feat(profile): general update.

2024-06-10 23:58:44 +01:00 · 2024-06-10 23:58:44 +01:00 · d283ef5196
commit d283ef5196
parent b4407fb7f8
17 changed files with 62 additions and 43 deletions
--- a/apparmor.d/groups/apt/debsign
+++ b/apparmor.d/groups/apt/debsign
@ -55,6 +55,7 @@ profile debsign @{exec_path} {
    owner @{tmp}/debsign.*/*.{dsc,changes,buildinfo} r,
    owner @{tmp}/debsign.*/*.{dsc,changes,buildinfo}.asc rw,

+    include if exists <local/debsign_gpg>
  }

  include if exists <local/debsign>
--- a/apparmor.d/groups/apt/debsums
+++ b/apparmor.d/groups/apt/debsums
@ -20,13 +20,6 @@ profile debsums @{exec_path} {
  @{sh_path}        rix,
  @{bin}/{m,g,}awk  rix,

-  /etc/dpkg/dpkg.cfg.d/{,*} r,
-  /etc/dpkg/dpkg.cfg r,
-
-  /var/lib/dpkg/info/* r,
-
-  /etc/locale.nopurge r,
-
  # Do not strip env to avoid errors like the following:
  #  ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
  #  shared object file): ignored.
@ -35,6 +28,13 @@ profile debsums @{exec_path} {
  @{bin}/dpkg        rPx -> child-dpkg,
  @{bin}/dpkg-divert rPx -> child-dpkg-divert,

+  /etc/dpkg/dpkg.cfg.d/{,*} r,
+  /etc/dpkg/dpkg.cfg r,
+
+  /etc/locale.nopurge r,
+
+  /var/lib/dpkg/info/* r,
+
  # For shell pwd
  / r,
  /root/ r,
--- a/apparmor.d/groups/apt/dpkg-divert
+++ b/apparmor.d/groups/apt/dpkg-divert
@ -16,7 +16,7 @@ profile dpkg-divert @{exec_path} {

  /var/lib/dpkg/** r,

-  /usr/share/*/** w,
+  /usr/share/*/** rw,

  /var/lib/dpkg/diversions rw,
  /var/lib/dpkg/diversions-new rw,
--- a/apparmor.d/groups/browsers/firefox-minidump-analyzer
+++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer
@ -15,7 +15,7 @@ include <tunables/global>
@{cache_dirs} = @{user_cache_dirs}/mozilla/

@{exec_path} = @{lib_dirs}/minidump-analyzer
-profile firefox-minidump-analyzer @{exec_path} {
+profile firefox-minidump-analyzer @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>

  signal (receive) set=(term, kill) peer=firefox,
@ -27,10 +27,10 @@ profile firefox-minidump-analyzer @{exec_path} {
  owner "@{config_dirs}/firefox/Crash Reports/" rw,
  owner "@{config_dirs}/firefox/Crash Reports/pending/" rw,
  owner "@{config_dirs}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw,
-  owner @{config_dirs}/*.*/extensions/*.xpi r,
-  owner @{config_dirs}/*.*/minidumps/ rw,
-  owner @{config_dirs}/*.*/minidumps/@{uuid}.{dmp,extra} rw,
-  owner @{config_dirs}/*.*/storage/default/* r,
+  owner @{config_dirs}/{,firefox/}*.*/extensions/*.xpi r,
+  owner @{config_dirs}/{,firefox/}*.*/minidumps/ rw,
+  owner @{config_dirs}/{,firefox/}*.*/minidumps/@{uuid}.{dmp,extra} rw,
+  owner @{config_dirs}/{,firefox/}*.*/storage/default/* r,

  owner @{cache_dirs}/firefox/*.*/startupCache/*Cache* r,

--- a/apparmor.d/groups/bus/ibus-memconf
+++ b/apparmor.d/groups/bus/ibus-memconf
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = @{lib}/{,ibus/}ibus-memconf
-profile ibus-memconf @{exec_path} {
+profile ibus-memconf @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
@ -27,5 +27,7 @@ profile ibus-memconf @{exec_path} {
  owner @{desktop_config_dirs}/ibus/bus/ r,
  owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,

+  owner /dev/tty@{int} rw,
+
  include if exists <local/ibus-memconf>
 }
--- a/apparmor.d/groups/cron/cron-popularity-contest
+++ b/apparmor.d/groups/cron/cron-popularity-contest
@ -49,6 +49,7 @@ profile cron-popularity-contest @{exec_path} {
  /var/log/popularity-contest{,.new} rw,
  /var/log/popularity-contest{,.new}.gpg rw,
  /var/log/popularity-contest.@{int} rw,
+  /var/log/popularity-contest.@{int}.gpg rw,

