feat(profiles): general update.

2025-01-18 00:48:10 +01:00 · 2022-05-09 21:51:18 +01:00 · 2022-05-09 21:51:18 +01:00 · 0b66933b45
commit 0b66933b45
parent 940c9de083
22 changed files with 37 additions and 22 deletions
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -30,8 +30,11 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,

  /{usr/,}bin/{,ba,da}sh rix,
-  /{usr/,}bin/test       rix,
  /{usr/,}bin/{,e}grep   rix,
+  /{usr/,}bin/echo       rix,
+  /{usr/,}bin/gdbus      rix,
+  /{usr/,}bin/test       rix,
+  /{usr/,}bin/touch      rix,

  /{usr/,}{s,}bin/dpkg-preconfigure           rPx,
  /{usr/,}{s,}bin/localepurge                 rPx,
--- a/apparmor.d/groups/apt/apt-systemd-daily
+++ b/apparmor.d/groups/apt/apt-systemd-daily
@ -27,6 +27,7 @@ profile apt-systemd-daily @{exec_path} {
  /{usr/,}bin/flock      rix,
  /{usr/,}bin/grep       rix,
  /{usr/,}bin/gzip       rix,
+  /{usr/,}bin/ls         rix,
  /{usr/,}bin/mv         rix,
  /{usr/,}bin/rm         rix,
  /{usr/,}bin/savelog    rix,
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@ -118,6 +118,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
  owner @{MOZ_HOMEDIR}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r,

  owner @{user_config_dirs}/ r,
+  owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
  owner @{user_config_dirs}/mimeapps.list{,.*} rw,

  owner @{user_cache_dirs}/ rw,
--- a/apparmor.d/groups/browsers/firefox-pingsender
+++ b/apparmor.d/groups/browsers/firefox-pingsender
@ -20,7 +20,9 @@ profile firefox-pingsender @{exec_path} {

  owner @{HOME}/.mozilla/firefox/*.*/saved-telemetry-pings/@{uuid} rw,

-  # file_inherit
+  owner @{PROC}/@{pid}/stat r,
+  owner @{PROC}/@{pid}/task/@{tid}/stat r,
+
  owner /dev/tty[0-9]* rw,

  include if exists <local/firefox-pingsender>
--- a/apparmor.d/groups/bus/ibus-engine-simple
+++ b/apparmor.d/groups/bus/ibus-engine-simple
@ -15,6 +15,7 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

+  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

  owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
--- a/apparmor.d/groups/bus/ibus-extension-gtk3
+++ b/apparmor.d/groups/bus/ibus-extension-gtk3
@ -32,6 +32,7 @@ profile ibus-extension-gtk3 @{exec_path} {
  /usr/share/icons/{,**} r,
  /usr/share/X11/xkb/** r,

+  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

  owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
--- a/apparmor.d/groups/bus/ibus-portal
+++ b/apparmor.d/groups/bus/ibus-portal
@ -20,6 +20,8 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {

  /usr/share/locale/locale.alias r,

+  /etc/machine-id r,
+
  /var/lib/dbus/machine-id r,
  /var/lib/gdm/.config/ibus/bus/ r,
  /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@ -20,6 +20,7 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

+  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

  owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
--- a/apparmor.d/groups/freedesktop/fc-list
+++ b/apparmor.d/groups/freedesktop/fc-list
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -12,7 +13,7 @@ profile fc-list @{exec_path} {
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>

-  /{usr/,}bin/fc-list mr,
+  @{exec_path} mr,

  include if exists <local/fc-list>
 }
--- a/apparmor.d/groups/freedesktop/xrdb
+++ b/apparmor.d/groups/freedesktop/xrdb
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -32,6 +33,8 @@ profile xrdb @{exec_path} {
  owner /tmp/xauth-[0-9]*-_[0-9] r,
  owner /tmp/kcminit.* r,

+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r,
+
  # file_inherit
  owner /dev/tty[0-9]* rw,
  owner @{HOME}/.xsession-errors w,
--- a/apparmor.d/groups/freedesktop/xwayland
+++ b/apparmor.d/groups/freedesktop/xwayland
@ -25,6 +25,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/xkbcomp    rPx,

  /usr/share/egl/{,**} r,
+  /usr/share/fonts/X11/{,**} r,
  /usr/share/X11/xkb/rules/evdev r,

  owner /tmp/server-[0-9]*.xkm rwk,
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -16,6 +16,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
  include <abstractions/mesa>
+  include <abstractions/nameservice-strict>
  include <abstractions/opencl-nvidia>
  include <abstractions/openssl>
  include <abstractions/vulkan>
--- a/apparmor.d/groups/gnome/gnome-calendar
+++ b/apparmor.d/groups/gnome/gnome-calendar
@ -11,6 +11,7 @@ profile gnome-calendar @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf>
  include <abstractions/gnome>
+  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl>
  include <abstractions/openssl>
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -40,8 +40,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/locale     rix,
  /{usr/,}bin/openvpn    rPx,
  /{usr/,}bin/passwd     rPx,
-  /{usr/,}lib/gnome-control-center-goa-helper         rPx,
-  /{usr/,}lib/gnome-control-center-print-renderer     rPx,
+  @{libexec}/gnome-control-center-goa-helper          rPx,
+  @{libexec}/gnome-control-center-print-renderer      rPx,
  /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,

