feat(opensuse): final opensuse integration.

apparmor.d/groups/gpg/gpgconf

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2017-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -17,7 +18,7 @@ profile gpgconf @{exec_path} {
   @{exec_path} mrix,
 
   /{usr/,}bin/gpg-connect-agent rPx,
-  /{usr/,}bin/gpg               rPUx,
+  /{usr/,}bin/gpg{,2}               rPUx,
   /{usr/,}bin/gpg-agent         rPx,
   /{usr/,}bin/dirmngr           rPx,
   /{usr/,}bin/gpgsm             rPx,
@@ -25,6 +26,8 @@ profile gpgconf @{exec_path} {
 
   /{usr/,}bin/pinentry-*        rPx,
 
+  /etc/gcrypt/hwf.deny r,
+
   owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
   owner @{run}/user/@{uid}/gnupg/ w,
   owner @{run}/user/@{uid}/gnupg/** rwkl -> @{run}/user/@{uid}/gnupg/**,

apparmor.d/groups/gpg/gpgsm

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -15,6 +16,8 @@ profile gpgsm @{exec_path} {
 
   @{exec_path} mr,
 
+  /etc/gcrypt/hwf.deny r,
+
   deny /usr/bin/.gnupg/ w,
 
   owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,

apparmor.d/groups/systemd/localectl

@@ -11,6 +11,8 @@ profile localectl @{exec_path} {
   include <abstractions/base>
   include <abstractions/systemd-common>
 
+  capability net_admin,
+
   @{exec_path} mr,
 
   /{usr/,}bin/less  rPx -> child-pager,

apparmor.d/groups/systemd/systemd-hostnamed

@@ -35,6 +35,12 @@ profile systemd-hostnamed @{exec_path}  flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
+  /etc/.#hostname* rw,
+  /etc/.#machine-info?????? rw,
+  /etc/hostname rw,
+  /etc/machine-info rw,
+
+  @{run}/systemd/default-hostname rw,
   @{run}/systemd/notify rw,
   @{run}/udev/data/+dmi:id r,
 
@@ -46,15 +52,7 @@ profile systemd-hostnamed @{exec_path}  flags=(attach_disconnected) {
   @{sys}/devices/virtual/dmi/id/product_version r,
   @{sys}/devices/virtual/dmi/id/sys_vendor r,
   @{sys}/devices/virtual/dmi/id/uevent r,
-
   @{sys}/firmware/dmi/entries/*/raw r,
 
-  /etc/.#hostname* rw,
-  /etc/.#machine-info?????? rw,
-  /etc/hostname rw,
-  /etc/machine-info rw,
-
-  @{run}/udev/data/+dmi:id r,
-
   include if exists <local/systemd-hostnamed>
 }

apparmor.d/groups/systemd/systemd-localed

@@ -31,6 +31,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
+  /usr/share/kbd/keymaps/{,**} r,
   /usr/share/systemd/language-fallback-map r,
   /usr/share/X11/xkb/rules/evdev r,
 

apparmor.d/groups/systemd/systemd-tmpfiles

@@ -19,6 +19,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
   capability fsetid,
   capability mknod,
   capability net_admin,
+  capability syslog,
 
   @{exec_path} mr,
 

apparmor.d/groups/systemd/systemd-xdg-autostart-generator

@@ -16,7 +16,7 @@ profile systemd-xdg-autostart-generator @{exec_path} {
 
   @{exec_path} mr,
 
-  /etc/xdg/autostart/{,*.desktop} r,
+  @{etc_ro}/xdg/autostart/{,*.desktop} r,
 
   owner @{user_config_dirs}/autostart/{,*.desktop} r,
   owner @{run}/user/@{uid}/systemd/generator.late/{,**} rw,

apparmor.d/groups/virt/cockpit-session

@@ -25,10 +25,10 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/{,z,ba,da}sh    rix,
   /{usr/,}bin/cockpit-bridge  rPx,
 
-  /etc/environment r,
+  @{etc_ro}/environment r,
   /etc/group r,
   /etc/motd r,
-  /etc/security/limits.d/{,*.conf} r,
+  @{etc_ro}/security/limits.d/{,*.conf} r,
   /etc/shells r,
 
   @{run}/faillock/[a-zA-z0-9]* rwk,