feat(profile): general update.

roddhjav · Nov 27, 2023 · 209688f · 209688f · curiosityseeker · Nov 28, 2023
1 parent fade974
commit 209688f
Show file tree

Hide file tree

Showing 16 changed files with 37 additions and 30 deletions.
diff --git a/apparmor.d/abstractions/bwrap-app b/apparmor.d/abstractions/bwrap-app
@@ -109,6 +109,7 @@
 
   /dev/hidraw@{int} rw,
   /dev/input/ r,
+  /dev/ptmx rw,
   /dev/pts/ptmx rw,
   /dev/tty rw,
 

diff --git a/apparmor.d/abstractions/dbus-gtk b/apparmor.d/abstractions/dbus-gtk
@@ -1,6 +1,8 @@
 # apparmor.d - Full set of apparmor profiles
 # SPDX-License-Identifier: GPL-2.0-only
 
+  abi <abi/3.0>,
+
   dbus (send) bus=session path=/org/gtk/vfs/mounttracker
        interface=org.gtk.vfs.MountTracker
        member=ListMountableInfo

diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd
@@ -43,6 +43,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   capability dac_override,
   capability dac_read_search,
   capability fowner,
+  capability fsetid,
   capability kill,
   capability mknod,
   capability perfmon,

diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession
@@ -40,7 +40,7 @@ profile gdm-xsession @{exec_path} {
 
   @{bin}/dbus-update-activation-environment    rCx -> dbus,
   @{bin}/dpkg-query                            rpx,
-  @{bin}/flatpak                               rPUx,
+  @{bin}/flatpak                               rPx,
   @{bin}/gpgconf                               rPx,
   @{bin}/gsettings                             rPx,
   @{bin}/im-launch                             rPx,

diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
@@ -27,11 +27,13 @@ profile gnome-control-center-goa-helper @{exec_path} {
   network inet6 stream,
   network netlink raw,
 
+  signal (send) set=(kill) peer=bwrap,
+
   @{exec_path} mr,
 
   @{bin}/bwrap  rPUx,
 
-  @{lib}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
+  @{lib}/webkit2gtk-*/WebKitNetworkProcess rix,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/themes/{,**} r,
@@ -43,6 +45,7 @@ profile gnome-control-center-goa-helper @{exec_path} {
 
   owner @{user_cache_dirs}/gnome-control-center-goa-helper/{,**} rwl,
 
+  owner @{user_share_dirs}/gnome-control-center-goa-helper/{,**} rwk,
   owner @{user_share_dirs}/webkitgtk/{,**} rw,
   owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,
 

diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
@@ -69,7 +69,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{bin}/Xorg         rPx,
   /etc/sddm/Xsession  rPx,
 
-  @{bin}/flatpak     rPUx,
+  @{bin}/flatpak      rPx,
   @{bin}/sway        rPUx,
   @{bin}/xauth        rCx -> xauth,
   @{bin}/xsetroot     rPx,

diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession
@@ -36,7 +36,7 @@ profile sddm-xsession @{exec_path} {
   @{bin}/zsh        rix,
 
   @{bin}/dbus-update-activation-environment  rCx -> dbus,
-  @{bin}/flatpak                             rPUx,
+  @{bin}/flatpak                             rPx,
   @{bin}/numlockx                            rPx,
   @{bin}/xhost                               rPx,
   @{bin}/xrdb                                rPx,

diff --git a/apparmor.d/groups/kde/xdm-xsession b/apparmor.d/groups/kde/xdm-xsession
@@ -36,7 +36,7 @@ profile xdm-xsession @{exec_path} {
   @{bin}/whoami             rix,
 
   @{bin}/dbus-update-activation-environment rCx -> dbus,
-  @{bin}/flatpak                            rPUx,
+  @{bin}/flatpak                            rPx,
   @{bin}/pidof                              rPx,
   @{bin}/startplasma-x11                    rPx,
   @{bin}/systemctl                          rPx -> child-systemctl,
@@ -77,13 +77,7 @@ profile xdm-xsession @{exec_path} {
 
   owner @{user_share_dirs}/sddm/xorg-session.log rw,
 
-  owner @{run}/user/@{uid}/gnupg/ rw,
-  owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r,
-  owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw,
-  owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key rw,
-  owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
-  owner @{run}/user/@{uid}/gnupg/sshcontrol r,
-        @{run}/user/@{uid}/xauth_@{rand6} rl,
+  @{run}/user/@{uid}/xauth_@{rand6} rl,
 
   owner /tmp/ssh-*/ rw,
   owner /tmp/ssh-*/agent.* rw,

diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
@@ -54,10 +54,10 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 
   ptrace (read,trace) peer=@{systemd},
 