  /usr/share/backgrounds/gnome/* r,
--- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer
+++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
@ -15,6 +15,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
  include <abstractions/fonts>
  include <abstractions/gtk>
  include <abstractions/mesa>
+  include <abstractions/nameservice-strict>
  include <abstractions/opencl-nvidia>
  include <abstractions/vulkan>

--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@ -56,7 +56,5 @@ profile gnome-music @{exec_path} {

  owner @{PROC}/@{pid}/mounts r,

-  /dev/shm/ r,
-
  include if exists <local/gnome-music>
 }
--- a/apparmor.d/profiles-a-f/appstreamcli
+++ b/apparmor.d/profiles-a-f/appstreamcli
@ -36,9 +36,9 @@ profile appstreamcli @{exec_path} flags=(complain) {
  
  /var/lib/app-info/ w,
  /var/lib/app-info/yaml/ r,
-  /var/lib/app-info/yaml/*_Components-*.yml.gz w,
+  /var/lib/app-info/yaml/*.yml.gz w,
  /var/lib/apt/lists/ r,
-  /var/lib/apt/lists/*_Components-*.gz r,
+  /var/lib/apt/lists/*.gz r,
  /var/lib/flatpak/appstream/{,**} r,
  /var/lib/swcatalog/ rw,
  /var/lib/swcatalog/icons/{,**} rw,
--- a/apparmor.d/profiles-a-f/child-pager
+++ b/apparmor.d/profiles-a-f/child-pager
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 # Note: This profile does not specify an attachment path because it is
@ -28,14 +28,11 @@ profile child-pager {
  /{usr/,}bin/less  mr,
  /{usr/,}bin/more  mr,

-        @{user_cache_dirs}/lesshs* rw,
-  owner /root/.lesshs* rw,
-
-  # Display properly on different host terminals
  @{system_share_dirs}/terminfo/{,**} r,

-  # For shell pwd
-  /root/ r,
+  owner @{HOME}/ r,
+  owner @{HOME}/.lesshs* rw,
+  owner @{user_cache_dirs}/lesshs* rw,

  include if exists <local/child-pager>
 }
--- a/apparmor.d/profiles-g-l/irqbalance
+++ b/apparmor.d/profiles-g-l/irqbalance
@ -27,6 +27,7 @@ profile irqbalance @{exec_path} {
  @{sys}/devices/system/node/node[0-9]*/{cpumap,meminfo} r,

  @{PROC}/interrupts r,
+  @{PROC}/irq/[0-9]*/node r,
  @{PROC}/irq/[0-9]*/smp_affinity rw,

  include if exists <local/irqbalance>
--- a/apparmor.d/profiles-m-r/mono-sgen
+++ b/apparmor.d/profiles-m-r/mono-sgen
@ -42,7 +42,6 @@ profile mono-sgen @{exec_path} {
  owner /tmp/*.* rw,
  owner /tmp/CASESENSITIVETEST* rw,
  owner /dev/shm/mono.* rw,
-        /dev/shm/ r,

  @{sys}/devices/pci[0-9]*/**/uevent r,
  @{sys}/devices/pci[0-9]*/**/vendor r,
--- a/apparmor.d/profiles-m-r/pkcs11-register
+++ b/apparmor.d/profiles-m-r/pkcs11-register
@ -14,10 +14,10 @@ profile pkcs11-register @{exec_path} {

  /etc/opensc.conf r,

-  owner @{HOME}/.mozilla/firefox/*/pkcs11.txt r,
+  owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw,
  owner @{HOME}/.mozilla/firefox/profiles.ini r,
  owner @{HOME}/.pki/nssdb/pkcs11.txt r,
-  owner @{HOME}/.thunderbird/*/pkcs11.txt r,
+  owner @{HOME}/.thunderbird/*/pkcs11.txt rw,
  owner @{HOME}/.thunderbird/profiles.ini r,

  include if exists <local/pkcs11-register>
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@ -26,7 +26,7 @@ profile wireplumber @{exec_path} {
  /usr/share/spa-*/bluez[0-9]*/{,*} r,
  /usr/share/wireplumber/{,**} r,

-  /var/lib/gdm/.local/state/wireplumber/{,**} r,
+  /var/lib/gdm/.local/state/wireplumber/{,**} rw,

  owner @{HOME}/.local/state/ w,
  owner @{HOME}/.local/state/wireplumber/{,**} rw,