,
+  signal receive set=(term cont winch) peer=*//systemctl,
+  signal receive set=(term cont winch) peer=deb-systemd-invoke,
+  signal receive set=(term cont winch) peer=default,
+  signal receive set=(term cont winch) peer=logrotate,
+  signal receive set=(term cont winch) peer=makepkg//sudo,
+  signal receive set=(term cont winch) peer=role_*,
+  signal receive set=(term cont winch) peer=rpm,

  @{exec_path} mrix,