feat(profile): general update.

2024-07-06 23:46:06 +01:00 · 2024-07-06 23:46:06 +01:00 · d480156e09
commit d480156e09
parent 8b2434c0a5
20 changed files with 64 additions and 33 deletions
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -61,6 +61,11 @@ profile xdg-desktop-portal-gtk @{exec_path} {

  @{run}/mount/utab r,

+  @{sys}/devices/virtual/dmi/id/bios_vendor r,
+  @{sys}/devices/virtual/dmi/id/board_vendor r,
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
+
  owner @{PROC}/@{pid}/mountinfo r,

  include if exists <local/xdg-desktop-portal-gtk>
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -126,6 +126,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
    /usr/games/**                 PUx,

    /dev/tty rw,
+    /dev/tty@{int} rw,

    include if exists <usr/gnome-session-binary_open.d>
    include if exists <local/gnome-session-binary_open>
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -339,6 +339,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
  @{sys}/devices/**/power_supply/{,**} r,
  @{sys}/devices/platform/**/input@{int}/{properties,name} r,
+  @{sys}/devices/virtual/dmi/id/bios_vendor r,
  @{sys}/devices/virtual/net/*/statistics/collisions r,
  @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r,
  @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r,
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@ -86,8 +86,8 @@ profile gnome-software @{exec_path} {
  owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**,
  owner @{user_share_dirs}/gnome-software/{,**} rw,

-  owner @{tmp}/ostree-gpg-*/ rw,
-  owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+  owner @{tmp}/ostree-gpg-@{rand6}/ rw,
+  owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
  owner @{tmp}/#@{int} rw,

  owner @{run}/user/@{uid}/.dbus-proxy/ rw,
@ -125,8 +125,8 @@ profile gnome-software @{exec_path} {
    @{HOME}/@{XDG_GPG_DIR}/*.conf r,

          @{tmp}/ r,
-    owner @{tmp}/ostree-gpg-*/ r,
-    owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+    owner @{tmp}/ostree-gpg-@{rand6}/ r,
+    owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,

    owner @{run}/user/@{uid}/gnupg/ w,

--- a/apparmor.d/groups/gpg/dirmngr
+++ b/apparmor.d/groups/gpg/dirmngr
@ -39,6 +39,13 @@ profile dirmngr @{exec_path} {
  owner @{run}/user/@{uid}/gnupg/S.dirmngr rw,
  owner @{run}/user/@{uid}/gnupg/d.*/S.dirmngr rw,

+  # FIXME: Needed by dirmngr@.service
+  owner /etc/pacman.d/gnupg/ rw,
+  owner /etc/pacman.d/gnupg/S.dirmngr rw,
+  owner /etc/pacman.d/gnupg/d.*/S.dirmngr rw,
+  owner /etc/pacman.d/gnupg/crls.d/ rw,
+  owner /etc/pacman.d/gnupg/crls.d/DIR.txt rw,
+
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  include if exists <local/dirmngr>
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@ -60,10 +60,10 @@ profile gpg @{exec_path} {
  owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**,

  #aa:exclude ubuntu
-  owner @{tmp}/ostree-gpg-*/ r,
-  owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+  owner @{tmp}/ostree-gpg-@{rand6}/ r,
+  owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,

-  owner @{tmp}/tmp.[a-zA-Z0-9]* rw,
+  owner /tmp/@{int}@{int} rw,

  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
--- a/apparmor.d/groups/gpg/gpg-agent
+++ b/apparmor.d/groups/gpg/gpg-agent
@ -58,6 +58,13 @@ profile gpg-agent @{exec_path} {
  owner @{user_tmp_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
  owner @{user_tmp_dirs}/**/{.,}gnupg/sshcontrol r,

+  #aa:only pacman
+  owner /etc/pacman.d/gnupg/ rw,
+  owner /etc/pacman.d/gnupg/private-keys-v1.d/ rw,
+  owner /etc/pacman.d/gnupg/private-keys-v1.d/@{hex}.key rw,
+  owner /etc/pacman.d/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+  owner /etc/pacman.d/gnupg/sshcontrol r,
+
  owner /var/lib/*/.gnupg/ rw,
  owner /var/lib/*/.gnupg/private-keys-v1.d/ rw,
  owner /var/lib/*/.gnupg/private-keys-v1.d/@{hex}.key rw,
@ -70,17 +77,12 @@ profile gpg-agent @{exec_path} {
  owner /var/lib/*/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
  owner /var/lib/*/gnupg/sshcontrol r,

