From 02499d90f0f376bb162b626db0531047c548eedf Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 25 Mar 2023 15:48:59 +0000 Subject: [PATCH] feat(profiles): general update. --- apparmor.d/groups/apt/apt | 2 ++ apparmor.d/groups/apt/apt-methods-http | 1 + apparmor.d/groups/browsers/firefox | 1 + apparmor.d/groups/freedesktop/geoclue | 2 ++ apparmor.d/groups/freedesktop/plymouthd | 2 +- .../groups/freedesktop/xdg-document-portal | 2 +- apparmor.d/groups/freedesktop/xdg-user-dir | 4 +++ apparmor.d/groups/gnome/gnome-disks | 3 ++- .../groups/gnome/gsd-print-notifications | 1 + apparmor.d/groups/gnome/nautilus | 1 + apparmor.d/groups/gnome/tracker-extract | 1 + apparmor.d/groups/gnome/tracker-miner | 1 + apparmor.d/groups/gpg/gpg | 2 ++ apparmor.d/groups/gpg/gpg-agent | 3 ++- apparmor.d/groups/gpg/scdaemon | 2 +- apparmor.d/groups/gvfs/gvfsd-fuse | 2 +- apparmor.d/groups/network/mullvad-gui | 1 + apparmor.d/groups/pacman/aurpublish | 2 ++ apparmor.d/groups/pacman/mkinitcpio | 8 +++--- .../groups/pacman/pacman-hook-mkinitcpio | 1 + apparmor.d/groups/systemd/systemd-hwdb | 2 ++ apparmor.d/groups/systemd/systemd-inhibit | 4 +++ apparmor.d/groups/systemd/systemd-localed | 9 ++++--- apparmor.d/groups/systemd/systemd-resolve | 3 +++ apparmor.d/groups/systemd/systemd-udevd | 1 + .../groups/systemd/systemd-vconsole-setup | 5 +++- apparmor.d/groups/ubuntu/apt-esm-json-hook | 1 + apparmor.d/groups/virt/cockpit-bridge | 7 ++--- apparmor.d/groups/virt/cockpit-pcp | 5 ++++ apparmor.d/groups/virt/virtlogd | 8 +++--- apparmor.d/profiles-a-f/aa-log | 2 ++ apparmor.d/profiles-g-l/gsettings | 4 ++- apparmor.d/profiles-g-l/logrotate | 6 ++--- .../profiles-m-r/needrestart-dpkg-status | 2 ++ apparmor.d/profiles-m-r/os-prober | 1 + apparmor.d/profiles-m-r/packagekitd | 4 +-- apparmor.d/profiles-m-r/pass | 27 ++++++++++++++++--- apparmor.d/profiles-m-r/pcscd | 2 ++ apparmor.d/profiles-s-z/spice-vdagent | 4 +++ .../profiles-s-z/update-ca-certificates | 8 +++--- .../profiles-s-z/update-command-not-found | 2 ++ apparmor.d/profiles-s-z/virt-manager | 3 +++ 42 
files changed, 119 insertions(+), 33 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 7a86245b..caa340a6 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -228,7 +228,9 @@ profile apt @{exec_path} flags=(attach_disconnected) { profile systemctl { include + include + capability net_admin, capability sys_resource, ptrace (read), diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 7eebc705..6b5a5083 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -66,6 +66,7 @@ profile apt-methods-http @{exec_path} { owner /tmp/aptitude-root.*/aptitude-download-* rw, owner /tmp/apt-changelog-*/*.changelog rw, + @{run}/ubuntu-advantage/aptnews.json rw, @{run}/resolvconf/resolv.conf r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 757a0b8c..948a82ea 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -143,6 +143,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { # Desktop integration @{libexec}/gvfsd-metadata rPx, /{usr/,}bin/exo-open rPx -> child-open, + /{usr/,}bin/gnome-software rPx, /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/update-mime-database rPx, /{usr/,}bin/xdg-open rPx -> child-open, diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 74ded345..cf5a2c51 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -74,6 +74,8 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { /etc/geoclue/{,**} r, + /var/lib/nscd/services r, + @{run}/systemd/journal/socket rw, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index a0b05cab..9445028f 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd 
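Review bot: The new `@{run}/ubuntu-advantage/aptnews.json rw,` gives write access to a system-wide runtime file to the component that parses untrusted HTTP responses, and unlike the neighbouring `/tmp` rules it carries no `owner` qualifier. If the method only consumes the news file, `r` is sufficient; if it genuinely writes it, the rule should say who else touches that path so the `w` is not cargo-culted into other apt methods. Suggested: `@{run}/ubuntu-advantage/aptnews.json r, # ubuntu-advantage apt-news hook` — or keep `rw` with an `owner` qualifier if the method itself creates the file. The `profile apt-methods-http` body continues outside the hunk.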
@@ -46,7 +46,7 @@ profile plymouthd @{exec_path} { @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/class/graphics/ r, - @{sys}/devices/pci[0-9]*/**/{,uevent,vendor.device} r, + @{sys}/devices/pci[0-9]*/**/{,uevent,vendor,device} r, @{sys}/devices/pci[0-9]*/**/{,uevent} r, @{sys}/devices/virtual/graphics/fbcon/uevent r, @{sys}/devices/virtual/tty/console/active r, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 2549c008..5152d6c4 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -105,7 +105,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/fusermount{,3} mr, - /etc/fuse.conf r, + /etc/fuse{,3}.conf r, mount options=(rw, rprivate) -> /, mount options=(rw, rbind) @{run}/user/@{uid}/ -> /, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dir b/apparmor.d/groups/freedesktop/xdg-user-dir index 9115c358..8c22068e 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dir +++ b/apparmor.d/groups/freedesktop/xdg-user-dir @@ -17,5 +17,9 @@ profile xdg-user-dir @{exec_path} { owner @{user_config_dirs}/user-dirs.dirs r, + # Silencer + deny network inet stream, + deny network inet6 stream, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/gnome/gnome-disks b/apparmor.d/groups/gnome/gnome-disks index 317c97ce..27ac6ecd 100644 --- a/apparmor.d/groups/gnome/gnome-disks +++ b/apparmor.d/groups/gnome/gnome-disks @@ -12,6 +12,7 @@ profile gnome-disks @{exec_path} { include include include + include @{exec_path} mr, @@ -23,8 +24,8 @@ profile gnome-disks @{exec_path} { owner @{user_cache_dirs}/gnome-disks/{,**} rw, - owner @{PROC}/@{pid}/cgroup r, @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, include if exists } \ No newline at end of file 
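Review bot: With the brace list fixed, `@{sys}/devices/pci[0-9]*/**/{,uevent,vendor,device} r,` already covers everything matched by the following context line `@{sys}/devices/pci[0-9]*/**/{,uevent} r,`, so that second rule is now pure duplication. Dropping it leaves one rule per path set and avoids the two drifting apart again the way the `vendor.device` typo did. Suggested: remove the `{,uevent}` line and keep only the four-alternative rule. The `profile plymouthd` body continues outside the hunk.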
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 4445412e..f1dfabe4 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -80,6 +80,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { @{libexec}/gsd-printer rPx, /etc/machine-id r, + /etc/cups/client.conf r, @{run}/cups/cups.sock rw, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 191832c1..3d1cf508 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -43,6 +43,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/net rPUx, /{usr/,}bin/firejail rPUx, /{usr/,}bin/bwrap rPUx, /{usr/,}lib/gio-launch-desktop rPx -> child-open, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 44f63542..34576d60 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -76,6 +76,7 @@ profile tracker-extract @{exec_path} { /usr/share/tracker3/{,**} r, /usr/share/gvfs/remote-volume-monitors/{,*} r, + /etc/blkid.conf r, /etc/fstab r, /etc/libva.conf r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 1e356fe5..530a29fa 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -85,6 +85,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { /usr/share/tracker3/{,**} r, /etc/fstab r, + /etc/blkid.conf r, /var/lib/flatpak/exports/share/applications/{,mimeinfo.cache} r, /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index f8f1ed2b..ac9ff3bc 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg 
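Review bot: `/{usr/,}bin/net rPUx,` lets Samba's `net` administration tool run fully unconfined whenever no `net` profile is loaded, and the rule gives no hint why nautilus needs it. Presumably this serves the share-folder extension's `net usershare` calls; stating that keeps the fallback from being widened later, e.g. `/{usr/,}bin/net rPUx, # nautilus-share: net usershare`. If a dedicated `net` profile exists or can be added, `rPx` would be preferable for a binary that can also join domains and manage shares. The `profile nautilus` body continues outside the hunk.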
@@ -45,6 +45,8 @@ profile gpg @{exec_path} { owner /var/lib/*/.gnupg/ rw, owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, + owner /tmp/tmp.[a-zA-Z0-9]* rw, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat rw, diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index 81b0ab21..5d501337 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent @@ -17,8 +17,9 @@ profile gpg-agent @{exec_path} { @{exec_path} mr, - /{usr/,}lib/gnupg/scdaemon rPx, /{usr/,}bin/pinentry{,-*} rPx, + /{usr/,}bin/scdaemon rPx, + /{usr/,}lib/gnupg/scdaemon rPx, /usr/share/gnupg/* r, diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon index 1ebaaaa1..611e4c17 100644 --- a/apparmor.d/groups/gpg/scdaemon +++ b/apparmor.d/groups/gpg/scdaemon @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}lib/gnupg/scdaemon +@{exec_path} = /{usr/,}bin/scdaemon /{usr/,}lib/gnupg/scdaemon profile scdaemon @{exec_path} { include include diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index af763517..7583e26c 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -53,7 +53,7 @@ profile gvfsd-fuse @{exec_path} { /{usr/,}bin/fusermount{,3} mr, - /etc/fuse.conf r, + /etc/fuse{,3}.conf r, /etc/machine-id r, @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 02a13e73..d0df2371 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -47,6 +47,7 @@ profile mullvad-gui @{exec_path} { /var/lib/dbus/machine-id r, owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk, + owner @{user_cache_dirs}/dconf/user rw, owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, 
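Review bot: `owner /tmp/tmp.[a-zA-Z0-9]* rw,` matches every default-template `mktemp` file the user owns in the shared `/tmp`, not only the ones gpg is meant to touch, and there is no comment naming the caller that creates them. Without that a reader cannot tell whether this is ciphertext input, `--output`, or a status file, so the pattern can never be narrowed safely. Suggested: `owner /tmp/tmp.[a-zA-Z0-9]* rw, # mktemp file passed by <caller> as gpg input/--output`, with the actual caller filled in. The `profile gpg` body continues outside the hunk.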
diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index e79ee736..47fcf75c 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish @@ -17,6 +17,7 @@ profile aurpublish @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/cat rix, /{usr/,}bin/chmod rix, + /{usr/,}bin/curl rix, /{usr/,}bin/date rix, /{usr/,}bin/gettext rix, /{usr/,}bin/git rPx, @@ -25,6 +26,7 @@ profile aurpublish @{exec_path} { /{usr/,}bin/makepkg rix, /{usr/,}bin/mkdir rix, /{usr/,}bin/mktemp rix, + /{usr/,}bin/mv rix, /{usr/,}bin/nproc rix, /{usr/,}bin/rm rix, /{usr/,}bin/sha512sum rix, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index a85c70e9..083b5688 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -35,7 +35,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/gzip rix, /{usr/,}bin/hexdump rix, /{usr/,}bin/install rix, - /{usr/,}bin/ldconfig rix, + /{usr/,}{s,}bin/ldconfig rix, /{usr/,}bin/ldd rix, /{usr/,}bin/ln rix, /{usr/,}bin/loadkeys rix, @@ -94,14 +94,14 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /boot/initramfs-*.img* rw, /boot/vmlinuz-* r, - @{sys}/class/block/ r, - @{sys}/devices/{,**} r, - # Temp files owner @{run}/initramfs/{,**} rw, owner @{run}/mkinitcpio.*/{,**} rw, owner /tmp/mkinitcpio.*/{,**} rw, + @{sys}/class/block/ r, + @{sys}/devices/{,**} r, + owner @{PROC}/@{pid}/mountinfo r, # Inherit silencer diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index 86e8ea45..58c4fd8e 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -24,6 +24,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/install rix, /{usr/,}bin/mkinitcpio rPx, /{usr/,}bin/mv rix, + /{usr/,}bin/od rix, /{usr/,}bin/rm rix, /{usr/,}bin/sed rix, 
diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb index 86b063f9..945c555e 100644 --- a/apparmor.d/groups/systemd/systemd-hwdb +++ b/apparmor.d/groups/systemd/systemd-hwdb @@ -16,6 +16,8 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/udev/.#hwdb.bin[0-9a-zA-Z]* w, /{usr/,}lib/udev/hwdb.bin w, + /etc/udev/.#hwdb.bind* rw, + /etc/udev/hwdb.bin rw, /etc/udev/hwdb.d/{,*} r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/systemd/systemd-inhibit b/apparmor.d/groups/systemd/systemd-inhibit index a6c784df..c9ca2152 100644 --- a/apparmor.d/groups/systemd/systemd-inhibit +++ b/apparmor.d/groups/systemd/systemd-inhibit @@ -9,12 +9,16 @@ include @{exec_path} = /{usr/,}bin/systemd-inhibit profile systemd-inhibit @{exec_path} flags=(attach_disconnected) { include + include capability net_admin, + capability sys_resource, @{exec_path} mr, /{usr/,}bin/cat rix, + @{run}/systemd/inhibit/*.ref rw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index a7f8c16b..0dd7b0f3 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -32,15 +32,18 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, /usr/share/kbd/keymaps/{,**} r, - /usr/share/systemd/language-fallback-map r, + /usr/share/systemd/*-map r, /usr/share/X11/xkb/rules/evdev r, + /etc/.#vconsole.conf* rw, /etc/default/.#locale* rw, /etc/default/keyboard r, /etc/default/locale rw, /etc/locale.conf r, - /etc/vconsole.conf r, - /etc/X11/xorg.conf.d/*.conf r, + /etc/vconsole.conf rw, + /etc/X11/xorg.conf.d/ r, + /etc/X11/xorg.conf.d/.#*.confd* rw, + /etc/X11/xorg.conf.d/*.conf rw, @{run}/systemd/notify rw, diff --git a/apparmor.d/groups/systemd/systemd-resolve b/apparmor.d/groups/systemd/systemd-resolve index 2974f5f3..def05d9a 100644 --- a/apparmor.d/groups/systemd/systemd-resolve 
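Review bot: `/etc/udev/.#hwdb.bind* rw,` looks copied from a single audit log line: as far as I know systemd writes the update through a temporary `.#hwdb.bin` name followed by a random suffix, so the literal `d` after `bin` only matches when that suffix happens to start with `d` and the rule will fail intermittently. The context rule two lines above, `/{usr/,}lib/udev/.#hwdb.bin[0-9a-zA-Z]* w,`, already has the right shape; mirror it: `/etc/udev/.#hwdb.bin[0-9a-zA-Z]* rw,`. Also check whether `r` is really needed on the temp file and on `/etc/udev/hwdb.bin`, since the `/usr/lib` counterpart gets `w` only. The `profile systemd-hwdb` body continues outside the hunk.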
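Review bot: `/etc/X11/xorg.conf.d/*.conf rw,` turns what was a read rule for every Xorg config snippet into write access on all of them, although localed only manages its own keyboard snippet (`00-keyboard.conf` on the systems I know), and `/etc/X11/xorg.conf.d/.#*.confd* rw,` carries the same suspicious literal `d` after `conf` as the hwdb change, which only matches a random temp suffix beginning with `d`. Narrow both to the file localed actually writes — `/etc/X11/xorg.conf.d/00-keyboard.conf rw,` and `/etc/X11/xorg.conf.d/.#00-keyboard.conf* rw,` — and keep the previous `/etc/X11/xorg.conf.d/*.conf r,` for the rest. If some distribution makes localed write a differently named snippet, record that path in a comment rather than opening the whole directory. The `profile systemd-localed` body continues outside the hunk.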
+++ b/apparmor.d/groups/systemd/systemd-resolve @@ -18,5 +18,8 @@ profile systemd-resolve @{exec_path} { @{exec_path} mr, + @{PROC}/ r, + owner @{PROC}/@{pids}/fd/ r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 11f3e48c..c286a1d1 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -61,6 +61,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) { /{usr/,}lib/gdm-runtime-config rPx, /{usr/,}lib/systemd/systemd-* rPx, /{usr/,}lib/udev/* rPUx, + /{usr/,}lib/open-iscsi/net-interface-handler rPUx, /usr/share/hplip/config_usb_printer.py rPUx, /etc/console-setup/*.sh rPUx, diff --git a/apparmor.d/groups/systemd/systemd-vconsole-setup b/apparmor.d/groups/systemd/systemd-vconsole-setup index 585b841c..2992b678 100644 --- a/apparmor.d/groups/systemd/systemd-vconsole-setup +++ b/apparmor.d/groups/systemd/systemd-vconsole-setup @@ -14,6 +14,7 @@ profile systemd-vconsole-setup @{exec_path} { include capability dac_override, + capability net_admin, capability sys_ptrace, capability sys_resource, capability sys_tty_config, @@ -23,9 +24,11 @@ profile systemd-vconsole-setup @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/gzip rix, /{usr/,}bin/loadkeys rix, + /{usr/,}bin/setfont rix, + /{usr/,}bin/gzip rix, / r, - /usr/share/kbd/keymaps/{,**} r, + /usr/share/kbd/{,**} r, /etc/vconsole.conf r, diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index f4e6f7a5..de6cc303 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -19,6 +19,7 @@ profile apt-esm-json-hook @{exec_path} { /{usr/,}bin/dpkg rPx, /var/lib/ubuntu-advantage/{,**} r, + /var/lib/ubuntu-advantage/apt-esm/{,**} rw, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, 
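Review bot: `/{usr/,}bin/gzip rix,` is added a second time although the identical rule is still present as a context line two lines above, so the hunk leaves a duplicate in the profile. Drop the second copy and keep the genuinely new `/{usr/,}bin/setfont rix,`. The added `capability net_admin,` also deserves a one-line justification, since it is unusual for a console setup tool; if it is the usual systemd socket-buffer adjustment, say so: `capability net_admin, # sd_notify/journal socket buffer sizes`. The `profile systemd-vconsole-setup` body continues outside the hunk.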
diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index ae5324f6..6817e508 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -45,14 +45,15 @@ profile cockpit-bridge @{exec_path} { @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* rw, @{run}/utmp r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, @{PROC}/@{pids}/net/dev r, @{PROC}/1/cgroup r, @{PROC}/cmdline r, @{PROC}/diskstats r, + @{PROC}/loadavg r, @{PROC}/uptime r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, /dev/ptmx rw, diff --git a/apparmor.d/groups/virt/cockpit-pcp b/apparmor.d/groups/virt/cockpit-pcp index ee17cbc2..014128ab 100644 --- a/apparmor.d/groups/virt/cockpit-pcp +++ b/apparmor.d/groups/virt/cockpit-pcp @@ -28,6 +28,11 @@ profile cockpit-pcp @{exec_path} { /var/log/pcp/pmlogger/ r, + @{sys}/fs/cgroup/{,**/} r, + @{sys}/fs/cgroup/**/{memory,cpu}* r, + @{sys}/devices/platform/**/hwmon/hwmon[0-9]*/temp* r, + @{sys}/devices/platform/**/hwmon/hwmon[0-9]*/fan* r, + @{PROC}/diskstats r, @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/virt/virtlogd b/apparmor.d/groups/virt/virtlogd index 90599bf0..494ffde1 100644 --- a/apparmor.d/groups/virt/virtlogd +++ b/apparmor.d/groups/virt/virtlogd @@ -9,12 +9,12 @@ include @{exec_path} = /{usr/,}{s,}bin/virtlogd profile virtlogd @{exec_path} flags=(attach_disconnected) { include - include include + include ptrace (read) peer=libvirtd, - ptrace (read) peer=virtqemud, ptrace (read) peer=unconfined, + ptrace (read) peer=virtqemud, @{exec_path} mr, 
@@ -29,17 +29,17 @@ profile virtlogd @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/libvirt/virtlogd* w, @{run}/libvirt/common/system.token rwk, - @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/libvirt/virtlogd-sock rw, + @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/virtlogd.pid rwk, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]*/meminfo r, - owner @{PROC}/@{pid}/stat r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, + owner @{PROC}/@{pid}/stat r, /dev/dri/ r, diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log index e34b00d9..9bdc4d69 100644 --- a/apparmor.d/profiles-a-f/aa-log +++ b/apparmor.d/profiles-a-f/aa-log @@ -11,6 +11,8 @@ profile aa-log @{exec_path} { include include + capability dac_read_search, + @{exec_path} mr, /{usr/,}bin/journalctl rix, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index e9db3c5a..6b5fc2fa 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -17,7 +17,9 @@ profile gsettings @{exec_path} { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - owner /dev/tty[0-9]* rw, + /var/lib/gdm/.config/dconf/user r, + + /dev/tty[0-9]* rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 9313a1f0..b9aa7736 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -65,9 +65,9 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, /etc/ r, - /etc/logrotate.conf rk, - /etc/logrotate.d/ r, - /etc/logrotate.d/* rk, + @{etc_ro}/logrotate.conf rk, + @{etc_ro}/logrotate.d/ r, + @{etc_ro}/logrotate.d/* rk, / r, /var/log{,.hdd}/ r, diff --git a/apparmor.d/profiles-m-r/needrestart-dpkg-status b/apparmor.d/profiles-m-r/needrestart-dpkg-status index 396ac8a9..1054ae25 100644 
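Review bot: Changing `owner /dev/tty[0-9]* rw,` to `/dev/tty[0-9]* rw,` lets gsettings open any virtual console it can pass DAC on, not only the caller's own, and nothing in the hunk explains why the `owner` qualifier had to go. The sibling `/var/lib/gdm/.config/dconf/user r,` suggests the trigger is the GDM greeter running gsettings on a console the `gdm` user does not own; if so, record it so the loosening is not copied elsewhere: `/dev/tty[0-9]* rw, # gdm greeter: the console is not owned by the gdm user`. If the tty is only needed to determine the current VT, `r` would be tighter still.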
--- a/apparmor.d/profiles-m-r/needrestart-dpkg-status +++ b/apparmor.d/profiles-m-r/needrestart-dpkg-status @@ -11,6 +11,8 @@ profile needrestart-dpkg-status @{exec_path} { include include + capability dac_read_search, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index 556f52f8..2d54eb27 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -41,6 +41,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/udevadm rPx, /{usr/,}bin/umount rix, /{usr/,}bin/uname rix, + /{usr/,}lib/newns rix, /{usr/,}lib/os-prober/* rix, /{usr/,}lib/os-probes/{,**} rix, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index a37c9efe..3e756a4b 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -157,8 +157,8 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { owner /etc/pacman.d/gnupg/ r, # only: arch owner /etc/pacman.d/gnupg/** rwkl -> /tmp/pacman.d/gnupg/**, - owner /var/tmp/zypp.*/zypp-trusted-*/ r, # only: opensuse - owner /var/tmp/zypp.*/zypp-trusted-*/** rwkl -> /var/tmp/zypp.*/zypp-trusted-*/**, + owner /var/tmp/zypp.*/zypp-*/ r, # only: opensuse + owner /var/tmp/zypp.*/zypp-*/** rwkl -> /var/tmp/zypp.*/zypp-trusted-*/**, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 9e10af0e..c3baca5a 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -42,7 +42,7 @@ profile pass @{exec_path} { /{usr/,}bin/which rix, /{usr/,}bin/git rCx -> git, - /{usr/,}bin/gpg{2,} rUx, + /{usr/,}bin/gpg{2,} rCx -> gpg, /{usr/,}bin/qdbus rCx -> qdbus, /{usr/,}bin/vim{,.*} rCx -> editor, /{usr/,}bin/wl-{copy,paste} rPx, 
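Review bot: The source pattern was widened from `zypp-trusted-*` to `zypp-*`, but the link target on the same rule still reads `-> /var/tmp/zypp.*/zypp-trusted-*/**`, so a file in any other `zypp-<x>` directory may now be read and written but not linked within its own tree. If the widening is intentional the target should follow it: `owner /var/tmp/zypp.*/zypp-*/** rwkl -> /var/tmp/zypp.*/zypp-*/**,`. If only the trusted keyring directory is meant, revert the source pattern instead — the asymmetric form is hard to reason about. The `profile packagekitd` body continues outside the hunk.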
@@ -116,7 +116,7 @@ profile pass @{exec_path} { /{usr/,}bin/less rPx -> child-pager, /{usr/,}bin/more rPx -> child-pager, - /{usr/,}bin/gpg{2,} rUx, + /{usr/,}bin/gpg{2,} rPx -> pass//gpg, /usr/share/git-core/{,**} r, @@ -135,7 +135,28 @@ profile pass @{exec_path} { include if exists } - profile qdbus { + profile gpg flags=(complain) { + include + include + + capability dac_read_search, + + /{usr/,}bin/gpg{,2} mr, + + owner @{HOME}/@{XDG_GPG_DIR}/ rw, + owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + + owner @{user_password_store_dirs}/ rw, + owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, + owner @{user_projects_dirs}/**/*-store/ rw, + owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**, + owner @{user_config_dirs}/*-store/ rw, + owner @{user_config_dirs}/*-store/** rwkl -> @{user_config_dirs}/*-store/**, + + include if exists + } + + profile qdbus { include /{usr/,}bin/qdbus mr, diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index 3e38c7ee..8a2a7dc4 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -11,6 +11,8 @@ profile pcscd @{exec_path} { include include + capability sys_ptrace, + network netlink raw, ptrace (read) peer=rngd, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 8b9b6068..d0fa7e8c 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -49,8 +49,12 @@ profile spice-vdagent @{exec_path} { @{exec_path} mr, + /usr/share/pipewire/client-rt.conf r, + /etc/pipewire/client.conf r, + /var/lib/nscd/passwd r, + owner @{user_config_dirs}/user-dirs.dirs r, @{run}/spice-vdagentd/spice-vdagent-sock rw, diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index b5e0d280..9c08bed7 100644 --- a/apparmor.d/profiles-s-z/update-ca-certificates 
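Review bot: The new `profile gpg flags=(complain)` child only logs denials, so until the flag is removed `pass` has effectively moved gpg from `rUx` to an audited-but-unenforced profile; a `# TODO: drop complain once the gpg rules are confirmed` on the `profile gpg flags=(complain) {` line keeps that from being forgotten. Inside it, `owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,` hard-codes the link target while the source uses the variable, so if that variable expands to anything other than `~/.password-store` the store can be read and written but not linked within itself; use `-> @{user_password_store_dirs}/**` as the sibling `*-store` rules do. The `capability dac_read_search,` also lacks a justification — gpg running as the user should not need to bypass DAC on its own keyring — so please document the case that required it or drop it.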
+++ b/apparmor.d/profiles-s-z/update-ca-certificates @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -19,16 +20,17 @@ profile update-ca-certificates @{exec_path} { /{usr/,}bin/basename rix, /{usr/,}bin/cat rix, /{usr/,}bin/chmod rix, + /{usr/,}bin/find rix, + /{usr/,}bin/flock rix, + /{usr/,}bin/ln rix, /{usr/,}bin/mktemp rix, /{usr/,}bin/mv rix, /{usr/,}bin/readlink rix, /{usr/,}bin/rm rix, /{usr/,}bin/sed rix, /{usr/,}bin/sort rix, - /{usr/,}bin/wc rix, - /{usr/,}bin/find rix, - /{usr/,}bin/ln rix, /{usr/,}bin/test rix, + /{usr/,}bin/wc rix, /{usr/,}bin/openssl rix, diff --git a/apparmor.d/profiles-s-z/update-command-not-found b/apparmor.d/profiles-s-z/update-command-not-found index 3647063b..e61a956d 100644 --- a/apparmor.d/profiles-s-z/update-command-not-found +++ b/apparmor.d/profiles-s-z/update-command-not-found @@ -16,6 +16,8 @@ profile update-command-not-found @{exec_path} { include include + capability dac_read_search, + @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index da4c4c84..85ba9578 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -48,6 +48,9 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/ssh rPx, /{usr/,}lib/spice-client-glib-usb-acl-helper rPx, + /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open, + /{usr/,}lib/gio-launch-desktop rPx -> child-open, + /usr/share/egl/{,**} r, /usr/share/gtksourceview-4/{,**} r, /usr/share/hwdata/*.ids r,