diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 96fa5a44..33312db5 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -125,7 +125,7 @@ profile firefox @{exec_path} { /etc/mailcap r, # Set default browser - /{usr/,}bin/update-mime-database rPUx, + /{usr/,}bin/update-mime-database rPx, owner @{user_config_dirs}/mimeapps.list{,.*} rw, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw, @@ -197,13 +197,19 @@ profile firefox @{exec_path} { @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, - @{user_share_dirs}/gvfs-metadata/home r, - @{user_share_dirs}/gvfs-metadata/home-*.log r, + owner @{user_share_dirs}/ r, + owner @{user_share_dirs}/gvfs-metadata/home r, + owner @{user_share_dirs}/gvfs-metadata/home-*.log r, + owner @{user_share_dirs}/gvfs-metadata/root r, + owner @{user_share_dirs}/gvfs-metadata/root-*.log r, include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, + # Silencer + deny owner @{HOME}/.* r, + profile open { include include diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index eb97a127..197c336e 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -33,6 +33,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/ibus/ibus-* rPx, /{usr/,}bin/ r, /{usr/,}bin/[a-z0-9]* rPUx, + /{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper rPx, /etc/dbus-1/{,**} r, /usr/share/dbus-1/{,**} r, diff --git a/apparmor.d/groups/bus/dbus-daemon-launch-helper b/apparmor.d/groups/bus/dbus-daemon-launch-helper new file mode 100644 index 00000000..5ee3c3b3 --- /dev/null +++ b/apparmor.d/groups/bus/dbus-daemon-launch-helper 
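Review bot: The new silencer `deny owner @{HOME}/.* r,` in the second firefox hunk is broader than the probing it is presumably meant to quiet: in AppArmor a deny rule overrides every allow rule, including those pulled in by the profile's abstractions, so any dotfile directly under the home directory that Firefox legitimately reads (for example `@{HOME}/.Xauthority`, if an X abstraction grants it) becomes unreadable, and because explicit deny rules are not logged the breakage leaves no audit trail. Consider listing the specific dotfiles that generate the noise instead, or mark the rule `audit deny owner @{HOME}/.* r,` while it is being tuned so real rejections stay visible. The enclosing `profile firefox` block starts before and ends after this hunk.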
@@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper +profile dbus-daemon-launch-helper @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/desktop/at-spi-bus-launcher b/apparmor.d/groups/desktop/at-spi-bus-launcher index a66db46f..670174a3 100644 --- a/apparmor.d/groups/desktop/at-spi-bus-launcher +++ b/apparmor.d/groups/desktop/at-spi-bus-launcher @@ -17,7 +17,7 @@ profile at-spi-bus-launcher @{exec_path} { # Needed? deny capability sys_nice, - signal (receive) set=term peer=gdm, + signal (receive) set=(term hup) peer=gdm*, signal (send) set=(term, kill) peer=dbus-daemon, network inet stream, diff --git a/apparmor.d/groups/desktop/xwayland b/apparmor.d/groups/desktop/xwayland index 3053d24f..7eb59d4c 100644 --- a/apparmor.d/groups/desktop/xwayland +++ b/apparmor.d/groups/desktop/xwayland @@ -14,7 +14,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { include include - signal (receive) set=term peer=gdm, + signal (receive) set=(term hup) peer=gdm*, @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 3f6fc87e..5bef1cc5 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -25,6 +25,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { capability sys_tty_config, signal (receive) set=term peer=gdm, + signal (send) set=hup peer=at-spi-bus-launcher, signal (send) set=hup peer=dbus-daemon, signal (send) set=hup peer=gjs-console, signal (send) set=hup peer=gnome-*, diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts index ae199bea..22e2aea3 100644 --- a/apparmor.d/groups/gnome/gnome-contacts 
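Review bot: The new `dbus-daemon-launch-helper` profile grants only `@{exec_path} mr,` plus its included abstractions (their targets are not visible in this view), yet the dbus-daemon hunk above now transitions to it with `rPx`, so anything the helper does at runtime that the includes do not cover will be denied. On typical installs this binary is the system bus's setuid-root activation helper: it reads the service description it was asked to activate and execs the named binary as the configured user, which implies read rules for the service directories (`/usr/share/dbus-1/` and `/etc/dbus-1/`, which the dbus-daemon profile already reads), exec transitions for the activated services, and likely `capability setuid,` and `capability setgid,`; none of these appear in the hunk. Until the required rules have been confirmed, `profile dbus-daemon-launch-helper @{exec_path} flags=(complain) {` would keep activation working while the audit log shows what is missing.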
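Review bot: `peer=gdm*` in the new at-spi-bus-launcher receive rule widens the trusted sender from the single `gdm` profile to every profile whose name begins with `gdm`, and the xwayland hunk below uses the same glob. The gdm-session-worker hunk in this commit adds the matching `signal (send) set=hup peer=at-spi-bus-launcher,`, so if gdm and gdm-session-worker are the only senders the rule can be stated exactly as two lines: `signal (receive) set=(term hup) peer=gdm,` and `signal (receive) set=(term hup) peer=gdm-session-worker,`. The enclosing profile blocks start before and end after both hunks.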
+++ b/apparmor.d/groups/gnome/gnome-contacts @@ -21,6 +21,7 @@ profile gnome-contacts @{exec_path} { @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/applications/{,*.desktop} r, owner @{user_cache_dirs}/evolution/addressbook/{,**} r, owner @{user_cache_dirs}/gstreamer*/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider new file mode 100644 index 00000000..51f66679 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/gnome-control-center-search-provider +profile gnome-control-center-search-provider @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/X11/xkb/{,**} r, + + include + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 5ca5f1a4..03c9fee7 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -76,6 +76,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/libgweather/{,**} r, owner @{user_cache_dirs}/media-art/{,**} r, owner @{user_cache_dirs}/gnome-screenshot/{,**} rw, + owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r, include owner @{run}/user/@{uid}/dconf/ rw, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 193e6262..fc3e4854 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus 
@@ -30,6 +30,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner /tmp/{,**} rw, # Silencer for non user's data + deny owner @{HOME}/@{XDG_VM_DIR}/{,**} rw, deny /boot rw, deny /opt rw, deny /root rw, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 43bdde4d..895d26a9 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -59,11 +59,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/NetworkManager/{,**} rw, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/sys/net/** rw, - @{PROC}/sys/kernel/random/boot_id r, - @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/rfkill/ r, @@ -82,9 +77,13 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/devices/pci[0-9]*/**/net/*/{,**} r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/net/{,**} r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/stat r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sys/net/** rw, include if exists } diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index 58fdbaae..0b9db0ff 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -12,6 +12,7 @@ profile ssh-agent @{exec_path} { include include + signal (receive) set=term peer=cockpit-bridge, signal (receive) set=term peer=gnome-keyring-daemon, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 83be53d0..1a359805 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump 
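Review bot: `@{PROC}/@{pids}/stat r,` in the second NetworkManager hunk widens the old `@{PROC}/@{pid}/stat r,` from the daemon's own stat file to that of every process on the system, while the neighbouring `fd/` rule in the same hunk gains an `owner` qualifier. If the wider rule exists so that NetworkManager can inspect helper processes it spawns, `owner @{PROC}/@{pids}/stat r,` would keep the same uid bound as the `fd/` rule; a short comment above the rule naming which processes are read would make the intent checkable. The first NetworkManager hunk only removes the /proc rules this one re-adds, and the enclosing profile block starts before this hunk.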
@@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}lib/systemd/systemd-coredump -profile systemd-coredump @{exec_path} flags=(complain) { +profile systemd-coredump @{exec_path} flags=(attach_disconnected complain) { include include include diff --git a/apparmor.d/profiles-a-l/aa-notify b/apparmor.d/profiles-a-l/aa-notify index e11bdd83..60c06ef3 100644 --- a/apparmor.d/profiles-a-l/aa-notify +++ b/apparmor.d/profiles-a-l/aa-notify @@ -18,7 +18,7 @@ profile aa-notify @{exec_path} { @{exec_path} mr, - /{usr/,}/bin/ r, + /{usr/,}bin/ r, /etc/apparmor/*.conf r, /etc/inputrc r, diff --git a/apparmor.d/profiles-a-l/browserpass b/apparmor.d/profiles-a-l/browserpass index 728adc2d..110afe8a 100644 --- a/apparmor.d/profiles-a-l/browserpass +++ b/apparmor.d/profiles-a-l/browserpass @@ -11,8 +11,6 @@ profile browserpass @{exec_path} { include include - deny network inet6 stream, - deny network inet stream, network netlink raw, @{exec_path} mr, @@ -27,10 +25,13 @@ profile browserpass @{exec_path} { @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{user_share_dirs}/gvfs-metadata/home r, - @{user_share_dirs}/gvfs-metadata/home-*.log r, - owner @{PROC}/@{pid}/mountinfo r, + # Silencer + deny network inet6 stream, + deny network inet stream, + deny owner @{user_share_dirs}/gvfs-metadata/{,**} r, + deny owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} r, + include if exists } diff --git a/apparmor.d/profiles-a-l/child-pager b/apparmor.d/profiles-a-l/child-pager index 01549252..0a883be7 100644 --- a/apparmor.d/profiles-a-l/child-pager +++ b/apparmor.d/profiles-a-l/child-pager @@ -28,7 +28,7 @@ profile child-pager { /{usr/,}bin/less mr, /{usr/,}bin/more mr, - owner @{user_cache_dirs}/lesshs* rw, + @{user_cache_dirs}/lesshs* rw, owner /root/.lesshs* rw, # Display properly on different host terminals diff --git a/apparmor.d/profiles-a-l/dkms b/apparmor.d/profiles-a-l/dkms index 4d33a625..bb1f731a 100644 --- a/apparmor.d/profiles-a-l/dkms +++ b/apparmor.d/profiles-a-l/dkms 
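Review bot: Dropping `owner` from `@{user_cache_dirs}/lesshs* rw,` in the child-pager hunk lets any process confined by this profile write the less history file in any user's cache directory rather than only the invoking user's, and the reason is not recorded; the adjacent `owner /root/.lesshs* rw,` keeps the qualifier, so the asymmetry looks deliberate but unexplained. If the motivation is a pager started through a privilege-changing wrapper where `$HOME` still points at the original user's home, say so above the rule, e.g. `# no owner: the pager may run under a different uid than the owner of @{HOME}`. The enclosing `profile child-pager` block starts before and ends after this hunk.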
@@ -62,7 +62,7 @@ profile dkms @{exec_path} { /{usr/,}lib/modules/*/updates/ rw, /{usr/,}lib/modules/*/updates/dkms/ rw, /{usr/,}lib/modules/*/updates/dkms/*.ko rw, - /{usr/,}lib/modules/*/kernel/drivers/{,**.ko.xz} rw, + /{usr/,}lib/modules/*/kernel/drivers/{,*.**.ko.xz} rw, /var/lib/dkms/ r, /var/lib/dkms/** rw, diff --git a/apparmor.d/profiles-m-z/sudo b/apparmor.d/profiles-m-z/sudo index 65289d58..185687a0 100644 --- a/apparmor.d/profiles-m-z/sudo +++ b/apparmor.d/profiles-m-z/sudo @@ -56,6 +56,7 @@ profile sudo @{exec_path} { /{usr/,}bin/[a-z0-9]* rPUx, /{usr/,}{s,}bin/[a-z0-9]* rPUx, + /{usr/,}lib/cockpit/cockpit-askpass rPx, /dev/ r, /dev/ptmx rw,
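Review bot: The new glob in `/{usr/,}lib/modules/*/kernel/drivers/{,*.**.ko.xz} rw,` looks narrower than intended: `*` does not cross `/`, so the alternative `*.**.ko.xz` only matches when the first path component under `drivers/` contains a literal `.`, and a module stored as `drivers/net/<name>.ko.xz` (constructed example) would no longer match where the old `**.ko.xz` did. If the goal is still any compressed module below `drivers/`, the previous `{,**.ko.xz}` already expressed that; if the dotted form is deliberate, a comment stating which layout it targets would help, since a silent mismatch here surfaces only as a dkms build failure. The enclosing `profile dkms` block starts before and ends after this hunk.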