  # Store last successful http submission timestamp
  /var/lib/popularity-contest/ rw,
@ -66,15 +67,14 @@ profile cron-popularity-contest @{exec_path} {

    @{bin}/savelog mr,

-    @{bin}/date       rix,
    @{bin}/basename   rix,
-    @{bin}/which{,.debianutils}      rix,
+    @{bin}/date       rix,
    @{bin}/dirname    rix,
-    @{bin}/rm         rix,
-    @{bin}/mv         rix,
-    @{bin}/touch      rix,
    @{bin}/gzip       rix,
-
+    @{bin}/mv         rix,
+    @{bin}/rm         rix,
+    @{bin}/touch      rix,
+    @{bin}/which{,.debianutils}      rix,
    @{sh_path}        rix,

    /var/log/ r,
@ -82,9 +82,9 @@ profile cron-popularity-contest @{exec_path} {
    /var/log/popularity-contest.@{int} rw,
    /var/log/popularity-contest rw,

-    # file_inherit
-    owner @{tmp}/#@{int} rw,
+    owner @{tmp}/#@{int} rw,  # file_inherit

+    include if exists <local/cron-popularity-contest_savelog>
  }

  profile runuser {
@ -96,19 +96,18 @@ profile cron-popularity-contest @{exec_path} {
    @{bin}/runuser mr,

    @{sh_path}                 rix,
-
-    @{bin}/popularity-contest rPx,
-
-    owner @{PROC}/@{pids}/loginuid r,
-          @{PROC}/1/limits r,
+    @{bin}/popularity-contest  rPx,

    @{etc_ro}/security/limits.d/ r,

    /var/log/popularity-contest.new w,

-    # file_inherit
-    owner @{tmp}/#@{int} rw,
+          @{PROC}/1/limits r,
+    owner @{PROC}/@{pids}/loginuid r,

+    owner @{tmp}/#@{int} rw,  # file_inherit
+
+    include if exists <local/cron-popularity-contest_runuser>
  }

  profile gpg {
@ -126,9 +125,9 @@ profile cron-popularity-contest @{exec_path} {

    owner @{tmp}/tmp.*/** rwkl -> /tmp/tmp.*/**,

-    # file_inherit
-    owner @{tmp}/#@{int} rw,
+    owner @{tmp}/#@{int} rw,  # file_inherit

+    include if exists <local/cron-popularity-contest_gpg>
  }

  profile popcon-upload {
@ -142,18 +141,18 @@ profile cron-popularity-contest @{exec_path} {
    network inet6 stream,
    network netlink raw,

-    /usr/share/popularity-contest/popcon-upload r,
    @{bin}/perl r,
-
    @{bin}/gzip rix,

+    /usr/share/popularity-contest/popcon-upload r,
+
    /var/log/ r,
    /var/log/popularity-contest.new.gpg r,
    /var/log/popularity-contest.@{int}.gpg r,

-    # file_inherit
-    owner @{tmp}/#@{int} rw,
+    owner @{tmp}/#@{int} rw,  # file_inherit

+    include if exists <local/cron-popularity-contest_/popcon-upload>
  }

  include if exists <local/cron-popularity-contest>
--- a/apparmor.d/groups/gnome/gdm-generate-config
+++ b/apparmor.d/groups/gnome/gdm-generate-config
@ -41,7 +41,7 @@ profile gdm-generate-config @{exec_path} {
  @{sys}/devices/system/node/node@{int}/meminfo r,

  @{PROC}/ r,
-  @{PROC}/@{pid}/cgroup  r,
+  @{PROC}/@{pid}/cgroup r,
  @{PROC}/@{pid}/cmdline r,
  @{PROC}/@{pid}/stat r,
  @{PROC}/uptime r,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -407,6 +407,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
    /usr/games/*  PUx,
    /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx,

+    owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, 
+
    deny @{user_share_dirs}/gvfs-metadata/* r,

    include if exists <local/gnome-shell_open>
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@ -99,6 +99,9 @@ profile gnome-software @{exec_path} {
  owner @{run}/user/@{uid}/.flatpak/**/*.ref rwk,
  owner @{run}/user/@{uid}/app/{,*/} rw,

+  owner /dev/shm/flatpak-com.*/ rw,
+  owner /dev/shm/flatpak-com.*/.flatpak-tmpdir rw,
+
  @{run}/systemd/inhibit/*.ref rw,

  @{sys}/module/nvidia/version r,
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -206,6 +206,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {

  @{sys}/devices/system/cpu/cpu@{int}/cache/{,**} r,
  @{sys}/devices/system/cpu/cpu@{int}/topology/{,**} r,
+  @{sys}/devices/system/cpu/isolated r,
  @{sys}/devices/system/cpu/present r,
  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node@{int}/ r,