New comment by paper42 on void-packages repository https://github.com/void-linux/void-packages/pull/30139#issuecomment-823664610

Comment:

> Not sure if forcing 600 on /etc/apparmor.d is a good idea, I don't see any harm in them being readable.

> I agree that apparmor files can be world readable - makes inspection easier. Do you have any argument for it beyond being the default from genprof?

I don't have a good reason, I just thought it was annoying having some profiles readable by my user and some not. I fixed the script to change permissions to 644 only if the profile is executable (mask 111).

> Would also make sense to also make sure nothing is o+w, there were/are a few packages that did that:
> https://gist.github.com/Duncaen/125a44a4e9f159141bcaade111a182e6
> In those cases its probably better to abort instead of trying to fix them.

Great idea, I added it to the script. It requires iterating over all files in the script, so some directories are scanned twice, but I think it's not a big problem.

I also added 3 new rules:

* /usr/include - 644 - http-parser-devel (755), cups (444). Are there reasons not to force permissions here that I don't know about?
* /usr/share/applications - 644 - KDE applications often violate this rule: falkon, kate5, kde-cli-tools, kdevelop, khelpcenter, kinfocenter, kio, kmenuedit, knewstuff, konsole, kronometer, ksysguard, okteta, plasma-desktop, plasma-workspace, syncthing, systemsettings
* /usr/share/icons - 644 - no known violations. Since there are no known violations, is it worth including this rule?
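The checks described in the comment, as an added sketch rather than the PR's own hook: abort on anything world-writable instead of fixing it, then normalize the named directories to 644. It assumes a package DESTDIR as the first argument, that only the four directories named above are covered, that in etc/apparmor.d files with any execute bit (mask 111) are left alone, and that the other three directories are forced to 644 outright; the function and variable names are mine.

```sh
# Added example, not the hook from the PR. Assumes a DESTDIR argument and
# the directory list from the comment; GNU find/chmod/stat (Linux).

# Profiles here are set to 0644 unless they carry an execute bit (mask 111).
APPARMOR_DIR="etc/apparmor.d"
# Every regular file under these directories is forced to 0644.
FORCE_644_DIRS="usr/include usr/share/applications usr/share/icons"

# Abort (return 1) if any regular file or directory is world-writable,
# listing the offenders on stderr rather than silently fixing them.
# Symlinks are skipped: their own mode is 0777 on Linux and would be noise.
check_world_writable() {
    destdir="$1"
    offenders=$(find "$destdir" \( -type f -o -type d \) -perm -002)
    if [ -n "$offenders" ]; then
        printf 'ERROR: world-writable paths in %s:\n%s\n' "$destdir" "$offenders" >&2
        return 1
    fi
    return 0
}

# Normalize permissions under the listed directories; chmod -v prints one
# line per file it changed so the build log shows what was touched.
fix_permissions() {
    destdir="$1"
    if [ -d "$destdir/$APPARMOR_DIR" ]; then
        # Leave executables (any of the 111 bits) alone, fix the rest to 0644.
        find "$destdir/$APPARMOR_DIR" -type f ! -perm 644 \
            ! \( -perm -100 -o -perm -010 -o -perm -001 \) \
            -exec chmod -v 644 {} +
    fi
    for d in $FORCE_644_DIRS; do
        [ -d "$destdir/$d" ] || continue
        find "$destdir/$d" -type f ! -perm 644 -exec chmod -v 644 {} +
    done
}

# Octal mode of a path (GNU stat); handy for checking results afterwards.
mode_of() {
    stat -c '%a' "$1"
}

# Run directly as: sh fix_perms.sh /path/to/destdir (hypothetical file name).
if [ -n "$1" ]; then
    check_world_writable "$1" && fix_permissions "$1"
fi
```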