feat(profile): general update (2).

2025-01-18 00:48:10 +01:00 · 2024-01-28 22:33:45 +00:00 · 2024-01-28 22:33:45 +00:00 · 049e89b379
commit 049e89b379
parent 9b49999414
21 changed files with 69 additions and 26 deletions
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@ -27,10 +27,11 @@ profile dpkg-preconfigure @{exec_path} {
  @{bin}/apt-extracttemplates rPx,
  @{bin}/whiptail             rPx,

-  /etc/shadow r,
+  /usr/share/debconf/confmodule r,

-  /etc/inputrc r,
  /etc/debconf.conf r,
+  /etc/inputrc r,
+  /etc/shadow r,

  owner /tmp/*.template.* rw,
  owner /tmp/*.config.* rwPUx,
@ -40,6 +41,7 @@ profile dpkg-preconfigure @{exec_path} {
  owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk,
  owner /var/cache/debconf/tmp.ci/ r,
  owner /var/cache/debconf/tmp.ci/* rix,
+  owner /var/cache/debconf/tmp.ci/*.template.@{rand6} w,
  owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,

  @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
--- a/apparmor.d/groups/cron/cron
+++ b/apparmor.d/groups/cron/cron
@ -31,7 +31,9 @@ profile cron @{exec_path} flags=(attach_disconnected) {
  @{bin}/{,ba,da}sh  rix,
  @{bin}/nice        rix,
  @{bin}/ionice      rix,
-  @{bin}/run-parts   rPx,
+  @{bin}/exim4       rPx,
+  @{bin}/run-parts   rCx -> run-parts, # could even be rix, as long as we are not
+                                       # using the  run-parts profile we are good

  @{lib}/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx,
  @{lib}/sysstat/debian-sa1       rPUx,
@ -61,5 +63,18 @@ profile cron @{exec_path} flags=(attach_disconnected) {

  /dev/tty rw,

+  profile run-parts {
+    include <abstractions/base>
+
+    @{bin}/run-parts mr,
+
+    /etc/cron.*/     r,
+    /etc/cron.*/* rPUx,
+
+    owner /tmp/#@{int} rw,
+
+   include if exists <local/cron_run_parts>
+  }
+
  include if exists <local/cron>
 }
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@ -63,9 +63,10 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
  @{sys}/bus/ r,
  @{sys}/bus/media/devices/ r,
  @{sys}/class/ r,
-  @{sys}/devices/**/device:*/**/path r,
  @{sys}/devices/@{pci}/usb@{int}/**/{idVendor,idProduct,removable,uevent} r,
+  @{sys}/devices/**/device:*/**/path r,
  @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,bios_vendor,board_vendor} r,
+  @{sys}/module/apparmor/parameters/enabled r, # deny ?

  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

--- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy
+++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy
@ -12,6 +12,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
+  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
@ -21,16 +22,6 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
       member=MakeThreadRealtimeWithPID
       peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),

-  dbus send bus=accessibility path=/org/a11y/atspi/registry
-       interface=org.a11y.atspi.Registry
-       member=GetRegisteredEvents
-       peer=(name=:*, label=at-spi2-registryd),
-
-  dbus send bus=session path=/
-       interface=org.freedesktop.DBus
-       member={AddMatch,GetNameOwner}
-       peer=(name=org.freedesktop.DBus, label=dbus-daemon),
-
  @{exec_path} mr,

  owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@ -29,6 +29,8 @@ profile xdg-desktop-portal-gnome @{exec_path} {

  network unix stream,

+  signal (receive) set=term peer=gdm,
+
  dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gnome,

  dbus send bus=session path=/org/gnome/Shell/Screenshot
@ -64,6 +66,10 @@ profile xdg-desktop-portal-gnome @{exec_path} {
  @{bin}/ r,
  @{bin}/* r,

+  /usr/share/dconf/profile/gdm r,
+
+  /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
+  /var/lib/gdm{3,}/greeter-dconf-defaults r,
  /var/lib/snapd/desktop/icons/{,**} r,

  owner @{HOME}/*/{,**} rw,
--- a/apparmor.d/groups/freedesktop/xkbcomp
+++ b/apparmor.d/groups/freedesktop/xkbcomp
@ -34,6 +34,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) {
  owner /tmp/server-@{int}.xkm rwk,

  /dev/dri/card@{int} rw,
+  /dev/fb@{int} rw,
  /dev/tty rw,
  /dev/tty@{int} rw,

--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@ -23,6 +23,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
  capability dac_override,
  capability dac_read_search,
  capability ipc_owner,
+  capability net_admin,
  capability perfmon,
  capability setgid,
  capability setuid,
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -60,7 +60,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  /usr/share/gnome-shell/{,**} r,
  /usr/share/icu/@{int}.@{int}/*.dat r,

-  /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
+  /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwl,
  /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
  /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
  /var/lib/gdm{3,}/.config/dconf/user r,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -85,6 +85,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  # dbus: own bus=session name=org.gtk.Notifications
  # dbus: own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher

+  # TODO: org.gtk.Actions for com.rastersoft.dingextension
+
  # Talk with gnome-shell

  # dbus: talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
@ -259,7 +261,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /var/lib/gdm{3,}/.config/ibus/ rw,
  /var/lib/gdm{3,}/.config/ibus/bus/ rw,
  /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
-  /var/lib/gdm{3,}/.config/pulse/ r,
+  /var/lib/gdm{3,}/.config/pulse/ rw,
  /var/lib/gdm{3,}/.config/pulse/client.conf r,
  /var/lib/gdm{3,}/.config/pulse/cookie rwk,
  /var/lib/gdm{3,}/.local/share/applications/{,**} r,
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@ -10,6 +10,7 @@ include <tunables/global>
 profile gnome-software @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
+  include <abstractions/fontconfig-cache-write>
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@ -62,7 +62,7 @@ profile gsd-xsettings @{exec_path} {
  @{etc_ro}/xdg/Xwayland-session.d/ r,
  @{etc_ro}/xdg/Xwayland-session.d/* rix,

