feat(profile): improve general integration

See #407
2024-07-12 20:08:58 +01:00 · 2024-07-12 20:08:58 +01:00 · d864f5c975
commit d864f5c975
parent 872b8fc30a
14 changed files with 53 additions and 16 deletions
--- a/apparmor.d/profiles-m-r/nemo
+++ b/apparmor.d/profiles-m-r/nemo
@ -11,15 +11,31 @@ include <tunables/global>
 profile nemo @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
+  include <abstractions/deny-sensitive-home>
  include <abstractions/desktop>
  include <abstractions/nameservice-strict>
+  include <abstractions/trash-strict>

  network inet stream,
  network inet6 stream,

  @{exec_path} mr,

-#   @{lib}/@{multiarch}/nemo/** mrix,
+  /usr/share/nemo/** r,
+
+  # Full access to user's data
+  / r,
+  /*/ r,
+  @{bin}/ r,
+  @{lib}/ r,
+  @{MOUNTDIRS}/ r,
+  @{MOUNTS}/ r,
+  @{MOUNTS}/** rw,
+  owner @{HOME}/{,**} rw,
+  owner @{run}/user/@{uid}/{,**} rw,
+  owner @{tmp}/{,**} rw,
+
+  @{run}/mount/utab r,

  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
--- a/apparmor.d/profiles-m-r/pkexec
+++ b/apparmor.d/profiles-m-r/pkexec
@ -35,13 +35,10 @@ profile pkexec @{exec_path} {

  @{exec_path} mr,

-  # Apps to be run via pkexec
-  @{bin}/*            rPUx,
-  @{lib}/{,gvfs/}gvfsd-admin    rPx,
-  @{lib}/cc-remote-login-helper rPx,
-  @{lib}/update-notifier/package-system-locked  rPx,
-  /usr/share/apport/apport-gtk rPx,
-  #aa:exec polkit-agent-helper
+  @{bin}/*       PUx,
+  @{lib}/**      PUx,
+  /opt/*/**      PUx,
+  /usr/share/**  PUx,

  @{etc_ro}/environment r,
  @{etc_ro}/security/limits.d/{,*} r,
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@ -14,7 +14,9 @@ profile run-parts @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

-  @{exec_path} mr,
+  capability mknod,
+
+  @{exec_path} mrix,
  
  @{sh_path}         rix,
  @{bin}/anacron     rix,
@ -29,6 +31,7 @@ profile run-parts @{exec_path} {
  /etc/ r,
  /etc/anacrontab                                      r,
  /etc/conf.d/snapper{,**}                             r,
+  /etc/default/*                                       r,
  /etc/snapper/configs/root                            r,

  # Crontab
@ -134,10 +137,14 @@ profile run-parts @{exec_path} {

  /usr/share/landscape/landscape-sysinfo.wrapper rPUx,

+  /root/ r,
+
+  /var/spool/anacron/cron.daily k,
+
  owner @{tmp}/#@{int} rw,
-  owner @{tmp}/$anacron* rw,
+  owner @{tmp}/$anacron@{rand6} rw,
  owner @{tmp}/file@{rand6} rw,
-  
+
  owner @{sys}/class/power_supply/            r,

  /dev/tty@{int} rw,