feat(profiles): general update.

2024-11-14 23:43:56 +01:00 · 2022-06-26 23:05:09 +01:00 · 2022-06-26 23:05:09 +01:00 · 08beefe867
commit 08beefe867
parent e087349662
16 changed files with 47 additions and 9 deletions
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -63,6 +63,8 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/apt-listchanges                 rPx,
  /{usr/,}bin/apt-show-versions               rPx,
  /{usr/,}bin/debtags                         rPx,
+  /{usr/,}bin/df                              rPx,
+  /{usr/,}bin/dmesg                           rPx,
  /{usr/,}bin/dpkg                            rPx,
  /{usr/,}bin/dpkg-source                     rcx -> dpkg-source,
  /{usr/,}bin/etckeeper                       rPx,
@ -97,6 +99,8 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  /var/cache/apt/ r,
  /var/cache/apt/** rwk,

+  /var/crash/{,*.@{uid}.crash} rw,
+
  /var/lib/apt/extended_states{,.*} rw,
  /var/lib/apt/lists/** rw,
  /var/lib/apt/lists/lock rwk,
@ -105,8 +109,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  /var/lib/dpkg/lock{,-frontend} rwk,
  /var/lib/update-notifier/dpkg-run-stamp rw,

-  /var/log/apt/{term,history}.log w,
-  /var/log/apt/eipp.log.xz w,
+  /var/log/apt/{,**} rw,

  # For package building
  @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
--- a/apparmor.d/groups/bus/dbus-daemon-launch-helper
+++ b/apparmor.d/groups/bus/dbus-daemon-launch-helper
@ -21,6 +21,8 @@ profile dbus-daemon-launch-helper @{exec_path} {
  /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism         rPx,
  /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism       rPx,
  /{usr/,}lib/software-properties/software-properties-dbus  rPx,
+  
+  /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,

  /usr/share/dbus-1/{,**} r,

--- a/apparmor.d/groups/gnome/gnome-calculator-search-provider
+++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider
@ -9,9 +9,10 @@ include <tunables/global>
@{exec_path} = @{libexec}/gnome-calculator-search-provider
 profile gnome-calculator-search-provider @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dconf-write>
-  include <abstractions/gtk>
  include <abstractions/fonts>
+  include <abstractions/gtk>

  signal (send) set=kill peer=unconfined,

@ -23,6 +24,7 @@ profile gnome-calculator-search-provider @{exec_path} {
  /usr/share/icons/{,**} r,
  
  owner @{run}/user/@{uid}/gdm/Xauthority r,
+  owner @{run}/user/@{uid}/wayland-[0-9]* rw,

  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pids}/cmdline r,
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -148,6 +148,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
        @{run}/systemd/users/@{uid} r,
        @{run}/systemd/sessions/  r,
        @{run}/systemd/sessions/* r,
+        @{run}/cups/cups.sock rw,

  @{run}/udev/data/+dmi:* r,
  @{run}/udev/data/+input* r,       # for mouse, keyboard, touchpad
--- a/apparmor.d/groups/gnome/gnome-control-center-search-provider
+++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider
@ -9,17 +9,22 @@ include <tunables/global>
@{exec_path} = @{libexec}/gnome-control-center-search-provider
 profile gnome-control-center-search-provider @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dconf-write>
+  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
-  include <abstractions/fonts>

  @{exec_path} mr,

  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  /usr/share/ubuntu/applications/{,**} r,
  /usr/share/X11/xkb/{,**} r,

+  /etc/gnome/defaults.list r,
+
  owner @{run}/user/@{uid}/gdm/Xauthority r,
+  owner @{run}/user/@{uid}/wayland-[0-9]* rw,

  include if exists <local/gnome-control-center-search-provider>
 }
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -20,7 +20,8 @@ profile gnome-terminal-server @{exec_path} {
  @{exec_path} mr,

  # The shell is not confined on purpose.
-  /{usr/,}bin/{,z,ba,da}sh rUx,
+  /{usr/,}bin/{,b,d,rb}ash         rUx,
+  /{usr/,}bin/{c,k,tc,z}sh         rUx,

  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/X11/xkb/{,**} r,
--- a/apparmor.d/groups/gnome/seahorse
+++ b/apparmor.d/groups/gnome/seahorse
@ -16,11 +16,21 @@ profile seahorse @{exec_path} {
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>