-  /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
+  /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm3/greeter-dconf-defaults r,

--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@ -51,9 +51,10 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
  /etc/fstab r,

  /var/lib/gdm{3,}/.cache/ rw,
-  /var/lib/gdm{3,}/.cache/tracker3/{,**} rw,
+  /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
  /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
  /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
+  /var/lib/gdm{3,}/.cache/tracker3/{,**} rw,
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,

--- a/apparmor.d/groups/systemd/systemd-generator-ds-identify
+++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify
@ -15,6 +15,7 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,

  @{bin}/{,ba,da}sh r,
+  @{bin}/uname rix,

  @{run}/cloud-init/.ds-identify.result r,

--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@ -66,10 +66,12 @@ profile apport-gtk @{exec_path} {
  /etc/bash_completion.d/apport_completion r,
  /etc/cron.daily/apport r,
  /etc/default/apport r,
+  /etc/gtk-3.0/settings.ini r,
  /etc/init.d/apport r,
  /etc/logrotate.d/apport r,
+  /etc/pulse/client.conf r,
+  /etc/pulse/client.conf.d/{,**} r,
  /etc/xdg/autostart/*.desktop r,
-  /etc/gtk-3.0/settings.ini r,

  /var/crash/{,*.@{uid}.crash} rw,
  /var/lib/dpkg/info/ r,
@ -78,6 +80,8 @@ profile apport-gtk @{exec_path} {
  /var/lib/dpkg/info/*.md5sums r,
  /var/log/installer/media-info r,

+  owner @{user_config_dirs}/pulse/cookie rk,
+
        @{run}/snapd.socket rw,
  owner @{run}/user/.mutter-Xwaylandauth.@{rand6} rw,

--- a/apparmor.d/profiles-a-f/adduser
+++ b/apparmor.d/profiles-a-f/adduser
@ -27,6 +27,7 @@ profile adduser @{exec_path} {

  @{bin}/{,ba,da}sh rix,
  @{bin}/find       rix,
+  @{bin}/logger     rix,
  @{bin}/rm         rix,

  @{bin}/chage         rPx,
--- a/apparmor.d/profiles-a-f/anacron
+++ b/apparmor.d/profiles-a-f/anacron
@ -14,7 +14,7 @@ profile anacron @{exec_path} {
  @{exec_path} mr,

  @{bin}/{,ba,da}sh  rix,
-  @{bin}/run-parts   rPx,
+  @{bin}/run-parts   rCx -> run-parts,

  / r,
  /etc/anacrontab r,
@ -25,5 +25,19 @@ profile anacron @{exec_path} {

  /tmp/file* rw,

+  profile run-parts {
+    include <abstractions/base>
+
+    @{bin}/run-parts mr,
+
+    /etc/cron.*/     r,
+    /etc/cron.*/* rPUx,
+
+    owner /tmp/#@{int} rw,
+    owner /tmp/file@{rand6} rw,
+
+   include if exists <local/anacron_run_parts>
+  }
+
  include if exists <local/anacron>
 }
--- a/apparmor.d/profiles-a-f/apparmor.systemd
+++ b/apparmor.d/profiles-a-f/apparmor.systemd
@ -24,7 +24,9 @@ profile apparmor.systemd @{exec_path} flags=(complain) {
  @{bin}/getconf              rix,
  @{bin}/ls                   rix,
  @{bin}/sed                  rix,
+  @{bin}/cat                  rix,
  @{bin}/sort                 rix,
+  @{bin}/sysctl               rix,
  @{bin}/systemd-detect-virt  rPx,
  @{bin}/xargs                rix,

@ -41,6 +43,7 @@ profile apparmor.systemd @{exec_path} flags=(complain) {
  @{PROC}/@{pids}/maps r,
  @{PROC}/@{pids}/mounts r,
  @{PROC}/mounts r,
+  @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r,

  /dev/tty rw,

--- a/apparmor.d/profiles-a-f/apparmor_parser
+++ b/apparmor.d/profiles-a-f/apparmor_parser
@ -18,6 +18,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,

  @{lib_dirs}/snapd/apparmor.d/{,**} r,
+  @{lib_dirs}/snapd/apparmor/{,**} r,

  /etc/apparmor.d/{,**} r,
  /etc/apparmor.d/cache.d/{,**} rw,
--- a/apparmor.d/profiles-g-l/lvm
+++ b/apparmor.d/profiles-g-l/lvm
@ -35,6 +35,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) {
  @{sys}/bus/ r,
  @{sys}/class/ r,
  @{sys}/devices/virtual/bdi/**/read_ahead_kb r,
+  @{sys}/devices/virtual/dmi/id/product_uuid r,

        @{PROC}/@{pid}/cmdline r,
        @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener
+++ b/apparmor.d/profiles-s-z/snapd-aa-prompt-listener
@ -12,7 +12,7 @@ include <tunables/global>
 profile snapd-aa-prompt-listener @{exec_path} {
  include <abstractions/base>

-  @{exec_path} mr,
+  @{exec_path} mrix,

  @{lib_dirs}/snapd/info r,

--- a/apparmor.d/profiles-s-z/terminator
+++ b/apparmor.d/profiles-s-z/terminator
@ -14,13 +14,10 @@ profile terminator @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.a11y>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
+  include <abstractions/desktop>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/python>
-  include <abstractions/X-strict>

  capability sys_ptrace,