From 095254864fc6ff74065149caab8676d7346c5ffd Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 3 Apr 2024 21:04:18 +0100
Subject: [PATCH] feat(profile): general update.
---
 apparmor.d/abstractions/app/chromium | 13 ++++++++-----
 apparmor.d/abstractions/base.d/complete | 2 ++
 apparmor.d/abstractions/common/bwrap | 5 ++---
 apparmor.d/abstractions/common/electron | 1 +
 apparmor.d/groups/_full/systemd-user | 2 +-
 apparmor.d/groups/children/child-systemctl | 2 +-
 apparmor.d/groups/freedesktop/xdg-document-portal | 8 +++++---
 apparmor.d/groups/freedesktop/xorg | 1 -
 apparmor.d/groups/gnome/gnome-control-center | 2 +-
 apparmor.d/groups/gnome/gnome-shell | 1 -
 apparmor.d/groups/gnome/gnome-software | 4 +++-
 apparmor.d/groups/gnome/gnome-tweaks | 2 +-
 apparmor.d/groups/gnome/gsd-housekeeping | 3 +--
 apparmor.d/groups/gnome/tracker-miner | 1 +
 apparmor.d/groups/ssh/sshd | 1 +
 apparmor.d/groups/systemd/systemd-oomd | 4 +++-
 apparmor.d/groups/systemd/systemd-userdbd | 4 +++-
 apparmor.d/profiles-a-f/cups-notifier-dbus | 4 +++-
 apparmor.d/profiles-a-f/evince | 2 +-
 apparmor.d/profiles-a-f/flatpak | 3 ++-
 apparmor.d/profiles-a-f/flatpak-app | 6 +++---
 apparmor.d/profiles-a-f/flatpak-system-helper | 3 ++-
 apparmor.d/profiles-m-r/mate-notification-daemon | 5 +----
 apparmor.d/profiles-m-r/mpv | 4 +---
 apparmor.d/profiles-s-z/start-pulseaudio-x11 | 1 +
 apparmor.d/profiles-s-z/wireplumber | 5 ++++-
 26 files changed, 52 insertions(+), 37 deletions(-)
diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium
index 02bbb766..63942895 100644
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@@ -2,15 +2,19 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# For chromium based browser. If your application requires chromium to run
-# (like electron) use abstractions/common/chromium instead.
-
-# This abstraction requires the following variables definied in the profile header:
+# Full set of rules for all chromium based browsers. It works as a *function*
+# and requires some variables to be provided as *arguments* and set in the
+# header of the calling profile. Example:
+#
 # @{name} = chromium
 # @{domain} = org.chromium.Chromium
 # @{lib_dirs} = @{lib}/chromium
 # @{config_dirs} = @{user_config_dirs}/chromium
 # @{cache_dirs} = @{user_cache_dirs}/chromium
+#
+# If your application requires chromium to run use abstractions/common/chromium
+# or abstractions/common/electron instead.
+#
 include
 include
@@ -98,7 +102,6 @@
 /usr/share/@{name}/{,**} r,
 /usr/share/chromium/extensions/{,**} r,
- /usr/share/egl/{,**} r,
 /usr/share/hwdata/pnp.ids r,
 /usr/share/mozilla/extensions/{,**} r,
 /usr/share/qt{5,}/translations/*.qm r,
diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete
index 72ccd3d7..cc4b1a1e 100644
--- a/apparmor.d/abstractions/base.d/complete
+++ b/apparmor.d/abstractions/base.d/complete
@@ -25,4 +25,6 @@
 @{sys}/devices/system/cpu/possible r,
+ @{PROC}/sys/kernel/core_pattern r,
+
 deny /apparmor/.null rw,
diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap
index c6bc167c..f2e76bcd 100644
--- a/apparmor.d/abstractions/common/bwrap
+++ b/apparmor.d/abstractions/common/bwrap
@@ -17,8 +17,8 @@
 network netlink raw,
+ mount options=(rw rbind) -> /newroot/{,**},
 mount options=(rw rbind) /tmp/newroot/ -> /tmp/newroot/,
- mount options=(rw rbind) /oldroot/{,**} -> /newroot/{,**},
 mount options=(rw silent rprivate) -> /oldroot/,
 mount options=(rw silent rslave) -> /,
 mount fstype=devpts options=(rw nosuid noexec) devpts -> /newroot/dev/pts/,
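Review bot: The new `@{PROC}/sys/kernel/core_pattern r,` goes into abstractions/base.d/complete, so every profile that includes base inherits it, yet the hunk gives no indication of which program or library needs it. Reading core_pattern is low risk on its own (it only exposes the configured core handler, e.g. whether a pipe to a coredump helper is set), but grants at the base-abstraction level are the ones that accumulate unreviewed, so the consumer should be named on the line, e.g. `@{PROC}/sys/kernel/core_pattern r, # TODO: note which consumer reads this (crash-handling code, presumably)`. The abstraction's other rules are outside the hunk.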
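Review bot: The replacement rule `mount options=(rw rbind) -> /newroot/{,**},` drops the source path that the removed `/oldroot/{,**} -> /newroot/{,**}` rule constrained, so any source may now be rbind-mounted to any point under /newroot. For a sandbox-setup abstraction that is a real widening, since the bind sources decide which host paths the sandboxed program ends up seeing, and nothing in the hunk says why the /oldroot prefix no longer fits. If the reason is that bwrap's bind sources are arbitrary host paths that do not appear under /oldroot, say so on the rule, e.g. `mount options=(rw rbind) -> /newroot/{,**}, # source is whatever host path was given to --bind/--ro-bind`; otherwise keep the /oldroot-prefixed rule and add only the missing sources. The rest of the abstraction is outside this hunk.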
@@ -40,10 +40,9 @@
 owner /tmp/newroot/ w,
 owner /tmp/oldroot/ w,
- @{PROC}/sys/kernel/overflowgid r,
 @{PROC}/sys/kernel/overflowuid r,
- @{PROC}/sys/user/max_user_namespaces r,
+ @{PROC}/sys/user/max_user_namespaces rw,
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/gid_map rw,
diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron
index 071f3533..3862765b 100644
--- a/apparmor.d/abstractions/common/electron
+++ b/apparmor.d/abstractions/common/electron
@@ -74,6 +74,7 @@
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1
+ owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/oom_score_adj rw,
 owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1
 owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user
index 3a449bd2..580752a5 100644
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@@ -26,7 +26,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
 network netlink raw,
 signal (send) set=(term, cont, kill),
- signal (receive) set=(hup) peer=@{systemd},
+ signal (receive) set=(hup) peer=@{p_systemd},
 ptrace (read),@{p_systemd}
diff --git a/apparmor.d/groups/children/child-systemctl b/apparmor.d/groups/children/child-systemctl
index ca7bc90d..6011be65 100644
--- a/apparmor.d/groups/children/child-systemctl
+++ b/apparmor.d/groups/children/child-systemctl
@@ -31,7 +31,7 @@ profile child-systemctl flags=(attach_disconnected) {
 dbus send bus=system path=/org/freedesktop/systemd1
 interface=org.freedesktop.systemd1.Manager
 member=GetUnitFileState
- peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
+ peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
 @{exec_path} mr,
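Review bot: `@{PROC}/sys/user/max_user_namespaces rw,` turns a read of the user-namespace limit into a write, and the hunk does not say why bwrap needs to write it. If this is for bubblewrap's `--disable-userns`, which lowers that limit inside the freshly created user namespace (where the sysctl is per-namespace), the write is harmless and the rule should carry that justification, e.g. `@{PROC}/sys/user/max_user_namespaces rw, # --disable-userns lowers the limit inside the new userns`. If that is not the reason, the write should stay denied: a setuid-root bwrap writing the host's value would change the limit for every user on the machine. The remaining bwrap rules are outside this hunk.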
diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal
index 993b91e7..13cb4b52 100644
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@@ -12,15 +12,16 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
 include
 include
- capability sys_nice,
- capability sys_resource,
 capability sys_admin,
+ capability sys_nice,
+ capability sys_ptrace,
+ capability sys_resource,
 mount fstype=fuse.portal -> @{run}/user/@{uid}/doc/,
 signal (receive) set=(term) peer=gdm,
- ptrace (read) peer=xdg-desktop-portal,
+ ptrace (read),
 unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount),
@@ -37,6 +38,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
 @{bin}/fusermount{,3} rCx -> fusermount,
 / r,
+ owner /.flatpak-info r,
 owner @{user_share_dirs}/flatpak/db/documents r,
 owner @{user_share_dirs}/Trash/files/** r,
diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg
index 3a263948..1ce739b8 100644
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@@ -56,7 +56,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
 /var/lib/xkb/server-@{int}.xkm rw,
 /var/lib/xkb/compiled/server-@{int}.xkm rw,
- /usr/share/egl/{,**} rw,
 /usr/share/libinput*/ r,
 /usr/share/libinput*/{,**/}[0-9][0-9]-*.quirks r,
 /usr/share/libinput*/libinput/ r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index bca53bab..3107e08d 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -20,6 +20,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 network inet dgram,
 network inet6 dgram,
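Review bot: Replacing `ptrace (read) peer=xdg-desktop-portal,` with an unrestricted `ptrace (read),` and adding `capability sys_ptrace,` lets the document portal read the /proc entries of any process, not just the desktop portal's, and the hunk states no reason for that widening. If the need is to resolve a caller's paths through `/proc/@{pid}/root/` for sandboxed callers (the `owner /.flatpak-info r,` in the next hunk looks like such a path seen through attach_disconnected), then the peer should be narrowed to the labels that actually call the portal rather than dropped, e.g. `ptrace (read) peer={xdg-desktop-portal,flatpak-app},` with the real caller labels filled in, and the `/.flatpak-info` line should say where that path comes from. `capability sys_ptrace` also deserves a comment: for a per-user daemon that does not run as root it has no effect, so either it is not needed or the portal runs with more privilege than the profile suggests. The rest of the profile is outside these hunks.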
@@ -99,7 +100,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
 owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
- owner @{user_cache_dirs}/thumbnails/{,**} rw,
 owner @{user_config_dirs}/background rw,
 owner @{user_config_dirs}/gnome-control-center/{,**} rw,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 616bb442..a33062f5 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -211,7 +211,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 /usr/share/dconf/profile/gdm r,
 /usr/share/desktop-base/** r,
 /usr/share/desktop-directories/{,*.directory} r,
- /usr/share/egl/{,**} r,
 /usr/share/gdm/BuiltInSessions/{,*.desktop} r,
 /usr/share/gdm/greeter-dconf-defaults r,
 /usr/share/gdm/greeter/applications/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index 3aea937a..dd69b647 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -71,6 +71,8 @@ profile gnome-software @{exec_path} {
 /var/tmp/flatpak-cache-*/** rwkl,
 /var/tmp/#@{int} rw,
+ / r,
+
 owner @{HOME}/.var/app/{,**} rw,
 owner @{user_cache_dirs}/flatpak/{,**} rwl,
@@ -92,7 +94,7 @@ profile gnome-software @{exec_path} {
 owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-@{rand6} rw,
 owner @{run}/user/@{uid}/.dbus-proxy/session-bus-proxy-@{rand6} rw,
 owner @{run}/user/@{uid}/.flatpak-cache rw,
- owner @{run}/user/@{uid}/.flatpak/{,**} rw,
+ owner @{run}/user/@{uid}/.flatpak/{,**} rwl,
 owner @{run}/user/@{uid}/.flatpak/**/*.ref rwk,
 owner @{run}/user/@{uid}/app/{,*/} rw,
diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks
index dbb42817..b69f7f76 100644
--- a/apparmor.d/groups/gnome/gnome-tweaks
+++ b/apparmor.d/groups/gnome/gnome-tweaks
@@ -13,6 +13,7 @@ profile gnome-tweaks @{exec_path} {
 include
 include
 include
+ include
 @{exec_path} mr,
@@ -28,7 +29,6 @@ profile gnome-tweaks @{exec_path} {
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
- owner @{user_cache_dirs}/thumbnails/{,**} r,
 owner @{user_config_dirs}/autostart/ rw,
 owner @{user_config_dirs}/autostart/*.desktop r,
 owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini* rw,
diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping
index b0ba0ac5..057451cc 100644
--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@@ -14,7 +14,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
+ include
 signal (receive) set=(term, hup) peer=gdm*,
 signal (receive) set=(term, hup) peer=gnome*,
@@ -38,7 +38,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
 owner @{gdm_config_dirs}/dconf/user r,
 owner @{gdm_share_dirs}/applications/ w,
- owner @{user_cache_dirs}/thumbnails/{,**} rw,
 owner @{user_share_dirs}/applications/ rw,
 @{run}/mount/utab r,
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index d3e0d391..fc8fba90 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -48,6 +48,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
 /usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r,
 /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
 /usr/share/ladspa/rdf/{,**} r,
+ /usr/share/poppler/{,**} r,
 /usr/share/tracker3-miners/{,**} r,
 /usr/share/tracker3/{,**} r,
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index 21f1fea2..d851bcdb 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@@ -77,6 +77,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 /etc/issue.net r,
 /etc/legal r,
 /etc/machine-id r,
+ /etc/motd r,
 /etc/shells r,
 @{etc_ro}/ssh/sshd_config r,
diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd
index 7cea1f32..9ac5669f 100644
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@@ -33,7 +33,9 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
 @{sys}/fs/cgroup/memory.pressure r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r,
- @{PROC}/pressure/{cpu,io,memory} r,
+ @{PROC}/pressure/cpu r,
+ @{PROC}/pressure/io r,
+ @{PROC}/pressure/memory r,
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd
index 07156972..752035a9 100644
--- a/apparmor.d/groups/systemd/systemd-userdbd
+++ b/apparmor.d/groups/systemd/systemd-userdbd
@@ -31,7 +31,9 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted)
 @{run}/systemd/userdb/{,**} rw,
 @{PROC}/@{pid}/cgroup r,
- @{PROC}/pressure/* r,
+ @{PROC}/pressure/cpu r,
+ @{PROC}/pressure/io r,
+ @{PROC}/pressure/memory r,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/cups-notifier-dbus b/apparmor.d/profiles-a-f/cups-notifier-dbus
index 283cb5c0..0c21ef9e 100644
--- a/apparmor.d/profiles-a-f/cups-notifier-dbus
+++ b/apparmor.d/profiles-a-f/cups-notifier-dbus
@@ -17,7 +17,9 @@ profile cups-notifier-dbus @{exec_path} {
 @{exec_path} mr,
- /tmp/cups-dbus-notifier-lockfile rwk,
+ /etc/cups/client.conf r,
+
+ owner /tmp/cups-dbus-notifier-lockfile rwk,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince
index 3122576c..6c80cfa8 100644
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
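Review bot: Adding `owner` to `/tmp/cups-dbus-notifier-lockfile rwk,` is the right direction for a fixed file name in world-writable /tmp, since without it a file pre-created by another user would be opened and locked by the daemon. The caveat worth recording is that with `owner` the open is simply denied when such a file already exists, which turns the squatting case into a startup failure rather than a takeover; a comment keeps the next contributor from relaxing it when they see the denial, e.g. `owner /tmp/cups-dbus-notifier-lockfile rwk, # fixed name in /tmp: owner so another user's pre-created file is refused, not used`.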
@@ -17,6 +17,7 @@ profile evince @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
@@ -46,7 +47,6 @@ profile evince @{exec_path} {
 owner @{user_share_dirs}/ r,
 owner @{user_share_dirs}/gvfs-metadata/{,*} r,
- owner @{user_cache_dirs}/thumbnails/{,**} rw,
 owner @{user_config_dirs}/evince/{,*} rw,
 owner /tmp/*.pdf r,
diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak
index a5523785..29d56b63 100644
--- a/apparmor.d/profiles-a-f/flatpak
+++ b/apparmor.d/profiles-a-f/flatpak
@@ -14,7 +14,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 include
 include
 include
- include
+ include
 include
 include
@@ -86,6 +86,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 @{sys}/module/nvidia/version r,
 @{PROC}/sys/fs/pipe-max-size r,
+ owner @{PROC}/@{pid}/fdinfo/@{int} r,
 owner @{PROC}/@{pid}/stat r,
 /dev/fuse rw,
diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app
index c91bf26e..ed7768c4 100644
--- a/apparmor.d/profiles-a-f/flatpak-app
+++ b/apparmor.d/profiles-a-f/flatpak-app
@@ -24,7 +24,6 @@ include
 profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 include
 include
- include
 include
 include
@@ -76,11 +75,12 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 /var/tmp/etilqs_@{hex} rw,
 @{run}/.userns r,
- owner @{run}/user/@{uid}/*.kioworker.socket r,
- owner @{run}/user/@{uid}/#@{int} rwl,
 owner @{run}/flatpak/{,**} rk,
 owner @{run}/flatpak/app/*/*ipc* rw,
+ owner @{run}/flatpak/doc/** rw,
 owner @{run}/ld-so-cache-dir/* rw,
+ owner @{run}/user/@{uid}/*.kioworker.socket r,
+ owner @{run}/user/@{uid}/#@{int} rwl,
 include if exists
 include if exists
diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper
index 3e36f9ee..35ef8a57 100644
--- a/apparmor.d/profiles-a-f/flatpak-system-helper
+++ b/apparmor.d/profiles-a-f/flatpak-system-helper
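Review bot: The new `owner @{run}/flatpak/doc/** rw,` does not match the directory `@{run}/flatpak/doc/` itself, whereas the neighbouring `owner @{run}/flatpak/{,**} rk,` uses the `{,**}` form and only grants it rk; if the sandboxed app needs to create or list entries there, the consistent spelling is `owner @{run}/flatpak/doc/{,**} rw,`. If the files-only scope is deliberate, a comment would make that clear, and in either case the rule should say what the path is, presumably the document-portal mount as seen from inside the sandbox, since that is not evident from the name. The rest of the profile, including the includes the other hunk touches, is outside this hunk.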
@@ -48,7 +48,8 @@ profile flatpak-system-helper @{exec_path} {
 @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/fd/ r,
-
+ owner @{PROC}/@{pid}/fdinfo/@{int} r,
+
 profile gpg {
 include
 include
diff --git a/apparmor.d/profiles-m-r/mate-notification-daemon b/apparmor.d/profiles-m-r/mate-notification-daemon
index e22c0510..7d3ea019 100644
--- a/apparmor.d/profiles-m-r/mate-notification-daemon
+++ b/apparmor.d/profiles-m-r/mate-notification-daemon
@@ -9,13 +9,10 @@ include
 @{exec_path} = @{lib}/mate-notification-daemon/mate-notification-daemon
 profile mate-notification-daemon @{exec_path} {
 include
- include
 include
- include
+ include
 @{exec_path} mr,
- owner @{HOME}/.Xauthority r,
-
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv
index 9cb3c796..8f667bb2 100644
--- a/apparmor.d/profiles-m-r/mpv
+++ b/apparmor.d/profiles-m-r/mpv
@@ -12,9 +12,8 @@ profile mpv @{exec_path} {
 include
 include
 include
+ include
 include
- include
- include
 include
 include
 include
@@ -38,7 +37,6 @@ profile mpv @{exec_path} {
 @{bin}/youtube-dl rPx,
 @{bin}/yt-dlp rPx,
- /etc/libva.conf r,
 /etc/mpv/* r,
 /etc/samba/smb.conf r,
diff --git a/apparmor.d/profiles-s-z/start-pulseaudio-x11 b/apparmor.d/profiles-s-z/start-pulseaudio-x11
index 616e783f..3287c755 100644
--- a/apparmor.d/profiles-s-z/start-pulseaudio-x11
+++ b/apparmor.d/profiles-s-z/start-pulseaudio-x11
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/start-pulseaudio-x11
 profile start-pulseaudio-x11 @{exec_path} {
 include
+ include
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber
index a1783531..85db8c07 100644
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/wireplumber
 profile wireplumber @{exec_path} {
 include
+ include
 include
 include
 include
@@ -58,10 +59,12 @@ profile wireplumber @{exec_path} {
 @{sys}/bus/ r,
 @{sys}/bus/media/devices/ r,
+ @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r,
 @{sys}/devices/**/device:*/**/path r,
 @{sys}/devices/**/sound/**/pcm_class r,
 @{sys}/devices/**/sound/**/uevent r,
- @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r,
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node@{int}/meminfo r,
 @{sys}/devices/virtual/dmi/id/bios_vendor r,
 @{sys}/devices/virtual/dmi/id/product_name r,
 @{sys}/devices/virtual/dmi/id/sys_vendor r,