From e17b682e51f361aab58d98f4bfd63a8aba536756 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 9 Oct 2024 13:56:27 +0100
Subject: [PATCH] feat(profile): minor profile improvments.

---
 apparmor.d/groups/systemd/systemd-inhibit | 2 ++
 apparmor.d/groups/systemd/systemd-network-generator | 2 ++
 apparmor.d/groups/virt/dockerd | 2 +-
 apparmor.d/profiles-a-f/alsactl | 3 +++
 apparmor.d/profiles-m-r/mission-control | 1 +
 apparmor.d/profiles-m-r/packagekitd | 1 +
 apparmor.d/tunables/multiarch.d/profiles | 2 +-
 7 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/apparmor.d/groups/systemd/systemd-inhibit b/apparmor.d/groups/systemd/systemd-inhibit
index 2051a5b19..9938015d3 100644
--- a/apparmor.d/groups/systemd/systemd-inhibit
+++ b/apparmor.d/groups/systemd/systemd-inhibit
@@ -14,6 +14,8 @@ profile systemd-inhibit @{exec_path} flags=(attach_disconnected) {
   capability net_admin,
   capability sys_resource,
 
+  signal receive set=term peer=packagekitd,
+
   @{exec_path} mr,
   @{bin}/cat rix,
 
diff --git a/apparmor.d/groups/systemd/systemd-network-generator b/apparmor.d/groups/systemd/systemd-network-generator
index c65980901..e22d89629 100644
--- a/apparmor.d/groups/systemd/systemd-network-generator
+++ b/apparmor.d/groups/systemd/systemd-network-generator
@@ -17,6 +17,8 @@ profile systemd-network-generator @{exec_path} {
 
   owner @{run}/systemd/network/{,**} rw,
 
+  @{run}/credentials/systemd-network-generator.service/ r,
+
   include if exists
 }
 
diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd
index 91d7baf3e..6b1616e94 100644
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@@ -89,7 +89,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
   owner @{lib}/containerd/** w,
   owner @{lib}/docker/overlay2/*/work/{,**} rw,
 
-  owner /var/lib/containerd/** w,
+  owner /var/lib/containerd/** rw,
   owner /var/lib/docker/{,**} rwk,
   owner /var/lib/docker/tmp/qemu-check@{int}/check rix,
 
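Review bot: The new `signal receive set=term peer=packagekitd,` line names its peer by bare profile name, while the tunables/multiarch.d/profiles hunk in this same patch says that profile-name references used as peer labels should go through `p_`-prefixed variables; if the tunables file defines such a variable for packagekitd (none is visible in this patch), the peer label here and the matching `signal send set=term peer=systemd-inhibit,` rule in the packagekitd hunk would be the places to use it. The two rules are mutually consistent (term sent by packagekitd, received by systemd-inhibit), so this is a style point only. The enclosing profile block starts and ends outside the hunk.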
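Review bot: `@{run}/credentials/systemd-network-generator.service/ r,` grants read on the credentials directory entry only (the trailing slash matches the directory, not the files inside it), so any credential file the generator actually reads will still be denied. If a directory listing is all that was observed in the denial log, this narrow rule is the right least-privilege choice; if file reads follow later, prefer naming the specific credential files rather than a `**` glob, since that directory is where systemd places per-unit credentials and may hold secrets. The enclosing profile block starts outside the hunk.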
diff --git a/apparmor.d/profiles-a-f/alsactl b/apparmor.d/profiles-a-f/alsactl
index b881e27e1..b2b97a62a 100644
--- a/apparmor.d/profiles-a-f/alsactl
+++ b/apparmor.d/profiles-a-f/alsactl
@@ -22,6 +22,9 @@ profile alsactl @{exec_path} {
   @{run}/lock/card@{int}.lock rwk,
   owner @{run}/alsa/{,**} rw,
 
+  @{sys}/devices/@{pci}/subsystem_device r,
+  @{sys}/devices/@{pci}/subsystem_vendor r,
+
   include if exists
 }
 
diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control
index a908feb57..efe44ebc2 100644
--- a/apparmor.d/profiles-m-r/mission-control
+++ b/apparmor.d/profiles-m-r/mission-control
@@ -23,6 +23,7 @@ profile mission-control @{exec_path} flags=(attach_disconnected) {
 
   owner @{user_share_dirs}/telepathy/mission-control/*.cfg* rw,
   owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal} rwk,
+  owner @{user_cache_dirs}/.mc_connections rw,
 
   @{run}/systemd/inhibit/@{int}.ref rw,
 
diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd
index 267ce1dbe..3eb16caad 100644
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@@ -36,6 +36,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
   network netlink raw,
 
   signal send set=int peer=apt-methods-*,
+  signal send set=term peer=systemd-inhibit,
 
   #aa:dbus own bus=system name=org.freedesktop.PackageKit
 
diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles
index dd9386b09..a24cefc01 100644
--- a/apparmor.d/tunables/multiarch.d/profiles
+++ b/apparmor.d/tunables/multiarch.d/profiles
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
-# Define some variables for some commonly used profile. They may be used in
+# Define some variables for some commonly used profile. They may be used in
 # other profiles peer label.
 
 # All variables that refer to a profile name should be prefixed with `p_`
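Review bot: The two added alsactl rules differ only in their final path component and could be written as one line with brace alternation, `@{sys}/devices/@{pci}/subsystem_{device,vendor} r,`, which is the grouping style this patch already uses elsewhere (`accounts.db{,-shm,-wal}` in the mission-control hunk). The access granted is identical either way, so this is a style point only. The enclosing profile block starts outside the hunk.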