-  dbus send bus=system path=/org/freedesktop/login[0-9]
-    interface=org.freedesktop.login[0-9].Manager
+  dbus send bus=system path=/org/freedesktop/login1
+    interface=org.freedesktop.login1.Manager
     member={CreateSession,ReleaseSession}
-    peer=(name=org.freedesktop.login[0-9]),
+    peer=(name=org.freedesktop.login1),
 
   @{exec_path} mrix,
 

diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved
@@ -29,22 +29,21 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
   network inet6 stream,
   network netlink raw,
 
+  dbus bind bus=system name=org.freedesktop.resolve1,
+
+  dbus receive bus=system path=/org/freedesktop/resolve1
+       interface=org.freedesktop.{resolve1.Manager,DBus.Peer,DBus.Properties},
+
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={RequestName,GetConnectionUnixUser}
        peer=(name=org.freedesktop.DBus),
 
-  dbus receive bus=system path=/org/freedesktop/resolve[0-9]
-       interface=org.freedesktop.{resolve[0-9].Manager,DBus.Peer,DBus.Properties},
-
-  dbus receive bus=system path=/org/freedesktop/login[0-9]*
-       interface=org.freedesktop.login[0-9]*.Manager
+  dbus receive bus=system path=/org/freedesktop/login1
+       interface=org.freedesktop.login1.Manager
        member={PrepareForSleep,PrepareForShutdown}
        peer=(name=:*, label=systemd-logind),
 
-  dbus bind bus=system 
-       name=org.freedesktop.resolve[0-9],
-
   @{exec_path} mr,
 
   /etc/systemd/resolved.conf r,

diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
@@ -137,6 +137,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 
   @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} r,
   @{etc_rw}/libvirt/{,**} rw,
+  /etc/gnutls/config r,
   /etc/mdevctl.d/{,**} r,
   /etc/sasl2/qemu.conf r,
   /etc/xml/catalog r,

diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
@@ -50,7 +50,9 @@ profile snap @{exec_path} {
   @{bin}/systemctl        rPx -> child-systemctl,
 
   /snap/{,**} rw,
-  # @{lib_dirs}/snap-confine           rPx -> /usr/lib/snapd/snap-confine,
+  /snap/snapd/@{int}/usr/lib/snapd/snap-confine rPx,
+  @{lib}/snapd/snap-confine rPx,
+
   @{lib_dirs}/snapd/snap-seccomp     rPx,
   @{lib_dirs}/snapd/snapd            rPx,
 

diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
@@ -1,13 +1,14 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2022 Mikhail Morfikov
-# Copyright (C) 2022 Alexandre Pujol <[email protected]>
+# Copyright (C) 2021-2023 Alexandre Pujol <[email protected]>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
 
 include <tunables/global>
 
 @{exec_path} = @{bin}/sudo
+#@{bin}/su
 profile sudo @{exec_path} {
   include <abstractions/base>
   include <abstractions/app-launcher-root>
@@ -40,10 +41,10 @@ profile sudo @{exec_path} {
   signal (send) set=(cont,hup) peer=su,
   signal (send) set=(winch),
 
-  dbus send bus=system path=/org/freedesktop/login[0-9]
-       interface=org.freedesktop.login[0-9].Manager
+  dbus send bus=system path=/org/freedesktop/login1
+       interface=org.freedesktop.logi1.Manager
        member=CreateSession
-       peer=(name=org.freedesktop.login[0-9]),
+       peer=(name=org.freedesktop.login1),
 
   dbus (send receive) bus=session path=/org/freedesktop/systemd1
          interface=org.freedesktop.systemd.Manager

diff --git a/apparmor.d/profiles-s-z/transmission-gtk b/apparmor.d/profiles-s-z/transmission-gtk
@@ -33,6 +33,9 @@ profile transmission-gtk @{exec_path} {
 
   @{exec_path} mr,
 
+  @{bin}/xdg-open                                    rPx -> child-open,
+  @{lib}/gio-launch-desktop                          rPx -> child-open,
+
   /usr/share/X11/xkb/{,**} r,
 
   owner @{user_torrents_dirs}/ r,

diff --git a/apparmor.d/profiles-s-z/x11-xsession b/apparmor.d/profiles-s-z/x11-xsession
@@ -36,7 +36,7 @@ profile x11-xsession @{exec_path} {
   @{bin}/run-parts         rCx -> run-parts,
   @{bin}/udevadm           rCx -> udevadm,
 
-  @{bin}/flatpak          rPUx,
+  @{bin}/flatpak           rPx,
   @{bin}/xrdb              rPx,
   @{bin}/numlockx          rPx,
   @{bin}/xhost             rPx,

diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit
@@ -44,7 +44,7 @@ profile xinit @{exec_path} {
   @{bin}/run-parts   rCx -> run-parts,
   @{bin}/udevadm     rCx -> udevadm,
 
-  @{bin}/flatpak    rPUx,
+  @{bin}/flatpak     rPx,
   @{bin}/glxinfo     rPx,
   @{bin}/numlockx    rPx,
   @{bin}/X           rPx,