+  #aa:only zypper
  owner /var/tmp/zypp.*/ rw,
  owner /var/tmp/zypp.*/{,*/}private-keys-v1.d/ rw,
  owner /var/tmp/zypp.*/{,*/}private-keys-v1.d/@{hex}.key rw,
  owner /var/tmp/zypp.*/{,*/}S.gpg-agent{,.ssh,.browser,.extra} rw,

-  owner @{tmp}/tmp.*/gnupg/ rw,
-  owner @{tmp}/tmp.*/gnupg/private-keys-v1.d/ rw,
-  owner @{tmp}/tmp.*/gnupg/private-keys-v1.d/@{hex}.key rw,
-  owner @{tmp}/tmp.*/gnupg/{,d.*/}S.gpg-agent rw,
-  owner @{tmp}/tmp.*/gnupg/sshcontrol r,
-
  @{PROC}/@{pid}/fd/ r,

  # Silencer
--- a/apparmor.d/groups/kde/DiscoverNotifier
+++ b/apparmor.d/groups/kde/DiscoverNotifier
@ -71,7 +71,7 @@ profile DiscoverNotifier @{exec_path} {

          @{tmp}/ r,
    owner @{tmp}/ostree-gpg-@{rand6}/ r,
-    owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-*/**,
+    owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,

    owner @{run}/user/@{uid}/gnupg/ w,

--- a/apparmor.d/groups/kde/plasma-discover
+++ b/apparmor.d/groups/kde/plasma-discover
@ -86,8 +86,8 @@ profile plasma-discover @{exec_path} {
  owner @{tmp}/*.kwinscript rwl -> /tmp/#@{int},
  owner @{tmp}/#@{int} rw,
  owner @{tmp}/discover-@{rand6}/{,**} rw,
-  owner @{tmp}/ostree-gpg-*/ rw,
-  owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+  owner @{tmp}/ostree-gpg-@{rand6}/ rw,
+  owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,

  owner @{run}/user/@{uid}/.flatpak-cache rw,
  owner @{run}/user/@{uid}/.flatpak/{,**} rw,
@ -108,8 +108,8 @@ profile plasma-discover @{exec_path} {

    @{HOME}/@{XDG_GPG_DIR}/*.conf r,

-    owner @{tmp}/ostree-gpg-*/ r,
-    owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+    owner @{tmp}/ostree-gpg-@{rand6}/ r,
+    owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,

    include if exists <local/plasma-discover_gpg>
  }
--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@ -43,6 +43,8 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

+  owner /var/lib/systemd/network/ r,
+
  # To be able to read logs
  @{run}/log/ r,
  /{run,var}/log/journal/ r,
@ -60,8 +62,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {

  @{sys}/devices/**/net/**/uevent r,

-        @{PROC}/sys/kernel/random/boot_id r,
        @{PROC}/1/cgroup r,
+        @{PROC}/cmdline r,
+        @{PROC}/sys/kernel/osrelease r,
+        @{PROC}/sys/kernel/random/boot_id r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/stat r,

--- a/apparmor.d/groups/systemd/systemd-homed
+++ b/apparmor.d/groups/systemd/systemd-homed
@ -48,6 +48,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
  /etc/systemd/homed.conf r,
  /etc/skel/{,**} r,

+  /var/cache/systemd/home/{,**} rw,
  /var/lib/systemd/home/{,**} rw,

  / r,
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@ -53,6 +53,8 @@ profile systemd-hostnamed @{exec_path}  flags=(attach_disconnected) {
  @{sys}/firmware/acpi/pm_profile r,
  @{sys}/firmware/dmi/entries/*/raw r,

+  /dev/vsock r,
+
  include if exists <local/systemd-hostnamed>
 }

--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@ -52,6 +52,8 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {

  / r,

+  owner /var/lib/systemd/network/ r,
+
        @{run}/systemd/network/ r,
        @{run}/systemd/network/*.network r,
        @{run}/systemd/notify rw,