feat(profile): general update.

2025-02-09 00:11:09 +01:00 · 2025-02-09 00:11:09 +01:00 · da68c4f2d9
commit da68c4f2d9
parent 5784ff83cf
20 changed files with 65 additions and 27 deletions
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@ -41,8 +41,11 @@ profile dpkg-preconfigure @{exec_path} {
  /etc/debconf.conf r,
  /etc/default/grub r,
  /etc/inputrc r,
+  /etc/locale.gen r,
  /etc/shadow r,

+  /var/lib/locales/supported.d/{,*} r,
+
  owner @{tmp}/*.template.* rw,
  owner @{tmp}/*.config.* rwPUx,

--- a/apparmor.d/groups/bus/dbus-accessibility
+++ b/apparmor.d/groups/bus/dbus-accessibility
@ -76,6 +76,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/fdinfo/@{int} r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/oom_score_adj r,

--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
@ -74,8 +74,9 @@ profile dbus-session flags=(attach_disconnected) {
        @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/attr/apparmor/current r,
  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/oom_score_adj r,
+  owner @{PROC}/@{pid}/fdinfo/@{int} r,
  owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/oom_score_adj r,

  /dev/ptmx rw,
  /dev/tty@{int} rw,
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@ -7,7 +7,7 @@ abi <abi/4.0>,

 include <tunables/global>

-@{exec_path} = @{lib}/{,polkit-1/}polkitd
+@{exec_path} = @{lib}/polkitd @{lib}/polkit-1/polkitd
 profile polkitd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-system>
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -83,15 +83,17 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  # Talk with gnome-shell

  #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
+  #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd
  #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
  #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm

  #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
+  #aa:dbus talk bus=session name=org.gnome.* label=gnome-*
  #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console
-  #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary
  #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-*
  #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
+  #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus

  # System bus

@ -163,10 +165,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
       member=Introspect
       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),

-  dbus send bus=session path=/org/gnome/*/SearchProvider
-      interface=org.gnome.Shell.SearchProvider2
-      peer=(name=@{busname}),
-
  @{exec_path} mr,

  @{bin}/unzip                  rix,
--- a/apparmor.d/groups/gnome/session-migration
+++ b/apparmor.d/groups/gnome/session-migration
@ -9,12 +9,14 @@ include <tunables/global>
@{exec_path} = @{bin}/session-migration
 profile session-migration @{exec_path} {
  include <abstractions/base>
+  include <abstractions/python>

  @{exec_path} mr,

  @{sh_path}  rix,
+  @{python_path} rix,
  @{bin}/gsettings rPx,
-  /usr/share/session-migration/scripts/*.sh rix,
+  /usr/share/session-migration/scripts/* rix,

  /usr/share/session-migration/{,**} r,

--- a/apparmor.d/groups/gnome/yelp
+++ b/apparmor.d/groups/gnome/yelp
@ -14,6 +14,7 @@ profile yelp @{exec_path} {

  network netlink raw,

+  #aa:dbus own bus=accessibility name=org.gnome.Yelp
  #aa:dbus own bus=session name=org.gnome.Yelp

  @{exec_path} mr,
--- a/apparmor.d/groups/grub/grub-check-signatures
+++ b/apparmor.d/groups/grub/grub-check-signatures
@ -22,7 +22,9 @@ profile grub-check-signatures @{exec_path} {

  /usr/share/debconf/confmodule r,

-  owner @{tmp}/tmp.*/ rw,
+  owner @{tmp}/tmp.@{rand10}/ rw,
+
+  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,

  include if exists <local/grub-check-signatures>
 }
--- a/apparmor.d/groups/grub/grub-install
+++ b/apparmor.d/groups/grub/grub-install
@ -25,20 +25,28 @@ profile grub-install @{exec_path} flags=(complain) {
  @{bin}/udevadm           rPx,

  /usr/share/grub/{,**} r,
+  /usr/share/locale-langpack/{,**} r,

  /etc/default/grub.d/{,**} r,
  /etc/default/grub r,

-  /boot/efi/EFI/ubuntu/* w,
-  /boot/efi/EFI/BOOT/{,**} rw,
+  /boot/efi/ r,
  /boot/EFI/*/grubx*.efi rw,
+  /boot/efi/EFI/ r,
+  /boot/efi/EFI/BOOT/{,**} rw,
+  /boot/efi/EFI/ubuntu/* w,
  /boot/grub/{,**} rw,

+  @{sys}/devices/**/hid r,
+  @{sys}/devices/**/path r,
+  @{sys}/devices/**/uid r,
+  @{sys}/firmware/efi/ r,
  @{sys}/firmware/efi/efivars/ r,
  @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw,
  @{sys}/firmware/efi/efivars/BootCurrent-@{uuid} r,
  @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
  @{sys}/firmware/efi/efivars/Timeout-@{uuid} r,
+  @{sys}/firmware/efi/fw_platform_size r,
  @{sys}/firmware/efi/w_platform_size r,

        @{PROC}/devices r,
--- a/apparmor.d/groups/kde/dolphin
+++ b/apparmor.d/groups/kde/dolphin
@ -40,6 +40,7 @@ profile dolphin @{exec_path} {
  /usr/share/kservices{5,6}/{,**} r,
  /usr/share/kservicetypes5/{,**} r,
  /usr/share/misc/termcap r,
+  /usr/share/thumbnailers/{,**} r,

  /etc/fstab r,
  /etc/machine-id r,
@ -71,6 +72,7 @@ profile dolphin @{exec_path} {
  owner @{user_share_dirs}/dolphin/ rw,
  owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int},
  owner @{user_share_dirs}/recently-used.xbel{,.*} rwlk,
+  owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk,

  owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/dolphinrc rwl -> @{user_config_dirs}/#@{int},
@ -89,6 +91,8 @@ profile dolphin @{exec_path} {

  owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int},

+  owner @{tmp}/dolphin.@{rand6} rwl,
+
        @{run}/issue r,
        @{run}/mount/utab r,
  owner @{run}/user/@{uid}/#@{int} rw,
--- a/apparmor.d/groups/kde/kde-powerdevil
+++ b/apparmor.d/groups/kde/kde-powerdevil
@ -72,6 +72,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
  @{sys}/devices/platform/*/i2c-@{int}/name r,

  @{PROC}/@{pid}/fd/ r,
+  @{PROC}/@{pid}/mountinfo r,
  @{PROC}/@{pid}/mounts r,

  /dev/i2c-@{int} rwk,
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@ -68,9 +68,10 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/virtual/dmi/id/product_name r,
  @{sys}/devices/virtual/dmi/id/product_version r,

-  @{PROC}/@{pid}/cgroup r,
-  @{PROC}/pressure/* r,
-  @{PROC}/sys/net/ipv{4,6}/** rw,
+        @{PROC}/@{pid}/cgroup r,
+        @{PROC}/pressure/* r,
+        @{PROC}/sys/net/ipv{4,6}/** rw,
+  owner @{PROC}/@{pid}/fdinfo/@{int} r,

  include if exists <local/systemd-networkd>
 }
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -95,6 +95,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
  @{run}/systemd/notify rw,
  @{run}/systemd/seats/seat@{int} r,

+  @{att}/@{run}/systemd/notify w,
  @{att}/@{run}/udev/control rw,

  @{run}/udev/ rw,