feat(profile): general update.

2024-06-15 16:49:06 +01:00 · 2024-06-15 16:49:06 +01:00 · faab4928ed
commit faab4928ed
parent 79eed4b93d
23 changed files with 213 additions and 286 deletions
--- a/apparmor.d/groups/freedesktop/fc-cache
+++ b/apparmor.d/groups/freedesktop/fc-cache
@ -7,7 +7,9 @@ abi <abi/3.0>,

 include <tunables/global>

-@{exec_path} = /{snap/snapd/@{int}/,}{usr/,}bin/fc-cache{,-32,-v*}
+@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin}
+
+@{exec_path} = @{bin_dirs}/fc-cache{,-32,-v*}
 profile fc-cache @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/freedesktop/xdg-mime
+++ b/apparmor.d/groups/freedesktop/xdg-mime
@ -18,6 +18,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
  @{bin}/{,e}grep   rix,
  @{bin}/{m,g,}awk  rix,
  @{bin}/basename   rix,
+  @{bin}/cat        rix,
  @{bin}/cut        rix,
  @{bin}/file       rix,
  @{bin}/head       rix,
--- a/apparmor.d/groups/freedesktop/xdg-screensaver
+++ b/apparmor.d/groups/freedesktop/xdg-screensaver
@ -32,7 +32,7 @@ profile xdg-screensaver @{exec_path} {
  @{bin}/xset         rPx,
  @{bin}/hostname     rix,

-  /dev/dri/card[0-9] rw,
+  /dev/dri/card@{int} rw,

  owner @{HOME}/ r,
  owner @{HOME}/.Xauthority r,
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@ -48,7 +48,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
  @{run}/systemd/inhibit/[0-9]*.ref rw,

  owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw,
-  owner /var/tmp/etilqs_@{hex} rw,
+  owner /var/tmp/etilqs_@{hex16} rw,

        @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
  owner @{PROC}/@{pid}/mounts r,
--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
@ -55,7 +55,7 @@ profile aurpublish @{exec_path} {
  owner @{user_cache_dirs}/makepkg/src/* rw,
  owner @{user_config_dirs}/pacman/makepkg.conf r,

-  owner @{tmp}/tmp.* rw,
+  owner @{tmp}/tmp.@{rand10} rw,

  owner @{PROC}/@{pid}/maps r,

--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -146,6 +146,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {

  # Silencer,
  deny @{HOME}/ r,
+  deny @{HOME}/**/ r,
  deny /tmp/ r,

  profile gpg {
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -117,6 +117,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {

  @{sh_path}                    rix,
  @{bin}/ip                     rix,
+  @{bin}/nft                    rix,
  @{bin}/qemu-img               rUx, # TODO: Integration with virt-aa-helper
  @{bin}/qemu-system*           rUx, # TODO: Integration with virt-aa-helper
  @{bin}/tc                     rix,