feat(profile): general update.

2025-01-09 22:58:53 +01:00 · 2025-01-09 22:58:53 +01:00 · fa85d909d7
commit fa85d909d7
parent 70c06a0547
19 changed files with 61 additions and 31 deletions
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -130,6 +130,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  /var/lib/update-notifier/dpkg-run-stamp rw,

  /var/log/apt/{,**} rw,
+  /var/log/ubuntu-advantage-apt-hook.log w,

  # For package building
  @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
--- a/apparmor.d/groups/bus/dbus-accessibility
+++ b/apparmor.d/groups/bus/dbus-accessibility
@ -26,6 +26,8 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
  signal (receive) set=(term hup kill) peer=dbus-session,
  signal (receive) set=(term hup kill) peer=gdm{,-session-worker},

+  unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0),
+
  #aa:dbus own bus=accessibility name=org.freedesktop.DBus
  #aa:dbus own bus=session name=org.a11y.{B,b}us
  dbus receive bus=accessibility path=/org/freedesktop/DBus
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@ -45,6 +45,11 @@ profile xorg @{exec_path} flags=(attach_disconnected) {

  network netlink raw,

+  dbus send bus=system path=/org/freedesktop/login1/session/*
+       interface=org.freedesktop.login1.Session
+       member=ReleaseControl
+       peer=(name=org.freedesktop.login1, label=systemd-logind),
+
  @{exec_path} mrix,

  @{sh_path}        rix,
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@ -50,7 +50,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
  @{bin}/plymouth                  rPx,
  @{bin}/prime-switch             rPUx,
  @{bin}/sleep                     rix,
-  @{bin}/systemd-cat               rPx,
+  @{bin}/systemd-cat               rix,
  @{lib}/{,gdm/}gdm-session-worker rPx,
  /etc/gdm{3,}/PrimeOff/Default    rix,

--- a/apparmor.d/groups/gnome/gdm-prime-defaut
+++ b/apparmor.d/groups/gnome/gdm-prime-defaut
@ -12,6 +12,9 @@ profile gdm-prime-defaut @{exec_path} flags=(complain) {

  @{exec_path} mr,

+  @{sh_path}           r,
+  @{bin}/prime-offload ix,
+
  include if exists <local/gdm-prime-defaut>
 }

--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@ -43,6 +43,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {

  #aa:dbus own bus=system name=org.freedesktop.NetworkManager

+  #aa:dbus talk bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant
  #aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld
  #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher
  #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@ -51,7 +51,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
  @{bin}/run-parts          rCx -> run-parts,
  @{bin}/sed                rix,
  @{bin}/systemctl          rCx -> systemctl,
-  @{bin}/systemd-cat        rPx,
+  @{bin}/systemd-cat        rix,
  @{bin}/tr                 rix,
  /usr/share/tlp/tlp-readconfs  rPUx,

--- a/apparmor.d/groups/ssh/sshfs
+++ b/apparmor.d/groups/ssh/sshfs
@ -13,6 +13,10 @@ profile sshfs @{exec_path} flags=(complain) {

  mount fstype=fuse.sshfs -> @{HOME}/*/,
  mount fstype=fuse.sshfs -> @{HOME}/*/*/,
+  mount fstype=fuse.sshfs -> @{MOUNTDIRS}/,
+  mount fstype=fuse.sshfs -> @{MOUNTS}/,
+  mount fstype=fuse.sshfs -> @{MOUNTS}/*/,
+  mount fstype=fuse.sshfs -> @{MOUNTS}/*/*/,

  unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none),

@ -33,6 +37,17 @@ profile sshfs @{exec_path} flags=(complain) {

    mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/,
    mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/,
+    mount fstype={fuse,fuse.sshfs} -> @{MOUNTDIRS}/,
+    mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/,
+    mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/*/,
+    mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/*/*/,
+    
+    umount @{HOME}/*/,
+    umount @{HOME}/*/*/,
+    umount @{MOUNTDIRS}/,
+    umount @{MOUNTS}/,
+    umount @{MOUNTS}/*/,
+    umount @{MOUNTS}/*/*/,

    unix (connect, send, receive) type=stream peer=(label="sshfs",addr=none),

--- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
+++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
@ -13,6 +13,7 @@ profile systemd-tty-ask-password-agent @{exec_path} {
  include <abstractions/common/systemd>

  capability dac_override,
+  capability dac_read_search,
  capability net_admin,
  capability sys_resource,

--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -95,6 +95,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
  @{run}/systemd/notify rw,
  @{run}/systemd/seats/seat@{int} r,

+  @{att}/@{run}/udev/control rw,
+
  @{run}/udev/ rw,
  @{run}/udev/** rwk,

--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@ -114,7 +114,7 @@ profile cockpit-bridge @{exec_path} {
    include <abstractions/base>
    include <abstractions/app/sudo>

-    signal (send receive) set=term peer=cockpit-bridge,
+    signal (send receive) set=(cont hup term) peer=cockpit-bridge,

    @{bin}/cockpit-bridge Px,
    @{lib}/cockpit/cockpit-askpass Px,
--- a/apparmor.d/groups/whonix/anondate
+++ b/apparmor.d/groups/whonix/anondate
@ -22,7 +22,7 @@ profile anondate @{exec_path} {
  @{bin}/grep rix,
  @{bin}/minimum-unixtime-show rix,
  @{bin}/rm rix,
-  @{bin}/systemd-cat rPx,
+  @{bin}/systemd-cat rix,
  @{bin}/tee rix,
  @{bin}/timeout rix,
  @{bin}/tor-circuit-established-check  rix,