diff --git a/apparmor.d/abstractions/trash b/apparmor.d/abstractions/trash
index 9c7be132..8dc6e4c6 100644
--- a/apparmor.d/abstractions/trash
+++ b/apparmor.d/abstractions/trash
@@ -49,3 +49,28 @@
 owner /{media,mnt}/*/.Trash-[0-9]*/expunged/[0-9]* rw,
 owner /{media,mnt}/*/.Trash-[0-9]*/expunged/[0-9]*/ rw,
 owner /{media,mnt}/*/.Trash-[0-9]*/expunged/[0-9]*/** rw,
+
+ # Removable media's trash location when the admin creates the .Trash/ folder in the top lvl dir
+ owner /{media,mnt}/*/*/.Trash/ rw,
+ owner /{media,mnt}/*/*/.Trash/[0-9]*/ rw,
+ owner /{media,mnt}/*/*/.Trash/[0-9]*/#[0-9]*[0-9] rw,
+ owner /{media,mnt}/*/*/.Trash/[0-9]*/directorysizes{,.*} rwl -> /{media,mnt}/*/.Trash/[0-9]*/#[0-9]*[0-9],
+ owner /{media,mnt}/*/*/.Trash/[0-9]*/files/{,**} rw,
+ owner /{media,mnt}/*/*/.Trash/[0-9]*/info/ rw,
+ owner /{media,mnt}/*/*/.Trash/[0-9]*/info/*.trashinfo{,.*} rw,
+ owner /{media,mnt}/*/*/.Trash/[0-9]*/expunged/ rw,
+ owner /{media,mnt}/*/*/.Trash/[0-9]*/expunged/[0-9]* rw,
+ owner /{media,mnt}/*/*/.Trash/[0-9]*/expunged/[0-9]*/ rw,
+ owner /{media,mnt}/*/*/.Trash/[0-9]*/expunged/[0-9]*/** rw,
+
+ # Removable media's trash location when the admin doesn't create the .Trash/ folder in the top lvl dir
+ owner /{media,mnt}/*/*/.Trash-[0-9]*/ rw,
+ owner /{media,mnt}/*/*/.Trash-[0-9]*/#[0-9]*[0-9] rw,
+ owner /{media,mnt}/*/*/.Trash-[0-9]*/directorysizes{,.*} rwl -> /{media,mnt}/*/.Trash-[0-9]*/#[0-9]*[0-9],
+ owner /{media,mnt}/*/*/.Trash-[0-9]*/files/{,**} rw,
+ owner /{media,mnt}/*/*/.Trash-[0-9]*/info/ rw,
+ owner /{media,mnt}/*/*/.Trash-[0-9]*/info/*.trashinfo{,.*} rw,
+ owner /{media,mnt}/*/*/.Trash-[0-9]*/expunged/ rw,
+ owner /{media,mnt}/*/*/.Trash-[0-9]*/expunged/[0-9]* rw,
+ owner /{media,mnt}/*/*/.Trash-[0-9]*/expunged/[0-9]*/ rw,
+ owner /{media,mnt}/*/*/.Trash-[0-9]*/expunged/[0-9]*/** rw,
diff --git a/apparmor.d/abstractions/user-download-strict b/apparmor.d/abstractions/user-download-strict
index ccbc62e7..f9a59239 100644
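Review bot: The link targets on the two new `directorysizes` rules still name the one-level tree (`-> /{media,mnt}/*/.Trash/[0-9]*/#[0-9]*[0-9]` and its `.Trash-[0-9]*` counterpart) while the rule paths themselves were rewritten for `/{media,mnt}/*/*/`, so the `l` permission appears to have been copied from the existing rules without updating the target and will not match a link created inside the new two-level trash directory. The two lines should read `owner /{media,mnt}/*/*/.Trash/[0-9]*/directorysizes{,.*} rwl -> /{media,mnt}/*/*/.Trash/[0-9]*/#[0-9]*[0-9],` and `owner /{media,mnt}/*/*/.Trash-[0-9]*/directorysizes{,.*} rwl -> /{media,mnt}/*/*/.Trash-[0-9]*/#[0-9]*[0-9],`. The two comments call the second wildcard level the "top lvl dir", which reads oddly next to the existing one-level rules just above; a comment naming what the extra path component stands for (a mount point nested one directory deeper, presumably) would tell the next reader which of the two rule sets applies.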
--- a/apparmor.d/abstractions/user-download-strict
+++ b/apparmor.d/abstractions/user-download-strict
@@ -5,16 +5,16 @@ abi ,
 owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
- owner @{HOME}/@{XDG_DOWNLOAD_DIR}/** rwl,
+ owner @{HOME}/@{XDG_DOWNLOAD_DIR}/** rwkl,
 owner /media/*/@{XDG_DOWNLOAD_DIR}/ r,
- owner /media/*/@{XDG_DOWNLOAD_DIR}/** rwl,
+ owner /media/*/@{XDG_DOWNLOAD_DIR}/** rwkl,
 owner /mnt/*/@{XDG_DOWNLOAD_DIR}/ r,
- owner /mnt/*/@{XDG_DOWNLOAD_DIR}/** rwl,
+ owner /mnt/*/@{XDG_DOWNLOAD_DIR}/** rwkl,
 owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
- owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwl,
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl,
 # For SSHFS mounts (without owner as files in such mounts can be owned by different users)
 @{HOME}/mount-sshfs/ r,
diff --git a/apparmor.d/groups/apps/atom b/apparmor.d/groups/apps/atom
index 52e870eb..226d229d 100644
--- a/apparmor.d/groups/apps/atom
+++ b/apparmor.d/groups/apps/atom
@@ -120,7 +120,7 @@ profile atom @{exec_path} {
 # Failed to adjust OOM score of renderer with pid : Permission denied
 deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
 owner @{PROC}/@{pids}/task/ r,
- deny owner @{PROC}/@{pids}/task/@{tid}/status r,
+ owner @{PROC}/@{pids}/task/@{tid}/status r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
 deny owner @{PROC}/@{pid}/loginuid r,
diff --git a/apparmor.d/groups/apps/code b/apparmor.d/groups/apps/code
index 67dd2f04..6a2c20b0 100644
--- a/apparmor.d/groups/apps/code
+++ b/apparmor.d/groups/apps/code
@@ -99,7 +99,7 @@ profile code @{exec_path} {
 # Failed to adjust OOM score of renderer with pid : Permission denied
 deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
 owner @{PROC}/@{pids}/task/ r,
- deny owner @{PROC}/@{pids}/task/@{tid}/status r,
+ owner @{PROC}/@{pids}/task/@{tid}/status r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
 deny owner @{PROC}/@{pid}/net/dev r,
diff --git a/apparmor.d/groups/apps/discord b/apparmor.d/groups/apps/discord
index abf55b58..00d92467 100644
--- a/apparmor.d/groups/apps/discord
+++ b/apparmor.d/groups/apps/discord
@@ -82,7 +82,7 @@ profile discord @{exec_path} {
 deny @{PROC}/vmstat r,
 deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
 owner @{PROC}/@{pids}/task/ r,
- deny owner @{PROC}/@{pids}/task/@{tid}/status r,
+ @{PROC}/@{pids}/task/@{tid}/status r,
 deny @{PROC}/@{pids}/stat r,
 deny owner @{PROC}/@{pids}/statm r,
 deny @{PROC}/@{pids}/cmdline r,
diff --git a/apparmor.d/groups/apps/freetube b/apparmor.d/groups/apps/freetube
index 5bebfb1c..f6cb7c6c 100644
--- a/apparmor.d/groups/apps/freetube
+++ b/apparmor.d/groups/apps/freetube
@@ -73,8 +73,7 @@ profile freetube @{exec_path} {
 owner @{PROC}/@{pid}/fd/ r,
 # @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pids}/task/ r,
- deny owner @{PROC}/@{pids}/task/@{tid}/status r,
- # @{PROC}/@{pids}/task/@{tid}/status r,
+ @{PROC}/@{pids}/task/@{tid}/status r,
 deny @{PROC}/@{pids}/stat r,
 deny owner @{PROC}/@{pids}/statm r,
 deny owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/groups/apps/spotify b/apparmor.d/groups/apps/spotify
index 986aec01..f17c3a9d 100644
--- a/apparmor.d/groups/apps/spotify
+++ b/apparmor.d/groups/apps/spotify
@@ -46,7 +46,7 @@ profile spotify @{exec_path} {
 owner @{PROC}/@{pid}/fd/ r,
 deny owner @{PROC}/@{pids}/task/ r,
 deny owner @{PROC}/@{pids}/task/@{tid}/stat r,
- deny owner @{PROC}/@{pids}/task/@{tid}/status r,
+ owner @{PROC}/@{pids}/task/@{tid}/status r,
 deny @{PROC}/@{pids}/stat r,
 deny owner @{PROC}/@{pid}/cmdline r,
 deny owner @{PROC}/@{pids}/oom_score_adj w,
diff --git a/apparmor.d/groups/apt/apt-show-versions b/apparmor.d/groups/apt/apt-show-versions
index 21b13ce6..26de8682 100644
--- a/apparmor.d/groups/apt/apt-show-versions
+++ b/apparmor.d/groups/apt/apt-show-versions
@@ -6,6 +6,8 @@ abi ,
 include
+@{BUILD_DIR} = /media/debuilder/
+
 @{exec_path} = /{usr/,}bin/apt-show-versions
 profile apt-show-versions @{exec_path} {
 include
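Review bot: The replacement line `@{PROC}/@{pids}/task/@{tid}/status r,` drops the `owner` qualifier that the removed `deny` rule carried, so discord may now read the status of threads of any process on the system rather than only the user's own; the freetube hunk below makes the same widening. The atom, code and spotify hunks turn the same deny into an allow but keep `owner`, so unless the audit log showed reads of other users' processes, `owner @{PROC}/@{pids}/task/@{tid}/status r,` keeps the Electron profiles consistent and the grant minimal. A one-line comment naming what triggered the read (the neighbouring oom_score_adj rule has one) would spare the next reviewer the same question.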
@@ -29,6 +31,8 @@ profile apt-show-versions @{exec_path} {
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
+ @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+
 # file_inherit
 owner /dev/tty[0-9]* rw,
 owner /var/log/cron-apt/temp w,
diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave
index 0a6b3744..37f25fe3 100644
--- a/apparmor.d/groups/browsers/brave
+++ b/apparmor.d/groups/browsers/brave
@@ -140,7 +140,7 @@ profile brave @{exec_path} {
 # deny @{PROC}/@{pids}/cmdline r,
 owner @{PROC}/@{pids}/task/ r,
- deny @{PROC}/@{pids}/task/@{tid}/status r,
+ @{PROC}/@{pids}/task/@{tid}/status r,
 deny owner @{PROC}/@{pid}/limits r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium
index b8866bb4..c7d7a96e 100644
--- a/apparmor.d/groups/browsers/chromium-chromium
+++ b/apparmor.d/groups/browsers/chromium-chromium
@@ -136,7 +136,7 @@ profile chromium-chromium @{exec_path} {
 deny owner @{PROC}/@{pids}/environ r,
 owner @{PROC}/@{pids}/task/ r,
 deny @{PROC}/@{pids}/task/@{tid}/stat r,
- deny @{PROC}/@{pids}/task/@{tid}/status r,
+ @{PROC}/@{pids}/task/@{tid}/status r,
 deny owner @{PROC}/@{pid}/limits r,
 deny owner @{PROC}/@{pid}/mem r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/groups/browsers/google-chrome-chrome b/apparmor.d/groups/browsers/google-chrome-chrome
index ca178e3f..e12256a2 100644
--- a/apparmor.d/groups/browsers/google-chrome-chrome
+++ b/apparmor.d/groups/browsers/google-chrome-chrome
@@ -134,7 +134,7 @@ profile google-chrome-chrome @{exec_path} {
 deny owner @{PROC}/@{pids}/environ r,
 owner @{PROC}/@{pid}/task/ r,
 deny @{PROC}/@{pids}/task/@{tid}/stat r,
- deny @{PROC}/@{pids}/task/@{tid}/status r,
+ @{PROC}/@{pids}/task/@{tid}/status r,
 deny owner @{PROC}/@{pid}/limits r,
 deny owner @{PROC}/@{pid}/mem r,
 owner @{PROC}/@{pid}/mountinfo r,
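Review bot: `@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,` grants write, lock and link over the whole `/media/debuilder/` tree to a tool that only reports package versions, and nothing in the hunk says which files it actually touches there; the debtags hunk later in this commit adds the identical rule. If the build tree only needs to be read, `@{BUILD_DIR}/** r,` is enough; if writes are really required, the rule deserves a comment naming them, e.g. `# apt-show-versions run inside the build tree; writes TODO-confirm from audit log`. The `@{BUILD_DIR}` assignment in the first hunk also hard-codes one machine's mount point into a shared profile — defining it alongside the other tunables (the way `@{HOME}` is provided) would let other installs override it without editing the profile.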
diff --git a/apparmor.d/groups/browsers/opera b/apparmor.d/groups/browsers/opera
index 0e30457b..ac03f0b4 100644
--- a/apparmor.d/groups/browsers/opera
+++ b/apparmor.d/groups/browsers/opera
@@ -126,7 +126,7 @@ profile opera @{exec_path} {
 deny owner @{PROC}/@{pids}/environ r,
 owner @{PROC}/@{pid}/task/ r,
 deny @{PROC}/@{pids}/task/@{tid}/stat r,
- deny @{PROC}/@{pids}/task/@{tid}/status r,
+ @{PROC}/@{pids}/task/@{tid}/status r,
 deny owner @{PROC}/@{pid}/limits r,
 deny owner @{PROC}/@{pid}/mem r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab
index ef698ad0..fa9c37f8 100644
--- a/apparmor.d/groups/cron/crontab
+++ b/apparmor.d/groups/cron/crontab
@@ -23,6 +23,8 @@ profile crontab @{exec_path} {
 /{usr/,}bin/sensible-editor rCx -> editor,
 /{usr/,}bin/vim.* rCx -> editor,
+ /etc/cron.{allow,deny} r,
+ /var/spool/cron/ r,
 /var/spool/cron/crontabs/ rw,
 owner /var/spool/cron/crontabs/* rw,
@@ -53,6 +55,9 @@ profile crontab @{exec_path} {
 /tmp/ r,
 owner /tmp/crontab.*/crontab rw,
+ # file_inherit
+ /etc/cron.{allow,deny} r,
+
 }
 include if exists
diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl
new file mode 100644
index 00000000..650e615a
--- /dev/null
+++ b/apparmor.d/groups/systemd/coredumpctl
@@ -0,0 +1,81 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/coredumpctl
+profile coredumpctl @{exec_path} flags=(complain) {
+ include
+ include
+
+ signal (send) peer=child-pager,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/gdb rCx -> gdb,
+
+ /{usr/,}bin/pager rPx -> child-pager,
+ /{usr/,}bin/less rPx -> child-pager,
+ /{usr/,}bin/more rPx -> child-pager,
+
+ owner /tmp/*.coredump w,
+ owner /tmp/core.* w,
+
+ owner /var/tmp/coredump-* rw,
+
+ /var/lib/systemd/coredump/core.*.[0-9]*.[0-9a-f]*.[0-9]*.[0-9]*.zst r,
+
+ /{run,var}/log/journal/ r,
+ /{run,var}/log/journal/[0-9a-f]*/ r,
+ /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* r,
+ /{run,var}/log/journal/[0-9a-f]*/system.journal* r,
+ /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r,
+
+ owner @{PROC}/@{pid}/cgroup r,
+ @{PROC}/1/cgroup r,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+
+ profile gdb {
+ include
+ include
+
+ ptrace (trace),
+
+ /{usr/,}bin/gdb mr,
+
+ /{usr/,}bin/iconv rix,
+ /{usr/,}bin/* r,
+ /{usr/,}sbin/* r,
+
+ @{PROC}/@{pids}/fd/ r,
+
+ /etc/inputrc r,
+
+ /etc/gdb/** r,
+ /usr/share/gdb/{,**} r,
+ /usr/share/glib-2.0/gdb/{,**} r,
+ /usr/share/gcc-[0-9]*/python/{,**} r,
+ /usr/share/gcc/** r,
+
+ owner /var/tmp/coredump-* rw,
+
+ # Silencer
+ deny /usr/share/** w,
+
+ }
+
+ include if exists
+}
diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump
new file mode 100644
index 00000000..cab3a6b1
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-coredump
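Review bot: The `gdb` child profile grants `ptrace (trace),` with no `peer=` restriction, which lets the gdb that coredumpctl launches attach to any process the DAC rules allow, while everything else in the child is written for post-mortem work on a core file (`owner /var/tmp/coredump-* rw,`, the journal and `/var/lib/systemd/coredump` reads in the parent). If the rule came from an audit entry for reading `/proc/` of the crashed pid, `ptrace (read),` is the narrower permission; if a live attach is really intended, a comment should say so. The profile carries `flags=(complain)`, so trying the narrower form costs nothing but a log line if it turns out to be insufficient.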
@@ -0,0 +1,52 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-coredump
+profile systemd-coredump @{exec_path} flags=(complain) {
+ include
+ include
+
+ capability setpcap,
+ capability setuid,
+ capability setgid,
+ capability dac_read_search,
+ capability sys_ptrace,
+ # Needed?
+ deny capability net_admin,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/* r,
+ /{usr/,}sbin/* r,
+ /usr/libexec/** r,
+
+ /etc/systemd/coredump.conf r,
+
+ /var/lib/systemd/coredump/ r,
+ owner /var/lib/systemd/coredump/#[0-9]* rw,
+ owner /var/lib/systemd/coredump/core.*.[0-9]*.[0-9a-f]*.[0-9]*.[0-9]*.zst rwl -> /var/lib/systemd/coredump/#[0-9]*,
+
+ owner @{PROC}/@{pid}/setgroups r,
+ @{PROC}/@{pids}/comm r,
+ @{PROC}/@{pids}/cgroup r,
+ @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/limits r,
+ @{PROC}/@{pids}/mountinfo r,
+ @{PROC}/@{pids}/environ r,
+ @{PROC}/@{pids}/fd/ r,
+ @{PROC}/@{pids}/fdinfo/[0-9]* r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald
index 8692a99e..99fe9123 100644
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@@ -17,6 +17,14 @@ profile systemd-journald @{exec_path} {
 capability sys_ptrace,
 capability dac_read_search,
 capability kill,
+ capability sys_admin,
+ capability setuid,
+ capability setgid,
+
+ # For audit logs
+ capability audit_control,
+
+ network netlink raw,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-sysctl b/apparmor.d/groups/systemd/systemd-sysctl
index 91c2c695..e9ce2a2e 100644
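Review bot: The capability block pairs `capability sys_ptrace,` and `capability dac_read_search,` with system-wide reads such as `@{PROC}/@{pids}/environ r,` but carries no explanation, and the only comment in the block is the open question `# Needed?` above `deny capability net_admin,`. Each of these is a host-wide grant (any process's environment, directory permission bypass), so a why-comment is worth the line, e.g. `# sys_ptrace + dac_read_search: presumably to read /proc/<pid> and the executable of the crashing process -- confirm against the audit log`. `# Needed?` should be resolved into a statement of what triggered the deny, or the deny dropped if nothing did; with `flags=(complain)` a missing rule only shows up in the log, so the question is cheap to settle before the profile is moved to enforce mode.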
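Review bot: `capability sys_admin,` is added without a comment while the neighbouring `capability audit_control,` gets `# For audit logs`; sys_admin is the broadest capability a profile can grant, so the hunk should record the specific denial that motivated it (the `operation=`/`capname=` line from the audit log) in the same style, at minimum `# TODO: document the sys_admin denial this is for`. The same goes for `setuid`/`setgid`, which together with sys_admin leave the file rules as the main thing still confining the daemon. The capability block this extends starts above the hunk.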
--- a/apparmor.d/groups/systemd/systemd-sysctl
+++ b/apparmor.d/groups/systemd/systemd-sysctl
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}lib/systemd/systemd-sysctl
 profile systemd-sysctl @{exec_path} {
 include
+ include
 include
 # Are these needed?
diff --git a/apparmor.d/profiles-a-l/anki b/apparmor.d/profiles-a-l/anki
index 37d27ef5..7cf6a179 100644
--- a/apparmor.d/profiles-a-l/anki
+++ b/apparmor.d/profiles-a-l/anki
@@ -80,7 +80,7 @@ profile anki @{exec_path} {
 owner @{PROC}/@{pid}/fd/ r,
 deny owner @{PROC}/@{pid}/mem r,
 owner @{PROC}/@{pid}/task/ r,
- deny owner @{PROC}/@{pid}/task/@{tid}/status r,
+ owner @{PROC}/@{pid}/task/@{tid}/status r,
 @{PROC}/sys/kernel/yama/ptrace_scope r,
 deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
 deny owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/profiles-a-l/debtags b/apparmor.d/profiles-a-l/debtags
index 7aa48e17..d600c925 100644
--- a/apparmor.d/profiles-a-l/debtags
+++ b/apparmor.d/profiles-a-l/debtags
@@ -6,6 +6,8 @@ abi ,
 include
+@{BUILD_DIR} = /media/debuilder/
+
 @{exec_path} = /{usr/,}bin/debtags
 profile debtags @{exec_path} {
 include
@@ -34,6 +36,8 @@ profile debtags @{exec_path} {
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
+ @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+
 # file_inherit
 /var/log/cron-apt/temp w ,
diff --git a/apparmor.d/profiles-m-z/mediainfo-gui b/apparmor.d/profiles-m-z/mediainfo-gui
new file mode 100644
index 00000000..96a04c42
--- /dev/null
+++ b/apparmor.d/profiles-m-z/mediainfo-gui
@@ -0,0 +1,88 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+# Video/audio extensions:
+# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
+# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
+# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t
+@{mediainfo_ext} = [aA]{52,[aA][cC],[cC]3}
+@{mediainfo_ext} += [mM][kK][aA]
+@{mediainfo_ext} += [fF][lL][aA][cC]
+@{mediainfo_ext} += [mM][pP][123cC]
+@{mediainfo_ext} += [oO][gGmM][aA]
+@{mediainfo_ext} += [wW]{,[aA]}[vV]
+@{mediainfo_ext} += [wW][mM]{,[aA]}
+@{mediainfo_ext} += 3[gG]{[2pP],[pP][2pP]}
+@{mediainfo_ext} += [aA][sS][fF]
+@{mediainfo_ext} += [aA][vV][iI]
+@{mediainfo_ext} += [dD][iI][vV][xX]
+@{mediainfo_ext} += [mM][124][vV]
+@{mediainfo_ext} += [mM][kKoO][vV]
+@{mediainfo_ext} += [mM][pP][4aAeEgG]
+@{mediainfo_ext} += [mM][pP][eE][gG]{,[124]}
+@{mediainfo_ext} += [oO][gG][gGmMxXvV]
+@{mediainfo_ext} += [rR][mM]{,[vV][bB]}
+@{mediainfo_ext} += [wW][eE][bB][mM]
+@{mediainfo_ext} += [wW][mMtT][vV]
+@{mediainfo_ext} += [mM][pP]2[tT]
+
+@{exec_path} = /{usr/,}bin/mediainfo-gui
+profile mediainfo-gui @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/xdg-open rCx -> open,
+
+ # Which media files mediainfo-gui should be able to open
+ / r,
+ /home/ r,
+ owner @{HOME}/ r,
+ owner @{HOME}/**/ r,
+ /media/ r,
+ owner /media/**/ r,
+ owner /{home,media}/**.@{mediainfo_ext} r,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+
+
+ profile open {
+ include
+ include
+
+ /{usr/,}bin/xdg-open mr,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/basename rix,
+
+ owner @{HOME}/ r,
+
+ owner @{run}/user/[0-9]*/ r,
+
+ # 
Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPUx,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-m-z/mkvtoolnix-gui b/apparmor.d/profiles-m-z/mkvtoolnix-gui
index 9cdd19e2..dad51480 100644
--- a/apparmor.d/profiles-m-z/mkvtoolnix-gui
+++ b/apparmor.d/profiles-m-z/mkvtoolnix-gui
@@ -59,7 +59,8 @@ profile mkvtoolnix-gui @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/mkvmerge rPx,
+ /{usr/,}bin/mkvmerge rPx,
+ /{usr/,}bin/mediainfo-gui rPx,
 # Which files mkvtoolnix should be able to open
 / r,
diff --git a/apparmor.d/profiles-m-z/mpv b/apparmor.d/profiles-m-z/mpv
index 60c111d3..6e22dd43 100644
--- a/apparmor.d/profiles-m-z/mpv
+++ b/apparmor.d/profiles-m-z/mpv
@@ -163,6 +163,7 @@ profile mpv @{exec_path} {
 /{usr/,}bin/xset rix,
 /{usr/,}bin/xautolock rix,
 /{usr/,}bin/dbus-send rix,
+ /{usr/,}bin/xscreensaver-command rix,
 owner @{HOME}/.Xauthority r,
diff --git a/apparmor.d/profiles-m-z/openbox b/apparmor.d/profiles-m-z/openbox
index ba976417..1f478dd3 100644
--- a/apparmor.d/profiles-m-z/openbox
+++ b/apparmor.d/profiles-m-z/openbox
@@ -22,9 +22,11 @@ profile openbox @{exec_path} {
 /{usr/,}lib/@{multiarch}/openbox-autostart rCx -> autostart,
 # Apps allowed to run
- /{usr/,}{s,}bin/* rPUx,
- /{usr/,}bin/* rPUx,
- /usr/{lib,libexec}/* rPUx,
+ /{usr/,}sbin/* rPUx,
+ /{usr/,}bin/* rPUx,
+ /usr/local/bin/* rPUx,
+ /usr/{lib,libexec}/* rPUx,
+ /{usr/,}lib/@{multiarch}/*/** rPUx,
 /usr/share/themes/*/openbox-3/themerc r,
@@ -60,8 +62,14 @@ profile openbox @{exec_path} {
 /{usr/,}bin/which rix,
 # Apps allowed to run
+ /{usr/,}sbin/* rPUx,
 /{usr/,}bin/* rPUx,
+<<<<<<< HEAD:apparmor.d/profiles-m-z/openbox
 /usr/{lib,libexec}/* rPUx,
+=======
+ /usr/local/bin/* rPUx,
+ /usr/libexec/* rPUx,
+>>>>>>> ff78b17 (update apparmor profiles):apparmor.d/openbox
 /{usr/,}lib/@{multiarch}/*/** rPUx,
 /usr/local/lib/python*/dist-packages/ r,
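Review bot: The second openbox hunk commits unresolved git conflict markers into the profile: `+<<<<<<< HEAD:apparmor.d/profiles-m-z/openbox`, `+=======` and `+>>>>>>> ff78b17 (update apparmor profiles):apparmor.d/openbox` are added as profile lines, which apparmor_parser cannot parse, so the openbox profile will fail to load (and, depending on how the set is loaded, may abort loading the rest of the batch). The resolution matching the first hunk is to delete the three marker lines together with `/usr/libexec/* rPUx,` (already covered by the kept `/usr/{lib,libexec}/* rPUx,`) and leave `/usr/local/bin/* rPUx,` in place, giving the same list the main profile now has. The child profile this block belongs to starts above the hunk.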
diff --git a/apparmor.d/profiles-m-z/qtox b/apparmor.d/profiles-m-z/qtox
new file mode 100644
index 00000000..f179df3c
--- /dev/null
+++ b/apparmor.d/profiles-m-z/qtox
@@ -0,0 +1,101 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/qtox
+profile qtox @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/xdg-open rCx -> open,
+
+ # For importing old profile
+ owner @{HOME}/**.tox r,
+ owner /media/*/**.tox r,
+
+ owner @{HOME}/ r,
+ owner @{user_cache_dirs}/qTox/ rw,
+ owner @{user_cache_dirs}/qTox/qtox.log rw,
+
+ owner @{user_config_dirs}/tox/ rw,
+ owner @{user_config_dirs}/tox/** rwkl -> @{HOME}/.config/tox/**,
+
+ owner @{user_config_dirs}/autostart/qTox*.desktop rw,
+
+ owner @{user_share_dirs}/qTox/ rw,
+ owner @{user_share_dirs}/qTox/** rw,
+
+ # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
+ owner @{user_config_dirs}/qt5ct/{,**} r,
+ /usr/share/qt5ct/** r,
+
+ owner @{PROC}/@{pid}/cmdline r,
+ @{PROC}/sys/kernel/core_pattern r, # for KCrash::initialize()
+ @{PROC}/sys/kernel/random/boot_id r, # for QSysInfo::bootUniqueId(), mvoe to qt5 abstraction?
+
+ /usr/share/hwdata/pnp.ids r,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ owner /tmp/qipc_{systemsem,sharedmemory}_*[0-9a-f]* rw,
+
+ @{sys}/devices/system/node/ r, # for ld-linux-x86-64.so -> libnuma1.so
+ @{sys}/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so
+
+ /dev/ r,
+ /dev/video[0-9]* rw,
+
+
+ profile open {
+ include
+ include
+
+ /{usr/,}bin/xdg-open mr,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/basename rix,
+
+ owner @{HOME}/ r,
+
+ owner @{run}/user/[0-9]*/ r,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPUx,
+ /{usr/,}bin/viewnior rPUx,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+ owner @{user_cache_dirs}/qTox/qtox.log w,
+ deny /dev/video[0-9]* rw,
+
+ }
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-m-z/spectre-meltdown-checker b/apparmor.d/profiles-m-z/spectre-meltdown-checker
index e05ba5fe..f79c19de 100644
--- a/apparmor.d/profiles-m-z/spectre-meltdown-checker
+++ b/apparmor.d/profiles-m-z/spectre-meltdown-checker
@@ -119,6 +119,7 @@ profile spectre-meltdown-checker @{exec_path} {
 @{PROC}/ r,
 @{PROC}/@{pids}/cmdline r,
 @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/uptime r,
 }
diff --git a/apparmor.d/profiles-m-z/unhide-tcp b/apparmor.d/profiles-m-z/unhide-tcp
index db682f1d..28e83048 100644
--- a/apparmor.d/profiles-m-z/unhide-tcp
+++ b/apparmor.d/profiles-m-z/unhide-tcp
@@ -26,7 +26,6 @@ profile unhide-tcp @{exec_path} {
 @{PROC}/@{pids}/net/tcp{,6} r,
 @{PROC}/@{pids}/net/udp{,6} r,
 @{PROC}/@{pids}/fd/ r,
- @{PROC}/@{pids}/maps r,
 # For logs
 /**/unhide-tcp_[0-9]*-[0-9]*-[0-9]*.log w,
diff --git a/apparmor.d/profiles-m-z/utox b/apparmor.d/profiles-m-z/utox
new file mode 100644
index 00000000..0c04b94b
--- /dev/null
+++ b/apparmor.d/profiles-m-z/utox
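Review bot: `owner @{user_config_dirs}/tox/** rwkl -> @{HOME}/.config/tox/**,` uses the `@{user_config_dirs}` variable on the source side but a literal `@{HOME}/.config/tox/**` as the link target, so the `l` permission only works while the two happen to expand to the same directory; `owner @{user_config_dirs}/tox/** rwkl -> @{user_config_dirs}/tox/**,` keeps both sides in step (the utox profile added later in this commit gets by with plain `rw` on the same tree, so it is worth checking whether `l` is needed at all). Minor: the trailing comment on the `boot_id` rule reads `mvoe` for `move`. The profile's first half is in the preceding hunk line.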
@@ -0,0 +1,84 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/utox
+profile utox @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/xdg-open rCx -> open,
+
+ owner @{HOME}/ r,
+ owner @{user_config_dirs}/tox/ rw,
+ owner @{user_config_dirs}/tox/** rw,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ deny owner @{PROC}/@{pid}/cmdline r,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+
+ # For video support
+ owner /dev/shm/libv4l-* rw,
+ /dev/video[0-9]* rw,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/video4linux/video[0-9]*/dev r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{modalias,speed} r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
+ @{sys}/devices/virtual/dmi/id/product_{name,version} r,
+ @{sys}/devices/virtual/dmi/id/board_{vendor,name,version} r,
+
+
+ profile open {
+ include
+ include
+
+ /{usr/,}bin/xdg-open mr,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/basename rix,
+
+ owner @{HOME}/ r,
+
+ owner @{run}/user/[0-9]*/ r,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPUx,
+ /{usr/,}bin/viewnior rPUx,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+ owner @{user_config_dirs}/tox/[0-9A-F].ftinfo w,
+ owner @{user_config_dirs}/tox/[0-9A-F].ftoutfo w,
+ deny /dev/video[0-9]* rw,
+
+ }
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-m-z/vidcutter b/apparmor.d/profiles-m-z/vidcutter
index 92b0d3a0..1c13184a 100644
--- a/apparmor.d/profiles-m-z/vidcutter
+++ b/apparmor.d/profiles-m-z/vidcutter
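Review bot: Under `# file_inherit` in the `open` child, `owner @{user_config_dirs}/tox/[0-9A-F].ftinfo w,` and `owner @{user_config_dirs}/tox/[0-9A-F].ftoutfo w,` match exactly one hex character before the extension, because `[0-9A-F]` is a single-character class in AppArmor globbing; if these files are named after a longer hex identifier (the hunk does not show the naming), the intended patterns are `[0-9A-F]*.ftinfo` and `[0-9A-F]*.ftoutfo`. The child has no other rule for that directory, so a mismatch means writes on the inherited descriptors are denied rather than covered by the parent's `owner @{user_config_dirs}/tox/** rw,`. A short comment naming what the two files are would also help, since the extensions are not self-explanatory.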
@@ -58,9 +58,9 @@ profile vidcutter @{exec_path} {
 /{usr/,}bin/ r,
 /{usr/,}{s,}bin/ldconfig rix,
- /{usr/,}bin/ffmpeg rPUx,
- /{usr/,}bin/ffprobe rPUx,
- /{usr/,}bin/mediainfo rPUx,
+ /{usr/,}bin/ffmpeg rPx,
+ /{usr/,}bin/ffprobe rPx,
+ /{usr/,}bin/mediainfo rPx,
 /{usr/,}bin/xdg-open rCx -> open,
 /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
diff --git a/apparmor.d/profiles-m-z/warzone2100 b/apparmor.d/profiles-m-z/warzone2100
new file mode 100644
index 00000000..6571404e
--- /dev/null
+++ b/apparmor.d/profiles-m-z/warzone2100
@@ -0,0 +1,49 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/warzone2100
+profile warzone2100 @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ deny ptrace (read),
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/which rix,
+
+ owner @{user_share_dirs}/warzone2100-*/ rw,
+ owner @{user_share_dirs}/warzone2100-*/** rw,
+
+ # What's this for?
+ deny owner @{user_share_dirs}/applications/*.desktop w,
+
+ /usr/share/warzone2100/{,**} r,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ deny @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/stat r,
+
+ include if exists
+}
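Review bot: Switching `ffmpeg`, `ffprobe` and `mediainfo` from `rPUx` to `rPx` is the right direction, but `rPx` makes the exec fail outright when no profile of that name is loaded, and this commit adds a `mediainfo-gui` profile, not a `mediainfo` one; if `mediainfo` (and the ffmpeg pair) do not already exist in the set, vidcutter's transcoding and probing will be denied. Either confirm those profiles ship alongside this change or keep `rPUx` for the ones that do not, with a comment such as `# rPx once the mediainfo profile lands`. The exec block continues outside the hunk.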
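Review bot: `# What's this for?` above `deny owner @{user_share_dirs}/applications/*.desktop w,` leaves an unanswered question in the shipped profile; a deny on writing launcher files into the user's applications directory is a sensible default, so the comment should state the observation rather than ask, e.g. `# Silence attempts to write a launcher into the user's applications dir (seen in audit log; presumably self-registration)`. `deny ptrace (read),` and `deny @{PROC}/@{pids}/cmdline r,` are likewise undocumented; a short `# Silencer` in the style of coredumpctl's gdb child would make clear they are noise suppression rather than a hardening decision.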