+  dbus send bus=system path=/
+       interface=org.freedesktop.DBus.Peer
+       member=Ping
+       peer=(name=org.freedesktop.Avahi),
+
  dbus send bus=system path=/
       interface=org.freedesktop.Avahi.Server
       member={GetAPIVersion,GetState,ServiceBrowserNew}
       peer=(name=org.freedesktop.Avahi),

+  dbus send bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
+       interface=org.freedesktop.Avahi.ServiceBrowser
+       member=Free
+       peer=(name=org.freedesktop.Avahi),
+
  dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
       interface=org.freedesktop.Avahi.ServiceBrowser
       member={CacheExhausted,AllForNow},
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@ -97,7 +97,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
  /{usr/,}lib/nm-openvpn-service                 rPx,
  /{usr/,}lib/nm-openvpn-service-openvpn-helper  rPx,

-  /dev/rfkill rw,
+  /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,

  / r,
  /etc/ r,
@ -136,5 +136,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
        @{PROC}/sys/kernel/osrelease r,
        @{PROC}/sys/net/** rw,

+  /dev/rfkill rw,
+
  include if exists <local/NetworkManager>
 }
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@ -50,6 +50,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
        @{run}/systemd/resolve/{,**} rw,

  @{PROC}/sys/kernel/hostname r,
+  @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,

  include if exists <local/systemd-timesyncd>
 }
--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@ -19,9 +19,13 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
       interface=org.freedesktop.DBus
       member={AddMatch,ReleaseName,RequestName},

+  dbus send bus=system path=/org/freedesktop/systemd[0-9]/unit/*
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
  dbus receive bus=system path=/org/freedesktop/timedate[0-1]
       interface=org.freedesktop.DBus.Properties
-       member=Get,
+       member={Get,GetAll},

  dbus bind bus=system 
       name=org.freedesktop.timedate[0-9],
--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@ -69,16 +69,17 @@ profile apport-gtk @{exec_path} {

  /tmp/[a-z0-9]* rw,
  /tmp/apport_core_* rw,
-  /tmp/launchpadlib.cache.[a-z0-9]*/ w,
+  /tmp/launchpadlib.cache.[a-z0-9]*/ rw,
  /tmp/tmp[a-z0-9]*/{,**} rw,

-  owner @{PROC}/@{pid}/cgroup r,
        @{PROC}/ r,
        @{PROC}/@{pids}/cmdline r,
        @{PROC}/@{pids}/fd/  r,
+        @{PROC}/@{pids}/mounts r,
        @{PROC}/@{pids}/stat r,
        @{PROC}/modules r,
        @{PROC}/version_signature r,
+  owner @{PROC}/@{pid}/cgroup r,

  profile gdb {
    include <abstractions/base>
--- a/apparmor.d/groups/ubuntu/apt-esm-json-hook
+++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/ubuntu-advantage/apt-esm-json-hook
 profile apt-esm-json-hook @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>

  @{exec_path} mr,

--- a/apparmor.d/profiles-a-f/apparmor_parser
+++ b/apparmor.d/profiles-a-f/apparmor_parser
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/apparmor_parser
 profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/consoles>

  capability mac_admin,

--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@ -25,6 +25,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {

  /{usr/,}bin/{,ba,da}sh                        rix,
  /{usr/,}bin/dpkg-query                        rpx,
+  /{usr/,}bin/fail2ban-server                   rPx,
  /{usr/,}bin/locale                            rix,
  /{usr/,}bin/python3.[0-9]*                    rix,
  /{usr/,}bin/stty                              rix,
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@ -14,6 +14,8 @@ profile run-parts @{exec_path} {

  @{exec_path} mr,

+  /usr/share/update-notifier/notify-reboot-required rPx,
+
  # Crontrab
  /etc/cron.{hourly,daily,weekly,monthly}/                     r,
  /etc/cron.{hourly,daily,weekly,monthly}/0anacron             rPx,
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@ -11,6 +11,7 @@ profile spice-vdagent @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio>
  include <abstractions/dbus-session-strict>
+  include <abstractions/fonts>
  include <abstractions/gtk>
  include <abstractions/X-strict>