From 0619f4dcec81630f6758ebc0476b0ab8514149e9 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol
Date: Fri, 29 Mar 2024 19:45:10 +0000
Subject: [PATCH] feat(profile): general update.

---
 apparmor.d/groups/apps/imv-wayland | 6 +-
 apparmor.d/groups/apps/zathura | 11 ++-
 apparmor.d/groups/apt/dpkg-preconfigure | 1 +
 .../groups/browsers/firefox-crashreporter | 1 +
 apparmor.d/groups/bus/at-spi2-registryd | 2 +
 apparmor.d/groups/bus/ibus-engine-simple | 6 ++
 apparmor.d/groups/bus/ibus-memconf | 5 +-
 apparmor.d/groups/bus/ibus-x11 | 1 +
 apparmor.d/groups/freedesktop/pipewire | 6 +-
 apparmor.d/groups/freedesktop/xprop | 17 +---
 apparmor.d/groups/freedesktop/xwayland | 2 -
 .../groups/gnome/evolution-alarm-notify | 3 +-
 apparmor.d/groups/gnome/gdm | 11 +--
 apparmor.d/groups/gnome/gjs-console | 1 +
 .../gnome/gnome-characters-backgroudservice | 8 +-
 apparmor.d/groups/gnome/gnome-control-center | 25 +++++-
 apparmor.d/groups/gnome/gnome-session-binary | 3 +-
 apparmor.d/groups/gnome/gnome-shell | 3 +-
 apparmor.d/groups/gnome/gnome-system-monitor | 17 +++-
 apparmor.d/groups/gnome/goa-identity-service | 1 +
 apparmor.d/groups/gnome/gsd-xsettings | 1 +
 apparmor.d/groups/gnome/mutter-x11-frames | 3 +
 apparmor.d/groups/grub/grub-sort-version | 2 +-
 apparmor.d/groups/gvfs/gvfsd | 9 +-
 apparmor.d/groups/gvfs/gvfsd-dnssd | 2 +-
 apparmor.d/groups/gvfs/gvfsd-network | 2 +-
 apparmor.d/groups/gvfs/gvfsd-recent | 21 ++++-
 apparmor.d/groups/gvfs/gvfsd-smb-browse | 2 +-
 apparmor.d/groups/gvfs/gvfsd-trash | 2 +-
 apparmor.d/groups/kde/sddm-xsession | 2 +-
 apparmor.d/groups/systemd/systemd-cryptsetup | 4 +
 apparmor.d/groups/ubuntu/apport | 1 +
 apparmor.d/groups/ubuntu/apport-gtk | 5 +-
 apparmor.d/groups/whonix/sensible-browser | 5 ++
 .../groups/whonix/whonix-firewall-restarter | 4 +-
 apparmor.d/profiles-m-r/mutt | 85 ++++++-------------
 apparmor.d/profiles-m-r/nemo | 62 +-------------
 apparmor.d/profiles-m-r/packagekitd | 2 +-
 apparmor.d/profiles-m-r/power-profiles-daemon | 1 +
 apparmor.d/profiles-s-z/snap | 3 +
 apparmor.d/profiles-s-z/spice-vdagent | 1 +
apparmor.d/profiles-s-z/wireplumber | 6 +- apparmor.d/profiles-s-z/yadifad | 13 ++- 43 files changed, 160 insertions(+), 208 deletions(-) diff --git a/apparmor.d/groups/apps/imv-wayland b/apparmor.d/groups/apps/imv-wayland index 4186d0d7..2479e8bf 100644 --- a/apparmor.d/groups/apps/imv-wayland +++ b/apparmor.d/groups/apps/imv-wayland @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -8,8 +9,7 @@ include @{exec_path} = @{bin}/imv-wayland profile imv @{exec_path} { include - include - include + include include include include @@ -18,7 +18,7 @@ profile imv @{exec_path} { @{exec_path} mr, /etc/imv_config r, - /usr/share/X11/xkb/** r, + /tmp/ r, owner @{user_config_dirs}/imv/config r, diff --git a/apparmor.d/groups/apps/zathura b/apparmor.d/groups/apps/zathura index 8a59be64..aaa939e5 100644 --- a/apparmor.d/groups/apps/zathura +++ b/apparmor.d/groups/apps/zathura @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -8,18 +9,16 @@ include @{exec_path} = @{bin}/zathura profile zathura @{exec_path} { include - include - include + include + include include include - include - include - include + include @{exec_path} mr, /usr/share/file/{,**} r, - /usr/share/X11/xkb/{,**} r, + /etc/xdg/{,**} r, /etc/zathurarc r, diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 6627aa16..14ec46d7 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -21,6 +21,7 @@ profile dpkg-preconfigure @{exec_path} { @{sh_path} rix, @{bin}/{,e}grep rix, + @{bin}/dialog rix, @{bin}/locale rix, @{bin}/sed rix, @{bin}/sort rix, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index dc933497..2ba1f1f9 100644 
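Review bot: In the imv-wayland hunk at `@@ -18,7 +18,7 @@`, the replacement rule `/tmp/ r,` grants a listing of the shared /tmp directory, which exposes the names of every user's temporary files even though their contents stay protected by the sticky bit. If the denial this fixes was for a particular file imv opens under /tmp, the narrower file path is preferable. If the listing itself is what imv needs, a short comment naming the operation that requires it (e.g. `/tmp/ r, # TODO(confirm): which imv operation lists /tmp`) would make the rule easy to re-evaluate later.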
--- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -26,6 +26,7 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network inet stream, network inet6 stream, + network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index e47c5291..230b2966 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd @@ -15,6 +15,8 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include include + signal (receive) set=(term) peer=gdm, + #aa:dbus own bus=accessibility name=org.a11y.atspi.{R,r}egistry dbus send bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index fbdcd3fa..98c8c09b 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -9,12 +9,18 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-engine-simple profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { include + include include signal (receive) set=term peer=ibus-daemon, unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon), + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + @{exec_path} mr, /etc/machine-id r, diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index e5f44022..9e047b0d 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -9,6 +9,8 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-memconf profile ibus-memconf @{exec_path} { include + include + include include include 
@@ -16,9 +18,6 @@ profile ibus-memconf @{exec_path} { @{exec_path} mr, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw, owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index bae89756..c030c11a 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -12,6 +12,7 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 1841bd74..25785b33 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -46,12 +46,12 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { / r, /.flatpak-info r, - - owner @{user_config_dirs}/pipewire/pipewire-pulse.conf r, - owner @{user_config_dirs}/pipewire/pipewire.conf r, + + owner @{user_config_dirs}/pipewire/{,**} r, owner /tmp/librnnoise-@{int}.so rm, + owner @{run}/user/@{uid}/pipewire-@{int} rw, owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, owner @{run}/user/@{uid}/pulse/pid rw, diff --git a/apparmor.d/groups/freedesktop/xprop b/apparmor.d/groups/freedesktop/xprop index 5340eae1..c9698ba1 100644 --- a/apparmor.d/groups/freedesktop/xprop +++ b/apparmor.d/groups/freedesktop/xprop 
@@ -10,23 +10,10 @@ include @{exec_path} = @{bin}/xprop profile xprop @{exec_path} { include + include + include @{exec_path} mr, - /usr/etc/X11/xdm/Xresources r, - /usr/share/icons/*/cursors/crosshair r, - - owner @{HOME}/.Xauthority r, - owner @{HOME}/.icons/default/index.theme r, - - owner /tmp/runtime-*/xauth_@{rand6} r, - owner /tmp/xauth_@{rand6} r, - - owner @{run}/user/@{uid}/xauth_@{rand6} rl, - - # file_inherit - owner /dev/tty@{int} rw, - owner @{HOME}/.xsession-errors w, - include if exists } diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index e7f6416a..fd25c221 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -18,8 +18,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup) peer=kwin_wayland, signal (receive) set=(term hup) peer=login, - unix (send,receive) type=stream addr=none peer=(label=gnome-shell), - @{exec_path} mrix, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index e0b01f5f..baa3d086 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -12,11 +12,12 @@ profile evolution-alarm-notify @{exec_path} { include include include + include include include include - include include + include network netlink raw, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 2deda234..2161b6e0 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm 
@@ -27,16 +27,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=unconfined, - signal (send) set=(term) peer=dbus-accessibility, - signal (send) set=(term) peer=dbus-session, - signal (send) set=(term) peer=dconf-service, - signal (send) set=(term) peer=gdm-session-worker, - signal (send) set=(term) peer=gdm-session, - signal (send) set=(term) peer=gnome-session-binary, - signal (send) set=(term) peer=jackdbus, - signal (send) set=(term) peer=tracker-miner, - signal (send) set=(term) peer=xdg-*, - signal (send) set=(term) peer=xorg, + signal (send) set=(term), unix (bind, listen) type=stream addr="@/tmp/dbus-@{rand8}", unix (send receive accept) type=stream addr="@/tmp/dbus-@{rand8}" peer=(label=gdm-session-worker, addr=none), diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 7692322f..292013a5 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -18,6 +18,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-characters-backgroudservice b/apparmor.d/groups/gnome/gnome-characters-backgroudservice index 3cd85fd3..a86934da 100644 --- a/apparmor.d/groups/gnome/gnome-characters-backgroudservice +++ b/apparmor.d/groups/gnome/gnome-characters-backgroudservice @@ -11,19 +11,13 @@ profile gnome-characters-backgroudservice @{exec_path} { include include include - include + include @{exec_path} mr, @{bin}/gjs-console rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/icons/{,**} r, /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService.*.gresource r, - /usr/share/themes/{,**} r, - /usr/share/X11/xkb/{,**} r, - - /etc/gtk-3.0/settings.ini r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, 
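Review bot: `signal (send) set=(term),` in the gdm hunk drops the peer restriction entirely, so gdm — which typically runs as root — may now SIGTERM any confined process on the system rather than only the ten session components previously listed, and the per-peer list was the only MAC-level limit on that. The receivers this same commit adds (`signal (receive) set=(term) peer=gdm,` in at-spi2-registryd and mutter-x11-frames) suggest the list only needed two new entries, so keeping it explicit and appending `signal (send) set=(term) peer=at-spi2-registryd,` and `signal (send) set=(term) peer=mutter-x11-frames,` would resolve the observed denials without the broadening. If an unrestricted rule is really intended, a comment stating why (for instance that gdm must tear down arbitrary session leftovers) belongs next to it.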
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 46e06aaf..bca53bab 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -45,12 +45,12 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{bin}/locale rix, @{bin}/sed rix, - @{bin}/bwrap rPUx, - @{bin}/gkbd-keyboard-display rPUx, - @{bin}/gnome-software rPUx, + @{bin}/bwrap rCx -> bwrap, + @{bin}/gkbd-keyboard-display rPx, + @{bin}/gnome-software rPx, @{bin}/openvpn rPx, @{bin}/passwd rPx, - @{bin}/pkexec rPx, + @{bin}/pkexec rCx -> pkexec, @{bin}/software-properties-gtk rPx, @{bin}/usermod rPx, @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKitNetworkProcess rPx, @@ -165,5 +165,22 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + profile bwrap { + include + include + + @{bin}/bwrap mr, + + include if exists + } + + profile pkexec { + include + + @{bin}/pkexec mr, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 432d8306..89c2238b 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -71,6 +71,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter/autostart/{,*.desktop} r, /usr/share/gnome-session/hardware-compatibility r, /usr/share/gnome-session/sessions/*.session r, + /usr/share/gnome-shell/extensions/*/metadata.json r, /usr/share/gnome/autostart/{,*.desktop} r, @{etc_ro}/xdg/autostart/{,*.desktop} r, 
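Review bot: The new `profile pkexec { … }` child in gnome-control-center (and the identical one added to gnome-system-monitor further down) grants only `@{bin}/pkexec mr,` plus one include whose target is not visible in this rendering. pkexec is setuid root, so this child profile now confines a root process; unless that include supplies the exec transition to the polkit-authorised helper and whatever capabilities pkexec needs to switch to the target user, the privileged launch will be denied — possibly the intent, but it is not stated anywhere. Please add a comment above each child profile saying what pkexec is allowed to do from this caller, e.g. `# pkexec: confined child; helper exec and capability rules come from the include` or `# pkexec: intentionally no helper exec from this profile`. The same question applies to the `bwrap` child, whose includes are equally opaque here.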
@@ -141,7 +142,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{lib}/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher rPUx, @{lib}/caribou/caribou rPUx, @{lib}/deja-dup/deja-dup-monitor rPx, - @{lib}/gsd-disk-utility-notify rPx, + @{lib}/gsd-* rPx, @{lib}/update-notifier/ubuntu-advantage-notification rPx, @{lib}/xapps/sn-watcher/* rPUx, @{thunderbird_path} rPx, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 1089d544..6b87cf44 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -80,7 +80,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.gnome.Shell #aa:dbus own bus=session name=com.canonical.Unity path=/com/canonical/{U,u}nity - #aa:dbus own bus=session name=com.rastersoft.dingextension interface=org.gtk.Actions + #aa:dbus own bus=session name=com.rastersoft.dingextension + #aa:dbus own bus=session name=org.gtk.Actions path=/** #aa:dbus own bus=session name=org.gtk.MountOperationHandler #aa:dbus own bus=session name=org.gtk.Notifications #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 53d38fee..b76cecae 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -29,10 +29,11 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/lsblk rPx, - @{bin}/pkexec rPx, - @{bin}/sed rix, @{sh_path} rix, + @{bin}/lsblk rPx, + @{bin}/pkexec rCx -> pkexec, + @{bin}/sed rix, + @{bin}/tr rix, /usr/share/gnome-system-monitor/{,**} r, /usr/share/firefox-esr/browser/chrome/icons/default/*.png r, 
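Review bot: In the gnome-shell hunk, the new `#aa:dbus own bus=session name=org.gtk.Actions path=/**` directive treats `org.gtk.Actions` as a well-known bus name to own, whereas it is conventionally the interface that gnome-shell exports on a name it already owns — the removed line combined them as `name=com.rastersoft.dingextension interface=org.gtk.Actions`. Unless gnome-shell really requests that name, the generated bind rule is dead, and the `path=/**` part presumably expands to receive rules far broader than the old single name/interface pair. If the goal was to accept org.gtk.Actions calls on every object path of the ding extension, keep `interface=` on the first directive and move `path=/**` there instead, e.g. `#aa:dbus own bus=session name=com.rastersoft.dingextension path=/** interface=org.gtk.Actions`.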
@@ -75,5 +76,15 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + /dev/tty rw, + + profile pkexec { + include + + @{bin}/pkexec mr, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index 6bf5921a..9a24db7c 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service @@ -11,6 +11,7 @@ profile goa-identity-service @{exec_path} { include include include + include #aa:dbus own bus=session name=org.gnome.Identity diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index e7c89d22..7e67bcca 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -46,6 +46,7 @@ profile gsd-xsettings @{exec_path} { @{exec_path} mr, @{bin}/cat rix, + @{bin}/sed rix, @{bin}/which{,.debianutils} rix, @{bin}/busctl rPx, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 932c978a..459970b0 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -12,11 +12,14 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include include include + include include include include include + signal (receive) set=(term) peer=gdm, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/grub/grub-sort-version b/apparmor.d/groups/grub/grub-sort-version index e9501652..43c49dc2 100644 --- a/apparmor.d/groups/grub/grub-sort-version +++ b/apparmor.d/groups/grub/grub-sort-version @@ -9,8 +9,8 @@ include @{exec_path} = @{lib}/grub/grub-sort-version profile grub-sort-version @{exec_path} { include + include include - include if exists capability dac_read_search, diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index a12a3e00..1e6e05bf 100644 
--- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -13,14 +13,7 @@ profile gvfsd @{exec_path} { include #aa:dbus own bus=session name=org.gtk.vfs.Daemon - - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - peer=(name=org.freedesktop.DBus), - - dbus receive bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - peer=(name=:*), # all members + #aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker dbus send bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index 79b85504..456e7f56 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -15,7 +15,7 @@ profile gvfsd-dnssd @{exec_path} { include include - dbus bind bus=session name=org.gtk.vfs.mountpoint_dnssd, + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd dbus receive bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 5eeb0be5..15f30126 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -13,7 +13,7 @@ profile gvfsd-network @{exec_path} { include include - dbus bind bus=session name=org.gtk.vfs.mountpoint_@{int}, + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index 16bb99e0..5628df1c 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent 
@@ -10,10 +10,27 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-recent profile gvfsd-recent @{exec_path} { include + include include include + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterMount + peer=(name=:*, label=gvfsd), + @{exec_path} mr, + /usr/share/mime/mime.cache r, # Full access to user's data @@ -27,10 +44,10 @@ profile gvfsd-recent @{exec_path} { owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + + @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, - @{run}/mount/utab r, - include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index b1f0a21c..d17fc086 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -21,7 +21,7 @@ profile gvfsd-smb-browse @{exec_path} { network inet dgram, network inet6 dgram, - dbus bind bus=session name=org.gtk.vfs.mountpoint_smb_browse, + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_smb_browse dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 6fb725ef..56768040 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -19,7 +19,7 @@ profile gvfsd-trash @{exec_path} { network inet stream, network inet6 stream, - dbus bind bus=session name=org.gtk.vfs.mountpoint_@{int}, + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} dbus receive bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon 
diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index 81c49575..33934e90 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -89,7 +89,7 @@ profile sddm-xsession @{exec_path} { include if exists } - profile gpg { + profile gpg { include include include diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup index 93f647a8..76394fdc 100644 --- a/apparmor.d/groups/systemd/systemd-cryptsetup +++ b/apparmor.d/groups/systemd/systemd-cryptsetup @@ -20,6 +20,8 @@ profile systemd-cryptsetup @{exec_path} { /etc/fstab r, + /var/swapfile rw, #aa:only whonix + @{run}/ r, @{run}/cryptsetup/ r, @{run}/cryptsetup/* rwk, @@ -31,5 +33,7 @@ profile systemd-cryptsetup @{exec_path} { @{PROC}/devices r, owner @{PROC}/@{pid}/mountinfo r, + /dev/loop-control r, #aa:only whonix + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index f939deb1..eba45da0 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -29,6 +29,7 @@ profile apport @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/gdbus rix, + @{bin}/{,e,f}grep rix, @{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg-divert rPx -> child-dpkg-divert, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index ff9ecb4e..bcbdeb1d 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -9,11 +9,12 @@ include @{exec_path} = /usr/share/apport/apport-gtk profile apport-gtk @{exec_path} { include - include include include include include + include + include include include include 
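Review bot: `/dev/loop-control r, #aa:only whonix` in the second systemd-cryptsetup hunk may still not be enough: the loop-control device is normally opened read-write before the LOOP_CTL_GET_FREE ioctl, so if that is how systemd-cryptsetup opens it here an `r`-only rule leaves the denial in place; checking the requested mask in the audit record before settling on `r` would confirm it. A comment beside `/var/swapfile rw, #aa:only whonix` saying why a swap file needs write access from this profile (presumably Whonix keeps encrypted swap in a file) would help the next reader. The file also still ends without a trailing newline (`\ No newline at end of file`), as does sensible-browser below.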
@@ -49,6 +50,7 @@ profile apport-gtk @{exec_path} { @{bin}/md5sum rix, @{bin}/pkexec rPx, # TODO: rCx or something @{bin}/systemctl rCx -> systemctl, + @{bin}/systemd-detect-virt rPx, @{bin}/which{,.debianutils} rix, @{lib}/{,colord/}colord-sane rPx, @{lib}/@{multiarch}/ld*.so* rix, @@ -58,6 +60,7 @@ profile apport-gtk @{exec_path} { /usr/share/apport/general-hooks/*.py r, /etc/apport/{,**} r, + /etc/cloud/cloud.cfg.d/{,**} r, /etc/bash_completion.d/apport_completion r, /etc/cron.daily/apport r, /etc/default/apport r, diff --git a/apparmor.d/groups/whonix/sensible-browser b/apparmor.d/groups/whonix/sensible-browser index fe0ad095..7234ef78 100644 --- a/apparmor.d/groups/whonix/sensible-browser +++ b/apparmor.d/groups/whonix/sensible-browser @@ -17,7 +17,12 @@ profile sensible-browser @{exec_path} { @{bin}/whichbrowser rix, @{bin}/x-www-browser rix, + @{lib}/msgcollector/generic_gui_message rPx, + @{lib}/msgcollector/striphtml rPx, + @{bin}/torbrowser rPx, + /etc/open_link_confirm.d/{,**} r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/whonix/whonix-firewall-restarter b/apparmor.d/groups/whonix/whonix-firewall-restarter index 31e52b9d..0ee710ca 100644 --- a/apparmor.d/groups/whonix/whonix-firewall-restarter +++ b/apparmor.d/groups/whonix/whonix-firewall-restarter @@ -33,9 +33,7 @@ profile whonix-firewall-restarter @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/*.journal* r, owner /tmp/tmp.@{rand10} rw, diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt index 3b18cb2b..3367f75a 100644 --- a/apparmor.d/profiles-m-r/mutt +++ b/apparmor.d/profiles-m-r/mutt 
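Review bot: `/etc/cloud/cloud.cfg.d/{,**} r,` in the last apport-gtk hunk opens the whole cloud-init drop-in directory to a crash-reporting UI running in the user's session; those drop-ins can carry provisioning material such as datasource settings or `chpasswd`/user entries, so whatever DAC permits becomes readable from this profile. If the consumer is a single apport hook that needs one known file, name that file instead. If the directory really is required, a comment such as `# cloud-init drop-ins, read by apport's cloud hook — contents may be sensitive` records the trade-off for later review.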
@@ -26,10 +26,9 @@ profile mutt @{exec_path} { # Used to exec programs defined in the mailcap. # There are countless programs that can be executed from the mailcap. # This profile includes only the most basic. - @{bin}/{,ba,da}sh rix, + @{sh_path} rix, - @{bin}/sendmail rPUx, - @{lib}/sendmail/sendmail rPUx, + @{lib}/{,sendmail/}sendmail rPUx, @{bin}/ispell rPUx, @{bin}/abook rPUx, @{bin}/mutt_dotlock rix, @@ -41,34 +40,33 @@ profile mutt @{exec_path} { @{bin}/vim rCx -> editor, @{bin}/vim.* rCx -> editor, @{bin}/sensible-editor rCx -> editor, - @{bin}/more rCx -> pager, - @{bin}/less rCx -> pager, - @{bin}/pager rCx -> pager, + + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, + @{bin}/gpg{2,} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, @{bin}/pgpewrap rCx -> gpg, /usr/share/terminfo/** r, + /usr/share/mutt/** r, - # Mutt MIME types search path - /etc/mime.types r, - owner @{HOME}/.mime.types r, + @{etc_ro}/mailcap r, + /etc/mime.types r, + /etc/mutt{,**} r, + /etc/Muttrc r, + /etc/Muttrc.d/{*,} r, - # Mutt mailcap search path - /etc/{mutt/,}mailcap r, - /usr/etc/mailcap r, + owner @{HOME}/.mail_aliases r, # Common location for mail aliases owner @{HOME}/.mailcap r, - - # Mutt config files - /usr/share/mutt/** r, - /etc/{mutt/,}Muttrc r, - /etc/{mutt/,}Muttrc.d/{*,} r, - owner @{HOME}/.mutt/** r, - owner @{HOME}/.muttrc* r, - - # Needed for the edit operation. - owner @{HOME}/ r, + owner @{HOME}/.mime.types r, + owner @{HOME}/.mutt_certificates rwk, + owner @{HOME}/.mutt/{,**} r, + owner @{HOME}/.mutthistory rwk, + owner @{HOME}/.muttrc* r, + owner @{HOME}/.signature r, # Mutt signature file # User mbox # Could be a file or dir depending on mbox_type variable 
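Review bot: In the first mutt hunk, replacing `@{bin}/sendmail rPUx,` and `@{lib}/sendmail/sendmail rPUx,` with the single `@{lib}/{,sendmail/}sendmail rPUx,` silently drops the `@{bin}` path: the new pattern only matches under `@{lib}`, so a sendmail installed as /usr/sbin/sendmail (the usual MTA path, and `@{bin}` stands for `/{,usr/}{,s}bin` per the yadifad hunk in this same patch) is no longer executable from mutt and sending mail will be denied. Keep the bin rule alongside the merged lib rule: `@{bin}/sendmail rPUx,` before `@{lib}/{,sendmail/}sendmail rPUx,`. The mutt profile's enclosing block continues beyond this hunk.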
@@ -76,24 +74,14 @@ profile mutt @{exec_path} { owner @{HOME}/{mbox,postponed,sent}* rwlk, owner @{HOME}/{mbox,postponed,sent}/ rw, owner @{HOME}/{mbox,postponed,sent}/** rwlk, + + owner @{user_config_dirs}/mutt/{,**} r, + owner @{user_cache_dirs}/mutt rwk, + # User maildir owner @{user_mail_dirs}/ rw, owner @{user_mail_dirs}/** rwlk -> @{user_mail_dirs}/**, - # Trusted certificate store - owner @{HOME}/.mutt_certificates rwk, - - # Mutt history file - owner @{HOME}/.mutthistory rwk, - - # Mutt signature file - owner @{HOME}/.signature r, - - # Common location for mail aliases - owner @{HOME}/.mail_aliases r, - - owner @{HOME}/.cache/mutt rwk, - # Needed to compose a message owner /{var/,}tmp/.mutt*/ rw, owner /{var/,}tmp/.mutt*/* lrwk, @@ -137,35 +125,14 @@ profile mutt @{exec_path} { # Vim swap file owner @{HOME}/ r, - owner @{HOME}/.cache/ r, - owner @{HOME}/.cache/vim/** wr, + owner @{user_cache_dirs}/ r, + owner @{user_cache_dirs}/vim/** wr, # This is the file that holds the message owner /{var/,}tmp/{.,}mutt* rw, include if exists } - - profile pager { - include - include - - /usr/share/terminfo/** r, - /usr/share/file/misc/magic.mgc r, - - @{bin}/less mr, - @{bin}/more mr, - @{bin}/pager mr, - - owner @{HOME}/.lesshs* r, - owner @{HOME}/.local/state/ r, - owner @{HOME}/.local/state/less* rw, - - # This is the file that holds the message - owner /{var/,}tmp/mutt* rw, - - include if exists - } profile gpg { include diff --git a/apparmor.d/profiles-m-r/nemo b/apparmor.d/profiles-m-r/nemo index 450273b2..56c2a960 100644 --- a/apparmor.d/profiles-m-r/nemo +++ b/apparmor.d/profiles-m-r/nemo 
@@ -10,77 +10,19 @@ include @{exec_path} = @{bin}/nemo profile nemo @{exec_path} { include - include - include - include - include + include include - # This should be tightened when the "profile has merged rule with conflicting x modifiers" error - # will be fixed. (#FIXME#) - include - include - - # For root window - deny capability dac_read_search, - deny capability dac_override, - - # Needed? - deny capability sys_nice, - network inet stream, network inet6 stream, @{exec_path} mr, - @{lib}/@{multiarch}/nemo/** mrix, - - @{lib}/gvfsd-* rPx, +# @{lib}/@{multiarch}/nemo/** mrix, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/fd/ r, - # To read/write files in the system. The read permission is granted for all files, the write - # permission only for the owner. Also, dirs like /dev/, /efi/, /proc/, /sys/ are not included in - # the list. - / r, - /boot/ r, - /boot/** r, - owner /boot/** rw, - /etc/ r, - /etc/** r, - owner /etc/** rw, - /home/ r, - /home/** r, - owner /home/** rw, - /lost+found/ r, - /lost+found/** r, - owner /lost+found/** rw, - @{MOUNTS}/ r, - @{MOUNTS}/** r, - owner @{MOUNTS}/** rw, - /opt/ r, - /opt/** r, - owner /opt/** rw, - /root/ r, - /root/** r, - owner /root/** rw, - @{run}/ r, - @{run}/** r, - owner @{run}/** rw, - /srv/ r, - /srv/** r, - owner /srv/** rw, - /tmp/ r, - /tmp/** r, - owner /tmp/** rw, - /usr/ r, - /usr/** r, - owner /usr/** rw, - /var/ r, - /var/** r, - owner /var/** rw, - include if exists } diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 601ebfc7..b769ecbb 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -13,9 +13,9 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { include include include + include #aa:only apt include include - include if exists capability chown, capability dac_override, 
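Review bot: The nemo hunk removes the three explicit `deny capability dac_read_search`, `deny capability dac_override` and `deny capability sys_nice` lines at the same time as it swaps the include set; in AppArmor a deny wins over any allow, so those lines both blocked the capability regardless of what an included abstraction granted and kept the denials out of the audit log. Because the include targets are not visible in this rendering, please confirm none of the new includes grants those capabilities, or keep the denies. Also, `# @{lib}/@{multiarch}/nemo/** mrix,` is left commented out at column 0 with no reason given — either delete it or indent it and prefix a one-line reason such as `# disabled: <reason>` so the next reader knows whether it is safe to drop.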
diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index dc663fb2..eb547021 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -21,6 +21,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { network netlink raw, #aa:dbus own bus=system name=net.hadess.PowerProfiles + #aa:dbus own bus=system name=org.freedesktop.UPower.PowerProfiles @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index 1d9e0bc2..2f976bc0 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -28,6 +28,9 @@ profile snap @{exec_path} { mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/, + #aa:dbus own bus=session name=io.snapcraft.Launcher + #aa:dbus own bus=session name=io.snapcraft.Settings + dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=StartTransientUnit diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index bdd03637..fef063b8 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -18,6 +18,7 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber index 1442fcf1..d24e8f6b 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber @@ -35,10 +35,13 @@ profile wireplumber @{exec_path} { /opt/intel/oneapi/{compiler,lib,mkl}/**/ r, /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr, + /usr/share/alsa/{,**} r, /usr/share/alsa-card-profile/{,**} r, /usr/share/spa-*/bluez@{int}/{,*} r, /usr/share/wireplumber/{,**} r, + /etc/alsa/conf.d/{,**} r, + /etc/machine-id r, owner @{desktop_local_dirs}/ w, 
@@ -49,6 +52,8 @@ profile wireplumber @{exec_path} { owner @{user_state_dirs}/ w, owner @{user_state_dirs}/wireplumber/{,**} rw, + owner @{run}/user/@{uid}/pipewire-@{int} rw, + @{run}/systemd/users/@{uid} r, @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) @@ -69,7 +74,6 @@ profile wireplumber @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, - /dev/snd/ r, include if exists } diff --git a/apparmor.d/profiles-s-z/yadifad b/apparmor.d/profiles-s-z/yadifad index e24b45b0..0e03b9f7 100644 --- a/apparmor.d/profiles-s-z/yadifad +++ b/apparmor.d/profiles-s-z/yadifad @@ -1,9 +1,10 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only include -@{exec_path} = /{,usr/}{,s}bin/yadifad +@{exec_path} = @{bin}/yadifad profile yadifad @{exec_path} { include include @@ -22,16 +23,12 @@ profile yadifad @{exec_path} { /etc/yadifa/yadifad.conf r, - /var/lib/yadifa/** r, - owner /var/lib/yadifa/ydf.@{rand6} rw, - owner /var/lib/yadifa/keys/ydf.@{rand6} rw, - owner /var/lib/yadifa/xfr/ydf.@{rand6} rw, + /var/log/yadifa/{,**} rw, - /var/log/yadifa/*.log rw, - /var/log/yadifa/ydf.@{rand6} rw, + owner /var/lib/yadifa/{,**} rw, + owner @{run}/yadifa/{,*} rw, owner @{run}/yadifa/yadifad.pid rwk, - owner @{run}/yadifa/ydf.@{rand6} rw, include if exists }
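Review bot: In the last yadifad hunk, `owner /var/lib/yadifa/{,**} rw,` widens write access from the `ydf.@{rand6}` temporary files to the entire state tree, including `/var/lib/yadifa/keys/`, which was previously readable but writable only for those temp files; a DNS daemon that can rewrite what is presumably its own DNSSEC key material is a larger blast radius if it is compromised. If writes are only needed for the files it creates itself, keep `/var/lib/yadifa/{,**} r,` broad and restrict `rw` to the paths actually written — the three removed rules collapse to `owner /var/lib/yadifa/{,keys/,xfr/}ydf.@{rand6} rw,`. If full write access really is required (zone journals, for example), a comment saying so next to the rule would settle the question.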