feat(profile): update for ubuntu/debian based systems.

2025-03-20 00:34:24 +01:00 · 2025-03-20 00:34:24 +01:00 · ec04495c4a
commit ec04495c4a
parent a69dc5bc8b
11 changed files with 20 additions and 6 deletions
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@ -51,6 +51,8 @@ profile dpkg-preconfigure @{exec_path} {

  /var/lib/locales/supported.d/{,*} r,

+  /var/cache/debconf/tmp.ci/ w,
+
  owner @{tmp}/*.template.* rw,
  owner @{tmp}/*.config.* rwPUx,

--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -62,10 +62,12 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {

  /usr/share/distro-info/* r,

+  @{etc_ro}/login.defs r,
  @{etc_ro}/security/capability.conf r,
  /etc/apt/*.list r,
  /etc/apt/apt.conf.d/{,**} r,
  /etc/debian_version r,
+  /etc/default/apport r,
  /etc/default/grub.d/* r,
  /etc/dpkg/origins/{,debian,ubuntu} r,
  /etc/fwupd/{,**} r,
@ -107,6 +109,9 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {

  owner @{tmp}/apt-dpkg-install-*/{,*} rw,

+        @{PROC}/@{pid}/attr/current r,
+        @{PROC}/@{pid}/cmdline r,
+        @{PROC}/@{pid}/environ r,
        @{PROC}/@{pids}/mountinfo r,
        @{PROC}/@{pids}/stat r,
  owner @{PROC}/@{pids}/fd/ r,
--- a/apparmor.d/groups/bus/ibus-daemon
+++ b/apparmor.d/groups/bus/ibus-daemon
@ -55,6 +55,7 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {

  owner @{PROC}/@{pids}/fd/ r,

+  owner @{att}/dev/tty@{int} rw,
  owner /dev/tty@{int} rw,

  include if exists <local/ibus-daemon>
--- a/apparmor.d/groups/bus/ibus-dconf
+++ b/apparmor.d/groups/bus/ibus-dconf
@ -11,13 +11,11 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>

-  signal (receive) set=term peer=ibus-daemon,
-
-  unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????",          label=ibus-daemon),
-  unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon),
+  signal receive set=term peer=ibus-daemon,

  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
--- a/apparmor.d/groups/bus/ibus-portal
+++ b/apparmor.d/groups/bus/ibus-portal
@ -27,6 +27,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
  owner @{desktop_config_dirs}/ibus/bus/ r,
  owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,

+  owner @{att}/dev/tty@{int} rw,
  owner /dev/tty@{int} rw,

  include if exists <local/ibus-portal>
--- a/apparmor.d/groups/cron/cron-popularity-contest
+++ b/apparmor.d/groups/cron/cron-popularity-contest
@ -141,7 +141,6 @@ profile cron-popularity-contest @{exec_path} {
    network inet6 stream,
    network netlink raw,

-    @{bin}/perl r,
    @{bin}/gzip rix,

    /usr/share/popularity-contest/popcon-upload r,
--- a/apparmor.d/groups/gnome/gnome-initial-setup
+++ b/apparmor.d/groups/gnome/gnome-initial-setup
@ -74,6 +74,10 @@ profile gnome-initial-setup @{exec_path} {
  @{run}/systemd/sessions/@{int} r,
  @{run}/systemd/users/@{uid} r,

+        @{sys}/fs/cgroup/user.slice/cpu.max r,
+        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
+        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
+  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/gnome-initial-setup-first-login.service/memory.* r,

  @{sys}/devices/virtual/dmi/id/bios_vendor r,
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -103,6 +103,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  profile open flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/attached/consoles>
+    include <abstractions/consoles>
    include <abstractions/desktop>

    @{bin}/env rix,
--- a/apparmor.d/groups/gnome/mutter-x11-frames
+++ b/apparmor.d/groups/gnome/mutter-x11-frames
@ -14,6 +14,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
+  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/gnome-strict>
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -38,7 +38,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  dbus (send, receive) bus=session path=/org/gtk/Application/CommandLine
       interface=org.gtk.private.CommandLine
       member=Print
-       peer=(name=:*, label=nautilus),
+       peer=(name=@{busname}, label=nautilus),

  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
--- a/apparmor.d/groups/gnome/session-migration
+++ b/apparmor.d/groups/gnome/session-migration
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/session-migration
 profile session-migration @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf-write>
  include <abstractions/bus-session>
  include <abstractions/python>

@ -19,6 +20,7 @@ profile session-migration @{exec_path} {
  @{bin}/gsettings rPx,
  /usr/share/session-migration/scripts/* rix,

+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/session-migration/{,**} r,

  owner @{gdm_share_dirs}/session_migration-* rw,