From 049e89b3796551fdf732c8968a8e31f5b3578a36 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 28 Jan 2024 22:33:45 +0000 Subject: [PATCH] feat(profile): general update (2). --- apparmor.d/groups/apt/dpkg-preconfigure | 6 ++++-- apparmor.d/groups/cron/cron | 17 ++++++++++++++++- apparmor.d/groups/freedesktop/pipewire | 3 ++- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 11 +---------- .../groups/freedesktop/xdg-desktop-portal-gnome | 6 ++++++ apparmor.d/groups/freedesktop/xkbcomp | 3 ++- apparmor.d/groups/freedesktop/xorg | 1 + apparmor.d/groups/gnome/gjs-console | 2 +- apparmor.d/groups/gnome/gnome-shell | 4 +++- apparmor.d/groups/gnome/gnome-software | 1 + apparmor.d/groups/gnome/gsd-xsettings | 2 +- apparmor.d/groups/gnome/tracker-extract | 3 ++- .../systemd/systemd-generator-ds-identify | 1 + apparmor.d/groups/ubuntu/apport-gtk | 6 +++++- apparmor.d/profiles-a-f/adduser | 1 + apparmor.d/profiles-a-f/anacron | 16 +++++++++++++++- apparmor.d/profiles-a-f/apparmor.systemd | 3 +++ apparmor.d/profiles-a-f/apparmor_parser | 1 + apparmor.d/profiles-g-l/lvm | 1 + .../profiles-s-z/snapd-aa-prompt-listener | 2 +- apparmor.d/profiles-s-z/terminator | 5 +---- 21 files changed, 69 insertions(+), 26 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index b0e76d68..66b4fb36 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -27,10 +27,11 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/apt-extracttemplates rPx, @{bin}/whiptail rPx, - /etc/shadow r, + /usr/share/debconf/confmodule r, - /etc/inputrc r, /etc/debconf.conf r, + /etc/inputrc r, + /etc/shadow r, owner /tmp/*.template.* rw, owner /tmp/*.config.* rwPUx, 
@@ -40,6 +41,7 @@ profile dpkg-preconfigure @{exec_path} { owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk, owner /var/cache/debconf/tmp.ci/ r, owner /var/cache/debconf/tmp.ci/* rix, + owner /var/cache/debconf/tmp.ci/*.template.@{rand6} w, owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index b751d910..297b5a5d 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -31,7 +31,9 @@ profile cron @{exec_path} flags=(attach_disconnected) { @{bin}/{,ba,da}sh rix, @{bin}/nice rix, @{bin}/ionice rix, - @{bin}/run-parts rPx, + @{bin}/exim4 rPx, + @{bin}/run-parts rCx -> run-parts, # could even be rix, as long as we are not + # using the run-parts profile we are good @{lib}/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx, @{lib}/sysstat/debian-sa1 rPUx, @@ -61,5 +63,18 @@ profile cron @{exec_path} flags=(attach_disconnected) { /dev/tty rw, + profile run-parts { + include + + @{bin}/run-parts mr, + + /etc/cron.*/ r, + /etc/cron.*/* rPUx, + + owner /tmp/#@{int} rw, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 59873eb5..bd1598da 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -63,9 +63,10 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { @{sys}/bus/ r, @{sys}/bus/media/devices/ r, @{sys}/class/ r, - @{sys}/devices/**/device:*/**/path r, @{sys}/devices/@{pci}/usb@{int}/**/{idVendor,idProduct,removable,uevent} r, + @{sys}/devices/**/device:*/**/path r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,bios_vendor,board_vendor} r, + @{sys}/module/apparmor/parameters/enabled r, # deny ? owner @{PROC}/@{pid}/task/@{tid}/comm rw, 
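Review bot: The inline comment on `@{bin}/run-parts rCx -> run-parts,` says it "could even be rix", but `rix` would make run-parts inherit cron's whole rule set (including whatever capabilities cron holds) instead of the narrow child profile added below, so the comment should record why the child was chosen rather than hint at weakening it, e.g. `# child profile rather than rix: run-parts must not inherit cron's rules`. Inside the new `run-parts` child, `/etc/cron.*/* rPUx,` is the escape hatch out of this confinement: any job script without a dedicated profile runs fully unconfined, which deserves a one-line comment of its own. The same child profile is duplicated nearly verbatim in apparmor.d/profiles-a-f/anacron, differing only by `owner /tmp/file@{rand6} rw,`; keeping a single copy (a shared abstraction or the standalone run-parts profile) would stop the two from drifting apart.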
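Review bot: `@{sys}/module/apparmor/parameters/enabled r, # deny ?` commits an open question into the pipewire profile. The file is world-readable and only reveals whether AppArmor is active, so allowing the read is harmless; if it is merely a probe whose failure pipewire tolerates, `deny @{sys}/module/apparmor/parameters/enabled r,` keeps the log quiet without granting anything. Either way the trailing `# deny ?` should be replaced by the decision, with a short note on the probe's purpose if it is known.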
diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index 5b6fd1c1..2f6bdc8a 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -12,6 +12,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -21,16 +22,6 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { member=MakeThreadRealtimeWithPID peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), - dbus send bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=GetRegisteredEvents - peer=(name=:*, label=at-spi2-registryd), - - dbus send bus=session path=/ - interface=org.freedesktop.DBus - member={AddMatch,GetNameOwner} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - @{exec_path} mr, owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 04bca197..ca0dff4f 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -29,6 +29,8 @@ profile xdg-desktop-portal-gnome @{exec_path} { network unix stream, + signal (receive) set=term peer=gdm, + dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gnome, dbus send bus=session path=/org/gnome/Shell/Screenshot @@ -64,6 +66,10 @@ profile xdg-desktop-portal-gnome @{exec_path} { @{bin}/ r, @{bin}/* r, + /usr/share/dconf/profile/gdm r, + + /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, + /var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/snapd/desktop/icons/{,**} r, owner @{HOME}/*/{,**} rw, diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index eea9ce7a..b596b84f 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp 
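Review bot: The two `dbus send` rules removed from xdg-dbus-proxy (accessibility `org.a11y.atspi.Registry` GetRegisteredEvents, and session `org.freedesktop.DBus` AddMatch/GetNameOwner) are presumably absorbed by the abstraction added with the new `include` line at the top of the hunk, but the include target is not visible in this rendering, so the move cannot be confirmed from the page. If the new abstraction does not carry the `peer=(name=:*, label=at-spi2-registryd)` rule in particular, the proxy loses accessibility-bus access silently, since dbus denials typically surface only in the audit log. A commit-message line naming the abstraction that now provides these rules would make the change reviewable.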
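Review bot: The gdm fontconfig cache glob `/var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*}` is now spelled out in four profiles touched by this commit with diverging permissions: `rw` here in xdg-desktop-portal-gnome, `rwl` in gnome/gjs-console, `rw` in gnome/gsd-xsettings (raised from `r`) and `rw` in gnome/tracker-extract. If gjs-console needs `l` because the cache writer creates its lock or temporary files via link, the other three writers most likely need it too, and the divergence suggests the rule belongs in one shared abstraction rather than four hand-typed copies. Moving it there would also let a future permission change land in every consumer at once.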
+++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -34,9 +34,10 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { owner /tmp/server-@{int}.xkm rwk, /dev/dri/card@{int} rw, + /dev/fb@{int} rw, /dev/tty rw, /dev/tty@{int} rw, - + deny /dev/input/event@{int} rw, deny /var/log/Xorg.@{int}.log w, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 40b431dc..f7bbf3ac 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -23,6 +23,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { capability dac_override, capability dac_read_search, capability ipc_owner, + capability net_admin, capability perfmon, capability setgid, capability setuid, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index c82477b6..925a9efe 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -60,7 +60,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-shell/{,**} r, /usr/share/icu/@{int}.@{int}/*.dat r, - /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, + /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwl, /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw, /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, /var/lib/gdm{3,}/.config/dconf/user r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 2f5ce3aa..e7d38cd7 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -85,6 +85,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { # dbus: own bus=session name=org.gtk.Notifications # dbus: own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher + # TODO: org.gtk.Actions for com.rastersoft.dingextension + # Talk with gnome-shell # dbus: talk bus=session name=com.rastersoft.ding label=gnome-extension-ding 
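Review bot: `/dev/fb@{int} rw,` grants xkbcomp read/write access to the framebuffer, which a keymap compiler has no use for itself; next to `/dev/dri/card@{int} rw,` and `/dev/tty rw,` it looks like a descriptor inherited from the X server that spawns it, which AppArmor revalidates at exec. If so, the treatment this same hunk applies to `/dev/input/event@{int}` is the better fit: `deny /dev/fb@{int} rw,` silences the denial while the inherited descriptor is neutralised at exec instead of staying usable. Whichever is kept, a comment such as `# fds inherited from the X server` on this group of device rules would explain why a keymap compiler lists display devices at all.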
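Review bot: `capability net_admin,` is one of the broadest capabilities (interface and routing configuration, firewall rules, privileged socket options) and is added to the xorg profile without a comment saying which operation triggered it. If it stems from a single audited call that the server works fine without, `deny capability net_admin,` keeps the log quiet without granting it; if it is genuinely required, the rule needs a comment naming the operation so the next maintainer neither removes it nor copies it into other profiles. The hunk shows only the capability list, so the triggering operation cannot be determined from the page.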
@@ -259,7 +261,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.config/ibus/ rw, /var/lib/gdm{3,}/.config/ibus/bus/ rw, /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r, - /var/lib/gdm{3,}/.config/pulse/ r, + /var/lib/gdm{3,}/.config/pulse/ rw, /var/lib/gdm{3,}/.config/pulse/client.conf r, /var/lib/gdm{3,}/.config/pulse/cookie rwk, /var/lib/gdm{3,}/.local/share/applications/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index e6e93528..430ace3c 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -10,6 +10,7 @@ include profile gnome-software @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 27a27858..4079d00f 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -62,7 +62,7 @@ profile gsd-xsettings @{exec_path} { @{etc_ro}/xdg/Xwayland-session.d/ r, @{etc_ro}/xdg/Xwayland-session.d/* rix, - /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r, + /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm3/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index dda13e90..b63d810c 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract 
@@ -51,9 +51,10 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { /etc/fstab r, /var/lib/gdm{3,}/.cache/ rw, - /var/lib/gdm{3,}/.cache/tracker3/{,**} rw, + /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw, /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, + /var/lib/gdm{3,}/.cache/tracker3/{,**} rw, /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd/systemd-generator-ds-identify index f9969c8c..0252899a 100644 --- a/apparmor.d/groups/systemd/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify @@ -15,6 +15,7 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/{,ba,da}sh r, + @{bin}/uname rix, @{run}/cloud-init/.ds-identify.result r, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 6cd1b9bb..28239687 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -66,10 +66,12 @@ profile apport-gtk @{exec_path} { /etc/bash_completion.d/apport_completion r, /etc/cron.daily/apport r, /etc/default/apport r, + /etc/gtk-3.0/settings.ini r, /etc/init.d/apport r, /etc/logrotate.d/apport r, + /etc/pulse/client.conf r, + /etc/pulse/client.conf.d/{,**} r, /etc/xdg/autostart/*.desktop r, - /etc/gtk-3.0/settings.ini r, /var/crash/{,*.@{uid}.crash} rw, /var/lib/dpkg/info/ r, @@ -78,6 +80,8 @@ profile apport-gtk @{exec_path} { /var/lib/dpkg/info/*.md5sums r, /var/log/installer/media-info r, + owner @{user_config_dirs}/pulse/cookie rk, + @{run}/snapd.socket rw, owner @{run}/user/.mutter-Xwaylandauth.@{rand6} rw, diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index 149d3877..52d04bf5 100644 --- a/apparmor.d/profiles-a-f/adduser 
+++ b/apparmor.d/profiles-a-f/adduser @@ -27,6 +27,7 @@ profile adduser @{exec_path} { @{bin}/{,ba,da}sh rix, @{bin}/find rix, + @{bin}/logger rix, @{bin}/rm rix, @{bin}/chage rPx, diff --git a/apparmor.d/profiles-a-f/anacron b/apparmor.d/profiles-a-f/anacron index e3e843fa..5de7b805 100644 --- a/apparmor.d/profiles-a-f/anacron +++ b/apparmor.d/profiles-a-f/anacron @@ -14,7 +14,7 @@ profile anacron @{exec_path} { @{exec_path} mr, @{bin}/{,ba,da}sh rix, - @{bin}/run-parts rPx, + @{bin}/run-parts rCx -> run-parts, / r, /etc/anacrontab r, @@ -25,5 +25,19 @@ profile anacron @{exec_path} { /tmp/file* rw, + profile run-parts { + include + + @{bin}/run-parts mr, + + /etc/cron.*/ r, + /etc/cron.*/* rPUx, + + owner /tmp/#@{int} rw, + owner /tmp/file@{rand6} rw, + + include if exists + } + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/apparmor.systemd b/apparmor.d/profiles-a-f/apparmor.systemd index 653a9bd4..14af7a04 100644 --- a/apparmor.d/profiles-a-f/apparmor.systemd +++ b/apparmor.d/profiles-a-f/apparmor.systemd @@ -24,7 +24,9 @@ profile apparmor.systemd @{exec_path} flags=(complain) { @{bin}/getconf rix, @{bin}/ls rix, @{bin}/sed rix, + @{bin}/cat rix, @{bin}/sort rix, + @{bin}/sysctl rix, @{bin}/systemd-detect-virt rPx, @{bin}/xargs rix, @@ -41,6 +43,7 @@ profile apparmor.systemd @{exec_path} flags=(complain) { @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mounts r, @{PROC}/mounts r, + @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r, /dev/tty rw, diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser index f9ed8b15..d98b4623 100644 --- a/apparmor.d/profiles-a-f/apparmor_parser +++ b/apparmor.d/profiles-a-f/apparmor_parser @@ -18,6 +18,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{lib_dirs}/snapd/apparmor.d/{,**} r, + @{lib_dirs}/snapd/apparmor/{,**} r, /etc/apparmor.d/{,**} r, /etc/apparmor.d/cache.d/{,**} rw, 
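Review bot: The `\ No newline at end of file` marker after the closing `}` of the anacron profile means the file still ends without a trailing newline after this edit; since the commit rewrites the tail of the file, terminating the last line would fix that for free. The new run-parts child profile mirrors the one added to groups/cron/cron, with `owner /tmp/file@{rand6} rw,` as the only difference, so the same remark applies: `/etc/cron.*/* rPUx,` is the unconfined fallback for any job script without its own profile and deserves a comment. The enclosing profile's own `/tmp/file* rw,` (visible as context) is broader than the child's owner-restricted rule; if anacron itself only creates those files, tightening it to `owner /tmp/file@{rand6} rw,` would align the two.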
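Review bot: In apparmor.systemd, `@{bin}/cat rix,` is inserted between `sed` and `sort`, breaking the alphabetical order the rest of the exec list follows (getconf, ls, sed, sort, systemd-detect-virt, xargs); it belongs before `@{bin}/getconf rix,`. The new `@{bin}/sysctl rix,` and, in the second hunk, `@{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r,` presumably serve the same startup check; a one-line comment tying them together (`# reads apparmor_restrict_unprivileged_userns`) would make the pairing obvious. The enclosing profile carries `flags=(complain)`, so none of these rules are enforced yet, which is worth keeping in mind when the flag is eventually dropped.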
diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/profiles-g-l/lvm index 725452b5..85144b65 100644 --- a/apparmor.d/profiles-g-l/lvm +++ b/apparmor.d/profiles-g-l/lvm @@ -35,6 +35,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) { @{sys}/bus/ r, @{sys}/class/ r, @{sys}/devices/virtual/bdi/**/read_ahead_kb r, + @{sys}/devices/virtual/dmi/id/product_uuid r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener b/apparmor.d/profiles-s-z/snapd-aa-prompt-listener index 332e4051..1f1e6531 100644 --- a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener +++ b/apparmor.d/profiles-s-z/snapd-aa-prompt-listener @@ -12,7 +12,7 @@ include profile snapd-aa-prompt-listener @{exec_path} { include - @{exec_path} mr, + @{exec_path} mrix, @{lib_dirs}/snapd/info r, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 20b8c1fb..9c2bc946 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -14,13 +14,10 @@ profile terminator @{exec_path} flags=(attach_disconnected) { include include include - include - include - include + include include include include - include capability sys_ptrace,